diff --git a/.ansible-lint b/.ansible-lint
index 6b5f8aaa..e750c579 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -5,3 +5,5 @@ skip_list:
 exclude_paths:
   - .forgejo/
   - "**/*.sops.yaml"
+  - ansible_collections/
+  - galaxy_roles/
diff --git a/.forgejo/workflows/lint.yaml b/.forgejo/workflows/lint.yaml
index a867c139..5113e9fb 100644
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@@ -10,7 +10,7 @@ jobs:
     name: Ansible Lint
     runs-on: docker
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@v6
       - name: Install pip
         run: |
           apt update
@@ -24,7 +24,7 @@ jobs:
       # work in our environmnet.
       # Rather manually setup python (pip) before instead.
       - name: Run ansible-lint
-        uses: https://github.com/ansible/ansible-lint@d7cd7cfa2469536527aceaef9ef2ec6f2fb331cb # v25.9.2
+        uses: https://github.com/ansible/ansible-lint@v26.1.1
         with:
           setup_python: "false"
           requirements_file: "requirements.yml"
diff --git a/.sops.yaml b/.sops.yaml
index 98aaf3cd..60da9eb9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -33,15 +33,37 @@ keys:
         - &host_public_reverse_proxy_ansible_pull_age_key age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
         - &host_zammad_ansible_pull_age_key age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
         - &host_ntfy_ansible_pull_age_key age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
+        - &host_spaceapiccc_ansible_pull_age_key age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+        - &host_acmedns_ansible_pull_age_key age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+    external:
+      age: &host_external_age_keys
+        - &host_status_ansible_pull_age_key age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
 creation_rules:
-  # group vars
+  ## group vars
   - path_regex: inventories/chaosknoten/group_vars/all.*
     key_groups:
       - pgp:
           *admin_gpg_keys
         age:
           *host_chaosknoten_age_keys
-  # host vars
+  - path_regex: inventories/external/group_vars/all.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          *host_external_age_keys
+  - path_regex: inventories/z9/group_vars/all.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+  ## host vars
+  # chaosknoten hosts
+  - path_regex: inventories/chaosknoten/host_vars/acmedns.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_acmedns_ansible_pull_age_key
   - path_regex: inventories/chaosknoten/host_vars/cloud.*
     key_groups:
       - pgp:
@@ -150,6 +172,20 @@ creation_rules:
           *admin_gpg_keys
         age:
           - *host_public_reverse_proxy_ansible_pull_age_key
+  - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_spaceapiccc_ansible_pull_age_key
+  # external hosts
+  - path_regex: inventories/external/host_vars/status.*
+    key_groups:
+      - pgp:
+          *admin_gpg_keys
+        age:
+          - *host_status_ansible_pull_age_key
+  # z9 hosts
   - path_regex: inventories/z9/host_vars/dooris.*
     key_groups:
       - pgp:
diff --git a/README.md b/README.md
index 5a3d90c7..dff670ab 100644
--- a/README.md
+++ b/README.md
@@ -7,12 +7,14 @@ Folgende Geräte und Server werden duch dieses Ansible Repository verwaltet:
 
 Host-spezifische Konfigurationsdateien liegen unter `resources/` und werden für jeweils über eine `host_vars`-Datei im Inventory geladen.
 
-## Galaxy-Collections und -Rollen installieren
+## Galaxy-Collections und -Rollen
 
-Für einige Aspekte verwenden wir Rollen aus Ansible Galaxy. Die müssen zunächst installiert werden:
+Für einige Aspekte verwenden wir Collections und Rollen aus Ansible Galaxy. Diese werden in [`ansible_collections`](./ansible_collections/) bzw. [`galaxy-roles`](./galaxy-roles/) hier im Repo vorgehalten.
 
+Um unsere gevendorte Version zu aktualisieren, kann man folgendes machen:
 ```bash
 ansible-galaxy install -r requirements.yml
+ansible-galaxy role install -r requirements.yml
 ```
 
 ## Secrets
diff --git a/ansible.cfg b/ansible.cfg
index 654da281..805406f0 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -2,3 +2,5 @@
 inventory = ./inventories/z9/hosts.yaml
 pipelining = True
 vars_plugins_enabled = host_group_vars,community.sops.sops
+collections_path = ./
+roles_path = ./galaxy-roles
diff --git a/ansible_collections/community/docker/.ansible-lint b/ansible_collections/community/docker/.ansible-lint
new file mode 100644
index 00000000..bd650004
--- /dev/null
+++ b/ansible_collections/community/docker/.ansible-lint
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+skip_list:
+  # Ignore rules that make no sense:
+  - galaxy[tags]
+  - galaxy[version-incorrect]
+  - meta-runtime[unsupported-version]
+  - no-changed-when
+  - sanity[cannot-ignore]  # some of the rules you cannot ignore actually MUST be ignored, like yamllint:unparsable-with-libyaml
+  - yaml  # we're using yamllint ourselves
+  - run-once[task]  # wtf???
+
+  # To be checked and maybe fixed:
+  - ignore-errors
+  - key-order[task]
+  - name[casing]
+  - name[missing]
+  - name[play]
+  - name[template]
+  - no-free-form
+  - no-handler
+  - risky-file-permissions
+  - risky-shell-pipe
+  - var-naming[no-reserved]
+  - var-naming[no-role-prefix]
+  - var-naming[pattern]
+  - var-naming[read-only]
diff --git a/ansible_collections/community/docker/.azure-pipelines/README.md b/ansible_collections/community/docker/.azure-pipelines/README.md
new file mode 100644
index 00000000..9e8ad741
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/README.md
@@ -0,0 +1,9 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+## Azure Pipelines Configuration
+
+Please see the [Documentation](https://github.com/ansible/community/wiki/Testing:-Azure-Pipelines) for more information.
diff --git a/ansible_collections/community/docker/.azure-pipelines/azure-pipelines.yml b/ansible_collections/community/docker/.azure-pipelines/azure-pipelines.yml
new file mode 100644
index 00000000..1919fe7d
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/azure-pipelines.yml
@@ -0,0 +1,280 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+trigger:
+  batch: true
+  branches:
+    include:
+      - main
+      - stable-*
+
+pr:
+  autoCancel: true
+  branches:
+    include:
+      - main
+      - stable-*
+
+schedules:
+  - cron: 0 9 * * *
+    displayName: Nightly
+    always: true
+    branches:
+      include:
+        - main
+  - cron: 0 12 * * 0
+    displayName: Weekly (old stable branches)
+    always: true
+    branches:
+      include:
+        - stable-4
+
+variables:
+  - name: checkoutPath
+    value: ansible_collections/community/docker
+  - name: coverageBranches
+    value: main
+  - name: entryPoint
+    value: tests/utils/shippable/shippable.sh
+  - name: fetchDepth
+    value: 0
+
+resources:
+  containers:
+    - container: default
+      image: quay.io/ansible/azure-pipelines-test-container:7.0.0
+
+pool: Standard
+
+stages:
+
+### Sanity & units
+  - stage: Ansible_devel
+    displayName: Sanity & Units devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: 'devel/sanity/1'
+            - name: Units
+              test: 'devel/units/1'
+  - stage: Ansible_2_20
+    displayName: Sanity & Units 2.20
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.20/sanity/1'
+            - name: Units
+              test: '2.20/units/1'
+  - stage: Ansible_2_19
+    displayName: Sanity & Units 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.19/sanity/1'
+            - name: Units
+              test: '2.19/units/1'
+  - stage: Ansible_2_18
+    displayName: Sanity & Units 2.18
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          targets:
+            - name: Sanity
+              test: '2.18/sanity/1'
+            - name: Units
+              test: '2.18/units/1'
+
+### Docker
+  - stage: Docker_devel
+    displayName: Docker devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: devel/linux/{0}
+          targets:
+            - name: Fedora 42
+              test: fedora42
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+            - name: Ubuntu 24.04
+              test: ubuntu2404
+            - name: Alpine 3.22
+              test: alpine322
+          groups:
+            - 4
+            - 5
+  - stage: Docker_2_20
+    displayName: Docker 2.20
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.20/linux/{0}
+          targets:
+            - name: Fedora 42
+              test: fedora42
+            - name: Alpine 3.22
+              test: alpine322
+          groups:
+            - 4
+            - 5
+  - stage: Docker_2_19
+    displayName: Docker 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/linux/{0}
+          targets:
+            - name: Fedora 41
+              test: fedora41
+            - name: Alpine 3.21
+              test: alpine321
+          groups:
+            - 4
+            - 5
+  - stage: Docker_2_18
+    displayName: Docker 2.18
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.18/linux/{0}
+          targets:
+            - name: Fedora 40
+              test: fedora40
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+            - name: Alpine 3.20
+              test: alpine320
+          groups:
+            - 4
+            - 5
+
+### Community Docker
+  - stage: Docker_community_devel
+    displayName: Docker (community images) devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: devel/linux-community/{0}
+          targets:
+            - name: Debian 11 Bullseye
+              test: debian-bullseye/3.9
+            - name: Debian 12 Bookworm
+              test: debian-bookworm/3.11
+            - name: Debian 13 Trixie
+              test: debian-13-trixie/3.13
+            - name: ArchLinux
+              test: archlinux/3.13
+          groups:
+            - 4
+            - 5
+
+### Remote
+  - stage: Remote_devel
+    displayName: Remote devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: devel/{0}
+          targets:
+            - name: RHEL 10.0
+              test: rhel/10.0
+            - name: RHEL 9.6 with Docker SDK, urllib3, requests from sources
+              test: rhel/9.6-dev-latest
+            # For some reason, Ubuntu 24.04 is *extremely* slower than RHEL 9.6
+            # - name: Ubuntu 24.04
+            #   test: ubuntu/24.04
+          groups:
+            - 1
+            - 2
+            - 3
+            - 4
+            - 5
+  - stage: Remote_2_20
+    displayName: Remote 2.20
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.20/{0}
+          targets:
+            - name: RHEL 9.6
+              test: rhel/9.6
+          groups:
+            - 1
+            - 2
+            - 3
+            - 4
+            - 5
+  - stage: Remote_2_19
+    displayName: Remote 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/{0}
+          targets:
+            - name: RHEL 9.5
+              test: rhel/9.5
+            - name: Ubuntu 22.04
+              test: ubuntu/22.04
+          groups:
+            - 1
+            - 2
+            - 3
+            - 4
+            - 5
+  - stage: Remote_2_18
+    displayName: Remote 2.18
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.18/{0}
+          targets:
+            - name: RHEL 9.4
+              test: rhel/9.4
+          groups:
+            - 1
+            - 2
+            - 3
+            - 4
+            - 5
+
+  ## Finally
+
+  - stage: Summary
+    condition: succeededOrFailed()
+    dependsOn:
+      - Ansible_devel
+      - Ansible_2_20
+      - Ansible_2_19
+      - Ansible_2_18
+      - Remote_devel
+      - Remote_2_20
+      - Remote_2_19
+      - Remote_2_18
+      - Docker_devel
+      - Docker_2_20
+      - Docker_2_19
+      - Docker_2_18
+      - Docker_community_devel
+    jobs:
+      - template: templates/coverage.yml
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/aggregate-coverage.sh b/ansible_collections/community/docker/.azure-pipelines/scripts/aggregate-coverage.sh
new file mode 100755
index 00000000..0ccef353
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/aggregate-coverage.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Aggregate code coverage results for later processing.
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eu
+
+agent_temp_directory="$1"
+
+PATH="${PWD}/bin:${PATH}"
+
+mkdir "${agent_temp_directory}/coverage/"
+
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
+options=(--venv --venv-system-site-packages --color -v)
+
+ansible-test coverage combine --group-by command --export "${agent_temp_directory}/coverage/" "${options[@]}"
+
+if ansible-test coverage analyze targets generate --help >/dev/null 2>&1; then
+    # Only analyze coverage if the installed version of ansible-test supports it.
+    # Doing so allows this script to work unmodified for multiple Ansible versions.
+    ansible-test coverage analyze targets generate "${agent_temp_directory}/coverage/coverage-analyze-targets.json" "${options[@]}"
+fi
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/combine-coverage.py b/ansible_collections/community/docker/.azure-pipelines/scripts/combine-coverage.py
new file mode 100755
index 00000000..3b2fd993
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/combine-coverage.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+Combine coverage data from multiple jobs, keeping the data only from the most recent attempt from each job.
+Coverage artifacts must be named using the format: "Coverage $(System.JobAttempt) {StableUniqueNameForEachJob}"
+The recommended coverage artifact name format is: Coverage $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)
+Keep in mind that Azure Pipelines does not enforce unique job display names (only names).
+It is up to pipeline authors to avoid name collisions when deviating from the recommended format.
+"""
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import re
+import shutil
+import sys
+
+
+def main():
+    """Main program entry point."""
+    source_directory = sys.argv[1]
+
+    if '/ansible_collections/' in os.getcwd():
+        output_path = "tests/output"
+    else:
+        output_path = "test/results"
+
+    destination_directory = os.path.join(output_path, 'coverage')
+
+    if not os.path.exists(destination_directory):
+        os.makedirs(destination_directory)
+
+    jobs = {}
+    count = 0
+
+    for name in os.listdir(source_directory):
+        match = re.search('^Coverage (?P<attempt>[0-9]+) (?P<label>.+)$', name)
+        label = match.group('label')
+        attempt = int(match.group('attempt'))
+        jobs[label] = max(attempt, jobs.get(label, 0))
+
+    for label, attempt in jobs.items():
+        name = 'Coverage {attempt} {label}'.format(label=label, attempt=attempt)
+        source = os.path.join(source_directory, name)
+        source_files = os.listdir(source)
+
+        for source_file in source_files:
+            source_path = os.path.join(source, source_file)
+            destination_path = os.path.join(destination_directory, source_file + '.' + label)
+            print('"%s" -> "%s"' % (source_path, destination_path))
+            shutil.copyfile(source_path, destination_path)
+            count += 1
+
+    print('Coverage file count: %d' % count)
+    print('##vso[task.setVariable variable=coverageFileCount]%d' % count)
+    print('##vso[task.setVariable variable=outputPath]%s' % output_path)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/process-results.sh b/ansible_collections/community/docker/.azure-pipelines/scripts/process-results.sh
new file mode 100755
index 00000000..1a5d79ff
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/process-results.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Check the test results and set variables for use in later steps.
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eu
+
+if [[ "$PWD" =~ /ansible_collections/ ]]; then
+    output_path="tests/output"
+else
+    output_path="test/results"
+fi
+
+echo "##vso[task.setVariable variable=outputPath]${output_path}"
+
+if compgen -G "${output_path}"'/junit/*.xml' > /dev/null; then
+    echo "##vso[task.setVariable variable=haveTestResults]true"
+fi
+
+if compgen -G "${output_path}"'/bot/ansible-test-*' > /dev/null; then
+    echo "##vso[task.setVariable variable=haveBotResults]true"
+fi
+
+if compgen -G "${output_path}"'/coverage/*' > /dev/null; then
+    echo "##vso[task.setVariable variable=haveCoverageData]true"
+fi
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/publish-codecov.py b/ansible_collections/community/docker/.azure-pipelines/scripts/publish-codecov.py
new file mode 100755
index 00000000..58e32f6d
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/publish-codecov.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+Upload code coverage reports to codecov.io.
+Multiple coverage files from multiple languages are accepted and aggregated after upload.
+Python coverage, as well as PowerShell and Python stubs can all be uploaded.
+"""
+
+import argparse
+import dataclasses
+import pathlib
+import shutil
+import subprocess
+import tempfile
+import typing as t
+import urllib.request
+
+
+@dataclasses.dataclass(frozen=True)
+class CoverageFile:
+    name: str
+    path: pathlib.Path
+    flags: t.List[str]
+
+
+@dataclasses.dataclass(frozen=True)
+class Args:
+    dry_run: bool
+    path: pathlib.Path
+
+
+def parse_args() -> Args:
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-n', '--dry-run', action='store_true')
+    parser.add_argument('path', type=pathlib.Path)
+
+    args = parser.parse_args()
+
+    # Store arguments in a typed dataclass
+    fields = dataclasses.fields(Args)
+    kwargs = {field.name: getattr(args, field.name) for field in fields}
+
+    return Args(**kwargs)
+
+
+def process_files(directory: pathlib.Path) -> t.Tuple[CoverageFile, ...]:
+    processed = []
+    for file in directory.joinpath('reports').glob('coverage*.xml'):
+        name = file.stem.replace('coverage=', '')
+
+        # Get flags from name
+        flags = name.replace('-powershell', '').split('=')  # Drop '-powershell' suffix
+        flags = [flag if not flag.startswith('stub') else flag.split('-')[0] for flag in flags]  # Remove "-01" from stub files
+
+        processed.append(CoverageFile(name, file, flags))
+
+    return tuple(processed)
+
+
+def upload_files(codecov_bin: pathlib.Path, files: t.Tuple[CoverageFile, ...], dry_run: bool = False) -> None:
+    for file in files:
+        cmd = [
+            str(codecov_bin),
+            '--name', file.name,
+            '--file', str(file.path),
+        ]
+        for flag in file.flags:
+            cmd.extend(['--flags', flag])
+
+        if dry_run:
+            print(f'DRY-RUN: Would run command: {cmd}')
+            continue
+
+        subprocess.run(cmd, check=True)
+
+
+def download_file(url: str, dest: pathlib.Path, flags: int, dry_run: bool = False) -> None:
+    if dry_run:
+        print(f'DRY-RUN: Would download {url} to {dest} and set mode to {flags:o}')
+        return
+
+    with urllib.request.urlopen(url) as resp:
+        with dest.open('w+b') as f:
+            # Read data in chunks rather than all at once
+            shutil.copyfileobj(resp, f, 64 * 1024)
+
+    dest.chmod(flags)
+
+
+def main():
+    args = parse_args()
+    url = 'https://ansible-ci-files.s3.amazonaws.com/codecov/linux/codecov'
+    with tempfile.TemporaryDirectory(prefix='codecov-') as tmpdir:
+        codecov_bin = pathlib.Path(tmpdir) / 'codecov'
+        download_file(url, codecov_bin, 0o755, args.dry_run)
+
+        files = process_files(args.path)
+        upload_files(codecov_bin, files, args.dry_run)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/report-coverage.sh b/ansible_collections/community/docker/.azure-pipelines/scripts/report-coverage.sh
new file mode 100755
index 00000000..e8d82c74
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/report-coverage.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Generate code coverage reports for uploading to Azure Pipelines and codecov.io.
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eu
+
+PATH="${PWD}/bin:${PATH}"
+
+if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
+    exit
+fi
+
+if ! ansible-test --help >/dev/null 2>&1; then
+    # Install the devel version of ansible-test for generating code coverage reports.
+    # This is only used by Ansible Collections, which are typically tested against multiple Ansible versions (in separate jobs).
+    # Since a version of ansible-test is required that can work the output from multiple older releases, the devel version is used.
+    pip install https://github.com/ansible/ansible/archive/devel.tar.gz --disable-pip-version-check
+fi
+
+ansible-test coverage xml --group-by command --stub --venv --venv-system-site-packages --color -v
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/run-tests.sh b/ansible_collections/community/docker/.azure-pipelines/scripts/run-tests.sh
new file mode 100755
index 00000000..4ed20d55
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/run-tests.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Configure the test environment and run the tests.
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eu
+
+entry_point="$1"
+test="$2"
+read -r -a coverage_branches <<< "$3"  # space separated list of branches to run code coverage on for scheduled builds
+
+export COMMIT_MESSAGE
+export COMPLETE
+export COVERAGE
+export IS_PULL_REQUEST
+
+if [ "${SYSTEM_PULLREQUEST_TARGETBRANCH:-}" ]; then
+    IS_PULL_REQUEST=true
+    COMMIT_MESSAGE=$(git log --format=%B -n 1 HEAD^2)
+else
+    IS_PULL_REQUEST=
+    COMMIT_MESSAGE=$(git log --format=%B -n 1 HEAD)
+fi
+
+COMPLETE=
+COVERAGE=
+
+if [ "${BUILD_REASON}" = "Schedule" ]; then
+    COMPLETE=yes
+
+    if printf '%s\n' "${coverage_branches[@]}" | grep -q "^${BUILD_SOURCEBRANCHNAME}$"; then
+        COVERAGE=yes
+    fi
+fi
+
+"${entry_point}" "${test}" 2>&1 | "$(dirname "$0")/time-command.py"
diff --git a/ansible_collections/community/docker/.azure-pipelines/scripts/time-command.py b/ansible_collections/community/docker/.azure-pipelines/scripts/time-command.py
new file mode 100755
index 00000000..85a7c3c1
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/scripts/time-command.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""Prepends a relative timestamp to each input line from stdin and writes it to stdout."""
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import sys
+import time
+
+
+def main():
+    """Main program entry point."""
+    start = time.time()
+
+    sys.stdin.reconfigure(errors='surrogateescape')
+    sys.stdout.reconfigure(errors='surrogateescape')
+
+    for line in sys.stdin:
+        seconds = time.time() - start
+        sys.stdout.write('%02d:%02d %s' % (seconds // 60, seconds % 60, line))
+        sys.stdout.flush()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/community/docker/.azure-pipelines/templates/coverage.yml b/ansible_collections/community/docker/.azure-pipelines/templates/coverage.yml
new file mode 100644
index 00000000..1bf17e05
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/templates/coverage.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This template adds a job for processing code coverage data.
+# It will upload results to Azure Pipelines and codecov.io.
+# Use it from a job stage that completes after all other jobs have completed.
+# This can be done by placing it in a separate summary stage that runs after the test stage(s) have completed.
+
+jobs:
+  - job: Coverage
+    displayName: Code Coverage
+    container: default
+    workspace:
+      clean: all
+    steps:
+      - checkout: self
+        fetchDepth: $(fetchDepth)
+        path: $(checkoutPath)
+      - task: DownloadPipelineArtifact@2
+        displayName: Download Coverage Data
+        inputs:
+          path: coverage/
+          patterns: "Coverage */*=coverage.combined"
+      - bash: .azure-pipelines/scripts/combine-coverage.py coverage/
+        displayName: Combine Coverage Data
+      - bash: .azure-pipelines/scripts/report-coverage.sh
+        displayName: Generate Coverage Report
+        condition: gt(variables.coverageFileCount, 0)
+      - bash: .azure-pipelines/scripts/publish-codecov.py "$(outputPath)"
+        displayName: Publish to codecov.io
+        condition: gt(variables.coverageFileCount, 0)
+        continueOnError: true
diff --git a/ansible_collections/community/docker/.azure-pipelines/templates/matrix.yml b/ansible_collections/community/docker/.azure-pipelines/templates/matrix.yml
new file mode 100644
index 00000000..49f5d859
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/templates/matrix.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This template uses the provided targets and optional groups to generate a matrix which is then passed to the test template.
+# If this matrix template does not provide the required functionality, consider using the test template directly instead.
+
+parameters:
+  # A required list of dictionaries, one per test target.
+  # Each item in the list must contain a "test" or "name" key.
+  # Both may be provided. If one is omitted, the other will be used.
+  - name: targets
+    type: object
+
+  # An optional list of values which will be used to multiply the targets list into a matrix.
+  # Values can be strings or numbers.
+  - name: groups
+    type: object
+    default: []
+
+  # An optional format string used to generate the job name.
+  # - {0} is the name of an item in the targets list.
+  - name: nameFormat
+    type: string
+    default: "{0}"
+
+  # An optional format string used to generate the test name.
+  # - {0} is the name of an item in the targets list.
+  - name: testFormat
+    type: string
+    default: "{0}"
+
+  # An optional format string used to add the group to the job name.
+  # {0} is the formatted name of an item in the targets list.
+  # {{1}} is the group -- be sure to include the double "{{" and "}}".
+  - name: nameGroupFormat
+    type: string
+    default: "{0} - {{1}}"
+
+  # An optional format string used to add the group to the test name.
+  # {0} is the formatted test of an item in the targets list.
+  # {{1}} is the group -- be sure to include the double "{{" and "}}".
+  - name: testGroupFormat
+    type: string
+    default: "{0}/{{1}}"
+
+jobs:
+  - template: test.yml
+    parameters:
+      jobs:
+        - ${{ if eq(length(parameters.groups), 0) }}:
+            - ${{ each target in parameters.targets }}:
+                - name: ${{ format(parameters.nameFormat, coalesce(target.name, target.test)) }}
+                  test: ${{ format(parameters.testFormat, coalesce(target.test, target.name)) }}
+        - ${{ if not(eq(length(parameters.groups), 0)) }}:
+            - ${{ each group in parameters.groups }}:
+                - ${{ each target in parameters.targets }}:
+                    - name: ${{ format(format(parameters.nameGroupFormat, parameters.nameFormat), coalesce(target.name, target.test), group) }}
+                      test: ${{ format(format(parameters.testGroupFormat, parameters.testFormat), coalesce(target.test, target.name), group) }}
diff --git a/ansible_collections/community/docker/.azure-pipelines/templates/test.yml b/ansible_collections/community/docker/.azure-pipelines/templates/test.yml
new file mode 100644
index 00000000..b263379c
--- /dev/null
+++ b/ansible_collections/community/docker/.azure-pipelines/templates/test.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This template uses the provided list of jobs to create test one or more test jobs.
+# It can be used directly if needed, or through the matrix template.
+
+parameters:
+  # A required list of dictionaries, one per test job.
+  # Each item in the list must contain a "job" and "name" key.
+  - name: jobs
+    type: object
+
+jobs:
+  - ${{ each job in parameters.jobs }}:
+      - job: test_${{ replace(replace(replace(job.test, '/', '_'), '.', '_'), '-', '_') }}
+        displayName: ${{ job.name }}
+        container: default
+        workspace:
+          clean: all
+        steps:
+          - checkout: self
+            fetchDepth: $(fetchDepth)
+            path: $(checkoutPath)
+          - bash: .azure-pipelines/scripts/run-tests.sh "$(entryPoint)" "${{ job.test }}" "$(coverageBranches)"
+            displayName: Run Tests
+          - bash: .azure-pipelines/scripts/process-results.sh
+            condition: succeededOrFailed()
+            displayName: Process Results
+          - bash: .azure-pipelines/scripts/aggregate-coverage.sh "$(Agent.TempDirectory)"
+            condition: eq(variables.haveCoverageData, 'true')
+            displayName: Aggregate Coverage Data
+          - task: PublishTestResults@2
+            condition: eq(variables.haveTestResults, 'true')
+            inputs:
+              testResultsFiles: "$(outputPath)/junit/*.xml"
+            displayName: Publish Test Results
+          - task: PublishPipelineArtifact@1
+            condition: eq(variables.haveBotResults, 'true')
+            displayName: Publish Bot Results
+            inputs:
+              targetPath: "$(outputPath)/bot/"
+              artifactName: "Bot $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)"
+          - task: PublishPipelineArtifact@1
+            condition: eq(variables.haveCoverageData, 'true')
+            displayName: Publish Coverage Data
+            inputs:
+              targetPath: "$(Agent.TempDirectory)/coverage/"
+              artifactName: "Coverage $(System.JobAttempt) $(System.StageDisplayName) $(System.JobDisplayName)"
diff --git a/ansible_collections/community/docker/.flake8 b/ansible_collections/community/docker/.flake8
new file mode 100644
index 00000000..f483c0e6
--- /dev/null
+++ b/ansible_collections/community/docker/.flake8
@@ -0,0 +1,13 @@
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+[flake8]
+extend-ignore = E203, E402, F401
+count = true
+# TODO: decrease this to ~10
+max-complexity = 60
+# black's max-line-length is 89, but it doesn't touch long string literals.
+# Since ansible-test's limit is 160, let's use that here.
+max-line-length = 160
+statistics = true
diff --git a/ansible_collections/community/docker/.git-blame-ignore-revs b/ansible_collections/community/docker/.git-blame-ignore-revs
new file mode 100644
index 00000000..680b6283
--- /dev/null
+++ b/ansible_collections/community/docker/.git-blame-ignore-revs
@@ -0,0 +1,10 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Reformat YAML: https://github.com/ansible-collections/community.docker/pull/1071
+2487d1a0bf4f2c79d3ab5a9e7d0f969432bf32a2
+# Reformat with black and isort
+d65d37e9e9a78e03a35643704b413121515ee39c
+# Reformat with ruff check --fix instead of isort
+712d920941d8e95d2826e0dbdc5f02914671d02a
diff --git a/ansible_collections/community/docker/.github/dependabot.yml b/ansible_collections/community/docker/.github/dependabot.yml
new file mode 100644
index 00000000..f71b322d
--- /dev/null
+++ b/ansible_collections/community/docker/.github/dependabot.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      ci:
+        patterns:
+          - "*"
diff --git a/ansible_collections/community/docker/.github/patchback.yml b/ansible_collections/community/docker/.github/patchback.yml
new file mode 100644
index 00000000..5ee7812e
--- /dev/null
+++ b/ansible_collections/community/docker/.github/patchback.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+backport_branch_prefix: patchback/backports/
+backport_label_prefix: backport-
+target_branch_prefix: stable-
+...
diff --git a/ansible_collections/community/docker/.github/workflows/docker-images.yml b/ansible_collections/community/docker/.github/workflows/docker-images.yml
new file mode 100644
index 00000000..1c93d5ae
--- /dev/null
+++ b/ansible_collections/community/docker/.github/workflows/docker-images.yml
@@ -0,0 +1,90 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Helper Docker images for testing
+'on':
+  # Run CI against all pushes (direct commits, also merged PRs), Pull Requests
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/docker-images.yml
+      - tests/images/**
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/docker-images.yml
+      - tests/images/**
+  # Run CI once per day (at 03:00 UTC)
+  schedule:
+    - cron: '0 3 * * *'
+
+env:
+  CONTAINER_REGISTRY: ghcr.io/ansible-collections
+
+jobs:
+  build:
+    name: Build image ${{ matrix.name }}:${{ matrix.tag }}
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: simple-1
+            tag: tag
+            tag-as-latest: true
+          - name: simple-2
+            tag: tag
+            tag-as-latest: true
+          - name: healthcheck
+            tag: check
+            tag-as-latest: true
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install podman buildah
+
+      - name: Set up Go 1.22
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.22'
+          cache: false  # true (default) results in warnings since we don't use Go modules
+
+      - name: Build ${{ matrix.name }} image
+        run: |
+          ./build.sh "${CONTAINER_REGISTRY}/${{ matrix.name }}:${{ matrix.tag }}"
+        working-directory: tests/images/${{ matrix.name }}
+
+      - name: Tag image as latest
+        if: matrix.tag-as-latest && matrix.tag != 'latest'
+        run: |
+          podman tag "${CONTAINER_REGISTRY}/${{ matrix.name }}:${{ matrix.tag }}" "${CONTAINER_REGISTRY}/${{ matrix.name }}:latest"
+
+      - name: Publish container image ${{ env.CONTAINER_REGISTRY }}/${{ matrix.name }}:${{ matrix.tag }}
+        if: github.event_name != 'pull_request'
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          image: ${{ matrix.name }}
+          tags: ${{ matrix.tag }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish container image ${{ env.CONTAINER_REGISTRY }}/${{ matrix.name }}:latest
+        if: github.event_name != 'pull_request' && matrix.tag-as-latest && matrix.tag != 'latest'
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          image: ${{ matrix.name }}
+          tags: latest
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ansible_collections/community/docker/.github/workflows/docs-pr.yml b/ansible_collections/community/docker/.github/workflows/docs-pr.yml
new file mode 100644
index 00000000..11771fdd
--- /dev/null
+++ b/ansible_collections/community/docker/.github/workflows/docs-pr.yml
@@ -0,0 +1,96 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Collection Docs
+concurrency:
+  group: docs-pr-${{ github.head_ref }}
+  cancel-in-progress: true
+'on':
+  pull_request_target:
+    types: [opened, synchronize, reopened, closed]
+
+env:
+  GHP_BASE_URL: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}
+
+jobs:
+  build-docs:
+    permissions:
+      contents: read
+    name: Build Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
+    with:
+      collection-name: community.docker
+      init-lenient: false
+      init-fail-on-error: true
+      squash-hierarchy: true
+      init-project: Community.Docker Collection
+      init-copyright: Community.Docker Contributors
+      init-title: Community.Docker Collection Documentation
+      init-html-short-title: Community.Docker Collection Docs
+      init-extra-html-theme-options: |
+        documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
+      render-file-line: '> * `$<status>` [$<path_tail>](https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/pr/${{ github.event.number }}/$<path_tail>)'
+      extra-collections: community.library_inventory_filtering_v1
+
+  publish-docs-gh-pages:
+    # for now we won't run this on forks
+    if: github.repository == 'ansible-collections/community.docker'
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
+    needs: [build-docs]
+    name: Publish Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    with:
+      artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
+      action: ${{ (github.event.action == 'closed' || needs.build-docs.outputs.changed != 'true') && 'teardown' || 'publish' }}
+      publish-gh-pages-branch: true
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  comment:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    needs: [build-docs, publish-docs-gh-pages]
+    name: PR comments
+    steps:
+      - name: PR comment
+        uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
+        with:
+          body-includes: '## Docs Build'
+          reactions: heart
+          action: ${{ needs.build-docs.outputs.changed != 'true' && 'remove' || '' }}
+          on-closed-body: |
+            ## Docs Build 📝
+
+            This PR is closed and any previously published docsite has been unpublished.
+          on-merged-body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            This PR has been merged and the docs are now incorporated into `main`:
+            ${{ env.GHP_BASE_URL }}/branch/main
+          body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            The docs for **this PR** have been published here:
+            ${{ env.GHP_BASE_URL }}/pr/${{ github.event.number }}
+
+            You can compare to the docs for the `main` branch here:
+            ${{ env.GHP_BASE_URL }}/branch/main
+
+            The docsite for **this PR** is also available for download as an artifact from this run:
+            ${{ needs.build-docs.outputs.artifact-url }}
+
+            File changes:
+
+            ${{ needs.build-docs.outputs.diff-files-rendered }}
+
+            ${{ needs.build-docs.outputs.diff-rendered }}
diff --git a/ansible_collections/community/docker/.github/workflows/docs-push.yml b/ansible_collections/community/docker/.github/workflows/docs-push.yml
new file mode 100644
index 00000000..83b41373
--- /dev/null
+++ b/ansible_collections/community/docker/.github/workflows/docs-push.yml
@@ -0,0 +1,56 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Collection Docs
+concurrency:
+  group: docs-push-${{ github.sha }}
+  cancel-in-progress: true
+'on':
+  push:
+    branches:
+      - main
+      - stable-*
+    tags:
+      - '*'
+  # Run CI once per day (at 09:00 UTC)
+  schedule:
+    - cron: '0 9 * * *'
+  # Allow manual trigger (for newer antsibull-docs, sphinx-ansible-theme, ... versions)
+  workflow_dispatch:
+
+jobs:
+  build-docs:
+    permissions:
+      contents: read
+    name: Build Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+    with:
+      collection-name: community.docker
+      init-lenient: false
+      init-fail-on-error: true
+      squash-hierarchy: true
+      init-project: Community.Docker Collection
+      init-copyright: Community.Docker Contributors
+      init-title: Community.Docker Collection Documentation
+      init-html-short-title: Community.Docker Collection Docs
+      init-extra-html-theme-options: |
+        documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
+      extra-collections: community.library_inventory_filtering_v1
+
+  publish-docs-gh-pages:
+    # for now we won't run this on forks
+    if: github.repository == 'ansible-collections/community.docker'
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
+    needs: [build-docs]
+    name: Publish Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    with:
+      artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
+      publish-gh-pages-branch: true
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ansible_collections/community/docker/.github/workflows/nox.yml b/ansible_collections/community/docker/.github/workflows/nox.yml
new file mode 100644
index 00000000..386181ef
--- /dev/null
+++ b/ansible_collections/community/docker/.github/workflows/nox.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: nox
+'on':
+  push:
+    branches:
+      - main
+      - stable-*
+  pull_request:
+  # Run CI once per day (at 09:00 UTC)
+  schedule:
+    - cron: '0 9 * * *'
+  workflow_dispatch:
+
+jobs:
+  nox:
+    uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-run.yml@main
+    with:
+      session-name: Run extra sanity tests
+      change-detection-in-prs: true
+
+  ansible-test:
+    uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-matrix.yml@main
+    with:
+      change-detection-in-prs: true
+      upload-codecov: true
+      upload-codecov-pr: false
+      upload-codecov-push: false
+      upload-codecov-schedule: true
+      max-ansible-core: "2.17"
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/ansible_collections/community/docker/.mypy.ini b/ansible_collections/community/docker/.mypy.ini
new file mode 100644
index 00000000..a5c1f514
--- /dev/null
+++ b/ansible_collections/community/docker/.mypy.ini
@@ -0,0 +1,27 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[mypy]
+check_untyped_defs = True
+disallow_untyped_defs = True
+
+# strict = True -- only try to enable once everything (including dependencies!) is typed
+strict_equality = True
+strict_bytes = True
+
+warn_redundant_casts = True
+# warn_return_any = True
+warn_unreachable = True
+
+[mypy-ansible.*]
+# ansible-core has partial typing information
+follow_untyped_imports = True
+
+[mypy-docker.*]
+# Docker SDK for Python has partial typing information
+follow_untyped_imports = True
+
+[mypy-jsondiff.*]
+# jsondiff has no typing information
+ignore_missing_imports = True
diff --git a/ansible_collections/community/docker/.pylintrc b/ansible_collections/community/docker/.pylintrc
new file mode 100644
index 00000000..53171d07
--- /dev/null
+++ b/ansible_collections/community/docker/.pylintrc
@@ -0,0 +1,598 @@
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+[MAIN]
+
+# Clear in-memory caches upon conclusion of linting. Useful if running pylint
+# in a server-like mode.
+clear-cache-post-run=no
+
+# Load and enable all available extensions. Use --list-extensions to see a list
+# all available extensions.
+#enable-all-extensions=
+
+# Specify a score threshold under which the program will exit with error.
+fail-under=10
+
+# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
+# number of processors available to use, and will cap the count on Windows to
+# avoid hangs.
+jobs=0
+
+# Minimum Python version to use for version dependent checks. Will default to
+# the version used to run pylint.
+py-version=3.7
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# In verbose mode, extra non-checker-related info will be displayed.
+#verbose=
+
+
+[BASIC]
+
+# Naming style matching correct argument names.
+argument-naming-style=snake_case
+
+# Regular expression matching correct argument names. Overrides argument-
+# naming-style. If left empty, argument names will be checked with the set
+# naming style.
+#argument-rgx=
+
+# Naming style matching correct attribute names.
+attr-naming-style=snake_case
+
+# Regular expression matching correct attribute names. Overrides attr-naming-
+# style. If left empty, attribute names will be checked with the set naming
+# style.
+#attr-rgx=
+
+# Bad variable names which should always be refused, separated by a comma.
+bad-names=foo,
+          bar,
+          baz,
+          toto,
+          tutu,
+          tata
+
+# Bad variable names regexes, separated by a comma. If names match any regex,
+# they will always be refused
+bad-names-rgxs=
+
+# Naming style matching correct class attribute names.
+class-attribute-naming-style=any
+
+# Regular expression matching correct class attribute names. Overrides class-
+# attribute-naming-style. If left empty, class attribute names will be checked
+# with the set naming style.
+#class-attribute-rgx=
+
+# Naming style matching correct class constant names.
+class-const-naming-style=UPPER_CASE
+
+# Regular expression matching correct class constant names. Overrides class-
+# const-naming-style. If left empty, class constant names will be checked with
+# the set naming style.
+#class-const-rgx=
+
+# Naming style matching correct class names.
+class-naming-style=PascalCase
+
+# Regular expression matching correct class names. Overrides class-naming-
+# style. If left empty, class names will be checked with the set naming style.
+#class-rgx=
+
+# Naming style matching correct constant names.
+const-naming-style=UPPER_CASE
+
+# Regular expression matching correct constant names. Overrides const-naming-
+# style. If left empty, constant names will be checked with the set naming
+# style.
+#const-rgx=
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+# Naming style matching correct function names.
+function-naming-style=snake_case
+
+# Regular expression matching correct function names. Overrides function-
+# naming-style. If left empty, function names will be checked with the set
+# naming style.
+#function-rgx=
+
+# Good variable names which should always be accepted, separated by a comma.
+good-names=i,
+           j,
+           k,
+           ex,
+           Run,
+           _
+
+# Good variable names regexes, separated by a comma. If names match any regex,
+# they will always be accepted
+good-names-rgxs=
+
+# Include a hint for the correct naming format with invalid-name.
+include-naming-hint=no
+
+# Naming style matching correct inline iteration names.
+inlinevar-naming-style=any
+
+# Regular expression matching correct inline iteration names. Overrides
+# inlinevar-naming-style. If left empty, inline iteration names will be checked
+# with the set naming style.
+#inlinevar-rgx=
+
+# Naming style matching correct method names.
+method-naming-style=snake_case
+
+# Regular expression matching correct method names. Overrides method-naming-
+# style. If left empty, method names will be checked with the set naming style.
+#method-rgx=
+
+# Naming style matching correct module names.
+module-naming-style=snake_case
+
+# Regular expression matching correct module names. Overrides module-naming-
+# style. If left empty, module names will be checked with the set naming style.
+#module-rgx=
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# List of decorators that produce properties, such as abc.abstractproperty. Add
+# to this list to register other decorators that produce valid properties.
+# These decorators are taken in consideration only for invalid-name.
+property-classes=abc.abstractproperty
+
+# Regular expression matching correct type alias names. If left empty, type
+# alias names will be checked with the set naming style.
+#typealias-rgx=
+
+# Regular expression matching correct type variable names. If left empty, type
+# variable names will be checked with the set naming style.
+#typevar-rgx=
+
+# Naming style matching correct variable names.
+variable-naming-style=snake_case
+
+# Regular expression matching correct variable names. Overrides variable-
+# naming-style. If left empty, variable names will be checked with the set
+# naming style.
+#variable-rgx=
+
+
+[CLASSES]
+
+# Warn about protected attribute access inside special methods
+check-protected-access-in-special-methods=no
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,
+                      __new__,
+                      setUp,
+                      asyncSetUp,
+                      __post_init__
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+
+[DESIGN]
+
+# List of regular expressions of class ancestor names to ignore when counting
+# public methods (see R0903)
+exclude-too-few-public-methods=
+
+# List of qualified class names to ignore when counting class parents (see
+# R0901)
+ignored-parents=
+
+# Maximum number of arguments for function / method.
+max-args=5
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Maximum number of boolean expressions in an if statement (see R0916).
+max-bool-expr=5
+
+# Maximum number of branch for function / method body.
+max-branches=12
+
+# Maximum number of locals for function / method body.
+max-locals=15
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of positional arguments for function / method.
+max-positional-arguments=5
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of return / yield for function / method body.
+max-returns=6
+
+# Maximum number of statements in function / method body.
+max-statements=50
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when caught.
+overgeneral-exceptions=builtins.BaseException,builtins.Exception
+
+
+[FORMAT]
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Number of spaces of indent required inside a hanging or continued line.
+indent-after-paren=4
+
+# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
+# tab).
+indent-string='    '
+
+# Maximum number of characters on a single line.
+max-line-length=160
+
+# Maximum number of lines in a module.
+max-module-lines=1000
+
+# Allow the body of a class to be on the same line as the declaration if body
+# contains single statement.
+single-line-class-stmt=no
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+
+[IMPORTS]
+
+# List of modules that can be imported at any level, not just the top level
+# one.
+allow-any-import-level=
+
+# Allow explicit reexports by alias from a package __init__.
+allow-reexport-from-package=no
+
+# Allow wildcard imports from modules that define __all__.
+allow-wildcard-with-all=no
+
+# Deprecated modules which should not be used, separated by a comma.
+deprecated-modules=
+
+# Output a graph (.gv or any supported image format) of external dependencies
+# to the given file (report RP0402 must not be disabled).
+ext-import-graph=
+
+# Output a graph (.gv or any supported image format) of all (i.e. internal and
+# external) dependencies to the given file (report RP0402 must not be
+# disabled).
+import-graph=
+
+# Output a graph (.gv or any supported image format) of internal dependencies
+# to the given file (report RP0402 must not be disabled).
+int-import-graph=
+
+# Force import order to recognize a module as part of the standard
+# compatibility libraries.
+known-standard-library=
+
+# Force import order to recognize a module as part of a third party library.
+known-third-party=enchant
+
+# Couples of modules and preferred modules, separated by a comma.
+preferred-modules=
+
+
+[LOGGING]
+
+# The type of string formatting that logging methods do. `old` means using %
+# formatting, `new` is for `{}` formatting.
+logging-format-style=old
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format.
+logging-modules=logging
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
+# UNDEFINED.
+confidence=HIGH,
+           CONTROL_FLOW,
+           INFERENCE,
+           INFERENCE_FAILURE,
+           UNDEFINED
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once). You can also use "--disable=all" to
+# disable everything first and then re-enable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use "--disable=all --enable=classes
+# --disable=W".
+disable=raw-checker-failed,
+        bad-inline-option,
+        deprecated-pragma,
+        duplicate-code,
+        file-ignored,
+        import-outside-toplevel,
+        missing-class-docstring,
+        missing-function-docstring,
+        missing-module-docstring,
+        locally-disabled,
+        suppressed-message,
+        use-implicit-booleaness-not-comparison,
+        use-implicit-booleaness-not-comparison-to-string,
+        use-implicit-booleaness-not-comparison-to-zero,
+        superfluous-parens,
+        too-few-public-methods,
+        too-many-ancestors,
+        too-many-arguments,
+        too-many-boolean-expressions,
+        too-many-branches,
+        too-many-function-args,
+        too-many-instance-attributes,
+        too-many-lines,
+        too-many-locals,
+        too-many-nested-blocks,
+        too-many-positional-arguments,
+        too-many-public-methods,
+        too-many-return-statements,
+        too-many-statements,
+        ungrouped-imports,
+        useless-parent-delegation,
+        wrong-import-order,
+        wrong-import-position,
+        # To clean up:
+        fixme,
+        import-error,  # TODO figure out why pylint cannot find the module
+        no-name-in-module,  # TODO figure out why pylint cannot find the module
+        protected-access,
+        subprocess-popen-preexec-fn,
+        unexpected-keyword-arg,
+        unused-argument,
+        # Cannot remove yet due to inadequacy of rules
+        inconsistent-return-statements,  # doesn't notice that fail_json() does not return
+        # Buggy impementation in pylint:
+        relative-beyond-top-level,  # TODO
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once). See also the "--disable" option for examples.
+enable=
+
+
+[METHOD_ARGS]
+
+# List of qualified names (i.e., library.method) which require a timeout
+# parameter e.g. 'requests.api.get,requests.api.post'
+timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,
+      XXX,
+      TODO
+
+# Regular expression of note tags to take in consideration.
+notes-rgx=
+
+
+[REFACTORING]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+# Complete name of functions that never returns. When checking for
+# inconsistent-return-statements if a never returning function is called then
+# it will be considered as an explicit return statement and no message will be
+# printed.
+never-returning-functions=sys.exit,argparse.parse_error
+
+# Let 'consider-using-join' be raised when the separator to join on would be
+# non-empty (resulting in expected fixes of the type: ``"- " + " -
+# ".join(items)``)
+suggest-join-with-non-empty-separator=yes
+
+
+[REPORTS]
+
+# Python expression which should return a score less than or equal to 10. You
+# have access to the variables 'fatal', 'error', 'warning', 'refactor',
+# 'convention', and 'info' which contain the number of messages in each
+# category, as well as 'statement' which is the total number of statements
+# analyzed. This score is used by the global evaluation report (RP0004).
+evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details.
+msg-template=
+
+# Set the output format. Available formats are: text, parseable, colorized,
+# json2 (improved json format), json (old json format) and msvs (visual
+# studio). You can also give a reporter class, e.g.
+# mypackage.mymodule.MyReporterClass.
+#output-format=
+
+# Tells whether to display a full report or only the messages.
+reports=no
+
+# Activate the evaluation score.
+score=yes
+
+
+[SIMILARITIES]
+
+# Comments are removed from the similarity computation
+ignore-comments=yes
+
+# Docstrings are removed from the similarity computation
+ignore-docstrings=yes
+
+# Imports are removed from the similarity computation
+ignore-imports=yes
+
+# Signatures are removed from the similarity computation
+ignore-signatures=yes
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+
+[SPELLING]
+
+# Limits count of emitted suggestions for spelling mistakes.
+max-spelling-suggestions=4
+
+# Spelling dictionary name. No available dictionaries : You need to install
+# both the python package and the system dependency for enchant to work.
+spelling-dict=
+
+# List of comma separated words that should be considered directives if they
+# appear at the beginning of a comment and should not be checked.
+spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy:
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains the private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to the private dictionary (see the
+# --spelling-private-dict-file option) instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[STRING]
+
+# This flag controls whether inconsistent-quotes generates a warning when the
+# character used as a quote delimiter is used inconsistently within a module.
+check-quote-consistency=no
+
+# This flag controls whether the implicit-str-concat should generate a warning
+# on implicit string concatenation in sequences defined over several lines.
+check-str-concat-over-line-jumps=no
+
+
+[TYPECHECK]
+
+# List of decorators that produce context managers, such as
+# contextlib.contextmanager. Add to this list to register other decorators that
+# produce valid context managers.
+contextmanager-decorators=contextlib.contextmanager
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+# Tells whether to warn about missing members when the owner of the attribute
+# is inferred to be None.
+ignore-none=yes
+
+# This flag controls whether pylint should warn about no-member and similar
+# checks whenever an opaque object is returned when inferring. The inference
+# can return multiple potential results while evaluating a Python object, but
+# some branches might not be evaluated, which results in partial inference. In
+# that case, it might be useful to still emit no-member and other checks for
+# the rest of the inferred objects.
+ignore-on-opaque-inference=yes
+
+# List of symbolic message names to ignore for Mixin members.
+ignored-checks-for-mixins=no-member,
+                          not-async-context-manager,
+                          not-context-manager,
+                          attribute-defined-outside-init
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace
+
+# Show a hint with possible names when a member name was not found. The aspect
+# of finding the hint is based on edit distance.
+missing-member-hint=yes
+
+# The minimum edit distance a name should have in order to be considered a
+# similar match for a missing member name.
+missing-member-hint-distance=1
+
+# The total number of similar names that should be taken in consideration when
+# showing a hint for a missing member.
+missing-member-max-choices=1
+
+# Regex pattern to define which classes are considered mixins.
+mixin-class-rgx=.*[Mm]ixin
+
+# List of decorators that change the signature of a decorated function.
+signature-mutators=
+
+
+[VARIABLES]
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid defining new builtins when possible.
+additional-builtins=
+
+# Tells whether unused global variables should be treated as a violation.
+allow-global-unused-variables=yes
+
+# List of names allowed to shadow builtins
+allowed-redefined-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,
+          _cb
+
+# A regular expression matching the name of dummy variables (i.e. expected to
+# not be used).
+dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
+
+# Argument names that match this expression will be ignored.
+ignored-argument-names=_.*|^ignored_|^unused_
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# List of qualified module names which can have objects that can redefine
+# builtins.
+redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
diff --git a/ansible_collections/community/docker/.yamllint b/ansible_collections/community/docker/.yamllint
new file mode 100644
index 00000000..a6707e29
--- /dev/null
+++ b/ansible_collections/community/docker/.yamllint
@@ -0,0 +1,53 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 300
+    level: error
+  document-start:
+    present: true
+  document-end: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/docker/.yamllint-docs b/ansible_collections/community/docker/.yamllint-docs
new file mode 100644
index 00000000..de8947d7
--- /dev/null
+++ b/ansible_collections/community/docker/.yamllint-docs
@@ -0,0 +1,54 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 160
+    level: error
+  document-start:
+    present: false
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/docker/.yamllint-examples b/ansible_collections/community/docker/.yamllint-examples
new file mode 100644
index 00000000..062ac5aa
--- /dev/null
+++ b/ansible_collections/community/docker/.yamllint-examples
@@ -0,0 +1,54 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 160
+    level: error
+  document-start:
+    present: true
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/docker/CHANGELOG.md b/ansible_collections/community/docker/CHANGELOG.md
new file mode 100644
index 00000000..eb18d03e
--- /dev/null
+++ b/ansible_collections/community/docker/CHANGELOG.md
@@ -0,0 +1,2123 @@
+# Docker Community Collection Release Notes
+
+**Topics**
+
+- <a href="#v5-0-5">v5\.0\.5</a>
+    - <a href="#release-summary">Release Summary</a>
+    - <a href="#bugfixes">Bugfixes</a>
+- <a href="#v5-0-4">v5\.0\.4</a>
+    - <a href="#release-summary-1">Release Summary</a>
+    - <a href="#bugfixes-1">Bugfixes</a>
+- <a href="#v5-0-3">v5\.0\.3</a>
+    - <a href="#release-summary-2">Release Summary</a>
+    - <a href="#bugfixes-2">Bugfixes</a>
+- <a href="#v5-0-2">v5\.0\.2</a>
+    - <a href="#release-summary-3">Release Summary</a>
+    - <a href="#bugfixes-3">Bugfixes</a>
+    - <a href="#known-issues">Known Issues</a>
+- <a href="#v5-0-1">v5\.0\.1</a>
+    - <a href="#release-summary-4">Release Summary</a>
+    - <a href="#bugfixes-4">Bugfixes</a>
+- <a href="#v5-0-0">v5\.0\.0</a>
+    - <a href="#release-summary-5">Release Summary</a>
+    - <a href="#minor-changes">Minor Changes</a>
+    - <a href="#breaking-changes--porting-guide">Breaking Changes / Porting Guide</a>
+    - <a href="#removed-features-previously-deprecated">Removed Features \(previously deprecated\)</a>
+    - <a href="#bugfixes-5">Bugfixes</a>
+- <a href="#v4-8-1">v4\.8\.1</a>
+    - <a href="#release-summary-6">Release Summary</a>
+    - <a href="#minor-changes-1">Minor Changes</a>
+    - <a href="#bugfixes-6">Bugfixes</a>
+- <a href="#v4-8-0">v4\.8\.0</a>
+    - <a href="#release-summary-7">Release Summary</a>
+    - <a href="#minor-changes-2">Minor Changes</a>
+    - <a href="#bugfixes-7">Bugfixes</a>
+- <a href="#v4-7-0">v4\.7\.0</a>
+    - <a href="#release-summary-8">Release Summary</a>
+    - <a href="#minor-changes-3">Minor Changes</a>
+    - <a href="#bugfixes-8">Bugfixes</a>
+- <a href="#v4-6-2">v4\.6\.2</a>
+    - <a href="#release-summary-9">Release Summary</a>
+    - <a href="#bugfixes-9">Bugfixes</a>
+- <a href="#v4-6-1">v4\.6\.1</a>
+    - <a href="#release-summary-10">Release Summary</a>
+    - <a href="#bugfixes-10">Bugfixes</a>
+- <a href="#v4-6-0">v4\.6\.0</a>
+    - <a href="#release-summary-11">Release Summary</a>
+    - <a href="#minor-changes-4">Minor Changes</a>
+- <a href="#v4-5-2">v4\.5\.2</a>
+    - <a href="#release-summary-12">Release Summary</a>
+    - <a href="#bugfixes-11">Bugfixes</a>
+- <a href="#v4-5-1">v4\.5\.1</a>
+    - <a href="#release-summary-13">Release Summary</a>
+    - <a href="#bugfixes-12">Bugfixes</a>
+- <a href="#v4-5-0">v4\.5\.0</a>
+    - <a href="#release-summary-14">Release Summary</a>
+    - <a href="#minor-changes-5">Minor Changes</a>
+- <a href="#v4-4-0">v4\.4\.0</a>
+    - <a href="#release-summary-15">Release Summary</a>
+    - <a href="#bugfixes-13">Bugfixes</a>
+    - <a href="#new-modules">New Modules</a>
+- <a href="#v4-3-1">v4\.3\.1</a>
+    - <a href="#release-summary-16">Release Summary</a>
+    - <a href="#bugfixes-14">Bugfixes</a>
+- <a href="#v4-3-0">v4\.3\.0</a>
+    - <a href="#release-summary-17">Release Summary</a>
+    - <a href="#minor-changes-6">Minor Changes</a>
+- <a href="#v4-2-0">v4\.2\.0</a>
+    - <a href="#release-summary-18">Release Summary</a>
+    - <a href="#minor-changes-7">Minor Changes</a>
+    - <a href="#bugfixes-15">Bugfixes</a>
+- <a href="#v4-1-0">v4\.1\.0</a>
+    - <a href="#release-summary-19">Release Summary</a>
+    - <a href="#minor-changes-8">Minor Changes</a>
+    - <a href="#bugfixes-16">Bugfixes</a>
+- <a href="#v4-0-1">v4\.0\.1</a>
+    - <a href="#release-summary-20">Release Summary</a>
+    - <a href="#bugfixes-17">Bugfixes</a>
+- <a href="#v4-0-0">v4\.0\.0</a>
+    - <a href="#release-summary-21">Release Summary</a>
+    - <a href="#minor-changes-9">Minor Changes</a>
+    - <a href="#breaking-changes--porting-guide-1">Breaking Changes / Porting Guide</a>
+    - <a href="#removed-features-previously-deprecated-1">Removed Features \(previously deprecated\)</a>
+- <a href="#v3-13-1">v3\.13\.1</a>
+    - <a href="#release-summary-22">Release Summary</a>
+    - <a href="#bugfixes-18">Bugfixes</a>
+- <a href="#v3-13-0">v3\.13\.0</a>
+    - <a href="#release-summary-23">Release Summary</a>
+    - <a href="#new-modules-1">New Modules</a>
+- <a href="#v3-12-2">v3\.12\.2</a>
+    - <a href="#release-summary-24">Release Summary</a>
+    - <a href="#bugfixes-19">Bugfixes</a>
+- <a href="#v3-12-1">v3\.12\.1</a>
+    - <a href="#release-summary-25">Release Summary</a>
+    - <a href="#deprecated-features">Deprecated Features</a>
+- <a href="#v3-12-0">v3\.12\.0</a>
+    - <a href="#release-summary-26">Release Summary</a>
+    - <a href="#minor-changes-10">Minor Changes</a>
+    - <a href="#bugfixes-20">Bugfixes</a>
+    - <a href="#known-issues-1">Known Issues</a>
+- <a href="#v3-11-0">v3\.11\.0</a>
+    - <a href="#minor-changes-11">Minor Changes</a>
+    - <a href="#bugfixes-21">Bugfixes</a>
+- <a href="#v3-10-4">v3\.10\.4</a>
+    - <a href="#release-summary-27">Release Summary</a>
+    - <a href="#bugfixes-22">Bugfixes</a>
+- <a href="#v3-10-3">v3\.10\.3</a>
+    - <a href="#release-summary-28">Release Summary</a>
+    - <a href="#bugfixes-23">Bugfixes</a>
+- <a href="#v3-10-2">v3\.10\.2</a>
+    - <a href="#release-summary-29">Release Summary</a>
+    - <a href="#bugfixes-24">Bugfixes</a>
+- <a href="#v3-10-1">v3\.10\.1</a>
+    - <a href="#release-summary-30">Release Summary</a>
+    - <a href="#bugfixes-25">Bugfixes</a>
+    - <a href="#known-issues-2">Known Issues</a>
+- <a href="#v3-10-0">v3\.10\.0</a>
+    - <a href="#release-summary-31">Release Summary</a>
+    - <a href="#minor-changes-12">Minor Changes</a>
+    - <a href="#deprecated-features-1">Deprecated Features</a>
+- <a href="#v3-9-0">v3\.9\.0</a>
+    - <a href="#release-summary-32">Release Summary</a>
+    - <a href="#minor-changes-13">Minor Changes</a>
+    - <a href="#bugfixes-26">Bugfixes</a>
+- <a href="#v3-8-1">v3\.8\.1</a>
+    - <a href="#release-summary-33">Release Summary</a>
+    - <a href="#security-fixes">Security Fixes</a>
+    - <a href="#bugfixes-27">Bugfixes</a>
+- <a href="#v3-8-0">v3\.8\.0</a>
+    - <a href="#release-summary-34">Release Summary</a>
+    - <a href="#minor-changes-14">Minor Changes</a>
+    - <a href="#bugfixes-28">Bugfixes</a>
+- <a href="#v3-7-0">v3\.7\.0</a>
+    - <a href="#release-summary-35">Release Summary</a>
+    - <a href="#minor-changes-15">Minor Changes</a>
+    - <a href="#bugfixes-29">Bugfixes</a>
+    - <a href="#new-modules-2">New Modules</a>
+- <a href="#v3-6-0">v3\.6\.0</a>
+    - <a href="#release-summary-36">Release Summary</a>
+    - <a href="#major-changes">Major Changes</a>
+    - <a href="#minor-changes-16">Minor Changes</a>
+    - <a href="#bugfixes-30">Bugfixes</a>
+    - <a href="#new-modules-3">New Modules</a>
+- <a href="#v3-5-0">v3\.5\.0</a>
+    - <a href="#release-summary-37">Release Summary</a>
+    - <a href="#minor-changes-17">Minor Changes</a>
+    - <a href="#deprecated-features-2">Deprecated Features</a>
+    - <a href="#bugfixes-31">Bugfixes</a>
+- <a href="#v3-4-11">v3\.4\.11</a>
+    - <a href="#release-summary-38">Release Summary</a>
+    - <a href="#bugfixes-32">Bugfixes</a>
+- <a href="#v3-4-10">v3\.4\.10</a>
+    - <a href="#release-summary-39">Release Summary</a>
+    - <a href="#bugfixes-33">Bugfixes</a>
+- <a href="#v3-4-9">v3\.4\.9</a>
+    - <a href="#release-summary-40">Release Summary</a>
+    - <a href="#bugfixes-34">Bugfixes</a>
+- <a href="#v3-4-8">v3\.4\.8</a>
+    - <a href="#release-summary-41">Release Summary</a>
+    - <a href="#known-issues-3">Known Issues</a>
+- <a href="#v3-4-7">v3\.4\.7</a>
+    - <a href="#release-summary-42">Release Summary</a>
+    - <a href="#bugfixes-35">Bugfixes</a>
+- <a href="#v3-4-6">v3\.4\.6</a>
+    - <a href="#release-summary-43">Release Summary</a>
+    - <a href="#bugfixes-36">Bugfixes</a>
+    - <a href="#known-issues-4">Known Issues</a>
+- <a href="#v3-4-5">v3\.4\.5</a>
+    - <a href="#release-summary-44">Release Summary</a>
+    - <a href="#bugfixes-37">Bugfixes</a>
+- <a href="#v3-4-4">v3\.4\.4</a>
+    - <a href="#release-summary-45">Release Summary</a>
+    - <a href="#minor-changes-18">Minor Changes</a>
+    - <a href="#known-issues-5">Known Issues</a>
+- <a href="#v3-4-3">v3\.4\.3</a>
+    - <a href="#release-summary-46">Release Summary</a>
+- <a href="#v3-4-2">v3\.4\.2</a>
+    - <a href="#release-summary-47">Release Summary</a>
+    - <a href="#bugfixes-38">Bugfixes</a>
+- <a href="#v3-4-1">v3\.4\.1</a>
+    - <a href="#release-summary-48">Release Summary</a>
+    - <a href="#bugfixes-39">Bugfixes</a>
+- <a href="#v3-4-0">v3\.4\.0</a>
+    - <a href="#release-summary-49">Release Summary</a>
+    - <a href="#minor-changes-19">Minor Changes</a>
+    - <a href="#bugfixes-40">Bugfixes</a>
+    - <a href="#new-modules-4">New Modules</a>
+- <a href="#v3-3-2">v3\.3\.2</a>
+    - <a href="#release-summary-50">Release Summary</a>
+    - <a href="#bugfixes-41">Bugfixes</a>
+- <a href="#v3-3-1">v3\.3\.1</a>
+    - <a href="#release-summary-51">Release Summary</a>
+    - <a href="#bugfixes-42">Bugfixes</a>
+- <a href="#v3-3-0">v3\.3\.0</a>
+    - <a href="#release-summary-52">Release Summary</a>
+    - <a href="#minor-changes-20">Minor Changes</a>
+    - <a href="#bugfixes-43">Bugfixes</a>
+- <a href="#v3-2-2">v3\.2\.2</a>
+    - <a href="#release-summary-53">Release Summary</a>
+    - <a href="#bugfixes-44">Bugfixes</a>
+- <a href="#v3-2-1">v3\.2\.1</a>
+    - <a href="#release-summary-54">Release Summary</a>
+- <a href="#v3-2-0">v3\.2\.0</a>
+    - <a href="#release-summary-55">Release Summary</a>
+    - <a href="#minor-changes-21">Minor Changes</a>
+    - <a href="#deprecated-features-3">Deprecated Features</a>
+- <a href="#v3-1-0">v3\.1\.0</a>
+    - <a href="#release-summary-56">Release Summary</a>
+    - <a href="#minor-changes-22">Minor Changes</a>
+- <a href="#v3-0-2">v3\.0\.2</a>
+    - <a href="#release-summary-57">Release Summary</a>
+    - <a href="#bugfixes-45">Bugfixes</a>
+- <a href="#v3-0-1">v3\.0\.1</a>
+    - <a href="#release-summary-58">Release Summary</a>
+    - <a href="#bugfixes-46">Bugfixes</a>
+- <a href="#v3-0-0">v3\.0\.0</a>
+    - <a href="#release-summary-59">Release Summary</a>
+    - <a href="#major-changes-1">Major Changes</a>
+    - <a href="#minor-changes-23">Minor Changes</a>
+    - <a href="#breaking-changes--porting-guide-2">Breaking Changes / Porting Guide</a>
+    - <a href="#removed-features-previously-deprecated-2">Removed Features \(previously deprecated\)</a>
+    - <a href="#security-fixes-1">Security Fixes</a>
+    - <a href="#bugfixes-47">Bugfixes</a>
+- <a href="#v2-7-0">v2\.7\.0</a>
+    - <a href="#release-summary-60">Release Summary</a>
+    - <a href="#minor-changes-24">Minor Changes</a>
+    - <a href="#deprecated-features-4">Deprecated Features</a>
+    - <a href="#bugfixes-48">Bugfixes</a>
+- <a href="#v2-6-0">v2\.6\.0</a>
+    - <a href="#release-summary-61">Release Summary</a>
+    - <a href="#minor-changes-25">Minor Changes</a>
+    - <a href="#deprecated-features-5">Deprecated Features</a>
+    - <a href="#bugfixes-49">Bugfixes</a>
+- <a href="#v2-5-1">v2\.5\.1</a>
+    - <a href="#release-summary-62">Release Summary</a>
+    - <a href="#bugfixes-50">Bugfixes</a>
+- <a href="#v2-5-0">v2\.5\.0</a>
+    - <a href="#release-summary-63">Release Summary</a>
+    - <a href="#minor-changes-26">Minor Changes</a>
+- <a href="#v2-4-0">v2\.4\.0</a>
+    - <a href="#release-summary-64">Release Summary</a>
+    - <a href="#minor-changes-27">Minor Changes</a>
+    - <a href="#bugfixes-51">Bugfixes</a>
+- <a href="#v2-3-0">v2\.3\.0</a>
+    - <a href="#release-summary-65">Release Summary</a>
+    - <a href="#minor-changes-28">Minor Changes</a>
+    - <a href="#bugfixes-52">Bugfixes</a>
+- <a href="#v2-2-1">v2\.2\.1</a>
+    - <a href="#release-summary-66">Release Summary</a>
+    - <a href="#bugfixes-53">Bugfixes</a>
+- <a href="#v2-2-0">v2\.2\.0</a>
+    - <a href="#release-summary-67">Release Summary</a>
+    - <a href="#minor-changes-29">Minor Changes</a>
+    - <a href="#bugfixes-54">Bugfixes</a>
+- <a href="#v2-1-1">v2\.1\.1</a>
+    - <a href="#release-summary-68">Release Summary</a>
+    - <a href="#bugfixes-55">Bugfixes</a>
+- <a href="#v2-1-0">v2\.1\.0</a>
+    - <a href="#release-summary-69">Release Summary</a>
+    - <a href="#minor-changes-30">Minor Changes</a>
+    - <a href="#bugfixes-56">Bugfixes</a>
+- <a href="#v2-0-2">v2\.0\.2</a>
+    - <a href="#release-summary-70">Release Summary</a>
+    - <a href="#bugfixes-57">Bugfixes</a>
+- <a href="#v2-0-1">v2\.0\.1</a>
+    - <a href="#release-summary-71">Release Summary</a>
+- <a href="#v2-0-0">v2\.0\.0</a>
+    - <a href="#release-summary-72">Release Summary</a>
+    - <a href="#breaking-changes--porting-guide-3">Breaking Changes / Porting Guide</a>
+    - <a href="#deprecated-features-6">Deprecated Features</a>
+    - <a href="#removed-features-previously-deprecated-3">Removed Features \(previously deprecated\)</a>
+- <a href="#v1-10-0">v1\.10\.0</a>
+    - <a href="#release-summary-73">Release Summary</a>
+    - <a href="#minor-changes-31">Minor Changes</a>
+- <a href="#v1-9-1">v1\.9\.1</a>
+    - <a href="#release-summary-74">Release Summary</a>
+    - <a href="#bugfixes-58">Bugfixes</a>
+- <a href="#v1-9-0">v1\.9\.0</a>
+    - <a href="#release-summary-75">Release Summary</a>
+    - <a href="#minor-changes-32">Minor Changes</a>
+    - <a href="#deprecated-features-7">Deprecated Features</a>
+    - <a href="#bugfixes-59">Bugfixes</a>
+    - <a href="#new-plugins">New Plugins</a>
+        - <a href="#connection">Connection</a>
+- <a href="#v1-8-0">v1\.8\.0</a>
+    - <a href="#release-summary-76">Release Summary</a>
+    - <a href="#minor-changes-33">Minor Changes</a>
+    - <a href="#bugfixes-60">Bugfixes</a>
+- <a href="#v1-7-0">v1\.7\.0</a>
+    - <a href="#release-summary-77">Release Summary</a>
+    - <a href="#minor-changes-34">Minor Changes</a>
+- <a href="#v1-6-1">v1\.6\.1</a>
+    - <a href="#release-summary-78">Release Summary</a>
+    - <a href="#bugfixes-61">Bugfixes</a>
+- <a href="#v1-6-0">v1\.6\.0</a>
+    - <a href="#release-summary-79">Release Summary</a>
+    - <a href="#minor-changes-35">Minor Changes</a>
+    - <a href="#deprecated-features-8">Deprecated Features</a>
+    - <a href="#bugfixes-62">Bugfixes</a>
+- <a href="#v1-5-0">v1\.5\.0</a>
+    - <a href="#release-summary-80">Release Summary</a>
+    - <a href="#minor-changes-36">Minor Changes</a>
+    - <a href="#bugfixes-63">Bugfixes</a>
+    - <a href="#new-modules-5">New Modules</a>
+- <a href="#v1-4-0">v1\.4\.0</a>
+    - <a href="#release-summary-81">Release Summary</a>
+    - <a href="#minor-changes-37">Minor Changes</a>
+    - <a href="#breaking-changes--porting-guide-4">Breaking Changes / Porting Guide</a>
+    - <a href="#security-fixes-2">Security Fixes</a>
+    - <a href="#bugfixes-64">Bugfixes</a>
+- <a href="#v1-3-0">v1\.3\.0</a>
+    - <a href="#release-summary-82">Release Summary</a>
+    - <a href="#minor-changes-38">Minor Changes</a>
+    - <a href="#bugfixes-65">Bugfixes</a>
+    - <a href="#new-modules-6">New Modules</a>
+- <a href="#v1-2-2">v1\.2\.2</a>
+    - <a href="#release-summary-83">Release Summary</a>
+    - <a href="#security-fixes-3">Security Fixes</a>
+- <a href="#v1-2-1">v1\.2\.1</a>
+    - <a href="#release-summary-84">Release Summary</a>
+    - <a href="#bugfixes-66">Bugfixes</a>
+- <a href="#v1-2-0">v1\.2\.0</a>
+    - <a href="#release-summary-85">Release Summary</a>
+    - <a href="#minor-changes-39">Minor Changes</a>
+    - <a href="#bugfixes-67">Bugfixes</a>
+- <a href="#v1-1-0">v1\.1\.0</a>
+    - <a href="#release-summary-86">Release Summary</a>
+    - <a href="#minor-changes-40">Minor Changes</a>
+    - <a href="#deprecated-features-9">Deprecated Features</a>
+    - <a href="#bugfixes-68">Bugfixes</a>
+    - <a href="#new-plugins-1">New Plugins</a>
+        - <a href="#connection-1">Connection</a>
+        - <a href="#inventory">Inventory</a>
+    - <a href="#new-modules-7">New Modules</a>
+- <a href="#v1-0-1">v1\.0\.1</a>
+    - <a href="#release-summary-87">Release Summary</a>
+    - <a href="#bugfixes-69">Bugfixes</a>
+- <a href="#v1-0-0">v1\.0\.0</a>
+    - <a href="#release-summary-88">Release Summary</a>
+    - <a href="#minor-changes-41">Minor Changes</a>
+- <a href="#v0-1-0">v0\.1\.0</a>
+    - <a href="#release-summary-89">Release Summary</a>
+    - <a href="#minor-changes-42">Minor Changes</a>
+    - <a href="#removed-features-previously-deprecated-4">Removed Features \(previously deprecated\)</a>
+    - <a href="#bugfixes-70">Bugfixes</a>
+
+<a id="v5-0-5"></a>
+## v5\.0\.5
+
+<a id="release-summary"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes"></a>
+### Bugfixes
+
+* modules and plugins using the Docker SDK for Python \- do not automatically set <code>tls\_hostname</code> when <code>validate\_certs\=true</code> for Docker SDK for Python 7\.0\.0\+ \([https\://github\.com/ansible\-collections/community\.docker/issues/1225](https\://github\.com/ansible\-collections/community\.docker/issues/1225)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1226](https\://github\.com/ansible\-collections/community\.docker/pull/1226)\)\.
+
+<a id="v5-0-4"></a>
+## v5\.0\.4
+
+<a id="release-summary-1"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-1"></a>
+### Bugfixes
+
+* CLI\-based modules \- when parsing JSON output fails\, also provide standard error output\. Also provide information on the command and its result in machine\-readable way \([https\://github\.com/ansible\-collections/community\.docker/issues/1216](https\://github\.com/ansible\-collections/community\.docker/issues/1216)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1221](https\://github\.com/ansible\-collections/community\.docker/pull/1221)\)\.
+* docker\_compose\_v2\, docker\_compose\_v2\_pull \- adjust parsing from image pull events to changes in Docker Compose 5\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1219](https\://github\.com/ansible\-collections/community\.docker/pull/1219)\)\.
+
+<a id="v5-0-3"></a>
+## v5\.0\.3
+
+<a id="release-summary-2"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-2"></a>
+### Bugfixes
+
+* docker\_container \- when the same port is mapped more than once for the same protocol without specifying an interface\, a bug caused an invalid value to be passed for the interface \([https\://github\.com/ansible\-collections/community\.docker/issues/1213](https\://github\.com/ansible\-collections/community\.docker/issues/1213)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1214](https\://github\.com/ansible\-collections/community\.docker/pull/1214)\)\.
+
+<a id="v5-0-2"></a>
+## v5\.0\.2
+
+<a id="release-summary-3"></a>
+### Release Summary
+
+Bugfix release for Docker 29\.
+
+<a id="bugfixes-3"></a>
+### Bugfixes
+
+* Docker CLI based modules \- work around bug in Docker 29\.0\.0 that caused a breaking change in <code>docker version \-\-format json</code> output \([https\://github\.com/ansible\-collections/community\.docker/issues/1185](https\://github\.com/ansible\-collections/community\.docker/issues/1185)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1187](https\://github\.com/ansible\-collections/community\.docker/pull/1187)\)\.
+* docker\_container \- fix <code>pull</code> idempotency with Docker 29\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1192](https\://github\.com/ansible\-collections/community\.docker/pull/1192)\)\.
+* docker\_container \- fix handling of exposed port ranges\. So far\, the module used an undocumented feature of Docker that was removed from Docker 29\.0\.0\, that allowed to pass the range to the deamon and let handle it\. Now the module explodes ranges into a list of all contained ports\, same as the Docker CLI does\. For backwards compatibility with Docker \< 29\.0\.0\, it also explodes ranges returned by the API for existing containers so that comparison should only indicate a difference if the ranges actually change \([https\://github\.com/ansible\-collections/community\.docker/pull/1192](https\://github\.com/ansible\-collections/community\.docker/pull/1192)\)\.
+* docker\_container \- fix idempotency for IPv6 addresses with Docker 29\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1192](https\://github\.com/ansible\-collections/community\.docker/pull/1192)\)\.
+* docker\_image \- fix <code>source\=pull</code> idempotency with Docker 29\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1192](https\://github\.com/ansible\-collections/community\.docker/pull/1192)\)\.
+* docker\_image\, docker\_image\_push \- adjust image push detection to Docker 29 \([https\://github\.com/ansible\-collections/community\.docker/pull/1199](https\://github\.com/ansible\-collections/community\.docker/pull/1199)\)\.
+* docker\_image\_pull \- fix idempotency with Docker 29\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1192](https\://github\.com/ansible\-collections/community\.docker/pull/1192)\)\.
+* docker\_network \- fix idempotency for IPv6 addresses and networks with Docker 29\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/1201](https\://github\.com/ansible\-collections/community\.docker/pull/1201)\)\.
+
+<a id="known-issues"></a>
+### Known Issues
+
+* docker\_image\, docker\_image\_export \- idempotency for archiving images depends on whether the image IDs used by the image storage backend correspond to the IDs used in the tarball\'s <code>manifest\.json</code> files\. The new default backend in Docker 29 apparently uses image IDs that no longer correspond\, whence idempotency no longer works \([https\://github\.com/ansible\-collections/community\.docker/pull/1199](https\://github\.com/ansible\-collections/community\.docker/pull/1199)\)\.
+
+<a id="v5-0-1"></a>
+## v5\.0\.1
+
+<a id="release-summary-4"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-4"></a>
+### Bugfixes
+
+* docker\_compose\_v2\_run \- when <code>detach\=true</code>\, ensure that the returned container ID is not a bytes string \([https\://github\.com/ansible\-collections/community\.docker/pull/1183](https\://github\.com/ansible\-collections/community\.docker/pull/1183)\)\.
+* docker\_image \- fix \'Cannot locate specified Dockerfile\' error \([https\://github\.com/ansible\-collections/community\.docker/pull/1184](https\://github\.com/ansible\-collections/community\.docker/pull/1184)\)\.
+
+<a id="v5-0-0"></a>
+## v5\.0\.0
+
+<a id="release-summary-5"></a>
+### Release Summary
+
+New major release\.
+
+The main changes are that the collection dropped support for some ansible\-core
+versions that are End of Life\, and thus dropped support for Python 2\.7\.
+This allowed to modernize the Python code\, in particular with type hints\.
+Also all module and plugin utils are now private to the collection\, which
+makes it easier to refactor code\. All these changes should have no effect on
+end\-users\.
+
+<a id="minor-changes"></a>
+### Minor Changes
+
+* docker\_container \- add <code>driver\_opts</code> option in <code>networks</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/1142](https\://github\.com/ansible\-collections/community\.docker/issues/1142)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1143](https\://github\.com/ansible\-collections/community\.docker/pull/1143)\)\.
+* docker\_container \- add <code>gw\_priority</code> option in <code>networks</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/1142](https\://github\.com/ansible\-collections/community\.docker/issues/1142)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1143](https\://github\.com/ansible\-collections/community\.docker/pull/1143)\)\.
+
+<a id="breaking-changes--porting-guide"></a>
+### Breaking Changes / Porting Guide
+
+* All doc fragments\, module utils\, and plugin utils are from now on private\. They can change at any time\, and have breaking changes even in bugfix releases \([https\://github\.com/ansible\-collections/community\.docker/pull/1144](https\://github\.com/ansible\-collections/community\.docker/pull/1144)\)\.
+
+<a id="removed-features-previously-deprecated"></a>
+### Removed Features \(previously deprecated\)
+
+* Remove support for Docker SDK for Python version 1\.x\.y\, also known as <code>docker\-py</code>\. Modules and plugins that use Docker SDK for Python require version 2\.0\.0\+ \([https\://github\.com/ansible\-collections/community\.docker/pull/1171](https\://github\.com/ansible\-collections/community\.docker/pull/1171)\)\.
+* The collection no longer supports Python 3\.6 and before\. Note that this coincides with the Python requirements of ansible\-core 2\.17\+ \([https\://github\.com/ansible\-collections/community\.docker/pull/1123](https\://github\.com/ansible\-collections/community\.docker/pull/1123)\)\.
+* The collection no longer supports ansible\-core 2\.15 and 2\.16\. You need ansible\-core 2\.17\.0 or newer to use community\.docker 5\.x\.y \([https\://github\.com/ansible\-collections/community\.docker/pull/1123](https\://github\.com/ansible\-collections/community\.docker/pull/1123)\)\.
+
+<a id="bugfixes-5"></a>
+### Bugfixes
+
+* docker connection plugin \- fix crash instead of warning if Docker version does not support <code>remote\_user</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1161](https\://github\.com/ansible\-collections/community\.docker/pull/1161)\)\.
+* docker\, nsenter connection plugins \- fix handling of <code>become</code> plugin password prompt handling in case multiple events arrive at the same time \([https\://github\.com/ansible\-collections/community\.docker/pull/1158](https\://github\.com/ansible\-collections/community\.docker/pull/1158)\)\.
+* docker\_api connection plugin \- fix bug that could lead to loss of data when waiting for <code>become</code> plugin prompt \([https\://github\.com/ansible\-collections/community\.docker/pull/1152](https\://github\.com/ansible\-collections/community\.docker/pull/1152)\)\.
+* docker\_compose\_v2\_exec \- fix crash instead of reporting error if <code>detach\=true</code> and <code>stdin</code> is provided \([https\://github\.com/ansible\-collections/community\.docker/pull/1161](https\://github\.com/ansible\-collections/community\.docker/pull/1161)\)\.
+* docker\_compose\_v2\_run \- fix crash instead of reporting error if <code>detach\=true</code> and <code>stdin</code> is provided \([https\://github\.com/ansible\-collections/community\.docker/pull/1161](https\://github\.com/ansible\-collections/community\.docker/pull/1161)\)\.
+* docker\_container\_exec \- fix bug that could lead to loss of stdout/stderr data \([https\://github\.com/ansible\-collections/community\.docker/pull/1152](https\://github\.com/ansible\-collections/community\.docker/pull/1152)\)\.
+* docker\_container\_exec \- make <code>detach\=true</code> work\. So far this resulted in no execution being done \([https\://github\.com/ansible\-collections/community\.docker/pull/1145](https\://github\.com/ansible\-collections/community\.docker/pull/1145)\)\.
+* docker\_plugin \- fix diff mode for plugin options \([https\://github\.com/ansible\-collections/community\.docker/pull/1146](https\://github\.com/ansible\-collections/community\.docker/pull/1146)\)\.
+
+<a id="v4-8-1"></a>
+## v4\.8\.1
+
+<a id="release-summary-6"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="minor-changes-1"></a>
+### Minor Changes
+
+* Note that some new code in <code>plugins/module\_utils/\_six\.py</code> is MIT licensed \([https\://github\.com/ansible\-collections/community\.docker/pull/1138](https\://github\.com/ansible\-collections/community\.docker/pull/1138)\)\.
+
+<a id="bugfixes-6"></a>
+### Bugfixes
+
+* Avoid remaining usages of deprecated <code>ansible\.module\_utils\.six</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1133](https\://github\.com/ansible\-collections/community\.docker/pull/1133)\)\.
+* Avoid usage of deprecated <code>ansible\.module\_utils\.six</code> in all code that does not have to support Python 2 \([https\://github\.com/ansible\-collections/community\.docker/pull/1137](https\://github\.com/ansible\-collections/community\.docker/pull/1137)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1139](https\://github\.com/ansible\-collections/community\.docker/pull/1139)\)\.
+* Avoid usage of deprecated <code>ansible\.module\_utils\.six</code> in some of the code that still supports Python 2 \([https\://github\.com/ansible\-collections/community\.docker/pull/1138](https\://github\.com/ansible\-collections/community\.docker/pull/1138)\)\.
+
+<a id="v4-8-0"></a>
+## v4\.8\.0
+
+<a id="release-summary-7"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-2"></a>
+### Minor Changes
+
+* docker\_container \- support missing fields and new mount types in <code>mounts</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/1129](https\://github\.com/ansible\-collections/community\.docker/issues/1129)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1134](https\://github\.com/ansible\-collections/community\.docker/pull/1134)\)\.
+
+<a id="bugfixes-7"></a>
+### Bugfixes
+
+* Avoid deprecated functionality in ansible\-core 2\.20 \([https\://github\.com/ansible\-collections/community\.docker/pull/1117](https\://github\.com/ansible\-collections/community\.docker/pull/1117)\)\.
+
+<a id="v4-7-0"></a>
+## v4\.7\.0
+
+<a id="release-summary-8"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-3"></a>
+### Minor Changes
+
+* docker\_swarm\_service \- add support for <code>replicated\-job</code> mode for Swarm services \([https\://github\.com/ansible\-collections/community\.docker/issues/626](https\://github\.com/ansible\-collections/community\.docker/issues/626)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1108](https\://github\.com/ansible\-collections/community\.docker/pull/1108)\)\.
+
+<a id="bugfixes-8"></a>
+### Bugfixes
+
+* docker\_image\, docker\_image\_push \- work around a bug in Docker 28\.3\.3 that prevents pushing without authentication to a registry \([https\://github\.com/ansible\-collections/community\.docker/pull/1110](https\://github\.com/ansible\-collections/community\.docker/pull/1110)\)\.
+
+<a id="v4-6-2"></a>
+## v4\.6\.2
+
+<a id="release-summary-9"></a>
+### Release Summary
+
+Bugfix release for Docker Compose 2\.39\.0\+\.
+
+<a id="bugfixes-9"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- adjust to new dry\-run build events in Docker Compose 2\.39\.0\+ \([https\://github\.com/ansible\-collections/community\.docker/pull/1101](https\://github\.com/ansible\-collections/community\.docker/pull/1101)\)\.
+
+<a id="v4-6-1"></a>
+## v4\.6\.1
+
+<a id="release-summary-10"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-10"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- handle a \(potentially unintentional\) breaking change in Docker Compose 2\.37\.0\. Note that <code>ContainerName</code> is no longer part of the return value \([https\://github\.com/ansible\-collections/community\.docker/issues/1082](https\://github\.com/ansible\-collections/community\.docker/issues/1082)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1083](https\://github\.com/ansible\-collections/community\.docker/pull/1083)\)\.
+* docker\_container \- fix idempotency if <code>command\=\[\]</code> and <code>command\_handling\=correct</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/1080](https\://github\.com/ansible\-collections/community\.docker/issues/1080)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1085](https\://github\.com/ansible\-collections/community\.docker/pull/1085)\)\.
+
+<a id="v4-6-0"></a>
+## v4\.6\.0
+
+<a id="release-summary-11"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-4"></a>
+### Minor Changes
+
+* docker\_container\_copy\_into \- add <code>mode\_parse</code> parameter which determines how <code>mode</code> is parsed \([https\://github\.com/ansible\-collections/community\.docker/pull/1074](https\://github\.com/ansible\-collections/community\.docker/pull/1074)\)\.
+
+<a id="v4-5-2"></a>
+## v4\.5\.2
+
+<a id="release-summary-12"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-11"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- fix version check for <code>assume\_yes</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1054](https\://github\.com/ansible\-collections/community\.docker/pull/1054)\)\.
+* docker\_compose\_v2 \- use <code>\-\-yes</code> instead of <code>\-y</code> from Docker Compose 2\.34\.0 on \([https\://github\.com/ansible\-collections/community\.docker/pull/1060](https\://github\.com/ansible\-collections/community\.docker/pull/1060)\)\.
+
+<a id="v4-5-1"></a>
+## v4\.5\.1
+
+<a id="release-summary-13"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-12"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- rename flag for <code>assume\_yes</code> parameter for <code>docker compose up</code> to <code>\-y</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1054](https\://github\.com/ansible\-collections/community\.docker/pull/1054)\)\.
+
+<a id="v4-5-0"></a>
+## v4\.5\.0
+
+<a id="release-summary-14"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-5"></a>
+### Minor Changes
+
+* docker\_compose\_v2 \- add <code>assume\_yes</code> parameter for <code>docker compose up</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1045](https\://github\.com/ansible\-collections/community\.docker/pull/1045)\)\.
+* docker\_network \- add <code>enable\_ipv4</code> option \([https\://github\.com/ansible\-collections/community\.docker/issues/1047](https\://github\.com/ansible\-collections/community\.docker/issues/1047)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1049](https\://github\.com/ansible\-collections/community\.docker/pull/1049)\)\.
+
+<a id="v4-4-0"></a>
+## v4\.4\.0
+
+<a id="release-summary-15"></a>
+### Release Summary
+
+Feature and bugfix release\.
+
+<a id="bugfixes-13"></a>
+### Bugfixes
+
+* docker\_compose\_v2\_run \- the module has a conflict between the type of parameter it expects and the one it tries to sanitize\. Fix removes the label sanitization step because they are already validated by the parameter definition \([https\://github\.com/ansible\-collections/community\.docker/pull/1034](https\://github\.com/ansible\-collections/community\.docker/pull/1034)\)\.
+* vendored Docker SDK for Python \- do not assume that <code>KeyError</code> is always for <code>ApiVersion</code> when querying version fails \([https\://github\.com/ansible\-collections/community\.docker/issues/1033](https\://github\.com/ansible\-collections/community\.docker/issues/1033)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1034](https\://github\.com/ansible\-collections/community\.docker/pull/1034)\)\.
+
+<a id="new-modules"></a>
+### New Modules
+
+* community\.docker\.docker\_context\_info \- Retrieve information on Docker contexts for the current user\.
+
+<a id="v4-3-1"></a>
+## v4\.3\.1
+
+<a id="release-summary-16"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-14"></a>
+### Bugfixes
+
+* Fix label sanitization code to avoid crashes in case of errors \([https\://github\.com/ansible\-collections/community\.docker/issues/1028](https\://github\.com/ansible\-collections/community\.docker/issues/1028)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1029](https\://github\.com/ansible\-collections/community\.docker/pull/1029)\)\.
+
+<a id="v4-3-0"></a>
+## v4\.3\.0
+
+<a id="release-summary-17"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-6"></a>
+### Minor Changes
+
+* docker\_compose\_v2\* modules \- determine compose version with <code>docker compose version</code> and only then fall back to <code>docker info</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1021](https\://github\.com/ansible\-collections/community\.docker/pull/1021)\)\.
+
+<a id="v4-2-0"></a>
+## v4\.2\.0
+
+<a id="release-summary-18"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-7"></a>
+### Minor Changes
+
+* docker\_compose\_v2 \- add <code>ignore\_build\_events</code> option \(default value <code>true</code>\) which allows to \(not\) ignore build events for change detection \([https\://github\.com/ansible\-collections/community\.docker/issues/1005](https\://github\.com/ansible\-collections/community\.docker/issues/1005)\, [https\://github\.com/ansible\-collections/community\.docker/issues/pull/1011](https\://github\.com/ansible\-collections/community\.docker/issues/pull/1011)\)\.
+* docker\_image\_build \- <code>outputs\[\]\.name</code> can now be a list of strings \([https\://github\.com/ansible\-collections/community\.docker/pull/1006](https\://github\.com/ansible\-collections/community\.docker/pull/1006)\)\.
+* docker\_image\_build \- the executed command is now returned in the <code>command</code> return value in case of success and some errors \([https\://github\.com/ansible\-collections/community\.docker/pull/1006](https\://github\.com/ansible\-collections/community\.docker/pull/1006)\)\.
+* docker\_network \- added <code>ingress</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/999](https\://github\.com/ansible\-collections/community\.docker/pull/999)\)\.
+
+<a id="bugfixes-15"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- when using Compose 2\.31\.0 or newer\, revert to the old behavior that image rebuilds\, for example if <code>rebuild\=always</code>\, only result in <code>changed</code> if a container has been restarted \([https\://github\.com/ansible\-collections/community\.docker/issues/1005](https\://github\.com/ansible\-collections/community\.docker/issues/1005)\, [https\://github\.com/ansible\-collections/community\.docker/issues/pull/1011](https\://github\.com/ansible\-collections/community\.docker/issues/pull/1011)\)\.
+* docker\_image\_build \- work around bug resp\. very unexpected behavior in Docker buildx that overwrites all image names in <code>\-\-output</code> parameters if <code>\-\-tag</code> is provided\, which the module did by default in the past\. The module now only supplies <code>\-\-tag</code> if <code>outputs</code> is empty\. If <code>outputs</code> has entries\, it will add an additional entry with <code>type\=image</code> if no entry of <code>type\=image</code> contains the image name specified by the <code>name</code> and <code>tag</code> options \([https\://github\.com/ansible\-collections/community\.docker/issues/1001](https\://github\.com/ansible\-collections/community\.docker/issues/1001)\, [https\://github\.com/ansible\-collections/community\.docker/pull/1006](https\://github\.com/ansible\-collections/community\.docker/pull/1006)\)\.
+* docker\_network \- added waiting while container actually disconnect from Swarm network \([https\://github\.com/ansible\-collections/community\.docker/pull/999](https\://github\.com/ansible\-collections/community\.docker/pull/999)\)\.
+* docker\_network \- containers are only reconnected to a network if they really exist \([https\://github\.com/ansible\-collections/community\.docker/pull/999](https\://github\.com/ansible\-collections/community\.docker/pull/999)\)\.
+* docker\_network \- enabled \"force\" option in Docker network container disconnect API call \([https\://github\.com/ansible\-collections/community\.docker/pull/999](https\://github\.com/ansible\-collections/community\.docker/pull/999)\)\.
+* docker\_swarm\_info \- do not crash when finding Swarm jobs if <code>services\=true</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/1003](https\://github\.com/ansible\-collections/community\.docker/issues/1003)\)\.
+
+<a id="v4-1-0"></a>
+## v4\.1\.0
+
+<a id="release-summary-19"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-8"></a>
+### Minor Changes
+
+* docker\_stack \- allow to add <code>\-\-detach\=false</code> option to <code>docker stack deploy</code> command \([https\://github\.com/ansible\-collections/community\.docker/pull/987](https\://github\.com/ansible\-collections/community\.docker/pull/987)\)\.
+
+<a id="bugfixes-16"></a>
+### Bugfixes
+
+* docker\_compose\_v2\_exec\, docker\_compose\_v2\_run \- fix missing <code>\-\-env</code> flag while assembling env arguments \([https\://github\.com/ansible\-collections/community\.docker/pull/992](https\://github\.com/ansible\-collections/community\.docker/pull/992)\)\.
+* docker\_host\_info \- ensure that the module always returns <code>can\_talk\_to\_docker</code>\, and that it provides the correct value even if <code>api\_version</code> is specified \([https\://github\.com/ansible\-collections/community\.docker/issues/993](https\://github\.com/ansible\-collections/community\.docker/issues/993)\, [https\://github\.com/ansible\-collections/community\.docker/pull/995](https\://github\.com/ansible\-collections/community\.docker/pull/995)\)\.
+
+<a id="v4-0-1"></a>
+## v4\.0\.1
+
+<a id="release-summary-20"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-17"></a>
+### Bugfixes
+
+* docker\_compose\_v2\_run \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_config \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_network \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_node \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_secret \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_swarm \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_swarm\_service \- make sure to sanitize <code>labels</code> and <code>container\_labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+* docker\_volume \- make sure to sanitize <code>labels</code> before sending them to the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/985](https\://github\.com/ansible\-collections/community\.docker/pull/985)\)\.
+
+<a id="v4-0-0"></a>
+## v4\.0\.0
+
+<a id="release-summary-21"></a>
+### Release Summary
+
+Major release with removed deprecated features\.
+
+<a id="minor-changes-9"></a>
+### Minor Changes
+
+* docker\_compose\_v2 \- add <code>renew\_anon\_volumes</code> parameter for <code>docker compose up</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/977](https\://github\.com/ansible\-collections/community\.docker/pull/977)\)\.
+
+<a id="breaking-changes--porting-guide-1"></a>
+### Breaking Changes / Porting Guide
+
+* docker\_container \- the default of <code>image\_name\_mismatch</code> changed from <code>ignore</code> to <code>recreate</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+
+<a id="removed-features-previously-deprecated-1"></a>
+### Removed Features \(previously deprecated\)
+
+* The collection no longer supports ansible\-core 2\.11\, 2\.12\, 2\.13\, and 2\.14\. You need ansible\-core 2\.15\.0 or newer to use community\.docker 4\.x\.y \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+* The docker\_compose module has been removed\. Please migrate to community\.docker\.docker\_compose\_v2 \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+* docker\_container \- the <code>ignore\_image</code> option has been removed\. Use <code>image\: ignore</code> in <code>comparisons</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+* docker\_container \- the <code>purge\_networks</code> option has been removed\. Use <code>networks\: strict</code> in <code>comparisons</code> instead and make sure that <code>networks</code> is specified \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+* various modules and plugins \- remove the <code>ssl\_version</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/971](https\://github\.com/ansible\-collections/community\.docker/pull/971)\)\.
+
+<a id="v3-13-1"></a>
+## v3\.13\.1
+
+<a id="release-summary-22"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-18"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- improve parsing of dry\-run image build operations from JSON events \([https\://github\.com/ansible\-collections/community\.docker/issues/975](https\://github\.com/ansible\-collections/community\.docker/issues/975)\, [https\://github\.com/ansible\-collections/community\.docker/pull/976](https\://github\.com/ansible\-collections/community\.docker/pull/976)\)\.
+
+<a id="v3-13-0"></a>
+## v3\.13\.0
+
+<a id="release-summary-23"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="new-modules-1"></a>
+### New Modules
+
+* community\.docker\.docker\_compose\_v2\_exec \- Run command in a container of a Compose service\.
+* community\.docker\.docker\_compose\_v2\_run \- Run command in a new container of a Compose service\.
+
+<a id="v3-12-2"></a>
+## v3\.12\.2
+
+<a id="release-summary-24"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-19"></a>
+### Bugfixes
+
+* docker\_prune \- fix handling of lists for the filter options \([https\://github\.com/ansible\-collections/community\.docker/issues/961](https\://github\.com/ansible\-collections/community\.docker/issues/961)\, [https\://github\.com/ansible\-collections/community\.docker/pull/966](https\://github\.com/ansible\-collections/community\.docker/pull/966)\)\.
+
+<a id="v3-12-1"></a>
+## v3\.12\.1
+
+<a id="release-summary-25"></a>
+### Release Summary
+
+Maintenance release with updated documentation and changelog\.
+
+<a id="deprecated-features"></a>
+### Deprecated Features
+
+* The collection deprecates support for all ansible\-core versions that are currently End of Life\, [according to the ansible\-core support matrix](https\://docs\.ansible\.com/ansible\-core/devel/reference\_appendices/release\_and\_maintenance\.html\#ansible\-core\-support\-matrix)\. This means that the next major release of the collection will no longer support ansible\-core 2\.11\, ansible\-core 2\.12\, ansible\-core 2\.13\, and ansible\-core 2\.14\.
+
+<a id="v3-12-0"></a>
+## v3\.12\.0
+
+<a id="release-summary-26"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-10"></a>
+### Minor Changes
+
+* docker\, docker\_api connection plugins \- allow to determine the working directory when executing commands with the new <code>working\_dir</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/943](https\://github\.com/ansible\-collections/community\.docker/pull/943)\)\.
+* docker\, docker\_api connection plugins \- allow to execute commands with extended privileges with the new <code>privileges</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/943](https\://github\.com/ansible\-collections/community\.docker/pull/943)\)\.
+* docker\, docker\_api connection plugins \- allow to pass extra environment variables when executing commands with the new <code>extra\_env</code> option \([https\://github\.com/ansible\-collections/community\.docker/issues/937](https\://github\.com/ansible\-collections/community\.docker/issues/937)\, [https\://github\.com/ansible\-collections/community\.docker/pull/940](https\://github\.com/ansible\-collections/community\.docker/pull/940)\)\.
+* docker\_compose\_v2\* modules \- support Docker Compose 2\.29\.0\'s <code>json</code> progress writer to avoid having to parse text output \([https\://github\.com/ansible\-collections/community\.docker/pull/931](https\://github\.com/ansible\-collections/community\.docker/pull/931)\)\.
+* docker\_compose\_v2\_pull \- add new options <code>ignore\_buildable</code>\, <code>include\_deps</code>\, and <code>services</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/941](https\://github\.com/ansible\-collections/community\.docker/issues/941)\, [https\://github\.com/ansible\-collections/community\.docker/pull/942](https\://github\.com/ansible\-collections/community\.docker/pull/942)\)\.
+* docker\_container \- when creating a container\, directly pass all networks to connect to to the Docker Daemon for API version 1\.44 and newer\. This makes creation more efficient and works around a bug in Docker Daemon that does not use the specified MAC address in at least some cases\, though only for creation \([https\://github\.com/ansible\-collections/community\.docker/pull/933](https\://github\.com/ansible\-collections/community\.docker/pull/933)\)\.
+
+<a id="bugfixes-20"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- handle yet another random unstructured error output from pre\-2\.29\.0 Compose versions \([https\://github\.com/ansible\-collections/community\.docker/issues/948](https\://github\.com/ansible\-collections/community\.docker/issues/948)\, [https\://github\.com/ansible\-collections/community\.docker/pull/949](https\://github\.com/ansible\-collections/community\.docker/pull/949)\)\.
+* docker\_compose\_v2 \- make sure that services provided in <code>services</code> are appended to the command line after <code>\-\-</code> and not before it \([https\://github\.com/ansible\-collections/community\.docker/pull/942](https\://github\.com/ansible\-collections/community\.docker/pull/942)\)\.
+* docker\_compose\_v2\* modules\, docker\_image\_build \- provide better error message when required fields are not present in <code>docker version</code> or <code>docker info</code> output\. This can happen if Podman is used instead of Docker \([https\://github\.com/ansible\-collections/community\.docker/issues/891](https\://github\.com/ansible\-collections/community\.docker/issues/891)\, [https\://github\.com/ansible\-collections/community\.docker/pull/935](https\://github\.com/ansible\-collections/community\.docker/pull/935)\)\.
+* docker\_container \- fix idempotency if <code>network\_mode\=default</code> and Docker 26\.1\.0 or later is used\. There was a breaking change in Docker 26\.1\.0 regarding normalization of <code>NetworkMode</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/934](https\://github\.com/ansible\-collections/community\.docker/issues/934)\, [https\://github\.com/ansible\-collections/community\.docker/pull/936](https\://github\.com/ansible\-collections/community\.docker/pull/936)\)\.
+* docker\_container \- restore behavior of the module from community\.docker 2\.x\.y that passes the first network to the Docker Deamon while creating the container \([https\://github\.com/ansible\-collections/community\.docker/pull/933](https\://github\.com/ansible\-collections/community\.docker/pull/933)\)\.
+* docker\_image\_build \- fix <code>\-\-output</code> parameter composition for <code>type\=docker</code> and <code>type\=image</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/946](https\://github\.com/ansible\-collections/community\.docker/issues/946)\, [https\://github\.com/ansible\-collections/community\.docker/pull/947](https\://github\.com/ansible\-collections/community\.docker/pull/947)\)\.
+
+<a id="known-issues-1"></a>
+### Known Issues
+
+* docker\_container \- when specifying a MAC address for a container\'s network\, and the network is attached after container creation \(for example\, due to idempotency checks\)\, the MAC address is at least in some cases ignored by the Docker Daemon \([https\://github\.com/ansible\-collections/community\.docker/pull/933](https\://github\.com/ansible\-collections/community\.docker/pull/933)\)\.
+
+<a id="v3-11-0"></a>
+## v3\.11\.0
+
+<a id="minor-changes-11"></a>
+### Minor Changes
+
+* docker\_container \- add support for <code>device\_cgroup\_rules</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/910](https\://github\.com/ansible\-collections/community\.docker/pull/910)\)\.
+* docker\_container \- the new <code>state\=healthy</code> allows to wait for a container to become healthy on startup\. The <code>healthy\_wait\_timeout</code> option allows to configure the maximum time to wait for this to happen \([https\://github\.com/ansible\-collections/community\.docker/issues/890](https\://github\.com/ansible\-collections/community\.docker/issues/890)\, [https\://github\.com/ansible\-collections/community\.docker/pull/921](https\://github\.com/ansible\-collections/community\.docker/pull/921)\)\.
+
+<a id="bugfixes-21"></a>
+### Bugfixes
+
+* docker\_compose\_v2\* modules \- fix parsing of skipped pull messages for Docker Compose 2\.28\.x \([https\://github\.com/ansible\-collections/community\.docker/issues/911](https\://github\.com/ansible\-collections/community\.docker/issues/911)\, [https\://github\.com/ansible\-collections/community\.docker/pull/916](https\://github\.com/ansible\-collections/community\.docker/pull/916)\)\.
+* docker\_compose\_v2\*\, docker\_stack\*\, docker\_image\_build modules \- using <code>cli\_context</code> no longer leads to an invalid parameter combination being passed to the corresponding Docker CLI tool\, unless <code>docker\_host</code> is also provided\. Combining <code>cli\_context</code> and <code>docker\_host</code> is no longer allowed \([https\://github\.com/ansible\-collections/community\.docker/issues/892](https\://github\.com/ansible\-collections/community\.docker/issues/892)\, [https\://github\.com/ansible\-collections/community\.docker/pull/895](https\://github\.com/ansible\-collections/community\.docker/pull/895)\)\.
+* docker\_container \- fix possible infinite loop if <code>removal\_wait\_timeout</code> is set \([https\://github\.com/ansible\-collections/community\.docker/pull/922](https\://github\.com/ansible\-collections/community\.docker/pull/922)\)\.
+* vendored Docker SDK for Python \- use <code>LooseVersion</code> instead of <code>StrictVersion</code> to compare urllib3 versions\. This is needed for development versions \([https\://github\.com/ansible\-collections/community\.docker/pull/902](https\://github\.com/ansible\-collections/community\.docker/pull/902)\)\.
+
+<a id="v3-10-4"></a>
+## v3\.10\.4
+
+<a id="release-summary-27"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-22"></a>
+### Bugfixes
+
+* docker\_compose \- make sure that the module uses the <code>api\_version</code> parameter \([https\://github\.com/ansible\-collections/community\.docker/pull/881](https\://github\.com/ansible\-collections/community\.docker/pull/881)\)\.
+* docker\_compose\_v2\* modules \- there was no check to make sure that one of <code>project\_src</code> and <code>definition</code> is provided\. The modules crashed if none were provided \([https\://github\.com/ansible\-collections/community\.docker/issues/885](https\://github\.com/ansible\-collections/community\.docker/issues/885)\, [https\://github\.com/ansible\-collections/community\.docker/pull/886](https\://github\.com/ansible\-collections/community\.docker/pull/886)\)\.
+
+<a id="v3-10-3"></a>
+## v3\.10\.3
+
+<a id="release-summary-28"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-23"></a>
+### Bugfixes
+
+* docker and nsenter connection plugins\, docker\_container\_exec module \- avoid using the deprecated <code>ansible\.module\_utils\.compat\.selectors</code> module util with Python 3 \([https\://github\.com/ansible\-collections/community\.docker/issues/870](https\://github\.com/ansible\-collections/community\.docker/issues/870)\, [https\://github\.com/ansible\-collections/community\.docker/pull/871](https\://github\.com/ansible\-collections/community\.docker/pull/871)\)\.
+
+<a id="v3-10-2"></a>
+## v3\.10\.2
+
+<a id="release-summary-29"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-24"></a>
+### Bugfixes
+
+* vendored Docker SDK for Python \- include a fix requests 2\.32\.2\+ compatibility \([https\://github\.com/ansible\-collections/community\.docker/issues/860](https\://github\.com/ansible\-collections/community\.docker/issues/860)\, [https\://github\.com/psf/requests/issues/6707](https\://github\.com/psf/requests/issues/6707)\, [https\://github\.com/ansible\-collections/community\.docker/pull/864](https\://github\.com/ansible\-collections/community\.docker/pull/864)\)\.
+
+<a id="v3-10-1"></a>
+## v3\.10\.1
+
+<a id="release-summary-30"></a>
+### Release Summary
+
+Hotfix release for requests 2\.32\.0 compatibility\.
+
+<a id="bugfixes-25"></a>
+### Bugfixes
+
+* vendored Docker SDK for Python \- include a hotfix for requests 2\.32\.0 compatibility \([https\://github\.com/ansible\-collections/community\.docker/issues/860](https\://github\.com/ansible\-collections/community\.docker/issues/860)\, [https\://github\.com/docker/docker\-py/issues/3256](https\://github\.com/docker/docker\-py/issues/3256)\, [https\://github\.com/ansible\-collections/community\.docker/pull/861](https\://github\.com/ansible\-collections/community\.docker/pull/861)\)\.
+
+<a id="known-issues-2"></a>
+### Known Issues
+
+* Please note that the fix for requests 2\.32\.0 included in community\.docker 3\.10\.1 only
+  fixes problems with the <em>vendored</em> Docker SDK for Python code\. Modules and plugins that
+  use Docker SDK for Python can still fail due to the SDK currently being incompatible
+  with requests 2\.32\.0\.
+
+  If you still experience problems with requests 2\.32\.0\, such as error messages like
+  <code>Not supported URL scheme http\+docker</code>\, please restrict requests to <code>\<2\.32\.0</code>\.
+
+<a id="v3-10-0"></a>
+## v3\.10\.0
+
+<a id="release-summary-31"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-12"></a>
+### Minor Changes
+
+* docker\_container \- adds <code>healthcheck\.start\_interval</code> to support healthcheck start interval setting on containers \([https\://github\.com/ansible\-collections/community\.docker/pull/848](https\://github\.com/ansible\-collections/community\.docker/pull/848)\)\.
+* docker\_container \- adds <code>healthcheck\.test\_cli\_compatible</code> to allow omit test option on containers without remove existing image test \([https\://github\.com/ansible\-collections/community\.docker/pull/847](https\://github\.com/ansible\-collections/community\.docker/pull/847)\)\.
+* docker\_image\_build \- add <code>outputs</code> option to allow configuring outputs for the build \([https\://github\.com/ansible\-collections/community\.docker/pull/852](https\://github\.com/ansible\-collections/community\.docker/pull/852)\)\.
+* docker\_image\_build \- add <code>secrets</code> option to allow passing secrets to the build \([https\://github\.com/ansible\-collections/community\.docker/pull/852](https\://github\.com/ansible\-collections/community\.docker/pull/852)\)\.
+* docker\_image\_build \- allow <code>platform</code> to be a list of platforms instead of only a single platform for multi\-platform builds \([https\://github\.com/ansible\-collections/community\.docker/pull/852](https\://github\.com/ansible\-collections/community\.docker/pull/852)\)\.
+* docker\_network \- adds <code>config\_only</code> and <code>config\_from</code> to support creating and using config only networks \([https\://github\.com/ansible\-collections/community\.docker/issues/395](https\://github\.com/ansible\-collections/community\.docker/issues/395)\)\.
+* docker\_prune \- add new options <code>builder\_cache\_all</code>\, <code>builder\_cache\_filters</code>\, and <code>builder\_cache\_keep\_storage</code>\, and a new return value <code>builder\_cache\_caches\_deleted</code> for pruning build caches \([https\://github\.com/ansible\-collections/community\.docker/issues/844](https\://github\.com/ansible\-collections/community\.docker/issues/844)\, [https\://github\.com/ansible\-collections/community\.docker/issues/845](https\://github\.com/ansible\-collections/community\.docker/issues/845)\)\.
+* docker\_swarm\_service \- adds <code>sysctls</code> to support sysctl settings on swarm services \([https\://github\.com/ansible\-collections/community\.docker/issues/190](https\://github\.com/ansible\-collections/community\.docker/issues/190)\)\.
+
+<a id="deprecated-features-1"></a>
+### Deprecated Features
+
+* docker\_compose \- the Docker Compose v1 module is deprecated and will be removed from community\.docker 4\.0\.0\. Please migrate to the <code>community\.docker\.docker\_compose\_v2</code> module\, which works with Docker Compose v2 \([https\://github\.com/ansible\-collections/community\.docker/issues/823](https\://github\.com/ansible\-collections/community\.docker/issues/823)\, [https\://github\.com/ansible\-collections/community\.docker/pull/833](https\://github\.com/ansible\-collections/community\.docker/pull/833)\)\.
+* various modules and plugins \- the <code>ssl\_version</code> option has been deprecated and will be removed from community\.docker 4\.0\.0\. It has already been removed from Docker SDK for Python 7\.0\.0\, and was only necessary in the past to work around SSL/TLS issues \([https\://github\.com/ansible\-collections/community\.docker/pull/853](https\://github\.com/ansible\-collections/community\.docker/pull/853)\)\.
+
+<a id="v3-9-0"></a>
+## v3\.9\.0
+
+<a id="release-summary-32"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-13"></a>
+### Minor Changes
+
+* The EE requirements now include PyYAML\, since the <code>docker\_compose\_v2\*</code> modules depend on it when the <code>definition</code> option is used\. This should not have a noticable effect on generated EEs since ansible\-core itself depends on PyYAML as well\, and ansible\-builder explicitly ignores this dependency \([https\://github\.com/ansible\-collections/community\.docker/pull/832](https\://github\.com/ansible\-collections/community\.docker/pull/832)\)\.
+* docker\_compose\_v2\* \- the new option <code>check\_files\_existing</code> allows to disable the check for one of the files <code>compose\.yaml</code>\, <code>compose\.yml</code>\, <code>docker\-compose\.yaml</code>\, and <code>docker\-compose\.yml</code> in <code>project\_src</code> if <code>files</code> is not specified\. This is necessary if a non\-standard compose filename is specified through other means\, like the <code>COMPOSE\_FILE</code> environment variable \([https\://github\.com/ansible\-collections/community\.docker/issues/838](https\://github\.com/ansible\-collections/community\.docker/issues/838)\, [https\://github\.com/ansible\-collections/community\.docker/pull/839](https\://github\.com/ansible\-collections/community\.docker/pull/839)\)\.
+* docker\_compose\_v2\* modules \- allow to provide an inline definition of the compose content instead of having to provide a <code>project\_src</code> directory with the compose file written into it \([https\://github\.com/ansible\-collections/community\.docker/issues/829](https\://github\.com/ansible\-collections/community\.docker/issues/829)\, [https\://github\.com/ansible\-collections/community\.docker/pull/832](https\://github\.com/ansible\-collections/community\.docker/pull/832)\)\.
+* vendored Docker SDK for Python \- remove unused code that relies on functionality deprecated in Python 3\.12 \([https\://github\.com/ansible\-collections/community\.docker/pull/834](https\://github\.com/ansible\-collections/community\.docker/pull/834)\)\.
+
+<a id="bugfixes-26"></a>
+### Bugfixes
+
+* docker\_compose\_v2\* \- allow <code>project\_src</code> to be a relative path\, by converting it to an absolute path before using it \([https\://github\.com/ansible\-collections/community\.docker/issues/827](https\://github\.com/ansible\-collections/community\.docker/issues/827)\, [https\://github\.com/ansible\-collections/community\.docker/pull/828](https\://github\.com/ansible\-collections/community\.docker/pull/828)\)\.
+* docker\_compose\_v2\* modules \- abort with a nice error message instead of crash when the Docker Compose CLI plugin version is <code>dev</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/825](https\://github\.com/ansible\-collections/community\.docker/issues/825)\, [https\://github\.com/ansible\-collections/community\.docker/pull/826](https\://github\.com/ansible\-collections/community\.docker/pull/826)\)\.
+* inventory plugins \- add unsafe wrapper to avoid marking strings that do not contain <code>\{</code> or <code>\}</code> as unsafe\, to work around a bug in AWX \([https\://github\.com/ansible\-collections/community\.docker/pull/835](https\://github\.com/ansible\-collections/community\.docker/pull/835)\)\.
+
+<a id="v3-8-1"></a>
+## v3\.8\.1
+
+<a id="release-summary-33"></a>
+### Release Summary
+
+Bugfix release
+
+<a id="security-fixes"></a>
+### Security Fixes
+
+* docker\_containers\, docker\_machine\, and docker\_swarm inventory plugins \- make sure all data received from the Docker daemon / Docker machine is marked as unsafe\, so remote code execution by obtaining texts that can be evaluated as templates is not possible \([https\://www\.die\-welt\.net/2024/03/remote\-code\-execution\-in\-ansible\-dynamic\-inventory\-plugins/](https\://www\.die\-welt\.net/2024/03/remote\-code\-execution\-in\-ansible\-dynamic\-inventory\-plugins/)\, [https\://github\.com/ansible\-collections/community\.docker/pull/815](https\://github\.com/ansible\-collections/community\.docker/pull/815)\)\.
+
+<a id="bugfixes-27"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- do not fail when non\-fatal errors occur\. This can happen when pulling an image fails\, but then the image can be built for another service\. Docker Compose emits an error in that case\, but <code>docker compose up</code> still completes successfully \([https\://github\.com/ansible\-collections/community\.docker/issues/807](https\://github\.com/ansible\-collections/community\.docker/issues/807)\, [https\://github\.com/ansible\-collections/community\.docker/pull/810](https\://github\.com/ansible\-collections/community\.docker/pull/810)\, [https\://github\.com/ansible\-collections/community\.docker/pull/811](https\://github\.com/ansible\-collections/community\.docker/pull/811)\)\.
+* docker\_compose\_v2\* modules \- correctly parse <code>Warning</code> events emitted by Docker Compose \([https\://github\.com/ansible\-collections/community\.docker/issues/807](https\://github\.com/ansible\-collections/community\.docker/issues/807)\, [https\://github\.com/ansible\-collections/community\.docker/pull/811](https\://github\.com/ansible\-collections/community\.docker/pull/811)\)\.
+* docker\_compose\_v2\* modules \- parse <code>logfmt</code> warnings emitted by Docker Compose \([https\://github\.com/ansible\-collections/community\.docker/issues/787](https\://github\.com/ansible\-collections/community\.docker/issues/787)\, [https\://github\.com/ansible\-collections/community\.docker/pull/811](https\://github\.com/ansible\-collections/community\.docker/pull/811)\)\.
+* docker\_compose\_v2\_pull \- fixing idempotence by checking actual pull progress events instead of service\-level pull request when <code>policy\=always</code>\. This stops the module from reporting <code>changed\=true</code> if no actual change happened when pulling\. In check mode\, it has to assume that a change happens though \([https\://github\.com/ansible\-collections/community\.docker/issues/813](https\://github\.com/ansible\-collections/community\.docker/issues/813)\, [https\://github\.com/ansible\-collections/community\.docker/pull/814](https\://github\.com/ansible\-collections/community\.docker/pull/814)\)\.
+
+<a id="v3-8-0"></a>
+## v3\.8\.0
+
+<a id="release-summary-34"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-14"></a>
+### Minor Changes
+
+* docker\_compose\_v2 \- allow to wait until containers are running/health when running <code>docker compose up</code> with the new <code>wait</code> option \([https\://github\.com/ansible\-collections/community\.docker/issues/794](https\://github\.com/ansible\-collections/community\.docker/issues/794)\, [https\://github\.com/ansible\-collections/community\.docker/pull/796](https\://github\.com/ansible\-collections/community\.docker/pull/796)\)\.
+* docker\_container \- the <code>pull\_check\_mode\_behavior</code> option now allows to control the module\'s behavior in check mode when <code>pull\=always</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/792](https\://github\.com/ansible\-collections/community\.docker/issues/792)\, [https\://github\.com/ansible\-collections/community\.docker/pull/797](https\://github\.com/ansible\-collections/community\.docker/pull/797)\)\.
+* docker\_container \- the <code>pull</code> option now accepts the three values <code>never</code>\, <code>missing\_image</code> \(default\)\, and <code>never</code>\, next to the previously valid values <code>true</code> \(equivalent to <code>always</code>\) and <code>false</code> \(equivalent to <code>missing\_image</code>\)\. This allows the equivalent to <code>\-\-pull\=never</code> from the Docker command line \([https\://github\.com/ansible\-collections/community\.docker/issues/783](https\://github\.com/ansible\-collections/community\.docker/issues/783)\, [https\://github\.com/ansible\-collections/community\.docker/pull/797](https\://github\.com/ansible\-collections/community\.docker/pull/797)\)\.
+
+<a id="bugfixes-28"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- do not consider a <code>Waiting</code> event as an action/change \([https\://github\.com/ansible\-collections/community\.docker/pull/804](https\://github\.com/ansible\-collections/community\.docker/pull/804)\)\.
+* docker\_compose\_v2 \- do not treat service\-level pull events as changes to avoid incorrect <code>changed\=true</code> return value of <code>pull\=always</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/802](https\://github\.com/ansible\-collections/community\.docker/issues/802)\, [https\://github\.com/ansible\-collections/community\.docker/pull/803](https\://github\.com/ansible\-collections/community\.docker/pull/803)\)\.
+* docker\_compose\_v2\, docker\_compose\_v2\_pull \- fix parsing of pull messages for Docker Compose 2\.20\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/785](https\://github\.com/ansible\-collections/community\.docker/issues/785)\, [https\://github\.com/ansible\-collections/community\.docker/pull/786](https\://github\.com/ansible\-collections/community\.docker/pull/786)\)\.
+
+<a id="v3-7-0"></a>
+## v3\.7\.0
+
+<a id="release-summary-35"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-15"></a>
+### Minor Changes
+
+* docker\_compose\_v2 \- add <code>scale</code> option to allow to explicitly scale services \([https\://github\.com/ansible\-collections/community\.docker/pull/776](https\://github\.com/ansible\-collections/community\.docker/pull/776)\)\.
+* docker\_compose\_v2\, docker\_compose\_v2\_pull \- support <code>files</code> parameter to specify multiple Compose files \([https\://github\.com/ansible\-collections/community\.docker/issues/772](https\://github\.com/ansible\-collections/community\.docker/issues/772)\, [https\://github\.com/ansible\-collections/community\.docker/pull/775](https\://github\.com/ansible\-collections/community\.docker/pull/775)\)\.
+
+<a id="bugfixes-29"></a>
+### Bugfixes
+
+* docker\_compose\_v2 \- properly parse dry\-run build events from <code>stderr</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/778](https\://github\.com/ansible\-collections/community\.docker/issues/778)\, [https\://github\.com/ansible\-collections/community\.docker/pull/779](https\://github\.com/ansible\-collections/community\.docker/pull/779)\)\.
+* docker\_compose\_v2\_pull \- the module was documented as part of the <code>community\.docker\.docker</code> action group\, but was not actually part of it\. That has now been fixed \([https\://github\.com/ansible\-collections/community\.docker/pull/773](https\://github\.com/ansible\-collections/community\.docker/pull/773)\)\.
+
+<a id="new-modules-2"></a>
+### New Modules
+
+* community\.docker\.docker\_image\_export \- Export \(archive\) Docker images
+
+<a id="v3-6-0"></a>
+## v3\.6\.0
+
+<a id="release-summary-36"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+The collection now includes a bunch of new <code>docker\_image\_\*</code> modules that move features out of the
+rather complex <code>docker\_image</code> module\. These new modules are easier to use and can better declare whether
+they support check mode\, diff mode\, or none of them\.
+
+This version also features modules that support the Docker CLI plugins <code>buildx</code> and <code>compose</code>\.
+The <code>docker\_image\_build</code> module uses the <code>docker buildx</code> command under the hood\, and the <code>docker\_compose\_v2</code>
+and <code>docker\_compose\_v2\_pull</code> modules uses the <code>docker compose</code> command\. All these modules use the Docker CLI
+instead of directly talking to the API\. The modules support mostly the same interface as the API based modules\,
+so the main difference is that instead of some Python requirements\, they depend on the Docker CLI tool <code>docker</code>\.
+
+<a id="major-changes"></a>
+### Major Changes
+
+* The <code>community\.docker</code> collection now depends on the <code>community\.library\_inventory\_filtering\_v1</code> collection\. This utility collection provides host filtering functionality for inventory plugins\. If you use the Ansible community package\, both collections are included and you do not have to do anything special\. If you install the collection with <code>ansible\-galaxy collection install</code>\, it will be installed automatically\. If you install the collection by copying the files of the collection to a place where ansible\-core can find it\, for example by cloning the git repository\, you need to make sure that you also have to install the dependency if you are using the inventory plugins \([https\://github\.com/ansible\-collections/community\.docker/pull/698](https\://github\.com/ansible\-collections/community\.docker/pull/698)\)\.
+
+<a id="minor-changes-16"></a>
+### Minor Changes
+
+* The <code>ca\_cert</code> option available to almost all modules and plugins has been renamed to <code>ca\_path</code>\. The name <code>ca\_path</code> is also used for similar options in ansible\-core and other collections\. The old name has been added as an alias and can still be used \([https\://github\.com/ansible\-collections/community\.docker/pull/744](https\://github\.com/ansible\-collections/community\.docker/pull/744)\)\.
+* The <code>docker\_stack\*</code> modules now use the common CLI\-based module code added for the <code>docker\_image\_build</code> and <code>docker\_compose\_v2</code> modules\. This means that the modules now have various more configuration options with respect to talking to the Docker Daemon\, and now also are part of the <code>community\.docker\.docker</code> and <code>docker</code> module default groups \([https\://github\.com/ansible\-collections/community\.docker/pull/745](https\://github\.com/ansible\-collections/community\.docker/pull/745)\)\.
+* docker\_container \- add <code>networks\[\]\.mac\_address</code> option for Docker API 1\.44\+\. Note that Docker API 1\.44 no longer uses the global <code>mac\_address</code> option\, this new option is the only way to set the MAC address for a container \([https\://github\.com/ansible\-collections/community\.docker/pull/763](https\://github\.com/ansible\-collections/community\.docker/pull/763)\)\.
+* docker\_image \- allow to specify labels and <code>/dev/shm</code> size when building images \([https\://github\.com/ansible\-collections/community\.docker/issues/726](https\://github\.com/ansible\-collections/community\.docker/issues/726)\, [https\://github\.com/ansible\-collections/community\.docker/pull/727](https\://github\.com/ansible\-collections/community\.docker/pull/727)\)\.
+* docker\_image \- allow to specify memory size and swap memory size in other units than bytes \([https\://github\.com/ansible\-collections/community\.docker/pull/727](https\://github\.com/ansible\-collections/community\.docker/pull/727)\)\.
+* inventory plugins \- add <code>filter</code> option which allows to include and exclude hosts based on Jinja2 conditions \([https\://github\.com/ansible\-collections/community\.docker/pull/698](https\://github\.com/ansible\-collections/community\.docker/pull/698)\, [https\://github\.com/ansible\-collections/community\.docker/issues/610](https\://github\.com/ansible\-collections/community\.docker/issues/610)\)\.
+
+<a id="bugfixes-30"></a>
+### Bugfixes
+
+* Use <code>unix\:///var/run/docker\.sock</code> instead of the legacy <code>unix\://var/run/docker\.sock</code> as default for <code>docker\_host</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/736](https\://github\.com/ansible\-collections/community\.docker/pull/736)\)\.
+* docker\_image \- fix archiving idempotency with Docker API 1\.44 or later \([https\://github\.com/ansible\-collections/community\.docker/pull/765](https\://github\.com/ansible\-collections/community\.docker/pull/765)\)\.
+
+<a id="new-modules-3"></a>
+### New Modules
+
+* community\.docker\.docker\_compose\_v2 \- Manage multi\-container Docker applications with Docker Compose CLI plugin
+* community\.docker\.docker\_compose\_v2\_pull \- Pull a Docker compose project
+* community\.docker\.docker\_image\_build \- Build Docker images using Docker buildx
+* community\.docker\.docker\_image\_pull \- Pull Docker images from registries
+* community\.docker\.docker\_image\_push \- Push Docker images to registries
+* community\.docker\.docker\_image\_remove \- Remove Docker images
+* community\.docker\.docker\_image\_tag \- Tag Docker images with new names and/or tags
+
+<a id="v3-5-0"></a>
+## v3\.5\.0
+
+<a id="release-summary-37"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-17"></a>
+### Minor Changes
+
+* docker\_container \- implement better <code>platform</code> string comparisons to improve idempotency \([https\://github\.com/ansible\-collections/community\.docker/issues/654](https\://github\.com/ansible\-collections/community\.docker/issues/654)\, [https\://github\.com/ansible\-collections/community\.docker/pull/705](https\://github\.com/ansible\-collections/community\.docker/pull/705)\)\.
+* docker\_container \- internal refactorings which allow comparisons to use more information like details of the current image or the Docker host config \([https\://github\.com/ansible\-collections/community\.docker/pull/713](https\://github\.com/ansible\-collections/community\.docker/pull/713)\)\.
+
+<a id="deprecated-features-2"></a>
+### Deprecated Features
+
+* docker\_container \- the default <code>ignore</code> for the <code>image\_name\_mismatch</code> parameter has been deprecated and will switch to <code>recreate</code> in community\.docker 4\.0\.0\. A deprecation warning will be printed in situations where the default value is used and where a behavior would change once the default changes \([https\://github\.com/ansible\-collections/community\.docker/pull/703](https\://github\.com/ansible\-collections/community\.docker/pull/703)\)\.
+
+<a id="bugfixes-31"></a>
+### Bugfixes
+
+* modules and plugins using the Docker SDK for Python \- remove <code>ssl\_version</code> from the parameters passed to Docker SDK for Python 7\.0\.0\+\. Explicitly fail with a nicer error message if it was explicitly set in this case \([https\://github\.com/ansible\-collections/community\.docker/pull/715](https\://github\.com/ansible\-collections/community\.docker/pull/715)\)\.
+* modules and plugins using the Docker SDK for Python \- remove <code>tls\_hostname</code> from the parameters passed to Docker SDK for Python 7\.0\.0\+\. Explicitly fail with a nicer error message if it was explicitly set in this case \([https\://github\.com/ansible\-collections/community\.docker/pull/721](https\://github\.com/ansible\-collections/community\.docker/pull/721)\)\.
+* vendored Docker SDK for Python \- avoid passing on <code>ssl\_version</code> and <code>tls\_hostname</code> if they were not provided by the user\. Remove dead code\. \([https\://github\.com/ansible\-collections/community\.docker/pull/722](https\://github\.com/ansible\-collections/community\.docker/pull/722)\)\.
+
+<a id="v3-4-11"></a>
+## v3\.4\.11
+
+<a id="release-summary-38"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-32"></a>
+### Bugfixes
+
+* docker\_volume \- fix crash caused by accessing an empty dictionary\. The <code>has\_different\_config\(\)</code> was raising an <code>AttributeError</code> because the <code>self\.existing\_volume\[\"Labels\"\]</code> dictionary was <code>None</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/702](https\://github\.com/ansible\-collections/community\.docker/pull/702)\)\.
+
+<a id="v3-4-10"></a>
+## v3\.4\.10
+
+<a id="release-summary-39"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-33"></a>
+### Bugfixes
+
+* docker\_swarm \- make init and join operations work again with Docker SDK for Python before 4\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/695](https\://github\.com/ansible\-collections/community\.docker/issues/695)\, [https\://github\.com/ansible\-collections/community\.docker/pull/696](https\://github\.com/ansible\-collections/community\.docker/pull/696)\)\.
+
+<a id="v3-4-9"></a>
+## v3\.4\.9
+
+<a id="release-summary-40"></a>
+### Release Summary
+
+Maintenance release with updated documentation and vendored Docker SDK for Python code\.
+
+<a id="bugfixes-34"></a>
+### Bugfixes
+
+* vendored Docker SDK for Python code \- cherry\-pick changes from the Docker SDK for Python code to align code\. These changes should not affect the parts used by the collection\'s code \([https\://github\.com/ansible\-collections/community\.docker/pull/694](https\://github\.com/ansible\-collections/community\.docker/pull/694)\)\.
+
+<a id="v3-4-8"></a>
+## v3\.4\.8
+
+<a id="release-summary-41"></a>
+### Release Summary
+
+Maintenance release with updated documentation\.
+
+From this version on\, community\.docker is using the new [Ansible semantic markup](https\://docs\.ansible\.com/ansible/devel/dev\_guide/developing\_modules\_documenting\.html\#semantic\-markup\-within\-module\-documentation)
+in its documentation\. If you look at documentation with the ansible\-doc CLI tool
+from ansible\-core before 2\.15\, please note that it does not render the markup
+correctly\. You should be still able to read it in most cases\, but you need
+ansible\-core 2\.15 or later to see it as it is intended\. Alternatively you can
+look at [the devel docsite](https\://docs\.ansible\.com/ansible/devel/collections/community/docker/)
+for the rendered HTML version of the documentation of the latest release\.
+
+<a id="known-issues-3"></a>
+### Known Issues
+
+* Ansible markup will show up in raw form on ansible\-doc text output for ansible\-core before 2\.15\. If you have trouble deciphering the documentation markup\, please upgrade to ansible\-core 2\.15 \(or newer\)\, or read the HTML documentation on [https\://docs\.ansible\.com/ansible/devel/collections/community/docker/](https\://docs\.ansible\.com/ansible/devel/collections/community/docker/)\.
+
+<a id="v3-4-7"></a>
+## v3\.4\.7
+
+<a id="release-summary-42"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-35"></a>
+### Bugfixes
+
+* docker\_swarm\_info \- if <code>service\=true</code> is used\, do not crash when a service without an endpoint spec is encountered \([https\://github\.com/ansible\-collections/community\.docker/issues/636](https\://github\.com/ansible\-collections/community\.docker/issues/636)\, [https\://github\.com/ansible\-collections/community\.docker/pull/637](https\://github\.com/ansible\-collections/community\.docker/pull/637)\)\.
+
+<a id="v3-4-6"></a>
+## v3\.4\.6
+
+<a id="release-summary-43"></a>
+### Release Summary
+
+Bugfix release with documentation warnings about using certain functionality when connecting to the Docker daemon with TCP TLS\.
+
+<a id="bugfixes-36"></a>
+### Bugfixes
+
+* socket\_handler module utils \- make sure this fully works when Docker SDK for Python is not available \([https\://github\.com/ansible\-collections/community\.docker/pull/620](https\://github\.com/ansible\-collections/community\.docker/pull/620)\)\.
+* vendored Docker SDK for Python code \- fix for errors on pipe close in Windows \([https\://github\.com/ansible\-collections/community\.docker/pull/619](https\://github\.com/ansible\-collections/community\.docker/pull/619)\)\.
+* vendored Docker SDK for Python code \- respect timeouts on Windows named pipes \([https\://github\.com/ansible\-collections/community\.docker/pull/619](https\://github\.com/ansible\-collections/community\.docker/pull/619)\)\.
+* vendored Docker SDK for Python code \- use <code>poll\(\)</code> instead of <code>select\(\)</code> except on Windows \([https\://github\.com/ansible\-collections/community\.docker/pull/619](https\://github\.com/ansible\-collections/community\.docker/pull/619)\)\.
+
+<a id="known-issues-4"></a>
+### Known Issues
+
+* docker\_api connection plugin \- does <strong>not work with TCP TLS sockets</strong>\! This is caused by the inability to send an <code>close\_notify</code> TLS alert without closing the connection with Python\'s <code>SSLSocket</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/605](https\://github\.com/ansible\-collections/community\.docker/issues/605)\, [https\://github\.com/ansible\-collections/community\.docker/pull/621](https\://github\.com/ansible\-collections/community\.docker/pull/621)\)\.
+* docker\_container\_exec \- does <strong>not work with TCP TLS sockets</strong> when the <code>stdin</code> option is used\! This is caused by the inability to send an <code>close\_notify</code> TLS alert without closing the connection with Python\'s <code>SSLSocket</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/605](https\://github\.com/ansible\-collections/community\.docker/issues/605)\, [https\://github\.com/ansible\-collections/community\.docker/pull/621](https\://github\.com/ansible\-collections/community\.docker/pull/621)\)\.
+
+<a id="v3-4-5"></a>
+## v3\.4\.5
+
+<a id="release-summary-44"></a>
+### Release Summary
+
+Maintenance release which adds compatibility with requests 2\.29\.0 and 2\.30\.0 and urllib3 2\.0\.
+
+<a id="bugfixes-37"></a>
+### Bugfixes
+
+* Make vendored Docker SDK for Python code compatible with requests 2\.29\.0 and urllib3 2\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/613](https\://github\.com/ansible\-collections/community\.docker/pull/613)\)\.
+
+<a id="v3-4-4"></a>
+## v3\.4\.4
+
+<a id="release-summary-45"></a>
+### Release Summary
+
+Maintenance release with updated EE requirements and updated documentation\.
+
+<a id="minor-changes-18"></a>
+### Minor Changes
+
+* Restrict requests to versions before 2\.29\.0\, and urllib3 to versions before 2\.0\.0\. This is necessary until the vendored code from Docker SDK for Python has been fully adjusted to work with a feature of urllib3 that is used since requests 2\.29\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/611](https\://github\.com/ansible\-collections/community\.docker/issues/611)\, [https\://github\.com/ansible\-collections/community\.docker/pull/612](https\://github\.com/ansible\-collections/community\.docker/pull/612)\)\.
+
+<a id="known-issues-5"></a>
+### Known Issues
+
+* The modules and plugins using the vendored code from Docker SDK for Python currently do not work with requests 2\.29\.0 and/or urllib3 2\.0\.0\. The same is currently true for the latest version of Docker SDK for Python itself \([https\://github\.com/ansible\-collections/community\.docker/issues/611](https\://github\.com/ansible\-collections/community\.docker/issues/611)\, [https\://github\.com/ansible\-collections/community\.docker/pull/612](https\://github\.com/ansible\-collections/community\.docker/pull/612)\)\.
+
+<a id="v3-4-3"></a>
+## v3\.4\.3
+
+<a id="release-summary-46"></a>
+### Release Summary
+
+Maintenance release with improved documentation\.
+
+<a id="v3-4-2"></a>
+## v3\.4\.2
+
+<a id="release-summary-47"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-38"></a>
+### Bugfixes
+
+* docker\_prune \- return correct value for <code>changed</code>\. So far the module always claimed that nothing changed \([https\://github\.com/ansible\-collections/community\.docker/pull/593](https\://github\.com/ansible\-collections/community\.docker/pull/593)\)\.
+
+<a id="v3-4-1"></a>
+## v3\.4\.1
+
+<a id="release-summary-48"></a>
+### Release Summary
+
+Regular bugfix release\.
+
+<a id="bugfixes-39"></a>
+### Bugfixes
+
+* docker\_api connection plugin\, docker\_container\_exec\, docker\_container\_copy\_into \- properly close socket to Daemon after executing commands in containers \([https\://github\.com/ansible\-collections/community\.docker/pull/582](https\://github\.com/ansible\-collections/community\.docker/pull/582)\)\.
+* docker\_container \- fix <code>tmfs\_size</code> and <code>tmpfs\_mode</code> not being set \([https\://github\.com/ansible\-collections/community\.docker/pull/580](https\://github\.com/ansible\-collections/community\.docker/pull/580)\)\.
+* various plugins and modules \- remove unnecessary imports \([https\://github\.com/ansible\-collections/community\.docker/pull/574](https\://github\.com/ansible\-collections/community\.docker/pull/574)\)\.
+
+<a id="v3-4-0"></a>
+## v3\.4\.0
+
+<a id="release-summary-49"></a>
+### Release Summary
+
+Regular bugfix and feature release\.
+
+<a id="minor-changes-19"></a>
+### Minor Changes
+
+* docker\_api connection plugin \- when copying files to/from a container\, stream the file contents instead of first reading them to memory \([https\://github\.com/ansible\-collections/community\.docker/pull/545](https\://github\.com/ansible\-collections/community\.docker/pull/545)\)\.
+* docker\_host\_info \- allow to list all containers with new option <code>containers\_all</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/535](https\://github\.com/ansible\-collections/community\.docker/issues/535)\, [https\://github\.com/ansible\-collections/community\.docker/pull/538](https\://github\.com/ansible\-collections/community\.docker/pull/538)\)\.
+
+<a id="bugfixes-40"></a>
+### Bugfixes
+
+* docker\_api connection plugin \- fix error handling when 409 Conflict is returned by the Docker daemon in case of a stopped container \([https\://github\.com/ansible\-collections/community\.docker/pull/546](https\://github\.com/ansible\-collections/community\.docker/pull/546)\)\.
+* docker\_container\_exec \- fix error handling when 409 Conflict is returned by the Docker daemon in case of a stopped container \([https\://github\.com/ansible\-collections/community\.docker/pull/546](https\://github\.com/ansible\-collections/community\.docker/pull/546)\)\.
+* docker\_plugin \- do not crash if plugin is installed in check mode \([https\://github\.com/ansible\-collections/community\.docker/issues/552](https\://github\.com/ansible\-collections/community\.docker/issues/552)\, [https\://github\.com/ansible\-collections/community\.docker/pull/553](https\://github\.com/ansible\-collections/community\.docker/pull/553)\)\.
+* most modules \- fix handling of <code>DOCKER\_TIMEOUT</code> environment variable\, and improve handling of other fallback environment variables \([https\://github\.com/ansible\-collections/community\.docker/issues/551](https\://github\.com/ansible\-collections/community\.docker/issues/551)\, [https\://github\.com/ansible\-collections/community\.docker/pull/554](https\://github\.com/ansible\-collections/community\.docker/pull/554)\)\.
+
+<a id="new-modules-4"></a>
+### New Modules
+
+* community\.docker\.docker\_container\_copy\_into \- Copy a file into a Docker container
+
+<a id="v3-3-2"></a>
+## v3\.3\.2
+
+<a id="release-summary-50"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-41"></a>
+### Bugfixes
+
+* docker\_container \- when <code>detach\=false</code>\, wait indefinitely and not at most one minute\. This was the behavior with Docker SDK for Python\, and was accidentally changed in 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/526](https\://github\.com/ansible\-collections/community\.docker/issues/526)\, [https\://github\.com/ansible\-collections/community\.docker/pull/527](https\://github\.com/ansible\-collections/community\.docker/pull/527)\)\.
+
+<a id="v3-3-1"></a>
+## v3\.3\.1
+
+<a id="release-summary-51"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-42"></a>
+### Bugfixes
+
+* current\_container\_facts \- make container detection work better in more cases \([https\://github\.com/ansible\-collections/community\.docker/pull/522](https\://github\.com/ansible\-collections/community\.docker/pull/522)\)\.
+
+<a id="v3-3-0"></a>
+## v3\.3\.0
+
+<a id="release-summary-52"></a>
+### Release Summary
+
+Feature and bugfix release\.
+
+<a id="minor-changes-20"></a>
+### Minor Changes
+
+* current\_container\_facts \- make work with current Docker version\, also support Podman \([https\://github\.com/ansible\-collections/community\.docker/pull/510](https\://github\.com/ansible\-collections/community\.docker/pull/510)\)\.
+* docker\_image \- when using <code>archive\_path</code>\, detect whether changes are necessary based on the image ID \(hash\)\. If the existing tar archive matches the source\, do nothing\. Previously\, each task execution re\-created the archive \([https\://github\.com/ansible\-collections/community\.docker/pull/500](https\://github\.com/ansible\-collections/community\.docker/pull/500)\)\.
+
+<a id="bugfixes-43"></a>
+### Bugfixes
+
+* docker\_container\_exec \- fix <code>chdir</code> option which was ignored since community\.docker 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/517](https\://github\.com/ansible\-collections/community\.docker/issues/517)\, [https\://github\.com/ansible\-collections/community\.docker/pull/518](https\://github\.com/ansible\-collections/community\.docker/pull/518)\)\.
+* vendored latest Docker SDK for Python bugfix \([https\://github\.com/ansible\-collections/community\.docker/pull/513](https\://github\.com/ansible\-collections/community\.docker/pull/513)\, [https\://github\.com/docker/docker\-py/issues/3045](https\://github\.com/docker/docker\-py/issues/3045)\)\.
+
+<a id="v3-2-2"></a>
+## v3\.2\.2
+
+<a id="release-summary-53"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-44"></a>
+### Bugfixes
+
+* docker\_container \- the <code>kill\_signal</code> option erroneously did not accept strings anymore since 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/505](https\://github\.com/ansible\-collections/community\.docker/issues/505)\, [https\://github\.com/ansible\-collections/community\.docker/pull/506](https\://github\.com/ansible\-collections/community\.docker/pull/506)\)\.
+
+<a id="v3-2-1"></a>
+## v3\.2\.1
+
+<a id="release-summary-54"></a>
+### Release Summary
+
+Maintenance release with improved documentation\.
+
+<a id="v3-2-0"></a>
+## v3\.2\.0
+
+<a id="release-summary-55"></a>
+### Release Summary
+
+Feature and deprecation release\.
+
+<a id="minor-changes-21"></a>
+### Minor Changes
+
+* docker\_container \- added <code>image\_name\_mismatch</code> option which allows to control the behavior if the container uses the image specified\, but the container\'s configuration uses a different name for the image than the one provided to the module \([https\://github\.com/ansible\-collections/community\.docker/issues/485](https\://github\.com/ansible\-collections/community\.docker/issues/485)\, [https\://github\.com/ansible\-collections/community\.docker/pull/488](https\://github\.com/ansible\-collections/community\.docker/pull/488)\)\.
+
+<a id="deprecated-features-3"></a>
+### Deprecated Features
+
+* docker\_container \- the <code>ignore\_image</code> option is deprecated and will be removed in community\.docker 4\.0\.0\. Use <code>image\: ignore</code> in <code>comparisons</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/487](https\://github\.com/ansible\-collections/community\.docker/pull/487)\)\.
+* docker\_container \- the <code>purge\_networks</code> option is deprecated and will be removed in community\.docker 4\.0\.0\. Use <code>networks\: strict</code> in <code>comparisons</code> instead\, and make sure to provide <code>networks</code>\, with value <code>\[\]</code> if all networks should be removed \([https\://github\.com/ansible\-collections/community\.docker/pull/487](https\://github\.com/ansible\-collections/community\.docker/pull/487)\)\.
+
+<a id="v3-1-0"></a>
+## v3\.1\.0
+
+<a id="release-summary-56"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-22"></a>
+### Minor Changes
+
+* The collection repository conforms to the [REUSE specification](https\://reuse\.software/spec/) except for the changelog fragments \([https\://github\.com/ansible\-collections/community\.docker/pull/462](https\://github\.com/ansible\-collections/community\.docker/pull/462)\)\.
+* docker\_swarm \- allows usage of the <code>data\_path\_port</code> parameter when initializing a swarm \([https\://github\.com/ansible\-collections/community\.docker/issues/296](https\://github\.com/ansible\-collections/community\.docker/issues/296)\)\.
+
+<a id="v3-0-2"></a>
+## v3\.0\.2
+
+<a id="release-summary-57"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-45"></a>
+### Bugfixes
+
+* docker\_image \- fix build argument handling \([https\://github\.com/ansible\-collections/community\.docker/issues/455](https\://github\.com/ansible\-collections/community\.docker/issues/455)\, [https\://github\.com/ansible\-collections/community\.docker/pull/456](https\://github\.com/ansible\-collections/community\.docker/pull/456)\)\.
+
+<a id="v3-0-1"></a>
+## v3\.0\.1
+
+<a id="release-summary-58"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-46"></a>
+### Bugfixes
+
+* docker\_container \- fix handling of <code>env\_file</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/451](https\://github\.com/ansible\-collections/community\.docker/issues/451)\, [https\://github\.com/ansible\-collections/community\.docker/pull/452](https\://github\.com/ansible\-collections/community\.docker/pull/452)\)\.
+
+<a id="v3-0-0"></a>
+## v3\.0\.0
+
+<a id="release-summary-59"></a>
+### Release Summary
+
+The 3\.0\.0 release features a rewrite of the <code>docker\_container</code> module\, and many modules and plugins no longer depend on the Docker SDK for Python\.
+
+<a id="major-changes-1"></a>
+### Major Changes
+
+* The collection now contains vendored code from the Docker SDK for Python to talk to the Docker daemon\. Modules and plugins using this code no longer need the Docker SDK for Python installed on the machine the module or plugin is running on \([https\://github\.com/ansible\-collections/community\.docker/pull/398](https\://github\.com/ansible\-collections/community\.docker/pull/398)\)\.
+* docker\_api connection plugin \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/414](https\://github\.com/ansible\-collections/community\.docker/pull/414)\)\.
+* docker\_container \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container \- the module was completely rewritten from scratch \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container\_exec \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/401](https\://github\.com/ansible\-collections/community\.docker/pull/401)\)\.
+* docker\_container\_info \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/402](https\://github\.com/ansible\-collections/community\.docker/pull/402)\)\.
+* docker\_containers inventory plugin \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/413](https\://github\.com/ansible\-collections/community\.docker/pull/413)\)\.
+* docker\_host\_info \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/403](https\://github\.com/ansible\-collections/community\.docker/pull/403)\)\.
+* docker\_image \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/404](https\://github\.com/ansible\-collections/community\.docker/pull/404)\)\.
+* docker\_image\_info \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/405](https\://github\.com/ansible\-collections/community\.docker/pull/405)\)\.
+* docker\_image\_load \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/406](https\://github\.com/ansible\-collections/community\.docker/pull/406)\)\.
+* docker\_login \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/407](https\://github\.com/ansible\-collections/community\.docker/pull/407)\)\.
+* docker\_network \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/408](https\://github\.com/ansible\-collections/community\.docker/pull/408)\)\.
+* docker\_network\_info \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/409](https\://github\.com/ansible\-collections/community\.docker/pull/409)\)\.
+* docker\_plugin \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/429](https\://github\.com/ansible\-collections/community\.docker/pull/429)\)\.
+* docker\_prune \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/410](https\://github\.com/ansible\-collections/community\.docker/pull/410)\)\.
+* docker\_volume \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/411](https\://github\.com/ansible\-collections/community\.docker/pull/411)\)\.
+* docker\_volume\_info \- no longer uses the Docker SDK for Python\. It requires <code>requests</code> to be installed\, and depending on the features used has some more requirements\. If the Docker SDK for Python is installed\, these requirements are likely met \([https\://github\.com/ansible\-collections/community\.docker/pull/412](https\://github\.com/ansible\-collections/community\.docker/pull/412)\)\.
+
+<a id="minor-changes-23"></a>
+### Minor Changes
+
+* All software licenses are now in the <code>LICENSES/</code> directory of the collection root\. Moreover\, <code>SPDX\-License\-Identifier\:</code> is used to declare the applicable license for every file that is not automatically generated \([https\://github\.com/ansible\-collections/community\.docker/pull/430](https\://github\.com/ansible\-collections/community\.docker/pull/430)\)\.
+* Remove vendored copy of <code>distutils\.version</code> in favor of vendored copy included with ansible\-core 2\.12\+\. For ansible\-core 2\.11\, uses <code>distutils\.version</code> for Python \< 3\.12\. There is no support for ansible\-core 2\.11 with Python 3\.12\+ \([https\://github\.com/ansible\-collections/community\.docker/pull/271](https\://github\.com/ansible\-collections/community\.docker/pull/271)\)\.
+* docker\_container \- add a new parameter <code>image\_comparison</code> to control the behavior for which image will be used for idempotency checks \([https\://github\.com/ansible\-collections/community\.docker/issues/421](https\://github\.com/ansible\-collections/community\.docker/issues/421)\, [https\://github\.com/ansible\-collections/community\.docker/pull/428](https\://github\.com/ansible\-collections/community\.docker/pull/428)\)\.
+* docker\_container \- add support for <code>cgroupns\_mode</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/338](https\://github\.com/ansible\-collections/community\.docker/issues/338)\, [https\://github\.com/ansible\-collections/community\.docker/pull/427](https\://github\.com/ansible\-collections/community\.docker/pull/427)\)\.
+* docker\_container \- allow to specify <code>platform</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/123](https\://github\.com/ansible\-collections/community\.docker/issues/123)\, [https\://github\.com/ansible\-collections/community\.docker/pull/426](https\://github\.com/ansible\-collections/community\.docker/pull/426)\)\.
+* modules and plugins communicating directly with the Docker daemon \- improve default TLS version selection for Python 3\.6 and newer\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+* modules and plugins communicating directly with the Docker daemon \- simplify use of helper function that was removed in Docker SDK for Python to find executables \([https\://github\.com/ansible\-collections/community\.docker/pull/438](https\://github\.com/ansible\-collections/community\.docker/pull/438)\)\.
+* socker\_handler and socket\_helper module utils \- improve Python forward compatibility\, create helper functions for file blocking/unblocking \([https\://github\.com/ansible\-collections/community\.docker/pull/415](https\://github\.com/ansible\-collections/community\.docker/pull/415)\)\.
+
+<a id="breaking-changes--porting-guide-2"></a>
+### Breaking Changes / Porting Guide
+
+* This collection does not work with ansible\-core 2\.11 on Python 3\.12\+\. Please either upgrade to ansible\-core 2\.12\+\, or use Python 3\.11 or earlier \([https\://github\.com/ansible\-collections/community\.docker/pull/271](https\://github\.com/ansible\-collections/community\.docker/pull/271)\)\.
+* docker\_container \- <code>exposed\_ports</code> is no longer ignored in <code>comparisons</code>\. Before\, its value was assumed to be identical with the value of <code>published\_ports</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container \- <code>log\_options</code> can no longer be specified when <code>log\_driver</code> is not specified \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container \- <code>publish\_all\_ports</code> is no longer ignored in <code>comparisons</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container \- <code>restart\_retries</code> can no longer be specified when <code>restart\_policy</code> is not specified \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* docker\_container \- <code>stop\_timeout</code> is no longer ignored for idempotency if told to be not ignored in <code>comparisons</code>\. So far it defaulted to <code>ignore</code> there\, and setting it to <code>strict</code> had no effect \([https\://github\.com/ansible\-collections/community\.docker/pull/422](https\://github\.com/ansible\-collections/community\.docker/pull/422)\)\.
+* modules and plugins communicating directly with the Docker daemon \- when connecting by SSH and not using <code>use\_ssh\_client\=true</code>\, reject unknown host keys instead of accepting them\. This is only a breaking change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+
+<a id="removed-features-previously-deprecated-2"></a>
+### Removed Features \(previously deprecated\)
+
+* Execution Environments built with community\.docker no longer include docker\-compose \< 2\.0\.0\. If you need to use it with the <code>docker\_compose</code> module\, please install that requirement manually \([https\://github\.com/ansible\-collections/community\.docker/pull/400](https\://github\.com/ansible\-collections/community\.docker/pull/400)\)\.
+* Support for Ansible 2\.9 and ansible\-base 2\.10 has been removed\. If you need support for Ansible 2\.9 or ansible\-base 2\.10\, please use community\.docker 2\.x\.y \([https\://github\.com/ansible\-collections/community\.docker/pull/400](https\://github\.com/ansible\-collections/community\.docker/pull/400)\)\.
+* Support for Docker API versions 1\.20 to 1\.24 has been removed\. If you need support for these API versions\, please use community\.docker 2\.x\.y \([https\://github\.com/ansible\-collections/community\.docker/pull/400](https\://github\.com/ansible\-collections/community\.docker/pull/400)\)\.
+* Support for Python 2\.6 has been removed\. If you need support for Python 2\.6\, please use community\.docker 2\.x\.y \([https\://github\.com/ansible\-collections/community\.docker/pull/400](https\://github\.com/ansible\-collections/community\.docker/pull/400)\)\.
+* Various modules \- the default of <code>tls\_hostname</code> \(<code>localhost</code>\) has been removed\. If you want to continue using <code>localhost</code>\, you need to specify it explicitly \([https\://github\.com/ansible\-collections/community\.docker/pull/363](https\://github\.com/ansible\-collections/community\.docker/pull/363)\)\.
+* docker\_container \- the <code>all</code> value is no longer allowed in <code>published\_ports</code>\. Use <code>publish\_all\_ports\=true</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/399](https\://github\.com/ansible\-collections/community\.docker/pull/399)\)\.
+* docker\_container \- the default of <code>command\_handling</code> was changed from <code>compatibility</code> to <code>correct</code>\. Older versions were warning for every invocation of the module when this would result in a change of behavior \([https\://github\.com/ansible\-collections/community\.docker/pull/399](https\://github\.com/ansible\-collections/community\.docker/pull/399)\)\.
+* docker\_stack \- the return values <code>out</code> and <code>err</code> have been removed\. Use <code>stdout</code> and <code>stderr</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/363](https\://github\.com/ansible\-collections/community\.docker/pull/363)\)\.
+
+<a id="security-fixes-1"></a>
+### Security Fixes
+
+* modules and plugins communicating directly with the Docker daemon \- when connecting by SSH and not using <code>use\_ssh\_client\=true</code>\, reject unknown host keys instead of accepting them\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+
+<a id="bugfixes-47"></a>
+### Bugfixes
+
+* docker\_image \- when composing the build context\, trim trailing whitespace from <code>\.dockerignore</code> entries\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+* docker\_plugin \- fix crash when handling plugin options \([https\://github\.com/ansible\-collections/community\.docker/issues/446](https\://github\.com/ansible\-collections/community\.docker/issues/446)\, [https\://github\.com/ansible\-collections/community\.docker/pull/447](https\://github\.com/ansible\-collections/community\.docker/pull/447)\)\.
+* docker\_stack \- fix broken string formatting when reporting error in case <code>compose</code> was containing invalid values \([https\://github\.com/ansible\-collections/community\.docker/pull/448](https\://github\.com/ansible\-collections/community\.docker/pull/448)\)\.
+* modules and plugins communicating directly with the Docker daemon \- do not create a subshell for SSH connections when using <code>use\_ssh\_client\=true</code>\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+* modules and plugins communicating directly with the Docker daemon \- fix <code>ProxyCommand</code> handling for SSH connections when not using <code>use\_ssh\_client\=true</code>\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+* modules and plugins communicating directly with the Docker daemon \- fix parsing of IPv6 addresses with a port in <code>docker\_host</code>\. This is only a change relative to older community\.docker 3\.0\.0 pre\-releases or with respect to Docker SDK for Python \< 6\.0\.0\. Docker SDK for Python 6\.0\.0 will also include this change \([https\://github\.com/ansible\-collections/community\.docker/pull/434](https\://github\.com/ansible\-collections/community\.docker/pull/434)\)\.
+* modules and plugins communicating directly with the Docker daemon \- prevent crash when TLS is used \([https\://github\.com/ansible\-collections/community\.docker/pull/432](https\://github\.com/ansible\-collections/community\.docker/pull/432)\)\.
+
+<a id="v2-7-0"></a>
+## v2\.7\.0
+
+<a id="release-summary-60"></a>
+### Release Summary
+
+Bugfix and deprecation release\. The next 2\.x\.y releases will only be bugfix releases\, the next expect minor/major release will be 3\.0\.0 with some major changes\.
+
+<a id="minor-changes-24"></a>
+### Minor Changes
+
+* Move common utility functions from the <code>common</code> module\_util to a new module\_util called <code>util</code>\. This should not have any user\-visible effect \([https\://github\.com/ansible\-collections/community\.docker/pull/390](https\://github\.com/ansible\-collections/community\.docker/pull/390)\)\.
+
+<a id="deprecated-features-4"></a>
+### Deprecated Features
+
+* Support for Docker API version 1\.20 to 1\.24 has been deprecated and will be removed in community\.docker 3\.0\.0\. The first Docker version supporting API version 1\.25 was Docker 1\.13\, released in January 2017\. This affects the modules <code>docker\_container</code>\, <code>docker\_container\_exec</code>\, <code>docker\_container\_info</code>\, <code>docker\_compose</code>\, <code>docker\_login</code>\, <code>docker\_image</code>\, <code>docker\_image\_info</code>\, <code>docker\_image\_load</code>\, <code>docker\_host\_info</code>\, <code>docker\_network</code>\, <code>docker\_network\_info</code>\, <code>docker\_node\_info</code>\, <code>docker\_swarm\_info</code>\, <code>docker\_swarm\_service</code>\, <code>docker\_swarm\_service\_info</code>\, <code>docker\_volume\_info</code>\, and <code>docker\_volume</code>\, whose minimally supported API version is between 1\.20 and 1\.24 \([https\://github\.com/ansible\-collections/community\.docker/pull/396](https\://github\.com/ansible\-collections/community\.docker/pull/396)\)\.
+* Support for Python 2\.6 is deprecated and will be removed in the next major release \(community\.docker 3\.0\.0\)\. Some modules might still work with Python 2\.6\, but we will no longer try to ensure compatibility \([https\://github\.com/ansible\-collections/community\.docker/pull/388](https\://github\.com/ansible\-collections/community\.docker/pull/388)\)\.
+
+<a id="bugfixes-48"></a>
+### Bugfixes
+
+* Docker SDK for Python based modules and plugins \- if the API version is specified as an option\, use that one to validate API version requirements of module/plugin options instead of the latest API version supported by the Docker daemon\. This also avoids one unnecessary API call per module/plugin \([https\://github\.com/ansible\-collections/community\.docker/pull/389](https\://github\.com/ansible\-collections/community\.docker/pull/389)\)\.
+
+<a id="v2-6-0"></a>
+## v2\.6\.0
+
+<a id="release-summary-61"></a>
+### Release Summary
+
+Bugfix and feature release\.
+
+<a id="minor-changes-25"></a>
+### Minor Changes
+
+* docker\_container \- added <code>image\_label\_mismatch</code> parameter \([https\://github\.com/ansible\-collections/community\.docker/issues/314](https\://github\.com/ansible\-collections/community\.docker/issues/314)\, [https\://github\.com/ansible\-collections/community\.docker/pull/370](https\://github\.com/ansible\-collections/community\.docker/pull/370)\)\.
+
+<a id="deprecated-features-5"></a>
+### Deprecated Features
+
+* Support for Ansible 2\.9 and ansible\-base 2\.10 is deprecated\, and will be removed in the next major release \(community\.docker 3\.0\.0\)\. Some modules might still work with these versions afterwards\, but we will no longer keep compatibility code that was needed to support them \([https\://github\.com/ansible\-collections/community\.docker/pull/361](https\://github\.com/ansible\-collections/community\.docker/pull/361)\)\.
+* The dependency on docker\-compose for Execution Environments is deprecated and will be removed in community\.docker 3\.0\.0\. The [Python docker\-compose library](https\://pypi\.org/project/docker\-compose/) is unmaintained and can cause dependency issues\. You can manually still install it in an Execution Environment when needed \([https\://github\.com/ansible\-collections/community\.docker/pull/373](https\://github\.com/ansible\-collections/community\.docker/pull/373)\)\.
+* Various modules \- the default of <code>tls\_hostname</code> that was supposed to be removed in community\.docker 2\.0\.0 will now be removed in version 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/362](https\://github\.com/ansible\-collections/community\.docker/pull/362)\)\.
+* docker\_stack \- the return values <code>out</code> and <code>err</code> that were supposed to be removed in community\.docker 2\.0\.0 will now be removed in version 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/362](https\://github\.com/ansible\-collections/community\.docker/pull/362)\)\.
+
+<a id="bugfixes-49"></a>
+### Bugfixes
+
+* docker\_container \- fail with a meaningful message instead of crashing if a port is specified with more than three colon\-separated parts \([https\://github\.com/ansible\-collections/community\.docker/pull/367](https\://github\.com/ansible\-collections/community\.docker/pull/367)\, [https\://github\.com/ansible\-collections/community\.docker/issues/365](https\://github\.com/ansible\-collections/community\.docker/issues/365)\)\.
+* docker\_container \- remove unused code that will cause problems with Python 3\.13 \([https\://github\.com/ansible\-collections/community\.docker/pull/354](https\://github\.com/ansible\-collections/community\.docker/pull/354)\)\.
+
+<a id="v2-5-1"></a>
+## v2\.5\.1
+
+<a id="release-summary-62"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-50"></a>
+### Bugfixes
+
+* Include <code>PSF\-license\.txt</code> file for <code>plugins/module\_utils/\_version\.py</code>\.
+
+<a id="v2-5-0"></a>
+## v2\.5\.0
+
+<a id="release-summary-63"></a>
+### Release Summary
+
+Regular feature release\.
+
+<a id="minor-changes-26"></a>
+### Minor Changes
+
+* docker\_config \- add support for <code>template\_driver</code> with one option <code>golang</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/332](https\://github\.com/ansible\-collections/community\.docker/issues/332)\, [https\://github\.com/ansible\-collections/community\.docker/pull/345](https\://github\.com/ansible\-collections/community\.docker/pull/345)\)\.
+* docker\_swarm \- adds <code>data\_path\_addr</code> parameter during swarm initialization or when joining \([https\://github\.com/ansible\-collections/community\.docker/issues/339](https\://github\.com/ansible\-collections/community\.docker/issues/339)\)\.
+
+<a id="v2-4-0"></a>
+## v2\.4\.0
+
+<a id="release-summary-64"></a>
+### Release Summary
+
+Regular feature and bugfix release\.
+
+<a id="minor-changes-27"></a>
+### Minor Changes
+
+* Prepare collection for inclusion in an Execution Environment by declaring its dependencies\. The <code>docker\_stack\*</code> modules are not supported \([https\://github\.com/ansible\-collections/community\.docker/pull/336](https\://github\.com/ansible\-collections/community\.docker/pull/336)\)\.
+* current\_container\_facts \- add detection for GitHub Actions \([https\://github\.com/ansible\-collections/community\.docker/pull/336](https\://github\.com/ansible\-collections/community\.docker/pull/336)\)\.
+* docker\_container \- support returning Docker container log output when using Docker\'s <code>local</code> logging driver\, an optimized local logging driver introduced in Docker 18\.09 \([https\://github\.com/ansible\-collections/community\.docker/pull/337](https\://github\.com/ansible\-collections/community\.docker/pull/337)\)\.
+
+<a id="bugfixes-51"></a>
+### Bugfixes
+
+* docker connection plugin \- make sure that <code>docker\_extra\_args</code> is used for querying the Docker version\. Also ensures that the Docker version is only queried when needed\. This is currently the case if a remote user is specified \([https\://github\.com/ansible\-collections/community\.docker/issues/325](https\://github\.com/ansible\-collections/community\.docker/issues/325)\, [https\://github\.com/ansible\-collections/community\.docker/pull/327](https\://github\.com/ansible\-collections/community\.docker/pull/327)\)\.
+
+<a id="v2-3-0"></a>
+## v2\.3\.0
+
+<a id="release-summary-65"></a>
+### Release Summary
+
+Regular feature and bugfix release\.
+
+<a id="minor-changes-28"></a>
+### Minor Changes
+
+* docker connection plugin \- implement connection reset by clearing internal container user cache \([https\://github\.com/ansible\-collections/community\.docker/pull/312](https\://github\.com/ansible\-collections/community\.docker/pull/312)\)\.
+* docker connection plugin \- simplify <code>actual\_user</code> handling code \([https\://github\.com/ansible\-collections/community\.docker/pull/311](https\://github\.com/ansible\-collections/community\.docker/pull/311)\)\.
+* docker connection plugin \- the plugin supports new ways to define the timeout\. These are the <code>ANSIBLE\_DOCKER\_TIMEOUT</code> environment variable\, the <code>timeout</code> setting in the <code>docker\_connection</code> section of <code>ansible\.cfg</code>\, and the <code>ansible\_docker\_timeout</code> variable \([https\://github\.com/ansible\-collections/community\.docker/pull/297](https\://github\.com/ansible\-collections/community\.docker/pull/297)\)\.
+* docker\_api connection plugin \- implement connection reset by clearing internal container user/group ID cache \([https\://github\.com/ansible\-collections/community\.docker/pull/312](https\://github\.com/ansible\-collections/community\.docker/pull/312)\)\.
+* docker\_api connection plugin \- the plugin supports new ways to define the timeout\. These are the <code>ANSIBLE\_DOCKER\_TIMEOUT</code> environment variable\, the <code>timeout</code> setting in the <code>docker\_connection</code> section of <code>ansible\.cfg</code>\, and the <code>ansible\_docker\_timeout</code> variable \([https\://github\.com/ansible\-collections/community\.docker/pull/308](https\://github\.com/ansible\-collections/community\.docker/pull/308)\)\.
+
+<a id="bugfixes-52"></a>
+### Bugfixes
+
+* docker connection plugin \- fix option handling to be compatible with ansible\-core 2\.13 \([https\://github\.com/ansible\-collections/community\.docker/pull/297](https\://github\.com/ansible\-collections/community\.docker/pull/297)\, [https\://github\.com/ansible\-collections/community\.docker/issues/307](https\://github\.com/ansible\-collections/community\.docker/issues/307)\)\.
+* docker\_api connection plugin \- fix option handling to be compatible with ansible\-core 2\.13 \([https\://github\.com/ansible\-collections/community\.docker/pull/308](https\://github\.com/ansible\-collections/community\.docker/pull/308)\)\.
+
+<a id="v2-2-1"></a>
+## v2\.2\.1
+
+<a id="release-summary-66"></a>
+### Release Summary
+
+Regular bugfix release\.
+
+<a id="bugfixes-53"></a>
+### Bugfixes
+
+* docker\_compose \- fix Python 3 type error when extracting warnings or errors from docker\-compose\'s output \([https\://github\.com/ansible\-collections/community\.docker/pull/305](https\://github\.com/ansible\-collections/community\.docker/pull/305)\)\.
+
+<a id="v2-2-0"></a>
+## v2\.2\.0
+
+<a id="release-summary-67"></a>
+### Release Summary
+
+Regular feature and bugfix release\.
+
+<a id="minor-changes-29"></a>
+### Minor Changes
+
+* docker\_config \- add support for rolling update\, set <code>rolling\_versions</code> to <code>true</code> to enable \([https\://github\.com/ansible\-collections/community\.docker/pull/295](https\://github\.com/ansible\-collections/community\.docker/pull/295)\, [https\://github\.com/ansible\-collections/community\.docker/issues/109](https\://github\.com/ansible\-collections/community\.docker/issues/109)\)\.
+* docker\_secret \- add support for rolling update\, set <code>rolling\_versions</code> to <code>true</code> to enable \([https\://github\.com/ansible\-collections/community\.docker/pull/293](https\://github\.com/ansible\-collections/community\.docker/pull/293)\, [https\://github\.com/ansible\-collections/community\.docker/issues/21](https\://github\.com/ansible\-collections/community\.docker/issues/21)\)\.
+* docker\_swarm\_service \- add support for setting capabilities with the <code>cap\_add</code> and <code>cap\_drop</code> parameters\. Usage is the same as with the <code>capabilities</code> and <code>cap\_drop</code> parameters for <code>docker\_container</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/294](https\://github\.com/ansible\-collections/community\.docker/pull/294)\)\.
+
+<a id="bugfixes-54"></a>
+### Bugfixes
+
+* docker\_container\, docker\_image \- adjust image finding code to peculiarities of <code>podman\-docker</code>\'s API emulation when Docker short names like <code>redis</code> are used \([https\://github\.com/ansible\-collections/community\.docker/issues/292](https\://github\.com/ansible\-collections/community\.docker/issues/292)\)\.
+
+<a id="v2-1-1"></a>
+## v2\.1\.1
+
+<a id="release-summary-68"></a>
+### Release Summary
+
+Emergency release to amend breaking change in previous release\.
+
+<a id="bugfixes-55"></a>
+### Bugfixes
+
+* Fix unintended breaking change caused by [an earlier fix](https\://github\.com/ansible\-collections/community\.docker/pull/258) by vendoring the deprecated Python standard library <code>distutils\.version</code> until this collection stops supporting Ansible 2\.9 and ansible\-base 2\.10 \([https\://github\.com/ansible\-collections/community\.docker/issues/267](https\://github\.com/ansible\-collections/community\.docker/issues/267)\, [https\://github\.com/ansible\-collections/community\.docker/pull/269](https\://github\.com/ansible\-collections/community\.docker/pull/269)\)\.
+
+<a id="v2-1-0"></a>
+## v2\.1\.0
+
+<a id="release-summary-69"></a>
+### Release Summary
+
+Feature and bugfix release\.
+
+<a id="minor-changes-30"></a>
+### Minor Changes
+
+* docker\_container\_exec \- add <code>detach</code> parameter \([https\://github\.com/ansible\-collections/community\.docker/issues/250](https\://github\.com/ansible\-collections/community\.docker/issues/250)\, [https\://github\.com/ansible\-collections/community\.docker/pull/255](https\://github\.com/ansible\-collections/community\.docker/pull/255)\)\.
+* docker\_container\_exec \- add <code>env</code> option \([https\://github\.com/ansible\-collections/community\.docker/issues/248](https\://github\.com/ansible\-collections/community\.docker/issues/248)\, [https\://github\.com/ansible\-collections/community\.docker/pull/254](https\://github\.com/ansible\-collections/community\.docker/pull/254)\)\.
+
+<a id="bugfixes-56"></a>
+### Bugfixes
+
+* Various modules and plugins \- use vendored version of <code>distutils\.version</code> included in ansible\-core 2\.12 if available\. This avoids breakage when <code>distutils</code> is removed from the standard library of Python 3\.12\. Note that ansible\-core 2\.11\, ansible\-base 2\.10 and Ansible 2\.9 are right now not compatible with Python 3\.12\, hence this fix does not target these ansible\-core/\-base/2\.9 versions \([https\://github\.com/ansible\-collections/community\.docker/pull/258](https\://github\.com/ansible\-collections/community\.docker/pull/258)\)\.
+* docker connection plugin \- replace deprecated <code>distutils\.spawn\.find\_executable</code> with Ansible\'s <code>get\_bin\_path</code> to find the <code>docker</code> executable \([https\://github\.com/ansible\-collections/community\.docker/pull/257](https\://github\.com/ansible\-collections/community\.docker/pull/257)\)\.
+* docker\_container\_exec \- disallow using the <code>chdir</code> option for Docker API before 1\.35 \([https\://github\.com/ansible\-collections/community\.docker/pull/253](https\://github\.com/ansible\-collections/community\.docker/pull/253)\)\.
+
+<a id="v2-0-2"></a>
+## v2\.0\.2
+
+<a id="release-summary-70"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-57"></a>
+### Bugfixes
+
+* docker\_api connection plugin \- avoid passing an unnecessary argument to a Docker SDK for Python call that is only supported by version 3\.0\.0 or later \([https\://github\.com/ansible\-collections/community\.docker/pull/243](https\://github\.com/ansible\-collections/community\.docker/pull/243)\)\.
+* docker\_container\_exec \- <code>chdir</code> is only supported since Docker SDK for Python 3\.0\.0\. Make sure that this option can only use when 3\.0\.0 or later is installed\, and prevent passing this parameter on when <code>chdir</code> is not provided to this module \([https\://github\.com/ansible\-collections/community\.docker/pull/243](https\://github\.com/ansible\-collections/community\.docker/pull/243)\, [https\://github\.com/ansible\-collections/community\.docker/issues/242](https\://github\.com/ansible\-collections/community\.docker/issues/242)\)\.
+* nsenter connection plugin \- ensure the <code>nsenter\_pid</code> option is retrieved in <code>\_connect</code> instead of <code>\_\_init\_\_</code> to prevent a crash due to bad initialization order \([https\://github\.com/ansible\-collections/community\.docker/pull/249](https\://github\.com/ansible\-collections/community\.docker/pull/249)\)\.
+* nsenter connection plugin \- replace the use of <code>\-\-all\-namespaces</code> with specific namespaces to support compatibility with Busybox nsenter \(used on\, for example\, Alpine containers\) \([https\://github\.com/ansible\-collections/community\.docker/pull/249](https\://github\.com/ansible\-collections/community\.docker/pull/249)\)\.
+
+<a id="v2-0-1"></a>
+## v2\.0\.1
+
+<a id="release-summary-71"></a>
+### Release Summary
+
+Maintenance release with some documentation fixes\.
+
+<a id="v2-0-0"></a>
+## v2\.0\.0
+
+<a id="release-summary-72"></a>
+### Release Summary
+
+New major release with some deprecations removed and a breaking change in the <code>docker\_compose</code> module regarding the <code>timeout</code> parameter\.
+
+<a id="breaking-changes--porting-guide-3"></a>
+### Breaking Changes / Porting Guide
+
+* docker\_compose \- fixed <code>timeout</code> defaulting behavior so that <code>stop\_grace\_period</code>\, if defined in the compose file\, will be used if <code>timeout</code> is not specified \([https\://github\.com/ansible\-collections/community\.docker/pull/163](https\://github\.com/ansible\-collections/community\.docker/pull/163)\)\.
+
+<a id="deprecated-features-6"></a>
+### Deprecated Features
+
+* docker\_container \- using the special value <code>all</code> in <code>published\_ports</code> has been deprecated\. Use <code>publish\_all\_ports\=true</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/210](https\://github\.com/ansible\-collections/community\.docker/pull/210)\)\.
+
+<a id="removed-features-previously-deprecated-3"></a>
+### Removed Features \(previously deprecated\)
+
+* docker\_container \- the default value of <code>container\_default\_behavior</code> changed to <code>no\_defaults</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/210](https\://github\.com/ansible\-collections/community\.docker/pull/210)\)\.
+* docker\_container \- the default value of <code>network\_mode</code> is now the name of the first network specified in <code>networks</code> if such are specified and <code>networks\_cli\_compatible\=true</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/210](https\://github\.com/ansible\-collections/community\.docker/pull/210)\)\.
+* docker\_container \- the special value <code>all</code> can no longer be used in <code>published\_ports</code> next to other values\. Please use <code>publish\_all\_ports\=true</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/210](https\://github\.com/ansible\-collections/community\.docker/pull/210)\)\.
+* docker\_login \- removed the <code>email</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/210](https\://github\.com/ansible\-collections/community\.docker/pull/210)\)\.
+
+<a id="v1-10-0"></a>
+## v1\.10\.0
+
+<a id="release-summary-73"></a>
+### Release Summary
+
+Regular feature and bugfix release\.
+
+<a id="minor-changes-31"></a>
+### Minor Changes
+
+* Add the modules docker\_container\_exec\, docker\_image\_load and docker\_plugin to the <code>docker</code> module defaults group \([https\://github\.com/ansible\-collections/community\.docker/pull/209](https\://github\.com/ansible\-collections/community\.docker/pull/209)\)\.
+* docker\_config \- add option <code>data\_src</code> to read configuration data from target \([https\://github\.com/ansible\-collections/community\.docker/issues/64](https\://github\.com/ansible\-collections/community\.docker/issues/64)\, [https\://github\.com/ansible\-collections/community\.docker/pull/203](https\://github\.com/ansible\-collections/community\.docker/pull/203)\)\.
+* docker\_secret \- add option <code>data\_src</code> to read secret data from target \([https\://github\.com/ansible\-collections/community\.docker/issues/64](https\://github\.com/ansible\-collections/community\.docker/issues/64)\, [https\://github\.com/ansible\-collections/community\.docker/pull/203](https\://github\.com/ansible\-collections/community\.docker/pull/203)\)\.
+
+<a id="v1-9-1"></a>
+## v1\.9\.1
+
+<a id="release-summary-74"></a>
+### Release Summary
+
+Regular bugfix release\.
+
+<a id="bugfixes-58"></a>
+### Bugfixes
+
+* docker\_compose \- fixed incorrect <code>changed</code> status for services with <code>profiles</code> defined\, but none enabled \([https\://github\.com/ansible\-collections/community\.docker/pull/192](https\://github\.com/ansible\-collections/community\.docker/pull/192)\)\.
+
+<a id="v1-9-0"></a>
+## v1\.9\.0
+
+<a id="release-summary-75"></a>
+### Release Summary
+
+New bugfixes and features release\.
+
+<a id="minor-changes-32"></a>
+### Minor Changes
+
+* docker\_\* modules \- include <code>ImportError</code> traceback when reporting that Docker SDK for Python could not be found \([https\://github\.com/ansible\-collections/community\.docker/pull/188](https\://github\.com/ansible\-collections/community\.docker/pull/188)\)\.
+* docker\_compose \- added <code>env\_file</code> option for specifying custom environment files \([https\://github\.com/ansible\-collections/community\.docker/pull/174](https\://github\.com/ansible\-collections/community\.docker/pull/174)\)\.
+* docker\_container \- added <code>publish\_all\_ports</code> option to publish all exposed ports to random ports except those explicitly bound with <code>published\_ports</code> \(this was already added in community\.docker 1\.8\.0\) \([https\://github\.com/ansible\-collections/community\.docker/pull/162](https\://github\.com/ansible\-collections/community\.docker/pull/162)\)\.
+* docker\_container \- added new <code>command\_handling</code> option with current deprecated default value <code>compatibility</code> which allows to control how the module handles shell quoting when interpreting lists\, and how the module handles empty lists/strings\. The default will switch to <code>correct</code> in community\.docker 3\.0\.0 \([https\://github\.com/ansible\-collections/community\.docker/pull/186](https\://github\.com/ansible\-collections/community\.docker/pull/186)\)\.
+* docker\_container \- lifted restriction preventing the creation of anonymous volumes with the <code>mounts</code> option \([https\://github\.com/ansible\-collections/community\.docker/pull/181](https\://github\.com/ansible\-collections/community\.docker/pull/181)\)\.
+
+<a id="deprecated-features-7"></a>
+### Deprecated Features
+
+* docker\_container \- the new <code>command\_handling</code>\'s default value\, <code>compatibility</code>\, is deprecated and will change to <code>correct</code> in community\.docker 3\.0\.0\. A deprecation warning is emitted by the module in cases where the behavior will change\. Please note that ansible\-core will output a deprecation warning only once\, so if it is shown for an earlier task\, there could be more tasks with this warning where it is not shown \([https\://github\.com/ansible\-collections/community\.docker/pull/186](https\://github\.com/ansible\-collections/community\.docker/pull/186)\)\.
+
+<a id="bugfixes-59"></a>
+### Bugfixes
+
+* docker\_compose \- fixes task failures when bringing up services while using <code>docker\-compose \<1\.17\.0</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/180](https\://github\.com/ansible\-collections/community\.docker/issues/180)\)\.
+* docker\_container \- make sure to also return <code>container</code> on <code>detached\=false</code> when status code is non\-zero \([https\://github\.com/ansible\-collections/community\.docker/pull/178](https\://github\.com/ansible\-collections/community\.docker/pull/178)\)\.
+* docker\_stack\_info \- make sure that module isn\'t skipped in check mode \([https\://github\.com/ansible\-collections/community\.docker/pull/183](https\://github\.com/ansible\-collections/community\.docker/pull/183)\)\.
+* docker\_stack\_task\_info \- make sure that module isn\'t skipped in check mode \([https\://github\.com/ansible\-collections/community\.docker/pull/183](https\://github\.com/ansible\-collections/community\.docker/pull/183)\)\.
+
+<a id="new-plugins"></a>
+### New Plugins
+
+<a id="connection"></a>
+#### Connection
+
+* community\.docker\.nsenter \- execute on host running controller container
+
+<a id="v1-8-0"></a>
+## v1\.8\.0
+
+<a id="release-summary-76"></a>
+### Release Summary
+
+Regular bugfix and feature release\.
+
+<a id="minor-changes-33"></a>
+### Minor Changes
+
+* Avoid internal ansible\-core module\_utils in favor of equivalent public API available since at least Ansible 2\.9 \([https\://github\.com/ansible\-collections/community\.docker/pull/164](https\://github\.com/ansible\-collections/community\.docker/pull/164)\)\.
+* docker\_compose \- added <code>profiles</code> option to specify service profiles when starting services \([https\://github\.com/ansible\-collections/community\.docker/pull/167](https\://github\.com/ansible\-collections/community\.docker/pull/167)\)\.
+* docker\_containers inventory plugin \- when <code>connection\_type\=docker\-api</code>\, now pass Docker daemon connection options from inventory plugin to connection plugin\. This can be disabled by setting <code>configure\_docker\_daemon\=false</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/157](https\://github\.com/ansible\-collections/community\.docker/pull/157)\)\.
+* docker\_host\_info \- allow values for keys in <code>containers\_filters</code>\, <code>images\_filters</code>\, <code>networks\_filters</code>\, and <code>volumes\_filters</code> to be passed as YAML lists \([https\://github\.com/ansible\-collections/community\.docker/pull/160](https\://github\.com/ansible\-collections/community\.docker/pull/160)\)\.
+* docker\_plugin \- added <code>alias</code> option to specify local names for docker plugins \([https\://github\.com/ansible\-collections/community\.docker/pull/161](https\://github\.com/ansible\-collections/community\.docker/pull/161)\)\.
+
+<a id="bugfixes-60"></a>
+### Bugfixes
+
+* docker\_compose \- fix idempotence bug when using <code>stopped\: true</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/142](https\://github\.com/ansible\-collections/community\.docker/issues/142)\, [https\://github\.com/ansible\-collections/community\.docker/pull/159](https\://github\.com/ansible\-collections/community\.docker/pull/159)\)\.
+
+<a id="v1-7-0"></a>
+## v1\.7\.0
+
+<a id="release-summary-77"></a>
+### Release Summary
+
+Small feature and bugfix release\.
+
+<a id="minor-changes-34"></a>
+### Minor Changes
+
+* docker\_image \- allow to tag images by ID \([https\://github\.com/ansible\-collections/community\.docker/pull/149](https\://github\.com/ansible\-collections/community\.docker/pull/149)\)\.
+
+<a id="v1-6-1"></a>
+## v1\.6\.1
+
+<a id="release-summary-78"></a>
+### Release Summary
+
+Bugfix release to reduce deprecation warning spam\.
+
+<a id="bugfixes-61"></a>
+### Bugfixes
+
+* docker\_\* modules and plugins\, except <code>docker\_swarm</code> connection plugin and <code>docker\_compose</code> and <code>docker\_stack\*\` modules \- only emit \`\`tls\_hostname</code> deprecation message if TLS is actually used \([https\://github\.com/ansible\-collections/community\.docker/pull/143](https\://github\.com/ansible\-collections/community\.docker/pull/143)\)\.
+
+<a id="v1-6-0"></a>
+## v1\.6\.0
+
+<a id="release-summary-79"></a>
+### Release Summary
+
+Regular bugfix and feature release\.
+
+<a id="minor-changes-35"></a>
+### Minor Changes
+
+* common module utils \- correct error messages for guiding to install proper Docker SDK for Python module \([https\://github\.com/ansible\-collections/community\.docker/pull/125](https\://github\.com/ansible\-collections/community\.docker/pull/125)\)\.
+* docker\_container \- allow <code>memory\_swap\: \-1</code> to set memory swap limit to unlimited\. This is useful when the user cannot set memory swap limits due to cgroup limitations or other reasons\, as by default Docker will try to set swap usage to two times the value of <code>memory</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/138](https\://github\.com/ansible\-collections/community\.docker/pull/138)\)\.
+
+<a id="deprecated-features-8"></a>
+### Deprecated Features
+
+* docker\_\* modules and plugins\, except <code>docker\_swarm</code> connection plugin and <code>docker\_compose</code> and <code>docker\_stack\*\` modules \- the current default \`\`localhost</code> for <code>tls\_hostname</code> is deprecated\. In community\.docker 2\.0\.0 it will be computed from <code>docker\_host</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/134](https\://github\.com/ansible\-collections/community\.docker/pull/134)\)\.
+
+<a id="bugfixes-62"></a>
+### Bugfixes
+
+* docker\-compose \- fix not pulling when <code>state\: present</code> and <code>stopped\: true</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/12](https\://github\.com/ansible\-collections/community\.docker/issues/12)\, [https\://github\.com/ansible\-collections/community\.docker/pull/119](https\://github\.com/ansible\-collections/community\.docker/pull/119)\)\.
+* docker\_plugin \- also configure plugin after installing \([https\://github\.com/ansible\-collections/community\.docker/issues/118](https\://github\.com/ansible\-collections/community\.docker/issues/118)\, [https\://github\.com/ansible\-collections/community\.docker/pull/135](https\://github\.com/ansible\-collections/community\.docker/pull/135)\)\.
+* docker\_swarm\_services \- avoid crash during idempotence check if <code>published\_port</code> is not specified \([https\://github\.com/ansible\-collections/community\.docker/issues/107](https\://github\.com/ansible\-collections/community\.docker/issues/107)\, [https\://github\.com/ansible\-collections/community\.docker/pull/136](https\://github\.com/ansible\-collections/community\.docker/pull/136)\)\.
+
+<a id="v1-5-0"></a>
+## v1\.5\.0
+
+<a id="release-summary-80"></a>
+### Release Summary
+
+Regular feature release\.
+
+<a id="minor-changes-36"></a>
+### Minor Changes
+
+* Add the <code>use\_ssh\_client</code> option to most docker modules and plugins \([https\://github\.com/ansible\-collections/community\.docker/issues/108](https\://github\.com/ansible\-collections/community\.docker/issues/108)\, [https\://github\.com/ansible\-collections/community\.docker/pull/114](https\://github\.com/ansible\-collections/community\.docker/pull/114)\)\.
+
+<a id="bugfixes-63"></a>
+### Bugfixes
+
+* all modules \- use <code>to\_native</code> to convert exceptions to strings \([https\://github\.com/ansible\-collections/community\.docker/pull/121](https\://github\.com/ansible\-collections/community\.docker/pull/121)\)\.
+
+<a id="new-modules-5"></a>
+### New Modules
+
+* community\.docker\.docker\_container\_exec \- Execute command in a docker container
+
+<a id="v1-4-0"></a>
+## v1\.4\.0
+
+<a id="release-summary-81"></a>
+### Release Summary
+
+Security release to address another potential secret leak\. Also includes regular bugfixes and features\.
+
+<a id="minor-changes-37"></a>
+### Minor Changes
+
+* docker\_swarm\_service \- change <code>publish\.published\_port</code> option from mandatory to optional\. Docker will assign random high port if not specified \([https\://github\.com/ansible\-collections/community\.docker/issues/99](https\://github\.com/ansible\-collections/community\.docker/issues/99)\)\.
+
+<a id="breaking-changes--porting-guide-4"></a>
+### Breaking Changes / Porting Guide
+
+* docker\_swarm \- if <code>join\_token</code> is specified\, a returned join token with the same value will be replaced by <code>VALUE\_SPECIFIED\_IN\_NO\_LOG\_PARAMETER</code>\. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with <code>join\_token</code> specified\! This breaking change appears in a minor release since it is necessary to fix a security issue \([https\://github\.com/ansible\-collections/community\.docker/pull/103](https\://github\.com/ansible\-collections/community\.docker/pull/103)\)\.
+
+<a id="security-fixes-2"></a>
+### Security Fixes
+
+* docker\_swarm \- the <code>join\_token</code> option is now marked as <code>no\_log</code> so it is no longer written into logs \([https\://github\.com/ansible\-collections/community\.docker/pull/103](https\://github\.com/ansible\-collections/community\.docker/pull/103)\)\.
+
+<a id="bugfixes-64"></a>
+### Bugfixes
+
+* <code>docker\_swarm\_service</code> \- fix KeyError on caused by reference to deprecated option <code>update\_failure\_action</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/100](https\://github\.com/ansible\-collections/community\.docker/pull/100)\)\.
+* docker\_swarm\_service \- mark <code>secrets</code> module option with <code>no\_log\=False</code> since it does not leak secrets \([https\://github\.com/ansible\-collections/community\.general/pull/2001](https\://github\.com/ansible\-collections/community\.general/pull/2001)\)\.
+
+<a id="v1-3-0"></a>
+## v1\.3\.0
+
+<a id="release-summary-82"></a>
+### Release Summary
+
+Regular feature and bugfix release\.
+
+<a id="minor-changes-38"></a>
+### Minor Changes
+
+* docker\_container \- add <code>storage\_opts</code> option to specify storage options \([https\://github\.com/ansible\-collections/community\.docker/issues/91](https\://github\.com/ansible\-collections/community\.docker/issues/91)\, [https\://github\.com/ansible\-collections/community\.docker/pull/93](https\://github\.com/ansible\-collections/community\.docker/pull/93)\)\.
+* docker\_image \- allows to specify platform to pull for <code>source\=pull</code> with new option <code>pull\_platform</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/79](https\://github\.com/ansible\-collections/community\.docker/issues/79)\, [https\://github\.com/ansible\-collections/community\.docker/pull/89](https\://github\.com/ansible\-collections/community\.docker/pull/89)\)\.
+* docker\_image \- properly support image IDs \(hashes\) for loading and tagging images \([https\://github\.com/ansible\-collections/community\.docker/issues/86](https\://github\.com/ansible\-collections/community\.docker/issues/86)\, [https\://github\.com/ansible\-collections/community\.docker/pull/87](https\://github\.com/ansible\-collections/community\.docker/pull/87)\)\.
+* docker\_swarm\_service \- adding support for maximum number of tasks per node \(<code>replicas\_max\_per\_node</code>\) when running swarm service in replicated mode\. Introduced in API 1\.40 \([https\://github\.com/ansible\-collections/community\.docker/issues/7](https\://github\.com/ansible\-collections/community\.docker/issues/7)\, [https\://github\.com/ansible\-collections/community\.docker/pull/92](https\://github\.com/ansible\-collections/community\.docker/pull/92)\)\.
+
+<a id="bugfixes-65"></a>
+### Bugfixes
+
+* docker\_container \- fix healthcheck disabling idempotency issue with strict comparison \([https\://github\.com/ansible\-collections/community\.docker/issues/85](https\://github\.com/ansible\-collections/community\.docker/issues/85)\)\.
+* docker\_image \- prevent module failure when removing image that is removed between inspection and removal \([https\://github\.com/ansible\-collections/community\.docker/pull/87](https\://github\.com/ansible\-collections/community\.docker/pull/87)\)\.
+* docker\_image \- prevent module failure when removing non\-existent image by ID \([https\://github\.com/ansible\-collections/community\.docker/pull/87](https\://github\.com/ansible\-collections/community\.docker/pull/87)\)\.
+* docker\_image\_info \- prevent module failure when image vanishes between listing and inspection \([https\://github\.com/ansible\-collections/community\.docker/pull/87](https\://github\.com/ansible\-collections/community\.docker/pull/87)\)\.
+* docker\_image\_info \- prevent module failure when querying non\-existent image by ID \([https\://github\.com/ansible\-collections/community\.docker/pull/87](https\://github\.com/ansible\-collections/community\.docker/pull/87)\)\.
+
+<a id="new-modules-6"></a>
+### New Modules
+
+* community\.docker\.docker\_image\_load \- Load docker image\(s\) from archives
+* community\.docker\.docker\_plugin \- Manage Docker plugins
+
+<a id="v1-2-2"></a>
+## v1\.2\.2
+
+<a id="release-summary-83"></a>
+### Release Summary
+
+Security bugfix release to address CVE\-2021\-20191\.
+
+<a id="security-fixes-3"></a>
+### Security Fixes
+
+* docker\_swarm \- enabled <code>no\_log</code> for the option <code>signing\_ca\_key</code> to prevent accidental disclosure \(CVE\-2021\-20191\, [https\://github\.com/ansible\-collections/community\.docker/pull/80](https\://github\.com/ansible\-collections/community\.docker/pull/80)\)\.
+
+<a id="v1-2-1"></a>
+## v1\.2\.1
+
+<a id="release-summary-84"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-66"></a>
+### Bugfixes
+
+* docker connection plugin \- fix Docker version parsing\, as some docker versions have a leading <code>v</code> in the output of the command <code>docker version \-\-format \"\{\{\.Server\.Version\}\}\"</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/76](https\://github\.com/ansible\-collections/community\.docker/pull/76)\)\.
+
+<a id="v1-2-0"></a>
+## v1\.2\.0
+
+<a id="release-summary-85"></a>
+### Release Summary
+
+Feature release with one new feature and two bugfixes\.
+
+<a id="minor-changes-39"></a>
+### Minor Changes
+
+* docker\_container \- added <code>default\_host\_ip</code> option which allows to explicitly set the default IP string for published ports without explicitly specified IPs\. When using IPv6 binds with Docker 20\.10\.2 or newer\, this needs to be set to an empty string \(<code>\"\"</code>\) \([https\://github\.com/ansible\-collections/community\.docker/issues/70](https\://github\.com/ansible\-collections/community\.docker/issues/70)\, [https\://github\.com/ansible\-collections/community\.docker/pull/71](https\://github\.com/ansible\-collections/community\.docker/pull/71)\)\.
+
+<a id="bugfixes-67"></a>
+### Bugfixes
+
+* docker\_container \- allow IPv6 zones \(RFC 4007\) in bind IPs \([https\://github\.com/ansible\-collections/community\.docker/pull/66](https\://github\.com/ansible\-collections/community\.docker/pull/66)\)\.
+* docker\_image \- fix crash on loading images with versions of Docker SDK for Python before 2\.5\.0 \([https\://github\.com/ansible\-collections/community\.docker/issues/72](https\://github\.com/ansible\-collections/community\.docker/issues/72)\, [https\://github\.com/ansible\-collections/community\.docker/pull/73](https\://github\.com/ansible\-collections/community\.docker/pull/73)\)\.
+
+<a id="v1-1-0"></a>
+## v1\.1\.0
+
+<a id="release-summary-86"></a>
+### Release Summary
+
+Feature release with three new plugins and modules\.
+
+<a id="minor-changes-40"></a>
+### Minor Changes
+
+* docker\_container \- support specifying <code>cgroup\_parent</code> \([https\://github\.com/ansible\-collections/community\.docker/issues/6](https\://github\.com/ansible\-collections/community\.docker/issues/6)\, [https\://github\.com/ansible\-collections/community\.docker/pull/59](https\://github\.com/ansible\-collections/community\.docker/pull/59)\)\.
+* docker\_container \- when a container is started with <code>detached\=false</code>\, <code>status</code> is now also returned when it is 0 \([https\://github\.com/ansible\-collections/community\.docker/issues/26](https\://github\.com/ansible\-collections/community\.docker/issues/26)\, [https\://github\.com/ansible\-collections/community\.docker/pull/58](https\://github\.com/ansible\-collections/community\.docker/pull/58)\)\.
+* docker\_image \- support <code>platform</code> when building images \([https\://github\.com/ansible\-collections/community\.docker/issues/22](https\://github\.com/ansible\-collections/community\.docker/issues/22)\, [https\://github\.com/ansible\-collections/community\.docker/pull/54](https\://github\.com/ansible\-collections/community\.docker/pull/54)\)\.
+
+<a id="deprecated-features-9"></a>
+### Deprecated Features
+
+* docker\_container \- currently <code>published\_ports</code> can contain port mappings next to the special value <code>all</code>\, in which case the port mappings are ignored\. This behavior is deprecated for community\.docker 2\.0\.0\, at which point it will either be forbidden\, or this behavior will be properly implemented similar to how the Docker CLI tool handles this \([https\://github\.com/ansible\-collections/community\.docker/issues/8](https\://github\.com/ansible\-collections/community\.docker/issues/8)\, [https\://github\.com/ansible\-collections/community\.docker/pull/60](https\://github\.com/ansible\-collections/community\.docker/pull/60)\)\.
+
+<a id="bugfixes-68"></a>
+### Bugfixes
+
+* docker\_image \- if <code>push\=true</code> is used with <code>repository</code>\, and the image does not need to be tagged\, still push\. This can happen if <code>repository</code> and <code>name</code> are equal \([https\://github\.com/ansible\-collections/community\.docker/issues/52](https\://github\.com/ansible\-collections/community\.docker/issues/52)\, [https\://github\.com/ansible\-collections/community\.docker/pull/53](https\://github\.com/ansible\-collections/community\.docker/pull/53)\)\.
+* docker\_image \- report error when loading a broken archive that contains no image \([https\://github\.com/ansible\-collections/community\.docker/issues/46](https\://github\.com/ansible\-collections/community\.docker/issues/46)\, [https\://github\.com/ansible\-collections/community\.docker/pull/55](https\://github\.com/ansible\-collections/community\.docker/pull/55)\)\.
+* docker\_image \- report error when the loaded archive does not contain the specified image \([https\://github\.com/ansible\-collections/community\.docker/issues/41](https\://github\.com/ansible\-collections/community\.docker/issues/41)\, [https\://github\.com/ansible\-collections/community\.docker/pull/55](https\://github\.com/ansible\-collections/community\.docker/pull/55)\)\.
+
+<a id="new-plugins-1"></a>
+### New Plugins
+
+<a id="connection-1"></a>
+#### Connection
+
+* community\.docker\.docker\_api \- Run tasks in docker containers
+
+<a id="inventory"></a>
+#### Inventory
+
+* community\.docker\.docker\_containers \- Ansible dynamic inventory plugin for Docker containers\.
+
+<a id="new-modules-7"></a>
+### New Modules
+
+* community\.docker\.current\_container\_facts \- Return facts about whether the module runs in a Docker container
+
+<a id="v1-0-1"></a>
+## v1\.0\.1
+
+<a id="release-summary-87"></a>
+### Release Summary
+
+Maintenance release with a bugfix for <code>docker\_container</code>\.
+
+<a id="bugfixes-69"></a>
+### Bugfixes
+
+* docker\_container \- the validation for <code>capabilities</code> in <code>device\_requests</code> was incorrect \([https\://github\.com/ansible\-collections/community\.docker/issues/42](https\://github\.com/ansible\-collections/community\.docker/issues/42)\, [https\://github\.com/ansible\-collections/community\.docker/pull/43](https\://github\.com/ansible\-collections/community\.docker/pull/43)\)\.
+
+<a id="v1-0-0"></a>
+## v1\.0\.0
+
+<a id="release-summary-88"></a>
+### Release Summary
+
+This is the first production \(non\-prerelease\) release of <code>community\.docker</code>\.
+
+<a id="minor-changes-41"></a>
+### Minor Changes
+
+* Add collection\-side support of the <code>docker</code> action group / module defaults group \([https\://github\.com/ansible\-collections/community\.docker/pull/17](https\://github\.com/ansible\-collections/community\.docker/pull/17)\)\.
+* docker\_image \- return docker build output \([https\://github\.com/ansible\-collections/community\.general/pull/805](https\://github\.com/ansible\-collections/community\.general/pull/805)\)\.
+* docker\_secret \- add a warning when the secret does not have an <code>ansible\_key</code> label but the <code>force</code> parameter is not set \([https\://github\.com/ansible\-collections/community\.docker/issues/30](https\://github\.com/ansible\-collections/community\.docker/issues/30)\, [https\://github\.com/ansible\-collections/community\.docker/pull/31](https\://github\.com/ansible\-collections/community\.docker/pull/31)\)\.
+
+<a id="v0-1-0"></a>
+## v0\.1\.0
+
+<a id="release-summary-89"></a>
+### Release Summary
+
+The <code>community\.docker</code> continues the work on the Ansible docker modules and plugins from their state in <code>community\.general</code> 1\.2\.0\. The changes listed here are thus relative to the modules and plugins <code>community\.general\.docker\*</code>\.
+
+All deprecation removals planned for <code>community\.general</code> 2\.0\.0 have been applied\. All deprecation removals scheduled for <code>community\.general</code> 3\.0\.0 have been re\-scheduled for <code>community\.docker</code> 2\.0\.0\.
+
+<a id="minor-changes-42"></a>
+### Minor Changes
+
+* docker\_container \- now supports the <code>device\_requests</code> option\, which allows to request additional resources such as GPUs \([https\://github\.com/ansible/ansible/issues/65748](https\://github\.com/ansible/ansible/issues/65748)\, [https\://github\.com/ansible\-collections/community\.general/pull/1119](https\://github\.com/ansible\-collections/community\.general/pull/1119)\)\.
+
+<a id="removed-features-previously-deprecated-4"></a>
+### Removed Features \(previously deprecated\)
+
+* docker\_container \- no longer returns <code>ansible\_facts</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_container \- the default of <code>networks\_cli\_compatible</code> changed to <code>true</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_container \- the unused option <code>trust\_image\_content</code> has been removed \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- <code>state\=build</code> has been removed\. Use <code>present</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- the <code>container\_limits</code>\, <code>dockerfile</code>\, <code>http\_timeout</code>\, <code>nocache</code>\, <code>rm</code>\, <code>path</code>\, <code>buildargs</code>\, <code>pull</code> have been removed\. Use the corresponding suboptions of <code>build</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- the <code>force</code> option has been removed\. Use the more specific <code>force\_\*</code> options instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- the <code>source</code> option is now mandatory \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- the <code>use\_tls</code> option has been removed\. Use <code>tls</code> and <code>validate\_certs</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image \- the default of the <code>build\.pull</code> option changed to <code>false</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_image\_facts \- this alias is on longer available\, use <code>docker\_image\_info</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_network \- no longer returns <code>ansible\_facts</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_network \- the <code>ipam\_options</code> option has been removed\. Use <code>ipam\_config</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_service \- no longer returns <code>ansible\_facts</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm \- <code>state\=inspect</code> has been removed\. Use <code>docker\_swarm\_info</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>constraints</code> option has been removed\. Use <code>placement\.constraints</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>limit\_cpu</code> and <code>limit\_memory</code> options has been removed\. Use the corresponding suboptions in <code>limits</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>log\_driver</code> and <code>log\_driver\_options</code> options has been removed\. Use the corresponding suboptions in <code>logging</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>reserve\_cpu</code> and <code>reserve\_memory</code> options has been removed\. Use the corresponding suboptions in <code>reservations</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>restart\_policy</code>\, <code>restart\_policy\_attempts</code>\, <code>restart\_policy\_delay</code> and <code>restart\_policy\_window</code> options has been removed\. Use the corresponding suboptions in <code>restart\_config</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_swarm\_service \- the <code>update\_delay</code>\, <code>update\_parallelism</code>\, <code>update\_failure\_action</code>\, <code>update\_monitor</code>\, <code>update\_max\_failure\_ratio</code> and <code>update\_order</code> options has been removed\. Use the corresponding suboptions in <code>update\_config</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_volume \- no longer returns <code>ansible\_facts</code> \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+* docker\_volume \- the <code>force</code> option has been removed\. Use <code>recreate</code> instead \([https\://github\.com/ansible\-collections/community\.docker/pull/1](https\://github\.com/ansible\-collections/community\.docker/pull/1)\)\.
+
+<a id="bugfixes-70"></a>
+### Bugfixes
+
+* docker\_login \- fix internal config file storage to handle credentials for more than one registry \([https\://github\.com/ansible\-collections/community\.general/issues/1117](https\://github\.com/ansible\-collections/community\.general/issues/1117)\)\.
diff --git a/ansible_collections/community/docker/CHANGELOG.md.license b/ansible_collections/community/docker/CHANGELOG.md.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/CHANGELOG.md.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/CHANGELOG.rst b/ansible_collections/community/docker/CHANGELOG.rst
new file mode 100644
index 00000000..28dfbb4a
--- /dev/null
+++ b/ansible_collections/community/docker/CHANGELOG.rst
@@ -0,0 +1,1785 @@
+=========================================
+Docker Community Collection Release Notes
+=========================================
+
+.. contents:: Topics
+
+v5.0.5
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- modules and plugins using the Docker SDK for Python - do not automatically set ``tls_hostname`` when ``validate_certs=true`` for Docker SDK for Python 7.0.0+ (https://github.com/ansible-collections/community.docker/issues/1225, https://github.com/ansible-collections/community.docker/pull/1226).
+
+v5.0.4
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- CLI-based modules - when parsing JSON output fails, also provide standard error output. Also provide information on the command and its result in machine-readable way (https://github.com/ansible-collections/community.docker/issues/1216, https://github.com/ansible-collections/community.docker/pull/1221).
+- docker_compose_v2, docker_compose_v2_pull - adjust parsing from image pull events to changes in Docker Compose 5.0.0 (https://github.com/ansible-collections/community.docker/pull/1219).
+
+v5.0.3
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_container - when the same port is mapped more than once for the same protocol without specifying an interface, a bug caused an invalid value to be passed for the interface (https://github.com/ansible-collections/community.docker/issues/1213, https://github.com/ansible-collections/community.docker/pull/1214).
+
+v5.0.2
+======
+
+Release Summary
+---------------
+
+Bugfix release for Docker 29.
+
+Bugfixes
+--------
+
+- Docker CLI based modules - work around bug in Docker 29.0.0 that caused a breaking change in ``docker version --format json`` output (https://github.com/ansible-collections/community.docker/issues/1185, https://github.com/ansible-collections/community.docker/pull/1187).
+- docker_container - fix ``pull`` idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+- docker_container - fix handling of exposed port ranges. So far, the module used an undocumented feature of Docker that was removed from Docker 29.0.0, that allowed to pass the range to the deamon and let handle it. Now the module explodes ranges into a list of all contained ports, same as the Docker CLI does. For backwards compatibility with Docker < 29.0.0, it also explodes ranges returned by the API for existing containers so that comparison should only indicate a difference if the ranges actually change (https://github.com/ansible-collections/community.docker/pull/1192).
+- docker_container - fix idempotency for IPv6 addresses with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+- docker_image - fix ``source=pull`` idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+- docker_image, docker_image_push - adjust image push detection to Docker 29 (https://github.com/ansible-collections/community.docker/pull/1199).
+- docker_image_pull - fix idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+- docker_network - fix idempotency for IPv6 addresses and networks with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1201).
+
+Known Issues
+------------
+
+- docker_image, docker_image_export - idempotency for archiving images depends on whether the image IDs used by the image storage backend correspond to the IDs used in the tarball's ``manifest.json`` files. The new default backend in Docker 29 apparently uses image IDs that no longer correspond, whence idempotency no longer works (https://github.com/ansible-collections/community.docker/pull/1199).
+
+v5.0.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2_run - when ``detach=true``, ensure that the returned container ID is not a bytes string (https://github.com/ansible-collections/community.docker/pull/1183).
+- docker_image - fix 'Cannot locate specified Dockerfile' error (https://github.com/ansible-collections/community.docker/pull/1184).
+
+v5.0.0
+======
+
+Release Summary
+---------------
+
+New major release.
+
+The main changes are that the collection dropped support for some ansible-core
+versions that are End of Life, and thus dropped support for Python 2.7.
+This allowed to modernize the Python code, in particular with type hints.
+Also all module and plugin utils are now private to the collection, which
+makes it easier to refactor code. All these changes should have no effect on
+end-users.
+
+Minor Changes
+-------------
+
+- docker_container - add ``driver_opts`` option in ``networks`` (https://github.com/ansible-collections/community.docker/issues/1142, https://github.com/ansible-collections/community.docker/pull/1143).
+- docker_container - add ``gw_priority`` option in ``networks`` (https://github.com/ansible-collections/community.docker/issues/1142, https://github.com/ansible-collections/community.docker/pull/1143).
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- All doc fragments, module utils, and plugin utils are from now on private. They can change at any time, and have breaking changes even in bugfix releases (https://github.com/ansible-collections/community.docker/pull/1144).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- Remove support for Docker SDK for Python version 1.x.y, also known as ``docker-py``. Modules and plugins that use Docker SDK for Python require version 2.0.0+ (https://github.com/ansible-collections/community.docker/pull/1171).
+- The collection no longer supports Python 3.6 and before. Note that this coincides with the Python requirements of ansible-core 2.17+ (https://github.com/ansible-collections/community.docker/pull/1123).
+- The collection no longer supports ansible-core 2.15 and 2.16. You need ansible-core 2.17.0 or newer to use community.docker 5.x.y (https://github.com/ansible-collections/community.docker/pull/1123).
+
+Bugfixes
+--------
+
+- docker connection plugin - fix crash instead of warning if Docker version does not support ``remote_user`` (https://github.com/ansible-collections/community.docker/pull/1161).
+- docker, nsenter connection plugins - fix handling of ``become`` plugin password prompt handling in case multiple events arrive at the same time (https://github.com/ansible-collections/community.docker/pull/1158).
+- docker_api connection plugin - fix bug that could lead to loss of data when waiting for ``become`` plugin prompt (https://github.com/ansible-collections/community.docker/pull/1152).
+- docker_compose_v2_exec - fix crash instead of reporting error if ``detach=true`` and ``stdin`` is provided (https://github.com/ansible-collections/community.docker/pull/1161).
+- docker_compose_v2_run - fix crash instead of reporting error if ``detach=true`` and ``stdin`` is provided (https://github.com/ansible-collections/community.docker/pull/1161).
+- docker_container_exec - fix bug that could lead to loss of stdout/stderr data (https://github.com/ansible-collections/community.docker/pull/1152).
+- docker_container_exec - make ``detach=true`` work. So far this resulted in no execution being done (https://github.com/ansible-collections/community.docker/pull/1145).
+- docker_plugin - fix diff mode for plugin options (https://github.com/ansible-collections/community.docker/pull/1146).
+
+v4.8.1
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Minor Changes
+-------------
+
+- Note that some new code in ``plugins/module_utils/_six.py`` is MIT licensed (https://github.com/ansible-collections/community.docker/pull/1138).
+
+Bugfixes
+--------
+
+- Avoid remaining usages of deprecated ``ansible.module_utils.six`` (https://github.com/ansible-collections/community.docker/pull/1133).
+- Avoid usage of deprecated ``ansible.module_utils.six`` in all code that does not have to support Python 2 (https://github.com/ansible-collections/community.docker/pull/1137, https://github.com/ansible-collections/community.docker/pull/1139).
+- Avoid usage of deprecated ``ansible.module_utils.six`` in some of the code that still supports Python 2 (https://github.com/ansible-collections/community.docker/pull/1138).
+
+v4.8.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_container - support missing fields and new mount types in ``mounts`` (https://github.com/ansible-collections/community.docker/issues/1129, https://github.com/ansible-collections/community.docker/pull/1134).
+
+Bugfixes
+--------
+
+- Avoid deprecated functionality in ansible-core 2.20 (https://github.com/ansible-collections/community.docker/pull/1117).
+
+v4.7.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_swarm_service - add support for ``replicated-job`` mode for Swarm services (https://github.com/ansible-collections/community.docker/issues/626, https://github.com/ansible-collections/community.docker/pull/1108).
+
+Bugfixes
+--------
+
+- docker_image, docker_image_push - work around a bug in Docker 28.3.3 that prevents pushing without authentication to a registry (https://github.com/ansible-collections/community.docker/pull/1110).
+
+v4.6.2
+======
+
+Release Summary
+---------------
+
+Bugfix release for Docker Compose 2.39.0+.
+
+Bugfixes
+--------
+
+- docker_compose_v2 - adjust to new dry-run build events in Docker Compose 2.39.0+ (https://github.com/ansible-collections/community.docker/pull/1101).
+
+v4.6.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2 - handle a (potentially unintentional) breaking change in Docker Compose 2.37.0. Note that ``ContainerName`` is no longer part of the return value (https://github.com/ansible-collections/community.docker/issues/1082, https://github.com/ansible-collections/community.docker/pull/1083).
+- docker_container - fix idempotency if ``command=[]`` and ``command_handling=correct`` (https://github.com/ansible-collections/community.docker/issues/1080, https://github.com/ansible-collections/community.docker/pull/1085).
+
+v4.6.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- docker_container_copy_into - add ``mode_parse`` parameter which determines how ``mode`` is parsed (https://github.com/ansible-collections/community.docker/pull/1074).
+
+v4.5.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2 - fix version check for ``assume_yes`` (https://github.com/ansible-collections/community.docker/pull/1054).
+- docker_compose_v2 - use ``--yes`` instead of ``-y`` from Docker Compose 2.34.0 on (https://github.com/ansible-collections/community.docker/pull/1060).
+
+v4.5.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2 - rename flag for ``assume_yes`` parameter for ``docker compose up`` to ``-y`` (https://github.com/ansible-collections/community.docker/pull/1054).
+
+v4.5.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- docker_compose_v2 - add ``assume_yes`` parameter for ``docker compose up`` (https://github.com/ansible-collections/community.docker/pull/1045).
+- docker_network - add ``enable_ipv4`` option (https://github.com/ansible-collections/community.docker/issues/1047, https://github.com/ansible-collections/community.docker/pull/1049).
+
+v4.4.0
+======
+
+Release Summary
+---------------
+
+Feature and bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2_run - the module has a conflict between the type of parameter it expects and the one it tries to sanitize. Fix removes the label sanitization step because they are already validated by the parameter definition (https://github.com/ansible-collections/community.docker/pull/1034).
+- vendored Docker SDK for Python - do not assume that ``KeyError`` is always for ``ApiVersion`` when querying version fails (https://github.com/ansible-collections/community.docker/issues/1033, https://github.com/ansible-collections/community.docker/pull/1034).
+
+New Modules
+-----------
+
+- community.docker.docker_context_info - Retrieve information on Docker contexts for the current user.
+
+v4.3.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- Fix label sanitization code to avoid crashes in case of errors (https://github.com/ansible-collections/community.docker/issues/1028, https://github.com/ansible-collections/community.docker/pull/1029).
+
+v4.3.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- docker_compose_v2* modules - determine compose version with ``docker compose version`` and only then fall back to ``docker info`` (https://github.com/ansible-collections/community.docker/pull/1021).
+
+v4.2.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_compose_v2 - add ``ignore_build_events`` option (default value ``true``) which allows to (not) ignore build events for change detection (https://github.com/ansible-collections/community.docker/issues/1005, https://github.com/ansible-collections/community.docker/issues/pull/1011).
+- docker_image_build - ``outputs[].name`` can now be a list of strings (https://github.com/ansible-collections/community.docker/pull/1006).
+- docker_image_build - the executed command is now returned in the ``command`` return value in case of success and some errors (https://github.com/ansible-collections/community.docker/pull/1006).
+- docker_network - added ``ingress`` option (https://github.com/ansible-collections/community.docker/pull/999).
+
+Bugfixes
+--------
+
+- docker_compose_v2 - when using Compose 2.31.0 or newer, revert to the old behavior that image rebuilds, for example if ``rebuild=always``, only result in ``changed`` if a container has been restarted (https://github.com/ansible-collections/community.docker/issues/1005, https://github.com/ansible-collections/community.docker/issues/pull/1011).
+- docker_image_build - work around bug resp. very unexpected behavior in Docker buildx that overwrites all image names in ``--output`` parameters if ``--tag`` is provided, which the module did by default in the past. The module now only supplies ``--tag`` if ``outputs`` is empty. If ``outputs`` has entries, it will add an additional entry with ``type=image`` if no entry of ``type=image`` contains the image name specified by the ``name`` and ``tag`` options (https://github.com/ansible-collections/community.docker/issues/1001, https://github.com/ansible-collections/community.docker/pull/1006).
+- docker_network - added waiting while container actually disconnect from Swarm network (https://github.com/ansible-collections/community.docker/pull/999).
+- docker_network - containers are only reconnected to a network if they really exist (https://github.com/ansible-collections/community.docker/pull/999).
+- docker_network - enabled "force" option in Docker network container disconnect API call (https://github.com/ansible-collections/community.docker/pull/999).
+- docker_swarm_info - do not crash when finding Swarm jobs if ``services=true`` (https://github.com/ansible-collections/community.docker/issues/1003).
+
+v4.1.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_stack - allow to add ``--detach=false`` option to ``docker stack deploy`` command (https://github.com/ansible-collections/community.docker/pull/987).
+
+Bugfixes
+--------
+
+- docker_compose_v2_exec, docker_compose_v2_run - fix missing ``--env`` flag while assembling env arguments (https://github.com/ansible-collections/community.docker/pull/992).
+- docker_host_info - ensure that the module always returns ``can_talk_to_docker``, and that it provides the correct value even if ``api_version`` is specified (https://github.com/ansible-collections/community.docker/issues/993, https://github.com/ansible-collections/community.docker/pull/995).
+
+v4.0.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2_run - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_config - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_network - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_node - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_secret - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_swarm - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_swarm_service - make sure to sanitize ``labels`` and ``container_labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+- docker_volume - make sure to sanitize ``labels`` before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+
+v4.0.0
+======
+
+Release Summary
+---------------
+
+Major release with removed deprecated features.
+
+Minor Changes
+-------------
+
+- docker_compose_v2 - add ``renew_anon_volumes`` parameter for ``docker compose up`` (https://github.com/ansible-collections/community.docker/pull/977).
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- docker_container - the default of ``image_name_mismatch`` changed from ``ignore`` to ``recreate`` (https://github.com/ansible-collections/community.docker/pull/971).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- The collection no longer supports ansible-core 2.11, 2.12, 2.13, and 2.14. You need ansible-core 2.15.0 or newer to use community.docker 4.x.y (https://github.com/ansible-collections/community.docker/pull/971).
+- The docker_compose module has been removed. Please migrate to community.docker.docker_compose_v2 (https://github.com/ansible-collections/community.docker/pull/971).
+- docker_container - the ``ignore_image`` option has been removed. Use ``image: ignore`` in ``comparisons`` instead (https://github.com/ansible-collections/community.docker/pull/971).
+- docker_container - the ``purge_networks`` option has been removed. Use ``networks: strict`` in ``comparisons`` instead and make sure that ``networks`` is specified (https://github.com/ansible-collections/community.docker/pull/971).
+- various modules and plugins - remove the ``ssl_version`` option (https://github.com/ansible-collections/community.docker/pull/971).
+
+v3.13.1
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose_v2 - improve parsing of dry-run image build operations from JSON events (https://github.com/ansible-collections/community.docker/issues/975, https://github.com/ansible-collections/community.docker/pull/976).
+
+v3.13.0
+=======
+
+Release Summary
+---------------
+
+Feature release.
+
+New Modules
+-----------
+
+- community.docker.docker_compose_v2_exec - Run command in a container of a Compose service.
+- community.docker.docker_compose_v2_run - Run command in a new container of a Compose service.
+
+v3.12.2
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_prune - fix handling of lists for the filter options (https://github.com/ansible-collections/community.docker/issues/961, https://github.com/ansible-collections/community.docker/pull/966).
+
+v3.12.1
+=======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation and changelog.
+
+Deprecated Features
+-------------------
+
+- The collection deprecates support for all ansible-core versions that are currently End of Life, `according to the ansible-core support matrix <https://docs.ansible.com/ansible-core/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix>`__. This means that the next major release of the collection will no longer support ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14.
+
+v3.12.0
+=======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker, docker_api connection plugins - allow to determine the working directory when executing commands with the new ``working_dir`` option (https://github.com/ansible-collections/community.docker/pull/943).
+- docker, docker_api connection plugins - allow to execute commands with extended privileges with the new ``privileges`` option (https://github.com/ansible-collections/community.docker/pull/943).
+- docker, docker_api connection plugins - allow to pass extra environment variables when executing commands with the new ``extra_env`` option (https://github.com/ansible-collections/community.docker/issues/937, https://github.com/ansible-collections/community.docker/pull/940).
+- docker_compose_v2* modules - support Docker Compose 2.29.0's ``json`` progress writer to avoid having to parse text output (https://github.com/ansible-collections/community.docker/pull/931).
+- docker_compose_v2_pull - add new options ``ignore_buildable``, ``include_deps``, and ``services`` (https://github.com/ansible-collections/community.docker/issues/941, https://github.com/ansible-collections/community.docker/pull/942).
+- docker_container - when creating a container, directly pass all networks to connect to to the Docker Daemon for API version 1.44 and newer. This makes creation more efficient and works around a bug in Docker Daemon that does not use the specified MAC address in at least some cases, though only for creation (https://github.com/ansible-collections/community.docker/pull/933).
+
+Bugfixes
+--------
+
+- docker_compose_v2 - handle yet another random unstructured error output from pre-2.29.0 Compose versions (https://github.com/ansible-collections/community.docker/issues/948, https://github.com/ansible-collections/community.docker/pull/949).
+- docker_compose_v2 - make sure that services provided in ``services`` are appended to the command line after ``--`` and not before it (https://github.com/ansible-collections/community.docker/pull/942).
+- docker_compose_v2* modules, docker_image_build - provide better error message when required fields are not present in ``docker version`` or ``docker info`` output. This can happen if Podman is used instead of Docker (https://github.com/ansible-collections/community.docker/issues/891, https://github.com/ansible-collections/community.docker/pull/935).
+- docker_container - fix idempotency if ``network_mode=default`` and Docker 26.1.0 or later is used. There was a breaking change in Docker 26.1.0 regarding normalization of ``NetworkMode`` (https://github.com/ansible-collections/community.docker/issues/934, https://github.com/ansible-collections/community.docker/pull/936).
+- docker_container - restore behavior of the module from community.docker 2.x.y that passes the first network to the Docker Deamon while creating the container (https://github.com/ansible-collections/community.docker/pull/933).
+- docker_image_build - fix ``--output`` parameter composition for ``type=docker`` and ``type=image`` (https://github.com/ansible-collections/community.docker/issues/946, https://github.com/ansible-collections/community.docker/pull/947).
+
+Known Issues
+------------
+
+- docker_container - when specifying a MAC address for a container's network, and the network is attached after container creation (for example, due to idempotency checks), the MAC address is at least in some cases ignored by the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/933).
+
+v3.11.0
+=======
+
+Minor Changes
+-------------
+
+- docker_container - add support for ``device_cgroup_rules`` (https://github.com/ansible-collections/community.docker/pull/910).
+- docker_container - the new ``state=healthy`` allows to wait for a container to become healthy on startup. The ``healthy_wait_timeout`` option allows to configure the maximum time to wait for this to happen (https://github.com/ansible-collections/community.docker/issues/890, https://github.com/ansible-collections/community.docker/pull/921).
+
+Bugfixes
+--------
+
+- docker_compose_v2* modules - fix parsing of skipped pull messages for Docker Compose 2.28.x (https://github.com/ansible-collections/community.docker/issues/911, https://github.com/ansible-collections/community.docker/pull/916).
+- docker_compose_v2*, docker_stack*, docker_image_build modules - using ``cli_context`` no longer leads to an invalid parameter combination being passed to the corresponding Docker CLI tool, unless ``docker_host`` is also provided. Combining ``cli_context`` and ``docker_host`` is no longer allowed (https://github.com/ansible-collections/community.docker/issues/892, https://github.com/ansible-collections/community.docker/pull/895).
+- docker_container - fix possible infinite loop if ``removal_wait_timeout`` is set (https://github.com/ansible-collections/community.docker/pull/922).
+- vendored Docker SDK for Python - use ``LooseVersion`` instead of ``StrictVersion`` to compare urllib3 versions. This is needed for development versions (https://github.com/ansible-collections/community.docker/pull/902).
+
+v3.10.4
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose - make sure that the module uses the ``api_version`` parameter (https://github.com/ansible-collections/community.docker/pull/881).
+- docker_compose_v2* modules - there was no check to make sure that one of ``project_src`` and ``definition`` is provided. The modules crashed if none were provided (https://github.com/ansible-collections/community.docker/issues/885, https://github.com/ansible-collections/community.docker/pull/886).
+
+v3.10.3
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker and nsenter connection plugins, docker_container_exec module - avoid using the deprecated ``ansible.module_utils.compat.selectors`` module util with Python 3 (https://github.com/ansible-collections/community.docker/issues/870, https://github.com/ansible-collections/community.docker/pull/871).
+
+v3.10.2
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- vendored Docker SDK for Python - include a fix requests 2.32.2+ compatibility (https://github.com/ansible-collections/community.docker/issues/860, https://github.com/psf/requests/issues/6707, https://github.com/ansible-collections/community.docker/pull/864).
+
+v3.10.1
+=======
+
+Release Summary
+---------------
+
+Hotfix release for requests 2.32.0 compatibility.
+
+Bugfixes
+--------
+
+- vendored Docker SDK for Python - include a hotfix for requests 2.32.0 compatibility (https://github.com/ansible-collections/community.docker/issues/860, https://github.com/docker/docker-py/issues/3256, https://github.com/ansible-collections/community.docker/pull/861).
+
+Known Issues
+------------
+
+- Please note that the fix for requests 2.32.0 included in community.docker 3.10.1 only
+  fixes problems with the *vendored* Docker SDK for Python code. Modules and plugins that
+  use Docker SDK for Python can still fail due to the SDK currently being incompatible
+  with requests 2.32.0.
+
+  If you still experience problems with requests 2.32.0, such as error messages like
+  ``Not supported URL scheme http+docker``, please restrict requests to ``<2.32.0``.
+
+v3.10.0
+=======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- docker_container - adds ``healthcheck.start_interval`` to support healthcheck start interval setting on containers (https://github.com/ansible-collections/community.docker/pull/848).
+- docker_container - adds ``healthcheck.test_cli_compatible`` to allow omit test option on containers without remove existing image test (https://github.com/ansible-collections/community.docker/pull/847).
+- docker_image_build - add ``outputs`` option to allow configuring outputs for the build (https://github.com/ansible-collections/community.docker/pull/852).
+- docker_image_build - add ``secrets`` option to allow passing secrets to the build (https://github.com/ansible-collections/community.docker/pull/852).
+- docker_image_build - allow ``platform`` to be a list of platforms instead of only a single platform for multi-platform builds (https://github.com/ansible-collections/community.docker/pull/852).
+- docker_network - adds ``config_only`` and ``config_from`` to support creating and using config only networks (https://github.com/ansible-collections/community.docker/issues/395).
+- docker_prune - add new options ``builder_cache_all``, ``builder_cache_filters``, and ``builder_cache_keep_storage``, and a new return value ``builder_cache_caches_deleted`` for pruning build caches (https://github.com/ansible-collections/community.docker/issues/844, https://github.com/ansible-collections/community.docker/issues/845).
+- docker_swarm_service - adds ``sysctls`` to support sysctl settings on swarm services (https://github.com/ansible-collections/community.docker/issues/190).
+
+Deprecated Features
+-------------------
+
+- docker_compose - the Docker Compose v1 module is deprecated and will be removed from community.docker 4.0.0. Please migrate to the ``community.docker.docker_compose_v2`` module, which works with Docker Compose v2 (https://github.com/ansible-collections/community.docker/issues/823, https://github.com/ansible-collections/community.docker/pull/833).
+- various modules and plugins - the ``ssl_version`` option has been deprecated and will be removed from community.docker 4.0.0. It has already been removed from Docker SDK for Python 7.0.0, and was only necessary in the past to work around SSL/TLS issues (https://github.com/ansible-collections/community.docker/pull/853).
+
+v3.9.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- The EE requirements now include PyYAML, since the ``docker_compose_v2*`` modules depend on it when the ``definition`` option is used. This should not have a noticable effect on generated EEs since ansible-core itself depends on PyYAML as well, and ansible-builder explicitly ignores this dependency (https://github.com/ansible-collections/community.docker/pull/832).
+- docker_compose_v2* - the new option ``check_files_existing`` allows to disable the check for one of the files ``compose.yaml``, ``compose.yml``, ``docker-compose.yaml``, and ``docker-compose.yml`` in ``project_src`` if ``files`` is not specified. This is necessary if a non-standard compose filename is specified through other means, like the ``COMPOSE_FILE`` environment variable (https://github.com/ansible-collections/community.docker/issues/838, https://github.com/ansible-collections/community.docker/pull/839).
+- docker_compose_v2* modules - allow to provide an inline definition of the compose content instead of having to provide a ``project_src`` directory with the compose file written into it (https://github.com/ansible-collections/community.docker/issues/829, https://github.com/ansible-collections/community.docker/pull/832).
+- vendored Docker SDK for Python - remove unused code that relies on functionality deprecated in Python 3.12 (https://github.com/ansible-collections/community.docker/pull/834).
+
+Bugfixes
+--------
+
+- docker_compose_v2* - allow ``project_src`` to be a relative path, by converting it to an absolute path before using it (https://github.com/ansible-collections/community.docker/issues/827, https://github.com/ansible-collections/community.docker/pull/828).
+- docker_compose_v2* modules - abort with a nice error message instead of crash when the Docker Compose CLI plugin version is ``dev`` (https://github.com/ansible-collections/community.docker/issues/825, https://github.com/ansible-collections/community.docker/pull/826).
+- inventory plugins - add unsafe wrapper to avoid marking strings that do not contain ``{`` or ``}`` as unsafe, to work around a bug in AWX (https://github.com/ansible-collections/community.docker/pull/835).
+
+v3.8.1
+======
+
+Release Summary
+---------------
+
+Bugfix release
+
+Security Fixes
+--------------
+
+- docker_containers, docker_machine, and docker_swarm inventory plugins - make sure all data received from the Docker daemon / Docker machine is marked as unsafe, so remote code execution by obtaining texts that can be evaluated as templates is not possible (https://www.die-welt.net/2024/03/remote-code-execution-in-ansible-dynamic-inventory-plugins/, https://github.com/ansible-collections/community.docker/pull/815).
+
+Bugfixes
+--------
+
+- docker_compose_v2 - do not fail when non-fatal errors occur. This can happen when pulling an image fails, but then the image can be built for another service. Docker Compose emits an error in that case, but ``docker compose up`` still completes successfully (https://github.com/ansible-collections/community.docker/issues/807, https://github.com/ansible-collections/community.docker/pull/810, https://github.com/ansible-collections/community.docker/pull/811).
+- docker_compose_v2* modules - correctly parse ``Warning`` events emitted by Docker Compose (https://github.com/ansible-collections/community.docker/issues/807, https://github.com/ansible-collections/community.docker/pull/811).
+- docker_compose_v2* modules - parse ``logfmt`` warnings emitted by Docker Compose (https://github.com/ansible-collections/community.docker/issues/787, https://github.com/ansible-collections/community.docker/pull/811).
+- docker_compose_v2_pull - fixing idempotence by checking actual pull progress events instead of service-level pull request when ``policy=always``. This stops the module from reporting ``changed=true`` if no actual change happened when pulling. In check mode, it has to assume that a change happens though (https://github.com/ansible-collections/community.docker/issues/813, https://github.com/ansible-collections/community.docker/pull/814).
+
+v3.8.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_compose_v2 - allow to wait until containers are running/health when running ``docker compose up`` with the new ``wait`` option (https://github.com/ansible-collections/community.docker/issues/794, https://github.com/ansible-collections/community.docker/pull/796).
+- docker_container - the ``pull_check_mode_behavior`` option now allows to control the module's behavior in check mode when ``pull=always`` (https://github.com/ansible-collections/community.docker/issues/792, https://github.com/ansible-collections/community.docker/pull/797).
+- docker_container - the ``pull`` option now accepts the three values ``never``, ``missing_image`` (default), and ``never``, next to the previously valid values ``true`` (equivalent to ``always``) and ``false`` (equivalent to ``missing_image``). This allows the equivalent to ``--pull=never`` from the Docker command line (https://github.com/ansible-collections/community.docker/issues/783, https://github.com/ansible-collections/community.docker/pull/797).
+
+Bugfixes
+--------
+
+- docker_compose_v2 - do not consider a ``Waiting`` event as an action/change (https://github.com/ansible-collections/community.docker/pull/804).
+- docker_compose_v2 - do not treat service-level pull events as changes to avoid incorrect ``changed=true`` return value of ``pull=always`` (https://github.com/ansible-collections/community.docker/issues/802, https://github.com/ansible-collections/community.docker/pull/803).
+- docker_compose_v2, docker_compose_v2_pull - fix parsing of pull messages for Docker Compose 2.20.0 (https://github.com/ansible-collections/community.docker/issues/785, https://github.com/ansible-collections/community.docker/pull/786).
+
+v3.7.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_compose_v2 - add ``scale`` option to allow to explicitly scale services (https://github.com/ansible-collections/community.docker/pull/776).
+- docker_compose_v2, docker_compose_v2_pull - support ``files`` parameter to specify multiple Compose files (https://github.com/ansible-collections/community.docker/issues/772, https://github.com/ansible-collections/community.docker/pull/775).
+
+Bugfixes
+--------
+
+- docker_compose_v2 - properly parse dry-run build events from ``stderr`` (https://github.com/ansible-collections/community.docker/issues/778, https://github.com/ansible-collections/community.docker/pull/779).
+- docker_compose_v2_pull - the module was documented as part of the ``community.docker.docker`` action group, but was not actually part of it. That has now been fixed (https://github.com/ansible-collections/community.docker/pull/773).
+
+New Modules
+-----------
+
+- community.docker.docker_image_export - Export (archive) Docker images
+
+v3.6.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+The collection now includes a bunch of new ``docker_image_*`` modules that move features out of the
+rather complex ``docker_image`` module. These new modules are easier to use and can better declare whether
+they support check mode, diff mode, or none of them.
+
+This version also features modules that support the Docker CLI plugins ``buildx`` and ``compose``.
+The ``docker_image_build`` module uses the ``docker buildx`` command under the hood, and the ``docker_compose_v2``
+and ``docker_compose_v2_pull`` modules uses the ``docker compose`` command. All these modules use the Docker CLI
+instead of directly talking to the API. The modules support mostly the same interface as the API based modules,
+so the main difference is that instead of some Python requirements, they depend on the Docker CLI tool ``docker``.
+
+Major Changes
+-------------
+
+- The ``community.docker`` collection now depends on the ``community.library_inventory_filtering_v1`` collection. This utility collection provides host filtering functionality for inventory plugins. If you use the Ansible community package, both collections are included and you do not have to do anything special. If you install the collection with ``ansible-galaxy collection install``, it will be installed automatically. If you install the collection by copying the files of the collection to a place where ansible-core can find it, for example by cloning the git repository, you need to make sure that you also have to install the dependency if you are using the inventory plugins (https://github.com/ansible-collections/community.docker/pull/698).
+
+Minor Changes
+-------------
+
+- The ``ca_cert`` option available to almost all modules and plugins has been renamed to ``ca_path``. The name ``ca_path`` is also used for similar options in ansible-core and other collections. The old name has been added as an alias and can still be used (https://github.com/ansible-collections/community.docker/pull/744).
+- The ``docker_stack*`` modules now use the common CLI-based module code added for the ``docker_image_build`` and ``docker_compose_v2`` modules. This means that the modules now have various more configuration options with respect to talking to the Docker Daemon, and now also are part of the ``community.docker.docker`` and ``docker`` module default groups (https://github.com/ansible-collections/community.docker/pull/745).
+- docker_container - add ``networks[].mac_address`` option for Docker API 1.44+. Note that Docker API 1.44 no longer uses the global ``mac_address`` option, this new option is the only way to set the MAC address for a container (https://github.com/ansible-collections/community.docker/pull/763).
+- docker_image - allow to specify labels and ``/dev/shm`` size when building images (https://github.com/ansible-collections/community.docker/issues/726, https://github.com/ansible-collections/community.docker/pull/727).
+- docker_image - allow to specify memory size and swap memory size in other units than bytes (https://github.com/ansible-collections/community.docker/pull/727).
+- inventory plugins - add ``filter`` option which allows to include and exclude hosts based on Jinja2 conditions (https://github.com/ansible-collections/community.docker/pull/698, https://github.com/ansible-collections/community.docker/issues/610).
+
+Bugfixes
+--------
+
+- Use ``unix:///var/run/docker.sock`` instead of the legacy ``unix://var/run/docker.sock`` as default for ``docker_host`` (https://github.com/ansible-collections/community.docker/pull/736).
+- docker_image - fix archiving idempotency with Docker API 1.44 or later (https://github.com/ansible-collections/community.docker/pull/765).
+
+New Modules
+-----------
+
+- community.docker.docker_compose_v2 - Manage multi-container Docker applications with Docker Compose CLI plugin
+- community.docker.docker_compose_v2_pull - Pull a Docker compose project
+- community.docker.docker_image_build - Build Docker images using Docker buildx
+- community.docker.docker_image_pull - Pull Docker images from registries
+- community.docker.docker_image_push - Push Docker images to registries
+- community.docker.docker_image_remove - Remove Docker images
+- community.docker.docker_image_tag - Tag Docker images with new names and/or tags
+
+v3.5.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_container - implement better ``platform`` string comparisons to improve idempotency (https://github.com/ansible-collections/community.docker/issues/654, https://github.com/ansible-collections/community.docker/pull/705).
+- docker_container - internal refactorings which allow comparisons to use more information like details of the current image or the Docker host config (https://github.com/ansible-collections/community.docker/pull/713).
+
+Deprecated Features
+-------------------
+
+- docker_container - the default ``ignore`` for the ``image_name_mismatch`` parameter has been deprecated and will switch to ``recreate`` in community.docker 4.0.0. A deprecation warning will be printed in situations where the default value is used and where a behavior would change once the default changes (https://github.com/ansible-collections/community.docker/pull/703).
+
+Bugfixes
+--------
+
+- modules and plugins using the Docker SDK for Python - remove ``ssl_version`` from the parameters passed to Docker SDK for Python 7.0.0+. Explicitly fail with a nicer error message if it was explicitly set in this case (https://github.com/ansible-collections/community.docker/pull/715).
+- modules and plugins using the Docker SDK for Python - remove ``tls_hostname`` from the parameters passed to Docker SDK for Python 7.0.0+. Explicitly fail with a nicer error message if it was explicitly set in this case (https://github.com/ansible-collections/community.docker/pull/721).
+- vendored Docker SDK for Python - avoid passing on ``ssl_version`` and ``tls_hostname`` if they were not provided by the user. Remove dead code. (https://github.com/ansible-collections/community.docker/pull/722).
+
+v3.4.11
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_volume - fix crash caused by accessing an empty dictionary. The ``has_different_config()`` was raising an ``AttributeError`` because the ``self.existing_volume["Labels"]`` dictionary was ``None`` (https://github.com/ansible-collections/community.docker/pull/702).
+
+v3.4.10
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_swarm - make init and join operations work again with Docker SDK for Python before 4.0.0 (https://github.com/ansible-collections/community.docker/issues/695, https://github.com/ansible-collections/community.docker/pull/696).
+
+v3.4.9
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation and vendored Docker SDK for Python code.
+
+Bugfixes
+--------
+
+- vendored Docker SDK for Python code - cherry-pick changes from the Docker SDK for Python code to align code. These changes should not affect the parts used by the collection's code (https://github.com/ansible-collections/community.docker/pull/694).
+
+v3.4.8
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation.
+
+From this version on, community.docker is using the new `Ansible semantic markup
+<https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+in its documentation. If you look at documentation with the ansible-doc CLI tool
+from ansible-core before 2.15, please note that it does not render the markup
+correctly. You should be still able to read it in most cases, but you need
+ansible-core 2.15 or later to see it as it is intended. Alternatively you can
+look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/docker/>`__
+for the rendered HTML version of the documentation of the latest release.
+
+Known Issues
+------------
+
+- Ansible markup will show up in raw form on ansible-doc text output for ansible-core before 2.15. If you have trouble deciphering the documentation markup, please upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on https://docs.ansible.com/ansible/devel/collections/community/docker/.
+
+v3.4.7
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_swarm_info - if ``service=true`` is used, do not crash when a service without an endpoint spec is encountered (https://github.com/ansible-collections/community.docker/issues/636, https://github.com/ansible-collections/community.docker/pull/637).
+
+v3.4.6
+======
+
+Release Summary
+---------------
+
+Bugfix release with documentation warnings about using certain functionality when connecting to the Docker daemon with TCP TLS.
+
+Bugfixes
+--------
+
+- socket_handler module utils - make sure this fully works when Docker SDK for Python is not available (https://github.com/ansible-collections/community.docker/pull/620).
+- vendored Docker SDK for Python code - fix for errors on pipe close in Windows (https://github.com/ansible-collections/community.docker/pull/619).
+- vendored Docker SDK for Python code - respect timeouts on Windows named pipes (https://github.com/ansible-collections/community.docker/pull/619).
+- vendored Docker SDK for Python code - use ``poll()`` instead of ``select()`` except on Windows (https://github.com/ansible-collections/community.docker/pull/619).
+
+Known Issues
+------------
+
+- docker_api connection plugin - does **not work with TCP TLS sockets**! This is caused by the inability to send an ``close_notify`` TLS alert without closing the connection with Python's ``SSLSocket`` (https://github.com/ansible-collections/community.docker/issues/605, https://github.com/ansible-collections/community.docker/pull/621).
+- docker_container_exec - does **not work with TCP TLS sockets** when the ``stdin`` option is used! This is caused by the inability to send an ``close_notify`` TLS alert without closing the connection with Python's ``SSLSocket`` (https://github.com/ansible-collections/community.docker/issues/605, https://github.com/ansible-collections/community.docker/pull/621).
+
+v3.4.5
+======
+
+Release Summary
+---------------
+
+Maintenance release which adds compatibility with requests 2.29.0 and 2.30.0 and urllib3 2.0.
+
+Bugfixes
+--------
+
+- Make vendored Docker SDK for Python code compatible with requests 2.29.0 and urllib3 2.0 (https://github.com/ansible-collections/community.docker/pull/613).
+
+v3.4.4
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated EE requirements and updated documentation.
+
+Minor Changes
+-------------
+
+- Restrict requests to versions before 2.29.0, and urllib3 to versions before 2.0.0. This is necessary until the vendored code from Docker SDK for Python has been fully adjusted to work with a feature of urllib3 that is used since requests 2.29.0 (https://github.com/ansible-collections/community.docker/issues/611, https://github.com/ansible-collections/community.docker/pull/612).
+
+Known Issues
+------------
+
+- The modules and plugins using the vendored code from Docker SDK for Python currently do not work with requests 2.29.0 and/or urllib3 2.0.0. The same is currently true for the latest version of Docker SDK for Python itself (https://github.com/ansible-collections/community.docker/issues/611, https://github.com/ansible-collections/community.docker/pull/612).
+
+v3.4.3
+======
+
+Release Summary
+---------------
+
+Maintenance release with improved documentation.
+
+v3.4.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_prune - return correct value for ``changed``. So far the module always claimed that nothing changed (https://github.com/ansible-collections/community.docker/pull/593).
+
+v3.4.1
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- docker_api connection plugin, docker_container_exec, docker_container_copy_into - properly close socket to Daemon after executing commands in containers (https://github.com/ansible-collections/community.docker/pull/582).
+- docker_container - fix ``tmfs_size`` and ``tmpfs_mode`` not being set (https://github.com/ansible-collections/community.docker/pull/580).
+- various plugins and modules - remove unnecessary imports (https://github.com/ansible-collections/community.docker/pull/574).
+
+v3.4.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_api connection plugin - when copying files to/from a container, stream the file contents instead of first reading them to memory (https://github.com/ansible-collections/community.docker/pull/545).
+- docker_host_info - allow to list all containers with new option ``containers_all`` (https://github.com/ansible-collections/community.docker/issues/535, https://github.com/ansible-collections/community.docker/pull/538).
+
+Bugfixes
+--------
+
+- docker_api connection plugin - fix error handling when 409 Conflict is returned by the Docker daemon in case of a stopped container (https://github.com/ansible-collections/community.docker/pull/546).
+- docker_container_exec - fix error handling when 409 Conflict is returned by the Docker daemon in case of a stopped container (https://github.com/ansible-collections/community.docker/pull/546).
+- docker_plugin - do not crash if plugin is installed in check mode (https://github.com/ansible-collections/community.docker/issues/552, https://github.com/ansible-collections/community.docker/pull/553).
+- most modules - fix handling of ``DOCKER_TIMEOUT`` environment variable, and improve handling of other fallback environment variables (https://github.com/ansible-collections/community.docker/issues/551, https://github.com/ansible-collections/community.docker/pull/554).
+
+New Modules
+-----------
+
+- community.docker.docker_container_copy_into - Copy a file into a Docker container
+
+v3.3.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_container - when ``detach=false``, wait indefinitely and not at most one minute. This was the behavior with Docker SDK for Python, and was accidentally changed in 3.0.0 (https://github.com/ansible-collections/community.docker/issues/526, https://github.com/ansible-collections/community.docker/pull/527).
+
+v3.3.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- current_container_facts - make container detection work better in more cases (https://github.com/ansible-collections/community.docker/pull/522).
+
+v3.3.0
+======
+
+Release Summary
+---------------
+
+Feature and bugfix release.
+
+Minor Changes
+-------------
+
+- current_container_facts - make work with current Docker version, also support Podman (https://github.com/ansible-collections/community.docker/pull/510).
+- docker_image - when using ``archive_path``, detect whether changes are necessary based on the image ID (hash). If the existing tar archive matches the source, do nothing. Previously, each task execution re-created the archive (https://github.com/ansible-collections/community.docker/pull/500).
+
+Bugfixes
+--------
+
+- docker_container_exec - fix ``chdir`` option which was ignored since community.docker 3.0.0 (https://github.com/ansible-collections/community.docker/issues/517, https://github.com/ansible-collections/community.docker/pull/518).
+- vendored latest Docker SDK for Python bugfix (https://github.com/ansible-collections/community.docker/pull/513, https://github.com/docker/docker-py/issues/3045).
+
+v3.2.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_container - the ``kill_signal`` option erroneously did not accept strings anymore since 3.0.0 (https://github.com/ansible-collections/community.docker/issues/505, https://github.com/ansible-collections/community.docker/pull/506).
+
+v3.2.1
+======
+
+Release Summary
+---------------
+
+Maintenance release with improved documentation.
+
+v3.2.0
+======
+
+Release Summary
+---------------
+
+Feature and deprecation release.
+
+Minor Changes
+-------------
+
+- docker_container - added ``image_name_mismatch`` option which allows to control the behavior if the container uses the image specified, but the container's configuration uses a different name for the image than the one provided to the module (https://github.com/ansible-collections/community.docker/issues/485, https://github.com/ansible-collections/community.docker/pull/488).
+
+Deprecated Features
+-------------------
+
+- docker_container - the ``ignore_image`` option is deprecated and will be removed in community.docker 4.0.0. Use ``image: ignore`` in ``comparisons`` instead (https://github.com/ansible-collections/community.docker/pull/487).
+- docker_container - the ``purge_networks`` option is deprecated and will be removed in community.docker 4.0.0. Use ``networks: strict`` in ``comparisons`` instead, and make sure to provide ``networks``, with value ``[]`` if all networks should be removed (https://github.com/ansible-collections/community.docker/pull/487).
+
+v3.1.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- The collection repository conforms to the `REUSE specification <https://reuse.software/spec/>`__ except for the changelog fragments (https://github.com/ansible-collections/community.docker/pull/462).
+- docker_swarm - allows usage of the ``data_path_port`` parameter when initializing a swarm (https://github.com/ansible-collections/community.docker/issues/296).
+
+v3.0.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_image - fix build argument handling (https://github.com/ansible-collections/community.docker/issues/455, https://github.com/ansible-collections/community.docker/pull/456).
+
+v3.0.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_container - fix handling of ``env_file`` (https://github.com/ansible-collections/community.docker/issues/451, https://github.com/ansible-collections/community.docker/pull/452).
+
+v3.0.0
+======
+
+Release Summary
+---------------
+
+The 3.0.0 release features a rewrite of the ``docker_container`` module, and many modules and plugins no longer depend on the Docker SDK for Python.
+
+Major Changes
+-------------
+
+- The collection now contains vendored code from the Docker SDK for Python to talk to the Docker daemon. Modules and plugins using this code no longer need the Docker SDK for Python installed on the machine the module or plugin is running on (https://github.com/ansible-collections/community.docker/pull/398).
+- docker_api connection plugin - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/414).
+- docker_container - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container - the module was completely rewritten from scratch (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container_exec - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/401).
+- docker_container_info - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/402).
+- docker_containers inventory plugin - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/413).
+- docker_host_info - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/403).
+- docker_image - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/404).
+- docker_image_info - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/405).
+- docker_image_load - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/406).
+- docker_login - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/407).
+- docker_network - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/408).
+- docker_network_info - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/409).
+- docker_plugin - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/429).
+- docker_prune - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/410).
+- docker_volume - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/411).
+- docker_volume_info - no longer uses the Docker SDK for Python. It requires ``requests`` to be installed, and depending on the features used has some more requirements. If the Docker SDK for Python is installed, these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/412).
+
+Minor Changes
+-------------
+
+- All software licenses are now in the ``LICENSES/`` directory of the collection root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable license for every file that is not automatically generated (https://github.com/ansible-collections/community.docker/pull/430).
+- Remove vendored copy of ``distutils.version`` in favor of vendored copy included with ansible-core 2.12+. For ansible-core 2.11, uses ``distutils.version`` for Python < 3.12. There is no support for ansible-core 2.11 with Python 3.12+ (https://github.com/ansible-collections/community.docker/pull/271).
+- docker_container - add a new parameter ``image_comparison`` to control the behavior for which image will be used for idempotency checks (https://github.com/ansible-collections/community.docker/issues/421, https://github.com/ansible-collections/community.docker/pull/428).
+- docker_container - add support for ``cgroupns_mode`` (https://github.com/ansible-collections/community.docker/issues/338, https://github.com/ansible-collections/community.docker/pull/427).
+- docker_container - allow to specify ``platform`` (https://github.com/ansible-collections/community.docker/issues/123, https://github.com/ansible-collections/community.docker/pull/426).
+- modules and plugins communicating directly with the Docker daemon - improve default TLS version selection for Python 3.6 and newer. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+- modules and plugins communicating directly with the Docker daemon - simplify use of helper function that was removed in Docker SDK for Python to find executables (https://github.com/ansible-collections/community.docker/pull/438).
+- socker_handler and socket_helper module utils - improve Python forward compatibility, create helper functions for file blocking/unblocking (https://github.com/ansible-collections/community.docker/pull/415).
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- This collection does not work with ansible-core 2.11 on Python 3.12+. Please either upgrade to ansible-core 2.12+, or use Python 3.11 or earlier (https://github.com/ansible-collections/community.docker/pull/271).
+- docker_container - ``exposed_ports`` is no longer ignored in ``comparisons``. Before, its value was assumed to be identical with the value of ``published_ports`` (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container - ``log_options`` can no longer be specified when ``log_driver`` is not specified (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container - ``publish_all_ports`` is no longer ignored in ``comparisons`` (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container - ``restart_retries`` can no longer be specified when ``restart_policy`` is not specified (https://github.com/ansible-collections/community.docker/pull/422).
+- docker_container - ``stop_timeout`` is no longer ignored for idempotency if told to be not ignored in ``comparisons``. So far it defaulted to ``ignore`` there, and setting it to ``strict`` had no effect (https://github.com/ansible-collections/community.docker/pull/422).
+- modules and plugins communicating directly with the Docker daemon - when connecting by SSH and not using ``use_ssh_client=true``, reject unknown host keys instead of accepting them. This is only a breaking change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- Execution Environments built with community.docker no longer include docker-compose < 2.0.0. If you need to use it with the ``docker_compose`` module, please install that requirement manually (https://github.com/ansible-collections/community.docker/pull/400).
+- Support for Ansible 2.9 and ansible-base 2.10 has been removed. If you need support for Ansible 2.9 or ansible-base 2.10, please use community.docker 2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+- Support for Docker API versions 1.20 to 1.24 has been removed. If you need support for these API versions, please use community.docker 2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+- Support for Python 2.6 has been removed. If you need support for Python 2.6, please use community.docker 2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+- Various modules - the default of ``tls_hostname`` (``localhost``) has been removed. If you want to continue using ``localhost``, you need to specify it explicitly (https://github.com/ansible-collections/community.docker/pull/363).
+- docker_container - the ``all`` value is no longer allowed in ``published_ports``. Use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/399).
+- docker_container - the default of ``command_handling`` was changed from ``compatibility`` to ``correct``. Older versions were warning for every invocation of the module when this would result in a change of behavior (https://github.com/ansible-collections/community.docker/pull/399).
+- docker_stack - the return values ``out`` and ``err`` have been removed. Use ``stdout`` and ``stderr`` instead (https://github.com/ansible-collections/community.docker/pull/363).
+
+Security Fixes
+--------------
+
+- modules and plugins communicating directly with the Docker daemon - when connecting by SSH and not using ``use_ssh_client=true``, reject unknown host keys instead of accepting them. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+
+Bugfixes
+--------
+
+- docker_image - when composing the build context, trim trailing whitespace from ``.dockerignore`` entries. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+- docker_plugin - fix crash when handling plugin options (https://github.com/ansible-collections/community.docker/issues/446, https://github.com/ansible-collections/community.docker/pull/447).
+- docker_stack - fix broken string formatting when reporting error in case ``compose`` was containing invalid values (https://github.com/ansible-collections/community.docker/pull/448).
+- modules and plugins communicating directly with the Docker daemon - do not create a subshell for SSH connections when using ``use_ssh_client=true``. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+- modules and plugins communicating directly with the Docker daemon - fix ``ProxyCommand`` handling for SSH connections when not using ``use_ssh_client=true``. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+- modules and plugins communicating directly with the Docker daemon - fix parsing of IPv6 addresses with a port in ``docker_host``. This is only a change relative to older community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+- modules and plugins communicating directly with the Docker daemon - prevent crash when TLS is used (https://github.com/ansible-collections/community.docker/pull/432).
+
+v2.7.0
+======
+
+Release Summary
+---------------
+
+Bugfix and deprecation release. The next 2.x.y releases will only be bugfix releases, the next expect minor/major release will be 3.0.0 with some major changes.
+
+Minor Changes
+-------------
+
+- Move common utility functions from the ``common`` module_util to a new module_util called ``util``. This should not have any user-visible effect (https://github.com/ansible-collections/community.docker/pull/390).
+
+Deprecated Features
+-------------------
+
+- Support for Docker API version 1.20 to 1.24 has been deprecated and will be removed in community.docker 3.0.0. The first Docker version supporting API version 1.25 was Docker 1.13, released in January 2017. This affects the modules ``docker_container``, ``docker_container_exec``, ``docker_container_info``, ``docker_compose``, ``docker_login``, ``docker_image``, ``docker_image_info``, ``docker_image_load``, ``docker_host_info``, ``docker_network``, ``docker_network_info``, ``docker_node_info``, ``docker_swarm_info``, ``docker_swarm_service``, ``docker_swarm_service_info``, ``docker_volume_info``, and ``docker_volume``, whose minimally supported API version is between 1.20 and 1.24 (https://github.com/ansible-collections/community.docker/pull/396).
+- Support for Python 2.6 is deprecated and will be removed in the next major release (community.docker 3.0.0). Some modules might still work with Python 2.6, but we will no longer try to ensure compatibility (https://github.com/ansible-collections/community.docker/pull/388).
+
+Bugfixes
+--------
+
+- Docker SDK for Python based modules and plugins - if the API version is specified as an option, use that one to validate API version requirements of module/plugin options instead of the latest API version supported by the Docker daemon. This also avoids one unnecessary API call per module/plugin (https://github.com/ansible-collections/community.docker/pull/389).
+
+v2.6.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release.
+
+Minor Changes
+-------------
+
+- docker_container - added ``image_label_mismatch`` parameter (https://github.com/ansible-collections/community.docker/issues/314, https://github.com/ansible-collections/community.docker/pull/370).
+
+Deprecated Features
+-------------------
+
+- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.docker 3.0.0). Some modules might still work with these versions afterwards, but we will no longer keep compatibility code that was needed to support them (https://github.com/ansible-collections/community.docker/pull/361).
+- The dependency on docker-compose for Execution Environments is deprecated and will be removed in community.docker 3.0.0. The `Python docker-compose library <https://pypi.org/project/docker-compose/>`__ is unmaintained and can cause dependency issues. You can manually still install it in an Execution Environment when needed (https://github.com/ansible-collections/community.docker/pull/373).
+- Various modules - the default of ``tls_hostname`` that was supposed to be removed in community.docker 2.0.0 will now be removed in version 3.0.0 (https://github.com/ansible-collections/community.docker/pull/362).
+- docker_stack - the return values ``out`` and ``err`` that were supposed to be removed in community.docker 2.0.0 will now be removed in version 3.0.0 (https://github.com/ansible-collections/community.docker/pull/362).
+
+Bugfixes
+--------
+
+- docker_container - fail with a meaningful message instead of crashing if a port is specified with more than three colon-separated parts (https://github.com/ansible-collections/community.docker/pull/367, https://github.com/ansible-collections/community.docker/issues/365).
+- docker_container - remove unused code that will cause problems with Python 3.13 (https://github.com/ansible-collections/community.docker/pull/354).
+
+v2.5.1
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+
+v2.5.0
+======
+
+Release Summary
+---------------
+
+Regular feature release.
+
+Minor Changes
+-------------
+
+- docker_config - add support for ``template_driver`` with one option ``golang`` (https://github.com/ansible-collections/community.docker/issues/332, https://github.com/ansible-collections/community.docker/pull/345).
+- docker_swarm - adds ``data_path_addr`` parameter during swarm initialization or when joining (https://github.com/ansible-collections/community.docker/issues/339).
+
+v2.4.0
+======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- Prepare collection for inclusion in an Execution Environment by declaring its dependencies. The ``docker_stack*`` modules are not supported (https://github.com/ansible-collections/community.docker/pull/336).
+- current_container_facts - add detection for GitHub Actions (https://github.com/ansible-collections/community.docker/pull/336).
+- docker_container - support returning Docker container log output when using Docker's ``local`` logging driver, an optimized local logging driver introduced in Docker 18.09 (https://github.com/ansible-collections/community.docker/pull/337).
+
+Bugfixes
+--------
+
+- docker connection plugin - make sure that ``docker_extra_args`` is used for querying the Docker version. Also ensures that the Docker version is only queried when needed. This is currently the case if a remote user is specified (https://github.com/ansible-collections/community.docker/issues/325, https://github.com/ansible-collections/community.docker/pull/327).
+
+v2.3.0
+======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- docker connection plugin - implement connection reset by clearing internal container user cache (https://github.com/ansible-collections/community.docker/pull/312).
+- docker connection plugin - simplify ``actual_user`` handling code (https://github.com/ansible-collections/community.docker/pull/311).
+- docker connection plugin - the plugin supports new ways to define the timeout. These are the ``ANSIBLE_DOCKER_TIMEOUT`` environment variable, the ``timeout`` setting in the ``docker_connection`` section of ``ansible.cfg``, and the ``ansible_docker_timeout`` variable (https://github.com/ansible-collections/community.docker/pull/297).
+- docker_api connection plugin - implement connection reset by clearing internal container user/group ID cache (https://github.com/ansible-collections/community.docker/pull/312).
+- docker_api connection plugin - the plugin supports new ways to define the timeout. These are the ``ANSIBLE_DOCKER_TIMEOUT`` environment variable, the ``timeout`` setting in the ``docker_connection`` section of ``ansible.cfg``, and the ``ansible_docker_timeout`` variable (https://github.com/ansible-collections/community.docker/pull/308).
+
+Bugfixes
+--------
+
+- docker connection plugin - fix option handling to be compatible with ansible-core 2.13 (https://github.com/ansible-collections/community.docker/pull/297, https://github.com/ansible-collections/community.docker/issues/307).
+- docker_api connection plugin - fix option handling to be compatible with ansible-core 2.13 (https://github.com/ansible-collections/community.docker/pull/308).
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose - fix Python 3 type error when extracting warnings or errors from docker-compose's output (https://github.com/ansible-collections/community.docker/pull/305).
+
+v2.2.0
+======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- docker_config - add support for rolling update, set ``rolling_versions`` to ``true`` to enable (https://github.com/ansible-collections/community.docker/pull/295, https://github.com/ansible-collections/community.docker/issues/109).
+- docker_secret - add support for rolling update, set ``rolling_versions`` to ``true`` to enable (https://github.com/ansible-collections/community.docker/pull/293, https://github.com/ansible-collections/community.docker/issues/21).
+- docker_swarm_service - add support for setting capabilities with the ``cap_add`` and ``cap_drop`` parameters. Usage is the same as with the ``capabilities`` and ``cap_drop`` parameters for ``docker_container`` (https://github.com/ansible-collections/community.docker/pull/294).
+
+Bugfixes
+--------
+
+- docker_container, docker_image - adjust image finding code to peculiarities of ``podman-docker``'s API emulation when Docker short names like ``redis`` are used (https://github.com/ansible-collections/community.docker/issues/292).
+
+v2.1.1
+======
+
+Release Summary
+---------------
+
+Emergency release to amend breaking change in previous release.
+
+Bugfixes
+--------
+
+- Fix unintended breaking change caused by `an earlier fix <https://github.com/ansible-collections/community.docker/pull/258>`_ by vendoring the deprecated Python standard library ``distutils.version`` until this collection stops supporting Ansible 2.9 and ansible-base 2.10 (https://github.com/ansible-collections/community.docker/issues/267, https://github.com/ansible-collections/community.docker/pull/269).
+
+v2.1.0
+======
+
+Release Summary
+---------------
+
+Feature and bugfix release.
+
+Minor Changes
+-------------
+
+- docker_container_exec - add ``detach`` parameter (https://github.com/ansible-collections/community.docker/issues/250, https://github.com/ansible-collections/community.docker/pull/255).
+- docker_container_exec - add ``env`` option (https://github.com/ansible-collections/community.docker/issues/248, https://github.com/ansible-collections/community.docker/pull/254).
+
+Bugfixes
+--------
+
+- Various modules and plugins - use vendored version of ``distutils.version`` included in ansible-core 2.12 if available. This avoids breakage when ``distutils`` is removed from the standard library of Python 3.12. Note that ansible-core 2.11, ansible-base 2.10 and Ansible 2.9 are right now not compatible with Python 3.12, hence this fix does not target these ansible-core/-base/2.9 versions (https://github.com/ansible-collections/community.docker/pull/258).
+- docker connection plugin - replace deprecated ``distutils.spawn.find_executable`` with Ansible's ``get_bin_path`` to find the ``docker`` executable (https://github.com/ansible-collections/community.docker/pull/257).
+- docker_container_exec - disallow using the ``chdir`` option for Docker API before 1.35 (https://github.com/ansible-collections/community.docker/pull/253).
+
+v2.0.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker_api connection plugin - avoid passing an unnecessary argument to a Docker SDK for Python call that is only supported by version 3.0.0 or later (https://github.com/ansible-collections/community.docker/pull/243).
+- docker_container_exec - ``chdir`` is only supported since Docker SDK for Python 3.0.0. Make sure that this option can only use when 3.0.0 or later is installed, and prevent passing this parameter on when ``chdir`` is not provided to this module (https://github.com/ansible-collections/community.docker/pull/243, https://github.com/ansible-collections/community.docker/issues/242).
+- nsenter connection plugin - ensure the ``nsenter_pid`` option is retrieved in ``_connect`` instead of ``__init__`` to prevent a crash due to bad initialization order (https://github.com/ansible-collections/community.docker/pull/249).
+- nsenter connection plugin - replace the use of ``--all-namespaces`` with specific namespaces to support compatibility with Busybox nsenter (used on, for example, Alpine containers) (https://github.com/ansible-collections/community.docker/pull/249).
+
+v2.0.1
+======
+
+Release Summary
+---------------
+
+Maintenance release with some documentation fixes.
+
+v2.0.0
+======
+
+Release Summary
+---------------
+
+New major release with some deprecations removed and a breaking change in the ``docker_compose`` module regarding the ``timeout`` parameter.
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- docker_compose - fixed ``timeout`` defaulting behavior so that ``stop_grace_period``, if defined in the compose file, will be used if ``timeout`` is not specified (https://github.com/ansible-collections/community.docker/pull/163).
+
+Deprecated Features
+-------------------
+
+- docker_container - using the special value ``all`` in ``published_ports`` has been deprecated. Use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/210).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- docker_container - the default value of ``container_default_behavior`` changed to ``no_defaults`` (https://github.com/ansible-collections/community.docker/pull/210).
+- docker_container - the default value of ``network_mode`` is now the name of the first network specified in ``networks`` if such are specified and ``networks_cli_compatible=true`` (https://github.com/ansible-collections/community.docker/pull/210).
+- docker_container - the special value ``all`` can no longer be used in ``published_ports`` next to other values. Please use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/210).
+- docker_login - removed the ``email`` option (https://github.com/ansible-collections/community.docker/pull/210).
+
+v1.10.0
+=======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- Add the modules docker_container_exec, docker_image_load and docker_plugin to the ``docker`` module defaults group (https://github.com/ansible-collections/community.docker/pull/209).
+- docker_config - add option ``data_src`` to read configuration data from target (https://github.com/ansible-collections/community.docker/issues/64, https://github.com/ansible-collections/community.docker/pull/203).
+- docker_secret - add option ``data_src`` to read secret data from target (https://github.com/ansible-collections/community.docker/issues/64, https://github.com/ansible-collections/community.docker/pull/203).
+
+v1.9.1
+======
+
+Release Summary
+---------------
+
+Regular bugfix release.
+
+Bugfixes
+--------
+
+- docker_compose - fixed incorrect ``changed`` status for services with ``profiles`` defined, but none enabled (https://github.com/ansible-collections/community.docker/pull/192).
+
+v1.9.0
+======
+
+Release Summary
+---------------
+
+New bugfixes and features release.
+
+Minor Changes
+-------------
+
+- docker_* modules - include ``ImportError`` traceback when reporting that Docker SDK for Python could not be found (https://github.com/ansible-collections/community.docker/pull/188).
+- docker_compose - added ``env_file`` option for specifying custom environment files (https://github.com/ansible-collections/community.docker/pull/174).
+- docker_container - added ``publish_all_ports`` option to publish all exposed ports to random ports except those explicitly bound with ``published_ports`` (this was already added in community.docker 1.8.0) (https://github.com/ansible-collections/community.docker/pull/162).
+- docker_container - added new ``command_handling`` option with current deprecated default value ``compatibility`` which allows to control how the module handles shell quoting when interpreting lists, and how the module handles empty lists/strings. The default will switch to ``correct`` in community.docker 3.0.0 (https://github.com/ansible-collections/community.docker/pull/186).
+- docker_container - lifted restriction preventing the creation of anonymous volumes with the ``mounts`` option (https://github.com/ansible-collections/community.docker/pull/181).
+
+Deprecated Features
+-------------------
+
+- docker_container - the new ``command_handling``'s default value, ``compatibility``, is deprecated and will change to ``correct`` in community.docker 3.0.0. A deprecation warning is emitted by the module in cases where the behavior will change. Please note that ansible-core will output a deprecation warning only once, so if it is shown for an earlier task, there could be more tasks with this warning where it is not shown (https://github.com/ansible-collections/community.docker/pull/186).
+
+Bugfixes
+--------
+
+- docker_compose - fixes task failures when bringing up services while using ``docker-compose <1.17.0`` (https://github.com/ansible-collections/community.docker/issues/180).
+- docker_container - make sure to also return ``container`` on ``detached=false`` when status code is non-zero (https://github.com/ansible-collections/community.docker/pull/178).
+- docker_stack_info - make sure that module isn't skipped in check mode (https://github.com/ansible-collections/community.docker/pull/183).
+- docker_stack_task_info - make sure that module isn't skipped in check mode (https://github.com/ansible-collections/community.docker/pull/183).
+
+New Plugins
+-----------
+
+Connection
+~~~~~~~~~~
+
+- community.docker.nsenter - execute on host running controller container
+
+v1.8.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+Minor Changes
+-------------
+
+- Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (https://github.com/ansible-collections/community.docker/pull/164).
+- docker_compose - added ``profiles`` option to specify service profiles when starting services (https://github.com/ansible-collections/community.docker/pull/167).
+- docker_containers inventory plugin - when ``connection_type=docker-api``, now pass Docker daemon connection options from inventory plugin to connection plugin. This can be disabled by setting ``configure_docker_daemon=false`` (https://github.com/ansible-collections/community.docker/pull/157).
+- docker_host_info - allow values for keys in ``containers_filters``, ``images_filters``, ``networks_filters``, and ``volumes_filters`` to be passed as YAML lists (https://github.com/ansible-collections/community.docker/pull/160).
+- docker_plugin - added ``alias`` option to specify local names for docker plugins (https://github.com/ansible-collections/community.docker/pull/161).
+
+Bugfixes
+--------
+
+- docker_compose - fix idempotence bug when using ``stopped: true`` (https://github.com/ansible-collections/community.docker/issues/142, https://github.com/ansible-collections/community.docker/pull/159).
+
+v1.7.0
+======
+
+Release Summary
+---------------
+
+Small feature and bugfix release.
+
+Minor Changes
+-------------
+
+- docker_image - allow to tag images by ID (https://github.com/ansible-collections/community.docker/pull/149).
+
+v1.6.1
+======
+
+Release Summary
+---------------
+
+Bugfix release to reduce deprecation warning spam.
+
+Bugfixes
+--------
+
+- docker_* modules and plugins, except ``docker_swarm`` connection plugin and ``docker_compose`` and ``docker_stack*` modules - only emit ``tls_hostname`` deprecation message if TLS is actually used (https://github.com/ansible-collections/community.docker/pull/143).
+
+v1.6.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+Minor Changes
+-------------
+
+- common module utils - correct error messages for guiding to install proper Docker SDK for Python module (https://github.com/ansible-collections/community.docker/pull/125).
+- docker_container - allow ``memory_swap: -1`` to set memory swap limit to unlimited. This is useful when the user cannot set memory swap limits due to cgroup limitations or other reasons, as by default Docker will try to set swap usage to two times the value of ``memory`` (https://github.com/ansible-collections/community.docker/pull/138).
+
+Deprecated Features
+-------------------
+
+- docker_* modules and plugins, except ``docker_swarm`` connection plugin and ``docker_compose`` and ``docker_stack*` modules - the current default ``localhost`` for ``tls_hostname`` is deprecated. In community.docker 2.0.0 it will be computed from ``docker_host`` instead (https://github.com/ansible-collections/community.docker/pull/134).
+
+Bugfixes
+--------
+
+- docker-compose - fix not pulling when ``state: present`` and ``stopped: true`` (https://github.com/ansible-collections/community.docker/issues/12, https://github.com/ansible-collections/community.docker/pull/119).
+- docker_plugin - also configure plugin after installing (https://github.com/ansible-collections/community.docker/issues/118, https://github.com/ansible-collections/community.docker/pull/135).
+- docker_swarm_services - avoid crash during idempotence check if ``published_port`` is not specified (https://github.com/ansible-collections/community.docker/issues/107, https://github.com/ansible-collections/community.docker/pull/136).
+
+v1.5.0
+======
+
+Release Summary
+---------------
+
+Regular feature release.
+
+Minor Changes
+-------------
+
+- Add the ``use_ssh_client`` option to most docker modules and plugins (https://github.com/ansible-collections/community.docker/issues/108, https://github.com/ansible-collections/community.docker/pull/114).
+
+Bugfixes
+--------
+
+- all modules - use ``to_native`` to convert exceptions to strings (https://github.com/ansible-collections/community.docker/pull/121).
+
+New Modules
+-----------
+
+- community.docker.docker_container_exec - Execute command in a docker container
+
+v1.4.0
+======
+
+Release Summary
+---------------
+
+Security release to address another potential secret leak. Also includes regular bugfixes and features.
+
+Minor Changes
+-------------
+
+- docker_swarm_service - change ``publish.published_port`` option from mandatory to optional. Docker will assign random high port if not specified (https://github.com/ansible-collections/community.docker/issues/99).
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- docker_swarm - if ``join_token`` is specified, a returned join token with the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``. Make sure that you do not blindly use the join tokens from the return value of this module when the module is invoked with ``join_token`` specified! This breaking change appears in a minor release since it is necessary to fix a security issue (https://github.com/ansible-collections/community.docker/pull/103).
+
+Security Fixes
+--------------
+
+- docker_swarm - the ``join_token`` option is now marked as ``no_log`` so it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103).
+
+Bugfixes
+--------
+
+- ``docker_swarm_service`` - fix KeyError on caused by reference to deprecated option ``update_failure_action`` (https://github.com/ansible-collections/community.docker/pull/100).
+- docker_swarm_service - mark ``secrets`` module option with ``no_log=False`` since it does not leak secrets (https://github.com/ansible-collections/community.general/pull/2001).
+
+v1.3.0
+======
+
+Release Summary
+---------------
+
+Regular feature and bugfix release.
+
+Minor Changes
+-------------
+
+- docker_container - add ``storage_opts`` option to specify storage options (https://github.com/ansible-collections/community.docker/issues/91, https://github.com/ansible-collections/community.docker/pull/93).
+- docker_image - allows to specify platform to pull for ``source=pull`` with new option ``pull_platform`` (https://github.com/ansible-collections/community.docker/issues/79, https://github.com/ansible-collections/community.docker/pull/89).
+- docker_image - properly support image IDs (hashes) for loading and tagging images (https://github.com/ansible-collections/community.docker/issues/86, https://github.com/ansible-collections/community.docker/pull/87).
+- docker_swarm_service - adding support for maximum number of tasks per node (``replicas_max_per_node``) when running swarm service in replicated mode. Introduced in API 1.40 (https://github.com/ansible-collections/community.docker/issues/7, https://github.com/ansible-collections/community.docker/pull/92).
+
+Bugfixes
+--------
+
+- docker_container - fix healthcheck disabling idempotency issue with strict comparison (https://github.com/ansible-collections/community.docker/issues/85).
+- docker_image - prevent module failure when removing image that is removed between inspection and removal (https://github.com/ansible-collections/community.docker/pull/87).
+- docker_image - prevent module failure when removing non-existent image by ID (https://github.com/ansible-collections/community.docker/pull/87).
+- docker_image_info - prevent module failure when image vanishes between listing and inspection (https://github.com/ansible-collections/community.docker/pull/87).
+- docker_image_info - prevent module failure when querying non-existent image by ID (https://github.com/ansible-collections/community.docker/pull/87).
+
+New Modules
+-----------
+
+- community.docker.docker_image_load - Load docker image(s) from archives
+- community.docker.docker_plugin - Manage Docker plugins
+
+v1.2.2
+======
+
+Release Summary
+---------------
+
+Security bugfix release to address CVE-2021-20191.
+
+Security Fixes
+--------------
+
+- docker_swarm - enabled ``no_log`` for the option ``signing_ca_key`` to prevent accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.docker/pull/80).
+
+v1.2.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- docker connection plugin - fix Docker version parsing, as some docker versions have a leading ``v`` in the output of the command ``docker version --format "{{.Server.Version}}"`` (https://github.com/ansible-collections/community.docker/pull/76).
+
+v1.2.0
+======
+
+Release Summary
+---------------
+
+Feature release with one new feature and two bugfixes.
+
+Minor Changes
+-------------
+
+- docker_container - added ``default_host_ip`` option which allows to explicitly set the default IP string for published ports without explicitly specified IPs. When using IPv6 binds with Docker 20.10.2 or newer, this needs to be set to an empty string (``""``) (https://github.com/ansible-collections/community.docker/issues/70, https://github.com/ansible-collections/community.docker/pull/71).
+
+Bugfixes
+--------
+
+- docker_container - allow IPv6 zones (RFC 4007) in bind IPs (https://github.com/ansible-collections/community.docker/pull/66).
+- docker_image - fix crash on loading images with versions of Docker SDK for Python before 2.5.0 (https://github.com/ansible-collections/community.docker/issues/72, https://github.com/ansible-collections/community.docker/pull/73).
+
+v1.1.0
+======
+
+Release Summary
+---------------
+
+Feature release with three new plugins and modules.
+
+Minor Changes
+-------------
+
+- docker_container - support specifying ``cgroup_parent`` (https://github.com/ansible-collections/community.docker/issues/6, https://github.com/ansible-collections/community.docker/pull/59).
+- docker_container - when a container is started with ``detached=false``, ``status`` is now also returned when it is 0 (https://github.com/ansible-collections/community.docker/issues/26, https://github.com/ansible-collections/community.docker/pull/58).
+- docker_image - support ``platform`` when building images (https://github.com/ansible-collections/community.docker/issues/22, https://github.com/ansible-collections/community.docker/pull/54).
+
+Deprecated Features
+-------------------
+
+- docker_container - currently ``published_ports`` can contain port mappings next to the special value ``all``, in which case the port mappings are ignored. This behavior is deprecated for community.docker 2.0.0, at which point it will either be forbidden, or this behavior will be properly implemented similar to how the Docker CLI tool handles this (https://github.com/ansible-collections/community.docker/issues/8, https://github.com/ansible-collections/community.docker/pull/60).
+
+Bugfixes
+--------
+
+- docker_image - if ``push=true`` is used with ``repository``, and the image does not need to be tagged, still push. This can happen if ``repository`` and ``name`` are equal (https://github.com/ansible-collections/community.docker/issues/52, https://github.com/ansible-collections/community.docker/pull/53).
+- docker_image - report error when loading a broken archive that contains no image (https://github.com/ansible-collections/community.docker/issues/46, https://github.com/ansible-collections/community.docker/pull/55).
+- docker_image - report error when the loaded archive does not contain the specified image (https://github.com/ansible-collections/community.docker/issues/41, https://github.com/ansible-collections/community.docker/pull/55).
+
+New Plugins
+-----------
+
+Connection
+~~~~~~~~~~
+
+- community.docker.docker_api - Run tasks in docker containers
+
+Inventory
+~~~~~~~~~
+
+- community.docker.docker_containers - Ansible dynamic inventory plugin for Docker containers.
+
+New Modules
+-----------
+
+- community.docker.current_container_facts - Return facts about whether the module runs in a Docker container
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Maintenance release with a bugfix for ``docker_container``.
+
+Bugfixes
+--------
+
+- docker_container - the validation for ``capabilities`` in ``device_requests`` was incorrect (https://github.com/ansible-collections/community.docker/issues/42, https://github.com/ansible-collections/community.docker/pull/43).
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+This is the first production (non-prerelease) release of ``community.docker``.
+
+Minor Changes
+-------------
+
+- Add collection-side support of the ``docker`` action group / module defaults group (https://github.com/ansible-collections/community.docker/pull/17).
+- docker_image - return docker build output (https://github.com/ansible-collections/community.general/pull/805).
+- docker_secret - add a warning when the secret does not have an ``ansible_key`` label but the ``force`` parameter is not set (https://github.com/ansible-collections/community.docker/issues/30, https://github.com/ansible-collections/community.docker/pull/31).
+
+v0.1.0
+======
+
+Release Summary
+---------------
+
+The ``community.docker`` continues the work on the Ansible docker modules and plugins from their state in ``community.general`` 1.2.0. The changes listed here are thus relative to the modules and plugins ``community.general.docker*``.
+
+All deprecation removals planned for ``community.general`` 2.0.0 have been applied. All deprecation removals scheduled for ``community.general`` 3.0.0 have been re-scheduled for ``community.docker`` 2.0.0.
+
+Minor Changes
+-------------
+
+- docker_container - now supports the ``device_requests`` option, which allows to request additional resources such as GPUs (https://github.com/ansible/ansible/issues/65748, https://github.com/ansible-collections/community.general/pull/1119).
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- docker_container - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_container - the default of ``networks_cli_compatible`` changed to ``true`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_container - the unused option ``trust_image_content`` has been removed (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - ``state=build`` has been removed. Use ``present`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - the ``container_limits``, ``dockerfile``, ``http_timeout``, ``nocache``, ``rm``, ``path``, ``buildargs``, ``pull`` have been removed. Use the corresponding suboptions of ``build`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - the ``force`` option has been removed. Use the more specific ``force_*`` options instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - the ``source`` option is now mandatory (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - the ``use_tls`` option has been removed. Use ``tls`` and ``validate_certs`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image - the default of the ``build.pull`` option changed to ``false`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_image_facts - this alias is on longer available, use ``docker_image_info`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_network - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_network - the ``ipam_options`` option has been removed. Use ``ipam_config`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_service - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm - ``state=inspect`` has been removed. Use ``docker_swarm_info`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``constraints`` option has been removed. Use ``placement.constraints`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``limit_cpu`` and ``limit_memory`` options has been removed. Use the corresponding suboptions in ``limits`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``log_driver`` and ``log_driver_options`` options has been removed. Use the corresponding suboptions in ``logging`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``reserve_cpu`` and ``reserve_memory`` options has been removed. Use the corresponding suboptions in ``reservations`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``restart_policy``, ``restart_policy_attempts``, ``restart_policy_delay`` and ``restart_policy_window`` options has been removed. Use the corresponding suboptions in ``restart_config`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_swarm_service - the ``update_delay``, ``update_parallelism``, ``update_failure_action``, ``update_monitor``, ``update_max_failure_ratio`` and ``update_order`` options has been removed. Use the corresponding suboptions in ``update_config`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_volume - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+- docker_volume - the ``force`` option has been removed. Use ``recreate`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+
+Bugfixes
+--------
+
+- docker_login - fix internal config file storage to handle credentials for more than one registry (https://github.com/ansible-collections/community.general/issues/1117).
diff --git a/ansible_collections/community/docker/CHANGELOG.rst.license b/ansible_collections/community/docker/CHANGELOG.rst.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/CHANGELOG.rst.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/COPYING b/ansible_collections/community/docker/COPYING
new file mode 100644
index 00000000..f288702d
--- /dev/null
+++ b/ansible_collections/community/docker/COPYING
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
diff --git a/ansible_collections/community/docker/FILES.json b/ansible_collections/community/docker/FILES.json
new file mode 100644
index 00000000..5375f735
--- /dev/null
+++ b/ansible_collections/community/docker/FILES.json
@@ -0,0 +1,6564 @@
+{
+ "files": [
+  {
+   "name": ".",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".git-blame-ignore-revs",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "efca7f314e24f2e84a87532e81cd827ab65eb155346fd9f94166af2e3aac2f6d",
+   "format": 1
+  },
+  {
+   "name": ".flake8",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90ad90d07ab5ab54b7a56710bba5ef10762eec6156559228e231c3f951b2ef1d",
+   "format": 1
+  },
+  {
+   "name": ".pylintrc",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3660a06832e1f6fac64c89580ba3a5d1c26dc9f68d11b0060aecb6fdc8e5b691",
+   "format": 1
+  },
+  {
+   "name": "REUSE.toml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "646b5ce1ce1d31715c0e6a8ad9c2cc2828973e92badb73d1d6e7be33a3d2af3f",
+   "format": 1
+  },
+  {
+   "name": ".mypy.ini",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cfb0d3599fbea58d023dfe1500830756bb90666e2f5cb8982ec1ae0618e35194",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/azure-pipelines.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5329f9cf8f1c025c00065985c9c57c5c376aaf11f868bddeb1634b12424e812f",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e68364750709fae75220652b5837198a1deff224fa37d4147eec37a7bcddd70",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/combine-coverage.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "49d3567c21d253290b5c075e250b1460ea46c3f33b7d25a8994447824aa19279",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/run-tests.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f0fcf44f253e20ca994b1ef3cf69dea830445af3116b8cdd9d7423e8ef240873",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/publish-codecov.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31c38e5c2f6021b3762c52c5c55f9fb565586b69e998b36519d3072608564546",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/report-coverage.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6450729de6c27bb170d308857bbf1c685fcd77cb0ea430cc0c21532d334a6893",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/time-command.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "486dd0a00417773b1a8901b4d411cb82f7e3ffea636ed69163743c4b43bf683a",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/aggregate-coverage.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db8ad813c81f9e23c821e10d4c6d91ccb4f0540c0eb3a21efe8fe1242346fa84",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/scripts/process-results.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "360f2205a9559f75b003df8e62099d6df1cee1953bc15b6a4a561d18cab2018a",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/templates/coverage.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a31ecfb36a901b437c426ad4781e5ad86b076cc3192451916bf15984f2ab3a53",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/templates/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "301d7944fc5d89e949d28a4347f8623800f8a360e72a0144bcf2f7d2474c16dc",
+   "format": 1
+  },
+  {
+   "name": ".azure-pipelines/templates/matrix.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7449540d42acdbbbeaa64da007e14a0849160bcbb138a91b8e433c994d2977fe",
+   "format": 1
+  },
+  {
+   "name": "LICENSES",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "LICENSES/GPL-3.0-or-later.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986",
+   "format": 1
+  },
+  {
+   "name": "LICENSES/Apache-2.0.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a88d15b80c84a53d3d94876d718db924f6e59bf5cbc6a9328415bb3c0269f963",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbaaee2685440b42972282c5982549290c1cf6e79878a8d67540c635fc7c378",
+   "format": 1
+  },
+  {
+   "name": "antsibull-nox.toml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79528afb73bc07ea3e866674c3a08c24f7d4f769e5b07a44f83e374b024b26a5",
+   "format": 1
+  },
+  {
+   "name": "plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/connection",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/connection/docker_api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c908c936fdac8967589dc98eaacaab9d21a5ab425e7be673425325e2ae57465",
+   "format": 1
+  },
+  {
+   "name": "plugins/connection/docker.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "631a1dc206a1e0ff6a7c7720136cb5eedad103feb23c23c15a20fdf2a96ce8a4",
+   "format": 1
+  },
+  {
+   "name": "plugins/connection/nsenter.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bf9954c8bdad2a0225859057ff476a2f63926f2cdbad2cf385c30cdb8c668fe",
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments/_attributes.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaba6dfe7fbd9b5befe50ee5a8023ff2586c5f4c93afe6ec29b40e198c967d71",
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments/_compose_v2.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c62489d7ae72a0a45038d3b2619abdc223665fd82c89f67a688b8b3df3c3108c",
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments/_docker.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "478fdda762899654d0eca2031140278a8582dc98e37bcfa611a3cebd4950a68d",
+   "format": 1
+  },
+  {
+   "name": "plugins/action",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/action/docker_container_copy_into.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90cc162379b4cb4059794372baaf856051ed6c8e32ece3aa3c49ad23213108a3",
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils/_socket_handler.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "99fc2db407ee190689fc67630a18ca8d9104160be8a695bf6fda0d105ebf1413",
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils/_common.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "878c874643965bddf5156193e4ac086ba43c88edbd3e0ae8385eb000ab5ec749",
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils/_unsafe.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c9a668352588355a01443aae85486b5122879a20980974d0678f8950e6f1079d",
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils/_common_api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c8a5d807796dc8bbcc5d9077c4b961beebe7880f7e67ca8206285ca691a2f60",
+   "format": 1
+  },
+  {
+   "name": "plugins/inventory",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/inventory/docker_containers.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "314c60936916cf6aef4f8c261f3b90884ce500d8d33ab84cb0a974aeff0fb3a0",
+   "format": 1
+  },
+  {
+   "name": "plugins/inventory/docker_machine.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82ebb74e6d58003ddb4a0bcec1480f883ebf7fec78dd6caf21e6a7f8240e43a6",
+   "format": 1
+  },
+  {
+   "name": "plugins/inventory/docker_swarm.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77e53dec9f1b23cfadb371e5e0b31e4e98fb8cd04fb8a516cabb8663f7b3067d",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_socket_helper.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "93a3f336e08a4db803e8785fecabd5ffc504c71d59ee25d91ad47b230152d8a8",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_socket_handler.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03a895f769d4e272159cdbe5fa730160ca0d99b68cbc0ed2b7b9bb35b18fc1a9",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_module_container",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_module_container/docker_api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e5916db30072f45da23c80edc0895fd6b7201491b90055cae73bc03da7657f7",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_module_container/module.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba047892ccf1ffc86eb1073383680cf03041c43a0044181fba8e4dedefc8b52f",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_module_container/base.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dba73ac726965fa484a3e79c6bebf72c9e1ae505206a5920c79d959ea2c78228",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_version.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d73a196c576c8c93fdf2ca98cba8b56fb6d168740dca22b5ec3a69b75b2b33b1",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_image_name.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58ef0b00dd649075502fe8bb712d58389beef31a94905c8adfb9fb60c0fa2540",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_common.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "257c70f22b525dabd4892ada731d356e83162714bc679755fe69cf20570f9564",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_compose_v2.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "40663ab05e8fbbb2ba5057dffd6ea899163de50975c4549762dee82914ed9f86",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/auth.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be5201455f927147ca94f6a1e04755b85e3d001b9c3795805fddbe02517bca60",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/types",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/types/daemon.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e7dfba2a24dc9a8fe87721b304c951be4bad8637d3ace744a37aaeada84cf77",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/context",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/context/config.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1225bf3e746d5f4a47fdc7c4d0a0dfcffa6d070207174d5ae4756af02ff48964",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/context/api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7f815f68009e2e95b8e5b8629d9eb49f2f701881a20f10561fda7657f72fda32",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/context/context.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "853be6d77edbcf47db130ae3a5f0d5317dee3fa23a317f02ac26022fe4d743da",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/npipeconn.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f58cbcd060492a3482fe86dc30d4ae5eec7a7ced9c8984c1e3e2ac51f5a749dc",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/sshconn.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eea16edae047772b2da3a986d1332d5a4fd09278f476190b14954e853c324117",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/npipesocket.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef60ccdbd9c69fc101b3f778809a62dc63f65194a5bc645d2e67b01c8b418c3a",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/basehttpadapter.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "684209728fc530857551bce5600431867dc4758bd50b0e8a540f65e197185f7d",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/unixconn.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "867cd3d29e742f377bf0bb1a60fcd2ad2fdc49a19b37c5df52eaf5456da39234",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/transport/ssladapter.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7336b8d397ec5c4dd92933282b935300533dbfd5220de20fd7d200eb7ae338a5",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/_import_helper.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8dac75d7aa14d6d1b7714ae0c26fd01ee5bd1c7ca240c837925371d240843200",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/constants.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1dfb262bc3e9d7d886b00f0ffc894eb2980fdc7bae68adaad0d7ddd3a8be9800",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/build.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90c3428a41b93c6931e261baf175dda789c01da856c242895528748e10d7c892",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/json_stream.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c578dc03574b45e815e1c3e5bcebd5a34a5553e0aa62c48bd0d826f79c8a999f",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/config.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f484fcafe8e8ef0fb30f0a168711e56097f4f389a7a54431817998c9f58b750",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/proxy.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "002798b62fdc772f10d342747e8ecb646f5160e36a53dee60edffd2ea1d98308",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/fnmatch.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "defd16f7c4a838d8da95b9fecd5fc3a2c584f431102aa5a98352ff38f28035fc",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/ports.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2bda5d4a31ee7a6b0f4972d9c7f84d386c05d707108f5a6c76d175f11974588",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/utils.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "151bc0ea22e29a37a568d9cd43df1c08225a733738f2af714c4baab645c38f74",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/socket.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d807a6349c7a53784952a55d9804d72668af040b9187e9683d64e86d19ffa120",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/utils/decorators.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c0e62587aba95721bd2ab2007e2efb6b07d74b9c7a5159152c253c6da027e80",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/tls.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa2e293adfbc362abf6a7a0a5d2faf832c6dfb8cdeeb0ac8511de2a2b97e82c6",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/api",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/api/client.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "568538c57ebed96ac54890d415091bad7745abceb403c7028458192bf04ace94",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/errors.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbd0c3f98c8b2eb8f07cce1841d584fb38e1e88cb9fe3f1ab87c2cea216b2bdb",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/credentials",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/credentials/store.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d86a00c63dcddd32c343a7bae1ff00251072928967946093adc43b7c3dd745b4",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/credentials/constants.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7851fba4596a5142dcdb83fd68a57a956ab743717ef3757a9eff2944dfc5704c",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/credentials/utils.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a146d8c6900c122e8dfbe9c9391eff124dcd69912c2fa69712766fd0100cda3e",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_api/credentials/errors.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "317176238da4aa68b4e072f93100c88bf695be92f63f99f4248022333a53630a",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_swarm.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e10d955928ca92089cbf095595c255d8341770bde39a67ae53d73ef42c226e1e",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_common_api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a73d338a0515915fcb88fc0561d6cb4b29d3700ab755c0d7036cd63838ebddf4",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_scramble.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ac40c3da434adea0bf022769d71c11159e2bdfcdc4a34303aeaf60148f0057f",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_common_cli.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb6b4b96548c976f406228988c0deb4e99700f5fc94c0ada693269d9209125e4",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_copy.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1271c9befc6498c34ad2b944b992733528a3c8e1bf7461e31dde98a55b2974db",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_util.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "494e3e727083448929470648314105e5cb4681927f420dacbbc8778a05ba0bdf",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_logfmt.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ab58005b0a5b6bcf2c0b71e5ff1d0e334ec6ee4ea924177d1ddf976696257f1",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_platform.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "350d88e779b66f5659807b6f467dae9813148faaed31e8dbb32edd8039f122da",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/_image_archive.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d6d034be21f4db9176002f0b08eef55543f3dc421120f739c0c65fb5b0f1f999",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_context_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e598e28f8aa06225b8ccda51b81f9da932576659e52641a2c9f799f36336cf56",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_prune.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e240ae31b9179adb58f59ea12ee62501300354be776256dc8126ba9c6018ea2b",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_stack.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5142c4b427fffcce291fb4982c719c5af20820672e16caac6573a36fbe8b0595",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_node.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "45219c0047543591ed5c2a27c38444c51abbf5a64582f20f0788c5a7c8257a51",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_volume_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b310c502cc280a8e201afb6f441333a5e94592a76e32c0d1c23d43f2cb142c83",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_node_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b031682c022739bb37e50a04fa755edd380f0705b97a468561d8229d40d5d4e0",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_compose_v2_run.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c7870f71a9c10f974722ff397aec9b485f4baab04f94f1bde11361658666c1d",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_container_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5054065ce3e1b389a16b6f8bbbf078b0e9ddb3654163e3aa14501b213ff4787",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_container_copy_into.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5ba9eef00151f6703495d82de1ad2a2354cd9393ad56088c2cc9285867f1861",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_compose_v2.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca7e20796b30ecf88fee54e9a284465a2a2a02e7a34742d3926d74a71f9adfbf",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_plugin.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7250e7b15f04228428b1bb4fd3f7cc41c68ebe4db683722d5dbf21b3124886b5",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d90f61db617bfea6e27fe947d802c79805c0d3220f24b7e71a0f715f0106694",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_build.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1028bc48542f4894e3e326b6b2eb097b3cf8078aef8d33e8f4f2cb2b116aa6c9",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_push.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8555700b8a6da0654ee70bdaa77d7126234bc67d813a09e29df7ec0622263f29",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_export.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0112055bef6a06943acc192b28882d95c87803f8f86af6f1c96bb179bf0a8eee",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_secret.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c7196fe7114c155f02f216388378a6da232ddf5d19acb7fe3b77cbfe8e95a506",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_stack_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "806b8e97ccfb8e2bb9a021ee01981b1e380f9dfa638c43773f17914ccb981e61",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_remove.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3bc67d5fc38765e6f33b05a6cc5e1a038e71c2ff1f3e17db8d281cb5414e3bea",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_load.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39c804f16cbab7c510933e9b92f4fc224dc3934dc11f1a47696a5baeb3fb4b1e",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_login.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33e6b5b4ddad40dc50afe33ea9b3e05fcca5d68ac5973984e2b6a27c4848b3cc",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_volume.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59ccce3b9f5273fee1fae8a7221be424516e961cfb93bd19d9ac1b47b1bb4df6",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "542546a5fe81a967151ec36e9bfcedcbb0720a326418fca303cb912c5e50cc4b",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_pull.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "699640b29430c9bc597a33612f653e70ae3a7fc38ee19975cd1e997c98862035",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_swarm_service.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a5d19ec36d6c1e1b6b9c062a8c0644481ee2d9da3cc28343ded1ea7bc750b70",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_network.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "91a6a71a7f925d44b9a212582de281b7ca04106bd45e72d059fbc90f0ae03e40",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_compose_v2_exec.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2028e8db6ba9005d197e57c95706e729c17feb5555c00e22d03fd319be53cc16",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_swarm.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dadca3bd3146bdfdc1ffb697d09deab764234972cd0ef2146d192a0dd4e7eab1",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_host_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d164c387ade260c6c72c4e58a2f8f395be8ccafef2f577bb8947d4804e3453d0",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_network_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0bdff3e690af3a78bc80286f4015693bfae14b2735f23786303574b07525d4ca",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/current_container_facts.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cbc1a0940ed227c5fe4bbe36ac6161f676ae232df2192cfdc7ad20fc4e4fe9ec",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_config.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9a5f36d0b2a99f83b81807429d5b9cdc14840da784e9960800b8e82ba6feb60",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_image_tag.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be6254b49df574c35031e5cb316464cd0808417269b6e8dd7d4ce4e8791bed12",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_container_exec.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cccfac87a46fea79b01c911eac0e7cbb969fb0c9ee69bc567f325d01438a9ec",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_swarm_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14068f407867730890f9a7be34bd6160d5f2b21efc5725176eaea340d1df140d",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_stack_task_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "80bed49918d0e124a12b263c03e6f0273ed7e46501132877327954b21fa05803",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_container.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6279dc30df5e36d6a67f7287305ad99426b4ab1eccabf1bd045d19a145107b86",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_compose_v2_pull.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7274f65142ce43876406385fb483aae255cb750d972bb3f6ed7d8df82533d288",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/docker_swarm_service_info.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bb1fbb7c849c92ecc90327a937ff6859a87f6431d95f460a6dc90ba2266982d",
+   "format": 1
+  },
+  {
+   "name": ".yamllint",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d93680c1f505b887c2ad31a98485e8200caada975c0877bbfdd5a92812da9d3",
+   "format": 1
+  },
+  {
+   "name": "tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/requirements.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c74d0b5ba8f15f61132781110bcbfcd89a9653905302034319e55647d23fffc1",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/connection",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/connection/test_docker.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5cf85a7310ad744b008b3b2ff2745de6de510df7f125e019affdb0f57bcfb8e",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/plugin_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/plugin_utils/test__unsafe.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79356ecfb6572978362f70f7c6d5bc582fca0ad4dba8489a550d3fb24e99b51d",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/inventory",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/inventory/test_docker_containers.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1291775238eae03237d5e6e0cdf5443bfe37b30ae190a62cc74297b77ba51c36",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/test_support",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/test_support/docker_image_archive_stubbing.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a56797f2e221793efd76451b9b1da15bb2d168d370610faf190a60123e4a72f",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__copy.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "758a1fab03204d1ef45d54a8e38e01ca3ca53d64db67f61b8adaf85625d0a1fb",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__image_archive.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d439205be2072f7a9cb0187013c1da77584d92447c34c92dada68313df226c9",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__image_name.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35688fcd9a6000d88c3f3f290b8b28336e34a1f93da82950fdafe9e232d006e9",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__compose_v2.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82b6d2ba1f1eee8994cd2115e4492f3458781c1f45da5d85f150b21a07ee4c15",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__util.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eee97a08fe506b42c38a2409bbe1a0d8deaf33723f88dfda7659355f173608a3",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/fake_stat.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d96531a50db00265b9eed4bbd7a70c43a807c121626423c0270cb48a90e0cfbb",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/transport",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/transport/test_sshconn.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b721edec82624f1172aeb610a000aa4292a9b8ad0183aac6f97ebbcaaac8780",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/transport/test_ssladapter.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3473cc41fad5b9915ae175ade32c14135f113da6567add650314730263d44019",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/test_auth.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ddebe176bd3118a938157f7f3a13cf178a8f645620272caece1d6360739ae48",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/test_errors.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78fe9d5db56aceca3124f5b1153e7c95d2f94324c7a3c0caf08300e591fcfdda",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/constants.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "614b414004b12250ff202de58ad4e06f9e2ec9c22ec0ffb6bd87388b3c0dc18d",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/fake_api.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ec91839a1f96c34ef99fa4bc86cfb08f44faf37cfb906c86f5b17188515deb5",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/testdata",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/testdata/certs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/testdata/certs/key.pem",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9fc3c10d22cf3dfb15727e16c71fe0de673a835dff0e711c208cf2421a3770e",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/testdata/certs/cert.pem",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9fc3c10d22cf3dfb15727e16c71fe0de673a835dff0e711c208cf2421a3770e",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/testdata/certs/ca.pem",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9fc3c10d22cf3dfb15727e16c71fe0de673a835dff0e711c208cf2421a3770e",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_utils.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73a5e866bf99768d7d43b436b8c2645d262a42f3393827aebc76c99437242553",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_decorators.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cb87719d8037909eae1407a046e9a2506f495e4db4b074978eb998f48868e11",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_json_stream.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0174f9e09c0c62abb12c1b1973b6ae780e87ab79b1afdaed0d82df6a8130fb0",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_build.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba2fc26615e9079b54fa913a977b9d729bd3a1ebbf8537f1640e8207a4ae1d61",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_config.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4f4023ee44629cfc159d3e28f8d5de57d537508fa43cdd498bd04f2161472f4e",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_proxy.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "032316a780be30471e00924876621acf7001f305d6c50c7d65fdfec58a45c801",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/utils/test_ports.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4158fe2b56613617fa49c62b60c3e0ad7646eaa4d246b77c05879d01333e65a9",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/api",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/api/test_client.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a639bdb8c36ed3cf58ed7463afe932e69293ca9639e48b6d6ffeb9093277b50",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/_api/test_context.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2603f1a2f0ad86c0a47d96d73bda21949fb5eb366c090009abd039098f495950",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__logfmt.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "688bbe843e90a87da694a36e26730658847d6a5df47a415b73e660d9e741435c",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/compose_v2_test_cases.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d0788e0ae3fc3743960af4af31ea9a376c936abff51fe75733f56c753182a8a4",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/module_utils/test__scramble.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a2d3785d9b8a021c7502b0fe0eafb19d6eacb3ec89563d242698c8a119556b6f",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules/test_docker_swarm_service.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afd6a5cc92ce8975bc9fe0aad40daf87cb70372b11342a5658223968a06cacbf",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules/test_docker_network.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "208e79c2bc48dd13cc2763df6410008f27d416b0f537e28dae987e284d026fd7",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules/test_docker_image_build.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3a2bbea1005c4d146da2bbb0fe6e9a0eeae3fc83376a736135f3a0c2dd08a5a",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules/test_docker_image.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6ee9c0a3efe4b5e903caeb703ea3e67a2a01c16c65ce0df1b71b7e63f2823f9a",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/plugins/modules/test_docker_container_copy_into.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "feeaaae70b25e6dd01f3dee3ab11ca27e578fa0539224071e00234cff4072a08",
+   "format": 1
+  },
+  {
+   "name": "tests/unit/requirements.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec06127b561ae622eda4a0069630dc945698f9b0481e4cf47c497b7f9b8d089a",
+   "format": 1
+  },
+  {
+   "name": "tests/images",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-1",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-1/build.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "feb51e06ea8348e431fe0e67440d872d183d09428196c893ad63c4af9bcf460b",
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-1/main.go",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f5c8bfab3015cd41346add84e0753c04ac147bd92b39728beeb2b95e4a84e8d",
+   "format": 1
+  },
+  {
+   "name": "tests/images/healthcheck",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/images/healthcheck/is-healthy.go",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87d1e703bcbf0618333a35a7df810a1a349196768497e23eeeeca2329a6999d6",
+   "format": 1
+  },
+  {
+   "name": "tests/images/healthcheck/build.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7778280ced47cae70531e0b5fc10f9d8f9f5136c78f8c88a664289f96aebf95a",
+   "format": 1
+  },
+  {
+   "name": "tests/images/healthcheck/make-healthy.go",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "42f10c374ab29242f23c6aa6dfa994d2a46d38dc642bd78e4e10a8cb097bca15",
+   "format": 1
+  },
+  {
+   "name": "tests/images/healthcheck/main.go",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "357d87742e0a6806f843f1a51acee1c215e9cfeb8ecdde88a558aa330aedcb16",
+   "format": 1
+  },
+  {
+   "name": "tests/images/copy-images.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2827fe0b4d79b8668a0fb6ec317d702b00d3b2eb4eba6eb120ccebfae654a831",
+   "format": 1
+  },
+  {
+   "name": "tests/images/build.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "feb51e06ea8348e431fe0e67440d872d183d09428196c893ad63c4af9bcf460b",
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-2/build.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "feb51e06ea8348e431fe0e67440d872d183d09428196c893ad63c4af9bcf460b",
+   "format": 1
+  },
+  {
+   "name": "tests/images/simple-2/main.go",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "412bc847ed6f3fc269a4e077487909299478c6d3bd491569b80d6374c49d1dfe",
+   "format": 1
+  },
+  {
+   "name": "tests/ee",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_plain",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_plain/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_plain/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cfaf1cc054120e7590b390525722209304b7781f20cd8c81e923bfa30260ed04",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_stack",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_stack/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/docker_stack/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33196ce33a946992f9ab32d09fa7ef2e2e6f2b82d57b2b7dfdde8fa5788d3a4f",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/current_container_facts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/current_container_facts/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/current_container_facts/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61f7f613b2c9f13fab6dac649654ca4db223dc94d09f475474c8dcc9ecf4cd14",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/all.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d574241a804b7f18c1a7d1d3086dca99df7c7de5069a9a274ae6cc06378cd2c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0fafbc6dcd31afd1ddcfb7738ffda514b0fca6e32de2075746175677d1fb4d56",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_exec/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b37462f762ac2153f94e3a5757d73fea3f0ed5f9f6e046b9b46d4c74b5085b6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db2ef436478be811894ab9ac2d70d081e219511372800aec6afdf8bf7f369289",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58974ad0879f97f23deb80f10b5f0edca86e1864798c8abc02390de4ea8437d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_exec/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_posix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_posix/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b04c82c870ffc2902a90819cfd91df99dd6c9584734a2a2e646b1f804238262",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_posix/test.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b92bc5256864e79bca068cded19c68d00d1014e45dc101ab7225e8fbaab06af",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89690fb51f4468229ad7155b351810ae3cfac4e6485296a0a401f7e2427d3e42",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8d02f5df27f69fc39e5ab3db5777dcc7a360bd87ec717d236a63604edc14a455",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a934c4ea6402aa92476b4ef75725cdb5a75d2d564e89b574b0f3b59ffd930ff7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "862b710b7ce7a04c7e69cd856e156f3db34906415e9f82941062fd92687c868d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dfddae9742ffe50150212a8ba8150ddb78cd5093dff429b50cc940c17e2ec369",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/vars/Ubuntu-20.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98221fd1a8e84fefd5287f7af582700b8a751607657eec1ed5d10840d948ceaf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d51a7f136a011e8b7b84044b1f69d97c8ce03ea3aa72e3a773c48056798ae40",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e11ca6edae518cc531ab425daa9eb93f78f89b9ddd515deabd239e8c7925323d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb707cc2df5838f22ab14fe848d9ce1e833764b282b5be6a494b84ecaed2db43",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb09ffab7e455855046b8e8ef753c031bcd11a625c879517fa98335d23b15af8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_podman/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3842ac7575b48a30ba5c60dc44d21279ab1640612ed0372f70b78346d31778ab",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e3a7daf68a8ad3934da1705212bb71e55f51ac40710568022a47d0e676766b4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/nothing.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0391df4795e8bbf89618a8ebb1c3ce3458cd06474f1a9e9d9f8cdf1139a8a384",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2e31525a96c3b0193f1c8ecec9695416fce4a40f87be76b0cfc0af6b133b270",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-9.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84025cc071e00b43fa3e7f687b96670e2cebaa366a261e6f323e6c799db89639",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24660eabf2e76f10001d056cc407345bacc46d8d54354050b7a327e13f66b3dc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_compose/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b6cbfff0581c89d9114e38c9c9d6a5f688dbaa924e60b29e8d774eb1203c2ed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e17166d69472d25e55ccbaae9e7e0bfb57d4b0489ca7dda2cc3383059a292b42",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8eefe591fc99e17b212d0aaabf72be2a0337dc3c580cde9a5fdd870e638b88d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e2d9e7293308b946ad6dfc1b223c2942b23c0239e610e7dc7810817f9f31dc0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4fa286312959d8b036593add078e865fda263e006af09e1aa86c7d910b5e26cd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b47800d1b37d41dc93ba12a5eab51ce8b4eef0560f93e1de80734b45cde9bfc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/Ubuntu-14.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8fac5856f538ceb01bcfa39157cc49b2fd4b06f90f81b139931dfb51ba1d3fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95633a5a70b25c4140615c5d6c71b1c18d180eebfd5fdf226591f569e75fa53d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/main.env",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d66d6f3078a388279c0f79932d0cd4e9f09a9d4c86b3fb42b1b607a29b8fc7a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/RedHat-9.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22e0ea71c4c03de665af5fbb1f6c25f6da56b4005791f7ee6ab9d6ee6a362175",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a70c3f81eb70f10095a54ea59d8bd2d78fa5ed57f0c6baf7c2ea73473fad833b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/RedHat-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "55486a7a19fdfe395ed6d8dc88169a0c756476043eba77a4879a7f2f58008d17",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/Ubuntu-22.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3b92e7d0fc430c53df055f9a785d5c02a02a4722f2b503d1f09c721d29e8dcd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "885e9d8c66c4c703a4bc0713cb744b95d62660b5f6ea17ec911e627587784c36",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d0234bf3fb0f55302d4e51666788d96fc8109b4b32d0b9c6f275643505adad34",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9a08463e216f4e3b18c53c3414e7f0142449f74271a3d1e8a9946e134f6be16",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ec7546b6a095eb26263301c7c70f7b06e9f214374b57333bfcd93bd0a1d866a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43a4a5e92d9d51b551ad4e593f784fc9a0de1f843a449eaed44a99dfa51be85d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c16c3a0ff7c4a2e18e4c5bb19b399f5daca23c215824b24ebc0cc3bd7f186acc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b5ed87a8e7eb0f09a4aac1725b48866a44fb29444f9bed3ede9a087f0b7d4f99",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/RedHat-9.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d3056e483a6f6ca4d222f091a68f71adade9530a54a0dabc4a81a0b4d877163",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d3056e483a6f6ca4d222f091a68f71adade9530a54a0dabc4a81a0b4d877163",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/RedHat-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d79a3b7d880e1b67ef4282158808fd1aff3c4420ca9bf8b8fa9039f2d091eee8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "437fe161be27105e1a80f66d02f8ea9c6152135a0c98f4f85e800c0a68e14894",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb68a78cb264725dfaa8d3647048f08b136626454fb58e349c909e13b19d4be1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "588fe56f36b397ee3f8e5f44732ccda89632bad1b148143d06cd21365c162542",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb09ffab7e455855046b8e8ef753c031bcd11a625c879517fa98335d23b15af8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9029ad14480da05f148378f9e0e849043286258419cc1e19427c26c9cd2dc80c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f27c0b49d79918e8c380a1c5403d2bba47619a89ca6433f0f9efad4d29ba8be",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3abb5fd5595147e15c8bbd48de84f270f22672b1978db91b829f3d0e1a712efd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e9048b8c2df59f1b2baed1096a02be39bc85ce5624c604e8f0ce500994ae965",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/tests/docker_image.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22533f13e90327850b15c247e0ba347d6c938c9193cbfbd0141c40c5325dfcfc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c2c8deaa4439989de0cde4582eec0a685d1c15554272cf4e82d6fc4e119b076",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates/EtcHostsDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9d474c11ff7766ee58b74e50ecd80fba99b9ca1bab0b661c8f39c91dee23aed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates/Dockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d300419d4d1e626ddbd093c53831948c6ebb6d48a973ba4a0d9fa34cdf7462e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates/MyDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d9039d8165a7c7170c5f1466438e9c27d6380abb329609d7601d34325709858",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates/StagedDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5882640f5183ed9b01fe7f06e144cd375bd402a1f2014392347c5e0bfce2222",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/templates/ArgsDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3699620b7b078291c3f1d1c97414c9e961b51ce3705fdccb67545e87fe7e75e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/tasks/test_secrets.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e578d1aaec863386ea0e6f8cbbfcaf7da354d6a5aa2e0cd8a3c0e7963a885ab",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0610ec2a3181a0a2336d9d1a16d9bc64584dfdf7c9c880a6161a4dce9ec2936",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48e41681961146fc376abdd7ef550952d84678a300f6310fd18910e2b270ac29",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_secret/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "133d67cf2b2857f5a906a6e054498df8d5ddc556a3671cad8216d06d0dbd8e09",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/inventory_2.docker.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f6beeec0f8619270e63d4170509329cb1ee10be468ad063be53eff92f1da9340",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/playbooks/docker_cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "192b11ea45ad4aba959835908baed2fec7672d00ec53e1fdb660c9e8c3840dca",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_1.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e41ece9ec7fe6e4a2cad5daee4bedf1f0a2c67fc4b020e2de1d0e9e853ae82d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_2.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6527d7d5a02c6e84e6ac0571b38547c7c03fccf0513b3255b8f715b7ba016de8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/playbooks/docker_setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f7c5f17cc2b51e1ef88e5aba4ac071efd2470a8c42d03e6d1faf5f21bb5f034",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "959dd0ebdd942dd1ea2518dcafecf11004ffe7f3ab4f6eb3ddf418a6fd2a947e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/inventory_1.docker.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f3a49b3d86cc4cf58ce41ca680ce530d5f1dbcdb4beec75cf4f9268c35fa158",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_containers/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e6239eaffde9b964ae0ea057e9ae6baa4f6cffef7c2268f5cf62c51119ae403",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection/test_connection.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2c2a9fb64db7f0282070502bc073d436abf56dff1585a3c3bad2670d16940752",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c28953826fdc5ca7bcb519d60bc7d1286b038dae761b63e43f6f0a163cc127b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection/test.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1795c9109c37a127bfb605b3275b1673f59476c3c832979475b3c4f49bb008f1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63bc356cdcd7b223c2cd923f099277013484bb012cbfac89becca80c7cd5b22b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db2ef436478be811894ab9ac2d70d081e219511372800aec6afdf8bf7f369289",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58974ad0879f97f23deb80f10b5f0edca86e1864798c8abc02390de4ea8437d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_run/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests/pull.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ea8e0da015df257ee57628f8292da14abd76f3247ea32b5510518024f50b29c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests/container-exit.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9733a6cfa80a8f14743f0c7d0f976ddff525e79e93db4967174dd9e4afc3931",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests/start-stop.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ae2d3fc0ed8440b403cdffba943d7fc73289a7fdd2e7122a8bb2c2b61eeceaf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests/definition.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69ae9e9272ca4125b4e18ac926ceea89f86ec69b875a5dfbbc371de719126cd6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/tests/build.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74cdfbadfcf6faab5caf34e05e911407c818cec2df6f33db2eff607da22fc6c5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad1a656376522788754988f4345b0c8cbfc8bd80ade94e7b0a1224e344586fd5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58974ad0879f97f23deb80f10b5f0edca86e1864798c8abc02390de4ea8437d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/inventory_2.docker_swarm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4885e38129798ed56b4c6478dcf4021f8394b13cb3ff8105b15087427bd7db46",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/playbooks/swarm_setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff8f32b2b1b6970f2c06742e9a83d1795bd54def582b526bff1edf96ab95a0ce",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_1.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e9629a5298d17fd0dbad5cf664788d2bea12cab9aa8e075c096b5c20fcdc1b5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_2.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e1fb367fc7c5f0389e43e212d0f5b4f5639ef5be3a80a8cd6f0b74156b42afd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/playbooks/swarm_cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8fa3a94a549954e0e4dec187bf36cbe9ea10b26034f86c51d0340c8fb873d409",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9165553f336b498778d029796fb63fce86d53d9a8a3ffc42190c20a9442a4e66",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a76f4a620dfae81104aa5ee3c8aedd5b41550acf46aa7485ccc0d0e6a8bbc5a5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_swarm/inventory_1.docker_swarm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d53b438fa30657a4719b2163d3e1d9ec1b4a76b857cc1d0c1fb75719de6140a1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8cbd32d20411322762009703ef1ae34a595be1ab00fd914374e5f813fda16c17",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01b45d7b6d896d5b801037e95e7e3225acf01da3732237ceb8ebf75e49adf60d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf39208e989d1a6c63c504fab49abe73be696193d1a541d8b92457e8cb82cc25",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_remove/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/vars/Ubuntu-14.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db950d02e92758a200434ecf25d81c90e7f076466be75332673c714b6be638a0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/vars/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82c26f13d94c77a379869f352eb627928a151649bc4035af2063eee6b177316e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "223f4258c33c1817f3cddf43c33835d119460e0e0e5f7cd8664739f1284ba2d0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb68a78cb264725dfaa8d3647048f08b136626454fb58e349c909e13b19d4be1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab7657ff1ae78779beedfcdbd44c1c5827040c2b0973a5a41d38cd02bd0f0234",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_sdk_for_python/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb09ffab7e455855046b8e8ef753c031bcd11a625c879517fa98335d23b15af8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/inventory_3.docker_machine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff090e5f93098c3d15ee6f8cbf9bfc35d896a430fe96ba4eab5779335778e4d0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/docker-machine",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6452172a01de135acbfe826bdf009508e0fd9db385802dd90b3ec75ad52853b0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/teardown.docker_machine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b921d0f0539ea489e8328930b125ec2450c68df24888fa04c6e6a5004688fdf5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b6cbfff0581c89d9114e38c9c9d6a5f688dbaa924e60b29e8d774eb1203c2ed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/playbooks/pre-setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31caa89bc42706acb8939083286f41cede3f5f0da20e0f74ff4a6fccb492deef",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/playbooks/test_inventory_1.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "940ab5b17809532bda24883656db881ae0f6c4cdc317dcda34f41da8eda5d1ad",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/playbooks/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "449060b37d5bb34a62f1ff13acf3577bd45fca1f3dfcc852968611104ccb2889",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/playbooks/teardown.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8731dd018e6682c7de3d7b22ed9d81ebf5c9e8a416078ffceec196e71e7a52ac",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "40d6b2c962e3c75f15ce208eeb6d47cf16b4049560ed69c977e74fb1a2f465c2",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/inventory_1.docker_machine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6a2559f4b458d19217644547f8652c9f4559ee0f173c22db9d5f4b32f5f5071",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b5d49be8f1ede2b4c37f1bc615adc0a60a717430e92655f88bd85d0beaabc87",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/inventory_docker_machine/inventory_2.docker_machine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc839d48eb9e045d698358e82410f7566fea3e83c5a74dca4b0a5b5c20604d63",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9699ffaa0117d51910dd820e37919ef66eccdbfa74d34647507de7f98a1903b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/tests/remote-addr-pool.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b17b7a57b0848157813806b24609ba31c2c73f130ac36ab51ffa7113a2cfed18",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64fa4caa1a19a21dbf819f6986d06995ece9744ee0c761abadaa2797ec881f90",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/tests/options-ca.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09028a40b80843b4e3019b454c4cf7e1917d8c3950cb3d1fdcdcc5c9c14f7ed9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd2f94359e95280652f2178e2466434b0391f02c6c14d05e81f2f7b6a8dcb6ec",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d784c093a3f50600422800be51b5b5af0a674c369f86f3afdeeef72e3fa12854",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afb9965617dda796ed1d87d1a9cb81c0d18c52b89cecc9bd081a60de56421576",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2939bfeaa28470c221965664ddf11c7ce25f6a9fcadc5f55269d0b8f3b9f833a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "488b9b96b7f4e2519b27526d3d61546747c29ae1875893224bc7582a9b31ad02",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/tasks/test_stack_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "99897aea5a20e9eeda079143395dbc8becd30fb81da33e5a5d10c7e333f646bc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "877c4212fc4fe8395ce4aee2dc6f903582ddcf90e5a713497c2ef9da62f15baa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27d1fd9c3d205cb1f018934cc0330a921a7558c44103f3dbcab763ef38621d4e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/templates/stack_compose_base.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c59fdbb88dadc55232c61a24f3a4f8573bb6700e88e68dd483aa4ba40ab320e6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/templates/stack_compose_overrides.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e2d1c762d09c7b79a55a07349eb2388f57194e00866a855f3be289a755bdd34",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ca2add1203cb87d27f8a9d1b37ebe4b8ab2837000380b695c048f1844eaa33f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/tasks/test_docker_swarm_service_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e4d63355e2d882da2b4290299bb0465232faa15290257648aa44f21c1a7e52e5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e16bb020f15d6bc1715c8827f0aab31e277c9b4b3cb20a4eeb7690bf718a1ff7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "133d67cf2b2857f5a906a6e054498df8d5ddc556a3671cad8216d06d0dbd8e09",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/shutdown.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c85e246c0bb1a679bb330c5b39bd18df208bddaaca5ceea4e970f8a6875c1a21",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c70c52c130b4293c08b2f504fdbe32378267658d21da14a10be17e919cbdf70",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/runme-connection.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b92bc5256864e79bca068cded19c68d00d1014e45dc101ab7225e8fbaab06af",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39fc2b32eab3ae7432607c91320e6ecd45455607a9db7f69d41fdd74119d08fe",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker_api/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c928df5dd399e34355a47d1b807cb5f7c2bfbf4191be8a17382fc9b5d9493e9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/vars/Ubuntu-14.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cb84acc4451ea34b384dbd22bf68b593398d4fe490d313dfbd0ea043dbde0fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/vars/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "849f8ca19544ea366e1209448768a68238e0ec4a55d09daa9bb9817e4d51df98",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b51bbe50e80c804654d0c8604b08038324052bd047217f5d6c3f1dc1b4b0763",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb68a78cb264725dfaa8d3647048f08b136626454fb58e349c909e13b19d4be1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "721c28099649141d17cacdcdb886f4de0188ddadac86852f2abb6a334830de34",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_python_deps/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb09ffab7e455855046b8e8ef753c031bcd11a625c879517fa98335d23b15af8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_paramiko",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_paramiko/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_paramiko/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de44ce1698e34585a22bf410aab08da4b9a73bbb524079d33b85556e2a07ca0f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_paramiko/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_paramiko/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "21ba22eb784d536b947fe4fbb008a211d03c25c77d19707a2e167b53205d0f6b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30c9a901a66ae3e50209cdfb917ad088f448bf10bc8ed38ae87aa519e7ae3e9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_tag/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8018c0789c936629d8013ad018ddc7746af8c7d59b70e159ccd1d8931d4350e3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b1032161f5970f6032f78283549e8987c8b8962feab6a35ab7131f14bc22ad65",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58f77094d90397f9219c42f973c386ad471d6a9e17c590260458ea0de4aa7ce0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/EtcHostsDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9d474c11ff7766ee58b74e50ecd80fba99b9ca1bab0b661c8f39c91dee23aed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/Dockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d300419d4d1e626ddbd093c53831948c6ebb6d48a973ba4a0d9fa34cdf7462e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/MyDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d9039d8165a7c7170c5f1466438e9c27d6380abb329609d7601d34325709858",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/StagedDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5882640f5183ed9b01fe7f06e144cd375bd402a1f2014392347c5e0bfce2222",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/SecretsDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d65014cfb0da5082a68731d539360be8b0e522df6da3d8054dfa216910ba63a6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/templates/ArgsDockerfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3699620b7b078291c3f1d1c97414c9e961b51ce3705fdccb67545e87fe7e75e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_build/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f81d2048e76fce1d77b08705531aea771d45f3bcaae8073474b52eee706903e7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/nothing.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d99d87f0c899b2a5f9e72705de13726d9499905a88ee7d0518d1e0a5ecc5afa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "182eca1cb145240fa5bcb539a717af0c00ce143946004d64392f0d428f453765",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-9.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0661c321f5bee187b744f534c4b29e019a087864da4f652ab529441d0787ccaf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c799c5451b3a64dd1fd3d8b578d17b92a074a78f5cb34104da51f04877109b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d0a64b36cb041b98ed46f1460c163df2c59661281a970766bd4fff647cf8221",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_cli_buildx/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b6cbfff0581c89d9114e38c9c9d6a5f688dbaa924e60b29e8d774eb1203c2ed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ecf2668ce298103f8ea02d73cd442b68bf1abbf67d2357add4f67b4b23d9e5f9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ecf2668ce298103f8ea02d73cd442b68bf1abbf67d2357add4f67b4b23d9e5f9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ecf2668ce298103f8ea02d73cd442b68bf1abbf67d2357add4f67b4b23d9e5f9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/FreeBSD.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3d8a6ea8c9bd7ebb5891a190a4953644a5ab44ee380ac4c7068dfc833ad27fd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab8e80d67956c9fc23670767cfbce1fecaf7f256f76b46b923b236ecf435b1a7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/vars/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3135d01f38467ef83cf1c232efc769b321421d50747f21e9d594ef01da26b14c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e028c3d2ff6d8da229e62787cc9311a7437ef5b1da7d57cf1b58ad2428640b09",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_openssl/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb68a78cb264725dfaa8d3647048f08b136626454fb58e349c909e13b19d4be1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/network.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6626ba0b19f6f496541c19dff31c81bdd5ad962b77186e22a8633c43de9df0e5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/mounts-volumes.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bd0bbff1ce60d1e9c6d769619267b6034de9731095c88d12c6efde1cf5b1b5a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/compatibility.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b315b591b6ceba45124e422a93601be73d14d22c98aafbc2a1dfa3d7791ef65",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/regression-45700-dont-parse-on-absent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d118eba0459fa211d13f519278862f9be1054562a2af1e6f65c17d5e4fd83f5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/healthy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "72ee75851b94cb867b1ffb053dadcfbd8604dd0006c370cc8f79906c727ee32c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b9c12e4050d6e729a2311f870a979e390ff1bbc0153a16531f00e063d68e5f4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/ports.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8bbf0e01b8a487c640f88be4b48715d4ecea183c479f204f7f69bdb03d3a937",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/start-stop.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87d4036ed89f62ec426f83321b23ad6bb58d995ad50190545cb9c8d8c7071610",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/image-ids.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd188d5e9721752c08d7d9766f3eb452866cf59ccf4a8d024916aebf018862ec",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/comparisons.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7f4bedda23020eac2b766f69eb7fcafbf39ebc2cf62d2c08b1de50738d1a4afa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/tests/update.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4d2f94cde2612fcb1e91edfa07d5eb6b8d523e87bcdaa3128b39edd31a02c5bd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c00a6540aa19d63925a61d1948b4ff93c3b1b461c864851d3df554f6f5ad8e7c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/filter_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/filter_plugins/ipaddr_tools.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a445238638f71bb2cc220fa017d527766db57e5c468a113a45f36d83658bbb21",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/files/env-file",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d22d5c5709850e8af4d069878fa79d7d8e54b88518a1655c50826e4b50ad045",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01b45d7b6d896d5b801037e95e7e3225acf01da3732237ceb8ebf75e49adf60d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/tasks/test_node_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1da365ccf7f871d85e9a0a217750d1198abf0f53c57e08aafe8d26fec35f05f5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d3bd0eed6c0ed9d803585acccc851943a4baa12149621afdc29d5d3cefca66c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ca2add1203cb87d27f8a9d1b37ebe4b8ab2837000380b695c048f1844eaa33f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e41aaa2342b2b5be72de13aa38cf171c67d0870323c7431232c09fe6986ba1f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e36cf2889ec786556f155b54a0e713529cb5af1a413aef3601e912b456f92785",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8bde6f41a699649448fd5d3641ec296a8db6d6d9e77009129471d838a129e600",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/tests/registry.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f578d151e07bef30fc0ce4a22fed9ff41f6be05ef878cea186017ac20868aa5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3fe2a9716c9e0d5f76289712ef7a56c65f1101ad33972a291e80c638560348de",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_pull/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81cf82274105ad204fda4830fadf6d81d254d1cce624e5720d15909b06391895",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bda329971f3c8f8699c9abdd940904e5dbdcbebe25654235c7b22e2587396a26",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b4106020a362e34cbc75011bfa013d65acb8224f6fbc931cfc6438b67888627",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_constraints/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60c77e9e9feaec01032830fa3e185152cb4aacbbf0b17279e6a9c3efb40b4835",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/tasks/test_swarm_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6ff9ce6bb7a60872518ebd1cf7e9b2e8cac5b0c23ce106de79813119867398d3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03b1cb3ae203aefded953cf4ea872a9f227f7327860d6865dfffffb8519240ac",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8c82d6dae109c4dbb806e41bea1373d7168c14b933637e328f613cefbee7617",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "488b9b96b7f4e2519b27526d3d61546747c29ae1875893224bc7582a9b31ad02",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/tasks/test_stack.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "99830451d194dc3125002859fb7518fc623f9c9b445c7c2cf4cdd36c4eb08ea9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8658b6ecd2631dd8fd82fb8e84fc8cf78e8f89e9317bc8fb3061b7247d6488ff",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27d1fd9c3d205cb1f018934cc0330a921a7558c44103f3dbcab763ef38621d4e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/templates/stack_compose_base.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c59fdbb88dadc55232c61a24f3a4f8573bb6700e88e68dd483aa4ba40ab320e6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/templates/stack_compose_overrides.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e2d1c762d09c7b79a55a07349eb2388f57194e00866a855f3be289a755bdd34",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ca2add1203cb87d27f8a9d1b37ebe4b8ab2837000380b695c048f1844eaa33f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bb1a1b1f70139c5bee7c8322444d88aaba1ec7c658efb5b82db9ca19bf2c533",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_prune/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/current_container_facts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/current_container_facts/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/current_container_facts/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f8f3a5ae6606ca6afa387d6311d5bb91d4922f9b250c93072c76c365a6129a55",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/current_container_facts/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58354391cc6595ac28ad510056fd4be2a0fcd0c6e90a685520f1198fee05461a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7db963a83e570b56f3f6ec55c9a98c4efaa7738d87b86529d963568e3a59aa48",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "515ee11c2347dabc82e8f82887d5b978fd93ef1f324c0dc208182baca2b638a0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_ssh_connection/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cf8f8cb496520633d5717e30f80d3fbdca0bbcdeeece1af78578b17203d8a86",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/tasks/test_node.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3e3da4dbc12381069f4bb60f98a90678f13dbc7fef26708eb323e559f942df1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c90e3e9982e3bc1f9be247a094c29634d4724f8a3bb8643bef216c9a98b79d8b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_node/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a76f4a620dfae81104aa5ee3c8aedd5b41550acf46aa7485ccc0d0e6a8bbc5a5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks/tests/podman.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "abc3b522e6dd06a92ef2a0c5c3b5c88413ddf27456b159bfc95bc9d7f00c00c1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks/tests/default-context.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "182f4ca3ed0195a0ab26139ba0fcc7611672c4c436071d34b3f4897244c0bcad",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90f54b21ec87155d2e41f62adf0d40771eee239cfdcdc59e46457474c869974e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83adc52ce00e4a10200ce1643ec8d9ffe25470ed0a25749688eeb780d0fceb79",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_context_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01b45d7b6d896d5b801037e95e7e3225acf01da3732237ceb8ebf75e49adf60d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4412987e454cc5e7cca261650c51dc0385b497f8c361e0eb6e6839e2b7ee5c8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e41aaa2342b2b5be72de13aa38cf171c67d0870323c7431232c09fe6986ba1f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "787035d309f4c6ee29984de3cb4aabc2853240746a77d54e71a33e00e21aee71",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/tests/registry.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c34088fa29a5842c47d14b5e94b8622a4b306436cb52efa9960c898186a077e6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3fe2a9716c9e0d5f76289712ef7a56c65f1101ad33972a291e80c638560348de",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_push/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2413af1cb28ce8010cd14cd842dac8102beda2485b8641f02eb9a11e41962d6f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/tests/docker_login.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36a95ff7b73b9f6bce17c85b32fc20270f0509a401d214c1411856dcbbe53263",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/tests/multiple-servers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bb79eee1877f976e569dd4e1b0513d3b9a5b0dcfb0daa00199e62e9852d4259",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3fe2a9716c9e0d5f76289712ef7a56c65f1101ad33972a291e80c638560348de",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_login/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests/overlay.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a71007b803ab29f6545b1ee1567301ef237f7359188f904fb4fbfc6c891cf3a6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "42f812518bb8ab256135a6fe076dc96f9be10952d43fa581565ab6e8dadfa2be",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef8229b646ddbaa2ee7ad20c69213b203af2ce3f24dbffd88ebd74c355d40145",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests/substring.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "216ec76a7011a7a1dfacf535a0759577f71369b9eaba385596d83b791c367504",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/tests/ipam.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2eab27438a0ee64ece3c2c7115188cbe298f716e97cfabe355970848c64aceee",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d252dec3c0bdacdf4475e071be2e462b3b6f1016ad251a558991fe8dda9cfe9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae0071cbdc1f10ad0a69b2bcec3ad0c9026329d5a4a885c48defd2286853051c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "885e9d8c66c4c703a4bc0713cb744b95d62660b5f6ea17ec911e627587784c36",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "71b45f2329e3a7e49a14613c87c4f335d6367190cad288fabe896fb55cb36a26",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/filter_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/filter_plugins/filter_attr.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77eed147f210a8568b431037daebbaf91b07a7a632e942fa5b4ce018d9e07e7c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0d732afa83688b5150e3b820884f8342c9ee4c0d9a56858687e17584d6b4de1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/files/nginx.conf",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "381b6215898f79b477b52759f461ca424f6a9853edc0bc3d29790a2dfd8b8cd5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/generic_connection_tests/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd04e140a0ec55b4be4ee030721f3555f2e9cae4eaef3a23aa68133f939394d1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_volume_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e41aaa2342b2b5be72de13aa38cf171c67d0870323c7431232c09fe6986ba1f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca382dcb955284fc503dedfe6850d59b1cd6c073c4673b8fa45c204775161ea6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1c910549dd871495ae0ef7a0ddfa2c2b836d671346c8993ab0d91008b19e86c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_load/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks/tests/basic_with_alias.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81b73aba03db80f43da62ce930eb9e27e9052bb14b10662482d37c4ed705796e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2da592dfd1132ee5725b25d9e91ec1723d45530205c45d065d9f29235e6f3faf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06406059b204d535ca08661c36d2450a55db44d2875993a6605881bf31ebbe32",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_plugin/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64e19da23fea78d6c8091865eaacf81f92545a3c477b13330b04656125ac898a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fbc5e2468efd3c9de72d5eb1061a59b4c3ac7274c4857be455efcc35e8610d5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_network_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/tasks/test_host_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c3c12d9ee8f64dce79658c62e187a5c35e1d53dafa2fe1db4a48d08988b8a75",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fad17fb84150ecadb5e4e503887c84b4bd33b5562de62bb86db887066424a4f9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83adc52ce00e4a10200ce1643ec8d9ffe25470ed0a25749688eeb780d0fceb79",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_host_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/shutdown.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c85e246c0bb1a679bb330c5b39bd18df208bddaaca5ceea4e970f8a6875c1a21",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b6cbfff0581c89d9114e38c9c9d6a5f688dbaa924e60b29e8d774eb1203c2ed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "741ba03ec789ebab1af885d3576e65ef5151f1c01f85f4c3c9c3771950b2684c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/runme-connection.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b92bc5256864e79bca068cded19c68d00d1014e45dc101ab7225e8fbaab06af",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a675b30cc9c275465c1550acf41af61e67798edaad9edf273d5da2850ff0afd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_docker/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c928df5dd399e34355a47d1b807cb5f7c2bfbf4191be8a17382fc9b5d9493e9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks/tests/file.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0df3aaeb45dc792b29e6a00405494d59ff2eec3bbda249a0a0d2ab66ea9beed8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks/tests/content.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee4838566f4f76ae59db305ed154a31fa5f5ecc35461c20b1143e765b862c558",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56cdd7416597185603ad5bd4c9f41fb7254b4badc92e518646dd6c1174c910e9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1c910549dd871495ae0ef7a0ddfa2c2b836d671346c8993ab0d91008b19e86c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_container_copy_into/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/shutdown.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c85e246c0bb1a679bb330c5b39bd18df208bddaaca5ceea4e970f8a6875c1a21",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b6cbfff0581c89d9114e38c9c9d6a5f688dbaa924e60b29e8d774eb1203c2ed",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "741ba03ec789ebab1af885d3576e65ef5151f1c01f85f4c3c9c3771950b2684c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/runme-connection.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b92bc5256864e79bca068cded19c68d00d1014e45dc101ab7225e8fbaab06af",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c7656f5c6e2ce7d59a76527b1dfe599dbf79325e32f23b1ef7fbd478c418c79",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/connection_nsenter/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "55b316a767179f45e493b48d1ec6bd0c94dbbecb26040692731b5fd8ff201b8a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/tasks/test_docker_config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69805acf8f46998bcdf0282a78f639ef1830c0bf1e9441bf45e9f52b44716d6f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81eafd39295cee70d81772a8f809912a529367aa3a160584cddcd10733b0a966",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48e41681961146fc376abdd7ef550952d84678a300f6310fd18910e2b270ac29",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_config/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "133d67cf2b2857f5a906a6e054498df8d5ddc556a3671cad8216d06d0dbd8e09",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_current_container_network_ip",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_current_container_network_ip/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_current_container_network_ip/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb89329af65f11bc40a96ded2a4053e63637b9620ca0c93293bd7260e537d8a4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_current_container_network_ip/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_current_container_network_ip/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "41bf68c553802d515363d753ddcb1dd210353046bbce15372476067f260176c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "380d6716f8abcfa414e9174dffc3bb2b86aafc97ec7594f473b2ac1a3ffa9974",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/secrets.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53d9480c249ed6d9f3ef5e900f51ae8326f873c190812aaf6a83f46565c10354",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/misc.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bd17abbfaa232e221453a9bac5e752dd3f44d8fa3e461f41db595704944e99f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/logging.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd404843412ccbdf1d6b79ae1c1f193c1988484a946d5bef6cfd601a749f041a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/networks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae3dd98e7b555a465f89ece089e8b79c39378f5bbdf9c196fe9b97416af2333c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/placement.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01636d4bebeef2d53cb78eff7c86db9b60bf38c3ccc0336524e7d1560a8835ca",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/resources.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d804324eedb8c1148ca236a5450687d76924d0d126d810f8e314400183929b9c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9b0a8884e5cacead8fa952841eb816845546fe2ee59fe0def20004f72fa817e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/restart_config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3611579bab1353830554f1e9efe8e92d56d9162bb7c5cd8c9a352b75960a5ac5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/mounts.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f509c2dd6faee2481195fe95c7a8902c0123fac84ab6c96ce5d7a48be4d68eeb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/update_config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a56a138cbdbb60e556095fbc483d82f31e4ff63a9bd796d4e3718e69f4d2058",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/configs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d86efcdbfed2be60b5db0837d90f15b3e37240962f2d0e2796580de9151168a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/tests/rollback_config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b285e17a9b73f6dc0c1e1a6c9b3bd492b0bab086a9a8c55e4b38f5214897dc3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ce018b14fb03a30d4ec357ab3a88a29e8e748af4af3ca8a2f41d7ffa1c8288c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd202950e619805dd026c97d7f544448832e6e453bb905939e6e8f86b40700cf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/files/env-file-1",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d22d5c5709850e8af4d069878fa79d7d8e54b88518a1655c50826e4b50ad045",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/files/env-file-2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4de8bfd3c7ac6214b41503ee6f850d0fc2d3b39da724c7b89948f776f01ae6bf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_swarm_service/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "133d67cf2b2857f5a906a6e054498df8d5ddc556a3671cad8216d06d0dbd8e09",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/tasks/tests/pull.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1a87aafb519c95ea30c8dba4dc450d99924ca6ac600e424a5fa896a92604ede",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "86e0c48a8c2b000f31f7cb174ad4c363ea9415a239e5a44fb20b015f977f0d49",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58974ad0879f97f23deb80f10b5f0edca86e1864798c8abc02390de4ea8437d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_compose_v2_pull/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_epel",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_epel/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_epel/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "86830ced0fa160e74cabed746128014b0006f371426a615ef21f419d158108ba",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks/run-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07765893bcc1d0ba5a0f1c59bff66c987cf471acf5f5cda91f776d71a4405ace",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e41aaa2342b2b5be72de13aa38cf171c67d0870323c7431232c09fe6986ba1f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks/tests/basic.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "244f501598c4edf13229dfd5b4c6385e324093ed125decee2c395ee836fadeb9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c4c4f26c6f622f2e25b0bfd9969b24bc2ff387aefbca8fd92d15e697186b2fa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1c910549dd871495ae0ef7a0ddfa2c2b836d671346c8993ab0d91008b19e86c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_image_export/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c22c090ea76cdd2a6ccd1689e016e014e4b1970a498e6db3123d5c95fb7a352b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "885e9d8c66c4c703a4bc0713cb744b95d62660b5f6ea17ec911e627587784c36",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ba4d719e5639fd509d0b764964ca8ffa83ee8feec5d7442be5a528468e9ec83",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/tasks/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4fe4b221b0453a79bf67da2b6b404e233de9e7d7d7822c99e749f1a4e3fc5e06",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3e8c7781139c12fdee10425beb70f9dadc76868832132cb8cc1b8565a57c7bd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f6d8513b6ccc437a46c16a7da22d1fdf8e1c93f1c7d11afa2916ababc1b25cd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/files/nginx.htpasswd",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78a467484164809e507e71864bf48871ea79946ab426ce11334c1ab138ca07df",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/files/nginx.conf",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "235e9368742b2df29f384151996978b3dc53b656b446ce7bae814b46515af48b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9261aed0af24389371a0ac5c0b56cd61997059af5220a337b12a98abe1943cb4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/handlers/cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47ba11fb0f35bc1307f2b00c49a45a5565a5ec85456749172dcd86d8eed5f5b1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_registry/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ddc1c0c2f4721912c605ee7484aa5600601301a2b453e9832481cbda25a8f8d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "488b9b96b7f4e2519b27526d3d61546747c29ae1875893224bc7582a9b31ad02",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/tasks/test_stack_task_info.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bf9ca6a78c22ae4406ac34e0ed1cdbaf0722bff4d406782b0356f86a0e393a1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7429ec5a4a333158833749e3f194e27980d3610ca0dc4dcdf81aade026839020",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27d1fd9c3d205cb1f018934cc0330a921a7558c44103f3dbcab763ef38621d4e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/templates/stack_compose_base.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c59fdbb88dadc55232c61a24f3a4f8573bb6700e88e68dd483aa4ba40ab320e6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/templates/stack_compose_overrides.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e2d1c762d09c7b79a55a07349eb2388f57194e00866a855f3be289a755bdd34",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/docker_stack_task_info/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ca2add1203cb87d27f8a9d1b37ebe4b8ab2837000380b695c048f1844eaa33f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/vars/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f20697da978c8ed625b345961999507bdc44548fc6f322804cce12c8106148a0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63a1b79555c097c3c1d8b0bdb2b84b86b91873c6d3d55b7534067c8fea6d41fb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/vars/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "047f7e71a9d692af77f7b4450878eda6306af058e2ab8f83a8ff005cfa0f6db6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/vars/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f20697da978c8ed625b345961999507bdc44548fc6f322804cce12c8106148a0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79188f337a0d18cc51f1e252d3490ee88e3e3b04160fd5816078ddcc90297a9b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8eb0b2d6ae8ba75408d500d36c1bc26325d79d3277f29a35bf6e7a7dc73cbac8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-7.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "373418ffd431b38a08efa272ff4026ad4f29ac22e8f87df30f2d74567244f55b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a537e0614166d61fdd4e036a2fbc9110a1e97f4f87ce857e44d97f1b011be26",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3cc929984017e2d0de1c96f0458a717127fa1d195ba765f2a364e855034fa81",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88240e7b2aa6bf60e6dd377538f9c09aa57b2195f806c3c1160b9e59143d4228",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4aa4dc9eb3c09418beba6c580521695bcd0e524d2e744bf5ca49ade64f2edf6e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-9.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "373418ffd431b38a08efa272ff4026ad4f29ac22e8f87df30f2d74567244f55b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "373418ffd431b38a08efa272ff4026ad4f29ac22e8f87df30f2d74567244f55b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "373418ffd431b38a08efa272ff4026ad4f29ac22e8f87df30f2d74567244f55b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69b0dfe601712e8d096b3ed99d5252713a3dac7cfc230ea79b6a7dd04775b16e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73fc081e424b642eeab13b34ec6594726fa079ea946df22fdf7e0cc75fece2d3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_docker_compose_v2/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88ac959ec39f15f69e1541912e2a55c74ad2e6410b94b5c6f3d37e1c872af130",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/requirements.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d750aee0bace61eb94577dee79cca7e9a091a3c1984783e4577ea96cd2836f3f",
+   "format": 1
+  },
+  {
+   "name": "tests/utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/utils/constraints.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6063dc4a3103eb072dadbdbc85bfd11c1bc63e80d6bb5d7099959f61dde2bea8",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/alpine.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61da2ccb813543421b0825deb8e8d49bf65a37ea85c3162420eae77a112769ee",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/fedora.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61da2ccb813543421b0825deb8e8d49bf65a37ea85c3162420eae77a112769ee",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/linux.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6106e3dcd2fe7d44808006e86a099aa80cc9f5f8fab542aa3f71b0d5360ce60f",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/ubuntu.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61da2ccb813543421b0825deb8e8d49bf65a37ea85c3162420eae77a112769ee",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/linux-community.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d95ac94ed1d989699325457ae79b08705f68275779df1bf6333db0adecc4aa56",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/sanity.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f5a62e7956e0bac511e0937c87eb6f5e71c645e0c1715e866102c175eb501e1b",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/shippable.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2480081a6c22823a4bae64144fd15141ffb00fd5b3693d56147c33adb92fdd7f",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/units.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1658b58109191789380e35d69fbfcb993c2cbf359c633ea1ecbe22aed8bf5056",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/remote.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61da2ccb813543421b0825deb8e8d49bf65a37ea85c3162420eae77a112769ee",
+   "format": 1
+  },
+  {
+   "name": "tests/utils/shippable/rhel.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61da2ccb813543421b0825deb8e8d49bf65a37ea85c3162420eae77a112769ee",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.17.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.20.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.21.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a90a9eace6ff58a65fc5c438f3a51b3c1fdae6dcc510537a42b8f2a7713a9988",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.18.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.20.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a90a9eace6ff58a65fc5c438f3a51b3c1fdae6dcc510537a42b8f2a7713a9988",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.18.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0231235413efaaf126216eb07042d6156e5351694733a5c4abe471adb2b93ad9",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.19.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a90a9eace6ff58a65fc5c438f3a51b3c1fdae6dcc510537a42b8f2a7713a9988",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.17.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9cc651f6c98cc58810385e4f4c8ad2ffbbba328598f2c60b56d1d51597ef7c87",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.21.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.19.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "498d46cf08b5abb09880088fa8fd142315f7f775e94cdc7d41364ed20fc2cd65",
+   "format": 1
+  },
+  {
+   "name": "meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "meta/execution-environment.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f42b4946cc8e628812ba87c2d36dbd5ed7af316d5c68bba8fd7d72808254f967",
+   "format": 1
+  },
+  {
+   "name": "meta/ee-bindep.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02de562c6658595ae581a5896e447a309c0b6a648ced86815ee3b271c52f0850",
+   "format": 1
+  },
+  {
+   "name": "meta/runtime.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d476b5ec9b85ae5e40234c4f052106f0611749a0f6208de7ddd2fb561625259d",
+   "format": 1
+  },
+  {
+   "name": "meta/ee-requirements.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d078015d25bf12defe85d0ca788cd997ce9fd8f71c08c96ab27c472346df378d",
+   "format": 1
+  },
+  {
+   "name": ".yamllint-docs",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4ff8aace264eb4b3c2acb26002f4075fb5341e152490ade5db2defc992cf2a6",
+   "format": 1
+  },
+  {
+   "name": "docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/links.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cbe17c8a547993bb349648930d6973d8bd53da6385e8e0ecc7c201c8a078441c",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/extra-docs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "abe1ed63f09f1504b11896c80b70b688bb42cd92074a56a893bcdccaeaa9569b",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/rst",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/rst/scenario_guide.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c4eb2c79fca759e3c751255e0da3c0f0ed93714b80d3eaabde4ec73d68c6b89",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2e717709f55bbeb87f08b2fe9722c91150c87f94a3245935becc186c5c8def4",
+   "format": 1
+  },
+  {
+   "name": "changelogs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "changelogs/changelog.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "changelogs/fragments",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "changelogs/fragments/.keep",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "changelogs/config.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9207a4074b199aca60fa78d0c88130d7c515aa284b7e1ea4d3f5df7b800a8c14",
+   "format": 1
+  },
+  {
+   "name": "changelogs/changelog.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7953587dcfe2ffb63298c62df2ba8b73741587e48b2bdb6d3f4006628743809e",
+   "format": 1
+  },
+  {
+   "name": "README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b8fbf7dbb054aac6b210a9553733532f1f17fdb90459e91f4143382c42249afd",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.rst.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "COPYING",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986",
+   "format": 1
+  },
+  {
+   "name": ".ansible-lint",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "827f4b189bf4c71512afb0301b38a3903674e1dd73378a8bc051b9d6bcac0e4b",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.md.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "ruff.toml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7dbb74111a6750ebb09945d0b272d371bd78f63a4429852b90e3c3afe5b9f775",
+   "format": 1
+  },
+  {
+   "name": ".github",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/docker-images.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd0e3e95c51e2952520dfcf64ca8151810f6e6c19b6e150749e784c00a2dfedf",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/docs-pr.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f0e72b7dcc8c137c9f6bc104129ea913afa763df268c3922196e07f0eeaca893",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/nox.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef18eeb8efa45becbd19902cc6231035fa4888869961773652a783cd35c99913",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/docs-push.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b46c9a89e3a1d6804dc2a9d7c3638995e8b57178af696b61d7da9d31588a7a0",
+   "format": 1
+  },
+  {
+   "name": ".github/patchback.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6a23e48e2562604318540e6ddcac75213ad2c367258d76fc75914e9b939d380e",
+   "format": 1
+  },
+  {
+   "name": ".github/dependabot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "673731e08adb20eb69f8b1a19a3ecb6b1989ac7d8f8e9a5b477aaeb480dffa1f",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52cafbcc2e6d9e2e218f82e2f49cf2eae68292ca0ca0d11b4a38744d7c67cdac",
+   "format": 1
+  },
+  {
+   "name": ".yamllint-examples",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0318dedf44e374936934d8f16887df85ac793a0ddd9c0b410972574c700249cb",
+   "format": 1
+  },
+  {
+   "name": "noxfile.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1560f20872d571b9ab34932cbe9dc153c379a97d93f2bc72a599318b0ae26d3d",
+   "format": 1
+  }
+ ],
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/community/docker/LICENSES/Apache-2.0.txt b/ansible_collections/community/docker/LICENSES/Apache-2.0.txt
new file mode 100644
index 00000000..6276c238
--- /dev/null
+++ b/ansible_collections/community/docker/LICENSES/Apache-2.0.txt
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/ansible_collections/community/docker/LICENSES/GPL-3.0-or-later.txt b/ansible_collections/community/docker/LICENSES/GPL-3.0-or-later.txt
new file mode 120000
index 00000000..012065c8
--- /dev/null
+++ b/ansible_collections/community/docker/LICENSES/GPL-3.0-or-later.txt
@@ -0,0 +1 @@
+../COPYING
\ No newline at end of file
diff --git a/ansible_collections/community/docker/MANIFEST.json b/ansible_collections/community/docker/MANIFEST.json
new file mode 100644
index 00000000..ec5dea57
--- /dev/null
+++ b/ansible_collections/community/docker/MANIFEST.json
@@ -0,0 +1,35 @@
+{
+ "collection_info": {
+  "namespace": "community",
+  "name": "docker",
+  "version": "5.0.5",
+  "authors": [
+   "Ansible Docker Working Group"
+  ],
+  "readme": "README.md",
+  "tags": [
+   "docker"
+  ],
+  "description": "Modules and plugins for working with Docker",
+  "license": [
+   "GPL-3.0-or-later",
+   "Apache-2.0"
+  ],
+  "license_file": null,
+  "dependencies": {
+   "community.library_inventory_filtering_v1": ">=1.0.0"
+  },
+  "repository": "https://github.com/ansible-collections/community.docker",
+  "documentation": "https://docs.ansible.com/ansible/latest/collections/community/docker/",
+  "homepage": "https://github.com/ansible-collections/community.docker",
+  "issues": "https://github.com/ansible-collections/community.docker/issues"
+ },
+ "file_manifest_file": {
+  "name": "FILES.json",
+  "ftype": "file",
+  "chksum_type": "sha256",
+  "chksum_sha256": "1aa5979880106388e42eb161e2d88931ab8a128b982afd506536bed31a71c176",
+  "format": 1
+ },
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/community/docker/README.md b/ansible_collections/community/docker/README.md
new file mode 100644
index 00000000..a4d35f24
--- /dev/null
+++ b/ansible_collections/community/docker/README.md
@@ -0,0 +1,164 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+# Docker Community Collection
+
+[![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/docker/)
+[![Build Status](https://dev.azure.com/ansible/community.docker/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.docker/_build?definitionId=25)
+[![Nox CI](https://github.com/ansible-collections/community.docker/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.docker/actions)
+[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.docker)](https://codecov.io/gh/ansible-collections/community.docker)
+[![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.docker)](https://api.reuse.software/info/github.com/ansible-collections/community.docker)
+
+This repo contains the `community.docker` Ansible Collection. The collection includes many modules and plugins to work with Docker.
+
+Please note that this collection does **not** support Windows targets. The connection plugins included in this collection support Windows targets on a best-effort basis, but we are not testing this in CI.
+
+## Code of Conduct
+
+We follow [Ansible Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html) in all our interactions within this project.
+
+If you encounter abusive behavior violating the [Ansible Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html), please refer to the [policy violations](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html#policy-violations) section of the Code of Conduct for information on how to raise a complaint.
+
+## Communication
+
+* Join the Ansible forum:
+  * [Get Help](https://forum.ansible.com/c/help/6): get help or help others. Please add appropriate tags if you start new discussions, for example the `docker`, `docker-compose`, or `docker-swarm` tags.
+  * [Posts tagged with 'docker'](https://forum.ansible.com/tag/docker): subscribe to participate in Docker related conversations.
+  * [Posts tagged with 'docker-compose'](https://forum.ansible.com/tag/docker-compose): subscribe to participate in Docker Compose related conversations.
+  * [Posts tagged with 'docker-swarm'](https://forum.ansible.com/tag/docker-swarm): subscribe to participate in Docker Swarm related conversations.
+  * [Social Spaces](https://forum.ansible.com/c/chat/4): gather and interact with fellow enthusiasts.
+  * [News & Announcements](https://forum.ansible.com/c/news/5): track project-wide announcements including social events.
+
+* The Ansible [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn): used to announce releases and important changes.
+
+For more information about communication, see the [Ansible communication guide](https://docs.ansible.com/ansible/devel/community/communication.html).
+
+## Tested with Ansible
+
+Tested with the current ansible-core 2.17, ansible-core 2.18, and ansible-core 2.19 releases, and the current development version of ansible-core. Ansible/ansible-base versions before 2.17.0 are not supported.
+
+## External requirements
+
+Some modules and plugins require Docker CLI, or other external, programs. Some require the [Docker SDK for Python](https://pypi.org/project/docker/) and some use [requests](https://pypi.org/project/requests/) to directly communicate with the Docker daemon API. All modules and plugins require Python 2.7 or later. Python 2.6 is no longer supported; use community.docker 2.x.y if you need to use Python 2.6.
+
+Installing the Docker SDK for Python also installs the requirements for the modules and plugins that use `requests`. If you want to directly install the Python libraries instead of the SDK, you need the following ones:
+
+- [requests](https://pypi.org/project/requests/);
+- [pywin32](https://pypi.org/project/pywin32/) when using named pipes on Windows with the Windows 32 API;
+- [paramiko](https://pypi.org/project/paramiko/) when using SSH to connect to the Docker daemon with `use_ssh_client=false`;
+- [pyOpenSSL](https://pypi.org/project/pyOpenSSL/) when using TLS to connect to the Docker daemon;
+- [backports.ssl_match_hostname](https://pypi.org/project/backports.ssl_match_hostname/) when using TLS to connect to the Docker daemon on Python 2.
+
+If you have Docker SDK for Python < 2.0.0 installed ([docker-py](https://pypi.org/project/docker-py/)), you can still use it for modules that support it, though we recommend to uninstall it and then install [docker](https://pypi.org/project/docker/), the Docker SDK for Python >= 2.0.0. Note that both libraries cannot be installed at the same time. If you accidentally did install them simultaneously, you have to uninstall *both* before re-installing one of them.
+
+## Collection Documentation
+
+Browsing the [**latest** collection documentation](https://docs.ansible.com/ansible/latest/collections/community/docker) will show docs for the _latest version released in the Ansible package_, not the latest version of the collection released on Galaxy.
+
+Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/docker) shows docs for the _latest version released on Galaxy_.
+
+We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.docker/branch/main/) which shows docs for the _latest commit in the `main` branch_.
+
+If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
+
+## Included content
+
+* Connection plugins:
+  - community.docker.docker: use Docker containers as remotes using the Docker CLI program
+  - community.docker.docker_api: use Docker containers as remotes using the Docker API
+  - community.docker.nsenter: execute commands on the host running the controller container
+* Inventory plugins:
+  - community.docker.docker_containers: dynamic inventory plugin for Docker containers
+  - community.docker.docker_machine: collect Docker machines as inventory
+  - community.docker.docker_swarm: collect Docker Swarm nodes as inventory
+* Modules:
+  * Docker:
+    - community.docker.docker_container: manage Docker containers
+    - community.docker.docker_container_copy_into: copy a file into a Docker container
+    - community.docker.docker_container_exec: run commands in Docker containers
+    - community.docker.docker_container_info: retrieve information on Docker containers
+    - community.docker.docker_host_info: retrieve information on the Docker daemon
+    - community.docker.docker_image: manage Docker images
+    - community.docker.docker_image_build: build Docker images using Docker buildx
+    - community.docker.docker_image_export: export (archive) Docker images
+    - community.docker.docker_image_info: retrieve information on Docker images
+    - community.docker.docker_image_load: load Docker images from archives
+    - community.docker.docker_image_pull: pull Docker images from registries
+    - community.docker.docker_image_push: push Docker images to registries
+    - community.docker.docker_image_remove: remove Docker images
+    - community.docker.docker_image_tag: tag Docker images with new names and/or tags
+    - community.docker.docker_login: log in and out to/from registries
+    - community.docker.docker_network: manage Docker networks
+    - community.docker.docker_network_info: retrieve information on Docker networks
+    - community.docker.docker_plugin: manage Docker plugins
+    - community.docker.docker_prune: prune Docker containers, images, networks, volumes, and build data
+    - community.docker.docker_volume: manage Docker volumes
+    - community.docker.docker_volume_info: retrieve information on Docker volumes
+  * Docker Compose:
+    - community.docker.docker_compose_v2: manage Docker Compose files (Docker compose CLI plugin)
+    - community.docker.docker_compose_v2_exec: run command in a container of a Compose service
+    - community.docker.docker_compose_v2_pull: pull a Docker compose project
+    - community.docker.docker_compose_v2_run: run command in a new container of a Compose service
+  * Docker Swarm:
+    - community.docker.docker_config: manage configurations
+    - community.docker.docker_node: manage Docker Swarm nodes
+    - community.docker.docker_node_info: retrieve information on Docker Swarm nodes
+    - community.docker.docker_secret: manage secrets
+    - community.docker.docker_swarm: manage Docker Swarm
+    - community.docker.docker_swarm_info: retrieve information on Docker Swarm
+    - community.docker.docker_swarm_service: manage Docker Swarm services
+    - community.docker.docker_swarm_service_info: retrieve information on Docker Swarm services
+  * Docker Stack:
+    - community.docker.docker_stack: manage Docker Stacks
+    - community.docker.docker_stack_info: retrieve information on Docker Stacks
+    - community.docker.docker_stack_task_info: retrieve information on tasks in Docker Stacks
+  * Other:
+    - current_container_facts: return facts about whether the module runs in a Docker container
+
+## Using this collection
+
+Before using the Docker community collection, you need to install the collection with the `ansible-galaxy` CLI:
+
+    ansible-galaxy collection install community.docker
+
+You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml` using the format:
+
+```yaml
+collections:
+- name: community.docker
+```
+
+See [Ansible Using collections](https://docs.ansible.com/ansible/latest/user_guide/collections_using.html) for more details.
+
+## Contributing to this collection
+
+If you want to develop new content for this collection or improve what is already here, the easiest way to work on the collection is to clone it into one of the configured [`COLLECTIONS_PATH`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths), and work on it there.
+
+You can find more information in the [developer guide for collections](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#contributing-to-collections), and in the [Ansible Community Guide](https://docs.ansible.com/ansible/latest/community/index.html).
+
+## Release notes
+
+See the [changelog](https://github.com/ansible-collections/community.docker/tree/main/CHANGELOG.md).
+
+## More information
+
+- [Ansible Collection overview](https://github.com/ansible-collections/overview)
+- [Ansible User guide](https://docs.ansible.com/ansible/latest/user_guide/index.html)
+- [Ansible Developer guide](https://docs.ansible.com/ansible/latest/dev_guide/index.html)
+- [Ansible Collections Checklist](https://github.com/ansible-collections/overview/blob/master/collection_requirements.rst)
+- [Ansible Community code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
+- [The Bullhorn (the Ansible Contributor newsletter)](https://us19.campaign-archive.com/home/?u=56d874e027110e35dea0e03c1&id=d6635f5420)
+- [Changes impacting Contributors](https://github.com/ansible-collections/overview/issues/45)
+
+## Licensing
+
+This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
+
+See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.docker/blob/main/COPYING) for the full text.
+
+Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.docker/blob/main/LICENSES/Apache-2.0.txt). This mostly applies to files vendored from the [Docker SDK for Python](https://github.com/docker/docker-py/).
+
+All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).
diff --git a/ansible_collections/community/docker/REUSE.toml b/ansible_collections/community/docker/REUSE.toml
new file mode 100644
index 00000000..ff95bb82
--- /dev/null
+++ b/ansible_collections/community/docker/REUSE.toml
@@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version = 1
+
+[[annotations]]
+path = "changelogs/fragments/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "Ansible Project"
+SPDX-License-Identifier = "GPL-3.0-or-later"
diff --git a/ansible_collections/community/docker/antsibull-nox.toml b/ansible_collections/community/docker/antsibull-nox.toml
new file mode 100644
index 00000000..82d3845e
--- /dev/null
+++ b/ansible_collections/community/docker/antsibull-nox.toml
@@ -0,0 +1,266 @@
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+[collection_sources]
+"ansible.posix" = "git+https://github.com/ansible-collections/ansible.posix.git,main"
+"community.general" = "git+https://github.com/ansible-collections/community.general.git,main"
+"community.internal_test_tools" = "git+https://github.com/ansible-collections/community.internal_test_tools.git,main"
+"community.library_inventory_filtering_v1" = "git+https://github.com/ansible-collections/community.library_inventory_filtering.git,stable-1"
+
+[vcs]
+vcs = "git"
+development_branch = "main"
+stable_branches = [ "stable-*" ]
+
+[sessions]
+
+[sessions.lint]
+run_isort = false
+run_black = true
+run_ruff_autofix = true
+ruff_autofix_config = "ruff.toml"
+ruff_autofix_select = [
+    "I",
+    "RUF022",
+]
+run_ruff_check = true
+ruff_check_config = "ruff.toml"
+run_flake8 = true
+flake8_config = ".flake8"
+run_pylint = true
+pylint_rcfile = ".pylintrc"
+run_yamllint = true
+yamllint_config = ".yamllint"
+yamllint_config_plugins = ".yamllint-docs"
+yamllint_config_plugins_examples = ".yamllint-examples"
+run_mypy = true
+mypy_ansible_core_package = "ansible-core>=2.19.0"
+mypy_config = ".mypy.ini"
+mypy_extra_deps = [
+    "docker",
+    "paramiko",
+    "urllib3",
+    "requests",
+    "types-mock",
+    "types-paramiko",
+    "types-pywin32",
+    "types-PyYAML",
+    "types-requests",
+]
+
+[sessions.docs_check]
+validate_collection_refs="all"
+codeblocks_restrict_types = [
+    "ansible-output",
+    "console",
+    "yaml",
+    "yaml+jinja",
+]
+codeblocks_restrict_type_exact_case = true
+codeblocks_allow_without_type = false
+codeblocks_allow_literal_blocks = false
+
+[sessions.license_check]
+
+[sessions.extra_checks]
+run_no_unwanted_files = true
+no_unwanted_files_module_extensions = [".py"]
+no_unwanted_files_yaml_extensions = [".yml"]
+run_action_groups = true
+run_no_trailing_whitespace = true
+run_avoid_characters = true
+
+[[sessions.extra_checks.action_groups_config]]
+name = "docker"
+pattern = "^.*$"
+exclusions = [
+    "current_container_facts",
+    "docker_context_info",
+]
+doc_fragment = "community.docker._attributes.actiongroup_docker"
+
+[[sessions.extra_checks.avoid_character_group]]
+name = "tab"
+regex = "\\x09"
+skip_directories = [
+    "tests/images/",
+]
+
+[sessions.build_import_check]
+run_galaxy_importer = true
+
+[sessions.ansible_test_sanity]
+include_devel = true
+
+[sessions.ansible_test_units]
+include_devel = true
+
+[sessions.ansible_test_integration]
+session_name_template = "ansible-test-integration-{ansible_core}{dash_docker_short}{dash_remote}{dash_python_version}{dash_target_dashized}"
+display_name_template = "main+Ⓐ{ansible_core}{plus_docker_short}{plus_remote}{plus_py_python_version}{plus_target}{plus_force_docker_sdk_for_python_dev}{plus_force_docker_sdk_for_python_pypi}"
+description_template = "Run main integration tests with ansible-core {ansible_core}{comma_docker_short}{comma_remote}{comma_py_python_version}{comma_target}{comma_force_docker_sdk_for_python_dev}{comma_force_docker_sdk_for_python_pypi}"
+
+[sessions.ansible_test_integration.ansible_vars]
+force_docker_sdk_for_python_dev = { type = "value", value = false, template_value = "" }
+force_docker_sdk_for_python_pypi = { type = "value", value = false, template_value = "" }
+
+##################################################################################################
+
+# Ansible-core 2.17:
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-2.17"
+description = "Meta session for running all ansible-test-integration-2.17-* sessions."
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.17"
+target = [ "azp/4/", "azp/5/" ]
+docker = [ "fedora39", "ubuntu2004", "alpine319" ]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.17"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [ "rhel/9.3" ]
+
+# Ansible-core 2.18:
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-2.18"
+description = "Meta session for running all ansible-test-integration-2.18-* sessions."
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.18"
+target = [ "azp/4/", "azp/5/" ]
+docker = [ "fedora40", "ubuntu2204", "alpine320" ]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.18"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [ "rhel/9.4" ]
+
+# Ansible-core 2.19:
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-2.19"
+description = "Meta session for running all ansible-test-integration-2.19-* sessions."
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+target = [ "azp/4/", "azp/5/" ]
+docker = [ "fedora41", "alpine321" ]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [ "rhel/9.5", "ubuntu/22.04" ]
+
+# Ansible-core 2.20:
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-2.20"
+description = "Meta session for running all ansible-test-integration-2.20-* sessions."
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.20"
+target = [ "azp/4/", "azp/5/" ]
+docker = [ "fedora42", "alpine322" ]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.20"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [ "rhel/9.6" ]
+
+# Ansible-core devel:
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-devel"
+description = "Meta session for running all ansible-test-integration-devel-* sessions."
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/4/", "azp/5/" ]
+docker = [ "fedora42", "ubuntu2204", "ubuntu2404", "alpine322" ]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/4/", "azp/5/" ]
+python_version = "3.9"
+docker = "quay.io/ansible-community/test-image:debian-bullseye"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/4/", "azp/5/" ]
+python_version = "3.11"
+docker = "quay.io/ansible-community/test-image:debian-bookworm"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/4/", "azp/5/" ]
+python_version = "3.13"
+docker = "quay.io/ansible-community/test-image:debian-13-trixie"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/4/", "azp/5/" ]
+python_version = "3.13"
+docker = "quay.io/ansible-community/test-image:archlinux"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [ "rhel/9.6" ]
+ansible_vars = { force_docker_sdk_for_python_dev = { type = "value", value = true, template_value = "sdk-dev-latest" } }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+target = [ "azp/1/", "azp/2/", "azp/3/", "azp/4/", "azp/5/" ]
+remote = [
+    "rhel/10.0",
+    # For some reason, Ubuntu 24.04 is *extremely* slower than RHEL 9.6
+    # "ubuntu/24.04",
+]
+
+##################################################################################################
+
+[sessions.ansible_lint]
+
+[[sessions.ee_check.execution_environments]]
+name = "devel-ubi-9"
+description = "ansible-core devel @ RHEL UBI 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "docker.io/redhat/ubi9:latest"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/devel.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.12 python3.12-pip python3.12-wheel python3.12-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.12"
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
+runtime_container_options = [
+    # Mount Docker socket into the container so we can talk to Docker outside the container
+    "-v",
+    "/var/run/docker.sock:/var/run/docker.sock",
+    # Need to be root so we can access /var/run/docker.sock, which usually isn't accessible by the user,
+    # but only by the group the user is in (but that group membership isn't there in the container)
+    "--user",
+    "0",
+]
+
+[[sessions.ee_check.execution_environments]]
+name = "2.17-rocky-9"
+description = "ansible-core 2.17 @ Rocky Linux 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "quay.io/rockylinux/rockylinux:9"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.17.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.11 python3.11-pip python3.11-wheel python3.11-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.11"
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
+runtime_container_options = [
+    # Mount Docker socket into the container so we can talk to Docker outside the container
+    "-v",
+    "/var/run/docker.sock:/var/run/docker.sock",
+    # Need to be root so we can access /var/run/docker.sock, which usually isn't accessible by the user,
+    # but only by the group the user is in (but that group membership isn't there in the container)
+    "--user",
+    "0",
+]
diff --git a/ansible_collections/community/docker/changelogs/changelog.yaml b/ansible_collections/community/docker/changelogs/changelog.yaml
new file mode 100644
index 00000000..ac4f7f28
--- /dev/null
+++ b/ansible_collections/community/docker/changelogs/changelog.yaml
@@ -0,0 +1,2359 @@
+---
+ancestor: null
+releases:
+  0.1.0:
+    changes:
+      bugfixes:
+        - docker_login - fix internal config file storage to handle credentials for
+          more than one registry (https://github.com/ansible-collections/community.general/issues/1117).
+      minor_changes:
+        - docker_container - now supports the ``device_requests`` option, which allows
+          to request additional resources such as GPUs (https://github.com/ansible/ansible/issues/65748,
+          https://github.com/ansible-collections/community.general/pull/1119).
+      release_summary: 'The ``community.docker`` continues the work on the Ansible
+        docker modules and plugins from their state in ``community.general`` 1.2.0.
+        The changes listed here are thus relative to the modules and plugins ``community.general.docker*``.
+
+
+        All deprecation removals planned for ``community.general`` 2.0.0 have been
+        applied. All deprecation removals scheduled for ``community.general`` 3.0.0
+        have been re-scheduled for ``community.docker`` 2.0.0.
+
+        '
+      removed_features:
+        - docker_container - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_container - the default of ``networks_cli_compatible`` changed to
+          ``true`` (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_container - the unused option ``trust_image_content`` has been removed
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - ``state=build`` has been removed. Use ``present`` instead
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - the ``container_limits``, ``dockerfile``, ``http_timeout``,
+          ``nocache``, ``rm``, ``path``, ``buildargs``, ``pull`` have been removed.
+          Use the corresponding suboptions of ``build`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - the ``force`` option has been removed. Use the more specific
+          ``force_*`` options instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - the ``source`` option is now mandatory (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - the ``use_tls`` option has been removed. Use ``tls`` and
+          ``validate_certs`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image - the default of the ``build.pull`` option changed to ``false``
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_image_facts - this alias is on longer available, use ``docker_image_info``
+          instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_network - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_network - the ``ipam_options`` option has been removed. Use ``ipam_config``
+          instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_service - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm - ``state=inspect`` has been removed. Use ``docker_swarm_info``
+          instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``constraints`` option has been removed. Use
+          ``placement.constraints`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``limit_cpu`` and ``limit_memory`` options has
+          been removed. Use the corresponding suboptions in ``limits`` instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``log_driver`` and ``log_driver_options`` options
+          has been removed. Use the corresponding suboptions in ``logging`` instead
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``reserve_cpu`` and ``reserve_memory`` options
+          has been removed. Use the corresponding suboptions in ``reservations`` instead
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``restart_policy``, ``restart_policy_attempts``,
+          ``restart_policy_delay`` and ``restart_policy_window`` options has been
+          removed. Use the corresponding suboptions in ``restart_config`` instead
+          (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_swarm_service - the ``update_delay``, ``update_parallelism``, ``update_failure_action``,
+          ``update_monitor``, ``update_max_failure_ratio`` and ``update_order`` options
+          has been removed. Use the corresponding suboptions in ``update_config``
+          instead (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_volume - no longer returns ``ansible_facts`` (https://github.com/ansible-collections/community.docker/pull/1).
+        - docker_volume - the ``force`` option has been removed. Use ``recreate``
+          instead (https://github.com/ansible-collections/community.docker/pull/1).
+    fragments:
+      - 0.1.0.yml
+      - c.g-1118-docker_login-config-store.yml
+      - c.g-1119-docker_container-device-reqests.yml
+      - c.g-2.0.0-deprecations.yml
+    release_date: '2020-10-30'
+  1.0.0:
+    changes:
+      minor_changes:
+        - Add collection-side support of the ``docker`` action group / module defaults
+          group (https://github.com/ansible-collections/community.docker/pull/17).
+        - docker_image - return docker build output (https://github.com/ansible-collections/community.general/pull/805).
+        - docker_secret - add a warning when the secret does not have an ``ansible_key``
+          label but the ``force`` parameter is not set (https://github.com/ansible-collections/community.docker/issues/30,
+          https://github.com/ansible-collections/community.docker/pull/31).
+      release_summary: 'This is the first production (non-prerelease) release of ``community.docker``.
+
+        '
+    fragments:
+      - 1.0.0.yml
+      - 17-action-group.yml
+      - 31-docker-secret.yml
+      - community.general-805-docker_image-build-output.yml
+    release_date: '2020-11-17'
+  1.0.1:
+    changes:
+      bugfixes:
+        - docker_container - the validation for ``capabilities`` in ``device_requests``
+          was incorrect (https://github.com/ansible-collections/community.docker/issues/42,
+          https://github.com/ansible-collections/community.docker/pull/43).
+      release_summary: Maintenance release with a bugfix for ``docker_container``.
+    fragments:
+      - 1.0.1.yml
+      - 43-docker_container-device_requests.yml
+    release_date: '2020-12-11'
+  1.1.0:
+    changes:
+      bugfixes:
+        - docker_image - if ``push=true`` is used with ``repository``, and the image
+          does not need to be tagged, still push. This can happen if ``repository``
+          and ``name`` are equal (https://github.com/ansible-collections/community.docker/issues/52,
+          https://github.com/ansible-collections/community.docker/pull/53).
+        - docker_image - report error when loading a broken archive that contains
+          no image (https://github.com/ansible-collections/community.docker/issues/46,
+          https://github.com/ansible-collections/community.docker/pull/55).
+        - docker_image - report error when the loaded archive does not contain the
+          specified image (https://github.com/ansible-collections/community.docker/issues/41,
+          https://github.com/ansible-collections/community.docker/pull/55).
+      deprecated_features:
+        - docker_container - currently ``published_ports`` can contain port mappings
+          next to the special value ``all``, in which case the port mappings are ignored.
+          This behavior is deprecated for community.docker 2.0.0, at which point it
+          will either be forbidden, or this behavior will be properly implemented
+          similar to how the Docker CLI tool handles this (https://github.com/ansible-collections/community.docker/issues/8,
+          https://github.com/ansible-collections/community.docker/pull/60).
+      minor_changes:
+        - docker_container - support specifying ``cgroup_parent`` (https://github.com/ansible-collections/community.docker/issues/6,
+          https://github.com/ansible-collections/community.docker/pull/59).
+        - docker_container - when a container is started with ``detached=false``,
+          ``status`` is now also returned when it is 0 (https://github.com/ansible-collections/community.docker/issues/26,
+          https://github.com/ansible-collections/community.docker/pull/58).
+        - docker_image - support ``platform`` when building images (https://github.com/ansible-collections/community.docker/issues/22,
+          https://github.com/ansible-collections/community.docker/pull/54).
+      release_summary: Feature release with three new plugins and modules.
+    fragments:
+      - 1.1.0.yml
+      - 53-docker_image-tag-push.yml
+      - 54-docker_image-build-platform.yml
+      - 55-docker_image-loading.yml
+      - 58-docker_container-non-detached-status.yml
+      - 59-docker_container-cgroup-parent.yml
+      - 60-docker_container-publish-all.yml
+    modules:
+      - description: Return facts about whether the module runs in a Docker container
+        name: current_container_facts
+        namespace: ''
+    plugins:
+      connection:
+        - description: Run tasks in docker containers
+          name: docker_api
+          namespace: null
+      inventory:
+        - description: Ansible dynamic inventory plugin for Docker containers.
+          name: docker_containers
+          namespace: null
+    release_date: '2021-01-03'
+  1.2.0:
+    changes:
+      bugfixes:
+        - docker_container - allow IPv6 zones (RFC 4007) in bind IPs (https://github.com/ansible-collections/community.docker/pull/66).
+        - docker_image - fix crash on loading images with versions of Docker SDK for
+          Python before 2.5.0 (https://github.com/ansible-collections/community.docker/issues/72,
+          https://github.com/ansible-collections/community.docker/pull/73).
+      minor_changes:
+        - docker_container - added ``default_host_ip`` option which allows to explicitly
+          set the default IP string for published ports without explicitly specified
+          IPs. When using IPv6 binds with Docker 20.10.2 or newer, this needs to be
+          set to an empty string (``""``) (https://github.com/ansible-collections/community.docker/issues/70,
+          https://github.com/ansible-collections/community.docker/pull/71).
+      release_summary: Feature release with one new feature and two bugfixes.
+    fragments:
+      - 1.2.0.yml
+      - 66-ipv6-zones.yml
+      - 71-docker_container-default_host_ip.yml
+      - 73-docker_image-fix-old-docker-py-version.yml
+    release_date: '2021-01-25'
+  1.2.1:
+    changes:
+      bugfixes:
+        - docker connection plugin - fix Docker version parsing, as some docker versions
+          have a leading ``v`` in the output of the command ``docker version --format
+          "{{.Server.Version}}"`` (https://github.com/ansible-collections/community.docker/pull/76).
+      release_summary: Bugfix release.
+    fragments:
+      - 1.2.1.yml
+      - 76-leading-v-support-in-docker-version.yml
+    release_date: '2021-01-28'
+  1.2.2:
+    changes:
+      release_summary: Security bugfix release to address CVE-2021-20191.
+      security_fixes:
+        - docker_swarm - enabled ``no_log`` for the option ``signing_ca_key`` to prevent
+          accidental disclosure (CVE-2021-20191, https://github.com/ansible-collections/community.docker/pull/80).
+    fragments:
+      - 1.2.2.yml
+      - CVE-2021-20191_no_log.yml
+    release_date: '2021-02-05'
+  1.3.0:
+    changes:
+      bugfixes:
+        - docker_container - fix healthcheck disabling idempotency issue with strict
+          comparison (https://github.com/ansible-collections/community.docker/issues/85).
+        - docker_image - prevent module failure when removing image that is removed
+          between inspection and removal (https://github.com/ansible-collections/community.docker/pull/87).
+        - docker_image - prevent module failure when removing non-existent image by
+          ID (https://github.com/ansible-collections/community.docker/pull/87).
+        - docker_image_info - prevent module failure when image vanishes between listing
+          and inspection (https://github.com/ansible-collections/community.docker/pull/87).
+        - docker_image_info - prevent module failure when querying non-existent image
+          by ID (https://github.com/ansible-collections/community.docker/pull/87).
+      minor_changes:
+        - docker_container - add ``storage_opts`` option to specify storage options
+          (https://github.com/ansible-collections/community.docker/issues/91, https://github.com/ansible-collections/community.docker/pull/93).
+        - docker_image - allows to specify platform to pull for ``source=pull`` with
+          new option ``pull_platform`` (https://github.com/ansible-collections/community.docker/issues/79,
+          https://github.com/ansible-collections/community.docker/pull/89).
+        - docker_image - properly support image IDs (hashes) for loading and tagging
+          images (https://github.com/ansible-collections/community.docker/issues/86,
+          https://github.com/ansible-collections/community.docker/pull/87).
+        - docker_swarm_service - adding support for maximum number of tasks per node
+          (``replicas_max_per_node``) when running swarm service in replicated mode.
+          Introduced in API 1.40 (https://github.com/ansible-collections/community.docker/issues/7,
+          https://github.com/ansible-collections/community.docker/pull/92).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+      - 1.3.0.yml
+      - 87-docker_image-load-image-ids.yml
+      - 88-docker_container-healthcheck.yml
+      - 89-docker_image-pull-platform.yml
+      - 92-replicas-max-per-node.yml
+      - 93-docker_container-storage_opts.yml
+    modules:
+      - description: Load docker image(s) from archives
+        name: docker_image_load
+        namespace: ''
+      - description: Manage Docker plugins
+        name: docker_plugin
+        namespace: ''
+    release_date: '2021-03-08'
+  1.4.0:
+    changes:
+      breaking_changes:
+        - docker_swarm - if ``join_token`` is specified, a returned join token with
+          the same value will be replaced by ``VALUE_SPECIFIED_IN_NO_LOG_PARAMETER``.
+          Make sure that you do not blindly use the join tokens from the return value
+          of this module when the module is invoked with ``join_token`` specified!
+          This breaking change appears in a minor release since it is necessary to
+          fix a security issue (https://github.com/ansible-collections/community.docker/pull/103).
+      bugfixes:
+        - '``docker_swarm_service`` - fix KeyError on caused by reference to deprecated
+          option ``update_failure_action`` (https://github.com/ansible-collections/community.docker/pull/100).'
+        - docker_swarm_service - mark ``secrets`` module option with ``no_log=False``
+          since it does not leak secrets (https://github.com/ansible-collections/community.general/pull/2001).
+      minor_changes:
+        - docker_swarm_service - change ``publish.published_port`` option from mandatory
+          to optional. Docker will assign random high port if not specified (https://github.com/ansible-collections/community.docker/issues/99).
+      release_summary: Security release to address another potential secret leak.
+        Also includes regular bugfixes and features.
+      security_fixes:
+        - docker_swarm - the ``join_token`` option is now marked as ``no_log`` so
+          it is no longer written into logs (https://github.com/ansible-collections/community.docker/pull/103).
+    fragments:
+      - 1.4.0.yml
+      - 100-fix-update_failture_action-keyerror-in-docker_swarm_service.yaml
+      - 101-make-service-published-port-optional.yaml
+      - 102-no_log-false.yml
+      - 103-docker_swarm-join_token.yml
+    release_date: '2021-03-14'
+  1.5.0:
+    changes:
+      bugfixes:
+        - all modules - use ``to_native`` to convert exceptions to strings (https://github.com/ansible-collections/community.docker/pull/121).
+      minor_changes:
+        - Add the ``use_ssh_client`` option to most docker modules and plugins (https://github.com/ansible-collections/community.docker/issues/108,
+          https://github.com/ansible-collections/community.docker/pull/114).
+      release_summary: Regular feature release.
+    fragments:
+      - 1.5.0.yml
+      - 114-use_ssh_client.yml
+      - 121-exception-handling.yml
+    modules:
+      - description: Execute command in a docker container
+        name: docker_container_exec
+        namespace: ''
+    release_date: '2021-04-11'
+  1.6.0:
+    changes:
+      bugfixes:
+        - 'docker-compose - fix not pulling when ``state: present`` and ``stopped:
+          true`` (https://github.com/ansible-collections/community.docker/issues/12,
+          https://github.com/ansible-collections/community.docker/pull/119).'
+        - docker_plugin - also configure plugin after installing (https://github.com/ansible-collections/community.docker/issues/118,
+          https://github.com/ansible-collections/community.docker/pull/135).
+        - docker_swarm_services - avoid crash during idempotence check if ``published_port``
+          is not specified (https://github.com/ansible-collections/community.docker/issues/107,
+          https://github.com/ansible-collections/community.docker/pull/136).
+      deprecated_features:
+        - docker_* modules and plugins, except ``docker_swarm`` connection plugin
+          and ``docker_compose`` and ``docker_stack*` modules - the current default
+          ``localhost`` for ``tls_hostname`` is deprecated. In community.docker 2.0.0
+          it will be computed from ``docker_host`` instead (https://github.com/ansible-collections/community.docker/pull/134).
+      minor_changes:
+        - common module utils - correct error messages for guiding to install proper
+          Docker SDK for Python module (https://github.com/ansible-collections/community.docker/pull/125).
+        - 'docker_container - allow ``memory_swap: -1`` to set memory swap limit to
+          unlimited. This is useful when the user cannot set memory swap limits due
+          to cgroup limitations or other reasons, as by default Docker will try to
+          set swap usage to two times the value of ``memory`` (https://github.com/ansible-collections/community.docker/pull/138).'
+      release_summary: Regular bugfix and feature release.
+    fragments:
+      - 1.6.0.yml
+      - 12-correct_pull_wo_starting.yaml
+      - 125-correct-error-message-for-docker-sdk-version.yaml
+      - 134-tls_hostname.yml
+      - 135-docker_plugin-config.yml
+      - 136-docker_swarm_service-fix-idempotence-bug.yml
+      - 138-docker_container-allow-memory-swap-unlimited.yml
+    release_date: '2021-05-11'
+  1.6.1:
+    changes:
+      bugfixes:
+        - docker_* modules and plugins, except ``docker_swarm`` connection plugin
+          and ``docker_compose`` and ``docker_stack*` modules - only emit ``tls_hostname``
+          deprecation message if TLS is actually used (https://github.com/ansible-collections/community.docker/pull/143).
+      release_summary: Bugfix release to reduce deprecation warning spam.
+    fragments:
+      - 1.6.1.yml
+      - 143-tls_hostname-deprecation.yml
+    release_date: '2021-05-17'
+  1.7.0:
+    changes:
+      minor_changes:
+        - docker_image - allow to tag images by ID (https://github.com/ansible-collections/community.docker/pull/149).
+      release_summary: Small feature and bugfix release.
+    fragments:
+      - 1.7.0.yml
+      - 149-docker_image-tagging.yml
+    release_date: '2021-06-08'
+  1.8.0:
+    changes:
+      bugfixes:
+        - 'docker_compose - fix idempotence bug when using ``stopped: true`` (https://github.com/ansible-collections/community.docker/issues/142,
+          https://github.com/ansible-collections/community.docker/pull/159).'
+      minor_changes:
+        - Avoid internal ansible-core module_utils in favor of equivalent public API
+          available since at least Ansible 2.9 (https://github.com/ansible-collections/community.docker/pull/164).
+        - docker_compose - added ``profiles`` option to specify service profiles when
+          starting services (https://github.com/ansible-collections/community.docker/pull/167).
+        - docker_containers inventory plugin - when ``connection_type=docker-api``,
+          now pass Docker daemon connection options from inventory plugin to connection
+          plugin. This can be disabled by setting ``configure_docker_daemon=false``
+          (https://github.com/ansible-collections/community.docker/pull/157).
+        - docker_host_info - allow values for keys in ``containers_filters``, ``images_filters``,
+          ``networks_filters``, and ``volumes_filters`` to be passed as YAML lists
+          (https://github.com/ansible-collections/community.docker/pull/160).
+        - docker_plugin - added ``alias`` option to specify local names for docker
+          plugins (https://github.com/ansible-collections/community.docker/pull/161).
+      release_summary: Regular bugfix and feature release.
+    fragments:
+      - 1.8.0.yml
+      - 157-inventory-connection-options.yml
+      - 159-docker_compose-idempotence-fix.yml
+      - 160-docker_host_info-label-fitler-lists.yml
+      - 161-docker_plugin-alias-option.yml
+      - 167-docker_compose-profiles-option.yml
+      - ansible-core-_text.yml
+    release_date: '2021-06-28'
+  1.9.0:
+    changes:
+      bugfixes:
+        - docker_compose - fixes task failures when bringing up services while using
+          ``docker-compose <1.17.0`` (https://github.com/ansible-collections/community.docker/issues/180).
+        - docker_container - make sure to also return ``container`` on ``detached=false``
+          when status code is non-zero (https://github.com/ansible-collections/community.docker/pull/178).
+        - docker_stack_info - make sure that module isn't skipped in check mode (https://github.com/ansible-collections/community.docker/pull/183).
+        - docker_stack_task_info - make sure that module isn't skipped in check mode
+          (https://github.com/ansible-collections/community.docker/pull/183).
+      deprecated_features:
+        - docker_container - the new ``command_handling``'s default value, ``compatibility``,
+          is deprecated and will change to ``correct`` in community.docker 3.0.0.
+          A deprecation warning is emitted by the module in cases where the behavior
+          will change. Please note that ansible-core will output a deprecation warning
+          only once, so if it is shown for an earlier task, there could be more tasks
+          with this warning where it is not shown (https://github.com/ansible-collections/community.docker/pull/186).
+      minor_changes:
+        - docker_* modules - include ``ImportError`` traceback when reporting that
+          Docker SDK for Python could not be found (https://github.com/ansible-collections/community.docker/pull/188).
+        - docker_compose - added ``env_file`` option for specifying custom environment
+          files (https://github.com/ansible-collections/community.docker/pull/174).
+        - docker_container - added ``publish_all_ports`` option to publish all exposed
+          ports to random ports except those explicitly bound with ``published_ports``
+          (this was already added in community.docker 1.8.0) (https://github.com/ansible-collections/community.docker/pull/162).
+        - docker_container - added new ``command_handling`` option with current deprecated
+          default value ``compatibility`` which allows to control how the module handles
+          shell quoting when interpreting lists, and how the module handles empty
+          lists/strings. The default will switch to ``correct`` in community.docker
+          3.0.0 (https://github.com/ansible-collections/community.docker/pull/186).
+        - docker_container - lifted restriction preventing the creation of anonymous
+          volumes with the ``mounts`` option (https://github.com/ansible-collections/community.docker/pull/181).
+      release_summary: New bugfixes and features release.
+    fragments:
+      - 1.9.0.yml
+      - 162-docker_container_publish_all_option.yml
+      - 174-docker_compose-env_file.yml
+      - 178-docker_container-container.yml
+      - 181-docker_container-allow-anonymous-volume-mounts.yml
+      - 182-docker_compose-fix-start-keyword-failures.yml
+      - 183-info-check_mode.yml
+      - 186-docker_container-command-entrypoint.yml
+      - 188-improve-import-errors.yml
+    plugins:
+      connection:
+        - description: execute on host running controller container
+          name: nsenter
+          namespace: null
+    release_date: '2021-08-03'
+  1.9.1:
+    changes:
+      bugfixes:
+        - docker_compose - fixed incorrect ``changed`` status for services with ``profiles``
+          defined, but none enabled (https://github.com/ansible-collections/community.docker/pull/192).
+      release_summary: Regular bugfix release.
+    fragments:
+      - 1.9.1.yml
+      - 192-docker_compose-profiles-idempotency-fix.yml
+    release_date: '2021-08-29'
+  1.10.0:
+    changes:
+      minor_changes:
+        - Add the modules docker_container_exec, docker_image_load and docker_plugin
+          to the ``docker`` module defaults group (https://github.com/ansible-collections/community.docker/pull/209).
+        - docker_config - add option ``data_src`` to read configuration data from
+          target (https://github.com/ansible-collections/community.docker/issues/64,
+          https://github.com/ansible-collections/community.docker/pull/203).
+        - docker_secret - add option ``data_src`` to read secret data from target
+          (https://github.com/ansible-collections/community.docker/issues/64, https://github.com/ansible-collections/community.docker/pull/203).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+      - 1.10.0.yml
+      - 203-docker_secret-config-data_src.yml
+      - 209-action-group.yml
+    release_date: '2021-10-05'
+  2.0.0:
+    changes:
+      breaking_changes:
+        - docker_compose - fixed ``timeout`` defaulting behavior so that ``stop_grace_period``,
+          if defined in the compose file, will be used if ``timeout`` is not specified
+          (https://github.com/ansible-collections/community.docker/pull/163).
+      deprecated_features:
+        - docker_container - using the special value ``all`` in ``published_ports``
+          has been deprecated. Use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/210).
+      release_summary: New major release with some deprecations removed and a breaking
+        change in the ``docker_compose`` module regarding the ``timeout`` parameter.
+      removed_features:
+        - docker_container - the default value of ``container_default_behavior`` changed
+          to ``no_defaults`` (https://github.com/ansible-collections/community.docker/pull/210).
+        - docker_container - the default value of ``network_mode`` is now the name
+          of the first network specified in ``networks`` if such are specified and
+          ``networks_cli_compatible=true`` (https://github.com/ansible-collections/community.docker/pull/210).
+        - docker_container - the special value ``all`` can no longer be used in ``published_ports``
+          next to other values. Please use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/210).
+        - docker_login - removed the ``email`` option (https://github.com/ansible-collections/community.docker/pull/210).
+    fragments:
+      - 163-docker_compose-timeout-fix.yml
+      - 2.0.0.yml
+      - 210-deprecations.yml
+    release_date: '2021-10-21'
+  2.0.1:
+    changes:
+      release_summary: Maintenance release with some documentation fixes.
+    fragments:
+      - 2.0.1.yml
+    release_date: '2021-11-13'
+  2.0.2:
+    changes:
+      bugfixes:
+        - docker_api connection plugin - avoid passing an unnecessary argument to
+          a Docker SDK for Python call that is only supported by version 3.0.0 or
+          later (https://github.com/ansible-collections/community.docker/pull/243).
+        - docker_container_exec - ``chdir`` is only supported since Docker SDK for
+          Python 3.0.0. Make sure that this option can only use when 3.0.0 or later
+          is installed, and prevent passing this parameter on when ``chdir`` is not
+          provided to this module (https://github.com/ansible-collections/community.docker/pull/243,
+          https://github.com/ansible-collections/community.docker/issues/242).
+        - nsenter connection plugin - ensure the ``nsenter_pid`` option is retrieved
+          in ``_connect`` instead of ``__init__`` to prevent a crash due to bad initialization
+          order (https://github.com/ansible-collections/community.docker/pull/249).
+        - nsenter connection plugin - replace the use of ``--all-namespaces`` with
+          specific namespaces to support compatibility with Busybox nsenter (used
+          on, for example, Alpine containers) (https://github.com/ansible-collections/community.docker/pull/249).
+      release_summary: Bugfix release.
+    fragments:
+      - 2.0.2.yml
+      - 243-docker_container_exec-chdir.yml
+      - 249-nsenter-fixes.yml
+    release_date: '2021-12-09'
+  2.1.0:
+    changes:
+      bugfixes:
+        - Various modules and plugins - use vendored version of ``distutils.version``
+          included in ansible-core 2.12 if available. This avoids breakage when ``distutils``
+          is removed from the standard library of Python 3.12. Note that ansible-core
+          2.11, ansible-base 2.10 and Ansible 2.9 are right now not compatible with
+          Python 3.12, hence this fix does not target these ansible-core/-base/2.9
+          versions (https://github.com/ansible-collections/community.docker/pull/258).
+        - docker connection plugin - replace deprecated ``distutils.spawn.find_executable``
+          with Ansible's ``get_bin_path`` to find the ``docker`` executable (https://github.com/ansible-collections/community.docker/pull/257).
+        - docker_container_exec - disallow using the ``chdir`` option for Docker API
+          before 1.35 (https://github.com/ansible-collections/community.docker/pull/253).
+      minor_changes:
+        - docker_container_exec - add ``detach`` parameter (https://github.com/ansible-collections/community.docker/issues/250,
+          https://github.com/ansible-collections/community.docker/pull/255).
+        - docker_container_exec - add ``env`` option (https://github.com/ansible-collections/community.docker/issues/248,
+          https://github.com/ansible-collections/community.docker/pull/254).
+      release_summary: Feature and bugfix release.
+    fragments:
+      - 2.1.0.yml
+      - 253-chdir-min-version.yml
+      - 254-docker_container_exec-env.yml
+      - 255-docker_container_exec-detach.yml
+      - 257-remove-distutils-spawn.yml
+      - 258-distutils.version.yml
+    release_date: '2022-01-04'
+  2.1.1:
+    changes:
+      bugfixes:
+        - Fix unintended breaking change caused by `an earlier fix <https://github.com/ansible-collections/community.docker/pull/258>`_
+          by vendoring the deprecated Python standard library ``distutils.version``
+          until this collection stops supporting Ansible 2.9 and ansible-base 2.10
+          (https://github.com/ansible-collections/community.docker/issues/267, https://github.com/ansible-collections/community.docker/pull/269).
+      release_summary: Emergency release to amend breaking change in previous release.
+    fragments:
+      - 2.1.1.yml
+      - 269-distutils-version-fix.yml
+    release_date: '2022-01-05'
+  2.2.0:
+    changes:
+      bugfixes:
+        - docker_container, docker_image - adjust image finding code to peculiarities
+          of ``podman-docker``'s API emulation when Docker short names like ``redis``
+          are used (https://github.com/ansible-collections/community.docker/issues/292).
+      minor_changes:
+        - docker_config - add support for rolling update, set ``rolling_versions``
+          to ``true`` to enable (https://github.com/ansible-collections/community.docker/pull/295,
+          https://github.com/ansible-collections/community.docker/issues/109).
+        - docker_secret - add support for rolling update, set ``rolling_versions``
+          to ``true`` to enable (https://github.com/ansible-collections/community.docker/pull/293,
+          https://github.com/ansible-collections/community.docker/issues/21).
+        - docker_swarm_service - add support for setting capabilities with the ``cap_add``
+          and ``cap_drop`` parameters. Usage is the same as with the ``capabilities``
+          and ``cap_drop`` parameters for ``docker_container`` (https://github.com/ansible-collections/community.docker/pull/294).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+      - 2.2.0.yml
+      - 270-rolling-secrets.yml
+      - 271-swarm-service-capabilities.yml
+      - 272-rolling-configs.yml
+      - 292-docker-podman-compatibility.yml
+    release_date: '2022-02-21'
+  2.2.1:
+    changes:
+      bugfixes:
+        - docker_compose - fix Python 3 type error when extracting warnings or errors
+          from docker-compose's output (https://github.com/ansible-collections/community.docker/pull/305).
+      release_summary: Regular bugfix release.
+    fragments:
+      - 2.2.1.yml
+      - 305-docker_compose-errors-warnings.yml
+    release_date: '2022-03-14'
+  2.3.0:
+    changes:
+      bugfixes:
+        - docker connection plugin - fix option handling to be compatible with ansible-core
+          2.13 (https://github.com/ansible-collections/community.docker/pull/297,
+          https://github.com/ansible-collections/community.docker/issues/307).
+        - docker_api connection plugin - fix option handling to be compatible with
+          ansible-core 2.13 (https://github.com/ansible-collections/community.docker/pull/308).
+      minor_changes:
+        - docker connection plugin - implement connection reset by clearing internal
+          container user cache (https://github.com/ansible-collections/community.docker/pull/312).
+        - docker connection plugin - simplify ``actual_user`` handling code (https://github.com/ansible-collections/community.docker/pull/311).
+        - docker connection plugin - the plugin supports new ways to define the timeout.
+          These are the ``ANSIBLE_DOCKER_TIMEOUT`` environment variable, the ``timeout``
+          setting in the ``docker_connection`` section of ``ansible.cfg``, and the
+          ``ansible_docker_timeout`` variable (https://github.com/ansible-collections/community.docker/pull/297).
+        - docker_api connection plugin - implement connection reset by clearing internal
+          container user/group ID cache (https://github.com/ansible-collections/community.docker/pull/312).
+        - docker_api connection plugin - the plugin supports new ways to define the
+          timeout. These are the ``ANSIBLE_DOCKER_TIMEOUT`` environment variable,
+          the ``timeout`` setting in the ``docker_connection`` section of ``ansible.cfg``,
+          and the ``ansible_docker_timeout`` variable (https://github.com/ansible-collections/community.docker/pull/308).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+      - 2.3.0.yml
+      - 297-docker-connection-config.yml
+      - 308-docker_api-connection-config.yml
+      - 311-docker-actual_user.yml
+      - 312-docker-connection-reset.yml
+    release_date: '2022-03-28'
+  2.4.0:
+    changes:
+      bugfixes:
+        - docker connection plugin - make sure that ``docker_extra_args`` is used
+          for querying the Docker version. Also ensures that the Docker version is
+          only queried when needed. This is currently the case if a remote user is
+          specified (https://github.com/ansible-collections/community.docker/issues/325,
+          https://github.com/ansible-collections/community.docker/pull/327).
+      minor_changes:
+        - Prepare collection for inclusion in an Execution Environment by declaring
+          its dependencies. The ``docker_stack*`` modules are not supported (https://github.com/ansible-collections/community.docker/pull/336).
+        - current_container_facts - add detection for GitHub Actions (https://github.com/ansible-collections/community.docker/pull/336).
+        - docker_container - support returning Docker container log output when using
+          Docker's ``local`` logging driver, an optimized local logging driver introduced
+          in Docker 18.09 (https://github.com/ansible-collections/community.docker/pull/337).
+      release_summary: Regular feature and bugfix release.
+    fragments:
+      - 2.4.0.yml
+      - 327-connection-fix.yml
+      - 336-ee.yml
+      - 337-container-output-from-local-logging-driver.yml
+    release_date: '2022-04-25'
+  2.5.0:
+    changes:
+      minor_changes:
+        - docker_config - add support for ``template_driver`` with one option ``golang``
+          (https://github.com/ansible-collections/community.docker/issues/332, https://github.com/ansible-collections/community.docker/pull/345).
+        - docker_swarm - adds ``data_path_addr`` parameter during swarm initialization
+          or when joining (https://github.com/ansible-collections/community.docker/issues/339).
+      release_summary: Regular feature release.
+    fragments:
+      - 2.5.0.yml
+      - 344-adds-data-path-addr.yml
+      - 345-docker_config-template-driver.yml
+    release_date: '2022-05-14'
+  2.5.1:
+    changes:
+      bugfixes:
+        - Include ``PSF-license.txt`` file for ``plugins/module_utils/_version.py``.
+      release_summary: Maintenance release.
+    fragments:
+      - 2.5.1.yml
+      - psf-license.yml
+    release_date: '2022-05-16'
+  2.6.0:
+    changes:
+      bugfixes:
+        - docker_container - fail with a meaningful message instead of crashing if
+          a port is specified with more than three colon-separated parts (https://github.com/ansible-collections/community.docker/pull/367,
+          https://github.com/ansible-collections/community.docker/issues/365).
+        - docker_container - remove unused code that will cause problems with Python
+          3.13 (https://github.com/ansible-collections/community.docker/pull/354).
+      deprecated_features:
+        - Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be
+          removed in the next major release (community.docker 3.0.0). Some modules
+          might still work with these versions afterwards, but we will no longer keep
+          compatibility code that was needed to support them (https://github.com/ansible-collections/community.docker/pull/361).
+        - The dependency on docker-compose for Execution Environments is deprecated
+          and will be removed in community.docker 3.0.0. The `Python docker-compose
+          library <https://pypi.org/project/docker-compose/>`__ is unmaintained and
+          can cause dependency issues. You can manually still install it in an Execution
+          Environment when needed (https://github.com/ansible-collections/community.docker/pull/373).
+        - Various modules - the default of ``tls_hostname`` that was supposed to be
+          removed in community.docker 2.0.0 will now be removed in version 3.0.0 (https://github.com/ansible-collections/community.docker/pull/362).
+        - docker_stack - the return values ``out`` and ``err`` that were supposed
+          to be removed in community.docker 2.0.0 will now be removed in version 3.0.0
+          (https://github.com/ansible-collections/community.docker/pull/362).
+      minor_changes:
+        - docker_container - added ``image_label_mismatch`` parameter (https://github.com/ansible-collections/community.docker/issues/314,
+          https://github.com/ansible-collections/community.docker/pull/370).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 2.6.0.yml
+      - 354-remove-dead-code.yml
+      - 362-deprecations.yml
+      - 367-docker_container-ports-validation.yml
+      - 370-add-image-label-mismatch.yml
+      - 373-deprecate-docker-compose-dependency.yml
+      - deprecate-ansible-2.9-2.10.yml
+    release_date: '2022-05-24'
+  2.7.0:
+    changes:
+      bugfixes:
+        - Docker SDK for Python based modules and plugins - if the API version is
+          specified as an option, use that one to validate API version requirements
+          of module/plugin options instead of the latest API version supported by
+          the Docker daemon. This also avoids one unnecessary API call per module/plugin
+          (https://github.com/ansible-collections/community.docker/pull/389).
+      deprecated_features:
+        - Support for Docker API version 1.20 to 1.24 has been deprecated and will
+          be removed in community.docker 3.0.0. The first Docker version supporting
+          API version 1.25 was Docker 1.13, released in January 2017. This affects
+          the modules ``docker_container``, ``docker_container_exec``, ``docker_container_info``,
+          ``docker_compose``, ``docker_login``, ``docker_image``, ``docker_image_info``,
+          ``docker_image_load``, ``docker_host_info``, ``docker_network``, ``docker_network_info``,
+          ``docker_node_info``, ``docker_swarm_info``, ``docker_swarm_service``, ``docker_swarm_service_info``,
+          ``docker_volume_info``, and ``docker_volume``, whose minimally supported
+          API version is between 1.20 and 1.24 (https://github.com/ansible-collections/community.docker/pull/396).
+        - Support for Python 2.6 is deprecated and will be removed in the next major
+          release (community.docker 3.0.0). Some modules might still work with Python
+          2.6, but we will no longer try to ensure compatibility (https://github.com/ansible-collections/community.docker/pull/388).
+      minor_changes:
+        - Move common utility functions from the ``common`` module_util to a new module_util
+          called ``util``. This should not have any user-visible effect (https://github.com/ansible-collections/community.docker/pull/390).
+      release_summary: Bugfix and deprecation release. The next 2.x.y releases will
+        only be bugfix releases, the next expect minor/major release will be 3.0.0
+        with some major changes.
+    fragments:
+      - 2.7.0.yml
+      - 389-api-version.yml
+      - 390-util.yml
+      - 397-deprecate-docker-api-1.24.yml
+      - python-2.6.yml
+    release_date: '2022-07-02'
+  3.0.0-a1:
+    changes:
+      breaking_changes:
+        - This collection does not work with ansible-core 2.11 on Python 3.12+. Please
+          either upgrade to ansible-core 2.12+, or use Python 3.11 or earlier (https://github.com/ansible-collections/community.docker/pull/271).
+      major_changes:
+        - The collection now contains vendored code from the Docker SDK for Python
+          to talk to the Docker daemon. Modules and plugins using this code no longer
+          need the Docker SDK for Python installed on the machine the module or plugin
+          is running on (https://github.com/ansible-collections/community.docker/pull/398).
+        - docker_api connection plugin - no longer uses the Docker SDK for Python.
+          It requires ``requests`` to be installed, and depending on the features
+          used has some more requirements. If the Docker SDK for Python is installed,
+          these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/414).
+        - docker_container_exec - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/401).
+        - docker_container_info - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/402).
+        - docker_containers inventory plugin - no longer uses the Docker SDK for Python.
+          It requires ``requests`` to be installed, and depending on the features
+          used has some more requirements. If the Docker SDK for Python is installed,
+          these requirements are likely met (https://github.com/ansible-collections/community.docker/pull/413).
+        - docker_host_info - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/403).
+        - docker_image - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/404).
+        - docker_image_info - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/405).
+        - docker_image_load - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/406).
+        - docker_login - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/407).
+        - docker_network - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/408).
+        - docker_network_info - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/409).
+        - docker_prune - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/410).
+        - docker_volume - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/411).
+        - docker_volume_info - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/412).
+      minor_changes:
+        - Remove vendored copy of ``distutils.version`` in favor of vendored copy
+          included with ansible-core 2.12+. For ansible-core 2.11, uses ``distutils.version``
+          for Python < 3.12. There is no support for ansible-core 2.11 with Python
+          3.12+ (https://github.com/ansible-collections/community.docker/pull/271).
+        - socker_handler and socket_helper module utils - improve Python forward compatibility,
+          create helper functions for file blocking/unblocking (https://github.com/ansible-collections/community.docker/pull/415).
+      release_summary: First alpha prerelease of community.docker 3.0.0. This version
+        has several breaking changes and features rewrites of several modules to directly
+        use the API using ``requests``, instead of using the Docker SDK for Python.
+      removed_features:
+        - Execution Environments built with community.docker no longer include docker-compose
+          < 2.0.0. If you need to use it with the ``docker_compose`` module, please
+          install that requirement manually (https://github.com/ansible-collections/community.docker/pull/400).
+        - Support for Ansible 2.9 and ansible-base 2.10 has been removed. If you need
+          support for Ansible 2.9 or ansible-base 2.10, please use community.docker
+          2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+        - Support for Docker API versions 1.20 to 1.24 has been removed. If you need
+          support for these API versions, please use community.docker 2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+        - Support for Python 2.6 has been removed. If you need support for Python
+          2.6, please use community.docker 2.x.y (https://github.com/ansible-collections/community.docker/pull/400).
+        - Various modules - the default of ``tls_hostname`` (``localhost``) has been
+          removed. If you want to continue using ``localhost``, you need to specify
+          it explicitly (https://github.com/ansible-collections/community.docker/pull/363).
+        - docker_container - the ``all`` value is no longer allowed in ``published_ports``.
+          Use ``publish_all_ports=true`` instead (https://github.com/ansible-collections/community.docker/pull/399).
+        - docker_container - the default of ``command_handling`` was changed from
+          ``compatibility`` to ``correct``. Older versions were warning for every
+          invocation of the module when this would result in a change of behavior
+          (https://github.com/ansible-collections/community.docker/pull/399).
+        - docker_stack - the return values ``out`` and ``err`` have been removed.
+          Use ``stdout`` and ``stderr`` instead (https://github.com/ansible-collections/community.docker/pull/363).
+    fragments:
+      - 271-distutils-vendor-removed.yml
+      - 3.0.0-a1.yml
+      - 363-deprecations.yml
+      - 398-docker-api.yml
+      - 399-deprecations.yml
+      - 400-deprecations.yml
+      - 401-docker_container_exec-docker-api.yml
+      - 402-docker-api.yml
+      - 403-docker-api.yml
+      - 404-docker-api.yml
+      - 405-docker-api.yml
+      - 406-docker-api.yml
+      - 407-docker-api.yml
+      - 408-docker-api.yml
+      - 409-docker-api.yml
+      - 410-docker-api.yml
+      - 411-docker-api.yml
+      - 412-docker-api.yml
+      - 413-docker-api.yml
+      - 414-docker-api.yml
+      - 415-socket-improvements.yml
+    release_date: '2022-07-07'
+  3.0.0-a2:
+    changes:
+      breaking_changes:
+        - docker_container - ``exposed_ports`` is no longer ignored in ``comparisons``.
+          Before, its value was assumed to be identical with the value of ``published_ports``
+          (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_container - ``log_options`` can no longer be specified when ``log_driver``
+          is not specified (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_container - ``publish_all_ports`` is no longer ignored in ``comparisons``
+          (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_container - ``restart_retries`` can no longer be specified when ``restart_policy``
+          is not specified (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_container - ``stop_timeout`` is no longer ignored for idempotency
+          if told to be not ignored in ``comparisons``. So far it defaulted to ``ignore``
+          there, and setting it to ``strict`` had no effect (https://github.com/ansible-collections/community.docker/pull/422).
+      major_changes:
+        - docker_container - no longer uses the Docker SDK for Python. It requires
+          ``requests`` to be installed, and depending on the features used has some
+          more requirements. If the Docker SDK for Python is installed, these requirements
+          are likely met (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_container - the module was completely rewritten from scratch (https://github.com/ansible-collections/community.docker/pull/422).
+        - docker_plugin - no longer uses the Docker SDK for Python. It requires ``requests``
+          to be installed, and depending on the features used has some more requirements.
+          If the Docker SDK for Python is installed, these requirements are likely
+          met (https://github.com/ansible-collections/community.docker/pull/429).
+      minor_changes:
+        - docker_container - add a new parameter ``image_comparison`` to control the
+          behavior for which image will be used for idempotency checks (https://github.com/ansible-collections/community.docker/issues/421,
+          https://github.com/ansible-collections/community.docker/pull/428).
+        - docker_container - add support for ``cgroupns_mode`` (https://github.com/ansible-collections/community.docker/issues/338,
+          https://github.com/ansible-collections/community.docker/pull/427).
+        - docker_container - allow to specify ``platform`` (https://github.com/ansible-collections/community.docker/issues/123,
+          https://github.com/ansible-collections/community.docker/pull/426).
+      release_summary: 'Second alpha prerelease of community.docker 3.0.0. This version
+        again has several breaking changes
+
+        and features rewrites of several modules to directly use the API using ``requests``,
+        instead of using
+
+        the Docker SDK for Python.
+
+
+        The largest change to the previous 3.0.0-a1 prerelease is that ``docker_container``
+        module has been
+
+        rewritten. It now also no longer needs the Docker SDK for Python, which allowed
+        to implement some new
+
+        features that were not available before (``platform`` and ``cgroupns_mode``
+        parameters).
+
+        '
+    fragments:
+      - 3.0.0-a2.yml
+      - 426-docker_container-platform.yml
+      - 427-docker_container-cgroupns_mode.yml
+      - 428-docker_container-image-ignore.yml
+      - 429-docker_plugin.yml
+      - docker_container.yml
+    release_date: '2022-07-15'
+  3.0.0-a3:
+    changes:
+      minor_changes:
+        - All software licenses are now in the ``LICENSES/`` directory of the collection
+          root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable
+          license for every file that is not automatically generated (https://github.com/ansible-collections/community.docker/pull/430).
+      release_summary: No content changes except some license declaration adjustments.
+        This is mainly a trial run to see whether this is causing unexpected problems.
+    fragments:
+      - 3.0.0-a3.yml
+      - 430-licenses.yml
+    release_date: '2022-07-23'
+  3.0.0-rc1:
+    changes:
+      bugfixes:
+        - modules and plugins communicating directly with the Docker daemon - prevent
+          crash when TLS is used (https://github.com/ansible-collections/community.docker/pull/432).
+      release_summary: First release candidate for community.docker 3.0.0. As long
+        as more bugs are found new release candidates will be released.
+    fragments:
+      - 3.0.0-rc1.yml
+      - 432-tls.yml
+    release_date: '2022-07-26'
+  3.0.0-rc2:
+    changes:
+      breaking_changes:
+        - modules and plugins communicating directly with the Docker daemon - when
+          connecting by SSH and not using ``use_ssh_client=true``, reject unknown
+          host keys instead of accepting them. This is only a breaking change relative
+          to older community.docker 3.0.0 pre-releases or with respect to Docker SDK
+          for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change
+          (https://github.com/ansible-collections/community.docker/pull/434).
+      bugfixes:
+        - docker_image - when composing the build context, trim trailing whitespace
+          from ``.dockerignore`` entries. This is only a change relative to older
+          community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python
+          < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+        - modules and plugins communicating directly with the Docker daemon - do not
+          create a subshell for SSH connections when using ``use_ssh_client=true``.
+          This is only a change relative to older community.docker 3.0.0 pre-releases
+          or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python
+          6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+        - modules and plugins communicating directly with the Docker daemon - fix
+          ``ProxyCommand`` handling for SSH connections when not using ``use_ssh_client=true``.
+          This is only a change relative to older community.docker 3.0.0 pre-releases
+          or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python
+          6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+        - modules and plugins communicating directly with the Docker daemon - fix
+          parsing of IPv6 addresses with a port in ``docker_host``. This is only a
+          change relative to older community.docker 3.0.0 pre-releases or with respect
+          to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also
+          include this change (https://github.com/ansible-collections/community.docker/pull/434).
+      minor_changes:
+        - modules and plugins communicating directly with the Docker daemon - improve
+          default TLS version selection for Python 3.6 and newer. This is only a change
+          relative to older community.docker 3.0.0 pre-releases or with respect to
+          Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include
+          this change (https://github.com/ansible-collections/community.docker/pull/434).
+      release_summary: Second release candidate for community.docker 3.0.0. As long
+        as more bugs are found new release candidates will be released.
+      security_fixes:
+        - modules and plugins communicating directly with the Docker daemon - when
+          connecting by SSH and not using ``use_ssh_client=true``, reject unknown
+          host keys instead of accepting them. This is only a change relative to older
+          community.docker 3.0.0 pre-releases or with respect to Docker SDK for Python
+          < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434).
+    fragments:
+      - 3.0.0-rc2.yml
+      - docker-py-changes-1.yml
+    release_date: '2022-07-31'
+  3.0.0:
+    changes:
+      bugfixes:
+        - docker_plugin - fix crash when handling plugin options (https://github.com/ansible-collections/community.docker/issues/446,
+          https://github.com/ansible-collections/community.docker/pull/447).
+        - docker_stack - fix broken string formatting when reporting error in case
+          ``compose`` was containing invalid values (https://github.com/ansible-collections/community.docker/pull/448).
+      minor_changes:
+        - modules and plugins communicating directly with the Docker daemon - simplify
+          use of helper function that was removed in Docker SDK for Python to find
+          executables (https://github.com/ansible-collections/community.docker/pull/438).
+      release_summary: The 3.0.0 release features a rewrite of the ``docker_container``
+        module, and many modules and plugins no longer depend on the Docker SDK for
+        Python.
+    fragments:
+      - 3.0.0.yml
+      - 438-docker-py.yml
+      - 447-docker_plugin-bug.yml
+      - 448-docker_stack-error.yml
+    release_date: '2022-08-12'
+  3.0.1:
+    changes:
+      bugfixes:
+        - docker_container - fix handling of ``env_file`` (https://github.com/ansible-collections/community.docker/issues/451,
+          https://github.com/ansible-collections/community.docker/pull/452).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.0.1.yml
+      - 452-docker_container-env_file.yml
+    release_date: '2022-08-15'
+  3.0.2:
+    changes:
+      bugfixes:
+        - docker_image - fix build argument handling (https://github.com/ansible-collections/community.docker/issues/455,
+          https://github.com/ansible-collections/community.docker/pull/456).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.0.2.yml
+      - 456-docker_image-build-args.yml
+    release_date: '2022-08-16'
+  3.1.0:
+    changes:
+      minor_changes:
+        - The collection repository conforms to the `REUSE specification <https://reuse.software/spec/>`__
+          except for the changelog fragments (https://github.com/ansible-collections/community.docker/pull/462).
+        - docker_swarm - allows usage of the ``data_path_port`` parameter when initializing
+          a swarm (https://github.com/ansible-collections/community.docker/issues/296).
+      release_summary: Feature release.
+    fragments:
+      - 3.1.0.yml
+      - 466-add-data-path-port.yml
+      - licenses.yml
+    release_date: '2022-09-08'
+  3.2.0:
+    changes:
+      deprecated_features:
+        - 'docker_container - the ``ignore_image`` option is deprecated and will be
+          removed in community.docker 4.0.0. Use ``image: ignore`` in ``comparisons``
+          instead (https://github.com/ansible-collections/community.docker/pull/487).'
+        - 'docker_container - the ``purge_networks`` option is deprecated and will
+          be removed in community.docker 4.0.0. Use ``networks: strict`` in ``comparisons``
+          instead, and make sure to provide ``networks``, with value ``[]`` if all
+          networks should be removed (https://github.com/ansible-collections/community.docker/pull/487).'
+      minor_changes:
+        - docker_container - added ``image_name_mismatch`` option which allows to
+          control the behavior if the container uses the image specified, but the
+          container's configuration uses a different name for the image than the one
+          provided to the module (https://github.com/ansible-collections/community.docker/issues/485,
+          https://github.com/ansible-collections/community.docker/pull/488).
+      release_summary: Feature and deprecation release.
+    fragments:
+      - 3.2.0.yml
+      - 487-docker_container-deprecate.yml
+      - 488-docker_container-image-name.yml
+    release_date: '2022-11-01'
+  3.2.1:
+    changes:
+      release_summary: Maintenance release with improved documentation.
+    fragments:
+      - 3.2.1.yml
+    release_date: '2022-11-06'
+  3.2.2:
+    changes:
+      bugfixes:
+        - docker_container - the ``kill_signal`` option erroneously did not accept
+          strings anymore since 3.0.0 (https://github.com/ansible-collections/community.docker/issues/505,
+          https://github.com/ansible-collections/community.docker/pull/506).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.2.2.yml
+      - 506-docker_container-kill_signal.yml
+    release_date: '2022-11-28'
+  3.3.0:
+    changes:
+      bugfixes:
+        - docker_container_exec - fix ``chdir`` option which was ignored since community.docker
+          3.0.0 (https://github.com/ansible-collections/community.docker/issues/517,
+          https://github.com/ansible-collections/community.docker/pull/518).
+        - vendored latest Docker SDK for Python bugfix (https://github.com/ansible-collections/community.docker/pull/513,
+          https://github.com/docker/docker-py/issues/3045).
+      minor_changes:
+        - current_container_facts - make work with current Docker version, also support
+          Podman (https://github.com/ansible-collections/community.docker/pull/510).
+        - docker_image - when using ``archive_path``, detect whether changes are necessary
+          based on the image ID (hash). If the existing tar archive matches the source,
+          do nothing. Previously, each task execution re-created the archive (https://github.com/ansible-collections/community.docker/pull/500).
+      release_summary: Feature and bugfix release.
+    fragments:
+      - 3.3.0.yml
+      - 500-idempotent-image-archival.yaml
+      - 510-current_container_facts.yml
+      - 513-api-npipe.yml
+      - 518-docker_container_exec-workdir.yml
+    release_date: '2022-12-03'
+  3.3.1:
+    changes:
+      bugfixes:
+        - current_container_facts - make container detection work better in more cases
+          (https://github.com/ansible-collections/community.docker/pull/522).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.3.1.yml
+      - 522-current-image.yml
+    release_date: '2022-12-06'
+  3.3.2:
+    changes:
+      bugfixes:
+        - docker_container - when ``detach=false``, wait indefinitely and not at most
+          one minute. This was the behavior with Docker SDK for Python, and was accidentally
+          changed in 3.0.0 (https://github.com/ansible-collections/community.docker/issues/526,
+          https://github.com/ansible-collections/community.docker/pull/527).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.3.2.yml
+      - 527-container-wait.yml
+    release_date: '2022-12-09'
+  3.4.0:
+    changes:
+      bugfixes:
+        - docker_api connection plugin - fix error handling when 409 Conflict is returned
+          by the Docker daemon in case of a stopped container (https://github.com/ansible-collections/community.docker/pull/546).
+        - docker_container_exec - fix error handling when 409 Conflict is returned
+          by the Docker daemon in case of a stopped container (https://github.com/ansible-collections/community.docker/pull/546).
+        - docker_plugin - do not crash if plugin is installed in check mode (https://github.com/ansible-collections/community.docker/issues/552,
+          https://github.com/ansible-collections/community.docker/pull/553).
+        - most modules - fix handling of ``DOCKER_TIMEOUT`` environment variable,
+          and improve handling of other fallback environment variables (https://github.com/ansible-collections/community.docker/issues/551,
+          https://github.com/ansible-collections/community.docker/pull/554).
+      minor_changes:
+        - docker_api connection plugin - when copying files to/from a container, stream
+          the file contents instead of first reading them to memory (https://github.com/ansible-collections/community.docker/pull/545).
+        - docker_host_info - allow to list all containers with new option ``containers_all``
+          (https://github.com/ansible-collections/community.docker/issues/535, https://github.com/ansible-collections/community.docker/pull/538).
+      release_summary: Regular bugfix and feature release.
+    fragments:
+      - 3.4.0.yml
+      - 538-docker_host_info-all-containers.yml
+      - 545-docker_api.yml
+      - 546-conflict-error.yml
+      - 553-docker_plugin-check-mode.yml
+      - 554-env-vars.yml
+    modules:
+      - description: Copy a file into a Docker container
+        name: docker_container_copy_into
+        namespace: ''
+    release_date: '2023-01-14'
+  3.4.1:
+    changes:
+      bugfixes:
+        - docker_api connection plugin, docker_container_exec, docker_container_copy_into
+          - properly close socket to Daemon after executing commands in containers
+          (https://github.com/ansible-collections/community.docker/pull/582).
+        - docker_container - fix ``tmfs_size`` and ``tmpfs_mode`` not being set (https://github.com/ansible-collections/community.docker/pull/580).
+        - various plugins and modules - remove unnecessary imports (https://github.com/ansible-collections/community.docker/pull/574).
+      release_summary: Regular bugfix release.
+    fragments:
+      - 3.4.1.yml
+      - 582-stream-close.yml
+      - fix-tmpfs_size-and-tmpfs_mode.yml
+      - remove-unneeded-imports.yml
+    release_date: '2023-02-20'
+  3.4.2:
+    changes:
+      bugfixes:
+        - docker_prune - return correct value for ``changed``. So far the module always
+          claimed that nothing changed (https://github.com/ansible-collections/community.docker/pull/593).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.4.2.yml
+      - 593-docker_prune-changed.yml
+    release_date: '2023-02-25'
+  3.4.3:
+    changes:
+      release_summary: Maintenance release with improved documentation.
+    fragments:
+      - 3.4.3.yml
+    release_date: '2023-03-24'
+  3.4.4:
+    changes:
+      known_issues:
+        - The modules and plugins using the vendored code from Docker SDK for Python
+          currently do not work with requests 2.29.0 and/or urllib3 2.0.0. The same
+          is currently true for the latest version of Docker SDK for Python itself
+          (https://github.com/ansible-collections/community.docker/issues/611, https://github.com/ansible-collections/community.docker/pull/612).
+      minor_changes:
+        - Restrict requests to versions before 2.29.0, and urllib3 to versions before
+          2.0.0. This is necessary until the vendored code from Docker SDK for Python
+          has been fully adjusted to work with a feature of urllib3 that is used since
+          requests 2.29.0 (https://github.com/ansible-collections/community.docker/issues/611,
+          https://github.com/ansible-collections/community.docker/pull/612).
+      release_summary: Maintenance release with updated EE requirements and updated
+        documentation.
+    fragments:
+      - 3.4.4.yml
+      - 612-requests-2.29.0.yml
+    release_date: '2023-05-01'
+  3.4.5:
+    changes:
+      bugfixes:
+        - Make vendored Docker SDK for Python code compatible with requests 2.29.0
+          and urllib3 2.0 (https://github.com/ansible-collections/community.docker/pull/613).
+      release_summary: Maintenance release which adds compatibility with requests
+        2.29.0 and 2.30.0 and urllib3 2.0.
+    fragments:
+      - 3.4.5.yml
+      - 613-requests.yml
+    release_date: '2023-05-05'
+  3.4.6:
+    changes:
+      bugfixes:
+        - socket_handler module utils - make sure this fully works when Docker SDK
+          for Python is not available (https://github.com/ansible-collections/community.docker/pull/620).
+        - vendored Docker SDK for Python code - fix for errors on pipe close in Windows
+          (https://github.com/ansible-collections/community.docker/pull/619).
+        - vendored Docker SDK for Python code - respect timeouts on Windows named
+          pipes (https://github.com/ansible-collections/community.docker/pull/619).
+        - vendored Docker SDK for Python code - use ``poll()`` instead of ``select()``
+          except on Windows (https://github.com/ansible-collections/community.docker/pull/619).
+      known_issues:
+        - docker_api connection plugin - does **not work with TCP TLS sockets**! This
+          is caused by the inability to send an ``close_notify`` TLS alert without
+          closing the connection with Python's ``SSLSocket`` (https://github.com/ansible-collections/community.docker/issues/605,
+          https://github.com/ansible-collections/community.docker/pull/621).
+        - docker_container_exec - does **not work with TCP TLS sockets** when the
+          ``stdin`` option is used! This is caused by the inability to send an ``close_notify``
+          TLS alert without closing the connection with Python's ``SSLSocket`` (https://github.com/ansible-collections/community.docker/issues/605,
+          https://github.com/ansible-collections/community.docker/pull/621).
+      release_summary: Bugfix release with documentation warnings about using certain
+        functionality when connecting to the Docker daemon with TCP TLS.
+    fragments:
+      - 3.4.6.yml
+      - 620-bugfixes.yml
+      - docker-py.yml
+      - tls-tcp-warn.yml
+    release_date: '2023-05-20'
+  3.4.7:
+    changes:
+      bugfixes:
+        - docker_swarm_info - if ``service=true`` is used, do not crash when a service
+          without an endpoint spec is encountered (https://github.com/ansible-collections/community.docker/issues/636,
+          https://github.com/ansible-collections/community.docker/pull/637).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.4.7.yml
+      - 637-swarm_info-endpoint_spec.yml
+    release_date: '2023-06-15'
+  3.4.8:
+    changes:
+      known_issues:
+        - Ansible markup will show up in raw form on ansible-doc text output for ansible-core
+          before 2.15. If you have trouble deciphering the documentation markup, please
+          upgrade to ansible-core 2.15 (or newer), or read the HTML documentation
+          on https://docs.ansible.com/ansible/devel/collections/community/docker/.
+      release_summary: 'Maintenance release with updated documentation.
+
+
+        From this version on, community.docker is using the new `Ansible semantic
+        markup
+
+        <https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+
+        in its documentation. If you look at documentation with the ansible-doc CLI
+        tool
+
+        from ansible-core before 2.15, please note that it does not render the markup
+
+        correctly. You should be still able to read it in most cases, but you need
+
+        ansible-core 2.15 or later to see it as it is intended. Alternatively you
+        can
+
+        look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/docker/>`__
+
+        for the rendered HTML version of the documentation of the latest release.
+
+        '
+    fragments:
+      - 3.4.8.yml
+    release_date: '2023-06-22'
+  3.4.9:
+    changes:
+      bugfixes:
+        - vendored Docker SDK for Python code - cherry-pick changes from the Docker
+          SDK for Python code to align code. These changes should not affect the parts
+          used by the collection's code (https://github.com/ansible-collections/community.docker/pull/694).
+      release_summary: Maintenance release with updated documentation and vendored
+        Docker SDK for Python code.
+    fragments:
+      - 3.4.9.yml
+      - 694-docker-py.yml
+    release_date: '2023-10-08'
+  3.4.10:
+    changes:
+      bugfixes:
+        - docker_swarm - make init and join operations work again with Docker SDK
+          for Python before 4.0.0 (https://github.com/ansible-collections/community.docker/issues/695,
+          https://github.com/ansible-collections/community.docker/pull/696).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.4.10.yml
+      - 696-docker_swarm-data_addr_path.yml
+    release_date: '2023-10-29'
+  3.4.11:
+    changes:
+      bugfixes:
+        - docker_volume - fix crash caused by accessing an empty dictionary. The ``has_different_config()``
+          was raising an ``AttributeError`` because the ``self.existing_volume["Labels"]``
+          dictionary was ``None`` (https://github.com/ansible-collections/community.docker/pull/702).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.4.11.yml
+      - 702-docker-volume-label-none.yaml
+    release_date: '2023-11-12'
+  3.5.0:
+    changes:
+      bugfixes:
+        - modules and plugins using the Docker SDK for Python - remove ``ssl_version``
+          from the parameters passed to Docker SDK for Python 7.0.0+. Explicitly fail
+          with a nicer error message if it was explicitly set in this case (https://github.com/ansible-collections/community.docker/pull/715).
+        - modules and plugins using the Docker SDK for Python - remove ``tls_hostname``
+          from the parameters passed to Docker SDK for Python 7.0.0+. Explicitly fail
+          with a nicer error message if it was explicitly set in this case (https://github.com/ansible-collections/community.docker/pull/721).
+        - vendored Docker SDK for Python - avoid passing on ``ssl_version`` and ``tls_hostname``
+          if they were not provided by the user. Remove dead code. (https://github.com/ansible-collections/community.docker/pull/722).
+      deprecated_features:
+        - docker_container - the default ``ignore`` for the ``image_name_mismatch``
+          parameter has been deprecated and will switch to ``recreate`` in community.docker
+          4.0.0. A deprecation warning will be printed in situations where the default
+          value is used and where a behavior would change once the default changes
+          (https://github.com/ansible-collections/community.docker/pull/703).
+      minor_changes:
+        - docker_container - implement better ``platform`` string comparisons to improve
+          idempotency (https://github.com/ansible-collections/community.docker/issues/654,
+          https://github.com/ansible-collections/community.docker/pull/705).
+        - docker_container - internal refactorings which allow comparisons to use
+          more information like details of the current image or the Docker host config
+          (https://github.com/ansible-collections/community.docker/pull/713).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 3.5.0.yml
+      - 703-docker_container-image_name_mismatch.yml
+      - 705-docker_container-platform.yml
+      - 713-docker_container-refactoring.yml
+      - 715-docker-7.yml
+      - 721-docker-7.yml
+      - 722-tls.yml
+    release_date: '2023-12-10'
+  3.6.0-b1:
+    changes:
+      bugfixes:
+        - Use ``unix:///var/run/docker.sock`` instead of the legacy ``unix://var/run/docker.sock``
+          as default for ``docker_host`` (https://github.com/ansible-collections/community.docker/pull/736).
+      minor_changes:
+        - docker_image - allow to specify labels and ``/dev/shm`` size when building
+          images (https://github.com/ansible-collections/community.docker/issues/726,
+          https://github.com/ansible-collections/community.docker/pull/727).
+        - docker_image - allow to specify memory size and swap memory size in other
+          units than bytes (https://github.com/ansible-collections/community.docker/pull/727).
+      release_summary: 'Prerelease of the upcoming 3.6.0 bugfix and feature release.
+
+
+        The collection now includes a bunch of new ``docker_image_*`` modules that
+        move features out of the
+
+        rather complex ``docker_image`` module. These new modules are easier to use
+        and can better declare whether
+
+        they support check mode, diff mode, or none of them.
+
+
+        This version also features modules that support the Docker CLI plugins ``buildx``
+        and ``compose``.
+
+        The ``docker_image_build`` module uses the ``docker buildx`` command under
+        the hood, and the ``docker_compose_v2``
+
+        module uses the ``docker compose`` command. Both these modules use the Docker
+        CLI instead of directly talking
+
+        to the API. The modules support mostly the same interface as the API based
+        modules, so the main difference is that
+
+        instead of some Python requirements, they depend on the Docker CLI tool ``docker``.
+
+        '
+    fragments:
+      - 3.6.0-b1.yml
+      - 727-docker_image-build.yml
+      - host.yml
+    modules:
+      - description: Manage multi-container Docker applications with Docker Compose
+          CLI plugin
+        name: docker_compose_v2
+        namespace: ''
+      - description: Build Docker images using Docker buildx
+        name: docker_image_build
+        namespace: ''
+      - description: Pull Docker images from registries
+        name: docker_image_pull
+        namespace: ''
+      - description: Push Docker images to registries
+        name: docker_image_push
+        namespace: ''
+      - description: Remove Docker images
+        name: docker_image_remove
+        namespace: ''
+      - description: Tag Docker images with new names and/or tags
+        name: docker_image_tag
+        namespace: ''
+    release_date: '2024-01-04'
+  3.6.0-b2:
+    changes:
+      major_changes:
+        - The ``community.docker`` collection now depends on the ``community.library_inventory_filtering_v1``
+          collection. This utility collection provides host filtering functionality
+          for inventory plugins. If you use the Ansible community package, both collections
+          are included and you do not have to do anything special. If you install
+          the collection with ``ansible-galaxy collection install``, it will be installed
+          automatically. If you install the collection by copying the files of the
+          collection to a place where ansible-core can find it, for example by cloning
+          the git repository, you need to make sure that you also have to install
+          the dependency if you are using the inventory plugins (https://github.com/ansible-collections/community.docker/pull/698).
+      minor_changes:
+        - The ``ca_cert`` option available to almost all modules and plugins has been
+          renamed to ``ca_path``. The name ``ca_path`` is also used for similar options
+          in ansible-core and other collections. The old name has been added as an
+          alias and can still be used (https://github.com/ansible-collections/community.docker/pull/744).
+        - The ``docker_stack*`` modules now use the common CLI-based module code added
+          for the ``docker_image_build`` and ``docker_compose_v2`` modules. This means
+          that the modules now have various more configuration options with respect
+          to talking to the Docker Daemon, and now also are part of the ``community.docker.docker``
+          and ``docker`` module default groups (https://github.com/ansible-collections/community.docker/pull/745).
+        - inventory plugins - add ``filter`` option which allows to include and exclude
+          hosts based on Jinja2 conditions (https://github.com/ansible-collections/community.docker/pull/698,
+          https://github.com/ansible-collections/community.docker/issues/610).
+      release_summary: 'Second prerelease of the upcoming 3.6.0 bugfix and feature
+        release.
+
+
+        The collection now includes a bunch of new ``docker_image_*`` modules that
+        move features out of the
+
+        rather complex ``docker_image`` module. These new modules are easier to use
+        and can better declare whether
+
+        they support check mode, diff mode, or none of them.
+
+
+        This version also features modules that support the Docker CLI plugins ``buildx``
+        and ``compose``.
+
+        The ``docker_image_build`` module uses the ``docker buildx`` command under
+        the hood, and the ``docker_compose_v2``
+
+        and ``docker_compose_v2_pull`` modules uses the ``docker compose`` command.
+        All these modules use the Docker CLI
+
+        instead of directly talking to the API. The modules support mostly the same
+        interface as the API based modules,
+
+        so the main difference is that instead of some Python requirements, they depend
+        on the Docker CLI tool ``docker``.
+
+
+        Other changes to the collection since the last prerelease:
+
+
+        * docker_compose_v2 allows to specify the pull policy
+
+        '
+    fragments:
+      - 3.6.0-b2.yml
+      - 698-filter.yml
+      - 744-ca_path.yml
+      - 745-docker_stack.yml
+    modules:
+      - description: Pull a Docker compose project
+        name: docker_compose_v2_pull
+        namespace: ''
+    release_date: '2024-01-14'
+  3.6.0-rc1:
+    changes:
+      release_summary: 'First release candidate of the latest bugfix and feature release.
+
+        No more features will be added before the final release, which will likely
+        happen on Sunday or Monday.
+
+
+        The collection now includes a bunch of new ``docker_image_*`` modules that
+        move features out of the
+
+        rather complex ``docker_image`` module. These new modules are easier to use
+        and can better declare whether
+
+        they support check mode, diff mode, or none of them.
+
+
+        This version also features modules that support the Docker CLI plugins ``buildx``
+        and ``compose``.
+
+        The ``docker_image_build`` module uses the ``docker buildx`` command under
+        the hood, and the ``docker_compose_v2``
+
+        and ``docker_compose_v2_pull`` modules uses the ``docker compose`` command.
+        All these modules use the Docker CLI
+
+        instead of directly talking to the API. The modules support mostly the same
+        interface as the API based modules,
+
+        so the main difference is that instead of some Python requirements, they depend
+        on the Docker CLI tool ``docker``.
+
+
+        Changes since the last beta:
+
+        * The ``docker_compose_v2*`` modules also checks for ``compose.yaml`` and
+        ``compose.yml``, not only for ``docker-compose.yaml`` and ``docker-compose.yml``.
+
+        * You can now specify ``services`` in the ``docker_compose_v2`` module.
+
+        * You can now specify ``build`` in the ``docker_compose_v2`` module (allows
+        to pass ``--build`` or ``--no-build`` depending on its value).
+
+        '
+    fragments:
+      - 3.6.0-rc1.yml
+    release_date: '2024-01-18'
+  3.6.0:
+    changes:
+      bugfixes:
+        - docker_image - fix archiving idempotency with Docker API 1.44 or later (https://github.com/ansible-collections/community.docker/pull/765).
+      minor_changes:
+        - docker_container - add ``networks[].mac_address`` option for Docker API
+          1.44+. Note that Docker API 1.44 no longer uses the global ``mac_address``
+          option, this new option is the only way to set the MAC address for a container
+          (https://github.com/ansible-collections/community.docker/pull/763).
+      release_summary: 'Bugfix and feature release.
+
+
+        The collection now includes a bunch of new ``docker_image_*`` modules that
+        move features out of the
+
+        rather complex ``docker_image`` module. These new modules are easier to use
+        and can better declare whether
+
+        they support check mode, diff mode, or none of them.
+
+
+        This version also features modules that support the Docker CLI plugins ``buildx``
+        and ``compose``.
+
+        The ``docker_image_build`` module uses the ``docker buildx`` command under
+        the hood, and the ``docker_compose_v2``
+
+        and ``docker_compose_v2_pull`` modules uses the ``docker compose`` command.
+        All these modules use the Docker CLI
+
+        instead of directly talking to the API. The modules support mostly the same
+        interface as the API based modules,
+
+        so the main difference is that instead of some Python requirements, they depend
+        on the Docker CLI tool ``docker``.
+
+        '
+    fragments:
+      - 3.6.0.yml
+      - 763-docker_container-mac_address.yml
+      - 765-docker_image-archive.yml
+    release_date: '2024-01-21'
+  3.7.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - properly parse dry-run build events from ``stderr``
+          (https://github.com/ansible-collections/community.docker/issues/778, https://github.com/ansible-collections/community.docker/pull/779).
+        - docker_compose_v2_pull - the module was documented as part of the ``community.docker.docker``
+          action group, but was not actually part of it. That has now been fixed (https://github.com/ansible-collections/community.docker/pull/773).
+      minor_changes:
+        - docker_compose_v2 - add ``scale`` option to allow to explicitly scale services
+          (https://github.com/ansible-collections/community.docker/pull/776).
+        - docker_compose_v2, docker_compose_v2_pull - support ``files`` parameter
+          to specify multiple Compose files (https://github.com/ansible-collections/community.docker/issues/772,
+          https://github.com/ansible-collections/community.docker/pull/775).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 3.7.0.yml
+      - 773-docker_compose_v2_pull-action-group.yml
+      - 775-docker_compose-files.yml
+      - 776-docker_compose-scale.yml
+      - 779-compose-v2-build.yml
+    modules:
+      - description: Export (archive) Docker images
+        name: docker_image_export
+        namespace: ''
+    release_date: '2024-01-27'
+  3.8.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - do not consider a ``Waiting`` event as an action/change
+          (https://github.com/ansible-collections/community.docker/pull/804).
+        - docker_compose_v2 - do not treat service-level pull events as changes to
+          avoid incorrect ``changed=true`` return value of ``pull=always`` (https://github.com/ansible-collections/community.docker/issues/802,
+          https://github.com/ansible-collections/community.docker/pull/803).
+        - docker_compose_v2, docker_compose_v2_pull - fix parsing of pull messages
+          for Docker Compose 2.20.0 (https://github.com/ansible-collections/community.docker/issues/785,
+          https://github.com/ansible-collections/community.docker/pull/786).
+      minor_changes:
+        - docker_compose_v2 - allow to wait until containers are running/health when
+          running ``docker compose up`` with the new ``wait`` option (https://github.com/ansible-collections/community.docker/issues/794,
+          https://github.com/ansible-collections/community.docker/pull/796).
+        - docker_container - the ``pull_check_mode_behavior`` option now allows to
+          control the module's behavior in check mode when ``pull=always`` (https://github.com/ansible-collections/community.docker/issues/792,
+          https://github.com/ansible-collections/community.docker/pull/797).
+        - docker_container - the ``pull`` option now accepts the three values ``never``,
+          ``missing_image`` (default), and ``never``, next to the previously valid
+          values ``true`` (equivalent to ``always``) and ``false`` (equivalent to
+          ``missing_image``). This allows the equivalent to ``--pull=never`` from
+          the Docker command line (https://github.com/ansible-collections/community.docker/issues/783,
+          https://github.com/ansible-collections/community.docker/pull/797).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 3.8.0.yml
+      - 786-docker_v2.yml
+      - 796-docker_compose_v2-wait.yml
+      - 797-docker_container-pull.yml
+      - 803-compose-v2-pull.yml
+      - 804-compose-v2-waiting.yml
+    release_date: '2024-02-25'
+  3.8.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - do not fail when non-fatal errors occur. This can happen
+          when pulling an image fails, but then the image can be built for another
+          service. Docker Compose emits an error in that case, but ``docker compose
+          up`` still completes successfully (https://github.com/ansible-collections/community.docker/issues/807,
+          https://github.com/ansible-collections/community.docker/pull/810, https://github.com/ansible-collections/community.docker/pull/811).
+        - docker_compose_v2* modules - correctly parse ``Warning`` events emitted
+          by Docker Compose (https://github.com/ansible-collections/community.docker/issues/807,
+          https://github.com/ansible-collections/community.docker/pull/811).
+        - docker_compose_v2* modules - parse ``logfmt`` warnings emitted by Docker
+          Compose (https://github.com/ansible-collections/community.docker/issues/787,
+          https://github.com/ansible-collections/community.docker/pull/811).
+        - docker_compose_v2_pull - fixing idempotence by checking actual pull progress
+          events instead of service-level pull request when ``policy=always``. This
+          stops the module from reporting ``changed=true`` if no actual change happened
+          when pulling. In check mode, it has to assume that a change happens though
+          (https://github.com/ansible-collections/community.docker/issues/813, https://github.com/ansible-collections/community.docker/pull/814).
+      release_summary: Bugfix release
+      security_fixes:
+        - docker_containers, docker_machine, and docker_swarm inventory plugins -
+          make sure all data received from the Docker daemon / Docker machine is marked
+          as unsafe, so remote code execution by obtaining texts that can be evaluated
+          as templates is not possible (https://www.die-welt.net/2024/03/remote-code-execution-in-ansible-dynamic-inventory-plugins/,
+          https://github.com/ansible-collections/community.docker/pull/815).
+    fragments:
+      - 3.8.1.yml
+      - 810-compose-errors.yml
+      - 811-compose-v2-logfmt.yml
+      - 814-docker_compose_v2_pull-idem.yml
+      - inventory-rce.yml
+    release_date: '2024-03-16'
+  3.9.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2* - allow ``project_src`` to be a relative path, by converting
+          it to an absolute path before using it (https://github.com/ansible-collections/community.docker/issues/827,
+          https://github.com/ansible-collections/community.docker/pull/828).
+        - docker_compose_v2* modules - abort with a nice error message instead of
+          crash when the Docker Compose CLI plugin version is ``dev`` (https://github.com/ansible-collections/community.docker/issues/825,
+          https://github.com/ansible-collections/community.docker/pull/826).
+        - inventory plugins - add unsafe wrapper to avoid marking strings that do
+          not contain ``{`` or ``}`` as unsafe, to work around a bug in AWX (https://github.com/ansible-collections/community.docker/pull/835).
+      minor_changes:
+        - The EE requirements now include PyYAML, since the ``docker_compose_v2*``
+          modules depend on it when the ``definition`` option is used. This should
+          not have a noticable effect on generated EEs since ansible-core itself depends
+          on PyYAML as well, and ansible-builder explicitly ignores this dependency
+          (https://github.com/ansible-collections/community.docker/pull/832).
+        - docker_compose_v2* - the new option ``check_files_existing`` allows to disable
+          the check for one of the files ``compose.yaml``, ``compose.yml``, ``docker-compose.yaml``,
+          and ``docker-compose.yml`` in ``project_src`` if ``files`` is not specified.
+          This is necessary if a non-standard compose filename is specified through
+          other means, like the ``COMPOSE_FILE`` environment variable (https://github.com/ansible-collections/community.docker/issues/838,
+          https://github.com/ansible-collections/community.docker/pull/839).
+        - docker_compose_v2* modules - allow to provide an inline definition of the
+          compose content instead of having to provide a ``project_src`` directory
+          with the compose file written into it (https://github.com/ansible-collections/community.docker/issues/829,
+          https://github.com/ansible-collections/community.docker/pull/832).
+        - vendored Docker SDK for Python - remove unused code that relies on functionality
+          deprecated in Python 3.12 (https://github.com/ansible-collections/community.docker/pull/834).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 3.9.0.yml
+      - 826-docker-compose-v2-version.yml
+      - 828-compose-project_src.yml
+      - 832-docker_compose_v2-definition.yml
+      - 834-datetime-depr.yml
+      - 835-unsafe.yml
+      - 839-compose_v2-check-file.yml
+    release_date: '2024-04-21'
+  3.10.0:
+    changes:
+      deprecated_features:
+        - docker_compose - the Docker Compose v1 module is deprecated and will be
+          removed from community.docker 4.0.0. Please migrate to the ``community.docker.docker_compose_v2``
+          module, which works with Docker Compose v2 (https://github.com/ansible-collections/community.docker/issues/823,
+          https://github.com/ansible-collections/community.docker/pull/833).
+        - various modules and plugins - the ``ssl_version`` option has been deprecated
+          and will be removed from community.docker 4.0.0. It has already been removed
+          from Docker SDK for Python 7.0.0, and was only necessary in the past to
+          work around SSL/TLS issues (https://github.com/ansible-collections/community.docker/pull/853).
+      minor_changes:
+        - docker_container - adds ``healthcheck.start_interval`` to support healthcheck
+          start interval setting on containers (https://github.com/ansible-collections/community.docker/pull/848).
+        - docker_container - adds ``healthcheck.test_cli_compatible`` to allow omit
+          test option on containers without remove existing image test (https://github.com/ansible-collections/community.docker/pull/847).
+        - docker_image_build - add ``outputs`` option to allow configuring outputs
+          for the build (https://github.com/ansible-collections/community.docker/pull/852).
+        - docker_image_build - add ``secrets`` option to allow passing secrets to
+          the build (https://github.com/ansible-collections/community.docker/pull/852).
+        - docker_image_build - allow ``platform`` to be a list of platforms instead
+          of only a single platform for multi-platform builds (https://github.com/ansible-collections/community.docker/pull/852).
+        - docker_network - adds ``config_only`` and ``config_from`` to support creating
+          and using config only networks (https://github.com/ansible-collections/community.docker/issues/395).
+        - docker_prune - add new options ``builder_cache_all``, ``builder_cache_filters``,
+          and ``builder_cache_keep_storage``, and a new return value ``builder_cache_caches_deleted``
+          for pruning build caches (https://github.com/ansible-collections/community.docker/issues/844,
+          https://github.com/ansible-collections/community.docker/issues/845).
+        - docker_swarm_service - adds ``sysctls`` to support sysctl settings on swarm
+          services (https://github.com/ansible-collections/community.docker/issues/190).
+      release_summary: Feature release.
+    fragments:
+      - 3.10.0.yml
+      - 836-docker_swarm_service-sysctls.yml
+      - 843-docker_network-config-from-config-only.yml
+      - 845-docker_prune.yml
+      - 847-docker_container-heackcheck-test_cli_compatible.yml
+      - 848-docker_api-healthcheck-start-interval.yml
+      - 852-docker_image_build.yml
+      - 853-ssl_version.yml
+      - deprecate-compose-v1.yml
+    release_date: '2024-05-19'
+  3.10.1:
+    changes:
+      bugfixes:
+        - vendored Docker SDK for Python - include a hotfix for requests 2.32.0 compatibility
+          (https://github.com/ansible-collections/community.docker/issues/860, https://github.com/docker/docker-py/issues/3256,
+          https://github.com/ansible-collections/community.docker/pull/861).
+      known_issues:
+        - 'Please note that the fix for requests 2.32.0 included in community.docker
+          3.10.1 only
+
+          fixes problems with the *vendored* Docker SDK for Python code. Modules and
+          plugins that
+
+          use Docker SDK for Python can still fail due to the SDK currently being
+          incompatible
+
+          with requests 2.32.0.
+
+
+          If you still experience problems with requests 2.32.0, such as error messages
+          like
+
+          ``Not supported URL scheme http+docker``, please restrict requests to ``<2.32.0``.
+
+          '
+      release_summary: 'Hotfix release for requests 2.32.0 compatibility.
+
+        '
+    fragments:
+      - 3.10.1.yml
+      - 862-requests.yml
+    release_date: '2024-05-20'
+  3.10.2:
+    changes:
+      bugfixes:
+        - vendored Docker SDK for Python - include a fix requests 2.32.2+ compatibility
+          (https://github.com/ansible-collections/community.docker/issues/860, https://github.com/psf/requests/issues/6707,
+          https://github.com/ansible-collections/community.docker/pull/864).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.10.2.yml
+      - 864-requests.yml
+    release_date: '2024-05-21'
+  3.10.3:
+    changes:
+      bugfixes:
+        - docker and nsenter connection plugins, docker_container_exec module - avoid
+          using the deprecated ``ansible.module_utils.compat.selectors`` module util
+          with Python 3 (https://github.com/ansible-collections/community.docker/issues/870,
+          https://github.com/ansible-collections/community.docker/pull/871).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.10.3.yml
+      - 871-selectors.yml
+    release_date: '2024-05-26'
+  3.10.4:
+    changes:
+      bugfixes:
+        - docker_compose - make sure that the module uses the ``api_version`` parameter
+          (https://github.com/ansible-collections/community.docker/pull/881).
+        - docker_compose_v2* modules - there was no check to make sure that one of
+          ``project_src`` and ``definition`` is provided. The modules crashed if none
+          were provided (https://github.com/ansible-collections/community.docker/issues/885,
+          https://github.com/ansible-collections/community.docker/pull/886).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.10.4.yml
+      - 881-docker-compose-v1-api-version.yml
+      - 886-compose-v2-req.yml
+    release_date: '2024-06-16'
+  3.11.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2* modules - fix parsing of skipped pull messages for Docker
+          Compose 2.28.x (https://github.com/ansible-collections/community.docker/issues/911,
+          https://github.com/ansible-collections/community.docker/pull/916).
+        - docker_compose_v2*, docker_stack*, docker_image_build modules - using ``cli_context``
+          no longer leads to an invalid parameter combination being passed to the
+          corresponding Docker CLI tool, unless ``docker_host`` is also provided.
+          Combining ``cli_context`` and ``docker_host`` is no longer allowed (https://github.com/ansible-collections/community.docker/issues/892,
+          https://github.com/ansible-collections/community.docker/pull/895).
+        - docker_container - fix possible infinite loop if ``removal_wait_timeout``
+          is set (https://github.com/ansible-collections/community.docker/pull/922).
+        - vendored Docker SDK for Python - use ``LooseVersion`` instead of ``StrictVersion``
+          to compare urllib3 versions. This is needed for development versions (https://github.com/ansible-collections/community.docker/pull/902).
+      minor_changes:
+        - docker_container - add support for ``device_cgroup_rules`` (https://github.com/ansible-collections/community.docker/pull/910).
+        - docker_container - the new ``state=healthy`` allows to wait for a container
+          to become healthy on startup. The ``healthy_wait_timeout`` option allows
+          to configure the maximum time to wait for this to happen (https://github.com/ansible-collections/community.docker/issues/890,
+          https://github.com/ansible-collections/community.docker/pull/921).
+    fragments:
+      - 895-docker-cli.yml
+      - 902-loose-version.yml
+      - 910-docker_container-device_cgroup_rules.yml
+      - 916-compose-v2-parse.yml
+      - 921-docker_container-healthy.yml
+      - 922-docker_container-wait-fix.yml
+    release_date: '2024-07-09'
+  3.12.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - handle yet another random unstructured error output
+          from pre-2.29.0 Compose versions (https://github.com/ansible-collections/community.docker/issues/948,
+          https://github.com/ansible-collections/community.docker/pull/949).
+        - docker_compose_v2 - make sure that services provided in ``services`` are
+          appended to the command line after ``--`` and not before it (https://github.com/ansible-collections/community.docker/pull/942).
+        - docker_compose_v2* modules, docker_image_build - provide better error message
+          when required fields are not present in ``docker version`` or ``docker info``
+          output. This can happen if Podman is used instead of Docker (https://github.com/ansible-collections/community.docker/issues/891,
+          https://github.com/ansible-collections/community.docker/pull/935).
+        - docker_container - fix idempotency if ``network_mode=default`` and Docker
+          26.1.0 or later is used. There was a breaking change in Docker 26.1.0 regarding
+          normalization of ``NetworkMode`` (https://github.com/ansible-collections/community.docker/issues/934,
+          https://github.com/ansible-collections/community.docker/pull/936).
+        - docker_container - restore behavior of the module from community.docker
+          2.x.y that passes the first network to the Docker Deamon while creating
+          the container (https://github.com/ansible-collections/community.docker/pull/933).
+        - docker_image_build - fix ``--output`` parameter composition for ``type=docker``
+          and ``type=image`` (https://github.com/ansible-collections/community.docker/issues/946,
+          https://github.com/ansible-collections/community.docker/pull/947).
+      known_issues:
+        - docker_container - when specifying a MAC address for a container's network,
+          and the network is attached after container creation (for example, due to
+          idempotency checks), the MAC address is at least in some cases ignored by
+          the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/933).
+      minor_changes:
+        - docker, docker_api connection plugins - allow to determine the working directory
+          when executing commands with the new ``working_dir`` option (https://github.com/ansible-collections/community.docker/pull/943).
+        - docker, docker_api connection plugins - allow to execute commands with extended
+          privileges with the new ``privileges`` option (https://github.com/ansible-collections/community.docker/pull/943).
+        - docker, docker_api connection plugins - allow to pass extra environment
+          variables when executing commands with the new ``extra_env`` option (https://github.com/ansible-collections/community.docker/issues/937,
+          https://github.com/ansible-collections/community.docker/pull/940).
+        - docker_compose_v2* modules - support Docker Compose 2.29.0's ``json`` progress
+          writer to avoid having to parse text output (https://github.com/ansible-collections/community.docker/pull/931).
+        - docker_compose_v2_pull - add new options ``ignore_buildable``, ``include_deps``,
+          and ``services`` (https://github.com/ansible-collections/community.docker/issues/941,
+          https://github.com/ansible-collections/community.docker/pull/942).
+        - docker_container - when creating a container, directly pass all networks
+          to connect to to the Docker Daemon for API version 1.44 and newer. This
+          makes creation more efficient and works around a bug in Docker Daemon that
+          does not use the specified MAC address in at least some cases, though only
+          for creation (https://github.com/ansible-collections/community.docker/pull/933).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 3.12.0.yml
+      - 931-compose-2.29.0-json.yml
+      - 933-docker_container-networks.yml
+      - 935-cli-errors.yml
+      - 936-network_mode-default.yml
+      - 940-connection-env.yml
+      - 942-compose-v2-pull.yml
+      - 943-connection.yml
+      - 947-docker_image_build.yml
+      - 949-compose-error.yml
+    release_date: '2024-08-07'
+  3.12.1:
+    changes:
+      deprecated_features:
+        - The collection deprecates support for all ansible-core versions that are
+          currently End of Life, `according to the ansible-core support matrix <https://docs.ansible.com/ansible-core/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix>`__.
+          This means that the next major release of the collection will no longer
+          support ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core
+          2.14.
+      release_summary: Maintenance release with updated documentation and changelog.
+    fragments:
+      - 0-readme.yml
+      - 3.12.1.yml
+      - deprecate-eol-ansible-core.yml
+    release_date: '2024-08-13'
+  3.12.2:
+    changes:
+      bugfixes:
+        - docker_prune - fix handling of lists for the filter options (https://github.com/ansible-collections/community.docker/issues/961,
+          https://github.com/ansible-collections/community.docker/pull/966).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.12.2.yml
+      - 966-prune-filters.yml
+    release_date: '2024-09-17'
+  3.13.0:
+    changes:
+      release_summary: Feature release.
+    fragments:
+      - 3.13.0.yml
+    modules:
+      - description: Run command in a container of a Compose service.
+        name: docker_compose_v2_exec
+        namespace: ''
+      - description: Run command in a new container of a Compose service.
+        name: docker_compose_v2_run
+        namespace: ''
+    release_date: '2024-10-04'
+  3.13.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - improve parsing of dry-run image build operations from
+          JSON events (https://github.com/ansible-collections/community.docker/issues/975,
+          https://github.com/ansible-collections/community.docker/pull/976).
+      release_summary: Bugfix release.
+    fragments:
+      - 3.13.1.yml
+      - 976-compose-v2.yml
+    release_date: '2024-10-15'
+  4.0.0:
+    changes:
+      breaking_changes:
+        - docker_container - the default of ``image_name_mismatch`` changed from ``ignore``
+          to ``recreate`` (https://github.com/ansible-collections/community.docker/pull/971).
+      minor_changes:
+        - docker_compose_v2 - add ``renew_anon_volumes`` parameter for ``docker compose
+          up`` (https://github.com/ansible-collections/community.docker/pull/977).
+      release_summary: Major release with removed deprecated features.
+      removed_features:
+        - The collection no longer supports ansible-core 2.11, 2.12, 2.13, and 2.14.
+          You need ansible-core 2.15.0 or newer to use community.docker 4.x.y (https://github.com/ansible-collections/community.docker/pull/971).
+        - The docker_compose module has been removed. Please migrate to community.docker.docker_compose_v2
+          (https://github.com/ansible-collections/community.docker/pull/971).
+        - 'docker_container - the ``ignore_image`` option has been removed. Use ``image:
+          ignore`` in ``comparisons`` instead (https://github.com/ansible-collections/community.docker/pull/971).'
+        - 'docker_container - the ``purge_networks`` option has been removed. Use
+          ``networks: strict`` in ``comparisons`` instead and make sure that ``networks``
+          is specified (https://github.com/ansible-collections/community.docker/pull/971).'
+        - various modules and plugins - remove the ``ssl_version`` option (https://github.com/ansible-collections/community.docker/pull/971).
+    fragments:
+      - 4.0.0.yml
+      - 977-renew_anon_volumes.yaml
+    release_date: '2024-10-20'
+  4.0.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2_run - make sure to sanitize ``labels`` before sending
+          them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_config - make sure to sanitize ``labels`` before sending them to
+          the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_network - make sure to sanitize ``labels`` before sending them to
+          the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_node - make sure to sanitize ``labels`` before sending them to the
+          Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_secret - make sure to sanitize ``labels`` before sending them to
+          the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_swarm - make sure to sanitize ``labels`` before sending them to the
+          Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_swarm_service - make sure to sanitize ``labels`` and ``container_labels``
+          before sending them to the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+        - docker_volume - make sure to sanitize ``labels`` before sending them to
+          the Docker Daemon (https://github.com/ansible-collections/community.docker/pull/985).
+      release_summary: Bugfix release.
+    fragments:
+      - 4.0.1.yml
+      - 985-label-sanitize.yml
+    release_date: '2024-11-10'
+  4.1.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2_exec, docker_compose_v2_run - fix missing ``--env`` flag
+          while assembling env arguments (https://github.com/ansible-collections/community.docker/pull/992).
+        - docker_host_info - ensure that the module always returns ``can_talk_to_docker``,
+          and that it provides the correct value even if ``api_version`` is specified
+          (https://github.com/ansible-collections/community.docker/issues/993, https://github.com/ansible-collections/community.docker/pull/995).
+      minor_changes:
+        - docker_stack - allow to add ``--detach=false`` option to ``docker stack
+          deploy`` command (https://github.com/ansible-collections/community.docker/pull/987).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 4.1.0.yml
+      - 987-docker-stack-detach.yml
+      - 992-module-docker_compose_v2_run-fix-env-argument.yml
+      - 995-docker_host_info-return.yml
+    release_date: '2024-11-23'
+  4.2.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - when using Compose 2.31.0 or newer, revert to the old
+          behavior that image rebuilds, for example if ``rebuild=always``, only result
+          in ``changed`` if a container has been restarted (https://github.com/ansible-collections/community.docker/issues/1005,
+          https://github.com/ansible-collections/community.docker/issues/pull/1011).
+        - docker_image_build - work around bug resp. very unexpected behavior in Docker
+          buildx that overwrites all image names in ``--output`` parameters if ``--tag``
+          is provided, which the module did by default in the past. The module now
+          only supplies ``--tag`` if ``outputs`` is empty. If ``outputs`` has entries,
+          it will add an additional entry with ``type=image`` if no entry of ``type=image``
+          contains the image name specified by the ``name`` and ``tag`` options (https://github.com/ansible-collections/community.docker/issues/1001,
+          https://github.com/ansible-collections/community.docker/pull/1006).
+        - docker_network - added waiting while container actually disconnect from
+          Swarm network (https://github.com/ansible-collections/community.docker/pull/999).
+        - docker_network - containers are only reconnected to a network if they really
+          exist (https://github.com/ansible-collections/community.docker/pull/999).
+        - docker_network - enabled "force" option in Docker network container disconnect
+          API call (https://github.com/ansible-collections/community.docker/pull/999).
+        - docker_swarm_info - do not crash when finding Swarm jobs if ``services=true``
+          (https://github.com/ansible-collections/community.docker/issues/1003).
+      minor_changes:
+        - docker_compose_v2 - add ``ignore_build_events`` option (default value ``true``)
+          which allows to (not) ignore build events for change detection (https://github.com/ansible-collections/community.docker/issues/1005,
+          https://github.com/ansible-collections/community.docker/issues/pull/1011).
+        - docker_image_build - ``outputs[].name`` can now be a list of strings (https://github.com/ansible-collections/community.docker/pull/1006).
+        - docker_image_build - the executed command is now returned in the ``command``
+          return value in case of success and some errors (https://github.com/ansible-collections/community.docker/pull/1006).
+        - docker_network - added ``ingress`` option (https://github.com/ansible-collections/community.docker/pull/999).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 1003-docker_swarm_info-crash.yml
+      - 1006-docker-image-build-outputs.yml
+      - 1011-docker_compose_v2-build-changed.yml
+      - 4.2.0.yml
+      - 999-add-ingress-option-to-docker_network-module.yml
+    release_date: '2024-12-16'
+  4.3.0:
+    changes:
+      minor_changes:
+        - docker_compose_v2* modules - determine compose version with ``docker compose
+          version`` and only then fall back to ``docker info`` (https://github.com/ansible-collections/community.docker/pull/1021).
+      release_summary: Feature release.
+    fragments:
+      - 1021-docker_compose_v2-version-detection.yml
+      - 4.3.0.yml
+    release_date: '2024-12-30'
+  4.3.1:
+    changes:
+      bugfixes:
+        - Fix label sanitization code to avoid crashes in case of errors (https://github.com/ansible-collections/community.docker/issues/1028,
+          https://github.com/ansible-collections/community.docker/pull/1029).
+      release_summary: Bugfix release.
+    fragments:
+      - 1029-sanitize-labels-fail.yml
+      - 4.3.1.yml
+    release_date: '2025-01-23'
+  4.4.0:
+    changes:
+      bugfixes:
+        - docker_compose_v2_run - the module has a conflict between the type of parameter
+          it expects and the one it tries to sanitize. Fix removes the label sanitization
+          step because they are already validated by the parameter definition (https://github.com/ansible-collections/community.docker/pull/1034).
+        - vendored Docker SDK for Python - do not assume that ``KeyError`` is always
+          for ``ApiVersion`` when querying version fails (https://github.com/ansible-collections/community.docker/issues/1033,
+          https://github.com/ansible-collections/community.docker/pull/1034).
+      release_summary: Feature and bugfix release.
+    fragments:
+      - 1034-do-not-sanitize-labels.yaml
+      - 1034-error-msg.yml
+      - 4.4.0.yml
+    modules:
+      - description: Retrieve information on Docker contexts for the current user.
+        name: docker_context_info
+        namespace: ''
+    release_date: '2025-02-13'
+  4.5.0:
+    changes:
+      minor_changes:
+        - docker_compose_v2 - add ``assume_yes`` parameter for ``docker compose up``
+          (https://github.com/ansible-collections/community.docker/pull/1045).
+        - docker_network - add ``enable_ipv4`` option (https://github.com/ansible-collections/community.docker/issues/1047,
+          https://github.com/ansible-collections/community.docker/pull/1049).
+      release_summary: Feature release.
+    fragments:
+      - 1045-docker-compose-up-yes.yaml
+      - 1049-network-ipv4.yml
+      - 4.5.0.yml
+    release_date: '2025-03-03'
+  4.5.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - rename flag for ``assume_yes`` parameter for ``docker
+          compose up`` to ``-y`` (https://github.com/ansible-collections/community.docker/pull/1054).
+      release_summary: Bugfix release.
+    fragments:
+      - 1054-use-correct-flag-for-assume-yes.yaml
+      - 4.5.1.yml
+    release_date: '2025-03-11'
+  4.5.2:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - fix version check for ``assume_yes`` (https://github.com/ansible-collections/community.docker/pull/1054).
+        - docker_compose_v2 - use ``--yes`` instead of ``-y`` from Docker Compose
+          2.34.0 on (https://github.com/ansible-collections/community.docker/pull/1060).
+      release_summary: Bugfix release.
+    fragments:
+      - 1059-fix-version-check-for-assume-yes.yaml
+      - 1060-compose-yes.yml
+      - 4.5.2.yml
+    release_date: '2025-03-22'
+  4.6.0:
+    changes:
+      minor_changes:
+        - docker_container_copy_into - add ``mode_parse`` parameter which determines
+          how ``mode`` is parsed (https://github.com/ansible-collections/community.docker/pull/1074).
+      release_summary: Feature release.
+    fragments:
+      - 1074-mode-octal.yml
+      - 4.6.0.yml
+    release_date: '2025-05-02'
+  4.6.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - handle a (potentially unintentional) breaking change
+          in Docker Compose 2.37.0. Note that ``ContainerName`` is no longer part
+          of the return value (https://github.com/ansible-collections/community.docker/issues/1082,
+          https://github.com/ansible-collections/community.docker/pull/1083).
+        - docker_container - fix idempotency if ``command=[]`` and ``command_handling=correct``
+          (https://github.com/ansible-collections/community.docker/issues/1080, https://github.com/ansible-collections/community.docker/pull/1085).
+      release_summary: Bugfix release.
+    fragments:
+      - 1083-docker_compose_v2-images.yml
+      - 1085-docker_container-command-empty.yml
+      - 4.6.1.yml
+    release_date: '2025-06-09'
+  4.6.2:
+    changes:
+      bugfixes:
+        - docker_compose_v2 - adjust to new dry-run build events in Docker Compose
+          2.39.0+ (https://github.com/ansible-collections/community.docker/pull/1101).
+      release_summary: Bugfix release for Docker Compose 2.39.0+.
+    fragments:
+      - 1101-compose.yml
+      - 4.6.2.yml
+    release_date: '2025-07-26'
+  4.7.0:
+    changes:
+      bugfixes:
+        - docker_image, docker_image_push - work around a bug in Docker 28.3.3 that
+          prevents pushing without authentication to a registry (https://github.com/ansible-collections/community.docker/pull/1110).
+      minor_changes:
+        - docker_swarm_service - add support for ``replicated-job`` mode for Swarm
+          services (https://github.com/ansible-collections/community.docker/issues/626,
+          https://github.com/ansible-collections/community.docker/pull/1108).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 1108-replicated-job-support.yml
+      - 1110-push-fix.yml
+      - 4.7.0.yml
+    release_date: '2025-08-04'
+  4.8.0:
+    changes:
+      bugfixes:
+        - Avoid deprecated functionality in ansible-core 2.20 (https://github.com/ansible-collections/community.docker/pull/1117).
+      minor_changes:
+        - docker_container - support missing fields and new mount types in ``mounts``
+          (https://github.com/ansible-collections/community.docker/issues/1129, https://github.com/ansible-collections/community.docker/pull/1134).
+      release_summary: Bugfix and feature release.
+    fragments:
+      - 1117-deprecations.yml
+      - 1134-docker_container-mounts.yml
+      - 4.8.0.yml
+    release_date: '2025-10-03'
+  4.8.1:
+    changes:
+      bugfixes:
+        - Avoid remaining usages of deprecated ``ansible.module_utils.six`` (https://github.com/ansible-collections/community.docker/pull/1133).
+        - Avoid usage of deprecated ``ansible.module_utils.six`` in all code that
+          does not have to support Python 2 (https://github.com/ansible-collections/community.docker/pull/1137,
+          https://github.com/ansible-collections/community.docker/pull/1139).
+        - Avoid usage of deprecated ``ansible.module_utils.six`` in some of the code
+          that still supports Python 2 (https://github.com/ansible-collections/community.docker/pull/1138).
+      minor_changes:
+        - Note that some new code in ``plugins/module_utils/_six.py`` is MIT licensed
+          (https://github.com/ansible-collections/community.docker/pull/1138).
+      release_summary: Maintenance release.
+    fragments:
+      - 1137-six.yml
+      - 1138-six.yml
+      - 1139-six.yml
+      - 4.8.1.yml
+    release_date: '2025-10-05'
+  5.0.0-a1:
+    changes:
+      breaking_changes:
+        - All doc fragments, module utils, and plugin utils are from now on private.
+          They can change at any time, and have breaking changes even in bugfix releases
+          (https://github.com/ansible-collections/community.docker/pull/1144).
+      bugfixes:
+        - docker connection plugin - fix crash instead of warning if Docker version
+          does not support ``remote_user`` (https://github.com/ansible-collections/community.docker/pull/1161).
+        - docker, nsenter connection plugins - fix handling of ``become`` plugin password
+          prompt handling in case multiple events arrive at the same time (https://github.com/ansible-collections/community.docker/pull/1158).
+        - docker_api connection plugin - fix bug that could lead to loss of data when
+          waiting for ``become`` plugin prompt (https://github.com/ansible-collections/community.docker/pull/1152).
+        - docker_compose_v2_exec - fix crash instead of reporting error if ``detach=true``
+          and ``stdin`` is provided (https://github.com/ansible-collections/community.docker/pull/1161).
+        - docker_compose_v2_run - fix crash instead of reporting error if ``detach=true``
+          and ``stdin`` is provided (https://github.com/ansible-collections/community.docker/pull/1161).
+        - docker_container_exec - fix bug that could lead to loss of stdout/stderr
+          data (https://github.com/ansible-collections/community.docker/pull/1152).
+        - docker_container_exec - make ``detach=true`` work. So far this resulted
+          in no execution being done (https://github.com/ansible-collections/community.docker/pull/1145).
+        - docker_plugin - fix diff mode for plugin options (https://github.com/ansible-collections/community.docker/pull/1146).
+      minor_changes:
+        - docker_container - add ``driver_opts`` option in ``networks`` (https://github.com/ansible-collections/community.docker/issues/1142,
+          https://github.com/ansible-collections/community.docker/pull/1143).
+        - docker_container - add ``gw_priority`` option in ``networks`` (https://github.com/ansible-collections/community.docker/issues/1142,
+          https://github.com/ansible-collections/community.docker/pull/1143).
+      release_summary: 'First alpha release of community.docker 5.0.0.
+
+
+        The main changes are that the collection dropped support for some ansible-core
+        versions that are End of Life, and thus dropped support for Python 2.7.
+
+        This allowed to modernize the Python code, in particular with type hints.
+
+        Also all module and plugin utils are now private to the collection, which
+        makes it easier to refactor code.
+
+        All these changes should have no effect on end-users.
+
+
+        The current plan is to release 5.0.0 in time for Ansible 13''s feature freeze,
+        so in roughly one week.'
+      removed_features:
+        - Remove support for Docker SDK for Python version 1.x.y, also known as ``docker-py``.
+          Modules and plugins that use Docker SDK for Python require version 2.0.0+
+          (https://github.com/ansible-collections/community.docker/pull/1171).
+        - The collection no longer supports Python 3.6 and before. Note that this
+          coincides with the Python requirements of ansible-core 2.17+ (https://github.com/ansible-collections/community.docker/pull/1123).
+        - The collection no longer supports ansible-core 2.15 and 2.16. You need ansible-core
+          2.17.0 or newer to use community.docker 5.x.y (https://github.com/ansible-collections/community.docker/pull/1123).
+    fragments:
+      - 1142-docker-container-network-driver-opts.yml
+      - 1144-private.yml
+      - 1145-fix.yml
+      - 1146-fix.yml
+      - 1152-fix.yml
+      - 1158-select-fix.yml
+      - 1161-fix.yml
+      - 1171-docker-py.yml
+      - 5.0.0-a1.yml
+      - 5.0.0.yml
+    release_date: '2025-10-25'
+  5.0.0:
+    changes:
+      release_summary: 'New major release.
+
+
+        The main changes are that the collection dropped support for some ansible-core
+
+        versions that are End of Life, and thus dropped support for Python 2.7.
+
+        This allowed to modernize the Python code, in particular with type hints.
+
+        Also all module and plugin utils are now private to the collection, which
+
+        makes it easier to refactor code. All these changes should have no effect
+        on
+
+        end-users.'
+    fragments:
+      - 5.0.0.yml
+    release_date: '2025-11-02'
+  5.0.1:
+    changes:
+      bugfixes:
+        - docker_compose_v2_run - when ``detach=true``, ensure that the returned container
+          ID is not a bytes string (https://github.com/ansible-collections/community.docker/pull/1183).
+        - docker_image - fix 'Cannot locate specified Dockerfile' error (https://github.com/ansible-collections/community.docker/pull/1184).
+      release_summary: Bugfix release.
+    fragments:
+      - 1185-fix.yml
+      - 5.0.1.yml
+      - typing.yml
+    release_date: '2025-11-09'
+  5.0.2:
+    changes:
+      bugfixes:
+        - Docker CLI based modules - work around bug in Docker 29.0.0 that caused
+          a breaking change in ``docker version --format json`` output (https://github.com/ansible-collections/community.docker/issues/1185,
+          https://github.com/ansible-collections/community.docker/pull/1187).
+        - docker_container - fix ``pull`` idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+        - docker_container - fix handling of exposed port ranges. So far, the module
+          used an undocumented feature of Docker that was removed from Docker 29.0.0,
+          that allowed to pass the range to the deamon and let handle it. Now the
+          module explodes ranges into a list of all contained ports, same as the Docker
+          CLI does. For backwards compatibility with Docker < 29.0.0, it also explodes
+          ranges returned by the API for existing containers so that comparison should
+          only indicate a difference if the ranges actually change (https://github.com/ansible-collections/community.docker/pull/1192).
+        - docker_container - fix idempotency for IPv6 addresses with Docker 29.0.0
+          (https://github.com/ansible-collections/community.docker/pull/1192).
+        - docker_image - fix ``source=pull`` idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+        - docker_image, docker_image_push - adjust image push detection to Docker
+          29 (https://github.com/ansible-collections/community.docker/pull/1199).
+        - docker_image_pull - fix idempotency with Docker 29.0.0 (https://github.com/ansible-collections/community.docker/pull/1192).
+        - docker_network - fix idempotency for IPv6 addresses and networks with Docker
+          29.0.0 (https://github.com/ansible-collections/community.docker/pull/1201).
+      known_issues:
+        - docker_image, docker_image_export - idempotency for archiving images depends
+          on whether the image IDs used by the image storage backend correspond to
+          the IDs used in the tarball's ``manifest.json`` files. The new default backend
+          in Docker 29 apparently uses image IDs that no longer correspond, whence
+          idempotency no longer works (https://github.com/ansible-collections/community.docker/pull/1199).
+      release_summary: Bugfix release for Docker 29.
+    fragments:
+      - 1187-docker.yml
+      - 1192-docker_container.yml
+      - 1199-docker_image-push.yml
+      - 1201-docker_network.yml
+      - 5.0.2.yml
+    release_date: '2025-11-16'
+  5.0.3:
+    changes:
+      bugfixes:
+        - docker_container - when the same port is mapped more than once for the same
+          protocol without specifying an interface, a bug caused an invalid value
+          to be passed for the interface (https://github.com/ansible-collections/community.docker/issues/1213,
+          https://github.com/ansible-collections/community.docker/pull/1214).
+      release_summary: Bugfix release.
+    fragments:
+      - 1214-docker_container-ports.yml
+      - 5.0.3.yml
+    release_date: '2025-11-29'
+  5.0.4:
+    changes:
+      bugfixes:
+        - CLI-based modules - when parsing JSON output fails, also provide standard
+          error output. Also provide information on the command and its result in
+          machine-readable way (https://github.com/ansible-collections/community.docker/issues/1216,
+          https://github.com/ansible-collections/community.docker/pull/1221).
+        - docker_compose_v2, docker_compose_v2_pull - adjust parsing from image pull
+          events to changes in Docker Compose 5.0.0 (https://github.com/ansible-collections/community.docker/pull/1219).
+      release_summary: Bugfix release.
+    fragments:
+      - 1219-compose-v2-pull.yml
+      - 1221-cli-json-errors.yml
+      - 5.0.4.yml
+    release_date: '2025-12-06'
+  5.0.5:
+    changes:
+      bugfixes:
+        - modules and plugins using the Docker SDK for Python - do not automatically
+          set ``tls_hostname`` when ``validate_certs=true`` for Docker SDK for Python
+          7.0.0+ (https://github.com/ansible-collections/community.docker/issues/1225,
+          https://github.com/ansible-collections/community.docker/pull/1226).
+      release_summary: Bugfix release.
+    fragments:
+      - 1226-docker-sdk-tls.yml
+      - 5.0.5.yml
+    release_date: '2025-12-31'
diff --git a/ansible_collections/community/docker/changelogs/changelog.yaml.license b/ansible_collections/community/docker/changelogs/changelog.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/changelogs/changelog.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/changelogs/config.yaml b/ansible_collections/community/docker/changelogs/config.yaml
new file mode 100644
index 00000000..09665653
--- /dev/null
+++ b/ansible_collections/community/docker/changelogs/config.yaml
@@ -0,0 +1,43 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+output_formats:
+  - md
+  - rst
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+  - - major_changes
+    - Major Changes
+  - - minor_changes
+    - Minor Changes
+  - - breaking_changes
+    - Breaking Changes / Porting Guide
+  - - deprecated_features
+    - Deprecated Features
+  - - removed_features
+    - Removed Features (previously deprecated)
+  - - security_fixes
+    - Security Fixes
+  - - bugfixes
+    - Bugfixes
+  - - known_issues
+    - Known Issues
+title: Docker Community Collection
+trivial_section_name: trivial
+use_fqcn: true
+add_plugin_period: true
+changelog_nice_yaml: true
+changelog_sort: version
+vcs: auto
diff --git a/ansible_collections/community/docker/changelogs/fragments/.keep b/ansible_collections/community/docker/changelogs/fragments/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/community/docker/docs/docsite/config.yml b/ansible_collections/community/docker/docs/docsite/config.yml
new file mode 100644
index 00000000..48eedc26
--- /dev/null
+++ b/ansible_collections/community/docker/docs/docsite/config.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The following `.. envvar::` directives are defined in the extra docsite docs:
+envvar_directives:
+  - DOCKER_HOST
+  - DOCKER_API_VERSION
+  - DOCKER_TIMEOUT
+  - DOCKER_CERT_PATH
+  - DOCKER_SSL_VERSION
+  - DOCKER_TLS
+  - DOCKER_TLS_HOSTNAME
+  - DOCKER_TLS_VERIFY
+
+changelog:
+  write_changelog: true
diff --git a/ansible_collections/community/docker/docs/docsite/extra-docs.yml b/ansible_collections/community/docker/docs/docsite/extra-docs.yml
new file mode 100644
index 00000000..c5047369
--- /dev/null
+++ b/ansible_collections/community/docker/docs/docsite/extra-docs.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+sections:
+  - title: Scenario Guide
+    toctree:
+      - scenario_guide
diff --git a/ansible_collections/community/docker/docs/docsite/links.yml b/ansible_collections/community/docker/docs/docsite/links.yml
new file mode 100644
index 00000000..d59d2331
--- /dev/null
+++ b/ansible_collections/community/docker/docs/docsite/links.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+edit_on_github:
+  repository: ansible-collections/community.docker
+  branch: main
+  path_prefix: ''
+
+extra_links:
+  - description: Ask for help (Docker)
+    url: https://forum.ansible.com/tags/c/help/6/none/docker
+  - description: Ask for help (Docker Compose)
+    url: https://forum.ansible.com/tags/c/help/6/none/docker-compose
+  - description: Ask for help (Docker Swarm)
+    url: https://forum.ansible.com/tags/c/help/6/none/docker-swarm
+  - description: Submit a bug report
+    url: https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&template=bug_report.md
+  - description: Request a feature
+    url: https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&template=feature_request.md
+
+communication:
+  matrix_rooms:
+    - topic: General usage and support questions
+      room: '#users:ansible.im'
+  irc_channels:
+    - topic: General usage and support questions
+      network: Libera
+      channel: '#ansible'
+  forums:
+    - topic: "Ansible Forum: General usage and support questions"
+      # The following URL directly points to the "Get Help" section
+      url: https://forum.ansible.com/c/help/6/none
+    - topic: "Ansible Forum: Discussions about Docker"
+      # The following URL directly points to the "docker" tag
+      url: https://forum.ansible.com/tag/docker
+    - topic: "Ansible Forum: Discussions about Docker Compose"
+      # The following URL directly points to the "docker-compose" tag
+      url: https://forum.ansible.com/tag/docker-compose
+    - topic: "Ansible Forum: Discussions about Docker Swarm"
+      # The following URL directly points to the "docker-swarm" tag
+      url: https://forum.ansible.com/tag/docker-swarm
diff --git a/ansible_collections/community/docker/docs/docsite/rst/scenario_guide.rst b/ansible_collections/community/docker/docs/docsite/rst/scenario_guide.rst
new file mode 100644
index 00000000..1d77daf2
--- /dev/null
+++ b/ansible_collections/community/docker/docs/docsite/rst/scenario_guide.rst
@@ -0,0 +1,330 @@
+..
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _ansible_collections.community.docker.docsite.scenario_guide:
+
+Docker Guide
+============
+
+The `community.docker collection <https://galaxy.ansible.com/ui/repo/published/community/docker/>`_ offers several modules and plugins for orchestrating Docker containers and Docker Swarm.
+
+.. contents::
+   :local:
+   :depth: 1
+
+
+Requirements
+------------
+
+Most of the modules and plugins in community.docker require the `Docker SDK for Python <https://docker-py.readthedocs.io/en/stable/>`_. The SDK needs to be installed on the machines where the modules and plugins are executed, and for the Python version(s) with which the modules and plugins are executed. You can use the :ansplugin:`community.general.python_requirements_info module <community.general.python_requirements_info#module>` to make sure that the Docker SDK for Python is installed on the correct machine and for the Python version used by Ansible.
+
+Note that plugins (inventory plugins and connection plugins) are always executed in the context of Ansible itself. If you use a plugin that requires the Docker SDK for Python, you need to install it on the machine running ``ansible`` or ``ansible-playbook`` and for the same Python interpreter used by Ansible. To see which Python is used, run ``ansible --version``.
+
+You can install the Docker SDK for Python for Python 3.6 or later as follows:
+
+.. code-block:: console
+
+    $ pip install docker
+
+For Python 2.7, you need to use a version between 2.0.0 and 4.4.4 since the Python package for Docker removed support for Python 2.7 on 5.0.0. You can install the specific version of the Docker SDK for Python as follows:
+
+.. code-block:: console
+
+    $ pip install 'docker==4.4.4'
+
+Note that the Docker SDK for Python was called ``docker-py`` on PyPi before version 2.0.0. Please avoid installing this really old version, and make sure to not install both ``docker`` and ``docker-py``. Installing both will result in a broken installation. If this happens, Ansible will detect it and inform you about it. If that happens, you must uninstall both and reinstall the correct version. If in doubt, always install ``docker`` and never ``docker-py``.
+
+
+Connecting to the Docker API
+----------------------------
+
+You can connect to a local or remote API using parameters passed to each task or by setting environment variables. The order of precedence is command line parameters and then environment variables. If neither a command line option nor an environment variable is found, Ansible uses the default value  provided under `Parameters`_.
+
+
+Parameters
+..........
+
+Most plugins and modules can be configured by the following parameters:
+
+    docker_host
+        The URL or Unix socket path used to connect to the Docker API. Defaults to ``unix:///var/run/docker.sock``. To connect to a remote host, provide the TCP connection string (for example: ``tcp://192.0.2.23:2376``). If TLS is used to encrypt the connection to the API, then the module will automatically replace ``tcp`` in the connection URL with ``https``.
+
+    api_version
+        The version of the Docker API running on the Docker Host. Defaults to the latest version of the API supported by the Docker SDK for Python installed.
+
+    timeout
+        The maximum amount of time in seconds to wait on a response from the API. Defaults to 60 seconds.
+
+    tls
+        Secure the connection to the API by using TLS without verifying the authenticity of the Docker host server. Defaults to ``false``.
+
+    validate_certs
+        Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server. Default is ``false``.
+
+    ca_path
+        Use a CA certificate when performing server verification by providing the path to a CA certificate file.
+
+    cert_path
+        Path to the client's TLS certificate file.
+
+    key_path
+        Path to the client's TLS key file.
+
+    tls_hostname
+        When verifying the authenticity of the Docker Host server, provide the expected name of the server. Defaults to ``localhost``.
+
+    ssl_version
+        Provide a valid SSL version number. The default value is determined by the Docker SDK for Python.
+
+        This option is not available for the CLI based plugins. It is mainly needed for legacy systems and should be avoided.
+
+
+Module default group
+....................
+
+To avoid having to specify common parameters for all the modules in every task, you can use the ``community.docker.docker`` :ref:`module defaults group <module_defaults_groups>`, or its short name ``docker``.
+
+.. note::
+
+  Module default groups only work for modules, not for plugins (connection and inventory plugins).
+
+The following example shows how the module default group can be used in a playbook:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Pull image and start the container
+      hosts: localhost
+      gather_facts: false
+      module_defaults:
+        group/community.docker.docker:
+          # Select Docker Daemon on other host
+          docker_host: tcp://192.0.2.23:2376
+          # Configure TLS
+          tls: true
+          validate_certs: true
+          tls_hostname: docker.example.com
+          ca_path: /path/to/cacert.pem
+          # Increase timeout
+          timeout: 120
+      tasks:
+        - name: Pull image
+          community.docker.docker_image_pull:
+            name: python
+            tag: 3.12
+
+        - name: Start container
+          community.docker.docker_container:
+            cleanup: true
+            command: python --version
+            detach: false
+            image: python:3.12
+            name: my-python-container
+            output_logs: true
+
+        - name: Show output
+          ansible.builtin.debug:
+            msg: "{{ output.container.Output }}"
+
+Here the two ``community.docker`` tasks will use the options set for the module defaults group.
+
+
+Environment variables
+.....................
+
+You can also control how the plugins and modules connect to the Docker API by setting the following environment variables.
+
+For plugins, they have to be set for the environment Ansible itself runs in. For modules, they have to be set for the environment the modules are executed in. For modules running on remote machines, the environment variables have to be set on that machine for the user used to execute the modules with.
+
+.. envvar:: DOCKER_HOST
+
+    The URL or Unix socket path used to connect to the Docker API.
+
+.. envvar:: DOCKER_API_VERSION
+
+    The version of the Docker API running on the Docker Host. Defaults to the latest version of the API supported
+    by Docker SDK for Python.
+
+.. envvar:: DOCKER_TIMEOUT
+
+    The maximum amount of time in seconds to wait on a response from the API.
+
+.. envvar:: DOCKER_CERT_PATH
+
+    Path to the directory containing the client certificate, client key and CA certificate.
+
+.. envvar:: DOCKER_SSL_VERSION
+
+    Provide a valid SSL version number.
+
+.. envvar:: DOCKER_TLS
+
+    Secure the connection to the API by using TLS without verifying the authenticity of the Docker Host.
+
+.. envvar:: DOCKER_TLS_HOSTNAME
+
+    When verifying the authenticity of the Docker Host, uses this hostname to compare to the host's certificate.
+
+.. envvar:: DOCKER_TLS_VERIFY
+
+    Secure the connection to the API by using TLS and verify the authenticity of the Docker Host.
+
+
+Plain Docker daemon: images, networks, volumes, and containers
+--------------------------------------------------------------
+
+For working with a plain Docker daemon, that is without Swarm, there are connection plugins, an inventory plugin, and several modules available:
+
+    docker connection plugin
+        The :ansplugin:`community.docker.docker connection plugin <community.docker.docker#connection>` uses the Docker CLI utility to connect to Docker containers and execute modules in them. It essentially wraps ``docker exec`` and ``docker cp``. This connection plugin is supported by the :ansplugin:`ansible.posix.synchronize module <ansible.posix.synchronize#module>`.
+
+    docker_api connection plugin
+        The :ansplugin:`community.docker.docker_api connection plugin <community.docker.docker_api#connection>` talks directly to the Docker daemon to connect to Docker containers and execute modules in them.
+
+    docker_containers inventory plugin
+        The :ansplugin:`community.docker.docker_containers inventory plugin <community.docker.docker_containers#inventory>` allows you to dynamically add Docker containers from a Docker Daemon to your Ansible inventory. See :ref:`dynamic_inventory` for details on dynamic inventories.
+
+        The `docker inventory script <https://github.com/ansible-community/contrib-scripts/blob/main/inventory/docker.py>`_ is deprecated. Please use the inventory plugin instead. The inventory plugin has several compatibility options. If you need to collect Docker containers from multiple Docker daemons, you need to add every Docker daemon as an individual inventory source.
+
+    docker_host_info module
+        The :ansplugin:`community.docker.docker_host_info module <community.docker.docker_host_info#module>` allows you to retrieve information on a Docker daemon, such as all containers, images, volumes, networks and so on.
+
+    docker_login module
+        The :ansplugin:`community.docker.docker_login module <community.docker.docker_login#module>` allows you to log in and out of a remote registry, such as Docker Hub or a private registry. It provides similar functionality to the ``docker login`` and ``docker logout`` CLI commands.
+
+    docker_prune module
+        The :ansplugin:`community.docker.docker_prune module <community.docker.docker_prune#module>` allows  you to prune no longer needed containers, images, volumes and so on. It provides similar functionality to the ``docker prune`` CLI command.
+
+    docker_image module
+        The :ansplugin:`community.docker.docker_image module <community.docker.docker_image#module>` provides full control over images, including: build, pull, push, tag and remove.
+
+    docker_image_build
+        The :ansplugin:`community.docker.docker_image_build module <community.docker.docker_image_build#module>` allows you to build a Docker image using Docker buildx.
+
+    docker_image_export module
+        The :ansplugin:`community.docker.docker_image_export module <community.docker.docker_image_export#module>` allows you to export (archive) images.
+
+    docker_image_info module
+        The :ansplugin:`community.docker.docker_image_info module <community.docker.docker_image_info#module>` allows you to list and inspect images.
+
+    docker_image_load
+        The :ansplugin:`community.docker.docker_image_load module <community.docker.docker_image_load#module>` allows you to import one or multiple images from tarballs.
+
+    docker_image_pull
+        The :ansplugin:`community.docker.docker_image_pull module <community.docker.docker_image_pull#module>` allows you to pull a Docker image from a registry.
+
+    docker_image_push
+        The :ansplugin:`community.docker.docker_image_push module <community.docker.docker_image_push#module>` allows you to push a Docker image to a registry.
+
+    docker_image_remove
+        The :ansplugin:`community.docker.docker_image_remove module <community.docker.docker_image_remove#module>` allows you to remove and/or untag a Docker image from the Docker daemon.
+
+    docker_image_tag
+        The :ansplugin:`community.docker.docker_image_tag module <community.docker.docker_image_tag#module>` allows you to tag a Docker image with additional names and/or tags.
+
+    docker_network module
+        The :ansplugin:`community.docker.docker_network module <community.docker.docker_network#module>` provides full control over Docker networks.
+
+    docker_network_info module
+        The :ansplugin:`community.docker.docker_network_info module <community.docker.docker_network_info#module>` allows you to inspect Docker networks.
+
+    docker_volume_info module
+        The :ansplugin:`community.docker.docker_volume_info module <community.docker.docker_volume_info#module>` provides full control over Docker volumes.
+
+    docker_volume module
+        The :ansplugin:`community.docker.docker_volume module <community.docker.docker_volume#module>` allows you to inspect Docker volumes.
+
+    docker_container module
+        The :ansplugin:`community.docker.docker_container module <community.docker.docker_container#module>` manages the container lifecycle by providing the ability to create, update, stop, start and destroy a Docker container.
+
+    docker_container_copy_into
+        The :ansplugin:`community.docker.docker_container_copy_into module <community.docker.docker_container_copy_into#module>` allows you to copy files from the control node into a container.
+
+    docker_container_exec
+        The :ansplugin:`community.docker.docker_container_exec module <community.docker.docker_container_exec#module>` allows you to execute commands in a running container.
+
+    docker_container_info module
+        The :ansplugin:`community.docker.docker_container_info module <community.docker.docker_container_info#module>` allows you to inspect a Docker container.
+
+    docker_plugin
+        The :ansplugin:`community.docker.docker_plugin module <community.docker.docker_plugin#module>` allows you to manage Docker plugins.
+
+
+Docker Compose
+--------------
+
+Docker Compose v2
+.................
+
+There are several modules for working with Docker Compose projects:
+
+    community.docker.docker_compose_v2
+        The :ansplugin:`community.docker.docker_compose_v2 module <community.docker.docker_compose_v2#module>` allows you to use your existing Docker Compose files to orchestrate containers on a single Docker daemon or on Swarm.
+
+    community.docker.docker_compose_v2_exec
+        The :ansplugin:`community.docker.docker_compose_v2_exec module <community.docker.docker_compose_v2_exec#module>` allows you to run a command in a container of Docker Compose projects.
+
+    community.docker.docker_compose_v2_pull
+        The :ansplugin:`community.docker.docker_compose_v2_pull module <community.docker.docker_compose_v2_pull#module>` allows you to pull Docker Compose projects.
+
+    community.docker.docker_compose_v2_run
+        The :ansplugin:`community.docker.docker_compose_v2_run module <community.docker.docker_compose_v2_run#module>` allows you to run a command in a new container of a Docker Compose project.
+
+These modules use the Docker CLI "compose" plugin (``docker compose``), and thus needs access to the Docker CLI tool.
+No further requirements next to to the CLI tool and its Docker Compose plugin are needed.
+
+
+Docker Machine
+--------------
+
+The :ansplugin:`community.docker.docker_machine inventory plugin <community.docker.docker_machine#inventory>` allows you to dynamically add Docker Machine hosts to your Ansible inventory.
+
+
+Docker Swarm stack
+------------------
+
+The :ansplugin:`community.docker.docker_stack module <community.docker.docker_stack#module>` module allows you to control Docker Swarm stacks. Information on Swarm stacks can be retrieved by the :ansplugin:`community.docker.docker_stack_info module <community.docker.docker_stack_info#module>`, and information on Swarm stack tasks can be retrieved by the :ansplugin:`community.docker.docker_stack_task_info module <community.docker.docker_stack_task_info#module>`.
+
+
+Docker Swarm
+------------
+
+The community.docker collection provides multiple plugins and modules for managing Docker Swarms.
+
+Swarm management
+................
+
+One inventory plugin and several modules are provided to manage Docker Swarms:
+
+    docker_swarm inventory plugin
+        The :ansplugin:`community.docker.docker_swarm inventory plugin <community.docker.docker_swarm#inventory>` allows  you to dynamically add all Docker Swarm nodes to your Ansible inventory.
+
+    docker_swarm module
+        The :ansplugin:`community.docker.docker_swarm module <community.docker.docker_swarm#module>` allows you to globally configure Docker Swarm manager nodes to join and leave swarms, and to change the Docker Swarm configuration.
+
+    docker_swarm_info module
+        The :ansplugin:`community.docker.docker_swarm_info module <community.docker.docker_swarm_info#module>` allows  you to retrieve information on Docker Swarm.
+
+    docker_node module
+        The :ansplugin:`community.docker.docker_node module <community.docker.docker_node#module>` allows you to manage Docker Swarm nodes.
+
+    docker_node_info module
+        The :ansplugin:`community.docker.docker_node_info module <community.docker.docker_node_info#module>` allows you to retrieve information on Docker Swarm nodes.
+
+Configuration management
+........................
+
+The community.docker collection offers modules to manage Docker Swarm configurations and secrets:
+
+    docker_config module
+        The :ansplugin:`community.docker.docker_config module <community.docker.docker_config#module>` allows you to create and modify Docker Swarm configs.
+
+    docker_secret module
+        The :ansplugin:`community.docker.docker_secret module <community.docker.docker_secret#module>` allows you to create and modify Docker Swarm secrets.
+
+Swarm services
+..............
+
+Docker Swarm services can be created and updated with the :ansplugin:`community.docker.docker_swarm_service module <community.docker.docker_swarm_service#module>`, and information on them can be queried by the :ansplugin:`community.docker.docker_swarm_service_info module <community.docker.docker_swarm_service_info#module>`.
diff --git a/ansible_collections/community/docker/meta/ee-bindep.txt b/ansible_collections/community/docker/meta/ee-bindep.txt
new file mode 100644
index 00000000..6ffd5ab0
--- /dev/null
+++ b/ansible_collections/community/docker/meta/ee-bindep.txt
@@ -0,0 +1,3 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/meta/ee-requirements.txt b/ansible_collections/community/docker/meta/ee-requirements.txt
new file mode 100644
index 00000000..099dcf9a
--- /dev/null
+++ b/ansible_collections/community/docker/meta/ee-requirements.txt
@@ -0,0 +1,16 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker
+urllib3
+requests
+paramiko
+pyyaml
+
+# We assume that EEs are not based on Windows, and have Python >= 3.5.
+# (ansible-builder does not support conditionals, it will simply add
+# the following unconditionally to the requirements)
+#
+# pywin32 ; sys_platform == 'win32'
+# backports.ssl-match-hostname ; python_version < '3.5'
diff --git a/ansible_collections/community/docker/meta/execution-environment.yml b/ansible_collections/community/docker/meta/execution-environment.yml
new file mode 100644
index 00000000..9da98891
--- /dev/null
+++ b/ansible_collections/community/docker/meta/execution-environment.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: 1
+dependencies:
+  python: meta/ee-requirements.txt
+  system: meta/ee-bindep.txt
diff --git a/ansible_collections/community/docker/meta/runtime.yml b/ansible_collections/community/docker/meta/runtime.yml
new file mode 100644
index 00000000..2ad0ed18
--- /dev/null
+++ b/ansible_collections/community/docker/meta/runtime.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+requires_ansible: '>=2.17.0'
+action_groups:
+  docker:
+    - docker_compose_v2
+    - docker_compose_v2_exec
+    - docker_compose_v2_pull
+    - docker_compose_v2_run
+    - docker_config
+    - docker_container
+    - docker_container_copy_into
+    - docker_container_exec
+    - docker_container_info
+    - docker_host_info
+    - docker_image
+    - docker_image_build
+    - docker_image_export
+    - docker_image_info
+    - docker_image_load
+    - docker_image_pull
+    - docker_image_push
+    - docker_image_remove
+    - docker_image_tag
+    - docker_login
+    - docker_network
+    - docker_network_info
+    - docker_node
+    - docker_node_info
+    - docker_plugin
+    - docker_prune
+    - docker_secret
+    - docker_stack
+    - docker_stack_info
+    - docker_stack_task_info
+    - docker_swarm
+    - docker_swarm_info
+    - docker_swarm_service
+    - docker_swarm_service_info
+    - docker_volume
+    - docker_volume_info
+
+plugin_routing:
+  modules:
+    docker_compose:
+      tombstone:
+        removal_version: 4.0.0
+        warning_text: This module uses docker-compose v1, which is End of Life since July 2022. Please migrate to community.docker.docker_compose_v2.
diff --git a/ansible_collections/community/docker/noxfile.py b/ansible_collections/community/docker/noxfile.py
new file mode 100644
index 00000000..9436f726
--- /dev/null
+++ b/ansible_collections/community/docker/noxfile.py
@@ -0,0 +1,26 @@
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+# /// script
+# dependencies = ["nox>=2025.02.09", "antsibull-nox"]
+# ///
+
+import sys
+
+import nox
+
+try:
+    import antsibull_nox
+except ImportError:
+    print("You need to install antsibull-nox in the same Python environment as nox.")
+    sys.exit(1)
+
+
+antsibull_nox.load_antsibull_nox_toml()
+
+
+# Allow to run the noxfile with `python noxfile.py`, `pipx run noxfile.py`, or similar.
+# Requires nox >= 2025.02.09
+if __name__ == "__main__":
+    nox.main()
diff --git a/ansible_collections/community/docker/plugins/action/docker_container_copy_into.py b/ansible_collections/community/docker/plugins/action/docker_container_copy_into.py
new file mode 100644
index 00000000..25306d43
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/action/docker_container_copy_into.py
@@ -0,0 +1,49 @@
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import base64
+import typing as t
+
+from ansible import constants as C
+from ansible.plugins.action import ActionBase
+from ansible.utils.vars import merge_hash
+
+from ansible_collections.community.docker.plugins.module_utils._scramble import (
+    unscramble,
+)
+
+
+class ActionModule(ActionBase):
+    # Set to True when transferring files to the remote
+    TRANSFERS_FILES = False
+
+    def run(
+        self, tmp: str | None = None, task_vars: dict[str, t.Any] | None = None
+    ) -> dict[str, t.Any]:
+        self._supports_check_mode = True
+        self._supports_async = True
+
+        result = super().run(tmp, task_vars)
+        del tmp  # tmp no longer has any effect
+
+        # pylint: disable-next=no-member
+        max_file_size_for_diff: int = C.MAX_FILE_SIZE_FOR_DIFF  # type: ignore
+        self._task.args["_max_file_size_for_diff"] = max_file_size_for_diff
+
+        result = merge_hash(
+            result,
+            self._execute_module(task_vars=task_vars, wrap_async=self._task.async_val),
+        )
+
+        if "diff" in result and result["diff"].get("scrambled_diff"):
+            # Scrambling is not done for security, but to avoid no_log screwing up the diff
+            diff = result["diff"]
+            key = base64.b64decode(diff.pop("scrambled_diff"))
+            for k in ("before", "after"):
+                if k in diff:
+                    diff[k] = unscramble(diff[k], key)
+
+        return result
diff --git a/ansible_collections/community/docker/plugins/connection/docker.py b/ansible_collections/community/docker/plugins/connection/docker.py
new file mode 100644
index 00000000..2c492fe7
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/connection/docker.py
@@ -0,0 +1,623 @@
+# Based on the chroot connection plugin by Maykel Moya
+#
+# (c) 2014, Lorin Hochstein
+# (c) 2015, Leendert Brouwer (https://github.com/objectified)
+# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
+# Copyright (c) 2017 Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+author:
+  - Lorin Hochestein (!UNKNOWN)
+  - Leendert Brouwer (!UNKNOWN)
+name: docker
+short_description: Run tasks in docker containers
+description:
+  - Run commands or put/fetch files to an existing docker container.
+  - Uses the Docker CLI to execute commands in the container. If you prefer to directly connect to the Docker daemon, use
+    the P(community.docker.docker_api#connection) connection plugin.
+options:
+  remote_addr:
+    description:
+      - The name of the container you want to access.
+    default: inventory_hostname
+    vars:
+      - name: inventory_hostname
+      - name: ansible_host
+      - name: ansible_docker_host
+  remote_user:
+    description:
+      - The user to execute as inside the container.
+      - If Docker is too old to allow this (< 1.7), the one set by Docker itself will be used.
+    vars:
+      - name: ansible_user
+      - name: ansible_docker_user
+    ini:
+      - section: defaults
+        key: remote_user
+    env:
+      - name: ANSIBLE_REMOTE_USER
+    cli:
+      - name: user
+    keyword:
+      - name: remote_user
+  docker_extra_args:
+    description:
+      - Extra arguments to pass to the docker command line.
+    default: ''
+    vars:
+      - name: ansible_docker_extra_args
+    ini:
+      - section: docker_connection
+        key: extra_cli_args
+  container_timeout:
+    default: 10
+    description:
+      - Controls how long we can wait to access reading output from the container once execution started.
+    env:
+      - name: ANSIBLE_TIMEOUT
+      - name: ANSIBLE_DOCKER_TIMEOUT
+        version_added: 2.2.0
+    ini:
+      - key: timeout
+        section: defaults
+      - key: timeout
+        section: docker_connection
+        version_added: 2.2.0
+    vars:
+      - name: ansible_docker_timeout
+        version_added: 2.2.0
+    cli:
+      - name: timeout
+    type: integer
+  extra_env:
+    description:
+      - Provide extra environment variables to set when running commands in the Docker container.
+      - This option can currently only be provided as Ansible variables due to limitations of ansible-core's configuration
+        manager.
+    vars:
+      - name: ansible_docker_extra_env
+    type: dict
+    version_added: 3.12.0
+  working_dir:
+    description:
+      - The directory inside the container to run commands in.
+      - Requires Docker CLI version 18.06 or later.
+    env:
+      - name: ANSIBLE_DOCKER_WORKING_DIR
+    ini:
+      - key: working_dir
+        section: docker_connection
+    vars:
+      - name: ansible_docker_working_dir
+    type: string
+    version_added: 3.12.0
+  privileged:
+    description:
+      - Whether commands should be run with extended privileges.
+      - B(Note) that this allows command to potentially break out of the container. Use with care!
+    env:
+      - name: ANSIBLE_DOCKER_PRIVILEGED
+    ini:
+      - key: privileged
+        section: docker_connection
+    vars:
+      - name: ansible_docker_privileged
+    type: boolean
+    default: false
+    version_added: 3.12.0
+"""
+
+import fcntl
+import os
+import os.path
+import re
+import selectors
+import subprocess
+import typing as t
+from shlex import quote
+
+from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleFileNotFound
+from ansible.module_utils.common.process import get_bin_path
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible.plugins.connection import BUFSIZE, ConnectionBase
+from ansible.utils.display import Display
+
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+display = Display()
+
+
+class Connection(ConnectionBase):
+    """Local docker based connections"""
+
+    transport = "community.docker.docker"
+    has_pipelining = True
+
+    def __init__(self, *args: t.Any, **kwargs: t.Any) -> None:
+        super().__init__(*args, **kwargs)
+
+        # Note: docker supports running as non-root in some configurations.
+        # (For instance, setting the UNIX socket file to be readable and
+        # writable by a specific UNIX group and then putting users into that
+        # group).  Therefore we do not check that the user is root when using
+        # this connection.  But if the user is getting a permission denied
+        # error it probably means that docker on their system is only
+        # configured to be connected to by root and they are not running as
+        # root.
+
+        self._docker_args: list[bytes | str] = []
+        self._container_user_cache: dict[str, str | None] = {}
+        self._version: str | None = None
+        self.remote_user: str | None = None
+        self.timeout: int | float | None = None
+
+        # Windows uses Powershell modules
+        if getattr(self._shell, "_IS_WINDOWS", False):
+            self.module_implementation_preferences = (".ps1", ".exe", "")
+
+        if "docker_command" in kwargs:
+            self.docker_cmd = kwargs["docker_command"]
+        else:
+            try:
+                self.docker_cmd = get_bin_path("docker")
+            except ValueError as exc:
+                raise AnsibleError("docker command not found in PATH") from exc
+
+    @staticmethod
+    def _sanitize_version(version: str) -> str:
+        version = re.sub("[^0-9a-zA-Z.]", "", version)
+        version = re.sub("^v", "", version)
+        return version
+
+    def _old_docker_version(self) -> tuple[list[str], str, bytes, int]:
+        cmd_args = self._docker_args
+
+        old_version_subcommand = ["version"]
+
+        old_docker_cmd = [self.docker_cmd] + cmd_args + old_version_subcommand
+        with subprocess.Popen(
+            old_docker_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+        ) as p:
+            cmd_output, err = p.communicate()
+
+        return old_docker_cmd, to_text(cmd_output), err, p.returncode
+
+    def _new_docker_version(self) -> tuple[list[str], str, bytes, int]:
+        # no result yet, must be newer Docker version
+        cmd_args = self._docker_args
+
+        new_version_subcommand = ["version", "--format", "'{{.Server.Version}}'"]
+
+        new_docker_cmd = [self.docker_cmd] + cmd_args + new_version_subcommand
+        with subprocess.Popen(
+            new_docker_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+        ) as p:
+            cmd_output, err = p.communicate()
+            return new_docker_cmd, to_text(cmd_output), err, p.returncode
+
+    def _get_docker_version(self) -> str:
+        cmd, cmd_output, err, returncode = self._old_docker_version()
+        if returncode == 0:
+            for line in to_text(cmd_output, errors="surrogate_or_strict").split("\n"):
+                if line.startswith("Server version:"):  # old docker versions
+                    return self._sanitize_version(line.split()[2])
+
+        cmd, cmd_output, err, returncode = self._new_docker_version()
+        if returncode:
+            raise AnsibleError(
+                f"Docker version check ({to_text(cmd)}) failed: {to_text(err)}"
+            )
+
+        return self._sanitize_version(to_text(cmd_output, errors="surrogate_or_strict"))
+
+    def _get_docker_remote_user(self) -> str | None:
+        """Get the default user configured in the docker container"""
+        container = self.get_option("remote_addr")
+        if container in self._container_user_cache:
+            return self._container_user_cache[container]
+        with subprocess.Popen(
+            [self.docker_cmd, "inspect", "--format", "{{.Config.User}}", container],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        ) as p:
+            out_b, err_b = p.communicate()
+            out = to_text(out_b, errors="surrogate_or_strict")
+
+            if p.returncode != 0:
+                display.warning(
+                    f"unable to retrieve default user from docker container: {out} {to_text(err_b)}"
+                )
+                self._container_user_cache[container] = None
+                return None
+
+        # The default exec user is root, unless it was changed in the Dockerfile with USER
+        user = out.strip() or "root"
+        self._container_user_cache[container] = user
+        return user
+
+    def _build_exec_cmd(self, cmd: list[bytes | str]) -> list[bytes | str]:
+        """Build the local docker exec command to run cmd on remote_host
+
+        If remote_user is available and is supported by the docker
+        version we are using, it will be provided to docker exec.
+        """
+
+        local_cmd = [self.docker_cmd]
+
+        if self._docker_args:
+            local_cmd += self._docker_args
+
+        local_cmd += [b"exec"]
+
+        if self.remote_user is not None:
+            local_cmd += [b"-u", self.remote_user]
+
+        if self.get_option("extra_env"):
+            for k, v in self.get_option("extra_env").items():
+                for val, what in ((k, "Key"), (v, "Value")):
+                    if not isinstance(val, str):
+                        raise AnsibleConnectionFailure(
+                            f"Non-string {what.lower()} found for extra_env option. Ambiguous env options must be "
+                            "wrapped in quotes to avoid them being interpreted when directly specified "
+                            "in YAML, or explicitly converted to strings when the option is templated. "
+                            f"{what}: {val!r}"
+                        )
+                local_cmd += [
+                    b"-e",
+                    b"%s=%s"
+                    % (
+                        to_bytes(k, errors="surrogate_or_strict"),
+                        to_bytes(v, errors="surrogate_or_strict"),
+                    ),
+                ]
+
+        if self.get_option("working_dir") is not None:
+            local_cmd += [
+                b"-w",
+                to_bytes(self.get_option("working_dir"), errors="surrogate_or_strict"),
+            ]
+            if self.docker_version != "dev" and LooseVersion(
+                self.docker_version
+            ) < LooseVersion("18.06"):
+                # https://github.com/docker/cli/pull/732, first appeared in release 18.06.0
+                raise AnsibleConnectionFailure(
+                    f"Providing the working directory requires Docker CLI version 18.06 or newer. You have Docker CLI version {self.docker_version}."
+                )
+
+        if self.get_option("privileged"):
+            local_cmd += [b"--privileged"]
+
+        # -i is needed to keep stdin open which allows pipelining to work
+        local_cmd += [b"-i", self.get_option("remote_addr")] + cmd
+
+        return local_cmd
+
+    def _set_docker_args(self) -> None:
+        # TODO: this is mostly for backwards compatibility, play_context is used as fallback for older versions
+        # docker arguments
+        del self._docker_args[:]
+        extra_args = self.get_option("docker_extra_args") or getattr(
+            self._play_context, "docker_extra_args", ""
+        )
+        if extra_args:
+            self._docker_args += extra_args.split(" ")
+
+    def _set_conn_data(self) -> None:
+        """initialize for the connection, cannot do only in init since all data is not ready at that point"""
+
+        self._set_docker_args()
+
+        self.remote_user = self.get_option("remote_user")
+        if self.remote_user is None and self._play_context.remote_user is not None:
+            self.remote_user = self._play_context.remote_user
+
+        # timeout, use unless default and pc is different, backwards compat
+        self.timeout = self.get_option("container_timeout")
+        if self.timeout == 10 and self.timeout != self._play_context.timeout:
+            self.timeout = self._play_context.timeout
+
+    @property
+    def docker_version(self) -> str:
+        if not self._version:
+            self._set_docker_args()
+
+            self._version = self._get_docker_version()
+            if self._version == "dev":
+                display.warning(
+                    'Docker version number is "dev". Will assume latest version.'
+                )
+            if self._version != "dev" and LooseVersion(self._version) < LooseVersion(
+                "1.3"
+            ):
+                raise AnsibleError(
+                    "docker connection type requires docker 1.3 or higher"
+                )
+        return self._version
+
+    def _get_actual_user(self) -> str | None:
+        if self.remote_user is not None:
+            # An explicit user is provided
+            if self.docker_version == "dev" or LooseVersion(
+                self.docker_version
+            ) >= LooseVersion("1.7"):
+                # Support for specifying the exec user was added in docker 1.7
+                return self.remote_user
+            self.remote_user = None
+            actual_user = self._get_docker_remote_user()
+            if actual_user != self.get_option("remote_user"):
+                display.warning(
+                    f"docker {self.docker_version} does not support remote_user, using container default: {actual_user or '?'}"
+                )
+            return actual_user
+        if self._display.verbosity > 2:
+            # Since we are not setting the actual_user, look it up so we have it for logging later
+            # Only do this if display verbosity is high enough that we'll need the value
+            # This saves overhead from calling into docker when we do not need to.
+            return self._get_docker_remote_user()
+        return None
+
+    def _connect(self) -> t.Self:
+        """Connect to the container. Nothing to do"""
+        super()._connect()  # type: ignore[safe-super]
+        if not self._connected:
+            self._set_conn_data()
+            actual_user = self._get_actual_user()
+            display.vvv(
+                f"ESTABLISH DOCKER CONNECTION FOR USER: {actual_user or '?'}",
+                host=self.get_option("remote_addr"),
+            )
+            self._connected = True
+        return self
+
+    def exec_command(
+        self, cmd: str, in_data: bytes | None = None, sudoable: bool = False
+    ) -> tuple[int, bytes, bytes]:
+        """Run a command on the docker host"""
+
+        self._set_conn_data()
+
+        super().exec_command(cmd, in_data=in_data, sudoable=sudoable)  # type: ignore[safe-super]
+
+        local_cmd = self._build_exec_cmd([self._play_context.executable, "-c", cmd])
+
+        display.vvv(f"EXEC {to_text(local_cmd)}", host=self.get_option("remote_addr"))
+        display.debug("opening command with Popen()")
+
+        local_cmd = [to_bytes(i, errors="surrogate_or_strict") for i in local_cmd]
+
+        with subprocess.Popen(
+            local_cmd,
+            stdin=subprocess.PIPE,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        ) as p:
+            assert p.stdin is not None
+            assert p.stdout is not None
+            assert p.stderr is not None
+            display.debug("done running command with Popen()")
+
+            if self.become and self.become.expect_prompt() and sudoable:
+                fcntl.fcntl(
+                    p.stdout,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stdout, fcntl.F_GETFL) | os.O_NONBLOCK,
+                )
+                fcntl.fcntl(
+                    p.stderr,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stderr, fcntl.F_GETFL) | os.O_NONBLOCK,
+                )
+                selector = selectors.DefaultSelector()
+                selector.register(p.stdout, selectors.EVENT_READ)
+                selector.register(p.stderr, selectors.EVENT_READ)
+
+                become_output = b""
+                try:
+                    while not self.become.check_success(
+                        become_output
+                    ) and not self.become.check_password_prompt(become_output):
+                        events = selector.select(self.timeout)
+                        if not events:
+                            stdout, stderr = p.communicate()
+                            raise AnsibleError(
+                                "timeout waiting for privilege escalation password prompt:\n"
+                                + to_text(become_output)
+                            )
+
+                        chunks = b""
+                        for key, dummy_event in events:
+                            if key.fileobj == p.stdout:
+                                chunk = p.stdout.read()
+                                if chunk:
+                                    chunks += chunk
+                            elif key.fileobj == p.stderr:
+                                chunk = p.stderr.read()
+                                if chunk:
+                                    chunks += chunk
+
+                        if not chunks:
+                            stdout, stderr = p.communicate()
+                            raise AnsibleError(
+                                "privilege output closed while waiting for password prompt:\n"
+                                + to_text(become_output)
+                            )
+                        become_output += chunks
+                finally:
+                    selector.close()
+
+                if not self.become.check_success(become_output):
+                    become_pass = self.become.get_option(
+                        "become_pass", playcontext=self._play_context
+                    )
+                    p.stdin.write(
+                        to_bytes(become_pass, errors="surrogate_or_strict") + b"\n"
+                    )
+                fcntl.fcntl(
+                    p.stdout,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stdout, fcntl.F_GETFL) & ~os.O_NONBLOCK,
+                )
+                fcntl.fcntl(
+                    p.stderr,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stderr, fcntl.F_GETFL) & ~os.O_NONBLOCK,
+                )
+
+            display.debug("getting output with communicate()")
+            stdout, stderr = p.communicate(in_data)
+            display.debug("done communicating")
+
+            display.debug("done with docker.exec_command()")
+            return (p.returncode, stdout, stderr)
+
+    def _prefix_login_path(self, remote_path: str) -> str:
+        """Make sure that we put files into a standard path
+
+        If a path is relative, then we need to choose where to put it.
+        ssh chooses $HOME but we are not guaranteed that a home dir will
+        exist in any given chroot.  So for now we are choosing "/" instead.
+        This also happens to be the former default.
+
+        Can revisit using $HOME instead if it is a problem
+        """
+        if getattr(self._shell, "_IS_WINDOWS", False):
+            import ntpath
+
+            return ntpath.normpath(remote_path)
+        if not remote_path.startswith(os.path.sep):
+            remote_path = os.path.join(os.path.sep, remote_path)
+        return os.path.normpath(remote_path)
+
+    def put_file(self, in_path: str, out_path: str) -> None:
+        """Transfer a file from local to docker container"""
+        self._set_conn_data()
+        super().put_file(in_path, out_path)  # type: ignore[safe-super]
+        display.vvv(f"PUT {in_path} TO {out_path}", host=self.get_option("remote_addr"))
+
+        out_path = self._prefix_login_path(out_path)
+        if not os.path.exists(to_bytes(in_path, errors="surrogate_or_strict")):
+            raise AnsibleFileNotFound(
+                f"file or module does not exist: {to_text(in_path)}"
+            )
+
+        out_path = quote(out_path)
+        # Older docker does not have native support for copying files into
+        # running containers, so we use docker exec to implement this
+        # Although docker version 1.8 and later provide support, the
+        # owner and group of the files are always set to root
+        with open(to_bytes(in_path, errors="surrogate_or_strict"), "rb") as in_file:
+            if not os.fstat(in_file.fileno()).st_size:
+                count = " count=0"
+            else:
+                count = ""
+            args = self._build_exec_cmd(
+                [
+                    self._play_context.executable,
+                    "-c",
+                    f"dd of={out_path} bs={BUFSIZE}{count}",
+                ]
+            )
+            args = [to_bytes(i, errors="surrogate_or_strict") for i in args]
+            try:
+                # pylint: disable-next=consider-using-with
+                p = subprocess.Popen(
+                    args, stdin=in_file, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+                )
+            except OSError as exc:
+                raise AnsibleError(
+                    "docker connection requires dd command in the container to put files"
+                ) from exc
+            stdout, stderr = p.communicate()
+
+            if p.returncode != 0:
+                raise AnsibleError(
+                    f"failed to transfer file {to_text(in_path)} to {to_text(out_path)}:\n{to_text(stdout)}\n{to_text(stderr)}"
+                )
+
+    def fetch_file(self, in_path: str, out_path: str) -> None:
+        """Fetch a file from container to local."""
+        self._set_conn_data()
+        super().fetch_file(in_path, out_path)  # type: ignore[safe-super]
+        display.vvv(
+            f"FETCH {in_path} TO {out_path}", host=self.get_option("remote_addr")
+        )
+
+        in_path = self._prefix_login_path(in_path)
+        # out_path is the final file path, but docker takes a directory, not a
+        # file path
+        out_dir = os.path.dirname(out_path)
+
+        args = [
+            self.docker_cmd,
+            "cp",
+            f"{self.get_option('remote_addr')}:{in_path}",
+            out_dir,
+        ]
+        args = [to_bytes(i, errors="surrogate_or_strict") for i in args]
+
+        with subprocess.Popen(
+            args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+        ) as p:
+            p.communicate()
+
+            if getattr(self._shell, "_IS_WINDOWS", False):
+                import ntpath
+
+                actual_out_path = ntpath.join(out_dir, ntpath.basename(in_path))
+            else:
+                actual_out_path = os.path.join(out_dir, os.path.basename(in_path))
+
+            if p.returncode != 0:
+                # Older docker does not have native support for fetching files command `cp`
+                # If `cp` fails, try to use `dd` instead
+                args = self._build_exec_cmd(
+                    [
+                        self._play_context.executable,
+                        "-c",
+                        f"dd if={in_path} bs={BUFSIZE}",
+                    ]
+                )
+                args = [to_bytes(i, errors="surrogate_or_strict") for i in args]
+                with open(
+                    to_bytes(actual_out_path, errors="surrogate_or_strict"), "wb"
+                ) as out_file:
+                    try:
+                        # pylint: disable-next=consider-using-with
+                        pp = subprocess.Popen(
+                            args,
+                            stdin=subprocess.PIPE,
+                            stdout=out_file,
+                            stderr=subprocess.PIPE,
+                        )
+                    except OSError as exc:
+                        raise AnsibleError(
+                            "docker connection requires dd command in the container to put files"
+                        ) from exc
+                    stdout, stderr = pp.communicate()
+
+                    if pp.returncode != 0:
+                        raise AnsibleError(
+                            f"failed to fetch file {in_path} to {out_path}:\n{stdout!r}\n{stderr!r}"
+                        )
+
+        # Rename if needed
+        if actual_out_path != out_path:
+            os.rename(
+                to_bytes(actual_out_path, errors="strict"),
+                to_bytes(out_path, errors="strict"),
+            )
+
+    def close(self) -> None:
+        """Terminate the connection. Nothing to do for Docker"""
+        super().close()  # type: ignore[safe-super]
+        self._connected = False
+
+    def reset(self) -> None:
+        # Clear container user cache
+        self._container_user_cache = {}
diff --git a/ansible_collections/community/docker/plugins/connection/docker_api.py b/ansible_collections/community/docker/plugins/connection/docker_api.py
new file mode 100644
index 00000000..6338b4a8
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/connection/docker_api.py
@@ -0,0 +1,479 @@
+# Copyright (c) 2019-2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+author:
+  - Felix Fontein (@felixfontein)
+name: docker_api
+short_description: Run tasks in docker containers
+version_added: 1.1.0
+description:
+  - Run commands or put/fetch files to an existing docker container.
+  - Uses the L(requests library,https://pypi.org/project/requests/) to interact directly with the Docker daemon instead of
+    using the Docker CLI. Use the P(community.docker.docker#connection) connection plugin if you want to use the Docker CLI.
+notes:
+  - Does B(not work with TCP TLS sockets)! This is caused by the inability to send C(close_notify) without closing the connection
+    with Python's C(SSLSocket)s. See U(https://github.com/ansible-collections/community.docker/issues/605) for more information.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._docker.var_names
+options:
+  remote_user:
+    type: str
+    description:
+      - The user to execute as inside the container.
+    vars:
+      - name: ansible_user
+      - name: ansible_docker_user
+    ini:
+      - section: defaults
+        key: remote_user
+    env:
+      - name: ANSIBLE_REMOTE_USER
+    cli:
+      - name: user
+    keyword:
+      - name: remote_user
+  remote_addr:
+    type: str
+    description:
+      - The name of the container you want to access.
+    default: inventory_hostname
+    vars:
+      - name: inventory_hostname
+      - name: ansible_host
+      - name: ansible_docker_host
+  container_timeout:
+    default: 10
+    description:
+      - Controls how long we can wait to access reading output from the container once execution started.
+    env:
+      - name: ANSIBLE_TIMEOUT
+      - name: ANSIBLE_DOCKER_TIMEOUT
+        version_added: 2.2.0
+    ini:
+      - key: timeout
+        section: defaults
+      - key: timeout
+        section: docker_connection
+        version_added: 2.2.0
+    vars:
+      - name: ansible_docker_timeout
+        version_added: 2.2.0
+    cli:
+      - name: timeout
+    type: integer
+  extra_env:
+    description:
+      - Provide extra environment variables to set when running commands in the Docker container.
+      - This option can currently only be provided as Ansible variables due to limitations of ansible-core's configuration
+        manager.
+    vars:
+      - name: ansible_docker_extra_env
+    type: dict
+    version_added: 3.12.0
+  working_dir:
+    description:
+      - The directory inside the container to run commands in.
+      - Requires Docker API version 1.35 or later.
+    env:
+      - name: ANSIBLE_DOCKER_WORKING_DIR
+    ini:
+      - key: working_dir
+        section: docker_connection
+    vars:
+      - name: ansible_docker_working_dir
+    type: string
+    version_added: 3.12.0
+  privileged:
+    description:
+      - Whether commands should be run with extended privileges.
+      - B(Note) that this allows command to potentially break out of the container. Use with care!
+    env:
+      - name: ANSIBLE_DOCKER_PRIVILEGED
+    ini:
+      - key: privileged
+        section: docker_connection
+    vars:
+      - name: ansible_docker_privileged
+    type: boolean
+    default: false
+    version_added: 3.12.0
+"""
+
+import os
+import os.path
+import typing as t
+
+from ansible.errors import AnsibleConnectionFailure, AnsibleFileNotFound
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible.plugins.connection import ConnectionBase
+from ansible.utils.display import Display
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._copy import (
+    DockerFileCopyError,
+    DockerFileNotFound,
+    fetch_file,
+    put_file,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+from ansible_collections.community.docker.plugins.plugin_utils._common_api import (
+    AnsibleDockerClient,
+)
+from ansible_collections.community.docker.plugins.plugin_utils._socket_handler import (
+    DockerSocketHandler,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+    _T = t.TypeVar("_T")
+
+
+MIN_DOCKER_API = None
+
+
+display = Display()
+
+
+class Connection(ConnectionBase):
+    """Local docker based connections"""
+
+    transport = "community.docker.docker_api"
+    has_pipelining = True
+
+    def _call_client(
+        self,
+        f: Callable[[AnsibleDockerClient], _T],
+        not_found_can_be_resource: bool = False,
+    ) -> _T:
+        if self.client is None:
+            raise AssertionError("Client must be present")
+        remote_addr = self.get_option("remote_addr")
+        try:
+            return f(self.client)
+        except NotFound as e:
+            if not_found_can_be_resource:
+                raise AnsibleConnectionFailure(
+                    f'Could not find container "{remote_addr}" or resource in it ({e})'
+                ) from e
+            raise AnsibleConnectionFailure(
+                f'Could not find container "{remote_addr}" ({e})'
+            ) from e
+        except APIError as e:
+            if e.response is not None and e.response.status_code == 409:
+                raise AnsibleConnectionFailure(
+                    f'The container "{remote_addr}" has been paused ({e})'
+                ) from e
+            self.client.fail(
+                f'An unexpected Docker error occurred for container "{remote_addr}": {e}'
+            )
+        except DockerException as e:
+            self.client.fail(
+                f'An unexpected Docker error occurred for container "{remote_addr}": {e}'
+            )
+        except RequestException as e:
+            self.client.fail(
+                f'An unexpected requests error occurred for container "{remote_addr}" when trying to talk to the Docker daemon: {e}'
+            )
+
+    def __init__(self, *args: t.Any, **kwargs: t.Any) -> None:
+        super().__init__(*args, **kwargs)
+
+        self.client: AnsibleDockerClient | None = None
+        self.ids: dict[str | None, tuple[int, int]] = {}
+
+        # Windows uses Powershell modules
+        if getattr(self._shell, "_IS_WINDOWS", False):
+            self.module_implementation_preferences = (".ps1", ".exe", "")
+
+        self.actual_user: str | None = None
+
+    def _connect(self) -> Connection:
+        """Connect to the container. Nothing to do"""
+        super()._connect()  # type: ignore[safe-super]
+        if not self._connected:
+            self.actual_user = self.get_option("remote_user")
+            display.vvv(
+                f"ESTABLISH DOCKER CONNECTION FOR USER: {self.actual_user or '?'}",
+                host=self.get_option("remote_addr"),
+            )
+            if self.client is None:
+                self.client = AnsibleDockerClient(
+                    self, min_docker_api_version=MIN_DOCKER_API
+                )
+            self._connected = True
+
+            if self.actual_user is None and display.verbosity > 2:
+                # Since we are not setting the actual_user, look it up so we have it for logging later
+                # Only do this if display verbosity is high enough that we'll need the value
+                # This saves overhead from calling into docker when we do not need to
+                display.vvv("Trying to determine actual user")
+                result = self._call_client(
+                    lambda client: client.get_json(
+                        "/containers/{0}/json", self.get_option("remote_addr")
+                    )
+                )
+                if result.get("Config"):
+                    self.actual_user = result["Config"].get("User")
+                    if self.actual_user is not None:
+                        display.vvv(f"Actual user is '{self.actual_user}'")
+
+        return self
+
+    def exec_command(
+        self, cmd: str, in_data: bytes | None = None, sudoable: bool = False
+    ) -> tuple[int, bytes, bytes]:
+        """Run a command on the docker host"""
+
+        super().exec_command(cmd, in_data=in_data, sudoable=sudoable)  # type: ignore[safe-super]
+
+        if self.client is None:
+            raise AssertionError("Client must be present")
+
+        command = [self._play_context.executable, "-c", cmd]
+
+        do_become = self.become and self.become.expect_prompt() and sudoable
+
+        stdin_part = (
+            f", with stdin ({len(in_data)} bytes)" if in_data is not None else ""
+        )
+        become_part = ", with become prompt" if do_become else ""
+        display.vvv(
+            f"EXEC {to_text(command)}{stdin_part}{become_part}",
+            host=self.get_option("remote_addr"),
+        )
+
+        need_stdin = bool((in_data is not None) or do_become)
+
+        data = {
+            "Container": self.get_option("remote_addr"),
+            "User": self.get_option("remote_user") or "",
+            "Privileged": self.get_option("privileged"),
+            "Tty": False,
+            "AttachStdin": need_stdin,
+            "AttachStdout": True,
+            "AttachStderr": True,
+            "Cmd": command,
+        }
+
+        if "detachKeys" in self.client._general_configs:
+            data["detachKeys"] = self.client._general_configs["detachKeys"]
+
+        if self.get_option("extra_env"):
+            data["Env"] = []
+            for k, v in self.get_option("extra_env").items():
+                for val, what in ((k, "Key"), (v, "Value")):
+                    if not isinstance(val, str):
+                        raise AnsibleConnectionFailure(
+                            f"Non-string {what.lower()} found for extra_env option. Ambiguous env options must be "
+                            "wrapped in quotes to avoid them being interpreted when directly specified "
+                            "in YAML, or explicitly converted to strings when the option is templated. "
+                            f"{what}: {val!r}"
+                        )
+                data["Env"].append(f"{k}={v}")
+
+        if self.get_option("working_dir") is not None:
+            data["WorkingDir"] = self.get_option("working_dir")
+            if self.client.docker_api_version < LooseVersion("1.35"):
+                raise AnsibleConnectionFailure(
+                    "Providing the working directory requires Docker API version 1.35 or newer."
+                    f" The Docker daemon the connection is using has API version {self.client.docker_api_version_str}."
+                )
+
+        exec_data = self._call_client(
+            lambda client: client.post_json_to_json(
+                "/containers/{0}/exec", self.get_option("remote_addr"), data=data
+            )
+        )
+        exec_id = exec_data["Id"]
+
+        data = {"Tty": False, "Detach": False}
+        if need_stdin:
+            exec_socket = self._call_client(
+                lambda client: client.post_json_to_stream_socket(
+                    "/exec/{0}/start", exec_id, data=data
+                )
+            )
+            try:
+                with DockerSocketHandler(
+                    display, exec_socket, container=self.get_option("remote_addr")
+                ) as exec_socket_handler:
+                    if do_become:
+                        assert self.become is not None
+
+                        become_output = [b""]
+
+                        def append_become_output(stream_id: int, data: bytes) -> None:
+                            become_output[0] += data
+
+                        exec_socket_handler.set_block_done_callback(
+                            append_become_output
+                        )
+
+                        while not self.become.check_success(
+                            become_output[0]
+                        ) and not self.become.check_password_prompt(become_output[0]):
+                            if not exec_socket_handler.select(
+                                self.get_option("container_timeout")
+                            ):
+                                stdout, stderr = exec_socket_handler.consume()
+                                raise AnsibleConnectionFailure(
+                                    "timeout waiting for privilege escalation password prompt:\n"
+                                    + to_text(become_output[0])
+                                )
+
+                            if exec_socket_handler.is_eof():
+                                raise AnsibleConnectionFailure(
+                                    "privilege output closed while waiting for password prompt:\n"
+                                    + to_text(become_output[0])
+                                )
+
+                        if not self.become.check_success(become_output[0]):
+                            become_pass = self.become.get_option(
+                                "become_pass", playcontext=self._play_context
+                            )
+                            exec_socket_handler.write(
+                                to_bytes(become_pass, errors="surrogate_or_strict")
+                                + b"\n"
+                            )
+
+                    if in_data is not None:
+                        exec_socket_handler.write(in_data)
+
+                    stdout, stderr = exec_socket_handler.consume()
+            finally:
+                exec_socket.close()
+        else:
+            stdout, stderr = self._call_client(
+                lambda client: client.post_json_to_stream(
+                    "/exec/{0}/start",
+                    exec_id,
+                    stream=False,
+                    demux=True,
+                    tty=False,
+                    data=data,
+                )
+            )
+
+        result = self._call_client(
+            lambda client: client.get_json("/exec/{0}/json", exec_id)
+        )
+
+        return result.get("ExitCode") or 0, stdout or b"", stderr or b""
+
+    def _prefix_login_path(self, remote_path: str) -> str:
+        """Make sure that we put files into a standard path
+
+        If a path is relative, then we need to choose where to put it.
+        ssh chooses $HOME but we are not guaranteed that a home dir will
+        exist in any given chroot.  So for now we are choosing "/" instead.
+        This also happens to be the former default.
+
+        Can revisit using $HOME instead if it is a problem
+        """
+        if getattr(self._shell, "_IS_WINDOWS", False):
+            import ntpath
+
+            return ntpath.normpath(remote_path)
+        if not remote_path.startswith(os.path.sep):
+            remote_path = os.path.join(os.path.sep, remote_path)
+        return os.path.normpath(remote_path)
+
+    def put_file(self, in_path: str, out_path: str) -> None:
+        """Transfer a file from local to docker container"""
+        super().put_file(in_path, out_path)  # type: ignore[safe-super]
+        display.vvv(f"PUT {in_path} TO {out_path}", host=self.get_option("remote_addr"))
+
+        if self.client is None:
+            raise AssertionError("Client must be present")
+
+        out_path = self._prefix_login_path(out_path)
+
+        if self.actual_user not in self.ids:
+            dummy, ids, dummy2 = self.exec_command("id -u && id -g")
+            remote_addr = self.get_option("remote_addr")
+            try:
+                b_user_id, b_group_id = ids.splitlines()
+                user_id, group_id = int(b_user_id), int(b_group_id)
+                self.ids[self.actual_user] = user_id, group_id
+                display.vvvv(
+                    f'PUT: Determined uid={user_id} and gid={group_id} for user "{self.actual_user}"',
+                    host=remote_addr,
+                )
+            except Exception as e:
+                raise AnsibleConnectionFailure(
+                    f'Error while determining user and group ID of current user in container "{remote_addr}": {e}\nGot value: {ids!r}'
+                ) from e
+
+        user_id, group_id = self.ids[self.actual_user]
+        try:
+            self._call_client(
+                lambda client: put_file(
+                    client,
+                    container=self.get_option("remote_addr"),
+                    in_path=in_path,
+                    out_path=out_path,
+                    user_id=user_id,
+                    group_id=group_id,
+                    user_name=self.actual_user,
+                    follow_links=True,
+                ),
+                not_found_can_be_resource=True,
+            )
+        except DockerFileNotFound as exc:
+            raise AnsibleFileNotFound(to_text(exc)) from exc
+        except DockerFileCopyError as exc:
+            raise AnsibleConnectionFailure(to_text(exc)) from exc
+
+    def fetch_file(self, in_path: str, out_path: str) -> None:
+        """Fetch a file from container to local."""
+        super().fetch_file(in_path, out_path)  # type: ignore[safe-super]
+        display.vvv(
+            f"FETCH {in_path} TO {out_path}", host=self.get_option("remote_addr")
+        )
+
+        if self.client is None:
+            raise AssertionError("Client must be present")
+
+        in_path = self._prefix_login_path(in_path)
+
+        try:
+            self._call_client(
+                lambda client: fetch_file(
+                    client,
+                    container=self.get_option("remote_addr"),
+                    in_path=in_path,
+                    out_path=out_path,
+                    follow_links=True,
+                    log=lambda msg: display.vvvv(
+                        msg, host=self.get_option("remote_addr")
+                    ),
+                ),
+                not_found_can_be_resource=True,
+            )
+        except DockerFileNotFound as exc:
+            raise AnsibleFileNotFound(to_text(exc)) from exc
+        except DockerFileCopyError as exc:
+            raise AnsibleConnectionFailure(to_text(exc)) from exc
+
+    def close(self) -> None:
+        """Terminate the connection. Nothing to do for Docker"""
+        super().close()  # type: ignore[safe-super]
+        self._connected = False
+
+    def reset(self) -> None:
+        self.ids.clear()
diff --git a/ansible_collections/community/docker/plugins/connection/nsenter.py b/ansible_collections/community/docker/plugins/connection/nsenter.py
new file mode 100644
index 00000000..5d94644c
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/connection/nsenter.py
@@ -0,0 +1,286 @@
+# Copyright (c) 2021 Jeff Goldschrafe <jeff@holyhandgrenade.org>
+# Based on Ansible local connection plugin by:
+# Copyright (c) 2012 Michael DeHaan <michael.dehaan@gmail.com>
+# Copyright (c) 2015, 2017 Toshio Kuratomi <tkuratomi@ansible.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: nsenter
+short_description: execute on host running controller container
+version_added: 1.9.0
+description:
+  - This connection plugin allows Ansible, running in a privileged container, to execute tasks on the container host instead
+    of in the container itself.
+  - This is useful for running Ansible in a pull model, while still keeping the Ansible control node containerized.
+  - It relies on having privileged access to run C(nsenter) in the host's PID namespace, allowing it to enter the namespaces
+    of the provided PID (default PID 1, or init/systemd).
+author: Jeff Goldschrafe (@jgoldschrafe)
+options:
+  nsenter_pid:
+    description:
+      - PID to attach with using nsenter.
+      - The default should be fine unless you are attaching as a non-root user.
+    type: int
+    default: 1
+    vars:
+      - name: ansible_nsenter_pid
+    env:
+      - name: ANSIBLE_NSENTER_PID
+    ini:
+      - section: nsenter_connection
+        key: nsenter_pid
+notes:
+  - The remote user is ignored; this plugin always runs as root.
+  - "This plugin requires the Ansible controller container to be launched in the following way: (1) The container image contains
+    the C(nsenter) program; (2) The container is launched in privileged mode; (3) The container is launched in the host's
+    PID namespace (C(--pid host))."
+"""
+
+import fcntl
+import os
+import pty
+import selectors
+import shlex
+import subprocess
+import typing as t
+
+import ansible.constants as C
+from ansible.errors import AnsibleError
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible.plugins.connection import ConnectionBase
+from ansible.utils.display import Display
+from ansible.utils.path import unfrackpath
+
+display = Display()
+
+
+class Connection(ConnectionBase):
+    """Connections to a container host using nsenter"""
+
+    transport = "community.docker.nsenter"
+    has_pipelining = False
+
+    def __init__(self, *args: t.Any, **kwargs: t.Any) -> None:
+        super().__init__(*args, **kwargs)
+        self.cwd = None
+        self._nsenter_pid = None
+
+    def _connect(self) -> t.Self:
+        self._nsenter_pid = self.get_option("nsenter_pid")
+
+        # Because nsenter requires very high privileges, our remote user
+        # is always assumed to be root.
+        self._play_context.remote_user = "root"
+
+        if not self._connected:
+            display.vvv(
+                f"ESTABLISH NSENTER CONNECTION FOR USER: {self._play_context.remote_user}",
+                host=self._play_context.remote_addr,
+            )
+            self._connected = True
+        return self
+
+    def exec_command(
+        self, cmd: str, in_data: bytes | None = None, sudoable: bool = True
+    ) -> tuple[int, bytes, bytes]:
+        super().exec_command(cmd, in_data=in_data, sudoable=sudoable)  # type: ignore[safe-super]
+
+        display.debug("in nsenter.exec_command()")
+
+        # pylint: disable-next=no-member
+        def_executable: str | None = C.DEFAULT_EXECUTABLE  # type: ignore[attr-defined]
+        executable = def_executable.split()[0] if def_executable else None
+
+        if not os.path.exists(to_bytes(executable, errors="surrogate_or_strict")):
+            raise AnsibleError(
+                f"failed to find the executable specified {executable}."
+                " Please verify if the executable exists and re-try."
+            )
+
+        # Rewrite the provided command to prefix it with nsenter
+        nsenter_cmd_parts = [
+            "nsenter",
+            "--ipc",
+            "--mount",
+            "--net",
+            "--pid",
+            "--uts",
+            "--preserve-credentials",
+            f"--target={self._nsenter_pid}",
+            "--",
+        ]
+
+        cmd_parts = nsenter_cmd_parts + [cmd]
+        cmd_b = to_bytes(" ".join(cmd_parts))
+
+        display.vvv(f"EXEC {to_text(cmd_b)}", host=self._play_context.remote_addr)
+        display.debug("opening command with Popen()")
+
+        master = None
+        stdin = subprocess.PIPE
+
+        # This plugin does not support pipelining. This diverges from the behavior of
+        # the core "local" connection plugin that this one derives from.
+        if sudoable and self.become and self.become.expect_prompt():
+            # Create a pty if sudoable for privilege escalation that needs it.
+            # Falls back to using a standard pipe if this fails, which may
+            # cause the command to fail in certain situations where we are escalating
+            # privileges or the command otherwise needs a pty.
+            try:
+                master, stdin = pty.openpty()
+            except (IOError, OSError) as e:
+                display.debug(f"Unable to open pty: {e}")
+
+        with subprocess.Popen(
+            cmd_b,
+            shell=True,
+            executable=executable,
+            cwd=self.cwd,
+            stdin=stdin,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        ) as p:
+            assert p.stderr is not None
+            assert p.stdin is not None
+            assert p.stdout is not None
+            # if we created a master, we can close the other half of the pty now, otherwise master is stdin
+            if master is not None:
+                os.close(stdin)
+
+            display.debug("done running command with Popen()")
+
+            if self.become and self.become.expect_prompt() and sudoable:
+                fcntl.fcntl(
+                    p.stdout,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stdout, fcntl.F_GETFL) | os.O_NONBLOCK,
+                )
+                fcntl.fcntl(
+                    p.stderr,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stderr, fcntl.F_GETFL) | os.O_NONBLOCK,
+                )
+                selector = selectors.DefaultSelector()
+                selector.register(p.stdout, selectors.EVENT_READ)
+                selector.register(p.stderr, selectors.EVENT_READ)
+
+                become_output = b""
+                try:
+                    while not self.become.check_success(
+                        become_output
+                    ) and not self.become.check_password_prompt(become_output):
+                        events = selector.select(self._play_context.timeout)
+                        if not events:
+                            stdout, stderr = p.communicate()
+                            raise AnsibleError(
+                                "timeout waiting for privilege escalation password prompt:\n"
+                                + to_text(become_output)
+                            )
+
+                        chunks = b""
+                        for key, dummy_event in events:
+                            if key.fileobj == p.stdout:
+                                chunk = p.stdout.read()
+                                if chunk:
+                                    chunks += chunk
+                            elif key.fileobj == p.stderr:
+                                chunk = p.stderr.read()
+                                if chunk:
+                                    chunks += chunk
+
+                        if not chunks:
+                            stdout, stderr = p.communicate()
+                            raise AnsibleError(
+                                "privilege output closed while waiting for password prompt:\n"
+                                + to_text(become_output)
+                            )
+                        become_output += chunks
+                finally:
+                    selector.close()
+
+                if not self.become.check_success(become_output):
+                    become_pass = self.become.get_option(
+                        "become_pass", playcontext=self._play_context
+                    )
+                    if master is None:
+                        p.stdin.write(
+                            to_bytes(become_pass, errors="surrogate_or_strict") + b"\n"
+                        )
+                    else:
+                        os.write(
+                            master,
+                            to_bytes(become_pass, errors="surrogate_or_strict") + b"\n",
+                        )
+
+                fcntl.fcntl(
+                    p.stdout,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stdout, fcntl.F_GETFL) & ~os.O_NONBLOCK,
+                )
+                fcntl.fcntl(
+                    p.stderr,
+                    fcntl.F_SETFL,
+                    fcntl.fcntl(p.stderr, fcntl.F_GETFL) & ~os.O_NONBLOCK,
+                )
+
+            display.debug("getting output with communicate()")
+            stdout, stderr = p.communicate(in_data)
+            display.debug("done communicating")
+
+            # finally, close the other half of the pty, if it was created
+            if master:
+                os.close(master)
+
+            display.debug("done with nsenter.exec_command()")
+            return (p.returncode, stdout, stderr)
+
+    def put_file(self, in_path: str, out_path: str) -> None:
+        super().put_file(in_path, out_path)  # type: ignore[safe-super]
+
+        in_path = unfrackpath(in_path, basedir=self.cwd)
+        out_path = unfrackpath(out_path, basedir=self.cwd)
+
+        display.vvv(f"PUT {in_path} to {out_path}", host=self._play_context.remote_addr)
+        try:
+            with open(to_bytes(in_path, errors="surrogate_or_strict"), "rb") as in_file:
+                in_data = in_file.read()
+            rc, dummy_out, err = self.exec_command(
+                cmd=f"tee {shlex.quote(out_path)}", in_data=in_data
+            )
+            if rc != 0:
+                raise AnsibleError(
+                    f"failed to transfer file to {out_path}: {to_text(err)}"
+                )
+        except IOError as e:
+            raise AnsibleError(f"failed to transfer file to {out_path}: {e}") from e
+
+    def fetch_file(self, in_path: str, out_path: str) -> None:
+        super().fetch_file(in_path, out_path)  # type: ignore[safe-super]
+
+        in_path = unfrackpath(in_path, basedir=self.cwd)
+        out_path = unfrackpath(out_path, basedir=self.cwd)
+
+        try:
+            rc, out, err = self.exec_command(cmd=f"cat {shlex.quote(in_path)}")
+            display.vvv(
+                f"FETCH {in_path} TO {out_path}", host=self._play_context.remote_addr
+            )
+            if rc != 0:
+                raise AnsibleError(
+                    f"failed to transfer file to {in_path}: {to_text(err)}"
+                )
+            with open(
+                to_bytes(out_path, errors="surrogate_or_strict"), "wb"
+            ) as out_file:
+                out_file.write(out)
+        except IOError as e:
+            raise AnsibleError(
+                f"failed to transfer file to {to_text(out_path)}: {e}"
+            ) from e
+
+    def close(self) -> None:
+        """terminate the connection; nothing to do here"""
+        self._connected = False
diff --git a/ansible_collections/community/docker/plugins/doc_fragments/_attributes.py b/ansible_collections/community/docker/plugins/doc_fragments/_attributes.py
new file mode 100644
index 00000000..7e9b3edc
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/doc_fragments/_attributes.py
@@ -0,0 +1,110 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+
+class ModuleDocFragment:
+
+    # Standard documentation fragment
+    DOCUMENTATION = r"""
+options: {}
+attributes:
+  check_mode:
+    description: Can run in C(check_mode) and return changed status prediction without modifying target.
+  diff_mode:
+    description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+  idempotent:
+    description:
+      - When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change.
+      - This assumes that the system controlled/queried by the module has not changed in a relevant way.
+"""
+
+    # Should be used together with the standard fragment
+    IDEMPOTENT_NOT_MODIFY_STATE = r"""
+options: {}
+attributes:
+  idempotent:
+    support: full
+    details:
+      - This action does not modify state.
+"""
+
+    # Should be used together with the standard fragment
+    INFO_MODULE = r"""
+options: {}
+attributes:
+  check_mode:
+    support: full
+    details:
+      - This action does not modify state.
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+"""
+
+    ACTIONGROUP_DOCKER = r"""
+options: {}
+attributes:
+  action_group:
+    description: Use C(group/docker) or C(group/community.docker.docker) in C(module_defaults) to set defaults for this module.
+    support: full
+    membership:
+      - community.docker.docker
+      - docker
+"""
+
+    CONN = r"""
+options: {}
+attributes:
+  become:
+    description: Is usable alongside C(become) keywords.
+  connection:
+    description: Uses the target's configured connection information to execute code on it.
+  delegation:
+    description: Can be used in conjunction with C(delegate_to) and related keywords.
+"""
+
+    FACTS = r"""
+options: {}
+attributes:
+  facts:
+    description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
+"""
+
+    # Should be used together with the standard fragment and the FACTS fragment
+    FACTS_MODULE = r"""
+options: {}
+attributes:
+  check_mode:
+    support: full
+    details:
+      - This action does not modify state.
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+  facts:
+    support: full
+"""
+
+    FILES = r"""
+options: {}
+attributes:
+  safe_file_operations:
+    description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
+"""
+
+    FLOW = r"""
+options: {}
+attributes:
+  action:
+    description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
+  async:
+    description: Supports being used with the C(async) keyword.
+"""
diff --git a/ansible_collections/community/docker/plugins/doc_fragments/_compose_v2.py b/ansible_collections/community/docker/plugins/doc_fragments/_compose_v2.py
new file mode 100644
index 00000000..76dc928b
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/doc_fragments/_compose_v2.py
@@ -0,0 +1,82 @@
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+
+class ModuleDocFragment:
+
+    # Docker doc fragment
+    DOCUMENTATION = r"""
+options:
+  project_src:
+    description:
+      - Path to a directory containing a Compose file (C(compose.yml), C(compose.yaml), C(docker-compose.yml), or C(docker-compose.yaml)).
+      - If O(files) is provided, will look for these files in this directory instead.
+      - Mutually exclusive with O(definition). One of O(project_src) and O(definition) must be provided.
+    type: path
+  project_name:
+    description:
+      - Provide a project name. If not provided, the project name is taken from the basename of O(project_src).
+      - Required when O(definition) is provided.
+    type: str
+  files:
+    description:
+      - List of Compose file names relative to O(project_src) to be used instead of the main Compose file (C(compose.yml),
+        C(compose.yaml), C(docker-compose.yml), or C(docker-compose.yaml)).
+      - Files are loaded and merged in the order given.
+      - Mutually exclusive with O(definition).
+    type: list
+    elements: path
+    version_added: 3.7.0
+  definition:
+    description:
+      - Compose file describing one or more services, networks and volumes.
+      - Mutually exclusive with O(project_src) and O(files). One of O(project_src) and O(definition) must be provided.
+      - If provided, PyYAML must be available to this module, and O(project_name) must be specified.
+      - Note that a temporary directory will be created and deleted afterwards when using this option.
+    type: dict
+    version_added: 3.9.0
+  env_files:
+    description:
+      - By default environment files are loaded from a C(.env) file located directly under the O(project_src) directory.
+      - O(env_files) can be used to specify the path of one or multiple custom environment files instead.
+      - The path is relative to the O(project_src) directory.
+    type: list
+    elements: path
+  profiles:
+    description:
+      - List of profiles to enable when starting services.
+      - Equivalent to C(docker compose --profile).
+    type: list
+    elements: str
+  check_files_existing:
+    description:
+      - If set to V(false), the module will not check whether one of the files C(compose.yaml), C(compose.yml), C(docker-compose.yaml),
+        or C(docker-compose.yml) exists in O(project_src) if O(files) is not provided.
+      - This can be useful if environment files with C(COMPOSE_FILE) are used to configure a different filename. The module
+        currently does not check for C(COMPOSE_FILE) in environment files or the current environment.
+    type: bool
+    default: true
+    version_added: 3.9.0
+requirements:
+  - "PyYAML if O(definition) is used"
+notes:
+  - |-
+    The Docker compose CLI plugin has no stable output format (see for example U(https://github.com/docker/compose/issues/10872)),
+    and for the main operations also no machine friendly output format. The module tries to accomodate this with various
+    version-dependent behavior adjustments and with testing older and newer versions of the Docker compose CLI plugin.
+    Currently the module is tested with multiple plugin versions between 2.18.1 and 2.23.3. The exact list of plugin versions
+    will change over time. New releases of the Docker compose CLI plugin can break this module at any time.
+"""
+
+    # The following needs to be kept in sync with the compose_v2 module utils
+    MINIMUM_VERSION = r"""
+options: {}
+requirements:
+  - "Docker CLI with Docker compose plugin 2.18.0 or later"
+"""
diff --git a/ansible_collections/community/docker/plugins/doc_fragments/_docker.py b/ansible_collections/community/docker/plugins/doc_fragments/_docker.py
new file mode 100644
index 00000000..c3e8fdbc
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/doc_fragments/_docker.py
@@ -0,0 +1,389 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+
+class ModuleDocFragment:
+
+    # Docker doc fragment
+    DOCUMENTATION = r"""
+options:
+  docker_host:
+    description:
+      - The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the TCP connection
+        string. For example, V(tcp://192.0.2.23:2376). If TLS is used to encrypt the connection, the module will automatically
+        replace C(tcp) in the connection URL with C(https).
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_HOST) will be used instead.
+        If the environment variable is not set, the default value will be used.
+    type: str
+    default: unix:///var/run/docker.sock
+    aliases:
+      - docker_url
+  tls_hostname:
+    description:
+      - When verifying the authenticity of the Docker Host server, provide the expected name of the server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_HOSTNAME) will be used instead.
+        If the environment variable is not set, the default value will be used.
+      - Note that this option had a default value V(localhost) in older versions. It was removed in community.docker 3.0.0.
+      - B(Note:) this option is no longer supported for Docker SDK for Python 7.0.0+. Specifying it with Docker SDK for Python
+        7.0.0 or newer will lead to an error.
+    type: str
+  api_version:
+    description:
+      - The version of the Docker API running on the Docker Host.
+      - Defaults to the latest version of the API supported by Docker SDK for Python and the docker daemon.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_API_VERSION) will be used instead.
+        If the environment variable is not set, the default value will be used.
+    type: str
+    default: auto
+    aliases:
+      - docker_api_version
+  timeout:
+    description:
+      - The maximum amount of time in seconds to wait on a response from the API.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TIMEOUT) will be used instead.
+        If the environment variable is not set, the default value will be used.
+    type: int
+    default: 60
+  ca_path:
+    description:
+      - Use a CA certificate when performing server verification by providing the path to a CA certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set, the file C(ca.pem)
+        from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+      - This option was called O(ca_cert) and got renamed to O(ca_path) in community.docker 3.6.0. The old name has been added
+        as an alias and can still be used.
+    type: path
+    aliases:
+      - ca_cert
+      - tls_ca_cert
+      - cacert_path
+  client_cert:
+    description:
+      - Path to the client's TLS certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set, the file C(cert.pem)
+        from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_cert
+      - cert_path
+  client_key:
+    description:
+      - Path to the client's TLS key file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set, the file C(key.pem)
+        from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_key
+      - key_path
+  tls:
+    description:
+      - Secure the connection to the API by using TLS without verifying the authenticity of the Docker host server. Note that
+        if O(validate_certs) is set to V(true) as well, it will take precedence.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS) will be used instead. If
+        the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+  use_ssh_client:
+    description:
+      - For SSH transports, use the C(ssh) CLI tool instead of paramiko.
+      - Requires Docker SDK for Python 4.4.0 or newer.
+    type: bool
+    default: false
+    version_added: 1.5.0
+  validate_certs:
+    description:
+      - Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_VERIFY) will be used instead.
+        If the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+    aliases:
+      - tls_verify
+  debug:
+    description:
+      - Debug mode.
+    type: bool
+    default: false
+
+notes:
+  - Connect to the Docker daemon by providing parameters with each task or by defining environment variables. You can define
+    E(DOCKER_HOST), E(DOCKER_TLS_HOSTNAME), E(DOCKER_API_VERSION), E(DOCKER_CERT_PATH), E(DOCKER_TLS), E(DOCKER_TLS_VERIFY)
+    and E(DOCKER_TIMEOUT). If you are using docker machine, run the script shipped with the product that sets up the environment.
+    It will set these variables for you. See U(https://docs.docker.com/machine/reference/env/) for more details.
+  - When connecting to Docker daemon with TLS, you might need to install additional Python packages. For the Docker SDK for
+    Python, version 2.4 or newer, this can be done by installing C(docker[tls]) with M(ansible.builtin.pip).
+  - Note that the Docker SDK for Python only allows to specify the path to the Docker configuration for very few functions.
+    In general, it will use C($HOME/.docker/config.json) if the E(DOCKER_CONFIG) environment variable is not specified, and
+    use C($DOCKER_CONFIG/config.json) otherwise.
+"""
+
+    # For plugins: allow to define common options with Ansible variables
+
+    VAR_NAMES = r"""
+options:
+  docker_host:
+    vars:
+      - name: ansible_docker_docker_host
+  tls_hostname:
+    vars:
+      - name: ansible_docker_tls_hostname
+  api_version:
+    vars:
+      - name: ansible_docker_api_version
+  timeout:
+    vars:
+      - name: ansible_docker_timeout
+  ca_path:
+    vars:
+      - name: ansible_docker_ca_cert
+      - name: ansible_docker_ca_path
+        version_added: 3.6.0
+  client_cert:
+    vars:
+      - name: ansible_docker_client_cert
+  client_key:
+    vars:
+      - name: ansible_docker_client_key
+  tls:
+    vars:
+      - name: ansible_docker_tls
+  validate_certs:
+    vars:
+      - name: ansible_docker_validate_certs
+"""
+
+    # Additional, more specific stuff for minimal Docker SDK for Python version >= 2.0.
+
+    DOCKER_PY_2_DOCUMENTATION = r"""
+options: {}
+notes:
+  - This module uses the L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) to
+    communicate with the Docker daemon.
+requirements:
+  - "Docker SDK for Python: Please note that the L(docker-py,https://pypi.org/project/docker-py/)
+     Python module has been superseded by L(docker,https://pypi.org/project/docker/)
+     (see L(here,https://github.com/docker/docker-py/issues/1310) for details).
+     This module does B(not) work with docker-py."
+"""
+
+    # Docker doc fragment when using the vendored API access code
+    API_DOCUMENTATION = r"""
+options:
+  docker_host:
+    description:
+      - The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the
+        TCP connection string. For example, V(tcp://192.0.2.23:2376). If TLS is used to encrypt the connection,
+        the module will automatically replace C(tcp) in the connection URL with C(https).
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_HOST) will be used
+        instead. If the environment variable is not set, the default value will be used.
+    type: str
+    default: unix:///var/run/docker.sock
+    aliases:
+      - docker_url
+  tls_hostname:
+    description:
+      - When verifying the authenticity of the Docker Host server, provide the expected name of the server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_HOSTNAME) will
+        be used instead. If the environment variable is not set, the default value will be used.
+      - Note that this option had a default value V(localhost) in older versions. It was removed in community.docker 3.0.0.
+    type: str
+  api_version:
+    description:
+      - The version of the Docker API running on the Docker Host.
+      - Defaults to the latest version of the API supported by this collection and the docker daemon.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_API_VERSION) will be
+        used instead. If the environment variable is not set, the default value will be used.
+    type: str
+    default: auto
+    aliases:
+      - docker_api_version
+  timeout:
+    description:
+      - The maximum amount of time in seconds to wait on a response from the API.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TIMEOUT) will be used
+        instead. If the environment variable is not set, the default value will be used.
+    type: int
+    default: 60
+  ca_path:
+    description:
+      - Use a CA certificate when performing server verification by providing the path to a CA certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(ca.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+      - This option was called O(ca_cert) and got renamed to O(ca_path) in community.docker 3.6.0. The old name has
+        been added as an alias and can still be used.
+    type: path
+    aliases:
+      - ca_cert
+      - tls_ca_cert
+      - cacert_path
+  client_cert:
+    description:
+      - Path to the client's TLS certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(cert.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_cert
+      - cert_path
+  client_key:
+    description:
+      - Path to the client's TLS key file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(key.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_key
+      - key_path
+  tls:
+    description:
+      - Secure the connection to the API by using TLS without verifying the authenticity of the Docker host
+        server. Note that if O(validate_certs) is set to V(true) as well, it will take precedence.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS) will be used
+        instead. If the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+  use_ssh_client:
+    description:
+      - For SSH transports, use the C(ssh) CLI tool instead of paramiko.
+    type: bool
+    default: false
+    version_added: 1.5.0
+  validate_certs:
+    description:
+      - Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_VERIFY) will be
+        used instead. If the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+    aliases:
+      - tls_verify
+  debug:
+    description:
+      - Debug mode
+    type: bool
+    default: false
+
+notes:
+  - Connect to the Docker daemon by providing parameters with each task or by defining environment variables.
+    You can define E(DOCKER_HOST), E(DOCKER_TLS_HOSTNAME), E(DOCKER_API_VERSION), E(DOCKER_CERT_PATH),
+    E(DOCKER_TLS), E(DOCKER_TLS_VERIFY) and E(DOCKER_TIMEOUT). If you are using docker machine, run the script shipped
+    with the product that sets up the environment. It will set these variables for you. See
+    U(https://docs.docker.com/machine/reference/env/) for more details.
+#  - Note that the Docker SDK for Python only allows to specify the path to the Docker configuration for very few functions.
+#    In general, it will use C($HOME/.docker/config.json) if the E(DOCKER_CONFIG) environment variable is not specified,
+#    and use C($DOCKER_CONFIG/config.json) otherwise.
+  - This module does B(not) use the L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) to
+    communicate with the Docker daemon. It uses code derived from the Docker SDK or Python that is included in this
+    collection.
+requirements:
+  - requests
+  - pywin32 (when using named pipes on Windows 32)
+  - paramiko (when using SSH with O(use_ssh_client=false))
+  - pyOpenSSL (when using TLS)
+"""
+
+    # Docker doc fragment when using the Docker CLI
+    CLI_DOCUMENTATION = r"""
+options:
+  docker_cli:
+    description:
+      - Path to the Docker CLI. If not provided, will search for Docker CLI on the E(PATH).
+    type: path
+  docker_host:
+    description:
+      - The URL or Unix socket path used to connect to the Docker API. To connect to a remote host, provide the
+        TCP connection string. For example, V(tcp://192.0.2.23:2376). If TLS is used to encrypt the connection,
+        the module will automatically replace C(tcp) in the connection URL with C(https).
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_HOST) will be used
+        instead. If the environment variable is not set, the default value will be used.
+      - Mutually exclusive with O(cli_context). If neither O(docker_host) nor O(cli_context) are provided, the
+        value V(unix:///var/run/docker.sock) is used.
+    type: str
+    aliases:
+      - docker_url
+  tls_hostname:
+    description:
+      - When verifying the authenticity of the Docker Host server, provide the expected name of the server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_HOSTNAME) will
+        be used instead. If the environment variable is not set, the default value will be used.
+    type: str
+  api_version:
+    description:
+      - The version of the Docker API running on the Docker Host.
+      - Defaults to the latest version of the API supported by this collection and the docker daemon.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_API_VERSION) will be
+        used instead. If the environment variable is not set, the default value will be used.
+    type: str
+    default: auto
+    aliases:
+      - docker_api_version
+  ca_path:
+    description:
+      - Use a CA certificate when performing server verification by providing the path to a CA certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(ca.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - ca_cert
+      - tls_ca_cert
+      - cacert_path
+  client_cert:
+    description:
+      - Path to the client's TLS certificate file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(cert.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_cert
+      - cert_path
+  client_key:
+    description:
+      - Path to the client's TLS key file.
+      - If the value is not specified in the task and the environment variable E(DOCKER_CERT_PATH) is set,
+        the file C(key.pem) from the directory specified in the environment variable E(DOCKER_CERT_PATH) will be used.
+    type: path
+    aliases:
+      - tls_client_key
+      - key_path
+  tls:
+    description:
+      - Secure the connection to the API by using TLS without verifying the authenticity of the Docker host
+        server. Note that if O(validate_certs) is set to V(true) as well, it will take precedence.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS) will be used
+        instead. If the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+  validate_certs:
+    description:
+      - Secure the connection to the API by using TLS and verifying the authenticity of the Docker host server.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TLS_VERIFY) will be
+        used instead. If the environment variable is not set, the default value will be used.
+    type: bool
+    default: false
+    aliases:
+      - tls_verify
+  # debug:
+  #   description:
+  #     - Debug mode
+  #   type: bool
+  #   default: false
+  cli_context:
+    description:
+      - The Docker CLI context to use.
+      - Mutually exclusive with O(docker_host).
+    type: str
+
+notes:
+  - Connect to the Docker daemon by providing parameters with each task or by defining environment variables.
+    You can define E(DOCKER_HOST), E(DOCKER_TLS_HOSTNAME), E(DOCKER_API_VERSION), E(DOCKER_CERT_PATH),
+    E(DOCKER_TLS), E(DOCKER_TLS_VERIFY) and E(DOCKER_TIMEOUT). If you are using docker machine, run the script shipped
+    with the product that sets up the environment. It will set these variables for you. See
+    U(https://docs.docker.com/machine/reference/env/) for more details.
+  - This module does B(not) use the L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) to
+    communicate with the Docker daemon. It directly calls the Docker CLI program.
+"""
diff --git a/ansible_collections/community/docker/plugins/inventory/docker_containers.py b/ansible_collections/community/docker/plugins/inventory/docker_containers.py
new file mode 100644
index 00000000..b22d4e36
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/inventory/docker_containers.py
@@ -0,0 +1,423 @@
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# For the parts taken from the docker inventory script:
+# Copyright (c) 2016, Paul Durivage <paul.durivage@gmail.com>
+# Copyright (c) 2016, Chris Houseknecht <house@redhat.com>
+# Copyright (c) 2016, James Tanner <jtanner@redhat.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: docker_containers
+short_description: Ansible dynamic inventory plugin for Docker containers
+version_added: 1.1.0
+author:
+  - Felix Fontein (@felixfontein)
+extends_documentation_fragment:
+  - ansible.builtin.constructed
+  - community.docker._docker.api_documentation
+  - community.library_inventory_filtering_v1.inventory_filter
+description:
+  - Reads inventories from the Docker API.
+  - Uses a YAML configuration file that ends with V(docker.(yml|yaml\)).
+notes:
+  - The configuration file must be a YAML file whose filename ends with V(docker.yml) or V(docker.yaml). Other filenames will
+    not be accepted.
+options:
+  plugin:
+    description:
+      - The name of this plugin, it should always be set to V(community.docker.docker_containers) for this plugin to recognize
+        it as its own.
+    type: str
+    required: true
+    choices: [community.docker.docker_containers]
+
+  connection_type:
+    description:
+      - Which connection type to use the containers.
+      - One way to connect to containers is to use SSH (V(ssh)). For this, the options O(default_ip) and O(private_ssh_port)
+        are used. This requires that a SSH daemon is running inside the containers.
+      - Alternatively, V(docker-cli) selects the P(community.docker.docker#connection) connection plugin, and V(docker-api)
+        (default) selects the P(community.docker.docker_api#connection) connection plugin.
+      - When V(docker-api) is used, all Docker daemon configuration values are passed from the inventory plugin to the connection
+        plugin. This can be controlled with O(configure_docker_daemon).
+      - Note that the P(community.docker.docker_api#connection) does B(not work with TCP TLS sockets)!
+        See U(https://github.com/ansible-collections/community.docker/issues/605) for more information.
+    type: str
+    default: docker-api
+    choices:
+      - ssh
+      - docker-cli
+      - docker-api
+
+  configure_docker_daemon:
+    description:
+      - Whether to pass all Docker daemon configuration from the inventory plugin to the connection plugin.
+      - Only used when O(connection_type=docker-api).
+    type: bool
+    default: true
+    version_added: 1.8.0
+
+  verbose_output:
+    description:
+      - Toggle to (not) include all available inspection metadata.
+      - Note that all top-level keys will be transformed to the format C(docker_xxx). For example, C(HostConfig) is converted
+        to C(docker_hostconfig).
+      - If this is V(false), these values can only be used during O(compose), O(groups), and O(keyed_groups).
+      - The C(docker) inventory script always added these variables, so for compatibility set this to V(true).
+    type: bool
+    default: false
+
+  default_ip:
+    description:
+      - The IP address to assign to ansible_host when the container's SSH port is mapped to interface '0.0.0.0'.
+      - Only used if O(connection_type) is V(ssh).
+    type: str
+    default: 127.0.0.1
+
+  private_ssh_port:
+    description:
+      - The port containers use for SSH.
+      - Only used if O(connection_type) is V(ssh).
+    type: int
+    default: 22
+
+  add_legacy_groups:
+    description:
+      - 'Add the same groups as the C(docker) inventory script does. These are the following:'
+      - 'C(<container id>): contains the container of this ID.'
+      - 'C(<container name>): contains the container that has this name.'
+      - 'C(<container short id>): contains the containers that have this short ID (first 13 letters of ID).'
+      - 'C(image_<image name>): contains the containers that have the image C(<image name>).'
+      - 'C(stack_<stack name>): contains the containers that belong to the stack C(<stack name>).'
+      - 'C(service_<service name>): contains the containers that belong to the service C(<service name>).'
+      - 'C(<docker_host>): contains the containers which belong to the Docker daemon O(docker_host). Useful if you run this
+        plugin against multiple Docker daemons.'
+      - 'C(running): contains all containers that are running.'
+      - 'C(stopped): contains all containers that are not running.'
+      - If this is not set to V(true), you should use keyed groups to add the containers to groups. See the examples for how
+        to do that.
+    type: bool
+    default: false
+
+  filters:
+    version_added: 3.5.0
+"""
+
+EXAMPLES = """
+---
+# Minimal example using local Docker daemon
+plugin: community.docker.docker_containers
+docker_host: unix:///var/run/docker.sock
+
+---
+# Minimal example using remote Docker daemon
+plugin: community.docker.docker_containers
+docker_host: tcp://my-docker-host:2375
+
+---
+# Example using remote Docker daemon with unverified TLS
+plugin: community.docker.docker_containers
+docker_host: tcp://my-docker-host:2376
+tls: true
+
+---
+# Example using remote Docker daemon with verified TLS and client certificate verification
+plugin: community.docker.docker_containers
+docker_host: tcp://my-docker-host:2376
+validate_certs: true
+ca_path: /somewhere/ca.pem
+client_key: /somewhere/key.pem
+client_cert: /somewhere/cert.pem
+
+---
+# Example using constructed features to create groups
+plugin: community.docker.docker_containers
+docker_host: tcp://my-docker-host:2375
+strict: false
+keyed_groups:
+  # Add containers with primary network foo to a network_foo group
+  - prefix: network
+    key: 'docker_hostconfig.NetworkMode'
+  # Add Linux hosts to an os_linux group
+  - prefix: os
+    key: docker_platform
+
+---
+# Example using SSH connection with an explicit fallback for when port 22 has not been
+# exported: use container name as ansible_ssh_host and 22 as ansible_ssh_port
+plugin: community.docker.docker_containers
+connection_type: ssh
+compose:
+  ansible_ssh_host: ansible_ssh_host | default(docker_name[1:], true)
+  ansible_ssh_port: ansible_ssh_port | default(22, true)
+
+---
+# Only consider containers which have a label 'foo', or whose name starts with 'a'
+plugin: community.docker.docker_containers
+filters:
+  # Accept all containers which have a label called 'foo'
+  - include: >-
+      "foo" in docker_config.Labels
+  # Next accept all containers whose inventory_hostname starts with 'a'
+  - include: >-
+      inventory_hostname.startswith("a")
+  # Exclude all containers that did not match any of the above filters
+  - exclude: true
+"""
+
+import re
+import typing as t
+
+from ansible.errors import AnsibleError
+from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
+from ansible_collections.community.library_inventory_filtering_v1.plugins.plugin_utils.inventory_filter import (
+    filter_host,
+    parse_filters,
+)
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DOCKER_COMMON_ARGS_VARS,
+)
+from ansible_collections.community.docker.plugins.plugin_utils._common_api import (
+    AnsibleDockerClient,
+)
+from ansible_collections.community.docker.plugins.plugin_utils._unsafe import (
+    make_unsafe,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.inventory.data import InventoryData
+    from ansible.parsing.dataloader import DataLoader
+
+
+MIN_DOCKER_API = None
+
+
+class InventoryModule(BaseInventoryPlugin, Constructable):
+    """Host inventory parser for ansible using Docker daemon as source."""
+
+    NAME = "community.docker.docker_containers"
+
+    def _slugify(self, value: str) -> str:
+        slug = re.sub(r"[^\w-]", "_", value).lower().lstrip("_")
+        return f"docker_{slug}"
+
+    def _populate(self, client: AnsibleDockerClient) -> None:
+        strict = self.get_option("strict")
+
+        ssh_port = self.get_option("private_ssh_port")
+        default_ip = self.get_option("default_ip")
+        hostname = self.get_option("docker_host")
+        verbose_output = self.get_option("verbose_output")
+        connection_type = self.get_option("connection_type")
+        add_legacy_groups = self.get_option("add_legacy_groups")
+
+        if self.inventory is None:
+            raise AssertionError("Inventory must be there")
+
+        try:
+            params = {
+                "limit": -1,
+                "all": 1,
+                "size": 0,
+                "trunc_cmd": 0,
+                "since": None,
+                "before": None,
+            }
+            containers = client.get_json("/containers/json", params=params)
+        except APIError as exc:
+            raise AnsibleError(f"Error listing containers: {exc}") from exc
+
+        if add_legacy_groups:
+            self.inventory.add_group("running")
+            self.inventory.add_group("stopped")
+
+        extra_facts = {}
+        if self.get_option("configure_docker_daemon"):
+            for option_name, var_name in DOCKER_COMMON_ARGS_VARS.items():
+                value = self.get_option(option_name)
+                if value is not None:
+                    extra_facts[var_name] = value
+
+        filters = parse_filters(self.get_option("filters"))
+        for container in containers:
+            container_id = container.get("Id")
+            short_container_id = container_id[:13]
+
+            try:
+                name = container.get("Names", [])[0].lstrip("/")
+                full_name = name
+            except IndexError:
+                name = short_container_id
+                full_name = container_id
+
+            facts = {
+                "docker_name": make_unsafe(name),
+                "docker_short_id": make_unsafe(short_container_id),
+            }
+            full_facts = {}
+
+            try:
+                inspect = client.get_json("/containers/{0}/json", container_id)
+            except APIError as exc:
+                raise AnsibleError(
+                    f"Error inspecting container {name} - {exc}"
+                ) from exc
+
+            state = inspect.get("State") or {}
+            config = inspect.get("Config") or {}
+            labels = config.get("Labels") or {}
+
+            running = state.get("Running")
+
+            groups = []
+
+            # Add container to groups
+            image_name = config.get("Image")
+            if image_name and add_legacy_groups:
+                groups.append(f"image_{image_name}")
+
+            stack_name = labels.get("com.docker.stack.namespace")
+            if stack_name:
+                full_facts["docker_stack"] = stack_name
+                if add_legacy_groups:
+                    groups.append(f"stack_{stack_name}")
+
+            service_name = labels.get("com.docker.swarm.service.name")
+            if service_name:
+                full_facts["docker_service"] = service_name
+                if add_legacy_groups:
+                    groups.append(f"service_{service_name}")
+
+            ansible_connection = None
+            if connection_type == "ssh":
+                # Figure out ssh IP and Port
+                try:
+                    # Lookup the public facing port Nat'ed to ssh port.
+                    network_settings = inspect.get("NetworkSettings") or {}
+                    port_settings = network_settings.get("Ports") or {}
+                    port = port_settings.get(f"{ssh_port}/tcp")[0]  # type: ignore[index]
+                except (IndexError, AttributeError, TypeError):
+                    port = {}
+
+                try:
+                    ip = default_ip if port["HostIp"] == "0.0.0.0" else port["HostIp"]
+                except KeyError:
+                    ip = ""
+
+                facts.update(
+                    {
+                        "ansible_ssh_host": ip,
+                        "ansible_ssh_port": port.get("HostPort", 0),
+                    }
+                )
+            elif connection_type == "docker-cli":
+                facts.update(
+                    {
+                        "ansible_host": full_name,
+                    }
+                )
+                ansible_connection = "community.docker.docker"
+            elif connection_type == "docker-api":
+                facts.update(
+                    {
+                        "ansible_host": full_name,
+                    }
+                )
+                facts.update(extra_facts)
+                ansible_connection = "community.docker.docker_api"
+
+            full_facts.update(facts)
+            for key, value in inspect.items():
+                fact_key = self._slugify(key)
+                full_facts[fact_key] = value
+
+            full_facts = make_unsafe(full_facts)
+
+            if ansible_connection:
+                for d in (facts, full_facts):
+                    if "ansible_connection" not in d:
+                        d["ansible_connection"] = ansible_connection
+
+            if not filter_host(self, name, full_facts, filters):
+                continue
+
+            if verbose_output:
+                facts.update(full_facts)
+
+            self.inventory.add_host(name)
+            for group in groups:
+                self.inventory.add_group(group)
+                self.inventory.add_host(name, group=group)
+
+            for key, value in facts.items():
+                self.inventory.set_variable(name, key, value)
+
+            # Use constructed if applicable
+            # Composed variables
+            self._set_composite_vars(
+                self.get_option("compose"), full_facts, name, strict=strict
+            )
+            # Complex groups based on jinja2 conditionals, hosts that meet the conditional are added to group
+            self._add_host_to_composed_groups(
+                self.get_option("groups"), full_facts, name, strict=strict
+            )
+            # Create groups based on variable values and add the corresponding hosts to it
+            self._add_host_to_keyed_groups(
+                self.get_option("keyed_groups"), full_facts, name, strict=strict
+            )
+
+            # We need to do this last since we also add a group called `name`.
+            # When we do this before a set_variable() call, the variables are assigned
+            # to the group, and not to the host.
+            if add_legacy_groups:
+                self.inventory.add_group(container_id)
+                self.inventory.add_host(name, group=container_id)
+                self.inventory.add_group(name)
+                self.inventory.add_host(name, group=name)
+                self.inventory.add_group(short_container_id)
+                self.inventory.add_host(name, group=short_container_id)
+                self.inventory.add_group(hostname)
+                self.inventory.add_host(name, group=hostname)
+
+                if running is True:
+                    self.inventory.add_host(name, group="running")
+                else:
+                    self.inventory.add_host(name, group="stopped")
+
+    def verify_file(self, path: str) -> bool:
+        """Return the possibly of a file being consumable by this plugin."""
+        return super().verify_file(path) and path.endswith(
+            ("docker.yaml", "docker.yml")
+        )
+
+    def _create_client(self) -> AnsibleDockerClient:
+        return AnsibleDockerClient(self, min_docker_api_version=MIN_DOCKER_API)
+
+    def parse(
+        self,
+        inventory: InventoryData,
+        loader: DataLoader,
+        path: str,
+        cache: bool = True,
+    ) -> None:
+        super().parse(inventory, loader, path, cache)
+        self._read_config_data(path)
+        client = self._create_client()
+        try:
+            self._populate(client)
+        except DockerException as e:
+            raise AnsibleError(f"An unexpected Docker error occurred: {e}") from e
+        except RequestException as e:
+            raise AnsibleError(
+                f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}"
+            ) from e
diff --git a/ansible_collections/community/docker/plugins/inventory/docker_machine.py b/ansible_collections/community/docker/plugins/inventory/docker_machine.py
new file mode 100644
index 00000000..777ef6f8
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/inventory/docker_machine.py
@@ -0,0 +1,359 @@
+# Copyright (c) 2019, Ximon Eighteen <ximon.eighteen@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: docker_machine
+author: Ximon Eighteen (@ximon18)
+short_description: Docker Machine inventory source
+requirements:
+  - L(Docker Machine,https://docs.docker.com/machine/)
+extends_documentation_fragment:
+  - ansible.builtin.constructed
+  - community.library_inventory_filtering_v1.inventory_filter
+description:
+  - Get inventory hosts from Docker Machine.
+  - Uses a YAML configuration file that ends with V(docker_machine.(yml|yaml\)).
+  - The plugin sets standard host variables C(ansible_host), C(ansible_port), C(ansible_user) and C(ansible_ssh_private_key).
+  - The plugin stores the Docker Machine 'env' output variables in C(dm_) prefixed host variables.
+notes:
+  - The configuration file must be a YAML file whose filename ends with V(docker_machine.yml) or V(docker_machine.yaml). Other
+    filenames will not be accepted.
+options:
+  plugin:
+    description: Token that ensures this is a source file for the C(docker_machine) plugin.
+    required: true
+    choices: ['docker_machine', 'community.docker.docker_machine']
+  daemon_env:
+    description:
+      - Whether docker daemon connection environment variables should be fetched, and how to behave if they cannot be fetched.
+      - With V(require) and V(require-silently), fetch them and skip any host for which they cannot be fetched. A warning
+        will be issued for any skipped host if the choice is V(require).
+      - With V(optional) and V(optional-silently), fetch them and not skip hosts for which they cannot be fetched. A warning
+        will be issued for hosts where they cannot be fetched if the choice is V(optional).
+      - With V(skip), do not attempt to fetch the docker daemon connection environment variables.
+      - If fetched successfully, the variables will be prefixed with C(dm_) and stored as host variables.
+    type: str
+    choices:
+      - require
+      - require-silently
+      - optional
+      - optional-silently
+      - skip
+    default: require
+  running_required:
+    description:
+      - When V(true), hosts which Docker Machine indicates are in a state other than C(running) will be skipped.
+    type: bool
+    default: true
+  verbose_output:
+    description:
+      - When V(true), include all available nodes metadata (for example C(Image), C(Region), C(Size)) as a JSON object named
+        C(docker_machine_node_attributes).
+    type: bool
+    default: true
+  filters:
+    version_added: 3.5.0
+"""
+
+EXAMPLES = """
+---
+# Minimal example
+plugin: community.docker.docker_machine
+
+---
+# Example using constructed features to create a group per Docker Machine driver
+# (https://docs.docker.com/machine/drivers/), for example:
+#   $ docker-machine create --driver digitalocean ... mymachine
+#   $ ansible-inventory -i ./path/to/docker-machine.yml --host=mymachine
+#   {
+#     ...
+#     "digitalocean": {
+#       "hosts": [
+#           "mymachine"
+#       ]
+#     ...
+#   }
+plugin: community.docker.docker_machine
+strict: false
+keyed_groups:
+  - separator: ''
+    key: docker_machine_node_attributes.DriverName
+
+---
+# Example grouping hosts by Digital Machine tag
+plugin: community.docker.docker_machine
+strict: false
+keyed_groups:
+  - prefix: tag
+    key: 'dm_tags'
+
+---
+# Example using compose to override the default SSH behaviour of asking the user to accept the remote host key
+plugin: community.docker.docker_machine
+compose:
+  ansible_ssh_common_args: '"-o StrictHostKeyChecking=accept-new"'
+"""
+
+import json
+import re
+import subprocess
+import typing as t
+
+from ansible.errors import AnsibleError
+from ansible.module_utils.common.process import get_bin_path
+from ansible.module_utils.common.text.converters import to_text
+from ansible.plugins.inventory import BaseInventoryPlugin, Cacheable, Constructable
+from ansible.utils.display import Display
+from ansible_collections.community.library_inventory_filtering_v1.plugins.plugin_utils.inventory_filter import (
+    filter_host,
+    parse_filters,
+)
+
+from ansible_collections.community.docker.plugins.plugin_utils._unsafe import (
+    make_unsafe,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.inventory.data import InventoryData
+    from ansible.parsing.dataloader import DataLoader
+
+    DaemonEnv = t.Literal[
+        "require", "require-silently", "optional", "optional-silently", "skip"
+    ]
+
+
+display = Display()
+
+
+class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
+    """Host inventory parser for ansible using Docker machine as source."""
+
+    NAME = "community.docker.docker_machine"
+
+    docker_machine_path: str | None = None
+
+    def _run_command(self, args: list[str]) -> str:
+        if not self.docker_machine_path:
+            try:
+                self.docker_machine_path = get_bin_path("docker-machine")
+            except ValueError as e:
+                raise AnsibleError(to_text(e)) from e
+
+        command = [self.docker_machine_path]
+        command.extend(args)
+        display.debug(f"Executing command {command}")
+        try:
+            result = subprocess.check_output(command)
+        except subprocess.CalledProcessError as e:
+            display.warning(
+                f"Exception {type(e).__name__} caught while executing command {command}, this was the original exception: {e}"
+            )
+            raise e
+
+        return to_text(result).strip()
+
+    def _get_docker_daemon_variables(self, machine_name: str) -> list[tuple[str, str]]:
+        """
+        Capture settings from Docker Machine that would be needed to connect to the remote Docker daemon installed on
+        the Docker Machine remote host. Note: passing '--shell=sh' is a workaround for 'Error: Unknown shell'.
+        """
+        try:
+            env_lines = self._run_command(
+                ["env", "--shell=sh", machine_name]
+            ).splitlines()
+        except subprocess.CalledProcessError:
+            # This can happen when the machine is created but provisioning is incomplete
+            return []
+
+        # example output of docker-machine env --shell=sh:
+        #   export DOCKER_TLS_VERIFY="1"
+        #   export DOCKER_HOST="tcp://134.209.204.160:2376"
+        #   export DOCKER_CERT_PATH="/root/.docker/machine/machines/routinator"
+        #   export DOCKER_MACHINE_NAME="routinator"
+        #   # Run this command to configure your shell:
+        #   # eval $(docker-machine env --shell=bash routinator)
+
+        # capture any of the DOCKER_xxx variables that were output and create Ansible host vars
+        # with the same name and value but with a dm_ name prefix.
+        env_vars = []
+        for line in env_lines:
+            match = re.search('(DOCKER_[^=]+)="([^"]+)"', line)
+            if match:
+                env_var_name = match.group(1)
+                env_var_value = match.group(2)
+                env_vars.append((env_var_name, env_var_value))
+
+        return env_vars
+
+    def _get_machine_names(self) -> list[str]:
+        # Filter out machines that are not in the Running state as we probably cannot do anything useful actions
+        # with them.
+        ls_command = ["ls", "-q"]
+        if self.get_option("running_required"):
+            ls_command.extend(["--filter", "state=Running"])
+
+        try:
+            ls_lines = self._run_command(ls_command)
+        except subprocess.CalledProcessError:
+            return []
+
+        return ls_lines.splitlines()
+
+    def _inspect_docker_machine_host(self, node: str) -> t.Any | None:
+        try:
+            inspect_lines = self._run_command(["inspect", node])
+        except subprocess.CalledProcessError:
+            return None
+
+        return json.loads(inspect_lines)
+
+    def _ip_addr_docker_machine_host(self, node: str) -> t.Any | None:
+        try:
+            ip_addr = self._run_command(["ip", node])
+        except subprocess.CalledProcessError:
+            return None
+
+        return ip_addr
+
+    def _should_skip_host(
+        self,
+        machine_name: str,
+        env_var_tuples: list[tuple[str, str]],
+        daemon_env: DaemonEnv,
+    ) -> bool:
+        if not env_var_tuples:
+            warning_prefix = f"Unable to fetch Docker daemon env vars from Docker Machine for host {machine_name}"
+            if daemon_env in ("require", "require-silently"):
+                if daemon_env == "require":
+                    display.warning(f"{warning_prefix}: host will be skipped")
+                return True
+            if daemon_env == "optional":
+                display.warning(
+                    f"{warning_prefix}: host will lack dm_DOCKER_xxx variables"
+                )
+            # daemon_env is 'optional-silently'
+        return False
+
+    def _populate(self) -> None:
+        if self.inventory is None:
+            raise AssertionError("Inventory must be there")
+
+        daemon_env: DaemonEnv = self.get_option("daemon_env")
+        filters = parse_filters(self.get_option("filters"))
+        try:
+            for node in self._get_machine_names():
+                node_attrs = self._inspect_docker_machine_host(node)
+                if not node_attrs:
+                    continue
+
+                unsafe_node_attrs = make_unsafe(node_attrs)
+
+                machine_name = unsafe_node_attrs["Driver"]["MachineName"]
+                if not filter_host(self, machine_name, unsafe_node_attrs, filters):
+                    continue
+
+                # query `docker-machine env` to obtain remote Docker daemon connection settings in the form of commands
+                # that could be used to set environment variables to influence a local Docker client:
+                if daemon_env == "skip":
+                    env_var_tuples = []
+                else:
+                    env_var_tuples = self._get_docker_daemon_variables(machine_name)
+                    if self._should_skip_host(machine_name, env_var_tuples, daemon_env):
+                        continue
+
+                # add an entry in the inventory for this host
+                self.inventory.add_host(machine_name)
+
+                # check for valid ip address from inspect output, else explicitly use ip command to find host ip address
+                # this works around an issue seen with Google Compute Platform where the IP address was not available
+                # via the 'inspect' subcommand but was via the 'ip' subcomannd.
+                if unsafe_node_attrs["Driver"]["IPAddress"]:
+                    ip_addr = unsafe_node_attrs["Driver"]["IPAddress"]
+                else:
+                    ip_addr = self._ip_addr_docker_machine_host(node)
+
+                # set standard Ansible remote host connection settings to details captured from `docker-machine`
+                # see: https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
+                self.inventory.set_variable(
+                    machine_name, "ansible_host", make_unsafe(ip_addr)
+                )
+                self.inventory.set_variable(
+                    machine_name, "ansible_port", unsafe_node_attrs["Driver"]["SSHPort"]
+                )
+                self.inventory.set_variable(
+                    machine_name, "ansible_user", unsafe_node_attrs["Driver"]["SSHUser"]
+                )
+                self.inventory.set_variable(
+                    machine_name,
+                    "ansible_ssh_private_key_file",
+                    unsafe_node_attrs["Driver"]["SSHKeyPath"],
+                )
+
+                # set variables based on Docker Machine tags
+                tags = unsafe_node_attrs["Driver"].get("Tags") or ""
+                self.inventory.set_variable(machine_name, "dm_tags", make_unsafe(tags))
+
+                # set variables based on Docker Machine env variables
+                for kv in env_var_tuples:
+                    self.inventory.set_variable(
+                        machine_name, f"dm_{kv[0]}", make_unsafe(kv[1])
+                    )
+
+                if self.get_option("verbose_output"):
+                    self.inventory.set_variable(
+                        machine_name,
+                        "docker_machine_node_attributes",
+                        unsafe_node_attrs,
+                    )
+
+                # Use constructed if applicable
+                strict = self.get_option("strict")
+
+                # Composed variables
+                self._set_composite_vars(
+                    self.get_option("compose"),
+                    unsafe_node_attrs,
+                    machine_name,
+                    strict=strict,
+                )
+
+                # Complex groups based on jinja2 conditionals, hosts that meet the conditional are added to group
+                self._add_host_to_composed_groups(
+                    self.get_option("groups"),
+                    unsafe_node_attrs,
+                    machine_name,
+                    strict=strict,
+                )
+
+                # Create groups based on variable values and add the corresponding hosts to it
+                self._add_host_to_keyed_groups(
+                    self.get_option("keyed_groups"),
+                    unsafe_node_attrs,
+                    machine_name,
+                    strict=strict,
+                )
+
+        except Exception as e:
+            raise AnsibleError(
+                f"Unable to fetch hosts from Docker Machine, this was the original exception: {e}"
+            ) from e
+
+    def verify_file(self, path: str) -> bool:
+        """Return the possibility of a file being consumable by this plugin."""
+        return super().verify_file(path) and path.endswith(
+            ("docker_machine.yaml", "docker_machine.yml")
+        )
+
+    def parse(
+        self,
+        inventory: InventoryData,
+        loader: DataLoader,
+        path: str,
+        cache: bool = True,
+    ) -> None:
+        super().parse(inventory, loader, path, cache)
+        self._read_config_data(path)
+        self._populate()
diff --git a/ansible_collections/community/docker/plugins/inventory/docker_swarm.py b/ansible_collections/community/docker/plugins/inventory/docker_swarm.py
new file mode 100644
index 00000000..07dc1340
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/inventory/docker_swarm.py
@@ -0,0 +1,338 @@
+# Copyright (c) 2018, Stefan Heitmueller <stefan.heitmueller@gmx.com>
+# Copyright (c) 2018 Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: docker_swarm
+author:
+  - Stefan Heitmüller (@morph027) <stefan.heitmueller@gmx.com>
+short_description: Ansible dynamic inventory plugin for Docker swarm nodes
+requirements:
+  - L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 1.10.0
+extends_documentation_fragment:
+  - ansible.builtin.constructed
+  - community.library_inventory_filtering_v1.inventory_filter
+description:
+  - Reads inventories from the Docker swarm API.
+  - Uses a YAML configuration file that ends with V(docker_swarm.(yml|yaml\)).
+  - 'The plugin returns following groups of swarm nodes: C(all) - all hosts; C(workers) - all worker nodes; C(managers) -
+    all manager nodes; C(leader) - the swarm leader node; C(nonleaders) - all nodes except the swarm leader.'
+notes:
+  - The configuration file must be a YAML file whose filename ends with V(docker_swarm.yml) or V(docker_swarm.yaml). Other
+    filenames will not be accepted.
+options:
+  plugin:
+    description: The name of this plugin, it should always be set to V(community.docker.docker_swarm) for this plugin to recognize
+      it as its own.
+    type: str
+    required: true
+    choices: [docker_swarm, community.docker.docker_swarm]
+  docker_host:
+    description:
+      - Socket of a Docker swarm manager node (C(tcp), C(unix)).
+      - Use V(unix:///var/run/docker.sock) to connect through a local socket.
+    type: str
+    required: true
+    aliases: [docker_url]
+  verbose_output:
+    description: Toggle to (not) include all available nodes metadata (for example C(Platform), C(Architecture), C(OS), C(EngineVersion)).
+    type: bool
+    default: true
+  tls:
+    description: Connect using TLS without verifying the authenticity of the Docker host server.
+    type: bool
+    default: false
+  validate_certs:
+    description: Toggle if connecting using TLS with or without verifying the authenticity of the Docker host server.
+    type: bool
+    default: false
+    aliases: [tls_verify]
+  client_key:
+    description: Path to the client's TLS key file.
+    type: path
+    aliases: [tls_client_key, key_path]
+  ca_path:
+    description:
+      - Use a CA certificate when performing server verification by providing the path to a CA certificate file.
+      - This option was called O(ca_cert) and got renamed to O(ca_path) in community.docker 3.6.0. The old name has been added
+        as an alias and can still be used.
+    type: path
+    aliases: [ca_cert, tls_ca_cert, cacert_path]
+  client_cert:
+    description: Path to the client's TLS certificate file.
+    type: path
+    aliases: [tls_client_cert, cert_path]
+  tls_hostname:
+    description: When verifying the authenticity of the Docker host server, provide the expected name of the server.
+    type: str
+  api_version:
+    description:
+      - The version of the Docker API running on the Docker Host.
+      - Defaults to the latest version of the API supported by Docker SDK for Python.
+    type: str
+    aliases: [docker_api_version]
+  timeout:
+    description:
+      - The maximum amount of time in seconds to wait on a response from the API.
+      - If the value is not specified in the task, the value of environment variable E(DOCKER_TIMEOUT). will be used instead.
+        If the environment variable is not set, the default value will be used.
+    type: int
+    default: 60
+    aliases: [time_out]
+  use_ssh_client:
+    description:
+      - For SSH transports, use the C(ssh) CLI tool instead of paramiko.
+      - Requires Docker SDK for Python 4.4.0 or newer.
+    type: bool
+    default: false
+    version_added: 1.5.0
+  include_host_uri:
+    description: Toggle to return the additional attribute C(ansible_host_uri) which contains the URI of the swarm leader
+      in format of V(tcp://172.16.0.1:2376). This value may be used without additional modification as value of option O(docker_host)
+      in Docker Swarm modules when connecting through the API. The port always defaults to V(2376).
+    type: bool
+    default: false
+  include_host_uri_port:
+    description: Override the detected port number included in C(ansible_host_uri).
+    type: int
+  filters:
+    version_added: 3.5.0
+"""
+
+EXAMPLES = """
+---
+# Minimal example using local docker
+plugin: community.docker.docker_swarm
+docker_host: unix:///var/run/docker.sock
+
+---
+# Minimal example using remote docker
+plugin: community.docker.docker_swarm
+docker_host: tcp://my-docker-host:2375
+
+---
+# Example using remote docker with unverified TLS
+plugin: community.docker.docker_swarm
+docker_host: tcp://my-docker-host:2376
+tls: true
+
+---
+# Example using remote docker with verified TLS and client certificate verification
+plugin: community.docker.docker_swarm
+docker_host: tcp://my-docker-host:2376
+validate_certs: true
+ca_path: /somewhere/ca.pem
+client_key: /somewhere/key.pem
+client_cert: /somewhere/cert.pem
+
+---
+# Example using constructed features to create groups and set ansible_host
+plugin: community.docker.docker_swarm
+docker_host: tcp://my-docker-host:2375
+strict: false
+keyed_groups:
+  # add for example x86_64 hosts to an arch_x86_64 group
+  - prefix: arch
+    key: 'Description.Platform.Architecture'
+  # add for example linux hosts to an os_linux group
+  - prefix: os
+    key: 'Description.Platform.OS'
+  # create a group per node label
+  # for exomple a node labeled w/ "production" ends up in group "label_production"
+  # hint: labels containing special characters will be converted to safe names
+  - key: 'Spec.Labels'
+    prefix: label
+"""
+
+import typing as t
+
+from ansible.errors import AnsibleError
+from ansible.parsing.utils.addresses import parse_address
+from ansible.plugins.inventory import BaseInventoryPlugin, Constructable
+from ansible_collections.community.library_inventory_filtering_v1.plugins.plugin_utils.inventory_filter import (
+    filter_host,
+    parse_filters,
+)
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    get_connect_params,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    update_tls_hostname,
+)
+from ansible_collections.community.docker.plugins.plugin_utils._unsafe import (
+    make_unsafe,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.inventory.data import InventoryData
+    from ansible.parsing.dataloader import DataLoader
+
+
+try:
+    import docker
+
+    HAS_DOCKER = True
+except ImportError:
+    HAS_DOCKER = False
+
+
+class InventoryModule(BaseInventoryPlugin, Constructable):
+    """Host inventory parser for ansible using Docker swarm as source."""
+
+    NAME = "community.docker.docker_swarm"
+
+    def _fail(self, msg: str) -> t.NoReturn:
+        raise AnsibleError(msg)
+
+    def _populate(self) -> None:
+        if self.inventory is None:
+            raise AssertionError("Inventory must be there")
+
+        raw_params = {
+            "docker_host": self.get_option("docker_host"),
+            "tls": self.get_option("tls"),
+            "tls_verify": self.get_option("validate_certs"),
+            "key_path": self.get_option("client_key"),
+            "cacert_path": self.get_option("ca_path"),
+            "cert_path": self.get_option("client_cert"),
+            "tls_hostname": self.get_option("tls_hostname"),
+            "api_version": self.get_option("api_version"),
+            "timeout": self.get_option("timeout"),
+            "use_ssh_client": self.get_option("use_ssh_client"),
+            "debug": None,
+        }
+        update_tls_hostname(raw_params)
+        connect_params = get_connect_params(raw_params, fail_function=self._fail)
+        client = docker.DockerClient(**connect_params)
+        self.inventory.add_group("all")
+        self.inventory.add_group("manager")
+        self.inventory.add_group("worker")
+        self.inventory.add_group("leader")
+        self.inventory.add_group("nonleaders")
+
+        filters = parse_filters(self.get_option("filters"))
+
+        if self.get_option("include_host_uri"):
+            if self.get_option("include_host_uri_port"):
+                host_uri_port = str(self.get_option("include_host_uri_port"))
+            elif self.get_option("tls") or self.get_option("validate_certs"):
+                host_uri_port = "2376"
+            else:
+                host_uri_port = "2375"
+
+        try:
+            nodes = client.nodes.list()
+            for node in nodes:
+                node_attrs = client.nodes.get(node.id).attrs
+                unsafe_node_attrs = make_unsafe(node_attrs)
+                if not filter_host(
+                    self, unsafe_node_attrs["ID"], unsafe_node_attrs, filters
+                ):
+                    continue
+                self.inventory.add_host(unsafe_node_attrs["ID"])
+                self.inventory.add_host(
+                    unsafe_node_attrs["ID"], group=unsafe_node_attrs["Spec"]["Role"]
+                )
+                self.inventory.set_variable(
+                    unsafe_node_attrs["ID"],
+                    "ansible_host",
+                    unsafe_node_attrs["Status"]["Addr"],
+                )
+                if self.get_option("include_host_uri"):
+                    self.inventory.set_variable(
+                        unsafe_node_attrs["ID"],
+                        "ansible_host_uri",
+                        make_unsafe(
+                            "tcp://"
+                            + unsafe_node_attrs["Status"]["Addr"]
+                            + ":"
+                            + host_uri_port
+                        ),
+                    )
+                if self.get_option("verbose_output"):
+                    self.inventory.set_variable(
+                        unsafe_node_attrs["ID"],
+                        "docker_swarm_node_attributes",
+                        unsafe_node_attrs,
+                    )
+                if "ManagerStatus" in unsafe_node_attrs:
+                    if unsafe_node_attrs["ManagerStatus"].get("Leader"):
+                        # This is workaround of bug in Docker when in some cases the Leader IP is 0.0.0.0
+                        # Check moby/moby#35437 for details
+                        swarm_leader_ip = (
+                            parse_address(node_attrs["ManagerStatus"]["Addr"])[0]
+                            or unsafe_node_attrs["Status"]["Addr"]
+                        )
+                        if self.get_option("include_host_uri"):
+                            self.inventory.set_variable(
+                                unsafe_node_attrs["ID"],
+                                "ansible_host_uri",
+                                make_unsafe(
+                                    "tcp://" + swarm_leader_ip + ":" + host_uri_port
+                                ),
+                            )
+                        self.inventory.set_variable(
+                            unsafe_node_attrs["ID"],
+                            "ansible_host",
+                            make_unsafe(swarm_leader_ip),
+                        )
+                        self.inventory.add_host(unsafe_node_attrs["ID"], group="leader")
+                    else:
+                        self.inventory.add_host(
+                            unsafe_node_attrs["ID"], group="nonleaders"
+                        )
+                else:
+                    self.inventory.add_host(unsafe_node_attrs["ID"], group="nonleaders")
+                # Use constructed if applicable
+                strict = self.get_option("strict")
+                # Composed variables
+                self._set_composite_vars(
+                    self.get_option("compose"),
+                    unsafe_node_attrs,
+                    unsafe_node_attrs["ID"],
+                    strict=strict,
+                )
+                # Complex groups based on jinja2 conditionals, hosts that meet the conditional are added to group
+                self._add_host_to_composed_groups(
+                    self.get_option("groups"),
+                    unsafe_node_attrs,
+                    unsafe_node_attrs["ID"],
+                    strict=strict,
+                )
+                # Create groups based on variable values and add the corresponding hosts to it
+                self._add_host_to_keyed_groups(
+                    self.get_option("keyed_groups"),
+                    unsafe_node_attrs,
+                    unsafe_node_attrs["ID"],
+                    strict=strict,
+                )
+        except Exception as e:
+            raise AnsibleError(
+                f"Unable to fetch hosts from Docker swarm API, this was the original exception: {e}"
+            ) from e
+
+    def verify_file(self, path: str) -> bool:
+        """Return the possibly of a file being consumable by this plugin."""
+        return super().verify_file(path) and path.endswith(
+            ("docker_swarm.yaml", "docker_swarm.yml")
+        )
+
+    def parse(
+        self,
+        inventory: InventoryData,
+        loader: DataLoader,
+        path: str,
+        cache: bool = True,
+    ) -> None:
+        if not HAS_DOCKER:
+            raise AnsibleError(
+                "The Docker swarm dynamic inventory plugin requires the Docker SDK for Python: "
+                "https://github.com/docker/docker-py."
+            )
+        super().parse(inventory, loader, path, cache)
+        self._read_config_data(path)
+        self._populate()
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/_import_helper.py b/ansible_collections/community/docker/plugins/module_utils/_api/_import_helper.py
new file mode 100644
index 00000000..0a9e5994
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/_import_helper.py
@@ -0,0 +1,102 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import traceback
+import typing as t
+
+REQUESTS_IMPORT_ERROR: str | None  # pylint: disable=invalid-name
+try:
+    from requests import Session  # noqa: F401, pylint: disable=unused-import
+    from requests.adapters import (  # noqa: F401, pylint: disable=unused-import
+        HTTPAdapter,
+    )
+    from requests.exceptions import (  # noqa: F401, pylint: disable=unused-import
+        HTTPError,
+        InvalidSchema,
+    )
+except ImportError:
+    REQUESTS_IMPORT_ERROR = traceback.format_exc()  # pylint: disable=invalid-name
+
+    class Session:  # type: ignore
+        __attrs__: list[t.Never] = []
+
+    class HTTPAdapter:  # type: ignore
+        __attrs__: list[t.Never] = []
+
+    class HTTPError(Exception):  # type: ignore
+        pass
+
+    class InvalidSchema(Exception):  # type: ignore
+        pass
+
+else:
+    REQUESTS_IMPORT_ERROR = None  # pylint: disable=invalid-name
+
+
+URLLIB3_IMPORT_ERROR: str | None = None  # pylint: disable=invalid-name
+try:
+    from requests.packages import urllib3  # pylint: disable=unused-import
+
+    from requests.packages.urllib3 import (  # type: ignore  # pylint: disable=unused-import  # isort: skip
+        connection as urllib3_connection,
+    )
+except ImportError:
+    try:
+        import urllib3  # pylint: disable=unused-import
+        from urllib3 import (
+            connection as urllib3_connection,  # pylint: disable=unused-import
+        )
+    except ImportError:
+        URLLIB3_IMPORT_ERROR = traceback.format_exc()  # pylint: disable=invalid-name
+
+        class _HTTPConnectionPool:
+            pass
+
+        class _HTTPConnection:
+            pass
+
+        class FakeURLLIB3:
+            def __init__(self) -> None:
+                self._collections = self
+                self.poolmanager = self
+                self.connection = self
+                self.connectionpool = self
+
+                self.RecentlyUsedContainer = object()  # pylint: disable=invalid-name
+                self.PoolManager = object()  # pylint: disable=invalid-name
+                self.match_hostname = object()
+                self.HTTPConnectionPool = (  # pylint: disable=invalid-name
+                    _HTTPConnectionPool
+                )
+
+        class FakeURLLIB3Connection:
+            def __init__(self) -> None:
+                self.HTTPConnection = _HTTPConnection  # pylint: disable=invalid-name
+
+        urllib3 = FakeURLLIB3()
+        urllib3_connection = FakeURLLIB3Connection()
+
+
+def fail_on_missing_imports() -> None:
+    if REQUESTS_IMPORT_ERROR is not None:
+        from .errors import MissingRequirementException  # pylint: disable=cyclic-import
+
+        raise MissingRequirementException(
+            "You have to install requests", "requests", REQUESTS_IMPORT_ERROR
+        )
+    if URLLIB3_IMPORT_ERROR is not None:
+        from .errors import MissingRequirementException  # pylint: disable=cyclic-import
+
+        raise MissingRequirementException(
+            "You have to install urllib3", "urllib3", URLLIB3_IMPORT_ERROR
+        )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/api/client.py b/ansible_collections/community/docker/plugins/module_utils/_api/api/client.py
new file mode 100644
index 00000000..edb55f1e
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/api/client.py
@@ -0,0 +1,1049 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import struct
+import typing as t
+from urllib.parse import quote
+
+from .. import auth
+from .._import_helper import HTTPError as _HTTPError
+from .._import_helper import InvalidSchema as _InvalidSchema
+from .._import_helper import Session as _Session
+from .._import_helper import fail_on_missing_imports
+from ..constants import (
+    DEFAULT_DATA_CHUNK_SIZE,
+    DEFAULT_MAX_POOL_SIZE,
+    DEFAULT_NUM_POOLS,
+    DEFAULT_NUM_POOLS_SSH,
+    DEFAULT_TIMEOUT_SECONDS,
+    DEFAULT_USER_AGENT,
+    IS_WINDOWS_PLATFORM,
+    MINIMUM_DOCKER_API_VERSION,
+    STREAM_HEADER_SIZE_BYTES,
+)
+from ..errors import (
+    DockerException,
+    InvalidVersion,
+    MissingRequirementException,
+    TLSParameterError,
+    create_api_error_from_http_exception,
+)
+from ..tls import TLSConfig
+from ..transport.npipeconn import NpipeHTTPAdapter
+from ..transport.npipesocket import PYWIN32_IMPORT_ERROR
+from ..transport.sshconn import PARAMIKO_IMPORT_ERROR, SSHHTTPAdapter
+from ..transport.ssladapter import SSLHTTPAdapter
+from ..transport.unixconn import UnixHTTPAdapter
+from ..utils import config, json_stream, utils
+from ..utils.decorators import minimum_version, update_headers
+from ..utils.proxy import ProxyConfig
+from ..utils.socket import consume_socket_output, demux_adaptor, frames_iter
+
+if t.TYPE_CHECKING:
+    from requests import Response
+    from requests.adapters import BaseAdapter
+
+    from ..._socket_helper import SocketLike
+
+
+log = logging.getLogger(__name__)
+
+
+class APIClient(_Session):
+    """
+    A low-level client for the Docker Engine API.
+
+    Example:
+
+        >>> import docker
+        >>> client = docker.APIClient(base_url='unix://var/run/docker.sock')
+        >>> client.version()
+        {'ApiVersion': '1.33',
+         'Arch': 'amd64',
+         'BuildTime': '2017-11-19T18:46:37.000000000+00:00',
+         'GitCommit': 'f4ffd2511c',
+         'GoVersion': 'go1.9.2',
+         'KernelVersion': '4.14.3-1-ARCH',
+         'MinAPIVersion': '1.12',
+         'Os': 'linux',
+         'Version': '17.10.0-ce'}
+
+    Args:
+        base_url (str): URL to the Docker server. For example,
+            ``unix:///var/run/docker.sock`` or ``tcp://127.0.0.1:1234``.
+        version (str): The version of the API to use. Set to ``auto`` to
+            automatically detect the server's version. Default: ``1.35``
+        timeout (int): Default timeout for API calls, in seconds.
+        tls (bool or :py:class:`~docker.tls.TLSConfig`): Enable TLS. Pass
+            ``True`` to enable it with default options, or pass a
+            :py:class:`~docker.tls.TLSConfig` object to use custom
+            configuration.
+        user_agent (str): Set a custom user agent for requests to the server.
+        credstore_env (dict): Override environment variables when calling the
+            credential store process.
+        use_ssh_client (bool): If set to `True`, an ssh connection is made
+            via shelling out to the ssh client. Ensure the ssh client is
+            installed and configured on the host.
+        max_pool_size (int): The maximum number of connections
+            to save in the pool.
+    """
+
+    __attrs__ = _Session.__attrs__ + [
+        "_auth_configs",
+        "_general_configs",
+        "_version",
+        "base_url",
+        "timeout",
+    ]
+
+    def __init__(
+        self,
+        base_url: str | None = None,
+        version: str | None = None,
+        timeout: int | float = DEFAULT_TIMEOUT_SECONDS,
+        tls: bool | TLSConfig = False,
+        user_agent: str = DEFAULT_USER_AGENT,
+        num_pools: int | None = None,
+        credstore_env: dict[str, str] | None = None,
+        use_ssh_client: bool = False,
+        max_pool_size: int = DEFAULT_MAX_POOL_SIZE,
+    ) -> None:
+        super().__init__()
+
+        fail_on_missing_imports()
+
+        if tls and not base_url:
+            raise TLSParameterError(
+                "If using TLS, the base_url argument must be provided."
+            )
+
+        self.timeout = timeout
+        self.headers["User-Agent"] = user_agent
+
+        self._general_configs = config.load_general_config()
+
+        proxy_config = self._general_configs.get("proxies", {})
+        try:
+            proxies = proxy_config[base_url]
+        except KeyError:
+            proxies = proxy_config.get("default", {})
+
+        self._proxy_configs = ProxyConfig.from_dict(proxies)
+
+        self._auth_configs = auth.load_config(
+            config_dict=self._general_configs,
+            credstore_env=credstore_env,
+        )
+        self.credstore_env = credstore_env
+
+        base_url = utils.parse_host(base_url, IS_WINDOWS_PLATFORM, tls=bool(tls))
+        self.base_url = base_url
+        # SSH has a different default for num_pools to all other adapters
+        num_pools = (
+            num_pools or DEFAULT_NUM_POOLS_SSH
+            if base_url.startswith("ssh://")
+            else DEFAULT_NUM_POOLS
+        )
+
+        self._custom_adapter: (
+            UnixHTTPAdapter | NpipeHTTPAdapter | SSHHTTPAdapter | SSLHTTPAdapter | None
+        ) = None
+        if base_url.startswith("http+unix://"):
+            self._custom_adapter = UnixHTTPAdapter(
+                base_url,
+                timeout,
+                pool_connections=num_pools,
+                max_pool_size=max_pool_size,
+            )
+            self.mount("http+docker://", self._custom_adapter)
+            self._unmount("http://", "https://")
+            # host part of URL should be unused, but is resolved by requests
+            # module in proxy_bypass_macosx_sysconf()
+            self.base_url = "http+docker://localhost"
+        elif base_url.startswith("npipe://"):
+            if not IS_WINDOWS_PLATFORM:
+                raise DockerException(
+                    "The npipe:// protocol is only supported on Windows"
+                )
+            if PYWIN32_IMPORT_ERROR is not None:
+                raise MissingRequirementException(
+                    "Install pypiwin32 package to enable npipe:// support",
+                    "pywin32",
+                    PYWIN32_IMPORT_ERROR,
+                )
+            self._custom_adapter = NpipeHTTPAdapter(
+                base_url,
+                timeout,
+                pool_connections=num_pools,
+                max_pool_size=max_pool_size,
+            )
+            self.mount("http+docker://", self._custom_adapter)
+            self.base_url = "http+docker://localnpipe"
+        elif base_url.startswith("ssh://"):
+            if PARAMIKO_IMPORT_ERROR is not None and not use_ssh_client:
+                raise MissingRequirementException(
+                    "Install paramiko package to enable ssh:// support",
+                    "paramiko",
+                    PARAMIKO_IMPORT_ERROR,
+                )
+            self._custom_adapter = SSHHTTPAdapter(
+                base_url,
+                timeout,
+                pool_connections=num_pools,
+                max_pool_size=max_pool_size,
+                shell_out=use_ssh_client,
+            )
+            self.mount("http+docker://ssh", self._custom_adapter)
+            self._unmount("http://", "https://")
+            self.base_url = "http+docker://ssh"
+        else:
+            # Use SSLAdapter for the ability to specify SSL version
+            if isinstance(tls, TLSConfig):
+                tls.configure_client(self)
+            elif tls:
+                self._custom_adapter = SSLHTTPAdapter(pool_connections=num_pools)
+                self.mount("https://", self._custom_adapter)
+            self.base_url = base_url
+
+        # version detection needs to be after unix adapter mounting
+        if version is None or (isinstance(version, str) and version.lower() == "auto"):
+            self._version = self._retrieve_server_version()
+        else:
+            self._version = version
+        if not isinstance(self._version, str):
+            raise DockerException(
+                f"Version parameter must be a string or None. Found {type(version).__name__}"
+            )
+        if utils.version_lt(self._version, MINIMUM_DOCKER_API_VERSION):
+            raise InvalidVersion(
+                f"API versions below {MINIMUM_DOCKER_API_VERSION} are no longer supported by this library."
+            )
+
+    def _retrieve_server_version(self) -> str:
+        try:
+            version_result = self.version(api_version=False)
+        except Exception as e:
+            raise DockerException(
+                f"Error while fetching server API version: {e}"
+            ) from e
+
+        try:
+            return version_result["ApiVersion"]
+        except KeyError:
+            raise DockerException(
+                'Invalid response from docker daemon: key "ApiVersion" is missing.'
+            ) from None
+        except Exception as e:
+            raise DockerException(
+                f"Error while fetching server API version: {e}. Response seems to be broken."
+            ) from e
+
+    def _set_request_timeout(self, kwargs: dict[str, t.Any]) -> dict[str, t.Any]:
+        """Prepare the kwargs for an HTTP request by inserting the timeout
+        parameter, if not already present."""
+        kwargs.setdefault("timeout", self.timeout)
+        return kwargs
+
+    @update_headers
+    def _post(self, url: str, **kwargs: t.Any) -> Response:
+        return self.post(url, **self._set_request_timeout(kwargs))
+
+    @update_headers
+    def _get(self, url: str, **kwargs: t.Any) -> Response:
+        return self.get(url, **self._set_request_timeout(kwargs))
+
+    @update_headers
+    def _head(self, url: str, **kwargs: t.Any) -> Response:
+        return self.head(url, **self._set_request_timeout(kwargs))
+
+    @update_headers
+    def _put(self, url: str, **kwargs: t.Any) -> Response:
+        return self.put(url, **self._set_request_timeout(kwargs))
+
+    @update_headers
+    def _delete(self, url: str, **kwargs: t.Any) -> Response:
+        return self.delete(url, **self._set_request_timeout(kwargs))
+
+    def _url(self, pathfmt: str, *args: str, versioned_api: bool = True) -> str:
+        for arg in args:
+            if not isinstance(arg, str):
+                raise ValueError(
+                    f"Expected a string but found {arg} ({type(arg)}) instead"
+                )
+
+        q_args = [quote(arg, safe="/:") for arg in args]
+
+        if versioned_api:
+            return f"{self.base_url}/v{self._version}{pathfmt.format(*q_args)}"
+        return f"{self.base_url}{pathfmt.format(*q_args)}"
+
+    def _raise_for_status(self, response: Response) -> None:
+        """Raises stored :class:`APIError`, if one occurred."""
+        try:
+            response.raise_for_status()
+        except _HTTPError as e:
+            create_api_error_from_http_exception(e)
+
+    @t.overload
+    def _result(
+        self,
+        response: Response,
+        *,
+        get_json: t.Literal[False] = False,
+        get_binary: t.Literal[False] = False,
+    ) -> str: ...
+
+    @t.overload
+    def _result(
+        self,
+        response: Response,
+        *,
+        get_json: t.Literal[True],
+        get_binary: t.Literal[False] = False,
+    ) -> t.Any: ...
+
+    @t.overload
+    def _result(
+        self,
+        response: Response,
+        *,
+        get_json: t.Literal[False] = False,
+        get_binary: t.Literal[True],
+    ) -> bytes: ...
+
+    @t.overload
+    def _result(
+        self, response: Response, *, get_json: bool = False, get_binary: bool = False
+    ) -> t.Any | str | bytes: ...
+
+    def _result(
+        self, response: Response, *, get_json: bool = False, get_binary: bool = False
+    ) -> t.Any | str | bytes:
+        if get_json and get_binary:
+            raise AssertionError("json and binary must not be both True")
+        self._raise_for_status(response)
+
+        if get_json:
+            return response.json()
+        if get_binary:
+            return response.content
+        return response.text
+
+    def _post_json(
+        self, url: str, data: dict[str, str | None] | t.Any, **kwargs: t.Any
+    ) -> Response:
+        # Go <1.1 cannot unserialize null to a string
+        # so we do this disgusting thing here.
+        data2: dict[str, t.Any] = {}
+        if data is not None and isinstance(data, dict):
+            for k, v in data.items():
+                if v is not None:
+                    data2[k] = v
+        elif data is not None:
+            data2 = data
+
+        if "headers" not in kwargs:
+            kwargs["headers"] = {}
+        kwargs["headers"]["Content-Type"] = "application/json"
+        return self._post(url, data=json.dumps(data2), **kwargs)
+
+    def _attach_params(self, override: dict[str, int] | None = None) -> dict[str, int]:
+        return override or {"stdout": 1, "stderr": 1, "stream": 1}
+
+    def _get_raw_response_socket(self, response: Response) -> SocketLike:
+        self._raise_for_status(response)
+        if self.base_url == "http+docker://localnpipe":
+            sock = response.raw._fp.fp.raw.sock  # type: ignore[union-attr]
+        elif self.base_url.startswith("http+docker://ssh"):
+            sock = response.raw._fp.fp.channel  # type: ignore[union-attr]
+        else:
+            sock = response.raw._fp.fp.raw  # type: ignore[union-attr]
+            if self.base_url.startswith("https://"):
+                sock = sock._sock  # type: ignore[union-attr]
+        try:
+            # Keep a reference to the response to stop it being garbage
+            # collected. If the response is garbage collected, it will
+            # close TLS sockets.
+            sock._response = response
+        except AttributeError:
+            # UNIX sockets cannot have attributes set on them, but that's
+            # fine because we will not be doing TLS over them
+            pass
+
+        return sock
+
+    @t.overload
+    def _stream_helper(
+        self, response: Response, *, decode: t.Literal[False] = False
+    ) -> t.Generator[bytes]: ...
+
+    @t.overload
+    def _stream_helper(
+        self, response: Response, *, decode: t.Literal[True]
+    ) -> t.Generator[t.Any]: ...
+
+    def _stream_helper(
+        self, response: Response, *, decode: bool = False
+    ) -> t.Generator[t.Any]:
+        """Generator for data coming from a chunked-encoded HTTP response."""
+
+        if response.raw._fp.chunked:  # type: ignore[union-attr]
+            if decode:
+                yield from json_stream.json_stream(
+                    self._stream_helper(response, decode=False)
+                )
+            else:
+                reader = response.raw
+                while not reader.closed:
+                    # this read call will block until we get a chunk
+                    data = reader.read(1)
+                    if not data:
+                        break
+                    if reader._fp.chunk_left:  # type: ignore[union-attr]
+                        data += reader.read(reader._fp.chunk_left)  # type: ignore[union-attr]
+                    yield data
+        else:
+            # Response is not chunked, meaning we probably
+            # encountered an error immediately
+            yield self._result(response, get_json=decode)
+
+    def _multiplexed_buffer_helper(self, response: Response) -> t.Generator[bytes]:
+        """A generator of multiplexed data blocks read from a buffered
+        response."""
+        buf = self._result(response, get_binary=True)
+        buf_length = len(buf)
+        walker = 0
+        while True:
+            if buf_length - walker < STREAM_HEADER_SIZE_BYTES:
+                break
+            header = buf[walker : walker + STREAM_HEADER_SIZE_BYTES]
+            dummy, length = struct.unpack_from(">BxxxL", header)
+            start = walker + STREAM_HEADER_SIZE_BYTES
+            end = start + length
+            walker = end
+            yield buf[start:end]
+
+    def _multiplexed_response_stream_helper(
+        self, response: Response
+    ) -> t.Generator[bytes]:
+        """A generator of multiplexed data blocks coming from a response
+        stream."""
+
+        # Disable timeout on the underlying socket to prevent
+        # Read timed out(s) for long running processes
+        socket = self._get_raw_response_socket(response)
+        self._disable_socket_timeout(socket)
+
+        while True:
+            header = response.raw.read(STREAM_HEADER_SIZE_BYTES)
+            if not header:
+                break
+            dummy, length = struct.unpack(">BxxxL", header)
+            if not length:
+                continue
+            data = response.raw.read(length)
+            if not data:
+                break
+            yield data
+
+    @t.overload
+    def _stream_raw_result(
+        self, response: Response, *, chunk_size: int = 1, decode: t.Literal[True] = True
+    ) -> t.Generator[str]: ...
+
+    @t.overload
+    def _stream_raw_result(
+        self, response: Response, *, chunk_size: int = 1, decode: t.Literal[False]
+    ) -> t.Generator[bytes]: ...
+
+    def _stream_raw_result(
+        self, response: Response, *, chunk_size: int = 1, decode: bool = True
+    ) -> t.Generator[str | bytes]:
+        """Stream result for TTY-enabled container and raw binary data"""
+        self._raise_for_status(response)
+
+        # Disable timeout on the underlying socket to prevent
+        # Read timed out(s) for long running processes
+        socket = self._get_raw_response_socket(response)
+        self._disable_socket_timeout(socket)
+
+        yield from response.iter_content(chunk_size, decode)
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[True],
+        tty: bool = True,
+        demux: t.Literal[False] = False,
+    ) -> t.Generator[bytes]: ...
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[True],
+        tty: t.Literal[True] = True,
+        demux: t.Literal[True],
+    ) -> t.Generator[tuple[bytes, None]]: ...
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[True],
+        tty: t.Literal[False],
+        demux: t.Literal[True],
+    ) -> t.Generator[tuple[bytes, None] | tuple[None, bytes]]: ...
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[False],
+        tty: bool = True,
+        demux: t.Literal[False] = False,
+    ) -> bytes: ...
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[False],
+        tty: t.Literal[True] = True,
+        demux: t.Literal[True],
+    ) -> tuple[bytes, None]: ...
+
+    @t.overload
+    def _read_from_socket(
+        self,
+        response: Response,
+        *,
+        stream: t.Literal[False],
+        tty: t.Literal[False],
+        demux: t.Literal[True],
+    ) -> tuple[bytes, bytes]: ...
+
+    @t.overload
+    def _read_from_socket(
+        self, response: Response, *, stream: bool, tty: bool = True, demux: bool = False
+    ) -> t.Any: ...
+
+    def _read_from_socket(
+        self, response: Response, *, stream: bool, tty: bool = True, demux: bool = False
+    ) -> t.Any:
+        """Consume all data from the socket, close the response and return the
+        data. If stream=True, then a generator is returned instead and the
+        caller is responsible for closing the response.
+        """
+        socket = self._get_raw_response_socket(response)
+
+        gen = frames_iter(socket, tty)
+
+        if demux:
+            # The generator will output tuples (stdout, stderr)
+            demux_gen: t.Generator[tuple[bytes | None, bytes | None]] = (
+                demux_adaptor(*frame) for frame in gen
+            )
+            if stream:
+                return demux_gen
+            try:
+                # Wait for all the frames, concatenate them, and return the result
+                return consume_socket_output(demux_gen, demux=True)
+            finally:
+                response.close()
+        else:
+            # The generator will output strings
+            mux_gen: t.Generator[bytes] = (data for (dummy, data) in gen)
+            if stream:
+                return mux_gen
+            try:
+                # Wait for all the frames, concatenate them, and return the result
+                return consume_socket_output(mux_gen, demux=False)
+            finally:
+                response.close()
+
+    def _disable_socket_timeout(self, socket: SocketLike) -> None:
+        """Depending on the combination of python version and whether we are
+        connecting over http or https, we might need to access _sock, which
+        may or may not exist; or we may need to just settimeout on socket
+        itself, which also may or may not have settimeout on it. To avoid
+        missing the correct one, we try both.
+
+        We also do not want to set the timeout if it is already disabled, as
+        you run the risk of changing a socket that was non-blocking to
+        blocking, for example when using gevent.
+        """
+        sockets = [socket, getattr(socket, "_sock", None)]
+
+        for s in sockets:
+            if not hasattr(s, "settimeout"):
+                continue
+
+            timeout: int | float | None = -1
+
+            if hasattr(s, "gettimeout"):
+                timeout = s.gettimeout()  # type: ignore[union-attr]
+
+            # Do not change the timeout if it is already disabled.
+            if timeout is None or timeout == 0.0:
+                continue
+
+            s.settimeout(None)  # type: ignore[union-attr]
+
+    @t.overload
+    def _get_result_tty(
+        self, stream: t.Literal[True], res: Response, is_tty: t.Literal[True]
+    ) -> t.Generator[str]: ...
+
+    @t.overload
+    def _get_result_tty(
+        self, stream: t.Literal[True], res: Response, is_tty: t.Literal[False]
+    ) -> t.Generator[bytes]: ...
+
+    @t.overload
+    def _get_result_tty(
+        self, stream: t.Literal[False], res: Response, is_tty: t.Literal[True]
+    ) -> bytes: ...
+
+    @t.overload
+    def _get_result_tty(
+        self, stream: t.Literal[False], res: Response, is_tty: t.Literal[False]
+    ) -> bytes: ...
+
+    def _get_result_tty(self, stream: bool, res: Response, is_tty: bool) -> t.Any:
+        # We should also use raw streaming (without keep-alive)
+        # if we are dealing with a tty-enabled container.
+        if is_tty:
+            return (
+                self._stream_raw_result(res)
+                if stream
+                else self._result(res, get_binary=True)
+            )
+
+        self._raise_for_status(res)
+        sep = b""
+        if stream:
+            return self._multiplexed_response_stream_helper(res)
+        return sep.join(list(self._multiplexed_buffer_helper(res)))
+
+    def _unmount(self, *args: t.Any) -> None:
+        for proto in args:
+            self.adapters.pop(proto)
+
+    def get_adapter(self, url: str) -> BaseAdapter:
+        try:
+            # pylint finds our Session stub instead of requests.Session:
+            # pylint: disable-next=no-member
+            return super().get_adapter(url)
+        except _InvalidSchema as e:
+            if self._custom_adapter:
+                return self._custom_adapter
+            raise e
+
+    @property
+    def api_version(self) -> str:
+        return self._version
+
+    def reload_config(self, dockercfg_path: str | None = None) -> None:
+        """
+        Force a reload of the auth configuration
+
+        Args:
+            dockercfg_path (str): Use a custom path for the Docker config file
+                (default ``$HOME/.docker/config.json`` if present,
+                otherwise ``$HOME/.dockercfg``)
+
+        Returns:
+            None
+        """
+        self._auth_configs = auth.load_config(
+            dockercfg_path, credstore_env=self.credstore_env
+        )
+
+    def _set_auth_headers(self, headers: dict[str, str | bytes]) -> None:
+        log.debug("Looking for auth config")
+
+        # If we do not have any auth data so far, try reloading the config
+        # file one more time in case anything showed up in there.
+        if not self._auth_configs or self._auth_configs.is_empty:
+            log.debug("No auth config in memory - loading from filesystem")
+            self._auth_configs = auth.load_config(credstore_env=self.credstore_env)
+
+        # Send the full auth configuration (if any exists), since the build
+        # could use any (or all) of the registries.
+        if self._auth_configs:
+            auth_data = self._auth_configs.get_all_credentials()
+
+            # See https://github.com/docker/docker-py/issues/1683
+            if auth.INDEX_URL not in auth_data and auth.INDEX_NAME in auth_data:
+                auth_data[auth.INDEX_URL] = auth_data.get(auth.INDEX_NAME, {})
+
+            log.debug("Sending auth config (%s)", ", ".join(repr(k) for k in auth_data))
+
+            if auth_data:
+                headers["X-Registry-Config"] = auth.encode_header(auth_data)
+        else:
+            log.debug("No auth config found")
+
+    def get_binary(self, pathfmt: str, *args: str, **kwargs: t.Any) -> bytes:
+        return self._result(
+            self._get(self._url(pathfmt, *args, versioned_api=True), **kwargs),
+            get_binary=True,
+        )
+
+    def get_json(self, pathfmt: str, *args: str, **kwargs: t.Any) -> t.Any:
+        return self._result(
+            self._get(self._url(pathfmt, *args, versioned_api=True), **kwargs),
+            get_json=True,
+        )
+
+    def get_text(self, pathfmt: str, *args: str, **kwargs: t.Any) -> str:
+        return self._result(
+            self._get(self._url(pathfmt, *args, versioned_api=True), **kwargs)
+        )
+
+    def get_raw_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        chunk_size: int = DEFAULT_DATA_CHUNK_SIZE,
+        **kwargs: t.Any,
+    ) -> t.Generator[bytes]:
+        res = self._get(
+            self._url(pathfmt, *args, versioned_api=True), stream=True, **kwargs
+        )
+        self._raise_for_status(res)
+        return self._stream_raw_result(res, chunk_size=chunk_size, decode=False)
+
+    def delete_call(self, pathfmt: str, *args: str, **kwargs: t.Any) -> None:
+        self._raise_for_status(
+            self._delete(self._url(pathfmt, *args, versioned_api=True), **kwargs)
+        )
+
+    def delete_json(self, pathfmt: str, *args: str, **kwargs: t.Any) -> t.Any:
+        return self._result(
+            self._delete(self._url(pathfmt, *args, versioned_api=True), **kwargs),
+            get_json=True,
+        )
+
+    def post_call(self, pathfmt: str, *args: str, **kwargs: t.Any) -> None:
+        self._raise_for_status(
+            self._post(self._url(pathfmt, *args, versioned_api=True), **kwargs)
+        )
+
+    def post_json(
+        self, pathfmt: str, *args: str, data: t.Any = None, **kwargs: t.Any
+    ) -> None:
+        self._raise_for_status(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True), data, **kwargs
+            )
+        )
+
+    def post_json_to_binary(
+        self, pathfmt: str, *args: str, data: t.Any = None, **kwargs: t.Any
+    ) -> bytes:
+        return self._result(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True), data, **kwargs
+            ),
+            get_binary=True,
+        )
+
+    def post_json_to_json(
+        self, pathfmt: str, *args: str, data: t.Any = None, **kwargs: t.Any
+    ) -> t.Any:
+        return self._result(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True), data, **kwargs
+            ),
+            get_json=True,
+        )
+
+    def post_json_to_text(
+        self, pathfmt: str, *args: str, data: t.Any = None, **kwargs: t.Any
+    ) -> str:
+        return self._result(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True), data, **kwargs
+            ),
+        )
+
+    def post_json_to_stream_socket(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        **kwargs: t.Any,
+    ) -> SocketLike:
+        headers = headers.copy() if headers else {}
+        headers.update(
+            {
+                "Connection": "Upgrade",
+                "Upgrade": "tcp",
+            }
+        )
+        return self._get_raw_response_socket(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True),
+                data,
+                headers=headers,
+                stream=True,
+                **kwargs,
+            )
+        )
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[True],
+        tty: bool = True,
+        demux: t.Literal[False] = False,
+        **kwargs: t.Any,
+    ) -> t.Generator[bytes]: ...
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[True],
+        tty: t.Literal[True] = True,
+        demux: t.Literal[True],
+        **kwargs: t.Any,
+    ) -> t.Generator[tuple[bytes, None]]: ...
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[True],
+        tty: t.Literal[False],
+        demux: t.Literal[True],
+        **kwargs: t.Any,
+    ) -> t.Generator[tuple[bytes, None] | tuple[None, bytes]]: ...
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[False],
+        tty: bool = True,
+        demux: t.Literal[False] = False,
+        **kwargs: t.Any,
+    ) -> bytes: ...
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[False],
+        tty: t.Literal[True] = True,
+        demux: t.Literal[True],
+        **kwargs: t.Any,
+    ) -> tuple[bytes, None]: ...
+
+    @t.overload
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: t.Literal[False],
+        tty: t.Literal[False],
+        demux: t.Literal[True],
+        **kwargs: t.Any,
+    ) -> tuple[bytes, bytes]: ...
+
+    def post_json_to_stream(
+        self,
+        pathfmt: str,
+        *args: str,
+        data: t.Any = None,
+        headers: dict[str, str] | None = None,
+        stream: bool = False,
+        demux: bool = False,
+        tty: bool = False,
+        **kwargs: t.Any,
+    ) -> t.Any:
+        headers = headers.copy() if headers else {}
+        headers.update(
+            {
+                "Connection": "Upgrade",
+                "Upgrade": "tcp",
+            }
+        )
+        return self._read_from_socket(
+            self._post_json(
+                self._url(pathfmt, *args, versioned_api=True),
+                data,
+                headers=headers,
+                stream=True,
+                **kwargs,
+            ),
+            stream=stream,
+            tty=tty,
+            demux=demux,
+        )
+
+    def post_to_json(self, pathfmt: str, *args: str, **kwargs: t.Any) -> t.Any:
+        return self._result(
+            self._post(self._url(pathfmt, *args, versioned_api=True), **kwargs),
+            get_json=True,
+        )
+
+    @minimum_version("1.25")
+    def df(self) -> dict[str, t.Any]:
+        """
+        Get data usage information.
+
+        Returns:
+            (dict): A dictionary representing different resource categories
+            and their respective data usage.
+
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If the server returns an error.
+        """
+        url = self._url("/system/df")
+        return self._result(self._get(url), get_json=True)
+
+    def info(self) -> dict[str, t.Any]:
+        """
+        Display system-wide information. Identical to the ``docker info``
+        command.
+
+        Returns:
+            (dict): The info as a dict
+
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If the server returns an error.
+        """
+        return self._result(self._get(self._url("/info")), get_json=True)
+
+    def login(
+        self,
+        username: str,
+        password: str | None = None,
+        email: str | None = None,
+        registry: str | None = None,
+        reauth: bool = False,
+        dockercfg_path: str | None = None,
+    ) -> dict[str, t.Any]:
+        """
+        Authenticate with a registry. Similar to the ``docker login`` command.
+
+        Args:
+            username (str): The registry username
+            password (str): The plaintext password
+            email (str): The email for the registry account
+            registry (str): URL to the registry.  E.g.
+                ``https://index.docker.io/v1/``
+            reauth (bool): Whether or not to refresh existing authentication on
+                the Docker server.
+            dockercfg_path (str): Use a custom path for the Docker config file
+                (default ``$HOME/.docker/config.json`` if present,
+                otherwise ``$HOME/.dockercfg``)
+
+        Returns:
+            (dict): The response from the login request
+
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If the server returns an error.
+        """
+
+        # If we do not have any auth data so far, try reloading the config file
+        # one more time in case anything showed up in there.
+        # If dockercfg_path is passed check to see if the config file exists,
+        # if so load that config.
+        if dockercfg_path and os.path.exists(dockercfg_path):
+            self._auth_configs = auth.load_config(
+                dockercfg_path, credstore_env=self.credstore_env
+            )
+        elif not self._auth_configs or self._auth_configs.is_empty:
+            self._auth_configs = auth.load_config(credstore_env=self.credstore_env)
+
+        authcfg = self._auth_configs.resolve_authconfig(registry)
+        # If we found an existing auth config for this registry and username
+        # combination, we can return it immediately unless reauth is requested.
+        if authcfg and authcfg.get("username", None) == username and not reauth:
+            return authcfg
+
+        req_data = {
+            "username": username,
+            "password": password,
+            "email": email,
+            "serveraddress": registry,
+        }
+
+        response = self._post_json(self._url("/auth"), data=req_data)
+        if response.status_code == 200:
+            self._auth_configs.add_auth(registry or auth.INDEX_NAME, req_data)
+        return self._result(response, get_json=True)
+
+    def ping(self) -> bool:
+        """
+        Checks the server is responsive. An exception will be raised if it
+        is not responding.
+
+        Returns:
+            (bool) The response from the server.
+
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If the server returns an error.
+        """
+        return self._result(self._get(self._url("/_ping"))) == "OK"
+
+    def version(self, api_version: bool = True) -> dict[str, t.Any]:
+        """
+        Returns version information from the server. Similar to the ``docker
+        version`` command.
+
+        Returns:
+            (dict): The server version information
+
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If the server returns an error.
+        """
+        url = self._url("/version", versioned_api=api_version)
+        return self._result(self._get(url), get_json=True)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/auth.py b/ansible_collections/community/docker/plugins/module_utils/_api/auth.py
new file mode 100644
index 00000000..9cdca63d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/auth.py
@@ -0,0 +1,406 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import base64
+import json
+import logging
+import typing as t
+
+from . import errors
+from .credentials.errors import CredentialsNotFound, StoreError
+from .credentials.store import Store
+from .utils import config
+
+if t.TYPE_CHECKING:
+    from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+        APIClient,
+    )
+
+
+INDEX_NAME = "docker.io"
+INDEX_URL = f"https://index.{INDEX_NAME}/v1/"
+TOKEN_USERNAME = "<token>"
+
+log = logging.getLogger(__name__)
+
+
+def resolve_repository_name(repo_name: str) -> tuple[str, str]:
+    if "://" in repo_name:
+        raise errors.InvalidRepository(
+            f"Repository name cannot contain a scheme ({repo_name})"
+        )
+
+    index_name, remote_name = split_repo_name(repo_name)
+    if index_name[0] == "-" or index_name[-1] == "-":
+        raise errors.InvalidRepository(
+            f"Invalid index name ({index_name}). Cannot begin or end with a hyphen."
+        )
+    return resolve_index_name(index_name), remote_name
+
+
+def resolve_index_name(index_name: str) -> str:
+    index_name = convert_to_hostname(index_name)
+    if index_name == "index." + INDEX_NAME:
+        index_name = INDEX_NAME
+    return index_name
+
+
+def get_config_header(client: APIClient, registry: str) -> bytes | None:
+    log.debug("Looking for auth config")
+    if not client._auth_configs or client._auth_configs.is_empty:
+        log.debug("No auth config in memory - loading from filesystem")
+        client._auth_configs = load_config(credstore_env=client.credstore_env)
+    authcfg = resolve_authconfig(
+        client._auth_configs, registry, credstore_env=client.credstore_env
+    )
+    # Do not fail here if no authentication exists for this
+    # specific registry as we can have a readonly pull. Just
+    # put the header if we can.
+    if authcfg:
+        log.debug("Found auth config")
+        # auth_config needs to be a dict in the format used by
+        # auth.py username , password, serveraddress, email
+        return encode_header(authcfg)
+    log.debug("No auth config found")
+    return None
+
+
+def split_repo_name(repo_name: str) -> tuple[str, str]:
+    parts = repo_name.split("/", 1)
+    if len(parts) == 1 or (
+        "." not in parts[0] and ":" not in parts[0] and parts[0] != "localhost"
+    ):
+        # This is a docker index repo (ex: username/foobar or ubuntu)
+        return INDEX_NAME, repo_name
+    return tuple(parts)  # type: ignore
+
+
+def get_credential_store(
+    authconfig: dict[str, t.Any] | AuthConfig, registry: str
+) -> str | None:
+    if not isinstance(authconfig, AuthConfig):
+        authconfig = AuthConfig(authconfig)
+    return authconfig.get_credential_store(registry)
+
+
+class AuthConfig(dict):
+    def __init__(
+        self, dct: dict[str, t.Any], credstore_env: dict[str, str] | None = None
+    ):
+        if "auths" not in dct:
+            dct["auths"] = {}
+        self.update(dct)
+        self._credstore_env = credstore_env
+        self._stores: dict[str, Store] = {}
+
+    @classmethod
+    def parse_auth(
+        cls, entries: dict[str, dict[str, t.Any]], raise_on_error: bool = False
+    ) -> dict[str, dict[str, t.Any]]:
+        """
+        Parses authentication entries
+
+        Args:
+          entries:        Dict of authentication entries.
+          raise_on_error: If set to true, an invalid format will raise
+                          InvalidConfigFile
+
+        Returns:
+          Authentication registry.
+        """
+
+        conf: dict[str, dict[str, t.Any]] = {}
+        for registry, entry in entries.items():
+            if not isinstance(entry, dict):
+                log.debug("Config entry for key %s is not auth config", registry)  # type: ignore
+                # We sometimes fall back to parsing the whole config as if it
+                # was the auth config by itself, for legacy purposes. In that
+                # case, we fail silently and return an empty conf if any of the
+                # keys is not formatted properly.
+                if raise_on_error:
+                    raise errors.InvalidConfigFile(
+                        f"Invalid configuration for registry {registry}"
+                    )
+                return {}
+            if "identitytoken" in entry:
+                log.debug("Found an IdentityToken entry for registry %s", registry)
+                conf[registry] = {"IdentityToken": entry["identitytoken"]}
+                continue  # Other values are irrelevant if we have a token
+
+            if "auth" not in entry:
+                # Starting with engine v1.11 (API 1.23), an empty dictionary is
+                # a valid value in the auths config.
+                # https://github.com/docker/compose/issues/3265
+                log.debug(
+                    "Auth data for %s is absent. Client might be using a credentials store instead.",
+                    registry,
+                )
+                conf[registry] = {}
+                continue
+
+            username, password = decode_auth(entry["auth"])
+            log.debug(
+                "Found entry (registry=%s, username=%s)", repr(registry), repr(username)
+            )
+
+            conf[registry] = {
+                "username": username,
+                "password": password,
+                "email": entry.get("email"),
+                "serveraddress": registry,
+            }
+        return conf
+
+    @classmethod
+    def load_config(
+        cls,
+        config_path: str | None,
+        config_dict: dict[str, t.Any] | None,
+        credstore_env: dict[str, str] | None = None,
+    ) -> t.Self:
+        """
+        Loads authentication data from a Docker configuration file in the given
+        root directory or if config_path is passed use given path.
+        Lookup priority:
+            explicit config_path parameter > DOCKER_CONFIG environment
+            variable > ~/.docker/config.json > ~/.dockercfg
+        """
+
+        if not config_dict:
+            config_file = config.find_config_file(config_path)
+
+            if not config_file:
+                return cls({}, credstore_env)
+            try:
+                with open(config_file, "rt", encoding="utf-8") as f:
+                    config_dict = json.load(f)
+            except (IOError, KeyError, ValueError) as e:
+                # Likely missing new Docker config file or it is in an
+                # unknown format, continue to attempt to read old location
+                # and format.
+                log.debug(e)
+                return cls(_load_legacy_config(config_file), credstore_env)
+
+        res = {}
+        if config_dict.get("auths"):
+            log.debug("Found 'auths' section")
+            res.update(
+                {"auths": cls.parse_auth(config_dict.pop("auths"), raise_on_error=True)}
+            )
+        if config_dict.get("credsStore"):
+            log.debug("Found 'credsStore' section")
+            res.update({"credsStore": config_dict.pop("credsStore")})
+        if config_dict.get("credHelpers"):
+            log.debug("Found 'credHelpers' section")
+            res.update({"credHelpers": config_dict.pop("credHelpers")})
+        if res:
+            return cls(res, credstore_env)
+
+        log.debug(
+            "Could not find auth-related section ; attempting to interpret "
+            "as auth-only file"
+        )
+        return cls({"auths": cls.parse_auth(config_dict)}, credstore_env)
+
+    @property
+    def auths(self) -> dict[str, dict[str, t.Any]]:
+        return self.get("auths", {})
+
+    @property
+    def creds_store(self) -> str | None:
+        return self.get("credsStore", None)
+
+    @property
+    def cred_helpers(self) -> dict[str, t.Any]:
+        return self.get("credHelpers", {})
+
+    @property
+    def is_empty(self) -> bool:
+        return not self.auths and not self.creds_store and not self.cred_helpers
+
+    def resolve_authconfig(
+        self, registry: str | None = None
+    ) -> dict[str, t.Any] | None:
+        """
+        Returns the authentication data from the given auth configuration for a
+        specific registry. As with the Docker client, legacy entries in the
+        config with full URLs are stripped down to hostnames before checking
+        for a match. Returns None if no match was found.
+        """
+
+        if self.creds_store or self.cred_helpers:
+            store_name = self.get_credential_store(registry)
+            if store_name is not None:
+                log.debug('Using credentials store "%s"', store_name)
+                cfg = self._resolve_authconfig_credstore(registry, store_name)
+                if cfg is not None:
+                    return cfg
+                log.debug("No entry in credstore - fetching from auth dict")
+
+        # Default to the public index server
+        registry = resolve_index_name(registry) if registry else INDEX_NAME
+        log.debug("Looking for auth entry for %s", repr(registry))
+
+        if registry in self.auths:
+            log.debug("Found %s", repr(registry))
+            return self.auths[registry]
+
+        for key, conf in self.auths.items():
+            if resolve_index_name(key) == registry:
+                log.debug("Found %s", repr(key))
+                return conf
+
+        log.debug("No entry found")
+        return None
+
+    def _resolve_authconfig_credstore(
+        self, registry: str | None, credstore_name: str
+    ) -> dict[str, t.Any] | None:
+        if not registry or registry == INDEX_NAME:
+            # The ecosystem is a little schizophrenic with index.docker.io VS
+            # docker.io - in that case, it seems the full URL is necessary.
+            registry = INDEX_URL
+        log.debug("Looking for auth entry for %s", repr(registry))
+        store = self._get_store_instance(credstore_name)
+        try:
+            data = store.get(registry)
+            res = {
+                "ServerAddress": registry,
+            }
+            if data["Username"] == TOKEN_USERNAME:
+                res["IdentityToken"] = data["Secret"]
+            else:
+                res.update(
+                    {
+                        "Username": data["Username"],
+                        "Password": data["Secret"],
+                    }
+                )
+            return res
+        except CredentialsNotFound:
+            log.debug("No entry found")
+            return None
+        except StoreError as e:
+            raise errors.DockerException(f"Credentials store error: {e}") from e
+
+    def _get_store_instance(self, name: str) -> Store:
+        if name not in self._stores:
+            self._stores[name] = Store(name, environment=self._credstore_env)
+        return self._stores[name]
+
+    def get_credential_store(self, registry: str | None) -> str | None:
+        if not registry or registry == INDEX_NAME:
+            registry = INDEX_URL
+
+        return self.cred_helpers.get(registry) or self.creds_store
+
+    def get_all_credentials(self) -> dict[str, dict[str, t.Any] | None]:
+        auth_data: dict[str, dict[str, t.Any] | None] = self.auths.copy()  # type: ignore
+        if self.creds_store:
+            # Retrieve all credentials from the default store
+            store = self._get_store_instance(self.creds_store)
+            for k in store.list():
+                auth_data[k] = self._resolve_authconfig_credstore(k, self.creds_store)
+                auth_data[convert_to_hostname(k)] = auth_data[k]
+
+        # credHelpers entries take priority over all others
+        for reg, store_name in self.cred_helpers.items():
+            auth_data[reg] = self._resolve_authconfig_credstore(reg, store_name)
+            auth_data[convert_to_hostname(reg)] = auth_data[reg]
+
+        return auth_data
+
+    def add_auth(self, reg: str, data: dict[str, t.Any]) -> None:
+        self["auths"][reg] = data
+
+
+def resolve_authconfig(
+    authconfig: AuthConfig | dict[str, t.Any],
+    registry: str | None = None,
+    credstore_env: dict[str, str] | None = None,
+) -> dict[str, t.Any] | None:
+    if not isinstance(authconfig, AuthConfig):
+        authconfig = AuthConfig(authconfig, credstore_env)
+    return authconfig.resolve_authconfig(registry)
+
+
+def convert_to_hostname(url: str) -> str:
+    return url.replace("http://", "").replace("https://", "").split("/", 1)[0]
+
+
+def decode_auth(auth: str | bytes) -> tuple[str, str]:
+    if isinstance(auth, str):
+        auth = auth.encode("ascii")
+    s = base64.b64decode(auth)
+    login, pwd = s.split(b":", 1)
+    return login.decode("utf8"), pwd.decode("utf8")
+
+
+def encode_header(auth: dict[str, t.Any]) -> bytes:
+    auth_json = json.dumps(auth).encode("ascii")
+    return base64.urlsafe_b64encode(auth_json)
+
+
+def parse_auth(
+    entries: dict[str, dict[str, t.Any]], raise_on_error: bool = False
+) -> dict[str, dict[str, t.Any]]:
+    """
+    Parses authentication entries
+
+    Args:
+      entries:        Dict of authentication entries.
+      raise_on_error: If set to true, an invalid format will raise
+                      InvalidConfigFile
+
+    Returns:
+      Authentication registry.
+    """
+
+    return AuthConfig.parse_auth(entries, raise_on_error)
+
+
+def load_config(
+    config_path: str | None = None,
+    config_dict: dict[str, t.Any] | None = None,
+    credstore_env: dict[str, str] | None = None,
+) -> AuthConfig:
+    return AuthConfig.load_config(config_path, config_dict, credstore_env)
+
+
+def _load_legacy_config(config_file: str) -> dict[str, dict[str, t.Any]]:
+    log.debug("Attempting to parse legacy auth file format")
+    try:
+        data = []
+        with open(config_file, "rt", encoding="utf-8") as f:
+            for line in f.readlines():
+                data.append(line.strip().split(" = ")[1])
+            if len(data) < 2:
+                # Not enough data
+                raise errors.InvalidConfigFile("Invalid or empty configuration file!")
+
+        username, password = decode_auth(data[0])
+        return {
+            "auths": {
+                INDEX_NAME: {
+                    "username": username,
+                    "password": password,
+                    "email": data[1],
+                    "serveraddress": INDEX_URL,
+                }
+            }
+        }
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        log.debug(e)
+
+    log.debug("All parsing attempts failed - returning empty config")
+    return {}
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/constants.py b/ansible_collections/community/docker/plugins/module_utils/_api/constants.py
new file mode 100644
index 00000000..789a98bd
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/constants.py
@@ -0,0 +1,40 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import sys
+
+MINIMUM_DOCKER_API_VERSION = "1.21"
+DEFAULT_TIMEOUT_SECONDS = 60
+STREAM_HEADER_SIZE_BYTES = 8
+CONTAINER_LIMITS_KEYS = ["memory", "memswap", "cpushares", "cpusetcpus"]
+
+DEFAULT_HTTP_HOST = "127.0.0.1"
+DEFAULT_UNIX_SOCKET = "http+unix:///var/run/docker.sock"
+DEFAULT_NPIPE = "npipe:////./pipe/docker_engine"
+
+BYTE_UNITS = {"b": 1, "k": 1024, "m": 1024 * 1024, "g": 1024 * 1024 * 1024}
+
+IS_WINDOWS_PLATFORM = sys.platform == "win32"
+WINDOWS_LONGPATH_PREFIX = "\\\\?\\"
+
+DEFAULT_USER_AGENT = "ansible-community.docker"
+DEFAULT_NUM_POOLS = 25
+
+# The OpenSSH server default value for MaxSessions is 10 which means we can
+# use up to 9, leaving the final session for the underlying SSH connection.
+# For more details see: https://github.com/docker/docker-py/issues/2246
+DEFAULT_NUM_POOLS_SSH = 9
+
+DEFAULT_MAX_POOL_SIZE = 10
+
+DEFAULT_DATA_CHUNK_SIZE = 1024 * 2048
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/context/api.py b/ansible_collections/community/docker/plugins/module_utils/_api/context/api.py
new file mode 100644
index 00000000..9cc7a950
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/context/api.py
@@ -0,0 +1,253 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2025 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import os
+import typing as t
+
+from .. import errors
+from .config import (
+    METAFILE,
+    get_current_context_name,
+    get_meta_dir,
+    write_context_name_to_docker_config,
+)
+from .context import Context
+
+if t.TYPE_CHECKING:
+    from ..tls import TLSConfig
+
+
+def create_default_context() -> Context:
+    host = None
+    if os.environ.get("DOCKER_HOST"):
+        host = os.environ.get("DOCKER_HOST")
+    return Context(
+        "default", "swarm", host, description="Current DOCKER_HOST based configuration"
+    )
+
+
+class ContextAPI:
+    """Context API.
+    Contains methods for context management:
+    create, list, remove, get, inspect.
+    """
+
+    DEFAULT_CONTEXT = None
+
+    @classmethod
+    def get_default_context(cls) -> Context:
+        context = cls.DEFAULT_CONTEXT
+        if context is None:
+            context = create_default_context()
+            cls.DEFAULT_CONTEXT = context
+        return context
+
+    @classmethod
+    def create_context(
+        cls,
+        name: str,
+        orchestrator: str | None = None,
+        host: str | None = None,
+        tls_cfg: TLSConfig | None = None,
+        default_namespace: str | None = None,
+        skip_tls_verify: bool = False,
+    ) -> Context:
+        """Creates a new context.
+        Returns:
+            (Context): a Context object.
+        Raises:
+            :py:class:`docker.errors.MissingContextParameter`
+                If a context name is not provided.
+            :py:class:`docker.errors.ContextAlreadyExists`
+                If a context with the name already exists.
+            :py:class:`docker.errors.ContextException`
+                If name is default.
+
+        Example:
+
+        >>> from docker.context import ContextAPI
+        >>> ctx = ContextAPI.create_context(name='test')
+        >>> print(ctx.Metadata)
+        {
+            "Name": "test",
+            "Metadata": {},
+            "Endpoints": {
+                "docker": {
+                    "Host": "unix:///var/run/docker.sock",
+                    "SkipTLSVerify": false
+                }
+            }
+        }
+        """
+        if not name:
+            raise errors.MissingContextParameter("name")
+        if name == "default":
+            raise errors.ContextException('"default" is a reserved context name')
+        ctx = Context.load_context(name)
+        if ctx:
+            raise errors.ContextAlreadyExists(name)
+        endpoint = "docker"
+        if orchestrator and orchestrator != "swarm":
+            endpoint = orchestrator
+        ctx = Context(name, orchestrator)
+        ctx.set_endpoint(
+            endpoint,
+            host,
+            tls_cfg,
+            skip_tls_verify=skip_tls_verify,
+            def_namespace=default_namespace,
+        )
+        ctx.save()
+        return ctx
+
+    @classmethod
+    def get_context(cls, name: str | None = None) -> Context | None:
+        """Retrieves a context object.
+        Args:
+            name (str): The name of the context
+
+        Example:
+
+        >>> from docker.context import ContextAPI
+        >>> ctx = ContextAPI.get_context(name='test')
+        >>> print(ctx.Metadata)
+        {
+            "Name": "test",
+            "Metadata": {},
+            "Endpoints": {
+                "docker": {
+                "Host": "unix:///var/run/docker.sock",
+                "SkipTLSVerify": false
+                }
+            }
+        }
+        """
+        if not name:
+            name = get_current_context_name()
+        if name == "default":
+            return cls.get_default_context()
+        return Context.load_context(name)
+
+    @classmethod
+    def contexts(cls) -> list[Context]:
+        """Context list.
+        Returns:
+            (Context): List of context objects.
+        Raises:
+            :py:class:`docker.errors.APIError`
+                If something goes wrong.
+        """
+        names = []
+        for dirname, dummy, fnames in os.walk(get_meta_dir()):
+            for filename in fnames:
+                if filename == METAFILE:
+                    filepath = os.path.join(dirname, filename)
+                    try:
+                        with open(filepath, "rt", encoding="utf-8") as f:
+                            data = json.load(f)
+                        name = data["Name"]
+                        if name == "default":
+                            raise ValueError('"default" is a reserved context name')
+                        names.append(name)
+                    except Exception as e:
+                        raise errors.ContextException(
+                            f"Failed to load metafile {filepath}: {e}"
+                        ) from e
+
+        contexts = [cls.get_default_context()]
+        for name in names:
+            context = Context.load_context(name)
+            if not context:
+                raise errors.ContextException(f"Context {name} cannot be found")
+            contexts.append(context)
+        return contexts
+
+    @classmethod
+    def get_current_context(cls) -> Context | None:
+        """Get current context.
+        Returns:
+            (Context): current context object.
+        """
+        return cls.get_context()
+
+    @classmethod
+    def set_current_context(cls, name: str = "default") -> None:
+        ctx = cls.get_context(name)
+        if not ctx:
+            raise errors.ContextNotFound(name)
+
+        err = write_context_name_to_docker_config(name)
+        if err:
+            raise errors.ContextException(f"Failed to set current context: {err}")
+
+    @classmethod
+    def remove_context(cls, name: str) -> None:
+        """Remove a context. Similar to the ``docker context rm`` command.
+
+        Args:
+            name (str): The name of the context
+
+        Raises:
+            :py:class:`docker.errors.MissingContextParameter`
+                If a context name is not provided.
+            :py:class:`docker.errors.ContextNotFound`
+                If a context with the name does not exist.
+            :py:class:`docker.errors.ContextException`
+                If name is default.
+
+        Example:
+
+        >>> from docker.context import ContextAPI
+        >>> ContextAPI.remove_context(name='test')
+        >>>
+        """
+        if not name:
+            raise errors.MissingContextParameter("name")
+        if name == "default":
+            raise errors.ContextException('context "default" cannot be removed')
+        ctx = Context.load_context(name)
+        if not ctx:
+            raise errors.ContextNotFound(name)
+        if name == get_current_context_name():
+            write_context_name_to_docker_config(None)
+        ctx.remove()
+
+    @classmethod
+    def inspect_context(cls, name: str = "default") -> dict[str, t.Any]:
+        """Inspect a context. Similar to the ``docker context inspect`` command.
+
+        Args:
+            name (str): The name of the context
+
+        Raises:
+            :py:class:`docker.errors.MissingContextParameter`
+                If a context name is not provided.
+            :py:class:`docker.errors.ContextNotFound`
+                If a context with the name does not exist.
+
+        Example:
+
+        >>> from docker.context import ContextAPI
+        >>> ContextAPI.remove_context(name='test')
+        >>>
+        """
+        if not name:
+            raise errors.MissingContextParameter("name")
+        if name == "default":
+            return cls.get_default_context()()
+        ctx = Context.load_context(name)
+        if not ctx:
+            raise errors.ContextNotFound(name)
+
+        return ctx()
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/context/config.py b/ansible_collections/community/docker/plugins/module_utils/_api/context/config.py
new file mode 100644
index 00000000..89d83277
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/context/config.py
@@ -0,0 +1,107 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2025 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import hashlib
+import json
+import os
+
+from ..constants import DEFAULT_UNIX_SOCKET, IS_WINDOWS_PLATFORM
+from ..utils.config import find_config_file, get_default_config_file
+from ..utils.utils import parse_host
+
+METAFILE = "meta.json"
+
+
+def get_current_context_name_with_source() -> tuple[str, str]:
+    if os.environ.get("DOCKER_HOST"):
+        return "default", "DOCKER_HOST environment variable set"
+    if os.environ.get("DOCKER_CONTEXT"):
+        return os.environ["DOCKER_CONTEXT"], "DOCKER_CONTEXT environment variable set"
+    docker_cfg_path = find_config_file()
+    if docker_cfg_path:
+        try:
+            with open(docker_cfg_path, "rt", encoding="utf-8") as f:
+                return (
+                    json.load(f).get("currentContext", "default"),
+                    f"configuration file {docker_cfg_path}",
+                )
+        except Exception:  # pylint: disable=broad-exception-caught
+            pass
+    return "default", "fallback value"
+
+
+def get_current_context_name() -> str:
+    return get_current_context_name_with_source()[0]
+
+
+def write_context_name_to_docker_config(name: str | None = None) -> Exception | None:
+    if name == "default":
+        name = None
+    docker_cfg_path = find_config_file()
+    config = {}
+    if docker_cfg_path:
+        try:
+            with open(docker_cfg_path, "rt", encoding="utf-8") as f:
+                config = json.load(f)
+        except Exception as e:  # pylint: disable=broad-exception-caught
+            return e
+    current_context = config.get("currentContext", None)
+    if current_context and not name:
+        del config["currentContext"]
+    elif name:
+        config["currentContext"] = name
+    else:
+        return None
+    if not docker_cfg_path:
+        docker_cfg_path = get_default_config_file()
+    try:
+        with open(docker_cfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f, indent=4)
+        return None
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        return e
+
+
+def get_context_id(name: str) -> str:
+    return hashlib.sha256(name.encode("utf-8")).hexdigest()
+
+
+def get_context_dir() -> str:
+    docker_cfg_path = find_config_file() or get_default_config_file()
+    return os.path.join(os.path.dirname(docker_cfg_path), "contexts")
+
+
+def get_meta_dir(name: str | None = None) -> str:
+    meta_dir = os.path.join(get_context_dir(), "meta")
+    if name:
+        return os.path.join(meta_dir, get_context_id(name))
+    return meta_dir
+
+
+def get_meta_file(name: str) -> str:
+    return os.path.join(get_meta_dir(name), METAFILE)
+
+
+def get_tls_dir(name: str | None = None, endpoint: str = "") -> str:
+    context_dir = get_context_dir()
+    if name:
+        return os.path.join(context_dir, "tls", get_context_id(name), endpoint)
+    return os.path.join(context_dir, "tls")
+
+
+def get_context_host(path: str | None = None, tls: bool = False) -> str:
+    host = parse_host(path, IS_WINDOWS_PLATFORM, tls)
+    if host == DEFAULT_UNIX_SOCKET and host.startswith("http+"):
+        # remove http+ from default docker socket url
+        host = host[5:]
+    return host
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/context/context.py b/ansible_collections/community/docker/plugins/module_utils/_api/context/context.py
new file mode 100644
index 00000000..10267d49
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/context/context.py
@@ -0,0 +1,286 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2025 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import os
+import typing as t
+from shutil import copyfile, rmtree
+
+from ..errors import ContextException
+from ..tls import TLSConfig
+from .config import (
+    get_context_host,
+    get_meta_dir,
+    get_meta_file,
+    get_tls_dir,
+)
+
+IN_MEMORY = "IN MEMORY"
+
+
+class Context:
+    """A context."""
+
+    def __init__(
+        self,
+        name: str,
+        orchestrator: str | None = None,
+        host: str | None = None,
+        endpoints: dict[str, dict[str, t.Any]] | None = None,
+        skip_tls_verify: bool = False,
+        tls: bool = False,
+        description: str | None = None,
+    ) -> None:
+        if not name:
+            raise ValueError("Name not provided")
+        self.name = name
+        self.context_type = None
+        self.orchestrator = orchestrator
+        self.endpoints = {}
+        self.tls_cfg: dict[str, TLSConfig] = {}
+        self.meta_path = IN_MEMORY
+        self.tls_path = IN_MEMORY
+        self.description = description
+
+        if not endpoints:
+            # set default docker endpoint if no endpoint is set
+            default_endpoint = (
+                "docker"
+                if (not orchestrator or orchestrator == "swarm")
+                else orchestrator
+            )
+
+            self.endpoints = {
+                default_endpoint: {
+                    "Host": get_context_host(host, skip_tls_verify or tls),
+                    "SkipTLSVerify": skip_tls_verify,
+                }
+            }
+            return
+
+        # check docker endpoints
+        for k, v in endpoints.items():
+            if not isinstance(v, dict):
+                # unknown format
+                raise ContextException(
+                    f"Unknown endpoint format for context {name}: {v}",
+                )
+
+            self.endpoints[k] = v
+            if k != "docker":
+                continue
+
+            self.endpoints[k]["Host"] = v.get(
+                "Host", get_context_host(host, skip_tls_verify or tls)
+            )
+            self.endpoints[k]["SkipTLSVerify"] = bool(
+                v.get("SkipTLSVerify", skip_tls_verify)
+            )
+
+    def set_endpoint(
+        self,
+        name: str = "docker",
+        host: str | None = None,
+        tls_cfg: TLSConfig | None = None,
+        skip_tls_verify: bool = False,
+        def_namespace: str | None = None,
+    ) -> None:
+        self.endpoints[name] = {
+            "Host": get_context_host(host, not skip_tls_verify or tls_cfg is not None),
+            "SkipTLSVerify": skip_tls_verify,
+        }
+        if def_namespace:
+            self.endpoints[name]["DefaultNamespace"] = def_namespace
+
+        if tls_cfg:
+            self.tls_cfg[name] = tls_cfg
+
+    def inspect(self) -> dict[str, t.Any]:
+        return self()
+
+    @classmethod
+    def load_context(cls, name: str) -> t.Self | None:
+        meta = Context._load_meta(name)
+        if meta:
+            instance = cls(
+                meta["Name"],
+                orchestrator=meta["Metadata"].get("StackOrchestrator", None),
+                endpoints=meta.get("Endpoints", None),
+                description=meta["Metadata"].get("Description"),
+            )
+            instance.context_type = meta["Metadata"].get("Type", None)
+            instance._load_certs()
+            instance.meta_path = get_meta_dir(name)
+            return instance
+        return None
+
+    @classmethod
+    def _load_meta(cls, name: str) -> dict[str, t.Any] | None:
+        meta_file = get_meta_file(name)
+        if not os.path.isfile(meta_file):
+            return None
+
+        metadata: dict[str, t.Any] = {}
+        try:
+            with open(meta_file, "rt", encoding="utf-8") as f:
+                metadata = json.load(f)
+        except (OSError, KeyError, ValueError) as e:
+            # unknown format
+            raise RuntimeError(
+                f"Detected corrupted meta file for context {name} : {e}"
+            ) from e
+
+        # for docker endpoints, set defaults for
+        # Host and SkipTLSVerify fields
+        for k, v in metadata["Endpoints"].items():
+            if k != "docker":
+                continue
+            metadata["Endpoints"][k]["Host"] = v.get(
+                "Host", get_context_host(None, False)
+            )
+            metadata["Endpoints"][k]["SkipTLSVerify"] = bool(
+                v.get("SkipTLSVerify", True)
+            )
+
+        return metadata
+
+    def _load_certs(self) -> None:
+        certs = {}
+        tls_dir = get_tls_dir(self.name)
+        for endpoint in self.endpoints:
+            if not os.path.isdir(os.path.join(tls_dir, endpoint)):
+                continue
+            ca_cert = None
+            cert = None
+            key = None
+            for filename in os.listdir(os.path.join(tls_dir, endpoint)):
+                if filename.startswith("ca"):
+                    ca_cert = os.path.join(tls_dir, endpoint, filename)
+                elif filename.startswith("cert"):
+                    cert = os.path.join(tls_dir, endpoint, filename)
+                elif filename.startswith("key"):
+                    key = os.path.join(tls_dir, endpoint, filename)
+            if all([cert, key]) or ca_cert:
+                verify = None
+                if endpoint == "docker" and not self.endpoints["docker"].get(
+                    "SkipTLSVerify", False
+                ):
+                    verify = True
+                certs[endpoint] = TLSConfig(
+                    client_cert=(cert, key) if cert and key else None,
+                    ca_cert=ca_cert,
+                    verify=verify,
+                )
+        self.tls_cfg = certs
+        self.tls_path = tls_dir
+
+    def save(self) -> None:
+        meta_dir = get_meta_dir(self.name)
+        if not os.path.isdir(meta_dir):
+            os.makedirs(meta_dir)
+        with open(get_meta_file(self.name), "wt", encoding="utf-8") as f:
+            f.write(json.dumps(self.Metadata))
+
+        tls_dir = get_tls_dir(self.name)
+        for endpoint, tls in self.tls_cfg.items():
+            if not os.path.isdir(os.path.join(tls_dir, endpoint)):
+                os.makedirs(os.path.join(tls_dir, endpoint))
+
+            ca_file = tls.ca_cert
+            if ca_file:
+                copyfile(
+                    ca_file, os.path.join(tls_dir, endpoint, os.path.basename(ca_file))
+                )
+
+            if tls.cert:
+                cert_file, key_file = tls.cert
+                copyfile(
+                    cert_file,
+                    os.path.join(tls_dir, endpoint, os.path.basename(cert_file)),
+                )
+                copyfile(
+                    key_file,
+                    os.path.join(tls_dir, endpoint, os.path.basename(key_file)),
+                )
+
+        self.meta_path = get_meta_dir(self.name)
+        self.tls_path = get_tls_dir(self.name)
+
+    def remove(self) -> None:
+        if os.path.isdir(self.meta_path):
+            rmtree(self.meta_path)
+        if os.path.isdir(self.tls_path):
+            rmtree(self.tls_path)
+
+    def __repr__(self) -> str:
+        return f"<{self.__class__.__name__}: '{self.name}'>"
+
+    def __str__(self) -> str:
+        return json.dumps(self.__call__(), indent=2)
+
+    def __call__(self) -> dict[str, t.Any]:
+        result = self.Metadata
+        result.update(self.TLSMaterial)
+        result.update(self.Storage)
+        return result
+
+    def is_docker_host(self) -> bool:
+        return self.context_type is None
+
+    @property
+    def Name(self) -> str:  # pylint: disable=invalid-name
+        return self.name
+
+    @property
+    def Host(self) -> str | None:  # pylint: disable=invalid-name
+        if not self.orchestrator or self.orchestrator == "swarm":
+            endpoint = self.endpoints.get("docker", None)
+            if endpoint:
+                return endpoint.get("Host", None)  # type: ignore
+            return None
+
+        return self.endpoints[self.orchestrator].get("Host", None)  # type: ignore
+
+    @property
+    def Orchestrator(self) -> str | None:  # pylint: disable=invalid-name
+        return self.orchestrator
+
+    @property
+    def Metadata(self) -> dict[str, t.Any]:  # pylint: disable=invalid-name
+        meta: dict[str, t.Any] = {}
+        if self.orchestrator:
+            meta = {"StackOrchestrator": self.orchestrator}
+        return {"Name": self.name, "Metadata": meta, "Endpoints": self.endpoints}
+
+    @property
+    def TLSConfig(self) -> TLSConfig | None:  # pylint: disable=invalid-name
+        key = self.orchestrator
+        if not key or key == "swarm":
+            key = "docker"
+        if key in self.tls_cfg:
+            return self.tls_cfg[key]
+        return None
+
+    @property
+    def TLSMaterial(self) -> dict[str, t.Any]:  # pylint: disable=invalid-name
+        certs: dict[str, t.Any] = {}
+        for endpoint, tls in self.tls_cfg.items():
+            paths = [tls.ca_cert, *tls.cert] if tls.cert else [tls.ca_cert]
+            certs[endpoint] = [
+                os.path.basename(path) if path else None for path in paths
+            ]
+        return {"TLSMaterial": certs}
+
+    @property
+    def Storage(self) -> dict[str, t.Any]:  # pylint: disable=invalid-name
+        return {"Storage": {"MetadataPath": self.meta_path, "TLSPath": self.tls_path}}
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/credentials/constants.py b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/constants.py
new file mode 100644
index 00000000..9faa2cfa
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/constants.py
@@ -0,0 +1,17 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+PROGRAM_PREFIX = "docker-credential-"
+DEFAULT_LINUX_STORE = "secretservice"
+DEFAULT_OSX_STORE = "osxkeychain"
+DEFAULT_WIN32_STORE = "wincred"
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/credentials/errors.py b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/errors.py
new file mode 100644
index 00000000..b0c2055b
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/errors.py
@@ -0,0 +1,38 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+if t.TYPE_CHECKING:
+    from subprocess import CalledProcessError
+
+
+class StoreError(RuntimeError):
+    pass
+
+
+class CredentialsNotFound(StoreError):
+    pass
+
+
+class InitializationError(StoreError):
+    pass
+
+
+def process_store_error(cpe: CalledProcessError, program: str) -> StoreError:
+    message = cpe.output.decode("utf-8")
+    if "credentials not found in native keychain" in message:
+        return CredentialsNotFound(f"No matching credentials in {program}")
+    return StoreError(
+        f'Credentials store {program} exited with "{cpe.output.decode("utf-8").strip()}".'
+    )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/credentials/store.py b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/store.py
new file mode 100644
index 00000000..a62f0085
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/store.py
@@ -0,0 +1,102 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import errno
+import json
+import subprocess
+import typing as t
+
+from . import constants, errors
+from .utils import create_environment_dict, find_executable
+
+
+class Store:
+    def __init__(self, program: str, environment: dict[str, str] | None = None) -> None:
+        """Create a store object that acts as an interface to
+        perform the basic operations for storing, retrieving
+        and erasing credentials using `program`.
+        """
+        self.program = constants.PROGRAM_PREFIX + program
+        self.exe = find_executable(self.program)
+        self.environment = environment
+        if self.exe is None:
+            raise errors.InitializationError(
+                f"{self.program} not installed or not available in PATH"
+            )
+
+    def get(self, server: str | bytes) -> dict[str, t.Any]:
+        """Retrieve credentials for `server`. If no credentials are found,
+        a `StoreError` will be raised.
+        """
+        if not isinstance(server, bytes):
+            server = server.encode("utf-8")
+        data = self._execute("get", server)
+        result = json.loads(data.decode("utf-8"))
+
+        # docker-credential-pass will return an object for inexistent servers
+        # whereas other helpers will exit with returncode != 0. For
+        # consistency, if no significant data is returned,
+        # raise CredentialsNotFound
+        if result["Username"] == "" and result["Secret"] == "":
+            raise errors.CredentialsNotFound(
+                f"No matching credentials in {self.program}"
+            )
+
+        return result
+
+    def store(self, server: str, username: str, secret: str) -> bytes:
+        """Store credentials for `server`. Raises a `StoreError` if an error
+        occurs.
+        """
+        data_input = json.dumps(
+            {"ServerURL": server, "Username": username, "Secret": secret}
+        ).encode("utf-8")
+        return self._execute("store", data_input)
+
+    def erase(self, server: str | bytes) -> None:
+        """Erase credentials for `server`. Raises a `StoreError` if an error
+        occurs.
+        """
+        if not isinstance(server, bytes):
+            server = server.encode("utf-8")
+        self._execute("erase", server)
+
+    def list(self) -> t.Any:
+        """List stored credentials. Requires v0.4.0+ of the helper."""
+        data = self._execute("list", None)
+        return json.loads(data.decode("utf-8"))
+
+    def _execute(self, subcmd: str, data_input: bytes | None) -> bytes:
+        if self.exe is None:
+            raise errors.StoreError(
+                f"{self.program} not installed or not available in PATH"
+            )
+        output = None
+        env = create_environment_dict(self.environment)
+        try:
+            output = subprocess.check_output(
+                [self.exe, subcmd],
+                input=data_input,
+                env=env,
+            )
+        except subprocess.CalledProcessError as e:
+            raise errors.process_store_error(e, self.program) from e
+        except OSError as e:
+            if e.errno == errno.ENOENT:
+                raise errors.StoreError(
+                    f"{self.program} not installed or not available in PATH"
+                ) from e
+            raise errors.StoreError(
+                f'Unexpected OS error "{e.strerror}", errno={e.errno}'
+            ) from e
+        return output
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/credentials/utils.py b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/utils.py
new file mode 100644
index 00000000..ff63d5df
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/credentials/utils.py
@@ -0,0 +1,35 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import os
+from shutil import which
+
+
+def find_executable(executable: str, path: str | None = None) -> str | None:
+    """
+    As distutils.spawn.find_executable, but on Windows, look up
+    every extension declared in PATHEXT instead of just `.exe`
+    """
+    # shutil.which() already uses PATHEXT on Windows, so on
+    # Python 3 we can simply use shutil.which() in all cases.
+    # (https://github.com/docker/docker-py/commit/42789818bed5d86b487a030e2e60b02bf0cfa284)
+    return which(executable, path=path)
+
+
+def create_environment_dict(overrides: dict[str, str] | None) -> dict[str, str]:
+    """
+    Create and return a copy of os.environ with the specified overrides
+    """
+    result = os.environ.copy()
+    result.update(overrides or {})
+    return result
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/errors.py b/ansible_collections/community/docker/plugins/module_utils/_api/errors.py
new file mode 100644
index 00000000..c45928aa
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/errors.py
@@ -0,0 +1,244 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ._import_helper import HTTPError as _HTTPError
+
+if t.TYPE_CHECKING:
+    from requests import Response
+
+
+class DockerException(Exception):
+    """
+    A base class from which all other exceptions inherit.
+
+    If you want to catch all errors that the Docker SDK might raise,
+    catch this base exception.
+    """
+
+
+def create_api_error_from_http_exception(e: _HTTPError) -> t.NoReturn:
+    """
+    Create a suitable APIError from requests.exceptions.HTTPError.
+    """
+    response = e.response
+    try:
+        explanation = response.json()["message"]
+    except ValueError:
+        explanation = to_text((response.content or "").strip())
+    cls = APIError
+    if response.status_code == 404:
+        if explanation and (
+            "No such image" in str(explanation)
+            or "not found: does not exist or no pull access" in str(explanation)
+            or "repository does not exist" in str(explanation)
+        ):
+            cls = ImageNotFound
+        else:
+            cls = NotFound
+    raise cls(e, response=response, explanation=explanation) from e
+
+
+class APIError(_HTTPError, DockerException):
+    """
+    An HTTP error from the API.
+    """
+
+    def __init__(
+        self,
+        message: str | Exception,
+        response: Response | None = None,
+        explanation: str | None = None,
+    ) -> None:
+        # requests 1.2 supports response as a keyword argument, but
+        # requests 1.1 does not
+        super().__init__(message)
+        self.response = response
+        self.explanation = explanation or ""
+
+    def __str__(self) -> str:
+        message = super().__str__()
+
+        if self.is_client_error():
+            message = f"{self.response.status_code} Client Error for {self.response.url}: {self.response.reason}"
+
+        elif self.is_server_error():
+            message = f"{self.response.status_code} Server Error for {self.response.url}: {self.response.reason}"
+
+        if self.explanation:
+            message = f'{message} ("{self.explanation}")'
+
+        return message
+
+    @property
+    def status_code(self) -> int | None:
+        if self.response is not None:
+            return self.response.status_code
+        return None
+
+    def is_error(self) -> bool:
+        return self.is_client_error() or self.is_server_error()
+
+    def is_client_error(self) -> bool:
+        if self.status_code is None:
+            return False
+        return 400 <= self.status_code < 500
+
+    def is_server_error(self) -> bool:
+        if self.status_code is None:
+            return False
+        return 500 <= self.status_code < 600
+
+
+class NotFound(APIError):
+    pass
+
+
+class ImageNotFound(NotFound):
+    pass
+
+
+class InvalidVersion(DockerException):
+    pass
+
+
+class InvalidRepository(DockerException):
+    pass
+
+
+class InvalidConfigFile(DockerException):
+    pass
+
+
+class InvalidArgument(DockerException):
+    pass
+
+
+class DeprecatedMethod(DockerException):
+    pass
+
+
+class TLSParameterError(DockerException):
+    def __init__(self, msg: str) -> None:
+        self.msg = msg
+
+    def __str__(self) -> str:
+        return self.msg + (
+            ". TLS configurations should map the Docker CLI "
+            "client configurations. See "
+            "https://docs.docker.com/engine/articles/https/ "
+            "for API details."
+        )
+
+
+class NullResource(DockerException, ValueError):
+    pass
+
+
+class ContainerError(DockerException):
+    """
+    Represents a container that has exited with a non-zero exit code.
+    """
+
+    def __init__(
+        self,
+        container: str,
+        exit_status: int,
+        command: list[str],
+        image: str,
+        stderr: str | None,
+    ):
+        self.container = container
+        self.exit_status = exit_status
+        self.command = command
+        self.image = image
+        self.stderr = stderr
+
+        err = f": {stderr}" if stderr is not None else ""
+        msg = f"Command '{command}' in image '{image}' returned non-zero exit status {exit_status}{err}"
+
+        super().__init__(msg)
+
+
+class StreamParseError(RuntimeError):
+    def __init__(self, reason: Exception) -> None:
+        self.msg = reason
+
+
+class BuildError(DockerException):
+    def __init__(self, reason: str, build_log: str) -> None:
+        super().__init__(reason)
+        self.msg = reason
+        self.build_log = build_log
+
+
+class ImageLoadError(DockerException):
+    pass
+
+
+def create_unexpected_kwargs_error(name: str, kwargs: dict[str, t.Any]) -> TypeError:
+    quoted_kwargs = [f"'{k}'" for k in sorted(kwargs)]
+    text = [f"{name}() "]
+    if len(quoted_kwargs) == 1:
+        text.append("got an unexpected keyword argument ")
+    else:
+        text.append("got unexpected keyword arguments ")
+    text.append(", ".join(quoted_kwargs))
+    return TypeError("".join(text))
+
+
+class MissingContextParameter(DockerException):
+    def __init__(self, param: str) -> None:
+        self.param = param
+
+    def __str__(self) -> str:
+        return f"missing parameter: {self.param}"
+
+
+class ContextAlreadyExists(DockerException):
+    def __init__(self, name: str) -> None:
+        self.name = name
+
+    def __str__(self) -> str:
+        return f"context {self.name} already exists"
+
+
+class ContextException(DockerException):
+    def __init__(self, msg: str) -> None:
+        self.msg = msg
+
+    def __str__(self) -> str:
+        return self.msg
+
+
+class ContextNotFound(DockerException):
+    def __init__(self, name: str) -> None:
+        self.name = name
+
+    def __str__(self) -> str:
+        return f"context '{self.name}' not found"
+
+
+class MissingRequirementException(DockerException):
+    def __init__(
+        self, msg: str, requirement: str, import_exception: ImportError | str
+    ) -> None:
+        self.msg = msg
+        self.requirement = requirement
+        self.import_exception = import_exception
+
+    def __str__(self) -> str:
+        return self.msg
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/tls.py b/ansible_collections/community/docker/plugins/module_utils/_api/tls.py
new file mode 100644
index 00000000..742689d9
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/tls.py
@@ -0,0 +1,107 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import os
+import typing as t
+
+from . import errors
+from .transport.ssladapter import SSLHTTPAdapter
+
+if t.TYPE_CHECKING:
+    from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+        APIClient,
+    )
+
+
+class TLSConfig:
+    """
+    TLS configuration.
+
+    Args:
+        client_cert (tuple of str): Path to client cert, path to client key.
+        ca_cert (str): Path to CA cert file.
+        verify (bool or str): This can be ``False`` or a path to a CA cert
+            file.
+        assert_hostname (bool): Verify the hostname of the server.
+
+    .. _`SSL version`:
+        https://docs.python.org/3.5/library/ssl.html#ssl.PROTOCOL_TLSv1
+    """
+
+    cert: tuple[str, str] | None = None
+    ca_cert: str | None = None
+    verify: bool | None = None
+
+    def __init__(
+        self,
+        client_cert: tuple[str, str] | None = None,
+        ca_cert: str | None = None,
+        verify: bool | None = None,
+        assert_hostname: bool | None = None,
+    ):
+        # Argument compatibility/mapping with
+        # https://docs.docker.com/engine/articles/https/
+        # This diverges from the Docker CLI in that users can specify 'tls'
+        # here, but also disable any public/default CA pool verification by
+        # leaving verify=False
+
+        self.assert_hostname = assert_hostname
+
+        # "client_cert" must have both or neither cert/key files. In
+        # either case, Alert the user when both are expected, but any are
+        # missing.
+
+        if client_cert:
+            try:
+                tls_cert, tls_key = client_cert
+            except ValueError:
+                raise errors.TLSParameterError(
+                    "client_cert must be a tuple of (client certificate, key file)"
+                ) from None
+
+            if not (tls_cert and tls_key) or (
+                not os.path.isfile(tls_cert) or not os.path.isfile(tls_key)
+            ):
+                raise errors.TLSParameterError(
+                    "Path to a certificate and key files must be provided"
+                    " through the client_cert param"
+                )
+            self.cert = (tls_cert, tls_key)
+
+        # If verify is set, make sure the cert exists
+        self.verify = verify
+        self.ca_cert = ca_cert
+        if self.verify and self.ca_cert and not os.path.isfile(self.ca_cert):
+            raise errors.TLSParameterError(
+                "Invalid CA certificate provided for `ca_cert`."
+            )
+
+    def configure_client(self, client: APIClient) -> None:
+        """
+        Configure a client with these TLS options.
+        """
+
+        if self.verify and self.ca_cert:
+            client.verify = self.ca_cert
+        else:
+            client.verify = self.verify
+
+        if self.cert:
+            client.cert = self.cert
+
+        client.mount(
+            "https://",
+            SSLHTTPAdapter(
+                assert_hostname=self.assert_hostname,
+            ),
+        )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/basehttpadapter.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/basehttpadapter.py
new file mode 100644
index 00000000..53dc5e3e
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/basehttpadapter.py
@@ -0,0 +1,35 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+from .._import_helper import HTTPAdapter as _HTTPAdapter
+
+
+class BaseHTTPAdapter(_HTTPAdapter):
+    def close(self) -> None:
+        # pylint finds our HTTPAdapter stub instead of requests.adapters.HTTPAdapter:
+        # pylint: disable-next=no-member
+        super().close()
+        if hasattr(self, "pools"):
+            self.pools.clear()
+
+    # Hotfix for requests 2.32.0 and 2.32.1: its commit
+    # https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
+    # changes requests.adapters.HTTPAdapter to no longer call get_connection() from
+    # send(), but instead call _get_connection().
+    def _get_connection(self, request, *args, **kwargs):  # type: ignore
+        return self.get_connection(request.url, kwargs.get("proxies"))
+
+    # Fix for requests 2.32.2+:
+    # https://github.com/psf/requests/commit/c98e4d133ef29c46a9b68cd783087218a8075e05
+    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):  # type: ignore
+        return self.get_connection(request.url, proxies)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipeconn.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipeconn.py
new file mode 100644
index 00000000..f2e5931f
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipeconn.py
@@ -0,0 +1,123 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+from queue import Empty
+
+from .. import constants
+from .._import_helper import HTTPAdapter, urllib3, urllib3_connection
+from .basehttpadapter import BaseHTTPAdapter
+from .npipesocket import NpipeSocket
+
+if t.TYPE_CHECKING:
+    from collections.abc import Mapping
+
+    from requests import PreparedRequest
+
+
+RecentlyUsedContainer = urllib3._collections.RecentlyUsedContainer
+
+
+class NpipeHTTPConnection(urllib3_connection.HTTPConnection):
+    def __init__(self, npipe_path: str, timeout: int | float = 60) -> None:
+        super().__init__("localhost", timeout=timeout)
+        self.npipe_path = npipe_path
+        self.timeout = timeout
+
+    def connect(self) -> None:
+        sock = NpipeSocket()
+        sock.settimeout(self.timeout)
+        sock.connect(self.npipe_path)
+        self.sock = sock
+
+
+class NpipeHTTPConnectionPool(urllib3.connectionpool.HTTPConnectionPool):
+    def __init__(
+        self, npipe_path: str, timeout: int | float = 60, maxsize: int = 10
+    ) -> None:
+        super().__init__("localhost", timeout=timeout, maxsize=maxsize)
+        self.npipe_path = npipe_path
+        self.timeout = timeout
+
+    def _new_conn(self) -> NpipeHTTPConnection:
+        return NpipeHTTPConnection(self.npipe_path, self.timeout)
+
+    # When re-using connections, urllib3 tries to call select() on our
+    # NpipeSocket instance, causing a crash. To circumvent this, we override
+    # _get_conn, where that check happens.
+    def _get_conn(self, timeout: int | float) -> NpipeHTTPConnection:
+        conn = None
+        try:
+            conn = self.pool.get(block=self.block, timeout=timeout)
+
+        except AttributeError as exc:  # self.pool is None
+            raise urllib3.exceptions.ClosedPoolError(self, "Pool is closed.") from exc
+
+        except Empty as exc:
+            if self.block:
+                raise urllib3.exceptions.EmptyPoolError(
+                    self,
+                    "Pool reached maximum size and no more connections are allowed.",
+                ) from exc
+            # Oh well, we'll create a new connection then
+
+        return conn or self._new_conn()
+
+
+class NpipeHTTPAdapter(BaseHTTPAdapter):
+    __attrs__ = HTTPAdapter.__attrs__ + [
+        "npipe_path",
+        "pools",
+        "timeout",
+        "max_pool_size",
+    ]
+
+    def __init__(
+        self,
+        base_url: str,
+        timeout: int | float = 60,
+        pool_connections: int = constants.DEFAULT_NUM_POOLS,
+        max_pool_size: int = constants.DEFAULT_MAX_POOL_SIZE,
+    ) -> None:
+        self.npipe_path = base_url.replace("npipe://", "")
+        self.timeout = timeout
+        self.max_pool_size = max_pool_size
+        self.pools = RecentlyUsedContainer(
+            pool_connections, dispose_func=lambda p: p.close()
+        )
+        super().__init__()
+
+    def get_connection(
+        self, url: str | bytes, proxies: Mapping[str, str] | None = None
+    ) -> NpipeHTTPConnectionPool:
+        with self.pools.lock:
+            pool = self.pools.get(url)
+            if pool:
+                return pool
+
+            pool = NpipeHTTPConnectionPool(
+                self.npipe_path, self.timeout, maxsize=self.max_pool_size
+            )
+            self.pools[url] = pool
+
+        return pool
+
+    def request_url(
+        self, request: PreparedRequest, proxies: Mapping[str, str] | None
+    ) -> str:
+        # The select_proxy utility in requests errors out when the provided URL
+        # does not have a hostname, like is the case when using a UNIX socket.
+        # Since proxies are an irrelevant notion in the case of UNIX sockets
+        # anyway, we simply return the path URL directly.
+        # See also: https://github.com/docker/docker-sdk-python/issues/811
+        return request.path_url
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipesocket.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipesocket.py
new file mode 100644
index 00000000..b07ce23d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/npipesocket.py
@@ -0,0 +1,277 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import functools
+import io
+import time
+import traceback
+import typing as t
+
+PYWIN32_IMPORT_ERROR: str | None  # pylint: disable=invalid-name
+try:
+    import pywintypes
+    import win32api
+    import win32event
+    import win32file
+    import win32pipe
+except ImportError:
+    PYWIN32_IMPORT_ERROR = traceback.format_exc()  # pylint: disable=invalid-name
+else:
+    PYWIN32_IMPORT_ERROR = None  # pylint: disable=invalid-name
+
+if t.TYPE_CHECKING:
+    from collections.abc import Buffer, Callable
+
+    _Self = t.TypeVar("_Self")
+    _P = t.ParamSpec("_P")
+    _R = t.TypeVar("_R")
+
+
+ERROR_PIPE_BUSY = 0xE7
+SECURITY_SQOS_PRESENT = 0x100000
+SECURITY_ANONYMOUS = 0
+
+MAXIMUM_RETRY_COUNT = 10
+
+
+def check_closed(
+    f: Callable[t.Concatenate[_Self, _P], _R],
+) -> Callable[t.Concatenate[_Self, _P], _R]:
+    @functools.wraps(f)
+    def wrapped(self: _Self, *args: _P.args, **kwargs: _P.kwargs) -> _R:
+        if self._closed:  # type: ignore
+            raise RuntimeError("Can not reuse socket after connection was closed.")
+        return f(self, *args, **kwargs)
+
+    return wrapped
+
+
+class NpipeSocket:
+    """Partial implementation of the socket API over windows named pipes.
+    This implementation is only designed to be used as a client socket,
+    and server-specific methods (bind, listen, accept...) are not
+    implemented.
+    """
+
+    def __init__(self, handle: t.Any | None = None) -> None:
+        self._timeout = win32pipe.NMPWAIT_USE_DEFAULT_WAIT
+        self._handle = handle
+        self._address: str | None = None
+        self._closed = False
+        self.flags: int | None = None
+
+    def accept(self) -> t.NoReturn:
+        raise NotImplementedError()
+
+    def bind(self, address: t.Any) -> t.NoReturn:
+        raise NotImplementedError()
+
+    def close(self) -> None:
+        if self._handle is None:
+            raise ValueError("Handle not present")
+        self._handle.Close()
+        self._closed = True
+
+    @check_closed
+    def connect(self, address: str, retry_count: int = 0) -> None:
+        try:
+            handle = win32file.CreateFile(
+                address,
+                win32file.GENERIC_READ | win32file.GENERIC_WRITE,
+                0,
+                None,
+                win32file.OPEN_EXISTING,
+                (
+                    SECURITY_ANONYMOUS
+                    | SECURITY_SQOS_PRESENT
+                    | win32file.FILE_FLAG_OVERLAPPED
+                ),
+                0,
+            )
+        except win32pipe.error as e:
+            # See Remarks:
+            # https://msdn.microsoft.com/en-us/library/aa365800.aspx
+            if e.winerror == ERROR_PIPE_BUSY:
+                # Another program or thread has grabbed our pipe instance
+                # before we got to it. Wait for availability and attempt to
+                # connect again.
+                retry_count = retry_count + 1
+                if retry_count < MAXIMUM_RETRY_COUNT:
+                    time.sleep(1)
+                    return self.connect(address, retry_count)
+            raise e
+
+        self.flags = win32pipe.GetNamedPipeInfo(handle)[0]  # type: ignore
+
+        self._handle = handle
+        self._address = address
+
+    @check_closed
+    def connect_ex(self, address: str) -> None:
+        self.connect(address)
+
+    @check_closed
+    def detach(self) -> t.Any:
+        self._closed = True
+        return self._handle
+
+    @check_closed
+    def dup(self) -> NpipeSocket:
+        return NpipeSocket(self._handle)
+
+    def getpeername(self) -> str | None:
+        return self._address
+
+    def getsockname(self) -> str | None:
+        return self._address
+
+    def getsockopt(
+        self, level: t.Any, optname: t.Any, buflen: t.Any = None
+    ) -> t.NoReturn:
+        raise NotImplementedError()
+
+    def ioctl(self, control: t.Any, option: t.Any) -> t.NoReturn:
+        raise NotImplementedError()
+
+    def listen(self, backlog: t.Any) -> t.NoReturn:
+        raise NotImplementedError()
+
+    def makefile(self, mode: str, bufsize: int | None = None) -> t.IO[bytes]:
+        if mode.strip("b") != "r":
+            raise NotImplementedError()
+        rawio = NpipeFileIOBase(self)
+        if bufsize is None or bufsize <= 0:
+            bufsize = io.DEFAULT_BUFFER_SIZE
+        return io.BufferedReader(rawio, buffer_size=bufsize)
+
+    @check_closed
+    def recv(self, bufsize: int, flags: int = 0) -> str:
+        if self._handle is None:
+            raise ValueError("Handle not present")
+        dummy_err, data = win32file.ReadFile(self._handle, bufsize)
+        return data
+
+    @check_closed
+    def recvfrom(self, bufsize: int, flags: int = 0) -> tuple[str, str | None]:
+        data = self.recv(bufsize, flags)
+        return (data, self._address)
+
+    @check_closed
+    def recvfrom_into(
+        self, buf: Buffer, nbytes: int = 0, flags: int = 0
+    ) -> tuple[int, str | None]:
+        return self.recv_into(buf, nbytes), self._address
+
+    @check_closed
+    def recv_into(self, buf: Buffer, nbytes: int = 0) -> int:
+        if self._handle is None:
+            raise ValueError("Handle not present")
+        readbuf = buf if isinstance(buf, memoryview) else memoryview(buf)
+
+        event = win32event.CreateEvent(None, True, True, None)
+        try:
+            overlapped = pywintypes.OVERLAPPED()
+            overlapped.hEvent = event
+            dummy_err, dummy_data = win32file.ReadFile(  # type: ignore
+                self._handle, readbuf[:nbytes] if nbytes else readbuf, overlapped
+            )
+            wait_result = win32event.WaitForSingleObject(event, self._timeout)
+            if wait_result == win32event.WAIT_TIMEOUT:
+                win32file.CancelIo(self._handle)
+                raise TimeoutError
+            return win32file.GetOverlappedResult(self._handle, overlapped, 0)
+        finally:
+            win32api.CloseHandle(event)
+
+    @check_closed
+    def send(self, string: Buffer, flags: int = 0) -> int:
+        if self._handle is None:
+            raise ValueError("Handle not present")
+        event = win32event.CreateEvent(None, True, True, None)
+        try:
+            overlapped = pywintypes.OVERLAPPED()
+            overlapped.hEvent = event
+            win32file.WriteFile(self._handle, string, overlapped)  # type: ignore
+            wait_result = win32event.WaitForSingleObject(event, self._timeout)
+            if wait_result == win32event.WAIT_TIMEOUT:
+                win32file.CancelIo(self._handle)
+                raise TimeoutError
+            return win32file.GetOverlappedResult(self._handle, overlapped, 0)
+        finally:
+            win32api.CloseHandle(event)
+
+    @check_closed
+    def sendall(self, string: Buffer, flags: int = 0) -> int:
+        return self.send(string, flags)
+
+    @check_closed
+    def sendto(self, string: Buffer, address: str) -> int:
+        self.connect(address)
+        return self.send(string)
+
+    def setblocking(self, flag: bool) -> None:
+        if flag:
+            return self.settimeout(None)
+        return self.settimeout(0)
+
+    def settimeout(self, value: int | float | None) -> None:
+        if value is None:
+            # Blocking mode
+            self._timeout = win32event.INFINITE
+        elif not isinstance(value, (float, int)) or value < 0:
+            raise ValueError("Timeout value out of range")
+        else:
+            # Timeout mode - Value converted to milliseconds
+            self._timeout = int(value * 1000)
+
+    def gettimeout(self) -> int | float | None:
+        return self._timeout
+
+    def setsockopt(self, level: t.Any, optname: t.Any, value: t.Any) -> t.NoReturn:
+        raise NotImplementedError()
+
+    @check_closed
+    def shutdown(self, how: t.Any) -> None:
+        return self.close()
+
+
+class NpipeFileIOBase(io.RawIOBase):
+    def __init__(self, npipe_socket: NpipeSocket | None) -> None:
+        self.sock = npipe_socket
+
+    def close(self) -> None:
+        super().close()
+        self.sock = None
+
+    def fileno(self) -> int:
+        if self.sock is None:
+            raise RuntimeError("socket is closed")
+        # TODO: This is definitely a bug, NpipeSocket.fileno() does not exist!
+        return self.sock.fileno()  # type: ignore
+
+    def isatty(self) -> bool:
+        return False
+
+    def readable(self) -> bool:
+        return True
+
+    def readinto(self, buf: Buffer) -> int:
+        if self.sock is None:
+            raise RuntimeError("socket is closed")
+        return self.sock.recv_into(buf)
+
+    def seekable(self) -> bool:
+        return False
+
+    def writable(self) -> bool:
+        return False
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/sshconn.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/sshconn.py
new file mode 100644
index 00000000..80ff9d67
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/sshconn.py
@@ -0,0 +1,311 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import logging
+import os
+import signal
+import socket
+import subprocess
+import traceback
+import typing as t
+from queue import Empty
+from urllib.parse import urlparse
+
+from .. import constants
+from .._import_helper import HTTPAdapter, urllib3, urllib3_connection
+from .basehttpadapter import BaseHTTPAdapter
+
+PARAMIKO_IMPORT_ERROR: str | None  # pylint: disable=invalid-name
+try:
+    import paramiko
+except ImportError:
+    PARAMIKO_IMPORT_ERROR = traceback.format_exc()  # pylint: disable=invalid-name
+else:
+    PARAMIKO_IMPORT_ERROR = None  # pylint: disable=invalid-name
+
+if t.TYPE_CHECKING:
+    from collections.abc import Buffer, Mapping
+
+
+RecentlyUsedContainer = urllib3._collections.RecentlyUsedContainer
+
+
+class SSHSocket(socket.socket):
+    def __init__(self, host: str) -> None:
+        super().__init__(socket.AF_INET, socket.SOCK_STREAM)
+        self.host = host
+        self.port = None
+        self.user = None
+        if ":" in self.host:
+            self.host, self.port = self.host.split(":")
+        if "@" in self.host:
+            self.user, self.host = self.host.split("@")
+
+        self.proc: subprocess.Popen | None = None
+
+    def connect(self, *args_: t.Any, **kwargs: t.Any) -> None:
+        args = ["ssh"]
+        if self.user:
+            args = args + ["-l", self.user]
+
+        if self.port:
+            args = args + ["-p", self.port]
+
+        args = args + ["--", self.host, "docker system dial-stdio"]
+
+        preexec_func = None
+        if not constants.IS_WINDOWS_PLATFORM:
+
+            def f() -> None:
+                signal.signal(signal.SIGINT, signal.SIG_IGN)
+
+            preexec_func = f
+
+        env = dict(os.environ)
+
+        # drop LD_LIBRARY_PATH and SSL_CERT_FILE
+        env.pop("LD_LIBRARY_PATH", None)
+        env.pop("SSL_CERT_FILE", None)
+
+        self.proc = subprocess.Popen(  # pylint: disable=consider-using-with
+            args,
+            env=env,
+            stdout=subprocess.PIPE,
+            stdin=subprocess.PIPE,
+            preexec_fn=preexec_func,
+        )
+
+    def _write(self, data: Buffer) -> int:
+        if not self.proc:
+            raise RuntimeError(
+                "SSH subprocess not initiated. connect() must be called first."
+            )
+        assert self.proc.stdin is not None
+        if self.proc.stdin.closed:
+            raise RuntimeError(
+                "SSH subprocess not initiated. connect() must be called first after close()."
+            )
+        written = self.proc.stdin.write(data)
+        self.proc.stdin.flush()
+        return written
+
+    def sendall(self, data: Buffer, *args: t.Any, **kwargs: t.Any) -> None:
+        self._write(data)
+
+    def send(self, data: Buffer, *args: t.Any, **kwargs: t.Any) -> int:
+        return self._write(data)
+
+    def recv(self, n: int, *args: t.Any, **kwargs: t.Any) -> bytes:
+        if not self.proc:
+            raise RuntimeError(
+                "SSH subprocess not initiated. connect() must be called first."
+            )
+        assert self.proc.stdout is not None
+        return self.proc.stdout.read(n)
+
+    def makefile(self, mode: str, *args: t.Any, **kwargs: t.Any) -> t.IO:  # type: ignore
+        if not self.proc:
+            self.connect()
+            assert self.proc is not None
+        assert self.proc.stdout is not None
+        self.proc.stdout.channel = self  # type: ignore
+
+        return self.proc.stdout
+
+    def close(self) -> None:
+        if not self.proc:
+            return
+        assert self.proc.stdin is not None
+        if self.proc.stdin.closed:
+            return
+        self.proc.stdin.write(b"\n\n")
+        self.proc.stdin.flush()
+        self.proc.terminate()
+
+
+class SSHConnection(urllib3_connection.HTTPConnection):
+    def __init__(
+        self,
+        *,
+        ssh_transport: paramiko.Transport | None = None,
+        timeout: int | float = 60,
+        host: str,
+    ) -> None:
+        super().__init__("localhost", timeout=timeout)
+        self.ssh_transport = ssh_transport
+        self.timeout = timeout
+        self.ssh_host = host
+        self.sock: paramiko.Channel | SSHSocket | None = None
+
+    def connect(self) -> None:
+        if self.ssh_transport:
+            channel = self.ssh_transport.open_session()
+            channel.settimeout(self.timeout)
+            channel.exec_command("docker system dial-stdio")
+            self.sock = channel
+        else:
+            sock = SSHSocket(self.ssh_host)
+            sock.settimeout(self.timeout)
+            sock.connect()
+            self.sock = sock
+
+
+class SSHConnectionPool(urllib3.connectionpool.HTTPConnectionPool):
+    scheme = "ssh"
+
+    def __init__(
+        self,
+        *,
+        ssh_client: paramiko.SSHClient | None = None,
+        timeout: int | float = 60,
+        maxsize: int = 10,
+        host: str,
+    ) -> None:
+        super().__init__("localhost", timeout=timeout, maxsize=maxsize)
+        self.ssh_transport: paramiko.Transport | None = None
+        self.timeout = timeout
+        if ssh_client:
+            self.ssh_transport = ssh_client.get_transport()
+        self.ssh_host = host
+
+    def _new_conn(self) -> SSHConnection:
+        return SSHConnection(
+            ssh_transport=self.ssh_transport,
+            timeout=self.timeout,
+            host=self.ssh_host,
+        )
+
+    # When re-using connections, urllib3 calls fileno() on our
+    # SSH channel instance, quickly overloading our fd limit. To avoid this,
+    # we override _get_conn
+    def _get_conn(self, timeout: int | float) -> SSHConnection:
+        conn = None
+        try:
+            conn = self.pool.get(block=self.block, timeout=timeout)
+
+        except AttributeError as exc:  # self.pool is None
+            raise urllib3.exceptions.ClosedPoolError(self, "Pool is closed.") from exc
+
+        except Empty as exc:
+            if self.block:
+                raise urllib3.exceptions.EmptyPoolError(
+                    self,
+                    "Pool reached maximum size and no more connections are allowed.",
+                ) from exc
+            # Oh well, we'll create a new connection then
+
+        return conn or self._new_conn()
+
+
+class SSHHTTPAdapter(BaseHTTPAdapter):
+    __attrs__ = HTTPAdapter.__attrs__ + [
+        "pools",
+        "timeout",
+        "ssh_client",
+        "ssh_params",
+        "max_pool_size",
+    ]
+
+    def __init__(
+        self,
+        base_url: str,
+        timeout: int | float = 60,
+        pool_connections: int = constants.DEFAULT_NUM_POOLS,
+        max_pool_size: int = constants.DEFAULT_MAX_POOL_SIZE,
+        shell_out: bool = False,
+    ) -> None:
+        self.ssh_client: paramiko.SSHClient | None = None
+        if not shell_out:
+            self._create_paramiko_client(base_url)
+            self._connect()
+
+        self.ssh_host = base_url
+        if base_url.startswith("ssh://"):
+            self.ssh_host = base_url[len("ssh://") :]
+
+        self.timeout = timeout
+        self.max_pool_size = max_pool_size
+        self.pools = RecentlyUsedContainer(
+            pool_connections, dispose_func=lambda p: p.close()
+        )
+        super().__init__()
+
+    def _create_paramiko_client(self, base_url: str) -> None:
+        logging.getLogger("paramiko").setLevel(logging.WARNING)
+        self.ssh_client = paramiko.SSHClient()
+        base_url_p = urlparse(base_url)
+        assert base_url_p.hostname is not None
+        self.ssh_params: dict[str, t.Any] = {
+            "hostname": base_url_p.hostname,
+            "port": base_url_p.port,
+            "username": base_url_p.username,
+        }
+        ssh_config_file = os.path.expanduser("~/.ssh/config")
+        if os.path.exists(ssh_config_file):
+            conf = paramiko.SSHConfig()
+            with open(ssh_config_file, "rt", encoding="utf-8") as f:
+                conf.parse(f)
+            host_config = conf.lookup(base_url_p.hostname)
+            if "proxycommand" in host_config:
+                self.ssh_params["sock"] = paramiko.ProxyCommand(
+                    host_config["proxycommand"]
+                )
+            if "hostname" in host_config:
+                self.ssh_params["hostname"] = host_config["hostname"]
+            if base_url_p.port is None and "port" in host_config:
+                self.ssh_params["port"] = host_config["port"]
+            if base_url_p.username is None and "user" in host_config:
+                self.ssh_params["username"] = host_config["user"]
+            if "identityfile" in host_config:
+                self.ssh_params["key_filename"] = host_config["identityfile"]
+
+        self.ssh_client.load_system_host_keys()
+        self.ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())
+
+    def _connect(self) -> None:
+        if self.ssh_client:
+            self.ssh_client.connect(**self.ssh_params)
+
+    def get_connection(
+        self, url: str | bytes, proxies: Mapping[str, str] | None = None
+    ) -> SSHConnectionPool:
+        if not self.ssh_client:
+            return SSHConnectionPool(
+                ssh_client=self.ssh_client,
+                timeout=self.timeout,
+                maxsize=self.max_pool_size,
+                host=self.ssh_host,
+            )
+        with self.pools.lock:
+            pool = self.pools.get(url)
+            if pool:
+                return pool
+
+            # Connection is closed try a reconnect
+            if self.ssh_client and not self.ssh_client.get_transport():
+                self._connect()
+
+            pool = SSHConnectionPool(
+                ssh_client=self.ssh_client,
+                timeout=self.timeout,
+                maxsize=self.max_pool_size,
+                host=self.ssh_host,
+            )
+            self.pools[url] = pool
+
+        return pool
+
+    def close(self) -> None:
+        super().close()
+        if self.ssh_client:
+            self.ssh_client.close()
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/ssladapter.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/ssladapter.py
new file mode 100644
index 00000000..4993cc55
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/ssladapter.py
@@ -0,0 +1,71 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from .._import_helper import HTTPAdapter, urllib3
+from .basehttpadapter import BaseHTTPAdapter
+
+# Resolves OpenSSL issues in some servers:
+#   https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/
+#   https://github.com/kennethreitz/requests/pull/799
+
+
+PoolManager = urllib3.poolmanager.PoolManager
+
+
+class SSLHTTPAdapter(BaseHTTPAdapter):
+    """An HTTPS Transport Adapter that uses an arbitrary SSL version."""
+
+    __attrs__ = HTTPAdapter.__attrs__ + ["assert_hostname"]
+
+    def __init__(
+        self,
+        assert_hostname: bool | None = None,
+        **kwargs: t.Any,
+    ) -> None:
+        self.assert_hostname = assert_hostname
+        super().__init__(**kwargs)
+
+    def init_poolmanager(
+        self, connections: int, maxsize: int, block: bool = False, **kwargs: t.Any
+    ) -> None:
+        kwargs = {
+            "num_pools": connections,
+            "maxsize": maxsize,
+            "block": block,
+        }
+        if self.assert_hostname is not None:
+            kwargs["assert_hostname"] = self.assert_hostname
+
+        self.poolmanager = PoolManager(**kwargs)
+
+    def get_connection(self, *args: t.Any, **kwargs: t.Any) -> urllib3.ConnectionPool:
+        """
+        Ensure assert_hostname is set correctly on our pool
+
+        We already take care of a normal poolmanager via init_poolmanager
+
+        But we still need to take care of when there is a proxy poolmanager
+
+        Note that this method is no longer called for newer requests versions.
+        """
+        # pylint finds our HTTPAdapter stub instead of requests.adapters.HTTPAdapter:
+        # pylint: disable-next=no-member
+        conn = super().get_connection(*args, **kwargs)
+        if (
+            self.assert_hostname is not None
+            and conn.assert_hostname != self.assert_hostname  # type: ignore
+        ):
+            conn.assert_hostname = self.assert_hostname  # type: ignore
+        return conn
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/transport/unixconn.py b/ansible_collections/community/docker/plugins/module_utils/_api/transport/unixconn.py
new file mode 100644
index 00000000..58c6d728
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/transport/unixconn.py
@@ -0,0 +1,126 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import socket
+import typing as t
+
+from .. import constants
+from .._import_helper import HTTPAdapter, urllib3, urllib3_connection
+from .basehttpadapter import BaseHTTPAdapter
+
+if t.TYPE_CHECKING:
+    from collections.abc import Mapping
+
+    from requests import PreparedRequest
+
+    from ..._socket_helper import SocketLike
+
+
+RecentlyUsedContainer = urllib3._collections.RecentlyUsedContainer
+
+
+class UnixHTTPConnection(urllib3_connection.HTTPConnection):
+    def __init__(
+        self, base_url: str | bytes, unix_socket: str, timeout: int | float = 60
+    ) -> None:
+        super().__init__("localhost", timeout=timeout)
+        self.base_url = base_url
+        self.unix_socket = unix_socket
+        self.timeout = timeout
+        self.disable_buffering = False
+
+    def connect(self) -> None:
+        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        sock.settimeout(self.timeout)
+        sock.connect(self.unix_socket)
+        self.sock = sock
+
+    def putheader(self, header: str, *values: str) -> None:
+        super().putheader(header, *values)
+        if header == "Connection" and "Upgrade" in values:
+            self.disable_buffering = True
+
+    def response_class(self, sock: SocketLike, *args: t.Any, **kwargs: t.Any) -> t.Any:
+        # FIXME: We may need to disable buffering on Py3,
+        # but there's no clear way to do it at the moment. See:
+        # https://github.com/docker/docker-py/issues/1799
+        return super().response_class(sock, *args, **kwargs)
+
+
+class UnixHTTPConnectionPool(urllib3.connectionpool.HTTPConnectionPool):
+    def __init__(
+        self,
+        base_url: str | bytes,
+        socket_path: str,
+        timeout: int | float = 60,
+        maxsize: int = 10,
+    ) -> None:
+        super().__init__("localhost", timeout=timeout, maxsize=maxsize)
+        self.base_url = base_url
+        self.socket_path = socket_path
+        self.timeout = timeout
+
+    def _new_conn(self) -> UnixHTTPConnection:
+        return UnixHTTPConnection(self.base_url, self.socket_path, self.timeout)
+
+
+class UnixHTTPAdapter(BaseHTTPAdapter):
+    __attrs__ = HTTPAdapter.__attrs__ + [
+        "pools",
+        "socket_path",
+        "timeout",
+        "max_pool_size",
+    ]
+
+    def __init__(
+        self,
+        socket_url: str,
+        timeout: int | float = 60,
+        pool_connections: int = constants.DEFAULT_NUM_POOLS,
+        max_pool_size: int = constants.DEFAULT_MAX_POOL_SIZE,
+    ) -> None:
+        socket_path = socket_url.replace("http+unix://", "")
+        if not socket_path.startswith("/"):
+            socket_path = "/" + socket_path
+        self.socket_path = socket_path
+        self.timeout = timeout
+        self.max_pool_size = max_pool_size
+
+        def f(p: t.Any) -> None:
+            p.close()
+
+        self.pools = RecentlyUsedContainer(pool_connections, dispose_func=f)
+        super().__init__()
+
+    def get_connection(
+        self, url: str | bytes, proxies: Mapping[str, str] | None = None
+    ) -> UnixHTTPConnectionPool:
+        with self.pools.lock:
+            pool = self.pools.get(url)
+            if pool:
+                return pool
+
+            pool = UnixHTTPConnectionPool(
+                url, self.socket_path, self.timeout, maxsize=self.max_pool_size
+            )
+            self.pools[url] = pool
+
+        return pool
+
+    def request_url(self, request: PreparedRequest, proxies: Mapping[str, str]) -> str:
+        # The select_proxy utility in requests errors out when the provided URL
+        # does not have a hostname, like is the case when using a UNIX socket.
+        # Since proxies are an irrelevant notion in the case of UNIX sockets
+        # anyway, we simply return the path URL directly.
+        # See also: https://github.com/docker/docker-py/issues/811
+        return request.path_url
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/types/daemon.py b/ansible_collections/community/docker/plugins/module_utils/_api/types/daemon.py
new file mode 100644
index 00000000..fe50ae47
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/types/daemon.py
@@ -0,0 +1,90 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import socket
+import typing as t
+
+from .._import_helper import urllib3
+from ..errors import DockerException
+
+if t.TYPE_CHECKING:
+    from requests import Response
+
+_T = t.TypeVar("_T")
+
+
+class CancellableStream(t.Generic[_T]):
+    """
+    Stream wrapper for real-time events, logs, etc. from the server.
+
+    Example:
+        >>> events = client.events()
+        >>> for event in events:
+        ...   print(event)
+        >>> # and cancel from another thread
+        >>> events.close()
+    """
+
+    def __init__(self, stream: t.Generator[_T], response: Response) -> None:
+        self._stream = stream
+        self._response = response
+
+    def __iter__(self) -> t.Self:
+        return self
+
+    def __next__(self) -> _T:
+        try:
+            return next(self._stream)
+        except urllib3.exceptions.ProtocolError as exc:
+            raise StopIteration from exc
+        except socket.error as exc:
+            raise StopIteration from exc
+
+    next = __next__
+
+    def close(self) -> None:
+        """
+        Closes the event streaming.
+        """
+
+        if not self._response.raw.closed:
+            # find the underlying socket object
+            # based on api.client._get_raw_response_socket
+
+            sock_fp = self._response.raw._fp.fp  # type: ignore
+
+            if hasattr(sock_fp, "raw"):
+                sock_raw = sock_fp.raw
+
+                if hasattr(sock_raw, "sock"):
+                    sock = sock_raw.sock
+
+                elif hasattr(sock_raw, "_sock"):
+                    sock = sock_raw._sock
+
+            elif hasattr(sock_fp, "channel"):
+                # We are working with a paramiko (SSH) channel, which does not
+                # support cancelable streams with the current implementation
+                raise DockerException(
+                    "Cancellable streams not supported for the SSH protocol"
+                )
+            else:
+                sock = sock_fp._sock  # type: ignore
+
+            if hasattr(urllib3.contrib, "pyopenssl") and isinstance(
+                sock, urllib3.contrib.pyopenssl.WrappedSocket
+            ):
+                sock = sock.socket
+
+            sock.shutdown(socket.SHUT_RDWR)
+            sock.close()
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/build.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/build.py
new file mode 100644
index 00000000..0f6a3d56
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/build.py
@@ -0,0 +1,310 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import io
+import os
+import random
+import re
+import tarfile
+import tempfile
+import typing as t
+
+from ..constants import IS_WINDOWS_PLATFORM, WINDOWS_LONGPATH_PREFIX
+from . import fnmatch
+
+if t.TYPE_CHECKING:
+    from collections.abc import Sequence
+
+
+_SEP = re.compile("/|\\\\") if IS_WINDOWS_PLATFORM else re.compile("/")
+
+
+def tar(
+    path: str,
+    exclude: list[str] | None = None,
+    dockerfile: tuple[str, str | None] | tuple[None, None] | None = None,
+    fileobj: t.IO[bytes] | None = None,
+    gzip: bool = False,
+) -> t.IO[bytes]:
+    root = os.path.abspath(path)
+    exclude = exclude or []
+    dockerfile = dockerfile or (None, None)
+    extra_files: list[tuple[str, str]] = []
+    if dockerfile[1] is not None:
+        assert dockerfile[0] is not None
+        dockerignore_contents = "\n".join(
+            (exclude or [".dockerignore"]) + [dockerfile[0]]
+        )
+        extra_files = [
+            (".dockerignore", dockerignore_contents),
+            dockerfile,  # type: ignore
+        ]
+    return create_archive(
+        files=sorted(exclude_paths(root, exclude, dockerfile=dockerfile[0])),
+        root=root,
+        fileobj=fileobj,
+        gzip=gzip,
+        extra_files=extra_files,
+    )
+
+
+def exclude_paths(
+    root: str, patterns: list[str], dockerfile: str | None = None
+) -> set[str]:
+    """
+    Given a root directory path and a list of .dockerignore patterns, return
+    an iterator of all paths (both regular files and directories) in the root
+    directory that do *not* match any of the patterns.
+
+    All paths returned are relative to the root.
+    """
+
+    if dockerfile is None:
+        dockerfile = "Dockerfile"
+
+    patterns.append("!" + dockerfile)
+    pm = PatternMatcher(patterns)
+    return set(pm.walk(root))
+
+
+def build_file_list(root: str) -> list[str]:
+    files = []
+    for dirname, dirnames, fnames in os.walk(root):
+        for filename in fnames + dirnames:
+            longpath = os.path.join(dirname, filename)
+            files.append(longpath.replace(root, "", 1).lstrip("/"))
+
+    return files
+
+
+def create_archive(
+    root: str,
+    files: Sequence[str] | None = None,
+    fileobj: t.IO[bytes] | None = None,
+    gzip: bool = False,
+    extra_files: Sequence[tuple[str, str]] | None = None,
+) -> t.IO[bytes]:
+    extra_files = extra_files or []
+    if not fileobj:
+        # pylint: disable-next=consider-using-with
+        fileobj = tempfile.NamedTemporaryFile()  # noqa: SIM115
+
+    with tarfile.open(mode="w:gz" if gzip else "w", fileobj=fileobj) as tarf:
+        if files is None:
+            files = build_file_list(root)
+        extra_names = set(e[0] for e in extra_files)
+        for path in files:
+            if path in extra_names:
+                # Extra files override context files with the same name
+                continue
+            full_path = os.path.join(root, path)
+
+            i = tarf.gettarinfo(full_path, arcname=path)
+            if i is None:
+                # This happens when we encounter a socket file. We can safely
+                # ignore it and proceed.
+                continue  # type: ignore
+
+            # Workaround https://bugs.python.org/issue32713
+            if i.mtime < 0 or i.mtime > 8**11 - 1:
+                i.mtime = int(i.mtime)
+
+            if IS_WINDOWS_PLATFORM:
+                # Windows does not keep track of the execute bit, so we make files
+                # and directories executable by default.
+                i.mode = i.mode & 0o755 | 0o111
+
+            if i.isfile():
+                try:
+                    with open(full_path, "rb") as f:
+                        tarf.addfile(i, f)
+                except IOError as exc:
+                    raise IOError(f"Can not read file in context: {full_path}") from exc
+            else:
+                # Directories, FIFOs, symlinks... do not need to be read.
+                tarf.addfile(i, None)
+
+        for name, contents in extra_files:
+            info = tarfile.TarInfo(name)
+            contents_encoded = contents.encode("utf-8")
+            info.size = len(contents_encoded)
+            tarf.addfile(info, io.BytesIO(contents_encoded))
+
+    fileobj.seek(0)
+    return fileobj
+
+
+def mkbuildcontext(dockerfile: io.BytesIO | t.IO[bytes]) -> t.IO[bytes]:
+    # pylint: disable-next=consider-using-with
+    f = tempfile.NamedTemporaryFile()  # noqa: SIM115
+    try:
+        with tarfile.open(mode="w", fileobj=f) as tarf:
+            if isinstance(dockerfile, io.StringIO):  # type: ignore
+                raise TypeError("Please use io.BytesIO to create in-memory Dockerfiles")
+            if isinstance(dockerfile, io.BytesIO):
+                dfinfo = tarfile.TarInfo("Dockerfile")
+                dfinfo.size = len(dockerfile.getvalue())
+                dockerfile.seek(0)
+            else:
+                dfinfo = tarf.gettarinfo(fileobj=dockerfile, arcname="Dockerfile")
+            tarf.addfile(dfinfo, dockerfile)
+        f.seek(0)
+    except Exception:  # noqa: E722
+        f.close()
+        raise
+    return f
+
+
+def split_path(p: str) -> list[str]:
+    return [pt for pt in re.split(_SEP, p) if pt and pt != "."]
+
+
+def normalize_slashes(p: str) -> str:
+    if IS_WINDOWS_PLATFORM:
+        return "/".join(split_path(p))
+    return p
+
+
+def walk(root: str, patterns: Sequence[str], default: bool = True) -> t.Generator[str]:
+    pm = PatternMatcher(patterns)
+    return pm.walk(root)
+
+
+# Heavily based on
+# https://github.com/moby/moby/blob/master/pkg/fileutils/fileutils.go
+class PatternMatcher:
+    def __init__(self, patterns: Sequence[str]) -> None:
+        self.patterns = list(filter(lambda p: p.dirs, [Pattern(p) for p in patterns]))
+        self.patterns.append(Pattern("!.dockerignore"))
+
+    def matches(self, filepath: str) -> bool:
+        matched = False
+        parent_path = os.path.dirname(filepath)
+        parent_path_dirs = split_path(parent_path)
+
+        for pattern in self.patterns:
+            negative = pattern.exclusion
+            match = pattern.match(filepath)
+            if (
+                not match
+                and parent_path != ""
+                and len(pattern.dirs) <= len(parent_path_dirs)
+            ):
+                match = pattern.match(
+                    os.path.sep.join(parent_path_dirs[: len(pattern.dirs)])
+                )
+
+            if match:
+                matched = not negative
+
+        return matched
+
+    def walk(self, root: str) -> t.Generator[str]:
+        def rec_walk(current_dir: str) -> t.Generator[str]:
+            for f in os.listdir(current_dir):
+                fpath = os.path.join(os.path.relpath(current_dir, root), f)
+                if fpath.startswith("." + os.path.sep):
+                    fpath = fpath[2:]
+                match = self.matches(fpath)
+                if not match:
+                    yield fpath
+
+                cur = os.path.join(root, fpath)
+                if not os.path.isdir(cur) or os.path.islink(cur):
+                    continue
+
+                if match:
+                    # If we want to skip this file and it is a directory
+                    # then we should first check to see if there's an
+                    # excludes pattern (e.g. !dir/file) that starts with this
+                    # dir. If so then we cannot skip this dir.
+                    skip = True
+
+                    for pat in self.patterns:
+                        if not pat.exclusion:
+                            continue
+                        if pat.cleaned_pattern.startswith(normalize_slashes(fpath)):
+                            skip = False
+                            break
+                    if skip:
+                        continue
+                yield from rec_walk(cur)
+
+        return rec_walk(root)
+
+
+class Pattern:
+    def __init__(self, pattern_str: str) -> None:
+        self.exclusion = False
+        if pattern_str.startswith("!"):
+            self.exclusion = True
+            pattern_str = pattern_str[1:]
+
+        self.dirs = self.normalize(pattern_str)
+        self.cleaned_pattern = "/".join(self.dirs)
+
+    @classmethod
+    def normalize(cls, p: str) -> list[str]:
+        # Remove trailing spaces
+        p = p.strip()
+
+        # Leading and trailing slashes are not relevant. Yes,
+        # "foo.py/" must exclude the "foo.py" regular file. "."
+        # components are not relevant either, even if the whole
+        # pattern is only ".", as the Docker reference states: "For
+        # historical reasons, the pattern . is ignored."
+        # ".." component must be cleared with the potential previous
+        # component, regardless of whether it exists: "A preprocessing
+        # step [...]  eliminates . and .. elements using Go's
+        # filepath.".
+        i = 0
+        split = split_path(p)
+        while i < len(split):
+            if split[i] == "..":
+                del split[i]
+                if i > 0:
+                    del split[i - 1]
+                    i -= 1
+            else:
+                i += 1
+        return split
+
+    def match(self, filepath: str) -> bool:
+        return fnmatch.fnmatch(normalize_slashes(filepath), self.cleaned_pattern)
+
+
+def process_dockerfile(
+    dockerfile: str | None, path: str
+) -> tuple[str, str | None] | tuple[None, None]:
+    if not dockerfile:
+        return (None, None)
+
+    abs_dockerfile = dockerfile
+    if not os.path.isabs(dockerfile):
+        abs_dockerfile = os.path.join(path, dockerfile)
+        if IS_WINDOWS_PLATFORM and path.startswith(WINDOWS_LONGPATH_PREFIX):
+            abs_dockerfile = f"{WINDOWS_LONGPATH_PREFIX}{os.path.normpath(abs_dockerfile[len(WINDOWS_LONGPATH_PREFIX) :])}"
+    if os.path.splitdrive(path)[0] != os.path.splitdrive(abs_dockerfile)[
+        0
+    ] or os.path.relpath(abs_dockerfile, path).startswith(".."):
+        # Dockerfile not in context - read data to insert into tar later
+        with open(abs_dockerfile, "rt", encoding="utf-8") as df:
+            return (f".dockerfile.{random.getrandbits(160):x}", df.read())
+
+    # Dockerfile is inside the context - return path relative to context root
+    if dockerfile == abs_dockerfile:
+        # Only calculate relpath if necessary to avoid errors
+        # on Windows client -> Linux Docker
+        # see https://github.com/docker/compose/issues/5969
+        dockerfile = os.path.relpath(abs_dockerfile, path)
+    return (dockerfile, None)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/config.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/config.py
new file mode 100644
index 00000000..ac52e8d1
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/config.py
@@ -0,0 +1,89 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import typing as t
+
+from ..constants import IS_WINDOWS_PLATFORM
+
+DOCKER_CONFIG_FILENAME = os.path.join(".docker", "config.json")
+LEGACY_DOCKER_CONFIG_FILENAME = ".dockercfg"
+
+log = logging.getLogger(__name__)
+
+
+def get_default_config_file() -> str:
+    return os.path.join(home_dir(), DOCKER_CONFIG_FILENAME)
+
+
+def find_config_file(config_path: str | None = None) -> str | None:
+    homedir = home_dir()
+    paths = list(
+        filter(
+            None,
+            [
+                config_path,  # 1
+                config_path_from_environment(),  # 2
+                os.path.join(homedir, DOCKER_CONFIG_FILENAME),  # 3
+                os.path.join(homedir, LEGACY_DOCKER_CONFIG_FILENAME),  # 4
+            ],
+        )
+    )
+
+    log.debug("Trying paths: %s", repr(paths))
+
+    for path in paths:
+        if os.path.exists(path):
+            log.debug("Found file at path: %s", path)
+            return path
+
+    log.debug("No config file found")
+
+    return None
+
+
+def config_path_from_environment() -> str | None:
+    config_dir = os.environ.get("DOCKER_CONFIG")
+    if not config_dir:
+        return None
+    return os.path.join(config_dir, os.path.basename(DOCKER_CONFIG_FILENAME))
+
+
+def home_dir() -> str:
+    """
+    Get the user's home directory, using the same logic as the Docker Engine
+    client - use %USERPROFILE% on Windows, $HOME/getuid on POSIX.
+    """
+    if IS_WINDOWS_PLATFORM:
+        return os.environ.get("USERPROFILE", "")
+    return os.path.expanduser("~")
+
+
+def load_general_config(config_path: str | None = None) -> dict[str, t.Any]:
+    config_file = find_config_file(config_path)
+
+    if not config_file:
+        return {}
+
+    try:
+        with open(config_file, "rt", encoding="utf-8") as f:
+            return json.load(f)
+    except (IOError, ValueError) as e:
+        # In the case of a legacy `.dockercfg` file, we will not
+        # be able to load any JSON data.
+        log.debug(e)
+
+    log.debug("All parsing attempts failed - returning empty config")
+    return {}
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/decorators.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/decorators.py
new file mode 100644
index 00000000..ddb20945
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/decorators.py
@@ -0,0 +1,67 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import functools
+import typing as t
+
+from .. import errors
+from . import utils
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+    from ..api.client import APIClient
+
+    _Self = t.TypeVar("_Self")
+    _P = t.ParamSpec("_P")
+    _R = t.TypeVar("_R")
+
+
+def minimum_version(
+    version: str,
+) -> Callable[
+    [Callable[t.Concatenate[_Self, _P], _R]],
+    Callable[t.Concatenate[_Self, _P], _R],
+]:
+    def decorator(
+        f: Callable[t.Concatenate[_Self, _P], _R],
+    ) -> Callable[t.Concatenate[_Self, _P], _R]:
+        @functools.wraps(f)
+        def wrapper(self: _Self, *args: _P.args, **kwargs: _P.kwargs) -> _R:
+            # We use _Self instead of APIClient since this is used for mixins for APIClient.
+            # This unfortunately means that self._version does not exist in the mixin,
+            # it only exists after mixing in. This is why we ignore types here.
+            if utils.version_lt(self._version, version):  # type: ignore
+                raise errors.InvalidVersion(
+                    f"{f.__name__} is not available for version < {version}"
+                )
+            return f(self, *args, **kwargs)
+
+        return wrapper
+
+    return decorator
+
+
+def update_headers(
+    f: Callable[t.Concatenate[APIClient, _P], _R],
+) -> Callable[t.Concatenate[APIClient, _P], _R]:
+    def inner(self: APIClient, *args: _P.args, **kwargs: _P.kwargs) -> _R:
+        if "HttpHeaders" in self._general_configs:
+            if not kwargs.get("headers"):
+                kwargs["headers"] = self._general_configs["HttpHeaders"]
+            else:
+                # We cannot (yet) model that kwargs["headers"] should be a dictionary
+                kwargs["headers"].update(self._general_configs["HttpHeaders"])  # type: ignore
+        return f(self, *args, **kwargs)
+
+    return inner
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/fnmatch.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/fnmatch.py
new file mode 100644
index 00000000..35ad0017
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/fnmatch.py
@@ -0,0 +1,128 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+"""Filename matching with shell patterns.
+
+fnmatch(FILENAME, PATTERN) matches according to the local convention.
+fnmatchcase(FILENAME, PATTERN) always takes case in account.
+
+The functions operate by translating the pattern into a regular
+expression.  They cache the compiled regular expressions for speed.
+
+The function translate(PATTERN) returns a regular expression
+corresponding to PATTERN.  (It does not compile it.)
+"""
+
+from __future__ import annotations
+
+import re
+
+__all__ = ["fnmatch", "fnmatchcase", "translate"]
+
+_cache: dict[str, re.Pattern] = {}
+_MAXCACHE = 100
+
+
+def _purge() -> None:
+    """Clear the pattern cache"""
+    _cache.clear()
+
+
+def fnmatch(name: str, pat: str) -> bool:
+    """Test whether FILENAME matches PATTERN.
+
+    Patterns are Unix shell style:
+
+    *       matches everything
+    ?       matches any single character
+    [seq]   matches any character in seq
+    [!seq]  matches any char not in seq
+
+    An initial period in FILENAME is not special.
+    Both FILENAME and PATTERN are first case-normalized
+    if the operating system requires it.
+    If you do not want this, use fnmatchcase(FILENAME, PATTERN).
+    """
+
+    name = name.lower()
+    pat = pat.lower()
+    return fnmatchcase(name, pat)
+
+
+def fnmatchcase(name: str, pat: str) -> bool:
+    """Test whether FILENAME matches PATTERN, including case.
+    This is a version of fnmatch() which does not case-normalize
+    its arguments.
+    """
+
+    try:
+        re_pat = _cache[pat]
+    except KeyError:
+        res = translate(pat)
+        if len(_cache) >= _MAXCACHE:
+            _cache.clear()
+        _cache[pat] = re_pat = re.compile(res)
+    return re_pat.match(name) is not None
+
+
+def translate(pat: str) -> str:
+    """Translate a shell PATTERN to a regular expression.
+
+    There is no way to quote meta-characters.
+    """
+    i, n = 0, len(pat)
+    res = "^"
+    while i < n:
+        c = pat[i]
+        i = i + 1
+        if c == "*":
+            if i < n and pat[i] == "*":
+                # is some flavor of "**"
+                i = i + 1
+                # Treat **/ as ** so eat the "/"
+                if i < n and pat[i] == "/":
+                    i = i + 1
+                if i >= n:
+                    # is "**EOF" - to align with .gitignore just accept all
+                    res = res + ".*"
+                else:
+                    # is "**"
+                    # Note that this allows for any # of /'s (even 0) because
+                    # the .* will eat everything, even /'s
+                    res = res + "(.*/)?"
+            else:
+                # is "*" so map it to anything but "/"
+                res = res + "[^/]*"
+        elif c == "?":
+            # "?" is any char except "/"
+            res = res + "[^/]"
+        elif c == "[":
+            j = i
+            if j < n and pat[j] == "!":
+                j = j + 1
+            if j < n and pat[j] == "]":
+                j = j + 1
+            while j < n and pat[j] != "]":
+                j = j + 1
+            if j >= n:
+                res = res + "\\["
+            else:
+                stuff = pat[i:j].replace("\\", "\\\\")
+                i = j + 1
+                if stuff[0] == "!":
+                    stuff = "^" + stuff[1:]
+                elif stuff[0] == "^":
+                    stuff = "\\" + stuff
+                res = f"{res}[{stuff}]"
+        else:
+            res = res + re.escape(c)
+
+    return res + "$"
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/json_stream.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/json_stream.py
new file mode 100644
index 00000000..6367310a
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/json_stream.py
@@ -0,0 +1,100 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import json.decoder
+import typing as t
+
+from ..errors import StreamParseError
+
+if t.TYPE_CHECKING:
+    import re
+    from collections.abc import Callable
+
+    _T = t.TypeVar("_T")
+
+
+json_decoder = json.JSONDecoder()
+
+
+def stream_as_text(stream: t.Generator[bytes | str]) -> t.Generator[str]:
+    """
+    Given a stream of bytes or text, if any of the items in the stream
+    are bytes convert them to text.
+    This function can be removed once we return text streams
+    instead of byte streams.
+    """
+    for data in stream:
+        if not isinstance(data, str):
+            data = data.decode("utf-8", "replace")
+        yield data
+
+
+def json_splitter(buffer: str) -> tuple[t.Any, str] | None:
+    """Attempt to parse a json object from a buffer. If there is at least one
+    object, return it and the rest of the buffer, otherwise return None.
+    """
+    buffer = buffer.strip()
+    try:
+        obj, index = json_decoder.raw_decode(buffer)
+        ws: re.Pattern = json.decoder.WHITESPACE  # type: ignore[attr-defined]
+        m = ws.match(buffer, index)
+        rest = buffer[m.end() :] if m else buffer[index:]
+        return obj, rest
+    except ValueError:
+        return None
+
+
+def json_stream(stream: t.Generator[str | bytes]) -> t.Generator[t.Any]:
+    """Given a stream of text, return a stream of json objects.
+    This handles streams which are inconsistently buffered (some entries may
+    be newline delimited, and others are not).
+    """
+    return split_buffer(stream, json_splitter, json_decoder.decode)
+
+
+def line_splitter(buffer: str, separator: str = "\n") -> tuple[str, str] | None:
+    index = buffer.find(str(separator))
+    if index == -1:
+        return None
+    return buffer[: index + 1], buffer[index + 1 :]
+
+
+def split_buffer(
+    stream: t.Generator[str | bytes],
+    splitter: Callable[[str], tuple[_T, str] | None],
+    decoder: Callable[[str], _T],
+) -> t.Generator[_T | str]:
+    """Given a generator which yields strings and a splitter function,
+    joins all input, splits on the separator and yields each chunk.
+    Unlike string.split(), each chunk includes the trailing
+    separator, except for the last one if none was found on the end
+    of the input.
+    """
+    buffered = ""
+
+    for data in stream_as_text(stream):
+        buffered += data
+        while True:
+            buffer_split = splitter(buffered)
+            if buffer_split is None:
+                break
+
+            item, buffered = buffer_split
+            yield item
+
+    if buffered:
+        try:
+            yield decoder(buffered)
+        except Exception as e:
+            raise StreamParseError(e) from e
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/ports.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/ports.py
new file mode 100644
index 00000000..b4974219
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/ports.py
@@ -0,0 +1,136 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import re
+import typing as t
+
+if t.TYPE_CHECKING:
+    from collections.abc import Collection, Sequence
+
+
+PORT_SPEC = re.compile(
+    "^"  # Match full string
+    "("  # External part
+    r"(\[?(?P<host>[a-fA-F\d.:]+)\]?:)?"  # Address
+    r"(?P<ext>[\d]*)(-(?P<ext_end>[\d]+))?:"  # External range
+    ")?"
+    r"(?P<int>[\d]+)(-(?P<int_end>[\d]+))?"  # Internal range
+    "(?P<proto>/(udp|tcp|sctp))?"  # Protocol
+    "$"  # Match full string
+)
+
+
+def add_port_mapping(
+    port_bindings: dict[str, list[str | tuple[str, str | None] | None]],
+    internal_port: str,
+    external: str | tuple[str, str | None] | None,
+) -> None:
+    if internal_port in port_bindings:
+        port_bindings[internal_port].append(external)
+    else:
+        port_bindings[internal_port] = [external]
+
+
+def add_port(
+    port_bindings: dict[str, list[str | tuple[str, str | None] | None]],
+    internal_port_range: list[str],
+    external_range: list[str] | list[tuple[str, str | None]] | None,
+) -> None:
+    if external_range is None:
+        for internal_port in internal_port_range:
+            add_port_mapping(port_bindings, internal_port, None)
+    else:
+        for internal_port, external_port in zip(internal_port_range, external_range):
+            # mypy loses the exact type of eternal_port elements for some reason...
+            add_port_mapping(port_bindings, internal_port, external_port)  # type: ignore
+
+
+def build_port_bindings(
+    ports: Collection[str],
+) -> dict[str, list[str | tuple[str, str | None] | None]]:
+    port_bindings: dict[str, list[str | tuple[str, str | None] | None]] = {}
+    for port in ports:
+        internal_port_range, external_range = split_port(port)
+        add_port(port_bindings, internal_port_range, external_range)
+    return port_bindings
+
+
+def _raise_invalid_port(port: str) -> t.NoReturn:
+    raise ValueError(
+        f'Invalid port "{port}", should be '
+        "[[remote_ip:]remote_port[-remote_port]:]"
+        "port[/protocol]"
+    )
+
+
+@t.overload
+def port_range(
+    start: str,
+    end: str | None,
+    proto: str,
+    randomly_available_port: bool = False,
+) -> list[str]: ...
+
+
+@t.overload
+def port_range(
+    start: str | None,
+    end: str | None,
+    proto: str,
+    randomly_available_port: bool = False,
+) -> list[str] | None: ...
+
+
+def port_range(
+    start: str | None,
+    end: str | None,
+    proto: str,
+    randomly_available_port: bool = False,
+) -> list[str] | None:
+    if start is None:
+        return start
+    if end is None:
+        return [f"{start}{proto}"]
+    if randomly_available_port:
+        return [f"{start}-{end}{proto}"]
+    return [f"{port}{proto}" for port in range(int(start), int(end) + 1)]
+
+
+def split_port(
+    port: str | int,
+) -> tuple[list[str], list[str] | list[tuple[str, str | None]] | None]:
+    port = str(port)
+    match = PORT_SPEC.match(port)
+    if match is None:
+        _raise_invalid_port(port)
+    parts = match.groupdict()
+
+    host: str | None = parts["host"]
+    proto: str = parts["proto"] or ""
+    int_p: str = parts["int"]
+    ext_p: str = parts["ext"]
+    internal: list[str] = port_range(int_p, parts["int_end"], proto)  # type: ignore
+    external = port_range(ext_p or None, parts["ext_end"], "", len(internal) == 1)
+
+    if host is None:
+        if (external is not None and len(internal) != len(external)) or ext_p == "":
+            raise ValueError("Port ranges don't match in length")
+        return internal, external
+    external_or_none: Sequence[str | None]
+    if not external:
+        external_or_none = [None] * len(internal)
+    else:
+        external_or_none = external
+        if len(internal) != len(external_or_none):
+            raise ValueError("Port ranges don't match in length")
+    return internal, [(host, ext_port) for ext_port in external_or_none]
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/proxy.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/proxy.py
new file mode 100644
index 00000000..6228be6a
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/proxy.py
@@ -0,0 +1,98 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from .utils import format_environment
+
+
+class ProxyConfig(dict):
+    """
+    Hold the client's proxy configuration
+    """
+
+    @property
+    def http(self) -> str | None:
+        return self.get("http")
+
+    @property
+    def https(self) -> str | None:
+        return self.get("https")
+
+    @property
+    def ftp(self) -> str | None:
+        return self.get("ftp")
+
+    @property
+    def no_proxy(self) -> str | None:
+        return self.get("no_proxy")
+
+    @staticmethod
+    def from_dict(config: dict[str, str]) -> ProxyConfig:
+        """
+        Instantiate a new ProxyConfig from a dictionary that represents a
+        client configuration, as described in `the documentation`_.
+
+        .. _the documentation:
+            https://docs.docker.com/network/proxy/#configure-the-docker-client
+        """
+        return ProxyConfig(
+            http=config.get("httpProxy"),
+            https=config.get("httpsProxy"),
+            ftp=config.get("ftpProxy"),
+            no_proxy=config.get("noProxy"),
+        )
+
+    def get_environment(self) -> dict[str, str]:
+        """
+        Return a dictionary representing the environment variables used to
+        set the proxy settings.
+        """
+        env = {}
+        if self.http:
+            env["http_proxy"] = env["HTTP_PROXY"] = self.http
+        if self.https:
+            env["https_proxy"] = env["HTTPS_PROXY"] = self.https
+        if self.ftp:
+            env["ftp_proxy"] = env["FTP_PROXY"] = self.ftp
+        if self.no_proxy:
+            env["no_proxy"] = env["NO_PROXY"] = self.no_proxy
+        return env
+
+    @t.overload
+    def inject_proxy_environment(self, environment: list[str]) -> list[str]: ...
+
+    @t.overload
+    def inject_proxy_environment(
+        self, environment: list[str] | None
+    ) -> list[str] | None: ...
+
+    def inject_proxy_environment(
+        self, environment: list[str] | None
+    ) -> list[str] | None:
+        """
+        Given a list of strings representing environment variables, prepend the
+        environment variables corresponding to the proxy settings.
+        """
+        if not self:
+            return environment
+
+        proxy_env = format_environment(self.get_environment())
+        if not environment:
+            return proxy_env
+        # It is important to prepend our variables, because we want the
+        # variables defined in "environment" to take precedence.
+        return proxy_env + environment
+
+    def __str__(self) -> str:
+        return f"ProxyConfig(http={self.http}, https={self.https}, ftp={self.ftp}, no_proxy={self.no_proxy})"
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/socket.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/socket.py
new file mode 100644
index 00000000..0deb3ad7
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/socket.py
@@ -0,0 +1,242 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import errno
+import os
+import select
+import socket as pysocket
+import struct
+import typing as t
+
+from ..transport.npipesocket import NpipeSocket
+
+if t.TYPE_CHECKING:
+    from collections.abc import Sequence
+
+    from ..._socket_helper import SocketLike
+
+
+STDOUT = 1
+STDERR = 2
+
+
+class SocketError(Exception):
+    pass
+
+
+# NpipeSockets have their own error types
+# pywintypes.error: (109, 'ReadFile', 'The pipe has been ended.')
+NPIPE_ENDED = 109
+
+
+def read(socket: SocketLike, n: int = 4096) -> bytes | None:
+    """
+    Reads at most n bytes from socket
+    """
+
+    recoverable_errors = (errno.EINTR, errno.EDEADLK, errno.EWOULDBLOCK)
+
+    if not isinstance(socket, NpipeSocket):  # type: ignore[unreachable]
+        if not hasattr(select, "poll"):
+            # Limited to 1024
+            select.select([socket], [], [])
+        else:
+            poll = select.poll()
+            poll.register(socket, select.POLLIN | select.POLLPRI)
+            poll.poll()
+
+    try:
+        if hasattr(socket, "recv"):
+            return socket.recv(n)
+        if isinstance(socket, pysocket.SocketIO):  # type: ignore
+            return socket.read(n)  # type: ignore[unreachable]
+        return os.read(socket.fileno(), n)
+    except EnvironmentError as e:
+        if e.errno not in recoverable_errors:
+            raise
+        return None  # TODO ???
+    except Exception as e:
+        is_pipe_ended = (
+            isinstance(socket, NpipeSocket)  # type: ignore[unreachable]
+            and len(e.args) > 0
+            and e.args[0] == NPIPE_ENDED
+        )
+        if is_pipe_ended:
+            # npipes do not support duplex sockets, so we interpret
+            # a PIPE_ENDED error as a close operation (0-length read).
+            return b""
+        raise
+
+
+def read_exactly(socket: SocketLike, n: int) -> bytes:
+    """
+    Reads exactly n bytes from socket
+    Raises SocketError if there is not enough data
+    """
+    data = b""
+    while len(data) < n:
+        next_data = read(socket, n - len(data))
+        if not next_data:
+            raise SocketError("Unexpected EOF")
+        data += next_data
+    return data
+
+
+def next_frame_header(socket: SocketLike) -> tuple[int, int]:
+    """
+    Returns the stream and size of the next frame of data waiting to be read
+    from socket, according to the protocol defined here:
+
+    https://docs.docker.com/engine/api/v1.24/#attach-to-a-container
+    """
+    try:
+        data = read_exactly(socket, 8)
+    except SocketError:
+        return (-1, -1)
+
+    stream, actual = struct.unpack(">BxxxL", data)
+    return (stream, actual)
+
+
+def frames_iter(socket: SocketLike, tty: bool) -> t.Generator[tuple[int, bytes]]:
+    """
+    Return a generator of frames read from socket. A frame is a tuple where
+    the first item is the stream number and the second item is a chunk of data.
+
+    If the tty setting is enabled, the streams are multiplexed into the stdout
+    stream.
+    """
+    if tty:
+        return ((STDOUT, frame) for frame in frames_iter_tty(socket))
+    return frames_iter_no_tty(socket)
+
+
+def frames_iter_no_tty(socket: SocketLike) -> t.Generator[tuple[int, bytes]]:
+    """
+    Returns a generator of data read from the socket when the tty setting is
+    not enabled.
+    """
+    while True:
+        (stream, n) = next_frame_header(socket)
+        if n < 0:
+            break
+        while n > 0:
+            result = read(socket, n)
+            if result is None:
+                continue
+            data_length = len(result)
+            if data_length == 0:
+                # We have reached EOF
+                return
+            n -= data_length
+            yield (stream, result)
+
+
+def frames_iter_tty(socket: SocketLike) -> t.Generator[bytes]:
+    """
+    Return a generator of data read from the socket when the tty setting is
+    enabled.
+    """
+    while True:
+        result = read(socket)
+        if not result:
+            # We have reached EOF
+            return
+        yield result
+
+
+@t.overload
+def consume_socket_output(
+    frames: Sequence[bytes] | t.Generator[bytes], demux: t.Literal[False] = False
+) -> bytes: ...
+
+
+@t.overload
+def consume_socket_output(
+    frames: (
+        Sequence[tuple[bytes | None, bytes | None]]
+        | t.Generator[tuple[bytes | None, bytes | None]]
+    ),
+    demux: t.Literal[True],
+) -> tuple[bytes, bytes]: ...
+
+
+@t.overload
+def consume_socket_output(
+    frames: (
+        Sequence[bytes]
+        | Sequence[tuple[bytes | None, bytes | None]]
+        | t.Generator[bytes]
+        | t.Generator[tuple[bytes | None, bytes | None]]
+    ),
+    demux: bool = False,
+) -> bytes | tuple[bytes, bytes]: ...
+
+
+def consume_socket_output(
+    frames: (
+        Sequence[bytes]
+        | Sequence[tuple[bytes | None, bytes | None]]
+        | t.Generator[bytes]
+        | t.Generator[tuple[bytes | None, bytes | None]]
+    ),
+    demux: bool = False,
+) -> bytes | tuple[bytes, bytes]:
+    """
+    Iterate through frames read from the socket and return the result.
+
+    Args:
+
+        demux (bool):
+            If False, stdout and stderr are multiplexed, and the result is the
+            concatenation of all the frames. If True, the streams are
+            demultiplexed, and the result is a 2-tuple where each item is the
+            concatenation of frames belonging to the same stream.
+    """
+    if demux is False:
+        # If the streams are multiplexed, the generator returns strings, that
+        # we just need to concatenate.
+        return b"".join(frames)  # type: ignore
+
+    # If the streams are demultiplexed, the generator yields tuples
+    # (stdout, stderr)
+    out: list[bytes | None] = [None, None]
+    frame: tuple[bytes | None, bytes | None]
+    for frame in frames:  # type: ignore
+        # It is guaranteed that for each frame, one and only one stream
+        # is not None.
+        if frame == (None, None):
+            raise AssertionError(f"frame must be (None, None), but got {frame}")
+        if frame[0] is not None:
+            if out[0] is None:
+                out[0] = frame[0]
+            else:
+                out[0] += frame[0]
+        else:
+            if out[1] is None:
+                out[1] = frame[1]
+            else:
+                out[1] += frame[1]  # type: ignore[operator]
+    return tuple(out)  # type: ignore
+
+
+def demux_adaptor(stream_id: int, data: bytes) -> tuple[bytes | None, bytes | None]:
+    """
+    Utility to demultiplex stdout and stderr when reading frames from the
+    socket.
+    """
+    if stream_id == STDOUT:
+        return (data, None)
+    if stream_id == STDERR:
+        return (None, data)
+    raise ValueError(f"{stream_id} is not a valid stream")
diff --git a/ansible_collections/community/docker/plugins/module_utils/_api/utils/utils.py b/ansible_collections/community/docker/plugins/module_utils/_api/utils/utils.py
new file mode 100644
index 00000000..11cd6737
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_api/utils/utils.py
@@ -0,0 +1,519 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import base64
+import collections
+import json
+import os
+import os.path
+import shlex
+import string
+import typing as t
+from urllib.parse import urlparse, urlunparse
+
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    StrictVersion,
+)
+
+from .. import errors
+from ..constants import (
+    BYTE_UNITS,
+    DEFAULT_HTTP_HOST,
+    DEFAULT_NPIPE,
+    DEFAULT_UNIX_SOCKET,
+)
+from ..tls import TLSConfig
+
+if t.TYPE_CHECKING:
+    from collections.abc import Mapping, Sequence
+
+
+URLComponents = collections.namedtuple(
+    "URLComponents",
+    "scheme netloc url params query fragment",
+)
+
+
+def decode_json_header(header: str | bytes) -> dict[str, t.Any]:
+    data = base64.b64decode(header).decode("utf-8")
+    return json.loads(data)
+
+
+def compare_version(v1: str, v2: str) -> t.Literal[-1, 0, 1]:
+    """Compare docker versions
+
+    >>> v1 = '1.9'
+    >>> v2 = '1.10'
+    >>> compare_version(v1, v2)
+    1
+    >>> compare_version(v2, v1)
+    -1
+    >>> compare_version(v2, v2)
+    0
+    """
+    s1 = StrictVersion(v1)
+    s2 = StrictVersion(v2)
+    if s1 == s2:
+        return 0
+    if s1 > s2:
+        return -1
+    return 1
+
+
+def version_lt(v1: str, v2: str) -> bool:
+    return compare_version(v1, v2) > 0
+
+
+def version_gte(v1: str, v2: str) -> bool:
+    return not version_lt(v1, v2)
+
+
+def _convert_port_binding(
+    binding: (
+        tuple[str, str | int | None]
+        | tuple[str | int | None]
+        | dict[str, str]
+        | str
+        | int
+    ),
+) -> dict[str, str]:
+    result = {"HostIp": "", "HostPort": ""}
+    host_port: str | int | None = ""
+    if isinstance(binding, tuple):
+        if len(binding) == 2:
+            host_port = binding[1]  # type: ignore
+            result["HostIp"] = binding[0]
+        elif isinstance(binding[0], str):
+            result["HostIp"] = binding[0]
+        else:
+            host_port = binding[0]
+    elif isinstance(binding, dict):
+        if "HostPort" in binding:
+            host_port = binding["HostPort"]
+            if "HostIp" in binding:
+                result["HostIp"] = binding["HostIp"]
+        else:
+            raise ValueError(binding)
+    else:
+        host_port = binding
+
+    result["HostPort"] = str(host_port) if host_port is not None else ""
+    return result
+
+
+def convert_port_bindings(
+    port_bindings: dict[
+        str | int,
+        tuple[str, str | int | None]
+        | tuple[str | int | None]
+        | dict[str, str]
+        | str
+        | int
+        | list[
+            tuple[str, str | int | None]
+            | tuple[str | int | None]
+            | dict[str, str]
+            | str
+            | int
+        ],
+    ],
+) -> dict[str, list[dict[str, str]]]:
+    result = {}
+    for k, v in port_bindings.items():
+        key = str(k)
+        if "/" not in key:
+            key += "/tcp"
+        if isinstance(v, list):
+            result[key] = [_convert_port_binding(binding) for binding in v]
+        else:
+            result[key] = [_convert_port_binding(v)]
+    return result
+
+
+def convert_volume_binds(
+    binds: (
+        list[str]
+        | Mapping[
+            str | bytes, dict[str, str | bytes] | dict[str, str] | bytes | str | int
+        ]
+    ),
+) -> list[str]:
+    if isinstance(binds, list):
+        return binds  # type: ignore
+
+    result = []
+    for k, v in binds.items():
+        if isinstance(k, bytes):
+            k = k.decode("utf-8")
+
+        if isinstance(v, dict):
+            if "ro" in v and "mode" in v:
+                raise ValueError(f'Binding cannot contain both "ro" and "mode": {v!r}')
+
+            bind = v["bind"]
+            if isinstance(bind, bytes):
+                bind = bind.decode("utf-8")
+
+            if "ro" in v:
+                mode = "ro" if v["ro"] else "rw"
+            elif "mode" in v:
+                mode = v["mode"]  # type: ignore # TODO
+            else:
+                mode = "rw"
+
+            # NOTE: this is only relevant for Linux hosts
+            # (does not apply in Docker Desktop)
+            propagation_modes = [
+                "rshared",
+                "shared",
+                "rslave",
+                "slave",
+                "rprivate",
+                "private",
+            ]
+            if "propagation" in v and v["propagation"] in propagation_modes:
+                if mode:
+                    mode = ",".join([mode, v["propagation"]])  # type: ignore # TODO
+                else:
+                    mode = v["propagation"]  # type: ignore # TODO
+
+            result.append(f"{k}:{bind}:{mode}")
+        else:
+            if isinstance(v, bytes):
+                v = v.decode("utf-8")
+            result.append(f"{k}:{v}:rw")
+    return result
+
+
+def convert_tmpfs_mounts(tmpfs: dict[str, str] | list[str]) -> dict[str, str]:
+    if isinstance(tmpfs, dict):
+        return tmpfs
+
+    if not isinstance(tmpfs, list):
+        raise ValueError(
+            f"Expected tmpfs value to be either a list or a dict, found: {type(tmpfs).__name__}"
+        )
+
+    result = {}
+    for mount in tmpfs:
+        if isinstance(mount, str):
+            if ":" in mount:
+                name, options = mount.split(":", 1)
+            else:
+                name = mount
+                options = ""
+
+        else:
+            raise ValueError(
+                f"Expected item in tmpfs list to be a string, found: {type(mount).__name__}"
+            )
+
+        result[name] = options
+    return result
+
+
+def convert_service_networks(
+    networks: list[str | dict[str, str]],
+) -> list[dict[str, str]]:
+    if not networks:
+        return networks  # type: ignore
+    if not isinstance(networks, list):
+        raise TypeError("networks parameter must be a list.")
+
+    result = []
+    for n in networks:
+        if isinstance(n, str):
+            n = {"Target": n}
+        result.append(n)
+    return result
+
+
+def parse_repository_tag(repo_name: str) -> tuple[str, str | None]:
+    parts = repo_name.rsplit("@", 1)
+    if len(parts) == 2:
+        return tuple(parts)  # type: ignore
+    parts = repo_name.rsplit(":", 1)
+    if len(parts) == 2 and "/" not in parts[1]:
+        return tuple(parts)  # type: ignore
+    return repo_name, None
+
+
+def parse_host(addr: str | None, is_win32: bool = False, tls: bool = False) -> str:
+    # Sensible defaults
+    if not addr and is_win32:
+        return DEFAULT_NPIPE
+    if not addr or addr.strip() == "unix://":
+        return DEFAULT_UNIX_SOCKET
+
+    addr = addr.strip()
+
+    parsed_url = urlparse(addr)
+    proto = parsed_url.scheme
+    if not proto or any(x not in string.ascii_letters + "+" for x in proto):
+        # https://bugs.python.org/issue754016
+        parsed_url = urlparse("//" + addr, "tcp")
+        proto = "tcp"
+
+    if proto == "fd":
+        raise errors.DockerException("fd protocol is not implemented")
+
+    # These protos are valid aliases for our library but not for the
+    # official spec
+    if proto in ("http", "https"):
+        tls = proto == "https"
+        proto = "tcp"
+    elif proto == "http+unix":
+        proto = "unix"
+
+    if proto not in ("tcp", "unix", "npipe", "ssh"):
+        raise errors.DockerException(f"Invalid bind address protocol: {addr}")
+
+    if proto == "tcp" and not parsed_url.netloc:
+        # "tcp://" is exceptionally disallowed by convention;
+        # omitting a hostname for other protocols is fine
+        raise errors.DockerException(f"Invalid bind address format: {addr}")
+
+    if any(
+        [parsed_url.params, parsed_url.query, parsed_url.fragment, parsed_url.password]
+    ):
+        raise errors.DockerException(f"Invalid bind address format: {addr}")
+
+    if parsed_url.path and proto == "ssh":
+        raise errors.DockerException(
+            f"Invalid bind address format: no path allowed for this protocol: {addr}"
+        )
+    path = parsed_url.path
+    if proto == "unix" and parsed_url.hostname is not None:
+        # For legacy reasons, we consider unix://path
+        # to be valid and equivalent to unix:///path
+        path = f"{parsed_url.hostname}/{path}"
+
+    netloc = parsed_url.netloc
+    if proto in ("tcp", "ssh"):
+        port = parsed_url.port or 0
+        if port <= 0:
+            port = 22 if proto == "ssh" else (2375 if tls else 2376)
+            netloc = f"{parsed_url.netloc}:{port}"
+
+        if not parsed_url.hostname:
+            netloc = f"{DEFAULT_HTTP_HOST}:{port}"
+
+    # Rewrite schemes to fit library internals (requests adapters)
+    if proto == "tcp":
+        proto = f"http{'s' if tls else ''}"
+    elif proto == "unix":
+        proto = "http+unix"
+
+    if proto in ("http+unix", "npipe"):
+        return f"{proto}://{path}".rstrip("/")
+    return urlunparse(
+        URLComponents(
+            scheme=proto,
+            netloc=netloc,
+            url=path,
+            params="",
+            query="",
+            fragment="",
+        )
+    ).rstrip("/")
+
+
+def parse_devices(devices: Sequence[dict[str, str] | str]) -> list[dict[str, str]]:
+    device_list = []
+    for device in devices:
+        if isinstance(device, dict):
+            device_list.append(device)
+            continue
+        if not isinstance(device, str):
+            raise errors.DockerException(f"Invalid device type {type(device)}")
+        device_mapping = device.split(":")
+        if device_mapping:
+            path_on_host = device_mapping[0]
+            if len(device_mapping) > 1:
+                path_in_container = device_mapping[1]
+            else:
+                path_in_container = path_on_host
+            if len(device_mapping) > 2:
+                permissions = device_mapping[2]
+            else:
+                permissions = "rwm"
+            device_list.append(
+                {
+                    "PathOnHost": path_on_host,
+                    "PathInContainer": path_in_container,
+                    "CgroupPermissions": permissions,
+                }
+            )
+    return device_list
+
+
+def kwargs_from_env(
+    assert_hostname: bool | None = None,
+    environment: Mapping[str, str] | None = None,
+) -> dict[str, t.Any]:
+    if not environment:
+        environment = os.environ
+    host = environment.get("DOCKER_HOST")
+
+    # empty string for cert path is the same as unset.
+    cert_path = environment.get("DOCKER_CERT_PATH") or None
+
+    # empty string for tls verify counts as "false".
+    # Any value or 'unset' counts as true.
+    tls_verify_str = environment.get("DOCKER_TLS_VERIFY")
+    if tls_verify_str == "":
+        tls_verify = False
+    else:
+        tls_verify = tls_verify_str is not None
+    enable_tls = cert_path or tls_verify
+
+    params: dict[str, t.Any] = {}
+
+    if host:
+        params["base_url"] = host
+
+    if not enable_tls:
+        return params
+
+    if not cert_path:
+        cert_path = os.path.join(os.path.expanduser("~"), ".docker")
+
+    if not tls_verify and assert_hostname is None:
+        # assert_hostname is a subset of TLS verification,
+        # so if it is not set already then set it to false.
+        assert_hostname = False
+
+    params["tls"] = TLSConfig(
+        client_cert=(
+            os.path.join(cert_path, "cert.pem"),
+            os.path.join(cert_path, "key.pem"),
+        ),
+        ca_cert=os.path.join(cert_path, "ca.pem"),
+        verify=tls_verify,
+        assert_hostname=assert_hostname,
+    )
+
+    return params
+
+
+def convert_filters(
+    filters: Mapping[str, bool | str | int | list[int] | list[str] | list[str | int]],
+) -> str:
+    result = {}
+    for k, v in filters.items():
+        if isinstance(v, bool):
+            v = "true" if v else "false"
+        if not isinstance(v, list):
+            v = [
+                v,
+            ]
+        result[k] = [str(item) if not isinstance(item, str) else item for item in v]
+    return json.dumps(result)
+
+
+def parse_bytes(s: int | float | str) -> int | float:
+    if isinstance(s, (int, float)):
+        return s
+    if len(s) == 0:
+        return 0
+
+    if s[-2:-1].isalpha() and s[-1].isalpha() and (s[-1] == "b" or s[-1] == "B"):
+        s = s[:-1]
+    units = BYTE_UNITS
+    suffix = s[-1].lower()
+
+    # Check if the variable is a string representation of an int
+    # without a units part. Assuming that the units are bytes.
+    if suffix.isdigit():
+        digits_part = s
+        suffix = "b"
+    else:
+        digits_part = s[:-1]
+
+    if suffix in units or suffix.isdigit():
+        try:
+            digits = float(digits_part)
+        except ValueError as exc:
+            raise errors.DockerException(
+                f"Failed converting the string value for memory ({digits_part}) to an integer."
+            ) from exc
+
+        # Reconvert to long for the final result
+        s = int(digits * units[suffix])
+    else:
+        raise errors.DockerException(
+            f"The specified value for memory ({s}) should specify the units. The postfix should be one of the `b` `k` `m` `g` characters"
+        )
+
+    return s
+
+
+def normalize_links(links: dict[str, str] | Sequence[tuple[str, str]]) -> list[str]:
+    if isinstance(links, dict):
+        sorted_links = sorted(links.items())
+    else:
+        sorted_links = sorted(links)
+
+    return [f"{k}:{v}" if v else k for k, v in sorted_links]
+
+
+def parse_env_file(env_file: str | os.PathLike) -> dict[str, str]:
+    """
+    Reads a line-separated environment file.
+    The format of each line should be "key=value".
+    """
+    environment = {}
+
+    with open(env_file, "rt", encoding="utf-8") as f:
+        for line in f:
+            if line[0] == "#":
+                continue
+
+            line = line.strip()
+            if not line:
+                continue
+
+            parse_line = line.split("=", 1)
+            if len(parse_line) == 2:
+                k, v = parse_line
+                environment[k] = v
+            else:
+                raise errors.DockerException(
+                    f"Invalid line in environment file {env_file}:\n{line}"
+                )
+
+    return environment
+
+
+def split_command(command: str) -> list[str]:
+    return shlex.split(command)
+
+
+def format_environment(environment: Mapping[str, str | bytes | None]) -> list[str]:
+    def format_env(key: str, value: str | bytes | None) -> str:
+        if value is None:
+            return key
+        if isinstance(value, bytes):
+            value = value.decode("utf-8")
+
+        return f"{key}={value}"
+
+    return [format_env(*var) for var in environment.items()]
+
+
+def format_extra_hosts(extra_hosts: Mapping[str, str], task: bool = False) -> list[str]:
+    # Use format dictated by Swarm API if container is part of a task
+    if task:
+        return [f"{v} {k}" for k, v in sorted(extra_hosts.items())]
+
+    return [f"{k}:{v}" for k, v in sorted(extra_hosts.items())]
diff --git a/ansible_collections/community/docker/plugins/module_utils/_common.py b/ansible_collections/community/docker/plugins/module_utils/_common.py
new file mode 100644
index 00000000..feec628e
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_common.py
@@ -0,0 +1,555 @@
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import abc
+import os
+import platform
+import re
+import sys
+import traceback
+import typing as t
+from collections.abc import Mapping, Sequence
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+from ansible.module_utils.parsing.convert_bool import BOOLEANS_FALSE, BOOLEANS_TRUE
+
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DEFAULT_DOCKER_HOST,
+    DEFAULT_TIMEOUT_SECONDS,
+    DEFAULT_TLS,
+    DEFAULT_TLS_VERIFY,
+    DOCKER_COMMON_ARGS,
+    DOCKER_MUTUALLY_EXCLUSIVE,
+    DOCKER_REQUIRED_TOGETHER,
+    sanitize_result,
+    update_tls_hostname,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+HAS_DOCKER_PY_2 = False  # pylint: disable=invalid-name
+HAS_DOCKER_PY_3 = False  # pylint: disable=invalid-name
+HAS_DOCKER_ERROR: None | str  # pylint: disable=invalid-name
+HAS_DOCKER_TRACEBACK: None | str  # pylint: disable=invalid-name
+docker_version: str | None  # pylint: disable=invalid-name
+
+try:
+    from docker import __version__ as docker_version
+    from docker.errors import APIError, TLSParameterError
+    from docker.tls import TLSConfig
+
+    if LooseVersion(docker_version) >= LooseVersion("3.0.0"):
+        HAS_DOCKER_PY_3 = True  # pylint: disable=invalid-name
+        from docker import APIClient as Client
+    elif LooseVersion(docker_version) >= LooseVersion("2.0.0"):
+        HAS_DOCKER_PY_2 = True  # pylint: disable=invalid-name
+        from docker import APIClient as Client
+    else:
+        from docker import Client  # type: ignore
+
+except ImportError as exc:
+    HAS_DOCKER_ERROR = str(exc)  # pylint: disable=invalid-name
+    HAS_DOCKER_TRACEBACK = traceback.format_exc()  # pylint: disable=invalid-name
+    HAS_DOCKER_PY = False  # pylint: disable=invalid-name
+    docker_version = None  # pylint: disable=invalid-name
+else:
+    HAS_DOCKER_PY = True  # pylint: disable=invalid-name
+    HAS_DOCKER_ERROR = None  # pylint: disable=invalid-name
+    HAS_DOCKER_TRACEBACK = None  # pylint: disable=invalid-name
+
+
+try:
+    from requests.exceptions import (  # noqa: F401, pylint: disable=unused-import
+        RequestException,
+    )
+except ImportError:
+    # Either Docker SDK for Python is no longer using requests, or Docker SDK for Python is not around either,
+    # or Docker SDK for Python's dependency requests is missing. In any case, define an exception
+    # class RequestException so that our code does not break.
+    class RequestException(Exception):  # type: ignore
+        pass
+
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+
+MIN_DOCKER_VERSION = "2.0.0"
+
+
+if not HAS_DOCKER_PY:
+    # No Docker SDK for Python. Create a place holder client to allow
+    # instantiation of AnsibleModule and proper error handing
+    class Client:  # type: ignore # noqa: F811, pylint: disable=function-redefined
+        def __init__(self, **kwargs: t.Any) -> None:
+            pass
+
+    class APIError(Exception):  # type: ignore # noqa: F811, pylint: disable=function-redefined
+        pass
+
+    class NotFound(Exception):  # type: ignore # noqa: F811, pylint: disable=function-redefined
+        pass
+
+
+def _get_tls_config(
+    fail_function: Callable[[str], t.NoReturn], **kwargs: t.Any
+) -> TLSConfig:
+    if "assert_hostname" in kwargs and LooseVersion(docker_version) >= LooseVersion(
+        "7.0.0b1"
+    ):
+        assert_hostname = kwargs.pop("assert_hostname")
+        if assert_hostname is not None:
+            fail_function(
+                "tls_hostname is not compatible with Docker SDK for Python 7.0.0+. You are using"
+                f" Docker SDK for Python {docker_version}. The tls_hostname option (value: {assert_hostname})"
+                " has either been set directly or with the environment variable DOCKER_TLS_HOSTNAME."
+                " Make sure it is not set, or switch to an older version of Docker SDK for Python."
+            )
+    # Filter out all None parameters
+    kwargs = dict((k, v) for k, v in kwargs.items() if v is not None)
+    try:
+        return TLSConfig(**kwargs)
+    except TLSParameterError as exc:
+        fail_function(f"TLS config error: {exc}")
+
+
+def is_using_tls(auth_data: dict[str, t.Any]) -> bool:
+    return auth_data["tls_verify"] or auth_data["tls"]
+
+
+def get_connect_params(
+    auth_data: dict[str, t.Any], fail_function: Callable[[str], t.NoReturn]
+) -> dict[str, t.Any]:
+    if is_using_tls(auth_data):
+        auth_data["docker_host"] = auth_data["docker_host"].replace(
+            "tcp://", "https://"
+        )
+
+    result = {
+        "base_url": auth_data["docker_host"],
+        "version": auth_data["api_version"],
+        "timeout": auth_data["timeout"],
+    }
+
+    if auth_data["tls_verify"]:
+        # TLS with verification
+        tls_config: dict[str, t.Any] = {
+            "verify": True,
+        }
+        if auth_data["tls_hostname"] is not None:
+            tls_config["assert_hostname"] = auth_data["tls_hostname"]
+        if auth_data["cert_path"] and auth_data["key_path"]:
+            tls_config["client_cert"] = (auth_data["cert_path"], auth_data["key_path"])
+        if auth_data["cacert_path"]:
+            tls_config["ca_cert"] = auth_data["cacert_path"]
+        result["tls"] = _get_tls_config(fail_function=fail_function, **tls_config)
+    elif auth_data["tls"]:
+        # TLS without verification
+        tls_config = {
+            "verify": False,
+        }
+        if auth_data["cert_path"] and auth_data["key_path"]:
+            tls_config["client_cert"] = (auth_data["cert_path"], auth_data["key_path"])
+        result["tls"] = _get_tls_config(fail_function=fail_function, **tls_config)
+
+    if auth_data.get("use_ssh_client"):
+        if LooseVersion(docker_version) < LooseVersion("4.4.0"):
+            fail_function(
+                "use_ssh_client=True requires Docker SDK for Python 4.4.0 or newer"
+            )
+        result["use_ssh_client"] = True
+
+    # No TLS
+    return result
+
+
+DOCKERPYUPGRADE_SWITCH_TO_DOCKER = (
+    "Try `pip uninstall docker-py` followed by `pip install docker`."
+)
+DOCKERPYUPGRADE_UPGRADE_DOCKER = "Use `pip install --upgrade docker` to upgrade."
+
+
+class AnsibleDockerClientBase(Client):
+    def __init__(
+        self,
+        min_docker_version: str | None = None,
+        min_docker_api_version: str | None = None,
+    ) -> None:
+        if min_docker_version is None:
+            min_docker_version = MIN_DOCKER_VERSION
+
+        self.docker_py_version = LooseVersion(docker_version)
+
+        if not HAS_DOCKER_PY:
+            msg = missing_required_lib("Docker SDK for Python: docker>=5.0.0")
+            msg = f"{msg}, for example via `pip install docker`. The error was: {HAS_DOCKER_ERROR}"
+            self.fail(msg, exception=HAS_DOCKER_TRACEBACK)
+
+        if self.docker_py_version < LooseVersion(min_docker_version):
+            msg = (
+                f"Error: Docker SDK for Python version is {docker_version} ({platform.node()}'s Python {sys.executable})."
+                f" Minimum version required is {min_docker_version}."
+            )
+            if docker_version < LooseVersion("2.0"):
+                msg += DOCKERPYUPGRADE_SWITCH_TO_DOCKER
+            else:
+                msg += DOCKERPYUPGRADE_UPGRADE_DOCKER
+            self.fail(msg)
+
+        self._connect_params = get_connect_params(
+            self.auth_params, fail_function=self.fail
+        )
+
+        try:
+            super().__init__(**self._connect_params)
+            self.docker_api_version_str = self.api_version
+        except APIError as exc:
+            self.fail(f"Docker API error: {exc}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error connecting: {exc}")
+
+        self.docker_api_version = LooseVersion(self.docker_api_version_str)
+        min_docker_api_version = min_docker_api_version or "1.25"
+        if self.docker_api_version < LooseVersion(min_docker_api_version):
+            self.fail(
+                f"Docker API version is {self.docker_api_version_str}. Minimum version required is {min_docker_api_version}."
+            )
+
+    def log(self, msg: t.Any, pretty_print: bool = False) -> None:
+        pass
+        # if self.debug:
+        #     from .util import log_debug
+        #     log_debug(msg, pretty_print=pretty_print)
+
+    @abc.abstractmethod
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        pass
+
+    @abc.abstractmethod
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        pass
+
+    @staticmethod
+    def _get_value(
+        param_name: str,
+        param_value: t.Any,
+        env_variable: str | None,
+        default_value: t.Any | None,
+        value_type: t.Literal["str", "bool", "int"] = "str",
+    ) -> t.Any:
+        if param_value is not None:
+            # take module parameter value
+            if value_type == "bool":
+                if param_value in BOOLEANS_TRUE:
+                    return True
+                if param_value in BOOLEANS_FALSE:
+                    return False
+                return bool(param_value)
+            if value_type == "int":
+                return int(param_value)
+            return param_value
+
+        if env_variable is not None:
+            env_value = os.environ.get(env_variable)
+            if env_value is not None:
+                # take the env variable value
+                if param_name == "cert_path":
+                    return os.path.join(env_value, "cert.pem")
+                if param_name == "cacert_path":
+                    return os.path.join(env_value, "ca.pem")
+                if param_name == "key_path":
+                    return os.path.join(env_value, "key.pem")
+                if value_type == "bool":
+                    if env_value in BOOLEANS_TRUE:
+                        return True
+                    if env_value in BOOLEANS_FALSE:
+                        return False
+                    return bool(env_value)
+                if value_type == "int":
+                    return int(env_value)
+                return env_value
+
+        # take the default
+        return default_value
+
+    @abc.abstractmethod
+    def _get_params(self) -> dict[str, t.Any]:
+        pass
+
+    @property
+    def auth_params(self) -> dict[str, t.Any]:
+        # Get authentication credentials.
+        # Precedence: module parameters-> environment variables-> defaults.
+
+        self.log("Getting credentials")
+
+        client_params = self._get_params()
+
+        params = {}
+        for key in DOCKER_COMMON_ARGS:
+            params[key] = client_params.get(key)
+
+        result = {
+            "docker_host": self._get_value(
+                "docker_host",
+                params["docker_host"],
+                "DOCKER_HOST",
+                DEFAULT_DOCKER_HOST,
+                value_type="str",
+            ),
+            "tls_hostname": self._get_value(
+                "tls_hostname",
+                params["tls_hostname"],
+                "DOCKER_TLS_HOSTNAME",
+                None,
+                value_type="str",
+            ),
+            "api_version": self._get_value(
+                "api_version",
+                params["api_version"],
+                "DOCKER_API_VERSION",
+                "auto",
+                value_type="str",
+            ),
+            "cacert_path": self._get_value(
+                "cacert_path",
+                params["ca_path"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "cert_path": self._get_value(
+                "cert_path",
+                params["client_cert"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "key_path": self._get_value(
+                "key_path",
+                params["client_key"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "tls": self._get_value(
+                "tls", params["tls"], "DOCKER_TLS", DEFAULT_TLS, value_type="bool"
+            ),
+            "tls_verify": self._get_value(
+                "validate_certs",
+                params["validate_certs"],
+                "DOCKER_TLS_VERIFY",
+                DEFAULT_TLS_VERIFY,
+                value_type="bool",
+            ),
+            "timeout": self._get_value(
+                "timeout",
+                params["timeout"],
+                "DOCKER_TIMEOUT",
+                DEFAULT_TIMEOUT_SECONDS,
+                value_type="int",
+            ),
+            "use_ssh_client": self._get_value(
+                "use_ssh_client",
+                params["use_ssh_client"],
+                None,
+                False,
+                value_type="bool",
+            ),
+        }
+
+        if LooseVersion(docker_version) < LooseVersion("7.0.0b1"):
+            update_tls_hostname(result)
+
+        return result
+
+    def _handle_ssl_error(self, error: Exception) -> t.NoReturn:
+        match = re.match(r"hostname.*doesn\'t match (\'.*\')", str(error))
+        if match:
+            hostname = self.auth_params["tls_hostname"]
+            self.fail(
+                f"You asked for verification that Docker daemons certificate's hostname matches {hostname}. "
+                f"The actual certificate's hostname is {match.group(1)}. Most likely you need to set DOCKER_TLS_HOSTNAME "
+                f"or pass `tls_hostname` with a value of {match.group(1)}. You may also use TLS without verification by "
+                "setting the `tls` parameter to true."
+            )
+        self.fail(f"SSL Exception: {error}")
+
+
+class AnsibleDockerClient(AnsibleDockerClientBase):
+    def __init__(
+        self,
+        argument_spec: dict[str, t.Any] | None = None,
+        supports_check_mode: bool = False,
+        mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        required_together: Sequence[Sequence[str]] | None = None,
+        required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        required_one_of: Sequence[Sequence[str]] | None = None,
+        required_by: dict[str, Sequence[str]] | None = None,
+        min_docker_version: str | None = None,
+        min_docker_api_version: str | None = None,
+        option_minimal_versions: dict[str, t.Any] | None = None,
+        option_minimal_versions_ignore_params: Sequence[str] | None = None,
+        fail_results: dict[str, t.Any] | None = None,
+    ):
+        # Modules can put information in here which will always be returned
+        # in case client.fail() is called.
+        self.fail_results = fail_results or {}
+
+        merged_arg_spec = {}
+        merged_arg_spec.update(DOCKER_COMMON_ARGS)
+        if argument_spec:
+            merged_arg_spec.update(argument_spec)
+            self.arg_spec = merged_arg_spec
+
+        mutually_exclusive_params: list[Sequence[str]] = []
+        mutually_exclusive_params += DOCKER_MUTUALLY_EXCLUSIVE
+        if mutually_exclusive:
+            mutually_exclusive_params += mutually_exclusive
+
+        required_together_params: list[Sequence[str]] = []
+        required_together_params += DOCKER_REQUIRED_TOGETHER
+        if required_together:
+            required_together_params += required_together
+
+        self.module = AnsibleModule(
+            argument_spec=merged_arg_spec,
+            supports_check_mode=supports_check_mode,
+            mutually_exclusive=mutually_exclusive_params,
+            required_together=required_together_params,
+            required_if=required_if,
+            required_one_of=required_one_of,
+            required_by=required_by or {},
+        )
+
+        self.debug = self.module.params.get("debug")
+        self.check_mode = self.module.check_mode
+
+        super().__init__(
+            min_docker_version=min_docker_version,
+            min_docker_api_version=min_docker_api_version,
+        )
+
+        if option_minimal_versions is not None:
+            self._get_minimal_versions(
+                option_minimal_versions, option_minimal_versions_ignore_params
+            )
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        self.fail_results.update(kwargs)
+        self.module.fail_json(msg=msg, **sanitize_result(self.fail_results))
+
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        self.module.deprecate(
+            msg, version=version, date=date, collection_name=collection_name
+        )
+
+    def _get_params(self) -> dict[str, t.Any]:
+        return self.module.params
+
+    def _get_minimal_versions(
+        self,
+        option_minimal_versions: dict[str, t.Any],
+        ignore_params: Sequence[str] | None = None,
+    ) -> None:
+        self.option_minimal_versions: dict[str, dict[str, t.Any]] = {}
+        for option in self.module.argument_spec:
+            if ignore_params is not None and option in ignore_params:
+                continue
+            self.option_minimal_versions[option] = {}
+        self.option_minimal_versions.update(option_minimal_versions)
+
+        for option, data in self.option_minimal_versions.items():
+            # Test whether option is supported, and store result
+            support_docker_py = True
+            support_docker_api = True
+            if "docker_py_version" in data:
+                support_docker_py = self.docker_py_version >= LooseVersion(
+                    data["docker_py_version"]
+                )
+            if "docker_api_version" in data:
+                support_docker_api = self.docker_api_version >= LooseVersion(
+                    data["docker_api_version"]
+                )
+            data["supported"] = support_docker_py and support_docker_api
+            # Fail if option is not supported but used
+            if not data["supported"]:
+                # Test whether option is specified
+                if "detect_usage" in data:
+                    used = data["detect_usage"](self)
+                else:
+                    used = self.module.params.get(option) is not None
+                    if used and "default" in self.module.argument_spec[option]:
+                        used = (
+                            self.module.params[option]
+                            != self.module.argument_spec[option]["default"]
+                        )
+                if used:
+                    # If the option is used, compose error message.
+                    if "usage_msg" in data:
+                        usg = data["usage_msg"]
+                    else:
+                        usg = f"set {option} option"
+                    if not support_docker_api:
+                        msg = f"Docker API version is {self.docker_api_version_str}. Minimum version required is {data['docker_api_version']} to {usg}."
+                    elif not support_docker_py:
+                        msg = (
+                            f"Docker SDK for Python version is {docker_version} ({platform.node()}'s Python {sys.executable})."
+                            f" Minimum version required is {data['docker_py_version']} to {usg}. {DOCKERPYUPGRADE_UPGRADE_DOCKER}"
+                        )
+                    else:
+                        # should not happen
+                        msg = f"Cannot {usg} with your configuration."
+                    self.fail(msg)
+
+    def report_warnings(
+        self, result: t.Any, warnings_key: Sequence[str] | None = None
+    ) -> None:
+        """
+        Checks result of client operation for warnings, and if present, outputs them.
+
+        warnings_key should be a list of keys used to crawl the result dictionary.
+        For example, if warnings_key == ['a', 'b'], the function will consider
+        result['a']['b'] if these keys exist. If the result is a non-empty string, it
+        will be reported as a warning. If the result is a list, every entry will be
+        reported as a warning.
+
+        In most cases (if warnings are returned at all), warnings_key should be
+        ['Warnings'] or ['Warning']. The default value (if not specified) is ['Warnings'].
+        """
+        if warnings_key is None:
+            warnings_key = ["Warnings"]
+        for key in warnings_key:
+            if not isinstance(result, Mapping):
+                return
+            result = result.get(key)
+        if isinstance(result, Sequence):
+            for warning in result:
+                self.module.warn(f"Docker warning: {warning}")
+        elif isinstance(result, str) and result:
+            self.module.warn(f"Docker warning: {result}")
diff --git a/ansible_collections/community/docker/plugins/module_utils/_common_api.py b/ansible_collections/community/docker/plugins/module_utils/_common_api.py
new file mode 100644
index 00000000..d93e82d7
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_common_api.py
@@ -0,0 +1,729 @@
+# Copyright 2016 Red Hat | Ansible
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import abc
+import os
+import re
+import typing as t
+from collections.abc import Mapping, Sequence
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+from ansible.module_utils.parsing.convert_bool import BOOLEANS_FALSE, BOOLEANS_TRUE
+
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+try:
+    from requests.exceptions import (  # noqa: F401, pylint: disable=unused-import
+        RequestException,
+        SSLError,
+    )
+except ImportError:
+    # Define an exception class RequestException so that our code does not break.
+    class RequestException(Exception):  # type: ignore
+        pass
+
+
+from ansible_collections.community.docker.plugins.module_utils._api import auth
+from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+    APIClient as Client,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    MissingRequirementException,
+    NotFound,
+    TLSParameterError,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.tls import TLSConfig
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    convert_filters,
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DEFAULT_DOCKER_HOST,
+    DEFAULT_TIMEOUT_SECONDS,
+    DEFAULT_TLS,
+    DEFAULT_TLS_VERIFY,
+    DOCKER_COMMON_ARGS,
+    DOCKER_MUTUALLY_EXCLUSIVE,
+    DOCKER_REQUIRED_TOGETHER,
+    sanitize_result,
+    update_tls_hostname,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+
+def _get_tls_config(
+    fail_function: Callable[[str], t.NoReturn], **kwargs: t.Any
+) -> TLSConfig:
+    try:
+        return TLSConfig(**kwargs)
+    except TLSParameterError as exc:
+        fail_function(f"TLS config error: {exc}")
+
+
+def is_using_tls(auth_data: dict[str, t.Any]) -> bool:
+    return auth_data["tls_verify"] or auth_data["tls"]
+
+
+def get_connect_params(
+    auth_data: dict[str, t.Any], fail_function: Callable[[str], t.NoReturn]
+) -> dict[str, t.Any]:
+    if is_using_tls(auth_data):
+        auth_data["docker_host"] = auth_data["docker_host"].replace(
+            "tcp://", "https://"
+        )
+
+    result = {
+        "base_url": auth_data["docker_host"],
+        "version": auth_data["api_version"],
+        "timeout": auth_data["timeout"],
+    }
+
+    if auth_data["tls_verify"]:
+        # TLS with verification
+        tls_config = {
+            "verify": True,
+            "assert_hostname": auth_data["tls_hostname"],
+            "fail_function": fail_function,
+        }
+        if auth_data["cert_path"] and auth_data["key_path"]:
+            tls_config["client_cert"] = (auth_data["cert_path"], auth_data["key_path"])
+        if auth_data["cacert_path"]:
+            tls_config["ca_cert"] = auth_data["cacert_path"]
+        result["tls"] = _get_tls_config(**tls_config)
+    elif auth_data["tls"]:
+        # TLS without verification
+        tls_config = {
+            "verify": False,
+            "fail_function": fail_function,
+        }
+        if auth_data["cert_path"] and auth_data["key_path"]:
+            tls_config["client_cert"] = (auth_data["cert_path"], auth_data["key_path"])
+        result["tls"] = _get_tls_config(**tls_config)
+
+    if auth_data.get("use_ssh_client"):
+        result["use_ssh_client"] = True
+
+    # No TLS
+    return result
+
+
+class AnsibleDockerClientBase(Client):
+    def __init__(self, min_docker_api_version: str | None = None) -> None:
+        self._connect_params = get_connect_params(
+            self.auth_params, fail_function=self.fail
+        )
+
+        try:
+            super().__init__(**self._connect_params)
+            self.docker_api_version_str = self.api_version
+        except MissingRequirementException as exc:
+            self.fail(
+                missing_required_lib(exc.requirement), exception=exc.import_exception
+            )
+        except APIError as exc:
+            self.fail(f"Docker API error: {exc}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error connecting: {exc}")
+
+        self.docker_api_version = LooseVersion(self.docker_api_version_str)
+        min_docker_api_version = min_docker_api_version or "1.25"
+        if self.docker_api_version < LooseVersion(min_docker_api_version):
+            self.fail(
+                f"Docker API version is {self.docker_api_version_str}. Minimum version required is {min_docker_api_version}."
+            )
+
+    def log(self, msg: t.Any, pretty_print: bool = False) -> None:
+        pass
+        # if self.debug:
+        #     from .util import log_debug
+        #     log_debug(msg, pretty_print=pretty_print)
+
+    @abc.abstractmethod
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        pass
+
+    @abc.abstractmethod
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        pass
+
+    @staticmethod
+    def _get_value(
+        param_name: str,
+        param_value: t.Any,
+        env_variable: str | None,
+        default_value: t.Any | None,
+        value_type: t.Literal["str", "bool", "int"] = "str",
+    ) -> t.Any:
+        if param_value is not None:
+            # take module parameter value
+            if value_type == "bool":
+                if param_value in BOOLEANS_TRUE:
+                    return True
+                if param_value in BOOLEANS_FALSE:
+                    return False
+                return bool(param_value)
+            if value_type == "int":
+                return int(param_value)
+            return param_value
+
+        if env_variable is not None:
+            env_value = os.environ.get(env_variable)
+            if env_value is not None:
+                # take the env variable value
+                if param_name == "cert_path":
+                    return os.path.join(env_value, "cert.pem")
+                if param_name == "cacert_path":
+                    return os.path.join(env_value, "ca.pem")
+                if param_name == "key_path":
+                    return os.path.join(env_value, "key.pem")
+                if value_type == "bool":
+                    if env_value in BOOLEANS_TRUE:
+                        return True
+                    if env_value in BOOLEANS_FALSE:
+                        return False
+                    return bool(env_value)
+                if value_type == "int":
+                    return int(env_value)
+                return env_value
+
+        # take the default
+        return default_value
+
+    @abc.abstractmethod
+    def _get_params(self) -> dict[str, t.Any]:
+        pass
+
+    @property
+    def auth_params(self) -> dict[str, t.Any]:
+        # Get authentication credentials.
+        # Precedence: module parameters-> environment variables-> defaults.
+
+        self.log("Getting credentials")
+
+        client_params = self._get_params()
+
+        params = {}
+        for key in DOCKER_COMMON_ARGS:
+            params[key] = client_params.get(key)
+
+        result = {
+            "docker_host": self._get_value(
+                "docker_host",
+                params["docker_host"],
+                "DOCKER_HOST",
+                DEFAULT_DOCKER_HOST,
+                value_type="str",
+            ),
+            "tls_hostname": self._get_value(
+                "tls_hostname",
+                params["tls_hostname"],
+                "DOCKER_TLS_HOSTNAME",
+                None,
+                value_type="str",
+            ),
+            "api_version": self._get_value(
+                "api_version",
+                params["api_version"],
+                "DOCKER_API_VERSION",
+                "auto",
+                value_type="str",
+            ),
+            "cacert_path": self._get_value(
+                "cacert_path",
+                params["ca_path"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "cert_path": self._get_value(
+                "cert_path",
+                params["client_cert"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "key_path": self._get_value(
+                "key_path",
+                params["client_key"],
+                "DOCKER_CERT_PATH",
+                None,
+                value_type="str",
+            ),
+            "tls": self._get_value(
+                "tls", params["tls"], "DOCKER_TLS", DEFAULT_TLS, value_type="bool"
+            ),
+            "tls_verify": self._get_value(
+                "validate_certs",
+                params["validate_certs"],
+                "DOCKER_TLS_VERIFY",
+                DEFAULT_TLS_VERIFY,
+                value_type="bool",
+            ),
+            "timeout": self._get_value(
+                "timeout",
+                params["timeout"],
+                "DOCKER_TIMEOUT",
+                DEFAULT_TIMEOUT_SECONDS,
+                value_type="int",
+            ),
+            "use_ssh_client": self._get_value(
+                "use_ssh_client",
+                params["use_ssh_client"],
+                None,
+                False,
+                value_type="bool",
+            ),
+        }
+
+        def depr(*args: t.Any, **kwargs: t.Any) -> None:
+            self.deprecate(*args, **kwargs)
+
+        update_tls_hostname(
+            result,
+            old_behavior=True,
+            deprecate_function=depr,
+            uses_tls=is_using_tls(result),
+        )
+
+        return result
+
+    def _handle_ssl_error(self, error: Exception) -> t.NoReturn:
+        match = re.match(r"hostname.*doesn\'t match (\'.*\')", str(error))
+        if match:
+            hostname = self.auth_params["tls_hostname"]
+            self.fail(
+                f"You asked for verification that Docker daemons certificate's hostname matches {hostname}. "
+                f"The actual certificate's hostname is {match.group(1)}. Most likely you need to set DOCKER_TLS_HOSTNAME "
+                f"or pass `tls_hostname` with a value of {match.group(1)}. You may also use TLS without verification by "
+                "setting the `tls` parameter to true."
+            )
+        self.fail(f"SSL Exception: {error}")
+
+    def get_container_by_id(self, container_id: str) -> dict[str, t.Any] | None:
+        try:
+            self.log(f"Inspecting container Id {container_id}")
+            result = self.get_json("/containers/{0}/json", container_id)
+            self.log("Completed container inspection")
+            return result
+        except NotFound:
+            return None
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error inspecting container: {exc}")
+
+    def get_container(self, name: str | None) -> dict[str, t.Any] | None:
+        """
+        Lookup a container and return the inspection results.
+        """
+        if name is None:
+            return None
+
+        search_name = name
+        if not name.startswith("/"):
+            search_name = "/" + name
+
+        result = None
+        try:
+            params = {
+                "limit": -1,
+                "all": 1,
+                "size": 0,
+                "trunc_cmd": 0,
+            }
+            containers = self.get_json("/containers/json", params=params)
+            for container in containers:
+                self.log(f"testing container: {container['Names']}")
+                if (
+                    isinstance(container["Names"], list)
+                    and search_name in container["Names"]
+                ):
+                    result = container
+                    break
+                if container["Id"].startswith(name):
+                    result = container
+                    break
+                if container["Id"] == name:
+                    result = container
+                    break
+        except SSLError as exc:
+            self._handle_ssl_error(exc)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error retrieving container list: {exc}")
+
+        if result is None:
+            return None
+
+        return self.get_container_by_id(result["Id"])
+
+    def get_network(
+        self, name: str | None = None, network_id: str | None = None
+    ) -> dict[str, t.Any] | None:
+        """
+        Lookup a network and return the inspection results.
+        """
+        if name is None and network_id is None:
+            return None
+
+        result = None
+
+        if network_id is None:
+            try:
+                networks = self.get_json("/networks")
+                for network in networks:
+                    self.log(f"testing network: {network['Name']}")
+                    if name == network["Name"]:
+                        result = network
+                        break
+                    if network["Id"].startswith(name):
+                        result = network
+                        break
+            except SSLError as exc:
+                self._handle_ssl_error(exc)
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error retrieving network list: {exc}")
+
+        if result is not None:
+            network_id = result["Id"]
+
+        if network_id is not None:
+            try:
+                self.log(f"Inspecting network Id {network_id}")
+                result = self.get_json("/networks/{0}", network_id)
+                self.log("Completed network inspection")
+            except NotFound:
+                return None
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error inspecting network: {exc}")
+
+        return result
+
+    def _image_lookup(self, name: str, tag: str | None) -> list[dict[str, t.Any]]:
+        """
+        Including a tag in the name parameter sent to the Docker SDK for Python images method
+        does not work consistently. Instead, get the result set for name and manually check
+        if the tag exists.
+        """
+        try:
+            params: dict[str, t.Any] = {
+                "only_ids": 0,
+                "all": 0,
+            }
+            if LooseVersion(self.api_version) < LooseVersion("1.25"):
+                # only use "filter" on API 1.24 and under, as it is deprecated
+                params["filter"] = name
+            else:
+                params["filters"] = convert_filters({"reference": name})
+            images = self.get_json("/images/json", params=params)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error searching for image {name} - {exc}")
+        if tag:
+            lookup = f"{name}:{tag}"
+            lookup_digest = f"{name}@{tag}"
+            response = images
+            images = []
+            for image in response:
+                tags = image.get("RepoTags")
+                digests = image.get("RepoDigests")
+                if (tags and lookup in tags) or (digests and lookup_digest in digests):
+                    images = [image]
+                    break
+        return images
+
+    def find_image(self, name: str, tag: str | None) -> dict[str, t.Any] | None:
+        """
+        Lookup an image (by name and tag) and return the inspection results.
+        """
+        if not name:
+            return None
+
+        self.log(f"Find image {name}:{tag}")
+        images = self._image_lookup(name, tag)
+        if not images:
+            # In API <= 1.20 seeing 'docker.io/<name>' as the name of images pulled from docker hub
+            registry, repo_name = auth.resolve_repository_name(name)
+            if registry == "docker.io":
+                # If docker.io is explicitly there in name, the image
+                # is not found in some cases (#41509)
+                self.log(f"Check for docker.io image: {repo_name}")
+                images = self._image_lookup(repo_name, tag)
+                if not images and repo_name.startswith("library/"):
+                    # Sometimes library/xxx images are not found
+                    lookup = repo_name[len("library/") :]
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+                if not images:
+                    # Last case for some Docker versions: if docker.io was not there,
+                    # it can be that the image was not found either
+                    # (https://github.com/ansible/ansible/pull/15586)
+                    lookup = f"{registry}/{repo_name}"
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+                if not images and "/" not in repo_name:
+                    # This seems to be happening with podman-docker
+                    # (https://github.com/ansible-collections/community.docker/issues/291)
+                    lookup = f"{registry}/library/{repo_name}"
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+
+        if len(images) > 1:
+            self.fail(f"Daemon returned more than one result for {name}:{tag}")
+
+        if len(images) == 1:
+            try:
+                return self.get_json("/images/{0}/json", images[0]["Id"])
+            except NotFound:
+                self.log(f"Image {name}:{tag} not found.")
+                return None
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error inspecting image {name}:{tag} - {exc}")
+
+        self.log(f"Image {name}:{tag} not found.")
+        return None
+
+    def find_image_by_id(
+        self, image_id: str, accept_missing_image: bool = False
+    ) -> dict[str, t.Any] | None:
+        """
+        Lookup an image (by ID) and return the inspection results.
+        """
+        if not image_id:
+            return None
+
+        self.log(f"Find image {image_id} (by ID)")
+        try:
+            return self.get_json("/images/{0}/json", image_id)
+        except NotFound as exc:
+            if not accept_missing_image:
+                self.fail(f"Error inspecting image ID {image_id} - {exc}")
+            self.log(f"Image {image_id} not found.")
+            return None
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error inspecting image ID {image_id} - {exc}")
+
+    @staticmethod
+    def _compare_images(
+        img1: dict[str, t.Any] | None, img2: dict[str, t.Any] | None
+    ) -> bool:
+        if img1 is None or img2 is None:
+            return img1 == img2
+        filter_keys = {"Metadata"}
+        img1_filtered = {k: v for k, v in img1.items() if k not in filter_keys}
+        img2_filtered = {k: v for k, v in img2.items() if k not in filter_keys}
+        return img1_filtered == img2_filtered
+
+    def pull_image(
+        self, name: str, tag: str = "latest", image_platform: str | None = None
+    ) -> tuple[dict[str, t.Any] | None, bool]:
+        """
+        Pull an image
+        """
+        self.log(f"Pulling image {name}:{tag}")
+        old_image = self.find_image(name, tag)
+        try:
+            repository, image_tag = parse_repository_tag(name)
+            registry, dummy_repo_name = auth.resolve_repository_name(repository)
+            params = {
+                "tag": tag or image_tag or "latest",
+                "fromImage": repository,
+            }
+            if image_platform is not None:
+                params["platform"] = image_platform
+
+            headers = {}
+            header = auth.get_config_header(self, registry)
+            if header:
+                headers["X-Registry-Auth"] = header
+
+            response = self._post(
+                self._url("/images/create"),
+                params=params,
+                headers=headers,
+                stream=True,
+                timeout=None,
+            )
+            self._raise_for_status(response)
+            for line in self._stream_helper(response, decode=True):
+                self.log(line, pretty_print=True)
+                if line.get("error"):
+                    if line.get("errorDetail"):
+                        error_detail = line.get("errorDetail")
+                        self.fail(
+                            f"Error pulling {name} - code: {error_detail.get('code')} message: {error_detail.get('message')}"
+                        )
+                    else:
+                        self.fail(f"Error pulling {name} - {line.get('error')}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error pulling image {name}:{tag} - {exc}")
+
+        new_image = self.find_image(name, tag)
+
+        return new_image, self._compare_images(old_image, new_image)
+
+
+class AnsibleDockerClient(AnsibleDockerClientBase):
+    def __init__(
+        self,
+        argument_spec: dict[str, t.Any] | None = None,
+        supports_check_mode: bool = False,
+        mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        required_together: Sequence[Sequence[str]] | None = None,
+        required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        required_one_of: Sequence[Sequence[str]] | None = None,
+        required_by: dict[str, Sequence[str]] | None = None,
+        min_docker_api_version: str | None = None,
+        option_minimal_versions: dict[str, t.Any] | None = None,
+        option_minimal_versions_ignore_params: Sequence[str] | None = None,
+        fail_results: dict[str, t.Any] | None = None,
+    ):
+        # Modules can put information in here which will always be returned
+        # in case client.fail() is called.
+        self.fail_results = fail_results or {}
+
+        merged_arg_spec = {}
+        merged_arg_spec.update(DOCKER_COMMON_ARGS)
+        if argument_spec:
+            merged_arg_spec.update(argument_spec)
+            self.arg_spec = merged_arg_spec
+
+        mutually_exclusive_params: list[Sequence[str]] = []
+        mutually_exclusive_params += DOCKER_MUTUALLY_EXCLUSIVE
+        if mutually_exclusive:
+            mutually_exclusive_params += mutually_exclusive
+
+        required_together_params: list[Sequence[str]] = []
+        required_together_params += DOCKER_REQUIRED_TOGETHER
+        if required_together:
+            required_together_params += required_together
+
+        self.module = AnsibleModule(
+            argument_spec=merged_arg_spec,
+            supports_check_mode=supports_check_mode,
+            mutually_exclusive=mutually_exclusive_params,
+            required_together=required_together_params,
+            required_if=required_if,
+            required_one_of=required_one_of,
+            required_by=required_by or {},
+        )
+
+        self.debug = self.module.params.get("debug")
+        self.check_mode = self.module.check_mode
+
+        super().__init__(min_docker_api_version=min_docker_api_version)
+
+        if option_minimal_versions is not None:
+            self._get_minimal_versions(
+                option_minimal_versions, option_minimal_versions_ignore_params
+            )
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        self.fail_results.update(kwargs)
+        self.module.fail_json(msg=msg, **sanitize_result(self.fail_results))
+
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        self.module.deprecate(
+            msg, version=version, date=date, collection_name=collection_name
+        )
+
+    def _get_params(self) -> dict[str, t.Any]:
+        return self.module.params
+
+    def _get_minimal_versions(
+        self,
+        option_minimal_versions: dict[str, t.Any],
+        ignore_params: Sequence[str] | None = None,
+    ) -> None:
+        self.option_minimal_versions: dict[str, dict[str, t.Any]] = {}
+        for option in self.module.argument_spec:
+            if ignore_params is not None and option in ignore_params:
+                continue
+            self.option_minimal_versions[option] = {}
+        self.option_minimal_versions.update(option_minimal_versions)
+
+        for option, data in self.option_minimal_versions.items():
+            # Test whether option is supported, and store result
+            support_docker_api = True
+            if "docker_api_version" in data:
+                support_docker_api = self.docker_api_version >= LooseVersion(
+                    data["docker_api_version"]
+                )
+            data["supported"] = support_docker_api
+            # Fail if option is not supported but used
+            if not data["supported"]:
+                # Test whether option is specified
+                if "detect_usage" in data:
+                    used = data["detect_usage"](self)
+                else:
+                    used = self.module.params.get(option) is not None
+                    if used and "default" in self.module.argument_spec[option]:
+                        used = (
+                            self.module.params[option]
+                            != self.module.argument_spec[option]["default"]
+                        )
+                if used:
+                    # If the option is used, compose error message.
+                    if "usage_msg" in data:
+                        usg = data["usage_msg"]
+                    else:
+                        usg = f"set {option} option"
+                    if not support_docker_api:
+                        msg = f"Docker API version is {self.docker_api_version_str}. Minimum version required is {data['docker_api_version']} to {usg}."
+                    else:
+                        # should not happen
+                        msg = f"Cannot {usg} with your configuration."
+                    self.fail(msg)
+
+    def report_warnings(
+        self, result: t.Any, warnings_key: Sequence[str] | None = None
+    ) -> None:
+        """
+        Checks result of client operation for warnings, and if present, outputs them.
+
+        warnings_key should be a list of keys used to crawl the result dictionary.
+        For example, if warnings_key == ['a', 'b'], the function will consider
+        result['a']['b'] if these keys exist. If the result is a non-empty string, it
+        will be reported as a warning. If the result is a list, every entry will be
+        reported as a warning.
+
+        In most cases (if warnings are returned at all), warnings_key should be
+        ['Warnings'] or ['Warning']. The default value (if not specified) is ['Warnings'].
+        """
+        if warnings_key is None:
+            warnings_key = ["Warnings"]
+        for key in warnings_key:
+            if not isinstance(result, Mapping):
+                return
+            result = result.get(key)
+        if isinstance(result, Sequence):
+            for warning in result:
+                self.module.warn(f"Docker warning: {warning}")
+        elif isinstance(result, str) and result:
+            self.module.warn(f"Docker warning: {result}")
diff --git a/ansible_collections/community/docker/plugins/module_utils/_common_cli.py b/ansible_collections/community/docker/plugins/module_utils/_common_cli.py
new file mode 100644
index 00000000..0b2a1f25
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_common_cli.py
@@ -0,0 +1,489 @@
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import abc
+import json
+import shlex
+import typing as t
+
+from ansible.module_utils.basic import AnsibleModule, env_fallback
+from ansible.module_utils.common.process import get_bin_path
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.auth import (
+    resolve_repository_name,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DEFAULT_DOCKER_HOST,
+    DEFAULT_TLS,
+    DEFAULT_TLS_VERIFY,
+    DOCKER_MUTUALLY_EXCLUSIVE,
+    DOCKER_REQUIRED_TOGETHER,
+    sanitize_result,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Mapping, Sequence
+
+
+DOCKER_COMMON_ARGS = {
+    "docker_cli": {"type": "path"},
+    "docker_host": {
+        "type": "str",
+        "fallback": (env_fallback, ["DOCKER_HOST"]),
+        "aliases": ["docker_url"],
+    },
+    "tls_hostname": {
+        "type": "str",
+        "fallback": (env_fallback, ["DOCKER_TLS_HOSTNAME"]),
+    },
+    "api_version": {
+        "type": "str",
+        "default": "auto",
+        "fallback": (env_fallback, ["DOCKER_API_VERSION"]),
+        "aliases": ["docker_api_version"],
+    },
+    "ca_path": {"type": "path", "aliases": ["ca_cert", "tls_ca_cert", "cacert_path"]},
+    "client_cert": {"type": "path", "aliases": ["tls_client_cert", "cert_path"]},
+    "client_key": {"type": "path", "aliases": ["tls_client_key", "key_path"]},
+    "tls": {
+        "type": "bool",
+        "default": DEFAULT_TLS,
+        "fallback": (env_fallback, ["DOCKER_TLS"]),
+    },
+    "validate_certs": {
+        "type": "bool",
+        "default": DEFAULT_TLS_VERIFY,
+        "fallback": (env_fallback, ["DOCKER_TLS_VERIFY"]),
+        "aliases": ["tls_verify"],
+    },
+    # "debug": {"type": "bool", "default: False},
+    "cli_context": {"type": "str"},
+}
+
+
+class DockerException(Exception):
+    pass
+
+
+class AnsibleDockerClientBase:
+    docker_api_version_str: str | None
+    docker_api_version: LooseVersion | None
+
+    def __init__(
+        self,
+        common_args: dict[str, t.Any],
+        min_docker_api_version: str | None = None,
+        needs_api_version: bool = True,
+    ) -> None:
+        self._environment: dict[str, str] = {}
+        if common_args["tls_hostname"]:
+            self._environment["DOCKER_TLS_HOSTNAME"] = common_args["tls_hostname"]
+        if common_args["api_version"] and common_args["api_version"] != "auto":
+            self._environment["DOCKER_API_VERSION"] = common_args["api_version"]
+        cli = common_args.get("docker_cli")
+        if cli is None:
+            try:
+                cli = get_bin_path("docker")
+            except ValueError:
+                self.fail(
+                    "Cannot find docker CLI in path. Please provide it explicitly with the docker_cli parameter"
+                )
+        self._cli = cli
+        self._cli_base = [self._cli]
+        docker_host = common_args["docker_host"]
+        if not docker_host and not common_args["cli_context"]:
+            docker_host = DEFAULT_DOCKER_HOST
+        if docker_host:
+            self._cli_base.extend(["--host", docker_host])
+        if common_args["validate_certs"]:
+            self._cli_base.append("--tlsverify")
+        elif common_args["tls"]:
+            self._cli_base.append("--tls")
+        if common_args["ca_path"]:
+            self._cli_base.extend(["--tlscacert", common_args["ca_path"]])
+        if common_args["client_cert"]:
+            self._cli_base.extend(["--tlscert", common_args["client_cert"]])
+        if common_args["client_key"]:
+            self._cli_base.extend(["--tlskey", common_args["client_key"]])
+        if common_args["cli_context"]:
+            self._cli_base.extend(["--context", common_args["cli_context"]])
+
+        # `--format json` was only added as a shorthand for `--format {{ json . }}` in Docker 23.0
+        dummy, self._version, dummy2 = self.call_cli_json(
+            "version", "--format", "{{ json . }}", check_rc=True
+        )
+        self._info: dict[str, t.Any] | None = None
+
+        if needs_api_version:
+            api_version_string = self._version["Server"].get(
+                "ApiVersion"
+            ) or self._version["Server"].get("APIVersion")
+            if not isinstance(self._version.get("Server"), dict) or not isinstance(
+                api_version_string, str
+            ):
+                self.fail(
+                    "Cannot determine Docker Daemon information. Are you maybe using podman instead of docker?"
+                )
+            self.docker_api_version_str = to_text(api_version_string)
+            self.docker_api_version = LooseVersion(self.docker_api_version_str)
+            min_docker_api_version = min_docker_api_version or "1.25"
+            if self.docker_api_version < LooseVersion(min_docker_api_version):
+                self.fail(
+                    f"Docker API version is {self.docker_api_version_str}. Minimum version required is {min_docker_api_version}."
+                )
+        else:
+            self.docker_api_version_str = None
+            self.docker_api_version = None
+            if min_docker_api_version is not None:
+                self.fail(
+                    "Internal error: cannot have needs_api_version=False with min_docker_api_version not None"
+                )
+
+    def log(self, msg: str, pretty_print: bool = False) -> None:
+        pass
+        # if self.debug:
+        #     from .util import log_debug
+        #     log_debug(msg, pretty_print=pretty_print)
+
+    def get_cli(self) -> str:
+        return self._cli
+
+    def get_version_info(self) -> str:
+        return self._version
+
+    def _compose_cmd(self, args: t.Sequence[str]) -> list[str]:
+        return self._cli_base + list(args)
+
+    def _compose_cmd_str(self, args: t.Sequence[str]) -> str:
+        return " ".join(shlex.quote(a) for a in self._compose_cmd(args))
+
+    @abc.abstractmethod
+    def call_cli(
+        self,
+        *args: str,
+        check_rc: bool = False,
+        data: bytes | None = None,
+        cwd: str | None = None,
+        environ_update: dict[str, str] | None = None,
+    ) -> tuple[int, bytes, bytes]:
+        pass
+
+    def call_cli_json(
+        self,
+        *args: str,
+        check_rc: bool = False,
+        data: bytes | None = None,
+        cwd: str | None = None,
+        environ_update: dict[str, str] | None = None,
+        warn_on_stderr: bool = False,
+    ) -> tuple[int, t.Any, bytes]:
+        rc, stdout, stderr = self.call_cli(
+            *args, check_rc=check_rc, data=data, cwd=cwd, environ_update=environ_update
+        )
+        if warn_on_stderr and stderr:
+            self.warn(to_text(stderr))
+        try:
+            data = json.loads(stdout)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(
+                f"Error while parsing JSON output of {self._compose_cmd_str(args)}: {exc}\nJSON output: {to_text(stdout)}\n\nError output:\n{to_text(stderr)}",
+                cmd=self._compose_cmd_str(args),
+                rc=rc,
+                stdout=stdout,
+                stderr=stderr,
+            )
+        return rc, data, stderr
+
+    def call_cli_json_stream(
+        self,
+        *args: str,
+        check_rc: bool = False,
+        data: bytes | None = None,
+        cwd: str | None = None,
+        environ_update: dict[str, str] | None = None,
+        warn_on_stderr: bool = False,
+    ) -> tuple[int, list[t.Any], bytes]:
+        rc, stdout, stderr = self.call_cli(
+            *args, check_rc=check_rc, data=data, cwd=cwd, environ_update=environ_update
+        )
+        if warn_on_stderr and stderr:
+            self.warn(to_text(stderr))
+        result = []
+        try:
+            for line in stdout.splitlines():
+                line = line.strip()
+                if line.startswith(b"{"):
+                    result.append(json.loads(line))
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(
+                f"Error while parsing JSON output of {self._compose_cmd_str(args)}: {exc}\nJSON output: {to_text(stdout)}\n\nError output:\n{to_text(stderr)}",
+                cmd=self._compose_cmd_str(args),
+                rc=rc,
+                stdout=stdout,
+                stderr=stderr,
+            )
+        return rc, result, stderr
+
+    @abc.abstractmethod
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        pass
+
+    @abc.abstractmethod
+    def warn(self, msg: str) -> None:
+        pass
+
+    @abc.abstractmethod
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        pass
+
+    def get_cli_info(self) -> dict[str, t.Any]:
+        if self._info is None:
+            dummy, self._info, dummy2 = self.call_cli_json(
+                "info", "--format", "{{ json . }}", check_rc=True
+            )
+        return self._info
+
+    def get_client_plugin_info(self, component: str) -> dict[str, t.Any] | None:
+        cli_info = self.get_cli_info()
+        if not isinstance(cli_info.get("ClientInfo"), dict):
+            self.fail(
+                "Cannot determine Docker client information. Are you maybe using podman instead of docker?"
+            )
+        for plugin in cli_info["ClientInfo"].get("Plugins") or []:
+            if plugin.get("Name") == component:
+                return plugin
+        return None
+
+    def _image_lookup(self, name: str, tag: str) -> list[dict[str, t.Any]]:
+        """
+        Including a tag in the name parameter sent to the Docker SDK for Python images method
+        does not work consistently. Instead, get the result set for name and manually check
+        if the tag exists.
+        """
+        dummy, images, dummy2 = self.call_cli_json_stream(
+            "image",
+            "ls",
+            "--format",
+            "{{ json . }}",
+            "--no-trunc",
+            "--filter",
+            f"reference={name}",
+            check_rc=True,
+        )
+        if tag:
+            response = images
+            images = []
+            for image in response:
+                if image.get("Tag") == tag or image.get("Digest") == tag:
+                    images = [image]
+                    break
+        return images
+
+    @t.overload
+    def find_image(self, name: None, tag: str) -> None: ...
+
+    @t.overload
+    def find_image(self, name: str, tag: str) -> dict[str, t.Any] | None: ...
+
+    def find_image(self, name: str | None, tag: str) -> dict[str, t.Any] | None:
+        """
+        Lookup an image (by name and tag) and return the inspection results.
+        """
+        if not name:
+            return None
+
+        self.log(f"Find image {name}:{tag}")
+        images = self._image_lookup(name, tag)
+        if not images:
+            # In API <= 1.20 seeing 'docker.io/<name>' as the name of images pulled from docker hub
+            registry, repo_name = resolve_repository_name(name)
+            if registry == "docker.io":
+                # If docker.io is explicitly there in name, the image
+                # is not found in some cases (#41509)
+                self.log(f"Check for docker.io image: {repo_name}")
+                images = self._image_lookup(repo_name, tag)
+                if not images and repo_name.startswith("library/"):
+                    # Sometimes library/xxx images are not found
+                    lookup = repo_name[len("library/") :]
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+                if not images:
+                    # Last case for some Docker versions: if docker.io was not there,
+                    # it can be that the image was not found either
+                    # (https://github.com/ansible/ansible/pull/15586)
+                    lookup = f"{registry}/{repo_name}"
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+                if not images and "/" not in repo_name:
+                    # This seems to be happening with podman-docker
+                    # (https://github.com/ansible-collections/community.docker/issues/291)
+                    lookup = f"{registry}/library/{repo_name}"
+                    self.log(f"Check for docker.io image: {lookup}")
+                    images = self._image_lookup(lookup, tag)
+
+        if len(images) > 1:
+            self.fail(f"Daemon returned more than one result for {name}:{tag}")
+
+        if len(images) == 1:
+            rc, image, stderr = self.call_cli_json("image", "inspect", images[0]["ID"])
+            if not image:
+                self.log(f"Image {name}:{tag} not found.")
+                return None
+            if rc != 0:
+                self.fail(f"Error inspecting image {name}:{tag} - {to_text(stderr)}")
+            return image[0]
+
+        self.log(f"Image {name}:{tag} not found.")
+        return None
+
+    @t.overload
+    def find_image_by_id(
+        self, image_id: None, accept_missing_image: bool = False
+    ) -> None: ...
+
+    @t.overload
+    def find_image_by_id(
+        self, image_id: str | None, accept_missing_image: bool = False
+    ) -> dict[str, t.Any] | None: ...
+
+    def find_image_by_id(
+        self, image_id: str | None, accept_missing_image: bool = False
+    ) -> dict[str, t.Any] | None:
+        """
+        Lookup an image (by ID) and return the inspection results.
+        """
+        if not image_id:
+            return None
+
+        self.log(f"Find image {image_id} (by ID)")
+        rc, image, stderr = self.call_cli_json("image", "inspect", image_id)
+        if not image:
+            if not accept_missing_image:
+                self.fail(f"Error inspecting image ID {image_id} - {to_text(stderr)}")
+            self.log(f"Image {image_id} not found.")
+            return None
+        if rc != 0:
+            self.fail(f"Error inspecting image ID {image_id} - {to_text(stderr)}")
+        return image[0]
+
+
+class AnsibleModuleDockerClient(AnsibleDockerClientBase):
+    def __init__(
+        self,
+        argument_spec: dict[str, t.Any] | None = None,
+        supports_check_mode: bool = False,
+        mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        required_together: Sequence[Sequence[str]] | None = None,
+        required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        required_one_of: Sequence[Sequence[str]] | None = None,
+        required_by: Mapping[str, Sequence[str]] | None = None,
+        min_docker_api_version: str | None = None,
+        fail_results: dict[str, t.Any] | None = None,
+        needs_api_version: bool = True,
+    ) -> None:
+        # Modules can put information in here which will always be returned
+        # in case client.fail() is called.
+        self.fail_results = fail_results or {}
+
+        merged_arg_spec = {}
+        merged_arg_spec.update(DOCKER_COMMON_ARGS)
+        if argument_spec:
+            merged_arg_spec.update(argument_spec)
+            self.arg_spec = merged_arg_spec
+
+        mutually_exclusive_params: list[Sequence[str]] = [
+            ("docker_host", "cli_context")
+        ]
+        mutually_exclusive_params += DOCKER_MUTUALLY_EXCLUSIVE
+        if mutually_exclusive:
+            mutually_exclusive_params += mutually_exclusive
+
+        required_together_params: list[Sequence[str]] = []
+        required_together_params += DOCKER_REQUIRED_TOGETHER
+        if required_together:
+            required_together_params += required_together
+
+        self.module = AnsibleModule(
+            argument_spec=merged_arg_spec,
+            supports_check_mode=supports_check_mode,
+            mutually_exclusive=mutually_exclusive_params,
+            required_together=required_together_params,
+            required_if=required_if,
+            required_one_of=required_one_of,
+            required_by=required_by or {},
+        )
+
+        self.debug = False  # self.module.params['debug']
+        self.check_mode = self.module.check_mode
+        self.diff = self.module._diff
+
+        common_args = dict((k, self.module.params[k]) for k in DOCKER_COMMON_ARGS)
+        super().__init__(
+            common_args,
+            min_docker_api_version=min_docker_api_version,
+            needs_api_version=needs_api_version,
+        )
+
+    def call_cli(
+        self,
+        *args: str,
+        check_rc: bool = False,
+        data: bytes | None = None,
+        cwd: str | None = None,
+        environ_update: dict[str, str] | None = None,
+    ) -> tuple[int, bytes, bytes]:
+        environment = self._environment.copy()
+        if environ_update:
+            environment.update(environ_update)
+        rc, stdout, stderr = self.module.run_command(
+            self._compose_cmd(args),
+            binary_data=True,
+            check_rc=check_rc,
+            cwd=cwd,
+            data=data,
+            encoding=None,
+            environ_update=environment,
+            expand_user_and_vars=False,
+            ignore_invalid_cwd=False,
+        )
+        return rc, stdout, stderr
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        self.fail_results.update(kwargs)
+        self.module.fail_json(msg=msg, **sanitize_result(self.fail_results))
+
+    def warn(self, msg: str) -> None:
+        self.module.warn(msg)
+
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        self.module.deprecate(
+            msg, version=version, date=date, collection_name=collection_name
+        )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_compose_v2.py b/ansible_collections/community/docker/plugins/module_utils/_compose_v2.py
new file mode 100644
index 00000000..82d703bb
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_compose_v2.py
@@ -0,0 +1,1024 @@
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# Copyright (c) 2023, Léo El Amri (@lel-amri)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import shutil
+import tempfile
+import traceback
+import typing as t
+from collections import namedtuple
+from shlex import quote
+
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._logfmt import (
+    InvalidLogFmt as _InvalidLogFmt,
+)
+from ansible_collections.community.docker.plugins.module_utils._logfmt import (
+    parse_line as _parse_logfmt_line,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+PYYAML_IMPORT_ERROR: None | str  # pylint: disable=invalid-name
+try:
+    import yaml
+
+    try:
+        # use C version if possible for speedup
+        from yaml import CSafeDumper as _SafeDumper
+    except ImportError:
+        from yaml import SafeDumper as _SafeDumper  # type: ignore
+except ImportError:
+    HAS_PYYAML = False
+    PYYAML_IMPORT_ERROR = traceback.format_exc()  # pylint: disable=invalid-name
+else:
+    HAS_PYYAML = True
+    PYYAML_IMPORT_ERROR = None  # pylint: disable=invalid-name
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable, Sequence
+
+    from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+        AnsibleModuleDockerClient as _Client,
+    )
+
+
+DOCKER_COMPOSE_FILES = (
+    "compose.yaml",
+    "compose.yml",
+    "docker-compose.yaml",
+    "docker-compose.yml",
+)
+
+DOCKER_STATUS_DONE = frozenset(
+    (
+        "Started",
+        "Healthy",
+        "Exited",
+        "Restarted",
+        "Running",
+        "Created",
+        "Stopped",
+        "Killed",
+        "Removed",
+        # An extra, specific to containers
+        "Recreated",
+        # Extras for pull events
+        "Pulled",
+        # Extras for built events
+        "Built",
+    )
+)
+DOCKER_STATUS_WORKING = frozenset(
+    (
+        "Creating",
+        "Starting",
+        "Restarting",
+        "Stopping",
+        "Killing",
+        "Removing",
+        # An extra, specific to containers
+        "Recreate",
+        # Extras for pull events
+        "Pulling",
+        # Extras for build start events
+        "Building",
+    )
+)
+DOCKER_STATUS_PULL = frozenset(
+    (
+        "Pulled",
+        "Pulling",
+    )
+)
+DOCKER_STATUS_BUILD = frozenset(
+    (
+        "Built",
+        "Building",
+    )
+)
+DOCKER_STATUS_ERROR = frozenset(("Error",))
+DOCKER_STATUS_WARNING = frozenset(("Warning",))
+DOCKER_STATUS_WAITING = frozenset(("Waiting",))
+DOCKER_STATUS = frozenset(
+    DOCKER_STATUS_DONE
+    | DOCKER_STATUS_WORKING
+    | DOCKER_STATUS_PULL
+    | DOCKER_STATUS_ERROR
+    | DOCKER_STATUS_WAITING
+)
+DOCKER_STATUS_AND_WARNING = frozenset(DOCKER_STATUS | DOCKER_STATUS_WARNING)
+
+DOCKER_PULL_PROGRESS_DONE = frozenset(
+    (
+        "Already exists",
+        "Download complete",
+        "Pull complete",
+    )
+)
+DOCKER_PULL_PROGRESS_WORKING_OLD = frozenset(
+    (
+        "Pulling fs layer",
+        "Waiting",
+        "Downloading",
+        "Verifying Checksum",
+        "Extracting",
+    )
+)
+DOCKER_PULL_PROGRESS_WORKING = frozenset(DOCKER_PULL_PROGRESS_WORKING_OLD | {"Working"})
+
+
+class ResourceType:
+    UNKNOWN = "unknown"
+    NETWORK = "network"
+    IMAGE = "image"
+    IMAGE_LAYER = "image-layer"
+    VOLUME = "volume"
+    CONTAINER = "container"
+    SERVICE = "service"
+
+    @classmethod
+    def from_docker_compose_event(cls, resource_type: str) -> t.Any:
+        return {
+            "Network": cls.NETWORK,
+            "Image": cls.IMAGE,
+            "Volume": cls.VOLUME,
+            "Container": cls.CONTAINER,
+            "Service": cls.SERVICE,
+        }[resource_type]
+
+
+Event = namedtuple("Event", ["resource_type", "resource_id", "status", "msg"])
+
+
+_DRY_RUN_MARKER = "DRY-RUN MODE -"
+
+_RE_RESOURCE_EVENT = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<resource_type>Network|Image|Volume|Container)"
+    r"\s+"
+    r"(?P<resource_id>\S+)"
+    r"\s+"
+    r"(?P<status>\S(?:|.*\S))"
+    r"\s*"
+    r"$"
+)
+
+_RE_PULL_EVENT = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<service>\S+)"
+    r"\s+"
+    f"(?P<status>{'|'.join(re.escape(status) for status in DOCKER_STATUS_PULL)})"
+    r"\s*"
+    r"$"
+)
+
+_DOCKER_PULL_PROGRESS_WD = sorted(
+    DOCKER_PULL_PROGRESS_DONE | DOCKER_PULL_PROGRESS_WORKING_OLD
+)
+
+_RE_PULL_PROGRESS = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<layer>\S+)"
+    r"\s+"
+    f"(?P<status>{'|'.join(re.escape(status) for status in _DOCKER_PULL_PROGRESS_WD)})"
+    r"\s*"
+    r"(?:|\s\[[^]]+\]\s+\S+\s*|\s+[0-9.kKmMgGbB]+/[0-9.kKmMgGbB]+\s*)"
+    r"$"
+)
+
+_RE_ERROR_EVENT = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<resource_id>\S+)"
+    r"\s+"
+    f"(?P<status>{'|'.join(re.escape(status) for status in DOCKER_STATUS_ERROR)})"
+    r"\s*"
+    r"(?P<msg>\S.*\S)?"
+    r"$"
+)
+
+_RE_WARNING_EVENT = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<resource_id>\S+)"
+    r"\s+"
+    f"(?P<status>{'|'.join(re.escape(status) for status in DOCKER_STATUS_WARNING)})"
+    r"\s*"
+    r"(?P<msg>\S.*\S)?"
+    r"$"
+)
+
+_RE_CONTINUE_EVENT = re.compile(r"^\s*(?P<resource_id>\S+)\s+-\s*(?P<msg>\S(?:|.*\S))$")
+
+_RE_SKIPPED_EVENT = re.compile(
+    r"^"
+    r"\s*"
+    r"(?P<resource_id>\S+)"
+    r"\s+"
+    r"Skipped(?: -"
+    r"\s*"
+    r"(?P<msg>\S(?:|.*\S))|\s*)"
+    r"$"
+)
+
+_RE_BUILD_START_EVENT = re.compile(r"^\s*build service\s+(?P<resource_id>\S+)$")
+
+_RE_BUILD_PROGRESS_EVENT = re.compile(r"^\s*==>\s+(?P<msg>.*)$")
+
+# The following needs to be kept in sync with the MINIMUM_VERSION compose_v2 docs fragment
+MINIMUM_COMPOSE_VERSION = "2.18.0"
+
+
+def _extract_event(
+    line: str, warn_function: Callable[[str], None] | None = None
+) -> tuple[Event | None, bool]:
+    match = _RE_RESOURCE_EVENT.match(line)
+    if match is not None:
+        status = match.group("status")
+        msg = None
+        if status not in DOCKER_STATUS:
+            status, msg = msg, status
+        return (
+            Event(
+                ResourceType.from_docker_compose_event(match.group("resource_type")),
+                match.group("resource_id"),
+                status,
+                msg,
+            ),
+            True,
+        )
+    match = _RE_PULL_EVENT.match(line)
+    if match:
+        return (
+            Event(
+                ResourceType.SERVICE,
+                match.group("service"),
+                match.group("status"),
+                None,
+            ),
+            True,
+        )
+    match = _RE_ERROR_EVENT.match(line)
+    if match:
+        return (
+            Event(
+                ResourceType.UNKNOWN,
+                match.group("resource_id"),
+                match.group("status"),
+                match.group("msg") or None,
+            ),
+            True,
+        )
+    match = _RE_WARNING_EVENT.match(line)
+    if match:
+        if warn_function:
+            if match.group("msg"):
+                msg = f"{match.group('resource_id')}: {match.group('msg')}"
+            else:
+                msg = f"Unspecified warning for {match.group('resource_id')}"
+            warn_function(msg)
+        return None, True
+    match = _RE_PULL_PROGRESS.match(line)
+    if match:
+        return (
+            Event(
+                ResourceType.IMAGE_LAYER,
+                match.group("layer"),
+                match.group("status"),
+                None,
+            ),
+            True,
+        )
+    match = _RE_SKIPPED_EVENT.match(line)
+    if match:
+        return (
+            Event(
+                ResourceType.UNKNOWN,
+                match.group("resource_id"),
+                "Skipped",
+                match.group("msg"),
+            ),
+            True,
+        )
+    match = _RE_BUILD_START_EVENT.match(line)
+    if match:
+        return (
+            Event(
+                ResourceType.SERVICE,
+                match.group("resource_id"),
+                "Building",
+                None,
+            ),
+            True,
+        )
+    return None, False
+
+
+def _extract_logfmt_event(
+    line: str, warn_function: Callable[[str], None] | None = None
+) -> tuple[Event | None, bool]:
+    try:
+        result = _parse_logfmt_line(line, logrus_mode=True)
+    except _InvalidLogFmt:
+        return None, False
+    if "time" not in result or "level" not in result or "msg" not in result:
+        return None, False
+    if result["level"] == "warning":
+        if warn_function:
+            warn_function(result["msg"])
+        return None, True
+    # TODO: no idea what to do with this
+    return None, False
+
+
+def _warn_missing_dry_run_prefix(
+    line: str,
+    warn_missing_dry_run_prefix: bool,
+    warn_function: Callable[[str], None] | None,
+) -> None:
+    if warn_missing_dry_run_prefix and warn_function:
+        # This could be a bug, a change of docker compose's output format, ...
+        # Tell the user to report it to us :-)
+        warn_function(
+            f"Event line is missing dry-run mode marker: {line!r}. Please check with the latest community.docker version,"
+            " and if the problem still happens there, please report this at "
+            "https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md"
+        )
+
+
+def _warn_unparsable_line(
+    line: str, warn_function: Callable[[str], None] | None
+) -> None:
+    # This could be a bug, a change of docker compose's output format, ...
+    # Tell the user to report it to us :-)
+    if warn_function:
+        warn_function(
+            f"Cannot parse event from line: {line!r}. Please check with the latest community.docker version,"
+            " and if the problem still happens there, please report this at "
+            "https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md"
+        )
+
+
+def _find_last_event_for(
+    events: list[Event], resource_id: str
+) -> tuple[int, Event] | None:
+    for index, event in enumerate(reversed(events)):
+        if event.resource_id == resource_id:
+            return len(events) - 1 - index, event
+    return None
+
+
+def _concat_event_msg(event: Event, append_msg: str) -> Event:
+    return Event(
+        event.resource_type,
+        event.resource_id,
+        event.status,
+        "\n".join(msg for msg in [event.msg, append_msg] if msg is not None),
+    )
+
+
+_JSON_LEVEL_TO_STATUS_MAP = {
+    "warning": "Warning",
+    "error": "Error",
+}
+
+
+def parse_json_events(
+    stderr: bytes, warn_function: Callable[[str], None] | None = None
+) -> list[Event]:
+    events = []
+    stderr_lines = stderr.splitlines()
+    if stderr_lines and stderr_lines[-1] == b"":
+        del stderr_lines[-1]
+    for line in stderr_lines:
+        line = line.strip()
+        if not line.startswith(b"{") or not line.endswith(b"}"):
+            if line.startswith(b"Warning: "):
+                # This is a bug in Compose that will get fixed by https://github.com/docker/compose/pull/11996
+                event = Event(
+                    ResourceType.UNKNOWN,
+                    None,
+                    "Warning",
+                    to_text(line[len(b"Warning: ") :]),
+                )
+                events.append(event)
+                continue
+            if warn_function:
+                warn_function(
+                    f"Cannot parse event from non-JSON line: {line!r}. Please check with the latest community.docker version,"
+                    " and if the problem still happens there, please report this at "
+                    "https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md"
+                )
+            continue
+        try:
+            line_data = json.loads(line)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            if warn_function:
+                warn_function(
+                    f"Cannot parse event from line: {line!r}: {exc}. Please check with the latest community.docker version,"
+                    " and if the problem still happens there, please report this at "
+                    "https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md"
+                )
+            continue
+        if line_data.get("tail"):
+            resource_type = ResourceType.UNKNOWN
+            msg = line_data.get("text")
+            status = "Error"
+            if isinstance(msg, str) and msg.lower().startswith("warning:"):
+                # For some reason, Writer.TailMsgf() is always used for errors *except* in one place,
+                # where its message is prepended with 'WARNING: ' (in pkg/compose/pull.go).
+                status = "Warning"
+                msg = msg[len("warning:") :].lstrip()
+            event = Event(
+                resource_type,
+                None,
+                status,
+                msg,
+            )
+        elif line_data.get("error"):
+            resource_type = ResourceType.UNKNOWN
+            event = Event(
+                resource_type,
+                line_data.get("id"),
+                "Error",
+                line_data.get("message"),
+            )
+        else:
+            resource_type = ResourceType.UNKNOWN
+            resource_id = line_data.get("id")
+            status = line_data.get("status")
+            text = line_data.get("text")
+            if resource_id == " " and text and text.startswith("build service "):
+                # Example:
+                # {"dry-run":true,"id":" ","text":"build service app"}
+                resource_id = "S" + text[len("build s") :]
+                text = "Building"
+            if (
+                isinstance(resource_id, str)
+                and resource_id.endswith("==>")
+                and text
+                and text.startswith("==> writing image ")
+            ):
+                # Example:
+                # {"dry-run":true,"id":"==>","text":"==> writing image dryRun-7d1043473d55bfa90e8530d35801d4e381bc69f0"}
+                # {"dry-run":true,"id":"ansible-docker-test-dc713f1f-container ==>","text":"==> writing image dryRun-5d9204268db1a73d57bbd24a25afbeacebe2bc02"}
+                # (The longer form happens since Docker Compose 2.39.0)
+                continue
+            if (
+                isinstance(resource_id, str)
+                and resource_id.endswith("==> ==>")
+                and text
+                and text.startswith("naming to ")
+            ):
+                # Example:
+                # {"dry-run":true,"id":"==> ==>","text":"naming to display-app"}
+                # {"dry-run":true,"id":"ansible-docker-test-dc713f1f-container ==> ==>","text":"naming to ansible-docker-test-dc713f1f-image"}
+                # (The longer form happens since Docker Compose 2.39.0)
+                continue
+            if (
+                status in ("Working", "Done")
+                and isinstance(line_data.get("parent_id"), str)
+                and line_data["parent_id"].startswith("Image ")
+            ):
+                # Compose 5.0.0+:
+                # {"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working"}
+                # {"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Done","percent":100}
+                resource_type = ResourceType.IMAGE_LAYER
+                resource_id = line_data["parent_id"][len("Image ") :]
+            elif isinstance(resource_id, str) and " " in resource_id:
+                resource_type_str, resource_id = resource_id.split(" ", 1)
+                try:
+                    resource_type = ResourceType.from_docker_compose_event(
+                        resource_type_str
+                    )
+                except KeyError:
+                    if warn_function:
+                        warn_function(
+                            f"Unknown resource type {resource_type_str!r} in line {line!r}. Please check with the latest community.docker version,"
+                            " and if the problem still happens there, please report this at "
+                            "https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md"
+                        )
+                    resource_type = ResourceType.UNKNOWN
+            elif text in DOCKER_STATUS_PULL:
+                resource_type = ResourceType.IMAGE
+                status, text = text, status
+            elif (
+                text in DOCKER_PULL_PROGRESS_DONE
+                or line_data.get("text") in DOCKER_PULL_PROGRESS_WORKING_OLD
+            ):
+                resource_type = ResourceType.IMAGE_LAYER
+                status, text = text, status
+            elif (
+                status is None
+                and isinstance(text, str)
+                and text.startswith("Skipped - ")
+            ):
+                status, text = text.split(" - ", 1)
+            elif (
+                line_data.get("level") in _JSON_LEVEL_TO_STATUS_MAP
+                and "msg" in line_data
+            ):
+                status = _JSON_LEVEL_TO_STATUS_MAP[line_data["level"]]
+                text = line_data["msg"]
+            if (
+                status not in DOCKER_STATUS_AND_WARNING
+                and text in DOCKER_STATUS_AND_WARNING
+            ):
+                status, text = text, status
+            event = Event(
+                resource_type,
+                resource_id,
+                status,
+                text,
+            )
+
+        events.append(event)
+    return events
+
+
+def parse_events(
+    stderr: bytes,
+    dry_run: bool = False,
+    warn_function: Callable[[str], None] | None = None,
+    nonzero_rc: bool = False,
+) -> list[Event]:
+    events = []
+    error_event = None
+    stderr_lines = stderr.splitlines()
+    if stderr_lines and stderr_lines[-1] == b"":
+        del stderr_lines[-1]
+    for index, line_b in enumerate(stderr_lines):
+        line = to_text(line_b.strip())
+        if not line:
+            continue
+        warn_missing_dry_run_prefix = False
+        if dry_run:
+            if line.startswith(_DRY_RUN_MARKER):
+                line = line[len(_DRY_RUN_MARKER) :].lstrip()
+            else:
+                warn_missing_dry_run_prefix = True
+        event, parsed = _extract_event(line, warn_function=warn_function)
+        if event is not None:
+            events.append(event)
+            if event.status in DOCKER_STATUS_ERROR:
+                error_event = event
+            else:
+                error_event = None
+            _warn_missing_dry_run_prefix(
+                line, warn_missing_dry_run_prefix, warn_function
+            )
+            continue
+        if parsed:
+            continue
+        match = _RE_BUILD_PROGRESS_EVENT.match(line)
+        if match:
+            # Ignore this
+            continue
+        match = _RE_CONTINUE_EVENT.match(line)
+        if match:
+            # Continuing an existing event
+            index_event = _find_last_event_for(events, match.group("resource_id"))
+            if index_event is not None:
+                index, event = index_event
+                events[index] = _concat_event_msg(event, match.group("msg"))
+        event, parsed = _extract_logfmt_event(line, warn_function=warn_function)
+        if event is not None:
+            events.append(event)
+        elif parsed:
+            continue
+        if error_event is not None:
+            # Unparsable line that apparently belongs to the previous error event
+            events[-1] = _concat_event_msg(error_event, line)
+            continue
+        if line.startswith("Error "):
+            # Error message that is independent of an error event
+            error_event = Event(
+                ResourceType.UNKNOWN,
+                "",
+                "Error",
+                line,
+            )
+            events.append(error_event)
+            continue
+        if len(stderr_lines) == 1 or (nonzero_rc and index == len(stderr_lines) - 1):
+            # **Very likely** an error message that is independent of an error event
+            error_event = Event(
+                ResourceType.UNKNOWN,
+                "",
+                "Error",
+                line,
+            )
+            events.append(error_event)
+            continue
+        _warn_missing_dry_run_prefix(line, warn_missing_dry_run_prefix, warn_function)
+        _warn_unparsable_line(line, warn_function)
+    return events
+
+
+def has_changes(
+    events: Sequence[Event],
+    ignore_service_pull_events: bool = False,
+    ignore_build_events: bool = False,
+) -> bool:
+    for event in events:
+        if event.status in DOCKER_STATUS_WORKING:
+            if ignore_service_pull_events and event.status in DOCKER_STATUS_PULL:
+                continue
+            if ignore_build_events and event.status in DOCKER_STATUS_BUILD:
+                continue
+            return True
+        if (
+            event.resource_type == ResourceType.IMAGE_LAYER
+            and event.status in DOCKER_PULL_PROGRESS_WORKING
+        ):
+            return True
+    return False
+
+
+def extract_actions(events: Sequence[Event]) -> list[dict[str, t.Any]]:
+    actions = []
+    pull_actions = set()
+    for event in events:
+        if (
+            event.resource_type == ResourceType.IMAGE_LAYER
+            and event.status in DOCKER_PULL_PROGRESS_WORKING
+        ):
+            pull_id = (event.resource_id, event.status)
+            if pull_id not in pull_actions:
+                pull_actions.add(pull_id)
+                actions.append(
+                    {
+                        "what": event.resource_type,
+                        "id": event.resource_id,
+                        "status": event.status,
+                    }
+                )
+        if (
+            event.resource_type != ResourceType.IMAGE_LAYER
+            and event.status in DOCKER_STATUS_WORKING
+        ):
+            actions.append(
+                {
+                    "what": event.resource_type,
+                    "id": event.resource_id,
+                    "status": event.status,
+                }
+            )
+    return actions
+
+
+def emit_warnings(
+    events: Sequence[Event], warn_function: Callable[[str], None]
+) -> None:
+    for event in events:
+        # If a message is present, assume it is a warning
+        if (
+            event.status is None and event.msg is not None
+        ) or event.status in DOCKER_STATUS_WARNING:
+            warn_function(
+                f"Docker compose: {event.resource_type} {event.resource_id}: {event.msg}"
+            )
+
+
+def is_failed(events: Sequence[Event], rc: int) -> bool:
+    return bool(rc)
+
+
+def update_failed(
+    result: dict[str, t.Any],
+    events: Sequence[Event],
+    args: list[str],
+    stdout: str | bytes,
+    stderr: str | bytes,
+    rc: int,
+    cli: str,
+) -> bool:
+    if not rc:
+        return False
+    errors = []
+    for event in events:
+        if event.status in DOCKER_STATUS_ERROR:
+            if event.resource_id is None:
+                if event.resource_type == "unknown":
+                    msg = (
+                        "General error: "
+                        if event.resource_type == "unknown"
+                        else f"Error when processing {event.resource_type}: "
+                    )
+            else:
+                msg = (
+                    f"Error when processing {event.resource_type} {event.resource_id}: "
+                )
+                if event.resource_type == "unknown":
+                    msg = f"Error when processing {event.resource_id}: "
+                    if event.resource_id == "":
+                        msg = "General error: "
+            msg += f"{event.status}" if event.msg is None else f"{event.msg}"
+            errors.append(msg)
+    if not errors:
+        errors.append(f"Return code {rc} is non-zero")
+    result["failed"] = True
+    result["msg"] = "\n".join(errors)
+    result["cmd"] = " ".join(quote(arg) for arg in [cli] + args)
+    result["stdout"] = to_text(stdout)
+    result["stderr"] = to_text(stderr)
+    result["rc"] = rc
+    return True
+
+
+def common_compose_argspec() -> dict[str, t.Any]:
+    return {
+        "project_src": {"type": "path"},
+        "project_name": {"type": "str"},
+        "files": {"type": "list", "elements": "path"},
+        "definition": {"type": "dict"},
+        "env_files": {"type": "list", "elements": "path"},
+        "profiles": {"type": "list", "elements": "str"},
+        "check_files_existing": {"type": "bool", "default": True},
+    }
+
+
+def common_compose_argspec_ex() -> dict[str, t.Any]:
+    return {
+        "argspec": common_compose_argspec(),
+        "mutually_exclusive": [("definition", "project_src"), ("definition", "files")],
+        "required_one_of": [
+            ("definition", "project_src"),
+        ],
+        "required_by": {
+            "definition": ("project_name",),
+        },
+    }
+
+
+def combine_binary_output(*outputs: bytes | None) -> bytes:
+    return b"\n".join(out for out in outputs if out)
+
+
+def combine_text_output(*outputs: str | None) -> str:
+    return "\n".join(out for out in outputs if out)
+
+
+class BaseComposeManager(DockerBaseClass):
+    def __init__(
+        self, client: _Client, min_version: str = MINIMUM_COMPOSE_VERSION
+    ) -> None:
+        super().__init__()
+        self.client = client
+        self.check_mode = self.client.check_mode
+        self.cleanup_dirs = set()
+        parameters = self.client.module.params
+
+        if parameters["definition"] is not None and not HAS_PYYAML:
+            self.fail(missing_required_lib("PyYAML"), exception=PYYAML_IMPORT_ERROR)
+
+        self.project_name = parameters["project_name"]
+        if parameters["definition"] is not None:
+            self.project_src = tempfile.mkdtemp(prefix="ansible")
+            self.cleanup_dirs.add(self.project_src)
+            compose_file = os.path.join(self.project_src, "compose.yaml")
+            self.client.module.add_cleanup_file(compose_file)
+            try:
+                with open(compose_file, "wb") as f:
+                    yaml.dump(
+                        parameters["definition"],
+                        f,
+                        encoding="utf-8",
+                        Dumper=_SafeDumper,
+                    )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error writing to {compose_file} - {exc}")
+        else:
+            self.project_src = os.path.abspath(parameters["project_src"])
+
+        self.files = parameters["files"]
+        self.env_files = parameters["env_files"]
+        self.profiles = parameters["profiles"]
+
+        compose_version = self.get_compose_version()
+        self.compose_version = LooseVersion(compose_version)
+        if self.compose_version < LooseVersion(min_version):
+            self.fail(
+                f"Docker CLI {self.client.get_cli()} has the compose plugin with version {compose_version}; need version {min_version} or later"
+            )
+
+        if not os.path.isdir(self.project_src):
+            self.fail(f'"{self.project_src}" is not a directory')
+
+        self.check_files_existing = parameters["check_files_existing"]
+        if self.files:
+            for file in self.files:
+                path = os.path.join(self.project_src, file)
+                if not os.path.exists(path):
+                    self.fail(
+                        f'Cannot find Compose file "{file}" relative to project directory "{self.project_src}"'
+                    )
+        elif self.check_files_existing and all(
+            not os.path.exists(os.path.join(self.project_src, f))
+            for f in DOCKER_COMPOSE_FILES
+        ):
+            filenames = ", ".join(DOCKER_COMPOSE_FILES[:-1])
+            self.fail(
+                f'"{self.project_src}" does not contain {filenames}, or {DOCKER_COMPOSE_FILES[-1]}'
+            )
+
+        # Support for JSON output was added in Compose 2.29.0 (https://github.com/docker/compose/releases/tag/v2.29.0);
+        # more precisely in https://github.com/docker/compose/pull/11478
+        self.use_json_events = self.compose_version >= LooseVersion("2.29.0")
+
+    def get_compose_version(self) -> str:
+        return (
+            self.get_compose_version_from_cli() or self.get_compose_version_from_api()
+        )
+
+    def get_compose_version_from_cli(self) -> str | None:
+        rc, version_info, dummy_stderr = self.client.call_cli(
+            "compose", "version", "--format", "json"
+        )
+        if rc:
+            return None
+        try:
+            version = json.loads(version_info)["version"]
+            if version == "dev":
+                return None
+            return version.lstrip("v")
+        except Exception:  # pylint: disable=broad-exception-caught
+            return None
+
+    def get_compose_version_from_api(self) -> str:
+        compose = self.client.get_client_plugin_info("compose")
+        if compose is None:
+            self.fail(
+                f"Docker CLI {self.client.get_cli()} does not have the compose plugin installed"
+            )
+        if compose["Version"] == "dev":
+            self.fail(
+                f'Docker CLI {self.client.get_cli()} has a compose plugin installed, but it reports version "dev".'
+                " Please use a version of the plugin that returns a proper version."
+            )
+        return compose["Version"].lstrip("v")
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        self.cleanup()
+        self.client.fail(msg, **kwargs)
+
+    def get_base_args(self, plain_progress: bool = False) -> list[str]:
+        args = ["compose", "--ansi", "never"]
+        if self.use_json_events and not plain_progress:
+            args.extend(["--progress", "json"])
+        elif self.compose_version >= LooseVersion("2.19.0"):
+            # https://github.com/docker/compose/pull/10690
+            args.extend(["--progress", "plain"])
+        args.extend(["--project-directory", self.project_src])
+        if self.project_name:
+            args.extend(["--project-name", self.project_name])
+        for file in self.files or []:
+            args.extend(["--file", file])
+        for env_file in self.env_files or []:
+            args.extend(["--env-file", env_file])
+        for profile in self.profiles or []:
+            args.extend(["--profile", profile])
+        return args
+
+    def _handle_failed_cli_call(
+        self, args: list[str], rc: int, stdout: str | bytes, stderr: bytes
+    ) -> t.NoReturn:
+        events = parse_json_events(stderr, warn_function=self.client.warn)
+        result: dict[str, t.Any] = {}
+        self.update_failed(result, events, args, stdout, stderr, rc)
+        self.client.module.exit_json(**result)
+
+    def list_containers_raw(self) -> list[dict[str, t.Any]]:
+        args = self.get_base_args() + ["ps", "--format", "json", "--all"]
+        if self.compose_version >= LooseVersion("2.23.0"):
+            # https://github.com/docker/compose/pull/11038
+            args.append("--no-trunc")
+        if self.compose_version >= LooseVersion("2.21.0"):
+            # Breaking change in 2.21.0: https://github.com/docker/compose/pull/10918
+            rc, containers, stderr = self.client.call_cli_json_stream(
+                *args, cwd=self.project_src, check_rc=not self.use_json_events
+            )
+        else:
+            rc, containers, stderr = self.client.call_cli_json(
+                *args, cwd=self.project_src, check_rc=not self.use_json_events
+            )
+        if self.use_json_events and rc != 0:
+            self._handle_failed_cli_call(args, rc, json.dumps(containers), stderr)
+        return containers
+
+    def list_containers(self) -> list[dict[str, t.Any]]:
+        result = []
+        for container in self.list_containers_raw():
+            labels = {}
+            if container.get("Labels"):
+                for part in container["Labels"].split(","):
+                    label_value = part.split("=", 1)
+                    labels[label_value[0]] = (
+                        label_value[1] if len(label_value) > 1 else ""
+                    )
+            container["Labels"] = labels
+            container["Names"] = container.get("Names", container["Name"]).split(",")
+            container["Networks"] = container.get("Networks", "").split(",")
+            container["Publishers"] = container.get("Publishers") or []
+            result.append(container)
+        return result
+
+    def list_images(self) -> list[str]:
+        args = self.get_base_args() + ["images", "--format", "json"]
+        rc, images, stderr = self.client.call_cli_json(
+            *args, cwd=self.project_src, check_rc=not self.use_json_events
+        )
+        if self.use_json_events and rc != 0:
+            self._handle_failed_cli_call(args, rc, images, stderr)
+        if isinstance(images, dict):
+            # Handle breaking change in Docker Compose 2.37.0; see
+            # https://github.com/ansible-collections/community.docker/issues/1082
+            # and https://github.com/docker/compose/issues/12916 for details
+            images = list(images.values())
+        return images
+
+    def parse_events(
+        self, stderr: bytes, dry_run: bool = False, nonzero_rc: bool = False
+    ) -> list[Event]:
+        if self.use_json_events:
+            return parse_json_events(stderr, warn_function=self.client.warn)
+        return parse_events(
+            stderr,
+            dry_run=dry_run,
+            warn_function=self.client.warn,
+            nonzero_rc=nonzero_rc,
+        )
+
+    def emit_warnings(self, events: Sequence[Event]) -> None:
+        emit_warnings(events, warn_function=self.client.warn)
+
+    def update_result(
+        self,
+        result: dict[str, t.Any],
+        events: Sequence[Event],
+        stdout: str | bytes,
+        stderr: str | bytes,
+        ignore_service_pull_events: bool = False,
+        ignore_build_events: bool = False,
+    ) -> None:
+        result["changed"] = result.get("changed", False) or has_changes(
+            events,
+            ignore_service_pull_events=ignore_service_pull_events,
+            ignore_build_events=ignore_build_events,
+        )
+        result["actions"] = result.get("actions", []) + extract_actions(events)
+        result["stdout"] = combine_text_output(result.get("stdout"), to_text(stdout))
+        result["stderr"] = combine_text_output(result.get("stderr"), to_text(stderr))
+
+    def update_failed(
+        self,
+        result: dict[str, t.Any],
+        events: Sequence[Event],
+        args: list[str],
+        stdout: str | bytes,
+        stderr: bytes,
+        rc: int,
+    ) -> bool:
+        return update_failed(
+            result,
+            events,
+            args=args,
+            stdout=stdout,
+            stderr=stderr,
+            rc=rc,
+            cli=self.client.get_cli(),
+        )
+
+    def cleanup_result(self, result: dict[str, t.Any]) -> None:
+        if not result.get("failed"):
+            # Only return stdout and stderr if it is not empty
+            for res in ("stdout", "stderr"):
+                if result.get(res) == "":
+                    result.pop(res)
+
+    def cleanup(self) -> None:
+        for directory in self.cleanup_dirs:
+            try:
+                shutil.rmtree(directory, True)
+            except Exception:  # pylint: disable=broad-exception-caught
+                # should not happen, but simply ignore to be on the safe side
+                pass
diff --git a/ansible_collections/community/docker/plugins/module_utils/_copy.py b/ansible_collections/community/docker/plugins/module_utils/_copy.py
new file mode 100644
index 00000000..73414370
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_copy.py
@@ -0,0 +1,590 @@
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import base64
+import datetime
+import io
+import json
+import os
+import os.path
+import shutil
+import stat
+import tarfile
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    NotFound,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+    from _typeshed import WriteableBuffer
+
+    from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+        APIClient,
+    )
+
+
+class DockerFileCopyError(Exception):
+    pass
+
+
+class DockerUnexpectedError(DockerFileCopyError):
+    pass
+
+
+class DockerFileNotFound(DockerFileCopyError):
+    pass
+
+
+def _put_archive(
+    client: APIClient, container: str, path: str, data: bytes | t.Generator[bytes]
+) -> bool:
+    # data can also be file object for streaming. This is because _put uses requests's put().
+    # See https://requests.readthedocs.io/en/latest/user/advanced/#streaming-uploads
+    url = client._url("/containers/{0}/archive", container)
+    res = client._put(url, params={"path": path}, data=data)
+    client._raise_for_status(res)
+    return res.status_code == 200
+
+
+def _symlink_tar_creator(
+    b_in_path: bytes,
+    file_stat: os.stat_result,
+    out_file: str | bytes,
+    user_id: int,
+    group_id: int,
+    mode: int | None = None,
+    user_name: str | None = None,
+) -> bytes:
+    if not stat.S_ISLNK(file_stat.st_mode):
+        raise DockerUnexpectedError("stat information is not for a symlink")
+    bio = io.BytesIO()
+    with tarfile.open(
+        fileobj=bio, mode="w|", dereference=False, encoding="utf-8"
+    ) as tar:
+        # Note that without both name (bytes) and arcname (unicode), this either fails for
+        # Python 2.7, Python 3.5/3.6, or Python 3.7+. Only when passing both (in this
+        # form) it works with Python 2.7, 3.5, 3.6, and 3.7 up to 3.11
+        tarinfo = tar.gettarinfo(b_in_path, arcname=to_text(out_file))
+        tarinfo.uid = user_id
+        tarinfo.uname = ""
+        if user_name:
+            tarinfo.uname = user_name
+        tarinfo.gid = group_id
+        tarinfo.gname = ""
+        tarinfo.mode &= 0o700
+        if mode is not None:
+            tarinfo.mode = mode
+        if not tarinfo.issym():
+            raise DockerUnexpectedError("stat information is not for a symlink")
+        tar.addfile(tarinfo)
+    return bio.getvalue()
+
+
+def _symlink_tar_generator(
+    b_in_path: bytes,
+    file_stat: os.stat_result,
+    out_file: str | bytes,
+    user_id: int,
+    group_id: int,
+    mode: int | None = None,
+    user_name: str | None = None,
+) -> t.Generator[bytes]:
+    yield _symlink_tar_creator(
+        b_in_path, file_stat, out_file, user_id, group_id, mode, user_name
+    )
+
+
+def _regular_file_tar_generator(
+    b_in_path: bytes,
+    file_stat: os.stat_result,
+    out_file: str | bytes,
+    user_id: int,
+    group_id: int,
+    mode: int | None = None,
+    user_name: str | None = None,
+) -> t.Generator[bytes]:
+    if not stat.S_ISREG(file_stat.st_mode):
+        raise DockerUnexpectedError("stat information is not for a regular file")
+    tarinfo = tarfile.TarInfo()
+    tarinfo.name = (
+        os.path.splitdrive(to_text(out_file))[1].replace(os.sep, "/").lstrip("/")
+    )
+    tarinfo.mode = (file_stat.st_mode & 0o700) if mode is None else mode
+    tarinfo.uid = user_id
+    tarinfo.gid = group_id
+    tarinfo.size = file_stat.st_size
+    tarinfo.mtime = file_stat.st_mtime
+    tarinfo.type = tarfile.REGTYPE
+    tarinfo.linkname = ""
+    if user_name:
+        tarinfo.uname = user_name
+
+    tarinfo_buf = tarinfo.tobuf()
+    total_size = len(tarinfo_buf)
+    yield tarinfo_buf
+
+    size = tarinfo.size
+    total_size += size
+    with open(b_in_path, "rb") as f:
+        while size > 0:
+            to_read = min(size, 65536)
+            buf = f.read(to_read)
+            if not buf:
+                break
+            size -= len(buf)
+            yield buf
+    if size:
+        # If for some reason the file shrunk, fill up to the announced size with zeros.
+        # (If it enlarged, ignore the remainder.)
+        yield tarfile.NUL * size
+
+    remainder = tarinfo.size % tarfile.BLOCKSIZE
+    if remainder:
+        # We need to write a multiple of 512 bytes. Fill up with zeros.
+        yield tarfile.NUL * (tarfile.BLOCKSIZE - remainder)
+        total_size += tarfile.BLOCKSIZE - remainder
+
+    # End with two zeroed blocks
+    yield tarfile.NUL * (2 * tarfile.BLOCKSIZE)
+    total_size += 2 * tarfile.BLOCKSIZE
+
+    remainder = total_size % tarfile.RECORDSIZE
+    if remainder > 0:
+        yield tarfile.NUL * (tarfile.RECORDSIZE - remainder)
+
+
+def _regular_content_tar_generator(
+    content: bytes,
+    out_file: str | bytes,
+    user_id: int,
+    group_id: int,
+    mode: int,
+    user_name: str | None = None,
+) -> t.Generator[bytes]:
+    tarinfo = tarfile.TarInfo()
+    tarinfo.name = (
+        os.path.splitdrive(to_text(out_file))[1].replace(os.sep, "/").lstrip("/")
+    )
+    tarinfo.mode = mode
+    tarinfo.uid = user_id
+    tarinfo.gid = group_id
+    tarinfo.size = len(content)
+    tarinfo.mtime = int(datetime.datetime.now().timestamp())
+    tarinfo.type = tarfile.REGTYPE
+    tarinfo.linkname = ""
+    if user_name:
+        tarinfo.uname = user_name
+
+    tarinfo_buf = tarinfo.tobuf()
+    total_size = len(tarinfo_buf)
+    yield tarinfo_buf
+
+    total_size += len(content)
+    yield content
+
+    remainder = tarinfo.size % tarfile.BLOCKSIZE
+    if remainder:
+        # We need to write a multiple of 512 bytes. Fill up with zeros.
+        yield tarfile.NUL * (tarfile.BLOCKSIZE - remainder)
+        total_size += tarfile.BLOCKSIZE - remainder
+
+    # End with two zeroed blocks
+    yield tarfile.NUL * (2 * tarfile.BLOCKSIZE)
+    total_size += 2 * tarfile.BLOCKSIZE
+
+    remainder = total_size % tarfile.RECORDSIZE
+    if remainder > 0:
+        yield tarfile.NUL * (tarfile.RECORDSIZE - remainder)
+
+
+def put_file(
+    client: APIClient,
+    container: str,
+    in_path: str,
+    out_path: str,
+    user_id: int,
+    group_id: int,
+    mode: int | None = None,
+    user_name: str | None = None,
+    follow_links: bool = False,
+) -> None:
+    """Transfer a file from local to Docker container."""
+    if not os.path.exists(to_bytes(in_path, errors="surrogate_or_strict")):
+        raise DockerFileNotFound(f"file or module does not exist: {to_text(in_path)}")
+
+    b_in_path = to_bytes(in_path, errors="surrogate_or_strict")
+
+    out_dir, out_file = os.path.split(out_path)
+
+    if follow_links:
+        file_stat = os.stat(b_in_path)
+    else:
+        file_stat = os.lstat(b_in_path)
+
+    if stat.S_ISREG(file_stat.st_mode):
+        stream = _regular_file_tar_generator(
+            b_in_path,
+            file_stat,
+            out_file,
+            user_id,
+            group_id,
+            mode=mode,
+            user_name=user_name,
+        )
+    elif stat.S_ISLNK(file_stat.st_mode):
+        stream = _symlink_tar_generator(
+            b_in_path,
+            file_stat,
+            out_file,
+            user_id,
+            group_id,
+            mode=mode,
+            user_name=user_name,
+        )
+    else:
+        file_part = " referenced by" if follow_links else ""
+        raise DockerFileCopyError(
+            f"File{file_part} {in_path} is neither a regular file nor a symlink (stat mode {oct(file_stat.st_mode)})."
+        )
+
+    ok = _put_archive(client, container, out_dir, stream)
+    if not ok:
+        raise DockerUnexpectedError(
+            f'Unknown error while creating file "{out_path}" in container "{container}".'
+        )
+
+
+def put_file_content(
+    client: APIClient,
+    container: str,
+    content: bytes,
+    out_path: str,
+    user_id: int,
+    group_id: int,
+    mode: int,
+    user_name: str | None = None,
+) -> None:
+    """Transfer a file from local to Docker container."""
+    out_dir, out_file = os.path.split(out_path)
+
+    stream = _regular_content_tar_generator(
+        content, out_file, user_id, group_id, mode, user_name=user_name
+    )
+
+    ok = _put_archive(client, container, out_dir, stream)
+    if not ok:
+        raise DockerUnexpectedError(
+            f'Unknown error while creating file "{out_path}" in container "{container}".'
+        )
+
+
+def stat_file(
+    client: APIClient,
+    container: str,
+    in_path: str,
+    follow_links: bool = False,
+    log: Callable[[str], None] | None = None,
+) -> tuple[str, dict[str, t.Any] | None, str | None]:
+    """Fetch information on a file from a Docker container to local.
+
+    Return a tuple ``(path, stat_data, link_target)`` where:
+
+    :path: is the resolved path in case ``follow_links=True``;
+    :stat_data: is ``None`` if the file does not exist, or a dictionary with fields
+        ``name`` (string), ``size`` (integer), ``mode`` (integer, see https://pkg.go.dev/io/fs#FileMode),
+        ``mtime`` (string), and ``linkTarget`` (string);
+    :link_target: is ``None`` if the file is not a symlink or when ``follow_links=False``,
+        and a string with the symlink target otherwise.
+    """
+    considered_in_paths = set()
+
+    while True:
+        if in_path in considered_in_paths:
+            raise DockerFileCopyError(
+                f"Found infinite symbolic link loop when trying to stating {in_path!r}"
+            )
+        considered_in_paths.add(in_path)
+
+        if log:
+            log(f"FETCH: Stating {in_path!r}")
+
+        response = client._head(
+            client._url("/containers/{0}/archive", container),
+            params={"path": in_path},
+        )
+        if response.status_code == 404:
+            return in_path, None, None
+        client._raise_for_status(response)
+        header = response.headers.get("x-docker-container-path-stat")
+        try:
+            if header is None:
+                raise ValueError("x-docker-container-path-stat header not present")
+            stat_data = json.loads(base64.b64decode(header))
+        except Exception as exc:
+            raise DockerUnexpectedError(
+                f"When retrieving information for {in_path} from {container}, obtained header {header!r} that cannot be loaded as JSON: {exc}"
+            ) from exc
+
+        # https://pkg.go.dev/io/fs#FileMode: bit 32 - 5 means ModeSymlink
+        if stat_data["mode"] & (1 << (32 - 5)) != 0:
+            link_target = stat_data["linkTarget"]
+            if not follow_links:
+                return in_path, stat_data, link_target
+            in_path = os.path.join(os.path.split(in_path)[0], link_target)
+            continue
+
+        return in_path, stat_data, None
+
+
+class _RawGeneratorFileobj(io.RawIOBase):
+    def __init__(self, stream: t.Generator[bytes]):
+        self._stream = stream
+        self._buf = b""
+
+    def readable(self) -> bool:
+        return True
+
+    def _readinto_from_buf(self, b: WriteableBuffer, index: int, length: int) -> int:
+        cpy = min(length - index, len(self._buf))
+        if cpy:
+            b[index : index + cpy] = self._buf[:cpy]  # type: ignore # TODO!
+            self._buf = self._buf[cpy:]
+            index += cpy
+        return index
+
+    def readinto(self, b: WriteableBuffer) -> int:
+        index = 0
+        length = len(b)  # type: ignore # TODO!
+
+        index = self._readinto_from_buf(b, index, length)
+        if index == length:
+            return index
+
+        try:
+            self._buf += next(self._stream)
+        except StopIteration:
+            return index
+
+        return self._readinto_from_buf(b, index, length)
+
+
+def _stream_generator_to_fileobj(stream: t.Generator[bytes]) -> io.BufferedReader:
+    """Given a generator that generates chunks of bytes, create a readable buffered stream."""
+    raw = _RawGeneratorFileobj(stream)
+    return io.BufferedReader(raw)
+
+
+_T = t.TypeVar("_T")
+
+
+def fetch_file_ex(
+    client: APIClient,
+    container: str,
+    in_path: str,
+    process_none: Callable[[str], _T],
+    process_regular: Callable[[str, tarfile.TarFile, tarfile.TarInfo], _T],
+    process_symlink: Callable[[str, tarfile.TarInfo], _T],
+    process_other: Callable[[str, tarfile.TarInfo], _T],
+    follow_links: bool = False,
+    log: Callable[[str], None] | None = None,
+) -> _T:
+    """Fetch a file (as a tar file entry) from a Docker container to local."""
+    considered_in_paths: set[str] = set()
+
+    while True:
+        if in_path in considered_in_paths:
+            raise DockerFileCopyError(
+                f'Found infinite symbolic link loop when trying to fetch "{in_path}"'
+            )
+        considered_in_paths.add(in_path)
+
+        if log:
+            log(f'FETCH: Fetching "{in_path}"')
+        try:
+            stream = client.get_raw_stream(
+                "/containers/{0}/archive",
+                container,
+                params={"path": in_path},
+                headers={"Accept-Encoding": "identity"},
+            )
+        except NotFound:
+            return process_none(in_path)
+
+        with tarfile.open(
+            fileobj=_stream_generator_to_fileobj(stream), mode="r|"
+        ) as tar:
+            symlink_member: tarfile.TarInfo | None = None
+            result: _T | None = None
+            found = False
+            for member in tar:
+                if found:
+                    raise DockerUnexpectedError(
+                        "Received tarfile contains more than one file!"
+                    )
+                found = True
+                if member.issym():
+                    symlink_member = member
+                    continue
+                if member.isfile():
+                    result = process_regular(in_path, tar, member)
+                    continue
+                result = process_other(in_path, member)
+            if symlink_member:
+                if not follow_links:
+                    return process_symlink(in_path, symlink_member)
+                in_path = os.path.join(
+                    os.path.split(in_path)[0], symlink_member.linkname
+                )
+                if log:
+                    log(f'FETCH: Following symbolic link to "{in_path}"')
+                continue
+            if found:
+                return result  # type: ignore
+            raise DockerUnexpectedError("Received tarfile is empty!")
+
+
+def fetch_file(
+    client: APIClient,
+    container: str,
+    in_path: str,
+    out_path: str,
+    follow_links: bool = False,
+    log: Callable[[str], None] | None = None,
+) -> str:
+    b_out_path = to_bytes(out_path, errors="surrogate_or_strict")
+
+    def process_none(in_path: str) -> str:
+        raise DockerFileNotFound(
+            f"File {in_path} does not exist in container {container}"
+        )
+
+    def process_regular(
+        in_path: str, tar: tarfile.TarFile, member: tarfile.TarInfo
+    ) -> str:
+        if not follow_links and os.path.exists(b_out_path):
+            os.unlink(b_out_path)
+
+        reader = tar.extractfile(member)
+        if reader:
+            with reader as in_f, open(b_out_path, "wb") as out_f:
+                shutil.copyfileobj(in_f, out_f)
+        return in_path
+
+    def process_symlink(in_path: str, member: tarfile.TarInfo) -> str:
+        if os.path.exists(b_out_path):
+            os.unlink(b_out_path)
+
+        os.symlink(member.linkname, b_out_path)
+        return in_path
+
+    def process_other(in_path: str, member: tarfile.TarInfo) -> str:
+        raise DockerFileCopyError(
+            f'Remote file "{in_path}" is not a regular file or a symbolic link'
+        )
+
+    return fetch_file_ex(
+        client,
+        container,
+        in_path,
+        process_none,
+        process_regular,
+        process_symlink,
+        process_other,
+        follow_links=follow_links,
+        log=log,
+    )
+
+
+def _execute_command(
+    client: APIClient,
+    container: str,
+    command: list[str],
+    log: Callable[[str], None] | None = None,
+    check_rc: bool = False,
+) -> tuple[int, bytes, bytes]:
+    if log:
+        log(f"Executing {command} in {container}")
+
+    data = {
+        "Container": container,
+        "User": "",
+        "Privileged": False,
+        "Tty": False,
+        "AttachStdin": False,
+        "AttachStdout": True,
+        "AttachStderr": True,
+        "Cmd": command,
+    }
+
+    if "detachKeys" in client._general_configs:
+        data["detachKeys"] = client._general_configs["detachKeys"]
+
+    try:
+        exec_data = client.post_json_to_json(
+            "/containers/{0}/exec", container, data=data
+        )
+    except NotFound as e:
+        raise DockerFileCopyError(f'Could not find container "{container}"') from e
+    except APIError as e:
+        if e.response is not None and e.response.status_code == 409:
+            raise DockerFileCopyError(
+                f'Cannot execute command in paused container "{container}"'
+            ) from e
+        raise
+    exec_id = exec_data["Id"]
+
+    data = {"Tty": False, "Detach": False}
+    stdout, stderr = client.post_json_to_stream(
+        "/exec/{0}/start", exec_id, stream=False, demux=True, tty=False
+    )
+
+    result = client.get_json("/exec/{0}/json", exec_id)
+
+    rc: int = result.get("ExitCode") or 0
+    stdout = stdout or b""
+    stderr = stderr or b""
+
+    if log:
+        log(f"Exit code {rc}, stdout {stdout!r}, stderr {stderr!r}")
+
+    if check_rc and rc != 0:
+        command_str = " ".join(command)
+        raise DockerUnexpectedError(
+            f'Obtained unexpected exit code {rc} when running "{command_str}" in {container}.\nSTDOUT: {stdout!r}\nSTDERR: {stderr!r}'
+        )
+
+    return rc, stdout, stderr
+
+
+def determine_user_group(
+    client: APIClient, container: str, log: Callable[[str], None] | None = None
+) -> tuple[int, int]:
+    dummy_rc, stdout, dummy_stderr = _execute_command(
+        client, container, ["/bin/sh", "-c", "id -u && id -g"], check_rc=True, log=log
+    )
+
+    stdout_lines = stdout.splitlines()
+    if len(stdout_lines) != 2:
+        raise DockerUnexpectedError(
+            f"Expected two-line output to obtain user and group ID for container {container}, but got {len(stdout_lines)} lines:\n{stdout!r}"
+        )
+
+    user_id, group_id = stdout_lines
+    try:
+        return int(user_id), int(group_id)
+    except ValueError as exc:
+        raise DockerUnexpectedError(
+            f"Expected two-line output with numeric IDs to obtain user and group ID for container {container}, but got {user_id!r} and {group_id!r} instead"
+        ) from exc
diff --git a/ansible_collections/community/docker/plugins/module_utils/_image_archive.py b/ansible_collections/community/docker/plugins/module_utils/_image_archive.py
new file mode 100644
index 00000000..6156f209
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_image_archive.py
@@ -0,0 +1,166 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import os
+import tarfile
+
+
+class ImageArchiveManifestSummary:
+    """
+    Represents data extracted from a manifest.json found in the tar archive output of the
+    "docker image save some:tag > some.tar" command.
+    """
+
+    def __init__(self, image_id: str, repo_tags: list[str]) -> None:
+        """
+        :param image_id:  File name portion of Config entry, e.g. abcde12345 from abcde12345.json
+        :param repo_tags  Docker image names, e.g. ["hello-world:latest"]
+        """
+
+        self.image_id = image_id
+        self.repo_tags = repo_tags
+
+
+class ImageArchiveInvalidException(Exception):
+    pass
+
+
+def api_image_id(archive_image_id: str) -> str:
+    """
+    Accepts an image hash in the format stored in manifest.json, and returns an equivalent identifier
+    that represents the same image hash, but in the format presented by the Docker Engine API.
+
+    :param archive_image_id: plain image hash
+    :returns: Prefixed hash used by REST api
+    """
+
+    return f"sha256:{archive_image_id}"
+
+
+def load_archived_image_manifest(
+    archive_path: str,
+) -> list[ImageArchiveManifestSummary] | None:
+    """
+    Attempts to get image IDs and image names from metadata stored in the image
+    archive tar file.
+
+    The tar should contain a file "manifest.json" with an array with one or more entries,
+    and every entry should have a Config field with the image ID in its file name, as
+    well as a RepoTags list, which typically has only one entry.
+
+    :raises:
+        ImageArchiveInvalidException: A file already exists at archive_path, but could not extract an image ID from it.
+
+    :param archive_path: Tar file to read
+    :return: None, if no file at archive_path, or a list of ImageArchiveManifestSummary objects.
+    """
+
+    try:
+        # FileNotFoundError does not exist in Python 2
+        if not os.path.isfile(archive_path):
+            return None
+
+        with tarfile.open(archive_path, "r") as tf:
+            try:
+                try:
+                    reader = tf.extractfile("manifest.json")
+                    if reader is None:
+                        raise ImageArchiveInvalidException(
+                            "Failed to read manifest.json"
+                        )
+                    with reader as ef:
+                        manifest = json.load(ef)
+                except ImageArchiveInvalidException:
+                    raise
+                except Exception as exc:
+                    raise ImageArchiveInvalidException(
+                        f"Failed to decode and deserialize manifest.json: {exc}"
+                    ) from exc
+
+                if len(manifest) == 0:
+                    raise ImageArchiveInvalidException(
+                        "Expected to have at least one entry in manifest.json but found none"
+                    )
+
+                result = []
+                for index, meta in enumerate(manifest):
+                    try:
+                        config_file = meta["Config"]
+                    except KeyError as exc:
+                        raise ImageArchiveInvalidException(
+                            f"Failed to get Config entry from {index + 1}th manifest in manifest.json: {exc}"
+                        ) from exc
+
+                    # Extracts hash without 'sha256:' prefix
+                    try:
+                        # Strip off .json filename extension, leaving just the hash.
+                        image_id = os.path.splitext(config_file)[0]
+                    except Exception as exc:
+                        raise ImageArchiveInvalidException(
+                            f"Failed to extract image id from config file name {config_file}: {exc}"
+                        ) from exc
+
+                    for prefix in ("blobs/sha256/",):  # Moby 25.0.0, Docker API 1.44
+                        if image_id.startswith(prefix):
+                            image_id = image_id[len(prefix) :]
+
+                    try:
+                        repo_tags = meta["RepoTags"]
+                    except KeyError as exc:
+                        raise ImageArchiveInvalidException(
+                            f"Failed to get RepoTags entry from {index + 1}th manifest in manifest.json: {exc}"
+                        ) from exc
+
+                    result.append(
+                        ImageArchiveManifestSummary(
+                            image_id=image_id, repo_tags=repo_tags
+                        )
+                    )
+                return result
+
+            except ImageArchiveInvalidException:
+                raise
+            except Exception as exc:
+                raise ImageArchiveInvalidException(
+                    f"Failed to extract manifest.json from tar file {archive_path}: {exc}"
+                ) from exc
+
+    except ImageArchiveInvalidException:
+        raise
+    except Exception as exc:
+        raise ImageArchiveInvalidException(
+            f"Failed to open tar file {archive_path}: {exc}"
+        ) from exc
+
+
+def archived_image_manifest(archive_path: str) -> ImageArchiveManifestSummary | None:
+    """
+    Attempts to get Image.Id and image name from metadata stored in the image
+    archive tar file.
+
+    The tar should contain a file "manifest.json" with an array with a single entry,
+    and the entry should have a Config field with the image ID in its file name, as
+    well as a RepoTags list, which typically has only one entry.
+
+    :raises:
+        ImageArchiveInvalidException: A file already exists at archive_path, but could not extract an image ID from it.
+
+    :param archive_path: Tar file to read
+    :return: None, if no file at archive_path, or the extracted image ID, which will not have a sha256: prefix.
+    """
+
+    results = load_archived_image_manifest(archive_path)
+    if results is None:
+        return None
+    if len(results) == 1:
+        return results[0]
+    raise ImageArchiveInvalidException(
+        f"Expected to have one entry in manifest.json but found {len(results)}"
+    )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_image_name.py b/ansible_collections/community/docker/plugins/module_utils/_image_name.py
new file mode 100644
index 00000000..73d8d95d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_image_name.py
@@ -0,0 +1,116 @@
+# Copyright (c) 2025 Felix Fontein
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import re
+import typing as t
+from dataclasses import dataclass
+
+_PATH_RE = re.compile(
+    r"^[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*$"
+)
+_TAG_RE = re.compile(r"^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$")
+_DIGEST_RE = re.compile(r"^sha256:[0-9a-fA-F]{64}$")
+
+
+def is_digest(name: str, allow_empty: bool = False) -> bool:
+    """Check whether the given name is in fact an image ID (hash)."""
+    if not name:
+        return allow_empty
+    return _DIGEST_RE.match(name) is not None
+
+
+def is_tag(name: str, allow_empty: bool = False) -> bool:
+    """Check whether the given name can be an image tag."""
+    if not name:
+        return allow_empty
+    return _TAG_RE.match(name) is not None
+
+
+@dataclass
+class ImageName:
+    registry: str | None
+    path: str
+    tag: str | None
+    digest: str | None
+
+    @classmethod
+    def parse(cls, name: str) -> t.Self:
+        registry: str | None = None
+        tag: str | None = None
+        digest: str | None = None
+        parts = name.rsplit("@", 1)
+        if len(parts) == 2:
+            name, digest = parts
+        parts = name.rsplit(":", 1)
+        if len(parts) == 2 and "/" not in parts[1]:
+            name, tag = parts
+        parts = name.split("/", 1)
+        if len(parts) == 2 and (
+            "." in parts[0] or ":" in parts[0] or parts[0] == "localhost"
+        ):
+            registry, name = parts
+        return cls(registry, name, tag, digest)
+
+    def validate(self) -> t.Self:
+        if self.registry:
+            if self.registry[0] == "-" or self.registry[-1] == "-":
+                raise ValueError(
+                    f'Invalid registry name ({self.registry}): must not begin or end with a "-".'
+                )
+            if self.registry[-1] == ":":
+                raise ValueError(
+                    f'Invalid registry name ({self.registry}): must not end with ":".'
+                )
+        if not _PATH_RE.match(self.path):
+            raise ValueError(f"Invalid path ({self.path}).")
+        if self.tag and not is_tag(self.tag):
+            raise ValueError(f"Invalid tag ({self.tag}).")
+        if self.digest and not is_digest(self.digest):
+            raise ValueError(f"Invalid digest ({self.digest}).")
+        return self
+
+    def combine(self) -> str:
+        parts = []
+        if self.registry:
+            parts.append(self.registry)
+            if self.path:
+                parts.append("/")
+        parts.append(self.path)
+        if self.tag:
+            parts.append(":")
+            parts.append(self.tag)
+        if self.digest:
+            parts.append("@")
+            parts.append(self.digest)
+        return "".join(parts)
+
+    def normalize(self) -> ImageName:
+        registry = self.registry
+        path = self.path
+        if registry in ("", None, "index.docker.io", "registry.hub.docker.com"):
+            registry = "docker.io"
+        if registry == "docker.io" and "/" not in path and path:
+            path = f"library/{path}"
+        return ImageName(registry, path, self.tag, self.digest)
+
+    def get_hostname_and_port(self) -> tuple[str, int]:
+        if self.registry is None:
+            raise ValueError(
+                "Cannot get hostname when there is no registry. Normalize first!"
+            )
+        if self.registry == "docker.io":
+            return "index.docker.io", 443
+        parts = self.registry.split(":", 1)
+        if len(parts) == 2:
+            try:
+                port = int(parts[1])
+            except (TypeError, ValueError) as exc:
+                raise ValueError(f"Cannot parse port {parts[1]!r}") from exc
+            return parts[0], port
+        return self.registry, 443
diff --git a/ansible_collections/community/docker/plugins/module_utils/_logfmt.py b/ansible_collections/community/docker/plugins/module_utils/_logfmt.py
new file mode 100644
index 00000000..0a20549f
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_logfmt.py
@@ -0,0 +1,211 @@
+# Copyright (c) 2024, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+"""
+Parse go logfmt messages.
+
+See https://pkg.go.dev/github.com/kr/logfmt?utm_source=godoc for information on the format.
+"""
+
+from __future__ import annotations
+
+import typing as t
+from enum import Enum
+
+# The format is defined in https://pkg.go.dev/github.com/kr/logfmt?utm_source=godoc
+# (look for "EBNFish")
+
+
+class InvalidLogFmt(Exception):
+    pass
+
+
+class _Mode(Enum):
+    GARBAGE = 0
+    KEY = 1
+    EQUAL = 2
+    IDENT_VALUE = 3
+    QUOTED_VALUE = 4
+
+
+_ESCAPE_DICT = {
+    '"': '"',
+    "\\": "\\",
+    "'": "'",
+    "/": "/",
+    "b": "\b",
+    "f": "\f",
+    "n": "\n",
+    "r": "\r",
+    "t": "\t",
+}
+
+_HEX_DICT = {
+    "0": 0,
+    "1": 1,
+    "2": 2,
+    "3": 3,
+    "4": 4,
+    "5": 5,
+    "6": 6,
+    "7": 7,
+    "8": 8,
+    "9": 9,
+    "a": 0xA,
+    "b": 0xB,
+    "c": 0xC,
+    "d": 0xD,
+    "e": 0xE,
+    "f": 0xF,
+    "A": 0xA,
+    "B": 0xB,
+    "C": 0xC,
+    "D": 0xD,
+    "E": 0xE,
+    "F": 0xF,
+}
+
+
+def _is_ident(cur: str) -> bool:
+    return cur > " " and cur not in ('"', "=")
+
+
+class _Parser:
+    def __init__(self, line: str) -> None:
+        self.line = line
+        self.index = 0
+        self.length = len(line)
+
+    def done(self) -> bool:
+        return self.index >= self.length
+
+    def cur(self) -> str:
+        return self.line[self.index]
+
+    def next(self) -> None:
+        self.index += 1
+
+    def prev(self) -> None:
+        self.index -= 1
+
+    def parse_unicode_sequence(self) -> str:
+        if self.index + 6 > self.length:
+            raise InvalidLogFmt("Not enough space for unicode escape")
+        if self.line[self.index : self.index + 2] != "\\u":
+            raise InvalidLogFmt("Invalid unicode escape start")
+        v = 0
+        for dummy_index in range(self.index + 2, self.index + 6):
+            v <<= 4
+            try:
+                v += _HEX_DICT[self.line[self.index]]
+            except KeyError:
+                raise InvalidLogFmt(
+                    f"Invalid unicode escape digit {self.line[self.index]!r}"
+                ) from None
+        self.index += 6
+        return chr(v)
+
+
+def parse_line(line: str, logrus_mode: bool = False) -> dict[str, t.Any]:
+    result: dict[str, t.Any] = {}
+    parser = _Parser(line)
+    key: list[str] = []
+    value: list[str] = []
+    mode = _Mode.GARBAGE
+
+    def handle_kv(has_no_value: bool = False) -> None:
+        k = "".join(key)
+        v = None if has_no_value else "".join(value)
+        result[k] = v
+        del key[:]
+        del value[:]
+
+    def parse_garbage(cur: str) -> _Mode:
+        if _is_ident(cur):
+            return _Mode.KEY
+        parser.next()
+        return _Mode.GARBAGE
+
+    def parse_key(cur: str) -> _Mode:
+        if _is_ident(cur):
+            key.append(cur)
+            parser.next()
+            return _Mode.KEY
+        if cur == "=":
+            parser.next()
+            return _Mode.EQUAL
+        if logrus_mode:
+            raise InvalidLogFmt('Key must always be followed by "=" in logrus mode')
+        handle_kv(has_no_value=True)
+        parser.next()
+        return _Mode.GARBAGE
+
+    def parse_equal(cur: str) -> _Mode:
+        if _is_ident(cur):
+            value.append(cur)
+            parser.next()
+            return _Mode.IDENT_VALUE
+        if cur == '"':
+            parser.next()
+            return _Mode.QUOTED_VALUE
+        handle_kv()
+        parser.next()
+        return _Mode.GARBAGE
+
+    def parse_ident_value(cur: str) -> _Mode:
+        if _is_ident(cur):
+            value.append(cur)
+            parser.next()
+            return _Mode.IDENT_VALUE
+        handle_kv()
+        parser.next()
+        return _Mode.GARBAGE
+
+    def parse_quoted_value(cur: str) -> _Mode:
+        if cur == "\\":
+            parser.next()
+            if parser.done():
+                raise InvalidLogFmt("Unterminated escape sequence in quoted string")
+            cur = parser.cur()
+            if cur in _ESCAPE_DICT:
+                value.append(_ESCAPE_DICT[cur])
+            elif cur != "u":
+                es = f"\\{cur}"
+                raise InvalidLogFmt(f"Unknown escape sequence {es!r}")
+            else:
+                parser.prev()
+                value.append(parser.parse_unicode_sequence())
+            parser.next()
+            return _Mode.QUOTED_VALUE
+        if cur == '"':
+            handle_kv()
+            parser.next()
+            return _Mode.GARBAGE
+        if cur < " ":
+            raise InvalidLogFmt("Control characters in quoted string are not allowed")
+        value.append(cur)
+        parser.next()
+        return _Mode.QUOTED_VALUE
+
+    parsers = {
+        _Mode.GARBAGE: parse_garbage,
+        _Mode.KEY: parse_key,
+        _Mode.EQUAL: parse_equal,
+        _Mode.IDENT_VALUE: parse_ident_value,
+        _Mode.QUOTED_VALUE: parse_quoted_value,
+    }
+    while not parser.done():
+        mode = parsers[mode](parser.cur())
+    if mode == _Mode.KEY and logrus_mode:
+        raise InvalidLogFmt('Key must always be followed by "=" in logrus mode')
+    if mode in (_Mode.KEY, _Mode.EQUAL):
+        handle_kv(has_no_value=True)
+    elif mode == _Mode.IDENT_VALUE:
+        handle_kv()
+    elif mode == _Mode.QUOTED_VALUE:
+        raise InvalidLogFmt("Unterminated quoted string")
+    return result
diff --git a/ansible_collections/community/docker/plugins/module_utils/_module_container/base.py b/ansible_collections/community/docker/plugins/module_utils/_module_container/base.py
new file mode 100644
index 00000000..95df8171
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_module_container/base.py
@@ -0,0 +1,1549 @@
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import abc
+import os
+import re
+import shlex
+import typing as t
+from functools import partial
+
+from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_env_file,
+)
+from ansible_collections.community.docker.plugins.module_utils._platform import (
+    compare_platform_strings,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    clean_dict_booleans_for_docker_api,
+    compare_generic,
+    normalize_healthcheck,
+    omit_none_from_dict,
+    sanitize_labels,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable, Sequence
+
+    from ansible.module_utils.basic import AnsibleModule
+
+    from ansible_collections.community.docker.plugins.module_utils._version import (
+        LooseVersion,
+    )
+
+    ValueType = t.Literal["set", "list", "dict", "bool", "int", "float", "str"]
+    AnsibleType = t.Literal["list", "dict", "bool", "int", "float", "str"]
+    ComparisonMode = t.Literal["ignore", "strict", "allow_more_present"]
+    ComparisonType = t.Literal["set", "set(dict)", "list", "dict", "value"]
+
+Client = t.TypeVar("Client")
+
+
+_DEFAULT_IP_REPLACEMENT_STRING = (
+    "[[DEFAULT_IP:iewahhaeB4Sae6Aen8IeShairoh4zeph7xaekoh8Geingunaesaeweiy3ooleiwi]]"
+)
+
+
+_MOUNT_OPTION_TYPES = {
+    "create_mountpoint": ("bind",),
+    "labels": ("volume",),
+    "no_copy": ("volume",),
+    "non_recursive": ("bind",),
+    "propagation": ("bind",),
+    "read_only_force_recursive": ("bind",),
+    "read_only_non_recursive": ("bind",),
+    "subpath": ("volume", "image"),
+    "tmpfs_size": ("tmpfs",),
+    "tmpfs_mode": ("tmpfs",),
+    "tmpfs_options": ("tmpfs",),
+    "volume_driver": ("volume",),
+    "volume_options": ("volume",),
+}
+
+
+def _get_ansible_type(
+    value_type: ValueType,
+) -> AnsibleType:
+    if value_type == "set":
+        return "list"
+    if value_type not in ("list", "dict", "bool", "int", "float", "str"):
+        raise ValueError(f'Invalid type "{value_type}"')
+    return value_type
+
+
+class Option:
+    def __init__(
+        self,
+        name: str,
+        *,
+        value_type: ValueType,
+        owner: OptionGroup,
+        ansible_type: AnsibleType | None = None,
+        elements: ValueType | None = None,
+        ansible_elements: AnsibleType | None = None,
+        ansible_suboptions: dict[str, t.Any] | None = None,
+        ansible_aliases: Sequence[str] | None = None,
+        ansible_choices: Sequence[str] | None = None,
+        needs_no_suboptions: bool = False,
+        default_comparison: ComparisonMode | None = None,
+        not_a_container_option: bool = False,
+        not_an_ansible_option: bool = False,
+        copy_comparison_from: str | None = None,
+        compare: Callable[[Option, t.Any, t.Any], bool] | None = None,
+    ):
+        self.name = name
+        self.value_type = value_type
+        self.ansible_type = ansible_type or _get_ansible_type(value_type)
+        needs_elements = self.value_type in ("list", "set")
+        needs_ansible_elements = self.ansible_type in ("list",)
+        if elements is not None and not needs_elements:
+            raise ValueError("elements only allowed for lists/sets")
+        if elements is None and needs_elements:
+            raise ValueError("elements required for lists/sets")
+        if ansible_elements is not None and not needs_ansible_elements:
+            raise ValueError("Ansible elements only allowed for Ansible lists")
+        if (elements is None and ansible_elements is None) and needs_ansible_elements:
+            raise ValueError("Ansible elements required for Ansible lists")
+        self.elements = elements if needs_elements else None
+        self.ansible_elements: AnsibleType | None = (
+            (ansible_elements or _get_ansible_type(elements or "str"))
+            if needs_ansible_elements
+            else None
+        )
+        needs_suboptions = (
+            self.ansible_type == "list" and self.ansible_elements == "dict"
+        ) or (self.ansible_type == "dict")
+        if ansible_suboptions is not None and not needs_suboptions:
+            raise ValueError(
+                "suboptions only allowed for Ansible lists with dicts, or Ansible dicts"
+            )
+        if (
+            ansible_suboptions is None
+            and needs_suboptions
+            and not needs_no_suboptions
+            and not not_an_ansible_option
+        ):
+            raise ValueError(
+                "suboptions required for Ansible lists with dicts, or Ansible dicts"
+            )
+        self.ansible_suboptions = ansible_suboptions if needs_suboptions else None
+        self.ansible_aliases = ansible_aliases or []
+        self.ansible_choices = ansible_choices
+        comparison_type: ComparisonType
+        if self.value_type == "set" and self.elements == "dict":
+            comparison_type = "set(dict)"
+        elif self.value_type in ("set", "list", "dict"):
+            comparison_type = self.value_type  # type: ignore
+        else:
+            comparison_type = "value"
+        self.comparison_type = comparison_type
+        if default_comparison is not None:
+            self.comparison = default_comparison
+        elif comparison_type in ("list", "value"):
+            self.comparison = "strict"
+        else:
+            self.comparison = "allow_more_present"
+        self.not_a_container_option = not_a_container_option
+        self.not_an_ansible_option = not_an_ansible_option
+        self.copy_comparison_from = copy_comparison_from
+        self.compare = (
+            (
+                lambda param_value, container_value: compare(
+                    self, param_value, container_value
+                )
+            )
+            if compare
+            else (
+                lambda param_value, container_value: compare_generic(
+                    param_value, container_value, self.comparison, self.comparison_type
+                )
+            )
+        )
+
+
+class OptionGroup:
+    def __init__(
+        self,
+        *,
+        preprocess: (
+            Callable[[AnsibleModule, dict[str, t.Any]], dict[str, t.Any]] | None
+        ) = None,
+        ansible_mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        ansible_required_together: Sequence[Sequence[str]] | None = None,
+        ansible_required_one_of: Sequence[Sequence[str]] | None = None,
+        ansible_required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        ansible_required_by: dict[str, Sequence[str]] | None = None,
+    ) -> None:
+        if preprocess is None:
+
+            def preprocess(
+                module: AnsibleModule, values: dict[str, t.Any]
+            ) -> dict[str, t.Any]:
+                return values
+
+        self.preprocess = preprocess
+        self.options: list[Option] = []
+        self.all_options: list[Option] = []
+        self.engines: dict[str, Engine] = {}
+        self.ansible_mutually_exclusive = ansible_mutually_exclusive or []
+        self.ansible_required_together = ansible_required_together or []
+        self.ansible_required_one_of = ansible_required_one_of or []
+        self.ansible_required_if = ansible_required_if or []
+        self.ansible_required_by = ansible_required_by or {}
+        self.argument_spec: dict[str, t.Any] = {}
+
+    def add_option(self, name: str, **kwargs: t.Any) -> OptionGroup:
+        option = Option(name, owner=self, **kwargs)
+        if not option.not_a_container_option:
+            self.options.append(option)
+        self.all_options.append(option)
+        if not option.not_an_ansible_option:
+            ansible_option: dict[str, t.Any] = {
+                "type": option.ansible_type,
+            }
+            if option.ansible_elements is not None:
+                ansible_option["elements"] = option.ansible_elements
+            if option.ansible_suboptions is not None:
+                ansible_option["options"] = option.ansible_suboptions
+            if option.ansible_aliases:
+                ansible_option["aliases"] = option.ansible_aliases
+            if option.ansible_choices is not None:
+                ansible_option["choices"] = option.ansible_choices
+            self.argument_spec[option.name] = ansible_option
+        return self
+
+    def supports_engine(self, engine_name: str) -> bool:
+        return engine_name in self.engines
+
+    def get_engine(self, engine_name: str) -> Engine:
+        return self.engines[engine_name]
+
+    def add_engine(self, engine_name: str, engine: Engine) -> OptionGroup:
+        self.engines[engine_name] = engine
+        return self
+
+
+class Engine(t.Generic[Client]):
+    min_api_version: str | None = None
+    min_api_version_obj: LooseVersion | None = None
+    extra_option_minimal_versions: dict[str, dict[str, t.Any]] | None = None
+
+    @abc.abstractmethod
+    def get_value(
+        self,
+        module: AnsibleModule,
+        container: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> dict[str, t.Any]:
+        pass
+
+    def compare_value(
+        self, option: Option, param_value: t.Any, container_value: t.Any
+    ) -> bool:
+        return option.compare(param_value, container_value)
+
+    @abc.abstractmethod
+    def set_value(
+        self,
+        module: AnsibleModule,
+        data: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def get_expected_values(
+        self,
+        module: AnsibleModule,
+        client: Client,
+        api_version: LooseVersion,
+        options: list[Option],
+        image: dict[str, t.Any] | None,
+        values: dict[str, t.Any],
+        host_info: dict[str, t.Any] | None,
+    ) -> dict[str, t.Any]:
+        pass
+
+    @abc.abstractmethod
+    def ignore_mismatching_result(
+        self,
+        module: AnsibleModule,
+        client: Client,
+        api_version: LooseVersion,
+        option: Option,
+        image: dict[str, t.Any] | None,
+        container_value: t.Any,
+        expected_value: t.Any,
+        host_info: dict[str, t.Any] | None,
+    ) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def preprocess_value(
+        self,
+        module: AnsibleModule,
+        client: Client,
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> dict[str, t.Any]:
+        pass
+
+    @abc.abstractmethod
+    def update_value(
+        self,
+        module: AnsibleModule,
+        data: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def can_set_value(self, api_version: LooseVersion) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def can_update_value(self, api_version: LooseVersion) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def needs_container_image(self, values: dict[str, t.Any]) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def needs_host_info(self, values: dict[str, t.Any]) -> bool:
+        pass
+
+
+class EngineDriver(t.Generic[Client]):
+    name: str
+
+    @abc.abstractmethod
+    def setup(
+        self,
+        argument_spec: dict[str, t.Any],
+        mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        required_together: Sequence[Sequence[str]] | None = None,
+        required_one_of: Sequence[Sequence[str]] | None = None,
+        required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        required_by: dict[str, Sequence[str]] | None = None,
+    ) -> tuple[AnsibleModule, list[OptionGroup], Client]:
+        pass
+
+    @abc.abstractmethod
+    def get_host_info(self, client: Client) -> dict[str, t.Any]:
+        pass
+
+    @abc.abstractmethod
+    def get_api_version(self, client: Client) -> LooseVersion:
+        pass
+
+    @abc.abstractmethod
+    def get_container_id(self, container: dict[str, t.Any]) -> str:
+        pass
+
+    @abc.abstractmethod
+    def get_image_from_container(self, container: dict[str, t.Any]) -> str:
+        pass
+
+    @abc.abstractmethod
+    def get_image_name_from_container(self, container: dict[str, t.Any]) -> str | None:
+        pass
+
+    @abc.abstractmethod
+    def is_container_removing(self, container: dict[str, t.Any]) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def is_container_running(self, container: dict[str, t.Any]) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def is_container_paused(self, container: dict[str, t.Any]) -> bool:
+        pass
+
+    @abc.abstractmethod
+    def inspect_container_by_name(
+        self, client: Client, container_name: str
+    ) -> dict[str, t.Any] | None:
+        pass
+
+    @abc.abstractmethod
+    def inspect_container_by_id(
+        self, client: Client, container_id: str
+    ) -> dict[str, t.Any] | None:
+        pass
+
+    @abc.abstractmethod
+    def inspect_image_by_id(
+        self, client: Client, image_id: str
+    ) -> dict[str, t.Any] | None:
+        pass
+
+    @abc.abstractmethod
+    def inspect_image_by_name(
+        self, client: Client, repository: str, tag: str
+    ) -> dict[str, t.Any] | None:
+        pass
+
+    @abc.abstractmethod
+    def pull_image(
+        self,
+        client: Client,
+        repository: str,
+        tag: str,
+        image_platform: str | None = None,
+    ) -> tuple[dict[str, t.Any] | None, bool]:
+        pass
+
+    @abc.abstractmethod
+    def pause_container(self, client: Client, container_id: str) -> None:
+        pass
+
+    @abc.abstractmethod
+    def unpause_container(self, client: Client, container_id: str) -> None:
+        pass
+
+    @abc.abstractmethod
+    def disconnect_container_from_network(
+        self, client: Client, container_id: str, network_id: str
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def connect_container_to_network(
+        self,
+        client: Client,
+        container_id: str,
+        network_id: str,
+        parameters: dict[str, t.Any] | None = None,
+    ) -> None:
+        pass
+
+    def create_container_supports_more_than_one_network(self, client: Client) -> bool:
+        return False
+
+    @abc.abstractmethod
+    def create_container(
+        self,
+        client: Client,
+        container_name: str,
+        create_parameters: dict[str, t.Any],
+        networks: dict[str, dict[str, t.Any]] | None = None,
+    ) -> str:
+        pass
+
+    @abc.abstractmethod
+    def start_container(self, client: Client, container_id: str) -> None:
+        pass
+
+    @abc.abstractmethod
+    def wait_for_container(
+        self, client: Client, container_id: str, timeout: int | float | None = None
+    ) -> int | None:
+        pass
+
+    @abc.abstractmethod
+    def get_container_output(
+        self, client: Client, container_id: str
+    ) -> tuple[bytes, t.Literal[True]] | tuple[str, t.Literal[False]]:
+        pass
+
+    @abc.abstractmethod
+    def update_container(
+        self, client: Client, container_id: str, update_parameters: dict[str, t.Any]
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def restart_container(
+        self, client: Client, container_id: str, timeout: int | float | None = None
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def kill_container(
+        self, client: Client, container_id: str, kill_signal: str | None = None
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def stop_container(
+        self, client: Client, container_id: str, timeout: int | float | None = None
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def remove_container(
+        self,
+        client: Client,
+        container_id: str,
+        remove_volumes: bool = False,
+        link: bool = False,
+        force: bool = False,
+    ) -> None:
+        pass
+
+    @abc.abstractmethod
+    def run(self, runner: Callable[[], None], client: Client) -> None:
+        pass
+
+
+def _is_volume_permissions(mode: str) -> bool:
+    for part in mode.split(","):
+        if part not in (
+            "rw",
+            "ro",
+            "z",
+            "Z",
+            "consistent",
+            "delegated",
+            "cached",
+            "rprivate",
+            "private",
+            "rshared",
+            "shared",
+            "rslave",
+            "slave",
+            "nocopy",
+        ):
+            return False
+    return True
+
+
+def _parse_port_range(range_or_port: str, module: AnsibleModule) -> list[int]:
+    """
+    Parses a string containing either a single port or a range of ports.
+
+    Returns a list of integers for each port in the list.
+    """
+    if "-" in range_or_port:
+        try:
+            start, end = [int(port) for port in range_or_port.split("-")]
+        except ValueError:
+            module.fail_json(msg=f'Invalid port range: "{range_or_port}"')
+        if end < start:
+            module.fail_json(msg=f'Invalid port range: "{range_or_port}"')
+        return list(range(start, end + 1))
+    try:
+        return [int(range_or_port)]
+    except ValueError:
+        module.fail_json(msg=f'Invalid port: "{range_or_port}"')
+
+
+def _split_colon_ipv6(text: str, module: AnsibleModule) -> list[str]:
+    """
+    Split string by ':', while keeping IPv6 addresses in square brackets in one component.
+    """
+    if "[" not in text:
+        return text.split(":")
+    start = 0
+    result = []
+    while start < len(text):
+        i = text.find("[", start)
+        if i < 0:
+            result.extend(text[start:].split(":"))
+            break
+        j = text.find("]", i)
+        if j < 0:
+            module.fail_json(
+                msg=f'Cannot find closing "]" in input "{text}" for opening "[" at index {i + 1}!'
+            )
+        result.extend(text[start:i].split(":"))
+        k = text.find(":", j)
+        if k < 0:
+            result[-1] += text[i:]
+            start = len(text)
+        else:
+            result[-1] += text[i:k]
+            if k == len(text):
+                result.append("")
+                break
+            start = k + 1
+    return result
+
+
+def _preprocess_command(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "command" not in values:
+        return values
+    value = values["command"]
+    if module.params["command_handling"] == "correct":
+        if value is not None:
+            if not isinstance(value, list):
+                # convert from str to list
+                value = shlex.split(to_text(value, errors="surrogate_or_strict"))
+            value = [to_text(x, errors="surrogate_or_strict") for x in value]
+    elif value:
+        # convert from list to str
+        if isinstance(value, list):
+            value = shlex.split(
+                " ".join([to_text(x, errors="surrogate_or_strict") for x in value])
+            )
+            value = [to_text(x, errors="surrogate_or_strict") for x in value]
+        else:
+            value = shlex.split(to_text(value, errors="surrogate_or_strict"))
+            value = [to_text(x, errors="surrogate_or_strict") for x in value]
+    else:
+        return {}
+    return {
+        "command": value,
+    }
+
+
+def _preprocess_entrypoint(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "entrypoint" not in values:
+        return values
+    value = values["entrypoint"]
+    if module.params["command_handling"] == "correct":
+        if value is not None:
+            value = [to_text(x, errors="surrogate_or_strict") for x in value]
+    elif value:
+        # convert from list to str.
+        value = shlex.split(
+            " ".join([to_text(x, errors="surrogate_or_strict") for x in value])
+        )
+        value = [to_text(x, errors="surrogate_or_strict") for x in value]
+    else:
+        return {}
+    return {
+        "entrypoint": value,
+    }
+
+
+def _preprocess_env(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if not values:
+        return {}
+    final_env = {}
+    if "env_file" in values:
+        parsed_env_file = parse_env_file(values["env_file"])
+        for name, value in parsed_env_file.items():
+            final_env[name] = to_text(value, errors="surrogate_or_strict")
+    if "env" in values:
+        for name, value in values["env"].items():
+            if not isinstance(value, str):
+                module.fail_json(
+                    msg="Non-string value found for env option. Ambiguous env options must be "
+                    "wrapped in quotes to avoid them being interpreted when directly specified "
+                    "in YAML, or explicitly converted to strings when the option is templated. "
+                    f"Key: {name}"
+                )
+            final_env[name] = to_text(value, errors="surrogate_or_strict")
+    formatted_env = []
+    for key, value in final_env.items():
+        formatted_env.append(f"{key}={value}")
+    return {
+        "env": formatted_env,
+    }
+
+
+def _preprocess_healthcheck(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if not values:
+        return {}
+    return {
+        "healthcheck": normalize_healthcheck(
+            values["healthcheck"], normalize_test=False
+        ),
+    }
+
+
+def _preprocess_convert_to_bytes(
+    module: AnsibleModule,
+    values: dict[str, t.Any],
+    name: str,
+    unlimited_value: int | None = None,
+) -> dict[str, t.Any]:
+    if name not in values:
+        return values
+    try:
+        value = values[name]
+        if unlimited_value is not None and value in ("unlimited", str(unlimited_value)):
+            value = unlimited_value
+        else:
+            value = human_to_bytes(value)
+        values[name] = value
+        return values
+    except ValueError as exc:
+        module.fail_json(msg=f"Failed to convert {name} to bytes: {exc}")
+
+
+def _preprocess_mac_address(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "mac_address" not in values:
+        return values
+    return {
+        "mac_address": values["mac_address"].replace("-", ":"),
+    }
+
+
+def _preprocess_networks(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if (
+        module.params["networks_cli_compatible"] is True
+        and values.get("networks")
+        and "network_mode" not in values
+    ):
+        # Same behavior as Docker CLI: if networks are specified, use the name of the first network as the value for network_mode
+        # (assuming no explicit value is specified for network_mode)
+        values["network_mode"] = values["networks"][0]["name"]
+
+    if "networks" in values:
+        for network in values["networks"]:
+            if network["links"]:
+                parsed_links = []
+                for link in network["links"]:
+                    parsed_link = link.split(":", 1)
+                    if len(parsed_link) == 1:
+                        parsed_link = (link, link)
+                    parsed_links.append(tuple(parsed_link))
+                network["links"] = parsed_links
+            if network["mac_address"]:
+                network["mac_address"] = network["mac_address"].replace("-", ":")
+
+    return values
+
+
+def _preprocess_sysctls(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "sysctls" in values:
+        for key, value in values["sysctls"].items():
+            values["sysctls"][key] = to_text(value, errors="surrogate_or_strict")
+    return values
+
+
+def _preprocess_tmpfs(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "tmpfs" not in values:
+        return values
+    result = {}
+    for tmpfs_spec in values["tmpfs"]:
+        split_spec = tmpfs_spec.split(":", 1)
+        if len(split_spec) > 1:
+            result[split_spec[0]] = split_spec[1]
+        else:
+            result[split_spec[0]] = ""
+    return {"tmpfs": result}
+
+
+def _preprocess_ulimits(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "ulimits" not in values:
+        return values
+    result = []
+    for limit in values["ulimits"]:
+        limits = {}
+        pieces = limit.split(":")
+        if len(pieces) >= 2:
+            limits["Name"] = pieces[0]
+            limits["Soft"] = int(pieces[1])
+            limits["Hard"] = int(pieces[1])
+        if len(pieces) == 3:
+            limits["Hard"] = int(pieces[2])
+        result.append(limits)
+    return {
+        "ulimits": result,
+    }
+
+
+def _preprocess_mounts(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    last: dict[str, str] = {}
+
+    def check_collision(target: str, name: str) -> None:
+        if target in last:
+            if name == last[target]:
+                module.fail_json(
+                    msg=f'The mount point "{target}" appears twice in the {name} option'
+                )
+            else:
+                module.fail_json(
+                    msg=f'The mount point "{target}" appears both in the {name} and {last[target]} option'
+                )
+        last[target] = name
+
+    if "mounts" in values:
+        mounts = []
+        for mount in values["mounts"]:
+            target = mount["target"]
+            mount_type = mount["type"]
+
+            check_collision(target, "mounts")
+
+            mount_dict = dict(mount)
+
+            # Sanity checks
+            if mount["source"] is None and mount_type not in (
+                "tmpfs",
+                "volume",
+                "image",
+                "cluster",
+            ):
+                module.fail_json(
+                    msg=f'source must be specified for mount "{target}" of type "{mount_type}"'
+                )
+            for option, req_mount_types in _MOUNT_OPTION_TYPES.items():
+                if mount[option] is not None and mount_type not in req_mount_types:
+                    type_plural = "" if len(req_mount_types) == 1 else "s"
+                    type_list = '", "'.join(req_mount_types)
+                    module.fail_json(
+                        msg=f'{option} cannot be specified for mount "{target}" of type "{mount_type}" (needs type{type_plural} "{type_list}")'
+                    )
+
+            # Streamline options
+            volume_options = mount_dict.pop("volume_options")
+            if mount_dict["volume_driver"] and volume_options:
+                mount_dict["volume_options"] = clean_dict_booleans_for_docker_api(
+                    volume_options
+                )
+            if mount_dict["labels"]:
+                mount_dict["labels"] = clean_dict_booleans_for_docker_api(
+                    mount_dict["labels"]
+                )
+            if mount_dict["tmpfs_size"] is not None:
+                try:
+                    mount_dict["tmpfs_size"] = human_to_bytes(mount_dict["tmpfs_size"])
+                except ValueError as exc:
+                    module.fail_json(
+                        msg=f'Failed to convert tmpfs_size of mount "{target}" to bytes: {exc}'
+                    )
+            if mount_dict["tmpfs_mode"] is not None:
+                try:
+                    mount_dict["tmpfs_mode"] = int(mount_dict["tmpfs_mode"], 8)
+                except ValueError:
+                    module.fail_json(
+                        msg=f'tmp_fs mode of mount "{target}" is not an octal string!'
+                    )
+            if mount_dict["tmpfs_options"]:
+                opts = []
+                for idx, opt in enumerate(mount_dict["tmpfs_options"]):
+                    if len(opt) != 1:
+                        module.fail_json(
+                            msg=f'tmpfs_options[{idx + 1}] of mount "{target}" must be a one-element dictionary!'
+                        )
+                    k, v = list(opt.items())[0]
+                    if not isinstance(k, str):
+                        module.fail_json(
+                            msg=f'key {k!r} in tmpfs_options[{idx + 1}] of mount "{target}" must be a string!'
+                        )
+                    if v is not None and not isinstance(v, str):
+                        module.fail_json(
+                            msg=f'value {v!r} in tmpfs_options[{idx + 1}] of mount "{target}" must be a string or null/none!'
+                        )
+                    opts.append([k, v] if v is not None else [k])
+                mount_dict["tmpfs_options"] = opts
+
+            # Add result to list
+            mounts.append(omit_none_from_dict(mount_dict))
+        values["mounts"] = mounts
+    if "volumes" in values:
+        new_vols = []
+        for vol in values["volumes"]:
+            parts = vol.split(":")
+            if ":" in vol:
+                if len(parts) == 3:
+                    host, container, mode = parts
+                    if not _is_volume_permissions(mode):
+                        module.fail_json(msg=f"Found invalid volumes mode: {mode}")
+                    if re.match(r"[.~]", host):
+                        host = os.path.abspath(os.path.expanduser(host))
+                    check_collision(container, "volumes")
+                    new_vols.append(f"{host}:{container}:{mode}")
+                    continue
+                if (
+                    len(parts) == 2
+                    and not _is_volume_permissions(parts[1])
+                    and re.match(r"[.~]", parts[0])
+                ):
+                    host = os.path.abspath(os.path.expanduser(parts[0]))
+                    check_collision(parts[1], "volumes")
+                    new_vols.append(f"{host}:{parts[1]}:rw")
+                    continue
+            check_collision(parts[min(1, len(parts) - 1)], "volumes")
+            new_vols.append(vol)
+        values["volumes"] = new_vols
+        new_binds = []
+        for vol in new_vols:
+            host = None
+            if ":" in vol:
+                parts = vol.split(":")
+                if len(parts) == 3:
+                    host, container, mode = parts
+                    if not _is_volume_permissions(mode):
+                        module.fail_json(msg=f"Found invalid volumes mode: {mode}")
+                elif len(parts) == 2:
+                    if not _is_volume_permissions(parts[1]):
+                        host, container, mode = parts + ["rw"]
+            if host is not None:
+                new_binds.append(f"{host}:{container}:{mode}")
+        values["volume_binds"] = new_binds
+    return values
+
+
+def _preprocess_labels(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    result = {}
+    if "labels" in values:
+        labels = values["labels"]
+        if labels is not None:
+            labels = dict(labels)
+            sanitize_labels(labels, "labels", module=module)
+        result["labels"] = labels
+    return result
+
+
+def _preprocess_log(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    result: dict[str, t.Any] = {}
+    if "log_driver" not in values:
+        return result
+    result["log_driver"] = values["log_driver"]
+    if "log_options" in values:
+        options: dict[str, str] = {}
+        for k, v in values["log_options"].items():
+            if not isinstance(v, str):
+                value = to_text(v, errors="surrogate_or_strict")
+                module.warn(
+                    f"Non-string value found for log_options option '{k}'. The value is automatically converted to {value!r}. "
+                    "If this is not correct, or you want to avoid such warnings, please quote the value,"
+                    " or explicitly convert the values to strings when templating them."
+                )
+                v = value
+            options[k] = v
+        result["log_options"] = options
+    return result
+
+
+def _preprocess_ports(
+    module: AnsibleModule, values: dict[str, t.Any]
+) -> dict[str, t.Any]:
+    if "published_ports" in values:
+        if "all" in values["published_ports"]:
+            module.fail_json(
+                msg='Specifying "all" in published_ports is no longer allowed. Set publish_all_ports to "true" instead '
+                "to randomly assign port mappings for those not specified by published_ports."
+            )
+
+        binds: dict[
+            str | int,
+            tuple[str]
+            | tuple[str, str | int]
+            | list[tuple[str] | tuple[str, str | int]],
+        ] = {}
+        for port in values["published_ports"]:
+            parts = _split_colon_ipv6(
+                to_text(port, errors="surrogate_or_strict"), module
+            )
+            container_port = parts[-1]
+            protocol = ""
+            if "/" in container_port:
+                container_port, protocol = parts[-1].split("/")
+            container_ports = _parse_port_range(container_port, module)
+
+            p_len = len(parts)
+            port_binds: Sequence[tuple[str] | tuple[str, str | int]]
+            if p_len == 1:
+                port_binds = len(container_ports) * [(_DEFAULT_IP_REPLACEMENT_STRING,)]
+            elif p_len == 2:
+                if len(container_ports) == 1:
+                    port_binds = [(_DEFAULT_IP_REPLACEMENT_STRING, parts[0])]
+                else:
+                    port_binds = [
+                        (_DEFAULT_IP_REPLACEMENT_STRING, port)
+                        for port in _parse_port_range(parts[0], module)
+                    ]
+            elif p_len == 3:
+                # We only allow IPv4 and IPv6 addresses for the bind address
+                ipaddr = parts[0]
+                if not re.match(
+                    r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$", parts[0]
+                ) and not re.match(r"^\[[0-9a-fA-F:]+(?:|%[^\]/]+)\]$", ipaddr):
+                    module.fail_json(
+                        msg="Bind addresses for published ports must be IPv4 or IPv6 addresses, not hostnames. "
+                        f"Use the dig lookup to resolve hostnames. (Found hostname: {ipaddr})"
+                    )
+                if re.match(r"^\[[0-9a-fA-F:]+\]$", ipaddr):
+                    ipaddr = ipaddr[1:-1]
+                if parts[1]:
+                    if len(container_ports) == 1:
+                        port_binds = [(ipaddr, parts[1])]
+                    else:
+                        port_binds = [
+                            (ipaddr, port)
+                            for port in _parse_port_range(parts[1], module)
+                        ]
+                else:
+                    port_binds = len(container_ports) * [(ipaddr,)]
+            else:
+                module.fail_json(
+                    msg=f'Invalid port description "{port}" - expected 1 to 3 colon-separated parts, but got {p_len}. '
+                    "Maybe you forgot to use square brackets ([...]) around an IPv6 address?"
+                )
+
+            for bind, container_port_val in zip(port_binds, container_ports):
+                idx = (
+                    f"{container_port_val}/{protocol}"
+                    if protocol
+                    else container_port_val
+                )
+                if idx in binds:
+                    old_bind = binds[idx]
+                    if isinstance(old_bind, list):
+                        old_bind.append(bind)
+                    else:
+                        binds[idx] = [old_bind, bind]
+                else:
+                    binds[idx] = bind
+        values["published_ports"] = binds
+
+    exposed: set[tuple[int, str]] = set()
+    if "exposed_ports" in values:
+        for port in values["exposed_ports"]:
+            port = to_text(port, errors="surrogate_or_strict").strip()
+            protocol = "tcp"
+            parts = port.split("/", maxsplit=1)
+            if len(parts) == 2:
+                port, protocol = parts
+            parts = port.split("-", maxsplit=1)
+            if len(parts) < 2:
+                try:
+                    exposed.add((int(port), protocol))
+                except ValueError as e:
+                    module.fail_json(msg=f"Cannot parse port {port!r}: {e}")
+            else:
+                try:
+                    start_port = int(parts[0])
+                    end_port = int(parts[1])
+                    if start_port > end_port:
+                        raise ValueError(
+                            "start port must be smaller or equal to end port."
+                        )
+                except ValueError as e:
+                    module.fail_json(msg=f"Cannot parse port range {port!r}: {e}")
+                for port in range(start_port, end_port + 1):
+                    exposed.add((port, protocol))
+    if "published_ports" in values:
+        # Any published port should also be exposed
+        for publish_port in values["published_ports"]:
+            if isinstance(publish_port, str) and "/" in publish_port:
+                port, protocol = publish_port.split("/")
+                port = int(port)
+            else:
+                protocol = "tcp"
+                port = int(publish_port)
+            exposed.add((port, protocol))
+    values["ports"] = sorted(exposed)
+    return values
+
+
+def _compare_platform(
+    option: Option, param_value: t.Any, container_value: t.Any
+) -> bool:
+    if option.comparison == "ignore":
+        return True
+    try:
+        return compare_platform_strings(param_value, container_value)
+    except ValueError:
+        return param_value == container_value
+
+
+OPTION_AUTO_REMOVE = OptionGroup().add_option("auto_remove", value_type="bool")
+
+OPTION_BLKIO_WEIGHT = OptionGroup().add_option("blkio_weight", value_type="int")
+
+OPTION_CAPABILITIES = OptionGroup().add_option(
+    "capabilities", value_type="set", elements="str"
+)
+
+OPTION_CAP_DROP = OptionGroup().add_option("cap_drop", value_type="set", elements="str")
+
+OPTION_CGROUP_NS_MODE = OptionGroup().add_option(
+    "cgroupns_mode", value_type="str", ansible_choices=["private", "host"]
+)
+
+OPTION_CGROUP_PARENT = OptionGroup().add_option("cgroup_parent", value_type="str")
+
+OPTION_COMMAND = OptionGroup(preprocess=_preprocess_command).add_option(
+    "command", value_type="list", elements="str", ansible_type="raw"
+)
+
+OPTION_CPU_PERIOD = OptionGroup().add_option("cpu_period", value_type="int")
+
+OPTION_CPU_QUOTA = OptionGroup().add_option("cpu_quota", value_type="int")
+
+OPTION_CPUSET_CPUS = OptionGroup().add_option("cpuset_cpus", value_type="str")
+
+OPTION_CPUSET_MEMS = OptionGroup().add_option("cpuset_mems", value_type="str")
+
+OPTION_CPU_SHARES = OptionGroup().add_option("cpu_shares", value_type="int")
+
+OPTION_ENTRYPOINT = OptionGroup(preprocess=_preprocess_entrypoint).add_option(
+    "entrypoint", value_type="list", elements="str"
+)
+
+OPTION_CPUS = OptionGroup().add_option("cpus", value_type="int", ansible_type="float")
+
+OPTION_DETACH_INTERACTIVE = (
+    OptionGroup()
+    .add_option("detach", value_type="bool")
+    .add_option("interactive", value_type="bool")
+)
+
+OPTION_DEVICES = OptionGroup().add_option(
+    "devices", value_type="set", elements="dict", ansible_elements="str"
+)
+
+OPTION_DEVICE_READ_BPS = OptionGroup().add_option(
+    "device_read_bps",
+    value_type="set",
+    elements="dict",
+    ansible_suboptions={
+        "path": {"type": "str", "required": True},
+        "rate": {"type": "str", "required": True},
+    },
+)
+
+OPTION_DEVICE_WRITE_BPS = OptionGroup().add_option(
+    "device_write_bps",
+    value_type="set",
+    elements="dict",
+    ansible_suboptions={
+        "path": {"type": "str", "required": True},
+        "rate": {"type": "str", "required": True},
+    },
+)
+
+OPTION_DEVICE_READ_IOPS = OptionGroup().add_option(
+    "device_read_iops",
+    value_type="set",
+    elements="dict",
+    ansible_suboptions={
+        "path": {"type": "str", "required": True},
+        "rate": {"type": "int", "required": True},
+    },
+)
+
+OPTION_DEVICE_WRITE_IOPS = OptionGroup().add_option(
+    "device_write_iops",
+    value_type="set",
+    elements="dict",
+    ansible_suboptions={
+        "path": {"type": "str", "required": True},
+        "rate": {"type": "int", "required": True},
+    },
+)
+
+OPTION_DEVICE_REQUESTS = OptionGroup().add_option(
+    "device_requests",
+    value_type="set",
+    elements="dict",
+    ansible_suboptions={
+        "capabilities": {"type": "list", "elements": "list"},
+        "count": {"type": "int"},
+        "device_ids": {"type": "list", "elements": "str"},
+        "driver": {"type": "str"},
+        "options": {"type": "dict"},
+    },
+)
+
+OPTION_DEVICE_CGROUP_RULES = OptionGroup().add_option(
+    "device_cgroup_rules", value_type="list", elements="str"
+)
+
+OPTION_DNS_SERVERS = OptionGroup().add_option(
+    "dns_servers", value_type="list", elements="str"
+)
+
+OPTION_DNS_OPTS = OptionGroup().add_option("dns_opts", value_type="set", elements="str")
+
+OPTION_DNS_SEARCH_DOMAINS = OptionGroup().add_option(
+    "dns_search_domains", value_type="list", elements="str"
+)
+
+OPTION_DOMAINNAME = OptionGroup().add_option("domainname", value_type="str")
+
+OPTION_ENVIRONMENT = (
+    OptionGroup(preprocess=_preprocess_env)
+    .add_option(
+        "env",
+        value_type="set",
+        ansible_type="dict",
+        elements="str",
+        needs_no_suboptions=True,
+    )
+    .add_option(
+        "env_file",
+        value_type="set",
+        ansible_type="path",
+        elements="str",
+        not_a_container_option=True,
+    )
+)
+
+OPTION_ETC_HOSTS = OptionGroup().add_option(
+    "etc_hosts",
+    value_type="set",
+    ansible_type="dict",
+    elements="str",
+    needs_no_suboptions=True,
+)
+
+OPTION_GROUPS = OptionGroup().add_option("groups", value_type="set", elements="str")
+
+OPTION_HEALTHCHECK = OptionGroup(preprocess=_preprocess_healthcheck).add_option(
+    "healthcheck",
+    value_type="dict",
+    ansible_suboptions={
+        "test": {"type": "raw"},
+        "test_cli_compatible": {"type": "bool", "default": False},
+        "interval": {"type": "str"},
+        "timeout": {"type": "str"},
+        "start_period": {"type": "str"},
+        "start_interval": {"type": "str"},
+        "retries": {"type": "int"},
+    },
+)
+
+OPTION_HOSTNAME = OptionGroup().add_option("hostname", value_type="str")
+
+OPTION_IMAGE = OptionGroup().add_option("image", value_type="str")
+
+OPTION_INIT = OptionGroup().add_option("init", value_type="bool")
+
+OPTION_IPC_MODE = OptionGroup().add_option("ipc_mode", value_type="str")
+
+OPTION_KERNEL_MEMORY = OptionGroup(
+    preprocess=partial(_preprocess_convert_to_bytes, name="kernel_memory")
+).add_option("kernel_memory", value_type="int", ansible_type="str")
+
+OPTION_LABELS = OptionGroup(preprocess=_preprocess_labels).add_option(
+    "labels", value_type="dict", needs_no_suboptions=True
+)
+
+OPTION_LINKS = OptionGroup().add_option(
+    "links", value_type="set", elements="list", ansible_elements="str"
+)
+
+OPTION_LOG_DRIVER_OPTIONS = (
+    OptionGroup(
+        preprocess=_preprocess_log, ansible_required_by={"log_options": ["log_driver"]}
+    )
+    .add_option("log_driver", value_type="str")
+    .add_option(
+        "log_options",
+        value_type="dict",
+        ansible_aliases=["log_opt"],
+        needs_no_suboptions=True,
+    )
+)
+
+OPTION_MAC_ADDRESS = OptionGroup(preprocess=_preprocess_mac_address).add_option(
+    "mac_address", value_type="str"
+)
+
+OPTION_MEMORY = OptionGroup(
+    preprocess=partial(_preprocess_convert_to_bytes, name="memory")
+).add_option("memory", value_type="int", ansible_type="str")
+
+OPTION_MEMORY_RESERVATION = OptionGroup(
+    preprocess=partial(_preprocess_convert_to_bytes, name="memory_reservation")
+).add_option("memory_reservation", value_type="int", ansible_type="str")
+
+OPTION_MEMORY_SWAP = OptionGroup(
+    preprocess=partial(
+        _preprocess_convert_to_bytes, name="memory_swap", unlimited_value=-1
+    )
+).add_option("memory_swap", value_type="int", ansible_type="str")
+
+OPTION_MEMORY_SWAPPINESS = OptionGroup().add_option(
+    "memory_swappiness", value_type="int"
+)
+
+OPTION_STOP_TIMEOUT = OptionGroup().add_option(
+    "stop_timeout", value_type="int", default_comparison="ignore"
+)
+
+OPTION_NETWORK = (
+    OptionGroup(preprocess=_preprocess_networks)
+    .add_option("network_mode", value_type="str")
+    .add_option(
+        "networks",
+        value_type="set",
+        elements="dict",
+        ansible_suboptions={
+            "name": {"type": "str", "required": True},
+            "ipv4_address": {"type": "str"},
+            "ipv6_address": {"type": "str"},
+            "aliases": {"type": "list", "elements": "str"},
+            "links": {"type": "list", "elements": "str"},
+            "mac_address": {"type": "str"},
+            "driver_opts": {"type": "dict"},
+            "gw_priority": {"type": "int"},
+        },
+    )
+)
+
+OPTION_OOM_KILLER = OptionGroup().add_option("oom_killer", value_type="bool")
+
+OPTION_OOM_SCORE_ADJ = OptionGroup().add_option("oom_score_adj", value_type="int")
+
+OPTION_PID_MODE = OptionGroup().add_option("pid_mode", value_type="str")
+
+OPTION_PIDS_LIMIT = OptionGroup().add_option("pids_limit", value_type="int")
+
+OPTION_PLATFORM = OptionGroup().add_option(
+    "platform", value_type="str", compare=_compare_platform
+)
+
+OPTION_PRIVILEGED = OptionGroup().add_option("privileged", value_type="bool")
+
+OPTION_READ_ONLY = OptionGroup().add_option("read_only", value_type="bool")
+
+OPTION_RESTART_POLICY = (
+    OptionGroup(ansible_required_by={"restart_retries": ["restart_policy"]})
+    .add_option(
+        "restart_policy",
+        value_type="str",
+        ansible_choices=["no", "on-failure", "always", "unless-stopped"],
+    )
+    .add_option("restart_retries", value_type="int")
+)
+
+OPTION_RUNTIME = OptionGroup().add_option("runtime", value_type="str")
+
+OPTION_SECURITY_OPTS = OptionGroup().add_option(
+    "security_opts", value_type="set", elements="str"
+)
+
+OPTION_SHM_SIZE = OptionGroup(
+    preprocess=partial(_preprocess_convert_to_bytes, name="shm_size")
+).add_option("shm_size", value_type="int", ansible_type="str")
+
+OPTION_STOP_SIGNAL = OptionGroup().add_option("stop_signal", value_type="str")
+
+OPTION_STORAGE_OPTS = OptionGroup().add_option(
+    "storage_opts", value_type="dict", needs_no_suboptions=True
+)
+
+OPTION_SYSCTLS = OptionGroup(preprocess=_preprocess_sysctls).add_option(
+    "sysctls", value_type="dict", needs_no_suboptions=True
+)
+
+OPTION_TMPFS = OptionGroup(preprocess=_preprocess_tmpfs).add_option(
+    "tmpfs", value_type="dict", ansible_type="list", ansible_elements="str"
+)
+
+OPTION_TTY = OptionGroup().add_option("tty", value_type="bool")
+
+OPTION_ULIMITS = OptionGroup(preprocess=_preprocess_ulimits).add_option(
+    "ulimits", value_type="set", elements="dict", ansible_elements="str"
+)
+
+OPTION_USER = OptionGroup().add_option("user", value_type="str")
+
+OPTION_USERNS_MODE = OptionGroup().add_option("userns_mode", value_type="str")
+
+OPTION_UTS = OptionGroup().add_option("uts", value_type="str")
+
+OPTION_VOLUME_DRIVER = OptionGroup().add_option("volume_driver", value_type="str")
+
+OPTION_VOLUMES_FROM = OptionGroup().add_option(
+    "volumes_from", value_type="set", elements="str"
+)
+
+OPTION_WORKING_DIR = OptionGroup().add_option("working_dir", value_type="str")
+
+OPTION_MOUNTS_VOLUMES = (
+    OptionGroup(preprocess=_preprocess_mounts)
+    .add_option(
+        "mounts",
+        value_type="set",
+        elements="dict",
+        ansible_suboptions={
+            "target": {"type": "str", "required": True},
+            "source": {"type": "str"},
+            "type": {
+                "type": "str",
+                "choices": ["bind", "volume", "tmpfs", "npipe", "cluster", "image"],
+                "default": "volume",
+            },
+            "read_only": {"type": "bool"},
+            "consistency": {
+                "type": "str",
+                "choices": ["default", "consistent", "cached", "delegated"],
+            },
+            "propagation": {
+                "type": "str",
+                "choices": [
+                    "private",
+                    "rprivate",
+                    "shared",
+                    "rshared",
+                    "slave",
+                    "rslave",
+                ],
+            },
+            "no_copy": {"type": "bool"},
+            "labels": {"type": "dict"},
+            "volume_driver": {"type": "str"},
+            "volume_options": {"type": "dict"},
+            "tmpfs_size": {"type": "str"},
+            "tmpfs_mode": {"type": "str"},
+            "non_recursive": {"type": "bool"},
+            "create_mountpoint": {"type": "bool"},
+            "read_only_non_recursive": {"type": "bool"},
+            "read_only_force_recursive": {"type": "bool"},
+            "subpath": {"type": "str"},
+            "tmpfs_options": {"type": "list", "elements": "dict"},
+        },
+    )
+    .add_option("volumes", value_type="set", elements="str")
+    .add_option(
+        "volume_binds",
+        value_type="set",
+        elements="str",
+        not_an_ansible_option=True,
+        copy_comparison_from="volumes",
+    )
+)
+
+OPTION_PORTS = (
+    OptionGroup(preprocess=_preprocess_ports)
+    .add_option(
+        "exposed_ports",
+        value_type="set",
+        elements="str",
+        ansible_aliases=["exposed", "expose"],
+    )
+    .add_option("publish_all_ports", value_type="bool")
+    .add_option(
+        "published_ports",
+        value_type="dict",
+        ansible_type="list",
+        ansible_elements="str",
+        ansible_aliases=["ports"],
+    )
+    .add_option(
+        "ports",
+        value_type="set",
+        elements="str",
+        not_an_ansible_option=True,
+        default_comparison="ignore",
+    )
+)
+
+OPTIONS = [
+    OPTION_AUTO_REMOVE,
+    OPTION_BLKIO_WEIGHT,
+    OPTION_CAPABILITIES,
+    OPTION_CAP_DROP,
+    OPTION_CGROUP_NS_MODE,
+    OPTION_CGROUP_PARENT,
+    OPTION_COMMAND,
+    OPTION_CPU_PERIOD,
+    OPTION_CPU_QUOTA,
+    OPTION_CPUSET_CPUS,
+    OPTION_CPUSET_MEMS,
+    OPTION_CPU_SHARES,
+    OPTION_ENTRYPOINT,
+    OPTION_CPUS,
+    OPTION_DETACH_INTERACTIVE,
+    OPTION_DEVICES,
+    OPTION_DEVICE_READ_BPS,
+    OPTION_DEVICE_WRITE_BPS,
+    OPTION_DEVICE_READ_IOPS,
+    OPTION_DEVICE_WRITE_IOPS,
+    OPTION_DEVICE_REQUESTS,
+    OPTION_DEVICE_CGROUP_RULES,
+    OPTION_DNS_SERVERS,
+    OPTION_DNS_OPTS,
+    OPTION_DNS_SEARCH_DOMAINS,
+    OPTION_DOMAINNAME,
+    OPTION_ENVIRONMENT,
+    OPTION_ETC_HOSTS,
+    OPTION_GROUPS,
+    OPTION_HEALTHCHECK,
+    OPTION_HOSTNAME,
+    OPTION_IMAGE,
+    OPTION_INIT,
+    OPTION_IPC_MODE,
+    OPTION_KERNEL_MEMORY,
+    OPTION_LABELS,
+    OPTION_LINKS,
+    OPTION_LOG_DRIVER_OPTIONS,
+    OPTION_MAC_ADDRESS,
+    OPTION_MEMORY,
+    OPTION_MEMORY_RESERVATION,
+    OPTION_MEMORY_SWAP,
+    OPTION_MEMORY_SWAPPINESS,
+    OPTION_STOP_TIMEOUT,
+    OPTION_NETWORK,
+    OPTION_OOM_KILLER,
+    OPTION_OOM_SCORE_ADJ,
+    OPTION_PID_MODE,
+    OPTION_PIDS_LIMIT,
+    OPTION_PLATFORM,
+    OPTION_PRIVILEGED,
+    OPTION_READ_ONLY,
+    OPTION_RESTART_POLICY,
+    OPTION_RUNTIME,
+    OPTION_SECURITY_OPTS,
+    OPTION_SHM_SIZE,
+    OPTION_STOP_SIGNAL,
+    OPTION_STORAGE_OPTS,
+    OPTION_SYSCTLS,
+    OPTION_TMPFS,
+    OPTION_TTY,
+    OPTION_ULIMITS,
+    OPTION_USER,
+    OPTION_USERNS_MODE,
+    OPTION_UTS,
+    OPTION_VOLUME_DRIVER,
+    OPTION_VOLUMES_FROM,
+    OPTION_WORKING_DIR,
+    OPTION_MOUNTS_VOLUMES,
+    OPTION_PORTS,
+]
diff --git a/ansible_collections/community/docker/plugins/module_utils/_module_container/docker_api.py b/ansible_collections/community/docker/plugins/module_utils/_module_container/docker_api.py
new file mode 100644
index 00000000..2e6eefe6
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_module_container/docker_api.py
@@ -0,0 +1,2614 @@
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    convert_port_bindings,
+    normalize_links,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._module_container.base import (
+    _DEFAULT_IP_REPLACEMENT_STRING,
+    OPTION_AUTO_REMOVE,
+    OPTION_BLKIO_WEIGHT,
+    OPTION_CAP_DROP,
+    OPTION_CAPABILITIES,
+    OPTION_CGROUP_NS_MODE,
+    OPTION_CGROUP_PARENT,
+    OPTION_COMMAND,
+    OPTION_CPU_PERIOD,
+    OPTION_CPU_QUOTA,
+    OPTION_CPU_SHARES,
+    OPTION_CPUS,
+    OPTION_CPUSET_CPUS,
+    OPTION_CPUSET_MEMS,
+    OPTION_DETACH_INTERACTIVE,
+    OPTION_DEVICE_CGROUP_RULES,
+    OPTION_DEVICE_READ_BPS,
+    OPTION_DEVICE_READ_IOPS,
+    OPTION_DEVICE_REQUESTS,
+    OPTION_DEVICE_WRITE_BPS,
+    OPTION_DEVICE_WRITE_IOPS,
+    OPTION_DEVICES,
+    OPTION_DNS_OPTS,
+    OPTION_DNS_SEARCH_DOMAINS,
+    OPTION_DNS_SERVERS,
+    OPTION_DOMAINNAME,
+    OPTION_ENTRYPOINT,
+    OPTION_ENVIRONMENT,
+    OPTION_ETC_HOSTS,
+    OPTION_GROUPS,
+    OPTION_HEALTHCHECK,
+    OPTION_HOSTNAME,
+    OPTION_IMAGE,
+    OPTION_INIT,
+    OPTION_IPC_MODE,
+    OPTION_KERNEL_MEMORY,
+    OPTION_LABELS,
+    OPTION_LINKS,
+    OPTION_LOG_DRIVER_OPTIONS,
+    OPTION_MAC_ADDRESS,
+    OPTION_MEMORY,
+    OPTION_MEMORY_RESERVATION,
+    OPTION_MEMORY_SWAP,
+    OPTION_MEMORY_SWAPPINESS,
+    OPTION_MOUNTS_VOLUMES,
+    OPTION_NETWORK,
+    OPTION_OOM_KILLER,
+    OPTION_OOM_SCORE_ADJ,
+    OPTION_PID_MODE,
+    OPTION_PIDS_LIMIT,
+    OPTION_PLATFORM,
+    OPTION_PORTS,
+    OPTION_PRIVILEGED,
+    OPTION_READ_ONLY,
+    OPTION_RESTART_POLICY,
+    OPTION_RUNTIME,
+    OPTION_SECURITY_OPTS,
+    OPTION_SHM_SIZE,
+    OPTION_STOP_SIGNAL,
+    OPTION_STOP_TIMEOUT,
+    OPTION_STORAGE_OPTS,
+    OPTION_SYSCTLS,
+    OPTION_TMPFS,
+    OPTION_TTY,
+    OPTION_ULIMITS,
+    OPTION_USER,
+    OPTION_USERNS_MODE,
+    OPTION_UTS,
+    OPTION_VOLUME_DRIVER,
+    OPTION_VOLUMES_FROM,
+    OPTION_WORKING_DIR,
+    OPTIONS,
+    Engine,
+    EngineDriver,
+    _is_volume_permissions,
+)
+from ansible_collections.community.docker.plugins.module_utils._platform import (
+    compose_platform_string,
+    normalize_platform_string,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    normalize_healthcheck_test,
+    omit_none_from_dict,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable, Sequence
+
+    from ansible.module_utils.basic import AnsibleModule
+
+    from .base import Option, OptionGroup
+
+    Sentry = object
+
+
+_SENTRY: Sentry = object()
+
+
+class DockerAPIEngineDriver(EngineDriver[AnsibleDockerClient]):
+    name = "docker_api"
+
+    def setup(
+        self,
+        argument_spec: dict[str, t.Any],
+        mutually_exclusive: Sequence[Sequence[str]] | None = None,
+        required_together: Sequence[Sequence[str]] | None = None,
+        required_one_of: Sequence[Sequence[str]] | None = None,
+        required_if: (
+            Sequence[
+                tuple[str, t.Any, Sequence[str]]
+                | tuple[str, t.Any, Sequence[str], bool]
+            ]
+            | None
+        ) = None,
+        required_by: dict[str, Sequence[str]] | None = None,
+    ) -> tuple[AnsibleModule, list[OptionGroup], AnsibleDockerClient]:
+        argument_spec = dict(argument_spec or {})
+        mutually_exclusive = list(mutually_exclusive or [])
+        required_together = list(required_together or [])
+        required_one_of = list(required_one_of or [])
+        required_if = list(required_if or [])
+        required_by = dict(required_by or {})
+
+        active_options = []
+        option_minimal_versions = {}
+        for options in OPTIONS:
+            if not options.supports_engine(self.name):
+                continue
+
+            mutually_exclusive.extend(options.ansible_mutually_exclusive)
+            required_together.extend(options.ansible_required_together)
+            required_one_of.extend(options.ansible_required_one_of)
+            required_if.extend(options.ansible_required_if)
+            required_by.update(options.ansible_required_by)
+            argument_spec.update(options.argument_spec)
+
+            engine = options.get_engine(self.name)
+            if engine.min_api_version is not None:
+                for option in options.options:
+                    if not option.not_an_ansible_option:
+                        option_minimal_versions[option.name] = {
+                            "docker_api_version": engine.min_api_version
+                        }
+            if engine.extra_option_minimal_versions:
+                option_minimal_versions.update(engine.extra_option_minimal_versions)
+
+            active_options.append(options)
+
+        client = AnsibleDockerClient(
+            argument_spec=argument_spec,
+            mutually_exclusive=mutually_exclusive,
+            required_together=required_together,
+            required_one_of=required_one_of,
+            required_if=required_if,
+            required_by=required_by,
+            option_minimal_versions=option_minimal_versions,
+            supports_check_mode=True,
+        )
+
+        return client.module, active_options, client
+
+    def get_host_info(self, client: AnsibleDockerClient) -> dict[str, t.Any]:
+        return client.info()
+
+    def get_api_version(self, client: AnsibleDockerClient) -> LooseVersion:
+        return client.docker_api_version
+
+    def get_container_id(self, container: dict[str, t.Any]) -> str:
+        return container["Id"]
+
+    def get_image_from_container(self, container: dict[str, t.Any]) -> str:
+        return container["Image"]
+
+    def get_image_name_from_container(self, container: dict[str, t.Any]) -> str | None:
+        return container["Config"].get("Image")
+
+    def is_container_removing(self, container: dict[str, t.Any]) -> bool:
+        if container.get("State"):
+            return container["State"].get("Status") == "removing"
+        return False
+
+    def is_container_running(self, container: dict[str, t.Any]) -> bool:
+        return bool(
+            container.get("State")
+            and container["State"].get("Running")
+            and not container["State"].get("Ghost", False)
+        )
+
+    def is_container_paused(self, container: dict[str, t.Any]) -> bool:
+        if container.get("State"):
+            return container["State"].get("Paused", False)
+        return False
+
+    def inspect_container_by_name(
+        self, client: AnsibleDockerClient, container_name: str
+    ) -> dict[str, t.Any] | None:
+        return client.get_container(container_name)
+
+    def inspect_container_by_id(
+        self, client: AnsibleDockerClient, container_id: str
+    ) -> dict[str, t.Any] | None:
+        return client.get_container_by_id(container_id)
+
+    def inspect_image_by_id(
+        self, client: AnsibleDockerClient, image_id: str
+    ) -> dict[str, t.Any] | None:
+        return client.find_image_by_id(image_id, accept_missing_image=True)
+
+    def inspect_image_by_name(
+        self, client: AnsibleDockerClient, repository: str, tag: str
+    ) -> dict[str, t.Any] | None:
+        return client.find_image(repository, tag)
+
+    def pull_image(
+        self,
+        client: AnsibleDockerClient,
+        repository: str,
+        tag: str,
+        image_platform: str | None = None,
+    ) -> tuple[dict[str, t.Any] | None, bool]:
+        return client.pull_image(repository, tag, image_platform=image_platform)
+
+    def pause_container(self, client: AnsibleDockerClient, container_id: str) -> None:
+        client.post_call("/containers/{0}/pause", container_id)
+
+    def unpause_container(self, client: AnsibleDockerClient, container_id: str) -> None:
+        client.post_call("/containers/{0}/unpause", container_id)
+
+    def disconnect_container_from_network(
+        self, client: AnsibleDockerClient, container_id: str, network_id: str
+    ) -> None:
+        client.post_json(
+            "/networks/{0}/disconnect", network_id, data={"Container": container_id}
+        )
+
+    def _create_endpoint_config(self, parameters: dict[str, t.Any]) -> dict[str, t.Any]:
+        parameters = parameters.copy()
+        params = {}
+        for para, dest_para in {
+            "ipv4_address": "IPv4Address",
+            "ipv6_address": "IPv6Address",
+            "links": "Links",
+            "aliases": "Aliases",
+            "mac_address": "MacAddress",
+            "driver_opts": "DriverOpts",
+        }.items():
+            value = parameters.pop(para, None)
+            if value:
+                if para == "links":
+                    value = normalize_links(value)
+                elif para == "driver_opts":
+                    # Ensure driver_opts values are strings
+                    for key, val in value.items():
+                        if not isinstance(val, str):
+                            raise ValueError(
+                                f"driver_opts values must be strings, got {type(val).__name__} for key '{key}'"
+                            )
+                params[dest_para] = value
+        for para, dest_para in {
+            "gw_priority": "GwPriority",
+        }.items():
+            value = parameters.pop(para, None)
+            if value is not None:
+                params[dest_para] = value
+        if parameters:
+            ups = ", ".join([f'"{p}"' for p in sorted(parameters)])
+            raise ValueError(
+                f"Unknown parameter(s) for connect_container_to_network for Docker API driver: {ups}"
+            )
+        ipam_config = {}
+        for param in ("IPv4Address", "IPv6Address"):
+            if param in params:
+                ipam_config[param] = params.pop(param)
+        if ipam_config:
+            params["IPAMConfig"] = ipam_config
+        return params
+
+    def connect_container_to_network(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        network_id: str,
+        parameters: dict[str, t.Any] | None = None,
+    ) -> None:
+        parameters = (parameters or {}).copy()
+        params = self._create_endpoint_config(parameters or {})
+        data = {
+            "Container": container_id,
+            "EndpointConfig": params,
+        }
+        client.post_json("/networks/{0}/connect", network_id, data=data)
+
+    def create_container_supports_more_than_one_network(
+        self, client: AnsibleDockerClient
+    ) -> bool:
+        return client.docker_api_version >= LooseVersion("1.44")
+
+    def create_container(
+        self,
+        client: AnsibleDockerClient,
+        container_name: str,
+        create_parameters: dict[str, t.Any],
+        networks: dict[str, dict[str, t.Any]] | None = None,
+    ) -> str:
+        params = {"name": container_name}
+        if "platform" in create_parameters:
+            params["platform"] = create_parameters.pop("platform")
+        if networks is not None:
+            create_parameters = create_parameters.copy()
+            create_parameters["NetworkingConfig"] = {
+                "EndpointsConfig": dict(
+                    (network, self._create_endpoint_config(network_params))
+                    for network, network_params in networks.items()
+                )
+            }
+        new_container = client.post_json_to_json(
+            "/containers/create", data=create_parameters, params=params
+        )
+        client.report_warnings(new_container)
+        return new_container["Id"]
+
+    def start_container(self, client: AnsibleDockerClient, container_id: str) -> None:
+        client.post_json("/containers/{0}/start", container_id)
+
+    def wait_for_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        timeout: int | float | None = None,
+    ) -> int | None:
+        return client.post_json_to_json(
+            "/containers/{0}/wait", container_id, timeout=timeout
+        )["StatusCode"]
+
+    def get_container_output(
+        self, client: AnsibleDockerClient, container_id: str
+    ) -> tuple[bytes, t.Literal[True]] | tuple[str, t.Literal[False]]:
+        config = client.get_json("/containers/{0}/json", container_id)
+        logging_driver = config["HostConfig"]["LogConfig"]["Type"]
+        if logging_driver in ("json-file", "journald", "local"):
+            params = {
+                "stderr": 1,
+                "stdout": 1,
+                "timestamps": 0,
+                "follow": 0,
+                "tail": "all",
+            }
+            res = client._get(
+                client._url("/containers/{0}/logs", container_id), params=params
+            )
+            output = client._get_result_tty(False, res, config["Config"]["Tty"])
+            return output, True
+        return f"Result logged using `{logging_driver}` driver", False
+
+    def update_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        update_parameters: dict[str, t.Any],
+    ) -> None:
+        result = client.post_json_to_json(
+            "/containers/{0}/update", container_id, data=update_parameters
+        )
+        client.report_warnings(result)
+
+    def restart_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        timeout: int | float | None = None,
+    ) -> None:
+        client_timeout: int | float | None = client.timeout
+        if client_timeout is not None:
+            client_timeout += timeout or 10
+        client.post_call(
+            "/containers/{0}/restart",
+            container_id,
+            params={"t": timeout},
+            timeout=client_timeout,
+        )
+
+    def kill_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        kill_signal: str | None = None,
+    ) -> None:
+        params = {}
+        if kill_signal is not None:
+            params["signal"] = kill_signal
+        client.post_call("/containers/{0}/kill", container_id, params=params)
+
+    def stop_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        timeout: int | float | None = None,
+    ) -> None:
+        if timeout:
+            params = {"t": timeout}
+        else:
+            params = {}
+            timeout = 10
+        client_timeout = client.timeout
+        if client_timeout is not None:
+            client_timeout += timeout
+        count = 0
+        while True:
+            try:
+                client.post_call(
+                    "/containers/{0}/stop",
+                    container_id,
+                    params=params,
+                    timeout=client_timeout,
+                )
+            except APIError as exc:
+                if (
+                    "Unpause the container before stopping or killing"
+                    in exc.explanation
+                ):
+                    # New docker daemon versions do not allow containers to be removed
+                    # if they are paused. Make sure we do not end up in an infinite loop.
+                    if count == 3:
+                        raise RuntimeError(
+                            f"{exc} [tried to unpause three times]"
+                        ) from exc
+                    count += 1
+                    # Unpause
+                    try:
+                        self.unpause_container(client, container_id)
+                    except Exception as exc2:
+                        raise RuntimeError(f"{exc2} [while unpausing]") from exc2
+                    # Now try again
+                    continue
+                raise
+            # We only loop when explicitly requested by 'continue'
+            break
+
+    def remove_container(
+        self,
+        client: AnsibleDockerClient,
+        container_id: str,
+        remove_volumes: bool = False,
+        link: bool = False,
+        force: bool = False,
+    ) -> None:
+        params = {"v": remove_volumes, "link": link, "force": force}
+        count = 0
+        while True:
+            try:
+                client.delete_call("/containers/{0}", container_id, params=params)
+            except NotFound:
+                pass
+            except APIError as exc:
+                if (
+                    "Unpause the container before stopping or killing"
+                    in exc.explanation
+                ):
+                    # New docker daemon versions do not allow containers to be removed
+                    # if they are paused. Make sure we do not end up in an infinite loop.
+                    if count == 3:
+                        raise RuntimeError(
+                            f"{exc} [tried to unpause three times]"
+                        ) from exc
+                    count += 1
+                    # Unpause
+                    try:
+                        self.unpause_container(client, container_id)
+                    except Exception as exc2:
+                        raise RuntimeError(f"{exc2} [while unpausing]") from exc2
+                    # Now try again
+                    continue
+                if (
+                    "removal of container " in exc.explanation
+                    and " is already in progress" in exc.explanation
+                ):
+                    pass
+                else:
+                    raise
+            # We only loop when explicitly requested by 'continue'
+            break
+
+    def run(self, runner: Callable[[], None], client: AnsibleDockerClient) -> None:
+        try:
+            runner()
+        except DockerException as e:
+            client.fail(
+                f"An unexpected Docker error occurred: {e}",
+                exception=traceback.format_exc(),
+            )
+        except RequestException as e:
+            client.fail(
+                f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+                exception=traceback.format_exc(),
+            )
+
+
+class DockerAPIEngine(Engine[AnsibleDockerClient]):
+    def get_value(
+        self,
+        module: AnsibleModule,
+        container: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> dict[str, t.Any]:
+        return self._get_value(
+            module, container, api_version, options, image, host_info
+        )
+
+    def compare_value(
+        self, option: Option, param_value: t.Any, container_value: t.Any
+    ) -> bool:
+        if self._compare_value is not None:
+            return self._compare_value(option, param_value, container_value)
+        return super().compare_value(option, param_value, container_value)
+
+    def set_value(
+        self,
+        module: AnsibleModule,
+        data: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> None:
+        if self._set_value is not None:
+            self._set_value(module, data, api_version, options, values)
+
+    def get_expected_values(
+        self,
+        module: AnsibleModule,
+        client: AnsibleDockerClient,
+        api_version: LooseVersion,
+        options: list[Option],
+        image: dict[str, t.Any] | None,
+        values: dict[str, t.Any],
+        host_info: dict[str, t.Any] | None,
+    ) -> dict[str, t.Any]:
+        if self._get_expected_values is None:
+            return values
+        return self._get_expected_values(
+            module, client, api_version, options, image, values, host_info
+        )
+
+    def ignore_mismatching_result(
+        self,
+        module: AnsibleModule,
+        client: AnsibleDockerClient,
+        api_version: LooseVersion,
+        option: Option,
+        image: dict[str, t.Any] | None,
+        container_value: t.Any,
+        expected_value: t.Any,
+        host_info: dict[str, t.Any] | None,
+    ) -> bool:
+        if self._ignore_mismatching_result is None:
+            return False
+        return self._ignore_mismatching_result(
+            module,
+            client,
+            api_version,
+            option,
+            image,
+            container_value,
+            expected_value,
+            host_info,
+        )
+
+    def preprocess_value(
+        self,
+        module: AnsibleModule,
+        client: AnsibleDockerClient,
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> dict[str, t.Any]:
+        if self._preprocess_value is None:
+            return values
+        return self._preprocess_value(module, client, api_version, options, values)
+
+    def update_value(
+        self,
+        module: AnsibleModule,
+        data: dict[str, t.Any],
+        api_version: LooseVersion,
+        options: list[Option],
+        values: dict[str, t.Any],
+    ) -> None:
+        if self._update_value is not None:
+            self._update_value(module, data, api_version, options, values)
+
+    def can_set_value(self, api_version: LooseVersion) -> bool:
+        if self._can_set_value is None:
+            return self._set_value is not None
+        return self._can_set_value(api_version)
+
+    def can_update_value(self, api_version: LooseVersion) -> bool:
+        if self._can_update_value is None:
+            return self._update_value is not None
+        return self._can_update_value(api_version)
+
+    def needs_container_image(self, values: dict[str, t.Any]) -> bool:
+        if self._needs_container_image is None:
+            return False
+        return self._needs_container_image(values)
+
+    def needs_host_info(self, values: dict[str, t.Any]) -> bool:
+        if self._needs_host_info is None:
+            return False
+        return self._needs_host_info(values)
+
+    def __init__(
+        self,
+        get_value: Callable[
+            [
+                AnsibleModule,
+                dict[str, t.Any],
+                LooseVersion,
+                list[Option],
+                dict[str, t.Any] | None,
+                dict[str, t.Any] | None,
+            ],
+            dict[str, t.Any],
+        ],
+        preprocess_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any],
+                ],
+                dict[str, t.Any],
+            ]
+            | None
+        ) = None,
+        get_expected_values: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any] | None,
+                    dict[str, t.Any],
+                    dict[str, t.Any] | None,
+                ],
+                dict[str, t.Any],
+            ]
+            | None
+        ) = None,
+        ignore_mismatching_result: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    Option,
+                    dict[str, t.Any] | None,
+                    t.Any,
+                    t.Any,
+                    dict[str, t.Any] | None,
+                ],
+                bool,
+            ]
+            | None
+        ) = None,
+        set_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    dict[str, t.Any],
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any],
+                ],
+                None,
+            ]
+            | None
+        ) = None,
+        update_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    dict[str, t.Any],
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any],
+                ],
+                None,
+            ]
+            | None
+        ) = None,
+        can_set_value: Callable[[LooseVersion], bool] | None = None,
+        can_update_value: Callable[[LooseVersion], bool] | None = None,
+        min_api_version: str | None = None,
+        compare_value: Callable[[Option, t.Any, t.Any], bool] | None = None,
+        needs_container_image: Callable[[dict[str, t.Any]], bool] | None = None,
+        needs_host_info: Callable[[dict[str, t.Any]], bool] | None = None,
+        extra_option_minimal_versions: dict[str, dict[str, t.Any]] | None = None,
+    ):
+        self.min_api_version = min_api_version
+        self.min_api_version_obj = (
+            None if min_api_version is None else LooseVersion(min_api_version)
+        )
+        self.extra_option_minimal_versions = extra_option_minimal_versions
+        self._get_value = get_value
+        self._compare_value = compare_value
+        self._set_value = set_value
+        self._get_expected_values = get_expected_values
+        self._ignore_mismatching_result = ignore_mismatching_result
+        self._preprocess_value = preprocess_value
+        self._update_value = update_value
+        self._can_set_value = can_set_value
+        self._can_update_value = can_update_value
+        self._needs_container_image = needs_container_image
+        self._needs_host_info = needs_host_info
+
+    @classmethod
+    def config_value(
+        cls,
+        config_name: str,
+        postprocess_for_get: (
+            Callable[[AnsibleModule, LooseVersion, t.Any, Sentry], t.Any | Sentry]
+            | None
+        ) = None,
+        preprocess_for_set: (
+            Callable[[AnsibleModule, LooseVersion, t.Any], t.Any] | None
+        ) = None,
+        get_expected_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    dict[str, t.Any] | None,
+                    t.Any,
+                    Sentry,
+                ],
+                t.Any | Sentry,
+            ]
+            | None
+        ) = None,
+        ignore_mismatching_result: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    Option,
+                    dict[str, t.Any] | None,
+                    t.Any,
+                    t.Any,
+                    dict[str, t.Any] | None,
+                ],
+                bool,
+            ]
+            | None
+        ) = None,
+        min_api_version: str | None = None,
+        preprocess_value: (
+            Callable[[AnsibleModule, AnsibleDockerClient, LooseVersion, t.Any], t.Any]
+            | None
+        ) = None,
+        update_parameter: str | None = None,
+        extra_option_minimal_versions: dict[str, dict[str, t.Any]] | None = None,
+    ) -> DockerAPIEngine:
+        def preprocess_value_(
+            module: AnsibleModule,
+            client: AnsibleDockerClient,
+            api_version: LooseVersion,
+            options: list[Option],
+            values: dict[str, t.Any],
+        ) -> dict[str, t.Any]:
+            if len(options) != 1:
+                raise AssertionError(
+                    "config_value can only be used for a single option"
+                )
+            if preprocess_value is not None and options[0].name in values:
+                value = preprocess_value(
+                    module, client, api_version, values[options[0].name]
+                )
+                if value is None:
+                    del values[options[0].name]
+                else:
+                    values[options[0].name] = value
+            return values
+
+        def get_value(
+            module: AnsibleModule,
+            container: dict[str, t.Any],
+            api_version: LooseVersion,
+            options: list[Option],
+            image: dict[str, t.Any] | None,
+            host_info: dict[str, t.Any] | None,
+        ) -> dict[str, t.Any]:
+            if len(options) != 1:
+                raise AssertionError(
+                    "config_value can only be used for a single option"
+                )
+            value = container["Config"].get(config_name, _SENTRY)
+            if postprocess_for_get:
+                value = postprocess_for_get(module, api_version, value, _SENTRY)
+            if value is _SENTRY:
+                return {}
+            return {options[0].name: value}
+
+        get_expected_values_: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any] | None,
+                    dict[str, t.Any],
+                    dict[str, t.Any] | None,
+                ],
+                dict[str, t.Any],
+            ]
+            | None
+        ) = None
+        if get_expected_value:
+
+            def get_expected_values_(  # noqa: F811
+                module: AnsibleModule,
+                client: AnsibleDockerClient,
+                api_version: LooseVersion,
+                options: list[Option],
+                image: dict[str, t.Any] | None,
+                values: dict[str, t.Any],
+                host_info: dict[str, t.Any] | None,
+            ) -> dict[str, t.Any]:
+                if len(options) != 1:
+                    raise AssertionError(
+                        "host_config_value can only be used for a single option"
+                    )
+                value = values.get(options[0].name, _SENTRY)
+                value = get_expected_value(
+                    module, client, api_version, image, value, _SENTRY
+                )
+                if value is _SENTRY:
+                    return values
+                return {options[0].name: value}
+
+        def set_value(
+            module: AnsibleModule,
+            data: dict[str, t.Any],
+            api_version: LooseVersion,
+            options: list[Option],
+            values: dict[str, t.Any],
+        ) -> None:
+            if len(options) != 1:
+                raise AssertionError(
+                    "config_value can only be used for a single option"
+                )
+            if options[0].name not in values:
+                return
+            value = values[options[0].name]
+            if preprocess_for_set:
+                value = preprocess_for_set(module, api_version, value)
+            data[config_name] = value
+
+        update_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    dict[str, t.Any],
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any],
+                ],
+                None,
+            ]
+            | None
+        ) = None
+        if update_parameter:
+
+            def update_value(  # noqa: F811
+                module: AnsibleModule,
+                data: dict[str, t.Any],
+                api_version: LooseVersion,
+                options: list[Option],
+                values: dict[str, t.Any],
+            ) -> None:
+                if len(options) != 1:
+                    raise AssertionError(
+                        "update_parameter can only be used for a single option"
+                    )
+                if options[0].name not in values:
+                    return
+                value = values[options[0].name]
+                if preprocess_for_set:
+                    value = preprocess_for_set(module, api_version, value)
+                data[update_parameter] = value
+
+        return cls(
+            get_value=get_value,
+            preprocess_value=preprocess_value_,
+            get_expected_values=get_expected_values_,
+            ignore_mismatching_result=ignore_mismatching_result,
+            set_value=set_value,
+            min_api_version=min_api_version,
+            update_value=update_value,
+            extra_option_minimal_versions=extra_option_minimal_versions,
+        )
+
+    @classmethod
+    def host_config_value(
+        cls,
+        host_config_name: str,
+        postprocess_for_get: (
+            Callable[[AnsibleModule, LooseVersion, t.Any, Sentry], t.Any | Sentry]
+            | None
+        ) = None,
+        preprocess_for_set: (
+            Callable[[AnsibleModule, LooseVersion, t.Any], t.Any] | None
+        ) = None,
+        get_expected_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    dict[str, t.Any] | None,
+                    t.Any,
+                    Sentry,
+                ],
+                t.Any | Sentry,
+            ]
+            | None
+        ) = None,
+        ignore_mismatching_result: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    Option,
+                    dict[str, t.Any] | None,
+                    t.Any,
+                    t.Any,
+                    dict[str, t.Any] | None,
+                ],
+                bool,
+            ]
+            | None
+        ) = None,
+        min_api_version: str | None = None,
+        preprocess_value: (
+            Callable[[AnsibleModule, AnsibleDockerClient, LooseVersion, t.Any], t.Any]
+            | None
+        ) = None,
+        update_parameter: str | None = None,
+        extra_option_minimal_versions: dict[str, dict[str, t.Any]] | None = None,
+    ) -> DockerAPIEngine:
+        def preprocess_value_(
+            module: AnsibleModule,
+            client: AnsibleDockerClient,
+            api_version: LooseVersion,
+            options: list[Option],
+            values: dict[str, t.Any],
+        ) -> dict[str, t.Any]:
+            if len(options) != 1:
+                raise AssertionError(
+                    "host_config_value can only be used for a single option"
+                )
+            if preprocess_value is not None and options[0].name in values:
+                value = preprocess_value(
+                    module, client, api_version, values[options[0].name]
+                )
+                if value is None:
+                    del values[options[0].name]
+                else:
+                    values[options[0].name] = value
+            return values
+
+        def get_value(
+            module: AnsibleModule,
+            container: dict[str, t.Any],
+            api_version: LooseVersion,
+            options: list[Option],
+            image: dict[str, t.Any] | None,
+            host_info: dict[str, t.Any] | None,
+        ) -> dict[str, t.Any]:
+            if len(options) != 1:
+                raise AssertionError(
+                    "host_config_value can only be used for a single option"
+                )
+            value = container["HostConfig"].get(host_config_name, _SENTRY)
+            if postprocess_for_get:
+                value = postprocess_for_get(module, api_version, value, _SENTRY)
+            if value is _SENTRY:
+                return {}
+            return {options[0].name: value}
+
+        get_expected_values_: (
+            Callable[
+                [
+                    AnsibleModule,
+                    AnsibleDockerClient,
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any] | None,
+                    dict[str, t.Any],
+                    dict[str, t.Any] | None,
+                ],
+                dict[str, t.Any],
+            ]
+            | None
+        ) = None
+        if get_expected_value:
+
+            def get_expected_values_(  # noqa: F811
+                module: AnsibleModule,
+                client: AnsibleDockerClient,
+                api_version: LooseVersion,
+                options: list[Option],
+                image: dict[str, t.Any] | None,
+                values: dict[str, t.Any],
+                host_info: dict[str, t.Any] | None,
+            ) -> dict[str, t.Any]:
+                if len(options) != 1:
+                    raise AssertionError(
+                        "host_config_value can only be used for a single option"
+                    )
+                value = values.get(options[0].name, _SENTRY)
+                value = get_expected_value(
+                    module, client, api_version, image, value, _SENTRY
+                )
+                if value is _SENTRY:
+                    return values
+                return {options[0].name: value}
+
+        def set_value(
+            module: AnsibleModule,
+            data: dict[str, t.Any],
+            api_version: LooseVersion,
+            options: list[Option],
+            values: dict[str, t.Any],
+        ) -> None:
+            if len(options) != 1:
+                raise AssertionError(
+                    "host_config_value can only be used for a single option"
+                )
+            if options[0].name not in values:
+                return
+            if "HostConfig" not in data:
+                data["HostConfig"] = {}
+            value = values[options[0].name]
+            if preprocess_for_set:
+                value = preprocess_for_set(module, api_version, value)
+            data["HostConfig"][host_config_name] = value
+
+        update_value: (
+            Callable[
+                [
+                    AnsibleModule,
+                    dict[str, t.Any],
+                    LooseVersion,
+                    list[Option],
+                    dict[str, t.Any],
+                ],
+                None,
+            ]
+            | None
+        ) = None
+        if update_parameter:
+
+            def update_value(  # noqa: F811
+                module: AnsibleModule,
+                data: dict[str, t.Any],
+                api_version: LooseVersion,
+                options: list[Option],
+                values: dict[str, t.Any],
+            ) -> None:
+                if len(options) != 1:
+                    raise AssertionError(
+                        "update_parameter can only be used for a single option"
+                    )
+                if options[0].name not in values:
+                    return
+                value = values[options[0].name]
+                if preprocess_for_set:
+                    value = preprocess_for_set(module, api_version, value)
+                data[update_parameter] = value
+
+        return cls(
+            get_value=get_value,
+            preprocess_value=preprocess_value_,
+            get_expected_values=get_expected_values_,
+            ignore_mismatching_result=ignore_mismatching_result,
+            set_value=set_value,
+            min_api_version=min_api_version,
+            update_value=update_value,
+            extra_option_minimal_versions=extra_option_minimal_versions,
+        )
+
+
+def _normalize_port(port: str) -> str:
+    if "/" not in port:
+        return port + "/tcp"
+    return port
+
+
+def _get_default_host_ip(module: AnsibleModule, client: AnsibleDockerClient) -> str:
+    if module.params["default_host_ip"] is not None:
+        return module.params["default_host_ip"]
+    ip = "0.0.0.0"
+    for network_data in module.params["networks"] or []:
+        if network_data.get("name"):
+            network = client.get_network(network_data["name"])
+            if network is None:
+                client.fail(
+                    f"Cannot inspect the network '{network_data['name']}' to determine the default IP",
+                )
+            if network.get("Driver") == "bridge" and network.get("Options", {}).get(
+                "com.docker.network.bridge.host_binding_ipv4"
+            ):
+                ip = network["Options"]["com.docker.network.bridge.host_binding_ipv4"]
+                break
+    return ip
+
+
+def _get_value_detach_interactive(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    attach_stdin = container["Config"].get("OpenStdin")
+    attach_stderr = container["Config"].get("AttachStderr")
+    attach_stdout = container["Config"].get("AttachStdout")
+    return {
+        "interactive": bool(attach_stdin),
+        "detach": not (attach_stderr and attach_stdout),
+    }
+
+
+def _set_value_detach_interactive(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    interactive = values.get("interactive")
+    detach = values.get("detach")
+
+    data["AttachStdout"] = False
+    data["AttachStderr"] = False
+    data["AttachStdin"] = False
+    data["StdinOnce"] = False
+    data["OpenStdin"] = interactive
+    if not detach:
+        data["AttachStdout"] = True
+        data["AttachStderr"] = True
+        if interactive:
+            data["AttachStdin"] = True
+            data["StdinOnce"] = True
+
+
+def _get_expected_env_value(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    image: dict[str, t.Any] | None,
+    value: t.Any,
+    sentry: Sentry,
+) -> t.Any | Sentry:
+    expected_env = {}
+    if image and image["Config"].get("Env"):
+        for env_var in image["Config"]["Env"]:
+            parts = env_var.split("=", 1)
+            expected_env[parts[0]] = parts[1]
+    if value and value is not sentry:
+        for env_var in value:
+            parts = env_var.split("=", 1)
+            expected_env[parts[0]] = parts[1]
+    param_env = []
+    for key, env_value in expected_env.items():
+        param_env.append(f"{key}={env_value}")
+    return param_env
+
+
+def _preprocess_cpus(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if value is not None:
+        value = int(round(value * 1e9))
+    return value
+
+
+def _preprocess_devices(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if not value:
+        return value
+    expected_devices = []
+    for device in value:
+        parts = device.split(":")
+        if len(parts) == 1:
+            expected_devices.append(
+                {
+                    "CgroupPermissions": "rwm",
+                    "PathInContainer": parts[0],
+                    "PathOnHost": parts[0],
+                }
+            )
+        elif len(parts) == 2:
+            parts = device.split(":")
+            expected_devices.append(
+                {
+                    "CgroupPermissions": "rwm",
+                    "PathInContainer": parts[1],
+                    "PathOnHost": parts[0],
+                }
+            )
+        else:
+            expected_devices.append(
+                {
+                    "CgroupPermissions": parts[2],
+                    "PathInContainer": parts[1],
+                    "PathOnHost": parts[0],
+                }
+            )
+    return expected_devices
+
+
+def _preprocess_rate_bps(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if not value:
+        return value
+    devices = []
+    for device in value:
+        devices.append(
+            {
+                "Path": device["path"],
+                "Rate": human_to_bytes(device["rate"]),
+            }
+        )
+    return devices
+
+
+def _preprocess_rate_iops(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if not value:
+        return value
+    devices = []
+    for device in value:
+        devices.append(
+            {
+                "Path": device["path"],
+                "Rate": device["rate"],
+            }
+        )
+    return devices
+
+
+def _preprocess_device_requests(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if not value:
+        return value
+    device_requests = []
+    for dr in value:
+        device_requests.append(
+            {
+                "Driver": dr["driver"],
+                "Count": dr["count"],
+                "DeviceIDs": dr["device_ids"],
+                "Capabilities": dr["capabilities"],
+                "Options": dr["options"],
+            }
+        )
+    return device_requests
+
+
+def _preprocess_etc_hosts(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if value is None:
+        return value
+    results = []
+    for key, val in value.items():
+        results.append(f"{key}:{val}")
+    return results
+
+
+def _preprocess_healthcheck(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if value is None:
+        return value
+    if not value or not (
+        value.get("test")
+        or (value.get("test_cli_compatible") and value.get("test") is None)
+    ):
+        value = {"test": ["NONE"]}
+    elif "test" in value:
+        value["test"] = normalize_healthcheck_test(value["test"])
+    return omit_none_from_dict(
+        {
+            "Test": value.get("test"),
+            "Interval": value.get("interval"),
+            "Timeout": value.get("timeout"),
+            "StartPeriod": value.get("start_period"),
+            "StartInterval": value.get("start_interval"),
+            "Retries": value.get("retries"),
+        }
+    )
+
+
+def _postprocess_healthcheck_get_value(
+    module: AnsibleModule, api_version: LooseVersion, value: t.Any, sentry: Sentry
+) -> t.Any | Sentry:
+    if value is None or value is sentry or value.get("Test") == ["NONE"]:
+        return {"Test": ["NONE"]}
+    return value
+
+
+def _preprocess_convert_to_bytes(
+    module: AnsibleModule,
+    values: dict[str, t.Any],
+    name: str,
+    unlimited_value: int | None = None,
+) -> dict[str, t.Any]:
+    if name not in values:
+        return values
+    try:
+        value = values[name]
+        if unlimited_value is not None and value in ("unlimited", str(unlimited_value)):
+            value = unlimited_value
+        else:
+            value = human_to_bytes(value)
+        values[name] = value
+        return values
+    except ValueError as exc:
+        module.fail_json(msg=f"Failed to convert {name} to bytes: {exc}")
+
+
+def _get_image_labels(image: dict[str, t.Any] | None) -> dict[str, str]:
+    if not image:
+        return {}
+
+    # Cannot use get('Labels', {}) because 'Labels' may be present and be None
+    return image["Config"].get("Labels") or {}
+
+
+def _get_expected_labels_value(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    image: dict[str, t.Any] | None,
+    value: dict[str, t.Any],
+    sentry: Sentry,
+) -> dict[str, t.Any] | Sentry:
+    if value is sentry:
+        return sentry
+    expected_labels = {}
+    if module.params["image_label_mismatch"] == "ignore":
+        expected_labels.update(dict(_get_image_labels(image)))
+    expected_labels.update(value)
+    return expected_labels
+
+
+def _preprocess_links(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if value is None:
+        return None
+
+    result = []
+    for link in value:
+        parsed_link = link.split(":", 1)
+        if len(parsed_link) == 2:
+            link, alias = parsed_link
+        else:
+            link, alias = parsed_link[0], parsed_link[0]
+        result.append(f"/{link}:/{module.params['name']}/{alias}")
+
+    return result
+
+
+def _ignore_mismatching_label_result(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    option: Option,
+    image: dict[str, t.Any] | None,
+    container_value: t.Any,
+    expected_value: t.Any,
+    host_info: dict[str, t.Any] | None,
+) -> bool:
+    if (
+        option.comparison == "strict"
+        and module.params["image_label_mismatch"] == "fail"
+    ):
+        # If there are labels from the base image that should be removed and
+        # base_image_mismatch is fail we want raise an error.
+        image_labels = _get_image_labels(image)
+        would_remove_labels = []
+        labels_param = module.params["labels"] or {}
+        for label in image_labels:
+            if label not in labels_param:
+                # Format label for error message
+                would_remove_labels.append(f'"{label}"')
+        if would_remove_labels:
+            labels = ", ".join(would_remove_labels)
+            msg = (
+                "Some labels should be removed but are present in the base image. You can set image_label_mismatch to 'ignore' to ignore"
+                f" this error. Labels: {labels}"
+            )
+            client.fail(msg)
+    return False
+
+
+def _needs_host_info_network(values: dict[str, t.Any]) -> bool:
+    return values.get("network_mode") == "default"
+
+
+def _ignore_mismatching_network_result(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    option: Option,
+    image: dict[str, t.Any] | None,
+    container_value: t.Any,
+    expected_value: t.Any,
+    host_info: dict[str, t.Any] | None,
+) -> bool:
+    # 'networks' is handled out-of-band
+    if option.name == "networks":
+        return True
+    # The 'default' network_mode value is translated by the Docker daemon to 'bridge' on Linux and 'nat' on Windows.
+    # This happens since Docker 26.1.0 due to https://github.com/moby/moby/pull/47431; before, 'default' was returned.
+    if option.name == "network_mode" and expected_value == "default":
+        os_type = host_info.get("OSType") if host_info else None
+        if (container_value, os_type) in (("bridge", "linux"), ("nat", "windows")):
+            return True
+    return False
+
+
+def _preprocess_network_values(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> dict[str, t.Any]:
+    if "networks" in values:
+        for network in values["networks"]:
+            network["id"] = _get_network_id(module, client, network["name"])
+            if not network["id"]:
+                client.fail(
+                    f"Parameter error: network named {network['name']} could not be found. Does it exist?"
+                )
+
+    if "network_mode" in values:
+        values["network_mode"] = _preprocess_container_names(
+            module, client, api_version, values["network_mode"]
+        )
+
+    return values
+
+
+def _get_network_id(
+    module: AnsibleModule, client: AnsibleDockerClient, network_name: str
+) -> str | None:
+    try:
+        params = {"filters": json.dumps({"name": [network_name]})}
+        for network in client.get_json("/networks", params=params):
+            if network["Name"] == network_name:
+                return network["Id"]
+        return None
+    except Exception as exc:  # pylint: disable=broad-exception-caught
+        client.fail(f"Error getting network id for {network_name} - {exc}")
+
+
+def _get_values_network(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    value = container["HostConfig"].get("NetworkMode", _SENTRY)
+    if value is _SENTRY:
+        return {}
+    return {"network_mode": value}
+
+
+def _set_values_network(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "network_mode" not in values:
+        return
+    if "HostConfig" not in data:
+        data["HostConfig"] = {}
+    value = values["network_mode"]
+    data["HostConfig"]["NetworkMode"] = value
+
+
+def _get_values_mounts(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    volumes = container["Config"].get("Volumes")
+    binds = container["HostConfig"].get("Binds")
+    # According to https://github.com/moby/moby/, support for HostConfig.Mounts
+    # has been included at least since v17.03.0-ce, which has API version 1.26.
+    # The previous tag, v1.9.1, has API version 1.21 and does not have
+    # HostConfig.Mounts. I have no idea what about API 1.25...
+    mounts = container["HostConfig"].get("Mounts")
+    if mounts is not None:
+        mounts_list = []
+        empty_dict: dict[str, t.Any] = {}
+        for mount in mounts:
+            mounts_list.append(
+                {
+                    "type": mount.get("Type"),
+                    "source": mount.get("Source"),
+                    "target": mount.get("Target"),
+                    "read_only": mount.get(
+                        "ReadOnly", False
+                    ),  # golang's omitempty for bool returns None for False
+                    "consistency": mount.get("Consistency"),
+                    "propagation": mount.get("BindOptions", empty_dict).get(
+                        "Propagation"
+                    ),
+                    "no_copy": mount.get("VolumeOptions", empty_dict).get(
+                        "NoCopy", False
+                    ),
+                    "labels": mount.get("VolumeOptions", empty_dict).get(
+                        "Labels", empty_dict
+                    ),
+                    "volume_driver": mount.get("VolumeOptions", empty_dict)
+                    .get("DriverConfig", empty_dict)
+                    .get("Name"),
+                    "volume_options": mount.get("VolumeOptions", empty_dict)
+                    .get("DriverConfig", empty_dict)
+                    .get("Options", empty_dict),
+                    "tmpfs_size": mount.get("TmpfsOptions", empty_dict).get(
+                        "SizeBytes"
+                    ),
+                    "tmpfs_mode": mount.get("TmpfsOptions", empty_dict).get("Mode"),
+                    "non_recursive": mount.get("BindOptions", empty_dict).get(
+                        "NonRecursive"
+                    ),
+                    "create_mountpoint": mount.get("BindOptions", empty_dict).get(
+                        "CreateMountpoint"
+                    ),
+                    "read_only_non_recursive": mount.get("BindOptions", empty_dict).get(
+                        "ReadOnlyNonRecursive"
+                    ),
+                    "read_only_force_recursive": mount.get(
+                        "BindOptions", empty_dict
+                    ).get("ReadOnlyForceRecursive"),
+                    "subpath": mount.get("VolumeOptions", empty_dict).get("Subpath")
+                    or mount.get("ImageOptions", empty_dict).get("Subpath"),
+                    "tmpfs_options": mount.get("TmpfsOptions", empty_dict).get(
+                        "Options"
+                    ),
+                }
+            )
+        mounts = mounts_list
+    result = {}
+    if volumes is not None:
+        result["volumes"] = volumes
+    if binds is not None:
+        result["volume_binds"] = binds
+    if mounts is not None:
+        result["mounts"] = mounts
+    return result
+
+
+def _get_bind_from_dict(volume_dict: dict[str, t.Any] | None) -> list[str]:
+    results = []
+    if volume_dict:
+        for host_path, config in volume_dict.items():
+            if isinstance(config, dict) and config.get("bind"):
+                container_path = config.get("bind")
+                mode = config.get("mode", "rw")
+                results.append(f"{host_path}:{container_path}:{mode}")
+    return results
+
+
+def _get_image_binds(volumes: dict[str, t.Any] | list[dict[str, t.Any]]) -> list[str]:
+    """
+    Convert array of binds to array of strings with format host_path:container_path:mode
+
+    :param volumes: array of bind dicts
+    :return: array of strings
+    """
+    results = []
+    if isinstance(volumes, dict):
+        results += _get_bind_from_dict(volumes)
+    elif isinstance(volumes, list):
+        for vol in volumes:
+            results += _get_bind_from_dict(vol)
+    return results
+
+
+def _get_expected_values_mounts(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    values: dict[str, t.Any],
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    expected_values = {}
+
+    # binds
+    if "mounts" in values:
+        expected_values["mounts"] = values["mounts"]
+
+    # volumes
+    expected_vols = {}
+    if image and image["Config"].get("Volumes"):
+        expected_vols.update(image["Config"].get("Volumes"))
+    if "volumes" in values:
+        for vol in values["volumes"]:
+            # We only expect anonymous volumes to show up in the list
+            if ":" in vol:
+                parts = vol.split(":")
+                if len(parts) == 3:
+                    continue
+                if len(parts) == 2 and not _is_volume_permissions(parts[1]):
+                    continue
+            expected_vols[vol] = {}
+    if expected_vols:
+        expected_values["volumes"] = expected_vols
+
+    # binds
+    image_vols = []
+    if image:
+        image_vols = _get_image_binds(image["Config"].get("Volumes"))
+    param_vols = []
+    if "volume_binds" in values:
+        param_vols = values["volume_binds"]
+    expected_values["volume_binds"] = list(set(image_vols + param_vols))
+
+    return expected_values
+
+
+def _set_values_mounts(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "mounts" in values:
+        if "HostConfig" not in data:
+            data["HostConfig"] = {}
+        mounts: list[dict[str, t.Any]] = []
+        for mount in values["mounts"]:
+            mount_type = mount.get("type")
+            mount_res = {
+                "Target": mount.get("target"),
+                "Source": mount.get("source"),
+                "Type": mount_type,
+                "ReadOnly": mount.get("read_only"),
+            }
+            if "consistency" in mount:
+                mount_res["Consistency"] = mount["consistency"]
+            if mount_type == "bind":
+                bind_opts: dict[str, t.Any] = {}
+                if "propagation" in mount:
+                    bind_opts["Propagation"] = mount["propagation"]
+                if "non_recursive" in mount:
+                    bind_opts["NonRecursive"] = mount["non_recursive"]
+                if "create_mountpoint" in mount:
+                    bind_opts["CreateMountpoint"] = mount["create_mountpoint"]
+                if "read_only_non_recursive" in mount:
+                    bind_opts["ReadOnlyNonRecursive"] = mount["read_only_non_recursive"]
+                if "read_only_force_recursive" in mount:
+                    bind_opts["ReadOnlyForceRecursive"] = mount[
+                        "read_only_force_recursive"
+                    ]
+                if bind_opts:
+                    mount_res["BindOptions"] = bind_opts
+            if mount_type == "volume":
+                volume_opts: dict[str, t.Any] = {}
+                if mount.get("no_copy"):
+                    volume_opts["NoCopy"] = True
+                if mount.get("labels"):
+                    volume_opts["Labels"] = mount.get("labels")
+                if mount.get("volume_driver"):
+                    driver_config: dict[str, t.Any] = {
+                        "Name": mount.get("volume_driver"),
+                    }
+                    if mount.get("volume_options"):
+                        driver_config["Options"] = mount.get("volume_options")
+                    volume_opts["DriverConfig"] = driver_config
+                if "subpath" in mount:
+                    volume_opts["Subpath"] = mount["subpath"]
+                if volume_opts:
+                    mount_res["VolumeOptions"] = volume_opts
+            if mount_type == "tmpfs":
+                tmpfs_opts: dict[str, t.Any] = {}
+                if mount.get("tmpfs_mode"):
+                    tmpfs_opts["Mode"] = mount.get("tmpfs_mode")
+                if mount.get("tmpfs_size"):
+                    tmpfs_opts["SizeBytes"] = mount.get("tmpfs_size")
+                if "tmpfs_options" in mount:
+                    tmpfs_opts["Options"] = mount["tmpfs_options"]
+                if tmpfs_opts:
+                    mount_res["TmpfsOptions"] = tmpfs_opts
+            if mount_type == "image":
+                image_opts: dict[str, t.Any] = {}
+                if "subpath" in mount:
+                    image_opts["Subpath"] = mount["subpath"]
+                if image_opts:
+                    mount_res["ImageOptions"] = image_opts
+            mounts.append(mount_res)
+        data["HostConfig"]["Mounts"] = mounts
+    if "volumes" in values:
+        volumes: dict[str, t.Any] = {}
+        for volume in values["volumes"]:
+            # Only pass anonymous volumes to create container
+            if ":" in volume:
+                parts = volume.split(":")
+                if len(parts) == 3:
+                    continue
+                if len(parts) == 2 and not _is_volume_permissions(parts[1]):
+                    continue
+            volumes[volume] = {}
+        data["Volumes"] = volumes
+    if "volume_binds" in values:
+        if "HostConfig" not in data:
+            data["HostConfig"] = {}
+        data["HostConfig"]["Binds"] = values["volume_binds"]
+
+
+def _get_values_log(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    log_config = container["HostConfig"].get("LogConfig") or {}
+    return {
+        "log_driver": log_config.get("Type"),
+        "log_options": log_config.get("Config"),
+    }
+
+
+def _set_values_log(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "log_driver" not in values:
+        return
+    log_config = {
+        "Type": values["log_driver"],
+        "Config": values.get("log_options") or {},
+    }
+    if "HostConfig" not in data:
+        data["HostConfig"] = {}
+    data["HostConfig"]["LogConfig"] = log_config
+
+
+def _get_values_platform(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    if image and (image.get("Os") or image.get("Architecture") or image.get("Variant")):
+        return {
+            "platform": compose_platform_string(
+                os=image.get("Os"),
+                arch=image.get("Architecture"),
+                variant=image.get("Variant"),
+                daemon_os=host_info.get("OSType") if host_info else None,
+                daemon_arch=host_info.get("Architecture") if host_info else None,
+            )
+        }
+    return {
+        "platform": container.get("Platform"),
+    }
+
+
+def _get_expected_values_platform(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    values: dict[str, t.Any],
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    expected_values = {}
+    if "platform" in values:
+        try:
+            expected_values["platform"] = normalize_platform_string(
+                values["platform"],
+                daemon_os=host_info.get("OSType") if host_info else None,
+                daemon_arch=host_info.get("Architecture") if host_info else None,
+            )
+        except ValueError as exc:
+            module.fail_json(msg=f"Error while parsing platform parameer: {exc}")
+    return expected_values
+
+
+def _set_values_platform(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "platform" in values:
+        data["platform"] = values["platform"]
+
+
+def _needs_container_image_platform(values: dict[str, t.Any]) -> bool:
+    return "platform" in values
+
+
+def _needs_host_info_platform(values: dict[str, t.Any]) -> bool:
+    return "platform" in values
+
+
+def _get_values_restart(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    restart_policy = container["HostConfig"].get("RestartPolicy") or {}
+    return {
+        "restart_policy": restart_policy.get("Name"),
+        "restart_retries": restart_policy.get("MaximumRetryCount"),
+    }
+
+
+def _set_values_restart(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "restart_policy" not in values:
+        return
+    restart_policy = {
+        "Name": values["restart_policy"],
+        "MaximumRetryCount": values.get("restart_retries"),
+    }
+    if "HostConfig" not in data:
+        data["HostConfig"] = {}
+    data["HostConfig"]["RestartPolicy"] = restart_policy
+
+
+def _update_value_restart(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "restart_policy" not in values:
+        return
+    data["RestartPolicy"] = {
+        "Name": values["restart_policy"],
+        "MaximumRetryCount": values.get("restart_retries"),
+    }
+
+
+def _get_values_ports(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    host_config = container["HostConfig"]
+    config = container["Config"]
+
+    # "ExposedPorts": null returns None type & causes AttributeError - PR #5517
+    expected_exposed: list[str] = []
+    if config.get("ExposedPorts") is not None:
+        for port_and_protocol in config.get("ExposedPorts", {}):
+            port, protocol = _normalize_port(port_and_protocol).rsplit("/")
+            try:
+                start, end = port.split("-", 1)
+                start_port = int(start)
+                end_port = int(end)
+                for port_no in range(start_port, end_port + 1):
+                    expected_exposed.append(f"{port_no}/{protocol}")
+                continue
+            except ValueError:
+                # Either it is not a range, or a broken one - in both cases, simply add the original form
+                expected_exposed.append(f"{port}/{protocol}")
+
+    return {
+        "published_ports": host_config.get("PortBindings"),
+        "exposed_ports": expected_exposed,
+        "publish_all_ports": host_config.get("PublishAllPorts"),
+    }
+
+
+def _get_expected_values_ports(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    values: dict[str, t.Any],
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    expected_values: dict[str, t.Any] = {}
+
+    if "published_ports" in values:
+        expected_bound_ports = {}
+        for container_port, config in values["published_ports"].items():
+            if isinstance(container_port, int):
+                container_port = f"{container_port}/tcp"
+            if len(config) == 1:
+                if isinstance(config[0], int):
+                    expected_bound_ports[container_port] = [
+                        {"HostIp": "0.0.0.0", "HostPort": config[0]}
+                    ]
+                else:
+                    expected_bound_ports[container_port] = [
+                        {"HostIp": config[0], "HostPort": ""}
+                    ]
+            elif isinstance(config[0], tuple):
+                expected_bound_ports[container_port] = []
+                for host_ip, host_port in config:
+                    expected_bound_ports[container_port].append(
+                        {
+                            "HostIp": host_ip,
+                            "HostPort": to_text(
+                                host_port, errors="surrogate_or_strict"
+                            ),
+                        }
+                    )
+            else:
+                expected_bound_ports[container_port] = [
+                    {
+                        "HostIp": config[0],
+                        "HostPort": to_text(config[1], errors="surrogate_or_strict"),
+                    }
+                ]
+        expected_values["published_ports"] = expected_bound_ports
+
+    image_ports: set[str] = set()
+    if image:
+        image_exposed_ports = image["Config"].get("ExposedPorts") or {}
+        image_ports = {_normalize_port(p) for p in image_exposed_ports}
+    param_ports: set[str] = set()
+    if "ports" in values:
+        param_ports = {f"{p[0]}/{p[1]}" for p in values["ports"]}
+    result = sorted(image_ports | param_ports)
+    expected_values["exposed_ports"] = result
+
+    if "publish_all_ports" in values:
+        expected_values["publish_all_ports"] = values["publish_all_ports"]
+
+    return expected_values
+
+
+def _set_values_ports(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "ports" in values:
+        exposed_ports: dict[str, dict[str, t.Any]] = {}
+        for port_definition in values["ports"]:
+            port = port_definition
+            proto = "tcp"
+            if isinstance(port_definition, tuple):
+                if len(port_definition) == 2:
+                    proto = port_definition[1]
+                port = port_definition[0]
+            exposed_ports[f"{port}/{proto}"] = {}
+        data["ExposedPorts"] = exposed_ports
+    if "published_ports" in values:
+        if "HostConfig" not in data:
+            data["HostConfig"] = {}
+        data["HostConfig"]["PortBindings"] = convert_port_bindings(
+            values["published_ports"]
+        )
+    if "publish_all_ports" in values and values["publish_all_ports"]:
+        if "HostConfig" not in data:
+            data["HostConfig"] = {}
+        data["HostConfig"]["PublishAllPorts"] = values["publish_all_ports"]
+
+
+def _preprocess_value_ports(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> dict[str, t.Any]:
+    if "published_ports" not in values:
+        return values
+    found = False
+    for port_specs in values["published_ports"].values():
+        if not isinstance(port_specs, list):
+            port_specs = [port_specs]
+        for port_spec in port_specs:
+            if port_spec[0] == _DEFAULT_IP_REPLACEMENT_STRING:
+                found = True
+                break
+    if not found:
+        return values
+    default_ip = _get_default_host_ip(module, client)
+    for port, port_specs in values["published_ports"].items():
+        if isinstance(port_specs, list):
+            for index, port_spec in enumerate(port_specs):
+                if port_spec[0] == _DEFAULT_IP_REPLACEMENT_STRING:
+                    port_specs[index] = tuple([default_ip] + list(port_spec[1:]))
+        else:
+            if port_specs[0] == _DEFAULT_IP_REPLACEMENT_STRING:
+                values["published_ports"][port] = tuple(
+                    [default_ip] + list(port_specs[1:])
+                )
+    return values
+
+
+def _preprocess_container_names(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    value: t.Any,
+) -> t.Any:
+    if value is None or not value.startswith("container:"):
+        return value
+    container_name = value[len("container:") :]
+    # Try to inspect container to see whether this is an ID or a
+    # name (and in the latter case, retrieve its ID)
+    container = client.get_container(container_name)
+    if container is None:
+        # If we cannot find the container, issue a warning and continue with
+        # what the user specified.
+        module.warn(f'Cannot find a container with name or ID "{container_name}"')
+        return value
+    return f"container:{container['Id']}"
+
+
+def _get_value_command(
+    module: AnsibleModule,
+    container: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    value = container["Config"].get("Cmd", _SENTRY)
+    if value is _SENTRY:
+        return {}
+    return {"command": value}
+
+
+def _set_value_command(
+    module: AnsibleModule,
+    data: dict[str, t.Any],
+    api_version: LooseVersion,
+    options: list[Option],
+    values: dict[str, t.Any],
+) -> None:
+    if "command" not in values:
+        return
+    value = values["command"]
+    data["Cmd"] = value
+
+
+def _get_expected_values_command(
+    module: AnsibleModule,
+    client: AnsibleDockerClient,
+    api_version: LooseVersion,
+    options: list[Option],
+    image: dict[str, t.Any] | None,
+    values: dict[str, t.Any],
+    host_info: dict[str, t.Any] | None,
+) -> dict[str, t.Any]:
+    expected_values = {}
+    if "command" in values:
+        command = values["command"]
+        if command == [] and image and image["Config"].get("Cmd"):
+            command = image["Config"].get("Cmd")
+        expected_values["command"] = command
+    return expected_values
+
+
+def _needs_container_image_command(values: dict[str, t.Any]) -> bool:
+    return values.get("command") == []
+
+
+OPTION_AUTO_REMOVE.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("AutoRemove")
+)
+
+OPTION_BLKIO_WEIGHT.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("BlkioWeight", update_parameter="BlkioWeight"),
+)
+
+OPTION_CAPABILITIES.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("CapAdd")
+)
+
+OPTION_CAP_DROP.add_engine("docker_api", DockerAPIEngine.host_config_value("CapDrop"))
+
+OPTION_CGROUP_NS_MODE.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CgroupnsMode", min_api_version="1.41"),
+)
+
+OPTION_CGROUP_PARENT.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("CgroupParent")
+)
+
+OPTION_COMMAND.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_value_command,
+        set_value=_set_value_command,
+        get_expected_values=_get_expected_values_command,
+        needs_container_image=_needs_container_image_command,
+    ),
+)
+
+OPTION_CPU_PERIOD.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CpuPeriod", update_parameter="CpuPeriod"),
+)
+
+OPTION_CPU_QUOTA.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CpuQuota", update_parameter="CpuQuota"),
+)
+
+OPTION_CPUSET_CPUS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CpusetCpus", update_parameter="CpusetCpus"),
+)
+
+OPTION_CPUSET_MEMS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CpusetMems", update_parameter="CpusetMems"),
+)
+
+OPTION_CPU_SHARES.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("CpuShares", update_parameter="CpuShares"),
+)
+
+OPTION_ENTRYPOINT.add_engine("docker_api", DockerAPIEngine.config_value("Entrypoint"))
+
+OPTION_CPUS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("NanoCpus", preprocess_value=_preprocess_cpus),
+)
+
+OPTION_DETACH_INTERACTIVE.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_value_detach_interactive, set_value=_set_value_detach_interactive
+    ),
+)
+
+OPTION_DEVICES.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("Devices", preprocess_value=_preprocess_devices),
+)
+
+OPTION_DEVICE_READ_BPS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "BlkioDeviceReadBps", preprocess_value=_preprocess_rate_bps
+    ),
+)
+
+OPTION_DEVICE_WRITE_BPS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "BlkioDeviceWriteBps", preprocess_value=_preprocess_rate_bps
+    ),
+)
+
+OPTION_DEVICE_READ_IOPS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "BlkioDeviceReadIOps", preprocess_value=_preprocess_rate_iops
+    ),
+)
+
+OPTION_DEVICE_WRITE_IOPS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "BlkioDeviceWriteIOps", preprocess_value=_preprocess_rate_iops
+    ),
+)
+
+OPTION_DEVICE_REQUESTS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "DeviceRequests",
+        min_api_version="1.40",
+        preprocess_value=_preprocess_device_requests,
+    ),
+)
+
+OPTION_DEVICE_CGROUP_RULES.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("DeviceCgroupRules", min_api_version="1.28"),
+)
+
+OPTION_DNS_SERVERS.add_engine("docker_api", DockerAPIEngine.host_config_value("Dns"))
+
+OPTION_DNS_OPTS.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("DnsOptions")
+)
+
+OPTION_DNS_SEARCH_DOMAINS.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("DnsSearch")
+)
+
+OPTION_DOMAINNAME.add_engine("docker_api", DockerAPIEngine.config_value("Domainname"))
+
+OPTION_ENVIRONMENT.add_engine(
+    "docker_api",
+    DockerAPIEngine.config_value("Env", get_expected_value=_get_expected_env_value),
+)
+
+OPTION_ETC_HOSTS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "ExtraHosts", preprocess_value=_preprocess_etc_hosts
+    ),
+)
+
+OPTION_GROUPS.add_engine("docker_api", DockerAPIEngine.host_config_value("GroupAdd"))
+
+OPTION_HEALTHCHECK.add_engine(
+    "docker_api",
+    DockerAPIEngine.config_value(
+        "Healthcheck",
+        preprocess_value=_preprocess_healthcheck,
+        postprocess_for_get=_postprocess_healthcheck_get_value,
+        extra_option_minimal_versions={
+            "healthcheck.start_interval": {
+                "docker_api_version": "1.44",
+                "detect_usage": lambda c: c.module.params["healthcheck"]
+                and c.module.params["healthcheck"]["start_interval"] is not None,
+            },
+        },
+    ),
+)
+
+OPTION_HOSTNAME.add_engine("docker_api", DockerAPIEngine.config_value("Hostname"))
+
+OPTION_IMAGE.add_engine(
+    "docker_api",
+    DockerAPIEngine.config_value(
+        "Image",
+        ignore_mismatching_result=lambda module, client, api_version, option, image, container_value, expected_value, host_info: True,
+    ),
+)
+
+OPTION_INIT.add_engine("docker_api", DockerAPIEngine.host_config_value("Init"))
+
+OPTION_IPC_MODE.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "IpcMode", preprocess_value=_preprocess_container_names
+    ),
+)
+
+OPTION_KERNEL_MEMORY.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("KernelMemory", update_parameter="KernelMemory"),
+)
+
+OPTION_LABELS.add_engine(
+    "docker_api",
+    DockerAPIEngine.config_value(
+        "Labels",
+        get_expected_value=_get_expected_labels_value,
+        ignore_mismatching_result=_ignore_mismatching_label_result,
+    ),
+)
+
+OPTION_LINKS.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("Links", preprocess_value=_preprocess_links),
+)
+
+OPTION_LOG_DRIVER_OPTIONS.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_values_log,
+        set_value=_set_values_log,
+    ),
+)
+
+OPTION_MAC_ADDRESS.add_engine("docker_api", DockerAPIEngine.config_value("MacAddress"))
+
+OPTION_MEMORY.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("Memory", update_parameter="Memory")
+)
+
+OPTION_MEMORY_RESERVATION.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "MemoryReservation", update_parameter="MemoryReservation"
+    ),
+)
+
+OPTION_MEMORY_SWAP.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value("MemorySwap", update_parameter="MemorySwap"),
+)
+
+OPTION_MEMORY_SWAPPINESS.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("MemorySwappiness")
+)
+
+OPTION_STOP_TIMEOUT.add_engine(
+    "docker_api", DockerAPIEngine.config_value("StopTimeout")
+)
+
+OPTION_NETWORK.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        preprocess_value=_preprocess_network_values,
+        get_value=_get_values_network,
+        set_value=_set_values_network,
+        ignore_mismatching_result=_ignore_mismatching_network_result,
+        needs_host_info=_needs_host_info_network,
+        extra_option_minimal_versions={
+            "networks.mac_address": {
+                "docker_api_version": "1.44",
+                "detect_usage": lambda c: any(
+                    net_info.get("mac_address") is not None
+                    for net_info in (c.module.params["networks"] or [])
+                ),
+            },
+            "networks.driver_opts": {
+                "docker_api_version": "1.32",
+                "detect_usage": lambda c: any(
+                    net_info.get("driver_opts") is not None
+                    for net_info in (c.module.params["networks"] or [])
+                ),
+            },
+            "networks.gw_priority": {
+                "docker_api_version": "1.48",
+                "detect_usage": lambda c: any(
+                    net_info.get("gw_priority") is not None
+                    for net_info in (c.module.params["networks"] or [])
+                ),
+            },
+        },
+    ),
+)
+
+OPTION_OOM_KILLER.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("OomKillDisable")
+)
+
+OPTION_OOM_SCORE_ADJ.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("OomScoreAdj")
+)
+
+OPTION_PID_MODE.add_engine(
+    "docker_api",
+    DockerAPIEngine.host_config_value(
+        "PidMode", preprocess_value=_preprocess_container_names
+    ),
+)
+
+OPTION_PIDS_LIMIT.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("PidsLimit")
+)
+
+OPTION_PLATFORM.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_values_platform,
+        set_value=_set_values_platform,
+        get_expected_values=_get_expected_values_platform,
+        needs_container_image=_needs_container_image_platform,
+        needs_host_info=_needs_host_info_platform,
+        min_api_version="1.41",
+    ),
+)
+
+OPTION_PRIVILEGED.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("Privileged")
+)
+
+OPTION_READ_ONLY.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("ReadonlyRootfs")
+)
+
+OPTION_RESTART_POLICY.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_values_restart,
+        set_value=_set_values_restart,
+        update_value=_update_value_restart,
+    ),
+)
+
+OPTION_RUNTIME.add_engine("docker_api", DockerAPIEngine.host_config_value("Runtime"))
+
+OPTION_SECURITY_OPTS.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("SecurityOpt")
+)
+
+OPTION_SHM_SIZE.add_engine("docker_api", DockerAPIEngine.host_config_value("ShmSize"))
+
+OPTION_STOP_SIGNAL.add_engine("docker_api", DockerAPIEngine.config_value("StopSignal"))
+
+OPTION_STORAGE_OPTS.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("StorageOpt")
+)
+
+OPTION_SYSCTLS.add_engine("docker_api", DockerAPIEngine.host_config_value("Sysctls"))
+
+OPTION_TMPFS.add_engine("docker_api", DockerAPIEngine.host_config_value("Tmpfs"))
+
+OPTION_TTY.add_engine("docker_api", DockerAPIEngine.config_value("Tty"))
+
+OPTION_ULIMITS.add_engine("docker_api", DockerAPIEngine.host_config_value("Ulimits"))
+
+OPTION_USER.add_engine("docker_api", DockerAPIEngine.config_value("User"))
+
+OPTION_USERNS_MODE.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("UsernsMode")
+)
+
+OPTION_UTS.add_engine("docker_api", DockerAPIEngine.host_config_value("UTSMode"))
+
+OPTION_VOLUME_DRIVER.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("VolumeDriver")
+)
+
+OPTION_VOLUMES_FROM.add_engine(
+    "docker_api", DockerAPIEngine.host_config_value("VolumesFrom")
+)
+
+OPTION_WORKING_DIR.add_engine("docker_api", DockerAPIEngine.config_value("WorkingDir"))
+
+OPTION_MOUNTS_VOLUMES.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_values_mounts,
+        get_expected_values=_get_expected_values_mounts,
+        set_value=_set_values_mounts,
+        extra_option_minimal_versions={
+            "mounts.non_recursive": {
+                "docker_api_version": "1.40",
+                "detect_usage": lambda c: any(
+                    mount.get("non_recursive") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.create_mountpoint": {
+                "docker_api_version": "1.42",
+                "detect_usage": lambda c: any(
+                    mount.get("create_mountpoint") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.type=cluster": {
+                "docker_api_version": "1.42",
+                "detect_usage": lambda c: any(
+                    mount.get("type") == "cluster"
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.read_only_non_recursive": {
+                "docker_api_version": "1.44",
+                "detect_usage": lambda c: any(
+                    mount.get("read_only_non_recursive") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.read_only_force_recursive": {
+                "docker_api_version": "1.44",
+                "detect_usage": lambda c: any(
+                    mount.get("read_only_force_recursive") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.subpath": {
+                "docker_api_version": "1.45",
+                "detect_usage": lambda c: any(
+                    mount.get("subpath") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.tmpfs_options": {
+                "docker_api_version": "1.46",
+                "detect_usage": lambda c: any(
+                    mount.get("tmpfs_options") is not None
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+            "mounts.type=image": {
+                "docker_api_version": "1.47",
+                "detect_usage": lambda c: any(
+                    mount.get("type") == "image"
+                    for mount in (c.module.params["mounts"] or [])
+                ),
+            },
+        },
+    ),
+)
+
+OPTION_PORTS.add_engine(
+    "docker_api",
+    DockerAPIEngine(
+        get_value=_get_values_ports,
+        get_expected_values=_get_expected_values_ports,
+        set_value=_set_values_ports,
+        preprocess_value=_preprocess_value_ports,
+    ),
+)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_module_container/module.py b/ansible_collections/community/docker/plugins/module_utils/_module_container/module.py
new file mode 100644
index 00000000..5fdc6953
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_module_container/module.py
@@ -0,0 +1,1351 @@
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import re
+import typing as t
+from time import sleep
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._module_container.base import (
+    Client,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+    compare_generic,
+    is_image_name_id,
+    normalize_ip_address,
+    sanitize_result,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Sequence
+
+    from ansible.module_utils.basic import AnsibleModule
+
+    from .base import Engine, EngineDriver, Option, OptionGroup
+
+
+class Container(DockerBaseClass):
+    def __init__(
+        self, container: dict[str, t.Any] | None, engine_driver: EngineDriver
+    ) -> None:
+        super().__init__()
+        self.raw = container
+        self.id: str | None = None
+        self.image: str | None = None
+        self.image_name: str | None = None
+        self.container = container
+        self.engine_driver = engine_driver
+        if container:
+            self.id = engine_driver.get_container_id(container)
+            self.image = engine_driver.get_image_from_container(container)
+            self.image_name = engine_driver.get_image_name_from_container(container)
+        self.log(self.container, pretty_print=True)
+
+    @property
+    def exists(self) -> bool:
+        return bool(self.container)
+
+    @property
+    def removing(self) -> bool:
+        return (
+            self.engine_driver.is_container_removing(self.container)
+            if self.container
+            else False
+        )
+
+    @property
+    def running(self) -> bool:
+        return (
+            self.engine_driver.is_container_running(self.container)
+            if self.container
+            else False
+        )
+
+    @property
+    def paused(self) -> bool:
+        return (
+            self.engine_driver.is_container_paused(self.container)
+            if self.container
+            else False
+        )
+
+
+class ContainerManager(DockerBaseClass, t.Generic[Client]):
+    def __init__(
+        self,
+        module: AnsibleModule,
+        engine_driver: EngineDriver,
+        client: Client,
+        active_options: list[OptionGroup],
+    ) -> None:
+        super().__init__()
+        self.module = module
+        self.engine_driver = engine_driver
+        self.client = client
+        self.options = active_options
+        self.all_options = self._collect_all_options(active_options)
+        self.check_mode = self.module.check_mode
+        self.param_cleanup: bool = self.module.params["cleanup"]
+        self.param_container_default_behavior: t.Literal[
+            "compatibility", "no_defaults"
+        ] = self.module.params["container_default_behavior"]
+        self.param_default_host_ip: str | None = self.module.params["default_host_ip"]
+        self.param_debug: bool = self.module.params["debug"]
+        self.param_force_kill: bool = self.module.params["force_kill"]
+        self.param_image: str | None = self.module.params["image"]
+        self.param_image_comparison: t.Literal["desired-image", "current-image"] = (
+            self.module.params["image_comparison"]
+        )
+        self.param_image_label_mismatch: t.Literal["ignore", "fail"] = (
+            self.module.params["image_label_mismatch"]
+        )
+        self.param_image_name_mismatch: t.Literal["ignore", "recreate"] = (
+            self.module.params["image_name_mismatch"]
+        )
+        self.param_keep_volumes: bool = self.module.params["keep_volumes"]
+        self.param_kill_signal: str | None = self.module.params["kill_signal"]
+        self.param_name: str = self.module.params["name"]
+        self.param_networks_cli_compatible: bool = self.module.params[
+            "networks_cli_compatible"
+        ]
+        self.param_output_logs: bool = self.module.params["output_logs"]
+        self.param_paused: bool | None = self.module.params["paused"]
+        param_pull: t.Literal["never", "missing", "always", True, False] = (
+            self.module.params["pull"]
+        )
+        if param_pull is True:
+            param_pull = "always"
+        if param_pull is False:
+            param_pull = "missing"
+        self.param_pull: t.Literal["never", "missing", "always"] = param_pull
+        self.param_pull_check_mode_behavior: t.Literal[
+            "image_not_present", "always"
+        ] = self.module.params["pull_check_mode_behavior"]
+        self.param_recreate: bool = self.module.params["recreate"]
+        self.param_removal_wait_timeout: int | float | None = self.module.params[
+            "removal_wait_timeout"
+        ]
+        self.param_healthy_wait_timeout: int | float | None = self.module.params[
+            "healthy_wait_timeout"
+        ]
+        if (
+            self.param_healthy_wait_timeout is not None
+            and self.param_healthy_wait_timeout <= 0
+        ):
+            self.param_healthy_wait_timeout = None
+        self.param_restart: bool = self.module.params["restart"]
+        self.param_state: t.Literal[
+            "absent", "present", "healthy", "started", "stopped"
+        ] = self.module.params["state"]
+        self._parse_comparisons()
+        self._update_params()
+        self.results = {"changed": False, "actions": []}
+        self.diff: dict[str, t.Any] = {}
+        self.diff_tracker = DifferenceTracker()
+        self.facts: dict[str, t.Any] | None = {}
+        if self.param_default_host_ip:
+            valid_ip = False
+            if re.match(
+                r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$", self.param_default_host_ip
+            ):
+                valid_ip = True
+            if re.match(r"^\[[0-9a-fA-F:]+\]$", self.param_default_host_ip):
+                valid_ip = True
+            if re.match(r"^[0-9a-fA-F:]+$", self.param_default_host_ip):
+                self.param_default_host_ip = f"[{self.param_default_host_ip}]"
+                valid_ip = True
+            if not valid_ip:
+                self.fail(
+                    "The value of default_host_ip must be an empty string, an IPv4 address, "
+                    f'or an IPv6 address. Got "{self.param_default_host_ip}" instead.'
+                )
+        self.parameters: list[tuple[OptionGroup, dict[str, t.Any]]] | None = None
+
+    def _add_action(self, action: dict[str, t.Any]) -> None:
+        actions: list[dict[str, t.Any]] = self.results["actions"]  # type: ignore
+        actions.append(action)
+
+    def _collect_all_options(
+        self, active_options: list[OptionGroup]
+    ) -> dict[str, Option]:
+        all_options = {}
+        for options in active_options:
+            for option in options.options:
+                all_options[option.name] = option
+        return all_options
+
+    def _collect_all_module_params(self) -> set[str]:
+        all_module_options = set()
+        for option, data in self.module.argument_spec.items():
+            all_module_options.add(option)
+            if "aliases" in data:
+                for alias in data["aliases"]:
+                    all_module_options.add(alias)
+        return all_module_options
+
+    def _parse_comparisons(self) -> None:
+        # Keep track of all module params and all option aliases
+        all_module_options = self._collect_all_module_params()
+        comp_aliases = {}
+        for option_name, option in self.all_options.items():
+            if option.not_an_ansible_option:
+                continue
+            comp_aliases[option_name] = option_name
+            for alias in option.ansible_aliases:
+                comp_aliases[alias] = option_name
+        # Process comparisons specified by user
+        comparisons: dict[str, t.Any] | None = self.module.params.get("comparisons")
+        if comparisons:
+            # If '*' appears in comparisons, process it first
+            if "*" in comparisons:
+                value = comparisons["*"]
+                if value not in ("strict", "ignore"):
+                    self.fail(
+                        "The wildcard can only be used with comparison modes 'strict' and 'ignore'!"
+                    )
+                for option in self.all_options.values():
+                    # `networks` is special: only update if
+                    # some value is actually specified
+                    if (
+                        option.name == "networks"
+                        and self.module.params["networks"] is None
+                    ):
+                        continue
+                    option.comparison = value
+            # Now process all other comparisons.
+            comp_aliases_used: dict[str, str] = {}
+            for key, value in comparisons.items():
+                if key == "*":
+                    continue
+                # Find main key
+                key_main = comp_aliases.get(key)
+                if key_main is None:
+                    if key_main in all_module_options:
+                        self.fail(
+                            f"The module option '{key}' cannot be specified in the comparisons dict, "
+                            "since it does not correspond to container's state!"
+                        )
+                    if (
+                        key not in self.all_options
+                        or self.all_options[key].not_an_ansible_option
+                    ):
+                        self.fail(f"Unknown module option '{key}' in comparisons dict!")
+                    key_main = key
+                if key_main in comp_aliases_used:
+                    self.fail(
+                        f"Both '{key}' and '{comp_aliases_used[key_main]}' (aliases of {key_main}) are specified in comparisons dict!"
+                    )
+                comp_aliases_used[key_main] = key
+                # Check value and update accordingly
+                if value in ("strict", "ignore"):
+                    self.all_options[key_main].comparison = value
+                elif value == "allow_more_present":
+                    if self.all_options[key_main].comparison_type == "value":
+                        self.fail(
+                            f"Option '{key}' is a value and not a set/list/dict, so its comparison cannot be {value}"
+                        )
+                    self.all_options[key_main].comparison = value
+                else:
+                    self.fail(f"Unknown comparison mode '{value}'!")
+        # Copy values
+        for option in self.all_options.values():
+            if option.copy_comparison_from is not None:
+                option.comparison = self.all_options[
+                    option.copy_comparison_from
+                ].comparison
+
+    def _update_params(self) -> None:
+        if (
+            self.param_networks_cli_compatible is True
+            and self.module.params["networks"]
+            and self.module.params["network_mode"] is None
+        ):
+            # Same behavior as Docker CLI: if networks are specified, use the name of the first network as the value for network_mode
+            # (assuming no explicit value is specified for network_mode)
+            self.module.params["network_mode"] = self.module.params["networks"][0][
+                "name"
+            ]
+        if self.param_container_default_behavior == "compatibility":
+            old_default_values = {
+                "auto_remove": False,
+                "detach": True,
+                "init": False,
+                "interactive": False,
+                "memory": "0",
+                "paused": False,
+                "privileged": False,
+                "read_only": False,
+                "tty": False,
+            }
+            for param, value in old_default_values.items():
+                if self.module.params[param] is None:
+                    self.module.params[param] = value
+
+    def fail(self, *args: str, **kwargs: t.Any) -> t.NoReturn:
+        # mypy doesn't know that Client has fail() method
+        raise self.client.fail(*args, **kwargs)  # type: ignore
+
+    def run(self) -> None:
+        if self.param_state in ("stopped", "started", "present", "healthy"):
+            # mypy doesn't get that self.param_state has only one of the above values
+            self.present(self.param_state)  # type: ignore
+        elif self.param_state == "absent":
+            self.absent()
+
+        if not self.check_mode and not self.param_debug:
+            self.results.pop("actions")
+
+        if self.module._diff or self.param_debug:
+            self.diff["before"], self.diff["after"] = (
+                self.diff_tracker.get_before_after()
+            )
+            self.results["diff"] = self.diff
+
+        if self.facts:
+            self.results["container"] = self.facts
+
+    def wait_for_state(
+        self,
+        container_id: str,
+        *,
+        complete_states: Sequence[str | None] | None = None,
+        wait_states: Sequence[str | None] | None = None,
+        accept_removal: bool = False,
+        max_wait: int | float | None = None,
+        health_state: bool = False,
+    ) -> dict[str, t.Any] | None:
+        delay = 1.0
+        total_wait = 0.0
+        while True:
+            # Inspect container
+            result = self.engine_driver.inspect_container_by_id(
+                self.client, container_id
+            )
+            if result is None:
+                if accept_removal:
+                    return result
+                msg = f'Encontered vanished container while waiting for container "{container_id}"'
+                self.fail(msg)
+            # Check container state
+            state_info = result.get("State") or {}
+            if health_state:
+                state_info = state_info.get("Health") or {}
+            state = state_info.get("Status")
+            if complete_states is not None and state in complete_states:
+                return result
+            if wait_states is not None and state not in wait_states:
+                msg = f'Encontered unexpected state "{state}" while waiting for container "{container_id}"'
+                self.fail(msg, container=result)
+            # Wait
+            if max_wait is not None:
+                if total_wait > max_wait or delay < 1e-4:
+                    msg = f'Timeout of {max_wait} seconds exceeded while waiting for container "{container_id}"'
+                    self.fail(msg, container=result)
+                if total_wait + delay > max_wait:
+                    delay = max_wait - total_wait
+            sleep(delay)
+            total_wait += delay
+            # Exponential backoff, but never wait longer than 10 seconds
+            # (1.1**24 < 10, 1.1**25 > 10, so it will take 25 iterations
+            #  until the maximal 10 seconds delay is reached. By then, the
+            #  code will have slept for ~1.5 minutes.)
+            delay = min(delay * 1.1, 10)
+
+    def _collect_params(
+        self, active_options: list[OptionGroup]
+    ) -> list[tuple[OptionGroup, dict[str, t.Any]]]:
+        parameters = []
+        for options in active_options:
+            values = {}
+            engine = options.get_engine(self.engine_driver.name)
+            for option in options.all_options:
+                if (
+                    not option.not_an_ansible_option
+                    and self.module.params[option.name] is not None
+                ):
+                    values[option.name] = self.module.params[option.name]
+            values = options.preprocess(self.module, values)
+            engine.preprocess_value(
+                self.module,
+                self.client,
+                self.engine_driver.get_api_version(self.client),
+                options.options,
+                values,
+            )
+            parameters.append((options, values))
+        return parameters
+
+    def _needs_container_image(self) -> bool:
+        assert self.parameters is not None
+        for options, values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if engine.needs_container_image(values):
+                return True
+        return False
+
+    def _needs_host_info(self) -> bool:
+        assert self.parameters is not None
+        for options, values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if engine.needs_host_info(values):
+                return True
+        return False
+
+    def present(
+        self, state: t.Literal["stopped", "started", "present", "healthy"]
+    ) -> None:
+        self.parameters = self._collect_params(self.options)
+        container = self._get_container(self.param_name)
+        was_running = container.running
+        was_paused = container.paused
+        container_created = False
+
+        # If the image parameter was passed then we need to deal with the image
+        # version comparison. Otherwise we handle this depending on whether
+        # the container already runs or not; in the former case, in case the
+        # container needs to be restarted, we use the existing container's
+        # image ID.
+        image, container_image, comparison_image = self._get_image(
+            container, needs_container_image=self._needs_container_image()
+        )
+        self.log(image, pretty_print=True)
+        host_info = (
+            self.engine_driver.get_host_info(self.client)
+            if self._needs_host_info()
+            else None
+        )
+        if not container.exists or container.removing:
+            # New container
+            if container.removing:
+                self.log("Found container in removal phase")
+            else:
+                self.log("No container found")
+            if not self.param_image:
+                self.fail("Cannot create container when image is not specified!")
+            self.diff_tracker.add("exists", parameter=True, active=False)
+            if container.removing and not self.check_mode:
+                # Wait for container to be removed before trying to create it
+                assert container.id is not None
+                self.wait_for_state(
+                    container.id,
+                    wait_states=["removing"],
+                    accept_removal=True,
+                    max_wait=self.param_removal_wait_timeout,
+                )
+            new_container = self.container_create(self.param_image)
+            if new_container:
+                container = new_container
+            container_created = True
+        else:
+            # Existing container
+            assert container.id is not None
+            different, differences = self.has_different_configuration(
+                container, container_image, comparison_image, host_info
+            )
+            image_different = False
+            if self.all_options["image"].comparison == "strict":
+                image_different = self._image_is_different(image, container)
+                if (
+                    self.param_image_name_mismatch == "recreate"
+                    and self.param_image is not None
+                    and self.param_image != container.image_name
+                ):
+                    different = True
+                    self.diff_tracker.add(
+                        "image_name",
+                        parameter=self.param_image,
+                        active=container.image_name,
+                    )
+            if image_different or different or self.param_recreate:
+                self.diff_tracker.merge(differences)
+                self.diff["differences"] = (
+                    differences.get_legacy_docker_container_diffs()
+                )
+                if image_different:
+                    self.diff["image_different"] = True
+                self.log("differences")
+                self.log(
+                    differences.get_legacy_docker_container_diffs(), pretty_print=True
+                )
+                image_to_use = self.param_image
+                if not image_to_use and container and container.image:
+                    image_to_use = container.image
+                if not image_to_use:
+                    self.fail(
+                        "Cannot recreate container when image is not specified or cannot be extracted from current container!"
+                    )
+                if container.running:
+                    self.container_stop(container.id)
+                self.container_remove(container.id)
+                if not self.check_mode:
+                    self.wait_for_state(
+                        container.id,
+                        wait_states=["removing"],
+                        accept_removal=True,
+                        max_wait=self.param_removal_wait_timeout,
+                    )
+                new_container = self.container_create(image_to_use)
+                if new_container:
+                    container = new_container
+                container_created = True
+                comparison_image = image
+
+        if container and container.exists:
+            container = self.update_limits(
+                container, container_image, comparison_image, host_info
+            )
+            container = self.update_networks(container, container_created)
+
+            if state in ("started", "healthy") and not container.running:
+                self.diff_tracker.add("running", parameter=True, active=was_running)
+                assert container.id is not None
+                container = self.container_start(container.id)
+            elif state in ("started", "healthy") and self.param_restart:
+                self.diff_tracker.add("running", parameter=True, active=was_running)
+                self.diff_tracker.add("restarted", parameter=True, active=False)
+                assert container.id is not None
+                container = self.container_restart(container.id)
+            elif state == "stopped" and container.running:
+                self.diff_tracker.add("running", parameter=False, active=was_running)
+                assert container.id is not None
+                self.container_stop(container.id)
+                container = self._get_container(container.id)
+
+            if (
+                state in ("started", "healthy")
+                and self.param_paused is not None
+                and container.paused != self.param_paused
+            ):
+                self.diff_tracker.add(
+                    "paused", parameter=self.param_paused, active=was_paused
+                )
+                if not self.check_mode:
+                    assert container.id is not None
+                    try:
+                        if self.param_paused:
+                            self.engine_driver.pause_container(
+                                self.client, container.id
+                            )
+                        else:
+                            self.engine_driver.unpause_container(
+                                self.client, container.id
+                            )
+                    except Exception as exc:  # pylint: disable=broad-exception-caught
+                        self.fail(
+                            f"Error {'pausing' if self.param_paused else 'unpausing'} container {container.id}: {exc}"
+                        )
+                    container = self._get_container(container.id)
+                self.results["changed"] = True
+                self._add_action({"set_paused": self.param_paused})
+
+        self.facts = container.raw
+
+        if state == "healthy" and not self.check_mode:
+            # `None` means that no health check enabled; simply treat this as 'healthy'
+            assert container.id is not None
+            inspect_result = self.wait_for_state(
+                container.id,
+                wait_states=["starting", "unhealthy"],
+                complete_states=["healthy", None],
+                max_wait=self.param_healthy_wait_timeout,
+                health_state=True,
+            )
+            if inspect_result:
+                # Return the latest inspection results retrieved
+                self.facts = inspect_result
+
+    def absent(self) -> None:
+        container = self._get_container(self.param_name)
+        if container.exists:
+            assert container.id is not None
+            if container.running:
+                self.diff_tracker.add("running", parameter=False, active=True)
+                self.container_stop(container.id)
+            self.diff_tracker.add("exists", parameter=False, active=True)
+            self.container_remove(container.id)
+
+    def _output_logs(self, msg: str | bytes) -> None:
+        self.module.log(msg=msg)
+
+    def _get_container(self, container: str) -> Container:
+        """
+        Expects container ID or Name. Returns a container object
+        """
+        container_data = self.engine_driver.inspect_container_by_name(
+            self.client, container
+        )
+        return Container(container_data, self.engine_driver)
+
+    def _get_container_image(
+        self, container: Container, fallback: dict[str, t.Any] | None = None
+    ) -> dict[str, t.Any] | None:
+        if not container.exists or container.removing:
+            return fallback
+        image = container.image
+        assert image is not None
+        if is_image_name_id(image):
+            image_data = self.engine_driver.inspect_image_by_id(self.client, image)
+        else:
+            repository, tag = parse_repository_tag(image)
+            if not tag:
+                tag = "latest"
+            image_data = self.engine_driver.inspect_image_by_name(
+                self.client, repository, tag
+            )
+        return image_data or fallback
+
+    def _get_image(
+        self, container: Container, needs_container_image: bool = False
+    ) -> tuple[
+        dict[str, t.Any] | None, dict[str, t.Any] | None, dict[str, t.Any] | None
+    ]:
+        image_parameter = self.param_image
+        get_container_image = needs_container_image or not image_parameter
+        container_image = (
+            self._get_container_image(container) if get_container_image else None
+        )
+        if container_image:
+            self.log("current image")
+            self.log(container_image, pretty_print=True)
+        if not image_parameter:
+            self.log("No image specified")
+            return None, container_image, container_image
+        if is_image_name_id(image_parameter):
+            image = self.engine_driver.inspect_image_by_id(self.client, image_parameter)
+            if image is None:
+                self.fail(f"Cannot find image with ID {image_parameter}")
+        else:
+            repository, tag = parse_repository_tag(image_parameter)
+            if not tag:
+                tag = "latest"
+            image = self.engine_driver.inspect_image_by_name(
+                self.client, repository, tag
+            )
+            if not image and self.param_pull == "never":
+                self.fail(
+                    f"Cannot find image with name {repository}:{tag}, and pull=never"
+                )
+            if not image or self.param_pull == "always":
+                if not self.check_mode:
+                    self.log("Pull the image.")
+                    image, already_to_latest = self.engine_driver.pull_image(
+                        self.client,
+                        repository,
+                        tag,
+                        image_platform=self.module.params["platform"],
+                    )
+                    if already_to_latest:
+                        self.results["changed"] = False
+                        self._add_action(
+                            {"pulled_image": f"{repository}:{tag}", "changed": False}
+                        )
+                    else:
+                        self.results["changed"] = True
+                        self._add_action(
+                            {"pulled_image": f"{repository}:{tag}", "changed": True}
+                        )
+                elif not image or self.param_pull_check_mode_behavior == "always":
+                    # If the image is not there, or pull_check_mode_behavior == 'always', claim we'll
+                    # pull. (Implicitly: if the image is there, claim it already was latest unless
+                    # pull_check_mode_behavior == 'always'.)
+                    self.results["changed"] = True
+                    action: dict[str, t.Any] = {"pulled_image": f"{repository}:{tag}"}
+                    if not image:
+                        action["changed"] = True
+                    self._add_action(action)
+
+        self.log("image")
+        self.log(image, pretty_print=True)
+
+        comparison_image = image
+        if self.param_image_comparison == "current-image":
+            if not get_container_image:
+                container_image = self._get_container_image(container)
+            comparison_image = container_image
+
+        return image, container_image, comparison_image
+
+    def _image_is_different(
+        self, image: dict[str, t.Any] | None, container: Container
+    ) -> bool:
+        if (
+            image
+            and image.get("Id")
+            and container
+            and container.image
+            and image.get("Id") != container.image
+        ):
+            self.diff_tracker.add(
+                "image", parameter=image.get("Id"), active=container.image
+            )
+            return True
+        return False
+
+    def _compose_create_parameters(self, image: str) -> dict[str, t.Any]:
+        params: dict[str, t.Any] = {}
+        assert self.parameters is not None
+        for options, values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if engine.can_set_value(self.engine_driver.get_api_version(self.client)):
+                engine.set_value(
+                    self.module,
+                    params,
+                    self.engine_driver.get_api_version(self.client),
+                    options.options,
+                    values,
+                )
+        params["Image"] = image
+        return params
+
+    def _record_differences(
+        self,
+        differences: DifferenceTracker,
+        options: OptionGroup,
+        param_values: dict[str, t.Any],
+        engine: Engine,
+        container: Container,
+        container_image: dict[str, t.Any] | None,
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> None:
+        assert container.raw is not None
+        container_values = engine.get_value(
+            self.module,
+            container.raw,
+            self.engine_driver.get_api_version(self.client),
+            options.options,
+            container_image,
+            host_info,
+        )
+        expected_values = engine.get_expected_values(
+            self.module,
+            self.client,
+            self.engine_driver.get_api_version(self.client),
+            options.options,
+            image,
+            param_values.copy(),
+            host_info,
+        )
+        for option in options.options:
+            if option.name in expected_values:
+                param_value = expected_values[option.name]
+                container_value = container_values.get(option.name)
+                match = engine.compare_value(option, param_value, container_value)
+
+                if not match:
+                    # No match.
+                    if engine.ignore_mismatching_result(
+                        self.module,
+                        self.client,
+                        self.engine_driver.get_api_version(self.client),
+                        option,
+                        image,
+                        container_value,
+                        param_value,
+                        host_info,
+                    ):
+                        # Ignore the result
+                        continue
+
+                    # Record the differences
+                    p = param_value
+                    c = container_value
+                    if option.comparison_type == "set":
+                        # Since the order does not matter, sort so that the diff output is better.
+                        if p is not None:
+                            p = sorted(p)
+                        if c is not None:
+                            c = sorted(c)
+                    elif option.comparison_type == "set(dict)":
+                        # Since the order does not matter, sort so that the diff output is better.
+                        if option.name == "expected_mounts":
+                            # For selected values, use one entry as key
+                            def sort_key_fn(x: dict[str, t.Any]) -> t.Any:
+                                return x["target"]
+
+                        else:
+                            # We sort the list of dictionaries by using the sorted items of a dict as its key.
+                            def sort_key_fn(x: dict[str, t.Any]) -> t.Any:
+                                return sorted(
+                                    (a, to_text(b, errors="surrogate_or_strict"))
+                                    for a, b in x.items()
+                                )
+
+                        if p is not None:
+                            p = sorted(p, key=sort_key_fn)
+                        if c is not None:
+                            c = sorted(c, key=sort_key_fn)
+                    differences.add(option.name, parameter=p, active=c)
+
+    def has_different_configuration(
+        self,
+        container: Container,
+        container_image: dict[str, t.Any] | None,
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> tuple[bool, DifferenceTracker]:
+        differences = DifferenceTracker()
+        update_differences = DifferenceTracker()
+        assert self.parameters is not None
+        for options, param_values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if engine.can_update_value(self.engine_driver.get_api_version(self.client)):
+                self._record_differences(
+                    update_differences,
+                    options,
+                    param_values,
+                    engine,
+                    container,
+                    container_image,
+                    image,
+                    host_info,
+                )
+            else:
+                self._record_differences(
+                    differences,
+                    options,
+                    param_values,
+                    engine,
+                    container,
+                    container_image,
+                    image,
+                    host_info,
+                )
+        has_differences = not differences.empty
+        # Only consider differences of properties that can be updated when there are also other differences
+        if has_differences:
+            differences.merge(update_differences)
+        return has_differences, differences
+
+    def has_different_resource_limits(
+        self,
+        container: Container,
+        container_image: dict[str, t.Any] | None,
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> tuple[bool, DifferenceTracker]:
+        differences = DifferenceTracker()
+        assert self.parameters is not None
+        for options, param_values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if not engine.can_update_value(
+                self.engine_driver.get_api_version(self.client)
+            ):
+                continue
+            self._record_differences(
+                differences,
+                options,
+                param_values,
+                engine,
+                container,
+                container_image,
+                image,
+                host_info,
+            )
+        has_differences = not differences.empty
+        return has_differences, differences
+
+    def _compose_update_parameters(self) -> dict[str, t.Any]:
+        result: dict[str, t.Any] = {}
+        assert self.parameters is not None
+        for options, values in self.parameters:
+            engine = options.get_engine(self.engine_driver.name)
+            if not engine.can_update_value(
+                self.engine_driver.get_api_version(self.client)
+            ):
+                continue
+            engine.update_value(
+                self.module,
+                result,
+                self.engine_driver.get_api_version(self.client),
+                options.options,
+                values,
+            )
+        return result
+
+    def update_limits(
+        self,
+        container: Container,
+        container_image: dict[str, t.Any] | None,
+        image: dict[str, t.Any] | None,
+        host_info: dict[str, t.Any] | None,
+    ) -> Container:
+        limits_differ, different_limits = self.has_different_resource_limits(
+            container, container_image, image, host_info
+        )
+        if limits_differ:
+            self.log("limit differences:")
+            self.log(
+                different_limits.get_legacy_docker_container_diffs(), pretty_print=True
+            )
+            self.diff_tracker.merge(different_limits)
+        if limits_differ and not self.check_mode:
+            assert container.id is not None
+            self.container_update(container.id, self._compose_update_parameters())
+            return self._get_container(container.id)
+        return container
+
+    def has_network_differences(
+        self, container: Container
+    ) -> tuple[bool, list[dict[str, t.Any]]]:
+        """
+        Check if the container is connected to requested networks with expected options: links, aliases, ipv4, ipv6
+        """
+        different = False
+        differences: list[dict[str, t.Any]] = []
+
+        if not self.module.params["networks"]:
+            return different, differences
+
+        assert container.container is not None
+        if not container.container.get("NetworkSettings"):
+            self.fail(
+                "has_missing_networks: Error parsing container properties. NetworkSettings missing."
+            )
+
+        connected_networks = container.container["NetworkSettings"]["Networks"]
+        for network in self.module.params["networks"]:
+            network_info = connected_networks.get(network["name"])
+            if network_info is None:
+                different = True
+                differences.append({"parameter": network, "container": None})
+            else:
+                diff = False
+                network_info_ipam = network_info.get("IPAMConfig") or {}
+                if network.get("ipv4_address") and normalize_ip_address(
+                    network["ipv4_address"]
+                ) != normalize_ip_address(network_info_ipam.get("IPv4Address")):
+                    diff = True
+                if network.get("ipv6_address") and normalize_ip_address(
+                    network["ipv6_address"]
+                ) != normalize_ip_address(network_info_ipam.get("IPv6Address")):
+                    diff = True
+                if network.get("aliases") and not compare_generic(
+                    network["aliases"],
+                    network_info.get("Aliases"),
+                    "allow_more_present",
+                    "set",
+                ):
+                    diff = True
+                if network.get("links"):
+                    expected_links = []
+                    for link, alias in network["links"]:
+                        expected_links.append(f"{link}:{alias}")
+                    if not compare_generic(
+                        expected_links,
+                        network_info.get("Links"),
+                        "allow_more_present",
+                        "set",
+                    ):
+                        diff = True
+                if network.get("mac_address") and network[
+                    "mac_address"
+                ] != network_info.get("MacAddress"):
+                    diff = True
+                if diff:
+                    different = True
+                    differences.append(
+                        {
+                            "parameter": network,
+                            "container": {
+                                "name": network["name"],
+                                "ipv4_address": network_info_ipam.get("IPv4Address"),
+                                "ipv6_address": network_info_ipam.get("IPv6Address"),
+                                "aliases": network_info.get("Aliases"),
+                                "links": network_info.get("Links"),
+                                "mac_address": network_info.get("MacAddress"),
+                            },
+                        }
+                    )
+        return different, differences
+
+    def has_extra_networks(
+        self, container: Container
+    ) -> tuple[bool, list[dict[str, t.Any]]]:
+        """
+        Check if the container is connected to non-requested networks
+        """
+        extra_networks: list[dict[str, t.Any]] = []
+        extra = False
+
+        assert container.container is not None
+        if not container.container.get("NetworkSettings"):
+            self.fail(
+                "has_extra_networks: Error parsing container properties. NetworkSettings missing."
+            )
+
+        connected_networks = container.container["NetworkSettings"].get("Networks")
+        if connected_networks:
+            for network, network_config in connected_networks.items():
+                keep = False
+                if self.module.params["networks"]:
+                    for expected_network in self.module.params["networks"]:
+                        if expected_network["name"] == network:
+                            keep = True
+                if not keep:
+                    extra = True
+                    extra_networks.append(
+                        {"name": network, "id": network_config["NetworkID"]}
+                    )
+        return extra, extra_networks
+
+    def update_networks(
+        self, container: Container, container_created: bool
+    ) -> Container:
+        updated_container = container
+        if self.all_options["networks"].comparison != "ignore" or container_created:
+            has_network_differences, network_differences = self.has_network_differences(
+                container
+            )
+            if has_network_differences:
+                if self.diff.get("differences"):
+                    self.diff["differences"].append(
+                        {"network_differences": network_differences}
+                    )
+                else:
+                    self.diff["differences"] = [
+                        {"network_differences": network_differences}
+                    ]
+                for netdiff in network_differences:
+                    self.diff_tracker.add(
+                        f"network.{netdiff['parameter']['name']}",
+                        parameter=netdiff["parameter"],
+                        active=netdiff["container"],
+                    )
+                self.results["changed"] = True
+                updated_container = self._add_networks(container, network_differences)
+
+        purge_networks = (
+            self.all_options["networks"].comparison == "strict"
+            and self.module.params["networks"] is not None
+        )
+        if purge_networks:
+            has_extra_networks, extra_networks = self.has_extra_networks(container)
+            if has_extra_networks:
+                if self.diff.get("differences"):
+                    self.diff["differences"].append({"purge_networks": extra_networks})
+                else:
+                    self.diff["differences"] = [{"purge_networks": extra_networks}]
+                for extra_network in extra_networks:
+                    self.diff_tracker.add(
+                        f"network.{extra_network['name']}", active=extra_network
+                    )
+                self.results["changed"] = True
+                updated_container = self._purge_networks(container, extra_networks)
+        return updated_container
+
+    def _add_networks(
+        self, container: Container, differences: list[dict[str, t.Any]]
+    ) -> Container:
+        assert container.id is not None
+        for diff in differences:
+            # remove the container from the network, if connected
+            if diff.get("container"):
+                self._add_action({"removed_from_network": diff["parameter"]["name"]})
+                if not self.check_mode:
+                    try:
+                        self.engine_driver.disconnect_container_from_network(
+                            self.client, container.id, diff["parameter"]["id"]
+                        )
+                    except Exception as exc:  # pylint: disable=broad-exception-caught
+                        self.fail(
+                            f"Error disconnecting container from network {diff['parameter']['name']} - {exc}"
+                        )
+            # connect to the network
+            self._add_action(
+                {
+                    "added_to_network": diff["parameter"]["name"],
+                    "network_parameters": diff["parameter"],
+                }
+            )
+            if not self.check_mode:
+                params = {
+                    key: value
+                    for key, value in diff["parameter"].items()
+                    if key not in ("id", "name")
+                }
+                try:
+                    self.log(
+                        f"Connecting container to network {diff['parameter']['id']}"
+                    )
+                    self.log(params, pretty_print=True)
+                    self.engine_driver.connect_container_to_network(
+                        self.client, container.id, diff["parameter"]["id"], params
+                    )
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(
+                        f"Error connecting container to network {diff['parameter']['name']} - {exc}"
+                    )
+        return self._get_container(container.id)
+
+    def _purge_networks(
+        self, container: Container, networks: list[dict[str, t.Any]]
+    ) -> Container:
+        assert container.id is not None
+        for network in networks:
+            self._add_action({"removed_from_network": network["name"]})
+            if not self.check_mode:
+                try:
+                    self.engine_driver.disconnect_container_from_network(
+                        self.client, container.id, network["name"]
+                    )
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(
+                        f"Error disconnecting container from network {network['name']} - {exc}"
+                    )
+        return self._get_container(container.id)
+
+    def container_create(self, image: str) -> Container | None:
+        create_parameters = self._compose_create_parameters(image)
+        self.log("create container")
+        self.log(f"image: {image} parameters:")
+        self.log(create_parameters, pretty_print=True)
+        networks = {}
+        if self.param_networks_cli_compatible and self.module.params["networks"]:
+            network_list = self.module.params["networks"]
+            if not self.engine_driver.create_container_supports_more_than_one_network(
+                self.client
+            ):
+                network_list = network_list[:1]
+            for network in network_list:
+                networks[network["name"]] = {
+                    key: value
+                    for key, value in network.items()
+                    if key not in ("name", "id")
+                }
+        self._add_action(
+            {
+                "created": "Created container",
+                "create_parameters": create_parameters,
+                "networks": networks,
+            }
+        )
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                container_id = self.engine_driver.create_container(
+                    self.client, self.param_name, create_parameters, networks=networks
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error creating container: {exc}")
+            return self._get_container(container_id)
+        return None
+
+    def container_start(self, container_id: str) -> Container:
+        self.log(f"start container {container_id}")
+        self._add_action({"started": container_id})
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                self.engine_driver.start_container(self.client, container_id)
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error starting container {container_id}: {exc}")
+
+            if self.module.params["detach"] is False:
+                status = self.engine_driver.wait_for_container(
+                    self.client, container_id
+                )
+                # mypy doesn't know that Client has fail_results property
+                self.client.fail_results["status"] = status  # type: ignore
+                self.results["status"] = status
+
+                output: str | bytes
+                if self.module.params["auto_remove"]:
+                    output = "Cannot retrieve result as auto_remove is enabled"
+                    if self.param_output_logs:
+                        self.module.warn(
+                            "Cannot output_logs if auto_remove is enabled!"
+                        )
+                else:
+                    output, real_output = self.engine_driver.get_container_output(
+                        self.client, container_id
+                    )
+                    if real_output and self.param_output_logs:
+                        self._output_logs(msg=output)
+
+                if self.param_cleanup:
+                    self.container_remove(container_id, force=True)
+                insp = self._get_container(container_id)
+                if insp.raw:
+                    insp.raw["Output"] = output
+                else:
+                    insp.raw = {"Output": output}
+                if status != 0:
+                    # Set `failed` to True and return output as msg
+                    self.results["failed"] = True
+                    self.results["msg"] = output
+                return insp
+        return self._get_container(container_id)
+
+    def container_remove(
+        self, container_id: str, link: bool = False, force: bool = False
+    ) -> None:
+        volume_state = not self.param_keep_volumes
+        self.log(
+            f"remove container container:{container_id} v:{volume_state} link:{link} force{force}"
+        )
+        self._add_action(
+            {
+                "removed": container_id,
+                "volume_state": volume_state,
+                "link": link,
+                "force": force,
+            }
+        )
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                self.engine_driver.remove_container(
+                    self.client,
+                    container_id,
+                    remove_volumes=volume_state,
+                    link=link,
+                    force=force,
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error removing container {container_id}: {exc}")
+
+    def container_update(
+        self, container_id: str, update_parameters: dict[str, t.Any]
+    ) -> Container:
+        if update_parameters:
+            self.log(f"update container {container_id}")
+            self.log(update_parameters, pretty_print=True)
+            self._add_action(
+                {"updated": container_id, "update_parameters": update_parameters}
+            )
+            self.results["changed"] = True
+            if not self.check_mode:
+                try:
+                    self.engine_driver.update_container(
+                        self.client, container_id, update_parameters
+                    )
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(f"Error updating container {container_id}: {exc}")
+        return self._get_container(container_id)
+
+    def container_kill(self, container_id: str) -> None:
+        self._add_action({"killed": container_id, "signal": self.param_kill_signal})
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                self.engine_driver.kill_container(
+                    self.client, container_id, kill_signal=self.param_kill_signal
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error killing container {container_id}: {exc}")
+
+    def container_restart(self, container_id: str) -> Container:
+        self._add_action(
+            {"restarted": container_id, "timeout": self.module.params["stop_timeout"]}
+        )
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                self.engine_driver.restart_container(
+                    self.client, container_id, self.module.params["stop_timeout"] or 10
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error restarting container {container_id}: {exc}")
+        return self._get_container(container_id)
+
+    def container_stop(self, container_id: str) -> None:
+        if self.param_force_kill:
+            self.container_kill(container_id)
+            return
+        self._add_action(
+            {"stopped": container_id, "timeout": self.module.params["stop_timeout"]}
+        )
+        self.results["changed"] = True
+        if not self.check_mode:
+            try:
+                self.engine_driver.stop_container(
+                    self.client, container_id, self.module.params["stop_timeout"]
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error stopping container {container_id}: {exc}")
+
+
+def run_module(engine_driver: EngineDriver) -> None:
+    module, active_options, client = engine_driver.setup(
+        argument_spec={
+            "cleanup": {"type": "bool", "default": False},
+            "comparisons": {"type": "dict"},
+            "container_default_behavior": {
+                "type": "str",
+                "default": "no_defaults",
+                "choices": ["compatibility", "no_defaults"],
+            },
+            "command_handling": {
+                "type": "str",
+                "choices": ["compatibility", "correct"],
+                "default": "correct",
+            },
+            "default_host_ip": {"type": "str"},
+            "force_kill": {"type": "bool", "default": False, "aliases": ["forcekill"]},
+            "image": {"type": "str"},
+            "image_comparison": {
+                "type": "str",
+                "choices": ["desired-image", "current-image"],
+                "default": "desired-image",
+            },
+            "image_label_mismatch": {
+                "type": "str",
+                "choices": ["ignore", "fail"],
+                "default": "ignore",
+            },
+            "image_name_mismatch": {
+                "type": "str",
+                "choices": ["ignore", "recreate"],
+                "default": "recreate",
+            },
+            "keep_volumes": {"type": "bool", "default": True},
+            "kill_signal": {"type": "str"},
+            "name": {"type": "str", "required": True},
+            "networks_cli_compatible": {"type": "bool", "default": True},
+            "output_logs": {"type": "bool", "default": False},
+            "paused": {"type": "bool"},
+            "pull": {
+                "type": "raw",
+                "choices": ["never", "missing", "always", True, False],
+                "default": "missing",
+            },
+            "pull_check_mode_behavior": {
+                "type": "str",
+                "choices": ["image_not_present", "always"],
+                "default": "image_not_present",
+            },
+            "recreate": {"type": "bool", "default": False},
+            "removal_wait_timeout": {"type": "float"},
+            "restart": {"type": "bool", "default": False},
+            "state": {
+                "type": "str",
+                "default": "started",
+                "choices": ["absent", "present", "healthy", "started", "stopped"],
+            },
+            "healthy_wait_timeout": {"type": "float", "default": 300},
+        },
+        required_if=[
+            ("state", "present", ["image"]),
+        ],
+    )
+
+    def execute() -> t.NoReturn:
+        cm = ContainerManager(module, engine_driver, client, active_options)
+        cm.run()
+        module.exit_json(**sanitize_result(cm.results))
+
+    engine_driver.run(execute, client)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_platform.py b/ansible_collections/community/docker/plugins/module_utils/_platform.py
new file mode 100644
index 00000000..ffd9a95e
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_platform.py
@@ -0,0 +1,259 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on containerd's platforms Go module
+# (https://github.com/containerd/containerd/tree/main/platforms)
+#
+# Copyright (c) 2023 Felix Fontein <felix@fontein.de>
+# Copyright The containerd Authors
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import re
+import typing as t
+
+_VALID_STR = re.compile("^[A-Za-z0-9_-]+$")
+
+
+def _validate_part(string: str, part: str, part_name: str) -> str:
+    if not part:
+        raise ValueError(f'Invalid platform string "{string}": {part_name} is empty')
+    if not _VALID_STR.match(part):
+        raise ValueError(
+            f'Invalid platform string "{string}": {part_name} has invalid characters'
+        )
+    return part
+
+
+# See https://github.com/containerd/containerd/blob/main/platforms/database.go#L32-L38
+_KNOWN_OS = (
+    "aix",
+    "android",
+    "darwin",
+    "dragonfly",
+    "freebsd",
+    "hurd",
+    "illumos",
+    "ios",
+    "js",
+    "linux",
+    "nacl",
+    "netbsd",
+    "openbsd",
+    "plan9",
+    "solaris",
+    "windows",
+    "zos",
+)
+
+# See https://github.com/containerd/containerd/blob/main/platforms/database.go#L54-L60
+_KNOWN_ARCH = (
+    "386",
+    "amd64",
+    "amd64p32",
+    "arm",
+    "armbe",
+    "arm64",
+    "arm64be",
+    "ppc64",
+    "ppc64le",
+    "loong64",
+    "mips",
+    "mipsle",
+    "mips64",
+    "mips64le",
+    "mips64p32",
+    "mips64p32le",
+    "ppc",
+    "riscv",
+    "riscv64",
+    "s390",
+    "s390x",
+    "sparc",
+    "sparc64",
+    "wasm",
+)
+
+
+def _normalize_os(os_str: str) -> str:
+    # See normalizeOS() in https://github.com/containerd/containerd/blob/main/platforms/database.go
+    os_str = os_str.lower()
+    if os_str == "macos":
+        os_str = "darwin"
+    return os_str
+
+
+_NORMALIZE_ARCH = {
+    ("i386", None): ("386", ""),
+    ("x86_64", "v1"): ("amd64", ""),
+    ("x86-64", "v1"): ("amd64", ""),
+    ("amd64", "v1"): ("amd64", ""),
+    ("x86_64", None): ("amd64", None),
+    ("x86-64", None): ("amd64", None),
+    ("amd64", None): ("amd64", None),
+    ("aarch64", "8"): ("arm64", ""),
+    ("arm64", "8"): ("arm64", ""),
+    ("aarch64", "v8"): ("arm64", ""),
+    ("arm64", "v8"): ("arm64", ""),
+    ("aarch64", None): ("arm64", None),
+    ("arm64", None): ("arm64", None),
+    ("armhf", None): ("arm", "v7"),
+    ("armel", None): ("arm", "v6"),
+    ("arm", ""): ("arm", "v7"),
+    ("arm", "5"): ("arm", "v5"),
+    ("arm", "6"): ("arm", "v6"),
+    ("arm", "7"): ("arm", "v7"),
+    ("arm", "8"): ("arm", "v8"),
+    ("arm", None): ("arm", None),
+}
+
+
+def _normalize_arch(arch_str: str, variant_str: str) -> tuple[str, str]:
+    # See normalizeArch() in https://github.com/containerd/containerd/blob/main/platforms/database.go
+    arch_str = arch_str.lower()
+    variant_str = variant_str.lower()
+    res = _NORMALIZE_ARCH.get((arch_str, variant_str))
+    if res is None:
+        res = _NORMALIZE_ARCH.get((arch_str, None))
+    if res is None:
+        return arch_str, variant_str
+    arch_str = res[0]
+    if res[1] is not None:
+        variant_str = res[1]
+    return arch_str, variant_str
+
+
+class _Platform:
+    def __init__(
+        self, os: str | None = None, arch: str | None = None, variant: str | None = None
+    ) -> None:
+        self.os = os
+        self.arch = arch
+        self.variant = variant
+        if variant is not None:
+            if arch is None:
+                raise ValueError("If variant is given, architecture must be given too")
+            if os is None:
+                raise ValueError("If variant is given, os must be given too")
+
+    @classmethod
+    def parse_platform_string(
+        cls,
+        string: str | None,
+        daemon_os: str | None = None,
+        daemon_arch: str | None = None,
+    ) -> t.Self:
+        # See Parse() in https://github.com/containerd/containerd/blob/main/platforms/platforms.go
+        if string is None:
+            return cls()
+        if not string:
+            raise ValueError("Platform string must be non-empty")
+        parts = string.split("/", 2)
+        arch = None
+        variant = None
+        if len(parts) == 1:
+            _validate_part(string, string, "OS/architecture")
+            # The part is either OS or architecture
+            os = _normalize_os(string)
+            if os in _KNOWN_OS:
+                if daemon_arch is not None:
+                    arch, variant = _normalize_arch(daemon_arch, "")
+                return cls(os=os, arch=arch, variant=variant)
+            arch, variant = _normalize_arch(os, "")
+            if arch in _KNOWN_ARCH:
+                return cls(
+                    os=_normalize_os(daemon_os) if daemon_os else None,
+                    arch=arch or None,
+                    variant=variant or None,
+                )
+            raise ValueError(
+                f'Invalid platform string "{string}": unknown OS or architecture'
+            )
+        os = _validate_part(string, parts[0], "OS")
+        if not os:
+            raise ValueError(f'Invalid platform string "{string}": OS is empty')
+        arch = (
+            _validate_part(string, parts[1], "architecture") if len(parts) > 1 else None
+        )
+        if arch is not None and not arch:
+            raise ValueError(
+                f'Invalid platform string "{string}": architecture is empty'
+            )
+        variant = (
+            _validate_part(string, parts[2], "variant") if len(parts) > 2 else None
+        )
+        if variant is not None and not variant:
+            raise ValueError(f'Invalid platform string "{string}": variant is empty')
+        assert arch is not None  # otherwise variant would be None as well
+        arch, variant = _normalize_arch(arch, variant or "")
+        if len(parts) == 2 and arch == "arm" and variant == "v7":
+            variant = None
+        if len(parts) == 3 and arch == "arm64" and variant == "":
+            variant = "v8"
+        return cls(os=_normalize_os(os), arch=arch, variant=variant or None)
+
+    def __str__(self) -> str:
+        if self.variant:
+            assert (
+                self.os is not None and self.arch is not None
+            )  # ensured in constructor
+            parts: list[str] = [self.os, self.arch, self.variant]
+        elif self.os:
+            if self.arch:
+                parts = [self.os, self.arch]
+            else:
+                parts = [self.os]
+        elif self.arch is not None:
+            parts = [self.arch]
+        else:
+            parts = []
+        return "/".join(parts)
+
+    def __repr__(self) -> str:
+        return (
+            f"_Platform(os={self.os!r}, arch={self.arch!r}, variant={self.variant!r})"
+        )
+
+    def __eq__(self, other: object) -> bool:
+        if not isinstance(other, _Platform):
+            return NotImplemented
+        return (
+            self.os == other.os
+            and self.arch == other.arch
+            and self.variant == other.variant
+        )
+
+
+def normalize_platform_string(
+    string: str, daemon_os: str | None = None, daemon_arch: str | None = None
+) -> str:
+    return str(
+        _Platform.parse_platform_string(
+            string, daemon_os=daemon_os, daemon_arch=daemon_arch
+        )
+    )
+
+
+def compose_platform_string(
+    os: str | None = None,
+    arch: str | None = None,
+    variant: str | None = None,
+    daemon_os: str | None = None,
+    daemon_arch: str | None = None,
+) -> str:
+    if os is None and daemon_os is not None:
+        os = _normalize_os(daemon_os)
+    if arch is None and daemon_arch is not None:
+        arch, variant = _normalize_arch(daemon_arch, variant or "")
+        variant = variant or None
+    return str(_Platform(os=os, arch=arch, variant=variant or None))
+
+
+def compare_platform_strings(string1: str, string2: str) -> bool:
+    return _Platform.parse_platform_string(string1) == _Platform.parse_platform_string(
+        string2
+    )
diff --git a/ansible_collections/community/docker/plugins/module_utils/_scramble.py b/ansible_collections/community/docker/plugins/module_utils/_scramble.py
new file mode 100644
index 00000000..db05ecf8
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_scramble.py
@@ -0,0 +1,46 @@
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import base64
+import random
+
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+
+
+def generate_insecure_key() -> bytes:
+    """Do NOT use this for cryptographic purposes!"""
+    while True:
+        # Generate a one-byte key. Right now the functions below do not use more
+        # than one byte, so this is sufficient.
+        key = bytes([random.randint(0, 255)])
+        # Return anything that is not zero
+        if key != b"\x00":
+            return key
+
+
+def scramble(value: str, key: bytes) -> str:
+    """Do NOT use this for cryptographic purposes!"""
+    if len(key) < 1:
+        raise ValueError("Key must be at least one byte")
+    b_value = to_bytes(value)
+    k = key[0]
+    b_value = bytes([k ^ b for b in b_value])
+    return f"=S={to_text(base64.b64encode(b_value))}"
+
+
+def unscramble(value: str, key: bytes) -> str:
+    """Do NOT use this for cryptographic purposes!"""
+    if len(key) < 1:
+        raise ValueError("Key must be at least one byte")
+    if not value.startswith("=S="):
+        raise ValueError("Value does not start with indicator")
+    b_value = base64.b64decode(value[3:])
+    k = key[0]
+    b_value = bytes([k ^ b for b in b_value])
+    return to_text(b_value)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_socket_handler.py b/ansible_collections/community/docker/plugins/module_utils/_socket_handler.py
new file mode 100644
index 00000000..61a08f45
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_socket_handler.py
@@ -0,0 +1,240 @@
+# Copyright (c) 2019-2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import os
+import os.path
+import selectors
+import socket as pysocket
+import struct
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils import (
+    socket as docker_socket,
+)
+from ansible_collections.community.docker.plugins.module_utils._socket_helper import (
+    make_unblocking,
+    shutdown_writing,
+    write_to_socket,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+    from types import TracebackType
+
+    from ansible.module_utils.basic import AnsibleModule
+
+    from ansible_collections.community.docker.plugins.module_utils._socket_helper import (
+        SocketLike,
+    )
+
+
+PARAMIKO_POLL_TIMEOUT = 0.01  # 10 milliseconds
+
+
+def _empty_writer(msg: str) -> None:
+    pass
+
+
+class DockerSocketHandlerBase:
+    def __init__(
+        self, sock: SocketLike, log: Callable[[str], None] | None = None
+    ) -> None:
+        make_unblocking(sock)
+
+        self._log = log or _empty_writer
+        self._paramiko_read_workaround = hasattr(
+            sock, "send_ready"
+        ) and "paramiko" in str(type(sock))
+
+        self._sock = sock
+        self._block_done_callback: Callable[[int, bytes], None] | None = None
+        self._block_buffer: list[tuple[int, bytes]] = []
+        self._eof = False
+        self._read_buffer = b""
+        self._write_buffer = b""
+        self._end_of_writing = False
+
+        self._current_stream: int | None = None
+        self._current_missing = 0
+        self._current_buffer = b""
+
+        self._selector = selectors.DefaultSelector()
+        self._selector.register(self._sock, selectors.EVENT_READ)
+
+    def __enter__(self) -> t.Self:
+        return self
+
+    def __exit__(
+        self,
+        type_: type[BaseException] | None,
+        value: BaseException | None,
+        tb: TracebackType | None,
+    ) -> None:
+        self._selector.close()
+
+    def set_block_done_callback(
+        self, block_done_callback: Callable[[int, bytes], None]
+    ) -> None:
+        self._block_done_callback = block_done_callback
+        if self._block_done_callback is not None:
+            while self._block_buffer:
+                elt = self._block_buffer.pop(0)
+                self._block_done_callback(*elt)
+
+    def _add_block(self, stream_id: int, data: bytes) -> None:
+        if self._block_done_callback is not None:
+            self._block_done_callback(stream_id, data)
+        else:
+            self._block_buffer.append((stream_id, data))
+
+    def _read(self) -> None:
+        if self._eof:
+            return
+        data: bytes | None
+        if hasattr(self._sock, "recv"):
+            try:
+                data = self._sock.recv(262144)
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                # After calling self._sock.shutdown(), OpenSSL's/urllib3's
+                # WrappedSocket seems to eventually raise ZeroReturnError in
+                # case of EOF
+                if "OpenSSL.SSL.ZeroReturnError" in str(type(e)):
+                    self._eof = True
+                    return
+                raise
+        elif isinstance(self._sock, pysocket.SocketIO):  # type: ignore[unreachable]
+            data = self._sock.read()  # type: ignore
+        else:
+            data = os.read(self._sock.fileno())  # type: ignore  # TODO does this really work?!
+        if data is None:
+            # no data available
+            return  # type: ignore[unreachable]
+        self._log(f"read {len(data)} bytes")
+        if len(data) == 0:
+            # Stream EOF
+            self._eof = True
+            return
+        self._read_buffer += data
+        while len(self._read_buffer) > 0:
+            if self._current_missing > 0:
+                n = min(len(self._read_buffer), self._current_missing)
+                self._current_buffer += self._read_buffer[:n]
+                self._read_buffer = self._read_buffer[n:]
+                self._current_missing -= n
+                if self._current_missing == 0:
+                    assert self._current_stream is not None
+                    self._add_block(self._current_stream, self._current_buffer)
+                    self._current_buffer = b""
+            if len(self._read_buffer) < 8:
+                break
+            self._current_stream, self._current_missing = struct.unpack(
+                ">BxxxL", self._read_buffer[:8]
+            )
+            self._read_buffer = self._read_buffer[8:]
+            if self._current_missing < 0:
+                # Stream EOF (as reported by docker daemon)
+                self._eof = True
+                break
+
+    def _handle_end_of_writing(self) -> None:
+        if self._end_of_writing and len(self._write_buffer) == 0:
+            self._end_of_writing = False
+            self._log("Shutting socket down for writing")
+            shutdown_writing(self._sock, self._log)
+
+    def _write(self) -> None:
+        if len(self._write_buffer) > 0:
+            written = write_to_socket(self._sock, self._write_buffer)
+            self._write_buffer = self._write_buffer[written:]
+            self._log(f"wrote {written} bytes, {len(self._write_buffer)} are left")
+            if len(self._write_buffer) > 0:
+                self._selector.modify(
+                    self._sock, selectors.EVENT_READ | selectors.EVENT_WRITE
+                )
+            else:
+                self._selector.modify(self._sock, selectors.EVENT_READ)
+            self._handle_end_of_writing()
+
+    def select(
+        self, timeout: int | float | None = None, _internal_recursion: bool = False
+    ) -> bool:
+        if (
+            not _internal_recursion
+            and self._paramiko_read_workaround
+            and len(self._write_buffer) > 0
+        ):
+            # When the SSH transport is used, Docker SDK for Python internally uses Paramiko, whose
+            # Channel object supports select(), but only for reading
+            # (https://github.com/paramiko/paramiko/issues/695).
+            if self._sock.send_ready():  # type: ignore
+                self._write()
+                return True
+            while timeout is None or timeout > PARAMIKO_POLL_TIMEOUT:
+                result = int(
+                    self.select(PARAMIKO_POLL_TIMEOUT, _internal_recursion=True)
+                )
+                if self._sock.send_ready():  # type: ignore
+                    self._read()
+                    result += 1
+                if result > 0:
+                    return True
+                if timeout is not None:
+                    timeout -= PARAMIKO_POLL_TIMEOUT
+        self._log(f"select... ({timeout})")
+        events = self._selector.select(timeout)
+        for key, event in events:
+            if key.fileobj == self._sock:
+                ev_read = event & selectors.EVENT_READ != 0
+                ev_write = event & selectors.EVENT_WRITE != 0
+                self._log(f"select event read:{ev_read} write:{ev_write}")
+                if event & selectors.EVENT_READ != 0:
+                    self._read()
+                if event & selectors.EVENT_WRITE != 0:
+                    self._write()
+        result = len(events)
+        if self._paramiko_read_workaround and len(self._write_buffer) > 0 and self._sock.send_ready():  # type: ignore
+            self._write()
+            result += 1
+        return result > 0
+
+    def is_eof(self) -> bool:
+        return self._eof
+
+    def end_of_writing(self) -> None:
+        self._end_of_writing = True
+        self._handle_end_of_writing()
+
+    def consume(self) -> tuple[bytes, bytes]:
+        stdout = []
+        stderr = []
+
+        def append_block(stream_id: int, data: bytes) -> None:
+            if stream_id == docker_socket.STDOUT:
+                stdout.append(data)
+            elif stream_id == docker_socket.STDERR:
+                stderr.append(data)
+            else:
+                raise ValueError(f"{stream_id} is not a valid stream ID")
+
+        self.end_of_writing()
+
+        self.set_block_done_callback(append_block)
+        while not self._eof:
+            self.select()
+        return b"".join(stdout), b"".join(stderr)
+
+    def write(self, str_to_write: bytes) -> None:
+        self._write_buffer += str_to_write
+        if len(self._write_buffer) == len(str_to_write):
+            self._write()
+
+
+class DockerSocketHandlerModule(DockerSocketHandlerBase):
+    def __init__(self, sock: SocketLike, module: AnsibleModule) -> None:
+        super().__init__(sock, module.debug)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_socket_helper.py b/ansible_collections/community/docker/plugins/module_utils/_socket_helper.py
new file mode 100644
index 00000000..d9ecf31e
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_socket_helper.py
@@ -0,0 +1,79 @@
+# Copyright (c) 2019-2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import fcntl
+import os
+import os.path
+import socket as pysocket
+import typing as t
+from collections.abc import Callable
+
+if t.TYPE_CHECKING:
+    SocketLike = pysocket.socket
+
+
+def make_file_unblocking(file: SocketLike) -> None:
+    fcntl.fcntl(
+        file.fileno(),
+        fcntl.F_SETFL,
+        fcntl.fcntl(file.fileno(), fcntl.F_GETFL) | os.O_NONBLOCK,
+    )
+
+
+def make_file_blocking(file: SocketLike) -> None:
+    fcntl.fcntl(
+        file.fileno(),
+        fcntl.F_SETFL,
+        fcntl.fcntl(file.fileno(), fcntl.F_GETFL) & ~os.O_NONBLOCK,
+    )
+
+
+def make_unblocking(sock: SocketLike) -> None:
+    if hasattr(sock, "_sock"):
+        sock._sock.setblocking(0)
+    elif hasattr(sock, "setblocking"):
+        sock.setblocking(0)  # type: ignore  # TODO: CHECK!
+    else:
+        make_file_unblocking(sock)
+
+
+def _empty_writer(msg: str) -> None:
+    pass
+
+
+def shutdown_writing(
+    sock: SocketLike, log: Callable[[str], None] = _empty_writer
+) -> None:
+    # FIXME: This does **not work with SSLSocket**! Apparently SSLSocket does not allow to send
+    #        a close_notify TLS alert without completely shutting down the connection.
+    #        Calling sock.shutdown(pysocket.SHUT_WR) simply turns of TLS encryption and from that
+    #        point on the raw encrypted data is returned when sock.recv() is called. :-(
+    if hasattr(sock, "shutdown_write"):
+        sock.shutdown_write()
+    elif hasattr(sock, "shutdown"):
+        try:
+            sock.shutdown(pysocket.SHUT_WR)
+        except TypeError as e:
+            # probably: "TypeError: shutdown() takes 1 positional argument but 2 were given"
+            log(f"Shutting down for writing not possible; trying shutdown instead: {e}")
+            sock.shutdown()  # type: ignore
+    elif isinstance(sock, pysocket.SocketIO):  # type: ignore
+        sock._sock.shutdown(pysocket.SHUT_WR)  # type: ignore[unreachable]
+    else:
+        log("No idea how to signal end of writing")
+
+
+def write_to_socket(sock: SocketLike, data: bytes) -> int:
+    if hasattr(sock, "_send_until_done"):
+        # WrappedSocket (urllib3/contrib/pyopenssl) does not have `send`, but
+        # only `sendall`, which uses `_send_until_done` under the hood.
+        return sock._send_until_done(data)
+    if hasattr(sock, "send"):
+        return sock.send(data)
+    return os.write(sock.fileno(), data)
diff --git a/ansible_collections/community/docker/plugins/module_utils/_swarm.py b/ansible_collections/community/docker/plugins/module_utils/_swarm.py
new file mode 100644
index 00000000..ad643240
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_swarm.py
@@ -0,0 +1,312 @@
+# Copyright (c) 2019 Piotr Wojciechowski (@wojciechowskipiotr) <piotr@it-playground.pl>
+# Copyright (c) Thierry Bouvet (@tbouvet)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import json
+import typing as t
+from time import sleep
+
+try:
+    from docker.errors import APIError, NotFound
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    AnsibleDockerClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+
+class AnsibleDockerSwarmClient(AnsibleDockerClient):
+    def get_swarm_node_id(self) -> str | None:
+        """
+        Get the 'NodeID' of the Swarm node or 'None' if host is not in Swarm. It returns the NodeID
+        of Docker host the module is executed on
+        :return:
+            NodeID of host or 'None' if not part of Swarm
+        """
+
+        try:
+            info = self.info()
+        except APIError as exc:
+            self.fail(f"Failed to get node information for {exc}")
+
+        if info:
+            json_str = json.dumps(info, ensure_ascii=False)
+            swarm_info = json.loads(json_str)
+            if swarm_info["Swarm"]["NodeID"]:
+                return swarm_info["Swarm"]["NodeID"]
+        return None
+
+    def check_if_swarm_node(self, node_id: str | None = None) -> bool | None:
+        """
+        Checking if host is part of Docker Swarm. If 'node_id' is not provided it reads the Docker host
+        system information looking if specific key in output exists. If 'node_id' is provided then it tries to
+        read node information assuming it is run on Swarm manager. The get_node_inspect() method handles exception if
+        it is not executed on Swarm manager
+
+        :param node_id: Node identifier
+        :return:
+            bool: True if node is part of Swarm, False otherwise
+        """
+
+        if node_id is None:
+            try:
+                info = self.info()
+            except APIError:
+                self.fail("Failed to get host information.")
+
+            if info:
+                json_str = json.dumps(info, ensure_ascii=False)
+                swarm_info = json.loads(json_str)
+                if swarm_info["Swarm"]["NodeID"]:
+                    return True
+                return swarm_info["Swarm"]["LocalNodeState"] in (
+                    "active",
+                    "pending",
+                    "locked",
+                )
+            return False
+        try:
+            node_info = self.get_node_inspect(node_id=node_id)
+        except APIError:
+            return None
+
+        return node_info["ID"] is not None
+
+    def check_if_swarm_manager(self) -> bool:
+        """
+        Checks if node role is set as Manager in Swarm. The node is the docker host on which module action
+        is performed. The inspect_swarm() will fail if node is not a manager
+
+        :return: True if node is Swarm Manager, False otherwise
+        """
+
+        try:
+            self.inspect_swarm()
+            return True
+        except APIError:
+            return False
+
+    def fail_task_if_not_swarm_manager(self) -> None:
+        """
+        If host is not a swarm manager then Ansible task on this host should end with 'failed' state
+        """
+        if not self.check_if_swarm_manager():
+            self.fail(
+                "Error running docker swarm module: must run on swarm manager node"
+            )
+
+    def check_if_swarm_worker(self) -> bool:
+        """
+        Checks if node role is set as Worker in Swarm. The node is the docker host on which module action
+        is performed. Will fail if run on host that is not part of Swarm via check_if_swarm_node()
+
+        :return: True if node is Swarm Worker, False otherwise
+        """
+
+        return bool(self.check_if_swarm_node() and not self.check_if_swarm_manager())
+
+    def check_if_swarm_node_is_down(
+        self, node_id: str | None = None, repeat_check: int = 1
+    ) -> bool:
+        """
+        Checks if node status on Swarm manager is 'down'. If node_id is provided it query manager about
+        node specified in parameter, otherwise it query manager itself. If run on Swarm Worker node or
+        host that is not part of Swarm it will fail the playbook
+
+        :param repeat_check: number of check attempts with 5 seconds delay between them, by default check only once
+        :param node_id: node ID or name, if None then method will try to get node_id of host module run on
+        :return:
+            True if node is part of swarm but its state is down, False otherwise
+        """
+
+        repeat_check = max(1, repeat_check)
+
+        if node_id is None:
+            node_id = self.get_swarm_node_id()
+
+        for retry in range(0, repeat_check):
+            if retry > 0:
+                sleep(5)
+            node_info = self.get_node_inspect(node_id=node_id)
+            if node_info["Status"]["State"] == "down":
+                return True
+        return False
+
+    @t.overload
+    def get_node_inspect(
+        self, node_id: str | None = None, skip_missing: t.Literal[False] = False
+    ) -> dict[str, t.Any]: ...
+
+    @t.overload
+    def get_node_inspect(
+        self, node_id: str | None = None, skip_missing: bool = False
+    ) -> dict[str, t.Any] | None: ...
+
+    def get_node_inspect(
+        self, node_id: str | None = None, skip_missing: bool = False
+    ) -> dict[str, t.Any] | None:
+        """
+        Returns Swarm node info as in 'docker node inspect' command about single node
+
+        :param skip_missing: if True then function will return None instead of failing the task
+        :param node_id: node ID or name, if None then method will try to get node_id of host module run on
+        :return:
+            Single node information structure
+        """
+
+        if node_id is None:
+            node_id = self.get_swarm_node_id()
+
+        if node_id is None:
+            self.fail("Failed to get node information.")
+
+        try:
+            node_info = self.inspect_node(node_id=node_id)
+        except APIError as exc:
+            if exc.status_code == 503:
+                self.fail(
+                    "Cannot inspect node: To inspect node execute module on Swarm Manager"
+                )
+            if exc.status_code == 404 and skip_missing:
+                return None
+            self.fail(f"Error while reading from Swarm manager: {exc}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error inspecting swarm node: {exc}")
+
+        json_str = json.dumps(node_info, ensure_ascii=False)
+        node_info = json.loads(json_str)
+
+        if "ManagerStatus" in node_info and node_info["ManagerStatus"].get("Leader"):
+            # This is workaround of bug in Docker when in some cases the Leader IP is 0.0.0.0
+            # Check moby/moby#35437 for details
+            count_colons = node_info["ManagerStatus"]["Addr"].count(":")
+            if count_colons == 1:
+                swarm_leader_ip = (
+                    node_info["ManagerStatus"]["Addr"].split(":", 1)[0]
+                    or node_info["Status"]["Addr"]
+                )
+            else:
+                swarm_leader_ip = node_info["Status"]["Addr"]
+            node_info["Status"]["Addr"] = swarm_leader_ip
+        return node_info
+
+    def get_all_nodes_inspect(self) -> list[dict[str, t.Any]]:
+        """
+        Returns Swarm node info as in 'docker node inspect' command about all registered nodes
+
+        :return:
+            Structure with information about all nodes
+        """
+        try:
+            node_info = self.nodes()
+        except APIError as exc:
+            if exc.status_code == 503:
+                self.fail(
+                    "Cannot inspect node: To inspect node execute module on Swarm Manager"
+                )
+            self.fail(f"Error while reading from Swarm manager: {exc}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error inspecting swarm node: {exc}")
+
+        json_str = json.dumps(node_info, ensure_ascii=False)
+        node_info = json.loads(json_str)
+        return node_info
+
+    @t.overload
+    def get_all_nodes_list(self, output: t.Literal["short"] = "short") -> list[str]: ...
+
+    @t.overload
+    def get_all_nodes_list(
+        self, output: t.Literal["long"]
+    ) -> list[dict[str, t.Any]]: ...
+
+    def get_all_nodes_list(
+        self, output: t.Literal["short", "long"] = "short"
+    ) -> list[str] | list[dict[str, t.Any]]:
+        """
+        Returns list of nodes registered in Swarm
+
+        :param output: Defines format of returned data
+        :return:
+            If 'output' is 'short' then return data is list of nodes hostnames registered in Swarm,
+            if 'output' is 'long' then returns data is list of dict containing the attributes as in
+            output of command 'docker node ls'
+        """
+        nodes_inspect = self.get_all_nodes_inspect()
+
+        if output == "short":
+            nodes_list = []
+            for node in nodes_inspect:
+                nodes_list.append(node["Description"]["Hostname"])
+            return nodes_list
+        if output == "long":
+            nodes_info_list = []
+            for node in nodes_inspect:
+                node_property: dict[str, t.Any] = {}
+
+                node_property["ID"] = node["ID"]
+                node_property["Hostname"] = node["Description"]["Hostname"]
+                node_property["Status"] = node["Status"]["State"]
+                node_property["Availability"] = node["Spec"]["Availability"]
+                if "ManagerStatus" in node:
+                    if node["ManagerStatus"]["Leader"] is True:
+                        node_property["Leader"] = True
+                    node_property["ManagerStatus"] = node["ManagerStatus"][
+                        "Reachability"
+                    ]
+                node_property["EngineVersion"] = node["Description"]["Engine"][
+                    "EngineVersion"
+                ]
+
+                nodes_info_list.append(node_property)
+            return nodes_info_list
+
+    def get_node_name_by_id(self, nodeid: str) -> str:
+        return self.get_node_inspect(nodeid)["Description"]["Hostname"]
+
+    def get_unlock_key(self) -> dict[str, t.Any] | None:
+        if self.docker_py_version < LooseVersion("2.7.0"):
+            return None
+        return super().get_unlock_key()
+
+    def get_service_inspect(
+        self, service_id: str, skip_missing: bool = False
+    ) -> dict[str, t.Any] | None:
+        """
+        Returns Swarm service info as in 'docker service inspect' command about single service
+
+        :param service_id: service ID or name
+        :param skip_missing: if True then function will return None instead of failing the task
+        :return:
+            Single service information structure
+        """
+        try:
+            service_info = self.inspect_service(service_id)
+        except NotFound as exc:
+            if skip_missing is False:
+                self.fail(f"Error while reading from Swarm manager: {exc}")
+            else:
+                return None
+        except APIError as exc:
+            if exc.status_code == 503:
+                self.fail(
+                    "Cannot inspect service: To inspect service execute module on Swarm Manager"
+                )
+            self.fail(f"Error inspecting swarm service: {exc}")
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error inspecting swarm service: {exc}")
+
+        json_str = json.dumps(service_info, ensure_ascii=False)
+        service_info = json.loads(json_str)
+        return service_info
diff --git a/ansible_collections/community/docker/plugins/module_utils/_util.py b/ansible_collections/community/docker/plugins/module_utils/_util.py
new file mode 100644
index 00000000..1376bc0a
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_util.py
@@ -0,0 +1,551 @@
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import ipaddress
+import json
+import re
+import typing as t
+from datetime import timedelta
+from urllib.parse import urlparse
+
+from ansible.module_utils.basic import env_fallback
+from ansible.module_utils.common.collections import is_sequence
+from ansible.module_utils.common.text.converters import to_text
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+    from ansible.module_utils.basic import AnsibleModule
+
+    from ._common import AnsibleDockerClientBase as CADCB
+    from ._common_api import AnsibleDockerClientBase as CAPIADCB
+    from ._common_cli import AnsibleDockerClientBase as CCLIADCB
+
+    Client = t.Union[CADCB, CAPIADCB, CCLIADCB]  # noqa: UP007
+
+
+DEFAULT_DOCKER_HOST = "unix:///var/run/docker.sock"
+DEFAULT_TLS = False
+DEFAULT_TLS_VERIFY = False
+DEFAULT_TLS_HOSTNAME = "localhost"  # deprecated
+DEFAULT_TIMEOUT_SECONDS = 60
+
+DOCKER_COMMON_ARGS = {
+    "docker_host": {
+        "type": "str",
+        "default": DEFAULT_DOCKER_HOST,
+        "fallback": (env_fallback, ["DOCKER_HOST"]),
+        "aliases": ["docker_url"],
+    },
+    "tls_hostname": {
+        "type": "str",
+        "fallback": (env_fallback, ["DOCKER_TLS_HOSTNAME"]),
+    },
+    "api_version": {
+        "type": "str",
+        "default": "auto",
+        "fallback": (env_fallback, ["DOCKER_API_VERSION"]),
+        "aliases": ["docker_api_version"],
+    },
+    "timeout": {
+        "type": "int",
+        "default": DEFAULT_TIMEOUT_SECONDS,
+        "fallback": (env_fallback, ["DOCKER_TIMEOUT"]),
+    },
+    "ca_path": {"type": "path", "aliases": ["ca_cert", "tls_ca_cert", "cacert_path"]},
+    "client_cert": {"type": "path", "aliases": ["tls_client_cert", "cert_path"]},
+    "client_key": {"type": "path", "aliases": ["tls_client_key", "key_path"]},
+    "tls": {
+        "type": "bool",
+        "default": DEFAULT_TLS,
+        "fallback": (env_fallback, ["DOCKER_TLS"]),
+    },
+    "use_ssh_client": {"type": "bool", "default": False},
+    "validate_certs": {
+        "type": "bool",
+        "default": DEFAULT_TLS_VERIFY,
+        "fallback": (env_fallback, ["DOCKER_TLS_VERIFY"]),
+        "aliases": ["tls_verify"],
+    },
+    "debug": {"type": "bool", "default": False},
+}
+
+DOCKER_COMMON_ARGS_VARS = {
+    option_name: f"ansible_docker_{option_name}"
+    for option_name in DOCKER_COMMON_ARGS
+    if option_name != "debug"
+}
+
+DOCKER_MUTUALLY_EXCLUSIVE: list[tuple[str, ...] | list[str]] = []
+
+DOCKER_REQUIRED_TOGETHER: list[tuple[str, ...] | list[str]] = [
+    ["client_cert", "client_key"]
+]
+
+DEFAULT_DOCKER_REGISTRY = "https://index.docker.io/v1/"
+BYTE_SUFFIXES = ["B", "KB", "MB", "GB", "TB", "PB"]
+
+
+def is_image_name_id(name: str) -> bool:
+    """Check whether the given image name is in fact an image ID (hash)."""
+    return bool(re.match("^sha256:[0-9a-fA-F]{64}$", name))
+
+
+def is_valid_tag(tag: str, allow_empty: bool = False) -> bool:
+    """Check whether the given string is a valid docker tag name."""
+    if not tag:
+        return allow_empty
+    # See here ("Extended description") for a definition what tags can be:
+    # https://docs.docker.com/engine/reference/commandline/tag/
+    return bool(re.match("^[a-zA-Z0-9_][a-zA-Z0-9_.-]{0,127}$", tag))
+
+
+def sanitize_result(data: t.Any) -> t.Any:
+    """Sanitize data object for return to Ansible.
+
+    When the data object contains types such as docker.types.containers.HostConfig,
+    Ansible will fail when these are returned via exit_json or fail_json.
+    HostConfig is derived from dict, but its constructor requires additional
+    arguments. This function sanitizes data structures by recursively converting
+    everything derived from dict to dict and everything derived from list (and tuple)
+    to a list.
+    """
+    if isinstance(data, dict):
+        return dict((k, sanitize_result(v)) for k, v in data.items())
+    if isinstance(data, (list, tuple)):
+        return [sanitize_result(v) for v in data]
+    return data
+
+
+def log_debug(msg: t.Any, pretty_print: bool = False) -> None:
+    """Write a log message to docker.log.
+
+    If ``pretty_print=True``, the message will be pretty-printed as JSON.
+    """
+    with open("docker.log", "at", encoding="utf-8") as log_file:
+        if pretty_print:
+            log_file.write(
+                json.dumps(msg, sort_keys=True, indent=4, separators=(",", ": "))
+            )
+            log_file.write("\n")
+        else:
+            log_file.write(f"{msg}\n")
+
+
+class DockerBaseClass:
+    def __init__(self) -> None:
+        self.debug = False
+
+    def log(self, msg: t.Any, pretty_print: bool = False) -> None:
+        pass
+        # if self.debug:
+        #     log_debug(msg, pretty_print=pretty_print)
+
+
+def update_tls_hostname(
+    result: dict[str, t.Any],
+    old_behavior: bool = False,
+    deprecate_function: Callable[[str], None] | None = None,
+    uses_tls: bool = True,
+) -> None:
+    if result["tls_hostname"] is None:
+        # get default machine name from the url
+        parsed_url = urlparse(result["docker_host"])
+        result["tls_hostname"] = parsed_url.netloc.rsplit(":", 1)[0]
+
+
+def compare_dict_allow_more_present(av: dict, bv: dict) -> bool:
+    """
+    Compare two dictionaries for whether every entry of the first is in the second.
+    """
+    for key, value in av.items():
+        if key not in bv:
+            return False
+        if bv[key] != value:
+            return False
+    return True
+
+
+def compare_generic(
+    a: t.Any,
+    b: t.Any,
+    method: t.Literal["ignore", "strict", "allow_more_present"],
+    datatype: t.Literal["value", "list", "set", "set(dict)", "dict"],
+) -> bool:
+    """
+    Compare values a and b as described by method and datatype.
+
+    Returns ``True`` if the values compare equal, and ``False`` if not.
+
+    ``a`` is usually the module's parameter, while ``b`` is a property
+    of the current object. ``a`` must not be ``None`` (except for
+    ``datatype == 'value'``).
+
+    Valid values for ``method`` are:
+    - ``ignore`` (always compare as equal);
+    - ``strict`` (only compare if really equal)
+    - ``allow_more_present`` (allow b to have elements which a does not have).
+
+    Valid values for ``datatype`` are:
+    - ``value``: for simple values (strings, numbers, ...);
+    - ``list``: for ``list``s or ``tuple``s where order matters;
+    - ``set``: for ``list``s, ``tuple``s or ``set``s where order does not
+      matter;
+    - ``set(dict)``: for ``list``s, ``tuple``s or ``sets`` where order does
+      not matter and which contain ``dict``s; ``allow_more_present`` is used
+      for the ``dict``s, and these are assumed to be dictionaries of values;
+    - ``dict``: for dictionaries of values.
+    """
+    if method == "ignore":
+        return True
+    # If a or b is None:
+    if a is None or b is None:
+        # If both are None: equality
+        if a == b:
+            return True
+        # Otherwise, not equal for values, and equal
+        # if the other is empty for set/list/dict
+        if datatype == "value":
+            return False
+        # For allow_more_present, allow a to be None
+        if method == "allow_more_present" and a is None:
+            return True
+        # Otherwise, the iterable object which is not None must have length 0
+        return len(b if a is None else a) == 0
+    # Do proper comparison (both objects not None)
+    if datatype == "value":
+        return a == b
+    if datatype == "list":
+        if method == "strict":
+            return a == b
+        i = 0
+        for v in a:
+            while i < len(b) and b[i] != v:
+                i += 1
+            if i == len(b):
+                return False
+            i += 1
+        return True
+    if datatype == "dict":
+        if method == "strict":
+            return a == b
+        return compare_dict_allow_more_present(a, b)
+    if datatype == "set":
+        set_a = set(a)
+        set_b = set(b)
+        if method == "strict":
+            return set_a == set_b
+        return set_b >= set_a
+    if datatype == "set(dict)":
+        for av in a:
+            found = False
+            for bv in b:
+                if compare_dict_allow_more_present(av, bv):
+                    found = True
+                    break
+            if not found:
+                return False
+        if method == "strict":
+            # If we would know that both a and b do not contain duplicates,
+            # we could simply compare len(a) to len(b) to finish this test.
+            # We can assume that b has no duplicates (as it is returned by
+            # docker), but we do not know for a.
+            for bv in b:
+                found = False
+                for av in a:
+                    if compare_dict_allow_more_present(av, bv):
+                        found = True
+                        break
+                if not found:
+                    return False
+        return True
+
+
+class DifferenceTracker:
+    def __init__(self) -> None:
+        self._diff: list[dict[str, t.Any]] = []
+
+    def add(self, name: str, parameter: t.Any = None, active: t.Any = None) -> None:
+        self._diff.append(
+            {
+                "name": name,
+                "parameter": parameter,
+                "active": active,
+            }
+        )
+
+    def merge(self, other_tracker: DifferenceTracker) -> None:
+        self._diff.extend(other_tracker._diff)
+
+    @property
+    def empty(self) -> bool:
+        return len(self._diff) == 0
+
+    def get_before_after(self) -> tuple[dict[str, t.Any], dict[str, t.Any]]:
+        """
+        Return texts ``before`` and ``after``.
+        """
+        before = {}
+        after = {}
+        for item in self._diff:
+            before[item["name"]] = item["active"]
+            after[item["name"]] = item["parameter"]
+        return before, after
+
+    def has_difference_for(self, name: str) -> bool:
+        """
+        Returns a boolean if a difference exists for name
+        """
+        return any(diff for diff in self._diff if diff["name"] == name)
+
+    def get_legacy_docker_container_diffs(self) -> list[dict[str, t.Any]]:
+        """
+        Return differences in the docker_container legacy format.
+        """
+        result = []
+        for entry in self._diff:
+            item = {}
+            item[entry["name"]] = {
+                "parameter": entry["parameter"],
+                "container": entry["active"],
+            }
+            result.append(item)
+        return result
+
+    def get_legacy_docker_diffs(self) -> list[str]:
+        """
+        Return differences in the docker_container legacy format.
+        """
+        result = [entry["name"] for entry in self._diff]
+        return result
+
+
+def sanitize_labels(
+    labels: dict[str, t.Any] | None,
+    labels_field: str,
+    client: Client | None = None,
+    module: AnsibleModule | None = None,
+) -> None:
+    def fail(msg: str) -> t.NoReturn:
+        if client is not None:
+            client.fail(msg)
+        if module is not None:
+            module.fail_json(msg=msg)
+        raise ValueError(msg)
+
+    if labels is None:
+        return
+    for k, v in list(labels.items()):
+        if not isinstance(k, str):
+            fail(f"The key {k!r} of {labels_field} is not a string!")
+        if isinstance(v, (bool, float)):
+            fail(
+                f"The value {v!r} for {k!r} of {labels_field} is not a string or something than can be safely converted to a string!"
+            )
+        labels[k] = to_text(v)
+
+
+@t.overload
+def clean_dict_booleans_for_docker_api(
+    data: dict[str, t.Any], *, allow_sequences: t.Literal[False] = False
+) -> dict[str, str]: ...
+
+
+@t.overload
+def clean_dict_booleans_for_docker_api(
+    data: dict[str, t.Any], *, allow_sequences: bool
+) -> dict[str, str | list[str]]: ...
+
+
+def clean_dict_booleans_for_docker_api(
+    data: dict[str, t.Any] | None, *, allow_sequences: bool = False
+) -> dict[str, str] | dict[str, str | list[str]]:
+    """
+    Go does not like Python booleans 'True' or 'False', while Ansible is just
+    fine with them in YAML. As such, they need to be converted in cases where
+    we pass dictionaries to the Docker API (e.g. docker_network's
+    driver_options and docker_prune's filters). When `allow_sequences=True`
+    YAML sequences (lists, tuples) are converted to [str] instead of str([...])
+    which is the expected format of filters which accept lists such as labels.
+    """
+
+    def sanitize(value: t.Any) -> str:
+        if value is True:
+            return "true"
+        if value is False:
+            return "false"
+        return str(value)
+
+    result = {}
+    if data is not None:
+        for k, v in data.items():
+            result[str(k)] = (
+                [sanitize(e) for e in v]
+                if allow_sequences and is_sequence(v)
+                else sanitize(v)
+            )
+    return result
+
+
+def convert_duration_to_nanosecond(time_str: str) -> int:
+    """
+    Return time duration in nanosecond.
+    """
+    if not isinstance(time_str, str):
+        raise ValueError(f"Missing unit in duration - {time_str}")
+
+    regex = re.compile(
+        r"^(((?P<hours>\d+)h)?"
+        r"((?P<minutes>\d+)m(?!s))?"
+        r"((?P<seconds>\d+)s)?"
+        r"((?P<milliseconds>\d+)ms)?"
+        r"((?P<microseconds>\d+)us)?)$"
+    )
+    parts = regex.match(time_str)
+
+    if not parts:
+        raise ValueError(f"Invalid time duration - {time_str}")
+
+    parts_dict = parts.groupdict()
+    time_params = {}
+    for name, value in parts_dict.items():
+        if value:
+            time_params[name] = int(value)
+
+    delta = timedelta(**time_params)
+    time_in_nanoseconds = (
+        delta.microseconds + (delta.seconds + delta.days * 24 * 3600) * 10**6
+    ) * 10**3
+
+    return time_in_nanoseconds
+
+
+def normalize_healthcheck_test(test: t.Any) -> list[str]:
+    if isinstance(test, (tuple, list)):
+        return [str(e) for e in test]
+    return ["CMD-SHELL", str(test)]
+
+
+def normalize_healthcheck(
+    healthcheck: dict[str, t.Any], normalize_test: bool = False
+) -> dict[str, t.Any]:
+    """
+    Return dictionary of healthcheck parameters.
+    """
+    result = {}
+
+    # All supported healthcheck parameters
+    options = (
+        "test",
+        "test_cli_compatible",
+        "interval",
+        "timeout",
+        "start_period",
+        "start_interval",
+        "retries",
+    )
+
+    duration_options = ("interval", "timeout", "start_period", "start_interval")
+
+    for key in options:
+        if key in healthcheck:
+            value = healthcheck[key]
+            if value is None:
+                # due to recursive argument_spec, all keys are always present
+                # (but have default value None if not specified)
+                continue
+            if key in duration_options:
+                value = convert_duration_to_nanosecond(value)
+            if not value and not (
+                healthcheck.get("test_cli_compatible") and key == "test"
+            ):
+                continue
+            if key == "retries":
+                try:
+                    value = int(value)
+                except ValueError as exc:
+                    raise ValueError(
+                        f'Cannot parse number of retries for healthcheck. Expected an integer, got "{value}".'
+                    ) from exc
+            if key == "test" and value and normalize_test:
+                value = normalize_healthcheck_test(value)
+            result[key] = value
+
+    return result
+
+
+def parse_healthcheck(
+    healthcheck: dict[str, t.Any] | None,
+) -> tuple[dict[str, t.Any] | None, bool | None]:
+    """
+    Return dictionary of healthcheck parameters and boolean if
+    healthcheck defined in image was requested to be disabled.
+    """
+    if (not healthcheck) or (not healthcheck.get("test")):
+        return None, None
+
+    result = normalize_healthcheck(healthcheck, normalize_test=True)
+
+    if result["test"] == ["NONE"]:
+        # If the user explicitly disables the healthcheck, return None
+        # as the healthcheck object, and set disable_healthcheck to True
+        return None, True
+
+    return result, False
+
+
+def omit_none_from_dict(d: dict[str, t.Any]) -> dict[str, t.Any]:
+    """
+    Return a copy of the dictionary with all keys with value None omitted.
+    """
+    return {k: v for (k, v) in d.items() if v is not None}
+
+
+@t.overload
+def normalize_ip_address(ip_address: str) -> str: ...
+
+
+@t.overload
+def normalize_ip_address(ip_address: str | None) -> str | None: ...
+
+
+def normalize_ip_address(ip_address: str | None) -> str | None:
+    """
+    Given an IP address as a string, normalize it so that it can be
+    used to compare IP addresses as strings.
+    """
+    if ip_address is None:
+        return None
+    try:
+        return ipaddress.ip_address(ip_address).compressed
+    except ValueError:
+        # Fallback for invalid addresses: simply return the input
+        return ip_address
+
+
+@t.overload
+def normalize_ip_network(network: str) -> str: ...
+
+
+@t.overload
+def normalize_ip_network(network: str | None) -> str | None: ...
+
+
+def normalize_ip_network(network: str | None) -> str | None:
+    """
+    Given a network in CIDR notation as a string, normalize it so that it can be
+    used to compare networks as strings.
+    """
+    if network is None:
+        return None
+    try:
+        return ipaddress.ip_network(network).compressed
+    except ValueError:
+        # Fallback for invalid networks: simply return the input
+        return network
diff --git a/ansible_collections/community/docker/plugins/module_utils/_version.py b/ansible_collections/community/docker/plugins/module_utils/_version.py
new file mode 100644
index 00000000..2cb96615
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/module_utils/_version.py
@@ -0,0 +1,15 @@
+# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+"""Provide version object to compare version numbers."""
+
+from __future__ import annotations
+
+from ansible.module_utils.compat.version import (  # noqa: F401, pylint: disable=unused-import
+    LooseVersion,
+    StrictVersion,
+)
diff --git a/ansible_collections/community/docker/plugins/modules/current_container_facts.py b/ansible_collections/community/docker/plugins/modules/current_container_facts.py
new file mode 100644
index 00000000..77ff3053
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/current_container_facts.py
@@ -0,0 +1,148 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2020 Matt Clay <mclay@redhat.com>
+# Copyright (c) 2020 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: current_container_facts
+short_description: Return facts about whether the module runs in a container
+version_added: 1.1.0
+description:
+  - Return facts about whether the module runs in a Docker or podman container.
+  - This module attempts a best-effort detection. There might be special cases where it does not work; if you encounter one,
+    make sure that this is still a problem with the latest community.docker release, and if it is,
+    L(please file an issue, https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&template=bug_report.md).
+author:
+  - Felix Fontein (@felixfontein)
+extends_documentation_fragment:
+  - community.docker._attributes
+  - community.docker._attributes.facts
+  - community.docker._attributes.facts_module
+  - community.docker._attributes.idempotent_not_modify_state
+"""
+
+EXAMPLES = r"""
+---
+- name: Get facts on current container
+  community.docker.current_container_facts:
+
+- name: Print information on current container when running in a container
+  ansible.builtin.debug:
+    msg: "Container ID is {{ ansible_module_container_id }}"
+  when: ansible_module_running_in_container
+"""
+
+RETURN = r"""
+ansible_facts:
+  description: Ansible facts returned by the module.
+  type: dict
+  returned: always
+  contains:
+    ansible_module_running_in_container:
+      description:
+        - Whether the module was able to detect that it runs in a container or not.
+      returned: always
+      type: bool
+    ansible_module_container_id:
+      description:
+        - The detected container ID.
+        - Contains an empty string if no container was detected.
+      returned: always
+      type: str
+    ansible_module_container_type:
+      description:
+        - The detected container environment.
+        - Contains an empty string if no container was detected, or a non-empty string identifying the container environment.
+        - V(docker) indicates that the module ran inside a regular Docker container.
+        - V(azure_pipelines) indicates that the module ran on Azure Pipelines. This seems to no longer be reported.
+        - V(github_actions) indicates that the module ran inside a Docker container on GitHub Actions. It is supported since
+          community.docker 2.4.0.
+        - V(podman) indicates that the module ran inside a regular Podman container. It is supported since community.docker
+          3.3.0.
+      returned: always
+      type: str
+      choices:
+        - ''
+        - docker
+        - azure_pipelines
+        - github_actions
+        - podman
+"""
+
+import os
+import re
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main() -> None:
+    module = AnsibleModule({}, supports_check_mode=True)
+
+    cpuset_path = "/proc/self/cpuset"
+    mountinfo_path = "/proc/self/mountinfo"
+
+    container_id = ""
+    container_type = ""
+
+    contents = None
+    if os.path.exists(cpuset_path):
+        # File content varies based on the environment:
+        #   No Container: /
+        #   Docker: /docker/c86f3732b5ba3d28bb83b6e14af767ab96abbc52de31313dcb1176a62d91a507
+        #   Azure Pipelines (Docker): /azpl_job/0f2edfed602dd6ec9f2e42c867f4d5ee640ebf4c058e6d3196d4393bb8fd0891
+        #   Podman: /../../../../../..
+        # While this was true and worked well for a long time, this seems to be no longer accurate
+        # with newer Docker / Podman versions and/or with cgroupv2. That's why the /proc/self/mountinfo
+        # detection further down is done when this test is inconclusive.
+        with open(cpuset_path, "rb") as f:
+            contents = f.read().decode("utf-8")
+
+        cgroup_path, cgroup_name = os.path.split(contents.strip())
+
+        if cgroup_path == "/docker":
+            container_id = cgroup_name
+            container_type = "docker"
+
+        if cgroup_path == "/azpl_job":
+            container_id = cgroup_name
+            container_type = "azure_pipelines"
+
+        if cgroup_path == "/actions_job":
+            container_id = cgroup_name
+            container_type = "github_actions"
+
+    if not container_id and os.path.exists(mountinfo_path):
+        with open(mountinfo_path, "rb") as f:
+            contents = f.read().decode("utf-8")
+
+        # As to why this works, see the explanations by Matt Clay in
+        # https://github.com/ansible/ansible/blob/80d2f8da02052f64396da6b8caaf820eedbf18e2/test/lib/ansible_test/_internal/docker_util.py#L571-L610
+
+        for line in contents.splitlines():
+            parts = line.split()
+            if len(parts) >= 5 and parts[4] == "/etc/hostname":
+                m = re.match(".*/([a-f0-9]{64})/hostname$", parts[3])
+                if m:
+                    container_id = m.group(1)
+                    container_type = "docker"
+
+                m = re.match(".*/([a-f0-9]{64})/userdata/hostname$", parts[3])
+                if m:
+                    container_id = m.group(1)
+                    container_type = "podman"
+
+    module.exit_json(
+        ansible_facts={
+            "ansible_module_running_in_container": container_id != "",
+            "ansible_module_container_id": container_id,
+            "ansible_module_container_type": container_type,
+        }
+    )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_compose_v2.py b/ansible_collections/community/docker/plugins/modules/docker_compose_v2.py
new file mode 100644
index 00000000..afa01715
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_compose_v2.py
@@ -0,0 +1,748 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# Copyright (c) 2023, Léo El Amri (@lel-amri)
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_compose_v2
+
+short_description: Manage multi-container Docker applications with Docker Compose CLI plugin
+
+version_added: 3.6.0
+
+description:
+  - Uses Docker Compose to start or shutdown services.
+extends_documentation_fragment:
+  - community.docker._compose_v2
+  - community.docker._compose_v2.minimum_version
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+    details:
+      - In check mode, pulling the image does not result in a changed result.
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - If O(state=restarted) or O(recreate=always) the module is not idempotent.
+
+options:
+  state:
+    description:
+      - Desired state of the project.
+      - V(present) is equivalent to running C(docker compose up).
+      - V(stopped) is equivalent to running C(docker compose stop).
+      - V(absent) is equivalent to running C(docker compose down).
+      - V(restarted) is equivalent to running C(docker compose restart).
+    type: str
+    default: present
+    choices:
+      - absent
+      - stopped
+      - restarted
+      - present
+  pull:
+    description:
+      - Whether to pull images before running. This is used when C(docker compose up) is run.
+      - V(always) ensures that the images are always pulled, even when already present on the Docker daemon.
+      - V(missing) only pulls them when they are not present on the Docker daemon.
+      - V(never) never pulls images. If they are not present, the module will fail when trying to create the containers that
+        need them.
+      - V(policy) use the Compose file's C(pull_policy) defined for the service to figure out what to do.
+    type: str
+    choices:
+      - always
+      - missing
+      - never
+      - policy
+    default: policy
+  build:
+    description:
+      - Whether to build images before starting containers. This is used when C(docker compose up) is run.
+      - V(always) always builds before starting containers. This is equivalent to the C(--build) option of C(docker compose
+        up).
+      - V(never) never builds before starting containers. This is equivalent to the C(--no-build) option of C(docker compose
+        up).
+      - V(policy) uses the policy as defined in the Compose file.
+    type: str
+    choices:
+      - always
+      - never
+      - policy
+    default: policy
+  dependencies:
+    description:
+      - When O(state) is V(present) or V(restarted), specify whether or not to include linked services.
+    type: bool
+    default: true
+  ignore_build_events:
+    description:
+      - Ignores image building events for change detection.
+      - If O(state=present) and O(ignore_build_events=true) and O(build=always), a rebuild that does not trigger a container
+        restart no longer results in RV(ignore:changed=true).
+      - Note that Docker Compose 2.31.0 is the first Compose 2.x version to emit build events. For older versions, the behavior
+        is always as if O(ignore_build_events=true).
+    type: bool
+    default: true
+    version_added: 4.2.0
+  recreate:
+    description:
+      - By default containers will be recreated when their configuration differs from the service definition.
+      - Setting to V(never) ignores configuration differences and leaves existing containers unchanged.
+      - Setting to V(always) forces recreation of all existing containers.
+    type: str
+    default: auto
+    choices:
+      - always
+      - never
+      - auto
+  renew_anon_volumes:
+    description:
+      - Whether to recreate instead of reuse anonymous volumes from previous containers.
+      - V(true) is equivalent to the C(--renew-anon-volumes) option of C(docker compose up).
+    type: bool
+    default: false
+    version_added: 4.0.0
+  remove_images:
+    description:
+      - Use with O(state=absent) to remove all images or only local images.
+    type: str
+    choices:
+      - all
+      - local
+  remove_volumes:
+    description:
+      - Use with O(state=absent) to remove data volumes.
+    type: bool
+    default: false
+  remove_orphans:
+    description:
+      - Remove containers for services not defined in the Compose file.
+    type: bool
+    default: false
+  timeout:
+    description:
+      - Timeout in seconds for container shutdown when attached or when containers are already running.
+    type: int
+  services:
+    description:
+      - Specifies a subset of services to be targeted.
+    type: list
+    elements: str
+  scale:
+    description:
+      - Define how to scale services when running C(docker compose up).
+      - Provide a dictionary of key/value pairs where the key is the name of the service and the value is an integer count
+        for the number of containers.
+    type: dict
+    version_added: 3.7.0
+  wait:
+    description:
+      - When running C(docker compose up), pass C(--wait) to wait for services to be running/healthy.
+      - A timeout can be set with the O(wait_timeout) option.
+    type: bool
+    default: false
+    version_added: 3.8.0
+  wait_timeout:
+    description:
+      - When O(wait=true), wait at most this amount of seconds.
+    type: int
+    version_added: 3.8.0
+  assume_yes:
+    description:
+      - When O(assume_yes=true), pass C(-y)/C(--yes) to assume "yes" as answer to all prompts and run non-interactively.
+      - Right now a prompt is asked whenever a non-matching volume should be re-created. O(assume_yes=false)
+        results in the question being answered by "no", which will simply re-use the existing volume.
+      - This option is only available on Docker Compose 2.32.0 or newer.
+    type: bool
+    default: false
+    version_added: 4.5.0
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_compose_v2_pull
+"""
+
+EXAMPLES = r"""
+---
+# Examples use the django example at https://docs.docker.com/compose/django. Follow it to create the
+# flask directory
+
+- name: Run using a project directory
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Tear down existing services
+      community.docker.docker_compose_v2:
+        project_src: flask
+        state: absent
+
+    - name: Create and start services
+      community.docker.docker_compose_v2:
+        project_src: flask
+      register: output
+
+    - name: Show results
+      ansible.builtin.debug:
+        var: output
+
+    - name: Run `docker compose up` again
+      community.docker.docker_compose_v2:
+        project_src: flask
+      register: output
+
+    - name: Show results
+      ansible.builtin.debug:
+        var: output
+
+    - ansible.builtin.assert:
+        that: not output.changed
+
+    - name: Stop all services
+      community.docker.docker_compose_v2:
+        project_src: flask
+        state: stopped
+      register: output
+
+    - name: Show results
+      ansible.builtin.debug:
+        var: output
+
+    - name: Verify that web and db services are not running
+      ansible.builtin.assert:
+        that:
+          - web_container.State != 'running'
+          - db_container.State != 'running'
+      vars:
+        web_container: >-
+          {{ output.containers | selectattr("Service", "equalto", "web") | first }}
+        db_container: >-
+          {{ output.containers | selectattr("Service", "equalto", "db") | first }}
+
+    - name: Restart services
+      community.docker.docker_compose_v2:
+        project_src: flask
+        state: restarted
+      register: output
+
+    - name: Show results
+      ansible.builtin.debug:
+        var: output
+
+    - name: Verify that web and db services are running
+      ansible.builtin.assert:
+        that:
+          - web_container.State == 'running'
+          - db_container.State == 'running'
+      vars:
+        web_container: >-
+          {{ output.containers | selectattr("Service", "equalto", "web") | first }}
+        db_container: >-
+          {{ output.containers | selectattr("Service", "equalto", "db") | first }}
+"""
+
+RETURN = r"""
+containers:
+  description:
+    - A list of containers associated to the service.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    Command:
+      description:
+        - The container's command.
+      type: raw
+    CreatedAt:
+      description:
+        - The timestamp when the container was created.
+      type: str
+      sample: "2024-01-02 12:20:41 +0100 CET"
+    ExitCode:
+      description:
+        - The container's exit code.
+      type: int
+    Health:
+      description:
+        - The container's health check.
+      type: raw
+    ID:
+      description:
+        - The container's ID.
+      type: str
+      sample: "44a7d607219a60b7db0a4817fb3205dce46e91df2cb4b78a6100b6e27b0d3135"
+    Image:
+      description:
+        - The container's image.
+      type: str
+    Labels:
+      description:
+        - Labels for this container.
+      type: dict
+    LocalVolumes:
+      description:
+        - The local volumes count.
+      type: str
+    Mounts:
+      description:
+        - Mounts.
+      type: str
+    Name:
+      description:
+        - The container's primary name.
+      type: str
+    Names:
+      description:
+        - List of names of the container.
+      type: list
+      elements: str
+    Networks:
+      description:
+        - List of networks attached to this container.
+      type: list
+      elements: str
+    Ports:
+      description:
+        - List of port assignments as a string.
+      type: str
+    Publishers:
+      description:
+        - List of port assigments.
+      type: list
+      elements: dict
+      contains:
+        URL:
+          description:
+            - Interface the port is bound to.
+          type: str
+        TargetPort:
+          description:
+            - The container's port the published port maps to.
+          type: int
+        PublishedPort:
+          description:
+            - The port that is published.
+          type: int
+        Protocol:
+          description:
+            - The protocol.
+          type: str
+          choices:
+            - tcp
+            - udp
+    RunningFor:
+      description:
+        - Amount of time the container runs.
+      type: str
+    Service:
+      description:
+        - The name of the service.
+      type: str
+    Size:
+      description:
+        - The container's size.
+      type: str
+      sample: "0B"
+    State:
+      description:
+        - The container's state.
+      type: str
+      sample: running
+    Status:
+      description:
+        - The container's status.
+      type: str
+      sample: Up About a minute
+images:
+  description:
+    - A list of images associated to the service.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    ID:
+      description:
+        - The image's ID.
+      type: str
+      sample: sha256:c8bccc0af9571ec0d006a43acb5a8d08c4ce42b6cc7194dd6eb167976f501ef1
+    ContainerName:
+      description:
+        - Name of the conainer this image is used by.
+      type: str
+    Repository:
+      description:
+        - The repository where this image belongs to.
+      type: str
+    Tag:
+      description:
+        - The tag of the image.
+      type: str
+    Size:
+      description:
+        - The image's size in bytes.
+      type: int
+actions:
+  description:
+    - A list of actions that have been applied.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    what:
+      description:
+        - What kind of resource was changed.
+      type: str
+      sample: container
+      choices:
+        - container
+        - image
+        - network
+        - service
+        - unknown
+        - volume
+    id:
+      description:
+        - The ID of the resource that was changed.
+      type: str
+      sample: container
+    status:
+      description:
+        - The status change that happened.
+      type: str
+      sample: Creating
+      choices:
+        - Starting
+        - Exiting
+        - Restarting
+        - Creating
+        - Stopping
+        - Killing
+        - Removing
+        - Recreating
+        - Pulling
+        - Building
+"""
+
+import traceback
+import typing as t
+
+from ansible.module_utils.common.validation import check_type_int
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    BaseComposeManager,
+    common_compose_argspec_ex,
+    is_failed,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+
+class ServicesManager(BaseComposeManager):
+    def __init__(self, client: AnsibleModuleDockerClient) -> None:
+        super().__init__(client)
+        parameters = self.client.module.params
+
+        self.state: t.Literal["absent", "present", "stopped", "restarted"] = parameters[
+            "state"
+        ]
+        self.dependencies: bool = parameters["dependencies"]
+        self.pull: t.Literal["always", "missing", "never", "policy"] = parameters[
+            "pull"
+        ]
+        self.build: t.Literal["always", "never", "policy"] = parameters["build"]
+        self.ignore_build_events: bool = parameters["ignore_build_events"]
+        self.recreate: t.Literal["always", "never", "auto"] = parameters["recreate"]
+        self.remove_images: t.Literal["all", "local"] | None = parameters[
+            "remove_images"
+        ]
+        self.remove_volumes: bool = parameters["remove_volumes"]
+        self.remove_orphans: bool = parameters["remove_orphans"]
+        self.renew_anon_volumes: bool = parameters["renew_anon_volumes"]
+        self.timeout: int | None = parameters["timeout"]
+        self.services: list[str] = parameters["services"] or []
+        self.scale: dict[str, t.Any] = parameters["scale"] or {}
+        self.wait: bool = parameters["wait"]
+        self.wait_timeout: int | None = parameters["wait_timeout"]
+        self.yes: bool = parameters["assume_yes"]
+        if self.compose_version < LooseVersion("2.32.0") and self.yes:
+            self.fail(
+                f"assume_yes=true needs Docker Compose 2.32.0 or newer, not version {self.compose_version}"
+            )
+
+        for key, value in self.scale.items():
+            if not isinstance(key, str):
+                self.fail(f"The key {key!r} for `scale` is not a string")
+            try:
+                value = check_type_int(value)
+            except TypeError:
+                self.fail(f"The value {value!r} for `scale[{key!r}]` is not an integer")
+            if value < 0:
+                self.fail(f"The value {value!r} for `scale[{key!r}]` is negative")
+            self.scale[key] = value
+
+    def run(self) -> dict[str, t.Any]:
+        if self.state == "present":
+            result = self.cmd_up()
+        elif self.state == "stopped":
+            result = self.cmd_stop()
+        elif self.state == "restarted":
+            result = self.cmd_restart()
+        elif self.state == "absent":
+            result = self.cmd_down()
+        else:
+            raise AssertionError("Unexpected state")
+
+        result["containers"] = self.list_containers()
+        result["images"] = self.list_images()
+        self.cleanup_result(result)
+        return result
+
+    def get_up_cmd(self, dry_run: bool, no_start: bool = False) -> list[str]:
+        args = self.get_base_args() + ["up", "--detach", "--no-color", "--quiet-pull"]
+        if self.pull != "policy":
+            args.extend(["--pull", self.pull])
+        if self.remove_orphans:
+            args.append("--remove-orphans")
+        if self.recreate == "always":
+            args.append("--force-recreate")
+        if self.recreate == "never":
+            args.append("--no-recreate")
+        if self.renew_anon_volumes:
+            args.append("--renew-anon-volumes")
+        if not self.dependencies:
+            args.append("--no-deps")
+        if self.timeout is not None:
+            args.extend(["--timeout", f"{self.timeout}"])
+        if self.build == "always":
+            args.append("--build")
+        elif self.build == "never":
+            args.append("--no-build")
+        for key, value in sorted(self.scale.items()):
+            args.extend(["--scale", f"{key}={value}"])
+        if self.wait:
+            args.append("--wait")
+            if self.wait_timeout is not None:
+                args.extend(["--wait-timeout", str(self.wait_timeout)])
+        if no_start:
+            args.append("--no-start")
+        if dry_run:
+            args.append("--dry-run")
+        if self.yes:
+            # Note that for Docker Compose 2.32.x and 2.33.x, the long form is '--y' and not '--yes'.
+            # This was fixed in Docker Compose 2.34.0 (https://github.com/docker/compose/releases/tag/v2.34.0).
+            args.append(
+                "-y" if self.compose_version < LooseVersion("2.34.0") else "--yes"
+            )
+        args.append("--")
+        for service in self.services:
+            args.append(service)
+        return args
+
+    def cmd_up(self) -> dict[str, t.Any]:
+        result: dict[str, t.Any] = {}
+        args = self.get_up_cmd(self.check_mode)
+        rc, stdout, stderr = self.client.call_cli(*args, cwd=self.project_src)
+        events = self.parse_events(stderr, dry_run=self.check_mode, nonzero_rc=rc != 0)
+        self.emit_warnings(events)
+        self.update_result(
+            result,
+            events,
+            stdout,
+            stderr,
+            ignore_service_pull_events=True,
+            ignore_build_events=self.ignore_build_events,
+        )
+        self.update_failed(result, events, args, stdout, stderr, rc)
+        return result
+
+    def get_stop_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args() + ["stop"]
+        if self.timeout is not None:
+            args.extend(["--timeout", f"{self.timeout}"])
+        if dry_run:
+            args.append("--dry-run")
+        args.append("--")
+        for service in self.services:
+            args.append(service)
+        return args
+
+    def _are_containers_stopped(self) -> bool:
+        return all(
+            container["State"] in ("created", "exited", "stopped", "killed")
+            for container in self.list_containers_raw()
+        )
+
+    def cmd_stop(self) -> dict[str, t.Any]:
+        # Since 'docker compose stop' **always** claims it is stopping containers, even if they are already
+        # stopped, we have to do this a bit more complicated.
+
+        result: dict[str, t.Any] = {}
+        # Make sure all containers are created
+        args_1 = self.get_up_cmd(self.check_mode, no_start=True)
+        rc_1, stdout_1, stderr_1 = self.client.call_cli(*args_1, cwd=self.project_src)
+        events_1 = self.parse_events(
+            stderr_1, dry_run=self.check_mode, nonzero_rc=rc_1 != 0
+        )
+        self.emit_warnings(events_1)
+        self.update_result(
+            result,
+            events_1,
+            stdout_1,
+            stderr_1,
+            ignore_service_pull_events=True,
+            ignore_build_events=self.ignore_build_events,
+        )
+        is_failed_1 = is_failed(events_1, rc_1)
+        if not is_failed_1 and not self._are_containers_stopped():
+            # Make sure all containers are stopped
+            args_2 = self.get_stop_cmd(self.check_mode)
+            rc_2, stdout_2, stderr_2 = self.client.call_cli(
+                *args_2, cwd=self.project_src
+            )
+            events_2 = self.parse_events(
+                stderr_2, dry_run=self.check_mode, nonzero_rc=rc_2 != 0
+            )
+            self.emit_warnings(events_2)
+            self.update_result(result, events_2, stdout_2, stderr_2)
+        else:
+            args_2 = []
+            rc_2, stdout_2, stderr_2 = 0, b"", b""
+            events_2 = []
+        # Compose result
+        self.update_failed(
+            result,
+            events_1 + events_2,
+            args_1 if is_failed_1 else args_2,
+            stdout_1 if is_failed_1 else stdout_2,
+            stderr_1 if is_failed_1 else stderr_2,
+            rc_1 if is_failed_1 else rc_2,
+        )
+        return result
+
+    def get_restart_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args() + ["restart"]
+        if not self.dependencies:
+            args.append("--no-deps")
+        if self.timeout is not None:
+            args.extend(["--timeout", f"{self.timeout}"])
+        if dry_run:
+            args.append("--dry-run")
+        args.append("--")
+        for service in self.services:
+            args.append(service)
+        return args
+
+    def cmd_restart(self) -> dict[str, t.Any]:
+        result: dict[str, t.Any] = {}
+        args = self.get_restart_cmd(self.check_mode)
+        rc, stdout, stderr = self.client.call_cli(*args, cwd=self.project_src)
+        events = self.parse_events(stderr, dry_run=self.check_mode, nonzero_rc=rc != 0)
+        self.emit_warnings(events)
+        self.update_result(result, events, stdout, stderr)
+        self.update_failed(result, events, args, stdout, stderr, rc)
+        return result
+
+    def get_down_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args() + ["down"]
+        if self.remove_orphans:
+            args.append("--remove-orphans")
+        if self.remove_images:
+            args.extend(["--rmi", self.remove_images])
+        if self.remove_volumes:
+            args.append("--volumes")
+        if self.timeout is not None:
+            args.extend(["--timeout", f"{self.timeout}"])
+        if dry_run:
+            args.append("--dry-run")
+        args.append("--")
+        for service in self.services:
+            args.append(service)
+        return args
+
+    def cmd_down(self) -> dict[str, t.Any]:
+        result: dict[str, t.Any] = {}
+        args = self.get_down_cmd(self.check_mode)
+        rc, stdout, stderr = self.client.call_cli(*args, cwd=self.project_src)
+        events = self.parse_events(stderr, dry_run=self.check_mode, nonzero_rc=rc != 0)
+        self.emit_warnings(events)
+        self.update_result(result, events, stdout, stderr)
+        self.update_failed(result, events, args, stdout, stderr, rc)
+        return result
+
+
+def main() -> None:
+    argument_spec = {
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["absent", "present", "stopped", "restarted"],
+        },
+        "dependencies": {"type": "bool", "default": True},
+        "pull": {
+            "type": "str",
+            "choices": ["always", "missing", "never", "policy"],
+            "default": "policy",
+        },
+        "build": {
+            "type": "str",
+            "choices": ["always", "never", "policy"],
+            "default": "policy",
+        },
+        "recreate": {
+            "type": "str",
+            "default": "auto",
+            "choices": ["always", "never", "auto"],
+        },
+        "renew_anon_volumes": {"type": "bool", "default": False},
+        "remove_images": {"type": "str", "choices": ["all", "local"]},
+        "remove_volumes": {"type": "bool", "default": False},
+        "remove_orphans": {"type": "bool", "default": False},
+        "timeout": {"type": "int"},
+        "services": {"type": "list", "elements": "str"},
+        "scale": {"type": "dict"},
+        "wait": {"type": "bool", "default": False},
+        "wait_timeout": {"type": "int"},
+        "ignore_build_events": {"type": "bool", "default": True},
+        "assume_yes": {"type": "bool", "default": False},
+    }
+    argspec_ex = common_compose_argspec_ex()
+    argument_spec.update(argspec_ex.pop("argspec"))
+
+    client = AnsibleModuleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        needs_api_version=False,
+        **argspec_ex,
+    )
+
+    try:
+        manager = ServicesManager(client)
+        result = manager.run()
+        manager.cleanup()
+        client.module.exit_json(**result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_compose_v2_exec.py b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_exec.py
new file mode 100644
index 00000000..c8e2dbc3
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_exec.py
@@ -0,0 +1,308 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_compose_v2_exec
+
+short_description: Run command in a container of a Compose service
+
+version_added: 3.13.0
+
+description:
+  - Uses Docker Compose to run a command in a service's container.
+  - This can be used to run one-off commands in an existing service's container, and encapsulates C(docker compose exec).
+extends_documentation_fragment:
+  - community.docker._compose_v2
+  - community.docker._compose_v2.minimum_version
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: N/A
+    details:
+      - Whether the executed command is idempotent depends on the command.
+
+options:
+  service:
+    description:
+      - The service to run the command in.
+    type: str
+    required: true
+  index:
+    description:
+      - The index of the container to run the command in if the service has multiple replicas.
+    type: int
+  argv:
+    type: list
+    elements: str
+    description:
+      - The command to execute.
+      - Since this is a list of arguments, no quoting is needed.
+      - Exactly one of O(argv) or O(command) must be specified.
+  command:
+    type: str
+    description:
+      - The command to execute.
+      - Exactly one of O(argv) or O(command) must be specified.
+  chdir:
+    type: str
+    description:
+      - The directory to run the command in.
+  detach:
+    description:
+      - Whether to run the command synchronously (O(detach=false), default) or asynchronously (O(detach=true)).
+      - If set to V(true), O(stdin) cannot be provided, and the return values RV(stdout), RV(stderr), and RV(rc) are not returned.
+    type: bool
+    default: false
+  user:
+    type: str
+    description:
+      - If specified, the user to execute this command with.
+  stdin:
+    type: str
+    description:
+      - Set the stdin of the command directly to the specified value.
+      - Can only be used if O(detach=false).
+  stdin_add_newline:
+    type: bool
+    default: true
+    description:
+      - If set to V(true), appends a newline to O(stdin).
+  strip_empty_ends:
+    type: bool
+    default: true
+    description:
+      - Strip empty lines from the end of stdout/stderr in result.
+  privileged:
+    type: bool
+    default: false
+    description:
+      - Whether to give extended privileges to the process.
+  tty:
+    type: bool
+    default: true
+    description:
+      - Whether to allocate a TTY.
+  env:
+    description:
+      - Dictionary of environment variables with their respective values to be passed to the command ran inside the container.
+      - Values which might be parsed as numbers, booleans or other types by the YAML parser must be quoted (for example V("true"))
+        in order to avoid data loss.
+      - Please note that if you are passing values in with Jinja2 templates, like V("{{ value }}"), you need to add V(| string)
+        to prevent Ansible to convert strings such as V("true") back to booleans. The correct way is to use V("{{ value |
+        string }}").
+    type: dict
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_compose_v2
+
+notes:
+  - If you need to evaluate environment variables of the container in O(command) or O(argv), you need to pass the command
+    through a shell, like O(command=/bin/sh -c "echo $ENV_VARIABLE"). The same needs to be done in case you want to use glob patterns
+    or other shell features such as redirects.
+"""
+
+EXAMPLES = r"""
+---
+- name: Run a simple command (command)
+  community.docker.docker_compose_v2_exec:
+    service: foo
+    command: /bin/bash -c "ls -lah"
+    chdir: /root
+  register: result
+
+- name: Print stdout
+  ansible.builtin.debug:
+    var: result.stdout
+
+- name: Run a simple command (argv)
+  community.docker.docker_compose_v2_exec:
+    service: foo
+    argv:
+      - /bin/bash
+      - "-c"
+      - "ls -lah > /dev/stderr"
+    chdir: /root
+  register: result
+
+- name: Print stderr lines
+  ansible.builtin.debug:
+    var: result.stderr_lines
+"""
+
+RETURN = r"""
+stdout:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard output of the container command.
+stderr:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard error output of the container command.
+rc:
+  type: int
+  returned: success and O(detach=false)
+  sample: 0
+  description:
+    - The exit code of the command.
+"""
+
+import shlex
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    BaseComposeManager,
+    common_compose_argspec_ex,
+)
+
+
+class ExecManager(BaseComposeManager):
+    def __init__(self, client: AnsibleModuleDockerClient) -> None:
+        super().__init__(client)
+        parameters = self.client.module.params
+
+        self.service: str = parameters["service"]
+        self.index: int | None = parameters["index"]
+        self.chdir: str | None = parameters["chdir"]
+        self.detach: bool = parameters["detach"]
+        self.user: str | None = parameters["user"]
+        self.stdin: str | None = parameters["stdin"]
+        self.strip_empty_ends: bool = parameters["strip_empty_ends"]
+        self.privileged: bool = parameters["privileged"]
+        self.tty: bool = parameters["tty"]
+        self.env: dict[str, t.Any] = parameters["env"]
+
+        self.argv: list[str]
+        if parameters["command"] is not None:
+            self.argv = shlex.split(parameters["command"])
+        else:
+            self.argv = parameters["argv"]
+
+        if self.detach and self.stdin is not None:
+            self.fail("If detach=true, stdin cannot be provided.")
+
+        stdin_add_newline: bool = parameters["stdin_add_newline"]
+        if self.stdin is not None and stdin_add_newline:
+            self.stdin += "\n"
+
+        if self.env is not None:
+            for name, value in self.env.items():
+                if not isinstance(value, str):
+                    self.fail(
+                        "Non-string value found for env option. Ambiguous env options must be "
+                        "wrapped in quotes to avoid them being interpreted when directly specified "
+                        "in YAML, or explicitly converted to strings when the option is templated. "
+                        f"Key: {name}"
+                    )
+
+    def get_exec_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args(plain_progress=True) + ["exec"]
+        if self.index is not None:
+            args.extend(["--index", str(self.index)])
+        if self.chdir is not None:
+            args.extend(["--workdir", self.chdir])
+        if self.detach:
+            args.extend(["--detach"])
+        if self.user is not None:
+            args.extend(["--user", self.user])
+        if self.privileged:
+            args.append("--privileged")
+        if not self.tty:
+            args.append("--no-TTY")
+        if self.env:
+            for name, value in list(self.env.items()):
+                args.append("--env")
+                args.append(f"{name}={value}")
+        args.append("--")
+        args.append(self.service)
+        args.extend(self.argv)
+        return args
+
+    def run(self) -> dict[str, t.Any]:
+        args = self.get_exec_cmd(self.check_mode)
+        kwargs: dict[str, t.Any] = {
+            "cwd": self.project_src,
+        }
+        if self.stdin is not None:
+            kwargs["data"] = self.stdin.encode("utf-8")
+        if self.detach:
+            kwargs["check_rc"] = True
+        rc, stdout_b, stderr_b = self.client.call_cli(*args, **kwargs)
+        if self.detach:
+            return {}
+        stdout = to_text(stdout_b)
+        stderr = to_text(stderr_b)
+        if self.strip_empty_ends:
+            stdout = stdout.rstrip("\r\n")
+            stderr = stderr.rstrip("\r\n")
+        return {
+            "changed": True,
+            "rc": rc,
+            "stdout": stdout,
+            "stderr": stderr,
+        }
+
+
+def main() -> None:
+    argument_spec = {
+        "service": {"type": "str", "required": True},
+        "index": {"type": "int"},
+        "argv": {"type": "list", "elements": "str"},
+        "command": {"type": "str"},
+        "chdir": {"type": "str"},
+        "detach": {"type": "bool", "default": False},
+        "user": {"type": "str"},
+        "stdin": {"type": "str"},
+        "stdin_add_newline": {"type": "bool", "default": True},
+        "strip_empty_ends": {"type": "bool", "default": True},
+        "privileged": {"type": "bool", "default": False},
+        "tty": {"type": "bool", "default": True},
+        "env": {"type": "dict"},
+    }
+    argspec_ex = common_compose_argspec_ex()
+    argument_spec.update(argspec_ex.pop("argspec"))
+
+    client = AnsibleModuleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=False,
+        needs_api_version=False,
+        **argspec_ex,
+    )
+
+    try:
+        manager = ExecManager(client)
+        result = manager.run()
+        manager.cleanup()
+        client.module.exit_json(**result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_compose_v2_pull.py b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_pull.py
new file mode 100644
index 00000000..25b7e94b
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_pull.py
@@ -0,0 +1,216 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_compose_v2_pull
+
+short_description: Pull a Docker compose project
+
+version_added: 3.6.0
+
+description:
+  - Uses Docker Compose to pull images for a project.
+extends_documentation_fragment:
+  - community.docker._compose_v2
+  - community.docker._compose_v2.minimum_version
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+    details:
+      - If O(policy=always), the module will always indicate a change. Docker Compose does not give any information whether
+        pulling would update the image or not.
+  diff_mode:
+    support: none
+  idempotent:
+    support: full
+
+options:
+  policy:
+    description:
+      - Whether to pull images before running. This is used when C(docker compose up) is ran.
+      - V(always) ensures that the images are always pulled, even when already present on the Docker daemon.
+      - V(missing) only pulls them when they are not present on the Docker daemon. This is only supported since Docker Compose
+        2.22.0.
+    type: str
+    choices:
+      - always
+      - missing
+    default: always
+  ignore_buildable:
+    description:
+      - If set to V(true), will not pull images that can be built.
+    type: bool
+    default: false
+    version_added: 3.12.0
+  include_deps:
+    description:
+      - If set to V(true), also pull services that are declared as dependencies.
+      - This only makes sense if O(services) is used.
+    type: bool
+    default: false
+    version_added: 3.12.0
+  services:
+    description:
+      - Specifies a subset of services to be targeted.
+    type: list
+    elements: str
+    version_added: 3.12.0
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_compose_v2
+"""
+
+EXAMPLES = r"""
+---
+- name: Pull images for flask project
+  community.docker.docker_compose_v2_pull:
+    project_src: /path/to/flask
+"""
+
+RETURN = r"""
+actions:
+  description:
+    - A list of actions that have been applied.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    what:
+      description:
+        - What kind of resource was changed.
+      type: str
+      sample: container
+      choices:
+        - image
+        - unknown
+    id:
+      description:
+        - The ID of the resource that was changed.
+      type: str
+      sample: container
+    status:
+      description:
+        - The status change that happened.
+      type: str
+      sample: Pulling
+      choices:
+        - Pulling
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    BaseComposeManager,
+    common_compose_argspec_ex,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+
+class PullManager(BaseComposeManager):
+    def __init__(self, client: AnsibleModuleDockerClient) -> None:
+        super().__init__(client)
+        parameters = self.client.module.params
+
+        self.policy: t.Literal["always", "missing"] = parameters["policy"]
+        self.ignore_buildable: bool = parameters["ignore_buildable"]
+        self.include_deps: bool = parameters["include_deps"]
+        self.services: list[str] = parameters["services"] or []
+
+        if self.policy != "always" and self.compose_version < LooseVersion("2.22.0"):
+            # https://github.com/docker/compose/pull/10981 - 2.22.0
+            self.fail(
+                f"A pull policy other than always is only supported since Docker Compose 2.22.0. {self.client.get_cli()} has version {self.compose_version}"
+            )
+        if self.ignore_buildable and self.compose_version < LooseVersion("2.15.0"):
+            # https://github.com/docker/compose/pull/10134 - 2.15.0
+            self.fail(
+                f"--ignore-buildable is only supported since Docker Compose 2.15.0. {self.client.get_cli()} has version {self.compose_version}"
+            )
+
+    def get_pull_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args() + ["pull"]
+        if self.policy != "always":
+            args.extend(["--policy", self.policy])
+        if self.ignore_buildable:
+            args.append("--ignore-buildable")
+        if self.include_deps:
+            args.append("--include-deps")
+        if dry_run:
+            args.append("--dry-run")
+        args.append("--")
+        for service in self.services:
+            args.append(service)
+        return args
+
+    def run(self) -> dict[str, t.Any]:
+        result: dict[str, t.Any] = {}
+        args = self.get_pull_cmd(self.check_mode)
+        rc, stdout, stderr = self.client.call_cli(*args, cwd=self.project_src)
+        events = self.parse_events(stderr, dry_run=self.check_mode, nonzero_rc=rc != 0)
+        self.emit_warnings(events)
+        self.update_result(
+            result,
+            events,
+            stdout,
+            stderr,
+            ignore_service_pull_events=self.policy != "missing" and not self.check_mode,
+        )
+        self.update_failed(result, events, args, stdout, stderr, rc)
+        self.cleanup_result(result)
+        return result
+
+
+def main() -> None:
+    argument_spec = {
+        "policy": {
+            "type": "str",
+            "choices": ["always", "missing"],
+            "default": "always",
+        },
+        "ignore_buildable": {"type": "bool", "default": False},
+        "include_deps": {"type": "bool", "default": False},
+        "services": {"type": "list", "elements": "str"},
+    }
+    argspec_ex = common_compose_argspec_ex()
+    argument_spec.update(argspec_ex.pop("argspec"))
+
+    client = AnsibleModuleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        needs_api_version=False,
+        **argspec_ex,
+    )
+
+    try:
+        manager = PullManager(client)
+        result = manager.run()
+        manager.cleanup()
+        client.module.exit_json(**result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_compose_v2_run.py b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_run.py
new file mode 100644
index 00000000..ed034e3d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_compose_v2_run.py
@@ -0,0 +1,441 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_compose_v2_run
+
+short_description: Run command in a new container of a Compose service
+
+version_added: 3.13.0
+
+description:
+  - Uses Docker Compose to run a command in a new container for a service.
+  - This encapsulates C(docker compose run).
+extends_documentation_fragment:
+  - community.docker._compose_v2
+  - community.docker._compose_v2.minimum_version
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: N/A
+    details:
+      - Whether the executed command is idempotent depends on the command.
+
+options:
+  service:
+    description:
+      - The service to run the command in.
+    type: str
+    required: true
+  argv:
+    type: list
+    elements: str
+    description:
+      - The command to execute.
+      - Since this is a list of arguments, no quoting is needed.
+      - O(argv) or O(command) are mutually exclusive.
+  command:
+    type: str
+    description:
+      - The command to execute.
+      - O(argv) or O(command) are mutually exclusive.
+  build:
+    description:
+      - Build image before starting container.
+      - Note that building can insert information into RV(stdout) or RV(stderr).
+    type: bool
+    default: false
+  cap_add:
+    description:
+      - Linux capabilities to add to the container.
+    type: list
+    elements: str
+  cap_drop:
+    description:
+      - Linux capabilities to drop from the container.
+    type: list
+    elements: str
+  entrypoint:
+    description:
+      - Override the entrypoint of the container image.
+    type: str
+  interactive:
+    description:
+      - Whether to keep STDIN open even if not attached.
+    type: bool
+    default: true
+  labels:
+    description:
+      - Add or override labels to the container.
+    type: list
+    elements: str
+  name:
+    description:
+      - Assign a name to the container.
+    type: str
+  no_deps:
+    description:
+      - Do not start linked services.
+    type: bool
+    default: false
+  publish:
+    description:
+      - Publish a container's port(s) to the host.
+    type: list
+    elements: str
+  quiet_pull:
+    description:
+      - Pull without printing progress information.
+      - Note that pulling can insert information into RV(stdout) or RV(stderr).
+    type: bool
+    default: false
+  remove_orphans:
+    description:
+      - Remove containers for services not defined in the Compose file.
+    type: bool
+    default: false
+  cleanup:
+    description:
+      - Automatically remove th econtainer when it exits.
+      - Corresponds to the C(--rm) option of C(docker compose run).
+    type: bool
+    default: false
+  service_ports:
+    description:
+      - Run command with all service's ports enabled and mapped to the host.
+    type: bool
+    default: false
+  use_aliases:
+    description:
+      - Use the service's network C(useAliases) in the network(s) the container connects to.
+    type: bool
+    default: false
+  volumes:
+    description:
+      - Bind mount one or more volumes.
+    type: list
+    elements: str
+  chdir:
+    type: str
+    description:
+      - The directory to run the command in.
+  detach:
+    description:
+      - Whether to run the command synchronously (O(detach=false), default) or asynchronously (O(detach=true)).
+      - If set to V(true), O(stdin) cannot be provided, and the return values RV(stdout), RV(stderr), and RV(rc) are not returned.
+        Instead, the return value RV(container_id) is provided.
+    type: bool
+    default: false
+  user:
+    type: str
+    description:
+      - If specified, the user to execute this command with.
+  stdin:
+    type: str
+    description:
+      - Set the stdin of the command directly to the specified value.
+      - Can only be used if O(detach=false).
+  stdin_add_newline:
+    type: bool
+    default: true
+    description:
+      - If set to V(true), appends a newline to O(stdin).
+  strip_empty_ends:
+    type: bool
+    default: true
+    description:
+      - Strip empty lines from the end of stdout/stderr in result.
+  tty:
+    type: bool
+    default: true
+    description:
+      - Whether to allocate a TTY.
+  env:
+    description:
+      - Dictionary of environment variables with their respective values to be passed to the command ran inside the container.
+      - Values which might be parsed as numbers, booleans or other types by the YAML parser must be quoted (for example V("true"))
+        in order to avoid data loss.
+      - Please note that if you are passing values in with Jinja2 templates, like V("{{ value }}"), you need to add V(| string)
+        to prevent Ansible to convert strings such as V("true") back to booleans. The correct way is to use V("{{ value |
+        string }}").
+    type: dict
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_compose_v2
+
+notes:
+  - If you need to evaluate environment variables of the container in O(command) or O(argv), you need to pass the command
+    through a shell, like O(command=/bin/sh -c "echo $ENV_VARIABLE"). The same needs to be done in case you want to use glob patterns
+    or other shell features such as redirects.
+"""
+
+EXAMPLES = r"""
+---
+- name: Run a simple command (command)
+  community.docker.docker_compose_v2_run:
+    service: foo
+    command: /bin/bash -c "ls -lah"
+    chdir: /root
+  register: result
+
+- name: Print stdout
+  ansible.builtin.debug:
+    var: result.stdout
+
+- name: Run a simple command (argv)
+  community.docker.docker_compose_v2_run:
+    service: foo
+    argv:
+      - /bin/bash
+      - "-c"
+      - "ls -lah > /dev/stderr"
+    chdir: /root
+  register: result
+
+- name: Print stderr lines
+  ansible.builtin.debug:
+    var: result.stderr_lines
+"""
+
+RETURN = r"""
+container_id:
+  type: str
+  returned: success and O(detach=true)
+  description:
+    - The ID of the created container.
+stdout:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard output of the container command.
+stderr:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard error output of the container command.
+rc:
+  type: int
+  returned: success and O(detach=false)
+  sample: 0
+  description:
+    - The exit code of the command.
+"""
+
+import shlex
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    BaseComposeManager,
+    common_compose_argspec_ex,
+)
+
+
+class ExecManager(BaseComposeManager):
+    def __init__(self, client: AnsibleModuleDockerClient) -> None:
+        super().__init__(client)
+        parameters = self.client.module.params
+
+        self.service: str = parameters["service"]
+        self.build: bool = parameters["build"]
+        self.cap_add: list[str] | None = parameters["cap_add"]
+        self.cap_drop: list[str] | None = parameters["cap_drop"]
+        self.entrypoint: str | None = parameters["entrypoint"]
+        self.interactive: bool = parameters["interactive"]
+        self.labels: list[str] | None = parameters["labels"]
+        self.name: str | None = parameters["name"]
+        self.no_deps: bool = parameters["no_deps"]
+        self.publish: list[str] | None = parameters["publish"]
+        self.quiet_pull: bool = parameters["quiet_pull"]
+        self.remove_orphans: bool = parameters["remove_orphans"]
+        self.do_cleanup: bool = parameters["cleanup"]
+        self.service_ports: bool = parameters["service_ports"]
+        self.use_aliases: bool = parameters["use_aliases"]
+        self.volumes: list[str] | None = parameters["volumes"]
+        self.chdir: str | None = parameters["chdir"]
+        self.detach: bool = parameters["detach"]
+        self.user: str | None = parameters["user"]
+        self.stdin: str | None = parameters["stdin"]
+        self.strip_empty_ends: bool = parameters["strip_empty_ends"]
+        self.tty: bool = parameters["tty"]
+        self.env: dict[str, t.Any] | None = parameters["env"]
+
+        self.argv: list[str]
+        if parameters["command"] is not None:
+            self.argv = shlex.split(parameters["command"])
+        else:
+            self.argv = parameters["argv"]
+
+        if self.detach and self.stdin is not None:
+            self.fail("If detach=true, stdin cannot be provided.")
+
+        stdin_add_newline: bool = parameters["stdin_add_newline"]
+        if self.stdin is not None and stdin_add_newline:
+            self.stdin += "\n"
+
+        if self.env is not None:
+            for name, value in self.env.items():
+                if not isinstance(value, str):
+                    self.fail(
+                        "Non-string value found for env option. Ambiguous env options must be "
+                        "wrapped in quotes to avoid them being interpreted when directly specified "
+                        "in YAML, or explicitly converted to strings when the option is templated. "
+                        f"Key: {name}"
+                    )
+
+    def get_run_cmd(self, dry_run: bool) -> list[str]:
+        args = self.get_base_args(plain_progress=True) + ["run"]
+        if self.build:
+            args.append("--build")
+        if self.cap_add:
+            for cap in self.cap_add:
+                args.extend(["--cap-add", cap])
+        if self.cap_drop:
+            for cap in self.cap_drop:
+                args.extend(["--cap-drop", cap])
+        if self.entrypoint is not None:
+            args.extend(["--entrypoint", self.entrypoint])
+        if not self.interactive:
+            args.append("--no-interactive")
+        if self.labels:
+            for label in self.labels:
+                args.extend(["--label", label])
+        if self.name is not None:
+            args.extend(["--name", self.name])
+        if self.no_deps:
+            args.append("--no-deps")
+        if self.publish:
+            for publish in self.publish:
+                args.extend(["--publish", publish])
+        if self.quiet_pull:
+            args.append("--quiet-pull")
+        if self.remove_orphans:
+            args.append("--remove-orphans")
+        if self.do_cleanup:
+            args.append("--rm")
+        if self.service_ports:
+            args.append("--service-ports")
+        if self.use_aliases:
+            args.append("--use-aliases")
+        if self.volumes:
+            for volume in self.volumes:
+                args.extend(["--volume", volume])
+        if self.chdir is not None:
+            args.extend(["--workdir", self.chdir])
+        if self.detach:
+            args.extend(["--detach"])
+        if self.user is not None:
+            args.extend(["--user", self.user])
+        if not self.tty:
+            args.append("--no-TTY")
+        if self.env:
+            for name, value in list(self.env.items()):
+                args.append("--env")
+                args.append(f"{name}={value}")
+        args.append("--")
+        args.append(self.service)
+        if self.argv:
+            args.extend(self.argv)
+        return args
+
+    def run(self) -> dict[str, t.Any]:
+        args = self.get_run_cmd(self.check_mode)
+        kwargs: dict[str, t.Any] = {
+            "cwd": self.project_src,
+        }
+        if self.stdin is not None:
+            kwargs["data"] = self.stdin.encode("utf-8")
+        if self.detach:
+            kwargs["check_rc"] = True
+        rc, stdout_b, stderr_b = self.client.call_cli(*args, **kwargs)
+        if self.detach:
+            return {
+                "container_id": to_text(stdout_b.strip()),
+            }
+        stdout = to_text(stdout_b)
+        stderr = to_text(stderr_b)
+        if self.strip_empty_ends:
+            stdout = stdout.rstrip("\r\n")
+            stderr = stderr.rstrip("\r\n")
+        return {
+            "changed": True,
+            "rc": rc,
+            "stdout": stdout,
+            "stderr": stderr,
+        }
+
+
+def main() -> None:
+    argument_spec = {
+        "service": {"type": "str", "required": True},
+        "argv": {"type": "list", "elements": "str"},
+        "command": {"type": "str"},
+        "build": {"type": "bool", "default": False},
+        "cap_add": {"type": "list", "elements": "str"},
+        "cap_drop": {"type": "list", "elements": "str"},
+        "entrypoint": {"type": "str"},
+        "interactive": {"type": "bool", "default": True},
+        "labels": {"type": "list", "elements": "str"},
+        "name": {"type": "str"},
+        "no_deps": {"type": "bool", "default": False},
+        "publish": {"type": "list", "elements": "str"},
+        "quiet_pull": {"type": "bool", "default": False},
+        "remove_orphans": {"type": "bool", "default": False},
+        "cleanup": {"type": "bool", "default": False},
+        "service_ports": {"type": "bool", "default": False},
+        "use_aliases": {"type": "bool", "default": False},
+        "volumes": {"type": "list", "elements": "str"},
+        "chdir": {"type": "str"},
+        "detach": {"type": "bool", "default": False},
+        "user": {"type": "str"},
+        "stdin": {"type": "str"},
+        "stdin_add_newline": {"type": "bool", "default": True},
+        "strip_empty_ends": {"type": "bool", "default": True},
+        "tty": {"type": "bool", "default": True},
+        "env": {"type": "dict"},
+    }
+    argspec_ex = common_compose_argspec_ex()
+    argument_spec.update(argspec_ex.pop("argspec"))
+
+    client = AnsibleModuleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=False,
+        needs_api_version=False,
+        **argspec_ex,
+    )
+
+    try:
+        manager = ExecManager(client)
+        result = manager.run()
+        manager.cleanup()
+        client.module.exit_json(**result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_config.py b/ansible_collections/community/docker/plugins/modules/docker_config.py
new file mode 100644
index 00000000..1a1134ee
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_config.py
@@ -0,0 +1,447 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_config
+
+short_description: Manage docker configs
+
+description:
+  - Create and remove Docker configs in a Swarm environment. Similar to C(docker config create) and C(docker config rm).
+  - Adds to the metadata of new configs C(ansible_key), an encrypted hash representation of the data, which is then used in
+    future runs to test if a config has changed. If C(ansible_key) is not present, then a config will not be updated unless
+    the O(force) option is set.
+  - Updates to configs are performed by removing the config and creating it again.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - If O(force=true) the module is not idempotent.
+
+options:
+  data:
+    description:
+      - The value of the config.
+      - Mutually exclusive with O(data_src). One of O(data) and O(data_src) is required if O(state=present).
+    type: str
+  data_is_b64:
+    description:
+      - If set to V(true), the data is assumed to be Base64 encoded and will be decoded before being used.
+      - To use binary O(data), it is better to keep it Base64 encoded and let it be decoded by this option.
+    type: bool
+    default: false
+  data_src:
+    description:
+      - The file on the target from which to read the config.
+      - Mutually exclusive with O(data). One of O(data) and O(data_src) is required if O(state=present).
+    type: path
+    version_added: 1.10.0
+  labels:
+    description:
+      - A map of key:value meta data, where both the C(key) and C(value) are expected to be a string.
+      - If new meta data is provided, or existing meta data is modified, the config will be updated by removing it and creating
+        it again.
+    type: dict
+  force:
+    description:
+      - Use with O(state=present) to always remove and recreate an existing config.
+      - If V(true), an existing config will be replaced, even if it has not been changed.
+    type: bool
+    default: false
+  rolling_versions:
+    description:
+      - If set to V(true), configs are created with an increasing version number appended to their name.
+      - Adds a label containing the version number to the managed configs with the name C(ansible_version).
+    type: bool
+    default: false
+    version_added: 2.2.0
+  versions_to_keep:
+    description:
+      - When using O(rolling_versions), the number of old versions of the config to keep.
+      - Extraneous old configs are deleted after the new one is created.
+      - Set to V(-1) to keep everything or V(0) or V(1) to keep only the current one.
+    type: int
+    default: 5
+    version_added: 2.2.0
+  name:
+    description:
+      - The name of the config.
+    type: str
+    required: true
+  state:
+    description:
+      - Set to V(present), if the config should exist, and V(absent), if it should not.
+    type: str
+    default: present
+    choices:
+      - absent
+      - present
+  template_driver:
+    description:
+      - Set to V(golang) to use a Go template in O(data) or a Go template file in O(data_src).
+    type: str
+    choices:
+      - golang
+    version_added: 2.5.0
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.6.0"
+  - "Docker API >= 1.30"
+
+author:
+  - Chris Houseknecht (@chouseknecht)
+  - John Hu (@ushuz)
+"""
+
+EXAMPLES = r"""
+---
+- name: Create config foo (from a file on the control machine)
+  community.docker.docker_config:
+    name: foo
+    # If the file is JSON or binary, Ansible might modify it (because
+    # it is first decoded and later re-encoded). Base64-encoding the
+    # file directly after reading it prevents this to happen.
+    data: "{{ lookup('file', '/path/to/config/file') | b64encode }}"
+    data_is_b64: true
+    state: present
+
+- name: Create config foo (from a file on the target machine)
+  community.docker.docker_config:
+    name: foo
+    data_src: /path/to/config/file
+    state: present
+
+- name: Change the config data
+  community.docker.docker_config:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+    state: present
+
+- name: Add a new label
+  community.docker.docker_config:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+      # Adding a new label will cause a remove/create of the config
+      two: '2'
+    state: present
+
+- name: No change
+  community.docker.docker_config:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+      # Even though 'two' is missing, there is no change to the existing config
+    state: present
+
+- name: Update an existing label
+  community.docker.docker_config:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: monkey # Changing a label will cause a remove/create of the config
+      one: '1'
+    state: present
+
+- name: Force the (re-)creation of the config
+  community.docker.docker_config:
+    name: foo
+    data: Goodnight everyone!
+    force: true
+    state: present
+
+- name: Remove config foo
+  community.docker.docker_config:
+    name: foo
+    state: absent
+"""
+
+RETURN = r"""
+config_id:
+  description:
+    - The ID assigned by Docker to the config object.
+  returned: success and O(state=present)
+  type: str
+  sample: 'hzehrmyjigmcp2gb6nlhmjqcv'
+config_name:
+  description:
+    - The name of the created config object.
+  returned: success and O(state=present)
+  type: str
+  sample: 'awesome_config'
+  version_added: 2.2.0
+"""
+
+import base64
+import hashlib
+import traceback
+import typing as t
+
+try:
+    from docker.errors import APIError, DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible.module_utils.common.text.converters import to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    compare_generic,
+    sanitize_labels,
+)
+
+
+class ConfigManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.check_mode = self.client.check_mode
+
+        parameters = self.client.module.params
+        self.name = parameters.get("name")
+        self.state = parameters.get("state")
+        self.data = parameters.get("data")
+        if self.data is not None:
+            if parameters.get("data_is_b64"):
+                self.data = base64.b64decode(self.data)
+            else:
+                self.data = to_bytes(self.data)
+        data_src = parameters.get("data_src")
+        if data_src is not None:
+            try:
+                with open(data_src, "rb") as f:
+                    self.data = f.read()
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.client.fail(f"Error while reading {data_src}: {exc}")
+        self.labels = parameters.get("labels")
+        self.force = parameters.get("force")
+        self.rolling_versions = parameters.get("rolling_versions")
+        self.versions_to_keep = parameters.get("versions_to_keep")
+        self.template_driver = parameters.get("template_driver")
+
+        if self.rolling_versions:
+            self.version = 0
+        self.data_key: str | None = None
+        self.configs: list[dict[str, t.Any]] = []
+
+    def __call__(self) -> None:
+        self.get_config()
+        if self.state == "present":
+            self.data_key = hashlib.sha224(self.data).hexdigest()
+            self.present()
+            self.remove_old_versions()
+        elif self.state == "absent":
+            self.absent()
+
+    def get_version(self, config: dict[str, t.Any]) -> int:
+        try:
+            return int(
+                config.get("Spec", {}).get("Labels", {}).get("ansible_version", 0)
+            )
+        except ValueError:
+            return 0
+
+    def remove_old_versions(self) -> None:
+        if not self.rolling_versions or self.versions_to_keep < 0:
+            return
+        if not self.check_mode:
+            while len(self.configs) > max(self.versions_to_keep, 1):
+                self.remove_config(self.configs.pop(0))
+
+    def get_config(self) -> None:
+        """Find an existing config."""
+        try:
+            configs = self.client.configs(filters={"name": self.name})
+        except APIError as exc:
+            self.client.fail(f"Error accessing config {self.name}: {exc}")
+
+        if self.rolling_versions:
+            self.configs = [
+                config
+                for config in configs
+                if config["Spec"]["Name"].startswith(f"{self.name}_v")
+            ]
+            self.configs.sort(key=self.get_version)
+        else:
+            self.configs = [
+                config for config in configs if config["Spec"]["Name"] == self.name
+            ]
+
+    def create_config(self) -> str | None:
+        """Create a new config"""
+        config_id: str | dict[str, t.Any] | None = None
+        # We ca not see the data after creation, so adding a label we can use for idempotency check
+        labels = {"ansible_key": self.data_key}
+        if self.rolling_versions:
+            self.version += 1
+            labels["ansible_version"] = str(self.version)
+            self.name = f"{self.name}_v{self.version}"
+        if self.labels:
+            labels.update(self.labels)
+
+        try:
+            if not self.check_mode:
+                # only use templating argument when self.template_driver is defined
+                kwargs = {}
+                if self.template_driver:
+                    kwargs["templating"] = {"name": self.template_driver}
+                config_id = self.client.create_config(
+                    self.name, self.data, labels=labels, **kwargs
+                )
+                self.configs += self.client.configs(filters={"id": config_id})
+        except APIError as exc:
+            self.client.fail(f"Error creating config: {exc}")
+
+        if isinstance(config_id, dict):
+            return config_id["ID"]
+
+        return config_id
+
+    def remove_config(self, config: dict[str, t.Any]) -> None:
+        try:
+            if not self.check_mode:
+                self.client.remove_config(config["ID"])
+        except APIError as exc:
+            self.client.fail(f"Error removing config {config['Spec']['Name']}: {exc}")
+
+    def present(self) -> None:
+        """Handles state == 'present', creating or updating the config"""
+        if self.configs:
+            config = self.configs[-1]
+            self.results["config_id"] = config["ID"]
+            self.results["config_name"] = config["Spec"]["Name"]
+            data_changed = False
+            template_driver_changed = False
+            attrs = config.get("Spec", {})
+            if attrs.get("Labels", {}).get("ansible_key"):
+                if attrs["Labels"]["ansible_key"] != self.data_key:
+                    data_changed = True
+            else:
+                if not self.force:
+                    self.client.module.warn(
+                        "'ansible_key' label not found. Config will not be changed unless the force parameter is set to 'true'"
+                    )
+            # template_driver has changed if it was set in the previous config
+            # and now it differs, or if it was not set but now it is.
+            if attrs.get("Templating", {}).get("Name"):
+                if attrs["Templating"]["Name"] != self.template_driver:
+                    template_driver_changed = True
+            elif self.template_driver:
+                template_driver_changed = True
+            labels_changed = not compare_generic(
+                self.labels, attrs.get("Labels"), "allow_more_present", "dict"
+            )
+            if self.rolling_versions:
+                self.version = self.get_version(config)
+            if data_changed or template_driver_changed or labels_changed or self.force:
+                # if something changed or force, delete and re-create the config
+                if not self.rolling_versions:
+                    self.absent()
+                config_id = self.create_config()
+                self.results["changed"] = True
+                self.results["config_id"] = config_id
+                self.results["config_name"] = self.name
+        else:
+            self.results["changed"] = True
+            self.results["config_id"] = self.create_config()
+            self.results["config_name"] = self.name
+
+    def absent(self) -> None:
+        """Handles state == 'absent', removing the config"""
+        if self.configs:
+            for config in self.configs:
+                self.remove_config(config)
+            self.results["changed"] = True
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["absent", "present"],
+        },
+        "data": {"type": "str"},
+        "data_is_b64": {"type": "bool", "default": False},
+        "data_src": {"type": "path"},
+        "labels": {"type": "dict"},
+        "force": {"type": "bool", "default": False},
+        "rolling_versions": {"type": "bool", "default": False},
+        "versions_to_keep": {"type": "int", "default": 5},
+        "template_driver": {"type": "str", "choices": ["golang"]},
+    }
+
+    required_if = [
+        ("state", "present", ["data", "data_src"], True),
+    ]
+
+    mutually_exclusive = [
+        ("data", "data_src"),
+    ]
+
+    option_minimal_versions = {
+        "template_driver": {"docker_py_version": "5.0.3", "docker_api_version": "1.37"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_if=required_if,
+        mutually_exclusive=mutually_exclusive,
+        min_docker_version="2.6.0",
+        min_docker_api_version="1.30",
+        option_minimal_versions=option_minimal_versions,
+    )
+    sanitize_labels(client.module.params["labels"], "labels", client)
+
+    try:
+        results = {
+            "changed": False,
+        }
+
+        ConfigManager(client, results)()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_container.py b/ansible_collections/community/docker/plugins/modules/docker_container.py
new file mode 100644
index 00000000..3a55751d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_container.py
@@ -0,0 +1,1363 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_container
+
+short_description: manage Docker containers
+
+description:
+  - Manage the life cycle of Docker containers.
+  - Supports check mode. Run with C(--check) and C(--diff) to view config difference and list of actions to be taken.
+notes:
+  - For most config changes, the container needs to be recreated. This means that the existing container has to be destroyed
+    and a new one created. This can cause unexpected data loss and downtime. You can use the O(comparisons) option to prevent
+    this.
+  - If the module needs to recreate the container, it will only use the options provided to the module to create the new container
+    (except O(image)). Therefore, always specify B(all) options relevant to the container.
+  - When O(restart) is set to V(true), the module will only restart the container if no config changes are detected.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: partial
+    details:
+      - When trying to pull an image, the module assumes this is never changed in check mode except when the image is not
+        present on the Docker daemon.
+      - This behavior can be configured with O(pull_check_mode_behavior).
+  diff_mode:
+    support: full
+  idempotent:
+    support: partial
+    details:
+      - If O(recreate=true) or O(restart=true) the module is not idempotent.
+
+options:
+  auto_remove:
+    description:
+      - Enable auto-removal of the container on daemon side when the container's process exits.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  blkio_weight:
+    description:
+      - Block IO (relative weight), between 10 and 1000.
+    type: int
+  capabilities:
+    description:
+      - List of capabilities to add to the container.
+      - This is equivalent to C(docker run --cap-add), or the docker-compose option C(cap_add).
+    type: list
+    elements: str
+  cap_drop:
+    description:
+      - List of capabilities to drop from the container.
+    type: list
+    elements: str
+  cgroupns_mode:
+    description:
+      - Specify the cgroup namespace mode for the container.
+      - The Docker CLI calls this simply C(cgroupns).
+    type: str
+    choices:
+      - host
+      - private
+    version_added: 3.0.0
+  cgroup_parent:
+    description:
+      - Specify the parent cgroup for the container.
+    type: str
+    version_added: 1.1.0
+  cleanup:
+    description:
+      - Use with O(detach=false) to remove the container after successful execution.
+    type: bool
+    default: false
+  command:
+    description:
+      - Command to execute when the container starts. A command may be either a string or a list.
+      - Prior to version 2.4, strings were split on commas.
+      - See O(command_handling) for differences in how strings and lists are handled.
+    type: raw
+  comparisons:
+    description:
+      - Allows to specify how properties of existing containers are compared with module options to decide whether the container
+        should be recreated / updated or not.
+      - Only options which correspond to the state of a container as handled by the Docker daemon can be specified, as well
+        as O(networks).
+      - Must be a dictionary specifying for an option one of the keys V(strict), V(ignore) and V(allow_more_present).
+      - If V(strict) is specified, values are tested for equality, and changes always result in updating or restarting. If
+        V(ignore) is specified, changes are ignored.
+      - V(allow_more_present) is allowed only for lists, sets and dicts. If it is specified for lists or sets, the container
+        will only be updated or restarted if the module option contains a value which is not present in the container's options.
+        If the option is specified for a dict, the container will only be updated or restarted if the module option contains
+        a key which is not present in the container's option, or if the value of a key present differs.
+      - The wildcard option C(*) can be used to set one of the default values V(strict) or V(ignore) to I(all) comparisons
+        which are not explicitly set to other values.
+      - See the examples for details.
+    type: dict
+  container_default_behavior:
+    description:
+      - In older versions of this module, various module options used to have default values. This caused problems with containers
+        which use different values for these options.
+      - The default value is now V(no_defaults). To restore the old behavior, set it to V(compatibility), which will ensure
+        that the default values are used when the values are not explicitly specified by the user.
+      - This affects the O(auto_remove), O(detach), O(init), O(interactive), O(memory), O(paused), O(privileged), O(read_only),
+        and O(tty) options.
+    type: str
+    choices:
+      - compatibility
+      - no_defaults
+    default: no_defaults
+  command_handling:
+    description:
+      - The default behavior for O(command) (when provided as a list) and O(entrypoint) is to convert them to strings without
+        considering shell quoting rules. (For comparing idempotency, the resulting string is split considering shell quoting
+        rules).
+      - Also, setting O(command) to an empty list of string, and setting O(entrypoint) to an empty list will be handled as
+        if these options are not specified. This is different from idempotency handling for other container-config related
+        options.
+      - When this is set to V(compatibility), which was the default until community.docker 3.0.0, the current behavior will
+        be kept.
+      - When this is set to V(correct), these options are kept as lists, and an empty value or empty list will be handled
+        correctly for idempotency checks. This has been the default since community.docker 3.0.0.
+    type: str
+    choices:
+      - compatibility
+      - correct
+    version_added: 1.9.0
+    default: correct
+  cpu_period:
+    description:
+      - Limit CPU CFS (Completely Fair Scheduler) period.
+      - See O(cpus) for an easier to use alternative.
+    type: int
+  cpu_quota:
+    description:
+      - Limit CPU CFS (Completely Fair Scheduler) quota.
+      - See O(cpus) for an easier to use alternative.
+    type: int
+  cpus:
+    description:
+      - Specify how much of the available CPU resources a container can use.
+      - A value of V(1.5) means that at most one and a half CPU (core) will be used.
+    type: float
+  cpuset_cpus:
+    description:
+      - CPUs in which to allow execution.
+      - For example V(1,3) or V(1-3).
+    type: str
+  cpuset_mems:
+    description:
+      - Memory nodes (MEMs) in which to allow execution V(0-3) or V(0,1).
+    type: str
+  cpu_shares:
+    description:
+      - CPU shares (relative weight).
+    type: int
+  default_host_ip:
+    description:
+      - Define the default host IP to use.
+      - Must be an empty string, an IPv4 address, or an IPv6 address.
+      - With Docker 20.10.2 or newer, this should be set to an empty string (V("")) to avoid the port bindings without an
+        explicit IP address to only bind to IPv4. See U(https://github.com/ansible-collections/community.docker/issues/70)
+        for details.
+      - By default, the module will try to auto-detect this value from the C(bridge) network's C(com.docker.network.bridge.host_binding_ipv4)
+        option. If it cannot auto-detect it, it will fall back to V(0.0.0.0).
+    type: str
+    version_added: 1.2.0
+  detach:
+    description:
+      - Enable detached mode to leave the container running in background.
+      - If disabled, the task will reflect the status of the container run (failed if the command failed).
+      - If O(container_default_behavior=compatibility), this option has a default of V(true).
+    type: bool
+  devices:
+    description:
+      - List of host device bindings to add to the container.
+      - Each binding is a mapping expressed in the format C(<path_on_host>:<path_in_container>:<cgroup_permissions>).
+    type: list
+    elements: str
+  device_read_bps:
+    description:
+      - List of device path and read rate (bytes per second) from device.
+    type: list
+    elements: dict
+    suboptions:
+      path:
+        description:
+          - Device path in the container.
+        type: str
+        required: true
+      rate:
+        description:
+          - Device read limit in format C(<number>[<unit>]).
+          - Number is a positive integer. Unit can be one of V(B) (byte), V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte),
+            V(T) (tebibyte), or V(P) (pebibyte).
+          - Omitting the unit defaults to bytes.
+        type: str
+        required: true
+  device_write_bps:
+    description:
+      - List of device and write rate (bytes per second) to device.
+    type: list
+    elements: dict
+    suboptions:
+      path:
+        description:
+          - Device path in the container.
+        type: str
+        required: true
+      rate:
+        description:
+          - Device read limit in format C(<number>[<unit>]).
+          - Number is a positive integer. Unit can be one of V(B) (byte), V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte),
+            V(T) (tebibyte), or V(P) (pebibyte).
+          - Omitting the unit defaults to bytes.
+        type: str
+        required: true
+  device_read_iops:
+    description:
+      - List of device and read rate (IO per second) from device.
+    type: list
+    elements: dict
+    suboptions:
+      path:
+        description:
+          - Device path in the container.
+        type: str
+        required: true
+      rate:
+        description:
+          - Device read limit.
+          - Must be a positive integer.
+        type: int
+        required: true
+  device_write_iops:
+    description:
+      - List of device and write rate (IO per second) to device.
+    type: list
+    elements: dict
+    suboptions:
+      path:
+        description:
+          - Device path in the container.
+        type: str
+        required: true
+      rate:
+        description:
+          - Device read limit.
+          - Must be a positive integer.
+        type: int
+        required: true
+  device_requests:
+    description:
+      - Allows to request additional resources, such as GPUs.
+    type: list
+    elements: dict
+    suboptions:
+      capabilities:
+        description:
+          - List of lists of strings to request capabilities.
+          - The top-level list entries are combined by OR, and for every list entry, the entries in the list it contains are
+            combined by AND.
+          - The driver tries to satisfy one of the sub-lists.
+          - Available capabilities for the C(nvidia) driver can be found at U(https://github.com/NVIDIA/nvidia-container-runtime).
+        type: list
+        elements: list
+      count:
+        description:
+          - Number or devices to request.
+          - Set to V(-1) to request all available devices.
+        type: int
+      device_ids:
+        description:
+          - List of device IDs.
+        type: list
+        elements: str
+      driver:
+        description:
+          - Which driver to use for this device.
+        type: str
+      options:
+        description:
+          - Driver-specific options.
+        type: dict
+    version_added: 0.1.0
+  device_cgroup_rules:
+    description:
+      - List of cgroup rules to apply to the container.
+    type: list
+    elements: str
+    version_added: 3.11.0
+  dns_opts:
+    description:
+      - List of DNS options.
+    type: list
+    elements: str
+  dns_servers:
+    description:
+      - List of custom DNS servers.
+    type: list
+    elements: str
+  dns_search_domains:
+    description:
+      - List of custom DNS search domains.
+    type: list
+    elements: str
+  domainname:
+    description:
+      - Container domainname.
+    type: str
+  env:
+    description:
+      - Dictionary of key,value pairs.
+      - Values which might be parsed as numbers, booleans or other types by the YAML parser must be quoted (for example V("true"))
+        in order to avoid data loss.
+      - Please note that if you are passing values in with Jinja2 templates, like V("{{ value }}"), you need to add V(| string)
+        to prevent Ansible to convert strings such as V("true") back to booleans. The correct way is to use V("{{ value |
+        string }}").
+    type: dict
+  env_file:
+    description:
+      - Path to a file, present on the target, containing environment variables C(FOO=BAR).
+      - If variable also present in O(env), then the O(env) value will override.
+    type: path
+  entrypoint:
+    description:
+      - Command that overwrites the default C(ENTRYPOINT) of the image.
+      - See O(command_handling) for differences in how strings and lists are handled.
+    type: list
+    elements: str
+  etc_hosts:
+    description:
+      - Dict of host-to-IP mappings, where each host name is a key in the dictionary. Each host name will be added to the
+        container's C(/etc/hosts) file.
+      - Instead of an IP address, the special value V(host-gateway) can also be used, which resolves to the host's gateway
+        IP and allows containers to connect to services running on the host.
+    type: dict
+  exposed_ports:
+    description:
+      - List of additional container ports which informs Docker that the container listens on the specified network ports
+        at runtime.
+      - If the port is already exposed using C(EXPOSE) in a Dockerfile, it does not need to be exposed again.
+    type: list
+    elements: str
+    aliases:
+      - exposed
+      - expose
+  force_kill:
+    description:
+      - Use the kill command when stopping a running container.
+    type: bool
+    default: false
+    aliases:
+      - forcekill
+  groups:
+    description:
+      - List of additional group names and/or IDs that the container process will run as.
+    type: list
+    elements: str
+  healthcheck:
+    description:
+      - Configure a check that is run to determine whether or not containers for this service are "healthy".
+      - See the docs for the L(HEALTHCHECK Dockerfile instruction,https://docs.docker.com/engine/reference/builder/#healthcheck)
+        for details on how healthchecks work.
+      - 'O(healthcheck.interval), O(healthcheck.timeout), O(healthcheck.start_period), and O(healthcheck.start_interval) are
+        specified as durations. They accept duration as a string in a format that look like: V(5h34m56s), V(1m30s), and so
+        on. The supported units are V(us), V(ms), V(s), V(m) and V(h).'
+      - See also O(state=healthy).
+    type: dict
+    suboptions:
+      test:
+        description:
+          - Command to run to check health.
+          - Must be either a string or a list. If it is a list, the first item must be one of V(NONE), V(CMD) or V(CMD-SHELL).
+        type: raw
+      test_cli_compatible:
+        description:
+          - If set to V(true), omitting O(healthcheck.test) while providing O(healthcheck) does not disable healthchecks,
+            but simply overwrites the image's values by the ones specified in O(healthcheck). This is the behavior used by
+            the Docker CLI.
+          - If set to V(false), omitting O(healthcheck.test) will disable the container's health check. This is the classical
+            behavior of the module and currently the default behavior.
+        default: false
+        type: bool
+        version_added: 3.10.0
+      interval:
+        description:
+          - Time between running the check.
+          - The default used by the Docker daemon is V(30s).
+        type: str
+      timeout:
+        description:
+          - Maximum time to allow one check to run.
+          - The default used by the Docker daemon is V(30s).
+        type: str
+      retries:
+        description:
+          - Consecutive number of failures needed to report unhealthy.
+          - The default used by the Docker daemon is V(3).
+        type: int
+      start_period:
+        description:
+          - Start period for the container to initialize before starting health-retries countdown.
+          - The default used by the Docker daemon is V(0s).
+        type: str
+      start_interval:
+        description:
+          - Time between health checks during the start period. This option requires Docker Engine version 25.0 or later.
+          - The default used by the Docker daemon is V(5s).
+        type: str
+        version_added: 3.10.0
+  hostname:
+    description:
+      - The container's hostname.
+    type: str
+  image:
+    description:
+      - Repository path and tag used to create the container. If an image is not found or pull is true, the image will be
+        pulled from the registry. If no tag is included, V(latest) will be used.
+      - Can also be an image ID. If this is the case, the image is assumed to be available locally. The O(pull) option is
+        ignored for this case.
+    type: str
+  image_comparison:
+    description:
+      - Determines which image to use for idempotency checks that depend on image parameters.
+      - The default, V(desired-image), will use the image that is provided to the module with the O(image) parameter.
+      - V(current-image) will use the image that the container is currently using, if the container exists. It falls back
+        to the image that is provided in case the container does not yet exist.
+      - This affects the O(env), O(env_file), O(exposed_ports), O(labels), and O(volumes) options.
+    type: str
+    choices:
+      - desired-image
+      - current-image
+    default: desired-image
+    version_added: 3.0.0
+  image_label_mismatch:
+    description:
+      - How to handle labels inherited from the image that are not set explicitly.
+      - When V(ignore), labels that are present in the image but not specified in O(labels) will be ignored. This is useful
+        to avoid having to specify the image labels in O(labels) while keeping labels O(comparisons) V(strict).
+      - When V(fail), if there are labels present in the image which are not set from O(labels), the module will fail. This
+        prevents introducing unexpected labels from the base image.
+      - 'B(Warning:) This option is ignored unless C(labels: strict) or C(*: strict) is specified in the O(comparisons) option.'
+    type: str
+    choices:
+      - 'ignore'
+      - 'fail'
+    default: ignore
+    version_added: 2.6.0
+  image_name_mismatch:
+    description:
+      - Determines what the module does if the image matches, but the image name in the container's configuration does not
+        match the image name provided to the module.
+      - 'This is ignored if C(image: ignore) is set in O(comparisons).'
+      - If set to V(recreate) (default) the container will be recreated.
+      - If set to V(ignore) the container will not be recreated because of this. It might still get recreated for other reasons.
+        This has been the default behavior of the module for a long time, but might not be what users expect.
+      - The default changed from V(ignore) to V(recreate) in community.docker 4.0.0.
+    type: str
+    choices:
+      - recreate
+      - ignore
+    default: recreate
+    version_added: 3.2.0
+  init:
+    description:
+      - Run an init inside the container that forwards signals and reaps processes.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  interactive:
+    description:
+      - Keep stdin open after a container is launched, even if not attached.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  ipc_mode:
+    description:
+      - Set the IPC mode for the container.
+      - Can be one of V(container:<name|id>) to reuse another container's IPC namespace or V(host) to use the host's IPC namespace
+        within the container.
+    type: str
+  keep_volumes:
+    description:
+      - Retain anonymous volumes associated with a removed container.
+    type: bool
+    default: true
+  kill_signal:
+    description:
+      - Override default signal used to kill a running container.
+    type: str
+  kernel_memory:
+    description:
+      - Kernel memory limit in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+        1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte). Minimum is V(4M).
+      - Omitting the unit defaults to bytes.
+    type: str
+  labels:
+    description:
+      - Dictionary of key value pairs.
+    type: dict
+  links:
+    description:
+      - List of name aliases for linked containers in the format C(container_name:alias).
+      - Setting this will force container to be restarted.
+    type: list
+    elements: str
+  log_driver:
+    description:
+      - Specify the logging driver. Docker uses V(json-file) by default.
+      - See L(the Docker logging configuration documentation,https://docs.docker.com/config/containers/logging/configure/)
+        for possible choices.
+    type: str
+  log_options:
+    description:
+      - Dictionary of options specific to the chosen O(log_driver).
+      - See U(https://docs.docker.com/engine/admin/logging/overview/) for details.
+      - O(log_driver) needs to be specified for O(log_options) to take effect, even if using the default V(json-file) driver.
+    type: dict
+    aliases:
+      - log_opt
+  mac_address:
+    description:
+      - Container MAC address (for example, V(92:d0:c6:0a:29:33)).
+      - Note that the global container-wide MAC address is deprecated and no longer used since Docker API version 1.44.
+      - Use O(networks[].mac_address) instead.
+    type: str
+  memory:
+    description:
+      - Memory limit in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+        1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes.
+      - If O(container_default_behavior=compatibility), this option has a default of V("0").
+    type: str
+  memory_reservation:
+    description:
+      - Memory soft limit in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+        1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes.
+    type: str
+  memory_swap:
+    description:
+      - Total memory limit (memory + swap) in format C(<number>[<unit>]), or the special values V(unlimited) or V(-1) for
+        unlimited swap usage. Number is a positive integer. Unit can be V(B) (byte), V(K) (kibibyte, 1024B), V(M) (mebibyte),
+        V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes.
+    type: str
+  memory_swappiness:
+    description:
+      - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+      - If not set, the value will be remain the same if container exists and will be inherited from the host machine if it
+        is (re-)created.
+    type: int
+  mounts:
+    type: list
+    elements: dict
+    description:
+      - Specification for mounts to be added to the container. More powerful alternative to O(volumes).
+    suboptions:
+      target:
+        description:
+          - Path inside the container.
+        type: str
+        required: true
+      source:
+        description:
+          - Mount source.
+          - For example, this can be a volume name or a host path.
+          - If not supplied when O(mounts[].type=volume) an anonymous volume will be created.
+        type: str
+      type:
+        description:
+          - The mount type.
+          - Note that V(npipe) is only supported by Docker for Windows.
+          - V(cluster) requires Docker API 1.42+ and has been added in community.docker 4.8.0.
+          - V(image) requires Docker API 1.47+ and has been added in community.docker 4.8.0.
+        type: str
+        choices:
+          - bind
+          - npipe
+          - tmpfs
+          - volume
+          - cluster
+          - image
+        default: volume
+      read_only:
+        description:
+          - Whether the mount should be read-only.
+        type: bool
+      consistency:
+        description:
+          - The consistency requirement for the mount.
+        type: str
+        choices:
+          - cached
+          - consistent
+          - default
+          - delegated
+      create_mountpoint:
+        description:
+          - Create mount point on host if missing.
+          - Requires Docker API 1.42+.
+          - Only valid for O(mounts[].type=bind).
+        type: bool
+        version_added: 4.8.0
+      propagation:
+        description:
+          - Propagation mode. Only valid for the V(bind) type.
+        type: str
+        choices:
+          - private
+          - rprivate
+          - shared
+          - rshared
+          - slave
+          - rslave
+      no_copy:
+        description:
+          - False if the volume should be populated with the data from the target. Only valid for the V(volume) type.
+          - The default value is V(false).
+        type: bool
+      non_recursive:
+        description:
+          - Disable recursive bind mount.
+          - Requires Docker API 1.40+.
+          - Only valid for O(mounts[].type=bind).
+        type: bool
+        version_added: 4.8.0
+      read_only_non_recursive:
+        description:
+          - Make the mount non-recursively read-only, but still leave the mount recursive (unless NonRecursive is set to true in conjunction).
+          - Requires Docker API 1.44+.
+          - Only valid for O(mounts[].type=bind).
+        type: bool
+        version_added: 4.8.0
+      read_only_force_recursive:
+        description:
+          - Raise an error if the mount cannot be made recursively read-only.
+          - Requires Docker API 1.44+.
+          - Only valid for O(mounts[].type=bind).
+        type: bool
+        version_added: 4.8.0
+      labels:
+        description:
+          - User-defined name and labels for the volume. Only valid for the V(volume) type.
+        type: dict
+      volume_driver:
+        description:
+          - Specify the volume driver. Only valid for the V(volume) type.
+          - See L(here,https://docs.docker.com/storage/volumes/#use-a-volume-driver) for details.
+        type: str
+      volume_options:
+        description:
+          - Dictionary of options specific to the chosen volume_driver. See L(here,https://docs.docker.com/storage/volumes/#use-a-volume-driver)
+            for details.
+        type: dict
+      subpath:
+        type: str
+        description:
+          - Source path inside the volume/image. Must be relative without any back traversals.
+          - Requires Docker API 1.45+.
+          - Only valid for O(mounts[].type=volume) or O(mounts[].type=image).
+        version_added: 4.8.0
+      tmpfs_size:
+        description:
+          - The size for the tmpfs mount in bytes in format <number>[<unit>].
+          - Number is a positive integer. Unit can be one of V(B) (byte), V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte),
+            V(T) (tebibyte), or V(P) (pebibyte).
+          - Omitting the unit defaults to bytes.
+        type: str
+      tmpfs_mode:
+        description:
+          - The permission mode for the tmpfs mount.
+        type: str
+      tmpfs_options:
+        type: list
+        elements: dict
+        description:
+          - Options to be passed to the tmpfs mount.
+          - Every list element must be a dictionary with one key and a value.
+            All keys must be strings, and values can be either a string or V(null)/V(none) for a flag.
+          - Requires Docker API 1.46+.
+          - Only valid for O(mounts[].type=tmpfs).
+        version_added: 4.8.0
+  name:
+    description:
+      - Assign a name to a new container or match an existing container.
+      - When identifying an existing container name may be a name or a long or short container ID.
+    type: str
+    required: true
+  network_mode:
+    description:
+      - Connect the container to a network. Choices are V(bridge), V(host), V(none), C(container:<name|id>), C(<network_name>)
+        or V(default).
+      - Since community.docker 2.0.0, if O(networks_cli_compatible=true) and O(networks) contains at least one network, the
+        default value for O(network_mode) is the name of the first network in the O(networks) list. You can prevent this by
+        explicitly specifying a value for O(network_mode), like the default value V(default) which will be used by Docker
+        if O(network_mode) is not specified.
+    type: str
+  userns_mode:
+    description:
+      - Set the user namespace mode for the container. Currently, the only valid value are V(host) and the empty string (V("")).
+    type: str
+  networks:
+    description:
+      - List of networks the container belongs to.
+      - For examples of the data structure and usage see EXAMPLES below.
+      - 'To remove a container from one or more networks, use C(networks: strict) in the O(comparisons) option.'
+      - 'If O(networks_cli_compatible=false), this will not remove the default network if O(networks) is specified. This is
+        different from the behavior of C(docker run ...). You need to explicitly use C(networks: strict) in O(comparisons)
+        to enforce the removal of the default network (and all other networks not explicitly mentioned in O(networks)) in
+        that case.'
+    type: list
+    elements: dict
+    suboptions:
+      name:
+        description:
+          - The network's name.
+        type: str
+        required: true
+      ipv4_address:
+        description:
+          - The container's IPv4 address in this network.
+        type: str
+      ipv6_address:
+        description:
+          - The container's IPv6 address in this network.
+        type: str
+      links:
+        description:
+          - A list of containers to link to.
+        type: list
+        elements: str
+      aliases:
+        description:
+          - List of aliases for this container in this network. These names can be used in the network to reach this container.
+        type: list
+        elements: str
+      mac_address:
+        description:
+          - Endpoint MAC address (for example, V(92:d0:c6:0a:29:33)).
+          - This is only available for Docker API version 1.44 and later.
+          - Please note that when a container is attached to a network after creation, this is currently ignored by the Docker
+            Daemon at least in some cases. When passed on creation, this seems to work better.
+        type: str
+        version_added: 3.6.0
+      driver_opts:
+        description:
+          - Dictionary of driver options for this network endpoint.
+          - Allows setting endpoint-specific driver options like C(com.docker.network.endpoint.ifname) to set a custom network interface name.
+          - Requires Docker API version 1.32 or newer.
+        type: dict
+        version_added: 5.0.0
+      gw_priority:
+        description:
+          - Gateway priority for this network endpoint.
+          - When a container is connected to multiple networks, this controls which network's gateway is used as the default gateway.
+          - Higher values indicate higher priority.
+          - Requires Docker API version 1.48 or newer.
+        type: int
+        version_added: 5.0.0
+  networks_cli_compatible:
+    description:
+      - If O(networks_cli_compatible=true) (default), this module will behave as C(docker run --network) and will B(not) add
+        the default network if O(networks) is specified. If O(networks) is not specified, the default network will be attached.
+      - 'When O(networks_cli_compatible=false) and networks are provided to the module with the O(networks) option, the module
+        behaves differently than C(docker run --network): C(docker run --network other) will create a container with network
+        C(other) attached, but the default network not attached. This module with O(networks) set to C({name: other}) will
+        create a container with both C(default) and C(other) attached. If C(networks: strict) or C(*: strict) is set in O(comparisons),
+        the C(default) network will be removed afterwards.'
+    type: bool
+    default: true
+  oom_killer:
+    description:
+      - Whether or not to disable OOM Killer for the container.
+    type: bool
+  oom_score_adj:
+    description:
+      - An integer value containing the score given to the container in order to tune OOM killer preferences.
+    type: int
+  output_logs:
+    description:
+      - If set to true, output of the container command will be printed.
+      - Only effective when O(log_driver) is set to V(json-file), V(journald), or V(local).
+    type: bool
+    default: false
+  paused:
+    description:
+      - Use with the started state to pause running processes inside the container.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  pid_mode:
+    description:
+      - Set the PID namespace mode for the container.
+    type: str
+  pids_limit:
+    description:
+      - Set PIDs limit for the container. It accepts an integer value.
+      - Set V(-1) for unlimited PIDs.
+    type: int
+  platform:
+    description:
+      - Platform for the container in the format C(os[/arch[/variant]]).
+      - "Note that since community.docker 3.5.0, the module uses both the image's metadata and the Docker daemon's information
+        to normalize platform strings similarly to how Docker itself is doing this. If you notice idempotency problems, please
+        verify whether this is still a problem with the latest release of community.docker, and if it is,
+        L(create an issue in the community.docker GitHub repository,
+        https://github.com/ansible-collections/community.docker/issues/new?assignees=&labels=&projects=&template=bug_report.md).
+        For older community.docker versions, you can use the O(comparisons) option with C(platform: ignore) to prevent accidental
+        recreation of the container due to this."
+    type: str
+    version_added: 3.0.0
+  privileged:
+    description:
+      - Give extended privileges to the container.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  publish_all_ports:
+    description:
+      - Publish all ports to the host.
+      - Any specified port bindings from O(published_ports) will remain intact when V(true).
+    type: bool
+    version_added: 1.8.0
+  published_ports:
+    description:
+      - List of ports to publish from the container to the host.
+      - 'Use docker CLI syntax: V(8000), V(9000:8000), or V(0.0.0.0:9000:8000), where 8000 is a container port, 9000 is a
+        host port, and 0.0.0.0 is a host interface.'
+      - Port ranges can be used for source and destination ports. If two ranges with different lengths are specified, the
+        shorter range will be used. Since community.general 0.2.0, if the source port range has length 1, the port will not
+        be assigned to the first port of the destination range, but to a free port in that range. This is the same behavior
+        as for C(docker) command line utility.
+      - Bind addresses must be either IPv4 or IPv6 addresses. Hostnames are B(not) allowed. This is different from the C(docker)
+        command line utility. Use the P(community.general.dig#lookup) lookup to resolve hostnames.
+      - If O(networks) parameter is provided, will inspect each network to see if there exists a bridge network with optional
+        parameter C(com.docker.network.bridge.host_binding_ipv4). If such a network is found, then published ports where no
+        host IP address is specified will be bound to the host IP pointed to by C(com.docker.network.bridge.host_binding_ipv4).
+        Note that the first bridge network with a C(com.docker.network.bridge.host_binding_ipv4) value encountered in the
+        list of O(networks) is the one that will be used.
+      - The value V(all) was allowed in earlier versions of this module. Support for it was removed in community.docker 3.0.0.
+        Use the O(publish_all_ports) option instead.
+    type: list
+    elements: str
+    aliases:
+      - ports
+  pull:
+    description:
+      - If set to V(never), will never try to pull an image. Will fail if the image is not available on the Docker daemon.
+      - If set to V(missing) or V(false), only pull the image if it is not available on the Docker daemon. This is the default
+        behavior.
+      - If set to V(always) or V(true), always try to pull the latest version of the image.
+      - B(Note:) images are only pulled when specified by name. If the image is specified as a image ID (hash), it cannot
+        be pulled, and this option is ignored.
+      - B(Note:) the values V(never), V(missing), and V(always) are only available since community.docker 3.8.0. Earlier versions
+        only support V(true) and V(false).
+    type: raw
+    choices:
+      - never
+      - missing
+      - always
+      - true
+      - false
+    default: missing
+  pull_check_mode_behavior:
+    description:
+      - Allows to adjust the behavior when O(pull=always) or O(pull=true) in check mode.
+      - Since the Docker daemon does not expose any functionality to test whether a pull will result in a changed image, the
+        module by default acts like O(pull=always) only results in a change when the image is not present.
+      - If set to V(image_not_present) (default), only report changes in check mode when the image is not present.
+      - If set to V(always), always report changes in check mode.
+    type: str
+    default: image_not_present
+    choices:
+      - image_not_present
+      - always
+    version_added: 3.8.0
+  read_only:
+    description:
+      - Mount the container's root file system as read-only.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  recreate:
+    description:
+      - Use with present and started states to force the re-creation of an existing container.
+    type: bool
+    default: false
+  removal_wait_timeout:
+    description:
+      - When removing an existing container, the docker daemon API call exists after the container is scheduled for removal.
+        Removal usually is very fast, but it can happen that during high I/O load, removal can take longer. By default, the
+        module will wait until the container has been removed before trying to (re-)create it, however long this takes.
+      - By setting this option, the module will wait at most this many seconds for the container to be removed. If the container
+        is still in the removal phase after this many seconds, the module will fail.
+    type: float
+  restart:
+    description:
+      - Use with started state to force a matching container to be stopped and restarted.
+    type: bool
+    default: false
+  restart_policy:
+    description:
+      - Container restart policy.
+      - Place quotes around V(no) option.
+    type: str
+    choices:
+      - 'no'
+      - 'on-failure'
+      - 'always'
+      - 'unless-stopped'
+  restart_retries:
+    description:
+      - Use with restart policy to control maximum number of restart attempts.
+    type: int
+  runtime:
+    description:
+      - Runtime to use for the container.
+    type: str
+  shm_size:
+    description:
+      - Size of C(/dev/shm) in format C(<number>[<unit>]). Number is positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+        1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes. If you omit the size entirely, Docker daemon uses V(64M).
+    type: str
+  security_opts:
+    description:
+      - List of security options in the form of C("label:user:User").
+    type: list
+    elements: str
+  state:
+    description:
+      - V(absent) - A container matching the specified name will be stopped and removed. Use O(force_kill) to kill the container
+        rather than stopping it. Use O(keep_volumes) to retain anonymous volumes associated with the removed container.
+      - V(present) - Asserts the existence of a container matching the name and any provided configuration parameters. If
+        no container matches the name, a container will be created. If a container matches the name but the provided configuration
+        does not match, the container will be updated, if it can be. If it cannot be updated, it will be removed and re-created
+        with the requested config.
+      - V(started) - Asserts that the container is first V(present), and then if the container is not running moves it to
+        a running state. Use O(restart) to force a matching container to be stopped and restarted.
+      - V(healthy) - Asserts that the container is V(present) and V(started), and is actually healthy as well. This means
+        that the conditions defined in O(healthcheck) respectively in the image's C(HEALTHCHECK) (L(Docker reference for HEALTHCHECK,
+        https://docs.docker.com/reference/dockerfile/#healthcheck)) are satisfied. The time waited can be controlled with
+        O(healthy_wait_timeout). This state has been added in community.docker 3.11.0.
+      - V(stopped) - Asserts that the container is first V(present), and then if the container is running moves it to a stopped
+        state.
+      - 'To control what will be taken into account when comparing configuration, see the O(comparisons) option. To avoid
+        that the image version will be taken into account, you can also use the V(image: ignore) in the O(comparisons) option.'
+      - Use the O(recreate) option to always force re-creation of a matching container, even if it is running.
+      - If the container should be killed instead of stopped in case it needs to be stopped for recreation, or because O(state)
+        is V(stopped), please use the O(force_kill) option. Use O(keep_volumes) to retain anonymous volumes associated with
+        a removed container.
+      - Use O(keep_volumes) to retain anonymous volumes associated with a removed container.
+    type: str
+    default: started
+    choices:
+      - absent
+      - present
+      - healthy
+      - stopped
+      - started
+  stop_signal:
+    description:
+      - Override default signal used to stop the container.
+    type: str
+  healthy_wait_timeout:
+    description:
+      - When waiting for the container to become healthy if O(state=healthy), this option controls how long the module waits
+        until the container state becomes healthy.
+      - The timeout is specified in seconds. The default, V(300), is 5 minutes.
+      - Set this to 0 or a negative value to wait indefinitely. Note that depending on the container this can result in the
+        module not terminating.
+    default: 300
+    type: float
+    version_added: 3.11.0
+  stop_timeout:
+    description:
+      - Number of seconds to wait for the container to stop before sending C(SIGKILL). When the container is created by this
+        module, its C(StopTimeout) configuration will be set to this value.
+      - When the container is stopped, will be used as a timeout for stopping the container. In case the container has a custom
+        C(StopTimeout) configuration, the behavior depends on the version of the docker daemon. New versions of the docker
+        daemon will always use the container's configured C(StopTimeout) value if it has been configured.
+    type: int
+  storage_opts:
+    description:
+      - Storage driver options for this container as a key-value mapping.
+    type: dict
+    version_added: 1.3.0
+  tmpfs:
+    description:
+      - Mount a tmpfs directory.
+    type: list
+    elements: str
+  tty:
+    description:
+      - Allocate a pseudo-TTY.
+      - If O(container_default_behavior=compatibility), this option has a default of V(false).
+    type: bool
+  ulimits:
+    description:
+      - List of ulimit options. A ulimit is specified as V(nofile:262144:262144).
+    type: list
+    elements: str
+  sysctls:
+    description:
+      - Dictionary of key,value pairs.
+    type: dict
+  user:
+    description:
+      - Sets the username or UID used and optionally the groupname or GID for the specified command.
+      - Can be of the forms C(user), C(user:group), C(uid), C(uid:gid), C(user:gid) or C(uid:group).
+    type: str
+  uts:
+    description:
+      - Set the UTS namespace mode for the container.
+    type: str
+  volumes:
+    description:
+      - List of volumes to mount within the container.
+      - 'Use docker CLI-style syntax: C(/host:/container[:mode]).'
+      - Mount modes can be a comma-separated list of various modes such as V(ro), V(rw), V(consistent), V(delegated), V(cached),
+        V(rprivate), V(private), V(rshared), V(shared), V(rslave), V(slave), and V(nocopy). Note that the docker daemon might
+        not support all modes and combinations of such modes.
+      - SELinux hosts can additionally use V(z) or V(Z) to use a shared or private label for the volume.
+      - Note that Ansible 2.7 and earlier only supported one mode, which had to be one of V(ro), V(rw), V(z), and V(Z).
+    type: list
+    elements: str
+  volume_driver:
+    description:
+      - The container volume driver.
+    type: str
+  volumes_from:
+    description:
+      - List of container names or IDs to get volumes from.
+    type: list
+    elements: str
+  working_dir:
+    description:
+      - Path to the working directory.
+    type: str
+
+author:
+  - "Cove Schneider (@cove)"
+  - "Joshua Conner (@joshuaconner)"
+  - "Pavel Antonov (@softzilla)"
+  - "Thomas Steinbach (@ThomasSteinbach)"
+  - "Philippe Jandot (@zfil)"
+  - "Daan Oosterveld (@dusdanig)"
+  - "Chris Houseknecht (@chouseknecht)"
+  - "Kassian Sun (@kassiansun)"
+  - "Felix Fontein (@felixfontein)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Create a data container
+  community.docker.docker_container:
+    name: mydata
+    image: busybox
+    volumes:
+      - /data
+
+- name: Re-create a redis container
+  community.docker.docker_container:
+    name: myredis
+    image: redis
+    command: redis-server --appendonly yes
+    state: present
+    recreate: true
+    exposed_ports:
+      - 6379
+    volumes_from:
+      - mydata
+
+- name: Restart a container
+  community.docker.docker_container:
+    name: myapplication
+    image: someuser/appimage
+    state: started
+    restart: true
+    links:
+      - "myredis:aliasedredis"
+    devices:
+      - "/dev/sda:/dev/xvda:rwm"
+    ports:
+     # Publish container port 9000 as host port 8080
+      - "8080:9000"
+     # Publish container UDP port 9001 as host port 8081 on interface 127.0.0.1
+      - "127.0.0.1:8081:9001/udp"
+     # Publish container port 9002 as a random host port
+      - "9002"
+     # Publish container port 9003 as a free host port in range 8000-8100
+     # (the host port will be selected by the Docker daemon)
+      - "8000-8100:9003"
+     # Publish container ports 9010-9020 to host ports 7000-7010
+      - "7000-7010:9010-9020"
+    env:
+      SECRET_KEY: "ssssh"
+      # Values which might be parsed as numbers, booleans or other types by the YAML parser need to be quoted
+      BOOLEAN_KEY: "yes"
+
+- name: Container present
+  community.docker.docker_container:
+    name: mycontainer
+    state: present
+    image: ubuntu:14.04
+    command: sleep infinity
+
+- name: Stop a container
+  community.docker.docker_container:
+    name: mycontainer
+    state: stopped
+
+- name: Start 4 load-balanced containers
+  community.docker.docker_container:
+    name: "container{{ item }}"
+    recreate: true
+    image: someuser/anotherappimage
+    command: sleep 1d
+  with_sequence: count=4
+
+- name: Remove container
+  community.docker.docker_container:
+    name: ohno
+    state: absent
+
+- name: Syslogging output
+  community.docker.docker_container:
+    name: myservice
+    image: busybox
+    log_driver: syslog
+    log_options:
+      syslog-address: tcp://my-syslog-server:514
+      syslog-facility: daemon
+      # NOTE: in Docker 1.13+ the "syslog-tag" option was renamed to "tag" for
+      # older docker installs, use "syslog-tag" instead
+      tag: myservice
+
+- name: Create db container and connect to network
+  community.docker.docker_container:
+    name: db_test
+    image: "postgres:latest"
+    networks:
+      - name: "{{ docker_network_name }}"
+
+- name: Start container, connect to network and link
+  community.docker.docker_container:
+    name: sleeper
+    image: ubuntu:14.04
+    networks:
+      - name: TestingNet
+        ipv4_address: "172.16.1.100"
+        aliases:
+          - sleepyzz
+        links:
+          - db_test:db
+      - name: TestingNet2
+
+- name: Start a container with a command
+  community.docker.docker_container:
+    name: sleepy
+    image: ubuntu:14.04
+    command: ["sleep", "infinity"]
+
+- name: Add container to networks
+  community.docker.docker_container:
+    name: sleepy
+    networks:
+      - name: TestingNet
+        ipv4_address: 172.16.1.18
+        links:
+          - sleeper
+      - name: TestingNet2
+        ipv4_address: 172.16.10.20
+
+- name: Update network with aliases
+  community.docker.docker_container:
+    name: sleepy
+    networks:
+      - name: TestingNet
+        aliases:
+          - sleepyz
+          - zzzz
+
+- name: Remove container from one network
+  community.docker.docker_container:
+    name: sleepy
+    networks:
+      - name: TestingNet2
+    comparisons:
+      networks: strict
+
+- name: Remove container from all networks
+  community.docker.docker_container:
+    name: sleepy
+    comparisons:
+      networks: strict
+
+- name: Start a container and use an env file
+  community.docker.docker_container:
+    name: agent
+    image: jenkinsci/ssh-slave
+    env_file: /var/tmp/jenkins/agent.env
+
+- name: Create a container with limited capabilities
+  community.docker.docker_container:
+    name: sleepy
+    image: ubuntu:16.04
+    command: sleep infinity
+    capabilities:
+      - sys_time
+    cap_drop:
+      - all
+
+- name: Finer container restart/update control
+  community.docker.docker_container:
+    name: test
+    image: ubuntu:18.04
+    env:
+      arg1: "true"
+      arg2: "whatever"
+    volumes:
+      - /tmp:/tmp
+    comparisons:
+      image: ignore # do not restart containers with older versions of the image
+      env: strict # we want precisely this environment
+      volumes: allow_more_present # if there are more volumes, that's ok, as long as `/tmp:/tmp` is there
+
+- name: Finer container restart/update control II
+  community.docker.docker_container:
+    name: test
+    image: ubuntu:18.04
+    env:
+      arg1: "true"
+      arg2: "whatever"
+    comparisons:
+      '*': ignore # by default, ignore *all* options (including image)
+      env: strict # except for environment variables; there, we want to be strict
+
+- name: Start container with healthstatus
+  community.docker.docker_container:
+    name: nginx-proxy
+    image: nginx:1.13
+    state: started
+    healthcheck:
+      # Check if nginx server is healthy by curl'ing the server.
+      # If this fails or timeouts, the healthcheck fails.
+      test: ["CMD", "curl", "--fail", "http://nginx.host.com"]
+      interval: 1m30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+      start_interval: 10s
+
+- name: Remove healthcheck from container
+  community.docker.docker_container:
+    name: nginx-proxy
+    image: nginx:1.13
+    state: started
+    healthcheck:
+      # The "NONE" check needs to be specified
+      test: ["NONE"]
+
+- name: Create a tmpfs with a size and mode
+  community.docker.docker_container:
+    name: tmpfs test
+    image: ubuntu:22.04
+    state: started
+    mounts:
+      - type: tmpfs
+        target: /cache
+        tmpfs_mode: "1700" # only readable to the owner
+        tmpfs_size: "16G"
+
+- name: Start container with block device read limit
+  community.docker.docker_container:
+    name: test
+    image: ubuntu:18.04
+    state: started
+    device_read_bps:
+      # Limit read rate for /dev/sda to 20 mebibytes per second
+      - path: /dev/sda
+        rate: 20M
+    device_read_iops:
+      # Limit read rate for /dev/sdb to 300 IO per second
+      - path: /dev/sdb
+        rate: 300
+
+- name: Start container with GPUs
+  community.docker.docker_container:
+    name: test
+    image: ubuntu:18.04
+    state: started
+    device_requests:
+      # Add some specific devices to this container
+      - device_ids:
+          - '0'
+          - 'GPU-3a23c669-1f69-c64e-cf85-44e9b07e7a2a'
+      # Add nVidia GPUs to this container
+      - driver: nvidia
+        count: -1 # this means we want all
+        capabilities:
+        # We have one OR condition: 'gpu' AND 'utility'
+          - - gpu
+            - utility
+        # See https://github.com/NVIDIA/nvidia-container-runtime#supported-driver-capabilities
+        # for a list of capabilities supported by the nvidia driver
+
+- name: Start container with storage options
+  community.docker.docker_container:
+    name: test
+    image: ubuntu:18.04
+    state: started
+    storage_opts:
+      # Limit root filesystem to 12 MB - note that this requires special storage backends
+      # (https://fabianlee.org/2020/01/15/docker-use-overlay2-with-an-xfs-backing-filesystem-to-limit-rootfs-size/)
+      size: 12m
+"""
+
+RETURN = r"""
+container:
+  description:
+    - Facts representing the current state of the container. Matches the docker inspection output.
+    - Empty if O(state=absent).
+    - If O(detach=false), will include C(Output) attribute containing any output from container run.
+  returned: success; or when O(state=started) and O(detach=false), and when waiting for the container result did not fail
+  type: dict
+  sample: '{ "AppArmorProfile": "", "Args": [], "Config": { "AttachStderr": false, "AttachStdin": false, "AttachStdout": false,
+    "Cmd": [ "/usr/bin/supervisord" ], "Domainname": "", "Entrypoint": null, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ], "ExposedPorts": { "443/tcp": {}, "80/tcp": {} }, "Hostname": "8e47bf643eb9", "Image": "lnmp_nginx:v1", "Labels": {},
+    "OnBuild": null, "OpenStdin": false, "StdinOnce": false, "Tty": false, "User": "", "Volumes": { "/tmp/lnmp/nginx-sites/logs/":
+    {} }, ... }'
+status:
+  description:
+    - In case a container is started without detaching, this contains the exit code of the process in the container.
+    - Before community.docker 1.1.0, this was only returned when non-zero.
+  returned: when O(state=started) and O(detach=false), and when waiting for the container result did not fail
+  type: int
+  sample: 0
+"""
+
+from ansible_collections.community.docker.plugins.module_utils._module_container.docker_api import (
+    DockerAPIEngineDriver,
+)
+from ansible_collections.community.docker.plugins.module_utils._module_container.module import (
+    run_module,
+)
+
+
+def main() -> None:
+    engine_driver = DockerAPIEngineDriver()
+    run_module(engine_driver)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_container_copy_into.py b/ansible_collections/community/docker/plugins/modules/docker_container_copy_into.py
new file mode 100644
index 00000000..5114f753
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_container_copy_into.py
@@ -0,0 +1,1191 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_container_copy_into
+
+short_description: Copy a file into a Docker container
+
+version_added: 3.4.0
+
+description:
+  - Copy a file into a Docker container.
+  - Similar to C(docker cp).
+  - To copy files in a non-running container, you must provide the O(owner_id) and O(group_id) options. This is also necessary
+    if the container does not contain a C(/bin/sh) shell with an C(id) tool.
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+    details:
+      - Additional data will need to be transferred to compute diffs.
+      - The module uses R(the MAX_FILE_SIZE_FOR_DIFF ansible-core configuration,MAX_FILE_SIZE_FOR_DIFF) to determine for how
+        large files diffs should be computed.
+  idempotent:
+    support: partial
+    details:
+      - If O(force=true) the module is not idempotent.
+
+options:
+  container:
+    description:
+      - The name of the container to copy files to.
+    type: str
+    required: true
+  path:
+    description:
+      - Path to a file on the managed node.
+      - Mutually exclusive with O(content). One of O(content) and O(path) is required.
+    type: path
+  content:
+    description:
+      - The file's content.
+      - If you plan to provide binary data, provide it pre-encoded to base64, and set O(content_is_b64=true).
+      - Mutually exclusive with O(path). One of O(content) and O(path) is required.
+    type: str
+  content_is_b64:
+    description:
+      - If set to V(true), the content in O(content) is assumed to be Base64 encoded and will be decoded before being used.
+      - To use binary O(content), it is better to keep it Base64 encoded and let it be decoded by this option. Otherwise you
+        risk the data to be interpreted as UTF-8 and corrupted.
+    type: bool
+    default: false
+  container_path:
+    description:
+      - Path to a file inside the Docker container.
+      - Must be an absolute path.
+    type: str
+    required: true
+  follow:
+    description:
+      - This flag indicates that filesystem links in the Docker container, if they exist, should be followed.
+    type: bool
+    default: false
+  local_follow:
+    description:
+      - This flag indicates that filesystem links in the source tree (where the module is executed), if they exist, should
+        be followed.
+    type: bool
+    default: true
+  owner_id:
+    description:
+      - The owner ID to use when writing the file to disk.
+      - If provided, O(group_id) must also be provided.
+      - If not provided, the module will try to determine the user and group ID for the current user in the container. This
+        will only work if C(/bin/sh) is present in the container and the C(id) binary or shell builtin is available. Also
+        the container must be running.
+    type: int
+  group_id:
+    description:
+      - The group ID to use when writing the file to disk.
+      - If provided, O(owner_id) must also be provided.
+      - If not provided, the module will try to determine the user and group ID for the current user in the container. This
+        will only work if C(/bin/sh) is present in the container and the C(id) binary or shell builtin is available. Also
+        the container must be running.
+    type: int
+  mode:
+    description:
+      - The file mode to use when writing the file to disk.
+      - Will use the file's mode from the source system if this option is not provided.
+      - This option is parsed depending on how O(mode_parse) is set.
+    type: raw
+  mode_parse:
+    description:
+      - Determines how to parse the O(mode) parameter.
+    type: str
+    choices:
+      legacy:
+        - Parses the value of O(mode) as an integer.
+        - Note that if you provide an octal number as a string to O(mode), it will be parsed as a B(decimal) number.
+          If you provide an octal integer directly, though, it will work as expected.
+        - This has been the default behavior of the module since it was added to community.docker.
+      modern:
+        - Parses the value of O(mode) as an octal string, or takes the integer value if an integer has been provided.
+        - This is how M(ansible.builtin.copy) treats its O(ansible.builtin.copy#module:mode) option.
+      octal_string_only:
+        - Rejects everything that is not a string that can be parsed as an octal number.
+        - Use this value to ensure that no accidental conversion to integers happen.
+    default: legacy
+    version_added: 4.6.0
+  force:
+    description:
+      - If set to V(true), force writing the file (without performing any idempotency checks).
+      - If set to V(false), only write the file if it does not exist on the target. If a filesystem object exists at the destination,
+        the module will not do any change.
+      - If this option is not specified, the module will be idempotent. To verify idempotency, it will try to get information
+        on the filesystem object in the container, and if everything seems to match will download the file from the container
+        to compare it to the file to upload.
+    type: bool
+
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+author:
+  - "Felix Fontein (@felixfontein)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Copy a file into the container
+  community.docker.docker_container_copy_into:
+    container: mydata
+    path: /home/user/data.txt
+    container_path: /data/input.txt
+
+- name: Copy a file into the container with owner, group, and mode set
+  community.docker.docker_container_copy_into:
+    container: mydata
+    path: /home/user/bin/runme.o
+    container_path: /bin/runme
+    owner_id: 0 # root
+    group_id: 0 # root
+    mode: "0755" # readable and executable by all users, writable by root
+    mode_parse: modern # ensure that strings passed for 'mode' are passed as octal numbers
+"""
+
+RETURN = r"""
+container_path:
+  description:
+    - The actual path in the container.
+    - Can only be different from O(container_path) when O(follow=true).
+  type: str
+  returned: success
+"""
+
+import base64
+import io
+import os
+import stat
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible.module_utils.common.validation import check_type_int
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._copy import (
+    DockerFileCopyError,
+    DockerFileNotFound,
+    DockerUnexpectedError,
+    determine_user_group,
+    fetch_file_ex,
+    put_file,
+    put_file_content,
+    stat_file,
+)
+from ansible_collections.community.docker.plugins.module_utils._scramble import (
+    generate_insecure_key,
+    scramble,
+)
+
+if t.TYPE_CHECKING:
+    import tarfile
+
+
+def are_fileobjs_equal(f1: t.IO[bytes], f2: t.IO[bytes]) -> bool:
+    """Given two (buffered) file objects, compare their contents."""
+    f1on: t.IO[bytes] | None = f1
+    f2on: t.IO[bytes] | None = f2
+    blocksize = 65536
+    b1buf = b""
+    b2buf = b""
+    while True:
+        if f1on and len(b1buf) < blocksize:
+            f1b = f1on.read(blocksize)
+            if not f1b:
+                # f1 is EOF, so stop reading from it
+                f1on = None
+            b1buf += f1b
+        if f2on and len(b2buf) < blocksize:
+            f2b = f2on.read(blocksize)
+            if not f2b:
+                # f2 is EOF, so stop reading from it
+                f2on = None
+            b2buf += f2b
+        if not b1buf or not b2buf:
+            # At least one of f1 and f2 is EOF and all its data has
+            # been processed. If both are EOF and their data has been
+            # processed, the files are equal, otherwise not.
+            return not b1buf and not b2buf
+        # Compare the next chunk of data, and remove it from the buffers
+        buflen = min(len(b1buf), len(b2buf))
+        if b1buf[:buflen] != b2buf[:buflen]:
+            return False
+        b1buf = b1buf[buflen:]
+        b2buf = b2buf[buflen:]
+
+
+def are_fileobjs_equal_read_first(
+    f1: t.IO[bytes], f2: t.IO[bytes]
+) -> tuple[bool, bytes]:
+    """Given two (buffered) file objects, compare their contents.
+
+    Returns a tuple (is_equal, content_of_f1), where the first element indicates
+    whether the two file objects have the same content, and the second element is
+    the content of the first file object."""
+    f1on: t.IO[bytes] | None = f1
+    f2on: t.IO[bytes] | None = f2
+    blocksize = 65536
+    b1buf = b""
+    b2buf = b""
+    is_equal = True
+    content = []
+    while True:
+        if f1on and len(b1buf) < blocksize:
+            f1b = f1on.read(blocksize)
+            if not f1b:
+                # f1 is EOF, so stop reading from it
+                f1on = None
+            b1buf += f1b
+        if f2on and len(b2buf) < blocksize:
+            f2b = f2on.read(blocksize)
+            if not f2b:
+                # f2 is EOF, so stop reading from it
+                f2on = None
+            b2buf += f2b
+        if not b1buf or not b2buf:
+            # At least one of f1 and f2 is EOF and all its data has
+            # been processed. If both are EOF and their data has been
+            # processed, the files are equal, otherwise not.
+            is_equal = not b1buf and not b2buf
+            break
+        # Compare the next chunk of data, and remove it from the buffers
+        buflen = min(len(b1buf), len(b2buf))
+        if b1buf[:buflen] != b2buf[:buflen]:
+            is_equal = False
+            break
+        content.append(b1buf[:buflen])
+        b1buf = b1buf[buflen:]
+        b2buf = b2buf[buflen:]
+
+    content.append(b1buf)
+    if f1on:
+        content.append(f1on.read())
+
+    return is_equal, b"".join(content)
+
+
+def is_container_file_not_regular_file(container_stat: dict[str, t.Any]) -> bool:
+    return any(
+        container_stat["mode"] & 1 << bit != 0
+        for bit in (
+            # https://pkg.go.dev/io/fs#FileMode
+            32 - 1,  # ModeDir
+            32 - 4,  # ModeTemporary
+            32 - 5,  # ModeSymlink
+            32 - 6,  # ModeDevice
+            32 - 7,  # ModeNamedPipe
+            32 - 8,  # ModeSocket
+            32 - 11,  # ModeCharDevice
+            32 - 13,  # ModeIrregular
+        )
+    )
+
+
+def get_container_file_mode(container_stat: dict[str, t.Any]) -> int:
+    mode = container_stat["mode"] & 0xFFF
+    if container_stat["mode"] & (1 << (32 - 9)) != 0:  # ModeSetuid
+        mode |= stat.S_ISUID  # set UID bit
+    if container_stat["mode"] & (1 << (32 - 10)) != 0:  # ModeSetgid
+        mode |= stat.S_ISGID  # set GID bit
+    if container_stat["mode"] & (1 << (32 - 12)) != 0:  # ModeSticky
+        mode |= stat.S_ISVTX  # sticky bit
+    return mode
+
+
+def add_other_diff(
+    diff: dict[str, t.Any] | None, in_path: str, member: tarfile.TarInfo
+) -> None:
+    if diff is None:
+        return
+    diff["before_header"] = in_path
+    if member.isdir():
+        diff["before"] = "(directory)"
+    elif member.issym() or member.islnk():
+        diff["before"] = member.linkname
+    elif member.ischr():
+        diff["before"] = "(character device)"
+    elif member.isblk():
+        diff["before"] = "(block device)"
+    elif member.isfifo():
+        diff["before"] = "(fifo)"
+    elif member.isdev():
+        diff["before"] = "(device)"
+    elif member.isfile():
+        raise DockerUnexpectedError("should not be a regular file")
+    else:
+        diff["before"] = "(unknown filesystem object)"
+
+
+def retrieve_diff(
+    client: AnsibleDockerClient,
+    container: str,
+    container_path: str,
+    follow_links: bool,
+    diff: dict[str, t.Any] | None,
+    max_file_size_for_diff: int,
+    regular_stat: dict[str, t.Any] | None = None,
+    link_target: str | None = None,
+) -> None:
+    if diff is None:
+        return
+    if regular_stat is not None:
+        # First handle all filesystem object types that are not regular files
+        if regular_stat["mode"] & (1 << (32 - 1)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(directory)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 4)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(temporary file)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 5)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = link_target
+            return
+        if regular_stat["mode"] & (1 << (32 - 6)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(device)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 7)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(named pipe)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 8)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(socket)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 11)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(character device)"
+            return
+        if regular_stat["mode"] & (1 << (32 - 13)) != 0:
+            diff["before_header"] = container_path
+            diff["before"] = "(unknown filesystem object)"
+            return
+        # Check whether file is too large
+        if regular_stat["size"] > max_file_size_for_diff > 0:
+            diff["dst_larger"] = max_file_size_for_diff
+            return
+
+    # We need to get hold of the content
+    def process_none(in_path: str) -> None:
+        diff["before"] = ""
+
+    def process_regular(
+        in_path: str, tar: tarfile.TarFile, member: tarfile.TarInfo
+    ) -> None:
+        add_diff_dst_from_regular_member(
+            diff, max_file_size_for_diff, in_path, tar, member
+        )
+
+    def process_symlink(in_path: str, member: tarfile.TarInfo) -> None:
+        diff["before_header"] = in_path
+        diff["before"] = member.linkname
+
+    def process_other(in_path: str, member: tarfile.TarInfo) -> None:
+        add_other_diff(diff, in_path, member)
+
+    fetch_file_ex(
+        client,
+        container,
+        in_path=container_path,
+        process_none=process_none,
+        process_regular=process_regular,
+        process_symlink=process_symlink,
+        process_other=process_other,
+        follow_links=follow_links,
+    )
+
+
+def is_binary(content: bytes) -> bool:
+    if b"\x00" in content:  # noqa: SIM103
+        return True
+    # TODO: better detection
+    # (ansible-core also just checks for 0x00, and even just sticks to the first 8k, so this is not too bad...)
+    return False
+
+
+def are_fileobjs_equal_with_diff_of_first(
+    f1: t.IO[bytes],
+    f2: t.IO[bytes],
+    size: int,
+    diff: dict[str, t.Any] | None,
+    max_file_size_for_diff: int,
+    container_path: str,
+) -> bool:
+    if diff is None:
+        return are_fileobjs_equal(f1, f2)
+    if size > max_file_size_for_diff > 0:
+        diff["dst_larger"] = max_file_size_for_diff
+        return are_fileobjs_equal(f1, f2)
+    is_equal, content = are_fileobjs_equal_read_first(f1, f2)
+    if is_binary(content):
+        diff["dst_binary"] = 1
+    else:
+        diff["before_header"] = container_path
+        diff["before"] = to_text(content)
+    return is_equal
+
+
+def add_diff_dst_from_regular_member(
+    diff: dict[str, t.Any] | None,
+    max_file_size_for_diff: int,
+    container_path: str,
+    tar: tarfile.TarFile,
+    member: tarfile.TarInfo,
+) -> None:
+    if diff is None:
+        return
+    if member.size > max_file_size_for_diff > 0:
+        diff["dst_larger"] = max_file_size_for_diff
+        return
+
+    mf = tar.extractfile(member)
+    if not mf:
+        raise AssertionError("Member should be present for regular file")
+    with mf as tar_f:
+        content = tar_f.read()
+
+    if is_binary(content):
+        diff["dst_binary"] = 1
+    else:
+        diff["before_header"] = container_path
+        diff["before"] = to_text(content)
+
+
+def copy_dst_to_src(diff: dict[str, t.Any] | None) -> None:
+    if diff is None:
+        return
+    for frm, to in [
+        ("dst_size", "src_size"),
+        ("dst_binary", "src_binary"),
+        ("before_header", "after_header"),
+        ("before", "after"),
+    ]:
+        if frm in diff:
+            diff[to] = diff[frm]
+        elif to in diff:
+            diff.pop(to)
+
+
+def is_file_idempotent(
+    client: AnsibleDockerClient,
+    container: str,
+    managed_path: str,
+    container_path: str,
+    follow_links: bool,
+    local_follow_links: bool,
+    owner_id: int,
+    group_id: int,
+    mode: int | None,
+    force: bool | None = False,
+    diff: dict[str, t.Any] | None = None,
+    max_file_size_for_diff: int = 1,
+) -> tuple[str, int, bool]:
+    # Retrieve information of local file
+    try:
+        file_stat = (
+            os.stat(managed_path) if local_follow_links else os.lstat(managed_path)
+        )
+    except OSError as exc:
+        if exc.errno == 2:
+            raise DockerFileNotFound(f"Cannot find local file {managed_path}") from exc
+        raise
+    if mode is None:
+        mode = stat.S_IMODE(file_stat.st_mode)
+    if not stat.S_ISLNK(file_stat.st_mode) and not stat.S_ISREG(file_stat.st_mode):
+        raise DockerFileCopyError(
+            "Local path {managed_path} is not a symbolic link or file"
+        )
+
+    if diff is not None:
+        if file_stat.st_size > max_file_size_for_diff > 0:
+            diff["src_larger"] = max_file_size_for_diff
+        elif stat.S_ISLNK(file_stat.st_mode):
+            diff["after_header"] = managed_path
+            diff["after"] = os.readlink(managed_path)
+        else:
+            with open(managed_path, "rb") as f:
+                content = f.read()
+            if is_binary(content):
+                diff["src_binary"] = 1
+            else:
+                diff["after_header"] = managed_path
+                diff["after"] = to_text(content)
+
+    # When forcing and we are not following links in the container, go!
+    if force and not follow_links:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+        )
+        return container_path, mode, False
+
+    # Resolve symlinks in the container (if requested), and get information on container's file
+    real_container_path, regular_stat, link_target = stat_file(
+        client,
+        container,
+        in_path=container_path,
+        follow_links=follow_links,
+    )
+
+    # Follow links in the Docker container?
+    if follow_links:
+        container_path = real_container_path
+
+    # If the file was not found, continue
+    if regular_stat is None:
+        if diff is not None:
+            diff["before_header"] = container_path
+            diff["before"] = ""
+        return container_path, mode, False
+
+    # When forcing, go!
+    if force:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+
+    # If force is set to False, and the destination exists, assume there's nothing to do
+    if force is False:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        copy_dst_to_src(diff)
+        return container_path, mode, True
+
+    # Basic idempotency checks
+    if stat.S_ISLNK(file_stat.st_mode):
+        if link_target is None:
+            retrieve_diff(
+                client,
+                container,
+                container_path,
+                follow_links,
+                diff,
+                max_file_size_for_diff,
+                regular_stat,
+                link_target,
+            )
+            return container_path, mode, False
+        local_link_target = os.readlink(managed_path)
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, local_link_target == link_target
+    if link_target is not None:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if is_container_file_not_regular_file(regular_stat):
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if file_stat.st_size != regular_stat["size"]:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if mode != get_container_file_mode(regular_stat):
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+
+    # Fetch file from container
+    def process_none(in_path: str) -> tuple[str, int, bool]:
+        return container_path, mode, False
+
+    def process_regular(
+        in_path: str, tar: tarfile.TarFile, member: tarfile.TarInfo
+    ) -> tuple[str, int, bool]:
+        # Check things like user/group ID and mode
+        if any(
+            [
+                member.mode & 0xFFF != mode,
+                member.uid != owner_id,
+                member.gid != group_id,
+                not stat.S_ISREG(file_stat.st_mode),
+                member.size != file_stat.st_size,
+            ]
+        ):
+            add_diff_dst_from_regular_member(
+                diff, max_file_size_for_diff, in_path, tar, member
+            )
+            return container_path, mode, False
+
+        mf = tar.extractfile(member)
+        if mf is None:
+            raise AssertionError("Member should be present for regular file")
+        with mf as tar_f, open(managed_path, "rb") as local_f:
+            is_equal = are_fileobjs_equal_with_diff_of_first(
+                tar_f, local_f, member.size, diff, max_file_size_for_diff, in_path
+            )
+        return container_path, mode, is_equal
+
+    def process_symlink(in_path: str, member: tarfile.TarInfo) -> tuple[str, int, bool]:
+        if diff is not None:
+            diff["before_header"] = in_path
+            diff["before"] = member.linkname
+
+        # Check things like user/group ID and mode
+        if member.mode & 0xFFF != mode:
+            return container_path, mode, False
+        if member.uid != owner_id:
+            return container_path, mode, False
+        if member.gid != group_id:
+            return container_path, mode, False
+
+        if not stat.S_ISLNK(file_stat.st_mode):
+            return container_path, mode, False
+
+        local_link_target = os.readlink(managed_path)
+        return container_path, mode, member.linkname == local_link_target
+
+    def process_other(in_path: str, member: tarfile.TarInfo) -> tuple[str, int, bool]:
+        add_other_diff(diff, in_path, member)
+        return container_path, mode, False
+
+    return fetch_file_ex(
+        client,
+        container,
+        in_path=container_path,
+        process_none=process_none,
+        process_regular=process_regular,
+        process_symlink=process_symlink,
+        process_other=process_other,
+        follow_links=follow_links,
+    )
+
+
+def copy_file_into_container(
+    client: AnsibleDockerClient,
+    container: str,
+    managed_path: str,
+    container_path: str,
+    follow_links: bool,
+    local_follow_links: bool,
+    owner_id: int,
+    group_id: int,
+    mode: int | None,
+    force: bool | None = False,
+    do_diff: bool = False,
+    max_file_size_for_diff: int = 1,
+) -> t.NoReturn:
+    diff: dict[str, t.Any] | None
+    diff = {} if do_diff else None
+
+    container_path, mode, idempotent = is_file_idempotent(
+        client,
+        container,
+        managed_path,
+        container_path,
+        follow_links,
+        local_follow_links,
+        owner_id,
+        group_id,
+        mode,
+        force=force,
+        diff=diff,
+        max_file_size_for_diff=max_file_size_for_diff,
+    )
+    changed = not idempotent
+
+    if changed and not client.module.check_mode:
+        put_file(
+            client,
+            container,
+            in_path=managed_path,
+            out_path=container_path,
+            user_id=owner_id,
+            group_id=group_id,
+            mode=mode,
+            follow_links=local_follow_links,
+        )
+
+    result = {
+        "container_path": container_path,
+        "changed": changed,
+    }
+    if diff:
+        result["diff"] = diff
+    client.module.exit_json(**result)
+
+
+def is_content_idempotent(
+    client: AnsibleDockerClient,
+    container: str,
+    content: bytes,
+    container_path: str,
+    follow_links: bool,
+    owner_id: int,
+    group_id: int,
+    mode: int,
+    force: bool | None = False,
+    diff: dict[str, t.Any] | None = None,
+    max_file_size_for_diff: int = 1,
+) -> tuple[str, int, bool]:
+    if diff is not None:
+        if len(content) > max_file_size_for_diff > 0:
+            diff["src_larger"] = max_file_size_for_diff
+        elif is_binary(content):
+            diff["src_binary"] = 1
+        else:
+            diff["after_header"] = "dynamically generated"
+            diff["after"] = to_text(content)
+
+    # When forcing and we are not following links in the container, go!
+    if force and not follow_links:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+        )
+        return container_path, mode, False
+
+    # Resolve symlinks in the container (if requested), and get information on container's file
+    real_container_path, regular_stat, link_target = stat_file(
+        client,
+        container,
+        in_path=container_path,
+        follow_links=follow_links,
+    )
+
+    # Follow links in the Docker container?
+    if follow_links:
+        container_path = real_container_path
+
+    # If the file was not found, continue
+    if regular_stat is None:
+        if diff is not None:
+            diff["before_header"] = container_path
+            diff["before"] = ""
+        return container_path, mode, False
+
+    # When forcing, go!
+    if force:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+
+    # If force is set to False, and the destination exists, assume there's nothing to do
+    if force is False:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        copy_dst_to_src(diff)
+        return container_path, mode, True
+
+    # Basic idempotency checks
+    if link_target is not None:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if is_container_file_not_regular_file(regular_stat):
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if len(content) != regular_stat["size"]:
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+    if mode != get_container_file_mode(regular_stat):
+        retrieve_diff(
+            client,
+            container,
+            container_path,
+            follow_links,
+            diff,
+            max_file_size_for_diff,
+            regular_stat,
+            link_target,
+        )
+        return container_path, mode, False
+
+    # Fetch file from container
+    def process_none(in_path: str) -> tuple[str, int, bool]:
+        if diff is not None:
+            diff["before"] = ""
+        return container_path, mode, False
+
+    def process_regular(
+        in_path: str, tar: tarfile.TarFile, member: tarfile.TarInfo
+    ) -> tuple[str, int, bool]:
+        # Check things like user/group ID and mode
+        if any(
+            [
+                member.mode & 0xFFF != mode,
+                member.uid != owner_id,
+                member.gid != group_id,
+                member.size != len(content),
+            ]
+        ):
+            add_diff_dst_from_regular_member(
+                diff, max_file_size_for_diff, in_path, tar, member
+            )
+            return container_path, mode, False
+
+        mf = tar.extractfile(member)
+        if mf is None:
+            raise AssertionError("Member should be present for regular file")
+        with mf as tar_f:
+            is_equal = are_fileobjs_equal_with_diff_of_first(
+                tar_f,
+                io.BytesIO(content),
+                member.size,
+                diff,
+                max_file_size_for_diff,
+                in_path,
+            )
+        return container_path, mode, is_equal
+
+    def process_symlink(in_path: str, member: tarfile.TarInfo) -> tuple[str, int, bool]:
+        if diff is not None:
+            diff["before_header"] = in_path
+            diff["before"] = member.linkname
+
+        return container_path, mode, False
+
+    def process_other(in_path: str, member: tarfile.TarInfo) -> tuple[str, int, bool]:
+        add_other_diff(diff, in_path, member)
+        return container_path, mode, False
+
+    return fetch_file_ex(
+        client,
+        container,
+        in_path=container_path,
+        process_none=process_none,
+        process_regular=process_regular,
+        process_symlink=process_symlink,
+        process_other=process_other,
+        follow_links=follow_links,
+    )
+
+
+def copy_content_into_container(
+    client: AnsibleDockerClient,
+    container: str,
+    content: bytes,
+    container_path: str,
+    follow_links: bool,
+    owner_id: int,
+    group_id: int,
+    mode: int,
+    force: bool | None = False,
+    do_diff: bool = False,
+    max_file_size_for_diff: int = 1,
+) -> t.NoReturn:
+    diff: dict[str, t.Any] | None = {} if do_diff else None
+
+    container_path, mode, idempotent = is_content_idempotent(
+        client,
+        container,
+        content,
+        container_path,
+        follow_links,
+        owner_id,
+        group_id,
+        mode,
+        force=force,
+        diff=diff,
+        max_file_size_for_diff=max_file_size_for_diff,
+    )
+    changed = not idempotent
+
+    if changed and not client.module.check_mode:
+        put_file_content(
+            client,
+            container,
+            content=content,
+            out_path=container_path,
+            user_id=owner_id,
+            group_id=group_id,
+            mode=mode,
+        )
+
+    result = {
+        "container_path": container_path,
+        "changed": changed,
+    }
+    if diff:
+        # Since the content is no_log, make sure that the before/after strings look sufficiently different
+        key = generate_insecure_key()
+        diff["scrambled_diff"] = base64.b64encode(key)
+        for k in ("before", "after"):
+            if k in diff:
+                diff[k] = scramble(diff[k], key)
+        result["diff"] = diff
+    client.module.exit_json(**result)
+
+
+def parse_modern(mode: str | int) -> int:
+    if isinstance(mode, str):
+        return int(to_text(mode), 8)
+    if isinstance(mode, int):
+        return mode
+    raise TypeError(f"must be an octal string or an integer, got {mode!r}")
+
+
+def parse_octal_string_only(mode: str) -> int:
+    if isinstance(mode, str):
+        return int(to_text(mode), 8)
+    raise TypeError(f"must be an octal string, got {mode!r}")
+
+
+def main() -> None:
+    argument_spec = {
+        "container": {"type": "str", "required": True},
+        "path": {"type": "path"},
+        "container_path": {"type": "str", "required": True},
+        "follow": {"type": "bool", "default": False},
+        "local_follow": {"type": "bool", "default": True},
+        "owner_id": {"type": "int"},
+        "group_id": {"type": "int"},
+        "mode": {"type": "raw"},
+        "mode_parse": {
+            "type": "str",
+            "choices": ["legacy", "modern", "octal_string_only"],
+            "default": "legacy",
+        },
+        "force": {"type": "bool"},
+        "content": {"type": "str", "no_log": True},
+        "content_is_b64": {"type": "bool", "default": False},
+        # Undocumented parameters for use by the action plugin
+        "_max_file_size_for_diff": {"type": "int"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        min_docker_api_version="1.20",
+        supports_check_mode=True,
+        mutually_exclusive=[("path", "content")],
+        required_together=[("owner_id", "group_id")],
+        required_by={
+            "content": ["mode"],
+        },
+    )
+
+    container: str = client.module.params["container"]
+    managed_path: str | None = client.module.params["path"]
+    container_path: str = client.module.params["container_path"]
+    follow: bool = client.module.params["follow"]
+    local_follow: bool = client.module.params["local_follow"]
+    owner_id: int | None = client.module.params["owner_id"]
+    group_id: int | None = client.module.params["group_id"]
+    mode: t.Any = client.module.params["mode"]
+    force: bool | None = client.module.params["force"]
+    content_str: str | None = client.module.params["content"]
+    max_file_size_for_diff: int = client.module.params["_max_file_size_for_diff"] or 1
+
+    if mode is not None:
+        mode_parse: t.Literal["legacy", "modern", "octal_string_only"] = (
+            client.module.params["mode_parse"]
+        )
+        try:
+            if mode_parse == "legacy":
+                mode = check_type_int(mode)
+            elif mode_parse == "modern":
+                mode = parse_modern(mode)
+            elif mode_parse == "octal_string_only":
+                mode = parse_octal_string_only(mode)
+        except (TypeError, ValueError) as e:
+            client.fail(f"Error while parsing 'mode': {e}")
+        if mode < 0:
+            client.fail(f"'mode' must not be negative; got {mode}")
+
+    content: bytes | None = None
+    if content_str is not None:
+        if client.module.params["content_is_b64"]:
+            try:
+                content = base64.b64decode(content_str)
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                client.fail(f"Cannot Base64 decode the content option: {e}")
+        else:
+            content = to_bytes(content_str)
+
+    if not container_path.startswith(os.path.sep):
+        container_path = os.path.join(os.path.sep, container_path)
+    container_path = os.path.normpath(container_path)
+
+    try:
+        if owner_id is None or group_id is None:
+            owner_id, group_id = determine_user_group(client, container)
+
+        if content is not None:
+            assert mode is not None  # see required_by above
+            copy_content_into_container(
+                client,
+                container,
+                content,
+                container_path,
+                follow_links=follow,
+                owner_id=owner_id,
+                group_id=group_id,
+                mode=mode,
+                force=force,
+                do_diff=client.module._diff,
+                max_file_size_for_diff=max_file_size_for_diff,
+            )
+        elif managed_path is not None:
+            copy_file_into_container(
+                client,
+                container,
+                managed_path,
+                container_path,
+                follow_links=follow,
+                local_follow_links=local_follow,
+                owner_id=owner_id,
+                group_id=group_id,
+                mode=mode,
+                force=force,
+                do_diff=client.module._diff,
+                max_file_size_for_diff=max_file_size_for_diff,
+            )
+        else:
+            # Can happen if a user explicitly passes `content: null` or `path: null`...
+            client.fail("One of path and content must be supplied")
+    except NotFound as exc:
+        client.fail(f'Could not find container "{container}" or resource in it ({exc})')
+    except APIError as exc:
+        client.fail(
+            f'An unexpected Docker error occurred for container "{container}": {exc}',
+            exception=traceback.format_exc(),
+        )
+    except DockerException as exc:
+        client.fail(
+            f'An unexpected Docker error occurred for container "{container}": {exc}',
+            exception=traceback.format_exc(),
+        )
+    except RequestException as exc:
+        client.fail(
+            f'An unexpected requests error occurred for container "{container}" when trying to talk to the Docker daemon: {exc}',
+            exception=traceback.format_exc(),
+        )
+    except DockerUnexpectedError as exc:
+        client.fail(f"Unexpected error: {exc}", exception=traceback.format_exc())
+    except DockerFileCopyError as exc:
+        client.fail(to_text(exc))
+    except OSError as exc:
+        client.fail(f"Unexpected error: {exc}", exception=traceback.format_exc())
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_container_exec.py b/ansible_collections/community/docker/plugins/modules/docker_container_exec.py
new file mode 100644
index 00000000..aaf94034
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_container_exec.py
@@ -0,0 +1,345 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_container_exec
+
+short_description: Execute command in a docker container
+
+version_added: 1.5.0
+
+description:
+  - Executes a command in a Docker container.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: N/A
+    details:
+      - Whether the executed command is idempotent depends on the command.
+
+options:
+  container:
+    type: str
+    required: true
+    description:
+      - The name of the container to execute the command in.
+  argv:
+    type: list
+    elements: str
+    description:
+      - The command to execute.
+      - Since this is a list of arguments, no quoting is needed.
+      - Exactly one of O(argv) or O(command) must be specified.
+  command:
+    type: str
+    description:
+      - The command to execute.
+      - Exactly one of O(argv) or O(command) must be specified.
+  chdir:
+    type: str
+    description:
+      - The directory to run the command in.
+  detach:
+    description:
+      - Whether to run the command synchronously (O(detach=false), default) or asynchronously (O(detach=true)).
+      - If set to V(true), O(stdin) cannot be provided, and the return values RV(stdout), RV(stderr), and RV(rc) are not returned.
+    type: bool
+    default: false
+    version_added: 2.1.0
+  user:
+    type: str
+    description:
+      - If specified, the user to execute this command with.
+  stdin:
+    type: str
+    description:
+      - Set the stdin of the command directly to the specified value.
+      - Can only be used if O(detach=false).
+  stdin_add_newline:
+    type: bool
+    default: true
+    description:
+      - If set to V(true), appends a newline to O(stdin).
+  strip_empty_ends:
+    type: bool
+    default: true
+    description:
+      - Strip empty lines from the end of stdout/stderr in result.
+  tty:
+    type: bool
+    default: false
+    description:
+      - Whether to allocate a TTY.
+  env:
+    description:
+      - Dictionary of environment variables with their respective values to be passed to the command ran inside the container.
+      - Values which might be parsed as numbers, booleans or other types by the YAML parser must be quoted (for example V("true"))
+        in order to avoid data loss.
+      - Please note that if you are passing values in with Jinja2 templates, like V("{{ value }}"), you need to add V(| string)
+        to prevent Ansible to convert strings such as V("true") back to booleans. The correct way is to use V("{{ value |
+        string }}").
+    type: dict
+    version_added: 2.1.0
+
+notes:
+  - Does B(not work with TCP TLS sockets) when using O(stdin). This is caused by the inability to send C(close_notify) without
+    closing the connection with Python's C(SSLSocket)s. See U(https://github.com/ansible-collections/community.docker/issues/605)
+    for more information.
+  - If you need to evaluate environment variables of the container in O(command) or O(argv), you need to pass the command
+    through a shell, like O(command=/bin/sh -c "echo $ENV_VARIABLE"). The same needs to be done in case you want to use glob patterns
+    or other shell features such as redirects.
+author:
+  - "Felix Fontein (@felixfontein)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Run a simple command (command)
+  community.docker.docker_container_exec:
+    container: foo
+    command: /bin/bash -c "ls -lah"
+    chdir: /root
+  register: result
+
+- name: Print stdout
+  ansible.builtin.debug:
+    var: result.stdout
+
+- name: Run a simple command (argv)
+  community.docker.docker_container_exec:
+    container: foo
+    argv:
+      - /bin/bash
+      - "-c"
+      - "ls -lah > /dev/stderr"
+    chdir: /root
+  register: result
+
+- name: Print stderr lines
+  ansible.builtin.debug:
+    var: result.stderr_lines
+"""
+
+RETURN = r"""
+stdout:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard output of the container command.
+stderr:
+  type: str
+  returned: success and O(detach=false)
+  description:
+    - The standard error output of the container command.
+rc:
+  type: int
+  returned: success and O(detach=false)
+  sample: 0
+  description:
+    - The exit code of the command.
+exec_id:
+  type: str
+  returned: success and O(detach=true)
+  sample: 249d9e3075655baf705ed8f40488c5e9434049cf3431976f1bfdb73741c574c5
+  description:
+    - The execution ID of the command.
+  version_added: 2.1.0
+"""
+
+import shlex
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    format_environment,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._socket_handler import (
+    DockerSocketHandlerModule,
+)
+
+
+def main() -> None:
+    argument_spec = {
+        "container": {"type": "str", "required": True},
+        "argv": {"type": "list", "elements": "str"},
+        "command": {"type": "str"},
+        "chdir": {"type": "str"},
+        "detach": {"type": "bool", "default": False},
+        "user": {"type": "str"},
+        "stdin": {"type": "str"},
+        "stdin_add_newline": {"type": "bool", "default": True},
+        "strip_empty_ends": {"type": "bool", "default": True},
+        "tty": {"type": "bool", "default": False},
+        "env": {"type": "dict"},
+    }
+
+    option_minimal_versions = {
+        "chdir": {"docker_api_version": "1.35"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        option_minimal_versions=option_minimal_versions,
+        mutually_exclusive=[("argv", "command")],
+        required_one_of=[("argv", "command")],
+    )
+
+    container: str = client.module.params["container"]
+    argv: list[str] | None = client.module.params["argv"]
+    command: str | None = client.module.params["command"]
+    chdir: str | None = client.module.params["chdir"]
+    detach: bool = client.module.params["detach"]
+    user: str | None = client.module.params["user"]
+    stdin: str | None = client.module.params["stdin"]
+    strip_empty_ends: bool = client.module.params["strip_empty_ends"]
+    tty: bool = client.module.params["tty"]
+    env: dict[str, t.Any] | None = client.module.params["env"]
+
+    if env is not None:
+        for name, value in env.items():
+            if not isinstance(value, str):
+                client.module.fail_json(
+                    msg="Non-string value found for env option. Ambiguous env options must be "
+                    "wrapped in quotes to avoid them being interpreted when directly specified "
+                    "in YAML, or explicitly converted to strings when the option is templated. "
+                    f"Key: {name}"
+                )
+
+    if command is not None:
+        argv = shlex.split(command)
+    assert argv is not None
+
+    if detach and stdin is not None:
+        client.module.fail_json(msg="If detach=true, stdin cannot be provided.")
+
+    if stdin is not None and client.module.params["stdin_add_newline"]:
+        stdin += "\n"
+
+    try:
+        data = {
+            "Container": container,
+            "User": user or "",
+            "Privileged": False,
+            "Tty": False,
+            "AttachStdin": bool(stdin),
+            "AttachStdout": True,
+            "AttachStderr": True,
+            "Cmd": argv,
+            "Env": format_environment(env) if env is not None else None,
+        }
+        if chdir is not None:
+            data["WorkingDir"] = chdir
+
+        exec_data = client.post_json_to_json(
+            "/containers/{0}/exec", container, data=data
+        )
+        exec_id: str = exec_data["Id"]
+
+        data = {
+            "Tty": tty,
+            "Detach": detach,
+        }
+        if detach:
+            client.post_json_to_text("/exec/{0}/start", exec_id, data=data)
+            client.module.exit_json(changed=True, exec_id=exec_id)
+
+        else:
+            stdout: bytes | None
+            stderr: bytes | None
+            if stdin and not detach:
+                exec_socket = client.post_json_to_stream_socket(
+                    "/exec/{0}/start", exec_id, data=data
+                )
+                try:
+                    with DockerSocketHandlerModule(
+                        exec_socket, client.module
+                    ) as exec_socket_handler:
+                        if stdin:
+                            exec_socket_handler.write(to_bytes(stdin))
+
+                        stdout, stderr = exec_socket_handler.consume()
+                finally:
+                    exec_socket.close()
+            elif tty:
+                stdout, stderr = client.post_json_to_stream(
+                    "/exec/{0}/start",
+                    exec_id,
+                    data=data,
+                    stream=False,
+                    tty=True,
+                    demux=True,
+                )
+            else:
+                stdout, stderr = client.post_json_to_stream(
+                    "/exec/{0}/start",
+                    exec_id,
+                    data=data,
+                    stream=False,
+                    tty=False,
+                    demux=True,
+                )
+
+            result = client.get_json("/exec/{0}/json", exec_id)
+
+            stdout_t = to_text(stdout or b"")
+            stderr_t = to_text(stderr or b"")
+            if strip_empty_ends:
+                stdout_t = stdout_t.rstrip("\r\n")
+                stderr_t = stderr_t.rstrip("\r\n")
+
+            client.module.exit_json(
+                changed=True,
+                stdout=stdout_t,
+                stderr=stderr_t,
+                rc=result.get("ExitCode") or 0,
+            )
+    except NotFound:
+        client.fail(f'Could not find container "{container}"')
+    except APIError as e:
+        if e.response is not None and e.response.status_code == 409:
+            client.fail(f'The container "{container}" has been paused ({e})')
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_container_info.py b/ansible_collections/community/docker/plugins/modules/docker_container_info.py
new file mode 100644
index 00000000..a1ec48f7
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_container_info.py
@@ -0,0 +1,120 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_container_info
+
+short_description: Retrieves facts about docker container
+
+description:
+  - Retrieves facts about a docker container.
+  - Essentially returns the output of C(docker inspect <name>), similar to what M(community.docker.docker_container) returns
+    for a non-absent container.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - The name of the container to inspect.
+      - When identifying an existing container name may be a name or a long or short container ID.
+    type: str
+    required: true
+
+author:
+  - "Felix Fontein (@felixfontein)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get infos on container
+  community.docker.docker_container_info:
+    name: mydata
+  register: result
+
+- name: Does container exist?
+  ansible.builtin.debug:
+    msg: "The container {{ 'exists' if result.exists else 'does not exist' }}"
+
+- name: Print information about container
+  ansible.builtin.debug:
+    var: result.container
+  when: result.exists
+"""
+
+RETURN = r"""
+exists:
+  description:
+    - Returns whether the container exists.
+  type: bool
+  returned: always
+  sample: true
+container:
+  description:
+    - Facts representing the current state of the container. Matches the docker inspection output.
+    - Will be V(none) if container does not exist.
+  returned: always
+  type: dict
+  sample: '{ "AppArmorProfile": "", "Args": [], "Config": { "AttachStderr": false, "AttachStdin": false, "AttachStdout": false,
+    "Cmd": [ "/usr/bin/supervisord" ], "Domainname": "", "Entrypoint": null, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    ], "ExposedPorts": { "443/tcp": {}, "80/tcp": {} }, "Hostname": "8e47bf643eb9", "Image": "lnmp_nginx:v1", "Labels": {},
+    "OnBuild": null, "OpenStdin": false, "StdinOnce": false, "Tty": false, "User": "", "Volumes": { "/tmp/lnmp/nginx-sites/logs/":
+    {} }, ... }'
+"""
+
+import traceback
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    container_id: str = client.module.params["name"]
+    try:
+        container = client.get_container(container_id)
+
+        client.module.exit_json(
+            changed=False,
+            exists=bool(container),
+            container=container,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_context_info.py b/ansible_collections/community/docker/plugins/modules/docker_context_info.py
new file mode 100644
index 00000000..49c3b5af
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_context_info.py
@@ -0,0 +1,325 @@
+#!/usr/bin/python
+#
+# Copyright 2025 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_context_info
+
+short_description: Retrieve information on Docker contexts for the current user
+
+version_added: 4.4.0
+
+description:
+  - Return information on Docker contexts.
+  - This includes some generic information, as well as a RV(contexts[].config) dictionary that can be used for module defaults for all community.docker modules
+    that use the C(community.docker.docker) module defaults group.
+extends_documentation_fragment:
+  - community.docker._attributes
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  only_current:
+    description:
+      - If set to V(true), RV(contexts) will just contain the current context and none else.
+      - If set to V(false) (default), RV(contexts) will list all contexts, unless O(name) is specified.
+      - Mutually exclusive to O(name).
+    type: bool
+    default: false
+  name:
+    description:
+      - A specific Docker CLI context to query.
+      - The module will fail if this context does not exist. If you simply want to query whether a context exists,
+        do not specify this parameter and use Jinja2 to search the resulting list for a context of the given name instead.
+      - Mutually exclusive with O(only_current).
+    type: str
+  cli_context:
+    description:
+      - Override for the default context's name.
+      - This is preferably used for context selection when O(only_current=true),
+        and it is used to compute the return values RV(contexts[].current) and RV(current_context_name).
+    type: str
+
+author:
+  - "Felix Fontein (@felixfontein)"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get infos on contexts
+  community.docker.docker_context_info:
+  register: result
+
+- name: Show all contexts
+  ansible.builtin.debug:
+    msg: "{{ result.contexts }}"
+
+- name: Get current context
+  community.docker.docker_context_info:
+    only_current: true
+  register: docker_current_context
+
+- name: Run community.docker modules with current context
+  module_defaults:
+    group/community.docker.docker: "{{ docker_current_context.contexts[0].config }}"
+  block:
+    - name: Task using the current context
+      community.docker.docker_container:
+        image: ubuntu:latest
+        name: ubuntu
+        state: started
+"""
+
+RETURN = r"""
+contexts:
+  description:
+    - A list of all contexts (O(only_current=false), O(name) not specified),
+      only the current context (O(only_current=true)),
+      or the requested context (O(name) specified).
+  type: list
+  elements: dict
+  returned: success
+  contains:
+    current:
+      description:
+        - Whether this context is the current one.
+      type: bool
+      returned: success
+      sample: true
+    name:
+      description:
+        - The context's name.
+      type: bool
+      returned: success
+      sample: default
+    description:
+      description:
+        - The context's description, if available.
+      type: bool
+      returned: success
+      sample: My context
+    meta_path:
+      description:
+        - The path to the context's meta directory.
+        - Not present for RV(contexts[].name=default).
+      type: str
+      returned: success
+      sample: /home/felix/.docker/contexts/meta/0123456789abcdef01234567890abcdef0123456789abcdef0123456789abcde
+    tls_path:
+      description:
+        - The path to the context's TLS config directory.
+        - Not present for RV(contexts[].name=default).
+      type: str
+      returned: success
+      sample: /home/user/.docker/contexts/tls/0123456789abcdef01234567890abcdef0123456789abcdef0123456789abcde/
+    config:
+      description:
+        - In case the context is for Docker, contains option values to configure the community.docker modules to use this context.
+        - Note that the exact values returned here and their values might change over time if incompatibilities to existing modules are found.
+          The goal is that this configuration works fine with all modules in this collection, but we do not have the capabilities to
+          test all possible configuration options at the moment.
+      type: dict
+      returned: success
+      sample: {}
+      contains:
+        docker_host:
+          description:
+            - The Docker daemon to connect to.
+          type: str
+          returned: success and context is for Docker
+          sample: unix:///var/run/docker.sock
+        tls:
+          description:
+            - Whether the Docker context should use an unvalidated TLS connection.
+          type: bool
+          returned: success and context is for Docker
+          sample: false
+        ca_path:
+          description:
+            - The CA certificate used to validate the Docker daemon's certificate.
+          type: bool
+          returned: success, context is for Docker, TLS config is present, and CA cert is present
+          sample: /path/to/ca-cert.pem
+        client_cert:
+          description:
+            - The client certificate to authenticate with to the Docker daemon.
+          type: bool
+          returned: success, context is for Docker, TLS config is present, and client cert info is present
+          sample: /path/to/client-cert.pem
+        client_key:
+          description:
+            - The client certificate's key to authenticate with to the Docker daemon.
+          type: bool
+          returned: success, context is for Docker, TLS config is present, and client cert info is present
+          sample: /path/to/client-key.pem
+        validate_certs:
+          description:
+            - Whether the Docker context should use a validated TLS connection.
+          type: bool
+          returned: success, context is for Docker, and TLS config is present
+          sample: true
+
+current_context_name:
+  description:
+    - The name of the current Docker context.
+  type: str
+  returned: success
+  sample: default
+"""
+
+import traceback
+import typing as t
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.context.api import (
+    ContextAPI,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.context.config import (
+    get_current_context_name_with_source,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.context.context import (
+    IN_MEMORY,
+    Context,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    ContextException,
+    DockerException,
+)
+
+if t.TYPE_CHECKING:
+    from ansible_collections.community.docker.plugins.module_utils._api.tls import (
+        TLSConfig,
+    )
+
+
+def tls_context_to_json(context: TLSConfig | None) -> dict[str, t.Any] | None:
+    if context is None:
+        return None
+    return {
+        "client_cert": context.cert[0] if context.cert else None,
+        "client_key": context.cert[1] if context.cert else None,
+        "ca_cert": context.ca_cert,
+        "verify": context.verify,
+        # 'ssl_version': context.ssl_version,  -- this isn't used anymore
+    }
+
+
+def context_to_json(context: Context, current: bool) -> dict[str, t.Any]:
+    module_config: dict[str, t.Any] = {}
+    if "docker" in context.endpoints:
+        endpoint = context.endpoints["docker"]
+        if isinstance(endpoint.get("Host"), str):
+            host_str = to_text(endpoint["Host"])
+
+            # Adjust protocol name so that it works with the Docker CLI tool as well
+            proto = None
+            idx = host_str.find("://")
+            if idx >= 0:
+                proto = host_str[:idx]
+                host_str = host_str[idx + 3 :]
+            if proto in ("http", "https"):
+                proto = "tcp"
+            if proto == "http+unix":
+                proto = "unix"
+            if proto:
+                host_str = f"{proto}://{host_str}"
+
+            # Create config for the modules
+            module_config["docker_host"] = host_str
+            if context.tls_cfg.get("docker"):
+                tls_cfg = context.tls_cfg["docker"]
+                if tls_cfg.ca_cert:
+                    module_config["ca_path"] = tls_cfg.ca_cert
+                if tls_cfg.cert:
+                    module_config["client_cert"] = tls_cfg.cert[0]
+                    module_config["client_key"] = tls_cfg.cert[1]
+                module_config["validate_certs"] = tls_cfg.verify
+                module_config["tls"] = True
+            else:
+                module_config["tls"] = bool(endpoint.get("SkipTLSVerify"))
+    return {
+        "current": current,
+        "name": context.name,
+        "description": context.description,
+        "meta_path": None if context.meta_path is IN_MEMORY else context.meta_path,
+        "tls_path": None if context.tls_path is IN_MEMORY else context.tls_path,
+        "config": module_config,
+    }
+
+
+def main() -> None:
+    argument_spec = {
+        "only_current": {"type": "bool", "default": False},
+        "name": {"type": "str"},
+        "cli_context": {"type": "str"},
+    }
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        mutually_exclusive=[
+            ("only_current", "name"),
+        ],
+    )
+
+    only_current: bool = module.params["only_current"]
+    name: str | None = module.params["name"]
+    cli_context: str | None = module.params["cli_context"]
+    try:
+        if cli_context:
+            current_context_name, current_context_source = (
+                cli_context,
+                "cli_context module option",
+            )
+        else:
+            current_context_name, current_context_source = (
+                get_current_context_name_with_source()
+            )
+        if name:
+            context_or_none = ContextAPI.get_context(name)
+            if not context_or_none:
+                module.fail_json(msg=f"There is no context of name {name!r}")
+            contexts = [context_or_none]
+        elif only_current:
+            context_or_none = ContextAPI.get_context(current_context_name)
+            if not context_or_none:
+                module.fail_json(
+                    msg=f"There is no context of name {current_context_name!r}, which is configured as the default context ({current_context_source})",
+                )
+            contexts = [context_or_none]
+        else:
+            contexts = ContextAPI.contexts()
+
+        json_contexts = sorted(
+            [
+                context_to_json(context, context.name == current_context_name)
+                for context in contexts
+            ],
+            key=lambda entry: entry["name"],
+        )
+
+        module.exit_json(
+            changed=False,
+            contexts=json_contexts,
+            current_context_name=current_context_name,
+        )
+    except ContextException as e:
+        module.fail_json(
+            msg=f"Error when handling Docker contexts: {e}",
+            exception=traceback.format_exc(),
+        )
+    except DockerException as e:
+        module.fail_json(
+            msg=f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_host_info.py b/ansible_collections/community/docker/plugins/modules/docker_host_info.py
new file mode 100644
index 00000000..f117b302
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_host_info.py
@@ -0,0 +1,404 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2019 Piotr Wojciechowski <piotr@it-playground.pl>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_host_info
+
+short_description: Retrieves facts about docker host and lists of objects of the services
+
+description:
+  - Retrieves facts about a docker host.
+  - Essentially returns the output of C(docker system info).
+  - The module also allows to list object names for containers, images, networks and volumes. It also allows to query information
+    on disk usage.
+  - The output differs depending on API version of the docker daemon.
+  - If the docker daemon cannot be contacted or does not meet the API version requirements, the module will fail.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.idempotent_not_modify_state
+
+attributes:
+  check_mode:
+    support: full
+    details:
+      - This action does not modify state.
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+
+options:
+  containers:
+    description:
+      - Whether to list containers.
+    type: bool
+    default: false
+  containers_all:
+    description:
+      - By default, only running containers are returned.
+      - This corresponds to the C(--all) option to C(docker container list).
+    type: bool
+    default: false
+    version_added: 3.4.0
+  containers_filters:
+    description:
+      - A dictionary of filter values used for selecting containers to list.
+      - 'For example, C(until: 24h).'
+      - C(label) is a special case of filter which can be a string C(<key>) matching when a label is present, a string C(<key>=<value>)
+        matching when a label has a particular value, or a list of strings C(<key>)/C(<key>=<value).
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/container_prune/#filtering) for
+        more information on possible filters.
+    type: dict
+  images:
+    description:
+      - Whether to list images.
+    type: bool
+    default: false
+  images_filters:
+    description:
+      - A dictionary of filter values used for selecting images to list.
+      - 'For example, C(dangling: true).'
+      - C(label) is a special case of filter which can be a string C(<key>) matching when a label is present, a string C(<key>=<value>)
+        matching when a label has a particular value, or a list of strings C(<key>)/C(<key>=<value).
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/image_prune/#filtering) for more
+        information on possible filters.
+    type: dict
+  networks:
+    description:
+      - Whether to list networks.
+    type: bool
+    default: false
+  networks_filters:
+    description:
+      - A dictionary of filter values used for selecting networks to list.
+      - C(label) is a special case of filter which can be a string C(<key>) matching when a label is present, a string C(<key>=<value>)
+        matching when a label has a particular value, or a list of strings C(<key>)/C(<key>=<value).
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/network_prune/#filtering) for
+        more information on possible filters.
+    type: dict
+  volumes:
+    description:
+      - Whether to list volumes.
+    type: bool
+    default: false
+  volumes_filters:
+    description:
+      - A dictionary of filter values used for selecting volumes to list.
+      - C(label) is a special case of filter which can be a string C(<key>) matching when a label is present, a string C(<key>=<value>)
+        matching when a label has a particular value, or a list of strings C(<key>)/C(<key>=<value).
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/volume_prune/#filtering) for more
+        information on possible filters.
+    type: dict
+  disk_usage:
+    description:
+      - Summary information on used disk space by all Docker layers.
+      - The output is a sum of images, volumes, containers and build cache.
+    type: bool
+    default: false
+  verbose_output:
+    description:
+      - When set to V(true) and O(networks), O(volumes), O(images), O(containers), or O(disk_usage) is set to V(true) then
+        output will contain verbose information about objects matching the full output of API method. For details see the
+        documentation of your version of Docker API at U(https://docs.docker.com/engine/api/).
+      - The verbose output in this module contains only subset of information returned by this module for each type of the
+        objects.
+    type: bool
+    default: false
+
+author:
+  - Piotr Wojciechowski (@WojciechowskiPiotr)
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get info on docker host
+  community.docker.docker_host_info:
+  register: result
+
+- name: Get info on docker host and list images
+  community.docker.docker_host_info:
+    images: true
+  register: result
+
+- name: Get info on docker host and list images matching the filter
+  community.docker.docker_host_info:
+    images: true
+    images_filters:
+      label: "mylabel"
+  register: result
+
+- name: Get info on docker host and verbose list images
+  community.docker.docker_host_info:
+    images: true
+    verbose_output: true
+  register: result
+
+- name: Get info on docker host and used disk space
+  community.docker.docker_host_info:
+    disk_usage: true
+  register: result
+
+- name: Get info on docker host and list containers matching the filter
+  community.docker.docker_host_info:
+    containers: true
+    containers_filters:
+      label:
+        - key1=value1
+        - key2=value2
+  register: result
+
+- name: Show host information
+  ansible.builtin.debug:
+    var: result.host_info
+"""
+
+RETURN = r"""
+can_talk_to_docker:
+  description:
+    - Will be V(true) if the module can talk to the docker daemon.
+  returned: both on success and on error
+  type: bool
+
+host_info:
+  description:
+    - Facts representing the basic state of the docker host. Matches the C(docker system info) output.
+  returned: always
+  type: dict
+volumes:
+  description:
+    - List of dict objects containing the basic information about each volume. Keys matches the C(docker volume ls) output
+      unless O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(volumes=true)
+  type: list
+  elements: dict
+networks:
+  description:
+    - List of dict objects containing the basic information about each network. Keys matches the C(docker network ls) output
+      unless O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(networks=true)
+  type: list
+  elements: dict
+containers:
+  description:
+    - List of dict objects containing the basic information about each container. Keys matches the C(docker container ls)
+      output unless O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(containers=true)
+  type: list
+  elements: dict
+images:
+  description:
+    - List of dict objects containing the basic information about each image. Keys matches the C(docker image ls) output unless
+      O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(images=true)
+  type: list
+  elements: dict
+disk_usage:
+  description:
+    - Information on summary disk usage by images, containers and volumes on docker host unless O(verbose_output=true). See
+      description for O(verbose_output).
+  returned: When O(disk_usage=true)
+  type: dict
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    convert_filters,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+)
+
+
+class DockerHostManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.verbose_output = self.client.module.params["verbose_output"]
+
+        listed_objects = ["volumes", "networks", "containers", "images"]
+
+        self.results["host_info"] = self.get_docker_host_info()
+        # At this point we definitely know that we can talk to the Docker daemon
+        self.results["can_talk_to_docker"] = True
+        self.client.fail_results["can_talk_to_docker"] = True
+
+        if self.client.module.params["disk_usage"]:
+            self.results["disk_usage"] = self.get_docker_disk_usage_facts()
+
+        for docker_object in listed_objects:
+            if self.client.module.params[docker_object]:
+                returned_name = docker_object
+                filter_name = f"{docker_object}_filters"
+                filters = clean_dict_booleans_for_docker_api(
+                    client.module.params.get(filter_name), allow_sequences=True
+                )
+                self.results[returned_name] = self.get_docker_items_list(
+                    docker_object, filters
+                )
+
+    def get_docker_host_info(self) -> dict[str, t.Any]:
+        try:
+            return self.client.info()
+        except APIError as exc:
+            self.client.fail(f"Error inspecting docker host: {exc}")
+
+    def get_docker_disk_usage_facts(self) -> dict[str, t.Any]:
+        try:
+            if self.verbose_output:
+                return self.client.df()
+            return {"LayersSize": self.client.df()["LayersSize"]}
+        except APIError as exc:
+            self.client.fail(f"Error inspecting docker host: {exc}")
+
+    def get_docker_items_list(
+        self,
+        docker_object: str,
+        filters: dict[str, t.Any] | None = None,
+        verbose: bool = False,
+    ) -> list[dict[str, t.Any]]:
+        items = []
+
+        header_containers = [
+            "Id",
+            "Image",
+            "Command",
+            "Created",
+            "Status",
+            "Ports",
+            "Names",
+        ]
+        header_volumes = ["Driver", "Name"]
+        header_images = ["Id", "RepoTags", "Created", "Size"]
+        header_networks = ["Id", "Driver", "Name", "Scope"]
+
+        filter_arg = {}
+        if filters:
+            filter_arg["filters"] = filters
+        try:
+            if docker_object == "containers":
+                params = {
+                    "limit": -1,
+                    "all": 1 if self.client.module.params["containers_all"] else 0,
+                    "size": 0,
+                    "trunc_cmd": 0,
+                    "filters": convert_filters(filters) if filters else None,
+                }
+                items = self.client.get_json("/containers/json", params=params)
+            elif docker_object == "networks":
+                params = {"filters": convert_filters(filters or {})}
+                items = self.client.get_json("/networks", params=params)
+            elif docker_object == "images":
+                params = {
+                    "only_ids": 0,
+                    "all": 0,
+                    "filters": convert_filters(filters) if filters else None,
+                }
+                items = self.client.get_json("/images/json", params=params)
+            elif docker_object == "volumes":
+                params = {
+                    "filters": convert_filters(filters) if filters else None,
+                }
+                items = self.client.get_json("/volumes", params=params)
+                items = items["Volumes"]
+        except APIError as exc:
+            self.client.fail(
+                f"Error inspecting docker host for object '{docker_object}': {exc}"
+            )
+
+        if self.verbose_output:
+            return items
+
+        items_list = []
+        for item in items:
+            item_record = {}
+
+            if docker_object == "containers":
+                for key in header_containers:
+                    item_record[key] = item.get(key)
+            elif docker_object == "networks":
+                for key in header_networks:
+                    item_record[key] = item.get(key)
+            elif docker_object == "images":
+                for key in header_images:
+                    item_record[key] = item.get(key)
+            elif docker_object == "volumes":
+                for key in header_volumes:
+                    item_record[key] = item.get(key)
+            items_list.append(item_record)
+
+        return items_list
+
+
+def main() -> None:
+    argument_spec = {
+        "containers": {"type": "bool", "default": False},
+        "containers_all": {"type": "bool", "default": False},
+        "containers_filters": {"type": "dict"},
+        "images": {"type": "bool", "default": False},
+        "images_filters": {"type": "dict"},
+        "networks": {"type": "bool", "default": False},
+        "networks_filters": {"type": "dict"},
+        "volumes": {"type": "bool", "default": False},
+        "volumes_filters": {"type": "dict"},
+        "disk_usage": {"type": "bool", "default": False},
+        "verbose_output": {"type": "bool", "default": False},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        fail_results={
+            "can_talk_to_docker": False,
+        },
+    )
+    if (
+        client.module.params["api_version"] is None
+        or client.module.params["api_version"].lower() == "auto"
+    ):
+        # At this point we know that we can talk to Docker, since we asked it for the API version
+        client.fail_results["can_talk_to_docker"] = True
+
+    try:
+        results = {
+            "changed": False,
+        }
+
+        DockerHostManager(client, results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image.py b/ansible_collections/community/docker/plugins/modules/docker_image.py
new file mode 100644
index 00000000..827c6f99
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image.py
@@ -0,0 +1,1239 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image
+
+short_description: Manage docker images
+
+description:
+  - Build, load or pull an image, making the image available for creating containers. Also supports tagging an image, pushing
+    an image, and archiving an image to a C(.tar) file.
+  - We recommend to use the individual modules M(community.docker.docker_image_build), M(community.docker.docker_image_export),
+    M(community.docker.docker_image_load), M(community.docker.docker_image_pull), M(community.docker.docker_image_push),
+    M(community.docker.docker_image_remove), and M(community.docker.docker_image_tag) instead of this module.
+notes:
+  - Building images is done using Docker daemon's API. It is not possible to use BuildKit / buildx this way. Use M(community.docker.docker_image_build)
+    to build images with BuildKit.
+  - Exporting images is generally not idempotent. It depends on whether the image ID equals the IDs found in the generated tarball's C(manifest.json).
+    This was the case with the default storage backend up to Docker 28, but seems to have changed in Docker 29.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: partial
+    details:
+      - When trying to pull an image, the module assumes this is always changed in check mode.
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - Whether the module is idempotent depends on the exact parameters, in particular of O(force_source) and O(force_tag).
+      # TODO: improve idempotent details!
+
+options:
+  source:
+    description:
+      - Determines where the module will try to retrieve the image from.
+      - Use V(build) to build the image from a C(Dockerfile). O(build.path) must be specified when this value is used.
+      - Use V(load) to load the image from a C(.tar) file. O(load_path) must be specified when this value is used.
+      - Use V(pull) to pull the image from a registry.
+      - Use V(local) to make sure that the image is already available on the local docker daemon. This means that the module
+        does not try to build, pull or load the image.
+    type: str
+    choices:
+      - build
+      - load
+      - pull
+      - local
+  build:
+    description:
+      - Specifies options used for building images.
+    type: dict
+    suboptions:
+      cache_from:
+        description:
+          - List of image names to consider as cache source.
+        type: list
+        elements: str
+      dockerfile:
+        description:
+          - Use with O(state=present) and O(source=build) to provide an alternate name for the Dockerfile to use when building
+            an image.
+          - This can also include a relative path (relative to O(build.path)).
+        type: str
+      http_timeout:
+        description:
+          - Timeout for HTTP requests during the image build operation. Provide a positive integer value for the number of
+            seconds.
+        type: int
+      path:
+        description:
+          - Use with state 'present' to build an image. Will be the path to a directory containing the context and Dockerfile
+            for building an image.
+        type: path
+        required: true
+      pull:
+        description:
+          - When building an image downloads any updates to the FROM image in Dockerfile.
+        type: bool
+        default: false
+      rm:
+        description:
+          - Remove intermediate containers after build.
+        type: bool
+        default: true
+      network:
+        description:
+          - The network to use for C(RUN) build instructions.
+        type: str
+      nocache:
+        description:
+          - Do not use cache when building an image.
+        type: bool
+        default: false
+      etc_hosts:
+        description:
+          - Extra hosts to add to C(/etc/hosts) in building containers, as a mapping of hostname to IP address.
+          - Instead of an IP address, the special value V(host-gateway) can also be used, which resolves to the host's gateway
+            IP and allows building containers to connect to services running on the host.
+        type: dict
+      args:
+        description:
+          - Provide a dictionary of C(key:value) build arguments that map to Dockerfile ARG directive.
+          - Docker expects the value to be a string. For convenience any non-string values will be converted to strings.
+        type: dict
+      container_limits:
+        description:
+          - A dictionary of limits applied to each container created by the build process.
+        type: dict
+        suboptions:
+          memory:
+            description:
+              - Memory limit for build in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte),
+                V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+              - Omitting the unit defaults to bytes.
+              - Before community.docker 3.6.0, no units were allowed.
+            type: str
+          memswap:
+            description:
+              - Total memory limit (memory + swap) for build in format C(<number>[<unit>]), or the special values V(unlimited)
+                or V(-1) for unlimited swap usage. Number is a positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+                1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+              - Omitting the unit defaults to bytes.
+              - Before community.docker 3.6.0, no units were allowed, and neither was the special value V(unlimited).
+            type: str
+          cpushares:
+            description:
+              - CPU shares (relative weight).
+            type: int
+          cpusetcpus:
+            description:
+              - CPUs in which to allow execution.
+              - For example, V(0-3) or V(0,1).
+            type: str
+      use_config_proxy:
+        description:
+          - If set to V(true) and a proxy configuration is specified in the docker client configuration (by default C($HOME/.docker/config.json)),
+            the corresponding environment variables will be set in the container being built.
+        type: bool
+      target:
+        description:
+          - When building an image specifies an intermediate build stage by name as a final stage for the resulting image.
+        type: str
+      platform:
+        description:
+          - Platform in the format C(os[/arch[/variant]]).
+        type: str
+        version_added: 1.1.0
+      shm_size:
+        description:
+          - Size of C(/dev/shm) in format C(<number>[<unit>]). Number is positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+            1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+          - Omitting the unit defaults to bytes. If you omit the size entirely, Docker daemon uses V(64M).
+        type: str
+        version_added: 3.6.0
+      labels:
+        description:
+          - Dictionary of key value pairs.
+        type: dict
+        version_added: 3.6.0
+  archive_path:
+    description:
+      - Use with O(state=present) to archive an image to a C(.tar) file.
+    type: path
+  load_path:
+    description:
+      - Use with O(state=present) to load an image from a C(.tar) file.
+      - Set O(source=load) if you want to load the image.
+    type: path
+  force_source:
+    description:
+      - Use with O(state=present) to build, load or pull an image (depending on the value of the O(source) option) when the
+        image already exists.
+    type: bool
+    default: false
+  force_absent:
+    description:
+      - Use with O(state=absent) to un-tag and remove all images matching the specified name.
+    type: bool
+    default: false
+  force_tag:
+    description:
+      - Use with O(state=present) to force tagging an image.
+    type: bool
+    default: false
+  name:
+    description:
+      - 'Image name. Name format will be one of: C(name), C(repository/name), C(registry_server:port/name). When pushing or
+        pulling an image the name can optionally include the tag by appending C(:tag_name).'
+      - Note that image IDs (hashes) are only supported for O(state=absent), for O(state=present) with O(source=load), and
+        for O(state=present) with O(source=local).
+    type: str
+    required: true
+  pull:
+    description:
+      - Specifies options used for pulling images.
+    type: dict
+    version_added: 1.3.0
+    suboptions:
+      platform:
+        description:
+          - When pulling an image, ask for this specific platform.
+          - Note that this value is not used to determine whether the image needs to be pulled. This might change in the future
+            in a minor release, though.
+        type: str
+  push:
+    description:
+      - Push the image to the registry. Specify the registry as part of the O(name) or O(repository) parameter.
+    type: bool
+    default: false
+  repository:
+    description:
+      - Use with O(state=present) to tag the image.
+      - Expects format C(repository:tag). If no tag is provided, will use the value of the O(tag) parameter or V(latest).
+      - If O(push=true), O(repository) must either include a registry, or will be assumed to belong to the default registry
+        (Docker Hub).
+    type: str
+  state:
+    description:
+      - Make assertions about the state of an image.
+      - When V(absent) an image will be removed. Use the force option to un-tag and remove all images matching the provided
+        name.
+      - When V(present) check if an image exists using the provided name and tag. If the image is not found or the force option
+        is used, the image will either be pulled, built or loaded, depending on the O(source) option.
+    type: str
+    default: present
+    choices:
+      - absent
+      - present
+  tag:
+    description:
+      - Used to select an image when pulling. Will be added to the image when pushing, tagging or building. Defaults to V(latest).
+      - If O(name) parameter format is C(name:tag), then tag value from O(name) will take precedence.
+    type: str
+    default: latest
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Pavel Antonov (@softzilla)
+  - Chris Houseknecht (@chouseknecht)
+  - Sorin Sbarnea (@ssbarnea)
+
+seealso:
+  - module: community.docker.docker_image_build
+  - module: community.docker.docker_image_export
+  - module: community.docker.docker_image_info
+  - module: community.docker.docker_image_load
+  - module: community.docker.docker_image_pull
+  - module: community.docker.docker_image_push
+  - module: community.docker.docker_image_remove
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Pull an image
+  community.docker.docker_image:
+    name: pacur/centos-7
+    source: pull
+  # Select platform for pulling. If not specified, will pull whatever docker prefers.
+    pull:
+      platform: amd64
+
+- name: Tag and push to docker hub
+  community.docker.docker_image:
+    name: pacur/centos-7:56
+    repository: dcoppenhagan/myimage:7.56
+    push: true
+    source: local
+
+- name: Tag and push to local registry
+  community.docker.docker_image:
+  # Image will be centos:7
+    name: centos
+  # Will be pushed to localhost:5000/centos:7
+    repository: localhost:5000/centos
+    tag: 7
+    push: true
+    source: local
+
+- name: Add tag latest to image
+  community.docker.docker_image:
+    name: myimage:7.1.2
+    repository: myimage:latest
+  # As 'latest' usually already is present, we need to enable overwriting of existing tags:
+    force_tag: true
+    source: local
+
+- name: Remove image
+  community.docker.docker_image:
+    state: absent
+    name: registry.ansible.com/chouseknecht/sinatra
+    tag: v1
+
+- name: Build an image and push it to a private repo
+  community.docker.docker_image:
+    build:
+      path: ./sinatra
+    name: registry.ansible.com/chouseknecht/sinatra
+    tag: v1
+    push: true
+    source: build
+
+- name: Archive image
+  community.docker.docker_image:
+    name: registry.ansible.com/chouseknecht/sinatra
+    tag: v1
+    archive_path: my_sinatra.tar
+    source: local
+
+- name: Load image from archive and push to a private registry
+  community.docker.docker_image:
+    name: localhost:5000/myimages/sinatra
+    tag: v1
+    push: true
+    load_path: my_sinatra.tar
+    source: load
+
+- name: Build image and with build args
+  community.docker.docker_image:
+    name: myimage
+    build:
+      path: /path/to/build/dir
+      args:
+        log_volume: /var/log/myapp
+        listen_port: 8080
+    source: build
+
+- name: Build image using cache source
+  community.docker.docker_image:
+    name: myimage:latest
+    build:
+      path: /path/to/build/dir
+    # Use as cache source for building myimage
+      cache_from:
+        - nginx:latest
+        - alpine:3.8
+    source: build
+"""
+
+RETURN = r"""
+image:
+  description: Image inspection results for the affected image.
+  returned: success
+  type: dict
+  sample: {}
+stdout:
+  description: Docker build output when building an image.
+  returned: success
+  type: str
+  sample: ""
+  version_added: 1.0.0
+"""
+
+import base64
+import errno
+import json
+import os
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.auth import (
+    get_config_header,
+    resolve_repository_name,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.constants import (
+    CONTAINER_LIMITS_KEYS,
+    DEFAULT_DATA_CHUNK_SIZE,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.build import (
+    process_dockerfile,
+    tar,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    format_extra_hosts,
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._image_archive import (
+    ImageArchiveInvalidException,
+    api_image_id,
+    archived_image_manifest,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+    is_image_name_id,
+    is_valid_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+    from ansible.module_utils.basic import AnsibleModule
+
+
+def convert_to_bytes(
+    value: str | None,
+    module: AnsibleModule,
+    name: str,
+    unlimited_value: int | None = None,
+) -> int | None:
+    if value is None:
+        return value
+    try:
+        if unlimited_value is not None and value in ("unlimited", str(unlimited_value)):
+            return unlimited_value
+        return human_to_bytes(value)
+    except ValueError as exc:
+        module.fail_json(msg=f"Failed to convert {name} to bytes: {exc}")
+
+
+class ImageManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        """
+        Configure a docker_image task.
+
+        :param client: Ansible Docker Client wrapper over Docker client
+        :type client: AnsibleDockerClient
+        :param results: This task adds its output values to this dictionary
+        :type results: dict
+        """
+
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        parameters = self.client.module.params
+        self.check_mode = self.client.check_mode
+
+        self.source: t.Literal["build", "load", "pull", "local"] | None = parameters[
+            "source"
+        ]
+        build: dict[str, t.Any] = parameters["build"] or {}
+        pull: dict[str, t.Any] = parameters["pull"] or {}
+        self.archive_path: str | None = parameters["archive_path"]
+        self.cache_from: list[str] | None = build.get("cache_from")
+        self.container_limits: dict[str, t.Any] | None = build.get("container_limits")
+        if self.container_limits and "memory" in self.container_limits:
+            self.container_limits["memory"] = convert_to_bytes(
+                self.container_limits["memory"],
+                self.client.module,
+                "build.container_limits.memory",
+            )
+        if self.container_limits and "memswap" in self.container_limits:
+            self.container_limits["memswap"] = convert_to_bytes(
+                self.container_limits["memswap"],
+                self.client.module,
+                "build.container_limits.memswap",
+                unlimited_value=-1,
+            )
+        self.dockerfile: str | None = build.get("dockerfile")
+        self.force_source: bool = parameters["force_source"]
+        self.force_absent: bool = parameters["force_absent"]
+        self.force_tag: bool = parameters["force_tag"]
+        self.load_path: str | None = parameters["load_path"]
+        self.name: str = parameters["name"]
+        self.network: str | None = build.get("network")
+        self.extra_hosts: dict[str, str] = clean_dict_booleans_for_docker_api(
+            build.get("etc_hosts")  # type: ignore
+        )
+        self.nocache: bool = build.get("nocache", False)
+        self.build_path: str | None = build.get("path")
+        self.pull: bool | None = build.get("pull")
+        self.target: str | None = build.get("target")
+        self.repository: str | None = parameters["repository"]
+        self.rm: bool = build.get("rm", True)
+        self.state: t.Literal["absent", "present"] = parameters["state"]
+        self.tag: str = parameters["tag"]
+        self.http_timeout: int | None = build.get("http_timeout")
+        self.pull_platform: str | None = pull.get("platform")
+        self.push: bool = parameters["push"]
+        self.buildargs: dict[str, t.Any] | None = build.get("args")
+        self.build_platform: str | None = build.get("platform")
+        self.use_config_proxy: bool | None = build.get("use_config_proxy")
+        self.shm_size: int | None = convert_to_bytes(
+            build.get("shm_size"), self.client.module, "build.shm_size"
+        )
+        self.labels: dict[str, str] = clean_dict_booleans_for_docker_api(
+            build.get("labels")  # type: ignore
+        )
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        if not is_image_name_id(self.name):
+            repo, repo_tag = parse_repository_tag(self.name)
+            if repo_tag:
+                self.name = repo
+                self.tag = repo_tag
+
+        # Sanity check: fail early when we know that something will fail later
+        if self.repository and is_image_name_id(self.repository):
+            self.fail(f"`repository` must not be an image ID; got: {self.repository}")
+        if not self.repository and self.push and is_image_name_id(self.name):
+            self.fail(
+                f"Cannot push an image by ID; specify `repository` to tag and push the image with ID {self.name} instead"
+            )
+
+        if self.state == "present":
+            self.present()
+        elif self.state == "absent":
+            self.absent()
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def present(self) -> None:
+        """
+        Handles state = 'present', which includes building, loading or pulling an image,
+        depending on user provided parameters.
+
+        :returns None
+        """
+        if is_image_name_id(self.name):
+            image = self.client.find_image_by_id(self.name, accept_missing_image=True)
+        else:
+            image = self.client.find_image(name=self.name, tag=self.tag)
+
+        if not image or self.force_source:
+            if self.source == "build":
+                if is_image_name_id(self.name):
+                    self.fail(
+                        f"Image name must not be an image ID for source=build; got: {self.name}"
+                    )
+
+                # Build the image
+                assert self.build_path is not None
+                if not os.path.isdir(self.build_path):
+                    self.fail(
+                        f"Requested build path {self.build_path} could not be found or you do not have access."
+                    )
+                image_name = self.name
+                if self.tag:
+                    image_name = f"{self.name}:{self.tag}"
+                self.log(f"Building image {image_name}")
+                self.results["actions"].append(
+                    f"Built image {image_name} from {self.build_path}"
+                )
+                self.results["changed"] = True
+                if not self.check_mode:
+                    self.results.update(self.build_image())
+
+            elif self.source == "load":
+                assert self.load_path is not None
+                # Load the image from an archive
+                if not os.path.isfile(self.load_path):
+                    self.fail(
+                        f"Error loading image {self.name}. Specified path {self.load_path} does not exist."
+                    )
+                image_name = self.name
+                if self.tag and not is_image_name_id(image_name):
+                    image_name = f"{self.name}:{self.tag}"
+                self.results["actions"].append(
+                    f"Loaded image {image_name} from {self.load_path}"
+                )
+                self.results["changed"] = True
+                if not self.check_mode:
+                    self.results["image"] = self.load_image()
+            elif self.source == "pull":
+                if is_image_name_id(self.name):
+                    self.fail(
+                        f"Image name must not be an image ID for source=pull; got: {self.name}"
+                    )
+
+                # pull the image
+                self.results["actions"].append(f"Pulled image {self.name}:{self.tag}")
+                self.results["changed"] = True
+                if not self.check_mode:
+                    self.results["image"], dummy = self.client.pull_image(
+                        self.name, tag=self.tag, image_platform=self.pull_platform
+                    )
+            elif self.source == "local":
+                if image is None:
+                    name = self.name
+                    if self.tag and not is_image_name_id(name):
+                        name = f"{self.name}:{self.tag}"
+                    self.client.fail(f"Cannot find the image {name} locally.")
+            if (
+                not self.check_mode
+                and image
+                and image["Id"] == self.results["image"]["Id"]
+            ):
+                self.results["changed"] = False
+        else:
+            self.results["image"] = image
+
+        if self.archive_path:
+            self.archive_image(self.name, self.tag)
+
+        if self.push and not self.repository:
+            self.push_image(self.name, self.tag)
+        elif self.repository:
+            self.tag_image(self.name, self.tag, self.repository, push=self.push)
+
+    def absent(self) -> None:
+        """
+        Handles state = 'absent', which removes an image.
+
+        :return None
+        """
+        name = self.name
+        if is_image_name_id(name):
+            image = self.client.find_image_by_id(name, accept_missing_image=True)
+        else:
+            image = self.client.find_image(name, self.tag)
+            if self.tag:
+                name = f"{self.name}:{self.tag}"
+        if image:
+            if not self.check_mode:
+                try:
+                    self.client.delete_json(
+                        "/images/{0}", name, params={"force": self.force_absent}
+                    )
+                except NotFound:
+                    # If the image vanished while we were trying to remove it, do not fail
+                    pass
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(f"Error removing image {name} - {exc}")
+
+            self.results["changed"] = True
+            self.results["actions"].append(f"Removed image {name}")
+            self.results["image"]["state"] = "Deleted"
+
+    @staticmethod
+    def archived_image_action(
+        failure_logger: Callable[[str], None],
+        archive_path: str,
+        current_image_name: str,
+        current_image_id: str,
+    ) -> str | None:
+        """
+        If the archive is missing or requires replacement, return an action message.
+
+        :param failure_logger: a logging function that accepts one parameter of type str
+        :type failure_logger: Callable
+        :param archive_path: Filename to write archive to
+        :type archive_path: str
+        :param current_image_name: repo:tag
+        :type current_image_name: str
+        :param current_image_id: Hash, including hash type prefix such as "sha256:"
+        :type current_image_id: str
+
+        :returns: Either None, or an Ansible action message.
+        :rtype: str
+        """
+
+        def build_msg(reason: str) -> str:
+            return f"Archived image {current_image_name} to {archive_path}, {reason}"
+
+        try:
+            archived = archived_image_manifest(archive_path)
+        except ImageArchiveInvalidException as exc:
+            failure_logger(f"Unable to extract manifest summary from archive: {exc}")
+            return build_msg("overwriting an unreadable archive file")
+
+        if archived is None:
+            return build_msg("since none present")
+        if (
+            current_image_id == api_image_id(archived.image_id)
+            and [current_image_name] == archived.repo_tags
+        ):
+            return None
+        name = ", ".join(archived.repo_tags)
+
+        return build_msg(
+            f"overwriting archive with image {archived.image_id} named {name}"
+        )
+
+    def archive_image(self, name: str, tag: str | None) -> None:
+        """
+        Archive an image to a .tar file. Called when archive_path is passed.
+
+        :param name: Name/repository of the image
+        :type name: str
+        :param tag: Optional image tag; assumed to be "latest" if None
+        :type tag: str | None
+        """
+        assert self.archive_path is not None
+
+        if not tag:
+            tag = "latest"
+
+        if is_image_name_id(name):
+            image = self.client.find_image_by_id(name, accept_missing_image=True)
+            image_name = name
+        else:
+            image = self.client.find_image(name=name, tag=tag)
+            image_name = f"{name}:{tag}"
+
+        if not image:
+            self.log(f"archive image: image {image_name} not found")
+            return
+
+        # Will have a 'sha256:' prefix
+        image_id = image["Id"]
+
+        action = self.archived_image_action(
+            self.client.module.debug, self.archive_path, image_name, image_id
+        )
+
+        if action:
+            self.results["actions"].append(action)
+
+        self.results["changed"] = action is not None
+
+        if (not self.check_mode) and self.results["changed"]:
+            self.log(f"Getting archive of image {image_name}")
+            try:
+                saved_image = self.client._stream_raw_result(
+                    self.client._get(
+                        self.client._url("/images/{0}/get", image_name), stream=True
+                    ),
+                    chunk_size=DEFAULT_DATA_CHUNK_SIZE,
+                    decode=False,
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error getting image {image_name} - {exc}")
+
+            try:
+                with open(self.archive_path, "wb") as fd:
+                    for chunk in saved_image:
+                        fd.write(chunk)
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error writing image archive {self.archive_path} - {exc}")
+
+        self.results["image"] = image
+
+    def push_image(self, name: str, tag: str | None = None) -> None:
+        """
+        If the name of the image contains a repository path, then push the image.
+
+        :param name Name of the image to push.
+        :param tag Use a specific tag.
+        :return: None
+        """
+
+        if is_image_name_id(name):
+            self.fail(f"Cannot push an image ID: {name}")
+
+        repository = name
+        if not tag:
+            repository, tag = parse_repository_tag(name)
+        registry, repo_name = resolve_repository_name(repository)
+
+        self.log(f"push {self.name} to {registry}/{repo_name}:{tag}")
+
+        if registry:
+            self.results["actions"].append(
+                f"Pushed image {self.name} to {registry}/{repo_name}:{tag}"
+            )
+            self.results["changed"] = True
+            if not self.check_mode:
+                status = None
+                try:
+                    changed = False
+
+                    push_repository, push_tag = repository, tag
+                    if not push_tag:
+                        push_repository, push_tag = parse_repository_tag(
+                            push_repository
+                        )
+                    push_registry, dummy = resolve_repository_name(push_repository)
+                    headers = {}
+                    header = get_config_header(self.client, push_registry)
+                    if not header:
+                        # For some reason, from Docker 28.3.3 on not specifying X-Registry-Auth seems to be invalid.
+                        # See https://github.com/moby/moby/issues/50614.
+                        header = base64.urlsafe_b64encode(b"{}")
+                    headers["X-Registry-Auth"] = header
+                    response = self.client._post_json(
+                        self.client._url("/images/{0}/push", push_repository),
+                        data=None,
+                        headers=headers,
+                        stream=True,
+                        params={"tag": push_tag},
+                    )
+                    self.client._raise_for_status(response)
+                    for line in self.client._stream_helper(response, decode=True):
+                        self.log(line, pretty_print=True)
+                        if line.get("errorDetail"):
+                            raise RuntimeError(line["errorDetail"]["message"])
+                        status = line.get("status")
+                        if status in ("Pushing", "Pushed"):
+                            changed = True
+                    self.results["changed"] = changed
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    if "unauthorized" in str(exc):
+                        if "authentication required" in str(exc):
+                            self.fail(
+                                f"Error pushing image {registry}/{repo_name}:{tag} - {exc}. Try logging into {registry} first."
+                            )
+                        else:
+                            self.fail(
+                                f"Error pushing image {registry}/{repo_name}:{tag} - {exc}. Does the repository exist?"
+                            )
+                    self.fail(f"Error pushing image {repository}: {exc}")
+                self.results["image"] = self.client.find_image(name=repository, tag=tag)
+                if not self.results["image"]:
+                    self.results["image"] = {}
+                self.results["image"]["push_status"] = status
+
+    def tag_image(
+        self, name: str, tag: str, repository: str, push: bool = False
+    ) -> None:
+        """
+        Tag an image into a repository.
+
+        :param name: name of the image. required.
+        :param tag: image tag.
+        :param repository: path to the repository. required.
+        :param push: bool. push the image once it is tagged.
+        :return: None
+        """
+        repo, repo_tag = parse_repository_tag(repository)
+        if not repo_tag:
+            repo_tag = "latest"
+            if tag:
+                repo_tag = tag
+        image = self.client.find_image(name=repo, tag=repo_tag)
+        found = "found" if image else "not found"
+        self.log(f"image {repo} was {found}")
+
+        if not image or self.force_tag:
+            image_name = name
+            if not is_image_name_id(name) and tag and not name.endswith(":" + tag):
+                image_name = f"{name}:{tag}"
+            self.log(f"tagging {image_name} to {repo}:{repo_tag}")
+            self.results["changed"] = True
+            self.results["actions"].append(
+                f"Tagged image {image_name} to {repo}:{repo_tag}"
+            )
+            if not self.check_mode:
+                try:
+                    # Finding the image does not always work, especially running a localhost registry. In those
+                    # cases, if we do not set force=True, it errors.
+                    params = {
+                        "tag": repo_tag,
+                        "repo": repo,
+                        "force": True,
+                    }
+                    res = self.client._post(
+                        self.client._url("/images/{0}/tag", image_name), params=params
+                    )
+                    self.client._raise_for_status(res)
+                    if res.status_code != 201:
+                        raise RuntimeError("Tag operation failed.")
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(f"Error: failed to tag image - {exc}")
+                self.results["image"] = self.client.find_image(name=repo, tag=repo_tag)
+                if image and image["Id"] == self.results["image"]["Id"]:
+                    self.results["changed"] = False
+
+        if push:
+            self.push_image(repo, repo_tag)
+
+    @staticmethod
+    def _extract_output_line(line: dict[str, t.Any], output: list[str]) -> None:
+        """
+        Extract text line from stream output and, if found, adds it to output.
+        """
+        if "stream" in line or "status" in line:
+            # Make sure we have a string (assuming that line['stream'] and
+            # line['status'] are either not defined, falsish, or a string)
+            text_line = line.get("stream") or line.get("status") or ""
+            output.extend(text_line.splitlines())
+
+    def build_image(self) -> dict[str, t.Any]:
+        """
+        Build an image
+
+        :return: image dict
+        """
+        assert self.build_path is not None
+        remote = context = None
+        headers: dict[str, str | bytes] = {}
+        buildargs = {}
+        if self.buildargs:
+            for key, value in self.buildargs.items():
+                buildargs[key] = to_text(value)
+
+        container_limits = self.container_limits or {}
+        for key in container_limits:
+            if key not in CONTAINER_LIMITS_KEYS:
+                raise DockerException(f"Invalid container_limits key {key}")
+
+        dockerfile: tuple[str, str | None] | tuple[None, None] | str | None = (
+            self.dockerfile
+        )
+        if self.build_path.startswith(
+            ("http://", "https://", "git://", "github.com/", "git@")
+        ):
+            remote = self.build_path
+        elif not os.path.isdir(self.build_path):
+            raise TypeError("You must specify a directory to build in path")
+        else:
+            dockerignore = os.path.join(self.build_path, ".dockerignore")
+            exclude = None
+            if os.path.exists(dockerignore):
+                with open(dockerignore, "rt", encoding="utf-8") as f:
+                    exclude = list(
+                        filter(
+                            lambda x: x != "" and x[0] != "#",
+                            [line.strip() for line in f.read().splitlines()],
+                        )
+                    )
+            dockerfile_data = process_dockerfile(self.dockerfile, self.build_path)
+            dockerfile = dockerfile_data
+            context = tar(
+                self.build_path, exclude=exclude, dockerfile=dockerfile_data, gzip=False
+            )
+
+        params: dict[str, t.Any] = {
+            "t": f"{self.name}:{self.tag}" if self.tag else self.name,
+            "remote": remote,
+            "q": False,
+            "nocache": self.nocache,
+            "rm": self.rm,
+            "forcerm": self.rm,
+            "pull": self.pull,
+            "dockerfile": dockerfile,
+        }
+        params.update(container_limits)
+
+        if self.use_config_proxy:
+            proxy_args = self.client._proxy_configs.get_environment()
+            for k, v in proxy_args.items():
+                buildargs.setdefault(k, v)
+        if buildargs:
+            params.update({"buildargs": json.dumps(buildargs)})
+
+        if self.cache_from:
+            params.update({"cachefrom": json.dumps(self.cache_from)})
+
+        if self.target:
+            params.update({"target": self.target})
+
+        if self.network:
+            params.update({"networkmode": self.network})
+
+        if self.extra_hosts is not None:
+            params.update({"extrahosts": format_extra_hosts(self.extra_hosts)})
+
+        if self.build_platform is not None:
+            params["platform"] = self.build_platform
+
+        if self.shm_size is not None:
+            params["shmsize"] = self.shm_size
+
+        if self.labels:
+            params["labels"] = json.dumps(self.labels)
+
+        if context is not None:
+            headers["Content-Type"] = "application/tar"
+
+        self.client._set_auth_headers(headers)
+
+        response = self.client._post(
+            self.client._url("/build"),
+            data=context,
+            params=params,
+            headers=headers,
+            stream=True,
+            timeout=self.http_timeout,
+        )
+
+        if context is not None:
+            context.close()
+
+        build_output: list[str] = []
+        for line in self.client._stream_helper(response, decode=True):
+            # line = json.loads(line)
+            self.log(line, pretty_print=True)
+            self._extract_output_line(line, build_output)
+
+            if line.get("error"):
+                if line.get("errorDetail"):
+                    error_detail = line.get("errorDetail")
+                    self.fail(
+                        f"Error building {self.name} - code: {error_detail.get('code')}, message: {error_detail.get('message')}, logs: {build_output}"
+                    )
+                else:
+                    self.fail(
+                        f"Error building {self.name} - message: {line.get('error')}, logs: {build_output}"
+                    )
+
+        return {
+            "stdout": "\n".join(build_output),
+            "image": self.client.find_image(name=self.name, tag=self.tag),
+        }
+
+    def load_image(self) -> dict[str, t.Any] | None:
+        """
+        Load an image from a .tar archive
+
+        :return: image dict
+        """
+        # Load image(s) from file
+        assert self.load_path is not None
+        load_output: list[str] = []
+        has_output = False
+        try:
+            self.log(f"Opening image {self.load_path}")
+            with open(self.load_path, "rb") as image_tar:
+                self.log(f"Loading image from {self.load_path}")
+                res = self.client._post(
+                    self.client._url("/images/load"), data=image_tar, stream=True
+                )
+                if LooseVersion(self.client.api_version) >= LooseVersion("1.23"):
+                    has_output = True
+                    for line in self.client._stream_helper(res, decode=True):
+                        self.log(line, pretty_print=True)
+                        self._extract_output_line(line, load_output)
+                else:
+                    self.client._raise_for_status(res)
+                    self.client.module.warn(
+                        "The API version of your Docker daemon is < 1.23, which does not return the image"
+                        " loading result from the Docker daemon. Therefore, we cannot verify whether the"
+                        " expected image was loaded, whether multiple images where loaded, or whether the load"
+                        " actually succeeded. You should consider upgrading your Docker daemon."
+                    )
+        except EnvironmentError as exc:
+            if exc.errno == errno.ENOENT:
+                self.client.fail(f"Error opening image {self.load_path} - {exc}")
+            self.client.fail(
+                f"Error loading image {self.name} - {exc}",
+                stdout="\n".join(load_output),
+            )
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.client.fail(
+                f"Error loading image {self.name} - {exc}",
+                stdout="\n".join(load_output),
+            )
+
+        # Collect loaded images
+        if has_output:
+            # We can only do this when we actually got some output from Docker daemon
+            loaded_images = set()
+            loaded_image_ids = set()
+            for line in load_output:
+                if line.startswith("Loaded image:"):
+                    loaded_images.add(line[len("Loaded image:") :].strip())
+                if line.startswith("Loaded image ID:"):
+                    loaded_image_ids.add(
+                        line[len("Loaded image ID:") :].strip().lower()
+                    )
+
+            if not loaded_images and not loaded_image_ids:
+                self.client.fail(
+                    "Detected no loaded images. Archive potentially corrupt?",
+                    stdout="\n".join(load_output),
+                )
+
+            if is_image_name_id(self.name):
+                expected_image = self.name.lower()
+                found_image = expected_image not in loaded_image_ids
+            else:
+                expected_image = f"{self.name}:{self.tag}"
+                found_image = expected_image not in loaded_images
+            if found_image:
+                found_instead = ", ".join(
+                    sorted(
+                        [f"'{image}'" for image in loaded_images]
+                        + list(loaded_image_ids)
+                    )
+                )
+                self.client.fail(
+                    f"The archive did not contain image '{expected_image}'. Instead, found {found_instead}.",
+                    stdout="\n".join(load_output),
+                )
+            loaded_images.remove(expected_image)
+
+            if loaded_images:
+                found_more = ", ".join(
+                    sorted(
+                        [f"'{image}'" for image in loaded_images]
+                        + list(loaded_image_ids)
+                    )
+                )
+                self.client.module.warn(
+                    f"The archive contained more images than specified: {found_more}"
+                )
+
+        if is_image_name_id(self.name):
+            return self.client.find_image_by_id(self.name, accept_missing_image=True)
+        return self.client.find_image(self.name, self.tag)
+
+
+def main() -> None:
+    argument_spec = {
+        "source": {"type": "str", "choices": ["build", "load", "pull", "local"]},
+        "build": {
+            "type": "dict",
+            "options": {
+                "cache_from": {"type": "list", "elements": "str"},
+                "container_limits": {
+                    "type": "dict",
+                    "options": {
+                        "memory": {"type": "str"},
+                        "memswap": {"type": "str"},
+                        "cpushares": {"type": "int"},
+                        "cpusetcpus": {"type": "str"},
+                    },
+                },
+                "dockerfile": {"type": "str"},
+                "http_timeout": {"type": "int"},
+                "network": {"type": "str"},
+                "nocache": {"type": "bool", "default": False},
+                "path": {"type": "path", "required": True},
+                "pull": {"type": "bool", "default": False},
+                "rm": {"type": "bool", "default": True},
+                "args": {"type": "dict"},
+                "use_config_proxy": {"type": "bool"},
+                "target": {"type": "str"},
+                "etc_hosts": {"type": "dict"},
+                "platform": {"type": "str"},
+                "shm_size": {"type": "str"},
+                "labels": {"type": "dict"},
+            },
+        },
+        "archive_path": {"type": "path"},
+        "force_source": {"type": "bool", "default": False},
+        "force_absent": {"type": "bool", "default": False},
+        "force_tag": {"type": "bool", "default": False},
+        "load_path": {"type": "path"},
+        "name": {"type": "str", "required": True},
+        "pull": {
+            "type": "dict",
+            "options": {
+                "platform": {"type": "str"},
+            },
+        },
+        "push": {"type": "bool", "default": False},
+        "repository": {"type": "str"},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["absent", "present"],
+        },
+        "tag": {"type": "str", "default": "latest"},
+    }
+
+    required_if = [
+        ("state", "present", ["source"]),
+        ("source", "build", ["build"]),
+        ("source", "load", ["load_path"]),
+    ]
+
+    def detect_etc_hosts(client: AnsibleDockerClient) -> bool:
+        return client.module.params["build"] and bool(
+            client.module.params["build"].get("etc_hosts")
+        )
+
+    def detect_build_platform(client: AnsibleDockerClient) -> bool:
+        return (
+            client.module.params["build"]
+            and client.module.params["build"].get("platform") is not None
+        )
+
+    def detect_pull_platform(client: AnsibleDockerClient) -> bool:
+        return (
+            client.module.params["pull"]
+            and client.module.params["pull"].get("platform") is not None
+        )
+
+    option_minimal_versions = {
+        "build.etc_hosts": {
+            "docker_api_version": "1.27",
+            "detect_usage": detect_etc_hosts,
+        },
+        "build.platform": {
+            "docker_api_version": "1.32",
+            "detect_usage": detect_build_platform,
+        },
+        "pull.platform": {
+            "docker_api_version": "1.32",
+            "detect_usage": detect_pull_platform,
+        },
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        required_if=required_if,
+        supports_check_mode=True,
+        option_minimal_versions=option_minimal_versions,
+    )
+
+    if not is_valid_tag(client.module.params["tag"], allow_empty=True):
+        client.fail(f'"{client.module.params["tag"]}" is not a valid docker tag!')
+
+    if client.module.params["source"] == "build" and (
+        not client.module.params["build"]
+        or not client.module.params["build"].get("path")
+    ):
+        client.fail(
+            'If "source" is set to "build", the "build.path" option must be specified.'
+        )
+
+    try:
+        results = {"changed": False, "actions": [], "image": {}}
+
+        ImageManager(client, results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_build.py b/ansible_collections/community/docker/plugins/modules/docker_image_build.py
new file mode 100644
index 00000000..53d0f135
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_build.py
@@ -0,0 +1,647 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_build
+
+short_description: Build Docker images using Docker buildx
+
+version_added: 3.6.0
+
+description:
+  - This module allows you to build Docker images using Docker's buildx plugin (BuildKit).
+  - Note that the module is B(not idempotent) in the sense of classical Ansible modules. The only idempotence check is whether
+    the built image already exists. This check can be disabled with the O(rebuild) option.
+extends_documentation_fragment:
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - If O(rebuild=always) the module is not idempotent.
+
+options:
+  name:
+    description:
+      - 'Image name. Name format will be one of: C(name), C(repository/name), C(registry_server:port/name). When pushing or
+        pulling an image the name can optionally include the tag by appending C(:tag_name).'
+      - Note that image IDs (hashes) and names with digest cannot be used.
+    type: str
+    required: true
+  tag:
+    description:
+      - Tag for the image name O(name) that is to be tagged.
+      - If O(name)'s format is C(name:tag), then the tag value from O(name) will take precedence.
+    type: str
+    default: latest
+  path:
+    description:
+      - The path for the build environment.
+    type: path
+    required: true
+  dockerfile:
+    description:
+      - Provide an alternate name for the Dockerfile to use when building an image.
+      - This can also include a relative path (relative to O(path)).
+    type: str
+  cache_from:
+    description:
+      - List of image names to consider as cache source.
+    type: list
+    elements: str
+  pull:
+    description:
+      - When building an image downloads any updates to the FROM image in Dockerfile.
+    type: bool
+    default: false
+  network:
+    description:
+      - The network to use for C(RUN) build instructions.
+    type: str
+  nocache:
+    description:
+      - Do not use cache when building an image.
+    type: bool
+    default: false
+  etc_hosts:
+    description:
+      - Extra hosts to add to C(/etc/hosts) in building containers, as a mapping of hostname to IP address.
+      - Instead of an IP address, the special value V(host-gateway) can also be used, which resolves to the host's gateway
+        IP and allows building containers to connect to services running on the host.
+    type: dict
+  args:
+    description:
+      - Provide a dictionary of C(key:value) build arguments that map to Dockerfile ARG directive.
+      - Docker expects the value to be a string. For convenience any non-string values will be converted to strings.
+    type: dict
+  target:
+    description:
+      - When building an image specifies an intermediate build stage by name as a final stage for the resulting image.
+    type: str
+  platform:
+    description:
+      - Platforms in the format C(os[/arch[/variant]]).
+      - Since community.docker 3.10.0 this can be a list of platforms, instead of just a single platform.
+    type: list
+    elements: str
+  shm_size:
+    description:
+      - Size of C(/dev/shm) in format C(<number>[<unit>]). Number is positive integer. Unit can be V(B) (byte), V(K) (kibibyte,
+        1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes. If you omit the size entirely, Docker daemon uses V(64M).
+    type: str
+  labels:
+    description:
+      - Dictionary of key value pairs.
+    type: dict
+  rebuild:
+    description:
+      - Defines the behavior of the module if the image to build (as specified in O(name) and O(tag)) already exists.
+    type: str
+    choices:
+      - never
+      - always
+    default: never
+  secrets:
+    description:
+      - Secrets to expose to the build.
+    type: list
+    elements: dict
+    version_added: 3.10.0
+    suboptions:
+      id:
+        description:
+          - The secret identifier.
+          - The secret will be made available as a file in the container under C(/run/secrets/<id>).
+        type: str
+        required: true
+      type:
+        description:
+          - Type of the secret.
+        type: str
+        choices:
+          file:
+            - Reads the secret from a file on the target.
+            - The file must be specified in O(secrets[].src).
+          env:
+            - Reads the secret from an environment variable on the target.
+            - The environment variable must be named in O(secrets[].env).
+            - Note that this requires the Buildkit plugin to have version 0.6.0 or newer.
+          value:
+            - Provides the secret from a given value O(secrets[].value).
+            - B(Note) that the secret will be passed as an environment variable to C(docker compose). Use another mean of
+              transport if you consider this not safe enough.
+            - Note that this requires the Buildkit plugin to have version 0.6.0 or newer.
+        required: true
+      src:
+        description:
+          - Source path of the secret.
+          - Only supported and required for O(secrets[].type=file).
+        type: path
+      env:
+        description:
+          - Environment value of the secret.
+          - Only supported and required for O(secrets[].type=env).
+        type: str
+      value:
+        description:
+          - Value of the secret.
+          - B(Note) that the secret will be passed as an environment variable to C(docker compose). Use another mean of transport
+            if you consider this not safe enough.
+          - Only supported and required for O(secrets[].type=value).
+        type: str
+  outputs:
+    description:
+      - Output destinations.
+      - You can provide a list of exporters to export the built image in various places. Note that not all exporters might
+        be supported by the build driver used.
+      - Note that depending on how this option is used, no image with name O(name) and tag O(tag) might be created, which
+        can cause the basic idempotency this module offers to not work.
+      - Providing an empty list to this option is equivalent to not specifying it at all. The default behavior is a single
+        entry with O(outputs[].type=image).
+      - B(Note) that since community.docker 4.2.0, an entry for O(name)/O(tag) is added if O(outputs) has at least one entry
+        and no entry has type O(outputs[].type=image) and includes O(name)/O(tag) in O(outputs[].name). This is because the
+        module would otherwise pass C(--tag name:image) to the buildx plugin, which for some reason overwrites all images
+        in O(outputs) by the C(name:image) provided in O(name)/O(tag).
+    type: list
+    elements: dict
+    version_added: 3.10.0
+    suboptions:
+      type:
+        description:
+          - The type of exporter to use.
+        type: str
+        choices:
+          local:
+            - This export type writes all result files to a directory on the client. The new files will be owned by the current
+              user. On multi-platform builds, all results will be put in subdirectories by their platform.
+            - The destination has to be provided in O(outputs[].dest).
+          tar:
+            - This export type export type writes all result files as a single tarball on the client. On multi-platform builds,
+              all results will be put in subdirectories by their platform.
+            - The destination has to be provided in O(outputs[].dest).
+          oci:
+            - This export type writes the result image or manifest list as an L(OCI image layout,
+              https://github.com/opencontainers/image-spec/blob/v1.0.1/image-layout.md)
+              tarball on the client.
+            - The destination has to be provided in O(outputs[].dest).
+          docker:
+            - This export type writes the single-platform result image as a Docker image specification tarball on the client.
+              Tarballs created by this exporter are also OCI compatible.
+            - The destination can be provided in O(outputs[].dest). If not specified, the tar will be loaded automatically
+              to the local image store.
+            - The Docker context where to import the result can be provided in O(outputs[].context).
+          image:
+            - This exporter writes the build result as an image or a manifest list. When using this driver, the image will
+              appear in C(docker images).
+            - The image name can be provided in O(outputs[].name). If it is not provided, O(name) and O(tag) will be used.
+            - Optionally, image can be automatically pushed to a registry by setting O(outputs[].push=true).
+        required: true
+      dest:
+        description:
+          - The destination path.
+          - Required for O(outputs[].type=local), O(outputs[].type=tar), O(outputs[].type=oci).
+          - Optional for O(outputs[].type=docker).
+        type: path
+      context:
+        description:
+          - Name for the Docker context where to import the result.
+          - Optional for O(outputs[].type=docker).
+        type: str
+      name:
+        description:
+          - Name(s) under which the image is stored under.
+          - If not provided, O(name) and O(tag) will be used.
+          - Optional for O(outputs[].type=image).
+          - This can be a list of strings since community.docker 4.2.0.
+        type: list
+        elements: str
+      push:
+        description:
+          - Whether to push the built image to a registry.
+          - Only used for O(outputs[].type=image).
+        type: bool
+        default: false
+requirements:
+  - "Docker CLI with Docker buildx plugin"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_push
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Build Python 3.12 image
+  community.docker.docker_image_build:
+    name: localhost/python/3.12:latest
+    path: /home/user/images/python
+    dockerfile: Dockerfile-3.12
+
+- name: Build multi-platform image
+  community.docker.docker_image_build:
+    name: multi-platform-image
+    tag: "1.5.2"
+    path: /home/user/images/multi-platform
+    platform:
+      - linux/amd64
+      - linux/arm64/v8
+"""
+
+RETURN = r"""
+image:
+  description: Image inspection results for the affected image.
+  returned: success
+  type: dict
+  sample: {}
+
+command:
+  description: The command executed.
+  returned: success and for some failures
+  type: list
+  elements: str
+  version_added: 4.2.0
+"""
+
+import base64
+import os
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+    is_image_name_id,
+    is_valid_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.module_utils.basic import AnsibleModule
+
+
+def convert_to_bytes(
+    value: str | None,
+    module: AnsibleModule,
+    name: str,
+    unlimited_value: int | None = None,
+) -> int | None:
+    if value is None:
+        return value
+    try:
+        if unlimited_value is not None and value in ("unlimited", str(unlimited_value)):
+            return unlimited_value
+        return human_to_bytes(value)
+    except ValueError as exc:
+        module.fail_json(msg=f"Failed to convert {name} to bytes: {exc}")
+
+
+def dict_to_list(dictionary: dict[str, t.Any], concat: str = "=") -> list[str]:
+    return [f"{k}{concat}{v}" for k, v in sorted(dictionary.items())]
+
+
+def _quote_csv(text: str) -> str:
+    if text.strip() == text and all(i not in text for i in '",\r\n'):
+        return text
+    text = text.replace('"', '""')
+    return f'"{text}"'
+
+
+class ImageBuilder(DockerBaseClass):
+    def __init__(self, client: AnsibleModuleDockerClient) -> None:
+        super().__init__()
+        self.client = client
+        self.check_mode = self.client.check_mode
+        parameters = self.client.module.params
+
+        self.cache_from = parameters["cache_from"]
+        self.pull = parameters["pull"]
+        self.network = parameters["network"]
+        self.nocache = parameters["nocache"]
+        self.etc_hosts = clean_dict_booleans_for_docker_api(parameters["etc_hosts"])
+        self.args = clean_dict_booleans_for_docker_api(parameters["args"])
+        self.target = parameters["target"]
+        self.platform = parameters["platform"]
+        self.shm_size = convert_to_bytes(
+            parameters["shm_size"], self.client.module, "shm_size"
+        )
+        self.labels = clean_dict_booleans_for_docker_api(parameters["labels"])
+        self.rebuild = parameters["rebuild"]
+        self.secrets = parameters["secrets"]
+        self.outputs = parameters["outputs"]
+
+        buildx = self.client.get_client_plugin_info("buildx")
+        if buildx is None:
+            self.fail(
+                f"Docker CLI {self.client.get_cli()} does not have the buildx plugin installed"
+            )
+        buildx_version = buildx["Version"].lstrip("v")
+
+        if self.secrets:
+            for secret in self.secrets:
+                if secret["type"] in ("env", "value") and LooseVersion(
+                    buildx_version
+                ) < LooseVersion("0.6.0"):
+                    self.fail(
+                        f"The Docker buildx plugin has version {buildx_version}, but 0.6.0 is needed for secrets of type=env and type=value"
+                    )
+        if (
+            self.outputs
+            and len(self.outputs) > 1
+            and LooseVersion(buildx_version) < LooseVersion("0.13.0")
+        ):
+            self.fail(
+                f"The Docker buildx plugin has version {buildx_version}, but 0.13.0 is needed to specify more than one output"
+            )
+
+        self.path = parameters["path"]
+        if not os.path.isdir(self.path):
+            self.fail(f'"{self.path}" is not an existing directory')
+        self.dockerfile = parameters["dockerfile"]
+        if self.dockerfile and not os.path.isfile(
+            os.path.join(self.path, self.dockerfile)
+        ):
+            self.fail(
+                f'"{os.path.join(self.path, self.dockerfile)}" is not an existing file'
+            )
+
+        self.name = parameters["name"]
+        self.tag = parameters["tag"]
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.fail(f'"{self.tag}" is not a valid docker tag')
+        if is_image_name_id(self.name):
+            self.fail("Image name must not be a digest")
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        repo, repo_tag = parse_repository_tag(self.name)
+        if repo_tag:
+            self.name = repo
+            self.tag = repo_tag
+
+        if is_image_name_id(self.tag):
+            self.fail("Image name must not contain a digest, but have a tag")
+
+        if self.outputs:
+            found = False
+            name_tag = f"{self.name}:{self.tag}"
+            for output in self.outputs:
+                if output["type"] == "image":
+                    if not output["name"]:
+                        # Since we no longer pass --tag if --output is provided, we need to set this manually
+                        output["name"] = [name_tag]
+                    if output["name"] and name_tag in output["name"]:
+                        found = True
+            if not found:
+                self.outputs.append(
+                    {
+                        "type": "image",
+                        "name": [name_tag],
+                        "push": False,
+                    }
+                )
+                if LooseVersion(buildx_version) < LooseVersion("0.13.0"):
+                    self.fail(
+                        f"The output does not include an image with name {name_tag}, and the Docker"
+                        f" buildx plugin has version {buildx_version} which only supports one output."
+                    )
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        self.client.fail(msg, **kwargs)
+
+    def add_list_arg(self, args: list[str], option: str, values: list[str]) -> None:
+        for value in values:
+            args.extend([option, value])
+
+    def add_args(self, args: list[str]) -> dict[str, t.Any]:
+        environ_update = {}
+        if not self.outputs:
+            args.extend(["--tag", f"{self.name}:{self.tag}"])
+        if self.dockerfile:
+            args.extend(["--file", os.path.join(self.path, self.dockerfile)])
+        if self.cache_from:
+            self.add_list_arg(args, "--cache-from", self.cache_from)
+        if self.pull:
+            args.append("--pull")
+        if self.network:
+            args.extend(["--network", self.network])
+        if self.nocache:
+            args.append("--no-cache")
+        if self.etc_hosts:
+            self.add_list_arg(args, "--add-host", dict_to_list(self.etc_hosts, ":"))
+        if self.args:
+            self.add_list_arg(args, "--build-arg", dict_to_list(self.args))
+        if self.target:
+            args.extend(["--target", self.target])
+        if self.platform:
+            for platform in self.platform:
+                args.extend(["--platform", platform])
+        if self.shm_size:
+            args.extend(["--shm-size", str(self.shm_size)])
+        if self.labels:
+            self.add_list_arg(args, "--label", dict_to_list(self.labels))
+        if self.secrets:
+            random_prefix = None
+            for index, secret in enumerate(self.secrets):
+                sid = secret["id"]
+                if secret["type"] == "file":
+                    src = secret["src"]
+                    args.extend(["--secret", f"id={sid},type=file,src={src}"])
+                if secret["type"] == "env":
+                    env = secret["src"]
+                    args.extend(["--secret", f"id={sid},type=env,env={env}"])
+                if secret["type"] == "value":
+                    # We pass values on using environment variables. The user has been warned in the documentation
+                    # that they should only use this mechanism when being comfortable with it.
+                    if random_prefix is None:
+                        # Use /dev/urandom to generate some entropy to make the environment variable's name unguessable
+                        random_prefix = (
+                            base64.b64encode(os.urandom(16))
+                            .decode("utf-8")
+                            .replace("=", "")
+                        )
+                    env_name = (
+                        f"ANSIBLE_DOCKER_COMPOSE_ENV_SECRET_{random_prefix}_{index}"
+                    )
+                    environ_update[env_name] = secret["value"]
+                    args.extend(["--secret", f"id={sid},type=env,env={env_name}"])
+        if self.outputs:
+            for output in self.outputs:
+                subargs = []
+                if output["type"] == "local":
+                    dest = output["dest"]
+                    subargs.extend(["type=local", f"dest={dest}"])
+                if output["type"] == "tar":
+                    dest = output["dest"]
+                    subargs.extend(["type=tar", f"dest={dest}"])
+                if output["type"] == "oci":
+                    dest = output["dest"]
+                    subargs.extend(["type=oci", f"dest={dest}"])
+                if output["type"] == "docker":
+                    subargs.append("type=docker")
+                    dest = output["dest"]
+                    if output["dest"] is not None:
+                        subargs.append(f"dest={dest}")
+                    if output["context"] is not None:
+                        context = output["context"]
+                        subargs.append(f"context={context}")
+                if output["type"] == "image":
+                    subargs.append("type=image")
+                    if output["name"] is not None:
+                        name = ",".join(output["name"])
+                        subargs.append(f"name={name}")
+                    if output["push"]:
+                        subargs.append("push=true")
+                if subargs:
+                    args.extend(
+                        ["--output", ",".join(_quote_csv(subarg) for subarg in subargs)]
+                    )
+        return environ_update
+
+    def build_image(self) -> dict[str, t.Any]:
+        image = self.client.find_image(self.name, self.tag)
+        results: dict[str, t.Any] = {
+            "changed": False,
+            "actions": [],
+            "image": image or {},
+        }
+
+        if image and self.rebuild == "never":
+            return results
+
+        results["changed"] = True
+        if not self.check_mode:
+            args = ["buildx", "build", "--progress", "plain"]
+            environ_update = self.add_args(args)
+            args.extend(["--", self.path])
+            rc, stdout, stderr = self.client.call_cli(
+                *args, environ_update=environ_update
+            )
+            if rc != 0:
+                self.fail(
+                    f"Building {self.name}:{self.tag} failed",
+                    stdout=to_text(stdout),
+                    stderr=to_text(stderr),
+                    command=args,
+                )
+            results["stdout"] = to_text(stdout)
+            results["stderr"] = to_text(stderr)
+            results["image"] = self.client.find_image(self.name, self.tag) or {}
+            results["command"] = args
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "tag": {"type": "str", "default": "latest"},
+        "path": {"type": "path", "required": True},
+        "dockerfile": {"type": "str"},
+        "cache_from": {"type": "list", "elements": "str"},
+        "pull": {"type": "bool", "default": False},
+        "network": {"type": "str"},
+        "nocache": {"type": "bool", "default": False},
+        "etc_hosts": {"type": "dict"},
+        "args": {"type": "dict"},
+        "target": {"type": "str"},
+        "platform": {"type": "list", "elements": "str"},
+        "shm_size": {"type": "str"},
+        "labels": {"type": "dict"},
+        "rebuild": {"type": "str", "choices": ["never", "always"], "default": "never"},
+        "secrets": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "id": {"type": "str", "required": True},
+                "type": {
+                    "type": "str",
+                    "choices": ["file", "env", "value"],
+                    "required": True,
+                },
+                "src": {"type": "path"},
+                "env": {"type": "str"},
+                "value": {"type": "str", "no_log": True},
+            },
+            "required_if": [
+                ("type", "file", ["src"]),
+                ("type", "env", ["env"]),
+                ("type", "value", ["value"]),
+            ],
+            "mutually_exclusive": [
+                ("src", "env", "value"),
+            ],
+            "no_log": False,
+        },
+        "outputs": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "type": {
+                    "type": "str",
+                    "choices": ["local", "tar", "oci", "docker", "image"],
+                    "required": True,
+                },
+                "dest": {"type": "path"},
+                "context": {"type": "str"},
+                "name": {"type": "list", "elements": "str"},
+                "push": {"type": "bool", "default": False},
+            },
+            "required_if": [
+                ("type", "local", ["dest"]),
+                ("type", "tar", ["dest"]),
+                ("type", "oci", ["dest"]),
+            ],
+            "mutually_exclusive": [
+                ("dest", "name"),
+                ("dest", "push"),
+                ("context", "name"),
+                ("context", "push"),
+            ],
+        },
+    }
+
+    client = AnsibleModuleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        needs_api_version=False,
+    )
+
+    try:
+        results = ImageBuilder(client).build_image()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_export.py b/ansible_collections/community/docker/plugins/modules/docker_image_export.py
new file mode 100644
index 00000000..b5cc10f3
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_export.py
@@ -0,0 +1,303 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_export
+
+short_description: Export (archive) Docker images
+
+version_added: 3.7.0
+
+description:
+  - Creates an archive (tarball) from one or more Docker images.
+  - This can be copied to another machine and loaded with M(community.docker.docker_image_load).
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - Whether the module is idempotent depends on the storage API used for images,
+        which determines how the image ID is computed. The idempotency check needs
+        that the image ID equals the ID stored in archive's C(manifest.json).
+        This seemed to have worked fine with the default storage backend up to Docker 28,
+        but seems to have changed in Docker 29.
+
+options:
+  names:
+    description:
+      - 'One or more image names. Name format will be one of: C(name), C(repository/name), C(registry_server:port/name). When
+        pushing or pulling an image the name can optionally include the tag by appending C(:tag_name).'
+      - Note that image IDs (hashes) can also be used.
+    type: list
+    elements: str
+    required: true
+    aliases:
+      - name
+  tag:
+    description:
+      - Tag for the image name O(name) that is to be tagged.
+      - If O(name)'s format is C(name:tag), then the tag value from O(name) will take precedence.
+    type: str
+    default: latest
+  path:
+    description:
+      - The C(.tar) file the image should be exported to.
+    type: path
+  force:
+    description:
+      - Export the image even if the C(.tar) file already exists and seems to contain the right image.
+    type: bool
+    default: false
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image
+  - module: community.docker.docker_image_info
+  - module: community.docker.docker_image_load
+"""
+
+EXAMPLES = r"""
+---
+- name: Export an image
+  community.docker.docker_image_export:
+    name: pacur/centos-7
+    path: /tmp/centos-7.tar
+
+- name: Export multiple images
+  community.docker.docker_image_export:
+    names:
+      - hello-world:latest
+      - pacur/centos-7:latest
+    path: /tmp/various.tar
+"""
+
+RETURN = r"""
+images:
+  description: Image inspection results for the affected images.
+  returned: success
+  type: list
+  elements: dict
+  sample: []
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.constants import (
+    DEFAULT_DATA_CHUNK_SIZE,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._image_archive import (
+    ImageArchiveInvalidException,
+    api_image_id,
+    load_archived_image_manifest,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+    is_valid_tag,
+)
+
+
+class ImageExportManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+
+        self.client = client
+        parameters = self.client.module.params
+        self.check_mode = self.client.check_mode
+
+        self.path = parameters["path"]
+        self.force = parameters["force"]
+        self.tag = parameters["tag"]
+
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.fail(f'"{self.tag}" is not a valid docker tag')
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        self.names = []
+        for name in parameters["names"]:
+            if is_image_name_id(name):
+                self.names.append({"id": name, "joined": name})
+            else:
+                repo, repo_tag = parse_repository_tag(name)
+                if not repo_tag:
+                    repo_tag = self.tag
+                self.names.append(
+                    {"name": repo, "tag": repo_tag, "joined": f"{repo}:{repo_tag}"}
+                )
+
+        if not self.names:
+            self.fail("At least one image name must be specified")
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def get_export_reason(self) -> str | None:
+        if self.force:
+            return "Exporting since force=true"
+
+        try:
+            archived_images = load_archived_image_manifest(self.path)
+            if archived_images is None:
+                return "Overwriting since no image is present in archive"
+        except ImageArchiveInvalidException as exc:
+            self.log(f"Unable to extract manifest summary from archive: {exc}")
+            return "Overwriting an unreadable archive file"
+
+        left_names = list(self.names)
+        for archived_image in archived_images:
+            found = False
+            for i, name in enumerate(left_names):
+                if (
+                    name["id"] == api_image_id(archived_image.image_id)
+                    and [name["joined"]] == archived_image.repo_tags
+                ):
+                    del left_names[i]
+                    found = True
+                    break
+            if not found:
+                return f"Overwriting archive since it contains unexpected image {archived_image.image_id} named {', '.join(archived_image.repo_tags)}"
+        if left_names:
+            return f"Overwriting archive since it is missing image(s) {', '.join([name['joined'] for name in left_names])}"
+
+        return None
+
+    def write_chunks(self, chunks: t.Generator[bytes]) -> None:
+        try:
+            with open(self.path, "wb") as fd:
+                for chunk in chunks:
+                    fd.write(chunk)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(f"Error writing image archive {self.path} - {exc}")
+
+    def export_images(self) -> None:
+        image_names = [name["joined"] for name in self.names]
+        image_names_str = ", ".join(image_names)
+        if len(image_names) == 1:
+            self.log(f"Getting archive of image {image_names[0]}")
+            try:
+                chunks = self.client._stream_raw_result(
+                    self.client._get(
+                        self.client._url("/images/{0}/get", image_names[0]), stream=True
+                    ),
+                    chunk_size=DEFAULT_DATA_CHUNK_SIZE,
+                    decode=False,
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error getting image {image_names[0]} - {exc}")
+        else:
+            self.log(f"Getting archive of images {image_names_str}")
+            try:
+                chunks = self.client._stream_raw_result(
+                    self.client._get(
+                        self.client._url("/images/get"),
+                        stream=True,
+                        params={"names": image_names},
+                    ),
+                    chunk_size=DEFAULT_DATA_CHUNK_SIZE,
+                    decode=False,
+                )
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error getting images {image_names_str} - {exc}")
+
+        self.write_chunks(chunks)
+
+    def run(self) -> dict[str, t.Any]:
+        tag = self.tag
+        if not tag:
+            tag = "latest"
+
+        images = []
+        for name in self.names:
+            if "id" in name:
+                image = self.client.find_image_by_id(
+                    name["id"], accept_missing_image=True
+                )
+            else:
+                image = self.client.find_image(name=name["name"], tag=name["tag"])
+            if not image:
+                self.fail(f"Image {name['joined']} not found")
+            images.append(image)
+
+            # Will have a 'sha256:' prefix
+            name["id"] = image["Id"]
+
+        results = {
+            "changed": False,
+            "images": images,
+        }
+
+        reason = self.get_export_reason()
+        if reason is not None:
+            results["msg"] = reason
+            results["changed"] = True
+
+            if not self.check_mode:
+                self.export_images()
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "path": {"type": "path"},
+        "force": {"type": "bool", "default": False},
+        "names": {
+            "type": "list",
+            "elements": "str",
+            "required": True,
+            "aliases": ["name"],
+        },
+        "tag": {"type": "str", "default": "latest"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        results = ImageExportManager(client).run()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_info.py b/ansible_collections/community/docker/plugins/modules/docker_image_info.py
new file mode 100644
index 00000000..4ff72d30
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_info.py
@@ -0,0 +1,247 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_info
+
+short_description: Inspect docker images
+
+description:
+  - Provide one or more image names, and the module will inspect each, returning an array of inspection results.
+  - If an image does not exist locally, it will not appear in the results. If you want to check whether an image exists locally,
+    you can call the module with the image name, then check whether the result list is empty (image does not exist) or has
+    one element (the image exists locally).
+  - The module will not attempt to pull images from registries. Use M(community.docker.docker_image) with O(community.docker.docker_image#module:source=pull)
+    to ensure an image is pulled.
+notes:
+  - This module was called C(docker_image_facts) before Ansible 2.8. The usage did not change.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - An image name or a list of image names. Name format will be C(name[:tag]) or C(repository/name[:tag]), where C(tag)
+        is optional. If a tag is not provided, V(latest) will be used. Instead of image names, also image IDs can be used.
+      - If no name is provided, a list of all images will be returned.
+    type: list
+    elements: str
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Chris Houseknecht (@chouseknecht)
+"""
+
+EXAMPLES = r"""
+---
+- name: Inspect a single image
+  community.docker.docker_image_info:
+    name: pacur/centos-7
+
+- name: Inspect multiple images
+  community.docker.docker_image_info:
+    name:
+      - pacur/centos-7
+      - sinatra
+  register: result
+
+- name: Make sure that both images pacur/centos-7 and sinatra exist locally
+  ansible.builtin.assert:
+    that:
+      - result.images | length == 2
+"""
+
+RETURN = r"""
+images:
+  description:
+    - Inspection results for the selected images.
+    - The list only contains inspection results of images existing locally.
+  returned: always
+  type: list
+  elements: dict
+  sample: [
+    {
+      "Architecture": "amd64",
+      "Author": "",
+      "Comment": "",
+      "Config": {
+        "AttachStderr": false,
+        "AttachStdin": false,
+        "AttachStdout": false,
+        "Cmd": ["/etc/docker/registry/config.yml"],
+        "Domainname": "",
+        "Entrypoint": ["/bin/registry"],
+        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
+        "ExposedPorts": {"5000/tcp": {}},
+        "Hostname": "e5c68db50333",
+        "Image": "c72dce2618dc8f7b794d2b2c2b1e64e0205ead5befc294f8111da23bd6a2c799",
+        "Labels": {},
+        "OnBuild": [],
+        "OpenStdin": false,
+        "StdinOnce": false,
+        "Tty": false,
+        "User": "",
+        "Volumes": {"/var/lib/registry": {}},
+        "WorkingDir": "",
+      },
+      "Container": "e83a452b8fb89d78a25a6739457050131ca5c863629a47639530d9ad2008d610",
+      "ContainerConfig": {
+        "AttachStderr": false,
+        "AttachStdin": false,
+        "AttachStdout": false,
+        "Cmd": ["/bin/sh", "-c", '#(nop) CMD ["/etc/docker/registry/config.yml"]'],
+        "Domainname": "",
+        "Entrypoint": ["/bin/registry"],
+        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],
+        "ExposedPorts": {"5000/tcp": {}},
+        "Hostname": "e5c68db50333",
+        "Image": "c72dce2618dc8f7b794d2b2c2b1e64e0205ead5befc294f8111da23bd6a2c799",
+        "Labels": {},
+        "OnBuild": [],
+        "OpenStdin": false,
+        "StdinOnce": false,
+        "Tty": false,
+        "User": "",
+        "Volumes": {"/var/lib/registry": {}},
+        "WorkingDir": "",
+      },
+      "Created": "2016-03-08T21:08:15.399680378Z",
+      "DockerVersion": "1.9.1",
+      "GraphDriver": {
+        "Data": null,
+        "Name": "aufs",
+      },
+      "Id": "53773d8552f07b730f3e19979e32499519807d67b344141d965463a950a66e08",
+      "Name": "registry:2",
+      "Os": "linux",
+      "Parent": "f0b1f729f784b755e7bf9c8c2e65d8a0a35a533769c2588f02895f6781ac0805",
+      "RepoDigests": [],
+      "RepoTags": ["registry:2"],
+      "Size": 0,
+      "VirtualSize": 165808884,
+    },
+  ]
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+)
+
+
+class ImageManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.name = self.client.module.params.get("name")
+        self.log(f"Gathering facts for images: {self.name}")
+
+        if self.name:
+            self.results["images"] = self.get_facts()
+        else:
+            self.results["images"] = self.get_all_images()
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def get_facts(self) -> list[dict[str, t.Any]]:
+        """
+        Lookup and inspect each image name found in the names parameter.
+
+        :returns array of image dictionaries
+        """
+
+        results = []
+
+        names = self.name
+        if not isinstance(names, list):
+            names = [names]
+
+        for name in names:
+            if is_image_name_id(name):
+                self.log(f"Fetching image {name} (ID)")
+                image = self.client.find_image_by_id(name, accept_missing_image=True)
+            else:
+                repository, tag = parse_repository_tag(name)
+                if not tag:
+                    tag = "latest"
+                self.log(f"Fetching image {repository}:{tag}")
+                image = self.client.find_image(name=repository, tag=tag)
+            if image:
+                results.append(image)
+        return results
+
+    def get_all_images(self) -> list[dict[str, t.Any]]:
+        results = []
+        params = {
+            "only_ids": 0,
+            "all": 0,
+        }
+        images = self.client.get_json("/images/json", params=params)
+        for image in images:
+            try:
+                inspection = self.client.get_json("/images/{0}/json", image["Id"])
+            except NotFound:
+                inspection = None
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error inspecting image {image['Id']} - {exc}")
+            results.append(inspection)
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "list", "elements": "str"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        results = {"changed": False, "images": []}
+
+        ImageManager(client, results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_load.py b/ansible_collections/community/docker/plugins/modules/docker_image_load.py
new file mode 100644
index 00000000..fc70a24f
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_load.py
@@ -0,0 +1,211 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_load
+
+short_description: Load docker image(s) from archives
+
+version_added: 1.3.0
+
+description:
+  - Load one or multiple Docker images from a C(.tar) archive, and return information on the loaded image(s).
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: none
+
+options:
+  path:
+    description:
+      - The path to the C(.tar) archive to load Docker image(s) from.
+    type: path
+    required: true
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_export
+  - module: community.docker.docker_image_push
+  - module: community.docker.docker_image_remove
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Load all image(s) from the given tar file
+  community.docker.docker_image_load:
+    path: /path/to/images.tar
+  register: result
+
+- name: Print the loaded image names
+  ansible.builtin.debug:
+    msg: "Loaded the following images: {{ result.image_names | join(', ') }}"
+"""
+
+RETURN = r"""
+image_names:
+  description: List of image names and IDs loaded from the archive.
+  returned: success
+  type: list
+  elements: str
+  sample:
+    - 'hello-world:latest'
+    - 'sha256:e004c2cc521c95383aebb1fb5893719aa7a8eae2e7a71f316a4410784edb00a9'
+images:
+  description: Image inspection results for the loaded images.
+  returned: success
+  type: list
+  elements: dict
+  sample: []
+"""
+
+import errno
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+)
+
+
+class ImageManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        parameters = self.client.module.params
+        self.check_mode = self.client.check_mode
+
+        self.path = parameters["path"]
+
+        self.load_images()
+
+    @staticmethod
+    def _extract_output_line(line: dict[str, t.Any], output: list[str]) -> None:
+        """
+        Extract text line from stream output and, if found, adds it to output.
+        """
+        if "stream" in line or "status" in line:
+            # Make sure we have a string (assuming that line['stream'] and
+            # line['status'] are either not defined, falsish, or a string)
+            text_line = line.get("stream") or line.get("status") or ""
+            output.extend(text_line.splitlines())
+
+    def load_images(self) -> None:
+        """
+        Load images from a .tar archive
+        """
+        # Load image(s) from file
+        load_output: list[str] = []
+        try:
+            self.log(f"Opening image {self.path}")
+            with open(self.path, "rb") as image_tar:
+                self.log(f"Loading images from {self.path}")
+                res = self.client._post(
+                    self.client._url("/images/load"), data=image_tar, stream=True
+                )
+                for line in self.client._stream_helper(res, decode=True):
+                    self.log(line, pretty_print=True)
+                    self._extract_output_line(line, load_output)
+        except EnvironmentError as exc:
+            if exc.errno == errno.ENOENT:
+                self.client.fail(f"Error opening archive {self.path} - {exc}")
+            self.client.fail(
+                f"Error loading archive {self.path} - {exc}",
+                stdout="\n".join(load_output),
+            )
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.client.fail(
+                f"Error loading archive {self.path} - {exc}",
+                stdout="\n".join(load_output),
+            )
+
+        # Collect loaded images
+        loaded_images = []
+        for line in load_output:
+            if line.startswith("Loaded image:"):
+                loaded_images.append(line[len("Loaded image:") :].strip())
+            if line.startswith("Loaded image ID:"):
+                loaded_images.append(line[len("Loaded image ID:") :].strip())
+
+        if not loaded_images:
+            self.client.fail(
+                "Detected no loaded images. Archive potentially corrupt?",
+                stdout="\n".join(load_output),
+            )
+
+        images = []
+        for image_name in loaded_images:
+            if is_image_name_id(image_name):
+                images.append(self.client.find_image_by_id(image_name))
+            elif ":" in image_name:
+                image_name, tag = image_name.rsplit(":", 1)
+                images.append(self.client.find_image(image_name, tag))
+            else:
+                self.client.module.warn(
+                    f'Image name "{image_name}" is neither ID nor has a tag'
+                )
+
+        self.results["image_names"] = loaded_images
+        self.results["images"] = images
+        self.results["changed"] = True
+        self.results["stdout"] = "\n".join(load_output)
+
+
+def main() -> None:
+    client = AnsibleDockerClient(
+        argument_spec={
+            "path": {"type": "path", "required": True},
+        },
+        supports_check_mode=False,
+    )
+
+    try:
+        results: dict[str, t.Any] = {
+            "image_names": [],
+            "images": [],
+        }
+
+        ImageManager(client, results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_pull.py b/ansible_collections/community/docker/plugins/modules/docker_image_pull.py
new file mode 100644
index 00000000..4bcbbb3b
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_pull.py
@@ -0,0 +1,233 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_pull
+
+short_description: Pull Docker images from registries
+
+version_added: 3.6.0
+
+description:
+  - Pulls a Docker image from a registry.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: partial
+    details:
+      - When trying to pull an image with O(pull=always), the module assumes this is always changed in check mode.
+      - When check mode is combined with diff mode, the pulled image's ID is always shown as V(unknown) in the diff.
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  name:
+    description:
+      - Image name. Name format must be one of V(name), V(repository/name), or V(registry_server:port/name).
+      - The name can optionally include the tag by appending V(:tag_name), or it can contain a digest by appending V(@hash:digest).
+    type: str
+    required: true
+  tag:
+    description:
+      - Used to select an image when pulling. Defaults to V(latest).
+      - If O(name) parameter format is C(name:tag) or C(image@hash:digest), then O(tag) will be ignored.
+    type: str
+    default: latest
+  platform:
+    description:
+      - Ask for this specific platform when pulling.
+    type: str
+  pull:
+    description:
+      - Determines when to pull an image.
+      - If V(always), will always pull the image.
+      - If V(not_present), will only pull the image if no image of the name exists on the current Docker daemon, or if O(platform)
+        does not match.
+    type: str
+    choices:
+      - always
+      - not_present
+    default: always
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_pull
+  - module: community.docker.docker_image_remove
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Pull an image
+  community.docker.docker_image_pull:
+    name: pacur/centos-7
+    # Select platform for pulling. If not specified, will pull whatever docker prefers.
+    platform: amd64
+"""
+
+RETURN = r"""
+image:
+  description: Image inspection results for the affected image.
+  returned: success
+  type: dict
+  sample: {}
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._platform import (
+    compare_platform_strings,
+    compose_platform_string,
+    normalize_platform_string,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+    is_valid_tag,
+)
+
+
+def image_info(image: dict[str, t.Any] | None) -> dict[str, t.Any]:
+    result = {}
+    if image:
+        result["id"] = image["Id"]
+    else:
+        result["exists"] = False
+    return result
+
+
+class ImagePuller(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+
+        self.client = client
+        self.check_mode = self.client.check_mode
+
+        parameters = self.client.module.params
+        self.name: str = parameters["name"]
+        self.tag: str = parameters["tag"]
+        self.platform: str | None = parameters["platform"]
+        self.pull_mode: t.Literal["always", "not_present"] = parameters["pull"]
+
+        if is_image_name_id(self.name):
+            self.client.fail("Cannot pull an image by ID")
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.client.fail(f'"{self.tag}" is not a valid docker tag!')
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        repo, repo_tag = parse_repository_tag(self.name)
+        if repo_tag:
+            self.name = repo
+            self.tag = repo_tag
+
+    def pull(self) -> dict[str, t.Any]:
+        image = self.client.find_image(name=self.name, tag=self.tag)
+        actions: list[str] = []
+        diff = {"before": image_info(image), "after": image_info(image)}
+        results = {
+            "changed": False,
+            "actions": actions,
+            "image": image or {},
+            "diff": diff,
+        }
+
+        if image and self.pull_mode == "not_present":
+            if self.platform is None:
+                return results
+            host_info = self.client.info()
+            wanted_platform = normalize_platform_string(
+                self.platform,
+                daemon_os=host_info.get("OSType"),
+                daemon_arch=host_info.get("Architecture"),
+            )
+            image_platform = compose_platform_string(
+                os=image.get("Os"),
+                arch=image.get("Architecture"),
+                variant=image.get("Variant"),
+                daemon_os=host_info.get("OSType"),
+                daemon_arch=host_info.get("Architecture"),
+            )
+            if compare_platform_strings(wanted_platform, image_platform):
+                return results
+
+        actions.append(f"Pulled image {self.name}:{self.tag}")
+        if self.check_mode:
+            results["changed"] = True
+            diff["after"] = image_info({"Id": "unknown"})
+        else:
+            image, not_changed = self.client.pull_image(
+                self.name, tag=self.tag, image_platform=self.platform
+            )
+            results["image"] = image
+            results["changed"] = not not_changed
+            diff["after"] = image_info(image)
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "tag": {"type": "str", "default": "latest"},
+        "platform": {"type": "str"},
+        "pull": {
+            "type": "str",
+            "choices": ["always", "not_present"],
+            "default": "always",
+        },
+    }
+
+    option_minimal_versions = {
+        "platform": {"docker_api_version": "1.32"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        option_minimal_versions=option_minimal_versions,
+    )
+
+    try:
+        results = ImagePuller(client).pull()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_push.py b/ansible_collections/community/docker/plugins/modules/docker_image_push.py
new file mode 100644
index 00000000..09e4cdb0
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_push.py
@@ -0,0 +1,205 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_push
+
+short_description: Push Docker images to registries
+
+version_added: 3.6.0
+
+description:
+  - Pushes a Docker image to a registry.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: full
+
+options:
+  name:
+    description:
+      - Image name. Name format must be one of V(name), V(repository/name), or V(registry_server:port/name).
+      - The name can optionally include the tag by appending V(:tag_name), or it can contain a digest by appending V(@hash:digest).
+    type: str
+    required: true
+  tag:
+    description:
+      - Select which image to push. Defaults to V(latest).
+      - If O(name) parameter format is C(name:tag) or C(image@hash:digest), then O(tag) will be ignored.
+    type: str
+    default: latest
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_pull
+  - module: community.docker.docker_image_remove
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Push an image
+  community.docker.docker_image_push:
+    name: registry.example.com:5000/repo/image
+    tag: latest
+"""
+
+RETURN = r"""
+image:
+  description: Image inspection results for the affected image.
+  returned: success
+  type: dict
+  sample: {}
+"""
+
+import base64
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.auth import (
+    get_config_header,
+    resolve_repository_name,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+    is_valid_tag,
+)
+
+
+class ImagePusher(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+
+        self.client = client
+        self.check_mode = self.client.check_mode
+
+        parameters = self.client.module.params
+        self.name: str = parameters["name"]
+        self.tag: str = parameters["tag"]
+
+        if is_image_name_id(self.name):
+            self.client.fail("Cannot push an image by ID")
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.client.fail(f'"{self.tag}" is not a valid docker tag!')
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        repo, repo_tag = parse_repository_tag(self.name)
+        if repo_tag:
+            self.name = repo
+            self.tag = repo_tag
+
+        if is_image_name_id(self.tag):
+            self.client.fail("Cannot push an image by digest")
+        if not is_valid_tag(self.tag, allow_empty=False):
+            self.client.fail(f'"{self.tag}" is not a valid docker tag!')
+
+    def push(self) -> dict[str, t.Any]:
+        image = self.client.find_image(name=self.name, tag=self.tag)
+        if not image:
+            self.client.fail(f"Cannot find image {self.name}:{self.tag}")
+
+        actions: list[str] = []
+        results: dict[str, t.Any] = {
+            "changed": False,
+            "actions": actions,
+            "image": image,
+        }
+
+        push_registry, push_repo = resolve_repository_name(self.name)
+        try:
+            actions.append(f"Pushed image {self.name}:{self.tag}")
+
+            headers = {}
+            header = get_config_header(self.client, push_registry)
+            if not header:
+                # For some reason, from Docker 28.3.3 on not specifying X-Registry-Auth seems to be invalid.
+                # See https://github.com/moby/moby/issues/50614.
+                header = base64.urlsafe_b64encode(b"{}")
+            headers["X-Registry-Auth"] = header
+            response = self.client._post_json(
+                self.client._url("/images/{0}/push", self.name),
+                data=None,
+                headers=headers,
+                stream=True,
+                params={"tag": self.tag},
+            )
+            self.client._raise_for_status(response)
+            for line in self.client._stream_helper(response, decode=True):
+                self.log(line, pretty_print=True)
+                if line.get("errorDetail"):
+                    raise RuntimeError(line["errorDetail"]["message"])
+                status = line.get("status")
+                if status in ("Pushing", "Pushed"):
+                    results["changed"] = True
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            if "unauthorized" in str(exc):
+                if "authentication required" in str(exc):
+                    self.client.fail(
+                        f"Error pushing image {push_registry}/{push_repo}:{self.tag} - {exc}. Try logging into {push_registry} first."
+                    )
+                else:
+                    self.client.fail(
+                        f"Error pushing image {push_registry}/{push_repo}:{self.tag} - {exc}. Does the repository exist?"
+                    )
+            self.client.fail(f"Error pushing image {self.name}:{self.tag}: {exc}")
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "tag": {"type": "str", "default": "latest"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=False,
+    )
+
+    try:
+        results = ImagePusher(client).push()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_remove.py b/ansible_collections/community/docker/plugins/modules/docker_image_remove.py
new file mode 100644
index 00000000..327404ad
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_remove.py
@@ -0,0 +1,292 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_remove
+
+short_description: Remove Docker images
+
+version_added: 3.6.0
+
+description:
+  - Remove Docker images from the Docker daemon.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  name:
+    description:
+      - 'Image name. Name format will be one of: C(name), C(repository/name), C(registry_server:port/name). When pushing or
+        pulling an image the name can optionally include the tag by appending C(:tag_name).'
+      - Note that image IDs (hashes) can also be used.
+    type: str
+    required: true
+  tag:
+    description:
+      - Tag for the image name O(name) that is to be tagged.
+      - If O(name)'s format is C(name:tag), then the tag value from O(name) will take precedence.
+    type: str
+    default: latest
+  force:
+    description:
+      - Un-tag and remove all images matching the specified name.
+    type: bool
+    default: false
+  prune:
+    description:
+      - Delete untagged parent images.
+    type: bool
+    default: true
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_load
+  - module: community.docker.docker_image_pull
+  - module: community.docker.docker_image_tag
+"""
+
+EXAMPLES = r"""
+---
+- name: Remove an image
+  community.docker.docker_image_remove:
+    name: pacur/centos-7
+"""
+
+RETURN = r"""
+image:
+  description:
+    - Image inspection results for the affected image before removal.
+    - Empty if the image was not found.
+  returned: success
+  type: dict
+  sample: {}
+deleted:
+  description:
+    - The digests of the images that were deleted.
+  returned: success
+  type: list
+  elements: str
+  sample: []
+untagged:
+  description:
+    - The digests of the images that were untagged.
+  returned: success
+  type: list
+  elements: str
+  sample: []
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+    is_valid_tag,
+)
+
+
+class ImageRemover(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+
+        self.client = client
+        self.check_mode = self.client.check_mode
+        self.diff = self.client.module._diff
+
+        parameters = self.client.module.params
+        self.name = parameters["name"]
+        self.tag = parameters["tag"]
+        self.force = parameters["force"]
+        self.prune = parameters["prune"]
+
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.fail(f'"{self.tag}" is not a valid docker tag')
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        if not is_image_name_id(self.name):
+            repo, repo_tag = parse_repository_tag(self.name)
+            if repo_tag:
+                self.name = repo
+                self.tag = repo_tag
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def get_diff_state(self, image: dict[str, t.Any] | None) -> dict[str, t.Any]:
+        if not image:
+            return {"exists": False}
+        return {
+            "exists": True,
+            "id": image["Id"],
+            "tags": sorted(image.get("RepoTags") or []),
+            "digests": sorted(image.get("RepoDigests") or []),
+        }
+
+    def absent(self) -> dict[str, t.Any]:
+        actions: list[str] = []
+        deleted: list[str] = []
+        untagged: list[str] = []
+        results: dict[str, t.Any] = {
+            "changed": False,
+            "actions": actions,
+            "image": {},
+            "deleted": deleted,
+            "untagged": untagged,
+        }
+
+        name = self.name
+        if is_image_name_id(name):
+            image = self.client.find_image_by_id(name, accept_missing_image=True)
+        else:
+            image = self.client.find_image(name, self.tag)
+            if self.tag:
+                name = f"{self.name}:{self.tag}"
+
+        diff: dict[str, t.Any] = {}
+        if self.diff:
+            results["diff"] = diff
+            diff["before"] = self.get_diff_state(image)
+
+        if not image:
+            if self.diff:
+                diff["after"] = self.get_diff_state(image)
+            return results
+
+        results["changed"] = True
+        actions.append(f"Removed image {name}")
+        results["image"] = image
+
+        if not self.check_mode:
+            try:
+                res = self.client.delete_json(
+                    "/images/{0}",
+                    name,
+                    params={"force": self.force, "noprune": not self.prune},
+                )
+            except NotFound:
+                # If the image vanished while we were trying to remove it, do not fail
+                res = []
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error removing image {name} - {exc}")
+
+            for entry in res:
+                if entry.get("Untagged"):
+                    untagged.append(entry["Untagged"])
+                if entry.get("Deleted"):
+                    deleted.append(entry["Deleted"])
+
+            untagged[:] = sorted(untagged)
+            deleted[:] = sorted(deleted)
+
+            if self.diff:
+                image_after = self.client.find_image_by_id(
+                    image["Id"], accept_missing_image=True
+                )
+                diff["after"] = self.get_diff_state(image_after)
+
+        elif is_image_name_id(name):
+            deleted.append(image["Id"])
+            # TODO: the following is no longer correct with Docker 29+...
+            untagged[:] = sorted(
+                (image.get("RepoTags") or []) + (image.get("RepoDigests") or [])
+            )
+            if not self.force and results["untagged"]:
+                self.fail(
+                    "Cannot delete image by ID that is still in use - use force=true"
+                )
+            if self.diff:
+                diff["after"] = self.get_diff_state({})
+
+        elif is_image_name_id(self.tag):
+            untagged.append(name)
+            if (
+                len(image.get("RepoTags") or []) < 1
+                and len(image.get("RepoDigests") or []) < 2
+            ):
+                deleted.append(image["Id"])
+            if self.diff:
+                diff["after"] = self.get_diff_state(image)
+                try:
+                    diff["after"]["digests"].remove(name)
+                except ValueError:
+                    pass
+
+        else:
+            untagged.append(name)
+            if (
+                len(image.get("RepoTags") or []) < 2
+                and len(image.get("RepoDigests") or []) < 1
+            ):
+                deleted.append(image["Id"])
+            if self.diff:
+                diff["after"] = self.get_diff_state(image)
+                try:
+                    diff["after"]["tags"].remove(name)
+                except ValueError:
+                    pass
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "tag": {"type": "str", "default": "latest"},
+        "force": {"type": "bool", "default": False},
+        "prune": {"type": "bool", "default": True},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        results = ImageRemover(client).absent()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_image_tag.py b/ansible_collections/community/docker/plugins/modules/docker_image_tag.py
new file mode 100644
index 00000000..e59da144
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_image_tag.py
@@ -0,0 +1,304 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_image_tag
+
+short_description: Tag Docker images with new names and/or tags
+
+version_added: 3.6.0
+
+description:
+  - This module allows to tag Docker images with new names and/or tags.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  name:
+    description:
+      - 'Image name. Name format will be one of: C(name), C(repository/name), C(registry_server:port/name). When pushing or
+        pulling an image the name can optionally include the tag by appending C(:tag_name).'
+      - Note that image IDs (hashes) can also be used.
+    type: str
+    required: true
+  tag:
+    description:
+      - Tag for the image name O(name) that is to be tagged.
+      - If O(name)'s format is C(name:tag), then the tag value from O(name) will take precedence.
+    type: str
+    default: latest
+  repository:
+    description:
+      - List of new image names to tag the image as.
+      - Expects format C(repository:tag). If no tag is provided, will use the value of the O(tag) parameter if present, or
+        V(latest).
+    type: list
+    elements: str
+    required: true
+  existing_images:
+    description:
+      - Defines the behavior if the image to be tagged already exists and is another image than the one identified by O(name)
+        and O(tag).
+      - If set to V(keep), the tagged image is kept.
+      - If set to V(overwrite), the tagged image is overwritten by the specified one.
+    type: str
+    choices:
+      - keep
+      - overwrite
+    default: overwrite
+
+requirements:
+  - "Docker API >= 1.25"
+
+author:
+  - Felix Fontein (@felixfontein)
+
+seealso:
+  - module: community.docker.docker_image_push
+  - module: community.docker.docker_image_remove
+"""
+
+EXAMPLES = r"""
+---
+- name: Tag Python 3.12 image with two new names
+  community.docker.docker_image_tag:
+    name: python:3.12
+    repository:
+      - python-3:3.12
+      - local-registry:5000/python-3/3.12:latest
+"""
+
+RETURN = r"""
+image:
+  description: Image inspection results for the affected image.
+  returned: success
+  type: dict
+  sample: {}
+tagged_images:
+  description:
+    - A list of images that got tagged.
+  returned: success
+  type: list
+  elements: str
+  sample:
+    - python-3:3.12
+"""
+
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    parse_repository_tag,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    is_image_name_id,
+    is_valid_tag,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.module_utils.basic import AnsibleModule
+
+
+def convert_to_bytes(
+    value: str | None,
+    module: AnsibleModule,
+    name: str,
+    unlimited_value: int | None = None,
+) -> int | None:
+    if value is None:
+        return value
+    try:
+        if unlimited_value is not None and value in ("unlimited", str(unlimited_value)):
+            return unlimited_value
+        return human_to_bytes(value)
+    except ValueError as exc:
+        module.fail_json(msg=f"Failed to convert {name} to bytes: {exc}")
+
+
+def image_info(name: str, tag: str, image: dict[str, t.Any] | None) -> dict[str, t.Any]:
+    result: dict[str, t.Any] = {"name": name, "tag": tag}
+    if image:
+        result["id"] = image["Id"]
+    else:
+        result["exists"] = False
+    return result
+
+
+class ImageTagger(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+
+        self.client = client
+        parameters = self.client.module.params
+        self.check_mode = self.client.check_mode
+
+        self.name = parameters["name"]
+        self.tag = parameters["tag"]
+        if not is_valid_tag(self.tag, allow_empty=True):
+            self.fail(f'"{self.tag}" is not a valid docker tag')
+
+        # If name contains a tag, it takes precedence over tag parameter.
+        if not is_image_name_id(self.name):
+            repo, repo_tag = parse_repository_tag(self.name)
+            if repo_tag:
+                self.name = repo
+                self.tag = repo_tag
+
+        self.keep_existing_images = parameters["existing_images"] == "keep"
+
+        # Make sure names in repository are valid images, and add tag if needed
+        self.repositories = []
+        for i, repository in enumerate(parameters["repository"]):
+            if is_image_name_id(repository):
+                self.fail(
+                    f"repository[{i + 1}] must not be an image ID; got: {repository}"
+                )
+            repo, repo_tag = parse_repository_tag(repository)
+            if not repo_tag:
+                repo_tag = parameters["tag"]
+            elif not is_valid_tag(repo_tag, allow_empty=False):
+                self.fail(
+                    f"repository[{i + 1}] must not have a digest; got: {repository}"
+                )
+            self.repositories.append((repo, repo_tag))
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def tag_image(
+        self, image: dict[str, t.Any], name: str, tag: str
+    ) -> tuple[bool, str, dict[str, t.Any] | None]:
+        tagged_image = self.client.find_image(name=name, tag=tag)
+        if tagged_image:
+            # Idempotency checks
+            if tagged_image["Id"] == image["Id"]:
+                return (
+                    False,
+                    f"target image already exists ({tagged_image['Id']}) and is as expected",
+                    tagged_image,
+                )
+            if self.keep_existing_images:
+                return (
+                    False,
+                    f"target image already exists ({tagged_image['Id']}) and is not as expected, but kept",
+                    tagged_image,
+                )
+            msg = f"target image existed ({tagged_image['Id']}) and was not as expected"
+        else:
+            msg = "target image did not exist"
+
+        if not self.check_mode:
+            try:
+                params = {
+                    "tag": tag,
+                    "repo": name,
+                    "force": True,
+                }
+                res = self.client._post(
+                    self.client._url("/images/{0}/tag", image["Id"]), params=params
+                )
+                self.client._raise_for_status(res)
+                if res.status_code != 201:
+                    raise RuntimeError("Tag operation failed.")
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.fail(f"Error: failed to tag image as {name}:{tag} - {exc}")
+
+        return True, msg, tagged_image
+
+    def tag_images(self) -> dict[str, t.Any]:
+        if is_image_name_id(self.name):
+            image = self.client.find_image_by_id(self.name, accept_missing_image=False)
+        else:
+            image = self.client.find_image(name=self.name, tag=self.tag)
+            if not image:
+                self.fail(f"Cannot find image {self.name}:{self.tag}")
+        assert image is not None
+
+        before: list[dict[str, t.Any]] = []
+        after: list[dict[str, t.Any]] = []
+        tagged_images: list[str] = []
+        actions: list[str] = []
+        results: dict[str, t.Any] = {
+            "changed": False,
+            "actions": actions,
+            "image": image,
+            "tagged_images": tagged_images,
+            "diff": {"before": {"images": before}, "after": {"images": after}},
+        }
+        for repository, tag in self.repositories:
+            tagged, msg, old_image = self.tag_image(image, repository, tag)
+            before.append(image_info(repository, tag, old_image))
+            after.append(image_info(repository, tag, image if tagged else old_image))
+            if tagged:
+                results["changed"] = True
+                actions.append(
+                    f"Tagged image {image['Id']} as {repository}:{tag}: {msg}"
+                )
+                tagged_images.append(f"{repository}:{tag}")
+            else:
+                actions.append(
+                    f"Not tagged image {image['Id']} as {repository}:{tag}: {msg}"
+                )
+
+        return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "tag": {"type": "str", "default": "latest"},
+        "repository": {"type": "list", "elements": "str", "required": True},
+        "existing_images": {
+            "type": "str",
+            "choices": ["keep", "overwrite"],
+            "default": "overwrite",
+        },
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        results = ImageTagger(client).tag_images()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_login.py b/ansible_collections/community/docker/plugins/modules/docker_login.py
new file mode 100644
index 00000000..91f47388
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_login.py
@@ -0,0 +1,468 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2016 Olaf Kilian <olaf.kilian@symanex.com>
+#                    Chris Houseknecht, <house@redhat.com>
+#                    James Tanner, <jtanner@redhat.com>
+#
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_login
+short_description: Log into a Docker registry
+description:
+  - Provides functionality similar to the C(docker login) command.
+  - Authenticate with a docker registry and add the credentials to your local Docker config file respectively the credentials
+    store associated to the registry. Adding the credentials to the config files resp. the credential store allows future
+    connections to the registry using tools such as Ansible's Docker modules, the Docker CLI and Docker SDK for Python without
+    needing to provide credentials.
+  - Running in check mode will perform the authentication without updating the config file.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: full
+
+options:
+  registry_url:
+    description:
+      - The registry URL.
+    type: str
+    default: "https://index.docker.io/v1/"
+    aliases:
+      - registry
+      - url
+  username:
+    description:
+      - The username for the registry account.
+      - Required when O(state=present).
+    type: str
+  password:
+    description:
+      - The plaintext password for the registry account.
+      - Required when O(state=present).
+    type: str
+  reauthorize:
+    description:
+      - Refresh existing authentication found in the configuration file.
+    type: bool
+    default: false
+    aliases:
+      - reauth
+  config_path:
+    description:
+      - Custom path to the Docker CLI configuration file.
+    type: path
+    default: ~/.docker/config.json
+    aliases:
+      - dockercfg_path
+  state:
+    description:
+      - This controls the current state of the user. V(present) will login in a user, V(absent) will log them out.
+      - To logout you only need the registry server, which defaults to DockerHub.
+      - Before 2.1 you could ONLY log in.
+      - Docker does not support 'logout' with a custom config file.
+    type: str
+    default: 'present'
+    choices: ['present', 'absent']
+
+requirements:
+  - "Docker API >= 1.25"
+author:
+  - Olaf Kilian (@olsaki) <olaf.kilian@symanex.com>
+  - Chris Houseknecht (@chouseknecht)
+"""
+
+EXAMPLES = r"""
+---
+- name: Log into DockerHub
+  community.docker.docker_login:
+    username: docker
+    password: rekcod
+
+- name: Log into private registry and force re-authorization
+  community.docker.docker_login:
+    registry_url: your.private.registry.io
+    username: yourself
+    password: secrets3
+    reauthorize: true
+
+- name: Log into DockerHub using a custom config file
+  community.docker.docker_login:
+    username: docker
+    password: rekcod
+    config_path: /tmp/.mydockercfg
+
+- name: Log out of DockerHub
+  community.docker.docker_login:
+    state: absent
+"""
+
+RETURN = r"""
+login_result:
+  description: Result from the login.
+  returned: when O(state=present)
+  type: dict
+  sample: {"serveraddress": "localhost:5000", "username": "testuser"}
+"""
+
+import base64
+import json
+import os
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_bytes, to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api import auth
+from ansible_collections.community.docker.plugins.module_utils._api.auth import (
+    decode_auth,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.credentials.errors import (
+    CredentialsNotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.credentials.store import (
+    Store,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DEFAULT_DOCKER_REGISTRY,
+    DockerBaseClass,
+)
+
+
+class DockerFileStore:
+    """
+    A custom credential store class that implements only the functionality we need to
+    update the docker config file when no credential helpers is provided.
+    """
+
+    program = "<legacy config>"
+
+    def __init__(self, config_path: str) -> None:
+        self._config_path = config_path
+
+        # Make sure we have a minimal config if none is available.
+        self._config: dict[str, t.Any] = {"auths": {}}
+
+        try:
+            # Attempt to read the existing config.
+            with open(self._config_path, "rt", encoding="utf-8") as f:
+                config = json.load(f)
+        except (ValueError, IOError):
+            # No config found or an invalid config found so we'll ignore it.
+            config = {}
+
+        # Update our internal config with what ever was loaded.
+        self._config.update(config)
+
+    @property
+    def config_path(self) -> str:
+        """
+        Return the config path configured in this DockerFileStore instance.
+        """
+
+        return self._config_path
+
+    def get(self, server: str) -> dict[str, t.Any]:
+        """
+        Retrieve credentials for `server` if there are any in the config file.
+        Otherwise raise a `StoreError`
+        """
+
+        server_creds = self._config["auths"].get(server)
+        if not server_creds:
+            raise CredentialsNotFound("No matching credentials")
+
+        (username, password) = decode_auth(server_creds["auth"])
+
+        return {"Username": username, "Secret": password}
+
+    def _write(self) -> None:
+        """
+        Write config back out to disk.
+        """
+        # Make sure directory exists
+        directory = os.path.dirname(self._config_path)
+        if not os.path.exists(directory):
+            os.makedirs(directory)
+        # Write config; make sure it has permissions 0x600
+        content = json.dumps(self._config, indent=4, sort_keys=True).encode("utf-8")
+        f = os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        try:
+            os.write(f, content)
+        finally:
+            os.close(f)
+
+    def store(self, server: str, username: str, password: str) -> None:
+        """
+        Add a credentials for `server` to the current configuration.
+        """
+
+        b64auth = base64.b64encode(to_bytes(username) + b":" + to_bytes(password))
+        tauth = to_text(b64auth)
+
+        # build up the auth structure
+        if "auths" not in self._config:
+            self._config["auths"] = {}
+
+        self._config["auths"][server] = {"auth": tauth}
+
+        self._write()
+
+    def erase(self, server: str) -> None:
+        """
+        Remove credentials for the given server from the configuration.
+        """
+
+        if "auths" in self._config and server in self._config["auths"]:
+            self._config["auths"].pop(server)
+            self._write()
+
+
+class LoginManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        parameters = self.client.module.params
+        self.check_mode = self.client.check_mode
+
+        self.registry_url: str = parameters.get("registry_url")
+        self.username: str | None = parameters.get("username")
+        self.password: str | None = parameters.get("password")
+        self.reauthorize: bool = parameters.get("reauthorize")
+        self.config_path: str = parameters.get("config_path")
+        self.state: t.Literal["present", "absent"] = parameters.get("state")
+
+    def run(self) -> None:
+        """
+        Do the actual work of this task here. This allows instantiation for partial
+        testing.
+        """
+
+        if self.state == "present":
+            self.login()
+        else:
+            self.logout()
+
+    def fail(self, msg: str) -> t.NoReturn:
+        self.client.fail(msg)
+
+    def _login(self, reauth: bool) -> dict[str, t.Any]:
+        if self.config_path and os.path.exists(self.config_path):
+            self.client._auth_configs = auth.load_config(
+                self.config_path, credstore_env=self.client.credstore_env
+            )
+        elif not self.client._auth_configs or self.client._auth_configs.is_empty:
+            self.client._auth_configs = auth.load_config(
+                credstore_env=self.client.credstore_env
+            )
+
+        authcfg = self.client._auth_configs.resolve_authconfig(self.registry_url)
+        # If we found an existing auth config for this registry and username
+        # combination, we can return it immediately unless reauth is requested.
+        if authcfg and authcfg.get("username") == self.username and not reauth:
+            return authcfg
+
+        req_data = {
+            "username": self.username,
+            "password": self.password,
+            "email": None,
+            "serveraddress": self.registry_url,
+        }
+
+        response = self.client._post_json(self.client._url("/auth"), data=req_data)
+        if response.status_code == 200:
+            self.client._auth_configs.add_auth(
+                self.registry_url or auth.INDEX_NAME, req_data
+            )
+        return self.client._result(response, get_json=True)
+
+    def login(self) -> None:
+        """
+        Log into the registry with provided username/password. On success update the config
+        file with the new authorization.
+
+        :return: None
+        """
+
+        self.results["actions"].append(f"Logged into {self.registry_url}")
+        self.log(f"Log into {self.registry_url} with username {self.username}")
+        try:
+            response = self._login(self.reauthorize)
+        except Exception as exc:  # pylint: disable=broad-exception-caught
+            self.fail(
+                f"Logging into {self.registry_url} for user {self.username} failed - {exc}"
+            )
+
+        # If user is already logged in, then response contains password for user
+        if "password" in response:
+            # This returns correct password if user is logged in and wrong password is given.
+            # So if it returns another password as we passed, and the user did not request to
+            # reauthorize, still do it.
+            if not self.reauthorize and response["password"] != self.password:
+                try:
+                    response = self._login(True)
+                except Exception as exc:  # pylint: disable=broad-exception-caught
+                    self.fail(
+                        f"Logging into {self.registry_url} for user {self.username} failed - {exc}"
+                    )
+            response.pop("password", None)
+        self.results["login_result"] = response
+
+        self.update_credentials()
+
+    def logout(self) -> None:
+        """
+        Log out of the registry. On success update the config file.
+
+        :return: None
+        """
+
+        # Get the configuration store.
+        store = self.get_credential_store_instance(self.registry_url, self.config_path)
+
+        try:
+            store.get(self.registry_url)
+        except CredentialsNotFound:
+            # get raises an exception on not found.
+            self.log(f"Credentials for {self.registry_url} not present, doing nothing.")
+            self.results["changed"] = False
+            return
+
+        if not self.check_mode:
+            store.erase(self.registry_url)
+        self.results["changed"] = True
+
+    def update_credentials(self) -> None:
+        """
+        If the authorization is not stored attempt to store authorization values via
+        the appropriate credential helper or to the config file.
+
+        :return: None
+        """
+        # This is only called from login()
+        assert self.username is not None
+        assert self.password is not None
+
+        # Check to see if credentials already exist.
+        store = self.get_credential_store_instance(self.registry_url, self.config_path)
+
+        try:
+            current = store.get(self.registry_url)
+        except CredentialsNotFound:
+            # get raises an exception on not found.
+            current = {"Username": "", "Secret": ""}
+
+        if (
+            current["Username"] != self.username
+            or current["Secret"] != self.password
+            or self.reauthorize
+        ):
+            if not self.check_mode:
+                store.store(self.registry_url, self.username, self.password)
+            self.log(
+                f"Writing credentials to configured helper {store.program} for {self.registry_url}"
+            )
+            self.results["actions"].append(
+                f"Wrote credentials to configured helper {store.program} for {self.registry_url}"
+            )
+            self.results["changed"] = True
+
+    def get_credential_store_instance(
+        self, registry: str, dockercfg_path: str
+    ) -> Store | DockerFileStore:
+        """
+        Return an instance of docker.credentials.Store used by the given registry.
+
+        :return: A Store or None
+        :rtype: Union[docker.credentials.Store, NoneType]
+        """
+
+        credstore_env = self.client.credstore_env
+
+        config = auth.load_config(config_path=dockercfg_path)
+
+        store_name = auth.get_credential_store(config, registry)
+
+        # Make sure that there is a credential helper before trying to instantiate a
+        # Store object.
+        if store_name:
+            self.log(f"Found credential store {store_name}")
+            return Store(store_name, environment=credstore_env)
+
+        return DockerFileStore(dockercfg_path)
+
+
+def main() -> None:
+    argument_spec = {
+        "registry_url": {
+            "type": "str",
+            "default": DEFAULT_DOCKER_REGISTRY,
+            "aliases": ["registry", "url"],
+        },
+        "username": {"type": "str"},
+        "password": {"type": "str", "no_log": True},
+        "reauthorize": {"type": "bool", "default": False, "aliases": ["reauth"]},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "absent"],
+        },
+        "config_path": {
+            "type": "path",
+            "default": "~/.docker/config.json",
+            "aliases": ["dockercfg_path"],
+        },
+    }
+
+    required_if = [
+        ("state", "present", ["username", "password"]),
+    ]
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_if=required_if,
+    )
+
+    try:
+        results = {"changed": False, "actions": [], "login_result": {}}
+
+        manager = LoginManager(client, results)
+        manager.run()
+
+        if "actions" in results:
+            del results["actions"]
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_network.py b/ansible_collections/community/docker/plugins/modules/docker_network.py
new file mode 100644
index 00000000..99eebaf3
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_network.py
@@ -0,0 +1,886 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_network
+short_description: Manage Docker networks
+description:
+  - Create/remove Docker networks and connect containers to them.
+  - Performs largely the same function as the C(docker network) CLI subcommand.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: partial
+    details:
+      - If O(force=true) the module is not idempotent.
+
+options:
+  name:
+    description:
+      - Name of the network to operate on.
+    type: str
+    required: true
+    aliases:
+      - network_name
+
+  config_from:
+    description:
+      - Specifies the config only network to use the config from.
+    type: str
+    version_added: 3.10.0
+
+  config_only:
+    description:
+      - Sets that this is a config only network.
+    type: bool
+    version_added: 3.10.0
+
+  connected:
+    description:
+      - List of container names or container IDs to connect to a network.
+      - Please note that the module only makes sure that these containers are connected to the network, but does not care
+        about connection options. If you rely on specific IP addresses and so on, use the M(community.docker.docker_container)
+        module to ensure your containers are correctly connected to this network.
+    type: list
+    elements: str
+    default: []
+    aliases:
+      - containers
+
+  driver:
+    description:
+      - Specify the type of network. Docker provides bridge and overlay drivers, but 3rd party drivers can also be used.
+    type: str
+    default: bridge
+
+  driver_options:
+    description:
+      - Dictionary of network settings. Consult docker docs for valid options and values.
+    type: dict
+    default: {}
+
+  force:
+    description:
+      - With state V(present) will disconnect all containers for existing networks, delete the network and re-create the network.
+      - This option is required if you have changed the IPAM or driver options and want an existing network to be updated
+        to use the new options.
+    type: bool
+    default: false
+
+  appends:
+    description:
+      - By default the connected list is canonical, meaning containers not on the list are removed from the network.
+      - Use O(appends) to leave existing containers connected.
+    type: bool
+    default: false
+    aliases:
+      - incremental
+
+  enable_ipv4:
+    description:
+      - Enable IPv4 networking.
+      - This is enabled by default, but can be explicitly disabled.
+      - Requires Docker API 1.47 or newer.
+    type: bool
+    version_added: 4.5.0
+
+  enable_ipv6:
+    description:
+      - Enable IPv6 networking.
+    type: bool
+
+  ingress:
+    description:
+      - Enable Swarm routing-mesh.
+    type: bool
+    version_added: 4.2.0
+
+  ipam_driver:
+    description:
+      - Specify an IPAM driver.
+    type: str
+
+  ipam_driver_options:
+    description:
+      - Dictionary of IPAM driver options.
+    type: dict
+
+  ipam_config:
+    description:
+      - List of IPAM config blocks. Consult L(Docker docs,https://docs.docker.com/compose/compose-file/compose-file-v2/#ipam)
+        for valid options and values. Note that O(ipam_config[].iprange) is spelled differently here (we use the notation
+        from the Docker SDK for Python).
+    type: list
+    elements: dict
+    suboptions:
+      subnet:
+        description:
+          - IP subset in CIDR notation.
+        type: str
+      iprange:
+        description:
+          - IP address range in CIDR notation.
+        type: str
+      gateway:
+        description:
+          - IP gateway address.
+        type: str
+      aux_addresses:
+        description:
+          - Auxiliary IP addresses used by Network driver, as a mapping from hostname to IP.
+        type: dict
+
+  state:
+    description:
+      - V(absent) deletes the network. If a network has connected containers, these will be detached from the network.
+      - V(present) creates the network, if it does not already exist with the specified parameters, and connects the list
+        of containers provided by the O(connected) parameter. Containers not on the list will be disconnected. An empty list
+        will leave no containers connected to the network. Use the O(appends) option to leave existing containers connected.
+        Use the O(force) options to force re-creation of the network.
+    type: str
+    default: present
+    choices:
+      - absent
+      - present
+
+  internal:
+    description:
+      - Restrict external access to the network.
+    type: bool
+
+  labels:
+    description:
+      - Dictionary of labels.
+    type: dict
+    default: {}
+
+  scope:
+    description:
+      - Specify the network's scope.
+    type: str
+    choices:
+      - local
+      - global
+      - swarm
+
+  attachable:
+    description:
+      - If enabled, and the network is in the global scope, non-service containers on worker nodes will be able to connect
+        to the network.
+    type: bool
+
+notes:
+  - When network options are changed, the module disconnects all containers from the network, deletes the network, and re-creates
+    the network. It does not try to reconnect containers, except the ones listed in (O(connected), and even for these, it
+    does not consider specific connection options like fixed IP addresses or MAC addresses. If you need more control over
+    how the containers are connected to the network, loop the M(community.docker.docker_container) module to loop over your
+    containers to make sure they are connected properly.
+  - The module does not support Docker Swarm. This means that it will not try to disconnect or reconnect services. If services
+    are connected to the network, deleting the network will fail. When network options are changed, the network has to be
+    deleted and recreated, so this will fail as well.
+author:
+  - "Ben Keith (@keitwb)"
+  - "Chris Houseknecht (@chouseknecht)"
+  - "Dave Bendit (@DBendit)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Create a network
+  community.docker.docker_network:
+    name: network_one
+
+- name: Remove all but selected list of containers
+  community.docker.docker_network:
+    name: network_one
+    connected:
+      - container_a
+      - container_b
+      - container_c
+
+- name: Remove a single container
+  community.docker.docker_network:
+    name: network_one
+    connected: "{{ fulllist|difference(['container_a']) }}"
+
+- name: Add a container to a network, leaving existing containers connected
+  community.docker.docker_network:
+    name: network_one
+    connected:
+      - container_a
+    appends: true
+
+- name: Create a network with driver options
+  community.docker.docker_network:
+    name: network_two
+    driver_options:
+      com.docker.network.bridge.name: net2
+
+- name: Create a network with custom IPAM config
+  community.docker.docker_network:
+    name: network_three
+    ipam_config:
+      - subnet: 172.23.27.0/24
+        gateway: 172.23.27.2
+        iprange: 172.23.27.0/26
+        aux_addresses:
+          host1: 172.23.27.3
+          host2: 172.23.27.4
+
+- name: Create a network with labels
+  community.docker.docker_network:
+    name: network_four
+    labels:
+      key1: value1
+      key2: value2
+
+- name: Create a network with IPv6 IPAM config
+  community.docker.docker_network:
+    name: network_ipv6_one
+    enable_ipv6: true
+    ipam_config:
+      - subnet: fdd1:ac8c:0557:7ce1::/64
+
+- name: Create a network with IPv6 and custom IPv4 IPAM config
+  community.docker.docker_network:
+    name: network_ipv6_two
+    enable_ipv6: true
+    ipam_config:
+      - subnet: 172.24.27.0/24
+      - subnet: fdd1:ac8c:0557:7ce2::/64
+
+- name: Delete a network, disconnecting all containers
+  community.docker.docker_network:
+    name: network_one
+    state: absent
+"""
+
+RETURN = r"""
+network:
+  description:
+    - Network inspection results for the affected network.
+  returned: success
+  type: dict
+  sample: {}
+"""
+
+import re
+import time
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+    normalize_ip_address,
+    normalize_ip_network,
+    sanitize_labels,
+)
+
+
+class TaskParameters(DockerBaseClass):
+    name: str
+
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+        self.client = client
+
+        self.connected: list[str] = []
+        self.config_from: str | None = None
+        self.config_only: bool | None = None
+        self.driver: str = "bridge"
+        self.driver_options: dict[str, t.Any] = {}
+        self.ipam_driver: str | None = None
+        self.ipam_driver_options: dict[str, t.Any] | None = None
+        self.ipam_config: list[dict[str, t.Any]] | None = None
+        self.appends: bool = False
+        self.force: bool = False
+        self.internal: bool | None = None
+        self.labels: dict[str, t.Any] = {}
+        self.debug: bool = False
+        self.enable_ipv4: bool | None = None
+        self.enable_ipv6: bool | None = None
+        self.scope: t.Literal["local", "global", "swarm"] | None = None
+        self.attachable: bool | None = None
+        self.ingress: bool | None = None
+        self.state: t.Literal["present", "absent"] = "present"
+
+        for key, value in client.module.params.items():
+            setattr(self, key, value)
+
+        # config_only sets driver to 'null' (and scope to 'local') so force that here. Otherwise we get
+        # diffs of 'null' --> 'bridge' given that the driver option defaults to 'bridge'.
+        if self.config_only:
+            self.driver = "null"  # type: ignore[unreachable]
+
+
+def container_names_in_network(network: dict[str, t.Any]) -> list[str]:
+    return (
+        [c["Name"] for c in network["Containers"].values()]
+        if network["Containers"]
+        else []
+    )
+
+
+CIDR_IPV4 = re.compile(r"^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$")
+CIDR_IPV6 = re.compile(r"^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[0-2][0-9])$")
+
+
+def validate_cidr(cidr: str) -> t.Literal["ipv4", "ipv6"]:
+    """Validate CIDR. Return IP version of a CIDR string on success.
+
+    :param cidr: Valid CIDR
+    :type cidr: str
+    :return: ``ipv4`` or ``ipv6``
+    :rtype: str
+    :raises ValueError: If ``cidr`` is not a valid CIDR
+    """
+    # TODO: Use ipaddress for this instead of rolling your own...
+    if CIDR_IPV4.match(cidr):
+        return "ipv4"
+    if CIDR_IPV6.match(cidr):
+        return "ipv6"
+    raise ValueError(f'"{cidr}" is not a valid CIDR')
+
+
+def normalize_ipam_config_key(key: str) -> str:
+    """Normalizes IPAM config keys returned by Docker API to match Ansible keys.
+
+    :param key: Docker API key
+    :type key: str
+    :return Ansible module key
+    :rtype str
+    """
+    special_cases = {"AuxiliaryAddresses": "aux_addresses"}
+    return special_cases.get(key, key.lower())
+
+
+def dicts_are_essentially_equal(a: dict[str, t.Any], b: dict[str, t.Any]) -> bool:
+    """Make sure that a is a subset of b, where None entries of a are ignored."""
+    for k, v in a.items():
+        if v is None:
+            continue
+        if b.get(k) != v:
+            return False
+    return True
+
+
+def normalize_ipam_values(ipam_config: dict[str, t.Any]) -> dict[str, t.Any]:
+    result = {}
+    for key, value in ipam_config.items():
+        if key in ("subnet", "iprange"):
+            value = normalize_ip_network(value)
+        elif key in ("gateway",):
+            value = normalize_ip_address(value)
+        elif key in ("aux_addresses",) and value is not None:
+            value = {k: normalize_ip_address(v) for k, v in value.items()}
+        result[key] = value
+    return result
+
+
+class DockerNetworkManager:
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        self.client = client
+        self.parameters = TaskParameters(client)
+        self.check_mode = self.client.check_mode
+        self.actions: list[str] = []
+        self.results: dict[str, t.Any] = {"changed": False, "actions": self.actions}
+        self.diff = self.client.module._diff
+        self.diff_tracker = DifferenceTracker()
+        self.diff_result: dict[str, t.Any] = {}
+
+        self.existing_network = self.get_existing_network()
+
+        if not self.parameters.connected and self.existing_network:
+            self.parameters.connected = container_names_in_network(
+                self.existing_network
+            )
+
+        if self.parameters.ipam_config:
+            try:
+                for ipam_config in self.parameters.ipam_config:
+                    validate_cidr(ipam_config["subnet"])
+            except ValueError as e:
+                self.client.fail(to_text(e))
+
+        if self.parameters.driver_options:
+            self.parameters.driver_options = clean_dict_booleans_for_docker_api(
+                self.parameters.driver_options
+            )
+
+        state = self.parameters.state
+        if state == "present":
+            self.present()
+        elif state == "absent":
+            self.absent()
+
+        if self.diff or self.check_mode or self.parameters.debug:
+            if self.diff:
+                self.diff_result["before"], self.diff_result["after"] = (
+                    self.diff_tracker.get_before_after()
+                )
+            self.results["diff"] = self.diff_result
+
+    def get_existing_network(self) -> dict[str, t.Any] | None:
+        return self.client.get_network(name=self.parameters.name)
+
+    def has_different_config(
+        self, net: dict[str, t.Any]
+    ) -> tuple[bool, DifferenceTracker]:
+        """
+        Evaluates an existing network and returns a tuple containing a boolean
+        indicating if the configuration is different and a list of differences.
+
+        :param net: the inspection output for an existing network
+        :return: (bool, list)
+        """
+        differences = DifferenceTracker()
+        if (
+            self.parameters.config_only is not None
+            and self.parameters.config_only != net.get("ConfigOnly", False)
+        ):
+            differences.add(
+                "config_only",
+                parameter=self.parameters.config_only,
+                active=net.get("ConfigOnly", False),
+            )
+        if (
+            self.parameters.config_from is not None
+            and self.parameters.config_from
+            != net.get("ConfigFrom", {}).get("Network", "")
+        ):
+            differences.add(
+                "config_from",
+                parameter=self.parameters.config_from,
+                active=net.get("ConfigFrom", {}).get("Network", ""),
+            )
+        if self.parameters.driver and self.parameters.driver != net["Driver"]:
+            differences.add(
+                "driver", parameter=self.parameters.driver, active=net["Driver"]
+            )
+        if self.parameters.driver_options:
+            if not net.get("Options"):
+                differences.add(
+                    "driver_options",
+                    parameter=self.parameters.driver_options,
+                    active=net.get("Options"),
+                )
+            else:
+                for key, value in self.parameters.driver_options.items():
+                    if key not in net["Options"] or value != net["Options"][key]:
+                        differences.add(
+                            f"driver_options.{key}",
+                            parameter=value,
+                            active=net["Options"].get(key),
+                        )
+
+        if self.parameters.ipam_driver and (
+            not net.get("IPAM") or net["IPAM"]["Driver"] != self.parameters.ipam_driver
+        ):
+            differences.add(
+                "ipam_driver",
+                parameter=self.parameters.ipam_driver,
+                active=net.get("IPAM"),
+            )
+
+        if self.parameters.ipam_driver_options is not None:
+            ipam_driver_options = net["IPAM"].get("Options") or {}
+            if ipam_driver_options != self.parameters.ipam_driver_options:
+                differences.add(
+                    "ipam_driver_options",
+                    parameter=self.parameters.ipam_driver_options,
+                    active=ipam_driver_options,
+                )
+
+        if self.parameters.ipam_config is not None and self.parameters.ipam_config:
+            if not net.get("IPAM") or not net["IPAM"]["Config"]:
+                differences.add(
+                    "ipam_config",
+                    parameter=self.parameters.ipam_config,
+                    active=net.get("IPAM", {}).get("Config"),
+                )
+            else:
+                # Put network's IPAM config into the same format as module's IPAM config
+                net_ipam_configs = []
+                net_ipam_configs_normalized = []
+                for net_ipam_config in net["IPAM"]["Config"]:
+                    config = {}
+                    for k, v in net_ipam_config.items():
+                        config[normalize_ipam_config_key(k)] = v
+                    net_ipam_configs.append(config)
+                    net_ipam_configs_normalized.append(normalize_ipam_values(config))
+                # Compare lists of dicts as sets of dicts
+                for idx, ipam_config in enumerate(self.parameters.ipam_config):
+                    ipam_config_normalized = normalize_ipam_values(ipam_config)
+                    net_config = {}
+                    net_config_normalized = {}
+                    for net_ipam_config, net_ipam_config_normalized in zip(
+                        net_ipam_configs, net_ipam_configs_normalized
+                    ):
+                        if dicts_are_essentially_equal(
+                            ipam_config_normalized, net_ipam_config_normalized
+                        ):
+                            net_config = net_ipam_config
+                            net_config_normalized = net_ipam_config_normalized
+                            break
+                    for key, value in ipam_config.items():
+                        if value is None:
+                            # due to recursive argument_spec, all keys are always present
+                            # (but have default value None if not specified)
+                            continue
+                        if ipam_config_normalized[key] != net_config_normalized.get(
+                            key
+                        ):
+                            differences.add(
+                                f"ipam_config[{idx}].{key}",
+                                parameter=value,
+                                active=net_config.get(key),
+                            )
+
+        if (
+            self.parameters.enable_ipv4 is not None
+            and self.parameters.enable_ipv4 != net.get("EnableIPv4", False)
+        ):
+            differences.add(
+                "enable_ipv4",
+                parameter=self.parameters.enable_ipv4,
+                active=net.get("EnableIPv4", False),
+            )
+        if (
+            self.parameters.enable_ipv6 is not None
+            and self.parameters.enable_ipv6 != net.get("EnableIPv6", False)
+        ):
+            differences.add(
+                "enable_ipv6",
+                parameter=self.parameters.enable_ipv6,
+                active=net.get("EnableIPv6", False),
+            )
+
+        if (
+            self.parameters.internal is not None
+            and self.parameters.internal != net.get("Internal", False)
+        ):
+            differences.add(
+                "internal",
+                parameter=self.parameters.internal,
+                active=net.get("Internal"),
+            )
+
+        if self.parameters.scope is not None and self.parameters.scope != net.get(
+            "Scope"
+        ):
+            differences.add(
+                "scope", parameter=self.parameters.scope, active=net.get("Scope")
+            )
+
+        if (
+            self.parameters.attachable is not None
+            and self.parameters.attachable != net.get("Attachable", False)
+        ):
+            differences.add(
+                "attachable",
+                parameter=self.parameters.attachable,
+                active=net.get("Attachable"),
+            )
+        if self.parameters.ingress is not None and self.parameters.ingress != net.get(
+            "Ingress", False
+        ):
+            differences.add(
+                "ingress", parameter=self.parameters.ingress, active=net.get("Ingress")
+            )
+        if self.parameters.labels:
+            if not net.get("Labels"):
+                differences.add(
+                    "labels", parameter=self.parameters.labels, active=net.get("Labels")
+                )
+            else:
+                for key, value in self.parameters.labels.items():
+                    if key not in net["Labels"] or value != net["Labels"][key]:
+                        differences.add(
+                            f"labels.{key}",
+                            parameter=value,
+                            active=net["Labels"].get(key),
+                        )
+
+        return not differences.empty, differences
+
+    def create_network(self) -> None:
+        if not self.existing_network:
+            data: dict[str, t.Any] = {
+                "Name": self.parameters.name,
+                "Driver": self.parameters.driver,
+                "Options": self.parameters.driver_options,
+                "IPAM": None,
+                "CheckDuplicate": None,
+            }
+
+            if self.parameters.config_only is not None:
+                data["ConfigOnly"] = self.parameters.config_only
+            if self.parameters.config_from:
+                data["ConfigFrom"] = {"Network": self.parameters.config_from}
+            if self.parameters.enable_ipv6 is not None:
+                data["EnableIPv6"] = self.parameters.enable_ipv6
+            if self.parameters.enable_ipv4 is not None:
+                data["EnableIPv4"] = self.parameters.enable_ipv4
+            if self.parameters.internal:
+                data["Internal"] = True
+            if self.parameters.scope is not None:
+                data["Scope"] = self.parameters.scope
+            if self.parameters.attachable is not None:
+                data["Attachable"] = self.parameters.attachable
+            if self.parameters.ingress is not None:
+                data["Ingress"] = self.parameters.ingress
+            if self.parameters.labels is not None:
+                data["Labels"] = self.parameters.labels
+
+            ipam_pools = []
+            if self.parameters.ipam_config:
+                for ipam_pool in self.parameters.ipam_config:
+                    ipam_pools.append(
+                        {
+                            "Subnet": ipam_pool["subnet"],
+                            "IPRange": ipam_pool["iprange"],
+                            "Gateway": ipam_pool["gateway"],
+                            "AuxiliaryAddresses": ipam_pool["aux_addresses"],
+                        }
+                    )
+
+            if (
+                self.parameters.ipam_driver
+                or self.parameters.ipam_driver_options
+                or ipam_pools
+            ):
+                # Only add IPAM if a driver was specified or if IPAM parameters were
+                # specified. Leaving this parameter out can significantly speed up
+                # creation; on my machine creation with this option needs ~15 seconds,
+                # and without just a few seconds.
+                data["IPAM"] = {
+                    "Driver": self.parameters.ipam_driver,
+                    "Config": ipam_pools or [],
+                    "Options": self.parameters.ipam_driver_options,
+                }
+
+            if not self.check_mode:
+                resp = self.client.post_json_to_json("/networks/create", data=data)
+                self.client.report_warnings(resp, ["Warning"])
+                self.existing_network = self.client.get_network(network_id=resp["Id"])
+            self.actions.append(
+                f"Created network {self.parameters.name} with driver {self.parameters.driver}"
+            )
+            self.results["changed"] = True
+
+    def remove_network(self) -> None:
+        if self.existing_network:
+            self.disconnect_all_containers()
+            if not self.check_mode:
+                self.client.delete_call("/networks/{0}", self.parameters.name)
+                if self.existing_network.get("Scope", "local") == "swarm":
+                    while self.get_existing_network():
+                        time.sleep(0.1)
+            self.actions.append(f"Removed network {self.parameters.name}")
+            self.results["changed"] = True
+
+    def is_container_connected(self, container_name: str) -> bool:
+        if not self.existing_network:
+            return False
+        return container_name in container_names_in_network(self.existing_network)
+
+    def is_container_exist(self, container_name: str) -> bool:
+        try:
+            container = self.client.get_container(container_name)
+            return bool(container)
+
+        except DockerException as e:
+            self.client.fail(
+                f"An unexpected Docker error occurred: {e}",
+                exception=traceback.format_exc(),
+            )
+        except RequestException as e:
+            self.client.fail(
+                f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+                exception=traceback.format_exc(),
+            )
+
+    def connect_containers(self) -> None:
+        for name in self.parameters.connected:
+            if not self.is_container_connected(name) and self.is_container_exist(name):
+                if not self.check_mode:
+                    data = {
+                        "Container": name,
+                        "EndpointConfig": None,
+                    }
+                    self.client.post_json(
+                        "/networks/{0}/connect", self.parameters.name, data=data
+                    )
+                self.actions.append(f"Connected container {name}")
+                self.results["changed"] = True
+                self.diff_tracker.add(f"connected.{name}", parameter=True, active=False)
+
+    def disconnect_missing(self) -> None:
+        if not self.existing_network:
+            return
+        containers = self.existing_network["Containers"]
+        if not containers:
+            return
+        for c in containers.values():
+            name = c["Name"]
+            if name not in self.parameters.connected:
+                self.disconnect_container(name)
+
+    def disconnect_all_containers(self) -> None:
+        network = self.client.get_network(name=self.parameters.name)
+        if not network:
+            return
+        containers = network["Containers"]
+        if not containers:
+            return
+        for cont in containers.values():
+            self.disconnect_container(cont["Name"])
+
+    def disconnect_container(self, container_name: str) -> None:
+        if not self.check_mode:
+            data = {"Container": container_name, "Force": True}
+            self.client.post_json(
+                "/networks/{0}/disconnect", self.parameters.name, data=data
+            )
+        self.actions.append(f"Disconnected container {container_name}")
+        self.results["changed"] = True
+        self.diff_tracker.add(
+            f"connected.{container_name}", parameter=False, active=True
+        )
+
+    def present(self) -> None:
+        different = False
+        differences = DifferenceTracker()
+        if self.existing_network:
+            different, differences = self.has_different_config(self.existing_network)
+
+        self.diff_tracker.add(
+            "exists", parameter=True, active=self.existing_network is not None
+        )
+        if self.parameters.force or different:
+            self.remove_network()
+            self.existing_network = None
+
+        self.create_network()
+        self.connect_containers()
+        if not self.parameters.appends:
+            self.disconnect_missing()
+
+        if self.diff or self.check_mode or self.parameters.debug:
+            self.diff_result["differences"] = differences.get_legacy_docker_diffs()
+            self.diff_tracker.merge(differences)
+
+        if not self.check_mode and not self.parameters.debug:
+            self.results.pop("actions")
+
+        network_facts = self.get_existing_network()
+        self.results["network"] = network_facts
+
+    def absent(self) -> None:
+        self.diff_tracker.add(
+            "exists", parameter=False, active=self.existing_network is not None
+        )
+        self.remove_network()
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True, "aliases": ["network_name"]},
+        "config_from": {"type": "str"},
+        "config_only": {"type": "bool"},
+        "connected": {
+            "type": "list",
+            "default": [],
+            "elements": "str",
+            "aliases": ["containers"],
+        },
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "absent"],
+        },
+        "driver": {"type": "str", "default": "bridge"},
+        "driver_options": {"type": "dict", "default": {}},
+        "force": {"type": "bool", "default": False},
+        "appends": {"type": "bool", "default": False, "aliases": ["incremental"]},
+        "ipam_driver": {"type": "str"},
+        "ipam_driver_options": {"type": "dict"},
+        "ipam_config": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "subnet": {"type": "str"},
+                "iprange": {"type": "str"},
+                "gateway": {"type": "str"},
+                "aux_addresses": {"type": "dict"},
+            },
+        },
+        "enable_ipv4": {"type": "bool"},
+        "enable_ipv6": {"type": "bool"},
+        "internal": {"type": "bool"},
+        "labels": {"type": "dict", "default": {}},
+        "debug": {"type": "bool", "default": False},
+        "scope": {"type": "str", "choices": ["local", "global", "swarm"]},
+        "attachable": {"type": "bool"},
+        "ingress": {"type": "bool"},
+    }
+
+    option_minimal_versions = {
+        "config_from": {"docker_api_version": "1.30"},
+        "config_only": {"docker_api_version": "1.30"},
+        "scope": {"docker_api_version": "1.30"},
+        "attachable": {"docker_api_version": "1.26"},
+        "enable_ipv4": {"docker_api_version": "1.47"},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        # "The docker server >= 1.10.0"
+        option_minimal_versions=option_minimal_versions,
+    )
+    sanitize_labels(client.module.params["labels"], "labels", client)
+    try:
+        cm = DockerNetworkManager(client)
+        client.module.exit_json(**cm.results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_network_info.py b/ansible_collections/community/docker/plugins/modules/docker_network_info.py
new file mode 100644
index 00000000..7e3509e4
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_network_info.py
@@ -0,0 +1,140 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_network_info
+
+short_description: Retrieves facts about docker network
+
+description:
+  - Retrieves facts about a docker network.
+  - Essentially returns the output of C(docker network inspect <name>), similar to what M(community.docker.docker_network)
+    returns for a non-absent network.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - The name of the network to inspect.
+      - When identifying an existing network name may be a name or a long or short network ID.
+    type: str
+    required: true
+
+author:
+  - "Dave Bendit (@DBendit)"
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get infos on network
+  community.docker.docker_network_info:
+    name: mydata
+  register: result
+
+- name: Does network exist?
+  ansible.builtin.debug:
+    msg: "The network {{ 'exists' if result.exists else 'does not exist' }}"
+
+- name: Print information about network
+  ansible.builtin.debug:
+    var: result.network
+  when: result.exists
+"""
+
+RETURN = r"""
+exists:
+  description:
+    - Returns whether the network exists.
+  type: bool
+  returned: always
+  sample: true
+network:
+  description:
+    - Facts representing the current state of the network. Matches the docker inspection output.
+    - Will be V(none) if network does not exist.
+  returned: always
+  type: dict
+  sample: {
+    "Attachable": false,
+    "ConfigFrom": {"Network": ""},
+    "ConfigOnly": false,
+    "Containers": {},
+    "Created": "2018-12-07T01:47:51.250835114-06:00",
+    "Driver": "bridge",
+    "EnableIPv6": false,
+    "IPAM": {
+      "Config": [
+        {
+          "Gateway": "192.168.96.1",
+          "Subnet": "192.168.96.0/20",
+        },
+      ],
+      "Driver": "default",
+      "Options": null,
+    },
+    "Id": "0856968545f22026c41c2c7c3d448319d3b4a6a03a40b148b3ac4031696d1c0a",
+    "Ingress": false,
+    "Internal": false,
+    "Labels": {},
+    "Name": "ansible-test-f2700bba",
+    "Options": {},
+    "Scope": "local",
+  }
+"""
+
+import traceback
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        network = client.get_network(client.module.params["name"])
+
+        client.module.exit_json(
+            changed=False,
+            exists=bool(network),
+            network=network,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_node.py b/ansible_collections/community/docker/plugins/modules/docker_node.py
new file mode 100644
index 00000000..f9edb224
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_node.py
@@ -0,0 +1,320 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2019 Piotr Wojciechowski <piotr@it-playground.pl>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_node
+short_description: Manage Docker Swarm node
+description:
+  - Manages the Docker nodes through a Swarm Manager.
+  - This module allows to change the node's role, its availability, and to modify, add or remove node labels.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: full
+
+options:
+  hostname:
+    description:
+      - The hostname or ID of node as registered in Swarm.
+      - If more than one node is registered using the same hostname the ID must be used, otherwise module will fail.
+    type: str
+    required: true
+  labels:
+    description:
+      - User-defined key/value metadata that will be assigned as node attribute.
+      - Label operations in this module apply to the docker swarm node specified by O(hostname). Use M(community.docker.docker_swarm)
+        module to add/modify/remove swarm cluster labels.
+      - The actual state of labels assigned to the node when module completes its work depends on O(labels_state) and O(labels_to_remove)
+        parameters values. See description below.
+    type: dict
+  labels_state:
+    description:
+      - It defines the operation on the labels assigned to node and labels specified in O(labels) option.
+      - Set to V(merge) to combine labels provided in O(labels) with those already assigned to the node. If no labels are
+        assigned then it will add listed labels. For labels that are already assigned to the node, it will update their values.
+        The labels not specified in O(labels) will remain unchanged. If O(labels) is empty then no changes will be made.
+      - Set to V(replace) to replace all assigned labels with provided ones. If O(labels) is empty then all labels assigned
+        to the node will be removed.
+    type: str
+    default: 'merge'
+    choices:
+      - merge
+      - replace
+  labels_to_remove:
+    description:
+      - List of labels that will be removed from the node configuration. The list has to contain only label names, not their
+        values.
+      - If the label provided on the list is not assigned to the node, the entry is ignored.
+      - If the label is both on the O(labels_to_remove) and O(labels), then value provided in O(labels) remains assigned to
+        the node.
+      - If O(labels_state=replace) and O(labels) is not provided or empty then all labels assigned to node are removed and
+        O(labels_to_remove) is ignored.
+    type: list
+    elements: str
+  availability:
+    description: Node availability to assign. If not provided then node availability remains unchanged.
+    choices:
+      - active
+      - pause
+      - drain
+    type: str
+  role:
+    description: Node role to assign. If not provided then node role remains unchanged.
+    choices:
+      - manager
+      - worker
+    type: str
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.4.0"
+  - Docker API >= 1.25
+author:
+  - Piotr Wojciechowski (@WojciechowskiPiotr)
+  - Thierry Bouvet (@tbouvet)
+"""
+
+EXAMPLES = r"""
+---
+- name: Set node role
+  community.docker.docker_node:
+    hostname: mynode
+    role: manager
+
+- name: Set node availability
+  community.docker.docker_node:
+    hostname: mynode
+    availability: drain
+
+- name: Replace node labels with new labels
+  community.docker.docker_node:
+    hostname: mynode
+    labels:
+      key: value
+    labels_state: replace
+
+- name: Merge node labels and new labels
+  community.docker.docker_node:
+    hostname: mynode
+    labels:
+      key: value
+
+- name: Remove all labels assigned to node
+  community.docker.docker_node:
+    hostname: mynode
+    labels_state: replace
+
+- name: Remove selected labels from the node
+  community.docker.docker_node:
+    hostname: mynode
+    labels_to_remove:
+      - key1
+      - key2
+"""
+
+RETURN = r"""
+node:
+  description: Information about node after 'update' operation.
+  returned: success
+  type: dict
+"""
+
+import traceback
+import typing as t
+
+try:
+    from docker.errors import APIError, DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._swarm import (
+    AnsibleDockerSwarmClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    sanitize_labels,
+)
+
+
+class TaskParameters(DockerBaseClass):
+    hostname: str
+
+    def __init__(self, client: AnsibleDockerSwarmClient) -> None:
+        super().__init__()
+
+        # Spec
+        self.labels: dict[str, t.Any] | None = None
+        self.labels_state: t.Literal["merge", "replace"] = "merge"
+        self.labels_to_remove: list[str] | None = None
+
+        # Node
+        self.availability: t.Literal["active", "pause", "drain"] | None = None
+        self.role: t.Literal["worker", "manager"] | None = None
+
+        for key, value in client.module.params.items():
+            setattr(self, key, value)
+
+        sanitize_labels(self.labels, "labels", client)
+
+
+class SwarmNodeManager(DockerBaseClass):
+    def __init__(
+        self, client: AnsibleDockerSwarmClient, results: dict[str, t.Any]
+    ) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.check_mode = self.client.check_mode
+
+        self.client.fail_task_if_not_swarm_manager()
+
+        self.parameters = TaskParameters(client)
+
+        self.node_update()
+
+    def node_update(self) -> None:
+        if not (self.client.check_if_swarm_node(node_id=self.parameters.hostname)):
+            self.client.fail("This node is not part of a swarm.")
+
+        if self.client.check_if_swarm_node_is_down():
+            self.client.fail("Can not update the node. The node is down.")
+
+        try:
+            node_info = self.client.inspect_node(node_id=self.parameters.hostname)
+        except APIError as exc:
+            self.client.fail(f"Failed to get node information for {exc}")
+
+        changed = False
+        node_spec: dict[str, t.Any] = {
+            "Availability": self.parameters.availability,
+            "Role": self.parameters.role,
+            "Labels": self.parameters.labels,
+        }
+
+        if self.parameters.role is None:
+            node_spec["Role"] = node_info["Spec"]["Role"]
+        else:
+            if node_info["Spec"]["Role"] != self.parameters.role:
+                node_spec["Role"] = self.parameters.role
+                changed = True
+
+        if self.parameters.availability is None:
+            node_spec["Availability"] = node_info["Spec"]["Availability"]
+        else:
+            if node_info["Spec"]["Availability"] != self.parameters.availability:
+                node_info["Spec"]["Availability"] = self.parameters.availability
+                changed = True
+
+        if self.parameters.labels_state == "replace":
+            if self.parameters.labels is None:
+                node_spec["Labels"] = {}
+                if node_info["Spec"]["Labels"]:
+                    changed = True
+            else:
+                if (node_info["Spec"]["Labels"] or {}) != self.parameters.labels:
+                    node_spec["Labels"] = self.parameters.labels
+                    changed = True
+        elif self.parameters.labels_state == "merge":
+            labels: dict[str, str] = dict(node_info["Spec"]["Labels"] or {})
+            node_spec["Labels"] = labels
+            if self.parameters.labels is not None:
+                for key, value in self.parameters.labels.items():
+                    if labels.get(key) != value:
+                        labels[key] = value
+                        changed = True
+
+            if self.parameters.labels_to_remove is not None:
+                for key in self.parameters.labels_to_remove:
+                    if self.parameters.labels is not None:
+                        if not self.parameters.labels.get(key):
+                            if node_spec["Labels"].get(key):
+                                node_spec["Labels"].pop(key)
+                                changed = True
+                        else:
+                            self.client.module.warn(
+                                f"Label '{to_text(key)}' listed both in 'labels' and 'labels_to_remove'. "
+                                "Keeping the assigned label value."
+                            )
+                    else:
+                        if node_spec["Labels"].get(key):
+                            node_spec["Labels"].pop(key)
+                            changed = True
+
+        if changed is True:
+            if not self.check_mode:
+                try:
+                    self.client.update_node(
+                        node_id=node_info["ID"],
+                        version=node_info["Version"]["Index"],
+                        node_spec=node_spec,
+                    )
+                except APIError as exc:
+                    self.client.fail(f"Failed to update node : {exc}")
+            self.results["node"] = self.client.get_node_inspect(node_id=node_info["ID"])
+            self.results["changed"] = changed
+        else:
+            self.results["node"] = node_info
+            self.results["changed"] = changed
+
+
+def main() -> None:
+    argument_spec = {
+        "hostname": {"type": "str", "required": True},
+        "labels": {"type": "dict"},
+        "labels_state": {
+            "type": "str",
+            "default": "merge",
+            "choices": ["merge", "replace"],
+        },
+        "labels_to_remove": {"type": "list", "elements": "str"},
+        "availability": {"type": "str", "choices": ["active", "pause", "drain"]},
+        "role": {"type": "str", "choices": ["worker", "manager"]},
+    }
+
+    client = AnsibleDockerSwarmClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        min_docker_version="2.4.0",
+    )
+
+    try:
+        results = {
+            "changed": False,
+        }
+
+        SwarmNodeManager(client, results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_node_info.py b/ansible_collections/community/docker/plugins/modules/docker_node_info.py
new file mode 100644
index 00000000..33b5b838
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_node_info.py
@@ -0,0 +1,165 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2019 Piotr Wojciechowski <piotr@it-playground.pl>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_node_info
+
+short_description: Retrieves facts about docker swarm node from Swarm Manager
+
+description:
+  - Retrieves facts about a docker node.
+  - Essentially returns the output of C(docker node inspect <name>).
+  - Must be executed on a host running as Swarm Manager, otherwise the module will fail.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - The name of the node to inspect.
+      - The list of nodes names to inspect.
+      - If empty then return information of all nodes in Swarm cluster.
+      - When identifying the node use either the hostname of the node (as registered in Swarm) or node ID.
+      - If O(self=true) then this parameter is ignored.
+    type: list
+    elements: str
+  self:
+    description:
+      - If V(true), queries the node (that is, the docker daemon) the module communicates with.
+      - If V(true) then O(name) is ignored.
+      - If V(false) then query depends on O(name) presence and value.
+    type: bool
+    default: false
+
+author:
+  - Piotr Wojciechowski (@WojciechowskiPiotr)
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.4.0"
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get info on all nodes
+  community.docker.docker_node_info:
+  register: result
+
+- name: Get info on node
+  community.docker.docker_node_info:
+    name: mynode
+  register: result
+
+- name: Get info on list of nodes
+  community.docker.docker_node_info:
+    name:
+      - mynode1
+      - mynode2
+  register: result
+
+- name: Get info on host if it is Swarm Manager
+  community.docker.docker_node_info:
+    self: true
+  register: result
+"""
+
+RETURN = r"""
+nodes:
+  description:
+    - Facts representing the current state of the nodes. Matches the C(docker node inspect) output.
+    - Can contain multiple entries if more than one node provided in O(name), or O(name) is not provided.
+    - If O(name) contains a list of nodes, the output will provide information on all nodes registered at the swarm, including
+      nodes that left the swarm but have not been removed from the cluster on swarm managers and nodes that are unreachable.
+  returned: always
+  type: list
+  elements: dict
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._swarm import (
+    AnsibleDockerSwarmClient,
+)
+
+try:
+    from docker.errors import DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+
+def get_node_facts(client: AnsibleDockerSwarmClient) -> list[dict[str, t.Any]]:
+    results: list[dict[str, t.Any]] = []
+
+    if client.module.params["self"] is True:
+        self_node_id = client.get_swarm_node_id()
+        node_info = client.get_node_inspect(node_id=self_node_id)
+        results.append(node_info)
+        return results
+
+    if client.module.params["name"] is None:
+        node_info_list = client.get_all_nodes_inspect()
+        return node_info_list
+
+    nodes = client.module.params["name"]
+    if not isinstance(nodes, list):
+        nodes = [nodes]
+
+    for next_node_name in nodes:
+        next_node_info = client.get_node_inspect(
+            node_id=next_node_name, skip_missing=True
+        )
+        if next_node_info:
+            results.append(next_node_info)
+    return results
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "list", "elements": "str"},
+        "self": {"type": "bool", "default": False},
+    }
+
+    client = AnsibleDockerSwarmClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        min_docker_version="2.4.0",
+    )
+
+    client.fail_task_if_not_swarm_manager()
+
+    try:
+        nodes = get_node_facts(client)
+
+        client.module.exit_json(
+            changed=False,
+            nodes=nodes,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_plugin.py b/ansible_collections/community/docker/plugins/modules/docker_plugin.py
new file mode 100644
index 00000000..6a2f095d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_plugin.py
@@ -0,0 +1,455 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2021 Red Hat | Ansible Sakar Mehra<@sakarmehra100@gmail.com | @sakar97>
+# Copyright (c) 2019, Vladimir Porshkevich (@porshkevich) <neosonic@mail.ru>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_plugin
+short_description: Manage Docker plugins
+version_added: 1.3.0
+description:
+  - This module allows to install, delete, enable and disable Docker plugins.
+  - Performs largely the same function as the C(docker plugin) CLI subcommand.
+notes:
+  - The C(--grant-all-permissions) CLI flag is true by default in this module.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  plugin_name:
+    description:
+      - Name of the plugin to operate on.
+    required: true
+    type: str
+
+  state:
+    description:
+      - V(absent) remove the plugin.
+      - V(present) install the plugin, if it does not already exist.
+      - V(enable) enable the plugin.
+      - V(disable) disable the plugin.
+    default: present
+    choices:
+      - absent
+      - present
+      - enable
+      - disable
+    type: str
+
+  alias:
+    description:
+      - Local name for plugin.
+    type: str
+    version_added: 1.8.0
+
+  plugin_options:
+    description:
+      - Dictionary of plugin settings.
+    type: dict
+    default: {}
+
+  force_remove:
+    description:
+      - Remove even if the plugin is enabled.
+    default: false
+    type: bool
+
+  enable_timeout:
+    description:
+      - Timeout in seconds.
+    type: int
+    default: 0
+
+author:
+  - Sakar Mehra (@sakar97)
+  - Vladimir Porshkevich (@porshkevich)
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Install a plugin
+  community.docker.docker_plugin:
+    plugin_name: plugin_one
+    state: present
+
+- name: Remove a plugin
+  community.docker.docker_plugin:
+    plugin_name: plugin_one
+    state: absent
+
+- name: Enable the plugin
+  community.docker.docker_plugin:
+    plugin_name: plugin_one
+    state: enable
+
+- name: Disable the plugin
+  community.docker.docker_plugin:
+    plugin_name: plugin_one
+    state: disable
+
+- name: Install a plugin with options
+  community.docker.docker_plugin:
+    plugin_name: weaveworks/net-plugin:latest_release
+    plugin_options:
+      IPALLOC_RANGE: "10.32.0.0/12"
+      WEAVE_PASSWORD: "PASSWORD"
+"""
+
+RETURN = r"""
+plugin:
+  description:
+    - Plugin inspection results for the affected plugin.
+  returned: success
+  type: dict
+  sample: {}
+actions:
+  description:
+    - List of actions performed during task execution.
+  returned: when O(state) is not V(absent)
+  type: list
+"""
+
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api import auth
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+)
+
+
+class TaskParameters(DockerBaseClass):
+    plugin_name: str
+
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+        self.client = client
+        self.alias: str | None = None
+        self.plugin_options: dict[str, t.Any] = {}
+        self.debug: bool = False
+        self.force_remove: bool = False
+        self.enable_timeout: int = 0
+        self.state: t.Literal["present", "absent", "enable", "disable"] = "present"
+
+        for key, value in client.module.params.items():
+            setattr(self, key, value)
+
+
+def prepare_options(options: dict[str, t.Any] | None) -> list[str]:
+    return (
+        [f"{k}={v if v is not None else ''}" for k, v in options.items()]
+        if options
+        else []
+    )
+
+
+def parse_options(options_list: list[str] | None) -> dict[str, str]:
+    return dict(x.split("=", 1) for x in options_list) if options_list else {}
+
+
+class DockerPluginManager:
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        self.client = client
+
+        self.parameters = TaskParameters(client)
+        self.preferred_name = self.parameters.alias or self.parameters.plugin_name
+        self.check_mode = self.client.check_mode
+        self.diff = self.client.module._diff
+        self.diff_tracker = DifferenceTracker()
+        self.diff_result: dict[str, t.Any] = {}
+
+        self.actions: list[str] = []
+        self.changed = False
+
+        self.existing_plugin = self.get_existing_plugin()
+
+        state = self.parameters.state
+        if state == "present":
+            self.present()
+        elif state == "absent":
+            self.absent()
+        elif state == "enable":
+            self.enable()
+        elif state == "disable":
+            self.disable()
+
+        if self.diff:
+            self.diff_result["before"], self.diff_result["after"] = (
+                self.diff_tracker.get_before_after()
+            )
+
+    def get_existing_plugin(self) -> dict[str, t.Any] | None:
+        try:
+            return self.client.get_json("/plugins/{0}/json", self.preferred_name)
+        except NotFound:
+            return None
+        except APIError as e:
+            self.client.fail(to_text(e))
+
+    def has_different_config(self) -> DifferenceTracker:
+        """
+        Return the list of differences between the current parameters and the existing plugin.
+
+        :return: list of options that differ
+        """
+        assert self.existing_plugin is not None
+        differences = DifferenceTracker()
+        if self.parameters.plugin_options:
+            settings = self.existing_plugin.get("Settings")
+            if not settings:
+                differences.add(
+                    "plugin_options",
+                    parameter=self.parameters.plugin_options,
+                    active=settings,
+                )
+            else:
+                existing_options = parse_options(settings.get("Env"))
+
+                for key, value in self.parameters.plugin_options.items():
+                    if (
+                        (not existing_options.get(key) and value)
+                        or not value
+                        or value != existing_options[key]
+                    ):
+                        differences.add(
+                            f"plugin_options.{key}",
+                            parameter=value,
+                            active=existing_options.get(key),
+                        )
+
+        return differences
+
+    def install_plugin(self) -> None:
+        if not self.existing_plugin:
+            if not self.check_mode:
+                try:
+                    # Get privileges
+                    headers = {}
+                    registry, dummy_repo_name = auth.resolve_repository_name(
+                        self.parameters.plugin_name
+                    )
+                    header = auth.get_config_header(self.client, registry)
+                    if header:
+                        headers["X-Registry-Auth"] = header
+                    privileges = self.client.get_json(
+                        "/plugins/privileges",
+                        params={"remote": self.parameters.plugin_name},
+                        headers=headers,
+                    )
+                    # Pull plugin
+                    params = {
+                        "remote": self.parameters.plugin_name,
+                    }
+                    if self.parameters.alias:
+                        params["name"] = self.parameters.alias
+                    response = self.client._post_json(
+                        self.client._url("/plugins/pull"),
+                        params=params,
+                        headers=headers,
+                        data=privileges,
+                        stream=True,
+                    )
+                    self.client._raise_for_status(response)
+                    for dummy in self.client._stream_helper(response, decode=True):
+                        pass
+                    # Inspect and configure plugin
+                    self.existing_plugin = self.client.get_json(
+                        "/plugins/{0}/json", self.preferred_name
+                    )
+                    if self.parameters.plugin_options:
+                        data = prepare_options(self.parameters.plugin_options)
+                        self.client.post_json(
+                            "/plugins/{0}/set", self.preferred_name, data=data
+                        )
+                except APIError as e:
+                    self.client.fail(to_text(e))
+
+            self.actions.append(f"Installed plugin {self.preferred_name}")
+            self.changed = True
+
+    def remove_plugin(self) -> None:
+        force = self.parameters.force_remove
+        if self.existing_plugin:
+            if not self.check_mode:
+                try:
+                    self.client.delete_call(
+                        "/plugins/{0}", self.preferred_name, params={"force": force}
+                    )
+                except APIError as e:
+                    self.client.fail(to_text(e))
+
+            self.actions.append(f"Removed plugin {self.preferred_name}")
+            self.changed = True
+
+    def update_plugin(self) -> None:
+        if self.existing_plugin:
+            differences = self.has_different_config()
+            if not differences.empty:
+                if not self.check_mode:
+                    try:
+                        data = prepare_options(self.parameters.plugin_options)
+                        self.client.post_json(
+                            "/plugins/{0}/set", self.preferred_name, data=data
+                        )
+                    except APIError as e:
+                        self.client.fail(to_text(e))
+                self.actions.append(f"Updated plugin {self.preferred_name} settings")
+                self.changed = True
+        else:
+            self.client.fail("Cannot update the plugin: Plugin does not exist")
+
+    def present(self) -> None:
+        differences = DifferenceTracker()
+        if self.existing_plugin:
+            differences = self.has_different_config()
+
+        self.diff_tracker.add(
+            "exists", parameter=True, active=self.existing_plugin is not None
+        )
+
+        if self.existing_plugin:
+            self.update_plugin()
+        else:
+            self.install_plugin()
+
+        if self.diff or self.check_mode or self.parameters.debug:
+            self.diff_tracker.merge(differences)
+
+    def absent(self) -> None:
+        self.remove_plugin()
+
+    def enable(self) -> None:
+        timeout = self.parameters.enable_timeout
+        if self.existing_plugin:
+            if not self.existing_plugin.get("Enabled"):
+                if not self.check_mode:
+                    try:
+                        self.client.post_json(
+                            "/plugins/{0}/enable",
+                            self.preferred_name,
+                            params={"timeout": timeout},
+                        )
+                    except APIError as e:
+                        self.client.fail(to_text(e))
+                self.actions.append(f"Enabled plugin {self.preferred_name}")
+                self.changed = True
+        else:
+            self.install_plugin()
+            if not self.check_mode:
+                try:
+                    self.client.post_json(
+                        "/plugins/{0}/enable",
+                        self.preferred_name,
+                        params={"timeout": timeout},
+                    )
+                except APIError as e:
+                    self.client.fail(to_text(e))
+            self.actions.append(f"Enabled plugin {self.preferred_name}")
+            self.changed = True
+
+    def disable(self) -> None:
+        if self.existing_plugin:
+            if self.existing_plugin.get("Enabled"):
+                if not self.check_mode:
+                    try:
+                        self.client.post_json(
+                            "/plugins/{0}/disable", self.preferred_name
+                        )
+                    except APIError as e:
+                        self.client.fail(to_text(e))
+                self.actions.append(f"Disable plugin {self.preferred_name}")
+                self.changed = True
+        else:
+            self.client.fail("Plugin not found: Plugin does not exist.")
+
+    @property
+    def result(self) -> dict[str, t.Any]:
+        plugin_data = {}
+        if self.parameters.state != "absent":
+            try:
+                plugin_data = self.client.get_json(
+                    "/plugins/{0}/json", self.preferred_name
+                )
+            except NotFound:
+                # This can happen in check mode
+                pass
+        result: dict[str, t.Any] = {
+            "actions": self.actions,
+            "changed": self.changed,
+            "diff": self.diff_result,
+            "plugin": plugin_data,
+        }
+        if (
+            self.parameters.state == "present"
+            and not self.check_mode
+            and not self.parameters.debug
+        ):
+            result["actions"] = None
+        return {k: v for k, v in result.items() if v is not None}
+
+
+def main() -> None:
+    argument_spec = {
+        "alias": {"type": "str"},
+        "plugin_name": {"type": "str", "required": True},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "absent", "enable", "disable"],
+        },
+        "plugin_options": {"type": "dict", "default": {}},
+        "debug": {"type": "bool", "default": False},
+        "force_remove": {"type": "bool", "default": False},
+        "enable_timeout": {"type": "int", "default": 0},
+    }
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        cm = DockerPluginManager(client)
+        client.module.exit_json(**cm.result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_prune.py b/ansible_collections/community/docker/plugins/modules/docker_prune.py
new file mode 100644
index 00000000..211ce3e1
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_prune.py
@@ -0,0 +1,368 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_prune
+
+short_description: Allows to prune various docker objects
+
+description:
+  - Allows to run C(docker container prune), C(docker image prune), C(docker network prune) and C(docker volume prune) through
+    the Docker API.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  idempotent:
+    support: full
+
+options:
+  containers:
+    description:
+      - Whether to prune containers.
+    type: bool
+    default: false
+  containers_filters:
+    description:
+      - A dictionary of filter values used for selecting containers to delete.
+      - 'For example, C(until: 24h).'
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/container_prune/#filtering) for
+        more information on possible filters.
+    type: dict
+  images:
+    description:
+      - Whether to prune images.
+    type: bool
+    default: false
+  images_filters:
+    description:
+      - A dictionary of filter values used for selecting images to delete.
+      - 'For example, C(dangling: true).'
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/image_prune/#filtering) for more
+        information on possible filters.
+    type: dict
+  networks:
+    description:
+      - Whether to prune networks.
+    type: bool
+    default: false
+  networks_filters:
+    description:
+      - A dictionary of filter values used for selecting networks to delete.
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/network_prune/#filtering) for
+        more information on possible filters.
+    type: dict
+  volumes:
+    description:
+      - Whether to prune volumes.
+    type: bool
+    default: false
+  volumes_filters:
+    description:
+      - A dictionary of filter values used for selecting volumes to delete.
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/volume_prune/#filtering) for more
+        information on possible filters.
+    type: dict
+  builder_cache:
+    description:
+      - Whether to prune the builder cache.
+    type: bool
+    default: false
+  builder_cache_all:
+    description:
+      - Whether to remove all types of build cache.
+    type: bool
+    default: false
+    version_added: 3.10.0
+  builder_cache_filters:
+    description:
+      - A dictionary of filter values used for selecting images to delete.
+      - 'For example, C(until: 10m).'
+      - See L(the API documentation,https://docs.docker.com/engine/api/v1.44/#tag/Image/operation/BuildPrune) for more information
+        on possible filters.
+    type: dict
+    version_added: 3.10.0
+  builder_cache_keep_storage:
+    description:
+      - Amount of disk space to keep for cache in format C(<number>[<unit>]).".
+      - Number is a positive integer. Unit can be one of V(B) (byte), V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte),
+        V(T) (tebibyte), or V(P) (pebibyte).
+      - Omitting the unit defaults to bytes.
+    type: str
+    version_added: 3.10.0
+
+author:
+  - "Felix Fontein (@felixfontein)"
+
+notes:
+  - The module always returned C(changed=false) before community.docker 3.5.1.
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Prune containers older than 24h
+  community.docker.docker_prune:
+    containers: true
+    containers_filters:
+      # only consider containers created more than 24 hours ago
+      until: 24h
+
+- name: Prune containers with labels
+  community.docker.docker_prune:
+    containers: true
+    containers_filters:
+      # Prune containers whose "foo" label has value "bar", and
+      # whose "bam" label has value "baz". If you only want to
+      # compare one label, you can provide it as a string instead
+      # of a list with one element.
+      label:
+        - foo=bar
+        - bam=baz
+      # Prune containers whose label "bar" does *not* have value
+      # "baz". If you want to avoid more than one label, you can
+      # provide a list of multiple label-value pairs.
+      "label!": bar=baz
+
+- name: Prune everything
+  community.docker.docker_prune:
+    containers: true
+    images: true
+    networks: true
+    volumes: true
+    builder_cache: true
+
+- name: Prune everything (including non-dangling images)
+  community.docker.docker_prune:
+    containers: true
+    images: true
+    images_filters:
+      dangling: false
+    networks: true
+    volumes: true
+    builder_cache: true
+"""
+
+RETURN = r"""
+# containers
+containers:
+  description:
+    - List of IDs of deleted containers.
+  returned: O(containers=true)
+  type: list
+  elements: str
+  sample: []
+containers_space_reclaimed:
+  description:
+    - Amount of reclaimed disk space from container pruning in bytes.
+  returned: O(containers=true)
+  type: int
+  sample: 0
+
+# images
+images:
+  description:
+    - List of IDs of deleted images.
+  returned: O(images=true)
+  type: list
+  elements: str
+  sample: []
+images_space_reclaimed:
+  description:
+    - Amount of reclaimed disk space from image pruning in bytes.
+  returned: O(images=true)
+  type: int
+  sample: 0
+
+# networks
+networks:
+  description:
+    - List of IDs of deleted networks.
+  returned: O(networks=true)
+  type: list
+  elements: str
+  sample: []
+
+# volumes
+volumes:
+  description:
+    - List of IDs of deleted volumes.
+  returned: O(volumes=true)
+  type: list
+  elements: str
+  sample: []
+volumes_space_reclaimed:
+  description:
+    - Amount of reclaimed disk space from volumes pruning in bytes.
+  returned: O(volumes=true)
+  type: int
+  sample: 0
+
+# builder_cache
+builder_cache_space_reclaimed:
+  description:
+    - Amount of reclaimed disk space from builder cache pruning in bytes.
+  returned: O(builder_cache=true)
+  type: int
+  sample: 0
+builder_cache_caches_deleted:
+  description:
+    - The build caches that were deleted.
+  returned: O(builder_cache=true) and API version is 1.39 or later
+  type: list
+  elements: str
+  sample: []
+  version_added: 3.10.0
+"""
+
+import traceback
+
+from ansible.module_utils.common.text.formatters import human_to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    convert_filters,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    clean_dict_booleans_for_docker_api,
+)
+
+
+def main() -> None:
+    argument_spec = {
+        "containers": {"type": "bool", "default": False},
+        "containers_filters": {"type": "dict"},
+        "images": {"type": "bool", "default": False},
+        "images_filters": {"type": "dict"},
+        "networks": {"type": "bool", "default": False},
+        "networks_filters": {"type": "dict"},
+        "volumes": {"type": "bool", "default": False},
+        "volumes_filters": {"type": "dict"},
+        "builder_cache": {"type": "bool", "default": False},
+        "builder_cache_all": {"type": "bool", "default": False},
+        "builder_cache_filters": {"type": "dict"},
+        "builder_cache_keep_storage": {"type": "str"},  # convert to bytes
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        option_minimal_versions={
+            "builder_cache": {"docker_py_version": "1.31"},
+            "builder_cache_all": {"docker_py_version": "1.39"},
+            "builder_cache_filters": {"docker_py_version": "1.31"},
+            "builder_cache_keep_storage": {"docker_py_version": "1.39"},
+        },
+        # supports_check_mode=True,
+    )
+
+    builder_cache_keep_storage = None
+    if client.module.params.get("builder_cache_keep_storage") is not None:
+        try:
+            builder_cache_keep_storage = human_to_bytes(
+                client.module.params.get("builder_cache_keep_storage")
+            )
+        except ValueError as exc:
+            client.module.fail_json(
+                msg=f"Error while parsing value of builder_cache_keep_storage: {exc}"
+            )
+
+    try:
+        result = {}
+        changed = False
+
+        if client.module.params["containers"]:
+            filters = clean_dict_booleans_for_docker_api(
+                client.module.params.get("containers_filters"), allow_sequences=True
+            )
+            params = {"filters": convert_filters(filters)}
+            res = client.post_to_json("/containers/prune", params=params)
+            result["containers"] = res.get("ContainersDeleted") or []
+            result["containers_space_reclaimed"] = res["SpaceReclaimed"]
+            if result["containers"] or result["containers_space_reclaimed"]:
+                changed = True
+
+        if client.module.params["images"]:
+            filters = clean_dict_booleans_for_docker_api(
+                client.module.params.get("images_filters"), allow_sequences=True
+            )
+            params = {"filters": convert_filters(filters)}
+            res = client.post_to_json("/images/prune", params=params)
+            result["images"] = res.get("ImagesDeleted") or []
+            result["images_space_reclaimed"] = res["SpaceReclaimed"]
+            if result["images"] or result["images_space_reclaimed"]:
+                changed = True
+
+        if client.module.params["networks"]:
+            filters = clean_dict_booleans_for_docker_api(
+                client.module.params.get("networks_filters"), allow_sequences=True
+            )
+            params = {"filters": convert_filters(filters)}
+            res = client.post_to_json("/networks/prune", params=params)
+            result["networks"] = res.get("NetworksDeleted") or []
+            if result["networks"]:
+                changed = True
+
+        if client.module.params["volumes"]:
+            filters = clean_dict_booleans_for_docker_api(
+                client.module.params.get("volumes_filters"), allow_sequences=True
+            )
+            params = {"filters": convert_filters(filters)}
+            res = client.post_to_json("/volumes/prune", params=params)
+            result["volumes"] = res.get("VolumesDeleted") or []
+            result["volumes_space_reclaimed"] = res["SpaceReclaimed"]
+            if result["volumes"] or result["volumes_space_reclaimed"]:
+                changed = True
+
+        if client.module.params["builder_cache"]:
+            filters = clean_dict_booleans_for_docker_api(
+                client.module.params.get("builder_cache_filters"), allow_sequences=True
+            )
+            params = {"filters": convert_filters(filters)}
+            if client.module.params.get("builder_cache_all"):
+                params["all"] = "true"
+            if builder_cache_keep_storage is not None:
+                params["keep-storage"] = builder_cache_keep_storage
+            res = client.post_to_json("/build/prune", params=params)
+            result["builder_cache_space_reclaimed"] = res["SpaceReclaimed"]
+            if result["builder_cache_space_reclaimed"]:
+                changed = True
+            if "CachesDeleted" in res:
+                # API version 1.39+: return value CachesDeleted (list of str)
+                result["builder_cache_caches_deleted"] = res["CachesDeleted"]
+                if result["builder_cache_caches_deleted"]:
+                    changed = True
+
+        result["changed"] = changed
+        client.module.exit_json(**result)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_secret.py b/ansible_collections/community/docker/plugins/modules/docker_secret.py
new file mode 100644
index 00000000..5bcc696d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_secret.py
@@ -0,0 +1,417 @@
+#!/usr/bin/python
+#
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_secret
+
+short_description: Manage docker secrets
+
+description:
+  - Create and remove Docker secrets in a Swarm environment. Similar to C(docker secret create) and C(docker secret rm).
+  - Adds to the metadata of new secrets C(ansible_key), an encrypted hash representation of the data, which is then used in
+    future runs to test if a secret has changed. If C(ansible_key) is not present, then a secret will not be updated unless
+    the O(force) option is set.
+  - Updates to secrets are performed by removing the secret and creating it again.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  idempotent:
+    support: partial
+    details:
+      - If O(force=true) the module is not idempotent.
+
+options:
+  data:
+    description:
+      - The value of the secret.
+      - Mutually exclusive with O(data_src). One of O(data) and O(data_src) is required if O(state=present).
+    type: str
+  data_is_b64:
+    description:
+      - If set to V(true), the data is assumed to be Base64 encoded and will be decoded before being used.
+      - To use binary O(data), it is better to keep it Base64 encoded and let it be decoded by this option.
+    type: bool
+    default: false
+  data_src:
+    description:
+      - The file on the target from which to read the secret.
+      - Mutually exclusive with O(data). One of O(data) and O(data_src) is required if O(state=present).
+    type: path
+    version_added: 1.10.0
+  labels:
+    description:
+      - A map of key:value meta data, where both key and value are expected to be strings.
+      - If new meta data is provided, or existing meta data is modified, the secret will be updated by removing it and creating
+        it again.
+    type: dict
+  force:
+    description:
+      - Use with O(state=present) to always remove and recreate an existing secret.
+      - If V(true), an existing secret will be replaced, even if it has not changed.
+    type: bool
+    default: false
+  rolling_versions:
+    description:
+      - If set to V(true), secrets are created with an increasing version number appended to their name.
+      - Adds a label containing the version number to the managed secrets with the name C(ansible_version).
+    type: bool
+    default: false
+    version_added: 2.2.0
+  versions_to_keep:
+    description:
+      - When using O(rolling_versions), the number of old versions of the secret to keep.
+      - Extraneous old secrets are deleted after the new one is created.
+      - Set to V(-1) to keep everything or to V(0) or V(1) to keep only the current one.
+    type: int
+    default: 5
+    version_added: 2.2.0
+  name:
+    description:
+      - The name of the secret.
+    type: str
+    required: true
+  state:
+    description:
+      - Set to V(present), if the secret should exist, and V(absent), if it should not.
+    type: str
+    default: present
+    choices:
+      - absent
+      - present
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.1.0"
+  - "Docker API >= 1.25"
+
+author:
+  - Chris Houseknecht (@chouseknecht)
+"""
+
+EXAMPLES = r"""
+---
+- name: Create secret foo (from a file on the control machine)
+  community.docker.docker_secret:
+    name: foo
+    # If the file is JSON or binary, Ansible might modify it (because
+    # it is first decoded and later re-encoded). Base64-encoding the
+    # file directly after reading it prevents this to happen.
+    data: "{{ lookup('file', '/path/to/secret/file') | b64encode }}"
+    data_is_b64: true
+    state: present
+
+- name: Create secret foo (from a file on the target machine)
+  community.docker.docker_secret:
+    name: foo
+    data_src: /path/to/secret/file
+    state: present
+
+- name: Change the secret data
+  community.docker.docker_secret:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+    state: present
+
+- name: Add a new label
+  community.docker.docker_secret:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+      # Adding a new label will cause a remove/create of the secret
+      two: '2'
+    state: present
+
+- name: No change
+  community.docker.docker_secret:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: baz
+      one: '1'
+      # Even though 'two' is missing, there is no change to the existing secret
+    state: present
+
+- name: Update an existing label
+  community.docker.docker_secret:
+    name: foo
+    data: Goodnight everyone!
+    labels:
+      bar: monkey # Changing a label will cause a remove/create of the secret
+      one: '1'
+    state: present
+
+- name: Force the removal/creation of the secret
+  community.docker.docker_secret:
+    name: foo
+    data: Goodnight everyone!
+    force: true
+    state: present
+
+- name: Remove secret foo
+  community.docker.docker_secret:
+    name: foo
+    state: absent
+"""
+
+RETURN = r"""
+secret_id:
+  description:
+    - The ID assigned by Docker to the secret object.
+  returned: success and O(state=present)
+  type: str
+  sample: 'hzehrmyjigmcp2gb6nlhmjqcv'
+secret_name:
+  description:
+    - The name of the created secret object.
+  returned: success and O(state=present)
+  type: str
+  sample: 'awesome_secret'
+  version_added: 2.2.0
+"""
+
+import base64
+import hashlib
+import traceback
+import typing as t
+
+try:
+    from docker.errors import APIError, DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible.module_utils.common.text.converters import to_bytes
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    compare_generic,
+    sanitize_labels,
+)
+
+
+class SecretManager(DockerBaseClass):
+    def __init__(self, client: AnsibleDockerClient, results: dict[str, t.Any]) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.check_mode = self.client.check_mode
+
+        parameters = self.client.module.params
+        self.name = parameters.get("name")
+        self.state = parameters.get("state")
+        self.data = parameters.get("data")
+        if self.data is not None:
+            if parameters.get("data_is_b64"):
+                self.data = base64.b64decode(self.data)
+            else:
+                self.data = to_bytes(self.data)
+        data_src = parameters.get("data_src")
+        if data_src is not None:
+            try:
+                with open(data_src, "rb") as f:
+                    self.data = f.read()
+            except Exception as exc:  # pylint: disable=broad-exception-caught
+                self.client.fail(f"Error while reading {data_src}: {exc}")
+        self.labels = parameters.get("labels")
+        self.force = parameters.get("force")
+        self.rolling_versions = parameters.get("rolling_versions")
+        self.versions_to_keep = parameters.get("versions_to_keep")
+
+        if self.rolling_versions:
+            self.version = 0
+        self.data_key: str | None = None
+        self.secrets: list[dict[str, t.Any]] = []
+
+    def __call__(self) -> None:
+        self.get_secret()
+        if self.state == "present":
+            self.data_key = hashlib.sha224(self.data).hexdigest()
+            self.present()
+            self.remove_old_versions()
+        elif self.state == "absent":
+            self.absent()
+
+    def get_version(self, secret: dict[str, t.Any]) -> int:
+        try:
+            return int(
+                secret.get("Spec", {}).get("Labels", {}).get("ansible_version", 0)
+            )
+        except ValueError:
+            return 0
+
+    def remove_old_versions(self) -> None:
+        if not self.rolling_versions or self.versions_to_keep < 0:
+            return
+        if not self.check_mode:
+            while len(self.secrets) > max(self.versions_to_keep, 1):
+                self.remove_secret(self.secrets.pop(0))
+
+    def get_secret(self) -> None:
+        """Find an existing secret."""
+        try:
+            secrets = self.client.secrets(filters={"name": self.name})
+        except APIError as exc:
+            self.client.fail(f"Error accessing secret {self.name}: {exc}")
+
+        if self.rolling_versions:
+            self.secrets = [
+                secret
+                for secret in secrets
+                if secret["Spec"]["Name"].startswith(f"{self.name}_v")
+            ]
+            self.secrets.sort(key=self.get_version)
+        else:
+            self.secrets = [
+                secret for secret in secrets if secret["Spec"]["Name"] == self.name
+            ]
+
+    def create_secret(self) -> str | None:
+        """Create a new secret"""
+        secret_id: str | dict[str, t.Any] | None = None
+        # We cannot see the data after creation, so adding a label we can use for idempotency check
+        labels = {"ansible_key": self.data_key}
+        if self.rolling_versions:
+            self.version += 1
+            labels["ansible_version"] = str(self.version)
+            self.name = f"{self.name}_v{self.version}"
+        if self.labels:
+            labels.update(self.labels)
+
+        try:
+            if not self.check_mode:
+                secret_id = self.client.create_secret(
+                    self.name, self.data, labels=labels
+                )
+                self.secrets += self.client.secrets(filters={"id": secret_id})
+        except APIError as exc:
+            self.client.fail(f"Error creating secret: {exc}")
+
+        if isinstance(secret_id, dict):
+            return secret_id["ID"]
+
+        return secret_id
+
+    def remove_secret(self, secret: dict[str, t.Any]) -> None:
+        try:
+            if not self.check_mode:
+                self.client.remove_secret(secret["ID"])
+        except APIError as exc:
+            self.client.fail(f"Error removing secret {secret['Spec']['Name']}: {exc}")
+
+    def present(self) -> None:
+        """Handles state == 'present', creating or updating the secret"""
+        if self.secrets:
+            secret = self.secrets[-1]
+            self.results["secret_id"] = secret["ID"]
+            self.results["secret_name"] = secret["Spec"]["Name"]
+            data_changed = False
+            attrs = secret.get("Spec", {})
+            if attrs.get("Labels", {}).get("ansible_key"):
+                if attrs["Labels"]["ansible_key"] != self.data_key:
+                    data_changed = True
+            else:
+                if not self.force:
+                    self.client.module.warn(
+                        "'ansible_key' label not found. Secret will not be changed unless the force parameter is set to 'true'"
+                    )
+            labels_changed = not compare_generic(
+                self.labels, attrs.get("Labels"), "allow_more_present", "dict"
+            )
+            if self.rolling_versions:
+                self.version = self.get_version(secret)
+            if data_changed or labels_changed or self.force:
+                # if something changed or force, delete and re-create the secret
+                if not self.rolling_versions:
+                    self.absent()
+                secret_id = self.create_secret()
+                self.results["changed"] = True
+                self.results["secret_id"] = secret_id
+                self.results["secret_name"] = self.name
+        else:
+            self.results["changed"] = True
+            self.results["secret_id"] = self.create_secret()
+            self.results["secret_name"] = self.name
+
+    def absent(self) -> None:
+        """Handles state == 'absent', removing the secret"""
+        if self.secrets:
+            for secret in self.secrets:
+                self.remove_secret(secret)
+            self.results["changed"] = True
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["absent", "present"],
+        },
+        "data": {"type": "str", "no_log": True},
+        "data_is_b64": {"type": "bool", "default": False},
+        "data_src": {"type": "path"},
+        "labels": {"type": "dict"},
+        "force": {"type": "bool", "default": False},
+        "rolling_versions": {"type": "bool", "default": False},
+        "versions_to_keep": {"type": "int", "default": 5},
+    }
+
+    required_if = [
+        ("state", "present", ["data", "data_src"], True),
+    ]
+
+    mutually_exclusive = [
+        ("data", "data_src"),
+    ]
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_if=required_if,
+        mutually_exclusive=mutually_exclusive,
+        min_docker_version="2.1.0",
+    )
+    sanitize_labels(client.module.params["labels"], "labels", client)
+
+    try:
+        results = {"changed": False, "secret_id": "", "secret_name": ""}
+
+        SecretManager(client, results)()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_stack.py b/ansible_collections/community/docker/plugins/modules/docker_stack.py
new file mode 100644
index 00000000..2a2a2c4c
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_stack.py
@@ -0,0 +1,379 @@
+#!/usr/bin/python
+
+# Copyright (c) 2018 Dario Zanzico (git@dariozanzico.com)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_stack
+author: "Dario Zanzico (@dariko)"
+short_description: docker stack module
+description:
+  - Manage docker stacks using the C(docker stack) command on the target node (see examples).
+extends_documentation_fragment:
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+attributes:
+  check_mode:
+    support: none
+  diff_mode:
+    support: none
+  action_group:
+    version_added: 3.6.0
+  idempotent:
+    support: full
+options:
+  name:
+    description:
+      - Stack name.
+    type: str
+    required: true
+  state:
+    description:
+      - Service state.
+    type: str
+    default: "present"
+    choices:
+      - present
+      - absent
+  compose:
+    description:
+      - List of compose definitions. Any element may be a string referring to the path of the compose file on the target host
+        or the YAML contents of a compose file nested as dictionary.
+    type: list
+    elements: raw
+    default: []
+  prune:
+    description:
+      - If true will add the C(--prune) option to the C(docker stack deploy) command. This will have docker remove the services
+        not present in the current stack definition.
+    type: bool
+    default: false
+  detach:
+    description:
+      - If V(false), the C(--detach=false) option is added to the C(docker stack deploy) command, allowing Docker to wait
+        for tasks to converge before exiting.
+      - If V(true) (default), Docker exits immediately instead of waiting for tasks to converge.
+    type: bool
+    default: true
+    version_added: 4.1.0
+  with_registry_auth:
+    description:
+      - If true will add the C(--with-registry-auth) option to the C(docker stack deploy) command. This will have docker send
+        registry authentication details to Swarm agents.
+    type: bool
+    default: false
+  resolve_image:
+    description:
+      - If set will add the C(--resolve-image) option to the C(docker stack deploy) command. This will have docker query the
+        registry to resolve image digest and supported platforms. If not set, docker use "always" by default.
+    type: str
+    choices: ["always", "changed", "never"]
+  absent_retries:
+    description:
+      - If larger than V(0) and O(state=absent) the module will retry up to O(absent_retries) times to delete the stack until
+        all the resources have been effectively deleted. If the last try still reports the stack as not completely removed
+        the module will fail.
+    type: int
+    default: 0
+  absent_retries_interval:
+    description:
+      - Interval in seconds between consecutive O(absent_retries).
+    type: int
+    default: 1
+  docker_cli:
+    version_added: 3.6.0
+  docker_host:
+    version_added: 3.6.0
+  tls_hostname:
+    version_added: 3.6.0
+  api_version:
+    version_added: 3.6.0
+  ca_path:
+    version_added: 3.6.0
+  client_cert:
+    version_added: 3.6.0
+  client_key:
+    version_added: 3.6.0
+  tls:
+    version_added: 3.6.0
+  validate_certs:
+    version_added: 3.6.0
+  cli_context:
+    version_added: 3.6.0
+
+requirements:
+  - Docker CLI tool C(docker)
+  - jsondiff
+  - pyyaml
+"""
+
+RETURN = r"""
+stack_spec_diff:
+  description: |-
+    Dictionary containing the differences between the 'Spec' field
+    of the stack services before and after applying the new stack
+    definition.
+  sample: >
+    "stack_spec_diff":
+    {'test_stack_test_service': {'TaskTemplate': {'ContainerSpec': {delete: ['Env']}}}}
+  returned: on change
+  type: dict
+"""
+
+EXAMPLES = r"""
+---
+- name: Deploy stack from a compose file
+  community.docker.docker_stack:
+    state: present
+    name: mystack
+    compose:
+      - /opt/docker-compose.yml
+
+- name: Deploy stack from base compose file and override the web service
+  community.docker.docker_stack:
+    state: present
+    name: mystack
+    compose:
+      - /opt/docker-compose.yml
+      - version: '3'
+        services:
+          web:
+            image: nginx:latest
+            environment:
+              ENVVAR: envvar
+
+- name: Remove stack
+  community.docker.docker_stack:
+    name: mystack
+    state: absent
+"""
+
+
+import json
+import os
+import tempfile
+import traceback
+import typing as t
+from time import sleep
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+
+try:
+    from jsondiff import diff as json_diff
+
+    HAS_JSONDIFF = True
+except ImportError:
+    HAS_JSONDIFF = False
+
+try:
+    from yaml import dump as yaml_dump
+
+    HAS_YAML = True
+except ImportError:
+    HAS_YAML = False
+
+
+def docker_stack_services(
+    client: AnsibleModuleDockerClient, stack_name: str
+) -> list[str]:
+    dummy_rc, out, err = client.call_cli(
+        "stack", "services", stack_name, "--format", "{{.Name}}"
+    )
+    if to_text(err) == f"Nothing found in stack: {stack_name}\n":
+        return []
+    return to_text(out).strip().split("\n")
+
+
+def docker_service_inspect(
+    client: AnsibleModuleDockerClient, service_name: str
+) -> dict[str, t.Any] | None:
+    rc, out, dummy_err = client.call_cli("service", "inspect", service_name)
+    if rc != 0:
+        return None
+    ret = json.loads(out)[0]["Spec"]
+    return ret
+
+
+def docker_stack_deploy(
+    client: AnsibleModuleDockerClient, stack_name: str, compose_files: list[str]
+) -> tuple[int, str, str]:
+    command = ["stack", "deploy"]
+    if client.module.params["prune"]:
+        command += ["--prune"]
+    if not client.module.params["detach"]:
+        command += ["--detach=false"]
+    if client.module.params["with_registry_auth"]:
+        command += ["--with-registry-auth"]
+    if client.module.params["resolve_image"]:
+        command += ["--resolve-image", client.module.params["resolve_image"]]
+    for compose_file in compose_files:
+        command += ["--compose-file", compose_file]
+    command += [stack_name]
+    rc, out, err = client.call_cli(*command)
+    return rc, to_text(out), to_text(err)
+
+
+def docker_stack_inspect(
+    client: AnsibleModuleDockerClient, stack_name: str
+) -> dict[str, dict[str, t.Any] | None]:
+    ret: dict[str, dict[str, t.Any] | None] = {}
+    for service_name in docker_stack_services(client, stack_name):
+        ret[service_name] = docker_service_inspect(client, service_name)
+    return ret
+
+
+def docker_stack_rm(
+    client: AnsibleModuleDockerClient,
+    stack_name: str,
+    retries: int,
+    interval: int | float,
+) -> tuple[int, str, str]:
+    command = ["stack", "rm", stack_name]
+    if not client.module.params["detach"]:
+        command += ["--detach=false"]
+    rc, out, err = client.call_cli(*command)
+
+    while to_text(err) != f"Nothing found in stack: {stack_name}\n" and retries > 0:
+        sleep(interval)
+        retries = retries - 1
+        rc, out, err = client.call_cli(*command)
+    return rc, to_text(out), to_text(err)
+
+
+def main() -> None:
+    client = AnsibleModuleDockerClient(
+        argument_spec={
+            "name": {"type": "str", "required": True},
+            "compose": {"type": "list", "elements": "raw", "default": []},
+            "prune": {"type": "bool", "default": False},
+            "detach": {"type": "bool", "default": True},
+            "with_registry_auth": {"type": "bool", "default": False},
+            "resolve_image": {"type": "str", "choices": ["always", "changed", "never"]},
+            "state": {
+                "type": "str",
+                "default": "present",
+                "choices": ["present", "absent"],
+            },
+            "absent_retries": {"type": "int", "default": 0},
+            "absent_retries_interval": {"type": "int", "default": 1},
+        },
+        supports_check_mode=False,
+    )
+
+    if not HAS_JSONDIFF:
+        client.fail("jsondiff is not installed, try 'pip install jsondiff'")
+
+    if not HAS_YAML:
+        client.fail("yaml is not installed, try 'pip install pyyaml'")
+
+    try:
+        state = client.module.params["state"]
+        compose = client.module.params["compose"]
+        name = client.module.params["name"]
+        absent_retries = client.module.params["absent_retries"]
+        absent_retries_interval = client.module.params["absent_retries_interval"]
+
+        if state == "present":
+            if not compose:
+                client.fail(
+                    "compose parameter must be a list containing at least one element"
+                )
+
+            compose_files = []
+            for compose_def in compose:
+                if isinstance(compose_def, dict):
+                    compose_file_fd, compose_file = tempfile.mkstemp()
+                    client.module.add_cleanup_file(compose_file)
+                    with os.fdopen(compose_file_fd, "w") as stack_file:
+                        compose_files.append(compose_file)
+                        stack_file.write(yaml_dump(compose_def))
+                elif isinstance(compose_def, str):
+                    compose_files.append(compose_def)
+                else:
+                    client.fail(
+                        f"compose element '{compose_def}' must be a string or a dictionary"
+                    )
+
+            before_stack_services = docker_stack_inspect(client, name)
+
+            rc, out, err = docker_stack_deploy(client, name, compose_files)
+
+            after_stack_services = docker_stack_inspect(client, name)
+
+            if rc != 0:
+                client.fail(
+                    "docker stack up deploy command failed",
+                    rc=rc,
+                    stdout=out,
+                    stderr=err,
+                )
+
+            before_after_differences = json_diff(
+                before_stack_services, after_stack_services
+            )
+            for k in before_after_differences:
+                if isinstance(before_after_differences[k], dict):
+                    before_after_differences[k].pop("UpdatedAt", None)
+                    before_after_differences[k].pop("Version", None)
+                    if not list(before_after_differences[k].keys()):
+                        before_after_differences.pop(k)
+
+            if not before_after_differences:
+                client.module.exit_json(
+                    changed=False,
+                    rc=rc,
+                    stdout=out,
+                    stderr=err,
+                )
+            else:
+                client.module.exit_json(
+                    changed=True,
+                    rc=rc,
+                    stdout=out,
+                    stderr=err,
+                    stack_spec_diff=json_diff(
+                        before_stack_services,
+                        after_stack_services,
+                        dump=True,
+                    ),
+                )
+
+        else:
+            if docker_stack_services(client, name):
+                rc, out, err = docker_stack_rm(
+                    client, name, absent_retries, absent_retries_interval
+                )
+                if rc != 0:
+                    client.module.fail_json(
+                        msg="'docker stack down' command failed",
+                        rc=rc,
+                        stdout=out,
+                        stderr=err,
+                    )
+                else:
+                    client.module.exit_json(
+                        changed=True,
+                        msg=out,
+                        rc=rc,
+                        stdout=out,
+                        stderr=err,
+                    )
+            client.module.exit_json(changed=False)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_stack_info.py b/ansible_collections/community/docker/plugins/modules/docker_stack_info.py
new file mode 100644
index 00000000..59f684e0
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_stack_info.py
@@ -0,0 +1,112 @@
+#!/usr/bin/python
+
+# Copyright (c) 2020 Jose Angel Munoz (@imjoseangel)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_stack_info
+author: "Jose Angel Munoz (@imjoseangel)"
+short_description: Return information on all docker stacks
+description:
+  - Retrieve information on docker stacks using the C(docker stack) command on the target node (see examples).
+requirements:
+  - Docker CLI tool C(docker)
+extends_documentation_fragment:
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+attributes:
+  action_group:
+    version_added: 3.6.0
+options:
+  docker_cli:
+    version_added: 3.6.0
+  docker_host:
+    version_added: 3.6.0
+  tls_hostname:
+    version_added: 3.6.0
+  api_version:
+    version_added: 3.6.0
+  ca_path:
+    version_added: 3.6.0
+  client_cert:
+    version_added: 3.6.0
+  client_key:
+    version_added: 3.6.0
+  tls:
+    version_added: 3.6.0
+  validate_certs:
+    version_added: 3.6.0
+  cli_context:
+    version_added: 3.6.0
+seealso:
+  - module: community.docker.docker_stack_task_info
+    description: >-
+      To retrieve detailed information about the services under a specific stack use the M(community.docker.docker_stack_task_info)
+      module.
+"""
+
+RETURN = r"""
+results:
+  description:
+    - List of dictionaries containing the list of stacks on the target node.
+  sample:
+    - {"name": "grafana", "namespace": "default", "orchestrator": "Kubernetes", "services": "2"}
+  returned: always
+  type: list
+  elements: dict
+"""
+
+EXAMPLES = r"""
+---
+- name: Shows stack info
+  community.docker.docker_stack_info:
+  register: result
+
+- name: Show results
+  ansible.builtin.debug:
+    var: result.results
+"""
+
+import json
+import traceback
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+
+
+def main() -> None:
+    client = AnsibleModuleDockerClient(
+        argument_spec={},
+        supports_check_mode=True,
+    )
+
+    try:
+        rc, ret, stderr = client.call_cli_json_stream(
+            "stack", "ls", "--format={{json .}}", check_rc=True
+        )
+        client.module.exit_json(
+            changed=False,
+            rc=rc,
+            stdout="\n".join([json.dumps(entry) for entry in ret]),
+            stderr=to_text(stderr).strip(),
+            results=ret,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_stack_task_info.py b/ansible_collections/community/docker/plugins/modules/docker_stack_task_info.py
new file mode 100644
index 00000000..e6caefc5
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_stack_task_info.py
@@ -0,0 +1,121 @@
+#!/usr/bin/python
+
+# Copyright (c) 2020 Jose Angel Munoz (@imjoseangel)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_stack_task_info
+author: "Jose Angel Munoz (@imjoseangel)"
+short_description: Return information of the tasks on a docker stack
+description:
+  - Retrieve information on docker stacks tasks using the C(docker stack) command on the target node (see examples).
+extends_documentation_fragment:
+  - community.docker._docker.cli_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+attributes:
+  action_group:
+    version_added: 3.6.0
+options:
+  name:
+    description:
+      - Stack name.
+    type: str
+    required: true
+  docker_cli:
+    version_added: 3.6.0
+  docker_host:
+    version_added: 3.6.0
+  tls_hostname:
+    version_added: 3.6.0
+  api_version:
+    version_added: 3.6.0
+  ca_path:
+    version_added: 3.6.0
+  client_cert:
+    version_added: 3.6.0
+  client_key:
+    version_added: 3.6.0
+  tls:
+    version_added: 3.6.0
+  validate_certs:
+    version_added: 3.6.0
+  cli_context:
+    version_added: 3.6.0
+requirements:
+  - Docker CLI tool C(docker)
+"""
+
+RETURN = r"""
+results:
+  description:
+    - List of dictionaries containing the list of tasks associated to a stack name.
+  sample:
+    - CurrentState: Running
+      DesiredState: Running
+      Error: ""
+      ID: 7wqv6m02ugkw
+      Image: busybox
+      Name: test_stack.1
+      Node: swarm
+      Ports: ""
+  returned: always
+  type: list
+  elements: dict
+"""
+
+EXAMPLES = r"""
+---
+- name: Shows stack info
+  community.docker.docker_stack_task_info:
+    name: test_stack
+  register: result
+
+- name: Show results
+  ansible.builtin.debug:
+    var: result.results
+"""
+
+import json
+import traceback
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common_cli import (
+    AnsibleModuleDockerClient,
+    DockerException,
+)
+
+
+def main() -> None:
+    client = AnsibleModuleDockerClient(
+        argument_spec={"name": {"type": "str", "required": True}},
+        supports_check_mode=True,
+    )
+
+    try:
+        name = client.module.params["name"]
+        rc, ret, stderr = client.call_cli_json_stream(
+            "stack", "ps", name, "--format={{json .}}", check_rc=True
+        )
+        client.module.exit_json(
+            changed=False,
+            rc=rc,
+            stdout="\n".join([json.dumps(entry) for entry in ret]),
+            stderr=to_text(stderr).strip(),
+            results=ret,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_swarm.py b/ansible_collections/community/docker/plugins/modules/docker_swarm.py
new file mode 100644
index 00000000..65aca598
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_swarm.py
@@ -0,0 +1,755 @@
+#!/usr/bin/python
+
+# Copyright 2016 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_swarm
+short_description: Manage Swarm cluster
+description:
+  - Create a new Swarm cluster.
+  - Add/Remove nodes or managers to an existing cluster.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  advertise_addr:
+    description:
+      - Externally reachable address advertised to other nodes.
+      - This can either be an address/port combination in the form V(192.168.1.1:4567), or an interface followed by a port
+        number, like V(eth0:4567).
+      - If the port number is omitted, the port number from the listen address is used.
+      - If O(advertise_addr) is not specified, it will be automatically detected when possible.
+      - Only used when swarm is initialised or joined. Because of this it is not considered for idempotency checking.
+    type: str
+  default_addr_pool:
+    description:
+      - Default address pool in CIDR format.
+      - Only used when swarm is initialised. Because of this it is not considered for idempotency checking.
+      - Requires API version >= 1.39.
+    type: list
+    elements: str
+  subnet_size:
+    description:
+      - Default address pool subnet mask length.
+      - Only used when swarm is initialised. Because of this it is not considered for idempotency checking.
+      - Requires API version >= 1.39.
+    type: int
+  listen_addr:
+    description:
+      - Listen address used for inter-manager communication.
+      - This can either be an address/port combination in the form V(192.168.1.1:4567), or an interface followed by a port
+        number, like V(eth0:4567).
+      - If the port number is omitted, the default swarm listening port is used.
+      - Only used when swarm is initialised or joined. Because of this it is not considered for idempotency checking.
+    type: str
+    default: 0.0.0.0:2377
+  force:
+    description:
+      - Use with state V(present) to force creating a new Swarm, even if already part of one.
+      - Use with state V(absent) to Leave the swarm even if this node is a manager.
+    type: bool
+    default: false
+  state:
+    description:
+      - Set to V(present), to create/update a new cluster.
+      - Set to V(join), to join an existing cluster.
+      - Set to V(absent), to leave an existing cluster.
+      - Set to V(remove), to remove an absent node from the cluster. Note that removing requires Docker SDK for Python >=
+        2.4.0.
+      - M(community.docker.docker_node) can be used to demote a manager before removal.
+    type: str
+    default: present
+    choices:
+      - present
+      - join
+      - absent
+      - remove
+  node_id:
+    description:
+      - Swarm id of the node to remove.
+      - Used with O(state=remove).
+    type: str
+  join_token:
+    description:
+      - Swarm token used to join a swarm cluster.
+      - Used with O(state=join).
+      - If this value is specified, the corresponding value in the return values will be censored by Ansible. This is a side-effect
+        of this value not being logged.
+    type: str
+  remote_addrs:
+    description:
+      - Remote address of one or more manager nodes of an existing Swarm to connect to.
+      - Used with O(state=join).
+    type: list
+    elements: str
+  task_history_retention_limit:
+    description:
+      - Maximum number of tasks history stored.
+      - Docker default value is V(5).
+    type: int
+  snapshot_interval:
+    description:
+      - Number of logs entries between snapshot.
+      - Docker default value is V(10000).
+    type: int
+  keep_old_snapshots:
+    description:
+      - Number of snapshots to keep beyond the current snapshot.
+      - Docker default value is V(0).
+    type: int
+  log_entries_for_slow_followers:
+    description:
+      - Number of log entries to keep around to sync up slow followers after a snapshot is created.
+    type: int
+  heartbeat_tick:
+    description:
+      - Amount of ticks (in seconds) between each heartbeat.
+      - Docker default value is V(1) seconds.
+    type: int
+  election_tick:
+    description:
+      - Amount of ticks (in seconds) needed without a leader to trigger a new election.
+      - Docker default value is V(10) seconds.
+    type: int
+  dispatcher_heartbeat_period:
+    description:
+      - The delay (in nanoseconds) for an agent to send a heartbeat to the dispatcher.
+      - Docker default value is 5 seconds, which corresponds to a value of V(5000000000).
+    type: int
+  node_cert_expiry:
+    description:
+      - Automatic expiry for nodes certificates, given in nanoseconds.
+      - Docker default value is 90 days, which corresponds to a value of V(7776000000000000).
+    type: int
+  name:
+    description:
+      - The name of the swarm.
+    type: str
+  labels:
+    description:
+      - User-defined key/value metadata.
+      - Label operations in this module apply to the docker swarm cluster. Use M(community.docker.docker_node) module to add/modify/remove
+        swarm node labels.
+      - Requires API version >= 1.32.
+    type: dict
+  signing_ca_cert:
+    description:
+      - The desired signing CA certificate for all swarm node TLS leaf certificates, in PEM format.
+      - This must not be a path to a certificate, but the contents of the certificate.
+      - Requires API version >= 1.30.
+    type: str
+  signing_ca_key:
+    description:
+      - The desired signing CA key for all swarm node TLS leaf certificates, in PEM format.
+      - This must not be a path to a key, but the contents of the key.
+      - Requires API version >= 1.30.
+    type: str
+  ca_force_rotate:
+    description:
+      - An integer whose purpose is to force swarm to generate a new signing CA certificate and key, if none have been specified.
+      - Docker default value is V(0).
+      - Requires API version >= 1.30.
+    type: int
+  autolock_managers:
+    description:
+      - If set, generate a key and use it to lock data stored on the managers.
+      - Docker default value is V(false).
+      - M(community.docker.docker_swarm_info) can be used to retrieve the unlock key.
+    type: bool
+  rotate_worker_token:
+    description: Rotate the worker join token.
+    type: bool
+    default: false
+  rotate_manager_token:
+    description: Rotate the manager join token.
+    type: bool
+    default: false
+  data_path_addr:
+    description:
+      - Address or interface to use for data path traffic.
+      - This can either be an address in the form V(192.168.1.1), or an interface, like V(eth0).
+      - Only used when swarm is initialised or joined. Because of this it is not considered for idempotency checking.
+      - Requires API version >= 1.30.
+    type: str
+    version_added: 2.5.0
+  data_path_port:
+    description:
+      - Port to use for data path traffic.
+      - This needs to be a port number like V(9789).
+      - Only used when swarm is initialised. Because of this it is not considered for idempotency checking.
+      - Requires API version >= 1.40.
+    type: int
+    version_added: 3.1.0
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.0.0"
+  - Docker API >= 1.25
+author:
+  - Thierry Bouvet (@tbouvet)
+  - Piotr Wojciechowski (@WojciechowskiPiotr)
+"""
+
+EXAMPLES = r"""
+---
+- name: Init a new swarm with default parameters
+  community.docker.docker_swarm:
+    state: present
+
+- name: Update swarm configuration
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 5
+
+- name: Add nodes
+  community.docker.docker_swarm:
+    state: join
+    advertise_addr: 192.168.1.2
+    join_token: SWMTKN-1--xxxxx
+    remote_addrs: ['192.168.1.1:2377']
+
+- name: Leave swarm for a node
+  community.docker.docker_swarm:
+    state: absent
+
+- name: Remove a swarm manager
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+
+- name: Remove node from swarm
+  community.docker.docker_swarm:
+    state: remove
+    node_id: mynode
+
+- name: Init a new swarm with different data path interface
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: eth0
+    data_path_addr: ens10
+
+- name: Init a new swarm with a different data path port
+  community.docker.docker_swarm:
+    state: present
+    data_path_port: 9789
+"""
+
+RETURN = r"""
+swarm_facts:
+  description: Information about swarm.
+  returned: success
+  type: dict
+  contains:
+    JoinTokens:
+      description: Tokens to connect to the Swarm.
+      returned: success
+      type: dict
+      contains:
+        Worker:
+          description:
+            - Token to join the cluster as a new *worker* node.
+            - B(Note:) if this value has been specified as O(join_token), the value here will not be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER).
+              If you pass O(join_token), make sure your playbook/role does not depend on this return value!
+          returned: success
+          type: str
+          example: SWMTKN-1--xxxxx
+        Manager:
+          description:
+            - Token to join the cluster as a new *manager* node.
+            - B(Note:) if this value has been specified as O(join_token), the value here will not be the token, but C(VALUE_SPECIFIED_IN_NO_LOG_PARAMETER).
+              If you pass O(join_token), make sure your playbook/role does not depend on this return value!
+          returned: success
+          type: str
+          example: SWMTKN-1--xxxxx
+    UnlockKey:
+      description: The swarm unlock-key if O(autolock_managers=true).
+      returned: on success if O(autolock_managers=true) and swarm is initialised, or if O(autolock_managers) has changed.
+      type: str
+      example: SWMKEY-1-xxx
+
+actions:
+  description: Provides the actions done on the swarm.
+  returned: when action failed.
+  type: list
+  elements: str
+  example: ['This cluster is already a swarm cluster']
+"""
+
+import json
+import traceback
+import typing as t
+
+try:
+    from docker.errors import APIError, DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._swarm import (
+    AnsibleDockerSwarmClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+    sanitize_labels,
+)
+
+
+class TaskParameters(DockerBaseClass):
+    def __init__(self) -> None:
+        super().__init__()
+
+        self.advertise_addr: str | None = None
+        self.listen_addr: str | None = None
+        self.remote_addrs: list[str] | None = None
+        self.join_token: str | None = None
+        self.data_path_addr: str | None = None
+        self.data_path_port: int | None = None
+        self.spec = None
+
+        # Spec
+        self.snapshot_interval: int | None = None
+        self.task_history_retention_limit: int | None = None
+        self.keep_old_snapshots: int | None = None
+        self.log_entries_for_slow_followers: int | None = None
+        self.heartbeat_tick: int | None = None
+        self.election_tick: int | None = None
+        self.dispatcher_heartbeat_period: int | None = None
+        self.node_cert_expiry: int | None = None
+        self.name: str | None = None
+        self.labels: dict[str, t.Any] | None = None
+        self.log_driver = None
+        self.signing_ca_cert: str | None = None
+        self.signing_ca_key: str | None = None
+        self.ca_force_rotate: int | None = None
+        self.autolock_managers: bool | None = None
+        self.rotate_worker_token: bool | None = None
+        self.rotate_manager_token: bool | None = None
+        self.default_addr_pool: list[str] | None = None
+        self.subnet_size: int | None = None
+
+    @staticmethod
+    def from_ansible_params(client: AnsibleDockerSwarmClient) -> TaskParameters:
+        result = TaskParameters()
+        for key, value in client.module.params.items():
+            if key in result.__dict__:
+                setattr(result, key, value)
+
+        result.update_parameters(client)
+        return result
+
+    def update_from_swarm_info(self, swarm_info: dict[str, t.Any]) -> None:
+        spec = swarm_info["Spec"]
+
+        ca_config = spec.get("CAConfig") or {}
+        if self.node_cert_expiry is None:
+            self.node_cert_expiry = ca_config.get("NodeCertExpiry")
+        if self.ca_force_rotate is None:
+            self.ca_force_rotate = ca_config.get("ForceRotate")
+
+        dispatcher = spec.get("Dispatcher") or {}
+        if self.dispatcher_heartbeat_period is None:
+            self.dispatcher_heartbeat_period = dispatcher.get("HeartbeatPeriod")
+
+        raft = spec.get("Raft") or {}
+        if self.snapshot_interval is None:
+            self.snapshot_interval = raft.get("SnapshotInterval")
+        if self.keep_old_snapshots is None:
+            self.keep_old_snapshots = raft.get("KeepOldSnapshots")
+        if self.heartbeat_tick is None:
+            self.heartbeat_tick = raft.get("HeartbeatTick")
+        if self.log_entries_for_slow_followers is None:
+            self.log_entries_for_slow_followers = raft.get("LogEntriesForSlowFollowers")
+        if self.election_tick is None:
+            self.election_tick = raft.get("ElectionTick")
+
+        orchestration = spec.get("Orchestration") or {}
+        if self.task_history_retention_limit is None:
+            self.task_history_retention_limit = orchestration.get(
+                "TaskHistoryRetentionLimit"
+            )
+
+        encryption_config = spec.get("EncryptionConfig") or {}
+        if self.autolock_managers is None:
+            self.autolock_managers = encryption_config.get("AutoLockManagers")
+
+        if self.name is None:
+            self.name = spec["Name"]
+
+        if self.labels is None:
+            self.labels = spec.get("Labels") or {}
+
+        if "LogDriver" in spec["TaskDefaults"]:
+            self.log_driver = spec["TaskDefaults"]["LogDriver"]
+
+    def update_parameters(self, client: AnsibleDockerSwarmClient) -> None:
+        assign = {
+            "snapshot_interval": "snapshot_interval",
+            "task_history_retention_limit": "task_history_retention_limit",
+            "keep_old_snapshots": "keep_old_snapshots",
+            "log_entries_for_slow_followers": "log_entries_for_slow_followers",
+            "heartbeat_tick": "heartbeat_tick",
+            "election_tick": "election_tick",
+            "dispatcher_heartbeat_period": "dispatcher_heartbeat_period",
+            "node_cert_expiry": "node_cert_expiry",
+            "name": "name",
+            "labels": "labels",
+            "signing_ca_cert": "signing_ca_cert",
+            "signing_ca_key": "signing_ca_key",
+            "ca_force_rotate": "ca_force_rotate",
+            "autolock_managers": "autolock_managers",
+            "log_driver": "log_driver",
+        }
+        params = {}
+        for dest, source in assign.items():
+            if not client.option_minimal_versions[source]["supported"]:
+                continue
+            value = getattr(self, source)
+            if value is not None:
+                params[dest] = value
+        self.spec = client.create_swarm_spec(**params)
+
+    def compare_to_active(
+        self,
+        other: TaskParameters,
+        client: AnsibleDockerSwarmClient,
+        differences: DifferenceTracker,
+    ) -> DifferenceTracker:
+        for k in self.__dict__:
+            if k in (
+                "advertise_addr",
+                "listen_addr",
+                "remote_addrs",
+                "join_token",
+                "rotate_worker_token",
+                "rotate_manager_token",
+                "spec",
+                "default_addr_pool",
+                "subnet_size",
+                "data_path_addr",
+                "data_path_port",
+            ):
+                continue
+            if not client.option_minimal_versions[k]["supported"]:
+                continue
+            value = getattr(self, k)
+            if value is None:
+                continue
+            other_value = getattr(other, k)
+            if value != other_value:
+                differences.add(k, parameter=value, active=other_value)
+        if self.rotate_worker_token:
+            differences.add("rotate_worker_token", parameter=True, active=False)
+        if self.rotate_manager_token:
+            differences.add("rotate_manager_token", parameter=True, active=False)
+        return differences
+
+
+class SwarmManager(DockerBaseClass):
+    def __init__(
+        self, client: AnsibleDockerSwarmClient, results: dict[str, t.Any]
+    ) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.check_mode = self.client.check_mode
+        self.swarm_info: dict[str, t.Any] = {}
+
+        self.state: t.Literal["present", "join", "absent", "remove"] = (
+            client.module.params["state"]
+        )
+        self.force: bool = client.module.params["force"]
+        self.node_id: str | None = client.module.params["node_id"]
+
+        self.differences = DifferenceTracker()
+        self.parameters = TaskParameters.from_ansible_params(client)
+
+        self.created = False
+
+    def __call__(self) -> None:
+        choice_map = {
+            "present": self.init_swarm,
+            "join": self.join,
+            "absent": self.leave,
+            "remove": self.remove,
+        }
+
+        choice_map[self.state]()
+
+        if self.client.module._diff or self.parameters.debug:
+            diff = {}
+            diff["before"], diff["after"] = self.differences.get_before_after()
+            self.results["diff"] = diff
+
+    def inspect_swarm(self) -> None:
+        try:
+            data = self.client.inspect_swarm()
+            json_str = json.dumps(data, ensure_ascii=False)
+            self.swarm_info = json.loads(json_str)
+
+            self.results["changed"] = False
+            self.results["swarm_facts"] = self.swarm_info
+
+            unlock_key = self.get_unlock_key()
+            self.swarm_info.update(unlock_key)
+        except APIError:
+            pass
+
+    def get_unlock_key(self) -> dict[str, t.Any]:
+        default = {"UnlockKey": None}
+        if not self.has_swarm_lock_changed():
+            return default
+        try:
+            return self.client.get_unlock_key() or default
+        except APIError:
+            return default
+
+    def has_swarm_lock_changed(self) -> bool:
+        return bool(self.parameters.autolock_managers) and (
+            self.created or self.differences.has_difference_for("autolock_managers")
+        )
+
+    def init_swarm(self) -> None:
+        if not self.force and self.client.check_if_swarm_manager():
+            self.__update_swarm()
+            return
+
+        if not self.check_mode:
+            init_arguments: dict[str, t.Any] = {
+                "advertise_addr": self.parameters.advertise_addr,
+                "listen_addr": self.parameters.listen_addr,
+                "force_new_cluster": self.force,
+                "swarm_spec": self.parameters.spec,
+            }
+            if self.parameters.default_addr_pool is not None:
+                init_arguments["default_addr_pool"] = self.parameters.default_addr_pool
+            if self.parameters.subnet_size is not None:
+                init_arguments["subnet_size"] = self.parameters.subnet_size
+            if self.parameters.data_path_addr is not None:
+                init_arguments["data_path_addr"] = self.parameters.data_path_addr
+            if self.parameters.data_path_port is not None:
+                init_arguments["data_path_port"] = self.parameters.data_path_port
+            try:
+                self.client.init_swarm(**init_arguments)
+            except APIError as exc:
+                self.client.fail(f"Can not create a new Swarm Cluster: {exc}")
+
+        if not self.client.check_if_swarm_manager() and not self.check_mode:
+            self.client.fail("Swarm not created or other error!")
+
+        self.created = True
+        self.inspect_swarm()
+        self.results["actions"].append(
+            f"New Swarm cluster created: {self.swarm_info.get('ID')}"
+        )
+        self.differences.add("state", parameter="present", active="absent")
+        self.results["changed"] = True
+        self.results["swarm_facts"] = {
+            "JoinTokens": self.swarm_info.get("JoinTokens"),
+            "UnlockKey": self.swarm_info.get("UnlockKey"),
+        }
+
+    def __update_swarm(self) -> None:
+        try:
+            self.inspect_swarm()
+            version = self.swarm_info["Version"]["Index"]
+            self.parameters.update_from_swarm_info(self.swarm_info)
+            old_parameters = TaskParameters()
+            old_parameters.update_from_swarm_info(self.swarm_info)
+            self.parameters.compare_to_active(
+                old_parameters, self.client, self.differences
+            )
+            if self.differences.empty:
+                self.results["actions"].append("No modification")
+                self.results["changed"] = False
+                return
+            update_parameters = TaskParameters.from_ansible_params(self.client)
+            update_parameters.update_parameters(self.client)
+            if not self.check_mode:
+                self.client.update_swarm(
+                    version=version,
+                    swarm_spec=update_parameters.spec,
+                    rotate_worker_token=self.parameters.rotate_worker_token,
+                    rotate_manager_token=self.parameters.rotate_manager_token,
+                )
+        except APIError as exc:
+            self.client.fail(f"Can not update a Swarm Cluster: {exc}")
+
+        self.inspect_swarm()
+        self.results["actions"].append("Swarm cluster updated")
+        self.results["changed"] = True
+
+    def join(self) -> None:
+        if self.client.check_if_swarm_node():
+            self.results["actions"].append("This node is already part of a swarm.")
+            return
+        if not self.check_mode:
+            join_arguments = {
+                "remote_addrs": self.parameters.remote_addrs,
+                "join_token": self.parameters.join_token,
+                "listen_addr": self.parameters.listen_addr,
+                "advertise_addr": self.parameters.advertise_addr,
+            }
+            if self.parameters.data_path_addr is not None:
+                join_arguments["data_path_addr"] = self.parameters.data_path_addr
+            try:
+                self.client.join_swarm(**join_arguments)
+            except APIError as exc:
+                self.client.fail(f"Can not join the Swarm Cluster: {exc}")
+        self.results["actions"].append("New node is added to swarm cluster")
+        self.differences.add("joined", parameter=True, active=False)
+        self.results["changed"] = True
+
+    def leave(self) -> None:
+        if not self.client.check_if_swarm_node():
+            self.results["actions"].append("This node is not part of a swarm.")
+            return
+        if not self.check_mode:
+            try:
+                self.client.leave_swarm(force=self.force)
+            except APIError as exc:
+                self.client.fail(f"This node can not leave the Swarm Cluster: {exc}")
+        self.results["actions"].append("Node has left the swarm cluster")
+        self.differences.add("joined", parameter="absent", active="present")
+        self.results["changed"] = True
+
+    def remove(self) -> None:
+        if not self.client.check_if_swarm_manager():
+            self.client.fail("This node is not a manager.")
+
+        try:
+            status_down = self.client.check_if_swarm_node_is_down(
+                node_id=self.node_id, repeat_check=5
+            )
+        except APIError:
+            return
+
+        if not status_down:
+            self.client.fail(
+                "Can not remove the node. The status node is ready and not down."
+            )
+
+        if not self.check_mode:
+            try:
+                self.client.remove_node(node_id=self.node_id, force=self.force)
+            except APIError as exc:
+                self.client.fail(
+                    f"Can not remove the node from the Swarm Cluster: {exc}"
+                )
+        self.results["actions"].append("Node is removed from swarm cluster.")
+        self.differences.add("joined", parameter=False, active=True)
+        self.results["changed"] = True
+
+
+def _detect_remove_operation(client: AnsibleDockerSwarmClient) -> bool:
+    return client.module.params["state"] == "remove"
+
+
+def main() -> None:
+    # TODO: missing option log_driver?
+    argument_spec = {
+        "advertise_addr": {"type": "str"},
+        "data_path_addr": {"type": "str"},
+        "data_path_port": {"type": "int"},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "join", "absent", "remove"],
+        },
+        "force": {"type": "bool", "default": False},
+        "listen_addr": {"type": "str", "default": "0.0.0.0:2377"},
+        "remote_addrs": {"type": "list", "elements": "str"},
+        "join_token": {"type": "str", "no_log": True},
+        "snapshot_interval": {"type": "int"},
+        "task_history_retention_limit": {"type": "int"},
+        "keep_old_snapshots": {"type": "int"},
+        "log_entries_for_slow_followers": {"type": "int"},
+        "heartbeat_tick": {"type": "int"},
+        "election_tick": {"type": "int"},
+        "dispatcher_heartbeat_period": {"type": "int"},
+        "node_cert_expiry": {"type": "int"},
+        "name": {"type": "str"},
+        "labels": {"type": "dict"},
+        "signing_ca_cert": {"type": "str"},
+        "signing_ca_key": {"type": "str", "no_log": True},
+        "ca_force_rotate": {"type": "int"},
+        "autolock_managers": {"type": "bool"},
+        "node_id": {"type": "str"},
+        "rotate_worker_token": {"type": "bool", "default": False},
+        "rotate_manager_token": {"type": "bool", "default": False},
+        "default_addr_pool": {"type": "list", "elements": "str"},
+        "subnet_size": {"type": "int"},
+    }
+
+    required_if = [
+        ("state", "join", ["remote_addrs", "join_token"]),
+        ("state", "remove", ["node_id"]),
+    ]
+
+    option_minimal_versions = {
+        "labels": {"docker_py_version": "2.6.0", "docker_api_version": "1.32"},
+        "signing_ca_cert": {"docker_py_version": "2.6.0", "docker_api_version": "1.30"},
+        "signing_ca_key": {"docker_py_version": "2.6.0", "docker_api_version": "1.30"},
+        "ca_force_rotate": {"docker_py_version": "2.6.0", "docker_api_version": "1.30"},
+        "autolock_managers": {"docker_py_version": "2.6.0"},
+        "log_driver": {"docker_py_version": "2.6.0"},
+        "remove_operation": {
+            "docker_py_version": "2.4.0",
+            "detect_usage": _detect_remove_operation,
+            "usage_msg": "remove swarm nodes",
+        },
+        "default_addr_pool": {
+            "docker_py_version": "4.0.0",
+            "docker_api_version": "1.39",
+        },
+        "subnet_size": {"docker_py_version": "4.0.0", "docker_api_version": "1.39"},
+        "data_path_addr": {"docker_py_version": "4.0.0", "docker_api_version": "1.30"},
+        "data_path_port": {"docker_py_version": "6.0.0", "docker_api_version": "1.40"},
+    }
+
+    client = AnsibleDockerSwarmClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        required_if=required_if,
+        min_docker_version="2.0.0",
+        option_minimal_versions=option_minimal_versions,
+    )
+    sanitize_labels(client.module.params["labels"], "labels", client)
+
+    try:
+        results = {"changed": False, "result": "", "actions": []}
+
+        SwarmManager(client, results)()
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_swarm_info.py b/ansible_collections/community/docker/plugins/modules/docker_swarm_info.py
new file mode 100644
index 00000000..31cb4c87
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_swarm_info.py
@@ -0,0 +1,410 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2019 Piotr Wojciechowski <piotr@it-playground.pl>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_swarm_info
+
+short_description: Retrieves facts about Docker Swarm cluster
+
+description:
+  - Retrieves facts about a Docker Swarm.
+  - Returns lists of swarm objects names for the services - nodes, services, tasks.
+  - The output differs depending on API version available on docker host.
+  - Must be run on Swarm Manager node; otherwise module fails with error message. It does return boolean flags in on both
+    error and success which indicate whether the docker daemon can be communicated with, whether it is in Swarm mode, and
+    whether it is a Swarm Manager node.
+author:
+  - Piotr Wojciechowski (@WojciechowskiPiotr)
+
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  nodes:
+    description:
+      - Whether to list swarm nodes.
+    type: bool
+    default: false
+  nodes_filters:
+    description:
+      - A dictionary of filter values used for selecting nodes to list.
+      - 'For example, C(name: mynode).'
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/node_ls/#filtering) for more information
+        on possible filters.
+    type: dict
+  services:
+    description:
+      - Whether to list swarm services.
+    type: bool
+    default: false
+  services_filters:
+    description:
+      - A dictionary of filter values used for selecting services to list.
+      - 'For example, C(name: myservice).'
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/service_ls/#filtering) for more
+        information on possible filters.
+    type: dict
+  tasks:
+    description:
+      - Whether to list containers.
+    type: bool
+    default: false
+  tasks_filters:
+    description:
+      - A dictionary of filter values used for selecting tasks to list.
+      - 'For example, C(node: mynode-1).'
+      - See L(the docker documentation,https://docs.docker.com/engine/reference/commandline/service_ps/#filtering) for more
+        information on possible filters.
+    type: dict
+  unlock_key:
+    description:
+      - Whether to retrieve the swarm unlock key.
+    type: bool
+    default: false
+  verbose_output:
+    description:
+      - When set to V(true) and O(nodes), O(services), or O(tasks) is set to V(true), then the module output will contain
+        verbose information about objects matching the full output of API method.
+      - For details see the documentation of your version of Docker API at U(https://docs.docker.com/engine/api/).
+      - The verbose output in this module contains only subset of information returned by this info module for each type of
+        the objects.
+    type: bool
+    default: false
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.0.0"
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get info on Docker Swarm
+  community.docker.docker_swarm_info:
+  ignore_errors: true
+  register: result
+
+- name: Inform about basic flags
+  ansible.builtin.debug:
+    msg: |
+      Was able to talk to docker daemon: {{ result.can_talk_to_docker }}
+      Docker in Swarm mode: {{ result.docker_swarm_active }}
+      This is a Manager node: {{ result.docker_swarm_manager }}
+
+- name: Get info on Docker Swarm and list of registered nodes
+  community.docker.docker_swarm_info:
+    nodes: true
+  register: result
+
+- name: Get info on Docker Swarm and extended list of registered nodes
+  community.docker.docker_swarm_info:
+    nodes: true
+    verbose_output: true
+  register: result
+
+- name: Get info on Docker Swarm and filtered list of registered nodes
+  community.docker.docker_swarm_info:
+    nodes: true
+    nodes_filters:
+      name: mynode
+  register: result
+
+- name: Show swarm facts
+  ansible.builtin.debug:
+    var: result.swarm_facts
+
+- name: Get the swarm unlock key
+  community.docker.docker_swarm_info:
+    unlock_key: true
+  register: result
+
+- name: Print swarm unlock key
+  ansible.builtin.debug:
+    var: result.swarm_unlock_key
+"""
+
+RETURN = r"""
+can_talk_to_docker:
+  description:
+    - Will be V(true) if the module can talk to the docker daemon.
+  returned: both on success and on error
+  type: bool
+docker_swarm_active:
+  description:
+    - Will be V(true) if the module can talk to the docker daemon, and the docker daemon is in Swarm mode.
+  returned: both on success and on error
+  type: bool
+docker_swarm_manager:
+  description:
+    - Will be V(true) if the module can talk to the docker daemon, the docker daemon is in Swarm mode, and the current node
+      is a manager node.
+    - Only if this one is V(true), the module will not fail.
+  returned: both on success and on error
+  type: bool
+swarm_facts:
+  description:
+    - Facts representing the basic state of the docker Swarm cluster.
+    - Contains tokens to connect to the Swarm.
+  returned: always
+  type: dict
+swarm_unlock_key:
+  description:
+    - Contains the key needed to unlock the swarm.
+  returned: When O(unlock_key=true).
+  type: str
+nodes:
+  description:
+    - List of dict objects containing the basic information about each volume. Keys matches the C(docker node ls) output unless
+      O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(nodes=true)
+  type: list
+  elements: dict
+services:
+  description:
+    - List of dict objects containing the basic information about each volume. Keys matches the C(docker service ls) output
+      unless O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(services=true)
+  type: list
+  elements: dict
+tasks:
+  description:
+    - List of dict objects containing the basic information about each volume. Keys matches the C(docker service ps) output
+      unless O(verbose_output=true). See description for O(verbose_output).
+  returned: When O(tasks=true)
+  type: list
+  elements: dict
+"""
+
+import traceback
+import typing as t
+
+try:
+    from docker.errors import APIError, DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker_common
+    pass
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._swarm import (
+    AnsibleDockerSwarmClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+)
+
+
+class DockerSwarmManager(DockerBaseClass):
+    def __init__(
+        self, client: AnsibleDockerSwarmClient, results: dict[str, t.Any]
+    ) -> None:
+        super().__init__()
+
+        self.client = client
+        self.results = results
+        self.verbose_output = self.client.module.params["verbose_output"]
+
+        listed_objects: list[t.Literal["nodes", "tasks", "services"]] = [
+            "tasks",
+            "services",
+            "nodes",
+        ]
+
+        self.client.fail_task_if_not_swarm_manager()
+
+        self.results["swarm_facts"] = self.get_docker_swarm_facts()
+
+        for docker_object in listed_objects:
+            if self.client.module.params[docker_object]:
+                returned_name = docker_object
+                filter_name = docker_object + "_filters"
+                filters = clean_dict_booleans_for_docker_api(
+                    client.module.params.get(filter_name)
+                )
+                self.results[returned_name] = self.get_docker_items_list(
+                    docker_object, filters
+                )
+        if self.client.module.params["unlock_key"]:
+            self.results["swarm_unlock_key"] = self.get_docker_swarm_unlock_key()
+
+    def get_docker_swarm_facts(self) -> dict[str, t.Any]:
+        try:
+            return self.client.inspect_swarm()
+        except APIError as exc:
+            self.client.fail(f"Error inspecting docker swarm: {exc}")
+
+    def get_docker_items_list(
+        self,
+        docker_object: t.Literal["nodes", "tasks", "services"],
+        filters: dict[str, str],
+    ) -> list[dict[str, t.Any]]:
+        items_list: list[dict[str, t.Any]] = []
+
+        try:
+            if docker_object == "nodes":
+                items = self.client.nodes(filters=filters)
+            elif docker_object == "tasks":
+                items = self.client.tasks(filters=filters)
+            elif docker_object == "services":
+                items = self.client.services(filters=filters)
+            else:
+                raise ValueError(f"Invalid docker_object {docker_object}")
+        except APIError as exc:
+            self.client.fail(
+                f"Error inspecting docker swarm for object '{docker_object}': {exc}"
+            )
+
+        if self.verbose_output:
+            return items
+
+        for item in items:
+            item_record = {}
+
+            if docker_object == "nodes":
+                item_record = self.get_essential_facts_nodes(item)
+            elif docker_object == "tasks":
+                item_record = self.get_essential_facts_tasks(item)
+            elif docker_object == "services":
+                item_record = self.get_essential_facts_services(item)
+                if item_record.get("Mode") == "Global":
+                    item_record["Replicas"] = len(items)
+            items_list.append(item_record)
+
+        return items_list
+
+    @staticmethod
+    def get_essential_facts_nodes(item: dict[str, t.Any]) -> dict[str, t.Any]:
+        object_essentials = {}
+
+        object_essentials["ID"] = item.get("ID")
+        object_essentials["Hostname"] = item["Description"]["Hostname"]
+        object_essentials["Status"] = item["Status"]["State"]
+        object_essentials["Availability"] = item["Spec"]["Availability"]
+        if "ManagerStatus" in item:
+            object_essentials["ManagerStatus"] = item["ManagerStatus"]["Reachability"]
+            if (
+                "Leader" in item["ManagerStatus"]
+                and item["ManagerStatus"]["Leader"] is True
+            ):
+                object_essentials["ManagerStatus"] = "Leader"
+        else:
+            object_essentials["ManagerStatus"] = None
+        object_essentials["EngineVersion"] = item["Description"]["Engine"][
+            "EngineVersion"
+        ]
+
+        return object_essentials
+
+    def get_essential_facts_tasks(self, item: dict[str, t.Any]) -> dict[str, t.Any]:
+        object_essentials = {}
+
+        object_essentials["ID"] = item["ID"]
+        # Returning container ID to not trigger another connection to host
+        # Container ID is sufficient to get extended info in other tasks
+        object_essentials["ContainerID"] = item["Status"]["ContainerStatus"][
+            "ContainerID"
+        ]
+        object_essentials["Image"] = item["Spec"]["ContainerSpec"]["Image"]
+        object_essentials["Node"] = self.client.get_node_name_by_id(item["NodeID"])
+        object_essentials["DesiredState"] = item["DesiredState"]
+        object_essentials["CurrentState"] = item["Status"]["State"]
+        if "Err" in item["Status"]:
+            object_essentials["Error"] = item["Status"]["Err"]
+        else:
+            object_essentials["Error"] = None
+
+        return object_essentials
+
+    @staticmethod
+    def get_essential_facts_services(item: dict[str, t.Any]) -> dict[str, t.Any]:
+        object_essentials = {}
+
+        object_essentials["ID"] = item["ID"]
+        object_essentials["Name"] = item["Spec"]["Name"]
+        if "Replicated" in item["Spec"]["Mode"]:
+            object_essentials["Mode"] = "Replicated"
+            object_essentials["Replicas"] = item["Spec"]["Mode"]["Replicated"][
+                "Replicas"
+            ]
+        elif "Global" in item["Spec"]["Mode"]:
+            object_essentials["Mode"] = "Global"
+            # Number of replicas have to be updated in calling method or may be left as None
+            object_essentials["Replicas"] = None
+        object_essentials["Image"] = item["Spec"]["TaskTemplate"]["ContainerSpec"][
+            "Image"
+        ]
+        if item["Spec"].get("EndpointSpec") and "Ports" in item["Spec"]["EndpointSpec"]:
+            object_essentials["Ports"] = item["Spec"]["EndpointSpec"]["Ports"]
+        else:
+            object_essentials["Ports"] = []
+
+        return object_essentials
+
+    def get_docker_swarm_unlock_key(self) -> str | None:
+        unlock_key = self.client.get_unlock_key() or {}
+        return unlock_key.get("UnlockKey") or None
+
+
+def main() -> None:
+    argument_spec = {
+        "nodes": {"type": "bool", "default": False},
+        "nodes_filters": {"type": "dict"},
+        "tasks": {"type": "bool", "default": False},
+        "tasks_filters": {"type": "dict"},
+        "services": {"type": "bool", "default": False},
+        "services_filters": {"type": "dict"},
+        "unlock_key": {"type": "bool", "default": False},
+        "verbose_output": {"type": "bool", "default": False},
+    }
+    option_minimal_versions = {
+        "unlock_key": {"docker_py_version": "2.7.0"},
+    }
+
+    client = AnsibleDockerSwarmClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        min_docker_version="2.0.0",
+        option_minimal_versions=option_minimal_versions,
+        fail_results={
+            "can_talk_to_docker": False,
+            "docker_swarm_active": False,
+            "docker_swarm_manager": False,
+        },
+    )
+    client.fail_results["can_talk_to_docker"] = True
+    client.fail_results["docker_swarm_active"] = client.check_if_swarm_node()
+    client.fail_results["docker_swarm_manager"] = client.check_if_swarm_manager()
+
+    try:
+        results = {
+            "changed": False,
+        }
+
+        DockerSwarmManager(client, results)
+        results.update(client.fail_results)
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_swarm_service.py b/ansible_collections/community/docker/plugins/modules/docker_swarm_service.py
new file mode 100644
index 00000000..342a3b65
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_swarm_service.py
@@ -0,0 +1,3020 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2017, Dario Zanzico (git@dariozanzico.com)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_swarm_service
+author:
+  - "Dario Zanzico (@dariko)"
+  - "Jason Witkowski (@jwitko)"
+  - "Hannes Ljungberg (@hannseman)"
+  - "Piotr Wojciechowski (@wojciechowskipiotr)"
+short_description: docker swarm service
+description:
+  - Manages docker services through a swarm manager node.
+  - This modules does not support updating services in a stack.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: full
+
+options:
+  args:
+    description:
+      - List arguments to be passed to the container.
+      - Corresponds to the C(ARG) parameter of C(docker service create).
+    type: list
+    elements: str
+  command:
+    description:
+      - Command to execute when the container starts.
+      - A command may be either a string or a list or a list of strings.
+      - Corresponds to the C(COMMAND) parameter of C(docker service create).
+    type: raw
+  configs:
+    description:
+      - List of dictionaries describing the service configs.
+      - Corresponds to the C(--config) option of C(docker service create).
+      - Requires API version >= 1.30.
+    type: list
+    elements: dict
+    suboptions:
+      config_id:
+        description:
+          - Config's ID.
+        type: str
+      config_name:
+        description:
+          - Config's name as defined at its creation.
+        type: str
+        required: true
+      filename:
+        description:
+          - Name of the file containing the config. Defaults to the O(configs[].config_name) if not specified.
+        type: str
+      uid:
+        description:
+          - UID of the config file's owner.
+        type: str
+      gid:
+        description:
+          - GID of the config file's group.
+        type: str
+      mode:
+        description:
+          - File access mode inside the container. Must be an octal number (like V(0644) or V(0444)).
+        type: int
+  container_labels:
+    description:
+      - Dictionary of key value pairs.
+      - Corresponds to the C(--container-label) option of C(docker service create).
+    type: dict
+  sysctls:
+    description:
+      - Dictionary of key, value pairs.
+    version_added: 3.10.0
+    type: dict
+  dns:
+    description:
+      - List of custom DNS servers.
+      - Corresponds to the C(--dns) option of C(docker service create).
+    type: list
+    elements: str
+  dns_search:
+    description:
+      - List of custom DNS search domains.
+      - Corresponds to the C(--dns-search) option of C(docker service create).
+    type: list
+    elements: str
+  dns_options:
+    description:
+      - List of custom DNS options.
+      - Corresponds to the C(--dns-option) option of C(docker service create).
+    type: list
+    elements: str
+  endpoint_mode:
+    description:
+      - Service endpoint mode.
+      - Corresponds to the C(--endpoint-mode) option of C(docker service create).
+    type: str
+    choices:
+      - vip
+      - dnsrr
+  env:
+    description:
+      - List or dictionary of the service environment variables.
+      - If passed a list each items need to be in the format of C(KEY=VALUE).
+      - If passed a dictionary values which might be parsed as numbers, booleans or other types by the YAML parser must be
+        quoted (for example V("true")) in order to avoid data loss.
+      - Corresponds to the C(--env) option of C(docker service create).
+    type: raw
+  env_files:
+    description:
+      - List of paths to files, present on the target, containing environment variables C(FOO=BAR).
+      - The order of the list is significant in determining the value assigned to a variable that shows up more than once.
+      - If variable also present in O(env), then O(env) value will override.
+    type: list
+    elements: path
+  force_update:
+    description:
+      - Force update even if no changes require it.
+      - Corresponds to the C(--force) option of C(docker service update).
+    type: bool
+    default: false
+  groups:
+    description:
+      - List of additional group names and/or IDs that the container process will run as.
+      - Corresponds to the C(--group) option of C(docker service update).
+    type: list
+    elements: str
+  healthcheck:
+    description:
+      - Configure a check that is run to determine whether or not containers for this service are "healthy". See the docs
+        for the L(HEALTHCHECK Dockerfile instruction,https://docs.docker.com/engine/reference/builder/#healthcheck) for details
+        on how healthchecks work.
+      - 'O(healthcheck.interval), O(healthcheck.timeout), and O(healthcheck.start_period) are specified as durations. They
+        accept duration as a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are
+        V(us), V(ms), V(s), V(m) and V(h).'
+    type: dict
+    suboptions:
+      test:
+        description:
+          - Command to run to check health.
+          - Must be either a string or a list. If it is a list, the first item must be one of V(NONE), V(CMD) or V(CMD-SHELL).
+        type: raw
+      interval:
+        description:
+          - Time between running the check.
+        type: str
+      timeout:
+        description:
+          - Maximum time to allow one check to run.
+        type: str
+      retries:
+        description:
+          - Consecutive failures needed to report unhealthy. It accept integer value.
+        type: int
+      start_period:
+        description:
+          - Start period for the container to initialize before starting health-retries countdown.
+        type: str
+  hostname:
+    description:
+      - Container hostname.
+      - Corresponds to the C(--hostname) option of C(docker service create).
+    type: str
+  hosts:
+    description:
+      - Dict of host-to-IP mappings, where each host name is a key in the dictionary. Each host name will be added to the
+        container's /etc/hosts file.
+      - Corresponds to the C(--host) option of C(docker service create).
+    type: dict
+  image:
+    description:
+      - Service image path and tag.
+      - Corresponds to the C(IMAGE) parameter of C(docker service create).
+    type: str
+  init:
+    description:
+      - Use an init inside each service container to forward signals and reap processes.
+      - Corresponds to the C(--init) option of C(docker service create).
+      - Requires API version >= 1.37.
+    type: bool
+  labels:
+    description:
+      - Dictionary of key value pairs.
+      - Corresponds to the C(--label) option of C(docker service create).
+    type: dict
+  limits:
+    description:
+      - Configures service resource limits.
+    suboptions:
+      cpus:
+        description:
+          - Service CPU limit. V(0) equals no limit.
+          - Corresponds to the C(--limit-cpu) option of C(docker service create).
+        type: float
+      memory:
+        description:
+          - Service memory limit in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte), V(K)
+            (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+          - V(0) equals no limit.
+          - Omitting the unit defaults to bytes.
+          - Corresponds to the C(--limit-memory) option of C(docker service create).
+        type: str
+    type: dict
+  logging:
+    description:
+      - Logging configuration for the service.
+    suboptions:
+      driver:
+        description:
+          - Configure the logging driver for a service.
+          - Corresponds to the C(--log-driver) option of C(docker service create).
+        type: str
+      options:
+        description:
+          - Options for service logging driver.
+          - Corresponds to the C(--log-opt) option of C(docker service create).
+        type: dict
+    type: dict
+  mode:
+    description:
+      - Service replication mode.
+      - Service will be removed and recreated when changed.
+      - Corresponds to the C(--mode) option of C(docker service create).
+      - The value V(replicated-job) was added in community.docker 4.7.0, and requires API version >= 1.41 and Docker SDK for Python >= 6.0.0.
+    type: str
+    default: replicated
+    choices:
+      - replicated
+      - global
+      - replicated-job
+  mounts:
+    description:
+      - List of dictionaries describing the service mounts.
+      - Corresponds to the C(--mount) option of C(docker service create).
+    type: list
+    elements: dict
+    suboptions:
+      source:
+        description:
+          - Mount source (for example a volume name or a host path).
+          - Must be specified if O(mounts[].type) is not V(tmpfs).
+        type: str
+      target:
+        description:
+          - Container path.
+        type: str
+        required: true
+      type:
+        description:
+          - The mount type.
+          - Note that V(npipe) is only supported by Docker for Windows. Also note that V(npipe) was added in Ansible 2.9.
+        type: str
+        default: bind
+        choices:
+          - bind
+          - volume
+          - tmpfs
+          - npipe
+      readonly:
+        description:
+          - Whether the mount should be read-only.
+        type: bool
+      labels:
+        description:
+          - Volume labels to apply.
+        type: dict
+      propagation:
+        description:
+          - The propagation mode to use.
+          - Can only be used when O(mounts[].type=bind).
+        type: str
+        choices:
+          - shared
+          - slave
+          - private
+          - rshared
+          - rslave
+          - rprivate
+      no_copy:
+        description:
+          - Disable copying of data from a container when a volume is created.
+          - Can only be used when O(mounts[].type=volume).
+        type: bool
+      driver_config:
+        description:
+          - Volume driver configuration.
+          - Can only be used when O(mounts[].type=volume).
+        suboptions:
+          name:
+            description:
+              - Name of the volume-driver plugin to use for the volume.
+            type: str
+          options:
+            description:
+              - Options as key-value pairs to pass to the driver for this volume.
+            type: dict
+        type: dict
+      tmpfs_size:
+        description:
+          - Size of the tmpfs mount in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte),
+            V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+          - Can only be used when O(mounts[].type=tmpfs).
+        type: str
+      tmpfs_mode:
+        description:
+          - File mode of the tmpfs in octal.
+          - Can only be used when O(mounts[].type=tmpfs).
+        type: int
+  name:
+    description:
+      - Service name.
+      - Corresponds to the C(--name) option of C(docker service create).
+    type: str
+    required: true
+  networks:
+    description:
+      - List of the service networks names or dictionaries.
+      - When passed dictionaries valid sub-options are C(name), which is required, and C(aliases) and C(options).
+      - Prior to API version 1.29, updating and removing networks is not supported. If changes are made the service will then
+        be removed and recreated.
+      - Corresponds to the C(--network) option of C(docker service create).
+    type: list
+    elements: raw
+  placement:
+    description:
+      - Configures service placement preferences and constraints.
+    suboptions:
+      constraints:
+        description:
+          - List of the service constraints.
+          - Corresponds to the C(--constraint) option of C(docker service create).
+        type: list
+        elements: str
+      preferences:
+        description:
+          - List of the placement preferences as key value pairs.
+          - Corresponds to the C(--placement-pref) option of C(docker service create).
+          - Requires API version >= 1.27.
+        type: list
+        elements: dict
+      replicas_max_per_node:
+        description:
+          - Maximum number of tasks per node.
+          - Corresponds to the C(--replicas_max_per_node) option of C(docker service create).
+          - Requires API version >= 1.40.
+        type: int
+        version_added: 1.3.0
+    type: dict
+  publish:
+    description:
+      - List of dictionaries describing the service published ports.
+      - Corresponds to the C(--publish) option of C(docker service create).
+    type: list
+    elements: dict
+    suboptions:
+      published_port:
+        description:
+          - The port to make externally available.
+        type: int
+        required: false
+      target_port:
+        description:
+          - The port inside the container to expose.
+        type: int
+        required: true
+      protocol:
+        description:
+          - What protocol to use.
+        type: str
+        default: tcp
+        choices:
+          - tcp
+          - udp
+      mode:
+        description:
+          - What publish mode to use.
+          - Requires API version >= 1.32.
+        type: str
+        choices:
+          - ingress
+          - host
+  read_only:
+    description:
+      - Mount the containers root filesystem as read only.
+      - Corresponds to the C(--read-only) option of C(docker service create).
+    type: bool
+  replicas:
+    description:
+      - Number of containers instantiated in the service. Valid only if O(mode=replicated) or O(mode=replicated-job).
+      - If set to V(-1), and service is not present, service replicas will be set to V(1).
+      - If set to V(-1), and service is present, service replicas will be unchanged.
+      - Corresponds to the C(--replicas) option of C(docker service create).
+    type: int
+    default: -1
+  reservations:
+    description:
+      - Configures service resource reservations.
+    suboptions:
+      cpus:
+        description:
+          - Service CPU reservation. V(0) equals no reservation.
+          - Corresponds to the C(--reserve-cpu) option of C(docker service create).
+        type: float
+      memory:
+        description:
+          - Service memory reservation in format C(<number>[<unit>]). Number is a positive integer. Unit can be V(B) (byte),
+            V(K) (kibibyte, 1024B), V(M) (mebibyte), V(G) (gibibyte), V(T) (tebibyte), or V(P) (pebibyte).
+          - V(0) equals no reservation.
+          - Omitting the unit defaults to bytes.
+          - Corresponds to the C(--reserve-memory) option of C(docker service create).
+        type: str
+    type: dict
+  resolve_image:
+    description:
+      - If the current image digest should be resolved from registry and updated if changed.
+      - Requires API version >= 1.30.
+    type: bool
+    default: false
+  restart_config:
+    description:
+      - Configures if and how to restart containers when they exit.
+    suboptions:
+      condition:
+        description:
+          - Restart condition of the service.
+          - Corresponds to the C(--restart-condition) option of C(docker service create).
+        type: str
+        choices:
+          - none
+          - on-failure
+          - any
+      delay:
+        description:
+          - Delay between restarts.
+          - 'Accepts a a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--restart-delay) option of C(docker service create).
+        type: str
+      max_attempts:
+        description:
+          - Maximum number of service restarts.
+          - Corresponds to the C(--restart-condition) option of C(docker service create).
+        type: int
+      window:
+        description:
+          - Restart policy evaluation window.
+          - 'Accepts a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--restart-window) option of C(docker service create).
+        type: str
+    type: dict
+  rollback_config:
+    description:
+      - Configures how the service should be rolled back in case of a failing update.
+    suboptions:
+      parallelism:
+        description:
+          - The number of containers to rollback at a time. If set to 0, all containers rollback simultaneously.
+          - Corresponds to the C(--rollback-parallelism) option of C(docker service create).
+          - Requires API version >= 1.28.
+        type: int
+      delay:
+        description:
+          - Delay between task rollbacks.
+          - 'Accepts a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--rollback-delay) option of C(docker service create).
+          - Requires API version >= 1.28.
+        type: str
+      failure_action:
+        description:
+          - Action to take in case of rollback failure.
+          - Corresponds to the C(--rollback-failure-action) option of C(docker service create).
+          - Requires API version >= 1.28.
+        type: str
+        choices:
+          - continue
+          - pause
+      monitor:
+        description:
+          - Duration after each task rollback to monitor for failure.
+          - 'Accepts a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--rollback-monitor) option of C(docker service create).
+          - Requires API version >= 1.28.
+        type: str
+      max_failure_ratio:
+        description:
+          - Fraction of tasks that may fail during a rollback.
+          - Corresponds to the C(--rollback-max-failure-ratio) option of C(docker service create).
+          - Requires API version >= 1.28.
+        type: float
+      order:
+        description:
+          - Specifies the order of operations during rollbacks.
+          - Corresponds to the C(--rollback-order) option of C(docker service create).
+          - Requires API version >= 1.29.
+        type: str
+    type: dict
+  secrets:
+    description:
+      - List of dictionaries describing the service secrets.
+      - Corresponds to the C(--secret) option of C(docker service create).
+    type: list
+    elements: dict
+    suboptions:
+      secret_id:
+        description:
+          - Secret's ID.
+        type: str
+      secret_name:
+        description:
+          - Secret's name as defined at its creation.
+        type: str
+        required: true
+      filename:
+        description:
+          - Name of the file containing the secret. Defaults to the O(secrets[].secret_name) if not specified.
+          - Corresponds to the C(target) key of C(docker service create --secret).
+        type: str
+      uid:
+        description:
+          - UID of the secret file's owner.
+        type: str
+      gid:
+        description:
+          - GID of the secret file's group.
+        type: str
+      mode:
+        description:
+          - File access mode inside the container. Must be an octal number (like V(0644) or V(0444)).
+        type: int
+  state:
+    description:
+      - V(absent) - A service matching the specified name will be removed and have its tasks stopped.
+      - V(present) - Asserts the existence of a service matching the name and provided configuration parameters. Unspecified
+        configuration parameters will be set to docker defaults.
+    type: str
+    default: present
+    choices:
+      - present
+      - absent
+  stop_grace_period:
+    description:
+      - Time to wait before force killing a container.
+      - 'Accepts a duration as a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us),
+        V(ms), V(s), V(m) and V(h).'
+      - Corresponds to the C(--stop-grace-period) option of C(docker service create).
+    type: str
+  stop_signal:
+    description:
+      - Override default signal used to stop the container.
+      - Corresponds to the C(--stop-signal) option of C(docker service create).
+    type: str
+  tty:
+    description:
+      - Allocate a pseudo-TTY.
+      - Corresponds to the C(--tty) option of C(docker service create).
+    type: bool
+  update_config:
+    description:
+      - Configures how the service should be updated. Useful for configuring rolling updates.
+    suboptions:
+      parallelism:
+        description:
+          - Rolling update parallelism.
+          - Corresponds to the C(--update-parallelism) option of C(docker service create).
+        type: int
+      delay:
+        description:
+          - Rolling update delay.
+          - 'Accepts a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--update-delay) option of C(docker service create).
+        type: str
+      failure_action:
+        description:
+          - Action to take in case of container failure.
+          - Corresponds to the C(--update-failure-action) option of C(docker service create).
+          - Usage of V(rollback) requires API version >= 1.29.
+        type: str
+        choices:
+          - continue
+          - pause
+          - rollback
+      monitor:
+        description:
+          - Time to monitor updated tasks for failures.
+          - 'Accepts a string in a format that look like: V(5h34m56s), V(1m30s), and so on. The supported units are V(us), V(ms),
+            V(s), V(m) and V(h).'
+          - Corresponds to the C(--update-monitor) option of C(docker service create).
+        type: str
+      max_failure_ratio:
+        description:
+          - Fraction of tasks that may fail during an update before the failure action is invoked.
+          - Corresponds to the C(--update-max-failure-ratio) option of C(docker service create).
+        type: float
+      order:
+        description:
+          - Specifies the order of operations when rolling out an updated task.
+          - Corresponds to the C(--update-order) option of C(docker service create).
+          - Requires API version >= 1.29.
+        type: str
+    type: dict
+  user:
+    description:
+      - Sets the username or UID used for the specified command.
+      - Before Ansible 2.8, the default value for this option was V(root).
+      - The default has been removed so that the user defined in the image is used if no user is specified here.
+      - Corresponds to the C(--user) option of C(docker service create).
+    type: str
+  working_dir:
+    description:
+      - Path to the working directory.
+      - Corresponds to the C(--workdir) option of C(docker service create).
+    type: str
+  cap_add:
+    description:
+      - List of capabilities to add to the container.
+      - Requires API version >= 1.41.
+    type: list
+    elements: str
+    version_added: 2.2.0
+  cap_drop:
+    description:
+      - List of capabilities to drop from the container.
+      - Requires API version >= 1.41.
+    type: list
+    elements: str
+    version_added: 2.2.0
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.0.2"
+  - "Docker API >= 1.25"
+notes:
+  - Images will only resolve to the latest digest when using Docker API >= 1.30 and Docker SDK for Python >= 3.2.0. When using
+    older versions use O(force_update=true) to trigger the swarm to resolve a new image.
+"""
+
+RETURN = r"""
+swarm_service:
+  returned: always
+  type: dict
+  description:
+    - Dictionary of variables representing the current state of the service. Matches the module parameters format.
+    - Note that facts are not part of registered vars but accessible directly.
+    - Note that before Ansible 2.7.9, the return variable was documented as C(ansible_swarm_service), while the module actually
+      returned a variable called C(ansible_docker_service). The variable was renamed to RV(swarm_service) in both code and
+      documentation for Ansible 2.7.9 and Ansible 2.8.0. In Ansible 2.7.x, the old name C(ansible_docker_service) can still
+      be used.
+  sample: '{ "args": [ "3600" ], "cap_add": null, "cap_drop": [ "ALL" ], "command": [ "sleep" ], "configs": null, "constraints":
+    [ "node.role == manager", "engine.labels.operatingsystem == ubuntu 14.04" ], "container_labels": null, "sysctls": null,
+    "dns": null, "dns_options": null, "dns_search": null, "endpoint_mode": null, "env": [ "ENVVAR1=envvar1", "ENVVAR2=envvar2"
+    ], "force_update": null, "groups": null, "healthcheck": { "interval": 90000000000, "retries": 3, "start_period": 30000000000,
+    "test": [ "CMD", "curl", "--fail", "http://nginx.host.com" ], "timeout": 10000000000 }, "healthcheck_disabled": false,
+    "hostname": null, "hosts": null, "image": "alpine:latest@sha256:b3dbf31b77fd99d9c08f780ce6f5282aba076d70a513a8be859d8d3a4d0c92b8",
+    "labels": { "com.example.department": "Finance", "com.example.description": "Accounting webapp" }, "limit_cpu": 0.5, "limit_memory":
+    52428800, "log_driver": "fluentd", "log_driver_options": { "fluentd-address": "127.0.0.1:24224", "fluentd-async-connect":
+    "true", "tag": "myservice" }, "mode": "replicated", "mounts": [ { "readonly": false, "source": "/tmp/", "target": "/remote_tmp/",
+    "type": "bind", "labels": null, "propagation": null, "no_copy": null, "driver_config": null, "tmpfs_size": null, "tmpfs_mode":
+    null } ], "networks": null, "placement_preferences": [ { "spread": "node.labels.mylabel" } ], "publish": null, "read_only":
+    null, "replicas": 1, "replicas_max_per_node": 1, "reserve_cpu": 0.25, "reserve_memory": 20971520, "restart_policy": "on-failure",
+    "restart_policy_attempts": 3, "restart_policy_delay": 5000000000, "restart_policy_window": 120000000000, "secrets": null,
+    "stop_grace_period": null, "stop_signal": null, "tty": null, "update_delay": 10000000000, "update_failure_action": null,
+    "update_max_failure_ratio": null, "update_monitor": null, "update_order": "stop-first", "update_parallelism": 2, "user":
+    null, "working_dir": null }'
+changes:
+  returned: always
+  description:
+    - List of changed service attributes if a service has been altered, [] otherwise.
+  type: list
+  elements: str
+  sample: ['container_labels', 'replicas']
+rebuilt:
+  returned: always
+  description:
+    - True if the service has been recreated (removed and created).
+  type: bool
+  sample: true
+"""
+
+EXAMPLES = r"""
+---
+- name: Set command and arguments
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    command: sleep
+    args:
+      - "3600"
+
+- name: Set a bind mount
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    mounts:
+      - source: /tmp/
+        target: /remote_tmp/
+        type: bind
+
+- name: Set service labels
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    labels:
+      com.example.description: "Accounting webapp"
+      com.example.department: "Finance"
+
+- name: Set environment variables
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    env:
+      ENVVAR1: envvar1
+      ENVVAR2: envvar2
+    env_files:
+      - envs/common.env
+      - envs/apps/web.env
+
+- name: Set fluentd logging
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    logging:
+      driver: fluentd
+      options:
+        fluentd-address: "127.0.0.1:24224"
+        fluentd-async-connect: "true"
+        tag: myservice
+
+- name: Set restart policies
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    restart_config:
+      condition: on-failure
+      delay: 5s
+      max_attempts: 3
+      window: 120s
+
+- name: Set update config
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    update_config:
+      parallelism: 2
+      delay: 10s
+      order: stop-first
+
+- name: Set rollback config
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine
+    update_config:
+      failure_action: rollback
+    rollback_config:
+      parallelism: 2
+      delay: 10s
+      order: stop-first
+
+- name: Set placement preferences
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    placement:
+      preferences:
+        - spread: node.labels.mylabel
+      constraints:
+        - node.role == manager
+        - engine.labels.operatingsystem == ubuntu 14.04
+      replicas_max_per_node: 2
+
+- name: Set configs
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    configs:
+      - config_name: myconfig_name
+        filename: "/tmp/config.txt"
+
+- name: Set networks
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    networks:
+      - mynetwork
+
+- name: Set networks as a dictionary
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    networks:
+      - name: "mynetwork"
+        aliases:
+          - "mynetwork_alias"
+        options:
+          foo: bar
+
+- name: Set secrets
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    secrets:
+      - secret_name: mysecret_name
+        filename: "/run/secrets/secret.txt"
+
+- name: Start service with healthcheck
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: nginx:1.13
+    healthcheck:
+      # Check if nginx server is healthy by curl'ing the server.
+      # If this fails or timeouts, the healthcheck fails.
+      test: ["CMD", "curl", "--fail", "http://nginx.host.com"]
+      interval: 1m30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+- name: Configure service resources
+  community.docker.docker_swarm_service:
+    name: myservice
+    image: alpine:edge
+    reservations:
+      cpus: 0.25
+      memory: 20M
+    limits:
+      cpus: 0.50
+      memory: 50M
+
+- name: Remove service
+  community.docker.docker_swarm_service:
+    name: myservice
+    state: absent
+"""
+
+import shlex
+import time
+import traceback
+import typing as t
+
+from ansible.module_utils.basic import human_to_bytes
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+    clean_dict_booleans_for_docker_api,
+    convert_duration_to_nanosecond,
+    parse_healthcheck,
+    sanitize_labels,
+)
+from ansible_collections.community.docker.plugins.module_utils._version import (
+    LooseVersion,
+)
+
+try:
+    from docker import types
+    from docker.errors import (
+        APIError,
+        DockerException,
+        NotFound,
+    )
+    from docker.utils import (
+        format_environment,
+        parse_env_file,
+        parse_repository_tag,
+    )
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+
+def get_docker_environment(
+    env: str | dict[str, t.Any] | list[t.Any] | None, env_files: list[str] | None
+) -> list[str] | None:
+    """
+    Will return a list of "KEY=VALUE" items. Supplied env variable can
+    be either a list or a dictionary.
+
+    If environment files are combined with explicit environment variables,
+    the explicit environment variables take precedence.
+    """
+    env_dict: dict[str, str] = {}
+    if env_files:
+        for env_file in env_files:
+            parsed_env_file = parse_env_file(env_file)
+            for name, value in parsed_env_file.items():
+                env_dict[name] = str(value)
+    if env is not None and isinstance(env, str):
+        env = env.split(",")
+    if env is not None and isinstance(env, dict):
+        for name, value in env.items():
+            if not isinstance(value, str):
+                raise ValueError(
+                    "Non-string value found for env option. Ambiguous env options must be "
+                    "wrapped in quotes to avoid them being interpreted when directly specified "
+                    "in YAML, or explicitly converted to strings when the option is templated. "
+                    f"Key: {name}"
+                )
+            env_dict[name] = str(value)
+    elif env is not None and isinstance(env, list):
+        for item in env:
+            try:
+                name, value = item.split("=", 1)
+            except ValueError as exc:
+                raise ValueError(
+                    "Invalid environment variable found in list, needs to be in format KEY=VALUE."
+                ) from exc
+            env_dict[name] = value
+    elif env is not None:
+        raise ValueError(
+            f"Invalid type for env {env} ({type(env)}). Only list or dict allowed."
+        )
+    env_list = format_environment(env_dict)
+    if not env_list:
+        if env is not None or env_files is not None:
+            return []
+        return None
+    return sorted(env_list)
+
+
+@t.overload
+def get_docker_networks(
+    networks: list[str | dict[str, t.Any]], network_ids: dict[str, str]
+) -> list[dict[str, t.Any]]: ...
+
+
+@t.overload
+def get_docker_networks(
+    networks: list[str | dict[str, t.Any]] | None, network_ids: dict[str, str]
+) -> list[dict[str, t.Any]] | None: ...
+
+
+def get_docker_networks(
+    networks: list[str | dict[str, t.Any]] | None, network_ids: dict[str, str]
+) -> list[dict[str, t.Any]] | None:
+    """
+    Validate a list of network names or a list of network dictionaries.
+    Network names will be resolved to ids by using the network_ids mapping.
+    """
+    if networks is None:
+        return None
+    parsed_networks = []
+    for network in networks:
+        parsed_network: dict[str, t.Any]
+        if isinstance(network, str):
+            parsed_network = {"name": network}
+        elif isinstance(network, dict):
+            if "name" not in network:
+                raise TypeError(
+                    '"name" is required when networks are passed as dictionaries.'
+                )
+            name = network.pop("name")
+            parsed_network = {"name": name}
+            aliases = network.pop("aliases", None)
+            if aliases is not None:
+                if not isinstance(aliases, list):
+                    raise TypeError(
+                        '"aliases" network option is only allowed as a list'
+                    )
+                if not all(isinstance(alias, str) for alias in aliases):
+                    raise TypeError("Only strings are allowed as network aliases.")
+                parsed_network["aliases"] = aliases
+            options = network.pop("options", None)
+            if options is not None:
+                if not isinstance(options, dict):
+                    raise TypeError("Only dict is allowed as network options.")
+                parsed_network["options"] = clean_dict_booleans_for_docker_api(options)
+            # Check if any invalid keys left
+            if network:
+                invalid_keys = ", ".join(network.keys())
+                raise TypeError(
+                    f"{invalid_keys} are not valid keys for the networks option"
+                )
+
+        else:
+            raise TypeError(
+                "Only a list of strings or dictionaries are allowed to be passed as networks."
+            )
+        network_name = parsed_network.pop("name")
+        try:
+            parsed_network["id"] = network_ids[network_name]
+        except KeyError as e:
+            raise ValueError(f"Could not find a network named: {e}.") from None
+        parsed_networks.append(parsed_network)
+    return parsed_networks or []
+
+
+def get_nanoseconds_from_raw_option(name: str, value: t.Any) -> int | None:
+    if value is None:
+        return None
+    if isinstance(value, int):
+        return value
+    if isinstance(value, str):
+        try:
+            return int(value)
+        except ValueError:
+            return convert_duration_to_nanosecond(value)
+    raise ValueError(
+        f"Invalid type for {name} {value} ({type(value)}). Only string or int allowed."
+    )
+
+
+def get_value(key: str, values: dict[str, t.Any], default: t.Any = None) -> t.Any:
+    value = values.get(key)
+    return value if value is not None else default
+
+
+def has_dict_changed(
+    new_dict: dict[str, t.Any] | None, old_dict: dict[str, t.Any] | None
+) -> bool:
+    """
+    Check if new_dict has differences compared to old_dict while
+    ignoring keys in old_dict which are None in new_dict.
+    """
+    if new_dict is None:
+        return False
+    if not new_dict and old_dict:
+        return True
+    if not old_dict and new_dict:
+        return True
+    if old_dict is None:
+        # in this case new_dict is empty, only the type checker didn't notice
+        return False
+    defined_options = {
+        option: value for option, value in new_dict.items() if value is not None
+    }
+    for option, value in defined_options.items():
+        old_value = old_dict.get(option)
+        if not value and not old_value:
+            continue
+        if value != old_value:
+            return True
+    return False
+
+
+def has_list_changed(
+    new_list: list[t.Any] | None,
+    old_list: list[t.Any] | None,
+    sort_lists: bool = True,
+    sort_key: str | None = None,
+) -> bool:
+    """
+    Check two lists have differences. Sort lists by default.
+    """
+
+    def sort_list(unsorted_list: list[t.Any]) -> list[t.Any]:
+        """
+        Sort a given list.
+        The list may contain dictionaries, so use the sort key to handle them.
+        """
+
+        if unsorted_list and isinstance(unsorted_list[0], dict):
+            if not sort_key:
+                raise ValueError("A sort key was not specified when sorting list")
+            return sorted(unsorted_list, key=lambda k: k[sort_key])
+
+        # Either the list is empty or does not contain dictionaries
+        try:
+            return sorted(unsorted_list)
+        except TypeError:
+            return unsorted_list
+
+    if new_list is None:
+        return False
+    old_list = old_list or []
+    if len(new_list) != len(old_list):
+        return True
+
+    if sort_lists:
+        zip_data = zip(sort_list(new_list), sort_list(old_list))
+    else:
+        zip_data = zip(new_list, old_list)
+    for new_item, old_item in zip_data:
+        is_same_type = type(  # noqa: E721, pylint: disable=unidiomatic-typecheck
+            new_item
+        ) == type(  # noqa: E721, pylint: disable=unidiomatic-typecheck
+            old_item
+        )
+        if not is_same_type:
+            if isinstance(new_item, str) and isinstance(old_item, str):
+                # Even though the types are different between these items,
+                # they are both strings. Try matching on the same string type.
+                try:
+                    new_item_type = type(new_item)
+                    old_item_casted = new_item_type(old_item)
+                    if new_item != old_item_casted:
+                        return True
+                    continue
+                except UnicodeEncodeError:
+                    # Fallback to assuming the strings are different
+                    return True
+            else:
+                return True
+        if isinstance(new_item, dict):
+            if has_dict_changed(new_item, old_item):
+                return True
+        elif new_item != old_item:
+            return True
+
+    return False
+
+
+def have_networks_changed(
+    new_networks: list[dict[str, t.Any]] | None,
+    old_networks: list[dict[str, t.Any]] | None,
+) -> bool:
+    """Special case list checking for networks to sort aliases"""
+
+    if new_networks is None:
+        return False
+    old_networks = old_networks or []
+    if len(new_networks) != len(old_networks):
+        return True
+
+    zip_data = zip(
+        sorted(new_networks, key=lambda k: k["id"]),
+        sorted(old_networks, key=lambda k: k["id"]),
+    )
+
+    for new_item, old_item in zip_data:
+        new_item = dict(new_item)
+        old_item = dict(old_item)
+        # Sort the aliases
+        if "aliases" in new_item:
+            new_item["aliases"] = sorted(new_item["aliases"] or [])
+        if "aliases" in old_item:
+            old_item["aliases"] = sorted(old_item["aliases"] or [])
+
+        if has_dict_changed(new_item, old_item):
+            return True
+
+    return False
+
+
+class DockerService(DockerBaseClass):
+    def __init__(
+        self, docker_api_version: LooseVersion, docker_py_version: LooseVersion
+    ) -> None:
+        super().__init__()
+        self.image: str | None = ""
+        self.command: t.Any = None
+        self.args: list[str] | None = None
+        self.endpoint_mode: t.Literal["vip", "dnsrr"] | None = None
+        self.dns: list[str] | None = None
+        self.healthcheck: dict[str, t.Any] | None = None
+        self.healthcheck_disabled: bool | None = None
+        self.hostname: str | None = None
+        self.hosts: dict[str, t.Any] | None = None
+        self.tty: bool | None = None
+        self.dns_search: list[str] | None = None
+        self.dns_options: list[str] | None = None
+        self.env: t.Any = None
+        self.force_update: int | None = None
+        self.groups: list[str] | None = None
+        self.log_driver: str | None = None
+        self.log_driver_options: dict[str, t.Any] | None = None
+        self.labels: dict[str, t.Any] | None = None
+        self.container_labels: dict[str, t.Any] | None = None
+        self.sysctls: dict[str, t.Any] | None = None
+        self.limit_cpu: float | None = None
+        self.limit_memory: int | None = None
+        self.reserve_cpu: float | None = None
+        self.reserve_memory: int | None = None
+        self.mode: t.Literal["replicated", "global", "replicated-job"] = "replicated"
+        self.user: str | None = None
+        self.mounts: list[dict[str, t.Any]] | None = None
+        self.configs: list[dict[str, t.Any]] | None = None
+        self.secrets: list[dict[str, t.Any]] | None = None
+        self.constraints: list[str] | None = None
+        self.replicas_max_per_node: int | None = None
+        self.networks: list[t.Any] | None = None
+        self.stop_grace_period: int | None = None
+        self.stop_signal: str | None = None
+        self.publish: list[dict[str, t.Any]] | None = None
+        self.placement_preferences: list[dict[str, t.Any]] | None = None
+        self.replicas: int | None = -1
+        self.service_id = False
+        self.service_version = False
+        self.read_only: bool | None = None
+        self.restart_policy: t.Literal["none", "on-failure", "any"] | None = None
+        self.restart_policy_attempts: int | None = None
+        self.restart_policy_delay: str | None = None
+        self.restart_policy_window: str | None = None
+        self.rollback_config: dict[str, t.Any] | None = None
+        self.update_delay: str | None = None
+        self.update_parallelism: int | None = None
+        self.update_failure_action: (
+            t.Literal["continue", "pause", "rollback"] | None
+        ) = None
+        self.update_monitor: str | None = None
+        self.update_max_failure_ratio: float | None = None
+        self.update_order: str | None = None
+        self.working_dir: str | None = None
+        self.init: bool | None = None
+        self.cap_add: list[str] | None = None
+        self.cap_drop: list[str] | None = None
+
+        self.docker_api_version = docker_api_version
+        self.docker_py_version = docker_py_version
+
+    def get_facts(self) -> dict[str, t.Any]:
+        return {
+            "image": self.image,
+            "mounts": self.mounts,
+            "configs": self.configs,
+            "networks": self.networks,
+            "command": self.command,
+            "args": self.args,
+            "tty": self.tty,
+            "dns": self.dns,
+            "dns_search": self.dns_search,
+            "dns_options": self.dns_options,
+            "healthcheck": self.healthcheck,
+            "healthcheck_disabled": self.healthcheck_disabled,
+            "hostname": self.hostname,
+            "hosts": self.hosts,
+            "env": self.env,
+            "force_update": self.force_update,
+            "groups": self.groups,
+            "log_driver": self.log_driver,
+            "log_driver_options": self.log_driver_options,
+            "publish": self.publish,
+            "constraints": self.constraints,
+            "replicas_max_per_node": self.replicas_max_per_node,
+            "placement_preferences": self.placement_preferences,
+            "labels": self.labels,
+            "container_labels": self.container_labels,
+            "sysctls": self.sysctls,
+            "mode": self.mode,
+            "replicas": self.replicas,
+            "endpoint_mode": self.endpoint_mode,
+            "restart_policy": self.restart_policy,
+            "secrets": self.secrets,
+            "stop_grace_period": self.stop_grace_period,
+            "stop_signal": self.stop_signal,
+            "limit_cpu": self.limit_cpu,
+            "limit_memory": self.limit_memory,
+            "read_only": self.read_only,
+            "reserve_cpu": self.reserve_cpu,
+            "reserve_memory": self.reserve_memory,
+            "restart_policy_delay": self.restart_policy_delay,
+            "restart_policy_attempts": self.restart_policy_attempts,
+            "restart_policy_window": self.restart_policy_window,
+            "rollback_config": self.rollback_config,
+            "update_delay": self.update_delay,
+            "update_parallelism": self.update_parallelism,
+            "update_failure_action": self.update_failure_action,
+            "update_monitor": self.update_monitor,
+            "update_max_failure_ratio": self.update_max_failure_ratio,
+            "update_order": self.update_order,
+            "user": self.user,
+            "working_dir": self.working_dir,
+            "init": self.init,
+            "cap_add": self.cap_add,
+            "cap_drop": self.cap_drop,
+        }
+
+    @property
+    def can_update_networks(self) -> bool:
+        # Before Docker API 1.29 adding/removing networks was not supported
+        return self.docker_api_version >= LooseVersion(
+            "1.29"
+        ) and self.docker_py_version >= LooseVersion("2.7")
+
+    @property
+    def can_use_task_template_networks(self) -> bool:
+        # In Docker API 1.25 attaching networks to TaskTemplate is preferred over Spec
+        return self.docker_py_version >= LooseVersion("2.7")
+
+    @staticmethod
+    def get_restart_config_from_ansible_params(
+        params: dict[str, t.Any],
+    ) -> dict[str, t.Any]:
+        restart_config = params["restart_config"] or {}
+        condition = get_value(
+            "condition",
+            restart_config,
+        )
+        delay = get_value(
+            "delay",
+            restart_config,
+        )
+        delay = get_nanoseconds_from_raw_option("restart_policy_delay", delay)
+        max_attempts = get_value(
+            "max_attempts",
+            restart_config,
+        )
+        window = get_value(
+            "window",
+            restart_config,
+        )
+        window = get_nanoseconds_from_raw_option("restart_policy_window", window)
+        return {
+            "restart_policy": condition,
+            "restart_policy_delay": delay,
+            "restart_policy_attempts": max_attempts,
+            "restart_policy_window": window,
+        }
+
+    @staticmethod
+    def get_update_config_from_ansible_params(
+        params: dict[str, t.Any],
+    ) -> dict[str, t.Any]:
+        update_config = params["update_config"] or {}
+        parallelism = get_value(
+            "parallelism",
+            update_config,
+        )
+        delay = get_value(
+            "delay",
+            update_config,
+        )
+        delay = get_nanoseconds_from_raw_option("update_delay", delay)
+        failure_action = get_value(
+            "failure_action",
+            update_config,
+        )
+        monitor = get_value(
+            "monitor",
+            update_config,
+        )
+        monitor = get_nanoseconds_from_raw_option("update_monitor", monitor)
+        max_failure_ratio = get_value(
+            "max_failure_ratio",
+            update_config,
+        )
+        order = get_value(
+            "order",
+            update_config,
+        )
+        return {
+            "update_parallelism": parallelism,
+            "update_delay": delay,
+            "update_failure_action": failure_action,
+            "update_monitor": monitor,
+            "update_max_failure_ratio": max_failure_ratio,
+            "update_order": order,
+        }
+
+    @staticmethod
+    def get_rollback_config_from_ansible_params(
+        params: dict[str, t.Any],
+    ) -> dict[str, t.Any] | None:
+        if params["rollback_config"] is None:
+            return None
+        rollback_config = params["rollback_config"] or {}
+        delay = get_nanoseconds_from_raw_option(
+            "rollback_config.delay", rollback_config.get("delay")
+        )
+        monitor = get_nanoseconds_from_raw_option(
+            "rollback_config.monitor", rollback_config.get("monitor")
+        )
+        return {
+            "parallelism": rollback_config.get("parallelism"),
+            "delay": delay,
+            "failure_action": rollback_config.get("failure_action"),
+            "monitor": monitor,
+            "max_failure_ratio": rollback_config.get("max_failure_ratio"),
+            "order": rollback_config.get("order"),
+        }
+
+    @staticmethod
+    def get_logging_from_ansible_params(params: dict[str, t.Any]) -> dict[str, t.Any]:
+        logging_config = params["logging"] or {}
+        driver = get_value(
+            "driver",
+            logging_config,
+        )
+        options = get_value(
+            "options",
+            logging_config,
+        )
+        return {
+            "log_driver": driver,
+            "log_driver_options": options,
+        }
+
+    @staticmethod
+    def get_limits_from_ansible_params(params: dict[str, t.Any]) -> dict[str, t.Any]:
+        limits = params["limits"] or {}
+        cpus = get_value(
+            "cpus",
+            limits,
+        )
+        memory = get_value(
+            "memory",
+            limits,
+        )
+        if memory is not None:
+            try:
+                memory = human_to_bytes(memory)
+            except ValueError as exc:
+                raise ValueError(
+                    f"Failed to convert limit_memory to bytes: {exc}"
+                ) from exc
+        return {
+            "limit_cpu": cpus,
+            "limit_memory": memory,
+        }
+
+    @staticmethod
+    def get_reservations_from_ansible_params(
+        params: dict[str, t.Any],
+    ) -> dict[str, t.Any]:
+        reservations = params["reservations"] or {}
+        cpus = get_value(
+            "cpus",
+            reservations,
+        )
+        memory = get_value(
+            "memory",
+            reservations,
+        )
+
+        if memory is not None:
+            try:
+                memory = human_to_bytes(memory)
+            except ValueError as exc:
+                raise ValueError(
+                    f"Failed to convert reserve_memory to bytes: {exc}"
+                ) from exc
+        return {
+            "reserve_cpu": cpus,
+            "reserve_memory": memory,
+        }
+
+    @staticmethod
+    def get_placement_from_ansible_params(params: dict[str, t.Any]) -> dict[str, t.Any]:
+        placement = params["placement"] or {}
+        constraints = get_value("constraints", placement)
+
+        preferences = placement.get("preferences")
+        replicas_max_per_node = get_value("replicas_max_per_node", placement)
+
+        return {
+            "constraints": constraints,
+            "placement_preferences": preferences,
+            "replicas_max_per_node": replicas_max_per_node,
+        }
+
+    @classmethod
+    def from_ansible_params(
+        cls,
+        ap: dict[str, t.Any],
+        old_service: DockerService | None,
+        image_digest: str,
+        secret_ids: dict[str, str],
+        config_ids: dict[str, str],
+        network_ids: dict[str, str],
+        client: AnsibleDockerClient,
+    ) -> DockerService:
+        s = DockerService(client.docker_api_version, client.docker_py_version)
+        s.image = image_digest
+        s.args = ap["args"]
+        s.endpoint_mode = ap["endpoint_mode"]
+        s.dns = ap["dns"]
+        s.dns_search = ap["dns_search"]
+        s.dns_options = ap["dns_options"]
+        s.healthcheck, s.healthcheck_disabled = parse_healthcheck(ap["healthcheck"])
+        s.hostname = ap["hostname"]
+        s.hosts = ap["hosts"]
+        s.tty = ap["tty"]
+        s.labels = ap["labels"]
+        sanitize_labels(s.labels, "labels", client)
+        s.container_labels = ap["container_labels"]
+        sanitize_labels(s.container_labels, "container_labels", client)
+        s.sysctls = ap["sysctls"]
+        s.mode = ap["mode"]
+        s.stop_signal = ap["stop_signal"]
+        s.user = ap["user"]
+        s.working_dir = ap["working_dir"]
+        s.read_only = ap["read_only"]
+        s.init = ap["init"]
+        s.cap_add = ap["cap_add"]
+        s.cap_drop = ap["cap_drop"]
+
+        s.networks = get_docker_networks(ap["networks"], network_ids)
+
+        s.command = ap["command"]
+        if isinstance(s.command, str):
+            s.command = shlex.split(s.command)
+        elif isinstance(s.command, list):
+            invalid_items = [
+                (index, item)
+                for index, item in enumerate(s.command)
+                if not isinstance(item, str)
+            ]
+            if invalid_items:
+                errors = ", ".join(
+                    [
+                        f"{item} ({type(item)}) at index {index}"
+                        for index, item in invalid_items
+                    ]
+                )
+                raise ValueError(
+                    "All items in a command list need to be strings. "
+                    f"Check quoting. Invalid items: {errors}."
+                )
+            s.command = ap["command"]
+        elif s.command is not None:
+            raise ValueError(
+                f"Invalid type for command {s.command} ({type(s.command)}). "
+                "Only string or list allowed. Check quoting."
+            )
+
+        s.env = get_docker_environment(ap["env"], ap["env_files"])
+        s.rollback_config = cls.get_rollback_config_from_ansible_params(ap)
+
+        update_config = cls.get_update_config_from_ansible_params(ap)
+        for key, value in update_config.items():
+            setattr(s, key, value)
+
+        restart_config = cls.get_restart_config_from_ansible_params(ap)
+        for key, value in restart_config.items():
+            setattr(s, key, value)
+
+        logging_config = cls.get_logging_from_ansible_params(ap)
+        for key, value in logging_config.items():
+            setattr(s, key, value)
+
+        limits = cls.get_limits_from_ansible_params(ap)
+        for key, value in limits.items():
+            setattr(s, key, value)
+
+        reservations = cls.get_reservations_from_ansible_params(ap)
+        for key, value in reservations.items():
+            setattr(s, key, value)
+
+        placement = cls.get_placement_from_ansible_params(ap)
+        for key, value in placement.items():
+            setattr(s, key, value)
+
+        if ap["stop_grace_period"] is not None:
+            s.stop_grace_period = convert_duration_to_nanosecond(
+                ap["stop_grace_period"]
+            )
+
+        if ap["force_update"]:
+            s.force_update = int(str(time.time()).replace(".", ""))
+
+        if ap["groups"] is not None:
+            # In case integers are passed as groups, we need to convert them to
+            # strings as docker internally treats them as strings.
+            s.groups = [str(g) for g in ap["groups"]]
+
+        if ap["replicas"] == -1:
+            if old_service:
+                s.replicas = old_service.replicas
+            else:
+                s.replicas = 1
+        else:
+            s.replicas = ap["replicas"]
+
+        if ap["publish"] is not None:
+            s.publish = []
+            for param_p in ap["publish"]:
+                service_p = {}
+                service_p["protocol"] = param_p["protocol"]
+                service_p["mode"] = param_p["mode"]
+                service_p["published_port"] = param_p["published_port"]
+                service_p["target_port"] = param_p["target_port"]
+                s.publish.append(service_p)
+
+        if ap["mounts"] is not None:
+            s.mounts = []
+            for param_m in ap["mounts"]:
+                service_m = {}
+                service_m["readonly"] = param_m["readonly"]
+                service_m["type"] = param_m["type"]
+                if param_m["source"] is None and param_m["type"] != "tmpfs":
+                    raise ValueError(
+                        "Source must be specified for mounts which are not of type tmpfs"
+                    )
+                service_m["source"] = param_m["source"] or ""
+                service_m["target"] = param_m["target"]
+                service_m["labels"] = param_m["labels"]
+                service_m["no_copy"] = param_m["no_copy"]
+                service_m["propagation"] = param_m["propagation"]
+                service_m["driver_config"] = param_m["driver_config"]
+                service_m["tmpfs_mode"] = param_m["tmpfs_mode"]
+                tmpfs_size = param_m["tmpfs_size"]
+                if tmpfs_size is not None:
+                    try:
+                        tmpfs_size = human_to_bytes(tmpfs_size)
+                    except ValueError as exc:
+                        raise ValueError(
+                            f"Failed to convert tmpfs_size to bytes: {exc}"
+                        ) from exc
+
+                service_m["tmpfs_size"] = tmpfs_size
+                s.mounts.append(service_m)
+
+        if ap["configs"] is not None:
+            s.configs = []
+            for param_m in ap["configs"]:
+                service_c = {}
+                config_name = param_m["config_name"]
+                service_c["config_id"] = param_m["config_id"] or config_ids[config_name]
+                service_c["config_name"] = config_name
+                service_c["filename"] = param_m["filename"] or config_name
+                service_c["uid"] = param_m["uid"]
+                service_c["gid"] = param_m["gid"]
+                service_c["mode"] = param_m["mode"]
+                s.configs.append(service_c)
+
+        if ap["secrets"] is not None:
+            s.secrets = []
+            for param_m in ap["secrets"]:
+                service_s = {}
+                secret_name = param_m["secret_name"]
+                service_s["secret_id"] = param_m["secret_id"] or secret_ids[secret_name]
+                service_s["secret_name"] = secret_name
+                service_s["filename"] = param_m["filename"] or secret_name
+                service_s["uid"] = param_m["uid"]
+                service_s["gid"] = param_m["gid"]
+                service_s["mode"] = param_m["mode"]
+                s.secrets.append(service_s)
+
+        return s
+
+    def compare(self, os: DockerService) -> tuple[bool, DifferenceTracker, bool, bool]:
+        differences = DifferenceTracker()
+        needs_rebuild = False
+        force_update = False
+        if self.endpoint_mode is not None and self.endpoint_mode != os.endpoint_mode:
+            differences.add(
+                "endpoint_mode", parameter=self.endpoint_mode, active=os.endpoint_mode
+            )
+        if has_list_changed(self.env, os.env):
+            differences.add("env", parameter=self.env, active=os.env)
+        if self.log_driver is not None and self.log_driver != os.log_driver:
+            differences.add(
+                "log_driver", parameter=self.log_driver, active=os.log_driver
+            )
+        if self.log_driver_options is not None and self.log_driver_options != (
+            os.log_driver_options or {}
+        ):
+            differences.add(
+                "log_opt",
+                parameter=self.log_driver_options,
+                active=os.log_driver_options,
+            )
+        if self.mode != os.mode:
+            needs_rebuild = True
+            differences.add("mode", parameter=self.mode, active=os.mode)
+        if has_list_changed(self.mounts, os.mounts, sort_key="target"):
+            differences.add("mounts", parameter=self.mounts, active=os.mounts)
+        if has_list_changed(self.configs, os.configs, sort_key="config_name"):
+            differences.add("configs", parameter=self.configs, active=os.configs)
+        if has_list_changed(self.secrets, os.secrets, sort_key="secret_name"):
+            differences.add("secrets", parameter=self.secrets, active=os.secrets)
+        if have_networks_changed(self.networks, os.networks):
+            differences.add("networks", parameter=self.networks, active=os.networks)
+            needs_rebuild = not self.can_update_networks
+        if self.replicas != os.replicas:
+            differences.add("replicas", parameter=self.replicas, active=os.replicas)
+        if has_list_changed(self.command, os.command, sort_lists=False):
+            differences.add("command", parameter=self.command, active=os.command)
+        if has_list_changed(self.args, os.args, sort_lists=False):
+            differences.add("args", parameter=self.args, active=os.args)
+        if has_list_changed(self.constraints, os.constraints):
+            differences.add(
+                "constraints", parameter=self.constraints, active=os.constraints
+            )
+        if (
+            self.replicas_max_per_node is not None
+            and self.replicas_max_per_node != os.replicas_max_per_node
+        ):
+            differences.add(
+                "replicas_max_per_node",
+                parameter=self.replicas_max_per_node,
+                active=os.replicas_max_per_node,
+            )
+        if has_list_changed(
+            self.placement_preferences, os.placement_preferences, sort_lists=False
+        ):
+            differences.add(
+                "placement_preferences",
+                parameter=self.placement_preferences,
+                active=os.placement_preferences,
+            )
+        if has_list_changed(self.groups, os.groups):
+            differences.add("groups", parameter=self.groups, active=os.groups)
+        if self.labels is not None and self.labels != (os.labels or {}):
+            differences.add("labels", parameter=self.labels, active=os.labels)
+        if self.limit_cpu is not None and self.limit_cpu != os.limit_cpu:
+            differences.add("limit_cpu", parameter=self.limit_cpu, active=os.limit_cpu)
+        if self.limit_memory is not None and self.limit_memory != os.limit_memory:
+            differences.add(
+                "limit_memory", parameter=self.limit_memory, active=os.limit_memory
+            )
+        if self.reserve_cpu is not None and self.reserve_cpu != os.reserve_cpu:
+            differences.add(
+                "reserve_cpu", parameter=self.reserve_cpu, active=os.reserve_cpu
+            )
+        if self.reserve_memory is not None and self.reserve_memory != os.reserve_memory:
+            differences.add(
+                "reserve_memory",
+                parameter=self.reserve_memory,
+                active=os.reserve_memory,
+            )
+        if self.container_labels is not None and self.container_labels != (
+            os.container_labels or {}
+        ):
+            differences.add(
+                "container_labels",
+                parameter=self.container_labels,
+                active=os.container_labels,
+            )
+        if self.sysctls is not None and self.sysctls != (os.sysctls or {}):
+            differences.add("sysctls", parameter=self.sysctls, active=os.sysctls)
+        if self.stop_signal is not None and self.stop_signal != os.stop_signal:
+            differences.add(
+                "stop_signal", parameter=self.stop_signal, active=os.stop_signal
+            )
+        if (
+            self.stop_grace_period is not None
+            and self.stop_grace_period != os.stop_grace_period
+        ):
+            differences.add(
+                "stop_grace_period",
+                parameter=self.stop_grace_period,
+                active=os.stop_grace_period,
+            )
+        if self.has_publish_changed(os.publish):
+            differences.add("publish", parameter=self.publish, active=os.publish)
+        if self.read_only is not None and self.read_only != os.read_only:
+            differences.add("read_only", parameter=self.read_only, active=os.read_only)
+        if self.restart_policy is not None and self.restart_policy != os.restart_policy:
+            differences.add(
+                "restart_policy",
+                parameter=self.restart_policy,
+                active=os.restart_policy,
+            )
+        if (
+            self.restart_policy_attempts is not None
+            and self.restart_policy_attempts != os.restart_policy_attempts
+        ):
+            differences.add(
+                "restart_policy_attempts",
+                parameter=self.restart_policy_attempts,
+                active=os.restart_policy_attempts,
+            )
+        if (
+            self.restart_policy_delay is not None
+            and self.restart_policy_delay != os.restart_policy_delay
+        ):
+            differences.add(
+                "restart_policy_delay",
+                parameter=self.restart_policy_delay,
+                active=os.restart_policy_delay,
+            )
+        if (
+            self.restart_policy_window is not None
+            and self.restart_policy_window != os.restart_policy_window
+        ):
+            differences.add(
+                "restart_policy_window",
+                parameter=self.restart_policy_window,
+                active=os.restart_policy_window,
+            )
+        if has_dict_changed(self.rollback_config, os.rollback_config):
+            differences.add(
+                "rollback_config",
+                parameter=self.rollback_config,
+                active=os.rollback_config,
+            )
+        if self.update_delay is not None and self.update_delay != os.update_delay:
+            differences.add(
+                "update_delay", parameter=self.update_delay, active=os.update_delay
+            )
+        if (
+            self.update_parallelism is not None
+            and self.update_parallelism != os.update_parallelism
+        ):
+            differences.add(
+                "update_parallelism",
+                parameter=self.update_parallelism,
+                active=os.update_parallelism,
+            )
+        if (
+            self.update_failure_action is not None
+            and self.update_failure_action != os.update_failure_action
+        ):
+            differences.add(
+                "update_failure_action",
+                parameter=self.update_failure_action,
+                active=os.update_failure_action,
+            )
+        if self.update_monitor is not None and self.update_monitor != os.update_monitor:
+            differences.add(
+                "update_monitor",
+                parameter=self.update_monitor,
+                active=os.update_monitor,
+            )
+        if (
+            self.update_max_failure_ratio is not None
+            and self.update_max_failure_ratio != os.update_max_failure_ratio
+        ):
+            differences.add(
+                "update_max_failure_ratio",
+                parameter=self.update_max_failure_ratio,
+                active=os.update_max_failure_ratio,
+            )
+        if self.update_order is not None and self.update_order != os.update_order:
+            differences.add(
+                "update_order", parameter=self.update_order, active=os.update_order
+            )
+        has_image_changed, change = self.has_image_changed(os.image or "")
+        if has_image_changed:
+            differences.add("image", parameter=self.image, active=change)
+        if self.user and self.user != os.user:
+            differences.add("user", parameter=self.user, active=os.user)
+        if has_list_changed(self.dns, os.dns, sort_lists=False):
+            differences.add("dns", parameter=self.dns, active=os.dns)
+        if has_list_changed(self.dns_search, os.dns_search, sort_lists=False):
+            differences.add(
+                "dns_search", parameter=self.dns_search, active=os.dns_search
+            )
+        if has_list_changed(self.dns_options, os.dns_options):
+            differences.add(
+                "dns_options", parameter=self.dns_options, active=os.dns_options
+            )
+        if self.has_healthcheck_changed(os):
+            differences.add(
+                "healthcheck", parameter=self.healthcheck, active=os.healthcheck
+            )
+        if self.hostname is not None and self.hostname != os.hostname:
+            differences.add("hostname", parameter=self.hostname, active=os.hostname)
+        if self.hosts is not None and self.hosts != (os.hosts or {}):
+            differences.add("hosts", parameter=self.hosts, active=os.hosts)
+        if self.tty is not None and self.tty != os.tty:
+            differences.add("tty", parameter=self.tty, active=os.tty)
+        if self.working_dir is not None and self.working_dir != os.working_dir:
+            differences.add(
+                "working_dir", parameter=self.working_dir, active=os.working_dir
+            )
+        if self.force_update:
+            force_update = True
+        if self.init is not None and self.init != os.init:
+            differences.add("init", parameter=self.init, active=os.init)
+        if has_list_changed(self.cap_add, os.cap_add):
+            differences.add("cap_add", parameter=self.cap_add, active=os.cap_add)
+        if has_list_changed(self.cap_drop, os.cap_drop):
+            differences.add("cap_drop", parameter=self.cap_drop, active=os.cap_drop)
+        return (
+            not differences.empty or force_update,
+            differences,
+            needs_rebuild,
+            force_update,
+        )
+
+    def has_healthcheck_changed(self, old_publish: DockerService) -> bool:
+        if self.healthcheck_disabled is False and self.healthcheck is None:
+            return False
+        if self.healthcheck_disabled:
+            if old_publish.healthcheck is None:
+                return False
+            if old_publish.healthcheck.get("test") == ["NONE"]:
+                return False
+        return self.healthcheck != old_publish.healthcheck
+
+    def has_publish_changed(self, old_publish: list[dict[str, t.Any]] | None) -> bool:
+        if self.publish is None:
+            return False
+        old_publish = old_publish or []
+        if len(self.publish) != len(old_publish):
+            return True
+
+        def publish_sorter(item: dict[str, t.Any]) -> tuple[int, int, str]:
+            return (
+                item.get("published_port") or 0,
+                item.get("target_port") or 0,
+                item.get("protocol") or "",
+            )
+
+        publish = sorted(self.publish, key=publish_sorter)
+        old_publish = sorted(old_publish, key=publish_sorter)
+        for publish_item, old_publish_item in zip(publish, old_publish):
+            ignored_keys = set()
+            if not publish_item.get("mode"):
+                ignored_keys.add("mode")
+            # Create copies of publish_item dicts where keys specified in ignored_keys are left out
+            filtered_old_publish_item = {
+                k: v for k, v in old_publish_item.items() if k not in ignored_keys
+            }
+            filtered_publish_item = {
+                k: v for k, v in publish_item.items() if k not in ignored_keys
+            }
+            if filtered_publish_item != filtered_old_publish_item:
+                return True
+        return False
+
+    def has_image_changed(self, old_image: str) -> tuple[bool, str]:
+        assert self.image is not None
+        if "@" not in self.image:
+            old_image = old_image.split("@")[0]
+        return self.image != old_image, old_image
+
+    def build_container_spec(self) -> types.ContainerSpec:
+        mounts = None
+        if self.mounts is not None:
+            mounts = []
+            for mount_config in self.mounts:
+                mount_options = {
+                    "target": "target",
+                    "source": "source",
+                    "type": "type",
+                    "readonly": "read_only",
+                    "propagation": "propagation",
+                    "labels": "labels",
+                    "no_copy": "no_copy",
+                    "driver_config": "driver_config",
+                    "tmpfs_size": "tmpfs_size",
+                    "tmpfs_mode": "tmpfs_mode",
+                }
+                mount_args = {}
+                for option, mount_arg in mount_options.items():
+                    value = mount_config.get(option)
+                    if value is not None:
+                        mount_args[mount_arg] = value
+
+                mounts.append(types.Mount(**mount_args))
+
+        configs = None
+        if self.configs is not None:
+            configs = []
+            for config_config in self.configs:
+                config_args = {
+                    "config_id": config_config["config_id"],
+                    "config_name": config_config["config_name"],
+                }
+                filename = config_config.get("filename")
+                if filename:
+                    config_args["filename"] = filename
+                uid = config_config.get("uid")
+                if uid:
+                    config_args["uid"] = uid
+                gid = config_config.get("gid")
+                if gid:
+                    config_args["gid"] = gid
+                mode = config_config.get("mode")
+                if mode:
+                    config_args["mode"] = mode
+
+                configs.append(types.ConfigReference(**config_args))
+
+        secrets = None
+        if self.secrets is not None:
+            secrets = []
+            for secret_config in self.secrets:
+                secret_args = {
+                    "secret_id": secret_config["secret_id"],
+                    "secret_name": secret_config["secret_name"],
+                }
+                filename = secret_config.get("filename")
+                if filename:
+                    secret_args["filename"] = filename
+                uid = secret_config.get("uid")
+                if uid:
+                    secret_args["uid"] = uid
+                gid = secret_config.get("gid")
+                if gid:
+                    secret_args["gid"] = gid
+                mode = secret_config.get("mode")
+                if mode:
+                    secret_args["mode"] = mode
+
+                secrets.append(types.SecretReference(**secret_args))
+
+        dns_config_args: dict[str, t.Any] = {}
+        if self.dns is not None:
+            dns_config_args["nameservers"] = self.dns
+        if self.dns_search is not None:
+            dns_config_args["search"] = self.dns_search
+        if self.dns_options is not None:
+            dns_config_args["options"] = self.dns_options
+        dns_config = types.DNSConfig(**dns_config_args) if dns_config_args else None
+
+        container_spec_args: dict[str, t.Any] = {}
+        if self.command is not None:
+            container_spec_args["command"] = self.command
+        if self.args is not None:
+            container_spec_args["args"] = self.args
+        if self.env is not None:
+            container_spec_args["env"] = self.env
+        if self.user is not None:
+            container_spec_args["user"] = self.user
+        if self.container_labels is not None:
+            container_spec_args["labels"] = self.container_labels
+        if self.sysctls is not None:
+            container_spec_args["sysctls"] = self.sysctls
+        if self.healthcheck is not None:
+            container_spec_args["healthcheck"] = types.Healthcheck(**self.healthcheck)
+        elif self.healthcheck_disabled:
+            container_spec_args["healthcheck"] = types.Healthcheck(test=["NONE"])
+        if self.hostname is not None:
+            container_spec_args["hostname"] = self.hostname
+        if self.hosts is not None:
+            container_spec_args["hosts"] = self.hosts
+        if self.read_only is not None:
+            container_spec_args["read_only"] = self.read_only
+        if self.stop_grace_period is not None:
+            container_spec_args["stop_grace_period"] = self.stop_grace_period
+        if self.stop_signal is not None:
+            container_spec_args["stop_signal"] = self.stop_signal
+        if self.tty is not None:
+            container_spec_args["tty"] = self.tty
+        if self.groups is not None:
+            container_spec_args["groups"] = self.groups
+        if self.working_dir is not None:
+            container_spec_args["workdir"] = self.working_dir
+        if secrets is not None:
+            container_spec_args["secrets"] = secrets
+        if mounts is not None:
+            container_spec_args["mounts"] = mounts
+        if dns_config is not None:
+            container_spec_args["dns_config"] = dns_config
+        if configs is not None:
+            container_spec_args["configs"] = configs
+        if self.init is not None:
+            container_spec_args["init"] = self.init
+        if self.cap_add is not None:
+            container_spec_args["cap_add"] = self.cap_add
+        if self.cap_drop is not None:
+            container_spec_args["cap_drop"] = self.cap_drop
+
+        return types.ContainerSpec(self.image, **container_spec_args)
+
+    def build_placement(self) -> types.Placement | None:
+        placement_args: dict[str, t.Any] = {}
+        if self.constraints is not None:
+            placement_args["constraints"] = self.constraints
+        if self.replicas_max_per_node is not None:
+            placement_args["maxreplicas"] = self.replicas_max_per_node
+        if self.placement_preferences is not None:
+            placement_args["preferences"] = [
+                {key.title(): {"SpreadDescriptor": value}}
+                for preference in self.placement_preferences
+                for key, value in preference.items()
+            ]
+        return types.Placement(**placement_args) if placement_args else None
+
+    def build_update_config(self) -> types.UpdateConfig | None:
+        update_config_args: dict[str, t.Any] = {}
+        if self.update_parallelism is not None:
+            update_config_args["parallelism"] = self.update_parallelism
+        if self.update_delay is not None:
+            update_config_args["delay"] = self.update_delay
+        if self.update_failure_action is not None:
+            update_config_args["failure_action"] = self.update_failure_action
+        if self.update_monitor is not None:
+            update_config_args["monitor"] = self.update_monitor
+        if self.update_max_failure_ratio is not None:
+            update_config_args["max_failure_ratio"] = self.update_max_failure_ratio
+        if self.update_order is not None:
+            update_config_args["order"] = self.update_order
+        return types.UpdateConfig(**update_config_args) if update_config_args else None
+
+    def build_log_driver(self) -> types.DriverConfig | None:
+        log_driver_args: dict[str, t.Any] = {}
+        if self.log_driver is not None:
+            log_driver_args["name"] = self.log_driver
+        if self.log_driver_options is not None:
+            log_driver_args["options"] = self.log_driver_options
+        return types.DriverConfig(**log_driver_args) if log_driver_args else None
+
+    def build_restart_policy(self) -> types.RestartPolicy | None:
+        restart_policy_args: dict[str, t.Any] = {}
+        if self.restart_policy is not None:
+            restart_policy_args["condition"] = self.restart_policy
+        if self.restart_policy_delay is not None:
+            restart_policy_args["delay"] = self.restart_policy_delay
+        if self.restart_policy_attempts is not None:
+            restart_policy_args["max_attempts"] = self.restart_policy_attempts
+        if self.restart_policy_window is not None:
+            restart_policy_args["window"] = self.restart_policy_window
+        return (
+            types.RestartPolicy(**restart_policy_args) if restart_policy_args else None
+        )
+
+    def build_rollback_config(self) -> types.RollbackConfig | None:
+        if self.rollback_config is None:
+            return None
+        rollback_config_options = [
+            "parallelism",
+            "delay",
+            "failure_action",
+            "monitor",
+            "max_failure_ratio",
+            "order",
+        ]
+        rollback_config_args = {}
+        for option in rollback_config_options:
+            value = self.rollback_config.get(option)
+            if value is not None:
+                rollback_config_args[option] = value
+        return (
+            types.RollbackConfig(**rollback_config_args)
+            if rollback_config_args
+            else None
+        )
+
+    def build_resources(self) -> types.Resources | None:
+        resources_args: dict[str, t.Any] = {}
+        if self.limit_cpu is not None:
+            resources_args["cpu_limit"] = int(self.limit_cpu * 1000000000.0)
+        if self.limit_memory is not None:
+            resources_args["mem_limit"] = self.limit_memory
+        if self.reserve_cpu is not None:
+            resources_args["cpu_reservation"] = int(self.reserve_cpu * 1000000000.0)
+        if self.reserve_memory is not None:
+            resources_args["mem_reservation"] = self.reserve_memory
+        return types.Resources(**resources_args) if resources_args else None
+
+    def build_task_template(
+        self,
+        container_spec: types.ContainerSpec,
+        placement: types.Placement | None = None,
+    ) -> types.TaskTemplate:
+        log_driver = self.build_log_driver()
+        restart_policy = self.build_restart_policy()
+        resources = self.build_resources()
+
+        task_template_args: dict[str, t.Any] = {}
+        if placement is not None:
+            task_template_args["placement"] = placement
+        if log_driver is not None:
+            task_template_args["log_driver"] = log_driver
+        if restart_policy is not None:
+            task_template_args["restart_policy"] = restart_policy
+        if resources is not None:
+            task_template_args["resources"] = resources
+        if self.force_update:
+            task_template_args["force_update"] = self.force_update
+        if self.can_use_task_template_networks:
+            networks = self.build_networks()
+            if networks:
+                task_template_args["networks"] = networks
+        return types.TaskTemplate(container_spec=container_spec, **task_template_args)
+
+    def build_service_mode(self) -> types.ServiceMode:
+        if self.mode == "global":
+            self.replicas = None
+        return types.ServiceMode(self.mode, replicas=self.replicas)
+
+    def build_networks(self) -> list[dict[str, t.Any]] | None:
+        networks = None
+        if self.networks is not None:
+            networks = []
+            for network in self.networks:
+                docker_network = {"Target": network["id"]}
+                if "aliases" in network:
+                    docker_network["Aliases"] = network["aliases"]
+                if "options" in network:
+                    docker_network["DriverOpts"] = network["options"]
+                networks.append(docker_network)
+        return networks
+
+    def build_endpoint_spec(self) -> types.EndpointSpec | None:
+        endpoint_spec_args: dict[str, t.Any] = {}
+        if self.publish is not None:
+            ports = []
+            for port in self.publish:
+                port_spec = {
+                    "Protocol": port["protocol"],
+                    "TargetPort": port["target_port"],
+                }
+                if port.get("published_port"):
+                    port_spec["PublishedPort"] = port["published_port"]
+                if port.get("mode"):
+                    port_spec["PublishMode"] = port["mode"]
+                ports.append(port_spec)
+            endpoint_spec_args["ports"] = ports
+        if self.endpoint_mode is not None:
+            endpoint_spec_args["mode"] = self.endpoint_mode
+        return types.EndpointSpec(**endpoint_spec_args) if endpoint_spec_args else None
+
+    def build_docker_service(self) -> dict[str, t.Any]:
+        container_spec = self.build_container_spec()
+        placement = self.build_placement()
+        task_template = self.build_task_template(container_spec, placement)
+
+        update_config = self.build_update_config()
+        rollback_config = self.build_rollback_config()
+        service_mode = self.build_service_mode()
+        endpoint_spec = self.build_endpoint_spec()
+
+        service: dict[str, t.Any] = {
+            "task_template": task_template,
+            "mode": service_mode,
+        }
+        if update_config:
+            service["update_config"] = update_config
+        if rollback_config:
+            service["rollback_config"] = rollback_config
+        if endpoint_spec:
+            service["endpoint_spec"] = endpoint_spec
+        if self.labels:
+            service["labels"] = self.labels
+        if not self.can_use_task_template_networks:
+            networks = self.build_networks()
+            if networks:
+                service["networks"] = networks
+        return service
+
+
+class DockerServiceManager:
+    def __init__(self, client: AnsibleDockerClient):
+        self.client = client
+        self.retries = 2
+        self.diff_tracker: DifferenceTracker | None = None
+
+    def get_service(self, name: str) -> DockerService | None:
+        try:
+            raw_data = self.client.inspect_service(name)
+        except NotFound:
+            return None
+        ds = DockerService(
+            self.client.docker_api_version, self.client.docker_py_version
+        )
+
+        task_template_data = raw_data["Spec"]["TaskTemplate"]
+        ds.image = task_template_data["ContainerSpec"]["Image"]
+        ds.user = task_template_data["ContainerSpec"].get("User")
+        ds.env = task_template_data["ContainerSpec"].get("Env")
+        ds.command = task_template_data["ContainerSpec"].get("Command")
+        ds.args = task_template_data["ContainerSpec"].get("Args")
+        ds.groups = task_template_data["ContainerSpec"].get("Groups")
+        ds.stop_grace_period = task_template_data["ContainerSpec"].get(
+            "StopGracePeriod"
+        )
+        ds.stop_signal = task_template_data["ContainerSpec"].get("StopSignal")
+        ds.working_dir = task_template_data["ContainerSpec"].get("Dir")
+        ds.read_only = task_template_data["ContainerSpec"].get("ReadOnly")
+        ds.cap_add = task_template_data["ContainerSpec"].get("CapabilityAdd")
+        ds.cap_drop = task_template_data["ContainerSpec"].get("CapabilityDrop")
+        ds.sysctls = task_template_data["ContainerSpec"].get("Sysctls")
+
+        healthcheck_data = task_template_data["ContainerSpec"].get("Healthcheck")
+        if healthcheck_data:
+            options = {
+                "Test": "test",
+                "Interval": "interval",
+                "Timeout": "timeout",
+                "StartPeriod": "start_period",
+                "Retries": "retries",
+            }
+            healthcheck = {
+                options[key]: value
+                for key, value in healthcheck_data.items()
+                if value is not None and key in options
+            }
+            ds.healthcheck = healthcheck
+
+        update_config_data = raw_data["Spec"].get("UpdateConfig")
+        if update_config_data:
+            ds.update_delay = update_config_data.get("Delay")
+            ds.update_parallelism = update_config_data.get("Parallelism")
+            ds.update_failure_action = update_config_data.get("FailureAction")
+            ds.update_monitor = update_config_data.get("Monitor")
+            ds.update_max_failure_ratio = update_config_data.get("MaxFailureRatio")
+            ds.update_order = update_config_data.get("Order")
+
+        rollback_config_data = raw_data["Spec"].get("RollbackConfig")
+        if rollback_config_data:
+            ds.rollback_config = {
+                "parallelism": rollback_config_data.get("Parallelism"),
+                "delay": rollback_config_data.get("Delay"),
+                "failure_action": rollback_config_data.get("FailureAction"),
+                "monitor": rollback_config_data.get("Monitor"),
+                "max_failure_ratio": rollback_config_data.get("MaxFailureRatio"),
+                "order": rollback_config_data.get("Order"),
+            }
+
+        dns_config = task_template_data["ContainerSpec"].get("DNSConfig")
+        if dns_config:
+            ds.dns = dns_config.get("Nameservers")
+            ds.dns_search = dns_config.get("Search")
+            ds.dns_options = dns_config.get("Options")
+
+        ds.hostname = task_template_data["ContainerSpec"].get("Hostname")
+
+        hosts = task_template_data["ContainerSpec"].get("Hosts")
+        if hosts:
+            hosts = [
+                (
+                    list(reversed(host.split(":", 1)))
+                    if ":" in host
+                    else host.split(" ", 1)
+                )
+                for host in hosts
+            ]
+            ds.hosts = {hostname: ip for ip, hostname in hosts}
+        ds.tty = task_template_data["ContainerSpec"].get("TTY")
+
+        placement = task_template_data.get("Placement")
+        if placement:
+            ds.constraints = placement.get("Constraints")
+            ds.replicas_max_per_node = placement.get("MaxReplicas")
+            placement_preferences = []
+            for preference in placement.get("Preferences", []):
+                placement_preferences.append(
+                    {
+                        key.lower(): value["SpreadDescriptor"]
+                        for key, value in preference.items()
+                    }
+                )
+            ds.placement_preferences = placement_preferences or None
+
+        restart_policy_data = task_template_data.get("RestartPolicy")
+        if restart_policy_data:
+            ds.restart_policy = restart_policy_data.get("Condition")
+            ds.restart_policy_delay = restart_policy_data.get("Delay")
+            ds.restart_policy_attempts = restart_policy_data.get("MaxAttempts")
+            ds.restart_policy_window = restart_policy_data.get("Window")
+
+        raw_data_endpoint_spec = raw_data["Spec"].get("EndpointSpec")
+        if raw_data_endpoint_spec:
+            ds.endpoint_mode = raw_data_endpoint_spec.get("Mode")
+            raw_data_ports = raw_data_endpoint_spec.get("Ports")
+            if raw_data_ports:
+                ds.publish = []
+                for port in raw_data_ports:
+                    ds.publish.append(
+                        {
+                            "protocol": port["Protocol"],
+                            "mode": port.get("PublishMode", None),
+                            "published_port": port.get("PublishedPort", None),
+                            "target_port": int(port["TargetPort"]),
+                        }
+                    )
+
+        raw_data_limits = task_template_data.get("Resources", {}).get("Limits")
+        if raw_data_limits:
+            raw_cpu_limits = raw_data_limits.get("NanoCPUs")
+            if raw_cpu_limits:
+                ds.limit_cpu = float(raw_cpu_limits) / 1000000000
+
+            raw_memory_limits = raw_data_limits.get("MemoryBytes")
+            if raw_memory_limits:
+                ds.limit_memory = int(raw_memory_limits)
+
+        raw_data_reservations = task_template_data.get("Resources", {}).get(
+            "Reservations"
+        )
+        if raw_data_reservations:
+            raw_cpu_reservations = raw_data_reservations.get("NanoCPUs")
+            if raw_cpu_reservations:
+                ds.reserve_cpu = float(raw_cpu_reservations) / 1000000000
+
+            raw_memory_reservations = raw_data_reservations.get("MemoryBytes")
+            if raw_memory_reservations:
+                ds.reserve_memory = int(raw_memory_reservations)
+
+        ds.labels = raw_data["Spec"].get("Labels")
+        ds.log_driver = task_template_data.get("LogDriver", {}).get("Name")
+        ds.log_driver_options = task_template_data.get("LogDriver", {}).get("Options")
+        ds.container_labels = task_template_data["ContainerSpec"].get("Labels")
+
+        mode = raw_data["Spec"]["Mode"]
+        if "Replicated" in mode:
+            ds.mode = to_text("replicated", encoding="utf-8")  # type: ignore
+            ds.replicas = mode["Replicated"]["Replicas"]
+        elif "Global" in mode:
+            ds.mode = "global"
+        elif "ReplicatedJob" in mode:
+            ds.mode = to_text("replicated-job", encoding="utf-8")  # type: ignore
+            ds.replicas = mode["ReplicatedJob"]["TotalCompletions"]
+        else:
+            raise ValueError(f"Unknown service mode: {mode}")
+
+        raw_data_mounts = task_template_data["ContainerSpec"].get("Mounts")
+        if raw_data_mounts:
+            ds.mounts = []
+            for mount_data in raw_data_mounts:
+                bind_options = mount_data.get("BindOptions", {})
+                volume_options = mount_data.get("VolumeOptions", {})
+                tmpfs_options = mount_data.get("TmpfsOptions", {})
+                driver_config = volume_options.get("DriverConfig", {})
+                driver_config = {
+                    key.lower(): value for key, value in driver_config.items()
+                } or None
+                ds.mounts.append(
+                    {
+                        "source": mount_data.get("Source", ""),
+                        "type": mount_data["Type"],
+                        "target": mount_data["Target"],
+                        "readonly": mount_data.get("ReadOnly"),
+                        "propagation": bind_options.get("Propagation"),
+                        "no_copy": volume_options.get("NoCopy"),
+                        "labels": volume_options.get("Labels"),
+                        "driver_config": driver_config,
+                        "tmpfs_mode": tmpfs_options.get("Mode"),
+                        "tmpfs_size": tmpfs_options.get("SizeBytes"),
+                    }
+                )
+
+        raw_data_configs = task_template_data["ContainerSpec"].get("Configs")
+        if raw_data_configs:
+            ds.configs = []
+            for config_data in raw_data_configs:
+                ds.configs.append(
+                    {
+                        "config_id": config_data["ConfigID"],
+                        "config_name": config_data["ConfigName"],
+                        "filename": config_data["File"].get("Name"),
+                        "uid": config_data["File"].get("UID"),
+                        "gid": config_data["File"].get("GID"),
+                        "mode": config_data["File"].get("Mode"),
+                    }
+                )
+
+        raw_data_secrets = task_template_data["ContainerSpec"].get("Secrets")
+        if raw_data_secrets:
+            ds.secrets = []
+            for secret_data in raw_data_secrets:
+                ds.secrets.append(
+                    {
+                        "secret_id": secret_data["SecretID"],
+                        "secret_name": secret_data["SecretName"],
+                        "filename": secret_data["File"].get("Name"),
+                        "uid": secret_data["File"].get("UID"),
+                        "gid": secret_data["File"].get("GID"),
+                        "mode": secret_data["File"].get("Mode"),
+                    }
+                )
+
+        raw_networks_data = task_template_data.get(
+            "Networks", raw_data["Spec"].get("Networks")
+        )
+        if raw_networks_data:
+            ds.networks = []
+            for network_data in raw_networks_data:
+                network = {"id": network_data["Target"]}
+                if "Aliases" in network_data:
+                    network["aliases"] = network_data["Aliases"]
+                if "DriverOpts" in network_data:
+                    network["options"] = network_data["DriverOpts"]
+                ds.networks.append(network)
+        ds.service_version = raw_data["Version"]["Index"]
+        ds.service_id = raw_data["ID"]
+
+        ds.init = task_template_data["ContainerSpec"].get("Init", False)
+        return ds
+
+    def update_service(
+        self, name: str, old_service: DockerService, new_service: DockerService
+    ) -> None:
+        service_data = new_service.build_docker_service()
+        result = self.client.update_service(
+            old_service.service_id,
+            old_service.service_version,
+            name=name,
+            **service_data,
+        )
+        # Prior to Docker SDK 4.0.0 no warnings were returned and will thus be ignored.
+        # (see https://github.com/docker/docker-py/pull/2272)
+        self.client.report_warnings(result, ["Warning"])
+
+    def create_service(self, name: str, service: DockerService) -> None:
+        service_data = service.build_docker_service()
+        result = self.client.create_service(name=name, **service_data)
+        self.client.report_warnings(result, ["Warning"])
+
+    def remove_service(self, name: str) -> None:
+        self.client.remove_service(name)
+
+    def get_image_digest(self, name: str, resolve: bool = False) -> str:
+        if not name or not resolve:
+            return name
+        repo, tag = parse_repository_tag(name)
+        if not tag:
+            tag = "latest"
+        name = repo + ":" + tag
+        distribution_data = self.client.inspect_distribution(name)
+        digest = distribution_data["Descriptor"]["digest"]
+        return f"{name}@{digest}"
+
+    def get_networks_names_ids(self) -> dict[str, str]:
+        return {network["Name"]: network["Id"] for network in self.client.networks()}
+
+    def get_missing_secret_ids(self) -> dict[str, str]:
+        """
+        Resolve missing secret ids by looking them up by name
+        """
+        secret_names = [
+            secret["secret_name"]
+            for secret in self.client.module.params.get("secrets") or []
+            if secret["secret_id"] is None
+        ]
+        if not secret_names:
+            return {}
+        secrets = self.client.secrets(filters={"name": secret_names})
+        secrets = {
+            secret["Spec"]["Name"]: secret["ID"]
+            for secret in secrets
+            if secret["Spec"]["Name"] in secret_names
+        }
+        for secret_name in secret_names:
+            if secret_name not in secrets:
+                self.client.fail(f'Could not find a secret named "{secret_name}"')
+        return secrets
+
+    def get_missing_config_ids(self) -> dict[str, str]:
+        """
+        Resolve missing config ids by looking them up by name
+        """
+        config_names = [
+            config["config_name"]
+            for config in self.client.module.params.get("configs") or []
+            if config["config_id"] is None
+        ]
+        if not config_names:
+            return {}
+        configs = self.client.configs(filters={"name": config_names})
+        configs = {
+            config["Spec"]["Name"]: config["ID"]
+            for config in configs
+            if config["Spec"]["Name"] in config_names
+        }
+        for config_name in config_names:
+            if config_name not in configs:
+                self.client.fail(f'Could not find a config named "{config_name}"')
+        return configs
+
+    def run(self) -> tuple[str, bool, bool, list[str], dict[str, t.Any]]:
+        self.diff_tracker = DifferenceTracker()
+        module = self.client.module
+
+        image = module.params["image"]
+        try:
+            image_digest = self.get_image_digest(
+                name=image, resolve=module.params["resolve_image"]
+            )
+        except DockerException as e:
+            self.client.fail(f"Error looking for an image named {image}: {e}")
+
+        try:
+            current_service = self.get_service(module.params["name"])
+        except Exception as e:  # pylint: disable=broad-exception-caught
+            self.client.fail(
+                f"Error looking for service named {module.params['name']}: {e}"
+            )
+        try:
+            secret_ids = self.get_missing_secret_ids()
+            config_ids = self.get_missing_config_ids()
+            network_ids = self.get_networks_names_ids()
+            new_service = DockerService.from_ansible_params(
+                module.params,
+                current_service,
+                image_digest,
+                secret_ids,
+                config_ids,
+                network_ids,
+                self.client,
+            )
+        except Exception as e:  # pylint: disable=broad-exception-caught
+            return self.client.fail(f"Error parsing module parameters: {e}")
+
+        changed = False
+        msg = "noop"
+        rebuilt = False
+        differences = DifferenceTracker()
+        facts = {}
+
+        if current_service:
+            if module.params["state"] == "absent":
+                if not module.check_mode:
+                    self.remove_service(module.params["name"])
+                msg = "Service removed"
+                changed = True
+            else:
+                changed, differences, need_rebuild, force_update = new_service.compare(
+                    current_service
+                )
+                if changed:
+                    self.diff_tracker.merge(differences)
+                    if need_rebuild:
+                        if not module.check_mode:
+                            self.remove_service(module.params["name"])
+                            self.create_service(module.params["name"], new_service)
+                        msg = "Service rebuilt"
+                        rebuilt = True
+                    else:
+                        if not module.check_mode:
+                            self.update_service(
+                                module.params["name"], current_service, new_service
+                            )
+                        msg = "Service updated"
+                        rebuilt = False
+                else:
+                    if force_update:
+                        if not module.check_mode:
+                            self.update_service(
+                                module.params["name"], current_service, new_service
+                            )
+                        msg = "Service forcefully updated"
+                        rebuilt = False
+                        changed = True
+                    else:
+                        msg = "Service unchanged"
+                facts = new_service.get_facts()
+        else:
+            if module.params["state"] == "absent":
+                msg = "Service absent"
+            else:
+                if not module.check_mode:
+                    self.create_service(module.params["name"], new_service)
+                msg = "Service created"
+                changed = True
+                facts = new_service.get_facts()
+
+        return msg, changed, rebuilt, differences.get_legacy_docker_diffs(), facts
+
+    def run_safe(self) -> tuple[str, bool, bool, list[str], dict[str, t.Any]]:
+        while True:
+            try:
+                return self.run()
+            except APIError as e:
+                # Sometimes Version.Index will have changed between an inspect and
+                # update. If this is encountered we'll retry the update.
+                if self.retries > 0 and "update out of sequence" in str(e.explanation):
+                    self.retries -= 1
+                    time.sleep(1)
+                else:
+                    raise
+
+
+def _detect_publish_mode_usage(client: AnsibleDockerClient) -> bool:
+    return any(
+        publish_def.get("mode") for publish_def in client.module.params["publish"] or []
+    )
+
+
+def _detect_healthcheck_start_period(client: AnsibleDockerClient) -> bool:
+    if client.module.params["healthcheck"]:
+        return client.module.params["healthcheck"]["start_period"] is not None
+    return False
+
+
+def _detect_mount_tmpfs_usage(client: AnsibleDockerClient) -> bool:
+    for mount in client.module.params["mounts"] or []:
+        if mount.get("type") == "tmpfs":
+            return True
+        if mount.get("tmpfs_size") is not None:
+            return True
+        if mount.get("tmpfs_mode") is not None:
+            return True
+    return False
+
+
+def _detect_update_config_failure_action_rollback(client: AnsibleDockerClient) -> bool:
+    rollback_config_failure_action = (client.module.params["update_config"] or {}).get(
+        "failure_action"
+    )
+    return rollback_config_failure_action == "rollback"
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+        "image": {"type": "str"},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "absent"],
+        },
+        "mounts": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "source": {"type": "str"},
+                "target": {"type": "str", "required": True},
+                "type": {
+                    "type": "str",
+                    "default": "bind",
+                    "choices": ["bind", "volume", "tmpfs", "npipe"],
+                },
+                "readonly": {"type": "bool"},
+                "labels": {"type": "dict"},
+                "propagation": {
+                    "type": "str",
+                    "choices": [
+                        "shared",
+                        "slave",
+                        "private",
+                        "rshared",
+                        "rslave",
+                        "rprivate",
+                    ],
+                },
+                "no_copy": {"type": "bool"},
+                "driver_config": {
+                    "type": "dict",
+                    "options": {"name": {"type": "str"}, "options": {"type": "dict"}},
+                },
+                "tmpfs_size": {"type": "str"},
+                "tmpfs_mode": {"type": "int"},
+            },
+        },
+        "configs": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "config_id": {"type": "str"},
+                "config_name": {"type": "str", "required": True},
+                "filename": {"type": "str"},
+                "uid": {"type": "str"},
+                "gid": {"type": "str"},
+                "mode": {"type": "int"},
+            },
+        },
+        "secrets": {
+            "type": "list",
+            "elements": "dict",
+            "no_log": False,
+            "options": {
+                "secret_id": {"type": "str", "no_log": False},
+                "secret_name": {"type": "str", "required": True, "no_log": False},
+                "filename": {"type": "str"},
+                "uid": {"type": "str"},
+                "gid": {"type": "str"},
+                "mode": {"type": "int"},
+            },
+        },
+        "networks": {"type": "list", "elements": "raw"},
+        "command": {"type": "raw"},
+        "args": {"type": "list", "elements": "str"},
+        "env": {"type": "raw"},
+        "env_files": {"type": "list", "elements": "path"},
+        "force_update": {"type": "bool", "default": False},
+        "groups": {"type": "list", "elements": "str"},
+        "logging": {
+            "type": "dict",
+            "options": {
+                "driver": {"type": "str"},
+                "options": {"type": "dict"},
+            },
+        },
+        "publish": {
+            "type": "list",
+            "elements": "dict",
+            "options": {
+                "published_port": {"type": "int", "required": False},
+                "target_port": {"type": "int", "required": True},
+                "protocol": {
+                    "type": "str",
+                    "default": "tcp",
+                    "choices": ["tcp", "udp"],
+                },
+                "mode": {"type": "str", "choices": ["ingress", "host"]},
+            },
+        },
+        "placement": {
+            "type": "dict",
+            "options": {
+                "constraints": {"type": "list", "elements": "str"},
+                "preferences": {"type": "list", "elements": "dict"},
+                "replicas_max_per_node": {"type": "int"},
+            },
+        },
+        "tty": {"type": "bool"},
+        "dns": {"type": "list", "elements": "str"},
+        "dns_search": {"type": "list", "elements": "str"},
+        "dns_options": {"type": "list", "elements": "str"},
+        "healthcheck": {
+            "type": "dict",
+            "options": {
+                "test": {"type": "raw"},
+                "interval": {"type": "str"},
+                "timeout": {"type": "str"},
+                "start_period": {"type": "str"},
+                "retries": {"type": "int"},
+            },
+        },
+        "hostname": {"type": "str"},
+        "hosts": {"type": "dict"},
+        "labels": {"type": "dict"},
+        "container_labels": {"type": "dict"},
+        "sysctls": {"type": "dict"},
+        "mode": {
+            "type": "str",
+            "default": "replicated",
+            "choices": ["replicated", "global", "replicated-job"],
+        },
+        "replicas": {"type": "int", "default": -1},
+        "endpoint_mode": {"type": "str", "choices": ["vip", "dnsrr"]},
+        "stop_grace_period": {"type": "str"},
+        "stop_signal": {"type": "str"},
+        "limits": {
+            "type": "dict",
+            "options": {
+                "cpus": {"type": "float"},
+                "memory": {"type": "str"},
+            },
+        },
+        "read_only": {"type": "bool"},
+        "reservations": {
+            "type": "dict",
+            "options": {
+                "cpus": {"type": "float"},
+                "memory": {"type": "str"},
+            },
+        },
+        "resolve_image": {"type": "bool", "default": False},
+        "restart_config": {
+            "type": "dict",
+            "options": {
+                "condition": {"type": "str", "choices": ["none", "on-failure", "any"]},
+                "delay": {"type": "str"},
+                "max_attempts": {"type": "int"},
+                "window": {"type": "str"},
+            },
+        },
+        "rollback_config": {
+            "type": "dict",
+            "options": {
+                "parallelism": {"type": "int"},
+                "delay": {"type": "str"},
+                "failure_action": {"type": "str", "choices": ["continue", "pause"]},
+                "monitor": {"type": "str"},
+                "max_failure_ratio": {"type": "float"},
+                "order": {"type": "str"},
+            },
+        },
+        "update_config": {
+            "type": "dict",
+            "options": {
+                "parallelism": {"type": "int"},
+                "delay": {"type": "str"},
+                "failure_action": {
+                    "type": "str",
+                    "choices": ["continue", "pause", "rollback"],
+                },
+                "monitor": {"type": "str"},
+                "max_failure_ratio": {"type": "float"},
+                "order": {"type": "str"},
+            },
+        },
+        "user": {"type": "str"},
+        "working_dir": {"type": "str"},
+        "init": {"type": "bool"},
+        "cap_add": {"type": "list", "elements": "str"},
+        "cap_drop": {"type": "list", "elements": "str"},
+    }
+
+    option_minimal_versions = {
+        "dns": {"docker_py_version": "2.6.0"},
+        "dns_options": {"docker_py_version": "2.6.0"},
+        "dns_search": {"docker_py_version": "2.6.0"},
+        "endpoint_mode": {"docker_py_version": "3.0.0"},
+        "force_update": {"docker_py_version": "2.1.0"},
+        "healthcheck": {"docker_py_version": "2.6.0"},
+        "hostname": {"docker_py_version": "2.2.0"},
+        "hosts": {"docker_py_version": "2.6.0"},
+        "groups": {"docker_py_version": "2.6.0"},
+        "tty": {"docker_py_version": "2.4.0"},
+        "secrets": {"docker_py_version": "2.4.0"},
+        "configs": {"docker_py_version": "2.6.0", "docker_api_version": "1.30"},
+        "stop_signal": {"docker_py_version": "2.6.0", "docker_api_version": "1.28"},
+        "publish": {"docker_py_version": "3.0.0"},
+        "read_only": {"docker_py_version": "2.6.0", "docker_api_version": "1.28"},
+        "resolve_image": {"docker_api_version": "1.30", "docker_py_version": "3.2.0"},
+        "rollback_config": {"docker_py_version": "3.5.0", "docker_api_version": "1.28"},
+        "init": {"docker_py_version": "4.0.0", "docker_api_version": "1.37"},
+        "cap_add": {"docker_py_version": "5.0.3", "docker_api_version": "1.41"},
+        "cap_drop": {"docker_py_version": "5.0.3", "docker_api_version": "1.41"},
+        "sysctls": {"docker_py_version": "6.0.0", "docker_api_version": "1.40"},
+        # specials
+        "publish_mode": {
+            "docker_py_version": "3.0.0",
+            "detect_usage": _detect_publish_mode_usage,
+            "usage_msg": "set publish.mode",
+        },
+        "healthcheck_start_period": {
+            "docker_py_version": "2.6.0",
+            "docker_api_version": "1.29",
+            "detect_usage": _detect_healthcheck_start_period,
+            "usage_msg": "set healthcheck.start_period",
+        },
+        "update_config_max_failure_ratio": {
+            "docker_py_version": "2.1.0",
+            "detect_usage": lambda c: (c.module.params["update_config"] or {}).get(
+                "max_failure_ratio"
+            )
+            is not None,
+            "usage_msg": "set update_config.max_failure_ratio",
+        },
+        "update_config_failure_action": {
+            "docker_py_version": "3.5.0",
+            "docker_api_version": "1.28",
+            "detect_usage": _detect_update_config_failure_action_rollback,
+            "usage_msg": "set update_config.failure_action.rollback",
+        },
+        "update_config_monitor": {
+            "docker_py_version": "2.1.0",
+            "detect_usage": lambda c: (c.module.params["update_config"] or {}).get(
+                "monitor"
+            )
+            is not None,
+            "usage_msg": "set update_config.monitor",
+        },
+        "update_config_order": {
+            "docker_py_version": "2.7.0",
+            "docker_api_version": "1.29",
+            "detect_usage": lambda c: (c.module.params["update_config"] or {}).get(
+                "order"
+            )
+            is not None,
+            "usage_msg": "set update_config.order",
+        },
+        "placement_config_preferences": {
+            "docker_py_version": "2.4.0",
+            "docker_api_version": "1.27",
+            "detect_usage": lambda c: (c.module.params["placement"] or {}).get(
+                "preferences"
+            )
+            is not None,
+            "usage_msg": "set placement.preferences",
+        },
+        "placement_config_constraints": {
+            "docker_py_version": "2.4.0",
+            "detect_usage": lambda c: (c.module.params["placement"] or {}).get(
+                "constraints"
+            )
+            is not None,
+            "usage_msg": "set placement.constraints",
+        },
+        "placement_config_replicas_max_per_node": {
+            "docker_py_version": "4.4.3",
+            "docker_api_version": "1.40",
+            "detect_usage": lambda c: (c.module.params["placement"] or {}).get(
+                "replicas_max_per_node"
+            )
+            is not None,
+            "usage_msg": "set placement.replicas_max_per_node",
+        },
+        "mounts_tmpfs": {
+            "docker_py_version": "2.6.0",
+            "detect_usage": _detect_mount_tmpfs_usage,
+            "usage_msg": "set mounts.tmpfs",
+        },
+        "rollback_config_order": {
+            "docker_api_version": "1.29",
+            "detect_usage": lambda c: (c.module.params["rollback_config"] or {}).get(
+                "order"
+            )
+            is not None,
+            "usage_msg": "set rollback_config.order",
+        },
+        "mode_replicated_job": {
+            "docker_py_version": "6.0.0",
+            "docker_api_version": "1.41",
+            "detect_usage": lambda c: c.module.params.get("mode") == "replicated-job",
+            "usage_msg": "set mode",
+        },
+    }
+    required_if = [("state", "present", ["image"])]
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        required_if=required_if,
+        supports_check_mode=True,
+        min_docker_version="2.0.2",
+        option_minimal_versions=option_minimal_versions,
+    )
+
+    try:
+        dsm = DockerServiceManager(client)
+        msg, changed, rebuilt, changes, facts = dsm.run_safe()
+
+        results = {
+            "msg": msg,
+            "changed": changed,
+            "rebuilt": rebuilt,
+            "changes": changes,
+            "swarm_service": facts,
+        }
+        if client.module._diff:
+            assert dsm.diff_tracker is not None
+            before, after = dsm.diff_tracker.get_before_after()
+            results["diff"] = {"before": before, "after": after}
+
+        client.module.exit_json(**results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_swarm_service_info.py b/ansible_collections/community/docker/plugins/modules/docker_swarm_service_info.py
new file mode 100644
index 00000000..a037dfdb
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_swarm_service_info.py
@@ -0,0 +1,116 @@
+#!/usr/bin/python
+#
+# Copyright (c) 2019 Hannes Ljungberg <hannes.ljungberg@gmail.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_swarm_service_info
+
+short_description: Retrieves information about docker services from a Swarm Manager
+
+description:
+  - Retrieves information about a docker service.
+  - Essentially returns the output of C(docker service inspect <name>).
+  - Must be executed on a host running as Swarm Manager, otherwise the module will fail.
+extends_documentation_fragment:
+  - community.docker._docker
+  - community.docker._docker.docker_py_2_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - The name of the service to inspect.
+    type: str
+    required: true
+
+author:
+  - Hannes Ljungberg (@hannseman)
+
+requirements:
+  - "L(Docker SDK for Python,https://docker-py.readthedocs.io/en/stable/) >= 2.0.0"
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get info from a service
+  community.docker.docker_swarm_service_info:
+    name: myservice
+  register: result
+"""
+
+RETURN = r"""
+exists:
+  description:
+    - Returns whether the service exists.
+  type: bool
+  returned: always
+  sample: true
+service:
+  description:
+    - A dictionary representing the current state of the service. Matches the C(docker service inspect) output.
+    - Will be V(none) if service does not exist.
+  returned: always
+  type: dict
+"""
+
+import traceback
+import typing as t
+
+try:
+    from docker.errors import DockerException
+except ImportError:
+    # missing Docker SDK for Python handled in ansible.module_utils.docker.common
+    pass
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._swarm import (
+    AnsibleDockerSwarmClient,
+)
+
+
+def get_service_info(client: AnsibleDockerSwarmClient) -> dict[str, t.Any] | None:
+    service = client.module.params["name"]
+    return client.get_service_inspect(service_id=service, skip_missing=True)
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True},
+    }
+
+    client = AnsibleDockerSwarmClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        min_docker_version="2.0.0",
+    )
+
+    client.fail_task_if_not_swarm_manager()
+
+    try:
+        service = get_service_info(client)
+
+        client.module.exit_json(changed=False, service=service, exists=bool(service))
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when Docker SDK for Python tried to talk to the docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_volume.py b/ansible_collections/community/docker/plugins/modules/docker_volume.py
new file mode 100644
index 00000000..cca32b8c
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_volume.py
@@ -0,0 +1,353 @@
+#!/usr/bin/python
+#
+# Copyright 2017 Red Hat | Ansible, Alex Grönholm <alex.gronholm@nextday.fi>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_volume
+short_description: Manage Docker volumes
+description:
+  - Create/remove Docker volumes.
+  - Performs largely the same function as the C(docker volume) CLI subcommand.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: full
+  idempotent:
+    support: partial
+    details:
+      - If O(recreate=always) the module is not idempotent.
+
+options:
+  volume_name:
+    description:
+      - Name of the volume to operate on.
+    type: str
+    required: true
+    aliases:
+      - name
+
+  driver:
+    description:
+      - Specify the type of volume. Docker provides the V(local) driver, but 3rd party drivers can also be used.
+    type: str
+    default: local
+
+  driver_options:
+    description:
+      - 'Dictionary of volume settings. Consult the Docker documentation for valid options and values:
+        U(https://docs.docker.com/engine/reference/commandline/volume_create/#driver-specific-options).'
+    type: dict
+    default: {}
+
+  labels:
+    description:
+      - Dictionary of label key/values to set for the volume.
+    type: dict
+
+  recreate:
+    description:
+      - Controls when a volume will be recreated when O(state=present). Please note that recreating an existing volume will
+        cause B(any data in the existing volume to be lost!) The volume will be deleted and a new volume with the same name
+        will be created.
+      - The value V(always) forces the volume to be always recreated.
+      - The value V(never) makes sure the volume will not be recreated.
+      - The value V(options-changed) makes sure the volume will be recreated if the volume already exist and the driver, driver
+        options or labels differ.
+    type: str
+    default: never
+    choices:
+      - always
+      - never
+      - options-changed
+
+  state:
+    description:
+      - V(absent) deletes the volume.
+      - V(present) creates the volume, if it does not already exist.
+    type: str
+    default: present
+    choices:
+      - absent
+      - present
+
+author:
+  - Alex Grönholm (@agronholm)
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Create a volume
+  community.docker.docker_volume:
+    name: volume_one
+
+- name: Remove a volume
+  community.docker.docker_volume:
+    name: volume_one
+    state: absent
+
+- name: Create a volume with options
+  community.docker.docker_volume:
+    name: volume_two
+    driver_options:
+      type: btrfs
+      device: /dev/sda2
+"""
+
+RETURN = r"""
+volume:
+  description:
+    - Volume inspection results for the affected volume.
+  returned: success
+  type: dict
+  sample: {}
+"""
+
+import traceback
+import typing as t
+
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DifferenceTracker,
+    DockerBaseClass,
+    sanitize_labels,
+)
+
+
+class TaskParameters(DockerBaseClass):
+    volume_name: str
+
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        super().__init__()
+        self.client = client
+
+        self.driver: str = "local"
+        self.driver_options: dict[str, t.Any] = {}
+        self.labels: dict[str, t.Any] | None = None
+        self.recreate: t.Literal["always", "never", "options-changed"] = "never"
+        self.debug: bool = False
+        self.state: t.Literal["present", "absent"] = "present"
+
+        for key, value in client.module.params.items():
+            setattr(self, key, value)
+
+
+class DockerVolumeManager:
+    def __init__(self, client: AnsibleDockerClient) -> None:
+        self.client = client
+        self.parameters = TaskParameters(client)
+        self.check_mode = self.client.check_mode
+        self.actions: list[str] = []
+        self.results: dict[str, t.Any] = {"changed": False, "actions": self.actions}
+        self.diff = self.client.module._diff
+        self.diff_tracker = DifferenceTracker()
+        self.diff_result: dict[str, t.Any] = {}
+
+        self.existing_volume = self.get_existing_volume()
+
+        state = self.parameters.state
+        if state == "present":
+            self.present()
+        elif state == "absent":
+            self.absent()
+
+        if self.diff or self.check_mode or self.parameters.debug:
+            if self.diff:
+                self.diff_result["before"], self.diff_result["after"] = (
+                    self.diff_tracker.get_before_after()
+                )
+            self.results["diff"] = self.diff_result
+
+    def get_existing_volume(self) -> dict[str, t.Any] | None:
+        try:
+            volumes = self.client.get_json("/volumes")
+        except APIError as e:
+            self.client.fail(to_text(e))
+
+        if volumes["Volumes"] is None:
+            return None
+
+        for volume in volumes["Volumes"]:
+            if volume["Name"] == self.parameters.volume_name:
+                return volume
+
+        return None
+
+    def has_different_config(self) -> DifferenceTracker:
+        """
+        Return the list of differences between the current parameters and the existing volume.
+
+        :return: list of options that differ
+        """
+        assert self.existing_volume is not None
+        differences = DifferenceTracker()
+        if (
+            self.parameters.driver
+            and self.parameters.driver != self.existing_volume["Driver"]
+        ):
+            differences.add(
+                "driver",
+                parameter=self.parameters.driver,
+                active=self.existing_volume["Driver"],
+            )
+        if self.parameters.driver_options:
+            if not self.existing_volume.get("Options"):
+                differences.add(
+                    "driver_options",
+                    parameter=self.parameters.driver_options,
+                    active=self.existing_volume.get("Options"),
+                )
+            else:
+                for key, value in self.parameters.driver_options.items():
+                    if (
+                        not self.existing_volume["Options"].get(key)
+                        or value != self.existing_volume["Options"][key]
+                    ):
+                        differences.add(
+                            f"driver_options.{key}",
+                            parameter=value,
+                            active=self.existing_volume["Options"].get(key),
+                        )
+        if self.parameters.labels:
+            existing_labels = self.existing_volume.get("Labels") or {}
+            for label in self.parameters.labels:
+                if existing_labels.get(label) != self.parameters.labels.get(label):
+                    differences.add(
+                        f"labels.{label}",
+                        parameter=self.parameters.labels.get(label),
+                        active=existing_labels.get(label),
+                    )
+
+        return differences
+
+    def create_volume(self) -> None:
+        if not self.existing_volume:
+            if not self.check_mode:
+                try:
+                    data = {
+                        "Name": self.parameters.volume_name,
+                        "Driver": self.parameters.driver,
+                        "DriverOpts": self.parameters.driver_options,
+                    }
+                    if self.parameters.labels is not None:
+                        data["Labels"] = self.parameters.labels
+                    resp = self.client.post_json_to_json("/volumes/create", data=data)
+                    self.existing_volume = self.client.get_json(
+                        "/volumes/{0}", resp["Name"]
+                    )
+                except APIError as e:
+                    self.client.fail(to_text(e))
+
+            self.actions.append(
+                f"Created volume {self.parameters.volume_name} with driver {self.parameters.driver}"
+            )
+            self.results["changed"] = True
+
+    def remove_volume(self) -> None:
+        if self.existing_volume:
+            if not self.check_mode:
+                try:
+                    self.client.delete_call("/volumes/{0}", self.parameters.volume_name)
+                except APIError as e:
+                    self.client.fail(to_text(e))
+
+            self.actions.append(f"Removed volume {self.parameters.volume_name}")
+            self.results["changed"] = True
+
+    def present(self) -> None:
+        differences = DifferenceTracker()
+        if self.existing_volume:
+            differences = self.has_different_config()
+
+        self.diff_tracker.add(
+            "exists", parameter=True, active=self.existing_volume is not None
+        )
+        if (
+            not differences.empty and self.parameters.recreate == "options-changed"
+        ) or self.parameters.recreate == "always":
+            self.remove_volume()
+            self.existing_volume = None
+
+        self.create_volume()
+
+        if self.diff or self.check_mode or self.parameters.debug:
+            self.diff_result["differences"] = differences.get_legacy_docker_diffs()
+            self.diff_tracker.merge(differences)
+
+        if not self.check_mode and not self.parameters.debug:
+            self.results.pop("actions")
+
+        volume_facts = self.get_existing_volume()
+        self.results["volume"] = volume_facts
+
+    def absent(self) -> None:
+        self.diff_tracker.add(
+            "exists", parameter=False, active=self.existing_volume is not None
+        )
+        self.remove_volume()
+
+
+def main() -> None:
+    argument_spec = {
+        "volume_name": {"type": "str", "required": True, "aliases": ["name"]},
+        "state": {
+            "type": "str",
+            "default": "present",
+            "choices": ["present", "absent"],
+        },
+        "driver": {"type": "str", "default": "local"},
+        "driver_options": {"type": "dict", "default": {}},
+        "labels": {"type": "dict"},
+        "recreate": {
+            "type": "str",
+            "default": "never",
+            "choices": ["always", "never", "options-changed"],
+        },
+        "debug": {"type": "bool", "default": False},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+        # "The docker server >= 1.9.0"
+    )
+    sanitize_labels(client.module.params["labels"], "labels", client)
+
+    try:
+        cm = DockerVolumeManager(client)
+        client.module.exit_json(**cm.results)
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/modules/docker_volume_info.py b/ansible_collections/community/docker/plugins/modules/docker_volume_info.py
new file mode 100644
index 00000000..d162410c
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/modules/docker_volume_info.py
@@ -0,0 +1,126 @@
+#!/usr/bin/python
+#
+# Copyright 2017 Red Hat | Ansible, Alex Grönholm <alex.gronholm@nextday.fi>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: docker_volume_info
+short_description: Retrieve facts about Docker volumes
+description:
+  - Performs largely the same function as the C(docker volume inspect) CLI subcommand.
+extends_documentation_fragment:
+  - community.docker._docker.api_documentation
+  - community.docker._attributes
+  - community.docker._attributes.actiongroup_docker
+  - community.docker._attributes.info_module
+  - community.docker._attributes.idempotent_not_modify_state
+
+options:
+  name:
+    description:
+      - Name of the volume to inspect.
+    type: str
+    required: true
+    aliases:
+      - volume_name
+
+author:
+  - Felix Fontein (@felixfontein)
+
+requirements:
+  - "Docker API >= 1.25"
+"""
+
+EXAMPLES = r"""
+---
+- name: Get infos on volume
+  community.docker.docker_volume_info:
+    name: mydata
+  register: result
+
+- name: Does volume exist?
+  ansible.builtin.debug:
+    msg: "The volume {{ 'exists' if result.exists else 'does not exist' }}"
+
+- name: Print information about volume
+  ansible.builtin.debug:
+    var: result.volume
+  when: result.exists
+"""
+
+RETURN = r"""
+exists:
+  description:
+    - Returns whether the volume exists.
+  type: bool
+  returned: always
+  sample: true
+volume:
+  description:
+    - Volume inspection results for the affected volume.
+    - Will be V(none) if volume does not exist.
+  returned: success
+  type: dict
+  sample: '{ "CreatedAt": "2018-12-09T17:43:44+01:00", "Driver": "local", "Labels": null, "Mountpoint": "/var/lib/docker/volumes/ansible-test-bd3f6172/_data",
+    "Name": "ansible-test-bd3f6172", "Options": {}, "Scope": "local" }'
+"""
+
+import traceback
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+    NotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClient,
+    RequestException,
+)
+
+
+def get_existing_volume(
+    client: AnsibleDockerClient, volume_name: str
+) -> dict[str, t.Any] | None:
+    try:
+        return client.get_json("/volumes/{0}", volume_name)
+    except NotFound:
+        return None
+    except Exception as exc:  # pylint: disable=broad-exception-caught
+        client.fail(f"Error inspecting volume: {exc}")
+
+
+def main() -> None:
+    argument_spec = {
+        "name": {"type": "str", "required": True, "aliases": ["volume_name"]},
+    }
+
+    client = AnsibleDockerClient(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    try:
+        volume = get_existing_volume(client, client.module.params["name"])
+
+        client.module.exit_json(
+            changed=False,
+            exists=bool(volume),
+            volume=volume,
+        )
+    except DockerException as e:
+        client.fail(
+            f"An unexpected Docker error occurred: {e}",
+            exception=traceback.format_exc(),
+        )
+    except RequestException as e:
+        client.fail(
+            f"An unexpected requests error occurred when trying to talk to the Docker daemon: {e}",
+            exception=traceback.format_exc(),
+        )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/ansible_collections/community/docker/plugins/plugin_utils/_common.py b/ansible_collections/community/docker/plugins/plugin_utils/_common.py
new file mode 100644
index 00000000..fce415d0
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/plugin_utils/_common.py
@@ -0,0 +1,59 @@
+# Copyright (c) 2019-2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible.errors import AnsibleConnectionFailure
+from ansible.utils.display import Display
+
+from ansible_collections.community.docker.plugins.module_utils._common import (
+    AnsibleDockerClientBase,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DOCKER_COMMON_ARGS,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.plugins import AnsiblePlugin
+
+
+class AnsibleDockerClient(AnsibleDockerClientBase):
+    def __init__(
+        self,
+        plugin: AnsiblePlugin,
+        min_docker_version: str | None = None,
+        min_docker_api_version: str | None = None,
+    ) -> None:
+        self.plugin = plugin
+        self.display = Display()
+        super().__init__(
+            min_docker_version=min_docker_version,
+            min_docker_api_version=min_docker_api_version,
+        )
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        if kwargs:
+            msg += "\nContext:\n" + "\n".join(
+                f"  {k} = {v!r}" for (k, v) in kwargs.items()
+            )
+        raise AnsibleConnectionFailure(msg)
+
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        self.display.deprecated(
+            msg, version=version, date=date, collection_name=collection_name
+        )
+
+    def _get_params(self) -> dict[str, t.Any]:
+        return {option: self.plugin.get_option(option) for option in DOCKER_COMMON_ARGS}
diff --git a/ansible_collections/community/docker/plugins/plugin_utils/_common_api.py b/ansible_collections/community/docker/plugins/plugin_utils/_common_api.py
new file mode 100644
index 00000000..b073618d
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/plugin_utils/_common_api.py
@@ -0,0 +1,53 @@
+# Copyright (c) 2019-2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible.errors import AnsibleConnectionFailure
+from ansible.utils.display import Display
+
+from ansible_collections.community.docker.plugins.module_utils._common_api import (
+    AnsibleDockerClientBase,
+)
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    DOCKER_COMMON_ARGS,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.plugins import AnsiblePlugin
+
+
+class AnsibleDockerClient(AnsibleDockerClientBase):
+    def __init__(
+        self, plugin: AnsiblePlugin, min_docker_api_version: str | None = None
+    ) -> None:
+        self.plugin = plugin
+        self.display = Display()
+        super().__init__(min_docker_api_version=min_docker_api_version)
+
+    def fail(self, msg: str, **kwargs: t.Any) -> t.NoReturn:
+        if kwargs:
+            msg += "\nContext:\n" + "\n".join(
+                f"  {k} = {v!r}" for (k, v) in kwargs.items()
+            )
+        raise AnsibleConnectionFailure(msg)
+
+    def deprecate(
+        self,
+        msg: str,
+        version: str | None = None,
+        date: str | None = None,
+        collection_name: str | None = None,
+    ) -> None:
+        self.display.deprecated(
+            msg, version=version, date=date, collection_name=collection_name
+        )
+
+    def _get_params(self) -> dict[str, t.Any]:
+        return {option: self.plugin.get_option(option) for option in DOCKER_COMMON_ARGS}
diff --git a/ansible_collections/community/docker/plugins/plugin_utils/_socket_handler.py b/ansible_collections/community/docker/plugins/plugin_utils/_socket_handler.py
new file mode 100644
index 00000000..ea38679a
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/plugin_utils/_socket_handler.py
@@ -0,0 +1,28 @@
+# Copyright (c) 2019-2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._socket_handler import (
+    DockerSocketHandlerBase,
+)
+
+if t.TYPE_CHECKING:
+    from ansible.utils.display import Display
+
+    from ansible_collections.community.docker.plugins.module_utils._socket_helper import (
+        SocketLike,
+    )
+
+
+class DockerSocketHandler(DockerSocketHandlerBase):
+    def __init__(
+        self, display: Display, sock: SocketLike, container: str | None = None
+    ) -> None:
+        super().__init__(sock, log=lambda msg: display.vvvv(msg, host=container))
diff --git a/ansible_collections/community/docker/plugins/plugin_utils/_unsafe.py b/ansible_collections/community/docker/plugins/plugin_utils/_unsafe.py
new file mode 100644
index 00000000..19b085f8
--- /dev/null
+++ b/ansible_collections/community/docker/plugins/plugin_utils/_unsafe.py
@@ -0,0 +1,43 @@
+# Copyright (c) 2023, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note that this module util is **PRIVATE** to the collection. It can have breaking changes at any time.
+# Do not use this from other collections or standalone plugins/modules!
+
+from __future__ import annotations
+
+import re
+import typing as t
+from collections.abc import Mapping, Set
+
+from ansible.module_utils.common.collections import is_sequence
+from ansible.utils.unsafe_proxy import (
+    AnsibleUnsafe,
+)
+from ansible.utils.unsafe_proxy import wrap_var as _make_unsafe
+
+_RE_TEMPLATE_CHARS = re.compile("[{}]")
+_RE_TEMPLATE_CHARS_BYTES = re.compile(b"[{}]")
+
+
+def make_unsafe(value: t.Any) -> t.Any:
+    if value is None or isinstance(value, AnsibleUnsafe):
+        return value
+
+    if isinstance(value, Mapping):
+        return dict((make_unsafe(key), make_unsafe(val)) for key, val in value.items())
+    if isinstance(value, Set):
+        return set(make_unsafe(elt) for elt in value)
+    if is_sequence(value):
+        return type(value)(make_unsafe(elt) for elt in value)
+    if isinstance(value, bytes):
+        if _RE_TEMPLATE_CHARS_BYTES.search(value):
+            value = _make_unsafe(value)
+        return value
+    if isinstance(value, str):
+        if _RE_TEMPLATE_CHARS.search(value):
+            value = _make_unsafe(value)
+        return value
+
+    return value
diff --git a/ansible_collections/community/docker/ruff.toml b/ansible_collections/community/docker/ruff.toml
new file mode 100644
index 00000000..96fc5024
--- /dev/null
+++ b/ansible_collections/community/docker/ruff.toml
@@ -0,0 +1,37 @@
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+line-length = 160
+
+[lint]
+# https://docs.astral.sh/ruff/rules/
+
+select = ["A", "B", "E", "F", "FA", "FLY", "UP", "SIM"]
+ignore = [
+    # Better keep ignored (for now)
+    "F811",  # Redefinition of unused `xxx` (happens a lot for fixtures in unit tests)
+    "E402",  # Module level import not at top of file
+    "E741",  # Ambiguous variable name
+    "UP012",  # unnecessary-encode-utf8
+    "UP015",  # Unnecessary mode argument
+    "SIM105",  # suppressible-exception
+    "SIM108",  # if-else-block-instead-of-if-exp
+    # To fix later:
+    "B905",  # zip-without-explicit-strict - needs Python 3.10+
+    # To fix:
+    "UP024",  # Replace aliased errors with `OSError`
+]
+
+# Allow fix for all enabled rules (when `--fix`) is provided.
+fixable = ["ALL"]
+unfixable = []
+
+# Allow unused variables when underscore-prefixed or starting with dummy
+dummy-variable-rgx = "^(_|dummy).*$"
+
+[lint.isort]
+known-third-party = [
+    "ansible_collections.community.internal_test_tools",
+    "ansible_collections.community.library_inventory_filtering_v1",
+]
diff --git a/ansible_collections/community/docker/tests/config.yml b/ansible_collections/community/docker/tests/config.yml
new file mode 100644
index 00000000..38590f2e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/config.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# See template for more information:
+# https://github.com/ansible/ansible/blob/devel/test/lib/ansible_test/config/config.yml
+modules:
+  python_requires: default
diff --git a/ansible_collections/community/docker/tests/ee/all.yml b/ansible_collections/community/docker/tests/ee/all.yml
new file mode 100644
index 00000000..de61b68e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/ee/all.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  vars:
+    docker_test_image_alpine: quay.io/ansible/docker-test-containers:alpine3.8
+  tasks:
+    - name: Find all roles
+      ansible.builtin.find:
+        paths:
+          - "{{ (playbook_dir | default('.')) ~ '/roles' }}"
+        file_type: directory
+        depth: 1
+      register: result
+    - name: Include all roles
+      ansible.builtin.include_role:
+        name: "{{ item }}"
+      loop: "{{ result.files | map(attribute='path') | map('regex_replace', '.*/', '') | sort }}"
diff --git a/ansible_collections/community/docker/tests/ee/roles/current_container_facts/tasks/main.yml b/ansible_collections/community/docker/tests/ee/roles/current_container_facts/tasks/main.yml
new file mode 100644
index 00000000..5a78415b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/ee/roles/current_container_facts/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Retrieve information on current container
+  community.docker.current_container_facts:
+  register: result
+
+# The following two tasks are useful if we ever have to debug why this fails.
+
+- name: Print all Ansible facts
+  ansible.builtin.debug:
+    var: ansible_facts
+
+- name: Read some files
+  ansible.builtin.slurp:
+    src: "{{ path }}"
+  loop:
+    - /proc/self/cpuset
+    - /proc/1/cgroup
+    - /proc/1/environ
+  loop_control:
+    loop_var: path
+
+- name: Print facts returned by module
+  ansible.builtin.debug:
+    var: result.ansible_facts
+
+- name: Validate results
+  ansible.builtin.assert:
+    that:
+      - ansible_module_running_in_container
+      - ansible_module_container_type != ''
diff --git a/ansible_collections/community/docker/tests/ee/roles/docker_plain/tasks/main.yml b/ansible_collections/community/docker/tests/ee/roles/docker_plain/tasks/main.yml
new file mode 100644
index 00000000..53890d9f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/ee/roles/docker_plain/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Create random name prefix (for containers, networks, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    cname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+- name: Make sure image is absent
+  community.docker.docker_image:
+    name: "{{ docker_test_image_alpine }}"
+    state: absent
+
+- name: Make sure image is pulled
+  community.docker.docker_image:
+    name: "{{ docker_test_image_alpine }}"
+    source: pull
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname_prefix }}-1"
+    image: "{{ docker_test_image_alpine }}"
+    state: started
+
+- name: Remove container
+  community.docker.docker_container:
+    name: "{{ cname_prefix }}-1"
+    state: absent
+    stop_timeout: 1
+    force_kill: true
diff --git a/ansible_collections/community/docker/tests/ee/roles/docker_stack/tasks/main.yml b/ansible_collections/community/docker/tests/ee/roles/docker_stack/tasks/main.yml
new file mode 100644
index 00000000..5d4d5698
--- /dev/null
+++ b/ansible_collections/community/docker/tests/ee/roles/docker_stack/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Currently the docker_stack* modules are not supported in the EE since we'd need to install the Docker CLI client
diff --git a/ansible_collections/community/docker/tests/images/build.sh b/ansible_collections/community/docker/tests/images/build.sh
new file mode 100755
index 00000000..05301212
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/build.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ ! -e main.go ]; then
+    echo "Must be run in a directory that contains main.go."
+    exit 1
+fi
+
+set -eux
+IMAGE_NAME="${1:-localhost/$(basename "$(pwd)"):latest}"
+podman manifest rm "${IMAGE_NAME}" || true
+podman image rm "${IMAGE_NAME}" || true
+buildah manifest create "${IMAGE_NAME}"
+for ARCH in amd64 arm64 386; do
+    rm -f "main-${ARCH}"
+    GOARCH="${ARCH}" go build -ldflags "-s -w" -o "main-${ARCH}" main.go
+
+    WORKING_CONTAINER="$(buildah from --arch "${ARCH}" scratch)"
+    buildah copy "${WORKING_CONTAINER}" "main-${ARCH}" "/runme"
+    buildah config --entrypoint '["/runme"]' "${WORKING_CONTAINER}"
+    buildah commit --manifest "${IMAGE_NAME}" "${WORKING_CONTAINER}"
+
+    rm -f "main-${ARCH}"
+done
diff --git a/ansible_collections/community/docker/tests/images/copy-images.sh b/ansible_collections/community/docker/tests/images/copy-images.sh
new file mode 100755
index 00000000..704093a4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/copy-images.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+
+# Uncomment the container image to copy, and run this script to copy it.
+
+DESTINATION_REPO=ansible-collections/community.docker
+
+function convert_image {
+  echo "========================================================================================================="
+  local IMAGE_NAME="$1"
+  local DEST_IMAGE="$2"
+  echo "FROM ${IMAGE_NAME}" | podman build --annotation "org.opencontainers.image.source=https://github.com/${DESTINATION_REPO}" -t "ghcr.io/${DESTINATION_REPO}/${DEST_IMAGE}" -
+  podman push "ghcr.io/${DESTINATION_REPO}/${DEST_IMAGE}"
+  podman rmi "${IMAGE_NAME}"
+  podman rmi "ghcr.io/${DESTINATION_REPO}/${DEST_IMAGE}"
+}
+
+# convert_image docker.io/library/registry:2.6.1 docker-distribution:2.6.1
+# convert_image docker.io/library/registry:2.8.3 docker-distribution:2.8.3
+# convert_image docker.io/library/registry:3.0.0 docker-distribution:3.0.0
+convert_image docker.io/library/python:3-alpine docker-python:3-alpine
diff --git a/ansible_collections/community/docker/tests/images/healthcheck/build.sh b/ansible_collections/community/docker/tests/images/healthcheck/build.sh
new file mode 100755
index 00000000..b8f9915d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/healthcheck/build.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ ! -e main.go ]; then
+    echo "Must be run in a directory that contains main.go."
+    exit 1
+fi
+
+PROGRAMS="main is-healthy make-healthy"
+
+set -eux
+IMAGE_NAME="${1:-localhost/$(basename "$(pwd)"):latest}"
+podman manifest rm "${IMAGE_NAME}" || true
+podman image rm "${IMAGE_NAME}" || true
+buildah manifest create "${IMAGE_NAME}"
+for ARCH in amd64 arm64 386; do
+    for PROGRAM in ${PROGRAMS}; do
+        rm -f "${PROGRAM}-${ARCH}"
+        GOARCH="${ARCH}" go build -ldflags "-s -w" -o "${PROGRAM}-${ARCH}" "${PROGRAM}.go"
+    done
+
+    # Need format=docker for health checks to work
+    WORKING_CONTAINER="$(buildah from --arch "${ARCH}" --format docker scratch)"
+    for PROGRAM in ${PROGRAMS}; do
+        buildah copy "${WORKING_CONTAINER}" "${PROGRAM}-${ARCH}" "/${PROGRAM}"
+    done
+    buildah config --entrypoint '["/main"]' "${WORKING_CONTAINER}"
+    buildah config --healthcheck 'CMD /is-healthy' "${WORKING_CONTAINER}"
+    buildah config --healthcheck-interval 1s "${WORKING_CONTAINER}"
+    buildah config --healthcheck-retries 1 "${WORKING_CONTAINER}"
+    buildah config --healthcheck-start-period 10s "${WORKING_CONTAINER}"
+    buildah commit --format docker --manifest "${IMAGE_NAME}" "${WORKING_CONTAINER}"
+
+    for PROGRAM in ${PROGRAMS}; do
+        rm -f "${PROGRAM}-${ARCH}"
+    done
+done
diff --git a/ansible_collections/community/docker/tests/images/healthcheck/is-healthy.go b/ansible_collections/community/docker/tests/images/healthcheck/is-healthy.go
new file mode 100644
index 00000000..2b4069c8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/healthcheck/is-healthy.go
@@ -0,0 +1,35 @@
+/*
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+)
+
+func main() {
+	data, err := os.ReadFile("/health.txt")
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error while reading health status: %s\n", err)
+		os.Exit(1)
+	}
+	if bytes.Equal(data, []byte("healthy")) {
+		fmt.Fprintf(os.Stdout, "Healthy.\n")
+		os.Exit(0)
+	}
+	if bytes.Equal(data, []byte("unhealthy")) {
+		fmt.Fprintf(os.Stdout, "Unhealthy!\n")
+		os.Exit(1)
+	}
+	if bytes.Equal(data, []byte("starting")) {
+		fmt.Fprintf(os.Stdout, "Starting...\n")
+		os.Exit(1)
+	}
+	fmt.Fprintf(os.Stderr, "Unknown health status: %s\n", data)
+	os.Exit(1)
+}
diff --git a/ansible_collections/community/docker/tests/images/healthcheck/main.go b/ansible_collections/community/docker/tests/images/healthcheck/main.go
new file mode 100644
index 00000000..9d62b1b7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/healthcheck/main.go
@@ -0,0 +1,51 @@
+/*
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+)
+
+func main() {
+	os.WriteFile("health.txt", []byte("starting"), 0644)
+	if len(os.Args) > 3 || len(os.Args) < 2 {
+		fmt.Fprintf(os.Stderr, "%s must have 1 or 2 arguments, not %d arguments\n", os.Args[0], len(os.Args))
+		os.Exit(1)
+	}
+	runtimeDelay, err := time.ParseDuration(os.Args[1])
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot parse runtime duration: %s\n", err)
+		os.Exit(1)
+	}
+	if runtimeDelay.Microseconds() <= 0 {
+		fmt.Fprintf(os.Stderr, "Delay must be positive!\n")
+		os.Exit(1)
+	}
+	var healthyDelay time.Duration
+	if len(os.Args) == 3 {
+		healthyDelay, err = time.ParseDuration(os.Args[2])
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot parse healthy delay: %s\n", err)
+			os.Exit(1)
+		}
+		if healthyDelay.Microseconds() <= 0 {
+			fmt.Fprintf(os.Stderr, "Healthy delay must not be negative!\n")
+			os.Exit(1)
+		}
+	}
+	if healthyDelay.Microseconds() > 0 {
+		fmt.Fprintf(os.Stderr, "Waiting %s until setting to healthy...\n", healthyDelay)
+		time.Sleep(healthyDelay)
+		os.WriteFile("/health.txt", []byte("healthy"), 0644)
+		fmt.Fprintf(os.Stderr, "Set state to healthy.\n")
+	}
+	fmt.Fprintf(os.Stderr, "Waiting %s until quitting...\n", runtimeDelay)
+	time.Sleep(runtimeDelay)
+	fmt.Fprintf(os.Stderr, "Goodbye.\n")
+}
diff --git a/ansible_collections/community/docker/tests/images/healthcheck/make-healthy.go b/ansible_collections/community/docker/tests/images/healthcheck/make-healthy.go
new file mode 100644
index 00000000..fdece9e1
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/healthcheck/make-healthy.go
@@ -0,0 +1,35 @@
+/*
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+)
+
+func main() {
+	healthy := true
+	if len(os.Args) > 2 {
+		fmt.Fprintf(os.Stderr, "%s must have 0 or 1 argument, not %d arguments\n", os.Args[0], len(os.Args))
+		os.Exit(1)
+	} else if len(os.Args) == 2 {
+		var err error
+		healthy, err = strconv.ParseBool(os.Args[1])
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot parse boolean: %s\n", err)
+			os.Exit(1)
+		}
+	}
+	var state []byte
+	if healthy {
+		state = []byte("healthy")
+	} else {
+		state = []byte("unhealthy")
+	}
+	os.WriteFile("/health.txt", state, 0644)
+}
diff --git a/ansible_collections/community/docker/tests/images/simple-1/build.sh b/ansible_collections/community/docker/tests/images/simple-1/build.sh
new file mode 120000
index 00000000..669ce2a6
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/simple-1/build.sh
@@ -0,0 +1 @@
+../build.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/images/simple-1/main.go b/ansible_collections/community/docker/tests/images/simple-1/main.go
new file mode 100644
index 00000000..8af90a11
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/simple-1/main.go
@@ -0,0 +1,34 @@
+/*
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+)
+
+func main() {
+	var delay time.Duration
+	if len(os.Args) > 2 {
+		fmt.Fprintf(os.Stderr, "%s must have 0 or 1 argument, not %d arguments\n", os.Args[0], len(os.Args))
+		os.Exit(1)
+	} else if len(os.Args) == 2 {
+		var err error
+		delay, err = time.ParseDuration(os.Args[1])
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot parse delay duration: %s\n", err)
+			os.Exit(1)
+		}
+		if delay.Microseconds() < 0 {
+			fmt.Fprintf(os.Stderr, "Delay must not be negative!\n")
+			os.Exit(1)
+		}
+	}
+	fmt.Println("Hello!")
+	time.Sleep(delay)
+}
diff --git a/ansible_collections/community/docker/tests/images/simple-2/build.sh b/ansible_collections/community/docker/tests/images/simple-2/build.sh
new file mode 120000
index 00000000..669ce2a6
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/simple-2/build.sh
@@ -0,0 +1 @@
+../build.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/images/simple-2/main.go b/ansible_collections/community/docker/tests/images/simple-2/main.go
new file mode 100644
index 00000000..d505090b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/images/simple-2/main.go
@@ -0,0 +1,34 @@
+/*
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"time"
+)
+
+func main() {
+	var delay time.Duration
+	if len(os.Args) > 2 {
+		fmt.Fprintf(os.Stderr, "%s must have 0 or 1 argument, not %d arguments\n", os.Args[0], len(os.Args))
+		os.Exit(1)
+	} else if len(os.Args) == 2 {
+		var err error
+		delay, err = time.ParseDuration(os.Args[1])
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot parse delay duration: %s\n", err)
+			os.Exit(1)
+		}
+		if delay.Microseconds() < 0 {
+			fmt.Fprintf(os.Stderr, "Delay must not be negative!\n")
+			os.Exit(1)
+		}
+	}
+	fmt.Println("World!")
+	time.Sleep(delay)
+}
diff --git a/ansible_collections/community/docker/tests/integration/requirements.yml b/ansible_collections/community/docker/tests/integration/requirements.yml
new file mode 100644
index 00000000..0baadf34
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/requirements.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+collections:
+  - ansible.posix
+  - community.crypto
+  - community.general
+  - community.internal_test_tools
+  - community.library_inventory_filtering_v1
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection/aliases b/ansible_collections/community/docker/tests/integration/targets/connection/aliases
new file mode 100644
index 00000000..a02a2d61
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+hidden
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection/test.sh b/ansible_collections/community/docker/tests/integration/targets/connection/test.sh
new file mode 100755
index 00000000..793a85dd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection/test.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+[ -f "${INVENTORY}" ]
+
+# Run connection tests with both the default and C locale.
+
+ansible-playbook test_connection.yml -i "${INVENTORY}" "$@"
+
+if ansible --version | grep ansible | grep -E ' 2\.(9|10|11|12|13)\.'; then
+    LC_ALL=C LANG=C ansible-playbook test_connection.yml -i "${INVENTORY}" "$@"
+fi
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection/test_connection.yml b/ansible_collections/community/docker/tests/integration/targets/connection/test_connection.yml
new file mode 100644
index 00000000..b6327f8c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection/test_connection.yml
@@ -0,0 +1,48 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: "{{ target_hosts }}"  # noqa: syntax-check[specific]
+  gather_facts: false
+  serial: 1
+  tasks:
+
+    ### raw with unicode arg and output
+
+    - name: raw with unicode arg and output
+      raw: echo 汉语
+      register: command
+    - name: check output of raw with unicode arg and output
+      assert:
+        that:
+          - "'汉语' in command.stdout"
+          - command is changed # as of 2.2, raw should default to changed: true for consistency w/ shell/command/script modules
+
+    ### copy local file with unicode filename and content
+
+    - name: create local file with unicode filename and content
+      local_action: lineinfile dest={{ local_tmp }}-汉语/汉语.txt create=true line=汉语
+    - name: remove remote file with unicode filename and content
+      action: "{{ action_prefix }}file path={{ remote_tmp }}-汉语/汉语.txt state=absent"
+    - name: create remote directory with unicode name
+      action: "{{ action_prefix }}file path={{ remote_tmp }}-汉语 state=directory"
+    - name: copy local file with unicode filename and content
+      action: "{{ action_prefix }}copy src={{ local_tmp }}-汉语/汉语.txt dest={{ remote_tmp }}-汉语/汉语.txt"
+
+    ### fetch remote file with unicode filename and content
+
+    - name: remove local file with unicode filename and content
+      local_action: file path={{ local_tmp }}-汉语/汉语.txt state=absent
+    - name: fetch remote file with unicode filename and content
+      fetch: src={{ remote_tmp }}-汉语/汉语.txt dest={{ local_tmp }}-汉语/汉语.txt fail_on_missing=true validate_checksum=true flat=true
+
+    ### remove local and remote temp files
+
+    - name: remove local temp file
+      local_action: file path={{ local_tmp }}-汉语 state=absent
+    - name: remove remote temp file
+      action: "{{ action_prefix }}file path={{ remote_tmp }}-汉语 state=absent"
+
+    ### test wait_for_connection plugin
+    - ansible.builtin.wait_for_connection:
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/aliases b/ansible_collections/community/docker/tests/integration/targets/connection_docker/aliases
new file mode 100644
index 00000000..bc79a015
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+skip/docker  # coverage does not work if we're inside a docker container, since we cannot access this container's /tmp dir from the new container; also privileged doesn't work
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker/meta/main.yml
new file mode 100644
index 00000000..5769ff1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme-connection.sh b/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme-connection.sh
new file mode 120000
index 00000000..70aa5dbd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme-connection.sh
@@ -0,0 +1 @@
+../connection_posix/test.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme.sh b/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme.sh
new file mode 100755
index 00000000..3cd6bddb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/runme.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# If you use another image, you possibly also need to adjust
+# ansible_python_interpreter in test_connection.inventory.
+source ../setup_docker/vars/main.env
+IMAGE="${DOCKER_TEST_IMAGE_PYTHON3}"
+
+# Setup phase
+
+echo "Setup"
+ANSIBLE_ROLES_PATH=.. ansible-playbook setup.yml
+
+# If docker wasn't installed, don't run the tests
+if [ "$(command -v docker)" == "" ]; then
+    exit
+fi
+
+
+# Test phase
+
+CONTAINER_SUFFIX=-${RANDOM}
+
+DOCKER_CONTAINERS="docker-connection-test-container${CONTAINER_SUFFIX}"
+
+[[ -n "$DEBUG" || -n "$ANSIBLE_DEBUG" ]] && set -x
+
+set -euo pipefail
+
+cleanup() {
+    echo "Cleanup"
+    docker rm -f ${DOCKER_CONTAINERS}
+    echo "Shutdown"
+    ANSIBLE_ROLES_PATH=.. ansible-playbook shutdown.yml
+    echo "Done"
+}
+
+trap cleanup INT TERM EXIT
+
+echo "Start containers"
+for CONTAINER in ${DOCKER_CONTAINERS}; do
+    if [ "${ANSIBLE_TEST_COVERAGE:-}" == "" ]; then
+        docker run --rm --name "${CONTAINER}" --detach "${IMAGE}" /bin/sh -c 'sleep 10m'
+    else
+        docker run --rm --name "${CONTAINER}" --detach -v /tmp:/tmp "${IMAGE}" /bin/sh -c 'sleep 10m'
+        docker exec "${CONTAINER}" pip3 install coverage
+    fi
+    echo "${CONTAINER}"
+done
+
+cat > test_connection.inventory << EOF
+[docker]
+docker-no-pipelining ansible_pipelining=false
+docker-pipelining    ansible_pipelining=true
+docker-working-dir   ansible_docker_working_dir=/home
+docker-privileged    ansible_docker_privileged=true
+
+[docker:vars]
+ansible_host=docker-connection-test-container${CONTAINER_SUFFIX}
+ansible_connection=community.docker.docker
+ansible_python_interpreter=/usr/local/bin/python3
+EOF
+
+echo "Run tests"
+./runme-connection.sh "$@"
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/setup.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker/setup.yml
new file mode 100644
index 00000000..e18c2554
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/setup.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Setup docker
+      import_role:
+        name: setup_docker  # noqa: syntax-check[specific]
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker/shutdown.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker/shutdown.yml
new file mode 100644
index 00000000..122cf059
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker/shutdown.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Remove docker packages
+      action: "{{ ansible_facts.pkg_mgr }}"
+      args:
+        name:
+          - docker
+          - docker-ce
+          - docker-ce-cli
+        state: absent
+      when: not docker_skip_cleanup
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/aliases b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/aliases
new file mode 100644
index 00000000..bc79a015
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+skip/docker  # coverage does not work if we're inside a docker container, since we cannot access this container's /tmp dir from the new container; also privileged doesn't work
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme-connection.sh b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme-connection.sh
new file mode 120000
index 00000000..70aa5dbd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme-connection.sh
@@ -0,0 +1 @@
+../connection_posix/test.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme.sh b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme.sh
new file mode 100755
index 00000000..186e1e5c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/runme.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# If you use another image, you possibly also need to adjust
+# ansible_python_interpreter in test_connection.inventory.
+source ../setup_docker/vars/main.env
+IMAGE="${DOCKER_TEST_IMAGE_PYTHON3}"
+
+# Setup phase
+
+echo "Setup"
+ANSIBLE_ROLES_PATH=.. ansible-playbook setup.yml
+
+# If docker wasn't installed, don't run the tests
+if [ "$(command -v docker)" == "" ]; then
+    exit
+fi
+
+
+# Test phase
+
+CONTAINER_SUFFIX=-${RANDOM}
+
+DOCKER_CONTAINERS="docker-connection-test-container${CONTAINER_SUFFIX}"
+
+[[ -n "$DEBUG" || -n "$ANSIBLE_DEBUG" ]] && set -x
+
+set -euo pipefail
+
+cleanup() {
+    echo "Cleanup"
+    docker rm -f ${DOCKER_CONTAINERS}
+    echo "Shutdown"
+    ANSIBLE_ROLES_PATH=.. ansible-playbook shutdown.yml
+    echo "Done"
+}
+
+trap cleanup INT TERM EXIT
+
+echo "Start containers"
+for CONTAINER in ${DOCKER_CONTAINERS}; do
+    if [ "${ANSIBLE_TEST_COVERAGE:-}" == "" ]; then
+        docker run --rm --name "${CONTAINER}" --detach "${IMAGE}" /bin/sh -c 'sleep 10m'
+    else
+        docker run --rm --name "${CONTAINER}" --detach -v /tmp:/tmp "${IMAGE}" /bin/sh -c 'sleep 10m'
+        docker exec "${CONTAINER}" pip3 install coverage
+    fi
+    echo "${CONTAINER}"
+done
+
+cat > test_connection.inventory << EOF
+[docker_api]
+docker_api-no-pipelining ansible_pipelining=false
+docker_api-pipelining    ansible_pipelining=true
+docker_api-working-dir   ansible_docker_working_dir=/home
+docker_api-privileged    ansible_docker_privileged=true
+
+[docker_api:vars]
+ansible_host=docker-connection-test-container${CONTAINER_SUFFIX}
+ansible_connection=community.docker.docker_api
+ansible_python_interpreter=/usr/local/bin/python3
+EOF
+
+echo "Run tests"
+./runme-connection.sh "$@"
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/setup.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/setup.yml
new file mode 100644
index 00000000..2de0d882
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/setup.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Setup docker
+      import_role:
+        name: setup_docker  # noqa: syntax-check[specific]
+
+    - name: Setup docker Python deps
+      import_role:
+        name: setup_docker_python_deps  # noqa: syntax-check[specific]
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/shutdown.yml b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/shutdown.yml
new file mode 100644
index 00000000..122cf059
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_docker_api/shutdown.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Remove docker packages
+      action: "{{ ansible_facts.pkg_mgr }}"
+      args:
+        name:
+          - docker
+          - docker-ce
+          - docker-ce-cli
+        state: absent
+      when: not docker_skip_cleanup
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/aliases b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/aliases
new file mode 100644
index 00000000..40067d9d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/aliases
@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/5
+skip/docker  # this requires unfettered access to the container host
+skip/rhel7.9  # nsenter does not work out of the box
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/meta/main.yml
new file mode 100644
index 00000000..5769ff1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme-connection.sh b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme-connection.sh
new file mode 120000
index 00000000..70aa5dbd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme-connection.sh
@@ -0,0 +1 @@
+../connection_posix/test.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme.sh b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme.sh
new file mode 100755
index 00000000..5a2a84c3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/runme.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -euo pipefail
+
+[[ -n "${DEBUG:-}" || -n "${ANSIBLE_DEBUG:-}" ]] && set -x
+
+readonly IMAGE="quay.io/ansible/ansible-runner:devel"
+# shellcheck disable=SC2155
+readonly PYTHON="$(command -v python3 python | head -n1)"
+
+# Determine collection root
+COLLECTION_ROOT=./
+while true; do
+    if [ -e ${COLLECTION_ROOT}galaxy.yml ] || [ -e ${COLLECTION_ROOT}MANIFEST.json ]; then
+        break
+    fi
+    COLLECTION_ROOT="${COLLECTION_ROOT}../"
+done
+# shellcheck disable=SC2155
+readonly COLLECTION_ROOT="$(cd ${COLLECTION_ROOT} ; pwd)"
+
+# Setup phase
+echo "Setup"
+ANSIBLE_ROLES_PATH=.. ansible-playbook setup.yml
+
+# If docker wasn't installed, don't run the tests
+if [ "$(command -v docker)" == "" ]; then
+    exit
+fi
+
+cleanup() {
+    echo "Cleanup"
+    echo "Shutdown"
+    ANSIBLE_ROLES_PATH=.. ansible-playbook shutdown.yml
+    echo "Done"
+}
+
+envs=(--env "HOME=${HOME:-}")
+while IFS=$'\0' read -d '' -r line; do
+    key="$(echo "$line" | cut -d= -f1)"
+    value="$(echo "$line" | cut -d= -f2-)"
+    if [[ "${key}" =~ ^(ANSIBLE_|JUNIT_OUTPUT_DIR$|OUTPUT_DIR$|PYTHONPATH$) ]]; then
+        envs+=(--env "${key}=${value}")
+    fi
+done < <(printenv -0)
+
+# Test phase
+cat > test_connection.inventory << EOF
+[nsenter]
+nsenter-no-pipelining ansible_pipelining=false
+nsenter-pipelining    ansible_pipelining=true
+
+[nsenter:vars]
+ansible_host=localhost
+ansible_connection=community.docker.nsenter
+ansible_host_volume_mount=/host
+ansible_nsenter_pid=1
+ansible_python_interpreter=${PYTHON}
+EOF
+
+echo "Run tests"
+set -x
+docker run \
+    -i \
+    --rm \
+    --privileged \
+    --pid host \
+    "${envs[@]}" \
+    --volume "${COLLECTION_ROOT}:${COLLECTION_ROOT}" \
+    --workdir "$(pwd)" \
+    "${IMAGE}" \
+    ./runme-connection.sh "$@"
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/setup.yml b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/setup.yml
new file mode 100644
index 00000000..e18c2554
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/setup.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Setup docker
+      import_role:
+        name: setup_docker  # noqa: syntax-check[specific]
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/shutdown.yml b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/shutdown.yml
new file mode 100644
index 00000000..122cf059
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_nsenter/shutdown.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Remove docker packages
+      action: "{{ ansible_facts.pkg_mgr }}"
+      args:
+        name:
+          - docker
+          - docker-ce
+          - docker-ce-cli
+        state: absent
+      when: not docker_skip_cleanup
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_posix/aliases b/ansible_collections/community/docker/tests/integration/targets/connection_posix/aliases
new file mode 100644
index 00000000..44561e2f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_posix/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/connection
+hidden
diff --git a/ansible_collections/community/docker/tests/integration/targets/connection_posix/test.sh b/ansible_collections/community/docker/tests/integration/targets/connection_posix/test.sh
new file mode 100755
index 00000000..f374af7f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/connection_posix/test.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+# Connection tests for POSIX platforms use this script by linking to it from the appropriate 'connection_' target dir.
+# The name of the inventory group to test is extracted from the directory name following the 'connection_' prefix.
+
+PYTHON="$(command -v python3 python | head -n1)"
+
+group=$(${PYTHON} -c \
+    "from os import path; print(path.basename(path.abspath(path.dirname('$0'))).replace('connection_', ''))")
+
+cd ../connection
+
+INVENTORY="../connection_${group}/test_connection.inventory" ./test.sh \
+    -e target_hosts="${group}" \
+    -e action_prefix= \
+    -e local_tmp=/tmp/ansible-local \
+    -e remote_tmp=/tmp/ansible-remote \
+    "$@"
diff --git a/ansible_collections/community/docker/tests/integration/targets/current_container_facts/aliases b/ansible_collections/community/docker/tests/integration/targets/current_container_facts/aliases
new file mode 100644
index 00000000..8577a295
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/current_container_facts/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+skip/rhel
diff --git a/ansible_collections/community/docker/tests/integration/targets/current_container_facts/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/current_container_facts/tasks/main.yml
new file mode 100644
index 00000000..4ab6bfcd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/current_container_facts/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Get facts
+  community.docker.current_container_facts:
+  register: result
+
+  # WARNING: This is not a proper test as it won't fail when the module does not work!
+  #          To make this a proper test, we need to know the environment in which this
+  #          test runs, which we do not know in general...
+
+- name: Print facts
+  ansible.builtin.debug:
+    var: result.ansible_facts
+
+- name: Read files
+  ansible.builtin.slurp:
+    src: '{{ item }}'
+  loop:
+    - /proc/self/cgroup
+    - /proc/self/cpuset
+    - /proc/self/mountinfo
+  register: slurp
+  ignore_errors: true
+
+- name: Print files
+  ansible.builtin.debug:
+    msg: |-
+      {{ item.content | ansible.builtin.b64decode | split('
+      ') }}
+  loop: '{{ slurp.results }}'
+  loop_control:
+    label: '{{ item.source | default(item.item) }}'
+  when: item is not failed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/meta/main.yml
new file mode 100644
index 00000000..aefcf50f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_cli_compose
+  # The Python dependencies are needed for the other modules
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/main.yml
new file mode 100644
index 00000000..ebcad6fa
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Create random name prefix (for services, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    dnetworks: []
+    images: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+# Run the tests
+- block:
+    - name: Show docker compose --help output
+      ansible.builtin.command: docker compose --help
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      loop: "{{ cnames }}"
+      diff: false
+
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      loop: "{{ dnetworks }}"
+      diff: false
+
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      loop: "{{ images }}"
+      diff: false
+
+  when: docker_has_compose and docker_compose_version is version('2.18.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/build.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/build.yml
new file mode 100644
index 00000000..2844f5e7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/build.yml
@@ -0,0 +1,143 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-build"
+    cname: "{{ name_prefix }}-container"
+    iname: "{{ name_prefix }}-image"
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service: |
+      services:
+        {{ cname }}:
+          build: ./build
+          image: "{{ iname }}"
+          pull_policy: never
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+        images: "{{ images + [iname] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ item }}'
+        state: directory
+      loop:
+        - '{{ project_src }}'
+        - '{{ project_src }}/build'
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - name: Template Dockerfile
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/build/Dockerfile'
+        content: |
+          FROM {{ docker_test_image_alpine }}
+          ENTRYPOINT ["/bin/sh", "-c", "sleep 10m"]
+
+    - name: Present (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_1_check
+
+    - name: Present
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_1
+
+    - name: Present (idempotent check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_2_check
+
+    - name: Present (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_2
+
+    - name: Present (idempotent check, build=always, ignore_build_events=false)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        build: always
+        ignore_build_events: false
+      check_mode: true
+      register: present_3_check
+
+    - name: Present (idempotent, build=always, ignore_build_events=false)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        build: always
+        ignore_build_events: false
+      register: present_3
+
+    - name: Present (idempotent check, build=always, ignore_build_events=true)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        build: always
+        ignore_build_events: true
+      check_mode: true
+      register: present_4_check
+
+    - name: Present (idempotent, build=always, ignore_build_events=true)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        build: always
+        ignore_build_events: true
+      register: present_4
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - present_1.containers | length == 1
+          - present_1.containers[0].Name == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.images | length == 1
+          - >-
+            docker_compose_version is version('2.37.0', '>=') or
+            present_1.images[0].ContainerName == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.images[0].Repository == iname
+          - present_1.images[0].Tag == "latest"
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          # - present_3_check is changed   -- whether this is true depends on a combination of Docker CLI and Docker Compose version...
+          # Compose 2.37.3 with Docker 28.2.x results in 'changed', while Compose 2.37.3 with Docker 28.3.0 results in 'not changed'.
+          # It seems that Docker is now clever enough to notice that nothing is rebuilt...
+          # With Docker 29.0.0, the behvaior seems to change again... I'm currently tending to simply ignore this check, for that
+          # reason the next three lines are commented out:
+          # - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          # - ((present_3 is changed) if docker_compose_version is version('2.31.0', '>=') and docker_compose_version is version('2.32.2', '<') else (present_3 is not changed))
+          # - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          # Same as above:
+          # - present_4_check is changed
+          - present_4_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          # Also seems like a hopeless case with Docker 29:
+          # - present_4 is not changed
+          - present_4.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+  always:
+    - name: Cleanup
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/container-exit.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/container-exit.yml
new file mode 100644
index 00000000..3eeb32e5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/container-exit.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-exit"
+    cname: "{{ name_prefix }}-container"
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "exit 0"'
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - name: Present (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        wait: true
+      check_mode: true
+      register: present_1_check
+
+    - name: Present
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        wait: true
+      register: present_1
+      ignore_errors: true
+
+    - name: Cleanup
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is failed
+          - present_1.containers | length == 1
+          - present_1.containers[0].Name == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.containers[0].Image == docker_test_image_alpine
+          - present_1.containers[0].State == 'exited'
+          - present_1.containers[0].ExitCode == 0
+          - present_1.images | length == 1
+          - >-
+            docker_compose_version is version('2.37.0', '>=') or
+            present_1.images[0].ContainerName == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.images[0].Repository == (docker_test_image_alpine | split(':') | first)
+          - present_1.images[0].Tag == (docker_test_image_alpine | split(':') | last)
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - >-
+            ("container " ~ pname ~ '-' ~ cname ~ "-1 exited (0)") in present_1.msg
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/definition.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/definition.yml
new file mode 100644
index 00000000..807d8d2a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/definition.yml
@@ -0,0 +1,290 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-definition"
+    cname: "{{ name_prefix }}-container"
+    test_service: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 10m"'
+          stop_grace_period: 1s
+    test_service_mod: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 15m"'
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+####################################################################
+## Present #########################################################
+####################################################################
+
+    - name: Present (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      check_mode: true
+      register: present_1_check
+
+    - name: Present
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      register: present_1
+
+    - name: Present (idempotent check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      check_mode: true
+      register: present_2_check
+
+    - name: Present (idempotent)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      register: present_2
+
+    - name: Present (changed check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: present
+      check_mode: true
+      register: present_3_check
+
+    - name: Present (changed)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: present
+      register: present_3
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - present_1.containers | length == 1
+          - present_1.containers[0].Name == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.containers[0].Image == docker_test_image_alpine
+          - present_1.images | length == 1
+          - >-
+            docker_compose_version is version('2.37.0', '>=') or
+            present_1.images[0].ContainerName == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.images[0].Repository == (docker_test_image_alpine | split(':') | first)
+          - present_1.images[0].Tag == (docker_test_image_alpine | split(':') | last)
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3_check is changed
+          - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3 is changed
+          - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+####################################################################
+## Absent ##########################################################
+####################################################################
+
+    - name: Absent (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: absent
+      check_mode: true
+      register: absent_1_check
+
+    - name: Absent
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: absent
+      register: absent_1
+
+    - name: Absent (idempotent check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: absent
+      check_mode: true
+      register: absent_2_check
+
+    - name: Absent (idempotent)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service_mod | from_yaml }}'
+        state: absent
+      register: absent_2
+
+    - ansible.builtin.assert:
+        that:
+          - absent_1_check is changed
+          - absent_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_1 is changed
+          - absent_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_2_check is not changed
+          - absent_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_2 is not changed
+          - absent_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+####################################################################
+## Stopping and starting ###########################################
+####################################################################
+
+    - name: Present stopped (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      check_mode: true
+      register: present_1_check
+
+    - name: Present stopped
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      register: present_1
+
+    - name: Present stopped (idempotent check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      check_mode: true
+      register: present_2_check
+
+    - name: Present stopped (idempotent)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      register: present_2
+
+    - name: Started (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      check_mode: true
+      register: present_3_check
+
+    - name: Started
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      register: present_3
+
+    - name: Started (idempotent check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      check_mode: true
+      register: present_4_check
+
+    - name: Started (idempotent)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: present
+      register: present_4
+
+    - name: Restarted (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: restarted
+      check_mode: true
+      register: present_5_check
+
+    - name: Restarted
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: restarted
+      register: present_5
+
+    - name: Stopped (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      check_mode: true
+      register: present_6_check
+
+    - name: Stopped
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: stopped
+      register: present_6
+
+    - name: Restarted (check)
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: restarted
+      check_mode: true
+      register: present_7_check
+
+    - name: Restarted
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: restarted
+      register: present_7
+
+    - name: Cleanup
+      community.docker.docker_compose_v2:
+        project_name: '{{ pname }}'
+        definition: '{{ test_service | from_yaml }}'
+        state: absent
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3_check is changed
+          - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3 is changed
+          - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4_check is not changed
+          - present_4_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4 is not changed
+          - present_4.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5_check is changed
+          - present_5_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5 is changed
+          - present_5.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_6_check is changed
+          - present_6_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_6 is changed
+          - present_6.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_7_check is changed
+          - present_7_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_7 is changed
+          - present_7.warnings | default([]) | select('regex', ' please report this at ') | length == 0
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/pull.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/pull.yml
new file mode 100644
index 00000000..dfa330e8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/pull.yml
@@ -0,0 +1,226 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-pull"
+    cname: "{{ name_prefix }}-cont"
+    non_existing_image: does-not-exist:latest
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service_non_existing: |
+      services:
+        {{ cname }}:
+          image: {{ non_existing_image }}
+    test_service_simple: |
+      services:
+        {{ cname }}:
+          image: {{ docker_test_image_simple_1 }}
+          command: 10m
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+    - name: Make sure images are not around
+      community.docker.docker_image_remove:
+        name: '{{ item }}'
+      loop:
+        - '{{ non_existing_image }}'
+        - '{{ docker_test_image_simple_1 }}'
+
+####################################################################
+## Missing image ###################################################
+####################################################################
+
+    - name: Template project file with non-existing image
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service_non_existing }}'
+
+    - name: Present with pull=never (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: never
+      check_mode: true
+      register: present_1_check
+      ignore_errors: true
+
+    - name: Present with pull=never
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: never
+      register: present_1
+      ignore_errors: true
+
+    - name: Present without explicit pull (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_2_check
+      ignore_errors: true
+
+    - name: Present without explicit pull
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_2
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is failed or present_1_check is changed
+          - present_1_check is changed or 'General error:' in present_1_check.msg
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is failed
+          - >-
+            'General error:' in present_1.msg
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is failed
+          - present_2_check.msg.startswith('Error when processing ' ~ cname ~ ':') or
+            present_2_check.msg.startswith('Error when processing image ' ~ non_existing_image ~ ':')
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is failed
+          - present_2.msg.startswith('Error when processing ' ~ cname ~ ':') or
+            present_2.msg.startswith('Error when processing image ' ~ non_existing_image ~ ':')
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+####################################################################
+## Regular image ###################################################
+####################################################################
+
+    - name: Template project file with simple image
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service_simple }}'
+
+    - name: Present with pull=missing (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      check_mode: true
+      register: present_1_check
+
+    - name: Present with pull=missing
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      register: present_1
+
+    - name: Present with pull=missing (idempotent, check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      check_mode: true
+      register: present_2_check
+
+    - name: Present with pull=missing (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      register: present_2
+
+    - name: Present with pull=always (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: always
+      check_mode: true
+      register: present_3_check
+
+    - name: Present with pull=always
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: always
+      register: present_3
+
+    - name: Stopping service
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+
+    - name: Present with pull=never (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      check_mode: true
+      register: present_4_check
+
+    - name: Present with pull=never
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      register: present_4
+
+    - name: Present with pull=never (idempotent, check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      check_mode: true
+      register: present_5_check
+
+    - name: Present with pull=never (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        pull: missing
+      register: present_5
+
+    - name: Cleanup
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - (present_1_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+          - (present_1_check.actions | selectattr('status', 'eq', 'Creating') | first) is truthy
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - (present_1.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+          - (present_1.actions | selectattr('status', 'eq', 'Creating') | first) is truthy
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3_check is changed
+          - (present_3_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+          - present_3_check.actions | selectattr('status', 'eq', 'Creating') | length == 0
+          - present_3_check.actions | selectattr('status', 'eq', 'Recreating') | length == 0
+          - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3 is not changed
+          - (present_3.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+          - present_3.actions | selectattr('status', 'eq', 'Creating') | length == 0
+          - present_3.actions | selectattr('status', 'eq', 'Recreating') | length == 0
+          - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4_check is changed
+          - present_4_check.actions | selectattr('status', 'eq', 'Pulling') | length == 0
+          - present_4_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4 is changed
+          - present_4.actions | selectattr('status', 'eq', 'Pulling') | length == 0
+          - present_4.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5_check is not changed
+          - present_5_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5 is not changed
+          - present_5.warnings | default([]) | select('regex', ' please report this at ') | length == 0
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/start-stop.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/start-stop.yml
new file mode 100644
index 00000000..3b04ccc5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2/tasks/tests/start-stop.yml
@@ -0,0 +1,293 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-start-stop"
+    cname: "{{ name_prefix }}-container"
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 10m"'
+          stop_grace_period: 1s
+    test_service_mod: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 15m"'
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+####################################################################
+## Present #########################################################
+####################################################################
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - name: Present (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_1_check
+
+    - name: Present
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_1
+
+    - name: Present (idempotent check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_2_check
+
+    - name: Present (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_2
+
+    - name: Template modified project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service_mod }}'
+
+    - name: Present (changed check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_3_check
+
+    - name: Present (changed)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_3
+
+    - name: Present with --yes
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+        assume_yes: true
+      when: docker_compose_version is version('2.32.0', '>=')
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - present_1.containers | length == 1
+          - present_1.containers[0].Name == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.containers[0].Image == docker_test_image_alpine
+          - present_1.images | length == 1
+          - >-
+            docker_compose_version is version('2.37.0', '>=') or
+            present_1.images[0].ContainerName == (pname ~ '-' ~ cname ~ '-1')
+          - present_1.images[0].Repository == (docker_test_image_alpine | split(':') | first)
+          - present_1.images[0].Tag == (docker_test_image_alpine | split(':') | last)
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3_check is changed
+          - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3 is changed
+          - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+####################################################################
+## Absent ##########################################################
+####################################################################
+
+    - name: Absent (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+      check_mode: true
+      register: absent_1_check
+
+    - name: Absent
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+      register: absent_1
+
+    - name: Absent (idempotent check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+      check_mode: true
+      register: absent_2_check
+
+    - name: Absent (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+      register: absent_2
+
+    - ansible.builtin.assert:
+        that:
+          - absent_1_check is changed
+          - absent_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_1 is changed
+          - absent_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_2_check is not changed
+          - absent_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - absent_2 is not changed
+          - absent_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+
+####################################################################
+## Stopping and starting ###########################################
+####################################################################
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - name: Present stopped (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      check_mode: true
+      register: present_1_check
+
+    - name: Present stopped
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      register: present_1
+
+    - name: Present stopped (idempotent check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      check_mode: true
+      register: present_2_check
+
+    - name: Present stopped (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      register: present_2
+
+    - name: Started (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_3_check
+
+    - name: Started
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_3
+
+    - name: Started (idempotent check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      check_mode: true
+      register: present_4_check
+
+    - name: Started (idempotent)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: present
+      register: present_4
+
+    - name: Restarted (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: restarted
+      check_mode: true
+      register: present_5_check
+
+    - name: Restarted
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: restarted
+      register: present_5
+
+    - name: Stopped (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      check_mode: true
+      register: present_6_check
+
+    - name: Stopped
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: stopped
+      register: present_6
+
+    - name: Restarted (check)
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: restarted
+      check_mode: true
+      register: present_7_check
+
+    - name: Restarted
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: restarted
+      register: present_7
+
+    - name: Cleanup
+      community.docker.docker_compose_v2:
+        project_src: '{{ project_src }}'
+        state: absent
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_1 is changed
+          - present_1.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2_check is not changed
+          - present_2_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_2 is not changed
+          - present_2.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3_check is changed
+          - present_3_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_3 is changed
+          - present_3.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4_check is not changed
+          - present_4_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_4 is not changed
+          - present_4.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5_check is changed
+          - present_5_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_5 is changed
+          - present_5.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_6_check is changed
+          - present_6_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_6 is changed
+          - present_6.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_7_check is changed
+          - present_7_check.warnings | default([]) | select('regex', ' please report this at ') | length == 0
+          - present_7 is changed
+          - present_7.warnings | default([]) | select('regex', ' please report this at ') | length == 0
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/meta/main.yml
new file mode 100644
index 00000000..aefcf50f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_cli_compose
+  # The Python dependencies are needed for the other modules
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/main.yml
new file mode 100644
index 00000000..797d6b3c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Create random name prefix (for services, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    dnetworks: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+# Run the tests
+- block:
+    - name: Show docker compose --help output
+      ansible.builtin.command: docker compose --help
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      with_items: "{{ dnetworks }}"
+      diff: false
+
+  when: docker_has_compose and docker_compose_version is version('2.18.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/tests/basic.yml
new file mode 100644
index 00000000..a558c999
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_exec/tasks/tests/basic.yml
@@ -0,0 +1,97 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-start-stop"
+    cname: "{{ name_prefix }}-container"
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 10m"'
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - block:
+        - name: Start services
+          community.docker.docker_compose_v2:
+            project_src: '{{ project_src }}'
+            state: present
+
+        - name: Run command with command
+          community.docker.docker_compose_v2_exec:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "ls /"
+          register: result_1
+
+        - name: Run command with argv
+          community.docker.docker_compose_v2_exec:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            argv:
+              - /bin/sh
+              - "-c"
+              - whoami
+            user: "1234"
+          register: result_2
+          failed_when: result_2.rc != 1
+
+        - name: Run detached command
+          community.docker.docker_compose_v2_exec:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "sleep 1"
+            detach: true
+          register: result_3
+
+        - name: Run command with input
+          community.docker.docker_compose_v2_exec:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "cat"
+            stdin: This is a test
+          register: result_4
+
+        - ansible.builtin.assert:
+            that:
+              - result_1.rc == 0
+              - result_1.stderr == ""
+              - >-
+                "usr" in result_1.stdout_lines
+                and
+                "etc" in result_1.stdout_lines
+              - result_2.rc == 1
+              - >-
+                "whoami: unknown uid 1234" in result_2.stderr
+              - result_2.stdout == ""
+              - result_3.rc is not defined
+              - result_3.stdout is not defined
+              - result_3.stderr is not defined
+              - result_4.rc == 0
+              - result_4.stdout == "This is a test"
+              - result_4.stderr == ""
+
+      always:
+        - name: Cleanup
+          community.docker.docker_compose_v2:
+            project_src: '{{ project_src }}'
+            state: absent
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/meta/main.yml
new file mode 100644
index 00000000..aefcf50f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_cli_compose
+  # The Python dependencies are needed for the other modules
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/main.yml
new file mode 100644
index 00000000..7568febe
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Create random name prefix (for services, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    dnetworks: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- name: Show images
+  ansible.builtin.command: docker images --all --digests
+
+# Run the tests
+- block:
+    - name: Show docker compose --help output
+      ansible.builtin.command: docker compose --help
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      with_items: "{{ dnetworks }}"
+      diff: false
+
+  when: docker_has_compose and docker_compose_version is version('2.18.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/tests/pull.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/tests/pull.yml
new file mode 100644
index 00000000..c599f2c8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_pull/tasks/tests/pull.yml
@@ -0,0 +1,204 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-pull"
+    cname: "{{ name_prefix }}-cont"
+    non_existing_image: does-not-exist:latest
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service_non_existing: |
+      services:
+        {{ cname }}:
+          image: {{ non_existing_image }}
+    test_service_simple: |
+      services:
+        {{ cname }}:
+          image: {{ docker_test_image_simple_1 }}
+          command: 10m
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+    - name: Make sure images are not around
+      community.docker.docker_image_remove:
+        name: '{{ item }}'
+      loop:
+        - '{{ non_existing_image }}'
+        - '{{ docker_test_image_simple_1 }}'
+
+####################################################################
+## Missing image ###################################################
+####################################################################
+
+    - name: Template project file with non-existing image
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service_non_existing }}'
+
+    - name: Pull (check)
+      community.docker.docker_compose_v2_pull:
+        project_src: '{{ project_src }}'
+      check_mode: true
+      register: pull_1_check
+      ignore_errors: true
+
+    - name: Pull
+      community.docker.docker_compose_v2_pull:
+        project_src: '{{ project_src }}'
+      register: pull_1
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - pull_1_check is failed or pull_1_check is changed
+          - pull_1_check is changed or pull_1_check.msg.startswith('Error when processing ')
+          - pull_1_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+          - pull_1 is failed
+          - pull_1.msg.startswith('Error when processing ')
+          - pull_1.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+
+####################################################################
+## Regular image ###################################################
+####################################################################
+
+    - name: Template project file with simple image
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service_simple }}'
+
+    - when: docker_compose_version is version('2.22.0', '>=')
+      block:
+        - name: Pull with policy=missing (check)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: missing
+          check_mode: true
+          register: pull_1_check
+
+        - name: Pull with policy=missing
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: missing
+          register: pull_1
+
+        - name: Pull with policy=missing (idempotent, check)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: missing
+          check_mode: true
+          register: pull_2_check
+
+        - name: Pull with policy=missing (idempotent)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: missing
+          register: pull_2
+
+        - name: Make sure image is not around
+          community.docker.docker_image_remove:
+            name: '{{ docker_test_image_simple_1 }}'
+
+        - name: Pull with policy=always (check)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          check_mode: true
+          register: pull_3_check
+
+        - name: Pull with policy=always
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          register: pull_3
+
+        - name: Pull with policy=always (check, idempotent)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          check_mode: true
+          register: pull_4_check
+
+        - name: Pull with policy=always (idempotent)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          register: pull_4
+
+        - ansible.builtin.assert:
+            that:
+              - pull_1_check is changed
+              - (pull_1_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_1_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_1 is changed
+              - (pull_1.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_1.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_2_check is not changed
+              - pull_2_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_2 is not changed
+              - pull_2.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_3_check is changed
+              - (pull_3_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_3_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_3 is changed
+              - (pull_3.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_3.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_4_check is changed
+              - (pull_4_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_4_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_4 is not changed
+              - (pull_4.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_4.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+
+    - when: docker_compose_version is version('2.22.0', '<')
+      block:
+        - name: Pull with policy=always (check)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          check_mode: true
+          register: pull_1_check
+
+        - name: Pull with policy=always
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          register: pull_1
+
+        - name: Pull with policy=always (again, check)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          check_mode: true
+          register: pull_2_check
+
+        - name: Pull with policy=always (again)
+          community.docker.docker_compose_v2_pull:
+            project_src: '{{ project_src }}'
+            policy: always
+          register: pull_2
+
+        - ansible.builtin.assert:
+            that:
+              - pull_1_check is changed
+              - (pull_1_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_1_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_1 is changed
+              - (pull_1.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_1.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_2_check is changed
+              - (pull_2_check.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_2_check.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
+              - pull_2 is not changed
+              - (pull_2.actions | selectattr('status', 'eq', 'Pulling') | first) is truthy
+              - pull_2.warnings | default([]) | select('regex', 'Cannot parse event from ') | length == 0
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/meta/main.yml
new file mode 100644
index 00000000..aefcf50f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_cli_compose
+  # The Python dependencies are needed for the other modules
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/main.yml
new file mode 100644
index 00000000..797d6b3c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Create random name prefix (for services, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    dnetworks: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+# Run the tests
+- block:
+    - name: Show docker compose --help output
+      ansible.builtin.command: docker compose --help
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      with_items: "{{ dnetworks }}"
+      diff: false
+
+  when: docker_has_compose and docker_compose_version is version('2.18.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/tests/basic.yml
new file mode 100644
index 00000000..6abeacdc
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_compose_v2_run/tasks/tests/basic.yml
@@ -0,0 +1,105 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    pname: "{{ name_prefix }}-start-stop"
+    cname: "{{ name_prefix }}-container"
+    project_src: "{{ remote_tmp_dir }}/{{ pname }}"
+    test_service: |
+      services:
+        {{ cname }}:
+          image: "{{ docker_test_image_alpine }}"
+          command: '/bin/sh -c "sleep 10m"'
+          stop_grace_period: 1s
+
+  block:
+    - name: Registering container name
+      ansible.builtin.set_fact:
+        cnames: "{{ cnames + [pname ~ '-' ~ cname ~ '-1'] }}"
+        dnetworks: "{{ dnetworks + [pname ~ '_default'] }}"
+
+    - name: Create project directory
+      ansible.builtin.file:
+        path: '{{ project_src }}'
+        state: directory
+
+    - name: Template default project file
+      ansible.builtin.copy:
+        dest: '{{ project_src }}/docker-compose.yml'
+        content: '{{ test_service }}'
+
+    - block:
+        - name: Start services
+          community.docker.docker_compose_v2:
+            project_src: '{{ project_src }}'
+            state: present
+
+        - name: Run command with command
+          community.docker.docker_compose_v2_run:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "ls /"
+            cleanup: true
+          register: result_1
+
+        - name: Run command with argv
+          community.docker.docker_compose_v2_run:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            argv:
+              - /bin/sh
+              - "-c"
+              - whoami
+            user: "1234"
+            cleanup: true
+          register: result_2
+          failed_when: result_2.rc != 1
+
+        - name: Run detached command
+          community.docker.docker_compose_v2_run:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "sleep 1"
+            detach: true
+            cleanup: true
+          register: result_3
+
+        - name: Run command with input
+          community.docker.docker_compose_v2_run:
+            project_src: '{{ project_src }}'
+            service: '{{ cname }}'
+            command: /bin/sh -c "cat"
+            stdin: This is a test
+          register: result_4
+
+        - ansible.builtin.assert:
+            that:
+              - result_1.rc == 0
+              # Since Compose 5, unrelated output shows up in stderr...
+              - result_1.stderr == "" or ("Creating" in result_1.stderr and "Created" in result_1.stderr)
+              - >-
+                "usr" in result_1.stdout_lines
+                and
+                "etc" in result_1.stdout_lines
+              - result_1.container_id is not defined
+              - result_2.rc == 1
+              - >-
+                "whoami: unknown uid 1234" in result_2.stderr
+              - result_2.stdout == ""
+              - result_2.container_id is not defined
+              - result_3.rc is not defined
+              - result_3.stdout is not defined
+              - result_3.stderr is not defined
+              - result_3.container_id is string
+              - result_4.rc == 0
+              - result_4.stdout == "This is a test"
+              - result_4.stderr is string
+              - result_4.container_id is not defined
+
+      always:
+        - name: Cleanup
+          community.docker.docker_compose_v2:
+            project_src: '{{ project_src }}'
+            state: absent
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_config/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_config/aliases
new file mode 100644
index 00000000..fc581d54
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_config/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/3
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_config/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_config/meta/main.yml
new file mode 100644
index 00000000..9eeb6626
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_config/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/main.yml
new file mode 100644
index 00000000..a30c80c8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_docker_config.yml
+  when: docker_py_version is version('2.6.0', '>=') and docker_api_version is version('1.30', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_config tests!"
+  when: not(docker_py_version is version('2.6.0', '>=') and docker_api_version is version('1.30', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/test_docker_config.yml b/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/test_docker_config.yml
new file mode 100644
index 00000000..f22ed37f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_config/tasks/test_docker_config.yml
@@ -0,0 +1,334 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - ansible.builtin.shell: "docker info --format '{% raw %}{{json .}}{% endraw %}' | {{ ansible_python_interpreter }} -m json.tool"
+
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - ansible.builtin.shell: "docker info --format '{% raw %}{{json .}}{% endraw %}' | {{ ansible_python_interpreter }} -m json.tool"
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        name: default
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - name: Parameter name should be required
+      community.docker.docker_config:  # noqa: args[module]
+        state: present
+      ignore_errors: true
+      register: output
+
+    - name: Assert failure when called with no name
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "missing required arguments: name"'
+
+    - name: Test parameters
+      community.docker.docker_config:  # noqa: args[module]
+        name: foo
+        state: present
+      ignore_errors: true
+      register: output
+
+    - name: Assert failure when called with no data
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "state is present but any of the following are missing: data, data_src"'
+
+    - name: Create config
+      community.docker.docker_config:
+        name: db_password
+        data: opensesame!
+        state: present
+      register: output
+
+    - name: Create variable config_id
+      ansible.builtin.set_fact:
+        config_id: "{{ output.config_id }}"
+
+    - name: Inspect config
+      ansible.builtin.command: "docker config inspect {{ config_id }}"
+      register: inspect
+      ignore_errors: true
+
+    - ansible.builtin.debug:
+        var: inspect
+
+    - name: Assert config creation succeeded
+      ansible.builtin.assert:
+        that:
+          - "'db_password' in inspect.stdout"
+          - "'ansible_key' in inspect.stdout"
+      when: inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in inspect.stderr"
+      when: inspect is failed
+
+    - name: Create config again
+      community.docker.docker_config:
+        name: db_password
+        data: opensesame!
+        state: present
+      register: output
+
+    - name: Assert create config is idempotent
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+    - name: Write config into file
+      ansible.builtin.copy:
+        dest: "{{ remote_tmp_dir }}/data"
+        content: |-
+          opensesame!
+
+    - name: Create config again (from file)
+      community.docker.docker_config:
+        name: db_password
+        data_src: "{{ remote_tmp_dir }}/data"
+        state: present
+      register: output
+
+    - name: Assert create config is idempotent
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+    - name: Create config again (base64)
+      community.docker.docker_config:
+        name: db_password
+        data: b3BlbnNlc2FtZSE=
+        data_is_b64: true
+        state: present
+      register: output
+
+    - name: Assert create config (base64) is idempotent
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+    - name: Update config
+      community.docker.docker_config:
+        name: db_password
+        data: newpassword!
+        state: present
+      register: output
+
+    - name: Assert config was updated
+      ansible.builtin.assert:
+        that:
+          - output is changed
+          - output.config_id != config_id
+
+    - name: Remove config
+      community.docker.docker_config:
+        name: db_password
+        state: absent
+
+    - name: Check that config is removed
+      ansible.builtin.command: "docker config inspect {{ config_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: Assert config was removed
+      ansible.builtin.assert:
+        that:
+          - output is failed
+
+    - name: Remove config
+      community.docker.docker_config:
+        name: db_password
+        state: absent
+      register: output
+
+    - name: Assert remove config is idempotent
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+  # Rolling update
+
+    - name: Create rolling config
+      community.docker.docker_config:
+        name: rolling_password
+        data: opensesame!
+        rolling_versions: true
+        state: present
+      register: original_output
+
+    - name: Create variable config_id
+      ansible.builtin.set_fact:
+        config_id: "{{ original_output.config_id }}"
+
+    - name: Inspect config
+      ansible.builtin.command: "docker config inspect {{ config_id }}"
+      register: inspect
+      ignore_errors: true
+
+    - ansible.builtin.debug:
+        var: inspect
+
+    - name: Assert config creation succeeded
+      ansible.builtin.assert:
+        that:
+          - "'rolling_password' in inspect.stdout"
+          - "'ansible_key' in inspect.stdout"
+          - "'ansible_version' in inspect.stdout"
+          - original_output.config_name == 'rolling_password_v1'
+      when: inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in inspect.stderr"
+      when: inspect is failed
+
+    - name: Create config again
+      community.docker.docker_config:
+        name: rolling_password
+        data: newpassword!
+        rolling_versions: true
+        state: present
+      register: new_output
+
+    - name: Assert that new version is created
+      ansible.builtin.assert:
+        that:
+          - new_output is changed
+          - new_output.config_id != original_output.config_id
+          - new_output.config_name != original_output.config_name
+          - new_output.config_name == 'rolling_password_v2'
+
+    - name: Remove rolling configs
+      community.docker.docker_config:
+        name: rolling_password
+        rolling_versions: true
+        state: absent
+
+    - name: Check that config is removed
+      ansible.builtin.command: "docker config inspect {{ original_output.config_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: Assert config was removed
+      ansible.builtin.assert:
+        that:
+          - output is failed
+
+    - name: Check that config is removed
+      ansible.builtin.command: "docker config inspect {{ new_output.config_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: Assert config was removed
+      ansible.builtin.assert:
+        that:
+          - output is failed
+
+  # template_driver tests
+
+    - when: docker_py_version is version('5.0.3', '>=') and docker_api_version is version('1.37', '>=')
+      block:
+
+        - name: Create regular config
+          community.docker.docker_config:
+            name: db_password
+            data: opensesame!
+            state: present
+
+        - name: Update config with template_driver
+          community.docker.docker_config:
+            name: db_password
+            data: opensesame!
+            template_driver: golang
+            state: present
+          register: output
+
+        - name: Assert config was updated
+          ansible.builtin.assert:
+            that:
+              - output is changed
+
+        - name: Invalid template_driver
+          community.docker.docker_config:
+            name: db_password
+            data: opensesame!
+            template_driver: "not a template driver"  # noqa: args[module]
+            state: present
+          ignore_errors: true
+          register: output
+
+        - name: Assert failure when called with invalid template_driver
+          ansible.builtin.assert:
+            that:
+              - 'output is failed'
+              - 'output.msg == "value of template_driver must be one of: golang, got: not a template driver"'
+
+        - name: Create config again
+          community.docker.docker_config:
+            name: db_password
+            data: opensesame!
+            template_driver: golang
+            state: present
+          register: output
+
+        - name: Assert create config is idempotent
+          ansible.builtin.assert:
+            that:
+              - output is not changed
+
+        # data is the docker swarm's name
+        - name: Update config with template data
+          community.docker.docker_config:
+            name: db_password
+            data: "{{ '{{' }} .Service.Name {{ '}}' }}"
+            template_driver: golang
+            state: present
+          register: output
+
+        - name: Inspect config
+          ansible.builtin.command: "docker config inspect {{ output.config_id }}"
+          register: inspect
+
+        - name: Show inspection result
+          ansible.builtin.debug:
+            var: inspect
+
+        - name: Assert config creation succeeded
+          ansible.builtin.assert:
+            that:
+              - "'db_password' in inspect.stdout"
+              - "'ansible_key' in inspect.stdout"
+              # According to the API docs, 'Data' is "Base64-url-safe-encoded (RFC 4648) config data."
+              - "'\"Data\": \"e3sgLlNlcnZpY2UuTmFtZSB9fQ==\"' in inspect.stdout"
+              - "'Templating' in inspect.stdout"
+              - "'\"Name\": \"golang\"' in inspect.stdout"
+
+        - name: Remove config
+          community.docker.docker_config:
+            name: db_password
+            state: absent
+
+        - name: Check that config is removed
+          ansible.builtin.command: "docker config inspect {{ output.config_id }}"
+          register: output
+          ignore_errors: true
+
+        - name: Assert config was removed
+          ansible.builtin.assert:
+            that:
+              - output is failed
+
+  always:
+    - name: Remove a Swarm cluster
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_container/aliases
new file mode 100644
index 00000000..0837c740
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/5
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/files/env-file b/ansible_collections/community/docker/tests/integration/targets/docker_container/files/env-file
new file mode 100644
index 00000000..87bc9dec
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/files/env-file
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+TEST3=val3
+TEST4=val4
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/filter_plugins/ipaddr_tools.py b/ansible_collections/community/docker/tests/integration/targets/docker_container/filter_plugins/ipaddr_tools.py
new file mode 100644
index 00000000..7c6ef8eb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/filter_plugins/ipaddr_tools.py
@@ -0,0 +1,20 @@
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+
+def _normalize_ipaddr(ipaddr):
+    # Import when needed, to allow installation of that module in the test setup
+    import ipaddress
+    return ipaddress.ip_address(ipaddr).compressed
+
+
+class FilterModule:
+    """ IP address and network manipulation filters """
+
+    def filters(self):
+        return {
+            'normalize_ipaddr': _normalize_ipaddr,
+        }
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/main.yml
new file mode 100644
index 00000000..2717a635
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Gather facts on controller
+  ansible.builtin.setup:
+    gather_subset: '!all'
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: true
+
+- name: Make sure ipaddress is available on controller
+  ansible.builtin.pip:
+    name: ipaddress
+  delegate_to: localhost
+  when: hostvars['localhost'].ansible_facts.python.version.major < 3
+
+# Create random name prefix (for containers, networks, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    cname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    inames: []
+    dnetworks: []
+
+- ansible.builtin.debug:
+    msg: "Using container name prefix {{ cname_prefix }}"
+
+- name: Retrieve docker host info
+  community.docker.docker_host_info:
+  register: docker_host_info
+
+# Run the tests
+- module_defaults:
+    community.general.docker_container:
+      debug: true
+  block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      with_items: "{{ inames }}"
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      with_items: "{{ dnetworks }}"
+      diff: false
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run all docker_container tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/comparisons.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/comparisons.yml
new file mode 100644
index 00000000..ee0e382d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/comparisons.yml
@@ -0,0 +1,466 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-comparisons' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+####################################################################
+## value ###########################################################
+####################################################################
+
+- name: value
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.com
+  register: value_1
+
+- name: value (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.org
+    force_kill: true
+    comparisons:
+      hostname: ignore
+  register: value_2
+
+- name: value (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.org
+    force_kill: true
+    comparisons:
+      hostname: strict
+  register: value_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - value_1 is changed
+      - value_2 is not changed
+      - value_3 is changed
+
+####################################################################
+## list ############################################################
+####################################################################
+
+- name: list
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 1.1.1.1
+      - 8.8.8.8
+  register: list_1
+
+- name: list (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 9.9.9.9
+    force_kill: true
+    comparisons:
+      dns_servers: ignore
+  register: list_2
+
+- name: list (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 9.9.9.9
+    force_kill: true
+    comparisons:
+      dns_servers: strict
+  register: list_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - list_1 is changed
+      - list_2 is not changed
+      - list_3 is changed
+
+####################################################################
+## set #############################################################
+####################################################################
+
+- name: set
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1010"
+      - "1011"
+  register: set_1
+
+- name: set (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1010"
+      - "1011"
+      - "1012"
+    force_kill: true
+    comparisons:
+      groups: ignore
+  register: set_2
+
+- name: set (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1010"
+      - "1011"
+      - "1012"
+    force_kill: true
+    comparisons:
+      groups: allow_more_present
+  register: set_3
+
+- name: set (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1010"
+      - "1012"
+    force_kill: true
+    comparisons:
+      groups: allow_more_present
+  register: set_4
+
+- name: set (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1010"
+      - "1012"
+    force_kill: true
+    comparisons:
+      groups: strict
+  register: set_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - set_1 is changed
+      - set_2 is not changed
+      - set_3 is changed
+      - set_4 is not changed
+      - set_5 is changed
+
+####################################################################
+## set(dict) #######################################################
+####################################################################
+
+- name: set(dict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/urandom:/dev/virt-urandom:rwm"
+  register: set_dict_1
+
+- name: set(dict) (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/urandom:/dev/virt-urandom:rwm"
+      - "/dev/null:/dev/virt-null:rwm"
+    force_kill: true
+    comparisons:
+      devices: ignore
+  register: set_dict_2
+
+- name: set(dict) (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/urandom:/dev/virt-urandom:rwm"
+      - "/dev/null:/dev/virt-null:rwm"
+    force_kill: true
+    comparisons:
+      devices: allow_more_present
+  register: set_dict_3
+
+- name: set(dict) (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/null:/dev/virt-null:rwm"
+    force_kill: true
+    comparisons:
+      devices: allow_more_present
+  register: set_dict_4
+
+- name: set(dict) (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/null:/dev/virt-null:rwm"
+    force_kill: true
+    comparisons:
+      devices: strict
+  register: set_dict_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - set_dict_1 is changed
+      - set_dict_2 is not changed
+      - set_dict_3 is changed
+      - set_dict_4 is not changed
+      - set_dict_5 is changed
+
+####################################################################
+## dict ############################################################
+####################################################################
+
+- name: dict
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+  register: dict_1
+
+- name: dict (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      labels: ignore
+  register: dict_2
+
+- name: dict (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      labels: allow_more_present
+  register: dict_3
+
+- name: dict (change, allow_more_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      labels: allow_more_present
+  register: dict_4
+
+- name: dict (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      labels: strict
+  register: dict_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dict_1 is changed
+      - dict_2 is not changed
+      - dict_3 is changed
+      - dict_4 is not changed
+      - dict_5 is changed
+
+####################################################################
+## wildcard ########################################################
+####################################################################
+
+- name: Pull {{ docker_test_image_hello_world }} image to make sure wildcard_2 test succeeds
+  # If the image isn't there, it will pull it and return 'changed'.
+  community.docker.docker_image_pull:
+    name: "{{ docker_test_image_hello_world }}"
+
+- name: wildcard
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.com
+    stop_timeout: 1
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+      ansible.test.3: ansible
+  register: wildcard_1
+
+- name: wildcard (change, ignore)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.org
+    stop_timeout: 2
+    labels:
+      ansible.test.1: hello
+      ansible.test.4: ignore
+    force_kill: true
+    comparisons:
+      '*': ignore
+  register: wildcard_2
+
+- name: wildcard (change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.org
+    stop_timeout: 1
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      '*': strict
+  register: wildcard_3
+
+- name: wildcard (no change, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    hostname: example.org
+    stop_timeout: 1
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+      ansible.test.3: ansible
+    force_kill: true
+    comparisons:
+      '*': strict
+  register: wildcard_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - wildcard_1 is changed
+      - wildcard_2 is not changed
+      - wildcard_3 is changed
+      - wildcard_4 is not changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/compatibility.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/compatibility.yml
new file mode 100644
index 00000000..fbaa3207
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/compatibility.yml
@@ -0,0 +1,122 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-hi' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+####################################################################
+## container_default_behavior: compatibility #######################
+####################################################################
+
+- name: Start container (check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: compatibility
+  check_mode: true
+  register: start_1
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: compatibility
+  register: start_2
+
+- name: Start container (idempotent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: compatibility
+  register: start_3
+
+- name: Start container (idempotent check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    state: started
+    container_default_behavior: compatibility
+  check_mode: true
+  register: start_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - start_1 is changed
+      - start_2 is changed
+      - start_3 is not changed
+      - start_4 is not changed
+
+####################################################################
+## container_default_behavior: no_defaults #########################
+####################################################################
+
+- name: Start container (check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: no_defaults
+  check_mode: true
+  register: start_1
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: no_defaults
+  register: start_2
+
+- name: Start container (idempotent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: no_defaults
+  register: start_3
+
+- name: Start container (idempotent check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    state: started
+    container_default_behavior: no_defaults
+  check_mode: true
+  register: start_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - start_1 is changed
+      - start_2 is changed
+      - start_3 is not changed
+      - start_4 is not changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/healthy.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/healthy.yml
new file mode 100644
index 00000000..b6143e18
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/healthy.yml
@@ -0,0 +1,64 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-hi' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+- name: Prepare container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_healthcheck }}"
+    command: '10m'
+    state: stopped
+  register: healthy_1
+
+- ansible.builtin.debug: var=healthy_1.container.State
+
+- name: Start container (not healthy in time)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: healthy
+    healthy_wait_timeout: 1
+  register: healthy_2
+  ignore_errors: true
+
+- ansible.builtin.debug: var=healthy_2.container.State
+
+- name: Prepare container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_healthcheck }}"
+    command: '10m 5s'
+    state: stopped
+    force_kill: true
+  register: healthy_3
+
+- ansible.builtin.debug: var=healthy_3.container.State
+
+- name: Start container (healthy in time)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: healthy
+    healthy_wait_timeout: 10
+  register: healthy_4
+
+- ansible.builtin.debug: var=healthy_4.container.State
+
+- name: Cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+- ansible.builtin.assert:
+    that:
+      - healthy_2 is failed
+      - healthy_2.container.State.Health.Status == "starting"
+      - healthy_2.msg.startswith("Timeout of 1.0 seconds exceeded while waiting for container ")
+      - healthy_4 is changed
+      - healthy_4.container.State.Health.Status == "healthy"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/image-ids.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/image-ids.yml
new file mode 100644
index 00000000..e735b8c2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/image-ids.yml
@@ -0,0 +1,156 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-iid' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+- name: Pull images
+  community.docker.docker_image_pull:
+    name: "{{ image }}"
+  loop:
+    - "{{ docker_test_image_hello_world }}"
+    - "{{ docker_test_image_alpine }}"
+  loop_control:
+    loop_var: image
+
+- name: Get image ID of {{ docker_test_image_hello_world }} and {{ docker_test_image_alpine }} images
+  community.docker.docker_image_info:
+    name:
+      - "{{ docker_test_image_hello_world }}"
+      - "{{ docker_test_image_alpine }}"
+  register: image_info
+
+- ansible.builtin.assert:
+    that:
+      - image_info.images | length == 2
+
+- name: Print image IDs
+  ansible.builtin.debug:
+    msg: "{{ docker_test_image_hello_world }}: {{ image_info.images[0].Id }}; {{ docker_test_image_alpine }}: {{ image_info.images[1].Id }}"
+
+- name: Create container with {{ docker_test_image_hello_world }} image via ID
+  community.docker.docker_container:
+    image: "{{ image_info.images[0].Id }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: create_1
+
+- name: Create container with {{ docker_test_image_hello_world }} image via ID (idempotent)
+  community.docker.docker_container:
+    image: "{{ image_info.images[0].Id }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: create_2
+
+- name: Create container with {{ docker_test_image_alpine }} image via ID
+  community.docker.docker_container:
+    image: "{{ image_info.images[1].Id }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: create_3
+
+- name: Create container with {{ docker_test_image_alpine }} image via ID (idempotent)
+  community.docker.docker_container:
+    image: "{{ image_info.images[1].Id }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: create_4
+
+- name: Untag image
+  # Image will not be deleted since the container still uses it
+  community.docker.docker_image_remove:
+    name: "{{ docker_test_image_alpine }}"
+    force: true
+
+- name: Create container with {{ docker_test_image_alpine }} image via name (check mode, will pull, same image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: present
+    image_name_mismatch: ignore
+  register: create_5
+  check_mode: true
+
+- name: Create container with {{ docker_test_image_alpine }} image via name (will pull, same image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: present
+    image_name_mismatch: ignore
+  register: create_6
+
+- name: Cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - create_1 is changed
+      - create_2 is not changed
+      - create_3 is changed
+      - create_4 is not changed
+      - create_5 is changed
+      - create_6 is changed
+      - create_6.container.Image == image_info.images[1].Id
+      - create_6.container.Id == create_4.container.Id  # make sure container wasn't recreated
+
+- name: Create container with {{ docker_test_image_digest_base }} image via old digest
+  community.docker.docker_container:
+    image: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: digest_1
+
+- name: Create container with {{ docker_test_image_digest_base }} image via old digest (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: digest_2
+
+- name: Create container with {{ docker_test_image_digest_base }} image via old digest (idempotent, pull)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+    name: "{{ cname }}"
+    pull: true
+    debug: true
+    state: present
+    force_kill: true
+  register: digest_3
+
+- name: Update container with {{ docker_test_image_digest_base }} image via new digest
+  community.docker.docker_container:
+    image: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v2 }}"
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: digest_4
+
+- name: Cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - digest_1 is changed
+      - digest_2 is not changed
+      - digest_3 is not changed
+      - digest_4 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/mounts-volumes.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/mounts-volumes.yml
new file mode 100644
index 00000000..50d2de65
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/mounts-volumes.yml
@@ -0,0 +1,558 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-mounts' }}"
+    cname_h1: "{{ cname_prefix ~ '-mounts-h1' }}"
+    cname_h2: "{{ cname_prefix ~ '-mounts-h2' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname, cname_h1, cname_h2] }}"
+
+####################################################################
+## keep_volumes ####################################################
+####################################################################
+
+# TODO: - keep_volumes
+
+####################################################################
+## mounts ##########################################################
+####################################################################
+
+- name: mounts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+      - source: /
+        target: /whatever
+        type: bind
+        read_only: false
+  register: mounts_1
+
+- name: mounts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /
+        target: /whatever
+        type: bind
+        read_only: false
+      - source: /tmp
+        target: /tmp
+        type: bind
+  register: mounts_2
+
+- name: mounts (less mounts)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+  register: mounts_3
+
+- name: mounts (more mounts)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+      - source: /tmp
+        target: /somewhereelse
+        type: bind
+        read_only: true
+    force_kill: true
+  register: mounts_4
+
+- name: mounts (different modes)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+      - source: /tmp
+        target: /somewhereelse
+        type: bind
+        read_only: false
+    force_kill: true
+  register: mounts_5
+
+- name: mounts (endpoint collision)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /home
+        target: /x
+        type: bind
+      - source: /etc
+        target: /x
+        type: bind
+        read_only: false
+    force_kill: true
+  register: mounts_6
+  ignore_errors: true
+
+- name: mounts (anonymous volume)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /tmp
+        type: volume
+    force_kill: true
+  register: mounts_7
+
+- name: mounts (anonymous volume idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /tmp
+        type: volume
+    force_kill: true
+  register: mounts_8
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_1 is changed
+      - mounts_2 is not changed
+      - mounts_3 is not changed
+      - mounts_4 is changed
+      - mounts_5 is changed
+      - mounts_6 is failed
+      - "'The mount point \"/x\" appears twice in the mounts option' == mounts_6.msg"
+      - mounts_7 is changed
+      - mounts_8 is not changed
+
+####################################################################
+## tmpfs ###########################################################
+####################################################################
+
+- name: tmpfs
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /cache1
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+      - target: /cache2
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+    force_kill: true
+  register: tmpfs_1
+
+- name: tmpfs (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /cache2
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+      - target: /cache1
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+    force_kill: true
+  register: tmpfs_2
+
+- name: tmpfs (more mounts)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /cache1
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+      - target: /cache2
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+      - target: /cache3
+        type: tmpfs
+        tmpfs_mode: "1777"
+        tmpfs_size: "1GB"
+    force_kill: true
+  register: tmpfs_3
+
+- name: tmpfs (change mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /cache1
+        type: tmpfs
+        tmpfs_mode: "1700"
+        tmpfs_size: "1GB"
+    force_kill: true
+  register: tmpfs_4
+
+- name: tmpfs (change size)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - target: /cache1
+        type: tmpfs
+        tmpfs_mode: "1700"
+        tmpfs_size: "2GB"
+    force_kill: true
+  register: tmpfs_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - tmpfs_1 is changed
+      - tmpfs_2 is not changed
+      - tmpfs_3 is changed
+      - tmpfs_4 is changed
+      - tmpfs_5 is changed
+
+####################################################################
+## mounts + volumes ################################################
+####################################################################
+
+- name: mounts + volumes
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /
+        target: /whatever
+        type: bind
+        read_only: true
+    volumes:
+      - /tmp:/tmp
+  register: mounts_volumes_1
+
+- name: mounts + volumes (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /
+        target: /whatever
+        type: bind
+        read_only: true
+    volumes:
+      - /tmp:/tmp
+  register: mounts_volumes_2
+
+- name: mounts + volumes (switching)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+        read_only: false
+    volumes:
+      - /:/whatever:ro
+    force_kill: true
+  register: mounts_volumes_3
+
+- name: mounts + volumes (collision, should fail)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    mounts:
+      - source: /tmp
+        target: /tmp
+        type: bind
+        read_only: false
+    volumes:
+      - /tmp:/tmp
+    force_kill: true
+  register: mounts_volumes_4
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_volumes_1 is changed
+      - mounts_volumes_2 is not changed
+      - mounts_volumes_3 is changed
+      - mounts_volumes_4 is failed
+      - "'The mount point \"/tmp\" appears both in the volumes and mounts option' in mounts_volumes_4.msg"
+
+####################################################################
+## volume_driver ###################################################
+####################################################################
+
+- name: volume_driver
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    volume_driver: local
+    state: started
+  register: volume_driver_1
+
+- name: volume_driver (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    volume_driver: local
+    state: started
+  register: volume_driver_2
+
+- name: volume_driver (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    volume_driver: /
+    state: started
+    force_kill: true
+  register: volume_driver_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - volume_driver_1 is changed
+      - volume_driver_2 is not changed
+      - volume_driver_3 is changed
+
+####################################################################
+## volumes #########################################################
+####################################################################
+
+- name: volumes
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/tmp:/tmp"
+      - "/:/whatever:rw,z"
+      - "/anon:rw"
+  register: volumes_1
+
+- name: volumes (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/:/whatever:rw,z"
+      - "/tmp:/tmp"
+      - "/anon:rw"
+  register: volumes_2
+
+- name: volumes (less volumes)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/tmp:/tmp"
+  register: volumes_3
+
+- name: volumes (more volumes)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/tmp:/tmp"
+      - "/tmp:/somewhereelse:ro,Z"
+    force_kill: true
+  register: volumes_4
+
+- name: volumes (different modes)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/tmp:/tmp"
+      - "/tmp:/somewhereelse:ro"
+    force_kill: true
+  register: volumes_5
+
+- name: volumes (collision)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes:
+      - "/etc:/tmp"
+      - "/home:/tmp:ro"
+    force_kill: true
+  register: volumes_6
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - volumes_1 is changed
+      - volumes_1.container.Config.Volumes | length == 1
+      - volumes_1.container.Config.Volumes['/anon:rw'] | length == 0
+      - volumes_2 is not changed
+      - volumes_3 is not changed
+      - volumes_4 is changed
+      - not volumes_4.container.Config.Volumes
+      - volumes_5 is changed
+      - volumes_6 is failed
+      - "'The mount point \"/tmp\" appears twice in the volumes option' in volumes_6.msg"
+
+####################################################################
+## volumes_from ####################################################
+####################################################################
+
+- name: start helpers
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ container_name }}"
+    state: started
+    volumes:
+      - "{{ '/tmp:/tmp' if container_name == cname_h1 else '/:/whatever:ro' }}"
+  loop:
+    - "{{ cname_h1 }}"
+    - "{{ cname_h2 }}"
+  loop_control:
+    loop_var: container_name
+
+- name: volumes_from
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes_from: "{{ cname_h1 }}"
+  register: volumes_from_1
+
+- name: volumes_from (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes_from: "{{ cname_h1 }}"
+  register: volumes_from_2
+
+- name: volumes_from (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    volumes_from: "{{ cname_h2 }}"
+    force_kill: true
+  register: volumes_from_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname }}"
+    - "{{ cname_h1 }}"
+    - "{{ cname_h2 }}"
+  loop_control:
+    loop_var: container_name
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - volumes_from_1 is changed
+      - volumes_from_2 is not changed
+      - volumes_from_3 is changed
+
+####################################################################
+####################################################################
+####################################################################
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/network.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/network.yml
new file mode 100644
index 00000000..cf2940a8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/network.yml
@@ -0,0 +1,745 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-network' }}"
+    cname_h1: "{{ cname_prefix ~ '-network-h1' }}"
+    nname_1: "{{ cname_prefix ~ '-network-1' }}"
+    nname_2: "{{ cname_prefix ~ '-network-2' }}"
+    nname_3: "{{ cname_prefix ~ '-network-3' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname, cname_h1] }}"
+    dnetworks: "{{ dnetworks + [nname_1, nname_2, nname_3] }}"
+
+- name: Create networks
+  community.docker.docker_network:
+    name: "{{ network_name }}"
+    state: present
+  loop:
+    - "{{ nname_1 }}"
+    - "{{ nname_2 }}"
+  loop_control:
+    loop_var: network_name
+
+- ansible.builtin.set_fact:
+    subnet_ipv4_base: 10.{{ 16 + (240 | random) }}.{{ 16 + (240 | random) }}
+    subnet_ipv6_base: fdb6:feea:{{ '%0.4x:%0.4x' | format(65536 | random, 65536 | random) }}
+    # If netaddr would be installed on the controller, one could do:
+    # subnet_ipv4: "10.{{ 16 + (240 | random) }}.{{ 16 + (240 | random) }}.0/24"
+    # subnet_ipv6: "fdb6:feea:{{ '%0.4x:%0.4x' | format(65536 | random, 65536 | random) }}::/64"
+
+- ansible.builtin.set_fact:
+    subnet_ipv4: "{{ subnet_ipv4_base }}.0/24"
+    subnet_ipv6: "{{ subnet_ipv6_base }}::/64"
+    nname_3_ipv4_2: "{{ subnet_ipv4_base }}.2"
+    nname_3_ipv4_3: "{{ subnet_ipv4_base }}.3"
+    nname_3_ipv4_4: "{{ subnet_ipv4_base }}.4"
+    nname_3_ipv6_2: "{{ subnet_ipv6_base }}::2"
+    nname_3_ipv6_3: "{{ subnet_ipv6_base }}::3"
+    nname_3_ipv6_4: "{{ subnet_ipv6_base }}::4"
+    # If netaddr would be installed on the controller, one could do:
+    # nname_3_ipv4_2: "{{ subnet_ipv4 | ansible.netcommon.next_nth_usable(2) }}"
+    # nname_3_ipv4_3: "{{ subnet_ipv4 | ansible.netcommon.next_nth_usable(3) }}"
+    # nname_3_ipv4_4: "{{ subnet_ipv4 | ansible.netcommon.next_nth_usable(4) }}"
+    # nname_3_ipv6_2: "{{ subnet_ipv6 | ansible.netcommon.next_nth_usable(2) }}"
+    # nname_3_ipv6_3: "{{ subnet_ipv6 | ansible.netcommon.next_nth_usable(3) }}"
+    # nname_3_ipv6_4: "{{ subnet_ipv6 | ansible.netcommon.next_nth_usable(4) }}"
+
+- ansible.builtin.debug:
+    msg: "Chose random IPv4 subnet {{ subnet_ipv4 }} and random IPv6 subnet {{ subnet_ipv6 }}"
+
+- name: Create network with fixed IPv4 and IPv6 subnets
+  community.docker.docker_network:
+    name: "{{ nname_3 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: "{{ subnet_ipv4 }}"
+      - subnet: "{{ subnet_ipv6 }}"
+    state: present
+
+####################################################################
+## network_mode ####################################################
+####################################################################
+
+- name: network_mode
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    network_mode: host
+  register: network_mode_1
+
+- name: network_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    network_mode: host
+  register: network_mode_2
+
+- name: network_mode (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    network_mode: none
+    force_kill: true
+  register: network_mode_3
+
+- name: network_mode (container mode setup)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname_h1 }}"
+    state: started
+  register: cname_h1_id
+
+- name: network_mode (container mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    network_mode: "container:{{ cname_h1_id.container.Id }}"
+    force_kill: true
+  register: network_mode_4
+
+- name: network_mode (container mode idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    network_mode: "container:{{ cname_h1 }}"
+  register: network_mode_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname }}"
+    - "{{ cname_h1 }}"
+  loop_control:
+    loop_var: container_name
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - network_mode_1 is changed
+      - network_mode_1.container.HostConfig.NetworkMode == 'host'
+      - network_mode_2 is not changed
+      - network_mode_2.container.HostConfig.NetworkMode == 'host'
+      - network_mode_3 is changed
+      - network_mode_3.container.HostConfig.NetworkMode == 'none'
+      - network_mode_4 is changed
+      - network_mode_4.container.HostConfig.NetworkMode == ('container:' ~ cname_h1_id.container.Id)
+      - network_mode_5 is not changed
+      - network_mode_5.container.HostConfig.NetworkMode == ('container:' ~ cname_h1_id.container.Id)
+
+####################################################################
+## networks, purge_networks for networks_cli_compatible=no #########
+####################################################################
+
+- name: networks_cli_compatible=no, networks w/o purge_networks
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_1 }}"
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: false
+  register: networks_1
+
+- name: networks_cli_compatible=no, networks w/o purge_networks
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_1 }}"
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: false
+  register: networks_2
+
+- name: networks_cli_compatible=no, networks, purge_networks
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    comparisons:
+      networks: strict
+    networks:
+      - name: bridge
+      - name: "{{ nname_1 }}"
+    networks_cli_compatible: false
+    force_kill: true
+  register: networks_3
+
+- name: networks_cli_compatible=no, networks, purge_networks (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    comparisons:
+      networks: strict
+    networks:
+      - name: "{{ nname_1 }}"
+      - name: bridge
+    networks_cli_compatible: false
+  register: networks_4
+
+- name: networks_cli_compatible=no, networks (less networks)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: bridge
+    networks_cli_compatible: false
+  register: networks_5
+
+- name: networks_cli_compatible=no, networks, purge_networks (less networks)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    comparisons:
+      networks: strict
+    networks:
+      - name: bridge
+    networks_cli_compatible: false
+    force_kill: true
+  register: networks_6
+
+- name: networks_cli_compatible=no, networks, purge_networks (more networks)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    comparisons:
+      networks: strict
+    networks:
+      - name: bridge
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: false
+    force_kill: true
+  register: networks_7
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      # networks_1 has networks default, 'bridge', nname_1
+      - networks_1 is changed
+      - networks_1.container.NetworkSettings.Networks | length == 3
+      - nname_1 in networks_1.container.NetworkSettings.Networks
+      - nname_2 in networks_1.container.NetworkSettings.Networks
+      - "'default' in networks_1.container.NetworkSettings.Networks or 'bridge' in networks_1.container.NetworkSettings.Networks"
+      # networks_2 has networks default, 'bridge', nname_1
+      - networks_2 is not changed
+      - networks_2.container.NetworkSettings.Networks | length == 3
+      - nname_1 in networks_2.container.NetworkSettings.Networks
+      - nname_2 in networks_1.container.NetworkSettings.Networks
+      - "'default' in networks_1.container.NetworkSettings.Networks or 'bridge' in networks_1.container.NetworkSettings.Networks"
+      # networks_3 has networks 'bridge', nname_1
+      - networks_3 is changed
+      - networks_3.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_3.container.NetworkSettings.Networks
+      - "'default' in networks_3.container.NetworkSettings.Networks or 'bridge' in networks_3.container.NetworkSettings.Networks"
+      # networks_4 has networks 'bridge', nname_1
+      - networks_4 is not changed
+      - networks_4.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_4.container.NetworkSettings.Networks
+      - "'default' in networks_4.container.NetworkSettings.Networks or 'bridge' in networks_4.container.NetworkSettings.Networks"
+      # networks_5 has networks 'bridge', nname_1
+      - networks_5 is not changed
+      - networks_5.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_5.container.NetworkSettings.Networks
+      - "'default' in networks_5.container.NetworkSettings.Networks or 'bridge' in networks_5.container.NetworkSettings.Networks"
+      # networks_6 has networks 'bridge'
+      - networks_6 is changed
+      - networks_6.container.NetworkSettings.Networks | length == 1
+      - "'default' in networks_6.container.NetworkSettings.Networks or 'bridge' in networks_6.container.NetworkSettings.Networks"
+      # networks_7 has networks 'bridge', nname_2
+      - networks_7 is changed
+      - networks_7.container.NetworkSettings.Networks | length == 2
+      - nname_2 in networks_7.container.NetworkSettings.Networks
+      - "'default' in networks_7.container.NetworkSettings.Networks or 'bridge' in networks_7.container.NetworkSettings.Networks"
+
+####################################################################
+## networks for networks_cli_compatible=yes ########################
+####################################################################
+
+- name: networks_cli_compatible=yes, networks specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_1 }}"
+        aliases:
+          - alias1
+          - alias2
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: true
+  register: networks_1
+
+- name: networks_cli_compatible=yes, networks specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_1 }}"
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: true
+  register: networks_2
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- name: networks_cli_compatible=yes, empty networks list specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+  register: networks_3
+
+- name: networks_cli_compatible=yes, empty networks list specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+  register: networks_4
+
+- name: networks_cli_compatible=yes, empty networks list specified, purge_networks
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+    comparisons:
+      networks: strict
+    force_kill: true
+  register: networks_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- name: networks_cli_compatible=yes, networks not specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks_cli_compatible: true
+    force_kill: true
+  register: networks_6
+
+- name: networks_cli_compatible=yes, networks not specified
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks_cli_compatible: true
+  register: networks_7
+
+- name: networks_cli_compatible=yes, networks empty, purge_networks
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks_cli_compatible: true
+    comparisons:
+      networks: strict
+    networks: []
+    force_kill: true
+  register: networks_8
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.debug: var=networks_3
+
+- ansible.builtin.assert:
+    that:
+      # networks_1 has networks nname_1, nname_2
+      - networks_1 is changed
+      - networks_1.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_1.container.NetworkSettings.Networks
+      - nname_2 in networks_1.container.NetworkSettings.Networks
+      # networks_2 has networks nname_1, nname_2
+      - networks_2 is not changed
+      - networks_2.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_2.container.NetworkSettings.Networks
+      - nname_2 in networks_1.container.NetworkSettings.Networks
+      # networks_3 has networks 'bridge'
+      - networks_3 is changed
+      - networks_3.container.NetworkSettings.Networks | length == 1
+      - "'default' in networks_3.container.NetworkSettings.Networks or 'bridge' in networks_3.container.NetworkSettings.Networks"
+      # networks_4 has networks 'bridge'
+      - networks_4 is not changed
+      - networks_4.container.NetworkSettings.Networks | length == 1
+      - "'default' in networks_4.container.NetworkSettings.Networks or 'bridge' in networks_4.container.NetworkSettings.Networks"
+      # networks_5 has no networks
+      - networks_5 is changed
+      - networks_5.container.NetworkSettings.Networks | length == 0
+      # networks_6 has networks 'bridge'
+      - networks_6 is changed
+      - networks_6.container.NetworkSettings.Networks | length == 1
+      - "'default' in networks_6.container.NetworkSettings.Networks or 'bridge' in networks_6.container.NetworkSettings.Networks"
+      # networks_7 has networks 'bridge'
+      - networks_7 is not changed
+      - networks_7.container.NetworkSettings.Networks | length == 1
+      - "'default' in networks_7.container.NetworkSettings.Networks or 'bridge' in networks_7.container.NetworkSettings.Networks"
+      # networks_8 has no networks
+      - networks_8 is changed
+      - networks_8.container.NetworkSettings.Networks | length == 0
+
+####################################################################
+## networks with comparisons #######################################
+####################################################################
+
+- name: create container with one network
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_1 }}"
+    networks_cli_compatible: true
+  register: networks_1
+
+- name: different networks, comparisons=ignore
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: true
+    comparisons:
+      network_mode: ignore  # otherwise we'd have to set network_mode to nname_1
+      networks: ignore
+  register: networks_2
+
+- name: less networks, comparisons=ignore
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+    comparisons:
+      networks: ignore
+  register: networks_3
+
+- name: less networks, comparisons=allow_more_present
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+    comparisons:
+      networks: allow_more_present
+  register: networks_4
+
+- name: different networks, comparisons=allow_more_present
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: true
+    comparisons:
+      network_mode: ignore  # otherwise we'd have to set network_mode to nname_1
+      networks: allow_more_present
+    force_kill: true
+  register: networks_5
+
+- name: different networks, comparisons=strict
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_2 }}"
+    networks_cli_compatible: true
+    comparisons:
+      networks: strict
+    force_kill: true
+  register: networks_6
+
+- name: less networks, comparisons=strict
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks: []
+    networks_cli_compatible: true
+    comparisons:
+      networks: strict
+    force_kill: true
+  register: networks_7
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      # networks_1 has networks nname_1
+      - networks_1 is changed
+      - networks_1.container.NetworkSettings.Networks | length == 1
+      - nname_1 in networks_1.container.NetworkSettings.Networks
+      # networks_2 has networks nname_1
+      - networks_2 is not changed
+      - networks_2.container.NetworkSettings.Networks | length == 1
+      - nname_1 in networks_2.container.NetworkSettings.Networks
+      # networks_3 has networks nname_1
+      - networks_3 is not changed
+      - networks_3.container.NetworkSettings.Networks | length == 1
+      - nname_1 in networks_3.container.NetworkSettings.Networks
+      # networks_4 has networks nname_1
+      - networks_4 is not changed
+      - networks_4.container.NetworkSettings.Networks | length == 1
+      - nname_1 in networks_4.container.NetworkSettings.Networks
+      # networks_5 has networks nname_1, nname_2
+      - networks_5 is changed
+      - networks_5.container.NetworkSettings.Networks | length == 2
+      - nname_1 in networks_5.container.NetworkSettings.Networks
+      - nname_2 in networks_5.container.NetworkSettings.Networks
+      # networks_6 has networks nname_2
+      - networks_6 is changed
+      - networks_6.container.NetworkSettings.Networks | length == 1
+      - nname_2 in networks_6.container.NetworkSettings.Networks
+      # networks_7 has no networks
+      - networks_7 is changed
+      - networks_7.container.NetworkSettings.Networks | length == 0
+
+####################################################################
+## networks with IP address ########################################
+####################################################################
+
+- name: create container (stopped) with one network and fixed IP
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: stopped
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_2 }}"
+        ipv6_address: "{{ nname_3_ipv6_2 }}"
+    networks_cli_compatible: true
+  register: networks_1
+
+- name: create container (stopped) with one network and fixed IP (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: stopped
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_2 }}"
+        ipv6_address: "{{ nname_3_ipv6_2 }}"
+    networks_cli_compatible: true
+  register: networks_2
+
+- name: create container (stopped) with one network and fixed IP (different IPv4)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: stopped
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_3 }}"
+        ipv6_address: "{{ nname_3_ipv6_2 }}"
+    networks_cli_compatible: true
+  register: networks_3
+
+- name: create container (stopped) with one network and fixed IP (different IPv6)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: stopped
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_3 }}"
+        ipv6_address: "{{ nname_3_ipv6_3 }}"
+    networks_cli_compatible: true
+  register: networks_4
+
+- name: create container (started) with one network and fixed IP
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+  register: networks_5
+
+- name: create container (started) with one network and fixed IP (different IPv4)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_4 }}"
+        ipv6_address: "{{ nname_3_ipv6_3 }}"
+    networks_cli_compatible: true
+    force_kill: true
+  register: networks_6
+
+- name: create container (started) with one network and fixed IP (different IPv6)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_4 }}"
+        ipv6_address: "{{ nname_3_ipv6_4 }}"
+    networks_cli_compatible: true
+    force_kill: true
+  register: networks_7
+
+- name: create container (started) with one network and fixed IP (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    networks:
+      - name: "{{ nname_3 }}"
+        ipv4_address: "{{ nname_3_ipv4_4 }}"
+        ipv6_address: "{{ nname_3_ipv6_4 }}"
+    networks_cli_compatible: true
+  register: networks_8
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - networks_1 is changed
+      - networks_1.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_2
+      - networks_1.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_2 | normalize_ipaddr
+      - networks_1.container.NetworkSettings.Networks[nname_3].IPAddress == ""
+      - networks_1.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address == ""
+      - networks_2 is not changed
+      - networks_2.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_2
+      - networks_2.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_2 | normalize_ipaddr
+      - networks_2.container.NetworkSettings.Networks[nname_3].IPAddress == ""
+      - networks_2.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address == ""
+      - networks_3 is changed
+      - networks_3.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_3
+      - networks_3.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_2 | normalize_ipaddr
+      - networks_3.container.NetworkSettings.Networks[nname_3].IPAddress == ""
+      - networks_3.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address == ""
+      - networks_4 is changed
+      - networks_4.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_3
+      - networks_4.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_3 | normalize_ipaddr
+      - networks_4.container.NetworkSettings.Networks[nname_3].IPAddress == ""
+      - networks_4.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address == ""
+      - networks_5 is changed
+      - networks_5.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_3
+      - networks_5.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_3 | normalize_ipaddr
+      - networks_5.container.NetworkSettings.Networks[nname_3].IPAddress == nname_3_ipv4_3
+      - networks_5.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address | normalize_ipaddr == nname_3_ipv6_3 | normalize_ipaddr
+      - networks_6 is changed
+      - networks_6.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_4
+      - networks_6.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_3 | normalize_ipaddr
+      - networks_6.container.NetworkSettings.Networks[nname_3].IPAddress == nname_3_ipv4_4
+      - networks_6.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address | normalize_ipaddr == nname_3_ipv6_3 | normalize_ipaddr
+      - networks_7 is changed
+      - networks_7.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_4
+      - networks_7.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_4 | normalize_ipaddr
+      - networks_7.container.NetworkSettings.Networks[nname_3].IPAddress == nname_3_ipv4_4
+      - networks_7.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address | normalize_ipaddr == nname_3_ipv6_4 | normalize_ipaddr
+      - networks_8 is not changed
+      - networks_8.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv4Address == nname_3_ipv4_4
+      - networks_8.container.NetworkSettings.Networks[nname_3].IPAMConfig.IPv6Address | normalize_ipaddr == nname_3_ipv6_4 | normalize_ipaddr
+      - networks_8.container.NetworkSettings.Networks[nname_3].IPAddress == nname_3_ipv4_4
+      - networks_8.container.NetworkSettings.Networks[nname_3].GlobalIPv6Address | normalize_ipaddr == nname_3_ipv6_4 | normalize_ipaddr
+
+####################################################################
+####################################################################
+####################################################################
+
+- name: Delete networks
+  community.docker.docker_network:
+    name: "{{ network_name }}"
+    state: absent
+    force: true
+  loop:
+    - "{{ nname_1 }}"
+    - "{{ nname_2 }}"
+    - "{{ nname_3 }}"
+  loop_control:
+    loop_var: network_name
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/options.yml
new file mode 100644
index 00000000..e27a4aac
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/options.yml
@@ -0,0 +1,4943 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-options' }}"
+    cname_h1: "{{ cname_prefix ~ '-options-h1' }}"
+    cname_h2: "{{ cname_prefix ~ '-options-h2' }}"
+    cname_h3: "{{ cname_prefix ~ '-options-h3' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname, cname_h1, cname_h2, cname_h3] }}"
+
+####################################################################
+## auto_remove #####################################################
+####################################################################
+
+- name: auto_remove
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "echo"'
+    name: "{{ cname }}"
+    state: started
+    auto_remove: true
+  register: auto_remove_1
+
+- name: Give container 1 second to be sure it terminated
+  ansible.builtin.pause:
+    seconds: 1
+
+- name: auto_remove (verify)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: auto_remove_2
+
+- ansible.builtin.assert:
+    that:
+      - auto_remove_1 is changed
+      - auto_remove_2 is not changed
+
+####################################################################
+## blkio_weight ####################################################
+####################################################################
+
+- name: blkio_weight
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: 123
+  register: blkio_weight_1
+  ignore_errors: true
+
+- name: blkio_weight (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: 123
+  register: blkio_weight_2
+  ignore_errors: true
+
+- name: blkio_weight (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: 234
+    force_kill: true
+  register: blkio_weight_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- when: blkio_weight_1 is failed
+  ansible.builtin.assert:
+    that:
+      - "'setting cgroup config for procHooks process caused: failed to write' in blkio_weight_1.msg"
+
+- when: blkio_weight_1 is not failed
+  ansible.builtin.assert:
+    that:
+      - blkio_weight_1 is changed
+      - blkio_weight_2 is not failed
+      - >-
+        blkio_weight_2 is not changed or ('Docker warning: Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.' in (blkio_weight_2.warnings | default([])))
+      - blkio_weight_3 is not failed
+      - blkio_weight_3 is changed
+
+####################################################################
+## cap_drop, capabilities ##########################################
+####################################################################
+
+- name: capabilities, cap_drop
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    capabilities:
+      - sys_time
+    cap_drop:
+      - all
+  register: capabilities_1
+
+- name: capabilities, cap_drop (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    capabilities:
+      - sys_time
+    cap_drop:
+      - all
+  register: capabilities_2
+
+- name: capabilities, cap_drop (less)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    capabilities: []
+    cap_drop:
+      - all
+  register: capabilities_3
+
+- name: capabilities, cap_drop (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    capabilities:
+      - setgid
+    cap_drop:
+      - all
+    force_kill: true
+  register: capabilities_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - capabilities_1 is changed
+      - capabilities_2 is not changed
+      - capabilities_3 is not changed
+      - capabilities_4 is changed
+
+####################################################################
+## cgroupns_mode ###################################################
+####################################################################
+
+- name: cgroupns_mode
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    cgroupns_mode: host
+  register: cgroupns_mode_1
+  ignore_errors: true
+
+- name: cgroupns_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    cgroupns_mode: host
+  register: cgroupns_mode_2
+  ignore_errors: true
+
+- name: cgroupns_mode (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    cgroupns_mode: private
+  register: cgroupns_mode_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cgroupns_mode_1 is changed
+      - cgroupns_mode_2 is not changed and cgroupns_mode_2 is not failed
+      - >-
+        cgroupns_mode_3 is changed or
+        ('Docker warning: Your kernel does not support cgroup namespaces.  Cgroup namespace setting discarded.' in (cgroupns_mode_3.warnings | default([]))) or
+        (cgroupns_mode_3 is failed and 'error mounting "cgroup" to rootfs at "/sys/fs/cgroup"' in cgroupns_mode_3.msg)
+  when: docker_api_version is version('1.41', '>=') and cgroupns_mode_1 is not failed
+- ansible.builtin.assert:
+    that:
+      - >-
+        'error mounting "cgroup" to rootfs at "/sys/fs/cgroup"' in cgroupns_mode_1.msg
+  when: docker_api_version is version('1.41', '>=') and cgroupns_mode_1 is failed
+- ansible.builtin.assert:
+    that:
+      - cgroupns_mode_1 is failed
+      - |
+        ('API version is ' ~ docker_api_version ~ '.') in cgroupns_mode_1.msg and 'Minimum version required is 1.41 ' in cgroupns_mode_1.msg
+  when: docker_api_version is version('1.41', '<')
+
+####################################################################
+## cgroup_parent ###################################################
+####################################################################
+
+- name: cgroup_parent
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    cgroup_parent: ''
+  register: cgroup_parent_1
+
+- name: cgroup_parent (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    cgroup_parent: ''
+  register: cgroup_parent_2
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cgroup_parent_1 is changed
+      - cgroup_parent_2 is not changed
+
+####################################################################
+## command #########################################################
+####################################################################
+
+# old
+
+- name: command (compatibility)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    command: '/bin/sh -v -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: command_1
+
+- name: command (compatibility, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    command: '/bin/sh -v -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: command_2
+
+- name: command (compatibility, idempotency, list)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    command:
+      - /bin/sh
+      - '-v'
+      - '-c'
+      - '"sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: command_3
+
+- name: command (compatibility, fewer parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: command_4
+
+- name: command (compatibility, empty list)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    command: []
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: command_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - command_1 is changed
+      - command_2 is not changed
+      - command_3 is not changed
+      - command_4 is changed
+      - command_5 is not changed
+
+# new
+
+- name: command (correct)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command: '/bin/sh -v -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: command_1
+
+- name: command (correct, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command: '/bin/sh -v -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: command_2
+
+- name: command (correct, idempotency, list)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command:
+      - /bin/sh
+      - '-v'
+      - '-c'
+      - sleep 10m
+    name: "{{ cname }}"
+    state: started
+  register: command_3
+
+- name: command (correct, fewer parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: command_4
+
+- name: command (correct, empty list)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command: []
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: command_5
+
+- name: command (correct, empty list, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    command: []
+    name: "{{ cname }}"
+    state: present  # the container will use the default command and likely has been exited by this point, so don't use 'state: started' here
+    force_kill: true
+  register: command_6
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - command_1 is changed
+      - command_2 is not changed
+      - command_3 is not changed
+      - command_4 is changed
+      - command_5 is changed
+      - command_6 is not changed
+
+####################################################################
+## cpu_period ######################################################
+####################################################################
+
+- name: cpu_period
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_period: 90000
+    state: started
+  register: cpu_period_1
+
+- name: cpu_period (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_period: 90000
+    state: started
+  register: cpu_period_2
+
+- name: cpu_period (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_period: 50000
+    state: started
+    force_kill: true
+  register: cpu_period_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpu_period_1 is changed
+      - cpu_period_2 is not changed
+      - cpu_period_3 is changed
+
+####################################################################
+## cpu_quota #######################################################
+####################################################################
+
+- name: cpu_quota
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_quota: 150000
+    state: started
+  register: cpu_quota_1
+
+- name: cpu_quota (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_quota: 150000
+    state: started
+  register: cpu_quota_2
+
+- name: cpu_quota (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_quota: 50000
+    state: started
+    force_kill: true
+  register: cpu_quota_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpu_quota_1 is changed
+      - cpu_quota_2 is not changed
+      - cpu_quota_3 is changed
+
+####################################################################
+## cpu_shares ######################################################
+####################################################################
+
+- name: cpu_shares
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_shares: 900
+    state: started
+  register: cpu_shares_1
+
+- name: cpu_shares (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_shares: 900
+    state: started
+  register: cpu_shares_2
+
+- name: cpu_shares (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpu_shares: 1100
+    state: started
+    force_kill: true
+  register: cpu_shares_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpu_shares_1 is changed
+      - cpu_shares_2 is not changed
+      - cpu_shares_3 is changed
+
+####################################################################
+## cpuset_cpus #####################################################
+####################################################################
+
+- name: cpuset_cpus
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_cpus: "0"
+    state: started
+  register: cpuset_cpus_1
+
+- name: cpuset_cpus (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_cpus: "0"
+    state: started
+  register: cpuset_cpus_2
+
+- name: cpuset_cpus (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_cpus: "1"
+    state: started
+    force_kill: true
+  # This will fail if the system the test is run on doesn't have
+  # multiple CPUs/cores available.
+  ignore_errors: true
+  register: cpuset_cpus_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpuset_cpus_1 is changed
+      - cpuset_cpus_2 is not changed
+      - cpuset_cpus_3 is failed or cpuset_cpus_3 is changed
+
+####################################################################
+## cpuset_mems #####################################################
+####################################################################
+
+- name: cpuset_mems
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_mems: "0"
+    state: started
+  register: cpuset_mems_1
+
+- name: cpuset_mems (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_mems: "0"
+    state: started
+  register: cpuset_mems_2
+
+- name: cpuset_mems (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpuset_mems: "1"
+    state: started
+    force_kill: true
+  # This will fail if the system the test is run on doesn't have
+  # multiple MEMs available.
+  ignore_errors: true
+  register: cpuset_mems_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpuset_mems_1 is changed
+      - cpuset_mems_2 is not changed
+      - cpuset_mems_3 is failed or cpuset_mems_3 is changed
+
+####################################################################
+## cpus ############################################################
+####################################################################
+
+- name: cpus
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpus: 1
+    state: started
+  register: cpus_1
+
+- name: cpus (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpus: 1
+    state: started
+  register: cpus_2
+
+- name: cpus (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    cpus: 1.5
+    state: started
+    force_kill: true
+  # This will fail if the system the test is run on doesn't have
+  # multiple MEMs available.
+  register: cpus_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - cpus_1 is changed
+      - cpus_2 is not changed and cpus_2 is not failed
+      - cpus_3 is failed or cpus_3 is changed
+
+####################################################################
+## debug ###########################################################
+####################################################################
+
+- name: debug (create)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+    debug: true
+  register: debug_1
+
+- name: debug (start)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+    debug: true
+  register: debug_2
+
+- name: debug (stop)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: stopped
+    force_kill: true
+    debug: true
+  register: debug_3
+
+- name: debug (absent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    debug: true
+    force_kill: true
+  register: debug_4
+
+- ansible.builtin.assert:
+    that:
+      - debug_1 is changed
+      - debug_2 is changed
+      - debug_3 is changed
+      - debug_4 is changed
+
+####################################################################
+## detach, cleanup #################################################
+####################################################################
+
+- name: detach without cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_hello_world }}"
+    detach: false
+  register: detach_no_cleanup
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: detach_no_cleanup_cleanup
+  diff: false
+
+- name: detach with cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_hello_world }}"
+    detach: false
+    cleanup: true
+  register: detach_cleanup
+
+- name: cleanup (unnecessary)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: detach_cleanup_cleanup
+  diff: false
+
+- name: detach with auto_remove and cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_hello_world }}"
+    detach: false
+    auto_remove: true
+    cleanup: true
+  register: detach_auto_remove
+  ignore_errors: true
+
+- name: cleanup (unnecessary)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: detach_auto_remove_cleanup
+  diff: false
+
+- name: detach with cleanup and non-zero status
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "exit 42"'
+    detach: false
+    cleanup: true
+  register: detach_cleanup_nonzero
+  ignore_errors: true
+
+- ansible.builtin.assert:
+    that:
+      # NOTE that 'Output' sometimes fails to contain the correct output
+      #      of hello-world. We don't know why this happens, but it happens
+      #      often enough to be annoying. That's why we disable this for now,
+      #      and simply test that 'Output' is contained in the result.
+      - "'Output' in detach_no_cleanup.container"
+      - detach_no_cleanup.status == 0
+      # - "'Hello from Docker!' in detach_no_cleanup.container.Output"
+      - detach_no_cleanup_cleanup is changed
+      - "'Output' in detach_cleanup.container"
+      - detach_cleanup.status == 0
+      # - "'Hello from Docker!' in detach_cleanup.container.Output"
+      - detach_cleanup_cleanup is not changed
+      - detach_cleanup_nonzero is failed
+      - detach_cleanup_nonzero.status == 42
+      - "'Output' in detach_cleanup_nonzero.container"
+      - "detach_cleanup_nonzero.container.Output == ''"
+      - "'Cannot retrieve result as auto_remove is enabled' == detach_auto_remove.container.Output"
+      - detach_auto_remove_cleanup is not changed
+
+####################################################################
+## devices #########################################################
+####################################################################
+
+- name: devices
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/urandom:/dev/virt-urandom:rwm"
+  register: devices_1
+
+- name: devices (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/urandom:/dev/virt-urandom:rwm"
+      - "/dev/random:/dev/virt-random:rwm"
+  register: devices_2
+
+- name: devices (less)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+  register: devices_3
+
+- name: devices (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    devices:
+      - "/dev/random:/dev/virt-random:rwm"
+      - "/dev/null:/dev/virt-null:rwm"
+    force_kill: true
+  register: devices_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - devices_1 is changed
+      - devices_2 is not changed
+      - devices_3 is not changed
+      - devices_4 is changed
+
+####################################################################
+## device_read_bps #################################################
+####################################################################
+
+- name: device_read_bps
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_bps:
+      - path: /dev/random
+        rate: 20M
+      - path: /dev/urandom
+        rate: 10K
+  register: device_read_bps_1
+  ignore_errors: true
+
+- name: device_read_bps (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_bps:
+      - path: /dev/urandom
+        rate: 10K
+      - path: /dev/random
+        rate: 20M
+  register: device_read_bps_2
+  ignore_errors: true
+
+- name: device_read_bps (lesser entries)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_bps:
+      - path: /dev/random
+        rate: 20M
+  register: device_read_bps_3
+  ignore_errors: true
+
+- name: device_read_bps (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_bps:
+      - path: /dev/random
+        rate: 10M
+      - path: /dev/urandom
+        rate: 5K
+    force_kill: true
+  register: device_read_bps_4
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- when: device_read_bps_1 is not failed
+  ansible.builtin.assert:
+    that:
+      - device_read_bps_1 is not failed
+      - device_read_bps_1 is changed
+      - device_read_bps_2 is not failed
+      - device_read_bps_2 is not changed
+      - device_read_bps_3 is not failed
+      - device_read_bps_3 is not changed
+      - device_read_bps_4 is not failed
+      - device_read_bps_4 is changed
+
+- when: device_read_bps_1 is failed
+  ansible.builtin.assert:
+    that:
+      - "'error setting cgroup config for procHooks process' in device_read_bps_1.msg and 'blkio.throttle.read_bps_device: no such device' in device_read_bps_1.msg"
+
+####################################################################
+## device_read_iops ################################################
+####################################################################
+
+- name: device_read_iops
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_iops:
+      - path: /dev/random
+        rate: 10
+      - path: /dev/urandom
+        rate: 20
+  register: device_read_iops_1
+  ignore_errors: true
+
+- name: device_read_iops (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_iops:
+      - path: /dev/urandom
+        rate: "20"
+      - path: /dev/random
+        rate: 10
+  register: device_read_iops_2
+  ignore_errors: true
+
+- name: device_read_iops (less)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_iops:
+      - path: /dev/random
+        rate: 10
+  register: device_read_iops_3
+  ignore_errors: true
+
+- name: device_read_iops (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_read_iops:
+      - path: /dev/random
+        rate: 30
+      - path: /dev/urandom
+        rate: 50
+    force_kill: true
+  register: device_read_iops_4
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- when: device_read_iops_1 is not failed
+  ansible.builtin.assert:
+    that:
+      - device_read_iops_1 is not failed
+      - device_read_iops_1 is changed
+      - device_read_iops_2 is not failed
+      - device_read_iops_2 is not changed
+      - device_read_iops_3 is not failed
+      - device_read_iops_3 is not changed
+      - device_read_iops_4 is not failed
+      - device_read_iops_4 is changed
+
+- when: device_read_iops_1 is failed
+  ansible.builtin.assert:
+    that:
+      - "'error setting cgroup config for procHooks process' in device_read_iops_1.msg and 'blkio.throttle.read_iops_device: no such device' in device_read_iops_1.msg"
+
+####################################################################
+## device_write_bps and device_write_iops ##########################
+####################################################################
+
+- name: device_write_bps and device_write_iops
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_write_bps:
+      - path: /dev/random
+        rate: 10M
+    device_write_iops:
+      - path: /dev/urandom
+        rate: 30
+  register: device_write_limit_1
+  ignore_errors: true
+
+- name: device_write_bps and device_write_iops (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_write_bps:
+      - path: /dev/random
+        rate: 10M
+    device_write_iops:
+      - path: /dev/urandom
+        rate: 30
+  register: device_write_limit_2
+  ignore_errors: true
+
+- name: device_write_bps device_write_iops (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_write_bps:
+      - path: /dev/random
+        rate: 20K
+    device_write_iops:
+      - path: /dev/urandom
+        rate: 100
+    force_kill: true
+  register: device_write_limit_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- when: device_write_limit_1 is not failed
+  ansible.builtin.assert:
+    that:
+      - device_write_limit_1 is not failed and device_write_limit_2 is not failed and device_write_limit_3 is not failed
+      - device_write_limit_1 is changed
+      - device_write_limit_2 is not changed
+      - device_write_limit_3 is changed
+
+- when: device_write_limit_1 is failed
+  ansible.builtin.assert:
+    that:
+      - "'error setting cgroup config for procHooks process' in device_write_limit_1.msg and 'blkio.throttle.write_bps_device: no such device' in device_write_limit_1.msg"
+
+####################################################################
+## device_requests #################################################
+####################################################################
+
+- name: device_requests
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_requests: []
+  register: device_requests_1
+  ignore_errors: true
+
+- name: device_requests (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    device_requests: []
+  register: device_requests_2
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - device_requests_1 is changed
+      - device_requests_2 is not changed
+  when: docker_api_version is version('1.40', '>=')
+- ansible.builtin.assert:
+    that:
+      - device_requests_1 is failed
+      - |
+        ('API version is ' ~ docker_api_version ~ '.') in device_requests_1.msg and 'Minimum version required is 1.40 ' in device_requests_1.msg
+  when: docker_api_version is version('1.40', '<')
+
+####################################################################
+## device_cgroup_rules ###################################################
+####################################################################
+
+- name: device_cgroup_rules
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+    device_cgroup_rules:
+      - "c 42:* rmw"
+  register: device_cgroup_rules_1
+  ignore_errors: true
+
+- name: cgroupns_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+    device_cgroup_rules:
+      - "c 42:* rmw"
+  register: device_cgroup_rules_2
+  ignore_errors: true
+
+- name: cgroupns_mode (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+    device_cgroup_rules:
+      - "c 189:* rmw"
+  register: device_cgroup_rules_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - device_cgroup_rules_1 is changed
+      - device_cgroup_rules_2 is not changed
+      - device_cgroup_rules_3 is changed
+  when: docker_api_version is version('1.28', '>=')
+- ansible.builtin.assert:
+    that:
+      - device_cgroup_rules_1 is failed
+      - |
+        ('API version is ' ~ docker_api_version ~ '.') in device_cgroup_rules_1.msg and 'Minimum version required is 1.28 ' in device_cgroup_rules_1.msg
+  when: docker_api_version is version('1.28', '<')
+
+####################################################################
+## dns_opts ########################################################
+####################################################################
+
+- name: dns_opts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_opts:
+      - "timeout:10"
+      - rotate
+  register: dns_opts_1
+
+- name: dns_opts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_opts:
+      - rotate
+      - "timeout:10"
+  register: dns_opts_2
+
+- name: dns_opts (less resolv.conf options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_opts:
+      - "timeout:10"
+  register: dns_opts_3
+
+- name: dns_opts (more resolv.conf options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_opts:
+      - "timeout:10"
+      - no-check-names
+    force_kill: true
+  register: dns_opts_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_opts_1 is changed
+      - dns_opts_2 is not changed
+      - dns_opts_3 is not changed
+      - dns_opts_4 is changed
+
+####################################################################
+## dns_search_domains ##############################################
+####################################################################
+
+- name: dns_search_domains
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_search_domains:
+      - example.com
+      - example.org
+  register: dns_search_domains_1
+
+- name: dns_search_domains (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_search_domains:
+      - example.com
+      - example.org
+  register: dns_search_domains_2
+
+- name: dns_search_domains (different order)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_search_domains:
+      - example.org
+      - example.com
+    force_kill: true
+  register: dns_search_domains_3
+
+- name: dns_search_domains (changed elements)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_search_domains:
+      - ansible.com
+      - example.com
+    force_kill: true
+  register: dns_search_domains_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_search_domains_1 is changed
+      - dns_search_domains_2 is not changed
+      - dns_search_domains_3 is changed
+      - dns_search_domains_4 is changed
+
+####################################################################
+## dns_servers #####################################################
+####################################################################
+
+- name: dns_servers
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 1.1.1.1
+      - 8.8.8.8
+  register: dns_servers_1
+
+- name: dns_servers (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 1.1.1.1
+      - 8.8.8.8
+  register: dns_servers_2
+
+- name: dns_servers (changed order)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 8.8.8.8
+      - 1.1.1.1
+    force_kill: true
+  register: dns_servers_3
+
+- name: dns_servers (changed elements)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    dns_servers:
+      - 8.8.8.8
+      - 9.9.9.9
+    force_kill: true
+  register: dns_servers_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_servers_1 is changed
+      - dns_servers_2 is not changed
+      - dns_servers_3 is changed
+      - dns_servers_4 is changed
+
+####################################################################
+## domainname ######################################################
+####################################################################
+
+- name: domainname
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    domainname: example.com
+    state: started
+  register: domainname_1
+
+- name: domainname (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    domainname: example.com
+    state: started
+  register: domainname_2
+
+- name: domainname (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    domainname: example.org
+    state: started
+    force_kill: true
+  register: domainname_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - domainname_1 is changed
+      - domainname_2 is not changed
+      - domainname_3 is changed
+
+####################################################################
+## entrypoint ######################################################
+####################################################################
+
+# Old
+
+- name: entrypoint (compatibility)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint:
+      - /bin/sh
+      - "-v"
+      - "-c"
+      - "'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+  register: entrypoint_1
+
+- name: entrypoint (compatibility, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint:
+      - /bin/sh
+      - "-v"
+      - "-c"
+      - "'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+  register: entrypoint_2
+
+- name: entrypoint (compatibility, change order, should not be idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "'sleep 10m'"
+      - "-v"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_3
+
+- name: entrypoint (compatibility, fewer parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_4
+
+- name: entrypoint (compatibility, other parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "'sleep 5m'"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_5
+
+- name: entrypoint (compatibility, force empty)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: compatibility
+    entrypoint: []
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_6
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - entrypoint_1 is changed
+      - entrypoint_2 is not changed
+      - entrypoint_3 is changed
+      - entrypoint_4 is changed
+      - entrypoint_5 is changed
+      - entrypoint_6 is not changed
+
+# New
+
+- name: entrypoint (correct)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint:
+      - /bin/sh
+      - "-v"
+      - "-c"
+      - "sleep 10m"
+    name: "{{ cname }}"
+    state: started
+  register: entrypoint_1
+
+- name: entrypoint (correct, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint:
+      - /bin/sh
+      - "-v"
+      - "-c"
+      - "sleep 10m"
+    name: "{{ cname }}"
+    state: started
+  register: entrypoint_2
+
+- name: entrypoint (correct, change order, should not be idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "sleep 10m"
+      - "-v"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_3
+
+- name: entrypoint (correct, fewer parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "sleep 10m"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_4
+
+- name: entrypoint (correct, other parameters)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint:
+      - /bin/sh
+      - "-c"
+      - "sleep 5m"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_5
+
+- name: entrypoint (correct, force empty)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command_handling: correct
+    entrypoint: []
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: entrypoint_6
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - entrypoint_1 is changed
+      - entrypoint_2 is not changed
+      - entrypoint_3 is changed
+      - entrypoint_4 is changed
+      - entrypoint_5 is changed
+      - entrypoint_6 is changed
+
+####################################################################
+## env #############################################################
+####################################################################
+
+- name: env
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env:
+      TEST1: val1
+      TEST2: val2
+      TEST3: "False"
+      TEST4: "true"
+      TEST5: "yes"
+  register: env_1
+
+- name: env (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env:
+      TEST2: val2
+      TEST1: val1
+      TEST5: "yes"
+      TEST3: "False"
+      TEST4: "true"
+  register: env_2
+
+- name: env (less environment variables)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env:
+      TEST1: val1
+  register: env_3
+
+- name: env (more environment variables)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env:
+      TEST1: val1
+      TEST3: val3
+    force_kill: true
+  register: env_4
+
+- name: env (fail unwrapped values)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env:
+      TEST1: true
+    force_kill: true
+  register: env_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - env_1 is changed
+      - "'TEST1=val1' in env_1.container.Config.Env"
+      - "'TEST2=val2' in env_1.container.Config.Env"
+      - "'TEST3=False' in env_1.container.Config.Env"
+      - "'TEST4=true' in env_1.container.Config.Env"
+      - "'TEST5=yes' in env_1.container.Config.Env"
+      - env_2 is not changed
+      - env_3 is not changed
+      - "'TEST1=val1' in env_4.container.Config.Env"
+      - "'TEST2=val2' not in env_4.container.Config.Env"
+      - "'TEST3=val3' in env_4.container.Config.Env"
+      - env_4 is changed
+      - env_5 is failed
+      - "('Non-string value found for env option.') in env_5.msg"
+
+####################################################################
+## env_file #########################################################
+####################################################################
+
+- name: Copy env-file
+  ansible.builtin.copy:
+    src: env-file
+    dest: "{{ remote_tmp_dir }}/env-file"
+
+- name: env_file
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+  register: env_file_1
+
+- name: env_file (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+  register: env_file_2
+
+- name: env_file (with env, idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+    env:
+      TEST3: val3
+  register: env_file_3
+
+- name: env_file (with env)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+    env:
+      TEST1: val1
+      TEST3: val3
+    force_kill: true
+  register: env_file_4
+
+- name: env_file (with env, idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+    env:
+      TEST1: val1
+  register: env_file_5
+
+- name: env_file (with env, override)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    env_file: "{{ remote_tmp_dir }}/env-file"
+    env:
+      TEST2: val2
+      TEST4: val4alt
+    force_kill: true
+  register: env_file_6
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - env_file_1 is changed
+      - "'TEST3=val3' in env_file_1.container.Config.Env"
+      - "'TEST4=val4' in env_file_1.container.Config.Env"
+      - env_file_2 is not changed
+      - env_file_3 is not changed
+      - env_file_4 is changed
+      - "'TEST1=val1' in env_file_4.container.Config.Env"
+      - "'TEST3=val3' in env_file_4.container.Config.Env"
+      - "'TEST4=val4' in env_file_4.container.Config.Env"
+      - env_file_5 is not changed
+      - env_file_6 is changed
+      - "'TEST2=val2' in env_file_6.container.Config.Env"
+      - "'TEST3=val3' in env_file_6.container.Config.Env"
+      - "'TEST4=val4alt' in env_file_6.container.Config.Env"
+
+####################################################################
+## etc_hosts #######################################################
+####################################################################
+
+- name: etc_hosts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    etc_hosts:
+      example.com: 1.2.3.4
+      example.org: 4.3.2.1
+  register: etc_hosts_1
+
+- name: etc_hosts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    etc_hosts:
+      example.org: 4.3.2.1
+      example.com: 1.2.3.4
+  register: etc_hosts_2
+
+- name: etc_hosts (less hosts)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    etc_hosts:
+      example.com: 1.2.3.4
+  register: etc_hosts_3
+
+- name: etc_hosts (more hosts)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    etc_hosts:
+      example.com: 1.2.3.4
+      example.us: 1.2.3.5
+    force_kill: true
+  register: etc_hosts_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - etc_hosts_1 is changed
+      - etc_hosts_2 is not changed
+      - etc_hosts_3 is not changed
+      - etc_hosts_4 is changed
+
+####################################################################
+## exposed_ports ###################################################
+####################################################################
+
+- name: exposed_ports
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9001"
+      - "9002"
+  register: exposed_ports_1
+
+- name: exposed_ports (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9002"
+      - "9001"
+  register: exposed_ports_2
+
+- name: exposed_ports (less ports)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9002"
+  register: exposed_ports_3
+
+- name: exposed_ports (more ports)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9002"
+      - "9003"
+    force_kill: true
+  register: exposed_ports_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - exposed_ports_1 is changed
+      - exposed_ports_2 is not changed
+      - exposed_ports_3 is not changed
+      - exposed_ports_4 is changed
+
+####################################################################
+## force_kill ######################################################
+####################################################################
+
+# TODO: - force_kill
+
+####################################################################
+## groups ##########################################################
+####################################################################
+
+- name: groups
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1234"
+      - "5678"
+  register: groups_1
+
+- name: groups (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "5678"
+      - "1234"
+  register: groups_2
+
+- name: groups (less groups)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1234"
+  register: groups_3
+
+- name: groups (more groups)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    groups:
+      - "1234"
+      - "2345"
+    force_kill: true
+  register: groups_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - groups_1 is changed
+      - groups_2 is not changed
+      - groups_3 is not changed
+      - groups_4 is changed
+
+####################################################################
+## healthcheck #####################################################
+####################################################################
+
+- name: healthcheck
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - 1
+      timeout: 2s
+      interval: 0h0m2s3ms4us
+      retries: 2
+    force_kill: true
+  register: healthcheck_1
+
+- name: healthcheck (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - 1
+      timeout: 2s
+      interval: 0h0m2s3ms4us
+      retries: 2
+    force_kill: true
+  register: healthcheck_2
+
+- name: healthcheck (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - 1
+      timeout: 3s
+      interval: 0h1m2s3ms4us
+      retries: 3
+    force_kill: true
+  register: healthcheck_3
+
+- name: healthcheck (no change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: healthcheck_4
+
+- name: healthcheck (disabled)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - NONE
+    force_kill: true
+  register: healthcheck_5
+
+- name: healthcheck (disabled, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - NONE
+    force_kill: true
+  register: healthcheck_6
+
+- name: healthcheck (disabled, idempotency, strict)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test:
+        - NONE
+    force_kill: true
+    comparisons:
+      '*': strict
+  register: healthcheck_7
+
+- name: healthcheck (string in healthcheck test, changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test: "sleep 1"
+    force_kill: true
+  register: healthcheck_8
+
+- name: healthcheck (string in healthcheck test, idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    healthcheck:
+      test: "sleep 1"
+    force_kill: true
+  register: healthcheck_9
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - healthcheck_1 is changed
+      - healthcheck_2 is not changed
+      - healthcheck_3 is changed
+      - healthcheck_4 is not changed
+      - healthcheck_5 is changed
+      - healthcheck_6 is not changed
+      - healthcheck_7 is not changed
+      - healthcheck_8 is changed
+      - healthcheck_9 is not changed
+
+####################################################################
+## hostname ########################################################
+####################################################################
+
+- name: hostname
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    hostname: me.example.com
+    state: started
+  register: hostname_1
+
+- name: hostname (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    hostname: me.example.com
+    state: started
+  register: hostname_2
+
+- name: hostname (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    hostname: me.example.org
+    state: started
+    force_kill: true
+  register: hostname_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - hostname_1 is changed
+      - hostname_2 is not changed
+      - hostname_3 is changed
+
+####################################################################
+## init ############################################################
+####################################################################
+
+- name: init
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    init: true
+    state: started
+  register: init_1
+
+- name: init (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    init: true
+    state: started
+  register: init_2
+
+- name: init (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    init: false
+    state: started
+    force_kill: true
+  register: init_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - init_1 is changed
+      - init_2 is not changed
+      - init_3 is changed
+
+####################################################################
+## interactive #####################################################
+####################################################################
+
+- name: interactive
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    interactive: true
+    state: started
+  register: interactive_1
+
+- name: interactive (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    interactive: true
+    state: started
+  register: interactive_2
+
+- name: interactive (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    interactive: false
+    state: started
+    force_kill: true
+  register: interactive_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - interactive_1 is changed
+      - interactive_2 is not changed
+      - interactive_3 is changed
+
+####################################################################
+## image / image_comparison ########################################
+####################################################################
+
+- name: Pull images to make sure ignore_image test succeeds
+  # If the image isn't there, it will pull it and return 'changed'.
+  community.docker.docker_image_pull:
+    name: "{{ item }}"
+  loop:
+    - "{{ docker_test_image_hello_world }}"
+    - "{{ docker_test_image_registry_nginx }}"
+
+- name: image
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_1
+
+- name: image (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_2
+  diff: true
+
+- name: ignore_image
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    comparisons:
+      image: ignore
+    name: "{{ cname }}"
+    state: started
+  register: ignore_image
+  diff: true
+
+- name: ignore_image (labels and env differ in image, image_comparison=current-image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_registry_nginx }}"
+    comparisons:
+      image: ignore
+    image_comparison: current-image
+    name: "{{ cname }}"
+    state: started
+  register: ignore_image_2
+  diff: true
+
+- name: ignore_image (labels and env differ in image, image_comparison=desired-image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_registry_nginx }}"
+    comparisons:
+      image: ignore
+    image_comparison: desired-image
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: ignore_image_3
+  diff: true
+
+- name: image change
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: image_change
+  diff: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - image_1 is changed
+      - image_2 is not changed
+      - ignore_image is not changed
+      - ignore_image_2 is not changed
+      - ignore_image_3 is changed
+      - image_change is changed
+
+####################################################################
+## image_label_mismatch ############################################
+####################################################################
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    iname_labels: "{{ cname_prefix ~ '-labels' }}"
+- name: Registering image name
+  ansible.builtin.set_fact:
+    inames: "{{ inames + [iname_labels] }}"
+- name: build image with labels
+  ansible.builtin.command:
+    cmd: "docker build --label img_label=base --tag {{ iname_labels }} -"
+    stdin: "FROM {{ docker_test_image_alpine }}"
+
+- name: image_label_mismatch
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_label_mismatch_1
+
+- name: image_label_mismatch (ignore,unmanaged labels)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: ignore
+    state: started
+  register: image_label_mismatch_2
+
+- name: image_label_mismatch (ignore,missing img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: ignore
+    labels: {}
+    state: started
+  register: image_label_mismatch_3
+
+- name: image_label_mismatch (ignore,match img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: ignore
+    labels:
+      img_label: base
+    state: started
+  register: image_label_mismatch_4
+
+- name: image_label_mismatch (ignore,mismatched img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: ignore
+    labels:
+      img_label: override
+    state: started
+    force_kill: true
+  register: image_label_mismatch_5
+
+- name: image_label_mismatch (ignore,remove img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: ignore
+    labels: {}
+    state: started
+    force_kill: true
+  register: image_label_mismatch_6
+
+- name: image_label_mismatch (fail,unmanaged labels)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: fail
+    state: started
+  register: image_label_mismatch_7
+
+- name: image_label_mismatch (fail,non-strict,missing img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: fail
+    labels: {}
+    state: started
+  register: image_label_mismatch_8
+
+- name: image_label_mismatch (fail,strict,missing img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: fail
+    comparisons:
+      labels: strict
+    labels: {}
+    state: started
+  ignore_errors: true
+  register: image_label_mismatch_9
+
+- name: image_label_mismatch (fail,match img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: fail
+    labels:
+      img_label: base
+    state: started
+  register: image_label_mismatch_10
+
+- name: image_label_mismatch (fail,mismatched img label)
+  community.docker.docker_container:
+    image: "{{ iname_labels }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_label_mismatch: fail
+    labels:
+      img_label: override
+    state: started
+    force_kill: true
+  register: image_label_mismatch_11
+
+- name: cleanup container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- name: cleanup image
+  community.docker.docker_image_remove:
+    name: "{{ iname_labels }}"
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - image_label_mismatch_1 is changed
+      - image_label_mismatch_1.container.Config.Labels.img_label == "base"
+      - image_label_mismatch_2 is not changed
+      - image_label_mismatch_3 is not changed
+      - image_label_mismatch_4 is not changed
+      - image_label_mismatch_5 is changed
+      - image_label_mismatch_5.container.Config.Labels.img_label == "override"
+      - image_label_mismatch_6 is changed
+      - image_label_mismatch_6.container.Config.Labels.img_label == "base"
+      - image_label_mismatch_7 is not changed
+      - image_label_mismatch_8 is not changed
+      - image_label_mismatch_9 is failed
+      - >-
+        image_label_mismatch_9.msg == ("Some labels should be removed but are present in the base image. You can set image_label_mismatch to 'ignore' to ignore this error. " ~ 'Labels: "img_label"')
+      - image_label_mismatch_10 is not changed
+      - image_label_mismatch_11 is changed
+
+####################################################################
+## image_name_mismatch #############################################
+####################################################################
+
+- name: Pull images to make sure ignore_image test succeeds
+  # If the image isn't there, it will pull it and return 'changed'.
+  community.docker.docker_image_pull:
+    name: "{{ item }}"
+  loop:
+    - "{{ docker_test_image_hello_world }}"
+    - "{{ docker_test_image_registry_nginx }}"
+
+- name: image
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_1
+
+- name: image (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_2
+  diff: true
+
+- name: ignore_image
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    comparisons:
+      image: ignore
+    name: "{{ cname }}"
+    state: started
+  register: ignore_image
+  diff: true
+
+- name: ignore_image (labels and env differ in image, image_comparison=current-image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_registry_nginx }}"
+    image_comparison: current-image
+    comparisons:
+      image: ignore
+    name: "{{ cname }}"
+    state: started
+  register: ignore_image_2
+  diff: true
+
+- name: ignore_image (labels and env differ in image, image_comparison=desired-image)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_registry_nginx }}"
+    image_comparison: desired-image
+    comparisons:
+      image: ignore
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: ignore_image_3
+  diff: true
+
+- name: image change
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: image_change
+  diff: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - image_1 is changed
+      - image_2 is not changed
+      - ignore_image is not changed
+      - ignore_image_2 is not changed
+      - ignore_image_3 is changed
+      - image_change is changed
+
+####################################################################
+## image_name_mismatch #############################################
+####################################################################
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    iname_name_mismatch: "{{ cname_prefix ~ '-image-name' }}"
+- name: Registering image name
+  ansible.builtin.set_fact:
+    inames: "{{ inames + [iname_name_mismatch] }}"
+
+- name: Tag hello world image (pulled earlier) with new name
+  community.docker.docker_image_tag:
+    name: "{{ docker_test_image_registry_nginx }}"
+    repository: "{{ iname_name_mismatch }}:latest"
+
+- name: image_name_mismatch
+  community.docker.docker_container:
+    image: "{{ docker_test_image_registry_nginx }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+  register: image_name_mismatch_1
+
+- name: image_name_mismatch (ignore)
+  community.docker.docker_container:
+    image: "{{ iname_name_mismatch }}:latest"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_name_mismatch: ignore
+    state: started
+  register: image_name_mismatch_2
+
+- name: image_name_mismatch (recreate)
+  community.docker.docker_container:
+    image: "{{ iname_name_mismatch }}:latest"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    image_name_mismatch: recreate
+    state: started
+    force_kill: true
+  register: image_name_mismatch_3
+
+- name: Cleanup container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- name: Cleanup image
+  community.docker.docker_image_remove:
+    name: "{{ iname_name_mismatch }}"
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - image_name_mismatch_1 is changed
+      - image_name_mismatch_2 is not changed
+      - image_name_mismatch_3 is changed
+      - image_name_mismatch_3.container.Image == image_name_mismatch_2.container.Image
+
+####################################################################
+## ipc_mode ########################################################
+####################################################################
+
+- name: start helpers
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ container_name }}"
+    state: started
+    ipc_mode: shareable
+  loop:
+    - "{{ cname_h1 }}"
+  loop_control:
+    loop_var: container_name
+
+- name: ipc_mode
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ipc_mode: "container:{{ cname_h1 }}"
+    # ipc_mode: shareable
+  register: ipc_mode_1
+
+- name: ipc_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ipc_mode: "container:{{ cname_h1 }}"
+    # ipc_mode: shareable
+  register: ipc_mode_2
+
+- name: ipc_mode (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ipc_mode: private
+    force_kill: true
+  register: ipc_mode_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname }}"
+    - "{{ cname_h1 }}"
+  loop_control:
+    loop_var: container_name
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - ipc_mode_1 is changed
+      - ipc_mode_2 is not changed
+      - ipc_mode_3 is changed
+
+####################################################################
+## kernel_memory ###################################################
+####################################################################
+
+- name: kernel_memory
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    kernel_memory: 8M
+    state: started
+  register: kernel_memory_1
+  ignore_errors: true
+
+- name: kernel_memory (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    kernel_memory: 8M
+    state: started
+  register: kernel_memory_2
+  ignore_errors: true
+
+- name: kernel_memory (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    kernel_memory: 6M
+    state: started
+    force_kill: true
+  register: kernel_memory_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - kernel_memory_1 is changed
+      - kernel_memory_2 is not changed
+      - kernel_memory_3 is changed
+  when:
+    - kernel_memory_1 is not failed or 'kernel memory accounting disabled in this runc build' not in kernel_memory_1.msg
+    - >-
+      'Docker warning: Specifying a kernel memory limit is deprecated and will be removed in a future release.' not in (kernel_memory_1.warnings | default([]))
+    # API version 1.42 seems to remove the kernel memory option completely
+    - "'KernelMemory' in kernel_memory_1.container.HostConfig or docker_api_version is version('1.42', '<')"
+
+####################################################################
+## kill_signal #####################################################
+####################################################################
+
+# TODO: - kill_signal
+
+####################################################################
+## labels ##########################################################
+####################################################################
+
+- name: labels
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+  register: labels_1
+
+- name: labels (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.2: world
+      ansible.test.1: hello
+  register: labels_2
+
+- name: labels (less labels)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+  register: labels_3
+
+- name: labels (more labels)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+    force_kill: true
+  register: labels_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - labels_1 is changed
+      - labels_2 is not changed
+      - labels_3 is not changed
+      - labels_4 is changed
+
+####################################################################
+## links ###########################################################
+####################################################################
+
+- name: start helpers
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ container_name }}"
+    state: started
+  loop:
+    - "{{ cname_h1 }}"
+    - "{{ cname_h2 }}"
+    - "{{ cname_h3 }}"
+  loop_control:
+    loop_var: container_name
+
+- name: links
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    links:
+      - "{{ cname_h1 }}:test1"
+      - "{{ cname_h2 }}:test2"
+  register: links_1
+
+- name: links (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    links:
+      - "{{ cname_h2 }}:test2"
+      - "{{ cname_h1 }}:test1"
+  register: links_2
+
+- name: links (less links)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    links:
+      - "{{ cname_h1 }}:test1"
+  register: links_3
+
+- name: links (more links)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    links:
+      - "{{ cname_h1 }}:test1"
+      - "{{ cname_h3 }}:test3"
+    force_kill: true
+  register: links_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname }}"
+    - "{{ cname_h1 }}"
+    - "{{ cname_h2 }}"
+    - "{{ cname_h3 }}"
+  loop_control:
+    loop_var: container_name
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - links_1 is changed
+      - links_2 is not changed
+      - links_3 is not changed
+      - links_4 is changed
+
+####################################################################
+## log_driver ######################################################
+####################################################################
+
+- name: log_driver
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+  register: log_driver_1
+
+- name: log_driver (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+  register: log_driver_2
+
+- name: log_driver (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: syslog
+    force_kill: true
+  register: log_driver_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - log_driver_1 is changed
+      - log_driver_2 is not changed
+      - log_driver_3 is changed
+
+####################################################################
+## log_options #####################################################
+####################################################################
+
+- name: log_options
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+    log_options:
+      labels: production_status
+      env: os,customer
+      max-file: 5
+  register: log_options_1
+
+- name: log_options (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+    log_options:
+      env: os,customer
+      labels: production_status
+      max-file: 5
+  register: log_options_2
+
+- name: log_options (less log options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+    log_options:
+      labels: production_status
+  register: log_options_3
+
+- name: log_options (more log options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    log_driver: json-file
+    log_options:
+      labels: production_status
+      max-size: 10m
+    force_kill: true
+  register: log_options_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - log_options_1 is changed
+      - log_options_2 is not changed
+      - message in (log_options_2.warnings | default([]))
+      - log_options_3 is not changed
+      - log_options_4 is changed
+  vars:
+    message: >-
+      Non-string value found for log_options option 'max-file'. The value is automatically converted to '5'.
+      If this is not correct, or you want to avoid such warnings, please quote the value,
+      or explicitly convert the values to strings when templating them.
+
+####################################################################
+## mac_address #####################################################
+####################################################################
+
+- when: docker_api_version is version('1.44', '<')
+  block:
+    - name: mac_address
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        mac_address: 92:d0:c6:0a:29:33
+        state: started
+      register: mac_address_1
+
+    - name: mac_address (idempotency)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        mac_address: 92:d0:c6:0a:29:33
+        state: started
+      register: mac_address_2
+
+    - name: mac_address (change)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        mac_address: 92:d0:c6:0a:29:44
+        state: started
+        force_kill: true
+      register: mac_address_3
+
+    - name: cleanup
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+      diff: false
+
+    - ansible.builtin.assert:
+        that:
+          - mac_address_1 is changed
+          - mac_address_2 is not changed
+          - mac_address_3 is changed
+
+####################################################################
+## memory ##########################################################
+####################################################################
+
+- name: memory
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory: 64M
+    state: started
+  register: memory_1
+
+- name: memory (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory: 64M
+    state: started
+  register: memory_2
+
+- name: memory (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory: 48M
+    state: started
+    force_kill: true
+  register: memory_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - memory_1 is changed
+      - memory_2 is not changed
+      - memory_3 is changed
+
+####################################################################
+## memory_reservation ##############################################
+####################################################################
+
+- name: memory_reservation
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_reservation: 64M
+    state: started
+  register: memory_reservation_1
+
+- name: memory_reservation (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_reservation: 64M
+    state: started
+  register: memory_reservation_2
+
+- name: memory_reservation (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_reservation: 48M
+    state: started
+    force_kill: true
+  register: memory_reservation_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - memory_reservation_1 is changed
+      - memory_reservation_2 is not changed
+      - memory_reservation_3 is changed
+
+####################################################################
+## memory_swap #####################################################
+####################################################################
+
+- name: memory_swap
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    # Docker daemon does not accept memory_swap if memory is not specified
+    memory: 32M
+    memory_swap: 64M
+    state: started
+    debug: true
+  register: memory_swap_1
+
+- name: memory_swap (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    # Docker daemon does not accept memory_swap if memory is not specified
+    memory: 32M
+    memory_swap: 64M
+    state: started
+    debug: true
+  register: memory_swap_2
+
+- name: memory_swap (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    # Docker daemon does not accept memory_swap if memory is not specified
+    memory: 32M
+    memory_swap: 48M
+    state: started
+    force_kill: true
+    debug: true
+  register: memory_swap_3
+
+- name: memory_swap (unlimited)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    # Docker daemon does not accept memory_swap if memory is not specified
+    memory: 32M
+    memory_swap: unlimited
+    state: started
+    force_kill: true
+    debug: true
+  register: memory_swap_4
+
+- name: memory_swap (unlimited via -1)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    # Docker daemon does not accept memory_swap if memory is not specified
+    memory: 32M
+    memory_swap: -1
+    state: started
+    force_kill: true
+    debug: true
+  register: memory_swap_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - memory_swap_1 is changed
+      # Sometimes (in particular during integration tests, maybe when not running
+      # on a proper VM), memory_swap cannot be set and will be -1 afterwards.
+      - memory_swap_2 is not changed or memory_swap_2.container.HostConfig.MemorySwap == -1
+      - memory_swap_3 is changed
+      # Unlimited memory_swap (using 'unlimited') should be allowed
+      # (If the value was already -1 because of the above reasons, it won't change)
+      - (memory_swap_4 is changed or memory_swap_3.container.HostConfig.MemorySwap == -1) and memory_swap_4.container.HostConfig.MemorySwap == -1
+      # Unlimited memory_swap (using '-1') should be allowed
+      - memory_swap_5 is not changed and memory_swap_5.container.HostConfig.MemorySwap == -1
+
+- ansible.builtin.debug: var=memory_swap_1
+  when: memory_swap_2 is changed
+- ansible.builtin.debug: var=memory_swap_2
+  when: memory_swap_2 is changed
+- ansible.builtin.debug: var=memory_swap_3
+  when: memory_swap_2 is changed
+
+####################################################################
+## memory_swappiness ###############################################
+####################################################################
+
+- name: memory_swappiness
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_swappiness: 40
+    state: started
+  register: memory_swappiness_1
+
+- name: memory_swappiness (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_swappiness: 40
+    state: started
+  register: memory_swappiness_2
+
+- name: memory_swappiness (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    memory_swappiness: 60
+    state: started
+    force_kill: true
+  register: memory_swappiness_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - memory_swappiness_1 is changed
+      - memory_swappiness_2 is not changed
+      - memory_swappiness_3 is changed
+  when: >-
+    'Docker warning: Your kernel does not support memory swappiness capabilities or the cgroup is not mounted. Memory swappiness discarded.' not in (memory_swappiness_1.warnings | default([]))
+
+####################################################################
+## oom_killer ######################################################
+####################################################################
+
+- name: oom_killer
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_killer: true
+    state: started
+  register: oom_killer_1
+
+- name: oom_killer (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_killer: true
+    state: started
+  register: oom_killer_2
+
+- name: oom_killer (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_killer: false
+    state: started
+    force_kill: true
+  register: oom_killer_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - oom_killer_1 is changed
+      - oom_killer_2 is not changed
+      - oom_killer_3 is changed
+  when: >-
+    'Docker warning: Your kernel does not support OomKillDisable. OomKillDisable discarded.' not in (oom_killer_1.warnings | default([]))
+
+####################################################################
+## oom_score_adj ###################################################
+####################################################################
+
+- name: oom_score_adj
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_score_adj: 5
+    state: started
+  register: oom_score_adj_1
+
+- name: oom_score_adj (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_score_adj: 5
+    state: started
+  register: oom_score_adj_2
+
+- name: oom_score_adj (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    oom_score_adj: 7
+    state: started
+    force_kill: true
+  register: oom_score_adj_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - oom_score_adj_1 is changed
+      - oom_score_adj_2 is not changed
+      - oom_score_adj_3 is changed
+  when: >-
+    'Docker warning: Your kernel does not support OomScoreAdj. OomScoreAdj discarded.' not in (oom_score_adj_1.warnings | default([]))
+
+####################################################################
+## output_logs #####################################################
+####################################################################
+
+# TODO: - output_logs
+
+####################################################################
+## paused ##########################################################
+####################################################################
+
+- name: paused
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: "/bin/sh -c 'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+    paused: true
+    force_kill: true
+  register: paused_1
+
+- name: inspect paused
+  ansible.builtin.command: "docker inspect -f {% raw %}'{{.State.Status}} {{.State.Paused}}'{% endraw %} {{ cname }}"
+  register: paused_2
+
+- name: paused (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: "/bin/sh -c 'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+    paused: true
+    force_kill: true
+  register: paused_3
+
+- name: paused (continue)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: "/bin/sh -c 'sleep 10m'"
+    name: "{{ cname }}"
+    state: started
+    paused: false
+    force_kill: true
+  register: paused_4
+
+- name: inspect paused
+  ansible.builtin.command: "docker inspect -f {% raw %}'{{.State.Status}} {{.State.Paused}}'{% endraw %} {{ cname }}"
+  register: paused_5
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - paused_1 is changed
+      - 'paused_2.stdout == "paused true"'
+      - paused_3 is not changed
+      - paused_4 is changed
+      - 'paused_5.stdout == "running false"'
+
+####################################################################
+## pid_mode ########################################################
+####################################################################
+
+- name: start helpers
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname_h1 }}"
+    state: started
+  register: pid_mode_helper
+
+- name: pid_mode
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pid_mode: "container:{{ pid_mode_helper.container.Id }}"
+  register: pid_mode_1
+
+- name: pid_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pid_mode: "container:{{ cname_h1 }}"
+  register: pid_mode_2
+
+- name: pid_mode (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pid_mode: host
+    force_kill: true
+  register: pid_mode_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname }}"
+    - "{{ cname_h1 }}"
+  loop_control:
+    loop_var: container_name
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - pid_mode_1 is changed
+      - pid_mode_2 is not changed
+      - pid_mode_3 is changed
+
+####################################################################
+## pids_limit ######################################################
+####################################################################
+
+- name: pids_limit
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pids_limit: 10
+  register: pids_limit_1
+
+- name: pids_limit (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pids_limit: 10
+  register: pids_limit_2
+
+- name: pids_limit (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    pids_limit: 20
+    force_kill: true
+  register: pids_limit_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - pids_limit_1 is changed
+      - pids_limit_2 is not changed
+      - pids_limit_3 is changed
+
+####################################################################
+## platform ########################################################
+####################################################################
+
+- name: Remove test image
+  community.docker.docker_image_remove:
+    name: "{{ docker_test_image_simple_1 }}"
+
+- name: platform
+  community.docker.docker_container:
+    image: "{{ docker_test_image_simple_1 }}"
+    name: "{{ cname }}"
+    state: present
+    pull: true
+    platform: linux/amd64
+    debug: true
+  register: platform_1
+  ignore_errors: true
+
+- name: platform (idempotency with full name)
+  # Docker daemon only returns 'linux' as the platform for the container,
+  # so this has to be handled correctly by our additional code
+  community.docker.docker_container:
+    image: "{{ docker_test_image_simple_1 }}"
+    name: "{{ cname }}"
+    state: present
+    platform: linux/amd64
+    debug: true
+  register: platform_2
+  ignore_errors: true
+
+- name: platform (idempotency with shorter name)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_simple_1 }}"
+    name: "{{ cname }}"
+    state: present
+    platform: linux
+    debug: true
+  register: platform_3
+  ignore_errors: true
+
+- name: platform (idempotency with shorter name)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_simple_1 }}"
+    name: "{{ cname }}"
+    state: present
+    platform: amd64
+    debug: true
+  register: platform_4
+  ignore_errors: true
+
+- name: platform (changed)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_simple_1 }}"
+    name: "{{ cname }}"
+    state: present
+    pull: true
+    platform: linux/386
+    force_kill: true
+    debug: true
+    comparisons:
+      # Do not restart because of the changed image ID
+      image: ignore
+  register: platform_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - platform_1 is changed
+      - platform_2 is not changed and platform_2 is not failed
+      - platform_3 is not changed and platform_3 is not failed
+      - platform_4 is not changed and platform_4 is not failed
+      - platform_5 is changed
+  when: docker_api_version is version('1.41', '>=')
+- ansible.builtin.assert:
+    that:
+      - platform_1 is failed
+      - |
+        ('API version is ' ~ docker_api_version ~ '.') in platform_1.msg and 'Minimum version required is 1.41 ' in platform_1.msg
+  when: docker_api_version is version('1.41', '<')
+
+####################################################################
+## pull / pull_check_mode_behavior #################################
+####################################################################
+
+- name: Remove hello-world image
+  community.docker.docker_image_remove:
+    name: "{{ docker_test_image_hello_world }}"
+
+- name: pull (pull=never)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: never
+    debug: true
+  register: pull_1
+  ignore_errors: true
+
+- name: pull (pull=missing, check mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: missing
+    debug: true
+  register: pull_2
+  check_mode: true
+  ignore_errors: true
+
+- name: pull (pull=missing)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: missing
+    debug: true
+  register: pull_3
+  ignore_errors: true
+
+- name: pull (pull=missing, idempotent, check mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: missing
+    debug: true
+  register: pull_4
+  check_mode: true
+  ignore_errors: true
+
+- name: pull (pull=missing, idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: missing
+    debug: true
+  register: pull_5
+  ignore_errors: true
+
+- name: pull (pull=always, check mode, pull_check_mode_behavior=image_not_present)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: always
+    pull_check_mode_behavior: image_not_present
+    debug: true
+  register: pull_6
+  check_mode: true
+  ignore_errors: true
+
+- name: pull (pull=always, check mode, pull_check_mode_behavior=always)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: always
+    pull_check_mode_behavior: always
+    debug: true
+  register: pull_7
+  check_mode: true
+  ignore_errors: true
+
+- name: pull (pull=always)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_hello_world }}"
+    name: "{{ cname }}"
+    state: present
+    pull: always
+    debug: true
+  register: pull_8
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - pull_1 is failed
+      - pull_1.msg == ("Cannot find image with name " ~ docker_test_image_hello_world ~ ", and pull=never")
+      - pull_2 is changed
+      - pulled_image_action not in pull_2.actions
+      - pulled_image_action_changed in pull_2.actions
+      - pulled_image_action_unchanged not in pull_2.actions
+      - pull_3 is changed
+      - pulled_image_action not in pull_3.actions
+      - pulled_image_action_changed in pull_3.actions
+      - pulled_image_action_unchanged not in pull_3.actions
+      - pull_4 is not changed
+      - pulled_image_action not in pull_4.actions
+      - pulled_image_action_changed not in pull_4.actions
+      - pulled_image_action_unchanged not in pull_4.actions
+      - pull_5 is not changed
+      - pulled_image_action not in pull_5.actions
+      - pulled_image_action_changed not in pull_5.actions
+      - pulled_image_action_unchanged not in pull_5.actions
+      - pull_6 is not changed
+      - pulled_image_action not in pull_6.actions
+      - pulled_image_action_changed not in pull_6.actions
+      - pulled_image_action_unchanged not in pull_6.actions
+      - pull_7 is changed
+      - pulled_image_action in pull_7.actions
+      - pulled_image_action_changed not in pull_7.actions
+      - pulled_image_action_unchanged not in pull_7.actions
+      - pull_8 is not changed
+      - pulled_image_action not in pull_8.actions
+      - pulled_image_action_changed not in pull_8.actions
+      - pulled_image_action_unchanged in pull_8.actions
+  vars:
+    pulled_image_action:
+      pulled_image: "{{ docker_test_image_hello_world }}"
+    pulled_image_action_changed:
+      pulled_image: "{{ docker_test_image_hello_world }}"
+      changed: true
+    pulled_image_action_unchanged:
+      pulled_image: "{{ docker_test_image_hello_world }}"
+      changed: false
+
+####################################################################
+## privileged ######################################################
+####################################################################
+
+- name: privileged
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    privileged: true
+    state: started
+  register: privileged_1
+
+- name: privileged (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    privileged: true
+    state: started
+  register: privileged_2
+
+- name: privileged (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    privileged: false
+    state: started
+    force_kill: true
+  register: privileged_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - privileged_1 is changed
+      - privileged_2 is not changed
+      - privileged_3 is changed
+
+####################################################################
+## published_ports and default_host_ip #############################
+####################################################################
+
+- name: published_ports
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9001'
+      - '9002'
+  register: published_ports_1
+
+- name: published_ports (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+      - '9001'
+  register: published_ports_2
+
+- name: published_ports (less published_ports)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+  register: published_ports_3
+
+- name: published_ports (more published_ports)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+      - '9003'
+    force_kill: true
+  register: published_ports_4
+
+- name: published_ports (ports with IP addresses)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '127.0.0.1:9002:9002/tcp'
+      - '[::1]:9003:9003/tcp'
+      - '[fe80::1%test]:90:90/tcp'
+    force_kill: true
+  register: published_ports_5
+  when: docker_host_info.host_info.ServerVersion is version('27.0.0', '<')
+
+- name: published_ports (ports with IP addresses, idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '127.0.0.1:9002:9002/tcp'
+      - '[::1]:9003:9003/tcp'
+      - '[fe80::1%test]:90:90/tcp'
+  register: published_ports_6
+  when: docker_host_info.host_info.ServerVersion is version('27.0.0', '<')
+
+- name: published_ports (no published ports)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports: []
+    comparisons:
+      published_ports: strict
+    force_kill: true
+  register: published_ports_7
+
+- name: published_ports (default_host_ip not set)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9001'
+      - '9002'
+    force_kill: true
+  register: published_ports_8
+
+- name: published_ports (default_host_ip set to empty string)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+      - '9001'
+    default_host_ip: ''
+    force_kill: true
+  register: published_ports_9
+
+- name: published_ports (default_host_ip set to empty string, idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+      - '9001'
+    default_host_ip: ''
+  register: published_ports_10
+
+- name: published_ports (default_host_ip unset)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - '9002'
+      - '9001'
+    force_kill: true
+  register: published_ports_11
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - published_ports_1 is changed
+      - published_ports_2 is not changed
+      - published_ports_3 is not changed
+      - published_ports_4 is changed
+      - (published_ports_5 is changed and published_ports_5 is not skipped) or published_ports_5 is skipped
+      - (published_ports_6 is not changed and published_ports_6 is not skipped) or published_ports_6 is skipped
+      - published_ports_7 is changed
+      - published_ports_8 is changed
+      - published_ports_9 is changed
+      - published_ports_10 is not changed
+      - published_ports_11 is changed
+
+####################################################################
+## pull ############################################################
+####################################################################
+
+# TODO: - pull
+
+####################################################################
+## read_only #######################################################
+####################################################################
+
+- name: read_only
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    read_only: true
+    state: started
+  register: read_only_1
+
+- name: read_only (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    read_only: true
+    state: started
+  register: read_only_2
+
+- name: read_only (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    read_only: false
+    state: started
+    force_kill: true
+  register: read_only_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - read_only_1 is changed
+      - read_only_2 is not changed
+      - read_only_3 is changed
+
+####################################################################
+## restart_policy ##################################################
+####################################################################
+
+- name: restart_policy
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: always
+    state: started
+  register: restart_policy_1
+
+- name: restart_policy (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: always
+    state: started
+  register: restart_policy_2
+
+- name: restart_policy (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: unless-stopped
+    state: started
+    force_kill: true
+  register: restart_policy_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_policy_1 is changed
+      - restart_policy_2 is not changed
+      - restart_policy_3 is changed
+
+####################################################################
+## restart_retries #################################################
+####################################################################
+
+- name: restart_retries
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: on-failure
+    restart_retries: 5
+    state: started
+  register: restart_retries_1
+
+- name: restart_retries (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: on-failure
+    restart_retries: 5
+    state: started
+  register: restart_retries_2
+
+- name: restart_retries (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart_policy: on-failure
+    restart_retries: 2
+    state: started
+    force_kill: true
+  register: restart_retries_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_retries_1 is changed
+      - restart_retries_2 is not changed
+      - restart_retries_3 is changed
+
+####################################################################
+## runtime #########################################################
+####################################################################
+
+- name: runtime
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    runtime: runc
+    state: started
+  register: runtime_1
+
+- name: runtime (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    runtime: runc
+    state: started
+  register: runtime_2
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - runtime_1 is changed
+      - runtime_2 is not changed
+
+####################################################################
+## security_opts ###################################################
+####################################################################
+
+# In case some of the options stop working, here are some more
+# options which *currently* work with all integration test targets:
+#   no-new-privileges
+#   label:disable
+#   label=disable
+#   label:level:s0:c100,c200
+#   label=level:s0:c100,c200
+#   label:type:svirt_apache_t
+#   label=type:svirt_apache_t
+#   label:user:root
+#   label=user:root
+#   seccomp:unconfined
+#   seccomp=unconfined
+#   apparmor:docker-default
+#   apparmor=docker-default
+
+- name: security_opts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    security_opts:
+      - "label:level:s0:c100,c200"
+      - "no-new-privileges"
+  register: security_opts_1
+
+- name: security_opts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    security_opts:
+      - "no-new-privileges"
+      - "label:level:s0:c100,c200"
+  register: security_opts_2
+
+- name: security_opts (less security options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    security_opts:
+      - "no-new-privileges"
+  register: security_opts_3
+
+- name: security_opts (more security options)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    security_opts:
+      - "label:disable"
+      - "no-new-privileges"
+    force_kill: true
+  register: security_opts_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - security_opts_1 is changed
+      - security_opts_2 is not changed
+      - security_opts_3 is not changed
+      - security_opts_4 is changed
+
+####################################################################
+## shm_size ########################################################
+####################################################################
+
+- name: shm_size
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    shm_size: 96M
+    state: started
+  register: shm_size_1
+
+- name: shm_size (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    shm_size: 96M
+    state: started
+  register: shm_size_2
+
+- name: shm_size (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    shm_size: 75M
+    state: started
+    force_kill: true
+  register: shm_size_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - shm_size_1 is changed
+      - shm_size_2 is not changed
+      - shm_size_3 is changed
+
+####################################################################
+## stop_signal #####################################################
+####################################################################
+
+- name: stop_signal
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_signal: "30"
+    state: started
+  register: stop_signal_1
+
+- name: stop_signal (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_signal: "30"
+    state: started
+  register: stop_signal_2
+
+- name: stop_signal (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_signal: "9"
+    state: started
+    force_kill: true
+  register: stop_signal_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - stop_signal_1 is changed
+      - stop_signal_2 is not changed
+      - stop_signal_3 is changed
+
+####################################################################
+## stop_timeout ####################################################
+####################################################################
+
+- name: stop_timeout
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_timeout: 2
+    state: started
+  register: stop_timeout_1
+
+- name: stop_timeout (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_timeout: 2
+    state: started
+  register: stop_timeout_2
+
+- name: stop_timeout (no change)
+  # stop_timeout changes are ignored by default
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    stop_timeout: 1
+    state: started
+  register: stop_timeout_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - stop_timeout_1 is changed
+      - stop_timeout_2 is not changed
+      - stop_timeout_3 is not changed
+
+####################################################################
+## storage_opts ####################################################
+####################################################################
+
+- name: storage_opts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    storage_opts:
+      size: 12m
+    state: started
+  register: storage_opts_1
+  ignore_errors: true
+
+- name: storage_opts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    storage_opts:
+      size: 12m
+    state: started
+  register: storage_opts_2
+  ignore_errors: true
+
+- name: storage_opts (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    storage_opts:
+      size: 24m
+    state: started
+    force_kill: true
+  register: storage_opts_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - storage_opts_1 is changed
+      - storage_opts_2 is not failed and storage_opts_2 is not changed
+      - storage_opts_3 is not failed and storage_opts_3 is changed
+  when: storage_opts_1 is not failed
+
+- ansible.builtin.assert:
+    that:
+      - "'is supported only for' in storage_opts_1.msg"
+      - storage_opts_2 is failed
+      - storage_opts_3 is failed
+  when: storage_opts_1 is failed
+
+####################################################################
+## sysctls #########################################################
+####################################################################
+
+# In case some of the options stop working, here are some more
+# options which *currently* work with all integration test targets:
+#   net.ipv4.conf.default.log_martians: 1
+#   net.ipv4.conf.default.secure_redirects: 0
+#   net.ipv4.conf.default.send_redirects: 0
+#   net.ipv4.conf.all.log_martians: 1
+#   net.ipv4.conf.all.accept_redirects: 0
+#   net.ipv4.conf.all.secure_redirects: 0
+#   net.ipv4.conf.all.send_redirects: 0
+
+- name: sysctls
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    sysctls:
+      net.ipv4.icmp_echo_ignore_all: 1
+      net.ipv4.ip_forward: 1
+  register: sysctls_1
+
+- name: sysctls (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    sysctls:
+      net.ipv4.ip_forward: 1
+      net.ipv4.icmp_echo_ignore_all: 1
+  register: sysctls_2
+
+- name: sysctls (less sysctls)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    sysctls:
+      net.ipv4.icmp_echo_ignore_all: 1
+  register: sysctls_3
+
+- name: sysctls (more sysctls)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    sysctls:
+      net.ipv4.icmp_echo_ignore_all: 1
+      net.ipv6.conf.default.accept_redirects: 0
+    force_kill: true
+  register: sysctls_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - sysctls_1 is changed
+      - sysctls_2 is not changed
+      - sysctls_3 is not changed
+      - sysctls_4 is changed
+
+####################################################################
+## tmpfs ###########################################################
+####################################################################
+
+- name: tmpfs
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    tmpfs:
+      - "/test1:rw,noexec,nosuid,size=65536k"
+      - "/test2:rw,noexec,nosuid,size=65536k"
+  register: tmpfs_1
+
+- name: tmpfs (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    tmpfs:
+      - "/test2:rw,noexec,nosuid,size=65536k"
+      - "/test1:rw,noexec,nosuid,size=65536k"
+  register: tmpfs_2
+
+- name: tmpfs (less tmpfs)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    tmpfs:
+      - "/test1:rw,noexec,nosuid,size=65536k"
+  register: tmpfs_3
+
+- name: tmpfs (more tmpfs)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    tmpfs:
+      - "/test1:rw,noexec,nosuid,size=65536k"
+      - "/test3:rw,noexec,nosuid,size=65536k"
+    force_kill: true
+  register: tmpfs_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - tmpfs_1 is changed
+      - tmpfs_2 is not changed
+      - tmpfs_3 is not changed
+      - tmpfs_4 is changed
+
+####################################################################
+## tty #############################################################
+####################################################################
+
+- name: tty
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    tty: true
+    state: started
+  register: tty_1
+  ignore_errors: true
+
+- name: tty (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    tty: true
+    state: started
+  register: tty_2
+  ignore_errors: true
+
+- name: tty (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    tty: false
+    state: started
+    force_kill: true
+  register: tty_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - tty_1 is changed
+      - tty_2 is not changed and tty_2 is not failed
+      - tty_3 is changed
+  when: tty_1 is not failed
+
+- ansible.builtin.assert:
+    that:
+      - "'error during container init: open /dev/pts/' in tty_1.msg"
+      - "': operation not permitted: ' in tty_1.msg"
+  when: tty_1 is failed
+
+####################################################################
+## ulimits #########################################################
+####################################################################
+
+- name: ulimits
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ulimits:
+      - "nofile:1234:1234"
+      - "nproc:3:6"
+  register: ulimits_1
+
+- name: ulimits (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ulimits:
+      - "nproc:3:6"
+      - "nofile:1234:1234"
+  register: ulimits_2
+
+- name: ulimits (less ulimits)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ulimits:
+      - "nofile:1234:1234"
+  register: ulimits_3
+
+- name: ulimits (more ulimits)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    ulimits:
+      - "nofile:1234:1234"
+      - "sigpending:100:200"
+    force_kill: true
+  register: ulimits_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - ulimits_1 is changed
+      - ulimits_2 is not changed
+      - ulimits_3 is not changed
+      - ulimits_4 is changed
+
+####################################################################
+## user ############################################################
+####################################################################
+
+- name: user
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    user: nobody
+    state: started
+  register: user_1
+
+- name: user (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    user: nobody
+    state: started
+  register: user_2
+
+- name: user (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    user: root
+    state: started
+    force_kill: true
+  register: user_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - user_1 is changed
+      - user_2 is not changed
+      - user_3 is changed
+
+####################################################################
+## userns_mode #####################################################
+####################################################################
+
+- name: userns_mode
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    userns_mode: host
+    state: started
+  register: userns_mode_1
+
+- name: userns_mode (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    userns_mode: host
+    state: started
+  register: userns_mode_2
+
+- name: userns_mode (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    userns_mode: ""
+    state: started
+    force_kill: true
+  register: userns_mode_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - userns_mode_1 is changed
+      - userns_mode_2 is not changed
+      - userns_mode_3 is changed
+
+####################################################################
+## uts #############################################################
+####################################################################
+
+- name: uts
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    uts: host
+    state: started
+  register: uts_1
+
+- name: uts (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    uts: host
+    state: started
+  register: uts_2
+
+- name: uts (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    uts: ""
+    state: started
+    force_kill: true
+  register: uts_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - uts_1 is changed
+      - uts_2 is not changed
+      - uts_3 is changed
+
+####################################################################
+## working_dir #####################################################
+####################################################################
+
+- name: working_dir
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    working_dir: /tmp
+    state: started
+  register: working_dir_1
+
+- name: working_dir (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    working_dir: /tmp
+    state: started
+  register: working_dir_2
+
+- name: working_dir (change)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    working_dir: /
+    state: started
+    force_kill: true
+  register: working_dir_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - working_dir_1 is changed
+      - working_dir_2 is not changed
+      - working_dir_3 is changed
+
+####################################################################
+####################################################################
+####################################################################
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/ports.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/ports.yml
new file mode 100644
index 00000000..4581ca9a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/ports.yml
@@ -0,0 +1,476 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-options' }}"
+    cname2: "{{ cname_prefix ~ '-options-h1' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname, cname2] }}"
+
+####################################################################
+## published_ports: error handling #################################
+####################################################################
+
+- name: published_ports -- non-closing square bracket
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - "[::1:2000:3000"
+  register: published_ports_1
+  ignore_errors: true
+
+- name: published_ports -- forgot square brackets for IPv6
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - "::1:2000:3000"
+  register: published_ports_2
+  ignore_errors: true
+
+- name: published_ports -- disallow hostnames
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - "foo:2000:3000"
+  register: published_ports_3
+  ignore_errors: true
+
+- ansible.builtin.assert:
+    that:
+      - published_ports_1 is failed
+      - published_ports_1.msg == 'Cannot find closing "]" in input "[::1:2000:3000" for opening "[" at index 1!'
+      - published_ports_2 is failed
+      - published_ports_2.msg == 'Invalid port description "::1:2000:3000" - expected 1 to 3 colon-separated parts, but got 5. Maybe you forgot to use square brackets ([...]) around an IPv6 address?'
+      - published_ports_3 is failed
+      - "published_ports_3.msg == 'Bind addresses for published ports must be IPv4 or IPv6 addresses, not hostnames. Use the dig lookup to resolve hostnames. (Found hostname: foo)'"
+
+####################################################################
+## published_ports: port range #####################################
+####################################################################
+
+- name: published_ports -- port range
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9001"
+      - "9010-9050"
+    published_ports:
+      - "9001:9001"
+      - "9010-9050:9010-9050"
+    force_kill: true
+  register: published_ports_1
+
+- name: published_ports -- port range (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9001"
+      - "9010-9050"
+    published_ports:
+      - "9001:9001"
+      - "9010-9050:9010-9050"
+    force_kill: true
+  register: published_ports_2
+
+- name: published_ports -- port range (different range)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9001"
+      - "9010-9050"
+    published_ports:
+      - "9001:9001"
+      - "9020-9060:9020-9060"
+    force_kill: true
+  register: published_ports_3
+
+- name: published_ports -- port range (same range, but listed explicitly)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    exposed_ports:
+      - "9001"
+      - "9010"
+      - "9011"
+      - "9012"
+      - "9013"
+      - "9014"
+      - "9015"
+      - "9016"
+      - "9017"
+      - "9018"
+      - "9019"
+      - "9020"
+      - "9021"
+      - "9022"
+      - "9023"
+      - "9024"
+      - "9025"
+      - "9026"
+      - "9027"
+      - "9028"
+      - "9029"
+      - "9030"
+      - "9031"
+      - "9032"
+      - "9033"
+      - "9034"
+      - "9035"
+      - "9036"
+      - "9037"
+      - "9038"
+      - "9039"
+      - "9040"
+      - "9041"
+      - "9042"
+      - "9043"
+      - "9044"
+      - "9045"
+      - "9046"
+      - "9047"
+      - "9048"
+      - "9049"
+      - "9050"
+    published_ports:
+      - "9001:9001"
+      - "9020:9020"
+      - "9021:9021"
+      - "9022:9022"
+      - "9023:9023"
+      - "9024:9024"
+      - "9025:9025"
+      - "9026:9026"
+      - "9027:9027"
+      - "9028:9028"
+      - "9029:9029"
+      - "9030:9030"
+      - "9031:9031"
+      - "9032:9032"
+      - "9033:9033"
+      - "9034:9034"
+      - "9035:9035"
+      - "9036:9036"
+      - "9037:9037"
+      - "9038:9038"
+      - "9039:9039"
+      - "9040:9040"
+      - "9041:9041"
+      - "9042:9042"
+      - "9043:9043"
+      - "9044:9044"
+      - "9045:9045"
+      - "9046:9046"
+      - "9047:9047"
+      - "9048:9048"
+      - "9049:9049"
+      - "9050:9050"
+      - "9051:9051"
+      - "9052:9052"
+      - "9053:9053"
+      - "9054:9054"
+      - "9055:9055"
+      - "9056:9056"
+      - "9057:9057"
+      - "9058:9058"
+      - "9059:9059"
+      - "9060:9060"
+    force_kill: true
+  register: published_ports_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - published_ports_1 is changed
+      - published_ports_2 is not changed
+      - published_ports_3 is changed
+      - published_ports_4 is not changed
+
+####################################################################
+## published_ports: one-element container port range ###############
+####################################################################
+
+- name: published_ports -- one-element container port range
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ item }}"
+    state: started
+    published_ports:
+      - "9010-9050:9010"
+    force_kill: true
+  loop:
+    - '{{ cname }}'
+    - '{{ cname2 }}'
+  register: published_ports_1
+
+- name: published_ports -- one-element container port range (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ item }}"
+    state: started
+    published_ports:
+      - "9010-9050:9010"
+    force_kill: true
+  loop:
+    - '{{ cname }}'
+    - '{{ cname2 }}'
+  register: published_ports_2
+
+- name: published_ports -- one-element container port range (different range)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ item }}"
+    state: started
+    published_ports:
+      - "9010-9051:9010"
+    force_kill: true
+  loop:
+    - '{{ cname }}'
+    - '{{ cname2 }}'
+  register: published_ports_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ item }}"
+    state: absent
+    force_kill: true
+  loop:
+    - '{{ cname }}'
+    - '{{ cname2 }}'
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - published_ports_1 is changed
+      - published_ports_2 is not changed
+      - published_ports_3 is changed
+
+####################################################################
+## published_ports: duplicate ports ################################
+####################################################################
+
+- name: published_ports -- duplicate ports
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - 8000:80
+      - 10000:80
+  register: published_ports_1
+
+- name: published_ports -- duplicate ports (idempotency)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - 8000:80
+      - 10000:80
+    force_kill: true
+  register: published_ports_2
+
+- name: published_ports -- duplicate ports (idempotency w/ protocol)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    published_ports:
+      - 8000:80/tcp
+      - 10000:80/tcp
+    force_kill: true
+  register: published_ports_3
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - published_ports_1 is changed
+      - published_ports_2 is not changed
+      - published_ports_3 is not changed
+
+####################################################################
+## published_ports: IPv6 addresses #################################
+####################################################################
+
+- when: docker_host_info.host_info.ServerVersion is version('27.0.0', '<')
+  block:
+    - name: published_ports -- IPv6
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: started
+        published_ports:
+          - "[::1]:9001:9001"
+        force_kill: true
+      register: published_ports_1
+
+    - name: published_ports -- IPv6 (idempotency)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: started
+        published_ports:
+          - "[::1]:9001:9001"
+        force_kill: true
+      register: published_ports_2
+
+    - name: published_ports -- IPv6 (different IP)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: started
+        published_ports:
+          - "127.0.0.1:9001:9001"
+        force_kill: true
+      register: published_ports_3
+
+    - name: published_ports -- IPv6 (hostname)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: started
+        published_ports:
+          - "localhost:9001:9001"
+        force_kill: true
+      register: published_ports_4
+      ignore_errors: true
+
+    - name: cleanup
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+      diff: false
+
+    - ansible.builtin.assert:
+        that:
+          - published_ports_1 is changed
+          - published_ports_2 is not changed
+          - published_ports_3 is changed
+          - published_ports_4 is failed
+
+####################################################################
+## publish_all_ports ###############################################
+####################################################################
+
+- ansible.builtin.set_fact:
+    publish_all_ports_test_cases:
+      - test_name: no_options
+        changed: true
+      - test_name: null_to_true
+        publish_all_ports_value: true
+        changed: true
+      - test_name: true_idempotency
+        publish_all_ports_value: true
+        changed: false
+      - test_name: true_to_null
+        changed: false
+      - test_name: null_to_true_2
+        publish_all_ports_value: true
+        changed: false
+      - test_name: true_to_false
+        publish_all_ports_value: false
+        changed: true
+      - test_name: false_idempotency
+        publish_all_ports_value: false
+        changed: false
+      - test_name: false_to_null
+        changed: false
+      - test_name: null_with_published_ports
+        published_ports_value: &ports
+          - "9001:9001"
+          - "9010-9050:9010-9050"
+        changed: true
+      - test_name: null_to_true_with_published_ports
+        publish_all_ports_value: true
+        published_ports_value: *ports
+        changed: true
+      - test_name: true_idempotency_with_published_ports
+        publish_all_ports_value: true
+        published_ports_value: *ports
+        changed: false
+      - test_name: true_to_null_with_published_ports
+        published_ports_value: *ports
+        changed: false
+      - test_name: null_to_true_2_with_published_ports
+        publish_all_ports_value: true
+        published_ports_value: *ports
+        changed: false
+      - test_name: true_to_false_with_published_ports
+        publish_all_ports_value: false
+        published_ports_value: *ports
+        changed: true
+      - test_name: false_idempotency_with_published_ports
+        publish_all_ports_value: false
+        published_ports_value: *ports
+        changed: false
+      - test_name: false_to_null_with_published_ports
+        published_ports_value: *ports
+        changed: false
+
+- name: publish_all_ports ({{ test_case.test_name }})
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    publish_all_ports: "{{ test_case.publish_all_ports_value | default(omit) }}"
+    published_ports: "{{ test_case.published_ports_value | default(omit) }}"
+    force_kill: true
+  register: publish_all_ports
+  loop_control:
+    loop_var: test_case
+  loop: "{{ publish_all_ports_test_cases }}"
+
+- ansible.builtin.assert:
+    that:
+      - publish_all_ports.results[index].changed == test_case.changed
+  loop: "{{ publish_all_ports_test_cases }}"
+  loop_control:
+    index_var: index
+    loop_var: test_case
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/regression-45700-dont-parse-on-absent.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/regression-45700-dont-parse-on-absent.yml
new file mode 100644
index 00000000..869be913
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/regression-45700-dont-parse-on-absent.yml
@@ -0,0 +1,38 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Regression test for https://github.com/ansible/ansible/pull/45700
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-45700' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+- name: Start container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+
+- name: Stop container with a lot of invalid options
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    force_kill: true
+    # Some options with "invalid" values, which would
+    # have to be parsed. The values are "invalid" because
+    # the containers and networks listed here do not exist.
+    # This can happen because the networks are removed
+    # before the container is stopped (see
+    # https://github.com/ansible/ansible/issues/45486).
+    networks:
+      - name: "nonexistant-network-{{ (2**32) | random }}"
+    published_ports:
+      - '1:2'
+      - '3'
+    links:
+      - "nonexistant-container-{{ (2**32) | random }}:test"
+    state: absent
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/start-stop.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/start-stop.yml
new file mode 100644
index 00000000..d90959d7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/start-stop.yml
@@ -0,0 +1,459 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-hi' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+####################################################################
+## Creation ########################################################
+####################################################################
+
+- name: Create container (check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  check_mode: true
+  register: create_1
+
+- name: Create container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  register: create_2
+
+- name: Create container (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  register: create_3
+
+- name: Create container (idempotent check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  check_mode: true
+  register: create_4
+
+- ansible.builtin.assert:
+    that:
+      - create_1 is changed
+      - create_2 is changed
+      - create_3 is not changed
+      - create_4 is not changed
+
+####################################################################
+## Starting (after creation) #######################################
+####################################################################
+
+- name: Start container (check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+  check_mode: true
+  register: start_1
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+  register: start_2
+
+- name: Start container (idempotent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+  register: start_3
+
+- name: Start container (idempotent check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+  check_mode: true
+  register: start_4
+
+- ansible.builtin.assert:
+    that:
+      - start_1 is changed
+      - start_2 is changed
+      - start_3 is not changed
+      - start_4 is not changed
+
+####################################################################
+## Present check for running container #############################
+####################################################################
+
+- name: Present check for running container (check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  check_mode: true
+  register: present_check_1
+
+- name: Present check for running container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+  register: present_check_2
+
+- ansible.builtin.assert:
+    that:
+      - present_check_1 is not changed
+      - present_check_2 is not changed
+
+####################################################################
+## Starting (from scratch) #########################################
+####################################################################
+
+- name: Remove container (setup for starting from scratch)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+
+- name: Start container from scratch (check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    stop_timeout: 1
+    name: "{{ cname }}"
+    state: started
+  check_mode: true
+  register: start_scratch_1
+
+- name: Start container from scratch
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    stop_timeout: 1
+    name: "{{ cname }}"
+    state: started
+  register: start_scratch_2
+
+- name: Start container from scratch (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    stop_timeout: 1
+    name: "{{ cname }}"
+    state: started
+  register: start_scratch_3
+
+- name: Start container from scratch (idempotent check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    stop_timeout: 1
+    name: "{{ cname }}"
+    state: started
+  check_mode: true
+  register: start_scratch_4
+
+- ansible.builtin.assert:
+    that:
+      - start_scratch_1 is changed
+      - start_scratch_2 is changed
+      - start_scratch_3 is not changed
+      - start_scratch_4 is not changed
+
+####################################################################
+## Recreating ######################################################
+####################################################################
+
+- name: Recreating container (created)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: present
+    force_kill: true
+  register: recreate_1
+
+- name: Recreating container (created, recreate, check mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    recreate: true
+    state: present
+    force_kill: true
+  register: recreate_2
+  check_mode: true
+
+- name: Recreating container (created, recreate)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    recreate: true
+    state: present
+    force_kill: true
+  register: recreate_3
+
+- name: Recreating container (started)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    force_kill: true
+  register: recreate_4
+
+- name: Recreating container (started, recreate, check mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    recreate: true
+    removal_wait_timeout: 10
+    state: started
+    force_kill: true
+  register: recreate_5
+  check_mode: true
+
+- name: Recreating container (started, recreate)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    recreate: true
+    removal_wait_timeout: 10
+    state: started
+    force_kill: true
+  register: recreate_6
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.debug: var=recreate_1
+- ansible.builtin.debug: var=recreate_3
+- ansible.builtin.debug: var=recreate_4
+- ansible.builtin.debug: var=recreate_6
+
+- ansible.builtin.assert:
+    that:
+      - recreate_2 is changed
+      - recreate_3 is changed
+      - recreate_4 is changed
+      - recreate_5 is changed
+      - recreate_6 is changed
+      - recreate_1.container.Id == recreate_2.container.Id
+      - recreate_1.container.Id != recreate_3.container.Id
+      - recreate_3.container.Id == recreate_4.container.Id
+      - recreate_4.container.Id == recreate_5.container.Id
+      - recreate_4.container.Id != recreate_6.container.Id
+
+####################################################################
+## Restarting ######################################################
+####################################################################
+
+- name: Restarting
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    stop_timeout: 1
+    volumes:
+      - /tmp/tmp
+  register: restart_1
+
+- name: Restarting (restart, check mode)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart: true
+    state: started
+    stop_timeout: 1
+    force_kill: true
+  register: restart_2
+  check_mode: true
+
+- name: Restarting (restart)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    restart: true
+    state: started
+    stop_timeout: 1
+    force_kill: true
+  register: restart_3
+
+- name: Restarting (verify volumes)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    stop_timeout: 1
+    volumes:
+      - /tmp/tmp
+  register: restart_4
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_1 is changed
+      - restart_2 is changed
+      - restart_3 is changed
+      - restart_1.container.Id == restart_3.container.Id
+      - restart_4 is not changed
+
+####################################################################
+## Stopping ########################################################
+####################################################################
+
+- name: Stop container (check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+  check_mode: true
+  register: stop_1
+
+- name: Stop container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+  register: stop_2
+
+- name: Stop container (idempotent)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+  register: stop_3
+
+- name: Stop container (idempotent check)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+  check_mode: true
+  register: stop_4
+
+- ansible.builtin.assert:
+    that:
+      - stop_1 is changed
+      - stop_2 is changed
+      - stop_3 is not changed
+      - stop_4 is not changed
+
+####################################################################
+## Removing ########################################################
+####################################################################
+
+- name: Remove container (check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  check_mode: true
+  register: remove_1
+
+- name: Remove container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: remove_2
+
+- name: Remove container (idempotent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  register: remove_3
+
+- name: Remove container (idempotent check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+  check_mode: true
+  register: remove_4
+
+- ansible.builtin.assert:
+    that:
+      - remove_1 is changed
+      - remove_2 is changed
+      - remove_3 is not changed
+      - remove_4 is not changed
+
+####################################################################
+## Removing (from running) #########################################
+####################################################################
+
+- name: Start container (setup for removing from running)
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+
+- name: Remove container from running (check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  check_mode: true
+  register: remove_from_running_1
+
+- name: Remove container from running
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  register: remove_from_running_2
+
+- name: Remove container from running (idempotent)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  register: remove_from_running_3
+
+- name: Remove container from running (idempotent check)
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  check_mode: true
+  register: remove_from_running_4
+
+- ansible.builtin.assert:
+    that:
+      - remove_from_running_1 is changed
+      - remove_from_running_2 is changed
+      - remove_from_running_3 is not changed
+      - remove_from_running_4 is not changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/update.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/update.yml
new file mode 100644
index 00000000..2084e097
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container/tasks/tests/update.yml
@@ -0,0 +1,221 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-update' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+# We do not test cpuset_cpus and cpuset_mems since changing it fails if the system does
+# not have 'enough' CPUs. We do not test kernel_memory since it is deprecated and fails.
+
+- ansible.builtin.set_fact:
+    has_blkio_weight: true
+
+- name: Create container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: "{{ 123 if has_blkio_weight else omit }}"
+    cpu_period: 90000
+    cpu_quota: 150000
+    cpu_shares: 900
+    memory: 64M
+    memory_reservation: 64M
+    memory_swap: 64M
+    restart_policy: on-failure
+    restart_retries: 5
+  register: create
+  ignore_errors: true
+
+- when: create is failed
+  block:
+    - name: Make sure container is not there
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+
+    - when: "'setting cgroup config for procHooks process caused: failed to write' in create.msg and 'io.bfq.weight' in create.msg"
+      ansible.builtin.set_fact:
+        has_blkio_weight: false
+
+    - name: Create container again
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: started
+        blkio_weight: "{{ 123 if has_blkio_weight else omit }}"
+        cpu_period: 90000
+        cpu_quota: 150000
+        cpu_shares: 900
+        memory: 64M
+        memory_reservation: 64M
+        memory_swap: 64M
+        restart_policy: on-failure
+        restart_retries: 5
+      register: create_2
+
+    - when: "'setting cgroup config for procHooks process caused: failed to write' in create.msg and 'io.bfq.weight' in create.msg"
+      ansible.builtin.set_fact:
+        create: "{{ create_2 }}"
+
+- name: Update values
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: "{{ 234 if has_blkio_weight else omit }}"
+    cpu_period: 50000
+    cpu_quota: 50000
+    cpu_shares: 1100
+    memory: 48M
+    memory_reservation: 48M
+    memory_swap: unlimited
+    restart_policy: on-failure  # only on-failure can have restart_retries, so don't change it here
+    restart_retries: 2
+  register: update
+  diff: true
+
+- name: Update values again
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 10m"'
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: "{{ 135 if has_blkio_weight else omit }}"
+    cpu_period: 30000
+    cpu_quota: 40000
+    cpu_shares: 1000
+    memory: 32M
+    memory_reservation: 30M
+    memory_swap: 128M
+    restart_policy: always
+    restart_retries: 0
+  register: update2
+  diff: true
+
+- name: Recreate container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -c "sleep 20m"'  # this will force re-creation
+    name: "{{ cname }}"
+    state: started
+    blkio_weight: "{{ 234 if has_blkio_weight else omit }}"
+    cpu_period: 50000
+    cpu_quota: 50000
+    cpu_shares: 1100
+    memory: 48M
+    memory_reservation: 48M
+    memory_swap: unlimited
+    restart_policy: on-failure
+    restart_retries: 2
+    force_kill: true
+  register: recreate
+  diff: true
+
+- name: cleanup
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
+  diff: false
+
+- name: Check general things
+  ansible.builtin.assert:
+    that:
+      - create is changed
+      - update is changed
+      - update2 is changed
+      - recreate is changed
+
+      # Make sure the container was *not* recreated when it should not be
+      - create.container.Id == update.container.Id
+      - create.container.Id == update2.container.Id
+
+      # Make sure that the container was recreated when it should be
+      - create.container.Id != recreate.container.Id
+
+- name: Check diff for first update
+  ansible.builtin.assert:
+    that:
+      # blkio_weight sometimes cannot be set, then we end up with 0 instead of the value we had
+      - >-
+        not has_blkio_weight or update.diff.before.blkio_weight == 123 or ('Docker warning: Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.' in (create.warnings | default([])))
+      - not has_blkio_weight or update.diff.after.blkio_weight == 234
+      - update.diff.before.cpu_period == 90000
+      - update.diff.after.cpu_period == 50000
+      - update.diff.before.cpu_quota == 150000
+      - update.diff.after.cpu_quota == 50000
+      - update.diff.before.cpu_shares == 900
+      - update.diff.after.cpu_shares == 1100
+      - update.diff.before.memory == 67108864
+      - update.diff.after.memory == 50331648
+      - update.diff.before.memory_reservation == 67108864
+      - update.diff.after.memory_reservation == 50331648
+      - >-
+        (update.diff.before.memory_swap | default(0)) == 67108864 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - >-
+        (update.diff.after.memory_swap | default(0)) == -1 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - "'restart_policy' not in update.diff.before"
+      - update.diff.before.restart_retries == 5
+      - update.diff.after.restart_retries == 2
+
+- name: Check diff for second update
+  ansible.builtin.assert:
+    that:
+      - >-
+        not has_blkio_weight or update2.diff.before.blkio_weight == 234 or ('Docker warning: Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.' in (create.warnings | default([])))
+      - not has_blkio_weight or update2.diff.after.blkio_weight == 135
+      - update2.diff.before.cpu_period == 50000
+      - update2.diff.after.cpu_period == 30000
+      - update2.diff.before.cpu_quota == 50000
+      - update2.diff.after.cpu_quota == 40000
+      - update2.diff.before.cpu_shares == 1100
+      - update2.diff.after.cpu_shares == 1000
+      - update2.diff.before.memory == 50331648
+      - update2.diff.after.memory == 33554432
+      - update2.diff.before.memory_reservation == 50331648
+      - update2.diff.after.memory_reservation == 31457280
+      - >-
+        (update2.diff.before.memory_swap | default(0)) == -1 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - >-
+        (update2.diff.after.memory_swap | default(0)) == 134217728 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - update2.diff.before.restart_policy == 'on-failure'
+      - update2.diff.after.restart_policy == 'always'
+      - update2.diff.before.restart_retries == 2
+      - update2.diff.after.restart_retries == 0
+
+- name: Check diff for recreation
+  ansible.builtin.assert:
+    that:
+      - >-
+        not has_blkio_weight or recreate.diff.before.blkio_weight == 135 or ('Docker warning: Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.' in (create.warnings | default([])))
+      - not has_blkio_weight or recreate.diff.after.blkio_weight == 234
+      - recreate.diff.before.cpu_period == 30000
+      - recreate.diff.after.cpu_period == 50000
+      - recreate.diff.before.cpu_quota == 40000
+      - recreate.diff.after.cpu_quota == 50000
+      - recreate.diff.before.cpu_shares == 1000
+      - recreate.diff.after.cpu_shares == 1100
+      - recreate.diff.before.memory == 33554432
+      - recreate.diff.after.memory == 50331648
+      - recreate.diff.before.memory_reservation == 31457280
+      - recreate.diff.after.memory_reservation == 50331648
+      - >-
+        (recreate.diff.before.memory_swap | default(0)) == 134217728 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - >-
+        (recreate.diff.after.memory_swap | default(0)) == -1 or ('Docker warning: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.' in (create.warnings | default([])))
+      - recreate.diff.before.restart_policy == 'always'
+      - recreate.diff.after.restart_policy == 'on-failure'
+      - recreate.diff.before.restart_retries == 0
+      - recreate.diff.after.restart_retries == 2
+      - recreate.diff.before.command == ['/bin/sh', '-c', 'sleep 10m']
+      - recreate.diff.after.command == ['/bin/sh', '-c', 'sleep 20m']
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/meta/main.yml
new file mode 100644
index 00000000..f5b89789
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/main.yml
new file mode 100644
index 00000000..7c43f18a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Gather facts on controller
+  ansible.builtin.setup:
+    gather_subset: '!all'
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: true
+
+# Create random name prefix (for containers)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    cname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using container name prefix {{ cname_prefix }}"
+
+# Run the tests
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old Docker API version to run all docker_container_copy_into tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/content.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/content.yml
new file mode 100644
index 00000000..e0212ab5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/content.yml
@@ -0,0 +1,1381 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-c' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+# Create container
+
+- name: Create container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command:
+      - /bin/sh
+      - "-c"
+      - >-
+        mkdir /dir;
+        ln -s file /lnk;
+        ln -s lnk3 /lnk2;
+        ln -s lnk2 /lnk1;
+        sleep 10m;
+    name: "{{ cname }}"
+    state: started
+
+################################################################################################
+# Do tests
+
+- name: Copy content without mode
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+  register: result
+  ignore_errors: true
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result is failed
+      - |-
+        result.msg in [
+          "missing parameter(s) required by 'content': mode",
+        ]
+
+######################### Copy
+
+- name: Copy content (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  register: result_2
+
+- name: Copy content (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  register: result_4
+
+- name: Copy content (idempotent, check mode, base 64)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: "{{ 'Content 1\n' | b64encode }}"
+    content_is_b64: true
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3b64
+
+- name: Copy content (idempotent, check mode, base 64, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: "{{ 'Content 1\n' | b64encode }}"
+    content_is_b64: true
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3b64_diff
+
+- name: Copy content (idempotent, base 64)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: "{{ 'Content 1\n' | b64encode }}"
+    content_is_b64: true
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  register: result_4b64
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy content (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy content (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy content (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Copy content (force=false, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Some other content
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  check_mode: true
+  diff: false
+  register: result_9
+
+- name: Copy content (force=false, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Some other content
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  check_mode: true
+  diff: true
+  register: result_9_diff
+
+- name: Copy content (force=false)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Some other content
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  register: result_10
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_11
+
+- name: Copy content (octal mode, mode_parse=modern)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    # yamllint disable
+    mode: 0770
+    # yamllint enable
+    mode_parse: modern
+    owner_id: 0
+    group_id: 0
+  register: result_12
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_13
+
+- name: Copy content (octal mode, mode_parse=legacy)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    # yamllint disable
+    mode: 0707
+    # yamllint enable
+    mode_parse: legacy
+    owner_id: 0
+    group_id: 0
+  register: result_14
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_15
+
+- name: Copy content (string mode, mode_parse=legacy)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "420"
+    mode_parse: legacy
+    owner_id: 0
+    group_id: 0
+  register: result_16
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_17
+
+- name: Copy content (string mode, mode_parse=octal_string_only)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0600"
+    mode_parse: octal_string_only
+    owner_id: 0
+    group_id: 0
+  register: result_18
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_19
+
+- name: Restore state for next tasks
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: octal_string_only
+    owner_id: 0
+    group_id: 0
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == ''
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_3b64 is not changed
+      - "'diff' not in result_3b64"
+      - result_3b64_diff.diff.before == 'Content 1\n'
+      - result_3b64_diff.diff.before_header == '/file'
+      - result_3b64_diff.diff.after == 'Content 1\n'
+      - result_3b64_diff.diff.after_header == 'dynamically generated'
+      - result_3b64 == (result_3b64_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4b64 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /file'
+      - result_6 is changed
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 1\n'
+      - result_6_diff.diff.before_header == '/file'
+      - result_6_diff.diff.after == 'Content 1\n'
+      - result_6_diff.diff.after_header == 'dynamically generated'
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_8.stdout | b64decode == 'Content 1\n'
+      - result_8.stderr == '10 644 regular file 0 0 /file'
+      - result_9 is not changed
+      - "'diff' not in result_9"
+      - result_9_diff.diff.before == 'Content 1\n'
+      - result_9_diff.diff.before_header == '/file'
+      - result_9_diff.diff.after == 'Content 1\n'  # note that force=false
+      - result_9_diff.diff.after_header == '/file'  # note that force=false
+      - result_9 == (result_9_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_10 is not changed
+      - result_11.stdout | b64decode == 'Content 1\n'
+      - result_11.stderr == '10 644 regular file 0 0 /file'
+      - result_12 is changed
+      - result_13.stdout | b64decode == 'Content 1\n'
+      - result_13.stderr == '10 770 regular file 0 0 /file'
+      - result_14 is changed
+      - result_15.stdout | b64decode == 'Content 1\n'
+      - result_15.stderr == '10 707 regular file 0 0 /file'
+      - result_16 is changed
+      - result_17.stdout | b64decode == 'Content 1\n'
+      - result_17.stderr == '10 644 regular file 0 0 /file'
+      - result_18 is changed
+      - result_19.stdout | b64decode == 'Content 1\n'
+      - result_19.stderr == '10 600 regular file 0 0 /file'
+
+######################### Follow link - idempotence
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+    chdir: /root
+  register: result_0
+
+- name: Copy content following link (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content following link (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content following link
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+  register: result_2
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_3
+
+- name: Copy content following link (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+    force: true
+  check_mode: true
+  diff: false
+  register: result_4
+
+- name: Copy content following link (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+    force: true
+  check_mode: true
+  diff: true
+  register: result_4_diff
+
+- name: Copy content following link (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: true
+    force: true
+  register: result_5
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_6
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_0.stdout | b64decode == 'Content 1\n'
+      - result_0.stderr == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_1 is not changed
+      - result_1.container_path == '/file'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 1\n'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is not changed
+      - result_2.container_path == '/file'
+      - result_3.stdout | b64decode == 'Content 1\n'
+      - result_3.stderr_lines[0] == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_3.stderr_lines[1] == '10 644 regular file 0 0 /file'
+      - result_4 is changed
+      - result_4.container_path == '/file'
+      - "'diff' not in result_4"
+      - result_4_diff.diff.before == 'Content 1\n'
+      - result_4_diff.diff.before_header == '/file'
+      - result_4_diff.diff.after == 'Content 1\n'
+      - result_4_diff.diff.after_header == 'dynamically generated'
+      - result_4 == (result_4_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_5 is changed
+      - result_5.container_path == '/file'
+      - result_6.stdout | b64decode == 'Content 1\n'
+      - result_6.stderr_lines[0] == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_6.stderr_lines[1] == '10 644 regular file 0 0 /file'
+
+######################### Do not follow link - replace by file
+
+- name: Copy content not following link (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content not following link (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content not following link
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  register: result_2
+
+- name: Copy content not following link (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content not following link (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content not following link (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy content not following link (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy content not following link (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy content not following link (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/lnk'
+    mode: "0644"
+    mode_parse: modern
+    force: true
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - result_1.container_path == '/lnk'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == '/file'
+      - result_1_diff.diff.before_header == '/lnk'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_2.container_path == '/lnk'
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/lnk'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /lnk'
+      - result_6 is changed
+      - result_6.container_path == '/lnk'
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 1\n'
+      - result_6_diff.diff.before_header == '/lnk'
+      - result_6_diff.diff.after == 'Content 1\n'
+      - result_6_diff.diff.after_header == 'dynamically generated'
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_7.container_path == '/lnk'
+      - result_8.stdout | b64decode == 'Content 1\n'
+      - result_8.stderr == '10 644 regular file 0 0 /lnk'
+
+######################### Replace directory by file
+
+- name: Copy content to replace directory (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content to replace directory (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content to replace directory (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+    follow: false
+  register: result_2
+
+- name: Copy content to replace directory (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content to replace directory (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content to replace directory (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/dir'
+    mode: "0644"
+    mode_parse: modern
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /dir | base64;
+        stat -c '%s %a %F %u %g %N' /dir > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - result_1.container_path == '/dir'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == '(directory)'
+      - result_1_diff.diff.before_header == '/dir'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_2.container_path == '/dir'
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/dir'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /dir'
+
+######################### Modify
+
+- name: Copy content (changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content (changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content (changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0644"
+    mode_parse: modern
+  register: result_2
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_3
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 1\n'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3.stdout | b64decode == 'Content 2\nExtra line'
+      - result_3.stderr == '20 644 regular file 0 0 /file'
+
+######################### Change mode
+
+- name: Copy content (mode changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content (mode changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content (mode changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_2
+
+- name: Copy content (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 2\nExtra line'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 2\nExtra line'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 2\nExtra line'
+      - result_5.stderr == '20 707 regular file 0 0 /file'
+
+######################### Change owner and group
+
+- name: Copy content (owner/group changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content (owner/group changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content (owner/group changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_2
+
+- name: Copy content (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy content (owner/group changed again, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy content (owner/group changed again, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy content (owner/group changed again)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |-
+      Content 2
+      Extra line
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 2\nExtra line'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 2\nExtra line'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 2\nExtra line'
+      - result_5.stderr == '20 707 regular file 12 910 /file'
+      - result_6 is changed
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 2\nExtra line'
+      - result_6_diff.diff.before_header == '/file'
+      - result_6_diff.diff.after == 'Content 2\nExtra line'
+      - result_6_diff.diff.after_header == 'dynamically generated'
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_8.stdout | b64decode == 'Content 2\nExtra line'
+      - result_8.stderr == '20 707 regular file 13 13 /file'
+
+######################### Operate with stopped container
+
+- name: Stop container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+
+- name: Copy content (stopped container, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy content (stopped container, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy content (stopped container)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_2
+
+- name: Copy content (stopped container, idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy content (stopped container, idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy content (stopped container, idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_4
+
+- name: Copy content (stopped container, no owner/group provided, should fail)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    content: |
+      Content 1
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_5
+  ignore_errors: true
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_6
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == 'dynamically generated'
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == 'dynamically generated'
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5 is failed
+      - result_5.msg == ('Cannot execute command in paused container "' ~ cname ~ '"')
+      - result_6.stdout | b64decode == 'Content 1\n'
+      - result_6.stderr == '10 707 regular file 12 910 /file'
+
+################################################################################################
+# Cleanup
+
+- name: Remove container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/file.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/file.yml
new file mode 100644
index 00000000..0cbf4ec3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_copy_into/tasks/tests/file.yml
@@ -0,0 +1,1090 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-f' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+# Create container
+
+- name: Create container
+  community.docker.docker_container:
+    image: "{{ docker_test_image_alpine }}"
+    command:
+      - /bin/sh
+      - "-c"
+      - >-
+        mkdir /dir;
+        ln -s file /lnk;
+        ln -s lnk3 /lnk2;
+        ln -s lnk2 /lnk1;
+        sleep 10m;
+    name: "{{ cname }}"
+    state: started
+
+# Create files
+
+- name: Create file 1
+  ansible.builtin.copy:
+    dest: '{{ remote_tmp_dir }}/file_1'
+    content: |
+      Content 1
+    mode: "0644"
+
+- name: Create file 2
+  ansible.builtin.copy:
+    dest: '{{ remote_tmp_dir }}/file_2'
+    content: |-
+      Content 2
+      Extra line
+    mode: "0644"
+
+- name: Create link 1
+  ansible.builtin.file:
+    dest: '{{ remote_tmp_dir }}/link_1'
+    state: link
+    src: file_1
+    follow: false
+    mode: "0644"
+
+- name: Create link 2
+  ansible.builtin.file:
+    dest: '{{ remote_tmp_dir }}/link_2'
+    state: link
+    src: dead
+    force: true
+    follow: false
+    mode: "0644"
+
+################################################################################################
+# Do tests
+
+######################### Copy
+
+- name: Copy file (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  register: result_2
+
+- name: Copy file (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy file (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    force: true
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy file (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    force: true
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy file (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    force: true
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Copy file (force=false, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  check_mode: true
+  diff: false
+  register: result_9
+
+- name: Copy file (force=false, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  check_mode: true
+  diff: true
+  register: result_9_diff
+
+- name: Copy file (force=false)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0777"
+    mode_parse: modern
+    owner_id: 123
+    group_id: 321
+    force: false
+  register: result_10
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_11
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == ''
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /file'
+      - result_6 is changed
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 1\n'
+      - result_6_diff.diff.before_header == '/file'
+      - result_6_diff.diff.after == 'Content 1\n'
+      - result_6_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_8.stdout | b64decode == 'Content 1\n'
+      - result_8.stderr == '10 644 regular file 0 0 /file'
+      - result_9 is not changed
+      - "'diff' not in result_9"
+      - result_9_diff.diff.before == 'Content 1\n'
+      - result_9_diff.diff.before_header == '/file'
+      - result_9_diff.diff.after == 'Content 1\n'  # note that force=false
+      - result_9_diff.diff.after_header == '/file'  # note that force=false
+      - result_9 == (result_9_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_10 is not changed
+      - result_11.stdout | b64decode == 'Content 1\n'
+      - result_11.stderr == '10 644 regular file 0 0 /file'
+
+######################### Follow link - idempotence
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+    chdir: /root
+  register: result_0
+
+- name: Copy file following link (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file following link (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file following link
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+  register: result_2
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_3
+
+- name: Copy file following link (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+    force: true
+  check_mode: true
+  diff: false
+  register: result_4
+
+- name: Copy file following link (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+    force: true
+  check_mode: true
+  diff: true
+  register: result_4_diff
+
+- name: Copy file following link (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: true
+    force: true
+  register: result_5
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_6
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_0.stdout | b64decode == 'Content 1\n'
+      - result_0.stderr == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_1 is not changed
+      - result_1.container_path == '/file'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 1\n'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is not changed
+      - result_2.container_path == '/file'
+      - result_3.stdout | b64decode == 'Content 1\n'
+      - result_3.stderr_lines[0] == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_3.stderr_lines[1] == '10 644 regular file 0 0 /file'
+      - result_4 is changed
+      - result_4.container_path == '/file'
+      - "'diff' not in result_4"
+      - result_4_diff.diff.before == 'Content 1\n'
+      - result_4_diff.diff.before_header == '/file'
+      - result_4_diff.diff.after == 'Content 1\n'
+      - result_4_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_4 == (result_4_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_5 is changed
+      - result_5.container_path == '/file'
+      - result_6.stdout | b64decode == 'Content 1\n'
+      - result_6.stderr_lines[0] == "4 777 symbolic link 0 0 '/lnk' -> 'file'"
+      - result_6.stderr_lines[1] == '10 644 regular file 0 0 /file'
+
+######################### Do not follow link - replace by file
+
+- name: Copy file not following link (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: false
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file not following link (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: false
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file not following link
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    follow: false
+  register: result_2
+
+- name: Copy file not following link (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file not following link (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file not following link (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy file not following link (force, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    force: true
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy file not following link (force, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    force: true
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy file not following link (force)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/lnk'
+    force: true
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /lnk | base64;
+        stat -c '%s %a %F %u %g %N' /lnk > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - result_1.container_path == '/lnk'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == '/file'
+      - result_1_diff.diff.before_header == '/lnk'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_2.container_path == '/lnk'
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/lnk'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /lnk'
+      - result_6 is changed
+      - result_6.container_path == '/lnk'
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 1\n'
+      - result_6_diff.diff.before_header == '/lnk'
+      - result_6_diff.diff.after == 'Content 1\n'
+      - result_6_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_7.container_path == '/lnk'
+      - result_8.stdout | b64decode == 'Content 1\n'
+      - result_8.stderr == '10 644 regular file 0 0 /lnk'
+
+######################### Replace directory by file
+
+- name: Copy file to replace directory (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+    follow: false
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file to replace directory (check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+    follow: false
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file to replace directory (check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+    follow: false
+  register: result_2
+
+- name: Copy file to replace directory (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file to replace directory (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file to replace directory (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/dir'
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /dir | base64;
+        stat -c '%s %a %F %u %g %N' /dir > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - result_1.container_path == '/dir'
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == '(directory)'
+      - result_1_diff.diff.before_header == '/dir'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_2.container_path == '/dir'
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/dir'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 1\n'
+      - result_5.stderr == '10 644 regular file 0 0 /dir'
+
+######################### Modify
+
+- name: Copy file (changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file (changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file (changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+  register: result_2
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_3
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 1\n'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3.stdout | b64decode == 'Content 2\nExtra line'
+      - result_3.stderr == '20 644 regular file 0 0 /file'
+
+######################### Change mode
+
+- name: Copy file (mode changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file (mode changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file (mode changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_2
+
+- name: Copy file (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 2\nExtra line'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 2\nExtra line'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 2\nExtra line'
+      - result_5.stderr == '20 707 regular file 0 0 /file'
+
+######################### Change owner and group
+
+- name: Copy file (owner/group changed, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file (owner/group changed, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file (owner/group changed)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_2
+
+- name: Copy file (idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file (idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file (idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_4
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_5
+
+- name: Copy file (owner/group changed again, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  check_mode: true
+  diff: false
+  register: result_6
+
+- name: Copy file (owner/group changed again, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  check_mode: true
+  diff: true
+  register: result_6_diff
+
+- name: Copy file (owner/group changed again)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_2'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 13
+    group_id: 13
+  register: result_7
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_8
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 2\nExtra line'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 2\nExtra line'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 2\nExtra line'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5.stdout | b64decode == 'Content 2\nExtra line'
+      - result_5.stderr == '20 707 regular file 12 910 /file'
+      - result_6 is changed
+      - "'diff' not in result_6"
+      - result_6_diff.diff.before == 'Content 2\nExtra line'
+      - result_6_diff.diff.before_header == '/file'
+      - result_6_diff.diff.after == 'Content 2\nExtra line'
+      - result_6_diff.diff.after_header == (remote_tmp_dir ~ '/file_2')
+      - result_6 == (result_6_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_7 is changed
+      - result_8.stdout | b64decode == 'Content 2\nExtra line'
+      - result_8.stderr == '20 707 regular file 13 13 /file'
+
+######################### Operate with stopped container
+
+- name: Stop container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: stopped
+    stop_timeout: 1
+
+- name: Copy file (stopped container, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_1
+
+- name: Copy file (stopped container, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_1_diff
+
+- name: Copy file (stopped container)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_2
+
+- name: Copy file (stopped container, idempotent, check mode)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: false
+  register: result_3
+
+- name: Copy file (stopped container, idempotent, check mode, diff)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  check_mode: true
+  diff: true
+  register: result_3_diff
+
+- name: Copy file (stopped container, idempotent)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+    owner_id: 12
+    group_id: 910
+  register: result_4
+
+- name: Copy file (stopped container, no owner/group provided, should fail)
+  community.docker.docker_container_copy_into:
+    container: '{{ cname }}'
+    path: '{{ remote_tmp_dir }}/file_1'
+    container_path: '/file'
+    mode: "0707"
+    mode_parse: modern
+  register: result_5
+  ignore_errors: true
+
+- name: Start container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: started
+
+- name: Dump file
+  community.docker.docker_container_exec:
+    container: '{{ cname }}'
+    argv:
+      - /bin/sh
+      - "-c"
+      - >-
+        cat /file | base64;
+        stat -c '%s %a %F %u %g %N' /file > /dev/stderr
+    chdir: /root
+  register: result_6
+
+- name: Check results
+  ansible.builtin.assert:
+    that:
+      - result_1 is changed
+      - "'diff' not in result_1"
+      - result_1_diff.diff.before == 'Content 2\nExtra line'
+      - result_1_diff.diff.before_header == '/file'
+      - result_1_diff.diff.after == 'Content 1\n'
+      - result_1_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_1 == (result_1_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_2 is changed
+      - result_3 is not changed
+      - "'diff' not in result_3"
+      - result_3_diff.diff.before == 'Content 1\n'
+      - result_3_diff.diff.before_header == '/file'
+      - result_3_diff.diff.after == 'Content 1\n'
+      - result_3_diff.diff.after_header == (remote_tmp_dir ~ '/file_1')
+      - result_3 == (result_3_diff | dict2items | rejectattr('key', 'eq', 'diff') | items2dict)
+      - result_4 is not changed
+      - result_5 is failed
+      - result_5.msg == ('Cannot execute command in paused container "' ~ cname ~ '"')
+      - result_6.stdout | b64decode == 'Content 1\n'
+      - result_6.stderr == '10 707 regular file 12 910 /file'
+
+################################################################################################
+# Cleanup
+
+- name: Remove container
+  community.docker.docker_container:
+    name: "{{ cname }}"
+    state: absent
+    force_kill: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/tasks/main.yml
new file mode 100644
index 00000000..0b83a5ad
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_exec/tasks/main.yml
@@ -0,0 +1,246 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Create random container name
+      ansible.builtin.set_fact:
+        cname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Make sure container is not there
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+
+    - name: Execute in a non-present container
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        command: "/bin/bash -c 'ls -a'"
+      register: result
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - result is failed
+          - "'Could not find container' in result.msg"
+
+    - name: Make sure container exists
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        state: started
+        force_kill: true
+
+    - name: Execute in a present container (command)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        command: "/bin/sh -c 'ls -a'"
+      register: result_cmd
+
+    - ansible.builtin.assert:
+        that:
+          - result_cmd.rc == 0
+          - "'stdout' in result_cmd"
+          - "'stdout_lines' in result_cmd"
+          - "'stderr' in result_cmd"
+          - "'stderr_lines' in result_cmd"
+
+    - name: Execute in a present container (argv)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - ls -a
+      register: result_argv
+
+    - ansible.builtin.assert:
+        that:
+          - result_argv.rc == 0
+          - "'stdout' in result_argv"
+          - "'stdout_lines' in result_argv"
+          - "'stderr' in result_argv"
+          - "'stderr_lines' in result_argv"
+          - result_cmd.stdout == result_argv.stdout
+
+    - name: Execute in a present container (cat without stdin)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == ''
+          - result.stdout_lines == []
+          - result.stderr == ''
+          - result.stderr_lines == []
+
+    - name: Execute in a present container (cat with stdin)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat
+        stdin: Hello world!
+        strip_empty_ends: false
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == 'Hello world!\n'
+          - result.stdout_lines == ['Hello world!']
+          - result.stderr == ''
+          - result.stderr_lines == []
+
+    - name: Execute in a present container (cat with stdin, no newline)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat
+        stdin: Hello world!
+        stdin_add_newline: false
+        strip_empty_ends: false
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == 'Hello world!'
+          - result.stdout_lines == ['Hello world!']
+          - result.stderr == ''
+          - result.stderr_lines == []
+
+    - name: Execute in a present container (cat with stdin, newline but stripping)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat
+        stdin: Hello world!
+        stdin_add_newline: true
+        strip_empty_ends: true
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == 'Hello world!'
+          - result.stdout_lines == ['Hello world!']
+          - result.stderr == ''
+          - result.stderr_lines == []
+
+    - name: Prepare long string
+      ansible.builtin.set_fact:
+        very_long_string: "{{ 'something long ' * 10000 }}"
+        very_long_string2: "{{ 'something else ' * 5000 }}"
+
+    - name: Execute in a present container (long stdin)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat
+        stdin: |-
+          {{ very_long_string }}
+          {{ very_long_string2 }}
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result is changed
+          - result.rc == 0
+          - result.stdout == (very_long_string ~ '\n' ~ very_long_string2)
+          - result.stdout_lines == [very_long_string, very_long_string2]
+          - result.stderr == ''
+          - result.stderr_lines == []
+          - "'exec_id' not in result"
+
+    - name: Execute in a present container (detached)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - echo "Detach worked." > /result.txt
+        detach: true
+      register: result
+
+    - ansible.builtin.debug: var=result
+
+    - ansible.builtin.assert:
+        that:
+          - result is changed
+          - "'rc' not in result"
+          - "'stdout' not in result"
+          - "'stderr' not in result"
+          - result.exec_id is string
+
+    - name: Execute in a present container (environment variable)
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - 'echo "$FOO" ; echo $FOO > /dev/stderr'
+        env:
+          FOO: |-
+            bar
+            baz
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == 'bar\nbaz'
+          - result.stdout_lines == ['bar', 'baz']
+          - result.stderr == 'bar baz'
+          - result.stderr_lines == ['bar baz']
+
+    - name: Check result of detach test
+      community.docker.docker_container_exec:
+        container: "{{ cname }}"
+        argv:
+          - /bin/sh
+          - '-c'
+          - cat /result.txt
+        strip_empty_ends: false
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - result.rc == 0
+          - result.stdout == 'Detach worked.\n'
+          - result.stdout_lines == ['Detach worked.']
+          - result.stderr == ''
+          - result.stderr_lines == []
+
+  always:
+    - name: Cleanup
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_container_exec tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/aliases
new file mode 100644
index 00000000..0837c740
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/5
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_container_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/tasks/main.yml
new file mode 100644
index 00000000..797b42f8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_container_info/tasks/main.yml
@@ -0,0 +1,84 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Create random container name
+      ansible.builtin.set_fact:
+        cname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Make sure container is not there
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+
+    - name: Inspect a non-present container
+      community.docker.docker_container_info:
+        name: "{{ cname }}"
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - "not result.exists"
+          - "'container' in result"
+          - "result.container is none"
+
+    - name: Make sure container exists
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        state: started
+        force_kill: true
+
+    - name: Inspect a present container
+      community.docker.docker_container_info:
+        name: "{{ cname }}"
+      register: result
+    - name: Dump docker_container_info result
+      ansible.builtin.debug: var=result
+
+    - name: "Comparison: use 'docker inspect'"
+      ansible.builtin.command: docker inspect "{{ cname }}"
+      register: docker_inspect
+      ignore_errors: true
+    - block:
+        - ansible.builtin.set_fact:
+            docker_inspect_result: "{{ docker_inspect.stdout | from_json }}"
+        - name: Dump docker inspect result
+          ansible.builtin.debug: var=docker_inspect_result
+      when: docker_inspect is not failed
+
+    - ansible.builtin.assert:
+        that:
+          - result.exists
+          - "'container' in result"
+          - "result.container is truthy"
+
+    - ansible.builtin.assert:
+        that:
+          - "result.container == docker_inspect_result[0]"
+      when: docker_inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in docker_inspect.stderr"
+      when: docker_inspect is failed
+
+  always:
+    - name: Cleanup
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_container_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/aliases
new file mode 100644
index 00000000..0837c740
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/5
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/meta/main.yml
new file mode 100644
index 00000000..ca004bc0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_podman
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/main.yml
new file mode 100644
index 00000000..87c415ad
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Create random name prefix (for containers, networks, ...)
+- name: Create random container name prefix
+  ansible.builtin.set_fact:
+    cname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using container name prefix {{ cname_prefix }}"
+
+# Run the tests
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+      diff: false
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run all docker_container tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/default-context.yml b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/default-context.yml
new file mode 100644
index 00000000..bde75edf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/default-context.yml
@@ -0,0 +1,121 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cname: "{{ cname_prefix ~ '-hi' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname] }}"
+
+- name: Get current context
+  community.docker.docker_context_info:
+    only_current: true
+  register: docker_current_context
+
+- ansible.builtin.assert:
+    that:
+      - docker_current_context is not changed
+      # Some of the following tests will not be true on all machines, but they should be in CI:
+      - docker_current_context.current_context_name == 'default'
+      - docker_current_context.contexts | length == 1
+      - docker_current_context.contexts[0].name == 'default'
+      - docker_current_context.contexts[0].current == true
+      - docker_current_context.contexts[0].description == 'Current DOCKER_HOST based configuration'
+      - docker_current_context.contexts[0].meta_path is none
+      - docker_current_context.contexts[0].tls_path is none
+      - docker_current_context.contexts[0].config.docker_host == 'unix:///var/run/docker.sock'
+      - docker_current_context.contexts[0].config.tls == false
+
+- name: Run community.docker modules with current context
+  module_defaults:
+    group/community.docker.docker: "{{ docker_current_context.contexts[0].config }}"
+  block:
+    - name: Create container
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: present
+      register: create_1
+
+    - name: Create container (idempotent)
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        state: present
+      register: create_2
+
+    - ansible.builtin.assert:
+        that:
+          - create_1 is changed
+          - create_2 is not changed
+
+    - name: Inspect container with CLI tool
+      ansible.builtin.command:
+        cmd: docker inspect {{ cname }}
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - (result.stdout | from_json) | length == 1
+          - (result.stdout | from_json)[0].State.Status == "created"
+
+    - name: Start container
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: started
+      register: start_1
+
+    - name: Start container (idempotent)
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: started
+      register: start_2
+
+    - ansible.builtin.assert:
+        that:
+          - start_1 is changed
+          - start_2 is not changed
+
+    - name: Inspect container with CLI tool
+      ansible.builtin.command:
+        cmd: docker inspect {{ cname }}
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - (result.stdout | from_json) | length == 1
+          - (result.stdout | from_json)[0].State.Status == "running"
+
+    - name: Remove container
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+      register: remove_1
+
+    - name: Remove container (idempotent)
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        state: absent
+        force_kill: true
+      register: remove_2
+
+    - ansible.builtin.assert:
+        that:
+          - remove_1 is changed
+          - remove_2 is not changed
+
+    - name: Inspect container with CLI tool
+      ansible.builtin.command:
+        cmd: docker inspect {{ cname }}
+      register: result
+      failed_when: result.rc != 1
+
+    - ansible.builtin.assert:
+        that:
+          - (result.stdout | from_json) | length == 0
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/podman.yml b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/podman.yml
new file mode 100644
index 00000000..d0b64411
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_context_info/tasks/tests/podman.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: podman_cli_version is version('1.0.0', '>=')
+  block:
+    # The setup_podman role created a 'podman' context that we can use here.
+
+    - name: Get all contexts
+      community.docker.docker_context_info:
+      register: docker_contexts
+
+    - name: Ensure that there are at least two contexts
+      ansible.builtin.assert:
+        that:
+          - docker_contexts.contexts | length >= 2
+
+    - name: Get Podman context
+      community.docker.docker_context_info:
+        name: podman
+      register: docker_podman_context
+
+    - ansible.builtin.assert:
+        that:
+          - docker_podman_context.contexts | length == 1
+          - docker_podman_context.contexts[0].name == 'podman'
+          - docker_podman_context.contexts[0].current == false
+          - docker_podman_context.contexts[0].description == 'Podman'
+          - docker_podman_context.contexts[0].meta_path is string
+          - docker_podman_context.contexts[0].tls_path is string
+          - docker_podman_context.contexts[0].config.docker_host is string
+          - docker_podman_context.contexts[0].config.tls == false
+
+    - name: Run basic test with Podman context
+      module_defaults:
+        group/community.docker.docker: "{{ docker_podman_context.contexts[0].config }}"
+      block:
+
+        - name: Get info on Podman host
+          community.docker.docker_host_info:
+          register: output
+
+        - name: Check for some Podman specific values
+          ansible.builtin.assert:
+            that:
+              - output.host_info.ProductLicense == 'Apache-2.0'
+              - >-
+                "Rootless" in output.host_info
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_host_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_host_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/meta/main.yml
new file mode 100644
index 00000000..ca004bc0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_podman
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/main.yml
new file mode 100644
index 00000000..9ec9a7d9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_host_info.yml
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_host_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
+
+- when: podman_cli_version is version('1.0.0', '>=')
+  block:
+    - name: Get Podman context
+      community.docker.docker_context_info:
+        name: podman
+      register: docker_podman_context
+
+    - name: Run tests with Podman context
+      module_defaults:
+        group/community.docker.docker: "{{ docker_podman_context.contexts[0].config }}"
+      block:
+
+        - name: Get info on Podman host
+          community.docker.docker_host_info:
+          register: output
+
+        - name: Check for some Podman specific values
+          ansible.builtin.assert:
+            that:
+              - output.host_info.ProductLicense == 'Apache-2.0'
+              - >-
+                "Rootless" in output.host_info
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/test_host_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/test_host_info.yml
new file mode 100644
index 00000000..cd25fa95
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_host_info/tasks/test_host_info.yml
@@ -0,0 +1,391 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random container/volume name
+  ansible.builtin.set_fact:
+    cname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cname2: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    vname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+- ansible.builtin.debug:
+    msg: "Using container names '{{ cname }}' and '{{ cname2 }}', and volume name '{{ vname }}'"
+
+- block:
+    - name: Get info on Docker host
+      community.docker.docker_host_info:
+      register: output
+
+    - name: assert reading docker host facts when docker is running
+      ansible.builtin.assert:
+        that:
+          - output.host_info.Name is string
+          - output.containers is not defined
+          - output.networks is not defined
+          - output.volumes is not defined
+          - output.images is not defined
+          - output.disk_usage is not defined
+          - output.can_talk_to_docker is true
+
+- block:
+    - name: Get info on Docker host with invalid api_version
+      community.docker.docker_host_info:
+        api_version: 1.999.999
+      register: output
+      ignore_errors: true
+
+    - name: assert can_talk_is_docker is false
+      ansible.builtin.assert:
+        that:
+          - output is failed
+          - output.can_talk_to_docker is false
+
+- block:
+    - name: Get info on Docker host with invalid docker_host
+      community.docker.docker_host_info:
+        docker_host: tcp://127.0.0.1:80
+      register: output
+      ignore_errors: true
+
+    - name: assert can_talk_is_docker is false
+      ansible.builtin.assert:
+        that:
+          - output is failed
+          - output.can_talk_to_docker is false
+
+  # Container and volume are created so that all lists are non-empty:
+  # * container and volume lists are non-emtpy because of the created objects;
+  # * image list is non-empty because the image of the container is there;
+  # * network list is always non-empty (default networks).
+    - name: Create running container
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        command: '/bin/sh -c "sleep 10m"'
+        name: "{{ cname }}"
+        labels:
+          key1: value1
+          key2: value2
+        state: started
+      register: container_output
+
+    - name: Create running container
+      community.docker.docker_container:
+        image: "{{ docker_test_image_alpine }}"
+        name: "{{ cname2 }}"
+        labels:
+          key2: value2
+          key3: value3
+        state: stopped
+      register: container2_output
+
+    - ansible.builtin.assert:
+        that:
+          - container_output is changed
+          - container2_output is changed
+
+    - name: Create a volume
+      community.docker.docker_volume:
+        name: "{{ vname }}"
+      register: volume_output
+
+    - ansible.builtin.assert:
+        that:
+          - volume_output is changed
+
+    - name: Get info on Docker host and list containers
+      community.docker.docker_host_info:
+        containers: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list containers
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+          - 'output.containers[0].Image is string'
+          - 'output.containers[0].ImageID is not defined'
+
+    - name: Get info on Docker host and list containers matching filters (single label)
+      community.docker.docker_host_info:
+        containers: true
+        containers_filters:
+          label: key1=value1
+      register: output
+
+    - name: assert container is returned when filters are matched (single label)
+      ansible.builtin.assert:
+        that: "output.containers | length == 1"
+
+    - name: Get info on Docker host and list containers matching filters (multiple labels)
+      community.docker.docker_host_info:
+        containers: true
+        containers_filters:
+          label:
+            - key1=value1
+            - key2=value2
+      register: output
+
+    - name: assert container is returned when filters are matched (multiple labels)
+      ansible.builtin.assert:
+        that: "output.containers | length == 1"
+
+    - name: Get info on Docker host and do not list containers which do not match filters
+      community.docker.docker_host_info:
+        containers: true
+        containers_filters:
+          label:
+            - key1=value1
+            - key2=value2
+            - key3=value3
+      register: output
+
+    - name: assert no container is returned when filters are not matched
+      ansible.builtin.assert:
+        that: "output.containers | length == 0"
+
+    - name: Get info on Docker host and list containers matching filters (single label, not all containers)
+      community.docker.docker_host_info:
+        containers: true
+        containers_all: false
+        containers_filters:
+          label: key2=value2
+      register: output
+
+    - name: Get info on Docker host and list containers matching filters (single label, all containers)
+      community.docker.docker_host_info:
+        containers: true
+        containers_all: true
+        containers_filters:
+          label: key2=value2
+      register: output_all
+
+    - name: assert one resp. two container is returned
+      ansible.builtin.assert:
+        that:
+          - "output.containers | length == 1"
+          - "output_all.containers | length == 2"
+
+    - name: Get info on Docker host and list containers with verbose output
+      community.docker.docker_host_info:
+        containers: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list containers with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+          - 'output.containers[0].Image is string'
+          - 'output.containers[0].ImageID is string'
+
+    - name: Get info on Docker host and list images
+      community.docker.docker_host_info:
+        images: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list images
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images[0].Id is string'
+          - 'output.images[0].ParentId is not defined'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and list images with verbose output
+      community.docker.docker_host_info:
+        images: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list images with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images[0].Id is string'
+          - 'output.images[0].ParentId is string'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and list networks
+      community.docker.docker_host_info:
+        networks: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list networks
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks[0].Id is string'
+          - 'output.networks[0].Created is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and list networks with verbose output
+      community.docker.docker_host_info:
+        networks: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list networks with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks[0].Id is string'
+          - 'output.networks[0].Created is string'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and list volumes
+      community.docker.docker_host_info:
+        volumes: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list volumes
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes[0].Name is string'
+          - 'output.volumes[0].Mountpoint is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and list volumes with verbose output
+      community.docker.docker_host_info:
+        volumes: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and list volumes with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes[0].Name is string'
+          - 'output.volumes[0].Mountpoint is string'
+          - 'output.images is not defined'
+          - 'output.disk_usage is not defined'
+
+    - name: Get info on Docker host and get disk usage
+      community.docker.docker_host_info:
+        disk_usage: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and get disk usage
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage.LayersSize is number'
+          - 'output.disk_usage.Images is not defined'
+          - 'output.disk_usage.Containers is not defined'
+          - 'output.disk_usage.Volumes is not defined'
+
+    - name: Get info on Docker host and get disk usage with verbose output
+      community.docker.docker_host_info:
+        disk_usage: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and get disk usage with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers is not defined'
+          - 'output.networks is not defined'
+          - 'output.volumes is not defined'
+          - 'output.images is not defined'
+          - 'output.disk_usage.LayersSize is number'
+          - 'output.disk_usage.Images is sequence'
+          - 'output.disk_usage.Containers is sequence'
+          - 'output.disk_usage.Volumes is sequence'
+
+    - name: Get info on Docker host, disk usage and get all lists together
+      community.docker.docker_host_info:
+        volumes: true
+        containers: true
+        networks: true
+        images: true
+        disk_usage: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running, disk usage and get lists together
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers[0].Image is string'
+          - 'output.containers[0].ImageID is not defined'
+          - 'output.networks[0].Id is string'
+          - 'output.networks[0].Created is not defined'
+          - 'output.volumes[0].Name is string'
+          - 'output.volumes[0].Mountpoint is not defined'
+          - 'output.images[0].Id is string'
+          - 'output.images[0].ParentId is not defined'
+          - 'output.disk_usage.LayersSize is number'
+          - 'output.disk_usage.Images is not defined'
+          - 'output.disk_usage.Containers is not defined'
+          - 'output.disk_usage.Volumes is not defined'
+
+    - name: Get info on Docker host, disk usage and get all lists together with verbose output
+      community.docker.docker_host_info:
+        volumes: true
+        containers: true
+        networks: true
+        images: true
+        disk_usage: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading docker host facts when docker is running and get disk usage with verbose output
+      ansible.builtin.assert:
+        that:
+          - 'output.host_info.Name is string'
+          - 'output.containers[0].Image is string'
+          - 'output.containers[0].ImageID is string'
+          - 'output.networks[0].Id is string'
+          - 'output.networks[0].Created is string'
+          - 'output.volumes[0].Name is string'
+          - 'output.volumes[0].Mountpoint is string'
+          - 'output.images[0].Id is string'
+          - 'output.images[0].ParentId is string'
+          - 'output.disk_usage.LayersSize is number'
+          - 'output.disk_usage.Images is sequence'
+          - 'output.disk_usage.Containers is sequence'
+          - 'output.disk_usage.Volumes is sequence'
+
+  always:
+    - name: Delete containers
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      loop:
+        - "{{ cname }}"
+        - "{{ cname2 }}"
+
+    - name: Delete volume
+      community.docker.docker_volume:
+        name: "{{ vname }}"
+        state: absent
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/meta/main.yml
new file mode 100644
index 00000000..511f9e41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_registry
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/test.yml
new file mode 100644
index 00000000..4f086c1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/test.yml
@@ -0,0 +1,56 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- name: Create files directory
+  ansible.builtin.file:
+    path: '{{ remote_tmp_dir }}/files'
+    state: directory
+
+- name: Template files
+  ansible.builtin.template:
+    src: '{{ item }}'
+    dest: '{{ remote_tmp_dir }}/files/{{ item }}'
+  loop:
+    - ArgsDockerfile
+    - Dockerfile
+    - EtcHostsDockerfile
+    - MyDockerfile
+    - StagedDockerfile
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image:
+        name: "{{ item }}"
+        state: absent
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/basic.yml
new file mode 100644
index 00000000..b78ac2f9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/basic.yml
@@ -0,0 +1,139 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+## basic ###########################################################
+####################################################################
+
+- name: Make sure image is not there
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    state: absent
+    force_absent: true
+  register: absent_1
+
+- name: Make sure image is not there (idempotency)
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    state: absent
+  register: absent_2
+
+- ansible.builtin.assert:
+    that:
+      - absent_2 is not changed
+
+- name: Make sure image is there
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    state: present
+    source: pull
+    pull:
+      platform: amd64
+  register: present_1
+
+- name: Make sure image is there (idempotent)
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    state: present
+    source: pull
+    pull:
+      platform: amd64
+  register: present_2
+
+- ansible.builtin.assert:
+    that:
+      - present_1 is changed
+      - present_2 is not changed
+
+- name: Make sure tag is not there
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world_base }}:alias"
+    state: absent
+
+- name: Tag image with alias
+  community.docker.docker_image:
+    source: local
+    name: "{{ docker_test_image_hello_world }}"
+    repository: "{{ docker_test_image_hello_world_base }}:alias"
+  register: tag_1
+
+- name: Tag image with alias (idempotent)
+  community.docker.docker_image:
+    source: local
+    name: "{{ docker_test_image_hello_world }}"
+    repository: "{{ docker_test_image_hello_world_base }}:alias"
+  register: tag_2
+
+- name: Tag image with alias (force, still idempotent)
+  community.docker.docker_image:
+    source: local
+    name: "{{ docker_test_image_hello_world }}"
+    repository: "{{ docker_test_image_hello_world_base }}:alias"
+    force_tag: true
+  register: tag_3
+
+- name: Tag image with ID instead of name
+  community.docker.docker_image:
+    source: local
+    name: "{{ present_1.image.Id }}"
+    repository: "{{ docker_test_image_hello_world_base }}:alias"
+  register: tag_4
+
+- ansible.builtin.assert:
+    that:
+      - tag_1 is changed
+      - tag_2 is not changed
+      - tag_3 is not changed
+      - tag_4 is not changed
+
+- name: Cleanup alias tag
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world_base }}:alias"
+    state: absent
+
+- name: Tag image with ID instead of name (use ID for repository, must fail)
+  community.docker.docker_image:
+    source: local
+    name: "{{ docker_test_image_hello_world }}"
+    repository: "{{ present_1.image.Id }}"
+  register: fail_1
+  ignore_errors: true
+
+- name: Push image with ID (must fail)
+  community.docker.docker_image:
+    source: local
+    name: "{{ present_1.image.Id }}"
+    push: true
+  register: fail_2
+  ignore_errors: true
+
+- name: Pull image ID (must fail)
+  community.docker.docker_image:
+    source: pull
+    name: "{{ present_1.image.Id }}"
+    force_source: true
+  register: fail_3
+  ignore_errors: true
+
+- name: Build image ID (must fail)
+  community.docker.docker_image:
+    source: build
+    name: "{{ present_1.image.Id }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+    force_source: true
+  register: fail_4
+  ignore_errors: true
+
+- ansible.builtin.assert:
+    that:
+      - fail_1 is failed
+      - "'`repository` must not be an image ID' in fail_1.msg"
+      - fail_2 is failed
+      - "'Cannot push an image by ID' in fail_2.msg"
+      - fail_3 is failed
+      - "'Image name must not be an image ID for source=pull' in fail_3.msg"
+      - fail_4 is failed
+      - "'Image name must not be an image ID for source=build' in fail_4.msg"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/docker_image.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/docker_image.yml
new file mode 100644
index 00000000..c683886b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/docker_image.yml
@@ -0,0 +1,262 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    iname: "{{ name_prefix ~ '-options' }}"
+
+- name: Determining pushed image names
+  ansible.builtin.set_fact:
+    hello_world_image_base: "{{ registry_address | default('localhost') }}/test/hello-world"
+    test_image_base: "{{ registry_address | default('localhost') }}/test/{{ iname }}"
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    inames: "{{ inames + [iname, test_image_base ~ ':latest', test_image_base ~ ':other', hello_world_image_base ~ ':latest', hello_world_image_base ~ ':newtag', hello_world_image_base ~ ':newtag2'] }}"
+
+####################################################################
+## interact with test registry #####################################
+####################################################################
+
+- name: Run registry tests only when registry is present
+  when: registry_address is defined
+  block:
+    - name: Make sure image is not there
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}:latest"
+        state: absent
+        force_absent: true
+
+    - name: Make sure we have {{ docker_test_image_hello_world }}
+      community.docker.docker_image:
+        name: "{{ docker_test_image_hello_world }}"
+        source: pull
+
+    - name: Push image to test registry
+      community.docker.docker_image:
+        name: "{{ docker_test_image_hello_world }}"
+        repository: "{{ hello_world_image_base }}:latest"
+        push: true
+        source: local
+      register: push_1
+
+    - name: Push image to test registry (idempotent)
+      community.docker.docker_image:
+        name: "{{ docker_test_image_hello_world }}"
+        repository: "{{ hello_world_image_base }}:latest"
+        push: true
+        source: local
+      register: push_2
+
+    - name: Push image to test registry (force, still idempotent)
+      community.docker.docker_image:
+        name: "{{ docker_test_image_hello_world }}"
+        repository: "{{ hello_world_image_base }}:latest"
+        push: true
+        source: local
+        force_tag: true
+      register: push_3
+
+    - ansible.builtin.assert:
+        that:
+          - push_1 is changed
+          - push_2 is not changed
+          - push_3 is not changed
+
+    - name: Get facts of local image
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_1
+
+    - name: Make sure image is not there
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}:latest"
+        state: absent
+        force_absent: true
+
+    - name: Get facts of local image (absent)
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_2
+
+    - name: Pull image from test registry
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}:latest"
+        state: present
+        source: pull
+      register: pull_1
+
+    - name: Pull image from test registry (idempotency)
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}:latest"
+        state: present
+        source: pull
+      register: pull_2
+
+    - name: Get facts of local image (present)
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_3
+
+    - ansible.builtin.assert:
+        that:
+          - pull_1 is changed
+          - pull_2 is not changed
+          - facts_1.images | length == 1
+          - facts_2.images | length == 0
+          - facts_3.images | length == 1
+
+    - name: Pull image from test registry (with digest)
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}@{{ facts_3.images[0].RepoDigests[0] | regex_replace('.*@', '') }}"
+        state: present
+        source: pull
+        force_source: true
+      register: pull_digest
+
+    - name: Make sure that changed is still false
+      ansible.builtin.assert:
+        that:
+          - pull_digest is not changed
+
+    - name: Tag different image with new tag
+      community.docker.docker_image:
+        name: "{{ docker_test_image_alpine_different }}"
+        repository: "{{ hello_world_image_base }}:newtag"
+        push: false
+        source: pull
+
+    - name: Push different image with new tag
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}"
+        repository: "{{ hello_world_image_base }}"
+        tag: newtag
+        push: true
+        source: local
+      register: push_1_different
+
+    - name: Push different image with new tag (idempotent)
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}"
+        repository: "{{ hello_world_image_base }}"
+        tag: newtag
+        push: true
+        source: local
+      register: push_2_different
+
+    - ansible.builtin.assert:
+        that:
+          - push_1_different is changed
+          - push_2_different is not changed
+
+    - name: Tag same image with new tag
+      community.docker.docker_image:
+        name: "{{ docker_test_image_alpine_different }}"
+        repository: "{{ hello_world_image_base }}:newtag2"
+        push: false
+        source: pull
+
+    - name: Push same image with new tag
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}"
+        repository: "{{ hello_world_image_base }}"
+        tag: newtag2
+        push: true
+        source: local
+      register: push_1_same
+
+    - name: Push same image with new tag (idempotent)
+      community.docker.docker_image:
+        name: "{{ hello_world_image_base }}"
+        repository: "{{ hello_world_image_base }}"
+        tag: newtag2
+        push: true
+        source: local
+      register: push_2_same
+
+    - ansible.builtin.assert:
+        that:
+          # NOTE: This should be:
+          #   - push_1_same is changed
+          # Unfortunately docker does *NOT* report whether the tag already existed or not.
+          # Here are the logs returned by client.push() for both tasks (which are exactly the same):
+          #   push_1_same:
+          #     {"status": "The push refers to repository [localhost:32796/test/hello-world]"},
+          #     {"id": "3fc64803ca2d", "progressDetail": {}, "status": "Preparing"},
+          #     {"id": "3fc64803ca2d", "progressDetail": {}, "status": "Layer already exists"},
+          #     {"status": "newtag2: digest: sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b size: 528"},
+          #     {"aux": {"Digest": "sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b", "Size": 528, "Tag": "newtag2"}, "progressDetail": {}}
+          #   push_2_same:
+          #     {"status": "The push refers to repository [localhost:32796/test/hello-world]"},
+          #     {"id": "3fc64803ca2d", "progressDetail": {}, "status": "Preparing"},
+          #     {"id": "3fc64803ca2d", "progressDetail": {}, "status": "Layer already exists"},
+          #     {"status": "newtag2: digest: sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b size: 528"},
+          #     {"aux": {"Digest": "sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b", "Size": 528, "Tag": "newtag2"}, "progressDetail": {}}
+          - push_1_same is not changed
+          - push_2_same is not changed
+
+####################################################################
+## repository ######################################################
+####################################################################
+
+- name: Make sure image is not there
+  community.docker.docker_image:
+    name: "{{ test_image_base }}:latest"
+    state: absent
+    force_absent: true
+
+- name: repository
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      pull: false
+    repository: "{{ test_image_base }}"
+    source: build
+  register: repository_1
+
+- name: repository (idempotent)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    repository: "{{ test_image_base }}"
+    source: local
+  register: repository_2
+
+- name: repository, tag with ID
+  community.docker.docker_image:
+    name: "{{ repository_1.image.Id }}"
+    repository: "{{ test_image_base }}:other"
+    source: local
+  register: repository_3
+
+- name: repository, tag with ID (idempotent)
+  community.docker.docker_image:
+    name: "{{ repository_1.image.Id }}"
+    repository: "{{ test_image_base }}:other"
+    source: local
+    force_tag: true
+  register: repository_4
+
+- ansible.builtin.assert:
+    that:
+      - repository_1 is changed
+      - repository_2 is not changed
+      - repository_3 is changed
+      - repository_4 is not changed
+
+- name: Get facts of image
+  community.docker.docker_image_info:
+    name: "{{ test_image_base }}:latest"
+  register: facts_1
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ test_image_base }}:latest"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - facts_1.images | length == 1
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/options.yml
new file mode 100644
index 00000000..b391801a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/tasks/tests/options.yml
@@ -0,0 +1,508 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    iname: "{{ name_prefix ~ '-options' }}"
+    iname_1: "{{ name_prefix ~ '-options-1' }}"
+    hello_world_alt: "{{ name_prefix }}-hello-world-alt:v1.2.3-foo"
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    inames: "{{ inames + [iname, iname_1, hello_world_alt] }}"
+
+####################################################################
+## build.args ######################################################
+####################################################################
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- name: buildargs
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "ArgsDockerfile"
+      args:
+        IMAGE: "{{ docker_test_image_busybox }}"
+        TEST1: val1
+        TEST2: val2
+        TEST3: "True"
+      pull: false
+    source: build
+  register: buildargs_1
+  ignore_errors: true
+
+- name: buildargs (idempotency)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "ArgsDockerfile"
+      args:
+        IMAGE: "{{ docker_test_image_busybox }}"
+        TEST1: val1
+        TEST2: val2
+        TEST3: "True"
+      pull: false
+    source: build
+  register: buildargs_2
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - buildargs_1 is changed
+      - buildargs_2 is not failed and buildargs_2 is not changed
+
+####################################################################
+## build.container_limits ##########################################
+####################################################################
+
+- name: container_limits (Failed due to min memory limit)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      container_limits:
+        memory: 4KB
+      pull: false
+    source: build
+  ignore_errors: true
+  register: container_limits_1
+
+- name: container_limits
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      container_limits:
+        memory: 7MB
+        memswap: 8MB
+      pull: false
+    source: build
+  register: container_limits_2
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      # It *sometimes* happens that the first task does not fail.
+      # For now, we work around this by
+      #   a) requiring that if it fails, the message must
+      #      contain 'Minimum memory limit allowed is (4|6)MB', and
+      #   b) requiring that either the first task, or the second
+      #      task is changed, but not both.
+      - "not container_limits_1 is failed or ('Minimum memory limit allowed is ') in container_limits_1.msg"
+      - "container_limits_1 is changed or container_limits_2 is changed and not (container_limits_1 is changed and container_limits_2 is changed)"
+
+####################################################################
+## build.dockerfile ################################################
+####################################################################
+
+- name: dockerfile
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "MyDockerfile"
+      pull: false
+    source: build
+  register: dockerfile_1
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - dockerfile_1 is changed
+      - "('FROM ' ~ docker_test_image_alpine) in dockerfile_1.stdout"
+      - dockerfile_1['image']['Config']['WorkingDir'] == '/newdata'
+
+####################################################################
+## build.platform ##################################################
+####################################################################
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- name: build.platform
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      platform: linux
+      pull: false
+    source: build
+  register: platform_1
+  ignore_errors: true
+
+- name: build.platform (idempotency)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      platform: linux
+      pull: false
+    source: build
+  register: platform_2
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - platform_1 is changed
+      - platform_2 is not failed and platform_2 is not changed
+
+####################################################################
+## force ###########################################################
+####################################################################
+
+- name: Build an image
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      pull: false
+    source: build
+
+- name: force (changed)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "MyDockerfile"
+      pull: false
+    source: build
+    force_source: true
+  register: force_1
+
+- name: force (unchanged)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "MyDockerfile"
+      pull: false
+    source: build
+    force_source: true
+  register: force_2
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - force_1 is changed
+      - force_2 is not changed
+
+####################################################################
+## load path #######################################################
+####################################################################
+
+- name: Archive image
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    archive_path: "{{ remote_tmp_dir }}/image.tar"
+    source: pull
+  register: archive_image
+
+- ansible.builtin.assert:
+    that:
+      - archive_image is changed
+
+- name: Copy archive because we will mutate it but other tests need the original
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ remote_tmp_dir }}/image.tar"
+    dest: "{{ remote_tmp_dir }}/image_mutated.tar"
+
+- name: Archive image again (idempotent)
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    archive_path: "{{ remote_tmp_dir }}/image_mutated.tar"
+    source: local
+  register: archive_image_2
+
+- ansible.builtin.assert:
+    that:
+      - archive_image_2 is not changed
+  when: docker_cli_version is version("29.0.0", "<")
+  # Apparently idempotency no longer works with the default storage backend
+  # in Docker 29.0.0.
+  # https://github.com/ansible-collections/community.docker/pull/1199
+
+- name: Archive image 3rd time, should overwrite due to different id
+  community.docker.docker_image:
+    name: "{{ docker_test_image_alpine_different }}"
+    archive_path: "{{ remote_tmp_dir }}/image_mutated.tar"
+    source: pull
+  register: archive_image_3
+
+- ansible.builtin.assert:
+    that:
+      - archive_image_3 is changed
+
+- name: Reset archive
+  ansible.builtin.copy:
+    remote_src: true
+    src: "{{ remote_tmp_dir }}/image.tar"
+    dest: "{{ remote_tmp_dir }}/image_mutated.tar"
+
+- name: Tag image with different name
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    repository: "{{ hello_world_alt }}"
+    source: local
+
+- name: Archive image 4th time, should overwrite due to different name even when ID is same
+  community.docker.docker_image:
+    name: "{{ hello_world_alt }}"
+    # Tagged as docker_test_image_hello_world but has same hash/id (before this task overwrites it)
+    archive_path: "{{ remote_tmp_dir }}/image_mutated.tar"
+    source: local
+  register: archive_image_4
+
+- ansible.builtin.assert:
+    that:
+      - archive_image_4 is changed
+
+# This is the test that needs the original, non-mutated archive
+- name: Archive image by ID
+  community.docker.docker_image:
+    name: "{{ archive_image.image.Id }}"
+    archive_path: "{{ remote_tmp_dir }}/image_id.tar"
+    source: local
+  register: archive_image_id
+
+- name: Create invalid archive
+  ansible.builtin.copy:
+    dest: "{{ remote_tmp_dir }}/image-invalid.tar"
+    content: "this is not a valid image"
+
+- name: remove image
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    state: absent
+    force_absent: true
+
+- name: load image (changed)
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    load_path: "{{ remote_tmp_dir }}/image.tar"
+    source: load
+  register: load_image
+
+- name: load image (idempotency)
+  community.docker.docker_image:
+    name: "{{ docker_test_image_hello_world }}"
+    load_path: "{{ remote_tmp_dir }}/image.tar"
+    source: load
+  register: load_image_1
+
+- name: load image (wrong name)
+  community.docker.docker_image:
+    name: foo:bar
+    load_path: "{{ remote_tmp_dir }}/image.tar"
+    source: load
+  register: load_image_2
+  ignore_errors: true
+
+- name: load image (invalid image)
+  community.docker.docker_image:
+    name: foo:bar
+    load_path: "{{ remote_tmp_dir }}/image-invalid.tar"
+    source: load
+  register: load_image_3
+  ignore_errors: true
+
+- name: load image (ID, idempotency)
+  community.docker.docker_image:
+    name: "{{ archive_image.image.Id }}"
+    load_path: "{{ remote_tmp_dir }}/image_id.tar"
+    source: load
+  register: load_image_4
+
+- ansible.builtin.assert:
+    that:
+      - load_image is changed
+      - archive_image['image']['Id'] == load_image['image']['Id']
+      - load_image_1 is not changed
+      - load_image_2 is failed
+      - >-
+        ("The archive did not contain image 'foo:bar'. Instead, found '" ~ docker_test_image_hello_world ~ "'.") == load_image_2.msg
+      - load_image_3 is failed
+      - '"Detected no loaded images. Archive potentially corrupt?" == load_image_3.msg'
+      - load_image_4 is not changed
+
+####################################################################
+## build.path ######################################################
+####################################################################
+
+- name: Build image
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      pull: false
+    source: build
+  register: path_1
+
+- name: Build image (idempotency)
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      pull: false
+    source: build
+  register: path_2
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - path_1 is changed
+      - path_2 is not changed
+
+####################################################################
+## build.target ####################################################
+####################################################################
+
+- name: Build multi-stage image
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "StagedDockerfile"
+      target: first
+      pull: false
+    source: build
+  register: dockerfile_2
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - dockerfile_2 is changed
+      - dockerfile_2.image.Config.WorkingDir == '/first'
+
+####################################################################
+## build.etc_hosts #################################################
+####################################################################
+
+- name: Build image with custom etc_hosts
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "EtcHostsDockerfile"
+      pull: false
+      etc_hosts:
+        some-custom-host: "127.0.0.1"
+    source: build
+  register: path_1
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - path_1 is changed
+
+####################################################################
+## build.shm_size ##################################################
+####################################################################
+
+- name: Build image with custom shm_size
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "MyDockerfile"
+      pull: false
+      shm_size: 128MB
+    source: build
+  register: path_1
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- ansible.builtin.assert:
+    that:
+      - path_1 is changed
+
+####################################################################
+## build.labels ####################################################
+####################################################################
+
+- name: Build image with labels
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    build:
+      path: "{{ remote_tmp_dir }}/files"
+      dockerfile: "MyDockerfile"
+      pull: false
+      labels:
+        FOO: BAR
+        this is a label: this is the label's value
+    source: build
+  register: labels_1
+
+- name: cleanup
+  community.docker.docker_image:
+    name: "{{ iname }}"
+    state: absent
+    force_absent: true
+
+- name: Show image information
+  ansible.builtin.debug:
+    var: labels_1.image
+
+- ansible.builtin.assert:
+    that:
+      - labels_1 is changed
+      - labels_1.image.Config.Labels.FOO == 'BAR'
+      - labels_1.image.Config.Labels["this is a label"] == "this is the label's value"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/ArgsDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/ArgsDockerfile
new file mode 100644
index 00000000..dedd88a8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/ArgsDockerfile
@@ -0,0 +1,13 @@
+# Copyright (c) 2022, Felix Fontein
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+ARG IMAGE
+ARG TEST1
+ARG TEST2
+ARG TEST3
+
+FROM ${IMAGE}
+ENV foo /bar
+WORKDIR ${foo}
+RUN echo "${TEST1} - ${TEST2} - ${TEST3}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/Dockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/Dockerfile
new file mode 100644
index 00000000..286094b9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/Dockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }}
+ENV foo /bar
+WORKDIR ${foo}
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/EtcHostsDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/EtcHostsDockerfile
new file mode 100644
index 00000000..bc21b966
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/EtcHostsDockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }}
+# This should fail building if docker cannot resolve some-custom-host
+RUN ping -c1 some-custom-host
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/MyDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/MyDockerfile
new file mode 100644
index 00000000..24b1c926
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/MyDockerfile
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_alpine }}
+ENV INSTALL_PATH /newdata
+RUN mkdir -p $INSTALL_PATH
+
+WORKDIR $INSTALL_PATH
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/StagedDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/StagedDockerfile
new file mode 100644
index 00000000..da225342
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image/templates/StagedDockerfile
@@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }} AS first
+ENV dir /first
+WORKDIR ${dir}
+
+FROM {{ docker_test_image_busybox }} AS second
+ENV dir /second
+WORKDIR ${dir}
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/meta/main.yml
new file mode 100644
index 00000000..71ac98d4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_cli_buildx
+  # The Python dependencies are needed for the other modules
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/test.yml
new file mode 100644
index 00000000..6df5fddc
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/test.yml
@@ -0,0 +1,71 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- name: Create files directory
+  ansible.builtin.file:
+    path: '{{ remote_tmp_dir }}/files'
+    state: directory
+
+- name: Template files
+  ansible.builtin.template:
+    src: '{{ item }}'
+    dest: '{{ remote_tmp_dir }}/files/{{ item }}'
+  loop:
+    - ArgsDockerfile
+    - Dockerfile
+    - EtcHostsDockerfile
+    - MyDockerfile
+    - SecretsDockerfile
+    - StagedDockerfile
+
+- ansible.builtin.debug:
+    msg: "Has buildx plugin: {{ docker_has_buildx }}"
+
+- block:
+    - name: Determine plugin versions
+      ansible.builtin.command: docker info -f '{{ "{{" }}json .ClientInfo.Plugins{{ "}}" }}'
+      register: plugin_versions
+
+    - name: Determine buildx plugin version
+      ansible.builtin.set_fact:
+        buildx_version: >-
+          {{
+            (plugin_versions.stdout | from_json | selectattr('Name', 'eq', 'buildx') | map(attribute='Version') | first).lstrip('v')
+          }}
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image:
+        name: "{{ item }}"
+        state: absent
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=') and docker_cli_version is version('19.03', '>=') and docker_has_buildx
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=') and docker_cli_version is version('19.03', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6) and docker_has_buildx
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/tests/options.yml
new file mode 100644
index 00000000..c5008e40
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/tasks/tests/options.yml
@@ -0,0 +1,300 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    iname: "{{ name_prefix ~ '-options' }}"
+
+- name: Registering image name
+  ansible.builtin.set_fact:
+    inames: "{{ inames + [iname] }}"
+
+####################################################################
+## args ############################################################
+####################################################################
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- name: buildargs
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "ArgsDockerfile"
+    args:
+      IMAGE: "{{ docker_test_image_busybox }}"
+      TEST1: val1
+      TEST2: val2
+      TEST3: "True"
+    pull: false
+  register: buildargs_1
+
+- name: buildargs (idempotency)
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "ArgsDockerfile"
+    args:
+      IMAGE: "{{ docker_test_image_busybox }}"
+      TEST1: val1
+      TEST2: val2
+      TEST3: "True"
+    pull: false
+  register: buildargs_2
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - buildargs_1 is changed
+      - buildargs_2 is not changed
+
+####################################################################
+## dockerfile ######################################################
+####################################################################
+
+- name: dockerfile
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "MyDockerfile"
+    pull: false
+  register: dockerfile_1
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - dockerfile_1 is changed
+      - "('FROM ' ~ docker_test_image_alpine) in dockerfile_1.stderr"
+      - dockerfile_1['image']['Config']['WorkingDir'] == '/newdata'
+
+####################################################################
+## platform ########################################################
+####################################################################
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- name: platform
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    platform: linux
+    pull: false
+  register: platform_1
+
+- name: platform (idempotency)
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    platform: linux
+    pull: false
+  register: platform_2
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - platform_1 is changed
+      - platform_2 is not changed
+
+####################################################################
+## target ##########################################################
+####################################################################
+
+- name: Build multi-stage image
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "StagedDockerfile"
+    target: first
+    pull: false
+  register: dockerfile_2
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - dockerfile_2 is changed
+      - dockerfile_2.image.Config.WorkingDir == '/first'
+
+####################################################################
+## etc_hosts #######################################################
+####################################################################
+
+- name: Build image with custom etc_hosts
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "EtcHostsDockerfile"
+    pull: false
+    etc_hosts:
+      some-custom-host: "127.0.0.1"
+  register: path_1
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - path_1 is changed
+
+####################################################################
+## shm_size ########################################################
+####################################################################
+
+- name: Build image with custom shm_size
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "MyDockerfile"
+    pull: false
+    shm_size: 128MB
+  register: path_1
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- ansible.builtin.assert:
+    that:
+      - path_1 is changed
+
+####################################################################
+## labels ##########################################################
+####################################################################
+
+- name: Build image with labels
+  community.docker.docker_image_build:
+    name: "{{ iname }}"
+    path: "{{ remote_tmp_dir }}/files"
+    dockerfile: "MyDockerfile"
+    pull: false
+    labels:
+      FOO: BAR
+      this is a label: this is the label's value
+  register: labels_1
+
+- name: cleanup
+  community.docker.docker_image_remove:
+    name: "{{ iname }}"
+
+- name: Show image information
+  ansible.builtin.debug:
+    var: labels_1.image
+
+- ansible.builtin.assert:
+    that:
+      - labels_1 is changed
+      - labels_1.image.Config.Labels.FOO == 'BAR'
+      - labels_1.image.Config.Labels["this is a label"] == "this is the label's value"
+
+####################################################################
+## secrets #########################################################
+####################################################################
+
+- name: Generate secret
+  ansible.builtin.set_fact:
+    docker_image_build_secret_value: this is my secret {{ '%0x' % ((2**32) | random) }}
+
+- when: buildx_version is version('0.6.0', '>=')
+  block:
+    - name: Build image with secrets via environment variables
+      community.docker.docker_image_build:
+        name: "{{ iname }}"
+        path: "{{ remote_tmp_dir }}/files"
+        dockerfile: "SecretsDockerfile"
+        pull: false
+        secrets:
+          - id: my-awesome-secret
+            type: value
+            value: '{{ docker_image_build_secret_value }}'
+        nocache: true  # using a cache can result in the output step being CACHED
+      register: secrets_1
+
+    - name: cleanup
+      community.docker.docker_image_remove:
+        name: "{{ iname }}"
+
+    - name: Show image information
+      ansible.builtin.debug:
+        var: secrets_1.stderr_lines
+
+    - ansible.builtin.assert:
+        that:
+          - secrets_1 is changed
+          - (docker_image_build_secret_value | b64encode) in secrets_1.stderr
+
+####################################################################
+## outputs #########################################################
+####################################################################
+
+- when: buildx_version is version('0.13.0', '>=')
+  block:
+    - name: Make sure the image is not there
+      community.docker.docker_image_remove:
+        name: "{{ iname }}"
+
+    - name: Make sure the image tarball is not there
+      ansible.builtin.file:
+        path: "{{ remote_tmp_dir }}/container.tar"
+        state: absent
+
+    - name: Build image with outputs
+      community.docker.docker_image_build:
+        name: "{{ iname }}"
+        path: "{{ remote_tmp_dir }}/files"
+        dockerfile: "Dockerfile"
+        pull: false
+        outputs:
+          - type: tar
+            dest: "{{ remote_tmp_dir }}/container.tar"
+      ignore_errors: true
+      register: outputs_1
+
+    - when: outputs_1 is not failed
+      block:
+        - name: cleanup (should be changed)
+          community.docker.docker_image_remove:
+            name: "{{ iname }}"
+          register: outputs_1_cleanup
+
+        - name: Gather information on tarball
+          ansible.builtin.stat:
+            path: "{{ remote_tmp_dir }}/container.tar"
+          register: outputs_1_stat
+
+        - name: Show image information
+          ansible.builtin.debug:
+            var: outputs_1.image
+
+        - name: Show tarball information
+          ansible.builtin.debug:
+            var: outputs_1_stat.stat
+
+        - ansible.builtin.assert:
+            that:
+              - outputs_1 is changed
+              - outputs_1.image | length > 0
+              - outputs_1_cleanup is changed
+              - outputs_1_stat.stat.exists
+
+    - when: outputs_1 is failed
+      ansible.builtin.assert:
+        that:
+          - >-
+            'ERROR: multiple outputs currently unsupported by the current BuildKit daemon' in outputs_1.stderr
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/ArgsDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/ArgsDockerfile
new file mode 100644
index 00000000..dedd88a8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/ArgsDockerfile
@@ -0,0 +1,13 @@
+# Copyright (c) 2022, Felix Fontein
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+ARG IMAGE
+ARG TEST1
+ARG TEST2
+ARG TEST3
+
+FROM ${IMAGE}
+ENV foo /bar
+WORKDIR ${foo}
+RUN echo "${TEST1} - ${TEST2} - ${TEST3}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/Dockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/Dockerfile
new file mode 100644
index 00000000..286094b9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/Dockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }}
+ENV foo /bar
+WORKDIR ${foo}
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/EtcHostsDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/EtcHostsDockerfile
new file mode 100644
index 00000000..bc21b966
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/EtcHostsDockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }}
+# This should fail building if docker cannot resolve some-custom-host
+RUN ping -c1 some-custom-host
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/MyDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/MyDockerfile
new file mode 100644
index 00000000..24b1c926
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/MyDockerfile
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_alpine }}
+ENV INSTALL_PATH /newdata
+RUN mkdir -p $INSTALL_PATH
+
+WORKDIR $INSTALL_PATH
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/SecretsDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/SecretsDockerfile
new file mode 100644
index 00000000..31bec826
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/SecretsDockerfile
@@ -0,0 +1,7 @@
+# Copyright (c) 2024, Felix Fontein
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }}
+RUN --mount=type=secret,id=my-awesome-secret \
+    cat /run/secrets/my-awesome-secret | base64
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/StagedDockerfile b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/StagedDockerfile
new file mode 100644
index 00000000..da225342
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_build/templates/StagedDockerfile
@@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+FROM {{ docker_test_image_busybox }} AS first
+ENV dir /first
+WORKDIR ${dir}
+
+FROM {{ docker_test_image_busybox }} AS second
+ENV dir /second
+WORKDIR ${dir}
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/meta/main.yml
new file mode 100644
index 00000000..f5b89789
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/test.yml
new file mode 100644
index 00000000..63f8c04c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/test.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/tests/basic.yml
new file mode 100644
index 00000000..45345673
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_export/tasks/tests/basic.yml
@@ -0,0 +1,73 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.set_fact:
+    image_names:
+      - "{{ docker_test_image_hello_world }}"
+      - "{{ docker_test_image_simple_1 }}"
+      - "{{ docker_test_image_simple_2 }}"
+
+- name: Make sure images are there
+  community.docker.docker_image_pull:
+    name: "{{ item }}"
+  register: images
+  loop: "{{ image_names }}"
+
+- vars:
+    image_ids: "{{ images.results | map(attribute='image') | map(attribute='Id') | list }}"
+    all_images: "{{ image_names + (images.results | map(attribute='image') | map(attribute='Id') | list) }}"
+    image_tasks:
+      - file: archive-1.tar
+        images: "{{ image_names }}"
+      - file: archive-2.tar
+        images: "{{ image_ids }}"
+      - file: archive-3.tar
+        images:
+          - "{{ image_names[0] }}"
+          - "{{ image_ids[1] }}"
+      - file: archive-4.tar
+        images:
+          - "{{ image_ids[0] }}"
+          - "{{ image_names[0] }}"
+      - file: archive-5.tar
+        images:
+          - "{{ image_ids[0] }}"
+
+  block:
+    - name: Create archives
+      community.docker.docker_image_export:
+        names: "{{ item.images }}"
+        path: "{{ remote_tmp_dir }}/{{ item.file }}"
+      loop: "{{ image_tasks }}"
+      loop_control:
+        label: "{{ item.file }}"
+      register: result
+
+    - name: Extract manifest.json files
+      ansible.builtin.command: tar xvf "{{ remote_tmp_dir }}/{{ item.file }}" manifest.json --to-stdout  # noqa: command-instead-of-module
+      loop: "{{ image_tasks }}"
+      loop_control:
+        label: "{{ item.file }}"
+      register: manifests
+
+    - name: Do basic tests
+      ansible.builtin.assert:
+        that:
+          - item.0.images | length == item.1 | length
+          - item.1 | unique | length == item.2 | length
+          - manifest_json_images == export_image_ids
+      loop: "{{ image_tasks | zip(export_images, manifests_json) }}"
+      loop_control:
+        label: "{{ item.0.file }}"
+      vars:
+        filenames: "{{ image_tasks | map(attribute='file') }}"
+        export_images: "{{ result.results | map(attribute='images') | map('map', attribute='Id') }}"
+        manifests_json: "{{ manifests.results | map(attribute='stdout') | map('from_json') }}"
+        manifest_json_images: "{{ item.2 | map(attribute='Config') | map('regex_replace', '.json$', '') | map('regex_replace', '^blobs/sha256/', '') | sort }}"
+        export_image_ids: "{{ item.1 | map('regex_replace', '^sha256:', '') | unique | sort }}"
+      when: docker_cli_version is version("29.0.0", "<")
+      # Apparently idempotency no longer works with the default storage backend
+      # in Docker 29.0.0.
+      # https://github.com/ansible-collections/community.docker/pull/1199
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/tasks/main.yml
new file mode 100644
index 00000000..ca189363
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_info/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Make sure image is not there
+      community.docker.docker_image_remove:
+        name: "{{ docker_test_image_alpine_different }}"
+
+    - name: Inspect a non-available image
+      community.docker.docker_image_info:
+        name: "{{ docker_test_image_alpine_different }}"
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - "result.images|length == 0"
+
+    - name: Make sure images are there
+      community.docker.docker_image_pull:
+        name: "{{ item }}"
+      loop:
+        - "{{ docker_test_image_hello_world }}"
+        - "{{ docker_test_image_alpine }}"
+
+    - name: Inspect an available image
+      community.docker.docker_image_info:
+        name: "{{ docker_test_image_hello_world }}"
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - "result.images|length == 1"
+          - "docker_test_image_hello_world in result.images[0].RepoTags"
+
+    - name: Inspect multiple images
+      community.docker.docker_image_info:
+        name:
+          - "{{ docker_test_image_hello_world }}"
+          - "{{ docker_test_image_alpine }}"
+      register: result
+
+    - ansible.builtin.debug: var=result
+
+    - ansible.builtin.assert:
+        that:
+          - "result.images|length == 2"
+          - "docker_test_image_hello_world in result.images[0].RepoTags"
+          - "docker_test_image_alpine in result.images[1].RepoTags"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/meta/main.yml
new file mode 100644
index 00000000..f5b89789
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/test.yml
new file mode 100644
index 00000000..63f8c04c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/test.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/tests/basic.yml
new file mode 100644
index 00000000..3748c55d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_load/tasks/tests/basic.yml
@@ -0,0 +1,247 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.set_fact:
+    image_names:
+      - "{{ docker_test_image_hello_world }}"
+      - "{{ docker_test_image_simple_1 }}"
+      - "{{ docker_test_image_simple_2 }}"
+
+- name: Make sure images are there
+  community.docker.docker_image_pull:
+    name: "{{ item }}"
+  register: images
+  loop: "{{ image_names }}"
+
+- name: Compile list of all image names and IDs
+  ansible.builtin.set_fact:
+    image_ids: "{{ images.results | map(attribute='image') | map(attribute='Id') | list }}"
+    all_images: "{{ image_names + (images.results | map(attribute='image') | map(attribute='Id') | list) }}"
+
+- name: Create archives
+  community.docker.docker_image_export:
+    names: "{{ item.images }}"
+    path: "{{ remote_tmp_dir }}/{{ item.file }}"
+  loop:
+    - file: archive-1.tar
+      images: "{{ image_names }}"
+    - file: archive-2.tar
+      images: "{{ image_ids }}"
+    - file: archive-3.tar
+      images:
+        - "{{ image_names[0] }}"
+        - "{{ image_ids[1] }}"
+    - file: archive-4.tar
+      images:
+        - "{{ image_ids[0] }}"
+        - "{{ image_names[0] }}"
+    - file: archive-5.tar
+      images:
+        - "{{ image_ids[0] }}"
+
+# All images by IDs
+
+- name: Remove all images
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+    force: true
+  loop: "{{ all_images }}"
+  ignore_errors: true
+  register: remove_all_images
+
+- name: Prune all containers (if removing failed)
+  community.docker.docker_prune:
+    containers: true
+  when: remove_all_images is failed
+
+- name: Obtain all docker containers and images (if removing failed)
+  ansible.builtin.shell: docker ps -a ; docker images -a
+  when: remove_all_images is failed
+  register: docker_container_image_list
+
+- name: Show all docker containers and images (if removing failed)
+  ansible.builtin.debug:
+    var: docker_container_image_list.stdout_lines
+  when: remove_all_images is failed
+
+- name: Remove all images (after pruning)
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+    force: true
+  loop: "{{ all_images }}"
+  when: remove_all_images is failed
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Load all images (IDs)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-2.tar"
+  register: result
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result is changed
+      - result.image_names | sort == image_ids | sort
+      - result.image_names | length == result.images | length
+
+- name: Load all images (IDs, should be same result)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-2.tar"
+  register: result_2
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result_2.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result_2 is changed
+      - result_2.image_names | sort == image_ids | sort
+      - result_2.image_names | length == result_2.images | length
+
+# Mixed images and IDs
+
+- name: Remove all images
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+  loop: "{{ all_images }}"
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Load all images (mixed images and IDs)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-3.tar"
+  register: result
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Print loading log
+  ansible.builtin.debug:
+    var: result.stdout_lines
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result is changed
+      # For some reason, *sometimes* only the named image is found; in fact, in that case, the log only mentions that image and nothing else
+      # With Docker 29, a third possibility appears: just two entries.
+      - >-
+        result.images | length == 3
+        or ('Loaded image: ' ~ docker_test_image_hello_world) == result.stdout
+        or result.images | length == 2
+      - (result.image_names | sort) in [[image_names[0], image_ids[0], image_ids[1]] | sort, [image_names[0], image_ids[1]] | sort, [image_names[0]]]
+      - result.images | length in [1, 2, 3]
+      - (result.images | map(attribute='Id') | sort) in [[image_ids[0], image_ids[0], image_ids[1]] | sort, [image_ids[0], image_ids[1]] | sort, [image_ids[0]]]
+
+# Same image twice
+
+- name: Remove all images
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+  loop: "{{ all_images }}"
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Load all images (same image twice)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-4.tar"
+  register: result
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result is changed
+      - result.image_names | length in [1, 2]
+      - (result.image_names | sort) in [[image_names[0]], [image_names[0], image_ids[0]] | sort]
+      - result.images | length in [1, 2]
+      - result.images[0].Id == image_ids[0]
+      - result.images[1].Id | default(image_ids[0]) == image_ids[0]
+
+# Single image by ID
+
+- name: Remove all images
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+  loop: "{{ all_images }}"
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Load all images (single image by ID)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-5.tar"
+  register: result
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result is changed
+      - result.image_names | length == 1
+      - result.image_names[0] == image_ids[0]
+      - result.images | length == 1
+      - result.images[0].Id == image_ids[0]
+
+- name: Try to get image info by name
+  community.docker.docker_image_info:
+    name: "{{ image_names[0] }}"
+  register: result
+
+- name: Make sure that image does not exist by name
+  ansible.builtin.assert:
+    that:
+      - result.images | length == 0
+
+# All images by names
+
+- name: Remove all images
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+  loop: "{{ all_images }}"
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Load all images (names)
+  community.docker.docker_image_load:
+    path: "{{ remote_tmp_dir }}/archive-1.tar"
+  register: result
+
+- name: Show all images
+  ansible.builtin.command: docker image ls
+
+- name: Print loaded image names
+  ansible.builtin.debug:
+    var: result.image_names
+
+- ansible.builtin.assert:
+    that:
+      - result.image_names | sort == image_names | sort
+      - result.image_names | length == result.images | length
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/meta/main.yml
new file mode 100644
index 00000000..ff316450
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_registry
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/test.yml
new file mode 100644
index 00000000..63f8c04c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/test.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/basic.yml
new file mode 100644
index 00000000..7bb8daa0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/basic.yml
@@ -0,0 +1,203 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Basic pull tests
+  vars:
+    image_name: "{{ docker_test_image_simple_1 }}"
+  block:
+    - name: Make sure image is not there
+      community.docker.docker_image_remove:
+        name: "{{ image_name }}"
+        force: true
+
+    - name: Pull image (check mode)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+      register: present_1_check
+      check_mode: true
+
+    - ansible.builtin.debug:
+        var: present_1_check.diff
+
+    - name: Pull image
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+      register: present_1
+
+    - ansible.builtin.debug:
+        var: present_1.diff
+
+    - name: Pull image (idempotent 1, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+        pull: always
+      register: present_2_check
+      check_mode: true
+
+    - ansible.builtin.debug:
+        var: present_2_check.diff
+
+    - name: Pull image (idempotent 1)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+        pull: always
+      register: present_2
+
+    - ansible.builtin.debug:
+        var: present_2.diff
+
+    - name: Pull image (change, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: arm64
+        pull: always
+      register: present_3_check
+      check_mode: true
+
+    - ansible.builtin.debug:
+        var: present_3_check.diff
+
+    - name: Pull image (change)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: arm64
+        pull: always
+      register: present_3
+
+    - ansible.builtin.debug:
+        var: present_3.diff
+
+    - name: Pull image (idempotent 2, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: arm64
+        pull: not_present
+      register: present_4_check
+      check_mode: true
+
+    - ansible.builtin.debug:
+        var: present_4_check.diff
+
+    - name: Pull image (idempotent 2)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: arm64
+        pull: not_present
+      register: present_4
+
+    - ansible.builtin.debug:
+        var: present_4.diff
+
+    - name: Pull image (change, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+        pull: not_present
+      register: present_5_check
+      check_mode: true
+
+    - ansible.builtin.debug:
+        var: present_5_check.diff
+
+    - name: Pull image (change)
+      community.docker.docker_image_pull:
+        name: "{{ image_name }}"
+        platform: amd64
+        pull: not_present
+      register: present_5
+
+    - ansible.builtin.debug:
+        var: present_5.diff
+
+    - ansible.builtin.assert:
+        that:
+          - present_1_check is changed
+          - present_1_check.actions | length == 1
+          - present_1_check.actions[0] == ('Pulled image ' ~ image_name)
+          - present_1_check.diff.before.exists is false
+          - present_1_check.diff.after.id == 'unknown'
+          - present_1 is changed
+          - present_1.actions | length == 1
+          - present_1.actions[0] == ('Pulled image ' ~ image_name)
+          - present_1.diff.before.exists is false
+          - present_1.diff.after.id is string
+          - present_2_check is changed
+          - present_2_check.actions | length == 1
+          - present_2_check.actions[0] == ('Pulled image ' ~ image_name)
+          - present_2_check.diff.before.id == present_1.diff.after.id
+          - present_2_check.diff.after.id == 'unknown'
+          - present_2 is not changed
+          - present_2.actions | length == 1
+          - present_2.actions[0] == ('Pulled image ' ~ image_name)
+          - present_2.diff.before.id == present_1.diff.after.id
+          - present_2.diff.after.id == present_1.diff.after.id
+          - present_3_check is changed
+          - present_3_check.actions | length == 1
+          - present_3_check.actions[0] == ('Pulled image ' ~ image_name)
+          - present_3_check.diff.before.id == present_1.diff.after.id
+          - present_3_check.diff.after.id == 'unknown'
+    - ansible.builtin.assert:
+        that:
+          - present_3 is changed
+          - present_3.actions | length == 1
+          - present_3.actions[0] == ('Pulled image ' ~ image_name)
+          - present_3.diff.before.id == present_1.diff.after.id
+          - present_3.diff.after.id != present_1.diff.after.id
+          - present_3.diff.after.id is string
+          - present_4_check is not changed
+          - present_4_check.actions | length == 0
+          - present_4_check.diff.before.id == present_3.diff.after.id
+          - present_4_check.diff.after.id == present_3.diff.after.id
+          - present_4 is not changed
+          - present_4.actions | length == 0
+          - present_4.diff.before.id == present_3.diff.after.id
+          - present_4.diff.after.id == present_3.diff.after.id
+          - present_5_check is changed
+          - present_5_check.actions | length == 1
+          - present_5_check.actions[0] == ('Pulled image ' ~ image_name)
+          - present_5_check.diff.before.id == present_3.diff.after.id
+          - present_5_check.diff.after.id == 'unknown'
+          - present_5 is changed
+          - present_5.actions | length == 1
+          - present_5.actions[0] == ('Pulled image ' ~ image_name)
+          - present_5.diff.before.id == present_3.diff.after.id
+          - present_5.diff.after.id == present_1.diff.after.id
+      when: docker_cli_version is version("29.0.0", "<")
+      # From Docker 29 on, Docker won't pull images for other architectures
+      # if there are better matching ones. The above tests assume it will
+      # just do what it is told, and thus fail from 29.0.0 on.
+      # https://github.com/ansible-collections/community.docker/pull/1199
+
+  always:
+    - name: cleanup
+      community.docker.docker_image_remove:
+        name: "{{ image_name }}"
+        force: true
+
+- name: Pull image ID (must fail)
+  community.docker.docker_image_pull:
+    name: "{{ present_1.image.Id }}"
+  register: fail_1
+  ignore_errors: true
+
+- name: Pull invalid tag (must fail)
+  community.docker.docker_image_pull:
+    name: "{{ docker_test_image_hello_world }}"
+    tag: foo/bar
+  register: fail_2
+  ignore_errors: true
+
+- ansible.builtin.assert:
+    that:
+      - fail_1 is failed
+      - >-
+        'Cannot pull an image by ID' == fail_1.msg
+      - fail_2 is failed
+      - >-
+        '"foo/bar" is not a valid docker tag!' == fail_2.msg
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml
new file mode 100644
index 00000000..59c3d180
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/image-ids.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Image ID  pull tests
+  block:
+    - name: Make sure images are not there
+      community.docker.docker_image_remove:
+        name: "sha256:{{ item }}"
+        force: true
+      loop: "{{ docker_test_image_digest_v1_image_ids + docker_test_image_digest_v2_image_ids }}"
+
+    - name: Pull image 1
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+      register: present_1
+      diff: true
+
+    - name: Pull image 1 (idempotent, do pull)
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+        pull: always
+      register: present_2
+      diff: true
+
+    - name: Pull image 1 (idempotent, do not pull)
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+        pull: not_present
+      register: present_3
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - present_1 is changed
+          - present_1.actions | length == 1
+          - present_1.actions[0] == ('Pulled image ' ~ docker_test_image_digest_base ~ ':sha256:' ~ docker_test_image_digest_v1)
+          - present_1.diff.before.exists is false
+          - present_1.diff.after.id is string
+          - present_2 is not changed
+          - present_2.actions | length == 1
+          - present_2.actions[0] == ('Pulled image ' ~ docker_test_image_digest_base ~ ':sha256:' ~ docker_test_image_digest_v1)
+          - present_2.diff.before.id == present_1.diff.after.id
+          - present_2.diff.after.id == present_1.diff.after.id
+          - present_3 is not changed
+          - present_3.actions | length == 0
+          - present_3.diff.before.id == present_1.diff.after.id
+          - present_3.diff.after.id == present_1.diff.after.id
+
+    - name: Pull image 2 (check mode)
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v2 }}"
+        pull: always
+      register: present_4
+      diff: true
+      check_mode: true
+
+    - name: Pull image 2
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v2 }}"
+        pull: always
+      register: present_5
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - present_4 is changed
+          - present_4.actions | length == 1
+          - present_4.actions[0] == ('Pulled image ' ~ docker_test_image_digest_base ~ ':sha256:' ~ docker_test_image_digest_v2)
+          - present_4.diff.before.exists is false
+          - present_4.diff.after.id == 'unknown'
+          - present_5 is changed
+          - present_5.actions | length == 1
+          - present_5.actions[0] == ('Pulled image ' ~ docker_test_image_digest_base ~ ':sha256:' ~ docker_test_image_digest_v2)
+          - present_5.diff.before.exists is false
+          - present_5.diff.after.id != present_1.diff.after.id
+          - present_5.diff.after.id is string
+
+  always:
+    - name: cleanup
+      community.docker.docker_image_remove:
+        name: "sha256:{{ item }}"
+        force: true
+      loop: "{{ docker_test_image_digest_v1_image_ids + docker_test_image_digest_v2_image_ids }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/registry.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/registry.yml
new file mode 100644
index 00000000..0c3e49f9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_pull/tasks/tests/registry.yml
@@ -0,0 +1,126 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run registry tests only when registry is present
+  when: registry_address is defined
+  block:
+    - name: Registering image name
+      ansible.builtin.set_fact:
+        iname: "{{ name_prefix ~ '-options' }}"
+
+    - name: Determining pushed image names
+      ansible.builtin.set_fact:
+        hello_world_image_base: "{{ registry_address }}/test/hello-world"
+
+    - name: Registering image name
+      ansible.builtin.set_fact:
+        inames: "{{ inames + [iname, hello_world_image_base ~ ':latest'] }}"
+
+    - name: Make sure image is not there
+      community.docker.docker_image_remove:
+        name: "{{ hello_world_image_base }}:latest"
+        force: true
+
+    - name: Make sure we have {{ docker_test_image_hello_world }}
+      community.docker.docker_image_pull:
+        name: "{{ docker_test_image_hello_world }}"
+      diff: true
+
+    - name: Tag image
+      community.docker.docker_image_tag:
+        name: "{{ docker_test_image_hello_world }}"
+        repository:
+          - "{{ hello_world_image_base }}:latest"
+
+    - name: Push image to test registry
+      community.docker.docker_image_push:
+        name: "{{ hello_world_image_base }}:latest"
+
+    - name: Get facts of local image
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_1
+
+    - name: Make sure image is not there
+      community.docker.docker_image_remove:
+        name: "{{ hello_world_image_base }}:latest"
+        force: true
+
+    - name: Get facts of local image (not there)
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_2
+
+    - name: Pull image from test registry (check mode)
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+      register: pull_1_check
+      diff: true
+      check_mode: true
+
+    - name: Pull image from test registry
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+      register: pull_1
+      diff: true
+
+    - name: Pull image from test registry (idempotency, not pulling, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+        pull: not_present
+      register: pull_2_check
+      diff: true
+      check_mode: true
+
+    - name: Pull image from test registry (idempotency, not pulling)
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+        pull: not_present
+      register: pull_2
+      diff: true
+
+    - name: Pull image from test registry (idempotency, pulling, check mode)
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+        pull: always
+      register: pull_3_check
+      diff: true
+      check_mode: true
+
+    - name: Pull image from test registry (idempotency, pulling)
+      community.docker.docker_image_pull:
+        name: "{{ hello_world_image_base }}:latest"
+        pull: always
+      register: pull_3
+      diff: true
+
+    - name: Get facts of local image (present)
+      community.docker.docker_image_info:
+        name: "{{ hello_world_image_base }}:latest"
+      register: facts_3
+
+    - ansible.builtin.assert:
+        that:
+          - pull_1_check is changed
+          - pull_1_check.diff.before.exists is false
+          - pull_1_check.diff.after.id == 'unknown'
+          - pull_1 is changed
+          - pull_1.diff.before.exists is false
+          - pull_1.diff.after.id == facts_1.images[0].Id
+          - pull_2_check is not changed
+          - pull_2_check.diff.before.id == facts_1.images[0].Id
+          - pull_2_check.diff.before == pull_2.diff.after
+          - pull_2 is not changed
+          - pull_2.diff.before.id == facts_1.images[0].Id
+          - pull_2.diff.before == pull_2.diff.after
+          - pull_3_check is changed
+          - pull_3_check.diff.before.id == facts_1.images[0].Id
+          - pull_3_check.diff.after.id == 'unknown'
+          - pull_3 is not changed
+          - pull_3.diff.before.id == facts_1.images[0].Id
+          - pull_3.diff.before == pull_2.diff.after
+          - facts_1.images | length == 1
+          - facts_2.images | length == 0
+          - facts_3.images | length == 1
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/meta/main.yml
new file mode 100644
index 00000000..ff316450
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_registry
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/test.yml
new file mode 100644
index 00000000..63f8c04c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/test.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    inames: []
+    cnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all images are removed"
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      with_items: "{{ inames }}"
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      with_items: "{{ cnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/basic.yml
new file mode 100644
index 00000000..5f780f85
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/basic.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- vars:
+    image_name: registry.example.com:5000/foo/bar:baz
+  block:
+    - name: Make sure image is not present
+      community.docker.docker_image_remove:
+        name: "{{ image_name }}"
+
+    - name: Push non-existing image (must fail)
+      community.docker.docker_image_push:
+        name: "{{ image_name }}"
+      register: fail_1
+      ignore_errors: true
+
+    - name: Push image ID (must fail)
+      community.docker.docker_image_push:
+        name: "sha256:{{ docker_test_image_digest_v1_image_ids[0] }}"
+      register: fail_2
+      ignore_errors: true
+
+    - name: Push image with digest (must fail)
+      community.docker.docker_image_push:
+        name: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+      register: fail_3
+      ignore_errors: true
+
+    - name: Push invalid tag (must fail)
+      community.docker.docker_image_push:
+        name: "{{ docker_test_image_hello_world }}"
+        tag: foo/bar
+      register: fail_4
+      ignore_errors: true
+
+    - name: Push invalid tag 2 (must fail)
+      community.docker.docker_image_push:
+        name: "{{ docker_test_image_digest_base }}:foo bar"
+      register: fail_5
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - fail_1 is failed
+          - >-
+            'Cannot find image registry.example.com:5000/foo/bar:baz' == fail_1.msg
+          - fail_2 is failed
+          - >-
+            'Cannot push an image by ID' == fail_2.msg
+          - fail_3 is failed
+          - >-
+            'Cannot push an image by digest' == fail_3.msg
+          - fail_4 is failed
+          - >-
+            '"foo/bar" is not a valid docker tag!' == fail_4.msg
+          - fail_5 is failed
+          - >-
+            '"foo bar" is not a valid docker tag!' == fail_5.msg
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/registry.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/registry.yml
new file mode 100644
index 00000000..b46d7c71
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_push/tasks/tests/registry.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run registry tests only when registry is present
+  when: registry_address is defined
+  block:
+    - name: Pull images
+      community.docker.docker_image_pull:
+        name: "{{ item }}"
+      loop:
+        - "{{ docker_test_image_hello_world }}"
+        - "{{ docker_test_image_alpine }}"
+      register: pulled_images
+
+    - name: Determining pushed image names
+      ansible.builtin.set_fact:
+        image_name_base: "{{ registry_address }}/test/{{ name_prefix }}"
+        image_name_base2: "{{ registry_frontend2_address }}/test/{{ name_prefix }}"
+        image_tag: latest
+
+    - name: Registering image name
+      ansible.builtin.set_fact:
+        inames: "{{ inames + [image_name_base ~ ':' ~ image_tag, image_name_base2 ~ ':' ~ image_tag] }}"
+
+    - name: Tag first image
+      community.docker.docker_image_tag:
+        name: "{{ docker_test_image_hello_world }}"
+        repository:
+          - "{{ image_name_base }}:{{ image_tag }}"
+          - "{{ image_name_base2 }}:{{ image_tag }}"
+
+    - name: Push first image
+      community.docker.docker_image_push:
+        name: "{{ image_name_base }}:{{ image_tag }}"
+      register: push_1
+
+    - name: Push first image (idempotent)
+      community.docker.docker_image_push:
+        name: "{{ image_name_base }}:{{ image_tag }}"
+      register: push_2
+
+    - name: Tag second image
+      community.docker.docker_image_tag:
+        name: "{{ docker_test_image_alpine }}"
+        repository:
+          - "{{ image_name_base }}:{{ image_tag }}"
+
+    - name: Push second image with same name
+      community.docker.docker_image_push:
+        name: "{{ image_name_base }}:{{ image_tag }}"
+      register: push_3
+
+    - ansible.builtin.assert:
+        that:
+          - push_1 is changed
+          - push_1.image.Id == pulled_images.results[0].image.Id
+          - push_2 is not changed
+          - push_2.image.Id == pulled_images.results[0].image.Id
+          - push_3 is changed
+          - push_3.image.Id == pulled_images.results[1].image.Id
+
+    - when: registry_frontend2_address != 'n/a'
+      block:
+        - name: Make sure we are logged out from registry
+          community.docker.docker_login:
+            registry_url: "{{ registry_frontend2_address }}"
+            username: testuser
+            password: hunter2
+            state: absent
+
+        - name: Push image (unauthenticated)
+          community.docker.docker_image_push:
+            name: "{{ image_name_base2 }}:{{ image_tag }}"
+          register: push_4
+          ignore_errors: true
+
+        - ansible.builtin.assert:
+            that:
+              - push_4 is failed
+              - >-
+                push_4.msg.startswith('Error pushing image ' ~ image_name_base2 ~ ':' ~ image_tag ~ ': ')
+              - >-
+                push_4.msg.endswith(': no basic auth credentials')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/tasks/main.yml
new file mode 100644
index 00000000..1a9df982
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_remove/tasks/main.yml
@@ -0,0 +1,306 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- vars:
+    image: "{{ docker_test_image_hello_world }}"
+    image_ids: "{{ docker_test_image_hello_world_image_ids }}"
+  block:
+    - name: Pick image prefix
+      ansible.builtin.set_fact:
+        iname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Define image names
+      ansible.builtin.set_fact:
+        image_names:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+
+    - name: Remove image complete
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+        force: true
+      loop: "{{ image_ids }}"
+
+    - name: Remove tagged images
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      loop: "{{ image_names }}"
+
+    - name: Make sure image we work with is there
+      community.docker.docker_image_pull:
+        name: "{{ image }}"
+      register: pulled_image
+      diff: true
+
+    - name: Remove tagged image (not there, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_1_check
+      check_mode: true
+      diff: true
+
+    - name: Remove tagged image (not there)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_1
+      diff: true
+
+    - name: Inspect image
+      community.docker.docker_image_info:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: info_1
+
+    - ansible.builtin.assert:
+        that:
+          - remove_1_check is not changed
+          - remove_1_check.diff == remove_1.diff
+          - remove_1 is not changed
+          - remove_1.diff.before.exists is false
+          - remove_1.diff.after.exists is false
+          - remove_1.deleted | length == 0
+          - remove_1.untagged | length == 0
+          - remove_1_check.deleted == remove_1.deleted
+          - remove_1_check.untagged == remove_1.untagged
+          - info_1.images | length == 0
+
+    - name: Tag image 1
+      community.docker.docker_image_tag:
+        name: "{{ image }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+
+    - name: Remove tagged image (check mode)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_2_check
+      check_mode: true
+      diff: true
+
+    - name: Remove tagged image
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_2
+      diff: true
+
+    - name: Inspect image
+      community.docker.docker_image_info:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: info_2
+
+    - ansible.builtin.assert:
+        that:
+          - remove_2_check is changed
+          - remove_2_check.diff == remove_2.diff
+          - remove_2 is changed
+          - remove_2.diff.before.id == pulled_image.image.Id
+          - remove_2.diff.before.tags | length == 4
+          # With Docker 29, there are now two digests in before and after:
+          - remove_2.diff.before.digests | length in [1, 2]
+          - remove_2.diff.after.id == pulled_image.image.Id
+          - remove_2.diff.after.tags | length == 3
+          - remove_2.diff.after.digests | length in [1, 2]
+          - remove_2.deleted | length == 0
+          - remove_2.untagged | length == 1
+          - remove_2.untagged[0] == (iname_prefix ~ '-tagged-1:latest')
+          - remove_2_check.deleted == remove_2.deleted
+          - remove_2_check.untagged == remove_2.untagged
+          - info_2.images | length == 0
+
+    - name: Remove tagged image (idempotent, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_3_check
+      check_mode: true
+      diff: true
+
+    - name: Remove tagged image (idempotent)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:latest"
+      register: remove_3
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - remove_3_check is not changed
+          - remove_3_check.diff == remove_3.diff
+          - remove_3 is not changed
+          - remove_3.diff.before.exists is false
+          - remove_3.diff.after.exists is false
+          - remove_3.deleted | length == 0
+          - remove_3.untagged | length == 0
+          - remove_3_check.deleted == remove_3.deleted
+          - remove_3_check.untagged == remove_3.untagged
+
+    - name: Inspect image with tag foo and bar
+      community.docker.docker_image_info:
+        name:
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: info_3
+
+    - name: Remove tagged image (force, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:foo"
+        force: true
+      register: remove_4_check
+      check_mode: true
+      diff: true
+
+    - name: Remove tagged image (force)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:foo"
+        force: true
+      register: remove_4
+      diff: true
+
+    - name: Inspect image with tag foo and bar
+      community.docker.docker_image_info:
+        name:
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: info_4
+
+    - ansible.builtin.assert:
+        that:
+          - remove_4_check is changed
+          - remove_4_check.diff == remove_4.diff
+          - remove_4 is changed
+          - remove_4.diff.before.id == pulled_image.image.Id
+          - remove_4.diff.before.tags | length == 3
+          # With Docker 29, there are now two digests in before and after:
+          - remove_4.diff.before.digests | length in [1, 2]
+          - remove_4.diff.after.id == pulled_image.image.Id
+          - remove_4.diff.after.tags | length == 2
+          - remove_4.diff.after.digests | length in [1, 2]
+          - remove_4.deleted | length == 0
+          - remove_4.untagged | length == 1
+          - remove_4.untagged[0] == (iname_prefix ~ '-tagged-1:foo')
+          - remove_4_check.deleted == remove_4.deleted
+          - remove_4_check.untagged == remove_4.untagged
+          - info_3.images | length == 2
+          - info_3.images[0].Id == pulled_image.image.Id
+          - info_3.images[1].Id == pulled_image.image.Id
+          - info_4.images | length == 1
+          - info_4.images[0].Id == pulled_image.image.Id
+
+    - name: Remove image ID (force, idempotent, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:foo"
+        force: true
+      register: remove_5_check
+      check_mode: true
+      diff: true
+
+    - name: Remove image ID (force, idempotent)
+      community.docker.docker_image_remove:
+        name: "{{ iname_prefix }}-tagged-1:foo"
+        force: true
+      register: remove_5
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - remove_5_check is not changed
+          - remove_5_check.diff == remove_5.diff
+          - remove_5 is not changed
+          - remove_5.diff.before.exists is false
+          - remove_5.diff.after.exists is false
+          - remove_5.deleted | length == 0
+          - remove_5.untagged | length == 0
+          - remove_5_check.deleted == remove_5.deleted
+          - remove_5_check.untagged == remove_5.untagged
+
+    - name: Remove image ID (force, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ pulled_image.image.Id }}"
+        force: true
+      register: remove_6_check
+      check_mode: true
+      diff: true
+
+    - name: Remove image ID (force)
+      community.docker.docker_image_remove:
+        name: "{{ pulled_image.image.Id }}"
+        force: true
+      register: remove_6
+      diff: true
+
+    - name: Inspect image with tag foo and bar
+      community.docker.docker_image_info:
+        name:
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: info_5
+
+    - ansible.builtin.assert:
+        that:
+          - remove_6_check is changed
+          - remove_6_check.diff == remove_6.diff
+          - remove_6 is changed
+          - remove_6.diff.before.id == pulled_image.image.Id
+          - remove_6.diff.before.tags | length == 2
+          # With Docker 29, there are now two digests in before and after:
+          - remove_6.diff.before.digests | length in [1, 2]
+          - remove_6.diff.after.exists is false
+          - remove_6.deleted | length >= 1
+          - pulled_image.image.Id in remove_6.deleted
+          - remove_6.untagged | length in [2, 3]
+          - (iname_prefix ~ '-tagged-1:bar') in remove_6.untagged
+          - image in remove_6.untagged
+          - remove_6_check.deleted | length == 1
+          - remove_6_check.deleted[0] == pulled_image.image.Id
+          # The following is only true for Docker < 29...
+          # We use the CLI version as a proxy...
+          - >-
+            remove_6_check.untagged == remove_6.untagged
+            or
+            docker_cli_version is version("29.0.0", ">=")
+          - info_5.images | length == 0
+
+    - name: Remove image ID (force, idempotent, check mode)
+      community.docker.docker_image_remove:
+        name: "{{ pulled_image.image.Id }}"
+        force: true
+      register: remove_7_check
+      check_mode: true
+      diff: true
+
+    - name: Remove image ID (force, idempotent)
+      community.docker.docker_image_remove:
+        name: "{{ pulled_image.image.Id }}"
+        force: true
+      register: remove_7
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - remove_7_check is not changed
+          - remove_7_check.diff == remove_7.diff
+          - remove_7 is not changed
+          - remove_7.diff.before.exists is false
+          - remove_7.diff.after.exists is false
+          - remove_7.deleted | length == 0
+          - remove_7.untagged | length == 0
+          - remove_7_check.deleted == remove_7.deleted
+          - remove_7_check.untagged == remove_7.untagged
+
+  always:
+    - name: Remove tagged images
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      loop: "{{ image_names }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/tasks/main.yml
new file mode 100644
index 00000000..39ec2cb3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_image_tag/tasks/main.yml
@@ -0,0 +1,402 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Pick image prefix
+      ansible.builtin.set_fact:
+        iname_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Define image names
+      ansible.builtin.set_fact:
+        image_1: "{{ docker_test_image_hello_world }}"
+        image_2: "{{ docker_test_image_alpine }}"
+        image_3: "{{ docker_test_image_digest_base }}@sha256:{{ docker_test_image_digest_v1 }}"
+        image_names:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+          - "{{ iname_prefix }}-tagged-2:baz"
+
+    - name: Make sure images we work with are there
+      community.docker.docker_image_pull:
+        name: "{{ item }}"
+      loop:
+        - "{{ image_1 }}"
+        - "{{ image_2 }}"
+        - "{{ image_3 }}"
+      register: pulled_images
+      diff: true
+
+    - name: Remove tagged images
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      loop: "{{ image_names }}"
+
+    - name: Tag image 1 (check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+      register: tag_1_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 1
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+      register: tag_1
+      diff: true
+
+    - name: Fetch image infos
+      community.docker.docker_image_info:
+        name: "{{ image_names }}"
+      register: info_1
+
+    - ansible.builtin.assert:
+        that:
+          - tag_1 is changed
+          - tag_1.diff.before.images | length == 2
+          - tag_1.diff.before.images[0] != tag_1.diff.after.images[0]
+          - tag_1.diff.before.images[1] != tag_1.diff.after.images[1]
+          - tag_1.diff.before.images[0].exists is false
+          - tag_1.diff.before.images[1].exists is false
+          - tag_1.diff.after.images[0].id == pulled_images.results[0].image.Id
+          - tag_1.diff.after.images[1].id == pulled_images.results[0].image.Id
+          - info_1.images | length == 2
+          - info_1.images[0].Id == pulled_images.results[0].image.Id
+          - info_1.images[1].Id == pulled_images.results[0].image.Id
+          - tag_1_check == tag_1
+
+    - name: Tag image 1 (idempotent, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+      register: tag_2_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 1 (idempotent)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+      register: tag_2
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_2 is not changed
+          - tag_2.diff.before == tag_2.diff.after
+          - tag_2.diff.before.images | length == 2
+          - tag_2_check == tag_2
+
+    - name: Tag image 1 (idempotent, different input format, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        tag: foo
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1"
+      register: tag_3_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 1 (idempotent, different input format)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        tag: foo
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1"
+      register: tag_3
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_3 is not changed
+          - tag_3.diff.before == tag_3.diff.after
+          - tag_3.diff.before.images | length == 2
+          - tag_3_check == tag_3
+
+    - name: Tag image 1 (one more, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-2:baz"
+      register: tag_4_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 1 (one more)
+      community.docker.docker_image_tag:
+        name: "{{ image_1 }}"
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-2:baz"
+      register: tag_4
+      diff: true
+
+    - name: Fetch image infos
+      community.docker.docker_image_info:
+        name: "{{ image_names }}"
+      register: info_4
+
+    - ansible.builtin.assert:
+        that:
+          - tag_4 is changed
+          - tag_4.diff.before.images | length == 3
+          - tag_4.diff.before.images[0] == tag_4.diff.after.images[0]
+          - tag_4.diff.before.images[1] == tag_4.diff.after.images[1]
+          - tag_4.diff.before.images[2] != tag_4.diff.after.images[2]
+          - tag_4.diff.before.images[2].exists is false
+          - tag_4.diff.after.images[0].id == pulled_images.results[0].image.Id
+          - tag_4.diff.after.images[1].id == pulled_images.results[0].image.Id
+          - tag_4.diff.after.images[2].id == pulled_images.results[0].image.Id
+          - info_4.images | length == 3
+          - info_4.images[0].Id == pulled_images.results[0].image.Id
+          - info_4.images[1].Id == pulled_images.results[0].image.Id
+          - info_4.images[2].Id == pulled_images.results[0].image.Id
+          - tag_4_check == tag_4
+
+    - name: Tag image 2 (only change missing one, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: keep
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_5_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 2 (only change missing one)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: keep
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_5
+      diff: true
+
+    - name: Fetch image infos
+      community.docker.docker_image_info:
+        name: "{{ image_names }}"
+      register: info_5
+
+    - ansible.builtin.assert:
+        that:
+          - tag_5 is changed
+          - tag_5.diff.before.images | length == 3
+          - tag_5.diff.before.images[0] == tag_5.diff.after.images[0]
+          - tag_5.diff.before.images[1] == tag_5.diff.after.images[1]
+          - tag_5.diff.before.images[2] != tag_5.diff.after.images[2]
+          - tag_5.diff.before.images[2].exists is false
+          - tag_5.diff.after.images[0].id == pulled_images.results[0].image.Id
+          - tag_5.diff.after.images[1].id == pulled_images.results[0].image.Id
+          - tag_5.diff.after.images[2].id == pulled_images.results[1].image.Id
+          - info_5.images | length == 4
+          - info_5.images[0].Id == pulled_images.results[0].image.Id
+          - info_5.images[1].Id == pulled_images.results[0].image.Id
+          - info_5.images[2].Id == pulled_images.results[1].image.Id
+          - info_5.images[3].Id == pulled_images.results[0].image.Id
+          - tag_5_check == tag_5
+
+    - name: Tag image 2 (idempotent, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: keep
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_6_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 2 (idempotent)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: keep
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_6
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_6 is not changed
+          - tag_6.diff.before == tag_6.diff.after
+          - tag_6.diff.before.images | length == 3
+          - tag_6_check == tag_6
+
+    - name: Tag image 2 (only change wrong ones, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_7_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 2 (only change wrong ones)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_7
+      diff: true
+
+    - name: Fetch image infos
+      community.docker.docker_image_info:
+        name: "{{ image_names }}"
+      register: info_7
+
+    - ansible.builtin.assert:
+        that:
+          - tag_7 is changed
+          - tag_7.diff.before.images | length == 3
+          - tag_7.diff.before.images[0] != tag_7.diff.after.images[0]
+          - tag_7.diff.before.images[1] != tag_7.diff.after.images[1]
+          - tag_7.diff.before.images[2] == tag_7.diff.after.images[2]
+          - tag_7.diff.before.images[0].id == pulled_images.results[0].image.Id
+          - tag_7.diff.before.images[1].id == pulled_images.results[0].image.Id
+          - tag_7.diff.after.images[0].id == pulled_images.results[1].image.Id
+          - tag_7.diff.after.images[1].id == pulled_images.results[1].image.Id
+          - tag_7.diff.after.images[2].id == pulled_images.results[1].image.Id
+          - info_7.images | length == 4
+          - info_7.images[0].Id == pulled_images.results[1].image.Id
+          - info_7.images[1].Id == pulled_images.results[1].image.Id
+          - info_7.images[2].Id == pulled_images.results[1].image.Id
+          - info_7.images[3].Id == pulled_images.results[0].image.Id
+          - tag_7_check == tag_7
+
+    - name: Tag image 2 (idempotent, check mode)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_8_check
+      diff: true
+      check_mode: true
+
+    - name: Tag image 2 (idempotent)
+      community.docker.docker_image_tag:
+        name: "{{ image_2 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-1:latest"
+          - "{{ iname_prefix }}-tagged-1:foo"
+          - "{{ iname_prefix }}-tagged-1:bar"
+      register: tag_8
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_8 is not changed
+          - tag_8.diff.before == tag_8.diff.after
+          - tag_8.diff.before.images | length == 3
+          - tag_8_check == tag_8
+
+    - name: Tag image 3 (source image has digest)
+      community.docker.docker_image_tag:
+        name: "{{ image_3 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-2:baz"
+      register: tag_9
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_9 is changed
+          - tag_9.diff.before.images | length == 1
+          - tag_9.diff.before.images[0].id == pulled_images.results[0].image.Id
+          - tag_9.diff.after.images[0].id == pulled_images.results[2].image.Id
+
+    - name: Tag image 3 (source image is ID)
+      community.docker.docker_image_tag:
+        name: "{{ pulled_images.results[2].image.Id }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-1:foo"
+      register: tag_10
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_10 is changed
+          - tag_10.diff.before.images | length == 1
+          - tag_10.diff.before.images[0].id == pulled_images.results[1].image.Id
+          - tag_10.diff.after.images[0].id == pulled_images.results[2].image.Id
+
+    - name: Tag image 3 (fail because of digest)
+      community.docker.docker_image_tag:
+        name: "{{ image_3 }}"
+        existing_images: overwrite
+        repository:
+          - "{{ iname_prefix }}-tagged-2@sha256:{{ docker_test_image_digest_v1 }}"
+      register: tag_11
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_11 is failed
+          - >-
+            tag_11.msg == ('repository[1] must not have a digest; got: ' ~ iname_prefix ~ '-tagged-2@sha256:' ~ docker_test_image_digest_v1)
+
+    - name: Tag image 3 (fail because of image ID)
+      community.docker.docker_image_tag:
+        name: "{{ image_3 }}"
+        existing_images: overwrite
+        repository:
+          - "sha256:{{ docker_test_image_digest_v1 }}"
+      register: tag_12
+      ignore_errors: true
+
+    - ansible.builtin.assert:
+        that:
+          - tag_12 is failed
+          - >-
+            tag_12.msg == ('repository[1] must not be an image ID; got: sha256:' ~ docker_test_image_digest_v1)
+
+  always:
+    - name: Remove tagged images
+      community.docker.docker_image_remove:
+        name: "{{ item }}"
+      loop: "{{ image_names }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_login/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/meta/main.yml
new file mode 100644
index 00000000..ff316450
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_registry
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/main.yml
new file mode 100644
index 00000000..c9158e4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: test.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/test.yml
new file mode 100644
index 00000000..be366f53
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/test.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_image tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/docker_login.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/docker_login.yml
new file mode 100644
index 00000000..15bbe920
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/docker_login.yml
@@ -0,0 +1,150 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Log out server
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: absent
+
+    - name: Log in with wrong password (check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: "1234"
+        state: present
+      register: login_failed_check
+      ignore_errors: true
+      check_mode: true
+
+    - name: Log in with wrong password
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: "1234"
+        state: present
+      register: login_failed
+      ignore_errors: true
+
+    - name: Make sure that login failed
+      ansible.builtin.assert:
+        that:
+          - login_failed_check is failed
+          - "('login attempt to http://' ~ registry_frontend_address ~ '/v2/ failed') in login_failed_check.msg"
+          - login_failed is failed
+          - "('login attempt to http://' ~ registry_frontend_address ~ '/v2/ failed') in login_failed.msg"
+
+    - name: Log in (check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_1
+      check_mode: true
+
+    - name: Log in
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_2
+
+    - name: Get permissions of ~/.docker/config.json
+      ansible.builtin.stat:
+        path: ~/.docker/config.json
+      register: login_2_stat
+
+    - name: Log in (idempotent)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_3
+
+    - name: Log in (idempotent, check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_4
+      check_mode: true
+
+    - name: Make sure that login worked
+      ansible.builtin.assert:
+        that:
+          - login_1 is changed
+          - login_2 is changed
+          - login_3 is not changed
+          - login_4 is not changed
+          - login_2_stat.stat.mode == '0600'
+
+    - name: Log in again with wrong password (check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: "1234"
+        state: present
+      register: login_failed_check
+      ignore_errors: true
+      check_mode: true
+
+    - name: Log in again with wrong password
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: "1234"
+        state: present
+      register: login_failed
+      ignore_errors: true
+
+    - name: Make sure that login failed again
+      ansible.builtin.assert:
+        that:
+          - login_failed_check is failed
+          - "('login attempt to http://' ~ registry_frontend_address ~ '/v2/ failed') in login_failed_check.msg"
+          - login_failed is failed
+          - "('login attempt to http://' ~ registry_frontend_address ~ '/v2/ failed') in login_failed.msg"
+
+    - name: Log out (check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        state: absent
+      register: logout_1
+      check_mode: true
+
+    - name: Log out
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        state: absent
+      register: logout_2
+
+    - name: Log out (idempotent)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        state: absent
+      register: logout_3
+
+    - name: Log out (idempotent, check mode)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        state: absent
+      register: logout_4
+      check_mode: true
+
+    - name: Make sure that login worked
+      ansible.builtin.assert:
+        that:
+          - logout_1 is changed
+          - logout_2 is changed
+          - logout_3 is not changed
+          - logout_4 is not changed
+
+  when: registry_frontend_address != 'n/a'
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/multiple-servers.yml b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/multiple-servers.yml
new file mode 100644
index 00000000..05fbe110
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_login/tasks/tests/multiple-servers.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Log out server 1
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: absent
+
+    - name: Log out server 2
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend2_address }}"
+        username: testuser
+        password: hunter2
+        state: absent
+
+    - name: Log in server 1
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_1
+
+    - name: Log in server 2
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend2_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_2
+
+    - name: Log in server 1 (idempotent)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_1_2
+
+    - name: Log in server 2 (idempotent)
+      community.docker.docker_login:
+        registry_url: "{{ registry_frontend2_address }}"
+        username: testuser
+        password: hunter2
+        state: present
+      register: login_2_2
+
+    - name: Make sure that login worked
+      ansible.builtin.assert:
+        that:
+          - login_1 is changed
+          - login_2 is changed
+          - login_1_2 is not changed
+          - login_2_2 is not changed
+
+  when: registry_frontend_address != 'n/a' and registry_frontend2_address != 'n/a'
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_network/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/meta/main.yml
new file mode 100644
index 00000000..44bdbe8d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_docker_sdk_for_python  # for Swarm support
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/main.yml
new file mode 100644
index 00000000..7627af20
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: List inspection results for all docker networks
+  community.docker.docker_host_info:
+    networks: true
+    verbose_output: true
+  register: all_networks
+
+- name: Show inspection results for all docker networks
+  ansible.builtin.debug:
+    var: all_networks.networks
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    cnames: []
+    dnetworks: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all containers are removed"
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      loop: "{{ cnames }}"
+    - name: "Make sure all networks are removed"
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      loop: "{{ dnetworks }}"
+
+  when: docker_api_version is version('1.25', '>=')  # FIXME: find out API version!
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_network tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/basic.yml
new file mode 100644
index 00000000..cb4ecc00
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/basic.yml
@@ -0,0 +1,138 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container and network names
+  ansible.builtin.set_fact:
+    cname_1: "{{ name_prefix ~ '-container-1' }}"
+    cname_2: "{{ name_prefix ~ '-container-2' }}"
+    cname_3: "{{ name_prefix ~ '-container-3' }}"
+    nname_1: "{{ name_prefix ~ '-network-1' }}"
+    nname_2: "{{ name_prefix ~ '-network-2' }}"
+- name: Registering container and network names
+  ansible.builtin.set_fact:
+    cnames: "{{ cnames + [cname_1, cname_2, cname_3] }}"
+    dnetworks: "{{ dnetworks + [nname_1, nname_2] }}"
+
+- name: Create containers
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: /bin/sleep 10m
+    state: started
+  loop:
+    - "{{ cname_1 }}"
+    - "{{ cname_2 }}"
+    - "{{ cname_3 }}"
+  loop_control:
+    loop_var: container_name
+
+####################################################################
+
+- name: Create network
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+  register: networks_1
+
+- name: Connect network to containers 1
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_1 }}"
+  register: networks_2
+
+- name: Connect network to containers 1 (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_1 }}"
+  register: networks_2_idem
+
+- name: Connect network to containers 1 and 2
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_1 }}"
+      - "{{ cname_2 }}"
+  register: networks_3
+
+- name: Connect network to containers 1 and 2 (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_1 }}"
+      - "{{ cname_2 }}"
+  register: networks_3_idem
+
+- name: Connect network to container 3
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_3 }}"
+    appends: true
+  register: networks_4
+
+- name: Connect network to container 3 (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_3 }}"
+    appends: true
+  register: networks_4_idem
+
+- name: Disconnect network from container 1
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_2 }}"
+      - "{{ cname_3 }}"
+  register: networks_5
+
+- name: Disconnect network from container 1 (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+    connected:
+      - "{{ cname_2 }}"
+      - "{{ cname_3 }}"
+  register: networks_5_idem
+
+- name: Cleanup
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: absent
+
+- ansible.builtin.assert:
+    that:
+      - networks_1 is changed
+      - networks_2 is changed
+      - networks_2_idem is not changed
+      - networks_3 is changed
+      - networks_3_idem is not changed
+      - networks_4 is changed
+      - networks_4_idem is not changed
+      - networks_5 is changed
+      - networks_5_idem is not changed
+
+####################################################################
+
+- name: Delete containers
+  community.docker.docker_container:
+    name: "{{ container_name }}"
+    state: absent
+    force_kill: true
+  loop:
+    - "{{ cname_1 }}"
+    - "{{ cname_2 }}"
+    - "{{ cname_3 }}"
+  loop_control:
+    loop_var: container_name
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/ipam.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/ipam.yml
new file mode 100644
index 00000000..a3e0ffd0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/ipam.yml
@@ -0,0 +1,309 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering network names
+  ansible.builtin.set_fact:
+    nname_ipam_0: "{{ name_prefix ~ '-network-ipam-0' }}"
+    nname_ipam_1: "{{ name_prefix ~ '-network-ipam-1' }}"
+    nname_ipam_2: "{{ name_prefix ~ '-network-ipam-2' }}"
+    nname_ipam_3: "{{ name_prefix ~ '-network-ipam-3' }}"
+
+- name: Registering network names
+  ansible.builtin.set_fact:
+    dnetworks: "{{ dnetworks + [nname_ipam_0, nname_ipam_1, nname_ipam_2, nname_ipam_3] }}"
+
+
+#################### IPv4 IPAM config ####################
+
+- name: Create network with custom IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_1 }}"
+    ipam_config:
+      - subnet: 10.25.120.0/24
+        gateway: 10.25.120.2
+        iprange: 10.25.120.0/26
+        aux_addresses:
+          host1: 10.25.120.3
+          host2: 10.25.120.4
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+
+- name: Create network with custom IPAM config (idempotence)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_1 }}"
+    ipam_config:
+      - subnet: 10.25.120.0/24
+        gateway: 10.25.120.2
+        iprange: 10.25.120.0/26
+        aux_addresses:
+          host1: 10.25.120.3
+          host2: 10.25.120.4
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is not changed
+
+- name: Change of network created with custom IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_1 }}"
+    ipam_config:
+      - subnet: 10.25.121.0/24
+        gateway: 10.25.121.2
+        iprange: 10.25.121.0/26
+        aux_addresses:
+          host1: 10.25.121.3
+  register: network
+  diff: true
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+      - network.diff.differences | length == 4
+      - '"ipam_config[0].subnet" in network.diff.differences'
+      - '"ipam_config[0].gateway" in network.diff.differences'
+      - '"ipam_config[0].iprange" in network.diff.differences'
+      - '"ipam_config[0].aux_addresses" in network.diff.differences'
+
+- name: Remove gateway and iprange of network with custom IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_1 }}"
+    ipam_config:
+      - subnet: 10.25.121.0/24
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is not changed
+
+- name: Cleanup network with custom IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_1 }}"
+    state: absent
+
+
+#################### IPv6 IPAM config ####################
+
+- name: Create network with IPv6 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_2 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: fdd1:ac8c:0557:7ce0::/64
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+
+- name: Create network with IPv6 IPAM config (idempotence)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_2 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: fdd1:ac8c:0557:7ce0::/64
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is not changed
+
+- name: Change subnet of network with IPv6 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_2 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: fdd1:ac8c:0557:7ce1::/64
+  register: network
+  diff: true
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+      - network.diff.differences | length == 1
+      - network.diff.differences[0] == "ipam_config[0].subnet"
+
+- name: Change subnet of network with IPv6 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_2 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: "fdd1:ac8c:0557:7ce1::"
+  register: network
+  ignore_errors: true
+
+- ansible.builtin.assert:
+    that:
+      - network is failed
+      - "network.msg == '\"fdd1:ac8c:0557:7ce1::\" is not a valid CIDR'"
+
+- name: Cleanup network with IPv6 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_2 }}"
+    state: absent
+
+
+#################### IPv4 and IPv6 network ####################
+
+- name: Create network with IPv6 and custom IPv4 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: 10.26.120.0/24
+      - subnet: fdd1:ac8c:0557:7ce2::/64
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+
+- name: Change subnet order of network with IPv6 and custom IPv4 IPAM config (idempotence)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    enable_ipv6: true
+    ipam_config:
+      - subnet: fdd1:ac8c:0557:7ce2::/64
+      - subnet: 10.26.120.0/24
+  register: network
+
+- ansible.builtin.assert:
+    that:
+      - network is not changed
+
+- name: Remove IPv6 from network with custom IPv4 and IPv6 IPAM config (change)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    enable_ipv6: false
+    ipam_config:
+      - subnet: 10.26.120.0/24
+  register: network
+  diff: true
+
+- ansible.builtin.assert:
+    that:
+      - network is changed
+      - network.diff.differences | length == 1
+      - network.diff.differences[0] == "enable_ipv6"
+
+- name: Cleanup network with IPv6 and custom IPv4 IPAM config
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    state: absent
+
+
+#################### multiple IPv4 networks ####################
+
+- block:
+    - name: Create network with two IPv4 IPAM configs
+      community.docker.docker_network:
+        name: "{{ nname_ipam_3 }}"
+        driver: "macvlan"
+        driver_options:
+          parent: "{{ ansible_default_ipv4.alias }}"
+        ipam_config:
+          - subnet: 10.26.120.0/24
+          - subnet: 10.26.121.0/24
+      register: network
+
+    - ansible.builtin.assert:
+        that:
+          - network is changed
+
+    - name: Create network with two IPv4 IPAM configs (idempotence)
+      community.docker.docker_network:
+        name: "{{ nname_ipam_3 }}"
+        driver: "macvlan"
+        driver_options:
+          parent: "{{ ansible_default_ipv4.alias }}"
+        ipam_config:
+          - subnet: 10.26.121.0/24
+          - subnet: 10.26.120.0/24
+      register: network
+
+    - ansible.builtin.assert:
+        that:
+          - network is not changed
+
+    - name: Create network with two IPv4 IPAM configs (change)
+      community.docker.docker_network:
+        name: "{{ nname_ipam_3 }}"
+        driver: "macvlan"
+        driver_options:
+          parent: "{{ ansible_default_ipv4.alias }}"
+        ipam_config:
+          - subnet: 10.26.120.0/24
+          - subnet: 10.26.122.0/24
+      register: network
+      diff: true
+
+    - ansible.builtin.assert:
+        that:
+          - network is changed
+          - network.diff.differences | length == 1
+
+    - name: Create network with one IPv4 IPAM config (no change)
+      community.docker.docker_network:
+        name: "{{ nname_ipam_3 }}"
+        driver: "macvlan"
+        driver_options:
+          parent: "{{ ansible_default_ipv4.alias }}"
+        ipam_config:
+          - subnet: 10.26.122.0/24
+      register: network
+
+    - ansible.builtin.assert:
+        that:
+          - network is not changed
+
+    - name: Cleanup network
+      community.docker.docker_network:
+        name: "{{ nname_ipam_3 }}"
+        state: absent
+
+  when: ansible_facts.virtualization_type != 'docker' and ansible_default_ipv4.alias is defined
+
+
+#################### IPAM driver options ####################
+
+- name: Create network with IPAM driver options
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    ipam_driver: default
+    ipam_driver_options:
+      a: b
+  register: network_1
+  ignore_errors: true
+- name: Create network with IPAM driver options (idempotence)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    ipam_driver: default
+    ipam_driver_options:
+      a: b
+  diff: true
+  register: network_2
+  ignore_errors: true
+- name: Create network with IPAM driver options (change)
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    ipam_driver: default
+    ipam_driver_options:
+      a: c
+  diff: true
+  register: network_3
+  ignore_errors: true
+- name: Cleanup network
+  community.docker.docker_network:
+    name: "{{ nname_ipam_3 }}"
+    state: absent
+
+- ansible.builtin.assert:
+    that:
+      - network_1 is changed
+      - network_2 is not changed
+      - network_3 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/options.yml
new file mode 100644
index 00000000..c21b7e5b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/options.yml
@@ -0,0 +1,234 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering network name
+  ansible.builtin.set_fact:
+    nname_1: "{{ name_prefix ~ '-network-1' }}"
+- name: Registering network name
+  ansible.builtin.set_fact:
+    dnetworks: "{{ dnetworks + [nname_1] }}"
+
+####################################################################
+## internal ########################################################
+####################################################################
+
+- name: internal
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    internal: true
+  register: internal_1
+
+- name: internal (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    internal: true
+  register: internal_2
+
+- name: internal (change)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    internal: false
+  register: internal_3
+
+- name: cleanup
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: absent
+    force: true
+
+- ansible.builtin.assert:
+    that:
+      - internal_1 is changed
+      - internal_2 is not changed
+      - internal_3 is changed
+
+####################################################################
+## driver_options ##################################################
+####################################################################
+
+- name: driver_options
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    driver_options:
+      com.docker.network.bridge.enable_icc: 'false'
+  register: driver_options_1
+
+- name: driver_options (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    driver_options:
+      com.docker.network.bridge.enable_icc: 'false'
+  register: driver_options_2
+
+- name: driver_options (idempotency with string translation)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    driver_options:
+      com.docker.network.bridge.enable_icc: false
+  register: driver_options_3
+
+- name: driver_options (change)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    driver_options:
+      com.docker.network.bridge.enable_icc: 'true'
+  register: driver_options_4
+
+- name: driver_options (idempotency with string translation)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    driver_options:
+      com.docker.network.bridge.enable_icc: true
+  register: driver_options_5
+
+- name: cleanup
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: absent
+    force: true
+
+- ansible.builtin.assert:
+    that:
+      - driver_options_1 is changed
+      - driver_options_2 is not changed
+      - driver_options_3 is not changed
+      - driver_options_4 is changed
+      - driver_options_5 is not changed
+
+####################################################################
+## scope ###########################################################
+####################################################################
+
+- block:
+    - name: scope
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: bridge
+        scope: local
+      register: scope_1
+
+    - name: scope (idempotency)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: bridge
+        scope: local
+      register: scope_2
+
+    - name: swarm
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    # Driver change alongside scope is intentional - bridge doesn't appear to support anything but local, and overlay can't downgrade to local. Additionally, overlay reports as swarm for swarm OR global, so no change is reported in that case.
+    # Test output indicates that the scope is altered, at least, so manual inspection will be required to verify this going forward, unless we come up with a test driver that supports multiple scopes.
+    - name: scope (change)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        scope: swarm
+      register: scope_3
+
+    - name: cleanup network
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        state: absent
+        force: true
+
+    - ansible.builtin.assert:
+        that:
+          - scope_1 is changed
+          - scope_2 is not changed
+          - scope_3 is changed
+
+  always:
+    - name: cleanup swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+####################################################################
+## attachable ######################################################
+####################################################################
+
+- name: attachable
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    attachable: true
+  register: attachable_1
+  ignore_errors: true
+
+- name: attachable (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    attachable: true
+  register: attachable_2
+  ignore_errors: true
+
+- name: attachable (change)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    attachable: false
+  register: attachable_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: absent
+    force: true
+
+- ansible.builtin.assert:
+    that:
+      - attachable_1 is changed
+      - attachable_2 is not changed
+      - attachable_3 is changed
+
+####################################################################
+## labels ##########################################################
+####################################################################
+
+- name: labels
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+  register: labels_1
+
+- name: labels (idempotency)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    labels:
+      ansible.test.2: world
+      ansible.test.1: hello
+  register: labels_2
+
+- name: labels (less labels)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    labels:
+      ansible.test.1: hello
+  register: labels_3
+
+- name: labels (more labels)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+  register: labels_4
+
+- name: cleanup
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: absent
+    force: true
+
+- ansible.builtin.assert:
+    that:
+      - labels_1 is changed
+      - labels_2 is not changed
+      - labels_3 is not changed
+      - labels_4 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/overlay.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/overlay.yml
new file mode 100644
index 00000000..e0cd01bd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/overlay.yml
@@ -0,0 +1,104 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering network name
+  ansible.builtin.set_fact:
+    nname_1: "{{ name_prefix ~ '-network-1' }}"
+- name: Registering network name
+  ansible.builtin.set_fact:
+    dnetworks: "{{ dnetworks + [nname_1] }}"
+
+- block:
+    # Overlay networks require swarm initialization before they'll work
+    - name: swarm
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+  ####################################################################
+  ## overlay #########################################################
+  ####################################################################
+
+    - name: overlay
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        driver_options:
+          com.docker.network.driver.overlay.vxlanid_list: "257"
+      register: overlay_1
+
+    - name: overlay (idempotency)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        driver_options:
+          com.docker.network.driver.overlay.vxlanid_list: "257"
+      register: overlay_2
+
+    - name: overlay (change)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: bridge
+      register: overlay_3
+
+    - name: cleanup network
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        state: absent
+        force: true
+
+    - ansible.builtin.assert:
+        that:
+          - overlay_1 is changed
+          - overlay_2 is not changed
+          - overlay_3 is changed
+
+  ####################################################################
+  ## ingress #########################################################
+  ####################################################################
+
+    - name: cleanup default swarm ingress network
+      community.docker.docker_network:
+        name: ingress
+        state: absent
+
+    - name: ingress
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        ingress: true
+      register: ingress_1
+
+    - name: ingress (idempotency)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        ingress: true
+      register: ingress_2
+
+    - name: ingress (change)
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        driver: overlay
+        ingress: false
+      register: ingress_3
+
+    - name: cleanup network
+      community.docker.docker_network:
+        name: "{{ nname_1 }}"
+        state: absent
+        force: true
+
+    - ansible.builtin.assert:
+        that:
+          - ingress_1 is changed
+          - ingress_2 is not changed
+          - ingress_3 is changed
+
+  always:
+    - name: cleanup swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/substring.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/substring.yml
new file mode 100644
index 00000000..6a741f28
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network/tasks/tests/substring.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container and network names
+  ansible.builtin.set_fact:
+    nname_1: "{{ name_prefix ~ '-network-foo' }}"
+    nname_2: "{{ name_prefix ~ '-network-foobar' }}"
+- name: Registering container and network names
+  ansible.builtin.set_fact:
+    dnetworks: "{{ dnetworks + [nname_1, nname_2] }}"
+
+####################################################################
+
+- name: Create network (superstring)
+  community.docker.docker_network:
+    name: "{{ nname_2 }}"
+    state: present
+  register: networks_1
+
+- name: Create network (substring)
+  community.docker.docker_network:
+    name: "{{ nname_1 }}"
+    state: present
+  register: networks_2
+
+- name: Cleanup
+  community.docker.docker_network:
+    name: "{{ network_name }}"
+    state: absent
+  loop:
+    - "{{ nname_1 }}"
+    - "{{ nname_2 }}"
+  loop_control:
+    loop_var: network_name
+
+- ansible.builtin.assert:
+    that:
+      - networks_1 is changed
+      - networks_2 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_network_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/tasks/main.yml
new file mode 100644
index 00000000..29e64a80
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_network_info/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Create random network name
+      ansible.builtin.set_fact:
+        nname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Make sure network is not there
+      community.docker.docker_network:
+        name: "{{ nname }}"
+        state: absent
+        force: true
+
+    - name: Inspect a non-present network
+      community.docker.docker_network_info:
+        name: "{{ nname }}"
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - "not result.exists"
+          - "'network' in result"
+          - "result.network is none"
+
+    - name: Make sure network exists
+      community.docker.docker_network:
+        name: "{{ nname }}"
+        state: present
+
+    - name: Inspect a present network
+      community.docker.docker_network_info:
+        name: "{{ nname }}"
+      register: result
+    - name: Dump docker_network_info result
+      ansible.builtin.debug: var=result
+
+    - name: "Comparison: use 'docker network inspect'"
+      ansible.builtin.command: docker network inspect "{{ nname }}"
+      register: docker_inspect
+      ignore_errors: true
+    - block:
+        - ansible.builtin.set_fact:
+            docker_inspect_result: "{{ docker_inspect.stdout | from_json }}"
+        - name: Dump docker inspect result
+          ansible.builtin.debug: var=docker_inspect_result
+      when: docker_inspect is not failed
+
+    - name: Cleanup
+      community.docker.docker_network:
+        name: "{{ nname }}"
+        state: absent
+        force: true
+
+    - ansible.builtin.assert:
+        that:
+          - result.exists
+          - "'network' in result"
+          - "result.network is truthy"
+
+    - ansible.builtin.assert:
+        that:
+          - "result.network == docker_inspect_result[0]"
+      when: docker_inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in docker_inspect.stderr"
+      when: docker_inspect is failed
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_network_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_node/aliases
new file mode 100644
index 00000000..50e0e5f3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
+needs/root
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/main.yml
new file mode 100644
index 00000000..4fa9d061
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+# Run the tests
+- block:
+    - ansible.builtin.include_tasks: test_node.yml
+
+  always:
+    - name: Cleanup (trying)
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+      diff: false
+      ignore_errors: true
+
+    - name: Restart docker daemon
+      ansible.builtin.service:
+        name: docker
+        state: restarted
+      become: true
+    - name: Wait for docker daemon to be fully restarted
+      ansible.builtin.command: docker ps
+      ignore_errors: true
+
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+      diff: false
+
+  when: docker_py_version is version('2.4.0', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_node tests!"
+  when: not(docker_py_version is version('2.4.0', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/test_node.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/test_node.yml
new file mode 100644
index 00000000..dda9be34
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node/tasks/test_node.yml
@@ -0,0 +1,844 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Try to get docker_node_info when docker is not running in swarm mode
+      community.docker.docker_node_info:
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called when swarm is not in use or not run on manager node
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "Error running docker swarm module: must run on swarm manager node"'
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+      register: output
+
+    - name: assert changed when create a new swarm cluster
+      ansible.builtin.assert:
+        that:
+          - 'output is changed'
+          - '(output.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+
+    - name: Try to get docker_node_info when docker is running in swarm mode and as manager
+      community.docker.docker_node_info:
+      register: output
+
+    - name: assert reading docker swarm node facts
+      ansible.builtin.assert:
+        that:
+          - 'output.nodes | length > 0'
+          - 'output.nodes[0].ID is string'
+
+    - name: Register node ID
+      ansible.builtin.set_fact:
+        nodeid: "{{ output.nodes[0].ID }}"
+
+  ####################################################################
+  ## Set node as swarm manager #######################################
+  ####################################################################
+
+    - name: Try to set node as manager (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: manager
+      check_mode: true
+      register: set_as_manager_1
+
+    - name: Try to set node as manager
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: manager
+      register: set_as_manager_2
+
+    - name: Try to set node as manager (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: manager
+      register: set_as_manager_3
+
+    - name: Try to set node as manager (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: manager
+      check_mode: true
+      register: set_as_manager_4
+
+    - name: assert that node role does has not changed
+      ansible.builtin.assert:
+        that:
+          - 'set_as_manager_1 is not changed'
+          - 'set_as_manager_2 is not changed'
+          - 'set_as_manager_3 is not changed'
+          - 'set_as_manager_4 is not changed'
+          - 'set_as_manager_1.node.Spec.Role == "manager"'
+          - 'set_as_manager_2.node.Spec.Role == "manager"'
+          - 'set_as_manager_3.node.Spec.Role == "manager"'
+          - 'set_as_manager_4.node.Spec.Role == "manager"'
+
+  ####################################################################
+  ## Set node as swarm worker ########################################
+  ####################################################################
+
+    - name: Try to set node as worker (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: worker
+      check_mode: true
+      register: set_as_worker_1
+
+    - name: Try to set node as worker
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        role: worker
+      ignore_errors: true
+      register: set_as_worker_2
+
+    - name: assert that node cannot change role to worker
+      ansible.builtin.assert:
+        that:
+          - 'set_as_worker_1 is changed'
+          - 'set_as_worker_2 is failed'
+          - '(set_as_worker_2.msg | regex_search("attempting to demote the last manager of the swarm")) is truthy'
+
+  ####################################################################
+  ## Set node as pasued ##############################################
+  ####################################################################
+
+    - name: Try to set node availability as paused  (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: pause
+      check_mode: true
+      register: set_as_paused_1
+
+    - name: Try to set node availability as paused
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: pause
+      register: set_as_paused_2
+
+    - name: Try to set node availability as paused (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: pause
+      register: set_as_paused_3
+
+    - name: Try to set node availability as paused (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: pause
+      check_mode: true
+      register: set_as_paused_4
+
+    - name: assert node changed availability to paused
+      ansible.builtin.assert:
+        that:
+          - 'set_as_paused_1 is changed'
+          - 'set_as_paused_2 is changed'
+          - 'set_as_paused_3 is not changed'
+          - 'set_as_paused_4 is not changed'
+          - 'set_as_paused_2.node.Spec.Availability == "pause"'
+
+  ####################################################################
+  ## Set node as drained #############################################
+  ####################################################################
+
+    - name: Try to set node availability as drained (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: drain
+      check_mode: true
+      register: output_drain_1
+
+    - name: Try to set node availability as drained
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: drain
+      register: output_drain_2
+
+    - name: Try to set node availability as drained (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: drain
+      register: output_drain_3
+
+    - name: Try to set node availability as drained (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: drain
+      check_mode: true
+      register: output_drain_4
+
+    - name: assert node changed availability to drained
+      ansible.builtin.assert:
+        that:
+          - 'output_drain_1 is changed'
+          - 'output_drain_2 is changed'
+          - 'output_drain_3 is not changed'
+          - 'output_drain_4 is not changed'
+          - 'output_drain_2.node.Spec.Availability == "drain"'
+
+
+  ####################################################################
+  ## Set node as active ##############################################
+  ####################################################################
+
+    - name: Try to set node availability as active (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: active
+      check_mode: true
+      register: output_active_1
+
+    - name: Try to set node availability as active
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: active
+      register: output_active_2
+
+    - name: Try to set node availability as active (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: active
+      register: output_active_3
+
+    - name: Try to set node availability as active (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        availability: active
+      check_mode: true
+      register: output_active_4
+
+    - name: assert node changed availability to active
+      ansible.builtin.assert:
+        that:
+          - 'output_active_1 is changed'
+          - 'output_active_2 is changed'
+          - 'output_active_3 is not changed'
+          - 'output_active_4 is not changed'
+          - 'output_active_2.node.Spec.Availability == "active"'
+
+  ####################################################################
+  ## Add single label ###############################################
+  ####################################################################
+
+    - name: Try to add single label to swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1
+      check_mode: true
+      register: output_add_single_label_1
+
+    - name: Try to add single label to swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1
+      register: output_add_single_label_2
+
+    - name: Try to add single label to swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1
+      register: output_add_single_label_3
+
+    - name: Try to add single label to swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1
+      check_mode: true
+      register: output_add_single_label_4
+
+    - name: assert adding single label to swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_add_single_label_1 is changed'
+          - 'output_add_single_label_2 is changed'
+          - 'output_add_single_label_3 is not changed'
+          - 'output_add_single_label_4 is not changed'
+          - 'output_add_single_label_2.node.Spec.Labels | length == 1'
+          - 'output_add_single_label_2.node.Spec.Labels.label1 == "value1"'
+
+  ####################################################################
+  ## Add multiple labels #############################################
+  ####################################################################
+
+    - name: Try to add five labels to swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2
+          label3: value3
+          label4: value4
+          label5: value5
+          label6: value6
+      check_mode: true
+      register: output_add_multiple_labels_1
+
+    - name: Try to add five labels to swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2
+          label3: value3
+          label4: value4
+          label5: value5
+          label6: value6
+      register: output_add_multiple_labels_2
+
+    - name: Try to add five labels to swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2
+          label3: value3
+          label4: value4
+          label5: value5
+          label6: value6
+      register: output_add_multiple_labels_3
+
+    - name: Try to add five labels to swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2
+          label3: value3
+          label4: value4
+          label5: value5
+          label6: value6
+      check_mode: true
+      register: output_add_multiple_labels_4
+
+    - name: assert adding multiple labels to swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_add_multiple_labels_1 is changed'
+          - 'output_add_multiple_labels_2 is changed'
+          - 'output_add_multiple_labels_3 is not changed'
+          - 'output_add_multiple_labels_4 is not changed'
+          - 'output_add_multiple_labels_2.node.Spec.Labels | length == 6'
+          - 'output_add_multiple_labels_2.node.Spec.Labels.label1 == "value1"'
+          - 'output_add_multiple_labels_2.node.Spec.Labels.label6 == "value6"'
+
+  ####################################################################
+  ## Update label value ##############################################
+  ####################################################################
+
+    - name: Update value of existing label (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1111
+      check_mode: true
+      register: output_update_label_1
+
+    - name: Update value of existing label
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1111
+      register: output_update_label_2
+
+    - name: Update value of existing label (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1111
+      register: output_update_label_3
+
+    - name: Update value of existing label (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label1: value1111
+      check_mode: true
+      register: output_update_label_4
+
+    - name: assert updating single label assigned to swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_update_label_1 is changed'
+          - 'output_update_label_2 is changed'
+          - 'output_update_label_3 is not changed'
+          - 'output_update_label_4 is not changed'
+          - 'output_update_label_2.node.Spec.Labels | length == 6'
+          - 'output_update_label_2.node.Spec.Labels.label1 == "value1111"'
+          - 'output_update_label_2.node.Spec.Labels.label5 == "value5"'
+
+  ####################################################################
+  ## Update multiple labels values ###################################
+  ####################################################################
+
+    - name: Update value of multiple existing label (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2222
+          label3: value3333
+      check_mode: true
+      register: output_update_labels_1
+
+    - name: Update value of multiple existing label
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2222
+          label3: value3333
+      register: output_update_labels_2
+
+    - name: Update value of multiple existing label (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2222
+          label3: value3333
+      register: output_update_labels_3
+
+    - name: Update value of multiple existing label (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label2: value2222
+          label3: value3333
+      check_mode: true
+      register: output_update_labels_4
+
+    - name: assert updating multiple labels assigned to swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_update_labels_1 is changed'
+          - 'output_update_labels_2 is changed'
+          - 'output_update_labels_3 is not changed'
+          - 'output_update_labels_4 is not changed'
+          - 'output_update_labels_2.node.Spec.Labels | length == 6'
+          - 'output_update_labels_2.node.Spec.Labels.label1 == "value1111"'
+          - 'output_update_labels_2.node.Spec.Labels.label3 == "value3333"'
+          - 'output_update_labels_2.node.Spec.Labels.label5 == "value5"'
+
+  ####################################################################
+  ## Remove single label #############################################
+  ####################################################################
+
+    - name: Try to remove single existing label from swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label1
+      check_mode: true
+      register: output_remove_label_1
+
+    - name: Try to remove single existing label from swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label1
+      register: output_remove_label_2
+
+    - name: Try to remove single existing label from swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label1
+      register: output_remove_label_3
+
+    - name: Try to remove single existing label from swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label1
+      check_mode: true
+      register: output_remove_label_4
+
+    - name: assert removing single label from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_remove_label_1 is changed'
+          - 'output_remove_label_2 is changed'
+          - 'output_remove_label_3 is not changed'
+          - 'output_remove_label_4 is not changed'
+          - 'output_remove_label_2.node.Spec.Labels | length == 5'
+          - '"label1" not in output_remove_label_2.node.Spec.Labels'
+          - 'output_remove_label_2.node.Spec.Labels.label3 == "value3333"'
+          - 'output_remove_label_2.node.Spec.Labels.label5 == "value5"'
+
+
+  ####################################################################
+  ## Remove single not assigned to swarm label #######################
+  ####################################################################
+
+    - name: Try to remove single non-existing label from swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - labelnotexist
+      check_mode: true
+      register: output_remove_nonexist_label_1
+
+    - name: Try to remove single non-existing label from swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - labelnotexist
+      register: output_remove_nonexist_label_2
+
+    - name: Try to remove single non-existing label from swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - labelnotexist
+      register: output_remove_nonexist_label_3
+
+    - name: Try to remove single non-existing label from swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - labelnotexist
+      check_mode: true
+      register: output_remove_nonexist_label_4
+
+    - name: assert removing single non-existing label from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_remove_nonexist_label_1 is not changed'
+          - 'output_remove_nonexist_label_2 is not changed'
+          - 'output_remove_nonexist_label_3 is not changed'
+          - 'output_remove_nonexist_label_4 is not changed'
+          - 'output_remove_nonexist_label_2.node.Spec.Labels | length == 5'
+          - '"label1" not in output_remove_nonexist_label_2.node.Spec.Labels'
+          - 'output_remove_nonexist_label_2.node.Spec.Labels.label3 == "value3333"'
+          - 'output_remove_nonexist_label_2.node.Spec.Labels.label5 == "value5"'
+
+  ####################################################################
+  ## Remove multiple labels ##########################################
+  ####################################################################
+
+    - name: Try to remove two existing labels from swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label2
+          - label3
+      check_mode: true
+      register: output_remove_label_1
+
+    - name: Try to remove two existing labels from swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label2
+          - label3
+      register: output_remove_label_2
+
+    - name: Try to remove two existing labels from swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label2
+          - label3
+      register: output_remove_label_3
+
+    - name: Try to remove two existing labels from swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label2
+          - label3
+      check_mode: true
+      register: output_remove_label_4
+
+    - name: assert removing multiple labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_remove_label_1 is changed'
+          - 'output_remove_label_2 is changed'
+          - 'output_remove_label_3 is not changed'
+          - 'output_remove_label_4 is not changed'
+          - 'output_remove_label_2.node.Spec.Labels | length == 3'
+          - '"label1" not in output_remove_label_2.node.Spec.Labels'
+          - '"label2" not in output_remove_label_2.node.Spec.Labels'
+          - 'output_remove_label_2.node.Spec.Labels.label5 == "value5"'
+
+  ####################################################################
+  ## Remove multiple labels, mix assigned and not assigned  ##########
+  ####################################################################
+
+    - name: Try to remove mix of existing amd non-existing labels from swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label4
+          - labelisnotthere
+      check_mode: true
+      register: output_remove_mix_labels_1
+
+    - name: Try to remove mix of existing amd non-existing labels from swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label4
+          - labelisnotthere
+      register: output_remove_mix_labels_2
+
+    - name: Try to remove mix of existing amd non-existing labels from swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label4
+          - labelisnotthere
+      register: output_remove_mix_labels_3
+
+    - name: Try to remove mix of existing amd non-existing labels from swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_to_remove:
+          - label4
+          - labelisnotthere
+      check_mode: true
+      register: output_remove_mix_labels_4
+
+    - name: assert removing mix of existing and non-existing labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_remove_mix_labels_1 is changed'
+          - 'output_remove_mix_labels_2 is changed'
+          - 'output_remove_mix_labels_3 is not changed'
+          - 'output_remove_mix_labels_4 is not changed'
+          - 'output_remove_mix_labels_2.node.Spec.Labels | length == 2'
+          - '"label1" not in output_remove_mix_labels_2.node.Spec.Labels'
+          - '"label4" not in output_remove_mix_labels_2.node.Spec.Labels'
+          - 'output_remove_mix_labels_2.node.Spec.Labels.label5 == "value5"'
+
+  ####################################################################
+  ## Add and remove labels ###########################################
+  ####################################################################
+
+    - name: Try to add and remove nonoverlapping labels at the same time (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label7: value7
+          label8: value8
+        labels_to_remove:
+          - label5
+      check_mode: true
+      register: output_add_del_labels_1
+
+    - name: Try to add and remove nonoverlapping labels at the same time
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label7: value7
+          label8: value8
+        labels_to_remove:
+          - label5
+      register: output_add_del_labels_2
+
+    - name: Try to add and remove nonoverlapping labels at the same time (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label7: value7
+          label8: value8
+        labels_to_remove:
+          - label5
+      register: output_add_del_labels_3
+
+    - name: Try to add and remove nonoverlapping labels at the same time (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label7: value7
+          label8: value8
+        labels_to_remove:
+          - label5
+      check_mode: true
+      register: output_add_del_labels_4
+
+    - name: assert adding and removing nonoverlapping labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_add_del_labels_1 is changed'
+          - 'output_add_del_labels_2 is changed'
+          - 'output_add_del_labels_3 is not changed'
+          - 'output_add_del_labels_4 is not changed'
+          - 'output_add_del_labels_2.node.Spec.Labels | length == 3'
+          - '"label5" not in output_add_del_labels_2.node.Spec.Labels'
+          - 'output_add_del_labels_2.node.Spec.Labels.label8 == "value8"'
+
+  ####################################################################
+  ## Add and remove labels with label in both lists ##################
+  ####################################################################
+
+    - name: Try to add or update and remove overlapping labels at the same time (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label22: value22
+          label6: value6666
+        labels_to_remove:
+          - label6
+          - label7
+      check_mode: true
+      register: output_add_del_overlap_labels_1
+
+    - name: Try to add or update and remove overlapping labels at the same time
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label22: value22
+          label6: value6666
+        labels_to_remove:
+          - label6
+          - label7
+      register: output_add_del_overlap_labels_2
+
+    - name: Try to add or update and remove overlapping labels at the same time (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label22: value22
+          label6: value6666
+        labels_to_remove:
+          - label6
+          - label7
+      register: output_add_del_overlap_labels_3
+
+    - name: Try to add or update and remove overlapping labels at the same time (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label22: value22
+          label6: value6666
+        labels_to_remove:
+          - label6
+          - label7
+      check_mode: true
+      register: output_add_del_overlap_labels_4
+
+    - name: assert adding or updating and removing overlapping labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_add_del_overlap_labels_1 is changed'
+          - 'output_add_del_overlap_labels_2 is changed'
+          - 'output_add_del_overlap_labels_3 is not changed'
+          - 'output_add_del_overlap_labels_4 is not changed'
+          - 'output_add_del_overlap_labels_2.node.Spec.Labels | length == 3'
+          - '"label7" not in output_add_del_overlap_labels_2.node.Spec.Labels'
+          - 'output_add_del_overlap_labels_2.node.Spec.Labels.label6 == "value6666"'
+          - 'output_add_del_overlap_labels_2.node.Spec.Labels.label22 == "value22"'
+
+  ####################################################################
+  ## Replace labels #############################################
+  ####################################################################
+
+    - name: Replace labels on swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label11: value11
+          label12: value12
+        labels_state: replace
+      check_mode: true
+      register: output_replace_labels_1
+
+    - name: Replace labels on swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label11: value11
+          label12: value12
+        labels_state: replace
+      register: output_replace_labels_2
+
+    - name: Replace labels on swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label11: value11
+          label12: value12
+        labels_state: replace
+      register: output_replace_labels_3
+
+    - name: Replace labels on swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels:
+          label11: value11
+          label12: value12
+        labels_state: replace
+      check_mode: true
+      register: output_replace_labels_4
+
+    - name: assert replacing labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_replace_labels_1 is changed'
+          - 'output_replace_labels_2 is changed'
+          - 'output_replace_labels_3 is not changed'
+          - 'output_replace_labels_4 is not changed'
+          - 'output_replace_labels_2.node.Spec.Labels | length == 2'
+          - '"label6" not in output_replace_labels_2.node.Spec.Labels'
+          - 'output_replace_labels_2.node.Spec.Labels.label12 == "value12"'
+
+  ####################################################################
+  ## Remove all labels #############################################
+  ####################################################################
+
+    - name: Remove all labels from swarm node (check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_state: replace
+      check_mode: true
+      register: output_remove_labels_1
+
+    - name: Remove all labels from swarm node
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_state: replace
+      register: output_remove_labels_2
+
+    - name: Remove all labels from swarm node (idempotent)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_state: replace
+      register: output_remove_labels_3
+
+    - name: Remove all labels from swarm node (idempotent check)
+      community.docker.docker_node:
+        hostname: "{{ nodeid }}"
+        labels_state: replace
+      check_mode: true
+      register: output_remove_labels_4
+
+    - name: assert removing all labels from swarm node
+      ansible.builtin.assert:
+        that:
+          - 'output_remove_labels_1 is changed'
+          - 'output_remove_labels_2 is changed'
+          - 'output_remove_labels_3 is not changed'
+          - 'output_remove_labels_4 is not changed'
+          - 'output_remove_labels_2.node.Spec.Labels | length == 0'
+
+  always:
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/aliases
new file mode 100644
index 00000000..9eec55e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/main.yml
new file mode 100644
index 00000000..872273d0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_node_info.yml
+  when: docker_py_version is version('2.4.0', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_node_info tests!"
+  when: not(docker_py_version is version('2.4.0', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/test_node_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/test_node_info.yml
new file mode 100644
index 00000000..8a6e5e55
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_node_info/tasks/test_node_info.yml
@@ -0,0 +1,92 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Try to get docker_node_info when docker is not running in swarm mode
+      community.docker.docker_node_info:
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called when swarm is not in use or not run on manager node
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "Error running docker swarm module: must run on swarm manager node"'
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+      register: output
+
+    - name: assert changed when create a new swarm cluster
+      ansible.builtin.assert:
+        that:
+          - 'output is changed'
+          - '(output.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+
+    - name: Try to get docker_node_info when docker is running in swarm mode and as manager
+      community.docker.docker_node_info:
+      register: output
+
+    - name: assert reading docker swarm node facts
+      ansible.builtin.assert:
+        that:
+          - 'output.nodes | length > 0'
+          - 'output.nodes[0].ID is string'
+
+    - name: Try to get docker_node_info using the self parameter
+      community.docker.docker_node_info:
+        self: true
+      register: output
+
+    - name: assert reading swarm facts with list of nodes option
+      ansible.builtin.assert:
+        that:
+          - 'output.nodes | length == 1'
+          - 'output.nodes[0].ID is string'
+
+    - name: Get local docker node name
+      ansible.builtin.set_fact:
+        localnodename: "{{ output.nodes[0].Description.Hostname }}"
+
+
+    - name: Try to get docker_node_info using the local node name as parameter
+      community.docker.docker_node_info:
+        name: "{{ localnodename }}"
+      register: output
+
+    - name: assert reading reading swarm facts and using node filter (random node name)
+      ansible.builtin.assert:
+        that:
+          - 'output.nodes | length == 1'
+          - 'output.nodes[0].ID is string'
+
+    - name: Create random name
+      ansible.builtin.set_fact:
+        randomnodename: "{{ 'node-%0x' % ((2**32) | random) }}"
+
+    - name: Try to get docker_node_info using random node name as parameter
+      community.docker.docker_node_info:
+        name: "{{ randomnodename }}"
+      register: output
+
+    - name: assert reading reading swarm facts and using node filter (random node name)
+      ansible.builtin.assert:
+        that:
+          - 'output.nodes | length == 0'
+
+  always:
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/main.yml
new file mode 100644
index 00000000..5d20c8a3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "vieux/sshfs"
+    plugin_names: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- name: Check whether /dev/fuse exists
+  ansible.builtin.stat:
+    path: /dev/fuse
+  register: dev_fuse_stat
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure plugin is removed"
+      community.docker.docker_plugin:
+        plugin_name: "{{ item }}"
+        state: absent
+      with_items: "{{ plugin_names }}"
+
+  when: docker_api_version is version('1.25', '>=') and dev_fuse_stat.stat.exists
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_plugin tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic.yml
new file mode 100644
index 00000000..4e162bbf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic.yml
@@ -0,0 +1,192 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering plugin name
+  ansible.builtin.set_fact:
+    plugin_name: "{{ name_prefix }}"
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    plugin_names: "{{ plugin_names + [plugin_name] }}"
+
+############ basic test ############
+####################################
+
+- name: Create a plugin (check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: present
+  register: create_1_check
+  check_mode: true
+
+- name: Create a plugin
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: present
+  register: create_1
+
+- name: Create a plugin (Idempotent, check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: present
+  register: create_2_check
+  check_mode: true
+
+- name: Create a plugin (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: present
+  register: create_2
+
+- name: Enable a plugin (check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: enable
+  register: create_3_check
+  check_mode: true
+
+- name: Enable a plugin
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: enable
+  register: create_3
+
+- name: Enable a plugin (Idempotent, check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: enable
+  register: create_4_check
+  check_mode: true
+
+- name: Enable a plugin (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: enable
+  register: create_4
+
+- name: Disable a plugin (check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: disable
+  register: absent_1_check
+  check_mode: true
+
+- name: Disable a plugin
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: disable
+  register: absent_1
+
+- name: Disable a plugin (Idempotent, check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: disable
+  register: absent_2_check
+  check_mode: true
+
+- name: Disable a plugin (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: disable
+  register: absent_2
+
+- name: Remove a plugin (check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+  register: absent_3_check
+  check_mode: true
+
+- name: Remove a plugin
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+  register: absent_3
+
+- name: Remove a plugin (Idempotent, check mode)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+  register: absent_4_check
+  check_mode: true
+
+- name: Remove a plugin (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+  register: absent_4
+
+- name: Cleanup
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+    force_remove: true
+
+- ansible.builtin.assert:
+    that:
+      - create_1_check is changed
+      - create_1 is changed
+      - create_2_check is not changed
+      - create_2 is not changed
+      - create_3_check is changed
+      - create_3 is changed
+      - create_4_check is not changed
+      - create_4 is not changed
+      - absent_1_check is changed
+      - absent_1 is changed
+      - absent_2_check is not changed
+      - absent_2 is not changed
+      - absent_3_check is changed
+      - absent_3 is changed
+      - absent_4_check is not changed
+      - absent_4 is not changed
+
+############ Plugin_Options ############
+########################################
+
+- name: Install a plugin with options
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    plugin_options:
+      DEBUG: '1'
+    state: present
+  register: create_1
+
+- name: Install a plugin with options (idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    plugin_options:
+      DEBUG: '1'
+    state: present
+  register: create_2
+
+- name: Install a plugin with different options
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    plugin_options:
+      DEBUG: '0'
+    state: present
+  register: update_1
+
+- name: Install a plugin with different options (idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    plugin_options:
+      DEBUG: '0'
+    state: present
+  register: update_2
+
+- name: Cleanup
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    state: absent
+    force_remove: true
+
+- ansible.builtin.assert:
+    that:
+      - create_1 is changed
+      - create_2 is not changed
+      - update_1 is changed
+      - update_2 is not changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic_with_alias.yml b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic_with_alias.yml
new file mode 100644
index 00000000..fe5d2cf4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_plugin/tasks/tests/basic_with_alias.yml
@@ -0,0 +1,83 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Register plugin name and alias
+  ansible.builtin.set_fact:
+    plugin_name: "{{ name_prefix }}"
+    alias: "test"
+
+- name: Create a plugin with an alias
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: present
+  register: create_1
+
+- name: Create a plugin  with an alias (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: present
+  register: create_2
+
+- name: Enable a plugin with an alias
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: enable
+  register: create_3
+
+- name: Enable a plugin with an alias (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: enable
+  register: create_4
+
+- name: Disable a plugin with an alias
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: disable
+  register: absent_1
+
+- name: Disable a plugin with an alias (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: disable
+  register: absent_2
+
+- name: Remove a plugin with an alias
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: absent
+  register: absent_3
+
+- name: Remove a plugin with an alias (Idempotent)
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: absent
+  register: absent_4
+
+- ansible.builtin.assert:
+    that:
+      - create_1 is changed
+      - create_2 is not changed
+      - create_3 is changed
+      - create_4 is not changed
+      - absent_1 is changed
+      - absent_2 is not changed
+      - absent_3 is changed
+      - absent_4 is not changed
+
+- name: Cleanup plugin with an alias
+  community.docker.docker_plugin:
+    plugin_name: "{{ plugin_name }}"
+    alias: "{{ alias }}"
+    state: absent
+    force_remove: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_prune/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_prune/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_prune/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_prune/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_prune/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_prune/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_prune/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_prune/tasks/main.yml
new file mode 100644
index 00000000..33358766
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_prune/tasks/main.yml
@@ -0,0 +1,175 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Create random names
+  ansible.builtin.set_fact:
+    cname: "{{ 'ansible-container-%0x' % ((2**32) | random) }}"
+    nname: "{{ 'ansible-network-%0x' % ((2**32) | random) }}"
+    vname: "{{ 'ansible-volume-%0x' % ((2**32) | random) }}"
+
+- block:
+    # Create objects to be pruned
+    - name: Create container (without volume)
+      community.docker.docker_container:
+        name: "{{ cname }}"
+        image: "{{ docker_test_image_hello_world }}"
+        state: present
+      register: container
+    - name: Create network
+      community.docker.docker_network:
+        name: "{{ nname }}"
+        state: present
+      register: network
+    - name: Create named volume
+      community.docker.docker_volume:
+        name: "{{ vname }}"
+        state: present
+      register: volume
+    - name: Create anonymous volume
+      ansible.builtin.command: docker volume create
+      register: volume_anon
+
+    - name: List volumes
+      ansible.builtin.command: docker volume list
+
+    # Prune objects
+    - name: Prune everything
+      community.docker.docker_prune:
+        containers: true
+        images: true
+        networks: true
+        volumes: true
+        builder_cache: true
+      register: result
+
+    # Analyze result
+    - name: Show results
+      ansible.builtin.debug:
+        var: result
+    - name: General checks
+      ansible.builtin.assert:
+        that:
+          - result is changed
+          # containers
+          - container.container.Id in result.containers
+          - "'containers_space_reclaimed' in result"
+          # images
+          - "'images_space_reclaimed' in result"
+          # networks
+          - network.network.Name in result.networks
+          # volumes
+          - volume_anon.stdout in result.volumes
+          - "'volumes_space_reclaimed' in result"
+          # builder_cache
+          - "'builder_cache_space_reclaimed' in result"
+    - name: API-version specific volumes check (API version before 1.42)
+      ansible.builtin.assert:
+        that:
+          # For API version 1.41 and before, pruning always considers all volumes
+          - volume.volume.Name in result.volumes
+      when: docker_api_version is version('1.42', '<')
+    - name: API-version specific volumes check (API version 1.42+)
+      ansible.builtin.assert:
+        that:
+          # For API version 1.41 and before, pruning considers only anonymous volumes,
+          # so our named container is not removed
+          - volume.volume.Name not in result.volumes
+      when: docker_api_version is version('1.42', '>=')
+
+    # Prune objects again
+    - name: Prune everything again (should have no change)
+      community.docker.docker_prune:
+        containers: true
+        images: true
+        networks: true
+        volumes: true
+        builder_cache: true
+      register: result
+
+    # Analyze result
+    - name: Show results
+      ansible.builtin.debug:
+        var: result
+    - name: General checks
+      ansible.builtin.assert:
+        that:
+          - result is not changed
+          # containers
+          - result.containers == []
+          - result.containers_space_reclaimed == 0
+          # images
+          - result.images == []
+          - result.images_space_reclaimed == 0
+          # networks
+          - result.networks == []
+          # volumes
+          - result.volumes == []
+          # builder_cache
+          - result.builder_cache_space_reclaimed == 0
+
+    # Test with filters
+    - name: Prune with filters
+      community.docker.docker_prune:
+        images: true
+        images_filters:
+          dangling: true
+      register: result
+
+    - name: Show results
+      ansible.builtin.debug:
+        var: result
+
+    - name: Prune build cache (API version 1.39+)
+      when: docker_api_version is version('1.39', '>=')
+      block:
+        - name: Prune build cache with option
+          community.docker.docker_prune:
+            builder_cache: true
+            builder_cache_all: true
+            builder_cache_filters:
+              until: 10m
+            builder_cache_keep_storage: 1MB
+          register: result
+
+        - name: Show results
+          ansible.builtin.debug:
+            var: result
+
+        - name: Check results
+          ansible.builtin.assert:
+            that:
+              - "'builder_cache_space_reclaimed' in result"
+              - "'builder_cache_caches_deleted' in result"
+
+    - name: Prune volumes with all filter (API version 1.42+)
+      when: docker_api_version is version('1.42', '>=')
+      block:
+        - name: Prune with filters
+          community.docker.docker_prune:
+            volumes: true
+            volumes_filters:
+              all: true
+          register: result
+
+        - name: Show results
+          ansible.builtin.debug:
+            var: result
+
+        - name: Check results
+          ansible.builtin.assert:
+            that:
+              - result is changed
+              - volume.volume.Name in result.volumes
+              - "'volumes_space_reclaimed' in result"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_prune tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_secret/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_secret/aliases
new file mode 100644
index 00000000..fc581d54
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_secret/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/3
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_secret/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_secret/meta/main.yml
new file mode 100644
index 00000000..9eeb6626
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_secret/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/main.yml
new file mode 100644
index 00000000..7d222a3d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_secrets.yml
+  when: docker_py_version is version('2.1.0', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_secrets tests!"
+  when: not(docker_py_version is version('2.1.0', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/test_secrets.yml b/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/test_secrets.yml
new file mode 100644
index 00000000..6cf163c0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_secret/tasks/test_secrets.yml
@@ -0,0 +1,222 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - name: Parameter name should be required
+      community.docker.docker_secret:  # noqa: args[module]
+        state: present
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called with no name
+      ansible.builtin.assert:
+        that:
+          - 'output.failed'
+          - 'output.msg == "missing required arguments: name"'
+
+    - name: Test parameters
+      community.docker.docker_secret:  # noqa: args[module]
+        name: foo
+        state: present
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called with no data
+      ansible.builtin.assert:
+        that:
+          - 'output.failed'
+          - 'output.msg == "state is present but any of the following are missing: data, data_src"'
+
+    - name: Create secret
+      community.docker.docker_secret:
+        name: db_password
+        data: opensesame!
+        state: present
+      register: output
+
+    - name: Create variable secret_id
+      ansible.builtin.set_fact:
+        secret_id: "{{ output.secret_id }}"
+
+    - name: Inspect secret
+      ansible.builtin.command: "docker secret inspect {{ secret_id }}"
+      register: inspect
+      ignore_errors: true
+
+    - ansible.builtin.debug: var=inspect
+
+    - name: assert secret creation succeeded
+      ansible.builtin.assert:
+        that:
+          - "'db_password' in inspect.stdout"
+          - "'ansible_key' in inspect.stdout"
+      when: inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in inspect.stderr"
+      when: inspect is failed
+
+    - name: Create secret again
+      community.docker.docker_secret:
+        name: db_password
+        data: opensesame!
+        state: present
+      register: output
+
+    - name: assert create secret is idempotent
+      ansible.builtin.assert:
+        that:
+          - not output.changed
+
+    - name: Write secret into file
+      ansible.builtin.copy:
+        dest: "{{ remote_tmp_dir }}/data"
+        content: |-
+          opensesame!
+
+    - name: Create secret again (from file)
+      community.docker.docker_secret:
+        name: db_password
+        data_src: "{{ remote_tmp_dir }}/data"
+        state: present
+      register: output
+
+    - name: assert create secret is idempotent
+      ansible.builtin.assert:
+        that:
+          - not output.changed
+
+    - name: Create secret again (base64)
+      community.docker.docker_secret:
+        name: db_password
+        data: b3BlbnNlc2FtZSE=
+        data_is_b64: true
+        state: present
+      register: output
+
+    - name: assert create secret (base64) is idempotent
+      ansible.builtin.assert:
+        that:
+          - not output.changed
+
+    - name: Update secret
+      community.docker.docker_secret:
+        name: db_password
+        data: newpassword!
+        state: present
+      register: output
+
+    - name: assert secret was updated
+      ansible.builtin.assert:
+        that:
+          - output.changed
+          - output.secret_id != secret_id
+
+    - name: Remove secret
+      community.docker.docker_secret:
+        name: db_password
+        state: absent
+
+    - name: Check that secret is removed
+      ansible.builtin.command: "docker secret inspect {{ secret_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: assert secret was removed
+      ansible.builtin.assert:
+        that:
+          - output.failed
+
+  # Rolling update
+
+    - name: Create rolling secret
+      community.docker.docker_secret:
+        name: rolling_password
+        data: opensesame!
+        rolling_versions: true
+        state: present
+      register: original_output
+
+    - name: Create variable secret_id
+      ansible.builtin.set_fact:
+        secret_id: "{{ original_output.secret_id }}"
+
+    - name: Inspect secret
+      ansible.builtin.command: "docker secret inspect {{ secret_id }}"
+      register: inspect
+      ignore_errors: true
+
+    - ansible.builtin.debug: var=inspect
+
+    - name: assert secret creation succeeded
+      ansible.builtin.assert:
+        that:
+          - "'rolling_password' in inspect.stdout"
+          - "'ansible_key' in inspect.stdout"
+          - "'ansible_version' in inspect.stdout"
+          - original_output.secret_name == 'rolling_password_v1'
+      when: inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in inspect.stderr"
+      when: inspect is failed
+
+    - name: Create secret again
+      community.docker.docker_secret:
+        name: rolling_password
+        data: newpassword!
+        rolling_versions: true
+        state: present
+      register: new_output
+
+    - name: assert that new version is created
+      ansible.builtin.assert:
+        that:
+          - new_output.changed
+          - new_output.secret_id != original_output.secret_id
+          - new_output.secret_name != original_output.secret_name
+          - new_output.secret_name == 'rolling_password_v2'
+
+    - name: Remove rolling secrets
+      community.docker.docker_secret:
+        name: rolling_password
+        rolling_versions: true
+        state: absent
+
+    - name: Check that secret is removed
+      ansible.builtin.command: "docker secret inspect {{ original_output.secret_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: assert secret was removed
+      ansible.builtin.assert:
+        that:
+          - output.failed
+
+    - name: Check that secret is removed
+      ansible.builtin.command: "docker secret inspect {{ new_output.secret_id }}"
+      register: output
+      ignore_errors: true
+
+    - name: assert secret was removed
+      ansible.builtin.assert:
+        that:
+          - output.failed
+
+  always:
+    - name: Remove Swarm cluster
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_stack/aliases
new file mode 100644
index 00000000..9eec55e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/meta/main.yml
new file mode 100644
index 00000000..7665e161
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python  # needed for the Swarm modules
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/main.yml
new file mode 100644
index 00000000..86570b3e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_stack.yml
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_stack tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/test_stack.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/test_stack.yml
new file mode 100644
index 00000000..7365bc4f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/tasks/test_stack.yml
@@ -0,0 +1,117 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - name: install docker_stack python requirements
+      ansible.builtin.pip:
+        name: jsondiff,pyyaml
+
+    - name: Create a stack without name
+      register: output
+      community.docker.docker_stack:  # noqa: args[module]
+        state: present
+      ignore_errors: true
+
+    - name: assert failure when name not set
+      ansible.builtin.assert:
+        that:
+          - output is failed
+          - 'output.msg == "missing required arguments: name"'
+
+    - name: Create a stack without compose
+      register: output
+      community.docker.docker_stack:
+        name: test_stack
+      ignore_errors: true
+
+    - name: assert failure when compose not set
+      ansible.builtin.assert:
+        that:
+          - output is failed
+          - 'output.msg == "compose parameter must be a list containing at least one element"'
+
+    - name: Ensure stack is absent
+      register: output
+      community.docker.docker_stack:
+        state: absent
+        name: test_stack
+        absent_retries: 30
+
+    - name: Template compose files
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ remote_tmp_dir }}/"
+      with_items:
+        - stack_compose_base.yml
+        - stack_compose_overrides.yml
+
+    - name: Create stack with compose file
+      register: output
+      community.docker.docker_stack:
+        state: present
+        name: test_stack
+        compose:
+          - "{{ remote_tmp_dir }}/stack_compose_base.yml"
+
+    - name: assert test_stack changed on stack creation with compose file
+      ansible.builtin.assert:
+        that:
+          - output is changed
+
+    # FIXME: updating the stack prevents leaving the swarm on Shippable
+    # - name: Update stack with YAML
+    #   register: output
+    #   docker_stack:
+    #     state: present
+    #     name: test_stack
+    #     compose:
+    #     - "{{ stack_compose_base }}"
+    #     - "{{ stack_compose_overrides }}"
+    #
+    # - name: assert test_stack correctly changed on update with yaml
+    #   assert:
+    #     that:
+    #     - output is changed
+    #     - output.stack_spec_diff == stack_update_expected_diff
+
+    - name: Delete stack
+      register: output
+      community.docker.docker_stack:
+        state: absent
+        name: test_stack
+        absent_retries: 30
+
+    - name: assert delete of existing stack returns changed
+      ansible.builtin.assert:
+        that:
+          - output is changed
+
+    - name: Delete stack again
+      register: output
+      community.docker.docker_stack:
+        state: absent
+        name: test_stack
+        absent_retries: 30
+
+    - name: assert state=absent idempotency
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+  always:
+    - name: Remove a Swarm cluster
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_base.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_base.yml
new file mode 100644
index 00000000..86b89bb3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_base.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    image: "{{ docker_test_image_busybox }}"
+    command: sleep 3600
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_overrides.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_overrides.yml
new file mode 100644
index 00000000..16991c48
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/templates/stack_compose_overrides.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    environment:
+      envvar: value
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack/vars/main.yml
new file mode 100644
index 00000000..b0d58cf8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack/vars/main.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+stack_compose_base:
+  version: '3'
+  services:
+    busybox:
+      image: "{{ docker_test_image_busybox }}"
+      command: sleep 3600
+
+stack_compose_overrides:
+  version: '3'
+  services:
+    busybox:
+      environment:
+        envvar: value
+
+stack_update_expected_diff: '{"test_stack_busybox": {"TaskTemplate": {"ContainerSpec": {"Env": ["envvar=value"]}}}}'
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/aliases
new file mode 100644
index 00000000..9eec55e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/meta/main.yml
new file mode 100644
index 00000000..7665e161
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python  # needed for the Swarm modules
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/main.yml
new file mode 100644
index 00000000..3dab37da
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_stack_info.yml
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_stack tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/test_stack_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/test_stack_info.yml
new file mode 100644
index 00000000..a2d4c61e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/tasks/test_stack_info.yml
@@ -0,0 +1,78 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Get docker_stack_info when docker is not running in swarm mode
+      community.docker.docker_stack_info:
+      ignore_errors: true
+      register: output
+
+    - name: Assert failure when called when swarm is not running
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - '"Error response from daemon: This node is not a swarm manager" in output.msg'
+
+    - name: Create a swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - name: Get docker_stack_info when docker is running and not stack available
+      community.docker.docker_stack_info:
+      register: output
+
+    - name: Assert stack facts
+      ansible.builtin.assert:
+        that:
+          - 'output.results | type_debug == "list"'
+          - 'output.results | length == 0'
+
+    - name: Template compose files
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ remote_tmp_dir }}/"
+      with_items:
+        - stack_compose_base.yml
+        - stack_compose_overrides.yml
+
+    - name: Install docker_stack python requirements
+      ansible.builtin.pip:
+        name: jsondiff,pyyaml
+
+    - name: Create stack with compose file
+      register: output
+      community.docker.docker_stack:
+        state: present
+        name: test_stack
+        compose:
+          - "{{ remote_tmp_dir }}/stack_compose_base.yml"
+
+    - name: Assert test_stack changed on stack creation with compose file
+      ansible.builtin.assert:
+        that:
+          - output is changed
+
+    - name: Get docker_stack_info when docker is running
+      community.docker.docker_stack_info:
+      register: output
+
+    - name: assert stack facts
+      ansible.builtin.assert:
+        that:
+          - 'output.results | type_debug == "list"'
+          - 'output.results[0].Name == "test_stack"'
+          - 'output.results[0].Services == "1"'
+
+  always:
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_base.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_base.yml
new file mode 100644
index 00000000..86b89bb3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_base.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    image: "{{ docker_test_image_busybox }}"
+    command: sleep 3600
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_overrides.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_overrides.yml
new file mode 100644
index 00000000..16991c48
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/templates/stack_compose_overrides.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    environment:
+      envvar: value
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/vars/main.yml
new file mode 100644
index 00000000..b0d58cf8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_info/vars/main.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+stack_compose_base:
+  version: '3'
+  services:
+    busybox:
+      image: "{{ docker_test_image_busybox }}"
+      command: sleep 3600
+
+stack_compose_overrides:
+  version: '3'
+  services:
+    busybox:
+      environment:
+        envvar: value
+
+stack_update_expected_diff: '{"test_stack_busybox": {"TaskTemplate": {"ContainerSpec": {"Env": ["envvar=value"]}}}}'
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/aliases
new file mode 100644
index 00000000..9eec55e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/meta/main.yml
new file mode 100644
index 00000000..7665e161
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python  # needed for the Swarm modules
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/main.yml
new file mode 100644
index 00000000..e401421f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_stack_task_info.yml
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_stack tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/test_stack_task_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/test_stack_task_info.yml
new file mode 100644
index 00000000..46dd1e43
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/tasks/test_stack_task_info.yml
@@ -0,0 +1,88 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Get docker_stack_info when docker is not running in swarm mode
+      community.docker.docker_stack_info:
+      ignore_errors: true
+      register: output
+
+    - name: Assert failure when called when swarm is not running
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - '"Error response from daemon: This node is not a swarm manager" in output.msg'
+
+    - name: Create a swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - name: Get docker_stack_info when docker is running and not stack available
+      community.docker.docker_stack_info:
+      register: output
+
+    - name: Assert stack facts
+      ansible.builtin.assert:
+        that:
+          - 'output.results | type_debug == "list"'
+          - 'output.results | length == 0'
+
+    - name: Template compose files
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ remote_tmp_dir }}/"
+      with_items:
+        - stack_compose_base.yml
+        - stack_compose_overrides.yml
+
+    - name: Install docker_stack python requirements
+      ansible.builtin.pip:
+        name: jsondiff,pyyaml
+
+    - name: Create stack with compose file
+      register: output
+      community.docker.docker_stack:
+        state: present
+        name: test_stack
+        compose:
+          - "{{ remote_tmp_dir }}/stack_compose_base.yml"
+
+    - name: Assert test_stack changed on stack creation with compose file
+      ansible.builtin.assert:
+        that:
+          - output is changed
+
+    - name: Wait a bit to make sure stack is running
+      ansible.builtin.pause:
+        seconds: 5
+
+    - name: Get docker_stack_info when docker is running
+      community.docker.docker_stack_info:
+      register: output
+
+    - name: Get docker_stack_task_info first element
+      community.docker.docker_stack_task_info:
+        name: "{{ output.results[0].Name }}"
+      register: output
+
+    - name: assert stack facts
+      ansible.builtin.assert:
+        that:
+          - 'output.results | type_debug == "list"'
+          - 'output.results[0].DesiredState == "Running"'
+          - 'output.results[0].Image == docker_test_image_busybox'
+          - 'output.results[0].Name == "test_stack_busybox.1"'
+
+  always:
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_base.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_base.yml
new file mode 100644
index 00000000..86b89bb3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_base.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    image: "{{ docker_test_image_busybox }}"
+    command: sleep 3600
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_overrides.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_overrides.yml
new file mode 100644
index 00000000..16991c48
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/templates/stack_compose_overrides.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: '3'
+services:
+  busybox:
+    environment:
+      envvar: value
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/vars/main.yml
new file mode 100644
index 00000000..b0d58cf8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_stack_task_info/vars/main.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+stack_compose_base:
+  version: '3'
+  services:
+    busybox:
+      image: "{{ docker_test_image_busybox }}"
+      command: sleep 3600
+
+stack_compose_overrides:
+  version: '3'
+  services:
+    busybox:
+      environment:
+        envvar: value
+
+stack_update_expected_diff: '{"test_stack_busybox": {"TaskTemplate": {"ContainerSpec": {"Env": ["envvar=value"]}}}}'
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/aliases
new file mode 100644
index 00000000..19c65551
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/1
+destructive
+needs/root
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/meta/main.yml
new file mode 100644
index 00000000..13f97ae2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/meta/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
+  - setup_openssl
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/cleanup.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/cleanup.yml
new file mode 100644
index 00000000..076ffd31
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/cleanup.yml
@@ -0,0 +1,38 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: CLEANUP | Leave Docker Swarm
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+  ignore_errors: true
+  register: leave_swarm
+
+- name: CLEANUP | Kill Docker and cleanup
+  when: leave_swarm is failed
+  block:
+    - name: CLEANUP | Kill docker daemon
+      ansible.builtin.command: systemctl kill -s 9 docker
+      become: true
+
+    - name: CLEANUP | Clear out /var/lib/docker
+      ansible.builtin.shell: rm -rf  /var/lib/docker/*
+
+    - name: CLEANUP | Start docker daemon
+      ansible.builtin.service:
+        name: docker
+        state: started
+      become: true
+
+    - name: CLEANUP | Wait for docker daemon to be fully started
+      ansible.builtin.command: docker ps
+      register: result
+      until: result is success
+      retries: 10
+
+    - name: CLEANUP | Leave Docker Swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/main.yml
new file mode 100644
index 00000000..cf08537a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Run Docker Swarm tests
+  when:
+    - docker_py_version is version('1.10.0', '>=')
+    - docker_api_version is version('1.25', '>=')
+
+  block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - ansible.builtin.import_tasks: cleanup.yml
+
+- ansible.builtin.fail:
+    msg: "Too old docker / docker-py version to run docker_swarm tests!"
+  when:
+    - not(docker_py_version is version('1.10.0', '>=') and docker_api_version is version('1.25', '>='))
+    - (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/basic.yml
new file mode 100644
index 00000000..46e2a25f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/basic.yml
@@ -0,0 +1,163 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.debug:
+    msg: Running tests/basic.yml
+
+####################################################################
+## Errors ##########################################################
+####################################################################
+- name: Test parameters with state=join
+  community.docker.docker_swarm:  # noqa: args[module]
+    state: join
+  ignore_errors: true
+  register: output
+
+- name: assert failure when called with state=join and no remote_addrs,join_token
+  ansible.builtin.assert:
+    that:
+      - 'output.failed'
+      - 'output.msg == "state is join but all of the following are missing: remote_addrs, join_token"'
+
+- name: Test parameters with state=remove
+  community.docker.docker_swarm:  # noqa: args[module]
+    state: remove
+  ignore_errors: true
+  register: output
+
+- name: assert failure when called with state=remove and no node_id
+  ansible.builtin.assert:
+    that:
+      - 'output.failed'
+      - 'output.msg == "state is remove but all of the following are missing: node_id"'
+
+####################################################################
+## Creation ########################################################
+####################################################################
+
+- name: Create a Swarm cluster (check mode)
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: Create a Swarm cluster
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+  diff: true
+  register: output_2
+
+- name: Create a Swarm cluster (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+  diff: true
+  register: output_3
+
+- name: Create a Swarm cluster (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: Create a Swarm cluster (force re-create)
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+    force: true
+  diff: true
+  register: output_5
+
+- name: Create a Swarm cluster (force re-create, check mode)
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+    force: true
+  check_mode: true
+  diff: true
+  register: output_6
+
+- name: assert changed when create a new swarm cluster
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - '(output_2.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+      - 'output_2.swarm_facts.JoinTokens.Manager is truthy'
+      - 'output_2.swarm_facts.JoinTokens.Worker is truthy'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## Removal #########################################################
+####################################################################
+
+- name: Remove a Swarm cluster (check mode)
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: Remove a Swarm cluster
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+  diff: true
+  register: output_2
+
+- name: Remove a Swarm cluster (idempotent)
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+  diff: true
+  register: output_3
+
+- name: Remove a Swarm cluster (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: assert changed when remove a swarm cluster
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Node has left the swarm cluster"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+
+- ansible.builtin.include_tasks: cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options-ca.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options-ca.yml
new file mode 100644
index 00000000..c965162b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options-ca.yml
@@ -0,0 +1,133 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.debug:
+    msg: Running tests/options-ca.yml
+- name: options-ca
+  when: cryptography_version.stdout is version('1.6', '>=')
+  block:
+    - name: Generate privatekey
+      loop:
+        - key1
+        - key2
+      loop_control:
+        loop_var: key
+      community.crypto.openssl_privatekey:
+        path: '{{ remote_tmp_dir }}/ansible_{{ key }}.key'
+        size: 2048
+        mode: '0666'
+    - name: Generate CSR
+      loop:
+        - key1
+        - key2
+      loop_control:
+        loop_var: key
+      community.crypto.openssl_csr:
+        path: '{{ remote_tmp_dir }}/ansible_{{ key }}.csr'
+        privatekey_path: '{{ remote_tmp_dir }}/ansible_{{ key }}.key'
+        basic_constraints:
+          - CA:TRUE
+        key_usage:
+          - keyCertSign
+    - name: Generate self-signed certificate
+      loop:
+        - key1
+        - key2
+      loop_control:
+        loop_var: key
+      community.crypto.x509_certificate:
+        path: '{{ remote_tmp_dir }}/ansible_{{ key }}.pem'
+        privatekey_path: '{{ remote_tmp_dir }}/ansible_{{ key }}.key'
+        csr_path: '{{ remote_tmp_dir }}/ansible_{{ key }}.csr'
+        provider: selfsigned
+    - name: Load certificates
+      ansible.builtin.slurp:
+        src: '{{ remote_tmp_dir }}/{{ item }}'
+      loop:
+        - ansible_key1.pem
+        - ansible_key2.pem
+      register: ansible_certificates
+    - name: Load certificate keys
+      ansible.builtin.slurp:
+        src: '{{ remote_tmp_dir }}/{{ item }}'
+      loop:
+        - ansible_key1.key
+        - ansible_key2.key
+      register: ansible_keys
+    - name: signing_ca_cert and signing_ca_key (check mode)
+      community.docker.docker_swarm:
+        advertise_addr: '{{ ansible_default_ipv4.address | default("127.0.0.1") }}'
+        state: present
+        signing_ca_cert: '{{ ansible_certificates.results[0].content | b64decode }}'
+        signing_ca_key: '{{ ansible_keys.results[0].content | b64decode }}'
+        timeout: 120
+      check_mode: true
+      diff: true
+      register: output_1
+      ignore_errors: true
+    - name: signing_ca_cert and signing_ca_key
+      community.docker.docker_swarm:
+        advertise_addr: '{{ ansible_default_ipv4.address | default("127.0.0.1") }}'
+        state: present
+        signing_ca_cert: '{{ ansible_certificates.results[0].content | b64decode }}'
+        signing_ca_key: '{{ ansible_keys.results[0].content | b64decode }}'
+        timeout: 120
+      diff: true
+      register: output_2
+      ignore_errors: true
+    - name: Private key
+      ansible.builtin.debug: msg="{{ ansible_keys.results[0].content | b64decode }}"
+    - name: Cert
+      ansible.builtin.debug: msg="{{ ansible_certificates.results[0].content | b64decode }}"
+    - community.docker.docker_swarm_info:
+      register: output
+      ignore_errors: true
+    - ansible.builtin.debug: var=output
+    - name: signing_ca_cert and signing_ca_key (change, check mode)
+      community.docker.docker_swarm:
+        state: present
+        signing_ca_cert: '{{ ansible_certificates.results[1].content | b64decode }}'
+        signing_ca_key: '{{ ansible_keys.results[1].content | b64decode }}'
+        timeout: 120
+      check_mode: true
+      diff: true
+      register: output_5
+      ignore_errors: true
+    - name: signing_ca_cert and signing_ca_key (change)
+      community.docker.docker_swarm:
+        state: present
+        signing_ca_cert: '{{ ansible_certificates.results[1].content | b64decode }}'
+        signing_ca_key: '{{ ansible_keys.results[1].content | b64decode }}'
+        timeout: 120
+      diff: true
+      register: output_6
+      ignore_errors: true
+    - name: assert signing_ca_cert and signing_ca_key
+      ansible.builtin.assert:
+        that:
+          - output_1 is changed
+          - '(output_1.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+          - output_1.diff.before is defined
+          - output_1.diff.after is defined
+          - output_2 is changed
+          - '(output_2.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+          - output_2.diff.before is defined
+          - output_2.diff.after is defined
+          - output_5 is changed
+          - output_5.actions[0] == "Swarm cluster updated"
+          - output_5.diff.before is defined
+          - output_5.diff.after is defined
+          - output_6 is changed
+          - output_6.actions[0] == "Swarm cluster updated"
+          - output_6.diff.before is defined
+          - output_6.diff.after is defined
+      when: docker_py_version is version('2.6.0', '>=')
+    - ansible.builtin.assert:
+        that:
+          - output_1 is failed
+          - ('version is ' ~ docker_py_version ~ ' ') in output_1.msg
+          - '"Minimum version required is 2.6.0 " in output_1.msg'
+      when: docker_py_version is version('2.6.0', '<')
+    - ansible.builtin.include_tasks: cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options.yml
new file mode 100644
index 00000000..98fe693d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/options.yml
@@ -0,0 +1,1163 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.debug:
+    msg: Running tests/options.yml
+
+- name: Create a Swarm cluster
+  community.docker.docker_swarm:
+    state: present
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+    name: default
+  diff: true
+
+####################################################################
+## autolock_managers ###############################################
+####################################################################
+
+- name: autolock_managers (check mode)
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: true
+  check_mode: true
+  diff: true
+  register: output_1
+  ignore_errors: true
+
+- name: autolock_managers
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: true
+  diff: true
+  register: output_2
+  ignore_errors: true
+
+- name: autolock_managers (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: true
+  diff: true
+  register: output_3
+  ignore_errors: true
+
+- name: autolock_managers (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: true
+  check_mode: true
+  diff: true
+  register: output_4
+  ignore_errors: true
+
+- name: autolock_managers (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: false
+  check_mode: true
+  diff: true
+  register: output_5
+  ignore_errors: true
+
+- name: autolock_managers (change)
+  community.docker.docker_swarm:
+    state: present
+    autolock_managers: false
+  diff: true
+  register: output_6
+  ignore_errors: true
+
+- name: autolock_managers (force new swarm)
+  community.docker.docker_swarm:
+    state: present
+    force: true
+    advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+    autolock_managers: true
+  diff: true
+  register: output_7
+  ignore_errors: true
+
+- name: assert autolock_managers changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+  when: docker_py_version is version('2.6.0', '>=')
+
+- name: assert UnlockKey in swarm_facts
+  ansible.builtin.assert:
+    that:
+      - 'output_2.swarm_facts.UnlockKey is truthy'
+      - 'output_3.swarm_facts.UnlockKey is none'
+      - 'output_6.swarm_facts.UnlockKey is none'
+      - 'output_7.swarm_facts.UnlockKey is truthy'
+  when: docker_py_version is version('2.7.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - output_1 is failed
+      - "('version is ' ~ docker_py_version ~ ' ') in output_1.msg"
+      - "'Minimum version required is 2.6.0 ' in output_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## ca_force_rotate #################################################
+####################################################################
+
+- name: ca_force_rotate (check mode)
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 1
+  check_mode: true
+  diff: true
+  register: output_1
+  ignore_errors: true
+
+- name: ca_force_rotate
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 1
+  diff: true
+  register: output_2
+  ignore_errors: true
+
+- name: ca_force_rotate (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 1
+  diff: true
+  register: output_3
+  ignore_errors: true
+
+- name: ca_force_rotate (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 1
+  check_mode: true
+  diff: true
+  register: output_4
+  ignore_errors: true
+
+- name: ca_force_rotate (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 0
+  check_mode: true
+  diff: true
+  register: output_5
+  ignore_errors: true
+
+- name: ca_force_rotate (change)
+  community.docker.docker_swarm:
+    state: present
+    ca_force_rotate: 0
+  diff: true
+  register: output_6
+  ignore_errors: true
+
+- name: assert ca_force_rotate changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - output_1 is failed
+      - "('version is ' ~ docker_py_version ~ ' ') in output_1.msg"
+      - "'Minimum version required is 2.6.0 ' in output_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## dispatcher_heartbeat_period #####################################
+####################################################################
+
+- name: dispatcher_heartbeat_period (check mode)
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 10
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: dispatcher_heartbeat_period
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 10
+  diff: true
+  register: output_2
+
+- name: dispatcher_heartbeat_period (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 10
+  diff: true
+  register: output_3
+
+- name: dispatcher_heartbeat_period (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 10
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: dispatcher_heartbeat_period (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 23
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: dispatcher_heartbeat_period (change)
+  community.docker.docker_swarm:
+    state: present
+    dispatcher_heartbeat_period: 23
+  diff: true
+  register: output_6
+
+- name: assert dispatcher_heartbeat_period changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## election_tick ###################################################
+####################################################################
+
+- name: election_tick (check mode)
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 20
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: election_tick
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 20
+  diff: true
+  register: output_2
+
+- name: election_tick (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 20
+  diff: true
+  register: output_3
+
+- name: election_tick (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 20
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: election_tick (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 5
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: election_tick (change)
+  community.docker.docker_swarm:
+    state: present
+    election_tick: 5
+  diff: true
+  register: output_6
+
+- name: assert election_tick changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## heartbeat_tick ##################################################
+####################################################################
+
+- name: heartbeat_tick (check mode)
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 2
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: heartbeat_tick
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 2
+  diff: true
+  register: output_2
+
+- name: heartbeat_tick (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 2
+  diff: true
+  register: output_3
+
+- name: heartbeat_tick (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 2
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: heartbeat_tick (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 3
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: heartbeat_tick (change)
+  community.docker.docker_swarm:
+    state: present
+    heartbeat_tick: 3
+  diff: true
+  register: output_6
+
+- name: assert heartbeat_tick changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## keep_old_snapshots ##############################################
+####################################################################
+- name: keep_old_snapshots (check mode)
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 1
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: keep_old_snapshots
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 1
+  diff: true
+  register: output_2
+
+- name: keep_old_snapshots (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 1
+  diff: true
+  register: output_3
+
+- name: keep_old_snapshots (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 1
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: keep_old_snapshots (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 2
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: keep_old_snapshots (change)
+  community.docker.docker_swarm:
+    state: present
+    keep_old_snapshots: 2
+  diff: true
+  register: output_6
+
+- name: assert keep_old_snapshots changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## labels ##########################################################
+####################################################################
+- name: labels (check mode)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      b: v2
+  check_mode: true
+  diff: true
+  register: output_1
+  ignore_errors: true
+
+- name: labels
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      b: v2
+  diff: true
+  register: output_2
+  ignore_errors: true
+
+- name: labels (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      b: v2
+  diff: true
+  register: output_3
+  ignore_errors: true
+
+- name: labels (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      b: v2
+  check_mode: true
+  diff: true
+  register: output_4
+  ignore_errors: true
+
+- name: labels (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      c: v3
+  check_mode: true
+  diff: true
+  register: output_5
+  ignore_errors: true
+
+- name: labels (change)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      c: v3
+  diff: true
+  register: output_6
+  ignore_errors: true
+
+- name: labels (not specifying, check mode)
+  community.docker.docker_swarm:
+    state: present
+  check_mode: true
+  diff: true
+  register: output_7
+  ignore_errors: true
+
+- name: labels (not specifying)
+  community.docker.docker_swarm:
+    state: present
+  diff: true
+  register: output_8
+  ignore_errors: true
+
+- name: labels (idempotency, check that labels are still there)
+  community.docker.docker_swarm:
+    state: present
+    labels:
+      a: v1
+      c: v3
+  diff: true
+  register: output_9
+  ignore_errors: true
+
+- name: labels (empty, check mode)
+  community.docker.docker_swarm:
+    state: present
+    labels: {}
+  check_mode: true
+  diff: true
+  register: output_10
+  ignore_errors: true
+
+- name: labels (empty)
+  community.docker.docker_swarm:
+    state: present
+    labels: {}
+  diff: true
+  register: output_11
+  ignore_errors: true
+
+- name: labels (empty, idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    labels: {}
+  check_mode: true
+  diff: true
+  register: output_12
+  ignore_errors: true
+
+- name: labels (empty, idempotent)
+  community.docker.docker_swarm:
+    state: present
+    labels: {}
+  diff: true
+  register: output_13
+  ignore_errors: true
+
+- name: assert labels changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+      - 'output_7 is not changed'
+      - 'output_7.actions[0] == "No modification"'
+      - 'output_7.diff.before is defined'
+      - 'output_7.diff.after is defined'
+      - 'output_8 is not changed'
+      - 'output_8.actions[0] == "No modification"'
+      - 'output_8.diff.before is defined'
+      - 'output_8.diff.after is defined'
+      - 'output_9 is not changed'
+      - 'output_9.actions[0] == "No modification"'
+      - 'output_9.diff.before is defined'
+      - 'output_9.diff.after is defined'
+      - 'output_10 is changed'
+      - 'output_10.actions[0] == "Swarm cluster updated"'
+      - 'output_10.diff.before is defined'
+      - 'output_10.diff.after is defined'
+      - 'output_11 is changed'
+      - 'output_11.actions[0] == "Swarm cluster updated"'
+      - 'output_11.diff.before is defined'
+      - 'output_11.diff.after is defined'
+      - 'output_12 is not changed'
+      - 'output_12.actions[0] == "No modification"'
+      - 'output_12.diff.before is defined'
+      - 'output_12.diff.after is defined'
+      - 'output_13 is not changed'
+      - 'output_13.actions[0] == "No modification"'
+      - 'output_13.diff.before is defined'
+      - 'output_13.diff.after is defined'
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - output_1 is failed
+      - "('version is ' ~ docker_py_version ~ ' ') in output_1.msg"
+      - "'Minimum version required is 2.6.0 ' in output_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## log_entries_for_slow_followers ##################################
+####################################################################
+- name: log_entries_for_slow_followers (check mode)
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 42
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: log_entries_for_slow_followers
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 42
+  diff: true
+  register: output_2
+
+- name: log_entries_for_slow_followers (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 42
+  diff: true
+  register: output_3
+
+- name: log_entries_for_slow_followers (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 42
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: log_entries_for_slow_followers (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 23
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: log_entries_for_slow_followers (change)
+  community.docker.docker_swarm:
+    state: present
+    log_entries_for_slow_followers: 23
+  diff: true
+  register: output_6
+
+- name: assert log_entries_for_slow_followers changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## name ############################################################
+####################################################################
+- name: name (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    name: default
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: name (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    name: default
+  diff: true
+  register: output_2
+
+# The name 'default' is hardcoded in docker swarm. Trying to change
+# it causes a failure. This might change in the future, so we also
+# accept a change for this test.
+- name: name (change, should fail)
+  community.docker.docker_swarm:
+    state: present
+    name: foobar
+  diff: true
+  register: output_3
+  ignore_errors: true
+
+- name: assert name changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is not changed'
+      - 'output_1.actions[0] == "No modification"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is not changed'
+      - 'output_2.actions[0] == "No modification"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is failed or output_3 is changed'
+
+####################################################################
+## node_cert_expiry ################################################
+####################################################################
+- name: node_cert_expiry (check mode)
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 7896000000000000
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: node_cert_expiry
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 7896000000000000
+  diff: true
+  register: output_2
+
+- name: node_cert_expiry (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 7896000000000000
+  diff: true
+  register: output_3
+
+- name: node_cert_expiry (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 7896000000000000
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: node_cert_expiry (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 8766000000000000
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: node_cert_expiry (change)
+  community.docker.docker_swarm:
+    state: present
+    node_cert_expiry: 8766000000000000
+  diff: true
+  register: output_6
+
+- name: assert node_cert_expiry changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## rotate_manager_token ############################################
+####################################################################
+- name: rotate_manager_token (true, check mode)
+  community.docker.docker_swarm:
+    state: present
+    rotate_manager_token: true
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: rotate_manager_token (true)
+  community.docker.docker_swarm:
+    state: present
+    rotate_manager_token: true
+  diff: true
+  register: output_2
+
+- name: rotate_manager_token (false, idempotent)
+  community.docker.docker_swarm:
+    state: present
+    rotate_manager_token: false
+  diff: true
+  register: output_3
+
+- name: rotate_manager_token (false, check mode)
+  community.docker.docker_swarm:
+    state: present
+    rotate_manager_token: false
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: assert rotate_manager_token changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+
+####################################################################
+## rotate_worker_token #############################################
+####################################################################
+- name: rotate_worker_token (true, check mode)
+  community.docker.docker_swarm:
+    state: present
+    rotate_worker_token: true
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: rotate_worker_token (true)
+  community.docker.docker_swarm:
+    state: present
+    rotate_worker_token: true
+  diff: true
+  register: output_2
+
+- name: rotate_worker_token (false, idempotent)
+  community.docker.docker_swarm:
+    state: present
+    rotate_worker_token: false
+  diff: true
+  register: output_3
+
+- name: rotate_worker_token (false, check mode)
+  community.docker.docker_swarm:
+    state: present
+    rotate_worker_token: false
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: assert rotate_worker_token changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+
+####################################################################
+## snapshot_interval ###############################################
+####################################################################
+- name: snapshot_interval (check mode)
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 12345
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: snapshot_interval
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 12345
+  diff: true
+  register: output_2
+
+- name: snapshot_interval (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 12345
+  diff: true
+  register: output_3
+
+- name: snapshot_interval (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 12345
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: snapshot_interval (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 54321
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: snapshot_interval (change)
+  community.docker.docker_swarm:
+    state: present
+    snapshot_interval: 54321
+  diff: true
+  register: output_6
+
+- name: assert snapshot_interval changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+####################################################################
+## task_history_retention_limit ####################################
+####################################################################
+- name: task_history_retention_limit (check mode)
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 23
+  check_mode: true
+  diff: true
+  register: output_1
+
+- name: task_history_retention_limit
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 23
+  diff: true
+  register: output_2
+
+- name: task_history_retention_limit (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 23
+  diff: true
+  register: output_3
+
+- name: task_history_retention_limit (idempotent, check mode)
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 23
+  check_mode: true
+  diff: true
+  register: output_4
+
+- name: task_history_retention_limit (change, check mode)
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 7
+  check_mode: true
+  diff: true
+  register: output_5
+
+- name: task_history_retention_limit (change)
+  community.docker.docker_swarm:
+    state: present
+    task_history_retention_limit: 7
+  diff: true
+  register: output_6
+
+- name: assert task_history_retention_limit changes
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_1.actions[0] == "Swarm cluster updated"'
+      - 'output_1.diff.before is defined'
+      - 'output_1.diff.after is defined'
+      - 'output_2 is changed'
+      - 'output_2.actions[0] == "Swarm cluster updated"'
+      - 'output_2.diff.before is defined'
+      - 'output_2.diff.after is defined'
+      - 'output_3 is not changed'
+      - 'output_3.actions[0] == "No modification"'
+      - 'output_3.diff.before is defined'
+      - 'output_3.diff.after is defined'
+      - 'output_4 is not changed'
+      - 'output_4.actions[0] == "No modification"'
+      - 'output_4.diff.before is defined'
+      - 'output_4.diff.after is defined'
+      - 'output_5 is changed'
+      - 'output_5.actions[0] == "Swarm cluster updated"'
+      - 'output_5.diff.before is defined'
+      - 'output_5.diff.after is defined'
+      - 'output_6 is changed'
+      - 'output_6.actions[0] == "Swarm cluster updated"'
+      - 'output_6.diff.before is defined'
+      - 'output_6.diff.after is defined'
+
+- ansible.builtin.include_tasks: cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/remote-addr-pool.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/remote-addr-pool.yml
new file mode 100644
index 00000000..3c882645
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm/tasks/tests/remote-addr-pool.yml
@@ -0,0 +1,95 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- ansible.builtin.debug:
+    msg: Running tests/remote-addr-pool.yml
+
+####################################################################
+## default_addr_pool ###############################################
+####################################################################
+
+- name: default_addr_pool
+  community.docker.docker_swarm:
+    state: present
+    default_addr_pool:
+      - "2.0.0.0/16"
+  diff: true
+  register: output_1
+  ignore_errors: true
+
+- name: default_addr_pool (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    default_addr_pool:
+      - "2.0.0.0/16"
+  diff: true
+  register: output_2
+  ignore_errors: true
+
+- name: assert default_addr_pool
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_2 is not changed'
+      - 'output_2.swarm_facts.DefaultAddrPool == ["2.0.0.0/16"]'
+  when:
+    - docker_api_version is version('1.39', '>=')
+    - docker_py_version is version('4.0.0', '>=')
+
+- name: assert default_addr_pool failed when unsupported
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is failed'
+      - "'Minimum version required' in output_1.msg"
+  when: docker_api_version is version('1.39', '<') or
+        docker_py_version is version('4.0.0', '<')
+
+####################################################################
+## subnet_size #####################################################
+####################################################################
+- name: Leave swarm
+  community.docker.docker_swarm:
+    state: absent
+    force: true
+    default_addr_pool:
+      - "2.0.0.0/16"
+  diff: true
+
+- name: subnet_size
+  community.docker.docker_swarm:
+    state: present
+    force: true
+    subnet_size: 26
+  diff: true
+  register: output_1
+  ignore_errors: true
+
+- name: subnet_size (idempotent)
+  community.docker.docker_swarm:
+    state: present
+    subnet_size: 26
+  diff: true
+  register: output_2
+  ignore_errors: true
+
+- name: assert subnet_size
+  ansible.builtin.assert:
+    that:
+      - 'output_1 is changed'
+      - 'output_2 is not changed'
+      - 'output_2.swarm_facts.SubnetSize == 26'
+  when:
+    - docker_api_version is version('1.39', '>=')
+    - docker_py_version is version('4.0.0', '>=')
+
+- name: assert subnet_size failed when unsupported
+  ansible.builtin.assert:
+    that:
+      - output_1 is failed
+      - "'Minimum version required' in output_1.msg"
+  when: docker_api_version is version('1.39', '<') or
+        docker_py_version is version('4.0.0', '<')
+
+- ansible.builtin.include_tasks: cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/aliases
new file mode 100644
index 00000000..6f61c620
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/1
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/main.yml
new file mode 100644
index 00000000..c0886a23
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_swarm_info.yml
+  when: docker_py_version is version('1.10.0', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_swarm_info tests!"
+  when: not(docker_py_version is version('1.10.0', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/test_swarm_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/test_swarm_info.yml
new file mode 100644
index 00000000..c9bb82dd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_info/tasks/test_swarm_info.yml
@@ -0,0 +1,194 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Try to get docker_swarm_info when docker is not running in swarm mode
+      community.docker.docker_swarm_info:
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called when swarm is not in use or not run on manager node
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "Error running docker swarm module: must run on swarm manager node"'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == false'
+          - 'output.docker_swarm_manager == false'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+      register: output
+
+    - name: assert changed when create a new swarm cluster
+      ansible.builtin.assert:
+        that:
+          - 'output is changed'
+          - '(output.actions[0] | regex_search("New Swarm cluster created: ")) is truthy'
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+
+    - name: Try to get docker_swarm_info when docker is running in swarm mode and as manager
+      community.docker.docker_swarm_info:
+      register: output
+
+    - name: assert creding docker swarm facts
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+          - 'output.swarm_facts.ID is truthy'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Try to get docker_swarm_info and list of nodes when docker is running in swarm mode and as manager
+      community.docker.docker_swarm_info:
+        nodes: true
+      register: output
+
+    - name: assert reading swarm facts with list of nodes option
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+          - 'output.swarm_facts.ID is truthy'
+          - 'output.nodes[0].ID is string'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Get local docker node name
+      ansible.builtin.set_fact:
+        localnodename: "{{ output.nodes[0].Hostname }}"
+
+
+    - name: Try to get docker_swarm_info and verbose list of nodes when docker is running in swarm mode and as manager
+      community.docker.docker_swarm_info:
+        nodes: true
+        verbose_output: true
+      register: output
+
+    - name: assert reading swarm facts with list of nodes and versbose output options
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+          - 'output.swarm_facts.ID is truthy'
+          - 'output.nodes[0].ID is string'
+          - 'output.nodes[0].CreatedAt is truthy'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Try to get docker_swarm_info and list of nodes with filters providing existing node name
+      community.docker.docker_swarm_info:
+        nodes: true
+        nodes_filters:
+          name: "{{ localnodename }}"
+      register: output
+
+    - name: assert reading reading swarm facts and using node filter (random node name)
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+          - 'output.swarm_facts.ID is truthy'
+          - 'output.nodes | length == 1'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Create random name
+      ansible.builtin.set_fact:
+        randomnodename: "{{ 'node-%0x' % ((2**32) | random) }}"
+
+    - name: Try to get docker_swarm_info and list of nodes with filters providing non-existing random node name
+      community.docker.docker_swarm_info:
+        nodes: true
+        nodes_filters:
+          name: "{{ randomnodename }}"
+      register: output
+
+    - name: assert reading reading swarm facts and using node filter (random node name)
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_facts.JoinTokens.Manager is truthy'
+          - 'output.swarm_facts.JoinTokens.Worker is truthy'
+          - 'output.swarm_facts.ID is truthy'
+          - 'output.nodes | length == 0'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+          - 'output.swarm_unlock_key is not defined'
+
+    - name: Try to get docker_swarm_info and swarm_unlock_key on non a unlocked swarm
+      community.docker.docker_swarm_info:
+        unlock_key: true
+      register: output
+      ignore_errors: true
+
+    - name: assert reading swarm facts and non existing swarm unlock key
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_unlock_key is none'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+      when: docker_py_version is version('2.7.0', '>=')
+    - ansible.builtin.assert:
+        that:
+          - output is failed
+          - "('version is ' ~ docker_py_version ~ ' ') in output.msg"
+          - "'Minimum version required is 2.7.0 ' in output.msg"
+      when: docker_py_version is version('2.7.0', '<')
+
+    - name: Update swarm cluster to be locked
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+        autolock_managers: true
+      register: autolock_managers_update_output
+      ignore_errors: true
+
+    - name: Try to get docker_swarm_info and swarm_unlock_key
+      community.docker.docker_swarm_info:
+        unlock_key: true
+      register: output
+      ignore_errors: true
+
+    - name: assert reading swarm facts and swarm unlock key
+      ansible.builtin.assert:
+        that:
+          - 'output.swarm_unlock_key is string'
+          - 'output.swarm_unlock_key == autolock_managers_update_output.swarm_facts.UnlockKey'
+          - 'output.can_talk_to_docker == true'
+          - 'output.docker_swarm_active == true'
+          - 'output.docker_swarm_manager == true'
+      when: docker_py_version is version('2.7.0', '>=')
+    - ansible.builtin.assert:
+        that:
+          - output is failed
+          - "('version is ' ~ docker_py_version ~ ' ') in output.msg"
+          - "'Minimum version required is 2.7.0 ' in output.msg"
+      when: docker_py_version is version('2.7.0', '<')
+
+  always:
+    - name: Cleanup
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/aliases
new file mode 100644
index 00000000..fc581d54
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/3
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-1 b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-1
new file mode 100644
index 00000000..87bc9dec
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-1
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+TEST3=val3
+TEST4=val4
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-2 b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-2
new file mode 100644
index 00000000..7f36b44a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/files/env-file-2
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+TEST3=val5
+TEST5=val5
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/main.yml
new file mode 100644
index 00000000..ee966686
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+
+# Create random name prefix (for containers, networks, ...)
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    service_names: []
+    network_names: []
+    config_names: []
+    secret_names: []
+    volume_names: []
+
+- ansible.builtin.debug:
+    msg: "Using container name prefix {{ name_prefix }}"
+
+# Run the tests
+- block:
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: Make sure all services are removed
+      community.docker.docker_swarm_service:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ service_names }}"
+      ignore_errors: true
+
+    - name: Make sure all networks are removed
+      community.docker.docker_network:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      loop: "{{ network_names }}"
+      ignore_errors: true
+
+    - name: Make sure all configs are removed
+      community.docker.docker_config:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      loop: "{{ config_names }}"
+      ignore_errors: true
+
+    - name: Make sure all volumes are removed
+      community.docker.docker_volume:
+        name: "{{ item }}"
+        state: absent
+      loop: "{{ volume_names }}"
+      ignore_errors: true
+
+    - name: Make sure all secrets are removed
+      community.docker.docker_secret:
+        name: "{{ item }}"
+        state: absent
+        force: true
+      loop: "{{ secret_names }}"
+      ignore_errors: true
+
+    - name: Make sure swarm is removed
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+      ignore_errors: true
+  when: docker_py_version is version('2.0.2', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_swarm_service tests!"
+  when: not(docker_py_version is version('2.0.2', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/configs.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/configs.yml
new file mode 100644
index 00000000..44834735
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/configs.yml
@@ -0,0 +1,463 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-configs' }}"
+    config_name_1: "{{ name_prefix ~ '-configs-1' }}"
+    config_name_2: "{{ name_prefix ~ '-configs-2' }}"
+    config_name_3: "{{ name_prefix ~ '-configs-3' }}"
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    config_names: "{{ config_names + [config_name_1, config_name_2] }}"
+
+- community.docker.docker_config:
+    name: "{{ config_name_1 }}"
+    data: "hello"
+    state: present
+  register: "config_result_1"
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- community.docker.docker_config:
+    name: "{{ config_name_2 }}"
+    data: "test"
+    state: present
+  register: "config_result_2"
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- community.docker.docker_config:
+    name: "{{ config_name_3 }}"
+    data: "config3"
+    state: present
+    rolling_versions: true
+  register: "config_result_3"
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+####################################################################
+## configs #########################################################
+####################################################################
+
+- name: configs
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+  register: configs_1
+  ignore_errors: true
+
+- name: configs (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+  register: configs_2
+  ignore_errors: true
+
+- name: configs (add)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+      - config_name: "{{ config_name_2 }}"
+        filename: "/tmp/{{ config_name_2 }}.txt"
+  register: configs_3
+  ignore_errors: true
+
+- name: configs (add idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+      - config_id: "{{ config_result_2.config_id | default('') }}"
+        config_name: "{{ config_name_2 }}"
+        filename: "/tmp/{{ config_name_2 }}.txt"
+  register: configs_4
+  ignore_errors: true
+
+- name: configs (add idempotency no id)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+      - config_name: "{{ config_name_2 }}"
+        filename: "/tmp/{{ config_name_2 }}.txt"
+  register: configs_5
+  ignore_errors: true
+
+- name: configs (add idempotency no id and re-ordered)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_2 }}"
+        filename: "/tmp/{{ config_name_2 }}.txt"
+      - config_name: "{{ config_name_1 }}"
+        filename: "/tmp/{{ config_name_1 }}.txt"
+  register: configs_6
+  ignore_errors: true
+
+- name: configs (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs: []
+  register: configs_7
+  ignore_errors: true
+
+- name: configs (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs: []
+  register: configs_8
+  ignore_errors: true
+
+- name: rolling configs
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_3 }}_v1"
+        filename: "/run/configs/{{ config_name_3 }}.txt"
+  register: configs_9
+  ignore_errors: true
+
+- name: update rolling config
+  community.docker.docker_config:
+    name: "{{ config_name_3 }}"
+    data: "newconfig3"
+    state: "present"
+    rolling_versions: true
+  register: configs_10
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+  ignore_errors: true
+
+- name: rolling configs service update
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_name: "{{ config_name_3 }}_v2"
+        filename: "/run/configs/{{ config_name_3 }}.txt"
+  register: configs_11
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - configs_1 is changed
+      - configs_2 is not changed
+      - configs_3 is changed
+      - configs_4 is not changed
+      - configs_5 is not changed
+      - configs_6 is not changed
+      - configs_7 is changed
+      - configs_8 is not changed
+      - configs_9 is changed
+      - configs_10 is not failed
+      - configs_11 is changed
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - configs_1 is failed
+      - "'Minimum version required' in configs_1.msg"
+  when: docker_api_version is version('1.30', '<') or docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## configs (uid) ###################################################
+####################################################################
+
+- name: configs (uid int)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        uid: 1000
+  register: configs_1
+  ignore_errors: true
+
+- name: configs (uid int idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        uid: 1000
+  register: configs_2
+  ignore_errors: true
+
+- name: configs (uid int change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        uid: 1002
+  register: configs_3
+  ignore_errors: true
+
+- name: configs (uid str)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        uid: "1001"
+  register: configs_4
+  ignore_errors: true
+
+- name: configs (uid str idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        uid: "1001"
+  register: configs_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+- ansible.builtin.assert:
+    that:
+      - configs_1 is changed
+      - configs_2 is not changed
+      - configs_3 is changed
+      - configs_4 is changed
+      - configs_5 is not changed
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - configs_1 is failed
+      - "'Minimum version required' in configs_1.msg"
+  when: docker_api_version is version('1.30', '<') or docker_py_version is version('2.6.0', '<')
+
+
+####################################################################
+## configs (gid) ###################################################
+####################################################################
+
+- name: configs (gid int)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        gid: 1000
+  register: configs_1
+  ignore_errors: true
+
+- name: configs (gid int idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        gid: 1000
+  register: configs_2
+  ignore_errors: true
+
+- name: configs (gid int change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        gid: 1002
+  register: configs_3
+  ignore_errors: true
+
+- name: configs (gid str)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        gid: "1001"
+  register: configs_4
+  ignore_errors: true
+
+- name: configs (gid str idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        gid: "1001"
+  register: configs_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+- ansible.builtin.assert:
+    that:
+      - configs_1 is changed
+      - configs_2 is not changed
+      - configs_3 is changed
+      - configs_4 is changed
+      - configs_5 is not changed
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - configs_1 is failed
+      - "'Minimum version required' in configs_1.msg"
+  when: docker_api_version is version('1.30', '<') or docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## configs (mode) ##################################################
+####################################################################
+
+- name: configs (mode)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        mode: "0600"
+  register: configs_1
+  ignore_errors: true
+
+- name: configs (mode idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        mode: "0600"
+  register: configs_2
+  ignore_errors: true
+
+- name: configs (mode change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    configs:
+      - config_id: "{{ config_result_1.config_id | default('') }}"
+        config_name: "{{ config_name_1 }}"
+        mode: "0777"
+  register: configs_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+- ansible.builtin.assert:
+    that:
+      - configs_1 is changed
+      - configs_2 is not changed
+      - configs_3 is changed
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - configs_1 is failed
+      - "'Minimum version required' in configs_1.msg"
+  when: docker_api_version is version('1.30', '<') or docker_py_version is version('2.6.0', '<')
+
+####################################################################
+####################################################################
+####################################################################
+
+- name: Delete configs
+  community.docker.docker_config:
+    name: "{{ config_name }}"
+    state: absent
+    force: true
+  loop:
+    - "{{ config_name_1 }}"
+    - "{{ config_name_2 }}"
+    - "{{ config_name_3 }}"
+  loop_control:
+    loop_var: config_name
+  ignore_errors: true
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('2.6.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/logging.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/logging.yml
new file mode 100644
index 00000000..bc3952f1
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/logging.yml
@@ -0,0 +1,138 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-logging' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+####################################################################
+## logging.driver ##################################################
+####################################################################
+
+- name: logging.driver
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+  register: logging_driver_1
+
+- name: logging.driver (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+  register: logging_driver_2
+
+- name: logging.driver (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: syslog
+  register: logging_driver_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - logging_driver_1 is changed
+      - logging_driver_2 is not changed
+      - logging_driver_3 is changed
+
+####################################################################
+## logging.options #################################################
+####################################################################
+
+- name: logging_options
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+      options:
+        labels: production_status
+        env: os,customer
+  register: logging_options_1
+
+- name: logging_options (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+      options:
+        env: os,customer
+        labels: production_status
+  register: logging_options_2
+
+- name: logging_options (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+      options:
+        env: os,customer
+        labels: production_status
+        max-file: "1"
+  register: logging_options_3
+
+- name: logging_options (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+      options: {}
+  register: logging_options_4
+
+- name: logging_options (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    logging:
+      driver: json-file
+      options: {}
+  register: logging_options_5
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - logging_options_1 is changed
+      - logging_options_2 is not changed
+      - logging_options_3 is changed
+      - logging_options_4 is changed
+      - logging_options_5 is not changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/misc.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/misc.yml
new file mode 100644
index 00000000..548a1e95
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/misc.yml
@@ -0,0 +1,117 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- block:
+    - name: Create a swarm service without name
+      register: output
+      community.docker.docker_swarm_service:
+        state: present
+      ignore_errors: true
+
+    - name: assert failure when name not set
+      ansible.builtin.assert:
+        that:
+          - output is failed
+          - 'output.msg == "missing required arguments: name"'
+
+    - name: Remove an non-existing service
+      register: output
+      community.docker.docker_swarm_service:
+        state: absent
+        name: non_existing_service
+
+    - name: assert output not changed when deleting non-existing service
+      ansible.builtin.assert:
+        that:
+          - output is not changed
+
+    - name: create sample service
+      register: output
+      community.docker.docker_swarm_service:
+        name: test_service
+        endpoint_mode: dnsrr
+        image: "{{ docker_test_image_busybox }}"
+        resolve_image: false
+        args:
+          - sleep
+          - "3600"
+
+    - name: assert sample service is created
+      ansible.builtin.assert:
+        that:
+          - output is changed
+
+    - name: change service args
+      register: output
+      community.docker.docker_swarm_service:
+        name: test_service
+        image: "{{ docker_test_image_busybox }}"
+        resolve_image: false
+        args:
+          - sleep
+          - "1800"
+
+    - name: assert service args are correct
+      ansible.builtin.assert:
+        that:
+          - output.swarm_service.args == ['sleep', '1800']
+
+    - name: set service mode to global
+      register: output
+      community.docker.docker_swarm_service:
+        name: test_service
+        image: "{{ docker_test_image_busybox }}"
+        resolve_image: false
+        endpoint_mode: vip
+        mode: global
+        args:
+          - sleep
+          - "1800"
+
+    - name: assert service mode changed caused service rebuild
+      ansible.builtin.assert:
+        that:
+          - output.rebuilt
+
+    - name: add published ports to service
+      register: output
+      community.docker.docker_swarm_service:
+        name: test_service
+        image: "{{ docker_test_image_busybox }}"
+        resolve_image: false
+        mode: global
+        args:
+          - sleep
+          - "1800"
+        endpoint_mode: vip
+        publish:
+          - protocol: tcp
+            published_port: 60001
+            target_port: 60001
+          - protocol: udp
+            published_port: 60001
+            target_port: 60001
+
+    - name: fake image key as it is not predictable
+      ansible.builtin.set_fact:
+        ansible_docker_service_output: "{{ output.swarm_service | combine({'image': docker_test_image_busybox}) }}"
+
+    - name: assert service matches expectations
+      ansible.builtin.assert:
+        that:
+          - ansible_docker_service_output == service_expected_output
+
+    - name: delete sample service
+      register: output
+      community.docker.docker_swarm_service:
+        name: test_service
+        state: absent
+
+    - name: assert service deletion returns changed
+      ansible.builtin.assert:
+        that:
+          - output is success
+          - output is changed
+  when: docker_api_version is version('1.25', '>=') and docker_py_version is version('3.0.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/mounts.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/mounts.yml
new file mode 100644
index 00000000..bb36cb96
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/mounts.yml
@@ -0,0 +1,606 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-mounts' }}"
+    volume_name_1: "{{ name_prefix ~ '-volume-1' }}"
+    volume_name_2: "{{ name_prefix ~ '-volume-2' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+    volume_names: "{{ volume_names + [volume_name_1, volume_name_2] }}"
+
+- community.docker.docker_volume:
+    name: "{{ volume_name }}"
+    state: present
+  loop:
+    - "{{ volume_name_1 }}"
+    - "{{ volume_name_2 }}"
+  loop_control:
+    loop_var: volume_name
+
+####################################################################
+## mounts ##########################################################
+####################################################################
+
+- name: mounts
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+  register: mounts_1
+
+- name: mounts (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+  register: mounts_2
+
+- name: mounts (add)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+      - source: "/tmp/"
+        target: "/tmp/{{ volume_name_2 }}"
+        type: "bind"
+  register: mounts_3
+
+- name: mounts (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "/tmp/"
+        target: "/tmp/{{ volume_name_2 }}"
+        type: "bind"
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+  register: mounts_4
+
+- name: mounts (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts: []
+  register: mounts_5
+
+- name: mounts (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts: []
+  register: mounts_6
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_1 is changed
+      - mounts_2 is not changed
+      - mounts_3 is changed
+      - mounts_4 is not changed
+      - mounts_5 is changed
+      - mounts_6 is not changed
+
+####################################################################
+## mounts.readonly #################################################
+####################################################################
+
+- name: mounts.readonly
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        readonly: true
+  register: mounts_readonly_1
+
+
+- name: mounts.readonly (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        readonly: true
+  register: mounts_readonly_2
+
+- name: mounts.readonly (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        readonly: false
+  register: mounts_readonly_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_readonly_1 is changed
+      - mounts_readonly_2 is not changed
+      - mounts_readonly_3 is changed
+
+####################################################################
+## mounts.propagation ##############################################
+####################################################################
+
+- name: mounts.propagation
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "/tmp"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "bind"
+        propagation: "slave"
+  register: mounts_propagation_1
+
+
+- name: mounts.propagation (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "/tmp"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "bind"
+        propagation: "slave"
+  register: mounts_propagation_2
+
+- name: mounts.propagation (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "/tmp"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "bind"
+        propagation: "rprivate"
+  register: mounts_propagation_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_propagation_1 is changed
+      - mounts_propagation_2 is not changed
+      - mounts_propagation_3 is changed
+
+####################################################################
+## mounts.labels ##################################################
+####################################################################
+
+- name: mounts.labels
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        labels:
+          mylabel: hello-world
+          my-other-label: hello-mars
+  register: mounts_labels_1
+
+
+- name: mounts.labels (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        labels:
+          mylabel: hello-world
+          my-other-label: hello-mars
+  register: mounts_labels_2
+
+- name: mounts.labels (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        labels:
+          mylabel: hello-world
+  register: mounts_labels_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_labels_1 is changed
+      - mounts_labels_2 is not changed
+      - mounts_labels_3 is changed
+
+####################################################################
+## mounts.no_copy ##################################################
+####################################################################
+
+- name: mounts.no_copy
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        no_copy: true
+  register: mounts_no_copy_1
+
+
+- name: mounts.no_copy (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        no_copy: true
+  register: mounts_no_copy_2
+
+- name: mounts.no_copy (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        no_copy: false
+  register: mounts_no_copy_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_no_copy_1 is changed
+      - mounts_no_copy_2 is not changed
+      - mounts_no_copy_3 is changed
+
+####################################################################
+## mounts.driver_config ############################################
+####################################################################
+
+- name: mounts.driver_config
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        driver_config:
+          name: "nfs"
+          options:
+            addr: "127.0.0.1"
+  register: mounts_driver_config_1
+
+- name: mounts.driver_config
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        driver_config:
+          name: "nfs"
+          options:
+            addr: "127.0.0.1"
+  register: mounts_driver_config_2
+
+- name: mounts.driver_config
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "volume"
+        driver_config:
+          name: "local"
+  register: mounts_driver_config_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_driver_config_1 is changed
+      - mounts_driver_config_2 is not changed
+      - mounts_driver_config_3 is changed
+
+####################################################################
+## mounts.tmpfs_size ###############################################
+####################################################################
+
+- name: mounts.tmpfs_size
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_size: "50M"
+  register: mounts_tmpfs_size_1
+  ignore_errors: true
+
+- name: mounts.tmpfs_size (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_size: "50M"
+  register: mounts_tmpfs_size_2
+  ignore_errors: true
+
+- name: mounts.tmpfs_size (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_size: "25M"
+  register: mounts_tmpfs_size_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_size_1 is changed
+      - mounts_tmpfs_size_2 is not changed
+      - mounts_tmpfs_size_3 is changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_size_1 is failed
+      - "'Minimum version required' in mounts_tmpfs_size_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## mounts.tmpfs_mode ###############################################
+####################################################################
+
+- name: mounts.tmpfs_mode
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_mode: "0444"
+  register: mounts_tmpfs_mode_1
+  ignore_errors: true
+
+- name: mounts.tmpfs_mode (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_mode: "0444"
+  register: mounts_tmpfs_mode_2
+  ignore_errors: true
+
+- name: mounts.tmpfs_mode (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: "{{ volume_name_1 }}"
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+        tmpfs_mode: "0777"
+  register: mounts_tmpfs_mode_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_mode_1 is changed
+      - mounts_tmpfs_mode_2 is not changed
+      - mounts_tmpfs_mode_3 is changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_size_1 is failed
+      - "'Minimum version required' in mounts_tmpfs_size_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## mounts.source ###################################################
+####################################################################
+
+- name: mounts.source (empty for tmpfs)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: ""
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+  register: mounts_tmpfs_source_1
+  ignore_errors: true
+
+- name: mounts.source (empty for tmpfs idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - source: ""
+        target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+  register: mounts_tmpfs_source_2
+  ignore_errors: true
+
+- name: mounts.source (not specified for tmpfs idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mounts:
+      - target: "/tmp/{{ volume_name_1 }}"
+        type: "tmpfs"
+  register: mounts_tmpfs_source_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_source_1 is changed
+      - mounts_tmpfs_source_2 is not changed
+      - mounts_tmpfs_source_3 is not changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - mounts_tmpfs_source_1 is failed
+      - "'Minimum version required' in mounts_tmpfs_source_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+####################################################################
+####################################################################
+
+- name: Delete volumes
+  community.docker.docker_volume:
+    name: "{{ volume_name }}"
+    state: absent
+  loop:
+    - "{{ volume_name_1 }}"
+    - "{{ volume_name_2 }}"
+  loop_control:
+    loop_var: volume_name
+  ignore_errors: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/networks.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/networks.yml
new file mode 100644
index 00000000..716d54dd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/networks.yml
@@ -0,0 +1,453 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-networks' }}"
+    network_name_1: "{{ name_prefix ~ '-network-1' }}"
+    network_name_2: "{{ name_prefix ~ '-network-2' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+    network_names: "{{ network_names + [network_name_1, network_name_2] }}"
+
+- community.docker.docker_network:
+    name: "{{ network_name }}"
+    driver: "overlay"
+    state: present
+  loop:
+    - "{{ network_name_1 }}"
+    - "{{ network_name_2 }}"
+  loop_control:
+    loop_var: network_name
+
+#####################################################################
+## networks #########################################################
+#####################################################################
+
+- name: networks
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_1 }}"
+  register: networks_1
+
+- name: networks (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_1 }}"
+  register: networks_2
+
+- name: networks (dict idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+  register: networks_3
+
+- name: networks (change more)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_1 }}"
+      - "{{ network_name_2 }}"
+  register: networks_4
+
+- name: networks (change more idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_1 }}"
+      - "{{ network_name_2 }}"
+  register: networks_5
+
+- name: networks (change more dict idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+      - name: "{{ network_name_2 }}"
+  register: networks_6
+
+- name: networks (change more mixed idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+      - "{{ network_name_2 }}"
+  register: networks_7
+
+- name: networks (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_2 }}"
+      - name: "{{ network_name_1 }}"
+  register: networks_8
+
+- name: networks (change less)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_2 }}"
+  register: networks_9
+
+- name: networks (change less idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "{{ network_name_2 }}"
+  register: networks_10
+
+- name: networks (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks: []
+  register: networks_11
+
+- name: networks (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks: []
+  register: networks_12
+
+- name: networks (unknown network)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - "idonotexist"
+  register: networks_13
+  ignore_errors: true
+
+- name: networks (missing dict key name)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - foo: "bar"
+  register: networks_14
+  ignore_errors: true
+
+- name: networks (invalid list type)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - [1, 2, 3]
+  register: networks_15
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - networks_1 is changed
+      - networks_2 is not changed
+      - networks_3 is not changed
+      - networks_4 is changed
+      - networks_5 is not changed
+      - networks_6 is not changed
+      - networks_7 is not changed
+      - networks_8 is not changed
+      - networks_9 is changed
+      - networks_10 is not changed
+      - networks_11 is changed
+      - networks_12 is not changed
+      - networks_13 is failed
+      - '"Could not find a network named: ''idonotexist''" in networks_13.msg'
+      - networks_14 is failed
+      - "'\"name\" is required when networks are passed as dictionaries.' in networks_14.msg"
+      - networks_15 is failed
+      - "'Only a list of strings or dictionaries are allowed to be passed as networks' in networks_15.msg"
+
+- ansible.builtin.assert:
+    that:
+      - networks_4.rebuilt == false
+      - networks_7.rebuilt == false
+  when: docker_api_version is version('1.29', '>=') and docker_py_version is version('2.7.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - networks_4.rebuilt == true
+      - networks_7.rebuilt == true
+  when: docker_api_version is version('1.29', '<') or docker_py_version is version('2.7.0', '<')
+
+####################################################################
+## networks.aliases ################################################
+####################################################################
+
+- name: networks.aliases
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases:
+          - "alias1"
+          - "alias2"
+  register: networks_aliases_1
+
+- name: networks.aliases (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases:
+          - "alias1"
+          - "alias2"
+  register: networks_aliases_2
+
+- name: networks.aliases (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases:
+          - "alias2"
+          - "alias1"
+  register: networks_aliases_3
+
+- name: networks.aliases (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases:
+          - "alias1"
+  register: networks_aliases_4
+
+- name: networks.aliases (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases: []
+  register: networks_aliases_5
+
+- name: networks.aliases (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases: []
+  register: networks_aliases_6
+
+- name: networks.aliases (invalid type)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        aliases:
+          - [1, 2, 3]
+  register: networks_aliases_7
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - networks_aliases_1 is changed
+      - networks_aliases_2 is not changed
+      - networks_aliases_3 is not changed
+      - networks_aliases_4 is changed
+      - networks_aliases_5 is changed
+      - networks_aliases_6 is not changed
+      - networks_aliases_7 is failed
+      - "'Only strings are allowed as network aliases' in networks_aliases_7.msg"
+
+####################################################################
+## networks.options ################################################
+####################################################################
+
+- name: networks.options
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options:
+          foo: bar
+          test: hello
+  register: networks_options_1
+
+- name: networks.options (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options:
+          foo: bar
+          test: hello
+  register: networks_options_2
+
+- name: networks.options (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options:
+          foo: bar
+          test: hej
+  register: networks_options_3
+
+- name: networks.options (change less)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options:
+          foo: bar
+  register: networks_options_4
+
+- name: networks.options (invalid type)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options: [1, 2, 3]
+  register: networks_options_5
+  ignore_errors: true
+
+- name: networks.options (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options: {}
+  register: networks_options_6
+
+- name: networks.options (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    networks:
+      - name: "{{ network_name_1 }}"
+        options: {}
+  register: networks_options_7
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - networks_options_1 is changed
+      - networks_options_2 is not changed
+      - networks_options_3 is changed
+      - networks_options_4 is changed
+      - networks_options_5 is failed
+      - "'Only dict is allowed as network options' in networks_options_5.msg"
+      - networks_options_6 is changed
+      - networks_options_7 is not changed
+
+####################################################################
+####################################################################
+####################################################################
+
+- name: Delete networks
+  community.docker.docker_network:
+    name: "{{ network_name }}"
+    state: absent
+    force: true
+  loop:
+    - "{{ network_name_1 }}"
+    - "{{ network_name_2 }}"
+  loop_control:
+    loop_var: network_name
+  ignore_errors: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/options.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/options.yml
new file mode 100644
index 00000000..cb515608
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/options.yml
@@ -0,0 +1,2050 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-options' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+####################################################################
+## args ############################################################
+####################################################################
+
+- name: args
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    args:
+      - sleep
+      - "3600"
+  register: args_1
+
+- name: args (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    args:
+      - sleep
+      - "3600"
+  register: args_2
+
+- name: args (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    args:
+      - sleep
+      - "3400"
+  register: args_3
+
+- name: args (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    args: []
+  register: args_4
+
+- name: args (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    args: []
+  register: args_5
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - args_1 is changed
+      - args_2 is not changed
+      - args_3 is changed
+      - args_4 is changed
+      - args_5 is not changed
+
+####################################################################
+## command #########################################################
+####################################################################
+
+- name: command
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+  register: command_1
+
+- name: command (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+  register: command_2
+
+- name: command (less parameters)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -c "sleep 10m"'
+  register: command_3
+
+- name: command (as list)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command:
+      - "/bin/sh"
+      - "-c"
+      - "sleep 10m"
+  register: command_4
+
+- name: command (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: []
+  register: command_5
+
+- name: command (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: []
+  register: command_6
+
+- name: command (string failure)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: true
+  register: command_7
+  ignore_errors: true
+
+- name: command (list failure)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command:
+      - "/bin/sh"
+      - true
+  register: command_8
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - command_1 is changed
+      - command_2 is not changed
+      - command_3 is changed
+      - command_4 is not changed
+      - command_5 is changed
+      - command_6 is not changed
+      - command_7 is failed
+      - command_8 is failed
+
+####################################################################
+## container_labels ################################################
+####################################################################
+
+- name: container_labels
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    container_labels:
+      test_1: "1"
+      test_2: "2"
+  register: container_labels_1
+
+- name: container_labels (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    container_labels:
+      test_1: "1"
+      test_2: "2"
+  register: container_labels_2
+
+- name: container_labels (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    container_labels:
+      test_1: "1"
+      test_2: "3"
+  register: container_labels_3
+
+- name: container_labels (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    container_labels: {}
+  register: container_labels_4
+
+- name: container_labels (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    container_labels: {}
+  register: container_labels_5
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - container_labels_1 is changed
+      - container_labels_2 is not changed
+      - container_labels_3 is changed
+      - container_labels_4 is changed
+      - container_labels_5 is not changed
+
+####################################################################
+## dns #############################################################
+####################################################################
+
+- name: dns
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+  register: dns_1
+  ignore_errors: true
+
+- name: dns (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+  register: dns_2
+  ignore_errors: true
+
+- name: dns_servers (changed order)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns:
+      - 8.8.8.8
+      - 1.1.1.1
+  register: dns_3
+  ignore_errors: true
+
+- name: dns_servers (changed elements)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns:
+      - 8.8.8.8
+      - 9.9.9.9
+  register: dns_4
+  ignore_errors: true
+
+- name: dns_servers (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns: []
+  register: dns_5
+  ignore_errors: true
+
+- name: dns_servers (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns: []
+  register: dns_6
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_1 is changed
+      - dns_2 is not changed
+      - dns_3 is changed
+      - dns_4 is changed
+      - dns_5 is changed
+      - dns_6 is not changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - dns_1 is failed
+      - "'Minimum version required' in dns_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## dns_options #####################################################
+####################################################################
+
+- name: dns_options
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options:
+      - "timeout:10"
+      - rotate
+  register: dns_options_1
+  ignore_errors: true
+
+- name: dns_options (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options:
+      - "timeout:10"
+      - rotate
+  register: dns_options_2
+  ignore_errors: true
+
+- name: dns_options (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options:
+      - "timeout:10"
+      - no-check-names
+  register: dns_options_3
+  ignore_errors: true
+
+- name: dns_options (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options:
+      - no-check-names
+      - "timeout:10"
+  register: dns_options_4
+  ignore_errors: true
+
+- name: dns_options (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options: []
+  register: dns_options_5
+  ignore_errors: true
+
+- name: dns_options (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_options: []
+  register: dns_options_6
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_options_1 is changed
+      - dns_options_2 is not changed
+      - dns_options_3 is changed
+      - dns_options_4 is not changed
+      - dns_options_5 is changed
+      - dns_options_6 is not changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - dns_options_1 is failed
+      - "'Minimum version required' in dns_options_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## dns_search ######################################################
+####################################################################
+
+- name: dns_search
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search:
+      - example.com
+      - example.org
+  register: dns_search_1
+  ignore_errors: true
+
+- name: dns_search (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search:
+      - example.com
+      - example.org
+  register: dns_search_2
+  ignore_errors: true
+
+- name: dns_search (different order)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search:
+      - example.org
+      - example.com
+  register: dns_search_3
+  ignore_errors: true
+
+- name: dns_search (changed elements)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search:
+      - ansible.com
+      - example.com
+  register: dns_search_4
+  ignore_errors: true
+
+- name: dns_search (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search: []
+  register: dns_search_5
+  ignore_errors: true
+
+- name: dns_search (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    dns_search: []
+  register: dns_search_6
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - dns_search_1 is changed
+      - dns_search_2 is not changed
+      - dns_search_3 is changed
+      - dns_search_4 is changed
+      - dns_search_5 is changed
+      - dns_search_6 is not changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - dns_search_1 is failed
+      - "'Minimum version required' in dns_search_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## endpoint_mode ###################################################
+####################################################################
+
+- name: endpoint_mode
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    endpoint_mode: "dnsrr"
+  register: endpoint_mode_1
+  ignore_errors: true
+
+- name: endpoint_mode (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    endpoint_mode: "dnsrr"
+  register: endpoint_mode_2
+  ignore_errors: true
+
+- name: endpoint_mode (changes)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    endpoint_mode: "vip"
+  register: endpoint_mode_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - endpoint_mode_1 is changed
+      - endpoint_mode_2 is not changed
+      - endpoint_mode_3 is changed
+  when: docker_py_version is version('3.0.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - endpoint_mode_1 is failed
+      - "'Minimum version required' in endpoint_mode_1.msg"
+  when: docker_py_version is version('3.0.0', '<')
+
+####################################################################
+## env #############################################################
+####################################################################
+
+- name: env
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env:
+      - "TEST1=val1"
+      - "TEST2=val2"
+  register: env_1
+
+- name: env (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env:
+      TEST1: val1
+      TEST2: val2
+  register: env_2
+
+- name: env (changes)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env:
+      - "TEST1=val1"
+      - "TEST2=val3"
+  register: env_3
+
+- name: env (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env:
+      - "TEST2=val3"
+      - "TEST1=val1"
+  register: env_4
+
+- name: env (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env: []
+  register: env_5
+
+- name: env (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    env: []
+  register: env_6
+
+- name: env (fail unwrapped values)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env:
+      TEST1: true
+  register: env_7
+  ignore_errors: true
+
+- name: env (fail invalid formatted string)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env:
+      - "TEST1=val3"
+      - "TEST2"
+  register: env_8
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - env_1 is changed
+      - env_2 is not changed
+      - env_3 is changed
+      - env_4 is not changed
+      - env_5 is changed
+      - env_6 is not changed
+      - env_7 is failed
+      - env_8 is failed
+
+####################################################################
+## env_files #######################################################
+####################################################################
+
+- name: Copy env-files
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ remote_tmp_dir }}/{{ item }}"
+  loop:
+    - env-file-1
+    - env-file-2
+
+- name: env_files
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files:
+      - "{{ remote_tmp_dir }}/env-file-1"
+  register: env_file_1
+
+- name: env_files (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files:
+      - "{{ remote_tmp_dir }}/env-file-1"
+  register: env_file_2
+
+- name: env_files (more items)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files:
+      - "{{ remote_tmp_dir }}/env-file-1"
+      - "{{ remote_tmp_dir }}/env-file-2"
+  register: env_file_3
+
+- name: env_files (order)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files:
+      - "{{ remote_tmp_dir }}/env-file-2"
+      - "{{ remote_tmp_dir }}/env-file-1"
+  register: env_file_4
+
+- name: env_files (multiple idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files:
+      - "{{ remote_tmp_dir }}/env-file-2"
+      - "{{ remote_tmp_dir }}/env-file-1"
+  register: env_file_5
+
+- name: env_files (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files: []
+  register: env_file_6
+
+- name: env_files (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    env_files: []
+  register: env_file_7
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - env_file_1 is changed
+      - env_file_2 is not changed
+      - env_file_3 is changed
+      - env_file_4 is changed
+      - env_file_5 is not changed
+      - env_file_6 is changed
+      - env_file_7 is not changed
+
+###################################################################
+## force_update ###################################################
+###################################################################
+
+- name: force_update
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    args:
+      - sleep
+      - "3600"
+    force_update: true
+  register: force_update_1
+  ignore_errors: true
+
+- name: force_update (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    args:
+      - sleep
+      - "3600"
+    force_update: true
+  register: force_update_2
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - force_update_1 is changed
+      - force_update_2 is changed
+  when: docker_py_version is version('2.1.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - force_update_1 is failed
+      - "'Minimum version required' in force_update_1.msg"
+  when: docker_py_version is version('2.1.0', '<')
+
+####################################################################
+## groups ##########################################################
+####################################################################
+
+- name: groups
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups:
+      - "1234"
+      - "5678"
+  register: groups_1
+  ignore_errors: true
+
+- name: groups (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups:
+      - "1234"
+      - "5678"
+  register: groups_2
+  ignore_errors: true
+
+- name: groups (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups:
+      - "5678"
+      - "1234"
+  register: groups_3
+  ignore_errors: true
+
+- name: groups (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups:
+      - "1234"
+  register: groups_4
+  ignore_errors: true
+
+- name: groups (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups: []
+  register: groups_5
+  ignore_errors: true
+
+- name: groups (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    groups: []
+  register: groups_6
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - groups_1 is changed
+      - groups_2 is not changed
+      - groups_3 is not changed
+      - groups_4 is changed
+      - groups_5 is changed
+      - groups_6 is not changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - groups_1 is failed
+      - "'Minimum version required' in groups_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## healthcheck #####################################################
+####################################################################
+
+- name: healthcheck
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - "1"
+      timeout: 2s
+      interval: 0h0m2s3ms4us
+      retries: 2
+      start_period: 20s
+  register: healthcheck_1
+  ignore_errors: true
+
+- name: healthcheck (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - 1
+      timeout: 2s
+      interval: 0h0m2s3ms4us
+      retries: 2
+      start_period: 20s
+  register: healthcheck_2
+  ignore_errors: true
+
+- name: healthcheck (changed)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test:
+        - CMD
+        - sleep
+        - "1"
+      timeout: 3s
+      interval: 0h1m2s3ms4us
+      retries: 3
+  register: healthcheck_3
+  ignore_errors: true
+
+- name: healthcheck (disabled)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test:
+        - NONE
+  register: healthcheck_4
+  ignore_errors: true
+
+- name: healthcheck (disabled, idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test:
+        - NONE
+  register: healthcheck_5
+  ignore_errors: true
+
+- name: healthcheck (string in healthcheck test, changed)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test: "sleep 1"
+  register: healthcheck_6
+  ignore_errors: true
+
+- name: healthcheck (string in healthcheck test, idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck:
+      test: "sleep 1"
+  register: healthcheck_7
+  ignore_errors: true
+
+- name: healthcheck (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck: {}
+  register: healthcheck_8
+  ignore_errors: true
+
+- name: healthcheck (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    healthcheck: {}
+  register: healthcheck_9
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - healthcheck_1 is changed
+      - healthcheck_2 is not changed
+      - healthcheck_3 is changed
+      - healthcheck_4 is changed
+      - healthcheck_5 is not changed
+      - healthcheck_6 is changed
+      - healthcheck_7 is not changed
+      - healthcheck_8 is changed
+      - healthcheck_9 is not changed
+  when: docker_api_version is version('1.29', '>=') and docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - healthcheck_1 is failed
+      - "'Minimum version required' in healthcheck_1.msg"
+  when: docker_api_version is version('1.29', '<') or docker_py_version is version('2.6.0', '<')
+
+###################################################################
+## hostname #######################################################
+###################################################################
+
+- name: hostname
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hostname: me.example.com
+  register: hostname_1
+  ignore_errors: true
+
+- name: hostname (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hostname: me.example.com
+  register: hostname_2
+  ignore_errors: true
+
+- name: hostname (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hostname: me.example.org
+  register: hostname_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - hostname_1 is changed
+      - hostname_2 is not changed
+      - hostname_3 is changed
+  when: docker_py_version is version('2.2.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - hostname_1 is failed
+      - "'Minimum version required' in hostname_1.msg"
+  when: docker_py_version is version('2.2.0', '<')
+
+###################################################################
+## hosts ##########################################################
+###################################################################
+
+- name: hosts
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hosts:
+      example.com: 1.2.3.4
+      example.org: 4.3.2.1
+  register: hosts_1
+  ignore_errors: true
+
+- name: hosts (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hosts:
+      example.com: 1.2.3.4
+      example.org: 4.3.2.1
+  register: hosts_2
+  ignore_errors: true
+
+- name: hosts (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    hosts:
+      example.com: 1.2.3.4
+  register: hosts_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - hosts_1 is changed
+      - hosts_2 is not changed
+      - hosts_3 is changed
+  when: docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - hosts_1 is failed
+      - "'Minimum version required' in hosts_1.msg"
+  when: docker_py_version is version('2.6.0', '<')
+
+
+###################################################################
+## image ##########################################################
+###################################################################
+
+- name: image
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+  register: image_1
+
+- name: image (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+  register: image_2
+
+- name: image (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine_different }}"
+  register: image_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - image_1 is changed
+      - image_2 is not changed
+      - image_3 is changed
+
+####################################################################
+## labels ##########################################################
+####################################################################
+
+- name: labels
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    labels:
+      test_1: "1"
+      test_2: "2"
+  register: labels_1
+
+- name: labels (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    labels:
+      test_1: "1"
+      test_2: "2"
+  register: labels_2
+
+- name: labels (changes)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    labels:
+      test_1: "1"
+      test_2: "2"
+      test_3: "3"
+  register: labels_3
+
+- name: labels (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    labels: {}
+  register: labels_4
+
+- name: labels (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    labels: {}
+  register: labels_5
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - labels_1 is changed
+      - labels_2 is not changed
+      - labels_3 is changed
+      - labels_4 is changed
+      - labels_5 is not changed
+
+###################################################################
+## mode ###########################################################
+###################################################################
+
+- name: mode
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "replicated"
+    replicas: 1
+  register: mode_1
+
+- name: mode (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "replicated"
+    replicas: 1
+  register: mode_2
+
+- name: mode (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "global"
+    replicas: 1
+  register: mode_3
+
+- name: mode (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "replicated-job"
+    replicas: 1
+  register: mode_4
+  ignore_errors: true
+
+- name: mode (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "replicated-job"
+    replicas: 1
+  register: mode_5
+  ignore_errors: true
+
+- name: mode (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    mode: "replicated"
+    replicas: 1
+  register: mode_6
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - mode_1 is changed
+      - mode_2 is not changed
+      - mode_3 is changed
+
+- ansible.builtin.assert:
+    that:
+      - mode_4 is changed
+      - mode_5 is not changed and mode_5 is not failed
+      - mode_6 is changed
+  when: docker_api_version is version('1.41', '>=') and docker_py_version is version('6.0.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - mode_4 is failed
+      - "'Minimum version required' in mode_4.msg"
+  when: docker_api_version is version('1.41', '<') or docker_py_version is version('6.0.0', '<')
+
+####################################################################
+## stop_grace_period ###############################################
+####################################################################
+
+- name: stop_grace_period
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_grace_period: 60s
+  register: stop_grace_period_1
+
+- name: stop_grace_period (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_grace_period: 60s
+  register: stop_grace_period_2
+
+- name: stop_grace_period (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_grace_period: 1m30s
+  register: stop_grace_period_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - stop_grace_period_1 is changed
+      - stop_grace_period_2 is not changed
+      - stop_grace_period_3 is changed
+
+####################################################################
+## stop_signal #####################################################
+####################################################################
+
+- name: stop_signal
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_signal: "30"
+  register: stop_signal_1
+  ignore_errors: true
+
+- name: stop_signal (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_signal: "30"
+  register: stop_signal_2
+  ignore_errors: true
+
+- name: stop_signal (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    stop_signal: "9"
+  register: stop_signal_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - stop_signal_1 is changed
+      - stop_signal_2 is not changed
+      - stop_signal_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - stop_signal_1 is failed
+      - "'Minimum version required' in stop_signal_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('2.6.0', '<')
+
+####################################################################
+## publish #########################################################
+####################################################################
+
+- name: publish
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: tcp
+        published_port: 60001
+        target_port: 60001
+      - protocol: udp
+        published_port: 60002
+        target_port: 60002
+  register: publish_1
+  ignore_errors: true
+
+- name: publish (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: udp
+        published_port: 60002
+        target_port: 60002
+      - published_port: 60001
+        target_port: 60001
+  register: publish_2
+  ignore_errors: true
+
+- name: publish (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: tcp
+        published_port: 60002
+        target_port: 60003
+      - protocol: udp
+        published_port: 60001
+        target_port: 60001
+  register: publish_3
+  ignore_errors: true
+
+- name: publish (mode)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: tcp
+        published_port: 60002
+        target_port: 60003
+        mode: host
+      - protocol: udp
+        published_port: 60001
+        target_port: 60001
+        mode: host
+  register: publish_4
+  ignore_errors: true
+
+- name: publish (mode idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: udp
+        published_port: 60001
+        target_port: 60001
+        mode: host
+      - protocol: tcp
+        published_port: 60002
+        target_port: 60003
+        mode: host
+  register: publish_5
+  ignore_errors: true
+
+- name: publish (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish: []
+  register: publish_6
+  ignore_errors: true
+
+- name: publish (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish: []
+  register: publish_7
+  ignore_errors: true
+
+- name: publish (publishes the same port with both protocols)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: udp
+        published_port: 60001
+        target_port: 60001
+        mode: host
+      - protocol: tcp
+        published_port: 60001
+        target_port: 60001
+        mode: host
+  register: publish_8
+  ignore_errors: true
+- name: gather service info
+  community.docker.docker_swarm_service_info:
+    name: "{{ service_name }}"
+  register: publish_8_info
+
+- name: publish (without published_port)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: udp
+        target_port: 60001
+        mode: host
+  register: publish_9
+  ignore_errors: true
+- name: gather service info
+  community.docker.docker_swarm_service_info:
+    name: "{{ service_name }}"
+  register: publish_9_info
+
+- name: publish (without published_port, idempotence)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    publish:
+      - protocol: udp
+        target_port: 60001
+        mode: host
+  register: publish_10
+  ignore_errors: true
+- name: gather service info
+  community.docker.docker_swarm_service_info:
+    name: "{{ service_name }}"
+  register: publish_10_info
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - publish_1 is changed
+      - publish_2 is not changed
+      - publish_3 is changed
+      - publish_4 is changed
+      - publish_5 is not changed
+      - publish_6 is changed
+      - publish_7 is not changed
+      - publish_8 is changed
+      - (publish_8_info.service.Endpoint.Ports | length) == 2
+      - publish_9 is changed
+      - publish_10 is not changed
+  when: docker_py_version is version('3.0.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - publish_1 is failed
+      - "'Minimum version required' in publish_1.msg"
+  when: docker_py_version is version('3.0.0', '<')
+
+###################################################################
+## read_only ######################################################
+###################################################################
+
+- name: read_only
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    read_only: true
+  register: read_only_1
+  ignore_errors: true
+
+- name: read_only (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    read_only: true
+  register: read_only_2
+  ignore_errors: true
+
+- name: read_only (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    read_only: false
+  register: read_only_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - read_only_1 is changed
+      - read_only_2 is not changed
+      - read_only_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('2.6.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - read_only_1 is failed
+      - "'Minimum version required' in read_only_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('2.6.0', '<')
+
+###################################################################
+## replicas #######################################################
+###################################################################
+
+- name: replicas
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    replicas: 2
+  register: replicas_1
+
+- name: replicas (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    replicas: 2
+  register: replicas_2
+
+- name: replicas (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    replicas: 3
+  register: replicas_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - replicas_1 is changed
+      - replicas_2 is not changed
+      - replicas_3 is changed
+
+###################################################################
+# resolve_image ###################################################
+###################################################################
+
+- name: resolve_image (false)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -v -c "sleep 10m"'
+    resolve_image: false
+  register: resolve_image_1
+
+- name: resolve_image (false idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -v -c "sleep 10m"'
+    resolve_image: false
+  register: resolve_image_2
+
+- name: resolve_image (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    command: '/bin/sh -v -c "sleep 10m"'
+    resolve_image: true
+  register: resolve_image_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - resolve_image_1 is changed
+      - resolve_image_2 is not changed
+      - resolve_image_3 is changed
+  when: docker_api_version is version('1.30', '>=') and docker_py_version is version('3.2.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - resolve_image_1 is changed
+      - resolve_image_2 is not changed
+      - resolve_image_3 is failed
+      - "('version is ' ~ docker_py_version ~ ' ') in resolve_image_3.msg"
+      - "'Minimum version required is 3.2.0 ' in resolve_image_3.msg"
+  when: docker_api_version is version('1.30', '<') or docker_py_version is version('3.2.0', '<')
+
+###################################################################
+# tty #############################################################
+###################################################################
+
+- name: tty
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    tty: true
+  register: tty_1
+  ignore_errors: true
+
+- name: tty (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    tty: true
+  register: tty_2
+  ignore_errors: true
+
+- name: tty (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    tty: false
+  register: tty_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - tty_1 is changed
+      - tty_2 is not changed
+      - tty_3 is changed
+  when: docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - tty_1 is failed
+      - "'Minimum version required' in tty_1.msg"
+  when: docker_py_version is version('2.4.0', '<')
+
+###################################################################
+## user ###########################################################
+###################################################################
+
+- name: user
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    user: "operator"
+  register: user_1
+
+- name: user (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    user: "operator"
+  register: user_2
+
+- name: user (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    user: "root"
+  register: user_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - user_1 is changed
+      - user_2 is not changed
+      - user_3 is changed
+
+####################################################################
+## working_dir #####################################################
+####################################################################
+
+- name: working_dir
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    working_dir: /tmp
+  register: working_dir_1
+
+- name: working_dir (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    working_dir: /tmp
+  register: working_dir_2
+
+- name: working_dir (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    working_dir: /
+  register: working_dir_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - working_dir_1 is changed
+      - working_dir_2 is not changed
+      - working_dir_3 is changed
+
+####################################################################
+## init ############################################################
+####################################################################
+
+- name: init
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+  register: init_1
+
+- name: init (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+  register: init_2
+
+- name: init (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: false
+  register: init_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - init_1 is changed
+      - init_2 is not changed
+      - init_3 is changed
+  when: docker_api_version is version('1.37', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - init_1 is failed
+      - "('version is ' ~ docker_api_version ~'. Minimum version required is 1.37') in hosts_1.msg"
+  when: docker_api_version is version('1.37', '<')
+
+####################################################################
+## cap_drop, capabilities ##########################################
+####################################################################
+
+- name: capabilities, cap_drop
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+    cap_add:
+      - sys_time
+    cap_drop:
+      - all
+  register: capabilities_1
+  ignore_errors: true
+
+- name: capabilities, cap_drop (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+    cap_add:
+      - sys_time
+    cap_drop:
+      - all
+  register: capabilities_2
+  ignore_errors: true
+  diff: true
+
+- name: capabilities, cap_drop (less)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+    cap_add: []
+    cap_drop:
+      - all
+  register: capabilities_3
+  ignore_errors: true
+  diff: true
+
+- name: capabilities, cap_drop (changed)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    init: true
+    cap_add:
+      - setgid
+    cap_drop:
+      - all
+  register: capabilities_4
+  ignore_errors: true
+  diff: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - capabilities_1 is changed
+      - capabilities_2 is not changed
+      - capabilities_3 is changed
+      - capabilities_4 is changed
+  when: docker_api_version is version('1.41', '>=') and docker_py_version is version('5.0.3', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - capabilities_1 is failed
+      - >
+        (('version is ' ~ docker_py_version ~ ' ') in capabilities_1.msg and 'Minimum version required is 5.0.3 ' in capabilities_1.msg)
+        or (('Docker API version is ' ~ docker_api_version ~ '. ') in capabilities_1.msg and 'Minimum version required is 1.41 ' in capabilities_1.msg)
+  when: docker_api_version is version('1.41', '<') or docker_py_version is version('5.0.3', '<')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/placement.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/placement.yml
new file mode 100644
index 00000000..02587e2d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/placement.yml
@@ -0,0 +1,261 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-placement' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+
+####################################################################
+## placement.preferences ###########################################
+####################################################################
+
+- name: placement.preferences
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      preferences:
+        - spread: "node.labels.test"
+  register: placement_preferences_1
+  ignore_errors: true
+
+- name: placement.preferences (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      preferences:
+        - spread: "node.labels.test"
+  register: placement_preferences_2
+  ignore_errors: true
+
+- name: placement.preferences (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      preferences:
+        - spread: "node.labels.test2"
+  register: placement_preferences_3
+  ignore_errors: true
+
+- name: placement.preferences (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      preferences: []
+  register: placement_preferences_4
+  ignore_errors: true
+
+- name: placement.preferences (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      preferences: []
+  register: placement_preferences_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - placement_preferences_1 is changed
+      - placement_preferences_2 is not changed
+      - placement_preferences_3 is changed
+      - placement_preferences_4 is changed
+      - placement_preferences_5 is not changed
+  when: docker_api_version is version('1.27', '>=') and docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - placement_preferences_1 is failed
+      - "'Minimum version required' in placement_preferences_1.msg"
+  when: docker_api_version is version('1.27', '<') or docker_py_version is version('2.4.0', '<')
+
+####################################################################
+## placement.constraints #####################################################
+####################################################################
+
+- name: placement.constraints
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints:
+        - "node.role == manager"
+  register: constraints_1
+  ignore_errors: true
+
+- name: placement.constraints (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints:
+        - "node.role == manager"
+  register: constraints_2
+  ignore_errors: true
+
+- name: placement.constraints (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints:
+        - "node.role == worker"
+  register: constraints_3
+  ignore_errors: true
+
+- name: placement.constraints (add)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints:
+        - "node.role == worker"
+        - "node.label != non_existent_label"
+  register: constraints_4
+  ignore_errors: true
+
+- name: placement.constraints (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints:
+        - "node.label != non_existent_label"
+        - "node.role == worker"
+  register: constraints_5
+  ignore_errors: true
+
+- name: placement.constraints (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints: []
+  register: constraints_6
+  ignore_errors: true
+
+- name: placement.constraints (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      constraints: []
+  register: constraints_7
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - constraints_1 is changed
+      - constraints_2 is not changed
+      - constraints_3 is changed
+      - constraints_4 is changed
+      - constraints_5 is not changed
+      - constraints_6 is changed
+      - constraints_7 is not changed
+  when: docker_api_version is version('1.27', '>=') and docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - constraints_1 is failed
+      - "'Minimum version required' in constraints_1.msg"
+  when: docker_api_version is version('1.27', '<') or docker_py_version is version('2.4.0', '<')
+
+####################################################################
+## placement.replicas_max_per_node #####################################################
+####################################################################
+
+- name: placement.replicas_max_per_node
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      replicas_max_per_node: 1
+  register: replicas_max_per_node_1
+  ignore_errors: true
+
+- name: placement.replicas_max_per_node (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      replicas_max_per_node: 1
+  register: replicas_max_per_node_2
+  ignore_errors: true
+
+- name: placement.replicas_max_per_node (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    placement:
+      replicas_max_per_node: 2
+  register: replicas_max_per_node_3
+  ignore_errors: true
+
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - replicas_max_per_node_1 is changed
+      - replicas_max_per_node_2 is not changed
+      - replicas_max_per_node_3 is changed
+  when: docker_api_version is version('1.40', '>=') and docker_py_version is version('4.4.3', '>=')
+- ansible.builtin.assert:
+    that:
+      - replicas_max_per_node_1 is failed
+      - "'Minimum version required' in replicas_max_per_node_1.msg"
+  when: docker_api_version is version('1.40', '<') or docker_py_version is version('4.4.3', '<')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/resources.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/resources.yml
new file mode 100644
index 00000000..bc5fc799
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/resources.yml
@@ -0,0 +1,196 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-resources' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+####################################################################
+## limits.cpus #####################################################
+####################################################################
+
+- name: limits.cpus
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      cpus: 1
+  register: limit_cpu_1
+
+- name: limits.cpus (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      cpus: 1
+  register: limit_cpu_2
+
+- name: limits.cpus (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      cpus: 0.5
+  register: limit_cpu_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - limit_cpu_1 is changed
+      - limit_cpu_2 is not changed
+      - limit_cpu_3 is changed
+
+###################################################################
+## limits.memory ##################################################
+###################################################################
+
+- name: limits.memory
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      memory: 64M
+  register: limit_memory_1
+
+- name: limits.memory (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      memory: 64M
+  register: limit_memory_2
+
+- name: limits.memory (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    limits:
+      memory: 32M
+  register: limit_memory_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - limit_memory_1 is changed
+      - limit_memory_2 is not changed
+      - limit_memory_3 is changed
+
+###################################################################
+## reservations.cpus ##############################################
+###################################################################
+
+- name: reserve_cpu
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      cpus: 1
+  register: reserve_cpu_1
+
+- name: reserve_cpu (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      cpus: 1
+  register: reserve_cpu_2
+
+- name: reserve_cpu (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      cpus: 0.5
+  register: reserve_cpu_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - reserve_cpu_1 is changed
+      - reserve_cpu_2 is not changed
+      - reserve_cpu_3 is changed
+
+###################################################################
+## reservations.memory ############################################
+###################################################################
+
+- name: reservations.memory
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      memory: 64M
+  register: reserve_memory_1
+
+- name: reservations.memory (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      memory: 64M
+  register: reserve_memory_2
+
+- name: reservations.memory (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    reservations:
+      memory: 32M
+  register: reserve_memory_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - reserve_memory_1 is changed
+      - reserve_memory_2 is not changed
+      - reserve_memory_3 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/restart_config.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/restart_config.yml
new file mode 100644
index 00000000..313e689e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/restart_config.yml
@@ -0,0 +1,196 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-restart_config' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+###################################################################
+## restart_config.condition #######################################
+###################################################################
+
+- name: restart_config.condition
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      condition: "on-failure"
+  register: restart_policy_1
+
+- name: restart_config.condition (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      condition: "on-failure"
+  register: restart_policy_2
+
+- name: restart_config.condition (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      condition: "any"
+  register: restart_policy_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_policy_1 is changed
+      - restart_policy_2 is not changed
+      - restart_policy_3 is changed
+
+###################################################################
+## restart_config.max_attempts ####################################
+###################################################################
+
+- name: restart_config.max_attempts
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      max_attempts: 1
+  register: restart_policy_attempts_1
+
+- name: restart_config.max_attempts (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      max_attempts: 1
+  register: restart_policy_attempts_2
+
+- name: restart_config.max_attempts (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      max_attempts: 2
+  register: restart_policy_attempts_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_policy_attempts_1 is changed
+      - restart_policy_attempts_2 is not changed
+      - restart_policy_attempts_3 is changed
+
+###################################################################
+## restart_config.delay ###########################################
+###################################################################
+
+- name: restart_config.delay
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      delay: 5s
+  register: restart_policy_delay_1
+
+- name: restart_config.delay (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      delay: 5s
+  register: restart_policy_delay_2
+
+- name: restart_config.delay (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      delay: 10s
+  register: restart_policy_delay_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_policy_delay_1 is changed
+      - restart_policy_delay_2 is not changed
+      - restart_policy_delay_3 is changed
+
+###################################################################
+## restart_config.window ##########################################
+###################################################################
+
+- name: restart_config.window
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      window: 10s
+  register: restart_policy_window_1
+
+- name: restart_config.window (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      window: 10s
+  register: restart_policy_window_2
+
+- name: restart_config.window (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    restart_config:
+      window: 20s
+  register: restart_policy_window_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - restart_policy_window_1 is changed
+      - restart_policy_window_2 is not changed
+      - restart_policy_window_3 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/rollback_config.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/rollback_config.yml
new file mode 100644
index 00000000..b7253c4a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/rollback_config.yml
@@ -0,0 +1,342 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-rollback_config' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+###################################################################
+## rollback_config.delay ############################################
+###################################################################
+
+- name: rollback_config.delay
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      delay: 5s
+  register: rollback_config_delay_1
+  ignore_errors: true
+
+- name: rollback_config.delay (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      delay: 5s
+  register: rollback_config_delay_2
+  ignore_errors: true
+
+- name: rollback_config.delay (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      delay: 12s
+  register: rollback_config_delay_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_delay_1 is changed
+      - rollback_config_delay_2 is not changed
+      - rollback_config_delay_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_delay_1 is failed
+      - "'Minimum version required' in rollback_config_delay_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+## rollback_config.failure_action ###################################
+###################################################################
+
+- name: rollback_config.failure_action
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      failure_action: "pause"
+  register: rollback_config_failure_action_1
+  ignore_errors: true
+
+- name: rollback_config.failure_action (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      failure_action: "pause"
+  register: rollback_config_failure_action_2
+  ignore_errors: true
+
+- name: rollback_config.failure_action (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      failure_action: "continue"
+  register: rollback_config_failure_action_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_failure_action_1 is changed
+      - rollback_config_failure_action_2 is not changed
+      - rollback_config_failure_action_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_failure_action_1 is failed
+      - "'Minimum version required' in rollback_config_failure_action_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+## rollback_config.max_failure_ratio ################################
+###################################################################
+
+- name: rollback_config.max_failure_ratio
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      max_failure_ratio: 0.25
+  register: rollback_config_max_failure_ratio_1
+  ignore_errors: true
+
+- name: rollback_config.max_failure_ratio (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      max_failure_ratio: 0.25
+  register: rollback_config_max_failure_ratio_2
+  ignore_errors: true
+
+- name: rollback_config.max_failure_ratio (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      max_failure_ratio: 0.50
+  register: rollback_config_max_failure_ratio_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_max_failure_ratio_1 is changed
+      - rollback_config_max_failure_ratio_2 is not changed
+      - rollback_config_max_failure_ratio_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_max_failure_ratio_1 is failed
+      - "'Minimum version required' in rollback_config_max_failure_ratio_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+# rollback_config.monitor ###########################################
+###################################################################
+
+- name: rollback_config.monitor
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      monitor: 10s
+  register: rollback_config_monitor_1
+  ignore_errors: true
+
+- name: rollback_config.monitor (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      monitor: 10s
+  register: rollback_config_monitor_2
+  ignore_errors: true
+
+- name: rollback_config.monitor (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      monitor: 60s
+  register: rollback_config_monitor_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_monitor_1 is changed
+      - rollback_config_monitor_2 is not changed
+      - rollback_config_monitor_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_monitor_1 is failed
+      - "'Minimum version required' in rollback_config_monitor_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+# rollback_config.order #############################################
+###################################################################
+
+- name: rollback_config.order
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      order: "start-first"
+  register: rollback_config_order_1
+  ignore_errors: true
+
+- name: rollback_config.order (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      order: "start-first"
+  register: rollback_config_order_2
+  ignore_errors: true
+
+- name: rollback_config.order (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      order: "stop-first"
+  register: rollback_config_order_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_order_1 is changed
+      - rollback_config_order_2 is not changed
+      - rollback_config_order_3 is changed
+  when: docker_api_version is version('1.29', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_order_1 is failed
+      - "'Minimum version required' in rollback_config_order_1.msg"
+  when: docker_api_version is version('1.29', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+## rollback_config.parallelism ######################################
+###################################################################
+
+- name: rollback_config.parallelism
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      parallelism: 2
+  register: rollback_config_parallelism_1
+  ignore_errors: true
+
+- name: rollback_config.parallelism (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      parallelism: 2
+  register: rollback_config_parallelism_2
+  ignore_errors: true
+
+- name: rollback_config.parallelism (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    rollback_config:
+      parallelism: 1
+  register: rollback_config_parallelism_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - rollback_config_parallelism_1 is changed
+      - rollback_config_parallelism_2 is not changed
+      - rollback_config_parallelism_3 is changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - rollback_config_parallelism_1 is failed
+      - "'Minimum version required' in rollback_config_parallelism_1.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/secrets.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/secrets.yml
new file mode 100644
index 00000000..bd3aaa8e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/secrets.yml
@@ -0,0 +1,461 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-secrets' }}"
+    secret_name_1: "{{ name_prefix ~ '-secret-1' }}"
+    secret_name_2: "{{ name_prefix ~ '-secret-2' }}"
+    secret_name_3: "{{ name_prefix ~ '-secret-3' }}"
+
+- name: Registering container name
+  ansible.builtin.set_fact:
+    secret_names: "{{ secret_names + [secret_name_1, secret_name_2] }}"
+
+- community.docker.docker_secret:
+    name: "{{ secret_name_1 }}"
+    data: "secret1"
+    state: "present"
+  register: "secret_result_1"
+  when: docker_py_version is version('2.1.0', '>=')
+
+- community.docker.docker_secret:
+    name: "{{ secret_name_2 }}"
+    data: "secret2"
+    state: "present"
+  register: "secret_result_2"
+  when: docker_py_version is version('2.1.0', '>=')
+
+- community.docker.docker_secret:
+    name: "{{ secret_name_3 }}"
+    data: "secret3"
+    state: "present"
+    rolling_versions: true
+  register: "secret_result_3"
+  when: docker_py_version is version('2.1.0', '>=')
+
+####################################################################
+## secrets #########################################################
+####################################################################
+
+- name: secrets
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+  register: secrets_1
+  ignore_errors: true
+
+- name: secrets (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+  register: secrets_2
+  ignore_errors: true
+
+- name: secrets (add)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+      - secret_name: "{{ secret_name_2 }}"
+        filename: "/run/secrets/{{ secret_name_2 }}.txt"
+  register: secrets_3
+  ignore_errors: true
+
+- name: secrets (add idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+      - secret_id: "{{ secret_result_2.secret_id | default('') }}"
+        secret_name: "{{ secret_name_2 }}"
+        filename: "/run/secrets/{{ secret_name_2 }}.txt"
+  register: secrets_4
+  ignore_errors: true
+
+- name: secrets (add idempotency no id)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+      - secret_name: "{{ secret_name_2 }}"
+        filename: "/run/secrets/{{ secret_name_2 }}.txt"
+  register: secrets_5
+  ignore_errors: true
+
+- name: secrets (order idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_2 }}"
+        filename: "/run/secrets/{{ secret_name_2 }}.txt"
+      - secret_name: "{{ secret_name_1 }}"
+        filename: "/run/secrets/{{ secret_name_1 }}.txt"
+  register: secrets_6
+  ignore_errors: true
+
+- name: secrets (empty)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets: []
+  register: secrets_7
+  ignore_errors: true
+
+- name: secrets (empty idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets: []
+  register: secrets_8
+  ignore_errors: true
+
+- name: rolling secrets
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_3 }}_v1"
+        filename: "/run/secrets/{{ secret_name_3 }}.txt"
+  register: secrets_9
+  ignore_errors: true
+
+- name: update rolling secret
+  community.docker.docker_secret:
+    name: "{{ secret_name_3 }}"
+    data: "newsecret3"
+    state: "present"
+    rolling_versions: true
+  register: secrets_10
+  when: docker_py_version is version('2.1.0', '>=')
+  ignore_errors: true
+
+- name: rolling secrets service update
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_name: "{{ secret_name_3 }}_v2"
+        filename: "/run/secrets/{{ secret_name_3 }}.txt"
+  register: secrets_11
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is changed
+      - secrets_2 is not changed
+      - secrets_3 is changed
+      - secrets_4 is not changed
+      - secrets_5 is not changed
+      - secrets_6 is not changed
+      - secrets_7 is changed
+      - secrets_8 is not changed
+      - secrets_9 is changed
+      - secrets_10 is not failed
+      - secrets_11 is changed
+  when: docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is failed
+      - "'Minimum version required' in secrets_1.msg"
+  when: docker_py_version is version('2.4.0', '<')
+
+####################################################################
+## secrets (uid) ###################################################
+####################################################################
+
+- name: secrets (uid int)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        uid: 1000
+  register: secrets_1
+  ignore_errors: true
+
+- name: secrets (uid int idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        uid: 1000
+  register: secrets_2
+  ignore_errors: true
+
+- name: secrets (uid int change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        uid: 1002
+  register: secrets_3
+  ignore_errors: true
+
+- name: secrets (uid str)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        uid: "1001"
+  register: secrets_4
+  ignore_errors: true
+
+- name: secrets (uid str idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        uid: "1001"
+  register: secrets_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is changed
+      - secrets_2 is not changed
+      - secrets_3 is changed
+      - secrets_4 is changed
+      - secrets_5 is not changed
+  when: docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is failed
+      - "'Minimum version required' in secrets_1.msg"
+  when: docker_py_version is version('2.4.0', '<')
+
+####################################################################
+## secrets (gid) ###################################################
+####################################################################
+
+- name: secrets (gid int)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        gid: 1001
+  register: secrets_1
+  ignore_errors: true
+
+- name: secrets (gid int idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        gid: 1001
+  register: secrets_2
+  ignore_errors: true
+
+- name: secrets (gid int change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        gid: 1002
+  register: secrets_3
+  ignore_errors: true
+
+- name: secrets (gid str)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        gid: "1003"
+  register: secrets_4
+  ignore_errors: true
+
+- name: secrets (gid str idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        gid: "1003"
+  register: secrets_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is changed
+      - secrets_2 is not changed
+      - secrets_3 is changed
+      - secrets_4 is changed
+      - secrets_5 is not changed
+  when: docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is failed
+      - "'Minimum version required' in secrets_1.msg"
+  when: docker_py_version is version('2.4.0', '<')
+
+####################################################################
+## secrets (mode) ##################################################
+####################################################################
+
+- name: secrets (mode)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        mode: "0600"
+  register: secrets_1
+  ignore_errors: true
+
+- name: secrets (mode idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        mode: "0600"
+  register: secrets_2
+  ignore_errors: true
+
+- name: secrets (mode change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    secrets:
+      - secret_id: "{{ secret_result_1.secret_id | default('') }}"
+        secret_name: "{{ secret_name_1 }}"
+        mode: "0777"
+  register: secrets_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is changed
+      - secrets_2 is not changed
+      - secrets_3 is changed
+  when: docker_py_version is version('2.4.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - secrets_1 is failed
+      - "'Minimum version required' in secrets_1.msg"
+  when: docker_py_version is version('2.4.0', '<')
+
+####################################################################
+####################################################################
+####################################################################
+
+- name: Delete secrets
+  community.docker.docker_secret:
+    name: "{{ secret_name }}"
+    state: absent
+    force: true
+  loop:
+    - "{{ secret_name_1 }}"
+    - "{{ secret_name_2 }}"
+    - "{{ secret_name_3 }}"
+  loop_control:
+    loop_var: secret_name
+  ignore_errors: true
+  when: docker_py_version is version('2.1.0', '>=')
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/update_config.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/update_config.yml
new file mode 100644
index 00000000..4c971b4a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/tasks/tests/update_config.yml
@@ -0,0 +1,350 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_name: "{{ name_prefix ~ '-update_config' }}"
+
+- name: Registering service name
+  ansible.builtin.set_fact:
+    service_names: "{{ service_names + [service_name] }}"
+
+###################################################################
+## update_config.delay ############################################
+###################################################################
+
+- name: update_config.delay
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      delay: 5s
+  register: update_delay_1
+
+- name: update_config.delay (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      delay: 5s
+  register: update_delay_2
+
+- name: update_config.delay (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      delay: 12s
+  register: update_delay_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_delay_1 is changed
+      - update_delay_2 is not changed
+      - update_delay_3 is changed
+
+###################################################################
+## update_config.failure_action ###################################
+###################################################################
+
+- name: update_config.failure_action
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      failure_action: "pause"
+  register: update_failure_action_1
+
+- name: update_config.failure_action (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      failure_action: "pause"
+  register: update_failure_action_2
+
+- name: update_config.failure_action (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      failure_action: "continue"
+  register: update_failure_action_3
+
+- name: update_config.failure_action (rollback)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      failure_action: "rollback"
+  register: update_failure_action_4
+  ignore_errors: true
+
+- name: update_config.failure_action (rollback idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      failure_action: "rollback"
+  register: update_failure_action_5
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_failure_action_1 is changed
+      - update_failure_action_2 is not changed
+      - update_failure_action_3 is changed
+
+- ansible.builtin.assert:
+    that:
+      - update_failure_action_4 is changed
+      - update_failure_action_5 is not failed
+      - update_failure_action_5 is not changed
+  when: docker_api_version is version('1.28', '>=') and docker_py_version is version('3.5.0', '>=')
+
+- ansible.builtin.assert:
+    that:
+      - update_failure_action_4 is failed
+      - "'Minimum version required' in update_failure_action_4.msg"
+  when: docker_api_version is version('1.28', '<') or docker_py_version is version('3.5.0', '<')
+
+###################################################################
+## update_config.max_failure_ratio ################################
+###################################################################
+
+- name: update_config.max_failure_ratio
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      max_failure_ratio: 0.25
+  register: update_max_failure_ratio_1
+  ignore_errors: true
+
+- name: update_config.max_failure_ratio (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      max_failure_ratio: 0.25
+  register: update_max_failure_ratio_2
+  ignore_errors: true
+
+- name: update_config.max_failure_ratio (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      max_failure_ratio: 0.50
+  register: update_max_failure_ratio_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_max_failure_ratio_1 is changed
+      - update_max_failure_ratio_2 is not changed
+      - update_max_failure_ratio_3 is changed
+  when: docker_py_version is version('2.1.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - update_max_failure_ratio_1 is failed
+      - "'Minimum version required' in update_max_failure_ratio_1.msg"
+  when: docker_py_version is version('2.1.0', '<')
+
+###################################################################
+# update_config.monitor ###########################################
+###################################################################
+
+- name: update_config.monitor
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      monitor: 10s
+  register: update_monitor_1
+  ignore_errors: true
+
+- name: update_config.monitor (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      monitor: 10s
+  register: update_monitor_2
+  ignore_errors: true
+
+- name: update_config.monitor (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      monitor: 60s
+  register: update_monitor_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_monitor_1 is changed
+      - update_monitor_2 is not changed
+      - update_monitor_3 is changed
+  when: docker_py_version is version('2.1.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - update_monitor_1 is failed
+      - "'Minimum version required' in update_monitor_1.msg"
+  when: docker_py_version is version('2.1.0', '<')
+
+###################################################################
+# update_config.order #############################################
+###################################################################
+
+- name: update_config.order
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      order: "start-first"
+  register: update_order_1
+  ignore_errors: true
+
+- name: update_config.order (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      order: "start-first"
+  register: update_order_2
+  ignore_errors: true
+
+- name: update_config.order (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      order: "stop-first"
+  register: update_order_3
+  ignore_errors: true
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_order_1 is changed
+      - update_order_2 is not changed
+      - update_order_3 is changed
+  when: docker_api_version is version('1.29', '>=') and docker_py_version is version('2.7.0', '>=')
+- ansible.builtin.assert:
+    that:
+      - update_order_1 is failed
+      - "'Minimum version required' in update_order_1.msg"
+  when: docker_api_version is version('1.29', '<') or docker_py_version is version('2.7.0', '<')
+
+###################################################################
+## update_config.parallelism ######################################
+###################################################################
+
+- name: update_config.parallelism
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      parallelism: 2
+  register: update_parallelism_1
+
+- name: update_config.parallelism (idempotency)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      parallelism: 2
+  register: update_parallelism_2
+
+- name: update_config.parallelism (change)
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    image: "{{ docker_test_image_alpine }}"
+    resolve_image: false
+    command: '/bin/sh -v -c "sleep 10m"'
+    update_config:
+      parallelism: 1
+  register: update_parallelism_3
+
+- name: cleanup
+  community.docker.docker_swarm_service:
+    name: "{{ service_name }}"
+    state: absent
+  diff: false
+
+- ansible.builtin.assert:
+    that:
+      - update_parallelism_1 is changed
+      - update_parallelism_2 is not changed
+      - update_parallelism_3 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/vars/main.yml
new file mode 100644
index 00000000..bd8c799e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service/vars/main.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+service_expected_output:
+  args: [sleep, '1800']
+  cap_add: null
+  cap_drop: null
+  configs: null
+  constraints: null
+  container_labels: null
+  command: null
+  dns: null
+  dns_options: null
+  dns_search: null
+  endpoint_mode: vip
+  env: null
+  force_update: null
+  groups: null
+  healthcheck: null
+  healthcheck_disabled: null
+  hostname: null
+  hosts: null
+  image: "{{ docker_test_image_busybox }}"
+  labels: null
+  limit_cpu: null
+  limit_memory: null
+  log_driver: null
+  log_driver_options: null
+  mode: global
+  mounts: null
+  networks: null
+  secrets: null
+  stop_grace_period: null
+  stop_signal: null
+  placement_preferences: null
+  publish:
+    - {mode: null, protocol: tcp, published_port: 60001, target_port: 60001}
+    - {mode: null, protocol: udp, published_port: 60001, target_port: 60001}
+  read_only: null
+  replicas: null
+  replicas_max_per_node: null
+  reserve_cpu: null
+  reserve_memory: null
+  restart_policy: null
+  restart_policy_attempts: null
+  restart_policy_delay: null
+  restart_policy_window: null
+  rollback_config: null
+  tty: null
+  update_delay: null
+  update_failure_action: null
+  update_max_failure_ratio: null
+  update_monitor: null
+  update_order: null
+  update_parallelism: null
+  user: null
+  working_dir: null
+  init: null
+  sysctls: null
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/aliases
new file mode 100644
index 00000000..fc581d54
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/3
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/main.yml
new file mode 100644
index 00000000..f7cfcb46
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.include_tasks: test_docker_swarm_service_info.yml
+  when: docker_py_version is version('2.0.0', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_swarm_service_info tests!"
+  when: not(docker_py_version is version('2.0.0', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/test_docker_swarm_service_info.yml b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/test_docker_swarm_service_info.yml
new file mode 100644
index 00000000..6a69940d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_swarm_service_info/tasks/test_docker_swarm_service_info.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Generate service base name
+  ansible.builtin.set_fact:
+    service_base_name: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+- name: Registering service names
+  ansible.builtin.set_fact:
+    service_name: "{{ service_base_name ~ '-1' }}"
+
+- block:
+    - name: Make sure we're not already using Docker swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+    - name: Try to get docker_swarm_service_info when docker is not running in swarm mode
+      community.docker.docker_swarm_service_info:
+        name: "{{ service_name }}"
+      ignore_errors: true
+      register: output
+
+    - name: assert failure when called when swarm is not in use or not run on manager node
+      ansible.builtin.assert:
+        that:
+          - 'output is failed'
+          - 'output.msg == "Error running docker swarm module: must run on swarm manager node"'
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
+      register: output
+
+    - name: Create services
+      community.docker.docker_swarm_service:
+        name: "{{ service_name }}"
+        image: "{{ docker_test_image_alpine }}"
+
+    - name: Try to get docker_swarm_service_info for a single service
+      community.docker.docker_swarm_service_info:
+        name: "{{ service_name }}"
+      register: output
+
+    - name: assert reading reading service info
+      ansible.builtin.assert:
+        that:
+          - 'output.exists == true'
+          - 'output.service.ID is string'
+          - 'output.service.Spec.Name == service_name'
+
+    - name: Create random name
+      ansible.builtin.set_fact:
+        random_service_name: "{{ 'random-service-%0x' % ((2**32) | random) }}"
+
+    - name: Try to get docker_swarm_service_info using random service name as parameter
+      community.docker.docker_swarm_service_info:
+        name: "{{ random_service_name }}"
+      register: output
+
+    - name: assert reading reading service info
+      ansible.builtin.assert:
+        that:
+          - 'output.service is none'
+          - 'output.exists == false'
+
+  always:
+    - name: Remove services
+      community.docker.docker_swarm_service:
+        name: "{{ service_name }}"
+        state: absent
+      ignore_errors: true
+
+    - name: Remove swarm
+      community.docker.docker_swarm:
+        state: absent
+        force: true
+
+  when: docker_py_version is version('2.0.2', '>=') and docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_swarm_service_info tests!"
+  when: not(docker_py_version is version('2.0.2', '>=') and docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_volume/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/main.yml
new file mode 100644
index 00000000..48345999
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Create random name prefix
+  ansible.builtin.set_fact:
+    name_prefix: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+    vnames: []
+
+- ansible.builtin.debug:
+    msg: "Using name prefix {{ name_prefix }}"
+
+- block:
+    - ansible.builtin.include_tasks: run-test.yml
+      with_fileglob:
+        - "tests/*.yml"
+      loop_control:
+        loop_var: test_name
+
+  always:
+    - name: "Make sure all volumes are removed"
+      community.docker.docker_volume:
+        name: "{{ item }}"
+        state: absent
+      with_items: "{{ vnames }}"
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_volume tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/run-test.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/run-test.yml
new file mode 100644
index 00000000..d077f3e3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/run-test.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Loading tasks from {{ test_name }}"
+  ansible.builtin.include_tasks: "{{ test_name }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/tests/basic.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/tests/basic.yml
new file mode 100644
index 00000000..f08259ad
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume/tasks/tests/basic.yml
@@ -0,0 +1,191 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Registering volume name
+  ansible.builtin.set_fact:
+    vname: "{{ name_prefix ~ '-basic' }}"
+- name: Registering container name
+  ansible.builtin.set_fact:
+    vnames: "{{ vnames + [vname] }}"
+
+####################################################################
+## basic ###########################################################
+####################################################################
+
+- name: Create a volume
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+  register: create_1
+
+- name: Create a volume (idempotency)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+  register: create_2
+
+- name: "Create a volume (recreate: options-changed)"
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    recreate: options-changed
+  register: create_3
+
+- name: "Create a volume (recreate: always)"
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    recreate: always
+  register: create_4
+
+- name: Remove a volume
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    state: absent
+  register: absent_1
+
+- name: Remove a volume (idempotency)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    state: absent
+  register: absent_2
+
+- ansible.builtin.assert:
+    that:
+      - create_1 is changed
+      - create_2 is not changed
+      - create_3 is not changed
+      - create_4 is changed
+      - absent_1 is changed
+      - absent_2 is not changed
+
+####################################################################
+## driver_options ##################################################
+####################################################################
+
+- name: Create a volume with options
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    driver: local
+    driver_options:
+      type: tempfs
+      device: tmpfs
+      o: size=100m,uid=1000
+  register: driver_options_1
+
+- name: Create a volume with options (idempotency)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    driver: local
+    driver_options:
+      type: tempfs
+      device: tmpfs
+      o: size=100m,uid=1000
+  register: driver_options_2
+
+- name: Create a volume with options (changed)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    driver: local
+    driver_options:
+      type: tempfs
+      device: tmpfs
+      o: size=200m,uid=1000
+  register: driver_options_3
+
+- name: "Create a volume with options (changed, recreate: options-changed)"
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    driver: local
+    driver_options:
+      type: tempfs
+      device: tmpfs
+      o: size=200m,uid=1000
+    recreate: options-changed
+  register: driver_options_4
+
+- name: Cleanup
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    state: absent
+
+- ansible.builtin.assert:
+    that:
+      - driver_options_1 is changed
+      - driver_options_2 is not changed
+      - driver_options_3 is not changed
+      - driver_options_4 is changed
+
+####################################################################
+## labels ##########################################################
+####################################################################
+
+- name: Create a volume with an invalid label
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      foo: 1.0
+  register: driver_labels_invalid
+  ignore_errors: true
+
+- name: Create a volume with labels
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.1: hello
+      ansible.test.2: world
+  register: driver_labels_1
+
+- name: Create a volume with labels (idempotency)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.2: world
+      ansible.test.1: hello
+  register: driver_labels_2
+
+- name: Create a volume with labels (less)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.1: hello
+  register: driver_labels_3
+
+- name: "Create a volume with labels (less, recreate: options-changed)"
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.1: hello
+    recreate: options-changed
+  register: driver_labels_4
+
+- name: Create a volume with labels (more)
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+  register: driver_labels_5
+
+- name: "Create a volume with labels (more, recreate: options-changed)"
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    labels:
+      ansible.test.1: hello
+      ansible.test.3: ansible
+    recreate: options-changed
+  register: driver_labels_6
+
+- name: Cleanup
+  community.docker.docker_volume:
+    name: "{{ vname }}"
+    state: absent
+
+- ansible.builtin.assert:
+    that:
+      - driver_labels_invalid is failed
+      - driver_labels_invalid.msg == "The value 1.0 for 'foo' of labels is not a string or something than can be safely converted to a string!"
+      - driver_labels_1 is changed
+      - driver_labels_2 is not changed
+      - driver_labels_3 is not changed
+      - driver_labels_4 is not changed
+      - driver_labels_5 is not changed
+      - driver_labels_6 is changed
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/aliases b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/tasks/main.yml
new file mode 100644
index 00000000..1af98db6
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/docker_volume_info/tasks/main.yml
@@ -0,0 +1,77 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+    - name: Create random volume name
+      ansible.builtin.set_fact:
+        cname: "{{ 'ansible-docker-test-%0x' % ((2**32) | random) }}"
+
+    - name: Make sure volume is not there
+      community.docker.docker_volume:
+        name: "{{ cname }}"
+        state: absent
+
+    - name: Inspect a non-present volume
+      community.docker.docker_volume_info:
+        name: "{{ cname }}"
+      register: result
+
+    - ansible.builtin.assert:
+        that:
+          - "not result.exists"
+          - "'volume' in result"
+          - "result.volume is none"
+
+    - name: Make sure volume exists
+      community.docker.docker_volume:
+        name: "{{ cname }}"
+
+    - name: Inspect a present volume
+      community.docker.docker_volume_info:
+        name: "{{ cname }}"
+      register: result
+    - name: Dump docker_volume_info result
+      ansible.builtin.debug: var=result
+
+    - name: "Comparison: use 'docker volume inspect'"
+      ansible.builtin.command: docker volume inspect "{{ cname }}"
+      register: docker_volume_inspect
+      ignore_errors: true
+    - block:
+        - ansible.builtin.set_fact:
+            docker_volume_inspect_result: "{{ docker_volume_inspect.stdout | from_json }}"
+        - name: Dump docker volume inspect result
+          ansible.builtin.debug: var=docker_volume_inspect_result
+      when: docker_volume_inspect is not failed
+
+    - name: Cleanup
+      community.docker.docker_volume:
+        name: "{{ cname }}"
+        state: absent
+
+    - ansible.builtin.assert:
+        that:
+          - result.exists
+          - "'volume' in result"
+          - "result.volume is truthy"
+
+    - ansible.builtin.assert:
+        that:
+          - "result.volume == docker_volume_inspect_result[0]"
+      when: docker_volume_inspect is not failed
+    - ansible.builtin.assert:
+        that:
+          - "'is too new. Maximum supported API version is' in docker_volume_inspect.stderr"
+      when: docker_volume_inspect is failed
+
+  when: docker_api_version is version('1.25', '>=')
+
+- ansible.builtin.fail: msg="Too old docker / docker-py version to run docker_volume_info tests!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/aliases b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/aliases
new file mode 100644
index 00000000..2e1acc0a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/files/nginx.conf b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/files/nginx.conf
new file mode 100644
index 00000000..50f92c29
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/files/nginx.conf
@@ -0,0 +1,50 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+user root;
+
+events {
+    worker_connections 16;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    error_log /dev/stdout info;
+    access_log /dev/stdout;
+
+    server {
+        listen *:5000 ssl;
+        server_name daemon-tls.ansible.com;
+        server_name_in_redirect on;
+
+        ssl_protocols TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256';
+        ssl_ecdh_curve X25519:secp521r1:secp384r1;
+        ssl_prefer_server_ciphers on;
+        ssl_certificate /etc/nginx/cert.pem;
+        ssl_certificate_key /etc/nginx/cert.key;
+
+        location / {
+            proxy_pass http://unix:/var/run/docker.sock:/;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+        }
+    }
+
+    server {
+        listen *:6000;
+        server_name daemon.ansible.com;
+        server_name_in_redirect on;
+
+        location / {
+            proxy_pass http://unix:/var/run/docker.sock:/;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+        }
+    }
+}
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/filter_plugins/filter_attr.py b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/filter_plugins/filter_attr.py
new file mode 100644
index 00000000..7db34d4e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/filter_plugins/filter_attr.py
@@ -0,0 +1,19 @@
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+
+def sanitize_host_info(data):
+    data = data.copy()
+    for key in ('SystemTime', 'NFd', 'NGoroutines', ):
+        data.pop(key, None)
+    return data
+
+
+class FilterModule:
+    def filters(self):
+        return {
+            'sanitize_host_info': sanitize_host_info,
+        }
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/meta/main.yml
new file mode 100644
index 00000000..7440275b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
+  - setup_docker_current_container_network_ip
+  - setup_openssl
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/tasks/main.yml
new file mode 100644
index 00000000..ef88fb46
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/tasks/main.yml
@@ -0,0 +1,223 @@
+---
+# Copyright (c) 2022 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Create random nginx frontend name
+  ansible.builtin.set_fact:
+    daemon_nginx_frontend: '{{ "ansible-docker-test-daemon-frontend-%0x" % ((2**32) | random) }}'
+
+- block:
+    - name: Create volume for config files
+      community.docker.docker_volume:
+        name: '{{ daemon_nginx_frontend }}'
+        state: present
+
+    - name: Create container for nginx frontend for daemon
+      community.docker.docker_container:
+        state: stopped
+        name: '{{ daemon_nginx_frontend }}'
+        image: "{{ docker_test_image_registry_nginx }}"
+        volumes:
+          - '{{ daemon_nginx_frontend }}:/etc/nginx/'
+          - '/var/run/docker.sock:/var/run/docker.sock'
+        network_mode: '{{ current_container_network_ip | default(omit, true) }}'
+        networks: >-
+          {{
+            [dict([['name', current_container_network_ip]])]
+            if current_container_network_ip not in ['', 'bridge'] else omit
+          }}
+      register: nginx_container
+
+    - name: Copy config files
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "{{ remote_tmp_dir }}/{{ item }}"
+        mode: "0644"
+      loop:
+        - nginx.conf
+
+    - name: Copy static files into volume
+      community.docker.docker_container_copy_into:
+        container: '{{ daemon_nginx_frontend }}'
+        path: '{{ remote_tmp_dir }}/{{ item }}'
+        container_path: '/etc/nginx/{{ item }}'
+        owner_id: 0
+        group_id: 0
+      loop:
+        - nginx.conf
+      register: can_copy_files
+      ignore_errors: true
+
+    - when: can_copy_files is not failed
+      block:
+
+        - name: Create private keys
+          community.crypto.openssl_privatekey:
+            path: '{{ remote_tmp_dir }}/{{ item }}.key'
+            type: ECC
+            curve: secp256r1
+            force: true
+          loop:
+            - cert
+            - ca
+
+        - name: Create CSR for CA certificate
+          community.crypto.openssl_csr:
+            path: '{{ remote_tmp_dir }}/ca.csr'
+            privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+            subject:
+              commonName: Ansible test CA for Docker HTTPS connection tests
+            useCommonNameForSAN: false
+            basic_constraints:
+              - 'CA:TRUE'
+            basic_constraints_critical: true
+            key_usage:
+              - digitalSignature
+              - Certificate Sign
+            key_usage_critical: true
+            extended_key_usage:
+              - serverAuth  # the same as "TLS Web Server Authentication"
+            extended_key_usage_critical: true
+
+        - name: Create CA certificate
+          community.crypto.x509_certificate:
+            path: '{{ remote_tmp_dir }}/ca.pem'
+            csr_path: '{{ remote_tmp_dir }}/ca.csr'
+            privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+            provider: selfsigned
+
+        - name: Create CSR for frontend certificate
+          community.crypto.openssl_csr:
+            path: '{{ remote_tmp_dir }}/cert.csr'
+            privatekey_path: '{{ remote_tmp_dir }}/cert.key'
+            subject_alt_name:
+              - DNS:daemon-tls.ansible.com
+            subject_alt_name_critical: true
+
+        - name: Create frontend certificate
+          community.crypto.x509_certificate:
+            path: '{{ remote_tmp_dir }}/cert.pem'
+            csr_path: '{{ remote_tmp_dir }}/cert.csr'
+            privatekey_path: '{{ remote_tmp_dir }}/cert.key'
+            ownca_path: '{{ remote_tmp_dir }}/ca.pem'
+            ownca_privatekey_path: '{{ remote_tmp_dir }}/ca.key'
+            provider: ownca
+
+        - name: Copy dynamic files into volume
+          community.docker.docker_container_copy_into:
+            container: '{{ daemon_nginx_frontend }}'
+            path: '{{ remote_tmp_dir }}/{{ item }}'
+            container_path: '/etc/nginx/{{ item }}'
+            owner_id: 0
+            group_id: 0
+          loop:
+            - ca.pem
+            - cert.pem
+            - cert.key
+
+        - name: Start nginx frontend for daemon
+          community.docker.docker_container:
+            name: '{{ daemon_nginx_frontend }}'
+            state: started
+          register: nginx_container
+
+        - name: Output nginx container network settings
+          ansible.builtin.debug:
+            var: nginx_container.container.NetworkSettings
+
+        - name: Get proxied daemon URLs
+          ansible.builtin.set_fact:
+            # Since Docker 29, nginx_container.container.NetworkSettings.IPAddress no longer exists.
+            # Use the bridge network's IP address instead...
+            docker_daemon_frontend_https: >-
+              https://{{
+                nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress
+                if current_container_network_ip else (
+                  nginx_container.container.NetworkSettings.IPAddress
+                  | default(nginx_container.container.NetworkSettings.Networks['bridge'].IPAddress)
+                )
+              }}:5000
+            docker_daemon_frontend_http: >-
+              http://{{
+                nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress
+                if current_container_network_ip else (
+                  nginx_container.container.NetworkSettings.IPAddress
+                  | default(nginx_container.container.NetworkSettings.Networks['bridge'].IPAddress)
+                )
+              }}:6000
+
+        - name: Wait for registry frontend
+          ansible.builtin.uri:
+            url: '{{ docker_daemon_frontend_http }}/version'
+          register: result
+          until: result is success
+          retries: 5
+          delay: 1
+
+        - name: Get docker daemon information directly
+          community.docker.docker_host_info:
+          register: output_direct
+
+        - name: Show direct host info
+          ansible.builtin.debug:
+            var: output_direct.host_info | sanitize_host_info
+
+        - name: Get docker daemon information via HTTP
+          community.docker.docker_host_info:
+            docker_host: '{{ docker_daemon_frontend_http }}'
+          register: output_http
+
+        - name: Show HTTP host info
+          ansible.builtin.debug:
+            var: output_http.host_info | sanitize_host_info
+
+        - name: Check that information matches
+          ansible.builtin.assert:
+            that:
+              - (output_direct.host_info | sanitize_host_info) == (output_http.host_info | sanitize_host_info)
+
+        - name: Get docker daemon information via HTTPS
+          community.docker.docker_host_info:
+            docker_host: '{{ docker_daemon_frontend_https }}'
+            tls_hostname: daemon-tls.ansible.com
+            ca_cert: '{{ remote_tmp_dir }}/ca.pem'
+            tls: true
+            validate_certs: true
+          register: output_https
+
+        - name: Show HTTPS host info
+          ansible.builtin.debug:
+            var: output_https.host_info | sanitize_host_info
+
+        - name: Check that information matches
+          ansible.builtin.assert:
+            that:
+              - (output_direct.host_info | sanitize_host_info) == (output_https.host_info | sanitize_host_info)
+
+  always:
+    - name: Obtain logs from the nginx frontend
+      ansible.builtin.command: docker logs {{ daemon_nginx_frontend }}
+      register: output
+      ignore_errors: true
+    - ansible.builtin.debug:
+        var: output.stdout_lines
+      ignore_errors: true
+
+    - name: Remove container
+      community.docker.docker_container:
+        state: absent
+        name: '{{ daemon_nginx_frontend }}'
+        force_kill: true
+      ignore_errors: true
+
+    - name: Remove volume
+      community.docker.docker_volume:
+        name: '{{ daemon_nginx_frontend }}'
+        state: absent
+      ignore_errors: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/vars/main.yml
new file mode 120000
index 00000000..bacffb83
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_connection_tests/vars/main.yml
@@ -0,0 +1 @@
+../../setup_docker/vars/main.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/aliases b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/aliases
new file mode 100644
index 00000000..bf8cd7ed
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/aliases
@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
+needs/root
+needs/ssh
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/meta/main.yml
new file mode 100644
index 00000000..ee4a358c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_paramiko
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/tasks/main.yml
new file mode 100644
index 00000000..31939390
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/generic_ssh_connection/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Get docker daemon information directly
+  community.docker.docker_host_info:
+  register: output
+
+- name: Make sure we got information
+  ansible.builtin.assert:
+    that:
+      - 'output.host_info.Name is string'
+      - 'output.containers is not defined'
+      - 'output.networks is not defined'
+      - 'output.volumes is not defined'
+      - 'output.images is not defined'
+      - 'output.disk_usage is not defined'
+
+- name: Show contents of ~/.ssh
+  ansible.builtin.command: ls -lah ~/.ssh
+  ignore_errors: true
+
+- name: Recover home directory on remote
+  ansible.builtin.command: echo $HOME
+  register: remote_home
+
+- name: Print remote home directory
+  ansible.builtin.debug:
+    var: remote_home.stdout
+
+- name: Create SSH config
+  ansible.builtin.copy:
+    dest: "{{ remote_home.stdout }}/.ssh/config"
+    mode: '0600'
+    content: |
+      Host localhost
+      User root
+      IdentityFile ~/.ssh/id_rsa
+
+- name: Get docker daemon information via ssh (paramiko) to localhost
+  community.docker.docker_host_info:
+    docker_host: "ssh://root@localhost"
+  register: output
+  ignore_errors: true
+
+- name: Make sure we got information
+  ansible.builtin.assert:
+    that:
+      - 'output.host_info.Name is string'
+      - 'output.containers is not defined'
+      - 'output.networks is not defined'
+      - 'output.volumes is not defined'
+      - 'output.images is not defined'
+      - 'output.disk_usage is not defined'
+  when: output is succeeded or 'Failed to import the required Python library (paramiko)' not in output.msg
+  # Sometimes paramiko being installed isn't enough: importing it can fail
+  # due to 'ImportError: No module named x25519' when it executes
+  # `from cryptography.hazmat.primitives.asymmetric.x25519 import ...`.
+
+- name: Get docker daemon information via ssh (OpenSSH) to localhost
+  community.docker.docker_host_info:
+    docker_host: "ssh://root@localhost"
+    use_ssh_client: true
+  register: output
+
+- name: Make sure we got information
+  ansible.builtin.assert:
+    that:
+      - output is succeeded
+      - 'output.host_info.Name is string'
+      - 'output.containers is not defined'
+      - 'output.networks is not defined'
+      - 'output.volumes is not defined'
+      - 'output.images is not defined'
+      - 'output.disk_usage is not defined'
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/aliases b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/aliases
new file mode 100644
index 00000000..1485e0b2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/4
+destructive
+needs/root
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_1.docker.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_1.docker.yml
new file mode 100644
index 00000000..83fd6260
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_1.docker.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_containers
+docker_host: unix://var/run/docker.sock
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_2.docker.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_2.docker.yml
new file mode 100644
index 00000000..98349507
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/inventory_2.docker.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_containers
+docker_host: unix://var/run/docker.sock
+connection_type: ssh
+verbose_output: true
+add_legacy_groups: true
+default_ip: 1.2.3.4
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/meta/main.yml
new file mode 100644
index 00000000..471ddd41
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_cleanup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_cleanup.yml
new file mode 100644
index 00000000..ac45d40d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_cleanup.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  gather_facts: true
+  tasks:
+    - name: remove docker containers
+      community.docker.docker_container:
+        name: "{{ item }}"
+        state: absent
+        force_kill: true
+      loop:
+        - ansible-docker-test-docker-inventory-container-1
+        - ansible-docker-test-docker-inventory-container-2
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_setup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_setup.yml
new file mode 100644
index 00000000..cfe834fe
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/docker_setup.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Setup docker
+      ansible.builtin.import_role:
+        name: setup_docker  # noqa: syntax-check[specific]
+
+    - name: Setup Docker Python deps
+      ansible.builtin.import_role:
+        name: setup_docker_python_deps  # noqa: syntax-check[specific]
+
+    - name: Start containers
+      community.docker.docker_container:
+        name: "{{ item.name }}"
+        image: "{{ docker_test_image_alpine }}"
+        state: started
+        command: '/bin/sh -c "sleep 10m"'
+        published_ports:
+          - 22/tcp
+        labels:
+          foo: !unsafe 'EVALU{{ "" }}ATED'
+      loop:
+        - name: ansible-docker-test-docker-inventory-container-1
+        - name: ansible-docker-test-docker-inventory-container-2
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_1.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_1.yml
new file mode 100644
index 00000000..d868772b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_1.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  gather_facts: false
+  tasks:
+    - name: Show all groups
+      ansible.builtin.debug:
+        var: groups
+    - name: Make sure that the default groups are there, but no others
+      ansible.builtin.assert:
+        that:
+          - groups.all | length >= 2
+          - groups.ungrouped | length >= 2
+          - groups | length == 2
+
+- hosts: all
+  gather_facts: false
+  tasks:
+    - when:
+        # When the integration tests are run inside a docker container, there
+        # will be other containers.
+        - inventory_hostname.startswith('ansible-docker-test-docker-inventory-container-')
+      block:
+        - name: Run raw command
+          ansible.builtin.raw: ls /
+          register: output
+
+        - name: Check whether we have some directories we expect in the output
+          ansible.builtin.assert:
+            that:
+              - "'bin' in output.stdout_lines"
+              - "'dev' in output.stdout_lines"
+              - "'lib' in output.stdout_lines"
+              - "'proc' in output.stdout_lines"
+              - "'sys' in output.stdout_lines"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_2.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_2.yml
new file mode 100644
index 00000000..21354de4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/playbooks/test_inventory_2.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  gather_facts: false
+  tasks:
+    - name: Show all groups
+      ansible.builtin.debug:
+        var: groups
+    - name: Load variables
+      ansible.builtin.include_vars: ../../setup_docker/vars/main.yml
+    - name: Make sure that the expected groups are there
+      ansible.builtin.assert:
+        that:
+          - groups.all | length >= 2
+          - groups.ungrouped | length >= 0
+          - groups.running | length >= 2
+          - groups.stopped | length >= 0
+          - groups['image_' ~ docker_test_image_alpine] | length == 2
+          - groups['ansible-docker-test-docker-inventory-container-1'] | length == 1
+          - groups['ansible-docker-test-docker-inventory-container-2'] | length == 1
+          - groups['unix://var/run/docker.sock'] | length >= 2
+          - groups | length >= 12
+          # The four additional groups are IDs and short IDs of the containers.
+          # When the integration tests are run inside a docker container, there
+          # will be more groups (for the additional container(s)).
+
+- hosts: all
+  # We don't really want to connect to the nodes, since we have no SSH daemon running on them
+  connection: local
+  vars:
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  gather_facts: false
+  tasks:
+    - name: Show all variables
+      ansible.builtin.debug:
+        var: hostvars[inventory_hostname]
+    - name: Make sure SSH is set up
+      ansible.builtin.assert:
+        that:
+          - ansible_ssh_host == '1.2.3.4'
+          - ansible_ssh_port == docker_networksettings.Ports['22/tcp'][0].HostPort
+      when:
+        # When the integration tests are run inside a docker container, there
+        # will be other containers.
+        - inventory_hostname.startswith('ansible-docker-test-docker-inventory-container-')
+    - name: Write labels into file
+      ansible.builtin.copy:
+        dest: "/tmp/{{ inventory_hostname }}-labels.txt"
+        content: |-
+          {{ docker_config.Labels }}
+      delegate_to: localhost
+      when:
+        # When the integration tests are run inside a docker container, there
+        # will be other containers.
+        - inventory_hostname.startswith('ansible-docker-test-docker-inventory-container-')
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/runme.sh b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/runme.sh
new file mode 100755
index 00000000..318275d9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_containers/runme.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[[ -n "$DEBUG" || -n "$ANSIBLE_DEBUG" ]] && set -x
+
+set -euo pipefail
+
+cleanup() {
+    echo "Cleanup"
+    ansible-playbook playbooks/docker_cleanup.yml "$@"
+    echo "Done"
+}
+
+trap cleanup INT TERM EXIT
+
+echo "Setup"
+ANSIBLE_ROLES_PATH=.. ansible-playbook  playbooks/docker_setup.yml "$@"
+
+echo "Test docker_containers inventory 1"
+ansible-playbook -i inventory_1.docker.yml playbooks/test_inventory_1.yml "$@"
+
+echo "Test docker_containers inventory 2"
+rm -f /tmp/ansible-docker-test-docker-inventory-container-*-labels.txt
+ansible-playbook -i inventory_2.docker.yml playbooks/test_inventory_2.yml "$@"
+
+echo "Validate that 'EVALUATED' does not appear in the labels"
+for FILENAME in /tmp/ansible-docker-test-docker-inventory-container-*-labels.txt; do
+  grep -qv EVALUATED "${FILENAME}" || ( echo "${FILENAME} contains EVALUATED!" && exit 1 )
+done
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/aliases b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/aliases
new file mode 100644
index 00000000..956df459
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/aliases
@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+disabled
+destructive
+needs/root
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/docker-machine b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/docker-machine
new file mode 100644
index 00000000..40ef76e7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/docker-machine
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Mock Docker Machine wrapper for testing purposes
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[ "$MOCK_ERROR_IN" == "$1" ] && echo >&2 "Mock Docker Machine error" && exit 1
+case $1 in
+    env)
+        cat <<'EOF'
+export DOCKER_TLS_VERIFY="1"
+export DOCKER_HOST="tcp://134.209.204.160:2376"
+export DOCKER_CERT_PATH="/root/.docker/machine/machines/routinator"
+export DOCKER_MACHINE_NAME="routinator"
+# Run this command to configure your shell:
+# eval $(docker-machine env --shell=bash routinator)
+EOF
+        ;;
+
+    *)
+        /usr/bin/docker-machine $*
+        ;;
+esac
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_1.docker_machine.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_1.docker_machine.yml
new file mode 100644
index 00000000..f8fc6b0c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_1.docker_machine.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_machine
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_2.docker_machine.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_2.docker_machine.yml
new file mode 100644
index 00000000..817c5578
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_2.docker_machine.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_machine
+daemon_env: require
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_3.docker_machine.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_3.docker_machine.yml
new file mode 100644
index 00000000..95a6e827
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/inventory_3.docker_machine.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_machine
+daemon_env: optional
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/meta/main.yml
new file mode 100644
index 00000000..5769ff1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/pre-setup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/pre-setup.yml
new file mode 100644
index 00000000..88ec9b91
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/pre-setup.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  tasks:
+    - name: Setup docker
+      ansible.builtin.include_role:
+        name: setup_docker  # noqa: syntax-check[specific]
+
+    - name: Setup Docker Python deps
+      ansible.builtin.import_role:
+        name: setup_docker_python_deps  # noqa: syntax-check[specific]
+
+    # There seems to be no better way to install docker-machine. At least I couldn't find any packages for RHEL7/8.
+    - name: Download docker-machine binary
+      vars:
+        docker_machine_version: "0.16.1"
+      ansible.builtin.get_url:
+        url: "https://github.com/docker/machine/releases/download/v{{ docker_machine_version }}/docker-machine-{{ ansible_system }}-{{ ansible_userspace_architecture }}"
+        dest: /tmp/docker-machine
+    - name: Install docker-machine binary
+      ansible.builtin.command: install /tmp/docker-machine /usr/bin/docker-machine
+      become: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/setup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/setup.yml
new file mode 100644
index 00000000..70d086ba
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/setup.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  tasks:
+    - name: Request Docker Machine to use this machine as a generic VM
+      ansible.builtin.command: "docker-machine --debug create \
+        --driver generic \
+        --generic-ip-address=localhost \
+        --generic-ssh-key {{ lookup('env', 'HOME') }}/.ssh/id_rsa \
+        --generic-ssh-user root \
+        vm"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/teardown.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/teardown.yml
new file mode 100644
index 00000000..87e33a38
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/teardown.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  tasks:
+    - name: Request Docker Machine to remove this machine as a generic VM
+      ansible.builtin.command: "docker-machine rm vm -f"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/test_inventory_1.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/test_inventory_1.yml
new file mode 100644
index 00000000..4de8c15e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/playbooks/test_inventory_1.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  gather_facts: false
+  tasks:
+    - name: sanity check Docker Machine output
+      vars:
+        dm_ls_format: !unsafe '{{.Name}} | {{.DriverName}} | {{.State}} | {{.URL}} | {{.Error}}'  # noqa: jinja[invalid]
+        success_regex: "^vm | [^|]+ | Running | tcp://.+ |$"
+      ansible.builtin.command: docker-machine ls --format '{{ dm_ls_format }}'
+      register: result
+      failed_when: result.rc != 0 or result.stdout is not match(success_regex)
+
+    - name: verify Docker Machine ip
+      ansible.builtin.command: docker-machine ip vm
+      register: result
+      failed_when: result.rc != 0 or result.stdout != hostvars['vm'].ansible_host
+
+    - name: verify Docker Machine env
+      ansible.builtin.command: docker-machine env --shell=sh vm
+      register: result
+
+    - ansible.builtin.debug: var=result.stdout
+
+    - ansible.builtin.assert:
+        that:
+          - "'DOCKER_TLS_VERIFY=\"{{ hostvars['vm'].dm_DOCKER_TLS_VERIFY }}\"' in result.stdout"
+          - "'DOCKER_HOST=\"{{ hostvars['vm'].dm_DOCKER_HOST }}\"' in result.stdout"
+          - "'DOCKER_CERT_PATH=\"{{ hostvars['vm'].dm_DOCKER_CERT_PATH }}\"' in result.stdout"
+          - "'DOCKER_MACHINE_NAME=\"{{ hostvars['vm'].dm_DOCKER_MACHINE_NAME }}\"' in result.stdout"
+
+- hosts: vm
+  gather_facts: false
+  tasks:
+    - name: do something to verify that accept-new ssh setting was applied by the docker-machine inventory plugin
+      ansible.builtin.raw: uname -a
+      register: result
+
+    - ansible.builtin.debug: var=result.stdout
+
+- hosts: 127.0.0.1
+  gather_facts: false
+  environment:
+    DOCKER_CERT_PATH: "{{ hostvars['vm'].dm_DOCKER_CERT_PATH }}"
+    DOCKER_HOST: "{{ hostvars['vm'].dm_DOCKER_HOST }}"
+    DOCKER_MACHINE_NAME: "{{ hostvars['vm'].dm_DOCKER_MACHINE_NAME }}"
+    DOCKER_TLS_VERIFY: "{{ hostvars['vm'].dm_DOCKER_TLS_VERIFY }}"
+  tasks:
+    - name: run a Docker container on the target Docker Machine host to verify that Docker daemon connection settings from the docker-machine inventory plugin work as expected
+      community.docker.docker_container:
+        name: test
+        image: "{{ docker_test_image_hello_world }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/runme.sh b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/runme.sh
new file mode 100755
index 00000000..5d00aa66
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/runme.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+SCRIPT_DIR=$(dirname "$0")
+
+echo "Who am I:    $(whoami)"
+echo "Home:        ${HOME}"
+echo "PWD:         $(pwd)"
+echo "Script dir:  ${SCRIPT_DIR}"
+
+# restrict Ansible just to our inventory plugin, to prevent inventory data being matched by the test but being provided
+# by some other dynamic inventory provider
+export ANSIBLE_INVENTORY_ENABLED=docker_machine
+
+[[ -n "$DEBUG" || -n "$ANSIBLE_DEBUG" ]] && set -x
+
+set -euo pipefail
+
+SAVED_PATH="$PATH"
+
+cleanup() {
+    PATH="${SAVED_PATH}"
+    echo "Cleanup"
+    ansible-playbook -i teardown.docker_machine.yml playbooks/teardown.yml "$@"
+    echo "Done"
+}
+
+trap cleanup INT TERM EXIT
+
+echo "Pre-setup (install docker, docker-machine)"
+ANSIBLE_ROLES_PATH=.. ansible-playbook playbooks/pre-setup.yml "$@"
+
+echo "Print docker-machine version"
+docker-machine --version
+
+echo "Check preconditions"
+# Host should NOT be known to Ansible before the test starts
+ansible-inventory -i inventory_1.docker_machine.yml --host vm >/dev/null && exit 1
+
+echo "Test that the docker_machine inventory plugin is being loaded"
+ANSIBLE_DEBUG=yes ansible-inventory -i inventory_1.docker_machine.yml --list | grep -F "Loading InventoryModule 'docker_machine'"
+
+echo "Setup"
+ansible-playbook playbooks/setup.yml "$@"
+
+echo "Test docker_machine inventory 1"
+ansible-playbook -i inventory_1.docker_machine.yml playbooks/test_inventory_1.yml "$@"
+
+echo "Activate Docker Machine mock"
+PATH=${SCRIPT_DIR}:$PATH
+
+echo "Test docker_machine inventory 2: daemon_env=require daemon env success=yes"
+ansible-inventory -i inventory_2.docker_machine.yml --list
+
+echo "Test docker_machine inventory 2: daemon_env=require daemon env success=no"
+export MOCK_ERROR_IN=env
+ansible-inventory -i inventory_2.docker_machine.yml --list
+unset MOCK_ERROR_IN
+
+echo "Test docker_machine inventory 3: daemon_env=optional daemon env success=yes"
+ansible-inventory -i inventory_3.docker_machine.yml --list
+
+echo "Test docker_machine inventory 3: daemon_env=optional daemon env success=no"
+export MOCK_ERROR_IN=env
+ansible-inventory -i inventory_2.docker_machine.yml --list
+unset MOCK_ERROR_IN
+
+echo "Deactivate Docker Machine mock"
+PATH="${SAVED_PATH}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/teardown.docker_machine.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/teardown.docker_machine.yml
new file mode 100644
index 00000000..d1ce95ce
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_machine/teardown.docker_machine.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_machine
+daemon_env: skip
+running_required: false
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/aliases b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/aliases
new file mode 100644
index 00000000..50e0e5f3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/2
+destructive
+needs/root
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_1.docker_swarm.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_1.docker_swarm.yml
new file mode 100644
index 00000000..4371f6c1
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_1.docker_swarm.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_swarm
+docker_host: unix://var/run/docker.sock
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_2.docker_swarm.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_2.docker_swarm.yml
new file mode 100644
index 00000000..35fe21bf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/inventory_2.docker_swarm.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+plugin: community.docker.docker_swarm
+docker_host: unix://var/run/docker.sock
+verbose_output: false
+include_host_uri: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/meta/main.yml
new file mode 100644
index 00000000..6407d95b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_docker_sdk_for_python
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_cleanup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_cleanup.yml
new file mode 100644
index 00000000..dc6f50a0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_cleanup.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  gather_facts: true
+  tasks:
+    - name: Make sure swarm is removed
+      community.docker.docker_swarm:
+        state: absent
+        force: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_setup.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_setup.yml
new file mode 100644
index 00000000..be1216f4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/swarm_setup.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local
+  vars:
+    docker_skip_cleanup: true
+
+  tasks:
+    - name: Setup docker
+      ansible.builtin.import_role:
+        name: setup_docker  # noqa: syntax-check[specific]
+
+    - name: Setup Docker SDK for Python
+      ansible.builtin.import_role:
+        name: setup_docker_sdk_for_python
+
+    - name: Create a Swarm cluster
+      community.docker.docker_swarm:
+        state: present
+        advertise_addr: "{{ ansible_default_ipv4.address | default('127.0.0.1') }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_1.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_1.yml
new file mode 100644
index 00000000..def91ea5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_1.yml
@@ -0,0 +1,62 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  gather_facts: false
+  tasks:
+    - name: Show all groups
+      ansible.builtin.debug:
+        var: groups
+    - name: Make sure docker_swarm groups are there
+      ansible.builtin.assert:
+        that:
+          - groups.all | length > 0
+          - groups.leader | length == 1
+          - groups.manager | length > 0
+          - groups.worker | length >= 0
+          - groups.nonleaders | length >= 0
+
+- hosts: all
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  vars:
+    # for some reason, Ansible can't find the Python interpreter when connecting to the nodes,
+    # which is in fact just localhost in disguise. That's why we use ansible_playbook_python.
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  tasks:
+    - name: Check for groups
+      ansible.builtin.assert:
+        that:
+          - "groups.manager | length > 0"
+          - "groups.worker | length >= 0"
+          - "groups.leader | length == 1"
+      run_once: true
+
+    - name: List manager group
+      ansible.builtin.debug:
+        var: groups.manager
+      run_once: true
+
+    - name: List worker group
+      ansible.builtin.debug:
+        var: groups.worker
+      run_once: true
+
+    - name: List leader group
+      ansible.builtin.debug:
+        var: groups.leader
+      run_once: true
+
+    - name: Print ansible_host per host
+      ansible.builtin.debug:
+        var: ansible_host
+
+    - name: Make sure docker_swarm_node_attributes is available
+      ansible.builtin.assert:
+        that:
+          - docker_swarm_node_attributes is not undefined
+    - name: Print docker_swarm_node_attributes per host
+      ansible.builtin.debug:
+        var: docker_swarm_node_attributes
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_2.yml b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_2.yml
new file mode 100644
index 00000000..dfcd8bbf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/playbooks/test_inventory_2.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: 127.0.0.1
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  gather_facts: false
+  tasks:
+    - name: Show all groups
+      ansible.builtin.debug:
+        var: groups
+    - name: Make sure docker_swarm groups are there
+      ansible.builtin.assert:
+        that:
+          - groups.all | length > 0
+          - groups.leader | length == 1
+          - groups.manager | length > 0
+          - groups.worker | length >= 0
+          - groups.nonleaders | length >= 0
+
+- hosts: all
+  connection: local  # otherwise Ansible will complain that it cannot connect via ssh to 127.0.0.1:22
+  vars:
+    # for some reason, Ansible can't find the Python interpreter when connecting to the nodes,
+    # which is in fact just localhost in disguise. That's why we use ansible_playbook_python.
+    ansible_python_interpreter: "{{ ansible_playbook_python }}"
+  tasks:
+    - name: Make sure docker_swarm_node_attributes is not available
+      ansible.builtin.assert:
+        that:
+          - docker_swarm_node_attributes is undefined
+    - name: Make sure ansible_host_uri is available
+      ansible.builtin.assert:
+        that:
+          - ansible_host_uri is defined
+    - name: Print ansible_host_uri
+      ansible.builtin.debug:
+        var: ansible_host_uri
diff --git a/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/runme.sh b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/runme.sh
new file mode 100755
index 00000000..1759b888
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/inventory_docker_swarm/runme.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[[ -n "$DEBUG" || -n "$ANSIBLE_DEBUG" ]] && set -x
+
+set -euo pipefail
+
+cleanup() {
+    echo "Cleanup"
+    ansible-playbook playbooks/swarm_cleanup.yml "$@"
+    echo "Done"
+}
+
+trap cleanup INT TERM EXIT
+
+echo "Setup"
+ANSIBLE_ROLES_PATH=.. ansible-playbook  playbooks/swarm_setup.yml "$@"
+
+echo "Test docker_swarm inventory 1"
+ansible-playbook -i inventory_1.docker_swarm.yml playbooks/test_inventory_1.yml "$@"
+
+echo "Test docker_swarm inventory 2"
+ansible-playbook -i inventory_2.docker_swarm.yml playbooks/test_inventory_2.yml "$@"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_docker/aliases
new file mode 100644
index 00000000..0a430dff
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/setup_epel
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/defaults/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/defaults/main.yml
new file mode 100644
index 00000000..412fc564
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_cli_version: '0.0'
+docker_api_version: '0.0'
+docker_skip_cleanup: true
+docker_prereq_packages: []
+docker_packages:
+  - docker-ce
+docker_cli_packages:
+  - docker-ce-cli
+
+docker_cleanup_packages:
+  - docker
+  - docker-ce
+  - docker-ce-cli
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/handlers/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/handlers/main.yml
new file mode 100644
index 00000000..fc526152
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Remove docker packages
+  action: "{{ ansible_facts.pkg_mgr }}"
+  args:
+    name: "{{ docker_cleanup_packages }}"
+    state: absent
+  listen: cleanup docker
+  when: not docker_skip_cleanup
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/meta/main.yml
new file mode 100644
index 00000000..d4a5c7d0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Alpine.yml
new file mode 100644
index 00000000..ebfc929f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Alpine.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker
+  community.general.apk:
+    name:
+      - docker
+    update_cache: true
+  notify: cleanup docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Archlinux.yml
new file mode 100644
index 00000000..3a67ff2b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Archlinux.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker
+  community.general.pacman:
+    name: docker
+    update_cache: true
+  notify: cleanup docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Debian.yml
new file mode 100644
index 00000000..0f9bc958
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Debian.yml
@@ -0,0 +1,70 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Get OS version
+  ansible.builtin.command: uname -r
+  register: os_version
+
+- name: Install pre-reqs
+  ansible.builtin.apt:
+    name: '{{ docker_prereq_packages }}'
+    state: present
+    update_cache: true
+  notify: cleanup docker
+
+- when:
+    - (ansible_facts.distribution == "Ubuntu" and (ansible_facts.distribution_major_version | int) >= 22) or
+      (ansible_facts.distribution == "Debian" and (ansible_facts.distribution_major_version | int) >= 12)
+  name: Add Docker repo on Ubuntu 22+ or Debian 12+
+  block:
+    - name: Add gpg key
+      ansible.builtin.get_url:
+        url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
+        dest: /etc/apt/keyrings/docker.asc
+
+    - name: Add Docker repo
+      ansible.builtin.apt_repository:
+        repo: deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+        state: present
+
+- when:
+    - (ansible_facts.distribution == "Ubuntu" and (ansible_facts.distribution_major_version | int) < 22) or
+      (ansible_facts.distribution == "Debian" and (ansible_facts.distribution_major_version | int) < 12)
+  name: Add Docker repo on Ubuntu 20 or before, or Debian 11 or before
+  block:
+    - name: Add gpg key
+      ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg >key && apt-key add key  # noqa: command-instead-of-module
+
+    - name: Add Docker repo
+      ansible.builtin.apt_repository:
+        repo: deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable
+        state: present
+
+- block:
+    - name: Prevent service restart
+      ansible.builtin.copy:
+        content: exit 101
+        dest: /usr/sbin/policy-rc.d
+        backup: true
+        mode: '0755'
+      register: policy_rc_d
+
+    - name: Install Docker CE
+      ansible.builtin.apt:
+        name: '{{ docker_packages if needs_docker_daemon else docker_cli_packages }}'
+        state: present
+
+  always:
+    - name: Restore /usr/sbin/policy-rc.d (if needed)
+      ansible.builtin.command: mv {{ policy_rc_d.backup_file }} /usr/sbin/policy-rc.d
+      when:
+        - '"backup_file" in policy_rc_d'
+
+    - name: Remove /usr/sbin/policy-rc.d (if needed)
+      ansible.builtin.file:
+        path: /usr/sbin/policy-rc.d
+        state: absent
+      when:
+        - '"backup_file" not in policy_rc_d'
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Fedora.yml
new file mode 100644
index 00000000..738a9db1
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Fedora.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import GPG key
+  ansible.builtin.rpm_key:
+    key: https://download.docker.com/linux/fedora/gpg
+    state: present
+
+- name: Add repository
+  ansible.builtin.yum_repository:
+    file: docker-ce
+    name: docker-ce-stable
+    description: Docker CE Stable - $basearch
+    baseurl: https://download.docker.com/linux/fedora/{{ 31 if ansible_facts.distribution_major_version | int > 31 else '$releasever' }}/$basearch/stable
+    enabled: true
+    gpgcheck: true
+
+- name: Update cache
+  ansible.builtin.command: dnf makecache
+
+- name: Install docker
+  ansible.builtin.dnf:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    state: present
+    enablerepo: docker-ce-test
+  notify: cleanup docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-10.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-10.yml
new file mode 100644
index 00000000..24386bad
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-10.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The RHEL extras repository must be enabled to provide the container-selinux package.
+# See: https://docs.docker.com/engine/installation/linux/docker-ee/rhel/#install-using-the-repository
+
+- name: Install Docker pre-reqs
+  ansible.builtin.dnf:
+    name: "{{ docker_prereq_packages }}"
+    state: present
+  notify: cleanup docker
+  register: result
+  until: result is success
+  retries: 10
+  delay: 2
+
+# Docker broke their .repo file, so we set it up ourselves
+- name: Set-up repository
+  ansible.builtin.yum_repository:
+    name: docker-ce
+    description: docker-ce
+    baseurl: https://download.docker.com/linux/rhel/{{ ansible_facts.distribution_major_version }}/$basearch/stable
+    gpgcheck: true
+    gpgkey: https://download.docker.com/linux/rhel/gpg
+
+- name: Install docker
+  ansible.builtin.dnf:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    state: present
+  notify: cleanup docker
+
+- name: Make sure the docker daemon is running (failure expected inside docker container)
+  ansible.builtin.service:
+    name: docker
+    state: started
+  ignore_errors: "{{ ansible_virtualization_type in ['docker', 'container', 'containerd'] }}"
+  when: needs_docker_daemon
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-7.yml
new file mode 100644
index 00000000..b4315b12
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-7.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The RHEL extras repository must be enabled to provide the container-selinux package.
+# See: https://docs.docker.com/engine/installation/linux/docker-ee/rhel/#install-using-the-repository
+
+- name: Install Docker pre-reqs
+  ansible.builtin.dnf:
+    name: "{{ docker_prereq_packages }}"
+    state: present
+  notify: cleanup docker
+
+- name: Install epel repo which is missing on rhel-7 and is needed for pigz (needed for docker-ce 18)
+  ansible.builtin.include_role:
+    name: setup_epel
+
+- name: Enable extras repository for RHEL on AWS
+  # RHEL 7.6 uses REGION-rhel-server-extras and RHEL 7.7+ use rhel-7-server-rhui-extras-rpms
+  ansible.builtin.command: yum-config-manager --enable REGION-rhel-server-extras rhel-7-server-rhui-extras-rpms
+
+# Docker broke their .repo file, so we set it up ourselves
+- name: Set-up repository
+  ansible.builtin.yum_repository:
+    name: docker-ce
+    description: docker-ce
+    baseurl: https://download.docker.com/linux/centos/{{ ansible_facts.distribution_major_version }}/$basearch/stable
+    gpgcheck: true
+    gpgkey: https://download.docker.com/linux/centos/gpg
+
+- name: Update cache
+  ansible.builtin.command: yum -y makecache fast  # noqa: command-instead-of-module
+
+- name: Install docker
+  ansible.builtin.dnf:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    state: present
+  notify: cleanup docker
+
+- name: Make sure the docker daemon is running (failure expected inside docker container)
+  ansible.builtin.service:
+    name: docker
+    state: started
+  ignore_errors: "{{ ansible_virtualization_type in ['docker', 'container', 'containerd'] }}"
+  when: needs_docker_daemon
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-8.yml
new file mode 100644
index 00000000..2550888b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-8.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The RHEL extras repository must be enabled to provide the container-selinux package.
+# See: https://docs.docker.com/engine/installation/linux/docker-ee/rhel/#install-using-the-repository
+
+- name: Install Docker pre-reqs
+  ansible.builtin.dnf:
+    name: "{{ docker_prereq_packages }}"
+    state: present
+  notify: cleanup docker
+  register: result
+  until: result is success
+  retries: 10
+  delay: 2
+
+# Docker broke their .repo file, so we set it up ourselves
+- name: Set-up repository
+  ansible.builtin.yum_repository:
+    name: docker-ce
+    description: docker-ce
+    baseurl: https://download.docker.com/linux/centos/{{ ansible_facts.distribution_major_version }}/$basearch/stable
+    gpgcheck: true
+    gpgkey: https://download.docker.com/linux/centos/gpg
+
+- name: Install docker
+  ansible.builtin.dnf:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    state: present
+  notify: cleanup docker
+
+- name: Make sure the docker daemon is running (failure expected inside docker container)
+  ansible.builtin.service:
+    name: docker
+    state: started
+  ignore_errors: "{{ ansible_virtualization_type in ['docker', 'container', 'containerd'] }}"
+  when: needs_docker_daemon
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-9.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-9.yml
new file mode 100644
index 00000000..2550888b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/RedHat-9.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The RHEL extras repository must be enabled to provide the container-selinux package.
+# See: https://docs.docker.com/engine/installation/linux/docker-ee/rhel/#install-using-the-repository
+
+- name: Install Docker pre-reqs
+  ansible.builtin.dnf:
+    name: "{{ docker_prereq_packages }}"
+    state: present
+  notify: cleanup docker
+  register: result
+  until: result is success
+  retries: 10
+  delay: 2
+
+# Docker broke their .repo file, so we set it up ourselves
+- name: Set-up repository
+  ansible.builtin.yum_repository:
+    name: docker-ce
+    description: docker-ce
+    baseurl: https://download.docker.com/linux/centos/{{ ansible_facts.distribution_major_version }}/$basearch/stable
+    gpgcheck: true
+    gpgkey: https://download.docker.com/linux/centos/gpg
+
+- name: Install docker
+  ansible.builtin.dnf:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    state: present
+  notify: cleanup docker
+
+- name: Make sure the docker daemon is running (failure expected inside docker container)
+  ansible.builtin.service:
+    name: docker
+    state: started
+  ignore_errors: "{{ ansible_virtualization_type in ['docker', 'container', 'containerd'] }}"
+  when: needs_docker_daemon
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Suse.yml
new file mode 100644
index 00000000..18974cb2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/Suse.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker 17
+  community.general.zypper:
+    name: "{{ docker_packages if needs_docker_daemon else docker_cli_packages }}"
+    force: true
+    disable_gpg_check: true
+    update_cache: true
+  notify: cleanup docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/main.yml
new file mode 100644
index 00000000..bef9f1a2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/tasks/main.yml
@@ -0,0 +1,155 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Docker
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Detect whether we are running inside a container
+      community.docker.current_container_facts:
+
+    - name: Look for marker whether Docker was already set up
+      ansible.builtin.stat:
+        path: /root/community.docker-docker-is-set-up
+      register: docker_setup_marker
+
+    - when: not docker_setup_marker.stat.exists
+      block:
+        - name: Determine whether Docker Daemon needs to be installed
+          ansible.builtin.set_fact:
+            needs_docker_daemon: '{{ not ansible_module_running_in_container }}'
+
+        - name: Print information
+          ansible.builtin.debug:
+            msg: |-
+              OS family: {{ ansible_facts.os_family }}
+              Distribution: {{ ansible_facts.distribution }}
+              Distribution major version: {{ ansible_facts.distribution_major_version }}
+              Distribution full version: {{ ansible_facts.distribution_version }}
+
+        - name: Include distribution specific variables
+          ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+          vars:
+            params:
+              files:
+                - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.distribution }}.yml"
+                - "{{ ansible_facts.os_family }}.yml"
+                - default.yml
+              paths:
+                - "{{ role_path }}/vars"
+
+        - name: Include distribution specific tasks
+          ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
+          vars:
+            params:
+              files:
+                - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.distribution }}.yml"
+                - "{{ ansible_facts.os_family }}.yml"
+              paths:
+                - "{{ role_path }}/tasks"
+
+        - name: Make sure that docker is running
+          ansible.builtin.service:
+            name: docker
+            state: started
+          when: not ansible_module_running_in_container
+
+        - name: Set marker that Docker was already set up
+          ansible.builtin.file:
+            path: /root/community.docker-docker-is-set-up
+            state: touch
+          when: docker_skip_cleanup
+
+    # Detect docker API version
+    - name: Check Docker API version
+      ansible.builtin.command: "docker version -f {% raw %}'{{(index .Server.Components 0).Details.ApiVersion}}'{% endraw %}"
+      register: docker_api_version_stdout
+      ignore_errors: true
+
+    # Detect docker CLI and docker-py versions
+    - name: Check Docker CLI version
+      ansible.builtin.command: "docker version -f {% raw %}'{{.Client.Version}}'{% endraw %}"
+      register: docker_cli_version_stdout
+      ignore_errors: true
+
+    - ansible.builtin.set_fact:
+        docker_cli_version: "{{ docker_cli_version_stdout.stdout | default('0.0') }}"
+        docker_api_version: "{{ docker_api_version_stdout.stdout | default('0.0') }}"
+
+    - ansible.builtin.debug:
+        msg: "Docker CLI version: {{ docker_cli_version }}; Docker API version: {{ docker_api_version }}"
+
+    - block:
+        # Cleanup docker daemon
+        - name: Show all containers
+          ansible.builtin.command: 'docker ps --no-trunc --format {% raw %}"{{.Names}}"{% endraw %}'
+
+        - name: "Remove all ansible-docker-test-* docker containers"
+          ansible.builtin.shell: 'docker ps --no-trunc --format {% raw %}"{{.Names}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r docker rm -f'
+          register: docker_containers
+          retries: 3
+          delay: 3
+          until: docker_containers is success
+          ignore_errors: true
+
+        - name: "Remove all ansible-docker-test-* docker volumes"
+          ansible.builtin.shell: 'docker volume ls --format {% raw %}"{{.Name}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r docker volume rm -f'
+          register: docker_volumes
+          ignore_errors: true
+
+        - name: "Remove all ansible-docker-test-* docker networks"
+          ansible.builtin.shell: 'docker network ls --no-trunc --format {% raw %}"{{.Name}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r docker network rm'
+          register: docker_networks
+          ignore_errors: true
+
+        - name: Cleaned docker resources
+          ansible.builtin.debug:
+            var: docker_resources
+          vars:
+            docker_resources:
+              containers: "{{ docker_containers.stdout_lines | default([]) }}"
+              volumes: "{{ docker_volumes.stdout_lines | default([]) }}"
+              networks: "{{ docker_networks.stdout_lines | default([]) }}"
+
+        # List all existing docker resources
+        - name: List all docker containers
+          ansible.builtin.command: docker ps --no-trunc -a
+          register: docker_containers
+          ignore_errors: true
+
+        - name: List all docker volumes
+          ansible.builtin.command: docker volume ls
+          register: docker_volumes
+          ignore_errors: true
+
+        - name: List all docker networks
+          ansible.builtin.command: docker network ls --no-trunc
+          register: docker_networks
+          ignore_errors: true
+
+        - name: List all docker images
+          ansible.builtin.command: docker images --no-trunc -a
+          register: docker_images
+          ignore_errors: true
+
+        - name: Still existing docker resources
+          ansible.builtin.debug:
+            var: docker_resources
+          vars:
+            docker_resources:
+              containers: "{{ docker_containers.stdout_lines | default([]) }}"
+              volumes: "{{ docker_volumes.stdout_lines | default([]) }}"
+              networks: "{{ docker_networks.stdout_lines | default([]) }}"
+              images: "{{ docker_images.stdout_lines | default([]) }}"
+
+      when: docker_cli_version is version('0.0', '>')
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Debian.yml
new file mode 100644
index 00000000..629c179e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Debian.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - apt-transport-https
+  - ca-certificates
+  - curl
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Fedora.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Fedora.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-10.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-10.yml
new file mode 100644
index 00000000..eb17b245
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-10.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - yum-utils
+  - device-mapper-persistent-data
+  - lvm2
+  - libseccomp
+  - iptables
+  - "kernel-modules-extra-{{ ansible_facts.kernel }}"
+
+docker_packages:
+  - docker-ce # -19.03.13
+  - docker-ce-cli # -19.03.13
+docker_cli_packages:
+  - docker-ce-cli # -19.03.13
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-7.yml
new file mode 100644
index 00000000..bbf9ed32
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-7.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - yum-utils
+  - device-mapper-persistent-data
+  - lvm2
+  - libseccomp
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-8.yml
new file mode 100644
index 00000000..7609400a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-8.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - yum-utils
+  - device-mapper-persistent-data
+  - lvm2
+  - libseccomp
+  - iptables
+
+docker_packages:
+  - docker-ce-19.03.13
+  - docker-ce-cli-19.03.13
+docker_cli_packages:
+  - docker-ce-cli-19.03.13
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-9.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-9.yml
new file mode 100644
index 00000000..04fcae72
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/RedHat-9.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - yum-utils
+  - device-mapper-persistent-data
+  - lvm2
+  - libseccomp
+  - iptables
+
+docker_packages:
+  - docker-ce # -19.03.13
+  - docker-ce-cli # -19.03.13
+docker_cli_packages:
+  - docker-ce-cli # -19.03.13
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Suse.yml
new file mode 100644
index 00000000..ab71ef5d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Suse.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_packages:
+  - docker>=17
+
+# OpenSUSE 15 does not seem to have docker-client (https://software.opensuse.org/package/docker-client)
+# or any other Docker CLI-only package
+docker_cli_packages:
+  - docker>=17
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-14.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-14.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-14.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-22.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-22.yml
new file mode 100644
index 00000000..436eb2d6
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/Ubuntu-22.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_prereq_packages:
+  - ca-certificates
+  - curl
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.env b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.env
new file mode 100644
index 00000000..bbdd6a35
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.env
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Docker images for runme.sh based tests
+DOCKER_TEST_IMAGE_PYTHON3=ghcr.io/ansible-collections/community.docker/docker-python:3-alpine
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.yml
new file mode 100644
index 00000000..97445dd4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker/vars/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_test_image_digest_v1: e004c2cc521c95383aebb1fb5893719aa7a8eae2e7a71f316a4410784edb00a9
+docker_test_image_digest_v1_image_ids:
+  - 758ec7f3a1ee85f8f08399b55641bfb13e8c1109287ddc5e22b68c3d653152ee  # Docker 28 and before
+  - e004c2cc521c95383aebb1fb5893719aa7a8eae2e7a71f316a4410784edb00a9  # Docker 29
+docker_test_image_digest_v2: ee44b399df993016003bf5466bd3eeb221305e9d0fa831606bc7902d149c775b
+docker_test_image_digest_v2_image_ids:
+  - dc3bacd8b5ea796cea5d6070c8f145df9076f26a6bc1c8981fd5b176d37de843  # Docker 28 and before
+  - ee44b399df993016003bf5466bd3eeb221305e9d0fa831606bc7902d149c775b  # Docker 29
+docker_test_image_digest_base: quay.io/ansible/docker-test-containers
+docker_test_image_hello_world: quay.io/ansible/docker-test-containers:hello-world
+docker_test_image_hello_world_image_ids:
+  - sha256:bf756fb1ae65adf866bd8c456593cd24beb6a0a061dedf42b26a993176745f6b  # Docker 28 and before
+  - sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042  # Docker 29
+docker_test_image_hello_world_base: quay.io/ansible/docker-test-containers
+docker_test_image_busybox: quay.io/ansible/docker-test-containers:busybox
+docker_test_image_alpine: quay.io/ansible/docker-test-containers:alpine3.8
+docker_test_image_alpine_different: quay.io/ansible/docker-test-containers:alpine3.7
+docker_test_image_registry_nginx: quay.io/ansible/docker-test-containers:nginx-alpine
+docker_test_image_registry: ghcr.io/ansible-collections/community.docker/docker-distribution:3.0.0
+docker_test_image_simple_1: ghcr.io/ansible-collections/simple-1:tag
+docker_test_image_simple_2: ghcr.io/ansible-collections/simple-2:tag
+docker_test_image_healthcheck: ghcr.io/ansible-collections/healthcheck:check
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/meta/main.yml
new file mode 100644
index 00000000..5769ff1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Alpine.yml
new file mode 100644
index 00000000..8919f317
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Alpine.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Buildx is available from Alpine 3.14 on
+  ansible.builtin.set_fact:
+    docker_has_buildx: "{{ ansible_facts.distribution_version is version('3.14', '>=') }}"
+
+- name: Install Docker buildx CLI plugin
+  community.general.apk:
+    name: docker-cli-buildx
+  when: docker_has_buildx
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Archlinux.yml
new file mode 100644
index 00000000..5d270901
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Archlinux.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install Docker buildx CLI plugin
+  community.general.pacman:
+    name: docker-buildx
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Debian.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Debian.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Fedora.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Fedora.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-10.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-10.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-10.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-7.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-7.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-8.yml
new file mode 100644
index 00000000..834a2d14
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-8.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: For some reason we don't have the buildx plugin
+  ansible.builtin.set_fact:
+    docker_has_buildx: false
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-9.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-9.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/RedHat-9.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Suse.yml
new file mode 100644
index 00000000..f0d25df5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/Suse.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Buildx is available in OpenSuSE 15.5, not sure which versions before
+  ansible.builtin.set_fact:
+    docker_has_buildx: "{{ ansible_facts.distribution_version is version('15.5', '>=') }}"
+
+- name: Install Docker buildx CLI plugin
+  community.general.zypper:
+    name: docker-buildx
+    disable_gpg_check: true
+  when: docker_has_buildx
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/main.yml
new file mode 100644
index 00000000..4fb7eb7f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Docker
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Print information
+      ansible.builtin.debug:
+        msg: |-
+          OS family: {{ ansible_facts.os_family }}
+          Distribution: {{ ansible_facts.distribution }}
+          Distribution major version: {{ ansible_facts.distribution_major_version }}
+          Distribution full version: {{ ansible_facts.distribution_version }}
+
+    - name: Set facts for Docker features to defaults
+      ansible.builtin.set_fact:
+        docker_has_buildx: true
+
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+            - default.yml
+          paths:
+            - "{{ role_path }}/vars"
+
+    - name: Include distribution specific tasks
+      ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+          paths:
+            - "{{ role_path }}/tasks"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/nothing.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/nothing.yml
new file mode 100644
index 00000000..a93d788a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/tasks/nothing.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# nothing to do
+[]
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_buildx/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/meta/main.yml
new file mode 100644
index 00000000..5769ff1c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Alpine.yml
new file mode 100644
index 00000000..59fe6050
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Alpine.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Compose is available from Alpine 3.15 on
+  ansible.builtin.set_fact:
+    docker_has_compose: "{{ ansible_facts.distribution_version is version('3.15', '>=') }}"
+
+- name: Install Docker compose CLI plugin
+  community.general.apk:
+    name: docker-cli-compose
+  when: docker_has_compose
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Archlinux.yml
new file mode 100644
index 00000000..89dedb0b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Archlinux.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install Docker compose CLI plugin
+  community.general.pacman:
+    name: docker-compose
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Debian.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Debian.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Fedora.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Fedora.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-10.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-10.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-10.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-7.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-7.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-8.yml
new file mode 100644
index 00000000..15f04cdb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-8.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: For some reason we don't have the buildx plugin
+  ansible.builtin.set_fact:
+    docker_has_compose: false
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-9.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-9.yml
new file mode 120000
index 00000000..0b069514
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/RedHat-9.yml
@@ -0,0 +1 @@
+nothing.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Suse.yml
new file mode 100644
index 00000000..75241043
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/Suse.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Compose is available in OpenSuSE 15.5, not sure which versions before
+  ansible.builtin.set_fact:
+    docker_has_compose: "{{ ansible_facts.distribution_version is version('15.5', '>=') }}"
+
+- name: Install Docker compose CLI plugin
+  community.general.zypper:
+    name: docker-compose
+    disable_gpg_check: true
+  when: docker_has_compose
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/main.yml
new file mode 100644
index 00000000..72ce2d43
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Docker
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Print information
+      ansible.builtin.debug:
+        msg: |-
+          OS family: {{ ansible_facts.os_family }}
+          Distribution: {{ ansible_facts.distribution }}
+          Distribution major version: {{ ansible_facts.distribution_major_version }}
+          Distribution full version: {{ ansible_facts.distribution_version }}
+
+    - name: Set facts for Docker features to defaults
+      ansible.builtin.set_fact:
+        docker_has_compose: true
+        docker_compose_version: "0.0"
+
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+            - default.yml
+          paths:
+            - "{{ role_path }}/vars"
+
+    - name: Include distribution specific tasks
+      ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+          paths:
+            - "{{ role_path }}/tasks"
+
+    - name: Obtain Docker Compose version
+      when: docker_has_compose
+      block:
+        - name: Obtain docker info
+          ansible.builtin.command:
+            cmd: docker info --format '{% raw %}{{ json .ClientInfo.Plugins }}{% endraw %}'
+          register: docker_cli_plugins_stdout
+        - ansible.builtin.set_fact:
+            docker_has_compose: >-
+              {{ docker_cli_plugins_stdout.stdout | from_json | selectattr('Name', 'eq', 'compose') | map(attribute='Version') | length > 0 }}
+            docker_compose_version: >-
+              {{ docker_cli_plugins_stdout.stdout | from_json | selectattr('Name', 'eq', 'compose') | map(attribute='Version') | first | default('0.0') | regex_replace('^v', '') }}
+
+    - ansible.builtin.debug:
+        msg: "Has Docker compoes plugin: {{ docker_has_compose }}; Docker compose plugin version: {{ docker_compose_version }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/nothing.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/nothing.yml
new file mode 100644
index 00000000..a93d788a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/tasks/nothing.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# nothing to do
+[]
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_cli_compose/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/defaults/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/defaults/main.yml
new file mode 100644
index 00000000..4f84d3ac
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+skip_docker_compose: false
+docker_compose_packages:
+  - docker-compose-plugin
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/meta/main.yml
new file mode 100644
index 00000000..b6e985d7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker
+  - setup_remote_constraints
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Alpine.yml
new file mode 100644
index 00000000..933eae65
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Alpine.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  community.general.apk:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Archlinux.yml
new file mode 100644
index 00000000..1b4f5171
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Archlinux.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  community.general.pacman:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Debian.yml
new file mode 100644
index 00000000..3a0ba208
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Debian.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.apt:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Fedora.yml
new file mode 100644
index 00000000..bc66980e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Fedora.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.dnf:
+    name: "{{ docker_compose_packages }}"
+    state: present
+    enablerepo: docker-ce-test
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-10.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-10.yml
new file mode 100644
index 00000000..970db016
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-10.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.dnf:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-7.yml
new file mode 100644
index 00000000..970db016
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-7.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.dnf:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-8.yml
new file mode 100644
index 00000000..970db016
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-8.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.dnf:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-9.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-9.yml
new file mode 100644
index 00000000..970db016
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/RedHat-9.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  ansible.builtin.dnf:
+    name: "{{ docker_compose_packages }}"
+    state: present
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Suse.yml
new file mode 100644
index 00000000..46e50fd4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/Suse.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install docker-compose as system package
+  community.general.zypper:
+    name: "{{ docker_compose_packages }}"
+    force: true
+    disable_gpg_check: true
+    update_cache: true
+  notify: cleanup docker
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/main.yml
new file mode 100644
index 00000000..307d6cb0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.set_fact:
+    has_docker_compose: false
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6'] and ansible_python_version is version('3.7', '>=')
+  ansible.builtin.include_tasks:
+    file: setup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/setup.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/setup.yml
new file mode 100644
index 00000000..c8040e73
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/tasks/setup.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Include distribution specific variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+        - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+        - "{{ ansible_facts.distribution }}.yml"
+        - "{{ ansible_facts.os_family }}.yml"
+        - default.yml
+      paths:
+        - "{{ role_path }}/vars"
+
+- block:
+    - name: Include distribution specific tasks
+      ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+          paths:
+            - "{{ role_path }}/tasks"
+
+    - name: Install Python on Whales
+      ansible.builtin.pip:
+        state: present
+        name: python-on-whales
+        extra_args: "-c {{ remote_constraints }}"
+
+    - name: Register docker-compose version
+      ansible.builtin.command: "docker compose version --short"
+      register: docker_compose_version
+
+    - name: Declare docker-compose version
+      ansible.builtin.set_fact:
+        docker_compose_version: "{{ docker_compose_version.stdout }}"
+
+    - name: Declare docker-compose as existing
+      ansible.builtin.set_fact:
+        has_docker_compose: '{{ docker_compose_version is version("2.0", ">=") }}'
+
+  when: not skip_docker_compose
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Alpine.yml
new file mode 100644
index 00000000..c5d18002
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Alpine.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+skip_docker_compose: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Archlinux.yml
new file mode 100644
index 00000000..99d81828
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Archlinux.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_compose_packages:
+  - docker-compose
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Fedora.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Fedora.yml
new file mode 100644
index 00000000..c5d18002
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/Fedora.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+skip_docker_compose: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_compose_v2/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/meta/main.yml
new file mode 100644
index 00000000..2a770b72
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_docker_python_deps
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/tasks/main.yml
new file mode 100644
index 00000000..7e7ffcdd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_current_container_network_ip/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Docker
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Detect whether we are running inside a container
+      community.docker.current_container_facts:
+
+    - name: Inspect current container
+      community.docker.docker_container_info:
+        name: "{{ ansible_module_container_id }}"
+      register: current_container_info
+      when: ansible_module_running_in_container
+
+    - name: Determine network name
+      ansible.builtin.set_fact:
+        current_container_network_ip: "{{ (current_container_info.container.NetworkSettings.Networks | dictsort)[0].0 | default('') if ansible_module_running_in_container else '' }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/aliases
new file mode 100644
index 00000000..0a430dff
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/setup_epel
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/defaults/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/defaults/main.yml
new file mode 100644
index 00000000..cd11129e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_pip_api_packages:
+  - requests
+  # - paramiko
+  # - pyOpenSSL
+
+docker_pip_api_packages_python2:
+  - backports.ssl-match-hostname
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/meta/main.yml
new file mode 100644
index 00000000..d4a5c7d0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/tasks/main.yml
new file mode 100644
index 00000000..9d69346e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Install/upgrade Python requirements
+  ansible.builtin.pip:
+    name: "{{ docker_pip_api_packages + (docker_pip_api_packages_python2 if ansible_facts.python.version.major == 2 else []) }}"
+    extra_args: "-c {{ remote_constraints }}"
+    state: present
+  when: not (force_docker_sdk_for_python_dev | default(false))
+
+- name: Make sure git is installed
+  ansible.builtin.package:
+    name:
+      - git
+    state: present
+  when: force_docker_sdk_for_python_dev | default(false)
+
+- name: Install/upgrade Python requirements from source repositories
+  ansible.builtin.pip:
+    name:
+      - git+https://github.com/psf/requests
+      - git+https://github.com/urllib3/urllib3
+    extra_args: "-c {{ remote_constraints }}"
+    state: latest  # noqa: package-latest
+  when: force_docker_sdk_for_python_dev | default(false)
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/RedHat-7.yml
new file mode 100644
index 00000000..ff572017
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/RedHat-7.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_pip_api_packages:
+  # Not sure why RHEL7 needs this specific version of requests
+  - requests==2.6.0
+  # - paramiko
+  # - pyOpenSSL
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/Ubuntu-14.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/Ubuntu-14.yml
new file mode 100644
index 00000000..41a8bceb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/Ubuntu-14.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_pip_api_packages:
+  # Installing requests >=2.12.0 on Ubuntu 14.04 breaks certificate validation. We restrict to an older version
+  # to ensure out get_url tests work out fine. This is only an issue if pyOpenSSL is also installed.
+  - requests==2.6.0
+  # - paramiko
+  # - pyOpenSSL
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_python_deps/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/aliases
new file mode 100644
index 00000000..e1026a83
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/setup_docker
+needs/target/setup_docker_current_container_network_ip
+needs/target/setup_openssl
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.conf b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.conf
new file mode 100644
index 00000000..c3b0d334
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.conf
@@ -0,0 +1,50 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+events {
+    worker_connections 16;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    error_log /dev/stdout info;
+    access_log /dev/stdout;
+
+    server {
+        listen *:5000 ssl;
+        server_name test-registry.ansible.com;
+        server_name_in_redirect on;
+
+        ssl_protocols TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256';
+        ssl_ecdh_curve X25519:secp521r1:secp384r1;
+        ssl_prefer_server_ciphers on;
+        ssl_certificate /etc/nginx/cert.pem;
+        ssl_certificate_key /etc/nginx/cert.key;
+
+        location / {
+            return 401;
+        }
+
+        location /v2/ {
+            proxy_pass  http://real-registry:5000;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Port $server_port;
+            proxy_set_header X-Request-Start $msec;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+
+            auth_basic "Ansible Test Docker Registry";
+            auth_basic_user_file /etc/nginx/nginx.htpasswd;
+        }
+    }
+}
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.htpasswd b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.htpasswd
new file mode 100644
index 00000000..e3ff626f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/files/nginx.htpasswd
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+testuser:{PLAIN}hunter2
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/cleanup.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/cleanup.yml
new file mode 100644
index 00000000..16d5b07e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/cleanup.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Make sure all images are removed"
+  community.docker.docker_image_remove:
+    name: "{{ item }}"
+  with_items: "{{ docker_registry_setup_inames }}"
+
+- name: "Get registry logs"
+  ansible.builtin.command: "docker logs {{ docker_registry_container_name_registry }}"
+  register: registry_logs
+  no_log: true
+  ignore_errors: true
+
+- name: "Printing registry logs"
+  ansible.builtin.debug:
+    var: registry_logs.stdout_lines
+  when: registry_logs is not failed
+
+- name: "Get nginx logs for first instance"
+  ansible.builtin.command: "docker logs {{ docker_registry_container_name_nginx }}"
+  register: nginx_logs
+  no_log: true
+  ignore_errors: true
+
+- name: "Get nginx logs for second instance"
+  ansible.builtin.command: "docker logs {{ docker_registry_container_name_nginx2 }}"
+  register: nginx2_logs
+  no_log: true
+  ignore_errors: true
+
+- name: "Printing nginx logs for first instance"
+  ansible.builtin.debug:
+    var: nginx_logs.stdout_lines
+  when: nginx_logs is not failed
+
+- name: "Printing nginx logs for second instance"
+  ansible.builtin.debug:
+    var: nginx2_logs.stdout_lines
+  when: nginx_logs is not failed
+
+- name: "Make sure all containers are removed"
+  community.docker.docker_container:
+    name: "{{ item }}"
+    state: absent
+    force_kill: true
+  with_items: "{{ docker_registry_setup_cnames }}"
+  register: result
+  retries: 3
+  delay: 3
+  until: result is success
+
+- name: "Make sure all volumes are removed"
+  ansible.builtin.command: "docker volume rm -f {{ item }}"
+  with_items: "{{ docker_registry_setup_vnames }}"
+  ignore_errors: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/main.yml
new file mode 100644
index 00000000..7cd8e63b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Remove test registry
+  ansible.builtin.include_tasks: ../handlers/cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/meta/main.yml
new file mode 100644
index 00000000..22aa405a
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  # - setup_docker  -- done in setup.yml, to work around cleanup problems!
+  # - setup_docker_current_container_network_ip
+  - setup_docker_python_deps
+  - setup_openssl
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/main.yml
new file mode 100644
index 00000000..15824726
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+  ansible.builtin.include_tasks:
+    file: setup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml
new file mode 100644
index 00000000..4e467307
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup-frontend.yml
@@ -0,0 +1,130 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Set up first nginx frontend for registry
+- name: Start nginx frontend for registry
+  community.docker.docker_volume:
+    name: '{{ docker_registry_container_name_frontend }}'
+    state: present
+
+- name: Create container for nginx frontend for registry
+  community.docker.docker_container:
+    state: stopped
+    name: '{{ docker_registry_container_name_frontend }}'
+    image: "{{ docker_test_image_registry_nginx }}"
+    ports: 5000
+    # `links` does not work when using a network. That's why the docker_container task
+    # in setup.yml specifies `aliases` so we get the same effect.
+    links:
+      - '{{ docker_registry_container_name_registry }}:real-registry'
+    volumes:
+      - '{{ docker_registry_container_name_frontend }}:/etc/nginx/'
+    network_mode: '{{ current_container_network_ip | default(omit, true) }}'
+    networks: >-
+      {{
+        [dict([['name', current_container_network_ip]])]
+        if current_container_network_ip not in ['', 'bridge'] else omit
+      }}
+  register: nginx_container
+
+- name: Copy config files
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ remote_tmp_dir }}/{{ item }}"
+    mode: "0644"
+  loop:
+    - nginx.conf
+    - nginx.htpasswd
+
+- name: Copy static files into volume
+  community.docker.docker_container_copy_into:
+    container: '{{ docker_registry_container_name_frontend }}'
+    path: '{{ remote_tmp_dir }}/{{ item }}'
+    container_path: '/etc/nginx/{{ item }}'
+    owner_id: 0
+    group_id: 0
+  loop:
+    - nginx.conf
+    - nginx.htpasswd
+  register: can_copy_files
+  ignore_errors: true
+
+- when: can_copy_files is not failed
+  block:
+
+    - name: Create private key for frontend certificate
+      community.crypto.openssl_privatekey:
+        path: '{{ remote_tmp_dir }}/cert.key'
+        type: ECC
+        curve: secp256r1
+        force: true
+
+    - name: Create CSR for frontend certificate
+      community.crypto.openssl_csr:
+        path: '{{ remote_tmp_dir }}/cert.csr'
+        privatekey_path: '{{ remote_tmp_dir }}/cert.key'
+        subject_alt_name:
+          - DNS:test-registry.ansible.com
+
+    - name: Create frontend certificate
+      community.crypto.x509_certificate:
+        path: '{{ remote_tmp_dir }}/cert.pem'
+        csr_path: '{{ remote_tmp_dir }}/cert.csr'
+        privatekey_path: '{{ remote_tmp_dir }}/cert.key'
+        provider: selfsigned
+
+    - name: Copy dynamic files into volume
+      community.docker.docker_container_copy_into:
+        container: '{{ docker_registry_container_name_frontend }}'
+        path: '{{ remote_tmp_dir }}/{{ item }}'
+        container_path: '/etc/nginx/{{ item }}'
+        owner_id: 0
+        group_id: 0
+      loop:
+        - cert.pem
+        - cert.key
+
+    - name: Start nginx frontend for registry
+      community.docker.docker_container:
+        name: '{{ docker_registry_container_name_frontend }}'
+        state: started
+      register: nginx_container
+
+    - name: Output nginx container network settings
+      ansible.builtin.debug:
+        var: nginx_container.container.NetworkSettings
+
+    - name: Get registry URL
+      ansible.builtin.set_fact:
+        # Note that this host/port combination is used by the Docker daemon, that's why `localhost` is appropriate!
+        # This host/port combination cannot be used if the tests are running inside a docker container.
+        docker_registry_frontend_address: localhost:{{ nginx_container.container.NetworkSettings.Ports['5000/tcp'].0.HostPort }}
+        # The following host/port combination can be used from inside the docker container.
+        docker_registry_frontend_address_internal: >-
+          {{
+            nginx_container.container.NetworkSettings.Networks[current_container_network_ip].IPAddress
+            if current_container_network_ip else
+            (
+              nginx_container.container.NetworkSettings.IPAddress
+              | default(nginx_container.container.NetworkSettings.Networks['bridge'].IPAddress)
+            )
+          }}:5000
+        # Since Docker 29, nginx_container.container.NetworkSettings.IPAddress no longer exists.
+        # Use the bridge network's IP address instead...
+
+    - name: Wait for registry frontend
+      ansible.builtin.uri:
+        url: https://{{ docker_registry_frontend_address_internal }}/v2/
+        url_username: testuser
+        url_password: hunter2
+        validate_certs: false
+      register: result
+      until: result is success
+      retries: 5
+      delay: 1
+
+- ansible.builtin.set_fact:
+    docker_registry_frontend_address: 'n/a'
+  when: can_copy_files is failed
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup.yml
new file mode 100644
index 00000000..2a16f0c9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/tasks/setup.yml
@@ -0,0 +1,88 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Register registry cleanup
+  # This must be done **before** docker is set up (see next task), to ensure that the
+  # registry is removed **before** docker itself is removed. This is necessary as the
+  # registry and its frontends run as docker containers.
+  ansible.builtin.command: 'true'
+  notify: Remove test registry
+
+- name: Setup Docker
+  # Please note that we do setup_docker here and not via meta/main.yml to avoid the problem that
+  # our cleanup is called **after** setup_docker's cleanup has been called!
+  ansible.builtin.include_role:
+    name: setup_docker
+
+- name: Figure out current container's network IP
+  ansible.builtin.include_role:
+    name: setup_docker_current_container_network_ip
+
+- name: Create random name prefix and test registry name
+  ansible.builtin.set_fact:
+    docker_registry_container_name_registry: '{{ ''ansible-docker-test-registry-%0x'' % ((2**32) | random) }}'
+    docker_registry_container_name_nginx: '{{ ''ansible-docker-test-registry-frontend-%0x'' % ((2**32) | random) }}'
+    docker_registry_container_name_nginx2: '{{ ''ansible-docker-test-registry-frontend2-%0x'' % ((2**32) | random) }}'
+
+- name: Create image and container list
+  ansible.builtin.set_fact:
+    docker_registry_setup_inames: []
+    docker_registry_setup_cnames:
+      - '{{ docker_registry_container_name_registry }}'
+      - '{{ docker_registry_container_name_nginx }}'
+      - '{{ docker_registry_container_name_nginx2 }}'
+    docker_registry_setup_vnames:
+      - '{{ docker_registry_container_name_nginx }}'
+      - '{{ docker_registry_container_name_nginx2 }}'
+
+- ansible.builtin.debug:
+    msg: Using test registry name {{ docker_registry_container_name_registry }} and nginx frontend names {{ docker_registry_container_name_nginx }} and {{ docker_registry_container_name_nginx2 }}
+
+- ansible.builtin.fail: msg="Too old docker version to set up docker registry!"
+  when: not(docker_api_version is version('1.25', '>=')) and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
+
+- when: docker_api_version is version('1.25', '>=')
+  block:
+
+  # Set up registry container
+    - name: Start test registry
+      community.docker.docker_container:
+        name: '{{ docker_registry_container_name_registry }}'
+        image: "{{ docker_test_image_registry }}"
+        ports: 5000
+        network_mode: '{{ current_container_network_ip | default(omit, true) }}'
+        # We need to define the alias `real-registry` here because the global `links`
+        # option for the NGINX containers (see setup-frontend.yml) does not work when
+        # using networks.
+        networks: >-
+          {{
+            [dict([['name', current_container_network_ip], ['aliases', ['real-registry']]])]
+            if current_container_network_ip not in ['', 'bridge'] else omit
+          }}
+      register: registry_container
+
+    - name: Get registry URL
+      ansible.builtin.set_fact:
+        registry_address: localhost:{{ registry_container.container.NetworkSettings.Ports['5000/tcp'].0.HostPort }}
+
+    # Set up first nginx frontend for registry
+    - ansible.builtin.include_tasks: setup-frontend.yml
+      vars:
+        docker_registry_container_name_frontend: '{{ docker_registry_container_name_nginx }}'
+
+    - ansible.builtin.set_fact:
+        registry_frontend_address: '{{ docker_registry_frontend_address }}'
+
+    # Set up second nginx frontend for registry
+    - ansible.builtin.include_tasks: setup-frontend.yml
+      vars:
+        docker_registry_container_name_frontend: '{{ docker_registry_container_name_nginx2 }}'
+
+    - ansible.builtin.set_fact:
+        registry_frontend2_address: '{{ docker_registry_frontend_address }}'
+
+    # Print addresses for registry and frontends
+    - ansible.builtin.debug:
+        msg: "Registry available under {{ registry_address }}, NGINX frontends available under {{ registry_frontend_address }} and {{ registry_frontend2_address }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/vars/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/vars/main.yml
new file mode 120000
index 00000000..bacffb83
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_registry/vars/main.yml
@@ -0,0 +1 @@
+../../setup_docker/vars/main.yml
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/aliases
new file mode 100644
index 00000000..0a430dff
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/setup_epel
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/defaults/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/defaults/main.yml
new file mode 100644
index 00000000..bf128b1d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_py_version: '0.0'
+
+docker_pip_extra_packages: []
+docker_pip_package: docker
+docker_pip_package_limit: ''
+
+docker_pip_git_packages:
+  - git+https://github.com/psf/requests
+  - git+https://github.com/urllib3/urllib3
+  - git+https://github.com/docker/docker-py
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/meta/main.yml
new file mode 100644
index 00000000..d4a5c7d0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/tasks/main.yml
new file mode 100644
index 00000000..0477a499
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Docker SDK for Python
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+      vars:
+        params:
+          files:
+            - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+            - "{{ ansible_facts.distribution }}.yml"
+            - "{{ ansible_facts.os_family }}.yml"
+            - default.yml
+          paths:
+            - "{{ role_path }}/vars"
+
+    - name: Limit docker pypi package version to < 4.3.0
+      ansible.builtin.set_fact:
+        docker_pip_package_limit: '<4.3.0'
+      when: docker_api_version is version('1.39', '<')
+
+    - name: Make sure git is installed
+      ansible.builtin.package:
+        name:
+          - git
+      when: force_docker_sdk_for_python_dev | default(false)
+
+    - name: Install/upgrade Python requirements
+      ansible.builtin.pip:
+        name: >-
+          {{
+            docker_pip_git_packages
+            if (force_docker_sdk_for_python_dev | default(false)) else
+            ([docker_pip_package ~ docker_pip_package_limit] + docker_pip_extra_packages)
+          }}
+        extra_args: "-c {{ remote_constraints }}"
+        state: >-
+          {{
+            'latest' if (
+              (force_docker_sdk_for_python_pypi | default(false)) or
+              (force_docker_sdk_for_python_dev | default(false))
+            ) else 'present'
+          }}
+
+    - name: Check docker-py version
+      ansible.builtin.command: "{{ ansible_python.executable }} -c 'import docker; print(docker.__version__)'"
+      register: docker_py_version_stdout
+      ignore_errors: true
+
+    - ansible.builtin.set_fact:
+        docker_py_version: "{{ docker_py_version_stdout.stdout | default('0.0') }}"
+
+    - ansible.builtin.debug:
+        msg: "Docker SDK for Python version: {{ docker_py_version }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/RedHat-7.yml
new file mode 100644
index 00000000..9fa5efa5
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/RedHat-7.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_pip_extra_packages:
+  # Not sure why RHEL7 needs this specific version
+  - requests==2.6.0
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/Ubuntu-14.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/Ubuntu-14.yml
new file mode 100644
index 00000000..f701e1f7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/Ubuntu-14.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker_pip_extra_packages:
+  # Installing requests >=2.12.0 on Ubuntu 14.04 breaks certificate validation. We restrict to an older version
+  # to ensure out get_url tests work out fine. This is only an issue if pyOpenSSL is also installed.
+  - requests==2.6.0
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_docker_sdk_for_python/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_epel/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_epel/tasks/main.yml
new file mode 100644
index 00000000..c43a78d9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_epel/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Install EPEL
+  ansible.builtin.dnf:
+    name: https://s3.amazonaws.com/ansible-ci-files/test/integration/targets/setup_epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
+    disable_gpg_check: true
+  when: ansible_facts.distribution in ['RedHat', 'CentOS']
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/meta/main.yml
new file mode 100644
index 00000000..d4a5c7d0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/tasks/main.yml
new file mode 100644
index 00000000..d71de719
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Include OS-specific variables
+  ansible.builtin.include_vars: '{{ ansible_os_family }}.yml'
+  when: not ansible_os_family == "Darwin"
+
+- name: Install cryptography (Python 3)
+  become: true
+  ansible.builtin.package:
+    name: '{{ cryptography_package_name_python3 }}'
+  when: ansible_os_family != 'Darwin' and ansible_python_version is version('3.0', '>=')
+
+- name: Install cryptography (Python 2)
+  become: true
+  ansible.builtin.package:
+    name: '{{ cryptography_package_name }}'
+  when: ansible_os_family != 'Darwin' and ansible_python_version is version('3.0', '<')
+
+- name: Install cryptography (Darwin, and potentially upgrade for other OSes)
+  become: true
+  ansible.builtin.pip:
+    name: cryptography>=3.3.0
+    extra_args: "-c {{ remote_constraints }}"
+
+- name: Register cryptography version
+  ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
+  register: cryptography_version
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Alpine.yml
new file mode 100644
index 00000000..46007479
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Alpine.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: py-cryptography
+cryptography_package_name_python3: py3-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Archlinux.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Archlinux.yml
new file mode 100644
index 00000000..9fa799eb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Archlinux.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Debian.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Debian.yml
new file mode 100644
index 00000000..4a3dc629
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Debian.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/FreeBSD.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/FreeBSD.yml
new file mode 100644
index 00000000..0bf73ee8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/FreeBSD.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: py27-cryptography
+cryptography_package_name_python3: py36-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/RedHat.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/RedHat.yml
new file mode 100644
index 00000000..4a3dc629
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Suse.yml b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Suse.yml
new file mode 100644
index 00000000..4a3dc629
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_openssl/vars/Suse.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/meta/main.yml
new file mode 100644
index 00000000..7172cbe2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_constraints
+  - setup_openssl  # so cryptography is installed
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/tasks/main.yml
new file mode 100644
index 00000000..5d8ea9c3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_paramiko/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install paramiko from system repository
+  ansible.builtin.package:
+    name: python-paramiko
+  become: true
+  when:
+    - ansible_distribution == 'CentOS' and ansible_distribution_major_version|int <= 7
+
+- name: Install paramiko
+  ansible.builtin.pip:
+    name: "paramiko{% if cryptography_version.stdout is version('2.5.0', '<') %}<2.5.0{% endif %}"
+    extra_args: "-c {{ remote_constraints }}"
+  become: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_pkg_mgr/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_pkg_mgr/tasks/main.yml
new file mode 100644
index 00000000..a67e2f36
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_pkg_mgr/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- ansible.builtin.set_fact:
+    pkg_mgr: community.general.pkgng
+    ansible_pkg_mgr: community.general.pkgng
+    cacheable: true
+  when: ansible_os_family == "FreeBSD"
+
+- ansible.builtin.set_fact:
+    pkg_mgr: community.general.zypper
+    ansible_pkg_mgr: community.general.zypper
+    cacheable: true
+  when: ansible_os_family == "Suse"
+
+- ansible.builtin.shell:
+    # noqa: command-instead-of-module
+    cmd: |
+      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo
+      sed -i 's%#baseurl=http://mirror.centos.org/%baseurl=https://vault.centos.org/%g' /etc/yum.repos.d/*.repo
+  when: ansible_distribution in 'CentOS' and ansible_distribution_major_version == '7'
+
+- ansible.builtin.shell:
+    # noqa: command-instead-of-module
+    cmd: |
+      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-*.repo
+      sed -i 's%#baseurl=http://mirror.centos.org/$contentdir/$releasever/%baseurl=https://vault.centos.org/8.4.2105/%g' /etc/yum.repos.d/CentOS-Linux-*.repo
+  ignore_errors: true  # This fails for CentOS Stream 8
+  when: ansible_distribution in 'CentOS' and ansible_distribution_major_version == '8'
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_podman/aliases
new file mode 100644
index 00000000..0a430dff
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/target/setup_epel
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/defaults/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/defaults/main.yml
new file mode 100644
index 00000000..5217a34b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_podman: true
+podman_cli_version: '0.0'
+podman_skip_cleanup: true
+podman_packages:
+  - podman
+podman_socket_service: podman.socket
+
+podman_cleanup_packages:
+  - podman
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/handlers/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/handlers/main.yml
new file mode 100644
index 00000000..e7d6ca9c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Remove podman packages
+  action: "{{ ansible_facts.pkg_mgr }}"
+  args:
+    name: "{{ podman_cleanup_packages }}"
+    state: absent
+  listen: cleanup podman
+  when: not podman_skip_cleanup
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/meta/main.yml
new file mode 100644
index 00000000..2fcd152f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/tasks/main.yml
new file mode 100644
index 00000000..08913340
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/tasks/main.yml
@@ -0,0 +1,163 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Setup Podman
+  when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
+  block:
+    - name: Detect whether we are running inside a container
+      community.docker.current_container_facts:
+
+    - name: Look for marker whether Podman was already set up
+      ansible.builtin.stat:
+        path: /root/community.docker-podman-is-set-up
+      register: podman_setup_marker
+
+    - name: Figure out user ID
+      ansible.builtin.command: id -u
+      register: podman_user_id
+
+    - when: not podman_setup_marker.stat.exists and not ansible_module_running_in_container
+      block:
+        - name: Print information
+          ansible.builtin.debug:
+            msg: |-
+              OS family: {{ ansible_facts.os_family }}
+              Distribution: {{ ansible_facts.distribution }}
+              Distribution major version: {{ ansible_facts.distribution_major_version }}
+              Distribution full version: {{ ansible_facts.distribution_version }}
+
+        - name: Include distribution specific variables
+          ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+          vars:
+            params:
+              files:
+                - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml"
+                - "{{ ansible_facts.distribution }}.yml"
+                - "{{ ansible_facts.os_family }}.yml"
+                - default.yml
+              paths:
+                - "{{ role_path }}/vars"
+
+        - when: has_podman
+          block:
+            - name: Install podman
+              ansible.builtin.package:
+                name: "{{ podman_packages }}"
+              notify: cleanup podman
+
+            - name: Start podman socket for this user
+              ansible.builtin.systemd_service:
+                name: "{{ podman_socket_service }}"
+                state: started
+                scope: "{{ 'global' if podman_user_id.stdout == '0' and ansible_facts.os_family == 'RedHat' and (ansible_facts.distribution_major_version | int < 10) else 'user' }}"
+              environment:
+                XDG_RUNTIME_DIR: "{{ '/run' if podman_user_id.stdout == '0' else ('/run/user/' ~ podman_user_id.stdout) }}"
+
+        - name: Set marker that Podman was already set up
+          ansible.builtin.file:
+            path: /root/community.docker-podman-is-set-up
+            state: touch
+          when: podman_skip_cleanup
+
+    - when: not has_podman or ansible_module_running_in_container
+      block:
+        - ansible.builtin.set_fact:
+            podman_cli_version: "0.0"
+            podman_socket: "not available"
+
+    - when: has_podman and not ansible_module_running_in_container
+      block:
+        - name: Check Podman CLI version
+          ansible.builtin.command: "podman version -f {% raw %}'{{.Client.Version}}'{% endraw %}"
+          register: podman_cli_version_stdout
+          ignore_errors: true
+
+        - ansible.builtin.set_fact:
+            podman_cli_version: "{{ podman_cli_version_stdout.stdout | default('0.0', true) }}"
+            podman_socket: "unix://{{ '/run' if podman_user_id.stdout == '0' else ('/run/user/' ~ podman_user_id.stdout) }}/podman/podman.sock"
+
+        - name: Create podman Docker context
+          ansible.builtin.command:
+            cmd: >-
+              docker context
+              create podman
+              --description "Podman"
+              --docker "host={{ podman_socket }}"
+          ignore_errors: true
+
+    - ansible.builtin.debug:
+        msg: |-
+          Podman CLI version: {{ podman_cli_version }}
+          Podman socket: {{ podman_socket }}
+
+    - when: podman_cli_version is version('0.0', '>')
+      block:
+        # Cleanup podman
+        - name: Show all containers
+          ansible.builtin.command: 'podman ps --no-trunc --format {% raw %}"{{.Names}}"{% endraw %}'
+
+        - name: "Remove all ansible-docker-test-* podman containers"
+          ansible.builtin.shell: 'podman ps --no-trunc --format {% raw %}"{{.Names}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r podman container rm -f'
+          register: podman_containers
+          retries: 3
+          delay: 3
+          until: podman_containers is success
+          ignore_errors: true
+
+        - name: "Remove all ansible-docker-test-* podman volumes"
+          ansible.builtin.shell: 'podman volume ls --format {% raw %}"{{.Name}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r podman volume rm -f'
+          register: podman_volumes
+          ignore_errors: true
+
+        - name: "Remove all ansible-docker-test-* podman networks"
+          ansible.builtin.shell: 'podman network ls --no-trunc --format {% raw %}"{{.Name}}"{% endraw %} | grep "^ansible-docker-test-" | xargs -r podman network rm'
+          register: podman_networks
+          ignore_errors: true
+
+        - name: Cleaned podman resources
+          ansible.builtin.debug:
+            var: podman_resources
+          vars:
+            podman_resources:
+              containers: "{{ podman_containers.stdout_lines | default([]) }}"
+              volumes: "{{ podman_volumes.stdout_lines | default([]) }}"
+              networks: "{{ podman_networks.stdout_lines | default([]) }}"
+
+        # List all existing podman resources
+        - name: List all podman containers
+          ansible.builtin.command: podman ps --no-trunc -a
+          register: podman_containers
+          ignore_errors: true
+
+        - name: List all podman volumes
+          ansible.builtin.command: podman volume ls
+          register: podman_volumes
+          ignore_errors: true
+
+        - name: List all podman networks
+          ansible.builtin.command: podman network ls --no-trunc
+          register: podman_networks
+          ignore_errors: true
+
+        - name: List all podman images
+          ansible.builtin.command: podman images --no-trunc -a
+          register: podman_images
+          ignore_errors: true
+
+        - name: Still existing podman resources
+          ansible.builtin.debug:
+            var: podman_resources
+          vars:
+            podman_resources:
+              containers: "{{ podman_containers.stdout_lines | default([]) }}"
+              volumes: "{{ podman_volumes.stdout_lines | default([]) }}"
+              networks: "{{ podman_networks.stdout_lines | default([]) }}"
+              images: "{{ podman_images.stdout_lines | default([]) }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Alpine.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Alpine.yml
new file mode 100644
index 00000000..c74a9b30
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Alpine.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+podman_socket_service: podman
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-7.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-7.yml
new file mode 100644
index 00000000..cb149ddd
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-7.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# While CentOS 7 has podman, it doesn't come with a podman socket, so we treat it as whether it doesn't exist at all...
+has_podman: false
+podman_packages: []
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-8.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-8.yml
new file mode 100644
index 00000000..a1e98a63
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/RedHat-8.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# While CentOS 8 has podman, there's a strange conflict resolution issue with it
+# TODO: try to fix that issue!
+has_podman: false
+podman_packages: []
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Ubuntu-20.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Ubuntu-20.yml
new file mode 100644
index 00000000..aee6a58b
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/Ubuntu-20.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_podman: false
+podman_packages: []
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/default.yml
new file mode 100644
index 00000000..f55df21f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_podman/vars/default.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/aliases b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/aliases
new file mode 100644
index 00000000..27ce6b08
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+needs/file/tests/utils/constraints.txt
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/meta/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/meta/main.yml
new file mode 100644
index 00000000..982de6eb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/tasks/main.yml
new file mode 100644
index 00000000..169a128f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_constraints/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: record constraints.txt path on remote host
+  ansible.builtin.set_fact:
+    remote_constraints: "{{ remote_tmp_dir }}/constraints.txt"
+
+- name: copy constraints.txt to remote host
+  ansible.builtin.copy:
+    src: "{{ role_path }}/../../../utils/constraints.txt"
+    dest: "{{ remote_constraints }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml
new file mode 100644
index 00000000..5dce767d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: delete temporary directory
+  ansible.builtin.include_tasks: default-cleanup.yml
+
+- name: delete temporary directory (windows)
+  ansible.builtin.include_tasks: windows-cleanup.yml
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml
new file mode 100644
index 00000000..ab9a8787
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: delete temporary directory
+  ansible.builtin.file:
+    path: "{{ remote_tmp_dir }}"
+    state: absent
+  no_log: true
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml
new file mode 100644
index 00000000..04eda43c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: .test
+  register: remote_tmp_dir
+  notify:
+    - delete temporary directory
+
+- name: record temporary directory
+  ansible.builtin.set_fact:
+    remote_tmp_dir: "{{ remote_tmp_dir.path }}"
diff --git a/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml
new file mode 100644
index 00000000..51e4b800
--- /dev/null
+++ b/ansible_collections/community/docker/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: make sure we have the ansible_os_family and ansible_distribution_version facts
+  ansible.builtin.setup:
+    gather_subset: distribution
+  when: ansible_facts == {}
+
+- ansible.builtin.include_tasks: "{{ lookup('first_found', files) }}"
+  vars:
+    files:
+      - "{{ ansible_os_family | lower }}.yml"
+      - "default.yml"
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt b/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt
new file mode 100644
index 00000000..1dbff5a7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt
@@ -0,0 +1,26 @@
+plugins/connection/docker.py no-assert
+plugins/connection/docker_api.py no-assert
+plugins/connection/nsenter.py no-assert
+plugins/module_utils/_api/api/client.py pep8:E704
+plugins/module_utils/_api/transport/sshconn.py no-assert
+plugins/module_utils/_api/utils/build.py no-assert
+plugins/module_utils/_api/utils/ports.py pep8:E704
+plugins/module_utils/_api/utils/proxy.py pep8:E704
+plugins/module_utils/_api/utils/socket.py pep8:E704
+plugins/module_utils/_common_cli.py pep8:E704
+plugins/module_utils/_module_container/module.py no-assert
+plugins/module_utils/_platform.py no-assert
+plugins/module_utils/_socket_handler.py no-assert
+plugins/module_utils/_swarm.py pep8:E704
+plugins/module_utils/_util.py pep8:E704
+plugins/modules/docker_container_copy_into.py no-assert
+plugins/modules/docker_container_copy_into.py validate-modules:undocumented-parameter # _max_file_size_for_diff is used by the action plugin
+plugins/modules/docker_container_exec.py no-assert
+plugins/modules/docker_container_exec.py pylint:unpacking-non-sequence
+plugins/modules/docker_image.py no-assert
+plugins/modules/docker_image_tag.py no-assert
+plugins/modules/docker_login.py no-assert
+plugins/modules/docker_plugin.py no-assert
+plugins/modules/docker_swarm_service.py no-assert
+plugins/modules/docker_swarm_service.py pep8:E704
+plugins/modules/docker_volume.py no-assert
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt.license b/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.17.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt b/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt
new file mode 100644
index 00000000..88e39985
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt
@@ -0,0 +1,25 @@
+plugins/connection/docker.py no-assert
+plugins/connection/docker_api.py no-assert
+plugins/connection/nsenter.py no-assert
+plugins/module_utils/_api/api/client.py pep8:E704
+plugins/module_utils/_api/transport/sshconn.py no-assert
+plugins/module_utils/_api/utils/build.py no-assert
+plugins/module_utils/_api/utils/ports.py pep8:E704
+plugins/module_utils/_api/utils/proxy.py pep8:E704
+plugins/module_utils/_api/utils/socket.py pep8:E704
+plugins/module_utils/_common_cli.py pep8:E704
+plugins/module_utils/_module_container/module.py no-assert
+plugins/module_utils/_platform.py no-assert
+plugins/module_utils/_socket_handler.py no-assert
+plugins/module_utils/_swarm.py pep8:E704
+plugins/module_utils/_util.py pep8:E704
+plugins/modules/docker_container_copy_into.py no-assert
+plugins/modules/docker_container_copy_into.py validate-modules:undocumented-parameter # _max_file_size_for_diff is used by the action plugin
+plugins/modules/docker_container_exec.py no-assert
+plugins/modules/docker_image.py no-assert
+plugins/modules/docker_image_tag.py no-assert
+plugins/modules/docker_login.py no-assert
+plugins/modules/docker_plugin.py no-assert
+plugins/modules/docker_swarm_service.py no-assert
+plugins/modules/docker_swarm_service.py pep8:E704
+plugins/modules/docker_volume.py no-assert
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt.license b/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.18.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt b/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt
new file mode 100644
index 00000000..dea97dcf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt
@@ -0,0 +1,17 @@
+plugins/connection/docker.py no-assert
+plugins/connection/docker_api.py no-assert
+plugins/connection/nsenter.py no-assert
+plugins/module_utils/_api/transport/sshconn.py no-assert
+plugins/module_utils/_api/utils/build.py no-assert
+plugins/module_utils/_module_container/module.py no-assert
+plugins/module_utils/_platform.py no-assert
+plugins/module_utils/_socket_handler.py no-assert
+plugins/modules/docker_container_copy_into.py no-assert
+plugins/modules/docker_container_copy_into.py validate-modules:undocumented-parameter # _max_file_size_for_diff is used by the action plugin
+plugins/modules/docker_container_exec.py no-assert
+plugins/modules/docker_image.py no-assert
+plugins/modules/docker_image_tag.py no-assert
+plugins/modules/docker_login.py no-assert
+plugins/modules/docker_plugin.py no-assert
+plugins/modules/docker_swarm_service.py no-assert
+plugins/modules/docker_volume.py no-assert
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt.license b/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.19.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt b/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt
new file mode 100644
index 00000000..dea97dcf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt
@@ -0,0 +1,17 @@
+plugins/connection/docker.py no-assert
+plugins/connection/docker_api.py no-assert
+plugins/connection/nsenter.py no-assert
+plugins/module_utils/_api/transport/sshconn.py no-assert
+plugins/module_utils/_api/utils/build.py no-assert
+plugins/module_utils/_module_container/module.py no-assert
+plugins/module_utils/_platform.py no-assert
+plugins/module_utils/_socket_handler.py no-assert
+plugins/modules/docker_container_copy_into.py no-assert
+plugins/modules/docker_container_copy_into.py validate-modules:undocumented-parameter # _max_file_size_for_diff is used by the action plugin
+plugins/modules/docker_container_exec.py no-assert
+plugins/modules/docker_image.py no-assert
+plugins/modules/docker_image_tag.py no-assert
+plugins/modules/docker_login.py no-assert
+plugins/modules/docker_plugin.py no-assert
+plugins/modules/docker_swarm_service.py no-assert
+plugins/modules/docker_volume.py no-assert
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt.license b/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.20.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt b/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt
new file mode 100644
index 00000000..dea97dcf
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt
@@ -0,0 +1,17 @@
+plugins/connection/docker.py no-assert
+plugins/connection/docker_api.py no-assert
+plugins/connection/nsenter.py no-assert
+plugins/module_utils/_api/transport/sshconn.py no-assert
+plugins/module_utils/_api/utils/build.py no-assert
+plugins/module_utils/_module_container/module.py no-assert
+plugins/module_utils/_platform.py no-assert
+plugins/module_utils/_socket_handler.py no-assert
+plugins/modules/docker_container_copy_into.py no-assert
+plugins/modules/docker_container_copy_into.py validate-modules:undocumented-parameter # _max_file_size_for_diff is used by the action plugin
+plugins/modules/docker_container_exec.py no-assert
+plugins/modules/docker_image.py no-assert
+plugins/modules/docker_image_tag.py no-assert
+plugins/modules/docker_login.py no-assert
+plugins/modules/docker_plugin.py no-assert
+plugins/modules/docker_swarm_service.py no-assert
+plugins/modules/docker_volume.py no-assert
diff --git a/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt.license b/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/docker/tests/sanity/ignore-2.21.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/docker/tests/unit/plugins/connection/test_docker.py b/ansible_collections/community/docker/tests/unit/plugins/connection/test_docker.py
new file mode 100644
index 00000000..680aad1e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/connection/test_docker.py
@@ -0,0 +1,85 @@
+# Copyright (c) 2020 Red Hat, Inc.
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+import unittest
+from io import StringIO
+from unittest import mock
+
+from ansible.errors import AnsibleError
+from ansible.playbook.play_context import PlayContext
+from ansible.plugins.loader import connection_loader
+
+
+class TestDockerConnectionClass(unittest.TestCase):
+    def setUp(self) -> None:
+        self.play_context = PlayContext()
+        self.play_context.prompt = (
+            "[sudo via ansible, key=ouzmdnewuhucvuaabtjmweasarviygqq] password: "
+        )
+        self.in_stream = StringIO()
+        with mock.patch(
+            "ansible_collections.community.docker.plugins.connection.docker.get_bin_path",
+            return_value="docker",
+        ):
+            self.dc = connection_loader.get(
+                "community.docker.docker", self.play_context, self.in_stream
+            )
+
+    def tearDown(self) -> None:
+        pass
+
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._old_docker_version",
+        return_value=("false", "garbage", "", 1),
+    )
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._new_docker_version",
+        return_value=("docker version", "1.2.3", "", 0),
+    )
+    def test_docker_connection_module_too_old(
+        self, mock_new_docker_version: t.Any, mock_old_docker_version: t.Any
+    ) -> None:
+        self.dc._version = None
+        self.dc.remote_user = "foo"
+        self.assertRaisesRegex(
+            AnsibleError,
+            "^docker connection type requires docker 1.3 or higher$",
+            self.dc._get_actual_user,
+        )
+
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._old_docker_version",
+        return_value=("false", "garbage", "", 1),
+    )
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._new_docker_version",
+        return_value=("docker version", "1.7.0", "", 0),
+    )
+    def test_docker_connection_module(
+        self, mock_new_docker_version: t.Any, mock_old_docker_version: t.Any
+    ) -> None:
+        self.dc._version = None
+
+    # old version and new version fail
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._old_docker_version",
+        return_value=("false", "garbage", "", 1),
+    )
+    @mock.patch(
+        "ansible_collections.community.docker.plugins.connection.docker.Connection._new_docker_version",
+        return_value=("false", "garbage", "", 1),
+    )
+    def test_docker_connection_module_wrong_cmd(
+        self, mock_new_docker_version: t.Any, mock_old_docker_version: t.Any
+    ) -> None:
+        self.dc._version = None
+        self.dc.remote_user = "foo"
+        self.assertRaisesRegex(
+            AnsibleError,
+            "^Docker version check (.*?) failed:",
+            self.dc._get_actual_user,
+        )
diff --git a/ansible_collections/community/docker/tests/unit/plugins/inventory/test_docker_containers.py b/ansible_collections/community/docker/tests/unit/plugins/inventory/test_docker_containers.py
new file mode 100644
index 00000000..7b8ec8ac
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/inventory/test_docker_containers.py
@@ -0,0 +1,333 @@
+# Copyright (c), Felix Fontein <felix@fontein.de>, 2020
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+from unittest.mock import create_autospec
+
+import pytest
+from ansible.inventory.data import InventoryData
+from ansible.parsing.dataloader import DataLoader
+from ansible.template import Templar
+from ansible_collections.community.internal_test_tools.tests.unit.utils.trust import (
+    make_trusted,
+)
+
+from ansible_collections.community.docker.plugins.inventory.docker_containers import (
+    InventoryModule,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+
+@pytest.fixture(scope="module", name="templar")
+def templar_fixture() -> Templar:
+    dataloader = create_autospec(DataLoader, instance=True)
+    return Templar(loader=dataloader)
+
+
+@pytest.fixture(scope="module", name="inventory")
+def inventory_fixture(templar: Templar) -> InventoryModule:
+    r = InventoryModule()
+    r.inventory = InventoryData()
+    r.templar = templar
+    return r
+
+
+LOVING_THARP = {
+    "Id": "7bd547963679e3209cafd52aff21840b755c96fd37abcd7a6e19da8da6a7f49a",
+    "Name": "/loving_tharp",
+    "Image": "sha256:349f492ff18add678364a62a67ce9a13487f14293ae0af1baf02398aa432f385",
+    "State": {
+        "Running": True,
+    },
+    "Config": {
+        "Image": "quay.io/ansible/ubuntu1804-test-container:1.21.0",
+    },
+}
+
+
+LOVING_THARP_STACK = {
+    "Id": "7bd547963679e3209cafd52aff21840b755c96fd37abcd7a6e19da8da6a7f49a",
+    "Name": "/loving_tharp",
+    "Image": "sha256:349f492ff18add678364a62a67ce9a13487f14293ae0af1baf02398aa432f385",
+    "State": {
+        "Running": True,
+    },
+    "Config": {
+        "Image": "quay.io/ansible/ubuntu1804-test-container:1.21.0",
+        "Labels": {
+            "com.docker.stack.namespace": "my_stack",
+        },
+    },
+    "NetworkSettings": {
+        "Ports": {
+            "22/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32802"}],
+        },
+    },
+}
+
+
+LOVING_THARP_SERVICE = {
+    "Id": "7bd547963679e3209cafd52aff21840b755c96fd37abcd7a6e19da8da6a7f49a",
+    "Name": "/loving_tharp",
+    "Image": "sha256:349f492ff18add678364a62a67ce9a13487f14293ae0af1baf02398aa432f385",
+    "State": {
+        "Running": True,
+    },
+    "Config": {
+        "Image": "quay.io/ansible/ubuntu1804-test-container:1.21.0",
+        "Labels": {
+            "com.docker.swarm.service.name": "my_service",
+        },
+    },
+}
+
+
+def create_get_option(
+    options: dict[str, t.Any], default: t.Any = False
+) -> Callable[[str], t.Any]:
+    def get_option(option: str) -> t.Any:
+        if option in options:
+            return options[option]
+        return default
+
+    return get_option
+
+
+class FakeClient:
+    def __init__(self, *hosts: dict[str, t.Any]) -> None:
+        self.get_results: dict[str, t.Any] = {}
+        list_reply: list[dict[str, t.Any]] = []
+        for host in hosts:
+            list_reply.append(
+                {
+                    "Id": host["Id"],
+                    "Names": [host["Name"]] if host["Name"] else [],
+                    "Image": host["Config"]["Image"],
+                    "ImageId": host["Image"],
+                }
+            )
+            self.get_results[f"/containers/{host['Name']}/json"] = host
+            self.get_results[f"/containers/{host['Id']}/json"] = host
+        self.get_results["/containers/json"] = list_reply
+
+    def get_json(self, url: str, *param: str, **kwargs: t.Any) -> t.Any:
+        url = url.format(*param)
+        return self.get_results[url]
+
+
+def test_populate(inventory: InventoryModule, mocker: t.Any) -> None:
+    assert inventory.inventory is not None
+    client = FakeClient(LOVING_THARP)
+
+    inventory.get_option = mocker.MagicMock(  # type: ignore[method-assign]
+        side_effect=create_get_option(
+            {
+                "verbose_output": True,
+                "connection_type": "docker-api",
+                "add_legacy_groups": False,
+                "compose": {},
+                "groups": {},
+                "keyed_groups": {},
+                "filters": None,
+            }
+        )
+    )
+    inventory._populate(client)  # type: ignore
+
+    host_1 = inventory.inventory.get_host("loving_tharp")
+    assert host_1 is not None
+    host_1_vars = host_1.get_vars()
+
+    assert host_1_vars["ansible_host"] == "loving_tharp"
+    assert host_1_vars["ansible_connection"] == "community.docker.docker_api"
+    assert "ansible_ssh_host" not in host_1_vars
+    assert "ansible_ssh_port" not in host_1_vars
+    assert "docker_state" in host_1_vars
+    assert "docker_config" in host_1_vars
+    assert "docker_image" in host_1_vars
+
+    assert len(inventory.inventory.groups["ungrouped"].hosts) == 0
+    assert len(inventory.inventory.groups["all"].hosts) == 0
+    assert len(inventory.inventory.groups) == 2
+    assert len(inventory.inventory.hosts) == 1
+
+
+def test_populate_service(inventory: InventoryModule, mocker: t.Any) -> None:
+    assert inventory.inventory is not None
+    client = FakeClient(LOVING_THARP_SERVICE)
+
+    inventory.get_option = mocker.MagicMock(  # type: ignore[method-assign]
+        side_effect=create_get_option(
+            {
+                "verbose_output": False,
+                "connection_type": "docker-cli",
+                "add_legacy_groups": True,
+                "compose": {},
+                "groups": {},
+                "keyed_groups": {},
+                "docker_host": "unix://var/run/docker.sock",
+                "filters": None,
+            }
+        )
+    )
+    inventory._populate(client)  # type: ignore
+
+    host_1 = inventory.inventory.get_host("loving_tharp")
+    assert host_1 is not None
+    host_1_vars = host_1.get_vars()
+
+    assert host_1_vars["ansible_host"] == "loving_tharp"
+    assert host_1_vars["ansible_connection"] == "community.docker.docker"
+    assert "ansible_ssh_host" not in host_1_vars
+    assert "ansible_ssh_port" not in host_1_vars
+    assert "docker_state" not in host_1_vars
+    assert "docker_config" not in host_1_vars
+    assert "docker_image" not in host_1_vars
+
+    assert len(inventory.inventory.groups["ungrouped"].hosts) == 0
+    assert len(inventory.inventory.groups["all"].hosts) == 0
+    assert len(inventory.inventory.groups["7bd547963679e"].hosts) == 1
+    assert (
+        len(
+            inventory.inventory.groups[
+                "7bd547963679e3209cafd52aff21840b755c96fd37abcd7a6e19da8da6a7f49a"
+            ].hosts
+        )
+        == 1
+    )
+    assert (
+        len(
+            inventory.inventory.groups[
+                "image_quay.io/ansible/ubuntu1804-test-container:1.21.0"
+            ].hosts
+        )
+        == 1
+    )
+    assert len(inventory.inventory.groups["loving_tharp"].hosts) == 1
+    assert len(inventory.inventory.groups["running"].hosts) == 1
+    assert len(inventory.inventory.groups["stopped"].hosts) == 0
+    assert len(inventory.inventory.groups["service_my_service"].hosts) == 1
+    assert len(inventory.inventory.groups["unix://var/run/docker.sock"].hosts) == 1
+    assert len(inventory.inventory.groups) == 10
+    assert len(inventory.inventory.hosts) == 1
+
+
+def test_populate_stack(inventory: InventoryModule, mocker: t.Any) -> None:
+    assert inventory.inventory is not None
+    client = FakeClient(LOVING_THARP_STACK)
+
+    inventory.get_option = mocker.MagicMock(  # type: ignore[method-assign]
+        side_effect=create_get_option(
+            {
+                "verbose_output": False,
+                "connection_type": "ssh",
+                "add_legacy_groups": True,
+                "compose": {},
+                "groups": {},
+                "keyed_groups": {},
+                "docker_host": "unix://var/run/docker.sock",
+                "default_ip": "127.0.0.1",
+                "private_ssh_port": 22,
+                "filters": None,
+            }
+        )
+    )
+    inventory._populate(client)  # type: ignore
+
+    host_1 = inventory.inventory.get_host("loving_tharp")
+    assert host_1 is not None
+    host_1_vars = host_1.get_vars()
+
+    assert host_1_vars["ansible_ssh_host"] == "127.0.0.1"
+    assert host_1_vars["ansible_ssh_port"] == "32802"
+    assert "ansible_host" not in host_1_vars
+    assert "ansible_connection" not in host_1_vars
+    assert "docker_state" not in host_1_vars
+    assert "docker_config" not in host_1_vars
+    assert "docker_image" not in host_1_vars
+
+    assert len(inventory.inventory.groups["ungrouped"].hosts) == 0
+    assert len(inventory.inventory.groups["all"].hosts) == 0
+    assert len(inventory.inventory.groups["7bd547963679e"].hosts) == 1
+    assert (
+        len(
+            inventory.inventory.groups[
+                "7bd547963679e3209cafd52aff21840b755c96fd37abcd7a6e19da8da6a7f49a"
+            ].hosts
+        )
+        == 1
+    )
+    assert (
+        len(
+            inventory.inventory.groups[
+                "image_quay.io/ansible/ubuntu1804-test-container:1.21.0"
+            ].hosts
+        )
+        == 1
+    )
+    assert len(inventory.inventory.groups["loving_tharp"].hosts) == 1
+    assert len(inventory.inventory.groups["running"].hosts) == 1
+    assert len(inventory.inventory.groups["stopped"].hosts) == 0
+    assert len(inventory.inventory.groups["stack_my_stack"].hosts) == 1
+    assert len(inventory.inventory.groups["unix://var/run/docker.sock"].hosts) == 1
+    assert len(inventory.inventory.groups) == 10
+    assert len(inventory.inventory.hosts) == 1
+
+
+def test_populate_filter_none(inventory: InventoryModule, mocker: t.Any) -> None:
+    assert inventory.inventory is not None
+    client = FakeClient(LOVING_THARP)
+
+    inventory.get_option = mocker.MagicMock(  # type: ignore[method-assign]
+        side_effect=create_get_option(
+            {
+                "verbose_output": True,
+                "connection_type": "docker-api",
+                "add_legacy_groups": False,
+                "compose": {},
+                "groups": {},
+                "keyed_groups": {},
+                "filters": [
+                    {"exclude": True},
+                ],
+            }
+        )
+    )
+    inventory._populate(client)  # type: ignore
+
+    assert len(inventory.inventory.hosts) == 0
+
+
+def test_populate_filter(inventory: InventoryModule, mocker: t.Any) -> None:
+    assert inventory.inventory is not None
+    client = FakeClient(LOVING_THARP)
+
+    inventory.get_option = mocker.MagicMock(  # type: ignore[method-assign]
+        side_effect=create_get_option(
+            {
+                "verbose_output": True,
+                "connection_type": "docker-api",
+                "add_legacy_groups": False,
+                "compose": {},
+                "groups": {},
+                "keyed_groups": {},
+                "filters": [
+                    {"include": make_trusted("docker_state.Running is true")},
+                    {"exclude": True},
+                ],
+            }
+        )
+    )
+    inventory._populate(client)  # type: ignore
+
+    host_1 = inventory.inventory.get_host("loving_tharp")
+    assert host_1 is not None
+    host_1_vars = host_1.get_vars()
+
+    assert host_1_vars["ansible_host"] == "loving_tharp"
+    assert len(inventory.inventory.hosts) == 1
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/api/test_client.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/api/test_client.py
new file mode 100644
index 00000000..e86f6d04
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/api/test_client.py
@@ -0,0 +1,674 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import datetime
+import io
+import json
+import os
+import re
+import shutil
+import socket
+import struct
+import tempfile
+import threading
+import time
+import typing as t
+import unittest
+from http.server import BaseHTTPRequestHandler
+from socketserver import ThreadingTCPServer
+from unittest import mock
+
+import pytest
+import requests
+from requests.packages import urllib3
+
+from ansible_collections.community.docker.plugins.module_utils._api import (
+    constants,
+    errors,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+    APIClient,
+)
+from ansible_collections.community.docker.tests.unit.plugins.module_utils._api.constants import (
+    DEFAULT_DOCKER_API_VERSION,
+)
+
+from .. import fake_api
+
+if t.TYPE_CHECKING:
+    from ansible_collections.community.docker.plugins.module_utils._api.auth import (
+        AuthConfig,
+    )
+
+
+DEFAULT_TIMEOUT_SECONDS = constants.DEFAULT_TIMEOUT_SECONDS
+
+
+def create_response(
+    status_code: int = 200,
+    content: bytes | dict[str, t.Any] | list[dict[str, t.Any]] = b"",
+    headers: dict[str, str] | None = None,
+    reason: str = "",
+    elapsed: int = 0,
+    request: requests.PreparedRequest | None = None,
+    raw: urllib3.HTTPResponse | None = None,
+) -> requests.Response:
+    res = requests.Response()
+    res.status_code = status_code
+    if not isinstance(content, bytes):
+        content = json.dumps(content).encode("ascii")
+    res._content = content
+    res.headers = requests.structures.CaseInsensitiveDict(headers or {})
+    res.reason = reason
+    res.elapsed = datetime.timedelta(elapsed)
+    res.request = request  # type: ignore
+    res.raw = raw
+    return res
+
+
+def fake_resolve_authconfig(  # pylint: disable=keyword-arg-before-vararg
+    authconfig: AuthConfig, *args: t.Any, registry: str | None = None, **kwargs: t.Any
+) -> None:
+    return None
+
+
+def fake_inspect_container(self: object, container: str, tty: bool = False) -> t.Any:
+    return fake_api.get_fake_inspect_container(tty=tty)[1]
+
+
+def fake_resp(
+    method: str, url: str, *args: t.Any, **kwargs: t.Any
+) -> requests.Response:
+    key: str | tuple[str, str] | None = None
+    if url in fake_api.fake_responses:
+        key = url
+    elif (url, method) in fake_api.fake_responses:
+        key = (url, method)
+    if not key:
+        raise NotImplementedError(f"{method} {url}")
+    status_code, content = fake_api.fake_responses[key]()
+    return create_response(status_code=status_code, content=content)
+
+
+fake_request = mock.Mock(side_effect=fake_resp)
+
+
+def fake_get(
+    self: APIClient, url: str, *args: str, **kwargs: t.Any
+) -> requests.Response:
+    return fake_request("GET", url, *args, **kwargs)
+
+
+def fake_post(
+    self: APIClient, url: str, *args: str, **kwargs: t.Any
+) -> requests.Response:
+    return fake_request("POST", url, *args, **kwargs)
+
+
+def fake_put(
+    self: APIClient, url: str, *args: str, **kwargs: t.Any
+) -> requests.Response:
+    return fake_request("PUT", url, *args, **kwargs)
+
+
+def fake_delete(
+    self: APIClient, url: str, *args: str, **kwargs: t.Any
+) -> requests.Response:
+    return fake_request("DELETE", url, *args, **kwargs)
+
+
+def fake_read_from_socket(
+    self: APIClient,
+    response: requests.Response,
+    stream: bool,
+    tty: bool = False,
+    demux: bool = False,
+) -> bytes:
+    return b""
+
+
+url_base = f"{fake_api.prefix}/"  # pylint: disable=invalid-name
+url_prefix = f"{url_base}v{DEFAULT_DOCKER_API_VERSION}/"  # pylint: disable=invalid-name
+
+
+class BaseAPIClientTest(unittest.TestCase):
+    def setUp(self) -> None:
+        self.patcher = mock.patch.multiple(
+            "ansible_collections.community.docker.plugins.module_utils._api.api.client.APIClient",
+            get=fake_get,
+            post=fake_post,
+            put=fake_put,
+            delete=fake_delete,
+            _read_from_socket=fake_read_from_socket,
+        )
+        self.patcher.start()
+        self.client = APIClient(version=DEFAULT_DOCKER_API_VERSION)
+
+    def tearDown(self) -> None:
+        self.client.close()
+        self.patcher.stop()
+
+    def base_create_payload(
+        self, img: str = "busybox", cmd: list[str] | None = None
+    ) -> dict[str, t.Any]:
+        if not cmd:
+            cmd = ["true"]
+        return {
+            "Tty": False,
+            "Image": img,
+            "Cmd": cmd,
+            "AttachStdin": False,
+            "AttachStderr": True,
+            "AttachStdout": True,
+            "StdinOnce": False,
+            "OpenStdin": False,
+            "NetworkDisabled": False,
+        }
+
+
+class DockerApiTest(BaseAPIClientTest):
+    def test_ctor(self) -> None:
+        with pytest.raises(errors.DockerException) as excinfo:
+            APIClient(version=1.12)  # type: ignore
+
+        assert (
+            str(excinfo.value)
+            == "Version parameter must be a string or None. Found float"
+        )
+
+    def test_url_valid_resource(self) -> None:
+        url = self.client._url("/hello/{0}/world", "somename")
+        assert url == f"{url_prefix}hello/somename/world"
+
+        url = self.client._url("/hello/{0}/world/{1}", "somename", "someothername")
+        assert url == f"{url_prefix}hello/somename/world/someothername"
+
+        url = self.client._url("/hello/{0}/world", "some?name")
+        assert url == f"{url_prefix}hello/some%3Fname/world"
+
+        url = self.client._url("/images/{0}/push", "localhost:5000/image")
+        assert url == f"{url_prefix}images/localhost:5000/image/push"
+
+    def test_url_invalid_resource(self) -> None:
+        with pytest.raises(ValueError):
+            self.client._url("/hello/{0}/world", ["sakuya", "izayoi"])  # type: ignore
+
+    def test_url_no_resource(self) -> None:
+        url = self.client._url("/simple")
+        assert url == f"{url_prefix}simple"
+
+    def test_url_unversioned_api(self) -> None:
+        url = self.client._url("/hello/{0}/world", "somename", versioned_api=False)
+        assert url == f"{url_base}hello/somename/world"
+
+    def test_version(self) -> None:
+        self.client.version()
+
+        fake_request.assert_called_with(
+            "GET", url_prefix + "version", timeout=DEFAULT_TIMEOUT_SECONDS
+        )
+
+    def test_version_no_api_version(self) -> None:
+        self.client.version(False)
+
+        fake_request.assert_called_with(
+            "GET", url_base + "version", timeout=DEFAULT_TIMEOUT_SECONDS
+        )
+
+    def test_retrieve_server_version(self) -> None:
+        client = APIClient(version="auto")
+        assert isinstance(client._version, str)
+        assert client._version != "auto"
+        client.close()
+
+    def test_auto_retrieve_server_version(self) -> None:
+        version = self.client._retrieve_server_version()
+        assert isinstance(version, str)
+
+    def test_info(self) -> None:
+        self.client.info()
+
+        fake_request.assert_called_with(
+            "GET", url_prefix + "info", timeout=DEFAULT_TIMEOUT_SECONDS
+        )
+
+    def test_search(self) -> None:
+        self.client.get_json("/images/search", params={"term": "busybox"})
+
+        fake_request.assert_called_with(
+            "GET",
+            url_prefix + "images/search",
+            params={"term": "busybox"},
+            timeout=DEFAULT_TIMEOUT_SECONDS,
+        )
+
+    def test_login(self) -> None:
+        self.client.login("sakuya", "izayoi")
+        args = fake_request.call_args
+        assert args[0][0] == "POST"
+        assert args[0][1] == url_prefix + "auth"
+        assert json.loads(args[1]["data"]) == {
+            "username": "sakuya",
+            "password": "izayoi",
+        }
+        assert args[1]["headers"] == {"Content-Type": "application/json"}
+        assert self.client._auth_configs.auths["docker.io"] == {
+            "email": None,
+            "password": "izayoi",
+            "username": "sakuya",
+            "serveraddress": None,
+        }
+
+    def _socket_path_for_client_session(self, client: APIClient) -> str:
+        socket_adapter = client.get_adapter("http+docker://")
+        return socket_adapter.socket_path  # type: ignore[attr-defined]
+
+    def test_url_compatibility_unix(self) -> None:
+        c = APIClient(base_url="unix://socket", version=DEFAULT_DOCKER_API_VERSION)
+
+        assert self._socket_path_for_client_session(c) == "/socket"
+
+    def test_url_compatibility_unix_triple_slash(self) -> None:
+        c = APIClient(base_url="unix:///socket", version=DEFAULT_DOCKER_API_VERSION)
+
+        assert self._socket_path_for_client_session(c) == "/socket"
+
+    def test_url_compatibility_http_unix_triple_slash(self) -> None:
+        c = APIClient(
+            base_url="http+unix:///socket", version=DEFAULT_DOCKER_API_VERSION
+        )
+
+        assert self._socket_path_for_client_session(c) == "/socket"
+
+    def test_url_compatibility_http(self) -> None:
+        c = APIClient(
+            base_url="http://hostname:1234", version=DEFAULT_DOCKER_API_VERSION
+        )
+
+        assert c.base_url == "http://hostname:1234"
+
+    def test_url_compatibility_tcp(self) -> None:
+        c = APIClient(
+            base_url="tcp://hostname:1234", version=DEFAULT_DOCKER_API_VERSION
+        )
+
+        assert c.base_url == "http://hostname:1234"
+
+    def test_remove_link(self) -> None:
+        self.client.delete_call(
+            "/containers/{0}",
+            "3cc2351ab11b",
+            params={"v": False, "link": True, "force": False},
+        )
+
+        fake_request.assert_called_with(
+            "DELETE",
+            url_prefix + "containers/3cc2351ab11b",
+            params={"v": False, "link": True, "force": False},
+            timeout=DEFAULT_TIMEOUT_SECONDS,
+        )
+
+    def test_stream_helper_decoding(self) -> None:
+        status_code, content = fake_api.fake_responses[url_prefix + "events"]()
+        content_str = json.dumps(content).encode("utf-8")
+        body = io.BytesIO(content_str)
+
+        # mock a stream interface
+        raw_resp = urllib3.HTTPResponse(body=body)
+        raw_resp._fp.chunked = True
+        raw_resp._fp.chunk_left = len(body.getvalue()) - 1
+
+        # pass `decode=False` to the helper
+        raw_resp._fp.seek(0)
+        resp = create_response(status_code=status_code, content=content, raw=raw_resp)
+        result = next(self.client._stream_helper(resp))
+        assert result == content_str
+
+        # pass `decode=True` to the helper
+        raw_resp._fp.seek(0)
+        resp = create_response(status_code=status_code, content=content, raw=raw_resp)
+        result = next(self.client._stream_helper(resp, decode=True))
+        assert result == content
+
+        # non-chunked response, pass `decode=False` to the helper
+        raw_resp._fp.chunked = False
+        raw_resp._fp.seek(0)
+        resp = create_response(status_code=status_code, content=content, raw=raw_resp)
+        result = next(self.client._stream_helper(resp))
+        assert result == content_str.decode("utf-8")  # type: ignore
+
+        # non-chunked response, pass `decode=True` to the helper
+        raw_resp._fp.seek(0)
+        resp = create_response(status_code=status_code, content=content, raw=raw_resp)
+        result = next(self.client._stream_helper(resp, decode=True))
+        assert result == content
+
+
+class UnixSocketStreamTest(unittest.TestCase):
+    def setUp(self) -> None:
+        socket_dir = tempfile.mkdtemp()
+        self.build_context = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, socket_dir)
+        self.addCleanup(shutil.rmtree, self.build_context)
+        self.socket_file = os.path.join(socket_dir, "test_sock.sock")
+        self.server_socket = self._setup_socket()
+        self.stop_server = False
+        server_thread = threading.Thread(target=self.run_server)
+        server_thread.daemon = True
+        server_thread.start()
+        self.response: t.Any = None
+        self.request_handler: t.Any = None
+        self.addCleanup(server_thread.join)
+        self.addCleanup(self.stop)
+
+    def stop(self) -> None:
+        self.stop_server = True
+
+    def _setup_socket(self) -> socket.socket:
+        server_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        server_sock.bind(self.socket_file)
+        # Non-blocking mode so that we can shut the test down easily
+        server_sock.setblocking(0)  # type: ignore
+        server_sock.listen(5)
+        return server_sock
+
+    def run_server(self) -> None:
+        try:
+            while not self.stop_server:
+                try:
+                    connection, dummy_client_address = self.server_socket.accept()
+                except socket.error:
+                    # Probably no connection to accept yet
+                    time.sleep(0.01)
+                    continue
+
+                connection.setblocking(1)  # type: ignore
+                try:
+                    self.request_handler(connection)
+                finally:
+                    connection.close()
+        finally:
+            self.server_socket.close()
+
+    def early_response_sending_handler(self, connection: socket.socket) -> None:
+        data = b""
+        headers = None
+
+        connection.sendall(self.response)
+        while not headers:
+            data += connection.recv(2048)
+            parts = data.split(b"\r\n\r\n", 1)
+            if len(parts) == 2:
+                headers, data = parts
+
+        mo = re.search(r"Content-Length: ([0-9]+)", headers.decode())
+        assert mo
+        content_length = int(mo.group(1))
+
+        while True:
+            if len(data) >= content_length:
+                break
+
+            data += connection.recv(2048)
+
+    @pytest.mark.skipif(constants.IS_WINDOWS_PLATFORM, reason="Unix only")
+    def test_early_stream_response(self) -> None:
+        self.request_handler = self.early_response_sending_handler
+        lines = []
+        for i in range(0, 50):
+            line = str(i).encode()
+            lines += [f"{len(line):x}".encode(), line]
+        lines.append(b"0")
+        lines.append(b"")
+
+        self.response = (
+            b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
+        ) + b"\r\n".join(lines)
+
+        with APIClient(
+            base_url="http+unix://" + self.socket_file,
+            version=DEFAULT_DOCKER_API_VERSION,
+        ) as client:
+            for i in range(5):
+                try:
+                    params = {
+                        "t": None,
+                        "remote": None,
+                        "q": False,
+                        "nocache": False,
+                        "rm": False,
+                        "forcerm": False,
+                        "pull": False,
+                        "dockerfile": "Dockerfile",
+                    }
+                    headers = {"Content-Type": "application/tar"}
+                    data = b"..."
+                    response = client._post(
+                        client._url("/build"),
+                        params=params,
+                        headers=headers,
+                        data=data,
+                        stream=True,
+                    )
+                    stream = client._stream_helper(response, decode=False)
+                    break
+                except requests.ConnectionError as e:
+                    if i == 4:
+                        raise e
+
+            assert list(stream) == [str(i).encode() for i in range(50)]
+
+
+@pytest.mark.skip(
+    "This test requires starting a networking server and tries to access it. "
+    "This does not work with network separation with Docker-based unit tests, "
+    "but it does work with podman-based unit tests."
+)
+class TCPSocketStreamTest(unittest.TestCase):
+    stdout_data = b"""
+    Now, those children out there, they're jumping through the
+    flames in the hope that the god of the fire will make them fruitful.
+    Really, you can't blame them. After all, what girl would not prefer the
+    child of a god to that of some acne-scarred artisan?
+    """
+    stderr_data = b"""
+    And what of the true God? To whose glory churches and monasteries have been
+    built on these islands for generations past? Now shall what of Him?
+    """
+
+    server: ThreadingTCPServer
+    thread: threading.Thread
+    address: str
+
+    @classmethod
+    def setup_class(cls) -> None:
+        cls.server = ThreadingTCPServer(("", 0), cls.get_handler_class())
+        cls.thread = threading.Thread(target=cls.server.serve_forever)
+        cls.thread.daemon = True
+        cls.thread.start()
+        cls.address = f"http://{socket.gethostname()}:{cls.server.server_address[1]}"
+
+    @classmethod
+    def teardown_class(cls) -> None:
+        cls.server.shutdown()
+        cls.server.server_close()
+        cls.thread.join()
+
+    @classmethod
+    def get_handler_class(cls) -> type[BaseHTTPRequestHandler]:
+        stdout_data = cls.stdout_data
+        stderr_data = cls.stderr_data
+
+        class Handler(BaseHTTPRequestHandler):
+            def do_POST(self) -> None:  # pylint: disable=invalid-name
+                resp_data = self.get_resp_data()
+                self.send_response(101)
+                self.send_header("Content-Type", "application/vnd.docker.raw-stream")
+                self.send_header("Connection", "Upgrade")
+                self.send_header("Upgrade", "tcp")
+                self.end_headers()
+                self.wfile.flush()
+                time.sleep(0.2)
+                self.wfile.write(resp_data)
+                self.wfile.flush()
+
+            def get_resp_data(self) -> bytes:
+                path = self.path.split("/")[-1]
+                if path == "tty":
+                    return stdout_data + stderr_data
+                if path == "no-tty":
+                    data = b""
+                    data += self.frame_header(1, stdout_data)
+                    data += stdout_data
+                    data += self.frame_header(2, stderr_data)
+                    data += stderr_data
+                    return data
+                raise NotImplementedError(f"Unknown path {path}")
+
+            @staticmethod
+            def frame_header(stream: int, data: bytes) -> bytes:
+                return struct.pack(">BxxxL", stream, len(data))
+
+        return Handler
+
+    def request(
+        self,
+        stream: bool | None = None,
+        tty: bool | None = None,
+        demux: bool | None = None,
+    ) -> t.Any:
+        assert stream is not None and tty is not None and demux is not None
+        with APIClient(
+            base_url=self.address,
+            version=DEFAULT_DOCKER_API_VERSION,
+        ) as client:
+            if tty:
+                url = client._url("/tty")
+            else:
+                url = client._url("/no-tty")
+            resp = client._post(url, stream=True)
+            return client._read_from_socket(resp, stream=stream, tty=tty, demux=demux)
+
+    def test_read_from_socket_tty(self) -> None:
+        res = self.request(stream=True, tty=True, demux=False)
+        assert next(res) == self.stdout_data + self.stderr_data
+        with self.assertRaises(StopIteration):
+            next(res)
+
+    def test_read_from_socket_tty_demux(self) -> None:
+        res = self.request(stream=True, tty=True, demux=True)
+        assert next(res) == (self.stdout_data + self.stderr_data, None)
+        with self.assertRaises(StopIteration):
+            next(res)
+
+    def test_read_from_socket_no_tty(self) -> None:
+        res = self.request(stream=True, tty=False, demux=False)
+        assert next(res) == self.stdout_data
+        assert next(res) == self.stderr_data
+        with self.assertRaises(StopIteration):
+            next(res)
+
+    def test_read_from_socket_no_tty_demux(self) -> None:
+        res = self.request(stream=True, tty=False, demux=True)
+        assert (self.stdout_data, None) == next(res)
+        assert (None, self.stderr_data) == next(res)
+        with self.assertRaises(StopIteration):
+            next(res)
+
+    def test_read_from_socket_no_stream_tty(self) -> None:
+        res = self.request(stream=False, tty=True, demux=False)
+        assert res == self.stdout_data + self.stderr_data
+
+    def test_read_from_socket_no_stream_tty_demux(self) -> None:
+        res = self.request(stream=False, tty=True, demux=True)
+        assert res == (self.stdout_data + self.stderr_data, None)
+
+    def test_read_from_socket_no_stream_no_tty(self) -> None:
+        res = self.request(stream=False, tty=False, demux=False)
+        assert res == self.stdout_data + self.stderr_data
+
+    def test_read_from_socket_no_stream_no_tty_demux(self) -> None:
+        res = self.request(stream=False, tty=False, demux=True)
+        assert res == (self.stdout_data, self.stderr_data)
+
+
+class UserAgentTest(unittest.TestCase):
+    def setUp(self) -> None:
+        self.patcher = mock.patch.object(
+            APIClient,
+            "send",
+            return_value=fake_resp("GET", f"{fake_api.prefix}/version"),
+        )
+        self.mock_send = self.patcher.start()
+
+    def tearDown(self) -> None:
+        self.patcher.stop()
+
+    def test_default_user_agent(self) -> None:
+        client = APIClient(version=DEFAULT_DOCKER_API_VERSION)
+        client.version()
+
+        assert self.mock_send.call_count == 1
+        headers = self.mock_send.call_args[0][0].headers
+        expected = "ansible-community.docker"
+        assert headers["User-Agent"] == expected
+
+    def test_custom_user_agent(self) -> None:
+        client = APIClient(user_agent="foo/bar", version=DEFAULT_DOCKER_API_VERSION)
+        client.version()
+
+        assert self.mock_send.call_count == 1
+        headers = self.mock_send.call_args[0][0].headers
+        assert headers["User-Agent"] == "foo/bar"
+
+
+class DisableSocketTest(unittest.TestCase):
+    class DummySocket:
+        def __init__(self, timeout: int | float | None = 60) -> None:
+            self.timeout = timeout
+            self._sock: t.Any = None
+
+        def settimeout(self, timeout: int | float | None) -> None:
+            self.timeout = timeout
+
+        def gettimeout(self) -> int | float | None:
+            return self.timeout
+
+    def setUp(self) -> None:
+        self.client = APIClient(version=DEFAULT_DOCKER_API_VERSION)
+
+    def test_disable_socket_timeout(self) -> None:
+        """Test that the timeout is disabled on a generic socket object."""
+        the_socket = self.DummySocket()
+
+        self.client._disable_socket_timeout(the_socket)  # type: ignore
+
+        assert the_socket.timeout is None
+
+    def test_disable_socket_timeout2(self) -> None:
+        """Test that the timeouts are disabled on a generic socket object
+        and it's _sock object if present."""
+        the_socket = self.DummySocket()
+        the_socket._sock = self.DummySocket()  # type: ignore
+
+        self.client._disable_socket_timeout(the_socket)  # type: ignore
+
+        assert the_socket.timeout is None
+        assert the_socket._sock.timeout is None
+
+    def test_disable_socket_timout_non_blocking(self) -> None:
+        """Test that a non-blocking socket does not get set to blocking."""
+        the_socket = self.DummySocket()
+        the_socket._sock = self.DummySocket(0.0)  # type: ignore
+
+        self.client._disable_socket_timeout(the_socket)  # type: ignore
+
+        assert the_socket.timeout is None
+        assert the_socket._sock.timeout == 0.0
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/constants.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/constants.py
new file mode 100644
index 00000000..363ef02e
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/constants.py
@@ -0,0 +1,11 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+DEFAULT_DOCKER_API_VERSION = "1.45"
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_api.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_api.py
new file mode 100644
index 00000000..8fa543b2
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_api.py
@@ -0,0 +1,622 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api import constants
+from ansible_collections.community.docker.tests.unit.plugins.module_utils._api.constants import (
+    DEFAULT_DOCKER_API_VERSION,
+)
+
+from . import fake_stat
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+
+CURRENT_VERSION = f"v{DEFAULT_DOCKER_API_VERSION}"
+
+FAKE_CONTAINER_ID = "3cc2351ab11b"
+FAKE_IMAGE_ID = "e9aa60c60128"
+FAKE_EXEC_ID = "d5d177f121dc"
+FAKE_NETWORK_ID = "33fb6a3462b8"
+FAKE_IMAGE_NAME = "test_image"
+FAKE_TARBALL_PATH = "/path/to/tarball"
+FAKE_REPO_NAME = "repo"
+FAKE_TAG_NAME = "tag"
+FAKE_FILE_NAME = "file"
+FAKE_URL = "myurl"
+FAKE_PATH = "/path"
+FAKE_VOLUME_NAME = "perfectcherryblossom"
+FAKE_NODE_ID = "24ifsmvkjbyhk"
+FAKE_SECRET_ID = "epdyrw4tsi03xy3deu8g8ly6o"
+FAKE_SECRET_NAME = "super_secret"
+
+# Each method is prefixed with HTTP method (get, post...)
+# for clarity and readability
+
+
+def get_fake_version() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "ApiVersion": "1.35",
+        "Arch": "amd64",
+        "BuildTime": "2018-01-10T20:09:37.000000000+00:00",
+        "Components": [
+            {
+                "Details": {
+                    "ApiVersion": "1.35",
+                    "Arch": "amd64",
+                    "BuildTime": "2018-01-10T20:09:37.000000000+00:00",
+                    "Experimental": "false",
+                    "GitCommit": "03596f5",
+                    "GoVersion": "go1.9.2",
+                    "KernelVersion": "4.4.0-112-generic",
+                    "MinAPIVersion": "1.12",
+                    "Os": "linux",
+                },
+                "Name": "Engine",
+                "Version": "18.01.0-ce",
+            }
+        ],
+        "GitCommit": "03596f5",
+        "GoVersion": "go1.9.2",
+        "KernelVersion": "4.4.0-112-generic",
+        "MinAPIVersion": "1.12",
+        "Os": "linux",
+        "Platform": {"Name": ""},
+        "Version": "18.01.0-ce",
+    }
+
+    return status_code, response
+
+
+def get_fake_info() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "Containers": 1,
+        "Images": 1,
+        "Debug": False,
+        "MemoryLimit": False,
+        "SwapLimit": False,
+        "IPv4Forwarding": True,
+    }
+    return status_code, response
+
+
+def post_fake_auth() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Status": "Login Succeeded", "IdentityToken": "9cbaf023786cd7"}
+    return status_code, response
+
+
+def get_fake_ping() -> tuple[int, str]:
+    return 200, "OK"
+
+
+def get_fake_search() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [{"Name": "busybox", "Description": "Fake Description"}]
+    return status_code, response
+
+
+def get_fake_images() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [
+        {
+            "Id": FAKE_IMAGE_ID,
+            "Created": "2 days ago",
+            "Repository": "busybox",
+            "RepoTags": ["busybox:latest", "busybox:1.0"],
+        }
+    ]
+    return status_code, response
+
+
+def get_fake_image_history() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [
+        {"Id": "b750fe79269d", "Created": 1364102658, "CreatedBy": "/bin/bash"},
+        {"Id": "27cf78414709", "Created": 1364068391, "CreatedBy": ""},
+    ]
+
+    return status_code, response
+
+
+def post_fake_import_image() -> tuple[int, str]:
+    status_code = 200
+    response = "Import messages..."
+
+    return status_code, response
+
+
+def get_fake_containers() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [
+        {
+            "Id": FAKE_CONTAINER_ID,
+            "Image": "busybox:latest",
+            "Created": "2 days ago",
+            "Command": "true",
+            "Status": "fake status",
+        }
+    ]
+    return status_code, response
+
+
+def post_fake_start_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_resize_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_create_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def get_fake_inspect_container(tty: bool = False) -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "Id": FAKE_CONTAINER_ID,
+        "Config": {"Labels": {"foo": "bar"}, "Privileged": True, "Tty": tty},
+        "ID": FAKE_CONTAINER_ID,
+        "Image": "busybox:latest",
+        "Name": "foobar",
+        "State": {
+            "Status": "running",
+            "Running": True,
+            "Pid": 0,
+            "ExitCode": 0,
+            "StartedAt": "2013-09-25T14:01:18.869545111+02:00",
+            "Ghost": False,
+        },
+        "HostConfig": {
+            "LogConfig": {"Type": "json-file", "Config": {}},
+        },
+        "MacAddress": "02:42:ac:11:00:0a",
+    }
+    return status_code, response
+
+
+def get_fake_inspect_image() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "Id": FAKE_IMAGE_ID,
+        "Parent": "27cf784147099545",
+        "Created": "2013-03-23T22:24:18.818426-07:00",
+        "Container": FAKE_CONTAINER_ID,
+        "Config": {"Labels": {"bar": "foo"}},
+        "ContainerConfig": {
+            "Hostname": "",
+            "User": "",
+            "Memory": 0,
+            "MemorySwap": 0,
+            "AttachStdin": False,
+            "AttachStdout": False,
+            "AttachStderr": False,
+            "PortSpecs": "",
+            "Tty": True,
+            "OpenStdin": True,
+            "StdinOnce": False,
+            "Env": "",
+            "Cmd": ["/bin/bash"],
+            "Dns": "",
+            "Image": "base",
+            "Volumes": "",
+            "VolumesFrom": "",
+            "WorkingDir": "",
+        },
+        "Size": 6823592,
+    }
+    return status_code, response
+
+
+def get_fake_insert_image() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"StatusCode": 0}
+    return status_code, response
+
+
+def get_fake_wait() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"StatusCode": 0}
+    return status_code, response
+
+
+def get_fake_logs() -> tuple[int, bytes]:
+    status_code = 200
+    response = (
+        b"\x01\x00\x00\x00\x00\x00\x00\x00"
+        b"\x02\x00\x00\x00\x00\x00\x00\x00"
+        b"\x01\x00\x00\x00\x00\x00\x00\x11Flowering Nights\n"
+        b"\x01\x00\x00\x00\x00\x00\x00\x10(Sakuya Iyazoi)\n"
+    )
+    return status_code, response
+
+
+def get_fake_diff() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [{"Path": "/test", "Kind": 1}]
+    return status_code, response
+
+
+def get_fake_events() -> tuple[int, list[dict[str, t.Any]]]:
+    status_code = 200
+    response = [
+        {
+            "status": "stop",
+            "id": FAKE_CONTAINER_ID,
+            "from": FAKE_IMAGE_ID,
+            "time": 1423247867,
+        }
+    ]
+    return status_code, response
+
+
+def get_fake_export() -> tuple[int, str]:
+    status_code = 200
+    response = "Byte Stream...."
+    return status_code, response
+
+
+def post_fake_exec_create() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_EXEC_ID}
+    return status_code, response
+
+
+def post_fake_exec_start() -> tuple[int, bytes]:
+    status_code = 200
+    response = (
+        b"\x01\x00\x00\x00\x00\x00\x00\x11bin\nboot\ndev\netc\n"
+        b"\x01\x00\x00\x00\x00\x00\x00\x12lib\nmnt\nproc\nroot\n"
+        b"\x01\x00\x00\x00\x00\x00\x00\x0csbin\nusr\nvar\n"
+    )
+    return status_code, response
+
+
+def post_fake_exec_resize() -> tuple[int, str]:
+    status_code = 201
+    return status_code, ""
+
+
+def get_fake_exec_inspect() -> tuple[int, dict[str, t.Any]]:
+    return 200, {
+        "OpenStderr": True,
+        "OpenStdout": True,
+        "Container": get_fake_inspect_container()[1],
+        "Running": False,
+        "ProcessConfig": {
+            "arguments": ["hello world"],
+            "tty": False,
+            "entrypoint": "echo",
+            "privileged": False,
+            "user": "",
+        },
+        "ExitCode": 0,
+        "ID": FAKE_EXEC_ID,
+        "OpenStdin": False,
+    }
+
+
+def post_fake_stop_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_kill_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_pause_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_unpause_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_restart_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_rename_container() -> tuple[int, None]:
+    status_code = 204
+    return status_code, None
+
+
+def delete_fake_remove_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_image_create() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_IMAGE_ID}
+    return status_code, response
+
+
+def delete_fake_remove_image() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_IMAGE_ID}
+    return status_code, response
+
+
+def get_fake_get_image() -> tuple[int, str]:
+    status_code = 200
+    response = "Byte Stream...."
+    return status_code, response
+
+
+def post_fake_load_image() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_IMAGE_ID}
+    return status_code, response
+
+
+def post_fake_commit() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_push() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_IMAGE_ID}
+    return status_code, response
+
+
+def post_fake_build_container() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_CONTAINER_ID}
+    return status_code, response
+
+
+def post_fake_tag_image() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"Id": FAKE_IMAGE_ID}
+    return status_code, response
+
+
+def get_fake_stats() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = fake_stat.OBJ
+    return status_code, response
+
+
+def get_fake_top() -> tuple[int, dict[str, t.Any]]:
+    return 200, {
+        "Processes": [
+            [
+                "root",
+                "26501",
+                "6907",
+                "0",
+                "10:32",
+                "pts/55",
+                "00:00:00",
+                "sleep 60",
+            ],
+        ],
+        "Titles": [
+            "UID",
+            "PID",
+            "PPID",
+            "C",
+            "STIME",
+            "TTY",
+            "TIME",
+            "CMD",
+        ],
+    }
+
+
+def get_fake_volume_list() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "Volumes": [
+            {
+                "Name": "perfectcherryblossom",
+                "Driver": "local",
+                "Mountpoint": "/var/lib/docker/volumes/perfectcherryblossom",
+                "Scope": "local",
+            },
+            {
+                "Name": "subterraneananimism",
+                "Driver": "local",
+                "Mountpoint": "/var/lib/docker/volumes/subterraneananimism",
+                "Scope": "local",
+            },
+        ]
+    }
+    return status_code, response
+
+
+def get_fake_volume() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {
+        "Name": "perfectcherryblossom",
+        "Driver": "local",
+        "Mountpoint": "/var/lib/docker/volumes/perfectcherryblossom",
+        "Labels": {"com.example.some-label": "some-value"},
+        "Scope": "local",
+    }
+    return status_code, response
+
+
+def fake_remove_volume() -> tuple[int, None]:
+    return 204, None
+
+
+def post_fake_update_container() -> tuple[int, dict[str, t.Any]]:
+    return 200, {"Warnings": []}
+
+
+def post_fake_update_node() -> tuple[int, None]:
+    return 200, None
+
+
+def post_fake_join_swarm() -> tuple[int, None]:
+    return 200, None
+
+
+def get_fake_network_list() -> tuple[int, list[dict[str, t.Any]]]:
+    return 200, [
+        {
+            "Name": "bridge",
+            "Id": FAKE_NETWORK_ID,
+            "Scope": "local",
+            "Driver": "bridge",
+            "EnableIPv6": False,
+            "Internal": False,
+            "IPAM": {"Driver": "default", "Config": [{"Subnet": "172.17.0.0/16"}]},
+            "Containers": {
+                FAKE_CONTAINER_ID: {
+                    "EndpointID": "ed2419a97c1d99",
+                    "MacAddress": "02:42:ac:11:00:02",
+                    "IPv4Address": "172.17.0.2/16",
+                    "IPv6Address": "",
+                }
+            },
+            "Options": {
+                "com.docker.network.bridge.default_bridge": "true",
+                "com.docker.network.bridge.enable_icc": "true",
+                "com.docker.network.bridge.enable_ip_masquerade": "true",
+                "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+                "com.docker.network.bridge.name": "docker0",
+                "com.docker.network.driver.mtu": "1500",
+            },
+        }
+    ]
+
+
+def get_fake_network() -> tuple[int, dict[str, t.Any]]:
+    return 200, get_fake_network_list()[1][0]
+
+
+def post_fake_network() -> tuple[int, dict[str, t.Any]]:
+    return 201, {"Id": FAKE_NETWORK_ID, "Warnings": []}
+
+
+def delete_fake_network() -> tuple[int, None]:
+    return 204, None
+
+
+def post_fake_network_connect() -> tuple[int, None]:
+    return 200, None
+
+
+def post_fake_network_disconnect() -> tuple[int, None]:
+    return 200, None
+
+
+def post_fake_secret() -> tuple[int, dict[str, t.Any]]:
+    status_code = 200
+    response = {"ID": FAKE_SECRET_ID}
+    return status_code, response
+
+
+# Maps real api url to fake response callback
+prefix = "http+docker://localhost"  # pylint: disable=invalid-name
+if constants.IS_WINDOWS_PLATFORM:
+    prefix = "http+docker://localnpipe"  # pylint: disable=invalid-name
+
+fake_responses: dict[str | tuple[str, str], Callable] = {
+    f"{prefix}/version": get_fake_version,
+    f"{prefix}/{CURRENT_VERSION}/version": get_fake_version,
+    f"{prefix}/{CURRENT_VERSION}/info": get_fake_info,
+    f"{prefix}/{CURRENT_VERSION}/auth": post_fake_auth,
+    f"{prefix}/{CURRENT_VERSION}/_ping": get_fake_ping,
+    f"{prefix}/{CURRENT_VERSION}/images/search": get_fake_search,
+    f"{prefix}/{CURRENT_VERSION}/images/json": get_fake_images,
+    f"{prefix}/{CURRENT_VERSION}/images/test_image/history": get_fake_image_history,
+    f"{prefix}/{CURRENT_VERSION}/images/create": post_fake_import_image,
+    f"{prefix}/{CURRENT_VERSION}/containers/json": get_fake_containers,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/start": post_fake_start_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/resize": post_fake_resize_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/json": get_fake_inspect_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/rename": post_fake_rename_container,
+    f"{prefix}/{CURRENT_VERSION}/images/e9aa60c60128/tag": post_fake_tag_image,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/wait": get_fake_wait,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/logs": get_fake_logs,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/changes": get_fake_diff,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/export": get_fake_export,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/update": post_fake_update_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/exec": post_fake_exec_create,
+    f"{prefix}/{CURRENT_VERSION}/exec/d5d177f121dc/start": post_fake_exec_start,
+    f"{prefix}/{CURRENT_VERSION}/exec/d5d177f121dc/json": get_fake_exec_inspect,
+    f"{prefix}/{CURRENT_VERSION}/exec/d5d177f121dc/resize": post_fake_exec_resize,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/stats": get_fake_stats,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/top": get_fake_top,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/stop": post_fake_stop_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/kill": post_fake_kill_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/pause": post_fake_pause_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/unpause": post_fake_unpause_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b/restart": post_fake_restart_container,
+    f"{prefix}/{CURRENT_VERSION}/containers/3cc2351ab11b": delete_fake_remove_container,
+    # TODO: the following is a duplicate of the import endpoint further above!
+    f"{prefix}/{CURRENT_VERSION}/images/create": post_fake_image_create,  # noqa: F601
+    f"{prefix}/{CURRENT_VERSION}/images/e9aa60c60128": delete_fake_remove_image,
+    f"{prefix}/{CURRENT_VERSION}/images/e9aa60c60128/get": get_fake_get_image,
+    f"{prefix}/{CURRENT_VERSION}/images/load": post_fake_load_image,
+    f"{prefix}/{CURRENT_VERSION}/images/test_image/json": get_fake_inspect_image,
+    f"{prefix}/{CURRENT_VERSION}/images/test_image/insert": get_fake_insert_image,
+    f"{prefix}/{CURRENT_VERSION}/images/test_image/push": post_fake_push,
+    f"{prefix}/{CURRENT_VERSION}/commit": post_fake_commit,
+    f"{prefix}/{CURRENT_VERSION}/containers/create": post_fake_create_container,
+    f"{prefix}/{CURRENT_VERSION}/build": post_fake_build_container,
+    f"{prefix}/{CURRENT_VERSION}/events": get_fake_events,
+    (f"{prefix}/{CURRENT_VERSION}/volumes", "GET"): get_fake_volume_list,
+    (f"{prefix}/{CURRENT_VERSION}/volumes/create", "POST"): get_fake_volume,
+    (f"{prefix}/{CURRENT_VERSION}/volumes/{FAKE_VOLUME_NAME}", "GET"): get_fake_volume,
+    (
+        f"{prefix}/{CURRENT_VERSION}/volumes/{FAKE_VOLUME_NAME}",
+        "DELETE",
+    ): fake_remove_volume,
+    (
+        f"{prefix}/{CURRENT_VERSION}/nodes/{FAKE_NODE_ID}/update?version=1",
+        "POST",
+    ): post_fake_update_node,
+    (f"{prefix}/{CURRENT_VERSION}/swarm/join", "POST"): post_fake_join_swarm,
+    (f"{prefix}/{CURRENT_VERSION}/networks", "GET"): get_fake_network_list,
+    (f"{prefix}/{CURRENT_VERSION}/networks/create", "POST"): post_fake_network,
+    (f"{prefix}/{CURRENT_VERSION}/networks/{FAKE_NETWORK_ID}", "GET"): get_fake_network,
+    (
+        f"{prefix}/{CURRENT_VERSION}/networks/{FAKE_NETWORK_ID}",
+        "DELETE",
+    ): delete_fake_network,
+    (
+        f"{prefix}/{CURRENT_VERSION}/networks/{FAKE_NETWORK_ID}/connect",
+        "POST",
+    ): post_fake_network_connect,
+    (
+        f"{prefix}/{CURRENT_VERSION}/networks/{FAKE_NETWORK_ID}/disconnect",
+        "POST",
+    ): post_fake_network_disconnect,
+    f"{prefix}/{CURRENT_VERSION}/secrets/create": post_fake_secret,
+}
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_stat.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_stat.py
new file mode 100644
index 00000000..66ef0c64
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/fake_stat.py
@@ -0,0 +1,92 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+OBJ = {
+    "read": "2015-02-11T19:20:46.667237763+02:00",
+    "network": {
+        "rx_bytes": 567224,
+        "rx_packets": 3773,
+        "rx_errors": 0,
+        "rx_dropped": 0,
+        "tx_bytes": 1176,
+        "tx_packets": 13,
+        "tx_errors": 0,
+        "tx_dropped": 0,
+    },
+    "cpu_stats": {
+        "cpu_usage": {
+            "total_usage": 157260874053,
+            "percpu_usage": [52196306950, 24118413549, 53292684398, 27653469156],
+            "usage_in_kernelmode": 37140000000,
+            "usage_in_usermode": 62140000000,
+        },
+        "system_cpu_usage": 3.0881377e14,
+        "throttling_data": {"periods": 0, "throttled_periods": 0, "throttled_time": 0},
+    },
+    "memory_stats": {
+        "usage": 179314688,
+        "max_usage": 258166784,
+        "stats": {
+            "active_anon": 90804224,
+            "active_file": 2195456,
+            "cache": 3096576,
+            "hierarchical_memory_limit": 1.844674407371e19,
+            "inactive_anon": 85516288,
+            "inactive_file": 798720,
+            "mapped_file": 2646016,
+            "pgfault": 101034,
+            "pgmajfault": 1207,
+            "pgpgin": 115814,
+            "pgpgout": 75613,
+            "rss": 176218112,
+            "rss_huge": 12582912,
+            "total_active_anon": 90804224,
+            "total_active_file": 2195456,
+            "total_cache": 3096576,
+            "total_inactive_anon": 85516288,
+            "total_inactive_file": 798720,
+            "total_mapped_file": 2646016,
+            "total_pgfault": 101034,
+            "total_pgmajfault": 1207,
+            "total_pgpgin": 115814,
+            "total_pgpgout": 75613,
+            "total_rss": 176218112,
+            "total_rss_huge": 12582912,
+            "total_unevictable": 0,
+            "total_writeback": 0,
+            "unevictable": 0,
+            "writeback": 0,
+        },
+        "failcnt": 0,
+        "limit": 8039038976,
+    },
+    "blkio_stats": {
+        "io_service_bytes_recursive": [
+            {"major": 8, "minor": 0, "op": "Read", "value": 72843264},
+            {"major": 8, "minor": 0, "op": "Write", "value": 4096},
+            {"major": 8, "minor": 0, "op": "Sync", "value": 4096},
+            {"major": 8, "minor": 0, "op": "Async", "value": 72843264},
+            {"major": 8, "minor": 0, "op": "Total", "value": 72847360},
+        ],
+        "io_serviced_recursive": [
+            {"major": 8, "minor": 0, "op": "Read", "value": 10581},
+            {"major": 8, "minor": 0, "op": "Write", "value": 1},
+            {"major": 8, "minor": 0, "op": "Sync", "value": 1},
+            {"major": 8, "minor": 0, "op": "Async", "value": 10581},
+            {"major": 8, "minor": 0, "op": "Total", "value": 10582},
+        ],
+        "io_queue_recursive": [],
+        "io_service_time_recursive": [],
+        "io_wait_time_recursive": [],
+        "io_merged_recursive": [],
+        "io_time_recursive": [],
+        "sectors_recursive": [],
+    },
+}
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_auth.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_auth.py
new file mode 100644
index 00000000..3a9a873d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_auth.py
@@ -0,0 +1,800 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import os.path
+import random
+import shutil
+import tempfile
+import typing as t
+import unittest
+from unittest import mock
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api import auth, errors
+from ansible_collections.community.docker.plugins.module_utils._api.credentials.errors import (
+    CredentialsNotFound,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.credentials.store import (
+    Store,
+)
+
+
+class RegressionTest(unittest.TestCase):
+    def test_803_urlsafe_encode(self) -> None:
+        auth_data = {"username": "root", "password": "GR?XGR?XGR?XGR?X"}
+        encoded = auth.encode_header(auth_data)
+        assert b"/" not in encoded
+        assert b"_" in encoded
+
+
+class ResolveRepositoryNameTest(unittest.TestCase):
+    def test_resolve_repository_name_hub_library_image(self) -> None:
+        assert auth.resolve_repository_name("image") == ("docker.io", "image")
+
+    def test_resolve_repository_name_dotted_hub_library_image(self) -> None:
+        assert auth.resolve_repository_name("image.valid") == (
+            "docker.io",
+            "image.valid",
+        )
+
+    def test_resolve_repository_name_hub_image(self) -> None:
+        assert auth.resolve_repository_name("username/image") == (
+            "docker.io",
+            "username/image",
+        )
+
+    def test_explicit_hub_index_library_image(self) -> None:
+        assert auth.resolve_repository_name("docker.io/image") == ("docker.io", "image")
+
+    def test_explicit_legacy_hub_index_library_image(self) -> None:
+        assert auth.resolve_repository_name("index.docker.io/image") == (
+            "docker.io",
+            "image",
+        )
+
+    def test_resolve_repository_name_private_registry(self) -> None:
+        assert auth.resolve_repository_name("my.registry.net/image") == (
+            "my.registry.net",
+            "image",
+        )
+
+    def test_resolve_repository_name_private_registry_with_port(self) -> None:
+        assert auth.resolve_repository_name("my.registry.net:5000/image") == (
+            "my.registry.net:5000",
+            "image",
+        )
+
+    def test_resolve_repository_name_private_registry_with_username(self) -> None:
+        assert auth.resolve_repository_name("my.registry.net/username/image") == (
+            "my.registry.net",
+            "username/image",
+        )
+
+    def test_resolve_repository_name_no_dots_but_port(self) -> None:
+        assert auth.resolve_repository_name("hostname:5000/image") == (
+            "hostname:5000",
+            "image",
+        )
+
+    def test_resolve_repository_name_no_dots_but_port_and_username(self) -> None:
+        assert auth.resolve_repository_name("hostname:5000/username/image") == (
+            "hostname:5000",
+            "username/image",
+        )
+
+    def test_resolve_repository_name_localhost(self) -> None:
+        assert auth.resolve_repository_name("localhost/image") == ("localhost", "image")
+
+    def test_resolve_repository_name_localhost_with_username(self) -> None:
+        assert auth.resolve_repository_name("localhost/username/image") == (
+            "localhost",
+            "username/image",
+        )
+
+    def test_invalid_index_name(self) -> None:
+        with pytest.raises(errors.InvalidRepository):
+            auth.resolve_repository_name("-gecko.com/image")
+
+
+def encode_auth(auth_info: dict[str, t.Any]) -> bytes:
+    return base64.b64encode(
+        auth_info.get("username", "").encode("utf-8")
+        + b":"
+        + auth_info.get("password", "").encode("utf-8")
+    )
+
+
+class ResolveAuthTest(unittest.TestCase):
+    index_config = {"auth": encode_auth({"username": "indexuser"})}
+    private_config = {"auth": encode_auth({"username": "privateuser"})}
+    legacy_config = {"auth": encode_auth({"username": "legacyauth"})}
+
+    auth_config = auth.AuthConfig(
+        {
+            "auths": auth.parse_auth(
+                {
+                    "https://index.docker.io/v1/": index_config,
+                    "my.registry.net": private_config,
+                    "http://legacy.registry.url/v1/": legacy_config,
+                }
+            )
+        }
+    )
+
+    def test_resolve_authconfig_hostname_only(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "my.registry.net")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_no_protocol(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "my.registry.net/v1/")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_no_path(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "http://my.registry.net")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_no_path_trailing_slash(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "http://my.registry.net/")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_no_path_wrong_secure_proto(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "https://my.registry.net")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_no_path_wrong_insecure_proto(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "http://index.docker.io")
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_authconfig_path_wrong_proto(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "https://my.registry.net/v1/")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_default_registry(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config)
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_authconfig_default_explicit_none(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, None)
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_authconfig_fully_explicit(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "http://my.registry.net/v1/")
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_authconfig_legacy_config(self) -> None:
+        ac = auth.resolve_authconfig(self.auth_config, "legacy.registry.url")
+        assert ac is not None
+        assert ac["username"] == "legacyauth"
+
+    def test_resolve_authconfig_no_match(self) -> None:
+        assert auth.resolve_authconfig(self.auth_config, "does.not.exist") is None
+
+    def test_resolve_registry_and_auth_library_image(self) -> None:
+        image = "image"
+        ac = auth.resolve_authconfig(
+            self.auth_config, auth.resolve_repository_name(image)[0]
+        )
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_registry_and_auth_hub_image(self) -> None:
+        image = "username/image"
+        ac = auth.resolve_authconfig(
+            self.auth_config, auth.resolve_repository_name(image)[0]
+        )
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_registry_and_auth_explicit_hub(self) -> None:
+        image = "docker.io/username/image"
+        ac = auth.resolve_authconfig(
+            self.auth_config, auth.resolve_repository_name(image)[0]
+        )
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_registry_and_auth_explicit_legacy_hub(self) -> None:
+        image = "index.docker.io/username/image"
+        ac = auth.resolve_authconfig(
+            self.auth_config, auth.resolve_repository_name(image)[0]
+        )
+        assert ac is not None
+        assert ac["username"] == "indexuser"
+
+    def test_resolve_registry_and_auth_private_registry(self) -> None:
+        image = "my.registry.net/image"
+        ac = auth.resolve_authconfig(
+            self.auth_config, auth.resolve_repository_name(image)[0]
+        )
+        assert ac is not None
+        assert ac["username"] == "privateuser"
+
+    def test_resolve_registry_and_auth_unauthenticated_registry(self) -> None:
+        image = "other.registry.net/image"
+        assert (
+            auth.resolve_authconfig(
+                self.auth_config, auth.resolve_repository_name(image)[0]
+            )
+            is None
+        )
+
+    def test_resolve_auth_with_empty_credstore_and_auth_dict(self) -> None:
+        auth_config = auth.AuthConfig(
+            {
+                "auths": auth.parse_auth(
+                    {
+                        "https://index.docker.io/v1/": self.index_config,
+                    }
+                ),
+                "credsStore": "blackbox",
+            }
+        )
+        with mock.patch(
+            "ansible_collections.community.docker.plugins.module_utils._api.auth.AuthConfig._resolve_authconfig_credstore"
+        ) as m:
+            m.return_value = None
+            ac = auth.resolve_authconfig(auth_config, None)
+            assert ac is not None
+            assert ac["username"] == "indexuser"
+
+
+class LoadConfigTest(unittest.TestCase):
+    def test_load_config_no_file(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        cfg = auth.load_config(folder)
+        assert cfg is not None
+
+    def test_load_legacy_config(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        cfg_path = os.path.join(folder, ".dockercfg")
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        with open(cfg_path, "wt", encoding="utf-8") as f:
+            f.write(f"auth = {auth_}\n")
+            f.write("email = sakuya@scarlet.net")
+
+        cfg = auth.load_config(cfg_path)
+        assert auth.resolve_authconfig(cfg) is not None
+        assert cfg.auths[auth.INDEX_NAME] is not None
+        cfg2 = cfg.auths[auth.INDEX_NAME]
+        assert cfg2["username"] == "sakuya"
+        assert cfg2["password"] == "izayoi"
+        assert cfg2["email"] == "sakuya@scarlet.net"
+        assert cfg2.get("Auth") is None
+
+    def test_load_json_config(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        cfg_path = os.path.join(folder, ".dockercfg")
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        email = "sakuya@scarlet.net"
+        with open(cfg_path, "wt", encoding="utf-8") as f:
+            json.dump({auth.INDEX_URL: {"auth": auth_, "email": email}}, f)
+        cfg = auth.load_config(cfg_path)
+        assert auth.resolve_authconfig(cfg) is not None
+        assert cfg.auths[auth.INDEX_URL] is not None
+        cfg2 = cfg.auths[auth.INDEX_URL]
+        assert cfg2["username"] == "sakuya"
+        assert cfg2["password"] == "izayoi"
+        assert cfg2["email"] == email
+        assert cfg2.get("Auth") is None
+
+    def test_load_modern_json_config(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        cfg_path = os.path.join(folder, "config.json")
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        email = "sakuya@scarlet.net"
+        with open(cfg_path, "wt", encoding="utf-8") as f:
+            json.dump({"auths": {auth.INDEX_URL: {"auth": auth_, "email": email}}}, f)
+        cfg = auth.load_config(cfg_path)
+        assert auth.resolve_authconfig(cfg) is not None
+        assert cfg.auths[auth.INDEX_URL] is not None
+        cfg2 = cfg.auths[auth.INDEX_URL]
+        assert cfg2["username"] == "sakuya"
+        assert cfg2["password"] == "izayoi"
+        assert cfg2["email"] == email
+
+    def test_load_config_with_random_name(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+
+        dockercfg_path = os.path.join(folder, f".{random.randrange(100000)}.dockercfg")
+        registry = "https://your.private.registry.io"
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        config = {registry: {"auth": f"{auth_}", "email": "sakuya@scarlet.net"}}
+
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        cfg = auth.load_config(dockercfg_path).auths
+        assert registry in cfg
+        assert cfg[registry] is not None
+        cfg2 = cfg[registry]
+        assert cfg2["username"] == "sakuya"
+        assert cfg2["password"] == "izayoi"
+        assert cfg2["email"] == "sakuya@scarlet.net"
+        assert cfg2.get("auth") is None
+
+    def test_load_config_custom_config_env(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+
+        dockercfg_path = os.path.join(folder, "config.json")
+        registry = "https://your.private.registry.io"
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        config = {registry: {"auth": f"{auth_}", "email": "sakuya@scarlet.net"}}
+
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        with mock.patch.dict(os.environ, {"DOCKER_CONFIG": folder}):
+            cfg = auth.load_config(None).auths
+            assert registry in cfg
+            assert cfg[registry] is not None
+            cfg2 = cfg[registry]
+            assert cfg2["username"] == "sakuya"
+            assert cfg2["password"] == "izayoi"
+            assert cfg2["email"] == "sakuya@scarlet.net"
+            assert cfg2.get("auth") is None
+
+    def test_load_config_custom_config_env_with_auths(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+
+        dockercfg_path = os.path.join(folder, "config.json")
+        registry = "https://your.private.registry.io"
+        auth_ = base64.b64encode(b"sakuya:izayoi").decode("ascii")
+        config = {
+            "auths": {registry: {"auth": f"{auth_}", "email": "sakuya@scarlet.net"}}
+        }
+
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        with mock.patch.dict(os.environ, {"DOCKER_CONFIG": folder}):
+            cfg = auth.load_config(None)
+            assert registry in cfg.auths
+            cfg2 = cfg.auths[registry]
+            assert cfg2["username"] == "sakuya"
+            assert cfg2["password"] == "izayoi"
+            assert cfg2["email"] == "sakuya@scarlet.net"
+            assert cfg2.get("auth") is None
+
+    def test_load_config_custom_config_env_utf8(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+
+        dockercfg_path = os.path.join(folder, "config.json")
+        registry = "https://your.private.registry.io"
+        auth_ = base64.b64encode(b"sakuya\xc3\xa6:izayoi\xc3\xa6").decode("ascii")
+        config = {
+            "auths": {registry: {"auth": f"{auth_}", "email": "sakuya@scarlet.net"}}
+        }
+
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        with mock.patch.dict(os.environ, {"DOCKER_CONFIG": folder}):
+            cfg = auth.load_config(None)
+            assert registry in cfg.auths
+            cfg2 = cfg.auths[registry]
+            assert cfg2["username"] == b"sakuya\xc3\xa6".decode("utf8")
+            assert cfg2["password"] == b"izayoi\xc3\xa6".decode("utf8")
+            assert cfg2["email"] == "sakuya@scarlet.net"
+            assert cfg2.get("auth") is None
+
+    def test_load_config_unknown_keys(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        dockercfg_path = os.path.join(folder, "config.json")
+        config = {"detachKeys": "ctrl-q, ctrl-u, ctrl-i"}
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        cfg = auth.load_config(dockercfg_path)
+        assert dict(cfg) == {"auths": {}}
+
+    def test_load_config_invalid_auth_dict(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        dockercfg_path = os.path.join(folder, "config.json")
+        config = {"auths": {"scarlet.net": {"sakuya": "izayoi"}}}
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        cfg = auth.load_config(dockercfg_path)
+        assert dict(cfg) == {"auths": {"scarlet.net": {}}}
+
+    def test_load_config_identity_token(self) -> None:
+        folder = tempfile.mkdtemp()
+        registry = "scarlet.net"
+        token = "1ce1cebb-503e-7043-11aa-7feb8bd4a1ce"
+        self.addCleanup(shutil.rmtree, folder)
+        dockercfg_path = os.path.join(folder, "config.json")
+        auth_entry = encode_auth({"username": "sakuya"}).decode("ascii")
+        config = {"auths": {registry: {"auth": auth_entry, "identitytoken": token}}}
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config, f)
+
+        cfg = auth.load_config(dockercfg_path)
+        assert registry in cfg.auths
+        cfg2 = cfg.auths[registry]
+        assert "IdentityToken" in cfg2
+        assert cfg2["IdentityToken"] == token
+
+
+class CredstoreTest(unittest.TestCase):
+    def setUp(self) -> None:
+        self.authconfig = auth.AuthConfig({"credsStore": "default"})
+        self.default_store = InMemoryStore("default")
+        self.authconfig._stores["default"] = self.default_store
+        self.default_store.store(
+            "https://gensokyo.jp/v2",
+            "sakuya",
+            "izayoi",
+        )
+        self.default_store.store(
+            "https://default.com/v2",
+            "user",
+            "hunter2",
+        )
+
+    def test_get_credential_store(self) -> None:
+        auth_config = auth.AuthConfig(
+            {
+                "credHelpers": {
+                    "registry1.io": "truesecret",
+                    "registry2.io": "powerlock",
+                },
+                "credsStore": "blackbox",
+            }
+        )
+
+        assert auth_config.get_credential_store("registry1.io") == "truesecret"
+        assert auth_config.get_credential_store("registry2.io") == "powerlock"
+        assert auth_config.get_credential_store("registry3.io") == "blackbox"
+
+    def test_get_credential_store_no_default(self) -> None:
+        auth_config = auth.AuthConfig(
+            {
+                "credHelpers": {
+                    "registry1.io": "truesecret",
+                    "registry2.io": "powerlock",
+                },
+            }
+        )
+        assert auth_config.get_credential_store("registry2.io") == "powerlock"
+        assert auth_config.get_credential_store("registry3.io") is None
+
+    def test_get_credential_store_default_index(self) -> None:
+        auth_config = auth.AuthConfig(
+            {
+                "credHelpers": {"https://index.docker.io/v1/": "powerlock"},
+                "credsStore": "truesecret",
+            }
+        )
+
+        assert auth_config.get_credential_store(None) == "powerlock"
+        assert auth_config.get_credential_store("docker.io") == "powerlock"
+        assert auth_config.get_credential_store("images.io") == "truesecret"
+
+    def test_get_credential_store_with_plain_dict(self) -> None:
+        auth_config = {
+            "credHelpers": {"registry1.io": "truesecret", "registry2.io": "powerlock"},
+            "credsStore": "blackbox",
+        }
+
+        assert auth.get_credential_store(auth_config, "registry1.io") == "truesecret"
+        assert auth.get_credential_store(auth_config, "registry2.io") == "powerlock"
+        assert auth.get_credential_store(auth_config, "registry3.io") == "blackbox"
+
+    def test_get_all_credentials_credstore_only(self) -> None:
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+        }
+
+    def test_get_all_credentials_with_empty_credhelper(self) -> None:
+        self.authconfig["credHelpers"] = {
+            "registry1.io": "truesecret",
+        }
+        self.authconfig._stores["truesecret"] = InMemoryStore()
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "registry1.io": None,
+        }
+
+    def test_get_all_credentials_with_credhelpers_only(self) -> None:
+        del self.authconfig["credsStore"]
+        assert self.authconfig.get_all_credentials() == {}
+
+        self.authconfig["credHelpers"] = {
+            "https://gensokyo.jp/v2": "default",
+            "https://default.com/v2": "default",
+        }
+
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+        }
+
+    def test_get_all_credentials_with_auths_entries(self) -> None:
+        self.authconfig.add_auth(
+            "registry1.io",
+            {
+                "ServerAddress": "registry1.io",
+                "Username": "reimu",
+                "Password": "hakurei",
+            },
+        )
+
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "registry1.io": {
+                "ServerAddress": "registry1.io",
+                "Username": "reimu",
+                "Password": "hakurei",
+            },
+        }
+
+    def test_get_all_credentials_with_empty_auths_entry(self) -> None:
+        self.authconfig.add_auth("default.com", {})
+
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+        }
+
+    def test_get_all_credentials_credstore_overrides_auth_entry(self) -> None:
+        self.authconfig.add_auth(
+            "default.com",
+            {
+                "Username": "shouldnotsee",
+                "Password": "thisentry",
+                "ServerAddress": "https://default.com/v2",
+            },
+        )
+
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+        }
+
+    def test_get_all_credentials_helpers_override_default(self) -> None:
+        self.authconfig["credHelpers"] = {
+            "https://default.com/v2": "truesecret",
+        }
+        truesecret = InMemoryStore("truesecret")
+        truesecret.store("https://default.com/v2", "reimu", "hakurei")
+        self.authconfig._stores["truesecret"] = truesecret
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "reimu",
+                "Password": "hakurei",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "reimu",
+                "Password": "hakurei",
+                "ServerAddress": "https://default.com/v2",
+            },
+        }
+
+    def test_get_all_credentials_3_sources(self) -> None:
+        self.authconfig["credHelpers"] = {
+            "registry1.io": "truesecret",
+        }
+        truesecret = InMemoryStore("truesecret")
+        truesecret.store("registry1.io", "reimu", "hakurei")
+        self.authconfig._stores["truesecret"] = truesecret
+        self.authconfig.add_auth(
+            "registry2.io",
+            {
+                "ServerAddress": "registry2.io",
+                "Username": "reimu",
+                "Password": "hakurei",
+            },
+        )
+
+        assert self.authconfig.get_all_credentials() == {
+            "https://gensokyo.jp/v2": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "gensokyo.jp": {
+                "Username": "sakuya",
+                "Password": "izayoi",
+                "ServerAddress": "https://gensokyo.jp/v2",
+            },
+            "https://default.com/v2": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "default.com": {
+                "Username": "user",
+                "Password": "hunter2",
+                "ServerAddress": "https://default.com/v2",
+            },
+            "registry1.io": {
+                "ServerAddress": "registry1.io",
+                "Username": "reimu",
+                "Password": "hakurei",
+            },
+            "registry2.io": {
+                "ServerAddress": "registry2.io",
+                "Username": "reimu",
+                "Password": "hakurei",
+            },
+        }
+
+
+class InMemoryStore(Store):
+    def __init__(  # pylint: disable=super-init-not-called
+        self, *args: t.Any, **kwargs: t.Any
+    ) -> None:
+        self.__store: dict[str | bytes, dict[str, t.Any]] = {}
+
+    def get(self, server: str | bytes) -> dict[str, t.Any]:
+        try:
+            return self.__store[server]
+        except KeyError:
+            raise CredentialsNotFound() from None
+
+    def store(self, server: str, username: str, secret: str) -> bytes:
+        self.__store[server] = {
+            "ServerURL": server,
+            "Username": username,
+            "Secret": secret,
+        }
+        return b""
+
+    def list(self) -> dict[str | bytes, str]:
+        return dict((k, v["Username"]) for k, v in self.__store.items())
+
+    def erase(self, server: str | bytes) -> None:
+        del self.__store[server]
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_context.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_context.py
new file mode 100644
index 00000000..56262236
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_context.py
@@ -0,0 +1,68 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2025 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api import errors
+from ansible_collections.community.docker.plugins.module_utils._api.constants import (
+    DEFAULT_NPIPE,
+    DEFAULT_UNIX_SOCKET,
+    IS_WINDOWS_PLATFORM,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.context.api import (
+    ContextAPI,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.context.context import (
+    Context,
+)
+
+
+class BaseContextTest(unittest.TestCase):
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="Linux specific path check")
+    def test_url_compatibility_on_linux(self) -> None:
+        c = Context("test")
+        assert c.Host == DEFAULT_UNIX_SOCKET[5:]
+
+    @pytest.mark.skipif(not IS_WINDOWS_PLATFORM, reason="Windows specific path check")
+    def test_url_compatibility_on_windows(self) -> None:
+        c = Context("test")
+        assert c.Host == DEFAULT_NPIPE
+
+    def test_fail_on_default_context_create(self) -> None:
+        with pytest.raises(errors.ContextException):
+            ContextAPI.create_context("default")
+
+    def test_default_in_context_list(self) -> None:
+        found = False
+        ctx = ContextAPI.contexts()
+        for c in ctx:
+            if c.Name == "default":
+                found = True
+        assert found is True
+
+    def test_get_current_context(self) -> None:
+        context = ContextAPI.get_current_context()
+        assert context is not None
+        assert context.Name == "default"
+
+    def test_https_host(self) -> None:
+        c = Context("test", host="tcp://testdomain:8080", tls=True)
+        assert c.Host == "https://testdomain:8080"
+
+    def test_context_inspect_without_params(self) -> None:
+        ctx = ContextAPI.inspect_context()
+        assert ctx["Name"] == "default"
+        assert ctx["Metadata"]["StackOrchestrator"] == "swarm"
+        assert ctx["Endpoints"]["docker"]["Host"] in (
+            DEFAULT_NPIPE,
+            DEFAULT_UNIX_SOCKET[5:],
+        )
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_errors.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_errors.py
new file mode 100644
index 00000000..0b16a700
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/test_errors.py
@@ -0,0 +1,135 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+
+import requests
+
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    APIError,
+    DockerException,
+    create_api_error_from_http_exception,
+    create_unexpected_kwargs_error,
+)
+
+
+class APIErrorTest(unittest.TestCase):
+    def test_api_error_is_caught_by_dockerexception(self) -> None:
+        try:
+            raise APIError("this should be caught by DockerException")
+        except DockerException:
+            pass
+
+    def test_status_code_200(self) -> None:
+        """The status_code property is present with 200 response."""
+        resp = requests.Response()
+        resp.status_code = 200
+        err = APIError("", response=resp)
+        assert err.status_code == 200
+
+    def test_status_code_400(self) -> None:
+        """The status_code property is present with 400 response."""
+        resp = requests.Response()
+        resp.status_code = 400
+        err = APIError("", response=resp)
+        assert err.status_code == 400
+
+    def test_status_code_500(self) -> None:
+        """The status_code property is present with 500 response."""
+        resp = requests.Response()
+        resp.status_code = 500
+        err = APIError("", response=resp)
+        assert err.status_code == 500
+
+    def test_is_server_error_200(self) -> None:
+        """Report not server error on 200 response."""
+        resp = requests.Response()
+        resp.status_code = 200
+        err = APIError("", response=resp)
+        assert err.is_server_error() is False
+
+    def test_is_server_error_300(self) -> None:
+        """Report not server error on 300 response."""
+        resp = requests.Response()
+        resp.status_code = 300
+        err = APIError("", response=resp)
+        assert err.is_server_error() is False
+
+    def test_is_server_error_400(self) -> None:
+        """Report not server error on 400 response."""
+        resp = requests.Response()
+        resp.status_code = 400
+        err = APIError("", response=resp)
+        assert err.is_server_error() is False
+
+    def test_is_server_error_500(self) -> None:
+        """Report server error on 500 response."""
+        resp = requests.Response()
+        resp.status_code = 500
+        err = APIError("", response=resp)
+        assert err.is_server_error() is True
+
+    def test_is_client_error_500(self) -> None:
+        """Report not client error on 500 response."""
+        resp = requests.Response()
+        resp.status_code = 500
+        err = APIError("", response=resp)
+        assert err.is_client_error() is False
+
+    def test_is_client_error_400(self) -> None:
+        """Report client error on 400 response."""
+        resp = requests.Response()
+        resp.status_code = 400
+        err = APIError("", response=resp)
+        assert err.is_client_error() is True
+
+    def test_is_error_300(self) -> None:
+        """Report no error on 300 response."""
+        resp = requests.Response()
+        resp.status_code = 300
+        err = APIError("", response=resp)
+        assert err.is_error() is False
+
+    def test_is_error_400(self) -> None:
+        """Report error on 400 response."""
+        resp = requests.Response()
+        resp.status_code = 400
+        err = APIError("", response=resp)
+        assert err.is_error() is True
+
+    def test_is_error_500(self) -> None:
+        """Report error on 500 response."""
+        resp = requests.Response()
+        resp.status_code = 500
+        err = APIError("", response=resp)
+        assert err.is_error() is True
+
+    def test_create_error_from_exception(self) -> None:
+        resp = requests.Response()
+        resp.status_code = 500
+        err = APIError("")
+        try:
+            resp.raise_for_status()
+        except requests.exceptions.HTTPError as e:
+            try:
+                create_api_error_from_http_exception(e)
+            except APIError as e2:
+                err = e2
+        assert err.is_server_error() is True
+
+
+class CreateUnexpectedKwargsErrorTest(unittest.TestCase):
+    def test_create_unexpected_kwargs_error_single(self) -> None:
+        e = create_unexpected_kwargs_error("f", {"foo": "bar"})
+        assert str(e) == "f() got an unexpected keyword argument 'foo'"
+
+    def test_create_unexpected_kwargs_error_multiple(self) -> None:
+        e = create_unexpected_kwargs_error("f", {"foo": "bar", "baz": "bosh"})
+        assert str(e) == "f() got unexpected keyword arguments 'baz', 'foo'"
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_sshconn.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_sshconn.py
new file mode 100644
index 00000000..ce97478f
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_sshconn.py
@@ -0,0 +1,51 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+
+from ansible_collections.community.docker.plugins.module_utils._api.transport.sshconn import (
+    SSHHTTPAdapter,
+    SSHSocket,
+)
+
+
+class SSHAdapterTest(unittest.TestCase):
+    @staticmethod
+    def test_ssh_hostname_prefix_trim() -> None:
+        conn = SSHHTTPAdapter(base_url="ssh://user@hostname:1234", shell_out=True)
+        assert conn.ssh_host == "user@hostname:1234"
+
+    @staticmethod
+    def test_ssh_parse_url() -> None:
+        c = SSHSocket(host="user@hostname:1234")
+        assert c.host == "hostname"
+        assert c.port == "1234"
+        assert c.user == "user"
+
+    @staticmethod
+    def test_ssh_parse_hostname_only() -> None:
+        c = SSHSocket(host="hostname")
+        assert c.host == "hostname"
+        assert c.port is None
+        assert c.user is None
+
+    @staticmethod
+    def test_ssh_parse_user_and_hostname() -> None:
+        c = SSHSocket(host="user@hostname")
+        assert c.host == "hostname"
+        assert c.port is None
+        assert c.user == "user"
+
+    @staticmethod
+    def test_ssh_parse_hostname_and_port() -> None:
+        c = SSHSocket(host="hostname:22")
+        assert c.host == "hostname"
+        assert c.port == "22"
+        assert c.user is None
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_ssladapter.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_ssladapter.py
new file mode 100644
index 00000000..d40d0f78
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/transport/test_ssladapter.py
@@ -0,0 +1,85 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api.transport import (
+    ssladapter,
+)
+
+try:
+    from ssl import CertificateError, match_hostname  # type: ignore
+except ImportError:
+    HAS_MATCH_HOSTNAME = False  # pylint: disable=invalid-name
+else:
+    HAS_MATCH_HOSTNAME = True  # pylint: disable=invalid-name
+
+
+class SSLAdapterTest(unittest.TestCase):
+    def test_only_uses_tls(self) -> None:
+        ssl_context = ssladapter.urllib3.util.ssl_.create_urllib3_context()
+
+        assert ssl_context.options & OP_NO_SSLv3
+        # if OpenSSL is compiled without SSL2 support, OP_NO_SSLv2 will be 0
+        assert not bool(OP_NO_SSLv2) or ssl_context.options & OP_NO_SSLv2
+        assert not ssl_context.options & OP_NO_TLSv1
+
+
+@pytest.mark.skipif(not HAS_MATCH_HOSTNAME, reason="match_hostname is not available")
+class MatchHostnameTest(unittest.TestCase):
+    cert = {
+        "issuer": (
+            (("countryName", "US"),),
+            (("stateOrProvinceName", "California"),),
+            (("localityName", "San Francisco"),),
+            (("organizationName", "Docker Inc"),),
+            (("organizationalUnitName", "Docker-Python"),),
+            (("commonName", "localhost"),),
+            (("emailAddress", "info@docker.com"),),
+        ),
+        "notAfter": "Mar 25 23:08:23 2030 GMT",
+        "notBefore": "Mar 25 23:08:23 2016 GMT",
+        "serialNumber": "BD5F894C839C548F",
+        "subject": (
+            (("countryName", "US"),),
+            (("stateOrProvinceName", "California"),),
+            (("localityName", "San Francisco"),),
+            (("organizationName", "Docker Inc"),),
+            (("organizationalUnitName", "Docker-Python"),),
+            (("commonName", "localhost"),),
+            (("emailAddress", "info@docker.com"),),
+        ),
+        "subjectAltName": (
+            ("DNS", "localhost"),
+            ("DNS", "*.gensokyo.jp"),
+            ("IP Address", "127.0.0.1"),
+        ),
+        "version": 3,
+    }
+
+    def test_match_ip_address_success(self) -> None:
+        assert match_hostname(self.cert, "127.0.0.1") is None
+
+    def test_match_localhost_success(self) -> None:
+        assert match_hostname(self.cert, "localhost") is None
+
+    def test_match_dns_success(self) -> None:
+        assert match_hostname(self.cert, "touhou.gensokyo.jp") is None
+
+    def test_match_ip_address_failure(self) -> None:
+        with pytest.raises(CertificateError):
+            match_hostname(self.cert, "192.168.0.25")
+
+    def test_match_dns_failure(self) -> None:
+        with pytest.raises(CertificateError):
+            match_hostname(self.cert, "foobar.co.uk")
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_build.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_build.py
new file mode 100644
index 00000000..6dad47ee
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_build.py
@@ -0,0 +1,520 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import os
+import os.path
+import shutil
+import socket
+import tarfile
+import tempfile
+import typing as t
+import unittest
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api.constants import (
+    IS_WINDOWS_PLATFORM,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.build import (
+    exclude_paths,
+    tar,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Collection
+
+
+def make_tree(dirs: list[str], files: list[str]) -> str:
+    base = tempfile.mkdtemp()
+
+    for path in dirs:
+        os.makedirs(os.path.join(base, path))
+
+    for path in files:
+        with open(os.path.join(base, path), "wt", encoding="utf-8") as f:
+            f.write("content")
+
+    return base
+
+
+def convert_paths(collection: Collection[str]) -> set[str]:
+    return set(map(convert_path, collection))
+
+
+def convert_path(path: str) -> str:
+    return path.replace("/", os.path.sep)
+
+
+class ExcludePathsTest(unittest.TestCase):
+    dirs = [
+        "foo",
+        "foo/bar",
+        "bar",
+        "target",
+        "target/subdir",
+        "subdir",
+        "subdir/target",
+        "subdir/target/subdir",
+        "subdir/subdir2",
+        "subdir/subdir2/target",
+        "subdir/subdir2/target/subdir",
+    ]
+
+    files = [
+        "Dockerfile",
+        "Dockerfile.alt",
+        ".dockerignore",
+        "a.py",
+        "a.go",
+        "b.py",
+        "cde.py",
+        "foo/a.py",
+        "foo/b.py",
+        "foo/bar/a.py",
+        "bar/a.py",
+        "foo/Dockerfile3",
+        "target/file.txt",
+        "target/subdir/file.txt",
+        "subdir/file.txt",
+        "subdir/target/file.txt",
+        "subdir/target/subdir/file.txt",
+        "subdir/subdir2/file.txt",
+        "subdir/subdir2/target/file.txt",
+        "subdir/subdir2/target/subdir/file.txt",
+    ]
+
+    all_paths = set(dirs + files)
+
+    def setUp(self) -> None:
+        self.base = make_tree(self.dirs, self.files)
+
+    def tearDown(self) -> None:
+        shutil.rmtree(self.base)
+
+    def exclude(self, patterns: list[str], dockerfile: str | None = None) -> set[str]:
+        return set(exclude_paths(self.base, patterns, dockerfile=dockerfile))
+
+    def test_no_excludes(self) -> None:
+        assert self.exclude([""]) == convert_paths(self.all_paths)
+
+    def test_no_dupes(self) -> None:
+        paths = exclude_paths(self.base, ["!a.py"])
+        assert sorted(paths) == sorted(set(paths))
+
+    def test_wildcard_exclude(self) -> None:
+        assert self.exclude(["*"]) == set(["Dockerfile", ".dockerignore"])
+
+    def test_exclude_dockerfile_dockerignore(self) -> None:
+        """
+        Even if the .dockerignore file explicitly says to exclude
+        Dockerfile and/or .dockerignore, don't exclude them from
+        the actual tar file.
+        """
+        assert self.exclude(["Dockerfile", ".dockerignore"]) == convert_paths(
+            self.all_paths
+        )
+
+    def test_exclude_custom_dockerfile(self) -> None:
+        """
+        If we're using a custom Dockerfile, make sure that's not
+        excluded.
+        """
+        assert self.exclude(["*"], dockerfile="Dockerfile.alt") == set(
+            ["Dockerfile.alt", ".dockerignore"]
+        )
+
+        assert self.exclude(["*"], dockerfile="foo/Dockerfile3") == convert_paths(
+            set(["foo/Dockerfile3", ".dockerignore"])
+        )
+
+        # https://github.com/docker/docker-py/issues/1956
+        assert self.exclude(["*"], dockerfile="./foo/Dockerfile3") == convert_paths(
+            set(["foo/Dockerfile3", ".dockerignore"])
+        )
+
+    def test_exclude_dockerfile_child(self) -> None:
+        includes = self.exclude(["foo/"], dockerfile="foo/Dockerfile3")
+        assert convert_path("foo/Dockerfile3") in includes
+        assert convert_path("foo/a.py") not in includes
+
+    def test_single_filename(self) -> None:
+        assert self.exclude(["a.py"]) == convert_paths(self.all_paths - set(["a.py"]))
+
+    def test_single_filename_leading_dot_slash(self) -> None:
+        assert self.exclude(["./a.py"]) == convert_paths(self.all_paths - set(["a.py"]))
+
+    # As odd as it sounds, a filename pattern with a trailing slash on the
+    # end *will* result in that file being excluded.
+    def test_single_filename_trailing_slash(self) -> None:
+        assert self.exclude(["a.py/"]) == convert_paths(self.all_paths - set(["a.py"]))
+
+    def test_wildcard_filename_start(self) -> None:
+        assert self.exclude(["*.py"]) == convert_paths(
+            self.all_paths - set(["a.py", "b.py", "cde.py"])
+        )
+
+    def test_wildcard_with_exception(self) -> None:
+        assert self.exclude(["*.py", "!b.py"]) == convert_paths(
+            self.all_paths - set(["a.py", "cde.py"])
+        )
+
+    def test_wildcard_with_wildcard_exception(self) -> None:
+        assert self.exclude(["*.*", "!*.go"]) == convert_paths(
+            self.all_paths
+            - set(
+                [
+                    "a.py",
+                    "b.py",
+                    "cde.py",
+                    "Dockerfile.alt",
+                ]
+            )
+        )
+
+    def test_wildcard_filename_end(self) -> None:
+        assert self.exclude(["a.*"]) == convert_paths(
+            self.all_paths - set(["a.py", "a.go"])
+        )
+
+    def test_question_mark(self) -> None:
+        assert self.exclude(["?.py"]) == convert_paths(
+            self.all_paths - set(["a.py", "b.py"])
+        )
+
+    def test_single_subdir_single_filename(self) -> None:
+        assert self.exclude(["foo/a.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py"])
+        )
+
+    def test_single_subdir_single_filename_leading_slash(self) -> None:
+        assert self.exclude(["/foo/a.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py"])
+        )
+
+    def test_exclude_include_absolute_path(self) -> None:
+        base = make_tree([], ["a.py", "b.py"])
+        assert exclude_paths(base, ["/*", "!/*.py"]) == set(["a.py", "b.py"])
+
+    def test_single_subdir_with_path_traversal(self) -> None:
+        assert self.exclude(["foo/whoops/../a.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py"])
+        )
+
+    def test_single_subdir_wildcard_filename(self) -> None:
+        assert self.exclude(["foo/*.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py", "foo/b.py"])
+        )
+
+    def test_wildcard_subdir_single_filename(self) -> None:
+        assert self.exclude(["*/a.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py", "bar/a.py"])
+        )
+
+    def test_wildcard_subdir_wildcard_filename(self) -> None:
+        assert self.exclude(["*/*.py"]) == convert_paths(
+            self.all_paths - set(["foo/a.py", "foo/b.py", "bar/a.py"])
+        )
+
+    def test_directory(self) -> None:
+        assert self.exclude(["foo"]) == convert_paths(
+            self.all_paths
+            - set(
+                [
+                    "foo",
+                    "foo/a.py",
+                    "foo/b.py",
+                    "foo/bar",
+                    "foo/bar/a.py",
+                    "foo/Dockerfile3",
+                ]
+            )
+        )
+
+    def test_directory_with_trailing_slash(self) -> None:
+        assert self.exclude(["foo"]) == convert_paths(
+            self.all_paths
+            - set(
+                [
+                    "foo",
+                    "foo/a.py",
+                    "foo/b.py",
+                    "foo/bar",
+                    "foo/bar/a.py",
+                    "foo/Dockerfile3",
+                ]
+            )
+        )
+
+    def test_directory_with_single_exception(self) -> None:
+        assert self.exclude(["foo", "!foo/bar/a.py"]) == convert_paths(
+            self.all_paths
+            - set(["foo/a.py", "foo/b.py", "foo", "foo/bar", "foo/Dockerfile3"])
+        )
+
+    def test_directory_with_subdir_exception(self) -> None:
+        assert self.exclude(["foo", "!foo/bar"]) == convert_paths(
+            self.all_paths - set(["foo/a.py", "foo/b.py", "foo", "foo/Dockerfile3"])
+        )
+
+    @pytest.mark.skipif(
+        not IS_WINDOWS_PLATFORM, reason="Backslash patterns only on Windows"
+    )
+    def test_directory_with_subdir_exception_win32_pathsep(self) -> None:
+        assert self.exclude(["foo", "!foo\\bar"]) == convert_paths(
+            self.all_paths - set(["foo/a.py", "foo/b.py", "foo", "foo/Dockerfile3"])
+        )
+
+    def test_directory_with_wildcard_exception(self) -> None:
+        assert self.exclude(["foo", "!foo/*.py"]) == convert_paths(
+            self.all_paths - set(["foo/bar", "foo/bar/a.py", "foo", "foo/Dockerfile3"])
+        )
+
+    def test_subdirectory(self) -> None:
+        assert self.exclude(["foo/bar"]) == convert_paths(
+            self.all_paths - set(["foo/bar", "foo/bar/a.py"])
+        )
+
+    @pytest.mark.skipif(
+        not IS_WINDOWS_PLATFORM, reason="Backslash patterns only on Windows"
+    )
+    def test_subdirectory_win32_pathsep(self) -> None:
+        assert self.exclude(["foo\\bar"]) == convert_paths(
+            self.all_paths - set(["foo/bar", "foo/bar/a.py"])
+        )
+
+    def test_double_wildcard(self) -> None:
+        assert self.exclude(["**/a.py"]) == convert_paths(
+            self.all_paths - set(["a.py", "foo/a.py", "foo/bar/a.py", "bar/a.py"])
+        )
+
+        assert self.exclude(["foo/**/bar"]) == convert_paths(
+            self.all_paths - set(["foo/bar", "foo/bar/a.py"])
+        )
+
+    def test_single_and_double_wildcard(self) -> None:
+        assert self.exclude(["**/target/*/*"]) == convert_paths(
+            self.all_paths
+            - set(
+                [
+                    "target/subdir/file.txt",
+                    "subdir/target/subdir/file.txt",
+                    "subdir/subdir2/target/subdir/file.txt",
+                ]
+            )
+        )
+
+    def test_trailing_double_wildcard(self) -> None:
+        assert self.exclude(["subdir/**"]) == convert_paths(
+            self.all_paths
+            - set(
+                [
+                    "subdir/file.txt",
+                    "subdir/target/file.txt",
+                    "subdir/target/subdir/file.txt",
+                    "subdir/subdir2/file.txt",
+                    "subdir/subdir2/target/file.txt",
+                    "subdir/subdir2/target/subdir/file.txt",
+                    "subdir/target",
+                    "subdir/target/subdir",
+                    "subdir/subdir2",
+                    "subdir/subdir2/target",
+                    "subdir/subdir2/target/subdir",
+                ]
+            )
+        )
+
+    def test_double_wildcard_with_exception(self) -> None:
+        assert self.exclude(["**", "!bar", "!foo/bar"]) == convert_paths(
+            set(
+                [
+                    "foo/bar",
+                    "foo/bar/a.py",
+                    "bar",
+                    "bar/a.py",
+                    "Dockerfile",
+                    ".dockerignore",
+                ]
+            )
+        )
+
+    def test_include_wildcard(self) -> None:
+        # This may be surprising but it matches the CLI's behavior
+        # (tested with 18.05.0-ce on linux)
+        base = make_tree(["a"], ["a/b.py"])
+        assert exclude_paths(base, ["*", "!*/b.py"]) == set()
+
+    def test_last_line_precedence(self) -> None:
+        base = make_tree(
+            [],
+            [
+                "garbage.md",
+                "trash.md",
+                "README.md",
+                "README-bis.md",
+                "README-secret.md",
+            ],
+        )
+        assert exclude_paths(base, ["*.md", "!README*.md", "README-secret.md"]) == set(
+            ["README.md", "README-bis.md"]
+        )
+
+    def test_parent_directory(self) -> None:
+        base = make_tree([], ["a.py", "b.py", "c.py"])
+        # Dockerignore reference stipulates that absolute paths are
+        # equivalent to relative paths, hence /../foo should be
+        # equivalent to ../foo. It also stipulates that paths are run
+        # through Go's filepath.Clean, which explicitly "replace
+        # "/.."  by "/" at the beginning of a path".
+        assert exclude_paths(base, ["../a.py", "/../b.py"]) == set(["c.py"])
+
+
+class TarTest(unittest.TestCase):
+    def test_tar_with_excludes(self) -> None:
+        dirs = [
+            "foo",
+            "foo/bar",
+            "bar",
+        ]
+
+        files = [
+            "Dockerfile",
+            "Dockerfile.alt",
+            ".dockerignore",
+            "a.py",
+            "a.go",
+            "b.py",
+            "cde.py",
+            "foo/a.py",
+            "foo/b.py",
+            "foo/bar/a.py",
+            "bar/a.py",
+        ]
+
+        exclude = [
+            "*.py",
+            "!b.py",
+            "!a.go",
+            "foo",
+            "Dockerfile*",
+            ".dockerignore",
+        ]
+
+        expected_names = set(
+            [
+                "Dockerfile",
+                ".dockerignore",
+                "a.go",
+                "b.py",
+                "bar",
+                "bar/a.py",
+            ]
+        )
+
+        base = make_tree(dirs, files)
+        self.addCleanup(shutil.rmtree, base)
+
+        with tar(base, exclude=exclude) as archive, tarfile.open(
+            fileobj=archive
+        ) as tar_data:
+            assert sorted(tar_data.getnames()) == sorted(expected_names)
+
+    def test_tar_with_empty_directory(self) -> None:
+        base = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, base)
+        for d in ["foo", "bar"]:
+            os.makedirs(os.path.join(base, d))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert sorted(tar_data.getnames()) == ["bar", "foo"]
+
+    @pytest.mark.skipif(
+        IS_WINDOWS_PLATFORM or os.geteuid() == 0,
+        reason="root user always has access ; no chmod on Windows",
+    )
+    def test_tar_with_inaccessible_file(self) -> None:
+        base = tempfile.mkdtemp()
+        full_path = os.path.join(base, "foo")
+        self.addCleanup(shutil.rmtree, base)
+        with open(full_path, "wt", encoding="utf-8") as f:
+            f.write("content")
+        os.chmod(full_path, 0o222)
+        with pytest.raises(IOError) as ei:
+            tar(base)
+
+        assert f"Can not read file in context: {full_path}" in ei.exconly()
+
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="No symlinks on Windows")
+    def test_tar_with_file_symlinks(self) -> None:
+        base = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, base)
+        with open(os.path.join(base, "foo"), "wt", encoding="utf-8") as f:
+            f.write("content")
+        os.makedirs(os.path.join(base, "bar"))
+        os.symlink("../foo", os.path.join(base, "bar/foo"))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert sorted(tar_data.getnames()) == ["bar", "bar/foo", "foo"]
+
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="No symlinks on Windows")
+    def test_tar_with_directory_symlinks(self) -> None:
+        base = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, base)
+        for d in ["foo", "bar"]:
+            os.makedirs(os.path.join(base, d))
+        os.symlink("../foo", os.path.join(base, "bar/foo"))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert sorted(tar_data.getnames()) == ["bar", "bar/foo", "foo"]
+
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="No symlinks on Windows")
+    def test_tar_with_broken_symlinks(self) -> None:
+        base = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, base)
+        for d in ["foo", "bar"]:
+            os.makedirs(os.path.join(base, d))
+
+        os.symlink("../baz", os.path.join(base, "bar/foo"))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert sorted(tar_data.getnames()) == ["bar", "bar/foo", "foo"]
+
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="No UNIX sockets on Win32")
+    def test_tar_socket_file(self) -> None:
+        base = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, base)
+        for d in ["foo", "bar"]:
+            os.makedirs(os.path.join(base, d))
+        sock = socket.socket(socket.AF_UNIX)
+        self.addCleanup(sock.close)
+        sock.bind(os.path.join(base, "test.sock"))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert sorted(tar_data.getnames()) == ["bar", "foo"]
+
+    def tar_test_negative_mtime_bug(self) -> None:
+        base = tempfile.mkdtemp()
+        filename = os.path.join(base, "th.txt")
+        self.addCleanup(shutil.rmtree, base)
+        with open(filename, "wt", encoding="utf-8") as f:
+            f.write("Invisible Full Moon")
+        os.utime(filename, (12345, -3600.0))
+        with tar(base) as archive, tarfile.open(fileobj=archive) as tar_data:
+            assert tar_data.getnames() == ["th.txt"]
+            assert tar_data.getmember("th.txt").mtime == -3600
+
+    @pytest.mark.skipif(IS_WINDOWS_PLATFORM, reason="No symlinks on Windows")
+    def test_tar_directory_link(self) -> None:
+        dirs = ["a", "b", "a/c"]
+        files = ["a/hello.py", "b/utils.py", "a/c/descend.py"]
+        base = make_tree(dirs, files)
+        self.addCleanup(shutil.rmtree, base)
+        os.symlink(os.path.join(base, "b"), os.path.join(base, "a/c/b"))
+        with tar(base) as archive:
+            with tarfile.open(fileobj=archive) as tar_data:
+                names = tar_data.getnames()
+            for member in dirs + files:
+                assert member in names
+            assert "a/c/b" in names
+            assert "a/c/b/utils.py" not in names
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_config.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_config.py
new file mode 100644
index 00000000..48350e32
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_config.py
@@ -0,0 +1,122 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import json
+import os
+import shutil
+import tempfile
+import typing as t
+import unittest
+from collections.abc import Callable
+from unittest import mock
+
+from pytest import fixture, mark
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils import config
+
+
+class FindConfigFileTest(unittest.TestCase):
+    mkdir: Callable[[str], os.PathLike[str]]
+
+    @fixture(autouse=True)
+    def tmpdir(self, tmpdir: t.Any) -> None:
+        self.mkdir = tmpdir.mkdir
+
+    def test_find_config_fallback(self) -> None:
+        tmpdir = self.mkdir("test_find_config_fallback")
+
+        with mock.patch.dict(os.environ, {"HOME": str(tmpdir)}):
+            assert config.find_config_file() is None
+
+    def test_find_config_from_explicit_path(self) -> None:
+        tmpdir = self.mkdir("test_find_config_from_explicit_path")
+        config_path = tmpdir.ensure("my-config-file.json")  # type: ignore[attr-defined]
+
+        assert config.find_config_file(str(config_path)) == str(config_path)
+
+    def test_find_config_from_environment(self) -> None:
+        tmpdir = self.mkdir("test_find_config_from_environment")
+        config_path = tmpdir.ensure("config.json")  # type: ignore[attr-defined]
+
+        with mock.patch.dict(os.environ, {"DOCKER_CONFIG": str(tmpdir)}):
+            assert config.find_config_file() == str(config_path)
+
+    @mark.skipif("sys.platform == 'win32'")
+    def test_find_config_from_home_posix(self) -> None:
+        tmpdir = self.mkdir("test_find_config_from_home_posix")
+        config_path = tmpdir.ensure(".docker", "config.json")  # type: ignore[attr-defined]
+
+        with mock.patch.dict(os.environ, {"HOME": str(tmpdir)}):
+            assert config.find_config_file() == str(config_path)
+
+    @mark.skipif("sys.platform == 'win32'")
+    def test_find_config_from_home_legacy_name(self) -> None:
+        tmpdir = self.mkdir("test_find_config_from_home_legacy_name")
+        config_path = tmpdir.ensure(".dockercfg")  # type: ignore[attr-defined]
+
+        with mock.patch.dict(os.environ, {"HOME": str(tmpdir)}):
+            assert config.find_config_file() == str(config_path)
+
+    @mark.skipif("sys.platform != 'win32'")
+    def test_find_config_from_home_windows(self) -> None:
+        tmpdir = self.mkdir("test_find_config_from_home_windows")
+        config_path = tmpdir.ensure(".docker", "config.json")  # type: ignore[attr-defined]
+
+        with mock.patch.dict(os.environ, {"USERPROFILE": str(tmpdir)}):
+            assert config.find_config_file() == str(config_path)
+
+
+class LoadConfigTest(unittest.TestCase):
+    def test_load_config_no_file(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        cfg = config.load_general_config(folder)
+        assert cfg is not None
+        assert isinstance(cfg, dict)
+        assert not cfg
+
+    def test_load_config_custom_headers(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+
+        dockercfg_path = os.path.join(folder, "config.json")
+        config_data = {
+            "HttpHeaders": {"Name": "Spike", "Surname": "Spiegel"},
+        }
+
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config_data, f)
+
+        cfg = config.load_general_config(dockercfg_path)
+        assert "HttpHeaders" in cfg
+        assert cfg["HttpHeaders"] == {"Name": "Spike", "Surname": "Spiegel"}
+
+    def test_load_config_detach_keys(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        dockercfg_path = os.path.join(folder, "config.json")
+        config_data = {"detachKeys": "ctrl-q, ctrl-u, ctrl-i"}
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config_data, f)
+
+        cfg = config.load_general_config(dockercfg_path)
+        assert cfg == config_data
+
+    def test_load_config_from_env(self) -> None:
+        folder = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, folder)
+        dockercfg_path = os.path.join(folder, "config.json")
+        config_data = {"detachKeys": "ctrl-q, ctrl-u, ctrl-i"}
+        with open(dockercfg_path, "wt", encoding="utf-8") as f:
+            json.dump(config_data, f)
+
+        with mock.patch.dict(os.environ, {"DOCKER_CONFIG": folder}):
+            cfg = config.load_general_config(None)
+        assert cfg == config_data
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_decorators.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_decorators.py
new file mode 100644
index 00000000..a8f70fea
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_decorators.py
@@ -0,0 +1,51 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import typing as t
+import unittest
+
+from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+    APIClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.decorators import (
+    update_headers,
+)
+from ansible_collections.community.docker.tests.unit.plugins.module_utils._api.constants import (
+    DEFAULT_DOCKER_API_VERSION,
+)
+
+
+class DecoratorsTest(unittest.TestCase):
+    def test_update_headers(self) -> None:
+        sample_headers = {
+            "X-Docker-Locale": "en-US",
+        }
+
+        def f(self: t.Any, headers: t.Any = None) -> t.Any:
+            return headers
+
+        client = APIClient(version=DEFAULT_DOCKER_API_VERSION)
+        client._general_configs = {}
+
+        g = update_headers(f)
+        assert g(client, headers=None) is None
+        assert g(client, headers={}) == {}
+        assert g(client, headers={"Content-type": "application/json"}) == {
+            "Content-type": "application/json",
+        }
+
+        client._general_configs = {"HttpHeaders": sample_headers}
+
+        assert g(client, headers=None) == sample_headers
+        assert g(client, headers={}) == sample_headers
+        assert g(client, headers={"Content-type": "application/json"}) == {
+            "Content-type": "application/json",
+            "X-Docker-Locale": "en-US",
+        }
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_json_stream.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_json_stream.py
new file mode 100644
index 00000000..1abd6ea1
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_json_stream.py
@@ -0,0 +1,74 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import typing as t
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.json_stream import (
+    json_splitter,
+    json_stream,
+    stream_as_text,
+)
+
+if t.TYPE_CHECKING:
+    T = t.TypeVar("T")
+
+
+def create_generator(input_sequence: list[T]) -> t.Generator[T]:
+    yield from input_sequence
+
+
+class TestJsonSplitter:
+    def test_json_splitter_no_object(self) -> None:
+        data = '{"foo": "bar'
+        assert json_splitter(data) is None
+
+    def test_json_splitter_with_object(self) -> None:
+        data = '{"foo": "bar"}\n  \n{"next": "obj"}'
+        assert json_splitter(data) == ({"foo": "bar"}, '{"next": "obj"}')
+
+    def test_json_splitter_leading_whitespace(self) -> None:
+        data = '\n   \r{"foo": "bar"}\n\n   {"next": "obj"}'
+        assert json_splitter(data) == ({"foo": "bar"}, '{"next": "obj"}')
+
+
+class TestStreamAsText:
+    def test_stream_with_non_utf_unicode_character(self) -> None:
+        stream = create_generator([b"\xed\xf3\xf3"])
+        (output,) = stream_as_text(stream)
+        assert output == "���"
+
+    def test_stream_with_utf_character(self) -> None:
+        stream = create_generator(["ěĝ".encode("utf-8")])
+        (output,) = stream_as_text(stream)
+        assert output == "ěĝ"
+
+
+class TestJsonStream:
+    def test_with_falsy_entries(self) -> None:
+        stream = create_generator(
+            [
+                '{"one": "two"}\n{}\n',
+                "[1, 2, 3]\n[]\n",
+            ]
+        )
+        output = list(json_stream(stream))
+        assert output == [
+            {"one": "two"},
+            {},
+            [1, 2, 3],
+            [],
+        ]
+
+    def test_with_leading_whitespace(self) -> None:
+        stream = create_generator(
+            ['\n  \r\n  {"one": "two"}{"x": 1}', '  {"three": "four"}\t\t{"x": 2}']
+        )
+        output = list(json_stream(stream))
+        assert output == [{"one": "two"}, {"x": 1}, {"three": "four"}, {"x": 2}]
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_ports.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_ports.py
new file mode 100644
index 00000000..77b67d04
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_ports.py
@@ -0,0 +1,152 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.ports import (
+    build_port_bindings,
+    split_port,
+)
+
+
+class PortsTest(unittest.TestCase):
+    def test_split_port_with_host_ip(self) -> None:
+        internal_port, external_port = split_port("127.0.0.1:1000:2000")
+        assert internal_port == ["2000"]
+        assert external_port == [("127.0.0.1", "1000")]
+
+    def test_split_port_with_protocol(self) -> None:
+        for protocol in ["tcp", "udp", "sctp"]:
+            internal_port, external_port = split_port("127.0.0.1:1000:2000/" + protocol)
+            assert internal_port == ["2000/" + protocol]
+            assert external_port == [("127.0.0.1", "1000")]
+
+    def test_split_port_with_host_ip_no_port(self) -> None:
+        internal_port, external_port = split_port("127.0.0.1::2000")
+        assert internal_port == ["2000"]
+        assert external_port == [("127.0.0.1", None)]
+
+    def test_split_port_range_with_host_ip_no_port(self) -> None:
+        internal_port, external_port = split_port("127.0.0.1::2000-2001")
+        assert internal_port == ["2000", "2001"]
+        assert external_port == [("127.0.0.1", None), ("127.0.0.1", None)]
+
+    def test_split_port_with_host_port(self) -> None:
+        internal_port, external_port = split_port("1000:2000")
+        assert internal_port == ["2000"]
+        assert external_port == ["1000"]
+
+    def test_split_port_range_with_host_port(self) -> None:
+        internal_port, external_port = split_port("1000-1001:2000-2001")
+        assert internal_port == ["2000", "2001"]
+        assert external_port == ["1000", "1001"]
+
+    def test_split_port_random_port_range_with_host_port(self) -> None:
+        internal_port, external_port = split_port("1000-1001:2000")
+        assert internal_port == ["2000"]
+        assert external_port == ["1000-1001"]
+
+    def test_split_port_no_host_port(self) -> None:
+        internal_port, external_port = split_port("2000")
+        assert internal_port == ["2000"]
+        assert external_port is None
+
+    def test_split_port_range_no_host_port(self) -> None:
+        internal_port, external_port = split_port("2000-2001")
+        assert internal_port == ["2000", "2001"]
+        assert external_port is None
+
+    def test_split_port_range_with_protocol(self) -> None:
+        internal_port, external_port = split_port("127.0.0.1:1000-1001:2000-2001/udp")
+        assert internal_port == ["2000/udp", "2001/udp"]
+        assert external_port == [("127.0.0.1", "1000"), ("127.0.0.1", "1001")]
+
+    def test_split_port_with_ipv6_address(self) -> None:
+        internal_port, external_port = split_port("2001:abcd:ef00::2:1000:2000")
+        assert internal_port == ["2000"]
+        assert external_port == [("2001:abcd:ef00::2", "1000")]
+
+    def test_split_port_with_ipv6_square_brackets_address(self) -> None:
+        internal_port, external_port = split_port("[2001:abcd:ef00::2]:1000:2000")
+        assert internal_port == ["2000"]
+        assert external_port == [("2001:abcd:ef00::2", "1000")]
+
+    def test_split_port_invalid(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("0.0.0.0:1000:2000:tcp")
+
+    def test_split_port_invalid_protocol(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("0.0.0.0:1000:2000/ftp")
+
+    def test_non_matching_length_port_ranges(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("0.0.0.0:1000-1010:2000-2002/tcp")
+
+    def test_port_and_range_invalid(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("0.0.0.0:1000:2000-2002/tcp")
+
+    def test_port_only_with_colon(self) -> None:
+        with pytest.raises(ValueError):
+            split_port(":80")
+
+    def test_host_only_with_colon(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("localhost:")
+
+    def test_with_no_container_port(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("localhost:80:")
+
+    def test_split_port_empty_string(self) -> None:
+        with pytest.raises(ValueError):
+            split_port("")
+
+    def test_split_port_non_string(self) -> None:
+        assert split_port(1243) == (["1243"], None)
+
+    def test_build_port_bindings_with_one_port(self) -> None:
+        port_bindings = build_port_bindings(["127.0.0.1:1000:1000"])
+        assert port_bindings["1000"] == [("127.0.0.1", "1000")]
+
+    def test_build_port_bindings_with_matching_internal_ports(self) -> None:
+        port_bindings = build_port_bindings(
+            ["127.0.0.1:1000:1000", "127.0.0.1:2000:1000"]
+        )
+        assert port_bindings["1000"] == [("127.0.0.1", "1000"), ("127.0.0.1", "2000")]
+
+    def test_build_port_bindings_with_nonmatching_internal_ports(self) -> None:
+        port_bindings = build_port_bindings(
+            ["127.0.0.1:1000:1000", "127.0.0.1:2000:2000"]
+        )
+        assert port_bindings["1000"] == [("127.0.0.1", "1000")]
+        assert port_bindings["2000"] == [("127.0.0.1", "2000")]
+
+    def test_build_port_bindings_with_port_range(self) -> None:
+        port_bindings = build_port_bindings(["127.0.0.1:1000-1001:1000-1001"])
+        assert port_bindings["1000"] == [("127.0.0.1", "1000")]
+        assert port_bindings["1001"] == [("127.0.0.1", "1001")]
+
+    def test_build_port_bindings_with_matching_internal_port_ranges(self) -> None:
+        port_bindings = build_port_bindings(
+            ["127.0.0.1:1000-1001:1000-1001", "127.0.0.1:2000-2001:1000-1001"]
+        )
+        assert port_bindings["1000"] == [("127.0.0.1", "1000"), ("127.0.0.1", "2000")]
+        assert port_bindings["1001"] == [("127.0.0.1", "1001"), ("127.0.0.1", "2001")]
+
+    def test_build_port_bindings_with_nonmatching_internal_port_ranges(self) -> None:
+        port_bindings = build_port_bindings(
+            ["127.0.0.1:1000:1000", "127.0.0.1:2000:2000"]
+        )
+        assert port_bindings["1000"] == [("127.0.0.1", "1000")]
+        assert port_bindings["2000"] == [("127.0.0.1", "2000")]
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_proxy.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_proxy.py
new file mode 100644
index 00000000..75493152
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_proxy.py
@@ -0,0 +1,97 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import unittest
+
+from ansible_collections.community.docker.plugins.module_utils._api.utils.proxy import (
+    ProxyConfig,
+)
+
+HTTP = "http://test:80"
+HTTPS = "https://test:443"
+FTP = "ftp://user:password@host:23"
+NO_PROXY = "localhost,.localdomain"
+CONFIG = ProxyConfig(http=HTTP, https=HTTPS, ftp=FTP, no_proxy=NO_PROXY)
+ENV = {
+    "http_proxy": HTTP,
+    "HTTP_PROXY": HTTP,
+    "https_proxy": HTTPS,
+    "HTTPS_PROXY": HTTPS,
+    "ftp_proxy": FTP,
+    "FTP_PROXY": FTP,
+    "no_proxy": NO_PROXY,
+    "NO_PROXY": NO_PROXY,
+}
+
+
+class ProxyConfigTest(unittest.TestCase):
+    def test_from_dict(self) -> None:
+        config = ProxyConfig.from_dict(
+            {
+                "httpProxy": HTTP,
+                "httpsProxy": HTTPS,
+                "ftpProxy": FTP,
+                "noProxy": NO_PROXY,
+            }
+        )
+        self.assertEqual(CONFIG.http, config.http)
+        self.assertEqual(CONFIG.https, config.https)
+        self.assertEqual(CONFIG.ftp, config.ftp)
+        self.assertEqual(CONFIG.no_proxy, config.no_proxy)
+
+    def test_new(self) -> None:
+        config = ProxyConfig()
+        self.assertIsNone(config.http)
+        self.assertIsNone(config.https)
+        self.assertIsNone(config.ftp)
+        self.assertIsNone(config.no_proxy)
+
+        config = ProxyConfig(http="a", https="b", ftp="c", no_proxy="d")
+        self.assertEqual(config.http, "a")
+        self.assertEqual(config.https, "b")
+        self.assertEqual(config.ftp, "c")
+        self.assertEqual(config.no_proxy, "d")
+
+    def test_truthiness(self) -> None:
+        assert not ProxyConfig()
+        assert ProxyConfig(http="non-zero")
+        assert ProxyConfig(https="non-zero")
+        assert ProxyConfig(ftp="non-zero")
+        assert ProxyConfig(no_proxy="non-zero")
+
+    def test_environment(self) -> None:
+        self.assertDictEqual(CONFIG.get_environment(), ENV)
+        empty = ProxyConfig()
+        self.assertDictEqual(empty.get_environment(), {})
+
+    def test_inject_proxy_environment(self) -> None:
+        # Proxy config is non null, env is None.
+        envlist = CONFIG.inject_proxy_environment(None)
+        assert envlist is not None
+        self.assertSetEqual(
+            set(envlist),
+            set(f"{k}={v}" for k, v in ENV.items()),
+        )
+
+        # Proxy config is null, env is None.
+        self.assertIsNone(ProxyConfig().inject_proxy_environment(None), None)
+
+        env = ["FOO=BAR", "BAR=BAZ"]
+
+        # Proxy config is non null, env is non null
+        actual = CONFIG.inject_proxy_environment(env)
+        expected = [f"{k}={v}" for k, v in ENV.items()] + env
+        # It's important that the first 8 variables are the ones from the proxy
+        # config, and the last 2 are the ones from the input environment
+        self.assertSetEqual(set(actual[:8]), set(expected[:8]))
+        self.assertSetEqual(set(actual[-2:]), set(expected[-2:]))
+
+        # Proxy is null, and is non null
+        self.assertListEqual(ProxyConfig().inject_proxy_environment(env), env)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_utils.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_utils.py
new file mode 100644
index 00000000..42d7b923
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/test_utils.py
@@ -0,0 +1,481 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import os.path
+import shutil
+import tempfile
+import unittest
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._api.api.client import (
+    APIClient,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.constants import (
+    IS_WINDOWS_PLATFORM,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.errors import (
+    DockerException,
+)
+from ansible_collections.community.docker.plugins.module_utils._api.utils.utils import (
+    convert_filters,
+    convert_volume_binds,
+    decode_json_header,
+    format_environment,
+    kwargs_from_env,
+    parse_bytes,
+    parse_devices,
+    parse_env_file,
+    parse_host,
+    parse_repository_tag,
+    split_command,
+)
+from ansible_collections.community.docker.tests.unit.plugins.module_utils._api.constants import (
+    DEFAULT_DOCKER_API_VERSION,
+)
+
+TEST_CERT_DIR = os.path.join(
+    os.path.dirname(__file__),
+    "testdata/certs",
+)
+
+
+class KwargsFromEnvTest(unittest.TestCase):
+    os_environ: dict[str, str]
+
+    def setUp(self) -> None:
+        self.os_environ = os.environ.copy()
+
+    def tearDown(self) -> None:
+        for k, v in self.os_environ.items():
+            if os.environ.get(k) != v:
+                os.environ[k] = v
+        for k in os.environ:
+            if k not in self.os_environ:
+                os.environ.pop(k)
+
+    def test_kwargs_from_env_empty(self) -> None:
+        os.environ.update(DOCKER_HOST="", DOCKER_CERT_PATH="")
+        os.environ.pop("DOCKER_TLS_VERIFY", None)
+
+        kwargs = kwargs_from_env()
+        assert kwargs.get("base_url") is None
+        assert kwargs.get("tls") is None
+
+    def test_kwargs_from_env_tls(self) -> None:
+        os.environ.update(
+            DOCKER_HOST="tcp://192.168.59.103:2376",
+            DOCKER_CERT_PATH=TEST_CERT_DIR,
+            DOCKER_TLS_VERIFY="1",
+        )
+        kwargs = kwargs_from_env(assert_hostname=False)
+        assert kwargs["base_url"] == "tcp://192.168.59.103:2376"
+        assert "ca.pem" in kwargs["tls"].ca_cert
+        assert "cert.pem" in kwargs["tls"].cert[0]
+        assert "key.pem" in kwargs["tls"].cert[1]
+        assert kwargs["tls"].assert_hostname is False
+        assert kwargs["tls"].verify
+
+        parsed_host = parse_host(kwargs["base_url"], IS_WINDOWS_PLATFORM, True)
+        kwargs["version"] = DEFAULT_DOCKER_API_VERSION
+        try:
+            client = APIClient(**kwargs)
+            assert parsed_host == client.base_url
+            assert kwargs["tls"].ca_cert == client.verify
+            assert kwargs["tls"].cert == client.cert
+        except TypeError as e:
+            self.fail(e)
+
+    def test_kwargs_from_env_tls_verify_false(self) -> None:
+        os.environ.update(
+            DOCKER_HOST="tcp://192.168.59.103:2376",
+            DOCKER_CERT_PATH=TEST_CERT_DIR,
+            DOCKER_TLS_VERIFY="",
+        )
+        kwargs = kwargs_from_env(assert_hostname=True)
+        assert kwargs["base_url"] == "tcp://192.168.59.103:2376"
+        assert "ca.pem" in kwargs["tls"].ca_cert
+        assert "cert.pem" in kwargs["tls"].cert[0]
+        assert "key.pem" in kwargs["tls"].cert[1]
+        assert kwargs["tls"].assert_hostname is True
+        assert kwargs["tls"].verify is False
+        parsed_host = parse_host(kwargs["base_url"], IS_WINDOWS_PLATFORM, True)
+        kwargs["version"] = DEFAULT_DOCKER_API_VERSION
+        try:
+            client = APIClient(**kwargs)
+            assert parsed_host == client.base_url
+            assert kwargs["tls"].cert == client.cert
+            assert not kwargs["tls"].verify
+        except TypeError as e:
+            self.fail(e)
+
+    def test_kwargs_from_env_tls_verify_false_no_cert(self) -> None:
+        temp_dir = tempfile.mkdtemp()
+        cert_dir = os.path.join(temp_dir, ".docker")
+        shutil.copytree(TEST_CERT_DIR, cert_dir)
+
+        os.environ.update(
+            DOCKER_HOST="tcp://192.168.59.103:2376", HOME=temp_dir, DOCKER_TLS_VERIFY=""
+        )
+        os.environ.pop("DOCKER_CERT_PATH", None)
+        kwargs = kwargs_from_env(assert_hostname=True)
+        assert kwargs["base_url"] == "tcp://192.168.59.103:2376"
+
+    def test_kwargs_from_env_no_cert_path(self) -> None:
+        try:
+            temp_dir = tempfile.mkdtemp()
+            cert_dir = os.path.join(temp_dir, ".docker")
+            shutil.copytree(TEST_CERT_DIR, cert_dir)
+
+            os.environ.update(HOME=temp_dir, DOCKER_CERT_PATH="", DOCKER_TLS_VERIFY="1")
+
+            kwargs = kwargs_from_env()
+            assert kwargs["tls"].verify
+            assert cert_dir in kwargs["tls"].ca_cert
+            assert cert_dir in kwargs["tls"].cert[0]
+            assert cert_dir in kwargs["tls"].cert[1]
+        finally:
+            if temp_dir:
+                shutil.rmtree(temp_dir)
+
+    def test_kwargs_from_env_alternate_env(self) -> None:
+        # Values in os.environ are entirely ignored if an alternate is
+        # provided
+        os.environ.update(
+            DOCKER_HOST="tcp://192.168.59.103:2376",
+            DOCKER_CERT_PATH=TEST_CERT_DIR,
+            DOCKER_TLS_VERIFY="",
+        )
+        kwargs = kwargs_from_env(
+            environment={
+                "DOCKER_HOST": "http://docker.gensokyo.jp:2581",
+            }
+        )
+        assert kwargs["base_url"] == "http://docker.gensokyo.jp:2581"
+        assert "tls" not in kwargs
+
+
+class ConverVolumeBindsTest(unittest.TestCase):
+    def test_convert_volume_binds_empty(self) -> None:
+        assert convert_volume_binds({}) == []
+        assert convert_volume_binds([]) == []
+
+    def test_convert_volume_binds_list(self) -> None:
+        data = ["/a:/a:ro", "/b:/c:z"]
+        assert convert_volume_binds(data) == data
+
+    def test_convert_volume_binds_complete(self) -> None:
+        data: dict[str | bytes, dict[str, str]] = {
+            "/mnt/vol1": {"bind": "/data", "mode": "ro"}
+        }
+        assert convert_volume_binds(data) == ["/mnt/vol1:/data:ro"]
+
+    def test_convert_volume_binds_compact(self) -> None:
+        data: dict[str | bytes, str] = {"/mnt/vol1": "/data"}
+        assert convert_volume_binds(data) == ["/mnt/vol1:/data:rw"]
+
+    def test_convert_volume_binds_no_mode(self) -> None:
+        data: dict[str | bytes, dict[str, str]] = {"/mnt/vol1": {"bind": "/data"}}
+        assert convert_volume_binds(data) == ["/mnt/vol1:/data:rw"]
+
+    def test_convert_volume_binds_unicode_bytes_input(self) -> None:
+        expected = ["/mnt/지연:/unicode/박:rw"]
+
+        data: dict[str | bytes, dict[str, str | bytes]] = {
+            "/mnt/지연".encode("utf-8"): {
+                "bind": "/unicode/박".encode("utf-8"),
+                "mode": "rw",
+            }
+        }
+        assert convert_volume_binds(data) == expected
+
+    def test_convert_volume_binds_unicode_unicode_input(self) -> None:
+        expected = ["/mnt/지연:/unicode/박:rw"]
+
+        data: dict[str | bytes, dict[str, str]] = {
+            "/mnt/지연": {"bind": "/unicode/박", "mode": "rw"}
+        }
+        assert convert_volume_binds(data) == expected
+
+
+class ParseEnvFileTest(unittest.TestCase):
+    def generate_tempfile(self, file_content: str) -> str:
+        """
+        Generates a temporary file for tests with the content
+        of 'file_content' and returns the filename.
+        Don't forget to unlink the file with os.unlink() after.
+        """
+        with tempfile.NamedTemporaryFile(delete=False) as local_tempfile:
+            local_tempfile.write(file_content.encode("UTF-8"))
+        return local_tempfile.name
+
+    def test_parse_env_file_proper(self) -> None:
+        env_file = self.generate_tempfile(file_content="USER=jdoe\nPASS=secret")
+        get_parse_env_file = parse_env_file(env_file)
+        assert get_parse_env_file == {"USER": "jdoe", "PASS": "secret"}
+        os.unlink(env_file)
+
+    def test_parse_env_file_with_equals_character(self) -> None:
+        env_file = self.generate_tempfile(file_content="USER=jdoe\nPASS=sec==ret")
+        get_parse_env_file = parse_env_file(env_file)
+        assert get_parse_env_file == {"USER": "jdoe", "PASS": "sec==ret"}
+        os.unlink(env_file)
+
+    def test_parse_env_file_commented_line(self) -> None:
+        env_file = self.generate_tempfile(file_content="USER=jdoe\n#PASS=secret")
+        get_parse_env_file = parse_env_file(env_file)
+        assert get_parse_env_file == {"USER": "jdoe"}
+        os.unlink(env_file)
+
+    def test_parse_env_file_newline(self) -> None:
+        env_file = self.generate_tempfile(file_content="\nUSER=jdoe\n\n\nPASS=secret")
+        get_parse_env_file = parse_env_file(env_file)
+        assert get_parse_env_file == {"USER": "jdoe", "PASS": "secret"}
+        os.unlink(env_file)
+
+    def test_parse_env_file_invalid_line(self) -> None:
+        env_file = self.generate_tempfile(file_content="USER jdoe")
+        with pytest.raises(DockerException):
+            parse_env_file(env_file)
+        os.unlink(env_file)
+
+
+class ParseHostTest(unittest.TestCase):
+    def test_parse_host(self) -> None:
+        invalid_hosts = [
+            "foo://0.0.0.0",
+            "tcp://",
+            "udp://127.0.0.1",
+            "udp://127.0.0.1:2375",
+            "ssh://:22/path",
+            "tcp://netloc:3333/path?q=1",
+            "unix:///sock/path#fragment",
+            "https://netloc:3333/path;params",
+            "ssh://:clearpassword@host:22",
+        ]
+
+        valid_hosts = {
+            "0.0.0.1:5555": "http://0.0.0.1:5555",
+            ":6666": "http://127.0.0.1:6666",
+            "tcp://:7777": "http://127.0.0.1:7777",
+            "http://:7777": "http://127.0.0.1:7777",
+            "https://kokia.jp:2375": "https://kokia.jp:2375",
+            "unix:///var/run/docker.sock": "http+unix:///var/run/docker.sock",
+            "unix://": "http+unix:///var/run/docker.sock",
+            "12.234.45.127:2375/docker/engine": (
+                "http://12.234.45.127:2375/docker/engine"
+            ),
+            "somehost.net:80/service/swarm": ("http://somehost.net:80/service/swarm"),
+            "npipe:////./pipe/docker_engine": "npipe:////./pipe/docker_engine",
+            "[fd12::82d1]:2375": "http://[fd12::82d1]:2375",
+            "https://[fd12:5672::12aa]:1090": "https://[fd12:5672::12aa]:1090",
+            "[fd12::82d1]:2375/docker/engine": (
+                "http://[fd12::82d1]:2375/docker/engine"
+            ),
+            "ssh://[fd12::82d1]": "ssh://[fd12::82d1]:22",
+            "ssh://user@[fd12::82d1]:8765": "ssh://user@[fd12::82d1]:8765",
+            "ssh://": "ssh://127.0.0.1:22",
+            "ssh://user@localhost:22": "ssh://user@localhost:22",
+            "ssh://user@remote": "ssh://user@remote:22",
+        }
+
+        for host in invalid_hosts:
+            msg = f"Should have failed to parse invalid host: {host}"
+            with self.assertRaises(DockerException, msg=msg):
+                parse_host(host)
+
+        for host, expected in valid_hosts.items():
+            self.assertEqual(
+                parse_host(host),
+                expected,
+                msg=f"Failed to parse valid host: {host}",
+            )
+
+    def test_parse_host_empty_value(self) -> None:
+        unix_socket = "http+unix:///var/run/docker.sock"
+        npipe = "npipe:////./pipe/docker_engine"
+
+        for val in [None, ""]:
+            assert parse_host(val, is_win32=False) == unix_socket
+            assert parse_host(val, is_win32=True) == npipe
+
+    def test_parse_host_tls(self) -> None:
+        host_value = "myhost.docker.net:3348"
+        expected_result = "https://myhost.docker.net:3348"
+        assert parse_host(host_value, tls=True) == expected_result
+
+    def test_parse_host_tls_tcp_proto(self) -> None:
+        host_value = "tcp://myhost.docker.net:3348"
+        expected_result = "https://myhost.docker.net:3348"
+        assert parse_host(host_value, tls=True) == expected_result
+
+    def test_parse_host_trailing_slash(self) -> None:
+        host_value = "tcp://myhost.docker.net:2376/"
+        expected_result = "http://myhost.docker.net:2376"
+        assert parse_host(host_value) == expected_result
+
+
+class ParseRepositoryTagTest(unittest.TestCase):
+    sha = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+
+    def test_index_image_no_tag(self) -> None:
+        assert parse_repository_tag("root") == ("root", None)
+
+    def test_index_image_tag(self) -> None:
+        assert parse_repository_tag("root:tag") == ("root", "tag")
+
+    def test_index_user_image_no_tag(self) -> None:
+        assert parse_repository_tag("user/repo") == ("user/repo", None)
+
+    def test_index_user_image_tag(self) -> None:
+        assert parse_repository_tag("user/repo:tag") == ("user/repo", "tag")
+
+    def test_private_reg_image_no_tag(self) -> None:
+        assert parse_repository_tag("url:5000/repo") == ("url:5000/repo", None)
+
+    def test_private_reg_image_tag(self) -> None:
+        assert parse_repository_tag("url:5000/repo:tag") == ("url:5000/repo", "tag")
+
+    def test_index_image_sha(self) -> None:
+        assert parse_repository_tag(f"root@sha256:{self.sha}") == (
+            "root",
+            f"sha256:{self.sha}",
+        )
+
+    def test_private_reg_image_sha(self) -> None:
+        assert parse_repository_tag(f"url:5000/repo@sha256:{self.sha}") == (
+            "url:5000/repo",
+            f"sha256:{self.sha}",
+        )
+
+
+class ParseDeviceTest(unittest.TestCase):
+    def test_dict(self) -> None:
+        devices = parse_devices(
+            [
+                {
+                    "PathOnHost": "/dev/sda1",
+                    "PathInContainer": "/dev/mnt1",
+                    "CgroupPermissions": "r",
+                }
+            ]
+        )
+        assert devices[0] == {
+            "PathOnHost": "/dev/sda1",
+            "PathInContainer": "/dev/mnt1",
+            "CgroupPermissions": "r",
+        }
+
+    def test_partial_string_definition(self) -> None:
+        devices = parse_devices(["/dev/sda1"])
+        assert devices[0] == {
+            "PathOnHost": "/dev/sda1",
+            "PathInContainer": "/dev/sda1",
+            "CgroupPermissions": "rwm",
+        }
+
+    def test_permissionless_string_definition(self) -> None:
+        devices = parse_devices(["/dev/sda1:/dev/mnt1"])
+        assert devices[0] == {
+            "PathOnHost": "/dev/sda1",
+            "PathInContainer": "/dev/mnt1",
+            "CgroupPermissions": "rwm",
+        }
+
+    def test_full_string_definition(self) -> None:
+        devices = parse_devices(["/dev/sda1:/dev/mnt1:r"])
+        assert devices[0] == {
+            "PathOnHost": "/dev/sda1",
+            "PathInContainer": "/dev/mnt1",
+            "CgroupPermissions": "r",
+        }
+
+    def test_hybrid_list(self) -> None:
+        devices = parse_devices(
+            [
+                "/dev/sda1:/dev/mnt1:rw",
+                {
+                    "PathOnHost": "/dev/sda2",
+                    "PathInContainer": "/dev/mnt2",
+                    "CgroupPermissions": "r",
+                },
+            ]
+        )
+
+        assert devices[0] == {
+            "PathOnHost": "/dev/sda1",
+            "PathInContainer": "/dev/mnt1",
+            "CgroupPermissions": "rw",
+        }
+        assert devices[1] == {
+            "PathOnHost": "/dev/sda2",
+            "PathInContainer": "/dev/mnt2",
+            "CgroupPermissions": "r",
+        }
+
+
+class ParseBytesTest(unittest.TestCase):
+    def test_parse_bytes_valid(self) -> None:
+        assert parse_bytes("512MB") == 536870912
+        assert parse_bytes("512M") == 536870912
+        assert parse_bytes("512m") == 536870912
+
+    def test_parse_bytes_invalid(self) -> None:
+        with pytest.raises(DockerException):
+            parse_bytes("512MK")
+        with pytest.raises(DockerException):
+            parse_bytes("512L")
+        with pytest.raises(DockerException):
+            parse_bytes("127.0.0.1K")
+
+    def test_parse_bytes_float(self) -> None:
+        assert parse_bytes("1.5k") == 1536
+
+
+class UtilsTest(unittest.TestCase):
+    longMessage = True
+
+    def test_convert_filters(self) -> None:
+        tests: list[tuple[dict[str, bool | str | int | list[str | int]], str]] = [
+            ({"dangling": True}, '{"dangling": ["true"]}'),
+            ({"dangling": "true"}, '{"dangling": ["true"]}'),
+            ({"exited": 0}, '{"exited": ["0"]}'),
+            ({"exited": [0, 1]}, '{"exited": ["0", "1"]}'),
+        ]
+
+        for filters, expected in tests:
+            assert convert_filters(filters) == expected
+
+    def test_decode_json_header(self) -> None:
+        obj = {"a": "b", "c": 1}
+        data = base64.urlsafe_b64encode(bytes(json.dumps(obj), "utf-8"))
+        decoded_data = decode_json_header(data)
+        assert obj == decoded_data
+
+
+class SplitCommandTest(unittest.TestCase):
+    def test_split_command_with_unicode(self) -> None:
+        assert split_command("echo μμ") == ["echo", "μμ"]
+
+
+class FormatEnvironmentTest(unittest.TestCase):
+    def test_format_env_binary_unicode_value(self) -> None:
+        env_dict = {"ARTIST_NAME": b"\xec\x86\xa1\xec\xa7\x80\xec\x9d\x80"}
+        assert format_environment(env_dict) == ["ARTIST_NAME=송지은"]
+
+    def test_format_env_no_value(self) -> None:
+        env_dict = {
+            "FOO": None,
+            "BAR": "",
+        }
+        assert sorted(format_environment(env_dict)) == ["BAR=", "FOO"]
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/ca.pem b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/ca.pem
new file mode 100644
index 00000000..5c7093a3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/ca.pem
@@ -0,0 +1,7 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/cert.pem b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/cert.pem
new file mode 100644
index 00000000..5c7093a3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/cert.pem
@@ -0,0 +1,7 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/key.pem b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/key.pem
new file mode 100644
index 00000000..5c7093a3
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/_api/utils/testdata/certs/key.pem
@@ -0,0 +1,7 @@
+# This code is part of the Ansible collection community.docker, but is an independent component.
+# This particular file, and this file only, is based on the Docker SDK for Python (https://github.com/docker/docker-py/)
+#
+# Copyright (c) 2016-2022 Docker, Inc.
+#
+# It is licensed under the Apache 2.0 license (see LICENSES/Apache-2.0.txt in this collection)
+# SPDX-License-Identifier: Apache-2.0
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/compose_v2_test_cases.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/compose_v2_test_cases.py
new file mode 100644
index 00000000..d64be44c
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/compose_v2_test_cases.py
@@ -0,0 +1,10811 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# pylint: disable=line-too-long
+
+from __future__ import annotations
+
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    Event,
+)
+
+EVENT_TEST_CASES: list[tuple[str, str, bool, bool, str, list[Event], list[str]]] = [
+    # #######################################################################################################################
+    # ## Docker Compose 2.18.1 ##############################################################################################
+    # #######################################################################################################################
+    # docker_compose_v2: "Absent" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-absent",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-absent-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Resource is still in use\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                None,
+                "Resource is still in use",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Cleanup" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-cleanup",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopping\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopped\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removing\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removed\n"
+        " Network ansible-docker-test-01234567-pull_default  Removing\n"
+        " Network ansible-docker-test-01234567-pull_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present",
+        "2.18.1",
+        False,
+        False,
+        " ansible-docker-test-01234567-container Pulling \n"
+        " ansible-docker-test-01234567-container Pulled \n"
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 80c52c26780_ansible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 80c52c26780_ansible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "80c52c26780_ansible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "80c52c26780_ansible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 9121995872d_ansible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 9121995872d_ansible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "9121995872d_ansible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "9121995872d_ansible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-(changed)",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2-present-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-container Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-container Pulled \n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-container Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-container Pulled \n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-container",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-(idempotent-check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-(idempotent)",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-stopped",
+        "2.18.1",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-stopped-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=always",
+        "2.18.1",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 002a15404ac_ansible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 002a15404ac_ansible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "002a15404ac_ansible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "002a15404ac_ansible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container ec060c7b341_ansible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container ec060c7b341_ansible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ec060c7b341_ansible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ec060c7b341_ansible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=missing",
+        "2.18.1",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent)",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent,-check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.18.1",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.18.1",
+        False,
+        True,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        "Error response from daemon: No such image: does-not-exist:latest\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                "Error response from daemon: No such image: does-not-exist:latest",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-7c5458ac-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-dba91fb6-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-without-explicit-pull",
+        "2.18.1",
+        False,
+        True,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Error \n"
+        "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\n",  # noqa: E501
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied",  # noqa: E501
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-present-without-explicit-pull-(check)",
+        "2.18.1",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-restarted",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-restarted-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-started",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-started-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-stopped",
+        "2.18.1",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-07-docker_compose_v2-stopped-(check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2_pull-pull-(check)",
+        "2.18.1",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont  - Pull error for image: does-not-exist:latest \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.18.1",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2_pull-pull-with-policy=always-(again)",
+        "2.18.1",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.12-ubuntu1804
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.12-ubuntu1804
+    (
+        "2.18.1-2.12-ubuntu1804-2024-01-13-docker_compose_v2_pull-pull-with-policy=always-(again,-check)",
+        "2.18.1",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # #######################################################################################################################
+    # ## Docker Compose 2.21.0 ##############################################################################################
+    # #######################################################################################################################
+    # docker_compose_v2: "Absent" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-absent",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-absent-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Resource is still in use\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                None,
+                "Resource is still in use",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Cleanup" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-cleanup",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopping\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopped\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removing\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removed\n"
+        " Network ansible-docker-test-01234567-pull_default  Removing\n"
+        " Network ansible-docker-test-01234567-pull_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present",
+        "2.21.0",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 054e03eb5ea_ansible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 054e03eb5ea_ansible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "054e03eb5ea_ansible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "054e03eb5ea_ansible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 0a77f424a61_ansible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 0a77f424a61_ansible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "0a77f424a61_ansible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "0a77f424a61_ansible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 0e165a36533_ansible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 0e165a36533_ansible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "0e165a36533_ansible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "0e165a36533_ansible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 26bf8ff1675_ansible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 26bf8ff1675_ansible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "26bf8ff1675_ansible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "26bf8ff1675_ansible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 27c209a84a5_ansible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 27c209a84a5_ansible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "27c209a84a5_ansible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "27c209a84a5_ansible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 4b568108657_ansible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 4b568108657_ansible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "4b568108657_ansible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "4b568108657_ansible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 6dc8d091c94_ansible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 6dc8d091c94_ansible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "6dc8d091c94_ansible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "6dc8d091c94_ansible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 71b893893dc_ansible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 71b893893dc_ansible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "71b893893dc_ansible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "71b893893dc_ansible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 71e7a319c23_ansible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 71e7a319c23_ansible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "71e7a319c23_ansible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "71e7a319c23_ansible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 78e827e6673_ansible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 78e827e6673_ansible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "78e827e6673_ansible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "78e827e6673_ansible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 7971b0c189d_ansible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 7971b0c189d_ansible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "7971b0c189d_ansible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "7971b0c189d_ansible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 7b8d91093c9_ansible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 7b8d91093c9_ansible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "7b8d91093c9_ansible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "7b8d91093c9_ansible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 7bedd9b4513_ansible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 7bedd9b4513_ansible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "7bedd9b4513_ansible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "7bedd9b4513_ansible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container 87873e68934_ansible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container 87873e68934_ansible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "87873e68934_ansible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "87873e68934_ansible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container a81dce9774b_ansible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container a81dce9774b_ansible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "a81dce9774b_ansible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "a81dce9774b_ansible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container d28b7978587_ansible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container d28b7978587_ansible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "d28b7978587_ansible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "d28b7978587_ansible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container dea4aafe907_ansible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container dea4aafe907_ansible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "dea4aafe907_ansible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "dea4aafe907_ansible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container e508faa8323_ansible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container e508faa8323_ansible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "e508faa8323_ansible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "e508faa8323_ansible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container ef57cb7913f_ansible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container ef57cb7913f_ansible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ef57cb7913f_ansible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ef57cb7913f_ansible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container efe8857a191_ansible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container efe8857a191_ansible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "efe8857a191_ansible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "efe8857a191_ansible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container f0de40ba686_ansible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container f0de40ba686_ansible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "f0de40ba686_ansible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "f0de40ba686_ansible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container f6416652e13_ansible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container f6416652e13_ansible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "f6416652e13_ansible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "f6416652e13_ansible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-(changed)",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-07-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2-present-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-(idempotent-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-(idempotent)",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-stopped",
+        "2.21.0",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-stopped-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 0b4286904e0_ansible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 0b4286904e0_ansible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "0b4286904e0_ansible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "0b4286904e0_ansible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 0d5362bac93_ansible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 0d5362bac93_ansible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "0d5362bac93_ansible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "0d5362bac93_ansible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 3d7b7be6dbe_ansible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 3d7b7be6dbe_ansible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "3d7b7be6dbe_ansible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "3d7b7be6dbe_ansible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 49ff7fef052_ansible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 49ff7fef052_ansible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "49ff7fef052_ansible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "49ff7fef052_ansible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 5d30320650e_ansible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 5d30320650e_ansible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "5d30320650e_ansible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "5d30320650e_ansible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 611a044106b_ansible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 611a044106b_ansible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "611a044106b_ansible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "611a044106b_ansible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 61802a08aa6_ansible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 61802a08aa6_ansible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "61802a08aa6_ansible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "61802a08aa6_ansible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 61bd1b13d9c_ansible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 61bd1b13d9c_ansible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "61bd1b13d9c_ansible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "61bd1b13d9c_ansible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 769aec9cd4d_ansible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 769aec9cd4d_ansible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "769aec9cd4d_ansible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "769aec9cd4d_ansible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 813ca227a6f_ansible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 813ca227a6f_ansible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "813ca227a6f_ansible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "813ca227a6f_ansible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 8a586ed91d6_ansible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 8a586ed91d6_ansible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "8a586ed91d6_ansible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "8a586ed91d6_ansible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 8bec416e98d_ansible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 8bec416e98d_ansible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "8bec416e98d_ansible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "8bec416e98d_ansible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 906450ba6e7_ansible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 906450ba6e7_ansible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "906450ba6e7_ansible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "906450ba6e7_ansible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container a99ed30c7d6_ansible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container a99ed30c7d6_ansible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "a99ed30c7d6_ansible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "a99ed30c7d6_ansible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container b78faf8a742_ansible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container b78faf8a742_ansible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "b78faf8a742_ansible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "b78faf8a742_ansible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container be1b2a9ca28_ansible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container be1b2a9ca28_ansible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "be1b2a9ca28_ansible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "be1b2a9ca28_ansible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container c9d730c2613_ansible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container c9d730c2613_ansible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "c9d730c2613_ansible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "c9d730c2613_ansible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container da16aa68f6f_ansible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container da16aa68f6f_ansible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "da16aa68f6f_ansible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "da16aa68f6f_ansible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container dff4b309c58_ansible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container dff4b309c58_ansible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "dff4b309c58_ansible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "dff4b309c58_ansible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container ecd243ea972_ansible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container ecd243ea972_ansible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ecd243ea972_ansible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ecd243ea972_ansible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container f48d54a75fb_ansible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container f48d54a75fb_ansible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "f48d54a75fb_ansible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "f48d54a75fb_ansible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container fa8f62dfced_ansible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container fa8f62dfced_ansible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "fa8f62dfced_ansible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "fa8f62dfced_ansible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=missing",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent)",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent,-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.21.0",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.21.0",
+        False,
+        True,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        "Error response from daemon: No such image: does-not-exist:latest\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                "Error response from daemon: No such image: does-not-exist:latest",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.21.0",
+        False,
+        True,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        "Error response from daemon: no such image: does-not-exist:latest: No such image: does-not-exist:latest\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                "Error response from daemon: no such image: does-not-exist:latest: No such image: does-not-exist:latest",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-19ffba88-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1ba2643a-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-1f1d0d58-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-2460e737-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4baa7139-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.14-rhel9.0
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-4fcbaf1e-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-51914faa-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-5f3d2e16-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-601188b1-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-64d917f4-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-6aaaa304-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-834c1a9b-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-971ad57c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ad622acd-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-b2745d99-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ce1fa4d7-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d1d30700-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-devel-rhel9.3-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d2caf0c9-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d616c3a5-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-d6ae094c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-e700ac20-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-ede01681-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-without-explicit-pull",
+        "2.21.0",
+        False,
+        True,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Error \n"
+        "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\n",  # noqa: E501
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied",  # noqa: E501
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-present-without-explicit-pull-(check)",
+        "2.21.0",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-restarted",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-restarted-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-started",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-started-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-stopped",
+        "2.21.0",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-07-docker_compose_v2-stopped-(check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2_pull-pull-(check)",
+        "2.21.0",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont  - Pull error for image: does-not-exist:latest \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.15-rhel7.9
+    (
+        "2.21.0-2.15-rhel7.9-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]   34.2kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.15-rhel9.1
+    (
+        "2.21.0-2.15-rhel9.1-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.12kB/2.207MB\n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.16-rhel9.2
+    (
+        "2.21.0-2.16-rhel9.2-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.12kB/2.207MB\n"
+        " 486039affc0a Downloading [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-rhel9.3
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.16-centos7
+    (
+        "2.21.0-2.16-centos7-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [================================================>  ]   2.13MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-devel-ubuntu2204-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [===============================================>   ]  2.097MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-debian-bookworm
+    (
+        "2.21.0-devel-debian-bookworm-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==============================================>    ]  2.032MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-ubuntu2004
+    (
+        "2.21.0-devel-ubuntu2004-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [============================================>      ]  1.966MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in 2.15-centos7
+    (
+        "2.21.0-2.15-centos7-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [=======================================>           ]  1.737MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-debian-bullseye
+    (
+        "2.21.0-devel-debian-bullseye-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [=====================================>             ]  1.638MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2_pull-pull-with-policy=always-(again)",
+        "2.21.0",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (again, check)" on 2024-01-13 in devel-ubuntu2204
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.14-rhel9.0
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.15-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.15-rhel7.9
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.15-rhel9.1
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.16-centos7
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in 2.16-rhel9.2
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-debian-bookworm
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-debian-bullseye
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-rhel9.3
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-ubuntu2004
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-ubuntu2204
+    (
+        "2.21.0-2.14-rhel9.0-2024-01-13-docker_compose_v2_pull-pull-with-policy=always-(again,-check)",
+        "2.21.0",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # #######################################################################################################################
+    # ## Docker Compose 2.23.3 ##############################################################################################
+    # #######################################################################################################################
+    # docker_compose_v2: "Absent" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Absent" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-absent",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Absent (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Absent (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-absent-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removing\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Removed\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Removing\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Resource is still in use\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                None,
+                "Resource is still in use",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Cleanup" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Cleanup" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Stopping service" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-cleanup",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopping\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Stopped\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removing\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Removed\n"
+        " Network ansible-docker-test-01234567-pull_default  Removing\n"
+        " Network ansible-docker-test-01234567-pull_default  Removed\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Stopped",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removing",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Removed",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removing",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Removed",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present",
+        "2.23.3",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-07 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-(changed-check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container df477f7889c_ansible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container df477f7889c_ansible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "df477f7889c_ansible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "df477f7889c_ansible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2-present-(changed-check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " DRY-RUN MODE -  Container e3161c3ca1e_ansible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container e3161c3ca1e_ansible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "e3161c3ca1e_ansible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "e3161c3ca1e_ansible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (changed)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present (changed)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-(changed)",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreate\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Recreated\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2-present-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (check)" on 2024-01-07 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present (idempotent check)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started (idempotent check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-(idempotent-check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present (idempotent)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present (idempotent)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started (idempotent)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-(idempotent)",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present stopped" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-stopped",
+        "2.23.3",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present stopped (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present stopped (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-stopped-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-start-stop_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Created\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-start-stop_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Created",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=always" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=always",
+        "2.23.3",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-07 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=always-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container 9f33f2ddb62_ansible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container 9f33f2ddb62_ansible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "9f33f2ddb62_ansible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "9f33f2ddb62_ansible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=always (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2-present-with-pull=always-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreate\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Recreated\n"
+        " DRY-RUN MODE -  Container e6dd7e14964_ansible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container e6dd7e14964_ansible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreate",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Recreated",
+                None,
+            ),
+            Event(
+                "container",
+                "e6dd7e14964_ansible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "e6dd7e14964_ansible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=missing" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=missing",
+        "2.23.3",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (check)" on 2024-01-07 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=missing-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent)",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=missing (idempotent, check)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (idempotent, check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=missing-(idempotent,-check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Running\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Running",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.23.3",
+        False,
+        False,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=never",
+        "2.23.3",
+        False,
+        True,
+        " Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " Network ansible-docker-test-01234567-pull_default  Created\n"
+        " Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        "Error response from daemon: no such image: does-not-exist:latest: No such image: does-not-exist:latest\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                "Error response from daemon: no such image: does-not-exist:latest: No such image: does-not-exist:latest",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2-present-with-pull=never-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-26fefc5c-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present with pull=never (check)" on 2024-01-07 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-with-pull=never-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Creating\n"
+        " DRY-RUN MODE -  Network ansible-docker-test-01234567-pull_default  Created\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Creating\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1  Created\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Starting\n"
+        " DRY-RUN MODE -  Container nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1  Started\n",
+        [
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "ansible-docker-test-01234567-pull_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-pull-ansible-docker-test-01234567-cont-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "nsible-docker-test-bc362ba-pull-ansible-docker-test-01234567-cont-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present without explicit pull" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2_pull: "Pull" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-without-explicit-pull",
+        "2.23.3",
+        False,
+        True,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Error \n"
+        "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\n",  # noqa: E501
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "Error response from daemon: pull access denied for does-not-exist, repository does not exist or may require 'docker login': denied: requested access to the resource is denied",  # noqa: E501
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Present without explicit pull (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Present without explicit pull (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-present-without-explicit-pull-(check)",
+        "2.23.3",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-restarted",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Restarted (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-restarted-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Restarting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Restarting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-started",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Started (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Started (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-started-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Starting\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Started\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Stopped" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-stopped",
+        "2.23.3",
+        False,
+        False,
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2: "Stopped (check)" on 2024-01-07 in devel-archlinux
+    # Duplicated in: docker_compose_v2: "Stopped (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-07-docker_compose_v2-stopped-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Running\n"
+        "\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopping\n"
+        " DRY-RUN MODE -  Container ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1  Stopped\n",
+        [
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Running",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopping",
+                None,
+            ),
+            Event(
+                "container",
+                "ansible-docker-test-01234567-start-stop-ansible-docker-test-01234567-container-1",
+                "Stopped",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-(check)",
+        "2.23.3",
+        True,
+        True,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Error \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont  - Pull error for image: does-not-exist:latest \n"
+        "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed\n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Error",
+                "pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-with-policy=always",
+        "2.23.3",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=always (check)" on 2024-01-13 in devel-archlinux
+    # Duplicated in: docker_compose_v2_pull: "Pull with policy=missing (check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-with-policy=always-(check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulling \n"
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=missing" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-with-policy=missing",
+        "2.23.3",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Pulling \n"
+        " 486039affc0a Pulling fs layer \n"
+        " 486039affc0a Downloading [>                                                  ]  32.16kB/2.207MB\n"
+        " 486039affc0a Verifying Checksum \n"
+        " 486039affc0a Download complete \n"
+        " 486039affc0a Extracting [>                                                  ]  32.77kB/2.207MB\n"
+        " 486039affc0a Extracting [==========================================>        ]  1.868MB/2.207MB\n"
+        " 486039affc0a Extracting [==================================================>]  2.207MB/2.207MB\n"
+        " 486039affc0a Pull complete \n"
+        " ansible-docker-test-01234567-cont Pulled \n",
+        [
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Verifying Checksum",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "486039affc0a",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "service",
+                "ansible-docker-test-01234567-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=missing (idempotent)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-with-policy=missing-(idempotent)",
+        "2.23.3",
+        False,
+        False,
+        " ansible-docker-test-01234567-cont Skipped - Image is already present locally \n",
+        [
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Skipped",
+                "Image is already present locally",
+            ),
+        ],
+        [],
+    ),
+    # docker_compose_v2_pull: "Pull with policy=missing (idempotent, check)" on 2024-01-13 in devel-archlinux
+    (
+        "2.23.3-devel-archlinux-2024-01-13-docker_compose_v2_pull-pull-with-policy=missing-(idempotent,-check)",
+        "2.23.3",
+        True,
+        False,
+        " DRY-RUN MODE -  ansible-docker-test-01234567-cont Skipped - Image is already present locally \n",
+        [
+            Event(
+                "unknown",
+                "ansible-docker-test-01234567-cont",
+                "Skipped",
+                "Image is already present locally",
+            ),
+        ],
+        [],
+    ),
+]
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__compose_v2.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__compose_v2.py
new file mode 100644
index 00000000..419107f9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__compose_v2.py
@@ -0,0 +1,591 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._compose_v2 import (
+    Event,
+    parse_events,
+    parse_json_events,
+)
+
+from .compose_v2_test_cases import EVENT_TEST_CASES
+
+EXTRA_TEST_CASES: list[tuple[str, str, bool, bool, str, list[Event], list[str]]] = [
+    (
+        "2.24.2-manual-build-dry-run",
+        "2.24.2",
+        True,
+        False,
+        " DRY-RUN MODE -    build service foobar \n"
+        " DRY-RUN MODE -  ==> ==> writing image dryRun-8843d7f92416211de9ebb963ff4ce28125932878 \n"
+        " DRY-RUN MODE -  ==> ==> naming to my-python \n"
+        " DRY-RUN MODE -  Network compose_default  Creating\n"
+        " DRY-RUN MODE -  Network compose_default  Created\n"
+        " DRY-RUN MODE -  Container compose-foobar-1  Creating\n"
+        " DRY-RUN MODE -  Container compose-foobar-1  Created\n"
+        " DRY-RUN MODE -  Container ompose-foobar-1  Starting\n"
+        " DRY-RUN MODE -  Container ompose-foobar-1  Started\n",
+        [
+            Event(
+                "service",
+                "foobar",
+                "Building",
+                None,
+            ),
+            Event(
+                "network",
+                "compose_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "compose_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "compose-foobar-1",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "compose-foobar-1",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "ompose-foobar-1",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "ompose-foobar-1",
+                "Started",
+                None,
+            ),
+        ],
+        [],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/785
+        "2.20.0-manual-pull",
+        "2.20.0",
+        False,
+        False,
+        "4f4fb700ef54 Waiting\n"
+        "238022553356 Downloading     541B/541B\n"
+        "972e292d3a60 Downloading    106kB/10.43MB\n"
+        "f2543dc9f0a9 Downloading  25.36kB/2.425MB\n"
+        "972e292d3a60 Downloading  5.925MB/10.43MB\n"
+        "f2543dc9f0a9 Downloading  2.219MB/2.425MB\n"
+        "f2543dc9f0a9 Extracting  32.77kB/2.425MB\n"
+        "4f4fb700ef54 Downloading      32B/32B\n"
+        "f2543dc9f0a9 Extracting  2.425MB/2.425MB\n"
+        "972e292d3a60 Extracting  131.1kB/10.43MB\n"
+        "972e292d3a60 Extracting  10.43MB/10.43MB\n"
+        "238022553356 Extracting     541B/541B\n"
+        "4f4fb700ef54 Extracting      32B/32B\n",
+        [
+            Event(
+                "image-layer",
+                "4f4fb700ef54",
+                "Waiting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "238022553356",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "972e292d3a60",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "f2543dc9f0a9",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "972e292d3a60",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "f2543dc9f0a9",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "f2543dc9f0a9",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "4f4fb700ef54",
+                "Downloading",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "f2543dc9f0a9",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "972e292d3a60",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "972e292d3a60",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "238022553356",
+                "Extracting",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "4f4fb700ef54",
+                "Extracting",
+                None,
+            ),
+        ],
+        [],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/787
+        "2.20.3-logrus-warn",
+        "2.20.3",
+        False,
+        False,
+        'time="2024-02-02T08:14:10+01:00" level=warning msg="a network with name influxNetwork exists but was not'
+        ' created for project \\"influxdb\\".\\nSet `external: true` to use an existing network"\n',
+        [],
+        [
+            'a network with name influxNetwork exists but was not created for project "influxdb".\nSet `external: true` to use an existing network',
+        ],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/807
+        "2.20.3-image-warning-error",
+        "2.20.3",
+        False,
+        True,
+        " dummy3 Warning \n"
+        " dummy2 Warning \n"
+        " dummy Error \n"
+        " dummy4 Warning Foo bar \n"
+        " dummy5 Error Bar baz bam \n",
+        [
+            Event(
+                "unknown",
+                "dummy",
+                "Error",
+                None,
+            ),
+            Event(
+                "unknown",
+                "dummy5",
+                "Error",
+                "Bar baz bam",
+            ),
+        ],
+        [
+            "Unspecified warning for dummy3",
+            "Unspecified warning for dummy2",
+            "dummy4: Foo bar",
+        ],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/911
+        "2.28.1-image-pull-skipped",
+        "2.28.1",
+        False,
+        False,
+        # fmt: off
+        " bash_1 Skipped \n bash_2 Pulling \n bash_2 Pulled \n",
+        # fmt: on
+        [
+            Event(
+                "unknown",
+                "bash_1",
+                "Skipped",
+                None,
+            ),
+            Event(
+                "service",
+                "bash_2",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "bash_2",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/948
+        "2.28.1-unknown",  # TODO: find out actual version!
+        "2.28.1",  # TODO: find out actual version!
+        False,
+        True,
+        " prometheus Pulling \n"
+        " prometheus Pulled \n"
+        'network internet-monitoring-front-tier was found but has incorrect label com.docker.compose.network set to "internet-monitoring-front-tier"\n',
+        [
+            Event(
+                "service",
+                "prometheus",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "service",
+                "prometheus",
+                "Pulled",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                'network internet-monitoring-front-tier was found but has incorrect label com.docker.compose.network set to "internet-monitoring-front-tier"',
+            ),
+        ],
+        [],
+    ),
+    (
+        # https://github.com/ansible-collections/community.docker/issues/978
+        "2.28.1-unknown",  # TODO: find out actual version!
+        "2.28.1",  # TODO: find out actual version!
+        False,
+        True,
+        " Network create_users_db_default  Creating\n"
+        " Network create_users_db_default  Created\n"
+        " Container create_users_db-init  Creating\n"
+        " Container create_users_db-init  Created\n"
+        " Container create_users_db-init  Starting\n"
+        " Container create_users_db-init  Started\n"
+        " Container create_users_db-init  Waiting\n"
+        "container create_users_db-init exited (0)\n",
+        [
+            Event(
+                "network",
+                "create_users_db_default",
+                "Creating",
+                None,
+            ),
+            Event(
+                "network",
+                "create_users_db_default",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "create_users_db-init",
+                "Creating",
+                None,
+            ),
+            Event(
+                "container",
+                "create_users_db-init",
+                "Created",
+                None,
+            ),
+            Event(
+                "container",
+                "create_users_db-init",
+                "Starting",
+                None,
+            ),
+            Event(
+                "container",
+                "create_users_db-init",
+                "Started",
+                None,
+            ),
+            Event(
+                "container",
+                "create_users_db-init",
+                "Waiting",
+                None,
+            ),
+            Event(
+                "unknown",
+                "",
+                "Error",
+                "container create_users_db-init exited (0)",
+            ),
+        ],
+        [],
+    ),
+]
+
+_ALL_TEST_CASES = EVENT_TEST_CASES + EXTRA_TEST_CASES
+
+
+@pytest.mark.parametrize(
+    "test_id, compose_version, dry_run, nonzero_rc, stderr, events, warnings",
+    _ALL_TEST_CASES,
+    ids=[tc[0] for tc in _ALL_TEST_CASES],
+)
+def test_parse_events(
+    test_id: str,
+    compose_version: str,
+    dry_run: bool,
+    nonzero_rc: bool,
+    stderr: str,
+    events: list[Event],
+    warnings: list[str],
+) -> None:
+    collected_warnings = []
+
+    def collect_warning(msg: str) -> None:
+        collected_warnings.append(msg)
+
+    collected_events = parse_events(
+        stderr.encode("utf-8"),
+        dry_run=dry_run,
+        warn_function=collect_warning,
+        nonzero_rc=nonzero_rc,
+    )
+
+    print(collected_events)
+    print(collected_warnings)
+
+    assert collected_events == events
+    assert collected_warnings == warnings
+
+
+JSON_TEST_CASES: list[tuple[str, str, str, list[Event], list[str]]] = [
+    (
+        "pull-compose-2",
+        "2.40.3",
+        '{"level":"warning","msg":"/tmp/ansible.f9pcm_i3.test/ansible-docker-test-3c46cd06-pull/docker-compose.yml: the attribute `version`'
+        ' is obsolete, it will be ignored, please remove it to avoid potential confusion","time":"2025-12-06T13:16:30Z"}\n'
+        '{"id":"ansible-docker-test-3c46cd06-cont","text":"Pulling"}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Pulling fs layer"}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Downloading","status":"[\\u003e    '
+        '                                              ]   6.89kB/599.9kB","current":6890,"total":599883,"percent":1}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Download complete","percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Extracting","status":"[==\\u003e   '
+        '                                             ]  32.77kB/599.9kB","current":32768,"total":599883,"percent":5}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Extracting","status":"[============'
+        '======================================\\u003e]  599.9kB/599.9kB","current":599883,"total":599883,"percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Extracting","status":"[============'
+        '======================================\\u003e]  599.9kB/599.9kB","current":599883,"total":599883,"percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"ansible-docker-test-3c46cd06-cont","text":"Pull complete","percent":100}\n'
+        '{"id":"ansible-docker-test-3c46cd06-cont","text":"Pulled"}\n',
+        [
+            Event(
+                "unknown",
+                None,
+                "Warning",
+                "/tmp/ansible.f9pcm_i3.test/ansible-docker-test-3c46cd06-pull/docker-compose.yml: the attribute `version` is obsolete,"
+                " it will be ignored, please remove it to avoid potential confusion",
+            ),
+            Event(
+                "image",
+                "ansible-docker-test-3c46cd06-cont",
+                "Pulling",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Pulling fs layer",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Downloading",
+                "[>                                                  ]   6.89kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Download complete",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Extracting",
+                "[==>                                                ]  32.77kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Extracting",
+                "[==================================================>]  599.9kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Extracting",
+                "[==================================================>]  599.9kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "63a26ae4e8a8",
+                "Pull complete",
+                None,
+            ),
+            Event(
+                "image",
+                "ansible-docker-test-3c46cd06-cont",
+                "Pulled",
+                None,
+            ),
+        ],
+        [],
+    ),
+    (
+        "pull-compose-5",
+        "5.0.0",
+        '{"level":"warning","msg":"/tmp/ansible.1n0q46aj.test/ansible-docker-test-b2fa9191-pull/docker-compose.yml: the attribute'
+        ' `version` is obsolete, it will be ignored, please remove it to avoid potential confusion","time":"2025-12-06T13:08:22Z"}\n'
+        '{"id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"Pulling"}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working"}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"[\\u003e       '
+        '                                           ]   6.89kB/599.9kB","current":6890,"total":599883,"percent":1}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"[=============='
+        '====================================\\u003e]  599.9kB/599.9kB","current":599883,"total":599883,"percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working"}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Done","percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"[==\\u003e     '
+        '                                           ]  32.77kB/599.9kB","current":32768,"total":599883,"percent":5}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"[=============='
+        '====================================\\u003e]  599.9kB/599.9kB","current":599883,"total":599883,"percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Working","text":"[=============='
+        '====================================\\u003e]  599.9kB/599.9kB","current":599883,"total":599883,"percent":100}\n'
+        '{"id":"63a26ae4e8a8","parent_id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Done","percent":100}\n'
+        '{"id":"Image ghcr.io/ansible-collections/simple-1:tag","status":"Done","text":"Pulled"}\n',
+        [
+            Event(
+                "unknown",
+                None,
+                "Warning",
+                "/tmp/ansible.1n0q46aj.test/ansible-docker-test-b2fa9191-pull/docker-compose.yml: the attribute `version`"
+                " is obsolete, it will be ignored, please remove it to avoid potential confusion",
+            ),
+            Event(
+                "image",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Pulling",
+                "Working",
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                None,
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                "[>                                                  ]   6.89kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                "[==================================================>]  599.9kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                None,
+            ),
+            Event(
+                "image-layer", "ghcr.io/ansible-collections/simple-1:tag", "Done", None
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                "[==>                                                ]  32.77kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                "[==================================================>]  599.9kB/599.9kB",
+            ),
+            Event(
+                "image-layer",
+                "ghcr.io/ansible-collections/simple-1:tag",
+                "Working",
+                "[==================================================>]  599.9kB/599.9kB",
+            ),
+            Event(
+                "image-layer", "ghcr.io/ansible-collections/simple-1:tag", "Done", None
+            ),
+            Event(
+                "image", "ghcr.io/ansible-collections/simple-1:tag", "Pulled", "Done"
+            ),
+        ],
+        [],
+    ),
+]
+
+
+@pytest.mark.parametrize(
+    "test_id, compose_version, stderr, events, warnings",
+    JSON_TEST_CASES,
+    ids=[tc[0] for tc in JSON_TEST_CASES],
+)
+def test_parse_json_events(
+    test_id: str,
+    compose_version: str,
+    stderr: str,
+    events: list[Event],
+    warnings: list[str],
+) -> None:
+    collected_warnings = []
+
+    def collect_warning(msg: str) -> None:
+        collected_warnings.append(msg)
+
+    collected_events = parse_json_events(
+        stderr.encode("utf-8"),
+        warn_function=collect_warning,
+    )
+
+    print(collected_events)
+    print(collected_warnings)
+
+    assert collected_events == events
+    assert collected_warnings == warnings
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__copy.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__copy.py
new file mode 100644
index 00000000..7892b344
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__copy.py
@@ -0,0 +1,87 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._copy import (
+    _stream_generator_to_fileobj,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Sequence
+
+    T = t.TypeVar("T")
+
+
+def _simple_generator(sequence: Sequence[T]) -> t.Generator[T]:
+    yield from sequence
+
+
+@pytest.mark.parametrize(
+    "chunks, read_sizes",
+    [
+        (
+            [
+                (1, b"1"),
+                (1, b"2"),
+                (1, b"3"),
+                (1, b"4"),
+            ],
+            [
+                1,
+                2,
+                3,
+            ],
+        ),
+        (
+            [
+                (1, b"123"),
+                (1, b"456"),
+                (1, b"789"),
+            ],
+            [
+                1,
+                4,
+                2,
+                2,
+                2,
+            ],
+        ),
+        (
+            [
+                (10 * 1024 * 1024, b"0"),
+                (10 * 1024 * 1024, b"1"),
+            ],
+            [
+                1024 * 1024 - 5,
+                5 * 1024 * 1024 - 3,
+                10 * 1024 * 1024 - 2,
+                2 * 1024 * 1024 - 1,
+                2 * 1024 * 1024 + 5 + 3 + 2 + 1,
+            ],
+        ),
+    ],
+)
+def test__stream_generator_to_fileobj(
+    chunks: list[tuple[int, bytes]], read_sizes: list[int]
+) -> None:
+    data_chunks = [count * data for count, data in chunks]
+    stream = _simple_generator(data_chunks)
+    expected = b"".join(data_chunks)
+
+    buffer = b""
+    totally_read = 0
+    f = _stream_generator_to_fileobj(stream)
+    for read_size in read_sizes:
+        chunk = f.read(read_size)
+        assert len(chunk) == min(read_size, len(expected) - len(buffer))
+        buffer += chunk
+        totally_read += read_size
+
+    assert buffer == expected[: len(buffer)]
+    assert min(totally_read, len(expected)) == len(buffer)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_archive.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_archive.py
new file mode 100644
index 00000000..1a7340c8
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_archive.py
@@ -0,0 +1,97 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import tarfile
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._image_archive import (
+    ImageArchiveInvalidException,
+    api_image_id,
+    archived_image_manifest,
+)
+
+from ..test_support.docker_image_archive_stubbing import (
+    write_imitation_archive,
+    write_imitation_archive_with_manifest,
+    write_irrelevant_tar,
+)
+
+
+@pytest.fixture(name="tar_file_name")
+def tar_file_name_fixture(tmpdir: t.Any) -> str:
+    """
+    Return the name of a non-existing tar file in an existing temporary directory.
+    """
+
+    # Cast to str required by Python 2.x
+    return str(tmpdir.join("foo.tar"))
+
+
+@pytest.mark.parametrize(
+    "expected, value", [("sha256:foo", "foo"), ("sha256:bar", "bar")]
+)
+def test_api_image_id_from_archive_id(expected: str, value: str) -> None:
+    assert api_image_id(value) == expected
+
+
+def test_archived_image_manifest_extracts(tar_file_name: str) -> None:
+    expected_id = "abcde12345"
+    expected_tags = ["foo:latest", "bar:v1"]
+
+    write_imitation_archive(tar_file_name, expected_id, expected_tags)
+
+    actual = archived_image_manifest(tar_file_name)
+
+    assert actual is not None
+    assert actual.image_id == expected_id
+    assert actual.repo_tags == expected_tags
+
+
+def test_archived_image_manifest_extracts_nothing_when_file_not_present(
+    tar_file_name: str,
+) -> None:
+    image_id = archived_image_manifest(tar_file_name)
+
+    assert image_id is None
+
+
+def test_archived_image_manifest_raises_when_file_not_a_tar() -> None:
+    try:
+        archived_image_manifest(__file__)
+        raise AssertionError()
+    except ImageArchiveInvalidException as e:
+        assert isinstance(e.__cause__, tarfile.ReadError)
+        assert str(__file__) in str(e)
+
+
+def test_archived_image_manifest_raises_when_tar_missing_manifest(
+    tar_file_name: str,
+) -> None:
+    write_irrelevant_tar(tar_file_name)
+
+    try:
+        archived_image_manifest(tar_file_name)
+        raise AssertionError()
+    except ImageArchiveInvalidException as e:
+        assert isinstance(e.__cause__, KeyError)
+        assert "manifest.json" in str(e.__cause__)
+
+
+def test_archived_image_manifest_raises_when_manifest_missing_id(
+    tar_file_name: str,
+) -> None:
+    manifest = [{"foo": "bar"}]
+
+    write_imitation_archive_with_manifest(tar_file_name, manifest)
+
+    try:
+        archived_image_manifest(tar_file_name)
+        raise AssertionError()
+    except ImageArchiveInvalidException as e:
+        assert isinstance(e.__cause__, KeyError)
+        assert "Config" in str(e.__cause__)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_name.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_name.py
new file mode 100644
index 00000000..ec6e436d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__image_name.py
@@ -0,0 +1,271 @@
+# Copyright (c) 2025 Felix Fontein
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import re
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._image_name import (
+    ImageName,
+    is_digest,
+    is_tag,
+)
+
+TEST_IS_DIGEST: list[tuple[str, dict[str, t.Any], bool]] = [
+    ("", {}, False),
+    ("", {"allow_empty": True}, True),
+    ("sha256:abc", {}, False),
+    (f"sha256:{'a' * 63}", {}, False),
+    (f"sha256:{'a' * 64}", {}, True),
+    (f"sha256:{'a' * 65}", {}, False),
+    (
+        "sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        {},
+        True,
+    ),
+    ("1.25.3", {}, False),
+]
+
+
+@pytest.mark.parametrize("name, kwargs, expected", TEST_IS_DIGEST)
+def test_is_digest(name: str, kwargs: dict[str, t.Any], expected: bool) -> None:
+    assert is_digest(name, **kwargs) == expected
+
+
+TEST_IS_TAG: list[tuple[str, dict[str, t.Any], bool]] = [
+    ("", {}, False),
+    ("", {"allow_empty": True}, True),
+    ("foo", {}, True),
+    ("-foo", {}, False),
+    ("f" * 128, {}, True),
+    ("f" * 129, {}, False),
+    (
+        "sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        {},
+        False,
+    ),
+    ("1.25.3", {}, True),
+]
+
+
+@pytest.mark.parametrize("name, kwargs, expected", TEST_IS_TAG)
+def test_is_tag(name: str, kwargs: dict[str, t.Any], expected: bool) -> None:
+    assert is_tag(name, **kwargs) == expected
+
+
+TEST_IMAGE_NAME_VALIDATE_SUCCESS: list[ImageName] = [
+    ImageName(registry="localhost", path="nginx", tag=None, digest=None),
+    ImageName(registry=None, path="nginx", tag="1.25.3", digest=None),
+    ImageName(
+        registry=None,
+        path="nginx",
+        tag=None,
+        digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+    ),
+    ImageName(
+        registry=None,
+        path="nginx",
+        tag="1.25.3",
+        digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+    ),
+]
+
+
+@pytest.mark.parametrize("data", TEST_IMAGE_NAME_VALIDATE_SUCCESS)
+def test_imagename_validate_success(data: ImageName) -> None:
+    assert data.validate() is data
+
+
+TEST_IMAGE_NAME_VALIDATE_FAILED: list[tuple[ImageName, str]] = [
+    (
+        ImageName(registry="-foo", path="", tag=None, digest=None),
+        'Invalid registry name (-foo): must not begin or end with a "-".',
+    ),
+    (
+        ImageName(registry="foo:", path="", tag=None, digest=None),
+        'Invalid registry name (foo:): must not end with ":".',
+    ),
+    (ImageName(registry=None, path="", tag=None, digest=None), "Invalid path ()."),
+    (ImageName(registry=None, path="-", tag=None, digest=None), "Invalid path (-)."),
+    (ImageName(registry=None, path="/", tag=None, digest=None), "Invalid path (/)."),
+    (ImageName(registry=None, path="a", tag="-", digest=None), "Invalid tag (-)."),
+    (ImageName(registry=None, path="a", tag=None, digest="-"), "Invalid digest (-)."),
+]
+
+
+@pytest.mark.parametrize("data, expected", TEST_IMAGE_NAME_VALIDATE_FAILED)
+def test_imagename_validate_failed(data: ImageName, expected: str) -> None:
+    with pytest.raises(ValueError, match=f"^{re.escape(expected)}$"):
+        data.validate()
+
+
+TEST_IMAGE_NAME_PARSE: list[tuple[str, ImageName]] = [
+    ("", ImageName(registry=None, path="", tag=None, digest=None)),
+    ("foo", ImageName(registry=None, path="foo", tag=None, digest=None)),
+    ("foo:5000", ImageName(registry=None, path="foo", tag="5000", digest=None)),
+    ("foo:5000/", ImageName(registry="foo:5000", path="", tag=None, digest=None)),
+    ("foo:5000/bar", ImageName(registry="foo:5000", path="bar", tag=None, digest=None)),
+    ("/bar", ImageName(registry=None, path="/bar", tag=None, digest=None)),
+    (
+        "localhost/foo:5000",
+        ImageName(registry="localhost", path="foo", tag="5000", digest=None),
+    ),
+    (
+        "foo.bar/baz:5000",
+        ImageName(registry="foo.bar", path="baz", tag="5000", digest=None),
+    ),
+    (
+        "foo:bar/baz:bam:5000",
+        ImageName(registry="foo:bar", path="baz:bam", tag="5000", digest=None),
+    ),
+    ("foo:bar:baz", ImageName(registry=None, path="foo:bar", tag="baz", digest=None)),
+    ("foo@bar@baz", ImageName(registry=None, path="foo@bar", tag=None, digest="baz")),
+    ("nginx:1.25.3", ImageName(registry=None, path="nginx", tag="1.25.3", digest=None)),
+    (
+        "nginx@sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag=None,
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+    ),
+    (
+        "nginx:1.25.3@sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag="1.25.3",
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+    ),
+]
+
+
+@pytest.mark.parametrize("name, expected", TEST_IMAGE_NAME_PARSE)
+def test_imagename_parse(name: str, expected: ImageName) -> None:
+    assert ImageName.parse(name) == expected
+
+
+TEST_IMAGE_NAME_COMBINE: list[tuple[ImageName, str]] = [
+    (ImageName(registry=None, path="", tag=None, digest=None), ""),
+    (ImageName(registry=None, path="nginx", tag="1.25.3", digest=None), "nginx:1.25.3"),
+    (
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag=None,
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+        "nginx@sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+    ),
+    (
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag="1.25.3",
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+        "nginx:1.25.3@sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+    ),
+]
+
+
+@pytest.mark.parametrize("data, expected", TEST_IMAGE_NAME_COMBINE)
+def test_imagename_combine(data: ImageName, expected: str) -> None:
+    assert data.combine() == expected
+
+
+TEST_IMAGE_NAME_NORMALIZE: list[tuple[ImageName, ImageName]] = [
+    (
+        ImageName(registry=None, path="", tag=None, digest=None),
+        ImageName(registry="docker.io", path="", tag=None, digest=None),
+    ),
+    (
+        ImageName(registry="", path="", tag=None, digest=None),
+        ImageName(registry="docker.io", path="", tag=None, digest=None),
+    ),
+    (
+        ImageName(registry="index.docker.io", path="", tag=None, digest=None),
+        ImageName(registry="docker.io", path="", tag=None, digest=None),
+    ),
+    (
+        ImageName(registry="registry.hub.docker.com", path="", tag=None, digest=None),
+        ImageName(registry="docker.io", path="", tag=None, digest=None),
+    ),
+    (
+        ImageName(registry=None, path="foo/bar", tag=None, digest=None),
+        ImageName(registry="docker.io", path="foo/bar", tag=None, digest=None),
+    ),
+    (
+        ImageName(registry=None, path="nginx", tag="1.25.3", digest=None),
+        ImageName(
+            registry="docker.io", path="library/nginx", tag="1.25.3", digest=None
+        ),
+    ),
+    (
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag=None,
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+        ImageName(
+            registry="docker.io",
+            path="library/nginx",
+            tag=None,
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+    ),
+    (
+        ImageName(
+            registry=None,
+            path="nginx",
+            tag="1.25.3",
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+        ImageName(
+            registry="docker.io",
+            path="library/nginx",
+            tag="1.25.3",
+            digest="sha256:d02f9b9db4d759ef27dc26b426b842ff2fb881c5c6079612d27ec36e36b132dd",
+        ),
+    ),
+]
+
+
+@pytest.mark.parametrize("data, expected", TEST_IMAGE_NAME_NORMALIZE)
+def test_imagename_normalize(data: ImageName, expected: ImageName) -> None:
+    assert data.normalize() == expected
+
+
+TEST_IMAGE_NAME_HOSTNAME_AND_PORT: list[tuple[ImageName, str, int]] = [
+    (
+        ImageName(registry="docker.io", path="", tag=None, digest=None),
+        "index.docker.io",
+        443,
+    ),
+    (ImageName(registry="localhost", path="", tag=None, digest=None), "localhost", 443),
+    (ImageName(registry="foo:5000", path="", tag=None, digest=None), "foo", 5000),
+]
+
+
+@pytest.mark.parametrize(
+    "data, expected_hostname, expected_port", TEST_IMAGE_NAME_HOSTNAME_AND_PORT
+)
+def test_imagename_get_hostname_and_port(
+    data: ImageName, expected_hostname: str, expected_port: int
+) -> None:
+    hostname, port = data.get_hostname_and_port()
+    assert hostname == expected_hostname
+    assert port == expected_port
+
+
+def test_imagename_get_hostname_and_port_fail() -> None:
+    msg = "Cannot get hostname when there is no registry. Normalize first!"
+    with pytest.raises(ValueError, match=f"^{re.escape(msg)}$"):
+        ImageName(registry=None, path="", tag=None, digest=None).get_hostname_and_port()
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__logfmt.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__logfmt.py
new file mode 100644
index 00000000..43496b87
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__logfmt.py
@@ -0,0 +1,102 @@
+# Copyright (c) 2024, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._logfmt import (
+    InvalidLogFmt,
+    parse_line,
+)
+
+SUCCESS_TEST_CASES: list[tuple[str, dict[str, t.Any], dict[str, t.Any]]] = [
+    (
+        'time="2024-02-02T08:14:10+01:00" level=warning msg="a network with name influxNetwork exists but was not'
+        ' created for project \\"influxdb\\".\\nSet `external: true` to use an existing network"',
+        {},
+        {
+            "time": "2024-02-02T08:14:10+01:00",
+            "level": "warning",
+            "msg": 'a network with name influxNetwork exists but was not created for project "influxdb".\nSet `external: true` to use an existing network',
+        },
+    ),
+    (
+        'time="2024-02-02T08:14:10+01:00" level=warning msg="a network with name influxNetwork exists but was not'
+        ' created for project \\"influxdb\\".\\nSet `external: true` to use an existing network"',
+        {"logrus_mode": True},
+        {
+            "time": "2024-02-02T08:14:10+01:00",
+            "level": "warning",
+            "msg": 'a network with name influxNetwork exists but was not created for project "influxdb".\nSet `external: true` to use an existing network',
+        },
+    ),
+    (
+        'foo=bar a=14 baz="hello kitty" cool%story=bro f %^asdf',
+        {},
+        {
+            "foo": "bar",
+            "a": "14",
+            "baz": "hello kitty",
+            "cool%story": "bro",
+            "f": None,
+            "%^asdf": None,
+        },
+    ),
+    (
+        '{"foo":"bar"}',
+        {},
+        {
+            "{": None,
+            "foo": None,
+            ":": None,
+            "bar": None,
+            "}": None,
+        },
+    ),
+]
+
+
+FAILURE_TEST_CASES: list[tuple[str, dict[str, t.Any], str]] = [
+    (
+        'foo=bar a=14 baz="hello kitty" cool%story=bro f %^asdf',
+        {"logrus_mode": True},
+        'Key must always be followed by "=" in logrus mode',
+    ),
+    (
+        "{}",
+        {"logrus_mode": True},
+        'Key must always be followed by "=" in logrus mode',
+    ),
+    (
+        "[]",
+        {"logrus_mode": True},
+        'Key must always be followed by "=" in logrus mode',
+    ),
+    (
+        '{"foo=bar": "baz=bam"}',
+        {"logrus_mode": True},
+        'Key must always be followed by "=" in logrus mode',
+    ),
+]
+
+
+@pytest.mark.parametrize("line, kwargs, result", SUCCESS_TEST_CASES)
+def test_parse_line_success(
+    line: str, kwargs: dict[str, t.Any], result: dict[str, t.Any]
+) -> None:
+    res = parse_line(line, **kwargs)
+    print(repr(res))
+    assert res == result
+
+
+@pytest.mark.parametrize("line, kwargs, message", FAILURE_TEST_CASES)
+def test_parse_line_failure(line: str, kwargs: dict[str, t.Any], message: str) -> None:
+    with pytest.raises(InvalidLogFmt) as exc:
+        parse_line(line, **kwargs)
+
+    print(repr(exc.value.args[0]))
+    assert exc.value.args[0] == message
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__scramble.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__scramble.py
new file mode 100644
index 00000000..28683639
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__scramble.py
@@ -0,0 +1,30 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._scramble import (
+    scramble,
+    unscramble,
+)
+
+
+@pytest.mark.parametrize(
+    "plaintext, key, scrambled",
+    [
+        ("", b"0", "=S="),
+        ("hello", b"\x00", "=S=aGVsbG8="),
+        ("hello", b"\x01", "=S=aWRtbW4="),
+    ],
+)
+def test_scramble_unscramble(plaintext: str, key: bytes, scrambled: str) -> None:
+    scrambled_ = scramble(plaintext, key)
+    print(f"{scrambled_!r} == {scrambled!r}")
+    assert scrambled_ == scrambled
+
+    plaintext_ = unscramble(scrambled, key)
+    print(f"{plaintext_!r} == {plaintext!r}")
+    assert plaintext_ == plaintext
diff --git a/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__util.py b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__util.py
new file mode 100644
index 00000000..af69ca29
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/module_utils/test__util.py
@@ -0,0 +1,469 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._util import (
+    compare_dict_allow_more_present,
+    compare_generic,
+    convert_duration_to_nanosecond,
+    parse_healthcheck,
+)
+
+if t.TYPE_CHECKING:
+
+    class DAMSpec(t.TypedDict):
+        av: dict[str, t.Any]
+        bv: dict[str, t.Any]
+        result: bool
+
+    class Spec(t.TypedDict):
+        a: t.Any
+        b: t.Any
+        method: t.Literal["strict", "ignore", "allow_more_present"]
+        type: t.Literal["value", "list", "set", "set(dict)", "dict"]
+        result: bool
+
+
+DICT_ALLOW_MORE_PRESENT: list[DAMSpec] = [
+    {"av": {}, "bv": {"a": 1}, "result": True},
+    {"av": {"a": 1}, "bv": {"a": 1, "b": 2}, "result": True},
+    {"av": {"a": 1}, "bv": {"b": 2}, "result": False},
+    {"av": {"a": 1}, "bv": {"a": None, "b": 1}, "result": False},
+    {"av": {"a": None}, "bv": {"b": 1}, "result": False},
+]
+
+DICT_ALLOW_MORE_PRESENT_SPECS: list[Spec] = [
+    {
+        "a": entry["av"],
+        "b": entry["bv"],
+        "method": "allow_more_present",
+        "type": "dict",
+        "result": entry["result"],
+    }
+    for entry in DICT_ALLOW_MORE_PRESENT
+]
+
+COMPARE_GENERIC: list[Spec] = [
+    ########################################################################################
+    # value
+    {"a": 1, "b": 2, "method": "strict", "type": "value", "result": False},
+    {"a": "hello", "b": "hello", "method": "strict", "type": "value", "result": True},
+    {"a": None, "b": "hello", "method": "strict", "type": "value", "result": False},
+    {"a": None, "b": None, "method": "strict", "type": "value", "result": True},
+    {"a": 1, "b": 2, "method": "ignore", "type": "value", "result": True},
+    {"a": None, "b": 2, "method": "ignore", "type": "value", "result": True},
+    ########################################################################################
+    # list
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "y",
+        ],
+        "method": "strict",
+        "type": "list",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "x",
+            "x",
+        ],
+        "method": "strict",
+        "type": "list",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "strict",
+        "type": "list",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "y",
+            "x",
+        ],
+        "method": "strict",
+        "type": "list",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+        ],
+        "method": "allow_more_present",
+        "type": "list",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "allow_more_present",
+        "type": "list",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "allow_more_present",
+        "type": "list",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+            "z",
+        ],
+        "b": [
+            "x",
+            "y",
+            "x",
+            "z",
+        ],
+        "method": "allow_more_present",
+        "type": "list",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "y",
+            "x",
+        ],
+        "method": "ignore",
+        "type": "list",
+        "result": True,
+    },
+    ########################################################################################
+    # set
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "y",
+        ],
+        "method": "strict",
+        "type": "set",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "x",
+            "x",
+        ],
+        "method": "strict",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "strict",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "y",
+            "x",
+        ],
+        "method": "strict",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+        ],
+        "method": "allow_more_present",
+        "type": "set",
+        "result": False,
+    },
+    {
+        "a": [
+            "x",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "allow_more_present",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "x",
+            "y",
+        ],
+        "b": [
+            "x",
+            "y",
+        ],
+        "method": "allow_more_present",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "z",
+        ],
+        "b": [
+            "x",
+            "y",
+            "x",
+            "z",
+        ],
+        "method": "allow_more_present",
+        "type": "set",
+        "result": True,
+    },
+    {
+        "a": [
+            "x",
+            "a",
+        ],
+        "b": [
+            "y",
+            "z",
+        ],
+        "method": "ignore",
+        "type": "set",
+        "result": True,
+    },
+    ########################################################################################
+    # set(dict)
+    {
+        "a": [
+            {"x": 1},
+        ],
+        "b": [
+            {"y": 1},
+        ],
+        "method": "strict",
+        "type": "set(dict)",
+        "result": False,
+    },
+    {
+        "a": [
+            {"x": 1},
+        ],
+        "b": [
+            {"x": 1},
+        ],
+        "method": "strict",
+        "type": "set(dict)",
+        "result": True,
+    },
+    {
+        "a": [
+            {"x": 1},
+        ],
+        "b": [
+            {"x": 1, "y": 2},
+        ],
+        "method": "strict",
+        "type": "set(dict)",
+        "result": True,
+    },
+    {
+        "a": [
+            {"x": 1},
+            {"x": 2, "y": 3},
+        ],
+        "b": [
+            {"x": 1},
+            {"x": 2, "y": 3},
+        ],
+        "method": "strict",
+        "type": "set(dict)",
+        "result": True,
+    },
+    {
+        "a": [
+            {"x": 1},
+        ],
+        "b": [
+            {"x": 1, "z": 2},
+            {"x": 2, "y": 3},
+        ],
+        "method": "allow_more_present",
+        "type": "set(dict)",
+        "result": True,
+    },
+    {
+        "a": [
+            {"x": 1, "y": 2},
+        ],
+        "b": [
+            {"x": 1},
+            {"x": 2, "y": 3},
+        ],
+        "method": "allow_more_present",
+        "type": "set(dict)",
+        "result": False,
+    },
+    {
+        "a": [
+            {"x": 1, "y": 3},
+        ],
+        "b": [
+            {"x": 1},
+            {"x": 1, "y": 3, "z": 4},
+        ],
+        "method": "allow_more_present",
+        "type": "set(dict)",
+        "result": True,
+    },
+    {
+        "a": [
+            {"x": 1},
+            {"x": 2, "y": 3},
+        ],
+        "b": [
+            {"x": 1},
+        ],
+        "method": "ignore",
+        "type": "set(dict)",
+        "result": True,
+    },
+    ########################################################################################
+    # dict
+    {"a": {"x": 1}, "b": {"y": 1}, "method": "strict", "type": "dict", "result": False},
+    {
+        "a": {"x": 1},
+        "b": {"x": 1, "y": 2},
+        "method": "strict",
+        "type": "dict",
+        "result": False,
+    },
+    {"a": {"x": 1}, "b": {"x": 1}, "method": "strict", "type": "dict", "result": True},
+    {
+        "a": {"x": 1, "z": 2},
+        "b": {"x": 1, "y": 2},
+        "method": "strict",
+        "type": "dict",
+        "result": False,
+    },
+    {
+        "a": {"x": 1, "z": 2},
+        "b": {"x": 1, "y": 2},
+        "method": "ignore",
+        "type": "dict",
+        "result": True,
+    },
+]
+
+
+@pytest.mark.parametrize("entry", DICT_ALLOW_MORE_PRESENT)
+def test_dict_allow_more_present(entry: DAMSpec) -> None:
+    assert compare_dict_allow_more_present(entry["av"], entry["bv"]) == entry["result"]
+
+
+@pytest.mark.parametrize("entry", COMPARE_GENERIC + DICT_ALLOW_MORE_PRESENT_SPECS)
+def test_compare_generic(entry: Spec) -> None:
+    assert (
+        compare_generic(entry["a"], entry["b"], entry["method"], entry["type"])
+        == entry["result"]
+    )
+
+
+def test_convert_duration_to_nanosecond() -> None:
+    nanoseconds = convert_duration_to_nanosecond("5s")
+    assert nanoseconds == 5000000000
+    nanoseconds = convert_duration_to_nanosecond("1m5s")
+    assert nanoseconds == 65000000000
+    with pytest.raises(ValueError):
+        convert_duration_to_nanosecond([1, 2, 3])  # type: ignore
+    with pytest.raises(ValueError):
+        convert_duration_to_nanosecond("10x")
+
+
+def test_parse_healthcheck() -> None:
+    result, disabled = parse_healthcheck(
+        {
+            "test": "sleep 1",
+            "interval": "1s",
+        }
+    )
+    assert disabled is False
+    assert result == {"test": ["CMD-SHELL", "sleep 1"], "interval": 1000000000}
+
+    result, disabled = parse_healthcheck(
+        {
+            "test": ["NONE"],
+        }
+    )
+    assert result is None
+    assert disabled
+
+    result, disabled = parse_healthcheck({"test": "sleep 1", "interval": "1s423ms"})
+    assert result == {"test": ["CMD-SHELL", "sleep 1"], "interval": 1423000000}
+    assert disabled is False
+
+    result, disabled = parse_healthcheck(
+        {"test": "sleep 1", "interval": "1h1m2s3ms4us"}
+    )
+    assert result == {"test": ["CMD-SHELL", "sleep 1"], "interval": 3662003004000}
+    assert disabled is False
diff --git a/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_container_copy_into.py b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_container_copy_into.py
new file mode 100644
index 00000000..131ed660
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_container_copy_into.py
@@ -0,0 +1,84 @@
+# Copyright 2025 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.modules.docker_container_copy_into import (
+    parse_modern,
+    parse_octal_string_only,
+)
+
+
+@pytest.mark.parametrize(
+    "value, expected",
+    [
+        ("0777", 0o777),
+        ("777", 0o777),
+        ("0o777", 0o777),
+        ("0755", 0o755),
+        ("755", 0o755),
+        ("0o755", 0o755),
+        ("0644", 0o644),
+        ("644", 0o644),
+        ("0o644", 0o644),
+        (" 0644 ", 0o644),
+        (" 644 ", 0o644),
+        (" 0o644 ", 0o644),
+        ("-1", -1),
+    ],
+)
+def test_parse_string(value: str, expected: int) -> None:
+    assert parse_modern(value) == expected
+    assert parse_octal_string_only(value) == expected
+
+
+@pytest.mark.parametrize(
+    "value",
+    [
+        0o777,
+        0o755,
+        0o644,
+        12345,
+        123456789012345678901234567890123456789012345678901234567890,
+    ],
+)
+def test_parse_int(value: int) -> None:
+    assert parse_modern(value) == value
+    with pytest.raises(TypeError, match=f"^must be an octal string, got {value}L?$"):
+        parse_octal_string_only(value)  # type: ignore
+
+
+@pytest.mark.parametrize(
+    "value",
+    [
+        1.0,
+        755.5,
+        [],
+        {},
+    ],
+)
+def test_parse_bad_type(value: t.Any) -> None:
+    with pytest.raises(TypeError, match="^must be an octal string or an integer, got "):
+        parse_modern(value)
+    with pytest.raises(TypeError, match="^must be an octal string, got "):
+        parse_octal_string_only(value)
+
+
+@pytest.mark.parametrize(
+    "value",
+    [
+        "foo",
+        "8",
+        "9",
+    ],
+)
+def test_parse_bad_value(value: str) -> None:
+    with pytest.raises(ValueError):
+        parse_modern(value)
+    with pytest.raises(ValueError):
+        parse_octal_string_only(value)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image.py b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image.py
new file mode 100644
index 00000000..fb0d0543
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image.py
@@ -0,0 +1,121 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.module_utils._image_archive import (
+    api_image_id,
+)
+from ansible_collections.community.docker.plugins.modules.docker_image import (
+    ImageManager,
+)
+
+from ..test_support.docker_image_archive_stubbing import (
+    write_imitation_archive,
+    write_irrelevant_tar,
+)
+
+if t.TYPE_CHECKING:
+    from collections.abc import Callable
+
+
+def assert_no_logging(msg: str) -> t.NoReturn:
+    raise AssertionError(f"Should not have logged anything but logged {msg}")
+
+
+def capture_logging(messages: list[str]) -> Callable[[str], None]:
+    def capture(msg: str) -> None:
+        messages.append(msg)
+
+    return capture
+
+
+@pytest.fixture(name="tar_file_name")
+def tar_file_name_fixture(tmpdir: t.Any) -> str:
+    """
+    Return the name of a non-existing tar file in an existing temporary directory.
+    """
+
+    return tmpdir.join("foo.tar")
+
+
+def test_archived_image_action_when_missing(tar_file_name: str) -> None:
+    fake_name = "a:latest"
+    fake_id = "a1"
+
+    expected = f"Archived image {fake_name} to {tar_file_name}, since none present"
+
+    actual = ImageManager.archived_image_action(
+        assert_no_logging, tar_file_name, fake_name, api_image_id(fake_id)
+    )
+
+    assert actual == expected
+
+
+def test_archived_image_action_when_current(tar_file_name: str) -> None:
+    fake_name = "b:latest"
+    fake_id = "b2"
+
+    write_imitation_archive(tar_file_name, fake_id, [fake_name])
+
+    actual = ImageManager.archived_image_action(
+        assert_no_logging, tar_file_name, fake_name, api_image_id(fake_id)
+    )
+
+    assert actual is None
+
+
+def test_archived_image_action_when_invalid(tar_file_name: str) -> None:
+    fake_name = "c:1.2.3"
+    fake_id = "c3"
+
+    write_irrelevant_tar(tar_file_name)
+
+    expected = f"Archived image {fake_name} to {tar_file_name}, overwriting an unreadable archive file"
+
+    actual_log: list[str] = []
+    actual = ImageManager.archived_image_action(
+        capture_logging(actual_log), tar_file_name, fake_name, api_image_id(fake_id)
+    )
+
+    assert actual == expected
+
+    assert len(actual_log) == 1
+    assert actual_log[0].startswith("Unable to extract manifest summary from archive")
+
+
+def test_archived_image_action_when_obsolete_by_id(tar_file_name: str) -> None:
+    fake_name = "d:0.0.1"
+    old_id = "e5"
+    new_id = "d4"
+
+    write_imitation_archive(tar_file_name, old_id, [fake_name])
+
+    expected = f"Archived image {fake_name} to {tar_file_name}, overwriting archive with image {old_id} named {fake_name}"
+    actual = ImageManager.archived_image_action(
+        assert_no_logging, tar_file_name, fake_name, api_image_id(new_id)
+    )
+
+    assert actual == expected
+
+
+def test_archived_image_action_when_obsolete_by_name(tar_file_name: str) -> None:
+    old_name = "hi"
+    new_name = "d:0.0.1"
+    fake_id = "d4"
+
+    write_imitation_archive(tar_file_name, fake_id, [old_name])
+
+    expected = f"Archived image {new_name} to {tar_file_name}, overwriting archive with image {fake_id} named {old_name}"
+    actual = ImageManager.archived_image_action(
+        assert_no_logging, tar_file_name, new_name, api_image_id(fake_id)
+    )
+
+    print(f"actual   : {actual}")
+    print(f"expected : {expected}")
+    assert actual == expected
diff --git a/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image_build.py b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image_build.py
new file mode 100644
index 00000000..9ca54380
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_image_build.py
@@ -0,0 +1,25 @@
+# Copyright 2024 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import pytest
+
+from ansible_collections.community.docker.plugins.modules.docker_image_build import (
+    _quote_csv,
+)
+
+
+@pytest.mark.parametrize(
+    "value, expected",
+    [
+        ("", ""),
+        (" ", '" "'),
+        (",", '","'),
+        ('"', '""""'),
+        ('\rhello, "hi" !\n', '"\rhello, ""hi"" !\n"'),
+    ],
+)
+def test__quote_csv(value: str, expected: str) -> None:
+    assert _quote_csv(value) == expected
diff --git a/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_network.py b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_network.py
new file mode 100644
index 00000000..d548629d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_network.py
@@ -0,0 +1,46 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""Unit tests for docker_network."""
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.modules.docker_network import (
+    validate_cidr,
+)
+
+
+@pytest.mark.parametrize(
+    "cidr,expected",
+    [
+        ("192.168.0.1/16", "ipv4"),
+        ("192.168.0.1/24", "ipv4"),
+        ("192.168.0.1/32", "ipv4"),
+        ("fdd1:ac8c:0557:7ce2::/64", "ipv6"),
+        ("fdd1:ac8c:0557:7ce2::/128", "ipv6"),
+    ],
+)
+def test_validate_cidr_positives(
+    cidr: str, expected: t.Literal["ipv4", "ipv6"]
+) -> None:
+    assert validate_cidr(cidr) == expected
+
+
+@pytest.mark.parametrize(
+    "cidr",
+    [
+        "192.168.0.1",
+        "192.168.0.1/34",
+        "192.168.0.1/asd",
+        "fdd1:ac8c:0557:7ce2::",
+    ],
+)
+def test_validate_cidr_negatives(cidr: str) -> None:
+    with pytest.raises(ValueError) as e:
+        validate_cidr(cidr)
+    assert f'"{cidr}" is not a valid CIDR' == str(e.value)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_swarm_service.py b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_swarm_service.py
new file mode 100644
index 00000000..c8f1fbb4
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/modules/test_docker_swarm_service.py
@@ -0,0 +1,377 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+
+from ansible_collections.community.docker.plugins.modules import (
+    docker_swarm_service,
+)
+
+APIError = pytest.importorskip("docker.errors.APIError")
+
+
+def test_retry_on_out_of_sequence_error(mocker: t.Any) -> None:
+    run_mock = mocker.MagicMock(
+        side_effect=APIError(
+            message="",
+            response=None,
+            explanation="rpc error: code = Unknown desc = update out of sequence",
+        )
+    )
+    mocker.patch("time.sleep")
+    manager = docker_swarm_service.DockerServiceManager(client=None)  # type: ignore
+    manager.run = run_mock  # type: ignore
+    with pytest.raises(APIError):
+        manager.run_safe()
+    assert run_mock.call_count == 3
+
+
+def test_no_retry_on_general_api_error(mocker: t.Any) -> None:
+    run_mock = mocker.MagicMock(
+        side_effect=APIError(message="", response=None, explanation="some error")
+    )
+    mocker.patch("time.sleep")
+    manager = docker_swarm_service.DockerServiceManager(client=None)  # type: ignore
+    manager.run = run_mock  # type: ignore
+    with pytest.raises(APIError):
+        manager.run_safe()
+    assert run_mock.call_count == 1
+
+
+def test_get_docker_environment(mocker: t.Any) -> None:
+    env_file_result = {"TEST1": "A", "TEST2": "B", "TEST3": "C"}
+    env_dict = {"TEST3": "CC", "TEST4": "D"}
+    env_string = "TEST3=CC,TEST4=D"
+
+    env_list = ["TEST3=CC", "TEST4=D"]
+    expected_result = sorted(["TEST1=A", "TEST2=B", "TEST3=CC", "TEST4=D"])
+    mocker.patch.object(
+        docker_swarm_service, "parse_env_file", return_value=env_file_result
+    )
+    mocker.patch.object(
+        docker_swarm_service,
+        "format_environment",
+        side_effect=lambda d: [f"{key}={value}" for key, value in d.items()],
+    )
+    # Test with env dict and file
+    result = docker_swarm_service.get_docker_environment(
+        env_dict, env_files=["dummypath"]
+    )
+    assert result == expected_result
+    # Test with env list and file
+    result = docker_swarm_service.get_docker_environment(
+        env_list, env_files=["dummypath"]
+    )
+    assert result == expected_result
+    # Test with env string and file
+    result = docker_swarm_service.get_docker_environment(
+        env_string, env_files=["dummypath"]
+    )
+    assert result == expected_result
+
+    assert result == expected_result
+    # Test with empty env
+    result = docker_swarm_service.get_docker_environment([], env_files=None)
+    assert result == []
+    # Test with empty env_files
+    result = docker_swarm_service.get_docker_environment(None, env_files=[])
+    assert result == []
+
+
+def test_get_nanoseconds_from_raw_option() -> None:
+    value = docker_swarm_service.get_nanoseconds_from_raw_option("test", None)
+    assert value is None
+
+    value = docker_swarm_service.get_nanoseconds_from_raw_option("test", "1m30s535ms")
+    assert value == 90535000000
+
+    value = docker_swarm_service.get_nanoseconds_from_raw_option("test", 10000000000)
+    assert value == 10000000000
+
+    with pytest.raises(ValueError):
+        docker_swarm_service.get_nanoseconds_from_raw_option("test", [])
+
+
+def test_has_dict_changed() -> None:
+    assert not docker_swarm_service.has_dict_changed(
+        {"a": 1},
+        {"a": 1},
+    )
+    assert not docker_swarm_service.has_dict_changed({"a": 1}, {"a": 1, "b": 2})
+    assert docker_swarm_service.has_dict_changed({"a": 1}, {"a": 2, "b": 2})
+    assert docker_swarm_service.has_dict_changed({"a": 1, "b": 1}, {"a": 1})
+    assert not docker_swarm_service.has_dict_changed(None, {"a": 2, "b": 2})
+    assert docker_swarm_service.has_dict_changed({}, {"a": 2, "b": 2})
+    assert docker_swarm_service.has_dict_changed({"a": 1}, {})
+    assert docker_swarm_service.has_dict_changed({"a": 1}, None)
+    assert not docker_swarm_service.has_dict_changed({}, {})
+    assert not docker_swarm_service.has_dict_changed(None, None)
+    assert not docker_swarm_service.has_dict_changed({}, None)
+    assert not docker_swarm_service.has_dict_changed(None, {})
+
+
+def test_has_list_changed() -> None:
+    # List comparisons without dictionaries
+    # I could improve the indenting, but pycodestyle wants this instead
+    assert not docker_swarm_service.has_list_changed(None, None)
+    assert not docker_swarm_service.has_list_changed(None, [])
+    assert not docker_swarm_service.has_list_changed(None, [1, 2])
+
+    assert not docker_swarm_service.has_list_changed([], None)
+    assert not docker_swarm_service.has_list_changed([], [])
+    assert docker_swarm_service.has_list_changed([], [1, 2])
+
+    assert docker_swarm_service.has_list_changed([1, 2], None)
+    assert docker_swarm_service.has_list_changed([1, 2], [])
+
+    assert docker_swarm_service.has_list_changed([1, 2, 3], [1, 2])
+    assert docker_swarm_service.has_list_changed([1, 2], [1, 2, 3])
+
+    # Check list sorting
+    assert not docker_swarm_service.has_list_changed([1, 2], [2, 1])
+    assert docker_swarm_service.has_list_changed([1, 2], [2, 1], sort_lists=False)
+
+    # Check type matching
+    assert docker_swarm_service.has_list_changed([None, 1], [2, 1])
+    assert docker_swarm_service.has_list_changed([2, 1], [None, 1])
+    assert docker_swarm_service.has_list_changed(
+        ["command --with args"], ["command", "--with", "args"]
+    )
+    assert docker_swarm_service.has_list_changed(
+        ["sleep", "3400"], ["sleep", "3600"], sort_lists=False
+    )
+
+    # List comparisons with dictionaries
+    assert not docker_swarm_service.has_list_changed(
+        [{"a": 1}], [{"a": 1}], sort_key="a"
+    )
+
+    assert not docker_swarm_service.has_list_changed(
+        [{"a": 1}, {"a": 2}], [{"a": 1}, {"a": 2}], sort_key="a"
+    )
+
+    with pytest.raises(ValueError):
+        docker_swarm_service.has_list_changed(
+            [{"a": 1}, {"a": 2}], [{"a": 1}, {"a": 2}]
+        )
+
+    # List sort checking with sort key
+    assert not docker_swarm_service.has_list_changed(
+        [{"a": 1}, {"a": 2}], [{"a": 2}, {"a": 1}], sort_key="a"
+    )
+    assert docker_swarm_service.has_list_changed(
+        [{"a": 1}, {"a": 2}], [{"a": 2}, {"a": 1}], sort_lists=False
+    )
+
+    assert docker_swarm_service.has_list_changed(
+        [{"a": 1}, {"a": 2}, {"a": 3}], [{"a": 2}, {"a": 1}], sort_key="a"
+    )
+    assert docker_swarm_service.has_list_changed(
+        [{"a": 1}, {"a": 2}], [{"a": 1}, {"a": 2}, {"a": 3}], sort_lists=False
+    )
+
+    # Additional dictionary elements
+    assert not docker_swarm_service.has_list_changed(
+        [
+            {"src": 1, "dst": 2},
+            {"src": 1, "dst": 2, "protocol": "udp"},
+        ],
+        [
+            {"src": 1, "dst": 2, "protocol": "tcp"},
+            {"src": 1, "dst": 2, "protocol": "udp"},
+        ],
+        sort_key="dst",
+    )
+    assert not docker_swarm_service.has_list_changed(
+        [
+            {"src": 1, "dst": 2, "protocol": "udp"},
+            {"src": 1, "dst": 3, "protocol": "tcp"},
+        ],
+        [
+            {"src": 1, "dst": 2, "protocol": "udp"},
+            {"src": 1, "dst": 3, "protocol": "tcp"},
+        ],
+        sort_key="dst",
+    )
+    assert docker_swarm_service.has_list_changed(
+        [
+            {"src": 1, "dst": 2, "protocol": "udp"},
+            {"src": 1, "dst": 2},
+            {"src": 3, "dst": 4},
+        ],
+        [
+            {"src": 1, "dst": 3, "protocol": "udp"},
+            {"src": 1, "dst": 2, "protocol": "tcp"},
+            {"src": 3, "dst": 4, "protocol": "tcp"},
+        ],
+        sort_key="dst",
+    )
+    assert docker_swarm_service.has_list_changed(
+        [
+            {"src": 1, "dst": 3, "protocol": "tcp"},
+            {"src": 1, "dst": 2, "protocol": "udp"},
+        ],
+        [
+            {"src": 1, "dst": 2, "protocol": "tcp"},
+            {"src": 1, "dst": 2, "protocol": "udp"},
+        ],
+        sort_key="dst",
+    )
+    assert docker_swarm_service.has_list_changed(
+        [
+            {"src": 1, "dst": 2, "protocol": "udp"},
+            {"src": 1, "dst": 2, "protocol": "tcp", "extra": {"test": "foo"}},
+        ],
+        [
+            {"src": 1, "dst": 2, "protocol": "udp"},
+            {"src": 1, "dst": 2, "protocol": "tcp"},
+        ],
+        sort_key="dst",
+    )
+    assert not docker_swarm_service.has_list_changed(
+        [{"id": "123", "aliases": []}], [{"id": "123"}], sort_key="id"
+    )
+
+
+def test_have_networks_changed() -> None:
+    assert not docker_swarm_service.have_networks_changed(None, None)
+
+    assert not docker_swarm_service.have_networks_changed([], None)
+
+    assert not docker_swarm_service.have_networks_changed([{"id": 1}], [{"id": 1}])
+
+    assert docker_swarm_service.have_networks_changed(
+        [{"id": 1}], [{"id": 1}, {"id": 2}]
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2}], [{"id": 1}, {"id": 2}]
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2}], [{"id": 2}, {"id": 1}]
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2, "aliases": []}], [{"id": 1}, {"id": 2}]
+    )
+
+    assert docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2, "aliases": ["alias1"]}], [{"id": 1}, {"id": 2}]
+    )
+
+    assert docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2, "aliases": ["alias1", "alias2"]}],
+        [{"id": 1}, {"id": 2, "aliases": ["alias1"]}],
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2, "aliases": ["alias1", "alias2"]}],
+        [{"id": 1}, {"id": 2, "aliases": ["alias1", "alias2"]}],
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1}, {"id": 2, "aliases": ["alias1", "alias2"]}],
+        [{"id": 1}, {"id": 2, "aliases": ["alias2", "alias1"]}],
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [{"id": 1, "options": {}}, {"id": 2, "aliases": ["alias1", "alias2"]}],
+        [{"id": 1}, {"id": 2, "aliases": ["alias2", "alias1"]}],
+    )
+
+    assert not docker_swarm_service.have_networks_changed(
+        [
+            {"id": 1, "options": {"option1": "value1"}},
+            {"id": 2, "aliases": ["alias1", "alias2"]},
+        ],
+        [
+            {"id": 1, "options": {"option1": "value1"}},
+            {"id": 2, "aliases": ["alias2", "alias1"]},
+        ],
+    )
+
+    assert docker_swarm_service.have_networks_changed(
+        [
+            {"id": 1, "options": {"option1": "value1"}},
+            {"id": 2, "aliases": ["alias1", "alias2"]},
+        ],
+        [
+            {"id": 1, "options": {"option1": "value2"}},
+            {"id": 2, "aliases": ["alias2", "alias1"]},
+        ],
+    )
+
+
+def test_get_docker_networks() -> None:
+    network_names = [
+        "network_1",
+        "network_2",
+        "network_3",
+        "network_4",
+    ]
+    networks: list[str | dict[str, t.Any]] = [
+        network_names[0],
+        {"name": network_names[1]},
+        {"name": network_names[2], "aliases": ["networkalias1"]},
+        {
+            "name": network_names[3],
+            "aliases": ["networkalias2"],
+            "options": {"foo": "bar"},
+        },
+    ]
+    network_ids = {
+        network_names[0]: "1",
+        network_names[1]: "2",
+        network_names[2]: "3",
+        network_names[3]: "4",
+    }
+    parsed_networks = docker_swarm_service.get_docker_networks(networks, network_ids)
+    assert len(parsed_networks) == 4
+    for i, network in enumerate(parsed_networks):
+        assert "name" not in network
+        assert "id" in network
+        expected_name = network_names[i]
+        assert network["id"] == network_ids[expected_name]
+        if i == 2:
+            assert network["aliases"] == ["networkalias1"]
+        if i == 3:
+            assert network["aliases"] == ["networkalias2"]
+        if i == 3:
+            assert "foo" in network["options"]
+    # Test missing name
+    with pytest.raises(TypeError):
+        docker_swarm_service.get_docker_networks([{"invalid": "err"}], {"err": "x"})
+    # test for invalid aliases type
+    with pytest.raises(TypeError):
+        docker_swarm_service.get_docker_networks(
+            [{"name": "test", "aliases": 1}], {"test": "x"}
+        )
+    # Test invalid aliases elements
+    with pytest.raises(TypeError):
+        docker_swarm_service.get_docker_networks(
+            [{"name": "test", "aliases": [1]}], {"test": "x"}
+        )
+    # Test for invalid options type
+    with pytest.raises(TypeError):
+        docker_swarm_service.get_docker_networks(
+            [{"name": "test", "options": 1}], {"test": "x"}
+        )
+    # Test for non existing networks
+    with pytest.raises(ValueError):
+        docker_swarm_service.get_docker_networks(
+            [{"name": "idontexist"}], {"test": "x"}
+        )
+    # Test empty values
+    assert docker_swarm_service.get_docker_networks([], {}) == []
+    assert docker_swarm_service.get_docker_networks(None, {}) is None
+    # Test invalid options
+    with pytest.raises(TypeError):
+        docker_swarm_service.get_docker_networks(
+            [{"name": "test", "nonexisting_option": "foo"}], {"test": "1"}
+        )
diff --git a/ansible_collections/community/docker/tests/unit/plugins/plugin_utils/test__unsafe.py b/ansible_collections/community/docker/tests/unit/plugins/plugin_utils/test__unsafe.py
new file mode 100644
index 00000000..f9f17eac
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/plugin_utils/test__unsafe.py
@@ -0,0 +1,169 @@
+# Copyright (c) 2024, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import typing as t
+
+import pytest
+from ansible_collections.community.internal_test_tools.tests.unit.utils.trust import (
+    SUPPORTS_DATA_TAGGING,
+)
+from ansible_collections.community.internal_test_tools.tests.unit.utils.trust import (
+    is_trusted as _is_trusted,
+)
+from ansible_collections.community.internal_test_tools.tests.unit.utils.trust import (
+    make_trusted as _make_trusted,
+)
+from ansible_collections.community.internal_test_tools.tests.unit.utils.trust import (
+    make_untrusted as _make_untrusted,
+)
+
+from ansible_collections.community.docker.plugins.plugin_utils._unsafe import (
+    make_unsafe,
+)
+
+TEST_MAKE_UNSAFE: list[
+    tuple[t.Any, list[tuple[t.Any, ...]], list[tuple[t.Any, ...]]]
+] = [
+    (
+        _make_trusted("text"),
+        [],
+        [
+            (),
+        ],
+    ),
+    (
+        _make_trusted("{{text}}"),
+        [
+            (),
+        ],
+        [],
+    ),
+    (
+        {
+            _make_trusted("skey"): _make_trusted("value"),
+            _make_trusted("ukey"): _make_trusted("{{value}}"),
+            1: [
+                _make_trusted("value"),
+                _make_trusted("{{value}}"),
+                {
+                    1.0: _make_trusted("{{value}}"),
+                    2.0: _make_trusted("value"),
+                },
+            ],
+        },
+        [
+            ("ukey",),
+            (1, 1),
+            (1, 2, 1.0),
+        ],
+        [
+            ("skey",),
+            (1, 0),
+            (1, 2, 2.0),
+        ],
+    ),
+    (
+        [_make_trusted("value"), _make_trusted("{{value}}")],
+        [
+            (1,),
+        ],
+        [
+            (0,),
+        ],
+    ),
+]
+
+if not SUPPORTS_DATA_TAGGING:
+    TEST_MAKE_UNSAFE.extend(
+        [
+            (
+                _make_trusted(b"text"),
+                [],
+                [
+                    (),
+                ],
+            ),
+            (
+                _make_trusted(b"{{text}}"),
+                [
+                    (),
+                ],
+                [],
+            ),
+        ]
+    )
+
+
+@pytest.mark.parametrize(
+    "value, check_unsafe_paths, check_safe_paths", TEST_MAKE_UNSAFE
+)
+def test_make_unsafe(
+    value: t.Any,
+    check_unsafe_paths: list[tuple[t.Any, ...]],
+    check_safe_paths: list[tuple[t.Any, ...]],
+) -> None:
+    unsafe_value = make_unsafe(value)
+    assert unsafe_value == value
+    for check_path in check_unsafe_paths:
+        obj = unsafe_value
+        for elt in check_path:
+            obj = obj[elt]
+        assert not _is_trusted(obj)
+    for check_path in check_safe_paths:
+        obj = unsafe_value
+        for elt in check_path:
+            obj = obj[elt]
+        assert _is_trusted(obj)
+
+
+def test_make_unsafe_idempotence() -> None:
+    assert make_unsafe(None) is None
+
+    unsafe_str = _make_untrusted("{{test}}")
+    assert id(make_unsafe(unsafe_str)) == id(unsafe_str)
+
+    safe_str = _make_trusted("{{test}}")
+    assert id(make_unsafe(safe_str)) != id(safe_str)
+
+
+def test_make_unsafe_dict_key() -> None:
+    value: dict[t.Any, t.Any] = {
+        _make_trusted("test"): 2,
+    }
+    if not SUPPORTS_DATA_TAGGING:
+        value[_make_trusted(b"test")] = 1
+    unsafe_value = make_unsafe(value)
+    assert unsafe_value == value
+    for obj in unsafe_value:
+        assert _is_trusted(obj)
+
+    value = {
+        _make_trusted("{{test}}"): 2,
+    }
+    if not SUPPORTS_DATA_TAGGING:
+        value[_make_trusted(b"{{test}}")] = 1
+    unsafe_value = make_unsafe(value)
+    assert unsafe_value == value
+    for obj in unsafe_value:
+        assert not _is_trusted(obj)
+
+
+def test_make_unsafe_set() -> None:
+    value: set[t.Any] = set([_make_trusted("test")])
+    if not SUPPORTS_DATA_TAGGING:
+        value.add(_make_trusted(b"test"))
+    unsafe_value = make_unsafe(value)
+    assert unsafe_value == value
+    for obj in unsafe_value:
+        assert _is_trusted(obj)
+
+    value = set([_make_trusted("{{test}}")])
+    if not SUPPORTS_DATA_TAGGING:
+        value.add(_make_trusted(b"{{test}}"))
+    unsafe_value = make_unsafe(value)
+    assert unsafe_value == value
+    for obj in unsafe_value:
+        assert not _is_trusted(obj)
diff --git a/ansible_collections/community/docker/tests/unit/plugins/test_support/docker_image_archive_stubbing.py b/ansible_collections/community/docker/tests/unit/plugins/test_support/docker_image_archive_stubbing.py
new file mode 100644
index 00000000..d9369d20
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/plugins/test_support/docker_image_archive_stubbing.py
@@ -0,0 +1,64 @@
+# Copyright 2022 Red Hat | Ansible
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+import json
+import tarfile
+import typing as t
+from tempfile import TemporaryFile
+
+
+def write_imitation_archive(
+    file_name: str, image_id: str, repo_tags: list[str]
+) -> None:
+    """
+    Write a tar file meeting these requirements:
+
+    * Has a file manifest.json
+    * manifest.json contains a one-element array
+    * The element has a Config property with "[image_id].json" as the value name
+
+    :param file_name: Name of file to create
+    :type file_name: str
+    :param image_id: Fake sha256 hash (without the sha256: prefix)
+    :type image_id: str
+    :param repo_tags: list of fake image tags
+    :type repo_tags: list
+    """
+
+    manifest = [{"Config": f"{image_id}.json", "RepoTags": repo_tags}]
+
+    write_imitation_archive_with_manifest(file_name, manifest)
+
+
+def write_imitation_archive_with_manifest(
+    file_name: str, manifest: list[dict[str, t.Any]]
+) -> None:
+    with tarfile.open(file_name, "w") as tf, TemporaryFile() as f:
+        f.write(json.dumps(manifest).encode("utf-8"))
+
+        ti = tarfile.TarInfo("manifest.json")
+        ti.size = f.tell()
+
+        f.seek(0)
+        tf.addfile(ti, f)
+
+
+def write_irrelevant_tar(file_name: str) -> None:
+    """
+    Create a tar file that does not match the spec for "docker image save" / "docker image load" commands.
+
+    :param file_name: Name of tar file to create
+    :type file_name: str
+    """
+
+    with tarfile.open(file_name, "w") as tf, TemporaryFile() as f:
+        f.write("Hello, world.".encode("utf-8"))
+
+        ti = tarfile.TarInfo("hi.txt")
+        ti.size = f.tell()
+
+        f.seek(0)
+        tf.addfile(ti, f)
diff --git a/ansible_collections/community/docker/tests/unit/requirements.txt b/ansible_collections/community/docker/tests/unit/requirements.txt
new file mode 100644
index 00000000..755590c7
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/requirements.txt
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+docker
+requests
diff --git a/ansible_collections/community/docker/tests/unit/requirements.yml b/ansible_collections/community/docker/tests/unit/requirements.yml
new file mode 100644
index 00000000..c66f4e78
--- /dev/null
+++ b/ansible_collections/community/docker/tests/unit/requirements.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+collections:
+  - community.internal_test_tools
+  - community.library_inventory_filtering_v1
diff --git a/ansible_collections/community/docker/tests/utils/constraints.txt b/ansible_collections/community/docker/tests/utils/constraints.txt
new file mode 100644
index 00000000..6ba617eb
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/constraints.txt
@@ -0,0 +1,25 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+bcrypt < 3.2.0 ; python_version <= '3.6'
+certifi < 2022.5.18 ; python_version < '3.5' # certifi 2022.5.18 requires Python 3.5 or later
+cffi < 2.0.0 ; python_version < '3' # cffi supports Python 3.9+, but all versions except CentOS 7 with Python 2.7 get that...
+coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible
+coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible
+cryptography >= 1.3.0, < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6
+cryptography >= 1.3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7
+urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later
+wheel < 0.30.0 ; python_version < '2.7' # wheel 0.30.0 and later require python 2.7 or later
+paramiko < 2.4.0 ; python_version < '2.7' # paramiko 2.4.0 drops support for python 2.6
+paramiko < 3.0.0 ; python_version < '3.7' # paramiko 3.0.0 forces installation of a too new cryptography
+requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6
+requests < 2.28 ; python_version < '3.7' # requests 2.28.0 drops support for python < 3.7
+virtualenv < 16.0.0 ; python_version < '2.7' # virtualenv 16.0.0 and later require python 2.7 or later
+pyopenssl < 18.0.0 ; python_version < '2.7' # pyOpenSSL 18.0.0 and later require python 2.7 or later
+setuptools < 45 ; python_version <= '2.7' # setuptools 45 and later require python 3.5 or later
+websocket-client < 1.0.0 ; python_version <= '3.6'
+
+# Restrict docker versions depending on Python version
+docker < 5.0.0 ; python_version <= '3.6'
+docker-compose < 1.25.0 ; python_version <= '3.6'
diff --git a/ansible_collections/community/docker/tests/utils/shippable/alpine.sh b/ansible_collections/community/docker/tests/utils/shippable/alpine.sh
new file mode 120000
index 00000000..6ddb7768
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/alpine.sh
@@ -0,0 +1 @@
+remote.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/utils/shippable/fedora.sh b/ansible_collections/community/docker/tests/utils/shippable/fedora.sh
new file mode 120000
index 00000000..6ddb7768
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/fedora.sh
@@ -0,0 +1 @@
+remote.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/utils/shippable/linux-community.sh b/ansible_collections/community/docker/tests/utils/shippable/linux-community.sh
new file mode 100755
index 00000000..fb1d4be9
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/linux-community.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+declare -a args
+IFS='/:' read -ra args <<< "$1"
+
+image="${args[1]}"
+python="${args[2]}"
+
+if [ "${#args[@]}" -gt 3 ]; then
+    target="azp/${args[3]}/"
+else
+    target="azp/"
+fi
+
+if [[ "${python}" =~ -pypi-latest$ ]]; then
+    python="${python/-pypi-latest}"
+    echo 'force_docker_sdk_for_python_pypi: true' >> tests/integration/integration_config.yml
+fi
+if [[ "${python}" =~ -dev-latest$ ]]; then
+    python="${python/-dev-latest}"
+    echo 'force_docker_sdk_for_python_dev: true' >> tests/integration/integration_config.yml
+fi
+
+# shellcheck disable=SC2086
+ansible-test integration --color -v --retry-on-error "${target}" ${COVERAGE:+"$COVERAGE"} ${CHANGED:+"$CHANGED"} ${UNSTABLE:+"$UNSTABLE"} \
+    --docker "quay.io/ansible-community/test-image:${image}" --python "${python}"
diff --git a/ansible_collections/community/docker/tests/utils/shippable/linux.sh b/ansible_collections/community/docker/tests/utils/shippable/linux.sh
new file mode 100755
index 00000000..bef94069
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/linux.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+declare -a args
+IFS='/:' read -ra args <<< "$1"
+
+image="${args[1]}"
+
+if [ "${#args[@]}" -gt 2 ]; then
+    target="azp/${args[2]}/"
+else
+    target="azp/"
+fi
+
+if [[ "${image}" =~ -pypi-latest$ ]]; then
+    image="${image/-pypi-latest}"
+    echo 'force_docker_sdk_for_python_pypi: true' >> tests/integration/integration_config.yml
+fi
+if [[ "${image}" =~ -dev-latest$ ]]; then
+    image="${image/-dev-latest}"
+    echo 'force_docker_sdk_for_python_dev: true' >> tests/integration/integration_config.yml
+fi
+
+# shellcheck disable=SC2086
+ansible-test integration --color -v --retry-on-error "${target}" ${COVERAGE:+"$COVERAGE"} ${CHANGED:+"$CHANGED"} ${UNSTABLE:+"$UNSTABLE"} \
+    --docker "${image}"
diff --git a/ansible_collections/community/docker/tests/utils/shippable/remote.sh b/ansible_collections/community/docker/tests/utils/shippable/remote.sh
new file mode 100755
index 00000000..cd33325d
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/remote.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+declare -a args
+IFS='/:' read -ra args <<< "$1"
+
+platform="${args[0]}"
+version="${args[1]}"
+pyver=default
+
+# check for explicit python version like 8.3@3.8
+declare -a splitversion
+IFS='@' read -ra splitversion <<< "$version"
+
+if [ "${#splitversion[@]}" -gt 1 ]; then
+    version="${splitversion[0]}"
+    pyver="${splitversion[1]}"
+fi
+
+if [ "${#args[@]}" -gt 2 ]; then
+    target="azp/${args[2]}/"
+else
+    target="azp/"
+fi
+
+if [[ "${version}" =~ -pypi-latest$ ]]; then
+    version="${version/-pypi-latest}"
+    echo 'force_docker_sdk_for_python_pypi: true' >> tests/integration/integration_config.yml
+fi
+if [[ "${version}" =~ -dev-latest$ ]]; then
+    version="${version/-dev-latest}"
+    echo 'force_docker_sdk_for_python_dev: true' >> tests/integration/integration_config.yml
+fi
+
+stage="${S:-prod}"
+provider="${P:-default}"
+
+if [ "${platform}" == "rhel" ] && [[ "${version}" =~ ^8\. ]]; then
+    echo "pynacl >= 1.4.0, < 1.5.0; python_version == '3.6'" >> tests/utils/constraints.txt
+fi
+
+# shellcheck disable=SC2086
+ansible-test integration --color -v --retry-on-error "${target}" ${COVERAGE:+"$COVERAGE"} ${CHANGED:+"$CHANGED"} ${UNSTABLE:+"$UNSTABLE"} \
+    --python "${pyver}" --remote "${platform}/${version}" --remote-terminate always --remote-stage "${stage}" --remote-provider "${provider}"
diff --git a/ansible_collections/community/docker/tests/utils/shippable/rhel.sh b/ansible_collections/community/docker/tests/utils/shippable/rhel.sh
new file mode 120000
index 00000000..6ddb7768
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/rhel.sh
@@ -0,0 +1 @@
+remote.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/utils/shippable/sanity.sh b/ansible_collections/community/docker/tests/utils/shippable/sanity.sh
new file mode 100755
index 00000000..42610d08
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/sanity.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+if [ "${BASE_BRANCH:-}" ]; then
+    base_branch="origin/${BASE_BRANCH}"
+else
+    base_branch=""
+fi
+
+# shellcheck disable=SC2086
+ansible-test sanity --color -v --junit ${COVERAGE:+"$COVERAGE"} ${CHANGED:+"$CHANGED"} \
+    --docker --base-branch "${base_branch}" \
+    --allow-disabled
diff --git a/ansible_collections/community/docker/tests/utils/shippable/shippable.sh b/ansible_collections/community/docker/tests/utils/shippable/shippable.sh
new file mode 100755
index 00000000..9375b899
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/shippable.sh
@@ -0,0 +1,234 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+declare -a args
+IFS='/:' read -ra args <<< "$1"
+
+ansible_version="${args[0]}"
+script="${args[1]}"
+after_script="${args[2]}"
+
+function join {
+    local IFS="$1";
+    shift;
+    echo "$*";
+}
+
+# Ensure we can write other collections to this dir
+sudo chown -R "$(whoami)" "${PWD}/../../../"
+
+test="$(join / "${args[@]:1}")"
+
+docker images ansible/ansible
+docker images quay.io/ansible/*
+docker ps
+
+for container in $(docker ps --format '{{.Image}} {{.ID}}' | grep -v -e '^drydock/' -e '^quay.io/ansible/azure-pipelines-test-container:' | sed 's/^.* //'); do
+    docker rm -f "${container}" || true  # ignore errors
+done
+
+docker ps
+
+if [ -d /home/shippable/cache/ ]; then
+    ls -la /home/shippable/cache/
+fi
+
+command -v python
+python -V
+
+function retry
+{
+    # shellcheck disable=SC2034
+    for repetition in 1 2 3; do
+        set +e
+        "$@"
+        result=$?
+        set -e
+        if [ ${result} == 0 ]; then
+            return ${result}
+        fi
+        echo "@* -> ${result}"
+    done
+    echo "Command '@*' failed 3 times!"
+    exit 255
+}
+
+command -v pip
+pip --version
+pip list --disable-pip-version-check
+if [ "${ansible_version}" == "devel" ]; then
+    retry pip install https://github.com/ansible/ansible/archive/devel.tar.gz --disable-pip-version-check
+else
+    retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check
+fi
+
+export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
+
+# START: HACK
+
+COMMUNITY_CRYPTO_BRANCH=main
+if [ "${ansible_version}" == "2.16" ]; then
+    COMMUNITY_CRYPTO_BRANCH=stable-2
+fi
+if [ "${script}" == "linux" ] && [ "$after_script" == "ubuntu2004" ]; then
+    COMMUNITY_CRYPTO_BRANCH=stable-2
+fi
+
+retry git clone --depth=1 --single-branch --branch stable-1 https://github.com/ansible-collections/community.library_inventory_filtering.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/community/library_inventory_filtering_v1"
+# NOTE: we're installing with git to work around Galaxy being a huge PITA (https://github.com/ansible/galaxy/issues/2429)
+# retry ansible-galaxy -vvv collection install community.library_inventory_filtering_v1
+
+if [ "${test}" == "units/1" ]; then
+    # Nothing further should be added to this list.
+    # This is to prevent modules or plugins in this collection having a runtime dependency on other collections.
+    retry git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/community/internal_test_tools"
+    # NOTE: we're installing with git to work around Galaxy being a huge PITA (https://github.com/ansible/galaxy/issues/2429)
+    # retry ansible-galaxy -vvv collection install community.internal_test_tools
+fi
+
+if [ "${script}" != "sanity/1" ] && [ "${script}" != "units/1" ]; then
+    # To prevent Python dependencies on other collections only install other collections for integration tests
+    retry git clone --depth=1 --single-branch https://github.com/ansible-collections/ansible.posix.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/ansible/posix"
+    retry git clone --depth=1 --single-branch --branch "${COMMUNITY_CRYPTO_BRANCH}" https://github.com/ansible-collections/community.crypto.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/community/crypto"
+    retry git clone --depth=1 --single-branch https://github.com/ansible-collections/community.general.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/community/general"
+    # NOTE: we're installing with git to work around Galaxy being a huge PITA (https://github.com/ansible/galaxy/issues/2429)
+    # retry ansible-galaxy -vvv collection install ansible.posix
+    # retry ansible-galaxy -vvv collection install community.crypto
+    # retry ansible-galaxy -vvv collection install community.general
+fi
+# END: HACK
+
+
+export PYTHONIOENCODING='utf-8'
+
+if [ "${JOB_TRIGGERED_BY_NAME:-}" == "nightly-trigger" ]; then
+    COVERAGE=yes
+    COMPLETE=yes
+fi
+
+if [ -n "${COVERAGE:-}" ]; then
+    # on-demand coverage reporting triggered by setting the COVERAGE environment variable to a non-empty value
+    export COVERAGE="--coverage"
+elif [[ "${COMMIT_MESSAGE}" =~ ci_coverage ]]; then
+    # on-demand coverage reporting triggered by having 'ci_coverage' in the latest commit message
+    export COVERAGE="--coverage"
+else
+    # on-demand coverage reporting disabled (default behavior, always-on coverage reporting remains enabled)
+    export COVERAGE="--coverage-check"
+fi
+
+if [ -n "${COMPLETE:-}" ]; then
+    # disable change detection triggered by setting the COMPLETE environment variable to a non-empty value
+    export CHANGED=""
+elif [[ "${COMMIT_MESSAGE}" =~ ci_complete ]]; then
+    # disable change detection triggered by having 'ci_complete' in the latest commit message
+    export CHANGED=""
+else
+    # enable change detection (default behavior)
+    export CHANGED="--changed"
+fi
+
+if [ "${IS_PULL_REQUEST:-}" == "true" ]; then
+    # run unstable tests which are targeted by focused changes on PRs
+    export UNSTABLE="--allow-unstable-changed"
+else
+    # do not run unstable tests outside PRs
+    export UNSTABLE=""
+fi
+
+# remove empty core/extras module directories from PRs created prior to the repo-merge
+find plugins -type d -empty -print -delete
+
+function cleanup
+{
+    # for complete on-demand coverage generate a report for all files with no coverage on the "sanity/5" job so we only have one copy
+    if [ "${COVERAGE}" == "--coverage" ] && [ "${CHANGED}" == "" ] && [ "${test}" == "sanity/5" ]; then
+        stub="--stub"
+        # trigger coverage reporting for stubs even if no other coverage data exists
+        mkdir -p tests/output/coverage/
+    else
+        stub=""
+    fi
+
+    if [ -d tests/output/coverage/ ]; then
+        if find tests/output/coverage/ -mindepth 1 -name '.*' -prune -o -print -quit | grep -q .; then
+            process_coverage='yes'  # process existing coverage files
+        elif [ "${stub}" ]; then
+            process_coverage='yes'  # process coverage when stubs are enabled
+        else
+            process_coverage=''
+        fi
+
+        if [ "${process_coverage}" ]; then
+            # use python 3.7 for coverage to avoid running out of memory during coverage xml processing
+            # only use it for coverage to avoid the additional overhead of setting up a virtual environment for a potential no-op job
+            virtualenv --python /usr/bin/python3.7 ~/ansible-venv
+            set +ux
+            . ~/ansible-venv/bin/activate
+            set -ux
+
+            # shellcheck disable=SC2086
+            ansible-test coverage xml --color -v --requirements --group-by command --group-by version ${stub:+"$stub"}
+            cp -a tests/output/reports/coverage=*.xml "$SHIPPABLE_RESULT_DIR/codecoverage/"
+
+            if [ "${ansible_version}" != "2.9" ]; then
+                # analyze and capture code coverage aggregated by integration test target
+                ansible-test coverage analyze targets generate -v "$SHIPPABLE_RESULT_DIR/testresults/coverage-analyze-targets.json"
+            fi
+
+            # upload coverage report to codecov.io only when using complete on-demand coverage
+            if [ "${COVERAGE}" == "--coverage" ] && [ "${CHANGED}" == "" ]; then
+                for file in tests/output/reports/coverage=*.xml; do
+                    flags="${file##*/coverage=}"
+                    flags="${flags%-powershell.xml}"
+                    flags="${flags%.xml}"
+                    # remove numbered component from stub files when converting to tags
+                    flags="${flags//stub-[0-9]*/stub}"
+                    flags="${flags//=/,}"
+                    flags="${flags//[^a-zA-Z0-9_,]/_}"
+
+                    bash <(curl -s https://ansible-ci-files.s3.us-east-1.amazonaws.com/codecov/codecov.sh) \
+                        -f "${file}" \
+                        -F "${flags}" \
+                        -n "${test}" \
+                        -t 8450ed26-4e94-4d07-8831-d2023d6d20a3 \
+                        -X coveragepy \
+                        -X gcov \
+                        -X fix \
+                        -X search \
+                        -X xcode \
+                    || echo "Failed to upload code coverage report to codecov.io: ${file}"
+                done
+            fi
+        fi
+    fi
+
+    if [ -d  tests/output/junit/ ]; then
+      cp -aT tests/output/junit/ "$SHIPPABLE_RESULT_DIR/testresults/"
+    fi
+
+    if [ -d tests/output/data/ ]; then
+      cp -a tests/output/data/ "$SHIPPABLE_RESULT_DIR/testresults/"
+    fi
+
+    if [ -d  tests/output/bot/ ]; then
+      cp -aT tests/output/bot/ "$SHIPPABLE_RESULT_DIR/testresults/"
+    fi
+}
+
+if [ "${SHIPPABLE_BUILD_ID:-}" ]; then trap cleanup EXIT; fi
+
+if [[ "${COVERAGE:-}" == "--coverage" ]]; then
+    timeout=60
+else
+    timeout=50
+fi
+
+ansible-test env --dump --show --timeout "${timeout}" --color -v
+
+if [ "${SHIPPABLE_BUILD_ID:-}" ]; then "tests/utils/shippable/check_matrix.py"; fi
+"tests/utils/shippable/${script}.sh" "${test}"
diff --git a/ansible_collections/community/docker/tests/utils/shippable/ubuntu.sh b/ansible_collections/community/docker/tests/utils/shippable/ubuntu.sh
new file mode 120000
index 00000000..6ddb7768
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/ubuntu.sh
@@ -0,0 +1 @@
+remote.sh
\ No newline at end of file
diff --git a/ansible_collections/community/docker/tests/utils/shippable/units.sh b/ansible_collections/community/docker/tests/utils/shippable/units.sh
new file mode 100755
index 00000000..37685cb0
--- /dev/null
+++ b/ansible_collections/community/docker/tests/utils/shippable/units.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -o pipefail -eux
+
+declare -a args
+IFS='/:' read -ra args <<< "$1"
+
+group="${args[1]}"
+
+if [[ "${COVERAGE:-}" == "--coverage" ]]; then
+    timeout=90
+else
+    timeout=30
+fi
+
+group1=()
+
+case "${group}" in
+    1) options=("${group1[@]:+${group1[@]}}") ;;
+esac
+
+ansible-test env --timeout "${timeout}" --color -v
+
+# shellcheck disable=SC2086
+ansible-test units --color -v --docker default ${COVERAGE:+"$COVERAGE"} ${CHANGED:+"$CHANGED"} \
+    "${options[@]:+${options[@]}}" \
diff --git a/ansible_collections/community/sops/.git-blame-ignore-revs b/ansible_collections/community/sops/.git-blame-ignore-revs
new file mode 100644
index 00000000..b84b49fa
--- /dev/null
+++ b/ansible_collections/community/sops/.git-blame-ignore-revs
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Reformat YAML: https://github.com/ansible-collections/community.sops/pull/238
+67ed0dacb3b0457ee641337b33b6608a927ce885
diff --git a/ansible_collections/community/sops/.github/dependabot.yml b/ansible_collections/community/sops/.github/dependabot.yml
new file mode 100644
index 00000000..f71b322d
--- /dev/null
+++ b/ansible_collections/community/sops/.github/dependabot.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      ci:
+        patterns:
+          - "*"
diff --git a/ansible_collections/community/sops/.github/patchback.yml b/ansible_collections/community/sops/.github/patchback.yml
new file mode 100644
index 00000000..5ee7812e
--- /dev/null
+++ b/ansible_collections/community/sops/.github/patchback.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+backport_branch_prefix: patchback/backports/
+backport_label_prefix: backport-
+target_branch_prefix: stable-
+...
diff --git a/ansible_collections/community/sops/.github/pull_request_template.md b/ansible_collections/community/sops/.github/pull_request_template.md
new file mode 100644
index 00000000..917af7ed
--- /dev/null
+++ b/ansible_collections/community/sops/.github/pull_request_template.md
@@ -0,0 +1,8 @@
+### Motivation
+<!-- describe why this changes are necessary/useful -->
+
+### Changes description
+<!-- describe what changes are in this PR. Overview is OK, details shall be found in the git commits -->
+
+### Additional notes
+<!-- any note related to these changes, please add them here -->
diff --git a/ansible_collections/community/sops/.github/pull_request_template.md.license b/ansible_collections/community/sops/.github/pull_request_template.md.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/.github/pull_request_template.md.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/.github/workflows/docs-pr.yml b/ansible_collections/community/sops/.github/workflows/docs-pr.yml
new file mode 100644
index 00000000..3d399112
--- /dev/null
+++ b/ansible_collections/community/sops/.github/workflows/docs-pr.yml
@@ -0,0 +1,95 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Collection Docs
+concurrency:
+  group: docs-pr-${{ github.head_ref }}
+  cancel-in-progress: true
+'on':
+  pull_request_target:
+    types: [opened, synchronize, reopened, closed]
+
+env:
+  GHP_BASE_URL: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}
+
+jobs:
+  build-docs:
+    permissions:
+      contents: read
+    name: Build Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
+    with:
+      collection-name: community.sops
+      init-lenient: false
+      init-fail-on-error: true
+      squash-hierarchy: true
+      init-project: Community.Sops Collection
+      init-copyright: Community.Sops Contributors
+      init-title: Community.Sops Collection Documentation
+      init-html-short-title: Community.Sops Collection Docs
+      init-extra-html-theme-options: |
+        documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
+      render-file-line: '> * `$<status>` [$<path_tail>](https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/pr/${{ github.event.number }}/$<path_tail>)'
+
+  publish-docs-gh-pages:
+    # for now we won't run this on forks
+    if: github.repository == 'ansible-collections/community.sops'
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
+    needs: [build-docs]
+    name: Publish Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    with:
+      artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
+      action: ${{ (github.event.action == 'closed' || needs.build-docs.outputs.changed != 'true') && 'teardown' || 'publish' }}
+      publish-gh-pages-branch: true
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  comment:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    needs: [build-docs, publish-docs-gh-pages]
+    name: PR comments
+    steps:
+      - name: PR comment
+        uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
+        with:
+          body-includes: '## Docs Build'
+          reactions: heart
+          action: ${{ needs.build-docs.outputs.changed != 'true' && 'remove' || '' }}
+          on-closed-body: |
+            ## Docs Build 📝
+
+            This PR is closed and any previously published docsite has been unpublished.
+          on-merged-body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            This PR has been merged and the docs are now incorporated into `main`:
+            ${{ env.GHP_BASE_URL }}/branch/main
+          body: |
+            ## Docs Build 📝
+
+            Thank you for contribution!✨
+
+            The docs for **this PR** have been published here:
+            ${{ env.GHP_BASE_URL }}/pr/${{ github.event.number }}
+
+            You can compare to the docs for the `main` branch here:
+            ${{ env.GHP_BASE_URL }}/branch/main
+
+            The docsite for **this PR** is also available for download as an artifact from this run:
+            ${{ needs.build-docs.outputs.artifact-url }}
+
+            File changes:
+
+            ${{ needs.build-docs.outputs.diff-files-rendered }}
+
+            ${{ needs.build-docs.outputs.diff-rendered }}
diff --git a/ansible_collections/community/sops/.github/workflows/docs-push.yml b/ansible_collections/community/sops/.github/workflows/docs-push.yml
new file mode 100644
index 00000000..83d20d63
--- /dev/null
+++ b/ansible_collections/community/sops/.github/workflows/docs-push.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: Collection Docs
+concurrency:
+  group: docs-push-${{ github.sha }}
+  cancel-in-progress: true
+'on':
+  push:
+    branches:
+      - main
+      - stable-*
+    tags:
+      - '*'
+  # Run CI once per day (at 05:30 UTC)
+  schedule:
+    - cron: '30 5 * * *'
+  # Allow manual trigger (for newer antsibull-docs, sphinx-ansible-theme, ... versions)
+  workflow_dispatch:
+
+jobs:
+  build-docs:
+    permissions:
+      contents: read
+    name: Build Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+    with:
+      collection-name: community.sops
+      init-lenient: false
+      init-fail-on-error: true
+      squash-hierarchy: true
+      init-project: Community.Sops Collection
+      init-copyright: Community.Sops Contributors
+      init-title: Community.Sops Collection Documentation
+      init-html-short-title: Community.Sops Collection Docs
+      init-extra-html-theme-options: |
+        documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
+
+  publish-docs-gh-pages:
+    # for now we won't run this on forks
+    if: github.repository == 'ansible-collections/community.sops'
+    permissions:
+      contents: write
+      pages: write
+      id-token: write
+    needs: [build-docs]
+    name: Publish Ansible Docs
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    with:
+      artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
+      publish-gh-pages-branch: true
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ansible_collections/community/sops/.github/workflows/nox.yml b/ansible_collections/community/sops/.github/workflows/nox.yml
new file mode 100644
index 00000000..8ff6341e
--- /dev/null
+++ b/ansible_collections/community/sops/.github/workflows/nox.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: nox
+'on':
+  push:
+    branches:
+      - main
+      - stable-*
+  pull_request:
+  # Run CI once per day (at 05:30 UTC)
+  schedule:
+    - cron: '30 5 * * *'
+  workflow_dispatch:
+
+jobs:
+  nox:
+    runs-on: ubuntu-latest
+    name: "Run extra sanity tests"
+    steps:
+      - name: Check out collection
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - name: Run nox
+        uses: ansible-community/antsibull-nox@main
+
+  ansible-test:
+    uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-matrix.yml@main
+    with:
+      upload-codecov: true
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/ansible_collections/community/sops/.gitignore b/ansible_collections/community/sops/.gitignore
new file mode 100644
index 00000000..728531be
--- /dev/null
+++ b/ansible_collections/community/sops/.gitignore
@@ -0,0 +1,137 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+/tests/output/
+/changelogs/.plugin-cache.yaml
+/tests/integration/inventory
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
diff --git a/ansible_collections/community/sops/.yamllint b/ansible_collections/community/sops/.yamllint
new file mode 100644
index 00000000..102f9123
--- /dev/null
+++ b/ansible_collections/community/sops/.yamllint
@@ -0,0 +1,59 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+  *.sops.yaml
+  *.sops.yml
+  **/files/*.yaml
+  **/files/*.yml
+  /tests/integration/targets/vars_sops/test-extensions/group_vars/all.yml
+  /tests/integration/targets/vars_sops/test-extensions/group_vars/all/test.yml
+
+rules:
+  line-length:
+    max: 300
+    level: error
+  document-start:
+    present: true
+  document-end: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/sops/.yamllint-docs b/ansible_collections/community/sops/.yamllint-docs
new file mode 100644
index 00000000..de8947d7
--- /dev/null
+++ b/ansible_collections/community/sops/.yamllint-docs
@@ -0,0 +1,54 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 160
+    level: error
+  document-start:
+    present: false
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/sops/.yamllint-examples b/ansible_collections/community/sops/.yamllint-examples
new file mode 100644
index 00000000..062ac5aa
--- /dev/null
+++ b/ansible_collections/community/sops/.yamllint-examples
@@ -0,0 +1,54 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length:
+    max: 160
+    level: error
+  document-start:
+    present: true
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: 2
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
diff --git a/ansible_collections/community/sops/.yamllint-extra-docs b/ansible_collections/community/sops/.yamllint-extra-docs
new file mode 100644
index 00000000..52a041a7
--- /dev/null
+++ b/ansible_collections/community/sops/.yamllint-extra-docs
@@ -0,0 +1,50 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
+
+extends: default
+
+ignore: |
+  /changelogs/
+
+rules:
+  line-length: disable  # needed for SOPS files
+  document-start: disable
+  document-end:
+    present: false
+  truthy:
+    level: error
+    allowed-values:
+      - 'true'
+      - 'false'
+  indentation:
+    spaces: consistent  # needed for SOPS files
+    indent-sequences: true
+  key-duplicates: enable
+  trailing-spaces: enable
+  new-line-at-end-of-file: disable
+  hyphens:
+    max-spaces-after: 1
+  empty-lines:
+    max: 2
+    max-start: 0
+    max-end: 0
+  commas:
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  colons:
+    max-spaces-before: 0
+    max-spaces-after: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
+  comments: disable  # needed for SOPS files
+  comments-indentation: false
diff --git a/ansible_collections/community/sops/CHANGELOG.md b/ansible_collections/community/sops/CHANGELOG.md
new file mode 100644
index 00000000..055b2b1b
--- /dev/null
+++ b/ansible_collections/community/sops/CHANGELOG.md
@@ -0,0 +1,813 @@
+# Community SOPS Release Notes
+
+**Topics**
+
+- <a href="#v2-2-7">v2\.2\.7</a>
+    - <a href="#release-summary">Release Summary</a>
+    - <a href="#known-issues">Known Issues</a>
+- <a href="#v2-2-6">v2\.2\.6</a>
+    - <a href="#release-summary-1">Release Summary</a>
+    - <a href="#bugfixes">Bugfixes</a>
+- <a href="#v2-2-5">v2\.2\.5</a>
+    - <a href="#release-summary-2">Release Summary</a>
+    - <a href="#bugfixes-1">Bugfixes</a>
+- <a href="#v2-2-4">v2\.2\.4</a>
+    - <a href="#release-summary-3">Release Summary</a>
+    - <a href="#bugfixes-2">Bugfixes</a>
+- <a href="#v2-2-3">v2\.2\.3</a>
+    - <a href="#release-summary-4">Release Summary</a>
+    - <a href="#minor-changes">Minor Changes</a>
+    - <a href="#bugfixes-3">Bugfixes</a>
+- <a href="#v2-2-2">v2\.2\.2</a>
+    - <a href="#release-summary-5">Release Summary</a>
+    - <a href="#bugfixes-4">Bugfixes</a>
+- <a href="#v2-2-1">v2\.2\.1</a>
+    - <a href="#release-summary-6">Release Summary</a>
+    - <a href="#bugfixes-5">Bugfixes</a>
+- <a href="#v2-2-0">v2\.2\.0</a>
+    - <a href="#release-summary-7">Release Summary</a>
+    - <a href="#minor-changes-1">Minor Changes</a>
+- <a href="#v2-1-0">v2\.1\.0</a>
+    - <a href="#release-summary-8">Release Summary</a>
+    - <a href="#minor-changes-2">Minor Changes</a>
+- <a href="#v2-0-5">v2\.0\.5</a>
+    - <a href="#release-summary-9">Release Summary</a>
+- <a href="#v2-0-4">v2\.0\.4</a>
+    - <a href="#release-summary-10">Release Summary</a>
+    - <a href="#bugfixes-6">Bugfixes</a>
+- <a href="#v2-0-3">v2\.0\.3</a>
+    - <a href="#release-summary-11">Release Summary</a>
+    - <a href="#bugfixes-7">Bugfixes</a>
+- <a href="#v2-0-2">v2\.0\.2</a>
+    - <a href="#release-summary-12">Release Summary</a>
+    - <a href="#bugfixes-8">Bugfixes</a>
+- <a href="#v2-0-1">v2\.0\.1</a>
+    - <a href="#release-summary-13">Release Summary</a>
+- <a href="#v2-0-0">v2\.0\.0</a>
+    - <a href="#release-summary-14">Release Summary</a>
+    - <a href="#removed-features-previously-deprecated">Removed Features \(previously deprecated\)</a>
+- <a href="#v1-9-1">v1\.9\.1</a>
+    - <a href="#release-summary-15">Release Summary</a>
+    - <a href="#bugfixes-9">Bugfixes</a>
+- <a href="#v1-9-0">v1\.9\.0</a>
+    - <a href="#release-summary-16">Release Summary</a>
+    - <a href="#minor-changes-3">Minor Changes</a>
+- <a href="#v1-8-2">v1\.8\.2</a>
+    - <a href="#release-summary-17">Release Summary</a>
+    - <a href="#deprecated-features">Deprecated Features</a>
+- <a href="#v1-8-1">v1\.8\.1</a>
+    - <a href="#release-summary-18">Release Summary</a>
+    - <a href="#bugfixes-10">Bugfixes</a>
+- <a href="#v1-8-0">v1\.8\.0</a>
+    - <a href="#release-summary-19">Release Summary</a>
+    - <a href="#minor-changes-4">Minor Changes</a>
+    - <a href="#bugfixes-11">Bugfixes</a>
+- <a href="#v1-7-0">v1\.7\.0</a>
+    - <a href="#release-summary-20">Release Summary</a>
+    - <a href="#minor-changes-5">Minor Changes</a>
+    - <a href="#bugfixes-12">Bugfixes</a>
+- <a href="#v1-6-7">v1\.6\.7</a>
+    - <a href="#release-summary-21">Release Summary</a>
+    - <a href="#bugfixes-13">Bugfixes</a>
+- <a href="#v1-6-6">v1\.6\.6</a>
+    - <a href="#release-summary-22">Release Summary</a>
+    - <a href="#bugfixes-14">Bugfixes</a>
+- <a href="#v1-6-5">v1\.6\.5</a>
+    - <a href="#release-summary-23">Release Summary</a>
+    - <a href="#bugfixes-15">Bugfixes</a>
+- <a href="#v1-6-4">v1\.6\.4</a>
+    - <a href="#release-summary-24">Release Summary</a>
+    - <a href="#bugfixes-16">Bugfixes</a>
+- <a href="#v1-6-3">v1\.6\.3</a>
+    - <a href="#release-summary-25">Release Summary</a>
+    - <a href="#known-issues-1">Known Issues</a>
+- <a href="#v1-6-2">v1\.6\.2</a>
+    - <a href="#release-summary-26">Release Summary</a>
+    - <a href="#bugfixes-17">Bugfixes</a>
+- <a href="#v1-6-1">v1\.6\.1</a>
+    - <a href="#release-summary-27">Release Summary</a>
+    - <a href="#bugfixes-18">Bugfixes</a>
+- <a href="#v1-6-0">v1\.6\.0</a>
+    - <a href="#release-summary-28">Release Summary</a>
+    - <a href="#minor-changes-6">Minor Changes</a>
+- <a href="#v1-5-0">v1\.5\.0</a>
+    - <a href="#release-summary-29">Release Summary</a>
+    - <a href="#minor-changes-7">Minor Changes</a>
+    - <a href="#new-playbooks">New Playbooks</a>
+    - <a href="#new-roles">New Roles</a>
+- <a href="#v1-4-1">v1\.4\.1</a>
+    - <a href="#release-summary-30">Release Summary</a>
+    - <a href="#bugfixes-19">Bugfixes</a>
+- <a href="#v1-4-0">v1\.4\.0</a>
+    - <a href="#release-summary-31">Release Summary</a>
+    - <a href="#minor-changes-8">Minor Changes</a>
+- <a href="#v1-3-0">v1\.3\.0</a>
+    - <a href="#release-summary-32">Release Summary</a>
+    - <a href="#minor-changes-9">Minor Changes</a>
+- <a href="#v1-2-3">v1\.2\.3</a>
+    - <a href="#release-summary-33">Release Summary</a>
+- <a href="#v1-2-2">v1\.2\.2</a>
+    - <a href="#release-summary-34">Release Summary</a>
+    - <a href="#bugfixes-20">Bugfixes</a>
+- <a href="#v1-2-1">v1\.2\.1</a>
+    - <a href="#release-summary-35">Release Summary</a>
+- <a href="#v1-2-0">v1\.2\.0</a>
+    - <a href="#release-summary-36">Release Summary</a>
+    - <a href="#minor-changes-10">Minor Changes</a>
+    - <a href="#bugfixes-21">Bugfixes</a>
+- <a href="#v1-1-0">v1\.1\.0</a>
+    - <a href="#release-summary-37">Release Summary</a>
+    - <a href="#minor-changes-11">Minor Changes</a>
+    - <a href="#new-plugins">New Plugins</a>
+        - <a href="#filter">Filter</a>
+- <a href="#v1-0-6">v1\.0\.6</a>
+    - <a href="#release-summary-38">Release Summary</a>
+    - <a href="#bugfixes-22">Bugfixes</a>
+- <a href="#v1-0-5">v1\.0\.5</a>
+    - <a href="#release-summary-39">Release Summary</a>
+    - <a href="#bugfixes-23">Bugfixes</a>
+- <a href="#v1-0-4">v1\.0\.4</a>
+    - <a href="#release-summary-40">Release Summary</a>
+    - <a href="#security-fixes">Security Fixes</a>
+- <a href="#v1-0-3">v1\.0\.3</a>
+    - <a href="#release-summary-41">Release Summary</a>
+    - <a href="#bugfixes-24">Bugfixes</a>
+- <a href="#v1-0-2">v1\.0\.2</a>
+    - <a href="#release-summary-42">Release Summary</a>
+- <a href="#v1-0-1">v1\.0\.1</a>
+    - <a href="#release-summary-43">Release Summary</a>
+- <a href="#v1-0-0">v1\.0\.0</a>
+    - <a href="#release-summary-44">Release Summary</a>
+    - <a href="#minor-changes-12">Minor Changes</a>
+- <a href="#v0-2-0">v0\.2\.0</a>
+    - <a href="#release-summary-45">Release Summary</a>
+    - <a href="#minor-changes-13">Minor Changes</a>
+- <a href="#v0-1-0">v0\.1\.0</a>
+    - <a href="#release-summary-46">Release Summary</a>
+    - <a href="#new-plugins-1">New Plugins</a>
+        - <a href="#lookup">Lookup</a>
+        - <a href="#vars">Vars</a>
+    - <a href="#new-modules">New Modules</a>
+
+<a id="v2-2-7"></a>
+## v2\.2\.7
+
+<a id="release-summary"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="known-issues"></a>
+### Known Issues
+
+* When using the <code>community\.sops\.load\_vars</code> with ansible\-core 2\.20\, note that the deprecation of <code>INJECT\_FACTS\_AS\_VARS</code> causes deprecation warnings to be shown every time a variable loaded with <code>community\.sops\.load\_vars</code> is used\. This is due to ansible\-core deprecating <code>INJECT\_FACTS\_AS\_VARS</code> without providing an alternative for modules like <code>community\.sops\.load\_vars</code> to use\. If you do not like these deprecation warnings\, you have to explicitly set <code>INJECT\_FACTS\_AS\_VARS</code> to <code>true</code>\. <strong>DO NOT</strong> change the use of SOPS encrypted variables to <code>ansible\_facts</code>\. The situation will hopefully improve in ansible\-core 2\.21 through the promised API that allows action plugins to set variables\; community\.sops will adapt to use it\, which will make the warning go away\. \(The API was originally promised for ansible\-core 2\.20\, but then delayed\.\)
+
+<a id="v2-2-6"></a>
+## v2\.2\.6
+
+<a id="release-summary-1"></a>
+### Release Summary
+
+Bugfix and maintenance release\.
+
+<a id="bugfixes"></a>
+### Bugfixes
+
+* Clean up plugin code that does not run on the target \([https\://github\.com/ansible\-collections/community\.sops/pull/275](https\://github\.com/ansible\-collections/community\.sops/pull/275)\)\.
+* Note that the MIT licenced code in <code>plugins/module\_utils/\_six\.py</code> has been removed \([https\://github\.com/ansible\-collections/community\.sops/pull/275](https\://github\.com/ansible\-collections/community\.sops/pull/275)\)\.
+* sops vars plugin \- ensure that loaded vars are evaluated also with ansible\-core 2\.19\+ \([https\://github\.com/ansible\-collections/community\.sops/pull/273](https\://github\.com/ansible\-collections/community\.sops/pull/273)\)\.
+
+<a id="v2-2-5"></a>
+## v2\.2\.5
+
+<a id="release-summary-2"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-1"></a>
+### Bugfixes
+
+* load\_vars action \- avoid another deprecated module utils from ansible\-core \([https\://github\.com/ansible\-collections/community\.sops/pull/270](https\://github\.com/ansible\-collections/community\.sops/pull/270)\)\.
+* load\_vars action \- avoid deprecated import from ansible\-core that will be removed in ansible\-core 2\.21 \([https\://github\.com/ansible\-collections/community\.sops/pull/272](https\://github\.com/ansible\-collections/community\.sops/pull/272)\)\.
+
+<a id="v2-2-4"></a>
+## v2\.2\.4
+
+<a id="release-summary-3"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-2"></a>
+### Bugfixes
+
+* Fix accidental type extensions \([https\://github\.com/ansible\-collections/community\.sops/pull/269](https\://github\.com/ansible\-collections/community\.sops/pull/269)\)\.
+
+<a id="v2-2-3"></a>
+## v2\.2\.3
+
+<a id="release-summary-4"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="minor-changes"></a>
+### Minor Changes
+
+* Note that some new code in <code>plugins/module\_utils/\_six\.py</code> is MIT licensed \([https\://github\.com/ansible\-collections/community\.sops/pull/268](https\://github\.com/ansible\-collections/community\.sops/pull/268)\)\.
+
+<a id="bugfixes-3"></a>
+### Bugfixes
+
+* Avoid using <code>ansible\.module\_utils\.six</code> to avoid deprecation warnings with ansible\-core 2\.20 \([https\://github\.com/ansible\-collections/community\.sops/pull/268](https\://github\.com/ansible\-collections/community\.sops/pull/268)\)\.
+
+<a id="v2-2-2"></a>
+## v2\.2\.2
+
+<a id="release-summary-5"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-4"></a>
+### Bugfixes
+
+* Avoid deprecated functionality in ansible\-core 2\.20 \([https\://github\.com/ansible\-collections/community\.sops/pull/260](https\://github\.com/ansible\-collections/community\.sops/pull/260)\)\.
+* all modules and plugins \- the default of <code>enable\_local\_keyservice</code> changed from <code>false</code> to <code>true</code>\, and explicitly setting it to <code>false</code> now passes <code>\-\-enable\-local\-keyservice\=false</code>\. SOPS\' default has always been <code>true</code>\, and when setting this option to <code>true</code> so far it resulted in passing <code>\-\-enable\-local\-keyservice</code>\, which is equivalent to <code>\-\-enable\-local\-keyservice\=true</code> and had no effect\. This means that from now on\, setting <code>enable\_local\_keyservice</code> explicitly to <code>false</code> has an effect\. If <code>enable\_local\_keyservice</code> was not set before\, or was set to <code>true</code>\, nothing will change \([https\://github\.com/ansible\-collections/community\.sops/issues/261](https\://github\.com/ansible\-collections/community\.sops/issues/261)\, [https\://github\.com/ansible\-collections/community\.sops/pull/262](https\://github\.com/ansible\-collections/community\.sops/pull/262)\)\.
+
+<a id="v2-2-1"></a>
+## v2\.2\.1
+
+<a id="release-summary-6"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-5"></a>
+### Bugfixes
+
+* install role \- avoid deprecated parameter value for the <code>ansible\.builtin\.uri</code> module \([https\://github\.com/ansible\-collections/community\.sops/pull/255](https\://github\.com/ansible\-collections/community\.sops/pull/255)\)\.
+
+<a id="v2-2-0"></a>
+## v2\.2\.0
+
+<a id="release-summary-7"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-1"></a>
+### Minor Changes
+
+* load\_vars \- expressions can now be lazily evaluated when using ansible\-core 2\.19 or newer \([https\://github\.com/ansible\-collections/community\.sops/pull/229](https\://github\.com/ansible\-collections/community\.sops/pull/229)\)\.
+
+<a id="v2-1-0"></a>
+## v2\.1\.0
+
+<a id="release-summary-8"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-2"></a>
+### Minor Changes
+
+* Now supports specifying SSH private keys for age with the new <code>age\_ssh\_private\_keyfile</code> option \([https\://github\.com/ansible\-collections/community\.sops/pull/241](https\://github\.com/ansible\-collections/community\.sops/pull/241)\)\.
+
+<a id="v2-0-5"></a>
+## v2\.0\.5
+
+<a id="release-summary-9"></a>
+### Release Summary
+
+Maintenance release with updated SOPS version test coverage\.
+
+<a id="v2-0-4"></a>
+## v2\.0\.4
+
+<a id="release-summary-10"></a>
+### Release Summary
+
+Maintenance release with Data Tagging support\.
+
+<a id="bugfixes-6"></a>
+### Bugfixes
+
+* load\_vars \- make evaluation compatible with Data Tagging in upcoming ansible\-core release \([https\://github\.com/ansible\-collections/community\.sops/pull/225](https\://github\.com/ansible\-collections/community\.sops/pull/225)\)\.
+
+<a id="v2-0-3"></a>
+## v2\.0\.3
+
+<a id="release-summary-11"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-7"></a>
+### Bugfixes
+
+* install role \- <code>sops\_install\_on\_localhost\=false</code> was not working properly if the role was running on more than one host due to a bug in ansible\-core \([https\://github\.com/ansible\-collections/community\.sops/issues/223](https\://github\.com/ansible\-collections/community\.sops/issues/223)\, [https\://github\.com/ansible\-collections/community\.sops/pull/224](https\://github\.com/ansible\-collections/community\.sops/pull/224)\)\.
+
+<a id="v2-0-2"></a>
+## v2\.0\.2
+
+<a id="release-summary-12"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-8"></a>
+### Bugfixes
+
+* install role \- when used with Debian on ARM architecture\, the architecture name is now correctly translated from <code>aarch64</code> to <code>arm64</code> \([https\://github\.com/ansible\-collections/community\.sops/issues/220](https\://github\.com/ansible\-collections/community\.sops/issues/220)\, [https\://github\.com/ansible\-collections/community\.sops/pull/221](https\://github\.com/ansible\-collections/community\.sops/pull/221)\)\.
+
+<a id="v2-0-1"></a>
+## v2\.0\.1
+
+<a id="release-summary-13"></a>
+### Release Summary
+
+Maintenance release with updated documentation\.
+
+<a id="v2-0-0"></a>
+## v2\.0\.0
+
+<a id="release-summary-14"></a>
+### Release Summary
+
+Major verison that drops support for End of Life Ansible/ansible\-base/ansible\-core versions\.
+
+<a id="removed-features-previously-deprecated"></a>
+### Removed Features \(previously deprecated\)
+
+* The collection no longer supports Ansible 2\.9\, ansible\-base 2\.10\, ansible\-core 2\.11\, ansible\-core 2\.12\, ansible\-core 2\.13\, and ansible\-core 2\.14\. If you need to continue using End of Life versions of Ansible/ansible\-base/ansible\-core\, please use community\.sops 1\.x\.y \([https\://github\.com/ansible\-collections/community\.sops/pull/206](https\://github\.com/ansible\-collections/community\.sops/pull/206)\)\.
+
+<a id="v1-9-1"></a>
+## v1\.9\.1
+
+<a id="release-summary-15"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-9"></a>
+### Bugfixes
+
+* sops\_encrypt \- pass absolute paths to <code>module\.atomic\_move\(\)</code> \([https\://github\.com/ansible/ansible/issues/83950](https\://github\.com/ansible/ansible/issues/83950)\, [https\://github\.com/ansible\-collections/community\.sops/pull/208](https\://github\.com/ansible\-collections/community\.sops/pull/208)\)\.
+
+<a id="v1-9-0"></a>
+## v1\.9\.0
+
+<a id="release-summary-16"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-3"></a>
+### Minor Changes
+
+* decrypt filter plugin \- now supports the input and output type <code>ini</code> \([https\://github\.com/ansible\-collections/community\.sops/pull/204](https\://github\.com/ansible\-collections/community\.sops/pull/204)\)\.
+* sops lookup plugin \- new option <code>extract</code> allows extracting a single key out of a JSON or YAML file\, equivalent to sops\' <code>decrypt \-\-extract</code> \([https\://github\.com/ansible\-collections/community\.sops/pull/200](https\://github\.com/ansible\-collections/community\.sops/pull/200)\)\.
+* sops lookup plugin \- now supports the input and output type <code>ini</code> \([https\://github\.com/ansible\-collections/community\.sops/pull/204](https\://github\.com/ansible\-collections/community\.sops/pull/204)\)\.
+
+<a id="v1-8-2"></a>
+## v1\.8\.2
+
+<a id="release-summary-17"></a>
+### Release Summary
+
+Maintenance release with updated documentation and changelog\.
+
+<a id="deprecated-features"></a>
+### Deprecated Features
+
+* The collection deprecates support for all Ansible/ansible\-base/ansible\-core versions that are currently End of Life\, [according to the ansible\-core support matrix](https\://docs\.ansible\.com/ansible\-core/devel/reference\_appendices/release\_and\_maintenance\.html\#ansible\-core\-support\-matrix)\. This means that the next major release of the collection will no longer support Ansible 2\.9\, ansible\-base 2\.10\, ansible\-core 2\.11\, ansible\-core 2\.12\, ansible\-core 2\.13\, and ansible\-core 2\.14\.
+
+<a id="v1-8-1"></a>
+## v1\.8\.1
+
+<a id="release-summary-18"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-10"></a>
+### Bugfixes
+
+* Pass <code>config\_path</code> on SOPS 3\.9\.0 before the subcommand instead of after it \([https\://github\.com/ansible\-collections/community\.sops/issues/195](https\://github\.com/ansible\-collections/community\.sops/issues/195)\, [https\://github\.com/ansible\-collections/community\.sops/pull/197](https\://github\.com/ansible\-collections/community\.sops/pull/197)\)\.
+
+<a id="v1-8-0"></a>
+## v1\.8\.0
+
+<a id="release-summary-19"></a>
+### Release Summary
+
+Feature release for supporting improvements coming with SOPS 3\.9\.0\.
+
+<a id="minor-changes-4"></a>
+### Minor Changes
+
+* Detect SOPS 3\.9\.0 and use new <code>decrypt</code> and <code>encrypt</code> subcommands \([https\://github\.com/ansible\-collections/community\.sops/pull/190](https\://github\.com/ansible\-collections/community\.sops/pull/190)\)\.
+* sops vars plugin \- new option <code>handle\_unencrypted\_files</code> allows to control behavior when encountering unencrypted files with SOPS 3\.9\.0\+ \([https\://github\.com/ansible\-collections/community\.sops/pull/190](https\://github\.com/ansible\-collections/community\.sops/pull/190)\)\.
+
+<a id="bugfixes-11"></a>
+### Bugfixes
+
+* sops\_encrypt \- properly support <code>path\_regex</code> in <code>\.sops\.yaml</code> when SOPS 3\.9\.0 or later is used \([https\://github\.com/ansible\-collections/community\.sops/issues/153](https\://github\.com/ansible\-collections/community\.sops/issues/153)\, [https\://github\.com/ansible\-collections/community\.sops/pull/190](https\://github\.com/ansible\-collections/community\.sops/pull/190)\)\.
+
+<a id="v1-7-0"></a>
+## v1\.7\.0
+
+<a id="release-summary-20"></a>
+### Release Summary
+
+Bugfix and feature release to fix installation issues with SOPS 3\.9\.0\.
+
+<a id="minor-changes-5"></a>
+### Minor Changes
+
+* sops vars plugin \- allow to configure the valid extensions with an <code>ansible\.cfg</code> entry or with an environment variable \([https\://github\.com/ansible\-collections/community\.sops/pull/185](https\://github\.com/ansible\-collections/community\.sops/pull/185)\)\.
+
+<a id="bugfixes-12"></a>
+### Bugfixes
+
+* Fix RPM URL for the 3\.9\.0 release \([https\://github\.com/ansible\-collections/community\.sops/pull/188](https\://github\.com/ansible\-collections/community\.sops/pull/188)\)\.
+
+<a id="v1-6-7"></a>
+## v1\.6\.7
+
+<a id="release-summary-21"></a>
+### Release Summary
+
+Bugfix release\.
+
+<a id="bugfixes-13"></a>
+### Bugfixes
+
+* sops\_encrypt \- ensure that output\-type is set to <code>yaml</code> when the file extension <code>\.yml</code> is used\. Now both <code>\.yaml</code> and <code>\.yml</code> files use the SOPS <code>\-\-output\-type\=yaml</code> formatting \([https\://github\.com/ansible\-collections/community\.sops/issues/164](https\://github\.com/ansible\-collections/community\.sops/issues/164)\)\.
+
+<a id="v1-6-6"></a>
+## v1\.6\.6
+
+<a id="release-summary-22"></a>
+### Release Summary
+
+Make fully compatible with and test against sops 3\.8\.0\.
+
+<a id="bugfixes-14"></a>
+### Bugfixes
+
+* Fix RPM URL for the 3\.8\.0 release \([https\://github\.com/ansible\-collections/community\.sops/pull/161](https\://github\.com/ansible\-collections/community\.sops/pull/161)\)\.
+
+<a id="v1-6-5"></a>
+## v1\.6\.5
+
+<a id="release-summary-23"></a>
+### Release Summary
+
+Make compatible with and test against sops 3\.8\.0\-rc\.1\.
+
+<a id="bugfixes-15"></a>
+### Bugfixes
+
+* Avoid pre\-releases when picking the latest version when using the GitHub API method \([https\://github\.com/ansible\-collections/community\.sops/pull/159](https\://github\.com/ansible\-collections/community\.sops/pull/159)\)\.
+* Fix changed DEB and RPM URLs for 3\.8\.0 and its prerelease\(s\) \([https\://github\.com/ansible\-collections/community\.sops/pull/159](https\://github\.com/ansible\-collections/community\.sops/pull/159)\)\.
+
+<a id="v1-6-4"></a>
+## v1\.6\.4
+
+<a id="release-summary-24"></a>
+### Release Summary
+
+Maintenance/bugfix release for the move of sops to the new [getsops GitHub organization](https\://github\.com/getsops)\.
+
+<a id="bugfixes-16"></a>
+### Bugfixes
+
+* install role \- fix <code>sops\_github\_latest\_detection\=latest\-release</code>\, which broke due to sops moving to another GitHub organization \([https\://github\.com/ansible\-collections/community\.sops/pull/151](https\://github\.com/ansible\-collections/community\.sops/pull/151)\)\.
+
+<a id="v1-6-3"></a>
+## v1\.6\.3
+
+<a id="release-summary-25"></a>
+### Release Summary
+
+Maintenance release with updated documentation\.
+
+From this version on\, community\.sops is using the new [Ansible semantic markup](https\://docs\.ansible\.com/ansible/devel/dev\_guide/developing\_modules\_documenting\.html\#semantic\-markup\-within\-module\-documentation)
+in its documentation\. If you look at documentation with the ansible\-doc CLI tool
+from ansible\-core before 2\.15\, please note that it does not render the markup
+correctly\. You should be still able to read it in most cases\, but you need
+ansible\-core 2\.15 or later to see it as it is intended\. Alternatively you can
+look at [the devel docsite](https\://docs\.ansible\.com/ansible/devel/collections/community/sops/)
+for the rendered HTML version of the documentation of the latest release\.
+
+<a id="known-issues-1"></a>
+### Known Issues
+
+* Ansible markup will show up in raw form on ansible\-doc text output for ansible\-core before 2\.15\. If you have trouble deciphering the documentation markup\, please upgrade to ansible\-core 2\.15 \(or newer\)\, or read the HTML documentation on [https\://docs\.ansible\.com/ansible/devel/collections/community/sops/](https\://docs\.ansible\.com/ansible/devel/collections/community/sops/)\.
+
+<a id="v1-6-2"></a>
+## v1\.6\.2
+
+<a id="release-summary-26"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-17"></a>
+### Bugfixes
+
+* install role \- make sure that the <code>pkg\_mgr</code> fact is definitely available when installing on <code>localhost</code>\. This can improve error messages in some cases \([https\://github\.com/ansible\-collections/community\.sops/issues/145](https\://github\.com/ansible\-collections/community\.sops/issues/145)\, [https\://github\.com/ansible\-collections/community\.sops/pull/146](https\://github\.com/ansible\-collections/community\.sops/pull/146)\)\.
+
+<a id="v1-6-1"></a>
+## v1\.6\.1
+
+<a id="release-summary-27"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-18"></a>
+### Bugfixes
+
+* action plugin helper \- fix handling of deprecations for ansible\-core 2\.14\.2 \([https\://github\.com/ansible\-collections/community\.sops/pull/136](https\://github\.com/ansible\-collections/community\.sops/pull/136)\)\.
+* various plugins \- remove unnecessary imports \([https\://github\.com/ansible\-collections/community\.sops/pull/133](https\://github\.com/ansible\-collections/community\.sops/pull/133)\)\.
+
+<a id="v1-6-0"></a>
+## v1\.6\.0
+
+<a id="release-summary-28"></a>
+### Release Summary
+
+Feature release improving the installation role\.
+
+<a id="minor-changes-6"></a>
+### Minor Changes
+
+* install role \- add <code>sops\_github\_latest\_detection</code> option that allows to configure which method to use for detecting the latest release on GitHub\. By default \(<code>auto</code>\) first tries to retrieve a list of recent releases using the API\, and if that fails due to rate limiting\, tries to obtain the latest GitHub release from a semi\-documented URL \([https\://github\.com/ansible\-collections/community\.sops/pull/133](https\://github\.com/ansible\-collections/community\.sops/pull/133)\)\.
+* install role \- add <code>sops\_github\_token</code> option to allow passing a GitHub token\. This can for example be used to avoid rate limits when using the role in GitHub Actions \([https\://github\.com/ansible\-collections/community\.sops/pull/132](https\://github\.com/ansible\-collections/community\.sops/pull/132)\)\.
+* install role \- implement another method to determine the latest release on GitHub than using the GitHub API\, which can make installation fail due to rate\-limiting \([https\://github\.com/ansible\-collections/community\.sops/pull/131](https\://github\.com/ansible\-collections/community\.sops/pull/131)\)\.
+
+<a id="v1-5-0"></a>
+## v1\.5\.0
+
+<a id="release-summary-29"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-7"></a>
+### Minor Changes
+
+* Automatically install GNU Privacy Guard \(GPG\) in execution environments\. To install Mozilla sops a manual step needs to be added to the EE definition\, see the collection\'s documentation for details \([https\://github\.com/ansible\-collections/community\.sops/pull/98](https\://github\.com/ansible\-collections/community\.sops/pull/98)\)\.
+
+<a id="new-playbooks"></a>
+### New Playbooks
+
+* community\.sops\.install \- Installs sops and GNU Privacy Guard on all remote hosts
+* community\.sops\.install\_localhost \- Installs sops and GNU Privacy Guard on localhost
+
+<a id="new-roles"></a>
+### New Roles
+
+* community\.sops\.install \- Install Mozilla sops
+
+<a id="v1-4-1"></a>
+## v1\.4\.1
+
+<a id="release-summary-30"></a>
+### Release Summary
+
+Maintenance release to improve compatibility with future ansible\-core releases\.
+
+<a id="bugfixes-19"></a>
+### Bugfixes
+
+* load\_vars \- ensure compatibility with newer versions of ansible\-core \([https\://github\.com/ansible\-collections/community\.sops/pull/121](https\://github\.com/ansible\-collections/community\.sops/pull/121)\)\.
+
+<a id="v1-4-0"></a>
+## v1\.4\.0
+
+<a id="release-summary-31"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-8"></a>
+### Minor Changes
+
+* Allow to specify age keys as <code>age\_key</code>\, or age keyfiles as <code>age\_keyfile</code> \([https\://github\.com/ansible\-collections/community\.sops/issues/116](https\://github\.com/ansible\-collections/community\.sops/issues/116)\, [https\://github\.com/ansible\-collections/community\.sops/pull/117](https\://github\.com/ansible\-collections/community\.sops/pull/117)\)\.
+* sops\_encrypt \- allow to specify age recipients \([https\://github\.com/ansible\-collections/community\.sops/issues/116](https\://github\.com/ansible\-collections/community\.sops/issues/116)\, [https\://github\.com/ansible\-collections/community\.sops/pull/117](https\://github\.com/ansible\-collections/community\.sops/pull/117)\)\.
+
+<a id="v1-3-0"></a>
+## v1\.3\.0
+
+<a id="release-summary-32"></a>
+### Release Summary
+
+Feature release\.
+
+<a id="minor-changes-9"></a>
+### Minor Changes
+
+* All software licenses are now in the <code>LICENSES/</code> directory of the collection root\, and the collection repository conforms to the [REUSE specification](https\://reuse\.software/spec/) except for the changelog fragments \([https\://github\.com/ansible\-collections/community\.crypto/sops/108](https\://github\.com/ansible\-collections/community\.crypto/sops/108)\, [https\://github\.com/ansible\-collections/community\.sops/pull/113](https\://github\.com/ansible\-collections/community\.sops/pull/113)\)\.
+* sops vars plugin \- added a configuration option to temporarily disable the vars plugin \([https\://github\.com/ansible\-collections/community\.sops/pull/114](https\://github\.com/ansible\-collections/community\.sops/pull/114)\)\.
+
+<a id="v1-2-3"></a>
+## v1\.2\.3
+
+<a id="release-summary-33"></a>
+### Release Summary
+
+Fix formatting bug in documentation\. No code changes\.
+
+<a id="v1-2-2"></a>
+## v1\.2\.2
+
+<a id="release-summary-34"></a>
+### Release Summary
+
+Maintenance release\.
+
+<a id="bugfixes-20"></a>
+### Bugfixes
+
+* Include <code>simplified\_bsd\.txt</code> license file for the <code>sops</code> module utils\.
+
+<a id="v1-2-1"></a>
+## v1\.2\.1
+
+<a id="release-summary-35"></a>
+### Release Summary
+
+Maintenance release with updated documentation\.
+
+<a id="v1-2-0"></a>
+## v1\.2\.0
+
+<a id="release-summary-36"></a>
+### Release Summary
+
+Collection release for inclusion in Ansible 4\.9\.0 and 5\.1\.0\.
+
+This release contains a change allowing to configure generic plugin options with ansible\.cfg keys and env variables\.
+
+<a id="minor-changes-10"></a>
+### Minor Changes
+
+* sops lookup and vars plugin \- allow to configure almost all generic options by ansible\.cfg entries and environment variables \([https\://github\.com/ansible\-collections/community\.sops/pull/81](https\://github\.com/ansible\-collections/community\.sops/pull/81)\)\.
+
+<a id="bugfixes-21"></a>
+### Bugfixes
+
+* Fix error handling in calls of the <code>sops</code> binary when negative errors are returned \([https\://github\.com/ansible\-collections/community\.sops/issues/82](https\://github\.com/ansible\-collections/community\.sops/issues/82)\, [https\://github\.com/ansible\-collections/community\.sops/pull/83](https\://github\.com/ansible\-collections/community\.sops/pull/83)\)\.
+
+<a id="v1-1-0"></a>
+## v1\.1\.0
+
+<a id="release-summary-37"></a>
+### Release Summary
+
+A minor release for inclusion in Ansible 4\.2\.0\.
+
+<a id="minor-changes-11"></a>
+### Minor Changes
+
+* Avoid internal ansible\-core module\_utils in favor of equivalent public API available since at least Ansible 2\.9 \([https\://github\.com/ansible\-collections/community\.sops/pull/73](https\://github\.com/ansible\-collections/community\.sops/pull/73)\)\.
+
+<a id="new-plugins"></a>
+### New Plugins
+
+<a id="filter"></a>
+#### Filter
+
+* community\.sops\.decrypt \- Decrypt sops\-encrypted data
+
+<a id="v1-0-6"></a>
+## v1\.0\.6
+
+<a id="release-summary-38"></a>
+### Release Summary
+
+This release makes the collection compatible to the latest beta release of ansible\-core 2\.11\.
+
+<a id="bugfixes-22"></a>
+### Bugfixes
+
+* action\_module plugin helper \- make compatible with latest changes in ansible\-core 2\.11\.0b3 \([https\://github\.com/ansible\-collections/community\.sops/pull/58](https\://github\.com/ansible\-collections/community\.sops/pull/58)\)\.
+* community\.sops\.load\_vars \- make compatible with latest changes in ansible\-core 2\.11\.0b3 \([https\://github\.com/ansible\-collections/community\.sops/pull/58](https\://github\.com/ansible\-collections/community\.sops/pull/58)\)\.
+
+<a id="v1-0-5"></a>
+## v1\.0\.5
+
+<a id="release-summary-39"></a>
+### Release Summary
+
+This release fixes a bug that prevented correct YAML file to be created when the output was ending in <code>\.yaml</code>\.
+
+<a id="bugfixes-23"></a>
+### Bugfixes
+
+* community\.sops\.sops\_encrypt \- use output type <code>yaml</code> when path ends with <code>\.yaml</code> \([https\://github\.com/ansible\-collections/community\.sops/pull/56](https\://github\.com/ansible\-collections/community\.sops/pull/56)\)\.
+
+<a id="v1-0-4"></a>
+## v1\.0\.4
+
+<a id="release-summary-40"></a>
+### Release Summary
+
+This is a security release\, fixing a potential information leak in the <code>community\.sops\.sops\_encrypt</code> module\.
+
+<a id="security-fixes"></a>
+### Security Fixes
+
+* community\.sops\.sops\_encrypt \- mark the <code>aws\_secret\_access\_key</code> and <code>aws\_session\_token</code> parameters as <code>no\_log</code> to avoid leakage of secrets \([https\://github\.com/ansible\-collections/community\.sops/pull/54](https\://github\.com/ansible\-collections/community\.sops/pull/54)\)\.
+
+<a id="v1-0-3"></a>
+## v1\.0\.3
+
+<a id="release-summary-41"></a>
+### Release Summary
+
+This release include some fixes to Ansible docs and required changes for inclusion in Ansible\.
+
+<a id="bugfixes-24"></a>
+### Bugfixes
+
+* community\.sops\.sops lookup plugins \- fix wrong format of Ansible variables so that these are actually used \([https\://github\.com/ansible\-collections/community\.sops/pull/51](https\://github\.com/ansible\-collections/community\.sops/pull/51)\)\.
+* community\.sops\.sops vars plugins \- remove non\-working Ansible variables \([https\://github\.com/ansible\-collections/community\.sops/pull/51](https\://github\.com/ansible\-collections/community\.sops/pull/51)\)\.
+
+<a id="v1-0-2"></a>
+## v1\.0\.2
+
+<a id="release-summary-42"></a>
+### Release Summary
+
+Fix of 1\.0\.1 release which had no changelog entry\.
+
+<a id="v1-0-1"></a>
+## v1\.0\.1
+
+<a id="release-summary-43"></a>
+### Release Summary
+
+Re\-release of 1\.0\.0 to counteract error during release\.
+
+<a id="v1-0-0"></a>
+## v1\.0\.0
+
+<a id="release-summary-44"></a>
+### Release Summary
+
+First stable release\. This release is expected to be included in Ansible 3\.0\.0\.
+
+<a id="minor-changes-12"></a>
+### Minor Changes
+
+* All plugins and modules\: allow to pass generic sops options with new options <code>config\_path</code>\, <code>enable\_local\_keyservice</code>\, <code>keyservice</code>\. Also allow to pass AWS parameters with options <code>aws\_profile</code>\, <code>aws\_access\_key\_id</code>\, <code>aws\_secret\_access\_key</code>\, and <code>aws\_session\_token</code> \([https\://github\.com/ansible\-collections/community\.sops/pull/47](https\://github\.com/ansible\-collections/community\.sops/pull/47)\)\.
+* community\.sops\.sops\_encrypt \- allow to pass encryption\-specific options <code>kms</code>\, <code>gcp\_kms</code>\, <code>azure\_kv</code>\, <code>hc\_vault\_transit</code>\, <code>pgp</code>\, <code>unencrypted\_suffix</code>\, <code>encrypted\_suffix</code>\, <code>unencrypted\_regex</code>\, <code>encrypted\_regex</code>\, <code>encryption\_context</code>\, and <code>shamir\_secret\_sharing\_threshold</code> to sops \([https\://github\.com/ansible\-collections/community\.sops/pull/47](https\://github\.com/ansible\-collections/community\.sops/pull/47)\)\.
+
+<a id="v0-2-0"></a>
+## v0\.2\.0
+
+<a id="release-summary-45"></a>
+### Release Summary
+
+This release adds features for the lookup and vars plugins\.
+
+<a id="minor-changes-13"></a>
+### Minor Changes
+
+* community\.sops\.sops lookup plugin \- add <code>empty\_on\_not\_exist</code> option which allows to return an empty string instead of an error when the file does not exist \([https\://github\.com/ansible\-collections/community\.sops/pull/33](https\://github\.com/ansible\-collections/community\.sops/pull/33)\)\.
+* community\.sops\.sops vars plugin \- add option to control caching \([https\://github\.com/ansible\-collections/community\.sops/pull/32](https\://github\.com/ansible\-collections/community\.sops/pull/32)\)\.
+* community\.sops\.sops vars plugin \- add option to determine when vars are loaded \([https\://github\.com/ansible\-collections/community\.sops/pull/32](https\://github\.com/ansible\-collections/community\.sops/pull/32)\)\.
+
+<a id="v0-1-0"></a>
+## v0\.1\.0
+
+<a id="release-summary-46"></a>
+### Release Summary
+
+First release of the <code>community\.sops</code> collection\!
+This release includes multiple plugins\: an <code>action</code> plugin\, a <code>lookup</code> plugin and a <code>vars</code> plugin\.
+
+<a id="new-plugins-1"></a>
+### New Plugins
+
+<a id="lookup"></a>
+#### Lookup
+
+* community\.sops\.sops \- Read sops encrypted file contents
+
+<a id="vars"></a>
+#### Vars
+
+* community\.sops\.sops \- Loading sops\-encrypted vars files
+
+<a id="new-modules"></a>
+### New Modules
+
+* community\.sops\.load\_vars \- Load sops\-encrypted variables from files\, dynamically within a task
+* community\.sops\.sops\_encrypt \- Encrypt data with sops
diff --git a/ansible_collections/community/sops/CHANGELOG.md.license b/ansible_collections/community/sops/CHANGELOG.md.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/CHANGELOG.md.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/CHANGELOG.rst b/ansible_collections/community/sops/CHANGELOG.rst
new file mode 100644
index 00000000..83c5f5c3
--- /dev/null
+++ b/ansible_collections/community/sops/CHANGELOG.rst
@@ -0,0 +1,669 @@
+============================
+Community SOPS Release Notes
+============================
+
+.. contents:: Topics
+
+v2.2.7
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Known Issues
+------------
+
+- When using the ``community.sops.load_vars`` with ansible-core 2.20, note that the deprecation of ``INJECT_FACTS_AS_VARS`` causes deprecation warnings to be shown every time a variable loaded with ``community.sops.load_vars`` is used. This is due to ansible-core deprecating ``INJECT_FACTS_AS_VARS`` without providing an alternative for modules like ``community.sops.load_vars`` to use. If you do not like these deprecation warnings, you have to explicitly set ``INJECT_FACTS_AS_VARS`` to ``true``. **DO NOT** change the use of SOPS encrypted variables to ``ansible_facts``. The situation will hopefully improve in ansible-core 2.21 through the promised API that allows action plugins to set variables; community.sops will adapt to use it, which will make the warning go away. (The API was originally promised for ansible-core 2.20, but then delayed.)
+
+v2.2.6
+======
+
+Release Summary
+---------------
+
+Bugfix and maintenance release.
+
+Bugfixes
+--------
+
+- Clean up plugin code that does not run on the target (https://github.com/ansible-collections/community.sops/pull/275).
+- Note that the MIT licenced code in ``plugins/module_utils/_six.py`` has been removed (https://github.com/ansible-collections/community.sops/pull/275).
+- sops vars plugin - ensure that loaded vars are evaluated also with ansible-core 2.19+ (https://github.com/ansible-collections/community.sops/pull/273).
+
+v2.2.5
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- load_vars action - avoid another deprecated module utils from ansible-core (https://github.com/ansible-collections/community.sops/pull/270).
+- load_vars action - avoid deprecated import from ansible-core that will be removed in ansible-core 2.21 (https://github.com/ansible-collections/community.sops/pull/272).
+
+v2.2.4
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- Fix accidental type extensions (https://github.com/ansible-collections/community.sops/pull/269).
+
+v2.2.3
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Minor Changes
+-------------
+
+- Note that some new code in ``plugins/module_utils/_six.py`` is MIT licensed (https://github.com/ansible-collections/community.sops/pull/268).
+
+Bugfixes
+--------
+
+- Avoid using ``ansible.module_utils.six`` to avoid deprecation warnings with ansible-core 2.20 (https://github.com/ansible-collections/community.sops/pull/268).
+
+v2.2.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- Avoid deprecated functionality in ansible-core 2.20 (https://github.com/ansible-collections/community.sops/pull/260).
+- all modules and plugins - the default of ``enable_local_keyservice`` changed from ``false`` to ``true``, and explicitly setting it to ``false`` now passes ``--enable-local-keyservice=false``. SOPS' default has always been ``true``, and when setting this option to ``true`` so far it resulted in passing ``--enable-local-keyservice``, which is equivalent to ``--enable-local-keyservice=true`` and had no effect. This means that from now on, setting ``enable_local_keyservice`` explicitly to ``false`` has an effect. If ``enable_local_keyservice`` was not set before, or was set to ``true``, nothing will change (https://github.com/ansible-collections/community.sops/issues/261, https://github.com/ansible-collections/community.sops/pull/262).
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- install role - avoid deprecated parameter value for the ``ansible.builtin.uri`` module (https://github.com/ansible-collections/community.sops/pull/255).
+
+v2.2.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- load_vars - expressions can now be lazily evaluated when using ansible-core 2.19 or newer (https://github.com/ansible-collections/community.sops/pull/229).
+
+v2.1.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- Now supports specifying SSH private keys for age with the new ``age_ssh_private_keyfile`` option (https://github.com/ansible-collections/community.sops/pull/241).
+
+v2.0.5
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated SOPS version test coverage.
+
+v2.0.4
+======
+
+Release Summary
+---------------
+
+Maintenance release with Data Tagging support.
+
+Bugfixes
+--------
+
+- load_vars - make evaluation compatible with Data Tagging in upcoming ansible-core release (https://github.com/ansible-collections/community.sops/pull/225).
+
+v2.0.3
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- install role - ``sops_install_on_localhost=false`` was not working properly if the role was running on more than one host due to a bug in ansible-core (https://github.com/ansible-collections/community.sops/issues/223, https://github.com/ansible-collections/community.sops/pull/224).
+
+v2.0.2
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- install role - when used with Debian on ARM architecture, the architecture name is now correctly translated from ``aarch64`` to ``arm64`` (https://github.com/ansible-collections/community.sops/issues/220, https://github.com/ansible-collections/community.sops/pull/221).
+
+v2.0.1
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation.
+
+v2.0.0
+======
+
+Release Summary
+---------------
+
+Major verison that drops support for End of Life Ansible/ansible-base/ansible-core versions.
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- The collection no longer supports Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14. If you need to continue using End of Life versions of Ansible/ansible-base/ansible-core, please use community.sops 1.x.y (https://github.com/ansible-collections/community.sops/pull/206).
+
+v1.9.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- sops_encrypt - pass absolute paths to ``module.atomic_move()`` (https://github.com/ansible/ansible/issues/83950, https://github.com/ansible-collections/community.sops/pull/208).
+
+v1.9.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- decrypt filter plugin - now supports the input and output type ``ini`` (https://github.com/ansible-collections/community.sops/pull/204).
+- sops lookup plugin - new option ``extract`` allows extracting a single key out of a JSON or YAML file, equivalent to sops' ``decrypt --extract`` (https://github.com/ansible-collections/community.sops/pull/200).
+- sops lookup plugin - now supports the input and output type ``ini`` (https://github.com/ansible-collections/community.sops/pull/204).
+
+v1.8.2
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation and changelog.
+
+Deprecated Features
+-------------------
+
+- The collection deprecates support for all Ansible/ansible-base/ansible-core versions that are currently End of Life, `according to the ansible-core support matrix <https://docs.ansible.com/ansible-core/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix>`__. This means that the next major release of the collection will no longer support Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14.
+
+v1.8.1
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- Pass ``config_path`` on SOPS 3.9.0 before the subcommand instead of after it (https://github.com/ansible-collections/community.sops/issues/195, https://github.com/ansible-collections/community.sops/pull/197).
+
+v1.8.0
+======
+
+Release Summary
+---------------
+
+Feature release for supporting improvements coming with SOPS 3.9.0.
+
+Minor Changes
+-------------
+
+- Detect SOPS 3.9.0 and use new ``decrypt`` and ``encrypt`` subcommands (https://github.com/ansible-collections/community.sops/pull/190).
+- sops vars plugin - new option ``handle_unencrypted_files`` allows to control behavior when encountering unencrypted files with SOPS 3.9.0+ (https://github.com/ansible-collections/community.sops/pull/190).
+
+Bugfixes
+--------
+
+- sops_encrypt - properly support ``path_regex`` in ``.sops.yaml`` when SOPS 3.9.0 or later is used (https://github.com/ansible-collections/community.sops/issues/153, https://github.com/ansible-collections/community.sops/pull/190).
+
+v1.7.0
+======
+
+Release Summary
+---------------
+
+Bugfix and feature release to fix installation issues with SOPS 3.9.0.
+
+Minor Changes
+-------------
+
+- sops vars plugin - allow to configure the valid extensions with an ``ansible.cfg`` entry or with an environment variable (https://github.com/ansible-collections/community.sops/pull/185).
+
+Bugfixes
+--------
+
+- Fix RPM URL for the 3.9.0 release (https://github.com/ansible-collections/community.sops/pull/188).
+
+v1.6.7
+======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- sops_encrypt - ensure that output-type is set to ``yaml`` when the file extension ``.yml`` is used. Now both ``.yaml`` and ``.yml`` files use the SOPS ``--output-type=yaml`` formatting (https://github.com/ansible-collections/community.sops/issues/164).
+
+v1.6.6
+======
+
+Release Summary
+---------------
+
+Make fully compatible with and test against sops 3.8.0.
+
+Bugfixes
+--------
+
+- Fix RPM URL for the 3.8.0 release (https://github.com/ansible-collections/community.sops/pull/161).
+
+v1.6.5
+======
+
+Release Summary
+---------------
+
+Make compatible with and test against sops 3.8.0-rc.1.
+
+Bugfixes
+--------
+
+- Avoid pre-releases when picking the latest version when using the GitHub API method (https://github.com/ansible-collections/community.sops/pull/159).
+- Fix changed DEB and RPM URLs for 3.8.0 and its prerelease(s) (https://github.com/ansible-collections/community.sops/pull/159).
+
+v1.6.4
+======
+
+Release Summary
+---------------
+
+Maintenance/bugfix release for the move of sops to the new `getsops GitHub organization <https://github.com/getsops>`__.
+
+Bugfixes
+--------
+
+- install role - fix ``sops_github_latest_detection=latest-release``, which broke due to sops moving to another GitHub organization (https://github.com/ansible-collections/community.sops/pull/151).
+
+v1.6.3
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation.
+
+From this version on, community.sops is using the new `Ansible semantic markup
+<https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+in its documentation. If you look at documentation with the ansible-doc CLI tool
+from ansible-core before 2.15, please note that it does not render the markup
+correctly. You should be still able to read it in most cases, but you need
+ansible-core 2.15 or later to see it as it is intended. Alternatively you can
+look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/sops/>`__
+for the rendered HTML version of the documentation of the latest release.
+
+Known Issues
+------------
+
+- Ansible markup will show up in raw form on ansible-doc text output for ansible-core before 2.15. If you have trouble deciphering the documentation markup, please upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on https://docs.ansible.com/ansible/devel/collections/community/sops/.
+
+v1.6.2
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- install role - make sure that the ``pkg_mgr`` fact is definitely available when installing on ``localhost``. This can improve error messages in some cases (https://github.com/ansible-collections/community.sops/issues/145, https://github.com/ansible-collections/community.sops/pull/146).
+
+v1.6.1
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- action plugin helper - fix handling of deprecations for ansible-core 2.14.2 (https://github.com/ansible-collections/community.sops/pull/136).
+- various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.sops/pull/133).
+
+v1.6.0
+======
+
+Release Summary
+---------------
+
+Feature release improving the installation role.
+
+Minor Changes
+-------------
+
+- install role - add ``sops_github_latest_detection`` option that allows to configure which method to use for detecting the latest release on GitHub. By default (``auto``) first tries to retrieve a list of recent releases using the API, and if that fails due to rate limiting, tries to obtain the latest GitHub release from a semi-documented URL (https://github.com/ansible-collections/community.sops/pull/133).
+- install role - add ``sops_github_token`` option to allow passing a GitHub token. This can for example be used to avoid rate limits when using the role in GitHub Actions (https://github.com/ansible-collections/community.sops/pull/132).
+- install role - implement another method to determine the latest release on GitHub than using the GitHub API, which can make installation fail due to rate-limiting (https://github.com/ansible-collections/community.sops/pull/131).
+
+v1.5.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- Automatically install GNU Privacy Guard (GPG) in execution environments. To install Mozilla sops a manual step needs to be added to the EE definition, see the collection's documentation for details (https://github.com/ansible-collections/community.sops/pull/98).
+
+New Playbooks
+-------------
+
+- community.sops.install - Installs sops and GNU Privacy Guard on all remote hosts
+- community.sops.install_localhost - Installs sops and GNU Privacy Guard on localhost
+
+New Roles
+---------
+
+- community.sops.install - Install Mozilla sops
+
+v1.4.1
+======
+
+Release Summary
+---------------
+
+Maintenance release to improve compatibility with future ansible-core releases.
+
+Bugfixes
+--------
+
+- load_vars - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.sops/pull/121).
+
+v1.4.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- Allow to specify age keys as ``age_key``, or age keyfiles as ``age_keyfile`` (https://github.com/ansible-collections/community.sops/issues/116, https://github.com/ansible-collections/community.sops/pull/117).
+- sops_encrypt - allow to specify age recipients (https://github.com/ansible-collections/community.sops/issues/116, https://github.com/ansible-collections/community.sops/pull/117).
+
+v1.3.0
+======
+
+Release Summary
+---------------
+
+Feature release.
+
+Minor Changes
+-------------
+
+- All software licenses are now in the ``LICENSES/`` directory of the collection root, and the collection repository conforms to the `REUSE specification <https://reuse.software/spec/>`__ except for the changelog fragments (https://github.com/ansible-collections/community.crypto/sops/108, https://github.com/ansible-collections/community.sops/pull/113).
+- sops vars plugin - added a configuration option to temporarily disable the vars plugin (https://github.com/ansible-collections/community.sops/pull/114).
+
+v1.2.3
+======
+
+Release Summary
+---------------
+
+Fix formatting bug in documentation. No code changes.
+
+v1.2.2
+======
+
+Release Summary
+---------------
+
+Maintenance release.
+
+Bugfixes
+--------
+
+- Include ``simplified_bsd.txt`` license file for the ``sops`` module utils.
+
+v1.2.1
+======
+
+Release Summary
+---------------
+
+Maintenance release with updated documentation.
+
+v1.2.0
+======
+
+Release Summary
+---------------
+
+Collection release for inclusion in Ansible 4.9.0 and 5.1.0.
+
+This release contains a change allowing to configure generic plugin options with ansible.cfg keys and env variables.
+
+Minor Changes
+-------------
+
+- sops lookup and vars plugin - allow to configure almost all generic options by ansible.cfg entries and environment variables (https://github.com/ansible-collections/community.sops/pull/81).
+
+Bugfixes
+--------
+
+- Fix error handling in calls of the ``sops`` binary when negative errors are returned (https://github.com/ansible-collections/community.sops/issues/82, https://github.com/ansible-collections/community.sops/pull/83).
+
+v1.1.0
+======
+
+Release Summary
+---------------
+
+A minor release for inclusion in Ansible 4.2.0.
+
+Minor Changes
+-------------
+
+- Avoid internal ansible-core module_utils in favor of equivalent public API available since at least Ansible 2.9 (https://github.com/ansible-collections/community.sops/pull/73).
+
+New Plugins
+-----------
+
+Filter
+~~~~~~
+
+- community.sops.decrypt - Decrypt sops-encrypted data
+
+v1.0.6
+======
+
+Release Summary
+---------------
+
+This release makes the collection compatible to the latest beta release of ansible-core 2.11.
+
+Bugfixes
+--------
+
+- action_module plugin helper - make compatible with latest changes in ansible-core 2.11.0b3 (https://github.com/ansible-collections/community.sops/pull/58).
+- community.sops.load_vars - make compatible with latest changes in ansible-core 2.11.0b3 (https://github.com/ansible-collections/community.sops/pull/58).
+
+v1.0.5
+======
+
+Release Summary
+---------------
+
+This release fixes a bug that prevented correct YAML file to be created when the output was ending in ``.yaml``.
+
+Bugfixes
+--------
+
+- community.sops.sops_encrypt - use output type ``yaml`` when path ends with ``.yaml`` (https://github.com/ansible-collections/community.sops/pull/56).
+
+v1.0.4
+======
+
+Release Summary
+---------------
+
+This is a security release, fixing a potential information leak in the ``community.sops.sops_encrypt`` module.
+
+Security Fixes
+--------------
+
+- community.sops.sops_encrypt - mark the ``aws_secret_access_key`` and ``aws_session_token`` parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.sops/pull/54).
+
+v1.0.3
+======
+
+Release Summary
+---------------
+
+This release include some fixes to Ansible docs and required changes for inclusion in Ansible.
+
+Bugfixes
+--------
+
+- community.sops.sops lookup plugins - fix wrong format of Ansible variables so that these are actually used (https://github.com/ansible-collections/community.sops/pull/51).
+- community.sops.sops vars plugins - remove non-working Ansible variables (https://github.com/ansible-collections/community.sops/pull/51).
+
+v1.0.2
+======
+
+Release Summary
+---------------
+
+Fix of 1.0.1 release which had no changelog entry.
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Re-release of 1.0.0 to counteract error during release.
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+First stable release. This release is expected to be included in Ansible 3.0.0.
+
+Minor Changes
+-------------
+
+- All plugins and modules: allow to pass generic sops options with new options ``config_path``, ``enable_local_keyservice``, ``keyservice``. Also allow to pass AWS parameters with options ``aws_profile``, ``aws_access_key_id``, ``aws_secret_access_key``, and ``aws_session_token`` (https://github.com/ansible-collections/community.sops/pull/47).
+- community.sops.sops_encrypt - allow to pass encryption-specific options ``kms``, ``gcp_kms``, ``azure_kv``, ``hc_vault_transit``, ``pgp``, ``unencrypted_suffix``, ``encrypted_suffix``, ``unencrypted_regex``, ``encrypted_regex``, ``encryption_context``, and ``shamir_secret_sharing_threshold`` to sops (https://github.com/ansible-collections/community.sops/pull/47).
+
+v0.2.0
+======
+
+Release Summary
+---------------
+
+This release adds features for the lookup and vars plugins.
+
+Minor Changes
+-------------
+
+- community.sops.sops lookup plugin - add ``empty_on_not_exist`` option which allows to return an empty string instead of an error when the file does not exist (https://github.com/ansible-collections/community.sops/pull/33).
+- community.sops.sops vars plugin - add option to control caching (https://github.com/ansible-collections/community.sops/pull/32).
+- community.sops.sops vars plugin - add option to determine when vars are loaded (https://github.com/ansible-collections/community.sops/pull/32).
+
+v0.1.0
+======
+
+Release Summary
+---------------
+
+First release of the ``community.sops`` collection!
+This release includes multiple plugins: an ``action`` plugin, a ``lookup`` plugin and a ``vars`` plugin.
+
+New Plugins
+-----------
+
+Lookup
+~~~~~~
+
+- community.sops.sops - Read sops encrypted file contents
+
+Vars
+~~~~
+
+- community.sops.sops - Loading sops-encrypted vars files
+
+New Modules
+-----------
+
+- community.sops.load_vars - Load sops-encrypted variables from files, dynamically within a task
+- community.sops.sops_encrypt - Encrypt data with sops
diff --git a/ansible_collections/community/sops/CHANGELOG.rst.license b/ansible_collections/community/sops/CHANGELOG.rst.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/CHANGELOG.rst.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/CONTRIBUTING.md b/ansible_collections/community/sops/CONTRIBUTING.md
new file mode 100644
index 00000000..538d071f
--- /dev/null
+++ b/ansible_collections/community/sops/CONTRIBUTING.md
@@ -0,0 +1,37 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+# Contributing
+
+Hello and welcome! Thank you for being interested in contributing to this project.
+
+First of all get confident with the [Ansible Collections Overview](https://github.com/ansible-collections/overview).
+
+We accept pull requests for bugfixes, new features, and other improvements, assuming they pass our review. If you are planning a larger feature or refactoring, please create an issue first to discuss it with us.
+
+## :bug: Reporting an issue
+
+Please [search in the issue list](https://github.com/ansible-collections/community.sops/issues) and if has not been already reported, [open a new issue](https://github.com/ansible-collections/community.sops/issues/new/choose)
+
+## 🏗 To contribute
+
+A more extensive walk-through can be found in [Ansible's Contributing to collections](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#hacking-collections).
+
+1. Fork this repo (when checking it out, see [here](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#contributing-to-collections) for how to place the checkout correctly)
+1. Create a feature branch
+1. Commit and push your code. To make the process faster, please ensure:
+
+    - the tests are green. Tests runs using [GitHub Actions](https://help.github.com/en/actions)
+    - you added a [changelog fragment](https://docs.ansible.com/ansible/devel/community/collection_development_process.html#creating-a-changelog-fragment)
+
+Please note that all PRs that are not strictly documentation, testing, or add a new plugin or module, require a changelog fragment. See [Creating a changelog fragment](https://docs.ansible.com/ansible/devel/community/collection_development_process.html#creating-a-changelog-fragment) for information on that.
+
+Further resources:
+
+- [Ansible Developer guide: developing collections](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html)
+- [Ansible Developer guide](https://docs.ansible.com/ansible/devel/dev_guide/index.html)
+
+This repository adheres to the [Ansible Community code of conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html)
diff --git a/ansible_collections/community/sops/COPYING b/ansible_collections/community/sops/COPYING
new file mode 100644
index 00000000..f288702d
--- /dev/null
+++ b/ansible_collections/community/sops/COPYING
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
diff --git a/ansible_collections/community/sops/FILES.json b/ansible_collections/community/sops/FILES.json
new file mode 100644
index 00000000..5942877c
--- /dev/null
+++ b/ansible_collections/community/sops/FILES.json
@@ -0,0 +1,2861 @@
+{
+ "files": [
+  {
+   "name": ".",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".git-blame-ignore-revs",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "240383e1da76190c543f280f543919ff228955e32e2dd6e826f7f84bd1e73709",
+   "format": 1
+  },
+  {
+   "name": "REUSE.toml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "646b5ce1ce1d31715c0e6a8ad9c2cc2828973e92badb73d1d6e7be33a3d2af3f",
+   "format": 1
+  },
+  {
+   "name": "codecov.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "17878b1333a5ad4dfeb48c0fef67b5c8b8fe4842cda8cbf8827defda286435f6",
+   "format": 1
+  },
+  {
+   "name": "LICENSES",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "LICENSES/GPL-3.0-or-later.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986",
+   "format": 1
+  },
+  {
+   "name": "LICENSES/BSD-2-Clause.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f11e51ed1eec39ad21d458ba44d805807a301c17ee9fe39538ccc9e2b280936c",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b250d439f466daa20c9b93929c5dbabe925d13667389879c766b0ca385530f1",
+   "format": 1
+  },
+  {
+   "name": "antsibull-nox.toml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4d161631daafe2695bb5070f8c63106ce020cc40cc66bcdbf95474e0e67447f",
+   "format": 1
+  },
+  {
+   "name": "plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/vars/sops.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aaf409d27a082a7c0e6cfff3514398f40c5b96a69423d96a0095a3e1f150b6d3",
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments/attributes.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd20b67c4716e782c2886d449736f3cb3497459f840fe19430cf4ac2ada11ceb",
+   "format": 1
+  },
+  {
+   "name": "plugins/doc_fragments/sops.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad9bb7ab9fc2ae8aa6ab3e2203bbbd6d2852072f3f6d3b1112cbadd4f513427f",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/sops.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b35351fdedbc012f4ce53990e63181ab4b60986f72733f9f28c40785a8b6c44",
+   "format": 1
+  },
+  {
+   "name": "plugins/action",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/action/load_vars.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fb79848293274c039a28519e6fafa2c3af91006250e38568785978f8d12d94bc",
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/plugin_utils/action_module.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84ce1d4152b9ab591a1ef6ed7310e7397b01525aff1c02f65cbd971b8b2f2db3",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/io.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08ab98d9caf94092cb20f7309214a777c7f37c60b446645c060c6a08123dabe1",
+   "format": 1
+  },
+  {
+   "name": "plugins/module_utils/sops.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c65ec76ee4263540b0e3b5c7a4095053c0d051d537cee09e3328f6a352964f99",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/decrypt.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34db0c4c9c7950af9875dc6d2c4b6d01aa79633b1b29ab7758c565516b592474",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/_latest_version.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e4e714672e5ccbde99e2cfd5e207401098bec8bb57885c6a7bbee5e97d71a80",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/load_vars.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d36234762970e48a30a2ed6bcfac60771e52d624964e0dc82e921d0d0176f358",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/sops_encrypt.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00010a75467e00c68c24a36daa19d34b82e376f889607f2cabd24fd8d5a7cfe1",
+   "format": 1
+  },
+  {
+   "name": ".yamllint",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3621ef23d44aace7e076ff90311ec0664c72befb95a9ccd0c50364b2bce5f3d0",
+   "format": 1
+  },
+  {
+   "name": ".yamllint-extra-docs",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d641e32566474c19a3d7b95e45eae7e80a24888b04f6942436e4f516c70471d4",
+   "format": 1
+  },
+  {
+   "name": "tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34d67cc292af0d76f381fffa39b54c32a345827b7435598fc9006864729f3662",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files/wrong.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files/simple.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a783da7d3b05e334118ad81a9f159450a450dfea34eddd670eb59004d7774f6",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files/simple.sops.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeda8f8497e64451b74ce7fcb28acc5f990ffc39bca0801f250600b720d65f31",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/roles/lookup_sops/files/wrong.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "774ac4e358eb8d7bc880231586957139e77b8025d9f313cabe4d47e7c1409072",
+   "format": 1
+  },
+  {
+   "name": "tests/ee/all.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34eaea22a6ab72535f9ed1e47e0bdf0c93648e900869b72b78b863118b3ec40e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "216a9c645dfa2235de7de88e6cd6632cc3d77385763e6e97ac90cdbcb853f412",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e11ca6edae518cc531ab425daa9eb93f78f89b9ddd515deabd239e8c7925323d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_latest/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f30f584423afb135316f4e2526bc6a556895eee2918bfb66f87cda5ce4cfa946",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter__latest_version",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter__latest_version/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter__latest_version/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb403955be963645a440cc08e3b80cd5a20b831b51a7a54d05a63b2f56874626",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter__latest_version/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5ced53ad61a1730fd8027e388426ff76ab537963c84bee1ad84ad5fc57dbb2a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops/tasks/install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f17b917f4283017363fdae3f425a8db6a4764824c8f33675b5c58b80c8b779a3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c9e2272b3b407bf5e34ea9da15b1755ef374d456dd365eafc51c30ecd1f360ad",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_sops/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e11ca6edae518cc531ab425daa9eb93f78f89b9ddd515deabd239e8c7925323d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "594627e64e5cb619d5d2a817b6f94c8750c61f21452ebfe3e85427d59996ec06",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "54730c80c5fa787eea72dac59c88627036aeae96c48e27cbec02f9c1bd49a2d2",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "665db3263e44a68e5bd728127a0b1a6dcf93a93eb529e80900a4c4c3fa06d68e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb71bb93b6958a495a1486357d097e5bc9ee2071a16dcc17f27780ad8af5ef77",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6a4ab74aa8a162551b1ad57bb8b3307959a616db4b65ce4b3db3bf2fabec96bc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e11ca6edae518cc531ab425daa9eb93f78f89b9ddd515deabd239e8c7925323d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_version/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e45effc3296ceba464e927b222581850a6a06e387bb178921d6aa64d488464d8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/proper-vars.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09617f1563ee9c9113eb061fe3d6c379195f1f0063aa6ed7670655616b1d53c3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/proper-vars-2.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c67d6bf4c6727441de8c2fc4fc471c4e020f0cca5deb3113a3871e554449f37c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/simple.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/empty.sops.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "df2b650065df0ea33eb3b222cf0ef497d40d51c08d9784529c76b40a59ac7e95",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeda8f8497e64451b74ce7fcb28acc5f990ffc39bca0801f250600b720d65f31",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/empty.sops.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/vars/wrong.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3db0d7497d88af37e0459662c8de65f4b16d52a9e7125a4ac757000f1800d29a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "19326d529d6efc76060e8f0eb94c843150e4ca8c3cfd283d1cf543156d60c6e1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52509d6021ae312164ec913cd4cdd76c0517a999a1664c6ec7036d1e3d543565",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/load_vars/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7661171157841040640d901cb4bdb167adb9a547424b57c61e757cb95514ad4a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/setup.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66c0fce5439d5e26021c162a46663401b3642dc745362bc9532ea5dd2447983c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/1.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be93bbe2194bab694623d3546a9cefd61e4a7b1dc1a084e51aad71829a76af4e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/.gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97f36d8c16c1eb370fcf9b8b9744cefc3ba77072ea6ee2297772f9f290280b45",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "890f837d78392031d57bd4f9ef58befc28ea87dd75300b7e5dbd281b8266a963",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-no-cache/2.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/setup.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66c0fce5439d5e26021c162a46663401b3642dc745362bc9532ea5dd2447983c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/1.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af2f6bd5c2e04a8bbf573705286e6c6b134a28e07d2935130b94548f84dff4e4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/.gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97f36d8c16c1eb370fcf9b8b9744cefc3ba77072ea6ee2297772f9f290280b45",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa2fe10272ab1590be0c541979ddd32c8305ca9c99aead8c024470c53d029e05",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-cache/2.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/setup.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66c0fce5439d5e26021c162a46663401b3642dc745362bc9532ea5dd2447983c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/1.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cad9eef1c4d915cbc950077855a2f450c7c521ced63af7906341923b1b305439",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/.gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97f36d8c16c1eb370fcf9b8b9744cefc3ba77072ea6ee2297772f9f290280b45",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa2fe10272ab1590be0c541979ddd32c8305ca9c99aead8c024470c53d029e05",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-task-cache/2.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3211649df618b304cc222453606ded722eceb0517f1e2c27dac1d07baa48e3bd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/group_vars/all.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3db0d7497d88af37e0459662c8de65f4b16d52a9e7125a4ac757000f1800d29a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/min-version.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3fb09596b06c06ec91ad7e757b946dead33682f9b90fc0d58923ff12bf73dce3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d55b2b54f888a407111fba2ecc8e34ed88d9e51f5e7cdf2d99c8371c5d03160",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/min-version",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07332f6810639c13c53ccc9bbe9b3093d73d997994e8146e8f05a04ab39cd0d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-skip/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/run-tests.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "80e62af27e9d754b915ca281d136cb0b53e332968f9e8e114655a230a502b2bd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/run-test.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "875bd9db24712c0a7cf1caf7e9bfc0a9aab09800d291bb1da3c39b1a0b8837e0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/setup.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66c0fce5439d5e26021c162a46663401b3642dc745362bc9532ea5dd2447983c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/1.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "226c5f21843ce39cfb19514ccf8a5b353842130addebf9b272a98c49cbc70a73",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/.gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97f36d8c16c1eb370fcf9b8b9744cefc3ba77072ea6ee2297772f9f290280b45",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa2fe10272ab1590be0c541979ddd32c8305ca9c99aead8c024470c53d029e05",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-stage-inv-no-cache/2.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52509d6021ae312164ec913cd4cdd76c0517a999a1664c6ec7036d1e3d543565",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/setup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac1747e8244b5a6e548f485c4a854a6a14dd91f45f679ca2d371709dc70de9de",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/group_vars/all.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/group_vars/all",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/group_vars/all/test-template.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "090c1e78de8629816ed4a5398972a9590970d6c6d0b1c62294280f840d7d9bfe",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/group_vars/all/test.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8b7a796ca17d69217be9493fba5d4050d8ca5aa984d64a98b0102d050dd3c6a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/host_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f6272b7880f68b10a514feb4d9db987c640a90232503706081eb3acf629f8c19",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4060937137a2b2e254805ed81e6d02c71c39b9adaaa9989c5a8fe35ef306fb9f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-not-dir",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-not-dir/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3eeaf6e0b19a4abe0fb3272069ea106e3d852de01e46c72acd9e2835845f3dff",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-not-dir/group_vars",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02de562c6658595ae581a5896e447a309c0b6a648ced86815ee3b271c52f0850",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-not-dir/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7112dadd139c189e733635f90156572181e9f845dd24dabcb115788bcbe056e4",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-not-dir/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1186d204e02390b3a193cf7067c77a46fa6c90b210a9219ab361e286dac2b61c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/group_vars/all.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3db0d7497d88af37e0459662c8de65f4b16d52a9e7125a4ac757000f1800d29a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/min-version.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "773c0b58b5192501cd29c6807ecb5787fb153d59432a990eb3f63c4694edc7ef",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d55b2b54f888a407111fba2ecc8e34ed88d9e51f5e7cdf2d99c8371c5d03160",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/min-version",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07332f6810639c13c53ccc9bbe9b3093d73d997994e8146e8f05a04ab39cd0d7",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-warn/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/.gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bfdfca5b406d8e4878fcd339be9ecc57574200b9a37ef9c58d25f27a30344cf6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eba5d1c9f3bef78527d1c794faf91d13ff41d577efd24065820c803e89e0ee63",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaed8ac4f4b87877e124b6cdefd42b6994519d9ae97246dc4bc11fccb074a080",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/group_vars/all",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/group_vars/all/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6c19c1f55ba438db601ab40184d921edc9aeaea04e5f943a6a74d5884a539bb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/group_vars/all.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e861b6423b8cb695cf1e9619ef06d852cb2a676f96a3961cd40662b4cae1703",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fba778eac2a8ba31239bcc92c2b9b0676ab76e0949a3b635a8744a6e19b6f28d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb20ba0278cae87f3b1585ced67d3b29d573cfb5b9d73ffda531325b447d0fe0",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/host_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f6272b7880f68b10a514feb4d9db987c640a90232503706081eb3acf629f8c19",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a281b048e4005a30f42f28c42dce6e1b612e49218960b0d8f432f25281ba6cd2",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bc578e5023ad323f79f074c8bc22be9063d656bf5370b6c0361556fa9a50f0f",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d60869452fe10424cf1f1a2c335018cd9a1f2a0ca31258744efe2b554132af26",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-disable-sops/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeda8f8497e64451b74ce7fcb28acc5f990ffc39bca0801f250600b720d65f31",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/validate.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e2460d80b356ea9f62b26940e07e4c3b7cec13898732e62caf7fbe62ab77545",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/group_vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/group_vars/all.sops.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3db0d7497d88af37e0459662c8de65f4b16d52a9e7125a4ac757000f1800d29a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/run.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "546994b8f9a11a93c2a5e588e6f65db0f909e5454c7546053c43a5c3c3f3d1cd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/playbook.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d55b2b54f888a407111fba2ecc8e34ed88d9e51f5e7cdf2d99c8371c5d03160",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/test-bad-file-error/hosts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce6a439f1bdce812664b04096894bb32a403f45d48c29c9ebd7b72205e49034b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/vars_sops/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5ced53ad61a1730fd8027e388426ff76ab537963c84bee1ad84ad5fc57dbb2a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr/tasks/archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd071a182e3762f530cddc36a67e55e9c1ea8c404bbc18316d8d12347f4fbe01",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/setup_pkg_mgr/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0fb106d2ee26ad02f4d9f5328055b76932dbef01bc491dd336d2684ace8ee673",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dad09d9dd69e638cdf24fe6de80bc23814e5f92040a949780d286e32531ec0dd",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52509d6021ae312164ec913cd4cdd76c0517a999a1664c6ec7036d1e3d543565",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57d163281b9b1c914944b5cbd55171a191f99deda0c86cad40ccbbce33493c7e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9766120534987766979b39f4f65f07d24f072c6fd63d4c07e14bd77c5ec470f3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/rstrip.sops.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9766120534987766979b39f4f65f07d24f072c6fd63d4c07e14bd77c5ec470f3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/fake-sops-val.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "600f10d79db3a5bea9f628adca64245c51f7f0c6e36014768a94c996b755f278",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/rstrip.sops",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c3b02c75c417d5f59e39fff32233fd6fa7353320516de0a056212f199ad5881",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/simple.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a783da7d3b05e334118ad81a9f159450a450dfea34eddd670eb59004d7774f6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8351dcbf94b7e163364b51222760ef2ee6254d1e0a106606e1fda000b9b730a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/simple.sops.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/binary.sops",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7a905c43f10dd195a2eea154cfafb57c410caf85c337a950485f1b35edc3534",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-json.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-yaml.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/binary.sops.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeda8f8497e64451b74ce7fcb28acc5f990ffc39bca0801f250600b720d65f31",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06c1d23eebd6cf6298b4f244e40f17474d5815c1eb072e6d0080785187003a96",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/fake-sops.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3789c363d753216c8cb2c5c7aa854eecdaea8b76c2b1101dc6be1f87b3ab9e46",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/fake-sops-rep.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a19245065178617e87cf36c758991a86f50b972450e09c669a1e76e5e8f52f1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8351dcbf94b7e163364b51222760ef2ee6254d1e0a106606e1fda000b9b730a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/filter_decrypt/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5ced53ad61a1730fd8027e388426ff76ab537963c84bee1ad84ad5fc57dbb2a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/tasks/test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37538e41a00d4c5bf666b2ec18e591b27380671723b81bb73ace6ffd0ac76ccc",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0419c735f9303bef3e3792a1fe74c3745ad5d0d814e3300cfb0444aa4ae926b5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc66f3ccd8b2c53eee76bd77ac62eae64fa4e969f2095c3794be0d10f75e1c36",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/age/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "470b53b780d099e0c1f82cf652e55bce5eb4986d585b02ec728665520dac4d38",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "018841939375e5af3b49f69ac5d1d2d16de585fe5156cbab1d839630eb1b2507",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e11ca6edae518cc531ab425daa9eb93f78f89b9ddd515deabd239e8c7925323d",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/role_install_localhost_remote/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d434e2c8d436bbd2b9b9af7539f126714f355859097e12a21147328fd8925fa1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0058b6cedc8a16b576d3e58da88e6e6e89952e22cb9cca11931629d552d0f676",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc66f3ccd8b2c53eee76bd77ac62eae64fa4e969f2095c3794be0d10f75e1c36",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/files/broken-json-yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2c893ee6494b8be5bc4e5cf9770c69f5ea7076ee62aab16f8e8c028c9114a81",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/files/broken-json-yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/files/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d9a553ab8caa4a8a3c3884226487054e090647d7d7c05c426c16077d45bedeb6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/files/wrong.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3db0d7497d88af37e0459662c8de65f4b16d52a9e7125a4ac757000f1800d29a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/sops_encrypt/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "470b53b780d099e0c1f82cf652e55bce5eb4986d585b02ec728665520dac4d38",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b327ceafb65f1b7f99389efa5fa9b7d5433237a6d580239c8fa0ab2d9187780",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52509d6021ae312164ec913cd4cdd76c0517a999a1664c6ec7036d1e3d543565",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57d163281b9b1c914944b5cbd55171a191f99deda0c86cad40ccbbce33493c7e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9766120534987766979b39f4f65f07d24f072c6fd63d4c07e14bd77c5ec470f3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/rstrip.sops.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9766120534987766979b39f4f65f07d24f072c6fd63d4c07e14bd77c5ec470f3",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0ea5e7739b3987f67e48cd7a70b28637745f85792817fd77ff38de7297fd2c6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/extract.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/fake-sops-val.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26d8124c99350c25bcaf44b22833c9e27253dbfb22589356639ec58d571211aa",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/rstrip.sops",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c3b02c75c417d5f59e39fff32233fd6fa7353320516de0a056212f199ad5881",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/wrong.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/simple.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a783da7d3b05e334118ad81a9f159450a450dfea34eddd670eb59004d7774f6",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8351dcbf94b7e163364b51222760ef2ee6254d1e0a106606e1fda000b9b730a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/simple.sops.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/binary.sops",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7a905c43f10dd195a2eea154cfafb57c410caf85c337a950485f1b35edc3534",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-json.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a280b4e00c70f46e801d0ee2a072776ceb8350b196af57d97500d1a99369ef9",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-yaml.json.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/binary.sops.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/.sops.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeda8f8497e64451b74ce7fcb28acc5f990ffc39bca0801f250600b720d65f31",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06c1d23eebd6cf6298b4f244e40f17474d5815c1eb072e6d0080785187003a96",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/wrong.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "774ac4e358eb8d7bc880231586957139e77b8025d9f313cabe4d47e7c1409072",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/extract.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01f058bee06782cf2d0122982e7818e31804cc844d5505f3460a633563a41074",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/extract.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/fake-sops.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a706b8cc2838a8f142b81126fd41afd159d0725b32a23e37e141c4540452ded",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/extract.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cdf206f1f592b61e1721304619611ac32ca61009d78912b83999f93ed0ac213e",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/fake-sops-rep.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9812984ee2aea316f49380318664247f093c2c794892accc9e54916054cab2d8",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8351dcbf94b7e163364b51222760ef2ee6254d1e0a106606e1fda000b9b730a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/lookup_sops/aliases",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5ced53ad61a1730fd8027e388426ff76ab537963c84bee1ad84ad5fc57dbb2a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/requirements.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e459b16d4c383a28e6b6030410eceddeab67cc7e6fed1900da9c3f1f02788a5e",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.17.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.20.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.21.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.18.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.20.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.18.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.19.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.17.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.21.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.16.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.15.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "339f0feb36bead5f3e7ea0b6f9e2a87c0c3206f495d294ecfad057f7defa0225",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.16.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.15.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/sanity/ignore-2.19.txt.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "tests/config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "498d46cf08b5abb09880088fa8fd142315f7f775e94cdc7d41364ed20fc2cd65",
+   "format": 1
+  },
+  {
+   "name": "meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "meta/execution-environment.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c7db7c82053279bd826cc4c66fa24c647faa5372757897fa925e1a9d98039d67",
+   "format": 1
+  },
+  {
+   "name": "meta/ee-bindep.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8e29f260b34c124f718cc779c30a6837ef867ee9aea33b0a1b03fa96b4548cde",
+   "format": 1
+  },
+  {
+   "name": "meta/runtime.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "990f7818232f77939ae2eec617bb78d1c27e0e7761ad5fa9415e7f3f8eede99d",
+   "format": 1
+  },
+  {
+   "name": "roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Debian-10.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7105ecc5fd0abddd3671660be86555a44088050e564b74f2b1136d1b2b6db735",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/OS-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c8db91a48f120ad6285cfb5c7af8fc883a50d8b201791d0c91bbc21ee60def6",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Ubuntu-18.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7105ecc5fd0abddd3671660be86555a44088050e564b74f2b1136d1b2b6db735",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c8db91a48f120ad6285cfb5c7af8fc883a50d8b201791d0c91bbc21ee60def6",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7105ecc5fd0abddd3671660be86555a44088050e564b74f2b1136d1b2b6db735",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Ubuntu-20.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7105ecc5fd0abddd3671660be86555a44088050e564b74f2b1136d1b2b6db735",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Fedora.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c8db91a48f120ad6285cfb5c7af8fc883a50d8b201791d0c91bbc21ee60def6",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c8db91a48f120ad6285cfb5c7af8fc883a50d8b201791d0c91bbc21ee60def6",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/vars/D-Ubuntu-16.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7105ecc5fd0abddd3671660be86555a44088050e564b74f2b1136d1b2b6db735",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d52cae5de555ad64e8ad8ba3d0ed8e3e58f5d9a3a6d85e1e96bddddfd0be51ae",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e30e175feea52ea8700b747162d2bb04a48993152b7a8381064635d30de790ae",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07ac7d3cc67a5ab083da48b82b291eaf4c33a6ce2369d0b92500dadfb4c4c61a",
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/_install_age/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64b0ffb3994173665d42d8d1e5a642a02d85080eaa146529bdbc36a1a86ee036",
+   "format": 1
+  },
+  {
+   "name": "roles/install",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars/OS-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a9a290ff0ba75f3e706ba9c1e9f088a62d21686eb9e24d690c218752531b70b",
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars/D-Archlinux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c75bbf18af712a90df2c56709ac74582406c84a84e60baefc653012726cd318",
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars/default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "70c1ffe02d84556e3ec3919f090e16cc55f7a867007036715e7b7f1008208d4a",
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars/OS-RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ecc56ee700e39e192c33a5a66278689d45270c3250ba364a06c24aaf7e5a99d",
+   "format": 1
+  },
+  {
+   "name": "roles/install/vars/D-Alpine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b5cc289609a2404abb08ebf6282d1384dd637e276cc7ec41f141a15ff10d3db",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/github_api.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3dc6d2da9fbae52228765cc4f5f6d3a4a18af8a5d7691c13963943000df8219",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/github.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc4e81c94004071e67503bfd48a4d8165a4c68b01d52e5e42b415c172e9a611c",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/github_latest_release.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e73f490c81a2cf9368e1ff124f5f1e0af5ca2f52089dbaf8a0b6e902074989e3",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/detect_source.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "589eceb03f8ef9037fb4a3aa04fe5752d7d8ef60f572035f2c49568e3eb0cb8d",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/system.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2b15e04a613b810a43cbdca2e258cd53e315d40a9e69b056416b1b779622e5e",
+   "format": 1
+  },
+  {
+   "name": "roles/install/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d0e58c84abd7752e18796a1d9c548ce79ec5af950736dd4492bb211e3f7c2e5e",
+   "format": 1
+  },
+  {
+   "name": "roles/install/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/install/meta/argument_specs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a4458b73b41e326fd2edd9cb16abd0bdbc80f52efca1f811642543358c2f711e",
+   "format": 1
+  },
+  {
+   "name": "roles/install/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "55e84a1c972d7be0b99a3e807e0ab6067ed8217006cbffa20a03f8ed81965462",
+   "format": 1
+  },
+  {
+   "name": "roles/install/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07ac7d3cc67a5ab083da48b82b291eaf4c33a6ce2369d0b92500dadfb4c4c61a",
+   "format": 1
+  },
+  {
+   "name": "roles/install/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/install/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e21e3d199dfa4e67150043423d7246df7178fefbb6a4708ea89a0d2170191a29",
+   "format": 1
+  },
+  {
+   "name": "playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/install_localhost.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd27aece296cd2067350eeb8fc86f9daf59e016562cf3cee2e3e15a3688382de",
+   "format": 1
+  },
+  {
+   "name": "playbooks/install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e6a7256239a8e06076943378085fa4efe479356ed8d6ecbb65253590a8c3854",
+   "format": 1
+  },
+  {
+   "name": ".yamllint-docs",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4ff8aace264eb4b3c2acb26002f4075fb5341e152490ade5db2defc992cf2a6",
+   "format": 1
+  },
+  {
+   "name": "docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/links.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22fe754871b51314d75985ec36e0ec21cc6425d55e7fe351742b4ef1e1d42bd6",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/extra-docs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48427a12a6ad4b45d88a54221a229ff06541e0b9c95955371f76d795b1f2fb76",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/rst",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/rst/guide.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a0cf72c626993b16cb9569be8bfa760b999e18932496aad04d6fc5e094fe9d0",
+   "format": 1
+  },
+  {
+   "name": "docs/docsite/config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c5ec9ff76cf4db33b5d3f771419ef50d448e5d510cb7a98fc07dd9ecee69c4e",
+   "format": 1
+  },
+  {
+   "name": "changelogs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "changelogs/changelog.yaml.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "changelogs/fragments",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "changelogs/fragments/.keep",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "changelogs/config.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4113e1cd052310bbee6e8097368ef2dfb19f1a04750ee1dfc17b05bf025bbdd5",
+   "format": 1
+  },
+  {
+   "name": "changelogs/changelog.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "29fcf08442fb8c3902ac0eb876a70c15cd9bdc601e379bfa5fc64b373edf35a2",
+   "format": 1
+  },
+  {
+   "name": "README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0f17a47865a1cb7a4f8e3a0060dc96048b03fdb216c222c8b376b722fc37b65f",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.rst.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "COPYING",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986",
+   "format": 1
+  },
+  {
+   "name": ".gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd221ff5caf14bfd0480118704ec6066f4d7e666d954110c62a349c7cc64f227",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.md.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": "CONTRIBUTING.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9fec1efe56d0405d4a67e9594bd4cb0705bf720279d097e931a6880f0a34a411",
+   "format": 1
+  },
+  {
+   "name": ".github",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/docs-pr.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc82687db73b0ba3f10feb5d5ef57c780be5b37afc914662f82c2b4daabe4e48",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/nox.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7afd8d22ca93777a07ce0fbde34ea77c1e20a4fa13b9997c022ff779c89126e4",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/docs-push.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0328a7a5264ca592f6c5ff39fd79d247842f8bb9a7e3ba14ade1cbccb21b64a8",
+   "format": 1
+  },
+  {
+   "name": ".github/pull_request_template.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b21ab066348ab442ca1036e16ba8c201945c9d902941745bb1c547eff97eb6ec",
+   "format": 1
+  },
+  {
+   "name": ".github/pull_request_template.md.license",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb915239f9f35407fa68fdc41ed6522f1fdcce11badbdcd6057548023179ac1",
+   "format": 1
+  },
+  {
+   "name": ".github/patchback.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6a23e48e2562604318540e6ddcac75213ad2c367258d76fc75914e9b939d380e",
+   "format": 1
+  },
+  {
+   "name": ".github/dependabot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "673731e08adb20eb69f8b1a19a3ecb6b1989ac7d8f8e9a5b477aaeb480dffa1f",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25434b94aad10d1bdc5dade824f740d39070b323e7ec9a2aff01bea30bf062c5",
+   "format": 1
+  },
+  {
+   "name": ".yamllint-examples",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0318dedf44e374936934d8f16887df85ac793a0ddd9c0b410972574c700249cb",
+   "format": 1
+  },
+  {
+   "name": "noxfile.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe73fd8df292548f2090cea7fbeef2a352f841cfa9d3f1658837d2007fe4a079",
+   "format": 1
+  }
+ ],
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/LICENSES/BSD-2-Clause.txt b/ansible_collections/community/sops/LICENSES/BSD-2-Clause.txt
new file mode 100644
index 00000000..6810e04e
--- /dev/null
+++ b/ansible_collections/community/sops/LICENSES/BSD-2-Clause.txt
@@ -0,0 +1,8 @@
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/ansible_collections/community/sops/LICENSES/GPL-3.0-or-later.txt b/ansible_collections/community/sops/LICENSES/GPL-3.0-or-later.txt
new file mode 120000
index 00000000..012065c8
--- /dev/null
+++ b/ansible_collections/community/sops/LICENSES/GPL-3.0-or-later.txt
@@ -0,0 +1 @@
+../COPYING
\ No newline at end of file
diff --git a/ansible_collections/community/sops/MANIFEST.json b/ansible_collections/community/sops/MANIFEST.json
new file mode 100644
index 00000000..1e5ad06b
--- /dev/null
+++ b/ansible_collections/community/sops/MANIFEST.json
@@ -0,0 +1,37 @@
+{
+ "collection_info": {
+  "namespace": "community",
+  "name": "sops",
+  "version": "2.2.7",
+  "authors": [
+   "Edoardo Tenani"
+  ],
+  "readme": "README.md",
+  "tags": [
+   "sops",
+   "encryption",
+   "decryption",
+   "secret",
+   "vault"
+  ],
+  "description": "Support usage of SOPS (getsops/sops) from your Ansible playbooks",
+  "license": [
+   "GPL-3.0-or-later",
+   "BSD-2-Clause"
+  ],
+  "license_file": null,
+  "dependencies": {},
+  "repository": "https://github.com/ansible-collections/community.sops",
+  "documentation": null,
+  "homepage": "https://github.com/ansible-collections/community.sops",
+  "issues": "https://github.com/ansible-collections/community.sops/issues"
+ },
+ "file_manifest_file": {
+  "name": "FILES.json",
+  "ftype": "file",
+  "chksum_type": "sha256",
+  "chksum_sha256": "d6a32bb2e00581e2d48d02e472b018d2e958cff2cacac32329d0375611666f34",
+  "format": 1
+ },
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/README.md b/ansible_collections/community/sops/README.md
new file mode 100644
index 00000000..694a6d3b
--- /dev/null
+++ b/ansible_collections/community/sops/README.md
@@ -0,0 +1,362 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+# Community SOPS Collection
+[![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/sops/)
+[![CI](https://github.com/ansible-collections/community.sops/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.sops/actions)
+[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.sops)](https://codecov.io/gh/ansible-collections/community.sops)
+[![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.sops)](https://api.reuse.software/info/github.com/ansible-collections/community.sops)
+
+The `community.sops` collection allows integrating [CNCF SOPS (`getsops/sops`)](https://github.com/getsops/sops) in Ansible.
+
+`getsops/sops` is a tool for encryption and decryption of files using secure keys (GPG, KMS, age). It can be leveraged in Ansible to provide an easy to use and flexible to manage way to manage ecrypted secrets' files.
+
+Please note that this collection does **not** support Windows targets.
+
+## SOPS version compatibility
+
+The following table shows which versions of SOPS were tested with which versions of the collection. Older (or newer) versions of SOPS can still work fine, it just means that we did not test them. In some cases, it could be that a minimal required version of SOPS is explicitly documented for a specific feature. This is the case from community.sops 1.8.0 on; from that version on the collection automatically detects the SOPS version to determine whether a feature is supported or not.
+
+|`community.sops` version|SOPS versions|
+|---|---|
+|`main` branch|`3.5.0`, `3.6.0`, `3.6.1`, `3.7.0`, `3.7.3`, `3.8.0`, `3.8.1`, `3.9.0`, `3.9.1`, `3.9.2`, `3.9.3`, `3.10.0`, `3.10.1`, `3.10.2`, `3.11.0`|
+
+## Code of Conduct
+
+We follow [Ansible Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html) in all our interactions within this project.
+
+If you encounter abusive behavior violating the [Ansible Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html), please refer to the [policy violations](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html#policy-violations) section of the Code of Conduct for information on how to raise a complaint.
+
+## Communication
+
+* Join the Ansible forum:
+  * [Get Help](https://forum.ansible.com/c/help/6): get help or help others.Please add appropriate tags if you start new discussions, for example the `sops` tag.
+  * [Posts tagged with 'sops'](https://forum.ansible.com/tag/sops): subscribe to participate in SOPS related conversations.
+  * [Social Spaces](https://forum.ansible.com/c/chat/4): gather and interact with fellow enthusiasts.
+  * [News & Announcements](https://forum.ansible.com/c/news/5): track project-wide announcements including social events.
+
+* The Ansible [Bullhorn newsletter](https://docs.ansible.com/ansible/devel/community/communication.html#the-bullhorn): used to announce releases and important changes.
+
+For more information about communication, see the [Ansible communication guide](https://docs.ansible.com/ansible/devel/community/communication.html).
+
+## Tested with Ansible
+
+Tested with the current ansible-core 2.15, ansible-core 2.16, ansible-core 2.17, ansible-core 2.18, and ansible-core 2.19 releases and the current development version of ansible-core. Ansible versions before 2.15.0 are not supported.
+
+## External requirements
+
+<!-- List any external resources the collection depends on, for example minimum versions of an OS, libraries, or utilities. Do not list other Ansible collections here. -->
+
+You will need to install [the `sops` CLI tool](https://github.com/getsops/sops) manually before using plugins provided by this
+collection.
+
+## Collection Documentation
+
+Browsing the [**latest** collection documentation](https://docs.ansible.com/ansible/latest/collections/community/sops) will show docs for the _latest version released in the Ansible package_, not the latest version of the collection released on Galaxy.
+
+Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/sops) shows docs for the _latest version released on Galaxy_.
+
+We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.sops/branch/main/) which shows docs for the _latest commit in the `main` branch_.
+
+If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
+
+## Included content
+
+<!-- Galaxy will eventually list the module docs within the UI, but until that is ready, you may need to either describe your plugins etc here, or point to an external docsite to cover that information. -->
+
+This collection provides:
+
+- a [lookup plugin](https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#playbooks-lookups) `community.sops.sops` that allows looking up a SOPS-encrypted file content;
+- a [filter plugin](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html) `community.sops.decrypt` that allows decrypting SOPS-encrypted data;
+- a [vars plugin](https://docs.ansible.com/ansible/latest/plugins/vars.html) `community.sops.sops` that allows loading Ansible vars from SOPS-encrypted files for hosts and groups;
+- an [action plugin](https://docs.ansible.com/ansible/latest/plugins/action.html) `community.sops.load_vars` that allows loading Ansible vars from a SOPS-encrypted file dynamically during a playbook or role;
+- a [module](https://docs.ansible.com/ansible/latest/user_guide/basic_concepts.html#modules) `community.sops.sops_encrypt` which allows to encrypt data with SOPS.
+- a [role](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html) `community.sops.install` which allows to install SOPS and GNU Privacy Guard.
+- two [playbooks](https://docs.ansible.com/ansible/latest/user_guide/playbooks_intro.html) `community.sops.install` and `community.sops.install_localhost` which allow to install SOPS and GNU Privacy Guard.
+
+## Using this collection
+
+### Installing SOPS
+
+To install SOPS, you can use the `community.sops.install` role. The role also installs [GNU Privacy Guard (GPG)](https://en.wikipedia.org/wiki/GNU_Privacy_Guard).
+
+Examples:
+
+```yaml
+tasks:
+  # To use the sops_encrypt module on a remote host, you need to install SOPS on it:
+  - name: Install SOPS on remote hosts
+    ansible.builtin.include_role:
+      name: community.sops.install
+    vars:
+      sops_version: 2.7.0  # per default installs the latest version
+
+  # To use the lookup plugin, filter plugin, vars plugin, or the load_vars action,
+  # you need SOPS installed on localhost:
+  - name: Install SOPS on localhost
+    ansible.builtin.include_role:
+      name: community.sops.install
+    vars:
+      sops_install_on_localhost: true
+```
+
+### lookup plugin
+
+The lookup plugin can be accessed with the `community.sops.sops` key.
+
+Examples:
+
+```yaml
+tasks:
+  - name: Output secrets to screen (BAD IDEA!)
+    ansible.builtin.debug:
+      msg: "Content: {{ lookup('community.sops.sops', '/path/to/sops-encrypted-file.enc.yaml') }}"
+
+  - name: Add SSH private key
+    ansible.builtin.copy:
+      content: "{{ lookup('community.sops.sops', user + '-id_rsa') }}"
+      dest: /home/{{ user }}/.ssh/id_rsa
+      owner: "{{ user }}"
+      group: "{{ user }}"
+      mode: 0600
+    no_log: true  # avoid content to be written to log
+```
+
+See [Lookup Plugins](https://docs.ansible.com/ansible/latest/plugins/lookup.html) for more details on lookup plugins.
+
+### filter plugin
+
+The filter plugin can be used in Jinja2 expressions by the name `community.sops.decrypt`. It can decrypt SOPS-encrypted data coming from other sources than files.
+
+Example:
+
+```yaml
+tasks:
+  - name: Load SOPS encrypted data
+    ansible.builtin.set_fact:
+      encrypted_data: "{{ lookup('file', '/path/to/sops-encrypted-file.enc.yaml') }}"
+
+  - name: Output secrets to screen (BAD IDEA!)
+    ansible.builtin.debug:
+      msg: "Content: {{ encrypted_data | community.sops.decrypt(output_type='yaml') }}"
+```
+
+See [Filter Plugins](https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html) for more details on filters.
+
+Please note that if you put a Jinja2 expression in a variable, it will be evaluated **every time it is used**. Decrypting data takes a certain amount of time. If you need to use an expression multiple times, it is better to store its evaluated form as a fact with `ansible.bulitin.set_fact` first:
+
+```yaml
+tasks:
+  - name: Decrypt data once
+    ansible.builtin.set_fact:
+      decrypted_data: "{{ encrypted_data | community.sops.decrypt }}"
+    run_once: true  # if encrypted_data is identical on all hosts
+
+  - name: Use decrypted secrets multiple times
+    ansible.builtin.openssl_privatekey:
+      path: "/path/to/private_{{ item }}.pem"
+      passphrase: "{{ decrypted_data }}"
+      cipher: auto
+    loop:
+      - foo
+      - bar
+      - baz
+```
+
+By using `{{ encrypted_data | community.sops.decrypt }}` instead of `{{ decrypted_data }}` in the `openssl_privatekey` task, the data would be decrypted three times for every host this is executed for. With the `ansible.builtin.set_fact` and `run_once: true`, it is evaluated only once.
+
+### vars plugin
+
+Vars plugins only work in ansible >= 2.10 and require explicit enabling.  One
+way to enable the plugin is by adding the following to the `defaults` section of
+your `ansible.cfg`:
+
+```ini
+vars_plugins_enabled = host_group_vars,community.sops.sops
+```
+
+See [VARIABLE_PLUGINS_ENABLED](https://docs.ansible.com/ansible/devel/reference_appendices/config.html#variable-plugins-enabled) for more details.
+
+After the plugin is enabled, correctly named group and host vars files will be
+transparently decrypted with SOPS.
+
+The files must end with one of these extensions:
+
+* `.sops.yaml`
+* `.sops.yml`
+* `.sops.json`
+
+(These extensions can be adjusted, check out the vars plugin's options for details.) Here is an example file structure:
+
+```
+├── inventory/
+│   ├── group_vars/
+│   │   └── all.sops.yml
+│   ├── host_vars/
+│   │   ├── server1.sops.yml
+│   │   └── server2/
+│   │       └── data.sops.yml
+│   └── hosts
+├── playbooks/
+│   └── setup-server.yml
+└── ansible.cfg
+```
+
+You could execute the playbook in this example with the following command. The
+SOPS-encrypted vars files would be decrypted and used.
+
+```console
+$ ansible-playbook playbooks/setup-server.yml -i inventory/hosts
+```
+
+#### Determine when to load variables
+
+Ansible 2.10 allows to determine [when vars plugins load the data](https://docs.ansible.com/ansible/latest/plugins/vars.html#using-vars-plugins).
+
+To run the SOPS vars plugin right after importing inventory, you can add the following to `ansible.cfg`:
+
+```ini
+[community.sops]
+vars_stage = inventory
+```
+
+#### Caching variable files
+
+By default, the vars plugin caches decrypted files to avoid having to decrypt them every task. If this is not wanted, it can be explicitly disabled in `ansible.cfg`:
+
+```ini
+[community.sops]
+vars_cache = false
+```
+
+Please note that when using vars plugin staging, this setting only has effect if the variables are not only loaded during the `inventory` stage. See the documentation of the `community.sops.sops` vars plugin for more details.
+
+### load_vars action plugin
+
+The `load_vars` action plugin can be used similarly to Ansible's `include_vars`, except that it right now only supports single files. Also, it does not allow to load proper variables (i.e. "unsafe" Jinja2 expressions which evaluate on usage), but only facts. This is a restriction imposed by ansible-core. The plugin does allow to evaluate expressions on load-time, though.
+
+Examples:
+
+```yaml
+tasks:
+  - name: Load variables from file and store them in a variable
+    community.sops.load_vars:
+      file: path/to/sops-encrypted-file.sops.yaml
+      name: variable_to_store_contents_in
+
+  - name: Load variables from file into global namespace, and evaluate Jinja2 expressions
+    community.sops.load_vars:
+      file: path/to/sops-encrypted-file-with-jinja2-expressions.sops.yaml
+      # The following allows to use Jinja2 expressions in the encrypted file!
+      # They are evaluated right now, i.e. not later like when loaded with include_vars.
+      expressions: evaluate-on-load
+```
+
+### sops_encrypt module
+
+The `sops_encrypt` module can be used to create and update SOPS-encrypted files. It assumes that SOPS is configured via environment variables or a `.sops.yaml` file.
+
+Examples:
+
+```yaml
+tasks:
+  - name: Store secret text SOPS-encrypted
+    community.sops.sops_encrypt:
+      path: path/to/sops-encrypted-file.sops
+      content_text: This is some secret text.
+
+  - name: Store secret binary data SOPS-encrypted
+    community.sops.sops_encrypt:
+      path: path/to/sops-encrypted-file.sops
+      content_binary: "{{ some_secret_binary_data | b64encode }}"
+
+  - name: Store secret JSON data
+    community.sops.sops_encrypt:
+      path: path/to/sops-encrypted-file.sops.json
+      content_json:
+        key1: value1
+        key2:
+          - value2
+          - key3: value3
+            key4: value5
+
+  - name: Store secret YAML data
+    community.sops.sops_encrypt:
+      path: path/to/sops-encrypted-file.sops.yaml
+      content_yaml:
+        key1: value1
+        key2:
+          - value2
+          - key3: value3
+            key4: value5
+```
+
+## Troubleshooting
+
+### Spurious failures during encryption and decryption with gpg
+
+Older versions of SOPS calls `gpg` with `--use-agent`. When running multiple of these in parallel, for example when loading variables or looking up files for various hosts at once, some of these can randomly fail with messages such as
+```
+Failed to get the data key required to decrypt the SOPS file.
+
+Group 0: FAILED
+  D13xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
+    - | could not decrypt data key with PGP key:
+      | golang.org/x/crypto/openpgp error: Reading PGP message
+      | failed: openpgp: incorrect key; GPG binary error: exit
+      | status 2
+
+  828xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: FAILED
+    - | could not decrypt data key with PGP key:
+      | golang.org/x/crypto/openpgp error: Reading PGP message
+      | failed: openpgp: incorrect key; GPG binary error: exit
+      | status 2
+
+Recovery failed because no master key was able to decrypt the file. In
+order for SOPS to recover the file, at least one key has to be successful,
+but none were.
+```
+This is a limitation of gpg-agent which can be fixed by adding `auto-expand-secmem` to `~/.gnupg/gpg-agent.conf` ([reference on option](https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#index-ssh_002dfingerprint_002ddigest), [reference on config file](https://www.gnupg.org/documentation/manuals/gnupg/Agent-Configuration.html)).
+
+(See https://github.com/ansible-collections/community.sops/issues/34 and https://dev.gnupg.org/T4146 for more details.)
+
+## Contributing to this collection
+
+<!--Describe how the community can contribute to your collection. At a minimum, include how and where users can create issues to report problems or request features for this collection.  List contribution requirements, including preferred workflows and necessary testing, so you can benefit from community PRs. If you are following general Ansible contributor guidelines, you can link to - [Ansible Community Guide](https://docs.ansible.com/ansible/latest/community/index.html). -->
+
+See [CONTRIBUTING.md](https://github.com/ansible-collections/community.sops/blob/main/CONTRIBUTING.md)
+
+## Release notes
+
+See [CHANGELOG.md](https://github.com/ansible-collections/community.sops/blob/main/CHANGELOG.md).
+
+## Releasing, Versioning and Deprecation
+
+This collection follows [Semantic Versioning](https://semver.org/). More details on versioning can be found [in the Ansible docs](https://docs.ansible.com/ansible/latest/dev_guide/developing_collections.html#collection-versions).
+
+We plan to regularly release new minor or bugfix versions once new features or bugfixes have been implemented.
+
+Releasing the current major version happens from the `main` branch. We will create a `stable-1` branch for 1.x.y versions once we start working on a 2.0.0 release, to allow backporting bugfixes and features from the 2.0.0 branch (`main`) to `stable-1`. A `stable-2` branch will be created once we work on a 3.0.0 release, and so on.
+
+We currently are not planning any deprecations or new major releases like 2.0.0 containing backwards incompatible changes. If backwards incompatible changes are needed, we plan to deprecate the old behavior as early as possible. We also plan to backport at least bugfixes for the old major version for some time after releasing a new major version. We will not block community members from backporting other bugfixes and features from the latest stable version to older release branches, under the condition that these backports are of reasonable quality.
+
+## More information
+
+<!-- List out where the user can find additional information, such as working group meeting times, slack/IRC channels, or documentation for the product this collection automates. At a minimum, link to: -->
+
+- [Ansible Collection overview](https://github.com/ansible-collections/overview)
+- [Ansible User guide](https://docs.ansible.com/ansible/latest/user_guide/index.html)
+- [Ansible Developer guide](https://docs.ansible.com/ansible/latest/dev_guide/index.html)
+
+## Licensing
+
+This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
+
+See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.sops/blob/main/COPYING) for the full text.
+
+Parts of the collection are licensed under the [BSD 2-Clause license](https://github.com/ansible-collections/community.sops/blob/main/LICENSES/BSD-2-Clause.txt).
+
+All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).
diff --git a/ansible_collections/community/sops/REUSE.toml b/ansible_collections/community/sops/REUSE.toml
new file mode 100644
index 00000000..ff95bb82
--- /dev/null
+++ b/ansible_collections/community/sops/REUSE.toml
@@ -0,0 +1,11 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version = 1
+
+[[annotations]]
+path = "changelogs/fragments/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "Ansible Project"
+SPDX-License-Identifier = "GPL-3.0-or-later"
diff --git a/ansible_collections/community/sops/antsibull-nox.toml b/ansible_collections/community/sops/antsibull-nox.toml
new file mode 100644
index 00000000..38f61d84
--- /dev/null
+++ b/ansible_collections/community/sops/antsibull-nox.toml
@@ -0,0 +1,355 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[collection_sources]
+"community.internal_test_tools" = "git+https://github.com/ansible-collections/community.internal_test_tools.git,main"
+"community.general" = "git+https://github.com/ansible-collections/community.general.git,main"
+
+[collection_sources_per_ansible.'2.15']
+# community.general's main branch needs ansible-core >= 2.16
+"community.general" = "git+https://github.com/ansible-collections/community.general.git,stable-10"
+
+[collection_sources_per_ansible.'2.16']
+# community.general's main branch needs ansible-core >= 2.17
+"community.general" = "git+https://github.com/ansible-collections/community.general.git,stable-11"
+
+[vcs]
+vcs = "git"
+development_branch = "main"
+stable_branches = [ "stable-*" ]
+
+[sessions]
+
+[sessions.lint]
+run_isort = false
+run_black = false
+run_flake8 = false
+run_pylint = false
+run_yamllint = true
+yamllint_config = ".yamllint"
+yamllint_config_plugins = ".yamllint-docs"
+yamllint_config_plugins_examples = ".yamllint-examples"
+yamllint_config_extra_docs = ".yamllint-extra-docs"
+run_mypy = false
+
+[sessions.docs_check]
+validate_collection_refs="all"
+codeblocks_restrict_types = [
+    "ansible-output",
+    "console",
+    "ini",
+    "yaml",
+    "yaml+jinja",
+]
+codeblocks_restrict_type_exact_case = true
+codeblocks_allow_without_type = false
+codeblocks_allow_literal_blocks = false
+
+[sessions.license_check]
+
+[sessions.extra_checks]
+run_no_unwanted_files = true
+no_unwanted_files_module_extensions = [".py"]
+no_unwanted_files_yaml_extensions = [".yml"]
+run_action_groups = true
+run_no_trailing_whitespace = true
+run_avoid_characters = true
+
+[[sessions.extra_checks.avoid_character_group]]
+name = "tab"
+regex = "\\x09"
+skip_extensions = [
+    ".json",
+]
+skip_directories = [
+    "tests/integration/targets/filter_decrypt/files/",
+    "tests/integration/targets/lookup_sops/files/",
+    "tests/integration/targets/sops_encrypt/files/",
+]
+
+[sessions.build_import_check]
+run_galaxy_importer = true
+
+[sessions.ansible_test_sanity]
+include_devel = true
+
+[sessions.ansible_test_integration]
+
+[sessions.ansible_test_integration.ansible_vars]
+github_token = { type = "env", name = "GITHUB_TOKEN", unset_if_not_set = true }
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-main"
+description = "Meta-session for all ansible-test-integration-main-* sessions."
+session_name_template = "ansible-test-integration-main-{ansible_core}{dash_docker_short}{dash_override_sops_version}{dash_gha_arm_lower}"
+display_name_template = "main+Ⓐ{ansible_core}+SOPS-{override_sops_version}{plus_docker_short}{plus_py_python_version}{plus_gha_arm}"
+description_template = "Run main integration tests with ansible-core {ansible_core}, {docker_short}, SOPS {override_sops_version}{comma_gha_arm}"
+target = "gha/main/"
+gha_container = "ubuntu-latest"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.5.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.6.1" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.7.3" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.8.1" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.9.3" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = ["ubuntu2204", "ubuntu2404", "fedora42"]
+ansible_vars = { override_sops_version = "3.11.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.15"
+docker = "ubuntu2004"
+ansible_vars = { override_sops_version = "3.10.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.15"
+docker = "ubuntu2204"
+ansible_vars = { override_sops_version = "3.6.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.15"
+docker = "quay.io/ansible-community/test-image:debian-bullseye"
+python_version = "3.9"
+ansible_vars = { override_sops_version = "latest" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.16"
+docker = "ubuntu2004"
+ansible_vars = { override_sops_version = "3.7.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.16"
+docker = "ubuntu2204"
+ansible_vars = { override_sops_version = "3.7.3" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.17"
+docker = "ubuntu2204"
+ansible_vars = { override_sops_version = "3.8.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.17"
+docker = "fedora39"
+ansible_vars = { override_sops_version = "3.10.1" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.18"
+docker = "ubuntu2404"
+ansible_vars = { override_sops_version = "3.9.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.18"
+docker = "fedora40"
+ansible_vars = { override_sops_version = "3.9.2" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+docker = "ubuntu2404"
+ansible_vars = { override_sops_version = "3.10.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+docker = "fedora41"
+ansible_vars = { override_sops_version = "3.10.2" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2204"
+ansible_vars = { override_sops_version = "3.6.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2204"
+ansible_vars = { override_sops_version = "3.7.0" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2404"
+ansible_vars = { override_sops_version = "3.9.1" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:archlinux"
+python_version = "3.13"
+ansible_vars = { override_sops_version = "latest" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:debian-bookworm"
+python_version = "3.11"
+ansible_vars = { override_sops_version = "latest" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:debian-13-trixie"
+python_version = "3.13"
+ansible_vars = { override_sops_version = "latest" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2404"
+gha_container = "ubuntu-24.04-arm"
+ansible_vars = { override_sops_version = "latest" }
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-install-1"
+description = "Meta-session for all ansible-test-integration-install-1-* sessions."
+session_name_template = "ansible-test-integration-install-1-{ansible_core}{dash_docker_short}{dash_gha_arm_lower}"
+display_name_template = "install-1+Ⓐ{ansible_core}{plus_docker_short}{plus_py_python_version}{plus_gha_arm}"
+description_template = "Run install role integration tests (specific SOPS version) with ansible-core {ansible_core}, {docker_short}{comma_gha_arm}"
+target = "gha/install/1/"
+gha_container = "ubuntu-latest"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.17"
+docker = ["ubuntu2204", "fedora39"]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.18"
+docker = ["ubuntu2404", "fedora40"]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+docker = ["ubuntu2404", "fedora41"]
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2404"
+gha_container = "ubuntu-24.04-arm"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-install-2"
+description = "Meta-session for all ansible-test-integration-install-2-* sessions."
+session_name_template = "ansible-test-integration-install-2-{ansible_core}{dash_docker_short}{dash_gha_arm_lower}"
+display_name_template = "install-2+Ⓐ{ansible_core}{plus_docker_short}{plus_py_python_version}{plus_gha_arm}"
+description_template = "Run install role integration tests (localhost vs. remote host) with ansible-core {ansible_core}, {docker_short}{comma_gha_arm}"
+target = "gha/install/2/"
+gha_container = "ubuntu-latest"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2204"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2204"
+gha_container = "ubuntu-24.04-arm"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups]]
+session_name = "ansible-test-integration-install-3"
+description = "Meta-session for all ansible-test-integration-install-3-* sessions."
+session_name_template = "ansible-test-integration-install-3-{ansible_core}{dash_docker_short}{dash_gha_arm_lower}"
+display_name_template = "install-3+Ⓐ{ansible_core}{plus_docker_short}{plus_py_python_version}{plus_gha_arm}"
+description_template = "Run install role integration tests (latest SOPS version) with ansible-core {ansible_core}, {docker_short}{comma_gha_arm}"
+target = "gha/install/3/"
+gha_container = "ubuntu-latest"
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:archlinux"
+python_version = "3.13"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:debian-13-trixie"
+python_version = "3.13"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "quay.io/ansible-community/test-image:debian-bookworm"
+python_version = "3.11"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.16"
+docker = "quay.io/ansible-community/test-image:debian-bullseye"
+python_version = "3.9"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+docker = "fedora41"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "fedora42"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2204"
+ansible_vars = { github_latest_detection = "api" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "ubuntu2404"
+ansible_vars = { github_latest_detection = "latest-release" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "2.19"
+docker = "alpine321"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "alpine322"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ansible_test_integration.groups.sessions]]
+ansible_core = "devel"
+docker = "alpine322"
+gha_container = "ubuntu-24.04-arm"
+ansible_vars = { github_latest_detection = "auto" }
+
+[[sessions.ee_check.execution_environments]]
+name = "devel-ubi-9"
+description = "ansible-core devel @ RHEL UBI 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "docker.io/redhat/ubi9:latest"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/devel.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.dependencies.python_interpreter.package_system = "python3.12 python3.12-pip python3.12-wheel python3.12-cryptography"
+config.dependencies.python_interpreter.python_path = "/usr/bin/python3.12"
+config.additional_build_steps.append_final = [
+    "RUN ansible-playbook -v community.sops.install_localhost",
+]
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
+
+[[sessions.ee_check.execution_environments]]
+name = "2.15-rocky-9"
+description = "ansible-core 2.15 @ Rocky Linux 9"
+test_playbooks = ["tests/ee/all.yml"]
+config.images.base_image.name = "quay.io/rockylinux/rockylinux:9"
+config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.15.tar.gz"
+config.dependencies.ansible_runner.package_pip = "ansible-runner"
+config.additional_build_steps.append_final = [
+    "RUN ansible-playbook -v community.sops.install_localhost",
+]
+runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
diff --git a/ansible_collections/community/sops/changelogs/changelog.yaml b/ansible_collections/community/sops/changelogs/changelog.yaml
new file mode 100644
index 00000000..443926ab
--- /dev/null
+++ b/ansible_collections/community/sops/changelogs/changelog.yaml
@@ -0,0 +1,606 @@
+---
+ancestor: null
+releases:
+  0.1.0:
+    changes:
+      release_summary: 'First release of the ``community.sops`` collection!
+
+        This release includes multiple plugins: an ``action`` plugin, a ``lookup``
+        plugin and a ``vars`` plugin.'
+    fragments:
+      - 0.1.0.yml
+    modules:
+      - description: Load sops-encrypted variables from files, dynamically within
+          a task
+        name: load_vars
+        namespace: ''
+      - description: Encrypt data with sops
+        name: sops_encrypt
+        namespace: ''
+    plugins:
+      lookup:
+        - description: Read sops encrypted file contents
+          name: sops
+          namespace: null
+      vars:
+        - description: Loading sops-encrypted vars files
+          name: sops
+          namespace: null
+    release_date: '2020-10-23'
+  0.2.0:
+    changes:
+      minor_changes:
+        - community.sops.sops lookup plugin - add ``empty_on_not_exist`` option which
+          allows to return an empty string instead of an error when the file does
+          not exist (https://github.com/ansible-collections/community.sops/pull/33).
+        - community.sops.sops vars plugin - add option to control caching (https://github.com/ansible-collections/community.sops/pull/32).
+        - community.sops.sops vars plugin - add option to determine when vars are
+          loaded (https://github.com/ansible-collections/community.sops/pull/32).
+      release_summary: This release adds features for the lookup and vars plugins.
+    fragments:
+      - 0.2.0.yml
+      - 32-vars-stage.yml
+      - 33-lookup-empty_on_not_exist.yml
+    release_date: '2020-12-16'
+  1.0.0:
+    changes:
+      minor_changes:
+        - 'All plugins and modules: allow to pass generic sops options with new options
+          ``config_path``, ``enable_local_keyservice``, ``keyservice``. Also allow
+          to pass AWS parameters with options ``aws_profile``, ``aws_access_key_id``,
+          ``aws_secret_access_key``, and ``aws_session_token`` (https://github.com/ansible-collections/community.sops/pull/47).'
+        - community.sops.sops_encrypt - allow to pass encryption-specific options
+          ``kms``, ``gcp_kms``, ``azure_kv``, ``hc_vault_transit``, ``pgp``, ``unencrypted_suffix``,
+          ``encrypted_suffix``, ``unencrypted_regex``, ``encrypted_regex``, ``encryption_context``,
+          and ``shamir_secret_sharing_threshold`` to sops (https://github.com/ansible-collections/community.sops/pull/47).
+      release_summary: First stable release. This release is expected to be included
+        in Ansible 3.0.0.
+    fragments:
+      - 1.0.0.yml
+      - 47-sops-options.yml
+    release_date: '2021-01-14'
+  1.0.1:
+    changes:
+      release_summary: Re-release of 1.0.0 to counteract error during release.
+    release_date: '2021-01-14'
+  1.0.2:
+    changes:
+      release_summary: Fix of 1.0.1 release which had no changelog entry.
+    fragments:
+      - 1.0.2.yml
+    release_date: '2021-01-14'
+  1.0.3:
+    changes:
+      bugfixes:
+        - community.sops.sops lookup plugins - fix wrong format of Ansible variables
+          so that these are actually used (https://github.com/ansible-collections/community.sops/pull/51).
+        - community.sops.sops vars plugins - remove non-working Ansible variables
+          (https://github.com/ansible-collections/community.sops/pull/51).
+      release_summary: This release include some fixes to Ansible docs and required
+        changes for inclusion in Ansible.
+    fragments:
+      - 1.0.3.yml
+      - 51-fix-vars-arguments.yml
+    release_date: '2021-01-22'
+  1.0.4:
+    changes:
+      release_summary: This is a security release, fixing a potential information
+        leak in the ``community.sops.sops_encrypt`` module.
+      security_fixes:
+        - community.sops.sops_encrypt - mark the ``aws_secret_access_key`` and ``aws_session_token``
+          parameters as ``no_log`` to avoid leakage of secrets (https://github.com/ansible-collections/community.sops/pull/54).
+    fragments:
+      - 1.0.4.yml
+      - 54-no_log-fixes.yml
+    release_date: '2021-02-06'
+  1.0.5:
+    changes:
+      bugfixes:
+        - community.sops.sops_encrypt - use output type ``yaml`` when path ends with
+          ``.yaml`` (https://github.com/ansible-collections/community.sops/pull/56).
+      release_summary: This release fixes a bug that prevented correct YAML file to
+        be created when the output was ending in ``.yaml``.
+    fragments:
+      - 1.0.5.yml
+      - 56-sops_encrypt-yaml-output.yaml
+    release_date: '2021-03-05'
+  1.0.6:
+    changes:
+      bugfixes:
+        - action_module plugin helper - make compatible with latest changes in ansible-core
+          2.11.0b3 (https://github.com/ansible-collections/community.sops/pull/58).
+        - community.sops.load_vars - make compatible with latest changes in ansible-core
+          2.11.0b3 (https://github.com/ansible-collections/community.sops/pull/58).
+      release_summary: This release makes the collection compatible to the latest
+        beta release of ansible-core 2.11.
+    fragments:
+      - 1.0.6.yml
+      - 58-actionmodule-plugin-utils-ansible-core-2.11.yml
+    release_date: '2021-03-21'
+  1.1.0:
+    changes:
+      minor_changes:
+        - Avoid internal ansible-core module_utils in favor of equivalent public API
+          available since at least Ansible 2.9 (https://github.com/ansible-collections/community.sops/pull/73).
+      release_summary: A minor release for inclusion in Ansible 4.2.0.
+    fragments:
+      - 1.1.0.yml
+      - 71-decrypt-filter.yml
+      - ansible-core-_text.yml
+    plugins:
+      filter:
+        - description: Decrypt sops-encrypted data
+          name: decrypt
+          namespace: null
+    release_date: '2021-06-29'
+  1.2.0:
+    changes:
+      bugfixes:
+        - Fix error handling in calls of the ``sops`` binary when negative errors
+          are returned (https://github.com/ansible-collections/community.sops/issues/82,
+          https://github.com/ansible-collections/community.sops/pull/83).
+      minor_changes:
+        - sops lookup and vars plugin - allow to configure almost all generic options
+          by ansible.cfg entries and environment variables (https://github.com/ansible-collections/community.sops/pull/81).
+      release_summary: 'Collection release for inclusion in Ansible 4.9.0 and 5.1.0.
+
+
+        This release contains a change allowing to configure generic plugin options
+        with ansible.cfg keys and env variables.'
+    fragments:
+      - 1.2.0.yml
+      - 81-plugin-options.yml
+      - 83-fix-error-handling.yml
+    release_date: '2021-11-16'
+  1.2.1:
+    changes:
+      release_summary: Maintenance release with updated documentation.
+    fragments:
+      - 1.2.1.yml
+    release_date: '2022-03-22'
+  1.2.2:
+    changes:
+      bugfixes:
+        - Include ``simplified_bsd.txt`` license file for the ``sops`` module utils.
+      release_summary: Maintenance release.
+    fragments:
+      - 1.2.2.yml
+      - simplified-bsd-license.yml
+    release_date: '2022-06-02'
+  1.2.3:
+    changes:
+      release_summary: Fix formatting bug in documentation. No code changes.
+    fragments:
+      - 1.2.3.yml
+    release_date: '2022-06-29'
+  1.3.0:
+    changes:
+      minor_changes:
+        - All software licenses are now in the ``LICENSES/`` directory of the collection
+          root, and the collection repository conforms to the `REUSE specification
+          <https://reuse.software/spec/>`__ except for the changelog fragments (https://github.com/ansible-collections/community.crypto/sops/108,
+          https://github.com/ansible-collections/community.sops/pull/113).
+        - sops vars plugin - added a configuration option to temporarily disable the
+          vars plugin (https://github.com/ansible-collections/community.sops/pull/114).
+      release_summary: Feature release.
+    fragments:
+      - 1.3.0.yml
+      - 108-licenses.yml
+      - 114-disable-vars-plugin.yml
+    release_date: '2022-08-23'
+  1.4.0:
+    changes:
+      minor_changes:
+        - Allow to specify age keys as ``age_key``, or age keyfiles as ``age_keyfile``
+          (https://github.com/ansible-collections/community.sops/issues/116, https://github.com/ansible-collections/community.sops/pull/117).
+        - sops_encrypt - allow to specify age recipients (https://github.com/ansible-collections/community.sops/issues/116,
+          https://github.com/ansible-collections/community.sops/pull/117).
+      release_summary: Feature release.
+    fragments:
+      - 1.4.0.yml
+      - 117-age.yml
+    release_date: '2022-09-11'
+  1.4.1:
+    changes:
+      bugfixes:
+        - load_vars - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.sops/pull/121).
+      release_summary: Maintenance release to improve compatibility with future ansible-core
+        releases.
+    fragments:
+      - 1.4.1.yml
+      - 121-action-module-compat.yml
+    release_date: '2022-09-23'
+  1.5.0:
+    changes:
+      minor_changes:
+        - Automatically install GNU Privacy Guard (GPG) in execution environments.
+          To install Mozilla sops a manual step needs to be added to the EE definition,
+          see the collection's documentation for details (https://github.com/ansible-collections/community.sops/pull/98).
+      release_summary: Feature release.
+    fragments:
+      - 1.5.0.yml
+      - 98-playbooks.yml
+    objects:
+      playbook:
+        - description: Installs sops and GNU Privacy Guard on all remote hosts
+          name: install
+          namespace: null
+        - description: Installs sops and GNU Privacy Guard on localhost
+          name: install_localhost
+          namespace: null
+      role:
+        - description: Install Mozilla sops
+          name: install
+          namespace: null
+    release_date: '2022-12-02'
+  1.6.0:
+    changes:
+      minor_changes:
+        - install role - add ``sops_github_latest_detection`` option that allows to
+          configure which method to use for detecting the latest release on GitHub.
+          By default (``auto``) first tries to retrieve a list of recent releases
+          using the API, and if that fails due to rate limiting, tries to obtain the
+          latest GitHub release from a semi-documented URL (https://github.com/ansible-collections/community.sops/pull/133).
+        - install role - add ``sops_github_token`` option to allow passing a GitHub
+          token. This can for example be used to avoid rate limits when using the
+          role in GitHub Actions (https://github.com/ansible-collections/community.sops/pull/132).
+        - install role - implement another method to determine the latest release
+          on GitHub than using the GitHub API, which can make installation fail due
+          to rate-limiting (https://github.com/ansible-collections/community.sops/pull/131).
+      release_summary: Feature release improving the installation role.
+    fragments:
+      - 1.6.0.yml
+      - 131.yml
+      - 132.yml
+      - 133.yml
+    release_date: '2023-01-01'
+  1.6.1:
+    changes:
+      bugfixes:
+        - action plugin helper - fix handling of deprecations for ansible-core 2.14.2
+          (https://github.com/ansible-collections/community.sops/pull/136).
+        - various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.sops/pull/133).
+      release_summary: Maintenance release.
+    fragments:
+      - 1.6.1.yml
+      - 136-action-module.yml
+      - remove-unneeded-imports.yml
+    release_date: '2023-02-20'
+  1.6.2:
+    changes:
+      bugfixes:
+        - install role - make sure that the ``pkg_mgr`` fact is definitely available
+          when installing on ``localhost``. This can improve error messages in some
+          cases (https://github.com/ansible-collections/community.sops/issues/145,
+          https://github.com/ansible-collections/community.sops/pull/146).
+      release_summary: Maintenance release.
+    fragments:
+      - 1.6.2.yml
+      - 146-install-facts.yml
+    release_date: '2023-06-15'
+  1.6.3:
+    changes:
+      known_issues:
+        - Ansible markup will show up in raw form on ansible-doc text output for ansible-core
+          before 2.15. If you have trouble deciphering the documentation markup, please
+          upgrade to ansible-core 2.15 (or newer), or read the HTML documentation
+          on https://docs.ansible.com/ansible/devel/collections/community/sops/.
+      release_summary: 'Maintenance release with updated documentation.
+
+
+        From this version on, community.sops is using the new `Ansible semantic markup
+
+        <https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+
+        in its documentation. If you look at documentation with the ansible-doc CLI
+        tool
+
+        from ansible-core before 2.15, please note that it does not render the markup
+
+        correctly. You should be still able to read it in most cases, but you need
+
+        ansible-core 2.15 or later to see it as it is intended. Alternatively you
+        can
+
+        look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/sops/>`__
+
+        for the rendered HTML version of the documentation of the latest release.
+
+        '
+    fragments:
+      - 1.6.3.yml
+      - semantic-markup.yml
+    release_date: '2023-06-27'
+  1.6.4:
+    changes:
+      bugfixes:
+        - install role - fix ``sops_github_latest_detection=latest-release``, which
+          broke due to sops moving to another GitHub organization (https://github.com/ansible-collections/community.sops/pull/151).
+      release_summary: Maintenance/bugfix release for the move of sops to the new
+        `getsops GitHub organization <https://github.com/getsops>`__.
+    fragments:
+      - 1.6.4.yml
+      - 151-github.yml
+    release_date: '2023-06-30'
+  1.6.5:
+    changes:
+      bugfixes:
+        - Avoid pre-releases when picking the latest version when using the GitHub
+          API method (https://github.com/ansible-collections/community.sops/pull/159).
+        - Fix changed DEB and RPM URLs for 3.8.0 and its prerelease(s) (https://github.com/ansible-collections/community.sops/pull/159).
+      release_summary: Make compatible with and test against sops 3.8.0-rc.1.
+    fragments:
+      - 1.6.5.yml
+      - 159-new-releases.yml
+    release_date: '2023-08-25'
+  1.6.6:
+    changes:
+      bugfixes:
+        - Fix RPM URL for the 3.8.0 release (https://github.com/ansible-collections/community.sops/pull/161).
+      release_summary: Make fully compatible with and test against sops 3.8.0.
+    fragments:
+      - 1.6.6.yml
+      - 161-rhel-3.8.0.yml
+    release_date: '2023-09-15'
+  1.6.7:
+    changes:
+      bugfixes:
+        - sops_encrypt - ensure that output-type is set to ``yaml`` when the file
+          extension ``.yml`` is used. Now both ``.yaml`` and ``.yml`` files use the
+          SOPS ``--output-type=yaml`` formatting (https://github.com/ansible-collections/community.sops/issues/164).
+      release_summary: Bugfix release.
+    fragments:
+      - 1.6.7.yml
+      - 165-yaml-output-for-yml-extension.yaml
+    release_date: '2023-10-29'
+  1.7.0:
+    changes:
+      bugfixes:
+        - Fix RPM URL for the 3.9.0 release (https://github.com/ansible-collections/community.sops/pull/188).
+      minor_changes:
+        - sops vars plugin - allow to configure the valid extensions with an ``ansible.cfg``
+          entry or with an environment variable (https://github.com/ansible-collections/community.sops/pull/185).
+      release_summary: Bugfix and feature release to fix installation issues with
+        SOPS 3.9.0.
+    fragments:
+      - 1.7.0.yml
+      - 185-vars-valid-extensions.yml
+      - 188-sops-3.9.0.yml
+    release_date: '2024-06-28'
+  1.8.0:
+    changes:
+      bugfixes:
+        - sops_encrypt - properly support ``path_regex`` in ``.sops.yaml`` when SOPS
+          3.9.0 or later is used (https://github.com/ansible-collections/community.sops/issues/153,
+          https://github.com/ansible-collections/community.sops/pull/190).
+      minor_changes:
+        - Detect SOPS 3.9.0 and use new ``decrypt`` and ``encrypt`` subcommands (https://github.com/ansible-collections/community.sops/pull/190).
+        - sops vars plugin - new option ``handle_unencrypted_files`` allows to control
+          behavior when encountering unencrypted files with SOPS 3.9.0+ (https://github.com/ansible-collections/community.sops/pull/190).
+      release_summary: Feature release for supporting improvements coming with SOPS
+        3.9.0.
+    fragments:
+      - 1.8.0.yml
+      - 190-sops-3.9.0.yml
+    release_date: '2024-07-09'
+  1.8.1:
+    changes:
+      bugfixes:
+        - Pass ``config_path`` on SOPS 3.9.0 before the subcommand instead of after
+          it (https://github.com/ansible-collections/community.sops/issues/195, https://github.com/ansible-collections/community.sops/pull/197).
+      release_summary: Bugfix release.
+    fragments:
+      - 1.8.1.yml
+      - 197-sops-3.9.0-order.yml
+    release_date: '2024-07-18'
+  1.8.2:
+    changes:
+      deprecated_features:
+        - The collection deprecates support for all Ansible/ansible-base/ansible-core
+          versions that are currently End of Life, `according to the ansible-core
+          support matrix <https://docs.ansible.com/ansible-core/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix>`__.
+          This means that the next major release of the collection will no longer
+          support Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core
+          2.12, ansible-core 2.13, and ansible-core 2.14.
+      release_summary: Maintenance release with updated documentation and changelog.
+    fragments:
+      - 1.8.2.yml
+      - deprecate-eol-ansible-core.yml
+    release_date: '2024-08-13'
+  1.9.0:
+    changes:
+      minor_changes:
+        - decrypt filter plugin - now supports the input and output type ``ini`` (https://github.com/ansible-collections/community.sops/pull/204).
+        - sops lookup plugin - new option ``extract`` allows extracting a single key
+          out of a JSON or YAML file, equivalent to sops' ``decrypt --extract`` (https://github.com/ansible-collections/community.sops/pull/200).
+        - sops lookup plugin - now supports the input and output type ``ini`` (https://github.com/ansible-collections/community.sops/pull/204).
+      release_summary: Feature release.
+    fragments:
+      - 1.9.0.yml
+      - 200-lookup-extract.yaml
+      - 204-input-output-type-ini.yml
+    release_date: '2024-09-09'
+  1.9.1:
+    changes:
+      bugfixes:
+        - sops_encrypt - pass absolute paths to ``module.atomic_move()`` (https://github.com/ansible/ansible/issues/83950,
+          https://github.com/ansible-collections/community.sops/pull/208).
+      release_summary: Bugfix release.
+    fragments:
+      - 1.9.1.yml
+      - 208-atomic.yml
+    release_date: '2024-10-04'
+  2.0.0:
+    changes:
+      release_summary: Major verison that drops support for End of Life Ansible/ansible-base/ansible-core
+        versions.
+      removed_features:
+        - The collection no longer supports Ansible 2.9, ansible-base 2.10, ansible-core
+          2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14. If you
+          need to continue using End of Life versions of Ansible/ansible-base/ansible-core,
+          please use community.sops 1.x.y (https://github.com/ansible-collections/community.sops/pull/206).
+    fragments:
+      - 2.0.0.yml
+    release_date: '2024-10-20'
+  2.0.1:
+    changes:
+      release_summary: Maintenance release with updated documentation.
+    fragments:
+      - 2.0.1.yml
+    release_date: '2024-12-31'
+  2.0.2:
+    changes:
+      bugfixes:
+        - install role - when used with Debian on ARM architecture, the architecture
+          name is now correctly translated from ``aarch64`` to ``arm64`` (https://github.com/ansible-collections/community.sops/issues/220,
+          https://github.com/ansible-collections/community.sops/pull/221).
+      release_summary: Bugfix release.
+    fragments:
+      - 2.0.2.yml
+      - 221-install-architecture.yml
+    release_date: '2025-02-09'
+  2.0.3:
+    changes:
+      bugfixes:
+        - install role - ``sops_install_on_localhost=false`` was not working properly
+          if the role was running on more than one host due to a bug in ansible-core
+          (https://github.com/ansible-collections/community.sops/issues/223, https://github.com/ansible-collections/community.sops/pull/224).
+      release_summary: Bugfix release.
+    fragments:
+      - 2.0.3.yml
+      - 224-install.yml
+    release_date: '2025-03-03'
+  2.0.4:
+    changes:
+      bugfixes:
+        - load_vars - make evaluation compatible with Data Tagging in upcoming ansible-core
+          release (https://github.com/ansible-collections/community.sops/pull/225).
+      release_summary: Maintenance release with Data Tagging support.
+    fragments:
+      - 2.0.4.yml
+      - 225-data-tagging.yml
+    release_date: '2025-04-14'
+  2.0.5:
+    changes:
+      release_summary: Maintenance release with updated SOPS version test coverage.
+    fragments:
+      - 2.0.5.yml
+    release_date: '2025-04-21'
+  2.1.0:
+    changes:
+      minor_changes:
+        - Now supports specifying SSH private keys for age with the new ``age_ssh_private_keyfile``
+          option (https://github.com/ansible-collections/community.sops/pull/241).
+      release_summary: Feature release.
+    fragments:
+      - 2.1.0.yml
+      - 241-support-ssh-keys-for-age.yaml
+    release_date: '2025-06-14'
+  2.2.0:
+    changes:
+      minor_changes:
+        - load_vars - expressions can now be lazily evaluated when using ansible-core
+          2.19 or newer (https://github.com/ansible-collections/community.sops/pull/229).
+      release_summary: Feature release.
+    fragments:
+      - 2.2.0.yml
+      - 229-lazy-evaluation.yml
+    release_date: '2025-07-21'
+  2.2.1:
+    changes:
+      bugfixes:
+        - install role - avoid deprecated parameter value for the ``ansible.builtin.uri``
+          module (https://github.com/ansible-collections/community.sops/pull/255).
+      release_summary: Bugfix release.
+    fragments:
+      - 2.2.1.yml
+      - 255-install-redirects.yml
+    release_date: '2025-08-03'
+  2.2.2:
+    changes:
+      bugfixes:
+        - Avoid deprecated functionality in ansible-core 2.20 (https://github.com/ansible-collections/community.sops/pull/260).
+        - all modules and plugins - the default of ``enable_local_keyservice`` changed
+          from ``false`` to ``true``, and explicitly setting it to ``false`` now passes
+          ``--enable-local-keyservice=false``. SOPS' default has always been ``true``,
+          and when setting this option to ``true`` so far it resulted in passing ``--enable-local-keyservice``,
+          which is equivalent to ``--enable-local-keyservice=true`` and had no effect.
+          This means that from now on, setting ``enable_local_keyservice`` explicitly
+          to ``false`` has an effect. If ``enable_local_keyservice`` was not set before,
+          or was set to ``true``, nothing will change (https://github.com/ansible-collections/community.sops/issues/261,
+          https://github.com/ansible-collections/community.sops/pull/262).
+      release_summary: Bugfix release.
+    fragments:
+      - 2.2.2.yml
+      - 260-deprecations.yml
+      - 262-local-keyservice.yml
+    release_date: '2025-08-31'
+  2.2.3:
+    changes:
+      bugfixes:
+        - Avoid using ``ansible.module_utils.six`` to avoid deprecation warnings with
+          ansible-core 2.20 (https://github.com/ansible-collections/community.sops/pull/268).
+      minor_changes:
+        - Note that some new code in ``plugins/module_utils/_six.py`` is MIT licensed
+          (https://github.com/ansible-collections/community.sops/pull/268).
+      release_summary: Maintenance release.
+    fragments:
+      - 2.2.3.yml
+      - 268-six.yml
+    release_date: '2025-10-03'
+  2.2.4:
+    changes:
+      bugfixes:
+        - Fix accidental type extensions (https://github.com/ansible-collections/community.sops/pull/269).
+      release_summary: Maintenance release.
+    fragments:
+      - 2.2.4.yml
+      - 269-fix.yml
+    release_date: '2025-10-05'
+  2.2.5:
+    changes:
+      bugfixes:
+        - load_vars action - avoid another deprecated module utils from ansible-core
+          (https://github.com/ansible-collections/community.sops/pull/270).
+        - load_vars action - avoid deprecated import from ansible-core that will be
+          removed in ansible-core 2.21 (https://github.com/ansible-collections/community.sops/pull/272).
+      release_summary: Maintenance release.
+    fragments:
+      - 2.2.5.yml
+      - 270-deprecate.yml
+      - 272-ansible-core-2.21.yml
+    release_date: '2025-10-25'
+  2.2.6:
+    changes:
+      bugfixes:
+        - Clean up plugin code that does not run on the target (https://github.com/ansible-collections/community.sops/pull/275).
+        - Note that the MIT licenced code in ``plugins/module_utils/_six.py`` has
+          been removed (https://github.com/ansible-collections/community.sops/pull/275).
+        - sops vars plugin - ensure that loaded vars are evaluated also with ansible-core
+          2.19+ (https://github.com/ansible-collections/community.sops/pull/273).
+      release_summary: Bugfix and maintenance release.
+    fragments:
+      - 2.2.6.yml
+      - 273-vars-eval.yml
+      - 275-py3.yml
+    release_date: '2025-10-25'
+  2.2.7:
+    changes:
+      known_issues:
+        - When using the ``community.sops.load_vars`` with ansible-core 2.20, note
+          that the deprecation of ``INJECT_FACTS_AS_VARS`` causes deprecation warnings
+          to be shown every time a variable loaded with ``community.sops.load_vars``
+          is used. This is due to ansible-core deprecating ``INJECT_FACTS_AS_VARS``
+          without providing an alternative for modules like ``community.sops.load_vars``
+          to use. If you do not like these deprecation warnings, you have to explicitly
+          set ``INJECT_FACTS_AS_VARS`` to ``true``. **DO NOT** change the use of SOPS
+          encrypted variables to ``ansible_facts``. The situation will hopefully improve
+          in ansible-core 2.21 through the promised API that allows action plugins
+          to set variables; community.sops will adapt to use it, which will make the
+          warning go away. (The API was originally promised for ansible-core 2.20,
+          but then delayed.)
+      release_summary: Maintenance release.
+    fragments:
+      - 2.2.7.yml
+      - ansible-core-2.20-warning.yml
+    release_date: '2025-11-02'
diff --git a/ansible_collections/community/sops/changelogs/changelog.yaml.license b/ansible_collections/community/sops/changelogs/changelog.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/changelogs/changelog.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/changelogs/config.yaml b/ansible_collections/community/sops/changelogs/config.yaml
new file mode 100644
index 00000000..ae4ddaa9
--- /dev/null
+++ b/ansible_collections/community/sops/changelogs/config.yaml
@@ -0,0 +1,43 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+output_formats:
+  - rst
+  - md
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sections:
+  - - major_changes
+    - Major Changes
+  - - minor_changes
+    - Minor Changes
+  - - breaking_changes
+    - Breaking Changes / Porting Guide
+  - - deprecated_features
+    - Deprecated Features
+  - - removed_features
+    - Removed Features (previously deprecated)
+  - - security_fixes
+    - Security Fixes
+  - - bugfixes
+    - Bugfixes
+  - - known_issues
+    - Known Issues
+title: Community SOPS
+trivial_section_name: trivial
+use_fqcn: true
+add_plugin_period: true
+changelog_nice_yaml: true
+changelog_sort: version
+vcs: auto
diff --git a/ansible_collections/community/sops/changelogs/fragments/.keep b/ansible_collections/community/sops/changelogs/fragments/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/community/sops/codecov.yml b/ansible_collections/community/sops/codecov.yml
new file mode 100644
index 00000000..7f0932ba
--- /dev/null
+++ b/ansible_collections/community/sops/codecov.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+fixes:
+  - "ansible_collections/community/sops/::"
diff --git a/ansible_collections/community/sops/docs/docsite/config.yml b/ansible_collections/community/sops/docs/docsite/config.yml
new file mode 100644
index 00000000..1d6cf855
--- /dev/null
+++ b/ansible_collections/community/sops/docs/docsite/config.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+changelog:
+  write_changelog: true
diff --git a/ansible_collections/community/sops/docs/docsite/extra-docs.yml b/ansible_collections/community/sops/docs/docsite/extra-docs.yml
new file mode 100644
index 00000000..3224ebdc
--- /dev/null
+++ b/ansible_collections/community/sops/docs/docsite/extra-docs.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+sections:
+  - title: Scenario Guide
+    toctree:
+      - guide
diff --git a/ansible_collections/community/sops/docs/docsite/links.yml b/ansible_collections/community/sops/docs/docsite/links.yml
new file mode 100644
index 00000000..ef1be3f6
--- /dev/null
+++ b/ansible_collections/community/sops/docs/docsite/links.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+edit_on_github:
+  repository: ansible-collections/community.sops
+  branch: main
+  path_prefix: ''
+
+extra_links:
+  - description: Ask for help (SOPS)
+    url: https://forum.ansible.com/tags/c/help/6/none/sops
+  - description: Submit a bug report
+    url: https://github.com/ansible-collections/community.sops/issues/new?assignees=&labels=&template=bug_report.md
+  - description: Request a feature
+    url: https://github.com/ansible-collections/community.sops/issues/new?assignees=&labels=&template=feature_request.md
+
+communication:
+  matrix_rooms:
+    - topic: General usage and support questions
+      room: '#users:ansible.im'
+  irc_channels:
+    - topic: General usage and support questions
+      network: Libera
+      channel: '#ansible'
+  forums:
+    - topic: "Ansible Forum: General usage and support questions"
+      # The following URL directly points to the "Get Help" section
+      url: https://forum.ansible.com/c/help/6/none
+    - topic: "Ansible Forum: Discussions about SOPS"
+      # The following URL directly points to the "sops" tag
+      url: https://forum.ansible.com/tag/sops
diff --git a/ansible_collections/community/sops/docs/docsite/rst/guide.rst b/ansible_collections/community/sops/docs/docsite/rst/guide.rst
new file mode 100644
index 00000000..602efc30
--- /dev/null
+++ b/ansible_collections/community/sops/docs/docsite/rst/guide.rst
@@ -0,0 +1,495 @@
+..
+  Copyright (c) Ansible Project
+  GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+  SPDX-License-Identifier: GPL-3.0-or-later
+
+.. _ansible_collections.community.sops.docsite.guide:
+
+Protecting Ansible secrets with SOPS
+====================================
+
+`CNCF SOPS <https://github.com/getsops/sops>`_ allows to encrypt and decrypt files using various key sources (GPG, AWS KMS, GCP KMS, ...). For structured data, such as YAML, JSON, INI and ENV files, it will encrypt values, but not mapping keys. For YAML files, it also encrypts comments. This makes it a great tool for encrypting credentials with Ansible: you can easily see which files contain which variable, but the variables themselves are encrypted.
+
+The ability to utilize various keysources makes it easier to use in complex environments than :ref:`Ansible Vault <vault_guide_index>`.
+
+.. contents::
+   :local:
+   :depth: 1
+
+Installing SOPS
+---------------
+
+You can find binaries and packages `on the project's release page <https://github.com/getsops/sops/releases>`_. Depending on your operating system, you might also be able to install it with your system's package manager.
+
+This collection provides a :ansplugin:`role community.sops.install <community.sops.install#role>` which allows to install SOPS and `GNU Privacy Guard (GPG) <https://en.wikipedia.org/wiki/GNU_Privacy_Guard>`__. The role allows to install SOPS from the system's package manager or from GitHub; see :ansopt:`community.sops.install#role:main:sops_source` for details. Both SOPS and GPG can be installed on the remote hosts or the Ansible controller; see :ansopt:`community.sops.install#role:main:sops_install_on_localhost` for details.
+
+.. code-block:: yaml
+
+    - name: Playbook to install SOPS
+      hosts: all
+      tasks:
+        # To use the sops_encrypt module on a remote host, you need to install SOPS on it:
+        - name: Install SOPS on remote hosts
+          ansible.builtin.include_role:
+            name: community.sops.install
+          vars:
+            sops_version: 2.7.0  # per default installs the latest version
+
+        # To use the lookup plugin, filter plugin, vars plugin, or the load_vars action,
+        # you need SOPS installed on localhost:
+        - name: Install SOPS on localhost
+          ansible.builtin.include_role:
+            name: community.sops.install
+          vars:
+            sops_install_on_localhost: true
+
+When using ansible-core 2.11 or later, you can also use two convenience playbooks:
+
+.. code-block:: console
+
+    # Install SOPS on Ansible controller
+    $ ansible-playbook community.sops.install_localhost
+
+    # Install SOPS on remote servers
+    $ ansible-playbook community.sops.install --inventory /path/to/inventory
+
+Installing community.sops in an Execution Environment
+-----------------------------------------------------
+
+When building an execution environment containing community.sops, please note that by default SOPS is not automatically installed. This is due to a limitation of the dependency specification system for execution environments. If you are building an execution environment that contains community.sops, you should make sure that SOPS is installed in it.
+
+The simplest way of ensuring this is to use the ``community.sops.install_localhost`` playbook. When defining an execution environment, you can add a ``RUN`` additional build step to your ``execution-environment.yml``:
+
+.. code-block:: yaml
+
+    ---
+    version: 3
+    dependencies:
+      galaxy: requirements.yml
+    additional_build_steps:
+      append_final:
+        # Ensure that SOPS is installed in the EE, assuming the EE is for ansible-core 2.11 or newer
+        - RUN ansible-playbook -v community.sops.install_localhost
+
+Note that this only works if the execution environment is built with ansible-core 2.11 or newer. When using an execution environment with Ansible 2.9, you have to use the :ansplugin:`community.sops.install#role` role manually. Also note that you need to make sure that Ansible 2.9 uses the correct Python interpreter to be able to install system packages with; in the below example we are assuming a RHEL/CentOS based execution environment base image:
+
+.. code-block:: yaml
+
+    ---
+    version: 3
+    dependencies:
+      galaxy: requirements.yml
+    additional_build_steps:
+      append_final:
+        # Special step needed for Ansible 2.9 based EEs
+        - >-
+          RUN ansible localhost -m include_role -a name=community.sops.install
+              -e sops_install_on_localhost=true
+              -e ansible_python_interpreter=/usr/libexec/platform-python
+
+Once this step has been taken care of, you can use all plugins and modules (on ``localhost``) from community.sops in the execution environment.
+
+Setting up SOPS
+---------------
+
+From now on this guide assumes that you have installed SOPS.
+
+For simplicity, you can work with GPG keys. If you do not have one, or do not want to use yours, you can run ``gpg --quick-generate-key me@example.com`` to create a GPG key for the user ID ``me@example.com``. You will need its 40 hex-digit key ID that is printed at the end. The first step is to create a ``.sops.yaml`` file in the directory tree you are working in:
+
+.. code-block:: yaml
+
+    creation_rules:
+      - pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4'
+
+Here, ``FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4`` is the 40 hex-digit key ID. With this file you can create a SOPS-encrypted file by running the following in the directory where ``.sops.yaml`` was placed, or a subdirectory of it:
+
+.. code-block:: console
+
+    $ sops test.sops.yaml
+
+This will open an editor window with an example YAML file. Put the following content in:
+
+.. code-block:: yaml
+
+    # This is a comment
+    hello: world
+    foo:
+      - bar
+      - baz
+
+After closing the editor, SOPS will create ``test.sops.yaml`` with the encrypted contents:
+
+.. code-block:: yaml
+
+    #ENC[AES256_GCM,data:r6Ok05DzzHBO4tonlz2t49CF,iv:Y0P39iXwaGYU9NG5oRC3NuaGVL40uruSze0CxbDTpTk=,tag:EzoG+X+BJAHbxE0asSyGlQ==,type:comment]
+    hello: ENC[AES256_GCM,data:onBZqWk=,iv:bwj4bwaeh3vpVDYqY2AnYo1thF955i5vbFpCC1DwJtM=,tag:4qbVzuHTaPrXm64r2Rqz1Q==,type:str]
+    foo:
+        - ENC[AES256_GCM,data:UsY8,iv:USv71rKfvbTF+3a5T2WO56wGVu609/0uigqkO0pa6U4=,tag:s8NdqLp+8OOQg4xDfE78oA==,type:str]
+        - ENC[AES256_GCM,data:Dhmo,iv:qWs5gN2SCXYq0EfGelZhODsdViKB9w2taQMhsqy0D2g=,tag:I+ZFvuxnsvQmywqz+a/M9w==,type:str]
+    sops:
+        kms: []
+        gcp_kms: []
+        azure_kv: []
+        hc_vault: []
+        age: []
+        lastmodified: "2021-06-15T19:36:34Z"
+        mac: ENC[AES256_GCM,data:HAvLeOvt7xWI7B5TCeDEsL6sOSzGGeTbgBSJaZkwadmoAm3Ny4IZPF8JAbFaPPLmN8FJVAt4D61aIWa6Xwi3xMj1g6DmxFfgK6JFJqWqW122UlMhqZ/WuMWFV6yVxpTLDXgemndgGDJqUTUi14FMh/MzPDg4f6kFP64kA9fpLrY=,iv:LdhswnMymZG8J9na/jnF3WYnX0DvzvoBlvjUCu4nI6c=,tag:Qt4d7L3FXsgfmg9iOs8P4A==,type:str]
+        pgp:
+            - created_at: "2021-06-15T19:36:01Z"
+              enc: |-
+                -----BEGIN PGP MESSAGE-----
+
+                wcBMAyUpShfNkFB/AQgAT8OAKnWLBQRG3kT5lZCmyoPzK6RwF0zRkwCzJkLNl6xg
+                nQjUjpD03ZD4FtiRidspXEj7NvCLDghJ0UETtDjmrwsTeJ5YAK/JxouWmoNhVVdF
+                p0qOlj/THXIV+ypVaqrisZGZiTqeWjUNFuayknvjm3XduOOPZA1MIJ14pQxcgca4
+                NWmKwPwXTWEy3RJ0ZsnjjjYvKHjHyvbHdbDgARu8R1jEgdNPKPBRVpEY6RNeafXI
+                gFBVRfrhPKD6HmnmNvjHwUc/K+wOa1ciIYVrT4mPXoyBsFkyV0egh/QRf0JO8+X7
+                Ut/jEtCrl9BXJCNYGmC5EU3PPiFlAu1MRxlCiPNWltLmASn2w62wMpgih6f+OpI/
+                zyEOdz0qx80LEfhv3+jBbDfBwz4GqpAHUr0fCXDzeDiKfzlU6isagoIAhJfwX6oG
+                NeQ47ktk1XhPmgIwxxuvonG14iQoU2cA
+                =GoXQ
+                -----END PGP MESSAGE-----
+              fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+        unencrypted_suffix: _unencrypted
+        version: 3.7.1
+
+The first line contains the encrypted content. The second line contains the unencrypted key of ``hello: world``, and the encrypted string value ``world``. The next few lines contain the unencrypted key ``foo`` with the encrypted list elements.
+
+At the end, the ``sops`` section contains metadata, which includes the private key needed to decrypt the file encrypted with the public key of the GPG key ID ``FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4``. If you had multiple GPG keys configured, or also other key sources, you can also find the file secret key encrypted with these keys here.
+
+Working with encrypted files
+----------------------------
+
+You can decrypt SOPS-encrypted files with the :ansplugin:`community.sops.sops lookup plugin <community.sops.sops#lookup>`, and dynamically encrypt data with the :ansplugin:`community.sops.sops_encrypt module <community.sops.sops_encrypt#module>`. Being able to encrypt is useful when you create or update secrets in your Ansible playbooks.
+
+Assume that you have an encrypted private key ``keys/private_key.pem.sops``, which was in PEM format before being encrypted by SOPS:
+
+.. code-block:: console
+
+    $ openssl genrsa -out keys/private_key.pem 2048
+    $ sops --encrypt keys/private_key.pem > keys/private_key.pem.sops
+    $ wipe keys/private_key.pem
+
+To use it in a playbook, for example to pass it to the :ansplugin:`community.crypto.openssl_csr module <community.crypto.openssl_csr#module>` to create a certificate signing request (CSR), you can use the :ansplugin:`community.sops.sops lookup plugin <community.sops.sops#lookup>` to load it:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Load SOPS-encrypted private key
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - name: Create CSR with encrypted private key
+          community.crypto.openssl_csr:
+            # The private key is provided with SOPS:
+            privatekey_content: "{{ lookup('community.sops.sops', 'keys/private_key.pem.sops') }}"
+            # Store the CSR on disk unencrypted:
+            path: ansible.com.csr
+            # This is going to be a CSR for ansible.com and www.ansible.com
+            subject_alt_name:
+              - DNS:ansible.com
+              - DNS:www.ansible.com
+            use_common_name_for_san: false
+
+This results in the following output:
+
+.. code-block:: ansible-output
+
+    PLAY [Load SOPS-encrypted private key] ***************************************************************************
+
+    TASK [Create CSR with encrypted private key] *********************************************************************
+    ok: [localhost]
+
+    PLAY RECAP *******************************************************************************************************
+    localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
+
+Afterwards, you will have a CSR ``ansible.com.csr`` for the encrypted private key ``keys/private_key.pem.sops``.
+
+If you want to use Ansible to generate (or update) the encrypted private key, you can use the :ansplugin:`community.crypto.openssl_privatekey_pipe module <community.crypto.openssl_privatekey_pipe#module>` to generate (or update) the private key, and use the :ansplugin:`community.sops.sops_encrypt module <community.sops.sops_encrypt#module>` to write it to disk in encrypted form:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Create SOPS-encrypted private key
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - block:
+            - name: Create private key
+              community.crypto.openssl_privatekey_pipe:
+                size: 2048
+              no_log: true  # Always use this with openssl_privatekey_pipe!
+              register: private_key
+
+            - name: Write encrypted key to disk
+              community.sops.sops_encrypt:
+                path: keys/private_key.pem.sops
+                content_text: "{{ private_key.privatekey }}"
+
+          always:
+            - name: Wipe private key from Ansible's facts
+              # This is particularly important if the playbook doesn't end here!
+              set_fact:
+                private_key: ''
+
+This playbook creates a new key on every run. If you want the private key creation to be idempotent, you need to do a little more work:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Create SOPS-encrypted private key
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - block:
+            - name: Create private key
+              community.crypto.openssl_privatekey_pipe:
+                size: 2048
+                content: >-
+                  {{ lookup(
+                        'community.sops.sops',
+                        'keys/private_key.pem.sops',
+                        empty_on_not_exist=true
+                     ) }}
+              no_log: true  # Always use this with openssl_privatekey_pipe!
+              register: private_key
+
+            - name: Write encrypted key to disk
+              community.sops.sops_encrypt:
+                path: keys/private_key.pem.sops
+                content_text: "{{ private_key.privatekey }}"
+              when: private_key is changed
+
+          always:
+            - name: Wipe private key from Ansible's facts
+              # This is particularly important if the playbook doesn't end here!
+              set_fact:
+                private_key: ''
+
+The :ansopt:`community.sops.sops#lookup:empty_on_not_exist=true` flag is needed to avoid the lookup to fail when the key does not yet exist. When this playbook is run twice, the output will be:
+
+.. code-block:: ansible-output
+
+    PLAY [Create SOPS-encrypted private key] *************************************************************************
+
+    TASK [Create private key] ****************************************************************************************
+    ok: [localhost]
+
+    TASK [Write encrypted key to disk] *******************************************************************************
+    skipping: [localhost]
+
+    TASK [Wipe private key from Ansible's facts] *********************************************************************
+    ok: [localhost]
+
+    PLAY RECAP *******************************************************************************************************
+    localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
+
+Working with encrypted data from other sources
+----------------------------------------------
+
+You can use the :ansplugin:`community.sops.decrypt Jinja2 filter <community.sops.decrypt#filter>` to decrypt arbitrary data. This can be data read earlier from a file, returned from an action, or obtained through some other means.
+
+For example, assume that you want to decrypt a file retrieved from a HTTPS server with the :ansplugin:`ansible.builtin.uri module <ansible.builtin.uri#module>`. To use the :ansplugin:`community.sops.sops lookup <community.sops.sops#lookup>`, you have to write it to a file first. With the filter, you can directly decrypt it:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Decrypt file fetched from URL
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - name: Fetch file from URL
+          ansible.builtin.uri:
+            url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
+            return_content: true
+          register: encrypted_content
+
+        - name: Show encrypted data
+          debug:
+            msg: "{{ encrypted_content.content | ansible.builtin.from_yaml }}"
+
+        - name: Decrypt data and decode decrypted YAML
+          set_fact:
+            decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"
+
+        - name: Show decrypted data
+          debug:
+            msg: "{{ decrypted_data }}"
+
+The output will be:
+
+.. code-block:: ansible-output
+
+    PLAY [Decrypt file fetched from URL] *****************************************************************************
+
+    TASK [Fetch file from URL] ***************************************************************************************
+    ok: [localhost]
+
+    TASK [Show encrypted data] ***************************************************************************************
+    ok: [localhost] => {
+        "msg": {
+            "dolor": "ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]",
+            "lorem": "ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]",
+            "sops": {
+                "age": [],
+                "azure_kv": [],
+                "gcp_kms": [],
+                "hc_vault": [],
+                "kms": [],
+                "lastmodified": "2020-10-07T15:49:13Z",
+                "mac": "ENC[AES256_GCM,data:2dhyKdHYSynjXPwYrn9356wA7vRKw+T5qwBenI2vZrgthpQBOCQG4M6f7eeH3VLTxB4mN4CAchb25dsNRoGr6A38VruaSSAhPco3Rh4AlvKSvXuhgRnzZvNxE/bnHX1D4K5cdTb4FsJg/Ue1l7UcWrlrv1s3H3SwLHP/nf+suD0=,iv:6xBYURjjaQzlUOKOrs2NWOChiNFZVAGPJZQZ59MwX3o=,tag:uXD5VYme+c8eHcCc5TD2YA==,type:str]",
+                "pgp": [
+                    {
+                        "created_at": "2019-08-29T21:52:32Z",
+                        "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMAyUpShfNkFB/AQgAlvpTj0NYqF4mQyIeM7wX2SHLb4U07/flpqDpp2W/30Pz\nAHA7sYrgP0l8BrjT2kwtgCN0cdfoIHJudezrNjANp2P5TbP2b9kYYNxpehzB9PFj\nFixnCS7Zp8WIt1yXr1TX+ANZoXLopVcRbMaQ5OdH7CN1pNQtMR+R3FR3X/IqKxiU\nDo1YLaooRJICUC8LJw2Tb4K+lYnTSqd/HalLGym++ivFvdDB1Ya1GhT1FswXidXK\nIRjsOVbxV0q5VeNOR0zxsheOvuHyCje16c7NXJtATJVWtTFABJB8u7CY5HhZSgq+\nrXJHyLHqVLzJ8E4WqHQkMNUlVcrqAz7glZ6xbAhfI9JeAYk5SuBOQOQ4yvASqH4K\nb0N3+/abluBY7YPqKuRZBiEtmcYlZ+zIHuOTP1rD/7L5VY8CwE5U8SFlEqwM7nQJ\n6/vtl6qngOFjwt34WrhZzUfLPB/wRV/m1Qv2kr0RNA==\n=Ykiw\n-----END PGP MESSAGE-----\n",
+                        "fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+                    }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.6.1"
+            }
+        }
+    }
+
+    TASK [Decrypt data] **********************************************************************************************
+    ok: [localhost]
+
+    TASK [Show decrypted data] ***************************************************************************************
+    ok: [localhost] => {
+        "msg": {
+            "dolor": "sit",
+            "lorem": "ipsum"
+        }
+    }
+
+    PLAY RECAP *******************************************************************************************************
+    localhost                  : ok=4    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
+
+Please note that if you put a Jinja2 expression in a variable, it will be evaluated **every time it is used**. Decrypting data takes a certain amount of time. If you need to use an expression multiple times, it is better to store its evaluated form as a fact with :ansplugin:`ansible.bulitin.set_fact <ansible.builtin.set_fact#module>` first. This can be important if decrypted data should be passed to a role
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Decrypt file fetched from URL
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - name: Fetch file from URL
+          ansible.builtin.uri:
+            url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
+            return_content: true
+          register: encrypted_content
+
+        # BAD: every time the role uses decrypted_data, the data will be decrypted!
+
+        - name: Call role with decrypted data
+          include_role:
+            name: myrole
+          vars:
+            role_parameter: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"
+
+        # GOOD: the data is decrypted once before the role is called,
+
+        - name: Store decrypted data as fact
+          set_fact:
+            decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"
+
+        - name: Call role with decrypted data
+          include_role:
+            name: myrole
+          vars:
+            role_parameter: "{{ decrypted_data }}"
+
+Working with encrypted variables
+--------------------------------
+
+You can load encrypted variables similarly to the :ansplugin:`ansible.builtin.host_group_vars vars plugin <ansible.builtin.host_group_vars#vars>` with the :ansplugin:`community.sops.sops vars plugin <community.sops.sops#vars>`. If you need to load variables dynamically similarly to the :ansplugin:`ansible.builtin.include_vars action <ansible.builtin.include_vars#module>`, you can use the :ansplugin:`community.sops.load_vars action <community.sops.load_vars#module>`.
+
+To use the vars plugin, you need to enable it in your Ansible config file (``ansible.cfg``):
+
+.. code-block:: ini
+
+    [defaults]
+    vars_plugins_enabled = host_group_vars,community.sops.sops
+
+See :ref:`VARIABLE_PLUGINS_ENABLED <VARIABLE_PLUGINS_ENABLED>` for more details on enabling vars plugins. Then you can put files with the following extensions into the ``group_vars`` and ``host_vars`` directories:
+
+- ``.sops.yaml``
+- ``.sops.yml``
+- ``.sops.json``
+
+(The list of extensions can be adjusted with :ansopt:`community.sops.sops#vars:valid_extensions`.) The vars plugin will decrypt them and you can use their unencrypted content transparently.
+
+If you need to dynamically load encrypted variables, similar to the built-in :ansplugin:`ansible.builtin.include_vars action <ansible.builtin.include_vars#module>`, you can use the :ansplugin:`community.sops.load_vars action <community.sops.load_vars#module>` action. Please note that it is not a perfect replacement, since the built-in action relies on some hard-coded special casing in ansible-core which allows it to load the variables actually as variables (more precisely: as "unsafe" Jinja2 expressions which are automatically evaluated when used). Other action plugins, such as :ansplugin:`community.sops.load_vars#module`, cannot do that and have to load the variables as facts instead.
+
+This is mostly relevant if you use Jinja2 expressions in the encrypted variable file. When :ansplugin:`ansible.builtin.include_vars#module` loads a variable file with expressions, these expressions will only be evaluated when the variable that defines them needs to be evaluated (lazy evaluation). Since :ansplugin:`community.sops.load_vars#module` returns facts, it has to directly evaluate expressions at load time. (For this, set its :ansopt:`community.sops.load_vars#module:expressions` option to :ansval:`evaluate-on-load`.) This is mostly relevant if you want to refer to other variables from the same file: this will not work, since Ansible does not know the other variable yet while evaluating the first. It will only "know" them as facts after all have been evaluated and the action finishes.
+
+For the following example, assume you have the encrypted file ``keys/credentials.sops.yml`` which decrypts to:
+
+.. code-block:: yaml
+
+    encrypted_password: foo
+    expression: "{{ inventory_hostname }}"
+
+Consider the following playbook:
+
+.. code-block:: yaml+jinja
+
+    ---
+    - name: Create SOPS-encrypted private key
+      hosts: localhost
+      gather_facts: false
+      tasks:
+        - name: Load encrypted credentials
+          community.sops.load_vars:
+            file: keys/credentials.sops.yml
+            expressions: ignore  # explicitly do not evaluate expressions
+                                 # on load (this is the default)
+
+        - name: Show password
+          debug:
+            msg: "The password is {{ encrypted_password }}"
+
+        - name: Show expression
+          debug:
+            msg: "The expression is {{ expression }}"
+
+Running it produces:
+
+.. code-block:: ansible-output
+
+    PLAY [Create SOPS-encrypted private key] *************************************************************************
+
+    TASK [Load encrypted credentials] ********************************************************************************
+    ok: [localhost]
+
+    TASK [Show password] *********************************************************************************************
+    ok: [localhost] => {
+        "msg": "The password is foo"
+    }
+
+    TASK [Show expression] *******************************************************************************************
+    ok: [localhost] => {
+        "msg": "The expression is {{ inventory_hostname }}"
+    }
+
+    PLAY RECAP *******************************************************************************************************
+    localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
+
+If you change the variable loading task to:
+
+.. code-block:: yaml+jinja
+
+        - name: Load encrypted credentials
+          community.sops.load_vars:
+            file: keys/credentials.sops.yml
+            expressions: evaluate-on-load
+
+The last task will now show the evaluated expression:
+
+.. code-block:: ansible-output
+
+    TASK [Show expression] *******************************************************************************************
+    ok: [localhost] => {
+        "msg": "The expression is localhost"
+    }
diff --git a/ansible_collections/community/sops/meta/ee-bindep.txt b/ansible_collections/community/sops/meta/ee-bindep.txt
new file mode 100644
index 00000000..9ca64d74
--- /dev/null
+++ b/ansible_collections/community/sops/meta/ee-bindep.txt
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gnupg [platform:dpkg]
+gnupg2 [platform:rpm]
diff --git a/ansible_collections/community/sops/meta/execution-environment.yml b/ansible_collections/community/sops/meta/execution-environment.yml
new file mode 100644
index 00000000..00cd8f37
--- /dev/null
+++ b/ansible_collections/community/sops/meta/execution-environment.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+version: 1
+dependencies:
+  system: meta/ee-bindep.txt
diff --git a/ansible_collections/community/sops/meta/runtime.yml b/ansible_collections/community/sops/meta/runtime.yml
new file mode 100644
index 00000000..855df871
--- /dev/null
+++ b/ansible_collections/community/sops/meta/runtime.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+requires_ansible: '>=2.15.0'
diff --git a/ansible_collections/community/sops/noxfile.py b/ansible_collections/community/sops/noxfile.py
new file mode 100644
index 00000000..9e8ef50b
--- /dev/null
+++ b/ansible_collections/community/sops/noxfile.py
@@ -0,0 +1,32 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The following metadata allows Python runners and nox to install the required
+# dependencies for running this Python script:
+#
+# /// script
+# dependencies = ["nox>=2025.02.09", "antsibull-nox"]
+# ///
+
+import sys
+
+import nox
+
+
+# We try to import antsibull-nox, and if that doesn't work, provide a more useful
+# error message to the user.
+try:
+    import antsibull_nox
+except ImportError:
+    print("You need to install antsibull-nox in the same Python environment as nox.")
+    sys.exit(1)
+
+
+antsibull_nox.load_antsibull_nox_toml()
+
+
+# Allow to run the noxfile with `python noxfile.py`, `pipx run noxfile.py`, or similar.
+# Requires nox >= 2025.02.09
+if __name__ == "__main__":
+    nox.main()
diff --git a/ansible_collections/community/sops/playbooks/install.yml b/ansible_collections/community/sops/playbooks/install.yml
new file mode 100644
index 00000000..479a5d86
--- /dev/null
+++ b/ansible_collections/community/sops/playbooks/install.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install SOPS
+  gather_facts: true
+  hosts: all
+  tasks:
+    - name: Install SOPS on remote hosts
+      ansible.builtin.include_role:
+        name: community.sops.install
diff --git a/ansible_collections/community/sops/playbooks/install_localhost.yml b/ansible_collections/community/sops/playbooks/install_localhost.yml
new file mode 100644
index 00000000..0dedf645
--- /dev/null
+++ b/ansible_collections/community/sops/playbooks/install_localhost.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install SOPS on localhost
+  gather_facts: false
+  hosts: localhost
+  tasks:
+    - name: Install SOPS on localhost
+      ansible.builtin.include_role:
+        name: community.sops.install
+      vars:
+        sops_install_on_localhost: true
diff --git a/ansible_collections/community/sops/plugins/action/load_vars.py b/ansible_collections/community/sops/plugins/action/load_vars.py
new file mode 100644
index 00000000..35087f4e
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/action/load_vars.py
@@ -0,0 +1,110 @@
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+from collections.abc import Sequence, Mapping
+
+from ansible.module_utils.common.text.converters import to_native
+from ansible.utils.display import Display
+
+from ansible_collections.community.sops.plugins.module_utils.sops import Sops, get_sops_argument_spec
+
+from ansible_collections.community.sops.plugins.plugin_utils.action_module import ActionModuleBase, ArgumentSpec
+
+try:
+    from ansible.template import trust_as_template as _trust_as_template
+    HAS_DATATAGGING = True
+except ImportError:
+    HAS_DATATAGGING = False
+
+display = Display()
+
+
+def _make_safe(value):
+    if HAS_DATATAGGING and isinstance(value, str):
+        return _trust_as_template(value)
+    return value
+
+
+class ActionModule(ActionModuleBase):
+
+    def _load(self, filename, module):
+        def get_option_value(argument_name):
+            return module.params.get(argument_name)
+
+        output = Sops.decrypt(filename, display=display, get_option_value=get_option_value)
+
+        data = self._loader.load(output, file_name=filename, show_content=False)
+        if not data:
+            data = dict()
+        if not isinstance(data, dict):
+            # Should not happen with sops-encrypted files
+            raise Exception('{0} must be stored as a dictionary/hash'.format(to_native(filename)))
+        return data
+
+    def _evaluate(self, value):
+        if isinstance(value, str):
+            # must come *before* Sequence, as strings are also instances of Sequence
+            return self._templar.template(_make_safe(value))
+        if isinstance(value, Sequence):
+            return [self._evaluate(v) for v in value]
+        if isinstance(value, Mapping):
+            return dict((k, self._evaluate(v)) for k, v in value.items())
+        return value
+
+    def _make_safe(self, value):
+        if isinstance(value, str):
+            # must come *before* Sequence, as strings are also instances of Sequence
+            return _make_safe(value)
+        if isinstance(value, Sequence):
+            return [self._make_safe(v) for v in value]
+        if isinstance(value, Mapping):
+            return dict((k, self._make_safe(v)) for k, v in value.items())
+        return value
+
+    @staticmethod
+    def setup_module():
+        argument_spec = ArgumentSpec(
+            argument_spec=dict(
+                file=dict(type='path', required=True),
+                name=dict(type='str'),
+                expressions=dict(type='str', default='ignore', choices=['ignore', 'evaluate-on-load', 'lazy-evaluation']),
+            ),
+        )
+        argument_spec.argument_spec.update(get_sops_argument_spec())
+        return argument_spec, {}
+
+    def run_module(self, module):
+        expressions = module.params['expressions']
+        if expressions == 'lazy-evaluation' and not HAS_DATATAGGING:
+            module.fail_json(msg='expressions=lazy-evaluation requires ansible-core 2.19+ with Data Tagging support.')
+
+        data = dict()
+        files = []
+        try:
+            filename = self._find_needle('vars', module.params['file'])
+            data.update(self._load(filename, module))
+            files.append(filename)
+        except Exception as e:
+            module.fail_json(msg=to_native(e))
+
+        name = module.params['name']
+        if name is None:
+            value = data
+        else:
+            value = dict()
+            value[name] = data
+
+        if expressions == 'evaluate-on-load':
+            value = self._evaluate(value)
+
+        if expressions == 'lazy-evaluation':
+            value = self._make_safe(value)
+
+        module.exit_json(
+            ansible_included_var_files=files,
+            ansible_facts=value,
+            _ansible_no_log=True,
+        )
diff --git a/ansible_collections/community/sops/plugins/doc_fragments/attributes.py b/ansible_collections/community/sops/plugins/doc_fragments/attributes.py
new file mode 100644
index 00000000..d2e8372a
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/doc_fragments/attributes.py
@@ -0,0 +1,88 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+
+    # Standard documentation fragment
+    DOCUMENTATION = r"""
+options: {}
+attributes:
+  check_mode:
+    description: Can run in C(check_mode) and return changed status prediction without modifying target.
+  diff_mode:
+    description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+  idempotent:
+    description:
+      - When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change.
+      - This assumes that the system controlled/queried by the module has not changed in a relevant way.
+"""
+
+    # Should be used together with the standard fragment
+    IDEMPOTENT_NOT_MODIFY_STATE = r"""
+options: {}
+attributes:
+  idempotent:
+    support: full
+    details:
+      - This action does not modify state.
+"""
+
+    # Should be used together with the standard fragment
+    INFO_MODULE = r'''
+options: {}
+attributes:
+  check_mode:
+    support: full
+    details:
+      - This action does not modify state.
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+'''
+
+    FACTS = r"""
+options: {}
+attributes:
+  facts:
+    description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
+"""
+
+    # Should be used together with the standard fragment and the FACTS fragment
+    FACTS_MODULE = r'''
+options: {}
+attributes:
+  check_mode:
+    support: full
+    details:
+      - This action does not modify state.
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+  facts:
+    support: full
+'''
+
+    FILES = r"""
+options: {}
+attributes:
+  safe_file_operations:
+    description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
+"""
+
+    FLOW = r"""
+options: {}
+attributes:
+  action:
+    description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
+  async:
+    description: Supports being used with the C(async) keyword.
+"""
diff --git a/ansible_collections/community/sops/plugins/doc_fragments/sops.py b/ansible_collections/community/sops/plugins/doc_fragments/sops.py
new file mode 100644
index 00000000..7384df79
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/doc_fragments/sops.py
@@ -0,0 +1,318 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2020 Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+class ModuleDocFragment(object):
+    DOCUMENTATION = r"""
+requirements:
+  - A binary executable C(sops) (U(https://github.com/getsops/sops)) must exist either in E(PATH) or configured as O(sops_binary).
+options:
+  sops_binary:
+    description:
+      - Path to the SOPS binary.
+      - By default uses C(sops).
+    type: path
+    version_added: 1.0.0
+  age_key:
+    description:
+      - One or more age private keys that can be used to decrypt encrypted files.
+      - Will be set as the E(SOPS_AGE_KEY) environment variable when calling SOPS.
+      - Requires SOPS 3.7.1+.
+    type: str
+    version_added: 1.4.0
+  age_keyfile:
+    description:
+      - The file containing the age private keys that SOPS can use to decrypt encrypted files.
+      - Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling SOPS.
+      - By default, SOPS looks for C(sops/age/keys.txt) inside your user configuration directory.
+      - Requires SOPS 3.7.0+.
+    type: path
+    version_added: 1.4.0
+  age_ssh_private_keyfile:
+    description:
+      - The file containing the SSH private key that SOPS can use to decrypt encrypted files.
+      - Will be set as the E(SOPS_AGE_SSH_PRIVATE_KEY_FILE) environment variable when calling SOPS.
+      - By default, SOPS looks for C(~/.ssh/id_ed25519) and falls back to C(~/.ssh/id_rsa).
+      - Requires SOPS 3.10.0+.
+    type: path
+    version_added: 1.4.0
+  aws_profile:
+    description:
+      - The AWS profile to use for requests to AWS.
+      - This corresponds to the SOPS C(--aws-profile) option.
+    type: str
+    version_added: 1.0.0
+  aws_access_key_id:
+    description:
+      - The AWS access key ID to use for requests to AWS.
+      - Sets the environment variable E(AWS_ACCESS_KEY_ID) for the SOPS call.
+    type: str
+    version_added: 1.0.0
+  aws_secret_access_key:
+    description:
+      - The AWS secret access key to use for requests to AWS.
+      - Sets the environment variable E(AWS_SECRET_ACCESS_KEY) for the SOPS call.
+    type: str
+    version_added: 1.0.0
+  aws_session_token:
+    description:
+      - The AWS session token to use for requests to AWS.
+      - Sets the environment variable E(AWS_SESSION_TOKEN) for the SOPS call.
+    type: str
+    version_added: 1.0.0
+  config_path:
+    description:
+      - Path to the SOPS configuration file.
+      - If not set, SOPS will recursively search for the config file starting at the file that is encrypted or decrypted.
+      - This corresponds to the SOPS C(--config) option.
+    type: path
+    version_added: 1.0.0
+  enable_local_keyservice:
+    description:
+      - Tell SOPS to use local key service.
+      - When set to V(false), this corresponds to the SOPS C(--enable-local-keyservice=false) option.
+    type: bool
+    default: true
+    version_added: 1.0.0
+  keyservice:
+    description:
+      - Specify key services to use next to the local one.
+      - A key service must be specified in the form C(protocol://address), for example C(tcp://myserver.com:5000).
+      - This corresponds to the SOPS C(--keyservice) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+"""
+
+    ANSIBLE_VARIABLES = r'''
+options:
+  sops_binary:
+    vars:
+      - name: sops_binary
+  age_key:
+    vars:
+      - name: sops_age_key
+  age_keyfile:
+    vars:
+      - name: sops_age_keyfile
+  age_ssh_private_keyfile:
+    vars:
+      - name: sops_age_ssh_private_keyfile
+  aws_profile:
+    vars:
+      - name: sops_aws_profile
+  aws_access_key_id:
+    vars:
+      - name: sops_aws_access_key_id
+  aws_secret_access_key:
+    vars:
+      - name: sops_aws_secret_access_key
+  aws_session_token:
+    vars:
+      - name: sops_session_token
+      - name: sops_aws_session_token
+        version_added: 1.2.0
+  config_path:
+    vars:
+      - name: sops_config_path
+  enable_local_keyservice:
+    vars:
+      - name: sops_enable_local_keyservice
+  keyservice:
+    vars:
+      - name: sops_keyservice
+'''
+
+    ANSIBLE_ENV = r'''
+options:
+  sops_binary:
+    env:
+      - name: ANSIBLE_SOPS_BINARY
+        version_added: 1.2.0
+  age_key:
+    env:
+      - name: ANSIBLE_SOPS_AGE_KEY
+  age_keyfile:
+    env:
+      - name: ANSIBLE_SOPS_AGE_KEYFILE
+  age_ssh_private_keyfile:
+    env:
+      - name: ANSIBLE_SOPS_AGE_SSH_PRIVATE_KEYFILE
+  aws_profile:
+    env:
+      - name: ANSIBLE_SOPS_AWS_PROFILE
+        version_added: 1.2.0
+  aws_access_key_id:
+    env:
+      - name: ANSIBLE_SOPS_AWS_ACCESS_KEY_ID
+        version_added: 1.2.0
+  aws_secret_access_key:
+    env:
+      - name: ANSIBLE_SOPS_AWS_SECRET_ACCESS_KEY
+        version_added: 1.2.0
+  aws_session_token:
+    env:
+      - name: ANSIBLE_SOPS_AWS_SESSION_TOKEN
+        version_added: 1.2.0
+  config_path:
+    env:
+      - name: ANSIBLE_SOPS_CONFIG_PATH
+        version_added: 1.2.0
+  enable_local_keyservice:
+    env:
+      - name: ANSIBLE_SOPS_ENABLE_LOCAL_KEYSERVICE
+        version_added: 1.2.0
+  keyservice:
+    env:
+      - name: ANSIBLE_SOPS_KEYSERVICE
+        version_added: 1.2.0
+'''
+
+    ANSIBLE_INI = r'''
+options:
+  sops_binary:
+    ini:
+      - section: community.sops
+        key: binary
+        version_added: 1.2.0
+  # We do not provide an INI key for
+  #     age_key
+  # to make sure that secrets cannot be provided in ansible.ini. Use environment variables or another mechanism for that.
+  age_keyfile:
+    ini:
+      - section: community.sops
+        key: age_keyfile
+  age_ssh_private_keyfile:
+    ini:
+      - section: community.sops
+        key: age_ssh_private_keyfile
+  aws_profile:
+    ini:
+      - section: community.sops
+        key: aws_profile
+        version_added: 1.2.0
+  aws_access_key_id:
+    ini:
+      - section: community.sops
+        key: aws_access_key_id
+        version_added: 1.2.0
+  # We do not provide an INI key for
+  #     aws_secret_access_key
+  # to make sure that secrets cannot be provided in ansible.ini. Use environment variables or another mechanism for that.
+  aws_session_token:
+    ini:
+      - section: community.sops
+        key: aws_session_token
+        version_added: 1.2.0
+  config_path:
+    ini:
+      - section: community.sops
+        key: config_path
+        version_added: 1.2.0
+  enable_local_keyservice:
+    ini:
+      - section: community.sops
+        key: enable_local_keyservice
+        version_added: 1.2.0
+  keyservice:
+    ini:
+      - section: community.sops
+        key: keyservice
+        version_added: 1.2.0
+'''
+
+    ENCRYPT_SPECIFIC = r'''
+options:
+  age:
+    description:
+      - Age fingerprints to use.
+      - This corresponds to the SOPS C(--age) option.
+    type: list
+    elements: str
+    version_added: 1.4.0
+  kms:
+    description:
+      - List of KMS ARNs to use.
+      - This corresponds to the SOPS C(--kms) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  gcp_kms:
+    description:
+      - GCP KMS resource IDs to use.
+      - This corresponds to the SOPS C(--gcp-kms) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  azure_kv:
+    description:
+      - Azure Key Vault URLs to use.
+      - This corresponds to the SOPS C(--azure-kv) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  hc_vault_transit:
+    description:
+      - HashiCorp Vault key URIs to use.
+      - For example, C(https://vault.example.org:8200/v1/transit/keys/dev).
+      - This corresponds to the SOPS C(--hc-vault-transit) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  pgp:
+    description:
+      - PGP fingerprints to use.
+      - This corresponds to the SOPS C(--pgp) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  unencrypted_suffix:
+    description:
+      - Override the unencrypted key suffix.
+      - This corresponds to the SOPS C(--unencrypted-suffix) option.
+    type: str
+    version_added: 1.0.0
+  encrypted_suffix:
+    description:
+      - Override the encrypted key suffix.
+      - When set to an empty string, all keys will be encrypted that are not explicitly
+        marked by O(unencrypted_suffix).
+      - This corresponds to the SOPS C(--encrypted-suffix) option.
+    type: str
+    version_added: 1.0.0
+  unencrypted_regex:
+    description:
+      - Set the unencrypted key suffix.
+      - When specified, only keys matching the regular expression will be left unencrypted.
+      - This corresponds to the SOPS C(--unencrypted-regex) option.
+    type: str
+    version_added: 1.0.0
+  encrypted_regex:
+    description:
+      - Set the encrypted key suffix.
+      - When specified, only keys matching the regular expression will be encrypted.
+      - This corresponds to the SOPS C(--encrypted-regex) option.
+    type: str
+    version_added: 1.0.0
+  encryption_context:
+    description:
+      - List of KMS encryption context pairs of format C(key:value).
+      - This corresponds to the SOPS C(--encryption-context) option.
+    type: list
+    elements: str
+    version_added: 1.0.0
+  shamir_secret_sharing_threshold:
+    description:
+      - The number of distinct keys required to retrieve the data key with
+        L(Shamir's Secret Sharing, https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
+      - If not set here and in the SOPS config file, will default to V(0).
+      - This corresponds to the SOPS C(--shamir-secret-sharing-threshold) option.
+    type: int
+    version_added: 1.0.0
+'''
diff --git a/ansible_collections/community/sops/plugins/filter/_latest_version.py b/ansible_collections/community/sops/plugins/filter/_latest_version.py
new file mode 100644
index 00000000..2f6a3e37
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/filter/_latest_version.py
@@ -0,0 +1,63 @@
+# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: _latest_version
+short_description: "[INTERNAL] Get latest version from a list of versions"
+version_added: 1.4.0
+author:
+  - Felix Fontein (@felixfontein)
+description:
+  - B(This is an internal tool and must only be used from roles in this collection!) If you use it from outside this collection,
+    be warned that its behavior can change and it can be removed at any time, even in bugfix releases!
+  - Given a list of version numbers, returns the largest of them.
+options:
+  _input:
+    description:
+      - A list of strings. Every string must be a version number.
+    type: list
+    elements: string
+    required: true
+"""
+
+EXAMPLES = r"""
+---
+- name: Print latest version
+  ansible.builtin.debug:
+    msg: "{{ versions | community.sops._latest_version }}"
+  vars:
+    versions:
+      - 1.0.0
+      - 1.0.0rc1
+      - 1.1.0
+"""
+
+RETURN = r"""
+_value:
+  description:
+    - The latest version from the input.
+    - Returns the empty string if the input was empty.
+  type: string
+"""
+
+from ansible.module_utils.compat.version import LooseVersion
+
+
+def pick_latest_version(version_list):
+    '''Pick latest version from a list of versions.'''
+    # Remove all prereleases (versions with '+' or '-' in them)
+    version_list = [v for v in version_list if '-' not in v and '+' not in v]
+    if not version_list:
+        return ''
+    return sorted(version_list, key=LooseVersion, reverse=True)[0]
+
+
+class FilterModule:
+    '''Helper filters.'''
+    def filters(self):
+        return {
+            '_latest_version': pick_latest_version,
+        }
diff --git a/ansible_collections/community/sops/plugins/filter/decrypt.py b/ansible_collections/community/sops/plugins/filter/decrypt.py
new file mode 100644
index 00000000..f5538e94
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/filter/decrypt.py
@@ -0,0 +1,173 @@
+# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: decrpyt
+short_description: Decrypt SOPS-encrypted data
+version_added: 1.1.0
+author:
+  - Felix Fontein (@felixfontein)
+description:
+  - Decrypt SOPS-encrypted data.
+  - Allows to decrypt data that has been provided by an arbitrary source.
+  - Note that due to Ansible lazy-evaluating expressions, it is better to use M(ansible.builtin.set_fact) to store the result
+    of an evaluation in a fact to avoid recomputing the value every time the expression is used.
+options:
+  _input:
+    description:
+      - The data to decrypt.
+    type: string
+    required: true
+  rstrip:
+    description:
+      - Whether to remove trailing newlines and spaces.
+    type: bool
+    default: true
+  input_type:
+    description:
+      - Tell SOPS how to interpret the encrypted data.
+      - There is no auto-detection since we do not have a filename. By default SOPS is told to treat the input as YAML. If
+        that is wrong, please set this option to the correct value.
+      - The value V(ini) is available since community.sops 1.9.0.
+    type: str
+    choices:
+      - binary
+      - json
+      - yaml
+      - dotenv
+      - ini
+    default: yaml
+  output_type:
+    description:
+      - Tell SOPS how to interpret the decrypted file.
+      - Please note that the output is always text or bytes, depending on the value of O(decode_output). To parse the resulting
+        JSON or YAML, use corresponding filters such as P(ansible.builtin.from_json#filter) and P(ansible.builtin.from_yaml#filter).
+      - The value V(ini) is available since community.sops 1.9.0.
+    type: str
+    choices:
+      - binary
+      - json
+      - yaml
+      - dotenv
+      - ini
+    default: yaml
+  decode_output:
+    description:
+      - Whether to decode the output to bytes.
+      - When O(output_type=binary), and the file is not known to contain UTF-8 encoded text, this should better be set to
+        V(false) to prevent mangling the data with UTF-8 decoding.
+    type: bool
+    default: true
+extends_documentation_fragment:
+  - community.sops.sops
+seealso:
+  - plugin: community.sops.sops
+    plugin_type: lookup
+  - plugin: community.sops.sops
+    plugin_type: vars
+  - module: community.sops.load_vars
+"""
+
+EXAMPLES = r"""
+---
+- name: Decrypt file fetched from URL
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Fetch file from URL
+      ansible.builtin.uri:
+        url: https://raw.githubusercontent.com/getsops/sops/master/functional-tests/res/comments.enc.yaml
+        return_content: true
+      register: encrypted_content
+
+    - name: Show encrypted data
+      debug:
+        msg: "{{ encrypted_content.content | ansible.builtin.from_yaml }}"
+
+    - name: Decrypt data and decode decrypted YAML
+      set_fact:
+        decrypted_data: "{{ encrypted_content.content | community.sops.decrypt | ansible.builtin.from_yaml }}"
+
+    - name: Show decrypted data
+      debug:
+        msg: "{{ decrypted_data }}"
+"""
+
+RETURN = r"""
+_value:
+  description:
+    - Decrypted data as text (O(decode_output=true), default) or binary string (O(decode_output=false)).
+  type: string
+"""
+
+from ansible.errors import AnsibleFilterError
+from ansible.module_utils.common.text.converters import to_bytes, to_native
+from ansible.utils.display import Display
+
+from ansible_collections.community.sops.plugins.module_utils.sops import Sops, SopsError
+
+
+_VALID_TYPES = set(['binary', 'json', 'yaml', 'dotenv', 'ini'])
+
+
+def decrypt_filter(data, input_type='yaml', output_type='yaml', sops_binary='sops', rstrip=True, decode_output=True,
+                   aws_profile=None, aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None,
+                   config_path=None, enable_local_keyservice=True, keyservice=None, age_key=None, age_keyfile=None, age_ssh_private_keyfile=None):
+    '''Decrypt sops-encrypted data.'''
+
+    # Check parameters
+    if input_type not in _VALID_TYPES:
+        raise AnsibleFilterError('input_type must be one of {expected}; got "{value}"'.format(
+            expected=', '.join(sorted(_VALID_TYPES)), value=input_type))
+    if output_type not in _VALID_TYPES:
+        raise AnsibleFilterError('output_type must be one of {expected}; got "{value}"'.format(
+            expected=', '.join(sorted(_VALID_TYPES)), value=output_type))
+
+    # Create option value querier
+    def get_option_value(argument_name):
+        if argument_name == 'sops_binary':
+            return sops_binary
+        if argument_name == 'age_key':
+            return age_key
+        if argument_name == 'age_keyfile':
+            return age_keyfile
+        if argument_name == 'age_ssh_private_keyfile':
+            return age_ssh_private_keyfile
+        if argument_name == 'aws_profile':
+            return aws_profile
+        if argument_name == 'aws_access_key_id':
+            return aws_access_key_id
+        if argument_name == 'aws_secret_access_key':
+            return aws_secret_access_key
+        if argument_name == 'aws_session_token':
+            return aws_session_token
+        if argument_name == 'config_path':
+            return config_path
+        if argument_name == 'enable_local_keyservice':
+            return enable_local_keyservice
+        if argument_name == 'keyservice':
+            return keyservice
+        raise AssertionError('internal error: should not be reached')
+
+    # Decode
+    data = to_bytes(data)
+    try:
+        output = Sops.decrypt(
+            None, content=data, display=Display(), rstrip=rstrip, decode_output=decode_output,
+            input_type=input_type, output_type=output_type, get_option_value=get_option_value)
+    except SopsError as e:
+        raise AnsibleFilterError(to_native(e))
+
+    return output
+
+
+class FilterModule:
+    '''Ansible jinja2 filters'''
+
+    def filters(self):
+        return {
+            'decrypt': decrypt_filter,
+        }
diff --git a/ansible_collections/community/sops/plugins/lookup/sops.py b/ansible_collections/community/sops/plugins/lookup/sops.py
new file mode 100644
index 00000000..cb9e9f5e
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/lookup/sops.py
@@ -0,0 +1,166 @@
+# Copyright 2018 Edoardo Tenani <e.tenani@arduino.cc> (@endorama)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: sops
+author: Edoardo Tenani (@endorama) <e.tenani@arduino.cc>
+short_description: Read SOPS-encrypted file contents
+version_added: '0.1.0'
+description:
+  - This lookup returns the contents from a file on the Ansible controller's file system.
+  - This lookup requires the C(sops) executable to be available in the controller PATH.
+options:
+  _terms:
+    description: Path(s) of files to read.
+    required: true
+    type: list
+    elements: str
+  rstrip:
+    description: Whether to remove trailing newlines and spaces.
+    type: bool
+    default: true
+  base64:
+    description:
+      - Base64-encodes the parsed result.
+      - Use this if you want to store binary data in Ansible variables.
+    type: bool
+    default: false
+  input_type:
+    description:
+      - Tell SOPS how to interpret the encrypted file.
+      - By default, SOPS will chose the input type from the file extension. If it detects the wrong type for a file, this
+        could result in decryption failing.
+      - The value V(ini) is available since community.sops 1.9.0.
+    type: str
+    choices:
+      - binary
+      - json
+      - yaml
+      - dotenv
+      - ini
+  output_type:
+    description:
+      - Tell SOPS how to interpret the decrypted file.
+      - By default, SOPS will chose the output type from the file extension. If it detects the wrong type for a file, this
+        could result in decryption failing.
+      - The value V(ini) is available since community.sops 1.9.0.
+    type: str
+    choices:
+      - binary
+      - json
+      - yaml
+      - dotenv
+      - ini
+  empty_on_not_exist:
+    description:
+      - When set to V(true), will not raise an error when a file cannot be found, but return an empty string instead.
+    type: bool
+    default: false
+  extract:
+    description:
+      - Tell SOPS to extract a specific key from a JSON or YAML file.
+      - Expects a string with the same 'querystring' syntax as SOPS' C(--encrypt) option, for example V(["somekey"][0]).
+      - B(Note:) Escape quotes appropriately.
+    type: str
+    version_added: 1.9.0
+extends_documentation_fragment:
+  - community.sops.sops
+  - community.sops.sops.ansible_variables
+  - community.sops.sops.ansible_env
+  - community.sops.sops.ansible_ini
+notes:
+  - This lookup does not understand 'globbing' - use the P(ansible.builtin.fileglob#lookup) lookup instead.
+seealso:
+  - plugin: community.sops.decrypt
+    plugin_type: filter
+    description: The decrypt filter can be used to descrypt SOPS-encrypted in-memory data.
+  - plugin: community.sops.sops
+    plugin_type: vars
+    description: The sops vars plugin can be used to load SOPS-encrypted host or group variables.
+  - module: community.sops.load_vars
+"""
+
+EXAMPLES = r"""
+---
+- name: Output secrets to screen (BAD IDEA!)
+  ansible.builtin.debug:
+    msg: "Content: {{ lookup('community.sops.sops', item) }}"
+  loop:
+    - sops-encrypted-file.enc.yaml
+
+- name: Add SSH private key
+  ansible.builtin.copy:
+  # Note that rstrip=false is necessary for some SSH versions to be able to use the key
+    content: "{{ lookup('community.sops.sops', user + '-id_rsa', rstrip=false) }}"
+    dest: /home/{{ user }}/.ssh/id_rsa
+    owner: "{{ user }}"
+    group: "{{ user }}"
+    mode: "0600"
+  no_log: true # avoid content to be written to log
+
+- name: The file file.json is a YAML file, which contains the encryption of binary data
+  ansible.builtin.debug:
+    msg: "Content: {{ lookup('community.sops.sops', 'file.json', input_type='yaml', output_type='binary') }}"
+"""
+
+RETURN = r"""
+_raw:
+  description: Decrypted file content.
+  type: list
+  elements: str
+"""
+
+import base64
+
+from ansible.errors import AnsibleLookupError
+from ansible.plugins.lookup import LookupBase
+from ansible.module_utils.common.text.converters import to_native
+from ansible_collections.community.sops.plugins.module_utils.sops import Sops, SopsError
+
+from ansible.utils.display import Display
+display = Display()
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+        self.set_options(var_options=variables, direct=kwargs)
+        rstrip = self.get_option('rstrip')
+        use_base64 = self.get_option('base64')
+        input_type = self.get_option('input_type')
+        output_type = self.get_option('output_type')
+        empty_on_not_exist = self.get_option('empty_on_not_exist')
+        extract = self.get_option('extract')
+
+        ret = []
+
+        def get_option_value(argument_name):
+            return self.get_option(argument_name)
+
+        for term in terms:
+            display.debug("Sops lookup term: %s" % term)
+            lookupfile = self.find_file_in_search_path(variables, 'files', term, ignore_missing=empty_on_not_exist)
+            display.vvvv(u"Sops lookup using %s as file" % lookupfile)
+
+            if not lookupfile:
+                if empty_on_not_exist:
+                    ret.append('')
+                    continue
+                raise AnsibleLookupError("could not locate file in lookup: %s" % to_native(term))
+
+            try:
+                output = Sops.decrypt(
+                    lookupfile, display=display, rstrip=rstrip, decode_output=(not use_base64),
+                    input_type=input_type, output_type=output_type, get_option_value=get_option_value, extract=extract)
+            except SopsError as e:
+                raise AnsibleLookupError(to_native(e))
+
+            if use_base64:
+                output = to_native(base64.b64encode(output))
+
+            ret.append(output)
+
+        return ret
diff --git a/ansible_collections/community/sops/plugins/module_utils/io.py b/ansible_collections/community/sops/plugins/module_utils/io.py
new file mode 100644
index 00000000..1a845620
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/module_utils/io.py
@@ -0,0 +1,53 @@
+# Copyright (c), Yanis Guenane <yanis+ansible@guenane.org>, 2016
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import os
+import tempfile
+
+
+# This is taken from community.crypto
+
+def write_file(module, content):
+    '''
+    Writes content into destination file as securely as possible.
+    Uses file arguments from module.
+    '''
+    # Find out parameters for file
+    file_args = module.load_file_common_arguments(module.params)
+    # Create tempfile name
+    tmp_fd, tmp_name = tempfile.mkstemp(prefix=b'.ansible_tmp')
+    try:
+        os.close(tmp_fd)
+    except Exception:
+        pass
+    module.add_cleanup_file(tmp_name)  # if we fail, let Ansible try to remove the file
+    try:
+        try:
+            # Create tempfile
+            file = os.open(tmp_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+            os.write(file, content)
+            os.close(file)
+        except Exception as e:
+            try:
+                os.remove(tmp_name)
+            except Exception:
+                pass
+            module.fail_json(msg='Error while writing result into temporary file: {0}'.format(e))
+        # Update destination to wanted permissions
+        if os.path.exists(file_args['path']):
+            module.set_fs_attributes_if_different(file_args, False)
+        # Move tempfile to final destination
+        module.atomic_move(os.path.abspath(tmp_name), os.path.abspath(file_args['path']))
+        # Try to update permissions again
+        module.set_fs_attributes_if_different(file_args, False)
+    except Exception as e:
+        try:
+            os.remove(tmp_name)
+        except Exception:
+            pass
+        module.fail_json(msg='Error while writing result: {0}'.format(e))
diff --git a/ansible_collections/community/sops/plugins/module_utils/sops.py b/ansible_collections/community/sops/plugins/module_utils/sops.py
new file mode 100644
index 00000000..73345707
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/module_utils/sops.py
@@ -0,0 +1,436 @@
+# Copyright (c), Edoardo Tenani <e.tenani@arduino.cc>, 2018-2020
+# Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
+# SPDX-License-Identifier: BSD-2-Clause
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import collections
+import json
+import os
+import re
+
+from ansible.module_utils.common.text.converters import to_text, to_native
+
+# Since this is used both by plugins and modules, we need subprocess in case the `module` parameter is not used
+from subprocess import Popen, PIPE
+
+
+# From https://github.com/getsops/sops/blob/master/cmd/sops/codes/codes.go
+# Should be manually updated
+SOPS_ERROR_CODES = {
+    1: "ErrorGeneric",
+    2: "CouldNotReadInputFile",
+    3: "CouldNotWriteOutputFile",
+    4: "ErrorDumpingTree",
+    5: "ErrorReadingConfig",
+    6: "ErrorInvalidKMSEncryptionContextFormat",
+    7: "ErrorInvalidSetFormat",
+    8: "ErrorConflictingParameters",
+    21: "ErrorEncryptingMac",
+    23: "ErrorEncryptingTree",
+    24: "ErrorDecryptingMac",
+    25: "ErrorDecryptingTree",
+    49: "CannotChangeKeysFromNonExistentFile",
+    51: "MacMismatch",
+    52: "MacNotFound",
+    61: "ConfigFileNotFound",
+    85: "KeyboardInterrupt",
+    91: "InvalidTreePathFormat",
+    100: "NoFileSpecified",
+    128: "CouldNotRetrieveKey",
+    111: "NoEncryptionKeyFound",
+    200: "FileHasNotBeenModified",
+    201: "NoEditorFound",
+    202: "FailedToCompareVersions",
+    203: "FileAlreadyEncrypted"
+}
+
+_SOPS_VERSION = re.compile(r'^sops ([0-9]+)\.([0-9]+)\.([0-9]+)')
+
+
+def _add_argument(arguments_pre, arguments_post, *args, **kwargs):
+    pre = kwargs.pop('pre', False)
+    (arguments_pre if pre else arguments_post).extend(args)
+
+
+def _create_single_arg(argument_name, pre=False):
+    def f(value, arguments_pre, arguments_post, env, version):
+        _add_argument(arguments_pre, arguments_post, argument_name, to_native(value), pre=pre)
+
+    return f
+
+
+def _create_comma_separated(argument_name, pre=False):
+    def f(value, arguments_pre, arguments_post, env, version):
+        value = ','.join([to_native(v) for v in value])
+        _add_argument(arguments_pre, arguments_post, argument_name, value, pre=pre)
+
+    return f
+
+
+def _create_repeated(argument_name, pre=False):
+    def f(value, arguments_pre, arguments_post, env, version):
+        for v in value:
+            _add_argument(arguments_pre, arguments_post, argument_name, to_native(v), pre=pre)
+
+    return f
+
+
+def _create_boolean(argument_name, pre=False, invert=False):
+    def f(value, arguments_pre, arguments_post, env, version):
+        if value ^ invert:
+            _add_argument(arguments_pre, arguments_post, argument_name, pre=pre)
+
+    return f
+
+
+def _create_env_variable(argument_name):
+    def f(value, arguments_pre, arguments_post, env, version):
+        env[argument_name] = value
+
+    return f
+
+
+GENERAL_OPTIONS = {
+    'age_key': _create_env_variable('SOPS_AGE_KEY'),
+    'age_keyfile': _create_env_variable('SOPS_AGE_KEY_FILE'),
+    'age_ssh_private_keyfile': _create_env_variable('SOPS_AGE_SSH_PRIVATE_KEY_FILE'),
+    'aws_profile': _create_single_arg('--aws-profile'),
+    'aws_access_key_id': _create_env_variable('AWS_ACCESS_KEY_ID'),
+    'aws_secret_access_key': _create_env_variable('AWS_SECRET_ACCESS_KEY'),
+    'aws_session_token': _create_env_variable('AWS_SESSION_TOKEN'),
+    'config_path': _create_single_arg('--config', pre=True),
+    'enable_local_keyservice': _create_boolean('--enable-local-keyservice=false', invert=True),
+    'keyservice': _create_repeated('--keyservice'),
+}
+
+
+ENCRYPT_OPTIONS = {
+    'age': _create_comma_separated('--age'),
+    'kms': _create_comma_separated('--kms'),
+    'gcp_kms': _create_comma_separated('--gcp-kms'),
+    'azure_kv': _create_comma_separated('--azure-kv'),
+    'hc_vault_transit': _create_comma_separated('--hc-vault-transit'),
+    'pgp': _create_comma_separated('--pgp'),
+    'unencrypted_suffix': _create_single_arg('--unencrypted-suffix'),
+    'encrypted_suffix': _create_single_arg('--encrypted-suffix'),
+    'unencrypted_regex': _create_single_arg('--unencrypted-regex'),
+    'encrypted_regex': _create_single_arg('--encrypted-regex'),
+    'encryption_context': _create_comma_separated('--encryption-context'),
+    'shamir_secret_sharing_threshold': _create_single_arg('--shamir-secret-sharing-threshold'),
+}
+
+
+class SopsError(Exception):
+    ''' Extend Exception class with sops specific information '''
+
+    def __init__(self, filename, exit_code, message, decryption=True, operation=None):
+        if operation is None:
+            operation = 'decrypt' if decryption else 'encrypt'
+        if exit_code in SOPS_ERROR_CODES:
+            exception_name = SOPS_ERROR_CODES[exit_code]
+            message = "error with file %s: %s exited with code %d: %s" % (
+                filename, exception_name, exit_code, to_native(message))
+        else:
+            message = "could not %s file %s; Unknown sops error code: %s; message: %s" % (
+                operation, filename, exit_code, to_native(message))
+        super(SopsError, self).__init__(message)
+
+
+SopsFileStatus = collections.namedtuple('SopsFileStatus', ['encrypted'])
+
+
+class SopsRunner(object):
+    def _add_options(self, command_pre, command_post, env, get_option_value, options):
+        if get_option_value is None:
+            return
+        for option, f in options.items():
+            v = get_option_value(option)
+            if v is not None:
+                f(v, command_pre, command_post, env, self.version)
+
+    def _debug(self, message):
+        if self.display:
+            self.display.vvvv(message)
+        elif self.module:
+            self.module.debug(message)
+
+    def _warn(self, message):
+        if self.display:
+            self.display.warning(message)
+        elif self.module:
+            self.module.warn(message)
+
+    def __init__(self, binary, module=None, display=None):
+        self.binary = binary
+        self.module = module
+        self.display = display
+
+        self.version = (3, 7, 3)  # if --disable-version-check is not supported, this is version 3.7.3 or older
+        self.version_string = '(before 3.8.0)'
+
+        exit_code, output, err = self._run_command([self.binary, '--version', '--disable-version-check'])
+        if exit_code == 0:
+            m = _SOPS_VERSION.match(output.decode('utf-8'))
+            if m:
+                self.version = int(m.group(1)), int(m.group(2)), int(m.group(3))
+                self.version_string = '%d.%d.%d' % self.version
+                self._debug('SOPS version detected as %s' % (self.version, ))
+            else:
+                self._warn('Cannot extract SOPS version from: %s' % repr(output))
+        else:
+            self._debug('Cannot detect SOPS version efficiently, likely a version before 3.8.0')
+
+    def _run_command(self, command, env=None, data=None, cwd=None):
+        if self.module:
+            return self.module.run_command(command, environ_update=env, cwd=cwd, encoding=None, data=data, binary_data=True)
+
+        process = Popen(command, stdin=None if data is None else PIPE, stdout=PIPE, stderr=PIPE, cwd=cwd, env=env)
+        output, err = process.communicate(input=data)
+        return process.returncode, output, err
+
+    def decrypt(self, encrypted_file, content=None,
+                decode_output=True, rstrip=True, input_type=None, output_type=None, get_option_value=None, extract=None):
+        # Run sops directly, python module is deprecated
+        command = [self.binary]
+        command_post = []
+        env = os.environ.copy()
+        self._add_options(command, command_post, env, get_option_value, GENERAL_OPTIONS)
+        if self.version >= (3, 9, 0):
+            command.append("decrypt")
+        command.extend(command_post)
+        if input_type is not None:
+            command.extend(["--input-type", input_type])
+        if output_type is not None:
+            command.extend(["--output-type", output_type])
+        if self.version < (3, 9, 0):
+            command.append("--decrypt")
+        if extract is not None:
+            command.extend(["--extract", extract])
+        if content is not None:
+            encrypted_file = '/dev/stdin'
+        command.append(encrypted_file)
+
+        exit_code, output, err = self._run_command(command, env=env, data=content)
+
+        if decode_output:
+            # output is binary, we want UTF-8 string
+            output = to_text(output, errors='surrogate_or_strict')
+            # the process output is the decrypted secret; be cautious
+
+        # sops logs always to stderr, as stdout is used for
+        # file content
+        if err:
+            self._debug(u'Unexpected stderr:\n' + to_text(err, errors='surrogate_or_strict'))
+
+        if exit_code != 0:
+            raise SopsError(encrypted_file, exit_code, err, decryption=True)
+
+        if rstrip:
+            output = output.rstrip()
+
+        return output
+
+    def encrypt(self, data, cwd=None, input_type=None, output_type=None, filename=None, get_option_value=None):
+        # Run sops directly, python module is deprecated
+        command = [self.binary]
+        command_post = []
+        env = os.environ.copy()
+        self._add_options(command, command_post, env, get_option_value, GENERAL_OPTIONS)
+        self._add_options(command, command_post, env, get_option_value, ENCRYPT_OPTIONS)
+        if self.version >= (3, 9, 0):
+            command.append("encrypt")
+        command.extend(command_post)
+        if input_type is not None:
+            command.extend(["--input-type", input_type])
+        if output_type is not None:
+            command.extend(["--output-type", output_type])
+        if self.version < (3, 9, 0):
+            command.append("--encrypt")
+        if self.version >= (3, 9, 0) and filename:
+            command.extend(["--filename-override", filename])
+        command.append("/dev/stdin")
+
+        exit_code, output, err = self._run_command(command, env=env, data=data, cwd=cwd)
+
+        # sops logs always to stderr, as stdout is used for
+        # file content
+        if err:
+            self._debug(u'Unexpected stderr:\n' + to_text(err, errors='surrogate_or_strict'))
+
+        if exit_code != 0:
+            raise SopsError('to stdout', exit_code, err, decryption=False)
+
+        return output
+
+    def has_filestatus(self):
+        return self.version >= (3, 9, 0)
+
+    def get_filestatus(self, path):
+        command = [self.binary, 'filestatus', path]
+
+        exit_code, output, err = self._run_command(command)
+
+        # sops logs always to stderr, as stdout is used for
+        # file content
+        if err:
+            self._debug(u'Unexpected stderr:\n' + to_text(err, errors='surrogate_or_strict'))
+
+        if exit_code != 0:
+            raise SopsError(path, exit_code, err, operation='inspect')
+
+        try:
+            result = json.loads(output)
+            return SopsFileStatus(result['encrypted'])
+        except Exception as exc:
+            self._debug(u'Unexpected stdout:\n' + to_text(output, errors='surrogate_or_strict'))
+            raise SopsError(path, 0, 'Cannot decode filestatus result: %s' % exc, operation='inspect')
+
+
+_SOPS_RUNNER_CACHE = dict()
+
+
+class Sops():
+    ''' Utility class to perform sops CLI actions '''
+
+    @staticmethod
+    def get_sops_binary(get_option_value):
+        cmd = get_option_value('sops_binary') if get_option_value else None
+        if cmd is None:
+            cmd = 'sops'
+        return cmd
+
+    @staticmethod
+    def get_sops_runner_from_binary(sops_binary, module=None, display=None):
+        candidates = _SOPS_RUNNER_CACHE.get(sops_binary, [])
+        for cand_module, cand_runner in candidates:
+            if cand_runner is module:
+                return cand_runner
+        runner = SopsRunner(sops_binary, module=module, display=display)
+        candidates.append((module, runner))
+        _SOPS_RUNNER_CACHE[sops_binary] = candidates
+        return runner
+
+    @staticmethod
+    def get_sops_runner_from_options(get_option_value, module=None, display=None):
+        return Sops.get_sops_runner_from_binary(Sops.get_sops_binary(get_option_value), module=module, display=display)
+
+    @staticmethod
+    def decrypt(encrypted_file, content=None,
+                display=None, decode_output=True, rstrip=True, input_type=None, output_type=None, get_option_value=None, module=None, extract=None):
+        runner = Sops.get_sops_runner_from_options(get_option_value, module=module, display=display)
+        return runner.decrypt(
+            encrypted_file,
+            content=content,
+            decode_output=decode_output,
+            rstrip=rstrip,
+            input_type=input_type,
+            output_type=output_type,
+            get_option_value=get_option_value,
+            extract=extract,
+        )
+
+    @staticmethod
+    def encrypt(data, display=None, cwd=None, input_type=None, output_type=None, get_option_value=None, module=None, filename=None):
+        runner = Sops.get_sops_runner_from_options(get_option_value, module=module, display=display)
+        return runner.encrypt(
+            data,
+            cwd=cwd,
+            input_type=input_type,
+            output_type=output_type,
+            get_option_value=get_option_value,
+            filename=filename,
+        )
+
+
+def get_sops_argument_spec(add_encrypt_specific=False):
+    argument_spec = {
+        'sops_binary': {
+            'type': 'path',
+        },
+        'age_key': {
+            'type': 'str',
+            'no_log': True,
+        },
+        'age_keyfile': {
+            'type': 'path',
+        },
+        'age_ssh_private_keyfile': {
+            'type': 'path',
+        },
+        'aws_profile': {
+            'type': 'str',
+        },
+        'aws_access_key_id': {
+            'type': 'str',
+        },
+        'aws_secret_access_key': {
+            'type': 'str',
+            'no_log': True,
+        },
+        'aws_session_token': {
+            'type': 'str',
+            'no_log': True,
+        },
+        'config_path': {
+            'type': 'path',
+        },
+        'enable_local_keyservice': {
+            'type': 'bool',
+            'default': True,
+        },
+        'keyservice': {
+            'type': 'list',
+            'elements': 'str',
+        },
+    }
+    if add_encrypt_specific:
+        argument_spec.update({
+            'age': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'kms': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'gcp_kms': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'azure_kv': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'hc_vault_transit': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'pgp': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'unencrypted_suffix': {
+                'type': 'str',
+            },
+            'encrypted_suffix': {
+                'type': 'str',
+            },
+            'unencrypted_regex': {
+                'type': 'str',
+            },
+            'encrypted_regex': {
+                'type': 'str',
+            },
+            'encryption_context': {
+                'type': 'list',
+                'elements': 'str',
+            },
+            'shamir_secret_sharing_threshold': {
+                'type': 'int',
+                'no_log': False,
+            },
+        })
+    return argument_spec
diff --git a/ansible_collections/community/sops/plugins/modules/load_vars.py b/ansible_collections/community/sops/plugins/modules/load_vars.py
new file mode 100644
index 00000000..c8e872e4
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/modules/load_vars.py
@@ -0,0 +1,117 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+DOCUMENTATION = r"""
+author: Felix Fontein (@felixfontein)
+module: load_vars
+short_description: Load SOPS-encrypted variables from files, dynamically within a task
+version_added: '0.1.0'
+description:
+  - Loads SOPS-encrypted YAML/JSON variables dynamically from a file during task runtime.
+  - To assign included variables to a different host than C(inventory_hostname), use C(delegate_to) and set C(delegate_facts=true).
+options:
+  file:
+    description:
+      - The file name from which variables should be loaded.
+      - If the path is relative, it will look for the file in C(vars/) subdirectory of a role or relative to playbook.
+    type: path
+  name:
+    description:
+      - The name of a variable into which assign the included vars.
+      - If omitted (V(null)) they will be made top level vars.
+    type: str
+  expressions:
+    description:
+      - This option controls how Jinja2 expressions in values in the loaded file are handled.
+      - If set to V(ignore), expressions will not be evaluated, but treated as regular strings.
+      - If set to V(evaluate-on-load), expressions will be evaluated on execution of this module, in other words, when the
+        file is loaded.
+      - If set to V(lazy-evaluation), expressions will be lazily evaluated. This requires ansible-core 2.19 or newer
+        and is the same behavior than M(ansible.builtin.include_vars). V(lazy-evaluation) has been added in community.sops 2.2.0.
+    type: str
+    default: ignore
+    choices:
+      - ignore
+      - evaluate-on-load
+      - lazy-evaluation
+extends_documentation_fragment:
+  - community.sops.sops
+  - community.sops.attributes
+  - community.sops.attributes.facts
+  - community.sops.attributes.flow
+attributes:
+  action:
+    support: full
+  async:
+    support: none
+    details:
+      - This action runs completely on the controller.
+  check_mode:
+    support: full
+  diff_mode:
+    support: N/A
+    details:
+      - This action does not modify state.
+  facts:
+    support: full
+  idempotent:
+    support: N/A
+    details:
+      - The action has no C(changed) state.
+seealso:
+  - module: ansible.builtin.set_fact
+  - module: ansible.builtin.include_vars
+  - ref: playbooks_delegation
+    description: More information related to task delegation.
+  - plugin: community.sops.sops
+    plugin_type: lookup
+    description: The sops lookup can be used decrypt SOPS-encrypted files.
+  - plugin: community.sops.decrypt
+    plugin_type: filter
+    description: The decrypt filter can be used to descrypt SOPS-encrypted in-memory data.
+  - plugin: community.sops.sops
+    plugin_type: vars
+    description: The sops vars plugin can be used to load SOPS-encrypted host or group variables.
+"""
+
+EXAMPLES = r"""
+---
+- name: Include variables of stuff.sops.yaml into the 'stuff' variable
+  community.sops.load_vars:
+    file: stuff.sops.yaml
+    name: stuff
+    expressions: evaluate-on-load # interpret Jinja2 expressions in stuf.sops.yaml on load-time!
+
+- name: Conditionally decide to load in variables into 'plans' when x is 0, otherwise do not
+  community.sops.load_vars:
+    file: contingency_plan.sops.yaml
+    name: plans
+    expressions: ignore # do not interpret possible Jinja2 expressions
+  when: x == 0
+
+- name: Load variables into the global namespace
+  community.sops.load_vars:
+    file: contingency_plan.sops.yaml
+"""
+
+RETURN = r"""
+ansible_facts:
+  description: Variables that were included and their values.
+  returned: success
+  type: dict
+  sample: {'variable': 'value'}
+ansible_included_var_files:
+  description: A list of files that were successfully included.
+  returned: success
+  type: list
+  elements: str
+  sample: [/path/to/file.sops.yaml]
+"""
diff --git a/ansible_collections/community/sops/plugins/modules/sops_encrypt.py b/ansible_collections/community/sops/plugins/modules/sops_encrypt.py
new file mode 100644
index 00000000..6d1a1a44
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/modules/sops_encrypt.py
@@ -0,0 +1,239 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+DOCUMENTATION = r"""
+author: Felix Fontein (@felixfontein)
+module: sops_encrypt
+short_description: Encrypt data with SOPS
+version_added: '0.1.0'
+description:
+  - Allows to encrypt binary data (Base64 encoded), text data, JSON or YAML data with SOPS.
+options:
+  path:
+    description:
+      - The SOPS encrypt file.
+    type: path
+    required: true
+  force:
+    description:
+      - Force rewriting the encrypted file.
+    type: bool
+    default: false
+  content_text:
+    description:
+      - The data to encrypt. Must be a Unicode text.
+      - Please note that the module might not be idempotent if the text can be parsed as JSON or YAML.
+      - Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml) must be specified.
+    type: str
+  content_binary:
+    description:
+      - The data to encrypt. Must be L(Base64 encoded,https://en.wikipedia.org/wiki/Base64) binary data.
+      - Please note that the module might not be idempotent if the data can be parsed as JSON or YAML.
+      - Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml) must be specified.
+    type: str
+  content_json:
+    description:
+      - The data to encrypt. Must be a JSON dictionary.
+      - Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml) must be specified.
+    type: dict
+  content_yaml:
+    description:
+      - The data to encrypt. Must be a YAML dictionary.
+      - Please note that Ansible only allows to pass data that can be represented as a JSON dictionary.
+      - Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml) must be specified.
+    type: dict
+extends_documentation_fragment:
+  - ansible.builtin.files
+  - community.sops.sops
+  - community.sops.sops.encrypt_specific
+  - community.sops.attributes
+  - community.sops.attributes.files
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+  safe_file_operations:
+    support: full
+  idempotent:
+    support: full
+seealso:
+  - plugin: community.sops.sops
+    plugin_type: lookup
+    description: The sops lookup can be used decrypt SOPS-encrypted files.
+"""
+
+EXAMPLES = r"""
+---
+- name: Encrypt a secret text
+  community.sops.sops_encrypt:
+    path: text-data.sops
+    content_text: This is a secret text.
+
+- name: Encrypt the contents of a file
+  community.sops.sops_encrypt:
+    path: binary-data.sops
+    content_binary: "{{ lookup('ansible.builtin.file', '/path/to/file', rstrip=false) | b64encode }}"
+
+- name: Encrypt some datastructure as YAML
+  community.sops.sops_encrypt:
+    path: stuff.sops.yaml
+    content_yaml: "{{ result }}"
+"""
+
+RETURN = r"""#"""
+
+
+import base64
+import json
+import os
+import traceback
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+from ansible.module_utils.common.text.converters import to_text
+
+from ansible_collections.community.sops.plugins.module_utils.io import write_file
+from ansible_collections.community.sops.plugins.module_utils.sops import Sops, SopsError, get_sops_argument_spec
+
+try:
+    import yaml
+    YAML_IMP_ERR = None
+    HAS_YAML = True
+except ImportError:
+    YAML_IMP_ERR = traceback.format_exc()
+    HAS_YAML = False
+    yaml = None
+
+
+def get_data_type(module):
+    if module.params['content_text'] is not None:
+        return 'binary'
+    if module.params['content_binary'] is not None:
+        return 'binary'
+    if module.params['content_json'] is not None:
+        return 'json'
+    if module.params['content_yaml'] is not None:
+        return 'yaml'
+    module.fail_json(msg='Internal error: unknown content type')
+
+
+def compare_encoded_content(module, binary_data, content):
+    if module.params['content_text'] is not None:
+        return content == module.params['content_text'].encode('utf-8')
+    if module.params['content_binary'] is not None:
+        return content == binary_data
+    if module.params['content_json'] is not None:
+        # Compare JSON
+        try:
+            return json.loads(content) == module.params['content_json']
+        except Exception:
+            # Treat parsing errors as content not equal
+            return False
+    if module.params['content_yaml'] is not None:
+        # Compare YAML
+        try:
+            return yaml.safe_load(content) == module.params['content_yaml']
+        except Exception:
+            # Treat parsing errors as content not equal
+            return False
+    module.fail_json(msg='Internal error: unknown content type')
+
+
+def get_encoded_type_content(module, binary_data):
+    if module.params['content_text'] is not None:
+        return 'binary', module.params['content_text'].encode('utf-8')
+    if module.params['content_binary'] is not None:
+        return 'binary', binary_data
+    if module.params['content_json'] is not None:
+        return 'json', json.dumps(module.params['content_json']).encode('utf-8')
+    if module.params['content_yaml'] is not None:
+        return 'yaml', yaml.safe_dump(module.params['content_yaml']).encode('utf-8')
+    module.fail_json(msg='Internal error: unknown content type')
+
+
+def main():
+    argument_spec = dict(
+        path=dict(type='path', required=True),
+        force=dict(type='bool', default=False),
+        content_text=dict(type='str', no_log=True),
+        content_binary=dict(type='str', no_log=True),
+        content_json=dict(type='dict', no_log=True),
+        content_yaml=dict(type='dict', no_log=True),
+    )
+    argument_spec.update(get_sops_argument_spec(add_encrypt_specific=True))
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        mutually_exclusive=[
+            ('content_text', 'content_binary', 'content_json', 'content_yaml'),
+        ],
+        required_one_of=[
+            ('content_text', 'content_binary', 'content_json', 'content_yaml'),
+        ],
+        supports_check_mode=True,
+        add_file_common_args=True,
+    )
+
+    # Check YAML
+    if module.params['content_yaml'] is not None and not HAS_YAML:
+        module.fail_json(msg=missing_required_lib('pyyaml'), exception=YAML_IMP_ERR)
+
+    # Decode binary data
+    binary_data = None
+    if module.params['content_binary'] is not None:
+        try:
+            binary_data = base64.b64decode(module.params['content_binary'])
+        except Exception as e:
+            module.fail_json(msg='Cannot decode Base64 encoded data: {0}'.format(e))
+
+    path = module.params['path']
+    directory = os.path.dirname(path) or None
+    changed = False
+
+    def get_option_value(argument_name):
+        return module.params.get(argument_name)
+
+    try:
+        if module.params['force'] or not os.path.exists(path):
+            # Simply encrypt
+            changed = True
+        else:
+            # Change detection: check if encrypted data equals new data
+            decrypted_content = Sops.decrypt(
+                path, decode_output=False, output_type=get_data_type(module), rstrip=False,
+                get_option_value=get_option_value, module=module,
+            )
+            if not compare_encoded_content(module, binary_data, decrypted_content):
+                changed = True
+
+        if changed and not module.check_mode:
+            input_type, input_data = get_encoded_type_content(module, binary_data)
+            output_type = None
+            if path.endswith('.json'):
+                output_type = 'json'
+            elif path.endswith(('.yml', '.yaml')):
+                output_type = 'yaml'
+            data = Sops.encrypt(
+                data=input_data, cwd=directory, input_type=input_type, output_type=output_type,
+                filename=os.path.relpath(path, directory) if directory is not None else path,
+                get_option_value=get_option_value, module=module,
+            )
+            write_file(module, data)
+    except SopsError as e:
+        module.fail_json(msg=to_text(e))
+
+    file_args = module.load_file_common_arguments(module.params)
+    changed = module.set_fs_attributes_if_different(file_args, changed)
+
+    module.exit_json(changed=changed)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/community/sops/plugins/plugin_utils/action_module.py b/ansible_collections/community/sops/plugins/plugin_utils/action_module.py
new file mode 100644
index 00000000..025a4d5e
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/plugin_utils/action_module.py
@@ -0,0 +1,239 @@
+# Copyright (c) 2012-2013 Michael DeHaan <michael.dehaan@gmail.com>
+# Copyright (c) 2016 Toshio Kuratomi <tkuratomi@ansible.com>
+# Copyright (c) 2019 Ansible Project
+# Copyright (c) 2020 Felix Fontein <felix@fontein.de>
+# Copyright (c) 2021 Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Parts taken from ansible.module_utils.basic and ansible.module_utils.common.warnings.
+
+# NOTE: THIS IS ONLY FOR ACTION PLUGINS!
+
+from __future__ import annotations
+
+
+import abc
+import copy
+import traceback
+
+from ansible.errors import AnsibleError
+from ansible.module_utils.basic import SEQUENCETYPE, remove_values
+from collections.abc import Mapping
+from ansible.plugins.action import ActionBase
+
+from ansible.module_utils.common.arg_spec import ArgumentSpecValidator
+from ansible.module_utils.errors import UnsupportedError
+
+try:
+    from ansible.module_utils.common.validation import (
+        safe_eval,
+    )
+except ImportError:
+    safe_eval = None
+
+
+class _ModuleExitException(Exception):
+    def __init__(self, result):
+        super().__init__()
+        self.result = result
+
+
+class AnsibleActionModule:
+    def __init__(self, action_plugin, argument_spec, bypass_checks=False,
+                 mutually_exclusive=None, required_together=None,
+                 required_one_of=None, supports_check_mode=False,
+                 required_if=None, required_by=None):
+        # Internal data
+        self.__action_plugin = action_plugin
+        self.__warnings = []
+        self.__deprecations = []
+
+        # AnsibleModule data
+        self._name = self.__action_plugin._task.action
+        self.argument_spec = argument_spec
+        self.supports_check_mode = supports_check_mode
+        self.check_mode = self.__action_plugin._play_context.check_mode
+        self.bypass_checks = bypass_checks
+        self.no_log = self.__action_plugin._play_context.no_log
+
+        self.mutually_exclusive = mutually_exclusive
+        self.required_together = required_together
+        self.required_one_of = required_one_of
+        self.required_if = required_if
+        self.required_by = required_by
+        self._diff = self.__action_plugin._play_context.diff
+        self._verbosity = self.__action_plugin._display.verbosity
+
+        self.aliases = {}
+        self._legal_inputs = []
+        self._options_context = list()
+
+        self.params = copy.deepcopy(self.__action_plugin._task.args)
+        self.no_log_values = set()
+        self._validator = ArgumentSpecValidator(
+            self.argument_spec,
+            self.mutually_exclusive,
+            self.required_together,
+            self.required_one_of,
+            self.required_if,
+            self.required_by,
+        )
+        self._validation_result = self._validator.validate(self.params)
+        self.params.update(self._validation_result.validated_parameters)
+        self.no_log_values.update(self._validation_result._no_log_values)
+
+        try:
+            error = self._validation_result.errors[0]
+        except IndexError:
+            error = None
+
+        # We cannot use ModuleArgumentSpecValidator directly since it uses mechanisms for reporting
+        # warnings and deprecations that do not work in plugins. This is a copy of that code adjusted
+        # for our use-case:
+        for d in self._validation_result._deprecations:
+            # Before ansible-core 2.14.2, deprecations were always for aliases:
+            if 'name' in d:
+                self.deprecate(
+                    "Alias '{name}' is deprecated. See the module docs for more information".format(name=d['name']),
+                    version=d.get('version'), date=d.get('date'), collection_name=d.get('collection_name'))
+            # Since ansible-core 2.14.2, a message is present that can be directly printed:
+            if 'msg' in d:
+                self.deprecate(d['msg'], version=d.get('version'), date=d.get('date'), collection_name=d.get('collection_name'))
+
+        for w in self._validation_result._warnings:
+            self.warn('Both option {option} and its alias {alias} are set.'.format(option=w['option'], alias=w['alias']))
+
+        # Fail for validation errors, even in check mode
+        if error:
+            msg = self._validation_result.errors.msg
+            if isinstance(error, UnsupportedError):
+                msg = "Unsupported parameters for ({name}) {kind}: {msg}".format(name=self._name, kind='module', msg=msg)
+
+            self.fail_json(msg=msg)
+
+    def safe_eval(self, value, locals=None, include_exceptions=False):
+        if safe_eval is None:
+            raise ValueError("safe_eval is not available since ansible-core 2.21")
+        return safe_eval(value, locals, include_exceptions)
+
+    def warn(self, warning):
+        # Copied from ansible.module_utils.common.warnings:
+        if isinstance(warning, str):
+            self.__warnings.append(warning)
+        else:
+            raise TypeError("warn requires a string not a %s" % type(warning))
+
+    def deprecate(self, msg, version=None, date=None, collection_name=None):
+        if version is not None and date is not None:
+            raise AssertionError("implementation error -- version and date must not both be set")
+
+        # Copied from ansible.module_utils.common.warnings:
+        if isinstance(msg, str):
+            # For compatibility, we accept that neither version nor date is set,
+            # and treat that the same as if version would haven been set
+            if date is not None:
+                self.__deprecations.append({'msg': msg, 'date': date, 'collection_name': collection_name})
+            else:
+                self.__deprecations.append({'msg': msg, 'version': version, 'collection_name': collection_name})
+        else:
+            raise TypeError("deprecate requires a string not a %s" % type(msg))
+
+    def _return_formatted(self, kwargs):
+        if 'invocation' not in kwargs:
+            kwargs['invocation'] = {'module_args': self.params}
+
+        if 'warnings' in kwargs:
+            if isinstance(kwargs['warnings'], list):
+                for w in kwargs['warnings']:
+                    self.warn(w)
+            else:
+                self.warn(kwargs['warnings'])
+
+        if self.__warnings:
+            kwargs['warnings'] = self.__warnings
+
+        if 'deprecations' in kwargs:
+            if isinstance(kwargs['deprecations'], list):
+                for d in kwargs['deprecations']:
+                    if isinstance(d, SEQUENCETYPE) and len(d) == 2:
+                        self.deprecate(d[0], version=d[1])
+                    elif isinstance(d, Mapping):
+                        self.deprecate(d['msg'], version=d.get('version'), date=d.get('date'),
+                                       collection_name=d.get('collection_name'))
+                    else:
+                        self.deprecate(d)  # pylint: disable=ansible-deprecated-no-version
+            else:
+                self.deprecate(kwargs['deprecations'])  # pylint: disable=ansible-deprecated-no-version
+
+        if self.__deprecations:
+            kwargs['deprecations'] = self.__deprecations
+
+        kwargs = remove_values(kwargs, self.no_log_values)
+        raise _ModuleExitException(kwargs)
+
+    def exit_json(self, **kwargs):
+        result = dict(kwargs)
+        if 'failed' not in result:
+            result['failed'] = False
+        self._return_formatted(result)
+
+    def fail_json(self, msg, **kwargs):
+        result = dict(kwargs)
+        result['failed'] = True
+        result['msg'] = msg
+        self._return_formatted(result)
+
+
+class ActionModuleBase(ActionBase, metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def setup_module(self):
+        """Return pair (ArgumentSpec, kwargs)."""
+        pass
+
+    @abc.abstractmethod
+    def run_module(self, module):
+        """Run module code"""
+        module.fail_json(msg='Not implemented.')
+
+    def run(self, tmp=None, task_vars=None):
+        if task_vars is None:
+            task_vars = dict()
+
+        result = super().run(tmp, task_vars)
+        del tmp  # tmp no longer has any effect
+
+        try:
+            argument_spec, kwargs = self.setup_module()
+            module = argument_spec.create_ansible_module_helper(AnsibleActionModule, (self, ), **kwargs)
+            self.run_module(module)
+            raise AnsibleError('Internal error: action module did not call module.exit_json()')
+        except _ModuleExitException as mee:
+            result.update(mee.result)
+            return result
+        except Exception as dummy:
+            result['failed'] = True
+            result['msg'] = 'MODULE FAILURE'
+            result['exception'] = traceback.format_exc()
+            return result
+
+
+class ArgumentSpec:
+    def __init__(self, argument_spec, mutually_exclusive=None, required_together=None, required_one_of=None, required_if=None, required_by=None):
+        self.argument_spec = argument_spec
+        self.mutually_exclusive = mutually_exclusive or []
+        self.required_together = required_together or []
+        self.required_one_of = required_one_of or []
+        self.required_if = required_if or []
+        self.required_by = required_by or {}
+
+    def create_ansible_module_helper(self, clazz, args, **kwargs):
+        return clazz(
+            *args,
+            argument_spec=self.argument_spec,
+            mutually_exclusive=self.mutually_exclusive,
+            required_together=self.required_together,
+            required_one_of=self.required_one_of,
+            required_if=self.required_if,
+            required_by=self.required_by,
+            **kwargs)
diff --git a/ansible_collections/community/sops/plugins/vars/sops.py b/ansible_collections/community/sops/plugins/vars/sops.py
new file mode 100644
index 00000000..02b98751
--- /dev/null
+++ b/ansible_collections/community/sops/plugins/vars/sops.py
@@ -0,0 +1,246 @@
+# Copyright (c) 2018 Edoardo Tenani <e.tenani@arduino.cc> (@endorama)
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: sops
+author: Edoardo Tenani (@endorama) <e.tenani@arduino.cc>
+short_description: Loading SOPS-encrypted vars files
+version_added: '0.1.0'
+description:
+  - Load encrypted YAML files into corresponding groups/hosts in C(group_vars/) and C(host_vars/) directories.
+  - Files are encrypted prior to reading, making this plugin an effective companion to P(ansible.builtin.host_group_vars#vars)
+    plugin.
+  - Files are restricted to V(.sops.yaml), V(.sops.yml), V(.sops.json) extensions, unless configured otherwise with O(valid_extensions).
+  - Hidden files are ignored.
+options:
+  valid_extensions:
+    default: [".sops.yml", ".sops.yaml", ".sops.json"]
+    description:
+      - Check all of these extensions when looking for 'variable' files.
+      - These files must be SOPS encrypted YAML or JSON files.
+      - By default the plugin will produce errors when encountering files matching these extensions that are not SOPS encrypted.
+        This behavior can be controlled with the O(handle_unencrypted_files) option.
+    type: list
+    elements: string
+    ini:
+      - key: valid_extensions
+        section: community.sops
+        version_added: 1.7.0
+    env:
+      - name: ANSIBLE_VARS_SOPS_PLUGIN_VALID_EXTENSIONS
+        version_added: 1.7.0
+  stage:
+    version_added: 0.2.0
+    ini:
+      - key: vars_stage
+        section: community.sops
+    env:
+      - name: ANSIBLE_VARS_SOPS_PLUGIN_STAGE
+  cache:
+    description:
+      - Whether to cache decrypted files or not.
+      - If the cache is disabled, the files will be decrypted for almost every task. This is very slow!
+      - Only disable caching if you modify the variable files during a playbook run and want the updated result to be available
+        from the next task on.
+      - 'Note that setting O(stage=inventory) has the same effect as setting O(cache=true): the variables will be loaded only
+        once (during inventory loading) and the vars plugin will not be called for every task.'
+    type: bool
+    default: true
+    version_added: 0.2.0
+    ini:
+      - key: vars_cache
+        section: community.sops
+    env:
+      - name: ANSIBLE_VARS_SOPS_PLUGIN_CACHE
+  disable_vars_plugin_temporarily:
+    description:
+      - Temporarily disable this plugin.
+      - Useful if ansible-inventory is supposed to be run without decrypting secrets (in AWX for instance).
+    type: bool
+    default: false
+    version_added: 1.3.0
+    env:
+      - name: SOPS_ANSIBLE_AWX_DISABLE_VARS_PLUGIN_TEMPORARILY
+  handle_unencrypted_files:
+    description:
+      - How to handle files that match the extensions in O(valid_extensions) that are not SOPS encrypted.
+      - The default value V(error) will produce an error.
+      - The value V(skip) will simply skip these files. This requires SOPS 3.9.0 or later.
+      - The value V(warn) will skip these files and emit a warning. This requires SOPS 3.9.0 or later.
+      - B(Note) that this will not help if the store SOPS uses cannot parse the file, for example because it is no valid JSON/YAML/...
+        file despite its file extension. For extensions other than the default ones SOPS uses the binary store, which tries
+        to parse the file as JSON.
+    type: string
+    choices:
+      - skip
+      - warn
+      - error
+    default: error
+    version_added: 1.8.0
+    ini:
+      - key: handle_unencrypted_files
+        section: community.sops
+    env:
+      - name: ANSIBLE_VARS_SOPS_PLUGIN_HANDLE_UNENCRYPTED_FILES
+extends_documentation_fragment:
+  - ansible.builtin.vars_plugin_staging
+  - community.sops.sops
+  - community.sops.sops.ansible_env
+  - community.sops.sops.ansible_ini
+seealso:
+  - plugin: community.sops.sops
+    plugin_type: lookup
+    description: The sops lookup can be used decrypt SOPS-encrypted files.
+  - plugin: community.sops.decrypt
+    plugin_type: filter
+    description: The decrypt filter can be used to decrypt SOPS-encrypted in-memory data.
+  - module: community.sops.load_vars
+"""
+
+import os
+from collections.abc import Sequence, Mapping
+
+from ansible.errors import AnsibleParserError
+from ansible.inventory.host import Host
+from ansible.inventory.group import Group
+from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
+from ansible.plugins.vars import BaseVarsPlugin
+from ansible.utils.display import Display
+from ansible.utils.vars import combine_vars
+from ansible_collections.community.sops.plugins.module_utils.sops import Sops, SopsError
+
+try:
+    from ansible.template import trust_as_template as _trust_as_template
+    HAS_DATATAGGING = True
+except ImportError:
+    HAS_DATATAGGING = False
+
+
+display = Display()
+
+FOUND = {}
+DECRYPTED = {}
+
+
+def _make_safe(value):
+    if isinstance(value, str):
+        # must come *before* Sequence, as strings are also instances of Sequence
+        if HAS_DATATAGGING and isinstance(value, str):
+            return _trust_as_template(value)
+        return value
+    if isinstance(value, Sequence):
+        return [_make_safe(v) for v in value]
+    if isinstance(value, Mapping):
+        return dict((k, _make_safe(v)) for k, v in value.items())
+    return value
+
+
+class VarsModule(BaseVarsPlugin):
+
+    def get_vars(self, loader, path, entities, cache=None):
+        ''' parses the inventory file '''
+
+        if not isinstance(entities, list):
+            entities = [entities]
+
+        super().get_vars(loader, path, entities)
+
+        def get_option_value(argument_name):
+            return self.get_option(argument_name)
+
+        if cache is None:
+            cache = self.get_option('cache')
+
+        if self.get_option('disable_vars_plugin_temporarily'):
+            return {}
+
+        valid_extensions = self.get_option('valid_extensions')
+        handle_unencrypted_files = self.get_option('handle_unencrypted_files')
+
+        data = {}
+        for entity in entities:
+            if isinstance(entity, Host):
+                subdir = 'host_vars'
+            elif isinstance(entity, Group):
+                subdir = 'group_vars'
+            else:
+                raise AnsibleParserError("Supplied entity must be Host or Group, got %s instead" % (type(entity)))
+
+            # avoid 'chroot' type inventory hostnames /path/to/chroot
+            if not entity.name.startswith(os.path.sep):
+                try:
+                    found_files = []
+                    # load vars
+                    b_opath = os.path.realpath(to_bytes(os.path.join(self._basedir, subdir)))
+                    opath = to_text(b_opath)
+                    key = '%s.%s' % (entity.name, opath)
+                    self._display.vvvv("key: %s" % (key))
+                    if cache and key in FOUND:
+                        found_files = FOUND[key]
+                    else:
+                        # no need to do much if path does not exist for basedir
+                        if os.path.exists(b_opath):
+                            if os.path.isdir(b_opath):
+                                self._display.debug("\tprocessing dir %s" % opath)
+                                # NOTE: iterating without extension allow retrieving files recursively
+                                # A filter is then applied by iterating on all results and filtering by
+                                # extension.
+                                # See:
+                                # - https://github.com/ansible-collections/community.sops/pull/6
+                                found_files = loader.find_vars_files(opath, entity.name, extensions=valid_extensions, allow_dir=False)
+                                found_files.extend([file_path for file_path in loader.find_vars_files(opath, entity.name)
+                                                    if any(to_text(file_path).endswith(extension) for extension in valid_extensions)])
+                                FOUND[key] = found_files
+                            else:
+                                self._display.warning("Found %s that is not a directory, skipping: %s" % (subdir, opath))
+
+                    for found in found_files:
+                        if cache and found in DECRYPTED:
+                            file_content = DECRYPTED[found]
+                        else:
+                            sops_runner = Sops.get_sops_runner_from_options(get_option_value, display=display)
+                            if handle_unencrypted_files != 'error' and not sops_runner.has_filestatus():
+                                raise AnsibleParserError(
+                                    'Cannot use handle_unencrypted_files=%s with SOPS %s' % (handle_unencrypted_files, sops_runner.version_string)
+                                )
+                            try:
+                                file_content = sops_runner.decrypt(found, get_option_value=get_option_value)
+                            except SopsError as exc:
+                                skip = False
+                                if sops_runner.has_filestatus():
+                                    # Check whether sops thinks the file might be encrypted. If it thinks it is not,
+                                    # skip it. Otherwise, re-raise the original error
+                                    try:
+                                        file_status = sops_runner.get_filestatus(found)
+                                        if not file_status.encrypted:
+                                            if handle_unencrypted_files == 'skip':
+                                                self._display.vvvv("SOPS vars plugin: skipping unencrypted file %s" % found)
+                                                skip = True
+                                            elif handle_unencrypted_files == 'warn':
+                                                self._display.warning("SOPS vars plugin: skipping unencrypted file %s" % found)
+                                                skip = True
+                                            elif handle_unencrypted_files == 'error':
+                                                raise AnsibleParserError("SOPS vars plugin: file %s is not encrypted" % found)
+                                    except SopsError as status_exc:
+                                        # The filestatus operation can fail for example if sops cannot parse the file
+                                        # as JSON/YAML. In that case, also re-raise the original error
+                                        self._display.warning("SOPS vars plugin: cannot obtain file status of %s: %s" % (found, status_exc))
+                                if skip:
+                                    continue
+                                raise
+                            DECRYPTED[found] = file_content
+                        new_data = _make_safe(loader.load(file_content))
+                        if new_data:  # ignore empty files
+                            data = combine_vars(data, new_data)
+
+                except AnsibleParserError:
+                    raise
+                except SopsError as e:
+                    raise AnsibleParserError(to_native(e))
+                except Exception as e:
+                    raise AnsibleParserError('Unexpected error in the SOPS vars plugin: %s' % to_native(e))
+
+        return data
diff --git a/ansible_collections/community/sops/roles/_install_age/README.md b/ansible_collections/community/sops/roles/_install_age/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/_install_age/defaults/main.yml b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
new file mode 100644
index 00000000..83e6bea5
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_install_on_localhost: false
+sops_become_on_install: true
diff --git a/ansible_collections/community/sops/roles/_install_age/meta/main.yml b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
new file mode 100644
index 00000000..28b22dce
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+  standalone: false
+  description: >
+    [INTERNAL] Install age (https://age-encryption.org/).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/_install_age/tasks/main.yml b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
new file mode 100644
index 00000000..91aa3896
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+  when: sops_install_on_localhost
+  ansible.builtin.setup:
+    gather_subset:
+      - '!all'
+      - '!min'
+      - architecture
+      - distribution
+      - distribution_major_version
+      - distribution_version
+      - os_family
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: true
+
+- vars:
+    _community_sops_install_age_facts: >-
+      {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+  block:
+    - name: Show system information
+      ansible.builtin.debug:
+        msg: |-
+          Architecture: {{ _community_sops_install_age_facts.architecture }}
+          Distribution: {{ _community_sops_install_age_facts.distribution }} {{ _community_sops_install_age_facts.distribution_major_version }}
+          Distribution version: {{ _community_sops_install_age_facts.distribution_version }}
+          OS family: {{ _community_sops_install_age_facts.os_family }}
+
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+      vars:
+        params:
+          files:
+            - >-
+              D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_version }}.yml
+            - >-
+              D-{{ _community_sops_install_age_facts.distribution }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+            - >-
+              D-{{ _community_sops_install_age_facts.distribution }}.yml
+            - >-
+              OS-{{ _community_sops_install_age_facts.os_family }}-{{ _community_sops_install_age_facts.distribution_major_version }}.yml
+            - >-
+              OS-{{ _community_sops_install_age_facts.os_family }}.yml
+            - default.yml
+          paths:
+            - '{{ role_path }}/vars'
+
+    - name: Install system packages
+      ansible.builtin.package:
+        name: '{{ _community_sops_install_age_system_packages }}'
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_age_system_packages | length > 0
+
+    - name: Set results
+      ansible.builtin.set_fact:
+        age_installed: "{{ _community_sops_install_age_has_age }}"
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Alpine.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+  - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Archlinux.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+  - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
new file mode 120000
index 00000000..0abaec16
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Debian-10.yml
@@ -0,0 +1 @@
+default.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Fedora.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+  - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
new file mode 120000
index 00000000..0abaec16
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-16.yml
@@ -0,0 +1 @@
+default.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
new file mode 120000
index 00000000..0abaec16
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-18.yml
@@ -0,0 +1 @@
+default.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
new file mode 120000
index 00000000..0abaec16
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/D-Ubuntu-20.yml
@@ -0,0 +1 @@
+default.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
new file mode 100644
index 00000000..002c8136
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/OS-Debian.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages:
+  - age
+
+_community_sops_install_age_has_age: true
diff --git a/ansible_collections/community/sops/roles/_install_age/vars/default.yml b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
new file mode 100644
index 00000000..5ee19d4c
--- /dev/null
+++ b/ansible_collections/community/sops/roles/_install_age/vars/default.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_age_system_packages: []
+
+_community_sops_install_age_has_age: false
diff --git a/ansible_collections/community/sops/roles/install/README.md b/ansible_collections/community/sops/roles/install/README.md
new file mode 100644
index 00000000..a8541545
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/README.md
@@ -0,0 +1,7 @@
+<!--
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: 2022, Felix Fontein
+-->
+
+See [the documentation](https://docs.ansible.com/ansible/devel/collections/community/sops/).
diff --git a/ansible_collections/community/sops/roles/install/defaults/main.yml b/ansible_collections/community/sops/roles/install/defaults/main.yml
new file mode 100644
index 00000000..7e793f13
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+sops_version: latest
+sops_source: auto
+sops_install_on_localhost: false
+sops_become_on_install: true
+sops_github_latest_detection: auto
diff --git a/ansible_collections/community/sops/roles/install/meta/argument_specs.yml b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
new file mode 100644
index 00000000..e5d332cd
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/argument_specs.yml
@@ -0,0 +1,103 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+argument_specs:
+  main:
+    short_description: Install SOPS
+    version_added: 1.5.0
+    description:
+      - This role installs L(SOPS,https://github.com/getsops/sops) and GNU Privacy Guard (GPG).
+      - >-
+        This role supports the following operating systems:
+        Alpine (new enough),
+        Arch Linux,
+        CentOS 7, Stream 8, or newer,
+        Debian 10 (Buster) or newer,
+        Fedora (new enough),
+        RHEL 7 or newer,
+        Ubuntu 16.04 or newer LTS versions
+      - The Ansible facts C(ansible_facts.architecture), C(ansible_facts.distribution), C(ansible_facts.distribution_major_version),
+        C(ansible_facts.distribution_version), and C(ansible_facts.os_family) are expected to be present if O(sops_install_on_localhost) is V(false).
+    author:
+      - Felix Fontein (@felixfontein)
+    options:
+      sops_version:
+        default: latest
+        description:
+          - The version of SOPS to install.
+          - Should be a version like V(3.7.2). The special value V(latest) will select the latest version available form the given source.
+        type: str
+      sops_source:
+        default: auto
+        description:
+          - Determines the source from where SOPS is installed.
+          - The value V(github) will install SOPS from the SOPS releases on GitHub (U(https://github.com/getsops/sops/releases/)).
+          - The value V(system) will install SOPS from the system packages. Note that not all system package repositories support SOPS.
+          - The value V(auto) will determine the best source to install SOPS from. Here, system package repositories are preferred over GitHub.
+        type: str
+        choices:
+          - auto
+          - github
+          - system
+      sops_install_on_localhost:
+        default: false
+        description:
+          - Installs SOPS on the Ansible controller (C(localhost)) instead of the remote host.
+        type: bool
+      sops_become_on_install:
+        default: true
+        description:
+          - 'Whether the role should use C(become: true) when installing packages.'
+        type: bool
+      sops_github_latest_detection:
+        description:
+          - When installing the latest SOPS version from GitHub, configures how the latest release is detected.
+          - V(auto) tries V(api) first and then uses V(latest-release).
+          - V(api) asks the GitHub API for a list of recent releases and picks the highest version. Pre-releases are avoided.
+          - V(latest-release) uses a not fully documented URL to retrieve the release marked as "latest" by the repository maintainers.
+        type: str
+        choices:
+          - auto
+          - api
+          - latest-release
+        version_added: 1.6.0
+      sops_github_token:
+        description:
+          - Token to provide when querying the GitHub API for the latest release. Without the token
+            there are rather strict rate limits.
+          - Should mainly be used in GitHub Actions.
+        type: str
+        version_added: 1.6.0
+    attributes:
+      check_mode:
+        description: Can run in C(check_mode) and return changed status prediction without modifying target.
+        support: none
+        details:
+          - The role currently does not work in check mode.
+          # TODO: add 'check_mode: false' to tasks that prepare something
+      diff_mode:
+        description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
+        support: partial
+        details:
+          - The role supports diff mode if the M(ansible.builtin.package) action for the system supports it.
+      idempotent:
+        description:
+          - When run twice in a row outside check mode, with the same arguments, the second invocation indicates no change.
+          - This assumes that the system controlled/queried by the module has not changed in a relevant way.
+        support: partial
+        details:
+          - The role is idempotent if the M(ansible.builtin.package) action for the system is idempotent.
+          - This is usually the case, but if packages need to be installed from GitHub (that is, through an URL), idempotence might not hold.
+      platform:
+        description: Target OS/families that can be operated against.
+        support: full
+        platforms:
+          - Alpine (new enough)
+          - Arch Linux
+          - CentOS 7, Stream 8, or newer
+          - Debian 10 (Buster) or newer
+          - Fedora (new enough)
+          - RHEL 7 or newer
+          - Ubuntu 16.04 or newer LTS versions
diff --git a/ansible_collections/community/sops/roles/install/meta/main.yml b/ansible_collections/community/sops/roles/install/meta/main.yml
new file mode 100644
index 00000000..79f041be
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/meta/main.yml
@@ -0,0 +1,11 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+galaxy_info:
+  standalone: false
+  description: >
+    Install SOPS (https://github.com/getsops/sops).
+
+dependencies: []
diff --git a/ansible_collections/community/sops/roles/install/tasks/detect_source.yml b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
new file mode 100644
index 00000000..9e109bfd
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/detect_source.yml
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Check whether system packages are a valid source of SOPS {{ sops_version }}
+  when:
+    - _community_sops_install_system_has_system
+    - not (sops_version != 'latest' and _community_sops_install_system_has_system_latest_only)
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_source: system
+
+- name: Check whether GitHub is a valid source of SOPS
+  when:
+    - _community_sops_install_system_has_github
+    - _community_sops_install_effective_sops_source == 'auto'
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_source: github
+
+- name: Ensure that something was detected
+  ansible.builtin.fail:
+    msg: >-
+      Was not able to determine installation source for SOPS {{ sops_version }}
+      for {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+      Please open an issue in https://github.com/ansible-collections/community.sops/issues if you think this should work.
+  when: _community_sops_install_effective_sops_source == 'auto'
diff --git a/ansible_collections/community/sops/roles/install/tasks/github.yml b/ansible_collections/community/sops/roles/install/tasks/github.yml
new file mode 100644
index 00000000..1c5b6204
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github.yml
@@ -0,0 +1,50 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that SOPS can be installed from GitHub
+  ansible.builtin.fail:
+    msg: >-
+      SOPS cannot be installed from GitHub for
+      {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+  when: not _community_sops_install_system_has_github
+
+- name: Start determining SOPS version
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: '{{ "" if sops_version == "latest" else sops_version }}'
+
+# This method uses the GitHub API, which is rate-limited.
+- name: Determine latest version (fallback)
+  when:
+    - _community_sops_install_effective_sops_version == ''
+    - sops_github_latest_detection in ['auto', 'api']
+  ansible.builtin.include_tasks: github_api.yml
+
+# This method asks GitHub for the latest release, which depends on the release to be
+# correctly marked as "latest" in the GitHub UI. Fortunately this is not as aggressively
+# rate-limited as the API (used in the fallback).
+- name: Determine latest version
+  when:
+    - _community_sops_install_effective_sops_version == ''
+    - sops_github_latest_detection in ['auto', 'latest-release']
+  ansible.builtin.include_tasks: github_latest_release.yml
+
+- name: Fail when latest version could not be selected
+  ansible.builtin.fail:
+    msg: Could not determine the latest GitHub release
+  when: _community_sops_install_effective_sops_version == ''
+
+- name: Show selected version
+  ansible.builtin.debug:
+    msg: The latest SOPS version is SOPS {{ _community_sops_install_effective_sops_version }}.
+  when: sops_version == 'latest'
+
+- name: Set variables
+  ansible.builtin.set_fact:
+    _community_sops_install_system_packages_actual: >-
+      {{ _community_sops_install_system_packages + _community_sops_install_system_packages_github }}
+    _community_sops_install_system_packages_unsigned_actual: >-
+      {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_github }}
+    _community_sops_install_system_package_deb_actual: >-
+      {{ _community_sops_install_system_package_deb_github }}
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_api.yml b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
new file mode 100644
index 00000000..43dc526b
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_api.yml
@@ -0,0 +1,38 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch list of releases from GitHub
+  ansible.builtin.uri:
+    headers:
+      Accept: application/vnd.github+json
+      Authorization: "{{ ('Bearer ' ~ sops_github_token) if sops_github_token is defined and sops_github_token else '' }}"
+    status_code:
+      - 200
+      - 403  # "HTTP Error 403: rate limit exceeded"
+    url: https://api.github.com/repos/getsops/sops/releases
+  register: _community_sops_install_github_releases
+  delegate_to: localhost
+  run_once: true
+
+- name: In case rate limit was exceeded, inform user
+  ansible.builtin.debug:
+    msg: >-
+      Rate limit exceeded! Make sure to provide a GitHub token
+      as `sops_github_token` to reduce the chance of this error.
+  when: _community_sops_install_github_releases.status == 403
+
+- name: Determine the latest release
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: >-
+      {{
+        (
+          _community_sops_install_github_releases.json
+          | rejectattr("prerelease")
+          | rejectattr("draft")
+          | map(attribute="tag_name")
+          | map("ansible.builtin.regex_replace", "^v", "")
+          | community.sops._latest_version
+        ) if _community_sops_install_github_releases.status == 200 else ''
+      }}
diff --git a/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
new file mode 100644
index 00000000..b49b1722
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/github_latest_release.yml
@@ -0,0 +1,34 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Fetch the latest release from GitHub
+  ansible.builtin.uri:
+    follow_redirects: "none"
+    status_code:
+      - 302
+      - 307
+    url: https://github.com/getsops/sops/releases/latest/
+  register: _community_sops_install_github_latest_release
+  delegate_to: localhost
+  run_once: true
+
+- name: Determine the latest release
+  ansible.builtin.set_fact:
+    _community_sops_install_effective_sops_version: >-
+      {{
+        _community_sops_install_github_latest_release.location
+        | default("", true)
+        | ansible.builtin.regex_search("(?<=/releases/tag/)([0-9a-z._-]+)")
+        | default("", true)
+        | ansible.builtin.regex_replace("^v", "")
+      }}
+
+- name: In case this failed, inform user
+  ansible.builtin.debug:
+    msg: >-
+      Could not obtain latest version from https://github.com/getsops/sops/releases/latest/.
+      Please create an issue in https://github.com/ansible-collections/community.sops/issues/
+      if there is not already one.
+  when: _community_sops_install_effective_sops_version == ''
diff --git a/ansible_collections/community/sops/roles/install/tasks/main.yml b/ansible_collections/community/sops/roles/install/tasks/main.yml
new file mode 100644
index 00000000..4ae5adfe
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/main.yml
@@ -0,0 +1,102 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Gather required information on localhost
+  when: sops_install_on_localhost
+  ansible.builtin.setup:
+    gather_subset:
+      - '!all'
+      - '!min'
+      - architecture
+      - distribution
+      - distribution_major_version
+      - distribution_version
+      - os_family
+      - pkg_mgr
+  delegate_to: localhost
+  delegate_facts: true
+  run_once: true
+
+- vars:
+    _community_sops_install_facts: >-
+      {{ hostvars['localhost' if sops_install_on_localhost else inventory_hostname].ansible_facts }}
+  block:
+    - name: Show system information
+      ansible.builtin.debug:
+        msg: |-
+          Architecture: {{ _community_sops_install_facts.architecture }}
+          Distribution: {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_major_version }}
+          Distribution version: {{ _community_sops_install_facts.distribution_version }}
+          OS family: {{ _community_sops_install_facts.os_family }}
+          System package manager: {{ _community_sops_install_facts.pkg_mgr }}
+
+    - name: Include distribution specific variables
+      ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+      vars:
+        params:
+          files:
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_version }}.yml
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+            - >-
+              D-{{ _community_sops_install_facts.distribution }}.yml
+            - >-
+              OS-{{ _community_sops_install_facts.os_family }}-{{ _community_sops_install_facts.distribution_major_version }}.yml
+            - >-
+              OS-{{ _community_sops_install_facts.os_family }}.yml
+            - default.yml
+          paths:
+            - '{{ role_path }}/vars'
+
+    - name: Start determining source
+      ansible.builtin.set_fact:
+        _community_sops_install_effective_sops_source: '{{ sops_source }}'
+
+    - name: Auto-detect source to install SOPS from
+      ansible.builtin.include_tasks: detect_source.yml
+      when: _community_sops_install_effective_sops_source == 'auto'
+
+    - name: Install SOPS from GitHub
+      ansible.builtin.include_tasks: github.yml
+      when: _community_sops_install_effective_sops_source == 'github'
+
+    - name: Install SOPS from system package repositories
+      ansible.builtin.include_tasks: system.yml
+      when: _community_sops_install_effective_sops_source == 'system'
+
+    - name: Install system packages
+      ansible.builtin.package:
+        name: '{{ _community_sops_install_system_packages_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_packages_actual | length > 0
+
+    - name: Install unsigned system packages
+      ansible.builtin.package:
+        name: '{{ _community_sops_install_system_packages_unsigned_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+        disable_gpg_check: true
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_packages_unsigned_actual | length > 0
+
+    - name: Install packages from URL/path (Debian)
+      ansible.builtin.apt:
+        deb: '{{ _community_sops_install_system_package_deb_actual }}'
+        allow_downgrade: '{{ true if _community_sops_install_allow_downgrade and sops_version != "latest" else omit }}'
+      become: '{{ sops_become_on_install }}'
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      run_once: '{{ sops_install_on_localhost }}'
+      when: _community_sops_install_system_package_deb_actual is string
+
+    - name: Set results
+      ansible.builtin.set_fact:
+        sops_installed: true
+      delegate_to: '{{ "localhost" if sops_install_on_localhost else omit }}'
+      delegate_facts: '{{ true if sops_install_on_localhost else omit }}'
diff --git a/ansible_collections/community/sops/roles/install/tasks/system.yml b/ansible_collections/community/sops/roles/install/tasks/system.yml
new file mode 100644
index 00000000..ecde47ca
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/tasks/system.yml
@@ -0,0 +1,26 @@
+---
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2022, Felix Fontein
+
+- name: Make sure that SOPS can be installed from system packages
+  ansible.builtin.fail:
+    msg: >-
+      SOPS cannot be installed from system packages for
+      {{ _community_sops_install_facts.distribution }} {{ _community_sops_install_facts.distribution_version }}.
+  when: not _community_sops_install_system_has_system
+
+- name: Make sure that systems only supporting 'latest' are not told to install another version
+  ansible.builtin.fail:
+    msg: >-
+      SOPS version {{ sops_version }} was requested, but we can only install latest SOPS from system packages.
+  when: sops_version != 'latest' and _community_sops_install_system_has_system_latest_only
+
+- name: Set variables
+  ansible.builtin.set_fact:
+    _community_sops_install_system_packages_actual: >-
+      {{ _community_sops_install_system_packages + _community_sops_install_system_packages_system }}
+    _community_sops_install_system_packages_unsigned_actual: >-
+      {{ _community_sops_install_system_packages_unsigned + _community_sops_install_system_packages_unsigned_system }}
+    _community_sops_install_system_package_deb_actual: >-
+      {{ _community_sops_install_system_package_deb_system }}
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
new file mode 100644
index 00000000..27577c48
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Alpine.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+  - gpg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+  - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
new file mode 100644
index 00000000..51e34a8d
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/D-Archlinux.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: true
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages:
+  - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system:
+  - sops
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
new file mode 100644
index 00000000..804cf3c9
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-Debian.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: '{{ ansible_version.full is version("2.12", ">=") }}'
+
+_community_sops_install_system_packages:
+  - gnupg
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_arch_transform:
+  x86_64: amd64
+  aarch64: arm64
+_community_sops_install_system_package_deb_github: >-
+  https://github.com/getsops/sops/releases/download/v{{
+    _community_sops_install_effective_sops_version
+  }}/sops_{{
+    _community_sops_install_effective_sops_version.replace('-', '.')
+  }}_{{
+    _community_sops_install_arch_transform.get(ansible_facts.architecture, ansible_facts.architecture)
+  }}.deb
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
new file mode 100644
index 00000000..0e7f213d
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/OS-RedHat.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: true
+
+_community_sops_install_allow_downgrade: true
+
+_community_sops_install_system_packages:
+  - gnupg2
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github:
+  - >-
+    https://github.com/getsops/sops/releases/download/v{{
+      _community_sops_install_effective_sops_version
+    }}/sops-{{
+      (_community_sops_install_effective_sops_version is version('3.6.0', '<')) | ternary('v', '')
+    }}{{
+      _community_sops_install_effective_sops_version.replace('-', '.')
+    }}{{
+      (
+        _community_sops_install_effective_sops_version is version('3.8.0', '<') or
+        _community_sops_install_effective_sops_version is version('3.9.0', '>=')
+      ) | ternary('-1', '')
+    }}.{{
+      ansible_facts.architecture
+    }}.rpm
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/roles/install/vars/default.yml b/ansible_collections/community/sops/roles/install/vars/default.yml
new file mode 100644
index 00000000..24d14b18
--- /dev/null
+++ b/ansible_collections/community/sops/roles/install/vars/default.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+_community_sops_install_system_has_system: false
+_community_sops_install_system_has_system_latest_only: true
+_community_sops_install_system_has_github: false
+
+_community_sops_install_allow_downgrade: false
+
+_community_sops_install_system_packages: []
+_community_sops_install_system_packages_unsigned: []
+
+_community_sops_install_system_package_deb_github: false
+_community_sops_install_system_packages_github: []
+_community_sops_install_system_packages_unsigned_github: []
+
+_community_sops_install_system_package_deb_system: false
+_community_sops_install_system_packages_system: []
+_community_sops_install_system_packages_unsigned_system: []
diff --git a/ansible_collections/community/sops/tests/config.yml b/ansible_collections/community/sops/tests/config.yml
new file mode 100644
index 00000000..38590f2e
--- /dev/null
+++ b/ansible_collections/community/sops/tests/config.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# See template for more information:
+# https://github.com/ansible/ansible/blob/devel/test/lib/ansible_test/config/config.yml
+modules:
+  python_requires: default
diff --git a/ansible_collections/community/sops/tests/ee/all.yml b/ansible_collections/community/sops/tests/ee/all.yml
new file mode 100644
index 00000000..f42fdb63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/all.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  tasks:
+    - name: Download sops test GPG key on localhost
+      get_url:
+        url: https://raw.githubusercontent.com/getsops/sops/master/pgp/sops_functional_tests_key.asc
+        dest: /tmp/sops_functional_tests_key.asc
+    - name: Import sops test GPG key on localhost
+      command: gpg --import /tmp/sops_functional_tests_key.asc
+      failed_when: false
+    - name: Find all roles
+      find:
+        paths:
+          - "{{ (playbook_dir | default('.')) ~ '/roles' }}"
+        file_type: directory
+        depth: 1
+      register: result
+    - name: Include all roles
+      include_role:
+        name: "{{ item }}"
+      loop: "{{ result.files | map(attribute='path') | map('regex_replace', '.*/', '') | sort }}"
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/.sops.yaml b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/.sops.yaml
new file mode 100644
index 00000000..3660222c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/.sops.yaml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml
new file mode 100644
index 00000000..d7bfc2ea
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml
@@ -0,0 +1,25 @@
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml.license b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/simple.sops.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml
new file mode 100644
index 00000000..2df12739
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml
@@ -0,0 +1,2 @@
+---
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml.license b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/files/wrong.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/ee/roles/lookup_sops/tasks/main.yml b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/tasks/main.yml
new file mode 100644
index 00000000..b17c8017
--- /dev/null
+++ b/ansible_collections/community/sops/tests/ee/roles/lookup_sops/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test lookup with missing file
+  set_fact:
+    sops_file_does_not_exists: "{{ lookup('community.sops.sops', 'file-does-not-exists.sops.yml') }}"
+  ignore_errors: true
+  register: sops_lookup_missing_file
+
+- assert:
+    that:
+      - "sops_lookup_missing_file is failed"
+      - "'could not locate file in lookup: file-does-not-exists.sops.yml' in sops_lookup_missing_file.msg"
+
+- name: Test lookup with missing file with empty_on_not_exist
+  set_fact:
+    sops_file_does_not_exists_empty: "{{ lookup('community.sops.sops', 'file-does-not-exists.sops.yml', empty_on_not_exist=true) }}"
+  register: sops_lookup_missing_file_empty_on_not_exist
+
+- assert:
+    that:
+      - "sops_lookup_missing_file_empty_on_not_exist is success"
+      - "sops_file_does_not_exists_empty == ''"
+
+- name: Test lookup of non-sops file
+  set_fact:
+    sops_wrong_file: "{{ lookup('community.sops.sops', 'wrong.yaml') }}"
+  ignore_errors: true
+  register: sops_lookup_wrong_file
+
+- assert:
+    that:
+      - "sops_lookup_wrong_file is failed"
+      - "'sops metadata not found' in sops_lookup_wrong_file.msg"
+
+- name: Test simple lookup
+  set_fact:
+    sops_success: "{{ lookup('community.sops.sops', 'simple.sops.yaml') }}"
+  register: sops_lookup_simple
+
+- assert:
+    that:
+      - "sops_lookup_simple is success"
+      - "sops_success == 'foo: bar'"
diff --git a/ansible_collections/community/sops/tests/integration/requirements.yml b/ansible_collections/community/sops/tests/integration/requirements.yml
new file mode 100644
index 00000000..9efa2991
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/requirements.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+collections:
+  - community.general
diff --git a/ansible_collections/community/sops/tests/integration/targets/age/aliases b/ansible_collections/community/sops/tests/integration/targets/age/aliases
new file mode 100644
index 00000000..3a9daf6c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/age/aliases
@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
diff --git a/ansible_collections/community/sops/tests/integration/targets/age/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/age/meta/main.yml
new file mode 100644
index 00000000..344e8b86
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/age/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/sops/tests/integration/targets/age/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/age/tasks/main.yml
new file mode 100644
index 00000000..ebb10c64
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/age/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Determine whether sops, age, and sops with age are supported
+  set_fact:
+    supports_sops_and_age: >-
+      {{ sops_installed and age_installed and sops_version_remote is version('3.7.0', '>=') }}
+
+- when: supports_sops_and_age
+  block:
+    - name: Create local temporary directory
+      tempfile:
+        state: directory
+        suffix: .test
+      delegate_to: localhost
+      register: local_tmp_dir
+
+    - name: Record local temporary directory
+      set_fact:
+        local_tmp_dir: "{{ local_tmp_dir.path }}"
+
+    - name: Create age keys
+      command: age-keygen --output {{ local_tmp_dir }}/{{ item }}
+      delegate_to: localhost
+      loop:
+        - identity_1
+        - identity_2
+        - identity_3
+        - identity_4
+
+    - vars:
+        identity_files:
+          - name: identities_all
+            id_files:
+              - identity_1
+              - identity_2
+              - identity_3
+              - identity_4
+          - name: identities_1_2_3
+            id_files:
+              - identity_1
+              - identity_2
+              - identity_3
+          - name: identities_4
+            id_files:
+              - identity_4
+      block:
+        - name: Create local identity files
+          copy:
+            dest: '{{ local_tmp_dir }}/{{ item.name }}'
+            content: |
+              {% for id_file in item.id_files %}
+              {{   lookup('file', local_tmp_dir ~ '/' ~ id_file) }}
+              {% endfor %}
+          delegate_to: localhost
+          loop: '{{ identity_files }}'
+
+        - name: Create remote identity files
+          copy:
+            dest: '{{ remote_tmp_dir }}/{{ item.name }}'
+            content: |
+              {% for id_file in item.id_files %}
+              {{   lookup('file', local_tmp_dir ~ '/' ~ id_file) }}
+              {% endfor %}
+          loop: '{{ identity_files }}'
+
+    - name: Read identity public keys
+      set_fact:
+        identity_1: "{{ lookup('file', local_tmp_dir ~ '/identity_1') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_2: "{{ lookup('file', local_tmp_dir ~ '/identity_2') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_3: "{{ lookup('file', local_tmp_dir ~ '/identity_3') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_4: "{{ lookup('file', local_tmp_dir ~ '/identity_4') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+
+    - include_tasks: test.yml
+  always:
+    - name: Delete temporary directory
+      file:
+        path: '{{ local_tmp_dir }}'
+        state: absent
+      delegate_to: localhost
diff --git a/ansible_collections/community/sops/tests/integration/targets/age/tasks/test.yml b/ansible_collections/community/sops/tests/integration/targets/age/tasks/test.yml
new file mode 100644
index 00000000..9bf8bd21
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/age/tasks/test.yml
@@ -0,0 +1,132 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create encrypted files
+  sops_encrypt:
+    path: '{{ remote_tmp_dir }}/{{ item.name }}.sops.yaml'
+    age: '{{ item.identities }}'
+    age_keyfile: '{{ remote_tmp_dir }}/identities_all'
+    content_yaml: '{{ item.data }}'
+  loop: '{{ data }}'
+  vars:
+    data:
+      - name: enc-1
+        identities:
+          - '{{ identity_1 }}'
+          - '{{ identity_2 }}'
+          - '{{ identity_3 }}'
+          - '{{ identity_4 }}'
+        data:
+          foo: bar
+          baz: this is a secret
+          bam: true
+          int: 3
+      - name: enc-2
+        identities:
+          - '{{ identity_1 }}'
+          - '{{ identity_2 }}'
+          - '{{ identity_4 }}'
+        data:
+          foo: 19
+          bar: this is another secret
+      - name: enc-3
+        identities:
+          - '{{ identity_4 }}'
+        data:
+          foo: 23
+
+- name: Copy encrypted files to localhost
+  fetch:
+    src: '{{ remote_tmp_dir }}/{{ item }}.sops.yaml'
+    dest: '{{ local_tmp_dir }}/'
+    flat: true
+  loop:
+    - enc-1
+    - enc-2
+    - enc-3
+
+- name: Decrypt some data (3.7.0+)
+  set_fact:
+    decrypt_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_1_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+    decrypt_1_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
+    decrypt_1_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"
+    decrypt_1_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+    decrypt_1_1_2_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_1_2_3') | from_yaml }}"
+    decrypt_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_2_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+    decrypt_2_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
+    decrypt_2_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+    decrypt_2_1_2_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_1_2_3') | from_yaml }}"
+    decrypt_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_3_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+
+- name: Validate decryption
+  assert:
+    that:
+      - decrypt_1.foo == 'bar'
+      - decrypt_1.baz == 'this is a secret'
+      - decrypt_1.bam == true
+      - decrypt_1.int == 3
+      - decrypt_1 == decrypt_1_1
+      - decrypt_1 == decrypt_1_2
+      - decrypt_1 == decrypt_1_3
+      - decrypt_1 == decrypt_1_4
+      - decrypt_1 == decrypt_1_1_2_3
+      - decrypt_2.foo == 19
+      - decrypt_2.bar == 'this is another secret'
+      - decrypt_2.bam is undefined
+      - decrypt_2.int is undefined
+      - decrypt_2 == decrypt_2_1
+      - decrypt_2 == decrypt_2_2
+      - decrypt_2 == decrypt_2_4
+      - decrypt_2 == decrypt_2_1_2_3
+      - decrypt_3.foo == 23
+      - decrypt_3.bar is undefined
+      - decrypt_3.bam is undefined
+      - decrypt_3.int is undefined
+      - decrypt_3 == decrypt_3_4
+
+- when: >-
+    sops_version_controller is version('3.7.1', '>=')
+  block:
+    - name: Decrypt some data (3.7.1+)
+      set_fact:
+        decrypt_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_all')) | from_yaml }}"
+        decrypt_1_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_1')) | from_yaml }}"
+        decrypt_1_2b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_2')) | from_yaml }}"
+        decrypt_1_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_3')) | from_yaml }}"
+        decrypt_1_4b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_4')) | from_yaml }}"
+        decrypt_1_1_2_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_1_2_3')) | from_yaml }}"
+
+    - name: Validate decryption
+      assert:
+        that:
+          - decrypt_1 == decrypt_1b
+          - decrypt_1 == decrypt_1_1b
+          - decrypt_1 == decrypt_1_2b
+          - decrypt_1 == decrypt_1_3b
+          - decrypt_1 == decrypt_1_4b
+          - decrypt_1 == decrypt_1_1_2_3b
+
+- name: Failed encryption 1
+  debug:
+    msg: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"
+  ignore_errors: true
+  register: failure_1
+
+- name: Failed encryption 2
+  debug:
+    msg: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+  ignore_errors: true
+  register: failure_2
+
+- name: Validate failed decryption
+  assert:
+    that:
+      - failure_1 is failed
+      - "'CouldNotRetrieveKey' in failure_1.msg"
+      - failure_2 is failed
+      - "'CouldNotRetrieveKey' in failure_2.msg"
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/aliases b/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/aliases
new file mode 100644
index 00000000..977ec388
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/aliases
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
+skip/python2.6  # lookups are controller only, and we no longer support Python 2.6 on the controller
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/tasks/main.yml
new file mode 100644
index 00000000..6d1ba661
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter__latest_version/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test _latest_version filter
+  ansible.builtin.assert:
+    that:
+      - list_0 | community.sops._latest_version == '1.0.0'
+      - list_1 | community.sops._latest_version == '1.2.1'
+      - list_2 | community.sops._latest_version == '1.2.1'
+      - list_3 | community.sops._latest_version == '1.2.3'
+      - list_4 | community.sops._latest_version == ''
+      - "[] | community.sops._latest_version == ''"
+  vars:
+    list_0:
+      - '1'
+      - '1.0'
+      - 1.0.0
+    list_1:
+      - '1.0'
+      - 1.2.1
+      - 1.0.0
+    list_2:
+      - '1.0'
+      - 1.2.1
+      - 1.2.1-rc.1
+      - 1.0.0
+    list_3:
+      - '1.0'
+      - 1.2.3
+      - 1.4.0-rc.1
+      - 1.4.0-a1+5
+      - 1.4.0+5
+      - 1.0.0
+    list_4:
+      - 1.4.0-rc.1
+      - 1.4.0-a1+5
+      - 1.4.0+5
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/aliases b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/aliases
new file mode 100644
index 00000000..977ec388
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/aliases
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
+skip/python2.6  # lookups are controller only, and we no longer support Python 2.6 on the controller
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/.sops.yaml
new file mode 100644
index 00000000..3660222c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/.sops.yaml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops
new file mode 100644
index 00000000..af344ef2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:TrEN6YJBOg==,iv:aUozScYsBrM4khbqD2lMbGpEEXXO0Vy8YytBoG4HIf4=,tag:JlLZHqj2fsTi6v1rGeaxWw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-02T18:26:32Z",
+		"mac": "ENC[AES256_GCM,data:m4PPDNMYOPcDECiKJLF9Hg4jIInHj/xpj5bnGUkQxMm4XO2CDPal9g1FwTzwjOK9rXLUkdhWc8FuRh542EviVV8vOyUkjVAwN0x0bpXodBXB5r/9PPDwtObe/CUWnjo90Ow7IuX/BnQI6lf1sdPHf0MeTjGN9/l7tr6xg+92bIc=,iv:7q+TxZ65n2a+Vdb9KY6ISX92c1lEG2yTpa9KCt/QcUk=,tag:uR1AfcNd1dvH6LZy2oBDiw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-02T18:26:31Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAR4QrVAJ5LhfX41457whWBdB74/O4OEZ76CkUGBvCVkGb\nHjJf9PAHFYH12UVnHEK3ZHKxKrVKPM2Pf3hsMGPuruS2wDuCWLteuMfQtlvCg1Xv\nLxiOfyEUEFc7Rl7uKmvni7XBeexIYN0DpxYa1Paz28ptQJCxZ84FK9y2jrFg2bUF\nq8R1JSTiY+YDXQBKSw3XgdJjjX2Yrpe85BV/l7pgREcwKEG4ZIU8n/zH2mgCObxp\nVfa50dAs5mfooU4g+xF34INhk7L+JPF0EBAbdrPyiw/7220dQSfCW0K3rgQkL1ZE\nB0wjH3S2anRO5t8E4S/YvXerq8LwtpCMczflLsCZ89LgAeStGGLFgZU53ASmq2dt\nqwQw4dCY4CngwuG/PuCt4nYV6VPgz+V+txpuq/aKQvcuFNhGsRtm4oP/vUlhqZQA\nivnqgO/DveCH5MxW9oMGLnYj4Jkbp0gRyALiqwNRz+HfSgA=\n=3dNe\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/binary.sops.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-rep.sh b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-rep.sh
new file mode 100755
index 00000000..0c1ab43f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-rep.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--keyservice" ] || [ "$2" != "a" ] || [ "$3" != "--keyservice" ] || [ "$4" != "b" ] || [ "$5" != "--input-type" ] || [ "$6" != "yaml" ] || [ "$7" != "--output-type" ] || [ "$8" != "yaml" ] || [ "$9" != "--decrypt" ] || [ "${10}" != "/dev/stdin" ] || [ "${11}" != "" ]; then
+    echo "Command (fake-sops-rep): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_SESSION_TOKEN}" != "zzz" ]; then
+    echo "AWS_SESSION_TOKEN is '${AWS_SESSION_TOKEN}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output 3'
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-val.sh b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-val.sh
new file mode 100755
index 00000000..6e8b3667
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops-val.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--config" ] || [ "$2" != "/path/to/asdf" ] || [ "$3" != "--input-type" ] || [ "$4" != "yaml" ] || [ "$5" != "--output-type" ] || [ "$6" != "yaml" ] || [ "$7" != "--decrypt" ] || [ "$8" != "/dev/stdin" ] || [ "$9" != "" ]; then
+    echo "Command (fake-sops-val): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_SECRET_ACCESS_KEY}" != "yyy" ]; then
+    echo "AWS_SECRET_ACCESS_KEY is '${AWS_SECRET_ACCESS_KEY}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output 2'
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops.sh b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops.sh
new file mode 100755
index 00000000..676292c7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/fake-sops.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--enable-local-keyservice=false" ] || [ "$2" != "--input-type" ] || [ "$3" != "yaml" ] || [ "$4" != "--output-type" ] || [ "$5" != "yaml" ] || [ "$6" != "--decrypt" ] || [ "$7" != "/dev/stdin" ] || [ "$8" != "" ]; then
+    echo "Command (fake-sops): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_ACCESS_KEY_ID}" != "xxx" ]; then
+    echo "AWS_ACCESS_KEY_ID is '${AWS_ACCESS_KEY_ID}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output'
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml
new file mode 100644
index 00000000..8ac6f945
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json
new file mode 100644
index 00000000..8ac6f945
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml
new file mode 100644
index 00000000..b6175280
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+      - created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary-yaml.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-binary.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-json.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml
new file mode 100644
index 00000000..d3a52a22
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json
new file mode 100644
index 00000000..d3a52a22
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml
new file mode 100644
index 00000000..5ae3291d
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+      - created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/hidden-yaml.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops
new file mode 100644
index 00000000..a704dbad
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:+x5Q1yGxpgvMQiwwMiCAiU0B5KA7i1eMvuRRxNLpKH0LEEs/7rpOInqKtA==,iv:96ihzWMxW45FqN28BCtX1emDBcXln9FN87Yf8bTlbbA=,tag:a8SiDQjFffOYHwKp5IhU2Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-02T18:14:42Z",
+		"mac": "ENC[AES256_GCM,data:CyLyYbG6rVwT8sRqLxLBuWUrgtUHz8XVwCx7iyiJDL925jzMvkA2ZEYxH6CsiWwc5/7tcFGLDSCjYw3AHD9x42LmsaAefk7F4X55++EI5VZbmSwyHdxCqvMVycKLJm3YXfodos8bbEWDDXhbmMT92uJs7H/IBXywnQHG3qoJWJE=,iv:ljY/d++R5v8VY5Q8nV0lnNwaeuEiKG4VTY8fSgFJD+w=,tag:MEtTIFuiSj8ReQOZNxO1IQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-02T18:11:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAblvrgBIPsg01TJjde7YskLvPKC/1jt1kI/eoOQ/KdemW\ngaJf4PIWGzFUxZEXeRzo70HTS+sPTi0TQDDkwOfcNjlGb3dC1KQdIZ1UiuqhL1//\n1G0doMMztEyZ63SOElv3OaWHjcnvmP224rTuFpO6Pm8HHMKEbaw9N7YHObgSdIpk\nfqEP369xj6bk/yQNEuMbgQOk+7LAYPs8na7oxIrdkWrmIlVj5jEz08lVS/FJecty\nUDalNDBkRrqMgTvSAw0vJTzaPzw/V+6WTrHh/0FRvLKJlKOsesaoxahW2/H1Dxmr\npySYTs2omqOtr3RzkCrUXmHijim9DIwg0JsIjo5xytLgAeSjSr9/W1EucekSGbeM\nmYK+4cN/4ILgRuH75OAw4qu0IgrgWuX6Eo7vO2HPrUiFLA/j+7/Bi+HkBZZuMrlR\njhd7C7MQGuD85NF3TzP2hW895ZiDznjWutHi69caRuEeZQA=\n=Aqvj\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/rstrip.sops.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml
new file mode 100644
index 00000000..d7bfc2ea
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml
@@ -0,0 +1,25 @@
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml.license b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/files/simple.sops.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/meta/main.yml
new file mode 100644
index 00000000..b7f89500
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
diff --git a/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/tasks/main.yml
new file mode 100644
index 00000000..08fe87bf
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/filter_decrypt/tasks/main.yml
@@ -0,0 +1,132 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: sops_installed
+  block:
+    - name: Test bad parameter detection (1/2)
+      set_fact:
+        sops_bad_input_type: "{{ 'this-is-not: a sops file' | community.sops.decrypt(input_type='foo') }}"
+      ignore_errors: true
+      register: sops_bad_input_type
+
+    - name: Test bad parameter detection (2/2)
+      set_fact:
+        sops_bad_output_type: "{{ 'this-is-not: a sops file' | community.sops.decrypt(output_type=23) }}"
+      ignore_errors: true
+      register: sops_bad_output_type
+
+    - assert:
+        that:
+          - "sops_bad_input_type is failed"
+          - "'input_type must be one of' in sops_bad_input_type.msg"
+          - "'; got \"foo\"' in sops_bad_input_type.msg"
+          - "sops_bad_output_type is failed"
+          - "'output_type must be one of' in sops_bad_output_type.msg"
+          - "'; got \"23\"' in sops_bad_output_type.msg"
+
+    - name: Test decrypt of non-sops file
+      set_fact:
+        sops_wrong_file: "{{ 'this-is-not: a sops file' | community.sops.decrypt }}"
+      ignore_errors: true
+      register: sops_filter_wrong_file
+
+    - assert:
+        that:
+          - "sops_filter_wrong_file is failed"
+          - "'sops metadata not found' in sops_filter_wrong_file.msg"
+
+    - name: Test simple filter
+      set_fact:
+        sops_success: "{{ lookup('file', 'simple.sops.yaml') | community.sops.decrypt }}"
+      register: sops_filter_simple
+
+    - assert:
+        that:
+          - "sops_filter_simple is success"
+          - "sops_success == 'foo: bar'"
+
+    - name: Test rstrip
+      set_fact:
+        with_rstrip: "{{ lookup('file', 'rstrip.sops') | community.sops.decrypt(rstrip=true, output_type='binary') }}"
+        without_rstrip: "{{ lookup('file', 'rstrip.sops') | community.sops.decrypt(rstrip=false, output_type='binary') }}"
+        default_rstrip: "{{ lookup('file', 'rstrip.sops') | community.sops.decrypt(output_type='binary') }}"
+
+    - assert:
+        that:
+          - with_rstrip == 'This file has three newlines at the end.'
+          - without_rstrip == 'This file has three newlines at the end.\n\n\n'
+          - default_rstrip == 'This file has three newlines at the end.'
+
+    - name: Test binary
+      set_fact:
+        binary_with_rstrip: "{{ lookup('file', 'binary.sops') | community.sops.decrypt(rstrip=true, decode_output=false, output_type='binary') | b64encode }}"
+        binary_without_rstrip: "{{ lookup('file', 'binary.sops') | community.sops.decrypt(rstrip=false, decode_output=false, output_type='binary') | b64encode }}"
+
+    - assert:
+        that:
+          - binary_with_rstrip == 'AQIDAAQ='
+          - binary_without_rstrip == 'AQIDAAQgCg=='
+
+    - name: Test hidden binary
+      set_fact:
+        hidden_binary: "{{ lookup('file', 'hidden-binary') | community.sops.decrypt(output_type='binary') }}"
+        hidden_binary__json: "{{ lookup('file', 'hidden-binary.json') | community.sops.decrypt(output_type='binary') }}"
+        hidden_binary__yaml: "{{ lookup('file', 'hidden-binary.yaml') | community.sops.decrypt(output_type='binary') }}"
+        hidden_binary_yaml: "{{ lookup('file', 'hidden-binary-yaml') | community.sops.decrypt(input_type='yaml', output_type='binary') }}"
+        hidden_binary_yaml__json: "{{ lookup('file', 'hidden-binary-yaml.json') | community.sops.decrypt(input_type='yaml', output_type='binary') }}"
+        hidden_binary_yaml__yaml: "{{ lookup('file', 'hidden-binary-yaml.yaml') | community.sops.decrypt(input_type='yaml', output_type='binary') }}"
+        hidden_json: "{{ lookup('file', 'hidden-json') | community.sops.decrypt(input_type='json', output_type='json') | from_json }}"
+        hidden_json__json: "{{ lookup('file', 'hidden-json.json') | community.sops.decrypt(input_type='json', output_type='json') | from_json }}"
+        hidden_json__yaml: "{{ lookup('file', 'hidden-json.yaml') | community.sops.decrypt(input_type='json', output_type='json') | from_json }}"
+        hidden_yaml: "{{ lookup('file', 'hidden-yaml') | community.sops.decrypt(input_type='yaml', output_type='yaml') }}"
+        hidden_yaml__json: "{{ lookup('file', 'hidden-yaml.json') | community.sops.decrypt(input_type='yaml', output_type='yaml') }}"
+        hidden_yaml__yaml: "{{ lookup('file', 'hidden-yaml.yaml') | community.sops.decrypt(input_type='yaml', output_type='yaml') }}"
+        hidden_json__as_yaml: "{{ lookup('file', 'hidden-json') | community.sops.decrypt(input_type='json', output_type='yaml') }}"
+        hidden_json__json__as_yaml: "{{ lookup('file', 'hidden-json.json') | community.sops.decrypt(input_type='json', output_type='yaml') }}"
+        hidden_json__yaml__as_yaml: "{{ lookup('file', 'hidden-json.yaml') | community.sops.decrypt(input_type='json', output_type='yaml') }}"
+        hidden_yaml__as_json: "{{ lookup('file', 'hidden-yaml') | community.sops.decrypt(input_type='yaml', output_type='json') | from_json }}"
+        hidden_yaml__json__as_json: "{{ lookup('file', 'hidden-yaml.json') | community.sops.decrypt(input_type='yaml', output_type='json') | from_json }}"
+        hidden_yaml__yaml__as_json: "{{ lookup('file', 'hidden-yaml.yaml') | community.sops.decrypt(input_type='yaml', output_type='json') | from_json }}"
+
+    - assert:
+        that:
+          - hidden_binary == test_str_abcd
+          - hidden_binary__json == test_str_abcd
+          - hidden_binary__yaml == test_str_abcd
+          - hidden_binary_yaml == test_str_binary_data
+          - hidden_binary_yaml__json == test_str_binary_data
+          - hidden_binary_yaml__yaml == test_str_binary_data
+          - hidden_json == test_dict
+          - hidden_json__json == test_dict
+          - hidden_json__yaml == test_dict
+          - hidden_yaml == test_dict_yaml
+          - hidden_yaml__json == test_dict_yaml
+          - hidden_yaml__yaml == test_dict_yaml
+          - hidden_json__as_yaml == test_dict_yaml
+          - hidden_json__json__as_yaml == test_dict_yaml
+          - hidden_json__yaml__as_yaml == test_dict_yaml
+          - hidden_yaml__as_json == test_dict
+          - hidden_yaml__json__as_json == test_dict
+          - hidden_yaml__yaml__as_json == test_dict
+      vars:
+        test_dict:
+          a: b
+          c: d
+        test_dict_yaml:
+          "a: b\nc: d"
+        test_str_binary_data: This is binary data.
+        test_str_abcd: a is b, and c is d
+
+    - name: Test fake sops binary
+      set_fact:
+        fake_sops_output: "{{ lookup('file', 'simple.sops.yaml') | community.sops.decrypt(sops_binary=role_path ~ '/files/fake-sops.sh', enable_local_keyservice=False, aws_access_key_id='xxx') }}"
+        fake_sops_output_2: "{{ lookup('file', 'simple.sops.yaml') | community.sops.decrypt(sops_binary=role_path ~ '/files/fake-sops-val.sh', config_path='/path/to/asdf', aws_secret_access_key='yyy') }}"
+        fake_sops_output_3: "{{ lookup('file', 'simple.sops.yaml') | community.sops.decrypt(sops_binary=role_path ~ '/files/fake-sops-rep.sh', keyservice=['a', 'b'], aws_session_token='zzz') }}"
+
+    - assert:
+        that:
+          - fake_sops_output == 'fake sops output'
+          - fake_sops_output_2 == 'fake sops output 2'
+          - fake_sops_output_3 == 'fake sops output 3'
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/aliases b/ansible_collections/community/sops/tests/integration/targets/load_vars/aliases
new file mode 100644
index 00000000..ba51f599
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/aliases
@@ -0,0 +1,10 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
+skip/python2.6  # lookups are controller only, and we no longer support Python 2.6 on the controller
+context/controller
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/load_vars/meta/main.yml
new file mode 100644
index 00000000..b7f89500
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/load_vars/tasks/main.yml
new file mode 100644
index 00000000..1f5c587a
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/tasks/main.yml
@@ -0,0 +1,158 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: sops_installed
+  block:
+    - name: Test load_vars with missing option
+      community.sops.load_vars:
+      register: load_vars_missing_option
+      failed_when: load_vars_missing_option is not failed
+
+    - assert:
+        that:
+          - '"missing required arguments: file" in load_vars_missing_option.msg'
+
+    - name: Test load_vars with wrong choice value
+      community.sops.load_vars:
+        file: a
+        expressions: invalid value
+      register: load_vars_invalid_value
+      failed_when: load_vars_invalid_value is not failed
+
+    - assert:
+        that:
+          - '"value of expressions must be one of: ignore, evaluate-on-load, lazy-evaluation, got: invalid value" in load_vars_invalid_value.msg'
+
+    - name: Test load_vars with missing file
+      community.sops.load_vars:
+        file: non-existent.sops.yaml
+      register: load_vars_missing_file
+      failed_when: load_vars_missing_file is not failed
+
+    - assert:
+        that:
+          - |
+            "Could not find or access 'non-existent.sops.yaml'\n" in load_vars_missing_file.msg
+
+    - name: Test load_vars with non-sops file
+      community.sops.load_vars:
+        file: wrong.yaml
+      register: load_vars_wrong_file
+      failed_when: load_vars_wrong_file is not failed
+
+    - assert:
+        that:
+          - "'sops metadata not found' in load_vars_wrong_file.msg"
+
+    - name: Test load_vars with simple file into variable
+      community.sops.load_vars:
+        file: simple.sops.yaml
+        name: dest_variable
+      register: load_vars_simple
+
+    - assert:
+        that:
+          - load_vars_simple is success
+          - "load_vars_simple.ansible_facts == {'dest_variable': {'foo': 'bar'}}"
+          - dest_variable.foo == 'bar'
+          - foo is undefined
+
+    - name: Test load_vars with empty file
+      community.sops.load_vars:
+        file: empty.sops.json
+      register: load_vars_empty
+
+    - assert:
+        that:
+          - load_vars_empty is success
+          - load_vars_empty.ansible_facts | length == 0
+
+    - name: Test load_vars with simple file into global namespace
+      community.sops.load_vars:
+        file: simple.sops.yaml
+      register: load_vars_simple_global
+
+    - assert:
+        that:
+          - load_vars_simple_global is success
+          - "load_vars_simple_global.ansible_facts == {'foo': 'bar'}"
+          - foo == 'bar'
+
+    - name: Test load_vars with expressions ignored
+      community.sops.load_vars:
+        file: proper-vars.sops.yaml
+        expressions: ignore
+      register: load_vars_expr_ignore
+
+    - assert:
+        that:
+          - load_vars_expr_ignore is success
+          - test1 == '{' ~ '{ bar }' ~ '}'
+          - test2 == '{' ~ '{ this_will_not_get_evaluated }' ~ '}'
+          - bar == 'baz'
+
+    - set_fact:
+        to_be_defined_earlier: something_defined_before
+        bar_2: baz
+
+    - name: Test load_vars with expressions evaluated now
+      community.sops.load_vars:
+        file: proper-vars-2.sops.yaml
+        expressions: evaluate-on-load
+      register: load_vars_expr_evaluated_now
+
+    - set_fact:
+        to_be_defined_earlier: something_else
+
+    - assert:
+        that:
+          - load_vars_expr_evaluated_now is success
+          - test1_2 == 'baz'
+          - test2_2 == 'something_defined_before'
+          - test3_2[0] == 'baz'
+          - test4_2.test_4_2_1 == 'bazbaz'
+
+    - name: Test load_vars with expressions evaluated now (again)
+      community.sops.load_vars:
+        file: proper-vars-2.sops.yaml
+        expressions: evaluate-on-load
+      register: load_vars_expr_evaluated_now_2
+
+    - assert:
+        that:
+          - load_vars_expr_evaluated_now_2 is success
+          - test2_2 == 'something_else'
+
+    - when: ansible_version.full is version('2.19', '>=')
+      block:
+        - set_fact:
+            to_be_defined_earlier: something_defined_before
+            bar_2: baz
+
+        - name: Test load_vars with expressions evaluated lazily
+          community.sops.load_vars:
+            file: proper-vars-2.sops.yaml
+            expressions: lazy-evaluation
+          register: load_vars_expr_lazy_evaluated
+
+        - assert:
+            that:
+              - load_vars_expr_lazy_evaluated is success
+              - test1_2 == 'baz'
+              - test2_2 == 'something_defined_before'
+              - test3_2[0] == 'baz'
+              - test4_2.test_4_2_1 == 'bazbaz'
+
+        - set_fact:
+            to_be_defined_earlier: something_else
+            bar_2: buzz
+
+        - assert:
+            that:
+              - load_vars_expr_lazy_evaluated is success
+              - test1_2 == 'buzz'
+              - test2_2 == 'something_else'
+              - test3_2[0] == 'buzz'
+              - test4_2.test_4_2_1 == 'buzzbuzz'
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/.sops.yaml
new file mode 100644
index 00000000..3660222c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/.sops.yaml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json
new file mode 100644
index 00000000..82c8cf38
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json
@@ -0,0 +1,19 @@
+{
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-09-21T05:20:22Z",
+		"mac": "ENC[AES256_GCM,data:/lmY2rbeFuc9D1CvPQVWfgBsMiO9A+xDvUlO5vxovcXTrI+FHV/O8NO0VyCuXxvPpzXpsbJq9g7YjBVyllsH1Y2zveWAPNH7hoPdMTsa7g0D/qANLnkDIkr0Gj5EIi1Pek1CT631u1SPHBih60AinwulkArEWs4Z4Sh9t881jSc=,iv:CSwOl2eqZb+bw53m2GTuWdmvFYOjDlH1um5MHAB1gxg=,tag:IQ3AXbHZ1RYlHjcY0JSr9Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-09-21T05:20:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAYKF/spYZXKeQlZ0kl6RiJCcbfbRBL69jQREerUvET78Q\nqystnEdijf3Dhf0i5wrIFdSrN7uxCQISAYaxa/upklsOuoWD5tQQIVctKDfGgrSH\nVcQrcBO19PQaH6ESF0T1udbalqdjWo8UXIbVzi1aLnaPlUYuzlqPzUTbhl9H0EGE\nNThYC3tfqbsM11d/qkRkxhqyVBOlt/tMkIQZqWc3eITs6ilT1PmkBcSUdoUTpVqi\nuxuTVP5DDoMi23/AGLbXowNn36FvcytPNnMFiRQffrFOv2lBkFgfoYOGeenYfPof\nm6A+b08DlPlNJBMhtyVYo0fzWY8uJqO9NtFdxPPaHNLgAeQunj4ltnJ5644D71Tp\nceSH4Rb74ETgqOEU6eD14oSdeIXgIeWG0zzYuaCDGyU9hWLvc3SEBS8/CMMetVvx\nzKMDxxsaM+Bd5J8z8kw/c6LSUGTSaAr55XziFq0PW+Fw/QA=\n=P0+p\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json.license b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/empty.sops.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars-2.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars-2.sops.yaml
new file mode 100644
index 00000000..bffe0521
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars-2.sops.yaml
@@ -0,0 +1,37 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+test1_2: ENC[AES256_GCM,data:iNGUgLK6RdJZQWA=,iv:FEx7YO17wTadHLcppnpElb5G5UIukfcHDatUkPzZ0rU=,tag:bKx9qwKiirzi7/lR0EQTEA==,type:str]
+test2_2: ENC[AES256_GCM,data:4rFASWUQQLqJgLnL3KAYIWpBoMGz38pTt4+w,iv:42avbhH4HzHhsCNdiPvZbowKbaWx76c+OYD8iZMELyk=,tag:9GSsbCYDQHX698S68cZe+g==,type:str]
+test3_2:
+- ENC[AES256_GCM,data:nna0AD3fT6ySb7o=,iv:oX4yr3haXMCKvPNvbuzbnY1VeJQtT6svyij5IxkM8U4=,tag:T5C0b67m4Gu5OMFQLua7cw==,type:str]
+- ENC[AES256_GCM,data:iFsZo/M=,iv:Rt0S7vSQqT9eBt74/xLkUeRu91jLaroPs1oU707dqZ0=,tag:PHE2U6vUjOwc+vuERU5M8A==,type:int]
+test4_2:
+    test_4_2_1: ENC[AES256_GCM,data:PdqR2Sj2YI9YgWxrHd+iLszygZnzLA==,iv:rzY3GH7WH1E56vDirZ820R3oP7GTqjh1h/p0blTOBts=,tag:IDYNvBfTm2iklZVAI5Y4dw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T19:09:46Z'
+    mac: ENC[AES256_GCM,data:ukYXQmbbOnausOseL6dcmBxZrPE5oHRirIebO8IUorFlas3NTUVFJCPJgJBA6cUa8KhFJDzfv2O+49y5h8j4Xu4w+3EuR42YukATVNbqLR1zQCO3N9fythqWWbxeiTlCXIK+Q+7FhC+UrY0FhFIKDc2iQOWdFYDSeBYg9vx1Spg=,iv:ksQOlDfvr4x25s+bbZywsRqVhvfbe2l81tBKzYVUBwI=,tag:mUD6aR6VbtCSF42dZwwnqg==,type:str]
+    pgp:
+      - created_at: '2020-09-20T20:29:09Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAXN27E1QUMoQcdyFW1D/vNJ1B022/1q8Sg+G9FbsXLTBL
+            XXLRpm+H2R8OEBT9zfW0gTp+RUcffcbEQ4zFPYghXTcfEWB18Dyz4YsemrbjW4NB
+            oHsto+5sqGAALo7grBnUeNFxp3W263YodUSbRnG8lgQeBHulK4IhOoMBr2JnRDJg
+            w/qrZBDBKQQjhl1nr6QtnKA/jlckbyw7wbtDxi8b/0w76un1gpgou+dSaF6rWo1R
+            R7gaCbOzEUm3jdIRARFPeEn7YYgm8Pacxy8krPldjHk1EDuOTL9Ubs2NGHFo2WKo
+            iZqxTPw8MhrNmWC+y90KKFx1JHmS0KLMvi5x4/cqpNLgAeQEW4NCFfCu7wZ8UvfE
+            Xcd44dol4ETgmeH8EOAy4kS1MjrgvuWQPrw+f5VRfUpd0F7RcdLmKSSn9yZ4JGoz
+            eXgIH/SWy+Bu5MgUwqKeFy/Y6BICNKdziLriOvVIYOH4dAA=
+            =VJGY
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars.sops.yaml
new file mode 100644
index 00000000..95f3bbf0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/proper-vars.sops.yaml
@@ -0,0 +1,33 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+test1: ENC[AES256_GCM,data:9Pqw99u2f3qG,iv:AhLP4qOm/OVA2GuRgAxARR8t5tdxjLxU5Cqjq2rSalU=,tag:6mKhNKuv7SQ43SiL1FcrPg==,type:str]
+test2: ENC[AES256_GCM,data:hDPhuyLcFDVddSf4V0bCc67AB6Je62EIYhLT3lr6wfL0,iv:RwY/Upk/es5Y5xzCkZawNDp8wjGkS/qzZo9ErKIwYbc=,tag:h73bPO+pYM08q9Wjx/6N2w==,type:str]
+bar: ENC[AES256_GCM,data:l4r5,iv:bxtHopVoSImLBY0u+1FUPe5qwJGk9nfy2ODI4vYhgiI=,tag:FjdNMkU0YFisswXbgEjCjA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T18:48:09Z'
+    mac: ENC[AES256_GCM,data:u4+EQNjFXHsN2nF/WvXXoIkpFgAnagpH+NexBjicZbvAyrWuUgJxKQQxA6RtFdbvf1B3dT5PncPU+FyuUneN4/2ZMgcSGDl0HrA5+C3k7jKWwpk3lRBnkhPth+M4P51ThZ8mZRxRUKoRTivCip6/tL7NDqfCMPUmVG1NplRwhn4=,iv:k79E4eAU7EQLDi840VAPZXbFRmHKlx5HbAyJEBszztM=,tag:kknO0CvGVZaRFLB+plyctg==,type:str]
+    pgp:
+      - created_at: '2020-09-20T20:07:20Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAkSnBl8glONDFOH6XOjo9YbfYCf3L/i8aYueZ/O9VlIX8
+            uyG5JzSfhQu0Yy9BXwuZfELo54SvxqQvlTIF0lQ3VDjBVcZgosaxN+yvMsB9jn6b
+            gbdK0nqduXcwuZGUJqcnq8TBixiWQI+oFMSQUsHrA4O0IqDb0UzGcTDMmVv0FqZu
+            p3C5Femn1z1E/QqLKRU2YGAHbbfBVdNkQiAFAvT6AlchnvNEIyaLeS3D8yueIrBR
+            B76/YNsjSVUff1ZnHm2B0zn/HnC+vQQuMLDnKrQffXJHRJ2AEt0lls/al+NXLiOm
+            TlkE0F6/ZGPIfznt9+tpXhUyAXsOpEZXWYPIfrheodLgAeS3rZfS0Ey7RI02QSq0
+            Jk/g4dSl4DjgAOGcW+Dl4gnGdMjgUuV1tnG4e5riZleM7a+5TSoWZWIJFJqAXO/6
+            EqdSmUvN2uAS5O3DU0mrnMTHTDX4Ghjorh3iPwK2++GT8QA=
+            =SfPv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/simple.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/simple.sops.yaml
new file mode 100644
index 00000000..02ad8294
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/simple.sops.yaml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/wrong.yaml b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/wrong.yaml
new file mode 100644
index 00000000..3f3fff63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/load_vars/vars/wrong.yaml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/aliases b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/aliases
new file mode 100644
index 00000000..977ec388
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/aliases
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
+skip/python2.6  # lookups are controller only, and we no longer support Python 2.6 on the controller
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/.sops.yaml
new file mode 100644
index 00000000..3660222c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/.sops.yaml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops
new file mode 100644
index 00000000..af344ef2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:TrEN6YJBOg==,iv:aUozScYsBrM4khbqD2lMbGpEEXXO0Vy8YytBoG4HIf4=,tag:JlLZHqj2fsTi6v1rGeaxWw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-02T18:26:32Z",
+		"mac": "ENC[AES256_GCM,data:m4PPDNMYOPcDECiKJLF9Hg4jIInHj/xpj5bnGUkQxMm4XO2CDPal9g1FwTzwjOK9rXLUkdhWc8FuRh542EviVV8vOyUkjVAwN0x0bpXodBXB5r/9PPDwtObe/CUWnjo90Ow7IuX/BnQI6lf1sdPHf0MeTjGN9/l7tr6xg+92bIc=,iv:7q+TxZ65n2a+Vdb9KY6ISX92c1lEG2yTpa9KCt/QcUk=,tag:uR1AfcNd1dvH6LZy2oBDiw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-02T18:26:31Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAR4QrVAJ5LhfX41457whWBdB74/O4OEZ76CkUGBvCVkGb\nHjJf9PAHFYH12UVnHEK3ZHKxKrVKPM2Pf3hsMGPuruS2wDuCWLteuMfQtlvCg1Xv\nLxiOfyEUEFc7Rl7uKmvni7XBeexIYN0DpxYa1Paz28ptQJCxZ84FK9y2jrFg2bUF\nq8R1JSTiY+YDXQBKSw3XgdJjjX2Yrpe85BV/l7pgREcwKEG4ZIU8n/zH2mgCObxp\nVfa50dAs5mfooU4g+xF34INhk7L+JPF0EBAbdrPyiw/7220dQSfCW0K3rgQkL1ZE\nB0wjH3S2anRO5t8E4S/YvXerq8LwtpCMczflLsCZ89LgAeStGGLFgZU53ASmq2dt\nqwQw4dCY4CngwuG/PuCt4nYV6VPgz+V+txpuq/aKQvcuFNhGsRtm4oP/vUlhqZQA\nivnqgO/DveCH5MxW9oMGLnYj4Jkbp0gRyALiqwNRz+HfSgA=\n=3dNe\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/binary.sops.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json
new file mode 100644
index 00000000..aca3918c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json
@@ -0,0 +1,29 @@
+{
+	"foo": "ENC[AES256_GCM,data:yi6Y,iv:Eflygn9pqdyIXQisSPar0rOpdEScU7qo3ux8NDDyhpU=,tag:HwKdjMJaA/PW4N0nyFh/hA==,type:str]",
+	"bar": "ENC[AES256_GCM,data:nccS,iv:U41nqqAV2VpgW9R9rnxxRzN5SRkdvCNd58OQhhuaZYQ=,tag:dvlOpTuZvfvbcfD8HD7zvQ==,type:str]",
+	"baz": {
+		"bar": [
+			"ENC[AES256_GCM,data:CRMt,iv:6s5PcOsmqzNwGSyNGjxPDp1/cTXjp5QCXLC1717xAAw=,tag:NTyJsPgIQzBtTG2Sp4H4PQ==,type:str]",
+			"ENC[AES256_GCM,data:zIZJ,iv:KY4ABl0WieDmYEKUGfeAnDbA8/V79YpWg2bcrwUh0+E=,tag:4je4L70Fc0OmaOlCTjBedg==,type:str]",
+			"ENC[AES256_GCM,data:dbbZ,iv:BQVW4cEMnX+IFz3SXdenlDZv4o1iwpB+ZuFKV6qE0OI=,tag:kdb/8TNjoVvLiw3kna7okg==,type:str]"
+		]
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-08-20T19:29:14Z",
+		"mac": "ENC[AES256_GCM,data:r8ECKCCtb6A3db1SXoaIFS/wTSOvab4Ui5GDHu0CXikCluGOqpWWHaVccdBIG5myvzSJPiLmxuFCaciiAjl4fQJCqrR4cau9Via2Kx7rbQzmXWsqXTCry/ISeqdKS4oQ5UL3+YcPq7mN3zkC8UIrDhc4CCbp9rFYqIKQp8xqnqo=,iv:wU7+lDSdQzfFfCudyfgCagVpmXBIRI1/gVSI/bUxpGk=,tag:kUPCPNkfhfc1ipzYC/sLaw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-08-20T19:27:56Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMAyUpShfNkFB/AQf/eMDcnG0qtwov/cfFAqUv9EE7RmNvipHB2hnnjO2fT1ud\nMZeiBbIZ3R5wWkZFsVHNO+pb3cv+txDDy2e8Td3FHQNZOqJ889D1reeXVVkHnMJ2\nwVJgy91m2f8eERmiRQO+jwa2UFPx80dI84ve8WT3jnxNyvxtrdm14WYNfv5ZOfte\n9IDnpv4YQZQj8BYh+Ag1//bRG7i8OcwBMAngMHbeYrW5WmHB6AH8PwJCqag7wA+5\nu7oRA0VppyIYrGUSogxcaOhhYBGcMVJxzvpIQvlGGC7SSXl4LcuRChRP/pCT5kQy\n44RQXnQTFwJR/l4RXixcQ3fqqgVMj/sOIyOgCFCegtJeAdEYCxDH59fomb5ejvuA\n96G0WlILPirSjvdECOQna/2XFcnKOPUPur0Rn/y9TUN6pIVaCeoJH+Fj6Y4P3Gk2\nJqWWYELsgKKmyf798Nv2yoTts2TYUEOZ374Y3F0HYQ==\n=RgW1\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml
new file mode 100644
index 00000000..29330432
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml
@@ -0,0 +1,33 @@
+foo: ENC[AES256_GCM,data:Ping,iv:+Ehv7ZgqHiqeZfx98xzZskOS31i53AXq79N7OOlCz3Y=,tag:+dhNWa+Se0xPLIbs2OI4OQ==,type:str]
+bar: ENC[AES256_GCM,data:CAdf,iv:JzgxIFcLl9KKP34GfMsZtemIrW8UJOATdML2jTJByak=,tag:X5LI0mDNep1+dfGifRm/DQ==,type:str]
+baz:
+    bar:
+        - ENC[AES256_GCM,data:sCC+,iv:n+Kz+sYPQckZfAiyWYsMde5q7kXCcJcrj6dTcmyTZIg=,tag:8EfSOibdo4W0kDA60iVJoQ==,type:str]
+        - ENC[AES256_GCM,data:ohn1,iv:nSIRsVG1OsOL9tqhswJAMPjqHI/TjX7kU8AnBPwFUMM=,tag:QR1Ja0IRis+mwgtqcMeoVg==,type:str]
+        - ENC[AES256_GCM,data:Bnl0,iv:SVGDhCFup2yeu01pvFMIJPmfmRYmWXdroWF9x5U8WQ4=,tag:lLVSoS8hHW6Yu8RPIcWa3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-08-20T19:27:52Z"
+    mac: ENC[AES256_GCM,data:k1k3lpvr/KN0eaM3Fvf1lECjw1pUym56OY0WMwcGnEyM5SadE8t2LQ3nLd6CLoSqkZSlhmXZdtt2vMnE1gJzfvQ29joKd2GVwEKe0KVHzrwKEaHix48x0WAO7EYgk6g6jn+VFv0GeESZKOpn8niduOAFjr9Fz04UMyyQiC813M4=,iv:F3uwk6/nQSkHDMQSv3roXew3zkyAiL/I2CudS/Bs8ds=,tag:SyA6fZlBM0XLVTk8U5JIQQ==,type:str]
+    pgp:
+        - created_at: "2024-08-20T19:27:21Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAyUpShfNkFB/AQf/YNyhkK7Dws/fuu4TnlzNm21HDbZu5Vbv/l8alB1QJelM
+            NbrtyOnG1SscUoWR567A7SMlXAHIGMJnyNz5rdL1Csl82wY9EHBV3QLy7zhrOvsz
+            GWzs5YFpT4YURzUDqOHuFTodmNQL1J/8/81ROHrH9aV2TdXmFRa4iBjqSvzK45As
+            xMuIV0AY4X54zRwPLXjnS8xlYQZfEY3dpRFeje2X92JsMYo8JZpgw1eVbzXc3+sU
+            pJfQZdiJJYUft7Zxz+5kjXSea3xBPOvoZOCDmFLjSv5nzo9dimmqek+S0rQGUfz7
+            LCcD43uz7KyZneGqrNwx7M2HW8dkH4izUXnDa/EqYNJRAS3X6AWklvBcAsoA20U1
+            i6UJr88mSJKExlZGjyPeTrSr2VBfbebnO+gxPMUK1+TI4qnr5cLwP1TvTOzuJjKw
+            CZUGPN6bA2CrGSgqZ8QsIxVB
+            =8HdX
+            -----END PGP MESSAGE-----
+          fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/extract.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-rep.sh b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-rep.sh
new file mode 100755
index 00000000..74f22ac2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-rep.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--keyservice" ] || [ "$2" != "a" ] || [ "$3" != "--keyservice" ] || [ "$4" != "b" ] || [ "$5" != "--decrypt" ] || [ "$(basename "$6")" != "simple.sops.yaml" ] || [ "$7" != "" ]; then
+    echo "Command (fake-sops-rep): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_SESSION_TOKEN}" != "zzz" ]; then
+    echo "AWS_SESSION_TOKEN is '${AWS_SESSION_TOKEN}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output 3'
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-val.sh b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-val.sh
new file mode 100755
index 00000000..f29b9f7e
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops-val.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--config" ] || [ "$2" != "/path/to/asdf" ] || [ "$3" != "--decrypt" ] || [ "$(basename "$4")" != "simple.sops.yaml" ] || [ "$5" != "" ]; then
+    echo "Command (fake-sops-val): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_SECRET_ACCESS_KEY}" != "yyy" ]; then
+    echo "AWS_SECRET_ACCESS_KEY is '${AWS_SECRET_ACCESS_KEY}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output 2'
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops.sh b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops.sh
new file mode 100755
index 00000000..ac795ed4
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/fake-sops.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+if [ "$1" != "--enable-local-keyservice=false" ] || [ "$2" != "--decrypt" ] || [ "$(basename "$3")" != "simple.sops.yaml" ] || [ "$4" != "" ]; then
+    echo "Command (fake-sops): $*" > /dev/stderr
+    exit 1
+fi
+if [ "${AWS_ACCESS_KEY_ID}" != "xxx" ]; then
+    echo "AWS_ACCESS_KEY_ID is '${AWS_ACCESS_KEY_ID}'" > /dev/stderr
+    exit 1
+fi
+echo 'fake sops output'
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml
new file mode 100644
index 00000000..8ac6f945
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json
new file mode 100644
index 00000000..8ac6f945
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml
new file mode 100644
index 00000000..b6175280
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml
@@ -0,0 +1,26 @@
+data: ENC[AES256_GCM,data:Mf66wk+/MdrPhiG3WMYkfTcs5Fdl,iv:r/CUJSou0b0w3pF7i3heDecV49jn82pTw2oQrMYModI=,tag:y342mhP4BfgsI5feBsJgoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:25:54Z'
+    mac: ENC[AES256_GCM,data:srcP514/YUzHZErkByGupUKTF/QqfbzGkNC4Ojmyks5lHw0yWcz7T0GvuZEvXfrHAKUdBYjgaKvQnmed7CfBg5zlb8PL7Pg8b36WPM27EAJkAJzJG39xBov2u8l6sK7JcXMO31qIgzJDhPGsPfkk8yqs45EQC43DmYKU8dZkVaU=,iv:v8MeNADiPdl4fQPwfMSX12y3M0WoP7+9OXF4BWM8bkM=,tag:bXBIzoRtKydGp56fOTTctQ==,type:str]
+    pgp:
+      - created_at: '2020-10-07T20:25:49Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAb66JsAFfpWA1r11UevicTHKtZ6U8aT4wLlOWK9JilyTc
+            YlS0SfoU8v/CKbTlMndskCQOlhdK7b3LJG294/Gj6+v1bAz/yC9ivxmO/WeLupsl
+            XlcxrbMJcUASq0qsh4XYOhbNt1p47Ay5to8Ov+K/vPwA1a1QbsO5YbtMVrqQGNor
+            SoThRkVQ51yaxvIMStHXqPKuq4hdn4//pa+afThvbCCEopyc4SYbKXgNTX7+l7+N
+            r2LOKzDxg/koVN1HSpQ+kBDXiF4i4zSaBPBXN35Tv1y4vC0KUzdzVWiekMWksOqA
+            5ibGSLPhoOzIIz/Vda2t5o2LMeCaa36VXSbcXoL3i9LgAeQuZoNyyhrfwBOhARbi
+            ge7d4Q+o4ODgOOFSjeCr4msn9j3gCOX4+rKE2e9ZSFmSZzGv2vgWEo+h6qDxN29A
+            m2vhUzvrd+Br5DZRGB3LtEr3O4/lAN8DfwriyUDGKOEKRgA=
+            =4sXd
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary-yaml.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml
new file mode 100644
index 00000000..5f1a9a9b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:oJurKkZjXi4HVqV51shzRbl8,iv:OIg1gqchya6dMQtjYTMBeEfcddQLCtxL+ONnhR0jXEo=,tag:z0toZPLcUG3ZWB/tu59tqQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:46Z",
+		"mac": "ENC[AES256_GCM,data:fIH8AhiNyca43zDcKRFy5vkTHHY/OyWA1LXRCPRUJyHSFu8TQwJJ+7+5c7F/mI3P3exNjWv+sG53VAcxImqRsrd98QhllLJ6OjnVxpwKFTOjLJWfsvPEmoD+TpCnpuKxZSk303j2jCnIJ2cW0gOpPiUjm6LQ7JroMrBXKki71Ss=,iv:qM2PPktRKd7E5e1xmvmJzRaHnIOFk3dkaQ38Gg8idiw=,tag:ki7fs/rDf6vovyqBknVVHA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:39Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAfr3xj1fG9yF91g+WMV1SG1dA+vR+nDkuGdNq3mn88660\nKiXOkEA8A6FrSpstKqsUb9Q6cotYiq3ld3dGPHve0AP9KzWvZEcogCpuk+CKaTnh\nimswI1Rr7jxZ9DecGn2koS07nGhNCXSdy2eAy0pDHpXbJnmb0CgHMXISeXiBZfs8\n19NtCMpcTbek4uR5jhazd0zSZWf1Gxls6pupBNaapwX0YyY+4cxc9O/spgDBd/R8\nrGNVOlA8svOnBQ8G0Ha+mn4p8ia7diSmPorRw1OGT9fJqnveVGsqk71rwem/5lv0\nEGSdXeYazjMP6Vlx0AaVBJFDNas9ozH3FMX2BRqWJNLgAeQE2dWrcbysQIi+QS6v\nfn3a4XYH4BzgcuHoQuAU4jqpMC3gv+UpiN+WK/Vc4Df/iMWQJB9uUm5iEbPRWwQx\n29a574BPbeBk5FxrDyMROm9YKb9GKa0F6WrimK5sdeF6VgA=\n=lJUR\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-binary.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml
new file mode 100644
index 00000000..61dc55e9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml
@@ -0,0 +1,21 @@
+{
+	"a": "ENC[AES256_GCM,data:/Q==,iv:q+yypwZjX2frKGNruAFF+XSnmz+IU3AQ5XuUMWhhyhA=,tag:skm5wsq8a3/EESLVic8yKw==,type:str]",
+	"c": "ENC[AES256_GCM,data:DQ==,iv:JvvR1pXyp6L+i4keXDwLM79oxP6K1nqeGkIC5OgR38c=,tag:QbtjRLx47fN5M4+zaaQBVA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T20:21:33Z",
+		"mac": "ENC[AES256_GCM,data:rbWY/H6bj2UFpybJHqsS02wjy8VMvNvzQUtd6fBMSsvvv1fYWWoULO32LGA635spoFkVyOpX4hipqVyjRfQ1KyP1rNssggaHMz+nRUUFOmiQAcT9wi/Y0IKWjgN1cjI1stCU10b5cfJZQ0SPi/OFC8KcptMaHpfDVF47ZfnprFs=,iv:rVtp2Ti4xHNOWeS4MKju1jFZ/VyE7oXXdTSpp4jSU34=,tag:kd0IeyLXY598kdvSX0+1DA==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T20:21:18Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAPQ6Bn3MlvYUPs+e0njFUoq4AZAhR38BIWGAzTAMeWfIH\n0JZwol5f1leoyKX5Bmye1S+n72zZz3C4FxhSqh80boxNpHuVyeLrAkzv25AaAS8Q\n/9mSYquvJcIL7nWX/QmgTVTaXrqlxZSVva6Slwf7zlaLBqVJfv1RDwT6JEWDIJig\nJp35PKpwRe70IZDGAelcDtJicmjQrvfVhyb1/0kTTv4JdylixVnQdh9X/zw5ZSBG\nusEW/JG9nZ/xzKsEQpafCBLhP80jx3z37zKbsJ+4K2xsBTGQQdU5KdDSnosw/L/b\nHlOCwaMQgb/dQPA5fpwVyGnVas6GK7gQvzznHAiHc9LgAeT0brybsEaAPOuA94/V\nA/ny4cub4Mzg0eFWf+C94i6lS1/gtuWI2PEva3259aEycV6gpYSOoPh3tYlBoVlM\ntj01l2eYfeBn5MNIWuhqfGTL4mLuzfiYsvnigdvTsOEIwgA=\n=yKCo\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-json.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml
new file mode 100644
index 00000000..d3a52a22
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json
new file mode 100644
index 00000000..d3a52a22
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+    -   created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml
new file mode 100644
index 00000000..5ae3291d
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml
@@ -0,0 +1,27 @@
+a: ENC[AES256_GCM,data:lQ==,iv:8RdyROFAynjfYVNniCd0t8OQrFEboZREoBzAAOSudig=,tag:700olmYZs3sRhqcwnzor9A==,type:str]
+c: ENC[AES256_GCM,data:wQ==,iv:11sU7IEMYeDWHwNFsx6CgvUNG8Inc26vujykniuF+dc=,tag:ijRW/zjV+G0w3mwnHp4I8Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-10-07T20:21:14Z'
+    mac: ENC[AES256_GCM,data:QHcAe20/paYldZucaM1PN21K0i5ngS0UxMMryReTi9M40x9J18pNXo8TUoQuq/4iWZqgAKph1/m/u5pTU8LyKTeBX/HGlkWLjYUH521OJoBWJ0gDKHcZ01L3djlPi8Gts0w5MW/hrUlVqE3hyccy32VsCseuQckkq6dWnvtOmw4=,iv:dMqoZy2JhitE9dAwDxaI5q0NIo0N+rTiXjlnZBUG06k=,tag:8D9RcA8RGV6pCq/HLayGWw==,type:str]
+    pgp:
+      - created_at: '2020-10-07T20:21:08Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgAmsvCa83tx8AfOH2cVM4DMNcFSPeR8hQcrILjkvcWqk5s
+            dd9YqTo+b6nxbZGcRUcvMmMOUo8OOIjVGyT7Yk6itLm2AFjY4T40wE2UyNEW3Jys
+            ZG3Tvel28T++FXquMhhs0iqfEOFDwRyOAbW/dDCEfzqmPGnjHNYiiE70EwJ6dlQG
+            xqhmUQrEgcdgBO9fmCsREA8IJt6z1Le1SGAQPhBAYwJU/Gr8OzI5GvlHj8vdLWmJ
+            dSPG62Ju6MhGIpOdkKY6zH/XVRFrP1v1LwJ+kigUFNuSORczITHPGFbH8Mpysp2G
+            uz1y+LX49Ynq1MApJxoCMSapWwYE1nv4w0eDwjLJzdLgAeThTu8/4A029VVXtiu9
+            dxtt4V0i4CPgkuFo0eB34hoAk4fgu+Vpe7jKQlaKKDYG0/hDUVcoEA+GBTO1GpKC
+            I0hrHJt5O+DY5Ecvy/je21+8tQOOfoohMT/i6tB0wuE56wA=
+            =NXWv
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/hidden-yaml.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops
new file mode 100644
index 00000000..a704dbad
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:+x5Q1yGxpgvMQiwwMiCAiU0B5KA7i1eMvuRRxNLpKH0LEEs/7rpOInqKtA==,iv:96ihzWMxW45FqN28BCtX1emDBcXln9FN87Yf8bTlbbA=,tag:a8SiDQjFffOYHwKp5IhU2Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-02T18:14:42Z",
+		"mac": "ENC[AES256_GCM,data:CyLyYbG6rVwT8sRqLxLBuWUrgtUHz8XVwCx7iyiJDL925jzMvkA2ZEYxH6CsiWwc5/7tcFGLDSCjYw3AHD9x42LmsaAefk7F4X55++EI5VZbmSwyHdxCqvMVycKLJm3YXfodos8bbEWDDXhbmMT92uJs7H/IBXywnQHG3qoJWJE=,iv:ljY/d++R5v8VY5Q8nV0lnNwaeuEiKG4VTY8fSgFJD+w=,tag:MEtTIFuiSj8ReQOZNxO1IQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-02T18:11:54Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAblvrgBIPsg01TJjde7YskLvPKC/1jt1kI/eoOQ/KdemW\ngaJf4PIWGzFUxZEXeRzo70HTS+sPTi0TQDDkwOfcNjlGb3dC1KQdIZ1UiuqhL1//\n1G0doMMztEyZ63SOElv3OaWHjcnvmP224rTuFpO6Pm8HHMKEbaw9N7YHObgSdIpk\nfqEP369xj6bk/yQNEuMbgQOk+7LAYPs8na7oxIrdkWrmIlVj5jEz08lVS/FJecty\nUDalNDBkRrqMgTvSAw0vJTzaPzw/V+6WTrHh/0FRvLKJlKOsesaoxahW2/H1Dxmr\npySYTs2omqOtr3RzkCrUXmHijim9DIwg0JsIjo5xytLgAeSjSr9/W1EucekSGbeM\nmYK+4cN/4ILgRuH75OAw4qu0IgrgWuX6Eo7vO2HPrUiFLA/j+7/Bi+HkBZZuMrlR\njhd7C7MQGuD85NF3TzP2hW895ZiDznjWutHi69caRuEeZQA=\n=Aqvj\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/rstrip.sops.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml
new file mode 100644
index 00000000..d7bfc2ea
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml
@@ -0,0 +1,25 @@
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/simple.sops.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml
new file mode 100644
index 00000000..2df12739
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml
@@ -0,0 +1,2 @@
+---
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml.license b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/files/wrong.yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/meta/main.yml
new file mode 100644
index 00000000..b7f89500
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
diff --git a/ansible_collections/community/sops/tests/integration/targets/lookup_sops/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/tasks/main.yml
new file mode 100644
index 00000000..2eedb8e0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/lookup_sops/tasks/main.yml
@@ -0,0 +1,197 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: sops_installed
+  block:
+
+    - name: Test lookup with missing file
+      set_fact:
+        sops_file_does_not_exists: "{{ lookup('community.sops.sops', 'file-does-not-exists.sops.yml') }}"
+      ignore_errors: true
+      register: sops_lookup_missing_file
+
+    - assert:
+        that:
+          - "sops_lookup_missing_file is failed"
+          - "'could not locate file in lookup: file-does-not-exists.sops.yml' in sops_lookup_missing_file.msg"
+
+    - name: Test lookup with missing file with empty_on_not_exist
+      set_fact:
+        sops_file_does_not_exists_empty: "{{ lookup('community.sops.sops', 'file-does-not-exists.sops.yml', empty_on_not_exist=true) }}"
+      register: sops_lookup_missing_file_empty_on_not_exist
+
+    - assert:
+        that:
+          - "sops_lookup_missing_file_empty_on_not_exist is success"
+          - "sops_file_does_not_exists_empty == ''"
+
+    - name: Test lookup of non-sops file
+      set_fact:
+        sops_wrong_file: "{{ lookup('community.sops.sops', 'wrong.yaml') }}"
+      ignore_errors: true
+      register: sops_lookup_wrong_file
+
+    - assert:
+        that:
+          - "sops_lookup_wrong_file is failed"
+          - "'sops metadata not found' in sops_lookup_wrong_file.msg"
+
+    - name: Test simple lookup
+      set_fact:
+        sops_success: "{{ lookup('community.sops.sops', 'simple.sops.yaml') }}"
+      register: sops_lookup_simple
+
+    - assert:
+        that:
+          - "sops_lookup_simple is success"
+          - "sops_success == 'foo: bar'"
+
+    - name: Test extract
+      set_fact:
+        simple_yaml_with_extract: >-
+          {{ lookup('community.sops.sops', 'extract.yaml', extract="['foo']") }}
+        simple_json_with_extract: >-
+          {{ lookup('community.sops.sops', 'extract.json', extract="['bar']") }}
+        nested_yaml_with_extract: >-
+          {{ lookup('community.sops.sops', 'extract.yaml', extract="['baz']['bar'][0]") }}
+        nested_json_with_extract: >-
+          {{ lookup('community.sops.sops', 'extract.json', extract="['baz']['bar'][2]") }}
+      register: sops_lookup_extract
+
+    - assert:
+        that:
+          - "sops_lookup_extract is success"
+          - "simple_yaml_with_extract == 'bar'"
+          - "simple_json_with_extract == 'baz'"
+          - "nested_yaml_with_extract == 'zab'"
+          - "nested_json_with_extract == 'oof'"
+
+    - name: Test rstrip
+      set_fact:
+        with_rstrip: "{{ lookup('community.sops.sops', 'rstrip.sops', rstrip=true) }}"
+        without_rstrip: "{{ lookup('community.sops.sops', 'rstrip.sops', rstrip=false) }}"
+        default_rstrip: "{{ lookup('community.sops.sops', 'rstrip.sops') }}"
+
+    - assert:
+        that:
+          - with_rstrip == 'This file has three newlines at the end.'
+          - without_rstrip == 'This file has three newlines at the end.\n\n\n'
+          - default_rstrip == 'This file has three newlines at the end.'
+
+    - name: Test binary
+      set_fact:
+        binary_with_rstrip: "{{ lookup('community.sops.sops', 'binary.sops', rstrip=true, base64=true) }}"
+        binary_without_rstrip: "{{ lookup('community.sops.sops', 'binary.sops', rstrip=false, base64=true) }}"
+
+    - assert:
+        that:
+          - binary_with_rstrip == 'AQIDAAQ='
+          - binary_without_rstrip == 'AQIDAAQgCg=='
+
+    - name: Test hidden binary
+      set_fact:
+        hidden_binary: "{{ lookup('community.sops.sops', 'hidden-binary', output_type='binary') }}"
+        hidden_binary__json: "{{ lookup('community.sops.sops', 'hidden-binary.json', output_type='binary') }}"
+        hidden_binary__yaml: "{{ lookup('community.sops.sops', 'hidden-binary.yaml', output_type='binary') }}"
+        hidden_binary_yaml: "{{ lookup('community.sops.sops', 'hidden-binary-yaml', input_type='yaml', output_type='binary') }}"
+        hidden_binary_yaml__json: "{{ lookup('community.sops.sops', 'hidden-binary-yaml.json', input_type='yaml', output_type='binary') }}"
+        hidden_binary_yaml__yaml: "{{ lookup('community.sops.sops', 'hidden-binary-yaml.yaml', input_type='yaml', output_type='binary') }}"
+        hidden_json: "{{ lookup('community.sops.sops', 'hidden-json', input_type='json', output_type='json') | from_json }}"
+        hidden_json__json: "{{ lookup('community.sops.sops', 'hidden-json.json', input_type='json', output_type='json') | from_json }}"
+        hidden_json__yaml: "{{ lookup('community.sops.sops', 'hidden-json.yaml', input_type='json', output_type='json') | from_json }}"
+        hidden_yaml: "{{ lookup('community.sops.sops', 'hidden-yaml', input_type='yaml', output_type='yaml') }}"
+        hidden_yaml__json: "{{ lookup('community.sops.sops', 'hidden-yaml.json', input_type='yaml', output_type='yaml') }}"
+        hidden_yaml__yaml: "{{ lookup('community.sops.sops', 'hidden-yaml.yaml', input_type='yaml', output_type='yaml') }}"
+        hidden_json__as_yaml: "{{ lookup('community.sops.sops', 'hidden-json', input_type='json', output_type='yaml') }}"
+        hidden_json__json__as_yaml: "{{ lookup('community.sops.sops', 'hidden-json.json', input_type='json', output_type='yaml') }}"
+        hidden_json__yaml__as_yaml: "{{ lookup('community.sops.sops', 'hidden-json.yaml', input_type='json', output_type='yaml') }}"
+        hidden_yaml__as_json: "{{ lookup('community.sops.sops', 'hidden-yaml', input_type='yaml', output_type='json') | from_json }}"
+        hidden_yaml__json__as_json: "{{ lookup('community.sops.sops', 'hidden-yaml.json', input_type='yaml', output_type='json') | from_json }}"
+        hidden_yaml__yaml__as_json: "{{ lookup('community.sops.sops', 'hidden-yaml.yaml', input_type='yaml', output_type='json') | from_json }}"
+
+    - assert:
+        that:
+          - hidden_binary == test_str_abcd
+          - hidden_binary__json == test_str_abcd
+          - hidden_binary__yaml == test_str_abcd
+          - hidden_binary_yaml == test_str_binary_data
+          - hidden_binary_yaml__json == test_str_binary_data
+          - hidden_binary_yaml__yaml == test_str_binary_data
+          - hidden_json == test_dict
+          - hidden_json__json == test_dict
+          - hidden_json__yaml == test_dict
+          - hidden_yaml == test_dict_yaml
+          - hidden_yaml__json == test_dict_yaml
+          - hidden_yaml__yaml == test_dict_yaml
+          - hidden_json__as_yaml == test_dict_yaml
+          - hidden_json__json__as_yaml == test_dict_yaml
+          - hidden_json__yaml__as_yaml == test_dict_yaml
+          - hidden_yaml__as_json == test_dict
+          - hidden_yaml__json__as_json == test_dict
+          - hidden_yaml__yaml__as_json == test_dict
+      vars:
+        test_dict:
+          a: b
+          c: d
+        test_dict_yaml:
+          "a: b\nc: d"
+        test_str_binary_data: This is binary data.
+        test_str_abcd: a is b, and c is d
+
+    - name: Test fake sops binary (lookup parameters)
+      set_fact:
+        fake_sops_output: "{{ lookup('community.sops.sops', 'simple.sops.yaml', sops_binary=role_path ~ '/files/fake-sops.sh', enable_local_keyservice=False, aws_access_key_id='xxx') }}"
+        fake_sops_output_2: "{{ lookup('community.sops.sops', 'simple.sops.yaml', sops_binary=role_path ~ '/files/fake-sops-val.sh', config_path='/path/to/asdf', aws_secret_access_key='yyy') }}"
+        fake_sops_output_3: "{{ lookup('community.sops.sops', 'simple.sops.yaml', sops_binary=role_path ~ '/files/fake-sops-rep.sh', keyservice=['a', 'b'], aws_session_token='zzz') }}"
+
+    - assert:
+        that:
+          - fake_sops_output == 'fake sops output'
+          - fake_sops_output_2 == 'fake sops output 2'
+          - fake_sops_output_3 == 'fake sops output 3'
+
+    - name: Work around Ansible bug for next test
+      # https://github.com/ansible/ansible/issues/73268
+      set_fact:
+        sops_binary: "{{ role_path }}/files/fake-sops.sh"
+    - name: Test fake sops binary (Ansible variables, 1/3)
+      set_fact:
+        fake_sops_output: "{{ lookup('community.sops.sops', 'simple.sops.yaml') }}"
+      vars:
+        # sops_binary: "{{ role_path }}/files/fake-sops.sh"
+        sops_enable_local_keyservice: false
+        sops_aws_access_key_id: xxx
+
+    - name: Work around Ansible bug for next test
+      # https://github.com/ansible/ansible/issues/73268
+      set_fact:
+        sops_binary: "{{ role_path }}/files/fake-sops-val.sh"
+    - name: Test fake sops binary (Ansible variables, 2/3)
+      set_fact:
+        fake_sops_output_2: "{{ lookup('community.sops.sops', 'simple.sops.yaml') }}"
+      vars:
+        # sops_binary: "{{ role_path }}/files/fake-sops-val.sh"
+        sops_config_path: /path/to/asdf
+        sops_aws_secret_access_key: yyy
+
+    - name: Work around Ansible bug for next test
+      # https://github.com/ansible/ansible/issues/73268
+      set_fact:
+        sops_binary: "{{ role_path }}/files/fake-sops-rep.sh"
+    - name: Test fake sops binary (Ansible variables, 3/3)
+      set_fact:
+        fake_sops_output_3: "{{ lookup('community.sops.sops', 'simple.sops.yaml') }}"
+      vars:
+        # sops_binary: "{{ role_path }}/files/fake-sops-rep.sh"
+        sops_keyservice:
+          - a
+          - b
+        sops_session_token: zzz
+
+    - assert:
+        that:
+          - fake_sops_output == 'fake sops output'
+          - fake_sops_output_2 == 'fake sops output 2'
+          - fake_sops_output_3 == 'fake sops output 3'
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_latest/aliases b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/aliases
new file mode 100644
index 00000000..9493a6ee
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/install/3
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_latest/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/meta/main.yml
new file mode 100644
index 00000000..2fcd152f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_latest/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/tasks/main.yml
new file mode 100644
index 00000000..5f7952ae
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_latest/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Show some basic system info
+  debug:
+    msg: |
+      Architecture: {{ ansible_architecture }}
+      OS family: {{ ansible_os_family }}
+      Distribution: {{ ansible_distribution }}
+      Distribution version: {{ ansible_distribution_version }}
+
+- name: Install latest sops
+  include_role:
+    name: community.sops.install
+  vars:
+    sops_version: latest
+    sops_github_token: "{{ github_token | default('') }}"
+    sops_github_latest_detection: "{{ github_latest_detection | default('auto') }}"
+
+- name: Figure out sops version
+  command:
+    cmd: sops --version
+  register: output
+
+- name: Print sops version
+  debug:
+    msg: '{{ output.stdout_lines | first }}'
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/aliases b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/aliases
new file mode 100644
index 00000000..c8f115fa
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/install/2
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/meta/main.yml
new file mode 100644
index 00000000..2fcd152f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/tasks/main.yml
new file mode 100644
index 00000000..a68c2251
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_localhost_remote/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Show some basic system info
+  debug:
+    msg: |
+      Architecture: {{ ansible_architecture }}
+      OS family: {{ ansible_os_family }}
+      Distribution: {{ ansible_distribution }}
+      Distribution version: {{ ansible_distribution_version }}
+
+- vars:
+    sops_version_1: "{{ '3.7.3' if ansible_architecture == 'x86_64' else '3.9.2' }}"
+    sops_version_2: "{{ '3.7.0' if ansible_architecture == 'x86_64' else '3.8.1' }}"
+  block:
+    - name: Install sops {{ sops_version_1 }} on localhost
+      include_role:
+        name: community.sops.install
+      vars:
+        sops_version: "{{ sops_version_1 }}"
+        sops_install_on_localhost: true
+        sops_github_token: "{{ github_token | default('') | string }}"
+
+    - name: Install sops {{ sops_version_2 }} on remote
+      include_role:
+        name: community.sops.install
+      vars:
+        sops_version: "{{ sops_version_2 }}"
+        sops_install_on_localhost: false
+        sops_github_token: "{{ github_token | default('') | string }}"
+
+    - name: Figure out sops version on localhost
+      command:
+        cmd: sops --version
+      delegate_to: localhost
+      register: output_localhost
+
+    - name: Figure out sops version on remote host
+      command:
+        cmd: sops --version
+      register: output_remote
+
+    - name: Check sops version
+      assert:
+        that:
+          - >-
+            ('sops ' ~ sops_version_1) in output_localhost.stdout
+          - >-
+            ('sops ' ~ sops_version_2) in output_remote.stdout
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_version/aliases b/ansible_collections/community/sops/tests/integration/targets/role_install_version/aliases
new file mode 100644
index 00000000..eb3fa263
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_version/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/install/1
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_version/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_version/meta/main.yml
new file mode 100644
index 00000000..2fcd152f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_version/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/sops/tests/integration/targets/role_install_version/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/role_install_version/tasks/main.yml
new file mode 100644
index 00000000..4b2a7e80
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/role_install_version/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Show some basic system info
+  debug:
+    msg: |
+      Architecture: {{ ansible_architecture }}
+      OS family: {{ ansible_os_family }}
+      Distribution: {{ ansible_distribution }}
+      Distribution version: {{ ansible_distribution_version }}
+
+- vars:
+    sops_version_1: "{{ '3.7.3' if ansible_architecture == 'x86_64' else '3.9.2' }}"
+    sops_version_2: "{{ '3.7.0' if ansible_architecture == 'x86_64' else '3.8.1' }}"
+    sops_version_3: 3.8.0-rc.1
+  block:
+    - name: Install sops {{ sops_version_1 }}
+      include_role:
+        name: community.sops.install
+      vars:
+        sops_version: "{{ sops_version_1 }}"
+        sops_github_token: "{{ github_token | default('') | string }}"
+
+    - name: Figure out sops version
+      command:
+        cmd: sops --version
+      register: output
+
+    - name: Check sops version
+      assert:
+        that:
+          - >-
+            ('sops ' ~ sops_version_1) in output.stdout
+
+    - name: Install sops {{ sops_version_2 }}
+      include_role:
+        name: community.sops.install
+      vars:
+        sops_version: "{{ sops_version_2 }}"
+        sops_github_token: "{{ github_token | default('') | string }}"
+
+    - name: Figure out sops version
+      command:
+        cmd: sops --version
+      register: output
+
+    - name: Check sops version
+      assert:
+        that:
+          - >-
+            ('sops ' ~ sops_version_2) in output.stdout
+
+    - name: Install sops {{ sops_version_3 }}
+      include_role:
+        name: community.sops.install
+      vars:
+        sops_version: "{{ sops_version_3 }}"
+        sops_github_token: "{{ github_token | default('') | string }}"
+
+    - name: Figure out sops version
+      command:
+        cmd: sops --version --disable-version-check
+      register: output
+
+    - name: Check sops version
+      assert:
+        that:
+          - >-
+            ('sops ' ~ sops_version_3) == output.stdout
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/archlinux.yml b/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/archlinux.yml
new file mode 100644
index 00000000..f471cc19
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/archlinux.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Since Arch Linux is a rolling distribution, it regularly needs its packages upgraded, otherwise some tests might
+# stop working due to conflicts during package installation. Since there is no good way to do this on container
+# startup time, we use the setup_pkg_mgr setup role to do this once per CI run (hopefully). In case the Arch Linux
+# tests are run outside of a container, we're using a date-based tag (see below) to avoid this running more than
+# once per day.
+
+- name: Create tag
+  copy:
+    dest: /tmp/.ansible_archlinux_sysupgrade_tag
+    content: |
+      Last ArchLinux system upgrade by integration tests was done on {{ ansible_facts.date_time.date }}.
+  register: archlinux_upgrade_tag
+
+- name: Upgrade all packages
+  pacman:
+    update_cache: true
+    upgrade: true
+  when: archlinux_upgrade_tag is changed
+
+- name: Remove EXTERNALLY-MANAGED file
+  file:
+    path: /usr/lib/python{{ ansible_python.version.major }}.{{ ansible_python.version.minor }}/EXTERNALLY-MANAGED
+    state: absent
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/main.yml
new file mode 100644
index 00000000..5b4c0be3
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_pkg_mgr/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: ansible_os_family == "Archlinux"
+  block:
+    - name: ArchLinux specific setup
+      include_tasks: archlinux.yml
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml
new file mode 100644
index 00000000..f1c55b04
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: delete temporary directory
+  include_tasks: default-cleanup.yml
+
+- name: delete temporary directory (windows)
+  include_tasks: windows-cleanup.yml
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml
new file mode 100644
index 00000000..cc74b70a
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default-cleanup.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: delete temporary directory
+  file:
+    path: "{{ remote_tmp_dir }}"
+    state: absent
+  no_log: true
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml
new file mode 100644
index 00000000..c9d871c6
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/default.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: create temporary directory
+  tempfile:
+    state: directory
+    suffix: .test
+  register: remote_tmp_dir
+  notify:
+    - delete temporary directory
+
+- name: record temporary directory
+  set_fact:
+    remote_tmp_dir: "{{ remote_tmp_dir.path }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml
new file mode 100644
index 00000000..babbdad0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_remote_tmp_dir/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: make sure we have the ansible_os_family and ansible_distribution_version facts
+  setup:
+    gather_subset: distribution
+  when: ansible_facts == {}
+
+- include_tasks: "{{ lookup('first_found', files)}}"
+  vars:
+    files:
+      - "{{ ansible_os_family | lower }}.yml"
+      - "default.yml"
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_sops/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/setup_sops/meta/main.yml
new file mode 100644
index 00000000..2fcd152f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_sops/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_pkg_mgr
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/install.yml b/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/install.yml
new file mode 100644
index 00000000..087f26e6
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/install.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Show some basic system info
+  debug:
+    msg: |
+      Architecture: {{ ansible_architecture }}
+      OS family: {{ ansible_os_family }}
+      Distribution: {{ ansible_distribution }}
+      Distribution version: {{ ansible_distribution_version }}
+
+- name: Install SOPS on localhost
+  include_role:
+    name: community.sops.install
+  vars:
+    sops_install_on_localhost: true
+    sops_version: '{{ override_sops_version | default("latest") }}'
+    sops_github_token: "{{ github_token | default('') | string }}"
+
+- name: Install age on localhost
+  include_role:
+    name: community.sops._install_age
+  vars:
+    sops_install_on_localhost: true
+
+- name: Get temporary filename for SOPS test GPG key
+  ansible.builtin.tempfile:
+    prefix: sops-functional-tests-key.
+    suffix: .asc
+  register: _tempfile
+  delegate_to: localhost
+
+- name: Download SOPS test GPG key on localhost
+  get_url:
+    headers:
+      Accept: application/vnd.github+json
+      Authorization: "{{ ('Bearer ' ~ github_token) if github_token is defined and github_token else '' }}"
+    url: https://raw.githubusercontent.com/getsops/sops/master/pgp/sops_functional_tests_key.asc
+    dest: "{{ _tempfile.path }}"
+    force: true
+  delegate_to: localhost
+
+- name: Import SOPS test GPG key on localhost
+  command: gpg --import {{ _tempfile.path | ansible.builtin.quote }}
+  failed_when: false
+  delegate_to: localhost
+
+# ---------------------------------------------------------------------------
+
+- name: Install SOPS on remote
+  include_role:
+    name: community.sops.install
+  vars:
+    sops_version: '{{ override_sops_version | default("latest") }}'
+    sops_github_token: "{{ github_token | default('') | string }}"
+
+- name: Install age on remote
+  include_role:
+    name: community.sops._install_age
+
+- name: Get temporary filename for SOPS test GPG key
+  ansible.builtin.tempfile:
+    prefix: sops-functional-tests-key.
+    suffix: .asc
+  register: _tempfile
+
+- name: Download SOPS test GPG key on remote
+  get_url:
+    headers:
+      Accept: application/vnd.github+json
+      Authorization: "{{ ('Bearer ' ~ github_token) if github_token is defined and github_token else '' }}"
+    url: https://raw.githubusercontent.com/getsops/sops/master/pgp/sops_functional_tests_key.asc
+    dest: "{{ _tempfile.path }}"
+    force: true
+
+- name: Import SOPS test GPG key on remote
+  command: gpg --import {{ _tempfile.path | ansible.builtin.quote }}
+  failed_when: false
diff --git a/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/main.yml
new file mode 100644
index 00000000..90c672f7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/setup_sops/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Show some basic system info
+  debug:
+    msg: |
+      Architecture: {{ ansible_architecture }}
+      OS family: {{ ansible_os_family }}
+      Distribution: {{ ansible_distribution }}
+      Distribution version: {{ ansible_distribution_version }}
+
+- name: Test whether sops is installed
+  command: sops --help
+  failed_when: false
+  changed_when: false
+  register: sops_help_command
+
+- name: Install sops
+  include_tasks: install.yml
+  when: sops_help_command.rc != 0
+
+- name: Skip sops installation
+  when: sops_help_command.rc == 0
+  block:
+    - name: Test whether age is installed
+      command: age --version
+      failed_when: false
+      changed_when: false
+      register: age_version_command
+
+    - name: Set results
+      set_fact:
+        sops_installed: true
+        age_installed: '{{ age_version_command.rc == 0 }}'
+
+- name: Determine SOPS versions
+  when: sops_version_remote is not defined or sops_version_controller is not defined
+  block:
+    - name: Determine SOPS version on remote
+      command: sops --version --disable-version-check
+      changed_when: false
+      ignore_errors: true
+      register: sops_version_remote_tmp
+
+    - name: Determine SOPS version on remote, try 2
+      command: sops --version
+      changed_when: false
+      register: sops_version_remote_tmp_2
+      when: sops_version_remote_tmp is failed
+
+    - name: Determine SOPS version on controller
+      command: sops --version --disable-version-check
+      delegate_to: localhost
+      changed_when: false
+      ignore_errors: true
+      register: sops_version_controller_tmp
+
+    - name: Determine SOPS version on controller, try 2
+      command: sops --version {{ '--disable-version-check' if sops_version_controller_tmp is not defined else '' }}
+      delegate_to: localhost
+      changed_when: false
+      register: sops_version_controller_tmp_2
+      when: sops_version_controller_tmp is failed
+
+    - name: Set versions
+      set_fact:
+        sops_version_remote: >-
+          {{
+            (sops_version_remote_tmp_2 if sops_version_remote_tmp is failed else sops_version_remote_tmp).stdout_lines[0]
+            | regex_replace(".*sops ([0-9]+\.[0-9]+\.[0-9]+).*", "\1")
+            | trim
+          }}
+        sops_version_controller: >-
+          {{
+            (sops_version_controller_tmp_2 if sops_version_controller_tmp is failed else sops_version_controller_tmp).stdout_lines[0]
+            | regex_replace(".*sops ([0-9]+\.[0-9]+\.[0-9]+).*", "\1")
+            | trim
+          }}
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/aliases b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/aliases
new file mode 100644
index 00000000..3a9daf6c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/aliases
@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/.sops.yaml
new file mode 100644
index 00000000..64b47f7d
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/.sops.yaml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - path_regex: test_json
+    unencrypted_regex: ^key1$
+    pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml
new file mode 100644
index 00000000..d6d7f7f2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:Gw==,iv:zVZEcknNNtMsjB7jLYUZglzdLIrHS658uwjOD4Kth6A=,tag:gzP41dCGjBAedV+XiQFepw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-10-07T19:25:02Z",
+		"mac": "ENC[AES256_GCM,data:KnhqQH9rRqJ0XC40qhI79WtNBSiE9ym3SO58Bw09Bev9kq6uMVxAm9iOZvjQazOupELHaJiLO6fWT3FCoZfiU0IJBkN8JzFsKr2C59UH4B8f0RJZhNrAJ3AriBFPateFneDbrwjld0xEhP+2f286yIFv/xc/DEEPduIKRvkVN4I=,iv:yg06T0+gQ4j+bF3NAxQqwwPlJGBCcHTV6APzKT1x334=,tag:cVQ7oAh0HJ2rM8b6gVpdUg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-10-07T19:24:59Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgApb3VzPV0KmRyGRSiqPVRaM0cBthJtHu9H22QGXFAb8X/\nBLPXFBlFoFKbg9eUzG0EfKDzF1f5Aeeme3Fq6cGjmtU1oyynQLFtb3369zAC+Itf\nZo3u8pjC8YDPg2NpEFrAg4YZgVIr56UdEjjC4CDvzgYd08WCIYABIO6iedSneTh2\nBcqCDc5WY5vzUnon29kUnpolOPHXjDE3PHCynbdoELrlYY3lmw4ymD0sBdtcBDER\nAtM4s3Xz7C5XhF134GmxMdQ5P/QdxSR2L1vgludDs8/Q62OxSGw3vnLXFXkHmaBQ\nxYrt+0ehNAreL/TaR5em0Bu3Bk00RxmQnrUFLc1G2dLgAeRUspltx0tjMT7eiBxx\nwQ0I4W5u4PvgVOGSG+Bp4uin1nXgduUcQnRT3Dmr1EpBbDAhZ9ldlthrxk7Ir15H\ndEJxe7jtsOAk5HlYOWliZOyFb2JtqtNqMGjimD4JPeEXOgA=\n=eh24\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml.license b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/wrong.yaml b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/wrong.yaml
new file mode 100644
index 00000000..3f3fff63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/wrong.yaml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/meta/main.yml
new file mode 100644
index 00000000..344e8b86
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
+  - setup_remote_tmp_dir
diff --git a/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/tasks/main.yml b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/tasks/main.yml
new file mode 100644
index 00000000..077b4bbc
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/sops_encrypt/tasks/main.yml
@@ -0,0 +1,425 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- when: sops_installed
+  block:
+    - name: Place .sops.yaml
+      copy:
+        src: ".sops.yaml"
+        dest: "{{ remote_tmp_dir }}/.sops.yaml"
+
+    - name: Define test objects
+      set_fact:
+        text_value_1: This is a text.
+        text_value_2: |+
+          This is another text!
+
+          it has two newlines at the end.
+
+        binary_value_1_b64: 'AQIDAAQ='
+        binary_value_2_b64: 'AQIDAAQgCg=='
+        json_value_1:
+          key1: value1
+          key2:
+            - value2.1
+            - value2.2
+        json_value_2:
+          key1: value1
+          key3:
+            - value3.1
+            - value3.2
+            - value3.3
+            - value3.4
+
+    # Invalid Base64
+
+    - name: Create binary file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_bad_base64"
+        content_binary: This is not Base64
+      register: result_not_base64
+      failed_when: result_not_base64 is not failed
+
+    - assert:
+        that:
+          - '"Cannot decode Base64 encoded data" in result_not_base64.msg'
+
+    # Broken file overwrite
+
+    - name: Place broken file
+      copy:
+        dest: "{{ remote_tmp_dir }}/broken"
+        content: I'm not sops encrypted
+
+    - name: Cannot decode existing file (overwrite, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/broken"
+        content_text: Test
+      register: result_cannot_decode_check
+      failed_when: result_cannot_decode_check is not failed
+      check_mode: true
+
+    - name: Cannot decode existing file (overwrite)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/broken"
+        content_text: Test
+      register: result_cannot_decode
+      failed_when: result_cannot_decode is not failed
+
+    - name: Cannot decode existing file (force, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/broken"
+        content_text: Test
+        force: true
+      register: result_cannot_decode_force_check
+      check_mode: true
+
+    - name: Cannot decode existing file (force)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/broken"
+        content_text: Test
+        force: true
+      register: result_cannot_decode_force
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/broken' }}"
+      register: slurp
+    - set_fact:
+        value: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') }}"
+
+    - assert:
+        that:
+          - result_cannot_decode_force_check is changed
+          - result_cannot_decode_force is changed
+          - value == 'Test'
+
+    # Text content
+
+    - name: Create text file (check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_1 }}"
+      check_mode: true
+      register: result_check
+
+    - name: Create text file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_1 }}"
+      register: result
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_text' }}"
+      register: slurp
+    - set_fact:
+        value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') }}"
+
+    - name: Create text file (idempotency, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_1 }}"
+      check_mode: true
+      register: result_idempotent_check
+
+    - name: Create text file (idempotency)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_1 }}"
+      register: result_idempotent
+
+    - name: Create text file (change, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_2 }}"
+      check_mode: true
+      register: result_change_check
+
+    - name: Create text file (change)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_text"
+        content_text: "{{ text_value_2 }}"
+      register: result_change
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_text' }}"
+      register: slurp
+    - set_fact:
+        value_2: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=false, output_type='binary') }}"
+
+    - assert:
+        that:
+          - result_check is changed
+          - result is changed
+          - value_1 == text_value_1
+          - result_idempotent_check is not changed
+          - result_idempotent is not changed
+          - result_change_check is changed
+          - result_change is changed
+          - value_2 == text_value_2
+
+    # Binary content
+
+    - name: Create binary file (check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_1_b64 }}"
+      check_mode: true
+      register: result_check
+
+    - name: Create binary file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_1_b64 }}"
+      register: result
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_binary' }}"
+      register: slurp
+    - set_fact:
+        value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') | b64encode }}"
+
+    - name: Create binary file (idempotency, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_1_b64 }}"
+      check_mode: true
+      register: result_idempotent_check
+
+    - name: Create binary file (idempotency)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_1_b64 }}"
+      register: result_idempotent
+
+    - name: Create binary file (change, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_2_b64 }}"
+      check_mode: true
+      register: result_change_check
+
+    - name: Create binary file (change)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_binary"
+        content_binary: "{{ binary_value_2_b64 }}"
+      register: result_change
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_binary' }}"
+      register: slurp
+    - set_fact:
+        value_2: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=false, output_type='binary') | b64encode }}"
+
+    - assert:
+        that:
+          - result_check is changed
+          - result is changed
+          - value_1 == binary_value_1_b64
+          - result_idempotent_check is not changed
+          - result_idempotent is not changed
+          - result_change_check is changed
+          - result_change is changed
+          - value_2 == binary_value_2_b64
+
+    # JSON content
+
+    - name: Create JSON file (check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_1 }}"
+      check_mode: true
+      register: result_check
+
+    - name: Create JSON file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_1 }}"
+      register: result
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_json' }}"
+      register: slurp
+    - set_fact:
+        value_1_raw: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | b64encode }}"
+        value_1: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | from_json }}"
+
+    - name: "SOPS 3.9.0+: check whether path_regex in .sops.yaml works"
+      assert:
+        that:
+          - >-
+            '"key1": "value1"' in slurp.content | b64decode
+          - >-
+            '"unencrypted_regex": "^key1$"' in slurp.content | b64decode
+      when: sops_version_remote is version('3.9.0', '>=')
+    - name: "SOPS before 3.9.0: check whether path_regex in .sops.yaml did not work"
+      assert:
+        that:
+          - >-
+            '"key1": "value1"' not in slurp.content | b64decode
+          - >-
+            '"unencrypted_regex": "^key1$"' not in slurp.content | b64decode
+      when: sops_version_remote is version('3.9.0', '<')
+
+    - name: Create JSON file (idempotency, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_1 }}"
+      check_mode: true
+      register: result_idempotent_check
+
+    - name: Create JSON file (idempotency)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_1 }}"
+      register: result_idempotent
+
+    - name: Create JSON file (change, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_2 }}"
+      check_mode: true
+      register: result_change_check
+
+    - name: Create JSON file (change)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json"
+        content_json: "{{ json_value_2 }}"
+      register: result_change
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_json' }}"
+      register: slurp
+    - set_fact:
+        value_2: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | from_json }}"
+
+    - name: Place broken JSON file
+      copy:
+        src: "broken-json-yaml"
+        dest: "{{ remote_tmp_dir }}/test_json_broken"
+
+    - name: Update broken JSON file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_json_broken"
+        content_json: "{{ json_value_1 }}"
+      register: result_broken_change
+
+    - assert:
+        that:
+          - result_check is changed
+          - result is changed
+          - (value_1_raw | b64decode).startswith('{')
+          - value_1 == json_value_1
+          - result_idempotent_check is not changed
+          - result_idempotent is not changed
+          - result_change_check is changed
+          - result_change is changed
+          - value_2 == json_value_2
+          - result_broken_change is changed
+
+    # YAML content
+
+    - name: Create YAML file (check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_1 }}"
+      check_mode: true
+      register: result_check
+
+    - name: Create YAML file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_1 }}"
+      register: result
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_yaml' }}"
+      register: slurp
+    - set_fact:
+        value_1_raw: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | b64encode }}"
+        value_1: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | from_yaml }}"
+
+    - name: Create YAML file (idempotency, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_1 }}"
+      check_mode: true
+      register: result_idempotent_check
+
+    - name: Create YAML file (idempotency)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_1 }}"
+      register: result_idempotent
+
+    - name: Create YAML file (change, check mode)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_2 }}"
+      check_mode: true
+      register: result_change_check
+
+    - name: Create YAML file (change)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml"
+        content_yaml: "{{ json_value_2 }}"
+      register: result_change
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_yaml' }}"
+      register: slurp
+    - set_fact:
+        value_2: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | from_yaml }}"
+
+    - name: Place broken YAML file
+      copy:
+        src: "broken-json-yaml"
+        dest: "{{ remote_tmp_dir }}/test_yaml_broken"
+
+    - name: Update broken YAML file
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_yaml_broken"
+        content_json: "{{ json_value_1 }}"
+      register: result_broken_change
+
+    - assert:
+        that:
+          - result_check is changed
+          - result is changed
+          - not (value_1_raw | b64decode).startswith('{')
+          - value_1 == json_value_1
+          - result_idempotent_check is not changed
+          - result_idempotent is not changed
+          - result_change_check is changed
+          - result_change is changed
+          - value_2 == json_value_2
+          - result_broken_change is changed
+
+    # Output type JSON
+
+    - name: Create text file with output type JSON
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_output_type.json"
+        content_text: "{{ text_value_1 }}"
+      register: result
+
+    - slurp:
+        src: "{{ remote_tmp_dir ~ '/test_output_type.json' }}"
+      register: slurp
+    - set_fact:
+        value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='json') | from_json }}"
+        value_2: "{{ slurp.content | b64decode | from_json }}"
+
+    - name: Create text file with output type JSON (idempotency)
+      community.sops.sops_encrypt:
+        path: "{{ remote_tmp_dir }}/test_output_type.json"
+        content_text: "{{ text_value_1 }}"
+      register: result_idem
+
+    - assert:
+        that:
+          - result_idem is not changed
+          - value_1.data == text_value_1
+          - '"data" in value_2'
+          - value_2.data.startswith('ENC[')
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/.gitignore b/ansible_collections/community/sops/tests/integration/targets/vars_sops/.gitignore
new file mode 100644
index 00000000..d35533bf
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/.gitignore
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+*/out
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/.sops.yaml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/.sops.yaml
new file mode 100644
index 00000000..3660222c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/.sops.yaml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+creation_rules:
+  - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/README.md b/ansible_collections/community/sops/tests/integration/targets/vars_sops/README.md
new file mode 100644
index 00000000..dad222e7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/README.md
@@ -0,0 +1,26 @@
+<!--
+Copyright (c) Ansible Project
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+## How the tests work
+
+`ansible-test integration --docker ubuntu1804 -v var_sops` essentially executes `runme.sh`. That script does:
+
+1. Make sure it isn't run for Ansible 2.9 (which does not support vars plugins);
+2. Use the `setup.yml` playbook to install the requirements (sops);
+3. Look at all subdirectories called `test-*`, and for each of them:
+   1. Execute the playbook `playbook.yml` in it;
+   2. Call `validate.sh` in it with parameters `<exit_code> <path_to_captured_output>`;
+   3. If `validate.sh` exists with an exit code not equal to 0, the test has failed.
+
+## Adding more tests
+
+If possible, extend an existing test. If that's not possible, or if you are afraid to pollute one's test environment with more data, create a new one:
+
+1. Create a subdirectory `test-<name_of_your_test>`;
+2. Create a `playbook.yml` and `validate.sh` in there (copy from a similar test and adjust);
+3. Create subdirectories `group_vars` and/or `host_vars` and fill them as needed.
+
+For creating sops encrypted files, use the private GPG keys from https://raw.githubusercontent.com/getsops/sops/master/pgp/sops_functional_tests_key.asc. There is a `.sops.yaml` file in this directory which makes sure that sops automatically uses the correct one of the keys provided in that file.
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/aliases b/ansible_collections/community/sops/tests/integration/targets/vars_sops/aliases
new file mode 100644
index 00000000..977ec388
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/aliases
@@ -0,0 +1,9 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd
+skip/python2.6  # lookups are controller only, and we no longer support Python 2.6 on the controller
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/meta/main.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/meta/main.yml
new file mode 100644
index 00000000..b7f89500
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-test.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-test.sh
new file mode 100755
index 00000000..fa937d54
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-test.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$(command -v sops)" == "" ]; then
+    echo "sops is not installed"
+    exit 1
+fi
+
+if [ $# -lt 2 ]; then
+    echo "First parameter must be test name, second parameter the SOPS version!"
+    exit 1
+fi
+TEST="$1"
+SOPS_VERSION="$2"
+
+if [ -e "${TEST}/min-version" ]; then
+    MIN_VERSION="$(cat "${TEST}/min-version")"
+    if [ "$(echo -e "${SOPS_VERSION}\n${MIN_VERSION}" | sort -V | head -1)" != "${MIN_VERSION}" ]; then
+        exit
+    fi
+fi
+if [ -e "${TEST}/max-version" ]; then
+    MAX_VERSION="$(cat "${TEST}/max-version")"
+    if [ "$(echo -e "${SOPS_VERSION}\n${MAX_VERSION}" | sort -V | head -1)" != "${SOPS_VERSION}" ]; then
+        exit
+    fi
+fi
+
+shift 2
+
+(
+    cd "${TEST}"
+    if [ -x "setup.sh" ]; then
+        ./setup.sh
+    fi
+    if [ -x "run.sh" ]; then
+        ANSIBLE_VARS_ENABLED=host_group_vars,community.sops.sops ./run.sh "$@" 2>&1 | tee out
+        RESULT=${PIPESTATUS[0]}
+    else
+        ANSIBLE_VARS_ENABLED=host_group_vars,community.sops.sops ansible-playbook playbook.yml -i hosts -v "$@" 2>&1 | tee out
+        RESULT=${PIPESTATUS[0]}
+    fi
+    ./validate.sh "${RESULT}" out
+)
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-tests.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-tests.sh
new file mode 100755
index 00000000..002f2b19
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/run-tests.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$(command -v sops)" == "" ]; then
+    echo "sops is not installed"
+    exit 1
+fi
+
+# Get hold of SOPS version
+set +e
+SOPS_VERSION_RAW="$(sops --version --disable-version-check)" || SOPS_VERSION_RAW="$(sops --version)"
+set -e
+SOPS_VERSION="$(echo "${SOPS_VERSION_RAW}" | sed -E 's/^sops ([0-9.]+).*/\1/g')"
+
+# Run all tests
+for TEST in $(find . -maxdepth 1 -type d -name 'test-*' | sort); do
+    ./run-test.sh "${TEST}" "${SOPS_VERSION}" "$@"
+done
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/runme.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/runme.sh
new file mode 100755
index 00000000..eb17d081
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/runme.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+# Install sops
+ANSIBLE_ROLES_PATH=.. ansible-playbook setup.yml
+
+if [ "$(command -v sops)" == "" ]; then
+    # sops was not installed
+    exit
+fi
+
+./run-tests.sh
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/setup.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/setup.yml
new file mode 100644
index 00000000..d1a65821
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/setup.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  tasks:
+    - name: Setup sops
+      import_role:
+        name: setup_sops
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/group_vars/all.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/group_vars/all.sops.yml
new file mode 100644
index 00000000..3f3fff63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/group_vars/all.sops.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/playbook.yml
new file mode 100644
index 00000000..b5329165
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/playbook.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was found
+      debug:
+        msg: '{{ foo }}'
+    - name: Make sure group_vars/all/test.sops.yaml was found
+      debug:
+        msg: '{{ bar }}'
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/run.sh
new file mode 100755
index 00000000..07d08ebb
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_HANDLE_UNENCRYPTED_FILES=error \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/validate.sh
new file mode 100755
index 00000000..920371fa
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-error/validate.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 4 ]; then
+    exit 1
+fi
+
+( grep -F "ERROR! error with file" "$2" && grep "sops metadata not found" "$2" ) || ( grep -F "[ERROR]: error with file" "$2" && grep "sops metadata not found" "$2" ) || ( grep -F "ERROR! SOPS vars plugin: file" "$2" && grep "is not encrypted" "$2" ) || ( grep -F "[ERROR]: SOPS vars plugin: file" "$2" && grep "is not encrypted" "$2" )
+( grep -vF "[WARNING]: SOPS vars plugin: skipping unencrypted file" "$2" )
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/group_vars/all.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/group_vars/all.sops.yml
new file mode 100644
index 00000000..3f3fff63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/group_vars/all.sops.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version
new file mode 100644
index 00000000..b72ad011
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version
@@ -0,0 +1 @@
+3.9.0
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version.license b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/min-version.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/playbook.yml
new file mode 100644
index 00000000..b5329165
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/playbook.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was found
+      debug:
+        msg: '{{ foo }}'
+    - name: Make sure group_vars/all/test.sops.yaml was found
+      debug:
+        msg: '{{ bar }}'
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/run.sh
new file mode 100755
index 00000000..8d952bae
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_HANDLE_UNENCRYPTED_FILES=skip \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/validate.sh
new file mode 100755
index 00000000..11b12e90
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-skip/validate.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 2 ]; then
+    exit 1
+fi
+
+( grep -vF "ERROR! SOPS vars plugin: file" "$2" && grep -v "is not encrypted" "$2" )
+( grep -vF "[WARNING]: SOPS vars plugin: skipping unencrypted file" "$2" )
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/group_vars/all.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/group_vars/all.sops.yml
new file mode 100644
index 00000000..3f3fff63
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/group_vars/all.sops.yml
@@ -0,0 +1,6 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+this-is-not: a sops file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version
new file mode 100644
index 00000000..b72ad011
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version
@@ -0,0 +1 @@
+3.9.0
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version.license b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/min-version.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/playbook.yml
new file mode 100644
index 00000000..b5329165
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/playbook.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was found
+      debug:
+        msg: '{{ foo }}'
+    - name: Make sure group_vars/all/test.sops.yaml was found
+      debug:
+        msg: '{{ bar }}'
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/run.sh
new file mode 100755
index 00000000..284a5229
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_HANDLE_UNENCRYPTED_FILES=warn \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/validate.sh
new file mode 100755
index 00000000..cc18c07b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-bad-file-warn/validate.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 2 ]; then
+    exit 1
+fi
+
+( grep -vF "ERROR! SOPS vars plugin: file" "$2" && grep -v "is not encrypted" "$2" )
+( grep -F "[WARNING]: SOPS vars plugin: skipping unencrypted file" "$2" )
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/group_vars b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/group_vars
new file mode 120000
index 00000000..3b9d1c52
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/group_vars
@@ -0,0 +1 @@
+../test-success/group_vars
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/hosts
new file mode 120000
index 00000000..6baa8b39
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/hosts
@@ -0,0 +1 @@
+../test-success/hosts
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/playbook.yml
new file mode 100644
index 00000000..12de052b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/playbook.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was not loaded.
+      debug:
+        msg: '{{ foo }}' # Will throw an undefined error.
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/run.sh
new file mode 100755
index 00000000..db563575
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+SOPS_ANSIBLE_AWX_DISABLE_VARS_PLUGIN_TEMPORARILY=true \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/validate.sh
new file mode 100755
index 00000000..615f0d67
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-disable-sops/validate.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 2 ]; then
+    exit 1
+fi
+
+grep -F "'foo' is undefined" "$2"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all.yml
new file mode 100644
index 00000000..02ad8294
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all/test.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all/test.yml
new file mode 100644
index 00000000..8d9120d2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/group_vars/all/test.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+bar: ENC[AES256_GCM,data:UGteX9JKWhU=,iv:hgH8BeRf2W4gY4FSyXR/VKR879piGW2MSKJIppFgIJo=,tag:2XKpN3jGGEBBXiJPHi93ew==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-09-01T16:17:15Z'
+    mac: ENC[AES256_GCM,data:jw/wSpkqwN1Nun1VGLecyJy/yZLtyB57kmoODRhK9/c7nZU8pgTfcATfysyUq0YXWGvpy3mxvlGhaMrHu0DzNCGlsic6OXWDJBPVX3xYeeiUw5KmLxbYPpIXXLYfyu/mWDrToY2o1rpGzJqT7SuZwfFIEX1gZMFnATdROXwVKBU=,iv:ZrgM8BoaLHh4knvJlTqsycOdHNt2oqiFCl/81fr9zP0=,tag:UfhMIr1ByFQhY9B9GpYAmQ==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json
new file mode 100644
index 00000000..f2b777a5
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json
@@ -0,0 +1,19 @@
+{
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-09-21T05:55:39Z",
+		"mac": "ENC[AES256_GCM,data:Igq1Of0up5cBLd4blecOJSeSqSc+qExqlcEmgaHbhL88e+YxfOd0HxIELYd4SuEAnzYxroQDop741frXLm3RbkFGJuoyW8Ur/GHHx/0e1GsNHGWJL3yfI5NKt0zb3D/pxLP0MrKmsdqlnEnewxeCb5M0xRDJqtRSLP4X4VHOop0=,iv:wzYu6PJsY1FtxuQnNhxDivCCUwfciZpBT232TS/qXZI=,tag:wg8Ijf3mqkfnt7BZ3DSBWQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-09-21T05:55:37Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAY4Sok1zPyUO/sm8PcSWii6QDoOKkLB0LYNaCtJXcGttx\nenLAYAQtNKb4OgeSr2mrgUi5ceyMDAWME9xA0MQSHqU6IrTDRnBOM57wJb+4f029\nbh2PaPuwONcS6jZm+PobJ4sXbKrzigqF6NYdCHjc+3QSWuC2cklKWm1bX5Z0dBwu\nW+7pap7Ol+DCaWmrPx8qjZFR/E0aKcWQGuSryCfZNa6lXXlRxBB/47EBybG6Juks\nyGQBYDLyLxXsd4f0qVRs+A4ra5MkKF5UdAXjrBt5CgUjx2HVSqCD0ScQVwHuiC7L\n2hz3u2EDTB18kf87MFEs7M0Ef9+flJPozPw0Hjih4dLgAeSyNr8t/mZriYpTRIGg\nm1Ll4WKY4A7gkeHcfuA94oS488TgkuUeLeFnZyjEyWGNS8jcgcEXUQKtGKWm4DKk\nD73Cf7UUJOAu5Gdwq+SSwwXZLf1GkX3HSJzieu937OHvEwA=\n=ruyt\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json.license b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/host_vars/localhost.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/hosts
new file mode 120000
index 00000000..6baa8b39
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/hosts
@@ -0,0 +1 @@
+../test-success/hosts
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/playbook.yml
new file mode 100644
index 00000000..e8a8fd19
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/playbook.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.yaml was found
+      debug:
+        msg: '{{ foo }}'
+    - name: Make sure group_vars/all/test.yaml was found
+      debug:
+        msg: '{{ bar }}'
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/run.sh
new file mode 100755
index 00000000..4214176d
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/run.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_VALID_EXTENSIONS=".yml, .yaml, .json" \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/validate.sh
new file mode 120000
index 00000000..93cd4cd9
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-extensions/validate.sh
@@ -0,0 +1 @@
+../test-success/validate.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/group_vars b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/group_vars
new file mode 100644
index 00000000..6ffd5ab0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/group_vars
@@ -0,0 +1,3 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/playbook.yml
new file mode 100644
index 00000000..814477e3
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/playbook.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Idle
+      debug:
+        msg: ''
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/validate.sh
new file mode 100755
index 00000000..bc3804f5
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-not-dir/validate.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 0 ]; then
+    exit 1
+fi
+
+grep -F "[WARNING]: Found group_vars that is not a directory, skipping:" "$2"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/.gitignore b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/.gitignore
new file mode 100644
index 00000000..c93c3681
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/.gitignore
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+group_vars/
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/1.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/1.sops.yml
new file mode 120000
index 00000000..924f9a2c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/1.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/1.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/2.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/2.sops.yml
new file mode 120000
index 00000000..444680d8
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/2.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/2.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/playbook.yml
new file mode 100644
index 00000000..18326389
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/playbook.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
+    - name: Replace group_vars/all.sops.yaml
+      copy:
+        src: 2.sops.yml
+        dest: group_vars/all.sops.yaml
+    - name: Make sure that updated group_vars/all.sops.yaml was not loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/run.sh
new file mode 100755
index 00000000..f05dbab3
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/run.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_STAGE=inventory \
+ANSIBLE_VARS_SOPS_PLUGIN_CACHE=true \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/setup.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/setup.sh
new file mode 120000
index 00000000..ba8fcac0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/setup.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/setup.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/validate.sh
new file mode 120000
index 00000000..52c886ab
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-cache/validate.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/validate.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/.gitignore b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/.gitignore
new file mode 100644
index 00000000..c93c3681
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/.gitignore
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+group_vars/
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/1.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/1.sops.yml
new file mode 100644
index 00000000..02ad8294
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/1.sops.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/2.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/2.sops.yml
new file mode 100644
index 00000000..8d9120d2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/2.sops.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+bar: ENC[AES256_GCM,data:UGteX9JKWhU=,iv:hgH8BeRf2W4gY4FSyXR/VKR879piGW2MSKJIppFgIJo=,tag:2XKpN3jGGEBBXiJPHi93ew==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-09-01T16:17:15Z'
+    mac: ENC[AES256_GCM,data:jw/wSpkqwN1Nun1VGLecyJy/yZLtyB57kmoODRhK9/c7nZU8pgTfcATfysyUq0YXWGvpy3mxvlGhaMrHu0DzNCGlsic6OXWDJBPVX3xYeeiUw5KmLxbYPpIXXLYfyu/mWDrToY2o1rpGzJqT7SuZwfFIEX1gZMFnATdROXwVKBU=,iv:ZrgM8BoaLHh4knvJlTqsycOdHNt2oqiFCl/81fr9zP0=,tag:UfhMIr1ByFQhY9B9GpYAmQ==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/playbook.yml
new file mode 100644
index 00000000..18326389
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/playbook.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
+    - name: Replace group_vars/all.sops.yaml
+      copy:
+        src: 2.sops.yml
+        dest: group_vars/all.sops.yaml
+    - name: Make sure that updated group_vars/all.sops.yaml was not loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/run.sh
new file mode 100755
index 00000000..fd848bdc
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/run.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_STAGE=inventory \
+ANSIBLE_VARS_SOPS_PLUGIN_CACHE=false \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/setup.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/setup.sh
new file mode 100755
index 00000000..e4448001
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+rm -rf group_vars/
+mkdir -p group_vars/
+cp 1.sops.yml group_vars/all.sops.yaml
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/validate.sh
new file mode 100755
index 00000000..bbd8c591
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-inv-no-cache/validate.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 0 ]; then
+    exit 1
+fi
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/.gitignore b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/.gitignore
new file mode 100644
index 00000000..c93c3681
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/.gitignore
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+group_vars/
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/1.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/1.sops.yml
new file mode 120000
index 00000000..924f9a2c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/1.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/1.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/2.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/2.sops.yml
new file mode 120000
index 00000000..444680d8
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/2.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/2.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/playbook.yml
new file mode 100644
index 00000000..18326389
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/playbook.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
+    - name: Replace group_vars/all.sops.yaml
+      copy:
+        src: 2.sops.yml
+        dest: group_vars/all.sops.yaml
+    - name: Make sure that updated group_vars/all.sops.yaml was not loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/run.sh
new file mode 100755
index 00000000..4fcc013b
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/run.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_STAGE=task \
+ANSIBLE_VARS_SOPS_PLUGIN_CACHE=true \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/setup.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/setup.sh
new file mode 120000
index 00000000..ba8fcac0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/setup.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/setup.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/validate.sh
new file mode 120000
index 00000000..52c886ab
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-cache/validate.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/validate.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/.gitignore b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/.gitignore
new file mode 100644
index 00000000..c93c3681
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/.gitignore
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+group_vars/
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/1.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/1.sops.yml
new file mode 120000
index 00000000..924f9a2c
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/1.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/1.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/2.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/2.sops.yml
new file mode 120000
index 00000000..444680d8
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/2.sops.yml
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/2.sops.yml
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/playbook.yml
new file mode 100644
index 00000000..f654090d
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/playbook.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was loaded
+      assert:
+        that:
+          - foo is defined
+          - bar is not defined
+    - name: Replace group_vars/all.sops.yaml
+      copy:
+        src: 2.sops.yml
+        dest: group_vars/all.sops.yaml
+    - name: Make sure that updated group_vars/all.sops.yaml was loaded
+      assert:
+        that:
+          - foo is not defined
+          - bar is defined
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/run.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/run.sh
new file mode 100755
index 00000000..4b6fa33f
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/run.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -e
+ANSIBLE_VARS_SOPS_PLUGIN_STAGE=task \
+ANSIBLE_VARS_SOPS_PLUGIN_CACHE=false \
+ansible-playbook playbook.yml -i hosts -v "$@"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/setup.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/setup.sh
new file mode 120000
index 00000000..ba8fcac0
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/setup.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/setup.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/validate.sh
new file mode 120000
index 00000000..52c886ab
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-stage-task-no-cache/validate.sh
@@ -0,0 +1 @@
+../test-stage-inv-no-cache/validate.sh
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all.sops.yml
new file mode 100644
index 00000000..02ad8294
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all.sops.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+foo: ENC[AES256_GCM,data:a25L,iv:X8ILHZr+YiyLWa90Y+cwoMD1nVuel7JyTs0A5+oiOOo=,tag:GbBtp+Yqx1KEjdyztqS4EQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-02-20T10:44:32Z'
+    mac: ENC[AES256_GCM,data:BAwQqD9sHgHkmlxPQLKq28Xy48qPp1B/+GDLEsIxir6WNhZgw8OgjVF1u/wCAad6qHkmN02Bwenr+aay6uKfCuOEsTRSvZ7v80yAU+h0wL3zJ/KMkRsE3QP3CWxcLQxInt+YaBjR+Q0IUjDXKm3u6ZomixZe5F5pwWr36ErV6Y0=,iv:e/iiyXQiCh8C2w/bc8mr/Psv+ehmqEMqEC1/bbGFHpY=,tag:NSDo2HISIBJhYvsqrU0mSA==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test-template.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test-template.sops.yml
new file mode 100644
index 00000000..cff17950
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test-template.sops.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+var_with_template: ENC[AES256_GCM,data:J599a0lRSlyAkV4=,iv:L7fYDZJ3iptUXQvquI+Tpghuhqw6OVEfWkZqwLMQHVw=,tag:aevkuuAHQhmKYA9oVE9W/g==,type:str]
+sops:
+    lastmodified: "2025-10-25T13:00:31Z"
+    mac: ENC[AES256_GCM,data:kcBCrt8J4msGxn5k8h36Tr77Ntxm5OAL9tlf5wq2IxGPeQGVsiTx682EMwXShDO1KimHJs1TeH17jy5w8bex7TWblPp+6UVSv8mRBziCYlWs7jB/Pys9UEEmWQnRWe2n56YIk/GWvi9cVB8jE/lIS3pEx2dHelz5ZhUYWNYeIO0=,iv:EJubN2uC9ACkzXaat+1TBumk6lTNUKdyHj9ICME9BCU=,tag:DPq/zHTcP/jDHNUMU/C15w==,type:str]
+    pgp:
+        - created_at: "2025-10-25T13:00:14Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQf9GqFo7ukpsCO6AYVnaSGopKb/U+ajTa/mABeuWGls0mfS
+            P6xoZfYCBBPD4iKp09fKB0k4TIOWV1qFB5C/a08tTOl+UwuYE8K3eN9Fjdaa+ELd
+            HPfdhSgGyi5RGrGmX7NZXhT0LyqkeGeOBchzbfkMOvnAYwOUn3Ga6Iywuojp1/65
+            e0zr3IR4iJB3sDmj7uFZ/PbnWQVAlS6oILPva7lRH6i9Bv1jzC5sf/ZwVu8pOekC
+            IH1vv+QHwvW2MQIYVtDoUZwbx7JU2N19ZLL67oWX/2GqB+088Z4GqtVWbuG9/QKA
+            mjcjQYzjSPHPfhpsFmsi9v4gjxrKCA4oIZqRgOzJedJRAX0rVVkOfO9tNlq3orZM
+            OUueosVkriPnMjgl7a4ceIaavjb1pSPr6yJvVDjgV2gljkUxte1qz/hQYdoyTENY
+            mZDinIhW0n5G4ihNPs8CWlyL
+            =ZTt+
+            -----END PGP MESSAGE-----
+          fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test.sops.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test.sops.yml
new file mode 100644
index 00000000..8d9120d2
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/group_vars/all/test.sops.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+bar: ENC[AES256_GCM,data:UGteX9JKWhU=,iv:hgH8BeRf2W4gY4FSyXR/VKR879piGW2MSKJIppFgIJo=,tag:2XKpN3jGGEBBXiJPHi93ew==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-09-01T16:17:15Z'
+    mac: ENC[AES256_GCM,data:jw/wSpkqwN1Nun1VGLecyJy/yZLtyB57kmoODRhK9/c7nZU8pgTfcATfysyUq0YXWGvpy3mxvlGhaMrHu0DzNCGlsic6OXWDJBPVX3xYeeiUw5KmLxbYPpIXXLYfyu/mWDrToY2o1rpGzJqT7SuZwfFIEX1gZMFnATdROXwVKBU=,iv:ZrgM8BoaLHh4knvJlTqsycOdHNt2oqiFCl/81fr9zP0=,tag:UfhMIr1ByFQhY9B9GpYAmQ==,type:str]
+    pgp:
+      - created_at: '2020-02-20T10:44:32Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMAyUpShfNkFB/AQgALJTUwdx6rAPckJ+reP5TEq+lXzHI1Zi7aHYOqZQBnA2s
+            z8h1gRce/fn7RPkmdsjsdSYmxGGKqwDXxUYsbN1aWXk6mb4Juktdvjl/GndF6PkU
+            TiN/l1GM6upgS+GPxA01NKsGkVmEtKR5NhsNEnE6OzY29+PFLsBX2vO1Zfg7kzBz
+            cDl6PT8fbFTEaFeyuYl9IslIV8yYsj1oHL3CF76RjCP6b18NSOHM23ytlH+KVaBV
+            ntoSVkTyWDx5o9iEHBEWSEGNpaCWWiEgkDEkA1VqMHdUlsW+IjZ8ggg5NJbcVtrG
+            YkN8rlGsNEzx+g4O4b1160A2K6AdTBcoGHwHD3u3XdLgAeTqT1ekE2N3yNT6w4sm
+            6uET4eTS4Cvg1OFCgOC34uUzlY3gbuVy20h8RNyQoAfhSN4DD2MexKqcMMCVCtn0
+            OhRMTP2jjOCe5Ex3/p3awcVxwx7qeJ26Vnfiwtg6ueFI5AA=
+            =tcnq
+            -----END PGP MESSAGE-----
+        fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
+    unencrypted_suffix: _unencrypted
+    version: 3.4.0
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json
new file mode 100644
index 00000000..f2b777a5
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json
@@ -0,0 +1,19 @@
+{
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"lastmodified": "2020-09-21T05:55:39Z",
+		"mac": "ENC[AES256_GCM,data:Igq1Of0up5cBLd4blecOJSeSqSc+qExqlcEmgaHbhL88e+YxfOd0HxIELYd4SuEAnzYxroQDop741frXLm3RbkFGJuoyW8Ur/GHHx/0e1GsNHGWJL3yfI5NKt0zb3D/pxLP0MrKmsdqlnEnewxeCb5M0xRDJqtRSLP4X4VHOop0=,iv:wzYu6PJsY1FtxuQnNhxDivCCUwfciZpBT232TS/qXZI=,tag:wg8Ijf3mqkfnt7BZ3DSBWQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2020-09-21T05:55:37Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAY4Sok1zPyUO/sm8PcSWii6QDoOKkLB0LYNaCtJXcGttx\nenLAYAQtNKb4OgeSr2mrgUi5ceyMDAWME9xA0MQSHqU6IrTDRnBOM57wJb+4f029\nbh2PaPuwONcS6jZm+PobJ4sXbKrzigqF6NYdCHjc+3QSWuC2cklKWm1bX5Z0dBwu\nW+7pap7Ol+DCaWmrPx8qjZFR/E0aKcWQGuSryCfZNa6lXXlRxBB/47EBybG6Juks\nyGQBYDLyLxXsd4f0qVRs+A4ra5MkKF5UdAXjrBt5CgUjx2HVSqCD0ScQVwHuiC7L\n2hz3u2EDTB18kf87MFEs7M0Ef9+flJPozPw0Hjih4dLgAeSyNr8t/mZriYpTRIGg\nm1Ll4WKY4A7gkeHcfuA94oS488TgkuUeLeFnZyjEyWGNS8jcgcEXUQKtGKWm4DKk\nD73Cf7UUJOAu5Gdwq+SSwwXZLf1GkX3HSJzieu937OHvEwA=\n=ruyt\n-----END PGP MESSAGE-----",
+				"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.6.1"
+	}
+}
\ No newline at end of file
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json.license b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/host_vars/localhost.sops.json.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/hosts b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/hosts
new file mode 100644
index 00000000..f43ae790
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/hosts
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+[all]
+localhost ansible_connection=local ansible_python_interpreter="{{ ansible_playbook_python }}"
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/playbook.yml b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/playbook.yml
new file mode 100644
index 00000000..5221d433
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/playbook.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Make sure group_vars/all.sops.yaml was found
+      debug:
+        msg: '{{ foo }}'
+    - name: Make sure group_vars/all/test.sops.yaml was found
+      debug:
+        msg: '{{ bar }}'
+    - name: Make sure group_vars/all/test-template.sops.yml was found
+      debug:
+        msg: '{{ var_with_template }}'
+    - name: Ensure that templates group_vars/all/test-template.sops.yml were evaluated
+      assert:
+        that:
+          - (var_with_template | int) == 2
diff --git a/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/validate.sh b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/validate.sh
new file mode 100755
index 00000000..bbd8c591
--- /dev/null
+++ b/ansible_collections/community/sops/tests/integration/targets/vars_sops/test-success/validate.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+set -eux
+
+if [ "$1" != 0 ]; then
+    exit 1
+fi
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.15.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.16.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.17.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.18.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.19.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.20.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt b/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt
new file mode 100644
index 00000000..787dfec7
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt
@@ -0,0 +1,4 @@
+tests/integration/targets/filter_decrypt/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/filter_decrypt/files/hidden-json.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-binary.yaml yamllint:error
+tests/integration/targets/lookup_sops/files/hidden-json.yaml yamllint:error
diff --git a/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt.license b/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt.license
new file mode 100644
index 00000000..edff8c76
--- /dev/null
+++ b/ansible_collections/community/sops/tests/sanity/ignore-2.21.txt.license
@@ -0,0 +1,3 @@
+GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-FileCopyrightText: Ansible Project
diff --git a/ansible_collections/debops/debops/FILES.json b/ansible_collections/debops/debops/FILES.json
new file mode 100644
index 00000000..745e29ab
--- /dev/null
+++ b/ansible_collections/debops/debops/FILES.json
@@ -0,0 +1,32604 @@
+{
+ "files": [
+  {
+   "name": ".",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/connection",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/connection/lxc_ssh.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ba70782caeb5db8419c49b7d64c39e3e8ab0deb2faa8072a61256983180866f",
+   "format": 1
+  },
+  {
+   "name": "plugins/connection_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/connection_plugins/lxc_ssh.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ba70782caeb5db8419c49b7d64c39e3e8ab0deb2faa8072a61256983180866f",
+   "format": 1
+  },
+  {
+   "name": "plugins/callback_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/callback_plugins/profile_tasks.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2774784062a8621749232ea0cb10c1cdc7efce9b43cf6e31544089fddb02a00d",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/lists.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a06516fbdd11faee8030731ccf066c95935b586dce36939b04d79ed1a935e0d",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/template_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ddb4461ea18487b8118bd0504c77e6b17f42359c871cbf32320ff22db0eb607f",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/file_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2e5a83df2a43fe702614678b9cbad45f29d2cd6df94f9d92391c9f9520dd756",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/dig_srv.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "403e0cb45fc984bdde5e1a3bd374f230f65fa0a0b4ff0e2bde48e5ffde5b1911",
+   "format": 1
+  },
+  {
+   "name": "plugins/lookup/task_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "064ac858362e38139d08f0c0aee363e7ef6909295e4117daf41afb6d01aa412c",
+   "format": 1
+  },
+  {
+   "name": "plugins/callback",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/callback/profile_tasks.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2774784062a8621749232ea0cb10c1cdc7efce9b43cf6e31544089fddb02a00d",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/debops_filter_plugins.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc7fb5e64cc5e680b78fec85a62235e48f0f47f325089ccfbe8bb5cb2499c681",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/globmatch.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "488b0eccafe91d5324a2a9631862e8b70b5c9c623b6e92584f86653583834903",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/etc_aliases_parse_recipients.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4ea15ac85e8c66aa233d639054eed666feb5df719e3b71772847170726f68de",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/split.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2df8708a7a108eb61e7197ddeec32e311ad8b00364a3084b5f5cb864e1ac2d3c",
+   "format": 1
+  },
+  {
+   "name": "plugins/filter/toml.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a777729ba9dc11619331f19f70a642bb8eef3c773cfd559e29891e4bc9cdf045",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/dpkg_divert.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ea7140405a1834914ca88e8978b460e165c3b236307402d15c87e58272e35ec",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/apache2_module.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd546e2faa691e19cfded80a0cf6fe245918acea86454ab70ad650be7c92e0da",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/cran.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e312c834c755bc59a801dfffe0ac05dc787b051e6f76dc4b3992fe29b72280c",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/ldap_attrs.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b1fe4fc4fb9999c5340f60d64203a364090b8ce908a875fc2853bef0b768d7d",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/btrfs_subvolume.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60537b86ee51ad4fd7c575c620763462000234523bb812a79a4eb675bbd618cc",
+   "format": 1
+  },
+  {
+   "name": "roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a02b19ff400b7d62772918e7b82ae2e4ef32b14d49faa9a2fe288f8b35263e10",
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3c0da23f67bdb7fc7ee5b3daaa56039d0d45d461a245a2ae4b180f451cf80639",
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e02161620ff3ed83ef8828d7385145fc8a7fe27166ce201f3037e6209aa059ff",
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc/freeradius",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc/freeradius/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a2052e13d56632311a836f6e9f9cee180a719f3a41218a99d42ab6f3a22f92c5",
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/templates/etc/ansible/facts.d/freeradius.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ca7073f7b20b8c4bffb229e99f75358d55caf9f819a1ca74bb7117cc8103108",
+   "format": 1
+  },
+  {
+   "name": "roles/freeradius/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab2d41ac651c0dfaf2f190123a43448dedc0032cbc3c6fe65c686645ad942675",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3bb18103b2703ac15b8f75859f1cc143d28148878e22dbc7161c357395663994",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b39627af7ebdbdce65d5e6bec7180050800af87a9f4ac59a1fd1265f9e179c9a",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "890385b5459eda787b9e3bc3ee70734bbd158495f8e5701579d86098b5fd019f",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto/acl.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0386eff53691b093369b0071cd3a57cd9be19e3a8a7b3f9d18fb70f522994afb",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto/conf.d/listener.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "276b1ccfd1a608bab9282c0188a8ca35ce2a89b921c6b676c9d2c7529f0d8a5f",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto/conf.d/bridge.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d935f2df50e0e3b1063b2af2ee8a18d7ccb03d8ca752bb3e91dedcfc17119c0",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/mosquitto/conf.d/default.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "55c2751ed0d8bb7b545af7216834a8c34870eedc649c1c58b60852fb9ec63c5e",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/avahi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/avahi/services",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/avahi/services/mosquitto.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79416c53f0241bfa1a8da99fddeb7355293dbd76234b99714dd7c40fae4ebce3",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/templates/etc/ansible/facts.d/mosquitto.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b8f646fb571dcdf13b875988634e7c601b7c61d68d50631fe716accdf5600d2",
+   "format": 1
+  },
+  {
+   "name": "roles/mosquitto/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e47bd833b8e00fc2d6f7cf6ec8c56a1499304e209b8097d8c44697c30c183f5",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0988ee0333e674835e8de9021d431fefd1c9bdc33e8396f47718bc55a72543aa",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9cbd34b4f460853e6766f848df1edae62e04664c80b17dec46b867cef2518622",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24b1b5d1da6b3efbdde32f0d07e03ad087fc04fe4e1b36587a59f862101cee9e",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5451c7f88eb5572bc3e4067b135e728e07eec40881cd70e401de612c31f759ab",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cdeabc70cf4c5dec702a06241462d0a5b447ebc1e18a3c90c806f84943aafb03",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/playbooks/btrfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31c82f8a164f08aefe32814b117eb92e273a06023119a6f42d61cff637f78602",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bc0271513a469e65bd44a605ed9aaa6bc952e372d8ae1ef50c8a6c16b8a94e8",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa128e59c5d55f648f68361eea7fb4e520402711d5148296a963de63b36daad1",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "909530c99305e299d4c08de73cf8bbab1894d4714c69b7566d9fcac6fd38f18e",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d162602daa91ab17a0cacba199d23fa219996f90e8517b393607fe182e6ea9a6",
+   "format": 1
+  },
+  {
+   "name": "roles/btrfs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94d6717c1b43109f2e398eb19b4bba283c8cad9181d14203b7fdc545e3747741",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks/install_postgresql.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0adad82d6ff2f5e7ee015cbf0b54db833f926ef026f35cbaf5a0961d1e370210",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks/manage_clusters.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d60ece991338905fb9f19499f8c9db710db261766427cc2404dda7b4e74da453",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks/secure_installation.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f290e7470f1a510e84264fd9aa139beda8d0a515ed425da52a88f4b96c1c234c",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks/manage_autopostgresqlbackup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e724650d7c3f4a570dfca67e4087386b245756ecbe4f8179d7a9465043874d4",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b81dece7054ca01a4d39fa262b9563a75243b49bfe5ed1d3e4f0d9c283ebb079",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2144cb9bf238fc180d0abe62e8a95daf51857efac72f6173b66545edb8856ebd",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90090b604006d237d01a7dc5aa347d48f5252f91b62e9bf56a250696a53453bf",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/usr/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/usr/sbin/autopostgresqlbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb8fe7ba35382e6174184d41930c52142b8deea50fb088404317f3df7dda35a8",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/start.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ba3bd8bbb1ea74164753208b491465c36d4e9615ccb5e96b7d3ac04362d2c20",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/postgresql.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5fbf68b5fecbf6575b22341d64d2cdc82a4757c72bee418ac83d9ddd70be03d",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/pg_hba.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e024941b0245c3d32050d26a1bbd4f4ea0e72f7beae66d0971c1026ebaaded7",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/environment.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd73a2685dc1caa72ceec301cce4a8d26a1cfd5d90cbf5ac78e6997c5cbf65ae",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/pg_ident.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "45ee17a071c4f64f7c1b205450765972b4354e2ff7f9e8e1b2e05e8ce1eb04ac",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/postgresql/trusted.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9a1e045f2b2836b72b53f814356841e4f70a4dd79f45b79b638a786eb84ebb3",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/cron.daily",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/cron.daily/autopostgresqlbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5abb599e02dc42b0e5c6e0b0ec2885dfa070f9c4d014fff93c27f683ceeade65",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/default/autopostgresqlbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "537c9f9613003bacc5a2040eaa4f42731d6a5455e0424ee97666d6be3899dcac",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/templates/etc/ansible/facts.d/postgresql.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2959fb4f9fae72c9baaef0163bfce85c0ef620d66cbc91e0fafb2a1d0f04faaf",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "32a9abe92e97c6edefdccdf8b76eb825a3bf206007316f9a1f75defa872461ce",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks/iscsi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks/iscsi/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "556a627a7022bf9b4c5fcb8f41d7683de8536c8803b554f6992bc5409e0b6945",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks/iscsi/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "556a627a7022bf9b4c5fcb8f41d7683de8536c8803b554f6992bc5409e0b6945",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks/manage_lvm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "993fd477a04186e1d5c5cc3474a37647bdda75315c822590ebcab2b854adf1b6",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1f93b4e93e96691e7f1ff7d0afe9f7650c4363cf2391d2eecc2883f9991e6f9",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b577955e31ba0ff7f5c62fb1dac400492a6e7eddff725ddd64cbbbca9c325575",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d11ae9cab9b90654b7dd6dd9a0755087302c201cbbb8c507fc4bd4621e67c335",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/templates/etc/ansible/facts.d/iscsi.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2da18a8445649352122ae7caeddf148956b099c199ec7e9cc001dc716a0e9a31",
+   "format": 1
+  },
+  {
+   "name": "roles/iscsi/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4c08995fdd83e86b4baaeb3350b67753717d4507bf10a6ef6210992e47c1135",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4519b9ac41a2c58be8e25fc2c730dace6e25c688f8c87bd756f5c6b313c48d9f",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/meta/watch-docker-registry",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "878618a9cc0d4fbcd7912cfc6d7778913eb233d56775a098e05a6e6633fba0e5",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0aaa8482008344656b7815aba23d917fc84337ccc0f5d769d72607648ba2d342",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af3e0dafc1cf62c13324d515e46c071f389a6798c7e55baec65ad53e30fb2b85",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/usr/local/bin/docker-registry-gc.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7c9faac93671225e15227054f87aac8b27ee9fbf5724693f195bbded20e11f4",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/sudoers.d/docker-registry-gc.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad712c8cbc5ce226895a99d41717a778b81873ae84457cf831cf91e357dd03e0",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/docker",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/docker/registry",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/docker/registry/config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2779e7bdc5cf7899fe9e5853efb9ccdd3c14dd4a14c320b8355474e9b4a80f7",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/systemd/system/docker-registry.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdee83064b336fb4b9745d3a11e439b2efc53e0ca05239f20ffcee33f68d1e54",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/templates/etc/ansible/facts.d/docker_registry.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e74bfb3eb9ad2158d915fed9d6d95a50c4ced435b803bf89f8ed8f4d4005bd8",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_registry/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d801d1915c214471cede19bcd341b15fc7d81b4801094f61a3ef5eb66a6c0694",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "784356e735b552e43a46d59412be34cb0818901aef3e97961a05977778bd38a2",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "30fb647f6277842d8349283d4cb91dfb333e86822c7f54bbea10afe0970049e4",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b39b16b1af2079ae156b0a4538d4e38f35c3aa59db398595e88c3ce55aa95a41",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/modprobe.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/modprobe.d/nfs-server.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07610ef26623d5495315ac6b9e43b3ab9a38a42f4af3a96268a5b5cdd53c2a32",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/default/nfs-common.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "310138cc3f292ec265a51ba53dbc7ff626e9d6e38d11769108e046e839365073",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/default/nfs-kernel-server.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13cb641c7f92f1e6271422c06baace8e200675cf139d01a659ac0298d15d2975",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/exports.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/templates/etc/exports.d/ansible.exports.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c8173dc48c6517f51e0114c9d8299ec99fcfac7e2d91998b256565cfd0e2aba",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "17fee964fdf43b34bf6526480d4531f16102eb28e531cbb205e46c712ece33ec",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b750b623341325b066ad709b21ae4aa3a1f623dd20a8e74dea62995c247e98f3",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a7ebe37fa1d1fb6f3a512ce65872814f1dcd30828875563d8f3aa80b78c51303",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8e9cc5eb1560de757055374b987610f59704d2ba9f22ed31898d96ecb4e92120",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bef6aa8873e19c3b9308f1d4f488e35a3cbfbb7bca9ef8e7d6c72701c7d139e",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/redis",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/redis/sentinel-instance",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/redis/sentinel-instance/reconfig.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d003192c67baf41a89bd91823614ecdac78311c312f4d1a8e91237d600a9c18",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/redis/sentinel-instance/sentinel.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "182ade679d508f27d289f19d6c637cbc5158d9234250176e0ae3ba91eb7a2a30",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/redis/sentinel-instance/notify.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d16fd909cdf4849a76f488b3c8f00d9c766101020219686d855072e3a74669c",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc44480d57717ec6a19d0615006e5a206dcee6894c49824c087fb235088f4fd2",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.d/ansible-override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16c0a36e7776b2ae7b6a71ced4e6d6f49a8d65499f86c5405ed9c3c5e7495978",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "30f12015227c1dffd3d1450fa3f40cbc6ac4a410edb8cc1c92a697413ee81df4",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/etc/ansible/facts.d/redis_sentinel.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e01284965dcde4f207152daa1c80708faed45b27b2dcc0009c98d9b79a91f15",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/lookup/redis_sentinel__filtered_instances.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6be75330a9f4ae82955805e802ee2eecca9a7565ac81889f6fa01c43da9e9855",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/templates/lookup/redis_sentinel__env_ports.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "389a4f32942a14aedeee39028707a3693ccec1cfba7b6d1c51fff0eb27eb94c0",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_sentinel/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ac94bb2101343bde93ef169e13b0ffbf40642377a7df5b253c1f3431438d00f",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4f9d9deb6f5804823009af32b7bcab92fa9700ad260dd21c7cad2a379f1449c4",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bd4c4f292a044f54b951664d4a6eef2c8f80b9f6d825efac8f413ae97f37b5b",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de2abc2f2c1fee42f36f89edc2070a7a7c274baba838514c3e407060a419dbcd",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc/default/tftpd-hpa.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf30b79cfff8960015756f41b60c2e509af47449565191f488f9c6081aecc4c7",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/templates/etc/ansible/facts.d/tftpd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27f01f7c5894ed4ba974160b70862f2902aee29e203b7dd9622a0a612d677af1",
+   "format": 1
+  },
+  {
+   "name": "roles/tftpd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f43e519277183adb102d0ac9648d7d669b858dc7fe6a992d5002dc0d0f603163",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f4c56983952c2dead217184f3c849aa03d64e328f3b511ea1aa645775515253",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf39eb9789727b66ce8d5d37a5cf4807f51044137a6927fffcf839ac1e812e6f",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2c391b6d750c835aaa06b05dd3997202bf5a0f9605743663ab82b84c0296f93",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/sudoers.d/system_groups.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c401345663099735f856073813849381dffe22c1e8f35501aa32cf06e59558ee",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/ansible/facts.d/system_groups.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "852349470b5497997ca46126d8d3833dfec90fe7bee867e8eaabb9b8fe7344ba",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/tmpfiles.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/etc/tmpfiles.d/system_groups.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "700af5b1e352e965e096039795c6c9549672027bc3acb8b9aea4d63f6a10db27",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/templates/lookup/system_groups_members.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95109272a677cbec25c7a8c5010a8ea4c0fb68a087f87d93d3a35786349ed4df",
+   "format": 1
+  },
+  {
+   "name": "roles/system_groups/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "868912fdb7977d9d78a9888eab97b68cf3f106f2c9737da5f290e7363db407ec",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f95739360ef532778c620e1051bb3449768082efb11bd7a415a147db28f8b7d9",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97067a6d03df74ffa3785bee8c7f110c2ff8f9ac35a0d61767a3888b48949531",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f4470d09f17abaf94c1b6de42bbe063a3b19ed9091cb0e2da80312c479d1078",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/default/lldpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1bf06080ea2d974d62bb9c31d543b53bf0606f16cd9bc3d311084e760856d701",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/ansible/facts.d/lldpd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4518d870920da8b6059759ba0d0e1e9f94739c36b50b0b4f1c81c0c4c61cfbf6",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/lldpd.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/templates/etc/lldpd.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e9208e5aa4d1d6d94359861399828c45fce306bb9ad787b4f7dfdb88a42d0b0",
+   "format": 1
+  },
+  {
+   "name": "roles/lldpd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af2c58657d03a6b1f326f48835184d7007bbddb2cc8cb51ba21cfece1eaf2ee7",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b4150d5e650add126f3a69b5bb49cfe418d4cfb07c88cd05dbf96499d0f3541",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "720b2bd08cc92dc99ea6852e75c110f6a81f1ef90cfd61c234841b53ae94465b",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa6a59dd18017bd8aa671e272bef01024ba9b836e0d5b9f7a884949d49802fe0",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc/postgresql-common",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc/postgresql-common/user_clusters.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "acc07e893a5c4c7a8c7e01198cbb31293e0d0753b6a134ed50669961060c5561",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/templates/etc/ansible/facts.d/postgresql.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e30b654dca71323e7de4beced4a29edf4e72ba7c7fcfc7321dd89e7ddda3c11c",
+   "format": 1
+  },
+  {
+   "name": "roles/postgresql/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8438ed94349fd53598c2551849c9391372edbc6cc5c698d27d0c3b53ab8d6a3e",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c71948bc4d8adc5be922e547df9fc4f2c075afcc42b684395d137805a88aea6d",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a037cbe832ae8163103a08e851dfedb8a1c9f29766ef0d813e2590f324d8f878",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd0c6004a6d0d4f2e03fc8e37333fc82311decafd9adbe276ba103b4e96d0834",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates/etc/ansible/facts.d/netbase.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "192360ad47dea08b38a4882c729463d2e964feace71228c04bf86fb182762888",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/templates/etc/hosts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "efbe15c03e55cefcfb0ebb242355809c91f9f1c52422c3cd2edc5c71de2f91af",
+   "format": 1
+  },
+  {
+   "name": "roles/netbase/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f08bfb4900390582422ce15db8f81dab1ba5c29fb07283faf3d07c783ddcbbdf",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6d9a5b8cb16264f34d2643408092926b6ba1793f5b513a8d5fd2f49df9663ce",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5b7a38393317dbbdf4dcc84dd739446ae373b295db50435ceceb52209223a507",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c26a66126e7d7812a150c0529049cf2de7121c1b9cfb54e1420aa0be88048aaa",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/default/saslauthd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57a3d3d6fbb700083f285e5ac86c889958b12b68a41e84b15da0f9562372a85d",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/ansible/facts.d/saslauthd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2849baf6a1c4eed17f1a5c3d322d52feb5444f91da01361377bf6faa26d64c8",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/instance.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2c8b1a4d73dfd2aa32197ebe37f28b4eb273bee47ce58b0610f0fe1df39fdef",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/templates/etc/saslauthd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "620f0a4b76e957348b738b8d20f8fbea834ebcde83b5eb9a15b8c7ce66065235",
+   "format": 1
+  },
+  {
+   "name": "roles/saslauthd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "facfdfb710c626e4c0c060e0176d3179ba7b2af1c6190f23c7c48fdaa99141f5",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cac9506e7e024548b90210f5115ed4e51b82a5ca5689b713cacbaefb94c7aac",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/meta/watch-etesync",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba98dfc8233ce5f7f7d34f56f2501396319340aa03e7d1f10226dd33841e76bb",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aabb81f6519d4e8fc6250d041ecff22a2c3d5cd623f70902a40bb871ee1cd444",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e28a9ca4500511d7a858733394405a9650946d78bdeb2e91f07a8bfbfbdb1bc6",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr/local/lib/etesync",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr/local/lib/etesync/app",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/usr/local/lib/etesync/app/etesync_site_settings.py.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "672ebc3f52f2b871f7bc9c36044dfb47aefd3b32fb5e516d2f173ec0f7729218",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/etesync-server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/etesync-server/etesync-server.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba038141cca9013447ac6b1a5cf54fc2d924177c91888b17b8833dd819c2366e",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/etesync-server/secret.txt.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e147c97b3541c21d971c9986437ed62ee9db0603af6d0b9a69a9aef69f679179",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/templates/etc/ansible/facts.d/etesync.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdcb4757938b5315dad5010c141fc190b90a8ac69dd13e1c7289cea354d9483f",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5dca00f90fbe37e4ade6bd8ce197d7f70c6c418c670c514f09ae1759e1d353b6",
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etesync/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59f77851276d38f8a96b167e5eca4b930f81bdc601a52e6a5ee6ef4fcc9c3870",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "663db52aac0cd7e5976fd5d8053b0acca3d9be70ae88095a493fa22c06049382",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/meta/watch-netbox",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c98fe3a0164d2516b682d9c914f40c816b83ee7c6e9c58ca92e908a43fd1c90",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da4ab2d5f64d1ff491fe39de0cf43791376b3b30eab0cef74af82dfbcba46a57",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f415e5e990dc7a744c45beefaffefd0f7cc53dc8e6e35b5b2483bd448b51b020",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/bin/netbox-manage.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d213b705d8d9b2832081077f2813e52f2a6f97d4021468bec0c183b4d3a7d6e",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/lib/netbox",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/lib/netbox/ldap_config.py.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c63564d0354bec0f046b3cdd31e8178810addd2369a3cc719e862dbe435abb6",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/usr/local/lib/netbox/configuration.py.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "72fc337c80b48ae634cb3bcdbc6efe998d76ef71e9c5a9905bdb7f8cf199f427",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd/system/netbox-rq.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2536360e087a7e08a565fa67c82579de82b84d45bb3aede5991fffafbf89275d",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd/system/netbox-housekeeping.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b5a901190acb739045899c581c68c8cf2691136402acd4af188a51081ab09b6",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd/system/netbox.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b2d0c544e72dfe6c7f0d9b65f0e4a1918bfb6300760e2e95425e1f0fc1dbabd",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/systemd/system/netbox-housekeeping.timer.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5b70e5c669a756ed4b95dce705997560e5127699679fe7ce5e365a5c5b514a6a",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/etc/ansible/facts.d/netbox.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "adecf825ad0527c0ce62448f41de2f519d0767885c618738caa069929233e819",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/templates/lookup/netbox__config_admins.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e315b4d12f47602a8a5544783460c65a6bed6f8fd617d56e0155b2ab29e37d9",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "44b408c174ba6ea2d694628e43893f4f78fc5cb99a3dfa87a336eb0ad641d7bf",
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/netbox/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d8c46261a832b12b0ec2eb331492c9b055b6842ab7db5d616dc3dcf0467df66",
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34f1a7bc80debebf0a0adf41b0f09c99cf7524cc746a5979d06a1ec594d8e545",
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e51b1cdc758418e804f64300bd0a5456389a79379aa30eb15d0d53c4aa9931d2",
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5bc0e780534523ed68293e97cda3633a6be7e754923dcba19f5b48e28cf0662d",
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/templates/etc/ansible/facts.d/nodejs.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27a25f5aa11121842717c6fba95c4e1f45016ca6fc484e3359f7baf0a5562841",
+   "format": 1
+  },
+  {
+   "name": "roles/nodejs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a573e197ee7fe9083b9c8277a8820e15f4ea9134e997d632839d76e12ebc3e6f",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/tasks/main_cfgdir.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "241f98e0b4952a6cb3a668bff715a177acf8f15553a9d68f442c319bc74d07b5",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/tasks/main_dkim.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d0a6109969b38e06716dc771c4e8319dbc485f59f5533c8cc6667ad63ead28c",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "49ca8334e423dd41a3da8a557f881d1210a3df4080e90338438fa5a23ec678df",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8cff32d614c3bf5c23618e16cb6b74567909d94d57413828d59923fc2c23d146",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb23b09340e75e03102448f537dbcb940b4d7a515049d4272e999941058c5750",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files/usr/local/sbin/rspamd-dkim-update",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afbcbd1a66e564706cf33a3b3c5f260a2cacb4fdbb0b09dae116d6bf70a0ea4c",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/files/usr/local/sbin/rspamd-dkim-keygen",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e28f898f0212d4f8dd6f860c9a4b52c374e4184c60bd255983eb37aad6895b71",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/rspamd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/rspamd/dkim-json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33b0e5f8ef6644886d7a04207532f6cffc5e83a46317246baba74755540eaa80",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/rspamd/snippet.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf86d4165dd8812cf58a142d7f31d971cdca08352a3f68baf9eaa0d4684916dc",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/templates/etc/ansible/facts.d/rspamd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95d98eb7466c32fabc0596f6d5ca458f0d501b152061faf1f86585117d532b96",
+   "format": 1
+  },
+  {
+   "name": "roles/rspamd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "265803b464f5352be4be431ae68dd5cb7d8858df048ece2e9989f2074f67c3f4",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8e8e27685d1353b53c53cdf158839bbbb592e04e3b98ea7c36182e639c3fb132",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed34e42f679664bc1ebba93661b580eb9322b54dbd875c1f09cf2202a5ac45e4",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "476c34c0cb4458dd18aee224957051b4d826649ce5f63a578fe765f3a080388e",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d76455a0560f2807d0308d88ba02e8a3f48b204ce563610860063386eccf858",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/includes/role.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff6120c9033872e7c706679efed4db25d61f1934473a04e23578165a9870bb34",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3a867764385fde07374b03402483580a2be6ecc1a945e61ad4a385299a273c1",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/playbooks/bitcoind.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01cc815d97c9c3b55391d20f8833b66bd831f6a58145ce0e3d514037b391a8e6",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50f9f756d9dbfd2cf8424f05cca856f907cee9d4309bb5746c45befa40ba45c6",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2023bc2ac5006ec2a021c6870c198b0f13e545d4e312672fc154894ed9bf2eb",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e244578ff47271bc2f23718c5cfa367d04fe627880811024ab9a04e61ab592a",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c6525da06af3b80c757bd35e87de1309d00f931ed066e1558422e0e652d2b9cc",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc/systemd/system/bitcoind.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95e3666362671004818f3e0c33feb37557c74581d190b23cc8d2d82893658209",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc/bitcoin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/templates/etc/bitcoin/bitcoin.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e67cad37e38bcc2b6151722b9f4dc93e90c3f758bfe3a60bc2002158f3d250e3",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3be3f404c47702a10b01639c63093f4e5f5c8d02636882215af30d257f557254",
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bitcoind/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e546805e0c952f62bf3f398ea764ef27ffb54c078a518fd232c9e25af9d0352c",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/tasks/slapd_tasks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b6c7682d7f276001270023bfbbd3960d3addeee23e6399c3a1460346b1d01f03",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/tasks/prepare_rfc2307bis.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4f05e5d765e24e96aec2c16ca2e7b409f739445c8c674376583db76b17faaa4",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "10b6feafadf5f46db67ba7709af2eb999a28e76e286336eeff30eda188883660",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e4db7211b4c6bfd1b87bd20ca2c4d69c9bd94229df8d45030ddc8cad09318f7",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b7989c0fb3368ed97cf98f2beeed7eec465054cf52d4e6fe7877cdaff01476fb",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/usr/local/sbin/slapd-snapshot",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8c06ce77f13f2e94d8cd3226d64f71d22d4e548612c14b4651aed52c219a40d",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/usr/local/sbin/slapd-config",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20e0118df1b350eb6b5c32b86d3c7c9d74ff3c918a3ea00b85c0f33c39740f05",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/nextuidgid.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbece32379e6e9b81d03ca4c0eb5a948302cbfaf130296a3aa4e7d40001bdbb0",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cc45384efecb6ab22c1078d3b8ccd11766e290119e05ed69b8d53659ed4836e",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/groupofentries.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b18d1f5027cae5d2a2a2fd46b826a160a68679ddc4661654b0d3070a80a641d",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "229278b223d3a9df50490d8c0f7ae6123abae1ab49391a4b06e5e03b4d6a59f1",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/nextcloud.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0341b35c9a139f70b627f20ad380f20da1db5355aadb9523f20f609647464f6e",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/schac.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01918a00fa4a1eda714fc6305f3ba2c5bd3885943819eb1c4dbd145413efec49",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv4.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5fd0b315810da99f7eb6d16e70d8d6063e2deaa7e6e52275476b4e8e38e0963",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv6.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "177bb72f243ea20e7ae28eb4059bd6c1e1ebdd1c928dd9b5b1491aee93ec0367",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/posixgroupid.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd1bbfe493784fa3336356f7628cee4204cfca446641eb38609ac2a7cc685d62",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/orgstructure.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "569e48d458c00aaffeef34d0b1a87341f1e78af7c68dedfe44fc862bd5329930",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius-radacct.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94984d8f287a4151962e60792395f3dc6afbf72f000d4b375800ceca447c0bd1",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/openssh-lpk.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "218b05b92b63e7aa2164fa9050052f6959180ee2a90a6f3483bdb9a6c8ac0bfb",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius-client.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa6e3835283a6bf006a811f67e1d15016c15874305fc4a7bb6aa10e255527a3f",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/mailservice.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6208a21516ae225bd28392ba01398bc0d6b3316f35e8f56f9f06880c1ae90fec",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/freeradius-profile.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d016c0cdb5bc4df395b4cb58269419cfecb4e6c40e98a13e7ae46c6dc9cae19",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/eduperson.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1007e406cc77d174bad053cdfe3d5b3b4f801ea55d02f29ae5cbe89d5904d58",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/etc/ldap/schema/debops/debops.schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e49ef110b5f33fa36f7437d48a8b99340e76c6cd71cea7debc5ef035f1bc9363",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/files/script/ldap-load-schema",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "888bd622364f96ca67e0161b24a938d03d4c4e47e5313049623c99470fdaeddc",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/ldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/ldap/slapacl-test-suite.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa51758e6d545d8a2999b21a594256e5eb6a21d4b7f5ed19536bdbca14dbce3f",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/default/slapd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "039eb422e7d2312d2daa31ac20c321b0642768df4995151f6a1b6eee6b195315",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/templates/etc/ansible/facts.d/slapd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a87ffaf0214722a498a68f38ae2846917a3ddedf333cfba560337a5f5be0c9c",
+   "format": 1
+  },
+  {
+   "name": "roles/slapd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81a16a7e3d6bba3b1388ff449e00458079c5089d7f58863adce9e1cb83f787a0",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/tasks/debian_netboot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "137787344fe93071de61bc8fc523d4b5839f98a6a43d49531fe7e1e55c3f3dfc",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4f5677c9e562f7948143d96b4d52608260889fa7691b5203aefe2f9f38a3115",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-netboot-bullseye",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0a17ebe526f392f380eef741812968016e0e9823da2e8819c447d4bf15c8a82",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-firmware-bullseye",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1449dfabbc1491c91ec8f05fcbdb20ef8f634ac593b6abef47ff23d1b96311ed",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-firmware-bookworm",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fc44e9909a63ba52d534f6b29e3968090ab36f1011af657ee8bf1d41a3fc9ca",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-netboot-bookworm",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b884e54ceca4f7bdf4ec1a8c96a7e02b43e6e0d6ae190852d3709aaa7e218405",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-netboox-trixie",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0096a345a2c70ce16696d7df722aadc5708dc3a800043354be7c63027d0c63af",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/watch-firmware-trixie",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "373b78e7ee93940294f1f27a07e49830dbc67564e1af3e6f88150ebbcb66e14b",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16e95be29b4e95c86649ad2c4b630735bfb4e67ab04b770f2942cb53bd196dd8",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4d09439b4a21b512f8dcb8cd391487488002af2f1512dbcdf57b77e35108cbfd",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/etc/ansible/facts.d/ipxe.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af1ec8cef7bef00bdcd491aad47ef4cfec77d28c0ad2bea03e740b3fc180eece",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/srv/tftp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/templates/srv/tftp/template.ipxe.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00773bb5f17200e4ba6b229743f2b68c556ef2591b80e13abc263e1d22c9219e",
+   "format": 1
+  },
+  {
+   "name": "roles/ipxe/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "465a3d8adb755378b3c07632ac5510b93898533ed20186e9fa1cb69bb3507fd1",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "525bc7ce33b2068088e027606603269db1e2b2088d8644c82c0b5e236fab0e9d",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "108c18dd5ee302066970c8b52df6228ae3e496ec180c14c7c3c9cbb2a1f3c6a3",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4158279a05bb0876c079e0cbd7c584f2b045c734be671c7c1e3bfba4f5e2ccdb",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc/extrepo",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc/extrepo/config.yaml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8869df63bad7e86652e773d0be80838d5fe2a5e92a3f11a6ed6c45f688eb88a0",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/templates/etc/ansible/facts.d/extrepo.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd18e5b040afd50677ee09be472d7f52fcbdf9ff9297fecaa646fc95d797cf82",
+   "format": 1
+  },
+  {
+   "name": "roles/extrepo/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bafb387b4d64dc1b07f585276af8bf5e6cbda1e544f1d66ac6652eb8f73e2d2",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "870aa0a186c4063a5c5d65ecd1ccd9843751d92100d79ac6032de5faa4f43497",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1122b331f11cf6b289ae487963ee1cb18493fc8ded46e8e66bea5a11e1a26ffe",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee69b1fda57a277ae6a11c4523df2d2b769a08d5ade87c2e98fc46993c884e18",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/templates/etc/ansible/facts.d/influxdata.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "93328fb1aa12c85ea323909e2b8529c9921e02f696f8b4f369f35ec334c09a36",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdata/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4064b1466f32e4534b472287742e935862ad765e9e2601d860f1d37a771f6d31",
+   "format": 1
+  },
+  {
+   "name": "roles/journald",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff7c9103dc3024855a37758bad699c6d5bba480c3a03bafda860dd145d74b21a",
+   "format": 1
+  },
+  {
+   "name": "roles/journald/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08980473e5de5b3276e4273c56af9e4657d8e28de4da1aac3e1e2a6f6bfcb6dd",
+   "format": 1
+  },
+  {
+   "name": "roles/journald/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36a3b1be4c56d596f8cc466ec50f9d059fd43f22a2fdb0a734715036252c4031",
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/systemd/journald.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/systemd/journald.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11df4d259a1b5fb0a6e6fabfe9a0aed701a3fd50c907933dea0a11dd773ca4cd",
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/journald/templates/etc/ansible/facts.d/journald.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20fa05ee753fb95dc7a11d215aca26cf203abde1746435b02b1180f34a846a53",
+   "format": 1
+  },
+  {
+   "name": "roles/journald/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3af9526c69ddb76b9598cf295491380f8a6bcefd4d9d3c73bc06038b34476ca6",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8bcb2b1fcd7c5d89ec171f050a9db88c640dc23b6e6ec56380f81362c4ff5ff",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ccae6acf5121a46717004a5e35eb327dd581ad1324500295204107cd7f74371",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d0131ca192f561a399cdc60b8b13b075d0d3939ffd258d168fbc37fdad780f2",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "311078a42132d027e166133fdf972f55c055c82d33cf3c4f78395b98ad7cd9bb",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/rules.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/rules.d/rule.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe4df013bf0e02bcd1a583dc517dc712ea30afae7f3b1c4dea8936f2dabc0199",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/recent.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4210bbe1d1adb4fad29282822db8e6530760c89f73f2513dc5d7e0ce4d9f7ba8",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/default_policy.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6544c7087f189b466f9275fa6b359117fca2b2df06b640c2a72caee1c31c2db2",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/dmz.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ccf4110a820f156d4748cda5b5d2c8ddebf1254473fb4a149c000054cdd24e5",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/include.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e58db9a5e312a7840397aa213c563daf9bcaa39aeccfc9e2d2d6940db7b67d99",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/accept.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47a258dbf3f5fa5086a885af9beab503563cfbdccf42073fa620ddfded2d2723",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/log.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b0aafb9c13713c8dbe64bf0b080ab8333d8cef4ae3e6762b9c7ef29de123892",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/custom.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c4696aff29713613955367bf5de42996584c50cc710f7425e12948d114b073d",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/masquerade.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0f58fb88dda19bc10a9830a6bee66e9b3b69f95770a0a4cc433705571fdb3fa8",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/hashlimit.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d24a0083c21174de213425aa64871aeb6e31a61ab1ac2613145fe37c550ae273",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/fail2ban.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cfce3e253b5a8be972db08a4b87eb9e9d859cdfce719af921e17ef6cb2ce7e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/connection_tracking.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cc13c503fe7b12cdd9d0e6d4c53ff5fbe42526cef8fdd9f0ec1a9a3c8fc0509",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/ansible_controller.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8358fcac6c7cc9ad7c80f83889b57903d293821f4886cc29c4073bb0a8549fa",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/ferm.d/reject.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "551bb30718285a5492c1a043cb0d800891dd0701e9594f39160701cf89923663",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/include.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a54e9a2fe31b6a265bc533a04593e10fb7d78044d47f9115726e1807e1e05e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/accept.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a54e9a2fe31b6a265bc533a04593e10fb7d78044d47f9115726e1807e1e05e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/custom.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "196cf5419c450c70c33959331b743f42ec2f0a6966c7541b8b86c5e1b16c4103",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/dport_accept.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a54e9a2fe31b6a265bc533a04593e10fb7d78044d47f9115726e1807e1e05e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/jump.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a54e9a2fe31b6a265bc533a04593e10fb7d78044d47f9115726e1807e1e05e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ferm/filter-input.d/dport_limit.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf6f7bf160bcff0ddfb6f76096b5c80e11e1b62132d9bd0d8af73cc0a5b29a2c",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/default/ferm.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "024c1cdeb139e4a5a61b3d4356ec3292a930fe7297e17e01d627603600db180a",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/etc/ansible/facts.d/ferm.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77ae24f57ab90242082f576d8f42c0443a4cb8b3e0e8f07c064e0b6fe723adc6",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/lookup/ferm__fix_dependent_rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4e4409b5c87ac26ce84c828b11195da344a04dcb736cbbbfbba6e34ac1abfd2",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/lookup/ferm__parsed_rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a62d06dcd203a5e9094a5a713680b092f4c64aa2705dd2cd66e760457daadff3",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/import",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/templates/import/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e32a42d7e566ae3556cd05839d76c71bdb0650c2d9db47cefcd5a21410cbc499",
+   "format": 1
+  },
+  {
+   "name": "roles/ferm/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "75ac5a39907c378ddd3bd2099568eb180334a51b78d7812b8b04e3502128cda2",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee2b5af84c5933a2cc42cf5c74dc79f6f290e7f4c132c22055e44702ed3d15dc",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a19dbcdbef78710842707d1fc6e6936b9152b414ecba65885b9fbc369940ac0",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "215a628baafef04fdf2c226130dc08c50f52fa594e6b652a301d94185fad4523",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/systemd/networkd.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/systemd/networkd.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca404eb174596fea98f68639332e07d431195404fa31b81b51cf25a4e4da7a3c",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/systemd/network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/systemd/network/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e919210bfa30a824f7deeebf7eb0f2ce3d8b1e8316d3a7a8175f917d42c09079",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/templates/etc/ansible/facts.d/networkd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dfbb4d10378b9c37f80f337e18e13e69269c09cdb5f16f836c7654f14b503d67",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b5a8a519af1a44b9a8bc59197afc9e8ed044bd172e5ffe9e18f76daee91ba2d",
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/networkd/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0aefe36dd990f0dd508629035992e847e0461a2eb640ae8cc89b236b96eb3312",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9236a8590b17be9ecba139de3f21517ad91c721a5f3918a3de15f03f9ef2a836",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/meta/watch-etherpad-lite",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "700f15aa05087061b1cf9ff15b1a501b4b98b46aa15e79c8364a6899c18c7df1",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e77def55f1237436bdb566c203619d41c4176503c00b6961c0dacc7dfddebac5",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01471a70e4c13bf61a6422b6721d5d9da55148045f61773e4a77ef333430526a",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/init.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/init.d/etherpad-lite.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8afaaa0453065d07ac5c8a61214b3bcc2ab901dfd3bc49d99aa778015b74bba",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/systemd/system/etherpad-lite.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3705ca0af276212de606f841b2ceb6035bd67d3441703d3467559411f4b15668",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/default/etherpad-lite.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d25806c2ef3457d6881d3463107f3464359ec9b72775371bee7b46fade8597b",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/etc/ansible/facts.d/etherpad.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "539faa825bd74e3365ef17683bec08d29d9f6b775a2cf82b5372b8e8c06e2a91",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var/local/etherpad-lite",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/settings.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3178e3bcaae5c9c3edbca46d7430fa9bf1c79639f429746aae3b68af7d77c6e8",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/git.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b0441bffb14844bc34f6af7b9718e61ae6616b5c09161e799aabe7640c7ec93",
+   "format": 1
+  },
+  {
+   "name": "roles/etherpad/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c7913203b53e2dcb920019182b93d836b27a568785697761df2df10135cf2cb",
+   "format": 1
+  },
+  {
+   "name": "roles/locales",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69ec847dd9805a960b1c88a8e1363666f220f09663565515e10de1782eed7fdc",
+   "format": 1
+  },
+  {
+   "name": "roles/locales/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16c2b8a8dd63e51861af0d609d2c9957e357f9756749f5909d977566a3985088",
+   "format": 1
+  },
+  {
+   "name": "roles/locales/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3cd89edc107f2bcb22a98a41f7e967dcbb9417dc3bae645ca6e025ba9e5fbe8",
+   "format": 1
+  },
+  {
+   "name": "roles/locales/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/locales/templates/etc/ansible/facts.d/locales.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d29282e8cc3d4ee134b3d0faea4c59bb6fcb61a5246643659cd274fdad44443f",
+   "format": 1
+  },
+  {
+   "name": "roles/locales/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "080d12b3a69a2719860f934112e90a9c4925b55ca6fb11faf8143b509a6c1e55",
+   "format": 1
+  },
+  {
+   "name": "roles/core",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f3ac9d0ccc814f8cb21993edbfefa4ec17caecd060b84640c108b217d21a959",
+   "format": 1
+  },
+  {
+   "name": "roles/core/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "569ec1332aa5c8a50409042478a7a99f06cb17353eae371a7c46f6a76b9808d0",
+   "format": 1
+  },
+  {
+   "name": "roles/core/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5594dea0b9c0efb833d322f0ec1e647530916abcd6feb1821f5996ee1118b5f5",
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates/etc/ansible/facts.d/core.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d94561daeb8efd4198fa805c9461702b66c9c3ee9ef97874cd987299c7b1bc52",
+   "format": 1
+  },
+  {
+   "name": "roles/core/templates/etc/ansible/facts.d/tags.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "883d1fffbee7835bf8da7da73de76fb93e329819ca28ad8e1345a2c26f4e6a79",
+   "format": 1
+  },
+  {
+   "name": "roles/core/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89d5b10069cafc54e598975b620a7fea2fbdbc13033c0000bdb168753e595ae3",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f62d14997a838dec6c8eecd4bf5e69dea109d064443ef9e44888456b3f193714",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bce05d80eeeb62ac9fb792ba945f009ea1297b51fa53bf602d353a26c4a3a284",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "328aebbfc44d18ffff9e0ed82f64b3f52f392c18f5461134336a0182655312af",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/gitlab",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/gitlab/gitlab.rb.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65cb9317c795463ca31ada72adaf345bc2ba7b7a0d1607498da1d29b0987790e",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/ansible/facts.d/gitlab.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30f3ad8f2fd0f277e7276bf0830876ed46a8c415facd134856b1260c2c82736",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/cron.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/cron.d/backup-gitlab-omnibus.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9911529ab17f8a7f912eada4fda0140881df0403acdb21c3ee54d52948971720",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/templates/etc/pki/hooks/gitlab.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1eb496883265486d7686a621c719731ef640e026a537c2422473320b0f725d1",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2fd2461258704695794afc5740b4c964e1d903b0865b72cb8c8cb5df59953d3",
+   "format": 1
+  },
+  {
+   "name": "roles/postldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ee470f9abbf1fc55c44d716f8e05cf2ea32c8f33fdce405bd4f4879d15ffd8d",
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9719271e59889dae3f38041bc9d864e0762c88b0e77b5ffad4db427550750a7d",
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e404db05d3a20b90690a81f66e55858698b69c92b6b5478ce394d5fc965fc002",
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/templates/etc/ansible/facts.d/postldap.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33b85e9bd760331f5e574b058f4cb0b5d94b4ee4a0ad0ab90e6810abf6e76372",
+   "format": 1
+  },
+  {
+   "name": "roles/postldap/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc6cb0d7a6013e5c413e8c99b136074b83d60fb469a024f4cd1965abeedb56d9",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/tasks/dokuwiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/tasks/dokuwiki/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a8eeea21f3f0697230b5ae1c0339384a1da9904e644d6190a5f6d2f35a0c4d6",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/tasks/dokuwiki/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a8eeea21f3f0697230b5ae1c0339384a1da9904e644d6190a5f6d2f35a0c4d6",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e8b4fb642878cae049ec104d712009d4e646fa487551c818545e549a4819fc2",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/meta/watch-dokuwiki",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f6a5e0f1bdde3d05378d3050a9bc3f3f5c4f68c70eba6c1ee2830a7db269c83",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f86c0c4cb22d034892eaae0f6f2bd271272077cf558146b399ba24e916013166",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e98f0e71962a60c51df55e7c9c32f73c121ed1926a997b85d5a18506974dd2d",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/README",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62f9354be73893fe8e8b941a911e9660761836250804e62391ae19af274cd0cc",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_attic",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_attic/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/locks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/locks/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_meta/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/cache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/cache/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/meta/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/attic",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/attic/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/index",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/index/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/syntax.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8b2701275e914f423a63eadeab11ec7d08a138e29b4ad4944a207dfee428216",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/dokuwiki.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09a840a35ddea88c2b26b071930576b712fcacf16d6238b46ea2812fdc9c000f",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/tmp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/tmp/_dummy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media/wiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media/wiki/dokuwiki-128.png",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de98dffc73400115b5062da0b481ae49a20b8b5c197fb59d8417d509e2d57478",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/users.auth.php",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7399965e9a754d368a5e55ecdf2e8ab397ef5a6893b08341f0dc24fe4c809fd5",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/plugins.local.php",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "156ad2f257fa03afbe938543887563b0cac82cea95edf0eb3217a6416c9b8e73",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/acl.auth.php",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ceeffb71ca32c668b21d0731a366b971ffd6b9930a4ec01ac3ad327767a01db",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.protected.php",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f8ac3e72e2968a509499ac16570c9f62095d14ab7b45d2783c7285e0c98681c7",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.php",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b65c3eb03bcc9028850120ac8cafcbf60646249d62d9f612857fd586b5dd40f8",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/etc/cron.daily",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/etc/cron.daily/dokuwiki-cleanup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f90eb8cc5626ccf8190d0b64ecbd3d1ca4db4f9389f9994ba77b01751901720",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/etc/cron.weekly",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/etc/cron.weekly/dokuwiki-wikipedia-blacklist.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3e20dbc02295fe2582d7d8515b37f592d81186b0c89b2b1a98d8574a95cc130",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/inc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/inc/preload.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3f6d354833826470bcbf718180e40be22e82357c07d6ee4cccbe8dc12fc4310",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/local.protected.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf569335543612fa803b729ef6868a4ca6917f451da694e8c087fabd7b8d13ef",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/plugins.protected.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5a6b03aa1fee63beff44884ce9141727911ea2a692c78d90b51302b401769148",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/mime.local.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26c1bdbcced990e4550c6f676602c1e27cb6e6dad64329903b0dc54ff7f5a0b1",
+   "format": 1
+  },
+  {
+   "name": "roles/dokuwiki/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "215f0eb6af52204f193c94dfda72ad8b506e44b5fa572eedf864237b62b3e7f5",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a70661f35c56b9692ccf4a31716f941692d8a1bc5a7527155bfba248eaa8cf14",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9df86658acc1b168df62f621b7d46005a3b670be7b5f3b87e881cfa2365ff3ec",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81cf7bdf9b36aac06933db9a2464bb7518fd604ec356fabfe56569274d44bef4",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/files/script/apt-mark-status3",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38b6881e5c5757edc6b39d81ffe4227a3e3db6db3c6708a142f0ed898ff7b6a8",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/files/script/apt-mark-status2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c9ecfd18fe5459a2b750ab6de1d6db4e16742437339ca6813af57a89903758b",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/ansible/facts.d/apt_mark.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6235961f58cf47da012ae407ce97214cce53f1cd20dcc49d0244765f758676ea",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/apt/apt.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/templates/etc/apt/apt.conf.d/25autoremove-recommends.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4de580b3cecfb0ebb62b4f6871db045dc7cf03634a800b6ea01c896c60a272f",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mark/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "942cc7311b21e4139e2a2200c443298022675e7b4229d6a46b9e12f3fb2926fa",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cf6a6c9f7e2b44a6a16ca819deb9a1d071bbaa24ec71a61e9e3a1b527f61c59",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4cc713f8d6b2a380e4a30ee244c70a6fb133c6a4e456c6a267874b5532cfc916",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4355194df35599cfb55a3981ef3900b46bb96b9515fef86aa7d0bf698d1c9be5",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c9e715ec9a0bfd50b81260d22c03f0dcd2bbc9b4fad505f9efaa3500cc0138f",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d76455a0560f2807d0308d88ba02e8a3f48b204ce563610860063386eccf858",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88bd5a6e62da4efc1692711ab8631ac69ffbbb04ce0d80a4aa3c5b0c648dc0b9",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50f9f756d9dbfd2cf8424f05cca856f907cee9d4309bb5746c45befa40ba45c6",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "071666d5bedb3b76ce24dfb2fdc11042daafdc6434af2b83d92476b9b297d95f",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76d600c8e8a5539ed7d515ced0f436126470e225aad8f0e3174bc1b9b53af019",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85a8f2f63b73418dec09a2e38b4cd54d157879200575a666b79d39a3cd215a9e",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/systemd/system/home-assistant.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d35d81116d7ef5ffe2c924d6ab28f1a62f57ea459a94b42e6d70b9b0607b342",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/nginx",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/nginx/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/templates/etc/nginx/conf.d/debops.homeassistant.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f40300fef537e9255785cbacfff821708ea031aae8d8f22bc38e1acc7a7dc3bb",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f4b39e0514fc074e3dbd2074414519255c7df7d770cc48bbd25445e9a44977f",
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/homeassistant/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7be706dbb9033184fd8630b53cd512407b64aba50d14089bed63480ff24527a4",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/tasks/manage_contents.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2c10a89f05bd31c936feb534ad28b149cd941338df1ca3f8e00858bdac599917",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c18b8348278861dfcf058e130b7a0ce98bd123ee632ebed83b15abc314d24325",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37cc5de4fa594fbbf1cec03580841c221d55169bf3e590f243af2178c68e7c62",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac57d301c20bfbe6f2204ffc2ebd583d764d9987121cde1d9407aaa31dcad85c",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/home",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/home/my.cnf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e64a4d6e393f2bc9fb2a6da6165d902414b15c46963b8d92dda173154b637d9b",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/ansible/facts.d/mariadb.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b62c13794885102688735b690d3067b2659aba117c9d433ebae2df91913d2d5e",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/mysql",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/mysql/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/templates/etc/mysql/conf.d/client.cnf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "45911e11875665c3d8bec49907cb2a04375bcaba956e552d50f9436ed5918532",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d213ca75b13544c9bafdc619adfa4e75f8577763721abf4bf7cd154a575ad4cf",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks/dovecot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks/dovecot/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbfc60adec22d7e1bc2796fa7ce200fd5e4a737784ff8371224de79148f23325",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks/dovecot/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbfc60adec22d7e1bc2796fa7ce200fd5e4a737784ff8371224de79148f23325",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53b99182e131ee620001f87e8cfeee67ab396dd43a2df5a1c0ac6ddd05a0075e",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "790d8ce9939930a854dcdc24e8cd342329e93cf05bcb72f20a5baf16b2834d1c",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaef59a932abab57afd68e56da7b870520d03d1b494fae1a84ad6314fd9c75c7",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8304213c9c4a3193218d219f7f027a509259c5411586f62af4cab97451c851fb",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f029ec125f13a2d0b7c2f380907c00c741b3b835421f845139d9c72a0801d5e",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot/dovecot-ldap-passdb.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3632ea91075e8e4ded2ad8c7cff4bfba45d55057ba64d8afa5c8e45dd720a55",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot/dovecot.deny.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cbe7d569eb6e943fbda646732aae1a552e206f089b44e12ef81ebbf0d40f2210",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot/dovecot-sql.conf.ext.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58701b31efe69bac801cf39ebbbc18db96bfc63f31e267e9edcee54b77c70339",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/dovecot/dovecot.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc5ec72233e4aaece9f1f2daba2e8d4a1ec47692a18f8aa1d5498ae18879560b",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/ansible/facts.d/dovecot.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e45535b35b2f5490219bd67077f998cd761d2e20a9b036b9e80d74700f7683cb",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/templates/etc/pki/hooks/dovecot.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b855220f3eae197fe5f68ce8d7e911c99044dbf7bacf3cf0e811604e47fce48",
+   "format": 1
+  },
+  {
+   "name": "roles/dovecot/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27c422bf899366230dc9fc5fca6a1d1cfbfe9314216f5cb511763795ea6225d8",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2b80367328933ab8976275bcbc57897e2674e899ef446037f0dffa21322c201",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "962726a0657a970122b862d76900541b9a42a390732779ef0de34ab5b93669e6",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2093395f2ce246c9ae27604f590ca735ad74c2735bc4f804fedf4627914e0136",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/telegraf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/telegraf/telegraf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/telegraf/telegraf.d/plugin.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ddb0724da754948fa73bc90d06c9aa27c5d981d6c3a97e0fcea78b4f1f73e01c",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/telegraf/telegraf.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "40af20e4338579cb2213fe74cd3fc36b67f52c70028b834d4df57baff31d83ff",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/templates/etc/ansible/facts.d/telegraf.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "127a4cba5ef1f6a3d1dc52c00fd96415e4ee1891ddf258b1e6478664e5e40493",
+   "format": 1
+  },
+  {
+   "name": "roles/telegraf/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0c38c8d3557e534ab41c921af617b1b36602eed5e1d01e0df0caf2bcb524826",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01a01e7526ba5dc8331f595d5f03a828f884f8971f60febb16e10a2f0be313f8",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78bc3b8e793901cf000265fd662164bcf2502e4a6d589fb0ec386c42d791d74b",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04cb5703b431c392b6a9d3bc5427b1662ffc7bf45b3de44224b11fc26f1a636a",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "751b4e73779700fe386bd42a0438de8d0ce39e62ad5f7e60e959bc08e37c1ab8",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc/kibana",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc/kibana/kibana.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b400f3f4937d04b3a060a103e17d054bb3f8b9b90fe57d414436190b0838732",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/etc/ansible/facts.d/kibana.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "51d9e1cefaa70170379acaa3eeaac4cabcf715a82917e2ca825af4798eae539c",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/lookup/kibana__plugin_configuration.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c277e62781d02d47161f0966de034073bdf85baf0c94f535b9d395938774c9fa",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/lookup/kibana__dependent_configuration_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "313535cdbeca3d7e2bd2bcc753663fa93730fcc89cb3e4231ff6918592fc96c4",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/lookup/kibana__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eadf6a6641e93c7dc61433a10db4e55ce616bd44b558e95ae71bf85ef6abdaf5",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/secret/kibana",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/secret/kibana/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/templates/secret/kibana/dependent_config/config.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c97697b0569ee6bdd0f285c6e3fb54dabab04c60661e79295e716ea1381538ca",
+   "format": 1
+  },
+  {
+   "name": "roles/kibana/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ed7589a4af75c5b75428bb3713f653ac44b5df75c064f6af0f9a5c5c6ae26dd",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1fc3362a43777831db174079d55adbabd06923cbd9b9b43e684825e13808a7a3",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1bae91ec7cdf127961fe285334f5f8fb4cdd754af7f80f8c168c6be78d2cded5",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f76b0c56cca0680689fe0f01935755d5a8734f7343ab9149836402ade2d4bccf",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates/etc/default/nfs-common.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "514cc0193a2e0af490266db5e29a66d920972746400035a11f9bedd9ccbd1e6c",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/templates/lookup/mount_options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ddf83c254229067cb0979ba54271ba9a51dbfcbf1e2f19a7409c028d581685a",
+   "format": 1
+  },
+  {
+   "name": "roles/nfs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e05130391995cf1f43d61f305fc9349d76e8e105454784c2293997544a9c9d9",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b7c2bfc02d1c4d21e4102fb038c2c730700b3aa0cbdf949d66d3275ab22ffa4",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74768f2dea19cbe40b8ac9e88eac016caac0a2c32f5bc1c730aa57cb78f6fc93",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7216da25425b7938769e4dc417675512303fc18cf529ffd089cddd33eb036870",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/templates/etc/apt/preferences.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/templates/etc/apt/preferences.d/pin.pref.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2fe687c3a2b1d4cc64b50fe29efaa25361b8523a1b4f9ab9b5b53ff34ebb0642",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_preferences/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06f819870c863d62918edffd611b05a95911e1cfe82c6392e263145176499dda",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c403f909b344db4a126463088222db7039c71e572c036489da6a682523f136a",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/tasks/configure_clients.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee274277fef63ddd59910b88814d90137140041f0b60c20ed3e1a4e9b421ae32",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/tasks/configure_servers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3c63ca577414df8833dbcc329e35e533927c0a8ad415b37e1ab33cc729f8c15",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4194c91dd81f2e74def87aea71a62c13fee7b8f84759c0ac35bd7cdbcd6192fe",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e5973491b426e0707375cd42bcee3db98ced4a9a537aa09baadde5b05e2eaeb",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52cb4a475dd1f7dd52435e748a7805b7fd5ef29f409242ea4dfa68cef7b8b5f4",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup/bbackupd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup/bbackupd/NotifySysadmin.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77e96bef40e50d56da9bfc345a6ad2d78f01498eff646cdb98570391af888c80",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup/bbstored.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "996cce72aee5f694d52ba501fc22cef342498a16acea0f6409c23310eb24c00a",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup/bbackupd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35479110960724349bfe4cb0a04ca787bc51f75e0733b30f93beda3cfa86609a",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/etc/boxbackup/raidfile.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c0d004067496c017836afb262adabf675007a602628b3a518a8d327d1b10464",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/templates/sign-cert.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0eeb20cf5e868ce2ba97eab379c63a969acdf6188dde9a3bcdbcd1ecac4cf29e",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d24f0501f73cc4697b254034db4dc483993961ebdd8bfe68b1e2de7ed49ffee5",
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/boxbackup/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "405c2a826d5dc8e3a3e1c1e74ef05bff7f851ba51af39de9664067c874076912",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20ef06e3ae03a7d56d826f6b48f5542c56a99f04fa3e1b2bf76d5fdcbb51ecd7",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "062ff6f902ffe49d4529b917d638670e944ddfdc7f02e8eba05646fbafa473ba",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b7ad6ab96d1aec71d459c49117064b07ad24c966b08f65ddd55decda55bf04ff",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc/ansible/facts.d/zabbix_agent.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ed2b2c4239770c28cccd1b4c998ecf06331eda1bd33c9d34b7573b0b2a11239",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc/zabbix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/templates/etc/zabbix/zabbix_agentd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62f57c60dfa243c6c92d8810fc7f6b08ebf0dfae34ed9c090b2427eb61150165",
+   "format": 1
+  },
+  {
+   "name": "roles/zabbix_agent/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d57ed4f68edff2c8abc84a70125c3e09eb9eac6fe2c6d59adafcd385f69259a",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66d49f2c64ab6ceae643f3bdab6c8ce1ee134deff9e556865940ad50bbd3da37",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b3a79afe36ea4105af6914b60566f6ea862ce5c066e704aa9f57bd6392a2398",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c0724e6addd7d9dc479004fb87bb4056e51a119661af5330d86db7d26d6464de",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/files/script/getent_passwd.py3",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d74a6687e2af0079f959050abb120d3758506a1e2066d020faf0c3ac7240afd",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/etc/ansible/facts.d/system_users.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ca9a3c07e4ae12434b33bc35d93815547e065ca13788a2655127ca1f53f979c",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/templates/lookup/system_users__shell_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a2a6f22650c723ab92ee79d7469d91da500ee9d7460288c4bfb7176226d853f3",
+   "format": 1
+  },
+  {
+   "name": "roles/system_users/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "069d3ddc6c7cc24904a38456384e16a22e4fc81267439010596477f1b7dbbee0",
+   "format": 1
+  },
+  {
+   "name": "roles/python",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/tasks/main_raw.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fad705ca1670ad38926e9ff5f34c6314884ad95a7ad051d2a98326bb8283bcd5",
+   "format": 1
+  },
+  {
+   "name": "roles/python/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bc9b70b97ba704d01e510cc378debc1ba283b639965a8144406be88db7368d9",
+   "format": 1
+  },
+  {
+   "name": "roles/python/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc48644f2858f25a0e1f578b6c7ab15a16aec25e3ed21be93b352e8ab1bb9652",
+   "format": 1
+  },
+  {
+   "name": "roles/python/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43bc8077f4288dc6efc02029904b0c325fbe87d5d6bd1fe1124b42744414622c",
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates/etc/ansible/facts.d/python.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59179b16853358d48ffafefc5f9f4171e75150083586107f5c9671de7e479bfb",
+   "format": 1
+  },
+  {
+   "name": "roles/python/templates/etc/pip.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b2dc6bc91eed5bd6c0cc94de039ddfbdfe28aa08316e7018a20567871eb856a",
+   "format": 1
+  },
+  {
+   "name": "roles/python/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf6c91a07a389853336e981bf712a12b71d1e594230e8f15739ef61b24532ada",
+   "format": 1
+  },
+  {
+   "name": "roles/reboot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00d189723968d289952f2ab318c8efddd1e04fd3504dc85d1589c561470371db",
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90f885807db5aacbb98d9599879e0a700ab1f4f497c6a290a48154523ea52840",
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9cb79c1d5c0e67ec6c8d88219a8df7ee42c6116826cd29d77df46f6d987a72d5",
+   "format": 1
+  },
+  {
+   "name": "roles/reboot/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1d3b63fdf6d2aaf633a0a25c6919eee5026589d825f587ed416d02a88b11500",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da6aad8b999ea501385c5642f854b1b13b57306510e8aa3fb12e0e71ebd1dc6f",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-serf",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88f00bb4894cfb247f93fc89c71d553e6e59578e7a30a502a72cf3e2eb5a8226",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-packer",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83da57db8f70f97e09450f20a1c0c15ccd5b8cac4a4e76fd01f2a532ad606766",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-nomad",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63fb48f75f46bbdcabd560bc4d91081fe7108456578eee364d4d8a7bbded75c8",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-terraform",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b954571b30f208645adcb784ff1c52c9fa7f81e4dc47a21e88c2fad39eca2caa",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-consul",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09da9371b4830bfc6269eeae1c442d6864c587ac50de443aa2ec999c093495c8",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-vault",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8e5ef63fcee6120616ee46ae587aa81307a4d7d3b7ade06609a6bfd85d13cc6",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-consul-template",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73021bcb7883fc061c5f1cac262ea18da958167516d65bc096ac7a4c4373015b",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-vault-ssh-helper",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3560e617f78f525b4f010902c6dc0fdae92d3f2291e4d96104fbcf2d8ea7ddb4",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-atlas-upload-cli",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3141721e8d773e15b4284fffb0e2135e959031c02956ec2917ae4788f52ca927",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-docker-basetool",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56830d852c9d3db83a61f0e321e935a9a6662e4abbfbef12cc22c547c8c3f86c",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-envconsul",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2cb73eb1af5c3a5fc047c1fa110997c1116bc0d43fa55bd3ed2e1ced6a74b08",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-docker-base",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20a89a21b5f99ed563556616b372885b375933c80e8eda7b871d08feb4c4b5f0",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-consul-replicate",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ea4ea90e705ff2194d6c94c6a1543b642624d763b02a5cea753b6167e3dfd740",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/watch-otto",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b36864e5bbd3d6d871ce3e8e297605b6fd43fda7081bdafd10d3f51845b1dbf",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "decf167413e99355486db0bde08710f9fc2cd5c8a014ccb6810b6030c3de8429",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25bc308e64f4e5e8029473d2e07dffffb4241e8ca59fab8e34df2312363523cc",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/templates/etc/ansible/facts.d/hashicorp.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97825fde32aecf15e5a9c30d976273b1d011b4ae85c33d5d4dc70bf417dd990e",
+   "format": 1
+  },
+  {
+   "name": "roles/hashicorp/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b1d07278007e0004ac4945cead1b5d9ad473b9ab03f28ed74f46f1948d220c81",
+   "format": 1
+  },
+  {
+   "name": "roles/atd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52c7264e869a8ab4a80f91baed06d922617d0d9640952ecdbc110970d48867ad",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b65096a6ea09ee1a1baf1d1f919e682cc672ce968109a83617cd0ace55ba0f1f",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bf82cc43b2bf033f6bcdac13f688731c077e0190180eb3e59daf595f8741018",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/systemd/system/atd.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b13c9855ac6cd0381f15250572f083d80048f12964fe0e8b15ee8ecddcb2bb2",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/default/atd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d61bc85b5960deca6ca9b37d68637b743342257f5148909bea9a43b15680390f",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/atd/templates/etc/ansible/facts.d/atd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5e22a1fc5c3bc3d8891e20b565f74a7e4fa34ba5c55ab47a1b50e3378bb1058",
+   "format": 1
+  },
+  {
+   "name": "roles/atd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1207b1f3d34931634a7b64b2ec0cf3f9f10eb2e8d4af4ed9a00f1828fcfca0b8",
+   "format": 1
+  },
+  {
+   "name": "roles/auth",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks/auth",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks/auth/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e7ebbb7dca0bd78aadb717168927cec86f27342770fddbb8436d991d2c694713",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks/auth/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e7ebbb7dca0bd78aadb717168927cec86f27342770fddbb8436d991d2c694713",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26f2e6bf1300f46a5969af164bfd465d089b982ea82be749bfe7ff3b0ce87e9e",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/tasks/pam_pwhistory.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3a0ab794b1d91b433c8907426536306c5f08aefac43328158b0c3f635968cec",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "244d9013e26595971fef4aebd9dafd439b57d35931f3d518d6dac3feea76f838",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ee8a9de81f689cd6f064eab2b5f2474ff6652c3145ffaf0ac19db301c2b79b4",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates/usr/share",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates/usr/share/pam-configs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates/usr/share/pam-configs/cracklib.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e2b7632c0f38071fd5d88d9ebb47b7ab7ac11a6dfa45212030dbcfb00552b09c",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/templates/usr/share/pam-configs/pwhistory.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d36a9b6a5a778e4ef4ac950222175615ab6f62c035c1646afe98f9cb7770c127",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e557e5096ce80df607df729011b704f05e3d5b26af2472b5e7779eb45e60c13",
+   "format": 1
+  },
+  {
+   "name": "roles/auth/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/auth/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b5b2737b9c81de7033a9a0fc3613ab21cdb8213cc4e070224711c8d33c00ca4",
+   "format": 1
+  },
+  {
+   "name": "roles/golang",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/tasks/golang_build_install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f49b174a31a47e4ee38998fd71810b90b0b6d72c4700f0dfe265cf691bcc930a",
+   "format": 1
+  },
+  {
+   "name": "roles/golang/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe035ab9f51829788484c805eb9a0f1cf54da9e431b0648bd3a33151ed280c10",
+   "format": 1
+  },
+  {
+   "name": "roles/golang/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9b281fad5f2c14df8371259b919263b418e00ef8dcdae951e2f95815a9924d0",
+   "format": 1
+  },
+  {
+   "name": "roles/golang/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d931aba7d622b61c9e32084ad34bb30d07c62a0f082e85aea2ec88f8392bad29",
+   "format": 1
+  },
+  {
+   "name": "roles/golang/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/golang/templates/etc/ansible/facts.d/golang.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3e813c7aa7451b00fb318070fb4b5b9f52e083839411fffb25d731925399a62",
+   "format": 1
+  },
+  {
+   "name": "roles/golang/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc8536e76dfe45631b98f3268ec0da141f3b6d2c6564a27bd2a09c0947103d4b",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a687dd6344cd8154c9a1ecc61814e954f4515ff709f648f36dbf6017e3f979ce",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8886bd3eef23e776dc4424ef22ce9b995617ca9bbe7f88db5353356c39a68cc",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c1c9bb3a8e52d9ba890f2a302a12bd380f6ca9292395f145f7f4daa64df91b3",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "68e84adbb6573d03b13aee7a8a3dc60c40d5f30305c897681d31c663120ee422",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/rabbitmq",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq.config.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "15526136e356b46fea27891660dd1defd3679196a6a73d2acee74171a8f98287",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq-env.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7f19b96f44016c148aa6f34bc2861726e6fe992e0afc73ba1e2443de816c5ab",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/etc/ansible/facts.d/rabbitmq_server.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a20f4f4078cb5a6e796ba85f49f0c051dceed55d643a611d117c2370571c9232",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__dependent_config_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c5227f350cc5b5e94a9cbed7cd9e9e71e6575a4c0ecd0e68cf4294a0cecc1b18",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__accounts_vhosts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "75fd3f6625e03c5064be4ba7baa814eb0336eeb758f89d181191df6b8ce77140",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__policies_vhosts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e82aeac1b5796f07eba74e08c07e446b74d197ad7b960d907fde0d583bcf905",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9eaa767c9055eff19b1caa3537fe8d5337cedbfe07e468e6806d1e43e0d39a6",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__admin_accounts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c7a7da16241ec6491e809ac5395f1a18b1059f414811e97424e453a76c7c363",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/lookup/rabbitmq_server__parameters_vhosts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "15aa7cd62bace4d2bf861e741b217fdde69d0013e88db1b9c6ace47c1ad41da4",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/secret/rabbitmq_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config/inventory_hostname/config.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57691b66813c1dedd0cbcecf0cf1eafd29d9096ad0ebbf67876885f3c50df89f",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c95a692736320da5a7a6db9bf9fe6f9d3a622950ff14bc17b2ce93cf0049438",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/tasks/sysctl",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/tasks/sysctl/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d454fabbebd505c2400e7d93d8a818491b04f8cd89e113944cf06bdd2feb17ce",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/tasks/sysctl/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d454fabbebd505c2400e7d93d8a818491b04f8cd89e113944cf06bdd2feb17ce",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe09717c24fa00329b34777761879017ade46805806c59ede293068d7f7335ec",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb126d6f4345e23f4a02b290f6a84514e830d1e45b1ad1812af0f5dc7690e3b4",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f7b2998c4d514256e0d4c6d9a3731122911a6f9f9224d1a0a585fa53c2835a4",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc/sysctl.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc/sysctl.d/parameters.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0423ec119b31b50f92a09595f2bfdd8f4dcd6100fdd32581ccb77a9e48eaa3b",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/templates/etc/ansible/facts.d/sysctl.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1983e51cd587ba743f95e4a6f1697d9304c7079da6de7ba53bdebd71970cb1c",
+   "format": 1
+  },
+  {
+   "name": "roles/sysctl/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "df6ae6f7c72c1d6c6169b88f450ae58dfb83f7fcef50e1d52aca56ba32a30f00",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a21483b73d4b3c3afd8e6b285a87e1c4483e97f97fec58326e1e4fbba1acf497",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8956bf5379e96623139cfadc48c4fde66fb612cd846600d54443822b9946bca8",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20e175b2352d7679eee6c13f45fc4b478fdbb13e6ba2ee4799f9415be30ba717",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/metricbeat",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/metricbeat/snippets.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/metricbeat/snippets.d/snippet.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "182c2e486c2e915138e2738e1ccd850fdce117a4acdcc304997198c9e4569e73",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/metricbeat/metricbeat.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95271dd3414598f6288b7c517c10054de674f6324deb5a2015ffea36dcb60d85",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/templates/etc/ansible/facts.d/metricbeat.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f8fee15db3fd49535b8f5c82e2c6f695dbb7900e210ed8f70c94aa8f778919f6",
+   "format": 1
+  },
+  {
+   "name": "roles/metricbeat/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b2156190eb6ca673701aadc5d9a6f8e1a26914f68800dc8a76f82a366d0c60b",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/authorized_keys_lookup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0300e18a22561fbfb4155678af60a9d434abc37fd69e357f53efa50b856932d2",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37cb4992514bec67b20712d2fdcdfb63215ffe792f032dd108fdac01118ae1f5",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/sshd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/sshd/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02c24166a09a56b5a25d54ca9a2c414b9a336b5e4bb2d173b0ee790472c85bf9",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/sshd/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02c24166a09a56b5a25d54ca9a2c414b9a336b5e4bb2d173b0ee790472c85bf9",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "72fb70be1b00584a0e69831192e300d5d9d29ee402ed57acba8e7a8c94b74825",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2935512a49be33af0e1ce64a7208a8eb35e988ed2fa0ac0995309daff797d420",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aabe905551e6065191f9e19bc51ce9ad1d0a6f020eece020e3d526d35c244424",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/systemd/system/ssh.socket.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/systemd/system/ssh.socket.d/listen.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b19e00076aab907f9a2017108df6756edacc2d77ea10e3f0805deb8f969f58f8",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ansible/facts.d/sshd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ecef3f8f6554fcb20996bbf03749f702ba2a4676427b9162083b36d4147eab2",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/pam.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/pam.d/sshd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "80484b126f5c17495e81af42b4e3c896a29046173c9d864e4a285934e343b92f",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/authorized_keys_lookup.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/sss.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d5fc510d6fcf277cbc126a73a811228de19c4e3ea811785ebb805dffb997cb3",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/ldap.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13953a275ef5ff9b3a732279d8db559badfb887e861d89edcdd53b5e363a0e9a",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/authorized_keys_lookup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b9c345e031a9f03a56d446022a80a641efa555ba798456b78c8344dafdc160f",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/ldap_authorized_keys_bindpw.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef2495f355826613093a3ff417f14fefdfac033c47f6af75aa91471e44de6b07",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/trusted_user_ca_file.pem.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ddd669cf4201ff3307b08ce54e81cd014d93448144e063b6f6a82c7d3f39d0e",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/templates/etc/ssh/sshd_config.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f15801509c5923e09e85eac8f90616ea4539c888da65289234cc0dccb4c5a77b",
+   "format": 1
+  },
+  {
+   "name": "roles/sshd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e2be99f7dc3be9d18fc2fd6073a494b1dd978c7707197c07e975f56e7dedbe1a",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "486123ccfd5cb72920fff4e20ecdfb82c8e0571c4d0c36c00c5fb135047ea404",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4cb251e0e6b861ff6bf54aedfd901211e3123f2a7e57ef134100ad999326283c",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2a3e8ba05ff80d25ac2bc6eeba688bcc858ba06808c7aab88de1eb17f7892e6",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/filebeat",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/filebeat/filebeat.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b194b29d1feed840f91ddb019835b3d41cea9e4d8078fa1fda1a306e0c74bfb5",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/filebeat/snippets.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/filebeat/snippets.d/snippet.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8765d717ae7e1c25c92ce1d185e02a12ed0fe98f882cb1d376625f223c774714",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/templates/etc/ansible/facts.d/filebeat.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "095d81aae2d028700edc2345bd3aba2fe2582919236152976ced170922969e6e",
+   "format": 1
+  },
+  {
+   "name": "roles/filebeat/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb65a437458752e1af15f81dbd15f30e36c43a39eb864610305efc9cac1318f3",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c57b68d2ab2ecd08cd3d8c99239d5f8aa081748b13cc5af79fc2981678c48c34",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b5e317ec823b827b8c99dbec56307493e2686a2c53d35de9ee5999d5e714f74",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e0eb444b3c0a43f0f8a49423a3d9a6be406de3b3805126179c3a27fc9833b31",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6a859e99b3e6ec6fe8b9a8be92ad734ae11cd8a84a996594b9a6406451e63dc4",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/etc/aliases.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7fd6b458191a1e19b5a096c06fe73aa3bc4f62910d14fd9b254bfee653676932",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/etc/ansible/facts.d/etc_aliases.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de30c10d32a333a12d4d1ae09050b8c54434101016a424dfbc4def46e224a05d",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/lookup/etc_aliases__dependent_recipients_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ad791eb64781a0d52df4f418a9db0084034bb250f51d67344ebd92bd5f85191",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/lookup/etc_aliases__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "841569d0e70ccbf7e1f2fd25a91733d7a0603dbc3b56db2c7af23a4dbc8254c3",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/secret/etc_aliases",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/secret/etc_aliases/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/secret/etc_aliases/dependent_config/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/templates/secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9a069c2bb508cc1c0f52f93d60d1e87a9b96f9b99ff96686bc1203b6fe1b0e1",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_aliases/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "51f3d2bc083feaf43fb7cf3cbf4611f2808d61a9cdcadfbda092bdb1d7388799",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/tasks/configure_gnupg.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "241da58643efa351c052af264171d425233d911a4e53e4c98638179695438ad2",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3eda35cf634e64ae75919a873f6e17740c7b3a786a5caaeeebdd5359196d45f6",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/tasks/configure_reprepro.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbd8538622f5dacce4ff8e4a1a9a41aaabf04ab2773460e64e218dc9d7adf43d",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "df2b141daaa1d86c399cea602c6957b8d06ab83ee448338c7c12551521237c40",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e95b2b622ae3ec4ec1eaa0e2da1d1a9702005df08c99ac31e7f79e4b5ce4127d",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "503506b1fa0df45fa79e570125fe521fb96a1d1cf7d56797bcde45d580627683",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/uploaders",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/uploaders/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ce59b4444ece2c28920ac3b8cf80c17f7fd5bc713d402468800a586e025c0a0",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/incoming.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b5780c81843be01b0730aa8cd95ddea75500ad96915e1f9bb1c8a5e661d705a",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/pulls.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c62ba4adf458bfba4b549f1e111288279b6ebf623042ae9ff91f0be772e0e4e9",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/distributions.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bea6e2d05bc0dc697e700f8079209de9e6df3f7cda9328765c8cf1b4bdddb31b",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/updates.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "653fb8f53337f40243c820984007d242a0dd691859b8fbddb3f55972fb075176",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/email-changes.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09922cf79a71ae6a0d8064d2cbf9bdb9e2711dc2f60d7677c6068f0eeb7ff91f",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/repositories/instance/conf/options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a84bbd527844a1628a7f91d8cc5c8d5fe4b8c001ce0bec59879a1d582c564fa",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/gnupg-key-template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88f5e3fdcd2e6a3c6c13d66c67c3d405ef2fdc88c7675dcc266dbdf6829971dc",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/gnupg",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/home/reprepro/gnupg/gpg.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47639541392cc4aa08a35cd7d68aff0e09a41100d2e5cb7430c5084f51fe8be4",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.path.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c74a2e61dd52c682ed3f3144cb4564b9ee79db392f962d7e1dea56a3073ce84",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f147182f2ba40ffdeea03cbd4a01a36ffed1354b522a64346d41e12e26ff77e9",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/etc/ansible/facts.d/reprepro.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48c995083ff6b99ad327b38945288ccdf801235fad4a253de2effe788868bc18",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/templates/lookup/reprepro__env_nginx_servers.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ebae9168ff423c4dcaed7c4f44e09ea7ca8621bef92b96b70deffafa8540ec28",
+   "format": 1
+  },
+  {
+   "name": "roles/reprepro/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58b6708b1c865fade3d33f3d57de5e7e5386bd33d7490a7aa2abd3d24882a31b",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39d079a9772eb3e7fc4412a343ead9758b04e0028f27ca3aac61ee35af099ca2",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4aa32d43e643d7d685e00bf8cab481438a276b759e99891722ddd37c0db4f47",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce4c7d55bcb4e561df697af47522b609a36bcd66bc3730936182ba1aff06cb90",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/logind.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/logind.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f0fe7880eb5916e8a9528c1787108988e45c327c4d04bee9c77699bc606a8fc3",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/system.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/system.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ebff05db1b5d1e8cd434799a409c5d92d2283a143b831999de2799fed6be83f4",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/user",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/user/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e919210bfa30a824f7deeebf7eb0f2ce3d8b1e8316d3a7a8175f917d42c09079",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/system/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e919210bfa30a824f7deeebf7eb0f2ce3d8b1e8316d3a7a8175f917d42c09079",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/user.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/systemd/user.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38a65b791bc5d8e550c4940c5dd77b7f578113f045ff88522a6c34b576872683",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/templates/etc/ansible/facts.d/systemd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cda8850066b843475605c3c895b2058f1a0495430f0e5d29bb8f8d7880c356fe",
+   "format": 1
+  },
+  {
+   "name": "roles/systemd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dfa4ea371302e8f52c985bee2670ef69ddc2d0d1a96d7e608ebf2331849ea889",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/tasks/ldap_tasks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5859009de41bc144cb1430f4e99b3794ecb52601ac7409f6f266a5d4fc1f4f1d",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4625afeb9936aa46d36ef547749062b1498393350726c8fb9535a60c43bdbd63",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b62ea502e5e6c551101fc4c4046e9564cfd82efe3d5df8ab91b73a82c1061fa2",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47cb625ed853ad6cec4db126f6dcc0407e64f4fffb4b4139b970c6a1040b35aa",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc/ldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc/ldap/ldap.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83606b41d0b19518bb08769c040905259b59e2756459f8a301a4c6ad7fba6d8b",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/etc/ansible/facts.d/ldap.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "477ff900524043f8907355f0e7364b4721a9e1d96f7846a53688581aff32e268",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/lookup/ldap__device_ip_addresses.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f1d3913819c9ffd8b2fdf5ef998298d528b689f037320224a8f103deba8dc70",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/templates/lookup/ldap__device_mac_addresses.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef633d49785f0bdd82bca6e64b9b6448ffa37e4c96f600960be1b18f18e7fd64",
+   "format": 1
+  },
+  {
+   "name": "roles/ldap/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9bd6473f9db102848e4cc587129ac5dbadea03a5381cccabff9bc35a30819ef2",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "060fcdac8090ac180c9f8d5ddedc8b606c8e54de7b51c118f29f678a791b40de",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be87f8a624eeb6033817a8ecbc6c767695d62adde28ed728f8d1bc9ced8426c7",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58518aaf15a5f9fa01322d0d8fc98e7b9a16decddddd22894e9efaf9eccb03c1",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98297478be9836b018d863db4d12117e886aa10f5689f51361bc4dc574e6a74e",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/templates/etc/dbconfig-common",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cf0cd6ddabdb3368323ee38ac04a3577621343381d8c008fe69d6e568a0c8bb",
+   "format": 1
+  },
+  {
+   "name": "roles/phpmyadmin/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ce801e67c40380a1124b6389c84b1eff33ddeb45b7c835ca566d5d77959d26b",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e618584ba4b739feefa7639e9d98d6d8e3659f4c7f1cf5e6f999dd60c39d82d3",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/meta/watch-opensearch",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aec7125b8a0acd5f9e2f1846b868a6d6bab795282b38fe8025c251f5db451151",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b5c32a5d10f88db2d3cda2098e032c5258c916288b00f1e39963f5b59174be91",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd0ac339df5f36de6378cd1d7262bb2f970c6175a5d4f1a1368ea5332d0fa22b",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/systemd/system/opensearch.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20e64f4d3ac01924055e945698ed976a49a39af6af40990333000bdc0e7f89e0",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/opensearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/opensearch/opensearch.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13ae7d720d3ced076d419ca7cd7635c3b5b66140f5d313a3974fc7d262feec65",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/opensearch/jvm.options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "67a68b22ffc79def34354ba8481d59e854efcf5aa0b6bd7c4a8c57765f30c2f8",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/templates/etc/ansible/facts.d/opensearch.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bafbbc033454b6781d4f64b59778550ae65bf1c41efc225c3eb0d2d37ec0f0e6",
+   "format": 1
+  },
+  {
+   "name": "roles/opensearch/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76f95e97c6501245b2027096e4d956c375e4079be877fce8154d1a59dcebe6a7",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/tasks/avahi_alias.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eac9cd2f36147f5cea79ffda01c1094623b395d5da5d49444a77dc4371f9f1a8",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35d8eccf657fef86b395355c2e479cc59c3d5c809ef72c24bbfe1a41992a61d1",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65f9ccd193dcd57b888bb8dd9baa3d67b26b79d3060ec7fac920c8dd028cf40a",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b02ef92ba33eeff217cb6329d6e05ae9ab110477629ecd1d9317ea1dcb172ce",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/files/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/files/usr/local/sbin/avahi-alias",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c3ae3a20ccec1ed9d7c330a8e5318259ecd140dd0b7951fbed7f3e06f1fdd52",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/system/avahi-daemon.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/system/avahi-daemon.service.d/exec-override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb91cac9c4fcd18849bc3494a50a2f72b9687e1c10903f5bef2866b907b892b4",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/system/avahi-alias.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f71ce9039fa6aa63b1095d3518cd67e74d9ffa47bbfd52297f39daa4a8ccb33",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/resolved.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/systemd/resolved.conf.d/avahi-mdns.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8e073e406f100a3cd46187c63be11b4103c613ed413ac74fdbd2d89688d66aa",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/avahi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/avahi/avahi-daemon.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9861af8c608febaa5d2099dfbcd0dd6d60a95ac87d0eb7db20ba39f539cd50db",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/avahi/services",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/avahi/services/avahi.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca99bf81f443d64e19d3db4d0a9d2117121afb10779a1d415bc5a1e6bf1e014c",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/etc/ansible/facts.d/avahi.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f11d006d0b6c0298b933c992198372b64e9967072d9c5c7e9630d4369f1738e",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/lookup/avahi__combined_services.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52d1f4443d0bba878ea6e97b32f1fb05c844165357ae9a22b7e504d11aacbd37",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/import",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/templates/import/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11192827720e781c766b4bf336c83cabcfaf829f931fe1810ffbad5c695fc79f",
+   "format": 1
+  },
+  {
+   "name": "roles/avahi/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e2d701e8eb49aaaed51db4e4c5881add0e08d783a4d6a29574f65d7db8f8187",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0515b6fb2990b59fab8105de465f2e2e98fdc0b46ce4f79026bb4a34d66dcfc",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9024279d944838e8c60b55a42971cb5b38a3698d959f4dc8069d4d48f8c6e24e",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26860e2f57342fc935d4277cd1ba92851f16e4fe63152043755bed55e7cd140b",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/files/patches",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.45.patch",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "793d712965f19353e5c46b8288c4919f6752fd4d34d9528c22647e10310ac1d7",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.37.patch",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c597b881b524b907ecfb11fbde90fe6a3c97db7b5959dd79be0b798e2e616879",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-lxc.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "18d13092c033c8cefeafd2c81e6ba0a61946c8839c99ba133c4ed08152fb5d7b",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-libvirt.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d921070b6dc7125e3ec6b568bd7ffacc9f5ca5cf0e6dca4a37ccf475e3059a4e",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/ansible/facts.d/gitlab_runner.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07c20213cc7f7eacbce72ed854d106e484cb0757012904a84ebfb87a2d171fea",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/gitlab-runner",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/gitlab-runner/ansible.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36528733457eed6775e5e1b0cbbbb85672b6f7cc11284f3f740a6a5d8b67adbb",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/etc/gitlab-runner/config.toml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f08adbc8b4812bdbc903ea1d9ac6cb7539e13ac7586b360eed1d8efc6c310d17",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/templates/lookup/gitlab_runner__shell_tags.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cce58efed7d5d37149e35f6632eb097a0ac22eddd0bb0f6c841c048a15be8334",
+   "format": 1
+  },
+  {
+   "name": "roles/gitlab_runner/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5414f93d12a96a259c6af9435eb6567050353c0db0b4e20ce76b59abc4b37290",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/configure_mysql.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b15ba22fd19473359792181105dbd13425e80192865fd4902841bd2f3a23bbfc",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/deploy_roundcube.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3d598b667865ca70aa3cecd424241a6b8337355f26162a849c341b115708ebe",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/roundcube",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/roundcube/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60a73ab20a37cbacf2d8c37109a858303a657d0673b6f538a5550c28737bad56",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/roundcube/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60a73ab20a37cbacf2d8c37109a858303a657d0673b6f538a5550c28737bad56",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/configure_postgresql.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b5ac9c432d709cd9428467165fc0097abf2d26e7caa06d486496ee8edfa8a53f",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13ff6f01d9233ca23c330929d3a9915a3489e5e93e05209b22708c20fa9e4048",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/tasks/configure_skins.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba49b87342368e10a6ed937b7b61987b100ea5fb1419d3f2853e1b50bdb921be",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/meta/watch-roundcubemail",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8b72452f7838ea3a1e3b8902735869703b283d88cec65b9d2316825f1f57c782",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eea891b26a01c17c76ad0e06fe2205624ee4e491cb62676d57cbf31a1081154c",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fb780bd71ea76a8b72d4439b8956a3e9bd6f6bb6af3f15a9c9de26b506d6c469",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/etc/ansible/facts.d/roundcube.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "983e2651b2537ff329cd2f10b4aef953534b4cf9409e0503150ee47e226bc432",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public/composer.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9fb4b98d6ac3b69753ee7e7a83b115c85581420375fd85e3ae834397ac8cd02f",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public/config/config.inc.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dba7d75ae2fb6f7820b2da7c09131c9e5e91f6c14e0437167f4da2fddaccffca",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public/plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/templates/srv/www/sites/roundcube/public/plugins/config.inc.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b399217916901c8fd11eac597c070e2160c5b1585f6e805e5d6292b9329e45e",
+   "format": 1
+  },
+  {
+   "name": "roles/roundcube/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b0305f5fc100c4db32c04154814da740b2d3d2a964de1ca375f7686fdb1a31e",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/tasks/phpipam-scripts.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8205217500abaa7318078169f540832b8c37f46a27f3ac7f362711fdb367bb10",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/tasks/phpipam.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a4c4f4091ace8679a8c138c90e0a8e87e5f6b8222920db0dcea86825cc7e28c",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4537f1142df5aeded93cf0586bffdb029b98fce2bc3fd732684d3dc07c5391a7",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/meta/watch-phpipam",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "95b085d9af68126c9c45139183a9725cf59dfef66f832540bd6ea7e20f8ec3fc",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c492ebe2e311339f1302bc51b185c11717cfa797f6ec5907b5b6850eb6a156b",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74b5de680fd7c2429cd869f9afab1bbf2d49d72ce0148edc7ebf7fc10e51fdc9",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/usr/local/sbin/phpipam-hosts-wrapper.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "082a64d78a5ba6306833eee56d6842b340f4ee196e11b134a92fb52eefc3a75d",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/etc/dhcp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/etc/dhcp/phpipam.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff1866311ba8f8124e6fdf0e6e2ae0978f62745a9d0af4f8a6e10133a725ef2b",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/templates/srv/www/sites/config.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "28eac76412a38a73fb5492c34c9515b84a95982b45f663d63b9465c4cee7865c",
+   "format": 1
+  },
+  {
+   "name": "roles/phpipam/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0055323701b93cd4b4bdf581c28ef83897eabee50a97dff532d9ef5ef53c5956",
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1269e991a8f79e3ecba2a3fcfb01a59e0510a61f4eaac3fd46e03e47d1407354",
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5673463b99f4cee88b61fdf16fc8958ce92468b0f4f3c517ce3a4453602a0f8d",
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "029feeb2540b29d75a3b2bb97eb35257e061571127b9e50b78aa45a82d4b0af6",
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/templates/etc/ansible/facts.d/elastic_co.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04f2458e300c7ff3dddb3ee758d67934405affb28686857121e72b301e1abe4e",
+   "format": 1
+  },
+  {
+   "name": "roles/elastic_co/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6358d9e50062de90684d67cd93ad49f6cee591f5932af6205660b64dda488c71",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52590f0efd4041d6a4cf873da0ed2d6976aa3ec43c6108505018a41a215a1229",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2079260584b4b88101a4379b25bc288bbc6e2d813b214dbc27365fa1425f5b2e",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4707fec2e89ed4c83aaa3384285533029db08baedd9d33d30e256e30131d838",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5451c7f88eb5572bc3e4067b135e728e07eec40881cd70e401de612c31f759ab",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cdeabc70cf4c5dec702a06241462d0a5b447ebc1e18a3c90c806f84943aafb03",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/playbooks/x2go_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d37e61f9d257b42942fda31550059da29f567c5cc8a36018a6f1169412b0bbf",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/inventory",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/inventory/debops_service_x2go_server_global_role_vars.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36df89eabb30525373280a367826d5a2ad0464d0c1d37129038a5274a31556b7",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bc0271513a469e65bd44a605ed9aaa6bc952e372d8ae1ef50c8a6c16b8a94e8",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e3ae06c36a3aecdd5ed398810f50622fe2538477bbec738239519d0a81a1fa1",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c9661374956be7b28e283fe5d1537d101b505f5202536dfdcabe336889d58067",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc58904571445955cbae9ce6349f0794fcc7ed5456cf0d94c461e9da988d19c6",
+   "format": 1
+  },
+  {
+   "name": "roles/x2go_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b94700f4ee4833316719e5ef2c70ac79382e69a1415f69a8e5cd75f31cac46f6",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "908e55ef2b6c77ff0508edb44569be0ffc508161be358a9115903f3cebfa2894",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8b92f14d47df8649bcde800c3c96e2bbaf6403df04d31c66705331a50c5f39d6",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e041cdbc37f21aa4761cba49acc6ace61f8a45114a9de1d587e3046a0270c5d",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/etc/ansible/facts.d/foodsoft.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b35f8d39e878214d39ffcebf9ae190b1170958a44ca8619001d94a9683399d7",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app/config/app_config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c445a0d9d900687d9f0d1b6403ce9e76cb743c3f5573185d5893e9ee942c866",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app/config/database.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3b4b819114d5e8edf79a7b55d000e8ea2b4777097dca94baa23fbf104bdcea4",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app/config/initializers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/templates/srv/www/foodsoft/app/config/initializers/secret_token.rb.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2232abd1ba7ed43d52b0d6a7ef6711dc2f9066e1692c04e4337dcf4e6ce6b7c0",
+   "format": 1
+  },
+  {
+   "name": "roles/foodsoft/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87994f60b564dab71830459fe3241e535fb3d957dcc04ca26b5c7b4b5bd0226f",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "730b4a22baa2fb1e248aac462bd41089087608e06bf3e6407f8c91d7a2fa2871",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02e94075fccd6347a7a5bbe1c31cfc0bfb297003ec280ab6af311516add5c688",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aeac4dcd03bb2c2c00f85466efeeef70ffb68e8d6eb12d4f817dd9cde4861e23",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/etc/ansible/facts.d/authorized_keys.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd817a643fcc7277373a4dac7f92633828ef0f871603acaf0193a6773fc0c7eb",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/templates/lookup/authorized_keys__identities.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f6c61ba8b4f8203f6704dbb16b986dfe20d9ce212b41cf701c24cf3a85278157",
+   "format": 1
+  },
+  {
+   "name": "roles/authorized_keys/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61a400eb8e25684c4e7c429e0ddacee95aef3990226f8f7a30ef9aaa4485c15c",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf10755f4f63dff38949ad97050fd416179c3fff8c2f94c546c757e8944c9024",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12097933f14920ebe1a7a8411d73acbf870b40dfb83d4b645df9f8dd39873893",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "edc734e4df17b3a51b30414e532128f33679b3ab890720539d02f9ed76658812",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban/filter.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban/filter.d/owncloud.local",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9b94b20943ea17cc9d0c54ac53fa67db653c4426f9c7277d73e5da5dfa3d4fd",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban/action.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois.local",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f2b525cd75b70ff421752e96f4ada3d45727f204adcddedb2a9dd753f8b0fe3",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois-lines.local",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f2b525cd75b70ff421752e96f4ada3d45727f204adcddedb2a9dd753f8b0fe3",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/jail.local.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/jail.local.d/jail.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ae37db39a7a2e7a42bd650f3d3b3d8ee6d09720ada025fc42c7e041b1255565",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/jail.local.d/default.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9351d25a59e45e4692da1e6336db0e9bcc82055f25de820e2e729ec8c440356e",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/filter.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/filter.d/filter.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eee317b0cef3cbcdfb930a83976a376af9f6f3c46403169e9002508aaa990ddc",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/fail2ban.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8c77f8c5a725db7b8075d42ea3db5ceebe65d18ba48c022344853b894e15a75",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/action.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/action.d/action.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d21adaa483d64200b4313289b183f99718d7ad91ca59bdee39ac998e178ad305",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo-reject.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59633ddc19cf1d8946aa57c7313e95db941eb9be4ab2132be95b2b9bb3360e17",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo.local.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34e8956160f8fab18452a75b52aeafb4ff0a0bb3107c41d5291537c313657ea8",
+   "format": 1
+  },
+  {
+   "name": "roles/fail2ban/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "545daf3dadcdc4a6643aa1db7271d0c3a88351ab3329319f79cfd2215d5d8d05",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/tasks/legacy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2705b0253619ea6740d9ad68da4f09642bd11e5f83259fe5795a363c9e88767",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f10bd8ccbaa6e9a537551a3f178f194e327201e2263f1c24b78a665975d7527",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c1e5ff37e44e0e7ac64dfc2b20d1ef20fe30c607deecd2799d52fa31e650cecd",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06625fb3bb539ceec92522098b6e897fa0629965f44c60b5caaa699b9146f5db",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/templates/etc/ansible/facts.d/tzdata.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0cbdfafc7cb9e6bfe9542e6bbbf1e9cefdfb6c27c073e8fc272073ddd5b340e6",
+   "format": 1
+  },
+  {
+   "name": "roles/tzdata/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fca50fa711c3bcff11ca9d7cb3e92a6686ff3ea7d47bbbbca695f24f34b09e19",
+   "format": 1
+  },
+  {
+   "name": "roles/resources",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks/resources",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks/resources/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "225becb24caaae0f7a87831002bf3d2247f516e3e08e24259dee5a5661e38fce",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks/resources/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "225becb24caaae0f7a87831002bf3d2247f516e3e08e24259dee5a5661e38fce",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks/shell_commands.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01f14f4a4d76dbda49555bc4d6a888631594f8900e4a003e6a34b6fb4b60a340",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "056221bd5ef4501aa9422409aaad567ae84ef1f95477f4e46802a1cdf0936675",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resources/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "616939f3f122e5bad0c016ffd97087fb4b153265da4d67f55f53134d352fa2cd",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resources/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da7f9bc0fab082492abbab8209a137883adc7958a7da5ee9eb03d319d25a74ee",
+   "format": 1
+  },
+  {
+   "name": "roles/resources/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8310996c5d0453db15a79e0a34d855905cdf19bbef5b99959a174343e5850a73",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4280501736e6308c849ea62a5d2b68cacf9cf0dfb6a5ba6a6a41f4435935680",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f1583dcf01e913259e564f4ff4b42b938c24d6a445f0d163376fba2106ce468",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c18c0113701634680b9558b01fe723de426d9551acc51a50c9a20b3df5f5c41",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9265395a862d49c2cca69addbfca1033e181adc4d1b1a9bc5eb2bade69a49aa",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc/sysfs.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc/sysfs.d/attribute.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec2a215c49c06cc15770ad343e2d554fc7f6f53aedc9c38689f1a04a871d86d6",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/etc/ansible/facts.d/sysfs.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a6d14f40db7ba73f3c254ec8a6e4f7c6ab0b603d8dedfdc4891c94dd1c3a79b",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/lookup/sysfs__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85b82e0fa3d86c0d60b31fede2993f3e7c9a3558ca7f5766dccf7d61633c7656",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/lookup/sysfs__dependent_attributes_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2e25bfaad2353dfee9ac09f6e83ebc91415c7067f877dfd3daec7493f4d176c",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/secret/sysfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/secret/sysfs/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/secret/sysfs/dependent_config/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/templates/secret/sysfs/dependent_config/inventory_hostname/attributes.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bcf395282eeb671b130e58a18bc02d6e919ad3043da575081a19dd65091973a8",
+   "format": 1
+  },
+  {
+   "name": "roles/sysfs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d055cd5615642da3af2a0ae155dd7ac4e44b47e0023fb6a5f52b76954447283",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf588cdb8d9aece2925d247cace07e79f03c099a047bedba779c6293bacb3763",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ddc0dfc6886fbf4e6a4b3a427e0d84917da0b1c679f9731e8bd0385c4c538a9c",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce462c5477947a8db6ce8bf679a363c281ade0e95d23b2aa0e8bd0cd262e86f8",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc/prosody",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "012a2345632c5de46bdcbc2accc4f1b9c6d9d13379d4f29cdd24de19cbff27c2",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/etc/pki/hooks/prosody.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12e034dccf6717738462613cf2cae0ff4855e4708ca4fe18d5c74982c6acde2d",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/import",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/templates/import/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e32a42d7e566ae3556cd05839d76c71bdb0650c2d9db47cefcd5a21410cbc499",
+   "format": 1
+  },
+  {
+   "name": "roles/prosody/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3d6739ce122da7092319a5f9b602b97e59a39288aaea5b457ee50ab58683796",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff2667a0b3234df0f99eff8cd8ccf56955e5e4fbb6234b6d6ad13b526a44f302",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3e1ff190d39ee963df121ac4196f3b1e5f1a96c0a379e5921ed8bfe3940d364",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "976e01c5e65b18291d89aa188b9e574fa76945a9db1ea1d799bef429cc32269e",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/templates/etc/logrotate.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "697bcacbc32b6ad9b7cbafcd5f259abed35aa6c24b7e33ccdb4f770ab21aa54d",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/templates/etc/logrotate.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/templates/etc/logrotate.d/config.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2e86a23cc6e175a81ea0ecf8133cfc65a064bd13e6e0b4558d373d5e910f323",
+   "format": 1
+  },
+  {
+   "name": "roles/logrotate/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a0464b724bdc907dad3fcfd34d473e287912baa74eca6d5051b4f7b25dcacef7",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/tasks/init_postgresql.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "619803c12af86cc5d4519341cb04e701c49e0d89804a8d6139c7d276b5fa3912",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03fd4b448ac743ffcd5c981669e50008df629b14d349e00e53dc9ebbbc229a3f",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "70acbabf5916331da17eefc84f745a89d81e8c64b4a28853be25ff7f91ed2f31",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "911d45603aeb23460d1ce58b7c01cb68c49e9b0a8e14192a02127083dce57892",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc/powerdns",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc/powerdns/pdns.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "49a254273cab6e2c550521d8e9feba96974321a1cfe02f14b69a31ba6913516c",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/templates/etc/ansible/facts.d/pdns.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d214fa1b0b81c8df3e0ad33a1d39e78deb2dd90911010fbbb0e71e15b528396",
+   "format": 1
+  },
+  {
+   "name": "roles/pdns/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1bb3cf6da0cc70909a96d588c89b31792d8eddb90cae00b2413821f4ae300f86",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c80802a72106e6984bba0a83f7e02ea4a7aa6ad29866d6f9c48acbfddd9f2fd2",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9bce07a27cb8c4eae786078377662b56843e93cae14ebe3ab778f7c503284eb",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e8749ce1ce59d9d223c050694f9e2eee30458a1b89bae2a8681d91b354dd1a4",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/rsyslog.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d2513734c79a75ecc2df8444b087527a8dc024c1774e684c28eb0bdef49a18b",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/ansible/facts.d/rsyslog.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0268fd4c3c8f847f69d9de2861ec7336cf858fe1bf4e3509b0e11c93c70d6a9",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/rsyslog.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/templates/etc/rsyslog.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1e0595820da6d417114a126c8f30a70e77877de41bbe6bf3c27cd2c845ccd75",
+   "format": 1
+  },
+  {
+   "name": "roles/rsyslog/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a76dde0b86b80bf23186669e55eab294e2a938f63b47ddb593c664db0ffbf26e",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f5aacdc78bfd6f7d8a13e3e17e6dbaa0ad0efbc5f31a98a220bc78d3c62350a",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "41e1ac69aec69255189ee3fa74a7941f828f42246bf2b1bef34c37330bfb50cf",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7c1cead3d35b977eed04bc45de2f2805d7f830fb6c38208aff0be18689d7168",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5451c7f88eb5572bc3e4067b135e728e07eec40881cd70e401de612c31f759ab",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cdeabc70cf4c5dec702a06241462d0a5b447ebc1e18a3c90c806f84943aafb03",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/playbooks/fuse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a6116f5d85811c938e8740d2806c701e4489bc54d3930f67334d6e96fa7deee",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bc0271513a469e65bd44a605ed9aaa6bc952e372d8ae1ef50c8a6c16b8a94e8",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc9e13b355799062ce5f9bf815b2c3641fff5bf66f985b83f3220a9f4a888892",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c9882db754a49ceaf7afd4094066e3e88d3fd7f2b6df638198f7d5f0a58148b",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f925e652a109a182caa854ee8d0f30a361c82f7469c4318bbc2a6174d4db2d4",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates/etc/udev",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates/etc/udev/rules.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates/etc/udev/rules.d/fuse.rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "49396c0fe89a61fd6067186bc380e5c609251edb7824dc7efb884c13f8fbc6d8",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/templates/etc/fuse.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39e558fdc3efb1e5c067e707d1f7d3cb69aee2622fd6845d76ebef8cb8a9b6ef",
+   "format": 1
+  },
+  {
+   "name": "roles/fuse/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24640bbf9a75656f1f91d28f62e9a340d64f4a23b21d13c2e1f22bf5833274b9",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a4a368e9c2a31728f2ab163a741aa066036684d8b371c36a312512a29a5f66f",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1cbf9c758010f94d82cc46f916cb7c7ae21dbb6eff7655c1bf19b05ba25cbc9a",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d9babef65825f696cc7efb5050c4589539d0d3696174497c58914759db45049",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc/ansible/debops_fact.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc7d16a7d31097ca087e4986497b389a4beaacd8ec09239e7f8a7d9b348cfd94",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc/ansible/debops_fact_priv.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0bdff3a24eaaf71667e88ba56af9956a7ef6395a81f74203636db064083eb8f1",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/templates/etc/ansible/facts.d/debops_fact.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e772e3009e132547b2656c36c8121c431d7a26cf68336e27a19f902d61d851fc",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_fact/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae3135bff9f99981f48622b23415032b7d4b3f9687c2bdb2a48a331dd49eb6e4",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/tasks/configure_snmpv3_credentials.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3a52feb77c38a6ae2d231deae425388cbf09a8c36870e6529abaf628e2f95c1",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "678a8692a351a65e10f2e7726c26ace8be8a94e95198258b1bd0ba826e49b452",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8afee71bca4582f4a19031fd9cb97f9271fe6b13702f2871d63b5ae32216d802",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ac44fea2aeb9f6e5f7354c0977cf0a10c78176a18c9978eaf2551cf03694bea",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/usr/local/lib/snmpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/usr/local/lib/snmpd/os-release",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d41132c7a62179851ba9822dab6e71f6cbaf19939a212c23734f5e1946552843",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/files/etc/systemd/system/snmpd.service",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8ae7c3583e61733d0a447b71741c5f713fac81023e7106a15d9699b456784b9",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/snmp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/snmp/snmpd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e259462abad8ff900ff9cb2662dd4059a8ae60f81969f49d4206f4233d8aed0a",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/snmp/ansible-local-password.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff290a4848ab4522bf931b33ac61d37b30c6945973919f4fab5b4c0c4ddafddd",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/snmp/snmp.local.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d14c800d2bb6ff0a325780e41461a809e36263bff9a41fed5fb5057ccb788b8a",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/default/snmpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a97924948fb69d20db43b8c078ea1a6dcc04c8c7d62c9378d5143ee516395f92",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/templates/etc/ansible/facts.d/snmpd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f3db4c0cf11b3f617ff3f8c95c0a9e0366b2f94ecee19d71e8bc3ee13d80af1",
+   "format": 1
+  },
+  {
+   "name": "roles/snmpd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3308d9f02d2476eba802e578dd9b4bce5f6a59a1a4e166576c54c178163ef52",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/setup_owncloud.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1364412396765a3a4f9e6fc17e5c4b6946314e4d2e71d5766e04d4917aa8e05a",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/copy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe1ac033133bf256ead1a7a91513fe119145a1059114c06aaf543973ef5e1b61",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c921ac8b55f8ce5a55671c456b06756147648f719fdfd3874960bdac8244788",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/ldap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "97f87b662e7ef25d08a587177cc9af84ab8834fd7ee9d038fc02b03d7457080f",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/system_package_management.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74c5885bd47b5e039bc0bbdd32fcb64ea4a70fa3192515f6d9b9d282ba272de6",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/theme.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc8740c699ff6537127d5f2ed710b36a8277c006f49188b7617db79378ee680d",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/run_occ_app_set.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01bedd4eb8f4383fd541297d515ee3d839be8a45e285c489b60dd9eec5b49438",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/run_occ.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "75b9ed6e8b87eab529ea22020c2fa9cb3259a0c6e341bb49bdc71cfd6f945ede",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/tarball.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc510b60ce65f8cd3f2a17493cf88f7a4a7c6bf3a331aa78bcdda8a14e99795d",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/deploy_state_absent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ea3b872f845103fad1759a631c7abfdb5f4ceaa030b5f80fee52d56fff4c43f7",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c82f253e277847120f689bd242e7dbb45dad88f3dff6814743914db0f300a6c5",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/meta/watch-nextcloud",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e7f91242b846d05c3ab78c2f19f78534a7ad2818602c277f23d817d98721bb43",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9ea9ef3abef1d054d49ebad0c8175f21875fabd8360b3ca90a60ff619671d4a",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78532a39c82f65b48e084350235430505fd880e4c5091f704e85e0c3b1904493",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local/src",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local/src/owncloud",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local/src/owncloud/keyring",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local/src/owncloud/keyring/0xAB7C32C35180350A",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae53326322326245be75d91aa676af38afa847c6f54e0d7523dcdefe85f0f8f6",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/files/usr/local/src/owncloud/keyring/0x47AE7F72479BC94B",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb5ad5c6a3c1cda887845e02ab65b4228658c66ee5660e47eed1414dec44a33b",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/usr/local/bin/occ.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d034b0496244d7447991b79ae59617cac3ccaada8a3e922b7bdcc88e5e1d141",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/php",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/php/cli",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/php/cli/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/php/cli/conf.d/enable_apc.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3486b50ac5779042d3f1ee900f990fe92379929f2c6acb1db0ae8edc6ef91cb0",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/ansible/facts.d/owncloud.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a0612f882956a59838494dcb71d4f1d901f1ec35434e29adaa5360704a631655",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/apt/sources.list.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/etc/apt/sources.list.d/debops_owncloud.list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a3f4ec8f960474dbad182f63f8d50435d1a9584035f86849a620ffcb9859bd6",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/config/debops.config.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9cd58f9a75bdbec43a3f3f2cf220d798736d11480ee1530efaf3a0055b769e74",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/config/mail.config.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ffcb277c55cfd696416c2edd83c132c54b9fae617f1cb7a08b5296dd3a69f310",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/config/theme.config.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a24e8cc5ee53ad267ca28ccad1a4b718fec36b5b22ed3190c68205749ab0bd17",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/themes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/themes/debops-template",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/templates/srv/www/sites/themes/debops-template/defaults.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74ad3744c5b4d72ec81322ee7b646c5b4d148e0295af0af3b7c7def6246d0e78",
+   "format": 1
+  },
+  {
+   "name": "roles/owncloud/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66efe7c437caad3d6059f2fb78ba107e68e0e3f3181f2e649eb3b63f63be0cd3",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ecfff701adf589f8ea7d7121b175a3de78607804c1c680b8e88c1a67e8e9cb62",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dae544afdde8a44243f6810a63eaf8fc2c355e6d475c2fd691f46cdf841f5de6",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34a901e56ccfa2108f7b9378b40a8ba32abd43adcf667c7ad6e9087796d23328",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files/usr/local/sbin/rsnapshot-scheduler",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be216d9f66e7cd684bf0aaa7cede4b1dfec591ce0067c9fd3b9b9dba1861af97",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/files/usr/local/sbin/rsync-no-vanished",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7fe6227e424a92e981306ba14ff092e9ae016e1dce77def1ac9008d2ec891dd4",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot/hosts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot/hosts/include.txt.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a78f8ec6304e46e0982a367764537e03679ca2f461c23071d6304c756d79af5",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot/hosts/exclude.txt.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4f0a250e9fd44ca81d8092ceda85786a66a683fe28b748311fde99a3843d8ff",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot/hosts/rsnapshot.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84a5b9c7806b0382153301e37e6191c8e0ddee53d0ad2bc6325070a1d973df4e",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/ansible/facts.d/rsnapshot.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2032d5335ac684476c1bcb3fed6ec166de7a383393c887f84e346a31a79c2cfe",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/rsnapshot-scheduler.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f400bc1dd91dabbc0156ee40fa573b44faa18bc84c629112d6303beb82456fa2",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/cron",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/templates/etc/cron/rsnapshot-wrapper.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca921485026dcc821fe20aff486cefd88c835e7e9f03c1bcda90a1ddadcc3013",
+   "format": 1
+  },
+  {
+   "name": "roles/rsnapshot/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "719d5eafd2c409f45d189274a146c8657cb8a83e17873ca9a8d85a605b1b2304",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5396d75dee2dd2c6d8cbdd997a7a00c9e049a08873efee965304c8eac0efaaa",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d09ce2ad054511359c1544011268dc7c68911c4798cbaaa1552a86ece5d1c4f6",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e35cb81cacd50821b0c5fff20a02a3e837d727f9ec44508da35552d53ca44f37",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e871d1c023c2b184f229ea3f33c1eb727c9a8527abe3bb50f1c6bc42a3eaf3bc",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/bin/sendsms.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2acd3efc3c85183ae28312a7144c51c17978880fea22570d789d42b97a4f490f",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/test-sms-on-reboot.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4e284c9dcd373a9344c6635ef06077d0fd920daf26bf489b6036e11411e945d",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/postfix_transport.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "168741980ced0b4eee6277396bf76d81831dd7277cb01171e3b42d5bf32feacb",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/fix-device-permissions.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f684637edf0f9f3120ccf5f5165d281e31902723ec7b1688a652c08482d60c16",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/postfix_recipient_canonical_map.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61f6bd0a5e1af3277e12ec70e5d16e9c4f58e1fed6e1bf282d718aeb486d84a5",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/sms-transport.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d1d2264d556902911ffecfd8f712cf73e1569c3c89c33b610a1e960017de060",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/postfix_virtual_alias_map.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d98088742dbdfcfd06f5522bb4fd3f12e50dab1b5e406ced5fbf01cb27a233e1",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/postfix_relay_recipient_map.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c8a55231ced510d524ef30f59492978e56a49003551359d6f3602d5d146942c",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/usr/local/lib/smstools/sms-service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0be3033f99218c187a229b34316d4a724142dd2a366700d38ca96357ac392397",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/smsd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d799074ebdfb299bdc4bd34608ed4e4341301e1017744a55d7eaa89b3ff33f3",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/sudoers.d/smstools.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f15e5ccb0cf0f3b70cf550f3082d48ca98d54c89520d1edfd390b247d6755d22",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/xinetd.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/xinetd.d/sms.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c3501d6c3116f8d1e516650554b1cffd1cd4343a52dce8076b3efffcf86d31b",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/sms-senders.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f01d45355a6878c6b23281ae37e44401a2ee46e354d81160434788fc06e5e350",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/sms-transport.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fb87b91f1ea2f28018085f4af3683e22bf01fbe13f9bc3bf2ffcf110caeb8f1e",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/sms-msgdel.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "721d0c3e30b62d7d869b14eb8c6465b53289175c08ef5099dc96aef453724574",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/rsyslog.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/rsyslog.d/smstools.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c9fc9f0286916a0fa16ba48ab3d1571bef95960146b75639c467ba297837574",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/logrotate.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/templates/etc/logrotate.d/sms.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1700c048495324bce782fde2de85fe12ab6a29c35adedecc8babe5e1e20272fd",
+   "format": 1
+  },
+  {
+   "name": "roles/smstools/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58b6b94d0a233756a7b8527faf61ba99b0066be535ffe0e10871fd8957eee2a9",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/tasks/handle_tunables.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "903ec6ecb63a18bd8fc0e414f042dbb6c09e519ed67abc212904d2388f34555a",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/tasks/handle_profiles.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c0adab5ee39f43502d7e7b8c67f0e51e2515c810af540537af3ba17b865cd1a",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/tasks/handle_locals.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61741e6dfd9dd4448cd2eee6ed055ec23b3ba4f66b18e278235544f9c971794e",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "96d29ca22e6c1fdeaa3ac501f6c37b31961d45d1ad681cce7eedc015b25698e4",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85afffbde1e6c80140ffeddf26c74a6f113dab289125dd869e633c8056192a4d",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee18aaf1266e473231d23c4b2c912042613f569670ed49d4c3a51f4f23fbf18e",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/default/grub.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/default/grub.d/debops.apparmor.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3794a05b897a17ed6e46332694a069d3b7027d253efe7a4838830ed5b7a2fce4",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/ansible/facts.d/apparmor.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f36f040d7a7d66059c8963cd1a7fbd37bb86e077ad797da9c873efceb90bb13",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/apparmor.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/templates/etc/apparmor.d/snippet.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d95d8ad7aa83977ba1488d16ffd148c4be13250d21df76754d0bdcfa3c0f10e3",
+   "format": 1
+  },
+  {
+   "name": "roles/apparmor/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "290d46a053baa8603b07c6f295824b11145be921c1462f30bafd913cea4b9b3e",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeaa3d98c827aa45390289f9d0d9c550546446cf40ca300ea89dc8cc7ffc9eab",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4dd2cd4b9232c5fc95e753b341bb1b6dfe6841322f6b44f0544fb10c82fd97dc",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e230cf03ac3321fff164c5abf445071cb9793729bcd16127670fb3c6a5c44234",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d02c1e698537323c7333c1cf8d183a5bf5d70615b62779794ab865d6fd13755a",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/files/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/files/secret/opendkim",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/files/secret/opendkim/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/files/secret/opendkim/lib/extract-domainkey-zone",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "265d3893dcbad6a6413ae68dbbf045c76330ae2027d28fde99cdaf4f6e501071",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/opendkim.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a7645626818c04d785bb545966425e8ea152b8186932a58d492e5a427f71fb12",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/systemd/system/opendkim.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/systemd/system/opendkim.service.d/pid-socket.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6aa5350f1ef2c4eec343b01f65cd098b8ad17c7bf9334d631852bf434dca4626",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/default/opendkim.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "349f41b09d44d1d7d66b814970da9e7a6258d0ae32e01f572f637a57d7890bf9",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/ansible/facts.d/opendkim.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "163a998ab00f0fdb7bc186bfd88f1e135649918db734249134dae1cd11a16a44",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/dkimkeys",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/dkimkeys/SigningTable.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83a7b931054bfae94e30396d33bd3ededec8190bc4570e2254def2b4150198c3",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/dkimkeys/TrustedHosts.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c74f4a38b2ebe1e9556595a24dd71ff728011f54a9cfef4f66c56746bffff36b",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/etc/dkimkeys/KeyTable.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8dea962c3f0a1079a70d0c3028a27988f58d1cefa2290baf66229e4e1a625bc6",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/templates/lookup/opendkim__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7aa94d4ed691529ab4e1eeee0dbb09d9d014a618f459761d5b4d10b06ea617e",
+   "format": 1
+  },
+  {
+   "name": "roles/opendkim/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc9d54c99b25a72d5913af05ddd56199b5461014ec8fda9a66f482a85831920e",
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25fdc4cf69ec3a273b01f13f0822f123353cfc18db2b2544105f7b02f11abc9c",
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04a928d671d8ca2ea5a26681c4cefcae610f538f3d062ea5c81708badc3490ec",
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce47cc049b15a12e3f18b4f83a69cf2d3aed054015d53efe01ecee1cb8fd6034",
+   "format": 1
+  },
+  {
+   "name": "roles/hwraid/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "344e93d19582a81dc792860694eb5ffeafd0fa101017d1879a3d29d62e384e08",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/tasks/other_vcs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8dd8013c9138e56b4ba5c308e9fb821c94fb76aee8a174ddfa8e2f2ceab95396",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3fee99ba98756eba2b24982e7f6aff74e6e1e63c6f44ea8b20f6208c31040e7",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "697d0b3e3e6eeae5871e8e1ea705aacaf4e9d8a5d404e8f7077daefb149ac7ec",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5314086614bfa87c5e14811aa151d70b6cebba32136232c25aa2cade5b88063a",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/etckeeper",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/etckeeper/commit.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/etckeeper/commit.d/99email.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1608b8d7c708521ee9dd1c876da228b87797d980f52c30dbdaeab6bb020e302c",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/etckeeper/etckeeper.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d50c38f18fcb7c71e10f3c014a391adb76adc463681570dfbd9b748242fb686",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/ansible/facts.d/etckeeper.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38f09359c22511b8d0117981d2066920215a53607e4ebb2bb4492f5267f65361",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/templates/etc/gitattributes.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89b110369faea9813e5fa49432197b442612eb36ac21f6242c666022ed68ab8e",
+   "format": 1
+  },
+  {
+   "name": "roles/etckeeper/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b700123e7851f52dcf0f1edbae110aee4c32ae0127bc446349d8556857d4b3d5",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/tasks/tgt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/tasks/tgt/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480fd494e6a388c05244ddc7ebcc91c469be8e82e5db4ea9fe78655f21808d35",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/tasks/tgt/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480fd494e6a388c05244ddc7ebcc91c469be8e82e5db4ea9fe78655f21808d35",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37760bd40577e3bc9554b42a638a8cd9e3734b1f8c31f49cf6882c2a40b63a5d",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b888e40dc5450689f1452dd793f50107d1dcba82ec5b9ec1833fa8685ce573a",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "91ba5112e23085241abfbddbba1816e99baadb05bfc4c16073bb0b7cd9f7b408",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/tgt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/tgt/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/tgt/conf.d/00_tgt_options.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa356907c254b58b1a2e7ebf756e431726e884269f094feb354c689176680651",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/tgt/conf.d/target.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8530bdcb5261a327c07a035ba7647a4ef6d2f52a5c2a4a252d160533efdfd14",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/templates/etc/ansible/facts.d/tgt.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ada3c8f80a5d1e8360eb0b2eeb8b77a3fef8a9b78144ed4884065c1cc9d50e33",
+   "format": 1
+  },
+  {
+   "name": "roles/tgt/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0599020220bdae0843199773224e4ca2723251e117071ded59bfb736fe5fe5f3",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f810038161f08e6bd040e0aa1aa289f8cd1514a23a641f43fdc59133b877c49",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a43ab97fd956435d4538d1f8cb87d043d535bf7a2982b1ea665ff3f76fd2c6e9",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3e4088939acd5be1948010a1f5260bd3b98ea0f0a2b23a900d3aa47fa5889d0",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/usr/share",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/usr/share/pam-configs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/usr/share/pam-configs/mkhomedir.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "281b5c54c68d483e2ce81c15af2d55242e24a9b140a936a379f1a4f6f490900d",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc/sssd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc/sssd/sssd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3cdd09b4c4947c19a072591989a1e54c11a43d6067b9dd47a5f6a8a29e21de1",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/templates/etc/ansible/facts.d/sssd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92f79b8e26347955a4e0b36a1886e79985e1640735cf6e8c46d16ff8298dc961",
+   "format": 1
+  },
+  {
+   "name": "roles/sssd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a8dd3e1587916ed7ae784d3aeac6b524d1a37ced63b51b421482647f27210d9",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "375aa31133ae46880b90d1bdb7f5d68b7cab6fd271d8d25025e91d2c5b2da6e8",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/meta/watch-librenms",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba5163ccff97fdc750c16132debedcdf7e61a504d2aa09b785bcc5d3d0fbcf33",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b48993a92dbada292a9be1897c83c26c2ddc08f6203f29a10dc8dc635a1a045c",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ec4f5ce1171c88f553ab8f29e81b8aab29f9c115b31aa889059c887b31fc7a9",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/home",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/home/snmp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/home/snmp/snmp.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01fda9f5bd13d3b1fead4d6070d5784f6840f4f874f6240e6b5ace3c8f32ba4c",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/home/my.cnf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e14893cce7c84eee6185db1c5e3f68017d2caec1a899a3eff0b7a3e64214769",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/etc/cron.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/etc/cron.d/librenms.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4edc6c72801e6d8332556dfef0c461ea65a699afdbac2a145bcc0e4ddae11471",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/srv/www/sites/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/templates/srv/www/sites/public/config.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ccfb6c2d35a87a582511fd3096a31c5111c03c9d83d61fa813c69d67b91bcc2d",
+   "format": 1
+  },
+  {
+   "name": "roles/librenms/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d9eb35e9156463014cfe5388dcb2ead02de3ec537144a3326fdaa4248acc71b",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "130deb9ef5cb8f3141630e7543beae3d0ab3308f94749ab1a55bef78a4187ee3",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb3958a14e31a66f28f97fe022dea376274fcbd9bd1e3c0d2076ad39123b1048",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ea8a33fb8ce4c40d7295d83b8c6e57a581c326592399fa7341385156385a978",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d76455a0560f2807d0308d88ba02e8a3f48b204ce563610860063386eccf858",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/includes/role.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e2879120cc0e709ddeb95bf19b17ab131a052e96894e0a05a7f69f1a04fcfbd",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3a867764385fde07374b03402483580a2be6ecc1a945e61ad4a385299a273c1",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50f9f756d9dbfd2cf8424f05cca856f907cee9d4309bb5746c45befa40ba45c6",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3044540b9c57a020392210c529b21eb0a6d9d153231ba55639c7d48f5c97ae9",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7943876bfc6f8669553c001edea87da6206a48449f92c701603fc164045eefb6",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0eff9e75bb67a49b91d3161de0c6065f4760d4c550ca8553346fb4756b40edc7",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates/etc/polkit-1",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates/etc/polkit-1/localauthority",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates/etc/polkit-1/localauthority/50-local.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/templates/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce9b858c1881aac0ec9cc403eaa7ffbfdcc8e71ac321634c6e5f0afc392b383a",
+   "format": 1
+  },
+  {
+   "name": "roles/kodi/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "042c1bac5db63c0995a7fdea2d2af7dfd418e1753ac7240c9867128e63168aa5",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "982d0c6f2f40a59196b1d0c2db62425a92d137867231e00a1e304d2d286d14f5",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34209b0a5677e8e010e692b1720037cdeb5d6362ab6e5d458ce102a5ebce1093",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/web_configuration.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d67b941fd20c57c5c8a391d1bbf2d6e2bf77dda168544a024c06d01264d3a055",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/hyperkitty_configuration.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be74fe545bf25f7cff5ff652e782dac979419f39aba63a6d8f9d4c24058b80e2",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/environment.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afd28d2f3883a62b7dd8e1aabf0f218eb94784019c1d4ccae5f7f3c6de8f4697",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/ldap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c72b9657576b6726959c9bb48729fe5362dcee437ae52678f54d3c09e5396e69",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/dependent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c01076084663d5906c321dd69f823d0674204fecacd4460cbb69733b821613d3",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/core_configuration.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88ee096e509a96f9d1818cfaf935a528aac80f53b76752487e3e61150b0958e5",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/defaults/main/templates.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d2fe4344e3883696dec799016e4570fc5afa1e36313fa5db316d0e51be49cba",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd/system/mailman3-web.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd/system/mailman3-web.service.d/dependencies.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b788e96c3a564e7d15985b41f316628e7ded1659b7b737f6070d33da6da2627a",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd/system/mailman3.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/systemd/system/mailman3.service.d/dependencies.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6667b37faae65ea253160fc23579e16154a1fce68d772cc19f739b6f538c6cb3",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/mailman3",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/mailman3/mailman-hyperkitty.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7255d5cb6cbaa21724d9c752821015ca0f17734bd00fd5e9dee36251a3efaf3",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/mailman3/mailman-web.py.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bbaf7c89c8ec045700f3b117cecd544d3277c764497990e4edac78013ff2e793",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/mailman3/mailman.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6e1161e08ee4f89aa7823578e71425392bbf243da0d5e70d03de2d617320b44",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/templates/etc/ansible/facts.d/mailman.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56fd495ff508647b440864ffc46b1f54971c660922bdd02ed1f70faa506b3062",
+   "format": 1
+  },
+  {
+   "name": "roles/mailman/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ec1a48a6f0912ac3f0444d3fbea9ff68ec7935027583248c37df7cc505b7648",
+   "format": 1
+  },
+  {
+   "name": "roles/java",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5808d473685581a7056ba4aeda949c26fbede1e7a800fdfeead6746d9f05554",
+   "format": 1
+  },
+  {
+   "name": "roles/java/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c844a7903623e60568e23756803ba23e45be9e0096b445eaabe98f809f8ce2b4",
+   "format": 1
+  },
+  {
+   "name": "roles/java/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e009c36461412d19a6db500da25c87557551805549c6c69106e028e547a573c",
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/java-x-openjdk",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/java-x-openjdk/security",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/java-x-openjdk/security/java.policy.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f550cae2a6210b38fa824e075f99a54b1fc5fa9c2175ed5b10b2be19887e2d2",
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/java/templates/etc/ansible/facts.d/java.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "381763be1c49adea4fa54f3576c67d645d862e800a750d2c1903cab7ce714eae",
+   "format": 1
+  },
+  {
+   "name": "roles/java/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5af4f5d879a2926bb19794b42e34d0314c9446b03970e902854234a47ace55a4",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f48a2749c3fd64b43393c84e9f05c506f7d38605b7d17aabb70e524378483a75",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0bb4d7f9688058c583fe76394f6b8e0a6effb75338d7e4dcb2eaeab6b0fb7afc",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59029cf2fc86c338519d63882d1d64f233b9c44c1f963dc84a531f8b555bc74f",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/etc/ansible/facts.d/preseed.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02463e644a5305349364b46c24e94c3674cd102cde9b755d69bc8d43c945fa2d",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www/sites/debian-preseed",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www/sites/debian-preseed/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www/sites/debian-preseed/public/postinst.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2be8b9857ab6c3c0dfcb32715d96215d4e6599788c6d12eec0f31bfb4f0f461",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/templates/srv/www/sites/debian-preseed/public/preseed.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1950cbf1897ee8d470c753c669151c1af059f713ed348ad7fb7f7ae87ad922e4",
+   "format": 1
+  },
+  {
+   "name": "roles/preseed/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e37717fd1279b6d630868fc9fa41441b833276b7ac46c03f1c3c0f7d1f4f362",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3fa474716fb17d49a428f914dac025a9a38faf42f9c99f25540b05f4de097584",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85ae055e14b2d60557c62ffbdfb2c89a72948c5ca58e83d13c4b091852094987",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1be35ffae01c103e1c6df5cf637cd86ca6d12da6fce7abea71757a58df25f035",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/ansible/facts.d/postscreen.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5acdcf789a5b7c211cabe3e509c3e0dc02ac1536668e88ef72be59ad797d6877",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/postfix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/postfix/postscreen_dnsbl_reply_map.pcre.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3be47731779038cfdf633fc8650079d8e53c6ec488545a845adac84d96f7a8fe",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/templates/etc/postfix/postscreen_access.cidr.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98435fbfe6f1b2dc9bf85b00022c2c503ef67b68f63b78a608cb8ce915fe0ecd",
+   "format": 1
+  },
+  {
+   "name": "roles/postscreen/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b6064f0f85cd6b8320da4202ed7ae1357fc3b38db516758600711837ad437205",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/tasks/newer_releases.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec23f2b12dee41f41c106fe6171b00e2ad374d11e07d0dcf391414519bdbd2f2",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/tasks/older_releases.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b875ee18c0c5f18118b5a9332c9ce1e32756b9ac3ba6553f33d25efd0dec4a81",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "022cc8aa82451353c2b3476689338650d8c2d47760e4b8b398a0b05d15473b1b",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c94e6c179032cbfa550bb3a7803e783fc8be7970a9949fd2dd4d26f99d29687",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7eef81584df63de80e7fc0b5e147ac50fbd7b501824f959a3dc94662bd9d8e73",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/files/script/start-gunicorn-instances",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8433bdc8c859e119d1e055b664629f5cfa682627e6680e136eda4ff68b46968",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd/system/gunicorn@application.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd/system/gunicorn@application.service.d/instance.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3845a43a943c2f1f8061f8ad81157ab48c21c47d410293c7aca0eea78a657cb8",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd/system/gunicorn@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2892e725fd6c20535b05a9961e96d4653c7d43b6881c4ba4135d2b7f19e8e05a",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/systemd/system/gunicorn.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e77fe8aafb108db583ed2b22e01df34db1cfb822e7e7a41dc76f21599efa2572",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/gunicorn.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/gunicorn.d/application.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac1eb97ff36d2f7f0c56132415183bfcef04119ae15fb073b1dcc3a0565d16cd",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/gunicorn",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/gunicorn/application.conf.py.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c91caf49ccea9a78a1edd07de5e98069e10156bf242692f04a8b48803df59151",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/ansible/facts.d/gunicorn.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d55abfff4a14dad55a0d412d845b3ece51cd4184367e1fe88c50398f762a2f7b",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/logrotate.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/templates/etc/logrotate.d/gunicorn.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d11029ffffb3cea9608e83c474a50e7511e875f6eeecea4fb3cf4ec5b579af4",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6e7d5f9f8b245d26d202edc02e7ea53f6d09e1bd15e57e363b51ec5eafa391e",
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gunicorn/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bda6a66ac30ace5b42daddd76e232001c540265ee1571a9b527525470f1502d",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cbf8a65e69c1e960505aff983a5715dfc100a11af9a647329b922c7def8612c5",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5b56f1cdfc29eef9423c19dbfd2e42475464aac4cc26c57a3c722d7f0d71826",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc3d4768e7ed366afc7362baeb2b4d28bea45db90f702e0387f57918ba27ea05",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/system/systemd-resolved.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b7fea7a7f3f20735886c77eac08d65fb050623442090e56f00105c9b6c80f1e",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/resolved.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/resolved.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39d7c2e831f34d1013969f7eda9320cab309963371ce249910aa323fd9f49ad3",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63179674fcf1f0031a34e2160beefe34a6792d55e1258f968b9857554220e56a",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/dnssd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/systemd/dnssd/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e919210bfa30a824f7deeebf7eb0f2ce3d8b1e8316d3a7a8175f917d42c09079",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/templates/etc/ansible/facts.d/resolved.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd8d624e925e322dbb0927e8c6ecc12f5eda7d5403002345c912a782930f7176",
+   "format": 1
+  },
+  {
+   "name": "roles/resolved/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a90137e36b9f5046242aca211c5244795bae56f3e39ab365136bdb7303192551",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/tasks/manage_pools.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98fd40ebdfc54373488b9f720cc830ab03de96a40199e8b114bd296a894758c9",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/tasks/manage_networks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5942ffb64fcafed09167a92963270e9be763cc361a360e400ea5f7eeb8290e6b",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e3086b0506e2b8efb63f11ca7ea4a663b58033eecaabf042112131a45119be2",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8453687298951bbed1d984773396170d3e3c62b67806db444105a9216c756e7e",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e95c76ce8c4ca8c5c7bc0970c1c53e68d086713a3be98dae8ed03739a5bb3f8",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/home",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/home/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/home/config/libvirt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/home/config/libvirt/libvirt.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc7e1f14ce94a660a71f1d997149e6d97b7859c70b02cd001f73557fc7267b45",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/network/bridge.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1305f4878c4f606b1cafed1ab393987cbdc25e6a99333578e05e186445caae55",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/network/dnsmasq.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b6757755bebef33e31922de82d1893ec00b31d189028a90583a685a1fe1c6f9",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/network/direct.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b00d398385dc0677f838102737e38e2ce075f0dff3f36d3741c4ddbfaed4672",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/pool",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/pool/zfs.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e40a83dbf093f883b2d7f92465f2182facedbf8b4ddd7cdc09e5218f3683effe",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/pool/dir.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0114fbd8eec4ef1639077147dd68f0433bbb7dc23aab05d704656b8043abf46c",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/pool/nfs.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "15be40fd519eb6592b402d1bfb34168e8bbf7ea9ec576584015943b9f932bdc3",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/templates/lookup/pool/logical.xml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "079e3aec07ddb3529a2e5580b6f0d9c8a23067ec6ec7f385bda5750c803c0118",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirt/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "343c1fa9aaf84f3a48d30b206fe0366ff353da8110ef190c7bd80fa04a5448e8",
+   "format": 1
+  },
+  {
+   "name": "roles/php",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/tasks/packages_absent_for_version.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4be1b6ffc6e8dde48469e1087f73af8583752c3e5c71807bfabdfcf7cf1ae5a9",
+   "format": 1
+  },
+  {
+   "name": "roles/php/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e40faebc4e0ec4db8ea10fac6881d31fc9c652c7a97acb5bb0ab88b17f25bc86",
+   "format": 1
+  },
+  {
+   "name": "roles/php/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73b546a91eb37d5b2f765832a84f0c5d3d4ef8a7e0d35696df027a61aec74bf7",
+   "format": 1
+  },
+  {
+   "name": "roles/php/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/meta/watch-composer",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "855d0da01c313b93fb336d19ab451be36c71d4752dde60a054863ad9ca981e10",
+   "format": 1
+  },
+  {
+   "name": "roles/php/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "052ec52dd8a599c0873c8bb0e283b03c45c3b45847807880252c5152f33bb498",
+   "format": 1
+  },
+  {
+   "name": "roles/php/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5907b24bf35e03b42c55cc08e3a604fd4a7810197121c493738c0a81c10f0b2c",
+   "format": 1
+  },
+  {
+   "name": "roles/php/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/files/script/php-filter-packages.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff3f32d3be2fff7ccd37d101c72791b7e63c5b57d2c4c804e642ef63f1c2e3ef",
+   "format": 1
+  },
+  {
+   "name": "roles/php/files/script/php-synchronize-config.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7d16b0415a6241f257354cf366308306c6cba94ca5c9b2392f652ea9a40e3ae",
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/sudoers.d/php-fpm_webadmins.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7908f0b72b77e7482c173c0e5b9450cea49bc54c048c8abb17dc0f281f773a91",
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/fpm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/fpm/php-fpm.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6135c6d2640aa747329d22b1d3d18f9f4ec7cf36b6b254844fe3d957c4a3be24",
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/fpm/pool.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/fpm/pool.d/pool.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "793503f4a3825beece03c947d83dda81ab8fee1e5d53b97e39ba02d6fd60b609",
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/php/ansible/php.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4878e66121c13a30ee05e35863927b393d0245def067666f0d382b7e4154fbf",
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/templates/etc/ansible/facts.d/php.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "569e73f8b359fbc582212068a8723579de89d598a60a7c3813a0b21a98cfd781",
+   "format": 1
+  },
+  {
+   "name": "roles/php/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7222cc0d493cc754f633f939ff270cf808e1f55fb925fb9489a03db7a26e61cc",
+   "format": 1
+  },
+  {
+   "name": "roles/php/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/php/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db34bc0319d7ced08639974ad0dfcec13e4844ea3a8a46fc14ab25a5e713042b",
+   "format": 1
+  },
+  {
+   "name": "roles/minio",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "132b5aa65da40c746d87bd7f94c4bb56c4f6e893c35eb7abab754917300e31fc",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "927135a979c1a5f47e02d41c46264224207af9bffb509d7b14081c9ef664910c",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/meta/watch-minio",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4955a3c7fb724491c178948dc7a1cefa372c19b9fda20cfba924beec90ea8f23",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9980d562f64613d13838b9c607411d8ced51d4b104d5619935bd9f3978a3e954",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c264c6e520c371db6ec7e5523477ee94cbc4bd32fab3ef03630b1f15a077479",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/systemd/system/minio@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd90470729b6383521e6f361e11f7e9875659eb98fa1e19d3ad86ae8b12c6245",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/systemd/system/minio.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb9c711df1d0a5e8e20ad338a6f48d1390e4bb322a28f90e9777de0ec85f7cfb",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/minio",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/minio/instance.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e924e341f82f937d0da6dd919fd259113ba41dca9164687456725d9ba336dd4",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/ansible/facts.d/minio.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3dae1f00d411da2a456850d0336cf5b2f7f7188125daeb517ec136bb020bcbe6",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/etc/pki/hooks/minio.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f630b9d0e8acc49e065c638e87c3155079ff52a95f9e3e2473e39e6821190c01",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/lookup/minio__env_nginx_dependent_upstreams.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b145bb7a0b43708b9443195d2bb08f40803aca29877aafd9fe461671db53c30b",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/lookup/minio__env_nginx_dependent_servers.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b2b3e50779870d15a20687034f51e83b26d0d30ce56a24d4448e4413a3c9a2f",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/lookup/minio__env_ferm_dependent_rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4e81f06252722537c6ea821474b007d84c0be83782c7ab6748218c6d4b7f17f",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/templates/lookup/minio__env_etc_services_dependent_list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c20609ab548b1934950b3c3459e02af73253da01c12e7d2700e4c2f83e242179",
+   "format": 1
+  },
+  {
+   "name": "roles/minio/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b58da3b4142b0db50eaafed73deda4be44dbb69a5f9ca1dc2736cea4e4246529",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eadada5608695f14a53fa742db0d619f484cb07cd459cdda5049293dca4e7426",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/meta/watch-wp-cli",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9bacd679a2d8e7a7ffaf0aaf9ffa19c8b96a7a904dd0eb08dd6026140f6ac7b4",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31d0d8a30518cacf2081b86b3a0fa0e0656e0be2d660a99b7a45abb077c108d5",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d80b6c6d7838b01e5d6a88a1ce93dc9e9711b784478fbf3f76a4b386021b870e",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/files/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/files/usr/local/bin/run-wp-cron",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd28ab5a8ac1e2d09403a5e695db591e5bfaad33efcbff3f871a47ad3b6cdc5b",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/templates/etc/ansible/facts.d/wpcli.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d6099da5deb7511bee5ba012ab87f10745237961fa0afc49fdeda931d147f1c2",
+   "format": 1
+  },
+  {
+   "name": "roles/wpcli/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fe63b6bcc5e670d38bb53bf1654df0ea4e3946ceda04f621748dbfae3c4ac5be",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/tasks/configure_snapper_volume.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "05255312060837e7ae02c955a40a43d7b29f3cf45b4e2b82586523891f36fa57",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc6cd7e3f89b08868fdd66b451021220805113f8ada9f4f7f27580fcbd1a1840",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "740a0aa6e836fcdd544d172756f26312e128da49e6a73f18bb0e766128c671c7",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4d42e33786d0f596d31ad98244acf37aed7433f7c79c67a9a567f4f298ba8426",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cfad86e72ff371496897772158e9a4907563e0858889f54feeef46150d0f5eb6",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7c696a9ee500b33a5f922f2953073c4cd0d1eef717787baeff93f48c242c8c1",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/playbooks/snapshot_snapper.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c814599563640b53519e51ac8f76280068be56850a0edd95538d4e0f480b7a65",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e45e5c309567a2bd4cbde6dd8b8f0ce8c0505282d2e5e319aceb1300b1d320f4",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2291dd7c27cff6aa3845dda6f0fb34022411543188aa436be259d91984655c0",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6fbe07dbbaa3946dc439ef25d40fac22b098dfc983e48ced0b9f54621ba4395",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bade6dbacc2566c19fe45a67158da358b95c3af3f382832004112c543c19124",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/templates/etc/snapper",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/templates/etc/snapper/config-templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/templates/etc/snapper/config-templates/item.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "878f154070d1c86f25574b16bb4dd373ffac0b60879535fb27bf2e48ef8c06be",
+   "format": 1
+  },
+  {
+   "name": "roles/snapshot_snapper/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b121a62896e2ef6413f3c9810bcf4904305ce4eb9acb4d56796591e2670a6aeb",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/tasks/manage_devices.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afadcc22dd18f11f42b05a99e53bfbd1d6b975c8a0accefa7824de7b8eac2503",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0cf8ae9f66f7e7f4368d3cb1bb84681c2938a6a6931e26fe2c3be2e2a3a14369",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2093589cea50f7eeca50acfc4a9b2387af16879e7836d07cc44ce010d530babb",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5cefd7d1c1204bd94b2f5b24c85bbef07d5a780a855d41155b8cc8920117a4d",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/templates/lookup/cryptsetup__devices_crypttab_options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c77833231dba4f245a0e960b9bf66f5b62d5de52591502d5143a27c4677ad1b7",
+   "format": 1
+  },
+  {
+   "name": "roles/cryptsetup/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef05c1cfa728a67a59ec304a5eff1aafba1dbefd59faeed45ef54bd86b93cd42",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02ed815617c9c653532f6be48a8f81cf52ca62b4d1594148d66da1ff10ba16db",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94a90e9dff3f389eb987e34935535768a824a5869ebf1a6b7c855fed1a34da8b",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff4250a2332b09475acd2d61405742e887c3dd956533ee005ed08d00d39f0930",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/ansible/facts.d/neurodebian.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b527553d83ed16219cd6149d8e1745c431aa13d825e4ca8333e034374df7bbed",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/apt/sources.list.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/templates/etc/apt/sources.list.d/neurodebian.sources.list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12fa4c9a21dd4c9886f56588d689649d4e8226582c84cf3082eeae3cca14b94a",
+   "format": 1
+  },
+  {
+   "name": "roles/neurodebian/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d1d363b731654d1eeeba9f881e4552e29176617e8f55207fe87afc4a2de11e5",
+   "format": 1
+  },
+  {
+   "name": "roles/controller",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "435c3ee4e6c46c6eb4bc823ac2c330a38a344a6b7e4fcc15b690bfd22cf17550",
+   "format": 1
+  },
+  {
+   "name": "roles/controller/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94b53c2aeb19d4a8fc70712ec9268291e03c2abdfeccd2eaf7de4306800afde2",
+   "format": 1
+  },
+  {
+   "name": "roles/controller/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cbb0c2a09dfbf5ae624a100af3023e7d8959af18013ac58de89b7cf3257d8258",
+   "format": 1
+  },
+  {
+   "name": "roles/controller/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/templates/etc/debops.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52e4296708334536d1f4806dcfb8f3066009627e27b6cbed8de8a1f096b70be4",
+   "format": 1
+  },
+  {
+   "name": "roles/controller/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "efb7f639cc8c45dd575af118c6d9a2c7eaf459e0b25eba8d19f67cd59a457bd7",
+   "format": 1
+  },
+  {
+   "name": "roles/controller/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/controller/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "879dccb800dba0f88e0e8541c4d5b1507d98ecb14b632a972f82d4f3b6878665",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7eb5b76d3d7aec359b77d78c06d0607ae0cf6e7c3715e2d7206f0cfc03140a5a",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/deploy_keys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bcf3164965087496951a81aac6b8a91aeabb29203d22258f152c2b0a6b77a73c",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/local_facts.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc72f2f3d2fbdd59a20efb638892e174682373c740aca9ee3f09205eb1123dae",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd094dfe9a8d973083d9869c9dc39ae96c2bf11221dea648b6a49e6fa507c1e4",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/database.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c3a2c4baac461c82a0a474407f45efe03bb7a7f8af11846824ebaa8655babd1",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/system.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2a3800f2b8f21a5710aee08536c28faf4d059efe1c8f5dfc03a1cb4df457a53",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee59693433b461bb6b0e33615dbe72b43d1a0b4c3d9d2ca12f4d01a43c67d8d1",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c107436bd22013a0a4a744674f8708fb553696566974c59266c7c7c604032cde",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09e6cd20c42abf646151b075268107e82d3c9e5e6e447be49a6e6e401224de23",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/init.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/init.d/service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dcd196a6c41c966f6101676c5681650e015c45c8b5f039816437080277ab2e9f",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/default/app.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39e58a398807d10c43bfa8a46ccf905d02e39d172d47d3445defd092b5e13474",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/ansible/facts.d/rails_deploy.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da61539b2934f2f29930aa6ef46c671aa7218e5d749bc83c38af0be302c1844b",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/logrotate.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/templates/etc/logrotate.d/service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba389c278b237de0478015b389f41e2a33e4f7c4c7bb4012086762b340892aa7",
+   "format": 1
+  },
+  {
+   "name": "roles/rails_deploy/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "42f2a2c10ce1448db94b5032a48bbde04055543593ec7b038b88cd4644adb056",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/tasks/manage_contents.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b6dc807d18e5475e9d6e05b87ad146156a44213b0abc2a7b710bf0cbccd09667",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb0ba661e17fe8f8c6f4b0f3887e69b6b9be47aeb963dfeb7a081f5b96b11618",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e19ed361ae721174fe9ffbd5d4db827f1e162ae5f127fe85ce0d7c7da940de9",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "46b5bf1e1d80c98f12673e53987af72ffa21f8cafa9d4326e43a30b8d39e60d8",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/templates/etc/ansible/facts.d/influxdb.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8833844801abf8c059cc32c1d613574b6394a33368546ab5d8ddae28aeb46b79",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "189566dfb1f737627ed0f2926d9470b8387646dec8ba1801d43420b0b41ebeb2",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/ntpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7736b4a8b0a03ebbd3d503e479e525cfeb41b82c4af14b543c4bd7da5b3820bd",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/chrony.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2953b5a7c357dfd3311a1c0913acea2fc1643b27de65f1807fbf9a6211aac318",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/openntpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b84bf911864fe34c31bafde4fe98ccff0b332ae198551bd757fac84dd93cbcf",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "32bafadbf25a75633fc78b2ed7e6ef1f762bb475ba50c296bf496e40501fc1f5",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4f8a96d980be0941dc393c7847eea664a66d7af72a2bb881e04afe251867253b",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/tasks/systemd-timesyncd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8749334a2f21bcdbfba5596b4d0dfa0fbd283bc8f729b81eadab713d4351fbc",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "45d1ede16474e324d36ddd794cab8c792714dc9d410c9803cce157cb2368954a",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1a5853c302d209dae2b4d06a241e9efc4bbf13da83b6ffcf34c5a74c6ca0a76",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3052ac4491b952ade1aa35fee6b0838d3e35862f6a8b7fd8391438cf5b84a68",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/ntpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/ntpd/ntp.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94322b5f478587185c74fde2886977cae0b205a852db51f042c207ec5a87edf1",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/systemd/timesyncd.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85a046f7e67b7febfaa04d7c076bda9ef96d06e8a3051c09bfade7e0d566a3eb",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/network/if-up.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/network/if-up.d/openntpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a503409fc64aa8eb51ac7ce8bd084bfdcbfab8e9951996dbe43eb79b41dfb93",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/default/openntpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e03c3845b5f8ea22b12b263111a7ded2b12f9a6842d8d61940d97628411e79e",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/ansible/facts.d/ntp.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "21dbc709c6972831d8b556ca0821eaf7b7462e9f0ea4f61105f76aa17502f4d1",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/openntpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/openntpd/ntpd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31fd8eb8dba1ba6d5870d7d9bfbd919477d14620b6c57433e3d81e7602a2cec7",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/chrony",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/chrony/chrony.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc46a6e8ec9197bea14e2a4eb82eb5b2df415d998a8c9c2f62e455b1742a4872",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/dpkg",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/dpkg/dpkg.cfg.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/templates/etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7122c8c3bdde22915793882e82fefe4292ff52af17d8c40c6d8105dfc889522b",
+   "format": 1
+  },
+  {
+   "name": "roles/ntp/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2c791e49535cadd965fe15cfcf328a0bee50cc9b07d0d7b6829d5540cedf45a8",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0f222ba0f13b74aecf16bc9ca423f4977306de3cafffd3d0630b17e38597aa25",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d5ef7f4c3e038432f030b7ed8f3a7d429fb2d251565c58cca528acb601f5a77",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ecc84de1d0ee24cd32e8fe36d03ca87a146ffe0a2fbd16b50b017d43e0ec21f",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/files/script/bootstrap-ansible",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c53b36dcad3d24595d5ffecfe6bc7fb6375a7c221d52808091e3b4d794acbee5",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/templates/etc/ansible/facts.d/ansible.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d73728ab1b83f7560e0d18299c4513ecd6cf78df209ad0c719b6b5e0d8b10e0",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de3dfddac41b5d20225058b1bd4af54f5ed75fb7d364ad9dffb25dbe9da729e7",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d9140d3051858eeac7b6b4a7f641abcd52d9591d71c4e11d5026c93568fb64c0",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83dfa83cc09740170a561c4ef4ddc09f676271e15001c157c2fb17c2619313c7",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc04d6fb518146d10aff762fbc516104a2aa7feb74df7d2729d2e3d369346ce3",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ferm/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ferm/hooks/post.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ferm/hooks/post.d/restart-docker.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6cf589f7661b90bdd318890855f235dc99962a076505058ad88077a958b2ee43",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/docker",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/docker/daemon.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd21a8c7a34c09122954b39c89d4e9dae5db946286d1c4b9845b3d486715cf9c",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/systemd/resolved.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/systemd/resolved.conf.d/docker.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "032d9154186d1564d52e66dfd4dd4c0933551c91dfaef9167f5920f018da6512",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/templates/etc/ansible/facts.d/docker_server.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "80a67ea9de5ddbf990e29ccf38b4b025894e5882d2f96350c9037f29cabf12cb",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bbe7cab295460bd6ff077185614e43b8debbcaed77da7a517d90c7ae49ede0dc",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "334cc753de62726b87b74c56deb3c75a67467131ea64823cc12af077f5104943",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b8a87cead102564dc97d2dfae085f09cc721fe1aee763d7cc75bca0fbac7d038",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ced731eae071a2581c66586aa0a8cb2bb7559303cc8ea311a8fc5b4b3a867000",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ed9c2a40427e4882101be3130e44eea9d183fe4a9368c72fd0543aeb15b6e36",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/usr/local/lib/tinc-down-wrapper.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bac3b18012925d813d6ceac3adaf5e12fa416ad9a3a92bd486b79722c92c904b",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/systemd/system/tinc@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b04a1386da3cb0d2d1e5e9b79d7402628d114eb6709af3de6a1dc5e92c8a99d",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/systemd/system/tinc.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c907d2cf6445ee0accfe25b671214acb0a7b0d9227964fcb052445ff58d1fe26",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/default/tinc.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92878f55422ca06ccd7df4506f1594507cf90021a80ca4b1c15fd0a42a5412fe",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/default/tinc-network.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "613f18ccff64064a9eb894774115cc5245e4f44a42675813bfc9541a3da71879",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/ansible/facts.d/tinc.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d3b8cc763f7dcd47c75cc7e653a806917861799f85f686ebc8b784f46d14fb0",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/nets.boot.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb4de9e6653c3d27bfe74eb04baf7e133a59caeced3e5000264b7140482dd7ee",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/gitignore.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5701f123ba109e78419e83d16ced31eadbaf409da145fc0d80e57f4be946d8da",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network/tinc-up.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cebdc12ee72b90a507c5b68e9290577049c4043ebd80e53dba1d555efeb1654",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network/tinc-down.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd2ffc9c165bb1078bca608bd6ae940e023e441399adac797632b5bec29b648c",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network/tinc.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2471e4d542bbb194989f5f889d97a4de9f23eaed13b2f374cf2d31c4c8276d06",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network/hosts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/etc/tinc/network/hosts/host-config.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f6cf64d67f46eadd1a9ba5dde1c57214ab3044da0291b65fb2cbe0ddcf47744",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__ferm__dependent_rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "05e65cfbde578653ad4f2521b25c9dc01358c2adc14f8987e041fc416584e6ab",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__network_list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6136435189f19e16da329e88b36ec9ece29231540e4874ac9f7d1092b6ea95f",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__secret_directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "644e98d95cb134f378c2c24fd6d19842d987f0f1780e4bcc9c919eb712d16a86",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__etc_services__dependent_list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "168ba675f863aa2fb9d2fffed26e6351e4d90f2e35de48d61559d2dc5210f595",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__inventory_groups.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1ca8c4ca06db7f95743a1e4ce5718458c6dabd509443d0c2020869c46b93011",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__exclude_addresses.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eaaec6b03f84831818bb92fd2415739db807c636dc98ea863c36d7e2d6daf4f5",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/templates/lookup/tinc__combined_networks.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4f45d9a1d1bc390d0913941bdb8f47458af3ef734669694881dafc1e4eb11be7",
+   "format": 1
+  },
+  {
+   "name": "roles/tinc/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b750abdb189c443bdeebd1347a0e81f0f5925eff9b3e649ed3ef3be5032fc44",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b69f6f80d6627bc43411b183ce8517a420cf2b3f4b998da0a1b66d8d863b239f",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "beee22378bc733b3253e69fc8d7c43ae169da3eda840d202c15814df73352e97",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cdba7fd87f05de815466c840568a659c7e62bfb4e47285e2c23aa0a8d4196f60",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7fb62bb906c605e3a9b127bb53b3435e75e5f1c849922b6957036cef129adb6e",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/etc/ansible/facts.d/postconf.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26bf0477122a1f3f6cc851aecdcf1fdfa028e070aa4cc5abfe1292b1f16d49e0",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/templates/lookup/postconf__env_capabilities.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "873c3db6185da83b5b560f42bf225a00528c941f5069cedd3ea16f392722bbf7",
+   "format": 1
+  },
+  {
+   "name": "roles/postconf/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "54adc7c378a27e6d79b7e93393e59eef6cd6c561b04b022e8e25b484b7ca6d9b",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "292bf9b2b58dbe2761cf3883f1f450ff2718e9bd3d822e02259ab8b0f137498b",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "451f23250bb255ac17c90049d396b0e04185b6a4897a896dfb31c5d8151ecc37",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "034fa326ef437686737976f4eaea428120e6c6e96149e74bb6d07617ffc0a9b4",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates/etc/ansible/facts.d/memcached.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d1a6ada1cd656bde4ae9eaf7d32966799fbd0aabc6e057e44bb2926adb6a8302",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/templates/etc/memcached.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e3d052876ddf313bd9e6eaa10bf7682016505a8523130fb3ea9e8acecae0c9b",
+   "format": 1
+  },
+  {
+   "name": "roles/memcached/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c8e829d1c804ba34b934a17f1ef327a043187ededd9a7b224d682b7bfa17990",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b30a1204146437101769a6a8a838b0a3a9d4d6de6580a82ab58d6cec34cee8b2",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3627161ef343064c1a49e12ac41be5acf63321eaf1adb4b4b14e306d066b7476",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98763c7a56f2bd1d02b61c14c97dca41976da0b48398515d22d4a0b6b172e442",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/default/isc-dhcp-server.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bc861d67b485cf9764a9891bda5fec3894394a34a649c0b5dce1b4b3b1ae718b",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/ansible/facts.d/dhcpd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fb784aa7de2cdca4ab831d611f0a0d478fc14263c20229841f08521b9475abe",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/ansible_ipxe.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9328257d56cc9f7f327c7e0a29bab8060b75b4bbece2ec72d4d4f9a553fc557",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/ansible_keys.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "55fcfb92be6452b76c3ec469d5b12e6b1cb073ac4862293861c14e047598a19f",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/dhcpd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a22a61cec619f17b445fae12d4e676cffc36ea7852d725fa54e39844315c2c75",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/ansible_zones.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9b744caf9ca5d05bb0ac7cc1b28cbbad4711896fefd65addcfc35f2ea195d80",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_pool.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01da3d58217e2bc095bda464afb5d4bdd502f1ce310d0d5ecd91b6e48b041680",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_class.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbeadc188420ba34ff09495b5d057e7f1ce204590c84720b775ee5a074163889",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_group.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66e3fd7850f87d5e2a39870a07534b029d6a42764c3e48b805fa5d44de29fc98",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/ansible_failovers.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f35a91f3cd397d728591263a7ed386acb95b2a5cfeb376d129f95ab024818769",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_host.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "541649908f3f4080064f1420e6defa4fa3d66c61f99d8e97074fba9e24e69d52",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_shared_network.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0936a1583bdede1240979de7e39436a58fc70851b73c766e4229d5417ba735ec",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/templates/etc/dhcp/macro_subnet.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "44919d44e42767025b32f8a3436747a6b6528ca78827cb66798b6567b31b4e03",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcpd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "501522ca415836e14e8519666b3d253d562d1db2f2706940df4ffe753230c854",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d29031e7f7cfb2fc31a8da1663384fcd2458c7444af77dbb45db43c78a8956f",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bd644eebdce6fe3108c208a54a5b9add35d8208da8a8b18d9000559454dc058",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "997ab2e1d91061cd1e71f57cbad693c91afa03d8c147fd23bf3b48d788d40365",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13ca63a066bada301c8abfc2a1b37c2351551a2fd7b248ab7f80a3a4628b0501",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/files/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/files/usr/local/bin/redis-password",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9a938718c759d1185bc587eee6544a1b8afb5905cef0c879569c7f612af760f",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/redis",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/redis/instance",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/redis/instance/ansible-redis-dynamic.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdaee06a057b32ba089e17735b55e9964533e7ca3879453c05b01cdedb868fff",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/redis/instance/ansible-redis-static.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76f1ac5425b63b1b9dcbddb78b7842721cced22b83963e7a10edf2b3ed0905c4",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd/system/redis-server@.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd/system/redis-server@.service.d/ansible-override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16c0a36e7776b2ae7b6a71ced4e6d6f49a8d65499f86c5405ed9c3c5e7495978",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd/system/redis-server@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a39a2e3f71971a57d78d6a62a3622d7bbec4282e155222d4ec783935112f1371",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/systemd/system/redis-server.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c52b89b7383ed26ae662739f472b7f9f86cc7e623ea532a932dfb7220c97ac0",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/etc/ansible/facts.d/redis_server.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92ed927b8a198e6fddef6f04fca33245b26ce970682b1fbeaa5cdaa597974b56",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/lookup/redis_server__filtered_instances.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd7b91623825c252bcca103be2ee6636799b47cbb1ea5648294b10ed45e93a81",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/templates/lookup/redis_server__env_ports.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa63f8e9aea8f3c3286925a257ae03b964136235416c029871e6750e8bf2db3d",
+   "format": 1
+  },
+  {
+   "name": "roles/redis_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6dbb2fdfdf349d3e5acf31d04d989a660c3cee89ec25c9228909b1336019f8d6",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/tasks/lxc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/tasks/lxc/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c14eedbf2edab69aa8bb5cd8887cc6a7406315ecf77672ee22e8d96e506b3277",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/tasks/lxc/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c14eedbf2edab69aa8bb5cd8887cc6a7406315ecf77672ee22e8d96e506b3277",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08ad778f3af84d0d116c171f52c0101db12c39ea375dff01af3c8e055b4bad4b",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f93c86151549de88395e8ae545ea966a5c98e8239c1916c50124b8733f10fb17",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "abde72b4be9f6e4c78996f0a1dd71841e79203d89d23f7d18c736845ecdda654",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/bin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/bin/lxc-hwaddr-static",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9f60812d63f49bd46405d00b829ddb1c66d3e9afc19d3b7fb2e0c90edf8b018",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/bin/lxc-prepare-ssh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76aa890446621349d918f036cba37a124df0a84a998dce2bc30db503666dbfcf",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/bin/lxc-new-unprivileged",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57eba3c9608a547aad3e6978beef1f1a7cd279735b716c7fc2b7b297a51fbe5c",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/lib/lxc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/lib/lxc/lxc-destroy-systemd-instance",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2fe52fe16d323e3292a0267c70c2967b9b74433821977e5991f8fdbf1b8a4568",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/lib/lxc/lxc-net-systemd-resolved",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9985928e4e801f0c7e6ba4af59dab7fe357f0dd936f6f0a1d31e715fa3fd0b02",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/files/usr/local/lib/lxc/lxc-net-resolvconf",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c12e5fefb89a663de35c9dea378afc66f42c99f1dfb251e4b2eb2d889fea70a",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ferm/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ferm/hooks/post.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ferm/hooks/post.d/restart-lxc-net.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b8a7ea2438627c89cea3c7e789b3ce14b76d38b8559b71cc31e9f4df72d1217",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc@.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc@.service.d/partof.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02b5560de482a55d1926ee5d3f2d02905a191d83f04605a7a3348cea55517e69",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc@.service.d/poweroff.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d9fd60308cb8c628131c638a4fea45dd291993468baec0e1e87d88cb929c8266",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc@.service.d/ansible-override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "09cf378b875ca4d73e9c18f4d5d2bd65e1316b9bd7fab876e02223920ad87224",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc-net.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc-net.service.d/resolvconf.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc6d54b3a0473d693d9e0fce85409dcc630f9d8536d04b17d35ef7c5efbc4c96",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc-net.service.d/systemd-resolved.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83c0ac879ddda76d229cbb53283872384d3fae898e84450ba29329968c444454",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/systemd/system/lxc.service.d/exec-override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22fbcbd236f4e48495a720d2b04ae113998cf591d482208ff9b7db3fbb2389fe",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/default/lxc-net.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78d071e0e120121a988da2f1873480c13d0ad2e5797c727d0561c29243e45465",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/ansible/facts.d/lxc.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a82a10e2511bc4b7cf1581c0d14de3c5fefb2a593ac66d78fd4f4438efba7bf",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/lxc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/lxc/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef1cae6ad8cd75ed5cd178b725bffe0ea6bca5ea2a96b259892a3e56129f3092",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/templates/etc/lxc/lxc-net-dnsmasq.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f8e9bc405660ef12970fc81fa49374029a017e403873cbdfa68c4acebad51a30",
+   "format": 1
+  },
+  {
+   "name": "roles/lxc/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c1bfe73a762faa33322c43f5c88856253721ed218c9ce278b3e066dd0c3f4b4",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a593011d378430f38c819512054756d2992659acd2ee901f0b9693e79500a3f",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/meta/watch-lxd",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48bc805ff39abd9063392c5adbc09b87ea29d80b1dbdb10159f1e61f713d38e8",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53aa8e7cb12d96f397b1ed2ec6142f3bfc8456d06dc97d4bef9d124f2143369b",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8aadef797710e2553702580a99e6321d88e7b0d7b480086515f877d28b8a557f",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd/system/lxd-net.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "085ad51438d98f561d3068df4d34515ab4fd0db11a87589f236e6760cd8b7099",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd/system/lxd-containers.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06c72013998460690cfdf5a207051f3d99ff331eaa1304f86fdb405de4596c60",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd/system/lxd.socket.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf89f04f7e5f72fdc23abb060a764c6a5b377208dfa7224c839414531303e717",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/systemd/system/lxd.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "18e1259074839e536bb2bf5c34740f3e29adc8c94b67d2dc271cf3d90d2ddf5d",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/etc/ansible/facts.d/lxd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "999829090f4a792993527c4dc298062029a44e28ec80a60b6b0a514968978d28",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/templates/lookup/lxd__preseed_data.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f01978735bcbf96f873a3ad8ab46c0c8f6a2b7160c5b428e2f3cc9803b7f73d",
+   "format": 1
+  },
+  {
+   "name": "roles/lxd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c1c1c42503c2ff059b49ef8c3c28be6f38e513584d8fa8cd5c43b2f172d239ff",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b716a8323b3b94370de14d3e87d6a40dae42d67273be73d19cdf2cc814b0ee20",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4986551176b60b6e2d0ab5f480e938232ce3d89cb3d1e7b5542fcfbb40d3c85a",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37aa92300d6a5ea72296d04b0c947c3d3497cda4bbc394a7ee4f789e54b7721f",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd/system/user@.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd/system/user@.service.d/hidepid.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d0ef83545236bc7360866da3016d4fcc35ddfa93d3a8f284f8e038b978b8e8b",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd/system/systemd-logind.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58c67201a72a8045efa9a72ac6f62530b9890fa04a98e0e956e4f24533d8be1b",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/ansible/facts.d/proc_hidepid.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f54d521dd4ddcb04f60353e256a1f0b86c80bb82076701ec7d00a1d03bf1ea4a",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/tmpfiles.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/templates/etc/tmpfiles.d/proc-sched_debug.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "32d3a53eba89e45eb53d271212a49ff0a2590b67e204464a7e298ea11ba66074",
+   "format": 1
+  },
+  {
+   "name": "roles/proc_hidepid/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "143e5558ec929b32a74918c015d1522a2105ac89054c1984e91b6331d5206a55",
+   "format": 1
+  },
+  {
+   "name": "roles/salt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "44f8c00d66004a542589d9a014a017885f2b1fe697bbce5c674bbda1a6ccb360",
+   "format": 1
+  },
+  {
+   "name": "roles/salt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c8b02e9877dd0b9af17b6a6f1d7533c2a55a85c4e16be0ca9b27674de179ecd",
+   "format": 1
+  },
+  {
+   "name": "roles/salt/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4177f1692a2ecc127f534e34e606bf05e33852ec8f58775895601d408c9a02e9",
+   "format": 1
+  },
+  {
+   "name": "roles/salt/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/templates/etc/salt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/templates/etc/salt/master.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/salt/templates/etc/salt/master.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3dfbf2ba7b63413802cfc92e2858563091bb83d600d726ad298e3891e42082c",
+   "format": 1
+  },
+  {
+   "name": "roles/salt/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a17a3b1622f1b7c040ca293d93d9f0a6472a6cd60f5c6b36c45e929aee2c874a",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "910f75776f30f62c8fc5558a3699679ea752dfc59b2d072f4bafbde727c2dc75",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d66d8fbc74b5ff766a2e41c9e1008fb4d89bfeb58d2067ab0d88b88dd4aca10e",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "388f525a97aec57b15d0c611a4370be5620eba383aed1fb3cd7d867c3c251f9f",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/unattended_upgrades__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf396006867313546e07964fae38d2fe874aa62b302efb5aaa6723cece376672",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf396006867313546e07964fae38d2fe874aa62b302efb5aaa6723cece376672",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3c87fa2a35e0b02709f90f69d6a07a7d7580333c3825f8c75b7269c7a959ce0",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt/apt.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt/apt.conf.d/unattended_upgrades__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf396006867313546e07964fae38d2fe874aa62b302efb5aaa6723cece376672",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20periodic.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f174a65dab00e30b9f1600ce59ba77aac0c03c7b736776d105925837d2b426cd",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20auto-upgrades.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de65328c3d3a68c93712004bee273c75fa259e5c2582c26a07dadad27441ef99",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ccb8c7bcada8f63e2a2e20be67ff7e793908d547e9101569968b7d0826ae434d",
+   "format": 1
+  },
+  {
+   "name": "roles/unattended_upgrades/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4bad8b7949ee5c8da668a2df7ce88d0b5070cf0091a9aa34a10da9204e38c671",
+   "format": 1
+  },
+  {
+   "name": "roles/cran",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "05463911aadfc9f374dfd42a582beda0c712a0577b79dc3b9e3272f2b0212ea2",
+   "format": 1
+  },
+  {
+   "name": "roles/cran/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c7b908810aca784777e004591656c2c88d0b213b08fae6a39ca9b56923d47b2f",
+   "format": 1
+  },
+  {
+   "name": "roles/cran/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cfdbcc8f2cd1641ff652e2f5b59061c32425505c34ffa9f81678f1f9f55f32e3",
+   "format": 1
+  },
+  {
+   "name": "roles/cran/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cran/templates/etc/ansible/facts.d/cran.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2f2d6965ba2532b86ed5c0e14c48c51893029897e3f53d68c13cd8b99939c1d",
+   "format": 1
+  },
+  {
+   "name": "roles/cran/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c03d24125c9c1786040f226fc599d6e60e17d8da1b7b42fddf1c97d78081a304",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac4a1b9b5b1038b01b0d9e67e56f65a4c8904f4cb242cd25cd1d69f3c2861953",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ff733c9fcddc7e1c4180924dbf3c29b38c533723be7139a8a2196bda1c9d8cd",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4dcd43394a56cc532c88a24ce32233e9f9cc465030b7edbd22f9f3b07a7b7bc7",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc/ansible/facts.d/apt_listchanges.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c1f68a3f950d364d97de0c49dd80119afbd002001b11f61d2b970bbe588ab9f",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/templates/etc/apt/listchanges.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce0e3ef4b96f6b1e91971b9083649a6611a99c1890ac02adc53f2d98f6dc0553",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_listchanges/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f5c480b006ea85a0dc8021aa270b16d22ca60c88fda18620a14540c27bf8d18",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "058970ec48563d0249395e759e6d557b34f2b33ed0148989dfc8dbef92c573a8",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fb9fa2740cc68facd08c15134bc44d7f3251532b5ee4732cedca545c568a947f",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f232720097ab6dc5ac25c2259d070c932fec24bb118167db5bc6d6c96a3ccaa",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/usr/local/lib/resolvconf-static.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b49da18a506e381ccfe0b2ccd53db730b128c26afe5bf9fb3c3add993b2f61e",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/systemd/system/resolvconf.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/systemd/system/resolvconf.service.d/static.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77fb22d9254aa65f8c217db11e7c948a632d23f48acc52c918511715938d8622",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/ansible/facts.d/resolvconf.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0da54d6cb365f4729d42f7970cfc1bb9a79d489d6191985b0244e53cc1f12738",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/resolvconf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/templates/etc/resolvconf/interface-order.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "474dd5af43e99bdc2486cd4333bf3bd488be0f909d57c806a940a5c152c80a2d",
+   "format": 1
+  },
+  {
+   "name": "roles/resolvconf/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92e49ac25826ba90b7696c9605590c699db62bbf53fa202185f377bf41db5059",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1db5c0ece9c59014308f6f6741c75fee4deabe7038eb7fb7c551d09974654fd0",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6aa1cf6b3ed78f0aca9c7f89529493ccb2482494630a024ff65460dad395ad0e",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de086ef6806d8bc0272364aaa4e101b27af871aa627a11df0fed629f587edb1f",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates/etc/nscd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0bd5f0b67fc982037baed1091cdc882f7016e9e1f891a21b0970deb28d3cb262",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/templates/etc/ansible/facts.d/nscd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37b57ed4c682322a1fc23b652e6a493a65f679416f3ee00cd7d92c6fca6b465b",
+   "format": 1
+  },
+  {
+   "name": "roles/nscd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0f034dd823184d0bca4c8673c4991a55978b3bd68c1f6a06305d0f829698abfa",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33efc5f9bf51663c728da5889d4f3dde3fb714eacf7f6b51961802af1500efb1",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d7f35407d391ef5e9c70d5eb0167aa0e5d62d77a5acbf028faf0132b736996e",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/pki.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a51a9be863a4ab446d53b16ffbcce083f7dd73cd59aa81640dab6d070c3d2c43",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/opendkim.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61a609ddbc89daa0e65610884778243510d7a050b49f708cd6ce4bba3c9aca28",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/stunnel.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e4f384c88cc08dfe9abd9f643a2232cc78fae8a0252ddc43ca1b63c57b7b9af0",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/smstools.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "159ffcbf6707f9ba87d0c4e6c0518a592261effdaf1ea612e20f44c73eec5912",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/telegraf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "666b7fb7da569831f74b149ad3015c50368df0affc7536993e4a4aeb1822941d",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/snmpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4d8a179d35c7353835b194c552e080c989d6a710461f60d0f8094f3b9f5475d",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/zabbix_agent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "959b4d428e19fd4054661e5b424bdf9800a24b288f60863e389dec4c70b02a92",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/systemd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "caaaca8b9ee43db8eae724dec4d0c00fa5f07e2cf32679cf86d59777a03f9e5b",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/bind.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "895fab0e55d4d810d0fb30ded1b491ef8fc1ee7eaba90bb663b875c794690ddf",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/sysfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aac57e40493bbf4e447c87ce382c46ee2bb3b58ed85c66e5dc85599bdfd9fa37",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/grub.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f0fe593963db35ad3b82d5e45f3030ddc732e6766f46f0e0512a73de74fce76",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/etc_aliases.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00518538255a8d1c3854a76394eeffefc6e7d8e61436f900380e135523c43405",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/minio.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "821f24f37e428a443d53e1c88e2b6a123232fb5319c33bdbc9d7cb21bf5ac400",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/etckeeper.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f7b7e3c59b60f24e8c1eaf514966c4f06deace198f4ef1025d61643324595d7",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/tinc.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66b9f875a428e24b48029a9bbff5501d1447036d9c4f2f94b629d9e17ae390c6",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/mosquitto.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a541882e2548c875c9cf264e836ba12279b19afb17f34f38bb5a214827390c0",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/timesyncd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a7602fca2ff7b15a824cf7751744de64ea3e5ca0218fc1eedc89499bf726260b",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/radvd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "96de366d3acbfb507119a5457c9caca99a448078071463ca94b95807f64180e8",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/fail2ban.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "589f3c4e31d72f374917b36e66f0415d74a3a7337ee2ac35753d9ab04b198ce4",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ba751c40111a9643f93bc0f309f12ca4ce90915359be6f4bb1e81c09a85d125",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/rabbitmq_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d75c9fff53b8ac794c27c46356989ed92df23492646c9b67c805aac6b3125463",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/atd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff7b91799e85e22642978b8155a50437b116e11840ee31191aa64407bb8f5703",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/miniflux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25a728013dd0bc96c8e7be0fd29bf562fcff1d8f77eb5d02b32c5b90544d28dd",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/memcached.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e816555069f99384e724db4884278ce196b14572bfae21b984198f0a79d26a2",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/postfix.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1d4428b91dad9007d23f126f218a93ccc1fa6e4d7770c61cdef86bc5a95d507",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/resolvconf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "829118324eead61b61c2e208f64a8cf18204fb7fc4a764694403fe16d7f7e85e",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/unbound.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b95da8f4c19d5cc36a92d24c65f22d46fa7876ce8a577c7f5e5337210b62262c",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/monit.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56479b95ad4ca56542573f91833c001f30f76cc11aecda30615091b2529c3fb4",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/reprepro.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2df17b99467ea5d9f87e9878dabc382008611068b5c4dab5984bc1b82194b888",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/kibana.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e21877fa290908bd0ddbff33bc1f730fd291ad1077bd08affe65ada378d593e3",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/nullmailer.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f8820663270dd4046ddd8eb70cc648cdcd5583a815a81a16fa0a3f8b76a2800",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/apt_cacher_ng.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33ae15d1c86831a86d04e773b1f10f7ca246e245904f8785737e12330cc56eea",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/prosody.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e7c389162a0a562fbfc583072a421e91bb1e6b43355bd1f97d3afbe746ff0b66",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/dhcp_probe.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1e8d046a1f545feb009cbc9914d3328bb2648a87c87641ee741c5e9d8e205e6",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/gitlab.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c677d399e6258bff576e6859d96604aaa488cd4e424fb748b09e0a4c2748a445",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/avahi.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "23019701f157fc156f872edcab697c393d735861329380ce8d6a8f914976ba72",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/meta.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b6fe4bb731851045de1f41a91f72ad0ccded7c8fcb5bbc132a7c73c1e1ec449d",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/metricbeat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb6e5c1b9536526f3b3f7d7e3abe2594f8ef8136f08004ad0513330c01c17a1",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/etherpad.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13641f83d417bb25416a2890b8d0e5214eae50d8239eac425f5d563f0b898468",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/sks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3bb1f4bf31013ccad0fec759203eb490d93147b1cd9033a395805bd975359072",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/icinga.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c6a0025782ced63a289e71ad92ed8924aefc0d0873edcbbb15a386a7ba0915a2",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/iscsi.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22487fe54f82e2131a240444481786fc5cd1da45e666adfda7df986fe9a20f45",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/freeradius.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeee129533536f71831cba146049a85581c8d63b8056dc5631a269b40e1cadc8",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/rsyslog.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6ef5723ede5489ea5be26351b049b420380ec7fd2f27029d09134c339e59456",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/tinyproxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0f73d8a21ce34464cb050b7b76815bb11c0915f77f4b2543ea9b124f0a6701f9",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/docker_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83a102dace83b286a9d274f427b06c1ec40c3bcdb3bb104d63d20f92ad774a0f",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/libvirtd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5bcf3343ec298980f23a7b5e4ed29f222f991eaf5cd8a307ffbdfa10b94c705",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/opensearch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a657226f4ccd3d840d4475d0efed44b4580592baa683f022cd9370b4443d8d59",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/tcpwrappers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4bb385f5238e5ec3a056117c1753ef5b7dae6bf90f65b972a77933eb49c31d8",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/dhcpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a86d89f1d435fd3d9787fb21be3cf20d5a6f2b3eb5ac05212e6466e29bbaaa83",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/ntp.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f2c6af2239a376e205e0d38cd7ed7b1b00d5801540e6be31d6f62d1cf1c90bd",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/saslauthd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27e1d82eb090a1bb9d985391d47832dfd28b44049e9f3e195217f270460d34ef",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/elasticsearch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "041692375fd123af903f5a1c09ccc7064f1ae9be8b47892c22ca452933983d34",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/ferm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "419826d968bb1507fae470b69b0aba1c387d9cd400a46b86af7e276504c89884",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/influxdb_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed8996c5f1b0d8c2281a57e4a85b0e6c6837e36b99e04117385374bbf0dc4f17",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/resolved.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e8d5158304103a2f16e0874d2e3849cad2339284967e9c6f5a13f6d4cc819a1",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/rstudio_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "127dc20a9d4066a45967751926c821320158edc1dd99393d13bf78be1f1cf981",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/pdns.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fb05d44f66329436390a666617b023570b986bca53bf4352b41db3916b3d3781",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/dhcrelay.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59c15efbc623360bdf87a3c5866550f3cd832226525b60451d418af64662bb09",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/slapd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f8f4f36b74e589a1353ee24d5cfc48692d5c27ca2b55c40d3d4ac444df9ed430",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/sshd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "df2ba23bc2e11dcaa8c3b6f2b2cf2902c0d275acb6125d78e41dc79ab5248bad",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/filebeat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "724887f466107e15023d20f839c43533e6e9bef192581b7fa6f7f7c92c0a26af",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/imapproxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "779ed1b6b93fa339a22efeaf4e419fe48d851e17d133a0e9a4a435264c53caef",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/apparmor.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "284aac5c15893c0caa394e3608084a323f70d5a0fdcc5af509b57ade922e953a",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/docker_gen.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b9caa76c2be85233ee231c012482e631e35fddb94d636c22d356765996f073e",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/samba.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65313aebf092696a2416026838373882540d45559441e68b45a1896f032de24a",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be3252753abd30127133a64614b4ea7d7a6c465fb0f9b4e35cad6bdc99e04acc",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/lldpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4e8c20d76ebbf5f5194f8ef1d025dc6e35bf184b53a2f95e94ac70f4e8da7ff5",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/nfs_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b9f6c3ddc427e267ac7ab3be0b8a5a58887add38ed5602dec1c83439772b65e",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/keepalived.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b14be665e3d5dadde65eb201a6baf50872401f27100617f61659f718bdc04c8",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/docker_registry.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d37e2ad519095009e78a7371993faced8da459dd964bd1cbaff2f1322d20b603",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/salt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5eb39297616694d0c124dc1ce32f0ed709d5d60dc76f6f0021d34c45ed34a25",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/tftpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08d98480729a1f1fd21f522236b2fbd5fd061eef3af80fb5ff8f9af8bdb1d366",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/tgt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c314d7ba239280fc03de9304e4ff694cba863b09e1999746453b4cb7855d96cd",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/dnsmasq.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c16a4ed8353cdd4c6e833bce0d3baaaeec53b9f52d9ba9560f34f355cca1d74",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/mailman.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f146846418d494ac9acb9a29e65ccdd86d159281332182354b35fd9dfd0a93cf",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/dovecot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43a4160dd7f275c8b751de9b159193b4ea3347151bbb89b89ee419d51c19c6cb",
+   "format": 1
+  },
+  {
+   "name": "roles/global_handlers/handlers/rspamd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de45daeedf5f67d93adcd3f8e8befb1b5ded01803ee4eff5f4e5358e2576b946",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "28e54dd46c39eddcd6446c03f8dd182d1b03b8d8bc3e2d867b66e60a7a0f544c",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "585f27a5a3d2cf71f76b48dba668fbdde6ac8082e82b52707da36256a165a61e",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f80fc35b8eb0a551b731b41cf0bd1c9830ea78194579dc109e23553fba00350",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates/etc/libuser.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ea275e651a9a6b370540a5da1b3d9bcaed5a6181825d363c00bc944a180e3abe",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/templates/etc/ansible/facts.d/libuser.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62193739215761aea3fc3f06c16f7c1c3ad534101e05eface0688a747052aff8",
+   "format": 1
+  },
+  {
+   "name": "roles/libuser/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22215780ceb3e77f0588d117167230750b2a63591eaf9769ac3e07fb9205c9fe",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c88e2f6ee62142e88015cd5fb5c2907fc50a405de56d9f262c87b091f2d9f720",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "289be89a98071214d7fba2b60ae208014ca66ac55eb8f3e273137b7cea95d39e",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2798f16bdd22f351ee6a6bd3ae1cdb661c2e4666ea4c58a2912a094cb8a7c390",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/etc/ansible/facts.d/persistent_paths.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee3edc1f33b83a20a24faa30b2633d49b6a156b1dfec5dbf9685bfeeaec4a65a",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/rw",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/rw/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/rw/config/qubes-bind-dirs.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/templates/rw/config/qubes-bind-dirs.d/default.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50302bc9610793686e0d63852aded6e152ed58e6da3ee7461241630e700cd926",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "abe715329742d8c394c6a5cee6b423440cfdc8d797194228767af5ad4ef5ef32",
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/persistent_paths/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4fa1b4fa1af807b3cbcc3ea960bdd266bd6bfb2a5b7d384eef1b00fb53e2d68",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e2a9d97fcb5ab1eebe01a07bf90f9547765ca76ba961507954fb14f2f892a149",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/tasks/modprobe.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e454bb0f4a8a1cd97c70b3cd1c9420e8d8eaf10571f729b82ba97d3ad9884ec",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03d98d1bf76fa4f685e9ed854998393c9d7429fffd8fcf6ccd98263cd79728db",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ffcf0139492f6dc879286b6bb95eea60621c99c05657f50379d5b7df6e8f4f2",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/modules-load.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/modules-load.d/module.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3df6d62a32ddbe759313c1485527fc5f550c6b9c0eaad4aa7359cdff09c2d9a8",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/modprobe.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/modprobe.d/module.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b544c348f09f2a56c63ce2925062f6ed59cf384c04295a09a72600071f29e2b6",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/templates/etc/ansible/facts.d/kmod.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c9d4a2e2bc420ed3787edcf3eebaeb3a2298510b43aab3cedd2c9dde8c062402",
+   "format": 1
+  },
+  {
+   "name": "roles/kmod/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3893c6a540c47c51605c4d9f707329d983ed288968a963b83da2756a69138599",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "17bc5cec9ada3594cb19a13d5d5948e5989913713c60eb1c5227f7a3557b674d",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "161825417cef705bdd8a39a4cb1d410e69ea7f93da41f9d6d2ed67f81146cee9",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7a902e7f7cb52c11d2ecc33cb13458f5b57ae8542f0bcbf3eafa255155319c0",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a1efa012cd13ea3fb985ad199e043eebf8368e2fda05093c67ccb32e7dd2702",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc/ansible/facts.d/icinga.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa38d0b7e4f4b9ccf96652fd0515b5e60dc4e9b5042346445d2f3b91044f926e",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc/icinga2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/etc/icinga2/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6c78b6c01a4491149c424162bab4ccfa10b45e988349d8998253ab0b82da84e",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/lookup/icinga__dependent_configuration_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "677152eb6c5366161311d10f408f284184c7280fe3598d0c43413bac4bb47926",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/lookup/icinga__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8d5e54a91fe015f7a408846be20582820d100bdfeba71311285862a81d6370b",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/secret/icinga",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/secret/icinga/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/secret/icinga/dependent_config/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/templates/secret/icinga/dependent_config/inventory_hostname/configuration.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "68798ae49ba493b2eb1efa50722d63239e1ad56953823573df2a14cde94377fd",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8ce9cc58ee7b27bef43dee3c4bb018fcec529f770510538f9cdc9f7f9ecf7a1",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07f5184b2ba252a3d8537c25cfb8c52c92060177f814bb1ae70f761d9b2da2b1",
+   "format": 1
+  },
+  {
+   "name": "roles/tor",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "46268ee2a7649e32c192d1cbc2e610fb14fd3fc10a450436701c7662d041edfa",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35bf86bff0b01e2a0e6e1a8137e17b8868c26be744f1ca6c6910d3812a7e73aa",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "056434ee0cbe8093ebe05231130ff72c898a58625bc1e8c81cd313db1ab0b9c3",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d76455a0560f2807d0308d88ba02e8a3f48b204ce563610860063386eccf858",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88bd5a6e62da4efc1692711ab8631ac69ffbbb04ce0d80a4aa3c5b0c648dc0b9",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/inventory",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/inventory/debops_service_tor_global_role_vars.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "20505f319ce887799fcf09ff9db52719f4335ae409568fe527d5c0f9cd9b4d65",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50f9f756d9dbfd2cf8424f05cca856f907cee9d4309bb5746c45befa40ba45c6",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "660b004d823fd94dc8a347792731a135669257eee20f3fb8d96c09fa5ff10720",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6ef56a07bb4df71b5b1e97876a59217207001936d7609e02a24992ab0754af6",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tor/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b5e5259d600274b770b424f1d4551a2e21610f425fa5081983abda0d4fc4730d",
+   "format": 1
+  },
+  {
+   "name": "roles/tor/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1927eda3b549145e50f75f5a7087ff7a29a00dae69799c6e344d2e0b3789ced8",
+   "format": 1
+  },
+  {
+   "name": "roles/samba",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34f54b5773de308f9a388e0efcd03c65e7598da32d45c886b865639e8ea6e47e",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3f573dc75d0ebde4edc2fe3b5064079349426d0558508cbdb0be6c867a2cb5a",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/docs/examples.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d7322824e700383b733a530d7d8df4ec7ef7e80deaa7a0a7dfc819b96f118a6",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8bf96572418c4a53fffa724939ee9b768001c1a6bbd0d76a58624eeefd9ec29",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/usr/local/sbin/samba-homedir.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "efd6e072959da8e2b6079cc550bda04e872312199aac7c125bd091036df6a28f",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/etc/modules-load.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/etc/modules-load.d/ansible-samba.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "46a5f25e3b72fb3dafe9dafedcbd23725d90a9fcfc969a9399a23a38aecb7575",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/etc/samba",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/samba/templates/etc/samba/smb.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c870aba2c6a1a77312cb39b454443353f723f78dbafa7094937bdb6b1d535eb3",
+   "format": 1
+  },
+  {
+   "name": "roles/samba/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6cab36afca402ddac37e99dca73fe5176ca85bfe7463f64653ab3e0517cf477c",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx_servers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e8e2aa8d2b9ce4ef5b15db5ac099efe9b7f757031724a7f854d52f065b6ff19f",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx_configs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8f0ad41ee57692ae0c27ad6059c05ff657de24a59fdfecc0ede0c5038a65552",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbce5aa6cc4a1448f9ef49b18b350cb4464ee56d230ebf87c718170f1362e4c3",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbce5aa6cc4a1448f9ef49b18b350cb4464ee56d230ebf87c718170f1362e4c3",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/passenger_config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e00f32b5c1e6193958bddaea7bb982473643e7e31b81bb02cdfae5e53955ef78",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/nginx_htpasswd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47fb70b2abd4dbd0814333deab04a2fe42cc13c4270cb5c896898bb23a8d1227",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9b93d244ec0a4f69e0023d590fab7620ad6ab2aeeff8c9877244b013322f42f",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a87d78c14c2164b9908b560e027768f23594d4a502b0ed9fa96ceafb95718d1",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "254966e8fea07ae93a27e3509c249389cc0e83a95898619f087f5fad38668520",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/sudoers.d/nginx_webadmins.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2bf419c7ad2cc8b79fe06e4fc9514f1a2b8cb375516831cce55365d751e16b88",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/systemd/system/nginx.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/systemd/system/nginx.service.d/wait-for-network.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a42dce030b9f76e604694d1936b0a9ef20b8ad433246aab629b2b38d555791e",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/ansible/facts.d/nginx.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6292d2b1aa44749ef02307bc0131b1733af4895a5bd7de949dad75bbff7f1310",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/snippets",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/snippets/acme-challenge.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f51a26b9aa16caba54010efd720d21618c419db56e615add34a5cfed4a2c3ac7",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/snippets/ssl.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39b126e770ccfba386c78f500f907382e0e655d8e4fdca662a4ecc2784072b76",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/nginx.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a71f6440d4b869375c220526cf1ac3851ac763391d30cab006954db297d9ace",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/rails.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0bdb9d8be7b6b933541a8d2e01ca87e4d40a9055655d2c6d61b147884fc607c",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/custom.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4abdfe11e95330e99f7685ceae8b1ca8c7a6347e0edabd9a71d21a5cf892a454",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/default.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b4596e53ff4ffe6a4af31b5fca12be39d2c67795174332ba84d7afd88e26a89",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e48b2a2b4666c4d4a21effb7b718260d5dd896e80a3e042837835a3d31af549",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/php5.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d18f5109c3d5957c9e53c0fbd84313166feac956cc5074d538eaa1cb5ca4f60",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/proxy.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c04887614fcf9ceec8286bdb62db416d09458b8d8dfb8bcb3ea04d2e3a9b5256",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/sites-available/php.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f25193c087ee698a4ff176c1e1774dba8d63dfe8641a6485c26558437d0ed38b",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/custom.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db73ec17c143fdb9bc7d663cee338e2b4be71ba2f2308d9ae40a04d4bb4ac68e",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/upstream_php5.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4d236fb7a29c340072d721eff616a0aa8cbefdf1ac949360055f48004647bce",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/log_format.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9383bf8f95439b1d41780bf018c84357f86f858dd53507794630e3d63caad69b",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/upstream_default.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db3d4c49ce970e0cd0df3056717aad7b083fa0b6a6cb569163e57a8268f641c5",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/upstream_php.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77d6d122bcd655116c4fc6dfb3f26a8b34e251e68c0499012106ea218bbfef71",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/upstream_rails.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53ed122ce3477878f65c1c94a7ac90162902cfcde461dca1a37c50095726778d",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/nginx/conf.d/map.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3d53d1564443b18958b2ede3b9e55425f6db6c26b9d538880d43b346362b3ea",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/etc/pki/hooks/nginx.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f83f14efe55da261eb3b9aed8a4cfe4332557833113c77d0dfb323f67ca2d70",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www/sites/welcome",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www/sites/welcome/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www/sites/welcome/public/index.html.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "728cf552bd75fcb13bcc97c6d832a48cb65753b9db92deb89c6b17fcbeddae3f",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/templates/srv/www/sites/welcome/public/normalize.css",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7bc84e4e3f8f41336aaf3a64129d51c4e3e2cde9f39689e1d1303be896698eab",
+   "format": 1
+  },
+  {
+   "name": "roles/nginx/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d000ddb44dfeef2b0e366d4d36249b7cd4178dd28c32e2bc50fea1d571c679d3",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c99a313f20875f27b3ef9ba4fe7c68f2f224c928b66944e00b6ab869eb70e1a1",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed43d0d551e212624c52e687676628145d0a36ee6251a5680b199c5bd841e1cf",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "050e576977f3dc85ee07553d225b451e3b083d43bac01f9a481187203e5aacac",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/ansible/facts.d/keyring.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0800a9ba10941197d5d6e4de91794d8a7e2dae089436f2872f0afae87378e28",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/apt/auth.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/templates/etc/apt/auth.conf.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "907264bd38e20a3f5c9fe1f138719a4a4cfe41fc355eb335529fff99ecda480c",
+   "format": 1
+  },
+  {
+   "name": "roles/keyring/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "366626c720b978e1c68069128ec22a6092cbfb3c7da42956c989046b6a372541",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3d6f6e24e654f457accbd6b497930c0a4ca40e1eb764131685034988ba37409",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab4d5a0267a6d2c068f50b9b223c37545d82b0fadabc6c46b7f26e4e05515a5f",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "17bdb1f8abe3d9cb78996a25beb9a313634cb7ce3a1c90cde05cdebbb6489e9f",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr/local/lib/dhcp-probe",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/dhcp_probe_notify2.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd1bb7af9c1865cf1d083b2188efcc494fadf0071e52589b7923349b2133dea1",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/mail-throttled.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89ecd4ec9e8303995121573336165309d9d922bb9aaa3c9f859b49db629e70ce",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4735e61229b43e6eb53d43f049d6eb83f8dcd3e5b4b041e49bf74581e06e96b6",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d260dd5f8a82746ce7da1f05e419570daf0056fa549322bac77e5d3e4cd228fd",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/ansible/facts.d/dhcp_probe.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb3651ed11f0de03b327a385bcde692caf27c31ee49d97484a75648671b865e1",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/etc/dhcp_probe.cf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bbfc14e8c499f683d59e563e6ac79c032d360e034481da71865f95bca02edb08",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/templates/lookup/dhcp_probe__default_interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5a833046e021d2191698bac001ca04abb846b51e0cd859a1fddc26a3cf64aff",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcp_probe/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "556e2eda54bdd904754b9d9fb79a81027f86bb24626355828e07185439522d8c",
+   "format": 1
+  },
+  {
+   "name": "roles/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c6f3f26f6088b55deeb4d3ef269bf59cc99e5562d897142d50a49ac92f19d105",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69b4c813e21570da0d652f75d053e0dfbf35fcf6a37d65ad2b766e99a916775d",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad277b5872415f1f5f991e8f8c91cb025bcdbf99c681faadff5c3730f1250a55",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/ansible/facts.d/apt.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1334b16816758441e5612f1aba67fb25c9d4be1a48f00cc9558c6392d79dff5",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt/apt.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt/apt.conf.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b864c1935986bf3ea283f543a84c1a4b89fdc36642d4cc043ab125a40ad7fa6b",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt/auth.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt/auth.conf.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "907264bd38e20a3f5c9fe1f138719a4a4cfe41fc355eb335529fff99ecda480c",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/templates/etc/apt/sources.list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53a537be3d4dbec11602c558f583d94f9057c51119ebaafbf58aac3ceda98945",
+   "format": 1
+  },
+  {
+   "name": "roles/apt/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7fcbf92794de150507c324b934fa7395fc2127ea2a0eb4ad709ac7bd8c9d52d5",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/tasks/stunnel",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/tasks/stunnel/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480fd494e6a388c05244ddc7ebcc91c469be8e82e5db4ea9fe78655f21808d35",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/tasks/stunnel/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480fd494e6a388c05244ddc7ebcc91c469be8e82e5db4ea9fe78655f21808d35",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac8742d7235305a181ff7be91ee80cace33d1f5dec65414048169eea6bb0d24d",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2632889ddd4e7dab37aa5598ace1a6ca40213341c30f79cd421e16abcc73da46",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ca6e0eca6156ab7aad27b582ce0b1ebcc6efeef929fa4da99132588abb802a3",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates/etc/default/stunnel4.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66ebb1f75616c6740da86af08b7e1a8d39ef372c01fa11b42ea3705d1154b445",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates/etc/stunnel",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/templates/etc/stunnel/service.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "135609825e5602555e72ad9eb3c0430b330b239d875ac315b571a44ff29da065",
+   "format": 1
+  },
+  {
+   "name": "roles/stunnel/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26de31ce46facc0f90038b8ae5686a663d15ed6a6fa6048d8293636da89460f7",
+   "format": 1
+  },
+  {
+   "name": "roles/machine",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae6821e634081abaa598a1fcf85f6a836ce322eea484aa3f6be7e07bc1c4fa56",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd5627f09e20e7cd60311776b775c47d25fef9671e4b9c19d8338b886c6e04cb",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a46a54f94ac5d5db2af8aa8e328b74a4a41d0560d479bfe4e7dc53f24dd536a",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/files/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/files/etc/update-motd.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/files/etc/update-motd.d/ansible",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "227a6825c77beeb1a2c16a8031ed8bedaa8ff1e0229fae83b18b62dc2dfb188b",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/files/etc/update-motd.d/fortune",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "095e7ce4e40471350470235df7795af672f6db348c6568702c2602f010ab8bb7",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc/issue.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2774d5f56ebc11e00cccdfd70162bce5f9d1d4135ad5de9795820d117169b70d",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc/ansible/facts.d/machine.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ff3a2e0cf87488fd46a3d480b8868a06191e86649613c9325028da8a96aec64",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/templates/etc/machine-info.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82406da609c7fcdc42721867febd2144238282e84cb48dceefdd1f485ae43563",
+   "format": 1
+  },
+  {
+   "name": "roles/machine/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38a48f0f162137637c85156e38575dbdc7ba0e04c62df62265ec456d0cc7493f",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "15f61f6863149f00e0d86cee76dd78c9c42cb0727ff8115c0ce875be9d7a6662",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57de7f05e649717dfb1f9866eb50bb4673f66cbb7c7c904a57deba4cecb9ef36",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd0c627b063f56d180060341010e32d2136efdda4e81c48159fabc1857699f10",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc/security",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc/security/access.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b28f32ab3049c6ae6aac6cbb684bf3d613dc7bf439d7a2d958d7e93e0c2ef72b",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/templates/etc/ansible/facts.d/pam_access.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2ec6b94843b2d2d541e64dee477d2165fab5e61d4d0d91c5213cccbc085c53d",
+   "format": 1
+  },
+  {
+   "name": "roles/pam_access/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "df55952808946e1ef3e724a2d12fedbe6431524b258426cc5037213e34b65645",
+   "format": 1
+  },
+  {
+   "name": "roles/sks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76b90341d971d9719aaf24f44fe22dce0fd425a7facf8d6cd8ce8c46cc329c9d",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/tasks/sks_frontend.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77fe180437993f1e40c412a4946dfcb63b0a6e018d6ee42ee421d37fbc378d23",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b3bf3bfaf1cb1d52e66e3c36d114c0d2ab1e109f96daf75db7acad04c6368b7b",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b661968a5561fc7fe217b4e248fd1f3a1baa6e76437660698e4da5298f938133",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "538774b0084d46c9796a1ab13747a51e89bc3cc39367af0ca55c4b1b937348e7",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www/sites",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www/sites/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www/sites/default/public",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www/sites/default/public/index.html",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6a1d04ff28c6da6872a1367a57a4a1d3fb6f6a72fe10ac1853b41da3837cc61",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/files/srv/www/sites/default/public/robots.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "331ea9090db0c9f6f597bd9840fd5b171830f6e0b3ba1cb24dfa91f0c95aedc1",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/ferm/filter-input.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/ferm/filter-input.d/sks.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dde4d40e238c1e7393290fda22ed689a81c15ef94ca2eacc68f64780d64a03f1",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/default/sks.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8d4bbc247b5e4f426655844ee084ac09af614eeb754fa33992f319e1240ead3",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/sks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/sks/membership.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61256869f5d0b37d4496d2bd071c1427655c7eeb7afea885509fea18a897300c",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/sks/mailsync.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5fba4b5e8907448407d803fa7b2765489c17fa4bbde421ee8cfb482b64042d0",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/templates/etc/sks/sksconf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8dd9beb000d5f607b53e47aad838cf1346a71f439751faf825ea70a1ad30094",
+   "format": 1
+  },
+  {
+   "name": "roles/sks/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c478458f7310e7c22ace3dd2de00bb0e33bae73a8484015023e5c7730cae8de7",
+   "format": 1
+  },
+  {
+   "name": "roles/users",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/tasks/users",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/tasks/users/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf9ccd721b4a3d187c634c374ab1bce21ef9605d7c1d65891015a3a3c0e67387",
+   "format": 1
+  },
+  {
+   "name": "roles/users/tasks/users/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf9ccd721b4a3d187c634c374ab1bce21ef9605d7c1d65891015a3a3c0e67387",
+   "format": 1
+  },
+  {
+   "name": "roles/users/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f563957c86f6c7369874c9f822886f19421d2c2cc7a446d169876fe7087599e6",
+   "format": 1
+  },
+  {
+   "name": "roles/users/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6fc321ab940e8eb1c068ec613d88541d0a3ad3e2800e3ff3d1dc9c607a5a1a3c",
+   "format": 1
+  },
+  {
+   "name": "roles/users/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1cb98308cfcd8226e3bdaba841334aa2b4bb098ca132fc2c3bb03bce812c3376",
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/etc/ansible/facts.d/users.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "156b7a6b7b30d9d92467bee0ec65bc059451abf6727dc6553e777760b0e1acb4",
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/users/templates/lookup/users__shell_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb39c3bea49febf71893c164973c57835afe5de4acb578ce6f8dcd474fc34372",
+   "format": 1
+  },
+  {
+   "name": "roles/users/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38e95d36433a5fa65aa8f465ca431eb9a4dcb99a9960df7155bd77074fc6be61",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "54a93ab21e4ccd311065a212cbecadeeb18a803a95c846c2b7f8d6e1bf7919dd",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad08f3c8c633b3e90c9da064b7805dcbe65893cbf56afad3da21e9fec3ed51b8",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d3373ffe4c2322f651b99df376cdc00d942cbca7ee4ca55ff32bdcb67c3c916",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/usr/local/lib/dpkg-cleanup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/usr/local/lib/dpkg-cleanup/package.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "32f7f019cf93702337204f0566f35b2bb0da759bdf1f0b44f2655f2f503118cf",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/etc/dpkg",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/etc/dpkg/dpkg.cfg.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/templates/etc/dpkg/dpkg.cfg.d/dpkg-cleanup-package.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b118daa616ca0afb63491874781ddb6c38843f96c10b06322732d9627af7b170",
+   "format": 1
+  },
+  {
+   "name": "roles/dpkg_cleanup/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "867ffa18984848f5620b3d773c4f865af96fb1a66cd3d1fd7b2f23890f285fcd",
+   "format": 1
+  },
+  {
+   "name": "roles/grub",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d995de6f377e64a0ab804d79de28edf64a7817a1eca79da1b20ad57f4ad603f4",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "058aaab6a91acab0f8d58c3aea4ae0d1ddb15c01fd05118f7353a0765b084ea6",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "46ed2347d74734615db4960d5faed8971af6af5d8848fd5d78840fc7ddfabe23",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/default/grub.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/default/grub.d/ansible.cfg.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2717333574b89b99140481d31368a119ed97003820a5477fc953ed5b077097c",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/grub.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/grub.d/01_users.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb5bd1c183590f1595b9c04eb0aa63b29420fe7d8843f97a1f97b7c8f7cec081",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/etc/ansible/facts.d/grub.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02194e3e40aae366eb7ae470c5321baa7d9bb9068af273cb042988f3b7a478d4",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret/credentials",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret/credentials/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret/credentials/inventory_hostname/grub",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret/credentials/inventory_hostname/grub/user_name",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grub/templates/secret/credentials/inventory_hostname/grub/user_name/password_mkpasswd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab258db6dc8f786882a0e710e2ec08912871796e64200d544edd21d6629d6083",
+   "format": 1
+  },
+  {
+   "name": "roles/grub/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "128205f2497943fe3e3301f54988a1010376c5df924eb74273688eb2d8c407ad",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "347ea78840c451c7ae16302940d720c06c345889323e567aacee61df6875b5ab",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7975a5c998eef01135a9eacff14b93fbc366e25014f69fa1d44e049efa0510aa",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "577fb4dfef437ab7c8016ee6561c87308d6840719d1b358f803200849a2b8cb7",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/ansible/facts.d/icinga_db.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66a0d0c5ac55b1e8fd57fec8a18dd53b4060785e44609e1b0bab1837c8e878e1",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/icinga2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/icinga2/features-available",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/templates/etc/icinga2/features-available/ido-db.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5241f55854d3e9cbb3c259b4ec40b8dc8c933f041b52cb93f6bbad004cdd1f0a",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_db/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2317d01ce11bf3c2b5600e9c2712f4f3d938fa272f97aae0d4f4a63d66ec22dc",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/tasks/apt_install",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/tasks/apt_install/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cb65d94de2a4c476c45092663ca6d3860707ec9a9b5add24e99e07bd1d23021",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/tasks/apt_install/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2cb65d94de2a4c476c45092663ca6d3860707ec9a9b5add24e99e07bd1d23021",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5f304de0a84fe2c505bf42ec4f49f168f202c3774ee2aec23735b39436e5ca0",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa7b18f03dd80f2ff0064080260b5e3837afdbc6ef305333f444b8664f1d70af",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eabc46c690a381fa7370907529375dab40ce11395da60bf48026a9186993c0d0",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/needrestart",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/needrestart/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/needrestart/conf.d/no-kernel-hints.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e182a65b7231b5d1985b74238e80e7098d9d2a2b1c774b7c996b247cd74c5769",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/etc/ansible/facts.d/apt_install.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "638f5a45e53c958a39a9cc7a5108811ec01a904ab5cbf76f1571772d163cadaa",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/templates/lookup/apt_install__all_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61ea2f841570f861bb19cb4527c94e89faaff3d42d09ad236e46c1b64ae8427f",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_install/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1073fb26585bd86731547883d996a12e862852819112d1ff369be23b4e51a479",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f409c70d316a06c50d21b07c87d7fd1a86266aaac6745ad478f545876c7a565",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b7e932dc668e5412762b25266c221e26f03fbb075f65ddf0da2bd11e84394cc4",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef769a3c4bd0dcf2535e4f58a1acec72164b7290f0b0640e5682bfc6f9790262",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/templates/etc/services.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/templates/etc/services.d/00_ansible.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1d5a472b02c67ee7374cf32a25f45421fb6cee2c426750b3810f5455246725e",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/templates/etc/services.d/local_service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "435b6d597e0d0928d016f87f29646ff0dda517db8fa04dfb3a908b062183a4e2",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d1be1ce63ae71207ae6e3b56670ffadf122a073511369b203d1d1b3e831d39d1",
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/etc_services/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7ec9662012c6868d2c338e831fa3006d701cf4c10dbb6956cfc8a3687396c477",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31ab5b4512ffa13fad2aa5d554fc3b96acdfe7974b5f717e9b5c48d90bb4a75f",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "424fb6b2442b28d2a49f7361a3f86356dbaaac184321e91eb1e3254dd63eacb9",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c1c954d36ed2a5852a27f53358f2e2f10424c16cdfe5112a0413a9d4b3bf338",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/usr/share",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/usr/share/pam-configs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/usr/share/pam-configs/mkhomedir.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a2c40381bfcfca729c198feff26a0ebb75d9f0099a1f382ab07b566ba6d351e0",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/etc/ansible/facts.d/nslcd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a10a884cdc736687c3f789683b709c07ef74008b950f6c3695f6d64e625dd8e3",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/templates/etc/nslcd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7718ea3e19fe5187a4862195683d3e740df468bca73b9cf94854fd709bdda7d1",
+   "format": 1
+  },
+  {
+   "name": "roles/nslcd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "40541f4b91ebd4ae24491d63cabfa1f41e71d8a9baadf754800bccd482466b5a",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/tasks/manage_dotfiles.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11982423f999f1810ec270c945c47adfbb4078e60e53c1e58b6d942b57f771ac",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/tasks/upstream_yadm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bacd2a439a6de9ead520329b673573a55acc272135919034e94b0c733906ab05",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d3b104576b15dbdc3249d348ee52b197a1a8d7179e7f4976b5890b36e0cb488",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/meta/watch-yadm",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3d7bff4f1f0fddcb8cbc5d186005b8f1d8c4f6837636968137d1c2db10697ef",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dcad733eb45a7d1d7a30610b1faf5b1d7e9305d970d444997097766112270840",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b26f02d83b4ee724e8cf1d542e70f95ed8dd98eff453e0aa40d463969762f07f",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/templates/etc/ansible/facts.d/yadm.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "636b7ec036fa797b303cef22933671f2195fc10be9259a760908f36341a1253d",
+   "format": 1
+  },
+  {
+   "name": "roles/yadm/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8381f0997c0d72c4c69d6403a31467af63a49a7652e006c755783003029e66e8",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5312f7d651498ec28e72a1aa7ae6a3b22b1242865b32b1a57349490270ffa2ed",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35114fd1b751ce1bfbb012e2f4c9c12936c9f2daf133beba697c9ba6a1f9eeb4",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6eb53c28f606d8c4c3272c4166991be38ef2ede4d0c679b04b328bef8982dfc9",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates/etc/ansible/facts.d/minidlna.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8fe52f84626eb3d15d34253a626c61dff9890b7ff57e124a15b317b32e8770c",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/templates/etc/minidlna.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cee3a374a87c38bbfb374246c509b03dee3b3ae794ac1563ea705a0921c424af",
+   "format": 1
+  },
+  {
+   "name": "roles/minidlna/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3ef81b5dc9a062fcf312bc820adef54717b01e4f3e7c21b4732de1b43e71060",
+   "format": 1
+  },
+  {
+   "name": "roles/monit",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9743ab7f9fd219b5f69e6c24010f574554687782273960bd61a07d53d528f4fd",
+   "format": 1
+  },
+  {
+   "name": "roles/monit/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7d6f0480f4413cb7906ba34889ebc83500d1f8bd7e66fe9f4547b7f6e7c05526",
+   "format": 1
+  },
+  {
+   "name": "roles/monit/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59aaabcda0fda81fa8732e298f8e80a7e427bde490033af95f1fdfc9adc22bf2",
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/ansible/facts.d/monit.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2092d4fb3c806be462f42f28634f4a78035cd2909655baa4b72c34551ca26934",
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/monit",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/monit/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/monit/templates/etc/monit/conf.d/template.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a8a877fe014a20d84975d36d697b6cc5a69f3960f363a66380e9f8577841cdb",
+   "format": 1
+  },
+  {
+   "name": "roles/monit/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08f082e995c0413525eee2312d0f01c3b92560c04a6356b56800f5ea6345bff3",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0714bc040c880d0a3962819b27c3f2f5bb7eb41f771353f791b2aa394bb88733",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/meta/watch-rstudio",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1adb13326503d578ac9c3667eda6f684024bab4687325e33b54c85e67bbe194",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "836cb05728cd115d2a55ef81417ce1a7ad191da256c9bd0bdaf8f41084b8e73e",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24125a2d89964d966526f23b8ececcdfec37ce7e1a9279e4721b9ae6ddbb5abb",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/rstudio",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/rstudio/rserver.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f5516a4e0e7a9c3c3dc41357ca302db28693a73dfbcfd59354411a8c260ce1c",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/rstudio/rsession.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc9a59e2803ec6873500fe5401c2ded4ac1c3ba70630a9378555f5d21e515ba5",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/templates/etc/ansible/facts.d/rstudio_server.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e820590a0367e05da674c807eb6fd619b8c9c53726b741e13bca2196bd784b60",
+   "format": 1
+  },
+  {
+   "name": "roles/rstudio_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7b797a196087a9d297f91e636b0b6509d9284855f10936d68c4a1393b525a0ba",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f6034e379ba7d91aaf56ed286aaf51cb86030b30f2a1598fcaeb7d0c93a722ed",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-map",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c57b647ef0ac691de3fa61dd011e6e972d4cd714b68d61170b0929835244a1a2",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-elasticsearch",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c650161fa8f825558f38e8d83a87125b57bd12aa317eb92e1e7ae32cbf87e834",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-director",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24e8c1db561fdea7e3fb2c51fff39f3cc963d6374307271353d1ab5327645af2",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-ipl",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bbb50f1aca51888ea1aecce6f70e140d34f9f7f5e6830ee85560f093be84a3be",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-cube",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f43b7ef9a3f50ee0cefa0cb2affbfda6dc4e373972177f4593804a2f1f8259a3",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-toplevelview",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "314e9ae5b48002758be1808380255c386795605dd3df59276462a398d006b7f9",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-pnp",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50111fc3d7aa8f1d335096b5075de76ccc56b1c4f934ff5b10d3f29a3ad68d6d",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-reactbundle",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dea4a12db71c21536e020306027e1f7ff508838d28cfe04713c9b89268bc9965",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-x509",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "19b70a38a9979e71f0b5182f63189f8e5dc768a1273c088da29fbe9f053410ce",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-incubator",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8bf135629bbfe1f6b60fc7455a748fe738b0a1e3aba07b075548e3820cea000e",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-grafana",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "724f270ae39e199dc6a700d19008e8b1f7d5355abdbfb97a1fed54ba44201c1e",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-businessprocess",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e2a235501d31acfcd3103178e6cef0f3d6824fc6ca22ab8432b0adc6e28779ea",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1180c57f0e2094a128da03c421a8b3fcbc812c3d2b40cdf4d1b58512e1bdb0ca",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-graphite",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9fae453a2f95e60c34ba698cdd3dd3a08e8873f66e07ab778224d7c28b0df84",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/meta/watch-generictts",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "750b841a5f36c04283ead9bd57b00bce3f1ec3cf77f9cddadab17ff7121f5af8",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d1f7f5394575ffdf7f6e93af0891c4924b835dcf5de2a0fbca4736d477de700f",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/files/script/icingaweb-config2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5f0159d98bfc8fcb109d3c9c89927e14d7ad8f05696cd1b975045bd9e2def4ff",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/files/script/icingaweb-config3",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b4e3938f169020d739548c4a054f4277ff0f13cef6c7ea4350e405cccdb1cab",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/systemd/system/icinga-director.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3c62ecd83e3bc782ae21885b821b1bd799206e37a1dee0be920d1d958e34e787",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/icingaweb2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/icingaweb2/template.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14b5f8133281aa798d23cb0fc5f946d407c20bdf3ed8cd2a706337de265ba4b0",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/etc/ansible/facts.d/icinga_web.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "980eeb3801d73d28ab25942ec8616c332c1ec3f8a6a2b85d3047bae8b9f46df4",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/tmp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/templates/tmp/icingaweb-initial-data.sql.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77b77923165ae04d5370818baf3260fc1a97e9d7e171628019aee35d387c8eae",
+   "format": 1
+  },
+  {
+   "name": "roles/icinga_web/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5768d5b74e9bc9da93dbdd8e5fea9f4a6eba252f8a1b277e8be81d57c5480e80",
+   "format": 1
+  },
+  {
+   "name": "roles/mount",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57a1377d27feee1ebdd3a5173242605f3a470bc44e902120377b8945adbbd1e7",
+   "format": 1
+  },
+  {
+   "name": "roles/mount/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de973d5e87d03136b2bcb84439a3af32f5c0c46bbd43abddb0c6e89abc60d7b9",
+   "format": 1
+  },
+  {
+   "name": "roles/mount/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a70205f9dc78f1e2fc7fa16542519e57a3ec43bb181d909b9bef62614b0835d",
+   "format": 1
+  },
+  {
+   "name": "roles/mount/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mount/templates/etc/ansible/facts.d/mount.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9848007fe568c6f3fcd4f46e58e5bfd02ab0a48cdb1f6381dca32490d0067e9",
+   "format": 1
+  },
+  {
+   "name": "roles/mount/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c3387c21c9fd85bb7e889a89da0db17f852250662fff2c6ae5784ee0af1cd56",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a4ea5fe10a15bf5256cd3efba9257d532c4a34c551b5a8fb634eea810bf07778",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3ff087868d460853f7ab67663fdac9d5f9b2ec652d5483566eaa97f095efd69",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00b166dd94812d670921c70917ad9acdbf71653783c2a3ae3702f591a683b940",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aaabab0fcfc23ba9e97c34d1aaa77b3bfd2a5868485940f887cc6ec2f27ea56e",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/etc/xinetd.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd6.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a58c8c2b28678db1e4b5cfa3315b2e8595a7bdd2be44c4b683cd049068a8d59",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "164cba884492920f9e66b1b95c1e5bd4d9a67f1ddb76c2547264063e35ddec46",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/templates/lookup/nullmailer__remotes.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1383a1a18b808a47f260e50d20bc78c591f797728809acaaf791db7e6386877e",
+   "format": 1
+  },
+  {
+   "name": "roles/nullmailer/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92a86848e878a5b3e4879b66861af051763ab7219ec8b56ecb173ff918d47e14",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/groups_absent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2856a669a54c6daf23f8a8b685559904b28c95520e61b62a386d75d1d60f4656",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/sshkeys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f613ad608df57e8c350b5ca2b528f2619f5a6d66b4c2f93cfbe7406d42334f30",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/gitusers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a144ef3cb57fdf791259f119b89ecae401009611f37c017d686806e1ecebfcb0",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/forward.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38163bff418db0288a5d5ecbabd4f02ed3544d627abc9efd1a1303d5a8316dd2",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/groups_present.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3131219f7ebcd6ce4bcaffc59e194865e563a2bba279332eb8e115081aedef90",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/git-shell.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36372e4bdc958a5ade6c2c3008b07a30da59bb583ceddebf809914011de59111",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b4bc72a2bbe93aee0711d3dc881fe5adff065af3da3de151cc5dc83ea65128c",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa0d7518e123a6f077e7ad296fc32f4047db9ae93ff382478a6567786ff4cc25",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1a1390c610cce8073ff604ebcec2e8568cacdac0a9646b5c39285b6bc0dd7f0",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/bare",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c34a4a3a97d784d14124f5a4068502e20bdea734487db825467d915ecafc59d",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/init",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c2ef4e3737d615b52c3d9b6feaca35d22e406ac017a42a8e138803d7fbf6700",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/snapshot",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a92515534af2b6d6ed7102517fef0d744a7d85846e17551a65c121f910c21553",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/checkout",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "541c6516ab940546747d2f97b8c351738e877f14ffe088b393ed1343f1f1162b",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/info",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b2f4e3e835efa3c0851a6238afca5074a25887794b046941d8b143c8ce0d3a5",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/clean",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec56e0dd41c122c248fdd2dc4c5cc681b908bf008d2690a6ff3a807049523ea9",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/publish",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e9d009717babfafb346ee22424ab6d6d926a6dadd2571c3798b40bc822e79aab",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/drop",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "99c0814ded08a1822e6364f301f5761c06b6426b6bab1cd36fa5d60e0a0228ac",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/list",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "872f21da7bc79d8c4a3ba9e2825bf1164e11621883b553faa73b5f36b66df6f2",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/rename",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81aa719e7593b8816f1e755bf5625a6d949f92895fd98fdb38742cb469003225",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/sshkey",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "289c4fa795373553f23613c73f3eefe4e76ce6fb71cb03a6d5f18925de0022b2",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/userdir",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "992871d2cc480a1a1248f3b2385c26c395681fdbe9cb13e748302b8cce214853",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/git-shell-commands/help",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "52678eaf7dc47aaad8d6448bd3a0ffdbb8bccff1e6e3b602195de05d5b8e6566",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/functions.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0aff222fb5582609128dee037350adb0713dcce761f742ced2aacb2cdefa6219",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/jekyll",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb3649eb0a015c6180273e98e6a0ebd67de0808fa07288d58cd3ed3681a012ff",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/00_submodule",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64f984aa6b76bbefff745dc38f09ee8c939bae0cac7ab15512e054360fee917a",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/deploy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9bbda87209590761c24ac5e415a7d91a95f5faccdd3ad3760c4c5febe58c272",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/hook-chain",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "edf70f46184cc625e80f9998f19d10372fcc0399cc2ef0a3044893bfad38bf9c",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-receive.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/files/var/lib/gitusers/hooks/post-receive.d/00_checkout",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58f7df078ed57825a0496c22438f18e9d967a2d40967c3889527b1207019ea90",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates/srv",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates/srv/gitusers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates/srv/gitusers/motd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c9e579f78840e52cf247a124b437558f8e0d063cb98f1a918e627e3586b84c0",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates/srv/gitusers/forward.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5cc7e537104a7717f2bc58eaecb0cbf6835f71a188e0064c06d661fc24c269c2",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/templates/srv/gitusers/gitconfig.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48e01f4c39416f474c3f77b82a57f1c4700b7863d29443c890b24cd59787706d",
+   "format": 1
+  },
+  {
+   "name": "roles/gitusers/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "689d03ecf46f64d4289f381c4d5d44b4df1f6e603127053e8203c3bcc42c3616",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "859463385a3671d85104c00c11eae04113572d5d8e068d8eef21ce61c8d127da",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d42fcb8f71edb4024725b0809b822fe3a6e192018a4f8b1c4f21da7c951e23f6",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "91122d39a2e0506d7a6d31e673cfa0dcff5745cb22b3829d64c281d88565f570",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ferm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ferm/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ferm/hooks/post.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ferm/hooks/post.d/reload-libvirtd.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7499a9eaea51fe0a173be9416abf1ed486e663694a6b1fac10b1cbac493bfde0",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/sysfs.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/sysfs.d/ksm.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a721142c00a1156bad8f4344500a3e9c29c8f855c7f0b0fc2fc9a67e1e5e0b1e",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/libvirt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/libvirt/libvirt.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3a300eb6b90668a0ec6117ebee81a4a4f5d3223bab38b7f66d1c15dd7dd1df0",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/libvirt/libvirtd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc17db0689afdc6548fd4198b8e1dd120f916c6767d39d453c02f57dc4d2fd5f",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/templates/etc/ansible/facts.d/libvirtd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "061fe86c9decef926e436461341883570670ba2d145385e4f11125d3fd3337fa",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f49ea25ef735226c4e1ef3c55bad0d1164f2d729696f5f55d80ae74b911faef3",
+   "format": 1
+  },
+  {
+   "name": "roles/environment",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13434bb61d0b1714c0d2eb91224d401f28e0a991f059772f01203fc2b35b7cd9",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d40ba486c0d0cf69fd38816796e0d261e4e66472f271e1ba91ef36d01e638331",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "faa9052d66ba4b03b815d44dfc5e70e91f586570c78bac1087647d82b2ab1ca1",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/etc/ansible/facts.d/environment.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0d589393455c630b3ad7da1c0c28547c6c048944bfd4c530d938373a9a1b68b",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/lookup/environment__variables.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4484baab0825c6390c46fdba96925a2d1a89980c9d4362c61f0759aa6426205e",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/templates/lookup/environment__enabled.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a82198f2a1adcf8e57a48ca4913db7ebca1b3a0da16a47daf8daa7d5c2b3dd3",
+   "format": 1
+  },
+  {
+   "name": "roles/environment/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7594480619030baef576fe3d0b9fcd7858c29a236b6a27c90e2193ba6223954e",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af615e2c961fe26c608637ce7db597b50796b393ab63829b45041d1c87b03e4f",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12e8b60fd8b932899c26193685eee8cf000ec2c1101d4ff618cf04b70b0b8ca6",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "44b9b30c689720304bb1cd1a7dfad09b8decc1f9e47c6f4e8b348d19fb596a09",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr/local/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr/local/etc/backup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr/local/etc/backup/pre-hook.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/files/usr/local/etc/backup/pre-hook.d/dpkg-selections",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd195101fc01eba56281741eee803d787da564f43ad7f292c4973da98c9a8d6d",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates/etc/backup2l.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd3b5c43d4d74ecb9b63bd335fea11785f6f08004303edb17f44cd1feca702e2",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/templates/etc/ansible/facts.d/backup2l.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d99e757462ce20aef1494c126b71bf5acc95641f7f51f218e9a90179b1c3e476",
+   "format": 1
+  },
+  {
+   "name": "roles/backup2l/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a628ffb868bcdad7ce86b67a0b29a92d6820d4aa11612666b45f54b73ed77d3",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63928adabd08725bb69a1b0bf29f0f24f9082641288b3523c0b4f45c2285b488",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76f0eccf7a004c38038a0cd4ed4e5a3ab3c3a6bb39637350fb90482a5c1cce08",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c5bf22fd5d10e6ec02d6014f79522c45497ed1a084638b4ca12e430bb4c5f6f",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc/ansible/facts.d/tinyproxy.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1052bd9266a97bc21ce3c83fae99039b926c21b38bd6e0cdf64b392de5cec6cb",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc/tinyproxy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/templates/etc/tinyproxy/tinyproxy.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5696da3b53a680fba5a392ca1bf2e03139a8f4ede57b03b35cd7bfc06d401ef4",
+   "format": 1
+  },
+  {
+   "name": "roles/tinyproxy/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb60355f4c0c211e5f70a3f59cad5fa7cb384f3a2d0d11b97130cd6a2dbb38c0",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb0459ecfab564bb88f935965f30958c4457250ab7fe8121c683b4e9101a9951",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c87434e1b01b82cfbd4167bcc8f6ca62bf125ecede8a6a97d7c4b96a7b86979f",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6cd85e3a4bccf1f7a993f2bdf06b4c74bebb3dadaf4aa6139f8a240013fa425c",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/dropbear",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/dropbear/initramfs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/dropbear/initramfs/dropbear.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "733e58d249aff1f4ecd9b443f14d796f70fa80cb5edacf99f95d1d5c8bb5cf35",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-top",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0a4f84978682233774ffe670c2a718e36be1444f6aa18a267f5de419eb66c59",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-bottom",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58a99001fdfaab35846c2bd9d3d7634a2fc04c25808b210c1c40fa365d7b40eb",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/etc/initramfs-tools/conf.d/role.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be0fb3254a87f0ed4e14445382cb11dfe31786f4e4b50b76a8351c558714735c",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/lookup/dropbear_initramfs__combined_interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "883ce06fed1a87351d88cd7d8b572eb3617bb64a381c4eb973fc7438eb3e7a92",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/import",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/templates/import/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0bfbbbe371707104f48045e4a1d82c07d77eb4443a888d7ec08f17ebc3a2afd3",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c90047f5e82af2923104f72aeecdfb76f3e3e4fc97a65f247168f490823aa1f0",
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dropbear_initramfs/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b6fef25a826d5f4601cf40d11381f178630f544d586cb937c1da22f1039b0323",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/tasks/configure_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2a86787248eceb70694552beff060380d846eba072c0fc4cf1392490eede51d",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/tasks/secure_installation.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c336c16615cc27d992a76904c5a4e2b7fad6abc2d43b7793ea63442b6223d6dd",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f30466faddece930501cb0c9b2b236236690531195f70cebf6334f0eb7e03323",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4946457f18c2b92dc0e268cdf3dcd92c1d61418455c4d6ea38054acae435a4b9",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0673b2c63e9caf7bd88cdabb980c255cf811d8fcd30efd5da994e5fae869e56d",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/default/automysqlbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26471781e9472588286ae578b6233ba54c8a94805430324d8dccd4c3e8e87076",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/ansible/facts.d/mariadb.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f3a175918a86cb3c5aa87f4757bdfdeaac829b8015ab4f635acb695ab3606291",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/mysql",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/mysql/conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/mysql/conf.d/mysqld.cnf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0896a1447c0c3a832984d8a6823a4489c7683f582d452bb108cb328b0e0dfc36",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/templates/etc/mysql/conf.d/client.cnf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02ee97828f9ded986d246ba8922e0c33ecd5d7e2beef4aa0b4e2c605be0ff6d3",
+   "format": 1
+  },
+  {
+   "name": "roles/mariadb_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "96e17af4223fbd75cb4014f4bb18e5e5481f6c5c999e725042a2cd13db0c46a5",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "665fa3ddbf8fbd307b4e1816388d20a9c0ce4e7fcd24a17add3e2c654cd9b204",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ca6aeb7023fecb38e6ec52933b788e31377fdd16adbd6c775fd5e193752ebc92",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3badf85505dc0814f225fa58354f71afaae5a2f9e2c8fcbca34e7bf0169b819e",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/files/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/files/usr/local/lib/get-reachable-apt-proxy",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64946bfafbf64bbdc18129594eeed319abbc42863dcb09684d545a05bdd5b9c1",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/templates/etc/apt/apt.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/templates/etc/apt/apt.conf.d/apt_proxy.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f25d42516f1ad7440d0b77cf1dc653ecfddaee597a950fbc867b385d70ed6d12",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_proxy/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3c27e56bb1db5ef55356a506a29e98dbe3aca90c40888eeba4667da10c06a881",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a014e8f49a0bf7fdd959ce855ea4c59b7e1093df55ca602da65a9f344bdefed2",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b0458c7836822d793246931abe40674c05fd44d5d41187dfaf4807eef4c46ce",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "615a89baa47beb7fffd931b50be0c253c8501e72a4e2146fd987344b06dc6d8e",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/templates/etc/libvirt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/templates/etc/libvirt/qemu.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14169be5cf2f2cb6f764f1975b0b0c83c79f1226d46569dcd544aea64cecb87e",
+   "format": 1
+  },
+  {
+   "name": "roles/libvirtd_qemu/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38f2c876a809dbc3c4cb0e7f56feaf145a8aca207af09bc900e56a3170ff0145",
+   "format": 1
+  },
+  {
+   "name": "roles/fhs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb9bd90e3d045578256161085a87baa34266cfe364d595e2687b8a2366379b60",
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59825980f3cad757f38838b2cdef9ec7b00adb6c60ccea7a4d0254c58e13fc6a",
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4521768af8bef51f36f68b94f3af7f6b311d798dfffcb2ad4582618af8bd3ebf",
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/templates/etc/ansible/facts.d/fhs.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f56d9adc4c576f891c86212e2acd0ba43e0c61b95c3f35553d63b0eb5a962ba",
+   "format": 1
+  },
+  {
+   "name": "roles/fhs/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b81dc53df7d50011dacb9d6688d5e6c3c824e84224e473874a883b709de8fed",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/tasks/ifup_systemd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5199dc323ba372b9df8c42b22f74bdb665a17ca1174536e6039cc94a8ad50d3",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ea8e4be67eabbd48673b7d162fc4317bf186ebaae29f5b3a7a3ad2dfc7da42c4",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/tasks/divert_interfaces.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "57d1b1c9b914e47eaad6f5c413e7a41acb5d58db944873dffb9c8d754da72745",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa688c23110a92dc475aef03a3ced541ba5e6f3828cd047a6c5fee40bc3ee309",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84a60a885964407b8f6cf8382dbac90a57e07f36bce2f24736703422fb5c79ba",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a403b970e16eaa5a2f19b75fff7b1c5d7c852bbb56b9f59c868704b404b8a6f7",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/files/script",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/files/script/ifupdown-reconfigure-interfaces",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "153fc51edebfbd339c6d43a7bf62624e0e59c228bdd7b530e1c886ec31fe9174",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/systemd/system/iface@.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5394d2850ada02d25b9d5efc3c1269896bc5ab78b5897db62dc322ff36e16c67",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/systemd/system/ifup-allow-boot.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f5a3c2b7435ef7208cb9756ad504778a76536225ef856a281baa4315bf5297a",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/systemd/system/ifup-wait-all-auto.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61301d3ce2408bfbfe2e628f36a87907e67c44bf9a8deca2d9738d29ad655e5e",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/network",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/network/interfaces.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/network/interfaces.d/iface.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "407d0dd369d8b8f6a674461bec4cee1cc58a36fb91258e38dc6efccccf32c35e",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/network/interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "431a0406b662241f2d0be4d8c1ade6c1b82d16be28c9602935ae3d7b41104713",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/ansible/facts.d/ifupdown.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "416dbc6252ceedde0da6c6ca3ffc0f66f5a5dc8fa9730307d1cbfd1f21299103",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/dhcp",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/dhcp/dhclient-enter-hooks.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/etc/dhcp/dhclient-enter-hooks.d/filter-dhcp-options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbf6352f8e8c76901a419e99d8bccae294272ab2322a90c0edfda5809b0ab889",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__ethernet_interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a3ca5914a7def213439aed6e1b12010f778ec9fc1871e274f4371d40b41e675e",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__sysctl__dependent_parameters.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2fd5b146ee984e5ded83dff3b3d8c223b22cc93555bde1069b0025ee288ba287",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__dynamic_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e1aaa77e8deca3a579a9ed29ec3c34a86a5428b8877fa6e980c45b40730c66a",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__external_interface.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "afedee5fe46dc31a73bd5cd92b8bd8a4b4b1b7a0a0043624e58f0063ab2142e1",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__combined_interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c389d5e4ac4255d58be1af8644622c5f547fe45ef1a9f220ab0bc73a7e401679",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__ferm__dependent_rules.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "34f5892944b830ac6a37d76557f3668095cea76de7c8bb97a8c47d9e0dd8c9ea",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__kmod__dependent_load.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "37ce0dd82d57171c9f1a2f6917d9c24849109dcc1ad405d04f4d2c6be0477601",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/lookup/ifupdown__internal_interface.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "626bd40fc2481514d04378eb9e2aad9e0478d5b42655617a33279b85830f68c1",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/import",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/templates/import/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11192827720e781c766b4bf336c83cabcfaf829f931fe1810ffbad5c695fc79f",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5b65ae8a24b3b0f7e0425a96cc8d4fd0c33a99c345565474eff8cfae449a1936",
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ifupdown/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c743e343dc54901561623dafaa6ebe55d022a24da05496991c766cf6c6445fe3",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "973df3ca7e68da57a55d3b522bd2185cd8f0ba5ec0eec998397deb2009d584ca",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c116c26d91912c3f7f53205cf0e88f82a8d71bf413ab780c44bbb81d321d99f1",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bcc667d7e6453b3cdd6612aa32312f028f1462dc99ab2d9afa16c7370d629d6a",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/etc/ansible/facts.d/root_account.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f78eae255826171aab1394893903ce94421290510b546d6b89117042ba56ea8",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/templates/lookup/root_account__shell_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6ba1da1b48876796f34bce57981f14ccdaa9a140798bd8fcfdd5f1eff961237b",
+   "format": 1
+  },
+  {
+   "name": "roles/root_account/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7fa66326bf33f747456415ab5ded93868cf76bc9b2d1fb4977e6fbf7c2a4408",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82e966a9c19619d5fcd4b898852be4156584d2dcf689fb121c7349ba8037a0a4",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e33a6af236d57dfe13c36e42787d8a7ece91fa702203b1093740832c53724898",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "86f5e150d4945cae6270680b0757db3d4b4b6efa4151b0d942e1fd76bdd9c48c",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "28b1e6867c106cd6394fc76c9d85d0ea599a97d21ef310e1ddecb384b7c9fb6e",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/ansible/facts.d/postfix.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85f5a70833559a61ede733980cd66bda96dcb7d217517f37199dae7dbc33e408",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/postfix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/postfix/Makefile.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4dc63ca6af94a51b51a34f3e5a3d3d6a70365b8f48377275b28939b3d5acd0a4",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/postfix/lookup_table.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43b7fb3d9600b28328c93c2a3bb1462e8103d9a14ff6c54ee4b0e24ab7d70aeb",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/postfix/main.cf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef9243df5239173980b74160676475b9625be33703d3a177f35031e5a580b9bf",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/postfix/master.cf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b7a802f4203727aa0a658fa826afac16327c2d499585268eae15d89a0a4bda7",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/etc/pki/hooks/postfix.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "053632f8d88872bde4e8f635c087b20fb6f37b2cfe29eed5d917e01de56f3f42",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup/postfix__env_active_services.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06297726f77690c247a1455e5c604efcc4a836c21c320167209c49d34c73d505",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup/postfix__env_persistent_maincf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7024d717a4ec1800ef298bd064a2dfa4969ed6e3373f8982aff9fb2c6a5b480d",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup/postfix__init_maincf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13cc97800e45746423b432a10ffa99e74b4c46ba5291482b2d1628b9ed2db0bf",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup/postfix__env_persistent_mastercf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b27b6e6bfc408e7d2c76caa97e1dc78c5d3480ded7ee7365479d7c7da82bf6e7",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/lookup/postfix__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a4fb39a2993a557e7ad3399b645776a50d56d4a6e79fb432dbafd988d0755ac2",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret/postfix",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret/postfix/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/mastercf.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b7a392d6b5dd9c326da03ff88f1562e6c50d8c677a9736a551a6ed6acb736727",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/maincf.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98601bde2f38618fa50165a12eb8dd0547e262a50af6dfb725e2adf9cd9126d8",
+   "format": 1
+  },
+  {
+   "name": "roles/postfix/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "400a254c8ef2463c6917e708598f4b2453273a337161952aaca270f5ffc28094",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14f3967bac23b917ad358c97f1cbd613f0ddb9b705f52b087ef26ef17fbb69e9",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b3af42c8c1aafb489d3b153d8b74a66b360a2e00745c6776fcd51933fc73100",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "016eaedcfd3d63a2416889b65305a9618ad8da5ab5f0074a2bc264fe7ca11250",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "156350f7a51f393cf801f189a0fe8bbcbf0bb7ba846b64209481ea51090069bb",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d76455a0560f2807d0308d88ba02e8a3f48b204ce563610860063386eccf858",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/includes/role.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3691c50f5b4d544480ea7782a061d89227290a117d3d2f3522ef3ca3d7a54d14",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3a867764385fde07374b03402483580a2be6ecc1a945e61ad4a385299a273c1",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/playbooks/volkszaehler-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a2d039c2c64b81018cb03613386847fd93fcb129ac0557fa328de05ebec6927e",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/playbooks/volkszaehler.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50465bb3f3bce357fa6d4d9428a186d7fc3f2e2c46f4e2f3e9e521f21866b9af",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/playbooks/volkszaehler-apache.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83fa9c22a032115347f7ba298e72acb339dc697aa7f6df93d0ba990fb740329f",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50f9f756d9dbfd2cf8424f05cca856f907cee9d4309bb5746c45befa40ba45c6",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "02eea035e35cb0e609c0bf5d6b8b60a6637b24b77743042c3c548c90c9282eac",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c157781cb9b15c020a08da5a26a1ff5759eddf455416c3c0eaa3e1ec5c15a6d5",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "130d244814cb2188741161302169eda9c5313ba91392e10a4d5c4e89517b1ec5",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates/etc/volkszaehler.conf.php.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e560c9cccd4c8f0d2533cff886d5dae2127a8fca40f1053539dec56b32d8c61e",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/templates/etc/ansible/facts.d/volkszaehler.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9339ed0427f121de600c5f3476e43f4c1ef0247d66d12c8133975f8a84b8cf6",
+   "format": 1
+  },
+  {
+   "name": "roles/volkszaehler/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66b2e7afc5ec5dfaff071c4b62addd5f1159a29f737cfcedaee2516a32ac4591",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/tasks/shell_commands.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00eeba775038d78debbf27462e3168f755037b71048d84fdd7fde04eacb5bfe0",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af5c1fc5430da87f83e8a898fb325f3ee00f3f6d9730d65a95bfe56dca199044",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "052d391c4d34fcad2a7a87b35f1d479cd0f64c92090015b65858ae9eeda81600",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62cb03ea8157dc0a26835442bb145319b07c609f29d1d59deb030f03e6d9b179",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/templates/lookup/debconf__fact_reconfigure_packages.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e4a7c3cc3d51e5470f7acf636f7d8c2dd9b90ee621c42acebaf4931a77fbf003",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/templates/lookup/debconf__filtered_entries.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2fff0f88992ba79a8941b6765307a2c7dd252d407bccb875113ebff5d3d3bde4",
+   "format": 1
+  },
+  {
+   "name": "roles/debconf/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "51c733cc8b44427ff13dfb603b637b31affcf36ff8cced83dc32f383f6a862bf",
+   "format": 1
+  },
+  {
+   "name": "roles/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/secret/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/secret/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3223cb80eec1d2f1f4467a4e5446e50eaf086b03b1eddb8492a0c35b4d3cccc7",
+   "format": 1
+  },
+  {
+   "name": "roles/secret/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/secret/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbda3febf2af314040a65c56e2e286a7270ea574ee706b4942b695e1a0cd2312",
+   "format": 1
+  },
+  {
+   "name": "roles/secret/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/secret/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "114dbcd25b61e334798c71e0e453c9bc7f3f6b6d385b1b278cd2a21e679ef72e",
+   "format": 1
+  },
+  {
+   "name": "roles/secret/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fab96962fb4028b0cca99f5a03c8cce708b57bf473205e4d8502168975fe6d00",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed0f7b7ccdc15e97c01e229527f6b2504508c2fcce7d97af6fc4f9b529124b85",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "464685c3f0ca4cb0a4133b9c700bdb18a4ed19cb63c28826bdc20a9a58a1dcfb",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "682e0bfab907cfec328b6579d4ec978aa01cabddcc1484b0c5d20ae9a899fb16",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/ansible/facts.d/apt_mirror.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f0fd8bad74f27a4e78b556cb0210f230fd2244c859eef4b3deb42d27cb68e60",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/apt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/apt/mirror.list.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12e30c941f405230af4dd4c65022e126fe71bb1ed280b718e03e470759f22324",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/cron.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/templates/etc/cron.d/apt-mirror.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c5907b1352f718dfe505ee23634738d79e41ffc3dbe5e92803506dc5f555f940",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_mirror/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c2b3532969f0155173cca59092b09fd5b2a2bf2dc860193fc5125ea67d349ff6",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5447248aa6d68b0c9fe340a233f95abfa75c940c72be47fd806053d4c437d8b3",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "78688ab30c3c9f7d9b6f275e04947f8d6464041a767ff1e0c3037c12244028d3",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/meta/watch-mc",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "678c0a656ea2bbf39cd0322e0337dcecabe429abfb6171487ce8860ac40c5029",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53a75b7a84c6e5f30562c22a4d00c059dab62097430435dbf0a7716829f3d28f",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6f4a253073bf96bfb28b24670486a9e8784a56c99f4c892c894e30823ad3535",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/templates/etc/ansible/facts.d/mcli.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "18640380de255293ee0f44e58f215de6647b945318108a30efd1662fae4ca61d",
+   "format": 1
+  },
+  {
+   "name": "roles/mcli/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e3510a5f20950ffc28190b61a6df3d671549b3cfe63ca0d88c4bd207335fbca",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "af41e909617722d5f4a2acd8f64672f077d0193f83b94e157b9f3000b6f57701",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5670a6b979fc3d363edf35441c6c793956db88a0788266176e136581864d2eb2",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "70ea819a9d1aa87493a125c5c9ecfa1c61bab2847a13cf5688876f4211ec36bc",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/systemd/timesyncd.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d6f2bc5b0295388ac52a8f99c617d13fd0bcd419b222f54c3e5fbd772961133",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/templates/etc/ansible/facts.d/timesyncd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c1df4fd507a0c94197a3acac9d3fcd71a8ea5e87ccc0abd911bbe712a22e80de",
+   "format": 1
+  },
+  {
+   "name": "roles/timesyncd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "550dca455197a366c09715f3563edee5b742f6c7cdfee064dba165a10091960b",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9bd9f766bbf28666d7eb60e0ff860843c8dcc93a871baf5f6f379456244d14ca",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "96ace170a6818cb410d97886fdb7918e3529c7ffcd4dd9b258a046e9696a3c17",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0158edaa6edaed11e067dde726657b43616cc74d435410f55dc9327deec124ee",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc/ansible/facts.d/keepalived.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9390bd8dcfea6a43b2cdc13e2c279c391103c58ec232ddca1e23438a910b2c8a",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc/keepalived",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/templates/etc/keepalived/keepalived.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1091c5c53d8754be07729c1526b3fea3c1b2041e741b305e55a4b24bb12b5e68",
+   "format": 1
+  },
+  {
+   "name": "roles/keepalived/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de8109fec6ec6d65500877b730cd5156df9c634732d992977ee0571754d18446",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/tasks/autoinfluxdbbackup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "86bd168d39224355cf5a3343fce55f35db10c211757d2d21164fccefe7ff8ec0",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a769865427e39e47e68b17b3b35922149b1367dad3e14344407fcf9000aa182",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e19ed361ae721174fe9ffbd5d4db827f1e162ae5f127fe85ce0d7c7da940de9",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1986f797e28c13fe10c05dc489b5abb30c54994ae3b57d08636771738c20a427",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/files/usr/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/files/usr/sbin/autoinfluxdbbackup",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9945feb993abee75761fbaacde92ee302adef4ac688bdbdb2c39f545130cab4b",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/cron.daily",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/cron.daily/autoinfluxdbbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d042813895c63bb9d49ad59d85a3bb1e613eb39560e37b7723cf56a020aa6023",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/default/autoinfluxdbbackup.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e84fed3bf695e7a3f6b23c04cc7611ee0796c9b5cf9c64c04a0c3bc98695e44a",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/influxdb",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/influxdb/influxdb.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "795c44ebcef99ee77ab41239f3659b5d3d91fc43b4552f229f882048827c9578",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/ansible/facts.d/influxdb_server.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4707a7d4dad8ec6f72564885db3875ee641612d8d4faa71e9a9a37553d89bb3",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/templates/etc/ansible/facts.d/influxdb.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed22338f0a585b58643e5d6224a10213c64c43cbb1dc379e896448d1e47be17f",
+   "format": 1
+  },
+  {
+   "name": "roles/influxdb_server/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "189566dfb1f737627ed0f2926d9470b8387646dec8ba1801d43420b0b41ebeb2",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d1dfa4d74dc1838fa164aafb2a86677f4028ce3bcc428f3238e990186bd3c2dd",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/meta/watch-miniflux",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "23c887433c4e8872c4cc3bfd4bca9330966e9a8af630231bceb5812a10a50ae3",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "32deda82ffddcc036fbbec0f6cdb1e788961a4b38b076563d9d19136628828a3",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb657a36fbe6982c91d0d678f71ae382b22596ee68bbb527c92761e3570b856d",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/systemd/system/miniflux.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5c47e8af4a705658cedac8f9f47b159d5110b3e37d67333084f4529177358b6",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/miniflux.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c1564816dc6e636eb83f621b07e721b2d532d38ac5df50cb82cc1c445ff5000",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/templates/etc/ansible/facts.d/miniflux.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f181de7b008dda9a27ce5c8892883e6ea1ca785c78f86f42ebca2ae931c35cf6",
+   "format": 1
+  },
+  {
+   "name": "roles/miniflux/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "91549c9d335c0017cc0d48e97319f184aab86b3598b1cb82c933961420babe21",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bab66bfb579857eb02a880fdfdf9154b8b3dba0f81384291abc1c6aeca7f900f",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b2e0801f8d06e613e442d084578c6597976449b0e9a272cf9a9102372621d79",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "967742cee3fdcb5cb2389bbd7ab120b39dc3e6fef643aef7c9ca5f235ed49ec9",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc/ansible/facts.d/sysnews.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa989ac77cab7471473c8d1969e7f450a39f0eeb6e2247c5d7aa4f7a8324b89e",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc/profile.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/templates/etc/profile.d/sysnews.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7fba3525042cad83cb65aa9fa036b73eb7d245e599bb8ea467407411db7e3165",
+   "format": 1
+  },
+  {
+   "name": "roles/sysnews/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "602f729c9b1ef9f756f36db517f0d3c4f07baed579ec08a0a9e54193f42bd177",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "75e01dac871c83e781a8e01259655fd665270496cdb60433a99164ea4afbc1d5",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "716b332a258d497b955df4c5f8a8b912f026ea03423122532996ac9dbd6b9524",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b42c2aca1e10c94fe796f72d2b834830749228da55d0f345b3d6ae7619e4ca44",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/sudoers.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/sudoers.d/config.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "813c5aa4060b8c0ef5e9be1ebc0290fa295cfc48ccd0b52657cf0a6be0b8b10a",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/ansible/facts.d/sudo.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8009de3932415d15ffe9aaee6e504e658f75dedbaf9513a05ba6e9e8321335d5",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/sudo-ldap.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6de6fc3c513264681b91b5b04e5338c796606b918440a3acc9e35a559c68a6d7",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/profile.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/templates/etc/profile.d/sudo_logind_session.sh.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d021b86b91b98b8fde05a11fa18e4ecda8633f976142c1f43410f1662d80f26",
+   "format": 1
+  },
+  {
+   "name": "roles/sudo/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "05068f93b8f6f37b507a9b9b9d847fc0d620238b96a4666b4f61d4df85db99dc",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59531fb70395bec28b8c1455894df0dda7378b2d652238e2821c6b23149c7bfe",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0abf5ce9225be7260ac29065e9fbfe8b101ee3a006d59c001078446ae47ce7ab",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c257dd8687b9c73df62284e77ff9ebe2b772e51d5063bd41f4b39d67eb222ce0",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/ansible/facts.d/unbound.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7cc0b572b44acf3cdcc4cb63a7f1285cfae646ecf6cc706f0186c476e765bf44",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound/unbound.conf.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-server.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0367e43baf65a98db14d769f3a7cfcf42614503c38ffce1b0de42c092a3e09e9",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound/unbound.conf.d/macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3366b3b8b4d586074a3abf8a262d3f643ee0ab5ba4334fa0865ce24d3321a27e",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-remote-control.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "553d2f272f2f2c76468478afea02ea578414be53919d0807024e6a9aa2957817",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/templates/etc/unbound/unbound.conf.d/zone.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16562ebf65c999090167f78cd2dfe293154c38ac5fd4af0f1e91cd7f993eccff",
+   "format": 1
+  },
+  {
+   "name": "roles/unbound/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65f6284d50b254a0eba63ce4b3128c2299d568b0f424ae4665471491558b85d3",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d55ebbbf00ed3eb5a27e9b68b627a9e1c4cc3e9011049645ab59c153109fb98b",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "343a8899480f0a44751231cdbbb8fc81b59b8d275cf25770e89f38f427b3b86d",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aa69d0b4df1fbf2f8e6cff92096de5c08470e0dbe688b8a75dd81820bdabd9bd",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf9fe98d88333bd90566d81d2eb7d2efede43520697b48cee6893c7c3a6fd465",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/security.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ad729dba93158335ae987dde157a603cf4103551c14cff541ffc486174cd069",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_debian.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb07a616da8171049d2765cba6b11ab0b91baf639c66b9f5bea520205ec14ca5",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_ubuntu.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0408b3b4d62ab5c33b925ed4450533e04f23ca3587311c48d1010b8ca133a18",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/userinfo.html.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d69783926088922eee6e6e5449db50ad24c3dfe8705931e21ef91401326f35d",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/acng.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480178988ad19baddebe0ae20aa6005efc6be277d8fbfcf1f9a4efd301c77365",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_gentoo.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "46ed41478f8ff19bb117706de0eef634c8802b6d0f9da05becb65810876b25a8",
+   "format": 1
+  },
+  {
+   "name": "roles/apt_cacher_ng/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a08955c578d9b35bf372e668abf14d169c24b7a2271432c115715b4481fd9984",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "54356a6b8a298f352574c57371e755c28353691ee7a384c572699f1785002210",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/meta/watch-docker-gen",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0751020e2de503a369512b3f086a815e63025ef0a5e14e993ed5afb703c698a2",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a00d71504e87551e121352b786b2cb97c905fa94df626493f3176a507424f41d",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "824baf188ee161af1f43415e5f99ed5a4f2702b08385a0d335eb262d9412106c",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files/usr/local/lib/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/files/usr/local/lib/templates/nginx-upstreams.conf.tmpl",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d94129c2f4370cd1d18dd95e93da744e25572f736ada45e3aa3ddafa77767f50",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/init.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/init.d/docker-gen.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "601a284ba729ad00c16ee34f66a57613b107ebfcc60ad6be81726b4a9aa5726e",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/systemd/system/docker-gen.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1bbb21fd6870581ef20894e2c8f3e348429f28ddb3198240bce7ecf36031eb9",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/docker-gen.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bba528bdb285ec45c0ae935b1969a6f91a7fcd213be3cf73f9036f3c3d0a3914",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/templates/etc/default/docker-gen.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4614b49c18080eac9dad4f184f1956b956c19c5f8545c8c263a3d8f127354c95",
+   "format": 1
+  },
+  {
+   "name": "roles/docker_gen/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "962b357224b83fde2ba6220ae67ced854e9fca11d4a2e11a1b1a281b0176a0fe",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a4b4d933094954541dcddc35fea9d2236968c4f82043b31e4bffcd7d96e08377",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b140657815c02d67bc7c94e4d8079c77ce17bf5ea73904b96d3b595a613ced20",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35f304609be423479f1b507000985a4eb6b7ea2bb26e811dd59810541cc55744",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/usr/local/lib/postwhite.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e16a5f9af8fffeeb1b97c5277eed25b43f6c17bea0651b5133e8ee56be3087ec",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/etc/ansible/facts.d/postwhite.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5acdcf789a5b7c211cabe3e509c3e0dc02ac1536668e88ef72be59ad797d6877",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/templates/etc/postwhite.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac8907f82029b6dcb6f73539a8b9392cda709ea86a6f187f573dcf3433bd758e",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd4eacf962e945ff8dfb5403904b08e46fb25f5e63a1552cfd9944d43da9e284",
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/postwhite/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "24c0930eebc997a206f900f377a2370f34fd3144037603f3e124f78145c41cc1",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8962039b31998c19f0dd0cfc50cd3560777497a81b2f1b5744969d47d01c2a1e",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5036ca6e085046541a7817c1d9023f02074e75f2c10715f6f6ab5dd9d32631df",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/index.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "10aca25a6b5b4667255f7ffb54147ccf23f4b0cf2b26872138b63db48022ef41",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/copyright.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e13f2c98b53f65a0fc6acc6d73954d49c08a3c2ee08efa88687c3f0ba72347f7",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/defaults-detailed.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e16f70a5043b1ee5d67161fd31d589bc36c5b990e79f39bfded9028f6724e096",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/includes/role.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee762dfb32571c9f2a0c3715f5513e80caede6e1739f14d060798279bec3130b",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/includes/all.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5520fd325c0de692dcaddcd6fa87799a2df34cfa2db7e2371e1c7c69a71a38e4",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/playbooks/firejail.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "715868565bde5587e2fc6240e50e6713e870201298e8c6569983a93dfcc968f6",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/ansible-integration.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f8a22294c4875cc6e867d64126465a8aea1ebe0c7e211155b4325cdc050e7db",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/changelog.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4003125b8d4b8b34fef407ef3d206b7ce46179666ae551320e8696d365085c99",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/introduction.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a91eceb8bb494c51e0cd4a1bd3780baf561eb86ffde52b3ff034a6fd7ae5ac09",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/docs/getting-started.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf27c1763e2b6aaf19e67408af74c39ed6acbcbae696737cee86d7f9e2de3155",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3124da0749ac628f0d12470e2b424252af6a90a4d25c19bcf2a1cc3d3f2bb1e8",
+   "format": 1
+  },
+  {
+   "name": "roles/firejail/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a87c84ed773a3ed724179a528e46a8f535f7332c0df869f9a1c63be2528cc35",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/tasks/configure_systemd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7460e831eb69088329fef1bd7caae8ba1afd282b2969a7c0095b17cf8d154c8f",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/tasks/configure_sysvinit.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79657b02784341e289d55c98821e97f79102f7717ecc15ed5b2b3f2a68cf7adb",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc05ae7c58cc44cda9364b1aae26ed33a9b015e77f648739485805bec7b464b3",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ccfe9d5762f2b1b2e6e025db6b5f3c76981312cbe5acf961e4f30bd7a6d523f1",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ee9ce8b78859746d4e12387d07f268f3e1604adecbe315f33a6490991c139ffe",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.socket.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01495540c87bc4ac93c413ae69e10df9b210e674e730a0a382f829dab773fc71",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8b43016c730ddd52de292805b6738a76eb0769a10333cd5818f339a9d10753b8",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/templates/etc/default/fcgiwrap-instance.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c52080109433a9aeb491cdd26209106431a923d98e3abab9d0a5db3556841d1c",
+   "format": 1
+  },
+  {
+   "name": "roles/fcgiwrap/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b17b348e58f46a0d37fba9fe37e48a64afd1190bc361adb665a148d17d026e9d",
+   "format": 1
+  },
+  {
+   "name": "roles/bind",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/tasks/main_keys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0194c50b8150066e3898f6e5688d1a22d2602c3312077cfa60ee18f41e098955",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e6d92626bc695717ac12e2a03283de0db81578719bae504d69ef06fd7f56653",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed56a4965208f2380f5c440624e4f425da8b4b51d6c0af42ae07e0934c586476",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8bd1ecf06bae9915eccadd36e114d15a2f859fe25d4437f451b09897a4d0415d",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files/usr/local/sbin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files/usr/local/sbin/debops-bind-rollkey",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74f046bdce8cceff273357e4905124ebad2a462a11a092427b233fbce1f16ff7",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/files/usr/local/sbin/debops-bind-snapshot",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "27f20864e2ba63219841ee2f7f004f0c12c41affb14d09e2fcac11db71683687",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/ansible/facts.d/bind.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "64dc18eb49ffc5e2461b43a9cc8dd93845378da653379018945a92052cc87cc5",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/bind",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/bind/named.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "154b3e6b099b77c47099c813b1d4e76e755308bc40e0da68e6c9915356252ed6",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/bind/debops-bind-rollkey.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f529aa549b56c7099d55f29f4a0bca7d03188a34cb2a7a8866f225f9dbdd5768",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/etc/pki/hooks/bind.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb50e9d94f510ccaff2dd015b2b573e44b635de6ec8857f7d61838c3384e8816",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib/bind",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib/bind/views",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib/bind/views/view",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib/bind/views/view/zone",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/bind/templates/var/lib/bind/views/view/zone/db.zone.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f57f388b4b8fca5dc724041272da31a8bd9f555ec429e2b392e8ef50ba01f35e",
+   "format": 1
+  },
+  {
+   "name": "roles/bind/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2786f9cff446e18288466bb4c27928c190ca72e7b1497ec729c0ee6a17940a3b",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e18633e2afdc8f2c8bd1b2298c0975abc253337b6c66f65ea25be28d4c71999",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2c6e8ce85b1696dae0744309c870c424dbd56016f275a3a237c05d6235ccd725",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a60c6d8cf63092daf03f657d60aebbab37b4d0159539001c4d21396c444cb353",
+   "format": 1
+  },
+  {
+   "name": "roles/rabbitmq_management/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47dc2bc9dbf8d5cc6b1fff499845b7d873e2f571d4297c36ab704133ca8d7df4",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins/lists.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a06516fbdd11faee8030731ccf066c95935b586dce36939b04d79ed1a935e0d",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins/template_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be83db603855c16769071dbb4e3b7a2aeacaa5c438c2e35b2b76774cdfc570fc",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins/file_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "83cc65044d3a11075e2809bbb6c412443dbb5fe80b96fe1b494449a1e5a0ffed",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins/dig_srv.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "403e0cb45fc984bdde5e1a3bd374f230f65fa0a0b4ff0e2bde48e5ffde5b1911",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/lookup_plugins/task_src.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc4b32ae1397c1c70734d4a0a76defdaed59aa8f91e81a149f13b2ac59f1645a",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins/debops_filter_plugins.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc7fb5e64cc5e680b78fec85a62235e48f0f47f325089ccfbe8bb5cb2499c681",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins/globmatch.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "488b0eccafe91d5324a2a9631862e8b70b5c9c623b6e92584f86653583834903",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins/etc_aliases_parse_recipients.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f4ea15ac85e8c66aa233d639054eed666feb5df719e3b71772847170726f68de",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins/split.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2df8708a7a108eb61e7197ddeec32e311ad8b00364a3084b5f5cb864e1ac2d3c",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/filter_plugins/toml.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a777729ba9dc11619331f19f70a642bb8eef3c773cfd559e29891e4bc9cdf045",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3105185b19e9cb38c76d64c2778b215eed1a7840c36db63db9a51fbbdf479642",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/library",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/library/dpkg_divert.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ea7140405a1834914ca88e8978b460e165c3b236307402d15c87e58272e35ec",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/library/cran.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e312c834c755bc59a801dfffe0ac05dc787b051e6f76dc4b3992fe29b72280c",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/library/ldap_attrs.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "293d5142353fc00ca479257d79cbb69f71cf558daa80c90ef95aa45f495dbf04",
+   "format": 1
+  },
+  {
+   "name": "roles/ansible_plugins/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac1279bbf60e347e51d235431c6ea657c8f3b237000d9086c6e2940791d2e42f",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "82a9a792072999be54a6387f75ca770bb18d7b7d2df631f5ce9d9995bf5b91c3",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1b62c922cd9a5c9656b9564b04f56ffcb6ecae7d6c48e5f2431bb9e8053fde4",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61c4da027eb9eaf392532517fb26e372141bb10d1ffdf42ae93c3a1426ad9ce0",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/usr/local/lib/dhparam-generate-params.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e2b8897040a3e830f5d392d6046154eaf5a3a56931b3d1b1e75592d3f6c56d1",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8707bc52dc0dc401b231270a6df4ec38cc39aa7a7f59f99d339fb1a22970dbf2",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.timer.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9a38e0ddd6ba83d39a47a0564f568b1bf9e050c298688b1912da3a15a07c262",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/templates/etc/ansible/facts.d/dhparam.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60e5a284dd286a55b7e8e086486448a2de2d37a423f7a8e9a1dfdc61c3e6c0d3",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ceee66977afe793d645ddb138a50cef867f2e1b8138cb3bbbc827ff04d3b7f40",
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhparam/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e384719fa6ca1c6c6a1924e7f9221d387a02d9ac96a7be93f768b2ddaf09cdbf",
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14115659a6213b3d37599d0dc394518f73dd58a4a94b689b25e249be2ca8397a",
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0fb0a14c0d340d08917fa1f8af83c71934055c3caab06b71eb09b80c02286cd2",
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e1f144e164a4e4333b98e9c63cd47af982fbb3f0acbed25ca9561d85e6d49519",
+   "format": 1
+  },
+  {
+   "name": "roles/swapfile/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d70222379e5ed0fa3bd74158244a5d0218b0ca12f2806b76929d13cae774d889",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f0a18c28f6ac657b2873cb628f81fc182490a76bdcced7bba83c993899da4399",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dee3583c19d41f0058d5d56fda2cbc437a534eca804f34c0960e47a15840a7a8",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "41383e77f1aecb4cf7930bb196c7640b84d7998dbe387ee8fa73b53940fc5e89",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/etc/ansible/facts.d/radvd.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "261e3662a53ea049b9e91498fe309c7c4364271346186ca40622a1a392d2b926",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/etc/radvd.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e4e769af915d2be2fe7cc7b800c36179bb207c257f0cec2f718ab4a30ff4969",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/templates/lookup/radvd__default_interfaces.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "61f08cab8b3e077e7ad0ee8d43f9fa190ad75707638f4555a09ec242456af838",
+   "format": 1
+  },
+  {
+   "name": "roles/radvd/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9da44984352294cbbd20e63078dd8f258d18ca13f809433047a1ed6bdf24668",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "28409f01ad24bbc2fc3519bdaa454f3d8a708a2b1e6acd0a5a663b04814134c9",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35ed677cc6939e95f3820434259e09a638400d4b22282aa52136c347f457d0e6",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "445fbb417e8f0eb8090ed2684ef0bffd549529b00e0981dfd9a393ef636d4408",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/hosts.allow.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/hosts.allow.d/ansible_controller.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8db4a9f20bbc19328792437068437a907317b3f3caf510a8b3e4834af9fa597f",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/hosts.allow.d/allow.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65b6aec8b9acf7398507f9714dce48d8410ecba3a1a067394d19e56a0155be97",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/hosts.allow.d/00_ansible.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06927ba7c02dd1b905c2d559a2b14c77d2c62ba4b4d85ddd149eec310af97a71",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/templates/etc/ansible/facts.d/tcpwrappers.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43da1a2b604a9a4c22f7ef7029ce4815c6b781d690efac788409b0946d87da91",
+   "format": 1
+  },
+  {
+   "name": "roles/tcpwrappers/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "42c6c058da6a69b9394614d831bffb7d58962fcae6a649790cfbf6362299ed3e",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/authentication_v8.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0057a00086c8ae7948add9fc3b84e48839e74d9cb3f79e676921ef59ef65ef1",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "024384e808a7ea48e1cf30f72dd3b53ae137f463ad0bf649ddbf652aa1e7ded2",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/reset_password.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "92bcbf10119531ce2b0525ba1e94317d3d9a486d614bc6eade542d6cec58e60c",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/roles_users.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c26367f42e66757d100abd3d5a41e7a74cf28b940dfc108a234d070d9e348317",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/authentication.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f514cdd8c0301b1ab5968970ce6a82d365383736bc26cf9452081fa06b3dceb1",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b16488603a076826226284e37b3fb36345ee5da82bccdfd7617694d9b5c27f6",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "43b917907688bfca9a7f18fbe0d6732d6de81b8a489adfa506fc05c984ef9049",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2dc20c2152e3007f36748073b247efbdaad0efefc90bf7b8113b3ff41ac952af",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share/elasticsearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share/elasticsearch/jdk",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security/java.policy.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9bdabdf5d07f1735efcc1d57ed0479202badb455ef7cfd161f2a992f50a3b059",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/systemd",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/systemd/system",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d/ansible.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "841c0512e8557ecb9e731cbed934179c1f975a3374954395cfd7129bd627e4fb",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/ansible/facts.d/elasticsearch.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f91dac54309fae3f25c0706f9203a7018ebf622b8d8dea63c8fefab3c0eb6af3",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/elasticsearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3bb6bcfc172e5c6df62f067aea1ddf81fae128d7d8e3429efec1aae8784cd69b",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/etc/elasticsearch/jvm.options.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac8980cc9c3934448b04399cabf9547a91daa919f077229124ed08a2e4dee505",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/lookup/elasticsearch__dependent_configuration_filter.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6c4948cc5ef6e4229e99c56dae6f57cff8fc2fd18c7de03a86236cc5619c625",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/lookup/elasticsearch__secret__directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "525d8fd11cb78325a70749e10405ae7aafad42c7951c73b888ca360d8dc9ef27",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/lookup/elasticsearch__plugin_configuration.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b3b990e4d3fa26d3e45ec1de6e7253e2197bbb9e1cd4c6c60bf978e45d9e1b7",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/secret/elasticsearch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/secret/elasticsearch/dependent_config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/templates/secret/elasticsearch/dependent_config/config.json.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a77883601d46c859aaa8e47f9bbc4740bf9cea3adfb76166f3ae7676a794343a",
+   "format": 1
+  },
+  {
+   "name": "roles/elasticsearch/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8d542f15b9cd19729ca30f85908e98759e2f29dbd3b9385f06f5bd1e6a915b7b",
+   "format": 1
+  },
+  {
+   "name": "roles/apache",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f703f24b63c03901a6daa094f4561167fff55dd91fd59b53f14ae0c93441186a",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/tasks/apache_module_state.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "86781262cc197d20ed8a083bbeea1aaac7e4320f4a7944b69f4616ca675f4a13",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8351505b8ff9d2505e0706cd347b51ff3acf09a5df5d935fd602cbe247f55b2d",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "91fe32fe5eba96f887df1d29a4d64829cd83f2e2abc4cb3328178ef8fce2f968",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "68258ad92eb06184b91a2fb5d67a429acc21b0d55c195375d0a4a16e3ea82166",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/ansible/facts.d/apache.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ef25f80b8b118bf164ecbc456c09b40e1c778f1327f48604989cf65e13c243d1",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/sites-available",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/sites-available/raw.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "76e3b9a5cfdd9d59e0e3ba9f677b6f668bc755eeb98763464773e9588e685dcc",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/sites-available/default.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "659339cb515c5a3948bd5efa010d79a923868985585ba6e243d75a20ac4f1328",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/conf-available",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/conf-available/raw.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "666f06096c3132e4f115fa348549b91a83c1c0f809ce7c2c4a957568fd4b6ae3",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/conf-available/local-debops_apache.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7de77dbca6cea73758ef4d9c77857940abc4868cbfe52e9539ab217aac05c631",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/templates/etc/apache2/conf-available/local-debops_apache_security_module.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73293124bc43c75e4dc42ca8b1e09332461899f3130d8c14f9da58e9d5341691",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "338d77227834e4f3d119dde12349af0cf2aead3a89afaa0fac5cf2e7736e201a",
+   "format": 1
+  },
+  {
+   "name": "roles/apache/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/apache/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb788aafc014eb9e2629b19cba2fecd8ce17c5e7208e200b8d9667d35ba4591e",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f0b2ffcd79c58b1cceb44643a7f00e4f8fd207290595b632206d8e7e47ca0bd",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab65d069d18b6dbbd9cbf53736fd812b803a84077743684d3bf3df19b814d59d",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7050ffe4e83d01115853b7e12bb6bd70a57b996aa5a8a20b6011ce3efd763753",
+   "format": 1
+  },
+  {
+   "name": "roles/debops_legacy/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c00d25f82e874cbe339b26abc41f2621b6d2feaf8c408d4d53d3fc5eafea3b3d",
+   "format": 1
+  },
+  {
+   "name": "roles/ruby",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8df99d2e7c266b468c5d340f4d5fa091469da18f39d96f82cb80c1a3d8e6a8b1",
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62081b2bc93db8b98b69cfb1f4be88aef5f44e9b41962395c44bff4a078428c3",
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a4e1fd733037a8dffdfec0e6106252aed0aec6490d9804a86af8f986ae969cc",
+   "format": 1
+  },
+  {
+   "name": "roles/ruby/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48199b5de6a60ed0a3d1d10b76f58ec923d731964911fc81d38992e4624e8193",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d5f38090d43d621cf13c78d4c483cf14efe3c184bb8ba474e547363fe208175",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba6b197dc06cf23d31b9f850bba1ec8e8c5f95789dc491f52a38e76e8eeac077",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c5899b66745316c2a6018d2c748bf8534e80e5d252c3821cbb6d081c4233cdc6",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc/default/isc-dhcp-relay.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd79b3a1c4dc06d87c4915992df17739c803d5db0a0bdbbdb2c64074a9df88df",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/templates/etc/ansible/facts.d/dhcrelay.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e7ff35b8f733814e0c9a3968792fa28400da9ad0f0e2523341e6126fa3740f82",
+   "format": 1
+  },
+  {
+   "name": "roles/dhcrelay/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f21da79cd92da46b149f5ddc78831e13303f86cef422bba735e049572ea84fe6",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdfa1976334d1e05fc1bc5674f16c897eb049ddf85029c7cbaef148d12c2055c",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c34de94116dec5106a14b7cfdffb1a2936069ecde82d329da03ff87e1a0c4971",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e8fc750de077ec8503de0793b995e5ca76490b2137786e4dbb32734f003085d",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/ansible/facts.d/imapproxy.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be8d9229c30f6c283e596ced3c1f06059de7e224cdd7472bb1db2bbb9cf7b8b8",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/imapproxy.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2468a318e7f6c6df54c05013a1082cc02bccb7db6ad660fc6ac6d352b92864d",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/pki/hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/templates/etc/pki/hooks/imapproxy.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "40748d9fb127e034d50bac796a16d385fe0ebdf1eacc139842eb33530737073b",
+   "format": 1
+  },
+  {
+   "name": "roles/imapproxy/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e64b3ba3b4cb51b2577ccb9fa05d9805d6c60fdf548b2e8c26972b10dfe23ad9",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_debian_stretch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da863204e7b7399d57d54d89e54950171a30d8b4c2bfc6fd8e49cb998111c725",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.02.168.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "da863204e7b7399d57d54d89e54950171a30d8b4c2bfc6fd8e49cb998111c725",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_ubuntu.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a197e47d95e06193953cc05e86bfc8cfc4458abb14ccff79469580870798f3e",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.03.02.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30b298ca20ed9317e8501e5d9be315ac91790ce4f99667ce94409f4087aea10",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.02.95.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdb82170b5eea9a48e4df50ed3070a69893a55b03f433965ca73b3d746f48c5a",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30b298ca20ed9317e8501e5d9be315ac91790ce4f99667ce94409f4087aea10",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.02.111.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63ced78420f95a9b56fba175f465d208f4f3c3aad2a5dcedd4fd99cd30020b63",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_debian_wheezy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdb82170b5eea9a48e4df50ed3070a69893a55b03f433965ca73b3d746f48c5a",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.02.66.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81eda1c07490fff461187c35e61d6246427982399df8e93ea4a1ccd4d5242513",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_ubuntu_trusty.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a197e47d95e06193953cc05e86bfc8cfc4458abb14ccff79469580870798f3e",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_2.02.98.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4a197e47d95e06193953cc05e86bfc8cfc4458abb14ccff79469580870798f3e",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_ubuntu_precise.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81eda1c07490fff461187c35e61d6246427982399df8e93ea4a1ccd4d5242513",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_default.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30b298ca20ed9317e8501e5d9be315ac91790ce4f99667ce94409f4087aea10",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_debian_buster.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a30b298ca20ed9317e8501e5d9be315ac91790ce4f99667ce94409f4087aea10",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/vars/lvm_config_debian_jessie.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "63ced78420f95a9b56fba175f465d208f4f3c3aad2a5dcedd4fd99cd30020b63",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/tasks/manage_lvm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc1c97565c223a200a3cd3222d4b74873e160c953197cbe4a802d2de1885561e",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bda86ffb7225b7db2a2b070ba3bb68b7debb88d3763d4da247ba39d2f9c90c8",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ba8474f7bf75760e4f927306f6e773e27a32c6197b5b1b099b70acd6c5cb4968",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "127ee0f96e52297f0200ccfb53a6e0b6538444b65a9eca00d5d52c44edee1df7",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/templates/etc/lvm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/templates/etc/lvm/lvm.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b13a9d8161feed20996c8fac733e4851857461b79fdc227676568cdca0a549e3",
+   "format": 1
+  },
+  {
+   "name": "roles/lvm/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5502b0447a21f6076c4245007a491f0ecfaabce906730ef93e03d6d4772ff63d",
+   "format": 1
+  },
+  {
+   "name": "roles/cron",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3f06e44b5c3880f179b7dae1f622a82f18bf8b03b7642bb1cb6d230509d3ca6",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "06d99be443c31a701951c53d51da254f3fa69cc55ce50d671f341627d0a98925",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3c459ec1e84e528d01851aea5bbb2c01f1f45879fc337b53b7cb05ef0186ea08",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/etc/ansible/facts.d/cron.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c6f626e2312357adceb38a900eca011a254da87c7e62925fefcf2c487a5a214",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/etc/crontab.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47b96f88a8f0dd60851ce476430ff68cd55a4e69c7b8eb8ebf4ce333e811fd04",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/cron/templates/lookup/cron__combined_jobs.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f138c7f31eb04931ca0dc5daca9d1bc719c955d8e6594f31f76747a9261c214f",
+   "format": 1
+  },
+  {
+   "name": "roles/cron/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0396126e418278cbee65926bcd738316429e6690f046deb386a56e0efccc72e9",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81b4de82c28b97fad0628e871f2ae7b28010d92d47766d26fe4897f7d7e87944",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2166be473909d6968f3df6208c95c173f27aec3f05c98eafc1461d28697110f",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1ebce329da1216bcf17cf818563213b2ff4798cc161d38394a8d5202113f186c",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9e9e7bfc324991211a58934e8dfe65da8de758cda5d699efc1128706b50a55e",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/default/dnsmasq.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9103a8cb467be240ea8d69d867201ae77da19a73459d21db0570d7c504fd8143",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/dnsmasq.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/dnsmasq.d/template.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98bb7fdff3eb7d97013c59e2269514daf753d983cca8ef6d03717bbf54d45509",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/dnsmasq.d/dhcp-dns-options.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9d2ed360f2570e1346f2b86516417094ea2faef2cce7dcf42131118f3b23ec02",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/ansible/facts.d/dnsmasq.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fbf0c0b88ec98f713c556d2858aec4ddc38162fd6f891a58e57a3c8f3ff36ad2",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/resolvconf",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/etc/resolvconf/upstream.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "259e366e82335b4013d1c947c7a97a86a27b0951b8be52805c1ea3a5d84558fe",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/lookup/dnsmasq__interface_configuration.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48e9af76f1f4620cb20c8c6e99fcc7c68f8151c88752aae5607af397b54ee244",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/templates/lookup/dnsmasq__tcpwrappers__dependent_allow.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdfe0cd29110197ac3cb76641b5423b662c9abd035dc5634315562e7e48a36b6",
+   "format": 1
+  },
+  {
+   "name": "roles/dnsmasq/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8d820ede801d6472998b4269c9dc73f72ea31d4f1803e1c47990bde4dd8911b1",
+   "format": 1
+  },
+  {
+   "name": "roles/console",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/console/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/console/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c0c17de7e11807b29939054fa1b37d9495e2da7902520fbad3c18dfb223d14f",
+   "format": 1
+  },
+  {
+   "name": "roles/console/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/console/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c0ba44c4ea0010b4d6e713aea056cb71515a5907a1aea03d96c03e3e604954d8",
+   "format": 1
+  },
+  {
+   "name": "roles/console/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/console/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5477edc81253db70e21873a1ee560a25a91a5f152fe409502b8801225c34375",
+   "format": 1
+  },
+  {
+   "name": "roles/console/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b169cc6a1da12149a378a329fa39f93e5f85560bb60c50a40ca43c4442d03a4e",
+   "format": 1
+  },
+  {
+   "name": "roles/console/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/console/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8031c90ca08235a3e47becb732050f6125b86f2e7f0dcb385967596d77c3b848",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d9bec3341d984ddb1c82988ca322607e8e78ca9290948d0437707828e13b5d1",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7c3215b16383ccfe6e6b9854b016a04d011bf78552cfd61a781b1fed3be7bcc4",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ae5d4584c65951797642c6c30ebd0054cee4621b9c7d83fbe90a7829d67e2c55",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates/etc/nsswitch.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d0abf4b1b0925c5c43edf7d8c0d7af65d98396f77ee29018b6646258dea9bc4",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/templates/etc/ansible/facts.d/nsswitch.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58e746e504dc8a67769c20f070c84e189face1229864d390c5056455cbe8ad94",
+   "format": 1
+  },
+  {
+   "name": "roles/nsswitch/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c0f185040039e00651466da7bc0cafd2e1fde551d17871fda054cfa1a80c9ba8",
+   "format": 1
+  },
+  {
+   "name": "roles/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/acme_tiny.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2a885d03e49f4c7fd2ec2728f69f8cee9e13284e60d280f17afab71c86df736",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/main_env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "557db82fdca8975466e827193edaf30420a0d4803ab2f207d5d9b0d66ccb3854",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/ca_certificates.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "913179d291a4f6093b6511e0ac2a95a066c3a344f0f0add302adb501ec4a61f4",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/certbot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d321198c022d094349937e9fb3c030861a2397af6d35d221220af7acb28fa1c0",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1abcf38b9d195d450bb720beec228c85f50380c015bcfb1b933989be170dc735",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/pki/pre_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a2dbe703ee9f6bb04cd0de8c835f57818e5eab580d672598877aa413f1e8508",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/tasks/pki/post_main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a2dbe703ee9f6bb04cd0de8c835f57818e5eab580d672598877aa413f1e8508",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e395838276d91a547903f7d829610dcd4e8962dfb4fee558db7db0e059d7979",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d2e35d7c31b8d1a137a49c9cd193bf23750e39b643f8f09976af3428e5efcebf",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/usr",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/usr/local",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/usr/local/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/usr/local/lib/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/usr/local/lib/pki/pki-realm",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22b60252541b16d5b516e8d9f0dd950aa145d22c8adeabc043f786a2bd295713",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt/renewal-hooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt/renewal-hooks/post",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt/renewal-hooks/post/000-fix-permissions",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f08c5048709b3c9fb40ce6de1d1deb5804af6a5e007544cccc092c5ba633a8a",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt/renewal-hooks/deploy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/etc/letsencrypt/renewal-hooks/deploy/pki-realm-refresh-keys",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22ca6bfd17c9513fcae9dc27c9ca3e908f792709120f998186d863d22fc031dd",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/secret",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/secret/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/secret/pki/lib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/files/secret/pki/lib/pki-authority",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90652d928873e84f77763d8233f98cc5af0f8d3c3a4c440e3c62cdba8421d98f",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/letsencrypt",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/letsencrypt/cli.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "660393e87e16f2ded738df1c518191019fa40f7e59ebe1d5efc9ce8d6ab9b42b",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/ca-certificates.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b80bac495e8081b230bbbd745bfbee4a3d7efd4b47f77e683bd6057338f86a8",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/ansible",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/ansible/facts.d",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/ansible/facts.d/pki.fact.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd3c102a0c540097709b12e593c84d1d1d8bcabcd83f5c98b12305c5d73b4d25",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki/gitignore.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "325f362f3eb641932c1ed66e7ee7e84058fdca135c82a06c83f1c867dfb6bc1b",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki/realms",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki/realms/realm",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki/realms/realm/config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/etc/pki/realms/realm/config/environment.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5a7aa893fc91afc9e467ac1e6c55bf28bab8b94776341865683e37cd3de12c4c",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/lookup",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/pki/templates/lookup/pki_env_secret_directories.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3902d94d55286a2d344513739884704af150b195cce1af4b7d4cf87c11cc1563",
+   "format": 1
+  },
+  {
+   "name": "roles/pki/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1cfb13c8711a785cdfcf76ef24a21f27d5e67ae6dd4d0c0b74160fa62e248623",
+   "format": 1
+  },
+  {
+   "name": "playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/common.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "205e8391077a45740444083d3f2045c1618acaa906451995f8931aa86f6ab31d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/tools",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/tools/6to4.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5a18b22d980e5b4a9fb781d78bc511dfb3cb44248587f0601bd360bcc36bafb4",
+   "format": 1
+  },
+  {
+   "name": "playbooks/tools/debug.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1c1832e9fe60b85b9a3ab75160b6301ac67dbfa4e643e1c51d61124ffd382d23",
+   "format": 1
+  },
+  {
+   "name": "playbooks/tools/dist-upgrade.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b7e46cd8591efce8643b6405b29314d5ff9645b92a99c63af646909db1e22b82",
+   "format": 1
+  },
+  {
+   "name": "playbooks/site.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c06d417dec59f8f58ccec3b45697d8f17b253e33cd2887f6b5f78d0c1cb32e1",
+   "format": 1
+  },
+  {
+   "name": "playbooks/upgrade.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f89b6ca735c67c60f66a190e8760abd0fad0fe5f61d9db5981420d14ec812b0c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/ldap",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/ldap/get-uuid.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "311023bca8bf5fe2219eb62d8f5bd4b2a2a589be8fb633962fec3c215e4b9ee8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/ldap/init-directory.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2f524d41fdfe7771885956b811524dd9179ebea548e491beecb8be51bd43f5c5",
+   "format": 1
+  },
+  {
+   "name": "playbooks/ldap/save-credential.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "35680e6be71e89b9935baa078848a13abcb9332f74df06e375068baef00e92e8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/bootstrap-sss.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0faad2333e5a7c190e112f5124c76a711514a3e44e28c84b98e5905f5f7e09fc",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/common.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e074cb63375471e20c2a0ba29cd38db6bccbe248654dc412f0e158966f5b86e7",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/systemd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08f092ef2513d32683cce56e287d81db4edabdf5205ecc9c39e7404bd49f019e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/hw.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "72d253cf3afc9d6f36e5f009b8395901404b69b8e4f0a947a9ea5a9602a373bb",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/net.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e20381738fc071fcf222b51adac6523e62819ee373199267176246b1b9197a36",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/env.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd721d0c5e49c27a9a76231faa2b8d7127ee06ff67c240a697e7e961d62e7b4a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/srv.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "65d28035261124d8df321cd88584f91da1dcdd9cc243358690e0d48fa8f9c36c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/virt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f87f1dabc34784b8de7bb99f93410b17b8e321d8eb4ca9b63f77005fba63bd0b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/sys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3bc709133db0e4af430c635d2fad335edda27af2dba6c449016e88e303301777",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/agent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c675bae69261631a7cba4fd2f60eb00c8165cd70111fbc21855e4b8c30bd431",
+   "format": 1
+  },
+  {
+   "name": "playbooks/layer/app.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "780e18e5e8e991065846a705024d3e7c38c0f102d6f415878146006da4e4cab0",
+   "format": 1
+  },
+  {
+   "name": "playbooks/bootstrap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4fe7175a6dd3ad18900ee365860a41b94510425fbf4a9ee432685efdd116c588",
+   "format": 1
+  },
+  {
+   "name": "playbooks/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/templates/debops__tpl_macros.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "349d29b002d54eea7b04f658db404cc92405276fce27fa38426ec562df418f92",
+   "format": 1
+  },
+  {
+   "name": "playbooks/COPYRIGHT",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4a39f7be6e43bd9bc57aa822b50d3851141068f40c0b41de9a6872d45203e41",
+   "format": 1
+  },
+  {
+   "name": "playbooks/bootstrap-ldap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1af0b39e37cc9c37fbb2dcb2678f1b776863abde34eab1a5944f102d9ef1e570",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/pki.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb7b0b2477135d0afd3699e8e7066b32662c6a2faab6e56ddfe09afe44055324",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/secret.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "94fe8ca79a1d07a852f97e1849ef2036ef35af1312496a8e2238340358a13563",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/libvirtd_qemu.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04163b4b4b45ee18acf32dd923d6de46df2f64d19d1523b718b86a918ca5fb29",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/opendkim.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6b748182d9a38ef5153a6efc6a01dc17f1498883be168f663fa1209f39deea9d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/pdns-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5ef93592381101b887f0aef50b957f032e008757ee52b794d6747e4d3d9d719c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ipxe.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ab992cebb6536aa37af91ee54da14b78cfdd111a33cd8947d4afcca169debb42",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/fcgiwrap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a4af46912ff2af67dc0f928658b1b7220569a933fe07eceb00d3d394274b72a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/logrotate.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f83941bc8641af9c5a8dc1a7cad26d6ad83a15a9bf9ab10111df5cb89a3a09eb",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sssd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a7aaed4eaa8b1a8d96d16f931665526e64a155695f640ba318b70d3504d7d40a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/stunnel.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85fc3b6927c49b7ef96d6dc5ab476aab48b0dd2d00e9a657f50a1ab090ec77b4",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/smstools.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c0649ba0e8b59597fd6741d25372f77f469aabf618f9eb1cd1db37de2d192ac",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/telegraf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7132f03ff1155606d79959fb6c3aa06d8876dbffd769235a840e53aef0eae9cf",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/snmpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6dd2ae5a8386da7c23e73a2524aaa085e0607123dffcf6dff5d45d5f40123bf7",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_proxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f9020f516649f759ee410287d62da040c7a3221964e94f7ededcbeabb5cdabd4",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/netbox.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec5f136d68fc668afd9627298d20e7f742fd436421513a6767377571f7c1c834",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/zabbix_agent.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0f214311e2bb383d6c0885fdb711cbea8779d1ea0c47054e98cbaeede0b555b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/owncloud-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0880c49c66106981afbaa553edc52e9b2c41f346fdc1045fac916448506c9acf",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/pdns-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd85e43dfac93f5673bd8d8a7f9b519da398eaa841c933b8e6c414374e5971fd",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/pam_access.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6ed7cd9e8a59699d1732d71e6e8075d81a0600a242e86546f7ff3402fd5477f8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/php.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8d7f810b878d0a5803d7f5cbdbe07ad2161fcf56f3f2972e03a07078019460fc",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/systemd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ffc39886d8f683265feaa3724ee54295f15991ab4f64c15b9fd747680a11a737",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/bind.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "10052b4de364e3f30fb49744ac1b2ba9e6097e3293353e8d3d18500f5f97e078",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/persistent_paths.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "552705290e6ca47b319743f0fd7668898ee4d3123ab58ca4b0087a5ab8535189",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sysfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ac741553984e8d6ed0bfb030808fc7a7e326e11bb8a103c683135046843ad2b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/grub.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "356a3f6f16470070ffd399c706451aa6028d68258543cd8f360777844c58ed5f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/etc_aliases.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0a756851f6899d3f5ae12c24b2dc2981e8fa83f286bc8fce1d8e81a694eea9af",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mariadb.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cf45a9b30bea20a7e6c52a1c1c4832a00fbf49003dae5299aff30ef4c7818401",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/gitlab_runner.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "724fc35e74fb7926511713b1303209068c282a7f8d3aedeb72316481ecc631c0",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/core.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1f47837eed1212740ae3f09059a9f97bd22520dbe676f487464e5aad43041ef",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postwhite.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9a2287948884026c6544129c313c93f744e688989e6780420122e2f1400b135d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/minio.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d9d0cc2f0de25951b9978e512e609e2bc256b16ecf13f5f514b8809e7da2ff6",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/wpcli.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01c15e0d6232ecbd956eead267e4d12cfc2b645a18634ef60af6e83bf1e25895",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/etckeeper.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ff4feaa2643a662355e9109005406c02280a4d2686e59162af1dee9951db8581",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/unattended_upgrades.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "851ef3a4b881761c3d3473ce67a2cf1c7b9df8c34dcbfc30e078354618a7ac2f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tinc.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e6046d3393a5a5748a370243b2e0e6ffa3632fa3a0f4602dd8c1c4dfbf49ec8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sudo.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "70c8b9e9d0990cb8f1b6a1c71ea5c8a264ac401a38f53f49eec46bd77dac6008",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/environment.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc89054c6f34adfb0358c467462547b898c2fa75d5394cf77bab83efc172f52e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nodejs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b890914a786ffd7f1ef749f61bdb3f52a21535d6437e61db5741b7acd6a92cb",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/redis_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9964a84c947f4257c6e8a8308c898df1271d6c616123f5ebdf789563e91153cb",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mosquitto.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16457f02aedf43655cb5159172fbc62dde87e3cc12f3bc8a1893237948007451",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tinc-persistent_paths.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7645b4ccb10f4d07283de76e45739a8143f0cf07ef0f7e5b5cb420a69dd7606",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/timesyncd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d612441f552e0bf83c13c358272c327cd828da9762a49784d15a181113cd5c26",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/system_groups.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8afb105c82137d0baaaaa744d41cca6074ddc31205a4d6ab2d5fb8cd63d886c1",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/cryptsetup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "739f56ba40eaf83fe47e3f613847a438d1fdcfd8dd18f8e3e0567f06957d7e60",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/golang.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f18079ca7de225e0b6d66e457ebdbef3490aeccb06580b1e2766f8f30db2a422",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/journald.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2373f64875dee1ca80e64d2b7121cd0c917e8639da415be525b87a40af657d51",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/proc_hidepid.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ab5597de10d2ff88bca5e8ec820a28db1a2ef3e222b2f0d03e0a6a0a52a1d39",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/influxdata.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "063a5fc3b0ac367288a76031150c3886bfdc9d5e7bb4ac8880d5ee82a6eef6b6",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/radvd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1227ff347089db2cd1af301fa69817699cc634312490e30115d9c72ef625f459",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ldap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "480b7916b065ac81053ca79e722eb453282751e67ece4d255e49f65914eb646b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/users.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a028a9aaff0d51dab0d2dd810aac7d22e9a65369f65bf843b6cc026ffc4b481d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postgresql.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "36082ac70c94604efd58ac38edfdbdbc748b4acfc0f03379cc37fa5186d96aae",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/fail2ban.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ea8643ce2840e8bd19d247c6139933507aa68149d5eebbe4cdd5d94d647f30c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/gitusers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e72f841d778b02fcc5e7d62dbfd8f1c4ff8a355d36191ee48cec4a8381c1edd",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/icinga_web.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f7a0a72a8eed3ef78b66b630aa7c272c2dba391231628fae358515eeffd2c282",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/cron.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f532720b37b2b12ef792a7f1af787a7013049f26a8b534ce337bad9e64e7a5bf",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5144573ca1cc9e8b8731a20f92f7b846667d3b2f0fdaad0bcfa5830c9159541d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/phpmyadmin.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b21bf5809946b1d5bda074f3e748be3ccc3e04bdb7d6194fd66c33e7da102ed",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/console.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6908fb1fd40ea29a15f4560e72c234e15fa0e16615521b4a3a1dfbb7b9529777",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nscd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "311ddce931a473acc8de4ed584622874bcec8ee4cb19e93b49e44c3a0f78745a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rabbitmq_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "485f46650f5649373e4970521ee403a98432194f980ef6b267463162d240f9d7",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rabbitmq_management.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a79b7551bb639fe780c447ef700befefd35ea4a84da23599e7e24dfab0e68860",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ansible.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "31e004c67a106b443f8e821af5dd2fc5a5e5a3da2d5919e8226e78d98c15e948",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/neurodebian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7063f9e2cf6ab0502098487322e40fc7358e6b72c10ae09f4721ce71b4ecf03d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/librenms.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d8b8807fc9074ac5d244593637886d3dc2b4de8a93a76f8889714ef0b25be77",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mcli.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4acd6ac991b6fbdeea98df3c4ed6cf41741e411ef0b94c0fcdbcd8d48f101e1f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/networkd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c9ae267c6d60a8485e06133fbc1c9225da498bbdd5e8949753eb74793ce2100b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/root_account.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4b2fe0455a3c4d1a88c395ac00c09f8b9b207d57c5c8cdd1d476145305089725",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/cryptsetup-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7421e30bf119f189cfadda24dcbfbe6ff431ada756523d70630934db81adad05",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/owncloud-apache.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01d5bd0c6911f720d4a945b0999be1b665d73db9eb120c75fed5063483b1652d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/python_raw.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d76a5d597d9fcd6d29022c8a83a43d414681a66c509a90458403329c3cea4697",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/atd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dcc23332b3637f361f4c7149115002c3dc36ce71c3aa2a8010632b3ae1ed8d6e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/debops_fact.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4dce78e3729915be1ebc7df9a1b20b0b279208c17900165e55223b7647c98bb3",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/miniflux.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f5d24b23be98b97ce05f766d7f3eafbb429bdd1745419ad29af585cd166506a7",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/resources.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "93d6385dab7b1918bae2f7f3b58acb17de508a0bdc8d2d008729bae35879f490",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/debconf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9621c2b5b86bbe0a117ad3130af3cfa4910c9ddd91800dfb182348fc4a03cb22",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postldap.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eb522c427082b21de7de9ad76f7206c94a62f9401c094a1ad0b11190cede6fad",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/hwraid.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b8c93f449a160be714a602e91504a1df462ea92df76ad10cfefdb726769e7ec2",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/memcached.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8047b0c2510825a8c26abbcaa742b737b79c32785fe74ba649dc10df67879767",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postfix.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "022a72e4aea1169ead02b0884dbf519c55d5fd2d7640995448b968f98e7b21d2",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/resolvconf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c84bea0db7041653bb0bbdf6a91f733a4fe2e358b792055e9bf3c2ffdb2d7fba",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/minidlna.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ed120f92262381e5ef57f1c90f3c933841fb005cac5b23b5982b5e9d8e66a2b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/hashicorp.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "67b22723ae9a6117cac282048f713e9d297bf5cafc5f56fa3cf910b5dad76d59",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dnsmasq-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db7366a0aadf59ff77ea0cd6b5892f3c2c5160fe8a207b797612b2b050a9f053",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/extrepo.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1303e038ec0bd14c8fe582c9d2ad97ccc078cef5ccbcfc53329a7a7e7280c569",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/gunicorn.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5069fc9c5cc0922fd9d64b8e65aa406196216ea2b2c020f7e2aef786cc551884",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/etc_services.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "69ec5a6143873a83573137e96dc67441db3ec02bec0e198ca301747047bb7af2",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/owncloud.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b4ac0f0fce7f99c0395d116be3deb5e75bf0b786ecf2c5a11dfba766609beddb",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/debops_legacy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac84a4a92ef550c2de1e190b913bbab6267e2064c30155251fe2b4bc0fcf1acc",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/unbound.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d8506c27f1b13035006843fea836ed64538e8dceaa6efb92a94755e969b5c996",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/monit.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3f08ddd29f315da00cea4336580e80fe4e423af24207dc160003765c70ac0e58",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/authorized_keys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1dad860832d233ef370d7f1506a92299692ec3e3459b6fe18d339e5b759a092",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/elastic_co.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9ff06f17ee113616a94332ee5ac2b05ec0e4665e0ff05470252c9f51188250f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/reprepro.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ce2d47706bf183d7f61f14408e8184ebaa543a176044fcbb4acf4ccdc46da31b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/cran.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb63c82b89f4a1e9eba091ae8059688fda1b2ea8af255dd2a5dd56ce5fbdeec0",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/kibana.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dfb211916b7b0efec2b16badeb9d2692d33c142952a190b9fbfb255c7d77ddbd",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nullmailer.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1650058cb918b611e2fe9396bc5e571b5fcd40011977bccf17ae74b43897a51b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postscreen.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "007d19b8bcb365396422d3531934cd4cf648db8dcab239dfc51dc69c3de50359",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/phpipam.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11b147e07271ff171882c82d917f05c2c6dc8e9a7cc17cc8f36b90ff54e26943",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_cacher_ng.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ccaa502e6f956a58fbac0a762dff0273c4519328720d0e2a56c36a107cb5934",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/prosody.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3d3d09f7834d296ba19d302a6455ab67ad5173b3a0baccdecd324f47dcca6852",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dhcp_probe.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1b731011c94078bccb5cfaa3bf5d8b729a090219ac87730cfc7500323e83dd62",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/gitlab.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f437f993c0b520605736323addba474046bf1ff759157686e68acc8d771fc24",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/icinga_db.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7f2aef24810c2a10380e246ea2a32c059d51ee1b4733a86b6fa9b860dcde5719",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/java.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4b0c24a7927486b52c1aa64e448ec07498806389449c4bd64049568f151a3c0",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tinc-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a89ec5e9c5fbd87a1956638950c0189fd9b95f4c76a217fb5b4bc1c2e110bdbf",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_mirror.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4378982c4de9ec371f9cb6128e80d6e04786a69bcdfa0452451647b40aae341a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_preferences.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f50f329dbe8d5d38a91a049f61c8f63567263d68a0b0c333670773e7b6fc576",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/avahi.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01c8e8340fcc2c327419668b33b5cf24a0ec068f333c35aaa609e5a8a292a7ae",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/fhs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "703efafd37d5b45872c3963af53e942ad78bba6e9ff317d42532566ffb83ee91",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/metricbeat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9d820a93763883de10184503c4e4a27005ececabc493169fe1f9b5d863b33ea",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dropbear_initramfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a8aa2d94f4a809c9aac77a59d41c7f7ff9dbf4bb0f2d3ee0ed3e4a96cc28b18a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apache.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dfeb230a5ee35eac204fee10b713103eeaad28b17aa720f580a38ff211ed42c0",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/etesync.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "77f9d2f5a395f5c3891f174846bd1eca15f9e516f0df9a7b80a27bc0cfa15d4f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dnsmasq-persistent_paths.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "010105e3671db14192772141702762ac1cde60d114ca39e11eba5f20bda471e6",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tzdata.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6a02b5e7131f4c04f57a78054b0c20055bcc42b2d7d8668f839a0c2f2f31cdd",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/netbase.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "beaa9b025b2d106a0411fb686aa12062747a1f1f7d10b65aa47decdfa3085a95",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/etherpad.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60b5d2738512a05c2737f5c352c3b9d89324beab592a732749ea35ed32756264",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sks.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eec520174fa370bf17fdb5848003e0ca2be2c5ae530f110e797b1e99709f4b84",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/keyring.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56bf6c6db04f0f226b754f92fb9f4881176ff02b08ce4d327809ea1fbb8bbdc5",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dhparam.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e6f0f6f77cda217cac375cf4e732fef38c10b59f330ea5b015596ed521e7e451",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/boxbackup.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fc57c4cff78f90d215d259a1bd14ee1951c4306b299be76f70cfcc1bf6c4bc65",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/icinga.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3a8d25cdd28c36ce9a0e6469f7e387e526217fa9fb5568fe8b50497c9065c6e7",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_listchanges.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5bddf11b5a4d1a127ba1f8e9a8699521e277a24649873eeab6b9b8a8bdafd009",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/locales.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "74c08c369af38497fd1ccd61e059ea553472103910ddda546585fb8e986a55c3",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/iscsi.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "efe2ee5d32e3c4b512eb982f75aa2c0710f57d3e131f206fd4bb25c9c2b5ee6f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/freeradius.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d1b0e1101f0238520c540685ab72ec67dde0c3dd3a6bb5015df988357da52b05",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postconf.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "30ffba964c60c808df3acb0dac5ceb7291ecb7c1dea252647b9567820e3f920d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rsyslog.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48ac47d4b2a779c21522ce300301fa78af3b164a71f8ee390b220875962ee486",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dd7bdf057a040af4f88f196e4876ef61fc890cf21c7bbefb2ef15d34147bb511",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tinyproxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ba24f35a0d0a20a6c3eff556cc14719e63c48b1c92474ffdfcaec9ad9d04faf",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/swapfile.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeb276a694ee36b05af558b991f1700340e45aa2e108b20c80d322aec60b3c00",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/docker_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "51a5f832ab24d0fe93b6384e2d87ebdcb6ddf84b9a86b85f9cb349cc0e690022",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/libvirtd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c16da8729c990ce213b173c37254048e4bac71c52edf40f6087ab96246973dc2",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nslcd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7602371cef12f6deb9e6232f172d0c22b87109ba7c24ddb8d8f2bac92c8d6545",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nsswitch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "061d46830db4b222c67b2c5b77defb90ee5773a8dffc18fa61fdd59ec205ee79",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/influxdb.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2c70b1e436e3cd80f204fb63f432986cdb00de4d24aba2b2dc77f3193efe5dd",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/yadm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "81acc45816f2c86fde4992ed2357948df2cf0b5a8d93df5f1d40641fc300fbfc",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/opensearch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "742fcbcef5713d827bc432af83a1c25740c3afff5a93a371591fd6eb18fc7403",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ifupdown.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "71bc70aca735c6039a821929f17032b3dde69f903e9ed9410bae6abd7fd1b06d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "515e684bc48ae52d21a3eb6e48d55197aa6fb00ecee5312a120a931527ff9c7e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tcpwrappers.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "96d63d80ade6f82a2f1283ee482823a8c00ed091c19c5d5c730d48c4ebb15423",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/roundcube.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fd5baccf775eed2de2b38b4ea5d3c3abfdda86c534f9be24eed5e77471dd6e17",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dhcpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b5e75ee60733f36241ec809cd0cdb61ea04ba5ea076deaae0a40c60c33aa396b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ntp.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9bb5653280d41244279a328b037b158daa3d086e53f37cce9f25b7654ab5e439",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/saslauthd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e974c94ca3eac3d083f73f9b9243ef78162e8eba4925828e544115f969b60e26",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/elasticsearch.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dc7ffba5f629895efcb773e804f89f81054a87b8384e91b1bbd3f8b51b85e1e9",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/libvirt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9ad073a03022f853fe4aca6d1fc22248197296c3429cd153769d30a0d3d12d5e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/lvm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12b6073b09eae65ec002e4fcf59525fec3ceb9e6d0facef938717ead53c01d0d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ferm.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c00b49ba2c67af03729cdcefca22cc3da1e07ac6e83d95c010444e576832b7c9",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/influxdb_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d3e610aef1428b7a9db6987e1fb3a1c62f785702f9de8eec7b1a3ed27efb7512",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/resolved.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "483d81f93cbe472a1652f7d3df10486721957ba82377470379f9c98e1959a662",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rstudio_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c0955cea6ba6efee07f2fe84e8c0ecc4f28eb4fec4bd05cb61bccfb92b87f590",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/lxd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bbfab3679587d6433cc048728f91eddbfa2e096e3dccef817b20b7998fd8e33c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/libuser.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "adedc497dd1f0334cbe26c34b4b9cc9f532f585c240114d3cac3fb45e7a64a08",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/machine.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "460fc37af69862630640ce02fc0f68aab71088c9425115c76975f4d7c0481860",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/kmod.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13af2e4c0c2cc67514b212fee5fcb6c84453a4955867a9cc1905d34c44679732",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/system_users.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "11e6f83ffea5d12856da9dec82635202802cbb6827432e1f7d61f8152f43b3c5",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/pdns.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e61e46690f056300976339806ce5a2caf642c7796ff8be0aec07d7d3d9249b45",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dhcrelay.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0995fb4ff28b826f90a8afc9868fadb61c4404c7f04e051c5358ff98a589a361",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/slapd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "41352ef914fa4e1f44f917a2b10e3dc788f0a9635fd396258ac7c017740fe3b8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b263379e89a083cb0f696d3ed77ee93a9fb31a7f1da4668d67be1abd7b10c4a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sshd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f395896292283de72dfc1756f51bab01e4bbf1046c25753e73347a28f4a179ac",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/filebeat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ed69c754e6e0f3d45642bd36bbaf99a8df2b8a2d28c0dafede5fd04a723e068a",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/backup2l.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0da0117790a137b05aed51b548e451a79821e8bd8fc78d2105b8ce860bcf429f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dokuwiki.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d6d66239b90700e86829d90d3ab46e1e35aecb27cb701ac96f02abcf37f908b",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sysctl.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6bf10be032036b1e0b99d375a266369ed60f2e40af711a7c476dfc33237ad54e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/imapproxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5317d0c0a05dba3150c3a55f6d4143c44e1f3d1a28cfc78dccf6e90ecd5e32e8",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/redis_sentinel.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25385b69923408b32311f8ab0be7dca8b1ace9492524c586ab05268b2a7a057c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/controller.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "01d6b384109a668839305b445622edf7b3e58dd471bfd5fe1bca20152b4e1d86",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apt_mark.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fdad3a61e056ed200086105d98ff88fe3e93f79247a8afea5d1b9d332c9aa1c1",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/auth.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "42415618db624b3ca472e057572d08985b1bf6741f43137ee30e042f5da4f152",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/apparmor.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3889be5db37e8d08c2223cd44cc07b95ed8d49a2ae14d0d67a6d4f5961dc4ba2",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rsnapshot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "19427d07ef0743886a6997d7a141d135069d90fa2d1dbf6d3d2b4f005ccba373",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mariadb_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2c6098abf34acc1e5f6d50c0840395a690cf7c5daa8c352354b764ea29c86500",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mosquitto-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8113a1855b4609bde180453f02d69cf7a0e83c68d6306699a4e11fceea5e0019",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/preseed.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd97ae9e091da6ff894eb1c192617f55cb63445255a7b92bc6fc6d81a1ab641d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/docker_gen.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d945d5017d83c5260cda04d6f88124f847c03b7e1b4f7aa30cc7bee5d610cf67",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/samba.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d7b5b413042fe4e0c77ea6b2af587e0e992d6465c48cd8d8cb786620b93c41b5",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mount.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbcca2469889456595d73eb2b97b0ef968a5e434fece89e609a51f1efa13b938",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/cryptsetup-persistent_paths.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c9a5b31cfa15d13054a9a6bad333e5e2dcfa48d56650d1eb9ded9c7da51172c",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/python.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b6700a279cca472a37cd8b8748d36bf400256044dbded4f97af807457951951",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mosquitto-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2ef1f7e1b3a86d8ec3b6173104eb74d346d487b8c6a467fd2038b63c9aae9478",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/lldpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "990679dd36935e44bf09f41c9a2011a4163330578b41b0e28c902b114da713fe",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/nfs_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbfd3cf3ea64e2ed96070d0ec80a26211f56965b39178b9d25d3279668e3767e",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/sysnews.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b86748ea7219ca22dd88ed98abd9f837107517f387fec5602182d5fc4f86638",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/keepalived.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1d569e08eac842b2afcbfe1687833240a281d1d56c94e46ec3e2b9c5c3ad07ff",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/ruby.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0826cc5d87711cd000ab81a9f5d8f54aa46ec5194f2ba87956eb7ce643e14f22",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/docker_registry.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e0bbda5a87ad418515cc6ff7f5b12356911edb1c48e8f6aa23dee31a04eb0f1d",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/salt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4780887df0f7b0e1053d72cc7e2a3624af47d2d8926a9fb53c30bf261ccd5425",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tftpd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d5e677fd2072cfbd259b1f7142eba97cd58c6a776ad79691290070691153920",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/tgt.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "12b5cecfbc57c193a2cfa6adfaa9a1e5397535c2e81c0cb10191945c7e74f904",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dnsmasq.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bfdbd915ca64b089705800777d00719a4756a35ae4ccbc7d97d24c927453511f",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/mailman.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d5f56084971003c1ff527942beccbd79c41aab919fbd3afbe312bb20143e5855",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/lxc.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "07c8249434a8ccb81b5f09c5e9c5884e5955e3e5430352be0302422af9235b53",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/postgresql_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "822e4d7fd03926e7c32831df43a4a187dc63ebb72bbe2fcb02666480669e5631",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/dovecot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5aabdf7e7e8ea3df2c7b36c24b1bd6c02ba706a93a345a6507eaefbfe58e38d5",
+   "format": 1
+  },
+  {
+   "name": "playbooks/service/rspamd.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "48ca9b7c5d4b79f15fb7219763d90b7245a9cbde2ad615f81905da61d713c1da",
+   "format": 1
+  },
+  {
+   "name": "playbooks/reboot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89fe0791f9ff10fbb463e560dc21d0c7acc86e4552db8859669c29effc41f80e",
+   "format": 1
+  },
+  {
+   "name": "collections",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/meta/runtime.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1016526739a253c9c77d6aa36037e2f66dfb53d74ae6930bc1ef521fe5165527",
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/CHANGELOG.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6992923cab2328386361b56e626a9a80b59d48127d76fbbc670a1fb721ff911f",
+   "format": 1
+  },
+  {
+   "name": "collections/ansible_collections/debops/debops/galaxy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6259fdb70f40cb38ecfbeb07fee50f7a54c0a44859fb3d8fde03e5717a0bddee",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/README.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "edc5857655817971d8f360adac1ca063f54a40567299e8f4271e10d2c0c43ca1",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/homeassistant-plain.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6e87ba687d091ab33afc207d9794fedfe620bbbf1fffae478ed379d9f59dc299",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/bitcoind.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73e95d6ab4ca8a613376a09b717b2cc9e15d283c87b126b7c4d9764dcc846633",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/homeassistant-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac57621f920f4f5baebd2f6e95b0b4189b6010fbd2edda387e2ef4628a0de9d8",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/btrfs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5c2f5dd5e062f771c58ce5cfd8347dd71a8d7c4ff01cc2541913bcf34292773f",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/volkszaehler-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f134306cdf7fa6bb4bc2eefbf86ba795647c091a9cb6e201547b5a34991e2717",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/foodsoft.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "79f8145a75bb7e233390ef7fe06bccbdde7a4f4a483ed5b291dc22d39b76c1a8",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/kodi.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f36b509977881787f4fd0e5d85c35503e2a4d2a38695174b277d962932e3958d",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/tor.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "038126043fa6c82d5a2199985c4b1c2605f85415933502fd037151cd7e899692",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/homeassistant.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cb89bd536afda8dead2f8d65feeb0cc258958e0ab6b4ba299660bb670d401084",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/volkszaehler.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b1dd195bdd770b55f3f9d96a4641fd9920aa587e2ccb33f2c94fb78f0e5ea5aa",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/all.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "45672f22ca05c41f780eb87366c73facc1e677f56247e4c533411e249757d468",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/apt_cacher_ng.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3cac90451208444c1bdbfa9b92e17225c6464e41e1528b387656d2fe59d8c028",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/snapshot_snapper.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d30da10e51105d7d001fe39e9655b5c7840952f9d0ecc14fad31f399a7f9b111",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/foodsoft-nginx.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9e366e35edfc5c291ef2cebfa50f0678080fc5cfa62009d4f66125e6bbcdfc64",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/volkszaehler-apache.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e5f9aefc7f1a312cd2ba23728a58501744c833d83f42bb24c5cb6d3530d81c60",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/fuse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "375b5df1b45a66d5492404e874aac5fcb629b43e86ead163ac6a3e3e96d64b35",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/firejail.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2267f15c238b95aab01ebd6e08168b5b857c46b01522ca8ab684f327d722115d",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/x2go_server.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d03cb677861ed43e4818f824c9574b16aa4f7574b73216dddddf2c6e4c1a7123",
+   "format": 1
+  },
+  {
+   "name": "debops-contrib-playbooks/service/dnsmasq.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98b5e35b697fa186a8811d8bc7827c4ec10ca2fb92c171f14648994bd0a5c74e",
+   "format": 1
+  }
+ ],
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/MANIFEST.json b/ansible_collections/debops/debops/MANIFEST.json
new file mode 100644
index 00000000..0be8e7d8
--- /dev/null
+++ b/ansible_collections/debops/debops/MANIFEST.json
@@ -0,0 +1,50 @@
+{
+ "collection_info": {
+  "namespace": "debops",
+  "name": "debops",
+  "version": "1.0.0",
+  "authors": [
+   "Maciej Delmanowski <drybjed@gmail.com>",
+   "DebOps Developers <debops-users@lists.debops.org>"
+  ],
+  "readme": "README.md",
+  "tags": [
+   "debian",
+   "ubuntu",
+   "linux",
+   "infrastructure",
+   "debops",
+   "sysadmin",
+   "cluster",
+   "datacenter"
+  ],
+  "description": "Your Debian-based data center in a box",
+  "license": [
+   "GPL-3.0-or-later"
+  ],
+  "license_file": null,
+  "dependencies": {
+   "ansible.posix": "*",
+   "ansible.utils": "*",
+   "community.crypto": "*",
+   "community.docker": "*",
+   "community.general": "*",
+   "community.libvirt": "*",
+   "community.mysql": "*",
+   "community.postgresql": "*",
+   "community.rabbitmq": "*"
+  },
+  "repository": "https://github.com/debops/debops",
+  "documentation": "https://docs.debops.org/en/master/ansible/role-index.html",
+  "homepage": "https://debops.org/",
+  "issues": "https://github.com/debops/debops/issues"
+ },
+ "file_manifest_file": {
+  "name": "FILES.json",
+  "ftype": "file",
+  "chksum_type": "sha256",
+  "chksum_sha256": "aade0f4576395cb597f1f5e697f6d8087dfa924603ef01436b5489962583d844",
+  "format": 1
+ },
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/CHANGELOG.rst b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/CHANGELOG.rst
new file mode 100644
index 00000000..585d9610
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/CHANGELOG.rst
@@ -0,0 +1,10 @@
+DebOps Collection Changelog
+===========================
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This is a "stub" changelog meant for the "ansible-lint" tool which complains if
+a changelog file is not found in an Ansible Collection. The real changelog is
+located in the root of the DebOps repository.
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/galaxy.yml b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/galaxy.yml
new file mode 100644
index 00000000..51418b35
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/galaxy.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2021-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# A "stub" configuration file for the 'ansible-galaxy' command which ensures
+# that the DebOps monorepo is recognized as an Ansible Collection.
+# Don't use this file to create real Ansible Collections with DebOps content.
+
+namespace: "debops"
+name: "debops"
+version: "1.0.0"
+description: "Your Debian-based data center in a box"
+
+authors:
+  - "Maciej Delmanowski <drybjed@gmail.com>"
+  - "DebOps Developers <debops-users@lists.debops.org>"
+
+repository: "https://github.com/debops/debops"
+documentation: "https://docs.debops.org/en/master/ansible/role-index.html"
+homepage: "https://debops.org/"
+issues: "https://github.com/debops/debops/issues"
+
+readme: "README.md"
+license:
+  - "GPL-3.0-or-later"
+
+tags:
+  - "debian"
+  - "ubuntu"
+  - "linux"
+  - "infrastructure"
+  - "debops"
+  - "sysadmin"
+  - "cluster"
+  - "datacenter"
+
+dependencies:
+  "ansible.posix": "*"
+  "ansible.utils": "*"
+  "community.crypto": "*"
+  "community.docker": "*"
+  "community.general": "*"
+  "community.libvirt": "*"
+  "community.mysql": "*"
+  "community.postgresql": "*"
+  "community.rabbitmq": "*"
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/meta/runtime.yml b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/meta/runtime.yml
new file mode 100644
index 00000000..c0bbf908
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/meta/runtime.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2023-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# The version of ansible-core required to use this collection
+# Ref: https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_structure.html#meta-directory-and-runtime-yml
+requires_ansible: '>=2.16.0'
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/playbooks b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/playbooks
new file mode 120000
index 00000000..7050a7e1
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/playbooks
@@ -0,0 +1 @@
+../../../../playbooks
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/plugins b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/plugins
new file mode 120000
index 00000000..2cdf59af
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/plugins
@@ -0,0 +1 @@
+../../../../plugins
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/roles b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/roles
new file mode 120000
index 00000000..4bdbcbad
--- /dev/null
+++ b/ansible_collections/debops/debops/collections/ansible_collections/debops/debops/roles
@@ -0,0 +1 @@
+../../../../roles
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/README.rst b/ansible_collections/debops/debops/debops-contrib-playbooks/README.rst
new file mode 100644
index 00000000..e99e1d07
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/README.rst
@@ -0,0 +1,70 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017-2018 Maciej Delmanowski <drybjed@gmail.com>
+.. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+|debops_logo| DebOps Contrib playbooks
+======================================
+
+Ansible playbooks to run `DebOps Contrib <https://github.com/debops-contrib/debops-contrib>`_ roles.
+
+Here are a few services that are available
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+**DNS and Networking**
+
++-------------+----------+------+
+| apt_cacher_ | dnsmasq_ | tor_ |
++-------------+----------+------+
+
+**Fully loaded ready to go applications**
+
++-----------+-----------+----------------+-------+---------------+
+| bitcoind_ | foodsoft_ | homeassistant_ | kodi_ | volkszaehler_ |
++-----------+-----------+----------------+-------+---------------+
+
+**Security**
+
++-----------+
+| Firejail_ |
++-----------+
+
+**Service monitoring and logging**
+
++-------------------+
+| `CheckMK agent`_ |
++-------------------+
+
+**System**
+
++--------+-------+---------------------+
+| BTRFS_ | FUSE_ | `snapshot snapper`_ |
++--------+-------+---------------------+
+
+**Workstations and clients**
+
++----------------+
+| `X2Go Server`_ |
++----------------+
+
+.. |debops_logo| image:: http://debops.org/images/debops-small.png
+
+.. _apt_cacher: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/apt_cacher.yml
+.. _tor: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/tor.yml
+.. _dnsmasq: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/dnsmasq.yml
+
+.. _bitcoind: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/bitcoind.yml
+.. _foodsoft: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/foodsoft.yml
+.. _homeassistant: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/homeassistant.yml
+.. _kodi: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/kodi.yml
+.. _volkszaehler: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/volkszaehler.yml
+
+.. _Firejail: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/firejail.yml
+
+.. _`CheckMK agent`: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/checkmk_agent.yml
+
+.. _BTRFS: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/btrfs.yml
+.. _FUSE: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/fuse.yml
+.. _`snapshot snapper`: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/snapshot_snapper.yml
+
+.. _X2Go Server: https://github.com/debops/debops/tree/master/ansible/debops-contrib-playbooks/service/x2go_server.yml
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/all.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/all.yml
new file mode 100644
index 00000000..0ff9dac9
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/all.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Configure APT Cacher NG with AppArmor
+  import_playbook: apt_cacher_ng.yml
+
+- name: Configure Bitcoin Daemon
+  import_playbook: bitcoind.yml
+
+- name: Configure brtfs filesystem
+  import_playbook: btrfs.yml
+
+- name: Configure DNSmasq with AppArmor
+  import_playbook: dnsmasq.yml
+
+- name: Configure Firejail service
+  import_playbook: firejail.yml
+
+- name: Configure Foodsoft application
+  import_playbook: foodsoft.yml
+
+- name: Configure FUSE service
+  import_playbook: fuse.yml
+
+- name: Configure HomeAssistant
+  import_playbook: homeassistant.yml
+
+- name: Configure Kodi application
+  import_playbook: kodi.yml
+
+- name: Configure snapshot-snapper for btrfs
+  import_playbook: snapshot_snapper.yml
+
+- name: Configure Tor Relay
+  import_playbook: tor.yml
+
+- name: Configure Volkszaehler application
+  import_playbook: volkszaehler.yml
+
+- name: Configure X2Go Server
+  import_playbook: x2go_server.yml
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/apt_cacher_ng.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/apt_cacher_ng.yml
new file mode 100644
index 00000000..3939de87
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/apt_cacher_ng.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## Basically the same playbook as the one in DebOps core with the difference
+## that this playbook also uses the debops-contrib.apparmor role to configure
+## AppArmor.
+- name: Install and manage the caching HTTP proxy Apt-Cacher NG.
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_contrib_service_apt_cacher_ng' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ apt_cacher_ng__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_cacher_ng__apt_preferences__dependent_list }}'
+        - '{{ nginx_apt_preferences_dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apt_cacher_ng__ferm__dependent_rules }}'
+        - '{{ nginx_ferm_dependent_rules }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx_servers:
+        - '{{ apt_cacher_ng__nginx__servers }}'
+      nginx_upstreams:
+        - '{{ apt_cacher_ng__nginx__upstream }}'
+
+    - role: apparmor
+      tags: [ 'role::apparmor' ]
+      apparmor__local_dependent_config: '{{ apt_cacher_ng__apparmor__dependent_config }}'
+      apparmor__tunables_dependent: '{{ apt_cacher_ng__apparmor__tunables_dependent }}'
+
+    - role: apt_cacher_ng
+      tags: [ 'role::apt_cacher_ng' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/bitcoind.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/bitcoind.yml
new file mode 100644
index 00000000..e4b210c9
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/bitcoind.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage bitcoind
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_bitcoind' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ bitcoind__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ bitcoind__ferm__dependent_rules }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::bitcoind' ]
+      keyring__dependent_apt_keys:
+        - '{{ bitcoind__keyring__dependent_apt_keys }}'
+
+    - role: bitcoind
+      tags: [ 'role::bitcoind' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/btrfs.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/btrfs.yml
new file mode 100644
index 00000000..154235de
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/btrfs.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Btrfs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_btrfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: btrfs
+      tags: [ 'role::btrfs' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/dnsmasq.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/dnsmasq.yml
new file mode 100644
index 00000000..84bbd243
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/dnsmasq.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## Basically the same playbook as the one in DebOps core with the difference
+## that this playbook also uses the debops-contrib.apparmor role to configure
+## AppArmor.
+
+- name: Configure dnsmasq
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_contrib_service_dnsmasq' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: apparmor
+      tags: [ 'role::apparmor' ]
+      apparmor__local_dependent_config: '{{ dnsmasq__apparmor__local_dependent_config }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/firejail.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/firejail.yml
new file mode 100644
index 00000000..116f7f72
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/firejail.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and configure Firejail
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_firejail' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: firejail
+      tags: [ 'role::firejail' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft-nginx.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft-nginx.yml
new file mode 100644
index 00000000..c751f075
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft-nginx.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage Foodsoft with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_foodsoft_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ foodsoft__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ foodsoft__mariadb__dependent_users }}'
+      when: (foodsoft__database == 'mariadb')
+
+    - role: ruby
+      tags: [ 'role::ruby' ]
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_servers:
+        - '{{ foodsoft__nginx__dependent_servers }}'
+
+    - role: foodsoft
+      tags: [ 'role::foodsoft' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft.yml
new file mode 100644
index 00000000..a7bbb554
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/foodsoft.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure Foodsoft
+  import_playbook: foodsoft-nginx.yml
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/fuse.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/fuse.yml
new file mode 100644
index 00000000..837ef17f
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/fuse.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure Filesystem in Userspace (FUSE)
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fuse' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fuse
+      tags: [ 'role::fuse' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-nginx.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-nginx.yml
new file mode 100644
index 00000000..ea4a943d
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-nginx.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage Home Assistant with Nginx as reverse proxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_homeassistant_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare homeassistant environment
+      ansible.builtin.import_role:
+        name: 'homeassistant'
+        tasks_from: 'main_env'
+      tags: [ 'role::homeassistant', 'role::nginx' ]
+
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ homeassistant__nginx__dependent_upstreams }}'
+      nginx__dependent_htpasswd:
+        - '{{ homeassistant__nginx__dependent_htpasswd }}'
+      nginx__dependent_servers:
+        - '{{ homeassistant__nginx__dependent_servers }}'
+
+    - role: homeassistant
+      tags: [ 'role::homeassistant' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-plain.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-plain.yml
new file mode 100644
index 00000000..d22f4205
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant-plain.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage Home Assistant
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_homeassistant' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: homeassistant
+      tags: [ 'role::homeassistant' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant.yml
new file mode 100644
index 00000000..fe45ab98
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/homeassistant.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup HomeAssistant as standalone
+  import_playbook: homeassistant-plain.yml
+
+- name: Setup HomeAssistant behind nginx
+  import_playbook: homeassistant-nginx.yml
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/kodi.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/kodi.yml
new file mode 100644
index 00000000..9405da63
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/kodi.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage Kodi
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_kodi' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: kodi
+      tags: [ 'role::kodi' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/snapshot_snapper.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/snapshot_snapper.yml
new file mode 100644
index 00000000..892b2cb0
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/snapshot_snapper.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Configure volume snapshots with snapper
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_snapshot_snapper' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: snapshot_snapper
+      tags: [ 'role::snapshot_snapper' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/tor.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/tor.yml
new file mode 100644
index 00000000..8dbcbf76
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/tor.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Tor relay
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tor' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::tor' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ tor__ferm__dependent_rules }}'
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ tor__unattended_upgrades__dependent_origins }}'
+
+    - role: tor
+      tags: [ 'role::tor' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-apache.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-apache.yml
new file mode 100644
index 00000000..aa53225c
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-apache.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage volkszaehler with Apache as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: apache
+      tags: [ 'role::apache' ]
+      apache__dependent_vhosts:
+        - '{{ volkszaehler__apache__dependent_vhosts }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-nginx.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-nginx.yml
new file mode 100644
index 00000000..017dcf21
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler-nginx.yml
@@ -0,0 +1,69 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage volkszaehler with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ volkszaehler__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ volkszaehler__nginx__dependent_servers }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler.yml
new file mode 100644
index 00000000..d2e56262
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/volkszaehler.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Deploy volkszaehler with Apache
+  import_playbook: volkszaehler-apache.yml
+
+- name: Deploy volkszehler with nginx
+  import_playbook: volkszaehler-nginx.yml
diff --git a/ansible_collections/debops/debops/debops-contrib-playbooks/service/x2go_server.yml b/ansible_collections/debops/debops/debops-contrib-playbooks/service/x2go_server.yml
new file mode 100644
index 00000000..4cf18bec
--- /dev/null
+++ b/ansible_collections/debops/debops/debops-contrib-playbooks/service/x2go_server.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup and manage the server-side of X2Go
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_x2go_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::x2go_server' ]
+      keyring__dependent_apt_keys:
+        - '{{ x2go_server__keyring__dependent_apt_keys }}'
+
+    - role: x2go_server
+      tags: [ 'role::x2go_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/COPYRIGHT b/ansible_collections/debops/debops/playbooks/COPYRIGHT
new file mode 100644
index 00000000..af57ba2d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/COPYRIGHT
@@ -0,0 +1,20 @@
+debops-playbooks - Set of Ansible playbooks for DebOps Project
+
+Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/playbooks/bootstrap-ldap.yml b/ansible_collections/debops/debops/playbooks/bootstrap-ldap.yml
new file mode 100644
index 00000000..3c83eea7
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/bootstrap-ldap.yml
@@ -0,0 +1,202 @@
+---
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap new Debian/Ubuntu host to be used with
+# LDAP environment. It will automatically enable LDAP support and prepare
+# secure access to the LDAP directory, including PAM/NSS and SSH key lookups.
+#
+# The configuration applied by this playbook is minimal, just enough to be able
+# to login via SSH using information gathered from LDAP. You should apply the
+# DebOps 'common.yml' playbook on a host afterwards to complete the initial
+# configuration, for example firewall/TCP Wrappers setup.
+#
+# Note that an alternative is provided by bootstrap-sss which relies on the
+# sssd daemon rather than the nslcd/nscd daemons.
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap-ldap -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap-ldap --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management with LDAP
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Automatically enable LDAP support on new hosts
+    ldap__enabled: True
+
+  pre_tasks:
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nslcd__ldap__dependent_tasks }}'
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+
+    - role: nslcd
+      tags: [ 'role::nslcd', 'skip::nslcd' ]
+      when: (ansible_local.ldap.posix_enabled | d()) | bool
+
+    - role: nscd
+      tags: [ 'role::nscd', 'skip::nscd' ]
+      when: (ansible_local.ldap.posix_enabled | d()) | bool
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ nslcd__nsswitch__dependent_services }}'
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]
diff --git a/ansible_collections/debops/debops/playbooks/bootstrap-sss.yml b/ansible_collections/debops/debops/playbooks/bootstrap-sss.yml
new file mode 100644
index 00000000..b141ec99
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/bootstrap-sss.yml
@@ -0,0 +1,200 @@
+---
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap new Debian/Ubuntu host to be used with
+# LDAP environment. It will automatically enable LDAP support and prepare
+# secure access to the LDAP directory, including PAM/NSS and SSH key lookups.
+#
+# The configuration applied by this playbook is minimal, just enough to be able
+# to login via SSH using information gathered from LDAP. You should apply the
+# DebOps 'common.yml' playbook on a host afterwards to complete the initial
+# configuration, for example firewall/TCP Wrappers setup.
+#
+# Note that this playbook is an alternative to the bootstrap-ldap playbook,
+# which sets up the target system with nslcd/nscd integration, whereas this
+# playbook instead relies on sssd (but should otherwise be identical).
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap-sss -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap-sss --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management with LDAP
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Automatically enable LDAP support on new hosts
+    ldap__enabled: True
+
+  pre_tasks:
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+        - '{{ sssd__ldap__dependent_tasks }}'
+
+    - role: sssd
+      tags: [ 'role::sssd', 'skip::sssd' ]
+      when: ansible_local.ldap.posix_enabled | d() | bool
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ sssd__nsswitch__dependent_services }}'
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]
diff --git a/ansible_collections/debops/debops/playbooks/bootstrap.yml b/ansible_collections/debops/debops/playbooks/bootstrap.yml
new file mode 100644
index 00000000..f831a782
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/bootstrap.yml
@@ -0,0 +1,113 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to bootstrap freshly installed minimal Debian
+# system for Ansible management. The expected state the host:
+#   - host is already configured in Ansible inventory/hosts file;
+#   - local user has prepared SSH key pair in RSA format;
+#   - host has OpenSSH server installed;
+#
+# Modifications that will be made on the host:
+#   - playbook will install Python support with some essential software;
+#   - a system 'admins' group will be created for users who have administrator
+#     privileges (full sudo permissions);
+#   - a system administrator account will be created and added to the 'admins'
+#     group; If you are connecting directly as root, this account will be named
+#     after your local user account, otherwise it will be named after the user
+#     you are connecting as (option `-u` or ansible_ssh_user from some config- or
+#     inventory-file).
+#   - no passwords are set or modified on any account;
+#   - if set, playbook will configure hostname and domain on the host using
+#     'inventory_hostname' and 'netbase__domain' variables;
+#
+# Usage:
+# To connect directly as root, run:
+#
+#     debops bootstrap -u root -k --limit host
+#
+# To connect as normal user and switch to sudo, run:
+#
+#     debops bootstrap --become --limit host
+
+
+- name: Bootstrap Python support on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  strategy: linear
+  gather_facts: False
+  become: True
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw', 'role::python' ]
+
+
+- name: Bootstrap APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: 'service/core.yml'
+
+
+- name: Bootstrap host for Ansible management
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_bootstrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo', 'role::system_groups' ]
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
diff --git a/ansible_collections/debops/debops/playbooks/common.yml b/ansible_collections/debops/debops/playbooks/common.yml
new file mode 100644
index 00000000..dd0bf163
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/common.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This is a stub playbook to allow execution of the common playbook directly,
+# for backwards compatibility.
+- name: Apply common configuration on hosts
+  import_playbook: 'layer/common.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/agent.yml b/ansible_collections/debops/debops/playbooks/layer/agent.yml
new file mode 100644
index 00000000..be6c57b3
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/agent.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Filebeat service
+  import_playbook: '../service/filebeat.yml'
+
+- name: Configure Metricbeat service
+  import_playbook: '../service/metricbeat.yml'
+
+- name: Configure GitLab Runner service
+  import_playbook: '../service/gitlab_runner.yml'
+
+- name: Configure Telegraf service
+  import_playbook: '../service/telegraf.yml'
+
+- name: Configure Zabbix Agent
+  import_playbook: '../service/zabbix_agent.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/app.yml b/ansible_collections/debops/debops/playbooks/layer/app.yml
new file mode 100644
index 00000000..f15eb6ea
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/app.yml
@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure SKS Keyserver service
+  import_playbook: '../service/sks.yml'
+
+- name: Configure iPXE service
+  import_playbook: '../service/ipxe.yml'
+
+- name: Configure backup2l service
+  import_playbook: '../service/backup2l.yml'
+
+- name: Configure rsnapshot service
+  import_playbook: '../service/rsnapshot.yml'
+
+- name: Configure Mailman service
+  import_playbook: '../service/mailman.yml'
+
+- name: Configure Miniflux service
+  import_playbook: '../service/miniflux.yml'
+
+- name: Configure LibreNMS application
+  import_playbook: '../service/librenms.yml'
+
+- name: Configure DokuWiki application
+  import_playbook: '../service/dokuwiki.yml'
+
+- name: Configure NetBox application
+  import_playbook: '../service/netbox.yml'
+
+- name: Configure Etherpad application
+  import_playbook: '../service/etherpad.yml'
+
+- name: Configure Debian Preseed service
+  import_playbook: '../service/preseed.yml'
+
+- name: Configure ownCloud/Nextcloud application
+  import_playbook: '../service/owncloud.yml'
+
+- name: Configure phpMyAdmin application
+  import_playbook: '../service/phpmyadmin.yml'
+
+- name: Configure phpIPAM application
+  import_playbook: '../service/phpipam.yml'
+
+- name: Configure RStudio Server service
+  import_playbook: '../service/rstudio_server.yml'
+
+- name: Configure GitLab Omnibus application
+  import_playbook: '../service/gitlab.yml'
+
+- name: Configure Ansible tool
+  import_playbook: '../service/ansible.yml'
+
+- name: Configure Ansible Controller environment
+  import_playbook: '../service/controller.yml'
+
+- name: Configure Roundcube application
+  import_playbook: '../service/roundcube.yml'
+
+- name: Configure IMAP Proxy service
+  import_playbook: '../service/imapproxy.yml'
+
+- name: Configure Debconf-based application packages
+  import_playbook: '../service/debconf.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/common.yml b/ansible_collections/debops/debops/playbooks/layer/common.yml
new file mode 100644
index 00000000..0f521eee
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/common.yml
@@ -0,0 +1,273 @@
+---
+# Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Security assertions
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'all' ]
+  tags: [ 'play::security-assertions' ]
+  gather_facts: False
+  become: False
+
+  tasks:
+
+    - name: Check for Ansible version without known vulnerabilities
+      ansible.builtin.assert:
+        that:
+          - 'ansible_version.full is version_compare("2.1.5.0", ">=")'
+          - '((ansible_version.minor == 2) and
+              (ansible_version.full is version_compare("2.2.2.0", ">="))) or
+             (ansible_version.minor != 2)'
+        msg: |
+          VULNERABLE or unsupported Ansible version DETECTED, please update to
+          Ansible >= v2.1.5 or a newer Ansible release >= v2.2.2! To skip, add
+          "--skip-tags play::security-assertions" parameter. Check the
+          debops-playbook changelog for details. Exiting.
+      run_once: True
+      delegate_to: 'localhost'
+
+- name: Prepare APT configuration on a host
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', '!debops_no_common' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
+
+
+- name: Apply core configuration
+  import_playbook: '../service/core.yml'
+
+
+- name: Common configuration for all hosts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', '!debops_no_common' ]
+  gather_facts: True
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare nullmailer environment
+      ansible.builtin.import_role:
+        name: 'nullmailer'
+        tasks_from: 'main_env'
+      tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: debops_fact
+      tags: [ 'role::debops_fact', 'skip::debops_fact' ]
+
+    - role: environment
+      tags: [ 'role::environment', 'skip::environment' ]
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+        - '{{ apt_install__apt_preferences__dependent_list }}'
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: tzdata
+      tags: [ 'role::tzdata', 'skip::tzdata' ]
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
+
+    - role: lldpd
+      tags: [ 'role::lldpd', 'skip::lldpd' ]
+
+    # LDAP client initialization should be done separately to prepare local
+    # facts for other roles to use in configuration.
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nullmailer__ldap__dependent_tasks }}'
+        - '{{ sudo__ldap__dependent_tasks }}'
+        - '{{ sshd__ldap__dependent_tasks }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    # The 'sudo' APT package modifies '/etc/nsswitch.conf' by itself, running
+    # this role after 'debops.sudo' role skips additional changes done in the
+    # configuration later on.
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+
+    - role: root_account
+      tags: [ 'role::root_account', 'skip::root_account' ]
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: apt_listchanges
+      tags: [ 'role::apt_listchanges', 'skip::apt_listchanges' ]
+
+    - role: apt_install
+      tags: [ 'role::apt_install', 'skip::apt_install' ]
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ resolved__etc_services__dependent_list }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ rsyslog__logrotate__dependent_config }}'
+
+    - role: auth
+      tags: [ 'role::auth', 'skip::auth' ]
+
+    - role: users
+      tags: [ 'role::users', 'skip::users' ]
+
+    - role: mount
+      tags: [ 'role::mount', 'skip::mount' ]
+
+    - role: resources
+      tags: [ 'role::resources', 'skip::resources' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nullmailer__ferm__dependent_rules }}'
+        - '{{ rsyslog__ferm__dependent_rules }}'
+        - '{{ sshd__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers_dependent_allow:
+        - '{{ nullmailer__tcpwrappers__dependent_allow }}'
+        - '{{ sshd__tcpwrappers__dependent_allow }}'
+
+    - role: locales
+      tags: [ 'role::locales', 'skip::locales' ]
+
+    - role: proc_hidepid
+      tags: [ 'role::proc_hidepid', 'skip::proc_hidepid' ]
+
+    - role: console
+      tags: [ 'role::console', 'skip::console' ]
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+
+    - role: nullmailer
+      tags: [ 'role::nullmailer', 'skip::nullmailer' ]
+
+    - role: systemd
+      tags: [ 'role::systemd', 'skip::systemd' ]
+
+    - role: timesyncd
+      tags: [ 'role::timesyncd', 'skip::timesyncd' ]
+
+    - role: journald
+      tags: [ 'role::journald', 'skip::journald' ]
+
+    - role: rsyslog
+      tags: [ 'role::rsyslog', 'skip::rsyslog' ]
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+
+    - role: authorized_keys
+      tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]
+
+    - role: apt_mark
+      tags: [ 'role::apt_mark', 'skip::apt_mark' ]
diff --git a/ansible_collections/debops/debops/playbooks/layer/env.yml b/ansible_collections/debops/debops/playbooks/layer/env.yml
new file mode 100644
index 00000000..56136000
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/env.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage NodeJS environment
+  import_playbook: '../service/nodejs.yml'
+
+- name: Manage Ruby environment
+  import_playbook: '../service/ruby.yml'
+
+- name: Manage Go language environment
+  import_playbook: '../service/golang.yml'
+
+- name: Manage Java environment
+  import_playbook: '../service/java.yml'
+
+- name: Manage CRAN APT repositories
+  import_playbook: '../service/cran.yml'
+
+- name: Manage PHP environment
+  import_playbook: '../service/php.yml'
+
+- name: Manage fcgiwrap service
+  import_playbook: '../service/fcgiwrap.yml'
+
+- name: Manage WordPress CLI tool
+  import_playbook: '../service/wpcli.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/hw.yml b/ansible_collections/debops/debops/playbooks/layer/hw.yml
new file mode 100644
index 00000000..f4cd66bd
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/hw.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Hardware RAID monitoring
+  import_playbook: '../service/hwraid.yml'
+
+- name: Configure GRUB bootloader
+  import_playbook: '../service/grub.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/net.yml b/ansible_collections/debops/debops/playbooks/layer/net.yml
new file mode 100644
index 00000000..23e0a5a0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/net.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure network interfaces via networkd
+  import_playbook: '../service/networkd.yml'
+
+- name: Configure network interfaces via ifupdown
+  import_playbook: '../service/ifupdown.yml'
+
+- name: Configure IPv6 Router Advertisement daemon
+  import_playbook: '../service/radvd.yml'
+
+- name: Configure ISC DHCP daemon
+  import_playbook: '../service/dhcpd.yml'
+
+- name: Configure NTP service
+  import_playbook: '../service/ntp.yml'
+
+- name: Configure unbound service
+  import_playbook: '../service/unbound.yml'
+
+- name: Configure DNSmasq service
+  import_playbook: '../service/dnsmasq.yml'
+
+- name: Configure Tinc VPN service
+  import_playbook: '../service/tinc.yml'
+
+- name: Configure ISC DHCP Relay service
+  import_playbook: '../service/dhcrelay.yml'
+
+- name: Configure DHCP Probe service
+  import_playbook: '../service/dhcp_probe.yml'
+
+- name: Configure SSL Tunnel service
+  import_playbook: '../service/stunnel.yml'
+
+- name: Configure keepalived service
+  import_playbook: '../service/keepalived.yml'
+
+- name: Configure Avahi service
+  import_playbook: '../service/avahi.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/srv.yml b/ansible_collections/debops/debops/playbooks/layer/srv.yml
new file mode 100644
index 00000000..8d649ffb
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/srv.yml
@@ -0,0 +1,175 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure /etc/aliases database
+  import_playbook: '../service/etc_aliases.yml'
+
+- name: Configure etesync service
+  import_playbook: '../service/etesync.yml'
+
+- name: Install HashiCorp applications
+  import_playbook: '../service/hashicorp.yml'
+
+- name: Configure APT-Cacher-NG service
+  import_playbook: '../service/apt_cacher_ng.yml'
+
+- name: Configure APT mirror service
+  import_playbook: '../service/apt_mirror.yml'
+
+- name: Configure docker-gen service
+  import_playbook: '../service/docker_gen.yml'
+
+- name: Configure gunicorn service
+  import_playbook: '../service/gunicorn.yml'
+
+- name: Configure Postfix SMTP server
+  import_playbook: '../service/postfix.yml'
+
+- name: Configure saslauthd service
+  import_playbook: '../service/saslauthd.yml'
+
+- name: Configure Dovecot IMAP/POP3 server
+  import_playbook: '../service/dovecot.yml'
+
+- name: Configure postscreen Postfix service
+  import_playbook: '../service/postscreen.yml'
+
+- name: Configure Postwhite Postfix service
+  import_playbook: '../service/postwhite.yml'
+
+- name: Manage Postfix service configuration
+  import_playbook: '../service/postconf.yml'
+
+- name: Configure Postfix LDAP support
+  import_playbook: '../service/postldap.yml'
+
+- name: Configure OpenDKIM service
+  import_playbook: '../service/opendkim.yml'
+
+- name: Configure Apache webserver
+  import_playbook: '../service/apache.yml'
+
+- name: Configure nginx webserver
+  import_playbook: '../service/nginx.yml'
+
+- name: Configure Mosquitto service
+  import_playbook: '../service/mosquitto.yml'
+
+- name: Configure SNMP daemon
+  import_playbook: '../service/snmpd.yml'
+
+- name: Configure Monit service
+  import_playbook: '../service/monit.yml'
+
+- name: Configure TFTP daemon
+  import_playbook: '../service/tftpd.yml'
+
+- name: Configure Samba service
+  import_playbook: '../service/samba.yml'
+
+- name: Configure TGT, userspace iSCSI client
+  import_playbook: '../service/tgt.yml'
+
+- name: Configure MariaDB/MySQL database
+  import_playbook: '../service/mariadb_server.yml'
+
+- name: Configure MariaDB/MySQL client
+  import_playbook: '../service/mariadb.yml'
+
+- name: Configure PostgreSQL service
+  import_playbook: '../service/postgresql_server.yml'
+
+- name: Configure PostgreSQL client
+  import_playbook: '../service/postgresql.yml'
+
+- name: Configure Elastic APT repositories
+  import_playbook: '../service/elastic_co.yml'
+
+- name: Configure Elasticsearch database
+  import_playbook: '../service/elasticsearch.yml'
+
+- name: Configure Kibana service
+  import_playbook: '../service/kibana.yml'
+
+- name: Configure InfluxData APT repositories
+  import_playbook: '../service/influxdata.yml'
+
+- name: Configure InfluxDB database
+  import_playbook: '../service/influxdb_server.yml'
+
+- name: Configure InfluxDB client
+  import_playbook: '../service/influxdb.yml'
+
+- name: Configure Icinga 2 service
+  import_playbook: '../service/icinga.yml'
+
+- name: Configure Icinga 2 database
+  import_playbook: '../service/icinga_db.yml'
+
+- name: Configure Icinga 2 Web frontend
+  import_playbook: '../service/icinga_web.yml'
+
+- name: Configure RabbitMQ service
+  import_playbook: '../service/rabbitmq_server.yml'
+
+- name: Configure RabbitMQ management webconsole
+  import_playbook: '../service/rabbitmq_management.yml'
+
+- name: Configure memcached service
+  import_playbook: '../service/memcached.yml'
+
+- name: Configure Redis database
+  import_playbook: '../service/redis_server.yml'
+
+- name: Configure Redis Sentinel service
+  import_playbook: '../service/redis_sentinel.yml'
+
+- name: Configure MinIO service
+  import_playbook: '../service/minio.yml'
+
+- name: Configure MinIO Client
+  import_playbook: '../service/mcli.yml'
+
+- name: Configure Docker Registry service
+  import_playbook: '../service/docker_registry.yml'
+
+- name: Configure reprepro APT repository
+  import_playbook: '../service/reprepro.yml'
+
+- name: Configure SMS Gateway service
+  import_playbook: '../service/smstools.yml'
+
+- name: Install Salt Master service
+  import_playbook: '../service/salt.yml'
+
+- name: Configure Fail2ban service
+  import_playbook: '../service/fail2ban.yml'
+
+- name: Configure Prosody XMPP server
+  import_playbook: '../service/prosody.yml'
+
+- name: Configure FreeRADIUS service
+  import_playbook: '../service/freeradius.yml'
+
+- name: Configure Tinyproxy service
+  import_playbook: '../service/tinyproxy.yml'
+
+- name: Configure libuser library
+  import_playbook: '../service/libuser.yml'
+
+- name: Configure MiniDLNA service
+  import_playbook: '../service/minidlna.yml'
+
+- name: Configure PowerDNS service
+  import_playbook: '../service/pdns.yml'
+
+- name: Configure BIND DNS server
+  import_playbook: '../service/bind.yml'
+
+- name: Configure rspamd service
+  import_playbook: '../service/rspamd.yml'
+
+- name: Configure OpenSearch database
+  import_playbook: '../service/opensearch.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/sys.yml b/ansible_collections/debops/debops/playbooks/layer/sys.yml
new file mode 100644
index 00000000..b96a780f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/sys.yml
@@ -0,0 +1,64 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure mount points
+  import_playbook: '../service/mount.yml'
+
+- name: Configure network information database
+  import_playbook: '../service/netbase.yml'
+
+- name: Configure sysnews service
+  import_playbook: '../service/sysnews.yml'
+
+- name: Configure kernel modules
+  import_playbook: '../service/kmod.yml'
+
+- name: Configure sysfs attributes
+  import_playbook: '../service/sysfs.yml'
+
+- name: Configure swap files
+  import_playbook: '../service/swapfile.yml'
+
+- name: Configure LVM subsystem
+  import_playbook: '../service/lvm.yml'
+
+- name: Configure NFS server service
+  import_playbook: '../service/nfs_server.yml'
+
+- name: Configure NFS client service
+  import_playbook: '../service/nfs.yml'
+
+- name: Configure gitusers environment
+  import_playbook: '../service/gitusers.yml'
+
+- name: Configure OpenLDAP service
+  import_playbook: '../service/slapd.yml'
+
+- name: Configure nslcd service
+  import_playbook: '../service/nslcd.yml'
+
+- name: Configure nscd service
+  import_playbook: '../service/nscd.yml'
+
+- name: Configure sssd service
+  import_playbook: '../service/sssd.yml'
+
+- name: Configure iSCSI devices
+  import_playbook: '../service/iscsi.yml'
+
+- name: Configure cryptsetup subsystem
+  import_playbook: '../service/cryptsetup.yml'
+
+- name: Configure QubesOS persistent paths
+  import_playbook: '../service/persistent_paths.yml'
+
+- name: Configure external APT repositories
+  import_playbook: '../service/extrepo.yml'
+
+- name: Configure NeuroDebian APT repository
+  import_playbook: '../service/neurodebian.yml'
+
+- name: Configure dropbear SSH server in initramfs
+  import_playbook: '../service/dropbear_initramfs.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/systemd.yml b/ansible_collections/debops/debops/playbooks/layer/systemd.yml
new file mode 100644
index 00000000..a7ce6265
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/systemd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure system and service manager
+  import_playbook: '../service/systemd.yml'
+
+- name: Configure system journal and log service
+  import_playbook: '../service/journald.yml'
+
+- name: Configure network manager service
+  import_playbook: '../service/networkd.yml'
+
+- name: Configure time synchronization service
+  import_playbook: '../service/timesyncd.yml'
+
+- name: Configure system resolver
+  import_playbook: '../service/resolved.yml'
diff --git a/ansible_collections/debops/debops/playbooks/layer/virt.yml b/ansible_collections/debops/debops/playbooks/layer/virt.yml
new file mode 100644
index 00000000..33e63b8c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/layer/virt.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure LXC service
+  import_playbook: '../service/lxc.yml'
+
+- name: Configure LXD service
+  import_playbook: '../service/lxd.yml'
+
+- name: Configure Docker Engine service
+  import_playbook: '../service/docker_server.yml'
+
+- name: Configure libvirt daemon service
+  import_playbook: '../service/libvirtd.yml'
+
+- name: Configure libvirt qemu support
+  import_playbook: '../service/libvirtd_qemu.yml'
+
+- name: Configure libvirt client environment
+  import_playbook: '../service/libvirt.yml'
diff --git a/ansible_collections/debops/debops/playbooks/ldap/get-uuid.yml b/ansible_collections/debops/debops/playbooks/ldap/get-uuid.yml
new file mode 100644
index 00000000..b3321e8b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/ldap/get-uuid.yml
@@ -0,0 +1,75 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# DebOps uses the "to_uuid" Ansible filter to convert LDAP Distinguished Names
+# to UUID strings that are safe to use in shell and store in the filesystem.
+# This playbook can be used to convert Distinguished Names to UUID strings to
+# help locate specific data about a particular Distinguished Name, for example
+# a password stored in the 'secret/ldap/credentials/' directory or in the
+# 'pass' database.
+#
+# To use this playbook, it is best to apply it against a specific host that is
+# configured to use LDAP via the 'ldap' Ansible role. If that's not the case,
+# the playbook will still work, however the resulting UUIDs might not be
+# correct.
+#
+# Remember to specify Distinguished Name attributes separated by commas,
+# without spaces between them. For example, don't use:
+#
+#     uid=user, ou=People, dc=example, dc=org
+#
+# Specify the DN as:
+#
+#     uid=user,ou=People,dc=example,dc=org
+#
+# Usage: debops ldap/get-uuid -l ldap-host
+
+
+- name: Convert LDAP Distinguished Name to UUID
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'all' ]
+  serial: '1'
+  gather_subset: [ '!all' ]
+
+  vars:
+
+    # LDAP base Distinguished Name
+    ldap_base_dn: '{{ ansible_local.ldap.base_dn
+                      if (ansible_local.ldap.base_dn | d())
+                      else (ansible_domain.split(".")
+                            | map("regex_replace", "^(.*)$", "dc=\1")
+                            | list) }}'
+
+    # Relative Distinguished Name of the LDAP object that contains the personal
+    # user accounts
+    ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+    # Relative Distinguished Name of an user account to convert to an UUID
+    person_rdn: 'uid={{ person_uid.user_input }}'
+
+    # Distinguished Name of an LDAP object to convert to an UUID
+    object_dn: '{{ (([ person_rdn, ldap_people_rdn ] + ldap_base_dn) | join(","))
+                   if person_uid.user_input | d()
+                   else object_dn_string.user_input }}'
+
+  tasks:
+
+    - name: Get the UUID of an user account based on uid
+      ansible.builtin.pause:
+        prompt: 'uid (case-sensitive)'
+      register: person_uid
+
+    - name: Get the UUID of a Distinguished Name
+      ansible.builtin.pause:
+        prompt: 'dn (case-sensitive)'
+      register: object_dn_string
+      when: not person_uid.user_input | d()
+
+    - name: LDAP object information
+      ansible.builtin.debug:
+        msg: '{{ {"DN:": object_dn,
+                  "UUID:": (object_dn | to_uuid)} }}'
+      when: object_dn | d()
diff --git a/ansible_collections/debops/debops/playbooks/ldap/init-directory.yml b/ansible_collections/debops/debops/playbooks/ldap/init-directory.yml
new file mode 100644
index 00000000..0ce9622f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/ldap/init-directory.yml
@@ -0,0 +1,155 @@
+---
+# Copyright (C) 2019-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Initialize new LDAP directory
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_slapd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars_prompt:
+
+    - name: 'admin_input_plaintext_password'
+      prompt: 'New password for your LDAP user account (enter=random)'
+      default: ''
+      private: True
+
+    - name: 'admin_use_password_store'
+      default: 'yes'
+      prompt: 'Use Password Store? (default=yes)'
+
+  vars:
+
+    # Username of the current Ansible user on the Ansible Controller
+    admin_user: '{{ lookup("env", "USER") }}'
+
+    # Information from the 'passwd' database for the current user on the
+    # Ansible Controller
+    admin_gecos: '{{ getent_passwd[admin_user][3] | d() }}'
+
+    # SSH public keys in the 'ssh-agent'
+    admin_sshkeys: '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || true").split("\n") }}'
+
+    # Plaintext administrator password. If no password has been provided,
+    # a random password will be generated and stored either in a file or
+    # in the Password Store on the Ansible Controller. If a password has
+    # been provided and the Password Store is not used, the password will
+    # not be stored.
+    admin_plaintext_password: '{{ admin_input_plaintext_password
+                                  if admin_input_plaintext_password | d()
+                                  else (lookup("password", "/dev/null length=32")
+                                        if admin_use_password_store | d(True) | bool
+                                        else
+                                        lookup("password",
+                                               secret + "/ldap/credentials/"
+                                               + admin_dn | to_uuid
+                                               + ".password length=32")) }}'
+
+    # This variable is used to store the administrator password in the Password
+    # Store on the Ansible Controller, if requested
+    admin_saved_password: '{{ lookup("passwordstore",
+                                     ldap__admin_passwordstore_path
+                                     + "/" + admin_dn | to_uuid
+                                     + " create=true overwrite=true userpass="
+                                     + admin_plaintext_password) }}'
+
+    # The Relative Distinguished Name of the administrator account in the LDAP
+    # directory
+    admin_rdn: 'uid={{ admin_user }}'
+
+    # The Distinguished Name of the administrator account
+    admin_dn: '{{ ([ admin_rdn, ldap__people_rdn ] + ldap__base_dn) | join(",") }}'
+
+    # Override the check if the LDAP support is enabled on the host, we don't
+    # care at this point
+    ldap__enabled: True
+
+    # Override the check if the LDAP support is configured on the host, we
+    # don't care at this point
+    ldap__configured: True
+
+    # Run the 'ldap' role in dependent mode; don't configure anything related
+    # to LDAP on the host itself, perform only LDAP tasks
+    ldap__dependent_play: True
+
+    # Override the list of LDAP servers detected automatically by the role
+    ldap__servers: [ '{{ ansible_fqdn }}' ]
+
+    # Use the RootDN credential to access the LDAP directory directly via the
+    # superuser account
+    ldap__admin_binddn: '{{ ([ "cn=admin" ] + ldap__base_dn) | join(",") }}'
+
+    # Use the RootPW credential generated by the 'debops.slapd' role to
+    # authenticate to the LDAP directory
+    ldap__admin_bindpw: '{{ lookup("password", secret + "/slapd/credentials/"
+                                   + ldap__admin_binddn | to_uuid
+                                   + ".password").split()[0] }}'
+
+    ldap__dependent_tasks:
+
+      - name: 'Create personal account for {{ admin_user }}'
+        dn: '{{ [ admin_rdn, ldap__people_rdn ] + ldap__base_dn }}'
+        objectClass: [ 'inetOrgPerson', 'posixAccount', 'shadowAccount',
+                       'posixGroup', 'posixGroupId', 'ldapPublicKey',
+                       'authorizedServiceObject', 'hostObject' ]
+        attributes:
+
+          # inetOrgPerson attributes
+          commonName:   '{{ admin_gecos.split(",")[0] if admin_gecos | d() else (admin_user | capitalize) }}'
+          givenName:    '{{ (admin_gecos.split(",")[0].split()[0]) if (admin_gecos | d() and " " in admin_gecos) else (admin_user | capitalize) }}'
+          surname:      '{{ (admin_gecos.split(",")[0].split()[1]) if (admin_gecos | d() and " " in admin_gecos) else "AdminUser" }}'
+          userPassword: '{{ admin_plaintext_password }}'
+
+          # POSIX attributes
+          uid:           '{{ admin_rdn.split("=")[1] }}'
+          gid:           '{{ admin_rdn.split("=")[1] }}'
+          uidNumber:     '{{ ldap__groupid_max | int + 1 }}'
+          gidNumber:     '{{ ldap__groupid_max | int + 1 }}'
+          homeDirectory: '{{ ldap__home + "/" + admin_user }}'
+          loginShell:    '{{ ldap__shell }}'
+
+          # Other attributes
+          authorizedService: 'all'
+          host: 'posix:all'
+          sshPublicKey: '{{ admin_sshkeys }}'
+
+      - name: 'Add admin account to cn=LDAP Administrator role'
+        dn: '{{ [ "cn=LDAP Administrator", ldap__roles_rdn ] + ldap__base_dn }}'
+        attributes:
+          roleOccupant: '{{ admin_dn }}'
+
+      - name: 'Add admin account to cn=UNIX Administrators group'
+        dn: '{{ [ "cn=UNIX Administrators", ldap__groups_rdn ] + ldap__base_dn }}'
+        attributes:
+          member: '{{ admin_dn }}'
+          owner: '{{ admin_dn }}'
+
+  pre_tasks:
+
+    - name: Check local user information
+      ansible.builtin.getent:
+        database: 'passwd'
+        key: '{{ admin_user }}'
+      delegate_to: 'localhost'
+      become: False
+      failed_when: False
+
+    - name: Save admin credential in the password store
+      ansible.builtin.set_fact:
+        admin_stored_password: '{{ admin_saved_password }}'
+      when: admin_use_password_store | d(True) | bool
+      no_log: '{{ debops__no_log | d(True) }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  roles:
+
+    - role: 'ldap'
+      tags: [ 'role::ldap', 'skip::ldap' ]
diff --git a/ansible_collections/debops/debops/playbooks/ldap/save-credential.yml b/ansible_collections/debops/debops/playbooks/ldap/save-credential.yml
new file mode 100644
index 00000000..6d3ec664
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/ldap/save-credential.yml
@@ -0,0 +1,116 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This playbook can be used to save the LDAP password in the password store
+# (encrypted with user's GPG key). The password can then be used later by the
+# 'ldap' role to perform LDAP tasks on behalf of the user.
+#
+# Check the documentation of the 'ldap' Ansible role for more details.
+
+- name: Save personal credential in the password store
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_slapd' ]
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    # Don't make any changes related to LDAP on the host against which this
+    # playbook is executed. The playbook relies on the role default variables
+    # (or their inventory overrides) to find the full DN of the user account.
+    ldap__enabled: False
+
+    # The username of the credential owner
+    person_rdn: 'uid={{ person_uid.user_input }}'
+
+    # The LDAP Distinguished Name of the credential owner
+    person_dn: '{{ object_dn.user_input
+                   if object_dn.user_input | d()
+                   else ((([ person_rdn, ldap__people_rdn ] + ldap__base_dn) | join(","))
+                         if person_uid.user_input | d()
+                         else "") }}'
+
+    # This variable defines the lookup plugin command that will be executed by
+    # the 'set_fact' task later on to trigger the 'passwordstore' lookup plugin
+    # to save the new password given by the user.
+    person_store_password: '{{ lookup("passwordstore", ldap__admin_passwordstore_path
+                                      + "/" + (person_dn | to_uuid)
+                                      + " create=true overwrite=true userpass="
+                                      + person_password) }}'
+
+  pre_tasks:
+
+    - name: 'Specify username'
+      ansible.builtin.pause:
+        prompt: 'LDAP username (uid=%s,{{ ([ldap__people_rdn] + ldap__base_dn) | join(",") }})'
+      register: person_uid
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: 'Username not provided, specify DN'
+      ansible.builtin.pause:
+        prompt: 'LDAP Distinguished Name'
+      register: object_dn
+      when: person_uid is undefined or not person_uid.user_input | d()
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Make sure that we have a Distinguished Name
+      ansible.builtin.assert:
+        that:
+          - person_dn | d()
+        fail_msg: 'No Distinguished Name provided, aborting'
+        success_msg: 'dn: {{ person_dn }} | UUID: {{ person_dn | to_uuid }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: 'Specify password'
+      ansible.builtin.pause:
+        prompt: 'LDAP password [random]'
+        echo: False
+      register: person_plaintext_password
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Generate random password if not specified
+      ansible.builtin.set_fact:
+        person_password: '{{ person_plaintext_password.user_input
+                             if person_plaintext_password.user_input | d()
+                             else lookup("password", "/dev/null length=42") }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+    - name: Save credential in the password store
+      ansible.builtin.set_fact:
+        person_saved_password: '{{ person_store_password }}'
+      no_log: '{{ debops__no_log | d(True) }}'
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  post_tasks:
+
+    - name: Display randomly generated password
+      ansible.builtin.debug:
+        msg: '{{ {"Distinguished Name": person_dn,
+                  "UUID": (person_dn | to_uuid),
+                  "Stored password": person_password} }}'
+      when: not person_plaintext_password.user_input | d()
+      delegate_to: 'localhost'
+      become: False
+      run_once: True
+
+  roles:
+
+    - role: 'ldap'
+      tags: [ 'role::ldap', 'skip::ldap' ]
diff --git a/ansible_collections/debops/debops/playbooks/reboot.yml b/ansible_collections/debops/debops/playbooks/reboot.yml
new file mode 100644
index 00000000..777c06d3
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/reboot.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2020 Nicolas Quiniou-Briand <nqb@azyx.fr>
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This playbook will reboot all DebOps hosts (use with caution)
+# if required, or if forced.
+
+- name: Reboot DebOps hosts
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+
+  gather_facts: False
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: reboot
+      tags: [ 'role::reboot', 'skip::reboot' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ansible.yml b/ansible_collections/debops/debops/playbooks/service/ansible.yml
new file mode 100644
index 00000000..7c1c2fb0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ansible.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and configure Ansible
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ansible' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::ansible' ]
+      keyring__dependent_apt_keys:
+        - '{{ ansible__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ ansible__apt_preferences__dependent_list }}'
+
+    - role: ansible
+      tags: [ 'role::ansible', 'skip::ansible' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apache.yml b/ansible_collections/debops/debops/playbooks/service/apache.yml
new file mode 100644
index 00000000..4095e1e6
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apache.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage and configure the Apache HTTP Server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: apache
+      tags: [ 'role::apache', 'skip::apache' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apparmor.yml b/ansible_collections/debops/debops/playbooks/service/apparmor.yml
new file mode 100644
index 00000000..2c347ebc
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apparmor.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and configure AppArmor
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apparmor' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apparmor
+      tags: [ 'role::apparmor', 'skip::apparmor' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt.yml b/ansible_collections/debops/debops/playbooks/service/apt.yml
new file mode 100644
index 00000000..cb072afd
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Advanced Package Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_cacher_ng.yml b/ansible_collections/debops/debops/playbooks/service/apt_cacher_ng.yml
new file mode 100644
index 00000000..8745106f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_cacher_ng.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage the caching HTTP proxy Apt-Cacher NG.
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apt_cacher_ng' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ apt_cacher_ng__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_cacher_ng__apt_preferences__dependent_list }}'
+        - '{{ nginx_apt_preferences_dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apt_cacher_ng__ferm__dependent_rules }}'
+        - '{{ nginx_ferm_dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx_servers:
+        - '{{ apt_cacher_ng__nginx__servers }}'
+      nginx_upstreams:
+        - '{{ apt_cacher_ng__nginx__upstream }}'
+
+    - role: apt_cacher_ng
+      tags: [ 'role::apt_cacher_ng', 'skip::apt_cacher_ng' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_install.yml b/ansible_collections/debops/debops/playbooks/service/apt_install.yml
new file mode 100644
index 00000000..64b5b535
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_install.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install APT packages
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_install' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ apt_install__apt_preferences__dependent_list }}'
+
+    - role: apt_install
+      tags: [ 'role::apt_install', 'skip::apt_install' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_listchanges.yml b/ansible_collections/debops/debops/playbooks/service/apt_listchanges.yml
new file mode 100644
index 00000000..a5fd70fb
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_listchanges.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure apt-listchanges
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_listchanges' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_listchanges
+      tags: [ 'role::apt_listchanges', 'skip::apt_listchanges' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_mark.yml b/ansible_collections/debops/debops/playbooks/service/apt_mark.yml
new file mode 100644
index 00000000..01fb355b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_mark.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Mark APT package state
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_mark' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_mark
+      tags: [ 'role::apt_mark', 'skip::apt_mark' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_mirror.yml b/ansible_collections/debops/debops/playbooks/service/apt_mirror.yml
new file mode 100644
index 00000000..b5338936
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_mirror.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure APT mirroring service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_apt_mirror' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ apt_mirror__nginx__dependent_servers }}'
+
+    - role: apt_mirror
+      tags: [ 'role::apt_mirror', 'skip::apt_mirror' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_preferences.yml b/ansible_collections/debops/debops/playbooks/service/apt_preferences.yml
new file mode 100644
index 00000000..3e04a521
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_preferences.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage APT preferences
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_preferences' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/apt_proxy.yml b/ansible_collections/debops/debops/playbooks/service/apt_proxy.yml
new file mode 100644
index 00000000..929ac0f1
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/apt_proxy.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure APT proxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_apt_proxy' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_proxy
+      tags: [ 'role::apt_proxy', 'skip::apt_proxy' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/atd.yml b/ansible_collections/debops/debops/playbooks/service/atd.yml
new file mode 100644
index 00000000..be777dfe
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/atd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage at service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_atd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: atd
+      tags: [ 'role::atd', 'skip::atd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/auth.yml b/ansible_collections/debops/debops/playbooks/service/auth.yml
new file mode 100644
index 00000000..a04c71f5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/auth.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage authentication and authorization
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_auth' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: auth
+      tags: [ 'role::auth', 'skip::auth' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/authorized_keys.yml b/ansible_collections/debops/debops/playbooks/service/authorized_keys.yml
new file mode 100644
index 00000000..168078cc
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/authorized_keys.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage SSH public keys
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_authorized_keys' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: authorized_keys
+      tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/avahi.yml b/ansible_collections/debops/debops/playbooks/service/avahi.yml
new file mode 100644
index 00000000..7844690c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/avahi.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Avahi service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_avahi' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::avahi' ]
+      python__dependent_packages3:
+        - '{{ avahi__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ avahi__python__dependent_packages2 }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ avahi__ferm__dependent_rules }}'
+
+    - role: avahi
+      tags: [ 'role::avahi', 'skip::avahi' ]
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/backup2l.yml b/ansible_collections/debops/debops/playbooks/service/backup2l.yml
new file mode 100644
index 00000000..263c99fb
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/backup2l.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure backup2l service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_backup2l' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: backup2l
+      tags: [ 'role::backup2l', 'skip::backup2l' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/bind.yml b/ansible_collections/debops/debops/playbooks/service/bind.yml
new file mode 100644
index 00000000..d8d37318
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/bind.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage BIND servers
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_bind' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences',
+              'role::nginx' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ bind__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm', 'role::nginx' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+        - '{{ bind__ferm__dependent_rules }}'
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'bind'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ slapd__logrotate__dependent_config }}'
+      when:
+        - '"dnssec" in bind__features'
+        - bind__dnssec_script_enabled | d(False)
+
+    - role: bind
+      tags: [ 'role::bind', 'skip::bind' ]
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ bind__nginx__dependent_servers }}'
+      # Run the role even if it is not being used by any
+      # BIND features so that the BIND-specific server can be disabled,
+      # if appropriate.
+      when: ansible_local.nginx.enabled | d(False) or
+            bind__features | intersect([ "doh_proxy", "stats_proxy" ]) | length > 0
diff --git a/ansible_collections/debops/debops/playbooks/service/boxbackup.yml b/ansible_collections/debops/debops/playbooks/service/boxbackup.yml
new file mode 100644
index 00000000..796b1940
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/boxbackup.yml
@@ -0,0 +1,136 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage BoxBackup service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_boxbackup' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: pki
+      when: boxbackup_server is defined and boxbackup_server == ansible_fqdn
+
+      pki_private_groups_present: [ 'bbstored' ]
+
+      pki_realms:
+
+        - source: 'boxbackup-{{ boxbackup_server }}-server'
+          destination: 'boxbackup-server'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          private_group: 'bbstored'
+          default: '{{ ansible_fqdn }}'
+          default_ca: 'CA/boxbackup-{{ boxbackup_server }}-client-CA.crt'
+          default_crl: 'revoked/boxbackup-{{ boxbackup_server }}-client-CA.crl'
+          ca: [ 'boxbackup-{{ boxbackup_server }}-client' ]
+
+      pki_authorities:
+
+        - name: 'root/boxbackup-{{ boxbackup_server }}-server'
+          grants: 'server'
+          filename: 'boxbackup-{{ boxbackup_server }}-server-CA'
+          policy: 'custom'
+          default_dn: False
+          cn: 'Backup system server root'
+          lock: False
+
+        - name: 'root/boxbackup-{{ boxbackup_server }}-client'
+          grants: 'client'
+          filename: 'boxbackup-{{ boxbackup_server }}-client-CA'
+          policy: 'custom'
+          default_dn: False
+          cn: 'Backup system client root'
+          lock: False
+
+      pki_routes:
+
+        - name: 'boxbackup-{{ boxbackup_server }}-client-ca'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/CA'
+          readlink: 'CA.crt'
+
+        - name: 'boxbackup-{{ boxbackup_server }}-client-crl'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/revoked'
+          readlink: 'default.crl'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-cert'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server/certs'
+          realm: 'boxbackup-{{ boxbackup_server }}-server/certs'
+          file: '{{ ansible_fqdn }}.crt'
+
+      pki_certificates:
+
+        - source: 'boxbackup-{{ boxbackup_server }}-server'
+          destination: 'boxbackup-server'
+          default_dn: False
+          cn: '{{ ansible_fqdn }}'
+
+    - role: pki
+      when: boxbackup_server is defined and boxbackup_server != ansible_fqdn
+
+      pki_realms:
+
+        - source: 'boxbackup-{{ ansible_fqdn }}-client'
+          destination: 'boxbackup-client'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client'
+          private_group: 'root'
+          default: '{{ ansible_fqdn + "-" + boxbackup_account }}'
+          default_ca: 'CA/boxbackup-{{ boxbackup_server }}-server-CA.crt'
+          default_crl: 'revoked/boxbackup-{{ boxbackup_server }}-server-CA.crl'
+          ca: [ 'boxbackup-{{ boxbackup_server }}-server' ]
+
+      pki_routes:
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-ca'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/CA'
+          readlink: 'CA.crt'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-server-crl'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-server'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/revoked'
+          readlink: 'default.crl'
+
+        - name: 'boxbackup-{{ ansible_fqdn }}-client-cert'
+          authority: 'root/boxbackup-{{ boxbackup_server }}-client/certs'
+          realm: 'boxbackup-{{ ansible_fqdn }}-client/certs'
+          file: '{{ ansible_fqdn + "-" + boxbackup_account }}.crt'
+
+      pki_authorities: []
+
+      pki_certificates:
+        - source: 'boxbackup-{{ ansible_fqdn }}-client'
+          destination: 'boxbackup-client'
+          default_dn: False
+          filename: '{{ ansible_fqdn + "-" + boxbackup_account }}'
+          cn: 'BACKUP-{{ boxbackup_account }}'
+
+    - role: etc_services
+      etc_services_dependency_list:
+
+        - name: 'boxbackup'
+          protocols: [ 'tcp' ]
+          port: '2201'
+          comment: 'BoxBackup server'
+
+    - role: ferm
+      when: boxbackup_server is defined and boxbackup_server == ansible_fqdn
+      ferm_input_list:
+
+        - type: 'dport_accept'
+          dport: [ 'boxbackup' ]
+          saddr: '{{ boxbackup_allow }}'
+          accept_any: True
+          filename: 'boxbackup_dependency_accept'
+          weight: '20'
+
+    - role: boxbackup
+      tags: [ 'role::boxbackup', 'skip::boxbackup' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/console.yml b/ansible_collections/debops/debops/playbooks/service/console.yml
new file mode 100644
index 00000000..66aae7ac
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/console.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage console configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_console' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: console
+      tags: [ 'role::console', 'skip::console' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/controller.yml b/ansible_collections/debops/debops/playbooks/service/controller.yml
new file mode 100644
index 00000000..c6908036
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/controller.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare host to be used as Ansible Controller
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_controller' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::ansible' ]
+      keyring__dependent_apt_keys:
+        - '{{ ansible__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ ansible__apt_preferences__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::controller' ]
+      python__dependent_packages3:
+        - '{{ controller__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ controller__python__dependent_packages2 }}'
+
+    - role: ansible
+      tags: [ 'role::ansible', 'skip::ansible' ]
+
+    - role: controller
+      tags: [ 'role::controller', 'skip::controller' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/core.yml b/ansible_collections/debops/debops/playbooks/service/core.yml
new file mode 100644
index 00000000..45b56dad
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/core.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare core environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_core',
+           'debops_service_bootstrap' ]
+  become: False
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: core
+      tags: [ 'role::core', 'skip::core' ]
+      become: True
diff --git a/ansible_collections/debops/debops/playbooks/service/cran.yml b/ansible_collections/debops/debops/playbooks/service/cran.yml
new file mode 100644
index 00000000..07fee0f2
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/cran.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage the Comprehensive R Archive Network packages
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cran' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::cran' ]
+      keyring__dependent_apt_keys:
+        - '{{ cran__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ cran__apt_preferences__dependent_list }}'
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
+      java__install_jdk: True
+      when: cran__java_integration | bool
+
+    - role: cran
+      tags: [ 'role::cran', 'skip::cran' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/cron.yml b/ansible_collections/debops/debops/playbooks/service/cron.yml
new file mode 100644
index 00000000..1e5e34b0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/cron.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage cron jobs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_cron' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/cryptsetup-persistent_paths.yml b/ansible_collections/debops/debops/playbooks/service/cryptsetup-persistent_paths.yml
new file mode 100644
index 00000000..52bdc158
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/cryptsetup-persistent_paths.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage encrypted filesystems and ensure persistence
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cryptsetup_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cryptsetup
+      tags: [ 'role::cryptsetup', 'skip::cryptsetup' ]
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
+      persistent_paths__dependent_paths: '{{ cryptsetup__persistent_paths__dependent_paths }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/cryptsetup-plain.yml b/ansible_collections/debops/debops/playbooks/service/cryptsetup-plain.yml
new file mode 100644
index 00000000..a716a72e
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/cryptsetup-plain.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage encrypted filesystems
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_cryptsetup' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cryptsetup
+      tags: [ 'role::cryptsetup', 'skip::cryptsetup' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/cryptsetup.yml b/ansible_collections/debops/debops/playbooks/service/cryptsetup.yml
new file mode 100644
index 00000000..009ae33d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/cryptsetup.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular cryptsetup installation
+  import_playbook: 'cryptsetup-plain.yml'
+
+- name: Manage cryptsetup on QbesOS
+  import_playbook: 'cryptsetup-persistent_paths.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/debconf.yml b/ansible_collections/debops/debops/playbooks/service/debconf.yml
new file mode 100644
index 00000000..77f4db60
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/debconf.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage debconf-based services
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_debconf' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debconf
+      tags: [ 'role::debconf', 'skip::debconf' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/debops_fact.yml b/ansible_collections/debops/debops/playbooks/service/debops_fact.yml
new file mode 100644
index 00000000..1ed70d72
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/debops_fact.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Ansible local facts for other roles
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_debops_fact' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debops_fact
+      tags: [ 'role::debops_fact', 'skip::debops_fact' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/debops_legacy.yml b/ansible_collections/debops/debops/playbooks/service/debops_legacy.yml
new file mode 100644
index 00000000..c2e09850
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/debops_legacy.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Clean up legacy configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: debops_legacy
+      tags: [ 'role::debops_legacy', 'skip::debops_legacy' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dhcp_probe.yml b/ansible_collections/debops/debops/playbooks/service/dhcp_probe.yml
new file mode 100644
index 00000000..7c579d2c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dhcp_probe.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage dhcp_probe service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcp_probe' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dhcp_probe
+      tags: [ 'role::dhcp_probe', 'skip::dhcp_probe' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dhcpd.yml b/ansible_collections/debops/debops/playbooks/service/dhcpd.yml
new file mode 100644
index 00000000..cf5bdf97
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dhcpd.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2014-2018, 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage ISC DHCP server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcpd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ dhcpd__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dhcpd__ferm__dependent_rules }}'
+
+    - role: dhcpd
+      tags: [ 'role::dhcpd', 'skip::dhcpd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dhcrelay.yml b/ansible_collections/debops/debops/playbooks/service/dhcrelay.yml
new file mode 100644
index 00000000..1493e70f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dhcrelay.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage ISC DHCP relay
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dhcrelay' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dhcrelay
+      tags: [ 'role::dhcrelay', 'skip::dhcrelay' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dhparam.yml b/ansible_collections/debops/debops/playbooks/service/dhparam.yml
new file mode 100644
index 00000000..c84b534b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dhparam.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Diffie-Hellman parameters
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_dhparam' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: dhparam
+      tags: [ 'role::dhparam', 'skip::dhparam' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dnsmasq-persistent_paths.yml b/ansible_collections/debops/debops/playbooks/service/dnsmasq-persistent_paths.yml
new file mode 100644
index 00000000..a0f5900f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dnsmasq-persistent_paths.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure dnsmasq and ensure persistence
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dnsmasq_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'dnsmasq'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
+      persistent_paths__dependent_paths: '{{ dnsmasq__persistent_paths__dependent_paths }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/dnsmasq-plain.yml b/ansible_collections/debops/debops/playbooks/service/dnsmasq-plain.yml
new file mode 100644
index 00000000..6ed084ad
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dnsmasq-plain.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure dnsmasq
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dnsmasq' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      ansible.builtin.import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'dnsmasq'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dnsmasq__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ dnsmasq__env_tcpwrappers__dependent_allow }}'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dnsmasq.yml b/ansible_collections/debops/debops/playbooks/service/dnsmasq.yml
new file mode 100644
index 00000000..79875c69
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dnsmasq.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular dnsmasq installation
+  import_playbook: 'dnsmasq-plain.yml'
+
+- name: Manage dnsmasq installation on QbesOS
+  import_playbook: 'dnsmasq-persistent_paths.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/docker_gen.yml b/ansible_collections/debops/debops/playbooks/service/docker_gen.yml
new file mode 100644
index 00000000..bf051569
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/docker_gen.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage docker-gen service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_gen' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: docker_gen
+      tags: [ 'role::docker_gen', 'skip::docker_gen' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/docker_registry.yml b/ansible_collections/debops/debops/playbooks/service/docker_registry.yml
new file mode 100644
index 00000000..04f1ede2
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/docker_registry.yml
@@ -0,0 +1,77 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Docker Registry
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_registry' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nginx', 'role::docker_registry' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_keys:
+        - '{{ docker_registry__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list | d([]) }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ docker_registry__etc_services__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::docker_registry' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ docker_registry__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ docker_registry__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_maps:
+        - '{{ docker_registry__nginx__dependent_maps }}'
+      nginx__dependent_upstreams:
+        - '{{ docker_registry__nginx__dependent_upstreams }}'
+      nginx__dependent_htpasswd:
+        - '{{ docker_registry__nginx__dependent_htpasswd }}'
+      nginx__dependent_servers:
+        - '{{ docker_registry__nginx__dependent_servers }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      when: docker_registry__upstream | bool
+
+    - role: docker_registry
+      tags: [ 'role::docker_registry', 'skip::docker_registry' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/docker_server.yml b/ansible_collections/debops/debops/playbooks/service/docker_server.yml
new file mode 100644
index 00000000..9fbb7cbf
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/docker_server.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Docker server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_docker_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo' ]
+      extrepo__dependent_sources:
+        - '{{ docker_server__extrepo__dependent_sources }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services', 'role::ferm' ]
+      etc_services__dependent_list:
+        - '{{ docker_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ docker_server__ferm__dependent_rules }}'
+
+    - role: docker_server
+      tags: [ 'role::docker_server', 'skip::docker_server' ]
+
+    - role: systemd
+      tags: [ 'role::systemd', 'skip::systemd' ]
+      systemd__dependent_units:
+        - '{{ docker_server__systemd__dependent_units }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/dokuwiki.yml b/ansible_collections/debops/debops/playbooks/service/dokuwiki.yml
new file mode 100644
index 00000000..691ee49c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dokuwiki.yml
@@ -0,0 +1,83 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage DokuWiki
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dokuwiki' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::nginx' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ dokuwiki__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ dokuwiki__php__dependent_pools }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ dokuwiki__ldap__dependent_tasks }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ dokuwiki__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ dokuwiki__nginx__dependent_servers }}'
+
+    - role: dokuwiki
+      tags: [ 'role::dokuwiki', 'skip::dokuwiki' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dovecot.yml b/ansible_collections/debops/debops/playbooks/service/dovecot.yml
new file mode 100644
index 00000000..ac6856d5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dovecot.yml
@@ -0,0 +1,77 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Dovecot service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dovecot' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare dovecot environment
+      ansible.builtin.import_role:
+        name: 'dovecot'
+        tasks_from: 'main_env'
+      tags: [ 'role::dovecot', 'role::secret', 'role::ferm' ]
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'dovecot'
+            config: '{{ dovecot__postfix__dependent_maincf }}'
+        postfix__dependent_mastercf:
+          - role: 'dovecot'
+            config: '{{ dovecot__postfix__dependent_mastercf }}'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ dovecot__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ dovecot__ferm__dependent_rules }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'dovecot'
+          config: '{{ dovecot__postfix__dependent_maincf }}'
+      postfix__dependent_mastercf:
+        - role: 'dovecot'
+          config: '{{ dovecot__postfix__dependent_mastercf }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ dovecot__ldap__dependent_tasks }}'
+
+    - role: dovecot
+      tags: [ 'role::dovecot', 'skip::dovecot' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/dropbear_initramfs.yml b/ansible_collections/debops/debops/playbooks/service/dropbear_initramfs.yml
new file mode 100644
index 00000000..e80e4a5f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/dropbear_initramfs.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Setup the dropbear ssh server in initramfs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_dropbear_initramfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: dropbear_initramfs
+      tags: [ 'role::dropbear_initramfs', 'skip::dropbear_initramfs' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/elastic_co.yml b/ansible_collections/debops/debops/playbooks/service/elastic_co.yml
new file mode 100644
index 00000000..55491838
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/elastic_co.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Elastic APT repositories
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_elastic_co' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::elastic_co' ]
+      keyring__dependent_apt_keys:
+        - '{{ elastic_co__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ elastic_co__apt_preferences__dependent_list }}'
+
+    - role: elastic_co
+      tags: [ 'role::elastic_co', 'skip::elastic_co' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/elasticsearch.yml b/ansible_collections/debops/debops/playbooks/service/elasticsearch.yml
new file mode 100644
index 00000000..bf3733f9
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/elasticsearch.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Elasticsearch cluster
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_elasticsearch',
+           'debops_service_elasticsearch_master',
+           'debops_service_elasticsearch_data',
+           'debops_service_elasticsearch_ingest',
+           'debops_service_elasticsearch_lb' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare elasticsearch environment
+      ansible.builtin.import_role:
+        name: 'elasticsearch'
+        tasks_from: 'main_env'
+      tags: [ 'role::elasticsearch', 'role::secret', 'role::elasticsearch:config' ]
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo', 'role::elasticsearch' ]
+      extrepo__dependent_sources:
+        - '{{ elasticsearch__extrepo__dependent_sources }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::elasticsearch', 'role::elasticsearch:config' ]
+      secret__directories:
+        - '{{ elasticsearch__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ elasticsearch__etc_services__dependent_list }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ elasticsearch__sysctl__dependent_parameters }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ elasticsearch__ferm__dependent_rules }}'
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
+
+    - role: elasticsearch
+      tags: [ 'role::elasticsearch', 'skip::elasticsearch' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/environment.yml b/ansible_collections/debops/debops/playbooks/service/environment.yml
new file mode 100644
index 00000000..4a36674c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/environment.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage system environment variables
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_environment' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: environment
+      tags: [ 'role::environment', 'skip::environment' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/etc_aliases.yml b/ansible_collections/debops/debops/playbooks/service/etc_aliases.yml
new file mode 100644
index 00000000..0dcebdaf
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/etc_aliases.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage /etc/aliases database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etc_aliases' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare etc_aliases environment
+      ansible.builtin.import_role:
+        name: 'etc_aliases'
+        tasks_from: 'main_env'
+      tags: [ 'role::etc_aliases', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::etc_aliases' ]
+      secret__directories:
+        - '{{ etc_aliases__secret__directories }}'
+
+    - role: etc_aliases
+      tags: [ 'role::etc_aliases', 'skip::etc_aliases' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/etc_services.yml b/ansible_collections/debops/debops/playbooks/service/etc_services.yml
new file mode 100644
index 00000000..68ab9a75
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/etc_services.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage /etc/services database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_etc_services' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/etckeeper.yml b/ansible_collections/debops/debops/playbooks/service/etckeeper.yml
new file mode 100644
index 00000000..0af564d3
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/etckeeper.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Put /etc under version control using etckeeper
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_etckeeper' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ etckeeper__apt_preferences__dependent_list }}'
+
+    - role: etckeeper
+      tags: [ 'role::etckeeper', 'skip::etckeeper' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/etesync.yml b/ansible_collections/debops/debops/playbooks/service/etesync.yml
new file mode 100644
index 00000000..41c4a598
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/etesync.yml
@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Deploy and manage the EteSync server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etesync' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nginx', 'role::etesync' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_keys:
+        - '{{ etesync__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ gunicorn__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::gunicorn', 'role::etesync' ]
+      python__dependent_packages3:
+        - '{{ gunicorn__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ etesync__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ gunicorn__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: gunicorn
+      tags: [ 'role::gunicorn', 'skip::gunicorn' ]
+      gunicorn__dependent_applications:
+        - '{{ etesync__gunicorn__dependent_applications }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ etesync__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ etesync__nginx__dependent_servers }}'
+
+    - role: etesync
+      tags: [ 'role::etesync', 'skip::etesync' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/etherpad.yml b/ansible_collections/debops/debops/playbooks/service/etherpad.yml
new file mode 100644
index 00000000..140a1a53
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/etherpad.yml
@@ -0,0 +1,91 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Etherpad service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_etherpad' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::nodejs', 'role::mariadb', 'role::postgresql', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nodejs__keyring__dependent_apt_keys }}'
+        - '{{ mariadb__keyring__dependent_apt_keys if (etherpad__database == "mysql") else [] }}'
+        - '{{ postgresql__keyring__dependent_apt_keys if (etherpad__database == "postgresql") else [] }}'
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ etherpad__etc_services__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ etherpad__logrotate__dependent_config }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ nodejs__apt_preferences__dependent_list }}'
+
+    - role: nodejs
+      tags: [ 'role::nodejs', 'skip::nodejs' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ postgresql__python__dependent_packages3 if etherpad__database == "postgres" else [] }}'
+        - '{{ mariadb__python__dependent_packages3 if etherpad__database == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ postgresql__python__dependent_packages2 if etherpad__database == "postgres" else [] }}'
+        - '{{ mariadb__python__dependent_packages2 if etherpad__database == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users:
+        - '{{ etherpad__mariadb__dependent_users }}'
+      mariadb__dependent_databases:
+        - '{{ etherpad__mariadb__dependent_databases }}'
+      when: etherpad__database == 'mysql'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ etherpad__postgresql__dependent_roles }}'
+      postgresql__dependent_databases:
+        - '{{ etherpad__postgresql__dependent_databases }}'
+      when: etherpad__database == 'postgres'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ etherpad__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ etherpad__nginx__dependent_upstreams }}'
+
+    - role: etherpad
+      tags: [ 'role::etherpad', 'skip::etherpad' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/extrepo.yml b/ansible_collections/debops/debops/playbooks/service/extrepo.yml
new file mode 100644
index 00000000..c0071136
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/extrepo.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage external APT sources
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_extrepo' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/fail2ban.yml b/ansible_collections/debops/debops/playbooks/service/fail2ban.yml
new file mode 100644
index 00000000..1094db45
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/fail2ban.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage fail2ban service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fail2ban' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fail2ban
+      tags: [ 'role::fail2ban', 'skip::fail2ban' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/fcgiwrap.yml b/ansible_collections/debops/debops/playbooks/service/fcgiwrap.yml
new file mode 100644
index 00000000..c2c3deec
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/fcgiwrap.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage fcgiwrap instances
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fcgiwrap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fcgiwrap
+      tags: [ 'role::fcgiwrap', 'skip::fcgiwrap' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ferm.yml b/ansible_collections/debops/debops/playbooks/service/ferm.yml
new file mode 100644
index 00000000..c681cfd9
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ferm.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage firewall using ferm
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_ferm' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/fhs.yml b/ansible_collections/debops/debops/playbooks/service/fhs.yml
new file mode 100644
index 00000000..43a47c02
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/fhs.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure base directory hierarchy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_fhs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fhs
+      tags: [ 'role::fhs', 'skip::fhs' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/filebeat.yml b/ansible_collections/debops/debops/playbooks/service/filebeat.yml
new file mode 100644
index 00000000..b832702a
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/filebeat.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Filebeat service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_filebeat' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo', 'role::filebeat' ]
+      extrepo__dependent_sources:
+        - '{{ filebeat__extrepo__dependent_sources }}'
+
+    - role: filebeat
+      tags: [ 'role::filebeat', 'skip::filebeat' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/freeradius.yml b/ansible_collections/debops/debops/playbooks/service/freeradius.yml
new file mode 100644
index 00000000..05b53dcd
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/freeradius.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage FreeRADIUS service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_freeradius' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ freeradius__ferm__dependent_rules }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ freeradius__logrotate__dependent_config }}'
+
+    - role: freeradius
+      tags: [ 'role::freeradius', 'skip::freeradius' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/gitlab.yml b/ansible_collections/debops/debops/playbooks/service/gitlab.yml
new file mode 100644
index 00000000..f31e2495
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/gitlab.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+
+- name: Manage GitLab Omnibus service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_gitlab' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring' ]
+      keyring__dependent_apt_keys:
+        - '{{ gitlab__keyring__dependent_apt_keys }}'
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo' ]
+      extrepo__dependent_sources:
+        - '{{ gitlab__extrepo__dependent_sources }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ gitlab__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ gitlab__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ gitlab__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ gitlab__ldap__dependent_tasks }}'
+
+    - role: gitlab
+      tags: [ 'role::gitlab', 'skip::gitlab' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/gitlab_runner.yml b/ansible_collections/debops/debops/playbooks/service/gitlab_runner.yml
new file mode 100644
index 00000000..f7118aa0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/gitlab_runner.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage GitLab Runner service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_gitlab_runner' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::gitlab_runner' ]
+      keyring__dependent_apt_keys:
+        - '{{ gitlab_runner__keyring__dependent_apt_keys }}'
+
+    - role: gitlab_runner
+      tags: [ 'role::gitlab_runner', 'skip::gitlab_runner' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/gitusers.yml b/ansible_collections/debops/debops/playbooks/service/gitusers.yml
new file mode 100644
index 00000000..ccf13e08
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/gitusers.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage users with git-shell accounts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_gitusers' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
+
+    - role: gitusers
+      tags: [ 'role::gitusers', 'skip::gitusers' ]
+
+    - role: authorized_keys
+      tags: [ 'role::authorized_keys', 'skip::authorized_keys' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/golang.yml b/ansible_collections/debops/debops/playbooks/service/golang.yml
new file mode 100644
index 00000000..1ac23742
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/golang.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Go environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_golang' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
+      keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ golang__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/grub.yml b/ansible_collections/debops/debops/playbooks/service/grub.yml
new file mode 100644
index 00000000..84602e86
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/grub.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure GRUB
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_grub' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: grub
+      tags: [ 'role::grub', 'skip::grub' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/gunicorn.yml b/ansible_collections/debops/debops/playbooks/service/gunicorn.yml
new file mode 100644
index 00000000..2375bdfb
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/gunicorn.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Green Unicorn service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_gunicorn' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ gunicorn__logrotate__dependent_config }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::gunicorn' ]
+      python__dependent_packages3:
+        - '{{ gunicorn__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ gunicorn__python__dependent_packages2 }}'
+
+    - role: gunicorn
+      tags: [ 'role::gunicorn', 'skip::gunicorn' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/hashicorp.yml b/ansible_collections/debops/debops/playbooks/service/hashicorp.yml
new file mode 100644
index 00000000..dc415de8
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/hashicorp.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install HashiCorp applications
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_hashicorp' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::hashicorp' ]
+      keyring__dependent_gpg_keys:
+        - '{{ hashicorp__keyring__dependent_gpg_keys }}'
+
+    - role: hashicorp
+      tags: [ 'role::hashicorp', 'skip::hashicorp' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/hwraid.yml b/ansible_collections/debops/debops/playbooks/service/hwraid.yml
new file mode 100644
index 00000000..503ef6f6
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/hwraid.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure HWRaid support
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_hwraid' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::hwraid' ]
+      keyring__dependent_apt_keys:
+        - '{{ hwraid__keyring__dependent_apt_keys }}'
+
+    - role: hwraid
+      tags: [ 'role::hwraid', 'skip::hwraid' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/icinga.yml b/ansible_collections/debops/debops/playbooks/service/icinga.yml
new file mode 100644
index 00000000..df5f59a4
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/icinga.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Icinga service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_icinga' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare icinga environment
+      ansible.builtin.import_role:
+        name: 'icinga'
+        tasks_from: 'main_env'
+      tags: [ 'role::icinga', 'role::secret' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::icinga' ]
+      keyring__dependent_apt_keys:
+        - '{{ icinga__keyring__dependent_apt_keys }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::icinga' ]
+      secret__directories:
+        - '{{ icinga__secret__directories | d([]) }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ icinga__etc_services__dependent_list }}'
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ icinga__unattended_upgrades__dependent_origins }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ icinga__ferm__dependent_rules }}'
+
+    - role: icinga
+      tags: [ 'role::icinga', 'skip::icinga' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/icinga_db.yml b/ansible_collections/debops/debops/playbooks/service/icinga_db.yml
new file mode 100644
index 00000000..28346c2f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/icinga_db.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+# Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Icinga database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_icinga_db' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_databases: '{{ icinga_db__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ icinga_db__mariadb__dependent_users }}'
+      when: icinga_db__type == 'mariadb'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles: '{{ icinga_db__postgresql__dependent_roles }}'
+      postgresql__dependent_databases: '{{ icinga_db__postgresql__dependent_databases }}'
+      when: icinga_db__type == 'postgresql'
+
+    - role: icinga_db
+      tags: [ 'role::icinga_db', 'skip::icinga_db' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/icinga_web.yml b/ansible_collections/debops/debops/playbooks/service/icinga_web.yml
new file mode 100644
index 00000000..5228bb1a
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/icinga_web.yml
@@ -0,0 +1,118 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Icinga Web service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_icinga_web' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+          - '{{ postgresql__keyring__dependent_apt_keys if (icinga_web__database_type == "postgresql") else [] }}'
+          - '{{ mariadb__keyring__dependent_apt_keys
+                if (icinga_web__database_type == "mariadb" or icinga_web__x509_enabled)
+                else [] }}'
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::php', 'role::nginx', 'role::postgresql', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ icinga_web__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ postgresql__python__dependent_packages3 if icinga_web__database_type == "postgresql" else [] }}'
+        - '{{ mariadb__python__dependent_packages3
+              if (icinga_web__database_type == "mariadb" or icinga_web__x509_enabled)
+              else [] }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ postgresql__python__dependent_packages2 if icinga_web__database_type == "postgresql" else [] }}'
+        - '{{ mariadb__python__dependent_packages2
+              if (icinga_web__database_type == "mariadb" or icinga_web__x509_enabled)
+              else [] }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ icinga_web__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ icinga_web__php__dependent_pools }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ icinga_web__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ icinga_web__nginx__dependent_upstreams }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ icinga_web__ldap__dependent_tasks }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ icinga_web__postgresql__dependent_roles }}'
+      postgresql__dependent_groups:
+        - '{{ icinga_web__postgresql__dependent_groups }}'
+      postgresql__dependent_databases:
+        - '{{ icinga_web__postgresql__dependent_databases }}'
+      postgresql__dependent_privileges:
+        - '{{ icinga_web__postgresql__dependent_privileges }}'
+      postgresql__dependent_extensions:
+        - '{{ icinga_web__postgresql__dependent_extensions }}'
+      when: icinga_web__database_type == 'postgresql'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_databases:
+        - '{{ icinga_web__mariadb__dependent_databases }}'
+      mariadb__dependent_users:
+        - '{{ icinga_web__mariadb__dependent_users }}'
+      when: icinga_web__database_type == 'mariadb' or
+            icinga_web__x509_enabled | bool
+
+    - role: icinga_web
+      tags: [ 'role::icinga_web', 'skip::icinga_web' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ifupdown.yml b/ansible_collections/debops/debops/playbooks/service/ifupdown.yml
new file mode 100644
index 00000000..44482b54
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ifupdown.yml
@@ -0,0 +1,54 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage network configuration using ifupdown
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ifupdown' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare ifupdown environment
+      ansible.builtin.import_role:
+        name: 'ifupdown'
+        tasks_from: 'main_env'
+      tags: [ 'role::ifupdown', 'role::kmod', 'role::ferm', 'role::sysctl' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__enabled: True
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::kmod' ]
+      python__dependent_packages3:
+        - '{{ kmod__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ kmod__python__dependent_packages2 }}'
+
+    - role: kmod
+      tags: [ 'role::kmod', 'skip::kmod' ]
+      kmod__dependent_load:
+        - '{{ ifupdown__env_kmod__dependent_load }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ ifupdown__env_ferm__dependent_rules }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ ifupdown__env_sysctl__dependent_parameters }}'
+
+    - role: ifupdown
+      tags: [ 'role::ifupdown', 'skip::ifupdown' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/imapproxy.yml b/ansible_collections/debops/debops/playbooks/service/imapproxy.yml
new file mode 100644
index 00000000..e965079d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/imapproxy.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage imapproxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_imapproxy' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ imapproxy__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ imapproxy__ferm__dependent_rules }}'
+
+    - role: imapproxy
+      tags: [ 'role::imapproxy', 'skip::imapproxy' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/influxdata.yml b/ansible_collections/debops/debops/playbooks/service/influxdata.yml
new file mode 100644
index 00000000..344b3235
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/influxdata.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage InfluxData APT repositories
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_influxdata' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::influxdata' ]
+      keyring__dependent_apt_keys:
+        - '{{ influxdata__keyring__dependent_apt_keys }}'
+
+    - role: influxdata
+      tags: [ 'role::influxdata', 'skip::influxdata' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/influxdb.yml b/ansible_collections/debops/debops/playbooks/service/influxdb.yml
new file mode 100644
index 00000000..a12c027b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/influxdb.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage InfluxDB client
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_influxdb' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::influxdb' ]
+      python__dependent_packages3:
+        - '{{ influxdb__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ influxdb__python__dependent_packages2 }}'
+
+    - role: influxdb
+      tags: [ 'role::influxdb', 'skip::influxdb' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/influxdb_server.yml b/ansible_collections/debops/debops/playbooks/service/influxdb_server.yml
new file mode 100644
index 00000000..3c4c4b56
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/influxdb_server.yml
@@ -0,0 +1,48 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage InfluxDB server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_influxdb_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::influxdata' ]
+      keyring__dependent_apt_keys:
+        - '{{ influxdata__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ influxdb_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ influxdb_server__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::influxdb_server' ]
+      python__dependent_packages3:
+        - '{{ influxdb_server__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ influxdb_server__python__dependent_packages2 }}'
+
+    - role: influxdata
+      tags: [ 'role::influxdata', 'skip::influxdata' ]
+      influxdata__dependent_packages:
+        - '{{ influxdb_server__influxdata__dependent_packages }}'
+
+    - role: influxdb_server
+      tags: [ 'role::influxdb_server', 'skip::influxdb_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ipxe.yml b/ansible_collections/debops/debops/playbooks/service/ipxe.yml
new file mode 100644
index 00000000..809c8f01
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ipxe.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage iPXE configuration files
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ipxe' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ipxe
+      tags: [ 'role::ipxe', 'skip::ipxe' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/iscsi.yml b/ansible_collections/debops/debops/playbooks/service/iscsi.yml
new file mode 100644
index 00000000..30769ecc
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/iscsi.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure iSCSI Initiator
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_iscsi' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+      unattended_upgrades__dependent_blacklist: '{{ iscsi__unattended_upgrades__dependent_blacklist }}'
+
+    - role: lvm
+      tags: [ 'role::lvm', 'skip::lvm' ]
+
+    - role: iscsi
+      tags: [ 'role::iscsi', 'skip::iscsi' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/java.yml b/ansible_collections/debops/debops/playbooks/service/java.yml
new file mode 100644
index 00000000..44168b8a
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/java.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Java environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_java' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/journald.yml b/ansible_collections/debops/debops/playbooks/service/journald.yml
new file mode 100644
index 00000000..0811762e
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/journald.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage systemd journal service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_journald' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: journald
+      tags: [ 'role::journald', 'skip::journald' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/keepalived.yml b/ansible_collections/debops/debops/playbooks/service/keepalived.yml
new file mode 100644
index 00000000..aaacf3c5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/keepalived.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Advanced Package Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_keepalived' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ keepalived__sysctl__dependent_parameters }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ keepalived__ferm__dependent_rules }}'
+
+    - role: keepalived
+      tags: [ 'role::keepalived', 'skip::keepalived' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/keyring.yml b/ansible_collections/debops/debops/playbooks/service/keyring.yml
new file mode 100644
index 00000000..1a6728f8
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/keyring.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage APT and GPG keyrings
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_keyring' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/kibana.yml b/ansible_collections/debops/debops/playbooks/service/kibana.yml
new file mode 100644
index 00000000..73355413
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/kibana.yml
@@ -0,0 +1,71 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Kibana service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_kibana' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare kibana environment
+      ansible.builtin.import_role:
+        name: 'kibana'
+        tasks_from: 'main_env'
+      tags: [ 'role::kibana', 'role::secret', 'role::kibana:config' ]
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo', 'role::kibana' ]
+      extrepo__dependent_sources:
+        - '{{ kibana__extrepo__dependent_sources }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx', 'role::elastic_co' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::kibana', 'role::kibana:config' ]
+      secret__directories:
+        - '{{ kibana__secret__directories }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ kibana__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ kibana__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ kibana__nginx__dependent_upstreams }}'
+
+    - role: kibana
+      tags: [ 'role::kibana', 'skip::kibana' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/kmod.yml b/ansible_collections/debops/debops/playbooks/service/kmod.yml
new file mode 100644
index 00000000..297e3723
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/kmod.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage kernel modules
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_kmod' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::kmod' ]
+      python__dependent_packages3:
+        - '{{ kmod__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ kmod__python__dependent_packages2 }}'
+
+    - role: kmod
+      tags: [ 'role::kmod', 'skip::kmod' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ldap.yml b/ansible_collections/debops/debops/playbooks/service/ldap.yml
new file mode 100644
index 00000000..95a98283
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ldap.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage LDAP basic configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_ldap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/librenms.yml b/ansible_collections/debops/debops/playbooks/service/librenms.yml
new file mode 100644
index 00000000..77d75fad
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/librenms.yml
@@ -0,0 +1,87 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage LibreNMS service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_librenms' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+          - '{{ mariadb__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::nginx', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+        - '{{ librenms__logrotate__dependent_config }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
+      python__dependent_packages3:
+        - '{{ librenms__python__dependent_packages3 }}'
+        - '{{ mariadb__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ librenms__python__dependent_packages2 }}'
+        - '{{ mariadb__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ librenms__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ librenms__php__dependent_pools }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ librenms__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ librenms__nginx__dependent_upstreams }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users:
+        - '{{ librenms__mariadb__dependent_users }}'
+
+    - role: librenms
+      tags: [ 'role::librenms', 'skip::librenms' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/libuser.yml b/ansible_collections/debops/debops/playbooks/service/libuser.yml
new file mode 100644
index 00000000..790e86a6
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/libuser.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local users and groups
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_libuser' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/libvirt.yml b/ansible_collections/debops/debops/playbooks/service/libvirt.yml
new file mode 100644
index 00000000..59293c84
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/libvirt.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage libvirt hosts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_libvirt' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ libvirt__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ libvirt__python__dependent_packages2 }}'
+
+    - role: libvirt
+      tags: [ 'role::libvirt', 'skip::libvirt' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/libvirtd.yml b/ansible_collections/debops/debops/playbooks/service/libvirtd.yml
new file mode 100644
index 00000000..9024dfde
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/libvirtd.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage libvirtd
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_libvirtd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ libvirtd__nsswitch__dependent_services }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ libvirtd__ferm__dependent_rules }}'
+        - '{{ libvirtd_qemu__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ libvirtd__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ libvirtd__python__dependent_packages2 }}'
+
+    - role: libvirtd
+      tags: [ 'role::libvirtd', 'skip::libvirtd' ]
+
+    - role: libvirtd_qemu
+      tags: [ 'role::libvirtd_qemu', 'skip::libvirtd_qemu', 'role::libvirtd', 'skip::libvirtd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/libvirtd_qemu.yml b/ansible_collections/debops/debops/playbooks/service/libvirtd_qemu.yml
new file mode 100644
index 00000000..2c5e2fb2
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/libvirtd_qemu.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage libvirtd QEMU configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_libvirtd_qemu' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ libvirtd_qemu__ferm__dependent_rules }}'
+
+    - role: libvirtd_qemu
+      tags: [ 'role::libvirtd_qemu', 'skip::libvirtd_qemu' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/lldpd.yml b/ansible_collections/debops/debops/playbooks/service/lldpd.yml
new file mode 100644
index 00000000..907ee53f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/lldpd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage LLDP service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_lldpd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: lldpd
+      tags: [ 'role::lldpd', 'skip::lldpd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/locales.yml b/ansible_collections/debops/debops/playbooks/service/locales.yml
new file mode 100644
index 00000000..d755e99f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/locales.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure localization and internationalization
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_locales' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: locales
+      tags: [ 'role::locales', 'skip::locales' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/logrotate.yml b/ansible_collections/debops/debops/playbooks/service/logrotate.yml
new file mode 100644
index 00000000..34888324
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/logrotate.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage log rotation configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_logrotate' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/lvm.yml b/ansible_collections/debops/debops/playbooks/service/lvm.yml
new file mode 100644
index 00000000..f84081a4
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/lvm.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Logical Volume Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_lvm' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: lvm
+      tags: [ 'role::lvm', 'skip::lvm' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/lxc.yml b/ansible_collections/debops/debops/playbooks/service/lxc.yml
new file mode 100644
index 00000000..17fc2760
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/lxc.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage LXC hosts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_lxc' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: root_account
+      tags: [ 'role::root_account', 'skip::root_account' ]
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ lxc__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ lxc__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::lxc' ]
+      python__dependent_packages3:
+        - '{{ lxc__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ lxc__python__dependent_packages2 }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ lxc__sysctl__dependent_parameters }}'
+
+    - role: lxc
+      tags: [ 'role::lxc', 'skip::lxc' ]
+
+# If a host has 'debops.dnsmasq' or 'debops.unbound' roles configured, execute
+# its playbook in case that configuration applied by the 'lxc' role needs to be
+# applied to 'dnsmasq' or 'unbound' services. This should ensure that the
+# '*.lxc' subdomain for internal LXC containers is resolvable on the LXC host.
+#
+# If the host is not in the Ansible inventory groups required by the
+# 'dnsmasq.yml' or the 'unbound.yml' playbooks, this should not impact
+# anything.
+
+- name: Configure dnsmasq service
+  import_playbook: 'dnsmasq.yml'
+
+- name: Configure unbound service
+  import_playbook: 'unbound.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/lxd.yml b/ansible_collections/debops/debops/playbooks/service/lxd.yml
new file mode 100644
index 00000000..caf66c02
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/lxd.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage LXD service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_lxd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: root_account
+      tags: [ 'role::root_account', 'skip::root_account' ]
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
+      keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ golang__keyring__dependent_gpg_keys }}'
+      golang__dependent_packages:  # noqa var-naming[no-role-prefix]
+        - '{{ lxd__golang__dependent_packages }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list }}'
+        - '{{ lxc__apt_preferences__dependent_list }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      golang__dependent_packages:
+        - '{{ lxd__golang__dependent_packages }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ lxd__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ lxc__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::lxc' ]
+      python__dependent_packages3:
+        - '{{ lxc__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ lxc__python__dependent_packages2 }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ lxc__sysctl__dependent_parameters }}'
+        - '{{ lxd__sysctl__dependent_parameters }}'
+
+    - role: lxc
+      tags: [ 'role::lxc', 'skip::lxc' ]
+
+    - role: lxd
+      tags: [ 'role::lxd', 'skip::lxd' ]
+
+# If a host has 'debops.dnsmasq' or 'debops.unbound' roles configured, execute
+# its playbook in case that configuration applied by the 'lxd' role needs to be
+# applied to 'dnsmasq' or 'unbound' services. This should ensure that the
+# '*.lxd' subdomain for internal LXD containers is resolvable on the LXD host.
+#
+# If the host is not in the Ansible inventory groups required by the
+# 'dnsmasq.yml' or the 'unbound.yml' playbooks, this should not impact
+# anything.
+
+- name: Configure dnsmasq service
+  import_playbook: 'dnsmasq.yml'
+
+- name: Configure unbound service
+  import_playbook: 'unbound.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/machine.yml b/ansible_collections/debops/debops/playbooks/service/machine.yml
new file mode 100644
index 00000000..d9a4dfb7
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/machine.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local machine information
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_machine' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: machine
+      tags: [ 'role::machine', 'skip::machine' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mailman.yml b/ansible_collections/debops/debops/playbooks/service/mailman.yml
new file mode 100644
index 00000000..405cb57d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mailman.yml
@@ -0,0 +1,83 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Mailman service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mailman' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'mailman'
+            config: '{{ mailman__postfix__dependent_maincf }}'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+        - '{{ postfix__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 | d([]) }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ mailman__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 | d([]) }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+        - '{{ mailman__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ mailman__ldap__dependent_tasks }}'
+      when: mailman__ldap_enabled | bool
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'mailman'
+          config: '{{ mailman__postfix__dependent_maincf }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ mailman__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ mailman__nginx__dependent_upstreams }}'
+
+    - role: mailman
+      tags: [ 'role::mailman', 'skip::mailman' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mariadb.yml b/ansible_collections/debops/debops/playbooks/service/mariadb.yml
new file mode 100644
index 00000000..94f6f10e
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mariadb.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage MariaDB client
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mariadb' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
+      keyring__dependent_apt_keys:
+        - '{{ mariadb__keyring__dependent_apt_keys }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
+      python__dependent_packages3:
+        - '{{ mariadb__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ mariadb__python__dependent_packages2 }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mariadb_server.yml b/ansible_collections/debops/debops/playbooks/service/mariadb_server.yml
new file mode 100644
index 00000000..4217df74
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mariadb_server.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage MariaDB server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mariadb_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb_server' ]
+      keyring__dependent_apt_keys:
+        - '{{ mariadb_server__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ mariadb_server__etc_services__dependent_rules }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ mariadb_server__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ mariadb_server__tcpwrappers__dependent_allow }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb_server' ]
+      python__dependent_packages3:
+        - '{{ mariadb_server__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ mariadb_server__python__dependent_packages2 }}'
+
+    - role: mariadb_server
+      tags: [ 'role::mariadb_server', 'skip::mariadb_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mcli.yml b/ansible_collections/debops/debops/playbooks/service/mcli.yml
new file mode 100644
index 00000000..4e1d38b9
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mcli.yml
@@ -0,0 +1,45 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage MinIO Client (mcli) installation
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mcli' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare mcli environment
+      ansible.builtin.import_role:
+        name: 'mcli'
+        tasks_from: 'main_env'
+      tags: [ 'role::mcli', 'role::keyring', 'role::golang' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
+      keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ golang__keyring__dependent_gpg_keys }}'
+      golang__dependent_packages:  # noqa var-naming[no-role-prefix]
+        - '{{ mcli__golang__dependent_packages }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      golang__dependent_packages:
+        - '{{ mcli__golang__dependent_packages }}'
+
+    - role: mcli
+      tags: [ 'role::mcli', 'skip::mcli' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/memcached.yml b/ansible_collections/debops/debops/playbooks/service/memcached.yml
new file mode 100644
index 00000000..4a713f5c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/memcached.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage memcached server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_memcached' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ memcached__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ memcached__ferm__dependent_rules }}'
+
+    - role: memcached
+      tags: [ 'role::memcached', 'skip::memcached' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/metricbeat.yml b/ansible_collections/debops/debops/playbooks/service/metricbeat.yml
new file mode 100644
index 00000000..9e4fe63b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/metricbeat.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Metricbeat service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_metricbeat' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: extrepo
+      tags: [ 'role::extrepo', 'skip::extrepo', 'role::metricbeat' ]
+      extrepo__dependent_sources:
+        - '{{ metricbeat__extrepo__dependent_sources }}'
+
+    - role: metricbeat
+      tags: [ 'role::metricbeat', 'skip::metricbeat' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/minidlna.yml b/ansible_collections/debops/debops/playbooks/service/minidlna.yml
new file mode 100644
index 00000000..fab9ed94
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/minidlna.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2021-2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage MiniDLNA
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_minidlna' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ minidlna_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ minidlna__ferm__dependent_rules }}'
+
+    - role: minidlna
+      tags: [ 'role::minidlna', 'skip::minidlna' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/miniflux.yml b/ansible_collections/debops/debops/playbooks/service/miniflux.yml
new file mode 100644
index 00000000..f31a125a
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/miniflux.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Miniflux service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_miniflux' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
+      keyring__dependent_apt_keys:
+        - '{{ miniflux__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+        - '{{ golang__keyring__dependent_gpg_keys }}'
+      golang__dependent_packages:  # noqa var-naming[no-role-prefix]
+        - '{{ miniflux__golang__dependent_packages }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ miniflux__postgresql__dependent_roles }}'
+      postgresql__dependent_groups:
+        - '{{ miniflux__postgresql__dependent_groups }}'
+      postgresql__dependent_databases:
+        - '{{ miniflux__postgresql__dependent_databases }}'
+      postgresql__dependent_extensions:
+        - '{{ miniflux__postgresql__dependent_extensions }}'
+      postgresql__dependent_pgpass:
+        - '{{ miniflux__postgresql__dependent_pgpass }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ miniflux__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ miniflux__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ miniflux__nginx__dependent_upstreams }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      golang__dependent_packages:
+        - '{{ miniflux__golang__dependent_packages }}'
+
+    - role: miniflux
+      tags: [ 'role::miniflux', 'skip::miniflux' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/minio.yml b/ansible_collections/debops/debops/playbooks/service/minio.yml
new file mode 100644
index 00000000..d4bbf288
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/minio.yml
@@ -0,0 +1,94 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage MinIO service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_minio' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare minio environment
+      ansible.builtin.import_role:
+        name: 'minio'
+        tasks_from: 'main_env'
+      tags: [ 'role::minio', 'role::etc_services', 'role::ferm',
+              'role::keyring', 'role::golang', 'role::nginx' ]
+
+    - name: Prepare sysfs environment
+      ansible.builtin.import_role:
+        name: 'sysfs'
+        tasks_from: 'main_env'
+      tags: [ 'role::sysfs', 'role::secret' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::golang' ]
+      keyring__dependent_gpg_user: '{{ golang__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+        - '{{ golang__keyring__dependent_gpg_keys }}'
+      golang__dependent_packages:  # noqa var-naming[no-role-prefix]
+        - '{{ minio__golang__dependent_packages }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::sysfs' ]
+      secret__directories:
+        - '{{ sysfs__secret__directories | d([]) }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ golang__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ minio__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ minio__ferm__dependent_rules }}'
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ minio__sysctl__dependent_parameters }}'
+
+    - role: sysfs
+      tags: [ 'role::sysfs', 'skip::sysfs' ]
+      sysfs__dependent_attributes:
+        - '{{ minio__sysfs__dependent_attributes }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ minio__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ minio__nginx__dependent_servers }}'
+
+    - role: golang
+      tags: [ 'role::golang', 'skip::golang' ]
+      golang__dependent_packages:
+        - '{{ minio__golang__dependent_packages }}'
+
+    - role: minio
+      tags: [ 'role::minio', 'skip::minio' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/monit.yml b/ansible_collections/debops/debops/playbooks/service/monit.yml
new file mode 100644
index 00000000..df3f4b28
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/monit.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Monit service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_monit' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: monit
+      tags: [ 'role::monit', 'skip::monit' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mosquitto-nginx.yml b/ansible_collections/debops/debops/playbooks/service/mosquitto-nginx.yml
new file mode 100644
index 00000000..78138a2e
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mosquitto-nginx.yml
@@ -0,0 +1,62 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Mosquitto service with Nginx
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mosquitto_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx', 'role::mosquitto' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+        - '{{ mosquitto__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ mosquitto__etc_services__dependent_list }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ mosquitto__tcpwrappers__dependent_allow }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ mosquitto__ferm__dependent_rules }}'
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::nginx', 'role::mosquitto' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ mosquitto__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+        - '{{ mosquitto__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ mosquitto__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ mosquitto__nginx__dependent_upstreams }}'
+
+    - role: mosquitto
+      tags: [ 'role::mosquitto', 'skip::mosquitto' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mosquitto-plain.yml b/ansible_collections/debops/debops/playbooks/service/mosquitto-plain.yml
new file mode 100644
index 00000000..a1a5b929
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mosquitto-plain.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Mosquitto service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_mosquitto' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::mosquitto' ]
+      keyring__dependent_apt_keys:
+        - '{{ mosquitto__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ mosquitto__etc_services__dependent_list }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ mosquitto__tcpwrappers__dependent_allow }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ mosquitto__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mosquitto' ]
+      python__dependent_packages3:
+        - '{{ mosquitto__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ mosquitto__python__dependent_packages2 }}'
+
+    - role: mosquitto
+      tags: [ 'role::mosquitto', 'skip::mosquitto' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/mosquitto.yml b/ansible_collections/debops/debops/playbooks/service/mosquitto.yml
new file mode 100644
index 00000000..168fa9c1
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mosquitto.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular Mosquitto installation
+  import_playbook: 'mosquitto-plain.yml'
+
+- name: Manage Mosquitto service with nginx frontend
+  import_playbook: 'mosquitto-nginx.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/mount.yml b/ansible_collections/debops/debops/playbooks/service/mount.yml
new file mode 100644
index 00000000..0f1dbb1d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/mount.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local device and bind mounts
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_mount' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: mount
+      tags: [ 'role::mount', 'skip::mount' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/netbase.yml b/ansible_collections/debops/debops/playbooks/service/netbase.yml
new file mode 100644
index 00000000..c9eed2f7
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/netbase.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local host and network database
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_netbase' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::netbase' ]
+      python__dependent_packages3:
+        - '{{ netbase__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ netbase__python__dependent_packages2 }}'
+
+    - role: netbase
+      tags: [ 'role::netbase', 'skip::netbase' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/netbox.yml b/ansible_collections/debops/debops/playbooks/service/netbox.yml
new file mode 100644
index 00000000..b90d248c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/netbox.yml
@@ -0,0 +1,89 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage NetBox IPAM/DCIM application
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_netbox' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::postgresql', 'role::nginx', 'role::netbox' ]
+      keyring__dependent_apt_keys:
+        - '{{ postgresql__keyring__dependent_apt_keys }}'
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_keys:
+        - '{{ netbox__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ gunicorn__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::postgresql', 'role::gunicorn', 'role::netbox' ]
+      python__dependent_packages3:
+        - '{{ gunicorn__python__dependent_packages3 }}'
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ netbox__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ postgresql__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ gunicorn__python__dependent_packages2 }}'
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ netbox__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+        - '{{ postgresql__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ netbox__ldap__dependent_tasks }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ netbox__postgresql__dependent_roles }}'
+      postgresql__dependent_groups:
+        - '{{ netbox__postgresql__dependent_groups }}'
+      postgresql__dependent_databases:
+        - '{{ netbox__postgresql__dependent_databases }}'
+      postgresql__dependent_pgpass:
+        - '{{ netbox__postgresql__dependent_pgpass }}'
+
+    - role: gunicorn
+      tags: [ 'role::gunicorn', 'skip::gunicorn' ]
+      gunicorn__dependent_applications:
+        - '{{ netbox__gunicorn__dependent_applications }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ netbox__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ netbox__nginx__dependent_servers }}'
+
+    - role: netbox
+      tags: [ 'role::netbox', 'skip::netbox' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/networkd.yml b/ansible_collections/debops/debops/playbooks/service/networkd.yml
new file mode 100644
index 00000000..1670e189
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/networkd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage systemd-networkd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_networkd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: networkd
+      tags: [ 'role::networkd', 'skip::networkd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/neurodebian.yml b/ansible_collections/debops/debops/playbooks/service/neurodebian.yml
new file mode 100644
index 00000000..06a48591
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/neurodebian.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install packages from the NeuroDebian repository
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_neurodebian' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ neurodebian__apt_preferences__dependent_list }}'
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::neurodebian' ]
+      keyring__dependent_apt_keys:
+        - '{{ neurodebian__keyring__dependent_apt_keys }}'
+
+    - role: neurodebian
+      tags: [ 'role::neurodebian', 'skip::neurodebian' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nfs.yml b/ansible_collections/debops/debops/playbooks/service/nfs.yml
new file mode 100644
index 00000000..11e84991
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nfs.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage NFS shares
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: nfs
+      tags: [ 'role::nfs', 'skip::nfs' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nfs_server.yml b/ansible_collections/debops/debops/playbooks/service/nfs_server.yml
new file mode 100644
index 00000000..afe90d4a
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nfs_server.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure NFS Server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nfs_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services', 'role::ferm' ]
+      etc_services__dependent_list:
+        - '{{ nfs_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nfs_server__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ nfs_server__tcpwrappers__dependent_allow }}'
+
+    - role: nfs_server
+      tags: [ 'role::nfs_server', 'skip::nfs_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nginx.yml b/ansible_collections/debops/debops/playbooks/service/nginx.yml
new file mode 100644
index 00000000..dcbb4662
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nginx.yml
@@ -0,0 +1,42 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage nginx webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nodejs.yml b/ansible_collections/debops/debops/playbooks/service/nodejs.yml
new file mode 100644
index 00000000..d5f8827d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nodejs.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage NodeJS environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nodejs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
+      keyring__dependent_apt_keys:
+        - '{{ nodejs__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nodejs__apt_preferences__dependent_list }}'
+
+    - role: nodejs
+      tags: [ 'role::nodejs', 'skip::nodejs' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nscd.yml b/ansible_collections/debops/debops/playbooks/service/nscd.yml
new file mode 100644
index 00000000..929ece02
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nscd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Name Service Cache Daemon
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nscd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: nscd
+      tags: [ 'role::nscd', 'skip::nscd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nslcd.yml b/ansible_collections/debops/debops/playbooks/service/nslcd.yml
new file mode 100644
index 00000000..01b8da75
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nslcd.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage nslcd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_nslcd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nslcd__ldap__dependent_tasks }}'
+
+    - role: nslcd
+      tags: [ 'role::nslcd', 'skip::nslcd' ]
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ nslcd__nsswitch__dependent_services }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/nsswitch.yml b/ansible_collections/debops/debops/playbooks/service/nsswitch.yml
new file mode 100644
index 00000000..9b2fb9f2
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nsswitch.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Name Service Switch configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_nsswitch' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ntp.yml b/ansible_collections/debops/debops/playbooks/service/ntp.yml
new file mode 100644
index 00000000..29f754d7
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ntp.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Network Time Protocol service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ntp' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ ntp__ferm__dependent_rules }}'
+
+    - role: ntp
+      tags: [ 'role::ntp', 'skip::ntp' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/nullmailer.yml b/ansible_collections/debops/debops/playbooks/service/nullmailer.yml
new file mode 100644
index 00000000..c77ebfa5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/nullmailer.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage nullmailer SMTP server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_nullmailer' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare nullmailer environment
+      ansible.builtin.import_role:
+        name: 'nullmailer'
+        tasks_from: 'main_env'
+      tags: [ 'role::nullmailer', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ nullmailer__ldap__dependent_tasks }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nullmailer__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ nullmailer__tcpwrappers__dependent_allow }}'
+
+    - role: nullmailer
+      tags: [ 'role::nullmailer', 'skip::nullmailer' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/opendkim.yml b/ansible_collections/debops/debops/playbooks/service/opendkim.yml
new file mode 100644
index 00000000..79f9aa04
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/opendkim.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage OpenDKIM service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_opendkim' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare opendkim environment
+      ansible.builtin.import_role:
+        name: 'opendkim'
+        tasks_from: 'main_env'
+      tags: [ 'role::opendkim', 'role::secret' ]
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'opendkim'
+            config: '{{ opendkim__postfix__dependent_maincf }}'
+      when: opendkim__postfix_integration | bool
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::opendkim', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories  | d([]) }}'
+        - '{{ opendkim__secret__directories | d([]) }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'opendkim'
+          config: '{{ opendkim__postfix__dependent_maincf }}'
+      when: opendkim__postfix_integration | bool
+
+    - role: opendkim
+      tags: [ 'role::opendkim', 'skip::opendkim' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/opensearch.yml b/ansible_collections/debops/debops/playbooks/service/opensearch.yml
new file mode 100644
index 00000000..b538073b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/opensearch.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Install and manage OpenSearch
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_opensearch' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring' ]
+      keyring__dependent_gpg_keys:
+        - '{{ opensearch__keyring__dependent_gpg_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ opensearch__etc_services__dependent_list }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ opensearch__sysctl__dependent_parameters }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ opensearch__ferm__dependent_rules }}'
+
+    - role: opensearch
+      tags: [ 'role::opensearch', 'skip::opensearch' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/owncloud-apache.yml b/ansible_collections/debops/debops/playbooks/service/owncloud-apache.yml
new file mode 100644
index 00000000..95f0e75c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/owncloud-apache.yml
@@ -0,0 +1,130 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage ownCloud instances with Apache as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_owncloud_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ mariadb__keyring__dependent_apt_keys if (owncloud__database == "mariadb") else [] }}'
+          - '{{ postgresql__keyring__dependent_apt_keys if (owncloud__database == "postgresql") else [] }}'
+          - '{{ owncloud__keyring__dependent_apt_keys }}'
+        keyring__dependent_gpg_keys:
+          - '{{ owncloud__keyring__dependent_gpg_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php',
+              'role::mariadb', 'role::postgresql', 'role::owncloud' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+    - name: Prepare owncloud environment
+      ansible.builtin.import_role:
+        name: 'owncloud'
+        tasks_from: 'main_env'
+      tags: [ 'role::owncloud', 'role::owncloud:env' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ owncloud__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ mariadb__python__dependent_packages3
+              if (owncloud__database == "mariadb")
+              else [] }}'
+        - '{{ postgresql__python__dependent_packages3
+              if (owncloud__database == "postgresql")
+              else [] }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ mariadb__python__dependent_packages2
+              if (owncloud__database == "mariadb")
+              else [] }}'
+        - '{{ postgresql__python__dependent_packages2
+              if (owncloud__database == "postgresql")
+              else [] }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ owncloud__ldap__dependent_tasks }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users: '{{ owncloud__mariadb__dependent_users }}'
+      when: (owncloud__database == 'mariadb')
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles: '{{ owncloud__postgresql__dependent_roles }}'
+      postgresql__dependent_groups: '{{ owncloud__postgresql__dependent_groups }}'
+      postgresql__dependent_databases: '{{ owncloud__postgresql__dependent_databases }}'
+      when: (owncloud__database == 'postgresql')
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ owncloud__unattended_upgrades__dependent_origins }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ owncloud__php__dependent_packages }}'
+      php__dependent_configuration:
+        - '{{ owncloud__php__dependent_configuration }}'
+      php__dependent_pools:
+        - '{{ owncloud__php__dependent_pools }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+        - '{{ owncloud__logrotate__dependent_config }}'
+
+    - role: apache
+      tags: [ 'role::apache', 'skip::apache' ]
+      apache__dependent_snippets: '{{ owncloud__apache__dependent_snippets }}'
+      apache__dependent_vhosts:
+        - '{{ owncloud__apache__dependent_vhosts }}'
+
+    - role: owncloud
+      tags: [ 'role::owncloud', 'skip::owncloud' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/owncloud-nginx.yml b/ansible_collections/debops/debops/playbooks/service/owncloud-nginx.yml
new file mode 100644
index 00000000..e09dba3d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/owncloud-nginx.yml
@@ -0,0 +1,133 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage ownCloud instances with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_owncloud', 'debops_service_owncloud_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ mariadb__keyring__dependent_apt_keys if (owncloud__database == "mariadb") else [] }}'
+          - '{{ postgresql__keyring__dependent_apt_keys if (owncloud__database == "postgresql") else [] }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+          - '{{ owncloud__keyring__dependent_apt_keys }}'
+        keyring__dependent_gpg_keys:
+          - '{{ owncloud__keyring__dependent_gpg_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php',
+              'role::mariadb', 'role::postgresql',
+              'role::nginx', 'role::owncloud' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+    - name: Prepare owncloud environment
+      ansible.builtin.import_role:
+        name: 'owncloud'
+        tasks_from: 'main_env'
+      tags: [ 'role::owncloud', 'role::owncloud:env', 'role::nginx' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences', 'role::nginx', 'role::php' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ owncloud__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm', 'role::nginx' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ mariadb__python__dependent_packages3
+              if (owncloud__database == "mariadb")
+              else [] }}'
+        - '{{ postgresql__python__dependent_packages3
+              if (owncloud__database == "postgresql")
+              else [] }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ mariadb__python__dependent_packages2
+              if (owncloud__database == "mariadb")
+              else [] }}'
+        - '{{ postgresql__python__dependent_packages2
+              if (owncloud__database == "postgresql")
+              else [] }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ owncloud__ldap__dependent_tasks }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_databases: '{{ owncloud__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ owncloud__mariadb__dependent_users }}'
+      when: (owncloud__database == 'mariadb')
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles: '{{ owncloud__postgresql__dependent_roles }}'
+      postgresql__dependent_groups: '{{ owncloud__postgresql__dependent_groups }}'
+      postgresql__dependent_databases: '{{ owncloud__postgresql__dependent_databases }}'
+      when: (owncloud__database == 'postgresql')
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
+      unattended_upgrades__dependent_origins: '{{ owncloud__unattended_upgrades__dependent_origins }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ owncloud__php__dependent_packages }}'
+      php__dependent_configuration:
+        - '{{ owncloud__php__dependent_configuration }}'
+      php__dependent_pools:
+        - '{{ owncloud__php__dependent_pools }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+        - '{{ owncloud__logrotate__dependent_config }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_maps:
+        - '{{ owncloud__nginx__dependent_maps }}'
+      nginx__dependent_servers:
+        - '{{ owncloud__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ owncloud__nginx__dependent_upstreams }}'
+
+    - role: owncloud
+      tags: [ 'role::owncloud', 'skip::owncloud' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/owncloud.yml b/ansible_collections/debops/debops/playbooks/service/owncloud.yml
new file mode 100644
index 00000000..d267e070
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/owncloud.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage ownCloud/Nextcloud with Apache frontend
+  import_playbook: 'owncloud-apache.yml'
+
+- name: Manage ownCloud/Nextcloud with nginx frontend
+  import_playbook: 'owncloud-nginx.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/pam_access.yml b/ansible_collections/debops/debops/playbooks/service/pam_access.yml
new file mode 100644
index 00000000..ff420bb1
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/pam_access.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage PAM Access Control Lists
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_pam_access' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/pdns-nginx.yml b/ansible_collections/debops/debops/playbooks/service/pdns-nginx.yml
new file mode 100644
index 00000000..425a606b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/pdns-nginx.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage PowerDNS authoritative server with Nginx
+  hosts: [ 'debops_service_pdns_nginx' ]
+  become: True
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ pdns__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+        - '{{ pdns__ferm__dependent_rules }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ pdns__postgresql__dependent_roles }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ pdns__nginx__dependent_servers }}'
+
+    - role: pdns
+      tags: [ 'role::pdns', 'skip::pdns' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/pdns-plain.yml b/ansible_collections/debops/debops/playbooks/service/pdns-plain.yml
new file mode 100644
index 00000000..723470b6
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/pdns-plain.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage PowerDNS authoritative server
+  hosts: [ 'debops_service_pdns' ]
+  become: True
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ pdns__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ pdns__ferm__dependent_rules }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - '{{ pdns__postgresql__dependent_roles }}'
+
+    - role: pdns
+      tags: [ 'role::pdns', 'skip::pdns' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/pdns.yml b/ansible_collections/debops/debops/playbooks/service/pdns.yml
new file mode 100644
index 00000000..bbaa4202
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/pdns.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage regular PowerDNS server installation
+  import_playbook: 'pdns-plain.yml'
+
+- name: Manage PowerDNS server installation with nginx frontend
+  import_playbook: 'pdns-nginx.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/persistent_paths.yml b/ansible_collections/debops/debops/playbooks/service/persistent_paths.yml
new file mode 100644
index 00000000..225d5135
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/persistent_paths.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure paths are stored on persistent storage
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_persistent_paths' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/php.yml b/ansible_collections/debops/debops/playbooks/service/php.yml
new file mode 100644
index 00000000..b459e224
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/php.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage PHP environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_php' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/phpipam.yml b/ansible_collections/debops/debops/playbooks/service/phpipam.yml
new file mode 100644
index 00000000..a2d186c0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/phpipam.yml
@@ -0,0 +1,87 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage phpIPAM service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_phpipam' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+          - '{{ mariadb__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::nginx', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
+      python__dependent_packages3:
+        - '{{ mariadb__python__dependent_packages3 }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ mariadb__python__dependent_packages2 }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ phpipam__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ phpipam__php__dependent_pools }}'
+      when: (phpipam__mode is defined and 'webui' in phpipam__mode)
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ phpipam__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ phpipam__nginx__dependent_upstreams }}'
+      when: (phpipam__mode is defined and 'webui' in phpipam__mode)
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users:
+        - '{{ phpipam__mariadb__dependent_users }}'
+
+    - role: phpipam
+      tags: [ 'role::phpipam', 'skip::phpipam' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/phpmyadmin.yml b/ansible_collections/debops/debops/playbooks/service/phpmyadmin.yml
new file mode 100644
index 00000000..b1cd896d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/phpmyadmin.yml
@@ -0,0 +1,76 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage phpMyAdmin service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_phpmyadmin' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::nginx' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ phpmyadmin__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ phpmyadmin__php__dependent_pools }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ phpmyadmin__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ phpmyadmin__nginx__dependent_upstreams }}'
+
+    - role: phpmyadmin
+      tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/pki.yml b/ansible_collections/debops/debops/playbooks/service/pki.yml
new file mode 100644
index 00000000..f79470ef
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/pki.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Public Key Infrastructure
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_pki' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare pki environment
+      ansible.builtin.import_role:
+        name: 'pki'
+        tasks_from: 'main_env'
+      tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
+      secret_directories:
+        - '{{ pki_env_secret_directories }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: pki
+      tags: [ 'role::pki', 'skip::pki' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postconf.yml b/ansible_collections/debops/debops/playbooks/service/postconf.yml
new file mode 100644
index 00000000..b3817edf
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postconf.yml
@@ -0,0 +1,66 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Postfix configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postconf' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+
+    secret__directories:
+      - '{{ postfix__secret__directories }}'
+
+    ferm__dependent_rules:
+      - '{{ postfix__ferm__dependent_rules }}'
+
+    postfix__dependent_packages:
+      - '{{ postconf__postfix__dependent_packages }}'
+
+    postfix__dependent_maincf:
+      - role: 'postconf'
+        config: '{{ postconf__postfix__dependent_maincf }}'
+        state: '{{ postconf__deploy_state }}'
+
+    postfix__dependent_mastercf:
+      - role: 'postconf'
+        config: '{{ postconf__postfix__dependent_mastercf }}'
+        state: '{{ postconf__deploy_state }}'
+
+    postfix__dependent_lookup_tables:
+      - '{{ postconf__postfix__dependent_lookup_tables }}'
+
+  pre_tasks:
+
+    - name: Prepare postconf environment
+      ansible.builtin.import_role:
+        name: 'postconf'
+        tasks_from: 'main_env'
+      tags: [ 'role::postconf', 'role::postfix', 'role::ferm' ]
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+
+    - role: postconf
+      tags: [ 'role::postconf', 'skip::postconf' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postfix.yml b/ansible_collections/debops/debops/playbooks/service/postfix.yml
new file mode 100644
index 00000000..2e69aa76
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postfix.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Postfix SMTP service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postfix' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare etc_aliases environment
+      ansible.builtin.import_role:
+        name: 'etc_aliases'
+        tasks_from: 'main_env'
+      tags: [ 'role::etc_aliases', 'role::secret', 'role::postfix' ]
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ etc_aliases__secret__directories }}'
+        - '{{ postfix__secret__directories }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ postfix__ferm__dependent_rules }}'
+
+    - role: etc_aliases
+      tags: [ 'role::etc_aliases', 'skip::etc_aliases' ]
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postgresql.yml b/ansible_collections/debops/debops/playbooks/service/postgresql.yml
new file mode 100644
index 00000000..7337acb5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postgresql.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage PostgreSQL client
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postgresql' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::postgresql' ]
+      keyring__dependent_apt_keys:
+        - '{{ postgresql__keyring__dependent_apt_keys }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ postgresql__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ postgresql__python__dependent_packages2 }}'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postgresql_server.yml b/ansible_collections/debops/debops/playbooks/service/postgresql_server.yml
new file mode 100644
index 00000000..1176219f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postgresql_server.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage PostgreSQL server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postgresql_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::postgresql_server' ]
+      keyring__dependent_apt_keys:
+        - '{{ postgresql_server__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ postgresql_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ postgresql_server__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ postgresql_server__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ postgresql_server__python__dependent_packages2 }}'
+
+    - role: locales
+      tags: [ 'role::locales', 'skip::locales' ]
+      locales__dependent_list:
+        - '{{ postgresql_server__locales__dependent_list }}'
+
+    - role: postgresql_server
+      tags: [ 'role::postgresql_server', 'skip::postgresql_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postldap.yml b/ansible_collections/debops/debops/playbooks/service/postldap.yml
new file mode 100644
index 00000000..6f2310a5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postldap.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Postfix service with Virtual Mail LDAP backend
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postldap' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_packages:
+          - '{{ postldap__postfix__dependent_packages }}'
+        postfix__dependent_lookup_tables:
+          - '{{ postldap__postfix__dependent_lookup_tables }}'
+        postfix__dependent_maincf:
+          - role: 'postldap'
+            config: '{{ postldap__postfix__dependent_maincf }}'
+      tags: [ 'role::postfix:env', 'role::postfix', 'role::postldap', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix', 'role::postldap' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: postldap
+      tags: [ 'role::postldap', 'skip::postldap', 'role::postfix' ]
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ postldap__ldap__dependent_tasks }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_packages:
+        - '{{ postldap__postfix__dependent_packages }}'
+      postfix__dependent_lookup_tables:
+        - '{{ postldap__postfix__dependent_lookup_tables }}'
+      postfix__dependent_maincf:
+        - role: 'postldap'
+          config: '{{ postldap__postfix__dependent_maincf }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/postscreen.yml b/ansible_collections/debops/debops/playbooks/service/postscreen.yml
new file mode 100644
index 00000000..f24b5df9
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postscreen.yml
@@ -0,0 +1,52 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Postfix postscreen configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postscreen' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_packages:
+          - '{{ postscreen__postfix__dependent_packages }}'
+        postfix__dependent_maincf:
+          - role: 'postscreen'
+            config: '{{ postscreen__postfix__dependent_maincf }}'
+        postfix__dependent_mastercf:
+          - role: 'postscreen'
+            config: '{{ postscreen__postfix__dependent_mastercf }}'
+      tags: [ 'role::postfix', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_packages:
+        - '{{ postscreen__postfix__dependent_packages }}'
+      postfix__dependent_maincf:
+        - role: 'postscreen'
+          config: '{{ postscreen__postfix__dependent_maincf }}'
+      postfix__dependent_mastercf:
+        - role: 'postscreen'
+          config: '{{ postscreen__postfix__dependent_mastercf }}'
+
+    - role: postscreen
+      tags: [ 'role::postscreen', 'skip::postscreen' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/postwhite.yml b/ansible_collections/debops/debops/playbooks/service/postwhite.yml
new file mode 100644
index 00000000..bae971bd
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/postwhite.yml
@@ -0,0 +1,48 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Postwhite service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_postwhite' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'postwhite'
+            config: '{{ postwhite__postfix__dependent_maincf }}'
+      when: (ansible_local | d() and ansible_local.postfix | d() and
+             (ansible_local.postfix.installed | d()) | bool)
+      tags: [ 'role::postfix', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+      when: (ansible_local | d() and ansible_local.postfix | d() and
+             (ansible_local.postfix.installed | d()) | bool)
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'postwhite'
+          config: '{{ postwhite__postfix__dependent_maincf }}'
+      when: (ansible_local | d() and ansible_local.postfix | d() and
+             (ansible_local.postfix.installed | d()) | bool)
+
+    - role: postwhite
+      tags: [ 'role::postwhite', 'skip::postwhite' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/preseed.yml b/ansible_collections/debops/debops/playbooks/service/preseed.yml
new file mode 100644
index 00000000..514a0976
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/preseed.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Provide Debian Preseed configuration files over HTTP
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_preseed' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__servers:
+        - '{{ preseed__nginx__dependent_servers }}'
+
+    - role: preseed
+      tags: [ 'role::preseed', 'skip::preseed' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/proc_hidepid.yml b/ansible_collections/debops/debops/playbooks/service/proc_hidepid.yml
new file mode 100644
index 00000000..1eefec86
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/proc_hidepid.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage /proc hidepid= configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_proc_hidepid' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: proc_hidepid
+      tags: [ 'role::proc_hidepid', 'skip::proc_hidepid' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/prosody.yml b/ansible_collections/debops/debops/playbooks/service/prosody.yml
new file mode 100644
index 00000000..52d0f289
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/prosody.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Prosody
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_prosody' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ prosody__ferm__dependent_rules }}'
+
+    - role: prosody
+      tags: [ 'role::prosody', 'skip::prosody' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/python.yml b/ansible_collections/debops/debops/playbooks/service/python.yml
new file mode 100644
index 00000000..676bc497
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/python.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Python environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_python' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/python_raw.yml b/ansible_collections/debops/debops/playbooks/service/python_raw.yml
new file mode 100644
index 00000000..aa8ec874
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/python_raw.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Bootstrap Python environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_python' ]
+  strategy: linear
+  become: True
+  gather_facts: False
+
+  tasks:
+
+    - name: Initialize Ansible support via raw tasks
+      ansible.builtin.import_role:
+        name: 'python'
+        tasks_from: 'main_raw'
+      tags: [ 'role::python_raw', 'skip::python_raw' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/rabbitmq_management.yml b/ansible_collections/debops/debops/playbooks/service/rabbitmq_management.yml
new file mode 100644
index 00000000..5fb8d180
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rabbitmq_management.yml
@@ -0,0 +1,73 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure RabbitMQ Management Console
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_rabbitmq_management' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare rabbitmq_server environment
+      ansible.builtin.import_role:
+        name: 'rabbitmq_server'
+        tasks_from: 'main_env'
+      tags: [ 'role::rabbitmq_server', 'role::secret', 'role::rabbitmq_server:config' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: secret
+      tags: [ 'role::secret', 'role::rabbitmq_server', 'role::rabbitmq_server:config' ]
+      secret__directories:
+        - '{{ rabbitmq_server__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ rabbitmq_management__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ rabbitmq_management__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ rabbitmq_management__nginx__dependent_upstreams }}'
+
+    - role: rabbitmq_server
+      tags: [ 'role::rabbitmq_server', 'skip::rabbitmq_server' ]
+      rabbitmq_server__dependent_role: 'rabbitmq_management'
+      rabbitmq_server__dependent_state: '{{ rabbitmq_management__deploy_state }}'
+      rabbitmq_server__dependent_config:
+        - '{{ rabbitmq_management__rabbitmq_server__dependent_config }}'
+
+    - role: rabbitmq_management
+      tags: [ 'role::rabbitmq_management', 'skip::rabbitmq_management' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/rabbitmq_server.yml b/ansible_collections/debops/debops/playbooks/service/rabbitmq_server.yml
new file mode 100644
index 00000000..6dabe545
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rabbitmq_server.yml
@@ -0,0 +1,42 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage RabbitMQ service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_rabbitmq_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare rabbitmq_server environment
+      ansible.builtin.import_role:
+        name: 'rabbitmq_server'
+        tasks_from: 'main_env'
+      tags: [ 'role::rabbitmq_server', 'role::secret', 'role::rabbitmq_server:config' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::rabbitmq_server', 'role::rabbitmq_server:config' ]
+      secret__directories:
+        - '{{ rabbitmq_server__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ rabbitmq_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ rabbitmq_server__ferm__dependent_rules }}'
+
+    - role: rabbitmq_server
+      tags: [ 'role::rabbitmq_server', 'skip::rabbitmq_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/radvd.yml b/ansible_collections/debops/debops/playbooks/service/radvd.yml
new file mode 100644
index 00000000..ed27b6e0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/radvd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Router Advertisement Daemon
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_radvd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: radvd
+      tags: [ 'role::radvd', 'skip::radvd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/redis_sentinel.yml b/ansible_collections/debops/debops/playbooks/service/redis_sentinel.yml
new file mode 100644
index 00000000..515aea4f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/redis_sentinel.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Redis Sentinel service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_redis_sentinel' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare redis_sentinel environment
+      ansible.builtin.import_role:
+        name: 'redis_sentinel'
+        tasks_from: 'main_env'
+      tags: [ 'role::redis_sentinel', 'role::ferm' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ redis_sentinel__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ redis_sentinel__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ redis_sentinel__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::redis_sentinel' ]
+      python__dependent_packages3:
+        - '{{ redis_sentinel__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ redis_sentinel__python__dependent_packages2 }}'
+
+    - role: redis_sentinel
+      tags: [ 'role::redis_sentinel', 'skip::redis_sentinel' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/redis_server.yml b/ansible_collections/debops/debops/playbooks/service/redis_server.yml
new file mode 100644
index 00000000..11360d7b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/redis_server.yml
@@ -0,0 +1,70 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Redis server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_redis_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare sysfs environment
+      ansible.builtin.import_role:
+        name: 'sysfs'
+        tasks_from: 'main_env'
+      tags: [ 'role::sysfs', 'role::secret' ]
+
+    - name: Prepare redis_server environment
+      ansible.builtin.import_role:
+        name: 'redis_server'
+        tasks_from: 'main_env'
+      tags: [ 'role::redis_server', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::sysfs' ]
+      secret__directories:
+        - '{{ sysfs__secret__directories | d([]) }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ redis_server__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ redis_server__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ redis_server__ferm__dependent_rules }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ redis_server__sysctl__dependent_parameters }}'
+
+    - role: sysfs
+      tags: [ 'role::sysfs', 'skip::sysfs' ]
+      sysfs__dependent_attributes:
+        - '{{ redis_server__sysfs__dependent_attributes }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
+      python__dependent_packages3:
+        - '{{ redis_server__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ redis_server__python__dependent_packages2 }}'
+
+    - role: redis_server
+      tags: [ 'role::redis_server', 'skip::redis_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/reprepro.yml b/ansible_collections/debops/debops/playbooks/service/reprepro.yml
new file mode 100644
index 00000000..16206a59
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/reprepro.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage reprepro repositories
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_reprepro' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare reprepro environment
+      ansible.builtin.import_role:
+        name: 'reprepro'
+        tasks_from: 'main_env'
+      tags: [ 'role::reprepro', 'role::nginx' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx', 'role::reprepro' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+      keyring__dependent_gpg_user: '{{ reprepro__keyring__dependent_gpg_user }}'
+      keyring__dependent_gpg_keys:
+        - '{{ reprepro__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ reprepro__nginx__dependent_servers }}'
+
+    - role: reprepro
+      tags: [ 'role::reprepro', 'skip::reprepro' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/resolvconf.yml b/ansible_collections/debops/debops/playbooks/service/resolvconf.yml
new file mode 100644
index 00000000..68e7e329
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/resolvconf.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage system-wide DNS resolver configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_resolvconf' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/resolved.yml b/ansible_collections/debops/debops/playbooks/service/resolved.yml
new file mode 100644
index 00000000..98982277
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/resolved.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage systemd-resolved service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_resolved' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ resolved__etc_services__dependent_list }}'
+
+    - role: resolved
+      tags: [ 'role::resolved', 'skip::resolved' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/resources.yml b/ansible_collections/debops/debops/playbooks/service/resources.yml
new file mode 100644
index 00000000..4889ebed
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/resources.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage custom resources
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_resources' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: resources
+      tags: [ 'role::resources', 'skip::resources' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/root_account.yml b/ansible_collections/debops/debops/playbooks/service/root_account.yml
new file mode 100644
index 00000000..a3c193e8
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/root_account.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage root system account
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_root_account' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: root_account
+      tags: [ 'role::root_account', 'skip::root_account' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/roundcube.yml b/ansible_collections/debops/debops/playbooks/service/roundcube.yml
new file mode 100644
index 00000000..728acf34
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/roundcube.yml
@@ -0,0 +1,126 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage Roundcube Web mail
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_roundcube' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+          - '{{ nodejs__keyring__dependent_apt_keys }}'
+          - '{{ nginx__keyring__dependent_apt_keys }}'
+          - '{{ mariadb__keyring__dependent_apt_keys }}'
+        keyring__dependent_gpg_user: '{{ roundcube__keyring__dependent_gpg_user }}'
+        keyring__dependent_gpg_keys:
+          - '{{ roundcube__keyring__dependent_gpg_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::php', 'role::nodejs', 'role::nginx', 'role::mariadb',
+              'role::roundcube' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences',
+              'role::nginx', 'role::php', 'role::nodejs' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+        - '{{ nodejs__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm', 'role::nginx' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb', 'role::postgresql' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ mariadb__python__dependent_packages3 if roundcube__database_map[roundcube__database].dbtype == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages3 }}'
+        - '{{ postgresql__python__dependent_packages3 if roundcube__database_map[roundcube__database].dbtype == "postgresql" else [] }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ mariadb__python__dependent_packages2 if roundcube__database_map[roundcube__database].dbtype == "mysql" else [] }}'
+        - '{{ nginx__python__dependent_packages2 }}'
+        - '{{ postgresql__python__dependent_packages2 if roundcube__database_map[roundcube__database].dbtype == "postgresql" else [] }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ roundcube__ldap__dependent_tasks }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ roundcube__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ roundcube__php__dependent_pools }}'
+
+    - role: nodejs
+      tags: [ 'role::nodejs', 'skip::nodejs' ]
+      nodejs__npm_dependent_packages:
+        - '{{ roundcube__nodejs__npm_dependent_packages }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ roundcube__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ roundcube__nginx__dependent_upstreams }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
+      mariadb__dependent_users:
+        - database: '{{ roundcube__database_map[roundcube__database].dbname }}'
+          user: '{{ roundcube__database_map[roundcube__database].dbuser }}'
+          password: '{{ roundcube__database_map[roundcube__database].dbpass }}'
+          owner: '{{ roundcube__user }}'
+          group: '{{ roundcube__group }}'
+          home: '{{ roundcube__home }}'
+          system: True
+          priv_aux: False
+      mariadb__server: '{{ roundcube__database_map[roundcube__database].dbhost }}'
+      when: roundcube__database_map[roundcube__database].dbtype == 'mysql'
+
+    - role: postgresql
+      tags: [ 'role::postgresql', 'skip::postgresql' ]
+      postgresql__dependent_roles:
+        - db: '{{ roundcube__database_map[roundcube__database].dbname }}'
+          role: '{{ roundcube__database_map[roundcube__database].dbuser }}'
+          password: '{{ roundcube__database_map[roundcube__database].dbpass }}'
+      postgresql__server: '{{ roundcube__database_map[roundcube__database].dbhost
+                              if roundcube__database_map[roundcube__database].dbhost != "localhost"
+                              else "" }}'
+      when: roundcube__database_map[roundcube__database].dbtype == 'postgresql'
+
+    - role: roundcube
+      tags: [ 'role::roundcube', 'skip::roundcube' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/rsnapshot.yml b/ansible_collections/debops/debops/playbooks/service/rsnapshot.yml
new file mode 100644
index 00000000..0bba62c0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rsnapshot.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage rsnapshot service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_rsnapshot' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: rsnapshot
+      tags: [ 'role::rsnapshot', 'skip::rsnapshot' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/rspamd.yml b/ansible_collections/debops/debops/playbooks/service/rspamd.yml
new file mode 100644
index 00000000..0db1652d
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rspamd.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage rspamd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_rspamd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'rspamd'
+            config: '{{ rspamd__postfix__dependent_maincf }}'
+      tags: [ 'role::postfix' ]
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ rspamd__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+        - '{{ rspamd__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ rspamd__logrotate__dependent_config }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ rspamd__nginx__dependent_servers }}'
+      when: rspamd__nginx_enabled | d(False) | bool
+
+    - role: rspamd
+      tags: [ 'role::rspamd', 'skip::rspamd' ]
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'rspamd'
+          config: '{{ rspamd__postfix__dependent_maincf }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/rstudio_server.yml b/ansible_collections/debops/debops/playbooks/service/rstudio_server.yml
new file mode 100644
index 00000000..3d61e241
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rstudio_server.yml
@@ -0,0 +1,66 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage RStudio Server service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_rstudio_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring',
+              'role::cran', 'role::nginx', 'role::rstudio_server' ]
+      keyring__dependent_apt_keys:
+        - '{{ cran__keyring__dependent_apt_keys | d([]) }}'
+        - '{{ nginx__keyring__dependent_apt_keys | d([]) }}'
+      keyring__dependent_gpg_keys:
+        - '{{ rstudio_server__keyring__dependent_gpg_keys | d([]) }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ rstudio_server__etc_services__dependent_list }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ cran__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ rstudio_server__nginx__dependent_servers }}'
+
+    - role: java
+      tags: [ 'role::java', 'skip::java' ]
+      java__install_jdk: True
+      when: cran__java_integration | bool
+
+    - role: cran
+      tags: [ 'role::cran', 'skip::cran' ]
+      cran__dependent_packages:
+        - '{{ rstudio_server__cran__dependent_packages }}'
+
+    - role: rstudio_server
+      tags: [ 'role::rstudio_server', 'skip::rstudio_server' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/rsyslog.yml b/ansible_collections/debops/debops/playbooks/service/rsyslog.yml
new file mode 100644
index 00000000..d53289d3
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/rsyslog.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage rsyslog service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_rsyslog' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ rsyslog__ferm__dependent_rules }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ rsyslog__logrotate__dependent_config }}'
+
+    - role: rsyslog
+      tags: [ 'role::rsyslog', 'skip::rsyslog' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/ruby.yml b/ansible_collections/debops/debops/playbooks/service/ruby.yml
new file mode 100644
index 00000000..b5c93e5c
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/ruby.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Ruby environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_ruby' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ruby
+      tags: [ 'role::ruby', 'skip::ruby' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/salt.yml b/ansible_collections/debops/debops/playbooks/service/salt.yml
new file mode 100644
index 00000000..b4af22ea
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/salt.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Salt Master service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_salt' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::salt' ]
+      keyring__dependent_apt_keys:
+        - '{{ salt__keyring__dependent_apt_keys }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ salt__etc_services__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ salt__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ salt__python__dependent_packages2 }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ salt__ferm__dependent_rules }}'
+
+    - role: salt
+      tags: [ 'role::salt', 'skip::salt' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/samba.yml b/ansible_collections/debops/debops/playbooks/service/samba.yml
new file mode 100644
index 00000000..583b078f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/samba.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Samba service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_samba' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ samba__ferm__dependent_rules }}'
+
+    - role: samba
+      tags: [ 'role::samba', 'skip::samba' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/saslauthd.yml b/ansible_collections/debops/debops/playbooks/service/saslauthd.yml
new file mode 100644
index 00000000..9abdc164
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/saslauthd.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Cyrus SASL authentication service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_saslauthd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ saslauthd__ldap__dependent_tasks }}'
+
+    - role: saslauthd
+      tags: [ 'role::saslauthd', 'skip::saslauthd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/secret.yml b/ansible_collections/debops/debops/playbooks/service/secret.yml
new file mode 100644
index 00000000..0d763529
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/secret.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure secret storage space
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sks.yml b/ansible_collections/debops/debops/playbooks/service/sks.yml
new file mode 100644
index 00000000..f8c5281b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sks.yml
@@ -0,0 +1,53 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage SKS Keyserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_sks' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ sks__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
+      nginx__dependent_servers:
+        - '{{ sks__nginx__dependent_servers }}'
+      nginx__dependent_upstreams:
+        - '{{ sks__nginx__dependent_upstreams }}'
+
+    - role: sks
+      tags: [ 'role::sks', 'skip::sks' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/slapd.yml b/ansible_collections/debops/debops/playbooks/service/slapd.yml
new file mode 100644
index 00000000..6f1e51e2
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/slapd.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage OpenLDAP service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_slapd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ slapd__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ slapd__tcpwrappers__dependent_allow }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ slapd__logrotate__dependent_config }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::slapd' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+        - '{{ slapd__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+        - '{{ slapd__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ saslauthd__ldap__dependent_tasks }}'
+      when: slapd__saslauthd_enabled | bool
+
+    - role: saslauthd
+      tags: [ 'role::saslauthd', 'skip::saslauthd' ]
+      saslauthd__dependent_instances:
+        - '{{ slapd__saslauthd__dependent_instances }}'
+      when: slapd__saslauthd_enabled | bool
+
+    - role: slapd
+      tags: [ 'role::slapd', 'skip::slapd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/smstools.yml b/ansible_collections/debops/debops/playbooks/service/smstools.yml
new file mode 100644
index 00000000..ce9b9ba8
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/smstools.yml
@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage SMS Gateway service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_smstools' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare postfix environment
+      ansible.builtin.import_role:
+        name: 'postfix'
+        tasks_from: 'main_env'
+      vars:
+        postfix__dependent_maincf:
+          - role: 'smstools'
+            config: '{{ smstools__postfix__dependent_maincf }}'
+        postfix__dependent_mastercf:
+          - role: 'smstools'
+            config: '{{ smstools__postfix__dependent_mastercf }}'
+      tags: [ 'role::postfix', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::postfix' ]
+      secret__directories:
+        - '{{ postfix__secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ smstools__etc_services__dependent_list }}'
+
+    - role: rsyslog
+      tags: [ 'role::rsyslog', 'skip::rsyslog' ]
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ smstools__tcpwrappers__dependent_allow }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ postfix__ferm__dependent_rules }}'
+        - '{{ smstools__ferm__dependent_rules }}'
+
+    - role: postfix
+      tags: [ 'role::postfix', 'skip::postfix' ]
+      postfix__dependent_maincf:
+        - role: 'smstools'
+          config: '{{ smstools__postfix__dependent_maincf }}'
+      postfix__dependent_mastercf:
+        - role: 'smstools'
+          config: '{{ smstools__postfix__dependent_mastercf }}'
+
+    - role: smstools
+      tags: [ 'role::smstools', 'skip::smstools' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/snmpd.yml b/ansible_collections/debops/debops/playbooks/service/snmpd.yml
new file mode 100644
index 00000000..f2706437
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/snmpd.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage SNMP service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_snmpd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ snmpd_ferm_dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers_dependent_allow:
+        - '{{ snmpd_tcpwrappers_dependent_allow }}'
+
+    - role: snmpd
+      tags: [ 'role::snmpd', 'skip::snmpd' ]
+
+    - role: lldpd
+      tags: [ 'role::lldpd', 'skip::lldpd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sshd.yml b/ansible_collections/debops/debops/playbooks/service/sshd.yml
new file mode 100644
index 00000000..912419c5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sshd.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage OpenSSH Server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_sshd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare sshd environment
+      ansible.builtin.import_role:
+        name: 'sshd'
+        tasks_from: 'main_env'
+      tags: [ 'role::sshd', 'role::ldap' ]
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ sshd__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers_dependent_allow:
+        - '{{ sshd__tcpwrappers__dependent_allow }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sshd__ldap__dependent_tasks }}'
+
+    - role: pam_access
+      tags: [ 'role::pam_access', 'skip::pam_access' ]
+      pam_access__dependent_rules:
+        - '{{ sshd__pam_access__dependent_rules }}'
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+      sudo__dependent_sudoers:
+        - '{{ sshd__sudo__dependent_sudoers }}'
+
+    - role: sshd
+      tags: [ 'role::sshd', 'skip::sshd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sssd.yml b/ansible_collections/debops/debops/playbooks/service/sssd.yml
new file mode 100644
index 00000000..6c05dea0
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sssd.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage sssd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_sssd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sssd__ldap__dependent_tasks }}'
+
+    - role: sssd
+      tags: [ 'role::sssd', 'skip::sssd' ]
+
+    - role: nsswitch
+      tags: [ 'role::nsswitch', 'skip::nsswitch' ]
+      nsswitch__dependent_services:
+        - '{{ sssd__nsswitch__dependent_services }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/stunnel.yml b/ansible_collections/debops/debops/playbooks/service/stunnel.yml
new file mode 100644
index 00000000..43c92161
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/stunnel.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure stunnel
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_stunnel' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services_dependent_list: '{{ stunnel_services }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm_input_dependent_list: '{{ stunnel_services }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers_dependent_allow: '{{ stunnel_services }}'
+
+    - role: stunnel
+      tags: [ 'role::stunnel', 'skip::stunnel' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sudo.yml b/ansible_collections/debops/debops/playbooks/service/sudo.yml
new file mode 100644
index 00000000..03244992
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sudo.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure sudo service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_sudo' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/swapfile.yml b/ansible_collections/debops/debops/playbooks/service/swapfile.yml
new file mode 100644
index 00000000..1a60a43b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/swapfile.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure swap files
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_swapfile' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: swapfile
+      tags: [ 'role::swapfile', 'skip::swapfile' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sysctl.yml b/ansible_collections/debops/debops/playbooks/service/sysctl.yml
new file mode 100644
index 00000000..05c9597b
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sysctl.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage kernel parameters using sysctl
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_sysctl' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sysfs.yml b/ansible_collections/debops/debops/playbooks/service/sysfs.yml
new file mode 100644
index 00000000..a8d349f4
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sysfs.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure sysfs options
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_sysfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare sysfs environment
+      ansible.builtin.import_role:
+        name: 'sysfs'
+        tasks_from: 'main_env'
+      tags: [ 'role::sysfs', 'role::secret' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::sysfs' ]
+      secret__directories:
+        - '{{ sysfs__secret__directories | d([]) }}'
+
+    - role: sysfs
+      tags: [ 'role::sysfs', 'skip::sysfs' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/sysnews.yml b/ansible_collections/debops/debops/playbooks/service/sysnews.yml
new file mode 100644
index 00000000..e81eb529
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/sysnews.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage System News entries
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_sysnews' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: sysnews
+      tags: [ 'role::sysnews', 'skip::sysnews' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/system_groups.yml b/ansible_collections/debops/debops/playbooks/service/system_groups.yml
new file mode 100644
index 00000000..4cb4b566
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/system_groups.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure UNIX system groups
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_system_groups' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::ldap' ]
+      python__dependent_packages3:
+        - '{{ ldap__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ ldap__python__dependent_packages2 }}'
+
+    - role: ldap
+      tags: [ 'role::ldap', 'skip::ldap' ]
+      ldap__dependent_tasks:
+        - '{{ sudo__ldap__dependent_tasks }}'
+
+    - role: sudo
+      tags: [ 'role::sudo', 'skip::sudo' ]
+
+    - role: system_groups
+      tags: [ 'role::system_groups', 'skip::system_groups' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/system_users.yml b/ansible_collections/debops/debops/playbooks/service/system_users.yml
new file mode 100644
index 00000000..b6715a26
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/system_users.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local users and groups
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_system_users' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: system_users
+      tags: [ 'role::system_users', 'skip::system_users' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/systemd.yml b/ansible_collections/debops/debops/playbooks/service/systemd.yml
new file mode 100644
index 00000000..c8a5ba18
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/systemd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage systemd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_systemd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: systemd
+      tags: [ 'role::systemd', 'skip::systemd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tcpwrappers.yml b/ansible_collections/debops/debops/playbooks/service/tcpwrappers.yml
new file mode 100644
index 00000000..d213c6c5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tcpwrappers.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage TCP Wrappers
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_tcpwrappers' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/telegraf.yml b/ansible_collections/debops/debops/playbooks/service/telegraf.yml
new file mode 100644
index 00000000..f6221af6
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/telegraf.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Manage Telegraf instance
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_telegraf' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::influxdata' ]
+      keyring__dependent_apt_keys:
+        - '{{ influxdata__keyring__dependent_apt_keys }}'
+
+    - role: influxdata
+      tags: [ 'role::influxdata', 'skip::influxdata' ]
+      influxdata__dependent_packages:
+        - '{{ telegraf__influxdata__dependent_packages }}'
+
+    - role: telegraf
+      tags: [ 'role::telegraf', 'skip::telegraf' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tftpd.yml b/ansible_collections/debops/debops/playbooks/service/tftpd.yml
new file mode 100644
index 00000000..b55e5367
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tftpd.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage TFTP service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tftpd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ tftpd__ferm__dependent_rules }}'
+
+    - role: tcpwrappers
+      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
+      tcpwrappers__dependent_allow:
+        - '{{ tftpd__tcpwrappers__dependent_allow }}'
+
+    - role: tftpd
+      tags: [ 'role::tftpd', 'skip::tftpd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tgt.yml b/ansible_collections/debops/debops/playbooks/service/tgt.yml
new file mode 100644
index 00000000..9a9a1a18
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tgt.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage iSCSI Target service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tgt' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ tgt__ferm__dependent_rules }}'
+
+    - role: tgt
+      tags: [ 'role::tgt', 'skip::tgt' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/timesyncd.yml b/ansible_collections/debops/debops/playbooks/service/timesyncd.yml
new file mode 100644
index 00000000..d869b0dd
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/timesyncd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage systemd-timesyncd service
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_timesyncd' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: timesyncd
+      tags: [ 'role::timesyncd', 'skip::timesyncd' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tinc-persistent_paths.yml b/ansible_collections/debops/debops/playbooks/service/tinc-persistent_paths.yml
new file mode 100644
index 00000000..a1436553
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tinc-persistent_paths.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Tinc VPN and ensure persistence
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tinc_persistent_paths', 'debops_service_tinc_aux' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare tinc environment
+      ansible.builtin.import_role:
+        name: 'tinc'
+        tasks_from: 'main_env'
+      tags: [ 'role::tinc', 'role::tinc:secret', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::tinc:secret' ]
+      secret__directories: '{{ tinc__env_secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list: '{{ tinc__env_etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules: '{{ tinc__env_ferm__dependent_rules }}'
+
+    - role: tinc
+      tags: [ 'role::tinc', 'skip::tinc' ]
+
+    - role: persistent_paths
+      tags: [ 'role::persistent_paths', 'skip::persistent_paths' ]
+      persistent_paths__dependent_paths: '{{ tinc__persistent_paths__dependent_paths }}'
diff --git a/ansible_collections/debops/debops/playbooks/service/tinc-plain.yml b/ansible_collections/debops/debops/playbooks/service/tinc-plain.yml
new file mode 100644
index 00000000..365c1a24
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tinc-plain.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure Tinc VPN
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tinc', 'debops_service_tinc_aux' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare tinc environment
+      ansible.builtin.import_role:
+        name: 'tinc'
+        tasks_from: 'main_env'
+      tags: [ 'role::tinc', 'role::tinc:secret', 'role::secret', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::tinc:secret' ]
+      secret__directories: '{{ tinc__env_secret__directories }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list: '{{ tinc__env_etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules: '{{ tinc__env_ferm__dependent_rules }}'
+
+    - role: tinc
+      tags: [ 'role::tinc', 'skip::tinc' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tinc.yml b/ansible_collections/debops/debops/playbooks/service/tinc.yml
new file mode 100644
index 00000000..512a3fff
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tinc.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage regular Tinc VPN installation
+  import_playbook: 'tinc-plain.yml'
+
+- name: Manage Tinc VPN installation on QubesOS
+  import_playbook: 'tinc-persistent_paths.yml'
diff --git a/ansible_collections/debops/debops/playbooks/service/tinyproxy.yml b/ansible_collections/debops/debops/playbooks/service/tinyproxy.yml
new file mode 100644
index 00000000..5b6bc451
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tinyproxy.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Tinyproxy
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_tinyproxy' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ tinyproxy__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ tinyproxy__ferm__dependent_rules }}'
+
+    - role: tinyproxy
+      tags: [ 'role::tinyproxy', 'skip::tinyproxy' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/tzdata.yml b/ansible_collections/debops/debops/playbooks/service/tzdata.yml
new file mode 100644
index 00000000..710da6fa
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/tzdata.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage time zone configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_tzdata' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: tzdata
+      tags: [ 'role::tzdata', 'skip::tzdata' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/unattended_upgrades.yml b/ansible_collections/debops/debops/playbooks/service/unattended_upgrades.yml
new file mode 100644
index 00000000..a8743639
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/unattended_upgrades.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage unattended APT upgrades
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_unattended_upgrades' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: unattended_upgrades
+      tags: [ 'role::unattended_upgrades', 'skip::unattended_upgrades' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/unbound.yml b/ansible_collections/debops/debops/playbooks/service/unbound.yml
new file mode 100644
index 00000000..79e40334
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/unbound.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Unbound, local DNS resolver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_unbound' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'unbound'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ unbound__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ unbound__python__dependent_packages2 }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ unbound__etc_services__dependent_list }}'
+
+    - role: unbound
+      tags: [ 'role::unbound', 'skip::unbound' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/users.yml b/ansible_collections/debops/debops/playbooks/service/users.yml
new file mode 100644
index 00000000..769829b8
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/users.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2019 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage local users and groups
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_users' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: libuser
+      tags: [ 'role::libuser', 'skip::libuser' ]
+
+    - role: users
+      tags: [ 'role::users', 'skip::users' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/wpcli.yml b/ansible_collections/debops/debops/playbooks/service/wpcli.yml
new file mode 100644
index 00000000..ef16058f
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/wpcli.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install WP-CLI framework
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_wpcli' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      ansible.builtin.import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+        keyring__dependent_gpg_keys:
+          - '{{ wpcli__keyring__dependent_gpg_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php', 'role::wpcli' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
+      php__dependent_packages:
+        - '{{ wpcli__php__dependent_packages }}'
+
+    - role: wpcli
+      tags: [ 'role::wpcli', 'skip::wpcli' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/yadm.yml b/ansible_collections/debops/debops/playbooks/service/yadm.yml
new file mode 100644
index 00000000..27c31817
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/yadm.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure yadm, Yet Another Dotfiles Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_all_hosts', 'debops_service_yadm' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
+      keyring__dependent_gpg_keys:
+        - '{{ yadm__keyring__dependent_gpg_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ yadm__apt_preferences__dependent_list }}'
+
+    - role: yadm
+      tags: [ 'role::yadm', 'skip::yadm' ]
diff --git a/ansible_collections/debops/debops/playbooks/service/zabbix_agent.yml b/ansible_collections/debops/debops/playbooks/service/zabbix_agent.yml
new file mode 100644
index 00000000..df3616c4
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/service/zabbix_agent.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2021-2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and manage Zabbix agent
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_zabbix_agent' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ zabbix_agent__ferm__dependent_rules }}'
+
+    - role: zabbix_agent
+      tags: [ 'role::zabbix_agent', 'skip::zabbix_agent' ]
diff --git a/ansible_collections/debops/debops/playbooks/site.yml b/ansible_collections/debops/debops/playbooks/site.yml
new file mode 100644
index 00000000..91630235
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/site.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This is main entry point for DebOps playbooks. An example execution command:
+#
+#    debops run site -l <host>
+#
+# This playbook can be slow depending on the network and I/O on Ansible
+# Controller and remote hosts. You can use sub-playbooks to make execution
+# faster. For example, to apply a common set of Ansible roles on a host, you
+# can run the command:
+#
+#    debops run common -l <host>
+
+
+  # This playbook manages network infrastructure, like creation and management
+  # of separate subnets, DNS, DHCP services, routing configuration, etc.
+- name: Manage network layer
+  import_playbook: 'layer/net.yml'
+
+  # This playbook manages internal system plumbing expected on the host by
+  # services, like user accounts, NFS mounts from remote hosts, and so on.
+  # Everything that is not common, but enabled on a per group/host basis.
+- name: Manage system service layer
+  import_playbook: 'layer/sys.yml'
+
+  # This playbook contains roles that are run on all hosts in the inventory
+  # - common services like SMTP server, administrative tasks, authentication
+  # and authorization control, system services used by other applications like
+  # firewall, etc.
+- name: Manage services common on all hosts
+  import_playbook: 'layer/common.yml'
+
+  # This playbook manages different programming language environments available
+  # on each host, enabled using Ansible groups.
+- name: Manage programming language environments
+  import_playbook: 'layer/env.yml'
+
+  # This playbook manages system services enabled using Ansible groups, like
+  # databases, webservers, application servers, and so on.
+- name: Manage userspace service layer
+  import_playbook: 'layer/srv.yml'
+
+  # This playbook contains plays which install and manage more complex
+  # applications which can use multiple services at a time, or are user-facing
+  # applications like webservices.
+- name: Manage userspace applications
+  import_playbook: 'layer/app.yml'
+
+  # This playbook manages virtualized environments installed on hosts, like
+  # OpenVZ Hardware Nodes, support for LXC containers in a host, or support for
+  # KVM virtual machines. This is meant for the host-side of the virtualization
+  # support, guest-side is managed by the rest of the playbook without the use
+  # of the plays contained here.
+- name: Manage virtual machine layer
+  import_playbook: 'layer/virt.yml'
+
+  # This playbook manages hardware-related roles - device management, disk
+  # partitioning, hardware monitoring, kernel management, any roles that would
+  # require a reboot.
+- name: Manage hardware layer
+  import_playbook: 'layer/hw.yml'
+
+  # This playbook manages services or applications that are used as agents by
+  # other services, on local or remote hosts. These agents may contact their
+  # parent services to register themselves or provide data about their
+  # environment, therefore they should be executed after the hosts they run on
+  # are configured.
+- name: Manage service agents
+  import_playbook: 'layer/agent.yml'
diff --git a/ansible_collections/debops/debops/playbooks/templates/debops__tpl_macros.j2 b/ansible_collections/debops/debops/playbooks/templates/debops__tpl_macros.j2
new file mode 100644
index 00000000..0a3b59a7
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/templates/debops__tpl_macros.j2
@@ -0,0 +1,225 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be imported in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps https://debops.org/
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in templates which are called by {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be imported like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{#
+## Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{%  macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{#
+## Recursively merges nested dictionaries or a nested dictionary with a list of
+## dictionaries. In the second case, a key name can be given whose value will
+## be used as top-level key for the dictionary item. Note that for merging simple
+## dictionaries you should use the regular `combined` Jinja filter.
+##
+## This can be used to define default variables as YAML dictionaries and then
+## use YAML lists of dictionaries either in the inventory or in role dependent
+## variables which lets you add multiple YAML lists together.
+##
+## Arguments:
+##   current_dict:   Nested dictionary whose values might get overwritten if
+##                   defined in `to_merge_dict`.
+##   to_merge_dict:  Dictionary or list of dictionaries being merged into `current_dict`.
+##   dict_key:       Key in the `to_merge_dict` item which is used to match the
+##                   dictionary item being merged in `current_dict` in case `to_merge_dict`
+##                   is a list of dictionaries.
+##
+## Return: JSON-formatted dictionary
+##
+## Examples:
+##
+## 1. Merge single-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'},
+##                                        'item2': {'key3': 'val3', 'key4': 'val4'}},
+##                                       {'item1': {'key2': 'new_val2'},
+##                                        'item2': {'key5': 'val5'    }}) }}
+##
+##     Will output: {"item1": {"key1": "val1", "key2": "new_val2"},
+##                   "item2": {"key3": "val3", "key4": "val4", "key5": "val5"}}
+##
+## 2. Merge double-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'prop1': {'key1': 'val1'}}},
+##                                       {'item1': {'prop1': {'key3': 'val3'},
+##                                                  'prop2': {'key2': 'val2'}}}) }}
+##
+##     Will output: {"item1": {"prop1": {"key1": "val1", "key3": "val3"},
+##                             "prop2": {"key2": "val2"}}}
+##
+## 3. Merge nested dictionary with list of dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'}},
+##                                       [{'name': 'item2', 'key3': 'val3'},
+##                                        {'name': 'item3', 'key4': 'val4'}]) }}
+##
+##     Will output: {"item1: {"key1": "val1", "key2": "val2"},
+##                   "item2: {"name": "item2", "key3": "val3"},
+##                   "item3: {"name": "item3", "key4": "val4"}}
+#}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happyily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Returns flattened object as JSON which you will need to deserialize using `from_yaml`.
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/playbooks/tools/6to4.yml b/ansible_collections/debops/debops/playbooks/tools/6to4.yml
new file mode 100644
index 00000000..67ef86a5
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/tools/6to4.yml
@@ -0,0 +1,66 @@
+---
+
+# DebOps playbook: tools/6to4
+# Copyright (C) 2014 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This playbook sets up and enables IPv6 6to4 tunnel interface to connect your
+# IPv4 host to IPv6 network. More information about 6to4 transition mechanism:
+# https://en.wikipedia.org/wiki/6to4
+#
+# This playbook requires 'ipaddr()' Ansible filter plugin, available in
+# https://github.com/debops/debops-playbooks/ repository.
+
+
+- name: Configure and enable IPv6 6to4 tunnel
+  hosts: debops_6to4
+  become: True
+
+  vars:
+
+    # Default 6to4 interface name
+    debops_6to4_var_iface: '{{ debops_6to4_iface | default("6to4") }}'
+
+    # IPv4 interface which will be used to calculate 6to4 address
+    debops_6to4_var_ipv4_interface: '{{ debops_6to4_ipv4_interface | default(ansible_default_ipv4.interface) }}'
+
+    # IPv6 address converted from IPv4 public address
+    debops_6to4_var_ipv6_address: '{{ hostvars[inventory_hostname]["ansible_" + debops_6to4_var_ipv4_interface].ipv4.address | ansible.utils.ipv4("6to4") }}'
+
+
+  pre_tasks:
+
+    - name: Make sure that host has a public IPv4 address
+      ansible.builtin.assert:
+        that: [ '{{ debops_6to4_var_ipv6_address != "False" }}' ]
+
+
+  roles:
+
+    - role: ifupdown
+      tags: ifupdown
+      ifupdown_dependent_interfaces:
+
+        - iface: '{{ debops_6to4_var_iface }}'
+          type: '6to4'
+          tunnel_6to4_ipv4_interface: '{{ debops_6to4_var_ipv4_interface }}'
+          filename: 'debops_6to4_tunnel_{{ debops_6to4_var_ipv4_interface }}'
+          weight: '30'
+
+    - role: ferm
+      tags: ferm
+      ferm_input_dependent_list:
+
+        - type: 'custom'
+          dport: []
+          by_role: 'DebOps playbook: net/ipv6/6to4'
+          filename: 'debops_6to4_tunnel_{{ debops_6to4_var_ipv4_interface }}'
+          weight: '30'
+          rules: |
+            {% if debops_6to4_var_ipv6_address is defined and debops_6to4_var_ipv6_address %}
+            # Allow IPv6-in-IPv4 traffic
+            @if @eq($DOMAIN, ip) protocol ipv6 interface {{ debops_6to4_var_ipv4_interface }} ACCEPT;
+            {% else %}
+            # IPv6-in-IPv4 traffic not allowed
+            {% endif %}
diff --git a/ansible_collections/debops/debops/playbooks/tools/debug.yml b/ansible_collections/debops/debops/playbooks/tools/debug.yml
new file mode 100644
index 00000000..1c26b70e
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/tools/debug.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Debug host variables
+  hosts: all
+  tasks:
+    - name: Display all variables/facts known for a host
+      ansible.builtin.debug:
+        var: hostvars[inventory_hostname]
diff --git a/ansible_collections/debops/debops/playbooks/tools/dist-upgrade.yml b/ansible_collections/debops/debops/playbooks/tools/dist-upgrade.yml
new file mode 100644
index 00000000..2813ec18
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/tools/dist-upgrade.yml
@@ -0,0 +1,233 @@
+---
+
+# dist-upgrade - upgrade a Debian/Ubuntu system to next release
+# Copyrignt (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+
+# ===========================================================================
+# Warning: Before using this playbook, consult the list of issues on GitHub:
+# https://github.com/debops/debops-playbooks/labels/dist-upgrade
+# This list will be updated with issues as they are discovered and reported.
+# ===========================================================================
+
+
+- name: Upgrade all the things!
+  hosts: all:!localhost
+  become: True
+
+  vars:
+
+    # Map of current and next distribution releases
+    # Redundant in the following places, please update all copies:
+    # Only upgrades up to Debian Stable are enabled here.
+    # To prevent unintentional upgrades to testing, those mappings are
+    # commented out here.
+    #
+    # * ansible/roles/apt/defaults/main.yml
+    # * ansible/roles/apt_preferences/defaults/main.yml
+    # * ansible/roles/reprepro/defaults/main.yml
+    # * ansible/playbooks/tools/dist-upgrade.yml
+    dist_upgrade_version_map:
+      'stretch': 'buster'
+      'buster': 'bullseye'
+      'bullseye': 'bookworm'
+      'bookworm': 'trixie'
+      'trixie': 'forky'
+      'trusty': 'utopic'
+
+    # Current release
+    dist_upgrade_current_release: '{{ ansible_distribution_release }}'
+
+    # Next release
+    dist_upgrade_new_release: '{{ dist_upgrade_version_map[dist_upgrade_current_release] }}'
+
+    # If this file exists, failed upgrade will be tried again
+    dist_upgrade_lockfile: '/tmp/dist-upgrade-in-progress'
+
+    # Host to send the mail to
+    dist_upgrade_mail_host: 'localhost'
+
+    # Port to send the mail to
+    dist_upgrade_mail_port: 25
+
+    # Secure mode to send the mail
+    dist_upgrade_mail_secure: 'try'
+
+    # List of mail recipients
+    dist_upgrade_mail_to: [ '{{ "root@" + ansible_domain }}' ]
+
+    # Mail subject
+    dist_upgrade_mail_subject: '{{ ansible_fqdn }} has been upgraded from {{ ansible_distribution }} {{ dist_upgrade_current_release | capitalize }} to {{ ansible_distribution }} {{ dist_upgrade_new_release | capitalize }}'
+
+    # Mail contents
+    dist_upgrade_mail_body: |
+      Ansible performed an unattended 'apt-get dist-upgrade' on host
+
+          {{ ansible_fqdn }}
+
+      Upgrade has been orchestrated by {{ansible_env.SUDO_USER | d("root")}}.
+      You should reboot {{ ansible_fqdn }} as soon
+      as possible to complete the upgrade process and boot
+      with new kernel.
+
+      Log from the upgrade is included below:
+
+      ============================
+          apt-get dist-upgrade
+      ============================
+
+      {% for line in dist_upgrade_register_upgrade.stdout_lines %}
+      {% if not line | regex_search('^\(Reading\s+database.*%') and
+            not line | regex_search('^\(Reading\s+database\s+\.\.\.\s+$') %}
+      {{ line }}
+      {% endif %}
+      {% endfor %}
+
+      ==========================
+          apt-get autoremove
+      ==========================
+
+      {% for line in dist_upgrade_register_autoremove.stdout_lines %}
+      {% if not line | regex_search('^\(Reading\s+database.*%') and
+            not line | regex_search('^\(Reading\s+database\s+\.\.\.\s+$') %}
+      {{ line }}
+      {% endif %}
+      {% endfor %}
+
+      =========================
+          apt-get autoclean
+      =========================
+
+      {% for line in dist_upgrade_register_autoclean.stdout_lines %}
+      {% if not line | regex_search('^\(Reading\s+database.*%') and
+            not line | regex_search('^\(Reading\s+database\s+\.\.\.\s+$') %}
+      {{ line }}
+      {% endif %}
+      {% endfor %}
+
+
+  tasks:
+
+    - name: Check if lockfile exists
+      ansible.builtin.stat:
+        path: '{{ dist_upgrade_lockfile }}'
+      register: dist_upgrade_register_lockfile
+
+    - name: Find all apt sources.list files
+      ansible.builtin.find:
+        paths: "/etc/apt/"
+        patterns: "*.list"
+        recurse: True
+      register: dist_upgrade_register_apt_sources
+
+    - name: Change current release in APT sources
+      ansible.builtin.replace:
+        dest: "{{ item.path }}"
+        regexp: '{{ dist_upgrade_current_release }}'
+        replace: '{{ dist_upgrade_new_release }}'
+      register: dist_upgrade_register_replace
+      with_items:
+        - "{{ dist_upgrade_register_apt_sources.files }}"
+      when: dist_upgrade_current_release in dist_upgrade_version_map.keys() and
+            dist_upgrade_new_release is defined and dist_upgrade_new_release
+
+    - name: Fix APT sources (buster/updates becomes bullseye-security)
+      ansible.builtin.replace:
+        dest: "{{ item.path }}"
+        regexp: '\s{{ dist_upgrade_new_release }}/updates\s'
+        replace: ' {{ dist_upgrade_new_release }}-security '
+      with_items:
+        - "{{ dist_upgrade_register_apt_sources.files }}"
+      when: dist_upgrade_new_release == 'bullseye'
+
+    - name: Remove all APT preferences for backported packages
+      ansible.builtin.shell: "set -o nounset -o pipefail -o errexit && grep -lrIZ 'Pin: release .*={{ dist_upgrade_current_release }}-backports' /etc/apt/preferences.d | xargs -0 rm -f -- || true"  # noqa no-handler
+      args:
+        executable: 'bash'
+      register: dist_upgrade_register_remove
+      changed_when: dist_upgrade_register_remove.changed | bool
+      when: dist_upgrade_register_replace is defined and dist_upgrade_register_replace is changed
+
+    - name: Create a lockfile
+      ansible.builtin.file:  # noqa no-handler
+        path: '{{ dist_upgrade_lockfile }}'
+        state: 'touch'
+        mode: '0644'
+      when: dist_upgrade_register_replace is defined and dist_upgrade_register_replace is changed
+
+    - name: Perform apt-get dist-upgrade (this might take a while)
+      ansible.builtin.apt:  # noqa no-handler
+        update_cache: True
+        upgrade: 'dist'
+      register: dist_upgrade_register_upgrade
+      when: ((dist_upgrade_register_replace is defined and
+              dist_upgrade_register_replace is changed) or
+             (dist_upgrade_register_lockfile is defined and
+              dist_upgrade_register_lockfile.stat.exists))
+
+
+    - name: Check what init system is active
+      ansible.builtin.stat:
+        path: '/sbin/init'
+      register: dist_upgrade_register_init
+
+    - name: Install dbus package (required by systemd)
+      ansible.builtin.apt:
+        name: 'dbus'
+        state: 'present'
+        install_recommends: False
+      when: dist_upgrade_register_init.stat.lnk_source is defined and
+            dist_upgrade_register_init.stat.lnk_source == '/lib/systemd/systemd'
+
+    - name: Automatically remove packages that are no longer needed
+      ansible.builtin.apt:
+        autoremove: True
+      register: dist_upgrade_register_autoremove
+      when: dist_upgrade_register_upgrade is defined and
+            dist_upgrade_register_upgrade is changed
+
+    - name: Clean APT package cache
+      ansible.builtin.apt:
+        autoclean: True
+      register: dist_upgrade_register_autoclean
+      when: dist_upgrade_register_upgrade is defined and
+            dist_upgrade_register_upgrade is changed
+
+    - name: Check if /etc/services.d exists
+      ansible.builtin.stat:  # noqa no-handler
+        path: '/etc/services.d'
+      register: dist_upgrade_register_etc_services
+      when: dist_upgrade_register_upgrade is defined and
+            dist_upgrade_register_upgrade is changed
+
+    - name: Assemble /etc/services
+      ansible.builtin.assemble:
+        src: '/etc/services.d'
+        dest: '/etc/services'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        backup: False
+      when: dist_upgrade_register_etc_services is not skipped and
+            dist_upgrade_register_etc_services is defined and
+            dist_upgrade_register_etc_services.stat.exists
+
+    - name: Remove the lockfile
+      ansible.builtin.file:
+        path: '{{ dist_upgrade_lockfile }}'
+        state: 'absent'
+
+    - name: Send mail with information about the upgrade
+      community.general.mail:  # noqa no-handler
+        host: '{{ dist_upgrade_mail_host }}'
+        port: '{{ dist_upgrade_mail_port }}'
+        secure: '{{ dist_upgrade_mail_secure }}'
+        from: '{{ "root@" + ansible_fqdn }}'
+        to: '{{ dist_upgrade_mail_to | join(",") }}'
+        subject: '{{ dist_upgrade_mail_subject }}'
+        charset: 'utf8'
+        body: '{{ dist_upgrade_mail_body }}'
+      when: dist_upgrade_register_upgrade is defined and
+            dist_upgrade_register_upgrade is changed
diff --git a/ansible_collections/debops/debops/playbooks/upgrade.yml b/ansible_collections/debops/debops/playbooks/upgrade.yml
new file mode 100644
index 00000000..ba373577
--- /dev/null
+++ b/ansible_collections/debops/debops/playbooks/upgrade.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2020 Ellen Papsch <ellenpapsch@gmail.com>
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# Upgrade packages which are safe to be updated. This means no
+# packages will be removed.
+#
+# You can chain the 'reboot.yml' playbook to tell the host to reboot after an
+# upgrade:
+#
+#   debops run upgrade reboot -l <host>
+#
+# The 'reboot' DebOps role will check if the reboot is required and do it only
+# when needed.
+
+- name: Upgrade a machine using APT
+  hosts: [ 'debops_all_hosts' ]
+  become: True
+  gather_facts: False
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  tasks:
+
+    - name: Upgrade safe packages with refreshed cache
+      ansible.builtin.apt:
+        update_cache: True
+        upgrade: 'safe'
diff --git a/ansible_collections/debops/debops/plugins/callback/profile_tasks.py b/ansible_collections/debops/debops/plugins/callback/profile_tasks.py
new file mode 100644
index 00000000..d0ccb19e
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/callback/profile_tasks.py
@@ -0,0 +1,75 @@
+# profile_tasks.py: an Ansible plugin for timing tasks
+
+# Copyright (C) 2014 Jharrod LaFon <jharrod.lafon@gmail.com>
+# SPDX-License-Identifier: MIT
+# https://github.com/jlafon/ansible-profile/
+# Included with permission
+
+
+# The MIT License (MIT)
+#
+# Copyright (c) 2014 Jharrod LaFon
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+from ansible.plugins.callback import CallbackBase
+import time
+
+
+class CallbackModule(CallbackBase):
+    """
+    A plugin for timing tasks
+    """
+    def __init__(self):
+        self.stats = {}
+        self.current = None
+
+    def playbook_on_task_start(self, name, is_conditional):
+        """
+        Logs the start of each task
+        """
+        if self.current is not None:
+            # Record the running time of the last executed task
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Record the start time of the current task
+        self.current = name
+        self.stats[self.current] = time.time()
+
+    def playbook_on_stats(self, stats):
+        """
+        Prints the timings
+        """
+        # Record the timing of the very last task
+        if self.current is not None:
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Sort the tasks by their running time
+        results = sorted(self.stats.items(),
+                         key=lambda value: value[1], reverse=True)
+
+        # Just keep the top 10
+        results = results[:10]
+
+        # Print the timings
+        for name, elapsed in results:
+            print("{0:-<70}{1:->9}".format(
+                    '{0} '.format(name),
+                    ' {0:.02f}s'.format(elapsed)))
diff --git a/ansible_collections/debops/debops/plugins/callback_plugins/profile_tasks.py b/ansible_collections/debops/debops/plugins/callback_plugins/profile_tasks.py
new file mode 100644
index 00000000..d0ccb19e
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/callback_plugins/profile_tasks.py
@@ -0,0 +1,75 @@
+# profile_tasks.py: an Ansible plugin for timing tasks
+
+# Copyright (C) 2014 Jharrod LaFon <jharrod.lafon@gmail.com>
+# SPDX-License-Identifier: MIT
+# https://github.com/jlafon/ansible-profile/
+# Included with permission
+
+
+# The MIT License (MIT)
+#
+# Copyright (c) 2014 Jharrod LaFon
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+from ansible.plugins.callback import CallbackBase
+import time
+
+
+class CallbackModule(CallbackBase):
+    """
+    A plugin for timing tasks
+    """
+    def __init__(self):
+        self.stats = {}
+        self.current = None
+
+    def playbook_on_task_start(self, name, is_conditional):
+        """
+        Logs the start of each task
+        """
+        if self.current is not None:
+            # Record the running time of the last executed task
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Record the start time of the current task
+        self.current = name
+        self.stats[self.current] = time.time()
+
+    def playbook_on_stats(self, stats):
+        """
+        Prints the timings
+        """
+        # Record the timing of the very last task
+        if self.current is not None:
+            self.stats[self.current] = time.time() - self.stats[self.current]
+
+        # Sort the tasks by their running time
+        results = sorted(self.stats.items(),
+                         key=lambda value: value[1], reverse=True)
+
+        # Just keep the top 10
+        results = results[:10]
+
+        # Print the timings
+        for name, elapsed in results:
+            print("{0:-<70}{1:->9}".format(
+                    '{0} '.format(name),
+                    ' {0:.02f}s'.format(elapsed)))
diff --git a/ansible_collections/debops/debops/plugins/connection/lxc_ssh.py b/ansible_collections/debops/debops/plugins/connection/lxc_ssh.py
new file mode 100644
index 00000000..c9c43c1e
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/connection/lxc_ssh.py
@@ -0,0 +1,1495 @@
+# Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# SSH + lxc-attach connection module for Ansible 2.0
+#
+# Adapted from ansible/plugins/connection/ssh.py
+# Forked from https://github.com/chifflier/ansible-lxc-ssh
+# Hosted on https://github.com/andreasscherbaum/ansible-lxc-ssh
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import errno
+import fcntl
+import hashlib
+import os
+import pipes
+import pty
+import shlex
+import subprocess
+import sys
+import time
+
+from ansible.release import __version__ as ansible_version
+from functools import wraps
+from ansible import constants as C
+from ansible.errors import (
+    AnsibleError,
+    AnsibleConnectionFailure,
+    AnsibleFileNotFound,
+)
+from ansible.errors import AnsibleOptionsError
+from ansible.compat import selectors
+from ansible.module_utils.six import PY3, text_type, binary_type
+from ansible.module_utils.six.moves import shlex_quote
+from ansible.module_utils._text import to_bytes, to_native, to_text
+from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean
+from ansible.plugins.connection import ConnectionBase, BUFSIZE
+from ansible.utils.path import unfrackpath, makedirs_safe
+
+from ansible.module_utils._text import (
+    to_bytes,
+    to_text as to_unicode,
+    to_native as to_str,
+)
+
+DOCUMENTATION = """
+    name: lxc_ssh
+    short_description: connect via ssh and lxc to remote lxc guest
+    description:
+        - This connection plugin allows ansible to communicate to the target
+          machines via normal ssh and lxc cli.
+        - Ansible does not expose a channel to allow communication between the
+          user and the ssh process to accept a password manually to decrypt an
+          ssh key when using this connection plugin (which is the default). The
+          use of ``ssh-agent`` is highly recommended.
+    author: Pierre Chifflier
+    notes:
+        - Many options default to 'None' here but that only means we don't
+          override the ssh tool's defaults and/or configuration.
+          For example, if you specify the port in this plugin it will override
+          any C(Port) entry in your C(.ssh/config).
+    options:
+      host:
+          description: Hostname/ip to connect to.
+          vars:
+               - name: inventory_hostname
+               - name: ansible_host
+               - name: ansible_ssh_host
+               - name: delegated_vars['ansible_host']
+               - name: delegated_vars['ansible_ssh_host']
+      host_key_checking:
+          description: Determines if ssh should check host keys
+          type: boolean
+          ini:
+              - section: defaults
+                key: 'host_key_checking'
+              - section: ssh_connection
+                key: 'host_key_checking'
+                version_added: '2.5'
+          env:
+              - name: ANSIBLE_HOST_KEY_CHECKING
+              - name: ANSIBLE_SSH_HOST_KEY_CHECKING
+                version_added: '2.5'
+          vars:
+              - name: ansible_host_key_checking
+                version_added: '2.5'
+              - name: ansible_ssh_host_key_checking
+                version_added: '2.5'
+      password:
+          description: Authentication password for the C(remote_user).
+                       Can be supplied as CLI option.
+          vars:
+              - name: ansible_password
+              - name: ansible_ssh_pass
+              - name: ansible_ssh_password
+      sshpass_prompt:
+          description: Password prompt that sshpass should search for.
+                       Supported by sshpass 1.06 and up.
+          default: ''
+          ini:
+              - section: 'ssh_connection'
+                key: 'sshpass_prompt'
+          env:
+              - name: ANSIBLE_SSHPASS_PROMPT
+          vars:
+              - name: ansible_sshpass_prompt
+          version_added: '2.10'
+      ssh_args:
+          description: Arguments to pass to all ssh cli tools
+          default: '-C -o ControlMaster=auto -o ControlPersist=60s'
+          ini:
+              - section: 'ssh_connection'
+                key: 'ssh_args'
+          env:
+              - name: ANSIBLE_SSH_ARGS
+          vars:
+              - name: ansible_ssh_args
+                version_added: '2.7'
+          cli:
+              - name: ssh_args
+      ssh_common_args:
+          description: Common extra args for all ssh CLI tools
+          ini:
+              - section: 'ssh_connection'
+                key: 'ssh_common_args'
+                version_added: '2.7'
+          env:
+              - name: ANSIBLE_SSH_COMMON_ARGS
+                version_added: '2.7'
+          vars:
+              - name: ansible_ssh_common_args
+          cli:
+              - name: ssh_common_args
+      ssh_executable:
+          default: ssh
+          description:
+            - This defines the location of the ssh binary.
+              It defaults to ``ssh`` which will use the first ssh binary
+              available in $PATH.
+            - This option is usually not required, it might be useful when
+              access to system ssh is restricted,
+              or when using ssh wrappers to connect to remote hosts.
+          env: [{name: ANSIBLE_SSH_EXECUTABLE}]
+          ini:
+          - {key: ssh_executable, section: ssh_connection}
+          #const: ANSIBLE_SSH_EXECUTABLE
+          version_added: "2.2"
+          vars:
+              - name: ansible_ssh_executable
+                version_added: '2.7'
+      sftp_executable:
+          default: sftp
+          description:
+            - This defines the location of the sftp binary. It defaults to
+              ``sftp`` which will use the first binary available in $PATH.
+          env: [{name: ANSIBLE_SFTP_EXECUTABLE}]
+          ini:
+          - {key: sftp_executable, section: ssh_connection}
+          version_added: "2.6"
+          vars:
+              - name: ansible_sftp_executable
+                version_added: '2.7'
+      scp_executable:
+          default: scp
+          description:
+            - This defines the location of the scp binary. It defaults to
+              `scp` which will use the first binary available in $PATH.
+          env: [{name: ANSIBLE_SCP_EXECUTABLE}]
+          ini:
+          - {key: scp_executable, section: ssh_connection}
+          version_added: "2.6"
+          vars:
+              - name: ansible_scp_executable
+                version_added: '2.7'
+      scp_extra_args:
+          description: Extra exclusive to the ``scp`` CLI
+          vars:
+              - name: ansible_scp_extra_args
+          env:
+            - name: ANSIBLE_SCP_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: scp_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: scp_extra_args
+      sftp_extra_args:
+          description: Extra exclusive to the ``sftp`` CLI
+          vars:
+              - name: ansible_sftp_extra_args
+          env:
+            - name: ANSIBLE_SFTP_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: sftp_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: sftp_extra_args
+      ssh_extra_args:
+          description: Extra exclusive to the 'ssh' CLI
+          vars:
+              - name: ansible_ssh_extra_args
+          env:
+            - name: ANSIBLE_SSH_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: ssh_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: ssh_extra_args
+      retries:
+          description: Number of attempts to connect.
+          default: 3
+          type: integer
+          env:
+            - name: ANSIBLE_SSH_RETRIES
+          ini:
+            - section: connection
+              key: retries
+            - section: ssh_connection
+              key: retries
+          vars:
+            - name: ansible_ssh_retries
+              version_added: '2.7'
+      port:
+          description: Remote port to connect to.
+          type: int
+          ini:
+            - section: defaults
+              key: remote_port
+          env:
+            - name: ANSIBLE_REMOTE_PORT
+          vars:
+            - name: ansible_port
+            - name: ansible_ssh_port
+      remote_user:
+          description:
+              - User name with which to login to the remote server, normally
+                set by the remote_user keyword.
+              - If no user is supplied, Ansible will let the ssh client binary
+                choose the user as it normally
+          ini:
+            - section: defaults
+              key: remote_user
+          env:
+            - name: ANSIBLE_REMOTE_USER
+          vars:
+            - name: ansible_user
+            - name: ansible_ssh_user
+          cli:
+            - name: user
+      pipelining:
+          env:
+            - name: ANSIBLE_PIPELINING
+            - name: ANSIBLE_SSH_PIPELINING
+          ini:
+            - section: connection
+              key: pipelining
+            - section: ssh_connection
+              key: pipelining
+          vars:
+            - name: ansible_pipelining
+            - name: ansible_ssh_pipelining
+
+      private_key_file:
+          description:
+              - Path to private key file to use for authentication
+          ini:
+            - section: defaults
+              key: private_key_file
+          env:
+            - name: ANSIBLE_PRIVATE_KEY_FILE
+          vars:
+            - name: ansible_private_key_file
+            - name: ansible_ssh_private_key_file
+          cli:
+            - name: private_key_file
+
+      control_path:
+        description:
+          - This is the location to save ssh's ControlPath sockets, it uses
+            ssh's variable substitution.
+          - Since 2.3, if null (default), ansible will generate a unique hash.
+            Use `%(directory)s` to indicate where to use the control dir path
+            setting.
+          - Before 2.3 it defaulted to
+            `control_path=%(directory)s/ansible-ssh-%%h-%%p-%%r`.
+          - Be aware that this setting is ignored if `-o ControlPath` is set
+            in ssh args.
+        env:
+          - name: ANSIBLE_SSH_CONTROL_PATH
+        ini:
+          - key: control_path
+            section: ssh_connection
+        vars:
+          - name: ansible_control_path
+            version_added: '2.7'
+      control_path_dir:
+        default: ~/.ansible/cp
+        description:
+          - This sets the directory to use for ssh control path if the control
+            path setting is null.
+          - Also, provides the `%(directory)s` variable for the control
+            path setting.
+        env:
+          - name: ANSIBLE_SSH_CONTROL_PATH_DIR
+        ini:
+          - section: ssh_connection
+            key: control_path_dir
+        vars:
+          - name: ansible_control_path_dir
+            version_added: '2.7'
+      sftp_batch_mode:
+        default: 'yes'
+        description: 'TODO: write it'
+        env: [{name: ANSIBLE_SFTP_BATCH_MODE}]
+        ini:
+        - {key: sftp_batch_mode, section: ssh_connection}
+        type: bool
+        vars:
+          - name: ansible_sftp_batch_mode
+            version_added: '2.7'
+      ssh_transfer_method:
+        default: smart
+        description:
+            - "Preferred method to use when transferring files over ssh"
+            - Setting to 'smart' (default) will try them in order, until one
+              succeeds or they all fail
+            - Using 'piped' creates an ssh pipe with ``dd`` on either side to
+              copy the data
+        choices: ['sftp', 'scp', 'piped', 'smart']
+        env: [{name: ANSIBLE_SSH_TRANSFER_METHOD}]
+        ini:
+            - {key: transfer_method, section: ssh_connection}
+      scp_if_ssh:
+        default: smart
+        description:
+          - "Preferred method to use when transferring files over ssh"
+          - When set to smart, Ansible will try them until one succeeds or they
+            all fail
+          - If set to True, it will force 'scp', if False it will use 'sftp'
+        env: [{name: ANSIBLE_SCP_IF_SSH}]
+        ini:
+        - {key: scp_if_ssh, section: ssh_connection}
+        vars:
+          - name: ansible_scp_if_ssh
+            version_added: '2.7'
+      use_tty:
+        version_added: '2.5'
+        default: 'yes'
+        description: add -tt to ssh commands to force tty allocation
+        env: [{name: ANSIBLE_SSH_USETTY}]
+        ini:
+        - {key: usetty, section: ssh_connection}
+        type: bool
+        vars:
+          - name: ansible_ssh_use_tty
+            version_added: '2.7'
+      timeout:
+        default: 10
+        description:
+            - This is the default amount of time we will wait while
+              establishing an ssh connection
+            - It also controls how long we can wait to access reading the
+              connection once established (select on the socket)
+        env:
+            - name: ANSIBLE_TIMEOUT
+            - name: ANSIBLE_SSH_TIMEOUT
+              version_added: '2.11'
+        ini:
+            - key: timeout
+              section: defaults
+            - key: timeout
+              section: ssh_connection
+              version_added: '2.11'
+        vars:
+          - name: ansible_ssh_timeout
+            version_added: '2.11'
+        cli:
+          - name: timeout
+        type: integer
+      lxc_host:
+        description:
+            The lxc host to connect to.
+        env:
+            - name: LXC_HOST
+            - name: LXC_CONTAINER
+        ini:
+            - key: lxc_host
+              section: lxc_ssh_connection
+            - key: lxc_container
+              section: lxc_ssh_connection
+        vars:
+          - name: lxc_host
+          - name: lxc_container
+        cli:
+          - name: lxc_host
+          - name: lxc_container
+"""
+
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+
+    display = Display()
+
+
+class AnsibleControlPersistBrokenPipeError(AnsibleError):
+    """ControlPersist broken pipe"""
+
+    pass
+
+
+def _ssh_retry(func):
+    """
+    Decorator to retry ssh/scp/sftp in the case of a connection failure
+
+    Will retry if:
+    * an exception is caught
+    * ssh returns 255
+    Will not retry if
+    * remaining_tries is <2
+    * retries limit reached
+    """
+
+    @wraps(func)
+    def wrapped(self, *args, **kwargs):
+        remaining_tries = int(self.get_option("retries")) + 1
+        cmd_summary = "%s..." % args[0]
+        for attempt in range(remaining_tries):
+            cmd = args[0]
+            if attempt != 0 and self._play_context.password and isinstance(cmd, list):
+                # If this is a retry, the fd/pipe for sshpass is closed,
+                # and we need a new one
+                self.sshpass_pipe = os.pipe()
+                cmd[1] = b"-d" + to_bytes(
+                    self.sshpass_pipe[0],
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                )
+
+            try:
+                try:
+                    return_tuple = func(self, *args, **kwargs)
+                    display.vvv(return_tuple, host=self.host)
+                    # 0 = success
+                    # 1-254 = remote command return code
+                    # 255 = failure from the ssh command itself
+                except (AnsibleControlPersistBrokenPipeError) as e:
+                    # Retry one more time because of the ControlPersist
+                    # broken pipe (see #16731)
+                    display.vvv("RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE")
+                    return_tuple = func(self, *args, **kwargs)
+
+                if return_tuple[0] != 255:
+                    break
+                else:
+                    raise AnsibleConnectionFailure(
+                        "Failed to connect to the host via ssh: %s"
+                        % to_native(return_tuple[2])
+                    )
+            except (AnsibleConnectionFailure, Exception) as e:
+                if attempt == remaining_tries - 1:
+                    raise
+                else:
+                    pause = 2 ** attempt - 1
+                    if pause > 30:
+                        pause = 30
+
+                    if isinstance(e, AnsibleConnectionFailure):
+                        msg = (
+                            "ssh_retry: attempt: %d, ssh return code is 255. "
+                            "cmd (%s), pausing for %d seconds"
+                            % (attempt, cmd_summary, pause)
+                        )
+                    else:
+                        msg = (
+                            "ssh_retry: attempt: %d, caught exception(%s) "
+                            "from cmd (%s), pausing for %d seconds"
+                            % (attempt, e, cmd_summary, pause)
+                        )
+
+                    display.vv(msg, host=self.host)
+
+                    time.sleep(pause)
+                    continue
+
+        return return_tuple
+
+    return wrapped
+
+
+class Connection(ConnectionBase):
+    """ssh+lxc_attach connection"""
+
+    transport = "lxc_ssh"
+
+    def __init__(self, play_context, new_stdin, *args, **kwargs):
+        super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
+        self.host = self._play_context.remote_addr
+        self.port = self._play_context.port
+        self.user = self._play_context.remote_user
+        self.control_path = None
+        self.control_path_dir = None
+
+    def _set_version(self):
+        # LXC v1 uses 'lxc-info', 'lxc-attach' and so on
+        # LXC v2 uses just 'lxc'
+        (returncode2, stdout2, stderr2) = self._exec_command("which lxc", None, False)
+        (returncode1, stdout1, stderr1) = self._exec_command(
+            "which lxc-info", None, False
+        )
+        if returncode2 == 0:
+            self.lxc_version = 2
+            display.vvv("LXC v2")
+        elif returncode1 == 0:
+            self.lxc_version = 1
+            display.vvv("LXC v1")
+        else:
+            raise AnsibleConnectionFailure("Cannot identify LXC version")
+            sys.exit(1)
+
+    def set_options(self, *args, **kwargs):
+        super(Connection, self).set_options(*args, **kwargs)
+        self._set_version()
+
+    # The connection is created by running ssh/scp/sftp from the exec_command,
+    # put_file, and fetch_file methods, so we don't need to do any connection
+    # management here.
+    def _connect(self):
+        """connect to the lxc; nothing to do here"""
+        display.vvv("XXX connect")
+        super(Connection, self)._connect()
+        self.container_name = self.get_option("lxc_host")
+
+    @staticmethod
+    def _create_control_path(host, port, user, connection=None):
+        """Make a hash for the controlpath based on con attributes"""
+        pstring = "%s-%s-%s" % (host, port, user)
+        if connection:
+            pstring += "-%s" % connection
+        m = hashlib.sha1()
+        m.update(to_bytes(pstring))
+        digest = m.hexdigest()
+        cpath = "%(directory)s/" + digest[:10]
+        return cpath
+
+    @staticmethod
+    def _persistence_controls(b_command):
+        """
+        Takes a command array and scans it for ControlPersist and ControlPath
+        settings and returns two booleans indicating whether either was found.
+        This could be smarter, e.g. returning false if ControlPersist is 'no',
+        but for now we do it simple way.
+        """
+
+        controlpersist = False
+        controlpath = False
+
+        for b_arg in (a.lower() for a in b_command):
+            if b"controlpersist" in b_arg:
+                controlpersist = True
+            elif b"controlpath" in b_arg:
+                controlpath = True
+
+        return controlpersist, controlpath
+
+    @staticmethod
+    def _split_args(argstring):
+        """
+        Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a
+        list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to
+        the argument list. The list will not contain any empty elements.
+        """
+        if sys.version_info[0] >= 3:
+            return [
+                to_unicode(x.strip())
+                for x in shlex.split(to_bytes(argstring).decode())
+                if x.strip()
+            ]
+        else:
+            return [
+                to_unicode(x.strip())
+                for x in shlex.split(to_bytes(argstring))
+                if x.strip()
+            ]
+
+    def _add_args(self, b_command, b_args, explanation):
+        """
+        Adds arguments to the ssh command and displays a caller-supplied
+        explanation of why.
+        :arg b_command: A list containing the command to add the new arguments
+            to. This list will be modified by this method.
+        :arg b_args: An iterable of new arguments to add.  This iterable is
+            used more than once so it must be persistent (ie: a list is okay
+            but a StringIO would not)
+        :arg explanation: A text string containing explaining why the arguments
+            were added.  It will be displayed with a high enough verbosity.
+        .. note:: This function does its work via side-effect.
+                  The b_command list has the new arguments appended.
+        """
+        display.vvvvv(
+            "SSH: %s: (%s)" % (explanation, ")(".join(to_text(a) for a in b_args)),
+            host=self._play_context.remote_addr,
+        )
+        b_command += b_args
+
+    def _build_command(self, binary, subsystem, *other_args):
+        """
+        Takes an executable (ssh, scp, sftp or wrapper) and optional extra
+        arguments and returns the remote command wrapped in local ssh shell
+        commands and ready for execution.
+
+        :arg binary: actual executable to use to execute command.
+        :arg subsystem: type of executable provided, ssh/sftp/scp,
+                        needed because wrappers for ssh might have diff names.
+        :arg other_args: dict of, value pairs passed as arguments to the ssh
+                         binary
+        """
+
+        b_command = []
+        conn_password = self.get_option("password") or self._play_context.password
+
+        #
+        # First, the command to invoke
+        #
+
+        # If we want to use password authentication, we have to set up a pipe to
+        # write the password to sshpass.
+
+        if conn_password:
+            if not self._sshpass_available():
+                raise AnsibleError(
+                    "to use the 'ssh' connection type with passwords, "
+                    " you must install the sshpass program"
+                )
+
+            self.sshpass_pipe = os.pipe()
+            b_command += [
+                b"sshpass",
+                b"-d"
+                + to_bytes(
+                    self.sshpass_pipe[0],
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                ),
+            ]
+
+            password_prompt = self.get_option("sshpass_prompt")
+            if password_prompt:
+                b_command += [
+                    b"-P",
+                    to_bytes(password_prompt, errors="surrogate_or_strict"),
+                ]
+
+        b_command += [to_bytes(binary, errors="surrogate_or_strict")]
+
+        #
+        # Next, additional arguments based on the configuration.
+        #
+
+        # sftp batch mode allows us to correctly catch failed transfers, but can
+        # be disabled if the client side doesn't support the option. However,
+        # sftp batch mode does not prompt for passwords so it must be disabled
+        # if not using controlpersist and using sshpass
+        if subsystem == "sftp" and self.get_option("sftp_batch_mode"):
+            if conn_password:
+                b_args = [b"-o", b"BatchMode=no"]
+                self._add_args(b_command, b_args, "disable batch mode for sshpass")
+            b_command += [b"-b", b"-"]
+
+        if self._play_context.verbosity > 3:
+            b_command.append(b"-vvv")
+
+        # Next, we add ssh_args
+        ssh_args = self.get_option("ssh_args")
+        if ssh_args:
+            b_args = [
+                to_bytes(a, errors="surrogate_or_strict")
+                for a in self._split_ssh_args(ssh_args)
+            ]
+            self._add_args(b_command, b_args, u"ansible.cfg set ssh_args")
+
+        # Now we add various arguments that have their own specific settings
+        # defined in docs above.
+        if not self.get_option("host_key_checking"):
+            b_args = (b"-o", b"StrictHostKeyChecking=no")
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled",
+            )
+
+        self.port = self.get_option("port")
+        if self.port is not None:
+            b_args = (
+                b"-o",
+                b"Port="
+                + to_bytes(
+                    self.port,
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                ),
+            )
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set",
+            )
+
+        key = self.get_option("private_key_file")
+        if key:
+            b_args = (
+                b"-o",
+                b'IdentityFile="'
+                + to_bytes(os.path.expanduser(key), errors="surrogate_or_strict")
+                + b'"',
+            )
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/"
+                "ansible_ssh_private_key_file set",
+            )
+
+        if not conn_password:
+            self._add_args(
+                b_command,
+                (
+                    b"-o",
+                    b"KbdInteractiveAuthentication=no",
+                    b"-o",
+                    b"PreferredAuthentications=publickey,gssapi-with-mic,"
+                    b"gssapi-keyex,hostbased",
+                    b"-o",
+                    b"PasswordAuthentication=no",
+                ),
+                "ansible_password/ansible_ssh_password not set",
+            )
+
+        self.user = self.get_option("remote_user")
+
+        if self.user:
+            self._add_args(
+                b_command,
+                (
+                    b"-o",
+                    b'User="%s"' % to_bytes(self.user, errors="surrogate_or_strict"),
+                ),
+                "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set",
+            )
+
+        timeout = self.get_option("timeout")
+        self._add_args(
+            b_command,
+            (
+                b"-o",
+                b"ConnectTimeout="
+                + to_bytes(
+                    timeout,
+                    errors="surrogate_or_strict",
+                    nonstring="simplerepr",
+                ),
+            ),
+            "ANSIBLE_TIMEOUT/timeout set",
+        )
+
+        # Add in any common or binary-specific arguments from the PlayContext
+        # (i.e. inventory or task settings or overrides on the command line).
+
+        for opt in ("ssh_common_args", "{0}_extra_args".format(subsystem)):
+            attr = self.get_option(opt)
+            if attr is not None:
+                b_args = [
+                    to_bytes(a, errors="surrogate_or_strict")
+                    for a in self._split_ssh_args(attr)
+                ]
+                self._add_args(b_command, b_args, "Set %s" % opt)
+
+        # Check if ControlPersist is enabled and add a ControlPath if one hasn't
+        # already been set.
+
+        controlpersist, controlpath = self._persistence_controls(b_command)
+
+        if controlpersist:
+            self._persistent = True
+
+            if not controlpath:
+                self.control_path_dir = self.get_option("control_path_dir")
+                cpdir = unfrackpath(self.control_path_dir)
+                b_cpdir = to_bytes(cpdir, errors="surrogate_or_strict")
+
+                # The directory must exist and be writable.
+                makedirs_safe(b_cpdir, 0o700)
+                if not os.access(b_cpdir, os.W_OK):
+                    raise AnsibleError(
+                        "Cannot write to ControlPath %s" % to_native(cpdir)
+                    )
+
+                self.control_path = self.get_option("control_path")
+                if not self.control_path:
+                    self.control_path = self._create_control_path(
+                        self.host, self.port, self.user
+                    )
+                b_args = (
+                    b"-o",
+                    b"ControlPath="
+                    + to_bytes(
+                        self.control_path % dict(directory=cpdir),
+                        errors="surrogate_or_strict",
+                    ),
+                )
+                self._add_args(
+                    b_command,
+                    b_args,
+                    "found only ControlPersist; added ControlPath",
+                )
+
+        # Finally, we add any caller-supplied extras.
+        if other_args:
+            b_command += [to_bytes(a) for a in other_args]
+
+        return b_command
+
+    def _send_initial_data(self, fh, in_data):
+        """
+        Writes initial data to the stdin filehandle of the subprocess and closes
+        it. (The handle must be closed; otherwise, for example, "sftp -b -" will
+        just hang forever waiting for more commands.)
+        """
+
+        display.debug("Sending initial data")
+
+        try:
+            fh.write(to_bytes(in_data))
+            fh.close()
+        except (OSError, IOError):
+            raise AnsibleConnectionFailure(
+                'SSH Error: data could not be sent to remote host "%s". '
+                "Make sure this host can be reached over ssh" % self.host
+            )
+
+        display.debug("Sent initial data (%d bytes)" % len(in_data))
+
+    # Used by _run() to kill processes on failures
+    @staticmethod
+    def _terminate_process(p):
+        """Terminate a process, ignoring errors"""
+        try:
+            p.terminate()
+        except (OSError, IOError):
+            pass
+
+    # This is separate from _run() because we need to do the same
+    # thing for stdout and stderr.
+    def _examine_output(self, source, state, b_chunk, sudoable):
+        """
+        Takes a string, extracts complete lines from it, tests to see if they
+        are a prompt, error message, etc., and sets appropriate flags in self.
+        Prompt and success lines are removed.
+        Returns the processed (i.e. possibly-edited) output and the unprocessed
+        remainder (to be processed with the next chunk) as strings.
+        """
+
+        output = []
+        for b_line in b_chunk.splitlines(True):
+            display_line = to_text(b_line).rstrip("\r\n")
+            suppress_output = False
+
+            if self._play_context.prompt and self.check_password_prompt(b_line):
+                display.debug(
+                    "become_prompt: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_prompt"] = True
+                suppress_output = True
+            elif self._play_context.success_key and self.check_become_success(b_line):
+                display.debug(
+                    "become_success: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_success"] = True
+                suppress_output = True
+            elif sudoable and self.check_incorrect_password(b_line):
+                display.debug(
+                    "become_error: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_error"] = True
+            elif sudoable and self.check_missing_password(b_line):
+                display.debug(
+                    "become_nopasswd_error: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_nopasswd_error"] = True
+
+            if not suppress_output:
+                output.append(b_line)
+
+        # The chunk we read was most likely a series of complete lines, but just
+        # in case the last line was incomplete (and not a prompt, which we would
+        # have removed from the output), we retain it to be processed with the
+        # next chunk.
+
+        remainder = b""
+        if output and not output[-1].endswith(b"\n"):
+            remainder = output[-1]
+            output = output[:-1]
+
+        return b"".join(output), remainder
+
+    def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True):
+        """
+        Starts the command and communicates with it until it ends.
+        """
+
+        display_cmd = list(map(shlex_quote, map(to_text, cmd)))
+        display.vvv("SSH: EXEC {0}".format(" ".join(display_cmd)), host=self.host)
+
+        # Start the given command. If we don't need to pipeline data, we can try
+        # to use a pseudo-tty (ssh will have been invoked with -tt). If we are
+        # pipelining data, or can't create a pty, we fall back to using plain
+        # old pipes.
+
+        p = None
+
+        if isinstance(cmd, (text_type, binary_type)):
+            cmd = to_bytes(cmd)
+        else:
+            if sys.version_info[0] >= 3:
+                cmd = list(map(to_bytes, cmd))
+            else:
+                cmd = map(to_bytes, cmd)
+
+        if not in_data:
+            try:
+                # Make sure stdin is a proper pty to avoid tcgetattr errors
+                master, slave = pty.openpty()
+                if PY3 and self._play_context.password:
+                    p = subprocess.Popen(
+                        cmd,
+                        stdin=slave,
+                        stdout=subprocess.PIPE,
+                        stderr=subprocess.PIPE,
+                        pass_fds=self.sshpass_pipe,
+                    )
+                else:
+                    p = subprocess.Popen(
+                        cmd,
+                        stdin=slave,
+                        stdout=subprocess.PIPE,
+                        stderr=subprocess.PIPE,
+                    )
+                stdin = os.fdopen(master, "wb", 0)
+                os.close(slave)
+            except (OSError, IOError):
+                p = None
+
+        if not p:
+            if PY3 and self._play_context.password:
+                p = subprocess.Popen(
+                    cmd,
+                    stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                    pass_fds=self.sshpass_pipe,
+                )
+            else:
+                p = subprocess.Popen(
+                    cmd,
+                    stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                )
+            stdin = p.stdin
+
+        # If we are using SSH password authentication, write the password into
+        # the pipe we opened in _build_command.
+
+        if self._play_context.password:
+            os.close(self.sshpass_pipe[0])
+            try:
+                os.write(
+                    self.sshpass_pipe[1],
+                    to_bytes(self._play_context.password) + b"\n",
+                )
+            except OSError as e:
+                # Ignore broken pipe errors if the sshpass process has exited.
+                if e.errno != errno.EPIPE or p.poll() is None:
+                    raise
+            os.close(self.sshpass_pipe[1])
+
+        #
+        # SSH state machine
+        #
+
+        # Now we read and accumulate output from the running process until it
+        # exits. Depending on the circumstances, we may also need to write an
+        # escalation password and/or pipelined input to the process.
+
+        states = [
+            "awaiting_prompt",
+            "awaiting_escalation",
+            "ready_to_send",
+            "awaiting_exit",
+        ]
+
+        # Are we requesting privilege escalation? Right now, we may be invoked
+        # to execute sftp/scp with sudoable=True, but we can request escalation
+        # only when using ssh. Otherwise we can send initial data straight away.
+
+        state = states.index("ready_to_send")
+        if b"ssh" in cmd:
+            if self._play_context.prompt:
+                # We're requesting escalation with a password, so we have to
+                # wait for a password prompt.
+                state = states.index("awaiting_prompt")
+                display.debug(
+                    "Initial state: %s: %s" % (states[state], self._play_context.prompt)
+                )
+            elif self._play_context.become and self._play_context.success_key:
+                # We're requesting escalation without a password, so we have to
+                # detect success/failure before sending any initial data.
+                state = states.index("awaiting_escalation")
+                display.debug(
+                    "Initial state: %s: %s"
+                    % (states[state], self._play_context.success_key)
+                )
+
+        # We store accumulated stdout and stderr output from the process here,
+        # but strip any privilege escalation prompt/confirmation lines first.
+        # Output is accumulated into tmp_*, complete lines are extracted into
+        # an array, then checked and removed or copied to stdout or stderr. We
+        # set any flags based on examining the output in self._flags.
+
+        b_stdout = b_stderr = b""
+        b_tmp_stdout = b_tmp_stderr = b""
+
+        self._flags = dict(
+            become_prompt=False,
+            become_success=False,
+            become_error=False,
+            become_nopasswd_error=False,
+        )
+
+        # select timeout should be longer than the connect timeout, otherwise
+        # they will race each other when we can't connect, and the connect
+        # timeout usually fails
+        timeout = 2 + self._play_context.timeout
+        for fd in (p.stdout, p.stderr):
+            fcntl.fcntl(
+                fd,
+                fcntl.F_SETFL,
+                fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK,
+            )
+
+        # TODO: bcoca would like to use SelectSelector() when open
+        # filehandles is low, then switch to more efficient ones when higher.
+        # select is faster when filehandles is low.
+        selector = selectors.DefaultSelector()
+        selector.register(p.stdout, selectors.EVENT_READ)
+        selector.register(p.stderr, selectors.EVENT_READ)
+
+        # If we can send initial data without waiting for anything, we do so
+        # before we start polling
+        if states[state] == "ready_to_send" and in_data:
+            self._send_initial_data(stdin, in_data)
+            state += 1
+
+        try:
+            while True:
+                poll = p.poll()
+                events = selector.select(timeout)
+
+                # We pay attention to timeouts only while negotiating a prompt.
+
+                if not events:
+                    # We timed out
+                    if state <= states.index("awaiting_escalation"):
+                        # If the process has already exited, then it's not
+                        # really a timeout; we'll let the normal error
+                        # handling deal with it.
+                        if poll is not None:
+                            break
+                        self._terminate_process(p)
+                        raise AnsibleError(
+                            "Timeout (%ds) waiting for privilege escalation "
+                            " prompt: %s" % (timeout, to_native(b_stdout))
+                        )
+
+                # Read whatever output is available on stdout and stderr,
+                # and stop listening to the pipe if it's been closed.
+
+                for key, event in events:
+                    if key.fileobj == p.stdout:
+                        b_chunk = p.stdout.read()
+                        if b_chunk == b"":
+                            # stdout has been closed, stop watching it
+                            selector.unregister(p.stdout)
+                            # When ssh has ControlMaster (+ControlPath/Persist)
+                            # enabled, the first connection goes into the
+                            # background and we never see EOF on stderr. If we
+                            # see EOF on stdout, lower the select timeout
+                            # to reduce the time wasted selecting on stderr if
+                            # we observe that the process has not yet existed
+                            # after this EOF. Otherwise we may spend a long
+                            # timeout period waiting for an EOF that is not
+                            # going to arrive until the persisted connection
+                            # closes.
+                            timeout = 1
+                        b_tmp_stdout += b_chunk
+                        display.debug(
+                            "stdout chunk (state=%s):\n>>>%s<<<\n"
+                            % (state, to_text(b_chunk))
+                        )
+                    elif key.fileobj == p.stderr:
+                        b_chunk = p.stderr.read()
+                        if b_chunk == b"":
+                            # stderr has been closed, stop watching it
+                            selector.unregister(p.stderr)
+                        b_tmp_stderr += b_chunk
+                        display.debug(
+                            "stderr chunk (state=%s):\n>>>%s<<<\n"
+                            % (state, to_text(b_chunk))
+                        )
+
+                # We examine the output line-by-line until we have negotiated
+                # any privilege escalation prompt and subsequent success/error
+                # message.
+                # Afterwards, we can accumulate output without looking at it.
+
+                if state < states.index("ready_to_send"):
+                    if b_tmp_stdout:
+                        b_output, b_unprocessed = self._examine_output(
+                            "stdout", states[state], b_tmp_stdout, sudoable
+                        )
+                        b_stdout += b_output
+                        b_tmp_stdout = b_unprocessed
+
+                    if b_tmp_stderr:
+                        b_output, b_unprocessed = self._examine_output(
+                            "stderr", states[state], b_tmp_stderr, sudoable
+                        )
+                        b_stderr += b_output
+                        b_tmp_stderr = b_unprocessed
+                else:
+                    b_stdout += b_tmp_stdout
+                    b_stderr += b_tmp_stderr
+                    b_tmp_stdout = b_tmp_stderr = b""
+
+                # If we see a privilege escalation prompt, we send the password.
+                # (If we're expecting a prompt but the escalation succeeds, we
+                # didn't need the password and can carry on regardless.)
+
+                if states[state] == "awaiting_prompt":
+                    if self._flags["become_prompt"]:
+                        display.debug("Sending become_pass in response to prompt")
+                        stdin.write(to_bytes(self._play_context.become_pass) + b"\n")
+                        self._flags["become_prompt"] = False
+                        state += 1
+                    elif self._flags["become_success"]:
+                        state += 1
+
+                # We've requested escalation (with or without a password),
+                # now we wait for an error message or a successful escalation.
+
+                if states[state] == "awaiting_escalation":
+                    if self._flags["become_success"]:
+                        display.debug("Escalation succeeded")
+                        self._flags["become_success"] = False
+                        state += 1
+                    elif self._flags["become_error"]:
+                        display.debug("Escalation failed")
+                        self._terminate_process(p)
+                        self._flags["become_error"] = False
+                        raise AnsibleError(
+                            "Incorrect %s password" % self._play_context.become_method
+                        )
+                    elif self._flags["become_nopasswd_error"]:
+                        display.debug("Escalation requires password")
+                        self._terminate_process(p)
+                        self._flags["become_nopasswd_error"] = False
+                        raise AnsibleError(
+                            "Missing %s password" % self._play_context.become_method
+                        )
+                    elif self._flags["become_prompt"]:
+                        # This shouldn't happen, because we should see the
+                        # "Sorry, try again" message first.
+                        display.debug("Escalation prompt repeated")
+                        self._terminate_process(p)
+                        self._flags["become_prompt"] = False
+                        raise AnsibleError(
+                            "Incorrect %s password" % self._play_context.become_method
+                        )
+
+                # Once we're sure that the privilege escalation prompt,
+                # if any, has been dealt with, we can send any initial data
+                # and start waiting for output.
+
+                if states[state] == "ready_to_send":
+                    if in_data:
+                        self._send_initial_data(stdin, in_data)
+                    state += 1
+
+                # Now we're awaiting_exit: has the child process exited?
+                # If it has, and we've read all available output from it,
+                # we're done.
+
+                if poll is not None:
+                    if not selector.get_map() or not events:
+                        break
+                    # We should not see further writes to the stdout/stderr file
+                    # descriptors after the process has closed, set the select
+                    # timeout to gather any last writes we may have missed.
+                    timeout = 0
+                    continue
+
+                # If the process has not yet exited, but we've already read
+                # EOF from its stdout and stderr (and thus no longer watching
+                # any file descriptors), we can just wait for it to exit.
+
+                elif not selector.get_map():
+                    p.wait()
+                    break
+
+                # Otherwise there may still be outstanding data to read.
+        finally:
+            selector.close()
+            # close stdin after process is terminated and stdout/stderr are read
+            # completely (see also issue #848)
+            stdin.close()
+
+        if self.get_option("host_key_checking"):
+            if cmd[0] == b"sshpass" and p.returncode == 6:
+                raise AnsibleError(
+                    "Using a SSH password instead of a key is not possible "
+                    "because Host Key checking is enabled and sshpass does not "
+                    "support this.  Please add this host's fingerprint to your "
+                    " known_hosts file to manage this host."
+                )
+
+        controlpersisterror = (
+            b"Bad configuration option: ControlPersist" in b_stderr
+            or b"unknown configuration option: ControlPersist" in b_stderr
+        )
+        if p.returncode != 0 and controlpersisterror:
+            raise AnsibleError(
+                "using -c ssh on certain older ssh versions may not support "
+                ' ControlPersist, set ANSIBLE_SSH_ARGS="" '
+                "(or ssh_args in [ssh_connection] section of the config file) "
+                "before running again"
+            )
+
+        # If we find a broken pipe because of ControlPersist timeout expiring
+        # (see #16731),
+        # we raise a special exception so that we can retry a connection.
+        controlpersist_broken_pipe = (
+            b"mux_client_hello_exchange: write packet: Broken pipe" in b_stderr
+        )
+        if p.returncode == 255 and controlpersist_broken_pipe:
+            raise AnsibleControlPersistBrokenPipeError(
+                "SSH Error: data could not be sent because of ControlPersist "
+                "broken pipe."
+            )
+
+        if p.returncode == 255 and in_data and checkrc:
+            raise AnsibleConnectionFailure(
+                'SSH Error: data could not be sent to remote host "%s". '
+                "Make sure this host can be reached over ssh" % self.host
+            )
+
+        return (p.returncode, b_stdout, b_stderr)
+
+    @_ssh_retry
+    def _run(self, cmd, in_data, sudoable=True, checkrc=True):
+        """Wrapper around _bare_run that retries the connection"""
+        return self._bare_run(cmd, in_data, sudoable, checkrc)
+
+    def _exec_command(self, cmd, in_data=None, sudoable=True):
+        """run a command on the remote host"""
+
+        super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
+
+        display.vvv(
+            "ESTABLISH SSH CONNECTION FOR USER: {0}".format(
+                self._play_context.remote_user
+            ),
+            host=self._play_context.remote_addr,
+        )
+
+        # we can only use tty when we are not pipelining the modules. piping
+        # data into /usr/bin/python inside a tty automatically invokes the
+        # python interactive-mode but the modules are not compatible with the
+        # interactive-mode ("unexpected indent" mainly because of empty lines)
+
+        ssh_executable = self.get_option("ssh_executable")
+        if in_data:
+            cmd = self._build_command(ssh_executable, "ssh", self.host, cmd)
+        else:
+            cmd = self._build_command(ssh_executable, "ssh", "-tt", self.host, cmd)
+
+        (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
+
+        return (returncode, stdout, stderr)
+
+    def dir_print(self, obj):
+        for attr_name in dir(obj):
+            try:
+                attr_value = getattr(obj, attr_name)
+                print(attr_name, attr_value, callable(attr_value))
+            except AttributeError:
+                pass
+
+    #
+    # Main public methods
+    #
+    def exec_command(self, cmd, in_data=None, sudoable=False):
+        """run a command on the chroot"""
+        display.vvv("XXX exec_command: %s" % cmd)
+        super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
+
+        ssh_executable = self.get_option("ssh_executable")
+        h = self.container_name
+        if self.lxc_version == 2:
+            lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        elif self.lxc_version == 1:
+            lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        if in_data:
+            cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+        else:
+            cmd = self._build_command(ssh_executable, "ssh", "-tt", self.host, lxc_cmd)
+        (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
+        return (returncode, stdout, stderr)
+
+    def put_file(self, in_path, out_path):
+        """transfer a file from local to lxc"""
+        super(Connection, self).put_file(in_path, out_path)
+        display.vvv("PUT {0} TO {1}".format(in_path, out_path), host=self.host)
+        ssh_executable = self.get_option("ssh_executable")
+
+        if not os.path.exists(to_bytes(in_path, errors="surrogate_or_strict")):
+            raise AnsibleFileNotFound(
+                "file or module does not exist: {0}".format(to_native(in_path))
+            )
+
+        if sys.version_info[0] >= 3:
+            with open(in_path, "rb") as in_f:
+                in_data = in_f.read()
+                if len(in_data) == 0:
+                    # define a shortcut for empty files - nothing ro read so
+                    # the ssh pipe will hang
+                    cmd = "touch %s; echo -n done" % pipes.quote(out_path)
+                else:
+                    # regular command
+                    cmd = "cat > %s; echo -n done" % pipes.quote(out_path)
+                h = self.container_name
+                if self.lxc_version == 2:
+                    lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                elif self.lxc_version == 1:
+                    lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                if in_data:
+                    cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+                else:
+                    cmd = self._build_command(
+                        ssh_executable, "ssh", "-tt", self.host, lxc_cmd
+                    )
+                (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
+                return (returncode, stdout, stderr)
+        else:
+            with open(in_path, "r") as in_f:
+                in_data = in_f.read()
+                if len(in_data) == 0:
+                    # define a shortcut for empty files - nothing ro read so
+                    # the ssh pipe will hang
+                    cmd = "touch %s; echo -n done" % pipes.quote(out_path)
+                else:
+                    # regular command
+                    cmd = "cat > %s; echo -n done" % pipes.quote(out_path)
+                h = self.container_name
+                if self.lxc_version == 2:
+                    lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                elif self.lxc_version == 1:
+                    lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                if in_data:
+                    cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+                else:
+                    cmd = self._build_command(
+                        ssh_executable, "ssh", "-tt", self.host, lxc_cmd
+                    )
+                (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
+                return (returncode, stdout, stderr)
+
+    def fetch_file(self, in_path, out_path):
+        """fetch a file from lxc to local"""
+        super(Connection, self).fetch_file(in_path, out_path)
+        display.vvv("FETCH {0} TO {1}".format(in_path, out_path), host=self.host)
+        ssh_executable = self.get_option("ssh_executable")
+
+        cmd = "cat < %s" % pipes.quote(in_path)
+        h = self.container_name
+        if self.lxc_version == 2:
+            lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        elif self.lxc_version == 1:
+            lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+
+        cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+        (returncode, stdout, stderr) = self._run(cmd, None, sudoable=False)
+
+        if returncode != 0:
+            raise AnsibleError(
+                "failed to transfer file from {0}:\n{1}\n{2}".format(
+                    in_path, stdout, stderr
+                )
+            )
+
+        if sys.version_info[0] >= 3:
+            with open(out_path, "wb") as out_f:
+                out_f.write(stdout)
+        else:
+            with open(out_path, "w") as out_f:
+                out_f.write(stdout)
+
+        return (returncode, stdout, stderr)
+
+    def reset(self):
+        # If we have a persistent ssh connection (ControlPersist),
+        # we can ask it to stop listening.
+        cmd = self._build_command(
+            self.get_option("ssh_executable"), "ssh", "-O", "stop", self.host
+        )
+        controlpersist, controlpath = self._persistence_controls(cmd)
+        if controlpersist:
+            display.vvv("sending stop: %s" % cmd)
+            p = subprocess.Popen(
+                cmd,
+                stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+            )
+            stdout, stderr = p.communicate()
+            status_code = p.wait()
+            if status_code != 0:
+                raise AnsibleError("Cannot reset connection:\n%s" % stderr)
+        self.close()
+
+    def close(self):
+        """terminate the connection; nothing to do here"""
+        display.vvv("XXX close")
+        super(Connection, self).close()
+        # self.ssh.close()
+        self._connected = False
diff --git a/ansible_collections/debops/debops/plugins/connection_plugins/lxc_ssh.py b/ansible_collections/debops/debops/plugins/connection_plugins/lxc_ssh.py
new file mode 100644
index 00000000..c9c43c1e
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/connection_plugins/lxc_ssh.py
@@ -0,0 +1,1495 @@
+# Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# SSH + lxc-attach connection module for Ansible 2.0
+#
+# Adapted from ansible/plugins/connection/ssh.py
+# Forked from https://github.com/chifflier/ansible-lxc-ssh
+# Hosted on https://github.com/andreasscherbaum/ansible-lxc-ssh
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import errno
+import fcntl
+import hashlib
+import os
+import pipes
+import pty
+import shlex
+import subprocess
+import sys
+import time
+
+from ansible.release import __version__ as ansible_version
+from functools import wraps
+from ansible import constants as C
+from ansible.errors import (
+    AnsibleError,
+    AnsibleConnectionFailure,
+    AnsibleFileNotFound,
+)
+from ansible.errors import AnsibleOptionsError
+from ansible.compat import selectors
+from ansible.module_utils.six import PY3, text_type, binary_type
+from ansible.module_utils.six.moves import shlex_quote
+from ansible.module_utils._text import to_bytes, to_native, to_text
+from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean
+from ansible.plugins.connection import ConnectionBase, BUFSIZE
+from ansible.utils.path import unfrackpath, makedirs_safe
+
+from ansible.module_utils._text import (
+    to_bytes,
+    to_text as to_unicode,
+    to_native as to_str,
+)
+
+DOCUMENTATION = """
+    name: lxc_ssh
+    short_description: connect via ssh and lxc to remote lxc guest
+    description:
+        - This connection plugin allows ansible to communicate to the target
+          machines via normal ssh and lxc cli.
+        - Ansible does not expose a channel to allow communication between the
+          user and the ssh process to accept a password manually to decrypt an
+          ssh key when using this connection plugin (which is the default). The
+          use of ``ssh-agent`` is highly recommended.
+    author: Pierre Chifflier
+    notes:
+        - Many options default to 'None' here but that only means we don't
+          override the ssh tool's defaults and/or configuration.
+          For example, if you specify the port in this plugin it will override
+          any C(Port) entry in your C(.ssh/config).
+    options:
+      host:
+          description: Hostname/ip to connect to.
+          vars:
+               - name: inventory_hostname
+               - name: ansible_host
+               - name: ansible_ssh_host
+               - name: delegated_vars['ansible_host']
+               - name: delegated_vars['ansible_ssh_host']
+      host_key_checking:
+          description: Determines if ssh should check host keys
+          type: boolean
+          ini:
+              - section: defaults
+                key: 'host_key_checking'
+              - section: ssh_connection
+                key: 'host_key_checking'
+                version_added: '2.5'
+          env:
+              - name: ANSIBLE_HOST_KEY_CHECKING
+              - name: ANSIBLE_SSH_HOST_KEY_CHECKING
+                version_added: '2.5'
+          vars:
+              - name: ansible_host_key_checking
+                version_added: '2.5'
+              - name: ansible_ssh_host_key_checking
+                version_added: '2.5'
+      password:
+          description: Authentication password for the C(remote_user).
+                       Can be supplied as CLI option.
+          vars:
+              - name: ansible_password
+              - name: ansible_ssh_pass
+              - name: ansible_ssh_password
+      sshpass_prompt:
+          description: Password prompt that sshpass should search for.
+                       Supported by sshpass 1.06 and up.
+          default: ''
+          ini:
+              - section: 'ssh_connection'
+                key: 'sshpass_prompt'
+          env:
+              - name: ANSIBLE_SSHPASS_PROMPT
+          vars:
+              - name: ansible_sshpass_prompt
+          version_added: '2.10'
+      ssh_args:
+          description: Arguments to pass to all ssh cli tools
+          default: '-C -o ControlMaster=auto -o ControlPersist=60s'
+          ini:
+              - section: 'ssh_connection'
+                key: 'ssh_args'
+          env:
+              - name: ANSIBLE_SSH_ARGS
+          vars:
+              - name: ansible_ssh_args
+                version_added: '2.7'
+          cli:
+              - name: ssh_args
+      ssh_common_args:
+          description: Common extra args for all ssh CLI tools
+          ini:
+              - section: 'ssh_connection'
+                key: 'ssh_common_args'
+                version_added: '2.7'
+          env:
+              - name: ANSIBLE_SSH_COMMON_ARGS
+                version_added: '2.7'
+          vars:
+              - name: ansible_ssh_common_args
+          cli:
+              - name: ssh_common_args
+      ssh_executable:
+          default: ssh
+          description:
+            - This defines the location of the ssh binary.
+              It defaults to ``ssh`` which will use the first ssh binary
+              available in $PATH.
+            - This option is usually not required, it might be useful when
+              access to system ssh is restricted,
+              or when using ssh wrappers to connect to remote hosts.
+          env: [{name: ANSIBLE_SSH_EXECUTABLE}]
+          ini:
+          - {key: ssh_executable, section: ssh_connection}
+          #const: ANSIBLE_SSH_EXECUTABLE
+          version_added: "2.2"
+          vars:
+              - name: ansible_ssh_executable
+                version_added: '2.7'
+      sftp_executable:
+          default: sftp
+          description:
+            - This defines the location of the sftp binary. It defaults to
+              ``sftp`` which will use the first binary available in $PATH.
+          env: [{name: ANSIBLE_SFTP_EXECUTABLE}]
+          ini:
+          - {key: sftp_executable, section: ssh_connection}
+          version_added: "2.6"
+          vars:
+              - name: ansible_sftp_executable
+                version_added: '2.7'
+      scp_executable:
+          default: scp
+          description:
+            - This defines the location of the scp binary. It defaults to
+              `scp` which will use the first binary available in $PATH.
+          env: [{name: ANSIBLE_SCP_EXECUTABLE}]
+          ini:
+          - {key: scp_executable, section: ssh_connection}
+          version_added: "2.6"
+          vars:
+              - name: ansible_scp_executable
+                version_added: '2.7'
+      scp_extra_args:
+          description: Extra exclusive to the ``scp`` CLI
+          vars:
+              - name: ansible_scp_extra_args
+          env:
+            - name: ANSIBLE_SCP_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: scp_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: scp_extra_args
+      sftp_extra_args:
+          description: Extra exclusive to the ``sftp`` CLI
+          vars:
+              - name: ansible_sftp_extra_args
+          env:
+            - name: ANSIBLE_SFTP_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: sftp_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: sftp_extra_args
+      ssh_extra_args:
+          description: Extra exclusive to the 'ssh' CLI
+          vars:
+              - name: ansible_ssh_extra_args
+          env:
+            - name: ANSIBLE_SSH_EXTRA_ARGS
+              version_added: '2.7'
+          ini:
+            - key: ssh_extra_args
+              section: ssh_connection
+              version_added: '2.7'
+          cli:
+            - name: ssh_extra_args
+      retries:
+          description: Number of attempts to connect.
+          default: 3
+          type: integer
+          env:
+            - name: ANSIBLE_SSH_RETRIES
+          ini:
+            - section: connection
+              key: retries
+            - section: ssh_connection
+              key: retries
+          vars:
+            - name: ansible_ssh_retries
+              version_added: '2.7'
+      port:
+          description: Remote port to connect to.
+          type: int
+          ini:
+            - section: defaults
+              key: remote_port
+          env:
+            - name: ANSIBLE_REMOTE_PORT
+          vars:
+            - name: ansible_port
+            - name: ansible_ssh_port
+      remote_user:
+          description:
+              - User name with which to login to the remote server, normally
+                set by the remote_user keyword.
+              - If no user is supplied, Ansible will let the ssh client binary
+                choose the user as it normally
+          ini:
+            - section: defaults
+              key: remote_user
+          env:
+            - name: ANSIBLE_REMOTE_USER
+          vars:
+            - name: ansible_user
+            - name: ansible_ssh_user
+          cli:
+            - name: user
+      pipelining:
+          env:
+            - name: ANSIBLE_PIPELINING
+            - name: ANSIBLE_SSH_PIPELINING
+          ini:
+            - section: connection
+              key: pipelining
+            - section: ssh_connection
+              key: pipelining
+          vars:
+            - name: ansible_pipelining
+            - name: ansible_ssh_pipelining
+
+      private_key_file:
+          description:
+              - Path to private key file to use for authentication
+          ini:
+            - section: defaults
+              key: private_key_file
+          env:
+            - name: ANSIBLE_PRIVATE_KEY_FILE
+          vars:
+            - name: ansible_private_key_file
+            - name: ansible_ssh_private_key_file
+          cli:
+            - name: private_key_file
+
+      control_path:
+        description:
+          - This is the location to save ssh's ControlPath sockets, it uses
+            ssh's variable substitution.
+          - Since 2.3, if null (default), ansible will generate a unique hash.
+            Use `%(directory)s` to indicate where to use the control dir path
+            setting.
+          - Before 2.3 it defaulted to
+            `control_path=%(directory)s/ansible-ssh-%%h-%%p-%%r`.
+          - Be aware that this setting is ignored if `-o ControlPath` is set
+            in ssh args.
+        env:
+          - name: ANSIBLE_SSH_CONTROL_PATH
+        ini:
+          - key: control_path
+            section: ssh_connection
+        vars:
+          - name: ansible_control_path
+            version_added: '2.7'
+      control_path_dir:
+        default: ~/.ansible/cp
+        description:
+          - This sets the directory to use for ssh control path if the control
+            path setting is null.
+          - Also, provides the `%(directory)s` variable for the control
+            path setting.
+        env:
+          - name: ANSIBLE_SSH_CONTROL_PATH_DIR
+        ini:
+          - section: ssh_connection
+            key: control_path_dir
+        vars:
+          - name: ansible_control_path_dir
+            version_added: '2.7'
+      sftp_batch_mode:
+        default: 'yes'
+        description: 'TODO: write it'
+        env: [{name: ANSIBLE_SFTP_BATCH_MODE}]
+        ini:
+        - {key: sftp_batch_mode, section: ssh_connection}
+        type: bool
+        vars:
+          - name: ansible_sftp_batch_mode
+            version_added: '2.7'
+      ssh_transfer_method:
+        default: smart
+        description:
+            - "Preferred method to use when transferring files over ssh"
+            - Setting to 'smart' (default) will try them in order, until one
+              succeeds or they all fail
+            - Using 'piped' creates an ssh pipe with ``dd`` on either side to
+              copy the data
+        choices: ['sftp', 'scp', 'piped', 'smart']
+        env: [{name: ANSIBLE_SSH_TRANSFER_METHOD}]
+        ini:
+            - {key: transfer_method, section: ssh_connection}
+      scp_if_ssh:
+        default: smart
+        description:
+          - "Preferred method to use when transferring files over ssh"
+          - When set to smart, Ansible will try them until one succeeds or they
+            all fail
+          - If set to True, it will force 'scp', if False it will use 'sftp'
+        env: [{name: ANSIBLE_SCP_IF_SSH}]
+        ini:
+        - {key: scp_if_ssh, section: ssh_connection}
+        vars:
+          - name: ansible_scp_if_ssh
+            version_added: '2.7'
+      use_tty:
+        version_added: '2.5'
+        default: 'yes'
+        description: add -tt to ssh commands to force tty allocation
+        env: [{name: ANSIBLE_SSH_USETTY}]
+        ini:
+        - {key: usetty, section: ssh_connection}
+        type: bool
+        vars:
+          - name: ansible_ssh_use_tty
+            version_added: '2.7'
+      timeout:
+        default: 10
+        description:
+            - This is the default amount of time we will wait while
+              establishing an ssh connection
+            - It also controls how long we can wait to access reading the
+              connection once established (select on the socket)
+        env:
+            - name: ANSIBLE_TIMEOUT
+            - name: ANSIBLE_SSH_TIMEOUT
+              version_added: '2.11'
+        ini:
+            - key: timeout
+              section: defaults
+            - key: timeout
+              section: ssh_connection
+              version_added: '2.11'
+        vars:
+          - name: ansible_ssh_timeout
+            version_added: '2.11'
+        cli:
+          - name: timeout
+        type: integer
+      lxc_host:
+        description:
+            The lxc host to connect to.
+        env:
+            - name: LXC_HOST
+            - name: LXC_CONTAINER
+        ini:
+            - key: lxc_host
+              section: lxc_ssh_connection
+            - key: lxc_container
+              section: lxc_ssh_connection
+        vars:
+          - name: lxc_host
+          - name: lxc_container
+        cli:
+          - name: lxc_host
+          - name: lxc_container
+"""
+
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+
+    display = Display()
+
+
+class AnsibleControlPersistBrokenPipeError(AnsibleError):
+    """ControlPersist broken pipe"""
+
+    pass
+
+
+def _ssh_retry(func):
+    """
+    Decorator to retry ssh/scp/sftp in the case of a connection failure
+
+    Will retry if:
+    * an exception is caught
+    * ssh returns 255
+    Will not retry if
+    * remaining_tries is <2
+    * retries limit reached
+    """
+
+    @wraps(func)
+    def wrapped(self, *args, **kwargs):
+        remaining_tries = int(self.get_option("retries")) + 1
+        cmd_summary = "%s..." % args[0]
+        for attempt in range(remaining_tries):
+            cmd = args[0]
+            if attempt != 0 and self._play_context.password and isinstance(cmd, list):
+                # If this is a retry, the fd/pipe for sshpass is closed,
+                # and we need a new one
+                self.sshpass_pipe = os.pipe()
+                cmd[1] = b"-d" + to_bytes(
+                    self.sshpass_pipe[0],
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                )
+
+            try:
+                try:
+                    return_tuple = func(self, *args, **kwargs)
+                    display.vvv(return_tuple, host=self.host)
+                    # 0 = success
+                    # 1-254 = remote command return code
+                    # 255 = failure from the ssh command itself
+                except (AnsibleControlPersistBrokenPipeError) as e:
+                    # Retry one more time because of the ControlPersist
+                    # broken pipe (see #16731)
+                    display.vvv("RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE")
+                    return_tuple = func(self, *args, **kwargs)
+
+                if return_tuple[0] != 255:
+                    break
+                else:
+                    raise AnsibleConnectionFailure(
+                        "Failed to connect to the host via ssh: %s"
+                        % to_native(return_tuple[2])
+                    )
+            except (AnsibleConnectionFailure, Exception) as e:
+                if attempt == remaining_tries - 1:
+                    raise
+                else:
+                    pause = 2 ** attempt - 1
+                    if pause > 30:
+                        pause = 30
+
+                    if isinstance(e, AnsibleConnectionFailure):
+                        msg = (
+                            "ssh_retry: attempt: %d, ssh return code is 255. "
+                            "cmd (%s), pausing for %d seconds"
+                            % (attempt, cmd_summary, pause)
+                        )
+                    else:
+                        msg = (
+                            "ssh_retry: attempt: %d, caught exception(%s) "
+                            "from cmd (%s), pausing for %d seconds"
+                            % (attempt, e, cmd_summary, pause)
+                        )
+
+                    display.vv(msg, host=self.host)
+
+                    time.sleep(pause)
+                    continue
+
+        return return_tuple
+
+    return wrapped
+
+
+class Connection(ConnectionBase):
+    """ssh+lxc_attach connection"""
+
+    transport = "lxc_ssh"
+
+    def __init__(self, play_context, new_stdin, *args, **kwargs):
+        super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
+        self.host = self._play_context.remote_addr
+        self.port = self._play_context.port
+        self.user = self._play_context.remote_user
+        self.control_path = None
+        self.control_path_dir = None
+
+    def _set_version(self):
+        # LXC v1 uses 'lxc-info', 'lxc-attach' and so on
+        # LXC v2 uses just 'lxc'
+        (returncode2, stdout2, stderr2) = self._exec_command("which lxc", None, False)
+        (returncode1, stdout1, stderr1) = self._exec_command(
+            "which lxc-info", None, False
+        )
+        if returncode2 == 0:
+            self.lxc_version = 2
+            display.vvv("LXC v2")
+        elif returncode1 == 0:
+            self.lxc_version = 1
+            display.vvv("LXC v1")
+        else:
+            raise AnsibleConnectionFailure("Cannot identify LXC version")
+            sys.exit(1)
+
+    def set_options(self, *args, **kwargs):
+        super(Connection, self).set_options(*args, **kwargs)
+        self._set_version()
+
+    # The connection is created by running ssh/scp/sftp from the exec_command,
+    # put_file, and fetch_file methods, so we don't need to do any connection
+    # management here.
+    def _connect(self):
+        """connect to the lxc; nothing to do here"""
+        display.vvv("XXX connect")
+        super(Connection, self)._connect()
+        self.container_name = self.get_option("lxc_host")
+
+    @staticmethod
+    def _create_control_path(host, port, user, connection=None):
+        """Make a hash for the controlpath based on con attributes"""
+        pstring = "%s-%s-%s" % (host, port, user)
+        if connection:
+            pstring += "-%s" % connection
+        m = hashlib.sha1()
+        m.update(to_bytes(pstring))
+        digest = m.hexdigest()
+        cpath = "%(directory)s/" + digest[:10]
+        return cpath
+
+    @staticmethod
+    def _persistence_controls(b_command):
+        """
+        Takes a command array and scans it for ControlPersist and ControlPath
+        settings and returns two booleans indicating whether either was found.
+        This could be smarter, e.g. returning false if ControlPersist is 'no',
+        but for now we do it simple way.
+        """
+
+        controlpersist = False
+        controlpath = False
+
+        for b_arg in (a.lower() for a in b_command):
+            if b"controlpersist" in b_arg:
+                controlpersist = True
+            elif b"controlpath" in b_arg:
+                controlpath = True
+
+        return controlpersist, controlpath
+
+    @staticmethod
+    def _split_args(argstring):
+        """
+        Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a
+        list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to
+        the argument list. The list will not contain any empty elements.
+        """
+        if sys.version_info[0] >= 3:
+            return [
+                to_unicode(x.strip())
+                for x in shlex.split(to_bytes(argstring).decode())
+                if x.strip()
+            ]
+        else:
+            return [
+                to_unicode(x.strip())
+                for x in shlex.split(to_bytes(argstring))
+                if x.strip()
+            ]
+
+    def _add_args(self, b_command, b_args, explanation):
+        """
+        Adds arguments to the ssh command and displays a caller-supplied
+        explanation of why.
+        :arg b_command: A list containing the command to add the new arguments
+            to. This list will be modified by this method.
+        :arg b_args: An iterable of new arguments to add.  This iterable is
+            used more than once so it must be persistent (ie: a list is okay
+            but a StringIO would not)
+        :arg explanation: A text string containing explaining why the arguments
+            were added.  It will be displayed with a high enough verbosity.
+        .. note:: This function does its work via side-effect.
+                  The b_command list has the new arguments appended.
+        """
+        display.vvvvv(
+            "SSH: %s: (%s)" % (explanation, ")(".join(to_text(a) for a in b_args)),
+            host=self._play_context.remote_addr,
+        )
+        b_command += b_args
+
+    def _build_command(self, binary, subsystem, *other_args):
+        """
+        Takes an executable (ssh, scp, sftp or wrapper) and optional extra
+        arguments and returns the remote command wrapped in local ssh shell
+        commands and ready for execution.
+
+        :arg binary: actual executable to use to execute command.
+        :arg subsystem: type of executable provided, ssh/sftp/scp,
+                        needed because wrappers for ssh might have diff names.
+        :arg other_args: dict of, value pairs passed as arguments to the ssh
+                         binary
+        """
+
+        b_command = []
+        conn_password = self.get_option("password") or self._play_context.password
+
+        #
+        # First, the command to invoke
+        #
+
+        # If we want to use password authentication, we have to set up a pipe to
+        # write the password to sshpass.
+
+        if conn_password:
+            if not self._sshpass_available():
+                raise AnsibleError(
+                    "to use the 'ssh' connection type with passwords, "
+                    " you must install the sshpass program"
+                )
+
+            self.sshpass_pipe = os.pipe()
+            b_command += [
+                b"sshpass",
+                b"-d"
+                + to_bytes(
+                    self.sshpass_pipe[0],
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                ),
+            ]
+
+            password_prompt = self.get_option("sshpass_prompt")
+            if password_prompt:
+                b_command += [
+                    b"-P",
+                    to_bytes(password_prompt, errors="surrogate_or_strict"),
+                ]
+
+        b_command += [to_bytes(binary, errors="surrogate_or_strict")]
+
+        #
+        # Next, additional arguments based on the configuration.
+        #
+
+        # sftp batch mode allows us to correctly catch failed transfers, but can
+        # be disabled if the client side doesn't support the option. However,
+        # sftp batch mode does not prompt for passwords so it must be disabled
+        # if not using controlpersist and using sshpass
+        if subsystem == "sftp" and self.get_option("sftp_batch_mode"):
+            if conn_password:
+                b_args = [b"-o", b"BatchMode=no"]
+                self._add_args(b_command, b_args, "disable batch mode for sshpass")
+            b_command += [b"-b", b"-"]
+
+        if self._play_context.verbosity > 3:
+            b_command.append(b"-vvv")
+
+        # Next, we add ssh_args
+        ssh_args = self.get_option("ssh_args")
+        if ssh_args:
+            b_args = [
+                to_bytes(a, errors="surrogate_or_strict")
+                for a in self._split_ssh_args(ssh_args)
+            ]
+            self._add_args(b_command, b_args, u"ansible.cfg set ssh_args")
+
+        # Now we add various arguments that have their own specific settings
+        # defined in docs above.
+        if not self.get_option("host_key_checking"):
+            b_args = (b"-o", b"StrictHostKeyChecking=no")
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled",
+            )
+
+        self.port = self.get_option("port")
+        if self.port is not None:
+            b_args = (
+                b"-o",
+                b"Port="
+                + to_bytes(
+                    self.port,
+                    nonstring="simplerepr",
+                    errors="surrogate_or_strict",
+                ),
+            )
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set",
+            )
+
+        key = self.get_option("private_key_file")
+        if key:
+            b_args = (
+                b"-o",
+                b'IdentityFile="'
+                + to_bytes(os.path.expanduser(key), errors="surrogate_or_strict")
+                + b'"',
+            )
+            self._add_args(
+                b_command,
+                b_args,
+                "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/"
+                "ansible_ssh_private_key_file set",
+            )
+
+        if not conn_password:
+            self._add_args(
+                b_command,
+                (
+                    b"-o",
+                    b"KbdInteractiveAuthentication=no",
+                    b"-o",
+                    b"PreferredAuthentications=publickey,gssapi-with-mic,"
+                    b"gssapi-keyex,hostbased",
+                    b"-o",
+                    b"PasswordAuthentication=no",
+                ),
+                "ansible_password/ansible_ssh_password not set",
+            )
+
+        self.user = self.get_option("remote_user")
+
+        if self.user:
+            self._add_args(
+                b_command,
+                (
+                    b"-o",
+                    b'User="%s"' % to_bytes(self.user, errors="surrogate_or_strict"),
+                ),
+                "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set",
+            )
+
+        timeout = self.get_option("timeout")
+        self._add_args(
+            b_command,
+            (
+                b"-o",
+                b"ConnectTimeout="
+                + to_bytes(
+                    timeout,
+                    errors="surrogate_or_strict",
+                    nonstring="simplerepr",
+                ),
+            ),
+            "ANSIBLE_TIMEOUT/timeout set",
+        )
+
+        # Add in any common or binary-specific arguments from the PlayContext
+        # (i.e. inventory or task settings or overrides on the command line).
+
+        for opt in ("ssh_common_args", "{0}_extra_args".format(subsystem)):
+            attr = self.get_option(opt)
+            if attr is not None:
+                b_args = [
+                    to_bytes(a, errors="surrogate_or_strict")
+                    for a in self._split_ssh_args(attr)
+                ]
+                self._add_args(b_command, b_args, "Set %s" % opt)
+
+        # Check if ControlPersist is enabled and add a ControlPath if one hasn't
+        # already been set.
+
+        controlpersist, controlpath = self._persistence_controls(b_command)
+
+        if controlpersist:
+            self._persistent = True
+
+            if not controlpath:
+                self.control_path_dir = self.get_option("control_path_dir")
+                cpdir = unfrackpath(self.control_path_dir)
+                b_cpdir = to_bytes(cpdir, errors="surrogate_or_strict")
+
+                # The directory must exist and be writable.
+                makedirs_safe(b_cpdir, 0o700)
+                if not os.access(b_cpdir, os.W_OK):
+                    raise AnsibleError(
+                        "Cannot write to ControlPath %s" % to_native(cpdir)
+                    )
+
+                self.control_path = self.get_option("control_path")
+                if not self.control_path:
+                    self.control_path = self._create_control_path(
+                        self.host, self.port, self.user
+                    )
+                b_args = (
+                    b"-o",
+                    b"ControlPath="
+                    + to_bytes(
+                        self.control_path % dict(directory=cpdir),
+                        errors="surrogate_or_strict",
+                    ),
+                )
+                self._add_args(
+                    b_command,
+                    b_args,
+                    "found only ControlPersist; added ControlPath",
+                )
+
+        # Finally, we add any caller-supplied extras.
+        if other_args:
+            b_command += [to_bytes(a) for a in other_args]
+
+        return b_command
+
+    def _send_initial_data(self, fh, in_data):
+        """
+        Writes initial data to the stdin filehandle of the subprocess and closes
+        it. (The handle must be closed; otherwise, for example, "sftp -b -" will
+        just hang forever waiting for more commands.)
+        """
+
+        display.debug("Sending initial data")
+
+        try:
+            fh.write(to_bytes(in_data))
+            fh.close()
+        except (OSError, IOError):
+            raise AnsibleConnectionFailure(
+                'SSH Error: data could not be sent to remote host "%s". '
+                "Make sure this host can be reached over ssh" % self.host
+            )
+
+        display.debug("Sent initial data (%d bytes)" % len(in_data))
+
+    # Used by _run() to kill processes on failures
+    @staticmethod
+    def _terminate_process(p):
+        """Terminate a process, ignoring errors"""
+        try:
+            p.terminate()
+        except (OSError, IOError):
+            pass
+
+    # This is separate from _run() because we need to do the same
+    # thing for stdout and stderr.
+    def _examine_output(self, source, state, b_chunk, sudoable):
+        """
+        Takes a string, extracts complete lines from it, tests to see if they
+        are a prompt, error message, etc., and sets appropriate flags in self.
+        Prompt and success lines are removed.
+        Returns the processed (i.e. possibly-edited) output and the unprocessed
+        remainder (to be processed with the next chunk) as strings.
+        """
+
+        output = []
+        for b_line in b_chunk.splitlines(True):
+            display_line = to_text(b_line).rstrip("\r\n")
+            suppress_output = False
+
+            if self._play_context.prompt and self.check_password_prompt(b_line):
+                display.debug(
+                    "become_prompt: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_prompt"] = True
+                suppress_output = True
+            elif self._play_context.success_key and self.check_become_success(b_line):
+                display.debug(
+                    "become_success: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_success"] = True
+                suppress_output = True
+            elif sudoable and self.check_incorrect_password(b_line):
+                display.debug(
+                    "become_error: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_error"] = True
+            elif sudoable and self.check_missing_password(b_line):
+                display.debug(
+                    "become_nopasswd_error: (source=%s, state=%s): '%s'"
+                    % (source, state, display_line)
+                )
+                self._flags["become_nopasswd_error"] = True
+
+            if not suppress_output:
+                output.append(b_line)
+
+        # The chunk we read was most likely a series of complete lines, but just
+        # in case the last line was incomplete (and not a prompt, which we would
+        # have removed from the output), we retain it to be processed with the
+        # next chunk.
+
+        remainder = b""
+        if output and not output[-1].endswith(b"\n"):
+            remainder = output[-1]
+            output = output[:-1]
+
+        return b"".join(output), remainder
+
+    def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True):
+        """
+        Starts the command and communicates with it until it ends.
+        """
+
+        display_cmd = list(map(shlex_quote, map(to_text, cmd)))
+        display.vvv("SSH: EXEC {0}".format(" ".join(display_cmd)), host=self.host)
+
+        # Start the given command. If we don't need to pipeline data, we can try
+        # to use a pseudo-tty (ssh will have been invoked with -tt). If we are
+        # pipelining data, or can't create a pty, we fall back to using plain
+        # old pipes.
+
+        p = None
+
+        if isinstance(cmd, (text_type, binary_type)):
+            cmd = to_bytes(cmd)
+        else:
+            if sys.version_info[0] >= 3:
+                cmd = list(map(to_bytes, cmd))
+            else:
+                cmd = map(to_bytes, cmd)
+
+        if not in_data:
+            try:
+                # Make sure stdin is a proper pty to avoid tcgetattr errors
+                master, slave = pty.openpty()
+                if PY3 and self._play_context.password:
+                    p = subprocess.Popen(
+                        cmd,
+                        stdin=slave,
+                        stdout=subprocess.PIPE,
+                        stderr=subprocess.PIPE,
+                        pass_fds=self.sshpass_pipe,
+                    )
+                else:
+                    p = subprocess.Popen(
+                        cmd,
+                        stdin=slave,
+                        stdout=subprocess.PIPE,
+                        stderr=subprocess.PIPE,
+                    )
+                stdin = os.fdopen(master, "wb", 0)
+                os.close(slave)
+            except (OSError, IOError):
+                p = None
+
+        if not p:
+            if PY3 and self._play_context.password:
+                p = subprocess.Popen(
+                    cmd,
+                    stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                    pass_fds=self.sshpass_pipe,
+                )
+            else:
+                p = subprocess.Popen(
+                    cmd,
+                    stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.PIPE,
+                )
+            stdin = p.stdin
+
+        # If we are using SSH password authentication, write the password into
+        # the pipe we opened in _build_command.
+
+        if self._play_context.password:
+            os.close(self.sshpass_pipe[0])
+            try:
+                os.write(
+                    self.sshpass_pipe[1],
+                    to_bytes(self._play_context.password) + b"\n",
+                )
+            except OSError as e:
+                # Ignore broken pipe errors if the sshpass process has exited.
+                if e.errno != errno.EPIPE or p.poll() is None:
+                    raise
+            os.close(self.sshpass_pipe[1])
+
+        #
+        # SSH state machine
+        #
+
+        # Now we read and accumulate output from the running process until it
+        # exits. Depending on the circumstances, we may also need to write an
+        # escalation password and/or pipelined input to the process.
+
+        states = [
+            "awaiting_prompt",
+            "awaiting_escalation",
+            "ready_to_send",
+            "awaiting_exit",
+        ]
+
+        # Are we requesting privilege escalation? Right now, we may be invoked
+        # to execute sftp/scp with sudoable=True, but we can request escalation
+        # only when using ssh. Otherwise we can send initial data straight away.
+
+        state = states.index("ready_to_send")
+        if b"ssh" in cmd:
+            if self._play_context.prompt:
+                # We're requesting escalation with a password, so we have to
+                # wait for a password prompt.
+                state = states.index("awaiting_prompt")
+                display.debug(
+                    "Initial state: %s: %s" % (states[state], self._play_context.prompt)
+                )
+            elif self._play_context.become and self._play_context.success_key:
+                # We're requesting escalation without a password, so we have to
+                # detect success/failure before sending any initial data.
+                state = states.index("awaiting_escalation")
+                display.debug(
+                    "Initial state: %s: %s"
+                    % (states[state], self._play_context.success_key)
+                )
+
+        # We store accumulated stdout and stderr output from the process here,
+        # but strip any privilege escalation prompt/confirmation lines first.
+        # Output is accumulated into tmp_*, complete lines are extracted into
+        # an array, then checked and removed or copied to stdout or stderr. We
+        # set any flags based on examining the output in self._flags.
+
+        b_stdout = b_stderr = b""
+        b_tmp_stdout = b_tmp_stderr = b""
+
+        self._flags = dict(
+            become_prompt=False,
+            become_success=False,
+            become_error=False,
+            become_nopasswd_error=False,
+        )
+
+        # select timeout should be longer than the connect timeout, otherwise
+        # they will race each other when we can't connect, and the connect
+        # timeout usually fails
+        timeout = 2 + self._play_context.timeout
+        for fd in (p.stdout, p.stderr):
+            fcntl.fcntl(
+                fd,
+                fcntl.F_SETFL,
+                fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK,
+            )
+
+        # TODO: bcoca would like to use SelectSelector() when open
+        # filehandles is low, then switch to more efficient ones when higher.
+        # select is faster when filehandles is low.
+        selector = selectors.DefaultSelector()
+        selector.register(p.stdout, selectors.EVENT_READ)
+        selector.register(p.stderr, selectors.EVENT_READ)
+
+        # If we can send initial data without waiting for anything, we do so
+        # before we start polling
+        if states[state] == "ready_to_send" and in_data:
+            self._send_initial_data(stdin, in_data)
+            state += 1
+
+        try:
+            while True:
+                poll = p.poll()
+                events = selector.select(timeout)
+
+                # We pay attention to timeouts only while negotiating a prompt.
+
+                if not events:
+                    # We timed out
+                    if state <= states.index("awaiting_escalation"):
+                        # If the process has already exited, then it's not
+                        # really a timeout; we'll let the normal error
+                        # handling deal with it.
+                        if poll is not None:
+                            break
+                        self._terminate_process(p)
+                        raise AnsibleError(
+                            "Timeout (%ds) waiting for privilege escalation "
+                            " prompt: %s" % (timeout, to_native(b_stdout))
+                        )
+
+                # Read whatever output is available on stdout and stderr,
+                # and stop listening to the pipe if it's been closed.
+
+                for key, event in events:
+                    if key.fileobj == p.stdout:
+                        b_chunk = p.stdout.read()
+                        if b_chunk == b"":
+                            # stdout has been closed, stop watching it
+                            selector.unregister(p.stdout)
+                            # When ssh has ControlMaster (+ControlPath/Persist)
+                            # enabled, the first connection goes into the
+                            # background and we never see EOF on stderr. If we
+                            # see EOF on stdout, lower the select timeout
+                            # to reduce the time wasted selecting on stderr if
+                            # we observe that the process has not yet existed
+                            # after this EOF. Otherwise we may spend a long
+                            # timeout period waiting for an EOF that is not
+                            # going to arrive until the persisted connection
+                            # closes.
+                            timeout = 1
+                        b_tmp_stdout += b_chunk
+                        display.debug(
+                            "stdout chunk (state=%s):\n>>>%s<<<\n"
+                            % (state, to_text(b_chunk))
+                        )
+                    elif key.fileobj == p.stderr:
+                        b_chunk = p.stderr.read()
+                        if b_chunk == b"":
+                            # stderr has been closed, stop watching it
+                            selector.unregister(p.stderr)
+                        b_tmp_stderr += b_chunk
+                        display.debug(
+                            "stderr chunk (state=%s):\n>>>%s<<<\n"
+                            % (state, to_text(b_chunk))
+                        )
+
+                # We examine the output line-by-line until we have negotiated
+                # any privilege escalation prompt and subsequent success/error
+                # message.
+                # Afterwards, we can accumulate output without looking at it.
+
+                if state < states.index("ready_to_send"):
+                    if b_tmp_stdout:
+                        b_output, b_unprocessed = self._examine_output(
+                            "stdout", states[state], b_tmp_stdout, sudoable
+                        )
+                        b_stdout += b_output
+                        b_tmp_stdout = b_unprocessed
+
+                    if b_tmp_stderr:
+                        b_output, b_unprocessed = self._examine_output(
+                            "stderr", states[state], b_tmp_stderr, sudoable
+                        )
+                        b_stderr += b_output
+                        b_tmp_stderr = b_unprocessed
+                else:
+                    b_stdout += b_tmp_stdout
+                    b_stderr += b_tmp_stderr
+                    b_tmp_stdout = b_tmp_stderr = b""
+
+                # If we see a privilege escalation prompt, we send the password.
+                # (If we're expecting a prompt but the escalation succeeds, we
+                # didn't need the password and can carry on regardless.)
+
+                if states[state] == "awaiting_prompt":
+                    if self._flags["become_prompt"]:
+                        display.debug("Sending become_pass in response to prompt")
+                        stdin.write(to_bytes(self._play_context.become_pass) + b"\n")
+                        self._flags["become_prompt"] = False
+                        state += 1
+                    elif self._flags["become_success"]:
+                        state += 1
+
+                # We've requested escalation (with or without a password),
+                # now we wait for an error message or a successful escalation.
+
+                if states[state] == "awaiting_escalation":
+                    if self._flags["become_success"]:
+                        display.debug("Escalation succeeded")
+                        self._flags["become_success"] = False
+                        state += 1
+                    elif self._flags["become_error"]:
+                        display.debug("Escalation failed")
+                        self._terminate_process(p)
+                        self._flags["become_error"] = False
+                        raise AnsibleError(
+                            "Incorrect %s password" % self._play_context.become_method
+                        )
+                    elif self._flags["become_nopasswd_error"]:
+                        display.debug("Escalation requires password")
+                        self._terminate_process(p)
+                        self._flags["become_nopasswd_error"] = False
+                        raise AnsibleError(
+                            "Missing %s password" % self._play_context.become_method
+                        )
+                    elif self._flags["become_prompt"]:
+                        # This shouldn't happen, because we should see the
+                        # "Sorry, try again" message first.
+                        display.debug("Escalation prompt repeated")
+                        self._terminate_process(p)
+                        self._flags["become_prompt"] = False
+                        raise AnsibleError(
+                            "Incorrect %s password" % self._play_context.become_method
+                        )
+
+                # Once we're sure that the privilege escalation prompt,
+                # if any, has been dealt with, we can send any initial data
+                # and start waiting for output.
+
+                if states[state] == "ready_to_send":
+                    if in_data:
+                        self._send_initial_data(stdin, in_data)
+                    state += 1
+
+                # Now we're awaiting_exit: has the child process exited?
+                # If it has, and we've read all available output from it,
+                # we're done.
+
+                if poll is not None:
+                    if not selector.get_map() or not events:
+                        break
+                    # We should not see further writes to the stdout/stderr file
+                    # descriptors after the process has closed, set the select
+                    # timeout to gather any last writes we may have missed.
+                    timeout = 0
+                    continue
+
+                # If the process has not yet exited, but we've already read
+                # EOF from its stdout and stderr (and thus no longer watching
+                # any file descriptors), we can just wait for it to exit.
+
+                elif not selector.get_map():
+                    p.wait()
+                    break
+
+                # Otherwise there may still be outstanding data to read.
+        finally:
+            selector.close()
+            # close stdin after process is terminated and stdout/stderr are read
+            # completely (see also issue #848)
+            stdin.close()
+
+        if self.get_option("host_key_checking"):
+            if cmd[0] == b"sshpass" and p.returncode == 6:
+                raise AnsibleError(
+                    "Using a SSH password instead of a key is not possible "
+                    "because Host Key checking is enabled and sshpass does not "
+                    "support this.  Please add this host's fingerprint to your "
+                    " known_hosts file to manage this host."
+                )
+
+        controlpersisterror = (
+            b"Bad configuration option: ControlPersist" in b_stderr
+            or b"unknown configuration option: ControlPersist" in b_stderr
+        )
+        if p.returncode != 0 and controlpersisterror:
+            raise AnsibleError(
+                "using -c ssh on certain older ssh versions may not support "
+                ' ControlPersist, set ANSIBLE_SSH_ARGS="" '
+                "(or ssh_args in [ssh_connection] section of the config file) "
+                "before running again"
+            )
+
+        # If we find a broken pipe because of ControlPersist timeout expiring
+        # (see #16731),
+        # we raise a special exception so that we can retry a connection.
+        controlpersist_broken_pipe = (
+            b"mux_client_hello_exchange: write packet: Broken pipe" in b_stderr
+        )
+        if p.returncode == 255 and controlpersist_broken_pipe:
+            raise AnsibleControlPersistBrokenPipeError(
+                "SSH Error: data could not be sent because of ControlPersist "
+                "broken pipe."
+            )
+
+        if p.returncode == 255 and in_data and checkrc:
+            raise AnsibleConnectionFailure(
+                'SSH Error: data could not be sent to remote host "%s". '
+                "Make sure this host can be reached over ssh" % self.host
+            )
+
+        return (p.returncode, b_stdout, b_stderr)
+
+    @_ssh_retry
+    def _run(self, cmd, in_data, sudoable=True, checkrc=True):
+        """Wrapper around _bare_run that retries the connection"""
+        return self._bare_run(cmd, in_data, sudoable, checkrc)
+
+    def _exec_command(self, cmd, in_data=None, sudoable=True):
+        """run a command on the remote host"""
+
+        super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
+
+        display.vvv(
+            "ESTABLISH SSH CONNECTION FOR USER: {0}".format(
+                self._play_context.remote_user
+            ),
+            host=self._play_context.remote_addr,
+        )
+
+        # we can only use tty when we are not pipelining the modules. piping
+        # data into /usr/bin/python inside a tty automatically invokes the
+        # python interactive-mode but the modules are not compatible with the
+        # interactive-mode ("unexpected indent" mainly because of empty lines)
+
+        ssh_executable = self.get_option("ssh_executable")
+        if in_data:
+            cmd = self._build_command(ssh_executable, "ssh", self.host, cmd)
+        else:
+            cmd = self._build_command(ssh_executable, "ssh", "-tt", self.host, cmd)
+
+        (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
+
+        return (returncode, stdout, stderr)
+
+    def dir_print(self, obj):
+        for attr_name in dir(obj):
+            try:
+                attr_value = getattr(obj, attr_name)
+                print(attr_name, attr_value, callable(attr_value))
+            except AttributeError:
+                pass
+
+    #
+    # Main public methods
+    #
+    def exec_command(self, cmd, in_data=None, sudoable=False):
+        """run a command on the chroot"""
+        display.vvv("XXX exec_command: %s" % cmd)
+        super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
+
+        ssh_executable = self.get_option("ssh_executable")
+        h = self.container_name
+        if self.lxc_version == 2:
+            lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        elif self.lxc_version == 1:
+            lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        if in_data:
+            cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+        else:
+            cmd = self._build_command(ssh_executable, "ssh", "-tt", self.host, lxc_cmd)
+        (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
+        return (returncode, stdout, stderr)
+
+    def put_file(self, in_path, out_path):
+        """transfer a file from local to lxc"""
+        super(Connection, self).put_file(in_path, out_path)
+        display.vvv("PUT {0} TO {1}".format(in_path, out_path), host=self.host)
+        ssh_executable = self.get_option("ssh_executable")
+
+        if not os.path.exists(to_bytes(in_path, errors="surrogate_or_strict")):
+            raise AnsibleFileNotFound(
+                "file or module does not exist: {0}".format(to_native(in_path))
+            )
+
+        if sys.version_info[0] >= 3:
+            with open(in_path, "rb") as in_f:
+                in_data = in_f.read()
+                if len(in_data) == 0:
+                    # define a shortcut for empty files - nothing ro read so
+                    # the ssh pipe will hang
+                    cmd = "touch %s; echo -n done" % pipes.quote(out_path)
+                else:
+                    # regular command
+                    cmd = "cat > %s; echo -n done" % pipes.quote(out_path)
+                h = self.container_name
+                if self.lxc_version == 2:
+                    lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                elif self.lxc_version == 1:
+                    lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                if in_data:
+                    cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+                else:
+                    cmd = self._build_command(
+                        ssh_executable, "ssh", "-tt", self.host, lxc_cmd
+                    )
+                (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
+                return (returncode, stdout, stderr)
+        else:
+            with open(in_path, "r") as in_f:
+                in_data = in_f.read()
+                if len(in_data) == 0:
+                    # define a shortcut for empty files - nothing ro read so
+                    # the ssh pipe will hang
+                    cmd = "touch %s; echo -n done" % pipes.quote(out_path)
+                else:
+                    # regular command
+                    cmd = "cat > %s; echo -n done" % pipes.quote(out_path)
+                h = self.container_name
+                if self.lxc_version == 2:
+                    lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                elif self.lxc_version == 1:
+                    lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                        pipes.quote(h),
+                        pipes.quote(cmd),
+                    )
+                if in_data:
+                    cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+                else:
+                    cmd = self._build_command(
+                        ssh_executable, "ssh", "-tt", self.host, lxc_cmd
+                    )
+                (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
+                return (returncode, stdout, stderr)
+
+    def fetch_file(self, in_path, out_path):
+        """fetch a file from lxc to local"""
+        super(Connection, self).fetch_file(in_path, out_path)
+        display.vvv("FETCH {0} TO {1}".format(in_path, out_path), host=self.host)
+        ssh_executable = self.get_option("ssh_executable")
+
+        cmd = "cat < %s" % pipes.quote(in_path)
+        h = self.container_name
+        if self.lxc_version == 2:
+            lxc_cmd = "lxc exec %s --mode=non-interactive -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+        elif self.lxc_version == 1:
+            lxc_cmd = "lxc-attach --name %s -- /bin/sh -c %s" % (
+                pipes.quote(h),
+                pipes.quote(cmd),
+            )
+
+        cmd = self._build_command(ssh_executable, "ssh", self.host, lxc_cmd)
+        (returncode, stdout, stderr) = self._run(cmd, None, sudoable=False)
+
+        if returncode != 0:
+            raise AnsibleError(
+                "failed to transfer file from {0}:\n{1}\n{2}".format(
+                    in_path, stdout, stderr
+                )
+            )
+
+        if sys.version_info[0] >= 3:
+            with open(out_path, "wb") as out_f:
+                out_f.write(stdout)
+        else:
+            with open(out_path, "w") as out_f:
+                out_f.write(stdout)
+
+        return (returncode, stdout, stderr)
+
+    def reset(self):
+        # If we have a persistent ssh connection (ControlPersist),
+        # we can ask it to stop listening.
+        cmd = self._build_command(
+            self.get_option("ssh_executable"), "ssh", "-O", "stop", self.host
+        )
+        controlpersist, controlpath = self._persistence_controls(cmd)
+        if controlpersist:
+            display.vvv("sending stop: %s" % cmd)
+            p = subprocess.Popen(
+                cmd,
+                stdin=subprocess.PIPE,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+            )
+            stdout, stderr = p.communicate()
+            status_code = p.wait()
+            if status_code != 0:
+                raise AnsibleError("Cannot reset connection:\n%s" % stderr)
+        self.close()
+
+    def close(self):
+        """terminate the connection; nothing to do here"""
+        display.vvv("XXX close")
+        super(Connection, self).close()
+        # self.ssh.close()
+        self._connected = False
diff --git a/ansible_collections/debops/debops/plugins/filter/debops_filter_plugins.py b/ansible_collections/debops/debops/plugins/filter/debops_filter_plugins.py
new file mode 100644
index 00000000..2971b800
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/filter/debops_filter_plugins.py
@@ -0,0 +1,1461 @@
+# A set of custom Ansible filter plugins used by DebOps
+
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see <https://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+
+__metaclass__ = type
+
+try:
+    unicode = unicode
+except NameError:
+    # 'unicode' is undefined, must be Python 3
+    str = str
+    unicode = str
+    bytes = bytes
+    basestring = (str, bytes)
+else:
+    # 'unicode' exists, must be Python 2
+    str = str
+    unicode = unicode
+    bytes = str
+    basestring = basestring
+
+
+def _check_if_key_in_nested_dict(key, dictionary):
+    if isinstance(dictionary, dict):
+        for k, v in dictionary.items():
+            if k == key:
+                return True
+            elif isinstance(v, dict):
+                if _check_if_key_in_nested_dict(key, v):
+                    return True
+            elif isinstance(v, list):
+                for d in v:
+                    if _check_if_key_in_nested_dict(key, d):
+                        return True
+
+    return False
+
+
+def _handle_copy_id_from(parsed_config, element, current_param):
+    if 'copy_id_from' in element:
+        if element['copy_id_from'] in parsed_config:
+            id_src = element['copy_id_from']
+            current_param['id'] = (
+                int(parsed_config[id_src]['id']) +
+                int(parsed_config[id_src].get('weight', 0)))
+
+
+def _handle_weight(element, current_param):
+    if 'weight' in element:
+        current_param['weight'] = (
+            int(element.get('weight',
+                current_param.get('weight', 0))) +
+            int(current_param.get('weight', 0)))
+
+
+def _get_real_weight(current_param):
+    return int(current_param['id']) + int(current_param['weight'])
+
+
+def _parse_kv_value(current_data, new_data, data_index):
+    """Parse the parameter values and merge
+    with existing ones conditionally.
+    """
+
+    if 'value' in new_data:
+        old_value = current_data.get('value')
+        old_state = current_data.get('state', 'present')
+        new_value = new_data['value']
+        new_value_cast = new_data.get('value_cast', None)
+
+        if (new_value is None or
+                isinstance(new_value, (basestring, int, float, bool))):
+            if (old_value is None or isinstance(old_value,
+                                                (basestring, int,
+                                                 float, bool, dict))):
+                if new_value_cast in ['null', 'none', 'None']:
+                    current_data['value'] = None
+                elif new_value_cast in ['int', 'integer']:
+                    current_data['value'] = int(new_value)
+                elif new_value_cast in ['str', 'string']:
+                    current_data['value'] = str(new_value)
+                elif new_value_cast in ['bool', 'boolean']:
+                    current_data['value'] = bool(new_value)
+                elif new_value_cast == 'float':
+                    current_data['value'] = float(new_value)
+                else:
+                    current_data['value'] = new_value
+
+            # TODO(drybjed): This never evaluates to true.
+            #  if (old_value is not None and old_state in ['comment'] and
+            #          current_data['state'] != 'comment'):
+            #      current_data['state'] = 'present'
+
+        elif isinstance(new_value, list):
+            if isinstance(old_value, dict):
+                dict_value = current_data.get('value', {}).copy()
+            else:
+                dict_value = {}
+
+            for element_index, element in enumerate(new_value):
+                if isinstance(element, (basestring, int)):
+                    dict_element = dict_value.get(element, {}).copy()
+                    if not dict_element.get('name'):
+                        dict_element.update({
+                            'name': element,
+                            'id': ((data_index * 10) + element_index),
+                            'weight': dict_element.get('weight', 0),
+                            'state': 'present'})
+
+                        dict_element['real_weight'] = _get_real_weight(
+                                dict_element)
+                        dict_value[element] = dict_element
+                        current_data['value'] = dict_value
+
+                elif (isinstance(element, dict) and
+                        element.get('param', element.get('name')) and
+                        element.get('state', 'present') != 'ignore'):
+                    element_name = element.get('param', element.get('name'))
+
+                    for cursor in ([element_name]
+                                   if isinstance(element_name,
+                                                 (basestring, int))
+                                   else element_name):
+                        dict_element = dict_value.get(cursor, {}).copy()
+                        dict_element.update({
+                            'name': cursor,
+                            'id': ((data_index * 10) + element_index),
+                            'weight': int(dict_element.get('weight', 0)),
+                            'state': element.get('state', 'present')
+                        })
+
+                        _handle_copy_id_from(dict_value, element, dict_element)
+
+                        if 'weight' in element:
+                            dict_element['weight'] = (
+                                int(element.get('weight',
+                                    dict_element.get('weight', 0))) +
+                                int(dict_element.get('weight', 0)))
+
+                        dict_element['real_weight'] = _get_real_weight(
+                                dict_element)
+
+                        # Include any unknown keys.
+                        for key in element.keys():
+                            if key not in ['name', 'state', 'id', 'weight',
+                                           'real_weight', 'param',
+                                           'copy_id_from']:
+                                dict_element[key] = element.get(key)
+
+                        dict_value.update({cursor: dict_element})
+                        current_data.update({'value': dict_value})
+
+
+def parse_kv_config(*args, **kwargs):
+    """Return a parsed list of key/value configuration options
+
+    Optional arguments:
+
+        name
+            string, name of the primary dictionary key used as an indicator to
+            merge the related dictionaries together. If not specified, 'name'
+            will be set as default.
+    """
+    name = kwargs.get('name', "name")
+    input_args = []
+    parsed_config = {}
+
+    # Flatten the input list.
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    for element_index, element in enumerate(input_args):
+
+        if isinstance(element, (basestring)):
+
+            # This is a simple string, let's make it a dictionary so that it
+            # can be correctly processed.
+            # We assume that the string should be a 'name' parameter.
+            element = {name: element}
+
+        if isinstance(element, dict):
+            if any(x in [name] for x in element):
+
+                if element.get('state', 'present') != 'ignore':
+
+                    param_name = element.get(name)
+
+                    if element.get('state', 'present') == 'append':
+
+                        # In append mode, don't create new config entries
+                        if (parsed_config.get(param_name, {})
+                                .get('state', 'present') == 'init'):
+                            continue
+
+                    current_param = (parsed_config[param_name].copy()
+                                     if param_name in parsed_config
+                                     else {})
+
+                    if element.get('state', 'present') == 'append':
+                        current_param['state'] = current_param.get(
+                                'state', 'present')
+                    else:
+                        current_param['state'] = (
+                            element.get('state', current_param.get(
+                                'state', 'present')))
+
+                    if (current_param['state'] == 'init' and
+                        (element.get('state', 'present') != 'init' and
+                            _check_if_key_in_nested_dict(
+                            'value', current_param))):
+                        current_param['state'] = 'present'
+
+                    current_param.update({
+                        name: param_name,  # in case of a new entry
+                        'id': int(current_param.get('id',
+                                                    (element_index * 10))),
+                        'weight': int(current_param.get('weight', 0)),
+                        'separator': element.get('separator',
+                                                 current_param.get('separator',
+                                                                   False)),
+                        'section': element.get('section',
+                                               current_param.get('section',
+                                                                 'unknown'))
+                    })
+
+                    _handle_copy_id_from(parsed_config, element, current_param)
+                    _handle_weight(element, current_param)
+
+                    current_param['real_weight'] = (
+                            _get_real_weight(current_param))
+
+                    _parse_kv_value(current_param, element,
+                                    current_param.get('id'))
+
+                    if 'option' in element:
+                        current_param['option'] = element.get('option')
+
+                    if 'comment' in element:
+                        current_param['comment'] = element.get('comment')
+
+                    merge_keys = []
+                    if isinstance(kwargs.get('merge_keys'), list):
+                        merge_keys.extend(kwargs.get('merge_keys'))
+
+                    if 'options' not in merge_keys:
+                        merge_keys.append('options')
+
+                    for key_name in merge_keys:
+                        if key_name in element:
+                            current_options = current_param.get(key_name, [])
+                            current_param[key_name] = parse_kv_config(
+                                current_options + element.get(key_name),
+                                merge_keys=merge_keys)
+
+                    # Include any unknown keys
+                    for unknown_key in element.keys():
+                        if (unknown_key not in merge_keys
+                            and unknown_key not in [name, 'state', 'id',
+                                                    'weight', 'real_weight',
+                                                    'separator', 'value',
+                                                    'comment', 'option',
+                                                    'section']):
+                            current_param[unknown_key] = (
+                                    element.get(unknown_key))
+
+                    parsed_config.update({param_name: current_param})
+
+            # These parameters are special and should not be interpreted
+            # directly as configuration options
+            elif not all(x in [name, 'option', 'state', 'comment',
+                               'section', 'weight', 'value', 'copy_id_from']
+                         for x in element):
+                for key, value in element.items():
+                    current_param = (parsed_config[key].copy()
+                                     if key in parsed_config else {})
+                    current_param.update({
+                        name: key,
+                        'state': 'present',
+                        'id': int(current_param.get('id',
+                                                    (element_index * 10))),
+                        'weight': int(current_param.get('weight', 0)),
+                        'section': current_param.get('section', 'unknown')
+                    })
+
+                    current_param['real_weight'] = _get_real_weight(
+                            current_param)
+
+                    _parse_kv_value(current_param,
+                                    {'value': value},
+                                    current_param.get('id'))
+
+                    parsed_config.update({key: current_param})
+
+    # Expand the dictionary of configuration options into a list,
+    # and return sorted by weight.
+    output = []
+    for key, params in parsed_config.items():
+        if isinstance(params.get('value'), dict):
+            params['value'] = sorted(
+                params.get('value').values(),
+                key=itemgetter('real_weight')
+            )
+
+        output.append(params)
+
+    return sorted(output, key=itemgetter('real_weight'))
+
+
+def parse_kv_items(*args, **kwargs):
+    """Return a parsed list of with_items elements
+    Optional arguments:
+
+        name
+            string, name of the primary dictionary key used as an indicator to
+            merge the related dictionaries together. If not specified, 'name'
+            will be set as default.
+
+        empty
+            dictionary, keys are parameter names which might be empty, values
+            are key name or list of key names, first key with a value other
+            than None will be used as the specified parameter. Examples:
+                empty={'some_param':  'other_param',
+                       'empty_param': ['param2', 'param1']}
+
+        defaults
+            dictionary, keys are parameter names, values are default values to
+            use when a parameter is not specified. Examples:
+                      defaults={'some_param': 'default_value'}
+
+        merge_keys
+            list of keys in the dictionary that will be merged together. If not
+            specified, 'options' key instances will be merged by default.
+    """
+    name = kwargs.get('name', "name")
+    empty = kwargs.get('empty', {})
+    defaults = kwargs.get('defaults', {})
+    merge_keys = list(set(kwargs.get('merge_keys', set())))
+
+    if 'options' not in merge_keys:
+        merge_keys.append('options')
+
+    input_args = []
+
+    # Flatten the input list.
+    for sublist in args:
+        input_args.extend(sublist)
+
+    parsed_config = {}
+
+    for element_index, element in enumerate(input_args):
+
+        if isinstance(element, dict):
+            element_state = element.get('state', 'present')
+        elif isinstance(element, (basestring)):
+
+            # This is a simple string, let's make it a dictionary so that it
+            # can be correctly processed.
+            # We assume that the string should be a 'name' parameter.
+            element = {name: element}
+            element_state = 'present'
+
+        if isinstance(element, dict):
+            if (any(x in [name] for x in element) and
+                    element_state != 'ignore'):
+
+                param_name = element.get(name)
+
+                if element_state == 'append':
+
+                    # In append mode, don't create new config entries.
+                    if (param_name not in parsed_config or
+                        parsed_config[param_name].get('state',
+                                                      'present') == 'init'):
+                        continue
+
+                current_param = (parsed_config[param_name].copy()
+                                 if param_name in parsed_config
+                                 else {})
+
+                if element_state == 'append':
+                    current_param['state'] = current_param.get(
+                            'state', 'present')
+                else:
+                    current_param['state'] = (
+                        element.get('state', current_param.get(
+                            'state', 'present')))
+
+                if (current_param['state'] == 'init' and
+                        (element_state != 'init' and
+                            _check_if_key_in_nested_dict(
+                                'value', current_param))):
+                    current_param['state'] = 'present'
+
+                current_param.update({
+                    name: param_name,  # in case of a new entry
+                    'id': int(current_param.get('id', (element_index * 10))),
+                    'weight': int(current_param.get('weight', 0)),
+                    'separator': element.get('separator',
+                                             current_param.get('separator',
+                                                               False))
+                })
+
+                _handle_copy_id_from(parsed_config, element, current_param)
+                _handle_weight(element, current_param)
+
+                current_param['real_weight'] = _get_real_weight(current_param)
+
+                if 'comment' in element:
+                    current_param['comment'] = element.get('comment')
+
+                # Set any default keys defined for the filter.
+                for k, v in defaults.items():
+                    current_param[k] = current_param.get(k, v)
+
+                for key_name in merge_keys:
+                    if key_name in element:
+                        current_options = current_param.get(key_name, [])
+                        current_param[key_name] = parse_kv_config(
+                            current_options + element.get(key_name),
+                            merge_keys=merge_keys)
+
+                known_keys = [name, 'state', 'id', 'weight',
+                              'real_weight', 'separator',
+                              'comment', 'options']
+
+                # Include any unknown keys.
+                for unknown_key in element.keys():
+                    if (unknown_key not in known_keys and
+                            unknown_key not in merge_keys):
+                        current_param[unknown_key] = element.get(unknown_key)
+
+                # Fill any empty keys using other keys.
+                for key_to_set, keys_to_check in empty.items():
+                    if key_to_set in current_param:
+                        continue
+
+                    for key_to_check in keys_to_check:
+                        if key_to_check in current_param:
+                            current_param[key_to_set] = \
+                                    current_param[key_to_check]
+                            break
+
+                parsed_config[param_name] = current_param
+
+    # Expand the dictionary of configuration options into a list,
+    # and return sorted by weight.
+    output = []
+    for key, params in parsed_config.items():
+        # FIXME: Make recursive.
+        if isinstance(params.get('value'), dict):
+            params['value'] = sorted(
+                params.get('value').values(),
+                key=itemgetter('real_weight')
+            )
+
+        output.append(params)
+
+    return sorted(output, key=itemgetter('real_weight'))
+
+
+class FilterModule(object):
+    """Register custom filter plugins in Ansible"""
+
+    def filters(self):
+        return {
+            'parse_kv_config': parse_kv_config,
+            'parse_kv_items': parse_kv_items
+        }
+
+
+if __name__ == '__main__':
+    import unittest
+    import textwrap
+    import yaml
+
+    class Test(unittest.TestCase):
+
+        def test_parse_kv_value_simple(self):
+            current_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value: 'test'
+            '''))
+
+            new_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value: 'test2'
+            '''))
+
+            _parse_kv_value(current_data, new_data, 0)
+
+            #  print(yaml.dump(current_data, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(current_data, new_data)
+
+        def test_parse_kv_value_mixed(self):
+            current_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value:
+              - 'alpha'
+              - 'test'
+            '''))
+
+            new_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value:
+              - 'beta'
+            '''))
+
+            # FIXME: Not getting it. Why does the _parse_kv_value behave like
+            # this?
+            expected_data = yaml.safe_load(textwrap.dedent('''
+            name: local
+            value:
+              beta:
+                id: 0
+                name: beta
+                real_weight: 0
+                state: present
+                weight: 0
+            '''))
+
+            _parse_kv_value(current_data, new_data, 0)
+
+            #  print(yaml.dump(current_data, default_flow_style=False))
+            #  print(yaml.dump(new_data, default_flow_style=False))
+
+            self.assertEqual(current_data, expected_data)
+
+        def test_parse_kv_config(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: present
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_absent(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'absent'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: absent
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_init(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'init'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: init
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_ignore(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_ignore_existing(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+              state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_simple_string(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - 'simple_string'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: simple_string
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_null_to_list(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: null
+            - name: 'local'
+              value: ['test1']
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value:
+              - id: 0
+                name: test1
+                real_weight: 0
+                state: present
+                weight: 0
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_renamed(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'local'
+              value: 'test'
+            - renamed: 'local2'
+              value: 'test2'
+            - renamed: 'local'
+              value: 'test3'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              renamed: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              renamed: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items, name='renamed')
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_simple_string(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - 'simple_string'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: simple_string
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_empty(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'name should be used as comment'
+              options:
+
+                - name: 'second level is ignored'
+                  service: |-
+                    second level is ignored so service will not become the
+                    comment
+                  value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - comment: name should be used as comment
+              id: 0
+              name: name should be used as comment
+              options:
+              - id: 0
+                name: second level is ignored
+                real_weight: 0
+                section: unknown
+                separator: false
+                service: |-
+                    second level is ignored so service will not become the
+                    comment
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(
+                    input_items, empty={'comment': ['service', 'name']})
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_defaults(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'something'
+              key1: 'existing'
+              value: 'something'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              key1: existing
+              key2: value2
+              name: something
+              real_weight: 0
+              separator: false
+              state: present
+              value: something
+              weight: 0
+            '''))
+
+            items = parse_kv_items(
+                    input_items, defaults={'key1': 'value1', 'key2': 'value2'})
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_merge_keys(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'something'
+              key1: 'existing'
+              options:
+
+                - name: 'nested1'
+                  value: 'value1'
+
+              test:
+
+                - name: 'test_nested1'
+                  value: 'test_value1'
+
+            - name: 'something'
+              options:
+
+                - name: 'nested2'
+                  value: 'value2'
+
+              test:
+
+                - name: 'test_nested2'
+                  value: 'test_value2'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              key1: existing
+              name: something
+              options:
+              - id: 0
+                name: nested1
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: value1
+                weight: 0
+              - id: 10
+                name: nested2
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                value: value2
+                weight: 0
+              test:
+              - id: 0
+                name: test_nested1
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test_value1
+                weight: 0
+              - id: 10
+                name: test_nested2
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                value: test_value2
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items, merge_keys=['test'])
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_copy_id_from(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'second'
+              weight: 10
+              value: 'value1'
+
+            - name: 'first'
+              weight: -10
+              copy_id_from: 'second'
+              value: 'value2'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - copy_id_from: second
+              id: 10
+              name: first
+              real_weight: 0
+              separator: false
+              state: present
+              value: value2
+              weight: -10
+            - id: 0
+              name: second
+              real_weight: 10
+              separator: false
+              state: present
+              value: value1
+              weight: 10
+            '''))
+
+            items = parse_kv_items(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - name: 'should-stay-init'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+
+            - name: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+            - name: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - name: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+                  state: 'init'
+
+              state: 'init'
+
+            - name: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - name: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  comment: 'This comment should survive.'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - name: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test2'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: should-stay-init
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: init
+              weight: 0
+            - id: 10
+              name: should-become-present
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 10
+              separator: false
+              state: present
+              weight: 0
+            - id: 30
+              name: should-become-present2
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 30
+              separator: false
+              state: present
+              weight: 0
+            - id: 50
+              name: should-become-present3
+              options:
+              - comment: This comment should survive.
+                id: 0
+                name: local1
+                options:
+                - id: 0
+                  name: local2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test2
+                  weight: 0
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              - id: 10
+                name: external1
+                options:
+                - id: 0
+                  name: external2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test
+                  weight: 0
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              real_weight: 50
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_renamed(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'should-stay-init'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+
+            - renamed: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+            - renamed: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - renamed: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+                  state: 'init'
+
+              state: 'init'
+
+            - renamed: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - renamed: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  comment: 'This comment should survive.'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test2'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              renamed: should-stay-init
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: init
+              weight: 0
+            - id: 10
+              renamed: should-become-present
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 10
+              separator: false
+              state: present
+              weight: 0
+            - id: 30
+              renamed: should-become-present2
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 30
+              separator: false
+              state: present
+              weight: 0
+            - id: 50
+              renamed: should-become-present3
+              options:
+              - comment: This comment should survive.
+                id: 0
+                name: local1
+                options:
+                - id: 0
+                  name: local2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test2
+                  weight: 0
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              - id: 10
+                name: external1
+                options:
+                - id: 0
+                  name: external2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test
+                  weight: 0
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              real_weight: 50
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2, name='renamed')
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_ignore_raw(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - name: 'test-item'
+              options:
+
+                - name: 'test-option'
+                  raw: 'test-is-present'
+                  state: 'present'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - name: 'test-item'
+              options:
+
+                - name: 'test-option'
+                  raw: 'test-is-ignored'
+                  state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: test-item
+              options:
+              - id: 0
+                name: test-option
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                raw: test-is-present
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+    unittest.main()
diff --git a/ansible_collections/debops/debops/plugins/filter/etc_aliases_parse_recipients.py b/ansible_collections/debops/debops/plugins/filter/etc_aliases_parse_recipients.py
new file mode 100644
index 00000000..34438f4b
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/filter/etc_aliases_parse_recipients.py
@@ -0,0 +1,193 @@
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see <https://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+
+try:
+    unicode = unicode
+except NameError:
+    # py3
+    unicode = str
+
+__metaclass__ = type
+
+
+def _mangle_recipients(name, *args):
+    """Modify the recipient address if it's the same as alias
+    to prevent mail forwarding loops
+    Ref: https://serverfault.com/questions/471604/
+    """
+
+    input_args = []
+
+    # Flatten the input list
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    if name in input_args:
+        return [w.replace(name, '\\' + name) for w in input_args]
+    else:
+        return input_args
+
+
+def _update_recipients(current_data, new_data, *args, **kwargs):
+    """Replace the current list of recipients with a new one"""
+
+    for selector in args:
+        if selector in new_data:
+            new_recipients = ([new_data.get(selector)]
+                              if isinstance(new_data.get(selector),
+                                            (str, unicode))
+                              else new_data.get(selector))
+            current_data.update({'recipients':
+                                _mangle_recipients(current_data.get('name'),
+                                                   new_recipients)})
+
+
+def _add_recipients(current_data, new_data, *args, **kwargs):
+    """Add mail recipients to an existing list of recipients"""
+
+    for selector in args:
+        if selector in new_data:
+            current_recipients = current_data.get('recipients', [])
+            current_recipients.extend([new_data.get(selector)]
+                                      if isinstance(new_data.get(selector),
+                                                    (str, unicode))
+                                      else new_data.get(selector))
+            current_data.update({'recipients':
+                                _mangle_recipients(current_data.get('name'),
+                                                   current_recipients)})
+
+
+def _del_recipients(current_data, new_data, *args, **kwargs):
+    """Remove mail recipients from an existing list"""
+
+    for selector in args:
+        if selector in new_data:
+            deleted_recipients = ([new_data.get(selector)]
+                                  if isinstance(new_data.get(selector),
+                                                (str, unicode))
+                                  else new_data.get(selector))
+            current_recipients = current_data.get('recipients', [])
+            new_recipients = [x for x in current_recipients
+                              if x not in deleted_recipients]
+            current_data.update({'recipients': new_recipients})
+
+
+def etc_aliases_parse_recipients(*args, **kwargs):
+    """Return a parsed list of mail aliases and recipients"""
+
+    input_args = []
+    parsed_aliases = {}
+
+    # Flatten the input list
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    for element in input_args:
+        if isinstance(element, dict):
+            if (any(x in element for x in ['name', 'alias']) and
+                    element.get('state', 'present') != 'ignore'):
+
+                alias_name = element.get('alias', element.get('name'))
+                current_alias = (parsed_aliases[alias_name].copy()
+                                 if alias_name in parsed_aliases
+                                 else {})
+
+                current_alias.update({
+                    'name': alias_name,  # in case of a new entry
+                    'state': element.get('state',
+                                         current_alias.get('state',
+                                                           'present')),
+                    'weight': int(element.get('weight',
+                                  current_alias.get('weight', 0))),
+                    'section': element.get('section',
+                                           current_alias.get('section',
+                                                             'unknown'))
+                })
+
+                _update_recipients(current_alias, element, 'dest', 'to')
+
+                _add_recipients(current_alias, element,
+                                'add_dest', 'add_to', 'cc', 'bcc')
+
+                _del_recipients(current_alias, element,
+                                'del_dest', 'del_to')
+
+                if 'real_name' in element or 'real_alias' in element:
+                    current_alias['real_name'] = (
+                        element.get('real_name',
+                                    element.get('real_alias')))
+
+                if 'comment' in element:
+                    current_alias['comment'] = element.get('comment')
+
+                if not current_alias.get('recipients', ''):
+                    current_alias['state'] = 'comment'
+
+                parsed_aliases.update({alias_name: current_alias})
+
+            # These parameters are special and should not be interpreted
+            # directly as mail aliases.
+            elif not all(x in ['name', 'alias', 'state', 'comment',
+                               'section', 'weight', 'dest', 'to',
+                               'add_dest', 'add_to', 'cc', 'bcc',
+                               'del_dest', 'del_to']
+                         for x in element):
+                for key, value in element.items():
+                    current_alias = parsed_aliases.get(key, {}).copy()
+                    current_alias.update({
+                        'name': key,
+                        'recipients': (_mangle_recipients(
+                                       current_alias.get('name'), [value]
+                                       if isinstance(value, (str, unicode))
+                                       else value)),
+                        'state': 'present',
+                        'weight': int(element.get('weight',
+                                      current_alias.get('weight', 0))),
+                        'section': current_alias.get('section', 'unknown')
+                    })
+
+                    current_alias.update({
+                        'recipients': (_mangle_recipients(
+                                       current_alias.get('name'),
+                                       ([value]
+                                        if isinstance(value, (str, unicode))
+                                        else value)))
+                    })
+
+                    if not current_alias.get('recipients', ''):
+                        current_alias['state'] = 'comment'
+
+                    parsed_aliases[key] = current_alias
+
+    # Expand the dictionary of aliases into a list,
+    # and return sorted by weight.
+    return sorted(parsed_aliases.values(), key=itemgetter('weight', 'name'))
+
+
+class FilterModule(object):
+    """Register custom filter plugins in Ansible"""
+
+    def filters(self):
+        return {'etc_aliases_parse_recipients': etc_aliases_parse_recipients}
diff --git a/ansible_collections/debops/debops/plugins/filter/globmatch.py b/ansible_collections/debops/debops/plugins/filter/globmatch.py
new file mode 100644
index 00000000..7230852f
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/filter/globmatch.py
@@ -0,0 +1,60 @@
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <https://www.gnu.org/licenses/>.
+
+from ansible import errors
+
+try:
+    import fnmatch
+except Exception as e:
+    raise errors.AnsibleFilterError('fnmatch python library not found')
+
+
+def globmatch_filter(value, pattern):
+    ''' Return string or list of items matching given glob pattern(s). '''
+
+    if not isinstance(pattern, (list, tuple)):
+        pattern = [pattern]
+
+    if isinstance(value, (list, tuple)):
+        _ret = []
+
+        for element in pattern:
+            for entry in value:
+                if fnmatch.fnmatch(str(entry), str(element)):
+                    if entry not in _ret:
+                        _ret.append(entry)
+
+        if _ret:
+            return _ret
+        else:
+            return list()
+
+    else:
+
+        for element in pattern:
+            if fnmatch.fnmatch(str(value), str(element)):
+                return value
+
+
+class FilterModule(object):
+
+    ''' Return string or list of items matching given glob pattern(s). '''
+    def filters(self):
+        return {
+            'globmatch': globmatch_filter
+        }
diff --git a/ansible_collections/debops/debops/plugins/filter/split.py b/ansible_collections/debops/debops/plugins/filter/split.py
new file mode 100644
index 00000000..2a962dd6
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/filter/split.py
@@ -0,0 +1,152 @@
+# (c) 2014 Tim Raasveld <info@webtrein.nl>
+# https://github.com/timraasveld/ansible-string-split-filter/
+# (c) 2014 Maciej Delmanowski <drybjed@gmail.com>
+# https://debops.org/
+# SPDX-License-Identifier: CC0-1.0
+
+
+# License: CC0 1.0 Universal
+#
+# Statement of Purpose
+#
+# The laws of most jurisdictions throughout the world automatically confer
+# exclusive Copyright and Related Rights (defined below) upon the creator and
+# subsequent owner(s) (each and all, an "owner") of an original work of
+# authorship and/or a database (each, a "Work").
+#
+# Certain owners wish to permanently relinquish those rights to a Work for the
+# purpose of contributing to a commons of creative, cultural and scientific
+# works ("Commons") that the public can reliably and without fear of later
+# claims of infringement build upon, modify, incorporate in other works, reuse
+# and redistribute as freely as possible in any form whatsoever and for any
+# purposes, including without limitation commercial purposes. These owners may
+# contribute to the Commons to promote the ideal of a free culture and the
+# further production of creative, cultural and scientific works, or to gain
+# reputation or greater distribution for their Work in part through the use and
+# efforts of others.
+#
+# For these and/or other purposes and motivations, and without any expectation
+# of additional consideration or compensation, the person associating CC0 with
+# a Work (the "Affirmer"), to the extent that he or she is an owner of
+# Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to
+# the Work and publicly distribute the Work under its terms, with knowledge of
+# his or her Copyright and Related Rights in the Work and the meaning and
+# intended legal effect of CC0 on those rights.
+#
+# 1. Copyright and Related Rights. A Work made available under CC0 may be
+# protected by copyright and related or neighboring rights ("Copyright and
+# Related Rights"). Copyright and Related Rights include, but are not limited
+# to, the following:
+#
+#   i. the right to reproduce, adapt, distribute, perform, display,
+#   communicate, and translate a Work;
+#
+#   ii. moral rights retained by the original author(s) and/or performer(s);
+#
+#   iii. publicity and privacy rights pertaining to a person's image or
+#   likeness depicted in a Work;
+#
+#   iv. rights protecting against unfair competition in regards to a Work,
+#   subject to the limitations in paragraph 4(a), below;
+#
+#   v. rights protecting the extraction, dissemination, use and reuse of data
+#   in a Work;
+#
+#   vi. database rights (such as those arising under Directive 96/9/EC of the
+#   European Parliament and of the Council of 11 March 1996 on the legal
+#   protection of databases, and under any national implementation thereof,
+#   including any amended or successor version of such directive); and
+#
+#   vii. other similar, equivalent or corresponding rights throughout the world
+#   based on applicable law or treaty, and any national implementations
+#   thereof.
+#
+# 2. Waiver. To the greatest extent permitted by, but not in contravention of,
+# applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
+# unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
+# and Related Rights and associated claims and causes of action, whether now
+# known or unknown (including existing as well as future claims and causes of
+# action), in the Work (i) in all territories worldwide, (ii) for the maximum
+# duration provided by applicable law or treaty (including future time
+# extensions), (iii) in any current or future medium and for any number of
+# copies, and (iv) for any purpose whatsoever, including without limitation
+# commercial, advertising or promotional purposes (the "Waiver"). Affirmer
+# makes the Waiver for the benefit of each member of the public at large and to
+# the detriment of Affirmer's heirs and successors, fully intending that such
+# Waiver shall not be subject to revocation, rescission, cancellation,
+# termination, or any other legal or equitable action to disrupt the quiet
+# enjoyment of the Work by the public as contemplated by Affirmer's express
+# Statement of Purpose.
+#
+# 3. Public License Fallback. Should any part of the Waiver for any reason be
+# judged legally invalid or ineffective under applicable law, then the Waiver
+# shall be preserved to the maximum extent permitted taking into account
+# Affirmer's express Statement of Purpose. In addition, to the extent the
+# Waiver is so judged Affirmer hereby grants to each affected person
+# a royalty-free, non transferable, non sublicensable, non exclusive,
+# irrevocable and unconditional license to exercise Affirmer's Copyright and
+# Related Rights in the Work (i) in all territories worldwide, (ii) for the
+# maximum duration provided by applicable law or treaty (including future time
+# extensions), (iii) in any current or future medium and for any number of
+# copies, and (iv) for any purpose whatsoever, including without limitation
+# commercial, advertising or promotional purposes (the "License"). The License
+# shall be deemed effective as of the date CC0 was applied by Affirmer to the
+# Work. Should any part of the License for any reason be judged legally invalid
+# or ineffective under applicable law, such partial invalidity or
+# ineffectiveness shall not invalidate the remainder of the License, and in
+# such case Affirmer hereby affirms that he or she will not (i) exercise any of
+# his or her remaining Copyright and Related Rights in the Work or (ii) assert
+# any associated claims and causes of action with respect to the Work, in
+# either case contrary to Affirmer's express Statement of Purpose.
+#
+# 4. Limitations and Disclaimers.
+#
+#   a. No trademark or patent rights held by Affirmer are waived, abandoned,
+#   surrendered, licensed or otherwise affected by this document.
+#
+#   b. Affirmer offers the Work as-is and makes no representations or
+#   warranties of any kind concerning the Work, express, implied, statutory or
+#   otherwise, including without limitation warranties of title,
+#   merchantability, fitness for a particular purpose, non infringement, or the
+#   absence of latent or other defects, accuracy, or the present or absence of
+#   errors, whether or not discoverable, all to the greatest extent permissible
+#   under applicable law.
+#
+#   c. Affirmer disclaims responsibility for clearing rights of other persons
+#   that may apply to the Work or any use thereof, including without limitation
+#   any person's Copyright and Related Rights in the Work. Further, Affirmer
+#   disclaims responsibility for obtaining any necessary consents, permissions
+#   or other rights required for any use of the Work.
+#
+#   d. Affirmer understands and acknowledges that Creative Commons is not a
+#   party to this document and has no duty or obligation with respect to this
+#   CC0 or use of the Work.
+#
+# For more information, please see
+# <http://creativecommons.org/publicdomain/zero/1.0/>
+
+
+import re
+
+
+def split_string(string, separator=None, maxsplit=-1):
+    try:
+        return string.split(separator, maxsplit)
+    except Exception:
+        return list(string)
+
+
+def split_regex(string, seperator_pattern):
+    try:
+        return re.split(seperator_pattern, string)
+    except Exception:
+        return list(string)
+
+
+class FilterModule(object):
+    ''' A filter to split a string into a list. '''
+    def filters(self):
+        return {
+            'split': split_string,
+            'split_regex': split_regex,
+        }
diff --git a/ansible_collections/debops/debops/plugins/filter/toml.py b/ansible_collections/debops/debops/plugins/filter/toml.py
new file mode 100644
index 00000000..72aa54f1
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/filter/toml.py
@@ -0,0 +1,53 @@
+# Copyright (C) 2017, Matt Martz <matt@sivel.net>
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import functools
+
+from ansible.plugins.inventory.toml import HAS_TOML, toml_dumps
+try:
+    from ansible.plugins.inventory.toml import toml
+except ImportError:
+    pass
+
+from ansible.errors import AnsibleFilterError
+from ansible.module_utils._text import to_text
+from ansible.module_utils.common._collections_compat import MutableMapping
+from ansible.module_utils.six import string_types
+
+
+def _check_toml(func):
+    @functools.wraps(func)
+    def inner(o):
+        if not HAS_TOML:
+            raise AnsibleFilterError('The %s filter plugin requires '
+                                     'the python "toml" library' % func.__name__)
+        return func(o)
+    return inner
+
+
+@_check_toml
+def from_toml(o):
+    if not isinstance(o, string_types):
+        raise AnsibleFilterError('from_toml requires a string, got %s' % type(o))
+    return toml.loads(to_text(o, errors='surrogate_or_strict'))
+
+
+@_check_toml
+def to_toml(o):
+    if not isinstance(o, MutableMapping):
+        raise AnsibleFilterError('to_toml requires a dict, got %s' % type(o))
+    return to_text(toml_dumps(o), errors='surrogate_or_strict')
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'to_toml': to_toml,
+            'from_toml': from_toml
+        }
diff --git a/ansible_collections/debops/debops/plugins/lookup/dig_srv.py b/ansible_collections/debops/debops/plugins/lookup/dig_srv.py
new file mode 100644
index 00000000..4dddcef4
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/lookup/dig_srv.py
@@ -0,0 +1,117 @@
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+#
+# Based on community.general.dig, which is:
+#   (c) 2015, Jan-Piet Mens <jpmens(at)gmail.com>
+#   (c) 2017 Ansible Project
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible.module_utils.common.text.converters import to_native
+
+__metaclass__ = type
+
+try:
+    import dns.exception
+    import dns.name
+    import dns.resolver
+    import dns.reversename
+    import dns.rdataclass
+    from dns.rdatatype import SRV
+except ImportError:
+    raise AnsibleError("dig_srv: dnspython library is not installed")
+
+
+def make_rdata_dict(rdata):
+    supported_types = {
+        SRV: ['priority', 'weight', 'port', 'target'],
+    }
+
+    rd = {}
+
+    if rdata.rdtype not in supported_types:
+        raise AnsibleError("dig_srv: unknown rdtype returned")
+
+    fields = supported_types[rdata.rdtype]
+    for f in fields:
+        val = rdata.__getattribute__(f)
+
+        if isinstance(val, dns.name.Name):
+            val = dns.name.Name.to_text(val)
+
+        if f == "target":
+            rd[f] = val.rstrip('.')
+        else:
+            rd[f] = val
+
+    return rd
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+        if len(terms) != 3:
+            raise AnsibleError("dig_srv: three arguments expected")
+
+        myres = dns.resolver.Resolver(configure=True)
+        edns_size = 4096
+        myres.use_edns(0, ednsflags=dns.flags.DO, payload=edns_size)
+
+        domain = terms[0]
+        if not domain.endswith('.'):
+            domain += '.'
+        default_domain = terms[1]
+        default_port = terms[2]
+        qtype = 'SRV'
+        rdclass = dns.rdataclass.from_text('IN')
+
+        ret = []
+
+        try:
+            answers = myres.query(domain, qtype, rdclass=rdclass)
+            for rdata in answers:
+                try:
+                    rd = make_rdata_dict(rdata)
+                    rd['owner'] = answers.canonical_name.to_text().rstrip('.')
+                    rd['type'] = dns.rdatatype.to_text(rdata.rdtype)
+                    rd['ttl'] = answers.rrset.ttl
+                    rd['class'] = dns.rdataclass.to_text(rdata.rdclass)
+                    rd['dig_srv_src'] = 'dns'
+                    ret.append(rd)
+
+                except Exception as e:
+                    raise AnsibleError("dig_srv: can't parse response %s" % to_native(e))
+
+        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+            ret.append({
+                "class": "IN",
+                "owner": domain.rstrip('.'),
+                "port": default_port,
+                "priority": 0,
+                "target": default_domain,
+                "ttl": 0,
+                "type": "SRV",
+                "weight": 0,
+                "dig_srv_src": "fallback"
+            })
+        except dns.resolver.Timeout:
+            raise AnsibleError("dig_srv: timeout")
+        except dns.exception.DNSException as e:
+            raise AnsibleError("dig_srv: unhandled exception %s" % to_native(e))
+
+        for r in ret:
+            r.update({"target_port": r["target"] + ":" + str(r["port"])})
+
+        # This is in reverse order of importance, i.e. least important first.
+        # Note that the TTL field shows the remaining TTL when a RR is cached,
+        # so sorting on that field is not a good idea.
+        ret.sort(key=itemgetter("port"))
+        ret.sort(key=itemgetter("target"))
+        ret.sort(key=itemgetter("weight"), reverse=True)
+        ret.sort(key=itemgetter("priority"))
+
+        return ret
diff --git a/ansible_collections/debops/debops/plugins/lookup/file_src.py b/ansible_collections/debops/debops/plugins/lookup/file_src.py
new file mode 100644
index 00000000..5cef924f
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/lookup/file_src.py
@@ -0,0 +1,195 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `file_src` lookup filter for Ansible.  In difference
+to the `file` filter, this searches values based on the `file-paths`
+variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'files_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'file-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from packaging.version import parse
+from ansible import __version__ as __ansible_version__
+
+
+if parse(__ansible_version__) < parse("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = utils.path_dwim_relative(
+                            inject['_original_file'], 'files',
+                            '', self.basedir, check=False)
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = self._loader.path_dwim_relative(
+                            variables['role_path'], 'files', '')
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/plugins/lookup/lists.py b/ansible_collections/debops/debops/plugins/lookup/lists.py
new file mode 100644
index 00000000..e6a2c960
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/lookup/lists.py
@@ -0,0 +1,66 @@
+# Copyright (C) 2012 Michael DeHaan <michael.dehaan@gmail.com>
+# Copyright (C) 2015 Hartmut Goebel <h.goebel@crazy-compilers.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Based on `runner/lookup_plugins/items.py` for Ansible
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `with_lists` lookup filter for Ansible. In
+differenceto `with_items`, this one does *not* flatten the lists passed to.
+
+Example:
+
+  - debug: msg="{{item.0}} -- {{item.1}} -- {{item.2}}"
+    with_lists:
+     - ["General", "Verbosity", "0"]
+     - ["Mapping", "Nobody-User", "nobody"]
+     - ["Mapping", "Nobody-Group", "nogroup"]
+
+Output (shortened):
+    "msg": "General -- Verbosity -- 0"
+    "msg": "Mapping -- Nobody-User -- nobody"
+    "msg": "Mapping -- Nobody-Group -- nogroup"
+'''
+
+import ansible.utils as utils
+import ansible.errors as errors
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+
+class LookupModule(LookupBase):
+
+    def __init__(self, basedir=None, **kwargs):
+        self.basedir = basedir
+
+    def run(self, terms, inject=None, **kwargs):
+        terms = utils.listify_lookup_plugin_terms(terms, self.basedir, inject)
+
+        if not isinstance(terms, (list, set)):
+            raise errors.AnsibleError("with_list expects a list or a set")
+
+        for i, elem in enumerate(terms):
+            if not isinstance(elem, (list, tuple)):
+                raise errors.AnsibleError(
+                        "with_list expects a list (or a set) of lists"
+                        " or tuples, but elem %i is not")
+
+        return terms
diff --git a/ansible_collections/debops/debops/plugins/lookup/task_src.py b/ansible_collections/debops/debops/plugins/lookup/task_src.py
new file mode 100644
index 00000000..7be170b8
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/lookup/task_src.py
@@ -0,0 +1,197 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `task_src` lookup filter for Ansible.  In difference
+to the `file` filter, this searches values based on the `task-paths`
+variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'tasks_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'task-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from packaging.version import parse
+from ansible import __version__ as __ansible_version__
+
+
+if parse(__ansible_version__) < parse("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = utils.path_dwim_relative(
+                            inject['_original_file'], 'tasks', '',
+                            self.basedir, check=False)
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = (
+                            self._loader.path_dwim_relative(
+                                variables['role_path'],
+                                'tasks', ''))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/plugins/lookup/template_src.py b/ansible_collections/debops/debops/plugins/lookup/template_src.py
new file mode 100644
index 00000000..cc76d6e4
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/lookup/template_src.py
@@ -0,0 +1,199 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `template_src` lookup filter for Ansible. In
+difference to the `template` filter, this searches values based on the
+`template-paths` variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'templates_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'template-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from packaging.version import parse
+from ansible import __version__ as __ansible_version__
+
+
+if parse(__ansible_version__) < parse("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = (
+                            utils.path_dwim_relative(
+                                inject['_original_file'], 'templates',
+                                '', self.basedir, check=False))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = (
+                            self._loader.path_dwim_relative(
+                                variables['role_path'], 'templates',
+                                ''))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/plugins/modules/apache2_module.py b/ansible_collections/debops/debops/plugins/modules/apache2_module.py
new file mode 100644
index 00000000..355edcbe
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/modules/apache2_module.py
@@ -0,0 +1,206 @@
+# Copyright (C) 2013-2014, Christian Berendt <berendt@b1-systems.de>
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier:  GPL-3.0-or-later
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import re
+
+# import module snippets
+from ansible.module_utils.basic import AnsibleModule
+
+DOCUMENTATION = '''
+---
+module: apache2_module
+author:
+    - Christian Berendt (@berendt)
+    - Ralf Hertel (@n0trax)
+    - Robin Roth (@robinro)
+    - Julien Lecomte
+short_description: Enables/disables a module of the Apache2 webserver.
+description:
+   - Enables or disables a specified module of the Apache2 webserver.
+options:
+   name:
+     type: str
+     description:
+        - Name of the module to enable/disable as given to C(a2enmod/a2dismod).
+     required: true
+   identifier:
+     type: str
+     description:
+        - Deprecated. Ignored.
+     required: False
+   force:
+     description:
+        - Force disabling of default modules and override Debian warnings.
+     required: false
+     type: bool
+     default: False
+   state:
+     type: str
+     description:
+        - Desired state of the module.
+     choices: ['present', 'absent']
+     default: present
+   ignore_configcheck:
+     description:
+        - Deprecated. Ignored.
+     type: bool
+     default: False
+requirements: ["a2enmod","a2dismod"]
+notes:
+  - This does not work on RedHat-based distributions.
+    Whether it works on others depend on whether the C(a2enmod), C(a2dismod),
+    and C(a2query) tools are available or not.
+'''
+
+EXAMPLES = '''
+- name: Enable the Apache2 module wsgi
+  community.general.apache2_module:
+    state: present
+    name: wsgi
+
+- name: Disables the Apache2 module wsgi
+  community.general.apache2_module:
+    state: absent
+    name: wsgi
+
+- name: Disable default modules for Debian
+  community.general.apache2_module:
+    state: absent
+    name: autoindex
+    force: True
+'''
+
+RETURN = '''
+result:
+    description: message about action taken
+    returned: always
+    type: str
+warnings:
+    description: list of warning messages
+    returned: when needed
+    type: list
+rc:
+    description: return code of underlying command
+    returned: failed
+    type: int
+stdout:
+    description: stdout of underlying command
+    returned: failed
+    type: str
+stderr:
+    description: stderr of underlying command
+    returned: failed
+    type: str
+'''
+
+_re_threaded = re.compile(r'threaded: *yes')
+
+
+def _run_threaded(module):
+    control_binary = _get_ctl_binary(module)
+    result, stdout, stderr = module.run_command([control_binary, "-V"])
+
+    return bool(_re_threaded.search(stdout))
+
+
+def _get_ctl_binary(module):
+    ctl_binary = module.get_bin_path('a2query')
+    if ctl_binary is not None:
+        return ctl_binary
+
+    module.fail_json(msg="a2query not found. Apache query binary is necessary.")
+
+
+def _module_is_enabled(module):
+    control_binary = _get_ctl_binary(module)
+    result, stdout, stderr = module.run_command([control_binary,
+                                                "-m", module.params['name']])
+
+    if result in [0, 1, 32]:
+        return result == 0
+    else:
+        error_msg = "Error executing %s: %s" % (control_binary, stderr)
+        module.fail_json(msg=error_msg)
+
+
+def _set_state(module, state):
+    name = module.params['name']
+    force = module.params['force']
+
+    want_enabled = state == 'present'
+    state_string = {'present': 'enabled', 'absent': 'disabled'}[state]
+    a2mod_binary = {'present': 'a2enmod', 'absent': 'a2dismod'}[state]
+    success_msg = "Module %s %s" % (name, state_string)
+
+    module.run_command_environ_update = dict(LANG='C', LC_ALL='C',
+                                             LC_MESSAGES='C', LC_CTYPE='C')
+
+    if module.check_mode:
+        enabled_state = _module_is_enabled(module)
+        module.exit_json(changed=(enabled_state == want_enabled),
+                         result=success_msg,
+                         warnings=module.warnings)
+
+    a2mod_binary_path = module.get_bin_path(a2mod_binary)
+    if a2mod_binary_path is None:
+        module.fail_json(msg="%s not found."
+                         + " "
+                         + "Perhaps this system does not use %s to manage apache"
+                         % (a2mod_binary, a2mod_binary))
+
+    a2mod_binary_cmd = [a2mod_binary_path]
+
+    if not want_enabled and force:
+        # force exists only for a2dismod on debian
+        a2mod_binary_cmd.append('-f')
+
+    result, stdout, stderr = module.run_command(a2mod_binary_cmd + [name])
+
+    if result == 0:
+        module.exit_json(changed=(' already ' not in stdout),
+                         result=success_msg,
+                         warnings=module.warnings)
+    else:
+        msg = (
+            'Failed to set module {name} to {state}:\n'
+            '{stdout}\n'
+        ).format(
+            name=name,
+            state=state_string,
+            stdout=stdout,
+        )
+        module.fail_json(msg=msg,
+                         rc=result,
+                         stdout=stdout,
+                         stderr=stderr)
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            name=dict(required=True),
+            force=dict(type='bool', default=False),
+            state=dict(default='present', choices=['absent', 'present']),
+        ),
+        supports_check_mode=True,
+    )
+
+    module.warnings = []
+
+    name = module.params['name']
+    if name == 'cgi' and _run_threaded(module):
+        module.fail_json(msg="Your MPM seems to be threaded."
+                         + " "
+                         + "No automatic actions on module cgi possible.")
+
+    if module.params['state'] in ['present', 'absent']:
+        _set_state(module, module.params['state'])
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/plugins/modules/btrfs_subvolume.py b/ansible_collections/debops/debops/plugins/modules/btrfs_subvolume.py
new file mode 100644
index 00000000..c28269ab
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/modules/btrfs_subvolume.py
@@ -0,0 +1,200 @@
+# Copyright (c) 2014, Ilya Barsukov <barsukov@selectel.ru>, Selectel LLC
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <https://www.gnu.org/licenses/>.
+
+# import module snippets
+from ansible.module_utils.basic import *
+import os
+
+
+DOCUMENTATION = """
+---
+module: btrfs_subvolume
+short_description: Provides `create` and `delete` subvolumes methods.
+description:
+     - The M(btrfs_subvolume) module takes the command name followed by
+       a list of space-delimited arguments.
+     - The given command will be executed on all selected nodes.
+version_added: 0.1
+author: Ilya Barsukov
+options:
+    state:
+        description:
+            - creates or deletes subvolume
+        required: true
+        choices: ["present", "absent"]
+    path:
+        description:
+            - subvolume absolute path
+        required: true
+        default: null
+    qgroups:
+        required: false
+        description:
+            - list of qgroup ids, adds the newly created subvolume to a qgroup
+        default: []
+    commit:
+        required: false
+        description:
+            - wait for transaction commit at the end of the operation
+              or of the each
+        choices: ["each", "after", "no"]
+        default: "no"
+    recursive:
+        required: false
+        choices: [true, false]
+        description:
+            - create or delete subvolumes recursively
+        default: false
+"""
+
+EXAMPLES = """
+# Example for Ansible Playbooks.
+- name: Recursive create given subvolume path
+  btrfs_subvolume:
+    state: 'present'
+    path: '/storage/test/test1/test2'
+    qgroups:
+      - '1/100'
+      - '1/101'
+    recursive: True
+
+- name: Delete given Btrfs subvolume
+  btrfs_subvolume:
+    state: 'absent'
+    path: '/storage/test/test1/test2'
+    commit: 'each'
+"""
+
+
+def get_subvolumes(path, subs=None):
+    if subs is None:
+        subs = []
+    subvolumes = os.listdir(path)
+    for sub in subvolumes:
+        sub = os.path.sep.join([path, sub])
+
+        if not os.path.isdir(sub):
+            continue
+
+        subs.append(sub)
+        subs = get_subvolumes(sub, subs=subs)
+
+    return subs
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            state=dict(required=True, choices=['present', 'absent'],
+                       type='str'),
+            path=dict(required=True, default=None, type='str'),
+            qgroups=dict(default=[], type='list'),
+            commit=dict(default='no', choices=['after', 'each', 'no'],
+                        type='str'),
+            recursive=dict(default='False', type='bool')
+        ),
+        supports_check_mode=True
+    )
+    result = {
+        'changed': False,
+        'commands': [],
+        'check': module.check_mode
+    }
+    param_path = module.params['path'].rstrip(os.path.sep)
+
+    if module.params['state'] == 'present':
+        # Creating subvolume
+        if not os.path.exists(param_path) and not module.params['recursive']:
+            cmd = 'btrfs subvolume create {qgroups} {subvolume}'.format(
+                qgroups=' -i '.join(['']+module.params['qgroups']),
+                subvolume=param_path,
+            )
+            result['commands'].append(cmd)
+            if not module.check_mode:
+                module.run_command(cmd, check_rc=True)
+                result['changed'] = True
+
+        elif module.params['recursive']:
+            # Check parent subvolumes and create it if they doesn't exist
+            parents = param_path.split(os.path.sep)
+            for idx, subvolume in enumerate(parents):
+                if len(subvolume) == 0:
+                    continue
+
+                subvolume = os.path.sep.join(parents[:idx+1])
+
+                if not os.path.exists(subvolume):
+                    cmd = ('btrfs subvolume create '
+                           '{qgroups} {subvolume}').format(
+                        qgroups=' -i '.join(['']+module.params['qgroups']),
+                        subvolume=subvolume,
+                    )
+
+                    result['commands'].append(cmd)
+                    if not module.check_mode:
+                        module.run_command(cmd, check_rc=True)
+                        result['changed'] = True
+
+    elif module.params['state'] == 'absent':
+        # Delete subvolume
+        commit = ''
+        if module.params['commit'] != 'no':
+            commit = '--commit-{}'.format(module.params['commit'])
+
+        if os.path.exists(param_path):
+            if not module.params['recursive']:
+                cmd = 'btrfs subvolume delete {commit} {subvolume}'.format(
+                    commit=commit, subvolume=param_path
+                )
+                result['commands'].append(cmd)
+                if not module.check_mode:
+                    module.run_command(cmd, check_rc=True)
+                    result['changed'] = True
+
+            elif module.params['recursive']:
+                # reversed parent directories from end to beginning
+                subvolumes = get_subvolumes(param_path)
+                subvolumes.insert(0, param_path)
+
+                for sub in reversed(subvolumes):
+
+                    if os.path.exists(sub):
+                        cmd = ('btrfs subvolume delete '
+                               '{commit} {subvolume}').format(
+                            commit=commit, subvolume=sub
+                        )
+
+                        result['commands'].append(cmd)
+                        if not module.check_mode:
+                            module.run_command(cmd, check_rc=True)
+                            result['changed'] = True
+
+    if module.check_mode and result['commands']:
+        result['changed'] = True
+
+    if not module.check_mode:
+        del result['check']
+
+    if not result['commands']:
+        del result['commands']
+
+    module.exit_json(**result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/plugins/modules/cran.py b/ansible_collections/debops/debops/plugins/modules/cran.py
new file mode 100644
index 00000000..6b102e2c
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/modules/cran.py
@@ -0,0 +1,116 @@
+# cran.py: install or remove R packages
+# Homepage: https://github.com/yutannihilation/ansible-module-cran
+
+# Copyright (C) 2016 Hiroaki Yutani <yutani.ini@gmail.com>
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+from ansible.module_utils.basic import AnsibleModule
+
+DOCUMENTATION = '''
+---
+module: cran
+short_description: Install R packages.
+options:
+  name:
+    description:
+      - The name of an R package.
+    required: true
+    default: null
+  state:
+    description:
+      - The state of module
+    required: false
+    choices: ['present', 'absent']
+    default: present
+  repo:
+    description:
+      - The repository
+    required: false
+    default: "https://cran.rstudio.com/"
+'''
+
+RSCRIPT = '/usr/bin/Rscript'
+
+
+def get_installed_version(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'p <- installed.packages(); cat(p[p[,1] == "{name:}",'
+            '3])'.format(name=module.params['name'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=False)
+    return stdout.strip() if rc == 0 else None
+
+
+def install(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'install.packages(pkgs="{name:}",repos="{repos:}")'
+            ''.format(name=module.params['name'],
+                      repos=module.params['repo'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=True)
+    return stderr
+
+
+def uninstall(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'remove.packages(pkgs="{name:}")'
+            ''.format(name=module.params['name'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=True)
+    return stderr
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            state=dict(default='present', choices=['present', 'absent']),
+            name=dict(required=True),
+            repo=dict(default='https://cran.rstudio.com/')
+        )
+    )
+    state = module.params['state']
+    name = module.params['name']
+    changed = False
+    version = get_installed_version(module)
+
+    if state == 'present' and not version:
+        stderr = install(module)
+        version = get_installed_version(module)
+        if not version:
+            module.fail_json(
+                msg='Failed to install {name:}: {err:}'.format(
+                    name=name, err=stderr, version=version))
+        changed = True
+
+    elif state == 'absent' and version:
+        stderr = uninstall(module)
+        version = get_installed_version(module)
+        if version:
+            module.fail_json(
+                msg='Failed to install {name:}: {err:}'.format(
+                    name=name, err=stderr))
+        changed = True
+
+    module.exit_json(changed=changed, name=name, version=version)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/plugins/modules/dpkg_divert.py b/ansible_collections/debops/debops/plugins/modules/dpkg_divert.py
new file mode 100644
index 00000000..0c72ee36
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/modules/dpkg_divert.py
@@ -0,0 +1,409 @@
+# Copyright (c) 2017-2018, Yann Amar <quidame@poivron.org>
+# Copyright (c) 2019,      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (c) 2019,      DebOps https://debops.org/
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Source: https://github.com/quidame/ansible-module-dpkg_divert
+
+from __future__ import absolute_import, division, print_function
+from ansible.module_utils.basic import AnsibleModule
+import os.path
+import errno
+import os
+import re
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}
+
+DOCUMENTATION = '''
+---
+module: dpkg_divert
+short_description: Override a package's version of a file
+description:
+    - A diversion is for C(dpkg) the knowledge that only a given I(package)
+      is allowed to install a file at a given I(path). Other packages shipping
+      their own version of this file will be forced to I(divert) it, i.e. to
+      install it at another location. It allows one to keep changes in a file
+      provided by a debian package by preventing its overwrite at package
+      upgrade.
+    - This module manages diversions of debian packages files using the
+      C(dpkg-divert)(1) commandline tool. It can either create or remove a
+      diversion for a given file, but also update an existing diversion to
+      modify its holder and/or its divert path.
+    - It's a feature of this module to mimic C(dpkg-divert)'s behaviour
+      regarding the renaming of files when removing as well as adding a
+      diversion; existing files are never overwritten.
+version_added: "2.4"
+author: "quidame@poivron.org"
+options:
+    path:
+        description:
+            - The original and absolute path of the file to be diverted or
+              undiverted. This path is unique, i.e. it is not possible to get
+              two diversions for the same I(path).
+        required: true
+        type: 'path'
+        aliases: [ 'name' ]
+    state:
+        description:
+            - When I(state=absent), remove the diversion of the specified
+              I(path); when I(state=present), create the diversion if it does
+              not exist, or update its I(package) holder or I(divert) path,
+              if any, and if I(force) is C(True).
+            - Unless I(force) is C(True), the removal of I(path)'s diversion
+              only happens if the diversion matches the I(divert) and
+              I(package) values, if any.
+        type: 'string'
+        default: 'present'
+        choices: [ 'absent', 'present' ]
+    package:
+        description:
+            - The name of the package whose copy of file is not diverted, also
+              known as the diversion holder or the package the diversion
+              belongs to.
+            - The actual package does not have to be installed or even to exist
+              for its name to be valid. If not specified, the diversion is held
+              by 'LOCAL', which is reserved for local diversions.
+            - Removing or updating a diversion fails if the diversion exists
+              and belongs to another package, unless I(force) is C(True).
+    divert:
+        description:
+            - The location where the versions of file will be diverted.
+            - The default suffix is C(.distrib) for diversions defined by a
+              package and C(.dpkg-divert) for 'LOCAL' diversions.
+        type: 'path'
+    rename:
+        description:
+            - Actually move the file aside (or back).
+            - Renaming is skipped (but module doesn't fail) in case the
+              destination file already exists. This is a C(dpkg-divert)
+              feature, and its purpose is to never overwrite a file. It also
+              makes the command itself idempotent, and the module's I(force)
+              parameter has no effect on this behaviour.
+            - Also, I(rename) is ignored if the diversion entry is unchanged
+              in the diversion database (adding an already existing diversion
+              or removing a non-existing one).
+        type: 'bool'
+        default: true
+    delete:
+        description:
+            - When I(yes), delete the file in place of the original before
+              reverting. This only applies with I(state=absent) to avoid
+              C(dpkg-divert) command complaining about existing file in place
+              of the diverted one.
+        type: 'bool'
+        default: false
+    force:
+        description:
+            - Force to divert file when diversion already exists and is hold
+              by another I(package) or points to another I(divert). There is
+              no need to use it for I(remove) action if I(divert) or I(package)
+              are not used.
+            - This doesn't override the rename's lock feature, i.e. it doesn't
+              help to force I(rename), but only to force the diversion for
+              dpkg.
+        type: 'bool'
+        default: false
+requirements: [ dpkg-divert, env ]
+'''
+
+EXAMPLES = '''
+# Divert /etc/screenrc to /etc/screenrc.dpkg-divert and rename the file
+- name: Create local diversion
+  dpkg_divert: path=/etc/screenrc
+
+# Divert /etc/screenrc to /etc/screenrc.distrib for package 'branding' and
+# rename the file
+- name: Create diversion for APT package
+  dpkg_divert:
+    name: /etc/screenrc
+    package: branding
+
+- name: Delete the file in place of the original and remove the diversion
+  dpkg_divert:
+    name: /etc/screenrc
+    state: absent
+    delete: yes
+
+- name: remove the screenrc diversion only if belonging to 'branding'
+  dpkg_divert:
+    name: /etc/screenrc
+    package: branding
+    state: absent
+
+# Divert screenrc to screenrc.dpkg-divert, but don't rename the file
+- name: Divert with custom rename
+  dpkg_divert:
+    path: /etc/screenrc
+    divert: /etc/screenrc.dpkg-divert
+    rename: no
+
+# Divert and rename screenrc to screenrc.dpkg-divert, even if diversion is
+# already set
+- name: Divert with custom rename
+  dpkg_divert:
+    path: /etc/screenrc
+    divert: /etc/screenrc.dpkg-divert
+    rename: yes
+    force: yes
+
+  # Remove the screenrc diversion and maybe move the diverted file to its
+  # original place
+- name: Remove diversion and rename file
+  dpkg_divert:
+    path: /etc/screenrc
+    state: absent
+    rename: yes
+'''
+
+
+def main():
+
+    # Mimic the behaviour of the dpkg-divert(1) command: '--add' is implicit
+    # when not using '--remove'; '--rename' takes care to never overwrite
+    # existing files; and options are intended to not conflict between them.
+
+    # 'force' is an option of the module, not of the command, and implies to
+    # run the command twice. Its purpose is to allow one to re-divert a file
+    # with another target path or to 'give' it to another package, in one task.
+    # This is very easy because one of the values is unique in the diversion
+    # database, and dpkg-divert itself is idempotent (does nothing when nothing
+    # needs doing).
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            path=dict(required=True,  type='path', aliases=['name']),
+            state=dict(required=False, type='str', default='present',
+                       choices=['absent', 'present']),
+            package=dict(required=False, type='str', default='LOCAL'),
+            divert=dict(required=False, type='path'),
+            rename=dict(required=False, type='bool', default=True),
+            delete=dict(required=False, type='bool', default=False),
+            force=dict(required=False, type='bool', default=False),
+        ),
+        supports_check_mode=True,
+    )
+
+    path = module.params['path']
+    state = module.params['state']
+    package = module.params['package']
+    divert = module.params['divert']
+    rename = module.params['rename']
+    delete = module.params['delete']
+    force = module.params['force']
+
+    DPKG_DIVERT = module.get_bin_path('dpkg-divert', required=True)
+    # We need to parse the command's output, which is localized.
+    # So we have to reset environment variable (LC_ALL).
+    ENVIRONMENT = module.get_bin_path('env', required=True)
+
+    # Start to build the commandline we'll have to run
+    COMMANDLINE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, path]
+
+    # Then insert options as requested in the task parameters:
+    if state == 'absent':
+        COMMANDLINE.insert(3, '--remove')
+    elif state == 'present':
+        COMMANDLINE.insert(3, '--add')
+
+    if rename:
+        COMMANDLINE.insert(3, '--rename')
+
+    if divert:
+        COMMANDLINE.insert(3, '--divert')
+        COMMANDLINE.insert(4, divert)
+    else:
+        if package == 'LOCAL':
+            COMMANDLINE.insert(3, '--divert')
+            COMMANDLINE.insert(4, '.'.join([path, 'dpkg-divert']))
+        elif package:
+            COMMANDLINE.insert(3, '--divert')
+            COMMANDLINE.insert(4, '.'.join([path, 'distrib']))
+
+    if package == 'LOCAL':
+        COMMANDLINE.insert(3, '--local')
+    elif package:
+        COMMANDLINE.insert(3, '--package')
+        COMMANDLINE.insert(4, package)
+
+    # dpkg-divert has a useful --test option that we will use in check mode or
+    # when needing to parse output before actually doing anything.
+    TESTCOMMAND = list(COMMANDLINE)
+    TESTCOMMAND.insert(3, '--test')
+    if module.check_mode:
+        COMMANDLINE = list(TESTCOMMAND)
+
+    cmd = ' '.join(COMMANDLINE)
+
+    # `dpkg-divert --listpackage FILE` always returns 0, but not diverted files
+    # provide no output.
+    rc, listpackage, _ = module.run_command(
+            [DPKG_DIVERT, '--listpackage', path])
+    rc, placeholder, _ = module.run_command(TESTCOMMAND)
+
+    # There is probably no need to do more than that. Please read the first
+    # sentence of the next comment for a better understanding of the following
+    # `if` statement:
+    if rc == 0 or not force or not listpackage:
+
+        # If requested, delete the file to make way for the reverted one, but
+        # only of the diversion currently exists.
+        if not module.check_mode:
+            if state == 'absent' and listpackage and delete:
+                try:
+                    os.unlink(path)
+                except OSError as e:
+                    # It may already have been removed
+                    if e.errno != errno.ENOENT:
+                        raise AnsibleModuleError(
+                                results={'msg': "unlinking failed: %s "
+                                         % to_native(e), 'path': path})
+
+        # In the check mode, the 'dpkg-divert' command still tests the
+        # diversion removal for real and returns with an error when a changed
+        # file is in place. In that specific case, we instead simulate a file
+        # deletion and diversion removal ourselves to have the check mode
+        # succeed.
+        if (module.check_mode and state == 'absent' and delete and
+                listpackage and os.path.exists(path)):
+            fake_stdout = ['Deleting', path, 'and', 'removing']
+            if package == 'LOCAL':
+                fake_stdout.append('local')
+            fake_stdout.extend(['diversion', 'of', path, 'to'])
+            if divert:
+                fake_stdout.append(divert)
+            else:
+                if package == 'LOCAL':
+                    fake_stdout.append('.'.join([path, 'dpkg-divert']))
+                elif package:
+                    fake_stdout.append('.'.join([path, 'distrib']))
+
+            rc, stdout, stderr = [0, ' '.join(fake_stdout), '']
+        else:
+            rc, stdout, stderr = module.run_command(COMMANDLINE, check_rc=True)
+
+        if re.match('^(Leaving|No diversion)', stdout):
+            module.exit_json(changed=False, stdout=stdout,
+                             stderr=stderr, cmd=cmd)
+        else:
+            module.exit_json(changed=True, stdout=stdout,
+                             stderr=stderr, cmd=cmd)
+
+    # So, here we are: the test failed AND force is true AND a diversion exists
+    # for the file.  Anyway, we have to remove it first (then stop here, or add
+    # a new diversion for the same file), and without failure. Cases of failure
+    # with dpkg-divert are:
+    # - The diversion does not belong to the same package (or LOCAL)
+    # - The divert filename is not the same (e.g. path.distrib != path.divert)
+    # So: force removal by stripping '--package' and '--divert' options... and
+    # their arguments. Fortunately, this module accepts only a few parameters,
+    # so we can rebuild a whole command line from scratch at no cost:
+    FORCEREMOVE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, '--remove', path]
+    module.check_mode and FORCEREMOVE.insert(3, '--test')
+    rename and FORCEREMOVE.insert(3, '--rename')
+    forcerm = ' '.join(FORCEREMOVE)
+
+    if state == 'absent':
+        rc, stdout, stderr = module.run_command(FORCEREMOVE, check_rc=True)
+        module.exit_json(changed=True, stdout=stdout,
+                         stderr=stderr, cmd=forcerm)
+
+    # The situation is that we want to modify the settings (package or divert)
+    # of an existing diversion. dpkg-divert does not handle this, and we have
+    # to remove the diversion and set a new one. First, get state info:
+    rc, truename, _ = module.run_command([DPKG_DIVERT, '--truename', path])
+    rc, rmout, rmerr = module.run_command(FORCEREMOVE, check_rc=True)
+    if module.check_mode:
+        module.exit_json(changed=True, cmd=[forcerm, cmd],
+                         msg=[rmout,
+                              "*** RUNNING IN CHECK MODE ***",
+                              "The next step can't be actually performed - "
+                              "even dry-run - without error (since the "
+                              "previous removal didn't happen) but is "
+                              "supposed to achieve the task."])
+
+    old = truename.rstrip()
+    if divert:
+        new = divert
+    else:
+        if package == 'LOCAL':
+            new = '.'.join([path, 'dpkg-divert'])
+        elif package:
+            new = '.'.join([path, 'distrib'])
+
+    # Store state of files as they may change
+    old_exists = os.path.isfile(old)
+    new_exists = os.path.isfile(new)
+
+    # RENAMING NOT REMAINING
+    # The behaviour of this module is to NEVER overwrite a file, i.e. never
+    # change file contents but only file paths and only if not conflicting,
+    # as does dpkg-divert. It means that if there is already a diversion for
+    # a given file and the divert file exists too, the divert file must be
+    # moved from old to new divert paths between the two dpkg-divert commands,
+    # because:
+    #
+    # src = /etc/screenrc           (tweaked ; exists)
+    # old = /etc/screentc.distrib   (default ; exists)
+    # new = /etc/screenrc.ansible   (not existing yet)
+    #
+    # Without extra move:
+    # 1. dpkg-divert --rename --remove src
+    #    => dont move old to src because src exists
+    # 2. dpkg-divert --rename --divert new --add src
+    #    => move src to new because new doesn't exist
+    # Results:
+    #   - old still exists with default contents
+    #   - new holds the tweaked contents
+    #   - src is missing
+    #   => confusing, kind of breakage
+    #
+    # With extra move:
+    # 1. dpkg-divert --rename --remove src
+    #    => dont move old to src because src exists
+    # 2. os.path.rename(old, new) [conditional]
+    #    => move old to new because new doesn't exist
+    # 3. dpkg-divert --rename --divert new --add src
+    #    => dont move src to new because new exists
+    # Results:
+    #   - old does not exist anymore
+    #   - src is still the same tweaked file
+    #   - new exists with default contents
+    #   => idempotency for next times, and no breakage
+    #
+    if rename and old_exists and not new_exists:
+        os.rename(old, new)
+
+    rc, stdout, stderr = module.run_command(COMMANDLINE)
+    rc == 0 and module.exit_json(changed=True, stdout=stdout, stderr=stderr,
+                                 cmd=[forcerm, cmd], msg=[rmout, stdout])
+
+    # Damn! FORCEREMOVE succeeded and COMMANDLINE failed. Try to restore old
+    # state and end up with a 'failed' status anyway.
+    if (rename and (old_exists and not os.path.isfile(old)) and
+            (os.path.isfile(new) and not new_exists)):
+        os.rename(new, old)
+
+    RESTORE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, '--divert', old, path]
+    old_pkg = listpackage.rstrip()
+    if old_pkg == "LOCAL":
+        RESTORE.insert(3, '--local')
+    else:
+        RESTORE.insert(3, '--package')
+        RESTORE.insert(4, old_pkg)
+    rename and RESTORE.insert(3, '--rename')
+
+    module.run_command(RESTORE, check_rc=True)
+    module.exit_json(failed=True, changed=True, stdout=stdout,
+                     stderr=stderr, cmd=[forcerm, cmd])
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/plugins/modules/ldap_attrs.py b/ansible_collections/debops/debops/plugins/modules/ldap_attrs.py
new file mode 100644
index 00000000..7261f402
--- /dev/null
+++ b/ansible_collections/debops/debops/plugins/modules/ldap_attrs.py
@@ -0,0 +1,408 @@
+# Copyright (c) 2016, Peter Sagerson <psagers@ignorare.net>
+# Copyright (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
+# Copyright (c) 2017, Alexander Korinek <noles@a3k.net>
+# Copyright (c) 2019, Maciej Delmanowski <drybjed@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native, to_bytes
+
+import traceback
+import re
+
+try:
+    import ldap
+    import ldap.sasl
+
+    HAS_LDAP = True
+except ImportError:
+    HAS_LDAP = False
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+
+DOCUMENTATION = """
+---
+module: ldap_attrs
+short_description: Add or remove multiple LDAP attribute values.
+description:
+  - Add or remove multiple LDAP attribute values.
+notes:
+  - This only deals with attributes on existing entries. To add or remove
+    whole entries, see M(ldap_entry).
+  - The default authentication settings will attempt to use a SASL EXTERNAL
+    bind over a UNIX domain socket. This works well with the default Ubuntu
+    install for example, which includes a cn=peercred,cn=external,cn=auth ACL
+    rule allowing root to modify the server configuration. If you need to use
+    a simple bind to access your server, pass the credentials in I(bind_dn)
+    and I(bind_pw).
+  - For I(state=present) and I(state=absent), all value comparisons are
+    performed on the server for maximum accuracy. For I(state=exact), values
+    have to be compared in Python, which obviously ignores LDAP matching
+    rules. This should work out in most cases, but it is theoretically
+    possible to see spurious changes when target and actual values are
+    semantically identical but lexically distinct.
+version_added: '2.5'
+author:
+  - Jiri Tyr (@jtyr)
+  - Alexander Korinek (@noles)
+requirements:
+  - python-ldap
+options:
+  bind_dn:
+    required: false
+    default: null
+    description:
+      - A DN to bind with. If this is omitted, we'll try a SASL bind with
+        the EXTERNAL mechanism. If this is blank, we'll use an anonymous
+        bind.
+  bind_pw:
+    required: false
+    default: null
+    description:
+      - The password to use with I(bind_dn).
+  dn:
+    required: true
+    description:
+      - The DN of the entry to modify.
+  server_uri:
+    required: false
+    default: ldapi:///
+    description:
+      - A URI to the LDAP server. The default value lets the underlying
+        LDAP client library look for a UNIX domain socket in its default
+        location.
+  start_tls:
+    required: false
+    choices: ['yes', 'no']
+    default: 'no'
+    description:
+      - If true, we'll use the START_TLS LDAP extension.
+  state:
+    required: false
+    choices: [present, absent, exact]
+    default: present
+    description:
+      - The state of the attribute values. If C(present), all given
+        values will be added if they're missing. If C(absent), all given
+        values will be removed if present. If C(exact), the set of values
+        will be forced to exactly those provided and no others. If
+        I(state=exact) and I(value) is empty, all values for this
+        attribute will be removed.
+  attributes:
+    required: true
+    description:
+      - The attribute(s) and value(s) to add or remove. The complex argument
+        format is required in order to pass a list of strings (see examples).
+  ordered:
+    required: false
+    choices: ['yes', 'no']
+    default: 'no'
+    description:
+      - If C(yes), prepend list values with X-ORDERED index numbers in all
+        attributes specified in the current task. This is useful mostly with
+        I(olcAccess) attribute to easily manage LDAP Access Control Lists.
+  validate_certs:
+    required: false
+    choices: ['yes', 'no']
+    default: 'yes'
+    description:
+      - If C(no), SSL certificates will not be validated. This should only be
+        used on sites using self-signed certificates.
+"""
+
+
+EXAMPLES = """
+- name: Configure directory number 1 for example.com
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+      olcSuffix: dc=example,dc=com
+    state: exact
+
+# The complex argument format is required here to pass a list of ACL strings.
+- name: Set up the ACL
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+      olcAccess:
+        - >-
+          {0}to attrs=userPassword,shadowLastChange
+          by self write
+          by anonymous auth
+          by dn="cn=admin,dc=example,dc=com" write
+          by * none'
+        - >-
+          {1}to dn.base="dc=example,dc=com"
+          by dn="cn=admin,dc=example,dc=com" write
+          by * read
+    state: exact
+
+# An alternative approach with automatic X-ORDERED numbering
+- name: Set up the ACL
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+      olcAccess:
+        - >-
+          to attrs=userPassword,shadowLastChange
+          by self write
+          by anonymous auth
+          by dn="cn=admin,dc=example,dc=com" write
+          by * none'
+        - >-
+          to dn.base="dc=example,dc=com"
+          by dn="cn=admin,dc=example,dc=com" write
+          by * read
+    ordered: yes
+    state: exact
+
+- name: Declare some indexes
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+      olcDbIndex:
+        - objectClass eq
+        - uid eq
+
+- name: Set up a root user, which we can use later to bootstrap the directory
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+      olcRootDN: cn=root,dc=example,dc=com
+      olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
+    state: exact
+
+- name: Get rid of an unneeded attribute
+  ldap_attrs:
+    dn: uid=jdoe,ou=people,dc=example,dc=com
+    attributes:
+      shadowExpire: ""
+    state: exact
+    server_uri: ldap://localhost/
+    bind_dn: cn=admin,dc=example,dc=com
+    bind_pw: password
+
+#
+# The same as in the previous example but with the authentication details
+# stored in the ldap_auth variable:
+#
+# ldap_auth:
+#   server_uri: ldap://localhost/
+#   bind_dn: cn=admin,dc=example,dc=com
+#   bind_pw: password
+- name: Get rid of an unneeded attribute
+  ldap_attrs:
+    dn: uid=jdoe,ou=people,dc=example,dc=com
+    attributes:
+      shadowExpire: ""
+    state: exact
+    params: "{{ ldap_auth }}"
+"""
+
+
+RETURN = """
+modlist:
+  description: list of modified parameters
+  returned: success
+  type: list
+  sample: '[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]'
+"""
+
+
+class LdapAttr(object):
+    def __init__(self, module):
+        # Shortcuts
+        self.module = module
+        self.bind_dn = self.module.params['bind_dn']
+        self.bind_pw = self.module.params['bind_pw']
+        self.dn = self.module.params['dn']
+        self.server_uri = self.module.params['server_uri']
+        self.start_tls = self.module.params['start_tls']
+        self.state = self.module.params['state']
+        self.verify_cert = self.module.params['validate_certs']
+        self.attrs = self.module.params['attributes']
+        self.ordered = self.module.params['ordered']
+
+        # Establish connection
+        self.connection = self._connect_to_ldap()
+
+    def _order_values(self, values):
+        """ Prepend X-ORDERED index numbers to attribute's values. """
+        ordered_values = []
+
+        if isinstance(values, list):
+            for index, value in enumerate(values):
+                cleaned_value = re.sub(r'^\{\d+\}', '', value)
+                ordered_values.append('{' + str(index) + '}' + cleaned_value)
+
+        return ordered_values
+
+    def _normalize_values(self, values):
+        """ Normalize attribute's values. """
+        norm_values = []
+
+        if isinstance(values, list):
+            if self.ordered:
+                norm_values = list(map(to_bytes,
+                                   self._order_values(list(map(str,
+                                                               values)))))
+            else:
+                norm_values = list(map(to_bytes, values))
+        elif values != "":
+            norm_values = [to_bytes(str(values))]
+
+        return norm_values
+
+    def add(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            for value in norm_values:
+                if self._is_value_absent(name, value):
+                    modlist.append((ldap.MOD_ADD, name, value))
+
+        return modlist
+
+    def delete(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            for value in norm_values:
+                if self._is_value_present(name, value):
+                    modlist.append((ldap.MOD_DELETE, name, value))
+
+        return modlist
+
+    def exact(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            try:
+                results = self.connection.search_s(
+                    self.dn, ldap.SCOPE_BASE, attrlist=[name])
+            except ldap.LDAPError as e:
+                self.module.fail_json(
+                    msg="Cannot search for attribute %s" % name,
+                    details=to_native(e))
+
+            current = results[0][1].get(name, [])
+
+            if frozenset(norm_values) != frozenset(current):
+                if len(current) == 0:
+                    modlist.append((ldap.MOD_ADD, name, norm_values))
+                elif len(norm_values) == 0:
+                    modlist.append((ldap.MOD_DELETE, name, None))
+                else:
+                    modlist.append((ldap.MOD_REPLACE, name, norm_values))
+
+        return modlist
+
+    def _is_value_present(self, name, value):
+        """ True if the target attribute has the given value. """
+        try:
+            is_present = bool(
+                self.connection.compare_s(self.dn, name, value))
+        except ldap.NO_SUCH_ATTRIBUTE:
+            is_present = False
+
+        return is_present
+
+    def _is_value_absent(self, name, value):
+        """ True if the target attribute doesn't have the given value. """
+        return not self._is_value_present(name, value)
+
+    def _connect_to_ldap(self):
+        if not self.verify_cert:
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
+        connection = ldap.initialize(self.server_uri)
+
+        if self.start_tls:
+            try:
+                connection.start_tls_s()
+            except ldap.LDAPError as e:
+                self.module.fail_json(msg="Cannot start TLS.",
+                                      details=to_native(e))
+
+        try:
+            if self.bind_dn is not None:
+                connection.simple_bind_s(self.bind_dn, self.bind_pw)
+            else:
+                connection.sasl_interactive_bind_s('', ldap.sasl.external())
+        except ldap.LDAPError as e:
+            self.module.fail_json(
+                msg="Cannot bind to the server.", details=to_native(e))
+
+        return connection
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec={
+            'bind_dn': dict(default=None),
+            'bind_pw': dict(default='', no_log=True),
+            'dn': dict(required=True),
+            'params': dict(type='dict'),
+            'server_uri': dict(default='ldapi:///'),
+            'start_tls': dict(default=False, type='bool'),
+            'state': dict(
+                default='present',
+                choices=['present', 'absent', 'exact']),
+            'attributes': dict(required=True, type='dict'),
+            'ordered': dict(default=False, type='bool'),
+            'validate_certs': dict(default=True, type='bool'),
+        },
+        supports_check_mode=True,
+    )
+
+    if not HAS_LDAP:
+        module.fail_json(
+            msg="Missing required 'ldap' module (pip install python-ldap)")
+
+    # Update module parameters with user's parameters if defined
+    if 'params' in module.params and isinstance(module.params['params'], dict):
+        module.params.update(module.params['params'])
+        # Remove the params
+        module.params.pop('params', None)
+
+    # Instantiate the LdapAttr object
+    ldap = LdapAttr(module)
+
+    state = module.params['state']
+
+    # Perform action
+    if state == 'present':
+        modlist = ldap.add()
+    elif state == 'absent':
+        modlist = ldap.delete()
+    elif state == 'exact':
+        modlist = ldap.exact()
+
+    changed = False
+
+    if len(modlist) > 0:
+        changed = True
+
+        if not module.check_mode:
+            try:
+                ldap.connection.modify_s(ldap.dn, modlist)
+            except Exception as e:
+                module.fail_json(msg="Attribute action failed.",
+                                 details=to_native(e),
+                                 exception=traceback.format_exc())
+
+    module.exit_json(changed=changed, modlist=modlist)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/ansible/COPYRIGHT b/ansible_collections/debops/debops/roles/ansible/COPYRIGHT
new file mode 100644
index 00000000..1e60bd2f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.ansible - Install Ansible on a Debian/Ubuntu host using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ansible/defaults/main.yml b/ansible_collections/debops/debops/roles/ansible/defaults/main.yml
new file mode 100644
index 00000000..082b0d40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/defaults/main.yml
@@ -0,0 +1,112 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ansible__ref_defaults:
+
+# debops.ansible default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation, APT packages [[[
+# ------------------------------
+
+# .. envvar:: ansible__deploy_type [[[
+#
+# Select how Ansible should be installed by the role:
+#
+# - ``system``: install Ansible using current OS packages, possibly from the
+#               backports repository.
+#
+# - ``upstream``: install Ansible from the upstream APT repository on
+#                 Launchpad (PPA, usable on Debian as well).
+#
+# - ``bootstrap``: install APT packages required for Ansible and build a local
+#                  ``.deb`` package using the upstream GitHub repository.
+#
+ansible__deploy_type: '{{ "upstream"
+                          if (ansible_distribution_release in
+                              ["trusty", "xenial"])
+                          else "system" }}'
+
+                                                                   # ]]]
+# .. envvar:: ansible__upstream_apt_key [[[
+#
+# The OpenPGP key of the Ansible upstream APT repository.
+ansible__upstream_apt_key: '6125 E2A8 C77F 2818 FB7B D15B 93C4 A3FD 7BB9 C367'
+
+                                                                   # ]]]
+# .. envvar:: ansible__upstream_apt_repository [[[
+#
+# The APT repository URI of the upstream Ansible repository.
+ansible__upstream_apt_repository: 'deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main'
+
+                                                                   # ]]]
+# .. envvar:: ansible__base_packages [[[
+#
+# List of APT packages to install for Ansible support.
+ansible__base_packages:
+  - '{{ "ansible"
+        if (ansible__deploy_type in ["system", "upstream"])
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: ansible__packages [[[
+#
+# List of additional APT packages to install with Ansible.
+ansible__packages: []
+
+                                                                   # ]]]
+# .. envvar:: ansible__bootstrap_version [[[
+#
+# Specify the :command:`git` repository branch, tag or commit id which should
+# be used by the :command:`bootstrap-ansible` script to build the Ansible
+# ``.deb`` package.
+ansible__bootstrap_version: 'devel'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: ansible__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+ansible__apt_preferences__dependent_list:
+
+  - package: 'ansible'
+    backports: [ "stretch", "buster" ]
+    reason: 'Compatibility with upstream release'
+    by_role: 'debops_ansible'
+    state: '{{ "absent"
+               if (ansible__deploy_type == "upstream")
+               else "present" }}'
+
+  - package: 'ansible'
+    pin: 'release o=LP-PPA-ansible-ansible'
+    priority: '600'
+    by_role: 'debops_ansible'
+    filename: 'debops_ansible_upstream.pref'
+    reason: 'Recent version from upstream PPA'
+    state: '{{ "present"
+               if (ansible__deploy_type == "upstream")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: ansible__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+ansible__keyring__dependent_apt_keys:
+
+  - id: '{{ ansible__upstream_apt_key }}'
+    repo: '{{ ansible__upstream_apt_repository }}'
+    state: '{{ "present" if (ansible__deploy_type == "upstream") else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ansible/files/script/bootstrap-ansible b/ansible_collections/debops/debops/roles/ansible/files/script/bootstrap-ansible
new file mode 100755
index 00000000..ddde8d48
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/files/script/bootstrap-ansible
@@ -0,0 +1,160 @@
+#!/usr/bin/env bash
+
+# bootstrap-ansible: download and build Ansible on a Debian/Ubuntu host
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+# This program is free software; you can redistribute
+# it and/or modify it under the terms of the
+# GNU General Public License as published by the Free
+# Software Foundation; either version 3 of the License,
+# or (at your option) any later version.
+#
+# This program is distributed in the hope that it will
+# be useful, but WITHOUT ANY WARRANTY; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General
+# Public License along with this program; if not,
+# write to the Free Software Foundation, Inc., 59
+# Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# An on-line copy of the GNU General Public License can
+# be downloaded from the FSF web page at:
+# https://www.gnu.org/copyleft/gpl.html
+
+
+# Usage: ./bootstrap-ansible [branch] [build_directory]
+
+set -o nounset -o pipefail -o errexit
+
+
+DEBIAN_VERSION="$(sed 's/\..*//' /etc/debian_version)"
+readonly DEBIAN_VERSION
+
+ansible_branch="${1:-devel}"
+build_dir="${2:-}"
+
+if [ -z "${build_dir}" ] ; then
+    build_dir="$(mktemp -d)"
+    # shellcheck disable=SC2064
+    trap "rm -rf ${build_dir}" EXIT
+fi
+
+install_ansible_requirements () {
+
+    local -a apt_packages
+
+    apt_packages=( git devscripts cdbs debhelper dpkg-dev fakeroot sshpass \
+                   asciidoc xmlto build-essential lsb-release dh-python )
+
+    apt_packages+=(
+        python-crypto \
+        python-cryptography \
+        python-dnspython \
+        python-httplib2 \
+        python-jinja2 \
+        python-ldap \
+        python-nose \
+        python-paramiko \
+        python-passlib \
+        python-setuptools \
+        python-sphinx \
+        python-yaml
+    )
+
+    if [ "${DEBIAN_VERSION}" -gt 8 ] ; then
+        apt_packages+=( python-packaging )
+    fi
+
+    sudo apt-get --no-install-recommends -y install  "${apt_packages[@]}"
+}
+
+build_ansible_deb () {
+
+    # Build Debian package
+    if [ -n "$(grep 'local_deb' Makefile || true)" ] ; then
+        LANG=C make local_deb > /tmp/ansible-deb-build.log \
+            || tail -n 50 /tmp/ansible-deb-build.log
+    else
+        LANG=C make deb > /tmp/ansible-deb-build.log \
+            || tail -n 50 /tmp/ansible-deb-build.log
+    fi
+
+    # Check if .deb package with new method is present
+    if [ -n "$(find deb-build/unstable/ -name "ansible_*_all.deb" 2>/dev/null)" ]; then
+
+        sudo dpkg -i deb-build/unstable/ansible_*_all.deb
+
+    # Otherwise, look for package generated with old method
+    elif [ -n "$(find .. -name "ansible_*_all.deb" 2>/dev/null)" ]; then
+
+        sudo dpkg -i ../ansible_*_all.deb
+
+    fi
+
+}
+
+bootstrap_ansible_deb () {
+
+    local ansible_branch
+    local build_dir
+    local ansible_git_repo
+    local ansible_source_dir
+
+    ansible_branch="${1:-devel}"
+    build_dir="${2:-$(mktemp -d)}"
+    ansible_git_repo="${3:-https://github.com/ansible/ansible}"
+    ansible_source_dir="ansible"
+
+    if [ ! -d "${build_dir}" ] ; then
+        mkdir -p "${build_dir}"
+    fi
+
+    cd "${build_dir}" || exit 1
+
+    if [ -d "${ansible_source_dir}" ] ; then
+
+        cd "${ansible_source_dir}" || exit 1
+
+        local old_git_checkout
+        local current_branch_name
+        local current_branch_name
+        local current_branch_name
+
+        old_git_checkout="$(git rev-parse HEAD)"
+        current_branch_name="$(git symbolic-ref HEAD 2>/dev/null)" ||
+        current_branch_name="(unnamed branch)"     # detached HEAD
+        current_branch_name=${current_branch_name##refs/heads/}
+
+        if [ "${current_branch_name}" != "${ansible_branch}" ] ; then
+            git checkout "${ansible_branch}"
+        fi
+
+        git pull --quiet
+        git submodule update
+
+        local current_git_checkout
+
+        current_git_checkout="$(git rev-parse HEAD)"
+
+        if [ "${old_git_checkout}" != "${current_git_checkout}" ] ; then
+            build_ansible_deb
+        fi
+
+    else
+
+        install_ansible_requirements
+        git clone --branch "${ansible_branch}" --recursive "${ansible_git_repo}" "${ansible_source_dir}"
+        cd "${ansible_source_dir}" || exit 1
+        build_ansible_deb
+
+    fi
+}
+
+bootstrap_ansible_deb "${ansible_branch}" "${build_dir}"
diff --git a/ansible_collections/debops/debops/roles/ansible/meta/main.yml b/ansible_collections/debops/debops/roles/ansible/meta/main.yml
new file mode 100644
index 00000000..4f5d0bd1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install Ansible on Debian/Ubuntu host using Ansible'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ansible
diff --git a/ansible_collections/debops/debops/roles/ansible/tasks/main.yml b/ansible_collections/debops/debops/roles/ansible/tasks/main.yml
new file mode 100644
index 00000000..78866671
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (ansible__base_packages
+                              + ansible__packages)) }}'
+    state: 'present'
+  register: ansible__register_packages
+  until: ansible__register_packages is succeeded
+
+- name: Bootstrap Ansible from source
+  ansible.builtin.script: 'script/bootstrap-ansible "{{ ansible__bootstrap_version }}"'
+  when: (ansible__deploy_type == 'bootstrap' and
+         (ansible_local is undefined or
+          (ansible_local.ansible is undefined or
+           not (ansible_local.ansible.installed | d()) | bool or
+                (ansible_local.ansible.deploy_type | d(ansible__deploy_type) != 'bootstrap'))))
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ansible.fact.j2'
+    dest: '/etc/ansible/facts.d/ansible.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/ansible/templates/etc/ansible/facts.d/ansible.fact.j2 b/ansible_collections/debops/debops/roles/ansible/templates/etc/ansible/facts.d/ansible.fact.j2
new file mode 100644
index 00000000..f60e48c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible/templates/etc/ansible/facts.d/ansible.fact.j2
@@ -0,0 +1,29 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"installed": False,
+                      "deploy_type": ansible__deploy_type}
+                     | to_nice_json }}''')
+
+output['installed'] = cmd_exists('ansible-playbook')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/COPYRIGHT b/ansible_collections/debops/debops/roles/ansible_plugins/COPYRIGHT
new file mode 100644
index 00000000..7bdc2bfc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.ansible_plugins - Custom Ansible plugins used by DebOps
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/debops_filter_plugins.py b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/debops_filter_plugins.py
new file mode 100644
index 00000000..2971b800
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/debops_filter_plugins.py
@@ -0,0 +1,1461 @@
+# A set of custom Ansible filter plugins used by DebOps
+
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see <https://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+
+__metaclass__ = type
+
+try:
+    unicode = unicode
+except NameError:
+    # 'unicode' is undefined, must be Python 3
+    str = str
+    unicode = str
+    bytes = bytes
+    basestring = (str, bytes)
+else:
+    # 'unicode' exists, must be Python 2
+    str = str
+    unicode = unicode
+    bytes = str
+    basestring = basestring
+
+
+def _check_if_key_in_nested_dict(key, dictionary):
+    if isinstance(dictionary, dict):
+        for k, v in dictionary.items():
+            if k == key:
+                return True
+            elif isinstance(v, dict):
+                if _check_if_key_in_nested_dict(key, v):
+                    return True
+            elif isinstance(v, list):
+                for d in v:
+                    if _check_if_key_in_nested_dict(key, d):
+                        return True
+
+    return False
+
+
+def _handle_copy_id_from(parsed_config, element, current_param):
+    if 'copy_id_from' in element:
+        if element['copy_id_from'] in parsed_config:
+            id_src = element['copy_id_from']
+            current_param['id'] = (
+                int(parsed_config[id_src]['id']) +
+                int(parsed_config[id_src].get('weight', 0)))
+
+
+def _handle_weight(element, current_param):
+    if 'weight' in element:
+        current_param['weight'] = (
+            int(element.get('weight',
+                current_param.get('weight', 0))) +
+            int(current_param.get('weight', 0)))
+
+
+def _get_real_weight(current_param):
+    return int(current_param['id']) + int(current_param['weight'])
+
+
+def _parse_kv_value(current_data, new_data, data_index):
+    """Parse the parameter values and merge
+    with existing ones conditionally.
+    """
+
+    if 'value' in new_data:
+        old_value = current_data.get('value')
+        old_state = current_data.get('state', 'present')
+        new_value = new_data['value']
+        new_value_cast = new_data.get('value_cast', None)
+
+        if (new_value is None or
+                isinstance(new_value, (basestring, int, float, bool))):
+            if (old_value is None or isinstance(old_value,
+                                                (basestring, int,
+                                                 float, bool, dict))):
+                if new_value_cast in ['null', 'none', 'None']:
+                    current_data['value'] = None
+                elif new_value_cast in ['int', 'integer']:
+                    current_data['value'] = int(new_value)
+                elif new_value_cast in ['str', 'string']:
+                    current_data['value'] = str(new_value)
+                elif new_value_cast in ['bool', 'boolean']:
+                    current_data['value'] = bool(new_value)
+                elif new_value_cast == 'float':
+                    current_data['value'] = float(new_value)
+                else:
+                    current_data['value'] = new_value
+
+            # TODO(drybjed): This never evaluates to true.
+            #  if (old_value is not None and old_state in ['comment'] and
+            #          current_data['state'] != 'comment'):
+            #      current_data['state'] = 'present'
+
+        elif isinstance(new_value, list):
+            if isinstance(old_value, dict):
+                dict_value = current_data.get('value', {}).copy()
+            else:
+                dict_value = {}
+
+            for element_index, element in enumerate(new_value):
+                if isinstance(element, (basestring, int)):
+                    dict_element = dict_value.get(element, {}).copy()
+                    if not dict_element.get('name'):
+                        dict_element.update({
+                            'name': element,
+                            'id': ((data_index * 10) + element_index),
+                            'weight': dict_element.get('weight', 0),
+                            'state': 'present'})
+
+                        dict_element['real_weight'] = _get_real_weight(
+                                dict_element)
+                        dict_value[element] = dict_element
+                        current_data['value'] = dict_value
+
+                elif (isinstance(element, dict) and
+                        element.get('param', element.get('name')) and
+                        element.get('state', 'present') != 'ignore'):
+                    element_name = element.get('param', element.get('name'))
+
+                    for cursor in ([element_name]
+                                   if isinstance(element_name,
+                                                 (basestring, int))
+                                   else element_name):
+                        dict_element = dict_value.get(cursor, {}).copy()
+                        dict_element.update({
+                            'name': cursor,
+                            'id': ((data_index * 10) + element_index),
+                            'weight': int(dict_element.get('weight', 0)),
+                            'state': element.get('state', 'present')
+                        })
+
+                        _handle_copy_id_from(dict_value, element, dict_element)
+
+                        if 'weight' in element:
+                            dict_element['weight'] = (
+                                int(element.get('weight',
+                                    dict_element.get('weight', 0))) +
+                                int(dict_element.get('weight', 0)))
+
+                        dict_element['real_weight'] = _get_real_weight(
+                                dict_element)
+
+                        # Include any unknown keys.
+                        for key in element.keys():
+                            if key not in ['name', 'state', 'id', 'weight',
+                                           'real_weight', 'param',
+                                           'copy_id_from']:
+                                dict_element[key] = element.get(key)
+
+                        dict_value.update({cursor: dict_element})
+                        current_data.update({'value': dict_value})
+
+
+def parse_kv_config(*args, **kwargs):
+    """Return a parsed list of key/value configuration options
+
+    Optional arguments:
+
+        name
+            string, name of the primary dictionary key used as an indicator to
+            merge the related dictionaries together. If not specified, 'name'
+            will be set as default.
+    """
+    name = kwargs.get('name', "name")
+    input_args = []
+    parsed_config = {}
+
+    # Flatten the input list.
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    for element_index, element in enumerate(input_args):
+
+        if isinstance(element, (basestring)):
+
+            # This is a simple string, let's make it a dictionary so that it
+            # can be correctly processed.
+            # We assume that the string should be a 'name' parameter.
+            element = {name: element}
+
+        if isinstance(element, dict):
+            if any(x in [name] for x in element):
+
+                if element.get('state', 'present') != 'ignore':
+
+                    param_name = element.get(name)
+
+                    if element.get('state', 'present') == 'append':
+
+                        # In append mode, don't create new config entries
+                        if (parsed_config.get(param_name, {})
+                                .get('state', 'present') == 'init'):
+                            continue
+
+                    current_param = (parsed_config[param_name].copy()
+                                     if param_name in parsed_config
+                                     else {})
+
+                    if element.get('state', 'present') == 'append':
+                        current_param['state'] = current_param.get(
+                                'state', 'present')
+                    else:
+                        current_param['state'] = (
+                            element.get('state', current_param.get(
+                                'state', 'present')))
+
+                    if (current_param['state'] == 'init' and
+                        (element.get('state', 'present') != 'init' and
+                            _check_if_key_in_nested_dict(
+                            'value', current_param))):
+                        current_param['state'] = 'present'
+
+                    current_param.update({
+                        name: param_name,  # in case of a new entry
+                        'id': int(current_param.get('id',
+                                                    (element_index * 10))),
+                        'weight': int(current_param.get('weight', 0)),
+                        'separator': element.get('separator',
+                                                 current_param.get('separator',
+                                                                   False)),
+                        'section': element.get('section',
+                                               current_param.get('section',
+                                                                 'unknown'))
+                    })
+
+                    _handle_copy_id_from(parsed_config, element, current_param)
+                    _handle_weight(element, current_param)
+
+                    current_param['real_weight'] = (
+                            _get_real_weight(current_param))
+
+                    _parse_kv_value(current_param, element,
+                                    current_param.get('id'))
+
+                    if 'option' in element:
+                        current_param['option'] = element.get('option')
+
+                    if 'comment' in element:
+                        current_param['comment'] = element.get('comment')
+
+                    merge_keys = []
+                    if isinstance(kwargs.get('merge_keys'), list):
+                        merge_keys.extend(kwargs.get('merge_keys'))
+
+                    if 'options' not in merge_keys:
+                        merge_keys.append('options')
+
+                    for key_name in merge_keys:
+                        if key_name in element:
+                            current_options = current_param.get(key_name, [])
+                            current_param[key_name] = parse_kv_config(
+                                current_options + element.get(key_name),
+                                merge_keys=merge_keys)
+
+                    # Include any unknown keys
+                    for unknown_key in element.keys():
+                        if (unknown_key not in merge_keys
+                            and unknown_key not in [name, 'state', 'id',
+                                                    'weight', 'real_weight',
+                                                    'separator', 'value',
+                                                    'comment', 'option',
+                                                    'section']):
+                            current_param[unknown_key] = (
+                                    element.get(unknown_key))
+
+                    parsed_config.update({param_name: current_param})
+
+            # These parameters are special and should not be interpreted
+            # directly as configuration options
+            elif not all(x in [name, 'option', 'state', 'comment',
+                               'section', 'weight', 'value', 'copy_id_from']
+                         for x in element):
+                for key, value in element.items():
+                    current_param = (parsed_config[key].copy()
+                                     if key in parsed_config else {})
+                    current_param.update({
+                        name: key,
+                        'state': 'present',
+                        'id': int(current_param.get('id',
+                                                    (element_index * 10))),
+                        'weight': int(current_param.get('weight', 0)),
+                        'section': current_param.get('section', 'unknown')
+                    })
+
+                    current_param['real_weight'] = _get_real_weight(
+                            current_param)
+
+                    _parse_kv_value(current_param,
+                                    {'value': value},
+                                    current_param.get('id'))
+
+                    parsed_config.update({key: current_param})
+
+    # Expand the dictionary of configuration options into a list,
+    # and return sorted by weight.
+    output = []
+    for key, params in parsed_config.items():
+        if isinstance(params.get('value'), dict):
+            params['value'] = sorted(
+                params.get('value').values(),
+                key=itemgetter('real_weight')
+            )
+
+        output.append(params)
+
+    return sorted(output, key=itemgetter('real_weight'))
+
+
+def parse_kv_items(*args, **kwargs):
+    """Return a parsed list of with_items elements
+    Optional arguments:
+
+        name
+            string, name of the primary dictionary key used as an indicator to
+            merge the related dictionaries together. If not specified, 'name'
+            will be set as default.
+
+        empty
+            dictionary, keys are parameter names which might be empty, values
+            are key name or list of key names, first key with a value other
+            than None will be used as the specified parameter. Examples:
+                empty={'some_param':  'other_param',
+                       'empty_param': ['param2', 'param1']}
+
+        defaults
+            dictionary, keys are parameter names, values are default values to
+            use when a parameter is not specified. Examples:
+                      defaults={'some_param': 'default_value'}
+
+        merge_keys
+            list of keys in the dictionary that will be merged together. If not
+            specified, 'options' key instances will be merged by default.
+    """
+    name = kwargs.get('name', "name")
+    empty = kwargs.get('empty', {})
+    defaults = kwargs.get('defaults', {})
+    merge_keys = list(set(kwargs.get('merge_keys', set())))
+
+    if 'options' not in merge_keys:
+        merge_keys.append('options')
+
+    input_args = []
+
+    # Flatten the input list.
+    for sublist in args:
+        input_args.extend(sublist)
+
+    parsed_config = {}
+
+    for element_index, element in enumerate(input_args):
+
+        if isinstance(element, dict):
+            element_state = element.get('state', 'present')
+        elif isinstance(element, (basestring)):
+
+            # This is a simple string, let's make it a dictionary so that it
+            # can be correctly processed.
+            # We assume that the string should be a 'name' parameter.
+            element = {name: element}
+            element_state = 'present'
+
+        if isinstance(element, dict):
+            if (any(x in [name] for x in element) and
+                    element_state != 'ignore'):
+
+                param_name = element.get(name)
+
+                if element_state == 'append':
+
+                    # In append mode, don't create new config entries.
+                    if (param_name not in parsed_config or
+                        parsed_config[param_name].get('state',
+                                                      'present') == 'init'):
+                        continue
+
+                current_param = (parsed_config[param_name].copy()
+                                 if param_name in parsed_config
+                                 else {})
+
+                if element_state == 'append':
+                    current_param['state'] = current_param.get(
+                            'state', 'present')
+                else:
+                    current_param['state'] = (
+                        element.get('state', current_param.get(
+                            'state', 'present')))
+
+                if (current_param['state'] == 'init' and
+                        (element_state != 'init' and
+                            _check_if_key_in_nested_dict(
+                                'value', current_param))):
+                    current_param['state'] = 'present'
+
+                current_param.update({
+                    name: param_name,  # in case of a new entry
+                    'id': int(current_param.get('id', (element_index * 10))),
+                    'weight': int(current_param.get('weight', 0)),
+                    'separator': element.get('separator',
+                                             current_param.get('separator',
+                                                               False))
+                })
+
+                _handle_copy_id_from(parsed_config, element, current_param)
+                _handle_weight(element, current_param)
+
+                current_param['real_weight'] = _get_real_weight(current_param)
+
+                if 'comment' in element:
+                    current_param['comment'] = element.get('comment')
+
+                # Set any default keys defined for the filter.
+                for k, v in defaults.items():
+                    current_param[k] = current_param.get(k, v)
+
+                for key_name in merge_keys:
+                    if key_name in element:
+                        current_options = current_param.get(key_name, [])
+                        current_param[key_name] = parse_kv_config(
+                            current_options + element.get(key_name),
+                            merge_keys=merge_keys)
+
+                known_keys = [name, 'state', 'id', 'weight',
+                              'real_weight', 'separator',
+                              'comment', 'options']
+
+                # Include any unknown keys.
+                for unknown_key in element.keys():
+                    if (unknown_key not in known_keys and
+                            unknown_key not in merge_keys):
+                        current_param[unknown_key] = element.get(unknown_key)
+
+                # Fill any empty keys using other keys.
+                for key_to_set, keys_to_check in empty.items():
+                    if key_to_set in current_param:
+                        continue
+
+                    for key_to_check in keys_to_check:
+                        if key_to_check in current_param:
+                            current_param[key_to_set] = \
+                                    current_param[key_to_check]
+                            break
+
+                parsed_config[param_name] = current_param
+
+    # Expand the dictionary of configuration options into a list,
+    # and return sorted by weight.
+    output = []
+    for key, params in parsed_config.items():
+        # FIXME: Make recursive.
+        if isinstance(params.get('value'), dict):
+            params['value'] = sorted(
+                params.get('value').values(),
+                key=itemgetter('real_weight')
+            )
+
+        output.append(params)
+
+    return sorted(output, key=itemgetter('real_weight'))
+
+
+class FilterModule(object):
+    """Register custom filter plugins in Ansible"""
+
+    def filters(self):
+        return {
+            'parse_kv_config': parse_kv_config,
+            'parse_kv_items': parse_kv_items
+        }
+
+
+if __name__ == '__main__':
+    import unittest
+    import textwrap
+    import yaml
+
+    class Test(unittest.TestCase):
+
+        def test_parse_kv_value_simple(self):
+            current_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value: 'test'
+            '''))
+
+            new_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value: 'test2'
+            '''))
+
+            _parse_kv_value(current_data, new_data, 0)
+
+            #  print(yaml.dump(current_data, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(current_data, new_data)
+
+        def test_parse_kv_value_mixed(self):
+            current_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value:
+              - 'alpha'
+              - 'test'
+            '''))
+
+            new_data = yaml.safe_load(textwrap.dedent('''
+            name: 'local'
+            value:
+              - 'beta'
+            '''))
+
+            # FIXME: Not getting it. Why does the _parse_kv_value behave like
+            # this?
+            expected_data = yaml.safe_load(textwrap.dedent('''
+            name: local
+            value:
+              beta:
+                id: 0
+                name: beta
+                real_weight: 0
+                state: present
+                weight: 0
+            '''))
+
+            _parse_kv_value(current_data, new_data, 0)
+
+            #  print(yaml.dump(current_data, default_flow_style=False))
+            #  print(yaml.dump(new_data, default_flow_style=False))
+
+            self.assertEqual(current_data, expected_data)
+
+        def test_parse_kv_config(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: present
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_absent(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'absent'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: absent
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_init(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'init'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            - id: 30
+              name: local_null
+              real_weight: 30
+              section: unknown
+              separator: false
+              state: init
+              value: null
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_ignore(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+            - name: 'local_null'
+              value: null
+              state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_ignore_existing(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: 'test'
+            - name: 'local2'
+              value: 'test2'
+            - name: 'local'
+              value: 'test3'
+              state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test
+              weight: 0
+            - id: 10
+              name: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_simple_string(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - 'simple_string'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: simple_string
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_null_to_list(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'local'
+              value: null
+            - name: 'local'
+              value: ['test1']
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value:
+              - id: 0
+                name: test1
+                real_weight: 0
+                state: present
+                weight: 0
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_config_renamed(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'local'
+              value: 'test'
+            - renamed: 'local2'
+              value: 'test2'
+            - renamed: 'local'
+              value: 'test3'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              renamed: local
+              real_weight: 0
+              section: unknown
+              separator: false
+              state: present
+              value: test3
+              weight: 0
+            - id: 10
+              renamed: local2
+              real_weight: 10
+              section: unknown
+              separator: false
+              state: present
+              value: test2
+              weight: 0
+            '''))
+
+            items = parse_kv_config(input_items, name='renamed')
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_simple_string(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - 'simple_string'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: simple_string
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_empty(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'name should be used as comment'
+              options:
+
+                - name: 'second level is ignored'
+                  service: |-
+                    second level is ignored so service will not become the
+                    comment
+                  value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - comment: name should be used as comment
+              id: 0
+              name: name should be used as comment
+              options:
+              - id: 0
+                name: second level is ignored
+                real_weight: 0
+                section: unknown
+                separator: false
+                service: |-
+                    second level is ignored so service will not become the
+                    comment
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(
+                    input_items, empty={'comment': ['service', 'name']})
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_defaults(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'something'
+              key1: 'existing'
+              value: 'something'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              key1: existing
+              key2: value2
+              name: something
+              real_weight: 0
+              separator: false
+              state: present
+              value: something
+              weight: 0
+            '''))
+
+            items = parse_kv_items(
+                    input_items, defaults={'key1': 'value1', 'key2': 'value2'})
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_merge_keys(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'something'
+              key1: 'existing'
+              options:
+
+                - name: 'nested1'
+                  value: 'value1'
+
+              test:
+
+                - name: 'test_nested1'
+                  value: 'test_value1'
+
+            - name: 'something'
+              options:
+
+                - name: 'nested2'
+                  value: 'value2'
+
+              test:
+
+                - name: 'test_nested2'
+                  value: 'test_value2'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              key1: existing
+              name: something
+              options:
+              - id: 0
+                name: nested1
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: value1
+                weight: 0
+              - id: 10
+                name: nested2
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                value: value2
+                weight: 0
+              test:
+              - id: 0
+                name: test_nested1
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test_value1
+                weight: 0
+              - id: 10
+                name: test_nested2
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                value: test_value2
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items, merge_keys=['test'])
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_copy_id_from(self):
+            input_items = yaml.safe_load(textwrap.dedent('''
+            - name: 'second'
+              weight: 10
+              value: 'value1'
+
+            - name: 'first'
+              weight: -10
+              copy_id_from: 'second'
+              value: 'value2'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - copy_id_from: second
+              id: 10
+              name: first
+              real_weight: 0
+              separator: false
+              state: present
+              value: value2
+              weight: -10
+            - id: 0
+              name: second
+              real_weight: 10
+              separator: false
+              state: present
+              value: value1
+              weight: 10
+            '''))
+
+            items = parse_kv_items(input_items)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - name: 'should-stay-init'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+
+            - name: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+            - name: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - name: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+                  state: 'init'
+
+              state: 'init'
+
+            - name: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - name: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  comment: 'This comment should survive.'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - name: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test2'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: should-stay-init
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: init
+              weight: 0
+            - id: 10
+              name: should-become-present
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 10
+              separator: false
+              state: present
+              weight: 0
+            - id: 30
+              name: should-become-present2
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 30
+              separator: false
+              state: present
+              weight: 0
+            - id: 50
+              name: should-become-present3
+              options:
+              - comment: This comment should survive.
+                id: 0
+                name: local1
+                options:
+                - id: 0
+                  name: local2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test2
+                  weight: 0
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              - id: 10
+                name: external1
+                options:
+                - id: 0
+                  name: external2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test
+                  weight: 0
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              real_weight: 50
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_renamed(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'should-stay-init'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+
+            - renamed: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+
+              state: 'init'
+
+            - renamed: 'should-become-present'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - renamed: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test'
+                  state: 'init'
+
+              state: 'init'
+
+            - renamed: 'should-become-present2'
+              options:
+
+                - name: 'local'
+                  value: 'test2'
+
+
+            - renamed: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  comment: 'This comment should survive.'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+                      state: 'init'
+
+                  state: 'init'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - renamed: 'should-become-present3'
+              options:
+
+                - name: 'local1'
+                  options:
+
+                    - name: 'local2'
+                      value: 'test2'
+
+                - name: 'external1'
+                  options:
+
+                    - name: 'external2'
+                      value: 'test'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              renamed: should-stay-init
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: init
+              weight: 0
+            - id: 10
+              renamed: should-become-present
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 10
+              separator: false
+              state: present
+              weight: 0
+            - id: 30
+              renamed: should-become-present2
+              options:
+              - id: 0
+                name: local
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                value: test2
+                weight: 0
+              real_weight: 30
+              separator: false
+              state: present
+              weight: 0
+            - id: 50
+              renamed: should-become-present3
+              options:
+              - comment: This comment should survive.
+                id: 0
+                name: local1
+                options:
+                - id: 0
+                  name: local2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test2
+                  weight: 0
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              - id: 10
+                name: external1
+                options:
+                - id: 0
+                  name: external2
+                  real_weight: 0
+                  section: unknown
+                  separator: false
+                  state: present
+                  value: test
+                  weight: 0
+                real_weight: 10
+                section: unknown
+                separator: false
+                state: present
+                weight: 0
+              real_weight: 50
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2, name='renamed')
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+        def test_parse_kv_items_ignore_raw(self):
+            input_items1 = yaml.safe_load(textwrap.dedent('''
+            - name: 'test-item'
+              options:
+
+                - name: 'test-option'
+                  raw: 'test-is-present'
+                  state: 'present'
+            '''))
+
+            input_items2 = yaml.safe_load(textwrap.dedent('''
+            - name: 'test-item'
+              options:
+
+                - name: 'test-option'
+                  raw: 'test-is-ignored'
+                  state: 'ignore'
+            '''))
+
+            expected_items = yaml.safe_load(textwrap.dedent('''
+            - id: 0
+              name: test-item
+              options:
+              - id: 0
+                name: test-option
+                real_weight: 0
+                section: unknown
+                separator: false
+                state: present
+                raw: test-is-present
+                weight: 0
+              real_weight: 0
+              separator: false
+              state: present
+              weight: 0
+            '''))
+
+            items = parse_kv_items(input_items1, input_items2)
+
+            #  print(yaml.dump(items, default_flow_style=False))
+            #  print(yaml.dump(expected_items, default_flow_style=False))
+
+            self.assertEqual(items, expected_items)
+
+    unittest.main()
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/etc_aliases_parse_recipients.py b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/etc_aliases_parse_recipients.py
new file mode 100644
index 00000000..34438f4b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/etc_aliases_parse_recipients.py
@@ -0,0 +1,193 @@
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see <https://www.gnu.org/licenses/>.
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+
+try:
+    unicode = unicode
+except NameError:
+    # py3
+    unicode = str
+
+__metaclass__ = type
+
+
+def _mangle_recipients(name, *args):
+    """Modify the recipient address if it's the same as alias
+    to prevent mail forwarding loops
+    Ref: https://serverfault.com/questions/471604/
+    """
+
+    input_args = []
+
+    # Flatten the input list
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    if name in input_args:
+        return [w.replace(name, '\\' + name) for w in input_args]
+    else:
+        return input_args
+
+
+def _update_recipients(current_data, new_data, *args, **kwargs):
+    """Replace the current list of recipients with a new one"""
+
+    for selector in args:
+        if selector in new_data:
+            new_recipients = ([new_data.get(selector)]
+                              if isinstance(new_data.get(selector),
+                                            (str, unicode))
+                              else new_data.get(selector))
+            current_data.update({'recipients':
+                                _mangle_recipients(current_data.get('name'),
+                                                   new_recipients)})
+
+
+def _add_recipients(current_data, new_data, *args, **kwargs):
+    """Add mail recipients to an existing list of recipients"""
+
+    for selector in args:
+        if selector in new_data:
+            current_recipients = current_data.get('recipients', [])
+            current_recipients.extend([new_data.get(selector)]
+                                      if isinstance(new_data.get(selector),
+                                                    (str, unicode))
+                                      else new_data.get(selector))
+            current_data.update({'recipients':
+                                _mangle_recipients(current_data.get('name'),
+                                                   current_recipients)})
+
+
+def _del_recipients(current_data, new_data, *args, **kwargs):
+    """Remove mail recipients from an existing list"""
+
+    for selector in args:
+        if selector in new_data:
+            deleted_recipients = ([new_data.get(selector)]
+                                  if isinstance(new_data.get(selector),
+                                                (str, unicode))
+                                  else new_data.get(selector))
+            current_recipients = current_data.get('recipients', [])
+            new_recipients = [x for x in current_recipients
+                              if x not in deleted_recipients]
+            current_data.update({'recipients': new_recipients})
+
+
+def etc_aliases_parse_recipients(*args, **kwargs):
+    """Return a parsed list of mail aliases and recipients"""
+
+    input_args = []
+    parsed_aliases = {}
+
+    # Flatten the input list
+    for sublist in list(args):
+        for item in sublist:
+            input_args.append(item)
+
+    for element in input_args:
+        if isinstance(element, dict):
+            if (any(x in element for x in ['name', 'alias']) and
+                    element.get('state', 'present') != 'ignore'):
+
+                alias_name = element.get('alias', element.get('name'))
+                current_alias = (parsed_aliases[alias_name].copy()
+                                 if alias_name in parsed_aliases
+                                 else {})
+
+                current_alias.update({
+                    'name': alias_name,  # in case of a new entry
+                    'state': element.get('state',
+                                         current_alias.get('state',
+                                                           'present')),
+                    'weight': int(element.get('weight',
+                                  current_alias.get('weight', 0))),
+                    'section': element.get('section',
+                                           current_alias.get('section',
+                                                             'unknown'))
+                })
+
+                _update_recipients(current_alias, element, 'dest', 'to')
+
+                _add_recipients(current_alias, element,
+                                'add_dest', 'add_to', 'cc', 'bcc')
+
+                _del_recipients(current_alias, element,
+                                'del_dest', 'del_to')
+
+                if 'real_name' in element or 'real_alias' in element:
+                    current_alias['real_name'] = (
+                        element.get('real_name',
+                                    element.get('real_alias')))
+
+                if 'comment' in element:
+                    current_alias['comment'] = element.get('comment')
+
+                if not current_alias.get('recipients', ''):
+                    current_alias['state'] = 'comment'
+
+                parsed_aliases.update({alias_name: current_alias})
+
+            # These parameters are special and should not be interpreted
+            # directly as mail aliases.
+            elif not all(x in ['name', 'alias', 'state', 'comment',
+                               'section', 'weight', 'dest', 'to',
+                               'add_dest', 'add_to', 'cc', 'bcc',
+                               'del_dest', 'del_to']
+                         for x in element):
+                for key, value in element.items():
+                    current_alias = parsed_aliases.get(key, {}).copy()
+                    current_alias.update({
+                        'name': key,
+                        'recipients': (_mangle_recipients(
+                                       current_alias.get('name'), [value]
+                                       if isinstance(value, (str, unicode))
+                                       else value)),
+                        'state': 'present',
+                        'weight': int(element.get('weight',
+                                      current_alias.get('weight', 0))),
+                        'section': current_alias.get('section', 'unknown')
+                    })
+
+                    current_alias.update({
+                        'recipients': (_mangle_recipients(
+                                       current_alias.get('name'),
+                                       ([value]
+                                        if isinstance(value, (str, unicode))
+                                        else value)))
+                    })
+
+                    if not current_alias.get('recipients', ''):
+                        current_alias['state'] = 'comment'
+
+                    parsed_aliases[key] = current_alias
+
+    # Expand the dictionary of aliases into a list,
+    # and return sorted by weight.
+    return sorted(parsed_aliases.values(), key=itemgetter('weight', 'name'))
+
+
+class FilterModule(object):
+    """Register custom filter plugins in Ansible"""
+
+    def filters(self):
+        return {'etc_aliases_parse_recipients': etc_aliases_parse_recipients}
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/globmatch.py b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/globmatch.py
new file mode 100644
index 00000000..7230852f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/globmatch.py
@@ -0,0 +1,60 @@
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <https://www.gnu.org/licenses/>.
+
+from ansible import errors
+
+try:
+    import fnmatch
+except Exception as e:
+    raise errors.AnsibleFilterError('fnmatch python library not found')
+
+
+def globmatch_filter(value, pattern):
+    ''' Return string or list of items matching given glob pattern(s). '''
+
+    if not isinstance(pattern, (list, tuple)):
+        pattern = [pattern]
+
+    if isinstance(value, (list, tuple)):
+        _ret = []
+
+        for element in pattern:
+            for entry in value:
+                if fnmatch.fnmatch(str(entry), str(element)):
+                    if entry not in _ret:
+                        _ret.append(entry)
+
+        if _ret:
+            return _ret
+        else:
+            return list()
+
+    else:
+
+        for element in pattern:
+            if fnmatch.fnmatch(str(value), str(element)):
+                return value
+
+
+class FilterModule(object):
+
+    ''' Return string or list of items matching given glob pattern(s). '''
+    def filters(self):
+        return {
+            'globmatch': globmatch_filter
+        }
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/split.py b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/split.py
new file mode 100644
index 00000000..2a962dd6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/split.py
@@ -0,0 +1,152 @@
+# (c) 2014 Tim Raasveld <info@webtrein.nl>
+# https://github.com/timraasveld/ansible-string-split-filter/
+# (c) 2014 Maciej Delmanowski <drybjed@gmail.com>
+# https://debops.org/
+# SPDX-License-Identifier: CC0-1.0
+
+
+# License: CC0 1.0 Universal
+#
+# Statement of Purpose
+#
+# The laws of most jurisdictions throughout the world automatically confer
+# exclusive Copyright and Related Rights (defined below) upon the creator and
+# subsequent owner(s) (each and all, an "owner") of an original work of
+# authorship and/or a database (each, a "Work").
+#
+# Certain owners wish to permanently relinquish those rights to a Work for the
+# purpose of contributing to a commons of creative, cultural and scientific
+# works ("Commons") that the public can reliably and without fear of later
+# claims of infringement build upon, modify, incorporate in other works, reuse
+# and redistribute as freely as possible in any form whatsoever and for any
+# purposes, including without limitation commercial purposes. These owners may
+# contribute to the Commons to promote the ideal of a free culture and the
+# further production of creative, cultural and scientific works, or to gain
+# reputation or greater distribution for their Work in part through the use and
+# efforts of others.
+#
+# For these and/or other purposes and motivations, and without any expectation
+# of additional consideration or compensation, the person associating CC0 with
+# a Work (the "Affirmer"), to the extent that he or she is an owner of
+# Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to
+# the Work and publicly distribute the Work under its terms, with knowledge of
+# his or her Copyright and Related Rights in the Work and the meaning and
+# intended legal effect of CC0 on those rights.
+#
+# 1. Copyright and Related Rights. A Work made available under CC0 may be
+# protected by copyright and related or neighboring rights ("Copyright and
+# Related Rights"). Copyright and Related Rights include, but are not limited
+# to, the following:
+#
+#   i. the right to reproduce, adapt, distribute, perform, display,
+#   communicate, and translate a Work;
+#
+#   ii. moral rights retained by the original author(s) and/or performer(s);
+#
+#   iii. publicity and privacy rights pertaining to a person's image or
+#   likeness depicted in a Work;
+#
+#   iv. rights protecting against unfair competition in regards to a Work,
+#   subject to the limitations in paragraph 4(a), below;
+#
+#   v. rights protecting the extraction, dissemination, use and reuse of data
+#   in a Work;
+#
+#   vi. database rights (such as those arising under Directive 96/9/EC of the
+#   European Parliament and of the Council of 11 March 1996 on the legal
+#   protection of databases, and under any national implementation thereof,
+#   including any amended or successor version of such directive); and
+#
+#   vii. other similar, equivalent or corresponding rights throughout the world
+#   based on applicable law or treaty, and any national implementations
+#   thereof.
+#
+# 2. Waiver. To the greatest extent permitted by, but not in contravention of,
+# applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
+# unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
+# and Related Rights and associated claims and causes of action, whether now
+# known or unknown (including existing as well as future claims and causes of
+# action), in the Work (i) in all territories worldwide, (ii) for the maximum
+# duration provided by applicable law or treaty (including future time
+# extensions), (iii) in any current or future medium and for any number of
+# copies, and (iv) for any purpose whatsoever, including without limitation
+# commercial, advertising or promotional purposes (the "Waiver"). Affirmer
+# makes the Waiver for the benefit of each member of the public at large and to
+# the detriment of Affirmer's heirs and successors, fully intending that such
+# Waiver shall not be subject to revocation, rescission, cancellation,
+# termination, or any other legal or equitable action to disrupt the quiet
+# enjoyment of the Work by the public as contemplated by Affirmer's express
+# Statement of Purpose.
+#
+# 3. Public License Fallback. Should any part of the Waiver for any reason be
+# judged legally invalid or ineffective under applicable law, then the Waiver
+# shall be preserved to the maximum extent permitted taking into account
+# Affirmer's express Statement of Purpose. In addition, to the extent the
+# Waiver is so judged Affirmer hereby grants to each affected person
+# a royalty-free, non transferable, non sublicensable, non exclusive,
+# irrevocable and unconditional license to exercise Affirmer's Copyright and
+# Related Rights in the Work (i) in all territories worldwide, (ii) for the
+# maximum duration provided by applicable law or treaty (including future time
+# extensions), (iii) in any current or future medium and for any number of
+# copies, and (iv) for any purpose whatsoever, including without limitation
+# commercial, advertising or promotional purposes (the "License"). The License
+# shall be deemed effective as of the date CC0 was applied by Affirmer to the
+# Work. Should any part of the License for any reason be judged legally invalid
+# or ineffective under applicable law, such partial invalidity or
+# ineffectiveness shall not invalidate the remainder of the License, and in
+# such case Affirmer hereby affirms that he or she will not (i) exercise any of
+# his or her remaining Copyright and Related Rights in the Work or (ii) assert
+# any associated claims and causes of action with respect to the Work, in
+# either case contrary to Affirmer's express Statement of Purpose.
+#
+# 4. Limitations and Disclaimers.
+#
+#   a. No trademark or patent rights held by Affirmer are waived, abandoned,
+#   surrendered, licensed or otherwise affected by this document.
+#
+#   b. Affirmer offers the Work as-is and makes no representations or
+#   warranties of any kind concerning the Work, express, implied, statutory or
+#   otherwise, including without limitation warranties of title,
+#   merchantability, fitness for a particular purpose, non infringement, or the
+#   absence of latent or other defects, accuracy, or the present or absence of
+#   errors, whether or not discoverable, all to the greatest extent permissible
+#   under applicable law.
+#
+#   c. Affirmer disclaims responsibility for clearing rights of other persons
+#   that may apply to the Work or any use thereof, including without limitation
+#   any person's Copyright and Related Rights in the Work. Further, Affirmer
+#   disclaims responsibility for obtaining any necessary consents, permissions
+#   or other rights required for any use of the Work.
+#
+#   d. Affirmer understands and acknowledges that Creative Commons is not a
+#   party to this document and has no duty or obligation with respect to this
+#   CC0 or use of the Work.
+#
+# For more information, please see
+# <http://creativecommons.org/publicdomain/zero/1.0/>
+
+
+import re
+
+
+def split_string(string, separator=None, maxsplit=-1):
+    try:
+        return string.split(separator, maxsplit)
+    except Exception:
+        return list(string)
+
+
+def split_regex(string, seperator_pattern):
+    try:
+        return re.split(seperator_pattern, string)
+    except Exception:
+        return list(string)
+
+
+class FilterModule(object):
+    ''' A filter to split a string into a list. '''
+    def filters(self):
+        return {
+            'split': split_string,
+            'split_regex': split_regex,
+        }
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/toml.py b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/toml.py
new file mode 100644
index 00000000..72aa54f1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/filter_plugins/toml.py
@@ -0,0 +1,53 @@
+# Copyright (C) 2017, Matt Martz <matt@sivel.net>
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Make coding more python3-ish
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import functools
+
+from ansible.plugins.inventory.toml import HAS_TOML, toml_dumps
+try:
+    from ansible.plugins.inventory.toml import toml
+except ImportError:
+    pass
+
+from ansible.errors import AnsibleFilterError
+from ansible.module_utils._text import to_text
+from ansible.module_utils.common._collections_compat import MutableMapping
+from ansible.module_utils.six import string_types
+
+
+def _check_toml(func):
+    @functools.wraps(func)
+    def inner(o):
+        if not HAS_TOML:
+            raise AnsibleFilterError('The %s filter plugin requires '
+                                     'the python "toml" library' % func.__name__)
+        return func(o)
+    return inner
+
+
+@_check_toml
+def from_toml(o):
+    if not isinstance(o, string_types):
+        raise AnsibleFilterError('from_toml requires a string, got %s' % type(o))
+    return toml.loads(to_text(o, errors='surrogate_or_strict'))
+
+
+@_check_toml
+def to_toml(o):
+    if not isinstance(o, MutableMapping):
+        raise AnsibleFilterError('to_toml requires a dict, got %s' % type(o))
+    return to_text(toml_dumps(o), errors='surrogate_or_strict')
+
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'to_toml': to_toml,
+            'from_toml': from_toml
+        }
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/library/cran.py b/ansible_collections/debops/debops/roles/ansible_plugins/library/cran.py
new file mode 100644
index 00000000..6b102e2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/library/cran.py
@@ -0,0 +1,116 @@
+# cran.py: install or remove R packages
+# Homepage: https://github.com/yutannihilation/ansible-module-cran
+
+# Copyright (C) 2016 Hiroaki Yutani <yutani.ini@gmail.com>
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+from ansible.module_utils.basic import AnsibleModule
+
+DOCUMENTATION = '''
+---
+module: cran
+short_description: Install R packages.
+options:
+  name:
+    description:
+      - The name of an R package.
+    required: true
+    default: null
+  state:
+    description:
+      - The state of module
+    required: false
+    choices: ['present', 'absent']
+    default: present
+  repo:
+    description:
+      - The repository
+    required: false
+    default: "https://cran.rstudio.com/"
+'''
+
+RSCRIPT = '/usr/bin/Rscript'
+
+
+def get_installed_version(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'p <- installed.packages(); cat(p[p[,1] == "{name:}",'
+            '3])'.format(name=module.params['name'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=False)
+    return stdout.strip() if rc == 0 else None
+
+
+def install(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'install.packages(pkgs="{name:}",repos="{repos:}")'
+            ''.format(name=module.params['name'],
+                      repos=module.params['repo'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=True)
+    return stderr
+
+
+def uninstall(module):
+    cmnd = [RSCRIPT, '--slave', '--no-save', '--no-restore-history', '-e',
+            'remove.packages(pkgs="{name:}")'
+            ''.format(name=module.params['name'])]
+    (rc, stdout, stderr) = module.run_command(cmnd, check_rc=True)
+    return stderr
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            state=dict(default='present', choices=['present', 'absent']),
+            name=dict(required=True),
+            repo=dict(default='https://cran.rstudio.com/')
+        )
+    )
+    state = module.params['state']
+    name = module.params['name']
+    changed = False
+    version = get_installed_version(module)
+
+    if state == 'present' and not version:
+        stderr = install(module)
+        version = get_installed_version(module)
+        if not version:
+            module.fail_json(
+                msg='Failed to install {name:}: {err:}'.format(
+                    name=name, err=stderr, version=version))
+        changed = True
+
+    elif state == 'absent' and version:
+        stderr = uninstall(module)
+        version = get_installed_version(module)
+        if version:
+            module.fail_json(
+                msg='Failed to install {name:}: {err:}'.format(
+                    name=name, err=stderr))
+        changed = True
+
+    module.exit_json(changed=changed, name=name, version=version)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/library/dpkg_divert.py b/ansible_collections/debops/debops/roles/ansible_plugins/library/dpkg_divert.py
new file mode 100644
index 00000000..0c72ee36
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/library/dpkg_divert.py
@@ -0,0 +1,409 @@
+# Copyright (c) 2017-2018, Yann Amar <quidame@poivron.org>
+# Copyright (c) 2019,      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (c) 2019,      DebOps https://debops.org/
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# Source: https://github.com/quidame/ansible-module-dpkg_divert
+
+from __future__ import absolute_import, division, print_function
+from ansible.module_utils.basic import AnsibleModule
+import os.path
+import errno
+import os
+import re
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}
+
+DOCUMENTATION = '''
+---
+module: dpkg_divert
+short_description: Override a package's version of a file
+description:
+    - A diversion is for C(dpkg) the knowledge that only a given I(package)
+      is allowed to install a file at a given I(path). Other packages shipping
+      their own version of this file will be forced to I(divert) it, i.e. to
+      install it at another location. It allows one to keep changes in a file
+      provided by a debian package by preventing its overwrite at package
+      upgrade.
+    - This module manages diversions of debian packages files using the
+      C(dpkg-divert)(1) commandline tool. It can either create or remove a
+      diversion for a given file, but also update an existing diversion to
+      modify its holder and/or its divert path.
+    - It's a feature of this module to mimic C(dpkg-divert)'s behaviour
+      regarding the renaming of files when removing as well as adding a
+      diversion; existing files are never overwritten.
+version_added: "2.4"
+author: "quidame@poivron.org"
+options:
+    path:
+        description:
+            - The original and absolute path of the file to be diverted or
+              undiverted. This path is unique, i.e. it is not possible to get
+              two diversions for the same I(path).
+        required: true
+        type: 'path'
+        aliases: [ 'name' ]
+    state:
+        description:
+            - When I(state=absent), remove the diversion of the specified
+              I(path); when I(state=present), create the diversion if it does
+              not exist, or update its I(package) holder or I(divert) path,
+              if any, and if I(force) is C(True).
+            - Unless I(force) is C(True), the removal of I(path)'s diversion
+              only happens if the diversion matches the I(divert) and
+              I(package) values, if any.
+        type: 'string'
+        default: 'present'
+        choices: [ 'absent', 'present' ]
+    package:
+        description:
+            - The name of the package whose copy of file is not diverted, also
+              known as the diversion holder or the package the diversion
+              belongs to.
+            - The actual package does not have to be installed or even to exist
+              for its name to be valid. If not specified, the diversion is held
+              by 'LOCAL', which is reserved for local diversions.
+            - Removing or updating a diversion fails if the diversion exists
+              and belongs to another package, unless I(force) is C(True).
+    divert:
+        description:
+            - The location where the versions of file will be diverted.
+            - The default suffix is C(.distrib) for diversions defined by a
+              package and C(.dpkg-divert) for 'LOCAL' diversions.
+        type: 'path'
+    rename:
+        description:
+            - Actually move the file aside (or back).
+            - Renaming is skipped (but module doesn't fail) in case the
+              destination file already exists. This is a C(dpkg-divert)
+              feature, and its purpose is to never overwrite a file. It also
+              makes the command itself idempotent, and the module's I(force)
+              parameter has no effect on this behaviour.
+            - Also, I(rename) is ignored if the diversion entry is unchanged
+              in the diversion database (adding an already existing diversion
+              or removing a non-existing one).
+        type: 'bool'
+        default: true
+    delete:
+        description:
+            - When I(yes), delete the file in place of the original before
+              reverting. This only applies with I(state=absent) to avoid
+              C(dpkg-divert) command complaining about existing file in place
+              of the diverted one.
+        type: 'bool'
+        default: false
+    force:
+        description:
+            - Force to divert file when diversion already exists and is hold
+              by another I(package) or points to another I(divert). There is
+              no need to use it for I(remove) action if I(divert) or I(package)
+              are not used.
+            - This doesn't override the rename's lock feature, i.e. it doesn't
+              help to force I(rename), but only to force the diversion for
+              dpkg.
+        type: 'bool'
+        default: false
+requirements: [ dpkg-divert, env ]
+'''
+
+EXAMPLES = '''
+# Divert /etc/screenrc to /etc/screenrc.dpkg-divert and rename the file
+- name: Create local diversion
+  dpkg_divert: path=/etc/screenrc
+
+# Divert /etc/screenrc to /etc/screenrc.distrib for package 'branding' and
+# rename the file
+- name: Create diversion for APT package
+  dpkg_divert:
+    name: /etc/screenrc
+    package: branding
+
+- name: Delete the file in place of the original and remove the diversion
+  dpkg_divert:
+    name: /etc/screenrc
+    state: absent
+    delete: yes
+
+- name: remove the screenrc diversion only if belonging to 'branding'
+  dpkg_divert:
+    name: /etc/screenrc
+    package: branding
+    state: absent
+
+# Divert screenrc to screenrc.dpkg-divert, but don't rename the file
+- name: Divert with custom rename
+  dpkg_divert:
+    path: /etc/screenrc
+    divert: /etc/screenrc.dpkg-divert
+    rename: no
+
+# Divert and rename screenrc to screenrc.dpkg-divert, even if diversion is
+# already set
+- name: Divert with custom rename
+  dpkg_divert:
+    path: /etc/screenrc
+    divert: /etc/screenrc.dpkg-divert
+    rename: yes
+    force: yes
+
+  # Remove the screenrc diversion and maybe move the diverted file to its
+  # original place
+- name: Remove diversion and rename file
+  dpkg_divert:
+    path: /etc/screenrc
+    state: absent
+    rename: yes
+'''
+
+
+def main():
+
+    # Mimic the behaviour of the dpkg-divert(1) command: '--add' is implicit
+    # when not using '--remove'; '--rename' takes care to never overwrite
+    # existing files; and options are intended to not conflict between them.
+
+    # 'force' is an option of the module, not of the command, and implies to
+    # run the command twice. Its purpose is to allow one to re-divert a file
+    # with another target path or to 'give' it to another package, in one task.
+    # This is very easy because one of the values is unique in the diversion
+    # database, and dpkg-divert itself is idempotent (does nothing when nothing
+    # needs doing).
+
+    module = AnsibleModule(
+        argument_spec=dict(
+            path=dict(required=True,  type='path', aliases=['name']),
+            state=dict(required=False, type='str', default='present',
+                       choices=['absent', 'present']),
+            package=dict(required=False, type='str', default='LOCAL'),
+            divert=dict(required=False, type='path'),
+            rename=dict(required=False, type='bool', default=True),
+            delete=dict(required=False, type='bool', default=False),
+            force=dict(required=False, type='bool', default=False),
+        ),
+        supports_check_mode=True,
+    )
+
+    path = module.params['path']
+    state = module.params['state']
+    package = module.params['package']
+    divert = module.params['divert']
+    rename = module.params['rename']
+    delete = module.params['delete']
+    force = module.params['force']
+
+    DPKG_DIVERT = module.get_bin_path('dpkg-divert', required=True)
+    # We need to parse the command's output, which is localized.
+    # So we have to reset environment variable (LC_ALL).
+    ENVIRONMENT = module.get_bin_path('env', required=True)
+
+    # Start to build the commandline we'll have to run
+    COMMANDLINE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, path]
+
+    # Then insert options as requested in the task parameters:
+    if state == 'absent':
+        COMMANDLINE.insert(3, '--remove')
+    elif state == 'present':
+        COMMANDLINE.insert(3, '--add')
+
+    if rename:
+        COMMANDLINE.insert(3, '--rename')
+
+    if divert:
+        COMMANDLINE.insert(3, '--divert')
+        COMMANDLINE.insert(4, divert)
+    else:
+        if package == 'LOCAL':
+            COMMANDLINE.insert(3, '--divert')
+            COMMANDLINE.insert(4, '.'.join([path, 'dpkg-divert']))
+        elif package:
+            COMMANDLINE.insert(3, '--divert')
+            COMMANDLINE.insert(4, '.'.join([path, 'distrib']))
+
+    if package == 'LOCAL':
+        COMMANDLINE.insert(3, '--local')
+    elif package:
+        COMMANDLINE.insert(3, '--package')
+        COMMANDLINE.insert(4, package)
+
+    # dpkg-divert has a useful --test option that we will use in check mode or
+    # when needing to parse output before actually doing anything.
+    TESTCOMMAND = list(COMMANDLINE)
+    TESTCOMMAND.insert(3, '--test')
+    if module.check_mode:
+        COMMANDLINE = list(TESTCOMMAND)
+
+    cmd = ' '.join(COMMANDLINE)
+
+    # `dpkg-divert --listpackage FILE` always returns 0, but not diverted files
+    # provide no output.
+    rc, listpackage, _ = module.run_command(
+            [DPKG_DIVERT, '--listpackage', path])
+    rc, placeholder, _ = module.run_command(TESTCOMMAND)
+
+    # There is probably no need to do more than that. Please read the first
+    # sentence of the next comment for a better understanding of the following
+    # `if` statement:
+    if rc == 0 or not force or not listpackage:
+
+        # If requested, delete the file to make way for the reverted one, but
+        # only of the diversion currently exists.
+        if not module.check_mode:
+            if state == 'absent' and listpackage and delete:
+                try:
+                    os.unlink(path)
+                except OSError as e:
+                    # It may already have been removed
+                    if e.errno != errno.ENOENT:
+                        raise AnsibleModuleError(
+                                results={'msg': "unlinking failed: %s "
+                                         % to_native(e), 'path': path})
+
+        # In the check mode, the 'dpkg-divert' command still tests the
+        # diversion removal for real and returns with an error when a changed
+        # file is in place. In that specific case, we instead simulate a file
+        # deletion and diversion removal ourselves to have the check mode
+        # succeed.
+        if (module.check_mode and state == 'absent' and delete and
+                listpackage and os.path.exists(path)):
+            fake_stdout = ['Deleting', path, 'and', 'removing']
+            if package == 'LOCAL':
+                fake_stdout.append('local')
+            fake_stdout.extend(['diversion', 'of', path, 'to'])
+            if divert:
+                fake_stdout.append(divert)
+            else:
+                if package == 'LOCAL':
+                    fake_stdout.append('.'.join([path, 'dpkg-divert']))
+                elif package:
+                    fake_stdout.append('.'.join([path, 'distrib']))
+
+            rc, stdout, stderr = [0, ' '.join(fake_stdout), '']
+        else:
+            rc, stdout, stderr = module.run_command(COMMANDLINE, check_rc=True)
+
+        if re.match('^(Leaving|No diversion)', stdout):
+            module.exit_json(changed=False, stdout=stdout,
+                             stderr=stderr, cmd=cmd)
+        else:
+            module.exit_json(changed=True, stdout=stdout,
+                             stderr=stderr, cmd=cmd)
+
+    # So, here we are: the test failed AND force is true AND a diversion exists
+    # for the file.  Anyway, we have to remove it first (then stop here, or add
+    # a new diversion for the same file), and without failure. Cases of failure
+    # with dpkg-divert are:
+    # - The diversion does not belong to the same package (or LOCAL)
+    # - The divert filename is not the same (e.g. path.distrib != path.divert)
+    # So: force removal by stripping '--package' and '--divert' options... and
+    # their arguments. Fortunately, this module accepts only a few parameters,
+    # so we can rebuild a whole command line from scratch at no cost:
+    FORCEREMOVE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, '--remove', path]
+    module.check_mode and FORCEREMOVE.insert(3, '--test')
+    rename and FORCEREMOVE.insert(3, '--rename')
+    forcerm = ' '.join(FORCEREMOVE)
+
+    if state == 'absent':
+        rc, stdout, stderr = module.run_command(FORCEREMOVE, check_rc=True)
+        module.exit_json(changed=True, stdout=stdout,
+                         stderr=stderr, cmd=forcerm)
+
+    # The situation is that we want to modify the settings (package or divert)
+    # of an existing diversion. dpkg-divert does not handle this, and we have
+    # to remove the diversion and set a new one. First, get state info:
+    rc, truename, _ = module.run_command([DPKG_DIVERT, '--truename', path])
+    rc, rmout, rmerr = module.run_command(FORCEREMOVE, check_rc=True)
+    if module.check_mode:
+        module.exit_json(changed=True, cmd=[forcerm, cmd],
+                         msg=[rmout,
+                              "*** RUNNING IN CHECK MODE ***",
+                              "The next step can't be actually performed - "
+                              "even dry-run - without error (since the "
+                              "previous removal didn't happen) but is "
+                              "supposed to achieve the task."])
+
+    old = truename.rstrip()
+    if divert:
+        new = divert
+    else:
+        if package == 'LOCAL':
+            new = '.'.join([path, 'dpkg-divert'])
+        elif package:
+            new = '.'.join([path, 'distrib'])
+
+    # Store state of files as they may change
+    old_exists = os.path.isfile(old)
+    new_exists = os.path.isfile(new)
+
+    # RENAMING NOT REMAINING
+    # The behaviour of this module is to NEVER overwrite a file, i.e. never
+    # change file contents but only file paths and only if not conflicting,
+    # as does dpkg-divert. It means that if there is already a diversion for
+    # a given file and the divert file exists too, the divert file must be
+    # moved from old to new divert paths between the two dpkg-divert commands,
+    # because:
+    #
+    # src = /etc/screenrc           (tweaked ; exists)
+    # old = /etc/screentc.distrib   (default ; exists)
+    # new = /etc/screenrc.ansible   (not existing yet)
+    #
+    # Without extra move:
+    # 1. dpkg-divert --rename --remove src
+    #    => dont move old to src because src exists
+    # 2. dpkg-divert --rename --divert new --add src
+    #    => move src to new because new doesn't exist
+    # Results:
+    #   - old still exists with default contents
+    #   - new holds the tweaked contents
+    #   - src is missing
+    #   => confusing, kind of breakage
+    #
+    # With extra move:
+    # 1. dpkg-divert --rename --remove src
+    #    => dont move old to src because src exists
+    # 2. os.path.rename(old, new) [conditional]
+    #    => move old to new because new doesn't exist
+    # 3. dpkg-divert --rename --divert new --add src
+    #    => dont move src to new because new exists
+    # Results:
+    #   - old does not exist anymore
+    #   - src is still the same tweaked file
+    #   - new exists with default contents
+    #   => idempotency for next times, and no breakage
+    #
+    if rename and old_exists and not new_exists:
+        os.rename(old, new)
+
+    rc, stdout, stderr = module.run_command(COMMANDLINE)
+    rc == 0 and module.exit_json(changed=True, stdout=stdout, stderr=stderr,
+                                 cmd=[forcerm, cmd], msg=[rmout, stdout])
+
+    # Damn! FORCEREMOVE succeeded and COMMANDLINE failed. Try to restore old
+    # state and end up with a 'failed' status anyway.
+    if (rename and (old_exists and not os.path.isfile(old)) and
+            (os.path.isfile(new) and not new_exists)):
+        os.rename(new, old)
+
+    RESTORE = [ENVIRONMENT, 'LC_ALL=C', DPKG_DIVERT, '--divert', old, path]
+    old_pkg = listpackage.rstrip()
+    if old_pkg == "LOCAL":
+        RESTORE.insert(3, '--local')
+    else:
+        RESTORE.insert(3, '--package')
+        RESTORE.insert(4, old_pkg)
+    rename and RESTORE.insert(3, '--rename')
+
+    module.run_command(RESTORE, check_rc=True)
+    module.exit_json(failed=True, changed=True, stdout=stdout,
+                     stderr=stderr, cmd=[forcerm, cmd])
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/library/ldap_attrs.py b/ansible_collections/debops/debops/roles/ansible_plugins/library/ldap_attrs.py
new file mode 100644
index 00000000..c06c855a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/library/ldap_attrs.py
@@ -0,0 +1,408 @@
+# Copyright (c) 2016, Peter Sagerson <psagers@ignorare.net>
+# Copyright (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
+# Copyright (c) 2017, Alexander Korinek <noles@a3k.net>
+# Copyright (c) 2019, Maciej Delmanowski <drybjed@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# GNU General Public License v3.0+
+# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native, to_bytes
+
+import traceback
+import re
+
+try:
+    import ldap
+    import ldap.sasl
+
+    HAS_LDAP = True
+except ImportError:
+    HAS_LDAP = False
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {'metadata_version': '1.1',
+                    'status': ['preview'],
+                    'supported_by': 'community'}
+
+
+DOCUMENTATION = """
+---
+module: ldap_attrs
+short_description: Add or remove multiple LDAP attribute values.
+description:
+  - Add or remove multiple LDAP attribute values.
+notes:
+  - This only deals with attributes on existing entries. To add or remove
+    whole entries, see M(ldap_entry).
+  - The default authentication settings will attempt to use a SASL EXTERNAL
+    bind over a UNIX domain socket. This works well with the default Ubuntu
+    install for example, which includes a cn=peercred,cn=external,cn=auth ACL
+    rule allowing root to modify the server configuration. If you need to use
+    a simple bind to access your server, pass the credentials in I(bind_dn)
+    and I(bind_pw).
+  - For I(state=present) and I(state=absent), all value comparisons are
+    performed on the server for maximum accuracy. For I(state=exact), values
+    have to be compared in Python, which obviously ignores LDAP matching
+    rules. This should work out in most cases, but it is theoretically
+    possible to see spurious changes when target and actual values are
+    semantically identical but lexically distinct.
+version_added: '2.5'
+author:
+  - Jiri Tyr (@jtyr)
+  - Alexander Korinek (@noles)
+requirements:
+  - python-ldap
+options:
+  bind_dn:
+    required: false
+    default: null
+    description:
+      - A DN to bind with. If this is omitted, we'll try a SASL bind with
+        the EXTERNAL mechanism. If this is blank, we'll use an anonymous
+        bind.
+  bind_pw:
+    required: false
+    default: null
+    description:
+      - The password to use with I(bind_dn).
+  dn:
+    required: true
+    description:
+      - The DN of the entry to modify.
+  server_uri:
+    required: false
+    default: ldapi:///
+    description:
+      - A URI to the LDAP server. The default value lets the underlying
+        LDAP client library look for a UNIX domain socket in its default
+        location.
+  start_tls:
+    required: false
+    choices: ['yes', 'no']
+    default: 'no'
+    description:
+      - If true, we'll use the START_TLS LDAP extension.
+  state:
+    required: false
+    choices: [present, absent, exact]
+    default: present
+    description:
+      - The state of the attribute values. If C(present), all given
+        values will be added if they're missing. If C(absent), all given
+        values will be removed if present. If C(exact), the set of values
+        will be forced to exactly those provided and no others. If
+        I(state=exact) and I(value) is empty, all values for this
+        attribute will be removed.
+  attributes:
+    required: true
+    description:
+      - The attribute(s) and value(s) to add or remove. The complex argument
+        format is required in order to pass a list of strings (see examples).
+  ordered:
+    required: false
+    choices: ['yes', 'no']
+    default: 'no'
+    description:
+      - If C(yes), prepend list values with X-ORDERED index numbers in all
+        attributes specified in the current task. This is useful mostly with
+        I(olcAccess) attribute to easily manage LDAP Access Control Lists.
+  validate_certs:
+    required: false
+    choices: ['yes', 'no']
+    default: 'yes'
+    description:
+      - If C(no), SSL certificates will not be validated. This should only be
+        used on sites using self-signed certificates.
+"""
+
+
+EXAMPLES = """
+- name: Configure directory number 1 for example.com
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+        olcSuffix: dc=example,dc=com
+    state: exact
+
+# The complex argument format is required here to pass a list of ACL strings.
+- name: Set up the ACL
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+        olcAccess:
+          - >-
+            {0}to attrs=userPassword,shadowLastChange
+            by self write
+            by anonymous auth
+            by dn="cn=admin,dc=example,dc=com" write
+            by * none'
+          - >-
+            {1}to dn.base="dc=example,dc=com"
+            by dn="cn=admin,dc=example,dc=com" write
+            by * read
+    state: exact
+
+# An alternative approach with automatic X-ORDERED numbering
+- name: Set up the ACL
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+        olcAccess:
+          - >-
+            to attrs=userPassword,shadowLastChange
+            by self write
+            by anonymous auth
+            by dn="cn=admin,dc=example,dc=com" write
+            by * none'
+          - >-
+            to dn.base="dc=example,dc=com"
+            by dn="cn=admin,dc=example,dc=com" write
+            by * read
+    ordered: yes
+    state: exact
+
+- name: Declare some indexes
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+        olcDbIndex:
+            - objectClass eq
+            - uid eq
+
+- name: Set up a root user, which we can use later to bootstrap the directory
+  ldap_attrs:
+    dn: olcDatabase={1}hdb,cn=config
+    attributes:
+        olcRootDN: cn=root,dc=example,dc=com
+        olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
+    state: exact
+
+- name: Get rid of an unneeded attribute
+  ldap_attrs:
+    dn: uid=jdoe,ou=people,dc=example,dc=com
+    attributes:
+        shadowExpire: ""
+    state: exact
+    server_uri: ldap://localhost/
+    bind_dn: cn=admin,dc=example,dc=com
+    bind_pw: password
+
+#
+# The same as in the previous example but with the authentication details
+# stored in the ldap_auth variable:
+#
+# ldap_auth:
+#   server_uri: ldap://localhost/
+#   bind_dn: cn=admin,dc=example,dc=com
+#   bind_pw: password
+- name: Get rid of an unneeded attribute
+  ldap_attrs:
+    dn: uid=jdoe,ou=people,dc=example,dc=com
+    attributes:
+        shadowExpire: ""
+    state: exact
+    params: "{{ ldap_auth }}"
+"""
+
+
+RETURN = """
+modlist:
+  description: list of modified parameters
+  returned: success
+  type: list
+  sample: '[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]'
+"""
+
+
+class LdapAttr(object):
+    def __init__(self, module):
+        # Shortcuts
+        self.module = module
+        self.bind_dn = self.module.params['bind_dn']
+        self.bind_pw = self.module.params['bind_pw']
+        self.dn = self.module.params['dn']
+        self.server_uri = self.module.params['server_uri']
+        self.start_tls = self.module.params['start_tls']
+        self.state = self.module.params['state']
+        self.verify_cert = self.module.params['validate_certs']
+        self.attrs = self.module.params['attributes']
+        self.ordered = self.module.params['ordered']
+
+        # Establish connection
+        self.connection = self._connect_to_ldap()
+
+    def _order_values(self, values):
+        """ Prepend X-ORDERED index numbers to attribute's values. """
+        ordered_values = []
+
+        if isinstance(values, list):
+            for index, value in enumerate(values):
+                cleaned_value = re.sub(r'^\{\d+\}', '', value)
+                ordered_values.append('{' + str(index) + '}' + cleaned_value)
+
+        return ordered_values
+
+    def _normalize_values(self, values):
+        """ Normalize attribute's values. """
+        norm_values = []
+
+        if isinstance(values, list):
+            if self.ordered:
+                norm_values = list(map(to_bytes,
+                                   self._order_values(list(map(str,
+                                                               values)))))
+            else:
+                norm_values = list(map(to_bytes, values))
+        elif values != "":
+            norm_values = [to_bytes(str(values))]
+
+        return norm_values
+
+    def add(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            for value in norm_values:
+                if self._is_value_absent(name, value):
+                    modlist.append((ldap.MOD_ADD, name, value))
+
+        return modlist
+
+    def delete(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            for value in norm_values:
+                if self._is_value_present(name, value):
+                    modlist.append((ldap.MOD_DELETE, name, value))
+
+        return modlist
+
+    def exact(self):
+        modlist = []
+        for name, values in self.module.params['attributes'].items():
+            norm_values = self._normalize_values(values)
+            try:
+                results = self.connection.search_s(
+                    self.dn, ldap.SCOPE_BASE, attrlist=[name])
+            except ldap.LDAPError as e:
+                self.module.fail_json(
+                    msg="Cannot search for attribute %s" % name,
+                    details=to_native(e))
+
+            current = results[0][1].get(name, [])
+
+            if frozenset(norm_values) != frozenset(current):
+                if len(current) == 0:
+                    modlist.append((ldap.MOD_ADD, name, norm_values))
+                elif len(norm_values) == 0:
+                    modlist.append((ldap.MOD_DELETE, name, None))
+                else:
+                    modlist.append((ldap.MOD_REPLACE, name, norm_values))
+
+        return modlist
+
+    def _is_value_present(self, name, value):
+        """ True if the target attribute has the given value. """
+        try:
+            is_present = bool(
+                self.connection.compare_s(self.dn, name, value))
+        except ldap.NO_SUCH_ATTRIBUTE:
+            is_present = False
+
+        return is_present
+
+    def _is_value_absent(self, name, value):
+        """ True if the target attribute doesn't have the given value. """
+        return not self._is_value_present(name, value)
+
+    def _connect_to_ldap(self):
+        if not self.verify_cert:
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
+        connection = ldap.initialize(self.server_uri)
+
+        if self.start_tls:
+            try:
+                connection.start_tls_s()
+            except ldap.LDAPError as e:
+                self.module.fail_json(msg="Cannot start TLS.",
+                                      details=to_native(e))
+
+        try:
+            if self.bind_dn is not None:
+                connection.simple_bind_s(self.bind_dn, self.bind_pw)
+            else:
+                connection.sasl_interactive_bind_s('', ldap.sasl.external())
+        except ldap.LDAPError as e:
+            self.module.fail_json(
+                msg="Cannot bind to the server.", details=to_native(e))
+
+        return connection
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec={
+            'bind_dn': dict(default=None),
+            'bind_pw': dict(default='', no_log=True),
+            'dn': dict(required=True),
+            'params': dict(type='dict'),
+            'server_uri': dict(default='ldapi:///'),
+            'start_tls': dict(default=False, type='bool'),
+            'state': dict(
+                default='present',
+                choices=['present', 'absent', 'exact']),
+            'attributes': dict(required=True, type='dict'),
+            'ordered': dict(default=False, type='bool'),
+            'validate_certs': dict(default=True, type='bool'),
+        },
+        supports_check_mode=True,
+    )
+
+    if not HAS_LDAP:
+        module.fail_json(
+            msg="Missing required 'ldap' module (pip install python-ldap)")
+
+    # Update module parameters with user's parameters if defined
+    if 'params' in module.params and isinstance(module.params['params'], dict):
+        module.params.update(module.params['params'])
+        # Remove the params
+        module.params.pop('params', None)
+
+    # Instantiate the LdapAttr object
+    ldap = LdapAttr(module)
+
+    state = module.params['state']
+
+    # Perform action
+    if state == 'present':
+        modlist = ldap.add()
+    elif state == 'absent':
+        modlist = ldap.delete()
+    elif state == 'exact':
+        modlist = ldap.exact()
+
+    changed = False
+
+    if len(modlist) > 0:
+        changed = True
+
+        if not module.check_mode:
+            try:
+                ldap.connection.modify_s(ldap.dn, modlist)
+            except Exception as e:
+                module.fail_json(msg="Attribute action failed.",
+                                 details=to_native(e),
+                                 exception=traceback.format_exc())
+
+    module.exit_json(changed=changed, modlist=modlist)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/dig_srv.py b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/dig_srv.py
new file mode 100644
index 00000000..4dddcef4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/dig_srv.py
@@ -0,0 +1,117 @@
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+#
+# Based on community.general.dig, which is:
+#   (c) 2015, Jan-Piet Mens <jpmens(at)gmail.com>
+#   (c) 2017 Ansible Project
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+from operator import itemgetter
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible.module_utils.common.text.converters import to_native
+
+__metaclass__ = type
+
+try:
+    import dns.exception
+    import dns.name
+    import dns.resolver
+    import dns.reversename
+    import dns.rdataclass
+    from dns.rdatatype import SRV
+except ImportError:
+    raise AnsibleError("dig_srv: dnspython library is not installed")
+
+
+def make_rdata_dict(rdata):
+    supported_types = {
+        SRV: ['priority', 'weight', 'port', 'target'],
+    }
+
+    rd = {}
+
+    if rdata.rdtype not in supported_types:
+        raise AnsibleError("dig_srv: unknown rdtype returned")
+
+    fields = supported_types[rdata.rdtype]
+    for f in fields:
+        val = rdata.__getattribute__(f)
+
+        if isinstance(val, dns.name.Name):
+            val = dns.name.Name.to_text(val)
+
+        if f == "target":
+            rd[f] = val.rstrip('.')
+        else:
+            rd[f] = val
+
+    return rd
+
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, variables=None, **kwargs):
+        if len(terms) != 3:
+            raise AnsibleError("dig_srv: three arguments expected")
+
+        myres = dns.resolver.Resolver(configure=True)
+        edns_size = 4096
+        myres.use_edns(0, ednsflags=dns.flags.DO, payload=edns_size)
+
+        domain = terms[0]
+        if not domain.endswith('.'):
+            domain += '.'
+        default_domain = terms[1]
+        default_port = terms[2]
+        qtype = 'SRV'
+        rdclass = dns.rdataclass.from_text('IN')
+
+        ret = []
+
+        try:
+            answers = myres.query(domain, qtype, rdclass=rdclass)
+            for rdata in answers:
+                try:
+                    rd = make_rdata_dict(rdata)
+                    rd['owner'] = answers.canonical_name.to_text().rstrip('.')
+                    rd['type'] = dns.rdatatype.to_text(rdata.rdtype)
+                    rd['ttl'] = answers.rrset.ttl
+                    rd['class'] = dns.rdataclass.to_text(rdata.rdclass)
+                    rd['dig_srv_src'] = 'dns'
+                    ret.append(rd)
+
+                except Exception as e:
+                    raise AnsibleError("dig_srv: can't parse response %s" % to_native(e))
+
+        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+            ret.append({
+                "class": "IN",
+                "owner": domain.rstrip('.'),
+                "port": default_port,
+                "priority": 0,
+                "target": default_domain,
+                "ttl": 0,
+                "type": "SRV",
+                "weight": 0,
+                "dig_srv_src": "fallback"
+            })
+        except dns.resolver.Timeout:
+            raise AnsibleError("dig_srv: timeout")
+        except dns.exception.DNSException as e:
+            raise AnsibleError("dig_srv: unhandled exception %s" % to_native(e))
+
+        for r in ret:
+            r.update({"target_port": r["target"] + ":" + str(r["port"])})
+
+        # This is in reverse order of importance, i.e. least important first.
+        # Note that the TTL field shows the remaining TTL when a RR is cached,
+        # so sorting on that field is not a good idea.
+        ret.sort(key=itemgetter("port"))
+        ret.sort(key=itemgetter("target"))
+        ret.sort(key=itemgetter("weight"), reverse=True)
+        ret.sort(key=itemgetter("priority"))
+
+        return ret
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/file_src.py b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/file_src.py
new file mode 100644
index 00000000..ebe96fb4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/file_src.py
@@ -0,0 +1,195 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `file_src` lookup filter for Ansible.  In difference
+to the `file` filter, this searches values based on the `file-paths`
+variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'files_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'file-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from distutils.version import LooseVersion
+from ansible import __version__ as __ansible_version__
+
+
+if LooseVersion(__ansible_version__) < LooseVersion("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = utils.path_dwim_relative(
+                            inject['_original_file'], 'files',
+                            '', self.basedir, check=False)
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = self._loader.path_dwim_relative(
+                            variables['role_path'], 'files', '')
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/lists.py b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/lists.py
new file mode 100644
index 00000000..e6a2c960
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/lists.py
@@ -0,0 +1,66 @@
+# Copyright (C) 2012 Michael DeHaan <michael.dehaan@gmail.com>
+# Copyright (C) 2015 Hartmut Goebel <h.goebel@crazy-compilers.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Based on `runner/lookup_plugins/items.py` for Ansible
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `with_lists` lookup filter for Ansible. In
+differenceto `with_items`, this one does *not* flatten the lists passed to.
+
+Example:
+
+  - debug: msg="{{item.0}} -- {{item.1}} -- {{item.2}}"
+    with_lists:
+     - ["General", "Verbosity", "0"]
+     - ["Mapping", "Nobody-User", "nobody"]
+     - ["Mapping", "Nobody-Group", "nogroup"]
+
+Output (shortened):
+    "msg": "General -- Verbosity -- 0"
+    "msg": "Mapping -- Nobody-User -- nobody"
+    "msg": "Mapping -- Nobody-Group -- nogroup"
+'''
+
+import ansible.utils as utils
+import ansible.errors as errors
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+
+class LookupModule(LookupBase):
+
+    def __init__(self, basedir=None, **kwargs):
+        self.basedir = basedir
+
+    def run(self, terms, inject=None, **kwargs):
+        terms = utils.listify_lookup_plugin_terms(terms, self.basedir, inject)
+
+        if not isinstance(terms, (list, set)):
+            raise errors.AnsibleError("with_list expects a list or a set")
+
+        for i, elem in enumerate(terms):
+            if not isinstance(elem, (list, tuple)):
+                raise errors.AnsibleError(
+                        "with_list expects a list (or a set) of lists"
+                        " or tuples, but elem %i is not")
+
+        return terms
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/task_src.py b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/task_src.py
new file mode 100644
index 00000000..2df4d05a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/task_src.py
@@ -0,0 +1,198 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `task_src` lookup filter for Ansible.  In difference
+to the `file` filter, this searches values based on the `task-paths`
+variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'tasks_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'task-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from distutils.version import LooseVersion
+from ansible import __version__ as __ansible_version__
+
+
+if LooseVersion(__ansible_version__) < LooseVersion("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = utils.path_dwim_relative(
+                            inject['_original_file'], 'tasks', '',
+                            self.basedir, check=False)
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = (
+                            self._loader.path_dwim_relative(
+                                variables['role_path'],
+                                'tasks', ''))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/template_src.py b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/template_src.py
new file mode 100644
index 00000000..495f70d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/lookup_plugins/template_src.py
@@ -0,0 +1,198 @@
+# (c) 2015, Robert Chady <rchady@sitepen.com>
+# Based on `runner/lookup_plugins/file.py` for Ansible
+#   (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This file is part of Debops.
+# This file is NOT part of Ansible yet.
+#
+# Debops is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Debops.  If not, see <https://www.gnu.org/licenses/>.
+'''
+
+This file implements the `template_src` lookup filter for Ansible. In
+difference to the `template` filter, this searches values based on the
+`template-paths` variable (colon separated) as configured in DebOps.
+
+NOTE: This means this filter relies on DebOps.
+
+'''
+
+__author__ = "Robert Chady <rchady@sitepen.com>"
+__copyright__ = "Copyright 2015 by Robert Chady <rchady@sitepen.com>"
+__license__ = "GNU General Public LIcense version 3 (GPL v3) or later"
+
+import os
+
+try:
+    import debops
+    debops_version = debops.__version__.__version__
+    conf_section = 'override_paths'
+    conf_key = 'templates_path'
+except AttributeError:
+    try:
+        from debops import *
+        from debops.cmds import *
+        debops_version = '2.3.0'
+        conf_section = 'paths'
+        conf_key = 'template-paths'
+    except ImportError:
+        pass
+except ModuleNotFoundError:
+    conf_section = ''
+    conf_key = ''
+    pass
+
+try:
+    from ansible.plugins.lookup import LookupBase
+except ImportError:
+    LookupBase = object
+
+from distutils.version import LooseVersion
+from ansible import __version__ as __ansible_version__
+
+
+if LooseVersion(__ansible_version__) < LooseVersion("2.0"):
+    from ansible import utils, errors
+
+    class LookupModule(object):
+
+        def __init__(self, basedir, *args, **kwargs):
+            self.basedir = basedir
+
+        def run(self, terms, inject=None, **kwargs):
+
+            terms = utils.listify_lookup_plugin_terms(
+                    terms, self.basedir, inject)
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if '_original_file' in inject:
+                    relative_path = (
+                            utils.path_dwim_relative(
+                                inject['_original_file'], 'templates',
+                                '', self.basedir, check=False))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise errors.AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
+
+else:
+    from ansible.errors import AnsibleError
+    from ansible.plugins.lookup import LookupBase
+
+    class LookupModule(LookupBase):
+
+        def run(self, terms, variables=None, **kwargs):
+            ret = []
+            config = {}
+            places = []
+
+            # this can happen if the variable contains a string,
+            # strictly not desired for lookup plugins, but users may
+            # try it, so make it work.
+            if not isinstance(terms, list):
+                terms = [terms]
+
+            try:
+                project_config = debops.config.Configuration()
+                project_dir = debops.projectdir.ProjectDir(
+                        config=project_config)
+                project_root = project_dir.path
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
+            except NameError:
+                try:
+                    project_root = find_debops_project(required=False)
+                    config = read_config(project_root)
+                except NameError:
+                    pass
+            except NotADirectoryError:
+                # This is not a DebOps project directory, so continue as normal
+                pass
+
+            if conf_section in config and conf_key in config[conf_section]:
+                custom_places = (
+                        config[conf_section][conf_key].split(':'))
+                for custom_path in custom_places:
+                    if os.path.isabs(custom_path):
+                        places.append(custom_path)
+                    else:
+                        places.append(os.path.join(
+                            project_root, custom_path))
+
+            for term in terms:
+                if 'role_path' in variables:
+                    relative_path = (
+                            self._loader.path_dwim_relative(
+                                variables['role_path'], 'templates',
+                                ''))
+                    places.append(relative_path)
+                for path in places:
+                    template = os.path.join(path, term)
+                    if template and os.path.exists(template):
+                        ret.append(template)
+                        break
+                else:
+                    raise AnsibleError(
+                            "could not locate file in lookup: %s"
+                            % term)
+
+            return ret
diff --git a/ansible_collections/debops/debops/roles/ansible_plugins/meta/main.yml b/ansible_collections/debops/debops/roles/ansible_plugins/meta/main.yml
new file mode 100644
index 00000000..c015835c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ansible_plugins/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'A set of custom Ansible plugins used by DebOps roles'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ansible
+    - debops
diff --git a/ansible_collections/debops/debops/roles/apache/COPYRIGHT b/ansible_collections/debops/debops/roles/apache/COPYRIGHT
new file mode 100644
index 00000000..6c72f641
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.apache - Manage and configure the Apache HTTP Server
+
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apache/defaults/main.yml b/ansible_collections/debops/debops/roles/apache/defaults/main.yml
new file mode 100644
index 00000000..933e60e6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/defaults/main.yml
@@ -0,0 +1,1042 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apache__ref_defaults:
+
+# debops.apache default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+# .. include:: ../includes/role.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: apache__base_packages [[[
+#
+# List of base packages to install.
+apache__base_packages:
+  - 'apache2'
+  - '{{ "libapache2-mod-security2" if (apache__security_module_enabled | bool) else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__packages [[[
+#
+# List of custom APT packages installed with Apache.
+apache__packages: []
+
+                                                                   # ]]]
+# .. envvar:: apache__group_packages [[[
+#
+# List of custom APT packages installed on hosts in a specific group
+# in Ansible inventory.
+apache__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apache__host_packages [[[
+#
+# List of custom APT packages installed on specific hosts in Ansible
+# inventory.
+apache__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apache__dependent_packages [[[
+#
+# List of APT packages to install for other Ansible roles, for usage as
+# a dependent role.
+apache__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apache__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Apache is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Apache is uninstalled and it's configuration is removed.
+#   FIXME: You might need to run:
+#
+#   .. code-block:: shell
+#
+#      for file in /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/000-default.conf /etc/apache2/conf-available/security.conf
+#      do
+#          dpkg-divert --remove $file
+#      done
+#      rm /etc/apache2 -rf
+#
+apache__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Server configuration [[[
+# ------------------------
+
+# .. envvar:: apache__fqdn [[[
+#
+# The Fully Qualified Domain Name of the host running Apache.
+apache__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__domain [[[
+#
+# The domain name of the host running Apache.
+apache__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__config_path [[[
+#
+# Base path where the Apache configuration is stored.
+apache__config_path: '/etc/apache2'
+
+                                                                   # ]]]
+# .. envvar:: apache__service_name [[[
+#
+# The name of the Apache service.
+apache__service_name: 'apache2'
+
+                                                                   # ]]]
+# .. envvar:: apache__user [[[
+#
+# The user under which Apache is running during normal operation.
+apache__user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: apache__server_name [[[
+#
+# The ``ServerName`` to use for the default virtual host to prevent Apache from
+# trying to determine it’s FQDN.
+apache__server_name: '{{ apache__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__server_admin [[[
+#
+# Default server admin contact information. Either a Email address or a URL
+# (preferable on another webserver if this one fails).
+# Refer to :ref:`item.server_admin <apache__ref_vhost_server_admin>` for
+# how to overwrite this for a virtual host.
+apache__server_admin: '{{ ansible_local.core.admin_public_email[0]
+                          if (ansible_local.core.admin_public_email | d())
+                          else (apache__user + "@" + apache__fqdn) }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__server_tokens [[[
+#
+# Control what is included in the ``Server`` HTTP header field send back to
+# clients.
+# The default is to only reveal the product name ``Apache``.
+# Refer to the `Apache ServerTokens directive documentation`_ for details.
+# Check the `Apache security module`_ section if you want more flexibility then
+# what ``ServerTokens`` provides.
+apache__server_tokens: 'ProductOnly'
+
+                                                                   # ]]]
+# .. envvar:: apache__server_signature [[[
+#
+# Should Apache identify itself in error messages generated by Apache?
+# This will not be done by default which also matches the upstream default as
+# of Apache 2.4.
+# Refer to the `Apache ServerSignature directive documentation`_ for details.
+apache__server_signature: 'Off'
+
+                                                                   # ]]]
+# .. envvar:: apache__trace_enabled [[[
+#
+# Should HTTP ``TRACE`` requests be allowed?
+# Refer to the `Apache TraceEnable directive documentation`_ for details.
+apache__trace_enabled: 'Off'
+
+                                                                   # ]]]
+# .. envvar:: apache__http_listen [[[
+#
+# List of transport layer ports to listen on for HTTP connections.
+# Note that changing this variable is currently not supported.
+apache__http_listen: [ 80 ]
+
+                                                                   # ]]]
+# .. envvar:: apache__https_listen [[[
+#
+# List of transport layer ports to listen on for HTTPS connections.
+# Note that changing this variable is currently not supported.
+apache__https_listen: [ 443 ]
+
+                                                                   # ]]]
+# .. envvar:: apache__config_use_if_version [[[
+#
+# Should the `Apache IfVersion directive` be used to generate a generic form
+# of the Apache configuration?
+#
+# ``True``
+#   Default.
+#   Use the `Apache IfVersion directive` to generate a configuration which is
+#   intended to work with as many Apache versions as this role supports.
+#
+#   This has the advantage that if your Apache version does not already support
+#   all features which this role is able to configure then you can upgrade
+#   Apache independently of this role and the new features will be used in
+#   Apache as soon as a recent enough version of Apache starts up.
+#
+#   Note however that it is still recommended to rerun this role against your
+#   host after version upgrades because if certain features are enabled might
+#   not only depend on the Apache version. For example the version of the used
+#   cryptography library (OpenSSL) is also relevant and checked by this role at
+#   Ansible role execution time.
+#
+# ``False``
+#   The configuration is specifically generated for the Apache version which
+#   is detected at Ansible role execution time.
+#
+#   This has the advantage that the generated configuration is potentially
+#   smaller and easier to read.
+#
+apache__config_use_if_version: True
+
+                                                                   # ]]]
+# .. envvar:: apache__config_min_version [[[
+#
+# Specifies the minimum Apache version to support when
+# :envvar:`apache__config_use_if_version` is set to ``True``.
+# By default, this defaults to the current Apache major and minor version detected
+# because ``major.minor`` version downgrades are considered uncommon and to
+# avoid too much legacy directives.
+# (You can still do such downgrades if the role supports the Apache version
+# you are downgrading to but then you might need to rerun the role so that a
+# suitable configuration can be generated.)
+#
+# Supported special strings:
+#
+# ``current_major_minor``
+#   Gets replaced by the currently detected ``major.minor`` version.
+#
+apache__config_min_version: 'current_major_minor'
+                                                                   # ]]]
+                                                                   # ]]]
+# Filesystem access [[[
+# ---------------------
+
+# TODO: Not implemented yet.
+# Default set of filesystem access permissions.
+# Note that the main :file:`apache2.conf` already contains a default set of
+# restrictions which work in conjunction with the settings below.
+#
+# Refer to `Apache DirectoryMatch directive documentation`_ for details.
+
+# .. envvar:: apache__default_directory_match [[[
+#
+# Default ``DirectoryMatch`` directives maintained by this Ansible role.
+apache__default_directory_match:
+  '/.': 'Require all denied'
+
+                                                                   # ]]]
+# .. envvar:: apache__directory_match [[[
+#
+# This variable is intended to be used in Ansible’s global inventory as needed.
+apache__directory_match: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__group_directory_match [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+apache__group_directory_match: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__host_directory_match [[[
+#
+# This variable is intended to be used in the inventory of hosts as needed.
+apache__host_directory_match: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__combined_directory_match [[[
+#
+# The dictionaries which holds the actual Apache modules combined from the
+# above variables.
+apache__combined_directory_match: '{{ apache__default_directory_match
+                                      | combine(apache__directory_match)
+                                      | combine(apache__group_directory_match)
+                                      | combine(apache__host_directory_match) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: apache__allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# to Apache by the firewall.
+# This variable is intended to be used in Ansible’s global inventory.
+apache__allow: []
+
+                                                                   # ]]]
+# .. envvar:: apache__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# to Apache by the firewall.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+apache__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: apache__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# to Apache by the firewall.
+# This variable is intended to be used in the inventory of hosts.
+apache__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Apache modules [[[
+# ------------------
+
+# The Apache module configuration is defined in multiple YAML dictionaries
+# which are combined together. This allows the configuration of Apache modules
+# on different inventory levels as needed.
+#
+# See :ref:`apache__ref_modules` for more details.
+
+# .. envvar:: apache__modules [[[
+#
+# This variable is intended to be used in Ansible’s global inventory as needed.
+apache__modules: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__group_modules [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+apache__group_modules: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__host_modules [[[
+#
+# This variable is intended to be used in the inventory of hosts as needed.
+apache__host_modules: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__role_modules [[[
+#
+# Apache modules managed by this Ansible role.
+apache__role_modules:
+  'headers': True
+  'alias': True
+  'ssl':
+    enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
+  'security2':
+    enabled: '{{ apache__security_module_enabled | bool }}'
+  'status':
+    enabled: '{{ apache__status_enabled | bool }}'
+    config: |
+      <Location /server-status>
+          # Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
+          Require all denied
+      </Location>
+  'socache_shmcb':
+    enabled: '{{ True
+                 if (apache__ocsp_stapling_enabled | bool
+                     and "shmcb" in apache__ocsp_stapling_cache)
+                 else omit }}'
+  'authz_host':
+    enabled: '{{ True
+                 if (apache__status_enabled | bool
+                     and apache__status_allow_localhost)
+                 else omit }}'
+  'rewrite':
+    enabled: '{{ True
+                 if (apache__register_mod_rewrite_used is defined and
+                     apache__register_mod_rewrite_used.rc | d(1) == 0)
+                 else omit }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__combined_modules [[[
+#
+# The dictionaries which holds the actual Apache modules combined from the
+# above variables.
+apache__combined_modules: '{{ apache__role_modules
+                              | combine(apache__modules)
+                              | combine(apache__group_modules)
+                              | combine(apache__host_modules) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Apache security module [[[
+# --------------------------
+
+# .. envvar:: apache__security_module_enabled [[[
+#
+# Enable the ``security2`` module for Apache.
+apache__security_module_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: apache__security_module_server_signature [[[
+#
+# Refer to the `ModSecurity SecServerSignature directive documentation`_.
+# This directive is not set if the special value ``omit`` is set.
+apache__security_module_server_signature: '{{ omit }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Multi-processing module [[[
+# ---------------------------
+
+# Selection of the MPM to use is left to Debian package maintainer scripts
+# which will select a suitable MPM.
+# Note that some Apache modules can depend on certain MPMs being used which
+# will be configured in the package maintainer scripts of those modules.
+#
+
+# .. envvar:: apache__mpm_max_connections_per_child [[[
+#
+# Number of requests a child process will handle before terminating.
+# Refer to the `Apache MaxConnectionsPerChild directive documentation`_ for details.
+apache__mpm_max_connections_per_child: '0'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration snippets [[[
+# --------------------------
+
+# Apache configuration snippets can be defined in multiple YAML dictionaries
+# which are combined together. This allows configuration of Apache on different
+# inventory levels as needed.
+#
+# See :ref:`apache__ref_snippets` for more details.
+
+# .. envvar:: apache__snippets [[[
+#
+# This variable is intended to be used in Ansible’s global inventory as needed.
+apache__snippets: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__group_snippets [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+apache__group_snippets: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__host_snippets [[[
+#
+# This variable is intended to be used in the inventory of hosts as needed.
+apache__host_snippets: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__dependent_snippets [[[
+#
+# This variable is intended for other Ansible roles to be used when using
+# ``debops.apache`` as role dependency.
+apache__dependent_snippets: {}
+
+                                                                   # ]]]
+# .. envvar:: apache__role_snippets [[[
+#
+# Apache snippets used internally by this role.
+apache__role_snippets:
+  'local-debops_apache': True
+
+  'security':
+    type: 'divert'
+    raw: |
+      # This file exists here to make Debian package scripts happy.
+      # For the actual security directives enabled in server context refer to
+      # the `local-debops_apache.conf` file.
+      #
+      # `postinst` of the `apache2` package normally tries to enable the
+      # `security` snippet in server context without checking if it is actually
+      # there. The package provided `security.conf` snippet has been diverted
+      # to `package-security.conf` and is not enabled to allow `debops.apache`
+      # to configure and change security related settings.
+    divert_filename: 'package-security'
+    divert_suffix: ''
+
+  'local-debops_apache_security_module':
+    state: '{{ apache__security_module_enabled | bool | ternary("present", "absent") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__combined_snippets [[[
+#
+# The dictionaries which holds the actual Apache _snippets combined from the
+# above variables.
+apache__combined_snippets: '{{ apache__dependent_snippets
+                               | combine(apache__role_snippets)
+                               | combine(apache__snippets)
+                               | combine(apache__group_snippets)
+                               | combine(apache__host_snippets) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# HTTPS/TLS related configuration [[[
+# -----------------------------------
+
+# .. envvar:: apache__https_enabled [[[
+#
+# Should HTTPS be enabled by loading the required modules and creating HTTPS
+# virtual hosts?
+# Defaults to ``True`` if :ref:`debops.pki` is enabled on the remote host.
+apache__https_enabled: '{{ ansible_local | d() and ansible_local.pki | d() and
+                           (ansible_local.pki.enabled | d() | bool) and
+                           apache__https_listen | length > 0 }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__redirect_to_https [[[
+#
+# This defines the default for each vhost's ``redirect_to_https`` variable.
+# Defaults to ``True``.
+apache__redirect_to_https: '{{ apache__https_enabled | bool }}'
+
+                                                                   # ]]]
+# PKI [[[
+# ~~~~~~~
+
+# .. envvar:: apache__pki_realm_path [[[
+#
+# Directory path where PKI realm live.
+apache__pki_realm_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__pki_realm [[[
+#
+# Default PKI realm to use.
+apache__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__pki_crt_filename [[[
+#
+# Default CRT file name to use.
+apache__pki_crt_filename: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__pki_key_filename [[[
+#
+# Default private key file name to use.
+apache__pki_key_filename: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__pki_ca_filename [[[
+#
+# Default CA certificate file name to use.
+apache__pki_ca_filename: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__pki_trusted_filename [[[
+#
+# Default CA certificate file name to use.
+apache__pki_trusted_filename: '{{ ansible_local.pki.trusted | d("trusted.crt") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# TLS ciphers and protocol versions [[[
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# .. envvar:: apache__tls_cipher_suite_set_name [[[
+#
+# Default set of cipher suites to use.
+# Refer to ``apache_ssl_ciphers`` for details.
+apache__tls_cipher_suite_set_name: '{{ "mozilla_modern"
+                                      if apache__tls_protocols | length == 5 and
+                                        apache__tls_protocols[4] == "-TLSv1.2"
+                                      else "mozilla_intermediate" }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__tls_protocols [[[
+#
+# Default set of TLS protocols to use. TLSv1.3 is only supported on apache
+# version 2.4.38 and up. To enforce TLSv1.3 only, use [ "all", "-SSLv3", "-TLSv1", "-TLSv1.1", "-TLSv1.2" ]
+#
+# See also: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
+apache__tls_protocols: [ "all", "-SSLv3", "-TLSv1", "-TLSv1.1" ]
+
+                                                                   # ]]]
+# .. envvar:: apache__tls_cipher_suite_sets [[[
+#
+# Hash of SSL ciphers available to use in apache server definitions
+# You can select a set of ciphers using 'ssl_ciphers' variable
+# Default set of ciphers is set in apache_default_ssl_ciphers variable
+apache__tls_cipher_suite_sets:
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/theory/cipher_suites/recommended.tex
+  # This will come at a certain cost of excluding many clients!
+  # If you want even higher security then the default values of this role then
+  # consider to use a preset for this role maintained by ypid:
+  # https://github.com/ypid/ypid-ansible-inventory
+  bettercrypto_org__set_a: 'EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3'
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/apache/default-ec
+  bettercrypto_org__set_b: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/apache/default-ec
+  # But only cipher suites which support PFS. Only drops support for Android 2.3.7 which is negligible.
+  bettercrypto_org__set_b_pfs: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH'
+
+  # https://cipherli.st/
+  cipherli_st: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
+
+  # Perfect Forward Secrecy (https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-apache-and-openssl-for-forward-secrecy)
+  # String taken on 2014-04-11
+  pfs: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
+
+  # Perfect Forward Secrecy + RC4
+  # String taken on 2014-04-11
+  pfs_rc4: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
+
+  # Hardened SSL cipher list (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
+  # String taken on 2014-04-11
+  hardened: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+
+  # TLS recommendations from Mozilla Foundation (https://wiki.mozilla.org/Security/Server_Side_TLS)
+  # String taken on 2014-04-11
+  mozilla: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
+
+  # Modern TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # Actually they do not specify a ciphersuite, because "modern" means TLSv1.3 only,
+  # which has its own ciphers, while TLSv1.2 and lower ciphers are not used.
+  # Therefore, we just repeat mozilla_intermediate here, to avoid a security hole
+  # that would be created with apache default ciphersuite and accidental
+  # activation of TLSv1.2 or lower.
+  # String taken on 2020-07-27
+  mozilla_modern: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+
+  # Intermediate TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # String taken on 2020-07-27
+  mozilla_intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+
+  # Old TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # String taken on 2020-07-27
+  mozilla_old: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
+
+  # FIPS 140-2 compliant (https://en.wikipedia.org/wiki/FIPS_140-2)
+  # https://community.qualys.com/thread/12182
+  fips: 'FIPS@STRENGTH:!aNULL:!eNULL'
+
+  # 'good' cipher suite from NCSC-NL TLS Guidelines v2.0
+  # https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
+  ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
+
+  # This cipher set disables the 'ssl_ciphers' option in 'apache' and the
+  # default set of SSL ciphers for a given platform will be used.
+  # This is recommended when TLSv1.3 is the only protocol in use.
+  default: ''
+                                                                   # ]]]
+# .. envvar:: apache__tls_honor_cipher_order [[[
+#
+# Whether to prefer cipher preference order of the server.
+# Refer to the `Apache SSLHonorCipherOrder directive documentation`_ for details.
+apache__tls_honor_cipher_order: 'on'
+
+                                                                   # ]]]
+# .. envvar:: apache__tls_compression [[[
+#
+# Whether compression is enabled or disabled on the TLS level.
+# Refer to the `Apache SSLCompression directive documentation`_ for details.
+apache__tls_compression: 'off'
+                                                                   # ]]]
+                                                                   # ]]]
+# Key exchange (Diffie–Hellman) [[[
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# .. envvar:: apache__tls_dhparam_set_name [[[
+#
+# Name of the ``dhparam`` set to use.
+# Note that this setting is only honored if you are running Apache 2.4.8 and
+# newer and OpenSSL 1.0.2 or later. Before that the ``dhparam`` set configured
+# by :ref:`debops.pki` will be used.
+# Refer to :ref:`debops.dhparam` for more details.
+apache__tls_dhparam_set_name: 'default'
+
+                                                                   # ]]]
+# .. envvar:: apache__tls_dhparam_file [[[
+#
+# File path for the custom set of Diffie-Hellman parameters to use by the webserver.
+# Refer to :ref:`debops.dhparam` for more details.
+apache__tls_dhparam_file: '{{ ansible_local.dhparam[apache__tls_dhparam_set_name]
+                              if (ansible_local | d() and ansible_local.dhparam | d() and
+                                  ansible_local.dhparam[apache__tls_dhparam_set_name] | d())
+                              else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# OCSP Stapling [[[
+# ~~~~~~~~~~~~~~~~~
+
+# .. envvar:: apache__ocsp_stapling_enabled [[[
+#
+# Enable or disable OCSP Stapling.
+# Refer to the `Apache SSLUseStapling directive documentation`_ for details.
+apache__ocsp_stapling_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: apache__ocsp_stapling_cache [[[
+#
+# Cache used to store OCSP responses which get included in the TLS handshake.
+# Refer to the `Apache SSLStaplingCache directive documentation`_ for details.
+apache__ocsp_stapling_cache: 'shmcb:${APACHE_RUN_DIR}/ocsp_scache(512000)'
+
+                                                                   # ]]]
+# .. envvar:: apache__ocsp_stapling_response_max_age [[[
+#
+# This option sets the maximum allowable age ("freshness") when considering
+# OCSP responses, in seconds.
+# Refer to the `Apache SSLStaplingResponseMaxAge directive documentation`_ for details.
+# The default update interval of `Let's Encrypt`_ is 7 days.
+# Ref: `Is there a rate limit on OCSP requests? <https://community.letsencrypt.org/t/is-there-a-rate-limit-on-ocsp-requests/7747/5>`_
+# Enforcing 30 days as default should be a good start compared to the
+# Apache default which imposes no limit.
+apache__ocsp_stapling_response_max_age: '{{ 30 * 24 * 3600 }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__ocsp_stapling_force_url [[[
+#
+# This directive overrides the URI of an OCSP responder as obtained from the
+# authorityInfoAccess (AIA) extension of the certificate. One potential use is
+# when a proxy is used for retrieving OCSP queries.
+# Refer to the `Apache SSLStaplingForceURL directive documentation`_ for details.
+apache__ocsp_stapling_force_url: False
+
+                                                                   # ]]]
+# .. envvar:: apache__ocsp_stapling_verify [[[
+#
+# Verify OCSP responses from the server which requires chained intermediate and
+# Root CA certificates.
+# Note: Currently not implemented.
+# Ref: https://github.com/debops/ansible-apache/issues/2
+apache__ocsp_stapling_verify: '{{ apache__ocsp_stapling_enabled | bool }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# HTTPS related security headers [[[
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# .. envvar:: apache__hsts_enabled [[[
+#
+# Should `HTTP Strict Transport Security`_ be enabled?
+apache__hsts_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: apache__hsts_max_age [[[
+#
+# Maximum age in seconds for which clients should remember to only make secure
+# connections.
+# Defaults to six earth months.
+apache__hsts_max_age: '15768000'
+
+                                                                   # ]]]
+# .. envvar:: apache__hsts_subdomains [[[
+#
+# Should HSTS_ also include subdomains?
+# Note that all subdomains have to support HTTPS if you use this!
+apache__hsts_subdomains: True
+
+                                                                   # ]]]
+# .. envvar:: apache__hsts_preload [[[
+#
+# Should the ``preload`` parameter be added to the HSTS header?
+# Refer to the `HSTS Preload List Submission`_ page to make use of this
+# feature.
+# It is disabled by default because setting this to ``True`` alone does
+# nothing, it is just one requirement to get included in the preloading list.
+# Please feel encouraged to get to know HSTS preloading and enable it when you
+# are ready!
+apache__hsts_preload: False
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
+# HTTP security headers [[[
+# -------------------------
+
+# Sensible default configuration of HTTP security headers.
+# Note that a few security headers can not be reasonably set by default because they
+# have to be fine-tuned for the website in question.
+# Refer :ref:`apache__ref_servers_http_security_headers` for details.
+
+# .. envvar:: apache__http_csp_append [[[
+#
+# CSP directives to append to all policies. This can be used to set the
+# ``report-uri`` globally.
+# The string MUST end with a semicolon but MUST NOT begin with one.
+# Refer :ref:`apache__ref_servers_http_security_headers` for details.
+apache__http_csp_append: ''
+
+                                                                   # ]]]
+# .. envvar:: apache__http_frame_options [[[
+#
+# Default value for the ``X-Frame-Options`` header. Set to ``False`` to omit
+# this header.
+# Refer to the :rfc:`7034` for details.
+apache__http_frame_options: 'SAMEORIGIN'
+
+                                                                   # ]]]
+# .. envvar:: apache__http_xss_protection [[[
+#
+# Refer to :ref:`item.http_xss_protection <apache__ref_vhost_http_xss_protection>` for details.
+apache__http_xss_protection: '1; mode=block'
+
+                                                                   # ]]]
+# .. envvar:: apache__http_referrer_policy [[[
+#
+# Refer to :ref:`item.http_referrer_policy <apache__ref_vhost_http_referrer_policy>` for details.
+apache__http_referrer_policy: 'same-origin'
+
+                                                                   # ]]]
+# .. envvar:: apache__http_content_type_options [[[
+#
+# FIXME
+apache__http_content_type_options: 'nosniff'
+
+                                                                   # ]]]
+# .. envvar:: apache__http_sec_headers_directive_options [[[
+#
+# What ``condition`` and ``action`` should be used for the `Header directives`_
+# generated from this section?
+# Two popular options are ``always set`` and ``set``.
+# Note that if ``Header set`` is used in :file:`.htaccess` for example while
+# using ``always set`` for this variable then Apache will add the header a
+# second time which you probably don’t want.
+apache__http_sec_headers_directive_options: 'set'
+                                                                   # ]]]
+                                                                   # ]]]
+# Virtual hosts [[[
+# -----------------
+
+# The Apache virtual hosts can be defined as lists of YAML dictionaries. This
+# allows the configuration of Apache virtual hosts on different inventory
+# levels as needed.
+#
+# See :ref:`apache__ref_vhosts` for more details.
+
+# .. envvar:: apache__vhosts [[[
+#
+# This variable is intended to be used in Ansible’s global inventory as needed.
+apache__vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: apache__default_vhost [[[
+#
+# Default virtual host which will receive all requests which don’t match other virtual hosts.
+# Refer to the `Apache virtual host matching documentation`_ for details.
+apache__default_vhost:
+  name: '{{ apache__default_vhost_name }}'
+  filename: '000-default'
+  root: '/var/www/html'
+
+                                                                   # ]]]
+# .. envvar:: apache__default_vhost_name [[[
+#
+# Default virtual host name.
+# Ideally, this a FQDN for which a valid certificate is present so that Apache
+# does not complain about a certificate subject mismatch.
+apache__default_vhost_name: 'default.{{ apache__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__group_vhosts [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+apache__group_vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: apache__host_vhosts [[[
+#
+# This variable is intended to be used in the inventory of hosts as needed.
+apache__host_vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: apache__role_vhosts [[[
+#
+# Used internally by this role. Order is important.
+apache__role_vhosts:
+
+  - name: '000-default'
+    type: 'divert'
+    divert_filename: 'package-default'
+    divert_suffix: ''
+    comment: |
+      `postinst` of the `apache2` package normally tries to enable
+      the `000-default` site without checking if it is actually there.
+      Divert the package provided `000-default` site file away, we will not need it :)
+
+  - name: 'default-ssl'
+    type: 'divert'
+    divert_filename: 'package-default-https'
+    divert_suffix: ''
+    comment: |
+      Divert the package provided `default-ssl` site file away, we will not need it :)
+
+  - '{{ apache__default_vhost }}'
+  - '{{ apache__status_vhost }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__dependent_vhosts [[[
+#
+# This variable is intended for other Ansible roles to be used when using
+# ``debops.apache`` as role dependency.
+apache__dependent_vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: apache__combined_vhosts [[[
+#
+# The list which holds the actual Apache virtual hosts combined from the
+# above variables.
+apache__combined_vhosts: '{{ apache__vhosts +
+                             apache__group_vhosts +
+                             apache__host_vhosts +
+                             apache__role_vhosts +
+                             apache__dependent_vhosts }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__vhost_type [[[
+#
+# The default template type to use for virtual hosts.
+# See :ref:`apache__ref_vhosts` for more details.
+apache__vhost_type: 'default'
+
+                                                                   # ]]]
+# .. envvar:: apache__vhost_allow_override [[[
+#
+# The default ``AllowOverride`` to use for virtual hosts.
+# Refer to the `Apache AllowOverride directive documentation`_ for details.
+apache__vhost_allow_override: 'None'
+
+                                                                   # ]]]
+# .. envvar:: apache__vhost_options [[[
+#
+# The default ``Options`` to use for virtual hosts.
+# Refer to the `Apache Options directive documentation`_ for details.
+apache__vhost_options: [ '+FollowSymLinks' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Logging [[[
+# -----------
+
+# .. envvar:: apache__log_level [[[
+#
+# The default log level to use.
+# Refer to the `Apache LogLevel directive documentation`_ for details.
+apache__log_level: 'warn'
+
+                                                                   # ]]]
+# .. envvar:: apache__access_log_format [[[
+#
+# Default log format as defined in :file:`/etc/apache2/apache2.conf`.
+# Refer to the `Apache LogFormat directive documentation`_ for details.
+apache__access_log_format: 'combined'
+                                                                   # ]]]
+                                                                   # ]]]
+# Apache Status [[[
+# -----------------
+
+# Refer to the `Apache mod_status documentation`_ for details.
+
+# .. envvar:: apache__status_enabled [[[
+#
+# Should the Apache server status be enabled by loading the required modules?
+apache__status_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: apache__status_vhost_enabled [[[
+#
+# Should the Apache server status page be accessible using an independent
+# virtual host bound to localhost?
+apache__status_vhost_enabled: '{{ apache__status_enabled }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__status_for_vhost_enabled [[[
+#
+# Should the Apache server status page be enabled in all virtual hosts?
+#
+# Note that even when this option evaluates to ``False``, the hardcoded
+# ``/server-status`` URL path is not fully neutralized. That is because the `Apache
+# SetHandler directive`_ is set by the Apache Debian package in server config
+# context.  All access granted by package defaults is of course revoked by this
+# Ansible role, again in server config context. But this means that for any
+# virtual host, a request against ``/server-status`` (regardless of the value
+# of :envvar:`apache__status_location`) will be answered with a 403 Forbidden.
+# If that causes a problem, the role could be changed to not enable the default
+# module configuration and load the module directly from server config context.
+# Or maybe someone has a workaround which does not involve changing the package
+# module defaults.
+#
+# Refer to :ref:`item.status_enabled <apache__ref_vhost_status_enabled>` for
+# how to overwrite this for a virtual host.
+apache__status_for_vhost_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: apache__status_location [[[
+#
+# The ``Location`` or URL path by which the Apache server status should be
+# accessible.
+# Refer to :ref:`item.status_location <apache__ref_vhost_status_location>` for
+# how to overwrite this for a virtual host.
+apache__status_location: '/server-status'
+
+                                                                   # ]]]
+# .. envvar:: apache__status_allow_localhost [[[
+#
+# Allow access to the Apache server status using the ``Require local``
+# directive (refer to the `Apache host Require directive documentation`_).
+# Refer to :ref:`item.status_allow_localhost <apache__ref_vhost_status_allow_localhost>` for
+# how to overwrite this for a virtual host.
+apache__status_allow_localhost: False
+
+                                                                   # ]]]
+# .. envvar:: apache__status_directives [[[
+#
+# Additional directives included into the ``Location`` sections for the Apache
+# server status configuration. Can be used to customize access for example.
+# Refer to :ref:`item.status_directives <apache__ref_vhost_status_directives>` for
+# how to overwrite this for a virtual host.
+apache__status_directives: ''
+
+                                                                   # ]]]
+# .. envvar:: apache__status_extended_enabled [[[
+#
+# This option tracks additional data per worker about the currently executing
+# request and creates a utilization summary.
+# Refer to the `Apache ExtendedStatus directive documentation`_ for details.
+# Note that this setting cannot be changed during a graceful restart. You will
+# need to restart Apache yourself for a change to take effect!
+apache__status_extended_enabled: '{{ apache__status_enabled | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: apache__status_vhost_name [[[
+#
+# Virtual host name for providing the Apache server status.
+apache__status_vhost_name:
+  - 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: apache__status_vhost [[[
+#
+# Optional virtual host for providing the Apache server status.
+apache__status_vhost:
+  name: '{{ apache__status_vhost_name }}'
+  filename: 'debops.apache-status'
+  status_enabled: True
+  status_allow_localhost: True
+  listen_http: [ 'localhost:80' ]
+  https_enabled: False
+  enabled: '{{ apache__status_vhost_enabled | bool }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: apache__ferm__dependent_rules [[[
+#
+# Configuration for :ref:`debops.ferm` Ansible role.
+apache__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: '{{ apache__http_listen | union(apache__https_listen) }}'
+    saddr: '{{ apache__allow + apache__group_allow + apache__host_allow }}'
+    accept_any: True
+    weight: '40'
+    by_role: 'debops.apache'
+    name: 'http_https'
+    multiport: True
+    rule_state: '{{ apache__deploy_state }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apache/handlers/main.yml b/ansible_collections/debops/debops/roles/apache/handlers/main.yml
new file mode 100644
index 00000000..b7447bee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/handlers/main.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test apache and reload
+  ansible.builtin.command: apache2ctl configtest
+  register: apache__register_reload
+  changed_when: apache__register_reload.changed | bool
+  notify: [ 'Reload apache' ]
+
+# - name: Test apache and restart
+#   ansible.builtin.command: apache2ctl configtest
+#   notify: [ 'Restart apache' ]
+
+- name: Reload apache
+  ansible.builtin.service:
+    name: '{{ apache__service_name }}'
+    state: 'reloaded'
+
+## Listed here for completeness but not used.
+## Refer to ../docs/ansible-integration.rst
+# - name: Restart apache
+#   ansible.builtin.service:
+#     name: '{{ apache__service_name }}'
+#     state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/apache/meta/main.yml b/ansible_collections/debops/debops/roles/apache/meta/main.yml
new file mode 100644
index 00000000..467fc498
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider'
+  description: 'Manage and configure the Apache HTTP Server'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - web
+    - webserver
diff --git a/ansible_collections/debops/debops/roles/apache/tasks/apache_module_state.yml b/ansible_collections/debops/debops/roles/apache/tasks/apache_module_state.yml
new file mode 100644
index 00000000..7e83c98b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/tasks/apache_module_state.yml
@@ -0,0 +1,20 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Enable/disable Apache modules
+  debops.debops.apache2_module:
+    name: '{{ item.key }}'
+    state: '{{ (item.value.enabled
+                if (item.value is mapping)
+                else item.value) | bool | ternary("present", "absent") }}'
+    force: '{{ item.value.force | d(False) | bool }}'
+  notify: [ 'Test apache and reload' ]
+  when: (item.key in apache__tpl_available_modules
+         and item.value.enabled | d(True) != omit
+         and apache__deploy_state == "present")
+  with_dict: '{{ apache__combined_modules }}'
+  tags: [ 'role::apache:modules' ]
diff --git a/ansible_collections/debops/debops/roles/apache/tasks/main.yml b/ansible_collections/debops/debops/roles/apache/tasks/main.yml
new file mode 100644
index 00000000..5d1396ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/tasks/main.yml
@@ -0,0 +1,170 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+# Manage optional system packages [[[1
+- name: Ensure optional packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", (apache__packages
+                              + apache__group_packages
+                              + apache__host_packages
+                              + apache__dependent_packages)) }}'
+    state: '{{ "present" if (apache__deploy_state == "present") else "absent" }}'
+  register: apache__register_packages
+  until: apache__register_packages is succeeded
+
+# Manage Apache modules [[[1
+- name: Get list of available modules
+  ansible.builtin.find:
+    file_type: 'file'
+    paths: [ '{{ apache__config_path + "/mods-available/" }}' ]
+    patterns: [ '*.load' ]
+  register: apache__register_mods_available
+  tags: [ 'role::apache:modules' ]
+
+- name: Set list of available modules
+  ansible.builtin.set_fact:
+    apache__tpl_available_modules: '{{ apache__register_mods_available.files | d({})
+                                       | map(attribute="path")
+                                       | map("replace", apache__config_path + "/mods-available/", "")
+                                       | map("regex_replace", "\.load$", "") | list }}'
+  tags: [ 'role::apache:modules' ]
+
+- name: Configure Apache module state
+  ansible.builtin.include_tasks: apache_module_state.yml
+
+# Manage Apache configuration snippets [[[1
+- name: Divert conf-available configuration
+  debops.debops.dpkg_divert:
+    path: '{{ apache__config_path + "/conf-available/" + item.key + ".conf" }}'
+    divert: '{{ (item.value.divert
+                 | d(apache__config_path + "/conf-available/"
+                     + (item.value.divert_filename | d(item.key)) + ".conf"))
+                + item.value.divert_suffix | d(".dpkg-divert") }}'
+  when: (item.value.type | d("default") in ["divert"])
+  with_dict: '{{ apache__combined_snippets }}'
+
+- name: Remove conf-available snippets
+  ansible.builtin.file:
+    path: '{{ apache__config_path + "/conf-available/" + item.key + ".conf" }}'
+    state: 'absent'
+  when: (item.value.state | d("present") == "absent")
+  with_dict: '{{ apache__combined_snippets }}'
+  tags: [ 'role::apache:vhosts' ]
+
+- name: Create conf-available snippets
+  ansible.builtin.template:
+    src: 'etc/apache2/conf-available/{{ "raw"
+                                        if (item.value.type | d("default") in ["divert", "raw"] and
+                                            item.value.raw | d())
+                                        else item.key }}.conf.j2'
+    dest: '{{ apache__config_path + "/conf-available/" + item.key + ".conf" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (item.value.state | d("present") != "absent" and
+         (item.value.type | d("default") not in ["divert", "dont-create"] or item.value.raw | d()))
+  with_dict: '{{ apache__combined_snippets }}'
+  notify: [ 'Test apache and reload' ]
+
+- name: Enable/disable configuration snippets
+  ansible.builtin.file:
+    path: '{{ apache__config_path + "/conf-enabled/" + item.key + ".conf" }}'
+    src: '{{ (((item.value.enabled | d(True)
+                  if (item.value is mapping)
+                  else item.value | d(True)))
+                 if (item.value.state | d("present") != "absent")
+                 else False) | bool
+                 | ternary("../conf-available/" + item.key + ".conf",
+                           omit) }}'
+    mode: '0644'
+    force: '{{ ansible_check_mode | d() | bool }}'
+    state: '{{ (((item.value.enabled | d(True)
+                  if (item.value is mapping)
+                  else item.value | d(True)))
+                 if (item.value.state | d("present") != "absent")
+                 else False) | bool | ternary("link", "absent") }}'
+  when: (item.value.type | d("default") not in ["divert"])
+  with_dict: '{{ apache__combined_snippets }}'
+  notify: [ 'Test apache and reload' ]
+
+# Manage Apache virtual hosts [[[1
+- name: Divert sites-available configuration
+  debops.debops.dpkg_divert:
+    path: '{{ apache__config_path + "/sites-available/"
+              + item.filename | d([item.name] | flatten | first | d("default"))
+              + ".conf" }}'
+    divert: '{{ (item.divert
+                 | d(apache__config_path + "/sites-available/"
+                     + item.divert_filename | d(item.filename | d([item.name] | flatten | first | d("default")))
+                     + ".conf")
+                 + item.divert_suffix | d(".dpkg-divert")) }}'
+  when: (item.type | d(apache__vhost_type) in ["divert"])
+  loop: '{{ q("flattened", apache__combined_vhosts) }}'
+
+- name: Remove sites-available configuration
+  ansible.builtin.file:
+    path: '{{ apache__config_path }}/sites-available/{{ item.filename | d(item.name
+                                                                          if (item.name is string)
+                                                                          else item.name[0] | d("default")) }}.conf'
+    state: 'absent'
+  when: (item.state | d("present") == 'absent')
+  loop: '{{ q("flattened", apache__combined_vhosts) }}'
+  tags: [ 'role::apache:vhosts' ]
+
+- name: Create sites-available configuration
+  ansible.builtin.template:
+    src: 'etc/apache2/sites-available/{{ item.type | d(apache__vhost_type) }}.conf.j2'
+    dest: '{{ apache__config_path }}/sites-available/{{ item.filename | d(item.name
+                                                                          if (item.name is string)
+                                                                          else item.name[0] | d("default")) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Test apache and reload' ]
+  when: (item.state | d("present") != "absent" and item.type | d(apache__vhost_type) not in ["divert", "dont-create"])
+  loop: '{{ q("flattened", apache__combined_vhosts) }}'
+  tags: [ 'role::apache:vhosts' ]
+
+- name: Enable/disable Apache virtual hosts
+  ansible.builtin.file:
+    path: '{{ apache__config_path }}/sites-enabled/{{ item.filename | d(item.name
+                                                                        if (item.name is string)
+                                                                        else item.name[0] | d("default")) }}.conf'
+    src: '{{ ("../sites-available/" + item.filename
+                                      | d(item.name
+                                          if (item.name is string)
+                                          else item.name[0] | d("default")) + ".conf")
+             if (item.enabled | d(True) | bool and (item.state | d("present") != "absent"))
+             else omit }}'
+    force: '{{ item.force | d(ansible_check_mode) | bool }}'
+    state: '{{ item.enabled | d(True) | bool | ternary("link", "absent")
+               if (item.state | d("present") != "absent")
+               else "absent" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Test apache and reload' ]
+  when: (item.type | d(apache__vhost_type) not in ["divert"])
+  loop: '{{ q("flattened", apache__combined_vhosts) }}'
+  tags: [ 'role::apache:vhosts' ]
+
+
+# Manage Apache modules, part 2 [[[1
+- name: Detect if the rewrite module has been used in the active configuration
+  ansible.builtin.shell: grep --recursive --ignore-case '^\s*RewriteEngine On' {{ apache__config_path | quote }}
+  register: apache__register_mod_rewrite_used
+  check_mode: False
+  failed_when: apache__register_mod_rewrite_used.rc not in [0, 1]
+  changed_when: False
+  when: apache__register_mod_rewrite_used is undefined
+
+- name: Finish configuration of Apache module state
+  ansible.builtin.include_tasks: apache_module_state.yml
diff --git a/ansible_collections/debops/debops/roles/apache/tasks/main_env.yml b/ansible_collections/debops/debops/roles/apache/tasks/main_env.yml
new file mode 100644
index 00000000..a29bbc14
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/tasks/main_env.yml
@@ -0,0 +1,41 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+# Manage required system packages [[[1
+- name: Ensure base packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ item }}'
+    state: '{{ "present" if (apache__deploy_state == "present") else "absent" }}'
+  loop: '{{ q("flattened", apache__base_packages) }}'
+  register: apache__register_base_packages
+  until: apache__register_base_packages is succeeded
+  tags: [ 'role::apache:pkgs' ]
+
+# Ansible facts [[[1
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create local facts of Apache
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apache.fact.j2'
+    dest: '/etc/ansible/facts.d/apache.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/ansible/facts.d/apache.fact.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/ansible/facts.d/apache.fact.j2
new file mode 100644
index 00000000..13ccfbc5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/ansible/facts.d/apache.fact.j2
@@ -0,0 +1,39 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import re
+
+output = loads('''{{ ({
+    "enabled": (apache__deploy_state == "present"),
+    "user": apache__user,
+    "use_if_version": apache__config_use_if_version,
+    "min_version": apache__config_min_version,
+    }) | to_nice_json }}''')
+
+try:
+    apache_v = subprocess.check_output(
+            ['apache2', '-v']).decode('utf-8').split('\n')
+
+    for line in apache_v:
+        _re = re.match(r'Server version: Apache/(?P<version>[^ ]+)', line)
+        if _re:
+            output['version'] = _re.group('version')
+
+    if output['use_if_version']:
+        if output['min_version'] == 'current_major_minor':
+            output['min_version'] = '.'.join(
+                    output['version'].split('.')[:2])
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache.conf.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache.conf.j2
new file mode 100644
index 00000000..e1f303eb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache.conf.j2
@@ -0,0 +1,362 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("1.0.2") }}
+{% endmacro %}
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}
+{% macro debops_indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{# Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}
+{% macro get_min_version_wrapped(content, version, compare_operator) %}{# [[[ #}
+{# Examples:
+
+{{ get_min_version_wrapped('# 2.3.0 directive', "2.3", ">=") }}
+{{ get_min_version_wrapped('# 2.4.0 directive', "2.4", ">=") }}
+{{ get_min_version_wrapped('# 2.4.1 directive', "2.4.1", ">=") }}
+{{ get_min_version_wrapped('# 2.5.0 directive', "2.5", ">=") }}
+
+#}
+{% set version = '==' if (version == '=') else version %}
+{% set apache__tpl_compare_operator_includes_equal = True if (compare_operator in ['>=', '<=', '==']) else False %}
+{% if (version is version_compare(get_apache_min_version(), compare_operator))
+    or (version is version_compare(get_apache_min_version(), ">")) %}
+{%   if apache__tpl_compare_operator_includes_equal and (version is version_compare(get_apache_min_version(), "==")) %}
+{{     content -}}
+{%   else %}
+<IfVersion {{ compare_operator }} {{ version }}>
+    {{ debops_indent(content, 4) }}
+</IfVersion>
+{%   endif %}
+{% endif %}
+{% endmacro %}
+{% macro get_version_wrapped(content, version, compare_operator, fallback_content=False) %}{# [[[ #}
+{# This macro has not been extensively tested yet. If it contains bugs please try to debug it if you need it.
+
+Examples:
+
+{{ get_version_wrapped('# 2.3.0 directive', "2.3", ">=", '# Prior to 2.3 directive') }}
+{{ get_version_wrapped('# 2.4.0 directive', "2.4", ">=", '# Prior to 2.4 directive') }}
+{{ get_version_wrapped('# 2.4.1 directive', "2.4.1", ">=", '# Prior to 2.4.1 directive') }}
+{{ get_version_wrapped('# 2.5.0 directive', "2.5", ">=", '# Prior to 2.5 directive') }}
+
+#}
+{% set version = '==' if (version == '=') else version %}
+{% set apache__tpl_xor_compare_operator_map = {} %}
+{% set apache__tpl_xor_compare_operator_list = [
+    ('==', '!='),
+    ('>=', '<'),
+    ('<=', '>'),
+] %}
+{% for compare_operator, xor_compare_operator in apache__tpl_xor_compare_operator_list %}
+{%   set _ = apache__tpl_xor_compare_operator_map.update({ compare_operator: xor_compare_operator }) %}
+{%   set _ = apache__tpl_xor_compare_operator_map.update({ xor_compare_operator: compare_operator }) %}
+{% endfor %}
+{% if apache__config_use_if_version | bool %}
+{{   get_min_version_wrapped(content, version, compare_operator) -}}
+{%   if fallback_content != False %}
+{{     get_min_version_wrapped(fallback_content, version, apache__tpl_xor_compare_operator_map[compare_operator]) -}}
+{%   endif %}
+{% else %}
+{%   if get_apache_version() is version_compare(version, compare_operator) %}
+{{     content -}}
+{%   elif fallback_content != False %}
+{{     fallback_content -}}
+{%   endif %}
+{% endif %}
+{% endmacro %}
+{% macro get_server_name_aliases(name_item) %}{# [[[ #}
+{% set apache__tpl_names = get_yaml_list_for_elem(name_item) | from_yaml %}
+{% if not apache__tpl_names %}
+{% set apache__tpl_names = [ apache__server_name ] %}
+{% endif %}
+ServerName {{ apache__tpl_names[0] | quote }}
+{% if apache__tpl_names | length > 1 %}
+ServerAlias {{ apache__tpl_names[1:] | map("quote") | join(" ") }}
+{% endif %}
+{% endmacro %}
+{% macro get_listen_sockets(item_listen_list, server_port_listen_list) %}{# [[[ #}
+{% set apache__tpl_listen_sockets = [] %}
+{% if item_listen_list | length == 0 %}
+{%   set item_listen_list = server_port_listen_list %}
+{% endif %}
+{% for item_listen in item_listen_list %}
+{%   if ':' not in item_listen | string %}
+{# {%     if item_listen in server_port_listen_list %}
+## Apparently, this is not even needed for Apache to (re)start without issues. #}
+{%     set _ = apache__tpl_listen_sockets.append("*:" + item_listen | string) %}
+{%   else %}
+{%     set _ = apache__tpl_listen_sockets.append(item_listen | string) %}
+{%   endif %}
+{% endfor %}
+{{ apache__tpl_listen_sockets | join(" ") -}}
+{% endmacro %}
+{% macro get_header_comments(item) %}{# [[[ #}
+{% if item.by_role | d() %}
+
+# Generated by Ansible role: {{ item.by_role }}
+{% endif %}
+{% endmacro %}
+{% macro get_server_directives(item) %}{# [[[ #}
+{% set sanitized_name = (get_yaml_list_for_elem(item.filename | d(item.name)) | from_yaml)[0] | replace(".", "_") %}
+{% if item.name | d([]) %}
+{{ get_server_name_aliases(item.name | d([])) }}
+{% endif %}
+ServerAdmin {{ item.server_admin | d(apache__server_admin) | quote }}
+CustomLog {{ item.custom_log | d('${APACHE_LOG_DIR}/' + sanitized_name + '_access.log' + ' ' + apache__access_log_format + ' ' + item.custom_log_condition | d()) }}
+ErrorLog {{ item.error_log | d('${APACHE_LOG_DIR}/' + sanitized_name + '_error.log') }}
+{% endmacro %}
+{% macro get_server_status_directives(item, enabled) %}{# [[[ #}
+{% if enabled | bool %}
+<Location {{ item.status_location | d(apache__status_location) | quote }}>
+    SetHandler server-status
+{%   if item.status_allow_localhost | d(apache__status_allow_localhost) | bool %}
+    Require local
+{%   endif %}
+{%   if item.status_directives | d(apache__status_directives) %}
+    {{ item.status_directives | d(apache__status_directives) }}
+{%   elif not (item.status_allow_localhost | d(apache__status_allow_localhost) | bool) %}
+    Require all denied
+{%   endif %}
+</Location>
+{% endif %}
+{% endmacro %}
+{% macro get_vhost_content_directives(item, mode='https', https_enabled=True) %}{# [[[ #}
+{% set apache__tpl_use_redirect_module = 'alias' %}
+{% set apache__tpl_status_enabled = item.status_enabled | d(apache__status_for_vhost_enabled) | bool %}
+{{ get_server_status_directives(item, apache__tpl_status_enabled) -}}
+{% if apache__tpl_status_enabled | bool and (
+        (mode == 'http' and (item.redirect_http | d() or item.redirect_to_https | d(apache__redirect_to_https) | bool)) or
+        (mode == 'https' and item.redirect_https | d())
+    ) %}
+<IfModule mod_rewrite>
+RewriteEngine On
+RewriteRule "^{{ item.status_location | d(apache__status_location) }}" "-" [L]
+</IfModule>
+{%   set apache__tpl_use_redirect_module = 'rewrite' %}
+{% endif %}
+{% if mode == 'http' and item.redirect_http | d() %}
+{{ get_redirect(item.redirect_http_code | d(307), "/", item.redirect_http, apache__tpl_use_redirect_module) }}
+{% elif mode == 'http' and item.redirect_to_https | d(apache__redirect_to_https) | bool %}
+{{ get_redirect(item.redirect_to_https_with_code | d("301"), "/", "https://" + (get_yaml_list_for_elem(item.name) | from_yaml)[0], apache__tpl_use_redirect_module) }}
+{% elif mode == 'https' and item.redirect_https | d() %}
+{{ get_redirect(item.redirect_https_code | d(307), "/", item.redirect_https, apache__tpl_use_redirect_module) }}
+{% else %}
+{{ get_content_directives(item) }}
+{% endif %}
+{% endmacro %}
+{% macro get_document_root_directives(item) %}{# [[[ #}
+Options {{ get_yaml_list_for_elem(item.options | d(apache__vhost_options)) | from_yaml | join(" ") }}
+AllowOverride {{ get_yaml_list_for_elem(item.allow_override | d(apache__vhost_allow_override)) | from_yaml | join(" ") }}
+
+{{ get_version_wrapped('Require all granted', "2.4", ">=",
+'Order allow,deny
+Allow from all') -}}
+{% if item.root_directives | d() %}
+
+{{ item.root_directives }}
+{% endif %}
+{% endmacro %}
+{% macro get_content_directives(item) %}{# [[[ #}
+{% if item.include | d() %}
+{% for include_file in get_yaml_list_for_elem(item.include) | from_yaml %}
+Include {{ include_file | quote }}
+{% endfor %}
+{% endif %}
+{% if item.include_optional | d() %}
+{% for include_optional_file in get_yaml_list_for_elem(item.include_optional) | from_yaml %}
+IncludeOptional {{ include_optional_file | quote }}
+{% endfor %}
+{% endif %}
+{% if item.root | d(item.document_root | d()) %}
+DocumentRoot {{ item.root | d(item.document_root) | quote }}
+
+{% if item.index | d() %}
+DirectoryIndex {{ get_yaml_list_for_elem(item.index) | from_yaml | join(" ") }}
+{% endif %}
+{% if item.alias | d() %}
+{{ get_alias(item.alias, item.alias_path | d(item.root) | d(item.document_root)) }}
+{%- endif %}
+<Directory {{ item.root | d(item.document_root) | quote }}>
+    {{ debops_indent(get_document_root_directives(item), 4) }}
+</Directory>
+{% endif %}
+{% if item.raw_content | d() %}
+
+{{ item.raw_content }}
+{% endif %}
+{% endmacro %}
+{% macro get_default_tls_directives(item) %}{# [[[ #}
+{# Included in server context to provide sane defaults (there might be vhosts
+# not controlled by this template) and in virtual host context to ensure those
+# settings are appliend and to allow per-vhost changes.
+# Refer to Applied-Crypto-Hardening_bettercrypto/src/configuration/Webservers/Apache/default-ssl for details.
+#}
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory /usr/lib/cgi-bin>
+    SSLOptions +StdEnvVars
+</Directory>
+
+BrowserMatch "MSIE [2-6]" \
+    nokeepalive ssl-unclean-shutdown \
+    downgrade-1.0 force-response-1.0
+# MSIE 7 and newer should be able to use keepalive
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+# TLS cipher suites set: {{ item.tls_cipher_suite_set_name | d(apache__tls_cipher_suite_set_name) | quote }}
+SSLCipherSuite       {{ apache__tls_cipher_suite_sets[item.tls_cipher_suite_set_name | d(apache__tls_cipher_suite_set_name)] | quote }}
+SSLProtocol          {{ item.tls_protocols | d(apache__tls_protocols) | join(" ") }}
+SSLHonorCipherOrder  {{ item.tls_honor_cipher_order | d(apache__tls_honor_cipher_order) | quote }}
+SSLCompression       {{ item.tls_compression | d(apache__tls_compression) | quote }}
+
+{#
+# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+# https://github.com/sovereign/sovereign/issues/373
+#}
+{% if get_apache_version() is version_compare("2.4.8", ">=") and get_openssl_version() is version_compare("1.0.2", ">=") %}
+# SSLOpenSSLConfCmd DHParameters {{ item.tls_dhparam_file | d(apache__tls_dhparam_file) | quote }}
+{% endif %}
+{% endmacro %}
+{% macro get_https_directives(item) %}{# [[[ #}
+SSLEngine on
+
+{{ get_default_tls_directives(item) }}
+{% set apache__tpl_pki_realm = item.pki_realm | d((get_realm_yaml_list(item.name, apache__pki_realm) | from_yaml)[0]) %}
+{% set apache__tpl_pki_realm_path = apache__pki_realm_path + "/" + apache__tpl_pki_realm %}
+SSLCertificateFile      {{ item.tls_crt | d(apache__tpl_pki_realm_path + "/" + (item.pki_crt | d(apache__pki_crt_filename))) | quote }}
+SSLCertificateKeyFile   {{ item.tls_key | d(apache__tpl_pki_realm_path + "/" + (item.pki_key | d(apache__pki_key_filename))) | quote }}
+{% if item.ocsp_stapling_enabled | d(apache__ocsp_stapling_enabled) | bool and get_openssl_version() is version_compare("0.9.8h", ">=") %}
+SSLUseStapling on
+{% endif %}
+
+{% if item.hsts_enabled | d(apache__hsts_enabled) | bool %}
+Header always set Strict-Transport-Security "max-age={{ item.hsts_max_age | d(apache__hsts_max_age) }}{{ "; includeSubDomains" if item.hsts_subdomains | d(apache__hsts_subdomains) | bool else "" }}{{ "; preload" if ((item.hsts_preload | d(apache__hsts_preload)) | bool) else "" }}"
+{% endif %}
+{% endmacro %}
+{% macro get_http_security_headers(item) %}{# [[[ #}
+{% set apache__tpl_directive_options = get_yaml_list_for_elem(item.http_sec_headers_directive_options | d(apache__http_sec_headers_directive_options)) | from_yaml | map("quote") | join(" ") %}
+{% if item.csp_enabled | d(False) | bool %}
+Header {{ apache__tpl_directive_options }} Content-Security-Policy "{{ item.csp | d("default-src https: ;") + (" " + item.csp_append | d(apache__http_csp_append) if (item.csp_append | d(apache__http_csp_append)) else "") }}"
+{% endif %}
+{% if item.csp_report_enabled | d(False) | bool %}
+Header {{ apache__tpl_directive_options }} Content-Security-Policy-Report-Only "{{ item.csp_report | d(item.csp | d("default-src https: ;")) + (" " + item.csp_append | d(apache__http_csp_append) if (item.csp_append | d(apache__http_csp_append)) else "") }}"
+{% endif %}
+{% if item.http_frame_options | d(apache__http_frame_options) != omit %}
+Header {{ apache__tpl_directive_options }} X-Frame-Options "{{ item.http_frame_options | d(apache__http_frame_options) }}"
+{% endif %}
+{% if item.http_xss_protection | d(apache__http_xss_protection) != omit %}
+Header {{ apache__tpl_directive_options }} X-XSS-Protection "{{ item.http_xss_protection | d(apache__http_xss_protection) }}"
+{% endif %}
+{% if item.http_referrer_policy | d(apache__http_referrer_policy) != omit %}
+Header {{ apache__tpl_directive_options }} Referrer-Policy "{{ item.http_referrer_policy | d(apache__http_referrer_policy) }}"
+{% endif %}
+{% if item.http_content_type_options | d(apache__http_content_type_options) != omit %}
+Header {{ apache__tpl_directive_options }} X-Content-Type-Options "{{ item.http_content_type_options | d(apache__http_content_type_options) }}"
+{% endif %}
+{% endmacro %}
+{% macro get_common_headers(item) %}{# [[[ #}
+{% if item.http_clacks_overhead | d(apache__http_clacks_overhead | d(True)) | bool %}
+{#
+# Respect the will of the DebOps Creator.
+# Ref: https://github.com/debops/ansible-nginx/commit/d6cd455c68a7584b2592053fd98d3e539054e09a
+#}
+Header always set X-Clacks-Overhead "GNU Terry Pratchett"
+{% endif %}
+{% endmacro %}
+{% macro get_redirect(code, from, to, module) %}{# [[[ #}
+{# Prefer the alias module but support the use of the rewrite module in case
+other rewrite rules are used in the same context because the rewrite rules are
+handled before all the directives from the alias module.
+#}
+{% set to = to + ("/" if (to[-1] != "/") else "") %}
+{% if module == 'alias' %}
+Redirect {{ code | string }} "{{ from }}" "{{ to }}"
+{% elif module == 'rewrite' %}
+<IfModule mod_rewrite>
+RewriteRule "^{{ from }}?(.*)" "{{ to }}$1" [L,R={{ code }},NE]
+</IfModule>
+{% endif %}
+{% endmacro %}
+{% macro get_alias(url_path, fs_directory) %}{# [[[ #}
+Alias {{ url_path | quote }} {{ (fs_directory + ("/" if (fs_directory[-1] != "/") else "")) | quote }}
+{% endmacro %}
+
+{#
+# It seems that Apache does not allow to overwrite directives in the same context (server config):
+# Examples: LogLevel
+# It is probably not good practice to change that in server context anyway.
+#}
+
+MaxConnectionsPerChild {{ apache__mpm_max_connections_per_child | quote }}
+
+ExtendedStatus {{ apache__status_extended_enabled | bool | ternary("On", "Off") }}
+
+
+{% for module_name, value in apache__combined_modules|dictsort %}
+{%   if value is mapping and 'config' in value %}
+
+<IfModule {{ module_name }}_module>
+    {{ value.config | indent(4) }}
+</IfModule>
+{%   endif %}
+{% endfor %}
+
+ServerTokens {{ apache__server_tokens }}
+ServerSignature {{ apache__server_signature }}
+TraceEnable {{ apache__trace_enabled }}
+LogLevel {{ apache__log_level }}
+
+{{ get_common_headers(item) | indent(4) }}
+
+{# Don’t use apache__combined_modules because of heavy use of template macros. #}
+<IfModule ssl_module>
+{{ get_default_tls_directives(item.value | d({})) }}
+
+{% if get_openssl_version() is version_compare("0.9.8h", ">=") %}
+SSLStaplingCache {{ apache__ocsp_stapling_cache | quote }}
+SSLStaplingResponseMaxAge {{ apache__ocsp_stapling_response_max_age | string }}
+{%   if apache__ocsp_stapling_force_url %}
+SSLStaplingForceURL {{ apache__ocsp_stapling_force_url | quote }}
+{%   endif %}
+{% endif %}
+</IfModule>
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache_security_module.conf.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache_security_module.conf.j2
new file mode 100644
index 00000000..b995a44f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/local-debops_apache_security_module.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if apache__security_module_server_signature != omit %}
+SecServerSignature "{{ apache__security_module_server_signature }}"
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/raw.conf.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/raw.conf.j2
new file mode 100644
index 00000000..855220ad
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/conf-available/raw.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% if item.value.raw | d() %}
+
+{{ item.value.raw }}
+{%- endif %}
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/default.conf.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/default.conf.j2
new file mode 100644
index 00000000..8e34f962
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/default.conf.j2
@@ -0,0 +1,355 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("1.0.2") }}
+{% endmacro %}
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}
+{% macro debops_indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{# Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}
+{% macro get_min_version_wrapped(content, version, compare_operator) %}{# [[[ #}
+{# Examples:
+
+{{ get_min_version_wrapped('# 2.3.0 directive', "2.3", ">=") }}
+{{ get_min_version_wrapped('# 2.4.0 directive', "2.4", ">=") }}
+{{ get_min_version_wrapped('# 2.4.1 directive', "2.4.1", ">=") }}
+{{ get_min_version_wrapped('# 2.5.0 directive', "2.5", ">=") }}
+
+#}
+{% set version = '==' if (version == '=') else version %}
+{% set apache__tpl_compare_operator_includes_equal = True if (compare_operator in ['>=', '<=', '==']) else False %}
+{% if (version is version_compare(get_apache_min_version(), compare_operator))
+    or (version is version_compare(get_apache_min_version(), ">")) %}
+{%   if apache__tpl_compare_operator_includes_equal and (version is version_compare(get_apache_min_version(), "==")) %}
+{{     content -}}
+{%   else %}
+<IfVersion {{ compare_operator }} {{ version }}>
+    {{ debops_indent(content, 4) }}
+</IfVersion>
+{%   endif %}
+{% endif %}
+{% endmacro %}
+{% macro get_version_wrapped(content, version, compare_operator, fallback_content=False) %}{# [[[ #}
+{# This macro has not been extensively tested yet. If it contains bugs please try to debug it if you need it.
+
+Examples:
+
+{{ get_version_wrapped('# 2.3.0 directive', "2.3", ">=", '# Prior to 2.3 directive') }}
+{{ get_version_wrapped('# 2.4.0 directive', "2.4", ">=", '# Prior to 2.4 directive') }}
+{{ get_version_wrapped('# 2.4.1 directive', "2.4.1", ">=", '# Prior to 2.4.1 directive') }}
+{{ get_version_wrapped('# 2.5.0 directive', "2.5", ">=", '# Prior to 2.5 directive') }}
+
+#}
+{% set version = '==' if (version == '=') else version %}
+{% set apache__tpl_xor_compare_operator_map = {} %}
+{% set apache__tpl_xor_compare_operator_list = [
+    ('==', '!='),
+    ('>=', '<'),
+    ('<=', '>'),
+] %}
+{% for compare_operator, xor_compare_operator in apache__tpl_xor_compare_operator_list %}
+{%   set _ = apache__tpl_xor_compare_operator_map.update({ compare_operator: xor_compare_operator }) %}
+{%   set _ = apache__tpl_xor_compare_operator_map.update({ xor_compare_operator: compare_operator }) %}
+{% endfor %}
+{% if apache__config_use_if_version | bool %}
+{{   get_min_version_wrapped(content, version, compare_operator) -}}
+{%   if fallback_content != False %}
+{{     get_min_version_wrapped(fallback_content, version, apache__tpl_xor_compare_operator_map[compare_operator]) -}}
+{%   endif %}
+{% else %}
+{%   if get_apache_version() is version_compare(version, compare_operator) %}
+{{     content -}}
+{%   elif fallback_content != False %}
+{{     fallback_content -}}
+{%   endif %}
+{% endif %}
+{% endmacro %}
+{% macro get_server_name_aliases(name_item) %}{# [[[ #}
+{% set apache__tpl_names = get_yaml_list_for_elem(name_item) | from_yaml %}
+{% if not apache__tpl_names %}
+{% set apache__tpl_names = [ apache__server_name ] %}
+{% endif %}
+ServerName {{ apache__tpl_names[0] | quote }}
+{% if apache__tpl_names | length > 1 %}
+ServerAlias {{ apache__tpl_names[1:] | map("quote") | join(" ") }}
+{% endif %}
+{% endmacro %}
+{% macro get_listen_sockets(item_listen_list, server_port_listen_list) %}{# [[[ #}
+{% set apache__tpl_listen_sockets = [] %}
+{% if item_listen_list | length == 0 %}
+{%   set item_listen_list = server_port_listen_list %}
+{% endif %}
+{% for item_listen in item_listen_list %}
+{%   if ':' not in item_listen | string %}
+{# {%     if item_listen in server_port_listen_list %}
+## Apparently, this is not even needed for Apache to (re)start without issues. #}
+{%     set _ = apache__tpl_listen_sockets.append("*:" + item_listen | string) %}
+{%   else %}
+{%     set _ = apache__tpl_listen_sockets.append(item_listen | string) %}
+{%   endif %}
+{% endfor %}
+{{ apache__tpl_listen_sockets | join(" ") -}}
+{% endmacro %}
+{% macro get_header_comments(item) %}{# [[[ #}
+{% if item.by_role | d() %}
+
+# Generated by Ansible role: {{ item.by_role }}
+{% endif %}
+{% endmacro %}
+{% macro get_server_directives(item) %}{# [[[ #}
+{% set sanitized_name = (get_yaml_list_for_elem(item.filename | d(item.name)) | from_yaml)[0] | replace(".", "_") %}
+{% if item.name | d([]) %}
+{{ get_server_name_aliases(item.name | d([])) }}
+{% endif %}
+ServerAdmin {{ item.server_admin | d(apache__server_admin) | quote }}
+CustomLog {{ item.custom_log | d('${APACHE_LOG_DIR}/' + sanitized_name + '_access.log' + ' ' + apache__access_log_format + ' ' + item.custom_log_condition | d()) }}
+ErrorLog {{ item.error_log | d('${APACHE_LOG_DIR}/' + sanitized_name + '_error.log') }}
+{% endmacro %}
+{% macro get_server_status_directives(item, enabled) %}{# [[[ #}
+{% if enabled | bool %}
+<Location {{ item.status_location | d(apache__status_location) | quote }}>
+    SetHandler server-status
+{%   if item.status_allow_localhost | d(apache__status_allow_localhost) | bool %}
+    Require local
+{%   endif %}
+{%   if item.status_directives | d(apache__status_directives) %}
+    {{ item.status_directives | d(apache__status_directives) }}
+{%   elif not (item.status_allow_localhost | d(apache__status_allow_localhost) | bool) %}
+    Require all denied
+{%   endif %}
+</Location>
+{% endif %}
+{% endmacro %}
+{% macro get_vhost_content_directives(item, mode='https', https_enabled=True) %}{# [[[ #}
+{% set apache__tpl_use_redirect_module = 'alias' %}
+{% set apache__tpl_status_enabled = item.status_enabled | d(apache__status_for_vhost_enabled) | bool %}
+{{ get_server_status_directives(item, apache__tpl_status_enabled) -}}
+{% if apache__tpl_status_enabled | bool and (
+        (mode == 'http' and (item.redirect_http | d() or item.redirect_to_https | d(apache__redirect_to_https) | bool)) or
+        (mode == 'https' and item.redirect_https | d())
+    ) %}
+<IfModule mod_rewrite>
+RewriteEngine On
+RewriteRule "^{{ item.status_location | d(apache__status_location) }}" "-" [L]
+</IfModule>
+{%   set apache__tpl_use_redirect_module = 'rewrite' %}
+{% endif %}
+{% if mode == 'http' and item.redirect_http | d() %}
+{{ get_redirect(item.redirect_http_code | d(307), "/", item.redirect_http, apache__tpl_use_redirect_module) }}
+{% elif mode == 'http' and item.redirect_to_https | d(apache__redirect_to_https) | bool %}
+{{ get_redirect(item.redirect_to_https_with_code | d("301"), "/", "https://" + (get_yaml_list_for_elem(item.name) | from_yaml)[0], apache__tpl_use_redirect_module) }}
+{% elif mode == 'https' and item.redirect_https | d() %}
+{{ get_redirect(item.redirect_https_code | d(307), "/", item.redirect_https, apache__tpl_use_redirect_module) }}
+{% else %}
+{{ get_content_directives(item) }}
+{% endif %}
+{% endmacro %}
+{% macro get_document_root_directives(item) %}{# [[[ #}
+Options {{ get_yaml_list_for_elem(item.options | d(apache__vhost_options)) | from_yaml | join(" ") }}
+AllowOverride {{ get_yaml_list_for_elem(item.allow_override | d(apache__vhost_allow_override)) | from_yaml | join(" ") }}
+
+{{ get_version_wrapped('Require all granted', "2.4", ">=",
+'Order allow,deny
+Allow from all') -}}
+{% if item.root_directives | d() %}
+
+{{ item.root_directives }}
+{% endif %}
+{% endmacro %}
+{% macro get_content_directives(item) %}{# [[[ #}
+{% if item.include | d() %}
+{% for include_file in get_yaml_list_for_elem(item.include) | from_yaml %}
+Include {{ include_file | quote }}
+{% endfor %}
+{% endif %}
+{% if item.include_optional | d() %}
+{% for include_optional_file in get_yaml_list_for_elem(item.include_optional) | from_yaml %}
+IncludeOptional {{ include_optional_file | quote }}
+{% endfor %}
+{% endif %}
+{% if item.root | d(item.document_root | d()) %}
+DocumentRoot {{ item.root | d(item.document_root) | quote }}
+
+{% if item.index | d() %}
+DirectoryIndex {{ get_yaml_list_for_elem(item.index) | from_yaml | join(" ") }}
+{% endif %}
+{% if item.alias | d() %}
+{{ get_alias(item.alias, item.alias_path | d(item.root) | d(item.document_root)) }}
+{%- endif %}
+<Directory {{ item.root | d(item.document_root) | quote }}>
+    {{ debops_indent(get_document_root_directives(item), 4) }}
+</Directory>
+{% endif %}
+{% if item.raw_content | d() %}
+
+{{ item.raw_content }}
+{% endif %}
+{% endmacro %}
+{% macro get_default_tls_directives(item) %}{# [[[ #}
+{# Included in server context to provide sane defaults (there might be vhosts
+# not controlled by this template) and in virtual host context to ensure those
+# settings are appliend and to allow per-vhost changes.
+# Refer to Applied-Crypto-Hardening_bettercrypto/src/configuration/Webservers/Apache/default-ssl for details.
+#}
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory /usr/lib/cgi-bin>
+    SSLOptions +StdEnvVars
+</Directory>
+
+BrowserMatch "MSIE [2-6]" \
+    nokeepalive ssl-unclean-shutdown \
+    downgrade-1.0 force-response-1.0
+# MSIE 7 and newer should be able to use keepalive
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+# TLS cipher suites set: {{ item.tls_cipher_suite_set_name | d(apache__tls_cipher_suite_set_name) | quote }}
+SSLCipherSuite       {{ apache__tls_cipher_suite_sets[item.tls_cipher_suite_set_name | d(apache__tls_cipher_suite_set_name)] | quote }}
+SSLProtocol          {{ item.tls_protocols | d(apache__tls_protocols) | join(" ") }}
+SSLHonorCipherOrder  {{ item.tls_honor_cipher_order | d(apache__tls_honor_cipher_order) | quote }}
+SSLCompression       {{ item.tls_compression | d(apache__tls_compression) | quote }}
+
+{#
+# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+# https://github.com/sovereign/sovereign/issues/373
+#}
+{% if get_apache_version() is version_compare("2.4.8", ">=") and get_openssl_version() is version_compare("1.0.2", ">=") %}
+# SSLOpenSSLConfCmd DHParameters {{ item.tls_dhparam_file | d(apache__tls_dhparam_file) | quote }}
+{% endif %}
+{% endmacro %}
+{% macro get_https_directives(item) %}{# [[[ #}
+SSLEngine on
+
+{{ get_default_tls_directives(item) }}
+{% set apache__tpl_pki_realm = item.pki_realm | d((get_realm_yaml_list(item.name, apache__pki_realm) | from_yaml)[0]) %}
+{% set apache__tpl_pki_realm_path = apache__pki_realm_path + "/" + apache__tpl_pki_realm %}
+SSLCertificateFile      {{ item.tls_crt | d(apache__tpl_pki_realm_path + "/" + (item.pki_crt | d(apache__pki_crt_filename))) | quote }}
+SSLCertificateKeyFile   {{ item.tls_key | d(apache__tpl_pki_realm_path + "/" + (item.pki_key | d(apache__pki_key_filename))) | quote }}
+{% if item.ocsp_stapling_enabled | d(apache__ocsp_stapling_enabled) | bool and get_openssl_version() is version_compare("0.9.8h", ">=") %}
+SSLUseStapling on
+{% endif %}
+
+{% if item.hsts_enabled | d(apache__hsts_enabled) | bool %}
+Header always set Strict-Transport-Security "max-age={{ item.hsts_max_age | d(apache__hsts_max_age) }}{{ "; includeSubDomains" if item.hsts_subdomains | d(apache__hsts_subdomains) | bool else "" }}{{ "; preload" if ((item.hsts_preload | d(apache__hsts_preload)) | bool) else "" }}"
+{% endif %}
+{% endmacro %}
+{% macro get_http_security_headers(item) %}{# [[[ #}
+{% set apache__tpl_directive_options = get_yaml_list_for_elem(item.http_sec_headers_directive_options | d(apache__http_sec_headers_directive_options)) | from_yaml | map("quote") | join(" ") %}
+{% if item.csp_enabled | d(False) | bool %}
+Header {{ apache__tpl_directive_options }} Content-Security-Policy "{{ item.csp | d("default-src https: ;") + (" " + item.csp_append | d(apache__http_csp_append) if (item.csp_append | d(apache__http_csp_append)) else "") }}"
+{% endif %}
+{% if item.csp_report_enabled | d(False) | bool %}
+Header {{ apache__tpl_directive_options }} Content-Security-Policy-Report-Only "{{ item.csp_report | d(item.csp | d("default-src https: ;")) + (" " + item.csp_append | d(apache__http_csp_append) if (item.csp_append | d(apache__http_csp_append)) else "") }}"
+{% endif %}
+{% if item.http_frame_options | d(apache__http_frame_options) != omit %}
+Header {{ apache__tpl_directive_options }} X-Frame-Options "{{ item.http_frame_options | d(apache__http_frame_options) }}"
+{% endif %}
+{% if item.http_xss_protection | d(apache__http_xss_protection) != omit %}
+Header {{ apache__tpl_directive_options }} X-XSS-Protection "{{ item.http_xss_protection | d(apache__http_xss_protection) }}"
+{% endif %}
+{% if item.http_referrer_policy | d(apache__http_referrer_policy) != omit %}
+Header {{ apache__tpl_directive_options }} Referrer-Policy "{{ item.http_referrer_policy | d(apache__http_referrer_policy) }}"
+{% endif %}
+{% if item.http_content_type_options | d(apache__http_content_type_options) != omit %}
+Header {{ apache__tpl_directive_options }} X-Content-Type-Options "{{ item.http_content_type_options | d(apache__http_content_type_options) }}"
+{% endif %}
+{% endmacro %}
+{% macro get_common_headers(item) %}{# [[[ #}
+{% if item.http_clacks_overhead | d(apache__http_clacks_overhead | d(True)) | bool %}
+{#
+# Respect the will of the DebOps Creator.
+# Ref: https://github.com/debops/ansible-nginx/commit/d6cd455c68a7584b2592053fd98d3e539054e09a
+#}
+Header always set X-Clacks-Overhead "GNU Terry Pratchett"
+{% endif %}
+{% endmacro %}
+{% macro get_redirect(code, from, to, module) %}{# [[[ #}
+{# Prefer the alias module but support the use of the rewrite module in case
+other rewrite rules are used in the same context because the rewrite rules are
+handled before all the directives from the alias module.
+#}
+{% set to = to + ("/" if (to[-1] != "/") else "") %}
+{% if module == 'alias' %}
+Redirect {{ code | string }} "{{ from }}" "{{ to }}"
+{% elif module == 'rewrite' %}
+<IfModule mod_rewrite>
+RewriteRule "^{{ from }}?(.*)" "{{ to }}$1" [L,R={{ code }},NE]
+</IfModule>
+{% endif %}
+{% endmacro %}
+{% macro get_alias(url_path, fs_directory) %}{# [[[ #}
+Alias {{ url_path | quote }} {{ (fs_directory + ("/" if (fs_directory[-1] != "/") else "")) | quote }}
+{% endmacro %}
+{% set apache__tpl_vhost_http_enabled = True if (get_listen_sockets(item.listen_http | d([]), apache__http_listen)) else False %}
+{% set apache__tpl_vhost_https_enabled = True if (item.https_enabled | d(apache__https_enabled) | bool and get_listen_sockets(item.listen_https | d([]), apache__https_listen)) else False %}
+{{ get_header_comments(item) }}
+
+{% if apache__tpl_vhost_http_enabled | bool %}
+# Virtual host handling HTTP [[[
+<VirtualHost {{ get_listen_sockets(item.listen_http | d([]), apache__http_listen) }}>
+
+    {{ debops_indent(get_server_directives(item), 4) }}
+
+    {{ debops_indent(get_vhost_content_directives(item, mode='http', https_enabled=apache__tpl_vhost_https_enabled), 4) }}
+
+</VirtualHost>
+# ]]]
+{% endif %}
+
+{% if apache__tpl_vhost_https_enabled | bool %}
+# Virtual host handling HTTPS  [[[
+<IfModule ssl_module>
+<VirtualHost {{ get_listen_sockets(item.listen_https | d([]), apache__https_listen) }}>
+
+    {{ debops_indent(get_server_directives(item), 4) }}
+
+    {{ debops_indent(get_https_directives(item), 4) }}
+    {{ debops_indent(get_http_security_headers(item), 4) }}
+    {{ debops_indent(get_common_headers(item), 4) }}
+
+    {{ debops_indent(get_vhost_content_directives(item, mode='https'), 4) }}
+
+</VirtualHost>
+</IfModule>
+# ]]]
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/raw.conf.j2 b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/raw.conf.j2
new file mode 100644
index 00000000..ad4407f6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apache/templates/etc/apache2/sites-available/raw.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% if item.raw | d() %}
+
+{{ item.raw }}
+{%- endif %}
diff --git a/ansible_collections/debops/debops/roles/apparmor/COPYRIGHT b/ansible_collections/debops/debops/roles/apparmor/COPYRIGHT
new file mode 100644
index 00000000..adba2c67
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/COPYRIGHT
@@ -0,0 +1,20 @@
+apparmor - Install and configure AppArmor
+
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+Copyright (C) 2015-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apparmor/defaults/main.yml b/ansible_collections/debops/debops/roles/apparmor/defaults/main.yml
new file mode 100644
index 00000000..85eaca15
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/defaults/main.yml
@@ -0,0 +1,228 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apparmor__ref_defaults:
+
+# Default variables
+# =================
+#
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: apparmor__base_packages [[[
+#
+# List of base packages to install.
+apparmor__base_packages:
+  - 'apparmor'
+  - 'apparmor-utils'
+  - 'apparmor-profiles'
+  - 'apparmor-profiles-extra'
+
+                                                                   # ]]]
+# .. envvar:: apparmor__packages [[[
+#
+# List of additional packages to install.
+apparmor__packages: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__enabled [[[
+#
+# Enable or disable support the AppArmor. Since the role is included from the
+# DebOps ``common`` playbook, this allows a manual override of the default
+# behavior.
+apparmor__enabled: '{{ ansible_local.apparmor.enabled
+                       | d(False
+                           if (ansible_distribution_release in ["stretch"] or
+                               (ansible_virtualization_role | d("") == "guest"
+                                and
+                                ansible_virtualization_type | d("") in
+                                  ["container"]))
+                           else True) }}'
+
+                                                                   # ]]]
+# .. envvar:: apparmor__manage_grub [[[
+#
+# Enable or disable support for adding kernel parameters via GRUB which cause
+# the AppArmor security module to be enabled at boot. Note that the normal
+# Debian/Ubuntu kernel packages already include and enable this support by
+# default, so this is only necessary for old distributions and/or customized
+# kernel builds.
+apparmor__manage_grub: '{{ ansible_local.apparmor.grub_enabled
+                           | d(True
+                               if (apparmor__enabled | d(False) | bool and
+                                   ansible_distribution_release in ["stretch"])
+                               else False) }}'
+
+                                                                   # ]]]
+# .. envvar:: apparmor__kernel_parameters [[[
+#
+# Kernel parameters needed to enable AppArmor (if not already enabled by
+# default, as in recent Debian/Ubuntu kernel packages). Only relevant if
+# :envvar:`apparmor__manage_grub` is enabled.
+apparmor__kernel_parameters:
+  - 'apparmor=1'
+  - 'security=apparmor'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# AppArmor profiles [[[
+# ---------------------
+
+# These variables control the state of individual AppArmor profiles. See
+# :ref:`apparmor__ref_profiles` for more details.
+
+# .. envvar:: apparmor__default_profiles [[[
+#
+# List of profiles to enable/disable, defined by the role.
+apparmor__default_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__profiles [[[
+#
+# List of profiles to enable/disable, defined for all hosts in the Ansible
+# inventory.
+apparmor__profiles: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__group_profiles [[[
+#
+# List of profiles to enable/disable, defined on hosts in a specific Ansible
+# inventory group.
+apparmor__group_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__host_profiles [[[
+#
+# List of profiles to enable/disable, defined on specific hosts in the Ansible
+# inventory.
+apparmor__host_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__dependent_profiles [[[
+#
+# Variable definitions managed by roles using this role as dependency.
+apparmor__dependent_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__combined_profiles [[[
+#
+# A combination of the profiles to enable/disable, defined by the other
+# variables, used in role tasks.
+apparmor__combined_profiles: '{{ apparmor__default_profiles
+                                 + apparmor__profiles
+                                 + apparmor__group_profiles
+                                 + apparmor__host_profiles
+                                 + apparmor__dependent_profiles }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# AppArmor local profile modifications [[[
+# ----------------------------------------
+
+# These variables control local profile modifications. See
+# :ref:`apparmor__ref_locals` for more details.
+
+# .. envvar:: apparmor__default_locals [[[
+#
+# List of default local profile modifications defined by the role.
+apparmor__default_locals: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__locals [[[
+#
+# List of local profile modifications defined for all hosts in the Ansible
+# inventory.
+apparmor__locals: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__group_locals [[[
+#
+# List of local profile modifications defined on hosts in a specific Ansible
+# inventory group.
+apparmor__group_locals: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__host_locals [[[
+#
+# List of local profile modifications defined on specific hosts in the Ansible
+# inventory.
+apparmor__host_locals: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__dependent_locals [[[
+#
+# Variable definitions managed by roles using this role as dependency.
+apparmor__dependent_locals: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__combined_locals [[[
+#
+# A combination of the local profile modifications defined by the other
+# variables, used in role tasks.
+apparmor__combined_locals: '{{ apparmor__default_locals
+                               + apparmor__locals
+                               + apparmor__group_locals
+                               + apparmor__host_locals
+                               + apparmor__dependent_locals }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# AppArmor tunables [[[
+# ---------------------
+
+# These variables control profile tunables. See :ref:`apparmor__ref_tunables`
+# for more details.
+
+# .. envvar:: apparmor__default_tunables [[[
+#
+# List of default tunables defined by the role.
+apparmor__default_tunables: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__tunables [[[
+#
+# List of tunables defined for all hosts in the Ansible inventory.
+apparmor__tunables: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__group_tunables [[[
+#
+# List of tunables defined on hosts in a specific Ansible inventory group.
+apparmor__group_tunables: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__host_tunables [[[
+#
+# List of tunables defined on specific hosts in the Ansible inventory.
+apparmor__host_tunables: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__dependent_tunables [[[
+#
+# Variable definitions managed by roles using this role as dependency.
+apparmor__dependent_tunables: []
+
+                                                                   # ]]]
+# .. envvar:: apparmor__combined_tunables [[[
+#
+# A combination of the tunables defined by the other variables, used in
+# role tasks.
+apparmor__combined_tunables: '{{ apparmor__default_tunables
+                                 + apparmor__tunables
+                                 + apparmor__group_tunables
+                                 + apparmor__host_tunables
+                                 + apparmor__dependent_tunables }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apparmor/meta/main.yml b/ansible_collections/debops/debops/roles/apparmor/meta/main.yml
new file mode 100644
index 00000000..b5873121
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Install and configure AppArmor'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - security
+    - hardening
+    - mac
diff --git a/ansible_collections/debops/debops/roles/apparmor/tasks/handle_locals.yml b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_locals.yml
new file mode 100644
index 00000000..d2ebfa34
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_locals.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create base directory for local modification {{ item.name }}
+  ansible.builtin.file:
+    path: '{{ "/etc/apparmor.d/local/" + item.name | dirname }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when:
+    - item.state | d("present") == "present"
+    - item.name | dirname != ""
+  tags: [ 'role::apparmor:locals' ]
+
+- name: Create local modification {{ item.name }}
+  ansible.builtin.template:
+    src: 'etc/apparmor.d/snippet.j2'
+    dest: '{{ "/etc/apparmor.d/local/" + item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: item.state | d("present") == "present"
+  vars:
+    apparmor__var_template_title: 'AppArmor local modification'
+    apparmor__var_template_suffix: ','
+    apparmor__var_template_operator: ' '
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:locals' ]
+
+- name: Check the presence of profile {{ item.name }}
+  ansible.builtin.stat:
+    path: '{{ "/etc/apparmor.d/" + item.name }}'
+  register: apparmor__register_local_profile
+  when: item.state | d("present") == "absent"
+  tags: [ 'role::apparmor:locals' ]
+
+- name: Truncate local modification {{ item.name }}
+  ansible.builtin.copy:
+    dest: '{{ "/etc/apparmor.d/local/" + item.name }}'
+    content: ''
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when:
+    - item.state | d("present") == "absent"
+    - apparmor__register_local_profile.stat.exists | d(False)
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:locals' ]
+
+- name: Remove local modification {{ item.name }}
+  ansible.builtin.file:
+    path: '{{ "/etc/apparmor.d/local/" + item.name }}'
+    state: 'absent'
+  when:
+    - item.state | d("present") == "absent"
+    - not apparmor__register_local_profile.stat.exists | d(False)
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:locals' ]
diff --git a/ansible_collections/debops/debops/roles/apparmor/tasks/handle_profiles.yml b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_profiles.yml
new file mode 100644
index 00000000..ba46486d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_profiles.yml
@@ -0,0 +1,45 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure a valid state for profile {{ item.name }}
+  ansible.builtin.assert:
+    that: item.state | d() in [ "enforce", "complain", "disable", "ignore" ]
+    quiet: True
+  tags: [ 'role::apparmor:profiles' ]
+
+- name: Check presence of profile {{ item.name }}
+  ansible.builtin.stat:
+    path: '{{ "/etc/apparmor.d/" + item.name }}'
+  register: apparmor__stat_profile
+  when: item.state != "ignore"
+  tags: [ 'role::apparmor:profiles' ]
+
+# Note: the aa-* utils happily exit with 0 even when the profile doesn't exist
+- name: Ensure existence of profile {{ item.name }}
+  ansible.builtin.assert:
+    that: apparmor__stat_profile.stat.exists | d(False)
+    quiet: True
+  when: item.state != "ignore"
+  tags: [ 'apparmor:profiles' ]
+
+- name: Register current AppArmor state
+  ansible.builtin.command: aa-status --json
+  register: apparmor__register_old_status
+  changed_when: False
+  when: item.state != "ignore"
+  tags: [ 'role::apparmor:profiles' ]
+
+# Note: can't use --no-reload here, because aa-status won't show any changes
+- name: Set profile {{ item.name + " to " + item.state }}
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         aa-{{ item.state }} {{ ("/etc/apparmor.d/" + item.name) | quote }}
+            > /dev/null 2>&1 &&
+         aa-status --json
+  args:
+    executable: bash
+  register: apparmor__register_new_status
+  changed_when: apparmor__register_new_status.stdout != apparmor__register_old_status.stdout
+  when: item.state != "ignore"
+  tags: [ 'role::apparmor:profiles' ]
diff --git a/ansible_collections/debops/debops/roles/apparmor/tasks/handle_tunables.yml b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_tunables.yml
new file mode 100644
index 00000000..69154efd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/tasks/handle_tunables.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Note: these two could be merged, but it makes the output much more confusing
+- name: Remove tunable {{ item.name }}
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/apparmor.d/tunables/" + item.name }}'
+    state: 'absent'
+    delete: True
+  when: item.state | d("present") == "absent"
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:tunables' ]
+
+- name: Divert tunable {{ item.name }}
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/apparmor.d/tunables/" + item.name }}'
+    state: 'present'
+    delete: True
+  when: item.state | d("present") == "present"
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:tunables' ]
+
+- name: Create base directory for tunable {{ item.name }}
+  ansible.builtin.file:
+    path: '{{ "/etc/apparmor.d/tunables/" + item.name | dirname }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when:
+    - item.state | d("present") == "present"
+    - item.name | dirname != ""
+  tags: [ 'role::apparmor:tunables' ]
+
+- name: Create tunable {{ item.name }}
+  ansible.builtin.template:
+    src: 'etc/apparmor.d/snippet.j2'
+    dest: '{{ "/etc/apparmor.d/tunables/" + item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  vars:
+    apparmor__var_template_title: 'AppArmor tunable'
+    apparmor__var_template_suffix: ''
+    apparmor__var_template_operator: '='
+  when: item.state | d("present") == "present"
+  notify: [ 'Reload all AppArmor profiles' ]
+  tags: [ 'role::apparmor:tunables' ]
diff --git a/ansible_collections/debops/debops/roles/apparmor/tasks/main.yml b/ansible_collections/debops/debops/roles/apparmor/tasks/main.yml
new file mode 100644
index 00000000..b59454f6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/tasks/main.yml
@@ -0,0 +1,127 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (apparmor__base_packages
+                              + apparmor__packages)) }}'
+    state: 'present'
+  register: apparmor__register_packages
+  until: apparmor__register_packages is succeeded
+  tags: [ 'role::apparmor:pkg' ]
+
+- name: Make sure that the Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save AppArmor local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apparmor.fact.j2'
+    dest: '/etc/ansible/facts.d/apparmor.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Add AppArmor kernel parameters to GRUB configuration
+  ansible.builtin.template:
+    src: 'etc/default/grub.d/debops.apparmor.cfg.j2'
+    dest: '/etc/default/grub.d/debops.apparmor.cfg'
+    mode: '0644'
+  when: >
+    apparmor__enabled | d(False) | bool and
+    apparmor__manage_grub | d(False) | bool
+  notify: [ 'Update GRUB' ]
+  tags: [ 'role::apparmor:grub' ]
+
+- name: Remove AppArmor kernel parameters from GRUB configuration
+  ansible.builtin.file:
+    path: '/etc/default/grub.d/debops.apparmor.cfg'
+    state: 'absent'
+  when: >
+    not apparmor__enabled | d(False) | bool or
+    not apparmor__manage_grub | d(False) | bool
+  notify: [ 'Update GRUB' ]
+  tags: [ 'role::apparmor:grub' ]
+
+- name: Remove legacy GRUB configuration options
+  ansible.builtin.lineinfile:
+    dest: '/etc/default/grub'
+    regexp: '^GRUB_CMDLINE_LINUX="(.*?)\$GRUB_CMDLINE_LINUX_ANSIBLE_APPARMOR(.*)"'
+    line: 'GRUB_CMDLINE_LINUX="\1 \2"'
+    backrefs: yes
+    mode: '0644'
+  notify: [ 'Update GRUB' ]
+  tags: [ 'role::apparmor:grub' ]
+
+- name: Configure tunables
+  ansible.builtin.include_tasks: handle_tunables.yml
+  loop: '{{ apparmor__combined_tunables | debops.debops.parse_kv_items() }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::apparmor:tunables' ]
+
+- name: Configure local changes to system profiles
+  ansible.builtin.include_tasks: handle_locals.yml
+  loop: '{{ apparmor__combined_locals | debops.debops.parse_kv_items() }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::apparmor:locals' ]
+
+- name: Configure profiles
+  ansible.builtin.include_tasks: handle_profiles.yml
+  loop: '{{ apparmor__combined_profiles | debops.debops.parse_kv_items() }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::apparmor:profiles' ]
+
+- name: Start and enable the AppArmor service
+  ansible.builtin.service:
+    name: 'apparmor'
+    state: 'started'
+    enabled: True
+  when:
+    - apparmor__enabled | d(False) | bool
+    - ansible_local.apparmor.installed | d(False) | bool
+  tags: [ 'role::apparmor:service' ]
+
+- name: Reload AppArmor profiles if necessary
+  ansible.builtin.meta: 'flush_handlers'
+  tags: [ 'role::apparmor:profiles' ]
+
+- name: Stop and disable the AppArmor service
+  ansible.builtin.service:
+    name: 'apparmor'
+    state: 'stopped'
+    enabled: False
+  when:
+    - not apparmor__enabled | d(False) | bool
+    - ansible_local.apparmor.installed | d(False) | bool
+  tags: [ 'role::apparmor:service' ]
+
+- name: Unload all AppArmor profiles
+  ansible.builtin.command: aa-teardown
+  when:
+    - not apparmor__enabled | d(False) | bool
+    - ansible_local.apparmor.installed | d(False) | bool
+  register: apparmor__register_teardown
+  changed_when: apparmor__register_teardown.changed | bool
+  tags: [ 'role::apparmor:profiles' ]
diff --git a/ansible_collections/debops/debops/roles/apparmor/templates/etc/ansible/facts.d/apparmor.fact.j2 b/ansible_collections/debops/debops/roles/apparmor/templates/etc/ansible/facts.d/apparmor.fact.j2
new file mode 100644
index 00000000..52c58893
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/templates/etc/ansible/facts.d/apparmor.fact.j2
@@ -0,0 +1,45 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def read_kernel_bool(path):
+    value = 'N'
+
+    try:
+        with open(path, 'r') as file:
+            value = file.read().strip()
+
+    except Exception:
+        pass
+
+    return value.upper() == 'Y'
+
+
+output = loads('''{{ {
+                       "enabled": apparmor__enabled | d(False) | bool,
+                       "grub_enabled" apparmor__manage_grub | d(False) | bool
+                     } | to_nice_json }}''')
+
+output.append({'installed': (cmd_exists('aa-status') and
+                             cmd_exists('aa-teardown'))})
+output.append({'kernel_enabled':
+               read_kernel_bool('/sys/module/apparmor/parameters/enabled')})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apparmor/templates/etc/apparmor.d/snippet.j2 b/ansible_collections/debops/debops/roles/apparmor/templates/etc/apparmor.d/snippet.j2
new file mode 100644
index 00000000..0ccf94ae
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/templates/etc/apparmor.d/snippet.j2
@@ -0,0 +1,54 @@
+{#
+ # Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# {{ item.name }} - {{ appamor__var_template_title | d('Configuration snippet') }}
+
+{% macro print_option(option, commented, loop_first, level) %}
+{%   if option.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set prefix = ("{:^" + level | string + "}").format('') %}
+{%     set comment_prefix = (prefix + "# ") %}
+{%     if commented or option.state | d('present') == 'comment' %}
+{%       set commented = True %}
+{%       set prefix = comment_prefix %}
+{%     endif %}
+{%     if option.separator | d(False) or level == 0 or (option.comment | d() and not loop_first) %}
+{{       '' }}
+{%     endif %}
+{%     if option.comment | d() %}
+{{       option.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%     endif %}
+{%     if option.raw | d() and commented %}
+{{       '{}'.format(option.raw | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='')) -}}
+{%     elif option.raw | d() and not commented %}
+{{       '{}{}'.format(prefix, option.raw | regex_replace('\n$', '')) }}
+{%     elif option.options | d() %}
+{{       '{}{} {{'.format(prefix, option.option | d(option.name) | regex_replace('\n$', '')) }}
+{%       for option in option.options %}
+{{         print_option(option, commented, loop.first, level + 1) -}}
+{%       endfor %}
+{{       '{}}}'.format(prefix) }}
+{%     else %}
+{%       if option.operator | d() %}
+{%         set operator = option.operator %}
+{%       elif option.option | d(option.name) == '#include' %}
+{%         set operator = ' ' %}
+{%       else %}
+{%         set operator = apparmor__var_template_operator | d('=') %}
+{%       endif %}
+{%       set suffix = option.suffix | d(apparmor__var_template_suffix | d('')) %}
+{{       '{}{}{}{}{}'.format(prefix,
+                             option.option | d(option.name),
+                             operator,
+                             option.value | d(""),
+                             suffix) }}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{##}
+{% for option in item.options %}
+{{   print_option(option, False, loop.first, 0) -}}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/apparmor/templates/etc/default/grub.d/debops.apparmor.cfg.j2 b/ansible_collections/debops/debops/roles/apparmor/templates/etc/default/grub.d/debops.apparmor.cfg.j2
new file mode 100644
index 00000000..932e7cb6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apparmor/templates/etc/default/grub.d/debops.apparmor.cfg.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+GRUB_CMDLINE_LINUX_DEBOPS_APPARMOR="{{ apparmor__kernel_parameters | d([]) | flatten | join(' ') }}"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $GRUB_CMDLINE_LINUX_DEBOPS_APPARMOR"
diff --git a/ansible_collections/debops/debops/roles/apt/COPYRIGHT b/ansible_collections/debops/debops/roles/apt/COPYRIGHT
new file mode 100644
index 00000000..2b7dcbc8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.apt - Manage APT repositories and keys using Ansible
+
+Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt/defaults/main.yml b/ansible_collections/debops/debops/roles/apt/defaults/main.yml
new file mode 100644
index 00000000..2cd18b39
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/defaults/main.yml
@@ -0,0 +1,793 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt__ref_defaults:
+
+# debops.apt default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: apt__enabled [[[
+#
+# Enable or disable management of the APT configuration and sources using this
+# role.
+apt__enabled: '{{ True if (ansible_pkg_mgr == "apt") else False }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__deploy_state [[[
+#
+# Enable (if ``present``) or disable (if ``absent``) management of the
+# :file:`/etc/apt/sources.list` configuration file by the role.
+apt__deploy_state: '{{ "present"
+                       if (ansible_facts.distribution in ["Debian", "Raspbian", "Ubuntu", "Devuan"])
+                       else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__cache_valid_time [[[
+#
+# Update APT cache early in the playbook if it's older than 24h
+# Set to False to disable update (useful when changing APT mirrors)
+apt__cache_valid_time: '{{ ansible_local.core.cache_valid_time | d(60 * 60 * 24) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Packages to install [[[
+# -----------------------
+
+# .. envvar:: apt__base_packages [[[
+#
+# Default base packages to install for APT support. You can use the
+# :ref:`debops.apt_install` role to install other packages not related to the
+# package manager.
+apt__base_packages:
+  - 'lsb-release'
+  - 'ca-certificates'
+  - '{{ "apt-transport-https"
+        if (ansible_distribution_release in
+            ["stretch", "trusty", "xenial"])
+        else [] }}'
+  - 'gnupg'
+
+                                                                   # ]]]
+# .. envvar:: apt__packages [[[
+#
+# List of additional APT packages to install for APT support. You can use the
+# :ref:`debops.apt_install` role to install other packages not related to the
+# package manager.
+apt__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`/etc/apt/sources.list` defaults [[[
+# ----------------------------------------------
+
+# These variables are used in configuration options of the
+# :file:`/etc/apt/sources.list` configuration file. They are exposed here for
+# convenience.
+
+# .. envvar:: apt__archive_types [[[
+#
+# List of source types to configure for the default package sources. Supported
+# choices: ``deb``, ``deb-src``.
+apt__archive_types: [ 'deb', 'deb-src' ]
+
+                                                                   # ]]]
+# .. envvar:: apt__archive_sources_disabled [[[
+#
+# If enabled, the 'deb-src' APT archive sources will be commented out by
+# default to make APT updates faster.
+apt__archive_sources_disabled: True
+
+                                                                   # ]]]
+# .. envvar:: apt__architecture [[[
+#
+# The default system architecture present on the host.
+apt__architecture: '{{ apt__architecture_map[ansible_facts.architecture]
+                       | d(ansible_facts.architecture) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__architecture_map [[[
+#
+# A YAML dictionary which defines a mapping between Ansible architectures and
+# Debian/Ubuntu ports. Only definitions that are different from the detected
+# ones are listed here, otherwise the value of ``ansible_architecture`` is
+# used.
+apt__architecture_map:
+  'x86_64': 'amd64'
+  'armv7l': 'armhf'
+  'aarch64': 'arm64'
+
+                                                                   # ]]]
+# .. envvar:: apt__distribution [[[
+#
+# The Linux distribution present on the host.
+# Note: this deliberately does not default to ansible_local.core.distribution
+# because this local fact is set by the 'core' role, which runs later in the
+# common playbook.
+# Ref: https://github.com/debops/debops/issues/2046#issuecomment-1086702657
+apt__distribution: '{{ ansible_facts.lsb.id | d(ansible_facts.distribution) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__distribution_release [[[
+#
+# The Linux distribution release present on the host.
+# Note: this deliberately does not default to
+# ansible_local.core.distribution_release because this local fact is set by the
+# 'core' role, which runs later in the common playbook.
+# Ref: https://github.com/debops/debops/issues/2046#issuecomment-1086702657
+apt__distribution_release: '{{ ansible_facts.lsb.codename
+                               | d(ansible_facts.distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__distribution_version [[[
+#
+# The OS distribution version, used for specific APT repositories.
+apt__distribution_version: '{{ ansible_facts.distribution_version }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__nonfree [[[
+#
+# Boolean. If enabled, non-free sections of a given distribution repository
+# will be enabled, otherwise they won't be present.
+#
+# By default non-free sections are enabled on hardware-based hosts due to
+# a possible requirement for non-free firmware packages. The fact script will
+# also check if non-free section was enabled in the original
+# :file:`sources.list` file and enable it accordingly.
+apt__nonfree: '{{ ansible_facts.ansible_local.apt.nonfree
+                  | d(True
+                      if (ansible_facts.virtualization_role is undefined or
+                          ansible_facts.virtualization_role != "guest")
+                      else False) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__nonfree_firmware [[[
+#
+# Boolean. If enabled, sections of a given distribution repository which
+# contain non-free firmware packages will be enabled, otherwise they won't be
+# present.
+#
+# By default non-free firmware sections are enabled on hardware-based hosts due
+# to a possible requirement for non-free firmware packages.
+apt__nonfree_firmware: '{{ True
+                           if (ansible_facts.virtualization_role is undefined or
+                               ansible_facts.virtualization_role != "guest")
+                           else False }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__distribution_repository_map [[[
+#
+# YAML dictionary which maps the distribution OS to its default APT repository.
+# Values from here are used in multiple entries in the
+# :file:`/etc/apt/sources.list` configuration and are exposed here for
+# convenience.
+apt__distribution_repository_map:
+  'Debian': 'http://deb.debian.org/debian'
+  'Devuan': 'http://deb.devuan.org/merged'
+  'Ubuntu': '{{ "http://archive.ubuntu.com/ubuntu"
+                if (apt__architecture in ["amd64", "i386"])
+                else "http://ports.ubuntu.com/ubuntu-ports" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__debian_archived_releases [[[
+#
+# List of Debian releases which have been archived and are not available in the
+# default APT repositories. This variable is used conditionally to detect if
+# a given OS release is archived.
+apt__debian_archived_releases: [ 'wheezy', 'jessie', 'stretch', 'buster' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`/etc/apt/sources.list` configuration entries [[[
+# -----------------------------------------------------------
+
+# .. _apt__ref_sources_defaults:
+
+# These variables define the contents of the :file:`/etc/apt/sources.list`
+# configuration file. See :ref:`apt__ref_sources` for more details.
+
+# .. envvar:: apt__debian_sources [[[
+#
+# APT source entries for the Debian distribution.
+apt__debian_sources:
+
+  - name: 'debian-release'
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Debian | d() }}'
+    suites:
+      - '{{ apt__distribution_release }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Debian")
+               else "ignore" }}'
+
+  - name: 'debian-release'
+    uri: 'http://archive.debian.org/debian'
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release in apt__debian_archived_releases)
+               else "ignore" }}'
+
+  - name: 'debian-release'
+    suites:
+      - '{{ apt__distribution_release + "-updates" }}'
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release not in apt__debian_archived_releases and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'debian-release'
+    suites:
+      - '{{ apt__distribution_release + "-backports" }}'
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'debian-release'
+    components: [ 'non-free-firmware' ]
+    state: '{{ "ignore"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release in ["wheezy", "jessie", "stretch",
+                                                 "buster", "bullseye"])
+               else ("present"
+                     if (apt__distribution == "Debian" and
+                         apt__nonfree_firmware | bool)
+                     else "ignore") }}'
+
+  - name: 'debian-release'
+    components: [ 'contrib', 'non-free' ]
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'debian-release-security'
+    types: '{{ apt__archive_types }}'
+    uri: 'http://deb.debian.org/debian-security/'
+    suites:
+      - '{{ apt__distribution_release + "-security" }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release not in apt__debian_archived_releases and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'debian-release-security'
+    uri: 'http://security.debian.org/'
+    suites:
+
+      # For some reason, filter doesn't accept '' string to reset the list of
+      # suites, so let's reset it "manually" for now.
+      - name: '{{ apt__distribution_release + "-security" }}'
+        state: 'absent'
+
+      - '{{ apt__distribution_release + "/updates" }}'
+
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release not in apt__debian_archived_releases and
+                   apt__distribution_release in ["buster"] and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'debian-release-security'
+    components: [ 'non-free-firmware' ]
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release not in apt__debian_archived_releases and
+                   apt__distribution_release not in ["buster", "bullseye"] and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree_firmware | bool)
+               else "ignore" }}'
+
+  - name: 'debian-release-security'
+    components: [ 'contrib', 'non-free' ]
+    state: '{{ "present"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release not in apt__debian_archived_releases and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__devuan_sources [[[
+#
+# APT source entries for the Devuan distribution.
+apt__devuan_sources:
+
+  - name: 'devuan-release'
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Devuan | d() }}'
+    suites:
+      - '{{ apt__distribution_release }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Devuan")
+               else "ignore" }}'
+
+  - name: 'devuan-release'
+    uri: 'http://archive.devuan.org/merged'
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__distribution_release in ["jessie", "ascii"])
+               else "ignore" }}'
+
+  - name: 'devuan-release'
+    suites:
+      - '{{ apt__distribution_release + "-updates" }}'
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__distribution_release not in ["jessie", "ascii"] and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'devuan-release'
+    suites:
+      - '{{ apt__distribution_release + "-backports" }}'
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__distribution_release not in ["jessie"] and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'devuan-release'
+    components: [ 'contrib', 'non-free' ]
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'devuan-release-security'
+    types: '{{ apt__archive_types }}'
+    uri: 'http://pkgmaster.devuan.org/merged'
+    suites:
+      - '{{ apt__distribution_release + "-security" }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__distribution_release not in ["jessie", "ascii"] and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'devuan-release-security'
+    components: [ 'contrib', 'non-free' ]
+    state: '{{ "present"
+               if (apt__distribution == "Devuan" and
+                   apt__distribution_release not in ["jessie", "ascii"] and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__ubuntu_sources [[[
+#
+# APT source entries for the Ubuntu distribution.
+apt__ubuntu_sources:
+
+  - name: 'ubuntu-release'
+    comment: |
+      See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+      newer versions of the distribution.
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release'
+    components: [ 'restricted' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-updates'
+    comment: |
+      Major bug fix updates produced after the final release of the
+      distribution.
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release + "-updates" }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-updates'
+    components: [ 'restricted' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-universe'
+    comment: |
+      N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+      team. Also, please note that software in universe WILL NOT receive any
+      review or updates from the Ubuntu security team.
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release }}'
+      - '{{ apt__distribution_release + "-updates" }}'
+    components: [ 'universe' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-multiverse'
+    comment: |
+      N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+      team, and may not be under a free licence. Please satisfy yourself as to
+      your rights to use the software. Also, please note that software in
+      multiverse WILL NOT receive any review or updates from the Ubuntu
+      security team.
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release }}'
+      - '{{ apt__distribution_release + "-updates" }}'
+    components: [ 'multiverse' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-backports'
+    comment: |
+      N.B. software from this repository may not have been tested as
+      extensively as that contained in the main release, although it includes
+      newer versions of some applications which may provide useful features.
+      Also, please note that software in backports WILL NOT receive any review
+      or updates from the Ubuntu security team.
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release + "-backports" }}'
+    components: [ 'main' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-backports'
+    components: [ 'restricted' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-backports'
+    components: [ 'universe' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-backports'
+    components: [ 'multiverse' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-partner'
+    comment: |
+      Uncomment the following two lines to add software from Canonical's
+      'partner' repository.
+      This software is not part of Ubuntu, but is offered by Canonical and the
+      respective vendors as a service to Ubuntu users.
+    types: '{{ apt__archive_types }}'
+    uri: 'http://archive.canonical.com/ubuntu'
+    suites:
+      - '{{ apt__distribution_release }}'
+    components: [ 'partner' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-security'
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release + "-security" }}'
+    components: [ 'main' ]
+    separate: False
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-security'
+    components: [ 'restricted' ]
+    separate: False
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-universe-security'
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release + "-security" }}'
+    components: [ 'universe' ]
+    separate: False
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a")
+               else "ignore" }}'
+
+  - name: 'ubuntu-release-multiverse-security'
+    types: '{{ apt__archive_types }}'
+    uri: '{{ apt__distribution_repository_map.Ubuntu | d() }}'
+    suites:
+      - '{{ apt__distribution_release + "-security" }}'
+    components: [ 'multiverse' ]
+    state: '{{ "present"
+               if (apt__distribution == "Ubuntu" and
+                   apt__distribution_version != "n/a" and
+                   apt__nonfree | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt__sources [[[
+#
+# List of APT sources defined on all hosts in the Ansible inventory.
+apt__sources: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_sources [[[
+#
+# List of APT sources defined on hosts in a specific Ansible inventory group.
+apt__group_sources: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_sources [[[
+#
+# List of APT sources defined on specific hosts in the Ansible inventory.
+apt__host_sources: []
+
+                                                                   # ]]]
+# .. envvar:: apt__combined_sources [[[
+#
+# This variable combines all of the :file:`/etc/apt/sources.list` configuration
+# lists and is used in role tasks and templates.
+apt__combined_sources: '{{ apt__debian_sources
+                           + apt__devuan_sources
+                           + apt__ubuntu_sources
+                           + apt__sources
+                           + apt__group_sources
+                           + apt__host_sources }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Extra architectures [[[
+# -----------------------
+
+# These lists define extra architectures to be enabled on the host.
+# The main architecture does not need to be defined that way.
+
+# .. envvar:: apt__extra_architectures [[[
+#
+# List of extra architectures to configure on all hosts in Ansible inventory.
+apt__extra_architectures: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_extra_architectures [[[
+#
+# List of extra architectures to configure on hosts in specific Ansible inventory
+# group.
+apt__group_extra_architectures: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_extra_architectures [[[
+#
+# List of extra architectures to configure on specific hosts in Ansible inventory.
+apt__host_extra_architectures: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages to purge [[[
+# -------------------------
+
+# These lists define what APT packages should be purged (removed along with
+# their configuration, data files and unused dependencies) from the hosts after
+# APT repositories have been configured. Since this role is applied in the
+# bootstrap playbooks, the packages will be purged early on; this might be
+# useful in certain provisioning setups.
+#
+# Use only simple APT package names here. For conditional removal, refer to the
+# :ref:`debops.apt_install` role.
+
+# .. envvar:: apt__purge_packages [[[
+#
+# List of APT packages to purge on all hosts in the Ansible inventory.
+apt__purge_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt__purge_group_packages [[[
+#
+# List of APT packages to purge on hosts in a specific Ansible inventory group.
+apt__purge_group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt__purge_host_packages [[[
+#
+# List of APT packages to purge on specific hosts in the Ansible inventory.
+apt__purge_host_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT repository keys [[[
+# -----------------------
+
+# These lists define APT GPG keys to configure on hosts to enable authenticated
+# access to additional APT repositories. See :ref:`apt__ref_keys` for more
+# details.
+
+# .. envvar:: apt__keys [[[
+#
+# List of APT GPG keys to configure on all hosts in Ansible inventory.
+apt__keys: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_keys [[[
+#
+# List of APT GPG keys to configure on hosts in specific Ansible inventory
+# group.
+apt__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_keys [[[
+#
+# List of APT GPG keys to configure on specific hosts in Ansible inventory.
+apt__host_keys: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT repositories [[[
+# --------------------
+
+# These lists define additional APT repositories in the
+# :file:`/etc/apt/sources.list.d/` directory. See :ref:`apt__ref_repositories` for
+# more details.
+
+# .. envvar:: apt__repositories [[[
+#
+# List of additional APT repositories for all hosts in Ansible inventory.
+apt__repositories: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_repositories [[[
+#
+# List of additional APT repositories for hosts in specific Ansible inventory
+# group.
+apt__group_repositories: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_repositories [[[
+#
+# List of additional APT repositories for specific hosts in Ansible inventory.
+apt__host_repositories: []
+
+                                                                   # ]]]
+# .. envvar:: apt__combined_repositories [[[
+#
+# Variable which combines all of the repository lists and is used in role tasks
+# and templates.
+apt__combined_repositories: '{{ apt__repositories
+                                + apt__group_repositories
+                                + apt__host_repositories }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT authentication files [[[
+# ----------------------------
+
+# These lists define APT authentication information for repositories which
+# require HTTP Basic Authentication to access. See :ref:`apt__ref_auth_files`
+# for more details.
+
+# .. envvar:: apt__auth_files [[[
+#
+# Authentication configuration files which should be present on all hosts in
+# the Ansible inventory.
+apt__auth_files: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_auth_files [[[
+#
+# Authentication configuration files which should be present on hosts in
+# a specific Ansible inventory group.
+apt__group_auth_files: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_auth_files [[[
+#
+# Authentication configuration files which should be present on specific hosts
+# in the Ansible inventory.
+apt__host_auth_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT configuration files [[[
+# ---------------------------
+
+# These lists define additional APT configuration files in
+# :file:`/etc/apt/apt.conf.d/` directory.
+# See :ref:`apt__ref_configuration` for more details.
+
+# .. envvar:: apt__default_configuration [[[
+#
+# List of default APT configuration entries defined by the role.
+apt__default_configuration:
+
+  - name: 'non-free-firmware-note'
+    filename: 'non-free-firmware-note.conf'
+    comment: 'Disable note about Debian Bookworm moving firmware to a separate section'
+    raw: |
+      APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";
+    state: '{{ "ignore"
+               if (apt__distribution == "Debian" and
+                   apt__distribution_release in ["wheezy", "jessie", "stretch",
+                                                 "buster", "bullseye"])
+               else "present" }}'
+
+  - name: 'no-recommends'
+    filename: '25no-recommends.conf'
+    comment: 'Should APT install recommended or suggested packages?'
+    raw: |
+      APT::Install-Recommends "false";
+      APT::Install-Suggests "false";
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: apt__configuration [[[
+#
+# List of additional APT configuration to add on all hosts in Ansible inventory.
+apt__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt__group_configuration [[[
+#
+# List of additional APT configuration to add on hosts in specific Ansible
+# inventory group.
+apt__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt__host_configuration [[[
+#
+# List of additional APT configuration to add on specific hosts in Ansible
+# inventory.
+apt__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt__combined_configuration [[[
+#
+# Variable which combines all of the APT configuration lists and is used in
+# role tasks and templates.
+apt__combined_configuration: '{{ apt__default_configuration
+                                 + apt__configuration
+                                 + apt__group_configuration
+                                 + apt__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt/meta/main.yml b/ansible_collections/debops/debops/roles/apt/meta/main.yml
new file mode 100644
index 00000000..db495ada
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage APT repositories and keys'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - packages
+    - apt
diff --git a/ansible_collections/debops/debops/roles/apt/tasks/main.yml b/ansible_collections/debops/debops/roles/apt/tasks/main.yml
new file mode 100644
index 00000000..ab936e3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/tasks/main.yml
@@ -0,0 +1,239 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'debops.debops.global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'debops.debops.secret'
+
+- name: Validate configuration of APT repositories
+  ansible.builtin.assert:
+    that:
+      - 'item.filename is defined'
+      - 'item.repo is defined or item.uris is defined or item.state in ["divert", "absent"]'
+    fail_msg: 'You need to specify "filename" and either "repo" or "uris" as parameters'
+    quiet: True
+  loop: '{{ apt__combined_repositories | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ item.name }}'
+
+- name: Configure custom APT keys
+  ansible.builtin.apt_key:
+    data:      '{{ item.data | d(omit) }}'
+    file:      '{{ item.file | d(omit) }}'
+    id:        '{{ item.id | d(omit) }}'
+    keyring:   '{{ item.keyring | d(omit) }}'
+    keyserver: '{{ item.keyserver | d(omit) }}'
+    url:       '{{ item.url | d(omit) }}'
+    state:     '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", apt__keys
+                           + apt__group_keys
+                           + apt__host_keys) }}'
+  register: apt__register_apt_key
+  until: apt__register_apt_key is succeeded
+  when: apt__enabled | bool and (item.url | d() or item.data | d() or item.id | d() or item.file | d())
+  tags: [ 'role::apt:keys' ]
+
+- name: Add/remove diversion of repository sources
+  debops.debops.dpkg_divert:
+    path: '/etc/apt/sources.list.d/{{ item.filename }}'
+    state: '{{ "present"
+               if (item.state | d("present") == "divert")
+               else "absent" }}'
+    delete: True
+  loop: '{{ apt__combined_repositories | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: apt__register_divert_repositories
+  when: (apt__enabled | bool and item.filename and item.repo is undefined and item.uris is undefined and
+         (item.state | d("present")) in [ "divert", "absent" ])
+
+- name: Configure custom APT repositories
+  ansible.builtin.apt_repository:
+    update_cache: False
+    repo:     '{{ item.repo }}'
+    codename: '{{ item.codename | d(omit) }}'
+    filename: '{{ item.filename | regex_replace(".list$", "") | regex_replace(".sources$", "") }}'
+    mode:     '{{ item.mode | d(omit) }}'
+    state:    '{{ item.state | d("present") }}'
+  loop: '{{ apt__combined_repositories | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: apt__register_apt_repositories
+  when: (apt__enabled | bool and item.repo | d() and item.uris is undefined and
+         (item.state | d("present")) not in [ "divert", "ignore", "init" ])
+
+- name: Configure custom APT Deb822 repositories
+  ansible.builtin.deb822_repository:
+    uris:              '{{ item.uris }}'
+    name:              '{{ item.filename | regex_replace(".sources$", "") | regex_replace(".list$", "") }}'
+    allow_downgrade_to_insecure: '{{ item.allow_downgrade_to_insecure | d(omit) }}'
+    allow_insecure:    '{{ item.allow_insecure | d(omit) }}'
+    allow_weak:        '{{ item.allow_weak | d(omit) }}'
+    architectures:     '{{ item.architectures | d(omit) }}'
+    by_hash:           '{{ item.by_hash | d(omit) }}'
+    check_date:        '{{ item.check_date | d(omit) }}'
+    check_valid_until: '{{ item.check_valid_until | d(omit) }}'
+    components:        '{{ item.components | d(omit) }}'
+    data_max_future:   '{{ item.date_max_future | d(omit) }}'
+    enabled:           '{{ item.enabled | d(omit) }}'
+    inrelease_path:    '{{ item.inrelease_path | d(omit) }}'
+    languages:         '{{ item.languages | d(omit) }}'
+    mode:              '{{ item.mode | d(omit) }}'
+    pdiffs:            '{{ item.pdiffs | d(omit) }}'
+    signed_by:         '{{ item.signed_by | d(omit) }}'
+    state:             '{{ item.state | d("present") }}'
+    suites:            '{{ item.suites | d(omit) }}'
+    targets:           '{{ item.targets | d(omit) }}'
+    trusted:           '{{ item.trusted | d(omit) }}'
+    types:             '{{ item.types | d("deb") }}'
+  loop: '{{ apt__combined_repositories | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: apt__register_deb822_repositories
+  when: (apt__enabled|bool and item.uris | d() and item.repo is undefined and
+         (item.state | d("present")) not in [ "divert", "ignore", "init" ])
+
+- name: Remove APT auth configuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/apt/auth.conf.d/" + (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", (apt__auth_files + apt__group_auth_files + apt__host_auth_files)) }}'
+  when: apt__enabled | bool and item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate APT auth configuration
+  ansible.builtin.template:
+    src: 'etc/apt/auth.conf.d/template.conf.j2'
+    dest: '{{ "/etc/apt/auth.conf.d/" + (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) }}'
+    mode: '0640'
+  loop: '{{ q("flattened", (apt__auth_files + apt__group_auth_files + apt__host_auth_files)) }}'
+  when: apt__enabled | bool and item.machine | d() and item.login | d() and item.password | d() and
+        item.state | d('present') not in ['absent', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Update APT cache on first run
+  ansible.builtin.apt:
+    update_cache: True
+    cache_valid_time: '{{ apt__cache_valid_time }}'
+  register: apt__register_apt_first_update
+  until: apt__register_apt_first_update is succeeded
+  when: (apt__enabled | bool and
+         not (ansible_local.apt.configured | d()) | bool)
+
+- name: Install required packages
+  ansible.builtin.apt:
+    name: '{{ (apt__base_packages + apt__packages) | flatten }}'
+    state: 'present'
+    install_recommends: False
+  register: apt__register_packages
+  until: apt__register_packages is succeeded
+  when: apt__enabled | bool
+
+- name: Enable extra architectures
+  ansible.builtin.command: dpkg --add-architecture {{ item }}
+  loop: '{{ q("flattened", apt__extra_architectures
+                           + apt__group_extra_architectures
+                           + apt__host_extra_architectures) }}'
+  register: apt__register_add_architecture
+  changed_when: apt__register_add_architecture.changed | bool
+  when: apt__enabled | bool and item not in ansible_facts.ansible_local.apt.foreign_architectures | d()
+  notify: [ 'Refresh host facts' ]
+
+- name: Add/remove diversion of APT configuration files
+  debops.debops.dpkg_divert:
+    path:  '{{ "/etc/apt/apt.conf.d/" + (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) }}'
+    state: '{{ "present"
+               if (item.state | d("present") == "divert")
+               else "absent" }}'
+    delete: True
+  loop: '{{ apt__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: apt__enabled | bool and item.state | d("present") in [ "divert", "absent" ]
+
+- name: Delete APT configuration files on remote hosts
+  ansible.builtin.file:
+    path:  '{{ "/etc/apt/apt.conf.d/" + (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) }}'
+    state: 'absent'
+  loop: '{{ apt__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: apt__enabled | bool and item.raw | d() and item.state | d('present') == 'absent'
+
+- name: Generate APT configuration files
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/template.conf.j2'
+    dest: '{{ "/etc/apt/apt.conf.d/" + (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) }}'
+    mode: '0644'
+  loop: '{{ apt__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: apt__enabled | bool and item.raw | d() and
+        item.state | d('present') not in [ 'divert', 'absent', 'ignore', 'init' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
+
+- name: Save APT local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apt.fact.j2'
+    dest: '/etc/ansible/facts.d/apt.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Add/remove diversion of /etc/apt/sources.list
+  debops.debops.dpkg_divert:
+    path: '/etc/apt/sources.list'
+    state: '{{ apt__deploy_state }}'
+    delete: True
+  register: apt__register_sources_diversion
+  when: (apt__enabled | bool and apt__deploy_state in ['absent', 'present'])
+
+- name: Configure operating system sources.list
+  ansible.builtin.template:
+    src: 'etc/apt/sources.list.j2'
+    dest: '/etc/apt/sources.list'
+    mode: '0644'
+  register: apt__register_sources_template
+  when: (apt__enabled | bool and apt__deploy_state == 'present')
+
+- name: Update APT cache
+  ansible.builtin.apt:
+    update_cache: True
+    cache_valid_time: '{{ omit
+                         if (apt__register_sources_template is changed or
+                             apt__register_sources_diversion is changed or
+                             apt__register_apt_repositories is changed)
+                         else apt__cache_valid_time }}'
+  register: apt__register_apt_update
+  until: apt__register_apt_update is succeeded
+  when: apt__enabled | bool
+
+- name: Purge APT packages if requested
+  ansible.builtin.apt:
+    name: '{{ (apt__purge_packages
+               + apt__purge_group_packages
+               + apt__purge_host_packages) | flatten }}'
+    state: 'absent'
+    purge: True
+    autoremove: True
+  register: apt__register_purge_packages
+  until: apt__register_purge_packages is succeeded
+  when: apt__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/apt/templates/etc/ansible/facts.d/apt.fact.j2 b/ansible_collections/debops/debops/roles/apt/templates/etc/ansible/facts.d/apt.fact.j2
new file mode 100644
index 00000000..260b3403
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/templates/etc/ansible/facts.d/apt.fact.j2
@@ -0,0 +1,75 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import os
+
+sources_list = ['/etc/apt/sources.list.dpkg-divert',
+                '/etc/apt/sources.list']
+
+nonfree_components = ['non-free', 'restricted', 'multiverse']
+nonfree_firmware_components = ['non-free-firmware']
+
+output = loads('''{{ ({
+        "enabled": apt__enabled,
+        "configured": True,
+        "components": [],
+        "nonfree": False,
+        "nonfree_firmware": False}) | to_nice_json }}''')
+
+try:
+
+    for sources_file in sources_list:
+        if (os.path.isfile(sources_file)
+                and os.access(sources_file, os.R_OK)):
+            fh = open(sources_file)
+
+            for line in fh:
+                if (line.startswith('deb') or
+                        line.startswith('deb-src')):
+                    source = line.split()
+                    for component in source[3:]:
+                        if component not in output['components']:
+                            output['components'].append(component)
+                        if component in nonfree_components:
+                            output['nonfree'] = True
+                        if component in nonfree_firmware_components:
+                            output['nonfree_firmware'] = True
+
+            fh.close()
+
+except Exception:
+    pass
+
+try:
+    main_arch = subprocess.check_output(
+        ['dpkg', '--print-architecture'],
+        stderr=subprocess.STDOUT).decode('utf-8').strip()
+    if main_arch:
+        output.update({'architecture': main_arch})
+
+except subprocess.CalledProcessError:
+    pass
+
+try:
+    foreign_arch = subprocess.check_output(
+        ['dpkg', '--print-foreign-architectures'],
+        stderr=subprocess.STDOUT).decode('utf-8').strip()
+    if foreign_arch:
+        output.update({'foreign_architectures':
+                       foreign_arch.split('\n')})
+
+except subprocess.CalledProcessError:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt/templates/etc/apt/apt.conf.d/template.conf.j2 b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/apt.conf.d/template.conf.j2
new file mode 100644
index 00000000..7092fc63
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/apt.conf.d/template.conf.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(decoration='// ', prefix='', postfix='') -}}
+{% endif %}
+{% if item.raw | d() %}
+{{   item.raw | regex_replace('\n$', '') -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/apt/templates/etc/apt/auth.conf.d/template.conf.j2 b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/auth.conf.d/template.conf.j2
new file mode 100644
index 00000000..887028f5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/auth.conf.d/template.conf.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# Authentication credentials for "{{ item.name }}" APT repository
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{{ 'machine {} login {} password {}'.format(item.machine, item.login, item.password) }}
diff --git a/ansible_collections/debops/debops/roles/apt/templates/etc/apt/sources.list.j2 b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/sources.list.j2
new file mode 100644
index 00000000..8f90cd6e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt/templates/etc/apt/sources.list.j2
@@ -0,0 +1,84 @@
+{# Copyright (C) 2013-2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for element in apt__combined_sources | debops.debops.parse_kv_items(merge_keys=['types', 'uris', 'suites', 'components']) %}
+{%   if element.state not in ['absent', 'ignore', 'init'] %}
+{%     set element_comment = ('#' if (element.state == 'comment') else '') %}
+{%     if element.comment | d() %}
+{{       element.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     if element.raw | d() %}
+{%       if element_comment %}
+{{         element.raw | regex_replace('\n$', '') | comment(decoration='#', prefix='', postfix='') -}}
+{%       else %}
+{{         element.raw | regex_replace('\n$', '') }}
+{%       endif %}
+{%     else %}
+{%       set types = [] %}
+{%       set uris = [] %}
+{%       set suites = [] %}
+{%       set components = [] %}
+{%       if element.type | d() %}
+{%         set _ = types.append(element.type) %}
+{%       endif %}
+{%       if element.types | d() %}
+{%         set _ = types.extend(element.types | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) %}
+{%       endif %}
+{%       if not types %}
+{%         set _ = types.extend(apt__archive_types) %}
+{%       endif %}
+{%       if element.uri | d() %}
+{%         set _ = uris.append(element.uri) %}
+{%       endif %}
+{%       if element.uris | d() %}
+{%         set _ = uris.extend(element.uris | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) %}
+{%       endif %}
+{%       if element.suite | d() %}
+{%         set _ = suites.append(element.suite) %}
+{%       endif %}
+{%       if element.suites | d() %}
+{%         set suites = element.suites | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+{%       endif %}
+{%       if element.component | d() %}
+{%         set _ = components.append(element.component) %}
+{%       endif %}
+{%       if element.components | d() %}
+{%         set components = element.components | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+{%       endif %}
+{%       set source_options = '' %}
+{%       set parsed_options = [] %}
+{%       if element.options | d() %}
+{%         for option in element.options %}
+{%           if option.value is string %}
+{%             set option_string = option.name + '=' + option.value %}
+{%           else %}
+{%             set option_string = option.name + '=' + option.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(',') %}
+{%           endif %}
+{%           set _ = parsed_options.append(option_string) %}
+{%         endfor %}
+{%       endif %}
+{%       if parsed_options %}
+{%         set source_options = ' [' + parsed_options | join(' ') + ']' %}
+{%       endif %}
+{%       for uri in uris %}
+{%         for suite in suites %}
+{%           for type in types %}
+{%             if type == 'deb-src' and apt__archive_sources_disabled | bool %}
+{%                 set element_comment = '#' %}
+{%               else %}
+{%                 set element_comment = ('#' if (element.state == 'comment') else '') %}
+{%             endif %}
+{{             '{}{}{} {} {} {}'.format(element_comment, type, source_options, uri, suite, components | join(' ')) }}
+{%           endfor %}
+{%         endfor %}
+{%       endfor %}
+{%     endif %}
+{%     if element.separate | d(True) and not loop.last %}
+{{       '' }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_cacher_ng/COPYRIGHT
new file mode 100644
index 00000000..4d735c6e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.apt_cacher_ng - Install and manage the caching HTTP proxy Apt-Cacher NG
+
+Copyright (C) 2016-2017,2021 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017,2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_cacher_ng/defaults/main.yml
new file mode 100644
index 00000000..5b001ddd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/defaults/main.yml
@@ -0,0 +1,591 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_cacher_ng__ref_defaults:
+
+# debops.apt_cacher_ng default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: apt_cacher_ng__base_packages [[[
+#
+# List of base packages to install.
+apt_cacher_ng__base_packages:
+  - 'apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__enabled [[[
+#
+# Should the Apt-Cacher NG service be enabled?
+apt_cacher_ng__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Apt-Cacher NG is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Apt-Cacher NG is uninstalled and it's configuration is removed.
+#
+# ``purge``
+#   Same as ``absent`` but additionally also ensures that the cache directories
+#   is removed.
+#
+apt_cacher_ng__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__configuration_files [[[
+#
+# This variable allows you to change which configuration files this role is
+# going to create and which permissions to use for them.
+#
+# ``path``
+#   String, required, defines the path to the configuration file on the host.
+#
+# ``src``
+#   String, optional, defines the path to the template file. Defaults to
+#   ``path`` with any leading ``/`` removed.
+#
+# ``owner``
+#   String, optional, defaults to ``root``. Unix user which owns the
+#   configuration file.
+#
+# ``group``
+#   String, optional, defaults to ``root``. Unix group of the configuration file.
+#
+# ``mode``
+#   String, optional, defaults to ``0640``. Unix permissions of the
+#   configuration file.
+#
+# ``divert``
+#   Boolean, optional, defaults to ``True``. Should the original configuration file
+#   be diverted away before creating our version of the file?
+#
+apt_cacher_ng__configuration_files:
+
+  - path: '/etc/apt-cacher-ng/backends_debian'
+    mode: '0644'
+  - path: '/etc/apt-cacher-ng/backends_ubuntu'
+    mode: '0644'
+  - path: '/etc/apt-cacher-ng/backends_gentoo'
+    mode: '0644'
+    divert: False
+  - path: '/etc/apt-cacher-ng/acng.conf'
+    mode: '0644'
+  - path: '/etc/apt-cacher-ng/security.conf'
+    group: 'apt-cacher-ng'
+    mode: '0640'
+  - path: '/etc/apt-cacher-ng/userinfo.html'
+    mode: '0644'
+    divert: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Network related settings [[[
+# ----------------------------
+
+# .. envvar:: apt_cacher_ng__port [[[
+#
+# TCP server port for incoming http (or HTTP proxy) connections.
+# Can be set to ``9999`` to emulate :program:`apt-proxy`.
+apt_cacher_ng__port: 3142
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__bind_address [[[
+#
+# List of addresses or hostnames to listen on. Each entry must be an exact
+# local address which is associated with a local interface. DNS resolution is
+# performed using :manpage:`getaddrinfo(3)` for all available protocols (IPv4,
+# IPv6, ...). Using a protocol specific format will create binding(s) only on
+# protocol specific socket(s), e. g.  ``0.0.0.0`` will listen only to IPv4.
+#
+# Examples:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_cacher_ng__bind_address:
+#      - 'localhost'
+#      - '192.168.7.254'
+#      - 'publicNameOnMainInterface'
+#
+# Defaults to listening on all interfaces and protocols.
+apt_cacher_ng__bind_address: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__fqdn [[[
+#
+# The FQDN subdomain of the Apt-Cacher NG proxy which will be used by
+# :program:`nginx` webserver.
+apt_cacher_ng__fqdn: 'software-cache.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__proxy [[[
+#
+# The specification of another HTTP proxy which shall be used for downloads.
+# It can include user name and password but see the manual for limitations.
+#
+# Examples:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_cacher_ng__proxy: 'https://username:proxypassword@proxy.example.net:3129'
+#
+# Defaults to using a direct connection.
+apt_cacher_ng__proxy: ''
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__connect_protocol [[[
+#
+# Specifies the IP protocol families to use for remote connections. Order does
+# matter, first specified are considered first.
+#
+# Examples:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_cacher_ng__connect_protocol:
+#      - 'v4'
+#      # - 'v6'
+#
+# Only use IPv4 connections for connecting to upstream mirrors.
+#
+# Defaults to using native order of the system's TCP/IP stack, influenced by
+# the :envvar:`apt_cacher_ng__bind_address` value.
+apt_cacher_ng__connect_protocol: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__offline_mode [[[
+#
+# Forbid outgoing connections and work without an internet connection or
+# respond with 503 error where it's not possible.
+apt_cacher_ng__offline_mode: False
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__network_timeout [[[
+#
+# Network timeout for outgoing connections, in seconds.
+apt_cacher_ng__network_timeout: 60
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__max_download_speed_kib [[[
+#
+# It's possible to limit the processing speed of download agents to set an
+# overall download speed limit. Unit: KiB/s, Default: unlimited.
+apt_cacher_ng__max_download_speed_kib: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Upstream mirrors [[[
+# --------------------
+
+# .. envvar:: apt_cacher_ng__upstream_mirror_debian [[[
+#
+# Which upstream mirror(s) should be used for Debian repositories?
+# One mirror per line.
+# Set to an empty string to let the package scripts from Apt-Cacher NG decide
+# which upstream mirror to use.
+apt_cacher_ng__upstream_mirror_debian: '{{ ansible_local.apt.default_sources_map.Debian[0]
+                                            | d("http://deb.debian.org/debian") }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__upstream_mirror_ubuntu [[[
+#
+# Which upstream mirror(s) should be used for Ubuntu repositories?
+# One mirror per line.
+# Set to an empty string to let the package scripts from Apt-Cacher NG decide
+# which upstream mirror to use.
+apt_cacher_ng__upstream_mirror_ubuntu: '{{ ansible_local.apt.default_sources_map.Ubuntu[0]
+                                            | d("http://archive.ubuntu.com/ubuntu") }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__upstream_mirror_gentoo [[[
+#
+# Which upstream mirror(s) should be used for Gentoo repositories?
+# One mirror per line.
+# Set to an empty string to let the package scripts from Apt-Cacher NG decide
+# which upstream mirror to use.
+apt_cacher_ng__upstream_mirror_gentoo: '{{ ansible_local.apt.default_sources_map.Gentoo[0] | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Cache directory [[[
+# -------------------
+
+# .. envvar:: apt_cacher_ng__cache_dir [[[
+#
+# Storage directory for downloaded data and related maintenance activity.
+apt_cacher_ng__cache_dir: '/var/cache/apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__cache_dir_owner [[[
+#
+# Unix user which owns the cache directory and it's contents.
+apt_cacher_ng__cache_dir_owner: 'apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__cache_dir_group [[[
+#
+# Unix group of the cache directory and it's contents..
+apt_cacher_ng__cache_dir_group: 'apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__dir_perms [[[
+#
+# Default permission set of freshly created files and directories, as octal
+# numbers (see :manpage:`chmod(1)` for details).
+# Can by limited by the umask value (see :manpage:`umask(2)` for details) if it's set in
+# the environment of the starting shell, e. g. in apt-cacher-ng init script or
+# in its configuration file.
+apt_cacher_ng__dir_perms: '02755'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__file_perms [[[
+#
+# Default permission set of freshly created files and directories, as octal
+# numbers (see :manpage:`chmod(1)` for details).
+# Can by limited by the umask value (see :manpage:`umask(2)` for details) if it's set in
+# the environment of the starting shell, e. g. in apt-cacher-ng init script or
+# in its configuration file.
+apt_cacher_ng__file_perms: '00644'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__cache_dir_enforce_permissions [[[
+#
+# Should the permissions of the cache directory and it's content be enforced
+# (changed to the specified owner, group and mode)?
+#
+# Options:
+#
+# ``strict``
+#   Go thought all files and directories and enforce the permissions on each Ansible run.
+#
+#   .. warning:: This can slow down the role execution time even
+#        when the changes have already been applied. The main factor is
+#        the number of files/directories in your cache directory.
+#
+# ``lazy``
+#   Check the :file:`_expending_damaged` file in the root of
+#   :envvar:`apt_cacher_ng__cache_dir` and only enforce permissions on all other
+#   files if this one file needed to be changed.
+#
+# ``disabled``
+#   Don't enforce permissions.
+#
+apt_cacher_ng__cache_dir_enforce_permissions: 'lazy'
+                                                                   # ]]]
+                                                                   # ]]]
+# Management credentials [[[
+# --------------------------
+
+# .. envvar:: apt_cacher_ng__user [[[
+#
+# Username for basic authentication required to visit pages with administrative
+# functionality.
+apt_cacher_ng__user: 'admin'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__password [[[
+#
+# Password for basic authentication required to visit pages with administrative
+# functionality.
+apt_cacher_ng__password: '{{ lookup("password", secret + "/credentials/" +
+                             inventory_hostname + "/apt_cacher_ng/" +
+                             apt_cacher_ng__user + "/password length=24") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Tuning, debugging and further options [[[
+# -----------------------------------------
+
+# .. envvar:: apt_cacher_ng__log_dir [[[
+#
+# Log file directory, can be set empty to disable logging.
+apt_cacher_ng__log_dir: '/var/log/apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__support_dir [[[
+#
+# A place to look for additional configuration and resource files if they are not
+# found in the configuration directory.
+apt_cacher_ng__support_dir: '/usr/lib/apt-cacher-ng'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__debug [[[
+#
+# A bitmask type value declaring the logging verbosity and behavior of the error
+# log writing. Non-zero value triggers at least faster log file flushing.
+#
+# Some higher bits only working with a special debug build of apt-cacher-ng,
+# see the manual for details. The setting has an alias named ``UnbufferLogs``.
+# Setting ``apt_cacher_ng__debug: 1`` will result in unbuffer log writes.
+#
+# .. warning:: This can write significant amount of data into the
+#      :file:`apt-cacher.err` logfile.
+#
+# 0. No debug printing.
+#
+# 1. Log file buffers are flushed faster.
+#
+# 2. Some additional information appears within usual transfer/error logs.
+#
+# 4. Extra debug information is written to apt-cacher.err (also enables lots of additional trace
+#    points when apt-cacher-ng binary is built with debug configuration, see section 9.6 for
+#    details).
+#
+apt_cacher_ng__debug: 0
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__verbose_log [[[
+#
+# Enables extended client information in log entries. When set to ``True``,
+# only activity type, time and transfer sizes are logged.
+apt_cacher_ng__verbose_log: True
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__force_managed [[[
+#
+# Forbid downloads from locations that are directly specified in the user
+# request, i.e. all downloads must be processed by the preconfigured remapping
+# backends.
+# Set to ``False`` by default to allow to download other repositories via the proxy like
+# `download.owncloud.org <https://download.owncloud.org/download/repositories/>`_.
+apt_cacher_ng__force_managed: False
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__expiration_threshold [[[
+#
+# Days before considering an unreferenced file expired (to be deleted).
+#
+# .. warning:: If the value is set too low and particular index files are not
+#      available for some days (mirror downtime) then there is a risk of removal of
+#      still useful package files.
+#
+apt_cacher_ng__expiration_threshold: 4
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__expiration_abort_on_problems [[[
+#
+# Stop expiration when a critical problem appears, issue like a failed update
+# of an index file in the preparation step.
+#
+# .. warning:: Don't set this option to zero or empty without considering possible
+#      consequences like a sudden and complete cache data loss.
+#
+apt_cacher_ng__expiration_abort_on_problems: 'default'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__dns_cache_seconds [[[
+#
+# There is a small in-memory cache for DNS resolution data, expired by
+# this timeout (in seconds). Internal caching is disabled if set to a value
+# less than zero.
+apt_cacher_ng__dns_cache_seconds: 1800
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__log_submitted_origin [[[
+#
+# Trust the downstream HTTP proxy and log the X-Forwarded-For header as the
+# client IP address.
+apt_cacher_ng__log_submitted_origin: True
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__user_agent [[[
+#
+# The version string reported to the peer, to be displayed as HTTP client (and
+# version) in the logs of the mirror.
+#
+# .. warning:: Expect side effects! Some archives use this header to guess
+#      capabilities of the client (i.e. allow redirection and/or https links) and
+#      change their behaviour accordingly but ACNG might not support the expected
+#      features.
+#
+# Default is the compiled in UserAgent: Yet Another HTTP Client/1.2.3p4
+apt_cacher_ng__user_agent: 'default'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__recompress_bz2 [[[
+#
+# In some cases the Import and Expiration tasks might create fresh volatile
+# data for internal use by reconstructing them using patch files. This
+# by-product might be recompressed with bzip2 and with some luck the resulting
+# file becomes identical to the ``*.bz2`` file on the server which can be used by
+# APT when requesting a complete version of this file.
+# The downside of this feature is higher CPU load on the server during
+# the maintenance tasks, and the outcome might have not much value in a LAN
+# where all clients update their data often and regularly and therefore usually
+# don't need the full version of the index file.
+apt_cacher_ng__recompress_bz2: False
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__custom [[[
+#
+# Configuration block for Apt-Cacher NG for additional configuration for
+# example custom remap settings.
+apt_cacher_ng__custom: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Network accessibility [[[
+# -------------------------
+
+# .. envvar:: apt_cacher_ng__allow [[[
+#
+# Allow access to Apt-Cacher NG from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+apt_cacher_ng__allow: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__group_allow [[[
+#
+# Allow access to Apt-Cacher NG from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+apt_cacher_ng__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__host_allow [[[
+#
+# Allow access to Apt-Cacher NG from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+apt_cacher_ng__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__interfaces [[[
+#
+# List of network interfaces from which to allow access to Apt-Cacher NG.
+# If not specified, allows access from all interfaces.
+apt_cacher_ng__interfaces: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Role-dependent configuration [[[
+# --------------------------------
+
+# .. envvar:: apt_cacher_ng__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` role which registers port
+# numbers for Apt-Cacher NG.
+apt_cacher_ng__etc_services__dependent_list:
+
+  - name: 'acng'
+    port: '{{ apt_cacher_ng__port }}'
+    comment: 'Apt-Cacher NG caching proxy server'
+    delete: '{{ apt_cacher_ng__deploy_state != "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` role.
+apt_cacher_ng__apt_preferences__dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__ferm__dependent_rules [[[
+#
+# Configuration for :command:`ferm` firewall. It should be added when
+# :ref:`debops.ferm` role is used to configure Apt-Cacher NG firewall rules.
+apt_cacher_ng__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'acng' ]
+    saddr: '{{ (apt_cacher_ng__allow | d([]) | list) +
+               (apt_cacher_ng__group_allow | d([]) | list) +
+               (apt_cacher_ng__host_allow | d([]) | list) }}'
+    accept_any: True
+    interface: '{{ apt_cacher_ng__interfaces }}'
+    weight: '40'
+    by_role: 'debops.apt_cacher_ng'
+    name: 'http_proxy'
+    rule_state: '{{ apt_cacher_ng__deploy_state }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__apparmor__dependent_config [[[
+#
+# Configuration for the ``debops-contrib.apparmor`` role.
+apt_cacher_ng__apparmor__dependent_config:
+
+  'usr.sbin.apt-cacher-ng':
+      ## Seems this change is not possible thought the ``@{APT_CACHE_DIR}``
+      ## variable without changing the profile file directly?
+    - comment: 'Allow Apt-Cacher-Ng access to the cache directory'
+      by_role: 'debops.apt_cacher_ng'
+      delete: '{{ apt_cacher_ng__deploy_state != "present" }}'
+      rules:
+        - '{{ apt_cacher_ng__cache_dir }}/ r'
+        - '{{ apt_cacher_ng__cache_dir }}/** rw'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__upstream_servers [[[
+#
+# List of upstream :program:`nginx` proxy servers.
+apt_cacher_ng__upstream_servers:
+  - 'localhost:{{ apt_cacher_ng__port }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__nginx__upstream [[[
+#
+# The :program:`nginx` upstream configuration, managed by :ref:`debops.nginx` role.
+apt_cacher_ng__nginx__upstream:
+  enabled: True
+  name: 'apt-cacher-ng'
+  server: '{{ apt_cacher_ng__upstream_servers }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_cacher_ng__nginx__servers [[[
+#
+# List of :program:`nginx` server configurations managed by the
+# :ref:`debops.nginx` role.
+# There is a separate configuration for HTTP and HTTPS
+# connections to allow access for hosts without SSL support installed.
+apt_cacher_ng__nginx__servers:
+
+  - by_role: 'debops.apt_cacher_ng'
+    name: [ '{{ apt_cacher_ng__fqdn }}' ]
+    filename: 'debops.apt_cacher_ng_http'
+    enabled: True
+    allow: '{{ apt_cacher_ng__allow + apt_cacher_ng__group_allow + apt_cacher_ng__host_allow }}'
+    ssl: False
+    webroot_create: False
+    type: 'proxy'
+    proxy_pass: 'http://apt-cacher-ng'
+    proxy_options: |
+      if ($request_uri !~ "^/.*(\.js|\.css|\.html|\.ico)(.*)?$") {
+              rewrite ^/(.*)$ /$host/$1 break;
+      }
+      proxy_redirect off;
+      proxy_buffering off;
+    options: |
+      location ~ /acng-report.html {
+              return 307 https://$host$request_uri;
+      }
+
+  - by_role: 'debops.apt_cacher_ng'
+    name: [ '{{ apt_cacher_ng__fqdn }}' ]
+    filename: 'debops.apt_cacher_ng_https'
+    enabled: True
+    allow: '{{ apt_cacher_ng__allow + apt_cacher_ng__group_allow + apt_cacher_ng__host_allow }}'
+    state: '{{ "present" if (ansible_local.pki | d()) else "absent" }}'
+    listen: False
+    webroot_create: False
+    type: 'proxy'
+    proxy_pass: 'http://apt-cacher-ng'
+    proxy_options: |
+      if ($request_uri !~ "^/.*(\.js|\.css|\.html|\.ico)(.*)?$") {
+              rewrite ^/(.*)$ /$host/$1 break;
+      }
+      proxy_redirect off;
+      proxy_buffering off;
+
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/meta/main.yml b/ansible_collections/debops/debops/roles/apt_cacher_ng/meta/main.yml
new file mode 100644
index 00000000..84412cdd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2016-2017,2021 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Install and manage the caching HTTP proxy Apt-Cacher NG'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - proxy
+    - caching
+    - packages
+    - apt
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_cacher_ng/tasks/main.yml
new file mode 100644
index 00000000..f6a9f230
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/tasks/main.yml
@@ -0,0 +1,106 @@
+---
+# Copyright (C) 2016-2017,2021 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Disable autoconfiguration
+  ansible.builtin.debconf:
+    name: 'apt-cacher-ng'
+    question: 'apt-cacher-ng/gentargetmode'
+    vtype: 'select'
+    value: 'No automated setup'
+  when: apt_cacher_ng__deploy_state == 'present'
+
+- name: Add/remove configuration file diversions
+  debops.debops.dpkg_divert:
+    path: '{{ item.path }}'
+    state: '{{ "present" if apt_cacher_ng__deploy_state == "present"
+               else "absent" }}'
+    delete: True
+  loop: '{{ apt_cacher_ng__configuration_files }}'
+  when: item.divert | d(True)
+
+- name: Install/remove packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", apt_cacher_ng__base_packages) }}'
+    state: '{{ "present" if apt_cacher_ng__deploy_state == "present"
+               else "absent" }}'
+  register: apt_cacher_ng__register_packages
+  until: apt_cacher_ng__register_packages is succeeded
+
+- name: Generate configuration files
+  ansible.builtin.template:
+    src: '{{ item.src | d(item.path | regex_replace("^/", "")) }}.j2'
+    dest: '{{ item.path }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode: '{{ item.mode | d("0640") }}'
+  loop: '{{ apt_cacher_ng__configuration_files }}'
+  notify: [ 'Restart apt-cacher-ng' ]
+  when: apt_cacher_ng__deploy_state == 'present'
+
+- name: Create the cache directory
+  ansible.builtin.file:
+    state: 'directory'
+    path:  '{{ apt_cacher_ng__cache_dir }}'
+    owner: '{{ apt_cacher_ng__cache_dir_owner }}'
+    group: '{{ apt_cacher_ng__cache_dir_group }}'
+    mode:  '{{ apt_cacher_ng__dir_perms }}'
+  when: apt_cacher_ng__deploy_state == 'present'
+
+- name: Lazy check cache directory permissions
+  ansible.builtin.file:
+    state: 'file'
+    path:  '{{ apt_cacher_ng__cache_dir }}/_expending_damaged'
+    owner: '{{ apt_cacher_ng__cache_dir_owner }}'
+    group: '{{ apt_cacher_ng__cache_dir_group }}'
+    mode:  '{{ apt_cacher_ng__file_perms }}'
+  failed_when: False
+  register: apt_cacher_ng__register_cache_perms
+  when: (apt_cacher_ng__deploy_state == 'present' and
+         apt_cacher_ng__cache_dir_enforce_permissions == 'lazy')
+
+# Note: doing this using native Ansible tasks is too slow
+- name: Change cache directory permissions  # noqa no-free-form
+  ansible.builtin.shell: |
+    chown --recursive {{ apt_cacher_ng__cache_dir_owner }}:{{ apt_cacher_ng__cache_dir_group }} .
+    find . -type d -exec chmod {{ apt_cacher_ng__dir_perms }} {} \;
+    find . -type f -exec chmod {{ apt_cacher_ng__file_perms }} {} \;
+  args:
+    chdir: '{{ apt_cacher_ng__cache_dir }}'
+  register: apt_cacher_ng__register_chmod
+  changed_when: apt_cacher_ng__register_chmod.changed | bool
+  when: (apt_cacher_ng__deploy_state == 'present' and
+         (apt_cacher_ng__cache_dir_enforce_permissions == "strict" or
+          (apt_cacher_ng__cache_dir_enforce_permissions == "lazy" and
+           apt_cacher_ng__register_cache_perms is changed)))
+
+- name: Enable/disable service
+  ansible.builtin.service:
+    name: 'apt-cacher-ng'
+    state: '{{ "started" if apt_cacher_ng__enabled | d(True) else "stopped" }}'
+    enabled: '{{ True if apt_cacher_ng__enabled | d(True) else False }}'
+  when: apt_cacher_ng__deploy_state == 'present'
+
+- name: Remove configuration files
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'absent'
+  loop: '{{ apt_cacher_ng__configuration_files }}'
+  when: (apt_cacher_ng__deploy_state in ['absent', 'purge'] and
+         not item.divert | d(True))
+
+- name: Remove the cache directory
+  ansible.builtin.file:
+    path: '{{ apt_cacher_ng__cache_dir }}'
+    state: 'absent'
+  when: apt_cacher_ng__deploy_state == 'purge'
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/acng.conf.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/acng.conf.j2
new file mode 100644
index 00000000..1ff8a7dd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/acng.conf.j2
@@ -0,0 +1,590 @@
+{# Copyright (C) 2016-2017,2021 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017,2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# IMPORTANT NOTE:
+#
+# THIS FILE IS MAYBE JUST ONE OF MANY CONFIGURATION FILES IN THIS DIRECTORY.
+# SETTINGS MADE IN OTHER FILES CAN OVERRIDE VALUES THAT YOU CHANGE HERE. GO
+# LOOK FOR OTHER CONFIGURATION FILES! CHECK THE MANUAL AND INSTALLATION NOTES
+# (like README.Debian) FOR MORE DETAILS!
+#
+
+# This is a configuration file for apt-cacher-ng, a smart caching proxy for
+# software package downloads. It's supposed to be in a directory specified by
+# the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details.
+# RULES:
+# - letter case in variable names does not matter
+# - names and values are separated by colon or equals sign
+# - for boolean variables, zero means false, non-zero means true
+# - "default value" means built-in (!) defaults, i.e. something which the
+#   program uses if the option is not set here or in other config files.
+#   That value might be explicitly mentioned in the description. Where it is
+#   not, there is no reason to assume any of the examples to be the default
+#   value! In doubt, use acngtool to query the value of the particular variable.
+
+# Storage directory for downloaded data and related maintenance activity.
+#
+# Note: When the value for CacheDir is changed, change the file
+# /lib/systemd/system/apt-cacher-ng.service too
+#
+CacheDir: {{ apt_cacher_ng__cache_dir }}
+
+# Log file directory, can be set empty to disable logging
+#
+LogDir: {{ apt_cacher_ng__log_dir }}
+
+# A place to look for additional configuration and resource files if they are not
+# found in the configuration directory
+#
+SupportDir: {{ apt_cacher_ng__support_dir }}
+
+# TCP server port for incoming http (or HTTP proxy) connections.
+# Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server
+# (SocketPath must be set in this case).
+#
+Port:{{ apt_cacher_ng__port }}
+
+# Addresses or hostnames to listen on. Multiple addresses must be separated by
+# spaces. Each entry must be an exact local address which is associated with a
+# local interface. DNS resolution is performed using getaddrinfo(3) for all
+# available protocols (IPv4, IPv6, ...). Using a protocol specific format will
+# create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
+# listen only to IPv4. The endpoint can also be specified as host:port (or
+# [ipv6-address]:port) which allows binding on non-standard ports (Port
+# directive is ignored in this case).
+#
+# Default: listens on all interfaces and protocols
+#
+# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
+{{ ("BindAddress: " + apt_cacher_ng__bind_address | join(" ")) if apt_cacher_ng__bind_address else "" }}
+
+# The specification of another HTTP proxy which shall be used for downloads.
+# It can include user name and password but see the manual for limitations.
+#
+# Default: uses direct connection
+#
+# Proxy: http://www-proxy.example.net:3128
+# Proxy: https://username:proxypassword@proxy.example.net:3129
+{{ ("Proxy: " + apt_cacher_ng__proxy) if apt_cacher_ng__proxy else "" }}
+
+# Repository remapping. See manual for details.
+# In this example, some backends files might be generated during package
+# installation using information collected on the system.
+# Examples:
+Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
+Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
+Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
+Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
+Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
+Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+Remap-fedora: file:fedora_mirrors # Fedora Linux
+Remap-epel:   file:epel_mirrors # Fedora EPEL
+Remap-slrep:  file:sl_mirrors # Scientific Linux
+Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
+Remap-secdeb: security.debian.org security.debian.org/debian-security deb.debian.org/debian-security /debian-security ; deb.debian.org/debian-security security.debian.org
+
+# Virtual page accessible in a web browser to see statistics and status
+# information, i.e. under http://localhost:3142/acng-report.html
+# NOTE: This option must be configured to run maintenance jobs (even when used
+# via acngtool in cron scripts). The AdminAuth option can be used to restrict
+# access to sensitive areas on that page.
+#
+# Default: not set, should be set by the system administrator
+#
+ReportPage: acng-report.html
+
+# Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
+# used with inetd (via bridge tool in.acng from apt-cacher-ng package), is also
+# used internally for administrative purposes.
+#
+# Default: /run/apt-cacher-ng/socket
+#
+# SocketPath: /var/run/apt-cacher-ng/socket
+
+# If set to 1, makes log files be written to disk on every new line. Default
+# is 0, buffers are flushed after the client disconnects. Technically,
+# it's a convenience alias for the Debug option, see below for details.
+#
+# UnbufferLogs: 0
+
+# Enables extended client information in log entries. When set to 0, only
+# activity type, time and transfer sizes are logged.
+#
+# VerboseLog: 1
+VerboseLog: {{ "1" if apt_cacher_ng__verbose_log | bool else "0" }}
+
+# Don't detach from the starting console.
+#
+# ForeGround: 0
+
+# Store the pid of the daemon process in the specified text file.
+# Default: disabled
+#
+# PidFile: /var/run/apt-cacher-ng/pid
+
+# Forbid outgoing connections and work without an internet connection or
+# respond with 503 error where it's not possible.
+#
+# Offlinemode: 0
+Offlinemode: {{ "1" if apt_cacher_ng__offline_mode | bool else "0" }}
+
+# Forbid downloads from locations that are directly specified in the user
+# request, i.e. all downloads must be processed by the preconfigured remapping
+# backends (see above).
+#
+# ForceManaged: 0
+ForceManaged: {{ "1" if apt_cacher_ng__force_managed | bool else "0" }}
+
+# Days before considering an unreferenced file expired (to be deleted).
+# WARNING: if the value is set too low and particular index files are not
+# available for some days (mirror downtime) then there is a risk of removal of
+# still useful package files.
+#
+# ExThreshold: 4
+{{ ("ExTreshold: " + apt_cacher_ng__expiration_threshold | string) if (apt_cacher_ng__expiration_threshold != "default") else "" }}
+
+# If the expiration is run daily, it sometimes does not make much sense to do
+# it because the expected changes (i.e. removal of expired files) don't justify
+# the extra processing time or additional downloads for expiration operation
+# itself. This discrepancy might be especially worse if the local client
+# installations are small or are rarely updated but the daily changes of
+# the remote archive metadata are heavy.
+#
+# The following option enables a possible trade-off: the expiration run is
+# suppressed until a certain amount of data has been downloaded through
+# apt-cacher-ng since the last expiration execution (which might indicate that
+# packages were replaced with newer versions).
+#
+# The number can have a suffix (k,K,m,M for Kb,KiB,Mb,MiB)
+#
+# ExStartTradeOff: 500m
+
+# Stop expiration when a critical problem appears, issue like a failed update
+# of an index file in the preparation step.
+#
+# WARNING: don't set this option to zero or empty without considering possible
+# consequences like a sudden and complete cache data loss.
+#
+# ExAbortOnProblems: 1
+{{ ("ExAbortOnProblems: " + apt_cacher_ng__expiration_abort_on_problems | string) if (apt_cacher_ng__expiration_abort_on_problems != "default") else "" }}
+
+# Number of failed nightly expiration runs which are considered acceptable and
+# do not trigger an error notification to the admin (e.g. via daily cron job)
+# before the (day) count is reached. Might be useful with whacky internet
+# connections.
+#
+# Default: a guessed value, 1 if ExThreshold is 5 or more, 0 otherwise.
+#
+# ExSuppressAdminNotification: 1
+
+# Modify file names to work around limitations of some file systems.
+# WARNING: experimental feature, subject to change
+#
+# StupidFs: 0
+
+# Experimental feature for apt-listbugs: pass-through SOAP requests and
+# responses to/from bugs.debian.org.
+# Default: guessed value, true unless ForceManaged is enabled
+#
+# ForwardBtsSoap: 1
+
+# There is a small in-memory cache for DNS resolution data, expired by
+# this timeout (in seconds). Internal caching is disabled if set to a value
+# less than zero.
+#
+# DnsCacheSeconds: 1800
+{{ ("DnsCacheSeconds: " + apt_cacher_ng__dns_cache_seconds | string) if (apt_cacher_ng__dns_cache_seconds != "default") else "" }}
+
+###############################################################################
+#
+# WARNING: don't modify thread and file matching parameters without a clear
+# idea of what is happening behind the scene!
+#
+# Max. count of connection threads kept ready (for faster response in the
+# future). Should be a sane value between 0 and average number of connections,
+# and depend on the amount of spare RAM.
+# MaxStandbyConThreads: 8
+#
+# Hard limit of active thread count for incoming connections, i.e. operation
+# is refused when this value is reached (below zero = unlimited).
+# MaxConThreads: -1
+#
+# Timeout for a forced disconnect in cases where a client connection is about
+# to be closed but remote refuses to confirm the disconnect request. Setting
+# this to a lower value mitigates the effects of resource starvation in case of
+# a DOS attack but increases the risk of failing to flush the remaining portion
+# of data.
+# DisconnectTimeout: 15
+
+# By default, if a remote suddenly reconnects, ACNG tries at least two times to
+# redownload from the same or different location (if known).
+# DlMaxRetries: 2
+
+# Pigeonholing files (like static vs. volatile contents) is done by (extended)
+# regular expressions.
+#
+# The following patterns are available for the purposes detailed, where
+# the latter takes precedence over the former:
+# - «PFilePattern» for static data that doesn't change silently on the server.
+# - «VFilePattern» for volatile data that may change like every hour. Files
+#   that match both PFilePattern and VfilePattern will be treated as volatile.
+# - Static data with file names that match VFilePattern may be overridden being
+#   treated as volatile by making it match the special static data pattern,
+#   «SPfilePattern».
+# - «SVfilePattern» or the "special volatile data" pattern is for the
+#   convenience of specifying any exceptions to matches with SPfilePattern,
+#   for cases where data must still be treated as volatile.
+# - «WfilePattern» specifies a "whitelist pattern" for the regular expiration
+#   job, telling it to keep the files even if they are not referenced by
+#   others, like crypto signatures with which clients begin their downloads.
+#
+# There are two versions. The pattern variables mentioned above should not be
+# set without good reason, because they would override the built-in defaults
+# (that might impact updates to future versions of apt-cacher-ng). There are
+# also versions of those patterns ending with Ex, which may be modified by the
+# local administrator. They are evaluated in addition to the regular patterns
+# at runtime.
+#
+# To see examples of the expected syntax, run: apt-cacher-ng -p debug=1
+#
+# PfilePatternEx:
+# VfilePatternEx:
+# SPfilePatternEx:
+# SVfilePatternEx:
+# WfilePatternEx:
+#
+###############################################################################
+
+# A bitmask type value declaring the logging verbosity and behavior of the error
+# log writing. Non-zero value triggers at least faster log file flushing.
+#
+# Some higher bits only working with a special debug build of apt-cacher-ng,
+# see the manual for details.
+#
+# WARNING: this can write significant amount of data into apt-cacher.err logfile.
+#
+# Default: 0
+#
+# Debug:3
+{{ ("Debug: " + apt_cacher_ng__debug | string) if (apt_cacher_ng__debug != "") else "" }}
+
+# Usually, general purpose proxies like Squid expose the IP address of the
+# client user to the remote server using the X-Forwarded-For HTTP header. This
+# behaviour can be optionally turned on with the Expose-Origin option.
+#
+# ExposeOrigin: 0
+
+# When logging the originating IP address, trust the information supplied by
+# the client in the X-Forwarded-For header.
+#
+# LogSubmittedOrigin: 0
+LogSubmittedOrigin: {{ "1" if apt_cacher_ng__log_submitted_origin | bool else "0" }}
+
+# The version string reported to the peer, to be displayed as HTTP client (and
+# version) in the logs of the mirror.
+#
+# WARNING: Expect side effects! Some archives use this header to guess
+# capabilities of the client (i.e. allow redirection and/or https links) and
+# change their behaviour accordingly but ACNG might not support the expected
+# features.
+#
+# Default:
+#
+# UserAgent: Yet Another HTTP Client/1.2.3p4
+{{ ("UserAgent: " + apt_cacher_ng__user_agent) if (apt_cacher_ng__user_agent != "default") else "" }}
+
+# In some cases the Import and Expiration tasks might create fresh volatile
+# data for internal use by reconstructing them using patch files. This
+# by-product might be recompressed with bzip2 and with some luck the resulting
+# file becomes identical to the *.bz2 file on the server which can be used by
+# APT when requesting a complete version of this file.
+# The downside of this feature is higher CPU load on the server during
+# the maintenance tasks, and the outcome might have not much value in a LAN
+# where all clients update their data often and regularly and therefore usually
+# don't need the full version of the index file.
+#
+# RecompBz2: 0
+RecompBz2: {{ "1" if apt_cacher_ng__recompress_bz2 else "0" }}
+
+# Network timeout for outgoing connections, in seconds.
+#
+# NetworkTimeout: 40
+{{ ("NetworkTimeout: " + apt_cacher_ng__network_timeout | string) if (apt_cacher_ng__network_timeout != "") else "" }}
+
+# Fast fallback timeout, in seconds. This is the time to wait before
+# alternative target addresses for a client connection are tried, which can be
+# useful for quick fallback to IPv4 in case of whacky IPv6 configuration.
+#
+# FastTimeout = 4
+
+# Sometimes it makes sense to not store the data in cache and just return the
+# package data to client while it comes in. The following DontCache* parameters
+# can enable this behaviour for certain URL types. The tokens are extended
+# regular expressions which the URLs are evaluated against.
+#
+# DontCacheRequested is applied to the URL as it comes in from the client.
+# Example: exclude packages built with kernel-package for x86
+# DontCacheRequested: linux-.*_10\...\.Custo._i386
+# Example usecase: exclude popular private IP ranges from caching
+# DontCacheRequested: 192.168.0 ^10\..* 172.30
+#
+# DontCacheResolved is applied to URLs after mapping to the target server. If
+# multiple backend servers are specified then it's only matched against the
+# download link for the FIRST possible source (due to implementation limits).
+#
+# Example usecase: all Ubuntu stuff comes from a local mirror (specified as
+# backend), don't cache it again:
+# DontCacheResolved: ubuntumirror.local.net
+#
+# DontCache directive sets (overrides) both, DontCacheResolved and
+# DontCacheRequested.  Provided for convenience, see those directives for
+# details.
+#
+# Example:
+# DontCache: .*.local.university.int
+
+# Default permission set of freshly created files and directories, as octal
+# numbers (see chmod(1) for details).
+# Can by limited by the umask value (see umask(2) for details) if it's set in
+# the environment of the starting shell, e.g. in apt-cacher-ng init script or
+# in its configuration file.
+#
+# DirPerms: 00755
+{{ ("DirPerms: " + apt_cacher_ng__dir_perms) if (apt_cacher_ng__dir_perms != "") else "" }}
+# FilePerms: 00664
+{{ ("FilePerms: " + apt_cacher_ng__file_perms) if (apt_cacher_ng__file_perms != "") else "" }}
+
+# It's possible to use use apt-cacher-ng as a regular web server with a limited
+# feature set, i.e. directory browsing, downloads of any files, Content-Type
+# based on /etc/mime.types, but without sorting, CGI execution, index page
+# redirection and other funny things.
+# To get this behavior, mappings between virtual directories and real
+# directories on the server must be defined with the LocalDirs directive.
+# Virtual and real directories are separated by spaces, multiple pairs are
+# separated by semi-colons. Real directories must be absolute paths.
+# NOTE: Since the names of that key directories share the same namespace as
+# repository names (see Remap-...) it is administrator's job to avoid conflicts
+# between them or explicitly create them.
+#
+# LocalDirs: woo /data/debarchive/woody ; hamm /data/debarchive/hamm
+LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
+
+# Precache a set of files referenced by specified index files. This can be used
+# to create a partial mirror usable for offline work. There are certain limits
+# and restrictions on the path specification, see manual and the cache control
+# web site for details. A list of (maybe) relevant index files could be
+# retrieved via "apt-get --print-uris update" on a client machine.
+#
+# Example:
+# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages*
+
+# Arbitrary set of data to append to request headers sent over the wire. Should
+# be a well formatted HTTP headers part including newlines (DOS style) which
+# can be entered as escape sequences (\r\n).
+#
+# RequestAppendix: X-Tracking-Choice: do-not-track\r\n
+
+# Specifies the IP protocol families to use for remote connections. Order does
+# matter, first specified are considered first. Possible combinations:
+# v6 v4
+# v4 v6
+# v6
+# v4
+# Default: use native order of the system's TCP/IP stack, influenced by the
+# BindAddress value.
+#
+# ConnectProto: v6 v4
+{% if apt_cacher_ng__connect_protocol | length >= 1 %}
+ConnectProto: {{ apt_cacher_ng__connect_protocol | join(" ") }}
+{% endif %}
+
+# Regular expiration algorithm finds package files which are no longer listed
+# in any index file and removes them of them after a safety period.
+# This option allows to keep more versions of a package in the cache after
+# the safety period is over.
+#
+# KeepExtraVersions: 0
+
+# Optionally uses TCP access control provided by libwrap, see hosts_access(5)
+# for details. Daemon name is apt-cacher-ng.
+#
+# Default: guessed on startup by looking for explicit mention of apt-cacher-ng
+# in /etc/hosts.allow or /etc/hosts.deny files.
+#
+# UseWrap: 0
+
+# If many machines from the same local network attempt to update index files
+# (apt-get update) at nearly the same time, the known state of these index file
+# is temporarily frozen and multiple requests receive the cached response
+# without contacting the remote server again. This parameter (in seconds)
+# specifies the length of this period before these (volatile) files are
+# considered outdated.
+# Setting this value too low transfers more data and increases remote server
+# load, setting this too high (more than a couple of minutes) increases the
+# risk of delivering inconsistent responses to the clients.
+#
+# FreshIndexMaxAge: 27
+
+# Usually the users are not allowed to specify custom TCP ports of remote
+# mirrors in the requests, only the default HTTP port can be used (as
+# workaround, proxy administrator can create Remap- rules with custom ports).
+# This restriction can be disabled by specifying a list of allowed ports or 0
+# for any port.
+#
+# AllowUserPorts: 80
+
+# Normally the HTTP redirection responses are forwarded to the original caller
+# (i.e. APT) which starts a new download attempt from the new URL. This
+# solution is ok for client configurations with proxy mode but doesn't work
+# well with configurations using URL prefixes in sources.list. To work around
+# this the server can restart its own download with a redirection URL,
+# configured with the following option. The downside is that this might be used
+# to circumvent download source policies by malicious users.
+# The RedirMax option specifies how many such redirects the server is allowed
+# to follow per request, 0 disables the internal redirection.
+# Default: guessed on startup, 0 if ForceManaged is used and 5 otherwise.
+#
+# RedirMax: 5
+
+# There some broken HTTP servers and proxy servers in the wild which don't
+# support the If-Range header correctly and return incorrect data when the
+# contents of a (volatile) file changed. Setting VfileUseRangeOps to zero
+# disables Range-based requests while retrieving volatile files, using
+# If-Modified-Since and requesting the complete file instead. Setting it to
+# a negative value removes even If-Modified-Since headers.
+#
+# VfileUseRangeOps: 1
+
+# Allow data pass-through mode for certain hosts when requested by the client
+# using a CONNECT request. This is particularly useful to allow access to SSL
+# sites (https proxying). The string is a regular expression which should cover
+# the server name with port and must be correctly formatted and terminated.
+# Examples:
+# PassThroughPattern: private-ppa\.launchpad\.net:443$
+# PassThroughPattern: .* # this would allow CONNECT to everything
+#
+# Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
+# PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
+
+# It's possible that an evil client requests a volatile file but does not
+# retrieve the response and keeps the connection effectively stuck over
+# many hours, blocking the particular file for other download attempts (which
+# leads to not reporting file changes on server side to other users). In such
+# case the file descriptor can be moved aside although this might reduce cache
+# efficiency.
+#
+# Default time is based on the value of FreshIndexMaxAge with a safety factor.
+#
+# ResponseFreezeDetectTime: 60
+
+# Keep outgoing connections alive and reuse them for later downloads from
+# the same server as long as possible.
+#
+# ReuseConnections: 1
+
+# Maximum number of requests sent in a batch to remote servers before the first
+# response is expected. Using higher values can greatly improve average
+# throughput depending on network latency and the implementation of remote
+# servers. Makes most sense when also enabled on the client side, see apt.conf
+# documentation for details.
+#
+# Default: 10 if ReuseConnections is set, 1 otherwise
+#
+# PipelineDepth: 10
+
+# Path to the system directory containing trusted CA certificates used for
+# outgoing connections, see OpenSSL documentation for details.
+#
+# CApath: /etc/ssl/certs
+#
+# Path to a single trusted trusted CA certificate used for outgoing
+# connections, see OpenSSL documentation for details.
+#
+# CAfile:
+
+# There are different ways to detect that an upstream proxy is broken and turn
+# off its use and connect directly. The first is through a custom command -
+# when it returns successfully, the proxy is used, otherwise not and the
+# command will be rerun only after a specified period.
+# Another way is to try to connect to the proxy first and detect a connection
+# timeout. The connection will then be made without HTTP proxy for the life
+# time of the particular download stream and it may also affect other other
+# parallel downloads.
+# NOTE: this operation modes are still experimental and are subject to change!
+# Unwanted side effects may occur with multiple simultaneous user connections
+# or with specific per-repository proxy settings.
+#
+# Shell command, default: not set. Executed with the default shell and
+# permissions of the apt-cacher-ng's process user. Examples:
+# /bin/ip route | grep -q 192.168.117
+# /usr/sbin/arp | grep -q 00:22:1f:51:8e:c1
+#
+# OptProxyCheckCommand: ...
+#
+# Check interval, in seconds.
+#
+# OptProxyCheckInterval: 99
+#
+# Connection timeout in seconds, default: negative, means disabled.
+#
+# OptProxyTimeout: -1
+
+# It's possible to limit the processing speed of download agents to set an
+# overall download speed limit. Unit: KiB/s, Default: unlimited.
+#
+# MaxDlSpeed: 500
+{{ ("MaxDlSpeed: " + apt_cacher_ng__max_download_speed_kib | string) if (apt_cacher_ng__max_download_speed_kib != "") else "" }}
+
+# In special corner cases, download clients attempt to download random chunks
+# of a files headers, i.e. the first kilobytes. The "don't get client stuck"
+# policy converts this usually to a 200 response starting the body from the
+# beginning but that confuses some clients. When this option is set to a
+# certain value, this modifies the behaviour and allows to start a file
+# download where the distance between available data and the specified range
+# lies within that bounds. This can look like random lag for the user but
+# should be harmless apart from that.
+#
+# MaxInresponsiveDlSize: 64000
+
+# In mobile environments having an adhoc connection with a redirection to some
+# id verification side, this redirect might damage the cache since the data is
+# involuntarily stored as package data. There is a mechanism which attempts to
+# detect a such situation and mitigate the mentioned effects by not storing the
+# data and also dropping the DNS cache. The trigger is the occurrence of a
+# specific SUBSTRING in the content type field of the final download target
+# (i.e. the auth web site) and at least one followed redirection.
+#
+# BadRedirDetectMime: text/html
+
+# When a BUS signal is received (typically on IO errors), a shell command can be
+# executed before the daemon is terminated.
+# Example:
+# BusAction: ls -l /proc/$PPID/ | mail -s SIGBUS! root
+
+# Only set this value for debugging purposes. It disables SSL security checks
+# like strict host verification. 0 means no, any other value can have
+# different meaning in the future.
+#
+# NoSSLChecks: 0
+
+# Setting this value means: on file downloads from/via cache, tag relevant
+# files. And when acngtool runs the shrink command, it will look at the day
+# when the file was retrieved from cache last time (and not when it was
+# originally downloaded).
+#
+# TrackFileUse: 0
+
+# Controls preallocation of file system space where this feature is supported.
+# This might reduce disk fragmentation and therefore improve later read
+# performance. However, write performance can be reduced which could be
+# exploited by malicious users.
+# The value defines a size limit of how much to report to the OS as expected
+# file size (starting from the beginning of the file).
+# Set to zero to disable this feature completely. Default: one megabyte
+#
+# ReserveSpace: 1048576
+
+{{ apt_cacher_ng__custom }}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_debian.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_debian.j2
new file mode 100644
index 00000000..d3105633
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_debian.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ apt_cacher_ng__upstream_mirror_debian }}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_gentoo.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_gentoo.j2
new file mode 100644
index 00000000..326ddfab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_gentoo.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ apt_cacher_ng__upstream_mirror_gentoo }}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_ubuntu.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_ubuntu.j2
new file mode 100644
index 00000000..3d57f1f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/backends_ubuntu.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ apt_cacher_ng__upstream_mirror_ubuntu }}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/security.conf.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/security.conf.j2
new file mode 100644
index 00000000..6e245a7e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/security.conf.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This file contains confidential data and should be protected with file
+# permissions from being read by untrusted users.
+#
+# NOTE: permissions are fixated with dpkg-statoverride on Debian systems.
+# Read its manual page for details.
+
+# Basic authentication with username and password, required to
+# visit pages with administrative functionality. Format: username:password
+
+AdminAuth: {{ apt_cacher_ng__user | default('admin') }}:{{ apt_cacher_ng__password | default('password') }}
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/userinfo.html.j2 b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/userinfo.html.j2
new file mode 100644
index 00000000..5f6e3c05
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/templates/etc/apt-cacher-ng/userinfo.html.j2
@@ -0,0 +1,71 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<!DOCTYPE html>
+<html lang="en">
+   <head>
+      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+      <meta http-equiv="X-UA-Compatible" content="IE=8" />
+      <meta name="MSSmartTagsPreventParsing" content="true" />
+      <title>Not Found or APT Reconfiguration required</title>
+      <link rel="stylesheet" type="text/css" href="/style.css" />
+   </head>
+   <body>
+      <table border=0 cellspacing=0 cellpadding=0 width=580 class="center">
+         <tr>
+            <td class="title" style="width:580px;">The requested page is not accessible.</td>
+         </tr>
+         <tr>
+            <td>
+               <div class="visarea" style="width:580px;text-align:left;"><br>
+                  You attempted to browse the contents of a virtual HTTP repository.
+                  However, the intended way of use is the configuration of APT and
+                  related package management systems to retrieve the software packages
+                  through this service.
+                  <p>To configure APT for use of Apt-Cacher&nbsp;NG you need to...
+                  <br>
+                  <ul>
+                     <li>
+                     <b>EITHER:</b>  Configure APT to use a HTTP proxy by specifying
+                     it in apt.conf or related configuration files, see
+                     apt.conf manual page for details. Server and Port need to match
+                     the values used to visit this page. For example,
+                     edit&nbsp;<i>/etc/apt/apt.conf</i> (or create a new file called like <i>/etc/apt/apt.conf.d/00aptproxy</i>) and add the line:
+                     <p />
+            <div class="rawstyle">Acquire::http::Proxy "http://{{ apt_cacher_ng__fqdn }}";</div>
+                     <p />
+                     </li>
+
+                     <li>
+                     <b>OR:</b>
+                     Edit the <i>/etc/apt/sources.list</i> file and edit the source lines
+                     therein, replacing the mirror hostname with the hostname of this
+                     server machine. For example:
+                     <p /><div class="rawstyle" style="color:gray;">
+                        deb http://ftp.debian.org/debian stable main contrib non-free<br>
+                     deb-src http://ftp.debian.org/debian stable main contrib non-free<br>
+                     deb https://get.docker.com/ubuntu docker main<br></div><p/>
+                     becomes:<p/>
+                     <div class="rawstyle">deb http://<span style="color:red">{{ apt_cacher_ng__fqdn }}/</span>ftp.debian.org/debian stable main contrib non-free<br/>
+                        deb-src http://<span style="color:red">{{ apt_cacher_ng__fqdn }}/</span>ftp.debian.org/debian stable main contrib non-free<br/>
+                        deb <span style="color:red">http://{{ apt_cacher_ng__fqdn }}//HTTPS///</span>get.docker.com/ubuntu docker main</div><p/>
+                     Depending on the configuration, it might be possible to use a shortcut
+                     for the base URLs without knowing the mirror, for example:<p/>
+                     <div class="rawstyle">deb http://{{ apt_cacher_ng__fqdn }}/debian stable main contrib non-free</div><p/>
+                     Ask your system administrator for details.
+                     </li>
+                  </ul>
+                  <h3>Related links</h3>
+                  <ul>
+                     <li><a href="${cfg:ReportPage}">Statistics report and configuration page</a> for this Apt-Cacher NG installation</li>
+                     <li><a href="https://www.unix-ag.uni-kl.de/~bloch/acng/">Project Homepage</a>
+                  </ul>
+
+                  ${footer}
+               </div>
+            </td>
+         </tr>
+      </table>
+   </body>
+</html>
diff --git a/ansible_collections/debops/debops/roles/apt_cacher_ng/vars/main.yml b/ansible_collections/debops/debops/roles/apt_cacher_ng/vars/main.yml
new file mode 100644
index 00000000..7e355126
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_cacher_ng/vars/main.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# .. envvar:: apt_cacher_ng__apparmor__tunables_dependent
+#
+# Configuration for the ``debops-contrib.apparmor`` role.
+#
+# Example::
+#
+#    apt_cacher_ng__apparmor__tunables_dependent: '@{APT_CACHE_DIR}+={{ apt_cacher_ng__cache_dir }}'
+#
+# Does not work. Error is: Variable was previously declared. Not sure if this is supposed to work?
+# ``apt_cacher_ng__apparmor__dependent_config`` works without issues.
+apt_cacher_ng__apparmor__tunables_dependent: ''
diff --git a/ansible_collections/debops/debops/roles/apt_install/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_install/COPYRIGHT
new file mode 100644
index 00000000..127509a9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.apt_install - Manage APT packages using Ansible
+
+Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_install/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_install/defaults/main.yml
new file mode 100644
index 00000000..5455f688
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/defaults/main.yml
@@ -0,0 +1,435 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_install__ref_defaults:
+
+# debops.apt_install default variables [[[
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role configuration [[[
+# ----------------------
+
+# .. envvar:: apt_install__enabled [[[
+#
+# Enable or disable support for ``debops.apt_install`` role.
+apt_install__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: apt_install__distribution [[[
+#
+# The variable that indicates host operating system distribution, used to
+# conditionally select packages for installation.
+apt_install__distribution: '{{ ansible_local.core.distribution
+                                | d(ansible_lsb.id | d(ansible_distribution)) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__distribution_release [[[
+#
+# The variable that indicates host distribution release, used to conditionally
+# select packages for installation.
+apt_install__distribution_release: '{{ ansible_local.core.distribution_release
+                                        | d(ansible_lsb.codename | d(ansible_distribution_release)) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__archive_areas_map [[[
+#
+# A dictionary that maps different parts of the package archive to each
+# distribution. By default the role expects all of the archives to be enabled.
+apt_install__archive_areas_map:
+  'Debian': [ 'main', 'contrib', 'non-free' ]
+  'Ubuntu': [ 'main', 'restricted', 'universe', 'multiverse' ]
+
+                                                                   # ]]]
+# .. envvar:: apt_install__archive_areas [[[
+#
+# List of package archive areas which are currently available. This list is
+# used to conditionally enable packages for installation, depending on
+# availability of a given archive area.
+apt_install__archive_areas: '{{ ansible_local.apt.components
+                                 | d(apt_install__archive_areas_map[apt_install__distribution] | d([])) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__condition_map [[[
+#
+# Definition of the values to compare :ref:`apt_install__all_packages` against.
+# This map is used internally in the :envvar:`apt_install__all_packages` lookup
+# template.
+apt_install__condition_map:
+  'distribution': '{{ apt_install__distribution }}'
+  'release': '{{ apt_install__distribution_release }}'
+  'areas': '{{ apt_install__archive_areas }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__state [[[
+#
+# How the :command:`apt` Ansible module should install the selected packages:
+#
+# ``present``
+#   Only make sure that the packages on the list are present on the host.
+#
+# ``latest``
+#   Install the latest version of available packages, according to APT
+#   preferences.
+#
+# By default role will make sure to update the packages to their latest version
+# on first run, and just keep the current version on subsequent runs.
+apt_install__state: '{{ "present"
+                        if (ansible_local | d() and ansible_local.apt_install | d() and
+                            (ansible_local.apt_install.configured | d(True)) | bool)
+                        else "latest" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__no_kernel_hints [[[
+#
+# Enable or disable configuration of the hints about upgraded kernel requiring
+# a reboot of the host, created by the :command:`needrestart` package.  By
+# default these hints will be disabled, which helps with non-interactive APT
+# package installation done by Ansible.
+apt_install__no_kernel_hints: '{{ True
+                                  if ("needrestart" in apt_install__conditional_whitelist_packages)
+                                  else False }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__recommends [[[
+#
+# Boolean variable that controls installation of recommended packages.
+apt_install__recommends: False
+
+                                                                   # ]]]
+# .. envvar:: apt_install__update_cache [[[
+#
+# Enable or disable APT cache updates.
+apt_install__update_cache: True
+
+                                                                   # ]]]
+# .. envvar:: apt_install__cache_valid_time [[[
+#
+# Amount of time between APT cache updates in seconds.
+apt_install__cache_valid_time: '{{ ansible_local.core.cache_valid_time | d(60 * 60 * 24 * 7) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Debconf package configuration [[[
+# --------------------------------
+
+# These lists can be used to insert new values into the debconf database. This
+# allow to overwrite some default answer before installing a package and avoid
+# using ``dpkg-reconfigure`` to set the wanted answer.
+# See :ref:`apt_install__ref_debconf` for more details.
+
+# .. envvar:: apt_install__debconf [[[
+#
+# List of values to configure for all hosts in the Ansible inventory.
+apt_install__debconf: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__group_debconf [[[
+#
+# List of values to configure for hosts in specific Ansible
+# inventory group.
+apt_install__group_debconf: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__host_debconf [[[
+#
+# List of values to configure for specific hosts in the Ansible
+# inventory.
+apt_install__host_debconf: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package lists [[[
+# ---------------------
+
+# The APT packages to install are split into multiple lists to easier
+# modification. You can specify name of each package directly or use a YAML
+# dictionary to better control when a package should be installed. See
+# :ref:`apt_install__all_packages` for more details.
+
+# .. envvar:: apt_install__base_packages [[[
+#
+# Default base packages to install.
+apt_install__base_packages:
+  - 'ed'
+  - 'lsb-release'
+  - 'make'
+  - 'git'
+  - 'curl'
+  - 'rsync'
+  - 'bsdutils'
+  - 'acl'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__shell_packages [[[
+#
+# Command line creature comforts, when you need to login to the remote host.
+apt_install__shell_packages:
+  - 'ncurses-term'
+  - 'tmux'
+  - 'less'
+  - 'file'
+  - 'psmisc'
+  - 'lsof'
+  - 'tree'
+  - 'htop'
+  - 'iftop'
+  - 'nload'
+  - 'nmon'
+  - 'mtr-tiny'
+  - 'mc'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__editor_packages [[[
+#
+# List of text editors to install.
+apt_install__editor_packages:
+
+  # The role also sets ``vim.basic`` as the default editor via
+  # the :envvar:`apt_install__default_alternatives` variable.
+  # If you change this list, remember to update that variable as well,
+  # otherwise the playbook execution will break.
+  - 'vim'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__packages [[[
+#
+# List of APT packages to install on all hosts in Ansible inventory.
+apt_install__packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__group_packages [[[
+#
+# List of APT packages to install on hosts in a specific group in Ansible
+# inventory.
+apt_install__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__host_packages [[[
+#
+# List of APT packages to install on specific hosts in Ansible inventory.
+apt_install__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__dependent_packages [[[
+#
+# List of APT packages to install for other Ansible roles, for usage as
+# a dependent role.
+apt_install__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__conditional_whitelist_packages [[[
+#
+# List of APT package names which will be used to compare against packages
+# requested for installation. This list is exposed in the defaults so that you
+# don't need to modify the conditional list below to enable or disable
+# packages.
+apt_install__conditional_whitelist_packages:
+  - 'irqbalance'
+  - 'uptimed'
+  - 'libpam-systemd'
+  - 'haveged'
+  - 'gnupg-curl'
+  - 'needrestart'
+  - 'open-vm-tools'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__conditional_packages [[[
+#
+# List of APT packages installed under certain conditions.
+apt_install__conditional_packages:
+
+  - name: 'irqbalance'
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present"
+               if (ansible_processor_cores >= 2 and
+                   (ansible_virtualization_role is undefined or
+                    ansible_virtualization_role not in ["guest"]))
+               else "absent" }}'
+
+  - name: 'uptimed'
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present"
+               if (ansible_virtualization_role is undefined or
+                   ansible_virtualization_role not in ["guest"])
+               else "absent" }}'
+
+  - name: 'libpam-systemd'
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present" if (ansible_service_mgr == "systemd") else "absent" }}'
+
+  - name: 'haveged'
+    # KVM is capable of providing entropy to guests however this needs to be
+    # configured on the hypervisor host and thus can not always be done if one
+    # only controls a guest.
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present"
+               if (ansible_virtualization_role | d("guest") in ["guest"] and
+                   ansible_virtualization_type | d("unknown") not in ["lxc", "openvz"] and
+                   not (ansible_local | d() and ansible_local.apt_install | d() and
+                        ansible_local.apt_install.have_virtual_rng | d(False) | bool))
+               else "absent" }}'
+
+  - name: 'gnupg-curl'
+    # This package is needed when you want to access HKPS keyservers.
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present"
+               if ansible_distribution_release in
+                  ["trusty", "xenial"]
+               else "absent" }}'
+
+  - name: 'needrestart'
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: 'present'
+
+  - name: 'open-vm-tools'
+    whitelist: '{{ apt_install__conditional_whitelist_packages }}'
+    state: '{{ "present"
+               if (ansible_virtualization_role | d("guest") in ["guest"] and
+                   ansible_virtualization_type | d("unknown") in ["VMware"])
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__firmware_packages [[[
+#
+# Certain systems require free or non-free firmware for correct operation. This
+# list of packages will ensure that the required firmware is installed.
+apt_install__firmware_packages:
+
+  - name: 'amd64-microcode'
+    # Non-free microcode firmware for AMD CPUs. These patches mitigate security
+    # issues like Spectre and fix other types of incorrect processor behaviour.
+    # The package only needs to be installed on physical machines. To protect
+    # virtual machines, be sure to set the correct CPU flags in QEMU:
+    # https://www.qemu.org/docs/master/system/target-i386.html#important-cpu-features-for-intel-x86-hosts
+    distribution: [ 'Debian', 'Devuan', 'Ubuntu' ]
+    areas: '{{ ["main"]
+               if ansible_distribution in ["Ubuntu"]
+               else ["non-free"] }}'
+    state: '{{ "present"
+               if ansible_virtualization_role == "host" and
+                  "AuthenticAMD" in ansible_processor
+               else "absent" }}'
+
+  - name: 'firmware-linux-free'
+    distribution: [ 'Debian' ]
+    state: '{{ "present" if (ansible_form_factor in ["Rack Mount Chassis"])
+                         and (ansible_virtualization_role is undefined or
+                              ansible_virtualization_role not in ["guest"])
+                         and (ansible_kernel.find("-pve") == "-1")
+                         else "absent" }}'
+
+  - name: 'firmware-linux-nonfree'
+    distribution: [ 'Debian' ]
+    areas: [ 'non-free' ]
+    state: '{{ "present" if (ansible_form_factor in ["Rack Mount Chassis"])
+                         and (ansible_virtualization_role is undefined or
+                              ansible_virtualization_role not in ["guest"])
+                         and (ansible_kernel.find("-pve") == "-1")
+                         else "absent" }}'
+
+  - name: 'intel-microcode'
+    # Same as amd64-microcode, but for Intel CPUs.
+    distribution: [ 'Debian', 'Devuan', 'Ubuntu' ]
+    areas: '{{ ["main"]
+               if ansible_distribution in ["Ubuntu"]
+               else ["non-free"] }}'
+    state: '{{ "present" if ansible_virtualization_role == "host" and
+                            "GenuineIntel" in ansible_processor
+                         else "absent" }}'
+
+  - name: 'linux-firmware'
+    distribution: [ 'Ubuntu' ]
+    state: '{{ "present" if (ansible_form_factor in ["Rack Mount Chassis"])
+                             and (ansible_virtualization_role is undefined or
+                              ansible_virtualization_role not in ["guest"])
+                         else "absent" }}'
+
+  - name: 'linux-firmware-nonfree'
+    distribution: [ 'Ubuntu' ]
+    release: [ 'precise', 'trusty', 'wily' ]
+    areas: [ 'multiverse' ]
+    state: '{{ "present" if (ansible_form_factor in ["Rack Mount Chassis"])
+                             and (ansible_virtualization_role is undefined or
+                              ansible_virtualization_role not in ["guest"])
+                         else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__all_packages [[[
+#
+# The master list of APT packages to install, passed to the lookup template for
+# conditional processing.
+apt_install__all_packages:
+  - '{{ apt_install__base_packages }}'
+  - '{{ apt_install__shell_packages }}'
+  - '{{ apt_install__editor_packages }}'
+  - '{{ apt_install__packages }}'
+  - '{{ apt_install__group_packages }}'
+  - '{{ apt_install__host_packages }}'
+  - '{{ apt_install__dependent_packages }}'
+  - '{{ apt_install__conditional_packages }}'
+  - '{{ apt_install__firmware_packages }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Alternative package symlinks [[[
+# --------------------------------
+
+# These lists can be used to define alternative symlinks for certain packages
+# which provide similar functionality, using ``update-alternatives`` package.
+# See :ref:`apt_install__ref_alternatives` for more details.
+
+# .. envvar:: apt_install__default_alternatives [[[
+#
+# List of default alternative symlinks set by the role.
+apt_install__default_alternatives:
+
+  # The role also installs the ``vim`` package via the
+  # :envvar:`apt_install__editor_packages` variable.
+  - name: 'editor'
+    path: '/usr/bin/vim.basic'
+
+                                                                   # ]]]
+# .. envvar:: apt_install__alternatives [[[
+#
+# List of alternative symlinks configured for all packages in the Ansible
+# inventory.
+apt_install__alternatives: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__group_alternatives [[[
+#
+# List of alternative symlinks configured for hosts in specific Ansible
+# inventory group.
+apt_install__group_alternatives: []
+
+                                                                   # ]]]
+# .. envvar:: apt_install__host_alternatives [[[
+#
+# List of alternative symlinks configured for specific hosts in the Ansible
+# inventory.
+apt_install__host_alternatives: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: apt_install__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` role.
+apt_install__apt_preferences__dependent_list:
+
+  - package: 'needrestart needrestart-*'
+    backports: [ 'trusty' ]
+    reason: 'Better support for container technologies'
+    by_role: 'debops.apt_install'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_install/meta/main.yml b/ansible_collections/debops/debops/roles/apt_install/meta/main.yml
new file mode 100644
index 00000000..2a8b16e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Install APT packages on Debian and other compatible systems'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - apt
+    - packages
+    - packaging
+    - deployment
+    - software
diff --git a/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/post_main.yml b/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/post_main.yml
new file mode 100644
index 00000000..09877439
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/post_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/pre_main.yml b/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/pre_main.yml
new file mode 100644
index 00000000..09877439
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/tasks/apt_install/pre_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/apt_install/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_install/tasks/main.yml
new file mode 100644
index 00000000..004b2b9f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/tasks/main.yml
@@ -0,0 +1,112 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "apt_install/pre_main.yml") }}'
+
+- name: Make sure that Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: apt_install__enabled | bool
+
+- name: Save local Ansible facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apt_install.fact.j2'
+    dest: '/etc/ansible/facts.d/apt_install.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: apt_install__enabled | bool
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Debconf module dependencies
+  ansible.builtin.apt:
+    name:
+      - 'debconf'
+      - 'debconf-utils'
+    state: 'present'
+    install_recommends: '{{ apt_install__recommends | bool }}'
+  register: apt_install__register_debconf_packages
+  until: apt_install__register_debconf_packages is succeeded
+
+- name: Apply requested packages configuration
+  ansible.builtin.debconf:
+    name:      '{{ item.name }}'
+    question:  '{{ item.question | d(omit) }}'
+    selection: '{{ item.selection | d(omit) }}'
+    setting:   '{{ item.setting | d(omit) }}'
+    unseen:    '{{ item.unseen | d(omit) }}'
+    value:     '{{ item.value | d(omit) }}'
+    answer:    '{{ item.answer | d(omit) }}'
+    vtype:     '{{ item.vtype | d(omit) }}'
+  loop: '{{ q("flattened", apt_install__debconf
+                           + apt_install__group_debconf
+                           + apt_install__host_debconf) }}'
+  when: item.name | d()
+
+- name: Install requested APT packages
+  ansible.builtin.apt:
+    name: '{{ q("flattened", lookup("template",
+                             "lookup/apt_install__all_packages.j2",
+                             convert_data=False) | from_yaml) }}'
+    state: '{{ apt_install__state }}'
+    install_recommends: '{{ apt_install__recommends | bool }}'
+    update_cache: '{{ apt_install__update_cache | bool }}'
+    cache_valid_time: '{{ apt_install__cache_valid_time }}'
+  register: apt_install__register_packages
+  until: apt_install__register_packages is succeeded
+  when: apt_install__enabled | bool
+
+- name: Configure alternative symlinks
+  community.general.alternatives:
+    name:     '{{ item.name }}'
+    path:     '{{ item.path }}'
+    link:     '{{ item.link | d(omit) }}'
+    priority: '{{ item.priority | d(omit) }}'
+  loop: '{{ q("flattened", apt_install__default_alternatives
+                           + apt_install__alternatives
+                           + apt_install__group_alternatives
+                           + apt_install__host_alternatives) }}'
+  when: item.name | d() and item.path | d()
+
+- name: Configure automatic alternatives
+  ansible.builtin.command: update-alternatives --auto {{ item.name }}
+  register: apt_install__register_alternatives
+  loop: '{{ q("flattened", apt_install__alternatives
+                           + apt_install__group_alternatives
+                           + apt_install__host_alternatives) }}'
+  when: item.name | d() and not item.path | d()
+  changed_when: apt_install__register_alternatives.stdout | d()
+
+- name: Disable kernel hints about pending upgrades
+  ansible.builtin.template:
+    src: 'etc/needrestart/conf.d/no-kernel-hints.conf.j2'
+    dest: '/etc/needrestart/conf.d/no-kernel-hints.conf'
+    mode: '0644'
+  when: apt_install__enabled | bool and apt_install__no_kernel_hints | bool
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "apt_install/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/apt_install/templates/etc/ansible/facts.d/apt_install.fact.j2 b/ansible_collections/debops/debops/roles/apt_install/templates/etc/ansible/facts.d/apt_install.fact.j2
new file mode 100644
index 00000000..9d6ac8e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/templates/etc/ansible/facts.d/apt_install.fact.j2
@@ -0,0 +1,30 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import os
+
+
+def dir_exists(path):
+    return os.path.isdir(path)
+
+
+def module_loaded(mod):
+    return dir_exists(os.path.join('/sys/module', mod))
+
+
+output = {
+    'configured': True,
+    'have_virtual_rng': module_loaded('virtio_rng')
+}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_install/templates/etc/needrestart/conf.d/no-kernel-hints.conf.j2 b/ansible_collections/debops/debops/roles/apt_install/templates/etc/needrestart/conf.d/no-kernel-hints.conf.j2
new file mode 100644
index 00000000..63eb7c6b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/templates/etc/needrestart/conf.d/no-kernel-hints.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Kernel upgrade hints are disabled to allow for non-interactive APT package
+# installs. Without this, non-interactive APT operations, for example performed
+# by Ansible, will hang indefinitely - waiting for user interaction.
+$nrconf{kernelhints} = 0;
diff --git a/ansible_collections/debops/debops/roles/apt_install/templates/lookup/apt_install__all_packages.j2 b/ansible_collections/debops/debops/roles/apt_install/templates/lookup/apt_install__all_packages.j2
new file mode 100644
index 00000000..70ff777e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_install/templates/lookup/apt_install__all_packages.j2
@@ -0,0 +1,47 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro get_yaml_list_from_string_or_list(package_map, item) %}{# ((( #}
+{{ ([ package_map[item] ]
+   if (package_map[item] is string)
+   else (package_map[item] | list)) | to_yaml }}
+{% endmacro %}{# ))) #}
+{% macro process_packages(packages, apt_install__tpl_package_list) %}{# ((( #}
+{%   for element in packages %}
+{%     if element is string %}
+{%       set _ = apt_install__tpl_package_list.append(element) %}
+{%     elif element is mapping %}
+{%       if element.state | d('present') == 'present' and element.name | d() %}
+{%         set apt_install__tpl_to_meet_condition_list = apt_install__condition_map.keys() %}
+{%         set apt_install__tpl_met_condition_list = [] %}
+{%         for condition_name_to_meet in apt_install__tpl_to_meet_condition_list %}
+{%           if element[condition_name_to_meet] is defined %}
+{%             for condition_item_to_meet in get_yaml_list_from_string_or_list(element, condition_name_to_meet) | from_yaml | map('lower') %}
+{%               if condition_item_to_meet in (get_yaml_list_from_string_or_list(apt_install__condition_map, condition_name_to_meet) | from_yaml | map('lower')) %}
+{%                 set _ = apt_install__tpl_met_condition_list.append(condition_name_to_meet) %}
+{%               endif %}
+{%             endfor %}
+{%           else %}
+{%             set _ = apt_install__tpl_met_condition_list.append(condition_name_to_meet) %}
+{%           endif %}
+{%         endfor %}
+{%         if (apt_install__tpl_met_condition_list | unique | length) == (apt_install__tpl_to_meet_condition_list | unique | length) %}
+{%           set _ = apt_install__tpl_package_list.append(get_yaml_list_from_string_or_list(element, 'name') | from_yaml
+                       | intersect(element.whitelist | d(get_yaml_list_from_string_or_list(element, 'name') | from_yaml)) | list) %}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       for things in element %}
+{%         set _ = process_packages(things, apt_install__tpl_package_list) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}{# ))) #}
+
+{% set apt_install__tpl_package_list = [] %}
+{% for elements in apt_install__all_packages %}
+{%   set _ = process_packages(elements, apt_install__tpl_package_list) %}
+{% endfor %}
+{{ [ apt_install__tpl_package_list ] | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_listchanges/COPYRIGHT
new file mode 100644
index 00000000..ef9809fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.apt_listchanges - Manage apt-listchanges using Ansible
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_listchanges/defaults/main.yml
new file mode 100644
index 00000000..401cdf11
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/defaults/main.yml
@@ -0,0 +1,136 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_listchanges__ref_defaults:
+
+# debops.apt_listchanges default variables [[[
+# ============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT package and installation [[[
+# --------------------------------
+
+# .. envvar:: apt_listchanges__deploy_state [[[
+#
+# Specify if the :command:`apt-listchanges` package should be installed (``present``)
+# or not installed (``absent``). All specified packages will be purged if the
+# role is disabled using this variable.
+apt_listchanges__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__base_packages [[[
+#
+# List of APT packages to install.
+apt_listchanges__base_packages: [ 'apt-listchanges' ]
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__packages [[[
+#
+# List of additional APT packages to install with :command:`apt-listpackages`.
+apt_listchanges__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Main configuration options [[[
+# ------------------------------
+
+# .. envvar:: apt_listchanges__mail_to [[[
+#
+# List of e-mail accounts to which messages from :command:`apt-listchanges` will be
+# sent.
+apt_listchanges__mail_to: '{{ ansible_local.core.admin_private_email | d(["root"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__apt_frontend [[[
+#
+# Specify which :command:`apt-listchanges` frontend to use when the script is executed
+# by APT operations. By default the frontend is ``mail`` unless ``apticron`` is
+# detected in which case the APT frontend is disabled, since ``apticron`` will
+# send virtually the same e-mails anyway.
+#
+# See :command:`apt-listchanges(1)` for list of available frontends.
+apt_listchanges__apt_frontend: '{{ "none"
+                                   if (ansible_local | d() and ansible_local.apticron | d() and
+                                       ansible_local.apticron.enabled | bool)
+                                   else (ansible_local.apt_listchanges.apt.frontend
+                                         if (ansible_local.apt_listchanges.apt | d() and
+                                             ansible_local.apt_listchanges.apt.frontend | d())
+                                         else "mail") }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__apt_which [[[
+#
+# Specify what information should be sent when the script is run by APT
+# operations. Choices: ``news``, ``changelogs``, ``both``. By default only
+# important NEWS items will be sent.
+apt_listchanges__apt_which: 'news'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__apticron_frontend [[[
+#
+# Specify what frontend to use when the script is executed by ``apticron``. See
+# :command:`apt-listchanges(1)` for information about available frontends.
+apt_listchanges__apticron_frontend: 'mail'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__apticron_which [[[
+#
+# Specify what information should be sent when the script is run by
+# ``apticron``. Choices: ``news``, ``changelogs``, ``both``.
+apt_listchanges__apticron_which: 'both'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration profiles [[[
+# --------------------------
+
+# .. envvar:: apt_listchanges__profiles [[[
+#
+# YAML dictionary with information about :command:`apt-listchanges` profiles which
+# should be configured. Each value should be a YAML dictionary with key: value
+# pairs which define the configuration options. See :command:`apt-listchanges(1)` for
+# information about what options can be configured in a profile.
+apt_listchanges__profiles:
+  'cmdline':  '{{ apt_listchanges__profile_cmdline }}'
+  'apt':      '{{ apt_listchanges__profile_apt }}'
+  'apticron': '{{ apt_listchanges__profile_apticron }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__profile_cmdline [[[
+#
+# Profile used when :command:`apt-listchanges` is run from the command line, according
+# th the manual.
+apt_listchanges__profile_cmdline:
+  frontend: 'pager'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__profile_apt [[[
+#
+# Profile used when :command:`apt-listchanges` is executed during APT operations.
+apt_listchanges__profile_apt:
+  frontend: '{{ apt_listchanges__apt_frontend }}'
+  email_address: '{{ apt_listchanges__mail_to | join(",") }}'
+  confirm: '0'
+  which: '{{ apt_listchanges__apt_which }}'
+  save_seen: '/var/lib/apt/listchanges.db'
+
+                                                                   # ]]]
+# .. envvar:: apt_listchanges__profile_apticron [[[
+#
+# Profile used when :command:`apt-listchanges` is run by ``apticron``.
+apt_listchanges__profile_apticron:
+  frontend: '{{ apt_listchanges__apticron_frontend }}'
+  email_address: '{{ apt_listchanges__mail_to | join(",") }}'
+  confirm: '0'
+  which: '{{ apt_listchanges__apticron_which }}'
+  save_seen: '/var/lib/apt/listchanges.db'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/meta/main.yml b/ansible_collections/debops/debops/roles/apt_listchanges/meta/main.yml
new file mode 100644
index 00000000..29a82c52
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage apt-listchanges service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - apt
+    - changelog
+    - news
+    - debian
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_listchanges/tasks/main.yml
new file mode 100644
index 00000000..f9ab840e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (apt_listchanges__base_packages
+                              + apt_listchanges__packages)) }}'
+    state: '{{ apt_listchanges__deploy_state }}'
+    purge: True
+  register: apt_listchanges__register_packages
+  until: apt_listchanges__register_packages is succeeded
+
+- name: Configure apt-listchanges
+  ansible.builtin.template:
+    src: 'etc/apt/listchanges.conf.j2'
+    dest: '/etc/apt/listchanges.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: apt_listchanges__deploy_state == 'present'
+
+- name: Make sure that Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save apt-listchanges facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apt_listchanges.fact.j2'
+    dest: '/etc/ansible/facts.d/apt_listchanges.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/ansible/facts.d/apt_listchanges.fact.j2 b/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/ansible/facts.d/apt_listchanges.fact.j2
new file mode 100644
index 00000000..b5cafe68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/ansible/facts.d/apt_listchanges.fact.j2
@@ -0,0 +1,40 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+from os import path
+
+try:
+    from configparser import ConfigParser
+except ImportError:
+    from ConfigParser import ConfigParser
+
+conf_file = '/etc/apt/listchanges.conf'
+output = {"installed": True}
+
+if path.isfile(conf_file):
+    config = ConfigParser()
+    config.read(conf_file)
+
+    for section in config.sections():
+        output[section] = {}
+
+        for name, value in config.items(section):
+            output[section][name] = [x.strip() for x in value.split() if x]
+            if len(output[section][name]) == 1:
+                output[section][name] = output[section][name][0]
+            elif len(output[section][name]) == 0:
+                output[section][name] = ''
+
+else:
+    output = {"installed": False}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/apt/listchanges.conf.j2 b/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/apt/listchanges.conf.j2
new file mode 100644
index 00000000..4a0b5e5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_listchanges/templates/etc/apt/listchanges.conf.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for name, profile in apt_listchanges__profiles | dictsort %}
+[{{ name }}]
+{% for key, value in profile | dictsort %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/apt_mark/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_mark/COPYRIGHT
new file mode 100644
index 00000000..bfa3bca4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.apt_mark - Set desired APT package state using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_mark/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_mark/defaults/main.yml
new file mode 100644
index 00000000..d47841f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/defaults/main.yml
@@ -0,0 +1,110 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_mark__ref_defaults:
+
+# debops.apt_mark default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: apt_mark__enabled [[[
+#
+# Enable or disable support for marking APT package state.
+apt_mark__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__autoremove_recommends_important [[[
+#
+# If ``True`` (default), APT will consider packages installed via
+# ``Recommends:`` dependencies as important and not remove them automatically.
+#
+# Any entries in the ``apt_mark__*_packages`` lists will enable autoremoval of
+# APT packages installed via ``Recommends:`` dependencies, which you can then
+# control by marking them as installed manually or automatically.
+apt_mark__autoremove_recommends_important: '{{ False
+                                               if (apt_mark__default_packages | d()
+                                                   or apt_mark__packages | d()
+                                                   or apt_mark__group_packages | d()
+                                                   or apt_mark__host_packages | d())
+                                               else True }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__autoremove_suggests_important [[[
+#
+# If ``True`` (default), APT will consider packages installed via ``Suggests:``
+# dependencies as important and not remove them automatically.
+#
+# Any entries in the ``apt_mark__*_packages`` lists will enable autoremoval of
+# APT packages installed via ``Suggests:`` dependencies, which you can then
+# control by marking them as installed manually or automatically.
+apt_mark__autoremove_suggests_important: '{{ False
+                                             if (apt_mark__default_packages | d()
+                                                 or apt_mark__packages | d()
+                                                 or apt_mark__group_packages | d()
+                                                 or apt_mark__host_packages | d())
+                                             else True }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package state configuration [[[
+# -----------------------------------
+
+# These lists define the APT packages which the role will operate on, and their
+# desired state. See :ref:`apt_mark__ref_packages` for more details.
+
+# .. envvar:: apt_mark__default_packages [[[
+#
+# List of APT package states defined by the role
+apt_mark__default_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__packages [[[
+#
+# List of APT package states which should be applied on all hosts in the
+# Ansible inventory.
+apt_mark__packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__group_packages [[[
+#
+# List of APT package states which should be applied on hosts in a specific
+# Ansible inventory group.
+apt_mark__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__host_packages [[[
+#
+# List of APT package states which should be applied on specific hosts in the
+# Ansible inventory.
+apt_mark__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__dependent_packages [[[
+#
+# List of APT package states defined by other Ansible roles via role dependent
+# variables.
+apt_mark__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mark__combined_packages [[[
+#
+# Variable which combines all of the APT state lists and is passed to the role
+# tasks.
+apt_mark__combined_packages: '{{ apt_mark__default_packages
+                                 + apt_mark__dependent_packages
+                                 + apt_mark__packages
+                                 + apt_mark__group_packages
+                                 + apt_mark__host_packages }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status2 b/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status2
new file mode 100755
index 00000000..03325147
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status2
@@ -0,0 +1,31 @@
+#!/usr/bin/env python2
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+from __future__ import print_function
+from json import dumps
+from subprocess import Popen, PIPE
+import os
+import signal
+
+
+def run_command(command_args):
+    """Gather information about APT packages"""
+    process = Popen(command_args, stdout=PIPE, stderr=PIPE,
+                    preexec_fn=os.setsid)
+    stdout, stderr = process.communicate()
+    if stdout:
+        return stdout.decode('utf-8').strip().split('\n')
+    else:
+        return []
+
+
+output = {'installed':
+          run_command(["dpkg-query", "-f", "${binary:Package}\n", "-W"]),
+          'auto':      run_command(["apt-mark", "showauto"]),
+          'hold':      run_command(["apt-mark", "showhold"]),
+          'manual':    run_command(["apt-mark", "showmanual"])}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status3 b/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status3
new file mode 100755
index 00000000..c031df43
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/files/script/apt-mark-status3
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+from __future__ import print_function
+from json import dumps
+from subprocess import Popen, PIPE
+import os
+import signal
+
+
+def run_command(command_args):
+    """Gather information about APT packages"""
+    process = Popen(command_args, stdout=PIPE, stderr=PIPE,
+                    preexec_fn=os.setsid)
+    stdout, stderr = process.communicate()
+    if stdout:
+        return stdout.decode('utf-8').strip().split('\n')
+    else:
+        return []
+
+
+output = {'installed':
+          run_command(["dpkg-query", "-f", "${binary:Package}\n", "-W"]),
+          'auto':      run_command(["apt-mark", "showauto"]),
+          'hold':      run_command(["apt-mark", "showhold"]),
+          'manual':    run_command(["apt-mark", "showmanual"])}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_mark/meta/main.yml b/ansible_collections/debops/debops/roles/apt_mark/meta/main.yml
new file mode 100644
index 00000000..3e12c5d7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Set desired APT package state using apt-mark'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - apt
diff --git a/ansible_collections/debops/debops/roles/apt_mark/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_mark/tasks/main.yml
new file mode 100644
index 00000000..4033c712
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/tasks/main.yml
@@ -0,0 +1,96 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Configure APT autoremove options
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/25autoremove-recommends.conf.j2'
+    dest: '/etc/apt/apt.conf.d/25autoremove-recommends.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: apt_mark__enabled | bool
+
+- name: Check state of the APT packages
+  ansible.builtin.script: 'script/apt-mark-status{{ "2" if (ansible_python_version is version_compare("3.5", "<")) else "3" }}'
+  register: apt_mark__register_state
+  changed_when: False
+  check_mode: False
+  when: apt_mark__enabled | bool
+
+- name: Set facts about APT package state
+  ansible.builtin.set_fact:
+    apt_mark__fact_auto:      '{{ (apt_mark__register_state.stdout | from_json)["auto"] }}'
+    apt_mark__fact_hold:      '{{ (apt_mark__register_state.stdout | from_json)["hold"] }}'
+    apt_mark__fact_installed: '{{ (apt_mark__register_state.stdout | from_json)["installed"] }}'
+    apt_mark__fact_manual:    '{{ (apt_mark__register_state.stdout | from_json)["manual"] }}'
+  when: apt_mark__enabled | bool
+
+- name: Set package state as installed automatically
+  ansible.builtin.command: apt-mark auto {{ ((item.packages | d([item.name])) | intersect(apt_mark__fact_installed)) | join(' ') }}
+  with_items: '{{ apt_mark__combined_packages | debops.debops.parse_kv_items }}'
+  register: apt_mark__register_auto
+  changed_when: apt_mark__register_auto.changed | bool
+  when: (apt_mark__enabled | bool and
+         (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+         | symmetric_difference(apt_mark__fact_manual) and
+         (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+         | difference(apt_mark__fact_auto) and
+         item.state | d('manual') in ['auto', 'auto-hold', 'auto-unhold'])
+
+- name: Set package state as installed manually
+  ansible.builtin.command: apt-mark manual {{ ((item.packages | d([item.name]))
+                               | intersect(apt_mark__fact_installed)) | join(' ') }}
+  with_items: '{{ apt_mark__combined_packages | debops.debops.parse_kv_items }}'
+  register: apt_mark__register_manual
+  changed_when: apt_mark__register_manual.changed | bool
+  when: (apt_mark__enabled | bool and
+         (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+         | symmetric_difference(apt_mark__fact_auto) and
+         (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+         | difference(apt_mark__fact_manual) and
+         item.state | d('manual') in ['manual', 'manual-hold', 'manual-unhold'])
+
+- name: Hold current package state
+  ansible.builtin.command: apt-mark hold {{ ((item.packages | d([item.name]))
+                             | intersect(apt_mark__fact_installed)) | join(' ') }}
+  with_items: '{{ apt_mark__combined_packages | debops.debops.parse_kv_items }}'
+  register: apt_mark__register_hold
+  changed_when: apt_mark__register_hold.changed | bool
+  when: (apt_mark__enabled | bool and
+        (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+        | difference(apt_mark__fact_hold) and
+        item.state | d('manual') in ['hold', 'auto-hold', 'manual-hold'])
+
+- name: Unhold current package state
+  ansible.builtin.command: apt-mark unhold {{ ((item.packages | d([item.name]))
+                               | intersect(apt_mark__fact_installed)) | join(' ') }}
+  with_items: '{{ apt_mark__combined_packages | debops.debops.parse_kv_items }}'
+  register: apt_mark__register_unhold
+  changed_when: apt_mark__register_unhold.changed | bool
+  when: (apt_mark__enabled | bool and
+        (item.packages | d([item.name]) | intersect(apt_mark__fact_installed))
+        | intersect(apt_mark__fact_hold) and
+        item.state | d('manual') in ['unhold', 'auto-unhold', 'manual-unhold'])
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save apt-mark local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apt_mark.fact.j2'
+    dest: '/etc/ansible/facts.d/apt_mark.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/apt_mark/templates/etc/ansible/facts.d/apt_mark.fact.j2 b/ansible_collections/debops/debops/roles/apt_mark/templates/etc/ansible/facts.d/apt_mark.fact.j2
new file mode 100644
index 00000000..fe032a67
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/templates/etc/ansible/facts.d/apt_mark.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads("""{{ {'configured': True,
+                      'enabled': apt_mark__enabled | bool}
+                     | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_mark/templates/etc/apt/apt.conf.d/25autoremove-recommends.conf.j2 b/ansible_collections/debops/debops/roles/apt_mark/templates/etc/apt/apt.conf.d/25autoremove-recommends.conf.j2
new file mode 100644
index 00000000..6208a140
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mark/templates/etc/apt/apt.conf.d/25autoremove-recommends.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+
+// Specify if APT should treat packages installed via Recommends or Suggests
+// dependencies as important. If True, they will not be considered for
+// autoremoval.
+APT::AutoRemove::RecommendsImportant "{{ apt_mark__autoremove_recommends_important | bool | lower }}";
+APT::AutoRemove::SuggestsImportant "{{ apt_mark__autoremove_suggests_important | bool | lower }}";
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_mirror/COPYRIGHT
new file mode 100644
index 00000000..8970ad5f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.apt_mirror - Create a mirror of multiple APT repositories
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_mirror/defaults/main.yml
new file mode 100644
index 00000000..19fc05b1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/defaults/main.yml
@@ -0,0 +1,226 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _apt_mirror__ref_defaults:
+
+# debops.apt_mirror default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, UNIX environment, cron defaults [[[
+# -------------------------------------------------
+
+# .. envvar:: apt_mirror__base_packages [[[
+#
+# List of Debian packages required for :command:`apt-mirror` support.
+apt_mirror__base_packages: [ 'apt-mirror' ]
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__packages [[[
+#
+# List of additional packages to install with :command:`apt-mirror` package.
+apt_mirror__packages: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__cron_environment [[[
+#
+# YAML dictionary which defines the environment variables (keys) and their
+# values which will be defined in the :command:`cron` runtime environment for
+# the :command:`apt-mirror` cron jobs. See :man:`crontab(5)` for details.
+apt_mirror__cron_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__cron_time [[[
+#
+# The default time specification for :command:`apt-mirror` cron jobs, specified
+# in the :man:`crontab(5)` format. This value can be overridden per-mirror
+# configuration using the ``item.cron_time`` parameter.
+apt_mirror__cron_time: "0 4\t* * *"
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__user [[[
+#
+# The UNIX account of the :command:`apt-mirror` service.
+apt_mirror__user: 'apt-mirror'
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__group [[[
+#
+# The UNIX group of the :command:`apt-mirror` service.
+apt_mirror__group: 'apt-mirror'
+                                                                   # ]]]
+                                                                   # ]]]
+# Web server configuration [[[
+# ----------------------------
+
+# .. envvar:: apt_mirror__fqdn [[[
+#
+# The Fully Qualified Domain Name on which mirrored APT repositories will be
+# published.
+apt_mirror__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__web_root [[[
+#
+# Absolute path to the directory with mirrored APT repositories.
+apt_mirror__web_root: '/var/spool/apt-mirror/mirror'
+                                                                   # ]]]
+                                                                   # ]]]
+# The default :command:`apt-mirror` configuration options [[[
+# -----------------------------------------------------------
+
+# .. envvar:: apt_mirror__default_options [[[
+#
+# List of YAML dictionaries which define default set of :command:`apt-mirror`
+# configuration options. These options can be overridden in specific instances
+# if necessary. See :ref:`apt_mirror__ref_configuration` for more details.
+apt_mirror__default_options:
+
+  - name: 'base_path'
+    value: '/var/spool/apt-mirror'
+    state: 'comment'
+
+  - name: 'mirror_path'
+    value: '$base_path/mirror'
+    state: 'comment'
+
+  - name: 'skel_path'
+    value: '$base_path/skel'
+    state: 'comment'
+
+  - name: 'var_path'
+    value: '$base_path/var'
+    state: 'dynamic'
+
+  - name: 'cleanscript'
+    value: '$var_path/clean.sh'
+    state: 'comment'
+
+  - name: 'defaultarch'
+    value: '<running host architecture>'
+    state: 'comment'
+
+  - name: 'postmirror_script'
+    value: '$var_path/postmirror.sh'
+    state: 'comment'
+
+  - name: 'run_postmirror'
+    value: 0
+    state: 'comment'
+
+  - name: 'nthreads'
+    value: 20
+
+  - name: '_tilde'
+    value: 0
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`apt-mirror` instance configuration [[[
+# ----------------------------------------------------
+
+# The variables below define configuration of :command:`apt-mirror`
+# "instances". See :ref:`apt_mirror__ref_configuration` for more details.
+
+# .. envvar:: apt_mirror__default_configuration [[[
+#
+# The default instance configuration defined by the role.
+apt_mirror__default_configuration:
+
+  - name: 'default'
+    filename: 'mirror.list'
+    sources:
+
+      - name: 'debian-stable'
+        type: 'deb'
+        uri: 'http://deb.debian.org/debian'
+        suite: 'stable'
+        components: [ 'main', 'contrib', 'non-free' ]
+        state: 'comment'
+
+      - name: 'debian-stable-src'
+        raw: 'deb-src http://deb.debian.org/debian stable main contrib non-free'
+        state: 'comment'
+
+      - name: 'clean-debian'
+        comment: 'Generate a clean.sh script for Debian mirror'
+        type: 'clean'
+        uri: 'http://deb.debian.org/debian'
+        weight: 1000
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__configuration [[[
+#
+# The :command:`apt-mirror` instance configuration defined on all hosts in the
+# Ansible inventory.
+apt_mirror__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__group_configuration [[[
+#
+# The :command:`apt-mirror` instance configuration defined on hosts in
+# a specific Ansible inventory group.
+apt_mirror__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__host_configuration [[[
+#
+# The :command:`apt-mirror` instance configuration defined on specific hosts in the
+# Ansible inventory.
+apt_mirror__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: apt_mirror__combined_configuration [[[
+#
+# Variable which combines all instance configuration variables and is used in
+# role tasks and templates.
+apt_mirror__combined_configuration: '{{ apt_mirror__default_configuration
+                                        + apt_mirror__configuration
+                                        + apt_mirror__group_configuration
+                                        + apt_mirror__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: apt_mirror__nginx__servers [[[
+#
+# List of :program:`nginx` server configurations managed by the
+# :ref:`debops.nginx` role.
+apt_mirror__nginx__dependent_servers:
+
+  - by_role: 'debops.apt_mirror'
+    enabled: True
+    ssl: False  # disable port 443
+    filename: 'debops.apt_mirror_http'
+    name: '{{ apt_mirror__fqdn }}'
+    root: '{{ apt_mirror__web_root }}'
+    webroot_create: False
+    location:
+      '/': |
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+    state: 'present'
+
+  - by_role: 'debops.apt_mirror'
+    enabled: True
+    listen: False  # disable port 80
+    filename: 'debops.apt_mirror_https'
+    name: '{{ apt_mirror__fqdn }}'
+    root: '{{ apt_mirror__web_root }}'
+    webroot_create: False
+    location:
+      '/': |
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+    state: '{{ "present" if (ansible_local.pki.enabled | d()) | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/meta/main.yml b/ansible_collections/debops/debops/roles/apt_mirror/meta/main.yml
new file mode 100644
index 00000000..aeea2f07
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage mirrors of multiple APT repositories'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.14.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - apt
+    - mirror
+    - proxy
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_mirror/tasks/main.yml
new file mode 100644
index 00000000..544fcd4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/tasks/main.yml
@@ -0,0 +1,119 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (apt_mirror__base_packages + apt_mirror__packages) | flatten }}'
+    state: 'present'
+  register: apt_mirror__register_install
+  until: apt_mirror__register_install is succeeded
+
+- name: Get list of dpkg-stateoverride paths
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit && dpkg-statoverride --list | awk '{print $4}'
+  args:
+    executable: 'bash'
+  register: apt_mirror__register_statoverride
+  changed_when: False
+  check_mode: False
+
+  # apt-mirror stores passwords included in URLs as plaintext inside of its
+  # spool directory - it cannot be world-readable
+- name: Fix permissions for apt-mirror spool directory
+  ansible.builtin.command: |
+    dpkg-statoverride --update --add {{ apt_mirror__user }} {{ apt_mirror__group }} 0750 /var/spool/apt-mirror/var
+  register: apt_mirror__register_statoverride_set
+  changed_when: apt_mirror__register_statoverride_set.changed | bool
+  when: '"/var/spool/apt-mirror/var" not in apt_mirror__register_statoverride.stdout_lines'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save apt_mirror local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/apt_mirror.fact.j2'
+    dest: '/etc/ansible/facts.d/apt_mirror.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert the original apt-mirror configuration
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+    state: 'present'
+  loop:
+    - '/etc/apt/mirror.list'
+    - '/etc/cron.d/apt-mirror'
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Remove apt-mirror configuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/apt/" + (item.filename | d("mirror." + item.name + ".list")) }}'
+    state: 'absent'
+  loop: '{{ apt_mirror__combined_configuration | flatten
+            | debops.debops.parse_kv_items(merge_keys=["sources"]) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: item.state | d('present') == 'absent'
+
+- name: Generate apt-mirror configuration files
+  ansible.builtin.template:
+    src: 'etc/apt/mirror.list.j2'
+    dest: '{{ "/etc/apt/" + (item.filename | d("mirror." + item.name + ".list")) }}'
+    owner: '{{ apt_mirror__user }}'
+    group: '{{ apt_mirror__group }}'
+    mode: '0640'
+  loop: '{{ apt_mirror__combined_configuration | flatten
+            | debops.debops.parse_kv_items(defaults={"options": (apt_mirror__default_options | debops.debops.parse_kv_config)},
+                                           merge_keys=["sources"]) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: item.state | d('present') not in [ 'absent', 'ignore', 'init' ]
+
+- name: Create data directories for separate mirror instances
+  ansible.builtin.file:
+    path: '{{ "/var/spool/apt-mirror/var/var." + item.name }}'
+    owner: '{{ apt_mirror__user }}'
+    group: '{{ apt_mirror__group }}'
+    mode: '0750'
+    state: 'directory'
+  loop: '{{ apt_mirror__combined_configuration | flatten
+            | debops.debops.parse_kv_items(defaults={"options": (apt_mirror__default_options | debops.debops.parse_kv_config)},
+                                           merge_keys=["sources"]) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: item.state | d('present') not in [ 'absent', 'ignore', 'init' ]
+
+- name: Create postmirror.sh script for separate mirror instances
+  ansible.builtin.file:
+    path: '{{ "/var/spool/apt-mirror/var/var." + item.name + "/postmirror.sh" }}'
+    owner: '{{ apt_mirror__user }}'
+    group: '{{ apt_mirror__group }}'
+    mode: '0755'
+    state: 'touch'
+    modification_time: 'preserve'
+    access_time: 'preserve'
+  loop: '{{ apt_mirror__combined_configuration | flatten
+            | debops.debops.parse_kv_items(defaults={"options": (apt_mirror__default_options | debops.debops.parse_kv_config)},
+                                           merge_keys=["sources"]) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: item.state | d('present') not in [ 'absent', 'ignore', 'init' ]
+
+- name: Generate cron configuration for apt-mirror
+  ansible.builtin.template:
+    src: 'etc/cron.d/apt-mirror.j2'
+    dest: '/etc/cron.d/apt-mirror'
+    mode: '0644'
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/ansible/facts.d/apt_mirror.fact.j2 b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/ansible/facts.d/apt_mirror.fact.j2
new file mode 100644
index 00000000..8701252c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/ansible/facts.d/apt_mirror.fact.j2
@@ -0,0 +1,25 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('apt-mirror')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/apt/mirror.list.j2 b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/apt/mirror.list.j2
new file mode 100644
index 00000000..9a5271dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/apt/mirror.list.j2
@@ -0,0 +1,74 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+############# config ##################
+#
+{% for element in item.options %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('# ' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%     if element.state | d('present') == 'dynamic' %}
+{%       if element.name == 'var_path' %}
+{%         set element_value = '$base_path/var/var.' + item.name %}
+{%       endif %}
+{%     endif %}
+{%     if element.comment | d() %}
+{{       '' }}
+{{       element.comment | regex_replace('$\n', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{{     '{}set {} {}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
+#
+############# end config ##############
+
+{% for element in item.sources %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.raw | d() %}
+{%       set element_value = element.raw %}
+{%     elif element.type | d() and element.uri | d() %}
+{%       set element_entry = [] %}
+{%       set _ = element_entry.append(element.type) %}
+{%       set _ = element_entry.append(element.uri) %}
+{%       if element.suite | d() %}
+{%         set _ = element_entry.append(element.suite) %}
+{%       endif %}
+{%       if element.component | d() %}
+{%         set _ = element_entry.append(element.component) %}
+{%       endif %}
+{%       if element.components | d() %}
+{%         set _ = element_entry.extend(element.components) %}
+{%       endif %}
+{%       set element_value = element_entry | join(' ') %}
+{%     endif %}
+{%     if element.comment | d() %}
+{{       '' }}
+{{       element.comment | regex_replace('$\n', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{{     '{}{}'.format(element_comment, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/cron.d/apt-mirror.j2 b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/cron.d/apt-mirror.j2
new file mode 100644
index 00000000..bb5f699e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_mirror/templates/etc/cron.d/apt-mirror.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+#
+# Regular cron jobs for the apt-mirror package
+#
+
+{% if apt_mirror__cron_environment %}
+{{   '# Environment variables' }}
+{%   for key, value in apt_mirror__cron_environment.items() %}
+{{     '{}={}'.format(key, value) }}
+{%   endfor %}
+
+{% endif %}
+{% for element in apt_mirror__combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     set cron_time = element.cron_time | d(apt_mirror__cron_time) %}
+{%     set cron_user = element.cron_user | d(apt_mirror__user) %}
+{%     set cron_command = element.cron_command | d('/usr/bin/flock /var/spool/apt-mirror/var /usr/bin/apt-mirror /etc/apt/'
+                                                   + (element.filename | d('mirror.' + element.name + '.list'))
+                                                   + ' > /var/spool/apt-mirror/var/cron.' + element.name + '.log') %}
+{{     '{}{}\t{}\t{}'.format(element_comment, cron_time, cron_user, cron_command) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/apt_preferences/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_preferences/COPYRIGHT
new file mode 100644
index 00000000..8742c50d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_preferences/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.apt_preferences - Manage APT preferences using Ansible
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/apt_preferences/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_preferences/defaults/main.yml
new file mode 100644
index 00000000..7c12ec64
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_preferences/defaults/main.yml
@@ -0,0 +1,216 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_preferences__ref_defaults:
+
+# apt_preferences default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT preferences lists [[[
+# -------------------------
+
+# .. envvar:: apt_preferences__list [[[
+#
+# List of :manpage:`apt_preferences(5)` pins to configure in
+# :file:`/etc/apt/preferences.d/`.  These pins will be configured on all hosts
+# in the cluster, if set in :file:`inventory/group_vars/debops_all_hosts/`. See
+# :ref:`apt_preferences__list` for more details.
+apt_preferences__list: []
+
+                                                                   # ]]]
+# .. envvar:: apt_preferences__group_list [[[
+#
+# List of :manpage:`apt_preferences(5)` pins to configure in
+# :file:`/etc/apt/preferences.d/`.  These pins will be configured on hosts in a
+# specified group, if set in :file:`inventory/group_vars/group_name/`. Only one
+# group "level" is supported.
+apt_preferences__group_list: []
+
+                                                                   # ]]]
+# .. envvar:: apt_preferences__host_list [[[
+#
+# List of :manpage:`apt_preferences(5)` pins to configure in
+# :file:`/etc/apt/preferences.d/`.  These pins will be configured on specific
+# hosts, if set in :file:`inventory/host_vars/host_name/`.
+apt_preferences__host_list: []
+
+                                                                   # ]]]
+# .. envvar:: apt_preferences__dependent_list [[[
+#
+# List of :manpage:`apt_preferences(5)` pins to configure in
+# :file:`/etc/apt/preferences.d/`.  This variable is meant to be used from a
+# role dependency in :file:`role/meta/main.yml` or in a playbook.
+apt_preferences__dependent_list: []
+                                                                   # ]]]
+                                                                   # ]]]
+# APT preference presets [[[
+# --------------------------
+
+# This section contains presets of APT preferences intended for advanced users
+# who want to install software from different releases but want to keep there
+# main system on the stable release.
+#
+# When enabling these presets, you will need to set explicit preferences for
+# packages you want to install from different releases.
+# Examples for such explicit preferences can be found in the
+# `defaults file of the ypid.packages`_ (search for "Package origin presets for
+# Debian GNU/Linux").
+#
+# .. Debian backports have a priority of 100 by default so you will automatically
+#    not upgrade to packages from them.
+#
+
+# .. envvar:: apt_preferences__debian_stable_default_preset_list [[[
+#
+# Preset for the stable release of Debian GNU/Linux.
+#
+# Configuring this in APT is needed because releases (stable, testing,
+# unstable) have by default the same priority 500 so when including different
+# releases, APT would just select the newest version (usually unstable). To
+# avoid this, APT preferences are used to change the preferences to prefer
+# stable over testing over unstable.
+apt_preferences__debian_stable_default_preset_list:
+  - package: '*'
+    by_role: 'debops.apt_preferences'
+    suffix: '_Debian'
+    raw: |
+      Explanation: Configure the installed release explicitly to slightly higher than the default priority of 500 so that release packages are preferred over third party repos.
+      Package: *
+      Pin: release o=Debian,n={{ ansible_distribution_release }}
+      Pin-Priority: 550
+
+      Explanation: Configure the security updates explicitly to slightly higher than the default priority of 500 so that security updates are not missing
+      Package: *
+      Pin: release o=Debian,n={{ ansible_distribution_release }}-security
+      Pin-Priority: 550
+
+      Explanation: Configure the stable-updates explicitly to slightly higher than the default priority of 500 so that stable-updates are not missing
+      Package: *
+      Pin: release o=Debian,n={{ ansible_distribution_release }}-updates
+      Pin-Priority: 550
+
+      Explanation: Configure the installed release explicitly to slightly higher than the default priority of 500 so that release packages are preferred over third party repos.
+      Package: *
+      Pin: release o=Qubes Debian,n={{ ansible_distribution_release }}
+      Pin-Priority: 550
+
+      Explanation: The default priority of packages from backports is 100 which is even lower then testing and unstable (500).
+      Explanation: Prefer backports over testing and unstable but don’t automatically upgrade to them.
+      Package: *
+      Pin: release o=Debian Backports,n={{ ansible_distribution_release }}-backports
+      Pin-Priority: 400
+
+      Explanation: Pin NeuroDebian with priority 80 which is lower then the official Debian backports (100).
+      Explanation: This also works with this pinning configuration where Debian backports is
+      Explanation: set to 400 and Debian testing is decreased to 50.
+      Explanation: It is done here additionally to the neurodebian role to allow soft migration to extrepo.
+      Package: *
+      Pin: release o=NeuroDebian
+      Pin-Priority: 80
+
+      Explanation: In case ansible_distribution_release is not (anymore) the current stable release don’t automatically upgrade to it.
+      Package: *
+      Pin: release o=Debian,a=stable
+      Pin-Priority: 60
+
+      Explanation: Install packages from testing if no package with the same name is available in release archives or backports or other archives.
+      Package: *
+      Pin: release o=Debian,a=testing
+      Pin-Priority: 50
+
+      Explanation: Only install packages from unstable if explicitly asked for or the package is pinned.
+      Package: *
+      Pin: release o=Debian,a=unstable
+      Pin-Priority: -1
+
+      Explanation: Only install packages from experimental if explicitly asked for or the package is pinned.
+      Package: *
+      Pin: release o=Debian,a=experimental
+      Pin-Priority: -1
+
+# ]]]
+# .. envvar:: apt_preferences__preset_list [[[
+#
+# Appropriate preset for your distribution, when one is available.
+# To use it, add the following:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_preferences__list:
+#      - '{{ apt_preferences__preset_list | list }}'
+#
+# to your inventory.
+#
+apt_preferences__preset_list: '{{
+    ((apt_preferences__debian_stable_default_preset_list | list) if (ansible_distribution == "Debian") else [])
+  }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Role pin defaults [[[
+# ---------------------
+
+# .. envvar:: apt_preferences__priority_default [[[
+#
+# Default pin priority used, if custom priority is not specified in a pin
+# definition.
+apt_preferences__priority_default: 500
+
+                                                                   # ]]]
+# .. envvar:: apt_preferences__priority_version [[[
+#
+# Default pin priority used if custom priority is not specified in a versioned
+# pin definition.
+apt_preferences__priority_version: 1001
+                                                                   # ]]]
+                                                                   # ]]]
+# Role internals [[[
+# ------------------
+
+# .. envvar:: apt_preferences__next_release [[[
+#
+# Dictionary of future releases of current stable distributions. This is used to
+# check if the role can create autogenerated pins with preference for backported
+# packages from the ``<release>-backports`` repository.
+#
+# .. Redundant in the following places, please update all copies:
+#
+#    * ansible/roles/debops.apt/defaults/main.yml
+#    * ansible/roles/debops.apt_preferences/defaults/main.yml
+#    * ansible/roles/debops.reprepro/defaults/main.yml
+#    * ansible/playbooks/tools/dist-upgrade.yml
+#
+apt_preferences__next_release:
+
+  # Debian releases
+  'stretch':  'buster'
+  'buster':   'bullseye'
+  'bullseye': 'bookworm'
+  'bookworm': 'trixie'
+  'trixie':   'forky'
+
+  # Ubuntu releases
+  'trusty':   'utopic'
+  'utopic':   'vivid'
+  'vivid':    'wily'
+  'wily':     'xenial'
+  'xenial':   'yakkety'
+
+                                                                   # ]]]
+# .. Documentation, external links [[[
+
+# .. _`defaults file of the ypid.packages`: https://github.com/ypid/ansible-packages/blob/master/defaults/main.yml
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_preferences/meta/main.yml b/ansible_collections/debops/debops/roles/apt_preferences/meta/main.yml
new file mode 100644
index 00000000..fe87baec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_preferences/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+allow_duplicates: True
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage APT pins in /etc/apt/preferences.d/'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - apt
diff --git a/ansible_collections/debops/debops/roles/apt_preferences/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_preferences/tasks/main.yml
new file mode 100644
index 00000000..5d8e0a8d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_preferences/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Remove legacy APT preferences
+  ansible.builtin.file:
+    dest: '/etc/apt/preferences.d/{{ item.filename | d((item.role | d(item.by_role | d("pin")))
+                                                       + "_" + ((item.package.split(" ")[0]
+                                                                 if item.package is string
+                                                                 else item.package[0])
+                                                                if item.package | d()
+                                                                else (item.packages.split(" ")[0]
+                                                                      if item.packages is string
+                                                                      else item.packages[0]))
+                                                       + (item.suffix | d("")) + ".pref") | replace("*", "all") }}'
+    state: 'absent'
+  loop: '{{ q("flattened", apt_preferences_list | d([])
+                           + apt_preferences_group_list | d([])
+                           + apt_preferences_host_list | d([])
+                           + apt_preferences_dependent_list | d([])
+                           + apt_preferences__list
+                           + apt_preferences__group_list
+                           + apt_preferences__host_list
+                           + apt_preferences__dependent_list) }}'
+  when: ("." in item.role | d(item.by_role | d("")))
+
+- name: Remove APT preferences
+  ansible.builtin.file:
+    dest: '/etc/apt/preferences.d/{{ item.filename | d((item.role | d(item.by_role | d("pin"))) | replace(".", "_")
+                                     + "_" + ((item.package.split(" ")[0]
+                                               if item.package is string
+                                               else item.package[0])
+                                              if item.package | d()
+                                              else (item.packages.split(" ")[0]
+                                                    if item.packages is string
+                                                    else item.packages[0]))
+                                     + (item.suffix | d("")) + ".pref") | replace("*", "all") }}'
+    state: 'absent'
+  loop: '{{ q("flattened", apt_preferences_list | d([])
+                           + apt_preferences_group_list | d([])
+                           + apt_preferences_host_list | d([])
+                           + apt_preferences_dependent_list | d([])
+                           + apt_preferences__list
+                           + apt_preferences__group_list
+                           + apt_preferences__host_list
+                           + apt_preferences__dependent_list) }}'
+  when: ((((item.state | d() and item.state == 'absent') or item.delete | d() | bool) and
+          (item.package | d() or item.packages | d()) and
+          (item.version is undefined or (item.version is defined and not item.version))) or
+         (item.raw is undefined and
+          item.pin is undefined and
+          (item.backports is undefined or
+           (item.backports is iterable and item.backports and
+            ansible_distribution_release not in item.backports)) and
+           ansible_distribution_release not in apt_preferences__next_release.keys()))
+
+- name: Create APT preferences
+  ansible.builtin.template:
+    src: 'etc/apt/preferences.d/pin.pref.j2'
+    dest: '/etc/apt/preferences.d/{{ item.filename | d((item.role | d(item.by_role | d("pin"))) | replace(".", "_")
+                                     + "_" + ((item.package.split(" ")[0]
+                                               if item.package is string
+                                               else item.package[0])
+                                              if item.package | d()
+                                              else (item.packages.split(" ")[0]
+                                                    if item.packages is string
+                                                    else item.packages[0]))
+                                     + (item.suffix | d("")) + ".pref") | replace("*", "all") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", apt_preferences_list | d([])
+                           + apt_preferences_group_list | d([])
+                           + apt_preferences_host_list | d([])
+                           + apt_preferences_dependent_list | d([])
+                           + apt_preferences__list
+                           + apt_preferences__group_list
+                           + apt_preferences__host_list
+                           + apt_preferences__dependent_list) }}'
+  when: ((((item.state | d('present')) != 'absent' and (not (item.delete | d() | bool))) and
+          (item.package | d() or item.packages | d())) and
+         (item.raw | d() or
+          item.version | d() or
+          (item.pin is undefined and
+           (item.backports is undefined or
+            (item.backports is iterable and item.backports and
+             ansible_distribution_release in item.backports)) and
+            ansible_distribution_release in apt_preferences__next_release.keys()) or
+           item.pin | d()))
diff --git a/ansible_collections/debops/debops/roles/apt_preferences/templates/etc/apt/preferences.d/pin.pref.j2 b/ansible_collections/debops/debops/roles/apt_preferences/templates/etc/apt/preferences.d/pin.pref.j2
new file mode 100644
index 00000000..6158fa0e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_preferences/templates/etc/apt/preferences.d/pin.pref.j2
@@ -0,0 +1,37 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.raw is undefined %}
+{%   if item.role | d( item.by_role | d() ) %}
+Explanation: Pin added by role: {{ item.role | d(item.by_role) }}
+{%   endif %}
+Explanation: {{ (item.reason | d('Reason not specified')).split('\n') | join('\nExplanation: ') }}
+{%   if item.package | d() %}
+{%     if item.package is string %}
+Package: {{ item.package }}
+{%     else %}
+Package: {{ item.package | join(" ") }}
+{%     endif %}
+{%   elif item.packages | d() %}
+{%     if item.packages is string %}
+Package: {{ item.packages }}
+{%     else %}
+Package: {{ item.packages | join(" ") }}
+{%     endif %}
+{%   endif %}
+{%   if item.when | d(True) | bool %}
+{%     if item.version | d() %}
+Pin: version {{ item.version + '*' }}
+Pin-Priority: {{ item.priority | d(apt_preferences__priority_version) }}
+{%     else %}
+Pin: {{ item.pin | d('release a=' + ansible_distribution_release + '-backports') }}
+Pin-Priority: {{ item.priority | d(apt_preferences__priority_default) }}
+{%     endif %}
+{%   else %}
+Explanation: Pin disabled by item.when condition
+{%   endif %}
+{% elif item.raw | d() %}
+{{ item.raw }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/COPYRIGHT b/ansible_collections/debops/debops/roles/apt_proxy/COPYRIGHT
new file mode 100644
index 00000000..3eb14068
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/COPYRIGHT
@@ -0,0 +1,18 @@
+debops.apt_proxy - Manage HTTP/HTTPS/FTP proxy for APT with Ansible
+
+Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/defaults/main.yml b/ansible_collections/debops/debops/roles/apt_proxy/defaults/main.yml
new file mode 100644
index 00000000..c8250250
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/defaults/main.yml
@@ -0,0 +1,194 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _apt_proxy__ref_defaults:
+
+# debops.apt_proxy default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Required packages [[[
+# ---------------------
+
+# .. envvar:: apt_proxy__base_packages [[[
+#
+# List of base packages to install.
+apt_proxy__base_packages:
+  - '{{ ["python3-apt"]
+        if (apt_proxy__temporally_avoid_unreachable | bool)
+        else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Main configuration [[[
+# ----------------------
+
+# .. envvar:: apt_proxy__deploy_state [[[
+#
+# Specify if an APT proxy configuration should be present or absent. It will be
+# automatically enabled if :envvar:`apt_proxy__http_url`, :envvar:`apt_proxy__https_url` or
+# :envvar:`apt_proxy__ftp_url` are set in the host environment. See
+# :ref:`debops.environment` role for more details.
+apt_proxy__deploy_state: '{{ "present"
+                             if (apt_proxy__http_url or
+                                 apt_proxy__https_url or
+                                 apt_proxy__ftp_url)
+                             else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__filename [[[
+#
+# Name of the configuration file used by the role in :file:`/etc/apt/apt.conf.d/`.
+# You shouldn't change this name when ``debops.apt_proxy`` is enabled.
+apt_proxy__filename: '00apt_proxy'
+                                                                   # ]]]
+                                                                   # ]]]
+# HTTP proxy configuration [[[
+# ----------------------------
+
+# .. envvar:: apt_proxy__http_url [[[
+#
+# The URL of the HTTP proxy used by APT. If empty, HTTP proxy won't be enabled.
+apt_proxy__http_url: '{{ ansible_env.http_proxy | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__http_direct [[[
+#
+# List of hostnames to which APT should connect directly instead of through
+# HTTP proxy.
+apt_proxy__http_direct: []
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__http_options [[[
+#
+# A YAML dictionary with key/value parameters for the HTTP proxy. Each key is
+# the name of the ``Acquire::HTTP::*`` APT configuration option, and value is
+# it's value. The keys containing ``::`` sequences need to be quoted.
+# See :manpage:`apt.conf(5)` for more information. Example:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_proxy__http_options:
+#      User-Agent: 'Debian APT-HTTP/1.3'
+#
+apt_proxy__http_options: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# HTTPS proxy configuration [[[
+# -----------------------------
+
+# .. envvar:: apt_proxy__https_url [[[
+#
+# The URL of the HTTPS proxy used by APT. If empty, HTTPS proxy won't be
+# enabled.
+apt_proxy__https_url: '{{ ansible_env.https_proxy | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__https_direct [[[
+#
+# List of hostnames to which APT should connect directly instead of through
+# HTTPS proxy.
+apt_proxy__https_direct: []
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__https_options [[[
+#
+# A YAML dictionary with key/value parameters for the HTTPS proxy. Each key is
+# the name of the ``Acquire::HTTPS::*`` APT configuration option, and value is
+# it's value. The keys containing ``::`` sequences need to be quoted.
+# See :manpage:`apt.conf(5)` for more information. Example:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_proxy__https_options:
+#      User-Agent: 'Debian APT-HTTP/1.3'
+#
+apt_proxy__https_options: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# FTP proxy configuration [[[
+# ---------------------------
+
+# .. envvar:: apt_proxy__ftp_url [[[
+#
+# The URL of the FTP proxy used by APT. If empty, FTP proxy won't be
+# enabled.
+apt_proxy__ftp_url: '{{ ansible_env.ftp_proxy | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__ftp_direct [[[
+#
+# List of hostnames to which APT should connect directly instead of through
+# FTP proxy.
+apt_proxy__ftp_direct: []
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__ftp_login [[[
+#
+# List of commands sent to the FTP proxy to login to it and specify what host
+# to connect to. See :manpage:`apt.conf(5)` for more details.
+apt_proxy__ftp_login:
+  - 'USER $(PROXY_USER)'
+  - 'PASS $(PROXY_PASS)'
+  - 'USER $(SITE_USER)@$(SITE):$(SITE_PORT)'
+  - 'PASS $(SITE_PASS)'
+
+                                                                   # ]]]
+# .. envvar:: apt_proxy__ftp_options [[[
+#
+# A YAML dictionary with key/value parameters for the FTP proxy. Each key is
+# the name of the ``Acquire::FTP::*`` APT configuration option, and value is
+# it's value. The keys containing ``::`` sequences need to be quoted.
+# See :manpage:`apt.conf(5)` for more information. Example:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    apt_proxy__ftp_options:
+#      'Proxy::Passive": 'true'
+#
+apt_proxy__ftp_options: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Proxy online detection [[[
+# --------------------------
+
+# By default (Debian, DebOps), APT will fail when the configured proxy can not
+# be reached.
+#
+# DebOps provides a script which hooks into APT using a
+# ``Acquire::HTTP::Proxy-Auto-Detect`` script which checks if the proxy is
+# currently reachable.
+# With this, APT will fall back to "DIRECT" (no proxy) if the proxy
+# is (temporally) not reachable.
+
+# .. envvar:: apt_proxy__temporally_avoid_unreachable [[[
+#
+# Configures the behaviour if the proxy is not reachable.
+# ``True`` will cause APT to silently ignore offline proxies.
+# ``False`` will cause APT to return with an error if the proxy is offline.
+# This is currently only supported for HTTPS and HTTP proxies.
+apt_proxy__temporally_avoid_unreachable: False
+                                                                   # ]]]
+
+# .. envvar:: apt_proxy__proxy_auto_detect [[[
+#
+# Value to set as ``Acquire::HTTP::Proxy-Auto-Detect``. Set to ``{{ omit }}`` to
+# avoid setting it.
+apt_proxy__proxy_auto_detect: '{{ "/usr/local/lib/get-reachable-apt-proxy"
+                                  if (apt_proxy__temporally_avoid_unreachable | bool)
+                                  else omit }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/files/usr/local/lib/get-reachable-apt-proxy b/ansible_collections/debops/debops/roles/apt_proxy/files/usr/local/lib/get-reachable-apt-proxy
new file mode 100755
index 00000000..5956e50d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/files/usr/local/lib/get-reachable-apt-proxy
@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2017-2018 Robin Schneider <ypid@riseup.net>
+# SPDX-License-Identifier: GPL-3.0-only
+
+"""
+Check if the proxy specified as Acquire::HTTP::Proxy or Acquire::HTTPS::Proxy
+are currently reachable before promoting them to be used by the currently
+running apt process. Without this script, apt will fail when the proxy can not
+be reached.  With this script, apt silently falls back to "DIRECT" (no proxy)
+if the proxy is (temporally) not reachable.
+
+To use this script, set:
+
+    Acquire::HTTP::Proxy-Auto-Detect "/usr/local/lib/get-reachable-apt-proxy";
+
+in your APT configuration.
+"""
+
+from __future__ import (print_function, unicode_literals,
+                        absolute_import, division)
+
+import argparse
+import logging
+
+#  from future.standard_library import install_aliases
+#  install_aliases()
+
+from urllib.parse import urlparse
+from urllib.request import urlopen
+from urllib.error import URLError, HTTPError
+
+import apt_pkg
+
+__version__ = '0.1.1'
+
+LOG = logging.getLogger(__name__)
+
+
+def get_first_up_proxy(target_uri_raw):
+    LOG.debug("Trying to find proxy for URI: {}".format(target_uri_raw))
+
+    target_uri = urlparse(target_uri_raw)
+
+    apt_config_key = "Acquire::{}::Proxy".format(
+        target_uri.scheme.upper()
+    )
+
+    if apt_pkg.config.exists(apt_config_key):
+        proxy_uris = apt_pkg.config.get(apt_config_key)
+        for proxy_uri_raw in proxy_uris.split(' '):
+
+            if proxy_uri_raw.upper() in ['DIRECT']:
+                LOG.debug("Skipping special proxy keyword: {}".format(
+                    proxy_uri_raw))
+                continue
+            else:
+                LOG.debug("Checking possible proxy URI: {}".format(
+                    proxy_uri_raw))
+
+            proxy_uri = urlparse(proxy_uri_raw)
+
+            if proxy_uri.scheme in ['https', 'http']:
+                try:
+                    urlopen(proxy_uri_raw, timeout=1)
+                except HTTPError as err:
+                    LOG.debug("Proxy responded with: {}".format(err))
+                    pass
+                except URLError as err:
+                    LOG.debug("Proxy not suitable: {}".format(err))
+                    continue
+
+                LOG.info("Selected suitable proxy: {}".format(
+                    proxy_uri_raw))
+                return proxy_uri_raw
+            else:
+                raise NotImplementedError(
+                    "URI scheme {} is not yet implemented.".format())
+
+    return 'DIRECT'
+
+
+def get_args_parser():
+    args_parser = argparse.ArgumentParser(
+        prog='get-reachable-apt-proxy',
+        epilog=__doc__,
+    )
+    args_parser.add_argument(
+        '-V', '--version',
+        action='version',
+        version=__version__,
+    )
+    args_parser.add_argument(
+        '-d', '--debug',
+        help="Write debugging and higher to STDOUT|STDERR.",
+        action="store_const",
+        dest="loglevel",
+        const=logging.DEBUG,
+    )
+    args_parser.add_argument(
+        '-v', '--verbose',
+        help="Write information and higher to STDOUT|STDERR.",
+        action="store_const",
+        dest="loglevel",
+        const=logging.INFO,
+    )
+    args_parser.add_argument(
+        'uri',
+    )
+
+    return args_parser
+
+
+def main():
+    args_parser = get_args_parser()
+    args_parser.set_defaults(loglevel=logging.WARN)
+    args = args_parser.parse_args()
+
+    logging.basicConfig(
+        format='%(levelname)s{}, %(asctime)s: %(message)s'.format(
+            ' (%(filename)s:%(lineno)s)'
+            if args.loglevel <= logging.DEBUG else '',
+        ),
+        level=args.loglevel,
+    )
+
+    apt_pkg.init_config()
+    print(get_first_up_proxy(args.uri))
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/meta/main.yml b/ansible_collections/debops/debops/roles/apt_proxy/meta/main.yml
new file mode 100644
index 00000000..96abcacf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage APT proxy configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: GenericLinux
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+
+  galaxy_tags:
+  - apt
+  - proxy
+  - squid
+  - cache
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/tasks/main.yml b/ansible_collections/debops/debops/roles/apt_proxy/tasks/main.yml
new file mode 100644
index 00000000..1c59e463
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install requested system packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", apt_proxy__base_packages) }}'
+    state: 'present'
+  when: apt_proxy__deploy_state == 'present' and apt_proxy__temporally_avoid_unreachable | bool
+  register: apt_proxy__register_packages
+  until: apt_proxy__register_packages is succeeded
+
+- name: Copy get-reachable-apt-proxy to remote host
+  ansible.builtin.copy:
+    dest:     '{{ apt_proxy__proxy_auto_detect }}'
+    src:      'usr/local/lib/get-reachable-apt-proxy'
+    owner:    'root'
+    group:    'root'
+    mode:     '0755'
+  when: apt_proxy__deploy_state == 'present' and apt_proxy__temporally_avoid_unreachable | bool
+
+- name: Remove APT proxy configuration
+  ansible.builtin.file:
+    path: '/etc/apt/apt.conf.d/{{ apt_proxy__filename }}'
+    state: 'absent'
+  when: apt_proxy__deploy_state == 'absent'
+
+- name: Generate APT proxy configuration
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/apt_proxy.conf.j2'
+    dest: '/etc/apt/apt.conf.d/{{ apt_proxy__filename }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: apt_proxy__deploy_state == 'present'
diff --git a/ansible_collections/debops/debops/roles/apt_proxy/templates/etc/apt/apt.conf.d/apt_proxy.conf.j2 b/ansible_collections/debops/debops/roles/apt_proxy/templates/etc/apt/apt.conf.d/apt_proxy.conf.j2
new file mode 100644
index 00000000..eb742c6c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/apt_proxy/templates/etc/apt/apt.conf.d/apt_proxy.conf.j2
@@ -0,0 +1,69 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+
+{% if apt_proxy__http_url %}
+Acquire::HTTP {
+{%   if apt_proxy__proxy_auto_detect != omit %}
+  Proxy-Auto-Detect "{{ apt_proxy__proxy_auto_detect }}";
+{%   endif %}
+  Proxy "{{ apt_proxy__http_url }}";
+{%   if apt_proxy__http_direct %}
+{%     for host in apt_proxy__http_direct %}
+  Proxy::{{ host }} "DIRECT";
+{%     endfor %}
+{%   endif %}
+{%   if apt_proxy__http_options %}
+{%     for key, value in apt_proxy__http_options | dictsort %}
+{{ ('%s "%s";' | format(key, value)) | indent(2, true) }}
+{%     endfor %}
+{%   endif %}
+};
+{% elif apt_proxy__proxy_auto_detect != omit %}
+Acquire::HTTP::Proxy-Auto-Detect "{{ apt_proxy__proxy_auto_detect }}";
+{% endif %}
+{% if apt_proxy__https_url %}
+Acquire::HTTPS {
+{%   if apt_proxy__proxy_auto_detect != omit %}
+  Proxy-Auto-Detect "{{ apt_proxy__proxy_auto_detect }}";
+{%   endif %}
+  Proxy "{{ apt_proxy__https_url }}";
+{%   if apt_proxy__https_direct %}
+{%     for host in apt_proxy__https_direct %}
+  Proxy::{{ host }} "DIRECT";
+{%     endfor %}
+{%   endif %}
+{%   if apt_proxy__https_options %}
+{%     for key, value in apt_proxy__https_options | dictsort %}
+{{ ('%s "%s";' | format(key, value)) | indent(2, true) }}
+{%     endfor %}
+{%   endif %}
+};
+{% elif apt_proxy__proxy_auto_detect != omit %}
+Acquire::HTTPS::Proxy-Auto-Detect "{{ apt_proxy__proxy_auto_detect }}";
+{% endif %}
+{% if apt_proxy__ftp_url %}
+Acquire::FTP {
+  Proxy "{{ apt_proxy__ftp_url }}";
+{%   if apt_proxy__ftp_direct %}
+{%     for host in apt_proxy__ftp_direct %}
+  Proxy::{{ host }} "DIRECT";
+{%     endfor %}
+{%   endif %}
+{%   if apt_proxy__ftp_login %}
+  ProxyLogin {
+{%     for line in apt_proxy__ftp_login %}
+{{ ('"%s";' | format(line)) | indent(4, true) }}
+{%     endfor %}
+  };
+{%   endif %}
+{%   if apt_proxy__ftp_options %}
+{%     for key, value in apt_proxy__ftp_options | dictsort %}
+{{ ('%s "%s";' | format(key, value)) | indent(2, true) }}
+{%     endfor %}
+{%   endif %}
+};
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/atd/COPYRIGHT b/ansible_collections/debops/debops/roles/atd/COPYRIGHT
new file mode 100644
index 00000000..b9feb70e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.atd - Manage at and batch commands using Ansible
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/atd/defaults/main.yml b/ansible_collections/debops/debops/roles/atd/defaults/main.yml
new file mode 100644
index 00000000..d0a609a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/defaults/main.yml
@@ -0,0 +1,142 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _atd__ref_defaults:
+
+# debops.atd default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Job scheduler configuration [[[
+# -------------------------------
+
+# .. envvar:: atd_enabled [[[
+#
+# Enable or disable support for :command:`at` and :command:`batch` commands. Setting this
+# variable to ``False`` will uninstall the ``at`` package.
+atd_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: atd_default_allow [[[
+#
+# List of default UNIX user accounts which are allowed to use :command:`at` and
+# :command:`batch` commands. If this list is empty and ``atd_allow`` is also empty, any
+# account is allowed to use these commands.
+atd_default_allow: [ '{{ (ansible_user
+                          if (ansible_user | d() and
+                              ansible_user != "root")
+                          else lookup("env", "USER")) }}' ]
+
+                                                                   # ]]]
+# .. envvar:: atd_allow [[[
+#
+# List of UNIX user accounts which are allowed to use :command:`at` and :command:`batch`. If
+# this list is empty any user can use them as long as the :file:`/etc/at.deny` file is
+# present, otherwise only the superuser is granted access. This list is meant to be
+# used for user accounts on all hosts in the cluster.
+atd_allow: []
+
+                                                                   # ]]]
+# .. envvar:: atd_group_allow [[[
+#
+# List of UNIX user accounts which are allowed to use :command:`at` and :command:`batch`. If
+# this list is empty any user can use them as long as the :file:`/etc/at.deny` file is
+# present, otherwise only the superuser is granted access. This list is meant to be
+# used for user accounts on a group of hosts in the cluster, only one group is
+# supported at a time.
+atd_group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: atd_host_allow [[[
+#
+# List of UNIX user accounts which are allowed to use :command:`at` and :command:`batch`. If
+# this list is empty any user can use them as long as the :file:`/etc/at.deny` file is
+# present, otherwise only the superuser is granted access. This list is meant to be
+# used for user accounts on specific hosts.
+atd_host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: atd_default_deny [[[
+#
+# List of default UNIX user accounts which are denied access to :command:`at` and
+# :command:`batch` commands.
+atd_default_deny: []
+
+                                                                   # ]]]
+# .. envvar:: atd_deny [[[
+#
+# List of UNIX user accounts which are denied access to :command:`at` and :command:`batch`
+# commands.
+atd_deny: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Batch job scheduler configuration [[[
+# -------------------------------------
+
+# .. envvar:: atd_batch_base [[[
+#
+# Base number of CPU threads that will be used to calculate minimum load
+# average which prevents job execution.
+atd_batch_base: '{{ ansible_processor_vcpus }}'
+
+                                                                   # ]]]
+# .. envvar:: atd_multiplier_min [[[
+#
+# Minimum percentage of CPU load average boundary.
+atd_multiplier_min: '80'
+
+                                                                   # ]]]
+# .. envvar:: atd_multiplier_max [[[
+#
+# Maximum percentage of CPU load average boundary.
+atd_multiplier_max: '100'
+
+                                                                   # ]]]
+# .. envvar:: atd_batch_multiplier [[[
+#
+# This variable will be multiplied the by number of CPUs available on a host to
+# modify the final CPU load average which prevents batch job execution.
+atd_batch_multiplier: '{{ ((atd_multiplier_max | int |
+                            random(atd_multiplier_min | int)) / 100) }}'
+
+                                                                   # ]]]
+# .. envvar:: atd_batch_load [[[
+#
+# CPU load average which will prevent batch job execution and will hold the
+# batch queue.
+atd_batch_load: '{{ (ansible_local.atd.batch_load
+                     if (ansible_local.atd.batch_load | d())
+                     else ((atd_batch_base | float) *
+                           (atd_batch_multiplier | float))) }}'
+
+                                                                   # ]]]
+# .. envvar:: atd_interval_min [[[
+#
+# Minimum time between batch job execution in seconds.
+atd_interval_min: '30'
+
+                                                                   # ]]]
+# .. envvar:: atd_interval_max [[[
+#
+# Maximum time between batch job execution in seconds.
+atd_interval_max: '120'
+
+                                                                   # ]]]
+# .. envvar:: atd_batch_interval [[[
+#
+# Time in seconds between batch job execution.
+atd_batch_interval: '{{ (ansible_local.atd.batch_interval
+                         if (ansible_local.atd.batch_interval | d())
+                         else (atd_interval_max | int |
+                               random(atd_interval_min | int))) }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/atd/meta/main.yml b/ansible_collections/debops/debops/roles/atd/meta/main.yml
new file mode 100644
index 00000000..1a3e0c3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure atd service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - at
+    - batch
+    - jobqueue
+    - jobs
diff --git a/ansible_collections/debops/debops/roles/atd/tasks/main.yml b/ansible_collections/debops/debops/roles/atd/tasks/main.yml
new file mode 100644
index 00000000..df376197
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install atd
+  ansible.builtin.apt:
+    name: 'at'
+    state: '{{ "present" if atd_enabled | bool else "absent" }}'
+    purge: True
+    install_recommends: False
+  register: atd__register_packages
+  until: atd__register_packages is succeeded
+
+- name: Generate consistent atd variables
+  ansible.builtin.set_fact:
+    atd_fact_batch_interval: '{{ atd_batch_interval }}'
+    atd_fact_batch_load: '{{ atd_batch_load }}'
+  when: atd_enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Configure atd and batch
+  ansible.builtin.template:
+    src: 'etc/default/atd.j2'
+    dest: '/etc/default/atd'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart atd' ]
+  when: atd_enabled | bool
+
+- name: Install custom atd.service unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/atd.service.j2'
+    dest: '/etc/systemd/system/atd.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: atd_enabled | bool
+  notify: [ 'Reload systemd units', 'Restart atd' ]
+
+- name: Configure /etc/at.allow
+  ansible.builtin.lineinfile:
+    dest: '/etc/at.allow'
+    regexp: '^{{ item }}$'
+    line: '{{ item }}'
+    state: 'present'
+    create: True
+    owner: 'root'
+    group: 'daemon'
+    mode: '0640'
+  loop: '{{ q("flattened", atd_default_allow
+                           + atd_allow
+                           + atd_group_allow
+                           + atd_host_allow) }}'
+  when: (atd_enabled | bool and
+         (atd_default_allow | d() or atd_allow | d() or
+          atd_group_allow | d() or atd_host_allow | d()) and
+          item | d())
+  tags: [ 'role::atd:users' ]
+
+- name: Remove /etc/at.allow if list is empty
+  ansible.builtin.file:
+    path: '/etc/at.allow'
+    state: 'absent'
+  when: (atd_enabled | bool and
+         (not atd_default_allow | d() and not atd_allow | d() and
+          not atd_group_allow | d() and not atd_host_allow | d()))
+  tags: [ 'role::atd:users' ]
+
+- name: Configure /etc/at.deny
+  ansible.builtin.lineinfile:
+    dest: '/etc/at.deny'
+    regexp: '^{{ item }}$'
+    line: '{{ item }}'
+    state: 'present'
+    create: True
+    owner: 'root'
+    group: 'daemon'
+    mode: '0640'
+  loop: '{{ q("flattened", atd_default_deny
+                           + atd_deny) }}'
+  when: (atd_enabled | bool and
+         (atd_default_deny | d() or atd_deny | d()) and
+          item | d())
+  tags: [ 'role::atd:users' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save atd facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/atd.fact.j2'
+    dest: '/etc/ansible/facts.d/atd.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather Ansible facts if needed
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/atd/templates/etc/ansible/facts.d/atd.fact.j2 b/ansible_collections/debops/debops/roles/atd/templates/etc/ansible/facts.d/atd.fact.j2
new file mode 100644
index 00000000..8207f6c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/templates/etc/ansible/facts.d/atd.fact.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{
+"batch_interval": "{{ ansible_local.atd.batch_interval | d(atd_fact_batch_interval | d('')) }}",
+"batch_load": "{{ ansible_local.atd.batch_load | d(atd_fact_batch_load | d('')) }}",
+"enabled": "{{ atd_enabled | bool | lower }}"
+}
diff --git a/ansible_collections/debops/debops/roles/atd/templates/etc/default/atd.j2 b/ansible_collections/debops/debops/roles/atd/templates/etc/default/atd.j2
new file mode 100644
index 00000000..8ee4de87
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/templates/etc/default/atd.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration of atd and batch
+
+# Average CPU load above which batch jobs are kept on hold
+BATCH_LOAD={{ atd_fact_batch_load }}
+
+# Minimum interval in seconds between start of two batch jobs
+BATCH_INTERVAL={{ atd_fact_batch_interval }}
+
+# Options passed to atd
+EXTRA_OPTS="-l ${BATCH_LOAD} -b ${BATCH_INTERVAL}"
diff --git a/ansible_collections/debops/debops/roles/atd/templates/etc/systemd/system/atd.service.j2 b/ansible_collections/debops/debops/roles/atd/templates/etc/systemd/system/atd.service.j2
new file mode 100644
index 00000000..d12c8467
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/atd/templates/etc/systemd/system/atd.service.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2013 Ansgar Burchardt <ansgar@debian.org>
+ # Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-2.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Deferred execution scheduler
+Documentation=man:atd(8)
+
+[Service]
+EnvironmentFile=-/etc/default/atd
+ExecStart=/usr/sbin/atd -f -l $BATCH_LOAD -b $BATCH_INTERVAL
+IgnoreSIGPIPE=false
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/auth/COPYRIGHT b/ansible_collections/debops/debops/roles/auth/COPYRIGHT
new file mode 100644
index 00000000..e412e1d3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.auth - Manage authentication and authorization configuration
+              using Ansible
+
+Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/auth/defaults/main.yml b/ansible_collections/debops/debops/roles/auth/defaults/main.yml
new file mode 100644
index 00000000..f016bb52
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/defaults/main.yml
@@ -0,0 +1,45 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _auth__ref_defaults:
+
+# debops.auth default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# .. envvar:: auth_packages [[[
+#
+# List of Debian/Ubuntu packages installed by debops.auth
+auth_packages:
+  - '{{ "libpam-cracklib"
+        if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+        else [] }}'
+
+                                                                   # ]]]
+# Local user account configuration [[[
+# ------------------------------------
+
+# .. envvar:: auth_pwhistory_remember [[[
+#
+# Size of local password history, set to False to disable
+auth_pwhistory_remember: '5'
+
+                                                                   # ]]]
+# .. envvar:: auth_cracklib [[[
+#
+# Enable password checking via cracklib
+auth_cracklib: '{{ True
+                   if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+                   else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/auth/handlers/main.yml b/ansible_collections/debops/debops/roles/auth/handlers/main.yml
new file mode 100644
index 00000000..ed35d370
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update PAM common configuration
+  ansible.builtin.shell: pam-auth-update --package libpam-modules 2>/dev/null
+  register: auth__register_pam_update
+  changed_when: auth__register_pam_update.changed | bool
+  when: ansible_distribution_release not in ["bionic", "buster"]
diff --git a/ansible_collections/debops/debops/roles/auth/meta/main.yml b/ansible_collections/debops/debops/roles/auth/meta/main.yml
new file mode 100644
index 00000000..35436c7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Set up basic user authentication and authorization'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.6'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/auth/tasks/auth/post_main.yml b/ansible_collections/debops/debops/roles/auth/tasks/auth/post_main.yml
new file mode 100644
index 00000000..7d649a99
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/tasks/auth/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/auth/tasks/auth/pre_main.yml b/ansible_collections/debops/debops/roles/auth/tasks/auth/pre_main.yml
new file mode 100644
index 00000000..7d649a99
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/tasks/auth/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/auth/tasks/main.yml b/ansible_collections/debops/debops/roles/auth/tasks/main.yml
new file mode 100644
index 00000000..fae09726
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'auth/pre_main.yml') }}"
+
+- name: Install auth-related packages
+  ansible.builtin.apt:
+    name: '{{ auth_packages | flatten }}'
+    state: 'present'
+    install_recommends: 'no'
+  register: auth__register_packages
+  until: auth__register_packages is succeeded
+
+- name: Configure pam_cracklib
+  ansible.builtin.template:
+    src: 'usr/share/pam-configs/cracklib.j2'
+    dest: '/usr/share/pam-configs/cracklib'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Update PAM common configuration' ]
+  when: auth_cracklib | bool
+
+- name: Configure PAM password history module
+  ansible.builtin.include_tasks: pam_pwhistory.yml
+  when: auth_pwhistory_remember is defined and auth_pwhistory_remember
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'auth/post_main.yml') }}"
diff --git a/ansible_collections/debops/debops/roles/auth/tasks/pam_pwhistory.yml b/ansible_collections/debops/debops/roles/auth/tasks/pam_pwhistory.yml
new file mode 100644
index 00000000..29024b04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/tasks/pam_pwhistory.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if password history database exists
+  ansible.builtin.stat:
+    path: '/etc/security/opasswd'
+  register: auth_register_opasswd
+
+- name: Configure password history database
+  ansible.builtin.file:
+    path: '/etc/security/opasswd'
+    state: 'touch'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  when: auth_register_opasswd is defined and not auth_register_opasswd.stat.exists
+
+- name: Configure pam_pwhistory
+  ansible.builtin.template:
+    src: 'usr/share/pam-configs/pwhistory.j2'
+    dest: '/usr/share/pam-configs/pwhistory'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Update PAM common configuration' ]
diff --git a/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/cracklib.j2 b/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/cracklib.j2
new file mode 100644
index 00000000..0413876a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/cracklib.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Enable support for libpam-cracklib in PAM
+
+Name: Cracklib password strength checking
+Default: yes
+Priority: 1024
+Conflicts: unix-zany
+Password-Type: Primary
+Password:
+	requisite			pam_cracklib.so reject_username retry={{ auth_cracklib_retry | d('3') }} minlen={{ auth_cracklib_minlen | d('18') }} difok={{ auth_cracklib_difok | d('3') }} maxrepeat={{ auth_cracklib_maxrepeat | d('2') }} minclass={{ auth_cracklib_minclass | d('4') }} lcredit={{ auth_cracklib_lcredit | d('0') }} ucredit={{ auth_cracklib_ucredit | d('2') }} dcredit={{ auth_cracklib_dcredit | d('1') }} ocredit={{ auth_cracklib_ocredit | d('1') }} use_authtok
+Password-Initial:
+	requisite			pam_cracklib.so reject_username retry={{ auth_cracklib_retry | d('3') }} minlen={{ auth_cracklib_minlen | d('18') }} difok={{ auth_cracklib_difok | d('3') }} maxrepeat={{ auth_cracklib_maxrepeat | d('2') }} minclass={{ auth_cracklib_minclass | d('4') }} lcredit={{ auth_cracklib_lcredit | d('0') }} ucredit={{ auth_cracklib_ucredit | d('2') }} dcredit={{ auth_cracklib_dcredit | d('1') }} ocredit={{ auth_cracklib_ocredit | d('1') }}
diff --git a/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/pwhistory.j2 b/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/pwhistory.j2
new file mode 100644
index 00000000..d92bd375
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/auth/templates/usr/share/pam-configs/pwhistory.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Remember previous local passwords to enforce rotation
+
+Name: Unix password history
+Default: yes
+Priority: 500
+Auth-Type: Primary
+Password-Type: Primary
+Password:
+	required			pam_pwhistory.so use_authtok enforce_for_root remember={{ auth_pwhistory_remember }}
+Password-Initial:
+	required			pam_pwhistory.so enforce_for_root remember={{ auth_pwhistory_remember }}
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/COPYRIGHT b/ansible_collections/debops/debops/roles/authorized_keys/COPYRIGHT
new file mode 100644
index 00000000..ac985339
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.authorized_keys - Manage SSH public keys using Ansible
+
+Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/defaults/main.yml b/ansible_collections/debops/debops/roles/authorized_keys/defaults/main.yml
new file mode 100644
index 00000000..651612ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/defaults/main.yml
@@ -0,0 +1,84 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _authorized_keys__ref_defaults:
+
+# debops.authorized_keys default variables
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Main configuration [[[
+# ----------------------
+
+# .. envvar:: authorized_keys__enabled [[[
+#
+# Enable or disable management of SSH public keys in a central location.
+authorized_keys__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__path [[[
+#
+# Path to the directory where SSH public keys are stored.
+authorized_keys__path: '/etc/ssh/authorized_keys'
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__system [[[
+#
+# If enabled, new groups created by the role will be "system" groups with
+# GID < 1000, otherwise new groups will be "normal" groups with GID > 1000.
+authorized_keys__system: True
+                                                                   # ]]]
+                                                                   # ]]]
+# SSH public key identities [[[
+# -----------------------------
+
+# These lists define SSH public key identities managed by the role with
+# corresponding UNIX accounts. See :ref:`authorized_keys__ref_identities` for
+# more details.
+
+# .. envvar:: authorized_keys__identities [[[
+#
+# The list of SSH key identities defined on all hosts in the Ansible inventory.
+authorized_keys__identities: []
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__group_identities [[[
+#
+# The list of SSH key identities defined on hosts in a specific Ansible
+# inventory group.
+authorized_keys__group_identities: []
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__host_identities [[[
+#
+# The list of SSH key identities defined on specific hosts in the Ansible
+# inventory.
+authorized_keys__host_identities: []
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__dependent_identities [[[
+#
+# The list of SSH key identities defined by other Ansible roles via role
+# dependent variables.
+authorized_keys__dependent_identities: []
+
+                                                                   # ]]]
+# .. envvar:: authorized_keys__combined_identities [[[
+#
+# Variable which combines all of the SSH key identities lists and is used in
+# role tasks and templates.
+authorized_keys__combined_identities: '{{ authorized_keys__identities
+                                          + authorized_keys__group_identities
+                                          + authorized_keys__host_identities
+                                          + authorized_keys__dependent_identities }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/meta/main.yml b/ansible_collections/debops/debops/roles/authorized_keys/meta/main.yml
new file mode 100644
index 00000000..65386665
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage SSH public keys in /etc/ssh/authorized_keys/'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - ssh
+    - publickey
+    - security
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/tasks/main.yml b/ansible_collections/debops/debops/roles/authorized_keys/tasks/main.yml
new file mode 100644
index 00000000..f62fc1df
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+# Copyright (C) 2016-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Ensure that SSH identity datastore exists
+  ansible.builtin.file:
+    path: '{{ authorized_keys__path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: authorized_keys__enabled | bool
+
+- name: Ensure the required groups exist
+  ansible.builtin.group:
+    name: '{{ item.group }}'
+    gid: '{{ item.gid | d(omit) }}'
+    system: '{{ item.system | bool }}'
+    state: 'present'
+  loop: '{{ lookup("template", "lookup/authorized_keys__identities.j2") | from_yaml }}'
+  loop_control:
+    label: '{{ {"identity": item.identity, "group": item.group} }}'
+  when: authorized_keys__enabled | bool and item.group | d() and
+        item.state | d('present') not in ['absent', 'ignore', 'init'] and
+        item.file_state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Get list of all groups
+  ansible.builtin.getent:
+    database: 'group'
+    split: ':'
+  when: authorized_keys__enabled | bool
+
+- name: Get list of all users
+  ansible.builtin.getent:
+    database: 'passwd'
+    split: ':'
+  when: authorized_keys__enabled | bool
+
+- name: Configure authorized keys for users
+  ansible.posix.authorized_key:
+    key:         '{{ item.key }}'
+    user:        '{{ item.user if (item.home | d()) | bool else "root" }}'
+    manage_dir:  '{{ item.manage_dir }}'
+    state:       '{{ item.state | d("present") }}'
+    key_options: '{{ item.key_options | d(omit) }}'
+    comment:     '{{ item.comment | d(omit) }}'
+    path:        '{{ item.path | d(omit) }}'
+    exclusive:   '{{ item.exclusive | d(omit) }}'
+    follow:      '{{ item.follow | d(omit) }}'
+  loop: '{{ lookup("template", "lookup/authorized_keys__identities.j2") | from_yaml }}'
+  loop_control:
+    label: '{{ {"identity": item.identity,
+                "state": (item.state | d("present")
+                          if (item.user in getent_passwd.keys() and (item.home | d()) | bool)
+                          else ("no user"
+                                if (item.user not in getent_passwd.keys() and (item.home | d()) | bool)
+                                else item.state | d("present"))),
+                "user": item.user,
+                "path": item.path | d("~" + item.user + "/.ssh/authorized_keys")} }}'
+  when: (authorized_keys__enabled | bool and
+         item.file_state | d('present') != 'absent' and
+         ((item.home | d()) | bool and item.user in getent_passwd.keys()) or
+          not (item.home | d()) | bool)
+
+- name: Enforce state of authorized_keys user files
+  ansible.builtin.file:
+    path:  '{{ item.path }}'
+    owner: '{{ item.owner if (item.owner | d() and item.owner in getent_passwd.keys()) else "root" }}'
+    group: '{{ (item.group
+                if (item.group | d() and item.group in (getent_group | d({})).keys())
+                else (getent_passwd[item.owner][2] | d({})
+                      if (item.owner in getent_passwd | d({}))
+                      else omit)) }}'
+    mode:  '{{ item.mode }}'
+    state: '{{ "absent" if (item.file_state | d("present") == "absent") else omit }}'
+  loop: '{{ lookup("template", "lookup/authorized_keys__identities.j2") | from_yaml }}'
+  loop_control:
+    label: '{{ {"identity": item.identity,
+                "state": item.file_state | d("present"),
+                "group": (item.group
+                          if (item.group | d() and item.group in (getent_group | d({})).keys())
+                          else (getent_passwd[item.owner | d("root")][2] | d({})
+                                if (item.owner | d("root") in getent_passwd | d({}))
+                                else "root")),
+                "path": item.path} }}'
+  when: authorized_keys__enabled | bool and item.path | d() and not item.manage_dir | bool and
+        item.state | d('present') not in ['absent', 'ignore', 'init'] and not ansible_check_mode
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save authorized_keys local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/authorized_keys.fact.j2'
+    dest: '/etc/ansible/facts.d/authorized_keys.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/templates/etc/ansible/facts.d/authorized_keys.fact.j2 b/ansible_collections/debops/debops/roles/authorized_keys/templates/etc/ansible/facts.d/authorized_keys.fact.j2
new file mode 100644
index 00000000..953ed97c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/templates/etc/ansible/facts.d/authorized_keys.fact.j2
@@ -0,0 +1,21 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+
+output = loads('''{{ {"configured": True,
+                      "enabled": authorized_keys__enabled | bool,
+                      "datastore": authorized_keys__path
+                     } | to_nice_json }}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/authorized_keys/templates/lookup/authorized_keys__identities.j2 b/ansible_collections/debops/debops/roles/authorized_keys/templates/lookup/authorized_keys__identities.j2
new file mode 100644
index 00000000..e80b376b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/authorized_keys/templates/lookup/authorized_keys__identities.j2
@@ -0,0 +1,68 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{% for identity in (q("flattened", authorized_keys__combined_identities) | debops.debops.parse_kv_items(merge_keys=["accounts"])) %}
+{%   if (identity.state | d('present') not in [ 'init', 'ignore' ] and (identity.sshkeys | d() or identity.url | d())) %}
+{%     for account in identity.accounts | d([]) %}
+{%       set parsed_account = {'identity': identity.name,
+                               'user': account.name} %}
+{%       if identity.sshkeys | d() %}
+{%         set _ = parsed_account.update({'key': ([ identity.sshkeys ]
+                                                  if identity.sshkeys is string
+                                                  else identity.sshkeys)
+                                                 | join('\n')}) %}
+{%       elif identity.url | d() %}
+{%         set _ = parsed_account.update({'key': identity.url}) %}
+{%       endif %}
+{%       set _ = parsed_account.update({'state': ('present'
+                                                  if (account.state | d('present') != 'absent'
+                                                      and identity.state | d('present') != 'absent')
+                                                  else 'absent')
+                                       }) %}
+{%       if (account.home | d() ) | bool %}
+{%         set _ = parsed_account.update({'manage_dir': True, 'home': True}) %}
+{%       else %}
+{%         set _ = parsed_account.update({'manage_dir': False,
+                                          'home':       False,
+                                          'path':       (authorized_keys__path + '/' + account.name),
+                                          'owner':      (account.owner      | d('root')),
+                                          'group':      (account.group      | d(account.name)),
+                                          'system':     (account.system     | d(authorized_keys__system)),
+                                          'mode':       (account.mode       | d('0640')),
+                                          'file_state': (account.file_state | d('present'))
+                                         }) %}
+{%         if account.gid | d() %}
+{%           set _ = parsed_account.update({'gid': account.gid}) %}
+{%         endif %}
+{%       endif %}
+{%       if (account.comment | d(identity.comment | d())) %}
+{%         set _ = parsed_account.update({'comment': (account.comment | d(identity.comment))}) %}
+{%       endif %}
+{%       set key_options = [] %}
+{%       if identity.options | d() %}
+{%         set _ = key_options.extend(identity.options | map(attribute='name') | list) %}
+{%       endif %}
+{%       if account.options | d() %}
+{%         set _ = key_options.extend(account.options | map(attribute='name') | list) %}
+{%       endif %}
+{%       for key, value in ((identity.environment | d({})) | combine(account.environment | d({}))) | dictsort %}
+{%         set _ = key_options.append('environment="' + key + '=' + value + '"') %}
+{%       endfor %}
+{%       if account.command | d() %}
+{%         set _ = key_options.append('command="' + account.command + '"') %}
+{%       elif identity.command | d() %}
+{%         set _ = key_options.append('command="' + identity.command + '"') %}
+{%       endif %}
+{%       if key_options %}
+{%         set _ = parsed_account.update({'key_options': key_options | unique | join(',')}) %}
+{%       endif %}
+{%       if (account.exclusive | d()) | bool %}
+{%         set _ = parsed_account.update({'exclusive': True}) %}
+{%       endif %}
+{%       set _ = output.append(parsed_account) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ output | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/avahi/COPYRIGHT b/ansible_collections/debops/debops/roles/avahi/COPYRIGHT
new file mode 100644
index 00000000..8ebad2bc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.avahi - configure Avahi service using Ansible
+
+Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/avahi/defaults/main.yml b/ansible_collections/debops/debops/roles/avahi/defaults/main.yml
new file mode 100644
index 00000000..1ef9358e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/defaults/main.yml
@@ -0,0 +1,420 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _avahi__ref_defaults:
+
+# debops.avahi default variables [[[
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: avahi__enabled [[[
+#
+# Should the Avahi service be enabled?
+avahi__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: avahi__base_packages [[[
+#
+# List of APT packages to install for Avahi support.
+avahi__base_packages: [ 'avahi-daemon', 'avahi-utils', 'libnss-mdns' ]
+
+                                                                   # ]]]
+# .. envvar:: avahi__packages [[[
+#
+# List of additional APT packages to install with Avahi.
+avahi__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Avahi daemon configuration [[[
+# ------------------------------
+
+# .. envvar:: avahi__domain [[[
+#
+# The DNS domain used by Avahi. You shouldn't change that unless you know what
+# you are doing. This is not a "real" DNS domain, and if the same one is
+# detected by Avahi as defined in a real DNS, things will break.
+avahi__domain: 'local'
+
+                                                                   # ]]]
+# .. envvar:: avahi__use_ipv4 [[[
+#
+# Enable or disable Avahi on IPv4 network.
+avahi__use_ipv4: True
+
+                                                                   # ]]]
+# .. envvar:: avahi__use_ipv6 [[[
+#
+# Enable or disable Avahi on IPv6 network. IPv6 support will be automatically
+# disabled if there are no IPv6 addresses present.
+avahi__use_ipv6: '{{ True
+                     if (ansible_all_ipv6_addresses
+                         | difference(ansible_all_ipv6_addresses
+                         | ansible.utils.ipv6("link-local")))
+                     else False }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__allow_interfaces [[[
+#
+# List of network interfaces which Avahi should listen to. If empty, Avahi
+# listens on all interfaces except ``loopback`` and point-to-point.
+avahi__allow_interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: avahi__deny_interfaces [[[
+#
+# List of network interfaces which Avahi should ignore. All other interfaces
+# will be used, unless :envvar:`avahi__allow_interfaces` is also specified.
+avahi__deny_interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: avahi__check_response_ttl [[[
+#
+# If enabled, Avahi will check if the packet's TTL field is set to 255. This
+# might not work with newer implementations of mDNS.
+avahi__check_response_ttl: False
+
+                                                                   # ]]]
+# .. envvar:: avahi__use_iff_running [[[
+#
+# When enabled, Avahi will use the ``IFF_RUNNING`` flag of the network
+# interface to check connection state.
+avahi__use_iff_running: False
+
+                                                                   # ]]]
+# .. envvar:: avahi__enable_dbus [[[
+#
+# Enable or disable D-BUS support.
+avahi__enable_dbus: True
+
+                                                                   # ]]]
+# .. envvar:: avahi__disallow_other_stacks [[[
+#
+# When enabled, Avahi will block other processes from use of the UDP port 5353
+# (``mdns``) and will use it exclusively.
+avahi__disallow_other_stacks: True
+
+                                                                   # ]]]
+# .. envvar:: avahi__add_service_cookie [[[
+#
+# When enabled, Avahi will include a "cookie" (random number generated at the
+# start of the daemon) TXT entry with each local service. This can be used to
+# recognize the same services on different network interfaces.
+avahi__add_service_cookie: True
+
+                                                                   # ]]]
+# .. envvar:: avahi__publish_hinfo [[[
+#
+# When enabled, Avahi will publish a HINFO record on all network interfaces
+# with information about the operating system and CPU.
+avahi__publish_hinfo: False
+
+                                                                   # ]]]
+# .. envvar:: avahi__publish_workstation [[[
+#
+# When enabled, Avahi will register a ``_workstation._tcp`` service.
+avahi__publish_workstation: False
+
+                                                                   # ]]]
+# .. envvar:: avahi__publish_device_info [[[
+#
+# When enabled, Avahi will register a special ``_device-info._tcp`` service
+# which helps configure the host's appearance on compatible devices.
+avahi__publish_device_info: '{{ True
+                                if not avahi__publish_workstation | bool
+                                else False }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__publish_ssh [[[
+#
+# When enabled, Avahi will register a SSH and SFTP service.
+avahi__publish_ssh: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Contents of main configuration file [[[
+# ---------------------------------------
+
+# These variables control what parameters are set in the
+# :file:`/etc/avahi/avahi-daemon.conf` configuration file. See
+# :ref:`avahi__ref_daemon_conf` for more details.
+
+# .. envvar:: avahi__daemon_conf_default_server [[[
+#
+# The default configuration of the ``[server]`` section.
+avahi__daemon_conf_default_server:
+  'use-ipv4':                '{{ avahi__use_ipv4 }}'
+  'use-ipv6':                '{{ avahi__use_ipv6 }}'
+  'allow-interfaces':        '{{ avahi__allow_interfaces }}'
+  'deny-interfaces':         '{{ avahi__deny_interfaces }}'
+  'check-response-ttl':      '{{ avahi__check_response_ttl }}'
+  'use-iff-running':         '{{ avahi__use_iff_running }}'
+  'enable-dbus':             '{{ avahi__enable_dbus }}'
+  'disallow-other-stacks':   '{{ avahi__disallow_other_stacks }}'
+  'ratelimit-interval-usec': 1000000
+  'ratelimit-burst':         1000
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_server [[[
+#
+# Custom configuration of the ``[server]`` section, combined with the default.
+avahi__daemon_conf_server: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_default_wide_area [[[
+#
+# The default configuration of the ``[wide-area]`` section.
+avahi__daemon_conf_default_wide_area:
+  'enable-wide-area': True
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_wide_area [[[
+#
+# Custom configuration of the ``[wide-area]`` section, combined with the
+# default.
+avahi__daemon_conf_wide_area: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_default_publish [[[
+#
+# The default configuration of the ``[publish]`` section.
+avahi__daemon_conf_default_publish:
+  'add-service-cookie':  '{{ avahi__add_service_cookie }}'
+  'publish-hinfo':       '{{ avahi__publish_hinfo }}'
+  'publish-workstation': '{{ avahi__publish_workstation }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_publish [[[
+#
+# Custom configuration of the ``[publish]`` section, combined with the default.
+avahi__daemon_conf_publish: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_default_reflector [[[
+#
+# The default configuration of the ``[reflector]`` section.
+avahi__daemon_conf_default_reflector:
+  'enable-reflector': False
+  'reflect-ipv':      False
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_reflector [[[
+#
+# Custom configuration of the ``[reflector]`` section, combined with the
+# default.
+avahi__daemon_conf_reflector: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_default_rlimits [[[
+#
+# The default configuration of the ``[rlimits]`` section.
+avahi__daemon_conf_default_rlimits:
+  'rlimit-as':     ''
+  'rlimit-core':   0
+  'rlimit-data':   4194304
+  'rlimit-fsize':  0
+  'rlimit-nofile': 768
+  'rlimit-stack':  4194304
+  'rlimit-nproc':  32
+
+                                                                   # ]]]
+# .. envvar:: avahi__daemon_conf_rlimits [[[
+#
+# Custom configuration of the ``[rlimits]`` section, combined with the default.
+avahi__daemon_conf_rlimits: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: avahi__allow [[[
+#
+# List of IP addresses or CIDR subnets which can access the Avahi service over
+# the firewall. If nothing is specified, any host is allowed.
+avahi__allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# CNAME mDNS support [[[
+# ----------------------
+
+# A separate service script is used to support CNAME mDNS records.
+# See :ref:`avahi__ref_alias_support` for more details.
+
+# .. envvar:: avahi__alias_enabled [[[
+#
+# Enable CNAME mDNS support via custom Python script.
+avahi__alias_enabled: '{{ True
+                          if (ansible_local | d() and ansible_local.python | d() and
+                              (ansible_local.python.installed2 | d()) | bool)
+                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__alias_install_path [[[
+#
+# Absolute path to the directory where the :command:`avahi-alias` script will
+# be installed.
+avahi__alias_install_path: '{{ ansible_local.fhs.sbin | d("/usr/local/sbin") }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__alias_config_file [[[
+#
+# Absolute path to the file which contains a list of CNAME aliases to register.
+avahi__alias_config_file: '/etc/avahi/aliases'
+                                                                   # ]]]
+                                                                   # ]]]
+# Static host entries [[[
+# -----------------------
+
+# Avahi can register static IP address entries in mDNS network to point to
+# other hosts that don't support mDNS themselves. This is done by setting YAML
+# dictionaries, with dictionary key as the IP address and dictionary string
+# value as the hostname, either with or without the Avahi ``.local`` domain (it
+# will be added automatically). For example:
+#
+# .. code-block:: yaml
+#
+#    avahi__hosts:
+#      '192.0.2.1': 'router.local'
+#      '192.0.2.5': 'storage'
+#
+# You still need to configure the relevant service entries separately.
+# See :ref:`avahi__ref_services` for more details.
+
+# .. envvar:: avahi__hosts [[[
+#
+# YAML dictionary with static IP address entries which should be set on all
+# hosts in Ansible inventory.
+avahi__hosts: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__group_hosts [[[
+#
+# YAML dictionary with static IP address entries which should be set on hosts
+# in specific Ansible inventory group.
+avahi__group_hosts: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__host_hosts [[[
+#
+# YAML dictionary with static IP address entries which should be set on
+# specific hosts in Ansible inventory.
+avahi__host_hosts: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Avahi services [[[
+# ------------------
+
+# The variables below define what services are published by Avahi.
+# See :ref:`avahi__ref_services` for more details.
+
+# .. envvar:: avahi__default_services [[[
+#
+# Variable which contains default services published by Avahi.
+avahi__default_services:
+
+  'device-info':
+    comment: 'Set server icon for this host on compatible devices'
+    type: '_device-info._tcp'
+    txt: 'model=RackMac'
+    state: '{{ "present"
+               if avahi__publish_device_info | bool
+               else "absent" }}'
+
+  'sftp-ssh':
+    name: 'SFTP on %h'
+    type: '_sftp-ssh._tcp'
+    port: '22'
+    state: '{{ "present"
+               if avahi__publish_ssh | bool
+               else "absent" }}'
+
+  'ssh':
+    name: 'SSH on %h'
+    type: '_ssh._tcp'
+    port: '22'
+    state: '{{ "present"
+               if avahi__publish_ssh | bool
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: avahi__dependent_services [[[
+#
+# Variable which contains services published by Avahi configured by other
+# Ansible roles using role dependent variables.
+avahi__dependent_services: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__services [[[
+#
+# Variable which contains services published by Avahi configured on all hosts
+# in the Ansible inventory.
+avahi__services: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__group_services [[[
+#
+# Variable which contains services published by Avahi configured on hosts in
+# specific Ansible inventory group.
+avahi__group_services: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__host_services [[[
+#
+# Variable which contains services published by Avahi configured on specific
+# hosts in the Ansible inventory.
+avahi__host_services: {}
+
+                                                                   # ]]]
+# .. envvar:: avahi__combined_services [[[
+#
+# Variable which contains services published by Avahi, combined from all other
+# variables. This variable is used to generate configuration from templates.
+avahi__combined_services: '{{ lookup("template",
+                              "lookup/avahi__combined_services.j2",
+                              convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: avahi__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+# Currently there is no python3-avahi package available in Debian.
+# Ref: https://bugs.debian.org/853239
+avahi__python__dependent_packages3: []
+
+                                                                   # ]]]
+# .. envvar:: avahi__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+avahi__python__dependent_packages2:
+
+  - 'python-avahi'
+
+                                                                   # ]]]
+# .. envvar:: avahi__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm`.
+avahi__ferm__dependent_rules:
+
+  - name: 'avahi'
+    type: 'accept'
+    dport: 'mdns'
+    saddr: '{{ avahi__allow }}'
+    protocol: 'udp'
+    accept_any: True
+    rule_state: '{{ "present" if (avahi__enabled | bool) else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/avahi/files/usr/local/sbin/avahi-alias b/ansible_collections/debops/debops/roles/avahi/files/usr/local/sbin/avahi-alias
new file mode 100755
index 00000000..96881486
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/files/usr/local/sbin/avahi-alias
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+
+# Copyright 2017 George C. Hawkins (https://github.com/george-hawkins)
+# Copyright 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Homepage: https://github.com/george-hawkins/avahi-aliases-notes
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Warning: at the moment (2019) Debian does not provide 'python3-avahi'
+# package, Python 2.7 is required to run this script. The installation of the
+# 'avahi' Python package from PyPI is broken.
+# Ref: https://bugs.debian.org/853239
+
+import avahi
+import dbus
+import time
+import sys
+import locale
+from encodings.idna import ToASCII
+
+# Got these from /usr/include/avahi-common/defs.h
+CLASS_IN = 0x01
+TYPE_CNAME = 0x05
+
+TTL = 60
+
+
+def publish_cname(cname):
+    bus = dbus.SystemBus()
+    server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
+                                           avahi.DBUS_PATH_SERVER),
+                            avahi.DBUS_INTERFACE_SERVER)
+    group = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
+                                          server.EntryGroupNew()),
+                           avahi.DBUS_INTERFACE_ENTRY_GROUP)
+
+    rdata = createRR(server.GetHostNameFqdn())
+    cname = encode_dns(cname)
+
+    group.AddRecord(avahi.IF_UNSPEC, avahi.PROTO_UNSPEC, dbus.UInt32(0),
+                    cname, CLASS_IN, TYPE_CNAME, TTL, rdata)
+    group.Commit()
+    print("Published " + cname.decode())
+
+
+def encode_dns(name):
+    out = []
+    for part in name.split('.'):
+        if len(part) == 0:
+            continue
+        out.append(ToASCII(part))
+    return b'.'.join(out)
+
+
+def createRR(name):
+    out = []
+    for part in name.split('.'):
+        if len(part) == 0:
+            continue
+        out.append(chr(len(part)).encode())
+        out.append(ToASCII(part))
+    out.append(b'\0')
+    return b''.join(out)
+
+
+if __name__ == '__main__':
+    for name in sys.argv[1:]:
+        publish_cname(name)
+    try:
+        # Just loop forever
+        while 1:
+            time.sleep(60)
+    except KeyboardInterrupt:
+        print("Exiting")
diff --git a/ansible_collections/debops/debops/roles/avahi/meta/main.yml b/ansible_collections/debops/debops/roles/avahi/meta/main.yml
new file mode 100644
index 00000000..4481d10e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Avahi service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mdns
+    - zeroconf
+    - bonjour
+    - discovery
diff --git a/ansible_collections/debops/debops/roles/avahi/tasks/avahi_alias.yml b/ansible_collections/debops/debops/roles/avahi/tasks/avahi_alias.yml
new file mode 100644
index 00000000..16612f3c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/tasks/avahi_alias.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install avahi-alias script
+  ansible.builtin.copy:
+    src: 'usr/local/sbin/avahi-alias'
+    dest: '{{ avahi__alias_install_path }}/avahi-alias'
+    mode: '0755'
+  register: avahi__register_alias_script
+
+- name: Install avahi-alias.service
+  ansible.builtin.template:
+    src: 'etc/systemd/system/avahi-alias.service.j2'
+    dest: '/etc/systemd/system/avahi-alias.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: avahi__register_alias_service
+
+- name: Make sure that the CNAME alias file exists
+  ansible.builtin.file:  # noqa no-handler
+    path: '{{ avahi__alias_config_file }}'
+    state: 'touch'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: avahi__register_alias_script is changed
+
+- name: Manage list of CNAME entries
+  ansible.builtin.lineinfile:
+    dest: '{{ avahi__alias_config_file }}'
+    regexp: '{{ "^" + (item.value.cname
+                       if item.value.cname.endswith("." + avahi__domain)
+                       else (item.value.cname + "." + avahi__domain)) + "$" }}'
+    line: '{{ (item.value.cname
+               if item.value.cname.endswith("." + avahi__domain)
+               else (item.value.cname + "." + avahi__domain)) }}'
+    state: '{{ "present"
+               if item.value.cname_state | d(item.value.state | d("present")) != "absent"
+               else "absent" }}'
+    mode: '0644'
+  with_dict: '{{ avahi__combined_services }}'
+  register: avahi__register_aliases
+  when: item.value.cname | d()
+
+- name: Manage avahi-alias.service
+  ansible.builtin.systemd:
+    name: 'avahi-alias.service'
+    enabled: '{{ True if avahi__register_alias_script is changed else omit }}'
+    daemon_reload: '{{ True if (avahi__register_alias_script is changed or
+                                avahi__register_alias_service is changed) else omit }}'
+    state: '{{ "restarted" if (avahi__register_alias_script is changed or
+                               avahi__register_alias_service is changed or
+                               avahi__register_aliases is changed) else omit }}'
+  when: ansible_service_mgr == 'systemd'
diff --git a/ansible_collections/debops/debops/roles/avahi/tasks/main.yml b/ansible_collections/debops/debops/roles/avahi/tasks/main.yml
new file mode 100644
index 00000000..0d825351
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/tasks/main.yml
@@ -0,0 +1,160 @@
+---
+# Copyright (C) 2017-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# The tasks below are a fix for an issue where Avahi service cannot start in an
+# LXC container. Without this, installation of the 'avahi-daemon' package will
+# result in a dpkg error. More information:
+# https://lists.linuxcontainers.org/pipermail/lxc-devel/2012-April/002395.html
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create systemd-resolved configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: (ansible_service_mgr == 'systemd' and
+         (ansible_local.resolved.installed | d()) | bool)
+
+- name: Disable MulticastDNS support in systemd-resolved
+  ansible.builtin.template:
+    src: 'etc/systemd/resolved.conf.d/avahi-mdns.conf.j2'
+    dest: '/etc/systemd/resolved.conf.d/avahi-mdns.conf'
+    mode: '0644'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: (ansible_service_mgr == 'systemd' and
+         (ansible_local.resolved.installed | d()) | bool)
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Make sure that Avahi config directory exists
+  ansible.builtin.file:
+    path: '/etc/avahi'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Divert the avahi-daemon configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/avahi/{{ item }}'
+  loop:
+    - 'avahi-daemon.conf'
+    - 'hosts'
+  register: avahi__register_divert
+  notify: [ 'Restart avahi-daemon' ]
+
+- name: Configure avahi-daemon
+  ansible.builtin.template:
+    src: 'etc/avahi/avahi-daemon.conf.j2'
+    dest: '/etc/avahi/avahi-daemon.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart avahi-daemon' ]
+
+- name: Create a stub mDNS hosts configuration file
+  ansible.builtin.file:  # noqa no-handler
+    state: 'touch'
+    dest: '/etc/avahi/hosts'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: avahi__register_divert is changed
+
+- name: Create avahi-daemon systemd override directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/avahi-daemon.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: ansible_service_mgr == 'systemd' and
+        ansible_virtualization_type in ['lxc', 'docker'] and
+        ansible_virtualization_role == 'guest'
+
+- name: Install avahi-daemon exec override on LXC guests
+  ansible.builtin.template:
+    src: 'etc/systemd/system/avahi-daemon.service.d/exec-override.conf.j2'
+    dest: '/etc/systemd/system/avahi-daemon.service.d/exec-override.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: ansible_service_mgr == 'systemd' and
+        ansible_virtualization_type in ['lxc', 'docker'] and
+        ansible_virtualization_role == 'guest'
+
+# The rest of the role continues as normal.
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (avahi__base_packages
+                              + avahi__packages)) }}'
+    state: 'present'
+  register: avahi__register_packages
+  until: avahi__register_packages is succeeded
+
+- name: Manage advertisement of additional hosts over Avahi
+  ansible.builtin.lineinfile:
+    dest: '/etc/avahi/hosts'
+    regexp: '{{ "^" + item.key + "\s+" }}'
+    line: '{{ item.key }} {{ (item.value
+                              if item.value.endswith("." + avahi__domain)
+                              else (item.value + "." + avahi__domain)) }}'
+    state: 'present'
+    mode: '0644'
+  with_dict: '{{ avahi__hosts | combine(avahi__group_hosts) | combine(avahi__host_hosts) }}'
+  when: item.key | d() and item.value | d()
+
+- name: Configure Avahi CNAME aliases
+  ansible.builtin.include_tasks: avahi_alias.yml
+  when: avahi__alias_enabled | bool
+  tags: [ 'role::avahi:alias' ]
+
+- name: Remove Avahi services if requested
+  ansible.builtin.file:
+    path: '/etc/avahi/services/{{ item.value.filename | d(item.key) }}.service'
+    state: 'absent'
+  with_dict: '{{ avahi__combined_services }}'
+  when: item.value.filename | d(item.key) and item.value.state | d('present') == 'absent'
+  tags: [ 'role::avahi:alias', 'role::avahi:services' ]
+
+- name: Configure Avahi services
+  ansible.builtin.template:
+    src: 'etc/avahi/services/avahi.service.j2'
+    dest: '/etc/avahi/services/{{ item.value.filename | d(item.key) }}.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_dict: '{{ avahi__combined_services }}'
+  when: (item.value.filename | d(item.key) and item.value.state | d('present') != 'absent' and
+         (item.value.services | d() or item.value.type | d()))
+  tags: [ 'role::avahi:alias', 'role::avahi:services' ]
+
+- name: Ensure that the avahi-daemon service in in the desired state
+  ansible.builtin.service:
+    name: 'avahi-daemon'
+    enabled: '{{ avahi__enabled | bool }}'
+    state: '{{ "started" if (avahi__enabled | bool) else "stopped" }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Avahi local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/avahi.fact.j2'
+    dest: '/etc/ansible/facts.d/avahi.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/ansible/facts.d/avahi.fact.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/ansible/facts.d/avahi.fact.j2
new file mode 100644
index 00000000..d3b7e22a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/ansible/facts.d/avahi.fact.j2
@@ -0,0 +1,29 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"configured": True,
+                      "enabled": avahi__enabled | bool,
+                      "ipv4": avahi__use_ipv4 | bool,
+                      "ipv6": avahi__use_ipv6 | bool} | to_nice_json }}''')
+
+output['installed'] = cmd_exists('avahi-daemon')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/avahi-daemon.conf.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/avahi-daemon.conf.j2
new file mode 100644
index 00000000..8755d561
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/avahi-daemon.conf.j2
@@ -0,0 +1,59 @@
+{# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-2.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# This file is part of avahi.
+#
+# avahi is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#
+# avahi is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with avahi; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA.
+
+# See avahi-daemon.conf(5) for more information on this configuration
+# file!
+
+{% macro print_config(section, data) %}
+[{{ section }}]
+{%   for key in data.keys() %}
+{%     if data[key] is iterable and data[key] is not string and data[key] is not mapping %}
+{%       if data[key] %}
+{{ key }}={{ data[key] | join(', ') }}
+{%       else %}
+#{{ key }}={{ data[key] | join(', ') }}
+{%       endif %}
+{%     elif data[key] | bool and data[key] is not iterable %}
+{{ key }}=yes
+{%     elif not data[key] | bool and data[key] is not iterable %}
+{%       if data[key] is not none %}
+{%         if data[key] | int or data[key] | string == '0' %}
+{{ key }}={{ data[key] }}
+{%         else %}
+{{ key }}=no
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       if data[key] %}
+{{ key }}={{ data[key] }}
+{%       else %}
+#{{ key }}={{ data[key] }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{{ print_config('server',    avahi__daemon_conf_default_server    | combine(avahi__daemon_conf_server)) }}
+{{ print_config('wide-area', avahi__daemon_conf_default_wide_area | combine(avahi__daemon_conf_wide_area)) }}
+{{ print_config('publish',   avahi__daemon_conf_default_publish   | combine(avahi__daemon_conf_publish)) }}
+{{ print_config('reflector', avahi__daemon_conf_default_reflector | combine(avahi__daemon_conf_reflector)) }}
+{{ print_config('rlimits',   avahi__daemon_conf_default_rlimits   | combine(avahi__daemon_conf_rlimits)) }}
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/services/avahi.service.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/services/avahi.service.j2
new file mode 100644
index 00000000..a9203106
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/avahi/services/avahi.service.j2
@@ -0,0 +1,69 @@
+{# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set service_dict = item.value %}
+<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+
+<!-- {{ ansible_managed }} -->
+{% if service_dict.comment | d() %}
+
+{{ service_dict.comment | comment(style='xml') }}
+{% endif %}
+
+<service-group>
+
+  <name replace-wildcards="{{ 'yes' if service_dict.replace_wildcards | d(True) | bool else 'no' }}">{{ service_dict.name if service_dict.name | d() else '%h' }}</name>
+
+{% for service in service_dict.services %}
+{%   if service.protocol | d() %}
+  <service protocol="{{ service.protocol }}">
+{%   else %}
+  <service>
+{%   endif %}
+    <type>{{ service.type }}</type>
+{%   if service.subtype | d() %}
+{%     if service.subtype is string %}
+    <subtype>{{ service.subtype }}</subtype>
+{%     else %}
+{%       for element in service.subtype %}
+    <subtype>{{ element }}</subtype>
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+    <port>{{ service.port }}</port>
+{%   if service.domain | d() %}
+    <domain-name>{{ service.domain }}</domain-name>
+{%   elif service.domain_name | d() %}
+    <domain-name>{{ service.domain_name }}</domain-name>
+{%   endif %}
+{%   if service.hostname | d() %}
+    <host-name>{{ service.hostname }}</host-name>
+{%   elif service.host_name | d() %}
+    <host-name>{{ service.host_name }}</host-name>
+{%   elif service.fqdn | d() %}
+    <host-name>{{ service.fqdn }}</host-name>
+{%   endif %}
+{%   if service.txt | d() %}
+{%     if service.txt is string %}
+    <txt-record>{{ service.txt }}</txt-record>
+{%     else %}
+{%       for element in service.txt %}
+    <txt-record>{{ element }}</txt-record>
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if service.txt_record | d() %}
+{%     if service.txt_record is string %}
+    <txt-record>{{ service.txt_record }}</txt-record>
+{%     else %}
+{%       for element in service.txt_record %}
+    <txt-record>{{ element }}</txt-record>
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+  </service>
+
+{% endfor %}
+</service-group>
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/resolved.conf.d/avahi-mdns.conf.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/resolved.conf.d/avahi-mdns.conf.j2
new file mode 100644
index 00000000..1a5ebc81
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/resolved.conf.d/avahi-mdns.conf.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# The internal mDNS resolver and responder in systemd-resolved conflicts with
+# Avahi, which wants to use the same 5353/udp port for its service. Since
+# various other tools that come with Avahi (for example avahi-browse) don't
+# want to work when avahi-daemon service is not running, we need to yield to
+# Avahi in this case and stop resolving Multicast DNS in systemd-resolved.
+[Resolve]
+MulticastDNS=no
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-alias.service.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-alias.service.j2
new file mode 100644
index 00000000..3683b6e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-alias.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# avahi-alias.service unit file
+# Copyright (C) Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Unit]
+Description=Avahi CNAME support
+After=avahi-daemon.service
+
+[Service]
+User=nobody
+ExecStart=/bin/bash -c '{{ avahi__alias_install_path }}/avahi-alias $(<"{{ avahi__alias_config_file }}")'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-daemon.service.d/exec-override.conf.j2 b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-daemon.service.d/exec-override.conf.j2
new file mode 100644
index 00000000..6727f9c2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/etc/systemd/system/avahi-daemon.service.d/exec-override.conf.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Avoid issues with low nproc limits on LXC hosts with unprivileged LXC
+# containers sharing host UIDs/GIDs
+# Ref: https://github.com/lxc/lxd/issues/2948
+# Ref: https://loune.net/2011/02/avahi-setrlimit-nproc-and-lxc/
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/avahi-daemon -s --no-rlimits
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/import/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/avahi/templates/import/debops__tpl_macros.j2
new file mode 100644
index 00000000..de4fc5c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/import/debops__tpl_macros.j2
@@ -0,0 +1,181 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be imported in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in templates which are called by {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be imported like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{# Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/avahi/templates/lookup/avahi__combined_services.j2 b/ansible_collections/debops/debops/roles/avahi/templates/lookup/avahi__combined_services.j2
new file mode 100644
index 00000000..3d6acf76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/avahi/templates/lookup/avahi__combined_services.j2
@@ -0,0 +1,54 @@
+{# Copyright (C) 2017-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+{% set avahi__tpl_merge_1 = (debops__tpl_macros.merge_dict(avahi__default_services, avahi__dependent_services, 'filename') | from_yaml) %}
+{% set avahi__tpl_merge_2 = (debops__tpl_macros.merge_dict(avahi__tpl_merge_1, avahi__services, 'filename')                | from_yaml) %}
+{% set avahi__tpl_merge_3 = (debops__tpl_macros.merge_dict(avahi__tpl_merge_2, avahi__group_services, 'filename')          | from_yaml) %}
+{% set avahi__tpl_merge_4 = (debops__tpl_macros.merge_dict(avahi__tpl_merge_3, avahi__host_services, 'filename')           | from_yaml) %}
+{% set avahi__tpl_filtered_services = {} %}
+{% for filename, params in avahi__tpl_merge_4.items() %}
+{%   set service_filename = (params.filename | d(filename)) %}
+{%   if params.services is undefined and params.type | d() %}
+{%     set avahi__tpl_service = {} %}
+{%     if params.type | d() %}
+{%       set _ = avahi__tpl_service.update({'type': params.type }) %}
+{%     endif %}
+{%     if params.subtype | d() %}
+{%       set _ = avahi__tpl_service.update({'subtype': params.subtype }) %}
+{%     endif %}
+{%     if params.port | d() %}
+{%       set _ = avahi__tpl_service.update({'port': params.port }) %}
+{%     else %}
+{%       set _ = avahi__tpl_service.update({'port': '0' }) %}
+{%     endif %}
+{%     if params.protocol | d() %}
+{%       set _ = avahi__tpl_service.update({'protocol': params.protocol }) %}
+{%     endif %}
+{%     if params.hostname | d() %}
+{%       set _ = avahi__tpl_service.update({'fqdn': params.hostname }) %}
+{%     endif %}
+{%     if params.host_name | d() %}
+{%       set _ = avahi__tpl_service.update({'fqdn': params.host_name }) %}
+{%     endif %}
+{%     if params.fqdn | d() %}
+{%       set _ = avahi__tpl_service.update({'fqdn': params.fqdn }) %}
+{%     endif %}
+{%     if params.domain | d() %}
+{%       set _ = avahi__tpl_service.update({'domain': params.domain }) %}
+{%     endif %}
+{%     if params.domain_name | d() %}
+{%       set _ = avahi__tpl_service.update({'domain': params.domain_name }) %}
+{%     endif %}
+{%     if params.txt | d() %}
+{%       set _ = avahi__tpl_service.update({'txt': params.txt }) %}
+{%     endif %}
+{%     if params.txt_record | d() %}
+{%       set _ = avahi__tpl_service.update({'txt_record': params.txt_record }) %}
+{%     endif %}
+{%     set _ = params.update({'services': [ avahi__tpl_service ] }) %}
+{%   endif %}
+{%   set _ = avahi__tpl_filtered_services.update({service_filename:params}) %}
+{% endfor %}
+{{ avahi__tpl_filtered_services | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/backup2l/COPYRIGHT b/ansible_collections/debops/debops/roles/backup2l/COPYRIGHT
new file mode 100644
index 00000000..e4527302
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.backup2l - Manage backup2l script using Ansible
+
+Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/backup2l/defaults/main.yml b/ansible_collections/debops/debops/roles/backup2l/defaults/main.yml
new file mode 100644
index 00000000..2bc9b05c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/defaults/main.yml
@@ -0,0 +1,249 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# debops.backup2l default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: backup2l__base_packages [[[
+#
+# List of required APT packages to install.
+backup2l__base_packages: [ 'backup2l' ]
+
+                                                                   # ]]]
+# .. envvar:: backup2l__packages [[[
+#
+# List of additional APT packages to install with :command:`backup2l`.
+backup2l__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory and file paths [[[
+# ----------------------------
+
+# .. envvar:: backup2l__backup_dev [[[
+#
+# Optional, absolute path of a mount point which will be automatically mounted
+# and unmounted by the :command:`backup2l` script. This needs to be configured
+# beforehand in the :file:`/etc/fstab` file.
+backup2l__backup_dev: ''
+
+                                                                   # ]]]
+# .. envvar:: backup2l__backup_dir [[[
+#
+# Absolute path to the directory where :command:`backup2l` script maintains
+# backups. This path will be excluded from the backups.
+backup2l__backup_dir: '{{ (ansible_local.fhs.backup | d("/var/backups"))
+                          + "/backup2l" }}'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__pre_hook_dir [[[
+#
+# Absolute path to a directory with scripts executed by the
+# :command:`run-parts` command before backups are performed.
+backup2l__pre_hook_dir: '{{ (ansible_local.fhs.etc | d("/usr/local/etc"))
+                            + "/backup/pre-hook.d" }}'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__post_hook_dir [[[
+#
+# Absolute path to a directory with scripts executed by the
+# :command:`run-parts` command after backups are finished.
+backup2l__post_hook_dir: '{{ (ansible_local.fhs.etc | d("/usr/local/etc"))
+                             + "/backup/post-hook.d" }}'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__include_file [[[
+#
+# Absolute path to a text file which contains a list of paths to include in
+# a backup, one per line. This file can be modified by other software to
+# include additional paths.
+backup2l__include_file: '{{ (ansible_local.fhs.etc | d("/usr/local/etc"))
+                            + "/backup/include" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Directories and files to archive [[[
+# ------------------------------------
+
+# These lists define absolute paths of directories and files to include in the
+# :command:`backup2l` archive.
+
+# .. envvar:: backup2l__default_include [[[
+#
+# Default list of directories to backup, defined by the role.
+backup2l__default_include:
+  - '/etc'
+  - '/home'
+  - '/opt'
+  - '/root'
+  - '/srv'
+  - '/usr/local'
+  - '/var/backups'
+  - '/var/local'
+  - '/var/mail'
+  - '/var/spool/cron'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__include [[[
+#
+# List of directories to backup defined on all hosts in the Ansible inventory.
+backup2l__include: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__group_include [[[
+#
+# List of directories to backup defined on hosts in a specific Ansible
+# inventory group.
+backup2l__group_include: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__host_include [[[
+#
+# List of directories to backup defined on specific hosts in the Ansible
+# inventory.
+backup2l__host_include: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__srclist_from_file [[[
+#
+# Boolean. If ``True``, the :command:`backup2l` script will read the list of
+# paths to archive from an external file. If ``False``, the script will use
+# a static list of paths defined in its configuration file.
+backup2l__srclist_from_file: True
+
+                                                                   # ]]]
+# .. envvar:: backup2l__srclist [[[
+#
+# List of paths to archive saved in the configuration file.
+backup2l__srclist: '{{ (backup2l__default_include
+                        + backup2l__include
+                        + backup2l__group_include
+                        + backup2l__host_include)
+                       | join(" ") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Exclude patterns [[[
+# --------------------
+
+# These lists define the arguments passed to the :command:`find` command, which
+# can be used to exclude certain files or directories from the archive.
+# See :man:`find(1)` for specific details about available patterns.
+
+# .. envvar:: backup2l__default_exclude [[[
+#
+# List of default exclusion patterns defined by the role.
+backup2l__default_exclude:
+  - '-wholename "{{ backup2l__backup_dir }}" -prune'
+  - '-path "*.ansible/tmp*"'
+  - '-path "*.cache*"'
+  - '-path "*.nobackup*"'
+  - '-name "*.o"'
+  - '-name "*.pyc"'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__exclude [[[
+#
+# List of exclusion patterns defined on all hosts in the Ansible inventory.
+backup2l__exclude: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__group_exclude [[[
+#
+# List of exclusion patterns defined on hosts in a specific Ansible inventory
+# group.
+backup2l__group_exclude: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__host_exclude [[[
+#
+# List of exclusion patterns defined on specific hosts in the Ansible
+# inventory.
+backup2l__host_exclude: []
+
+                                                                   # ]]]
+# .. envvar:: backup2l__skipcond [[[
+#
+# List of exclude patterns saved in the configuration file.
+backup2l__skipcond: '{{ (backup2l__default_exclude
+                         + backup2l__exclude
+                         + backup2l__group_exclude
+                         + backup2l__host_exclude)
+                        | join(" -o ") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Other configuration options [[[
+# -------------------------------
+
+# .. envvar:: backup2l__volname [[[
+#
+# Prefix used by all files managed by this :command:`backup2l` script instance.
+backup2l__volname: 'all'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__max_level [[[
+#
+# Number of levels of differential backups (1..9).
+backup2l__max_level: '3'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__max_per_level [[[
+#
+# Maximum number of differential backups per level (1..9).
+backup2l__max_per_level: '8'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__max_full [[[
+#
+# Maximum number of full backups (1..8).
+backup2l__max_full: '2'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__generations [[[
+#
+# For differential backups: number of generations to keep per level;
+# old backups are removed such that at least GENERATIONS * MAX_PER_LEVEL
+# recent versions are still available for the respective level.
+backup2l__generations: '1'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__create_check_file [[[
+#
+# When enabled, a check file is automatically generated.
+backup2l__create_check_file: True
+
+                                                                   # ]]]
+# .. envvar:: backup2l__autorun [[[
+#
+# When enabled, :command:`backup2l` script will create a backup automatically
+# without any arguments needed.
+backup2l__autorun: False
+
+                                                                   # ]]]
+# .. envvar:: backup2l__size_units [[[
+#
+# Size units used in the :command:`backup2l` script output. Set to ``B``,
+# ``K``, ``M`` or ``G`` to have unified units in the generated summary.
+backup2l__size_units: ''
+
+                                                                   # ]]]
+# .. envvar:: backup2l__timezone [[[
+#
+# Specify the timezone used for metadata. The default value is recommended.
+backup2l__timezone: 'UTC'
+
+                                                                   # ]]]
+# .. envvar:: backup2l__create_driver [[[
+#
+# Archive driver for new backups.
+backup2l__create_driver: 'DRIVER_TAR_GZ_RSYNCABLE'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/backup2l/files/usr/local/etc/backup/pre-hook.d/dpkg-selections b/ansible_collections/debops/debops/roles/backup2l/files/usr/local/etc/backup/pre-hook.d/dpkg-selections
new file mode 100755
index 00000000..1328ae0d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/files/usr/local/etc/backup/pre-hook.d/dpkg-selections
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+if ! dpkg --get-selections | diff - /var/backups/dpkg-selections.log > /dev/null 2>&1 ; then
+    printf "  %s\\n" "Writing dpkg selections to /var/backups/dpkg-selections.log..."
+    dpkg --get-selections > /var/backups/dpkg-selections.log
+fi
diff --git a/ansible_collections/debops/debops/roles/backup2l/meta/main.yml b/ansible_collections/debops/debops/roles/backup2l/meta/main.yml
new file mode 100644
index 00000000..db32c488
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage backup2l service'
+  company: 'DebOps'
+  license: 'GPL-3.0'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - archive
+    - backup
diff --git a/ansible_collections/debops/debops/roles/backup2l/tasks/main.yml b/ansible_collections/debops/debops/roles/backup2l/tasks/main.yml
new file mode 100644
index 00000000..a661cb94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/tasks/main.yml
@@ -0,0 +1,75 @@
+---
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (backup2l__base_packages
+                              + backup2l__packages)) }}'
+    state: 'present'
+
+- name: Divert the original backup2l config file
+  debops.debops.dpkg_divert:
+    path: '/etc/backup2l.conf'
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    mode: '{{ item.mode | d("0755") }}'
+  with_items:
+    - { path: '{{ backup2l__backup_dir }}', mode: '0750' }
+    - { path: '{{ backup2l__pre_hook_dir }}' }
+    - { path: '{{ backup2l__post_hook_dir }}' }
+
+- name: Install pre-hook scripts
+  ansible.builtin.copy:
+    src: 'usr/local/etc/backup/pre-hook.d/'
+    dest: '{{ backup2l__pre_hook_dir }}/'
+    mode: '0755'
+
+- name: Add paths to backup in an include file
+  ansible.builtin.lineinfile:
+    dest: '{{ backup2l__include_file }}'
+    regexp: "^{{ item.path | d(item) }}$"
+    line: '{{ item.path | d(item) }}'
+    state: '{{ item.state | d("present") }}'
+    create: True
+    mode: '0644'
+  loop: '{{ q("flattened", backup2l__default_include
+                           + backup2l__include
+                           + backup2l__group_include
+                           + backup2l__host_include) }}'
+  when: backup2l__srclist_from_file | bool
+
+- name: Generate backup2l configuration
+  ansible.builtin.template:
+    src: 'etc/backup2l.conf.j2'
+    dest: '/etc/backup2l.conf'
+    mode: '0644'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save backup2l local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/backup2l.fact.j2'
+    dest: '/etc/ansible/facts.d/backup2l.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/backup2l/templates/etc/ansible/facts.d/backup2l.fact.j2 b/ansible_collections/debops/debops/roles/backup2l/templates/etc/ansible/facts.d/backup2l.fact.j2
new file mode 100644
index 00000000..c95526a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/templates/etc/ansible/facts.d/backup2l.fact.j2
@@ -0,0 +1,32 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"backup_dev": backup2l__backup_dev,
+                      "backup_dir": backup2l__backup_dir,
+                      "include_file": backup2l__include_file,
+                      "pre_hook_dir": backup2l__pre_hook_dir,
+                      "post_hook_dir": backup2l__post_hook_dir,
+                      "srclist_from_file": backup2l__srclist_from_file | bool
+                     } | to_nice_json }}''')
+
+output['installed'] = cmd_exists('backup2l')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/backup2l/templates/etc/backup2l.conf.j2 b/ansible_collections/debops/debops/roles/backup2l/templates/etc/backup2l.conf.j2
new file mode 100644
index 00000000..dade5953
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/backup2l/templates/etc/backup2l.conf.j2
@@ -0,0 +1,467 @@
+{# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+##################################################
+# Configuration file for backup2l                #
+##################################################
+
+
+# Define the backup2l version for which the configuration file is written.
+# This way, future versions can automatically warn if the syntax has changed.
+FOR_VERSION=1.5
+
+
+##################################################
+# Volume identification
+
+# This is the prefix for all output files;
+# multiple volumes can be handled by using different configuration files
+VOLNAME="{{ backup2l__volname }}"
+
+
+
+##################################################
+# Source files
+
+# List of directories to make backups of.
+# All paths MUST be absolute and start with a '/'!
+{% if backup2l__srclist_from_file | bool %}
+readarray -t SRCLIST < {{ backup2l__include_file }}
+{% else %}
+SRCLIST=( {{ backup2l__srclist }} )
+{% endif %}
+
+# The following expression specifies the files not to be archived.
+# See the find(1) man page for further info. It is discouraged to
+# use anything different from conditions (e. g. actions) as it may have
+# unforeseeable side effects.
+
+# This example skips all files and directories with a path name containing
+# '.nobackup' and all .o files:
+SKIPCOND=( {{ backup2l__skipcond }} )
+
+# Some background on 'SKIPCOND': The method of using a find(1) expression to determine
+# files to backup or to skip is very powerful. Some of the following examples result from feature
+# requests by various users who were not always aware that their "feature" was already implemented. ;-)
+#
+# If you want to exclude several directories use the following expression:
+#   SKIPCOND=(-path '/path1' -o -path '/path1/*' -o -path '/path2' -o -path '/path2/*')
+#
+# If you do not have anything to skip, use:
+#   SKIPCOND=(-false)     # "SKIPCOND=()" does not work
+#
+# To skip directory trees (for performance reasons) you can add the '-prune' action to your SKIPCOND setting, e.g.:
+#   SKIPCOND=( -name "unimportant_dir" -prune )
+#
+# To prevent backup2l from crossing filesystem boundaries you can add '-xdev' or '-mount' to your SKIPCOND setting.
+
+
+
+
+##################################################
+# Destination
+
+# Mount point of backup device (optional)
+BACKUP_DEV="{{ backup2l__backup_dev }}"
+
+# Destination directory for backups;
+# it must exist and must not be the top-level of BACKUP_DEV
+BACKUP_DIR="{{ backup2l__backup_dir }}"
+
+
+
+##################################################
+# Backup parameters
+
+# Number of levels of differential backups (1..9)
+MAX_LEVEL="{{ backup2l__max_level }}"
+
+# Maximum number of differential backups per level (1..9)
+MAX_PER_LEVEL="{{ backup2l__max_per_level }}"
+
+# Maximum number of full backups (1..8)
+MAX_FULL="{{ backup2l__max_full }}"
+
+# For differential backups: number of generations to keep per level;
+# old backups are removed such that at least GENERATIONS * MAX_PER_LEVEL
+# recent versions are still available for the respective level
+GENERATIONS="{{ backup2l__generations }}"
+
+# If the following variable is 1, a check file is automatically generated
+CREATE_CHECK_FILE="{{ '1' if backup2l__create_check_file | bool else '0' }}"
+
+
+
+##################################################
+# Pre-/Post-backup functions
+
+# This user-defined bash function is executed before a backup is made
+PRE_BACKUP ()
+{
+    #echo "  pre-backup: nothing to do"
+
+    # e. g., shut down some mail/db servers if their files are to be backup'ed
+
+    # On a Debian system, the following statements dump a machine-readable list of
+    # all installed packages to a file.
+    #echo "  writing dpkg selections to /root/dpkg-selections.log..."
+    #dpkg --get-selections | diff - /root/dpkg-selections.log > /dev/null || dpkg --get-selections > /root/dpkg-selections.log
+    run-parts {{ backup2l__pre_hook_dir }}
+}
+
+# This user-defined bash function is executed after a backup is made
+POST_BACKUP ()
+{
+    # e. g., restart some mail/db server if its files are to be backup'ed
+    #echo "  post-backup: nothing to do"
+    run-parts {{ backup2l__post_hook_dir }}
+}
+
+
+
+##################################################
+# Misc.
+
+# Create a backup when invoked without arguments?
+AUTORUN="{{ '1' if (backup2l__autorun | bool) else '0' }}"
+
+# Size units
+SIZE_UNITS="{{ backup2l__size_units }}"   # set to "B", "K", "M" or "G" to obtain unified units in summary list
+
+# Time zone for meta data
+TIME_ZONE="{{ backup2l__timezone }}" # if unset (= ""), the local time zone is used for backup meta data;
+                # For new archives, the value "UTC" is recommended. However, older versions (<= 1.5) used local time,
+                # and changing the value causes backup2l to consider ALL files as new. So, change this value with care!
+
+# Remove this line after the setup is finished.
+#UNCONFIGURED=1
+
+# Archive driver for new backups (default = "DRIVER_TAR_GZ")
+CREATE_DRIVER="{{ backup2l__create_driver }}"
+
+# Usable built-in drivers for CREATE_DRIVER:
+# DRIVER_TAR, DRIVER_TAR_GZ, DRIVER_TAR_BZ2, DRIVER_AFIOZ
+
+
+
+##################################################
+# User-defined archive drivers (optional)
+
+# This section demonstrates how user-defined archive drivers can be added.
+# The example shows a modified version of the "afioz" driver with some additional parameters
+# one may want to pass to afio in order to tune the speed, archive size etc. .
+# An archive driver consists of a bash function named
+# "DRIVER_<your-driver-name>" implementing the (sometimes simple) operations "-test", "-suffix",
+# "-create", "-toc", and "-extract".
+
+# If you do not want to write your own archive driver, you can remove the remainder of this file.
+
+# registering custom drivers below for use as CREATE_DRIVER (optional)
+#USER_DRIVER_LIST="DRIVER_MY_AFIOZ DRIVER_MY_AFIOBZ2 DRIVER_GZ_SPLIT DRIVER_ZIP"
+
+DRIVER_MY_AFIOZ ()
+{
+    case $1 in
+        -test)
+            # This function should check whether all prerequisites are met, especially if all
+            # required tools are installed. This prevents backup2l to fail in inconvenient
+            # situations, e. g. during a backup or restore operation. If everything is ok, the
+            # string "ok" should be returned. Everything else is interpreted as a failure.
+            require_tools afio
+                # The function 'require_tools' checks for the existence of all tools passed as
+                # arguments. If one of the tools is not found by which(1), an error message is
+                # displayed and the function does not return.
+            echo "ok"
+            ;;
+        -suffix)
+            # This function should return the suffix of backup archive files. If the driver
+            # does not create a file (e. g. transfers the backup data immediately to a tape
+            # or network device), an empty string has to be returned. backup2l uses this suffix
+            # to select a driver for unpacking. If a user-configured driver supports the same
+            # suffix as a built-in driver, the user driver is preferred (as in this case).
+            echo "afioz"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            # This function is called to create a backup file. The argument $3 is the full file
+            # name of the archive file including path and suffix. $4 contains an alphabetically
+            # sorted  list of files (full pathname) to be backed up. Directories are not contained,
+            # they are handled by backup2l directly without using the driver.
+            # All output to stderr should be directed to stdout ("2>&1").
+            afio -Zo -G 9 -M 30m -T 2k $3 < $4 2>&1
+                # This line passes some additional options to afio (see afio(1)):
+                # '-G 9' maximizes the compression by gzip.
+                # '-M 30m' increases the size of the internal file buffer. Larger files have to
+                #     be compressed twice.
+                # '-T 2k' prevents the compression of files smaller than 2k in order to save time.
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            # This function is used to validate the correct generation of an archive file.
+            # The output is compared to the list file passed to the '-create' function.
+            # Any difference is reported as an error.
+            afio -Zt $3 | sed 's#^#/#'
+                # The sed command adds a leading slash to each entry.
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            # This function is called by backup2l's restore procedure for each archive.
+            # It is extremely important that only those files contained in $4 are restored.
+            # Otherwise it may happen that files are overwritten by incorrect (e. g. older)
+            # versions of the same file.
+            afio -Zinw $4 $3 2>&1
+            ;;
+    esac
+}
+
+
+
+##################################################
+# More sample archive drivers (optional)
+
+# This is an unordered collection of drivers that may be useful for you,
+# either to use them directly or to derive own drivers.
+
+
+
+# Here's a version of the standard DRIVER_TAR_GZ driver,
+# modified to split the output archive file into multiple sections.
+# (donated by Michael Moedt)
+DRIVER_TAR_GZ_SPLIT ()
+{
+    case $1 in
+        -test)
+            require_tools tar split cat
+            echo "ok"
+            ;;
+        -suffix)
+            echo "tgz_split"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            mkdir -p ${3}
+            tar cz -T $4 --no-recursion | split --bytes=725100100 - ${3}/part_
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            cat ${3}/part_* | tar tz | sed 's#^#/#'
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            cat ${3}/part_* | tar xz --same-permission --same-owner -T $4 2>&1
+            ;;
+    esac
+}
+
+
+
+# The following driver is equivalent to the built-in DRIVER_TAR_GZ driver, but
+# does not change the access times of the original files during backup
+# (Adrian Bunk, Gundolf Kiefer)
+DRIVER_TAR_GZ ()
+{
+    case $1 in
+        -test)
+            require_tools tar
+            echo "ok"
+            ;;
+        -suffix)
+            echo "tar.gz"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            tar czf $3 -T $4 --no-recursion --atime-preserve 2>&1 \
+                | grep -v 'tar: Removing leading .* from .* names'
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            tar tzf $3 | sed 's#^#/#'
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            tar zx --same-permission --same-owner -f $3 -T $4 2>&1
+            ;;
+    esac
+}
+
+
+# Submitted by: Jason D. Hildebrand  (2011-01-06 20:24)
+# When the initial backup (all.1.tar.gz) is re-created (for me about
+# 20G) the transfer takes several days. If backup2l could create the
+# tar.gz files using gzip's --rsyncable option, then this would speed
+# things up substantially.
+# simple wrapper around the existing DRIVER_TAR_GZ using --rsyncable
+DRIVER_TAR_GZ_RSYNCABLE ()
+{
+    export GZIP="--rsyncable"
+    DRIVER_TAR_GZ "$@"
+}
+
+
+# This driver uses afio and bzip2, where bzip2 is invoked by afio.
+# (donated by Carl Staelin)
+DRIVER_MY_AFIOBZ2 ()
+{
+    case $1 in
+        -test)
+            require_tools afio bzip2
+            echo "ok"
+            ;;
+        -suffix)
+            echo "afio-bz2"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            afio -z -1 m -P bzip2 -Q -9 -Z -M 50m -T 1k -o $3 <$4 2>&1
+                # This line passes some additional options to afio (see afio(1)):
+                # '-P bzip2' utilizes bzip2 as an external compressor
+                # '-Q 9' maximizes the compression by bzip2.
+                # '-M 50m' increases the size of the internal file buffer. Larger files have to
+                #     be compressed twice.
+                # '-T 1k' prevents the compression of files smaller than 1k in order to save time.
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            afio -t -Z -P bzip2 -Q -d - <$3 | sed 's#^#/#'
+                # The sed command adds a leading slash to each entry.
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            afio -Zinw $4 -P bzip2 -Q -d - <$3 2>&1
+            ;;
+    esac
+}
+
+
+# This driver uses afio and bzip2, such that the I/O stream is piped through bzip2.
+# (donated by Carl Staelin)
+DRIVER_MY_AFIO_BZ2 ()
+{
+    case $1 in
+        -test)
+            require_tools afio bzip2
+            echo "ok"
+            ;;
+        -suffix)
+            echo "afio.bz2"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            afio -o - < $4 | bzip2 --best > $3 2>&1
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            bzip2 -d < $3 | afio -t - | sed 's#^#/#'
+                # The sed command adds a leading slash to each entry.
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            bzip2 -d < $3 | afio -inw $4 - 2>&1
+            ;;
+    esac
+}
+
+
+
+# This driver uses the Info-ZIP tools to generate zip files. Unfortunately unzip
+# expects all file names to be on the command line. So unless there is a work-
+# around it's not possible to use the "-extract" command.
+# (donated by Georg Lutz)
+DRIVER_ZIP ()
+{
+    case $1 in
+        test)
+            require_tools zip
+            echo "ok"
+           ;;
+        -suffix)
+            echo "zip"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            cat $4| zip -qy $3 -@
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            zipinfo -1 $3| sed 's#^#/#'
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+           echo "Not implemented yet! Sorry."
+           #unzip $3
+            ;;
+    esac
+}
+
+
+
+# This driver uses tar and pipes the output through gnupg. You can specify
+# the passphrase in a file (/etc/backup2l.pass in the example). You have to
+# invoke gpg at least one time before backup because gnupg has to initiate
+# first thing in the home directory.
+DRIVER_TAR_GPG ()
+{
+    case $1 in
+        test)
+            require_tools tar gpg
+            echo "ok"
+            ;;
+        -suffix)
+            echo "tar.pgp"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            tar -c -T $4 --no-recursion | /usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -c -  > $3
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            /usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar t | sed 's#^#/#'
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+             /usr/bin/gpg --batch --no-tty -q --passphrase-fd 3 3</etc/backup2l.pass -d $3 2>/dev/null | tar -x --same-permission --same-owner -T $4 2>&1
+            ;;
+    esac
+}
+
+
+
+# PIGZ driver (donated by Thomas R. Bailey <siggma@trbailey.net>)
+#
+# NOTES: USE ONLY WITH MULTI CORE CPU
+# REQUIRES YOU TO DOWNLOAD AND COMPILE PIGZ
+# OR INSTALL IT FROM YOUR DISTRO REPOSITORY
+# https://www.zlib.net/pigz/
+#
+DRIVER_TAR_GZ_PIGZ () {
+    case $1 in
+        -test)
+            require_tools tar gzip pigz cat
+            echo "ok"
+            ;;
+        -suffix)
+            echo "tar.gz"
+            ;;
+        -create) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            tar cf - --files-from=$4 | pigz --best > $3 2>&1
+            ;;
+#         Using tar tz  for the toc verifies the PIGZ archive is usable
+        -toc) # Arguments: $2 = BID, $3 = archive file name
+            cat $3 | tar tz | sed 's#^#/#'
+            ;;
+        -extract) # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+#     Uncomment the next line and comment the line below it to uncompress using tar instead of pigz
+#        cat $3 | tar xz --same-permission --same-owner -T $4 2>&1
+         cat $3 | pigz -d | tar x --same-permission --same-owner --files-from=$4 2>&1
+            ;;
+    esac
+}
+
+
+
+# This driver uses tar and LZMA (lzip) compression. LZMA compresses better than
+# bzip2, but at the expense of more memory usage. (donated by Amedee Van Gasse)
+DRIVER_TAR_LZ ()
+{
+    case $1 in
+        -test)
+            require_tools tar lzip
+            echo "ok"
+            ;;
+        -suffix)
+            echo "tar.lz"
+            ;;
+        -create)        # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            tar -c -T $4 --no-recursion | lzip --best -c > $3 2>&1 \
+                | grep -v 'tar: Removing leading .* from .*'
+            ;;
+        -toc)           # Arguments: $2 = BID, $3 = archive file name
+            lzip -d $3 -c | tar t | sed 's#^#/#'
+            ;;
+        -extract)       # Arguments: $2 = BID, $3 = archive file name, $4 = file list file
+            lzip -d $3 -c | tar -x --same-permission --same-owner -T $4 2>&1
+            ;;
+    esac
+}
diff --git a/ansible_collections/debops/debops/roles/bind/COPYRIGHT b/ansible_collections/debops/debops/roles/bind/COPYRIGHT
new file mode 100644
index 00000000..936d2208
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.bind - Manage the BIND DNS server using Ansible
+
+Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+Copyright (C) 2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/bind/defaults/main.yml b/ansible_collections/debops/debops/roles/bind/defaults/main.yml
new file mode 100644
index 00000000..4599463f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/defaults/main.yml
@@ -0,0 +1,1551 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _bind__ref_defaults:
+
+# debops.bind default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: bind__features [[[
+#
+# List of features which should be installed and enabled (if supported
+# by the installed BIND version and local environment). See
+# :ref:`bind__ref_configuration_features` for details.
+bind__features:
+  - 'dns'
+  - 'dnssec'
+  - '{{ "dot" if bind__pki else [] }}'
+  - '{{ "doh_https"
+        if (bind__pki
+            and not ansible_local.nginx.enabled | d(False)
+            and not ansible_local.apache.enabled | d(False)
+            and "debops_service_nginx" not in group_names
+            and "debops_service_apache" not in group_names)
+        else [] }}'
+  - '{{ "doh_proxy"
+        if (bind__pki and ansible_local.nginx.enabled | d(False)
+            or "debops_service_nginx" in group_names)
+        else [] }}'
+  - '{{ "stats_proxy"
+        if (bind__pki and ansible_local.nginx.enabled | d(False)
+            or "debops_service_nginx" in group_names)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__version [[[
+#
+# The BIND version which is installed on the host. Obtained from Ansible
+# local facts, but also defined here to simplify the role and to allow
+# the version to be overridden.
+bind__version: '{{ ansible_local.bind.version | d("0.0.0") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__fqdn [[[
+#
+# The FQDN of the BIND server, used in case DNS over HTTP(S) is configured
+# using :ref:`debops.nginx` as a proxy.
+bind__fqdn: 'dns.{{ bind__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__domain [[[
+#
+# The main domain of the BIND server, used the create the FQDN above.
+bind__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__blocked_domains [[[
+#
+# Domains for which BIND should return ``NXDOMAIN`` rather than a proper
+# response. See :ref:`bind__ref_dot_doh_firefox` for an explanation of
+# the default value.
+bind__blocked_domains: [ 'use-application-dns.net' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: bind__user [[[
+#
+# Name of the UNIX account used by the BIND server.
+bind__user: 'bind'
+
+                                                                   # ]]]
+# .. envvar:: bind__additional_groups [[[
+#
+# List of additional UNIX groups the BIND account should have access to.
+bind__additional_groups: [ 'ssl-cert' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: bind__base_packages [[[
+#
+# List of APT packages required for BIND.
+bind__base_packages: [ 'bind9', 'bind9-dnsutils' ]
+
+                                                                   # ]]]
+# .. envvar:: bind__packages [[[
+#
+# List of additional APT packages to install together with BIND.
+bind__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Backup snapshots [[[
+# --------------------
+
+# These variables configure periodic backup snapshots of the BIND
+# configuration and zones. See :ref:`bind__ref_backup_restore`
+# for more details.
+
+# .. envvar:: bind__snapshot_enabled [[[
+#
+# If ``True``, the snapshot :command:`cron` jobs will be configured to run
+# the :command:`debops-bind-snapshot` script periodically to create snapshots
+# of the BIND configuration and zones. If ``False``, the :command:`cron`
+# jobs will be removed.
+bind__snapshot_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: bind__snapshot_cron_jobs [[[
+#
+# List of :command:`cron` periods during which the
+# :command:`debops-bind-snapshot` script should be executed to create BIND
+# snapshots.
+bind__snapshot_cron_jobs: [ 'daily', 'weekly', 'monthly' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# DNSSEC configuration [[[
+# ------------------------
+
+# These variables control the signing of zones. See :ref:`bind__ref_dnssec`
+# for further details.
+
+# .. envvar:: bind__dnssec_use_nsec3 [[[
+#
+# Whether DNSSEC signed zones should, by default, use ``NSEC3`` instead of
+# ``NSEC``. ``NSEC3`` makes it more difficult to enumerate a zone, but with
+# some added computational complexity. See the `DNSSEC Guide`__ for more
+# details.
+#
+# .. __: https://bind9.readthedocs.io/en/latest/dnssec-guide.html#proof-of-non-existence-nsec-and-nsec3
+bind__dnssec_use_nsec3: True
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_enabled [[[
+#
+# Whether the DNSSEC rollover script should be enabled. See
+# :ref:`bind__ref_dnssec_rollover_script` for details. Note that the default
+# value might change once a majority of registries/registrars support
+# ``CDN``/``CDNSKEY`` based automatic updates
+# (see :ref:`bind__ref_dnssec_rollover`).
+bind__dnssec_script_enabled: '{{ True if "dnssec" in bind__features else False }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_domains [[[
+#
+# Domains which the DNSSEC rollover script should monitor for key changes.
+# List of strings in the form ``<domain>`` or ``<domain>/<view>``.
+# An empty list means the script will attempt to monitor all domains.
+bind__dnssec_script_domains: []
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_method [[[
+#
+# The method to use when DNSSEC keys need to be published/withdrawn in
+# the parent zone.
+#
+# Supported values are:
+#
+# log
+#   Key updates will simply be logged to a file.
+# email
+#   Emails will be sent to the admin email address for manual handling.
+# external
+#   An external script will be executed when keys need to be updated.
+bind__dnssec_script_method: 'email'
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_default_configuration [[[
+#
+# The default configuration for the DNSSEC rollover script.
+bind__dnssec_script_default_configuration:
+  - name: 'method'
+    value: '{{ bind__dnssec_script_method }}'
+
+  - name: 'log_file'
+    value: '/var/log/debops-bind-rollkey.log'
+
+  - name: 'email_to'
+    value: '{{ ansible_local.core.admin_public_email[0]
+               | d("root@" + ansible_domain) }}'
+
+  - name: 'email_from'
+    value: '{{ "noreply@" + ansible_domain }}'
+
+  - name: 'email_host'
+    value: 'localhost'
+
+  - name: 'email_port'
+    value: 25
+
+  - name: 'email_subject'
+    value: 'BIND DNSSEC key updates'
+
+  - name: 'external_script'
+    value: '/usr/local/sbin/debops-bind-rollkey-action'
+
+  - name: 'zones'
+    value: '{{ bind__dnssec_script_domains }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_configuration [[[
+#
+# The configuration for the DNSSEC rollover script defined for all hosts
+# in the Ansible inventory.
+bind__dnssec_script_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_group_configuration [[[
+#
+# The configuration for the DNSSEC rollover script defined for all hosts
+# in a specific Ansible inventory group.
+bind__dnssec_script_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_host_configuration [[[
+#
+# The configuration for the DNSSEC rollover script defined for a specific
+# host in the Ansible inventory.
+bind__dnssec_script_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__dnssec_script_combined_configuration [[[
+#
+# The combined configuration for the DNSSEC rollover script. Used to
+# create :file:`/etc/bind/debops-bind-rollkey.json`.
+bind__dnssec_script_combined_configuration: '{{
+  bind__dnssec_script_default_configuration
+  + bind__dnssec_script_configuration
+  + bind__dnssec_script_group_configuration
+  + bind__dnssec_script_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS over HTTP(S) [[[
+# --------------------
+
+# See :ref:`bind__ref_dot_doh` for further details.
+
+# .. envvar:: bind__doh_endpoints [[[
+#
+# List of HTTP query paths on which to listen if DNS-over-HTTP(S) is
+# enabled.
+bind__doh_endpoints: [ '/dns-query' ]
+
+                                                                   # ]]]
+# .. envvar:: bind__doh_proxy_port [[[
+#
+# Port on the loopback interface to use by :command:`named` in case DNS over
+# HTTP(S) is enabled using a real webserver as a proxy.
+bind__doh_proxy_port: 83
+
+                                                                   # ]]]
+# .. envvar:: bind__doh_proxy_allow [[[
+#
+# List of IP addresses or CIDR ranges which should have access to the
+# DNS over HTTP(S) interface exposed using the proxy via the
+# :envvar:`bind__doh_endpoints` paths. Default: all local networks.
+bind__doh_proxy_allow: >-
+  {%- set cidrs = [] -%}
+  {%- for item in ((ansible_interfaces
+                    | map('extract', ansible_facts, 'ipv4')
+                    | select('defined') | list | flatten) +
+                   (ansible_interfaces
+                    | map('extract', ansible_facts, 'ipv6')
+                    | select('defined') | list | flatten)) | d([]) -%}
+  {%-   if item.address | d() and not item.address | ansible.utils.ipaddr('link-local') -%}
+  {%-     set address = item.address -%}
+  {%-     set prefix_or_mask = item.prefix | d(item.netmask) -%}
+  {%-     set cidr = '{}/{}'.format(address, prefix_or_mask) -%}
+  {%-     set _ = cidrs.append(cidr | ansible.utils.ipaddr('network/prefix')) -%}
+  {%-   endif -%}
+  {%- endfor -%}
+  {{ cidrs | unique | sort }}
+
+                                                                   # ]]]
+# .. envvar:: bind__doh_proxy_access_policy [[[
+#
+# Name of the nginx access policy to use for the DNS over HTTP(S) proxy.
+# See :ref:`debops.nginx` for more details.
+bind__doh_proxy_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: bind__stats_proxy_port [[[
+#
+# Port on the loopback interface to use by :command:`named` in case statistics
+# should be provided over HTTP(S) using a real webserver as a proxy.
+bind__stats_proxy_port: 84
+
+                                                                   # ]]]
+# .. envvar:: bind__stats_proxy_allow [[[
+#
+# List of IP addresses or CIDR ranges which should have access to the
+# DNS statistics web interface exposed using the proxy. Default: all local
+# IP addresses.
+bind__stats_proxy_allow: '{{ ["127.0.0.1", "::1"]
+                             + ansible_all_ipv4_addresses | d([])
+                             + (ansible_all_ipv6_addresses | d([])
+                                | difference(ansible_all_ipv6_addresses | d([])
+                                             | ansible.utils.ipaddr("link-local")))
+                             | unique | sort }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__stats_proxy_access_policy [[[
+#
+# Name of the nginx access policy to use for the statistics proxy.
+# See :ref:`debops.nginx` for more details.
+bind__stats_proxy_access_policy: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Main configuration file [[[
+# ---------------------------
+
+# These variables define the contents of the main :file:`/etc/bind/named.conf`
+# configuration file. See :ref:`bind__ref_configuration` for further details.
+
+# .. envvar:: bind__default_configuration [[[
+#
+# The default configuration defined by the role.
+bind__default_configuration:
+
+  - name: 'debops-tls'
+    option: 'tls "debops-tls"'
+    comment: 'TLS options for DoH and DoT'
+    state: '{{ "present" if bind__features | intersect(["dot", "doh_https"])
+               else "absent" }}'
+    options:
+
+      - name: 'ciphers'
+        value: '"{{ bind__tls_cipher_list }}"'
+
+      - name: 'dhparam-file'
+        value: '"{{ bind__tls_dh_file }}"'
+        state: '{{ "present" if bind__dhparam else "absent" }}'
+
+      - name: 'cert-file'
+        value: '"{{ bind__pki_path + "/" + bind__pki_realm + "/" + bind__pki_crt }}"'
+
+      - name: 'key-file'
+        value: '"{{ bind__pki_path + "/" + bind__pki_realm + "/" + bind__pki_key }}"'
+
+      - name: 'protocols'
+        options:
+
+          - name: 'protocols'
+            raw: '{{ bind__tls_protocols | d([]) | join("; ") }};'
+
+      - name: 'session-tickets'
+        value: 'no'
+
+      - name: 'prefer-server-ciphers'
+        value: 'yes'
+
+      - name: 'ca-file'
+        state: 'absent'
+
+      - name: 'remote-hostname'
+        state: 'absent'
+
+  - name: 'http "debops-http"'
+    comment: 'DoH options'
+    state: '{{ "present"
+               if bind__features | intersect(["doh_https", "doh_proxy", "doh_http"])
+               else "absent" }}'
+    options:
+
+      - name: 'endpoints'
+        options:
+
+          - name: 'endpoints'
+            raw: "{{ bind__doh_endpoints | map('regex_replace', '^(.*)$', '\"\\1\";') | join(' ') }}"
+
+      - name: 'listener-clients'
+        state: 'absent'
+
+      - name: 'streams-per-connection'
+        state: 'absent'
+
+  - name: 'statistics-channels'
+    comment: 'Make stats available via a reverse proxy'
+    state: '{{ "present" if "stats_proxy" in bind__features else "absent" }}'
+    options:
+
+      - name: 'statistics-localhost'
+        raw: 'inet 127.0.0.1 port {{ bind__stats_proxy_port }} allow { any; };'
+
+  - name: 'options'
+    options:
+
+      - name: 'directory'
+        comment: 'For storage of non-authoritative/secondary zones'
+        value: '"/var/cache/bind"'
+
+      - name: 'forwarders'
+        state: 'absent'
+        options:
+
+          - name: 'forwarder-1'
+            raw: '1.1.1.1;'
+
+      - name: 'zone-statistics'
+        comment: 'Collect stats for all zones, available via rndc stats'
+        value: 'yes'
+
+      - name: 'listen-dns-v4'
+        option: 'listen-on'
+        comment: 'Regular DNS (Do53) - IPv4'
+        state: '{{ "present" if "dns" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-dot-v4'
+        option: 'listen-on port 853 tls debops-tls'
+        comment: 'DNS over TLS (DoT) - IPv4'
+        state: '{{ "present" if "dot" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-doh-https-v4'
+        option: 'listen-on port 443 tls debops-tls http debops-http'
+        comment: 'DNS over HTTPS (DoH) - IPv4'
+        state: '{{ "present" if "doh_https" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-doh-http-v4'
+        option: 'listen-on port 80 tls none http debops-http'
+        comment: 'DNS over HTTP (DoH) - IPv4'
+        state: '{{ "present" if "doh_http" in bind__features else "absent" }}'
+        options:
+
+          - name: 'localhost'
+            raw: 'any;'
+
+      - name: 'listen-doh-proxy-v4'
+        option: 'listen-on port {{ bind__doh_proxy_port | d("83") }} tls none http debops-http'
+        comment: 'DNS over HTTP (DoH), behind proxy - IPv4'
+        state: '{{ "present" if "doh_proxy" in bind__features else "absent" }}'
+        options:
+
+          - name: 'localhost'
+            raw: '127.0.0.1;'
+
+      - name: 'listen-dns-v6'
+        option: 'listen-on-v6'
+        comment: 'Regular DNS (Do53) - IPv6'
+        state: '{{ "present" if "dns" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-dns-dot-v6'
+        option: 'listen-on-v6 port 853 tls debops-tls'
+        comment: 'DNS over TLS (DoT) - IPv6'
+        state: '{{ "present" if "dot" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-doh-https-v6'
+        option: 'listen-on-v6 port 443 tls debops-tls http debops-http'
+        comment: 'DNS over HTTPS (DoH) - IPv6'
+        state: '{{ "present" if "doh_https" in bind__features else "absent" }}'
+        options:
+
+          - name: 'any'
+            raw: 'any;'
+
+      - name: 'listen-doh-http-v6'
+        option: 'listen-on-v6 port 80 tls none http debops-http'
+        state: '{{ "present" if "doh_http" in bind__features else "absent" }}'
+        comment: 'DNS over HTTP (DoH) - IPv6'
+        options:
+
+          - name: 'localhost'
+            raw: 'any;'
+
+      - name: 'listen-doh-proxy-v6'
+        option: 'listen-on-v6 port {{ bind__doh_proxy_port | d("83") }} tls none http debops-http'
+        comment: 'DNS over HTTP (DoH), behind proxy - IPv6'
+        state: '{{ "present" if "doh_proxy" in bind__features else "absent" }}'
+        options:
+
+          - name: 'localhost'
+            raw: '::1;'
+
+      - name: 'qname-minimization'
+        comment: 'Perform strict QNAME minimization (RFC7816)'
+        value: 'strict'
+        state: 'comment'
+
+      - name: 'dnssec-validation'
+        comment: 'This is for when BIND acts as a resolver'
+        value: 'auto'
+
+      - name: 'key-directory'
+        comment: 'For storage of DNSSEC keys'
+        value: '"/var/lib/bind/dnssec-keys"'
+        state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+
+      - name: 'dnssec-dnskey-kskonly'
+        comment: 'https://gitlab.isc.org/isc-projects/bind9/-/issues/1316'
+        state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+        value: 'yes'
+
+      - name: 'response-policy-blocked-domains'
+        raw: 'response-policy { zone "rpz.local"; } break-dnssec yes;'
+        state: '{{ "present" if bind__blocked_domains | d([]) | length > 0 else "absent" }}'
+
+      - name: 'max-udp-size'
+        comment: 'https://www.isc.org/blogs/dns-flag-day-2020-2/'
+        value: '1220'
+
+      - name: 'edns-udp-size'
+        comment: 'https://www.isc.org/blogs/dns-flag-day-2020-2/'
+        value: '1220'
+
+      - name: 'serial-update-method'
+        comment: 'Make the serial numbers meaningful to a human admin'
+        value: 'date'
+
+  - name: 'logging'
+    state: 'absent'
+    options:
+
+      - name: 'channel client_spam_channel'
+        options:
+
+          - name: 'file'
+            value: '"/var/log/named/named_recent_client.log" versions 3 size 5m suffix increment'
+
+          - name: 'severity'
+            value: 'info'
+
+          - name: 'print-time'
+            value: 'yes'
+
+          - name: 'print-category'
+            value: 'yes'
+
+          - name: 'print-severity'
+            value: 'yes'
+
+          - name: 'buffered'
+            value: 'no'
+
+      - name: 'channel server_spam_channel'
+        options:
+
+          - name: 'file'
+            value: '"/var/log/named/named_recent_server.log" versions 3 size 5m suffix increment'
+
+          - name: 'severity'
+            value: 'info'
+
+          - name: 'print-time'
+            value: 'yes'
+
+          - name: 'print-category'
+            value: 'yes'
+
+          - name: 'print-severity'
+            value: 'yes'
+
+          - name: 'buffered'
+            value: 'no'
+
+      - name: 'category client'
+        options:
+
+          - name: 'channel-1'
+            raw: 'client_spam_channel;'
+
+      - name: 'category query-errors'
+        options:
+
+          - name: 'channel-1'
+            raw: 'client_spam_channel;'
+
+      - name: 'category resolver'
+        options:
+
+          - name: 'channel-1'
+            raw: 'client_spam_channel;'
+
+      - name: 'category security'
+        options:
+
+          - name: 'channel-1'
+            raw: 'client_spam_channel;'
+
+      - name: 'category spill'
+        options:
+
+          - name: 'channel-1'
+            raw: 'client_spam_channel;'
+
+      - name: 'category cname'
+        options:
+
+          - name: 'channel-1'
+            raw: 'server_spam_channel;'
+
+      - name: 'category edns-disabled'
+        options:
+
+          - name: 'channel-1'
+            raw: 'server_spam_channel;'
+
+      - name: 'category lame-servers'
+        options:
+
+          - name: 'channel-1'
+            raw: 'server_spam_channel;'
+
+  - name: 'generated-keys'
+    comment: 'Keys defined by the Ansible role'
+    state: '{{ "present"
+               if bind__combined_keys
+                  | flatten
+                  | debops.debops.parse_kv_items
+                  | selectattr("state", "equalto", "present")
+                  | length > 0
+               else "absent" }}'
+    autovalue: 'keys'
+
+  - name: 'acl debops-acl'
+    state: '{{ "present"
+               if "debops-key" in (bind__combined_keys
+                                   | flatten
+                                   | debops.debops.parse_kv_items
+                                   | selectattr("state", "equalto", "present")
+                                   | map(attribute="name"))
+               else "absent" }}'
+    options:
+
+      - name: 'debops-key'
+        raw: 'key debops-key;'
+
+  - name: 'dnssec-policy-csk'
+    option: 'dnssec-policy "csk"'
+    comment: 'Single CSK without rollover (BINDs default policy)'
+    state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+    options:
+
+      - name: 'keys'
+        options:
+
+          - name: 'csk'
+            value: 'key-directory lifetime unlimited algorithm ecdsap256sha256'
+
+      - name: 'nsec3param'
+        comment: |
+          If you consider changing these values, first read:
+          https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-3.1
+        state: '{{ "present" if bind__dnssec_use_nsec3 | d(False) else "absent" }}'
+        value: 'iterations 0 optout no salt-length 0'
+
+      - name: 'dnskey-ttl'
+        comment: 'Key timings'
+        separator: True
+        value: '3600'
+
+      - name: 'publish-safety'
+        value: '1h'
+
+      - name: 'retire-safety'
+        value: '1h'
+
+      - name: 'purge-keys'
+        value: 'P90D'
+
+      - name: 'signatures-refresh'
+        comment: 'Signature timings'
+        separator: True
+        value: '5d'
+
+      - name: 'signatures-validity'
+        value: '14d'
+
+      - name: 'signatures-validity-dnskey'
+        value: '14d'
+
+      - name: 'max-zone-ttl'
+        comment: 'Zone parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'zone-propagation-delay'
+        value: '300'
+
+      - name: 'parent-ds-ttl'
+        comment: 'Parent parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'parent-propagation-delay'
+        value: '1h'
+
+  - name: 'dnssec-policy-csk-rollover'
+    option: 'dnssec-policy "csk-rollover"'
+    comment: 'Single CSK with rollover'
+    state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+    options:
+
+      - name: 'keys'
+        options:
+
+          - name: 'csk'
+            value: 'key-directory lifetime 365d algorithm ecdsap256sha256'
+
+      - name: 'nsec3param'
+        comment: |
+          If you consider changing these values, first read:
+          https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-3.1
+        state: '{{ "present" if bind__dnssec_use_nsec3 | d(False) else "absent" }}'
+        value: 'iterations 0 optout no salt-length 0'
+
+      - name: 'dnskey-ttl'
+        comment: 'Key timings'
+        separator: True
+        value: '3600'
+
+      - name: 'publish-safety'
+        value: '1h'
+
+      - name: 'retire-safety'
+        value: '1h'
+
+      - name: 'purge-keys'
+        value: 'P90D'
+
+      - name: 'signatures-refresh'
+        comment: 'Signature timings'
+        separator: True
+        value: '5d'
+
+      - name: 'signatures-validity'
+        value: '14d'
+
+      - name: 'signatures-validity-dnskey'
+        value: '14d'
+
+      - name: 'max-zone-ttl'
+        comment: 'Zone parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'zone-propagation-delay'
+        value: '300'
+
+      - name: 'parent-ds-ttl'
+        comment: 'Parent parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'parent-propagation-delay'
+        value: '1h'
+
+  - name: 'dnssec-policy-kskzsk'
+    option: 'dnssec-policy "kskzsk"'
+    comment: 'Separate KSK and ZSK without rollover'
+    state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+    options:
+
+      - name: 'keys'
+        options:
+
+          - name: 'ksk'
+            value: 'key-directory lifetime unlimited algorithm ecdsap256sha256'
+
+          - name: 'zsk'
+            value: 'key-directory lifetime unlimited algorithm ecdsap256sha256'
+
+      - name: 'nsec3param'
+        comment: |
+          If you consider changing these values, first read:
+          https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-3.1
+        state: '{{ "present" if bind__dnssec_use_nsec3 | d(False) else "absent" }}'
+        value: 'iterations 0 optout no salt-length 0'
+
+      - name: 'dnskey-ttl'
+        comment: 'Key timings'
+        separator: True
+        value: '3600'
+
+      - name: 'publish-safety'
+        value: '1h'
+
+      - name: 'retire-safety'
+        value: '1h'
+
+      - name: 'purge-keys'
+        value: 'P90D'
+
+      - name: 'signatures-refresh'
+        comment: 'Signature timings'
+        separator: True
+        value: '5d'
+
+      - name: 'signatures-validity'
+        value: '14d'
+
+      - name: 'signatures-validity-dnskey'
+        value: '14d'
+
+      - name: 'max-zone-ttl'
+        comment: 'Zone parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'zone-propagation-delay'
+        value: '300'
+
+      - name: 'parent-ds-ttl'
+        comment: 'Parent parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'parent-propagation-delay'
+        value: '1h'
+
+  - name: 'dnssec-policy-kskzsk-rollover'
+    option: 'dnssec-policy "kskzsk-rollover"'
+    comment: 'Separate KSK and ZSK with rollover (the traditional policy)'
+    state: '{{ "present" if "dnssec" in bind__features else "absent" }}'
+    options:
+
+      - name: 'keys'
+        options:
+
+          - name: 'ksk'
+            value: 'key-directory lifetime 365d algorithm ecdsap256sha256'
+
+          - name: 'zsk'
+            value: 'key-directory lifetime 60d algorithm ecdsap256sha256'
+
+      - name: 'nsec3param'
+        comment: |
+          If you consider changing these values, first read:
+          https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10#section-3.1
+        state: '{{ "present" if bind__dnssec_use_nsec3 | d(False) else "absent" }}'
+        value: 'iterations 0 optout no salt-length 0'
+
+      - name: 'dnskey-ttl'
+        comment: 'Key timings'
+        separator: True
+        value: '3600'
+
+      - name: 'publish-safety'
+        value: '1h'
+
+      - name: 'retire-safety'
+        value: '1h'
+
+      - name: 'purge-keys'
+        value: 'P90D'
+
+      - name: 'signatures-refresh'
+        comment: 'Signature timings'
+        separator: True
+        value: '5d'
+
+      - name: 'signatures-validity'
+        value: '14d'
+
+      - name: 'signatures-validity-dnskey'
+        value: '14d'
+
+      - name: 'max-zone-ttl'
+        comment: 'Zone parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'zone-propagation-delay'
+        value: '300'
+
+      - name: 'parent-ds-ttl'
+        comment: 'Parent parameters'
+        separator: True
+        value: '86400'
+
+      - name: 'parent-propagation-delay'
+        value: '1h'
+
+  - name: 'generated-zones'
+    comment: 'Views/zones defined by the Ansible role'
+    autovalue: 'zones'
+    weight: 10000
+
+                                                                   # ]]]
+# .. envvar:: bind__configuration [[[
+#
+# The configuration defined for all hosts in the Ansible inventory.
+bind__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_configuration [[[
+#
+# The configuration options defined for hosts in a specific Ansible inventory
+# group.
+bind__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_configuration [[[
+#
+# The configuration defined for a specific host in the Ansible inventory.
+bind__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: bind__combined_configuration [[[
+#
+# This variable combines the other configuration variables for use in the
+# :file:`/etc/bind/named.conf` template.
+bind__combined_configuration: '{{ bind__default_configuration
+                                   + bind__configuration
+                                   + bind__group_configuration
+                                   + bind__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Key configuration [[[
+# ---------------------
+
+# These variables control the automated generation of keys which can be used
+# e.g. by remote hosts for dynamic updates via :command:`nsupdate` and which
+# can be automatically included in the :file:`/etc/bind/named.conf`
+# configuration. See :ref:`bind__ref_keys` for more details.
+
+# .. envvar:: bind__default_keys [[[
+#
+# The default keys defined by the role.
+bind__default_keys:
+
+  - name: 'debops-key'
+    algorithm: 'hmac-sha512'
+    type: 'tsig'
+
+                                                                   # ]]]
+# .. envvar:: bind__keys [[[
+#
+# The keys defined for all hosts in the Ansible inventory.
+bind__keys: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_keys [[[
+#
+# The keys defined for hosts in a specific Ansible inventory group.
+bind__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_keys [[[
+#
+# The keys defined for a specific host in the Ansible inventory.
+bind__host_keys: []
+
+                                                                   # ]]]
+# .. envvar:: bind__combined_keys [[[
+#
+# The variable that combines all keys for use in the role tasks and
+# templates.
+bind__combined_keys: '{{ bind__default_keys
+                          + bind__keys
+                          + bind__group_keys
+                          + bind__host_keys }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Zone configuration [[[
+# ----------------------
+
+# These variables define zones which are to be controlled via Ansible and which
+# can be automatically included in the configuration. See
+# :ref:`bind__ref_zones` for further details.
+
+# .. envvar:: bind__default_zone_ttl [[[
+#
+# The default TTL value for generated zones.
+bind__default_zone_ttl: '1D'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_primary [[[
+#
+# The default primary server for generated zones, a FQDN with a trailing
+# period. Used in the SOA RR.
+bind__default_zone_soa_primary: '{{ ansible_fqdn | regex_replace("\.*$", ".") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_email [[[
+#
+# The default contact email address for generated zones, with the @ replaced by
+# a period and a trailing period. Periods can be escaped using a backslash.
+#
+# For example:
+#  * ``hostmaster@example.com`` -> ``hostmaster.example.com.``
+#  * ``john.doe@example.com`` -> ``john\.doe.example.com.``
+#
+# Used in the SOA RR.
+bind__default_zone_soa_email: '{{ "hostmaster." + ansible_domain + "." }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_serial [[[
+#
+# The default initial serial number for generated zones (may be automatically
+# updated by the :command:`bind` server, e.g. due to automatic `DNSSEC` signing
+# or dynamic DNS updates, which is why the ``YYYYMMDDnn`` is not followed).
+# Used in the SOA RR.
+bind__default_zone_soa_serial: 1
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_refresh [[[
+#
+# The default refresh time for generated zones (how often secondary servers
+# should query the master to detect zone changes). This and the following
+# defaults follow the recommendations from `this internet draft`__.
+# Used in the SOA RR.
+#
+# .. __: https://datatracker.ietf.org/doc/html/draft-koch-dns-soa-values-00
+bind__default_zone_soa_refresh: '1D'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_retry [[[
+#
+# The default retry time for generated zones (how often secondary servers
+# should reattempt querying the master to detect zone changes upon failure,
+# must be smaller than the :envvar:`bind__default_zone_soa_refresh` value.
+# Used in the SOA RR.
+bind__default_zone_soa_retry: '2H'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_soa_expire [[[
+#
+# The default expiry time for generated zones (how long before secondary
+# servers should stop answering requests for this zone if the master is
+# unreachable, must be larger than :envvar:`bind__default_zone_soa_refresh`
+# plus :envvar:`bind__default_zone_soa_retry`. Used in the SOA RR.
+bind__default_zone_soa_expire: '1000H'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zone_neg_ttl [[[
+#
+# The default TTL for negative responses for generated zones.  Used in the SOA
+# RR.
+bind__default_zone_soa_neg_ttl: '2D'
+
+                                                                   # ]]]
+# .. envvar:: bind__default_zones [[[
+#
+# The default :command:`bind` configuration options defined by the role. See
+# :ref:`bind__ref_configuration_syntax` for details. The reason that the
+# blocklist is defined here and not in :envvar:`bind__default_generic_zones`
+# is that it is unlikely to be desirable to have the blocklist present in
+# multiple views (e.g. in a setup with an external/internal view).
+bind__default_zones:
+
+  - name: 'rpz.local'
+    force: True
+    comment: 'Domain blocklist'
+    state: '{{ "present" if bind__blocked_domains | d([]) | length > 0 else "absent" }}'
+    options:
+
+      - name: 'type'
+        value: 'master'
+
+      - name: 'file'
+        autovalue: 'zone_file_path'
+
+    content: '{{ ["@	IN NS localhost."]
+                 + bind__blocked_domains | d([]) | map("regex_replace", "^(.*)$", "\1 CNAME .")
+              }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__zones [[[
+#
+# The :command:`bind` configuration options defined for all hosts in the
+# Ansible inventory.
+bind__zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_zones [[[
+#
+# The :command:`bind` configuration options defined for hosts in a
+# specific Ansible inventory group.
+bind__group_zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_zones [[[
+#
+# The :command:`bind` configuration options defined for a specific host
+# in the Ansible inventory.
+bind__host_zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__combined_zones [[[
+#
+# The variable that combines other :command:`bind` configuration options for
+# use in the :file:`/etc/bind/named.conf` template.
+bind__combined_zones: '{{ bind__default_zones
+                           + bind__zones
+                           + bind__group_zones
+                           + bind__host_zones }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Generic zone configuration [[[
+# ------------------------------
+
+# These variables definel the zones which are to be included in all views (e.g.
+# root server hints and :rfc:`1912` zones). See :ref:`bind__ref_zones_generic`
+# for further details.
+
+# .. envvar:: bind__default_generic_zones [[[
+#
+# The default generic zones defined by the role.
+bind__default_generic_zones:
+
+  - name: '.'
+    comment: 'prime the server with knowledge of the root servers'
+    options:
+
+      - name: 'type'
+        value: 'hint'
+
+      - name: 'file'
+        value: '"/usr/share/dns/root.hints"'
+
+  - name: 'localhost'
+    comment: be authoritative for the localhost forward zone (RFC1912, 4.1)
+    options:
+
+      - name: 'type'
+        value: 'master'
+
+      - name: 'file'
+        value: '"/etc/bind/db.local"'
+
+  - name: '127.in-addr.arpa'
+    comment: be authoritative for the localhost reverse zone (RFC1912, 4.1)
+    options:
+
+      - name: 'type'
+        value: 'master'
+
+      - name: 'file'
+        value: '"/etc/bind/db.127"'
+
+
+  - name: '0.in-addr.arpa'
+    comment: be authoritative for this network (RFC1912, 4.1)
+    options:
+
+      - name: 'type'
+        value: 'master'
+
+      - name: 'file'
+        value: '"/etc/bind/db.0"'
+
+
+  - name: '255.in-addr.arpa'
+    comment: be authoritative for the broadcast zone (RFC1912, 4.1)
+    options:
+
+      - name: 'type'
+        value: 'master'
+
+      - name: 'file'
+        value: '"/etc/bind/db.255"'
+
+                                                                   # ]]]
+# .. envvar:: bind__generic_zones [[[
+#
+# The generic zones defined for all hosts in the Ansible inventory.
+bind__generic_zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_generic_zones [[[
+#
+# The generic zones defined for hosts in a specific Ansible inventory group.
+bind__group_generic_zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_generic_zones [[[
+#
+# The generic zones defined for a specific host in the Ansible inventory.
+bind__host_generic_zones: []
+
+                                                                   # ]]]
+# .. envvar:: bind__combined_generic_zones [[[
+#
+# This variable combines the other generic zone variables for use in the
+# role tasks and templates.
+bind__combined_generic_zones: '{{ bind__default_generic_zones
+                                   + bind__generic_zones
+                                   + bind__group_generic_zones
+                                   + bind__host_generic_zones }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI / TLS configuration [[[
+# ---------------------------
+
+# .. envvar:: bind__pki [[[
+#
+# Enable or disable support for DNS over HTTPS/TLS using :ref:`debops.pki`.
+bind__pki: '{{ True
+               if (ansible_local.pki.enabled | d(False) | bool
+                   and bind__version is version("9.18.0", ">="))
+               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_path [[[
+#
+# Base PKI directory.
+bind__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_realm [[[
+#
+# Default PKI realm.
+bind__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_ca [[[
+#
+# Name of the Root Certificate Authority certificate file, relative to the PKI
+# realm directory.
+bind__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_crt [[[
+#
+# Default certificate, relative to the :envvar:`bind__pki_realm` variable.
+bind__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_key [[[
+#
+# Default private key, relative to the :envvar:`bind__pki_realm` variable.
+bind__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__tls_ca_cert_dir [[[
+#
+# Directory containing X509 Certification Authority certificates.
+bind__tls_ca_cert_dir: '/etc/ssl/certs/'
+
+                                                                   # ]]]
+# .. envvar:: bind__tls_protocols [[[
+#
+# List of TLS cipher(s) to support. TLS version 1.2 and higher are
+# supported by BIND. The default assumes that all clients support
+# recent TLS versions since DoH/DoT/etc are quite recent concepts.
+bind__tls_protocols: [ "TLSv1.3" ]
+
+                                                                   # ]]]
+# .. envvar:: bind__tls_cipher_list [[[
+#
+# SSL ciphers to use.
+bind__tls_cipher_list: 'HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_hook_name [[[
+#
+# Name of the :ref:`debops.pki` hook script.
+bind__pki_hook_name: 'bind'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_hook_path [[[
+#
+# Directory for the :ref:`debops.pki` hooks.
+bind__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__pki_hook_action [[[
+#
+# Specify how changes in PKI should affect BIND, either 'reload' or
+# 'restart'.
+bind__pki_hook_action: 'reload'
+                                                                   # ]]]
+                                                                   # ]]]
+# Diffie-Hellman parameters [[[
+# -----------------------------
+
+# .. envvar:: bind__dhparam [[[
+#
+# Enable or disable support for custom Diffie-Hellman parameters managed by the
+# :ref:`debops.dhparam` Ansible role. Note that having this enabled is
+# essential for enabling perfect forward secrecy capable ciphers in TLSv1.2.
+bind__dhparam: '{{ ansible_local.dhparam.enabled | d(False) }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__dhparam_set [[[
+#
+# Name of the Diffie-Hellman parameter set to use. See the
+# :ref:`debops.dhparam` Ansible role for more details.
+bind__dhparam_set: 'default'
+
+                                                                   # ]]]
+# .. envvar:: bind__tls_dh_file [[[
+#
+# Absolute path to the Diffie-Hellman parameters file which should be used.
+bind__tls_dh_file: '{{ ansible_local.dhparam[bind__dhparam_set] | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network access [[[
+# ------------------
+
+# .. envvar:: bind__tcp_ports [[[
+#
+# List of TCP service names of the ports on which BIND will listen for
+# network connections. These ports will be opened in the firewall so that
+# other hosts can contact the DNS service.
+bind__tcp_ports:
+
+  # Regular DNS queries via TCP (used e.g. by :command:`nsupdate` for
+  # large requests and for AXFR/zone transfer requests)
+  - '{{ "domain" if "dns" in bind__features else [] }}'
+
+  # DNS-over-TLS, DoT (RFC7858)
+  - '{{ "domain-s" if "dot" in bind__features else [] }}'
+
+  # DNS-over-HTTP, DoH (RFC8484)
+  - '{{ "http" if "doh_http" in bind__features else [] }}'
+
+  # DNS-over-HTTPS, DoH (RFC8484)
+  - '{{ "https" if "doh_https" in bind__features else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__udp_ports [[[
+#
+# List of UDP service names of the ports on which BIND will listen for
+# network connections. These ports will be opened in the firewall so that
+# other hosts can contact the DNS service.
+bind__udp_ports:
+
+  # Regular DNS queries
+  - '{{ "domain" if "dns" in bind__features else [] }}'
+
+  # DNS-over-DTLS (RFC8094), not supported
+  #- 'domain-s'
+
+  # DNS-over-HTTP3/QUIC, DoH3/DoQ (RFC9250), not supported
+  #- 'https'
+
+                                                                   # ]]]
+# .. envvar:: bind__accept_any [[[
+#
+# If ``True``, the role will configure the firewall to accept connections
+# to the BIND server from any network. Specific IP addresses and/or
+# subnets can be blocked using the ``bind__*_deny`` variables.
+#
+# If ``False``, the role will block connections to the BIND server by
+# default; hosts/subnets which are allowed to connect must be specified
+# via the ``bind__*_allow`` variables.
+bind__accept_any: '{{ True
+                      if bind__features
+                         | intersect(["dns", "dot", "doh_http", "doh_https"])
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: bind__deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the BIND server, defined on all hosts in the Ansible inventory.
+bind__deny: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the BIND server, defined on hosts in a specific Ansible inventory group.
+bind__group_deny: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the BIND server, defined on specific hosts in the Ansible inventory.
+bind__host_deny: []
+
+                                                                   # ]]]
+# .. envvar:: bind__allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the BIND
+# server, defined on all hosts in the Ansible inventory.
+bind__allow: []
+
+                                                                   # ]]]
+# .. envvar:: bind__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the BIND
+# server, defined on hosts in a specific Ansible inventory group.
+bind__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: bind__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the BIND
+# server, defined on specific hosts in the Ansible inventory.
+bind__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: bind__ferm__dependent_rules [[[
+#
+# Firewall configuration managed by the :ref:`debops.ferm` Ansible role.
+bind__ferm__dependent_rules:
+
+  - name: 'reject_bind_tcp'
+    type: 'accept'
+    protocol: 'tcp'
+    dport: '{{ q("flattened", bind__tcp_ports) }}'
+    multiport: True
+    saddr: '{{ bind__deny + bind__group_deny + bind__host_deny }}'
+    weight: '45'
+    by_role: 'debops.bind'
+    target: 'REJECT'
+    rule_state: '{{ "present"
+                    if (bind__deny + bind__group_deny + bind__host_deny)
+                    else "absent" }}'
+
+  - name: 'reject_bind_udp'
+    type: 'accept'
+    protocol: 'udp'
+    dport: '{{ q("flattened", bind__udp_ports) }}'
+    multiport: True
+    saddr: '{{ bind__deny + bind__group_deny + bind__host_deny }}'
+    weight: '45'
+    by_role: 'debops.bind'
+    target: 'REJECT'
+    rule_state: '{{ "present"
+                    if (bind__deny + bind__group_deny + bind__host_deny)
+                    else "absent" }}'
+
+  - name: 'accept_bind_tcp'
+    type: 'accept'
+    protocol: 'tcp'
+    dport: '{{ q("flattened", bind__tcp_ports) }}'
+    multiport: True
+    saddr: '{{ bind__allow + bind__group_allow + bind__host_allow }}'
+    accept_any: '{{ bind__accept_any }}'
+    weight: '50'
+    by_role: 'debops.bind'
+
+  - name: 'accept_bind_udp'
+    type: 'accept'
+    protocol: 'udp'
+    dport: '{{ q("flattened", bind__udp_ports) }}'
+    multiport: True
+    saddr: '{{ bind__allow + bind__group_allow + bind__host_allow }}'
+    accept_any: '{{ bind__accept_any }}'
+    weight: '50'
+    by_role: 'debops.bind'
+
+                                                                   # ]]]
+# .. envvar:: bind__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` role. Used to
+# setup a DNS over HTTPS proxy, if requested.
+bind__nginx__dependent_servers:
+
+  - name: '{{ bind__fqdn }}'
+    filename: 'debops.bind'
+    by_role: 'debops.bind'
+    type: 'default'
+    webroot_create: False
+    state: '{{ "present"
+               if bind__features | intersect(["doh_proxy", "stats_proxy"])
+               else "absent" }}'
+    root: False
+    maintenance: False
+
+    toplevel_options: |-
+      {% if "doh_proxy" in bind__features | d([]) %}
+      # address and port of the DoH server, serving unencrypted HTTP/2
+      upstream http2-doh {
+              server 127.0.0.1:{{ bind__doh_proxy_port }};
+      }{% endif %}
+
+    location_list: >-
+      {%- set locations =  [{
+                "pattern": "/",
+                "options": "proxy_pass http://127.0.0.1:"
+                            + bind__stats_proxy_port | string + ";",
+                "allow": bind__stats_proxy_allow,
+                "access_policy": bind__stats_proxy_access_policy,
+                "enabled": True if "stats_proxy" in bind__features else False
+          }] -%}
+      {%- for endpoint in bind__doh_endpoints | d([]) -%}
+      {%-   set _ = locations.append({
+                      "pattern": endpoint,
+                      "options": "grpc_pass grpc://http2-doh;",
+                      "allow": bind__doh_proxy_allow,
+                      "access_policy": bind__doh_proxy_access_policy,
+                      "enabled": True if "doh_proxy" in bind__features else False
+            }) -%}
+      {%- endfor -%}
+      {{ locations }}
+
+                                                                   # ]]]
+# .. envvar:: bind__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+bind__logrotate__dependent_config:
+
+  - filename: 'debops-bind-rollkeys'
+    state: '{{ "present"
+                if ("dnssec" in bind__features and
+                    bind__dnssec_script_enabled | d(False))
+                else "absent" }}'
+    sections:
+
+      - logs: '/var/log/debops-bind-rollkey.log'
+        options: |
+          notifempty
+          missingok
+          yearly
+          rotate 10
+          compress
+        comment: 'BIND DNSSEC key rollover logs'
+
+                                                                   # ]]]
+# .. envvar:: bind__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+bind__apt_preferences__dependent_list:
+
+  - packages: [ 'bind9', 'bind9-dnsutils', 'bind9-libs', 'bind9-utils' ]
+    backports: [ 'bullseye' ]
+    reason: 'Support for DNS-over-TLS/HTTPS'
+    by_role: 'debops.bind'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-rollkey b/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-rollkey
new file mode 100755
index 00000000..d0549cc1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-rollkey
@@ -0,0 +1,721 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+"""BIND DNSSEC key rollover parent zone update/notification script
+
+This script is meant to be called periodically from cron and will check
+for keys which need to be added to, or removed from, the parent zone.
+
+When such keys are detected, an external utility will be executed or
+an email will be sent to the administrator, requesting manual action.
+"""
+
+import os
+import re
+import sys
+import json
+import shutil
+import socket
+import smtplib
+import logging
+import argparse
+import datetime
+import subprocess
+
+__license__ = 'GPL-3.0'
+__author__ = 'David Härdeman <david@hardeman.nu>'
+__version__ = '1.0.0'
+
+LOG = logging.getLogger(__name__)
+
+
+def die(msg):
+    if msg is not None:
+        LOG.error(msg)
+    sys.exit(1)
+
+
+def run_process(config, args, change_locale=True):
+    """Runs some external program and returns its stdout"""
+
+    result = {}
+    LOG.debug('Executing: "{}"'.format(' '.join(args)))
+    tmp_env = os.environ.copy()
+    if change_locale:
+        tmp_env["LC_ALL"] = "C"
+
+    with subprocess.Popen(args, text=True, env=tmp_env,
+                          stdout=subprocess.PIPE,
+                          stderr=subprocess.PIPE) as process:
+        stdout, stderr = process.communicate()
+        result.stdout = stdout.strip()
+        result.stderr = stderr.strip()
+        result.rc = process.returncode
+
+        if process.returncode != 0:
+            cmd = ' '.join(args)
+            msg = 'Command "{}" failed ({})'.format(cmd, stderr.strip())
+            LOG.debug('Command {} rc: {}'.format(cmd, process.returncode))
+            LOG.debug('Command {} stdout: {}'.format(cmd, stdout.strip()))
+            LOG.debug('Command {} stderr: {}'.format(cmd, stderr.strip()))
+            write_log_msg(config, msg + "\n")
+            result.error_msg = msg
+
+    return result
+
+
+def run_process_get_stdout(config, args):
+    result = do_run_process(config, args, change_locale=True)
+    if result.rc != 0:
+        die(result.error_msg)
+    else:
+        return result.stdout
+
+
+def run_process_ok(config, args):
+    result = do_run_process(config, args, change_locale=False)
+    if result.rc != 0:
+        LOG.error(result.error_msg)
+        return False
+    else:
+        return True
+
+
+class Key:
+    """Keeps track of a zone key.
+
+    Attributes:
+        alg_num:        Mapping from algorithm names to IANA assigned numbers
+
+    See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml.
+    """
+    alg_num = {
+        "DSA": "3",
+        "RSASHA1": "5",
+        "DSA-NSEC3-SHA1": "6",
+        "RSASHA1-NSEC3-SHA1": "7",
+        "RSASHA256": "8",
+        "RSASHA512": "10",
+        "ECC-GOST": "12",
+        "ECDSAP256SHA256": "13",
+        "ECDSAP384SHA384": "14",
+        "ED25519": "15",
+        "ED448": "16"
+    }
+
+    def __init__(self, zone, line):
+        self.valid = False
+        self.zone = zone
+        self.goal = None
+        self.ds_state = None
+        self.key_id = None
+        self.key_alg = None
+        self.key_alg_num = None
+        self.key_type = None
+
+        line = re.sub('\\s+', ' ', line.strip())
+        parts = line.split()
+
+        if len(parts) != 4:
+            LOG.debug('Invalid key description ({})'.format(line))
+            return
+
+        self.key_id = parts[1]
+
+        self.key_alg = parts[2].strip(' ,()')
+        if self.key_alg.upper() in Key.alg_num:
+            self.key_alg_num = Key.alg_num[self.key_alg.upper()]
+        else:
+            LOG.debug('Unknown key alg {} for key {}'.format(self.key_alg, self.key_id))
+            return
+
+        self.key_type = parts[3].upper()
+        if self.key_type not in ['KSK', 'CSK', 'ZSK']:
+            LOG.debug('Unknown key type {}, key {}'.format(self.key_type, self.key_id))
+            return
+
+        self.valid = True
+
+    def print(self):
+        if not self.valid:
+            LOG.debug('Invalid key')
+            return
+
+        LOG.debug('ID  : {}'.format(self.key_id))
+        LOG.debug('Alg : {}'.format(self.key_alg))
+        LOG.debug('AlgN: {}'.format(self.key_alg_num))
+        LOG.debug('Type: {}'.format(self.key_type))
+        LOG.debug('Goal: {}'.format(
+            self.goal if self.goal is not None else "<unknown>"))
+        LOG.debug('DS  : {}'.format(
+            self.ds_state if self.ds_state is not None else "<unknown>"))
+
+    def is_publishable(self):
+        if not self.valid:
+            return False
+        elif self.key_type.upper() not in ['KSK', 'CSK']:
+            return False
+        elif self.goal is None or self.ds_state is None:
+            return False
+        else:
+            return True
+
+    def needs_publication(self):
+        if not self.is_publishable():
+            return False
+        elif self.goal.lower() != 'omnipresent':
+            return False
+        elif self.ds_state.lower() != 'rumoured':
+            return False
+        return True
+
+    def needs_withdrawal(self):
+        if not self.is_publishable():
+            return False
+        elif self.goal.lower() != 'hidden':
+            return False
+        elif self.ds_state.lower() != 'unretentive':
+            return False
+        return True
+
+    def parse_line(self, line):
+        line = re.sub('\\s+', ' ', line.strip().lower())
+        parts = line.split(':')
+
+        if len(parts) != 2:
+            return
+
+        param = parts[0].strip()
+        value = parts[1].strip()
+        if value in ['hidden', 'rumoured', 'omnipresent', 'unretentive']:
+            state = value
+        else:
+            state = None
+
+        if param == '- goal':
+            if state is None:
+                LOG.debug('Unknown key goal: {}'.format(value))
+            else:
+                self.goal = state
+
+        elif param == '- ds':
+            if state is None:
+                LOG.debug('Unknown DS state: {}'.format(value))
+            else:
+                self.ds_state = state
+
+
+class Zone:
+    """Keeps track of a zone"""
+
+    def __init__(self, name, rr_class, view):
+        self.name = name
+        self.rr_class = rr_class
+        self.view = view
+        self.keys = None
+
+    def get_keys(self, config, rndc_output=None):
+        """Get the currently known keys for a zone"""
+
+        if self.keys is not None:
+            return self.keys
+
+        if rndc_output is None:
+            args = ["rndc", "dnssec", "-status",
+                    self.name, self.rr_class, self.view]
+            rndc_output = run_process(config, args)
+
+        """
+        Entries can have the following states:
+
+         * hidden (not published)
+         * rumoured (partially published)
+         * omnipresent (completely published)
+         * unretentive (stale)
+
+        This is an example of the kind of output we need to parse:
+
+        root@foobar:~# rndc dnssec -status example.com
+        dnssec-policy: kskzsk
+        current time:  Sat Jul 30 20:43:25 2022
+
+        key: 38979 (ECDSAP256SHA256), KSK
+          published:      yes - since Fri Jul 29 23:12:42 2022
+          key signing:    yes - since Fri Jul 29 23:12:42 2022
+
+          Next rollover scheduled on Sat Jul 29 23:12:42 2023
+          - goal:           omnipresent
+          - dnskey:         omnipresent
+          - ds:             rumoured
+          - key rrsig:      omnipresent
+
+        key: 3732 (ECDSAP256SHA256), ZSK
+          published:      yes - since Fri Jul 29 22:58:05 2022
+          zone signing:   yes - since Fri Jul 29 22:58:05 2022
+
+          Next rollover scheduled on Tue Sep 27 22:55:05 2022
+          - goal:           omnipresent
+          - dnskey:         omnipresent
+          - zone rrsig:     omnipresent
+
+        key: 52180 (ECDSAP256SHA256), KSK
+          published:      yes - since Fri Jul 29 22:58:05 2022
+          key signing:    yes - since Fri Jul 29 22:58:05 2022
+
+          Rollover is due since Fri Jul 29 23:18:42 2022
+          - goal:           hidden
+          - dnskey:         omnipresent
+          - ds:             unretentive
+          - key rrsig:      omnipresent
+
+
+        Note that there is:
+
+         * one KSK (38979) which has a goal state of omnipresent but where the DS
+           record is rumoured (i.e. not known to be published in the parent zone)
+
+         * one KSK (52180) which has a goal state of hidden but where the DS record
+           is unretentive (i.e. not known to be removed from the parent zone)
+
+        """
+
+        self.keys = []
+        key = None
+        for line in rndc_output.splitlines():
+            if line.startswith('key:'):
+                if key is not None:
+                    self.keys.append(key)
+                key = Key(self, line)
+                continue
+            elif key is None:
+                continue
+            else:
+                key.parse_line(line)
+
+        if key is not None:
+            self.keys.append(key)
+
+    def get_keys_to_publish(self):
+        if self.rr_class.upper() != 'IN':
+            return []
+        elif self.keys is None:
+            return []
+
+        keys = []
+        for key in self.keys:
+            if key.needs_publication():
+                keys.append(key)
+
+        return keys
+
+    def get_keys_to_withdraw(self):
+        if self.rr_class.upper() != 'IN':
+            return []
+        elif self.keys is None:
+            return []
+
+        keys = []
+        for key in self.keys:
+            if key.needs_withdrawal():
+                keys.append(key)
+
+        return keys
+
+    def print_keys(self):
+        if self.keys is None:
+            return
+
+        for key in self.keys:
+            key.print()
+            LOG.debug('')
+
+    def print_zone(self):
+        LOG.debug('View: {}, Zone: {}, Keys: {}'.format(
+                  self.name,
+                  self.view,
+                  "<undefined>" if self.keys is None else len(self.keys)))
+
+    @classmethod
+    def get_zones(cls, config, path='/var/cache/bind/named_dump.db'):
+        """Creates a list of zones, possibly by parsing BINDs dumpfile"""
+        zones = []
+
+        if "zones" in config and len(config["zones"]) > 0:
+            for zone in config["zones"]:
+                parts = zone.split("/")
+
+                if len(parts) > 2:
+                    die('Invalid zone: "{}"'.format(zone))
+                elif len(parts) > 1:
+                    view = parts[1].strip()
+                else:
+                    view = "_default"
+
+                name = parts[0].strip()
+                rr_class = "IN"
+
+                if len(name) < 1 or len(view) < 1:
+                    die('Invalid zone: "{}"'.format(zone))
+
+                zone = Zone(name, rr_class, view)
+                zones.append(zone)
+
+            return zones
+
+        # No zones defined, time to dig in rndc dump files to autodetect them...
+        args = ["rndc", "dumpdb", "-zones"]
+
+        if not run_process_ok(config, args):
+            die(None)
+
+        """
+        This is an example of the kind of output we need to parse:
+
+        Note that the '(signed)' suffix may or may not be present for signed
+        zones depending on the version of BIND.
+
+        Without views:
+        ;
+        ; Start view _default
+        ;
+        ; Zone dump of 'example.com/IN'
+        ;
+        ...
+        ;
+        ; Zone dump of 'example.net/IN (signed)'
+        ;
+        ...
+
+        With views:
+        ;
+        ; Start view foo
+        ;
+        ; Zone dump of 'example.com/IN/foo'
+        ;
+        ...
+        ;
+        ; Start view bar
+        ;
+        ; Zone dump of 'example.net/IN/bar (signed)'
+        ;
+        ...
+        """
+
+        start_view = '_default'
+        with open(path) as file:
+            for line in file:
+                if not line.startswith(';'):
+                    continue
+                line = line[1:].strip()
+                if line.startswith('Start view '):
+                    start_view = line[len('Start view '):]
+                    continue
+                elif not line.startswith('Zone dump of '):
+                    continue
+
+                line = line[len('Zone dump of '):].strip().strip("'")
+
+                if line.endswith('(signed)'):
+                    line = line[:-len('(signed)')].strip()
+
+                parts = line.split('/')
+                if len(parts) < 2 or len(parts) > 3:
+                    LOG.debug('Invalid zone line ({})'.format(line))
+                    continue
+
+                name = parts[0].strip()
+                rr_class = parts[1].strip()
+                view = start_view
+
+                if len(parts) == 3:
+                    view = parts[2].strip()
+                    if view != start_view:
+                        LOG.debug('Invalid zone view ({}, expected {})'.format(
+                            view, start_view))
+                        continue
+
+                if rr_class != 'IN':
+                    continue
+
+                if view == '_bind':
+                    continue
+
+                zone = Zone(name, rr_class, view)
+                zones.append(zone)
+
+        return zones
+
+
+def get_args_parser():
+    args_parser = argparse.ArgumentParser(
+        prog='debops-bind-rollkey',
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=__doc__,
+        description="Publish/unpublish DNSSEC keys.",
+    )
+    args_parser.add_argument(
+        '-V', '--version',
+        action='version',
+        version=__version__,
+    )
+    args_parser.add_argument(
+        '-d', '--debug',
+        help="Enable debug output",
+        action='store_const',
+        dest='loglevel',
+        const=logging.DEBUG,
+    )
+    args_parser.add_argument(
+        '-v', '--verbose',
+        help="Enable verbose output",
+        action='store_const',
+        dest='loglevel',
+        const=logging.INFO,
+    )
+    args_parser.add_argument(
+        '-c', '--config',
+        help="Configuration file path",
+        default="/etc/bind/debops-bind-rollkey.json",
+        dest="config_path",
+    )
+    args_parser.add_argument(
+        '-C', '--print-config',
+        help="Print a configuration file example",
+        action="store_true",
+        default=False,
+        dest="print_config",
+    )
+
+    return args_parser
+
+
+def get_default_config():
+    return {
+        "method": "log/email/external",
+        "log_file": "/var/log/debops-bind-rollkey.log",
+        "email_to": "root@localhost",
+        "email_from": "noreply@{}".format(socket.getfqdn()),
+        "email_host": "localhost",
+        "email_port": 25,
+        "email_subject": "BIND DNSSEC key updates",
+        "external_script": "/usr/local/sbin/debops-bind-rollkey-action",
+    }
+
+
+def print_example_config():
+    config = get_default_config()
+    config["zones"] = ["zone1/view1", "zone2/view2", "(optional)"]
+    print(json.dumps(config, sort_keys=False, indent=4))
+    sys.exit(0)
+
+
+def read_config_file(path):
+    config = get_default_config()
+
+    try:
+        with open(path, "r") as f:
+            data = f.read()
+    except Exception as err:
+        LOG.info("Can't open cfg file {}: {}".format(path, str(err)))
+        data = None
+
+    if data is not None:
+        try:
+            j = json.loads(data)
+            config.update(j)
+        except Exception as err:
+            die("Can't parse cfg file {}: {}".format(path, str(err)))
+
+    if not config["method"]:
+        die("Method not configured")
+
+    elif config["method"] == "log":
+        if not config["log_file"]:
+            die("Log file path not configured")
+
+    elif config["method"] == "email":
+        if not config["email_to"]:
+            die("Recipient email address not configured")
+
+        if not config["email_host"]:
+            die("SMTP host not configured")
+
+        if not config["email_port"]:
+            die("SMTP port not configured")
+
+        if not config["email_subject"]:
+            die("Email subject not configured")
+
+    elif config["method"] == "external":
+        if not config["external_script"]:
+            die("External script not configured")
+
+        if not os.access(config["external_script"], os.F_OK):
+            die("External script not found")
+
+        if not os.access(config["external_script"], os.X_OK):
+            die("External script not executable")
+
+    else:
+        die("Invalid method configured")
+
+    return config
+
+
+def get_actionable_keys(zones):
+    keys = []
+
+    for zone in zones:
+        pub_keys = zone.get_keys_to_publish()
+        for key in pub_keys:
+            key.action = "Publish"
+            key.action_goal = "published"
+            keys.append(key)
+
+        unpub_keys = zone.get_keys_to_withdraw()
+        for key in unpub_keys:
+            key.action = "Withdraw"
+            key.action_goal = "withdrawn"
+            keys.append(key)
+
+    return keys
+
+
+def do_external(config, zones):
+    keys = get_actionable_keys(zones)
+    failures = False
+
+    for key in keys:
+        args_ext = [config["external_script"],
+                    key.action.lower(),
+                    key.key_id,
+                    key.key_alg_num,
+                    key.zone.name,
+                    key.zone.rr_class,
+                    key.zone.view]
+        args_rndc = ["rndc",
+                     "dnssec",
+                     "-checkds",
+                     "-key",
+                     key.key_id,
+                     "-alg",
+                     key.key_alg_num,
+                     key.action_goal,
+                     key.zone.name,
+                     key.zone.rr_class]
+        if key.zone.view != '_default':
+            args_rndc.append(key.zone.view)
+
+        if not run_process_ok(config, args_ext):
+            failures = True
+        elif not run_process_ok(config, args_rndc):
+            failures = True
+
+    if failures:
+        write_log_msg(config, "Some commands failed\n\n")
+    else:
+        write_log_msg(config, "Done\n\n")
+
+
+def create_message(config, keys, sep):
+    msg = "{}{}Executed at {}{}".format(
+        sys.argv[0],
+        sep,
+        datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"),
+        sep)
+
+    msg += "The following DNSSEC key changes need to be made" + sep
+    msg += "================================================" + sep
+
+    if len(keys) == 0:
+        msg += "None" + sep
+    else:
+        for key in keys:
+            msg += "{} {} {} {} IN {}{}".format(
+                key.action,
+                key.key_id,
+                key.key_alg_num,
+                key.zone.name,
+                key.zone.view,
+                sep)
+
+    msg += "================================================" + sep
+    msg += sep
+    return msg
+
+
+def do_email(config, zones):
+    keys = get_actionable_keys(zones)
+    if len(keys) == 0:
+        return
+
+    msg = "From: {}\r\nTo: {}\r\nSubject: {}\r\n\r\n".format(
+        config["email_from"],
+        config["email_to"],
+        config["email_subject"])
+
+    msg += create_message(config, keys, "\r\n")
+
+    with smtplib.SMTP(host=config["email_host"],
+                      port=config["email_port"]) as smtp:
+        # smtp.set_debuglevel(1)
+        smtp.sendmail(config["email_from"], config["email_to"], msg)
+
+
+def write_log_msg(config, msg):
+    if not config["log_file"]:
+        return
+
+    with open(config["log_file"], "a") as f:
+        f.write(msg)
+
+
+def do_log(config, zones):
+    keys = get_actionable_keys(zones)
+    msg = create_message(config, keys, "\n")
+    write_log_msg(config, msg)
+    if len(keys) == 0:
+        LOG.debug("Nothing to do")
+
+
+def main():
+    args_parser = get_args_parser()
+    args_parser.set_defaults(loglevel=logging.WARN)
+    args = args_parser.parse_args()
+
+    logging.basicConfig(
+        format='%(levelname)s{}, %(asctime)s: %(message)s'.format(
+            ' (%(filename)s:%(lineno)s)'
+            if args.loglevel <= logging.DEBUG else '',
+        ),
+        level=args.loglevel,
+    )
+
+    if args.print_config:
+        print_example_config()
+
+    config = read_config_file(args.config_path)
+
+    if shutil.which("rndc") is None:
+        die("rndc executable not found")
+
+    zones = Zone.get_zones(config)
+
+    for zone in zones:
+        zone.get_keys(config)
+        zone.print_zone()
+        zone.print_keys()
+
+    do_log(config, zones)
+
+    if config["method"] == "email":
+        do_email(config, zones)
+    elif config["method"] == "external":
+        do_external(config, zones)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-snapshot b/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-snapshot
new file mode 100755
index 00000000..5f4b0d20
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/files/usr/local/sbin/debops-bind-snapshot
@@ -0,0 +1,270 @@
+#!/usr/bin/env bash
+
+# This file is managed remotely, all changes will be lost
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Create .tar.gz backup snapshots of the BIND config and master zones.
+# The script will automatically freeze/sync/thaw the zones as necessary,
+# while keeping track of whether they were already frozen (e.g. manually
+# by the administrator) and not thawing them again in that case.
+
+
+set -o nounset -o pipefail -o errexit
+
+umask 027
+
+SCRIPT="$(basename "${0}")"
+readonly SCRIPT
+readonly PID="$$"
+readonly PIDFILE="/run/${SCRIPT}.pid"
+readonly SUBCOMMAND="${1:-}"
+readonly RNDC="/usr/sbin/rndc"
+
+BACKUP_USER="backup"
+BACKUP_GROUP="backup"
+BACKUP_ROOT="$(getent passwd "${BACKUP_USER}" | cut -f6 -d:)/bind"
+FROZEN_FLAG="/var/lib/bind/.debops.frozen"
+TAR="/bin/tar"
+
+if [ -f "/etc/default/debops-bind-snapshot" ] ; then
+    # shellcheck disable=SC1091
+    . "/etc/default/debops-bind-snapshot"
+fi
+
+print_usage () {
+    cat <<EOF
+Usage: ${SCRIPT} <daily|weekly|monthly|latest|now>
+
+Create periodic backup snapshots of the BIND configuration and zones
+EOF
+}
+
+
+log_message () {
+    # Display a message if script is used interactively, otherwise send it to syslog
+    local msg="${1:-}"
+
+    if [ -n "${msg}" ] ; then
+        if tty -s > /dev/null 2>&1 ; then
+            echo "${SCRIPT}: ${msg}" 1>&2
+        elif type logger > /dev/null 2>&1 ; then
+            logger -t "${SCRIPT}[${PID}]" "${msg}"
+        fi
+    fi
+}
+
+
+clean_up () {
+    # Clean up pidfile
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        rm -f "${pidfile}"
+    fi
+    exit 0
+}
+
+
+wait_for_pid () {
+    # Wait for the specified process to exit
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        local wait_pid
+        wait_pid="$(< "${pidfile}")"
+        while kill -0 "${wait_pid}" > /dev/null 2>&1 ; do
+            log_message "Waiting for PID ${wait_pid} to finish"
+            sleep $(( ( RANDOM % 30 ) + 5 ))
+        done
+        if [ -f "${pidfile}" ] ; then
+            rm -f "${pidfile}"
+        fi
+    fi
+}
+
+
+create_lock () {
+    local pidfile="${1}"
+    local pid="${PID}"
+
+    # Try and lock the script operation
+    echo "${pid}" > "${pidfile}"
+    sleep 0.5
+
+    # Exclusive lock failed
+    if [ "$(cat "${pidfile}")" != "${pid}" ] ; then
+        log_message "BIND snapshot procedure started by $(< "${pidfile}")"
+        exit 0
+    fi
+
+    # Exclusive lock succeeded
+    # shellcheck disable=SC2064
+    trap "clean_up ${pidfile}" EXIT
+}
+
+
+enable_read_only_mode () {
+    local output
+
+
+    if ! pidof -q named > /dev/null 2>&1; then
+        log_message "Not freezing zones, named isn't running"
+    else
+        if ! output="$(LC_ALL=C "${RNDC}" freeze 2>&1)"; then
+            if [[ "${output}" == *"already frozen"* ]]; then
+                log_message "Not freezing zones, already frozen"
+            else
+                log_message "Unable to freeze zones: ${output}"
+                exit 1
+            fi
+        else
+            log_message "Freezing zone updates"
+            touch "${FROZEN_FLAG}"
+        fi
+
+        log_message "Synchronizing all zones"
+        "${RNDC}" sync -clean
+    fi
+}
+
+
+disable_read_only_mode () {
+    if ! pidof -q named > /dev/null 2>&1; then
+        log_message "Not thawing zones, named isn't running"
+    elif ! [ -e "${FROZEN_FLAG}" ]; then
+        log_message "Not thawing zones, not frozen by this script"
+    else
+        log_message "Thawing zone updates"
+        "${RNDC}" thaw
+        rm -f "${FROZEN_FLAG}"
+    fi
+}
+
+
+create_snapshot () {
+    local backup_user
+    local backup_group
+    local backup_root
+    local backup_file
+    local backup_dir
+
+    backup_user="${BACKUP_USER}"
+    backup_group="${BACKUP_GROUP}"
+    backup_root="${BACKUP_ROOT}"
+    backup_file="${1}"
+    backup_dir="$(dirname "${backup_file}")"
+
+    if [ ! -d "${backup_dir}" ] ; then
+        mkdir -p "${backup_dir}"
+        chown -R "${backup_user}:${backup_group}" "${backup_root}"
+    fi
+
+    enable_read_only_mode
+    log_message "Dumping the BIND configuration and zones"
+    "${TAR}" -cf "${backup_file}" -C / etc/bind var/lib/bind
+    disable_read_only_mode
+
+    if [ -f "${backup_file}.gz.gpg" ] ; then
+        rm -f "${backup_file}.gz.gpg"
+    fi
+
+    if [ -f "${backup_file}.gz.asc" ] ; then
+        rm -f "${backup_file}.gz.asc"
+    fi
+
+    nice gzip -f "${backup_file}"
+    chown "${backup_user}:${backup_group}" "${backup_file}.gz"
+}
+
+
+snapshot_daily () {
+    local backup_root
+    local day
+    local weekday
+    local backup_file
+
+    backup_root="${BACKUP_ROOT}"
+    day="$(date +%w)"
+    weekday="$(date +%A)"
+    backup_file="${backup_root}/daily/bind_day${day}_${weekday}.tar"
+
+    log_message "Creating daily snapshot of the BIND zones and config"
+    create_snapshot "${backup_file}"
+    log_message "Daily snapshot of the BIND zones and config created successfully"
+}
+
+
+snapshot_weekly () {
+    local backup_root
+    local week
+    local backup_file
+
+    backup_root="${BACKUP_ROOT}"
+    # Find out the week number in the current month
+    week="$(( ( $(date +%_d) - 1 ) / 7 + 1 ))"
+    backup_file="${backup_root}/weekly/bind_week${week}.tar"
+
+    log_message "Creating weekly snapshot of the BIND zones and config"
+    create_snapshot "${backup_file}"
+    log_message "Weekly snapshot of the BIND zones and config created successfully"
+}
+
+
+snapshot_monthly () {
+    local backup_root
+    local month
+    local month_name
+    local backup_file
+
+    backup_root="${BACKUP_ROOT}"
+    month="$(date +%m)"
+    month_name="$(date +%B)"
+    backup_file="${backup_root}/monthly/bind_month${month}_${month_name}.tar"
+
+    log_message "Creating monthly snapshot of the BIND zones and config"
+    create_snapshot "${backup_file}"
+    log_message "Monthly snapshot of the BIND zones and config created successfully"
+}
+
+
+snapshot_latest () {
+    local backup_root
+    local current_date
+    local backup_file
+
+    backup_root="${BACKUP_ROOT}"
+    current_date="$(date +%F_%R)"
+    backup_file="${backup_root}/latest/bind_${current_date}.tar"
+
+    if [ -d "${backup_root}/latest" ] ; then
+        # Remove old set of database backups
+        find "${backup_root}/latest" -type f -name "bind_*.*" -delete
+    fi
+
+    log_message "Creating a snapshot of the BIND zones and config"
+    create_snapshot "${backup_file}"
+    log_message "Snapshot of the BIND zones and config created successfully"
+}
+
+
+main () {
+    local pidfile="${PIDFILE}"
+    local subcommand="${SUBCOMMAND}"
+
+    wait_for_pid "${pidfile}"
+    create_lock "${pidfile}"
+
+    case "${subcommand}" in
+        daily)      snapshot_daily  ;;
+        weekly)     snapshot_weekly ;;
+        monthly)    snapshot_monthly ;;
+        now|latest) snapshot_latest ;;
+        *)          print_usage && exit 1 ;;
+    esac
+}
+
+main
diff --git a/ansible_collections/debops/debops/roles/bind/meta/main.yml b/ansible_collections/debops/debops/roles/bind/meta/main.yml
new file mode 100644
index 00000000..5243319b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'David Härdeman'
+  description: 'Configure the BIND DNS server'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - bind
+    - bind9
+    - named
+    - dns
diff --git a/ansible_collections/debops/debops/roles/bind/tasks/main.yml b/ansible_collections/debops/debops/roles/bind/tasks/main.yml
new file mode 100644
index 00000000..46bcc1f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/tasks/main.yml
@@ -0,0 +1,349 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+  tags: [ 'role::bind:config' ]
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+  tags: [ 'role::bind:keys' ]
+
+- name: Install packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", bind__base_packages + bind__packages) }}'
+    state: 'present'
+  register: bind__register_packages
+  until: bind__register_packages is succeeded
+  tags: [ 'role::bind:packages' ]
+
+- name: Make sure that the Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  tags: [ 'role::bind:config' ]
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/bind.fact.j2'
+    dest: '/etc/ansible/facts.d/bind.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts', 'role::bind:config' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+  tags: [ 'role::bind:config' ]
+
+- name: Enable/disable resolvconf integration
+  ansible.builtin.service:
+    name: 'named-resolvconf'
+    enabled: '{{ ansible_local.resolvconf.installed | d(False) | bool }}'
+  when: ansible_service_mgr == "systemd"
+  tags: [ 'role::bind:config' ]
+
+- name: Allow access to additional UNIX groups
+  ansible.builtin.user:
+    name: '{{ bind__user }}'
+    groups: '{{ bind__additional_groups }}'
+    append: True
+    state: 'present'
+  register: bind__register_unix_groups
+  notify: [ 'Test named configuration and restart' ]
+
+- name: Create base directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'bind'
+    mode: '{{ item.mode | d("0775") }}'
+  loop:
+    - { path: '/etc/bind', mode: '02755' }
+    - { path: '/etc/bind/keys', mode: '02750' }
+    - { path: '/var/cache/bind' }
+    - { path: '/var/lib/bind' }
+    - { path: '/var/lib/bind/views' }
+    - { path: '/var/lib/bind/dnssec-keys', mode: '02770' }
+    - { path: '/var/log/named' }
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:config' ]
+
+- name: Create keys
+  ansible.builtin.include_tasks: 'main_keys.yml'
+  tags: [ 'role::bind:config', 'role::bind:keys' ]
+
+- name: Generate list of toplevel views
+  ansible.builtin.set_fact:
+    bind__tmp_top_views: '{{ bind__combined_zones
+                             | debops.debops.parse_kv_items(name="view")
+                             | selectattr("state", "eq", "present") }}'
+  tags: [ 'role::bind:config' ]
+
+- name: Generate list of toplevel zones
+  ansible.builtin.set_fact:
+    bind__tmp_top_zones: '{{ bind__combined_zones
+                             | debops.debops.parse_kv_items(name="name")
+                             | selectattr("state", "eq", "present") }}'
+  tags: [ 'role::bind:config' ]
+
+- name: Make sure either zones or views are defined
+  ansible.builtin.assert:
+    that: bind__tmp_top_views | length == 0 or bind__tmp_top_zones | length == 0
+  tags: [ 'role::bind:config' ]
+
+- name: Assign zones to the default view
+  ansible.builtin.set_fact:
+    bind__tmp_top_views:
+      - view: '_default'
+        zones: '{{ bind__tmp_top_zones }}'
+  when: bind__tmp_top_views | length == 0
+  tags: [ 'role::bind:config' ]
+
+- name: Create list of generic zones
+  ansible.builtin.set_fact:
+    bind__tmp_generic_zones: '{{ bind__combined_generic_zones
+                                 | debops.debops.parse_kv_items(name="name")
+                                 | selectattr("state", "eq", "present") }}'
+  tags: [ 'role::bind:config' ]
+
+- name: Add generic zones to each view
+  ansible.builtin.set_fact:
+    bind__tmp_full_views: '{{ bind__tmp_full_views | d([])
+                              + [item | combine({"zones": item["zones"]
+                                                          + bind__tmp_generic_zones})] }}'
+  loop: '{{ bind__tmp_top_views }}'
+  loop_control:
+    label: '{{ item.view }}'
+  tags: [ 'role::bind:config' ]
+
+- name: Register the view in each zone
+  ansible.builtin.set_fact:
+    bind__views: '{{ bind__views | d([])
+                     + [item | combine({"zones": (item["zones"]
+                                                  | map("combine", {"view": item["view"]}))})] }}'
+  loop: '{{ bind__tmp_full_views }}'
+  loop_control:
+    label: '{{ item.view }}'
+  tags: [ 'role::bind:config' ]
+
+- name: Create zone directories
+  ansible.builtin.file:
+    path: '{{ item.dir | d("/var/lib/bind/views/" + item.view + "/" + item.name) }}'
+    state: 'directory'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("bind") }}'
+    mode: '{{ item.mode | d("0775") }}'
+  loop: '{{ bind__views | map(attribute="zones") | flatten }}'
+  when:
+    - item.content is defined
+    - item.state | d("present") == "present"
+  loop_control:
+    label: '{{ item.dir | d("/var/lib/bind/views/" + item.view + "/" + item.name) }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:config' ]
+
+  # Note: the changed_when status for the freeze/thaw tasks is kind of a lie...
+- name: Suspend dynamic updates
+  ansible.builtin.shell: |
+    if pidof -q named > /dev/null 2>&1; then
+      rndc freeze && exit 222
+    else true; fi
+  environment:
+    LC_ALL: 'C'
+  register: bind__register_freeze
+  changed_when: False
+  failed_when: >
+    (bind__register_freeze.rc not in [ 0, 222 ]) and
+    ("already frozen" not in bind__register_freeze.stderr | lower)
+  tags: [ 'role::bind:config' ]
+
+- name: Register the fact that this role suspended dynamic updates
+  ansible.builtin.file:
+    path: '/var/lib/bind/.debops.frozen'
+    state: 'touch'
+    mode: '0644'
+  changed_when: False
+  when: bind__register_freeze.rc == 222
+  tags: [ 'role::bind:config' ]
+
+- name: Generate zone files
+  ansible.builtin.template:
+    src: 'var/lib/bind/views/view/zone/db.zone.j2'
+    dest: '{{ (item.dir | d("/var/lib/bind/views/" + item.view + "/" + item.name)) + "/db.zone" }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("bind") }}'
+    mode: '{{ item.mode | d("0644") }}'
+    force: '{{ item.force | d(False) }}'
+  loop: '{{ bind__views | map(attribute="zones") | flatten }}'
+  when:
+    - item.content is defined
+    - item.state | d("present") == "present"
+  loop_control:
+    label: '{{ (item.dir | d("/var/lib/bind/views/" + item.view + "/" + item.name)) + "/db.zone" }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:config' ]
+
+- name: Divert the BIND configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/bind/named.conf'
+  tags: [ 'role::bind:config' ]
+
+- name: Generate BIND configuration
+  ansible.builtin.template:
+    src: 'etc/bind/named.conf.j2'
+    dest: '/etc/bind/named.conf'
+    owner: 'root'
+    group: 'bind'
+    mode: '0644'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:config' ]
+
+- name: Make sure named is restarted, if necessary
+  ansible.builtin.meta: 'flush_handlers'
+  tags: [ 'role::bind:config' ]
+
+- name: Check if dynamic updates should be resumed
+  ansible.builtin.stat:
+    path: '/var/lib/bind/.debops.frozen'
+  changed_when: False
+  register: bind__register_should_thaw
+  tags: [ 'role::bind:config' ]
+
+- name: Resume dynamic updates
+  ansible.builtin.command: rndc thaw
+  when: bind__register_should_thaw.stat.exists | d(False)
+  register: bind__register_thaw
+  until: bind__register_thaw is succeeded
+  changed_when: False
+  tags: [ 'role::bind:config' ]
+
+- name: Remove dynamic update flag file
+  ansible.builtin.file:
+    path: '/var/lib/bind/.debops.frozen'
+    state: 'absent'
+  changed_when: False
+  tags: [ 'role::bind:config' ]
+
+- name: Install backup snapshot script
+  ansible.builtin.copy:
+    src: 'usr/local/sbin/debops-bind-snapshot'
+    dest: '/usr/local/sbin/debops-bind-snapshot'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'role::bind:backup' ]
+
+- name: Configure backup snapshots as cron jobs
+  ansible.builtin.cron:
+    name: 'Create {{ item }} backup snapshots of BIND configuration and zones'
+    special_time: '{{ item }}'
+    cron_file: 'debops-bind-snapshot'
+    user: 'root'
+    state: '{{ "present"
+               if (bind__snapshot_enabled | d(False) | bool
+                   and item in bind__snapshot_cron_jobs)
+               else "absent" }}'
+    job: '/usr/local/sbin/debops-bind-snapshot {{ item }}'
+  loop: [ 'daily', 'weekly', 'monthly' ]
+  loop_control:
+    label: '{{ {"state": ("present"
+                          if (bind__snapshot_enabled | d(False) | bool
+                              and item in bind__snapshot_cron_jobs)
+                          else "absent"),
+                "cron_job": item} }}'
+  tags: [ 'role::bind:backup' ]
+
+- name: Make sure that the PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ bind__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: '"dot" in bind__features or "doh_https" in bind__features'
+  tags: [ 'role::bind:pki' ]
+
+- name: Install the BIND PKI hook
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/bind.j2'
+    dest: '{{ bind__pki_hook_path + "/" + bind__pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: '"dot" in bind__features or "doh_https" in bind__features'
+  tags: [ 'role::bind:pki' ]
+
+- name: Remove the BIND PKI hook
+  ansible.builtin.file:
+    dest: '{{ bind__pki_hook_path + "/" + bind__pki_hook_name }}'
+    state: 'absent'
+  when: '"dot" not in bind__features and "doh_https" not in bind__features'
+  tags: [ 'role::bind:pki' ]
+
+- name: Install DNSSEC rollover configuration
+  ansible.builtin.template:
+    src: 'etc/bind/debops-bind-rollkey.json.j2'
+    dest: '/etc/bind/debops-bind-rollkey.json'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: '"dnssec" in bind__features and bind__dnssec_script_enabled | d(False)'
+  tags: [ 'role::bind:dnssec' ]
+
+- name: Install DNSSEC rollover script
+  ansible.builtin.copy:
+    src: 'usr/local/sbin/debops-bind-rollkey'
+    dest: '/usr/local/sbin/debops-bind-rollkey'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: '"dnssec" in bind__features and bind__dnssec_script_enabled | d(False)'
+  tags: [ 'role::bind:dnssec' ]
+
+- name: Install DNSSEC rollover external script
+  ansible.builtin.copy:
+    src: '{{ lookup("debops.debops.file_src",
+                    "usr/local/sbin/debops-bind-rollkey-action") }}'
+    dest: '/usr/local/sbin/debops-bind-rollkey-action'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when:
+    - '"dnssec" in bind__features'
+    - bind__dnssec_script_enabled | d(False)
+    - bind__dnssec_script_method | d("") == 'external'
+  tags: [ 'role::bind:dnssec' ]
+
+- name: Enable DNSSEC rollover cron job
+  ansible.builtin.cron:
+    name: 'Rollover DNSSEC keys for BIND'
+    special_time: 'weekly'
+    cron_file: 'debops-bind-rollkey'
+    user: 'root'
+    job: '/usr/local/sbin/debops-bind-rollkey'
+    state: '{{ "present"
+                if ("dnssec" in bind__features and
+                    bind__dnssec_script_enabled | d(False))
+                else "absent" }}'
+  tags: [ 'role::bind:dnssec' ]
+
+- name: Remove DNSSEC rollover script
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop:
+    - '/usr/local/sbin/debops-bind-rollkey'
+    - '/usr/local/sbin/debops-bind-rollkey-action'
+    - '/etc/bind/debops-bind-rollkey.json'
+  when: '"dnssec" not in bind__features or not bind__dnssec_script_enabled | d(False)'
+  tags: [ 'role::bind:dnssec' ]
diff --git a/ansible_collections/debops/debops/roles/bind/tasks/main_keys.yml b/ansible_collections/debops/debops/roles/bind/tasks/main_keys.yml
new file mode 100644
index 00000000..ed2e43e6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/tasks/main_keys.yml
@@ -0,0 +1,214 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create sanitised list of keys
+  ansible.builtin.set_fact:
+    bind__tmp_keys: '{{ bind__tmp_keys | d([])
+                        + [item | combine({"state": item.state | d("present") | lower,
+                                           "type": item.type | mandatory | upper,
+                                           "dir": item.dir | d("/etc/bind/keys/"),
+                                           "owner": item.owner | d("root"),
+                                           "group": item.group | d("bind"),
+                                           "include": (item.include | d(True) | bool)
+                                                      if item.type | d("") | upper == "TSIG"
+                                                      else False,
+                                           "download": item.download | d(True if item.source | d("host") == "host" else False) | bool,
+                                           "source": item.source | d("host"),
+                                           "source_path": item.source_path | d(""),
+                                           "remove_private_key": item.remove_private_key | d(True) | bool,
+                                           "algorithm": (item.algorithm | mandatory)
+                                                        if item.type | d("") | upper == "TSIG"
+                                                        else ("%03d" | format(item.algorithm | mandatory | int))
+                                                        if item.type | d("") | upper == "SIG(0)"
+                                                        else omit,
+                                           "creates": (item.name + ".key")
+                                                      if item.type | d("") | upper == "TSIG"
+                                                      else ("K" + item.name + "+" + "%03d" | format(item.algorithm | int) + "+*.key")
+                                                      if item.type | d("") | upper == "SIG(0)"
+                                                      else omit,
+                                           "removes": (item.name + ".key")
+                                                      if item.type | d("") | upper == "TSIG"
+                                                      else ("K" + item.name + "+" + "%03d" | format(item.algorithm | int) + "+*.*")
+                                                      if item.type | d("") | upper == "SIG(0)"
+                                                      else omit,
+                                           "public_key": (item.name + ".key")
+                                                         if item.type | d("") | upper == "TSIG"
+                                                         else ("K" + item.name + "+" + "%03d" | format(item.algorithm | int) + "+*.key")
+                                                         if item.type | d("") | upper == "SIG(0)"
+                                                         else omit,
+                                           "private_key": (item.name + ".key")
+                                                          if item.type | d("") | upper == "TSIG"
+                                                          else ("K" + item.name + "+" + "%03d" | format(item.algorithm | int) + "+*.private")
+                                                          if item.type | d("") | upper == "SIG(0)"
+                                                          else omit})] }}'
+  when:
+    - item.name | d("") | length > 0
+    - item.state | d("present") | lower in [ 'present', 'absent' ]
+  loop: '{{ bind__combined_keys | d([]) | debops.debops.parse_kv_items(name="name") }}'
+  loop_control:
+    label: '{{ item.name | d("unknown") }}'
+  tags: [ 'role::bind:config', 'role::bind:keys' ]
+
+  # Note, this ensures both:
+  #   a) that keynames are valid in the bind config; and
+  #   b) that working with unquoted globs is safe
+- name: Verify key sanity
+  ansible.builtin.assert:
+    that:
+      - item.name | regex_replace('([^a-zA-Z0-9-.])', '') == item.name
+      - item.type in [ 'TSIG', 'SIG(0)' ]
+      - item.algorithm != "000"
+      - item.source in [ "host", "controller" ]
+      - not (item.download and item.source == "controller")
+    quiet: true
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::bind:config', 'role::bind:keys' ]
+
+- name: Create TSIG keys
+  ansible.builtin.shell:
+    chdir: '{{ item.dir }}'
+    cmd: umask 027;
+         tsig-keygen -a {{ item.algorithm | quote }} {{ item.name | quote }}
+         > {{ item.creates | quote }} &&
+         chown {{ (item.owner + ":" + item.group) | quote }} {{ item.creates | quote }}
+    creates: '{{ item.creates }}'
+  when:
+    - item.state == 'present'
+    - item.type == 'TSIG'
+    - item.source == 'host'
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:keys' ]
+
+- name: Fetch TSIG keys
+  ansible.builtin.fetch:
+    src: '{{ item.dir + "/" + item.public_key }}'
+    dest: '{{ secret + "/bind/" + inventory_hostname + "/" }}'
+    flat: True
+  when:
+    - item.state == 'present'
+    - item.type == 'TSIG'
+    - item.download
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Create SIG(0) keys
+  ansible.builtin.shell:
+    chdir: '{{ item.dir }}'
+    cmd: umask 027;
+         dnssec-keygen -C -a {{ item.algorithm | quote }} -n HOST -T KEY {{ item.name | quote }} &&
+         chown {{ (item.owner + ":" + item.group) | quote }} {{ item.creates }}
+    creates: '{{ item.creates }}'
+  when:
+    - item.state == 'present'
+    - item.type == 'SIG(0)'
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:keys' ]
+
+- name: Find SIG(0) keys to fetch
+  ansible.builtin.find:
+    paths: '{{ item.dir }}'
+    use_regex: False
+    recurse: False
+    patterns:
+      - '{{ item.public_key }}'
+      - '{{ item.private_key }}'
+  when:
+    - item.state == 'present'
+    - item.type == 'SIG(0)'
+    - item.download
+  register: bind__tmp_find_sig0_keys
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Build combined list of SIG(0) keys to fetch
+  ansible.builtin.set_fact:
+    bind__tmp_sig0_fetch: '{{ bind__tmp_sig0_fetch | d([]) + item.files | map(attribute="path") }}'  # noqa jinja[invalid]
+  loop: '{{ bind__tmp_find_sig0_keys.results | d([]) }}'
+  when: item.files is defined
+  loop_control:
+    label: '{{ item.item.name }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Fetch SIG(0) keys
+  ansible.builtin.fetch:
+    src: '{{ item }}'
+    dest: '{{ secret + "/bind/" + inventory_hostname + "/" }}'
+    flat: True
+  loop: '{{ bind__tmp_sig0_fetch | d([]) }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Find SIG(0) private keys to remove
+  ansible.builtin.find:
+    paths: '{{ item.dir }}'
+    use_regex: False
+    recurse: False
+    patterns:
+      - '{{ item.private_key }}'
+  when:
+    - item.state == 'present'
+    - item.type == 'SIG(0)'
+    - item.remove_private_key
+  register: bind__tmp_find_sig0_keys
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Build combined list of SIG(0) private keys to remove
+  ansible.builtin.set_fact:
+    bind__tmp_sig0_remove: '{{ bind__tmp_sig0_remove | d([]) + item.files | d([]) | map(attribute="path") }}'
+  loop: '{{ bind__tmp_find_sig0_keys.results | d([]) }}'
+  when: item.files is defined
+  loop_control:
+    label: '{{ item.item.name }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Remove SIG(0) private keys
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: absent
+  loop: '{{ bind__tmp_sig0_remove | d([]) }}'
+  tags: [ 'role::bind:keys' ]
+
+- name: Remove TSIG/SIG(0) keys configured as absent
+  ansible.builtin.shell:  # noqa command-instead-of-shell no-free-form
+    chdir: '{{ item.dir }}'
+    cmd: rm -f {{ item.removes }}
+    removes: '{{ item.removes }}'
+  when:
+    - item.state == 'absent'
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:keys' ]
+
+- name: Upload TSIG/SIG(0) keys from the controller
+  ansible.builtin.copy:
+    src: '{{ item.source_path if item.source_path.startswith("/") else secret + "/" + item.source_path }}'
+    dest: '{{ item.dir + "/" + item.source_path | basename }}'
+    owner: '{{ item.owner }}'
+    group: '{{ item.group }}'
+    mode: '0640'
+  when:
+    - item.state == 'present'
+    - item.source == 'controller'
+  loop: '{{ bind__tmp_keys | d([]) }}'
+  loop_control:
+    label: '{{ item.name }}'
+  notify: [ 'Test named configuration and restart' ]
+  tags: [ 'role::bind:keys' ]
diff --git a/ansible_collections/debops/debops/roles/bind/templates/etc/ansible/facts.d/bind.fact.j2 b/ansible_collections/debops/debops/roles/bind/templates/etc/ansible/facts.d/bind.fact.j2
new file mode 100644
index 00000000..ea9ab518
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/templates/etc/ansible/facts.d/bind.fact.j2
@@ -0,0 +1,33 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('named')}
+
+try:
+    output['version'] = subprocess.check_output(
+            ["named", "-v"]
+            ).decode('utf-8').strip().split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/bind/templates/etc/bind/debops-bind-rollkey.json.j2 b/ansible_collections/debops/debops/roles/bind/templates/etc/bind/debops-bind-rollkey.json.j2
new file mode 100644
index 00000000..538b8730
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/templates/etc/bind/debops-bind-rollkey.json.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = { "_comments": [ ansible_managed ] } %}
+{% for opt in bind__dnssec_script_combined_configuration | debops.debops.parse_kv_items %}
+{%   set _ = output.update({ opt.name : opt.value }) %}
+{% endfor %}
+{{ output | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/bind/templates/etc/bind/named.conf.j2 b/ansible_collections/debops/debops/roles/bind/templates/etc/bind/named.conf.j2
new file mode 100644
index 00000000..3d2c9e8c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/templates/etc/bind/named.conf.j2
@@ -0,0 +1,138 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+//
+// /etc/bind/named.conf - Main configuration file for bind.
+//
+// {{ ansible_managed }}
+//
+{% macro print_zone(zone, commented, loop_first, level) %}
+{%   if zone.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     set prefix = ("{:^" + (level * global.indent) | string + "}").format('') %}
+{%     set comment_prefix = (prefix + "// ") %}
+{%     if commented or zone.state | d('present') == 'comment' %}
+{%       set commented = True %}
+{%       set prefix = comment_prefix %}
+{%     endif %}
+{%     if not loop_first %}
+{{       '' }}
+{%     endif %}
+{%     if zone.comment | d() %}
+{{       zone.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%     endif %}
+{{     '{}zone "{}" {{'.format(prefix, zone.name) }}
+{%     for option in zone.options | d([]) %}
+{{       print_option(option, commented, loop.first, level + 1) -}}
+{%     endfor %}
+{{     '{}}};'.format(prefix) }}
+{%   endif %}
+{% endmacro %}
+{##}
+{% macro print_views(commented, level) %}
+{%   for view in bind__views | d([]) %}
+{%     if view.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%       set global.view = view.view | d("<unknown>") %}
+{%       set prefix = ("{:^" + (level * global.indent) | string + "}").format('') %}
+{%       set comment_prefix = (prefix + "// ") %}
+{%       if commented or view.state | d('present') == 'comment' %}
+{%         set commented = True %}
+{%         set prefix = comment_prefix %}
+{%       endif %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{%       if view.comment | d() %}
+{{         view.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%       endif %}
+{%       if view.view | d('_default') != '_default' %}
+{{         '{}view "{}" {{'.format(prefix, view.view) }}
+{%         set level = level + 1 %}
+{%       endif %}
+{%       for option in view.options | d([]) %}
+{{         print_option(option, commented, loop.first, level) -}}
+{%       endfor %}
+{%       for zone in view.zones | d([]) %}
+{%         set global.zone = zone.name | d("<unknown>") %}
+{%         set global.zone_file = '"{}/db.zone"'.format(zone.dir | d("/var/lib/bind/views/" + zone.view + "/" + zone.name)) %}
+{{         print_zone(zone, commented, loop.first, level) -}}
+{%       endfor %}
+{%       if view.view | d('_default') != '_default' %}
+{{         '{}}};'.format(prefix) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{##}
+{% macro print_keys(commented, level) %}
+{%   for key in bind__tmp_keys | d([]) %}
+{%     if key.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%       set prefix = ("{:^" + (level * global.indent) | string + "}").format('') %}
+{%       set comment_prefix = (prefix + "// ") %}
+{%       if commented or key.state | d('present') == 'comment' %}
+{%         set commented = True %}
+{%         set prefix = comment_prefix %}
+{%       endif %}
+{%       if key.include | d(True) | bool and key.dir | d() and key.public_key | d() %}
+{{         '{}include "{}/{}";'.format(prefix, key.dir | regex_replace('/*$', ''), key.public_key) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{##}
+{% macro print_autovalue(option, autovalue, commented, level) %}
+{%   set prefix = ("{:^" + (level * global.indent) | string + "}").format('') %}
+{%   set comment_prefix = (prefix + "// ") %}
+{%   if commented %}
+{%     set commented = True %}
+{%     set prefix = comment_prefix %}
+{%   endif %}
+{%   if autovalue == 'keys' %}
+{{     print_keys(commented, level) -}}
+{%   elif autovalue == 'zones' %}
+{{     print_views(commented, level) -}}
+{%   elif autovalue == 'zone_file_path' %}
+{{     '{}{} {};'.format(prefix, option.option | d(option.name), global.zone_file) }}
+{%   endif %}
+{% endmacro %}
+{##}
+{% macro print_option(option, commented, loop_first, level) %}
+{%   if option.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set prefix = ("{:^" + (level * global.indent) | string + "}").format('') %}
+{%     set comment_prefix = (prefix + "// ") %}
+{%     if commented or option.state | d('present') == 'comment' %}
+{%       set commented = True %}
+{%       set prefix = comment_prefix %}
+{%     endif %}
+{%     if option.separator | d(False) or level == 0 or (option.comment | d() and not loop_first) %}
+{{       '' }}
+{%     endif %}
+{%     if option.comment | d() %}
+{{       option.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%     endif %}
+{%     if option.raw | d() and commented %}
+{{       '{}'.format(option.raw | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='')) -}}
+{%     elif option.raw | d() and not commented %}
+{{       '{}{}'.format(prefix, option.raw | regex_replace('\n$', '')) }}
+{%     elif option.options | d() %}
+{{       '{}{} {{'.format(prefix, option.option | d(option.name) | regex_replace('\n$', '')) }}
+{%       for option in option.options %}
+{{         print_option(option, commented, loop.first, level + 1) -}}
+{%       endfor %}
+{{       '{}}};'.format(prefix) }}
+{%     elif option.autovalue | d() %}
+{{       print_autovalue(option, option.autovalue, commented, level) -}}
+{%     else %}
+{{       '{}{} {};'.format(prefix, option.option | d(option.name), option.value | d("")) }}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{##}
+{% set global = namespace() %}
+{% set global.indent = 8 %}
+{% set global.view = "<undefined>" %}
+{% set global.zone = "<undefined>" %}
+{% set global.zone_file = "<undefined>" %}
+{% for option in bind__combined_configuration | debops.debops.parse_kv_config %}
+{{   print_option(option, False, loop.first, 0) -}}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/bind/templates/etc/pki/hooks/bind.j2 b/ansible_collections/debops/debops/roles/bind/templates/etc/pki/hooks/bind.j2
new file mode 100644
index 00000000..c89da305
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/templates/etc/pki/hooks/bind.j2
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Copyright (C)      2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# Based on the postfix hook which is:
+# Copyright (C)      2020 Rainer Schuth <devel@reixd.net>
+# Copyright (C)      2018 Norbert Summer <git@o-g.at>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart named on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+bind_config="/etc/bind/named.conf"
+bind_action="{{ bind__pki_hook_action }}"
+bind_service="named.service"
+
+# Check if current PKI realm is used by the 'named' server
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${bind_config} || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                bind_state="$(systemctl is-active ${bind_service})"
+                if [ "${bind_state}" = "active" ] ; then
+		    systemctl "${bind_action}" "${bind_service}"
+                fi
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/bind/templates/var/lib/bind/views/view/zone/db.zone.j2 b/ansible_collections/debops/debops/roles/bind/templates/var/lib/bind/views/view/zone/db.zone.j2
new file mode 100644
index 00000000..5fcd7aa2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bind/templates/var/lib/bind/views/view/zone/db.zone.j2
@@ -0,0 +1,73 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+;
+{% if item.view | d("_default") == "_default" %}
+; BIND db file for zone {{ item.name }}
+{% else %}
+; BIND db file for zone {{ item.name }} in view {{ item.view }}
+{% endif %}
+;
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', decoration='; ', postfix='') -}}
+;
+{% endif %}
+
+$TTL		{{ item.ttl | d(bind__default_zone_ttl) }}
+$ORIGIN		{{ item.origin | d(item.name) | regex_replace("\.*$", ".") }}
+@	IN	SOA	{{ item.soa_primary | d(bind__default_zone_soa_primary) }} {{ item.soa_email | d(bind__default_zone_soa_email) }} (
+		     	{{ '{:<7}'.format(item.soa_serial | d(bind__default_zone_soa_serial) | int) }} ; Serial
+		     	{{ '{:<7}'.format(item.soa_refresh | d(bind__default_zone_soa_refresh)) }} ; Refresh
+		     	{{ '{:<7}'.format(item.soa_retry | d(bind__default_zone_soa_retry)) }} ; Retry
+		     	{{ '{:<7}'.format(item.soa_expire | d(bind__default_zone_soa_expire)) }} ; Expire
+		     	{{ '{:<7}'.format(item.soa_neg_ttl | d(bind__default_zone_soa_neg_ttl)) }} ; Negative Cache TTL
+			)
+
+{% if item.content is string %}
+{{   item.content }}
+{% elif item.content is iterable and item.content is not mapping and item.content[0] is string %}
+{%   for line in item.content %}
+{{     line }}
+{%   endfor %}
+{% else %}
+{%   set rrs = item.content | d([]) | debops.debops.parse_kv_items(name='name') %}
+{%   set owner_maxlen = { 'value': 21 } %}
+{%   for rr in rrs %}
+{%     if rr.state | d("present") in [ "present", "commented" ] and rr.raw is not defined %}
+{%       if rr.owner | d(rr.name) | d() and rr.type | d() and rr.rdata | d(rr.value) | d() %}
+{%         set owner_len = rr.owner | d(rr.name) | length %}
+{%         if rr.state | d("present") == "commented" %}
+{%           set owner_len = owner_len + 2 %}
+{%         endif %}
+{%         if owner_len > owner_maxlen.value %}
+{%           if owner_maxlen.update({ 'value': owner_len }) %}
+{#             do nothing #}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{%   for rr in rrs %}
+{%     if rr.state | d("present") in [ "present", "commented "] %}
+{%       if rr.comment | d() %}
+{{         rr.comment | regex_replace('\n$', '') | comment(prefix='', decoration='; ', postfix='') -}}
+{%       endif %}
+{%       if rr.state | d("present") == "commented" %}
+{%         set prefix = "; " %}
+{%       else %}
+{%         set prefix = "" %}
+{%       endif %}
+{%       if rr.raw | d() %}
+{{         rr.raw | regex_replace('\n$', '') | comment(prefix='', decoration=prefix, postfix='') -}}
+{%       elif rr.owner | d(rr.name) | d() and rr.type | d() and rr.rdata | d(rr.value) | d() %}
+{%         set owner = rr.owner | d(rr.name) %}
+{%         set ttl = rr.ttl | d("") %}
+{%         set class = rr.class | d("") %}
+{%         set type = rr.type %}
+{%         set rdata = rr.rdata | d(rr.value) %}
+{{         ('{}{:<' + owner_maxlen.value | string + '}   {:<7} {:<7} {:<7} {}').format(prefix, owner, ttl, class, type, rdata) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/bitcoind/COPYRIGHT b/ansible_collections/debops/debops/roles/bitcoind/COPYRIGHT
new file mode 100644
index 00000000..9cd203fa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/COPYRIGHT
@@ -0,0 +1,19 @@
+bitcoind - Setup and manage bitcoind
+
+Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/bitcoind/defaults/main.yml b/ansible_collections/debops/debops/roles/bitcoind/defaults/main.yml
new file mode 100644
index 00000000..1a301255
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/defaults/main.yml
@@ -0,0 +1,293 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# .. _bitcoind__ref_defaults:
+
+# debops-contrib.bitcoind default variables [[[
+# =============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: bitcoind__base_packages [[[
+#
+# List of base packages to install.
+bitcoind__base_packages:
+  - 'bitcoind'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that bitcoind is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that bitcoind is uninstalled and it's configuration is removed.
+#   This mode is not fully tested and might not remove all "traces".
+#
+bitcoind__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT repository configuration [[[
+# --------------------------------
+
+# .. envvar:: bitcoind__upstream_repository [[[
+#
+# APT URLs of the upstream Bitcoin repositories based on the OS distribution.
+bitcoind__upstream_repository:
+  Ubuntu: 'ppa:bitcoin/bitcoin'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__upstream_key_fingerprint [[[
+#
+# The OpenPGP key fingerprint for the key by which the upstream APT
+# repository is signed.
+bitcoind__upstream_key_fingerprint: 'C70E F1F0 305A 1ADB 9986 DBD8 D46F 4542 8842 CE5E'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: bitcoind__allow [[[
+#
+# Allow access to bitcoind from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+bitcoind__allow: []
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__group_allow [[[
+#
+# Allow access to bitcoind from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+bitcoind__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__host_allow [[[
+#
+# Allow access to bitcoind from specified IP addresses or CIDR networks.
+# If not specified, allows access from all networks.
+bitcoind__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__interfaces [[[
+#
+# List of network interfaces from which to allow access to bitcoind.
+# If not specified, allows access from all interfaces.
+bitcoind__interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__port [[[
+#
+# Bitcoin P2P TCP port.
+bitcoind__port: '{{ 8333 if (not bitcoind__testnet | bool) else 18333 }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__rpc_port [[[
+#
+# Bitcoin JSON-RPC TCP port.
+bitcoind__rpc_port: '{{ 8332 if (not bitcoind__testnet | bool) else 18332 }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__max_connections [[[
+#
+# Maximum number of inbound+outbound connections.
+# ``{{ omit }}`` will not configure this option explicitly which will cause
+# bitcoind to fallback to it’s compiled in default.
+# Refer to :manpage:`bitcoind(1)` for details.
+bitcoind__max_connections: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__listen_onion [[[
+#
+# Automatically create Tor hidden service.
+bitcoind__listen_onion: True
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__tor_control [[[
+#
+# Tor control port to use if onion listening enabled.
+bitcoind__tor_control: '[::1]:9051'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__tor_password [[[
+#
+# Tor control port password. Default is an empty password.
+bitcoind__tor_password: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# File and directory paths [[[
+# ----------------------------
+
+# .. envvar:: bitcoind__home_path [[[
+#
+# The bitcoind system account home directory.
+bitcoind__home_path: '{{ (ansible_local.fhs.home | d("/var/local"))
+                         + "/" + bitcoind__user }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__data_directory [[[
+#
+# The bitcoind data directory.
+bitcoind__data_directory: '{{ bitcoind__home_path + "/.bitcoin" }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__pid_file_path [[[
+#
+# The bitcoind PID file path.
+bitcoind__pid_file_path: '{{ bitcoind__data_directory + "/bitcoind.pid" }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__config_dir_path [[[
+#
+# The bitcoind config directory path.
+# Not using :file:`/etc/bitcoin` because Bitcoin tools do not expect this.
+bitcoind__config_dir_path: '{{ bitcoind__data_directory }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__config_file_path [[[
+#
+# The bitcoind config file path.
+bitcoind__config_file_path: '{{ bitcoind__config_dir_path + "/bitcoin.conf" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System user and group [[[
+# -------------------------
+
+# .. envvar:: bitcoind__user [[[
+#
+# System UNIX account under which bitcoind is run.
+bitcoind__user: 'bitcoind'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__group [[[
+#
+# System UNIX group used by bitcoind.
+bitcoind__group: 'bitcoind'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__gecos [[[
+#
+# Contents of the GECOS field set for the bitcoind account.
+bitcoind__gecos: 'Bitcoin distributed currency'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__shell [[[
+#
+# The default shell set on the bitcoind account.
+bitcoind__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# bitcoind configuration [[[
+# --------------------------
+
+# .. envvar:: bitcoind__testnet [[[
+#
+# Run on the test network instead of the real Bitcoin network.
+bitcoind__testnet: False
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__txindex [[[
+#
+# Maintain a full transaction index, used by the ``getrawtransaction`` RPC call.
+bitcoind__txindex: False
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__max_mem_pool_limit [[[
+#
+# The float variable used to limit the maximum RAM available for the
+# transaction memory pool, by default ~50 % of system memory.
+bitcoind__max_mem_pool_limit: 0.5
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__max_mem_pool [[[
+#
+# Keep the transaction memory pool below the given number of megabytes.
+bitcoind__max_mem_pool: '{{ (ansible_memtotal_mb * bitcoind__max_mem_pool_limit) | round | int }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__max_upload_target [[[
+#
+# Tries to keep outbound traffic under the given target (in MiB per 24h),
+# ``0`` means no limit.
+bitcoind__max_upload_target: 0
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__print_to_console [[[
+#
+# Send trace/debug info to console instead of debug.log file.
+# Can be set to ``True`` so that logging can be handled by systemd.
+bitcoind__print_to_console: False
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__disable_wallet [[[
+#
+# Do not load the wallet and disable wallet RPC calls.
+bitcoind__disable_wallet: True
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__custom_options [[[
+#
+# Custom options to append to the :file:`bitcoin.conf` file.
+bitcoind__custom_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: bitcoind__etc_services__dependent_list [[[
+#
+# Configuration for the debops.etc_services_ role which registers port
+# numbers for bitcoind.
+bitcoind__etc_services__dependent_list:
+
+  - name: 'bitcoin'
+    port: '{{ bitcoind__port }}'
+    comment: 'bitcoin P2P'
+    state: '{{ "present" if (bitcoind__deploy_state != "purged") else "absent" }}'
+
+  - name: 'bitcoin-rpc'
+    port: '{{ bitcoind__rpc_port }}'
+    comment: 'bitcoin JSON-RPC'
+    state: '{{ "present" if (bitcoind__deploy_state != "purged") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+bitcoind__keyring__dependent_apt_keys:
+
+  - id: '{{ bitcoind__upstream_key_fingerprint }}'
+    repo: '{{ bitcoind__upstream_repository[ansible_distribution] }}'
+    state: '{{ "present" if (bitcoind__deploy_state == "present") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: bitcoind__ferm__dependent_rules [[[
+#
+# Configuration for debops.ferm_ firewall. It should be added when
+# debops.ferm_ role is used to configure bitcoind firewall rules.
+bitcoind__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'bitcoin' ]
+    saddr: '{{ bitcoind__allow + bitcoind__group_allow + bitcoind__host_allow }}'
+    accept_any: True
+    interface: '{{ bitcoind__interfaces }}'
+    weight: '40'
+    by_role: 'debops-contrib.bitcoind'
+    name: 'bitcoin_p2p'
+    rule_state: '{{ "present" if (bitcoind__deploy_state != "purged") else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/changelog.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/changelog.rst
new file mode 100644
index 00000000..6d01c6ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/copyright.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/copyright.rst
new file mode 100644
index 00000000..ce69ac9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/getting-started.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/getting-started.rst
new file mode 100644
index 00000000..7f9a8560
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/getting-started.rst
@@ -0,0 +1,59 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _bitcoind__ref_getting_started:
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To manage bitcoind on a given host or set of hosts, they need to
+be added to the ``[debops_service_bitcoind]`` Ansible group in the inventory:
+
+.. code:: ini
+
+   [debops_service_bitcoind]
+   hostname
+
+Example playbook
+----------------
+
+If you are using this role without DebOps, here's an example Ansible playbook
+that uses the ``debops-contrib.bitcoind`` role:
+
+.. literalinclude:: playbooks/bitcoind.yml
+   :language: yaml
+   :lines: 1,5-
+
+The playbook is shipped with this role under
+:file:`./docs/playbooks/bitcoind.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::bitcoind``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::bitcoind:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/includes/all.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/includes/all.rst
new file mode 100644
index 00000000..3d8020e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/includes/all.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
+.. include:: includes/role.rst
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/includes/role.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/includes/role.rst
new file mode 100644
index 00000000..86c8050f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/includes/role.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _Bitcoin: https://bitcoin.org
+.. _bitcoind: https://en.bitcoin.it/wiki/Bitcoind
+.. _full node: https://en.bitcoin.it/wiki/Full_node
+.. _Running A Full Node: https://bitcoin.org/en/full-node
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/index.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/index.rst
new file mode 100644
index 00000000..14f14fed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.bitcoind:
+
+Ansible role: debops-contrib.bitcoind
+=====================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/introduction.rst b/ansible_collections/debops/debops/roles/bitcoind/docs/introduction.rst
new file mode 100644
index 00000000..950e5ca6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/introduction.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.bitcoind`` role allows you to manage and configure bitcoind_.
+bitcoind can be used to run a `full node`_ in the distributed cryptocurrency network Bitcoin_.
+A full node is a program that fully validates transactions and blocks and
+therefore enforces all of the rules of Bitcoin.
+
+Refer to `Running A Full Node`_ for details.
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.5``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.bitcoind
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/bitcoind/docs/playbooks/bitcoind.yml b/ansible_collections/debops/debops/roles/bitcoind/docs/playbooks/bitcoind.yml
new file mode 100644
index 00000000..782a7841
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/docs/playbooks/bitcoind.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage bitcoind
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_bitcoind' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: etc_services
+      tags: [ 'role::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ bitcoind__etc_services__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ bitcoind__ferm__dependent_rules }}'
+
+    - role: bitcoind
+      tags: [ 'role::bitcoind' ]
diff --git a/ansible_collections/debops/debops/roles/bitcoind/handlers/main.yml b/ansible_collections/debops/debops/roles/bitcoind/handlers/main.yml
new file mode 100644
index 00000000..0454666e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart bitcoind
+  ansible.builtin.systemd:
+    name: 'bitcoind'
+    state: 'restarted'
+  when: (not bitcoind__register_systemd_unit_state is changed and ansible_distribution_release not in ["trusty"])
diff --git a/ansible_collections/debops/debops/roles/bitcoind/meta/main.yml b/ansible_collections/debops/debops/roles/bitcoind/meta/main.yml
new file mode 100644
index 00000000..2912ea33
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider'
+  description: 'Setup and manage bitcoind'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: Ubuntu
+      versions:
+        # - trusty
+        - xenial
+
+  galaxy_tags:
+    - currency
+    - money
+    - bank
+    - bitcoin
+    - fullnode
+    - btc
+    - p2p
+    - cryptocurrency
+    - cryptography
diff --git a/ansible_collections/debops/debops/roles/bitcoind/tasks/main.yml b/ansible_collections/debops/debops/roles/bitcoind/tasks/main.yml
new file mode 100644
index 00000000..557b1302
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/tasks/main.yml
@@ -0,0 +1,69 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", bitcoind__base_packages) }}'
+    state: '{{ "present" if (bitcoind__deploy_state == "present") else "absent" }}'
+  register: bitcoind__register_packages
+  until: bitcoind__register_packages is succeeded
+  tags: [ 'role::bitcoind:pkgs' ]
+
+# System user and group [[[
+- name: Create bitcoind system group
+  ansible.builtin.group:
+    name: '{{ bitcoind__group }}'
+    state: '{{ "present" if (bitcoind__deploy_state == "present") else "absent" }}'
+    system: True
+
+- name: Create bitcoind system user
+  ansible.builtin.user:
+    name: '{{ bitcoind__user }}'
+    group: '{{ bitcoind__group }}'
+    append: False
+    home: '{{ bitcoind__home_path }}'
+    comment: '{{ bitcoind__gecos }}'
+    shell: '{{ bitcoind__shell }}'
+    state: '{{ "present" if (bitcoind__deploy_state == "present") else "absent" }}'
+    system: True
+# ]]]
+
+- name: Ensure bitcoind config dir exists
+  ansible.builtin.file:
+    path: '{{ bitcoind__config_dir_path }}'
+    owner: '{{ bitcoind__user }}'
+    group: '{{ bitcoind__group }}'
+    mode: '0750'
+    state: 'directory'
+  when: (bitcoind__deploy_state == "present")
+
+- name: Configure bitcoind
+  ansible.builtin.template:
+    src: 'etc/bitcoin/bitcoin.conf.j2'
+    dest: '{{ bitcoind__config_file_path }}'
+    owner: '{{ bitcoind__user }}'
+    group: '{{ bitcoind__group }}'
+    mode: '0640'
+  when: (bitcoind__deploy_state == "present")
+
+- name: Configure systemd unit file for bitcoind
+  ansible.builtin.template:
+    src: 'etc/systemd/system/bitcoind.service.j2'
+    dest: '/etc/systemd/system/bitcoind.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: bitcoind__register_systemd_unit_file
+  when: (bitcoind__deploy_state == "present")
+
+- name: Set bitcoind state using systemd
+  ansible.builtin.systemd:
+    name: 'bitcoind'
+    state: '{{ "started" if (bitcoind__deploy_state == "present") else "stopped" }}'
+    enabled: True
+    masked: False
+    daemon_reload: '{{ bitcoind__register_systemd_unit_file is changed }}'
+  register: bitcoind__register_systemd_unit_state
+  when: (bitcoind__deploy_state == "present" and ansible_distribution_release not in ["trusty"])
diff --git a/ansible_collections/debops/debops/roles/bitcoind/templates/etc/bitcoin/bitcoin.conf.j2 b/ansible_collections/debops/debops/roles/bitcoind/templates/etc/bitcoin/bitcoin.conf.j2
new file mode 100644
index 00000000..77ec5a30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/templates/etc/bitcoin/bitcoin.conf.j2
@@ -0,0 +1,43 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+##
+## bitcoin.conf configuration file. Lines beginning with # are comments.
+## https://en.bitcoin.it/wiki/Running_Bitcoin
+##
+
+datadir={{ bitcoind__data_directory | quote }}
+
+# Network-related settings
+# ~~~~~~~~~~~~~~~~~~~~~~~~
+
+testnet={{ bitcoind__testnet | bool | ternary("1", "0") }}
+
+listenonion={{ bitcoind__listen_onion | bool | ternary("1", "0") }}
+torcontrol={{ bitcoind__tor_control }}
+torpassword={{ bitcoind__tor_password }}
+
+# Connect via a SOCKS5 proxy
+#proxy=127.0.0.1:9050
+
+{% if bitcoind__max_connections == omit %}
+#maxconnections=
+{% else %}
+maxconnections={{ bitcoind__max_connections | int }}
+{% endif %}
+
+# Miscellaneous options
+# ~~~~~~~~~~~~~~~~~~~~~
+
+maxuploadtarget={{ bitcoind__max_upload_target | int }}
+
+txindex={{ bitcoind__txindex | bool | ternary("1", "0") }}
+maxmempool={{ bitcoind__max_mem_pool | int }}
+{% if bitcoind__custom_options %}
+
+# Miscellaneous options (bitcoind__custom_options)
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+{{ bitcoind__custom_options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/bitcoind/templates/etc/systemd/system/bitcoind.service.j2 b/ansible_collections/debops/debops/roles/bitcoind/templates/etc/systemd/system/bitcoind.service.j2
new file mode 100644
index 00000000..dad9aa91
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/bitcoind/templates/etc/systemd/system/bitcoind.service.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# Source: https://raw.githubusercontent.com/bitcoin/bitcoin/master/contrib/init/bitcoind.service
+
+[Unit]
+Description=Bitcoin's distributed currency daemon
+After=network.target
+
+[Service]
+User={{ bitcoind__user }}
+Group={{ bitcoind__group }}
+
+Type=forking
+PIDFile={{ bitcoind__pid_file_path | quote }}
+ExecStart=/usr/bin/bitcoind -daemon {{ "-printtoconsole" if bitcoind__print_to_console | bool else "" }} {{ "-disablewallet" if bitcoind__disable_wallet | bool else "" }} \
+    -pid={{ bitcoind__pid_file_path | quote }} \
+    -conf={{ bitcoind__config_file_path | quote }}
+
+Restart=always
+PrivateTmp=true
+TimeoutStopSec=60s
+TimeoutStartSec=2s
+StartLimitInterval=120s
+StartLimitBurst=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/boxbackup/COPYRIGHT b/ansible_collections/debops/debops/roles/boxbackup/COPYRIGHT
new file mode 100644
index 00000000..b4bb06d4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.boxbackup - Manage BoxBackup backup service
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/boxbackup/defaults/main.yml b/ansible_collections/debops/debops/roles/boxbackup/defaults/main.yml
new file mode 100644
index 00000000..c25f38ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/defaults/main.yml
@@ -0,0 +1,124 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _boxbackup__ref_defaults:
+
+# debops.boxbackup default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# .. envvar:: boxbackup_server [[[
+#
+# FQDN address of the Box Backup server to use
+boxbackup_server: '{{ hostvars[groups.debops_boxbackup[0]]["ansible_fqdn"] }}'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_allow [[[
+#
+# Set to list of IP addresses / network ranges to allow access only from these
+# networks. Empty list allows access from any host / network.
+boxbackup_allow: []
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_storage [[[
+#
+# Directory where boxbackup-server is storing backups
+boxbackup_storage: '/var/local/boxbackup'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_listenAddresses [[[
+#
+# boxbackup-server is listening on this IP address (all interfaces by default)
+boxbackup_listenaddresses: '0.0.0.0'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_verbose [[[
+#
+# Enable/Disable verbose logging
+boxbackup_verbose: 'no'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_account [[[
+#
+# 32-bit hexadecimal number representing the boxbackup-client account on the server
+boxbackup_account: '{{ (ansible_fqdn | sha1)[:8] }}'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_softlimit [[[
+#
+# Soft limit for storage space in megabytes, by default it's calculated as
+# total disk space of a given host. When used space is bigger than this,
+# boxbackup-server starts to remove old and deleted data
+boxbackup_softlimit:
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_hardlimit [[[
+#
+# Hard limit for storage space in megabytes. by default it's calculated as
+# soft limit * multiplier (see below). When used space reaches this limit,
+# server refuses to accept new data
+boxbackup_hardlimit:
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_softlimit_padding [[[
+#
+# Additional disk space added to soft limit, in megabytes. If this number is
+# negative, you will subtract given amount of disk space from calculated soft
+# limit
+boxbackup_softlimit_padding: 1024
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_hardlimit_multiplier [[[
+#
+# Hard limit multiplier will by default set hard limit to equal
+# soft limit + 50%. If you set this number lower than 1.0, you will have
+# smaller hard limit than soft limit, which is not a good idea
+boxbackup_hardlimit_multiplier: 1.5
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_email [[[
+#
+# Email address which will receive alerts from boxbackup. By default it's
+# <backup@localhost>, which is usually aliased to root account
+boxbackup_email: 'backup'
+
+                                                                   # ]]]
+# .. envvar:: boxbackup_locations [[[
+#
+# List of directories to back up; directory is a hash key, optional
+# exclude/include directives should be written as a text block. Examples can be
+# found in the /etc/boxbackup/bbackupd.conf config file
+boxbackup_locations:
+  '/etc': |
+    ExcludeFile = /etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw
+
+  '/home':
+
+  '/opt':
+
+  '/root':
+
+  '/srv':
+
+  '/usr/local':
+
+  '/var': |
+    ExcludeDir = /var/spool/postfix/dev
+
+# ]]]
+# .. envvar:: boxbackup_locations_custom [[[
+#
+# List of additional directories / mount points to back up, format is the same
+# as a list above
+boxbackup_locations_custom:
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/boxbackup/handlers/main.yml b/ansible_collections/debops/debops/roles/boxbackup/handlers/main.yml
new file mode 100644
index 00000000..16114ebd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart boxbackup-server
+  ansible.builtin.service:
+    name: 'boxbackup-server'
+    state: 'restarted'
+
+- name: Restart boxbackup-client
+  ansible.builtin.service:
+    name: 'boxbackup-client'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/boxbackup/meta/main.yml b/ansible_collections/debops/debops/roles/boxbackup/meta/main.yml
new file mode 100644
index 00000000..d9e6efe5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure BoxBackup as a centralized backup service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - backup
+    - system
diff --git a/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_clients.yml b/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_clients.yml
new file mode 100644
index 00000000..db9558f0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_clients.yml
@@ -0,0 +1,87 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install Box Backup client package
+  ansible.builtin.package:
+    name: 'boxbackup-client'
+    state: 'present'
+  register: boxbackup__register_client_packages
+  until: boxbackup__register_client_packages is succeeded
+
+- name: Set backup softlimit size for client hosts
+  ansible.builtin.set_fact:
+    boxbackup_softlimit: '{{ (ansible_mounts | sum(attribute="size_total") / 1024 / 1024
+                              + boxbackup_softlimit_padding) | int }}'
+  when: (boxbackup_softlimit is undefined or not boxbackup_softlimit)
+
+- name: Set backup hardlimit size for client hosts
+  ansible.builtin.set_fact:
+    boxbackup_hardlimit: '{{ (boxbackup_softlimit | float * boxbackup_hardlimit_multiplier | float) | int }}'
+  when: (boxbackup_hardlimit is undefined or not boxbackup_hardlimit)
+
+- name: Create accounts for client hosts
+  ansible.builtin.command: bbstoreaccounts create {{ boxbackup_account }} {{ boxbackup_discnum }}
+                                  {{ boxbackup_softlimit }}M {{ boxbackup_hardlimit }}M
+  args:
+    creates: '{{ boxbackup_storage }}/backup/{{ boxbackup_account }}/info.rfw'
+  delegate_to: '{{ boxbackup_server }}'
+
+- name: Make sure that boxbackup client directories exists
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
+  with_items: [ '/etc/boxbackup', '/etc/boxbackup/bbackupd', '/etc/boxbackup/servers/{{ boxbackup_server }}' ]
+
+- name: Check if encryption key exists on Ansible Controller
+  ansible.builtin.stat:
+    path: '{{ secret + "/storage/boxbackup/clients/" + ansible_fqdn + "/" + boxbackup_account + "-FileEncKeys.raw" }}'
+  register: boxbackup_register_enckeys
+  delegate_to: 'localhost'
+  become: False
+
+- name: Download BoxBackup encryption key from archive
+  ansible.builtin.copy:
+    src: '{{ secret + "/storage/boxbackup/clients/" + ansible_fqdn + "/" + boxbackup_account + "-FileEncKeys.raw" }}'
+    dest: '/etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  when: boxbackup_register_enckeys.stat.exists
+  notify: [ 'Restart boxbackup-client' ]
+
+- name: Create encryption key on client hosts
+  ansible.builtin.command: openssl rand -out /etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw
+                        {{ boxbackup_encrypt_bits }}
+  args:
+    creates: '/etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw'
+  notify:
+    - Restart boxbackup-client
+
+- name: Archive client encryption key
+  ansible.builtin.fetch:
+    src: '/etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw'
+    dest: '{{ secret }}/storage/boxbackup/clients/{{ ansible_fqdn }}/{{ boxbackup_account }}-FileEncKeys.raw'
+    flat: 'yes'
+
+- name: Install notification script on client hosts
+  ansible.builtin.template:
+    src: 'etc/boxbackup/bbackupd/NotifySysadmin.sh.j2'
+    dest: '/etc/boxbackup/bbackupd/NotifySysadmin.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
+
+- name: Configure client hosts
+  ansible.builtin.template:
+    src: 'etc/boxbackup/bbackupd.conf.j2'
+    dest: '/etc/boxbackup/bbackupd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify:
+    - Restart boxbackup-client
diff --git a/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_servers.yml b/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_servers.yml
new file mode 100644
index 00000000..f0dec9c1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/tasks/configure_servers.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install Box Backup server packages
+  ansible.builtin.package:
+    name: 'boxbackup-server'
+    state: 'present'
+  register: boxbackup__register_server_packages
+  until: boxbackup__register_server_packages is succeeded
+
+- name: Make sure that boxbackup server directories exists
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'bbstored'
+    group: 'bbstored'
+    mode: '0700'
+  with_items: [ '/etc/boxbackup', '/etc/boxbackup/bbstored',
+                '{{ boxbackup_storage }}', '{{ boxbackup_storage }}/backup' ]
+
+- name: Check block size of storage device
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          dumpe2fs -h $(df {{ boxbackup_storage }} | tail -n 1 \
+          | awk '{ print $1 }') | grep 'Block size' | awk '{ print $3 }'"
+  args:
+    executable: 'bash'
+  register: boxbackup_storage_blocksize
+  changed_when: False
+
+- name: Make sure accounts.txt file exists
+  ansible.builtin.copy:
+    force: false
+    dest: /etc/boxbackup/bbstored/accounts.txt
+    content: ''
+    owner: bbstored
+    group: bbstored
+    mode: '0600'
+
+- name: Configure boxbackup server
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'bbstored'
+    group: 'bbstored'
+    mode: '0640'
+  with_items: [ 'etc/boxbackup/raidfile.conf', 'etc/boxbackup/bbstored.conf' ]
+  notify:
+    - Restart boxbackup-server
diff --git a/ansible_collections/debops/debops/roles/boxbackup/tasks/main.yml b/ansible_collections/debops/debops/roles/boxbackup/tasks/main.yml
new file mode 100644
index 00000000..d110333c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure server-side
+  ansible.builtin.include_tasks: configure_servers.yml
+  when: boxbackup_server is defined and boxbackup_server == ansible_fqdn
+
+- name: Configure client-side
+  ansible.builtin.include_tasks: configure_clients.yml
+  when: boxbackup_server is defined and boxbackup_server != ansible_fqdn
diff --git a/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd.conf.j2 b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd.conf.j2
new file mode 100644
index 00000000..95d801fc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd.conf.j2
@@ -0,0 +1,205 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+StoreHostname = {{ boxbackup_server }}
+AccountNumber = 0x{{ boxbackup_account }}
+KeysFile = /etc/boxbackup/bbackupd/{{ boxbackup_account }}-FileEncKeys.raw
+
+CertificateFile = /etc/pki/boxbackup-client/default.crt
+PrivateKeyFile = /etc/pki/boxbackup-client/default.key
+TrustedCAsFile = /etc/pki/boxbackup-client/CA.crt
+
+DataDirectory = /var/run
+
+{#	# This script is run whenever bbackupd changes state or encounters a
+	# problem which requires the system administrator to assist:
+	#
+	# 1) The store is full, and no more data can be uploaded.
+	# 2) Some files or directories were not readable.
+	# 3) A backup run starts or finishes.
+	#
+	# The default script emails the system administrator, except for backups
+	# starting and stopping, where it does nothing. #}
+NotifyScript = /etc/boxbackup/bbackupd/NotifySysadmin.sh
+
+{% if boxbackup_mode is defined and boxbackup_mode == 'lazy' %}
+{#	# The number of seconds between backup runs under normal conditions. To avoid
+	# cycles of load on the server, this time is randomly adjusted by a small
+	# percentage as the daemon runs. #}
+UpdateStoreInterval = {{ (boxbackup_interval | default(60) * 60 | int) | round | int | string }}
+{#
+	# The minimum age of a file, in seconds, that will be uploaded. Avoids
+	# repeated uploads of a file which is constantly being modified. #}
+MinimumFileAge = {{ (boxbackup_minimumfileage | default(6) * 60 * 60 | int) | round | int | string }}
+{#
+	# If a file is modified repeated, it won't be uploaded immediately in case
+	# it's modified again, due to the MinimumFileAge specified above. However, it
+	# should be uploaded eventually even if it is being modified repeatedly. This
+	# is how long we should wait, in seconds, after first noticing a change.
+	# (86400 seconds = 1 day) #}
+MaxUploadWait = {{ (boxbackup_maxuploadwait | default(24) * 60 * 60 | int) | round | int | string }}
+{#
+	# If the connection is idle for some time (e.g. over 10 minutes or 600
+	# seconds, not sure exactly how long) then the server will give up and
+	# disconnect the client, resulting in Connection Protocol_Timeout errors
+	# on the server and TLSReadFailed or TLSWriteFailed errors on the client.
+	# Also, some firewalls and NAT gateways will kill idle connections after
+	# similar lengths of time.
+	#
+	# This can happen for example when most files are backed up already and
+	# don't need to be sent to the store again, while scanning a large
+	# directory, or while calculating diffs of a large file. To avoid this,
+	# KeepAliveTime specifies that special keep-alive messages should be sent
+	# when the connection is otherwise idle for a certain length of time,
+	# specified here in seconds.
+	#
+	# The default is that these messages are never sent, equivalent to setting
+	# this option to zero, but we recommend that all users enable this. #}
+KeepAliveTime = 120
+{% elif boxbackup_mode is defined and boxbackup_mode == 'snapshot' %}
+# This configuration file is written for snapshot mode.
+# You will need to run bbackupctl to instruct the daemon to upload files.
+
+AutomaticBackup = no
+UpdateStoreInterval = 0
+MinimumFileAge = 0
+MaxUploadWait = 0
+{% endif %}
+
+{#	# Files above this size (in bytes) are tracked, and if they are renamed they will simply be
+	# renamed on the server, rather than being uploaded again. (64k - 1) #}
+FileTrackingSizeThreshold = {{ boxbackup_filetrackingsizethreshold | default('65535') }}
+{#
+	# The daemon does "changes only" uploads for files above this size (in bytes).
+	# Files less than it are uploaded whole without this extra processing. #}
+DiffingUploadSizeThreshold = {{ boxbackup_diffinguploadsizethreshold | default('8192') }}
+{#
+	# The limit on how much time is spent diffing files, in seconds. Most files
+	# shouldn't take very long, but if you have really big files you can use this
+	# to limit the time spent diffing them.
+	#
+	# * Reduce if you are having problems with processor usage.
+	#
+	# * Increase if you have large files, and think the upload of changes is too
+	#   large and you want bbackupd to spend more time searching for unchanged
+	#   blocks. #}
+MaximumDiffingTime = {{ boxbackup_maximumdiffingtime | default('120') }}
+
+{#	# More verbose logging #}
+ExtendedLogging = {{ boxbackup_verbose | default('no') }}
+
+{#	# This specifies a program or script which is run just before each
+	# sync, and ideally the full path to the interpreter. It will be run as the
+	# same user bbackupd is running as, usually root.
+	#
+	# The script must output (print) either "now" or a number to STDOUT (and a
+	# terminating newline, no quotes).
+	#
+	# If the result was "now", then the sync will happen. If it's a number, then
+	# no backup will happen for that number of seconds (bbackupd will pause) and
+	# then the script will be run again.
+	#
+	# Use this to temporarily stop bbackupd from synchronising or connecting to the
+	# store. For example, you could use this on a laptop to only backup when on a
+	# specific network, or when it has a working Internet connection.
+	# SyncAllowScript = /path/to/interpreter/or/exe script-name parameters etc #}
+{% if boxbackup_syncallowscript is defined and boxbackup_syncallowscript %}
+SyncAllowScript = {{ boxbackup_syncallowscript }}
+
+{% endif %}
+{# # Where the command socket is created in the filesystem. #}
+CommandSocket = /var/run/bbackupd.sock
+
+{#	# Uncomment the StoreObjectInfoFile to enable the experimental archiving
+	# of the daemon's state (including client store marker and configuration)
+	# between backup runs. This saves time and increases efficiency when
+	# bbackupd is frequently stopped and started, since it removes the need
+	# to rescan all directories on the remote server. However, it is new and
+	# not yet heavily tested, so use with caution.
+	# StoreObjectInfoFile = /var/run/bbackupd.state #}
+Server
+{
+	PidFile = /var/run/bbackupd.pid
+}
+
+{#	# BackupLocations specifies which locations on disc should be backed up. Each
+	# directory is in the format
+	#
+	#	name
+	#	{
+	#		Path = /path/of/directory
+	#		(optional exclude directives)
+	#	}
+	#
+	# 'name' is derived from the Path by the config script, but should merely be
+	# unique.
+	#
+	# The exclude directives are of the form
+	#
+	#	[Exclude|AlwaysInclude][File|Dir][|sRegex] = regex or full pathname
+	#
+	# (The regex suffix is shown as 'sRegex' to make File or Dir plural)
+	#
+	# For example:
+	#
+	#	ExcludeDir = /home/guest-user
+	#	ExcludeFilesRegex = .(mp3|MP3)$
+	#	AlwaysIncludeFile = /home/username/veryimportant.mp3
+	#
+	# This excludes the directory /home/guest-user from the backup along with all mp3
+	# files, except one MP3 file in particular.
+	#
+	# In general, Exclude excludes a file or directory, unless the directory is
+	# explicitly mentioned in a AlwaysInclude directive. However, Box Backup
+	# does NOT scan inside excluded directories and will never back up an
+	# AlwaysIncluded file or directory inside an excluded directory or any
+	# subdirectory thereof.
+	#
+	# To back up a directory inside an excluded directory, use a configuration
+	# like this, to ensure that each directory in the path to the important
+	# files is included, but none of their contents will be backed up except
+	# the directories further down that path to the important one.
+	#
+	# ExcludeDirsRegex = ^/home/user/bigfiles/
+	# ExcludeFilesRegex = ^/home/user/bigfiles/
+	# AlwaysIncludeDir = /home/user/bigfiles/path
+	# AlwaysIncludeDir = /home/user/bigfiles/path/to
+	# AlwaysIncludeDir = /home/user/bigfiles/path/important
+	# AlwaysIncludeDir = /home/user/bigfiles/path/important/files
+	# AlwaysIncludeDirsRegex = ^/home/user/bigfiles/path/important/files/
+	# AlwaysIncludeFilesRegex = ^/home/user/bigfiles/path/important/files/
+	#
+	# If a directive ends in Regex, then it is a regular expression rather than a
+	# explicit full pathname. See
+	#
+	#	man 7 re_format
+	#
+	# for the regex syntax on your platform. #}
+BackupLocations
+{
+{% if boxbackup_locations is defined and boxbackup_locations %}
+{% for location, options in boxbackup_locations.items() %}
+{{ location | replace("/","",1) | replace("/","-") | indent(8,true) }}
+        {
+                Path = {{ location }}
+{% if options is defined and options %}
+{{ options | indent(16,true) }}
+{% endif %}
+        }
+{% endfor %}
+{% endif %}
+{% if boxbackup_locations_custom is defined and boxbackup_locations_custom %}
+{% for location, options in boxbackup_locations_custom.items() %}
+{{ location | replace("/","",1) | replace("/","-") | indent(8,true) }}
+        {
+                Path = {{ location }}
+{% if options is defined and options %}
+{{ options | indent(16,true) }}
+{% endif %}
+        }
+{% endfor %}
+{% endif %}
+}
diff --git a/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd/NotifySysadmin.sh.j2 b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd/NotifySysadmin.sh.j2
new file mode 100755
index 00000000..6065cc73
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbackupd/NotifySysadmin.sh.j2
@@ -0,0 +1,74 @@
+#!/bin/sh
+
+# Copyright (C) 2003-2010 Ben Summers and contributors.
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# This file is managed by Ansible, all changes will be lost
+
+# This script is run whenever bbackupd changes state or encounters a
+# problem which requires the system administrator to assist:
+#
+# 1) The store is full, and no more data can be uploaded.
+# 2) Some files or directories were not readable.
+# 3) A backup run starts or finishes.
+#
+# The default script emails the system administrator, except for backups
+# starting and stopping, where it does nothing.
+
+SUBJECT="BACKUP PROBLEM on host {{ ansible_fqdn }}"
+SENDTO="{{ boxbackup_email }}"
+
+if [ "$1" = "" ]; then
+	echo "Usage: $0 <store-full|read-error|backup-error|backup-start|backup-finish>" >&2
+	exit 2
+elif [ "$1" = store-full ]; then
+	/usr/sbin/sendmail "$SENDTO" <<EOM
+Subject: $SUBJECT (store full)
+To: $SENDTO
+
+The store account for {{ ansible_fqdn }} is full.
+
+=============================
+FILES ARE NOT BEING BACKED UP
+=============================
+
+Please adjust the limits on account {{ boxbackup_account }} on server {{ boxbackup_server }}.
+
+EOM
+elif [ "$1" = read-error ]; then
+/usr/sbin/sendmail "$SENDTO" <<EOM
+Subject: $SUBJECT (read errors)
+To: $SENDTO
+
+Errors occurred reading some files or directories for backup on {{ ansible_fqdn }}.
+
+===================================
+THESE FILES ARE NOT BEING BACKED UP
+===================================
+
+Check the logs on {{ ansible_fqdn }} for the files and directories which caused
+these errors, and take appropriate action.
+
+Other files are being backed up.
+
+EOM
+elif [ "$1" = backup-start ] || [ "$1" = backup-finish ] || [ "$1" = backup-ok ]; then
+	# do nothing by default
+	true
+else
+/usr/sbin/sendmail "$SENDTO" <<EOM
+Subject: $SUBJECT (unknown)
+To: $SENDTO
+
+The backup daemon on {{ ansible_fqdn }} reported an unknown error ($1).
+
+==========================
+FILES MAY NOT BE BACKED UP
+==========================
+
+Please check the logs on {{ ansible_fqdn }}.
+
+EOM
+fi
diff --git a/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbstored.conf.j2 b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbstored.conf.j2
new file mode 100644
index 00000000..f2b28163
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/bbstored.conf.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+RaidFileConf = /etc/boxbackup/raidfile.conf
+AccountDatabase = /etc/boxbackup/bbstored/accounts.txt
+
+# More verbose logging
+ExtendedLogging = {{ boxbackup_verbose | default('no') }}
+
+# scan all accounts for files which need deleting every {{ boxbackup_housekeeping | default(15) }} minutes.
+TimeBetweenHousekeeping = {{ (boxbackup_housekeeping | default(15) * 60 | int) | round | int | string }}
+
+Server
+{
+	User = bbstored
+	PidFile = /var/run/bbstored.pid
+	ListenAddresses = inet:{{ boxbackup_listenaddresses | default('0.0.0.0') }}
+	CertificateFile = /etc/pki/boxbackup-server/default.crt
+	PrivateKeyFile = /etc/pki/boxbackup-server/default.key
+	TrustedCAsFile = /etc/pki/boxbackup-server/CA.crt
+}
diff --git a/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/raidfile.conf.j2 b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/raidfile.conf.j2
new file mode 100644
index 00000000..daecef09
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/templates/etc/boxbackup/raidfile.conf.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+disc0
+{
+	SetNumber = 0
+	BlockSize = {{ boxbackup_storage_blocksize.stdout | default('4096') }}
+	Dir0 = {{ boxbackup_storage }}/
+	Dir1 = {{ boxbackup_storage }}/
+	Dir2 = {{ boxbackup_storage }}/
+}
diff --git a/ansible_collections/debops/debops/roles/boxbackup/templates/sign-cert.j2 b/ansible_collections/debops/debops/roles/boxbackup/templates/sign-cert.j2
new file mode 100755
index 00000000..0ad7380e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/templates/sign-cert.j2
@@ -0,0 +1,164 @@
+#!/usr/bin/perl
+use strict;
+
+# Copyright (C) 2003-2010 Ben Summers and contributors.
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# This file is managed by Ansible, all changes will be lost
+
+# Modified script based on the "bbstored-certs" Perl script from
+# boxbackup-server Debian package
+
+# validity period for client certificates
+my $sign_period = '{{ boxbackup_ssl_sign }}';
+
+# check and get command line parameters
+if($#ARGV < 0)
+{
+	print <<__E;
+
+sign-cert helper script
+
+Bad command line parameters.
+Usage:
+	sign-cert path/to/account-id-csr.pem
+
+Signing requires confirmation that the certificate is correct and should be signed.
+
+__E
+	exit(1);
+}
+
+# check for OPENSSL_CONF environment var being set
+if(exists $ENV{'OPENSSL_CONF'})
+{
+	print <<__E;
+
+---------------------------------------
+
+WARNING:
+    You have the OPENSSL_CONF environment variable set.
+    Use of non-standard openssl configs may cause problems.
+
+---------------------------------------
+
+__E
+}
+
+# check parameters
+my $cert_dir = "{{ secret }}/storage/boxbackup/servers/{{ boxbackup_server }}/ca";
+my @args = @ARGV;
+
+if(!-d $cert_dir)
+{
+	die "$cert_dir does not exist";
+}
+
+&cmd_sign;
+
+sub cmd_sign
+{
+	my $csr = $args[0];
+
+	if(!-f $csr)
+	{
+		die "$csr does not exist";
+	}
+
+	# get the common name specified in this certificate
+	my $common_name = get_csr_common_name($csr);
+
+	# look OK?
+	unless($common_name =~ m/\ABACKUP-([A-Fa-f0-9]+)\Z/)
+	{
+		die "The certificate presented does not appear to be a backup client certificate"
+	}
+
+	my $acc = $1;
+
+	# check against filename
+	if(!($csr =~ m/(\A|\/)([A-Fa-f0-9]+)-/) || $2 ne $acc)
+	{
+		die "Certificate request filename does not match name in certificate ($common_name)"
+	}
+
+	print <<__E;
+
+This certificate is for backup account
+
+   $acc
+
+Ensure this matches the account number you are expecting. The filename is
+
+   $csr
+
+which should include this account number, and additionally, you should check
+that you received it from the right person.
+
+Signing the wrong certificate compromises the security of your backup system.
+
+Would you like to sign this certificate? (type 'yes' to confirm)
+__E
+
+	return unless get_confirmation();
+
+	# out certificate
+	my $out_cert = "$cert_dir/clients/$acc"."-cert.pem";
+
+	# sign it!
+	if(system("openssl x509 -req -in $csr -sha1 -extensions usr_crt -CAserial $cert_dir/roots/clientCA.srl -CAcreateserial -CA $cert_dir/roots/clientCA.pem -CAkey $cert_dir/keys/clientRootKey.pem -out $out_cert -days $sign_period") != 0)
+	{
+		die "Signing failed"
+	}
+
+	# tell user what to do next
+	print <<__E;
+
+
+Certificate signed.
+
+Send the files
+
+   $out_cert
+   $cert_dir/roots/serverCA.pem
+
+to the client.
+
+__E
+}
+
+sub get_csr_common_name
+{
+	my $csr = $_[0];
+
+	open CSRTEXT,"openssl req -text -in $csr |" or die "Can't open openssl for reading";
+
+	my $subject;
+	while(<CSRTEXT>)
+	{
+		$subject = $1 if m/Subject:.+?CN=([-\.\w]+)/
+	}
+	close CSRTEXT;
+
+	if($subject eq '')
+	{
+		die "No subject found in CSR $csr"
+	}
+
+	return $subject
+}
+
+sub get_confirmation()
+{
+	my $line = <STDIN>;
+	chomp $line;
+	if(lc $line ne 'yes')
+	{
+		print "CANCELLED\n";
+		return 0;
+	}
+
+	return 1;
+}
diff --git a/ansible_collections/debops/debops/roles/boxbackup/vars/main.yml b/ansible_collections/debops/debops/roles/boxbackup/vars/main.yml
new file mode 100644
index 00000000..33377a12
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/boxbackup/vars/main.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# boxbackup backup mode - lazy / snapshot
+# Currently only lazy mode is fully supported
+boxbackup_mode: 'lazy'
+
+# Encryption key size
+boxbackup_encrypt_bits: 2048
+
+# Housekeeping process interval in minutes
+boxbackup_housekeeping: 15
+
+# Disc set to use (currently only 0 supported)
+boxbackup_discnum: 0
+
+# The number of minutes between backup runs under normal conditions. To avoid
+# cycles of load on the server, this time is randomly adjusted by a small
+# percentage as the daemon runs.
+boxbackup_interval: 60
+
+# The minimum age of a file, in hours, that will be uploaded. Avoids
+# repeated uploads of a file which is constantly being modified.
+boxbackup_minimumfileage: 4
+
+# If a file is modified repeated, it won't be uploaded immediately in case
+# it's modified again, due to the MinimumFileAge specified above. However, it
+# should be uploaded eventually even if it is being modified repeatedly. This
+# is how long we should wait, in hours, after first noticing a change.
+boxbackup_maxuploadwait: 24
+
+# Files above this size (in bytes) are tracked, and if they are renamed they will simply be
+# renamed on the server, rather than being uploaded again. (64k - 1)
+boxbackup_filetrackingsizethreshold: 65535
+
+# The daemon does "changes only" uploads for files above this size (in bytes).
+# Files less than it are uploaded whole without this extra processing.
+boxbackup_diffinguploadsizethreshold: 8192
+
+# The limit on how much time is spent diffing files, in seconds. Most files
+# shouldn't take very long, but if you have really big files you can use this
+# to limit the time spent diffing them.
+boxbackup_maximumdiffingtime: 120
+
+# This specifies a program or script which is run just before each
+# sync, and ideally the full path to the interpreter. It will be run as the
+# same user bbackupd is running as, usually root.
+#
+# The script must output (print) either "now" or a number to STDOUT (and a
+# terminating newline, no quotes).
+#
+# If the result was "now", then the sync will happen. If it's a number, then
+# no backup will happen for that number of seconds (bbackupd will pause) and
+# then the script will be run again.
+#
+# Use this to temporarily stop bbackupd from synchronising or connecting to the
+# store. For example, you could use this on a laptop to only backup when on a
+# specific network, or when it has a working Internet connection.
+boxbackup_syncallowscript: False
diff --git a/ansible_collections/debops/debops/roles/btrfs/COPYRIGHT b/ansible_collections/debops/debops/roles/btrfs/COPYRIGHT
new file mode 100644
index 00000000..10716146
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/COPYRIGHT
@@ -0,0 +1,19 @@
+btrfs - Manage Btrfs
+
+Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/btrfs/defaults/main.yml b/ansible_collections/debops/debops/roles/btrfs/defaults/main.yml
new file mode 100644
index 00000000..5dae1752
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/defaults/main.yml
@@ -0,0 +1,50 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _btrfs__ref_defaults:
+
+# debops-contrib.btrfs default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Required packages [[[
+# ---------------------
+
+# .. envvar:: btrfs__base_packages [[[
+#
+# List of base packages to install.
+btrfs__base_packages:
+  - 'btrfs-progs'
+                                                                   # ]]]
+                                                                   # ]]]
+# Subvolumes [[[
+# --------------
+
+# .. envvar:: btrfs__subvolumes [[[
+#
+# Dict of BTRFS subvolumes.
+btrfs__subvolumes: {}
+
+                                                                   # ]]]
+# .. envvar:: btrfs__subvolumes_host_group [[[
+#
+# See :envvar:`btrfs__subvolumes`.
+btrfs__subvolumes_host_group: {}
+
+                                                                   # ]]]
+# .. envvar:: btrfs__subvolumes_host [[[
+#
+# See :envvar:`btrfs__subvolumes`.
+btrfs__subvolumes_host: {}
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/changelog.rst b/ansible_collections/debops/debops/roles/btrfs/docs/changelog.rst
new file mode 100644
index 00000000..b3ca1e2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/copyright.rst b/ansible_collections/debops/debops/roles/btrfs/docs/copyright.rst
new file mode 100644
index 00000000..a8b5ec4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/getting-started.rst b/ansible_collections/debops/debops/roles/btrfs/docs/getting-started.rst
new file mode 100644
index 00000000..d40ade13
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/getting-started.rst
@@ -0,0 +1,58 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Getting started
+===============
+
+.. contents::
+   :local:
+
+.. include:: includes/all.rst
+
+
+Example inventory
+-----------------
+
+To manage Btrfs on host given in ``debops_service_btrfs`` Ansible inventory
+group:
+
+.. code:: ini
+
+    [debops_service_btrfs]
+    hostname
+
+Example playbook
+----------------
+
+Here's an example playbook that can be used to manage Btrfs:
+
+.. literalinclude:: playbooks/btrfs.yml
+   :language: yaml
+   :lines: 1,5-
+
+This playbooks is shipped with this role under
+:file:`docs/playbooks/btrfs.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider
+using the `DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::btrfs``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::btrfs:pkts``
+  Tasks related to the installation of required packages.
+
+``role::btrfs:subvolumes``
+  Tasks related to managing Btrfs subvolumes.
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/includes/all.rst b/ansible_collections/debops/debops/roles/btrfs/docs/includes/all.rst
new file mode 100644
index 00000000..73d42c4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/index.rst b/ansible_collections/debops/debops/roles/btrfs/docs/index.rst
new file mode 100644
index 00000000..ec3c1e9e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.btrfs:
+
+Ansible role: debops-contrib.btrfs
+==================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/introduction.rst b/ansible_collections/debops/debops/roles/btrfs/docs/introduction.rst
new file mode 100644
index 00000000..248a1c84
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/introduction.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.btrfs`` Ansible role allows you manage your Btrfs.
+Currently the role supports management of Btrfs subvolumes.
+More can be implemented as needed.
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.3``. To install it, run::
+
+    ansible-galaxy install debops-contrib.btrfs
+
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/btrfs/docs/playbooks/btrfs.yml b/ansible_collections/debops/debops/roles/btrfs/docs/playbooks/btrfs.yml
new file mode 100644
index 00000000..3d3dde02
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/docs/playbooks/btrfs.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Btrfs
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_btrfs' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: btrfs
+      tags: [ 'role::btrfs' ]
diff --git a/ansible_collections/debops/debops/roles/btrfs/meta/main.yml b/ansible_collections/debops/debops/roles/btrfs/meta/main.yml
new file mode 100644
index 00000000..4e425a6d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Manage Btrfs'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - securystem
+    - btrfs
diff --git a/ansible_collections/debops/debops/roles/btrfs/tasks/main.yml b/ansible_collections/debops/debops/roles/btrfs/tasks/main.yml
new file mode 100644
index 00000000..93cb5642
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/btrfs/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Combine BTRFS subvolumes
+  ansible.builtin.set_fact:
+    btrfs__subvolumes_combined: '{{
+                btrfs__subvolumes
+      | combine(btrfs__subvolumes_host_group)
+      | combine(btrfs__subvolumes_host) }}'
+
+- name: Ensure required packages are installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", btrfs__base_packages) }}'
+    state: 'present'
+  register: btrfs__register_packages
+  until: btrfs__register_packages is succeeded
+  tags: [ 'role::btrfs:pkts' ]
+
+- name: Create BTRFS subvolumes
+  debops.debops.btrfs_subvolume:
+    state: 'present'
+    path: '{{ item.key }}'
+    qgroups: '{{ item.value.qgroups | d(omit) }}'
+    commit: '{{ item.value.commit | d(omit) }}'
+    recursive: '{{ item.value.recursive | d(omit) }}'
+  when: (item.value.state | d("present") == "present")
+  with_dict: '{{ btrfs__subvolumes_combined }}'
+  tags: [ 'role::btrfs:subvolumes' ]
+
+- name: Remove BTRFS subvolumes
+  debops.debops.btrfs_subvolume:
+    state: 'absent'
+    path: '{{ item.key }}'
+  when: (item.value.state | d("present") != "present")
+  with_dict: '{{ btrfs__subvolumes_combined }}'
+  tags: [ 'role::btrfs:subvolumes' ]
+
+- name: Set directory permissions
+  ansible.builtin.file:
+    path:   '{{ item.key }}'
+    state:  'directory'
+    owner:  '{{ item.value.dir_owner | d(omit) }}'
+    group:  '{{ item.value.dir_group | d(omit) }}'
+    mode:   '{{ item.value.dir_mode | d(omit) }}'
+  when: (item.value.state | d("present") == "present")
+  with_dict: '{{ btrfs__subvolumes_combined }}'
+  tags: [ 'role::btrfs:subvolumes' ]
diff --git a/ansible_collections/debops/debops/roles/console/COPYRIGHT b/ansible_collections/debops/debops/roles/console/COPYRIGHT
new file mode 100644
index 00000000..7139e8f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/console/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.console - Manage misc console-related parameters
+
+Copyright (C) 2013-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/console/defaults/main.yml b/ansible_collections/debops/debops/roles/console/defaults/main.yml
new file mode 100644
index 00000000..e8b1193d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/console/defaults/main.yml
@@ -0,0 +1,83 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _console__ref_defaults:
+
+# debops.console default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# .. envvar:: console_serial [[[
+#
+# Enable or disable serial console (allows you to use 'lxc-console',
+# 'virsh console' and other similar commands)
+console_serial: False
+
+                                                                   # ]]]
+# .. envvar:: console_serial_port [[[
+#
+# Serial console port
+console_serial_port: 'ttyS0'
+
+                                                                   # ]]]
+# .. envvar:: console_serial_baud [[[
+#
+# Serial console baud rate
+console_serial_baud: '115200'
+
+                                                                   # ]]]
+# .. envvar:: console_serial_term [[[
+#
+# Serial console TERM string used to define terminal capabilities
+console_serial_term: 'xterm'
+
+                                                                   # ]]]
+# .. envvar:: console_serial_inittab [[[
+#
+# String used to enable serial console in sysvinit /etc/inittab
+console_serial_inittab: 'S0:2345:respawn:/sbin/getty -L {{ console_serial_port }} {{ console_serial_baud }} {{ console_serial_term }}'
+
+                                                                   # ]]]
+# .. envvar:: console_base_packages [[[
+#
+# List of required console packages
+console_base_packages: [ 'locales' ]
+
+                                                                   # ]]]
+# .. envvar:: console_conditional_packages [[[
+#
+# List of packages to install depending on a condition
+console_conditional_packages:
+
+  # Install NFS support when remote filesystems are configured
+  - [ '{{ "nfs-common"
+          if (console_mounts_nfs | d() or
+              console_group_mounts_nfs | d() or
+              console_host_mounts_nfs | d())
+          else [] }}' ]
+
+                                                                   # ]]]
+# .. envvar:: console_fsckfix [[[
+#
+# Enable or disable FSCKFIX option in /etc/default/rcS
+# This option controls the behaviour of fsck during boot time, if it's enabled,
+# fsck will automatically repair filesystems without stopping the boot
+# process. Choices: yes, no.
+console_fsckfix: 'yes'
+
+                                                                   # ]]]
+# .. envvar:: console_fsckfix_releases [[[
+#
+# List of OS distribution releases which use the FSCKFIX option in a configuration file.
+console_fsckfix_releases: [ 'trusty', 'xenial' ]
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/console/handlers/main.yml b/ansible_collections/debops/debops/roles/console/handlers/main.yml
new file mode 100644
index 00000000..dc2b70da
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/console/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2013-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload sysvinit
+  ansible.builtin.command: telinit q
+  register: console__register_telinit
+  changed_when: console__register_telinit.changed | bool
+
+# FIXME: To be integrated in the 'nfs' role
+#- name: Restart remote-fs.target
+#  ansible.builtin.systemd:
+#    daemon_reload: True
+#    state: 'restarted'
+#    name: 'remote-fs.target'
+#  with_items:
+#    - '{{ console__register_nfs_mount_points.results }}'
+#    - '{{ console__register_mount_points.results }}'
+#  when: (ansible_service_mgr == 'systemd' and item.changed) and
+#        ((item.opts | default(console_default_mount_nfs_options) is match(".*x-systemd.automount.*")
+#          and item.fstype is match("nfs.*")) or
+#        (item.opts | default(console_default_mount_options) is match(".*x-systemd.automount.*")))
diff --git a/ansible_collections/debops/debops/roles/console/meta/main.yml b/ansible_collections/debops/debops/roles/console/meta/main.yml
new file mode 100644
index 00000000..bb07e0fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/console/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure system console and terminal-related options'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/console/tasks/main.yml b/ansible_collections/debops/debops/roles/console/tasks/main.yml
new file mode 100644
index 00000000..f6a60cc3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/console/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Copyright (C) 2013-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install requested packages
+  ansible.builtin.apt:
+    name: '{{ (console_base_packages + console_conditional_packages) | flatten }}'
+    state: 'present'
+    install_recommends: False
+  register: console__register_packages
+  until: console__register_packages is succeeded
+  when: item is defined and item
+  tags: [ 'meta::provision' ]
+
+- name: Check if /etc/inittab exists
+  ansible.builtin.stat:
+    path: '/etc/inittab'
+  register: console_register_inittab
+
+- name: Disable serial console in /etc/inittab
+  ansible.builtin.lineinfile:
+    dest: '/etc/inittab'
+    regexp: '^{{ console_serial_inittab }}'
+    state: 'absent'
+  when: ((console_serial is undefined or (console_serial is defined and not console_serial)) and
+         ((console_register_inittab is defined and console_register_inittab) and
+          console_register_inittab.stat.exists))
+  notify: [ 'Reload sysvinit' ]
+
+- name: Enable serial console in /etc/inittab
+  ansible.builtin.lineinfile:
+    dest: '/etc/inittab'
+    regexp: '^{{ console_serial_inittab }}'
+    state: 'present'
+    line: '{{ console_serial_inittab }}'
+    mode: '0644'
+  when: ((console_serial is defined and console_serial) and
+         ((console_register_inittab is defined and console_register_inittab) and
+          console_register_inittab.stat.exists))
+  notify: [ 'Reload sysvinit' ]
+
+- name: Configure fsck behaviour on boot
+  ansible.builtin.lineinfile:
+    dest: '/etc/default/rcS'
+    regexp: 'FSCKFIX='
+    state: 'present'
+    line: 'FSCKFIX={{ console_fsckfix }}'
+    mode: '0644'
+  when: ansible_distribution_release in console_fsckfix_releases
diff --git a/ansible_collections/debops/debops/roles/controller/COPYRIGHT b/ansible_collections/debops/debops/roles/controller/COPYRIGHT
new file mode 100644
index 00000000..8b790fe8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.controller - Prepare host to be used as Ansible Controller
+
+Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/controller/defaults/main.yml b/ansible_collections/debops/debops/roles/controller/defaults/main.yml
new file mode 100644
index 00000000..4b021fe3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/defaults/main.yml
@@ -0,0 +1,133 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _controller__ref_defaults:
+
+# debops.controller default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: controller__base_packages [[[
+#
+# List of APT packages required on Ansible Controller.
+controller__base_packages: [ 'git', 'uuid-runtime' ]
+
+                                                                   # ]]]
+# .. envvar:: controller__packages [[[
+#
+# List of additional APT packages to install on the Ansible Controller.
+controller__packages: []
+
+                                                                   # ]]]
+# .. envvar:: controller__pip_packages [[[
+#
+# List of packages to install from PyPI using the :command:`pip` command.
+controller__pip_packages: [ 'debops' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Playbook and role installation [[[
+# ----------------------------------
+
+# .. envvar:: controller__install_systemwide [[[
+#
+# Download DebOps playbooks and roles to a system-wide location, on
+# installation. If set to ``False`` the playbooks and roles will be installed
+# locally for the current Ansible user.
+controller__install_systemwide: True
+
+                                                                   # ]]]
+# .. envvar:: controller__update_method [[[
+#
+# Specify the method which should be used to download playbooks and roles:
+#
+# - ``batch``: use the ``batch`` command from the ``at`` package, depends on system
+#   load, sends back email with results;
+#
+# - ``async``: use ``async`` Ansible support, does not create any output;
+#
+# - ``sync``: immediately sync and only continue after everything is in place
+#
+controller__update_method: '{{ ("batch"
+                                if (ansible_local | d() and ansible_local.atd | d() and
+                                    ansible_local.atd.enabled | bool)
+                                else "async") }}'
+
+                                                                   # ]]]
+# .. envvar:: controller__async_timeout [[[
+#
+# Specify timeout of the ``async`` Ansible command that downloads DebOps
+# playbooks and roles, in seconds.
+controller__async_timeout: '{{ (60 * 20) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DebOps system-wide configuration [[[
+# ------------------------------------
+
+# .. envvar:: controller__data_path [[[
+#
+# Path where DebOps playbooks and roles will be installed system-wide.
+controller__data_path: '{{ (ansible_local.fhs.share | d("/usr/local/share"))
+                            + "/debops" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DebOps project configuration [[[
+# --------------------------------
+
+# .. envvar:: controller__project_git_repo [[[
+#
+# Git URL to a DebOps project repository which will be cloned after installing
+# DebOps.
+controller__project_git_repo: ''
+
+                                                                   # ]]]
+# .. envvar:: controller__project_name [[[
+#
+# Name of a new DebOps project to initialize or name of the project download
+# directory in case :envvar:`controller__project_git_repo` is defined.
+controller__project_name: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: controller__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+controller__python__dependent_packages3:
+
+  - 'python3-dev'
+  - 'python3-dnspython'
+  - 'python3-netaddr'
+  - 'python3-passlib'
+  - 'python3-setuptools'
+  - '{{ ([]
+         if (ansible_distribution_release in
+             ["stretch", "trusty", "xenial"])
+         else "python3-ldap") }}'
+
+                                                                   # ]]]
+# .. envvar:: controller__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+controller__python__dependent_packages2:
+
+  - 'python-dev'
+  - 'python-dnspython'
+  - 'python-ldap'
+  - 'python-netaddr'
+  - 'python-passlib'
+  - 'python-setuptools'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/controller/handlers/main.yml b/ansible_collections/debops/debops/roles/controller/handlers/main.yml
new file mode 100644
index 00000000..2f3cfea0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/handlers/main.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update DebOps in the background with async
+  become: '{{ controller__install_systemwide | bool }}'
+  ansible.builtin.command: debops-update
+  async: '{{ controller__async_timeout | int }}'
+  poll: 0
+  register: controller__register_update_async
+  changed_when: controller__register_update_async.changed | bool
+  when: not controller__update_method == 'sync'
+
+- name: Update DebOps in the background with batch
+  become: '{{ controller__install_systemwide | bool }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    type debops-update > /dev/null 2>&1 && (echo 'debops-update' | batch > /dev/null 2>&1) || true
+  args:
+    executable: 'bash'
+  register: controller__register_update_batch
+  changed_when: controller__register_update_batch.changed | bool
+  when: (not controller__update_method == 'sync' and
+         (ansible_local | d() and ansible_local.atd | d() and
+          ansible_local.atd.enabled | bool))
diff --git a/ansible_collections/debops/debops/roles/controller/meta/main.yml b/ansible_collections/debops/debops/roles/controller/meta/main.yml
new file mode 100644
index 00000000..388fcffa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Prepare host to be used as Ansible Controller'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ansible
+    - debops
diff --git a/ansible_collections/debops/debops/roles/controller/tasks/main.yml b/ansible_collections/debops/debops/roles/controller/tasks/main.yml
new file mode 100644
index 00000000..f7cf9e9a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (controller__base_packages
+                              + controller__packages)) }}'
+    state: 'present'
+  register: controller__register_packages
+  until: controller__register_packages is succeeded
+
+- name: Install DebOps from PyPI
+  ansible.builtin.pip:
+    name: '{{ q("flattened", controller__pip_packages) }}'
+    state: 'present'
+  register: controller__register_pip_install
+  until: controller__register_pip_install is succeeded
+  notify: '{{ ["Update DebOps in the background with " + controller__update_method]
+              if not controller__update_method == "sync" else omit }}'
+
+- name: Configure system-wide DebOps scripts
+  ansible.builtin.template:
+    src: 'etc/debops.cfg.j2'
+    dest: '/etc/debops.cfg'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: controller__install_systemwide | bool
+
+- name: Update roles and playbooks
+  become: '{{ controller__install_systemwide | bool }}'
+  ansible.builtin.command: debops-update
+  register: controller__register_update
+  changed_when: controller__register_update.changed | bool
+  when: controller__update_method == 'sync'
+
+- name: Clone project repository
+  become: '{{ controller__install_systemwide | bool }}'
+  ansible.builtin.git:
+    repo: '{{ controller__project_git_repo }}'
+    dest: '{{ controller__project_name if controller__project_name else controller__project_git_repo | basename }}'
+    version: 'master'
+    update: True
+  when: controller__project_git_repo | d()
+
+- name: Initialize new project
+  become: '{{ controller__install_systemwide | bool }}'
+  ansible.builtin.command: debops-init '{{ controller__project_name }}'
+  args:
+    creates: '{{ controller__project_name }}/.debops.cfg'
+  when: controller__project_name | d() and
+        not controller__project_git_repo | d()
diff --git a/ansible_collections/debops/debops/roles/controller/templates/etc/debops.cfg.j2 b/ansible_collections/debops/debops/roles/controller/templates/etc/debops.cfg.j2
new file mode 100644
index 00000000..af4397c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/controller/templates/etc/debops.cfg.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# DebOps system-wide configuration
+
+{% if controller__install_systemwide | bool %}
+[paths]
+data-home = {{ controller__data_path }}
+
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/core/COPYRIGHT b/ansible_collections/debops/debops/roles/core/COPYRIGHT
new file mode 100644
index 00000000..9fc03649
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.core - Prepare Ansible environment for DebOps roles
+
+Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/core/defaults/main.yml b/ansible_collections/debops/debops/roles/core/defaults/main.yml
new file mode 100644
index 00000000..186c9b4b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/defaults/main.yml
@@ -0,0 +1,265 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _core__ref_defaults:
+
+# debops.core default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Custom local facts [[[
+# ----------------------
+
+# .. envvar:: core__facts [[[
+#
+# Dictionary of custom facts that are set globally on all hosts.
+core__facts: {}
+
+                                                                   # ]]]
+# .. envvar:: core__group_facts [[[
+#
+# Dictionary of custom facts that are set in a group of hosts.
+core__group_facts: {}
+
+                                                                   # ]]]
+# .. envvar:: core__host_facts [[[
+#
+# Dictionary of custom facts that are set on specific hosts.
+core__host_facts: {}
+
+                                                                   # ]]]
+# .. envvar:: core__remove_facts [[[
+#
+# List of custom fact keys which will be removed if found.
+core__remove_facts: []
+
+                                                                   # ]]]
+# .. envvar:: core__reset_facts [[[
+#
+# If ``True``, Ansible will not add facts that are already present on a host to
+# the dictionary, and only store those specified in inventory.
+core__reset_facts: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Tags stored as local facts [[[
+# ------------------------------
+
+# .. envvar:: core__tags [[[
+#
+# Global list of tags to set on all hosts.
+core__tags: []
+
+                                                                   # ]]]
+# .. envvar:: core__group_tags [[[
+#
+# List of tags to set for a group of hosts.
+core__group_tags: []
+
+                                                                   # ]]]
+# .. envvar:: core__host_tags [[[
+#
+# List of tags to set on a given host.
+core__host_tags: []
+
+                                                                   # ]]]
+# .. envvar:: core__static_tags [[[
+#
+# Override any combination of global, group or host tags with a static set.
+core__static_tags: []
+
+                                                                   # ]]]
+# .. envvar:: core__remove_tags [[[
+#
+# Specify a list of tags to remove from a tag list, if they're present.
+core__remove_tags: []
+
+                                                                   # ]]]
+# .. envvar:: core__reset_tags [[[
+#
+# If ``True``, Ansible will not merge current set of tags on a host and will
+# create a new list of tags from inventory variables.
+core__reset_tags: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Core facts [[[
+# --------------
+
+# .. envvar:: core__ansible_controllers [[[
+#
+# List of IP addresses or CIDR subnets which contain hosts that are used to
+# execute Ansible playbooks. Other roles that maintain host security can source
+# the ``ansible_local.core.ansible_controllers`` list and add the entries found
+# there to IP address whitelist.
+core__ansible_controllers: []
+
+                                                                   # ]]]
+# .. envvar:: core__active_controller [[[
+#
+# IP address from which the SSH connection to a given host originates. It
+# usually is the external IP address of Ansible Controller host, but it might be
+# an internal IP address of a gateway or SSH jumphost through which the
+# connection is proxied. This IP address will be added to list of Ansible
+# Controllers defined above.
+core__active_controller: '{{ ((ansible_env.SSH_CLIENT.split(" ") | first)
+                              if (ansible_env | d() and ansible_env.SSH_CLIENT | d())
+                              else "") }}'
+
+                                                                   # ]]]
+# .. envvar:: core__admin_groups [[[
+#
+# List of the system groups which contain the system administrator accounts.
+# If you don't want this functionality, make this list empty.
+core__admin_groups: [ 'admins' ]
+
+                                                                   # ]]]
+# .. envvar:: core__admin_users [[[
+#
+# List of system administrator accounts. Ansible will check what accounts are
+# in the groups specified above and include them in this list automatically.
+# These accounts are used in different roles to automatically create
+# administrative accounts in different services.
+#
+# To override the admin accounts autodetected by Ansible, specify them in this
+# list.
+core__admin_users: '{{ ((ansible_local.core.admin_users
+                         if (ansible_local.core.admin_users | d())
+                         else [])
+                        + [ansible_user
+                           if (ansible_user is defined and
+                               ansible_user not in
+                               (core__admin_blacklist_default_users
+                                + core__admin_blacklist_users))
+                           else lookup("env", "USER")])
+                        | unique }}'
+
+                                                                   # ]]]
+# .. envvar:: core__admin_blacklist_default_users [[[
+#
+# List of user accounts which will not be included by Ansible in the system
+# administrator account list. This is used to avoid creating common, static
+# admin account names in various services.
+core__admin_blacklist_default_users:
+  - 'admin'
+  - 'ansible'
+  - 'debian'
+  - 'pi'
+  - 'root'
+  - 'ubuntu'
+  - 'user'
+
+                                                                   # ]]]
+# .. envvar:: core__admin_blacklist_users [[[
+#
+# Additional list of user accounts to not include in the system administrator
+# account list.
+core__admin_blacklist_users: []
+
+                                                                   # ]]]
+# .. envvar:: core__admin_public_email [[[
+#
+# List of public system administrator e-mail addresses. The addresses specified
+# here will be used as publicly visible admin contact information by the
+# Ansible roles that use them.
+#
+# This variable can be used as a final destination by the system MTA.
+core__admin_public_email: [ '{{ ("root@" + ansible_domain)
+                                if ansible_domain | d()
+                                else "root" }}' ]
+
+                                                                   # ]]]
+# .. envvar:: core__admin_private_email [[[
+#
+# List of private system administrator e-mail addresses. They will be used by
+# other Ansible roles to sent important system messages to the administrator.
+# These e-mail addresses are visible to all users on a given host, but should
+# not be visible from outside of a host.
+#
+# If none are specified, list of admin user accounts will be used instead. The
+# mail delivery to these accounts is left to the system MTA.
+#
+# This variable shouldn't be used as a final destination by the system MTA,
+# otherwise it might result in an undeliverable error. It can be used as an
+# alias.
+core__admin_private_email: []
+
+                                                                   # ]]]
+# .. envvar:: core__cache_valid_time [[[
+#
+# Time in seconds which specifies how long APT cache should be considered
+# valid between updates.
+core__cache_valid_time: '{{ (60 * 60 * 24) }}'
+
+                                                                   # ]]]
+# .. envvar:: core__distribution [[[
+#
+# You can override this variable if you use a Linux distribution that is not
+# correctly detected by Ansible, like Raspberry Pi OS. It is stored as a local
+# fact and takes precedence over Ansible's auto-detected distribution name on
+# all roles that support it.
+# Ref: https://github.com/debops/debops/issues/2046
+core__distribution: '{{ ansible_lsb.id
+                        if (ansible_lsb.id | d())
+                        else ansible_distribution }}'
+
+                                                                   # ]]]
+# .. envvar:: core__distribution_release [[[
+#
+# You can override this variable if you use a Linux distribution release that
+# is not correctly detected by Ansible. It is stored as a local fact and takes
+# precedence over Ansible's auto-detected distribution release on all roles
+# that support it.
+core__distribution_release: '{{ ansible_lsb.codename
+                                if (ansible_lsb.codename | d())
+                                else ansible_distribution_release }}'
+
+                                                                   # ]]]
+# .. envvar:: core__homedir_umask [[[
+#
+# Default umask for home directories.
+core__homedir_umask: '0027'
+
+                                                                   # ]]]
+# .. envvar:: core__unsafe_writes [[[
+#
+# Enable or disable use of the ``unsafe_writes`` parameter in Ansible tasks
+# that deal with files. See :ref:`core__ref_unsafe_writes` for more details.
+core__unsafe_writes: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Core packages [[[
+# -----------------
+
+# .. envvar:: core__base_packages [[[
+#
+# List of packages required by Ansible local fact scripts.
+core__base_packages: [ 'bash', 'libcap2-bin', 'lsb-release', 'dbus', 'dirmngr' ]
+
+                                                                   # ]]]
+# .. envvar:: core__packages [[[
+#
+# List of additional packages to install.
+core__packages: []
+
+                                                                   # ]]]
+# .. envvar:: core__group_packages [[[
+#
+# List of additional packages to install for a group.
+core__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: core__host_packages [[[
+#
+# List of additional packages to install for a host.
+core__host_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/core/meta/main.yml b/ansible_collections/debops/debops/roles/core/meta/main.yml
new file mode 100644
index 00000000..b4bb9145
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install a set of Ansible local facts on remote host'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/core/tasks/main.yml b/ansible_collections/debops/debops/roles/core/tasks/main.yml
new file mode 100644
index 00000000..6f97efe9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Ensure that APT cache is valid
+  ansible.builtin.apt:
+    update_cache: True
+    cache_valid_time: '{{ "86400" if ansible_local | d() else omit }}'
+  register: core__register_apt_update
+  until: core__register_apt_update is succeeded
+  when: ansible_pkg_mgr == 'apt'
+  tags: [ 'meta::provision' ]
+
+- name: Install required core packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (core__base_packages
+                              + core__packages
+                              + core__group_packages
+                              + core__host_packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: core__register_packages
+  until: core__register_packages is succeeded
+  tags: [ 'meta::provision' ]
+
+- name: Re-gather facts on package installation
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check IP address of current Ansible Controller
+  ansible.builtin.set_fact:
+    core__fact_ansible_controller: '{{ core__active_controller }}'
+  when: core__fact_ansible_controller is undefined and ansible_connection != "local"
+  tags: [ 'role::core', 'role::ferm', 'role::ferm:config', 'role::tcpwrappers' ]
+  become: False
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/{{ item }}.fact.j2'
+    dest: '/etc/ansible/facts.d/{{ item }}.fact'
+    mode: '0755'
+  with_items: [ 'core', 'tags' ]
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather local facts if they changed
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/core.fact.j2 b/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/core.fact.j2
new file mode 100644
index 00000000..9f04ba85
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/core.fact.j2
@@ -0,0 +1,146 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit, version_info, maxsize
+from grp import getgrall
+import socket
+
+
+PY2 = version_info[0] == 2
+PY3 = version_info[0] == 3
+
+if PY3:
+    string_types = str
+else:
+    string_types = basestring
+
+# Workaround to allow Jinja template inside of a Python script
+"""
+{% set core__tpl_facts = {} %}
+{% if not core__reset_facts | d(False) %}
+{%   if ansible_local | d() and ansible_local.core | d() %}
+{%     for key, value in ansible_local.core.items() %}
+{%       if key not in (core__remove_facts | d([]) + [ 'admin_users' ]) %}
+{%         set _ = core__tpl_facts.update({ key: value }) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if core__facts | d() %}
+{%   for key, value in core__facts.items() %}
+{%     if key not in core__remove_facts | d([]) %}
+{%       set _ = core__tpl_facts.update({ key: value }) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if core__group_facts | d() %}
+{%   for key, value in core__group_facts.items() %}
+{%     if key not in core__remove_facts | d([]) %}
+{%       set _ = core__tpl_facts.update({ key: value }) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if core__host_facts | d() %}
+{%   for key, value in core__host_facts.items() %}
+{%     if key not in core__remove_facts | d([]) %}
+{%       set _ = core__tpl_facts.update({ key: value }) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set core__tpl_ansible_controllers = [] %}
+{% if core__tpl_facts.ansible_controllers | d() %}
+{%   for element in core__tpl_facts.ansible_controllers %}
+{%     set _ = core__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% if core__ansible_controllers | d() %}
+{%   for element in ([ core__ansible_controllers ]
+                     if (core__ansible_controllers is string)
+                     else core__ansible_controllers) %}
+{%     set _ = core__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% if core__fact_ansible_controller | d() %}
+{%   set _ = core__tpl_ansible_controllers.append(
+                 core__fact_ansible_controller) %}
+{% endif %}
+{% if core__tpl_ansible_controllers %}
+{%   set _ = core__tpl_facts.update({ "ansible_controllers":
+                                          (core__tpl_ansible_controllers
+                                           | sort | unique) }) %}
+{% endif %}
+{%   set _ = core__tpl_facts.update({ "admin_groups": core__admin_groups }) %}
+{%   set _ = core__tpl_facts.update({ "admin_users": core__admin_users }) %}
+{%   set _ = core__tpl_facts.update({ "admin_public_email":
+                                          core__admin_public_email }) %}
+{%   set _ = core__tpl_facts.update({ "admin_private_email":
+                                          core__admin_private_email }) %}
+{%   set _ = core__tpl_facts.update({ "distribution": core__distribution }) %}
+{%   set _ = core__tpl_facts.update({ "distribution_release":
+                                          core__distribution_release }) %}
+{%   set _ = core__tpl_facts.update({ "homedir_umask":
+                                          core__homedir_umask }) %}
+{%   set _ = core__tpl_facts.update({ "cache_valid_time":
+                                          core__cache_valid_time }) %}
+{%   set _ = core__tpl_facts.update({ "unsafe_writes":
+                                          core__unsafe_writes | bool }) %}
+"""
+
+output = loads('''{{ core__tpl_facts | to_nice_json }}''')
+
+admin_blacklist_users = loads('''{{ (core__admin_blacklist_default_users
+                                     + core__admin_blacklist_users)
+                                     | unique | to_nice_json }}''')
+
+groups = getgrall()
+admin_users = set()
+
+if output['admin_users']:
+    if isinstance(output['admin_users'], string_types):
+        admin_users.add(output['admin_users'])
+    elif isinstance(output['admin_users'], list):
+        admin_users.update(set(output['admin_users']))
+    else:
+        raise RuntimeError("Expected string or list, but got %r" % (
+            output['admin_users']))
+
+if output['admin_groups']:
+    for group in groups:
+        if group.gr_name in output['admin_groups']:
+            for name in group.gr_mem:
+                if name not in admin_blacklist_users:
+                    admin_users.add(name)
+
+if admin_users:
+    output.update({"admin_users": sorted(list(admin_users))})
+
+if not output['admin_private_email']:
+    if output['admin_users']:
+
+        try:
+            mail_domain = socket.getfqdn().split('.', 1)[1]
+        except IndexError:
+            # Oh no, we don't have a real domain...
+            mail_domain = socket.getfqdn()
+
+        output.update({"admin_private_email":
+                       sorted(list(
+                           [s + '@' + mail_domain
+                            for s in admin_users]))})
+    else:
+        output.update({"admin_private_email": ["root"]})
+
+if maxsize > 2**32:
+    output.update({"is_64bits": True})
+else:
+    output.update({"is_64bits": False})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/tags.fact.j2 b/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/tags.fact.j2
new file mode 100644
index 00000000..41be041d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/core/templates/etc/ansible/facts.d/tags.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+# Workaround to allow Jinja template inside of a Python script
+"""
+{% set core__tpl_tags = [] %}
+{% if not core__reset_tags | d(False) %}
+{%   if ansible_local | d() and ansible_local.tags | d() %}
+{%     for element in ansible_local.tags %}
+{%       set _ = core__tpl_tags.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set core__tpl_tags_list = (core__tpl_tags + core__tags | d([])
+                              + core__group_tags | d([])
+                              + core__host_tags | d([]))
+                             | difference(core__remove_tags | d([])) %}
+{% if core__static_tags | d() %}
+{%   set core__tpl_tags_list = core__static_tags | d([])
+                               | difference(core__remove_tags | d([])) %}
+{% endif %}
+"""
+
+output = loads('''{{ core__tpl_tags_list | sort | unique | to_nice_json }}''')
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/cran/COPYRIGHT b/ansible_collections/debops/debops/roles/cran/COPYRIGHT
new file mode 100644
index 00000000..d80364a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cran/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.cran - Manage the Comprehensive R Archive Network packages
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/cran/defaults/main.yml b/ansible_collections/debops/debops/roles/cran/defaults/main.yml
new file mode 100644
index 00000000..20c4d599
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cran/defaults/main.yml
@@ -0,0 +1,191 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _cran__ref_defaults:
+
+# debops.cran default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Upstream configuration [[[
+# --------------------------
+
+# .. envvar:: cran__upstream [[[
+#
+# Enable or disable configuration of upstream CRAN APT repositories. If
+# disabled, R APT packages from the current OS release will be used instead.
+# You can find more information about upstream R packages at
+# https://cran.r-project.org/bin/linux/debian/
+cran__upstream: True
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_mirror [[[
+#
+# The default CRAN mirror used by the APT package manager, as well as the
+# source of R packages to install system-wide.
+# See https://cran.r-project.org/mirrors.html for more details.
+cran__upstream_mirror: 'https://cloud.r-project.org/'
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_apt_key_map [[[
+#
+# YAML dictionary that maps GPG keys of the upstream CRAN APT repositories to
+# the OS distributions.
+cran__upstream_apt_key_map:
+  'Debian': 'E19F5F87128899B192B1A2C2AD5F960A256A04AF'
+  'Ubuntu': 'E298A3A825C0D65DFD57CBB651716619E084DAB9'
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_apt_key [[[
+#
+# The GPG key of the upstream CRAN APT repository.
+cran__upstream_apt_key: '{{ cran__upstream_apt_key_map[ansible_distribution] }}'
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_apt_suite_map [[[
+#
+# YAML dictionary that maps APT suites of the CRAN APT repository to OS
+# distributions.
+cran__upstream_apt_suite_map:
+  'Debian': '{{ ansible_distribution_release + "-cran35/" }}'
+  'Ubuntu': '{{ ansible_distribution_release + "-cran35/" }}'
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_apt_suite [[[
+#
+# The APT suite of the upstream CRAN APT repository.
+cran__upstream_apt_suite: '{{ cran__upstream_apt_suite_map[ansible_distribution] }}'
+
+                                                                   # ]]]
+# .. envvar:: cran__upstream_apt_repo [[[
+#
+# The URL of the upstream CRAN APT repository to configure on the host.
+cran__upstream_apt_repo: '{{ "deb " + cran__upstream_mirror + "bin/linux/"
+                             + ansible_distribution | lower + " "
+                             + cran__upstream_apt_suite }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: cran__base_packages [[[
+#
+# List of the default APT packages to install for R support.
+cran__base_packages: [ 'r-base', 'r-base-dev', 'r-recommended' ]
+
+                                                                   # ]]]
+# .. envvar:: cran__packages [[[
+#
+# List of APT packages to install with R on all hosts in the Ansible inventory.
+cran__packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__group_packages [[[
+#
+# List of APT packages to install with R on hosts in a specific Ansible
+# inventory group.
+cran__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__host_packages [[[
+#
+# List of APT packages to install with R on specific hosts in the Ansible
+# inventory.
+cran__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__dependent_packages [[[
+#
+# List of APT packages to install with R that are requested by other Ansible
+# roles via role dependent variables.
+cran__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# R packages [[[
+# --------------
+
+# These variables define what R packages will be installed or removed
+# system-wide (in :file:`/usr/local/lib/R/site-library/` directory).
+# See :ref:`cran__ref_r_packages` for more details.
+
+# .. envvar:: cran__r_packages [[[
+#
+# List of the R packages to manage system-wide on all hosts in the Ansible
+# inventory.
+cran__r_packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__group_r_packages [[[
+#
+# List of the R packages to manage system-wide on hosts in a specific Ansible
+# inventory group.
+cran__group_r_packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__host_r_packages [[[
+#
+# List of the R packages to manage system-wide on specific hosts in the Ansible
+# inventory.
+cran__host_r_packages: []
+
+                                                                   # ]]]
+# .. envvar:: cran__dependent_r_packages [[[
+#
+# List of the R packages to manage system-wide requested by other Ansible roles
+# via role dependent variables.
+cran__dependent_r_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Other configuration options [[[
+# -------------------------------
+
+# .. envvar:: cran__java_integration [[[
+#
+# Enable or disable Java integration if Java environment is detected on a host.
+# Java might be required to install some R packages.
+cran__java_integration: '{{ True
+                            if (ansible_local | d() and ansible_local.java | d() and
+                                (ansible_local.java.installed | d()) | bool)
+                            else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: cran__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences`.
+cran__apt_preferences__dependent_list:
+
+  - packages: [ 'r-cran-coda', 'rkward' ]
+    pin: 'release o=CRAN'
+    priority: '600'
+    by_role: 'debops_cran'
+    reason: |
+      Packages in Debian Archive incompatible with upstream CRAN packages
+      https://cran.r-project.org/bin/linux/debian/#debian-stretch-stable
+    filename: 'debops_cran.pref'
+    state: '{{ "present"
+               if (ansible_distribution == "Debian" and cran__upstream | bool)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: cran__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+cran__keyring__dependent_apt_keys:
+
+  - id: '{{ cran__upstream_apt_key }}'
+    repo: '{{ cran__upstream_apt_repo }}'
+    state: '{{ "present" if cran__upstream | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/cran/meta/main.yml b/ansible_collections/debops/debops/roles/cran/meta/main.yml
new file mode 100644
index 00000000..eca1c686
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cran/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage the Comprehensive R Archive Network (CRAN) packages'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cran
+    - rlang
+    - rstudio
+    - programming
+    - development
+    - statistics
diff --git a/ansible_collections/debops/debops/roles/cran/tasks/main.yml b/ansible_collections/debops/debops/roles/cran/tasks/main.yml
new file mode 100644
index 00000000..56b17b85
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cran/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Install system packages required for R support
+  ansible.builtin.package:
+    name: '{{ q("flattened", (cran__base_packages
+                              + cran__packages
+                              + cran__group_packages
+                              + cran__host_packages
+                              + cran__dependent_packages)) }}'
+    state: 'present'
+  register: cran__register_packages
+  until: cran__register_packages is succeeded
+
+- name: Configure Java environment in R
+  ansible.builtin.command: R CMD javareconf
+  register: cran__register_java_reconf
+  changed_when: cran__register_java_reconf.changed | bool
+  when: (cran__java_integration | bool and
+         (ansible_local | d() and ansible_local.cran is undefined))
+
+- name: Manage R packages
+  cran:  # noqa fqcn
+    name:  '{{ item.name | d(item) }}'
+    repo:  '{{ item.repo | d(cran__upstream_mirror) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", cran__r_packages
+                           + cran__group_r_packages
+                           + cran__host_r_packages
+                           + cran__dependent_r_packages) }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save CRAN local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/cran.fact.j2'
+    dest: '/etc/ansible/facts.d/cran.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/cran/templates/etc/ansible/facts.d/cran.fact.j2 b/ansible_collections/debops/debops/roles/cran/templates/etc/ansible/facts.d/cran.fact.j2
new file mode 100644
index 00000000..33d26a2f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cran/templates/etc/ansible/facts.d/cran.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = loads('''{{ {"installed": True,
+                      "mirror": cran__upstream_mirror
+                     } | to_json }}''')
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        cran_stdout = subprocess.check_output(
+            ["/usr/bin/R --version"],
+            shell=True, stderr=devnull).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if cran_stdout:
+    for line in cran_stdout.split('\n'):
+        if 'R version' in line:
+            output['version'] = line.split()[2]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/cron/COPYRIGHT b/ansible_collections/debops/debops/roles/cron/COPYRIGHT
new file mode 100644
index 00000000..0caa7bc1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.cron - Manage cron jobs using Ansible
+
+Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/cron/defaults/main.yml b/ansible_collections/debops/debops/roles/cron/defaults/main.yml
new file mode 100644
index 00000000..d62fbc9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/defaults/main.yml
@@ -0,0 +1,281 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _cron__ref_defaults:
+
+# debops.cron default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: cron__enabled [[[
+#
+# Enable or disable :program:`cron` management using this role.
+cron__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: cron__base_packages [[[
+#
+# List of APT packages to install for :program:`cron` support.
+cron__base_packages: [ 'cron' ]
+
+                                                                   # ]]]
+# .. envvar:: cron__packages [[[
+#
+# List of additional APT packages to install with :program:`cron`.
+cron__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of the periodic system jobs [[[
+# ---------------------------------------------
+
+# .. envvar:: cron__crontab_deploy_state [[[
+#
+# If ``present``, the custom :file:`/etc/crontab` configuration will be applied
+# on the host. If ``absent``, the original configuration will be restored.
+cron__crontab_deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_seed [[[
+#
+# A string which is used as the base of the random seed used to generate
+# various :man:`crontab(5)` time parameters. It should be unique on each host
+# in the Ansible inventory.
+cron__crontab_seed: '{{ inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_offset_seeds [[[
+#
+# A list of pseudo-random strings which are randomly added to the base seed in
+# variouse :man:`crontab(5)` entries. High number of pseudo-random strings
+# gives more variety in the final configuration entries. At least 8 seed
+# strings are required by the default configuration.
+#
+# The offset seeds will be stored on the remote hosts in the local fact script
+# to ensure idempotency.
+cron__crontab_offset_seeds: '{{ ansible_local.cron.crontab_offset_seeds
+                                if (ansible_local.cron.crontab_offset_seeds | d())
+                                else ((ansible_all_ipv4_addresses
+                                       + ansible_all_ipv6_addresses
+                                       + (ansible_default_ipv4.values() | d([])) | list
+                                       + [ansible_machine_id | d(), ansible_memtotal_mb]
+                                       + [ansible_product_name, ansible_product_version]
+                                       + [ansible_kernel])
+                                      | map("regex_replace", "^(.*)$",
+                                            (ansible_date_time.epoch | string + "\1"))
+                                      | map("hash", "sha256") | list | unique) }}'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_hours [[[
+#
+# YAML list which defines the hours which will be used in the daily, weekly and
+# monthly :man:`crontab(5)` entries. The role will randomly select an hour for
+# each job type. The default allows job execution outside of normal workday
+# hours.
+cron__crontab_hours: [ 0, 1, 2, 3, 4, 5, 6,
+                       18, 19, 20, 21, 22, 23 ]
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_weekday_days [[[
+#
+# YAML list which specifies the days of the week which will be used by the
+# weekly :man:`crontab(5)` entry. The default will execute the jobs on one of
+# the weekend days only.
+cron__crontab_weekday_days: [ 6, 7 ]
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_day_ranges [[[
+#
+# YAML list which specifies the range of days to use in the monthly
+# :man:`crontab(5)` entry. The default is selected to ensure that jobs are
+# executed on the first week of each month.
+cron__crontab_day_ranges: [ 1, 7 ]
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_default_environment [[[
+#
+# YAML dictionary which defines default set of environment variables set in the
+# :man:`crontab(5)` configuration file. Each key is a variable name and its
+# value is the contents of the variable.
+cron__crontab_default_environment:
+  SHELL: '/bin/sh'
+  PATH: '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_environment [[[
+#
+# YAML dictionary with environment variables set in the :man:`crontab(5)`
+# configuration file, defined for all hosts in the Ansible inventory.
+cron__crontab_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_group_environment [[[
+#
+# YAML dictionary with environment variables set in the :man:`crontab(5)`
+# configuration file, defined for hosts in a specific Ansible inventory group.
+cron__crontab_group_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_host_environment [[[
+#
+# YAML dictionary with environment variables set in the :man:`crontab(5)`
+# configuration file, defined for specific hosts in the Ansible inventory.
+cron__crontab_host_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_combined_environment [[[
+#
+# Variable which combines all other :man:`crontab(5)` environment variables and
+# is used in the template.
+cron__crontab_combined_environment: '{{ cron__crontab_default_environment
+                                        | combine(cron__crontab_environment,
+                                                  cron__crontab_group_environment,
+                                                  cron__crontab_host_environment) }}'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_default_jobs [[[
+#
+# A list of the default :man:`crontab(5)` system jobs defined by the role.
+# See :ref:`cron__ref_crontab_jobs` for more details.
+cron__crontab_default_jobs:
+
+  - name: 'crontab-hourly'
+    minute: '{{ 59 | random(seed=(cron__crontab_seed
+                                  + (cron__crontab_offset_seeds
+                                     | random(seed=cron__crontab_offset_seeds[0])))) }}'
+    user: 'root'
+    job: 'cd / && run-parts --report /etc/cron.hourly'
+
+  - name: 'crontab-daily'
+    minute: '{{ 59 | random(seed=(cron__crontab_seed
+                                  + (cron__crontab_offset_seeds
+                                     | random(seed=cron__crontab_offset_seeds[1])))) }}'
+    hour: '{{ cron__crontab_hours | random(seed=(cron__crontab_seed
+                                                 + (cron__crontab_offset_seeds
+                                                    | random(seed=cron__crontab_offset_seeds[2])))) }}'
+    user: 'root'
+    job: 'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )'
+
+  - name: 'crontab-weekly'
+    minute: '{{ 59 | random(seed=(cron__crontab_seed
+                                  + (cron__crontab_offset_seeds
+                                     | random(seed=cron__crontab_offset_seeds[3])))) }}'
+    hour: '{{ cron__crontab_hours | random(seed=(cron__crontab_seed
+                                                 + (cron__crontab_offset_seeds
+                                                    | random(seed=cron__crontab_offset_seeds[4])))) }}'
+    weekday: '{{ cron__crontab_weekday_days
+                 | random(seed=(cron__crontab_seed
+                                + (cron__crontab_offset_seeds
+                                   | random(seed=cron__crontab_offset_seeds[5])))) }}'
+    user: 'root'
+    job: 'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )'
+
+  - name: 'crontab-monthly'
+    minute: '{{ 59 | random(seed=(cron__crontab_seed
+                                  + (cron__crontab_offset_seeds
+                                     | random(seed=cron__crontab_offset_seeds[6])))) }}'
+    hour: '{{ cron__crontab_hours | random(seed=(cron__crontab_seed
+                                                 + (cron__crontab_offset_seeds
+                                                    | random(seed=cron__crontab_offset_seeds[7])))) }}'
+    day: '{{ cron__crontab_day_ranges[1]
+             | random(start=cron__crontab_day_ranges[0],
+                      seed=(cron__crontab_seed
+                            + (cron__crontab_offset_seeds
+                               | random(seed=cron__crontab_offset_seeds[8])))) }}'
+    user: 'root'
+    job: 'test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )'
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_jobs [[[
+#
+# A list of the :man:`crontab(5)` system jobs defined on all hosts in the
+# Ansible inventory. See :ref:`cron__ref_crontab_jobs` for more details.
+cron__crontab_jobs: []
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_group_jobs [[[
+#
+# A list of the :man:`crontab(5)` system jobs defined on hosts in a specific
+# Ansible inventory group. See :ref:`cron__ref_crontab_jobs` for more details.
+cron__crontab_group_jobs: []
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_host_jobs [[[
+#
+# A list of the :man:`crontab(5)` system jobs defined on specific hosts in the
+# Ansible inventory. See :ref:`cron__ref_crontab_jobs` for more details.
+cron__crontab_host_jobs: []
+
+                                                                   # ]]]
+# .. envvar:: cron__crontab_combined_jobs [[[
+#
+# The variable which combines other :man:`crontab(5)` job variables and is used
+# in the role template.
+cron__crontab_combined_jobs: '{{ cron__crontab_default_jobs
+                                 + cron__crontab_jobs
+                                 + cron__crontab_group_jobs
+                                 + cron__crontab_host_jobs }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Scheduled job configuration [[[
+# -------------------------------
+
+# The variables below define :program:`cron` jobs managed by the :program:`cron`
+# Ansible module. See :ref:`cron__ref_jobs` for more details.
+
+# .. envvar:: cron__default_jobs [[[
+#
+# YAML dictionary with a set of default :program:`cron` jobs to configure on
+# a host (currently none).
+cron__default_jobs: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__dependent_jobs [[[
+#
+# YAML dictionary with a set of :program:`cron` jobs defined by other Ansible
+# roles through the role dependent variables.
+cron__dependent_jobs: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__jobs [[[
+#
+# YAML dictionary with a set of :program:`cron` jobs defined for all hosts in
+# the Ansible inventory.
+cron__jobs: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__group_jobs [[[
+#
+# YAML dictionary with a set of :program:`cron` jobs defined for hosts in
+# a given Ansible inventory group.
+cron__group_jobs: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__host_jobs [[[
+#
+# YAML dictionary with a set of :program:`cron` jobs defined for specific hosts
+# in the Ansible inventory.
+cron__host_jobs: {}
+
+                                                                   # ]]]
+# .. envvar:: cron__combined_jobs [[[
+#
+# YAML dictionary which combines the :command:`cron` jobs defined in other
+# variables. This variable is used in the Ansible tasks.
+cron__combined_jobs: '{{ lookup("template",
+                         "lookup/cron__combined_jobs.j2",
+                         convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/cron/meta/main.yml b/ansible_collections/debops/debops/roles/cron/meta/main.yml
new file mode 100644
index 00000000..fde7be08
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage cron jobs using Ansible inventory'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - cron
diff --git a/ansible_collections/debops/debops/roles/cron/tasks/main.yml b/ansible_collections/debops/debops/roles/cron/tasks/main.yml
new file mode 100644
index 00000000..310b63e3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/tasks/main.yml
@@ -0,0 +1,125 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install cron packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (cron__base_packages
+                              + cron__packages)) }}'
+    state: 'present'
+  register: cron__register_packages
+  until: cron__register_packages is succeeded
+  when: cron__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  tags: [ 'role::cron:crontab' ]
+
+- name: Save cron local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/cron.fact.j2'
+    dest: '/etc/ansible/facts.d/cron.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts', 'role::cron:crontab' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+  tags: [ 'role::cron:crontab' ]
+
+- name: Divert the original crontab configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/crontab'
+    state: '{{ cron__crontab_deploy_state }}'
+    delete: True
+  when: cron__enabled | bool and ansible_pkg_mgr == 'apt'
+  tags: [ 'role::cron:crontab' ]
+
+- name: Generate crontab configuration file
+  ansible.builtin.template:
+    src: 'etc/crontab.j2'
+    dest: '/etc/crontab'
+    mode: '0644'
+  when: cron__enabled | bool and
+        cron__crontab_deploy_state == 'present'
+  tags: [ 'role::cron:crontab' ]
+
+- name: Remove custom cron files
+  ansible.builtin.file:
+    dest: '{{ item.1.dest }}'
+    state: 'absent'
+  with_subelements:
+    - '{{ cron__combined_jobs | selectattr("custom_files", "defined") | list }}'
+    - 'custom_files'
+  when: (cron__enabled | bool and (item.0.state | d('present') == 'absent' or item.1.state | d('present') == 'absent') and
+         (item.1.src | d() or item.1.content | d()) and item.1.dest | d())
+
+- name: Manage custom cron files
+  ansible.builtin.copy:
+    dest:    '{{ item.1.dest }}'
+    src:     '{{ item.1.src | d(omit) }}'
+    content: '{{ item.1.content | d(omit) }}'
+    owner:   '{{ item.1.owner | d("root") }}'
+    group:   '{{ item.1.group | d("root") }}'
+    mode:    '{{ item.1.mode | d("0755") }}'
+    force:   '{{ item.1.force | d(omit) }}'
+  with_subelements:
+    - '{{ cron__combined_jobs | selectattr("custom_files", "defined") | list }}'
+    - 'custom_files'
+  when: (cron__enabled | bool and item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.1.state | d('present') != 'absent' and
+         (item.1.src | d() or item.1.content | d()) and item.1.dest | d())
+
+- name: Remove cron job files
+  ansible.builtin.file:
+    path: '/etc/cron.d/{{ item.0.file | d(item.0.cron_file) }}'
+    state: 'absent'
+  with_subelements:
+    - '{{ cron__combined_jobs }}'
+    - 'jobs'
+  when: cron__enabled | bool and item.0.state | d('present') == 'absent'
+
+- name: Manage cron environment variables
+  ansible.builtin.cron:
+    cron_file:  '{{ item.0.file | d(item.0.cron_file) }}'
+    name:       '{{ item.1.keys() | list | first }}'
+    value:      '{{ item.1.values() | list | first }}'
+    user:       '{{ item.0.user | d("root") }}'
+    state:      'present'
+    env:        True
+  with_subelements:
+    - '{{ cron__combined_jobs | selectattr("environment", "defined") | list }}'
+    - 'environment'
+  when: cron__enabled | bool and item.0.state | d('present') not in ['absent', 'ignore']
+
+- name: Manage cron jobs
+  ansible.builtin.cron:
+    name:         '{{ item.1.name }}'
+    job:          '{{ item.1.job }}'
+    cron_file:    '{{ item.0.file | d(item.0.cron_file) }}'
+    disabled:     '{{ item.1.disabled | d(omit) }}'
+    minute:       '{{ item.1.minute | d(omit) }}'
+    hour:         '{{ item.1.hour | d(omit) }}'
+    day:          '{{ item.1.day | d(omit) }}'
+    month:        '{{ item.1.month | d(omit) }}'
+    weekday:      '{{ item.1.weekday | d(omit) }}'
+    special_time: '{{ item.1.special_time | d(omit) }}'
+    backup:       '{{ item.0.backup | d(omit) }}'
+    user:         '{{ item.0.user | d("root") }}'
+    state:        '{{ item.1.state | d("present") }}'
+  with_subelements:
+    - '{{ cron__combined_jobs }}'
+    - 'jobs'
+  when: cron__enabled | bool and item.0.state | d('present') not in ['absent', 'ignore']
diff --git a/ansible_collections/debops/debops/roles/cron/templates/etc/ansible/facts.d/cron.fact.j2 b/ansible_collections/debops/debops/roles/cron/templates/etc/ansible/facts.d/cron.fact.j2
new file mode 100644
index 00000000..a096e20f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/templates/etc/ansible/facts.d/cron.fact.j2
@@ -0,0 +1,28 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('cron'), 'enabled': True}
+
+output['crontab_offset_seeds'] = loads('''{{ cron__crontab_offset_seeds
+                                             | to_nice_json }}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/cron/templates/etc/crontab.j2 b/ansible_collections/debops/debops/roles/cron/templates/etc/crontab.j2
new file mode 100644
index 00000000..3c7f493a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/templates/etc/crontab.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/crontab: system-wide crontab
+# Unlike any other crontab you don't have to run the `crontab'
+# command to install the new version when you edit this file
+# and files in /etc/cron.d. These files also have username fields,
+# that none of the other crontabs do.
+
+{% for variable, value in cron__crontab_combined_environment | dictsort %}
+{{ '{}={}'.format(variable | upper, value) }}
+{% endfor %}
+
+# Example of job definition:
+# .---------------- minute (0 - 59)
+# | .-------------- hour (0 - 23)
+# | |  .----------- day of month (1 - 31)
+# | |  |  .-------- month (1 - 12) OR jan,feb,mar,apr ...
+# | |  |  |  .----- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# | |  |  |  |
+# * *  *  *  *  user-name  command to be executed
+{% for element in cron__crontab_combined_jobs | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.job | d() and element.state | d('present') not in [ 'absent', 'ignore', 'imit' ] %}
+{%     if element.special_time | d() %}
+{%       if element.special_time in [ 'reboot', 'yearly', 'annually', 'monthly', 'weekly', 'daily', 'midnight', 'hourly' ] %}
+{{ '{:<15} {}\t{}'.format(
+    ('@' + element.special_time),
+    element.user | d('root'),
+    element.job) }}
+{%       else %}
+{{ '{:<15} {}\t{}'.format(
+    element.special_time,
+    element.user | d('root'),
+    element.job) }}
+{%       endif %}
+{%     else %}
+{{ '{:<2}  {:<2} {:<2} {:<2} {:<2} {}\t{}'.format(
+    element.minute  | d('*'),
+    element.hour    | d('*'),
+    element.day     | d('*'),
+    element.month   | d('*'),
+    element.weekday | d('*'),
+    element.user    | d('root'),
+    element.job) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/cron/templates/lookup/cron__combined_jobs.j2 b/ansible_collections/debops/debops/roles/cron/templates/lookup/cron__combined_jobs.j2
new file mode 100644
index 00000000..8330eae4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cron/templates/lookup/cron__combined_jobs.j2
@@ -0,0 +1,86 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}
+{% set cron__tpl_merge_default =   (merge_dict({},                        cron__default_jobs,   'file') | from_yaml) %}
+{% set cron__tpl_merge_dependent = (merge_dict(cron__tpl_merge_default,   cron__dependent_jobs, 'file') | from_yaml) %}
+{% set cron__tpl_merge_all =       (merge_dict(cron__tpl_merge_dependent, cron__jobs,           'file') | from_yaml) %}
+{% set cron__tpl_merge_group =     (merge_dict(cron__tpl_merge_all,       cron__group_jobs,     'file') | from_yaml) %}
+{% set cron__tpl_items =           (merge_dict(cron__tpl_merge_group,     cron__host_jobs,      'file') | from_yaml) %}
+{% set cron__tpl_filtered_items = [] %}
+{% for item_name, params in cron__tpl_items.items() %}
+{%   set cron_file = (params["file"] | d(item_name)) %}
+{%   if params["cron_file"] is undefined %}
+{%     set _ = params.update({"cron_file":cron_file}) %}
+{%   endif %}
+{%   if params["name"] is undefined %}
+{%     set _ = params.update({"name":"Autogenerated name for " + cron_file}) %}
+{%   endif %}
+{%   if params["jobs"] is undefined %}
+{%     set _ = params.update({"jobs":[]}) %}
+{%     set cron__tpl_job = {} %}
+{%     for parameter in params.keys() | sort %}
+{%       if parameter not in [ 'file', 'cron_file', 'backup', 'environment', 'user', 'jobs', 'custom_files' ] %}
+{%         set _ = cron__tpl_job.update({parameter:params[parameter]}) %}
+{%       endif %}
+{%     endfor %}
+{%     set _ = params["jobs"].append(cron__tpl_job) %}
+{%   elif params["jobs"] %}
+{%     set cron__tpl_filtered_jobs = [] %}
+{%     for job in params["jobs"] %}
+{%       set cron__tpl_job = {} %}
+{%       for parameter in params.keys() | sort %}
+{%         if parameter not in [ 'file', 'cron_file', 'backup', 'environment', 'user', 'jobs', 'name', 'job', 'custom_files' ] %}
+{%           set _ = cron__tpl_job.update({parameter:params[parameter]}) %}
+{%         endif %}
+{%       endfor %}
+{%       if job is string %}
+{%         set _ = cron__tpl_job.update({"job":job}) %}
+{%       elif job is mapping %}
+{%         for parameter in job.keys() | sort %}
+{%           if parameter not in [ 'file', 'cron_file', 'backup', 'environment', 'user', 'jobs', 'custom_files' ] %}
+{%             set _ = cron__tpl_job.update({parameter:job[parameter]}) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       if cron__tpl_job["name"] is undefined %}
+{%         set _ = cron__tpl_job.update({"name":"Autogenerated name for " + cron_file + ", job #" + loop.index | string}) %}
+{%       endif %}
+{%       set _ = cron__tpl_filtered_jobs.append(cron__tpl_job) %}
+{%     endfor %}
+{%     set _ = params.update({"jobs":cron__tpl_filtered_jobs}) %}
+{%   endif %}
+{%   if params["environment"] | d() %}
+{%     if params["environment"] is mapping %}
+{%       set cron__tpl_filtered_environment = [] %}
+{%       for env_key, env_value in params["environment"].items() %}
+{%         set _ = cron__tpl_filtered_environment.append({env_key:env_value}) %}
+{%       endfor %}
+{%       set _ = params.update({"environment":cron__tpl_filtered_environment}) %}
+{%     endif %}
+{%   endif %}
+{%   set _ = cron__tpl_filtered_items.append(params) %}
+{% endfor %}
+{{ cron__tpl_filtered_items | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/COPYRIGHT b/ansible_collections/debops/debops/roles/cryptsetup/COPYRIGHT
new file mode 100644
index 00000000..6776a151
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.cryptsetup - Setup and manage encrypted filesystems
+
+Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/defaults/main.yml b/ansible_collections/debops/debops/roles/cryptsetup/defaults/main.yml
new file mode 100644
index 00000000..c3dd7ca1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/defaults/main.yml
@@ -0,0 +1,402 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _cryptsetup__ref_defaults:
+
+# debops.cryptsetup default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Required packages [[[
+# ---------------------
+
+# .. envvar:: cryptsetup__base_packages [[[
+#
+# List of base packages to install.
+cryptsetup__base_packages:
+  - 'cryptsetup'
+                                                                   # ]]]
+                                                                   # ]]]
+# List of encrypted filesystems [[[
+# ---------------------------------
+
+# .. envvar:: cryptsetup__devices [[[
+#
+# Global definition list of encrypted devices.
+#
+# Refer to the :ref:`documentation of all options <cryptsetup__devices>` for more details.
+cryptsetup__devices: []
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__group_devices [[[
+#
+# Host group definition list of encrypted devices.
+cryptsetup__group_devices: []
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__host_devices [[[
+#
+# Host definition list of encrypted devices.
+cryptsetup__host_devices: []
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__combined_devices [[[
+#
+# Combined list of encrypted devices in the order as they will be processed.
+cryptsetup__combined_devices: '{{ (cryptsetup__devices | list) +
+                                  (cryptsetup__group_devices | list) +
+                                  (cryptsetup__host_devices | list) }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__devices_execution_strategy [[[
+#
+# The execution strategy to use for processing the
+# :envvar:`cryptsetup__combined_devices` list.
+#
+# ``serial``
+#   Process one device at a time (from start to finish) before processing the
+#   next one in the list.
+#
+#   This is more verbose.
+#
+# ``parallel``
+#   Process all devices in parallel meaning that every task (like creating the
+#   keyfile or initializing LUKS) is done with all devices at a time before
+#   moving on to the next task. This means that all devices will be done at the
+#   same time.
+#
+#   This is more compact.
+#
+# You will only need to change this when you want to use the `Plaintext device
+# mapper target` of one item as the `Ciphertext block device` of another item.
+# Refer to :ref:`cryptsetup__ref_devices_chaining_multiple_ciphers` for
+# details.
+cryptsetup__devices_execution_strategy: 'parallel'
+                                                                   # ]]]
+                                                                   # ]]]
+# Keyfile settings [[[
+# --------------------
+
+# .. envvar:: cryptsetup__secret_path [[[
+#
+# Location where keyfiles are generated and stored on the Ansible controller.
+cryptsetup__secret_path: '{{ secret + "/cryptsetup/" + ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__secret_owner [[[
+#
+# System user who owns the secret directory and all files in it on the Ansible controller.
+# You might want to change that if you run this role as root on the Ansible
+# controller itself but the secrets directory is managed by another user.
+# The default is set to the special value ``omit`` to use the owner under which
+# the role is run.
+cryptsetup__secret_owner: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__secret_group [[[
+#
+# System group of the secret directory and all files in it on the Ansible controller.
+# You might want to change that if you run this role as root on the Ansible
+# controller itself but the secrets directory is managed by another user.
+# The default is set to the special value ``omit`` to use the primary group
+# under which the role is run.
+cryptsetup__secret_group: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__secret_mode [[[
+#
+# File mode used for the secret directory and all files in it on the Ansible controller.
+cryptsetup__secret_mode: 'u=rwX,g=,o='
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_remote_location [[[
+#
+# Directory where the keyfiles will be stored on the remote system.
+cryptsetup__keyfile_remote_location: '{{ (ansible_local.fhs.var | d("/var/local"))
+                                         + "/keyfiles" }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_owner [[[
+#
+# System user who owns the keyfiles on the remote system.
+cryptsetup__keyfile_owner: 'root'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_group [[[
+#
+# System group of the keyfiles on the remote system.
+cryptsetup__keyfile_group: 'root'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_mode [[[
+#
+# File mode used for the keyfiles on the remote system.
+cryptsetup__keyfile_mode: '0600'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_source_dev [[[
+#
+# The source device where the keyfile will be read from using :command:`dd`.
+cryptsetup__keyfile_source_dev: '/dev/random'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_gen_type [[[
+#
+# Type of keyfile to generate. Supported choices: ``binary``, ``text``.
+# Refer to :ref:`item.keyfile_gen_type <cryptsetup__devices_keyfile_gen_type>` for details.
+cryptsetup__keyfile_gen_type: 'binary'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_gen_command [[[
+#
+# The command which should be used to generate the keyfile when
+# :ref:`item.keyfile_gen_type <cryptsetup__devices_keyfile_gen_type>` is set to
+# ``text``.
+# Refer to :ref:`item.keyfile_gen_command <cryptsetup__devices_keyfile_gen_command>` for details.
+cryptsetup__keyfile_gen_command: 'pwgen --secure 123 1'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__keyfile_shred_command [[[
+#
+# Command plus options to use when shredding/deleting the keyfile on the remote
+# system. The file to delete will be passed as last argument.
+#
+# Depending on which filesystem and lower levels the keyfile is stored on, the
+# ``shred`` operation might be of limited use e. g. because of snapshots or
+# copy-on-write. Try it anyway.
+# Note that there is still at least one copy of the keyfile on the Ansible controller.
+cryptsetup__keyfile_shred_command: 'shred --remove --zero --iterations=42'
+                                                                   # ]]]
+                                                                   # ]]]
+# LUKS header backup [[[
+# ----------------------
+
+# .. envvar:: cryptsetup__header_backup_remote_location [[[
+#
+# Directory where the header backups from LUKS will be stored on the remote system.
+#
+# The LUKS header backup will be stored in this file:
+#
+# .. code-block:: jinja
+#    :linenos:
+#
+#    {{ cryptsetup__header_backup_remote_location + "/" + item.name + "_header_backup.raw" }}
+#
+# on the Ansible controller.
+cryptsetup__header_backup_remote_location: '{{ (ansible_local.fhs.backup | d("/var/backups"))
+                                               + "/luks_header_backup" }}'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__header_backup [[[
+#
+# Should a header backup be created and stored on the remote system and the
+# Ansible controller?
+# Refer to :ref:`item.backup_header <cryptsetup__devices_backup_header>` for details.
+cryptsetup__header_backup: True
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__header_backup_shred_command [[[
+#
+# Command plus options to use when shredding/deleting the header backup on the
+# remote system. The file to delete will be passed as last argument.
+#
+# This is technically not needed as the LUKS header is still present and
+# left intact on the `ciphertext block device`, but ``absent`` is designed to
+# remove all files/traces previously created by the role.
+#
+# Also note the comment about the effectiveness on
+# :envvar:`cryptsetup__keyfile_shred_command`.
+cryptsetup__header_backup_shred_command: 'shred --remove --zero --iterations=2'
+                                                                   # ]]]
+                                                                   # ]]]
+# Ciphertext block device options [[[
+# -----------------------------------
+
+# .. envvar:: cryptsetup__use_uuid [[[
+#
+# Use the UUID of the ciphertext block device in :file:`/etc/crypttab` instead
+# of the file path given by
+# :ref:`item.ciphertext_block_device <cryptsetup__devices_ciphertext_block_device>`.
+# Refer to :ref:`item.use_uuid <cryptsetup__devices_use_uuid>` for details.
+cryptsetup__use_uuid: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Swap options [[[
+# ----------------
+
+# .. envvar:: cryptsetup__swap_priority [[[
+#
+# Default swap device priority, from ``-1`` to ``32767``.
+# Higher numbers indicate higher priority.
+# Refer to :ref:`item.swap_priority <cryptsetup__devices_swap_priority>` for details.
+cryptsetup__swap_priority: -1
+                                                                   # ]]]
+                                                                   # ]]]
+# Filesystem options [[[
+# ----------------------
+
+# .. envvar:: cryptsetup__fstype [[[
+#
+# Default filesystem to create and configure in :file:`/etc/fstab`.
+# Refer to :ref:`item.fstype <cryptsetup__devices_fstype>` for details.
+cryptsetup__fstype: 'ext4'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__fstab_file [[[
+#
+# File path to the :manpage:`fstab(5)` file where file systems should be
+# configured.
+cryptsetup__fstab_file: '/etc/fstab'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__mount_options [[[
+#
+# List of default mount options.
+# Refer to :ref:`item.mount_options <cryptsetup__devices_mount_options>` for details.
+cryptsetup__mount_options:
+  - 'noatime'
+  - 'nodiratime'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__state [[[
+#
+# Default ``state`` for all devices.
+# Refer to :ref:`item.state <cryptsetup__devices_state>` for details.
+cryptsetup__state: 'mounted'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__mountpoint_parent_directory [[[
+#
+# Parent directory under which all encrypted filesystems will be mounted.
+cryptsetup__mountpoint_parent_directory: '/media'
+                                                                   # ]]]
+                                                                   # ]]]
+# Cryptography defaults [[[
+# -------------------------
+
+# .. envvar:: cryptsetup__crypttab_options [[[
+#
+# Default list of options to configure for each device in
+# :file:`/etc/crypttab`.
+# Refer to :ref:`item.crypttab_options <cryptsetup__devices_crypttab_options>` for details.
+cryptsetup__crypttab_options: []
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__crypttab_file [[[
+#
+# File path to the :manpage:`crypttab(5)` file where encrypted file systems
+# should be configured.
+cryptsetup__crypttab_file: '/etc/crypttab'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__hash [[[
+#
+# Specifies the passphrase hash.
+# For the ``luks`` :ref:`item.mode <cryptsetup__devices_mode>` it
+# specifies the hash used in the LUKS key setup scheme and
+# volume key digest for :command:`cryptsetup luksFormat`.
+# Corresponds with the ``--hash`` parameter.
+#
+# The current default of :command:`cryptsetup` (as shown by
+# :command:`cryptsetup --help`) is ``sha1``.
+# Set to ``default`` to use the compiled-in default of :command:`cryptsetup`.
+#
+# Refs: https://security.stackexchange.com/a/40218
+#
+# This is the default for :ref:`item.hash <cryptsetup__devices_hash>`.
+cryptsetup__hash: 'sha512'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__cipher [[[
+#
+# Cipher specification string.
+# Corresponds with the ``--cipher`` parameter.
+#
+# The current default of :command:`cryptsetup` (as shown by
+# :command:`cryptsetup --help`) is ``aes-xts-plain64``.
+# Set to ``default`` to use the compiled-in default of :command:`cryptsetup`.
+#
+# This is the default for :ref:`item.cipher <cryptsetup__devices_cipher>`.
+cryptsetup__cipher: 'aes-xts-plain64'
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__key_size [[[
+#
+# Key size in bits. The argument has to be a multiple of 8. The possible
+# key-sizes are limited by the :envvar:`cipher <cryptsetup__cipher>`
+# and :ref:`mode <cryptsetup__devices_mode>` used.
+# Corresponds with the ``--key-size`` parameter.
+#
+# The current default of :command:`cryptsetup` (as shown by
+# :command:`cryptsetup --help`) is ``256``.
+# Set to ``default`` to use the compiled-in default of :command:`cryptsetup`.
+#
+# Note that in XTS mode, only half of the key size specified here will be used
+# for the block cypher (512 will result in AES-256).
+# Using AES-128 is still considered secure and is faster in most cases.
+# The reason to go with a different default value then the compiled-in default
+# of :command:`cryptsetup` was to have long-term secure storage even when
+# quantum-computing with enough stable qubits become available to your adversary.
+# Plus, with hardware acceleration available in most x86 CPUs nowadays, it
+# really does not make much of a difference anymore (at least for AES).
+#
+# Refs: https://crypto.stackexchange.com/a/7869
+#
+# This is the default for :ref:`item.key_size <cryptsetup__devices_key_size>`.
+cryptsetup__key_size: 512
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__use_dev_random [[[
+#
+# Should :file:`/dev/random` be used to generate the LUKS master key?
+# Corresponds with the ``--use-random`` and ``--use-urandom`` parameters.
+#
+# The current default of :command:`cryptsetup` (as shown by
+# :command:`cryptsetup --help`) is :file:`/dev/urandom`.
+# Set to ``default`` to use the compiled-in default of :command:`cryptsetup`.
+#
+# Check :manpage:`random(4)` and https://bettercrypto.org/ for details.
+cryptsetup__use_dev_random: True
+
+                                                                   # ]]]
+# .. envvar:: cryptsetup__iter_time [[[
+#
+# The number of milliseconds to spend with PBKDF2 passphrase processing.
+# Corresponds with the ``--iter-time`` parameter.
+#
+# The current default of :command:`cryptsetup` (as shown by
+# :command:`cryptsetup --help`) is ``1000`` milliseconds.
+# Set to ``default`` to use the compiled-in default of :command:`cryptsetup`.
+#
+# This is the default for :ref:`item.iter_time <cryptsetup__devices_iter_time>`.
+cryptsetup__iter_time: 'default'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: cryptsetup__persistent_paths__dependent_paths [[[
+#
+# Configuration for the :ref:`debops.persistent_paths`.
+cryptsetup__persistent_paths__dependent_paths:
+
+  '50_debops_cryptsetup':
+    by_role: 'debops.cryptsetup'
+    paths:
+      - '{{ cryptsetup__fstab_file }}'
+      - '{{ cryptsetup__crypttab_file }}'
+      - '{{ cryptsetup__keyfile_remote_location }}'
+      - '{{ cryptsetup__header_backup_remote_location }}'
+      - '{{ cryptsetup__mountpoint_parent_directory }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/meta/main.yml b/ansible_collections/debops/debops/roles/cryptsetup/meta/main.yml
new file mode 100644
index 00000000..cfb57440
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup and manage encrypted filesystems'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - encryption
+    - security
+    - filesystem
+    - cryptsetup
+    - dmcrypt
+    - luks
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/tasks/main.yml b/ansible_collections/debops/debops/roles/cryptsetup/tasks/main.yml
new file mode 100644
index 00000000..b06b6d07
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+## Preparation and error checking (((
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check for Ansible version without known vulnerabilities
+  ansible.builtin.assert:
+    that:
+      - 'ansible_version.full is version_compare("2.2.3.0", ">=")'
+    msg: |
+      VULNERABLE or unsupported Ansible version DETECTED, please update to
+      Ansible >= v2.2.3 or a newer!
+      To skip, add "--skip-tags play::security-assertions" parameter. Refer to
+      the changelog of debops.cryptsetup for details. Exiting.
+  run_once: True
+  delegate_to: 'localhost'
+  tags:
+    - 'play::security-assertions'
+    - 'role::cryptsetup:backup'
+
+- name: Assert that combined device configuration is valid
+  ansible.builtin.assert:
+    that:
+      - '(cryptsetup__combined_devices | map(attribute="ciphertext_block_device")
+          | unique | length) == (cryptsetup__combined_devices | length)'
+      - '(cryptsetup__combined_devices | map(attribute="name")
+          | unique | length) == (cryptsetup__combined_devices | length)'
+  run_once: True
+  delegate_to: 'localhost'
+
+- name: Assert that /dev/shm/ is stored in RAM (assumed to be non-persistent)
+  ## Also assuming that the keyfile is not swapped out in the short time it is
+  ## going to exist in tmpfs.
+  ansible.builtin.command: df /dev/shm --type tmpfs
+  changed_when: False
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", cryptsetup__base_packages) }}'
+    state: 'present'
+  register: cryptsetup__register_packages
+  until: cryptsetup__register_packages is succeeded
+
+- name: Create keyfile and backup directories on the remote system
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
+  when: item.condition
+  loop:
+    - path: '{{ cryptsetup__keyfile_remote_location }}'
+      condition: '{{ (cryptsetup__combined_devices
+                      | selectattr("remote_keyfile", "undefined") | list | length) > 0 }}'
+    - path: '{{ cryptsetup__header_backup_remote_location }}'
+      condition: '{{ ((cryptsetup__combined_devices
+                       | selectattr("backup_header", "defined")
+                       | selectattr("backup_header") | list | length) > 0) or
+                     (cryptsetup__header_backup | bool and ((cryptsetup__combined_devices
+                                                           | selectattr("backup_header", "undefined")
+                                                           | list | length) > 0)) }}'
+
+# Making the execution_strategy configurable per device would also be possible
+# using Jinja filters but that seems to fail for some reason:
+#
+# - debug:
+#     msg: '{{ ([{"execution_strategy": "serial"}, {"some":23}])
+#              | selectattr("execution_strategy", "equalto", "serial") | list }}'
+#
+- name: Manage Cryptsetup devices in parallel
+  ansible.builtin.include_tasks: 'manage_devices.yml'
+  when: cryptsetup__devices_execution_strategy == 'parallel'
+  vars:
+    cryptsetup__process_devices: '{{ cryptsetup__combined_devices }}'
+
+- name: Manage Cryptsetup devices sequentially
+  ansible.builtin.include_tasks: 'manage_devices.yml'
+  when: cryptsetup__devices_execution_strategy == 'serial'
+  with_items: '{{ cryptsetup__combined_devices }}'
+  loop_control:
+    loop_var: cryptsetup__process_device
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/tasks/manage_devices.yml b/ansible_collections/debops/debops/roles/cryptsetup/tasks/manage_devices.yml
new file mode 100644
index 00000000..59cd2910
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/tasks/manage_devices.yml
@@ -0,0 +1,464 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+## Prepare [[[
+- name: Set device list to process to a single device
+  ansible.builtin.set_fact:
+    cryptsetup__process_devices: '{{ [cryptsetup__process_device] }}'
+  when: cryptsetup__process_device is defined
+
+- name: Assert that device configuration is valid
+  ansible.builtin.assert:
+    that:
+      - item.state | d(cryptsetup__state) in
+        ['mounted', 'ansible_controller_mounted', 'unmounted', 'present', 'absent']
+      - item.name is defined and item.name is string
+      - (item.state | d(cryptsetup__state) == 'ansible_controller_mounted' and 'remote_keyfile' not in item) or
+        item.state | d(cryptsetup__state) != 'ansible_controller_mounted'
+      - item.keyfile_gen_type | d(cryptsetup__keyfile_gen_type) in ['binary', 'text']
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Create secrets directory on Ansible controller
+  ansible.builtin.file:
+    path:  '{{ cryptsetup__secret_path + "/" + item.name }}'
+    state: 'directory'
+    owner: '{{ cryptsetup__secret_owner }}'
+    group: '{{ cryptsetup__secret_group }}'
+    mode:  '{{ cryptsetup__secret_mode }}'
+  become: False
+  delegate_to: 'localhost'
+  when: (item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present']
+         and 'remote_keyfile' not in item)
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+## ]]]
+
+## Generate keyfile and copy it to the remote system [[[
+
+- name: Generate binary keyfile on the Ansible controller  # noqa no-shorthand
+  ansible.builtin.shell: head -c {{ ((512 / 8) if (item.key_size | d(cryptsetup__key_size) == "default")
+                             else ((item.key_size | d(cryptsetup__key_size)) / 8)) | int }} \
+                 {{ cryptsetup__keyfile_source_dev | quote }} > \
+                 {{ (item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw")) | quote }}
+  args:
+    creates: '{{ item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw") }}'
+  become: False
+  delegate_to: 'localhost'
+  register: cryptsetup__register_keyfile_gen
+  when: (item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+         ('remote_keyfile' not in item) and (item.keyfile_gen_type | d(cryptsetup__keyfile_gen_type) == 'binary'))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Generate text/passphrase keyfile on the Ansible controller
+  ansible.builtin.shell: 'set -o nounset -o pipefail -o errexit &&
+          {{ item.keyfile_gen_command | d(cryptsetup__keyfile_gen_command) }} \
+          | tr -d "\n" > {{ (item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw")) | quote }}'
+  args:
+    executable: 'bash'
+    creates: '{{ item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw") }}'
+  become: False
+  delegate_to: 'localhost'
+  register: cryptsetup__register_keyfile_gen
+  when: (item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+         ('remote_keyfile' not in item) and (item.keyfile_gen_type | d(cryptsetup__keyfile_gen_type) == 'text'))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Enforce permissions of the keyfile on the Ansible controller
+  tags: [ 'role::cryptsetup:backup' ]
+  ansible.builtin.file:
+    path:  '{{ item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw") }}'
+    owner: '{{ cryptsetup__secret_owner }}'
+    group: '{{ cryptsetup__secret_group }}'
+    mode:  '{{ cryptsetup__secret_mode }}'
+  become: False
+  delegate_to: 'localhost'
+  when: (item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present']
+         and not ansible_check_mode and 'remote_keyfile' not in item)
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Copy keyfiles to remote system
+  ansible.builtin.copy:
+    dest: '{{ ("/dev/shm"
+              if (item.state | d(cryptsetup__state) == "ansible_controller_mounted")
+              else cryptsetup__keyfile_remote_location)
+              + "/" + item.name + "_keyfile.raw" }}'
+    backup:   '{{ item.keyfile_backup | d(omit) }}'
+    follow:   '{{ item.keyfile_follow | d(omit) }}'
+    force:    '{{ item.keyfile_force | d(omit) }}'
+    group:    '{{ item.keyfile_group | d(cryptsetup__keyfile_group) }}'
+    mode:     '{{ item.keyfile_mode | d(cryptsetup__keyfile_mode) }}'
+    owner:    '{{ item.keyfile_owner | d(cryptsetup__keyfile_owner) }}'
+    selevel:  '{{ item.keyfile_selevel | d(omit) }}'
+    serole:   '{{ item.keyfile_serole | d(omit) }}'
+    setype:   '{{ item.keyfile_setype | d(omit) }}'
+    seuser:   '{{ item.keyfile_seuser | d(omit) }}'
+    src:      '{{ item.keyfile | d(cryptsetup__secret_path + "/" + item.name + "/keyfile.raw") }}'
+    validate: '{{ item.keyfile_validate | d(omit) }}'
+  when: (item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present']
+         and not ansible_check_mode and 'remote_keyfile' not in item)
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+## ]]]
+
+## Create and open crypto layer [[[
+
+# You will have to do this with another role if you need it.
+#
+# ``create_partition_on_block_device``
+#   Optional. False by default. Should the block device by partitioned and the encryption layer be
+#   created on the first partition instead of the block device given by
+#   ``ciphertext_block_device``?
+#
+# - name: Partition additional disks
+#   ansible.builtin.shell: |
+#     if [ -b {{ item.ciphertext_block_device }} ]
+#     then
+#         [ -b {{ item.ciphertext_block_device }}{{ item.label_of_first_partition | d("1") }} ] \
+#         || parted --script "{{ item.ciphertext_block_device }}" mklabel gpt mkpart primary 1MiB 100%
+#     fi
+#   args:
+#     creates: '{{ item.ciphertext_block_device }}{{ item.label_of_first_partition | d("1") }}'
+#     executable: 'bash'
+#   when: (item.state | d(cryptsetup__state) in
+#          [ 'mounted', 'ansible_controller_mounted', 'present' ] and
+#          item.create_partition_on_block_device | d(False))
+#   with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Check if ciphertext block device exists
+  ansible.builtin.stat:
+    path: '{{ item.ciphertext_block_device }}'
+    get_checksum: False
+  register: cryptsetup__register_ciphertext_device
+  when: (item.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'])
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+  tags: [ 'role::cryptsetup:backup' ]
+
+- name: Fail when ciphertext block device does not exist but the state requires for it to exist
+  ansible.builtin.fail:
+    msg: |
+      Ciphertext block device {{ item.0.ciphertext_block_device }} does not
+      exist and state was requested to be {{ item.0.state | d(cryptsetup__state) }}!
+  when: (item.0.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted'] and
+         not item.1.stat.exists)
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Fail when ciphertext block device does not exist but the keyfile has changed
+  ansible.builtin.fail:  # noqa no-handler
+    msg: |
+      Ciphertext block device {{ item.0.ciphertext_block_device }} does not
+      exist but the keyfile has just been generated. You will need to make the
+      block device available during a later Ansible run so that the encryption
+      and filesystem layer can be setup. You will not see this error on later
+      runs but that does not mean that the encryption and filesystem setup was
+      successfully until you make the block device available. See documentation
+      for details.
+  when: (item.0.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+         not item.1.stat.exists and item.2 is changed)
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+    - '{{ cryptsetup__register_keyfile_gen.results | d([]) }}'
+
+## Using {{ lookup("file", item.0.keyfile | d(…)) | b64encode }}
+## does not work because Ansible/Python tries to decode the random bytes as UTF-8.
+## Issue: https://github.com/ansible/ansible/issues/7957
+# - name: Read the content of the keyfile and encoding it using base64
+#   ansible.builtin.command: base64 '{{ item.0.keyfile | d(cryptsetup__secret_path + "/" + item.0.name + "/keyfile.raw") }}'
+#   register: cryptsetup__register_keyfile_b64encode
+#   become: False
+#   delegate_to: 'localhost'
+
+## The `luks_device` Ansible module is way too limited in terms of supported
+## parameters as of Ansible 2.9 to replace this yet unfortunately.
+- name: Create encryption layer  # noqa no-shorthand
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         cryptsetup isLuks "{{ item.0.ciphertext_block_device }}" || cryptsetup luksFormat
+         --batch-mode --verbose
+         {{ "" if (item.0.hash | d(cryptsetup__hash) == "default")
+               else ("--hash=" + item.0.hash | d(cryptsetup__hash)) }}
+         {{ "" if (item.0.cipher | d(cryptsetup__cipher) == "default")
+               else ("--cipher=" + item.0.cipher | d(cryptsetup__cipher)) }}
+         {{ "" if (item.0.key_size | d(cryptsetup__key_size) == "default")
+               else ("--key-size=" + item.0.key_size | d(cryptsetup__key_size) | string) }}
+         {{ "" if (item.0.iter_time | d(cryptsetup__iter_time) == "default")
+               else ("--iter-time=" + item.0.iter_time | d(cryptsetup__iter_time) | string) }}
+         {% if cryptsetup__use_dev_random | d("default") != "default" %}
+         {{ "--use-random" if cryptsetup__use_dev_random else "--use-urandom" }}
+         {% endif %}
+         --key-file '{{ item.0.remote_keyfile | d(("/dev/shm"
+                        if (item.0.state | d(cryptsetup__state) == "ansible_controller_mounted")
+                        else cryptsetup__keyfile_remote_location)
+                        + "/" + item.0.name + "_keyfile.raw") }}'
+         '{{ item.0.ciphertext_block_device }}'
+  args:
+    executable: 'bash'
+  register: cryptsetup__register_cmd
+  changed_when: ("Command successful." == cryptsetup__register_cmd.stdout)
+  when: (item.0.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present']
+         and item.1.stat.exists and item.0.mode | d("luks") == "luks")
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Get UUID for ciphertext block device
+  ansible.builtin.command: blkid -s UUID -o value "{{ item.0.ciphertext_block_device }}"
+  register: cryptsetup__register_ciphertext_blkid
+  changed_when: False
+  failed_when: (cryptsetup__register_ciphertext_blkid.rc not in [0, 2])
+  check_mode: False
+  when: (item.0.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present']
+         and item.1.stat.exists)
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Ensure ciphertext block device is configured in crypttab
+  community.general.crypttab:
+    backing_device: '{{ ("UUID=" + item.1.stdout)
+                        if (item.1.stdout | d() and item.0.use_uuid | d(cryptsetup__use_uuid) | bool)
+                        else item.0.ciphertext_block_device }}'
+    name: '{{ item.0.name }}'
+    opts: '{{ (item.2.crypttab_options | d(cryptsetup__crypttab_options | d([])) | list | sort | unique | join(","))
+              if ((item.2.crypttab_options | d(cryptsetup__crypttab_options | d([])) | list | length) > 0)
+              else "none" }}'
+    ## ``none`` is required by :command:`cryptdisks_start` if no options are given.
+    ## Also `crypttab(5)` says that "all four fields are mandatory and that
+    ## a missing field will lead to unspecified behaviour."
+    password: '{{ item.0.remote_keyfile | d(("/dev/shm"
+                  if (item.0.state | d(cryptsetup__state) == "ansible_controller_mounted")
+                  else cryptsetup__keyfile_remote_location)
+                  + "/" + item.0.name + "_keyfile.raw") }}'
+    path: '{{ item.0.crypttab_path | d(omit) }}'
+    state: 'present'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: (item.0.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'])
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_blkid.results | d([]) }}'
+    - '{{ lookup("template", "lookup/cryptsetup__devices_crypttab_options.j2") | from_yaml }}'
+
+- name: Start plaintext device mapper target
+  ansible.builtin.command: cryptdisks_start "{{ item.0.name }}"
+  register: cryptsetup__register_cryptdisks_start
+  changed_when: ("(started)" in cryptsetup__register_cryptdisks_start.stdout)
+  when: (item.0.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+         item.1.stat.exists)
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Check if plaintext device mapper target exists
+  ansible.builtin.stat:
+    path: '/dev/mapper/{{ item.name }}'
+  register: cryptsetup__register_plaintext_device
+  when: (item.state | d(cryptsetup__state) in
+         ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+         (item.manage_filesystem | d(True) | bool))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Create filesystem on plaintext device mapper target
+  community.general.filesystem:
+    dev:    '/dev/mapper/{{ item.0.name }}'
+    force:  '{{ item.0.format_force | d(omit) }}'
+    fstype: '{{ item.0.fstype | d(cryptsetup__fstype) }}'
+    opts:   '{{ item.0.format_options | d(omit) }}'
+  when: (item.1 | d() and item.1.stat | d() and item.1.stat.exists | d() and
+         (item.0.create_filesystem | d(item.0.manage_filesystem | d(True)) | bool) and
+         not (item.0.swap | d(False) | bool))
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_plaintext_device.results | d([]) }}'
+
+- name: Ensure mount directories exist when manually mounted
+  ansible.builtin.file:
+    path: '{{ item.mount | d(cryptsetup__mountpoint_parent_directory + "/" + item.name) }}'
+    state: 'directory'
+    mode: '0755'
+  when: (item.state | d(cryptsetup__state) in ['present'] and (item.manage_filesystem | d(True) | bool))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+## ]]]
+
+## LUKS header backup [[[
+
+## The header backup might change for example when new keys are added manually.
+## Thus we need to do the following steps each time the role is executed.
+- name: Create LUKS header backup
+  tags: [ 'role::cryptsetup:backup' ]
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    rm -f {{ (cryptsetup__header_backup_remote_location + "/" + item.0.name + "_header_backup.raw") | quote }}
+    cryptsetup luksHeaderBackup {{ item.0.ciphertext_block_device | quote }} \
+      --header-backup-file {{ (cryptsetup__header_backup_remote_location + "/"
+                               + item.0.name + "_header_backup.raw") | quote }}
+  args:
+    executable: 'bash'
+  changed_when: False
+  when: ((item.0.backup_header | d(cryptsetup__header_backup) | bool) and
+          item.0.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+          item.1.stat.exists and item.0.mode | d("luks") == "luks")
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Store the header backup in secret directory on to the Ansible controller
+  tags: [ 'role::cryptsetup:backup' ]
+  ansible.builtin.fetch:
+    src:  '{{ cryptsetup__header_backup_remote_location + "/" + item.0.name + "_header_backup.raw" }}'
+    dest: '{{ cryptsetup__secret_path + "/" + item.0.name + "/header_backup.raw" }}'
+    fail_on_missing: True
+    flat: True
+  when: ((item.0.backup_header | d(cryptsetup__header_backup) | bool) and
+          item.0.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+          item.1.stat.exists and item.0.mode | d("luks") == "luks")
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+- name: Enforce permissions of the header backup on the Ansible controller
+  tags: [ 'role::cryptsetup:backup' ]
+  ansible.builtin.file:
+    path:  '{{ cryptsetup__secret_path + "/" + item.0.name + "/header_backup.raw" }}'
+    owner: '{{ cryptsetup__secret_owner }}'
+    group: '{{ cryptsetup__secret_group }}'
+    mode:  '{{ cryptsetup__secret_mode }}'
+  become: False
+  delegate_to: 'localhost'
+  when: ((item.0.backup_header | d(cryptsetup__header_backup) | bool) and
+          item.0.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted', 'unmounted', 'present'] and
+          item.1.stat.exists and item.0.mode | d("luks") == "luks" and
+          not ansible_check_mode)
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_ciphertext_device.results | d([]) }}'
+
+## ]]]
+
+## Handle plaintext device mapper target [[[
+- name: Manage fstab and mount state of the plaintext device mapper targets
+  ansible.posix.mount:
+    src:    '/dev/mapper/{{ item.name }}'
+    fstype: '{{ item.fstype | d(cryptsetup__fstype) }}'
+    name:   '{{ item.mount | d(cryptsetup__mountpoint_parent_directory + "/" + item.name) }}'
+    opts:   '{{ (item.mount_options | d(cryptsetup__mount_options | d([]))) | list | sort | unique | join(",") }}'
+    dump:   '{{ item.mount_dump | d(omit) }}'
+    passno: '{{ item.mount_passno | d(omit) }}'
+    fstab:  '{{ item.fstab_path | d(cryptsetup__fstab_file) }}'
+    state:  '{{ "mounted"
+                if (item.state | d(cryptsetup__state) == "ansible_controller_mounted")
+                else item.state | d(cryptsetup__state) }}'
+  when: ((item.manage_filesystem | d(True) | bool) and not (item.swap | d(False) | bool))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Disable swap devices when requested
+  ansible.builtin.shell: |
+    if [ -e {{ ("/dev/mapper/" + item.name) | quote }} ]
+    then swapoff {{ ("/dev/mapper/" + item.name) | quote }}
+    else true
+    fi
+  changed_when: False
+  when: ((item.swap | d(False) | bool) and (item.state | d(cryptsetup__state) in ["unmounted", "absent"]))
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Manage swap devices in fstab
+  ansible.posix.mount:
+    src:    '{{ "/dev/mapper/" + item.name }}'
+    name:   'none'
+    fstype: 'swap'
+    opts:   '{{ ((item.swap_options | d([]) | list) +
+                 (["pri=" + (item.priority | d(cryptsetup__swap_priority) | string)]))
+                | list | sort | unique | join(",") }}'
+    dump:   '0'
+    passno: '0'
+    fstab:  '{{ item.fstab_path | d(cryptsetup__fstab_file) }}'
+    state:  '{{ (item.state | d(cryptsetup__state) == "absent") | ternary("absent", "present") }}'
+  register: cryptsetup__register_swap_fstab
+  when: item.swap | d(False) | bool
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Enable swap devices
+  ansible.builtin.command: swapon --priority {{ (item.item.priority | d(cryptsetup__swap_priority) | string) | quote }}
+           {{ ("/dev/mapper/" + item.item.name) | quote }}
+  register: cryptsetup__register_swapon
+  changed_when: cryptsetup__register_swapon.changed | bool
+  when: (item is changed and (item.item.swap | d(False) | bool) and
+         (item.item.state | d(cryptsetup__state) in ['mounted', 'ansible_controller_mounted']))
+  with_items: '{{ cryptsetup__register_swap_fstab.results | d([]) }}'  # noqa no-handler
+## ]]]
+
+## Close crypto layer and remove [[[
+
+- name: Ensure mount directory is absent
+  ansible.builtin.file:
+    path: '{{ item.mount | d(cryptsetup__mountpoint_parent_directory + "/" + item.name) }}'
+    state: 'absent'
+  when: (item.state | d(cryptsetup__state) in ['absent'])
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Stop plaintext device mapper target
+  ansible.builtin.command: 'cryptdisks_stop "{{ item.0.name }}"'  # noqa no-handler
+  register: cryptsetup__register_cryptdisks_stop
+  changed_when: ("(stopping)" in cryptsetup__register_cryptdisks_stop.stdout)
+  failed_when: (cryptsetup__register_cryptdisks_stop.rc != 0 and not
+                (('Stopping crypto disk...' == cryptsetup__register_cryptdisks_stop.stdout or
+                  'failed, not found in crypttab' in cryptsetup__register_cryptdisks_stop.stdout)
+                   and cryptsetup__register_cryptdisks_stop.rc == 1))
+  when: (item.0.state | d(cryptsetup__state) in ['unmounted', 'absent'] or
+          (item.0.state | d(cryptsetup__state) in ['present'] and item.1 is changed))
+  with_together:
+    - '{{ cryptsetup__process_devices | d([]) }}'
+    - '{{ cryptsetup__register_cryptdisks_start.results | d([]) }}'
+
+- name: Ensure ciphertext block device is absent in crypttab
+  community.general.crypttab:
+    name:  '{{ item.name }}'
+    path:  '{{ item.crypttab_path | d(omit) }}'
+    state: 'absent'
+  when: (item.state | d(cryptsetup__state) in ['absent'])
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Check if remote keyfiles are regular files
+  ansible.builtin.stat:
+    path: '{{ (item.remote_keyfile | d(("/dev/shm"
+               if (item.state | d(cryptsetup__state) == "ansible_controller_mounted")
+               else cryptsetup__keyfile_remote_location)
+               + "/" + item.name + "_keyfile.raw")) }}'
+  register: cryptsetup__register_stat_remote_keyfile
+  when: (item.state | d(cryptsetup__state) in ['ansible_controller_mounted', 'absent'])
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+
+- name: Ensure keyfile is unaccessible on the remote system
+  ansible.builtin.command: '{{ cryptsetup__keyfile_shred_command }}
+            {{ item.stat.path | quote }}'
+  args:
+    removes: '{{ item.stat.path }}'
+  when: (item.item.state | d(cryptsetup__state) in ['ansible_controller_mounted', 'absent'] and
+         item.stat.exists and item.stat.isreg)
+  with_items: '{{ cryptsetup__register_stat_remote_keyfile.results | d([]) }}'
+
+## Note that there are still two copies of the header on the ciphertext block device
+## and on the Ansible controller.
+- name: Ensure header backup is unaccessible on the remote system
+  ansible.builtin.command: '{{ cryptsetup__header_backup_shred_command }}
+            {{ cryptsetup__header_backup_remote_location + "/" + item.name + "_header_backup.raw" | quote }}'
+  args:
+    removes: '{{ cryptsetup__header_backup_remote_location + "/" + item.name + "_header_backup.raw" }}'
+  when: ((item.state | d(cryptsetup__state) == 'absent' or
+          not (item.backup_header | d(cryptsetup__header_backup) | bool))
+          and 'remote_keyfile' not in item)
+  with_items: '{{ cryptsetup__process_devices | d([]) }}'
+  tags: [ 'role::cryptsetup:backup' ]
+
+## ]]]
diff --git a/ansible_collections/debops/debops/roles/cryptsetup/templates/lookup/cryptsetup__devices_crypttab_options.j2 b/ansible_collections/debops/debops/roles/cryptsetup/templates/lookup/cryptsetup__devices_crypttab_options.j2
new file mode 100644
index 00000000..b53179fe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/cryptsetup/templates/lookup/cryptsetup__devices_crypttab_options.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{#
+# Ansible `with_together` seems to flatten lists it gets so we return a list of dicts here.
+#}
+{% set cryptsetup__tpl_devices = [] %}
+{% for device in cryptsetup__process_devices | d([]) %}
+{%   set _ = cryptsetup__tpl_devices.append({
+       'crypttab_options': (
+         (["swap"] if (device.swap | d(False) | bool) else []) +
+         ([device.mode | d("luks")] | difference(["plain"])) +
+         (device.crypttab_options | d(cryptsetup__crypttab_options) | list) +
+         ((
+           ([] if (device.hash | d(cryptsetup__hash) == "default") else ["hash=" + device.hash | d(cryptsetup__hash)]) +
+           ([] if (device.cipher | d(cryptsetup__cipher) == "default") else ["cipher=" + device.cipher | d(cryptsetup__cipher)]) +
+           ([] if (device.key_size | d(cryptsetup__key_size) == "default") else ["size=" + (device.key_size | d(cryptsetup__key_size) | string)])
+         ) if device.mode | d("luks") == "plain" else [])
+       ),
+     }) %}
+{% endfor %}
+{{ cryptsetup__tpl_devices | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/debconf/COPYRIGHT b/ansible_collections/debops/debops/roles/debconf/COPYRIGHT
new file mode 100644
index 00000000..5a9f37c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.debconf - Configure APT packages using Debconf database
+
+Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2024 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/debconf/defaults/main.yml b/ansible_collections/debops/debops/roles/debconf/defaults/main.yml
new file mode 100644
index 00000000..ca6166fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/defaults/main.yml
@@ -0,0 +1,173 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _debconf__ref_defaults:
+
+# debops.debconf default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# The :command:`debconf` configuration database [[[
+# -------------------------------------------------
+
+# Variables which define what configuration entries should be set in the Debconf
+# database. See :ref:`debconf__ref_entries` for more details.
+
+# .. envvar:: debconf__entries [[[
+#
+# List of Debconf database entries to set on all hosts in the Ansible inventory.
+debconf__entries: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__group_entries [[[
+#
+# List of Debconf database entries to set on hosts in a specific Ansible
+# inventory group.
+debconf__group_entries: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__host_entries [[[
+#
+# List of Debconf database entries to set on specific hosts in the Ansible
+# inventory.
+debconf__host_entries: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__combined_entries [[[
+#
+# Variable which combines all other Debconf database entry lists and is used as
+# an input for the configuration filtering template.
+debconf__combined_entries: '{{ debconf__entries
+                                  + debconf__group_entries
+                                  + debconf__host_entries }}'
+
+                                                                   # ]]]
+# .. envvar:: debconf__filtered_entries [[[
+#
+# Variable that contains the output of the template that filters the
+# configuration of the Debconf database entries and is used in role tasks and
+# templates.
+debconf__filtered_entries: '{{ lookup("template",
+                                     "lookup/debconf__filtered_entries.j2",
+                                     convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package installation [[[
+# ----------------------------
+
+# .. envvar:: debconf__cache_valid_time [[[
+#
+# The role will ensure that the APT cache is updated to account for new package
+# releases that might be more frequent than the OS package updates. By default
+# APT cache will be updated if it's older than an hour.
+debconf__cache_valid_time: '{{ (60 * 60) }}'
+
+                                                                   # ]]]
+# .. envvar:: debconf__apt_state [[[
+#
+# Specify the state of the APT packages installed by the :ref:`debops.debconf`
+# role. Either ``present`` (packages will be installed but not upgraded) or
+# ``latest`` (packages will be installed or upgraded if already present). It's
+# best to use this variable on the command line to avoid issues with
+# idempotency.
+debconf__apt_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: debconf__packages [[[
+#
+# List of APT packages which should be installed by the :ref:`debops.debconf`
+# role on all hosts in the Ansible inventory.
+debconf__packages: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__group_packages [[[
+#
+# List of APT packages which should be installed by the :ref:`debops.debconf`
+# role on hosts in a specific Ansible inventory group.
+debconf__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__host_packages [[[
+#
+# List of APT packages which should be installed by the :ref:`debops.debconf`
+# role on specific hosts in the Ansible inventory.
+debconf__host_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Alternative package symlinks [[[
+# --------------------------------
+
+# These lists can be used to define alternative symlinks for certain packages
+# which provide similar functionality, using ``update-alternatives`` package.
+# See :ref:`debconf__ref_alternatives` for more details.
+
+# .. envvar:: debconf__alternatives [[[
+#
+# List of symlink configuration entries defined on all hosts in the Ansible
+# inventory.
+debconf__alternatives: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__group_alternatives [[[
+#
+# List of symlink configuration entries defined on hosts in a specific Ansible
+# inventory group.
+debconf__group_alternatives: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__host_alternatives [[[
+#
+# List of symlink configuration entries defined on specific hosts in the Ansible
+# inventory.
+debconf__host_alternatives: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom shell commands [[[
+# -------------------------
+
+# The variables below let you define shell commands (or even small shell
+# scripts) to execute on the remote hosts as the ``root`` UNIX account. You
+# need to ensure idempotency by yourself. This is not a replacement for
+# a normal Ansible role.
+#
+# See :ref:`debconf__ref_commands` for more details.
+
+# .. envvar:: debconf__commands [[[
+#
+# List of shell commands which should be executed on all hosts in the Ansible
+# inventory.
+debconf__commands: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__group_commands [[[
+#
+# List of shell commands which should be executed on hosts in a specific Ansible
+# inventory group.
+debconf__group_commands: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__host_commands [[[
+#
+# List of shell commands which should be executed on specific hosts in the
+# Ansible inventory.
+debconf__host_commands: []
+
+                                                                   # ]]]
+# .. envvar:: debconf__combined_commands [[[
+#
+# Variable which combines all other shell command variables and is used in the
+# role tasks.
+debconf__combined_commands: '{{ debconf__commands
+                                   + debconf__group_commands
+                                   + debconf__host_commands }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/debconf/meta/main.yml b/ansible_collections/debops/debops/roles/debconf/meta/main.yml
new file mode 100644
index 00000000..0c892b7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Debian packages using Debconf database'
+  company: 'DebOps'
+  license: 'GPLv3'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - packages
+    - configuration
diff --git a/ansible_collections/debops/debops/roles/debconf/tasks/main.yml b/ansible_collections/debops/debops/roles/debconf/tasks/main.yml
new file mode 100644
index 00000000..2dca550d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Refresh APT cache when needed
+  ansible.builtin.apt:
+    update_cache: True
+    cache_valid_time: '{{ debconf__cache_valid_time }}'
+  register: debconf__register_apt_update
+  until: debconf__register_apt_update is succeeded
+
+- name: Install debconf module dependencies
+  ansible.builtin.apt:
+    name: [ 'debconf', 'debconf-utils' ]
+    state: 'present'
+  register: debconf__register_debconf_packages
+  until: debconf__register_debconf_packages is succeeded
+
+- name: Apply requested package configuration in debconf
+  ansible.builtin.debconf:
+    name:      '{{ item.name }}'
+    question:  '{{ item.question | d(omit) }}'
+    unseen:    '{{ item.unseen | d(omit) }}'
+    value:     '{{ item.value | d(omit) }}'
+    vtype:     '{{ item.vtype | d(omit) }}'
+  loop: '{{ debconf__filtered_entries }}'
+  register: debconf__register_entries
+  when: item.state | d('present') not in [ 'init', 'ignore' ]
+  no_log: '{{ debops__no_log | d(True
+                                 if (item.vtype == "password")
+                                 else False) }}'
+
+- name: Detect packages which need to be reconfigured
+  ansible.builtin.set_fact:
+    debconf__fact_reconfigure_packages: '{{ lookup("template", "lookup/debconf__fact_reconfigure_packages.j2",
+                                                   convert_data=False) | from_yaml | flatten }}'
+
+- name: Install requested APT packages
+  ansible.builtin.apt:
+    name: '{{ q("flattened", debconf__packages
+                             + debconf__group_packages
+                             + debconf__host_packages) }}'
+    state: '{{ debconf__apt_state }}'
+  register: debconf__register_packages
+  until: debconf__register_packages is succeeded
+
+- name: Reconfigure packages using debconf
+  ansible.builtin.command: 'dpkg-reconfigure --frontend noninteractive {{ item }}'
+  loop: '{{ debconf__fact_reconfigure_packages }}'
+  register: debconf__register_reconfigure
+  when: item is defined
+  changed_when: debconf__register_reconfigure.rc == 0
+
+- name: Configure alternative symlinks
+  community.general.alternatives:
+    name:     '{{ item.name }}'
+    path:     '{{ item.path }}'
+    link:     '{{ item.link | d(omit) }}'
+    priority: '{{ item.priority | d(omit) }}'
+  loop: '{{ q("flattened", debconf__default_alternatives
+                           + debconf__alternatives
+                           + debconf__group_alternatives
+                           + debconf__host_alternatives) }}'
+  when: item.name | d() and item.path | d()
+
+- name: Configure automatic alternatives
+  ansible.builtin.command: update-alternatives --auto {{ item.name }}
+  register: debconf__register_alternatives
+  loop: '{{ q("flattened", debconf__alternatives
+                           + debconf__group_alternatives
+                           + debconf__host_alternatives) }}'
+  when: item.name | d() and not item.path | d()
+  changed_when: debconf__register_alternatives.stdout | d()
+
+# Execute custom shell commands [[[1
+# This is not an alternative to a fully-fledged Ansible role.
+- name: Execute shell commands
+  ansible.builtin.include_tasks: 'shell_commands.yml'
+  loop: '{{ q("flattened", debconf__combined_commands) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name} }}'
+  when: item.name | d() and item.state | d('present') not in [ 'absent', 'ignore' ]
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+  tags: [ 'role::debconf:commands' ]
diff --git a/ansible_collections/debops/debops/roles/debconf/tasks/shell_commands.yml b/ansible_collections/debops/debops/roles/debconf/tasks/shell_commands.yml
new file mode 100644
index 00000000..ccf5735e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/tasks/shell_commands.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  ansible.builtin.shell: '{{ item.script | d(item.shell | d(item.command)) }}'  # noqa command-instead-of-shell
+  args:
+    chdir:      '{{ item.chdir | d(omit) }}'
+    creates:    '{{ item.creates | d(omit) }}'
+    removes:    '{{ item.removes | d(omit) }}'
+    executable: '{{ item.executable | d("bash") }}'
+  when: item.name | d() and item.state not in ['absent', 'ignore']
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+  tags: [ 'role::late_tasks:commands' ]
diff --git a/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__fact_reconfigure_packages.j2 b/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__fact_reconfigure_packages.j2
new file mode 100644
index 00000000..3d2a6a06
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__fact_reconfigure_packages.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% set filtered_results = [] %}
+{% for element in debconf__register_entries.results %}
+{%   if element.changed | bool %}
+{%     if element.item.reconfigure | bool %}
+{%       set _ = filtered_results.append(element.item.name) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ filtered_results | unique | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__filtered_entries.j2 b/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__filtered_entries.j2
new file mode 100644
index 00000000..8555c22b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debconf/templates/lookup/debconf__filtered_entries.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% set filtered_entries = [] %}
+{% for element in debconf__combined_entries | debops.debops.parse_kv_items %}
+{%   for option in element.options %}
+{%     set entry = {} %}
+{%     set _ = entry.update({'name': element.name}) %}
+{%     if '/' in option.name %}
+{%       set _ = entry.update({'question': option.name}) %}
+{%     else %}
+{%       set _ = entry.update({'question': element.name + '/' + option.name}) %}
+{%     endif %}
+{%     if option.unseen | d() %}
+{%       set _ = entry.update({'unseen': option.unseen}) %}
+{%     endif %}
+{%     set _ = entry.update({'value': option.value}) %}
+{%     set _ = entry.update({'vtype': option.vtype | d('string')}) %}
+{%     set _ = entry.update({'reconfigure': element.reconfigure | d(True) }) %}
+{%     set _ = filtered_entries.append(entry) %}
+{%   endfor %}
+{% endfor %}
+{{ filtered_entries | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/debops_fact/COPYRIGHT b/ansible_collections/debops/debops/roles/debops_fact/COPYRIGHT
new file mode 100644
index 00000000..90e4c57e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.debops_fact - Manage Ansible local facts for other roles
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/debops_fact/defaults/main.yml b/ansible_collections/debops/debops/roles/debops_fact/defaults/main.yml
new file mode 100644
index 00000000..58b8310c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/defaults/main.yml
@@ -0,0 +1,87 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _debops_fact__ref_defaults:
+
+# debops.debops_fact default variables [[[
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# DebOps fact main configuration [[[
+# ----------------------------------
+
+# .. envvar:: debops_fact__enabled [[[
+#
+# Enable or disable support for DebOps facts.
+debops_fact__enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# DebOps fact storage configuration [[[
+# -------------------------------------
+
+# .. envvar:: debops_fact__public_path [[[
+#
+# Path to the file which holds the public parameters.
+debops_fact__public_path: '/etc/ansible/debops_fact.ini'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__private_path [[[
+#
+# Path to the file which holds the private parameters.
+debops_fact__private_path: '/etc/ansible/debops_fact_priv.ini'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__private_group [[[
+#
+# The system group which will be able to access the private facts file. It will
+# be automatically created if it doesn't exist.
+debops_fact__private_group: 'root'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__private_mode [[[
+#
+# The file permissions of the private Ansible facts file.
+debops_fact__private_mode: '0640'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__config_files [[[
+#
+# List of INI configuration files to read by the fact script.
+debops_fact__config_files:
+  - '{{ debops_fact__public_path }}'
+  - '{{ debops_fact__private_path }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DebOps fact sections [[[
+# ------------------------
+
+# .. envvar:: debops_fact__default_section [[[
+#
+# Name of the "default" INI section, not added in a subkey.
+debops_fact__default_section: 'default'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__public_section [[[
+#
+# Name of the "public" section available by default, stored in the public fact
+# file.
+debops_fact__public_section: 'global'
+
+                                                                   # ]]]
+# .. envvar:: debops_fact__private_section [[[
+#
+# Name of the "private" section available by default, stored in the private
+# fact file.
+debops_fact__private_section: 'secret'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/debops_fact/meta/main.yml b/ansible_collections/debops/debops/roles/debops_fact/meta/main.yml
new file mode 100644
index 00000000..d4ed96e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Ansible local facts for other roles'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags:
+    - ansible
+    - ipc
+    - facts
diff --git a/ansible_collections/debops/debops/roles/debops_fact/tasks/main.yml b/ansible_collections/debops/debops/roles/debops_fact/tasks/main.yml
new file mode 100644
index 00000000..3b553494
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Ensure that the private fact group exists
+  ansible.builtin.group:
+    name: '{{ debops_fact__private_group }}'
+    system: True
+    state: 'present'
+  when: debops_fact__enabled | bool
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: debops_fact__enabled | bool
+
+- name: Install local fact script
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/debops_fact.fact.j2'
+    dest: '/etc/ansible/facts.d/debops_fact.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: debops_fact__enabled | bool
+
+- name: Initialize public DebOps fact file
+  ansible.builtin.template:
+    src: 'etc/ansible/debops_fact.ini.j2'
+    dest: '{{ debops_fact__public_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    force: False
+  when: debops_fact__enabled | bool
+
+- name: Initialize private DebOps fact file
+  ansible.builtin.template:
+    src: 'etc/ansible/debops_fact_priv.ini.j2'
+    dest: '{{ debops_fact__private_path }}'
+    owner: 'root'
+    group: '{{ debops_fact__private_group }}'
+    mode: '{{ debops_fact__private_mode }}'
+    force: False
+  when: debops_fact__enabled | bool
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact.ini.j2 b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact.ini.j2
new file mode 100644
index 00000000..3e382f52
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact.ini.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[{{ debops_fact__default_section }}]
+enabled = true
+public_facts = "{{ debops_fact__public_path }}"
+public_section = "{{ debops_fact__public_section }}"
+default_section = "{{ debops_fact__default_section }}"
+
+[{{ debops_fact__public_section }}]
diff --git a/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact_priv.ini.j2 b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact_priv.ini.j2
new file mode 100644
index 00000000..a89d73af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/debops_fact_priv.ini.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[{{ debops_fact__default_section }}]
+private_facts = "{{ debops_fact__private_path }}"
+private_section = "{{ debops_fact__private_section }}"
+
+[{{ debops_fact__private_section }}]
diff --git a/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/facts.d/debops_fact.fact.j2 b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/facts.d/debops_fact.fact.j2
new file mode 100644
index 00000000..6c59a5ca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_fact/templates/etc/ansible/facts.d/debops_fact.fact.j2
@@ -0,0 +1,56 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from os import path, access, R_OK
+
+try:
+    from configparser import ConfigParser
+except ImportError:
+    from ConfigParser import ConfigParser
+
+conf_files = loads('''{{ debops_fact__config_files | to_json }}''')
+default_section = '{{ debops_fact__default_section }}'
+output = {}
+
+
+def read_facts(config_file, data):
+
+    out_facts = data
+
+    if path.isfile(config_file) and access(config_file, R_OK):
+        config = ConfigParser()
+        config.read(conf_file)
+
+        for section in config.sections():
+
+            if section == default_section:
+                for name, value in config.items(section):
+                    try:
+                        out_facts[name] = loads(value)
+                    except ValueError:
+                        out_facts[name] = value
+
+            else:
+                out_facts[section] = {}
+
+                for name, value in config.items(section):
+                    try:
+                        out_facts[section][name] = loads(value)
+                    except ValueError:
+                        out_facts[section][name] = value
+
+    return out_facts
+
+
+for conf_file in conf_files:
+    output = read_facts(conf_file, output)
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/debops_legacy/COPYRIGHT b/ansible_collections/debops/debops/roles/debops_legacy/COPYRIGHT
new file mode 100644
index 00000000..10978795
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_legacy/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.debops_legacy - Clean up legacy content using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/debops_legacy/defaults/main.yml b/ansible_collections/debops/debops/roles/debops_legacy/defaults/main.yml
new file mode 100644
index 00000000..7b509c95
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_legacy/defaults/main.yml
@@ -0,0 +1,235 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _debops_legacy__ref_defaults:
+
+# debops.debops_legacy default variables
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: debops_legacy__enabled [[[
+#
+# Enable or disable support for removing legacy files, packages and diversions
+# managed by DebOps.
+debops_legacy__enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Diversion cleanup [[[
+# ---------------------
+
+# These lists define what diversions created by the :command:`dpkg-divert`
+# command should be removed. The modified files specified here will be removed,
+# and the original files which were diverted will be moved back into place.
+# See :ref:`debops_legacy__ref_remove_diversions` for more details.
+
+# .. envvar:: debops_legacy__remove_default_diversions [[[
+#
+# The list of diversions to remove defined by the role.
+debops_legacy__remove_default_diversions:
+
+  # Diversion created by the old 'debops.redis' Ansible role
+  - name: '/etc/redis/redis.conf'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Diversion created by the old 'debops.redis' Ansible role
+  - name: '/etc/redis/sentinel.conf'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_diversions [[[
+#
+# The list of diversions to remove on all hosts in the Ansible inventory.
+debops_legacy__remove_diversions: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_group_diversions [[[
+#
+# The list of diversions to remove on hosts in a specific Ansible inventory
+# group.
+debops_legacy__remove_group_diversions: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_host_diversions [[[
+#
+# The list of diversions to remove on specific hosts in the Ansible inventory.
+debops_legacy__remove_host_diversions: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_combined_diversions [[[
+#
+# The list which combines all of the diversion configuration variables and is
+# used in the role tasks.
+debops_legacy__remove_combined_diversions: '{{ debops_legacy__remove_default_diversions
+                                               + debops_legacy__remove_diversions
+                                               + debops_legacy__remove_group_diversions
+                                               + debops_legacy__remove_host_diversions }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package cleanup [[[
+# -----------------------
+
+# These lists define what APT packages should be removed on hosts managed by
+# DebOps. See :ref:`debops_legacy__ref_remove_packages` for more details.
+
+# .. envvar:: debops_legacy__remove_default_packages [[[
+#
+# List of APT packages to remove defined by the role.
+debops_legacy__remove_default_packages: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_packages [[[
+#
+# List of APT packages to remove on all hosts in the Ansible inventory.
+debops_legacy__remove_packages: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_group_packages [[[
+#
+# List of APT packages to remove on hosts in a specific Ansible inventory
+# group.
+debops_legacy__remove_group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_host_packages [[[
+#
+# List of APT packages to remove on specific hosts in the Ansible inventory.
+debops_legacy__remove_host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_combined_packages [[[
+#
+# The list which combines all of the APT package lists and is used in the role
+# tasks.
+debops_legacy__remove_combined_packages: '{{ debops_legacy__remove_default_packages
+                                             + debops_legacy__remove_packages
+                                             + debops_legacy__remove_group_packages
+                                             + debops_legacy__remove_host_packages }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# File cleanup [[[
+# ----------------
+
+# These lists define what files or directories will be removed by the role on
+# hosts managed by DebOps. See :ref:`debops_legacy__ref_remove_files` for more
+# details.
+
+# .. envvar:: debops_legacy__remove_default_files [[[
+#
+# List of files or directories to remove defined by the role.
+debops_legacy__remove_default_files:
+
+  # This is a legacy file that configured 'sudo' to allow members of the
+  # 'admins' UNIX group privileged access without password authentication.
+  #
+  # The replacement file is: '/etc/sudoers.d/system_groups-admins'.
+  - name: '/etc/sudoers.d/admins'
+    state: '{{ "absent"
+               if (ansible_local | d() and ansible_local.system_groups | d() and
+                   (ansible_local.system_groups.configured | d() | bool))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' Ansible local fact
+  - name: '/etc/ansible/facts.d/redis.fact'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' configuration directory
+  - name: '/etc/redis/notify.d'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' configuration directory
+  - name: '/etc/redis/trigger.d'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' script directory
+  - name: '/usr/local/lib/redis'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' configuration file
+  - name: '/etc/redis/ansible-redis-dynamic.conf'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Legacy 'debops.redis' configuration file
+  - name: '/etc/redis/ansible-redis-static.conf'
+    state: '{{ "absent"
+               if (ansible_local | d() and
+                   (ansible_local.redis_server is defined or
+                    ansible_local.redis_sentinel is defined))
+               else "ignore" }}'
+
+  # Old IP forwarding configuration defined by 'debops.ferm' role
+  - name: '/etc/sysctl.d/30-ferm.conf'
+    state: '{{ "absent"
+               if (ansible_local | d() and ansible_local.ferm is defined)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_files [[[
+#
+# List of files or directories to remove on all hosts in the Ansible inventory.
+debops_legacy__remove_files: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_group_files [[[
+#
+# List of files or directories to remove on hosts in a specific Ansible
+# inventory group.
+debops_legacy__remove_group_files: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_host_files [[[
+#
+# List of files or directories to remove on specific hosts in the Ansible
+# inventory.
+debops_legacy__remove_host_files: []
+
+                                                                   # ]]]
+# .. envvar:: debops_legacy__remove_combined_files [[[
+#
+# The list which combines all of the file/directory lists and is used in the
+# role tasks.
+debops_legacy__remove_combined_files: '{{ debops_legacy__remove_default_files
+                                          + debops_legacy__remove_files
+                                          + debops_legacy__remove_group_files
+                                          + debops_legacy__remove_host_files }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/debops_legacy/meta/main.yml b/ansible_collections/debops/debops/roles/debops_legacy/meta/main.yml
new file mode 100644
index 00000000..f6ccb4d7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_legacy/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Clean up legacy files, directories, packages or diversions'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - legacy
+    - cleanup
diff --git a/ansible_collections/debops/debops/roles/debops_legacy/tasks/main.yml b/ansible_collections/debops/debops/roles/debops_legacy/tasks/main.yml
new file mode 100644
index 00000000..17768f68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/debops_legacy/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Remove legacy diversions
+  debops.debops.dpkg_divert:
+    path: '{{ item.name }}'
+    divert: '{{ item.diversion | d(item.name + ".dpkg-divert") }}'
+    state: 'absent'
+    delete: True
+  with_items: '{{ debops_legacy__remove_combined_diversions | debops.debops.parse_kv_items }}'
+  when: debops_legacy__enabled | bool and item.state | d('present') == 'absent'
+
+- name: Remove legacy packages
+  ansible.builtin.package:
+    name: '{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ debops_legacy__remove_combined_packages | debops.debops.parse_kv_items }}'
+  when: debops_legacy__enabled | bool and item.state | d('present') == 'absent'
+
+- name: Remove legacy files and directories
+  ansible.builtin.file:
+    path: '{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ debops_legacy__remove_combined_files | debops.debops.parse_kv_items }}'
+  when: debops_legacy__enabled | bool and item.state | d('present') == 'absent'
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/COPYRIGHT b/ansible_collections/debops/debops/roles/dhcp_probe/COPYRIGHT
new file mode 100644
index 00000000..e049593a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.dhcp_probe - Configure DHCP Probe using Ansible
+
+Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/defaults/main.yml b/ansible_collections/debops/debops/roles/dhcp_probe/defaults/main.yml
new file mode 100644
index 00000000..180e8c10
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/defaults/main.yml
@@ -0,0 +1,166 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dhcp_probe__ref_defaults:
+
+# debops.dhcp_probe default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: dhcp_probe__base_packages [[[
+#
+# List of APT packages required for DHCP Probe service.
+dhcp_probe__base_packages: [ 'dhcp-probe' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__packages [[[
+#
+# List of additional APT packages to install with DHCP Probe.
+dhcp_probe__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom directories, scripts [[[
+# -------------------------------
+
+# .. envvar:: dhcp_probe__cache [[[
+#
+# Absolute path of the cache directory where :command:`mail-throttled` script
+# state is stored.
+dhcp_probe__cache: '{{ (ansible_local.fhs.cache | d("/var/cache"))
+                       + "/dhcp-probe" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__lib [[[
+#
+# Absolute path where the custom scripts used by the DHCP Probe service are
+# stored.
+dhcp_probe__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                     + "/dhcp-probe" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Monitored network interfaces [[[
+# --------------------------------
+
+# These variables define on which network interfaces DHCP Probe will listen for
+# rogue DHCP servers. By default Ethernet interfaces, bridges, VLAN interfaces,
+# bonds and various uplink interfaces with IPv4 addresses will be monitored.
+# See :ref:`dhcp_probe__ref_interfaces` for more details.
+
+# .. envvar:: dhcp_probe__default_interfaces [[[
+#
+# List of default network interfaces to listen on for rogue DHCP servers.
+dhcp_probe__default_interfaces: '{{ lookup("template", "lookup/dhcp_probe__default_interfaces.j2",
+                                    convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__interfaces [[[
+#
+# Additional list of network interfaces to listen on for rogue DHCP servers.
+dhcp_probe__interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__combined_interfaces [[[
+#
+# The variable that combines the interface lists and is used in the role tasks.
+dhcp_probe__combined_interfaces: '{{ dhcp_probe__default_interfaces
+                                     + dhcp_probe__interfaces }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DHCP Probe configuration [[[
+# ----------------------------
+
+# .. envvar:: dhcp_probe__alert_program [[[
+#
+# Absolute path of the script executed by DHCP Probe when new rogue DHCP server
+# is detected. By default an e-mail message will be generated and sent to the
+# system administrator. Set to an empty string to disable.
+dhcp_probe__alert_program: '{{ dhcp_probe__lib + "/dhcp_probe_notify2" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__legal_servers [[[
+#
+# List of IPv4 addresses of the DHCP servers that are allowed on the network.
+# If both an IP address list and a hardware address list are specified, both
+# elements must match.
+dhcp_probe__legal_servers: []
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__legal_servers_ethersrc [[[
+#
+# List of hardware (MAC) addresses of the DHCP servers that are allowed on the
+# network. If both an IP address list and a hardware address list are
+# specified, both elements must match.
+dhcp_probe__legal_servers_ethersrc: []
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__options [[[
+#
+# A string or YAML text block with custom :command:`dhcp_probe` options.
+# See :man:`dhcp_probe.cf(5)` for more details about available options.
+dhcp_probe__options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Mail and pager notification [[[
+# -------------------------------
+
+# These variables are used to configure the custom mail notification script
+# used by DHCP Probe to notify the system administrator about rogue DHCP
+# servers found on the network.
+
+# .. envvar:: dhcp_probe__domain [[[
+#
+# The DNS domain used to send e-mail notifications about rogue DHCP servers.
+dhcp_probe__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__mail_from [[[
+#
+# The sender of the notification mail. The default ``root`` will be expanded to
+# a full e-mail address by the SMTP server.
+dhcp_probe__mail_from: 'root'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__mail_to [[[
+#
+# The list of the e-mail addresses of recipients which should get the
+# notification mail.
+dhcp_probe__mail_to: [ 'root@{{ dhcp_probe__domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__mail_subject [[[
+#
+# The prefix of the notification mail subject.
+dhcp_probe__mail_subject: 'Unexpected BOOTP/DHCP server'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__mail_timeout [[[
+#
+# Time in seconds between successive notification mail messages.
+dhcp_probe__mail_timeout: '{{ 20 * 60 }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__page_to [[[
+#
+# The list of e-mail addresses of recipients which will receive short e-mail
+# messages, suitable for pagers.
+dhcp_probe__page_to: []
+
+                                                                   # ]]]
+# .. envvar:: dhcp_probe__page_timeout [[[
+#
+# Time in seconds between successive notification pager messages.
+dhcp_probe__page_timeout: '{{ 20 * 60 }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/meta/main.yml b/ansible_collections/debops/debops/roles/dhcp_probe/meta/main.yml
new file mode 100644
index 00000000..60882137
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure DHCP Probe service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.6.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions:
+        - bionic
+
+    - name: 'Debian'
+      versions:
+        - stretch
+        - buster
+
+  galaxy_tags:
+    - dhcp
+    - networking
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/tasks/main.yml b/ansible_collections/debops/debops/roles/dhcp_probe/tasks/main.yml
new file mode 100644
index 00000000..51db9df7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/tasks/main.yml
@@ -0,0 +1,111 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dhcp_probe__base_packages + dhcp_probe__packages)) }}'
+    state: 'present'
+  register: dhcp_probe__register_packages
+  until: dhcp_probe__register_packages is succeeded
+
+- name: Ensure that sysvinit dhcp-probe service is stopped on install
+  ansible.builtin.systemd:
+    name: 'dhcp-probe.service'
+    state: 'stopped'
+  when: ((ansible_local is undefined or
+          ansible_local.dhcp_probe is undefined) and
+         ansible_service_mgr == 'systemd')
+
+- name: Install custom systemd unit files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/{{ item }}.j2'
+    dest: '/etc/systemd/system/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: [ 'dhcp-probe@.service', 'dhcp-probe.service' ]
+  notify: [ 'Reload service manager' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Reload systemd configuration when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Disable DHCP Probe instances if requested
+  ansible.builtin.systemd:
+    name: 'dhcp-probe@{{ item.name }}.service'
+    state: 'stopped'
+    enabled: False
+  loop: '{{ dhcp_probe__combined_interfaces | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state} }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+
+- name: Enable DHCP Probe instances if requested
+  ansible.builtin.systemd:
+    name: 'dhcp-probe@{{ item.name }}.service'
+    enabled: True
+  loop: '{{ dhcp_probe__combined_interfaces | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state} }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') != 'absent'
+  notify: [ 'Restart dhcp-probe' ]
+
+- name: Ensure that required directories exist
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: [ '{{ dhcp_probe__cache }}', '{{ dhcp_probe__lib }}' ]
+
+- name: Install custom notification scripts
+  ansible.builtin.template:
+    src: 'usr/local/lib/dhcp-probe/{{ item }}.j2'
+    dest: '{{ dhcp_probe__lib + "/" + item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: [ 'dhcp_probe_notify2', 'mail-throttled' ]
+
+- name: Generate dhcp_probe.cf configuration file
+  ansible.builtin.template:
+    src: 'etc/dhcp_probe.cf.j2'
+    dest: '/etc/dhcp_probe.cf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart dhcp-probe' ]
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Setup DHCP Probe local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dhcp_probe.fact.j2'
+    dest: '/etc/ansible/facts.d/dhcp_probe.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/ansible/facts.d/dhcp_probe.fact.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/ansible/facts.d/dhcp_probe.fact.j2
new file mode 100644
index 00000000..9dfeb829
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/ansible/facts.d/dhcp_probe.fact.j2
@@ -0,0 +1,24 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('/usr/sbin/dhcp_probe')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/dhcp_probe.cf.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/dhcp_probe.cf.j2
new file mode 100644
index 00000000..19d70910
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/dhcp_probe.cf.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if dhcp_probe__alert_program | d() %}
+# Send mail messages about unauthorized DHCP servers
+alert_program_name2 {{ dhcp_probe__alert_program }}
+{% endif %}
+{% if dhcp_probe__legal_servers | d() %}
+
+# List of IP addresses of legal DHCP servers
+{%   for address in ([ dhcp_probe__legal_servers ] if dhcp_probe__legal_servers is string else dhcp_probe__legal_servers) %}
+legal_server {{ address }}
+{%   endfor %}
+{% endif %}
+{% if dhcp_probe__legal_servers_ethersrc | d() %}
+
+# List of MAC addresses of legal DHCP servers
+{%   for address in ([ dhcp_probe__legal_servers_ethersrc ] if dhcp_probe__legal_servers_ethersrc is string else dhcp_probe__legal_servers_ethersrc) %}
+legal_server_ethersrc {{ address }}
+{%   endfor %}
+{% endif %}
+{% if dhcp_probe__options | d() %}
+
+# Custom options
+{{ dhcp_probe__options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe.service.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe.service.j2
new file mode 100644
index 00000000..3440359f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe.service.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Daemon to survery DHCP/BOOTP servers on LAN
+After=network-online.target
+Documentation=man:dhcp_probe(8)
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe@.service.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe@.service.j2
new file mode 100644
index 00000000..43c4181f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/etc/systemd/system/dhcp-probe@.service.j2
@@ -0,0 +1,38 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Daemon to survey DHCP/BOOTP servers on LAN
+After=network-online.target
+Documentation=man:dhcp_probe(8)
+ConditionPathExists=/etc/dhcp_probe.cf
+PartOf=dhcp-probe.service
+ReloadPropagatedFrom=dhcp-probe.service
+Before=dhcp-probe.service
+
+[Service]
+Type=forking
+Slice=system-dhcp-probe.slice
+ExecStart=/usr/sbin/dhcp_probe -T -p /var/run/dhcp-probe/dhcp_probe.%i.pid %i
+
+PIDFile=/var/run/dhcp-probe/dhcp_probe.%i.pid
+
+# dhcp_probe ignores SIGTERM
+KillMode=control-group
+KillSignal=SIGKILL
+SuccessExitStatus=SIGKILL
+
+RuntimeDirectory=dhcp-probe
+RuntimeDirectoryMode=0755
+
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome=yes
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=dhcp-probe.service
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/lookup/dhcp_probe__default_interfaces.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/lookup/dhcp_probe__default_interfaces.j2
new file mode 100644
index 00000000..7bff7945
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/lookup/dhcp_probe__default_interfaces.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set dhcp_probe__tpl_interfaces = [] %}
+{% for element in ansible_interfaces %}
+{%   if element.startswith(('bond', 'br', 'en', 'eth', 'mesh', 'sit', 'sl', 'tap', 'tun', 'vlan', 'wl', 'ww')) %}
+{%     if hostvars[inventory_hostname]['ansible_' + element]['ipv4'] is defined %}
+{%       set _ = dhcp_probe__tpl_interfaces.append({
+  'name': element,
+  'state': 'present'
+}) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ dhcp_probe__tpl_interfaces | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/dhcp_probe_notify2.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/dhcp_probe_notify2.j2
new file mode 100644
index 00000000..96ef0e8f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/dhcp_probe_notify2.j2
@@ -0,0 +1,299 @@
+#!/usr/bin/perl -w
+
+# {{ ansible_managed }}
+
+# Copyright (C) 2008      Irwin Tillman <networking@princeton.edu>
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: BSD-4-Clause
+
+
+# dhcp_probe was created by the Network Systems Group at Princeton University's
+# Office of Information Technology, networking at princeton dot edu.
+# It was written by Irwin Tillman.
+#
+# Portions of this software are copyrighted by other organizations or individuals;
+# see below for details one which portions, and what legal notices apply
+# to each of those portions.
+#
+# Those portions of the software which have not identified below as copyrighted
+# by other organizations or individuals are themselves Copyright (©) 2000-2008,
+# The Trustees of Princeton University, All Rights Reserved.
+#
+# Redistribution and use in source and binary form, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# * The redistribution, use, or modification shall not violate any of the additional
+#  copyrights, patents, or other restrictions below.
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#  list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice, this
+#  list of conditions and the following disclaimer in the documentation and/or
+#  other materials provided with the distribution.
+#
+# * If redistribution includes any portion of the software that is copyrighted by other
+#  organizations or individuals (as detailed below), the copyright notice associated with
+#  that portion of the software also must be retained.
+#
+# * Neither the names of the individual authors or contributos, nor the
+#  name of "Princeton University" may be used to endorse or promote products
+#  derived from this software without specific prior written permission.
+#
+# This software is provided "as is" and any express or implied
+# warranties, including, but not limited to, the implied warranties of
+# mechantability and fitness for a particular purpose are disclaimed. In
+# no event shall the authors or Princeton University be liable for any
+# direct, indirect, incidental, special exemplary, or consequential
+# damages (including, but not limited to, procurement of substitute goods
+# or services; loss of use, data, or profits; or business interruption)
+# however caused and on any theory of liability, whether in contract,
+# strict liability, or tort (including negligence or otherwise) arising
+# in any way out of the use of this software, even if advised of the
+# possibility of such damage.
+
+
+# dhcp_probe_notify2 -p calling_prog_name -I interface_name -i IPaddress -m MACaddress [-y yiaddr]
+#
+# An external program called by dhcp_probe upon response of a response from an unexpected BootP/DHCP server.
+#
+# Called via specification of 'alert_program_name2' in /etc/dhcp_probe.cf file.
+# This version obeys the syntax provided by the 'alert_program_name2' statement,
+# not the syntax provided by the older 'alert_program_name' statement.
+#
+# Required options:
+#   -p calling_prog_name     the name of the calling program (e.g. 'dhcp_probe')
+#   -I interface_name        the name of the interface on which the unexpected response packet arrived (e.g. 'qfe0')
+#   -i IPaddress             the IP source address of the unexpected response packet (e.g. '192.168.0.1')
+#   -m MACaddress            the Ethernet source address of the unexpected response packet (e.g. '0:1:2:3:4:5')
+#
+# Optional options:
+#   -y yiaddr                the response packet's non-zero yiaddr value, when it falls within a "Lease Network of Interest" (e.g. '172.16.1.2')
+#
+# May send email subject to throttling.
+# May send page subject to throttling.
+#
+# You will need to edit the definitions below.
+#
+# Irwin Tillman
+
+
+use Sys::Hostname;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+use Time::HiRes qw(gettimeofday); # from CPAN
+use Getopt::Std;
+use strict;
+
+#############################################################################
+#
+# Definitions you may need to edit
+
+my $SYSLOG_FACILITY="daemon";                   # name of facility to use if syslogging (e.g. 'daemon')
+my $SYSLOG_OPT = 'pid,cons';                    # comma-separated syslog options to use if syslogging (e.g. 'pid,cons') , ignored if not syslogging
+
+use vars qw($VERBOSE);
+$VERBOSE = 1;	# set to true to produce more verbose messages
+
+# We may send one piece of mail this way, subject to frequency throttling.
+# Use this set of definitions for a piece of email that is delivered as regular email (not a page).
+use vars qw($THROTTLE_MAIL_CMD $THROTTLE_MAIL_TIMEOUT $THROTTLE_MAIL_FROM $THROTTLE_MAIL_RECIPIENT $THROTTLE_MAIL_RECIPIENT_TEST $THROTTLE_MAIL_SUBJECT);
+{% if dhcp_probe__mail_to | d() %}
+$THROTTLE_MAIL_CMD = "{{ dhcp_probe__lib + '/mail-throttled' }}"; # set to "" to disable
+{% else %}
+$THROTTLE_MAIL_CMD = ""; # set to "" to disable
+{% endif %}
+$THROTTLE_MAIL_TIMEOUT = {{ dhcp_probe__mail_timeout | default('600') }}; # seconds
+$THROTTLE_MAIL_FROM = "{{ dhcp_probe__mail_from | replace('@', '\@') }}"; # e.g. "root"
+$THROTTLE_MAIL_RECIPIENT = "{{ dhcp_probe__mail_to | join(' ') | replace('@','\@') }}"; # space-separated email addresses, remember to escape '@' characters
+$THROTTLE_MAIL_SUBJECT = "{{ dhcp_probe__mail_subject }}";
+
+
+# We may also send another piece of email this way, subject to frequency throttling.
+# Use this set of definitions for a piece of email that is delivered to a pager (not as regular email).
+use vars qw($THROTTLE_PAGE_CMD $THROTTLE_PAGE_TIMEOUT $THROTTLE_PAGE_RECIPIENT);
+{% if dhcp_probe__page_to | d() %}
+$THROTTLE_PAGE_CMD = "{{ dhcp_probe__lib + '/mail-throttled' }}"; # set to "" to disable
+{% else %}
+$THROTTLE_PAGE_CMD = ""; # set to "" to disable
+{% endif %}
+$THROTTLE_PAGE_TIMEOUT = {{ dhcp_probe__page_timeout | default('600') }}; # seconds
+$THROTTLE_PAGE_RECIPIENT = "{{ dhcp_probe__page_to | join(' ') | replace('@','\@') }}"; # space-separated email addresses, remember to escape '@' characters
+
+
+# End of definitions you may need to edit
+#
+#############################################################################
+
+(my $prog = $0) =~ s/.*\///;
+
+# init our use of syslog
+# setlogsock('unix'); # talk to syslog with UNIX domain socket, not INET domain. XXX causes failure in Solaris 7
+openlog($prog, $SYSLOG_OPT, $SYSLOG_FACILITY);
+
+#############################################################################
+#
+# Parse options and arguments
+
+# We must use getopt() instead of getopts() to avoid throwing an error
+# if we are passed an unrecognized option.
+# We must silently ignore unrecognized options to be forward compatible with enhancements to dhcp_probe.
+use vars qw($opt_i $opt_I $opt_m $opt_p $opt_y);
+# &getopt('p:i:I:m:y:');
+&getopt('piImy');
+
+# Required options
+my $calling_program = $opt_p;
+my $ifname = $opt_I;
+my $ip_src = $opt_i;
+my $ether_src = $opt_m;
+#
+# Optional options
+my $yiaddr = $opt_y || "";
+
+
+# Enforce presence of required options
+unless ($calling_program) {
+	my_message('LOG_ERR', "${prog}: missing -p calling_program option");
+	exit 100;
+}
+unless ($ifname)  {
+	my_message('LOG_ERR', "${prog}: missing -I interface_name option");
+	exit 101;
+}
+unless ($ip_src)  {
+	my_message('LOG_ERR', "${prog}: missing -i ip_src_address option");
+	exit 102;
+}
+unless ($ether_src)  {
+	my_message('LOG_ERR', "${prog}: missing -m ether_src_address option");
+	exit 103;
+}
+
+# Done parsing options and arguments
+#
+#############################################################################
+
+# Miscellaneous Initialization
+
+my $hostname = hostname();
+
+my ($seconds, $microseconds) = gettimeofday;    # from Time::HiRes on CPAN
+my $timestamp = scalar(localtime($seconds));
+$timestamp =~ s/(\d\d:\d\d:\d\d)/$1.$microseconds/; # glue microsends to end of seconds
+
+
+
+# When we pass a key to THROTTLE_MAIL_CMD, we want the key to also include an indication
+# of whether the yiaddr option was specified.  (If we didn't include such an indication,
+# the following could happen: The first response we detect from a rogue server doesn't
+# distribute an "address of concern", so the yiaddr option wasn't specified.  We alert
+# based on that.  The next response we detect from a rogue server does distribute an
+# "address of concern", so the yiaddr is specified.  Our alert gets throttled since
+# the first alert we sent was "recent".  But this means the administrator doesn't get
+# notified that the rogue distributed an "address of interest".  So we need to
+# include the state of yiaddr option in the key we pass to THROTTLE_MAIL_CMD,
+# to ensure the second response isn't throttled using the same key as the first response.)
+#
+# We can't just use the value of yiaddr itself as the string to incorporate into the key,
+# as that would result in a unique key for each distributed IP address.  Instead, we
+# will use the state of yiaddr (set or unset).
+#
+# Note this means that when a rogue DHCP server is distributing IP addresses that fall into "Networks of Concern",
+# we will very likely send more than one notification for it within each throttle period.
+# That's because while some of the responses from the rogue will have a yiaddr within a "Networks of Concern",
+# others (for example, DHCPNAK responses) will not.  This is unfortunate, but is better than the
+# alternative approach (of not taking into account the yiaddr state in the key), since that will
+# sometimes cause you to not be alerted at all to the "yiaddr falls into a Network of Concern" situation.
+#
+# Create a string based on the state of yiaddr, for later incorporation into the key.
+my $yiaddr_option_state = $yiaddr ? "yiaddr=set" : "yiaddr=unset";
+
+#############################################################################
+
+if ($THROTTLE_MAIL_CMD) {
+	# This command suppresses the message if it's sent a message to 'key' within 'throttle_seconds'
+	# I use the calling program's name and the offender's hardware address as the key.
+
+	my $subject_yiaddr_addendum = "";
+	$subject_yiaddr_addendum = ", YIADDR=$yiaddr" if $yiaddr;
+
+	unless (open(THROTTLE_MAIL, "| $THROTTLE_MAIL_CMD -l -k ${calling_program}_mail_${ether_src}_$yiaddr_option_state -t $THROTTLE_MAIL_TIMEOUT -f \"$THROTTLE_MAIL_FROM\" -r \"$THROTTLE_MAIL_RECIPIENT\" -s\"$THROTTLE_MAIL_SUBJECT (MAC=${ether_src}, IP=${ip_src}${subject_yiaddr_addendum})\"")) {
+
+		my_message('LOG_ERR', "${prog}: failure trying to send throttled email: can't execute '${THROTTLE_MAIL_CMD}': open(): $!");
+		exit 20;
+	}
+
+	print THROTTLE_MAIL
+			$timestamp, "\n",
+			"\n",
+			"$calling_program detected an unexpected BOOTP/DHCP server.\n",
+			"Host=$hostname, interface=${ifname}, IP source=${ip_src}, Ethernet source=${ether_src}\n";
+	print THROTTLE_MAIL "\nThis means that *there is* a rogue BOOTP/DHCP server operating.\n" if $VERBOSE;
+	if ($yiaddr) {
+		print THROTTLE_MAIL
+			"The server distributed IP address $yiaddr, which falls into a network of special concern.\n";
+	}
+
+	unless (close(THROTTLE_MAIL)) {
+		my_message('LOG_ERR',
+					"${prog}: failure trying to send throttled email: error executing '${THROTTLE_MAIL_CMD}': close(): " .
+						($! ?
+							"syserr closing pipe: $!"
+							:
+							"wait status $? from pipe"
+						) .
+					"\n"
+				);
+		exit 21;
+
+	}
+}
+
+
+
+
+if ($THROTTLE_PAGE_CMD) {
+	# This command suppresses the message if it's sent a message to 'key' within 'throttle_seconds'
+	# I use the calling program's name and the offender's hardware address as the key.
+
+	unless (open(THROTTLE_PAGE, "| $THROTTLE_PAGE_CMD -l -k ${calling_program}_page_${ether_src}_$yiaddr_option_state -t $THROTTLE_PAGE_TIMEOUT -r \"$THROTTLE_PAGE_RECIPIENT\"")) {
+		my_message('LOG_ERR', "${prog}: failure trying to send throttled page: can't execute '${THROTTLE_PAGE_CMD}': open(): $!\n");
+		exit 30;
+	}
+
+	print THROTTLE_PAGE "Rogue DHCP server IP=$ip_src MAC=$ether_src seen via host $hostname interface $ifname\n";
+	print THROTTLE_PAGE "This means *there is* a rogue BOOTP/DHCP server operating.\n" if $VERBOSE;
+	if ($yiaddr) {
+		print THROTTLE_PAGE
+			"Rogue server distributed yiaddr=$yiaddr, a special concern.\n";
+	}
+
+	unless (close(THROTTLE_PAGE)) {
+		my_message('LOG_ERR',
+					"${prog}: failure trying to send throttled page: error executing '${THROTTLE_PAGE_CMD}': close(): " .
+						($! ?
+							"syserr closing pipe: $!"
+							:
+							"wait status $? from pipe"
+						) .
+					"\n"
+				);
+		exit 31;
+	}
+
+}
+
+exit 0;
+
+#############################################################################
+
+sub my_message {
+	# Call with a syslog priority constant and a message string.
+	# We write the message to syslog, using the specified priority.
+	# Your message should not contain a newline.
+
+	my($priority, $msg) = @_;
+	syslog($priority, $msg);
+	return;
+}
diff --git a/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/mail-throttled.j2 b/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/mail-throttled.j2
new file mode 100644
index 00000000..cfd9343e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcp_probe/templates/usr/local/lib/dhcp-probe/mail-throttled.j2
@@ -0,0 +1,225 @@
+#!/usr/bin/perl -w
+
+# {{ ansible_managed }}
+
+# Copyright (C) 2008      Irwin Tillman <networking@princeton.edu>
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: BSD-4-Clause
+
+
+# dhcp_probe was created by the Network Systems Group at Princeton University's
+# Office of Information Technology, networking at princeton dot edu.
+# It was written by Irwin Tillman.
+#
+# Portions of this software are copyrighted by other organizations or individuals;
+# see below for details one which portions, and what legal notices apply
+# to each of those portions.
+#
+# Those portions of the software which have not identified below as copyrighted
+# by other organizations or individuals are themselves Copyright (©) 2000-2008,
+# The Trustees of Princeton University, All Rights Reserved.
+#
+# Redistribution and use in source and binary form, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# * The redistribution, use, or modification shall not violate any of the additional
+#  copyrights, patents, or other restrictions below.
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#  list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice, this
+#  list of conditions and the following disclaimer in the documentation and/or
+#  other materials provided with the distribution.
+#
+# * If redistribution includes any portion of the software that is copyrighted by other
+#  organizations or individuals (as detailed below), the copyright notice associated with
+#  that portion of the software also must be retained.
+#
+# * Neither the names of the individual authors or contributos, nor the
+#  name of "Princeton University" may be used to endorse or promote products
+#  derived from this software without specific prior written permission.
+#
+# This software is provided "as is" and any express or implied
+# warranties, including, but not limited to, the implied warranties of
+# mechantability and fitness for a particular purpose are disclaimed. In
+# no event shall the authors or Princeton University be liable for any
+# direct, indirect, incidental, special exemplary, or consequential
+# damages (including, but not limited to, procurement of substitute goods
+# or services; loss of use, data, or profits; or business interruption)
+# however caused and on any theory of liability, whether in contract,
+# strict liability, or tort (including negligence or otherwise) arising
+# in any way out of the use of this software, even if advised of the
+# possibility of such damage.
+
+
+# $Header: /usr/local/etc/RCS/mail-throttled,v 1.11 2008/12/06 01:50:28 root Exp $
+
+# mail-throttled [-l] [-D dbm_file] -k key -t throttle_seconds [-f from] -r recipient [-d] [-T tie_attempts_max] [-S tie_retry_sleep] [-s subject]
+#
+# Sends mail body (read from STDIN) to 'recipient', but avoids doing so "too frequently."
+#
+# You provide a 'key', which is an arbitrary string used to identify this notification.
+# You also provide 'throttle_seconds', an integer.  If we've sent anything that
+# specified this 'key' within the last 'throttle_seconds', we do not send the message.
+# Otherwise, we send the message, and the remember that we've sent a message for this 'key'
+# at the current time.
+#
+# This key/timesent tuples are stored on-disk, in a dbm.  As a result, the 'key'
+# you supply must satisfy the syntactic requirements for dbm keys.
+# The caller needs to have permission to read and write this DBM (and create it if
+# it does not already exist).  If you fail to specify a dbm_file, we'll use a default
+# value, which may not be what you want (since the caller might not be able to r/w that
+# particular DBM).
+# We never clean this dbm.  You can safely erase it entirely, if you don't mind losing
+# the state, and you know the caller has permission to create a new instance of the DBM.
+#
+# The 'recipient' should be a valid email address.  Naturally, it should not
+# be one that will cause any ack or bounce mail to return to us!
+# If there are several addresses (delimited by spaces), be sure to quote them as a single arg.
+#
+# If a subject is specified, be sure to quote it if it contains any spaces or other shell
+# metachars.
+#
+# If -l is specified, then any errors, warnings, or debugging output is written to syslog
+# in addition to its usual destination (STDERR).  This is helpful if you call this from an
+# environment where STDERR may get lost.
+#
+# Irwin Tillman
+
+use Getopt::Std;
+use GDBM_File;
+use Errno qw(EAGAIN);
+use Sys::Syslog qw(:DEFAULT setlogsock);
+
+use strict;
+use warnings;
+
+use vars qw($DBM_FILE_DEFAULT $MAILCMD $MAILCMD_OPTS $FROM_DEFAULT);
+$DBM_FILE_DEFAULT = '{{ dhcp_probe__cache + "/mail-throttled.gdbm" }}';
+$MAILCMD = "/usr/lib/sendmail";
+# $MAILCMD_OPTS = "-t -ODeliveryMode=queueonly";
+$MAILCMD_OPTS = "-t";
+$FROM_DEFAULT = "root";
+
+my $SYSLOG_FACILITY="daemon";                   # name of facility to use if syslogging
+my $SYSLOG_OPT = 'pid,cons';                    # syslog options to use if syslogging, ignored otherwise
+my $SYSLOG_PRIORITY = 'LOG_ERR';
+
+# The tie() call sometimes fails with EAGAIN.
+# Perhaps that's due to some other process having the DBM open;
+# in fact, that may be more likely if the process that calls us may calls us multiple times in quick succession.
+# So when tie() fails with EAGAIN, we can sleep and retry some number of times before giving up entirely.
+my $TIE_ATTEMPTS_MAX = 3;	#  number of times to try tie() before giving up
+my $TIE_RETRY_SLEEP = 1;	#  seconds to sleep before retrying tie()
+
+(my $prog = $0) =~ s/.*\///;
+
+use vars qw($opt_f $opt_D $opt_d $opt_k $opt_l $opt_r $opt_s $opt_S $opt_t $opt_T);
+&getopts('dD:f:k:lr:s:S:t:T:');
+
+my $debug = $opt_d || "";
+my $dbm_file = $opt_D || $DBM_FILE_DEFAULT;
+my $key = $opt_k || "";
+my $from = $opt_f || $FROM_DEFAULT;
+my $recipient = $opt_r || "";
+my $throttle_secs = $opt_t || 1;
+my $subject = $opt_s || "";
+my $also_syslog = $opt_l || "";
+my $tie_attempts_max = $opt_T || $TIE_ATTEMPTS_MAX; # we deliberately override if CLI option specifies 0, as that makes no sense
+my $tie_retry_sleep = $opt_S || $TIE_RETRY_SLEEP;
+
+if ($also_syslog) {
+	# init our use of syslog
+	# setlogsock('unix'); # talk to syslog with UNIX domain socket, not INET domain. XXX causes failure in Solaris 7
+	openlog($prog, $SYSLOG_OPT, $SYSLOG_FACILITY);
+}
+
+my_warn("${prog}:\nkey=$key\nthrottle_secs=$throttle_secs\nfrom=$from\nrecipient=$recipient\ntie_attempts_max=$tie_attempts_max\ntie_retry_sleep=$tie_retry_sleep\nsubject=$subject") if $debug;
+
+# certain options and args are required
+&Usage() unless ($key && $throttle_secs && $recipient);
+
+my %last_sent = ();
+my $tie_succeeded = 0;
+my $tie_attempts_left = $TIE_ATTEMPTS_MAX;
+
+while ($tie_attempts_left--) {
+	if (tie(%last_sent, 'GDBM_File', $dbm_file, &GDBM_WRCREAT, 0644)) {
+		$tie_succeeded = 1;
+		last;
+	}
+	# the tie() failed
+
+	if ($! == EAGAIN) {
+		# The failure may be due to a transient problem.
+		# Retrying may help.
+		sleep $TIE_RETRY_SLEEP;
+		next;
+
+	} else {
+		# Some other (presumably more serious) error.
+		last;
+	}
+}
+unless ($tie_succeeded) {
+	my_warn("${prog}: can't tie ${dbm_file}: $!");
+	exit 10;
+}
+
+my @mailbody = "";
+@mailbody = <STDIN>; # read it even if we decide not to send it
+
+my $now = time;
+
+my_warn("now = $now") if $debug;
+
+$last_sent{$key} = 0 unless defined($last_sent{$key}); # so it's defined before we use it in subtraction (placate use strict)
+
+if ($now - $last_sent{$key} >= $throttle_secs) {
+	my_warn("last_sent = $last_sent{$key}, will send") if $debug;
+	unless (open(MAIL, "| $MAILCMD $MAILCMD_OPTS -f\"$from\"")) {
+		my_warn("${prog}: error executing '${MAILCMD}': open(): $!");
+		exit 20;
+	}
+	print MAIL	"From: $from\n",
+				"To: $recipient\n",
+				($subject ? "Subject: $subject\n" : "") ,
+				"\n",
+				@mailbody;
+	unless (close(MAIL)) {
+		my_warn("${prog}: error executing '${MAILCMD}': close(): " .
+			($! ?
+				"syserror closing pipe: $!"
+				:
+				"wait status $? from pipe"
+			)
+		);
+		exit 21;
+	}
+
+	$last_sent{$key} = $now;
+} else {
+	my_warn("last_sent = $last_sent{$key}, suppressing") if $debug;
+}
+
+untie %last_sent;
+
+exit 0;
+
+
+
+sub Usage {
+	my_warn("Usage: $prog [-l] [-D dbm_file] -k key -t throttle_seconds [-f from] -r recipient [-T tie_attempts_max] [-S tie_retry_sleep] [-s subject]");
+	exit 1;
+}
+
+
+sub my_warn {
+	# Just a wrapper for warn, but with a possible copy to syslog too.
+	my $msg = shift;
+	warn $msg, "\n";
+	syslog($SYSLOG_PRIORITY, $msg) if $also_syslog;
+	return;
+}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/COPYRIGHT b/ansible_collections/debops/debops/roles/dhcpd/COPYRIGHT
new file mode 100644
index 00000000..a7a217b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.dhcpd - Manage ISC DHCP Server using Ansible
+
+Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+Copyright (C) 2014-2018, 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dhcpd/defaults/main.yml b/ansible_collections/debops/debops/roles/dhcpd/defaults/main.yml
new file mode 100644
index 00000000..aedc2fb6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/defaults/main.yml
@@ -0,0 +1,314 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2020 Imre Jonk <imre@imrejonk.nl>
+# .. Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2018, 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dhcpd__ref_defaults:
+
+# Default variables
+# =================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: dhcpd__base_packages [[[
+#
+# List of base packages to install for DHCP server support.
+dhcpd__base_packages: [ 'isc-dhcp-server' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__packages [[[
+#
+# List of additional packages to install with this role.
+dhcpd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# isc-dhcp-server defaults [[[
+# ----------------------------
+
+# .. envvar:: dhcpd__options [[[
+#
+# Additional options to start the dhcpd processes with.
+# See https://manpages.debian.org/dhcpd.8
+dhcpd__options: ''
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__interfacesv4 [[[
+#
+# List of network interfaces to serve DHCPv4 requests on.
+dhcpd__interfacesv4: [ '{{ ansible_local.ifupdown.external_interface
+                           if ansible_local.ifupdown.external_interface | d()
+                           else ansible_default_ipv4.interface }}' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__interfacesv6 [[[
+#
+# List of network interfaces to serve DHCPv6 requests on.
+dhcpd__interfacesv6: '{{ dhcpd__interfacesv4
+                         if ansible_default_ipv6.address | d()
+                         else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DHCP server configuration [[[
+# -----------------------------
+
+# .. envvar:: dhcpd__authoritative [[[
+#
+# Whether to serve authoritative responses.
+dhcpd__authoritative: False
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__log_facility [[[
+#
+# Syslog facility to use.
+# See https://manpages.debian.org/syslog.3#Values_for_facility
+dhcpd__log_facility: 'daemon'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__default_lease_time [[[
+#
+# The length in seconds that will be assigned to a lease if the client
+# requesting the lease does not ask for a specific expiration time. This is used
+# for both DHCPv4 and DHCPv6 leases (it is also known as the "valid lifetime" in
+# DHCPv6).
+dhcpd__default_lease_time: '{{ 60 * 60 * 12 }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__max_lease_time [[[
+#
+# The maximum length in seconds that will be assigned to a lease.
+dhcpd__max_lease_time: '{{ 60 * 60 * 24 }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__preferred_lifetime [[[
+#
+# The preferred lifetime of assigned IPv6 addresses in seconds. An IPv6 address
+# becomes deprecated when the preferred lifetime expires, causing the OS to no
+# longer use it for new outbound connections.
+dhcpd__preferred_lifetime: '{{ (dhcpd__default_lease_time | float * (5 / 8)) | int }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__dhcpv6_set_tee_times [[[
+#
+# Set T1 (renew) and T2 (rebind) to the values recommended in RFC 3315.
+# See https://tools.ietf.org/html/rfc3315#section-22.4
+dhcpd__dhcpv6_set_tee_times: True
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__update_static_leases [[[
+#
+# Whether to perform DNS updates for clients with static assignments.
+dhcpd__update_static_leases: False
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__domain_name [[[
+#
+# Domain name to advertise to DHCPv4 clients.
+dhcpd__domain_name: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__domain_search [[[
+#
+# List of search domains to advertise to DHCPv4 and DHCPv6 clients.
+dhcpd__domain_search: '{{ ansible_dns.search | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__domain_servers [[[
+#
+# List of IP addresses to advertise as recursive DNS servers. IPv4 addresses
+# will only be advertised to DHCPv4 clients, while IPv6 addresses will only be
+# advertised to DHCPv6 clients.
+dhcpd__name_servers: '{{ ansible_local.resolvconf.upstream_nameservers
+                         if (ansible_local.resolvconf.upstream_nameservers | d())
+                         else (ansible_dns.nameservers
+                               if ("127.0.0.1" not in ansible_dns.nameservers)
+                               else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__global_options_map [[[
+#
+# Additional options to add to the global configuration. This parameter accepts
+# two dictionaries with keys 'DHCPv4' and 'DHCPv6', for each protocol
+# respectively. The values can be strings or YAML text blocks.
+dhcpd__global_options_map:
+  'DHCPv4': ''
+  'DHCPv6': ''
+                                                                   # ]]]
+                                                                   # ]]]
+# iPXE support [[[
+# ----------------
+
+# .. envvar:: dhcpd__ipxe [[[
+#
+# Add iPXE-specific options to ISC DHCP server configuration.
+dhcpd__ipxe: False
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_dhcp_space [[[
+#
+# Add DHCP options iPXE namespace in ``dhcpd.conf`` required to support
+# iPXE-specific DHCP options in the DHCP server configuration.
+dhcpd__ipxe_dhcp_space: True
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_tftp_server [[[
+#
+# IPv4 address of the TFTP server that contains the boot files.
+dhcpd__ipxe_tftp_server: '{{ ansible_default_ipv4.address }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_chain_filename [[[
+#
+# Initial file sent to hosts which requested a PXE boot, used to chain-load
+# the iPXE boot loader.
+dhcpd__ipxe_chain_filename: 'undionly.kpxe'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_efi_chain_filename [[[
+#
+# Initial file sent to hosts using EFI which requested a PXE boot, used to
+# chain-load the iPXE boot loader.
+dhcpd__ipxe_efi_chain_filename: 'ipxe.efi'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_filename [[[
+#
+# File sent to hosts booted with iPXE, by default this loads the standard menu
+# file.
+dhcpd__ipxe_filename: 'menu.ipxe'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ipxe_options [[[
+#
+# Additional DHCP options in YAML text block format, added to the iPXE section
+# of the configuration file.
+dhcpd__ipxe_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# DHCP server configuration scopes [[[
+# ------------------------------------
+
+# .. envvar:: dhcpd__classes [[[
+#
+# List of host classes with custom options for each class. See
+# :ref:`dhcpd__ref_classes` for details.
+dhcpd__classes: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__failovers [[[
+#
+# List of DHCPv4 failover configuration blocks. See :ref:`dhcpd__ref_failovers`
+# for details.
+dhcpd__failovers: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__groups [[[
+#
+# List of grouped configuration scopes. See :ref:`dhcpd__ref_groups` for
+# details.
+dhcpd__groups: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__hosts [[[
+#
+# Global list of static hosts. See :ref:`dhcpd__ref_hosts` for details.
+dhcpd__hosts: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__keys [[[
+#
+# List of DNS update keys. See :ref:`dhcpd__ref_keys` for details.
+dhcpd__keys: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__shared_networks [[[
+#
+# List of shared networks to service with this DHCP server. See
+# :ref:`dhcpd__ref_shared_networks` for details.
+dhcpd__shared_networks: []
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__subnets [[[
+#
+# List of subnets that are not part of a shared network, but are instead defined
+# on a global level. See :ref:`dhcpd__ref_subnets` for details.
+dhcpd__subnets: '{{ dhcpd__default_subnets }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__default_subnets [[[
+#
+# The default subnets as detected by this role. Dynamic lease assignment will
+# not work until you configure subnets with valid address ranges.
+dhcpd__default_subnets:
+
+  - comment: 'Autodetected IPv4 subnet'
+    subnet: '{{ ansible_default_ipv4.network
+                + "/" + ansible_default_ipv4.netmask }}'
+    routers: '{{ [ansible_default_ipv4.gateway]
+                 if ansible_default_ipv4.gateway | d()
+                 else [] }}'
+
+  - comment: 'Autodetected IPv6 subnet'
+    subnet: '{{ ansible_default_ipv6.address | d()
+                + "/" + ansible_default_ipv6.prefix | d() }}'
+    state: '{{ "present" if ansible_default_ipv6.address | d() else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__zones [[[
+#
+# List of DNS zones to update. See :ref:`dhcpd__ref_zones` for details.
+dhcpd__zones: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other roles [[[
+# ---------------------------------
+
+# .. envvar:: dhcpd__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+dhcpd__etc_services__dependent_list:
+
+  - name: 'dhcp-failover'
+    port: '647'
+    protocols: [ 'tcp', 'udp' ]
+    comment: 'Added by debops.dhcpd Ansible role'
+
+                                                                   # ]]]
+# .. envvar:: dhcpd__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+dhcpd__ferm__dependent_rules:
+
+  # Firewall rules are not needed for DHCPv4 because it uses raw sockets (see
+  # https://kb.isc.org/docs/aa-00378). DHCPv6 doesn't use raw sockets so both
+  # server and client need open ports in their firewalls.
+  - name: 'accept_dhcpv6_server'
+    by_role: 'debops.dhcpd'
+    type: 'accept'
+    interface: '{{ dhcpd__interfacesv6 }}'
+    protocol: 'udp'
+    dport: [ 'dhcpv6-server' ]
+    rule_state: '{{ "present" if dhcpd__interfacesv6 else "absent" }}'
+
+  # The DHCPv4 failover port.
+  - name: 'accept_dhcp_failover'
+    by_role: 'debops.dhcpd'
+    type: 'accept'
+    saddr: '{{ (dhcpd__failovers | map(attribute="primary") | list
+                + dhcpd__failovers | map(attribute="secondary") | list)
+               if dhcpd__failovers
+               else omit }}'
+    protocol: 'tcp'
+    dport: [ 'dhcp-failover' ]
+    rule_state: '{{ "present" if dhcpd__failovers else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dhcpd/meta/main.yml b/ansible_collections/debops/debops/roles/dhcpd/meta/main.yml
new file mode 100644
index 00000000..bab70383
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/meta/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure ISC DHCP Server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+  galaxy_tags:
+    - networking
+    - dhcp
+    - pxe
+    - bootp
diff --git a/ansible_collections/debops/debops/roles/dhcpd/tasks/main.yml b/ansible_collections/debops/debops/roles/dhcpd/tasks/main.yml
new file mode 100644
index 00000000..3acf9a3b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/tasks/main.yml
@@ -0,0 +1,84 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install ISC DHCP packages
+  ansible.builtin.package:
+    name: '{{ (dhcpd__base_packages + dhcpd__packages) | flatten }}'
+    state: 'present'
+  register: dhcpd__register_packages
+  until: dhcpd__register_packages is succeeded
+
+- name: Divert original configuration
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  with_items:
+    - '/etc/default/isc-dhcp-server'
+    - '/etc/dhcp/dhcpd.conf'
+    - '/etc/dhcp/dhcpd6.conf'
+
+- name: Write configuration includes
+  ansible.builtin.template:
+    src: 'etc/dhcp/ansible_{{ item }}.conf.j2'
+    dest: '/etc/dhcp/ansible_{{ item }}.conf'
+    mode: '0644'
+  with_items: [ 'failovers', 'ipxe', 'zones' ]
+  notify: [ 'Restart isc-dhcp-server' ]
+
+- name: Store secret keys
+  ansible.builtin.template:
+    src: 'etc/dhcp/ansible_keys.conf.j2'
+    dest: '/etc/dhcp/ansible_keys.conf'
+    mode: '0600'
+  notify: [ 'Restart isc-dhcp-server' ]
+
+- name: Configure dhcpd.conf and dhcpd6.conf
+  ansible.builtin.template:
+    src: 'etc/dhcp/dhcpd.conf.j2'
+    dest: '/etc/dhcp/{{ item.filename }}'
+    mode: '0644'
+  vars:
+    dhcpd__protocol: '{{ item.protocol }}'
+  loop:
+    - filename: 'dhcpd.conf'
+      protocol: 'DHCPv4'
+    - filename: 'dhcpd6.conf'
+      protocol: 'DHCPv6'
+  notify: [ 'Restart isc-dhcp-server' ]
+
+- name: Configure ISC DHCP Server defaults
+  ansible.builtin.template:
+    src: 'etc/default/isc-dhcp-server.j2'
+    dest: '/etc/default/isc-dhcp-server'
+    mode: '0644'
+  notify: [ 'Restart isc-dhcp-server' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dhcpd.fact.j2'
+    dest: '/etc/ansible/facts.d/dhcpd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/ansible/facts.d/dhcpd.fact.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/ansible/facts.d/dhcpd.fact.j2
new file mode 100644
index 00000000..e586dbc5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/ansible/facts.d/dhcpd.fact.j2
@@ -0,0 +1,28 @@
+#!{{ ansible_python['executable'] }}
+
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from json import dumps
+import os
+import subprocess
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ['PATH'].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('dhcpd')}
+
+if output['installed']:
+    output['version'] = subprocess.check_output(
+        ['dhcpd', '--version'], stderr=subprocess.STDOUT
+    ).decode('utf-8').split('-')[2].replace('\n', '')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/default/isc-dhcp-server.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/default/isc-dhcp-server.j2
new file mode 100644
index 00000000..7162d14f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/default/isc-dhcp-server.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+OPTIONS="{{ dhcpd__options }}"
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="{{ dhcpd__interfacesv4 | join(' ') }}"
+INTERFACESv6="{{ dhcpd__interfacesv6 | join(' ') }}"
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_failovers.conf.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_failovers.conf.j2
new file mode 100644
index 00000000..8dfa783e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_failovers.conf.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+{%  for failover in dhcpd__failovers %}
+
+{%      if failover.comment | d() %}
+# {{ failover.comment }}
+{%      endif %}
+failover peer "{{ failover.name }}" {
+{%      if failover.options | d() %}
+
+    # Custom failover options
+    {{ failover.options|indent(4) }}
+{%      endif %}
+
+{%      if failover.primary | d() and failover.primary in ansible_all_ipv4_addresses | d([]) %}
+    primary;
+    mclt {{ failover.mclt | d(3600) }};
+    address {{ failover.primary }};
+    peer address {{ failover.secondary }};
+{%          if failover.split | d() %}
+    split {{ failover.split }};
+{%          else %}
+    hba {{ failover.hba }};
+{%          endif %}
+{%      else %}
+    secondary;
+    address {{ failover.secondary }};
+    peer address {{ failover.primary }};
+{%      endif %}
+    max-response-delay {{ failover.max_response_delay | d(60) }};
+    max-unacked-updates {{ failover.max_unacked_updates | d(10) }};
+    load balance max seconds {{ failover.load_balance_max_seconds | d(5) }};
+    auto-partner-down {{ failover.auto_partner_down | d(0) }};
+    max-lease-misbalance {{ failover.max_lease_misbalance | d(15) }};
+    max-lease-ownership {{ failover.max_lease_ownership | d(10) }};
+    min-balance {{ failover.min_balance | d(60) }};
+    max-balance {{ failover.max_balance | d(3600) }};
+}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_ipxe.conf.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_ipxe.conf.j2
new file mode 100644
index 00000000..ea349b8b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_ipxe.conf.j2
@@ -0,0 +1,69 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2014-2018, 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{%  if dhcpd__ipxe_dhcp_space %}
+# DHCP options configuration for iPXE
+option space ipxe;
+option ipxe-encap-opts code 175 = encapsulate ipxe;
+option ipxe.priority code 1 = signed integer 8;
+option ipxe.keep-san code 8 = unsigned integer 8;
+option ipxe.skip-san-boot code 9 = unsigned integer 8;
+option ipxe.syslogs code 85 = string;
+option ipxe.cert code 91 = string;
+option ipxe.privkey code 92 = string;
+option ipxe.crosscert code 93 = string;
+option ipxe.no-pxedhcp code 176 = unsigned integer 8;
+option ipxe.bus-id code 177 = string;
+option ipxe.bios-drive code 189 = unsigned integer 8;
+option ipxe.username code 190 = string;
+option ipxe.password code 191 = string;
+option ipxe.reverse-username code 192 = string;
+option ipxe.reverse-password code 193 = string;
+option ipxe.version code 235 = string;
+option iscsi-initiator-iqn code 203 = string;
+# Feature indicators
+option ipxe.pxeext code 16 = unsigned integer 8;
+option ipxe.iscsi code 17 = unsigned integer 8;
+option ipxe.aoe code 18 = unsigned integer 8;
+option ipxe.http code 19 = unsigned integer 8;
+option ipxe.https code 20 = unsigned integer 8;
+option ipxe.tftp code 21 = unsigned integer 8;
+option ipxe.ftp code 22 = unsigned integer 8;
+option ipxe.dns code 23 = unsigned integer 8;
+option ipxe.bzimage code 24 = unsigned integer 8;
+option ipxe.multiboot code 25 = unsigned integer 8;
+option ipxe.slam code 26 = unsigned integer 8;
+option ipxe.srp code 27 = unsigned integer 8;
+option ipxe.nbi code 32 = unsigned integer 8;
+option ipxe.pxe code 33 = unsigned integer 8;
+option ipxe.elf code 34 = unsigned integer 8;
+option ipxe.comboot code 35 = unsigned integer 8;
+option ipxe.efi code 36 = unsigned integer 8;
+option ipxe.fcoe code 37 = unsigned integer 8;
+option ipxe.vlan code 38 = unsigned integer 8;
+option ipxe.menu code 39 = unsigned integer 8;
+option ipxe.sdi code 40 = unsigned integer 8;
+option ipxe.nfs code 41 = unsigned integer 8;
+
+{%  endif %}
+# Client architecture detection
+option client-arch code 93 = unsigned integer 16;
+
+{%  if dhcpd__ipxe_tftp_server %}
+# TFTP server
+next-server {{ dhcpd__ipxe_tftp_server }};
+{%  endif %}
+
+# iPXE chain-loading configuration
+if exists user-class and option user-class = "iPXE" {
+        filename "{{ dhcpd__ipxe_filename }}";
+{%  if dhcpd__ipxe_options %}
+        {{ dhcpd__ipxe_options|indent(8) }}
+{%  endif %}
+} elsif option client-arch != 00:00 {
+        filename "{{ dhcpd__ipxe_efi_chain_filename }}";
+} else {
+        filename "{{ dhcpd__ipxe_chain_filename }}";
+}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_keys.conf.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_keys.conf.j2
new file mode 100644
index 00000000..9c815b3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_keys.conf.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+{%  for key in dhcpd__keys %}
+
+{%      if key.comment | d() %}
+# {{ key.comment }}
+{%      endif %}
+key {{ key.name }} {
+{%      if key.options | d() %}
+    # Custom key options
+    {{ key.options|indent(4) }}
+{%      endif %}
+
+    algorithm {{ key.algorithm }};
+    secret {{ key.secret }};
+}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_zones.conf.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_zones.conf.j2
new file mode 100644
index 00000000..7f3a9854
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/ansible_zones.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+{%  for zone in dhcpd__zones %}
+
+{%      if zone.comment | d() %}
+# {{ zone.comment }}
+{%      endif %}
+zone {{ zone.zone }} {
+{%      if zone.options | d() %}
+
+    # Custom zone options
+    {{ zone.options|indent(4) }}
+{%      endif %}
+
+    primary {{ zone.primary }};
+    key {{ zone.key }};
+}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/dhcpd.conf.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/dhcpd.conf.j2
new file mode 100644
index 00000000..90f5aa4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/dhcpd.conf.j2
@@ -0,0 +1,81 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% from 'macro_class.j2' import print_class %}
+{% from 'macro_group.j2' import print_group %}
+{% from 'macro_host.j2' import print_host %}
+{% from 'macro_shared_network.j2' import print_shared_network %}
+{% from 'macro_subnet.j2' import print_subnet %}
+# {{ ansible_managed }}
+
+# Global server configuration
+# ===========================
+{%  if dhcpd__authoritative %}
+authoritative;
+{%  endif %}
+log-facility {{ dhcpd__log_facility }};
+default-lease-time {{ dhcpd__default_lease_time }};
+max-lease-time {{ dhcpd__max_lease_time }};
+update-static-leases {{ "on" if dhcpd__update_static_leases else "off" }};
+{%  if dhcpd__protocol == 'DHCPv6' %}
+preferred-lifetime {{ dhcpd__preferred_lifetime }};
+dhcpv6-set-tee-times {{ "on" if dhcpd__dhcpv6_set_tee_times else "off" }};
+{%  endif %}
+
+# DHCP options
+# ============
+{%  if dhcpd__protocol == 'DHCPv4' %}
+{%      if dhcpd__domain_name %}
+option domain-name "{{ dhcpd__domain_name }}";
+{%      endif %}
+{%      if dhcpd__domain_search %}
+option domain-search "{{ dhcpd__domain_search | join('", "') }}";
+{%      endif %}
+{%      if dhcpd__name_servers | ansible.utils.ipv4 %}
+option domain-name-servers {{ dhcpd__name_servers | ansible.utils.ipv4 | join(', ') }};
+{%      endif %}
+{%  elif dhcpd__protocol == 'DHCPv6' %}
+{%      if dhcpd__domain_search %}
+option dhcp6.domain-search "{{ dhcpd__domain_search | join('", "') }}";
+{%      endif %}
+{%      if dhcpd__name_servers | ansible.utils.ipv6 %}
+option dhcp6.name-servers {{ dhcpd__name_servers | ansible.utils.ipv6 | join(', ') }};
+{%      endif %}
+{%  endif %}
+{%  if dhcpd__global_options_map[dhcpd__protocol] | d() %}
+
+# Custom global configuration options
+# ===================================
+{{ dhcpd__global_options_map[dhcpd__protocol] }}
+{%  endif %}
+
+# Configuration includes
+# ======================
+include "/etc/dhcp/ansible_keys.conf";
+include "/etc/dhcp/ansible_zones.conf";
+{%  if dhcpd__protocol == 'DHCPv4' %}
+include "/etc/dhcp/ansible_failovers.conf";
+{%      if dhcpd__ipxe %}
+include "/etc/dhcp/ansible_ipxe.conf";
+{%      endif %}
+{%  endif %}
+
+# Configuration scopes
+# ====================
+
+{%  for host in dhcpd__hosts %}
+{{ print_host(host, dhcpd__protocol) }}
+{%  endfor %}
+{%  for class in dhcpd__classes %}
+{{ print_class(class) }}
+{%  endfor %}
+{%  for group in dhcpd__groups %}
+{{ print_group(group, dhcpd__protocol) }}
+{%  endfor %}
+{%  for subnet in dhcpd__subnets %}
+{{ print_subnet(subnet, dhcpd__protocol) }}
+{%  endfor %}
+{%  for shared_network in dhcpd__shared_networks %}
+{{ print_shared_network(shared_network, dhcpd__protocol) }}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_class.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_class.j2
new file mode 100644
index 00000000..1069bc88
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_class.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% macro print_class(class) %}
+{%  if class.comment | d() %}
+# {{ class.comment }}
+{%  endif %}
+class "{{ class.name }}" {
+{%  if class.options | d() %}
+
+    # Custom class options
+    {{ class.options|indent(4) }}
+{%  endif %}
+}
+{%  if class.subclasses | d() %}
+{%      for subclass in class.subclasses %}
+{%          if subclass.comment | d() %}
+# {{ subclass.comment }}
+{%          endif %}
+{%          if subclass.options | d() %}
+subclass "{{ class.name }}" {{ subclass.submatch }} {
+    {{ subclass.options|indent(4) }}
+}
+{%          else %}
+subclass "{{ class.name }}" {{ subclass.submatch }};
+{%          endif %}
+{%      endfor %}
+{%  endif %}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_group.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_group.j2
new file mode 100644
index 00000000..59dcac58
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_group.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% from 'macro_host.j2' import print_host %}
+{% from 'macro_subnet.j2' import print_subnet %}
+{% from 'macro_shared_network.j2' import print_shared_network %}
+{% macro print_group(group, protocol) %}
+{%  if group.comment | d() %}
+# {{ group.comment }}
+{%  endif %}
+group {
+{%  if group.options | d() %}
+
+    # Custom group options
+    {{ group.options|indent(4) }}
+{%  endif %}
+
+{%  for host in group.hosts | d() %}
+    {{ print_host(host, protocol)|indent(4) }}
+{%  endfor %}
+{%  for group in group.groups | d() %}
+    {{ print_group(group, protocol)|indent(4) }}
+{%  endfor %}
+{%  for subnet in group.subnets | d() %}
+    {{ print_subnet(subnet, protocol)|indent(4) }}
+{%  endfor %}
+{%  for shared_network in group.shared_networks | d() %}
+    {{ print_shared_network(shared_network, protocol)|indent(4) }}
+{%  endfor %}
+}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_host.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_host.j2
new file mode 100644
index 00000000..71d3ce6c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_host.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% macro print_host(host, protocol) %}
+{%  if (protocol == 'DHCPv4' and host.address4 | d()) or (protocol == 'DHCPv6' and host.address6 | d()) %}
+{%      if host.comment | d() %}
+# {{ host.comment }}
+{%      endif %}
+host {{ host.hostname }} {
+{%      if host.options | d() %}
+
+    # Custom host options
+    {{ host.options|indent(4) }}
+{%      endif%}
+
+{%      if protocol == 'DHCPv4' %}
+    hardware ethernet {{ host.ethernet }};
+    fixed-address {{ host.address4 }};
+{%      elif protocol == 'DHCPv6' %}
+    host-identifier option fqdn.fqdn "{{ host.hostname }}";
+    fixed-address6 {{ host.address6 }};
+{%      endif %}
+}
+{%  endif %}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_pool.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_pool.j2
new file mode 100644
index 00000000..07063768
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_pool.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% macro print_pool(pool, protocol) %}
+{%  if pool.comment | d() %}
+# {{ pool.comment }}
+{%  endif %}
+{{ "pool" if protocol == 'DHCPv4' else "pool6" }} {
+{%  if pool.options | d() %}
+
+    # Custom pool options
+    {{ pool.options }}
+{%  endif %}
+
+{%  if pool.failover | d() %}
+    failover peer "{{ pool.failover }}";
+{%  endif %}
+{%  for range in pool.ranges | d() %}
+    {{ "range" if protocol == 'DHCPv4' else "range6" }} {{ range }};
+{%  endfor %}
+}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_shared_network.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_shared_network.j2
new file mode 100644
index 00000000..4d51c1be
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_shared_network.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% from 'macro_subnet.j2' import print_subnet %}
+{% macro print_shared_network(shared_network, protocol) %}
+{%  if shared_network.comment | d() %}
+# {{ shared_network.comment }}
+{%  endif %}
+shared-network "{{ shared_network.name }}" {
+{%  if shared_network.options | d() %}
+
+    # Custom shared network options
+    {{ shared_network.options }}
+{%  endif %}
+
+{%  for subnet in shared_network.subnets %}
+    {{ print_subnet(subnet, protocol)|indent(4) }}
+{%  endfor %}
+}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_subnet.j2 b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_subnet.j2
new file mode 100644
index 00000000..71288ae3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcpd/templates/etc/dhcp/macro_subnet.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% from 'macro_pool.j2' import print_pool %}
+{% macro print_subnet(subnet, protocol) %}
+{%  if ((protocol == 'DHCPv4' and subnet.subnet | d() | ansible.utils.ipv4) or
+        (protocol == 'DHCPv6' and subnet.subnet | d() | ansible.utils.ipv6)) and
+       subnet.state | d('present') == 'present' %}
+{%      if subnet.comment | d() %}
+# {{ subnet.comment }}
+{%      endif %}
+{%      if protocol == 'DHCPv4' %}
+subnet {{ subnet.subnet | ansible.utils.ipaddr('network') }} netmask {{ subnet.subnet | ansible.utils.ipaddr('netmask') }} {
+{%      elif protocol == 'DHCPv6' %}
+subnet6 {{ subnet.subnet | ansible.utils.ipaddr('network/prefix') }} {
+{%      endif %}
+{%      if subnet.options | d() %}
+
+    # Custom subnet options
+    {{ subnet.options|indent(4) }}
+{%      endif %}
+
+{%      if subnet.routers | d() and protocol == 'DHCPv4' %}
+    option routers {{ subnet.routers | join(', ') }};
+{%      endif %}
+{%      for range in subnet.ranges | d() %}
+    {{ "range" if protocol == 'DHCPv4' else "range6" }} {{ range }};
+{%      endfor %}
+{%      for pool in subnet.pools | d() %}
+    {{ print_pool(pool, protocol)|indent(4) }}
+{%      endfor %}
+}
+{%  endif %}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/COPYRIGHT b/ansible_collections/debops/debops/roles/dhcrelay/COPYRIGHT
new file mode 100644
index 00000000..6a8ce4c1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.dhcrelay - Manage ISC DHCP Relay Agent using Ansible
+
+Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/defaults/main.yml b/ansible_collections/debops/debops/roles/dhcrelay/defaults/main.yml
new file mode 100644
index 00000000..336d9508
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _dhcrelay__ref_defaults:
+
+# Default variables
+# =================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: dhcrelay__base_packages [[[
+#
+# List of base packages to install for DHCP server support.
+dhcrelay__base_packages: [ 'isc-dhcp-relay' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcrelay__packages [[[
+#
+# List of additional packages to install with this role.
+dhcrelay__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# ISC DHCP relay options [[[
+# --------------------------
+
+# .. envvar:: dhcrelay__servers [[[
+#
+# List of DHCP servers that should receive the relayed packets.
+dhcrelay__servers: [ '{{ ansible_default_ipv4.gateway
+                         if ansible_default_ipv4.gateway | d()
+                         else [] }}' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcrelay__interfaces [[[
+#
+# List of network interfaces that dhcrelay should listen on.
+dhcrelay__interfaces: [ '{{ ansible_local.ifupdown.internal_interface
+                            if ansible_local.ifupdown.internal_interface | d()
+                            else ansible_default_ipv4.interface }}' ]
+
+                                                                   # ]]]
+# .. envvar:: dhcrelay__options [[[
+#
+# Additional dhcrelay options.
+dhcrelay__options: ''
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/meta/main.yml b/ansible_collections/debops/debops/roles/dhcrelay/meta/main.yml
new file mode 100644
index 00000000..4630394e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/meta/main.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Imre Jonk'
+  description: 'Install and configure ISC DHCP Relay Agent'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+  galaxy_tags:
+    - networking
+    - dhcp
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/tasks/main.yml b/ansible_collections/debops/debops/roles/dhcrelay/tasks/main.yml
new file mode 100644
index 00000000..2886ad93
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install ISC DHCP relay packages
+  ansible.builtin.package:
+    name: '{{ (dhcrelay__base_packages + dhcrelay__packages) | flatten }}'
+    state: 'present'
+  register: dhcrelay__register_packages
+  until: dhcrelay__register_packages is succeeded
+
+- name: Divert ISC DHCP relay defaults
+  debops.debops.dpkg_divert:
+    path: '/etc/default/isc-dhcp-relay'
+
+- name: Configure ISC DHCP relay defaults
+  ansible.builtin.template:
+    src: 'etc/default/isc-dhcp-relay.j2'
+    dest: '/etc/default/isc-dhcp-relay'
+    mode: '0644'
+  notify: [ 'Restart isc-dhcp-relay' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dhcrelay.fact.j2'
+    dest: '/etc/ansible/facts.d/dhcrelay.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/ansible/facts.d/dhcrelay.fact.j2 b/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/ansible/facts.d/dhcrelay.fact.j2
new file mode 100644
index 00000000..c28ccc7f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/ansible/facts.d/dhcrelay.fact.j2
@@ -0,0 +1,28 @@
+#!{{ ansible_python['executable'] }}
+
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from json import dumps
+import os
+import subprocess
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ['PATH'].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('dhcrelay')}
+
+if output['installed']:
+    output['version'] = subprocess.check_output(
+        ['dhcrelay', '--version'], stderr=subprocess.STDOUT
+    ).decode('utf-8').split('-')[2].replace('\n', '')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/default/isc-dhcp-relay.j2 b/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/default/isc-dhcp-relay.j2
new file mode 100644
index 00000000..73bfce2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhcrelay/templates/etc/default/isc-dhcp-relay.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# What servers should the DHCP relay forward requests to?
+SERVERS="{{ dhcrelay__servers | join(" ") }}"
+
+# On what interfaces should the DHCP relay (dhrelay) serve DHCP requests?
+INTERFACES="{{ dhcrelay__interfaces | join(" ") }}"
+
+# Additional options that are passed to the DHCP relay daemon?
+OPTIONS="{{ dhcrelay__options }}"
diff --git a/ansible_collections/debops/debops/roles/dhparam/COPYRIGHT b/ansible_collections/debops/debops/roles/dhparam/COPYRIGHT
new file mode 100644
index 00000000..fd130a03
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.dhparam - Manage one or multiple sets of Diffie-Hellman Ephemeral parameters
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dhparam/defaults/main.yml b/ansible_collections/debops/debops/roles/dhparam/defaults/main.yml
new file mode 100644
index 00000000..bc012b59
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/defaults/main.yml
@@ -0,0 +1,215 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dhparam__ref_defaults:
+
+# debops.dhparam default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation [[[
+# ----------------
+
+# .. envvar:: dhparam__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. DH parameters will be present as configured.
+#
+# ``absent``
+#   DH parameters will be absent.
+#
+#   .. warning:: The roles is currently not able to dismantle from ``present``
+#      state. This needs to be implemented. This state can only be achieved
+#      currently when ``present`` has never been set before on a host.
+#
+dhparam__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__base_packages [[[
+#
+# List of APT packages which will be installed to support Diffie-Hellman
+# parameters.
+dhparam__base_packages:
+  - [ '{{ "gnutls-bin" if (dhparam__library == "gnutls") else [] }}' ]
+  - [ '{{ "openssl" if (dhparam__library == "openssl") else [] }}' ]
+
+                                                                   # ]]]
+# .. envvar:: dhparam__packages [[[
+#
+# List of additional APT packages to install.
+dhparam__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Cryptographic parameters [[[
+# ----------------------------
+
+# .. envvar:: dhparam__source_library [[[
+#
+# Cryptographic library which will be used on the Ansible Controller to
+# generate preseeded DH parameters. Supported libraries: :command:`openssl`,
+# :command:`gnutls`.
+dhparam__source_library: 'openssl'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__library [[[
+#
+# Cryptographic library which will be used on the remote hosts, by default the
+# same as the one used on Ansible Controller. Supported libraries: :command:`openssl`,
+# :command:`gnutls`.
+dhparam__library: '{{ dhparam__source_library }}'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__default_length [[[
+#
+# Default symlinks will point to a specific Diffie-Hellman parameter file named
+# ``dh<length>.pem``. This variable specifies which ``<length>`` value will be
+# used, which by default is the first value from the list of DH parameter sizes
+# to generate.
+dhparam__default_length: '{{ dhparam__bits[0] }}'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__bits [[[
+#
+# List of Diffie-Hellman parameter sizes to generate. First element of the list
+# will be used as default.
+dhparam__bits: [ '3072', '2048' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Diffie-Hellman parameter sets [[[
+# ---------------------------------
+
+# .. envvar:: dhparam__sets [[[
+#
+# Number of sets of Diffie-Hellman parameters to manage, should be >= 1.
+dhparam__sets: '1'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__default_set [[[
+#
+# Name of the default set of Diffie-Hellman parameters.
+dhparam__default_set: '{{ dhparam__set_prefix + "0" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__set_prefix [[[
+#
+# Short string prepended to the name of each "set" of Diffie-Hellman parameter
+# directories.
+dhparam__set_prefix: 'set'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__source_path [[[
+#
+# Path on the Ansible Controller in the ``secret/`` directory where the initial
+# set of Diffie-Hellman parameters is stored. See :ref:`debops.secret` role for
+# more details.
+dhparam__source_path: '{{ secret + "/dhparam/params" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__path [[[
+#
+# Directory on the managed hosts where Diffie-Hellman parameter sets are kept
+# and maintained.
+dhparam__path: '/etc/pki/dhparam'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__prefix [[[
+#
+# String prepended to the DH parameter file name.
+dhparam__prefix: 'dh'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__suffix [[[
+#
+# String appended to the DH parameter file name.
+dhparam__suffix: '.pem'
+                                                                   # ]]]
+                                                                   # ]]]
+# DH parameter generation script [[[
+# ----------------------------------
+
+# .. envvar:: dhparam__generate_params [[[
+#
+# Absolute path of the ``dhparam-generate-params`` script on remote hosts.
+dhparam__generate_params: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                              + "/dhparam-generate-params" }}'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__generate_log [[[
+#
+# Enable or disable log messages from DH generation script.
+dhparam__generate_log: True
+
+                                                                   # ]]]
+# .. envvar:: dhparam__hook_path [[[
+#
+# Directory on remote hosts where hook scripts are stored. These hooks will be
+# run at the end of the Diffie-Hellman generator script using ``run-parts``.
+dhparam__hook_path: '{{ dhparam__path + "/hooks.d" }}'
+                                                                   # ]]]
+# .. envvar:: dhparam__openssl_options [[[
+#
+# Provide additional options to the openssl dhparam generator (eg. -dsaparam).
+dhparam__openssl_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Initial Diffie-Hellman re-generation [[[
+# ----------------------------------------
+
+# .. envvar:: dhparam__generate_init [[[
+#
+# Schedule a background job on the first configuration of ``debops.dhparam`` on
+# a particular host to re-generate the DH parameters? It will only be done if
+# the :ref:`debops.atd` role is enabled on the host. If disabled, hosts will use the
+# default DH parameters seeded from the Ansible Controller.
+dhparam__generate_init: True
+
+                                                                   # ]]]
+# .. envvar:: dhparam__generate_init_units [[[
+#
+# Time units used to specify the future time of initial DH re-generation. You
+# can use ``minutes``, ``hours``, ``days`` or ``weeks``.
+dhparam__generate_init_units: 'minutes'
+
+                                                                   # ]]]
+# .. envvar:: dhparam__generate_init_count [[[
+#
+# Unit count of the initial DH re-generation. By default Diffie-Hellman
+# parameters will be re-generated about 20 minutes after the initial Ansible run,
+# depending on system CPU load.
+dhparam__generate_init_count: '20'
+                                                                   # ]]]
+                                                                   # ]]]
+# Periodic Diffie-Hellman re-generation [[[
+# -----------------------------------------
+
+# .. envvar:: dhparam__generate_cron [[[
+#
+# Enable periodic Diffie-Hellman parameter re-generation. If :command:`systemd`
+# is present, the role will set up a systemd timer, otherwise the script will
+# be started periodically by :command:`cron` service.
+dhparam__generate_cron: True
+
+                                                                   # ]]]
+# .. envvar:: dhparam__generate_cron_period [[[
+#
+# Time interval between periodical DH parameter re-generation. You can use
+# units recognized by :program:`cron` Ansible module ``special_time`` parameter:
+# ``daily``, ``weekly``, ``monthly``, ``annually``, ``yearly``, ``reboot``.
+# If :command:`systemd` is used, see the :man:`systemd.time(7)` documentation
+# for possible ``OnCalendar=`` values.
+dhparam__generate_cron_period: 'monthly'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dhparam/handlers/main.yml b/ansible_collections/debops/debops/roles/dhparam/handlers/main.yml
new file mode 100644
index 00000000..65c4d1d6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/handlers/main.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Execute DH parameter hooks
+  ansible.builtin.command: run-parts {{ dhparam__hook_path }}
+  register: dhparam__register_hooks
+  changed_when: dhparam__register_hooks.changed | bool
+
+- name: Regenerate DH parameters on first install
+  ansible.posix.at:  # noqa jinja[spacing]
+    command: |
+      test -x {{ dhparam__generate_params }} \
+      && (echo 'nice {{ dhparam__generate_params }} run' | batch > /dev/null 2>&1) || true
+    count: '{{ dhparam__generate_init_count }}'
+    units: '{{ dhparam__generate_init_units }}'
+    unique: True
+  when: (dhparam__generate_init | bool and
+         (ansible_local | d() and ansible_local.atd | d() and
+          ansible_local.atd.enabled | bool))
diff --git a/ansible_collections/debops/debops/roles/dhparam/meta/main.yml b/ansible_collections/debops/debops/roles/dhparam/meta/main.yml
new file mode 100644
index 00000000..251d0d30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage one or multiple sets of Diffie-Hellman Ephemeral parameters'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - encryption
+    - security
+    - tls
+    - ssl
+    - pki
+    - weakdh
+    - logjam
diff --git a/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml b/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml
new file mode 100644
index 00000000..e6069701
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml
@@ -0,0 +1,179 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check Ansible Controller library version  # noqa no-shorthand
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if dhparam__source_library == 'gnutls' %}
+    certtool --version | head -n 1 | awk '{print $NF}'
+    {% elif dhparam__source_library == 'openssl' %}
+    openssl version | awk '{print $2}'
+    {% endif %}
+  args:
+    executable: 'bash'
+  changed_when: False
+  register: dhparam__register_version
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  check_mode: False
+  tags: [ 'meta::provision' ]
+
+- name: Assert that required software is installed
+  ansible.builtin.assert:
+    that:
+      - 'dhparam__register_version is defined and dhparam__register_version.stdout'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ dhparam__source_path }}'
+    state: 'directory'
+    mode: '0755'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Generate Diffie-Hellman params on Ansible Controller  # noqa no-shorthand
+  ansible.builtin.command: |
+    {% if dhparam__source_library == 'gnutls' %}
+    certtool --generate-dh-params
+             --outfile {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}
+             --bits {{ item }}
+    {% elif dhparam__source_library == 'openssl' %}
+    openssl dhparam {{ dhparam__openssl_options }} -out {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }} {{ item }}
+    {% endif %}
+  args:
+    creates: '{{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}'
+  with_items: '{{ dhparam__bits }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Install encryption software
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dhparam__base_packages + dhparam__packages)) }}'
+    state: 'present'
+  when: dhparam__deploy_state in ['present']
+  register: dhparam__register_packages
+  until: dhparam__register_packages is succeeded
+  tags: [ 'meta::provision' ]
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ dhparam__hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+  notify: [ 'Regenerate DH parameters on first install' ]
+
+- name: Preseed Diffie-Hellman parameters
+  ansible.builtin.copy:
+    src: '{{ dhparam__source_path + "/" }}'
+    dest: '{{ dhparam__path + "/params/" + dhparam__set_prefix + item + "/" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    force: False
+  when: dhparam__deploy_state in ['present']
+  with_sequence: 'start=0 count={{ dhparam__sets }}'
+  notify: [ 'Execute DH parameter hooks' ]
+
+- name: Create default symlinks for all sets
+  ansible.builtin.file:
+    src: '{{ "params/" + dhparam__set_prefix + item + "/"
+             + dhparam__prefix + dhparam__default_length + dhparam__suffix }}'
+    path: '{{ dhparam__path + "/" + dhparam__set_prefix + item }}'
+    state: 'link'
+    mode: '0644'
+  when: dhparam__deploy_state in ['present'] and not ansible_check_mode
+  with_sequence: 'start=0 count={{ dhparam__sets }}'
+
+- name: Install DHE generation script
+  ansible.builtin.template:
+    src: 'usr/local/lib/dhparam-generate-params.j2'
+    dest: '{{ dhparam__generate_params }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+
+- name: Enable periodic DH parameters generation via cron
+  ansible.builtin.cron:
+    name: 'Generate new Diffie-Hellman ephemeral parameters'
+    job: 'test -x {{ dhparam__generate_params }} && {{ dhparam__generate_params }} schedule'
+    cron_file: 'dhparam-generate-params'
+    user: 'root'
+    special_time: '{{ dhparam__generate_cron_period }}'
+    state: '{{ "present"
+               if (ansible_service_mgr != "systemd" and
+                   dhparam__generate_cron | bool and
+                   dhparam__deploy_state in ["present"])
+               else "absent" }}'
+  when: not ansible_check_mode
+
+- name: Setup systemd timer for periodic DH parameter regeneration
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/systemd/system/dhparam-generate-params.service'
+    - 'etc/systemd/system/dhparam-generate-params.timer'
+  register: dhparam__register_systemd
+  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd'
+
+- name: Enable systemd timer
+  ansible.builtin.systemd:
+    daemon_reload: True
+    name: 'dhparam-generate-params.timer'
+    enabled: '{{ True
+                 if (dhparam__generate_cron | bool)
+                 else False }}'
+    state: '{{ "started"
+                 if (dhparam__generate_cron | bool)
+                 else "stopped" }}'
+  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd' and
+        not ansible_check_mode
+
+- name: Make sure the Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+
+- name: Save dhparam local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dhparam.fact.j2'
+    dest: '/etc/ansible/facts.d/dhparam.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they changed
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/dhparam/templates/etc/ansible/facts.d/dhparam.fact.j2 b/ansible_collections/debops/debops/roles/dhparam/templates/etc/ansible/facts.d/dhparam.fact.j2
new file mode 100644
index 00000000..d4499b96
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/templates/etc/ansible/facts.d/dhparam.fact.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set dhparam__tpl_bits = dhparam__bits %}
+{% set dhparam__tpl_default = dhparam__path + "/" + dhparam__default_set %}
+{% set dhparam__tpl_default_length = dhparam__default_length %}
+{% set dhparam__tpl_set_prefix = dhparam__set_prefix %}
+{% set dhparam__tpl_sets = [] %}
+{% for number in range(0, dhparam__sets | int) %}
+{%   set _ = dhparam__tpl_sets.append(number) %}
+{% endfor %}
+{% set dhparam__tpl_hooks = dhparam__hook_path %}
+{% set dhparam__tpl_library = dhparam__library %}
+{% set dhparam__tpl_path = dhparam__path %}
+{% set dhparam__tpl_params = dhparam__path + "/params" %}
+{
+"bits": {{ dhparam__tpl_bits | to_nice_json }},
+"default": "{{ dhparam__tpl_default }}",
+"default_length": "{{ dhparam__tpl_default_length }}",
+"enabled": "true",
+"set_prefix": "{{ dhparam__tpl_set_prefix }}",
+"sets": {{ dhparam__tpl_sets | to_nice_json }},
+{% for number in dhparam__tpl_sets %}
+"{{ dhparam__set_prefix + number | string }}": "{{ dhparam__tpl_path + '/' + dhparam__set_prefix + number | string }}",
+{% endfor %}
+"hooks": "{{ dhparam__tpl_hooks }}",
+"library": "{{ dhparam__tpl_library }}",
+"path": "{{ dhparam__tpl_path }}",
+"params": "{{ dhparam__tpl_params }}"
+}
diff --git a/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.service.j2 b/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.service.j2
new file mode 100644
index 00000000..33687caa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.service.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Regenerate Diffie-Hellman parameters
+Documentation=https://docs.debops.org/en/master/ansible/roles/debops.dhparam/
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+Nice=10
+ExecStart={{ dhparam__generate_params }} run
diff --git a/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.timer.j2 b/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.timer.j2
new file mode 100644
index 00000000..7cd65f81
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/templates/etc/systemd/system/dhparam-generate-params.timer.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Regenerate Diffie-Hellman parameters
+
+[Timer]
+OnCalendar={{ dhparam__generate_cron_period }}
+RandomizedDelaySec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/ansible_collections/debops/debops/roles/dhparam/templates/usr/local/lib/dhparam-generate-params.j2 b/ansible_collections/debops/debops/roles/dhparam/templates/usr/local/lib/dhparam-generate-params.j2
new file mode 100644
index 00000000..4b787b1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dhparam/templates/usr/local/lib/dhparam-generate-params.j2
@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+
+# {{ ansible_managed }}
+
+# Generate Diffie-Hellman ephemeral parameters
+# Copyright (C) Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+
+command="${1:-run}"
+
+delay_job="${2}"
+
+pidfile_scheduler="/run/$(basename "${0}")-scheduler.pid"
+
+pidfile_run="/run/$(basename "${0}").pid"
+
+dhparam_log="{{ 'true' if dhparam__generate_log | bool else '' }}"
+
+clean_up () {
+  test -f "${pidfile_run}" && rm -f "${pidfile_run}"
+  test -f "${pidfile_scheduler}" && rm -f "${pidfile_scheduler}"
+}
+
+log_message () {
+  if [ -n "${dhparam_log}" ] ; then
+    if type logger > /dev/null 2>&1 ; then
+      logger -t "$(basename "${0}")" "${@}"
+    fi
+  fi
+}
+
+if [ "${command}" == "run" ] ; then
+
+  if [ -f "${pidfile_run}" ] ; then
+    log_message "DH parameter generation already in progress managed by PID $(cat "${pidfile_run}"), exiting"
+    exit 0
+  fi
+
+  echo $$ > "${pidfile_run}"
+  sleep 1
+
+  if [ "$(cat "${pidfile_run}")" != $$ ] ; then
+    log_message "DH parameter generation started by PID $(cat "${pidfile_run}"), aborting"
+    exit 0
+  fi
+
+elif [ "${command}" == "schedule" ] ; then
+
+  if [ -f "${pidfile_run}" ] ; then
+    log_message "DH parameter generation found at PID $(cat "${pidfile_run}"), aborting scheduler"
+    exit 0
+  fi
+
+  if [ -f "${pidfile_scheduler}" ] ; then
+    log_message "DH generation scheduler already running as PID $(cat "${pidfile_scheduler}"), exiting"
+    exit 0
+  fi
+
+  echo $$ > "${pidfile_scheduler}"
+  sleep 1
+
+  if [ "$(cat "${pidfile_scheduler}")" != $$ ] ; then
+    log_message "DH generation scheduler started as PID $(cat "${pidfile_scheduler}"), aborting"
+    exit 0
+  fi
+
+fi
+
+dhparam_library="{{ dhparam__library }}"
+dhparam_path="{{ dhparam__path + '/params' }}"
+
+read -r -a dhparam_openssl_options <<< "{{ dhparam__openssl_options | join(' ') }}"
+
+dhparam_prefix="{{ dhparam__prefix }}"
+read -r -a dhparam_bits <<< "{{ dhparam__bits | join(' ') }}"
+dhparam_suffix="{{ dhparam__suffix }}"
+
+dhparam_hooks="{{ dhparam__hook_path }}"
+
+
+# Generate Diffie-Hellman parameters
+generate_params () {
+
+  trap clean_up EXIT
+
+  if [ -n "${delay_job}" ] ; then
+    delay=$(( RANDOM % 20 ))
+    sleep $(( (delay + 1) * 60 ))
+  fi
+
+  cd "${dhparam_path}" || exit 1
+  while IFS= read -r -d '' set ; do
+
+    cd "${set}" || exit 1
+    for length in "${dhparam_bits[@]}" ; do
+
+      log_message "Generating new Diffie-Hellman parameters in $(basename "${set}") with ${length} bits"
+
+      dhparam_file="${dhparam_prefix}${length}${dhparam_suffix}"
+      if [ "${dhparam_library}" == "gnutls" ] ; then
+        certtool --generate-dh-params --outfile "${dhparam_file}.tmp" --bits "${length}" > /dev/null 2>&1 && mv "${dhparam_file}.tmp" "${dhparam_file}"
+      elif [ "${dhparam_library}" == "openssl" ] ; then
+        openssl dhparam "${dhparam_openssl_options[@]}" -out "${dhparam_file}.tmp" "${length}" > /dev/null 2>&1 && mv "${dhparam_file}.tmp" "${dhparam_file}"
+      fi
+
+    done
+    # shellcheck disable=SC2164
+    cd - > /dev/null 2>&1
+
+  done < <(find . -maxdepth 1 -type d -not -name . -print0)
+
+  run-parts "${dhparam_hooks}"
+
+}
+
+# Schedule DH parameter generation at a later time
+schedule_job () {
+
+  if type batch > /dev/null 2>&1 ; then
+    log_message "Scheduling new DH parameter generation using batch"
+    echo "nice ${0} run" | batch > /dev/null 2>&1
+  else
+    log_message "Scheduling new DH parameter generation"
+    (nice "${0}" run delay) &
+  fi
+
+}
+
+case "${command}" in
+  run)        generate_params ;;
+  schedule)   schedule_job ;;
+  *)          echo "Usage: $(basename "${0}") {run|schedule}" ;;
+esac
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/COPYRIGHT b/ansible_collections/debops/debops/roles/dnsmasq/COPYRIGHT
new file mode 100644
index 00000000..81f7f5fe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.dnsmasq - Install and configure dnsmasq
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/defaults/main.yml b/ansible_collections/debops/debops/roles/dnsmasq/defaults/main.yml
new file mode 100644
index 00000000..3eca1dc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/defaults/main.yml
@@ -0,0 +1,669 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dnsmasq__ref_defaults:
+
+# debops.dnsmasq default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: dnsmasq__base_packages [[[
+#
+# List of APT packages to install for :command:`dnsmasq` support.
+dnsmasq__base_packages: [ 'dnsmasq' ]
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__packages [[[
+#
+# List of additional APT packages to install during :command:`dnsmasq`
+# configuration.
+dnsmasq__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Global options [[[
+# ------------------
+
+# .. envvar:: dnsmasq__dhcpv4 [[[
+#
+# Enable or disable DHCPv4 support.
+dnsmasq__dhcpv4: True
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__dhcpv6 [[[
+#
+# Enable or disable DHCPv6 support (router support is required).
+dnsmasq__dhcpv6: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration specific to network interfaces [[[
+# ------------------------------------------------
+
+# These variables define :command:`dnsmasq` configuration related to
+# a particular network interface. See :ref:`dnsmasq__ref_interfaces` for more
+# details.
+
+# .. envvar:: dnsmasq__default_interfaces [[[
+#
+# List of network interfaces for which :command:`dnsmasq` configuration will be
+# generated by default.
+dnsmasq__default_interfaces:
+
+    # Name of the interface.
+  - name: 'br2'
+    state: '{{ "present"
+               if (hostvars[inventory_hostname]["ansible_br2"] is defined)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__interfaces [[[
+#
+# List of network interfaces for which :command:`dnsmasq` configuration will be
+# generated, defined by the user.
+dnsmasq__interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__combined_interfaces [[[
+#
+# Combined list of network interfaces for which :command:`dnsmasq`
+# configuration will be generated, used in role tasks and templates.
+dnsmasq__combined_interfaces: '{{ dnsmasq__default_interfaces
+                                  + dnsmasq__interfaces }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS options [[[
+# ---------------
+
+# .. envvar:: dnsmasq__hostname [[[
+#
+# The router hostname used by :command:`dnsmasq`. It will be used to configure
+# DNS A and AAAA records pointing to the :command:`dnsmasq` server.
+dnsmasq__hostname: '{{ ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__base_domain [[[
+#
+# The DNS domain which will be used as a base for interface-based subdomains if
+# none are explicitly configured.
+dnsmasq__base_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__base_domain_rebind_ok [[[
+#
+# When ``True``, :command:`dnsmasq` will accept DNS records for the base DNS
+# domain that specify IP addresses in private address ranges. This is needed
+# when another DHCP/DNS server is managing the IP address leases, otherwise
+# they will be unresolvable.
+dnsmasq__base_domain_rebind_ok: True
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__etc_hosts [[[
+#
+# List of absolute paths of the additional :man:`hosts(5)` database files to
+# read by :command:`dnsmasq`. This is useful if you don't want to keep the host
+# list in the system-wide :file:`/etc/hosts` database.
+#
+# You can provide the files using the :ref:`debops.resources` Ansible role,
+# non-existent files will be silently ignored by :command:`dnsmasq`.
+dnsmasq__etc_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__nameservers [[[
+#
+# List of upstream DNS nameservers where dnsmasq should forward its DNS queries
+# which it can not answer by itself. If empty, system nameservers (for example
+# received via DHCP) will be used by default.
+dnsmasq__nameservers: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__public_dns [[[
+#
+# Enable or disable access to the local DNS from upstream networks using the
+# firewall. You can publish your subdomain in the public DNS by delegating it
+# in your zone configuration. Be wary of the DNS reflection and amplification
+# attacks!
+dnsmasq__public_dns: False
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__public_dns_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to
+# :command:`dnsmasq` DNS service in public DNS mode. If the list is empty, any
+# hosts can connect. The configuration will be set in the firewall.
+dnsmasq__public_dns_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# TFTP options [[[
+# ----------------
+
+# .. envvar:: dnsmasq__boot_enabled [[[
+#
+# Enable or disable support for BOOTP/PXE boot of remote hosts.
+dnsmasq__boot_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__boot_ipxe_enabled [[[
+#
+# Enable or disable support for iPXE boot menu. The iPXE configuration can be
+# done using the :ref:`debops.ipxe` Ansible role.
+dnsmasq__boot_ipxe_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__boot_server [[[
+#
+# Specify the IP address of the "next server" which provides a TFTP service
+# with boot files. If not specified, :command:`dnsmasq` server will be
+# contacted by the clients instead for the boot files.
+dnsmasq__boot_server: ''
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__boot_tftp_root [[[
+#
+# Absolute path of the TFTP root directory from which boot files will be
+# served. This path needs to exist, otherwise :command:`dnsmasq` service will
+# refuse to start.
+dnsmasq__boot_tftp_root: '/srv/tftp'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__boot_filename [[[
+#
+# Name of the file located in the TFTP root directory which will be sent to
+# clients telling them which file to download and boot from.
+dnsmasq__boot_filename: '{{ "menu.ipxe" if dnsmasq__boot_ipxe_enabled | bool else "pxelinux.0" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DHCP hosts, DNS resource records [[[
+# ------------------------------------
+
+# The variables below can be used to configure DHCP client entries as well as
+# DNS resource records published by :command:`dnsmasq`; syntax for both of
+# these variables is the same. See :ref:`dnsmasq__ref_dhcp_dns_entries` for
+# more details.
+
+# .. envvar:: dnsmasq__dhcp_hosts [[[
+#
+# List of DHCP clients that :command:`dnsmasq` knows about.
+dnsmasq__dhcp_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__dns_records [[[
+#
+# List of DNS resource records that :command:`dnsmasq` publishes.
+dnsmasq__dns_records: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__dhcp_dns_filename [[[
+#
+# Name of the configuration file that contains DHCP and DNS entries, located in
+# the :file:`/etc/dnsmasq.d/` directory.
+dnsmasq__dhcp_dns_filename: 'host-resource-records.conf'
+                                                                   # ]]]
+                                                                   # ]]]
+# The dnsmasq configuration files [[[
+# -----------------------------------
+
+# These variables define the contents of the :command:`dnsmasq` configuration
+# files located in the :file:`/etc/dnsmasq.d/` directory.
+# See :ref:`dnsmasq__ref_configuration` for more details.
+
+# .. envvar:: dnsmasq__default_configuration [[[
+#
+# The configuration defined by the role by default.
+dnsmasq__default_configuration:
+
+  # Remove the old default configuration file
+  - name: '00_main.conf'
+    state: 'absent'
+
+  - name: 'global.conf'
+    options:
+
+      - name: 'conntrack'
+        comment: 'Enable connection tracking support for firewalls'
+        raw: |
+          conntrack
+        state: 'present'
+
+      - name: 'enable-ra'
+        comment: 'Enable support for IPv6 Router Advertisements using dnsmasq'
+        raw: |
+          enable-ra
+        state: 'present'
+
+      - name: 'bind-interfaces'
+        comment: |
+          Bind only to the network interfaces explicitly set in the
+          configuration. This is required to allow additional dnsmasq instances
+          managed by, for example, libvirt.
+        raw: |
+          bind-dynamic
+        state: 'present'
+
+      - name: 'loopback-interface'
+        comment: 'Bind to loopback interface for local DNS queries'
+        raw: |
+          interface = lo
+          no-dhcp-interface = lo
+        state: 'present'
+
+      - name: 'addn-hosts'
+        comment: 'Read hosts information from additional files or directories'
+        value: '{{ dnsmasq__etc_hosts }}'
+        state: '{{ "present" if dnsmasq__etc_hosts | d() else "absent" }}'
+
+  - name: 'consul.conf'
+    comment: |
+      Support for Consul Agent DNS service on localhost
+      Ref: https://www.consul.io/docs/agent/dns.html
+    raw: |
+      server = /consul/127.0.0.1#8600
+    state: '{{ "present"
+               if (ansible_local.consul.installed | d() | bool)
+               else "init" }}'
+
+  - name: 'lxd-override'
+    filename: 'lxd'
+    comment: |
+      Tell any system-wide dnsmasq instance to make sure to bind to interfaces
+      instead of listening on 0.0.0.0
+    raw: |
+      bind-dynamic
+      except-interface = lxdbr0
+    state: '{{ "present" if (ansible_distribution == "Ubuntu") else "ignore" }}'
+
+  - name: 'reserved-domains.conf'
+    options:
+
+      - name: 'reserved-domains'
+        comment: |
+          Do not forward the reserved top level domains to upstream nameservers
+        raw: |
+          # Ref: https://tools.ietf.org/html/rfc2606
+          local = /test/example/invalid/
+
+          # Ref: https://tools.ietf.org/html/rfc6762
+          local = /local/
+
+          # Ref: https://tools.ietf.org/html/rfc7686
+          local = /onion/
+        state: 'present'
+
+      - name: 'private-domains'
+        comment: |
+          Do not forward the following private top level DNS names to upstream
+          DNS servers because RFC 6762 recommends not to use unregistered
+          top-level domains (https://tools.ietf.org/html/rfc6762#appendix-G)
+        raw: |
+          local = /intranet/internal/private/corp/home/lan/
+        state: 'present'
+
+  - name: 'block-dns-over-https'
+    comment: |
+      Blocking the 'use-application-dns.net' domain instructs the applications
+      that support DNS over HTTPS to not use it and rely on the system resolver
+      instead. This might be required for certain applications to support
+      access to internal services, resolve split-DNS correctly, etc.
+
+      Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+    raw: |
+      server = /use-application-dns.net/
+    state: 'present'
+
+  - name: 'dns-global.conf'
+    options:
+
+      - name: 'localise-queries'
+        comment: |
+          Return localized answers to DNS queries from '/etc/hosts' depending
+          on the originating network interface
+        raw: |
+          localise-queries
+        state: 'present'
+
+      - name: 'domain-needed'
+        comment: |
+          Never forward plain hostname queries for A or AAAA records to
+          upstream servers
+        raw: |
+          domain-needed
+        state: 'present'
+
+      - name: 'expand-hosts'
+        comment: |
+          Expand short hostnames found in the '/etc/hosts' file to full FQDN
+          addresses
+        raw: |
+          expand-hosts
+        state: 'present'
+
+      - name: 'stop-dns-rebind'
+        comment: |
+          Reject addresses from the upstream DNS nameservers which are located
+          in the private IP address ranges
+        raw: |
+          stop-dns-rebind
+        state: 'present'
+
+      - name: 'rebind-localhost-ok'
+        comment: |
+          Skip rebinding checks for '127.0.0.0/8' IP address range. This range
+          is used by the realtime black hole (RBL) servers.
+        raw: |
+          rebind-localhost-ok
+        state: 'present'
+
+      - name: 'rebind-local-domain-ok'
+        comment: |
+          Skip rebinding checks for local domain, in case dnsmasq is used as
+          a DNS cache and forwarder on a host that is a part of a network with
+          private IP address ranges, with a different DHCP/DNS server
+          maintaining the leases.
+        option: 'rebind-domain-ok'
+        value: '{{ dnsmasq__base_domain }}'
+        state: '{{ "present"
+                   if (dnsmasq__base_domain_rebind_ok | bool and
+                       dnsmasq__base_domain | d())
+                   else "absent" }}'
+
+      - name: 'rebind-parent-domain-ok'
+        comment: |
+          Skip rebinding checks for the parent domain if it has 4 or more
+          levels, which is most likely an internal domain on a network with
+          private IP address ranges.
+        option: 'rebind-domain-ok'
+        value: '{{ dnsmasq__base_domain.split(".")[1:] | join(".") }}'
+        state: '{{ "present"
+                   if (dnsmasq__base_domain_rebind_ok | bool and
+                        dnsmasq__base_domain | d() and
+                       (dnsmasq__base_domain.split(".") | length >= 4))
+                   else "absent" }}'
+
+      - name: 'bogus-priv'
+        comment: |
+          Do not forward reverse DNS queries for private IP addresses to
+          upstream DNS servers.
+          When an LXC network support is enabled, this parameter is commented
+          out to allow revDNS queries. It will also be commented out when
+          upstream nameservers are located in a private network to allow DNS
+          queries to reach them. Ref: https://bugs.debian.org/461054
+        raw: |
+          bogus-priv
+        state: '{{ "comment"
+                   if ((ansible_local.lxc.net_domain | d()) or
+                       (ansible_local.resolvconf.upstream_nameservers
+                        | d(ansible_dns.nameservers)
+                        | ansible.utils.ipaddr("private")))
+                   else "present" }}'
+
+      - name: 'resolv-file'
+        comment: |
+          Use custom list of nameservers instead of the system upstream
+          nameservers
+        value: '/etc/resolvconf/upstream.conf'
+        state: '{{ "present" if dnsmasq__nameservers | d() else "absent" }}'
+
+
+  - name: 'lxc-net.conf'
+    comment: |
+      Support for resolving LXC container hosts that use the 'lxc-net' bridge
+      configuration
+    options:
+
+      - name: 'local'
+        value: '{{ "/" + (ansible_local.lxc.net_domain | d(""))
+                   + "/" + ansible_local.lxc.net_address | d("") }}'
+
+      # Create a separate 'lxc' host record that points to the 'lxcbr0'
+      # interface from the outside, if there's no external domain set.
+      - name: 'host-record'
+        value: '{{ ansible_local.lxc.net_domain | d("")
+                   + "," + ansible_local.lxc.net_address | d("") }}'
+        state: '{{ "present"
+                   if ("." not in ansible_local.lxc.net_domain | d())
+                   else "absent" }}'
+
+      - name: 'rev-server'
+        value: '{{ ansible_local.lxc.net_subnet | d("")
+                   + "," + ansible_local.lxc.net_address | d("") }}'
+
+      - name: 'rebind-domain-ok'
+        value: '{{ ansible_local.lxc.net_domain | d("") }}'
+
+    state: '{{ "present"
+               if (ansible_local.lxc.net_domain | d())
+               else "init" }}'
+
+  - name: 'dhcp-boot.conf'
+    comment: |
+      This configuration file contains dnsmasq options related to booting
+      remote hosts using iPXE boot menu
+    options:
+
+      - name: 'dhcp-match-ipxe'
+        comment: |
+          Tag all DHCP requests with option 175 as coming from iPXE to avoid
+          recursive loops
+        option: 'dhcp-match'
+        value: 'set:ipxe,175'
+
+      - name: 'dhcp-match-d-i'
+        comment: |
+          Tag all DHCP requests with 'd-i' vendor class as coming from the
+          Debian Installer
+        option: 'dhcp-match'
+        value: 'set:debian-installer,option:vendor-class,"d-i"'
+
+      - name: 'vendor-match'
+        comment: |
+          Inspect the vendor class string and match the text to set the tag
+          Ref: https://tools.ietf.org/html/rfc4578#section-2.1
+        raw: |
+          dhcp-vendorclass = BIOS,PXEClient:Arch:00000
+          dhcp-vendorclass = UEFI32,PXEClient:Arch:00006
+          dhcp-vendorclass = UEFI,PXEClient:Arch:00007
+          dhcp-vendorclass = UEFI64,PXEClient:Arch:00009
+
+      - name: 'boot-ipxe-local'
+        comment: 'Set the boot file name based on the matching tag from the vendor class (above)'
+        raw: |
+          {% if dnsmasq__boot_ipxe_enabled | bool %}
+          # Redirect non-iPXE clients to iPXE
+          dhcp-boot = tag:!ipxe,tag:BIOS,undionly.kpxe
+          dhcp-boot = tag:!ipxe,tag:UEFI32,i386-efi/ipxe.efi
+          dhcp-boot = tag:!ipxe,tag:UEFI,ipxe.efi
+          dhcp-boot = tag:!ipxe,tag:UEFI64,ipxe.efi
+
+          # Load the main menu in iPXE clients
+          {% endif %}
+          dhcp-boot = {{ dnsmasq__boot_filename }}
+        state: '{{ "absent" if dnsmasq__boot_server | d() else "present" }}'
+
+      - name: 'boot-ipxe-remote'
+        comment: 'Set the boot file name based on the matching tag from the vendor class (above)'
+        raw: |
+          {% if dnsmasq__boot_ipxe_enabled | bool %}
+          # Redirect non-iPXE clients to iPXE
+          dhcp-boot = tag:!ipxe,tag:BIOS,undionly.kpxe,,{{ dnsmasq__boot_server }}
+          dhcp-boot = tag:!ipxe,tag:UEFI32,i386-efi/ipxe.efi,,{{ dnsmasq__boot_server }}
+          dhcp-boot = tag:!ipxe,tag:UEFI,ipxe.efi,,{{ dnsmasq__boot_server }}
+          dhcp-boot = tag:!ipxe,tag:UEFI64,ipxe.efi,,{{ dnsmasq__boot_server }}
+
+          # Load the main menu in iPXE clients
+          {% endif %}
+          dhcp-boot = {{ dnsmasq__boot_filename }},,{{ dnsmasq__boot_server }}
+        state: '{{ "present" if dnsmasq__boot_server | d() else "absent" }}'
+
+    state: '{{ "present" if dnsmasq__boot_enabled | bool else "init" }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__interface_configuration [[[
+#
+# Automatically generated :command:`dnsmasq` configuration for each of the
+# network interfaces defined in the :envvar:`dnsmasq__combined_interfaces`
+# variable.
+dnsmasq__interface_configuration: '{{ lookup("template", "lookup/dnsmasq__interface_configuration.j2",
+                                             convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__configuration [[[
+#
+# The configuration which should be present on all hosts in the Ansible
+# inventory.
+dnsmasq__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__group_configuration [[[
+#
+# The configuration which should be present on hosts in a specific Ansible
+# inventory group.
+dnsmasq__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__host_configuration [[[
+#
+# The configuration which should be present on specific hosts in the Ansible
+# inventory.
+dnsmasq__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__combined_configuration [[[
+#
+# The variable which combines all of the other configuration variables and is
+# used in the Ansible tasks.
+dnsmasq__combined_configuration: '{{ dnsmasq__default_configuration
+                                     + dnsmasq__interface_configuration
+                                     + dnsmasq__configuration
+                                     + dnsmasq__group_configuration
+                                     + dnsmasq__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: dnsmasq__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+dnsmasq__ferm__dependent_rules:
+
+  - type: 'accept'
+    by_role: 'debops.dnsmasq'
+    name: 'dns'
+    weight: '40'
+    protocol: [ 'udp', 'tcp' ]
+    saddr: '{{ dnsmasq__public_dns_allow }}'
+    dport: [ 'domain' ]
+    accept_any: True
+    interface: '{{ []
+                   if (dnsmasq__public_dns | bool)
+                   else (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                         | selectattr("state", "equalto", "present")
+                         | map(attribute="name") | list) }}'
+    rule_state: '{{ "present"
+                    if ((dnsmasq__public_dns | bool) or
+                        (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                            | selectattr("state", "equalto", "present")
+                            | map(attribute="name") | list))
+                    else "absent" }}'
+
+  - type: 'accept'
+    by_role: 'debops.dnsmasq'
+    name: 'dhcpv4'
+    weight: '40'
+    protocol: [ 'udp' ]
+    dport: [ 'bootps' ]
+    interface: '{{ dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                   | selectattr("state", "equalto", "present")
+                   | map(attribute="name") | list }}'
+    rule_state: '{{ "present"
+                    if (dnsmasq__dhcpv4 | bool and
+                        (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                         | selectattr("state", "equalto", "present")
+                         | map(attribute="name") | list))
+                    else "absent" }}'
+
+  - type: 'accept'
+    by_role: 'debops.dnsmasq'
+    name: 'dhcpv6'
+    weight: '40'
+    saddr: [ 'fe80::/10' ]
+    daddr: [ 'ff02::1:2' ]
+    # https://tools.ietf.org/html/rfc3315#section-13
+    protocol: [ 'udp' ]
+    sport: [ 'dhcpv6-client' ]
+    dport: [ 'dhcpv6-server' ]
+    interface: '{{ dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                   | selectattr("state", "equalto", "present")
+                   | map(attribute="name") | list }}'
+    rule_state: '{{ "present"
+                    if (dnsmasq__dhcpv6 | bool and
+                        (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                         | selectattr("state", "equalto", "present")
+                         | map(attribute="name") | list))
+                    else "absent" }}'
+
+  - type: 'accept'
+    by_role: 'debops.dnsmasq'
+    filename: 'tftp'
+    weight: '40'
+    dport: [ 'tftp' ]
+    protocol: [ 'udp' ]
+    interface: '{{ dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                   | selectattr("state", "equalto", "present")
+                   | map(attribute="name") | list }}'
+    rule_state: '{{ "present"
+                    if (dnsmasq__boot_enabled | bool and
+                        (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items
+                         | selectattr("state", "equalto", "present")
+                         | map(attribute="name") | list))
+                    else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the :ref:`debops.tcpwrappers` Ansible role.
+dnsmasq__tcpwrappers__dependent_allow: '{{ lookup("template", "lookup/dnsmasq__tcpwrappers__dependent_allow.j2",
+                                             convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__apparmor__local_dependent_config [[[
+#
+# Configuration for the ``debops-contrib.apparmor`` Ansible role.
+dnsmasq__apparmor__local_dependent_config:
+
+  'usr.sbin.dnsmasq':
+    - comment: 'Allow dnsmasq to read upstream DNS servers'
+      rules:
+        - '/etc/resolvconf/upstream.conf r'
+        - '/etc/hosts.dnsmasq r'
+    - comment: 'Allow dnsmasq to read /usr/share/dnsmasq-base/trust-anchors.conf provided by dnsmasq-base'
+      rules:
+        - '/usr/share/dnsmasq-base/* r'
+
+                                                                   # ]]]
+# .. envvar:: dnsmasq__persistent_paths__dependent_paths [[[
+#
+# Configuration for the :ref:`debops.persistent_paths` Ansible role.
+dnsmasq__persistent_paths__dependent_paths:
+
+  '50_debops_dnsmasq':
+    by_role: 'debops.dnsmasq'
+    paths:
+      - '/etc/ansible'
+      - '/etc/dnsmasq.d'
+      - '/etc/default/dnsmasq'
+      - '/etc/resolvconf/upstream.conf'
+      - '/etc/hosts.dnsmasq'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/meta/main.yml b/ansible_collections/debops/debops/roles/dnsmasq/meta/main.yml
new file mode 100644
index 00000000..ef78b607
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Install and configure dnsmasq'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.6.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - dhcp
+    - dns
+    - pxe
+    - tftp
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/tasks/main.yml b/ansible_collections/debops/debops/roles/dnsmasq/tasks/main.yml
new file mode 100644
index 00000000..697e9790
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,115 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dnsmasq__base_packages + dnsmasq__packages)) }}'
+    state: 'present'
+  register: dnsmasq__register_packages
+  until: dnsmasq__register_packages is succeeded
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Generate dnsmasq Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dnsmasq.fact.j2'
+    dest: '/etc/ansible/facts.d/dnsmasq.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+  # This directory is required, otherwise dnsmasq won't start when TFTP support
+  # is enabled
+- name: Make sure TFTP root directory exists
+  ansible.builtin.file:
+    path: '{{ dnsmasq__boot_tftp_root }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dnsmasq__boot_enabled | bool
+
+- name: Remove dnsmasq configuration if requested
+  ansible.builtin.file:
+    path: '/etc/dnsmasq.d/{{ item.filename | d(item.name | regex_replace("\.conf$", "") + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ dnsmasq__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Test and restart dnsmasq' ]
+  when: (item.name | d() and item.state | d('present') == 'absent')
+
+- name: Generate dnsmasq configuration
+  ansible.builtin.template:
+    src: 'etc/dnsmasq.d/template.conf.j2'
+    dest: '/etc/dnsmasq.d/{{ item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ dnsmasq__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Test and restart dnsmasq' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'])
+
+- name: Remove DHCP host configuration and DNS records if requested
+  ansible.builtin.file:
+    path: '/etc/dnsmasq.d/{{ dnsmasq__dhcp_dns_filename }}'
+    state: 'absent'
+  notify: [ 'Test and restart dnsmasq' ]
+  when: not dnsmasq__dhcp_hosts | d() and not dnsmasq__dns_records | d()
+
+- name: Generate DHCP host configuration and DNS records
+  ansible.builtin.template:
+    src: 'etc/dnsmasq.d/dhcp-dns-options.conf.j2'
+    dest: '/etc/dnsmasq.d/{{ dnsmasq__dhcp_dns_filename }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Test and restart dnsmasq' ]
+  when: dnsmasq__dhcp_hosts | d() or dnsmasq__dns_records | d()
+
+- name: Divert original dnsmasq environment file
+  debops.debops.dpkg_divert:
+    path: '/etc/default/dnsmasq'
+  notify: [ 'Test and restart dnsmasq' ]
+
+- name: Configure dnsmasq environment file
+  ansible.builtin.template:
+    src: 'etc/default/dnsmasq.j2'
+    dest: '/etc/default/dnsmasq'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Test and restart dnsmasq' ]
+
+- name: Configure custom nameservers in resolvconf
+  ansible.builtin.template:
+    src: 'etc/resolvconf/upstream.conf.j2'
+    dest: '/etc/resolvconf/upstream.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Test and restart dnsmasq' ]
+  when: dnsmasq__nameservers | d()
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/tasks/main_env.yml b/ansible_collections/debops/debops/roles/dnsmasq/tasks/main_env.yml
new file mode 100644
index 00000000..143cd7dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/tasks/main_env.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare environment for dependent Ansible roles
+  ansible.builtin.set_fact:
+    dnsmasq__env_tcpwrappers__dependent_allow: '{{ dnsmasq__tcpwrappers__dependent_allow }}'
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/ansible/facts.d/dnsmasq.fact.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/ansible/facts.d/dnsmasq.fact.j2
new file mode 100644
index 00000000..2293b2c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/ansible/facts.d/dnsmasq.fact.j2
@@ -0,0 +1,37 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"boot_tftp_root": dnsmasq__boot_tftp_root}
+                     | to_nice_json }}''')
+
+output['installed'] = cmd_exists('dnsmasq')
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "dnsmasq"]).decode('utf-8').split('-')[0]
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/default/dnsmasq.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/default/dnsmasq.j2
new file mode 100644
index 00000000..3a96cdad
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/default/dnsmasq.j2
@@ -0,0 +1,44 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This file has five functions:
+# 1) to completely disable starting dnsmasq,
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# For upgraders from very old versions, all the shell variables set
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
+
+# Whether or not to run the dnsmasq daemon; set to 0 to disable.
+ENABLED=1
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+{% if dnsmasq__nameservers | d() %}
+IGNORE_RESOLVCONF=yes
+{% else %}
+#IGNORE_RESOLVCONF=yes
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/dhcp-dns-options.conf.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/dhcp-dns-options.conf.j2
new file mode 100644
index 00000000..6b88f76b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/dhcp-dns-options.conf.j2
@@ -0,0 +1,156 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# DHCP host configuration and DNS records
+
+{% for element in (dnsmasq__dhcp_hosts + dnsmasq__dns_records) %}
+{%   set entry = {} %}
+{%   for k, v in element.items() %}
+{%     set _ = entry.update({k.lower(): v}) %}
+{%   endfor %}
+{%   if entry.state | d('present') != 'absent' %}
+{%     set dhcp_host = [] %}
+{%     set host_record = [] %}
+{%     set cname = [] %}
+{%     set record_command = '' %}
+{%     set record_content = [] %}
+{%     if entry.hwaddr | d() %}
+{%       set _ = dhcp_host.extend( ([ entry.hwaddr ] if (entry.hwaddr is string) else entry.hwaddr) ) %}
+{%     elif entry.mac | d() %}
+{%       set _ = dhcp_host.extend( ([ entry.mac ] if (entry.mac is string) else entry.mac) ) %}
+{%     endif %}
+{%     if entry.id | d() %}
+{%       set _ = dhcp_host.append('id:' + entry.id) %}
+{%     endif %}
+{%     if entry.tag | d() %}
+{%       set _ = dhcp_host.append('set:' + entry.tag) %}
+{%     endif %}
+{%     if entry.ip | d() and (entry.host is undefined and entry.a is undefined and entry.aaaa is undefined) %}
+{%       set _ = dhcp_host.extend( ([ entry.ip ] if (entry.ip is string) else entry.ip) | ansible.utils.ipwrap ) %}
+{%     elif entry.ipaddr | d() and (entry.host is undefined and entry.a is undefined and entry.aaaa is undefined) %}
+{%       set _ = dhcp_host.extend( ([ entry.ipaddr ] if (entry.ipaddr is string) else entry.ipaddr) | ansible.utils.ipwrap ) %}
+{%     elif entry.address | d() and (entry.host is undefined and entry.a is undefined and entry.aaaa is undefined) %}
+{%       set _ = dhcp_host.extend( ([ entry.address ] if (entry.address is string) else entry.address) | ansible.utils.ipwrap ) %}
+{%     endif %}
+{%     if entry.name | d() %}
+{%       set _ = dhcp_host.append(entry.name) %}
+{%     elif entry.hostname | d() %}
+{%       set _ = dhcp_host.append(entry.hostname) %}
+{%     endif %}
+{%     if entry.lease | d() %}
+{%       set _ = dhcp_host.append(entry.lease) %}
+{%     elif entry.lease_time | d() %}
+{%       set _ = dhcp_host.append(entry.lease_time) %}
+{%     endif %}
+{%     if (entry.ignore | d()) | bool %}
+{%       set _ = dhcp_host.append('ignore') %}
+{%     endif %}
+{%     if entry.domain | d() and (entry.ip | d() or entry.ipaddr | d() or entry.address | d()) %}
+{%       if entry.name | d() %}
+{%         set host_name = entry.name %}
+{%       elif entry.hostname | d() %}
+{%         set host_name = entry.hostname %}
+{%       endif %}
+{%       set _ = host_record.append(host_name + '.' + entry.domain) %}
+{%       if entry.ip | d() %}
+{%         set _ = host_record.extend( ([ entry.ip ] if (entry.ip is string) else entry.ip) | ansible.utils.ipwrap ) %}
+{%       elif entry.ipaddr | d() %}
+{%         set _ = host_record.extend( ([ entry.ipaddr ] if (entry.ipaddr is string) else entry.ipaddr) | ansible.utils.ipwrap ) %}
+{%       elif entry.address | d() %}
+{%         set _ = host_record.extend( ([ entry.address ] if (entry.address is string) else entry.address) | ansible.utils.ipwrap ) %}
+{%       endif %}
+{%     endif %}
+{%     if (entry.host | d() or entry.a | d() or entry.aaaa | d()) and (entry.ip | d() or entry.ipaddr | d() or entry.address | d() or entry.target | d()) %}
+{%       set record_command = 'host-record' %}
+{%       if entry.host | d() %}
+{%         set _ = record_content.extend( ([ entry.host ] if (entry.host is string) else entry.host) ) %}
+{%       elif entry.a | d() %}
+{%         set _ = record_content.extend( ([ entry.a ] if (entry.a is string) else entry.a) ) %}
+{%       elif entry.aaaa | d() %}
+{%         set _ = record_content.extend( ([ entry.aaaa ] if (entry.aaaa is string) else entry.aaaa) ) %}
+{%       endif %}
+{%       if entry.ip | d() %}
+{%         set _ = record_content.extend( ([ entry.ip ] if (entry.ip is string) else entry.ip) ) %}
+{%       elif entry.ipaddr | d() %}
+{%         set _ = record_content.extend( ([ entry.ipaddr ] if (entry.ipaddr is string) else entry.ipaddr) ) %}
+{%       elif entry.address | d() %}
+{%         set _ = record_content.extend( ([ entry.address ] if (entry.address is string) else entry.address) ) %}
+{%       elif entry.target | d() %}
+{%         set _ = record_content.extend( ([ entry.target ] if (entry.target is string) else entry.target) ) %}
+{%       endif %}
+{%     elif entry.txt | d() and (entry.value | d() or entry.target | d()) %}
+{%       set record_command = 'txt-record' %}
+{%       set _ = record_content.extend( [ entry.txt ] ) %}
+{%       if entry.value | d() %}
+{%         set _ = record_content.extend( ([ entry.value ] if (entry.value is string) else entry.value) ) %}
+{%       elif entry.target | d() %}
+{%         set _ = record_content.extend( ([ entry.target ] if (entry.target is string) else entry.target) ) %}
+{%       endif %}
+{%     elif entry.cname | d() and entry.target | d() %}
+{%       set record_command = 'cname' %}
+{%       set _ = record_content.extend( [ entry.cname ] ) %}
+{%       set _ = record_content.extend( [ entry.target ] ) %}
+{%     elif entry.ptr | d() and entry.target | d() %}
+{%       set record_command = 'ptr-record' %}
+{%       set _ = record_content.extend( [ entry.ptr ] ) %}
+{%       set _ = record_content.extend( [ entry.target ] ) %}
+{%     elif entry.mx | d() %}
+{%       set record_command = 'mx-host' %}
+{%       set _ = record_content.extend( [ entry.mx ] ) %}
+{%       if entry.target | d() %}
+{%         set _ = record_content.extend( [ entry.target ] ) %}
+{%       endif %}
+{%       if entry.preference | d() %}
+{%         set _ = record_content.extend( [ entry.preference ] ) %}
+{%       elif entry.priority | d() %}
+{%         set _ = record_content.extend( [ entry.priority ] ) %}
+{%       endif %}
+{%     elif entry.srv | d() and entry.target | d() %}
+{%       set record_command = 'srv-host' %}
+{%       set _ = record_content.extend( [ entry.srv ] ) %}
+{%       set _ = record_content.extend( [ entry.target ] ) %}
+{%       if entry.port | d() %}
+{%         set _ = record_content.extend( [ entry.port ] ) %}
+{%       endif %}
+{%       if entry.preference | d() %}
+{%         set _ = record_content.extend( [ entry.preference ] ) %}
+{%       elif entry.priority | d() %}
+{%         set _ = record_content.extend( [ entry.priority ] ) %}
+{%       endif %}
+{%       if entry.weight | d() %}
+{%         set _ = record_content.extend( [ entry.weight ] ) %}
+{%       endif %}
+{%     endif %}
+{%     if (dhcp_host | d() or (record_command | d() and record_content | d()) or entry.raw | d()) %}
+{%       if not loop.first %}
+
+{%       endif %}
+{%       if entry.comment | d() %}
+{{ entry.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{%       if entry.raw | d() %}
+{%         if entry.state | d('present') == 'comment' %}
+{{ "{}".format(entry.raw | regex_replace('\n$','')) | comment(decoration='#', prefix='', postfix='') }}
+{%         else %}
+{{ "{}".format(entry.raw | regex_replace('\n$','')) }}
+{%         endif %}
+{%       elif dhcp_host | d() %}
+{{ '{}dhcp-host = {}'.format(('#' if (entry.state | d('present') == 'comment') else ''), dhcp_host | join(',')) }}
+{%         if host_record | d() %}
+{{ '{}host-record = {}'.format(('#' if (entry.state | d('present') == 'comment') else ''), host_record | join(',')) }}
+{%           if entry.cname | d() %}
+{%             for cname in ([ entry.cname ] if entry.cname is string else entry.cname) %}
+{{ '{}cname = {},{}'.format(('#' if (entry.state | d('present') == 'comment') else ''), cname + '.' + entry.domain, host_name + '.' + entry.domain) }}
+{%             endfor %}
+{%           endif %}
+{%         endif %}
+{%       elif (record_command | d() and record_content | d()) %}
+{{ '{}{} = {}'.format(('#' if (entry.state | d('present') == 'comment') else ''), record_command, record_content | join(',')) }}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/template.conf.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/template.conf.j2
new file mode 100644
index 00000000..28942a7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/dnsmasq.d/template.conf.j2
@@ -0,0 +1,55 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element is string %}
+{%       if not loop.first %}
+
+{%       endif %}
+{{ "{}".format(element) }}
+{%     elif element is mapping %}
+{%       if element.name | d() %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%           if (loop.first and item.comment | d() and element.comment | d()) or (not loop.first and (element.comment | d() or (element.separator | d()) | bool)) %}
+
+{%           endif %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%           endif %}
+{%           if element.value | d() %}
+{%             if element.value is string %}
+{{ "{}{} = {}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name), element.value) }}
+{%             else %}
+{%               for thing in (element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) %}
+{{ "{}{} = {}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name), thing) }}
+{%               endfor %}
+{%             endif %}
+{%           elif element.raw | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "{}".format(element.raw | regex_replace('\n$','')) | comment(decoration='#', prefix='', postfix='') -}}
+{%             else %}
+{{ "{}".format(element.raw | regex_replace('\n$','')) }}
+{%             endif %}
+{%           else %}
+{{ "{}{}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name)) }}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         for key, value in element.items() %}
+{{ "{} = {}".format(key, value) }}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw | regex_replace('\n$','') }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/resolvconf/upstream.conf.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/resolvconf/upstream.conf.j2
new file mode 100644
index 00000000..f16a4b1f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/etc/resolvconf/upstream.conf.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if dnsmasq__nameservers | d() and dnsmasq__nameservers is iterable %}
+{%   for nameserver in dnsmasq__nameservers %}
+nameserver {{ nameserver }}
+{%   endfor %}
+{% elif dnsmasq__nameservers | d() and dnsmasq__nameservers is string %}
+nameserver {{ dnsmasq__nameservers }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__interface_configuration.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__interface_configuration.j2
new file mode 100644
index 00000000..51c3ec0e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__interface_configuration.j2
@@ -0,0 +1,170 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set dnsmasq__tpl_interface_configuration = [] %}
+{% for interface in (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items) %}
+{%   set dnsmasq__tpl_ipv4 = [] %}
+{%   set dnsmasq__tpl_ipv6 = [] %}
+{%   if not interface.ignore_interface_addresses|d(False) and hostvars[inventory_hostname]["ansible_" + interface.name] | d() %}
+{%     if hostvars[inventory_hostname]["ansible_" + interface.name].ipv4 | d() %}
+{%       set _ = dnsmasq__tpl_ipv4.append(hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.address + '/'
+                                          + (hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.address + '/'
+                                             + hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.netmask) | ansible.utils.ipaddr('prefix') | string) %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface.name].ipv4_secondaries | d() %}
+{%         for element in hostvars[inventory_hostname]["ansible_" + interface.name].ipv4_secondaries %}
+{%           set _ = dnsmasq__tpl_ipv4.append(element.address + '/' + (element.address + '/' + element.netmask) | ansible.utils.ipaddr('prefix') | string) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     if hostvars[inventory_hostname]["ansible_" + interface.name].ipv6 | d() %}
+{%       for element in hostvars[inventory_hostname]["ansible_" + interface.name].ipv6 %}
+{%         if not element.address | ansible.utils.ipv6('link-local') %}
+{%           set _ = dnsmasq__tpl_ipv6.append(element.address + '/' + element.prefix) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if interface.address | d() %}
+{%     for element in ([ interface.address ] if interface.address is string else interface.address) %}
+{%       if element | ansible.utils.ipv4('host/prefix') %}
+{%         set _ = dnsmasq__tpl_ipv4.append(element) %}
+{%       elif element | ansible.utils.ipv6('host/prefix') and not element | ansible.utils.ipv6('link-local') %}
+{%         set _ = dnsmasq__tpl_ipv6.append(element) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if interface.addresses | d() %}
+{%     for element in ([ interface.addresses ] if interface.addresses is string else interface.addresses) %}
+{%       if element | ansible.utils.ipv4('host/prefix') %}
+{%         set _ = dnsmasq__tpl_ipv4.append(element) %}
+{%       elif element | ansible.utils.ipv6('host/prefix') and not element | ansible.utils.ipv6('link-local') %}
+{%         set _ = dnsmasq__tpl_ipv6.append(element) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   set interface_hostname = (interface.hostname | d(dnsmasq__hostname)) %}
+{%   set interface_domain = (interface.domain | d(interface.name + "." + dnsmasq__base_domain)) %}
+{%   set interface_tag = (interface.tag | d(interface.name)) %}
+{%   set interface_base = {"name": (interface.filename | d("interface-" + interface.name + ".conf")), "state": (interface.state | d("present"))} %}
+{%   set interface_search = [] %}
+{%   if interface.search | d() %}
+{%     set _ = interface_search.extend([ interface.search ] if interface.search is string else interface.search) %}
+{%   endif %}
+{%   if (interface_domain.endswith(dnsmasq__base_domain) and interface_domain.split(".") | length >= 3 and dnsmasq__base_domain.split(".") | length >= 2) %}
+{%     set _ = interface_search.append(dnsmasq__base_domain) %}
+{%   endif %}
+{%   set interface_options = [] %}
+{%   set _ = interface_options.append({
+  "name": "interface",
+  "value": interface.name
+}) %}
+{%   set _ = interface_options.append({
+  "name": "interface-name_domain",
+  "option": "interface-name",
+  "value": (interface_hostname + "." + interface_domain + "," + interface.name)
+}) %}
+{%   if (not interface.dhcp_enabled | d(True)) | bool %}
+{%     set _ = interface_options.append({
+  "name": "no-dhcp-interface",
+  "value": interface.name
+}) %}
+{%   else %}
+{%     if interface.dhcp_range_state | d('present') == 'present' %}
+{%       for host_address in dnsmasq__tpl_ipv4 %}
+{%         set _ = interface_options.append({
+  "name": ("dhcp_range_" + (host_address | replace('.','_') | replace('/','_'))),
+  "option": "dhcp-range",
+  "separator": True,
+  "value": ("set:" + interface_tag + "," + host_address | ansible.utils.ipv4(interface.dhcp_range_start | d(10) | int) | ansible.utils.ipv4('address') + ',' + host_address | ansible.utils.ipv4(interface.dhcp_range_end | d(-10) | int) | ansible.utils.ipv4('address') + ',' + host_address | ansible.utils.ipv4('netmask') + ',' + interface.dhcp_lease | d('24h'))
+}) %}
+{%       endfor %}
+{%       for host_address in dnsmasq__tpl_ipv6 %}
+{%         if (interface.dhcp_ipv6_mode is string and interface.dhcp_ipv6_mode == '') %}
+{%           set ra_separator = '' %}
+{%         else %}
+{%           set ra_separator = ',' %}
+{%         endif %}
+{%         set _ = interface_options.append({
+  "name": ("dhcp_range_" + (host_address | replace(':','_') | replace('/','_'))),
+  "option": "dhcp-range",
+  "value": ("set:" + interface_tag + "," + host_address | ansible.utils.ipv6(interface.dhcp_range_start | d(10) | int) | ansible.utils.ipv6('address') + ',' + host_address | ansible.utils.ipv6(interface.dhcp_range_end | d(-10) | int) | ansible.utils.ipv6('address') + ',' + interface.dhcp_ipv6_mode | d("ra-names,ra-stateless,slaac") + ra_separator + host_address | ansible.utils.ipv6('prefix') | string + ',' + interface.dhcp_lease | d('24h'))
+}) %}
+{%       endfor %}
+{%     endif %}
+{%     if (interface.router_state | d('present')) in [ 'present', 'enabled' ] %}
+{%       if interface.router_gateway | d() %}
+{%         set _ = interface_options.append({
+  "name": "dhcp_option_ipv4_router",
+  "option": "dhcp-option",
+  "value": ("tag:" + interface_tag + ",option:router," + interface.router_gateway)
+}) %}
+{%       else %}
+{%         set _ = interface_options.append({
+  "name": "dhcp_option_ipv4_router",
+  "option": "dhcp-option",
+  "value": ("tag:" + interface_tag + ",option:router,0.0.0.0")
+}) %}
+{%       endif %}
+{%     elif (interface.router_state | d('present')) in [ 'disabled' ] %}
+{%       set _ = interface_options.append({
+  "name": "dhcp_option_ipv4_router",
+  "option": "dhcp-option",
+  "comment": "IPv4 router is not advertised",
+  "value": ("tag:" + interface_tag + ",option:router")
+}) %}
+{%     endif %}
+{%   endif %}
+{%   if dnsmasq__tpl_ipv6 | d() %}
+{%     set _ = interface_options.append({
+  "name": "dhcp_option6_dns_server",
+  "option": "dhcp-option",
+  "comment": "Advertise RDNSS servers for local IPv6 network",
+  "value": ("tag:" + interface_tag + ",option6:dns-server," + dnsmasq__tpl_ipv6 | ansible.utils.ipv6("address") | ansible.utils.ipwrap | join(","))
+}) %}
+{%   endif %}
+{%   set _ = interface_options.append({
+  "name": "dhcp_option_search",
+  "option": "dhcp-option",
+  "value": ("tag:" + interface_tag + ",option:domain-search," + ([ interface_domain ] + ([ interface_search ] if interface_search is string else interface_search)) | unique | join(","))
+}) %}
+{%   set _ = interface_options.append({
+  "name": "dhcp_option6_search",
+  "option": "dhcp-option",
+  "value": ("tag:" + interface_tag + ",option6:domain-search," + ([ interface_domain ] + ([ interface_search ] if interface_search is string else interface_search)) | unique | join(","))
+}) %}
+{%   for host_address in (dnsmasq__tpl_ipv4 + dnsmasq__tpl_ipv6) %}
+{%     set _ = interface_options.append({
+  "name": ("domain_" + (host_address | replace('.','_') | replace('/','_'))),
+  "option": "domain",
+  "value": (interface_domain + "," + host_address | ansible.utils.ipaddr('subnet') + (",local" if (host_address | ansible.utils.ipaddr('prefix') in [ 8, 16, 24 ]) else ""))
+}) %}
+{%   endfor %}
+{%   if (interface.boot_enabled | d(dnsmasq__boot_enabled)) | bool %}
+{%     set _ = interface_options.extend([{
+  "name": "enable-tftp",
+  "comment": "Enable TFTP support",
+  "value": interface.name
+}, {
+  "name": "tftp-root",
+  "value": (interface.boot_tftp_root | d(dnsmasq__boot_tftp_root)) + "," + interface.name
+}]) %}
+{%     if not dnsmasq__boot_ipxe_enabled | bool %}
+{%       set _ = interface_options.append({
+  "name": "dhcp-boot",
+  "value": ("tag:" + interface_tag + "," + interface.boot_filename | d("pxelinux.0") + ((",," + interface.boot_server) if interface.boot_server | d() else ""))
+}) %}
+{%     endif %}
+{%   endif %}
+{%   if interface.raw | d() %}
+{%     set _ = interface_options.append({
+  "name": "interface_raw",
+  "comment": "Additional interface options",
+  "raw": interface.raw
+}) %}
+{%   endif %}
+{%   set _ = interface_base.update({"options": interface_options}) %}
+{%   set _ = dnsmasq__tpl_interface_configuration.append(interface_base) %}
+{% endfor %}
+{{ dnsmasq__tpl_interface_configuration | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__tcpwrappers__dependent_allow.j2 b/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__tcpwrappers__dependent_allow.j2
new file mode 100644
index 00000000..bdfdc729
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dnsmasq/templates/lookup/dnsmasq__tcpwrappers__dependent_allow.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set dnsmasq__tpl_subnets = [] %}
+{% set dnsmasq__tpl_tcpwrappers__dependent_allow = [] %}
+{% for interface in (dnsmasq__combined_interfaces | flatten | debops.debops.parse_kv_items) %}
+{%   set dnsmasq__tpl_ipv4 = [] %}
+{%   set dnsmasq__tpl_ipv6 = [] %}
+{%   if hostvars[inventory_hostname]["ansible_" + interface.name] | d() %}
+{%     if hostvars[inventory_hostname]["ansible_" + interface.name].ipv4 | d() %}
+{%       set _ = dnsmasq__tpl_ipv4.append(hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.address + '/'
+                                          + (hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.address + '/'
+                                             + hostvars[inventory_hostname]["ansible_" + interface.name].ipv4.netmask) | ansible.utils.ipaddr('prefix') | string) %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface.name].ipv4_secondaries | d() %}
+{%         for element in hostvars[inventory_hostname]["ansible_" + interface.name].ipv4_secondaries %}
+{%           set _ = dnsmasq__tpl_ipv4.append(element.address + '/' + (element.address + '/' + element.netmask) | ansible.utils.ipaddr('prefix') | string) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     if hostvars[inventory_hostname]["ansible_" + interface.name].ipv6 | d() %}
+{%       for element in hostvars[inventory_hostname]["ansible_" + interface.name].ipv6 %}
+{%         if not element.address | ansible.utils.ipv6('link-local') %}
+{%           set _ = dnsmasq__tpl_ipv6.append(element.address + '/' + element.prefix) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if interface.address | d() %}
+{%     for element in ([ interface.address ] if interface.address is string else interface.address) %}
+{%       if element | ansible.utils.ipv4('host/prefix') %}
+{%         set _ = dnsmasq__tpl_ipv4.append(element) %}
+{%       elif element | ansible.utils.ipv6('host/prefix') and not element | ansible.utils.ipv6('link-local') %}
+{%         set _ = dnsmasq__tpl_ipv6.append(element) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if interface.addresses | d() %}
+{%     for element in ([ interface.addresses ] if interface.addresses is string else interface.addresses) %}
+{%       if element | ansible.utils.ipv4('host/prefix') %}
+{%         set _ = dnsmasq__tpl_ipv4.append(element) %}
+{%       elif element | ansible.utils.ipv6('host/prefix') and not element | ansible.utils.ipv6('link-local') %}
+{%         set _ = dnsmasq__tpl_ipv6.append(element) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if (interface.state | d('present') != 'absent' and (interface.boot_enabled | d(dnsmasq__boot_enabled)) | bool) %}
+{%     set _ = dnsmasq__tpl_subnets.extend(dnsmasq__tpl_ipv4 + dnsmasq__tpl_ipv6) %}
+{%   endif %}
+{% endfor %}
+{% set _ = dnsmasq__tpl_tcpwrappers__dependent_allow.append({
+  "daemon": "in.tftpd",
+  "client": (dnsmasq__tpl_subnets | ansible.utils.ipaddr('subnet')),
+  "weight": 50,
+  "filename": "dnsmasq_dependent_allow",
+  "comment": "Allow remote connections to TFTP server",
+  "state": ("present" if (dnsmasq__boot_enabled | bool and dnsmasq__tpl_subnets | d()) else "absent")
+}) %}
+{{ dnsmasq__tpl_tcpwrappers__dependent_allow | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/docker_gen/COPYRIGHT b/ansible_collections/debops/debops/roles/docker_gen/COPYRIGHT
new file mode 100644
index 00000000..c2cf3280
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.docker_gen - Manage configuration files using Docker data
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/docker_gen/defaults/main.yml b/ansible_collections/debops/debops/roles/docker_gen/defaults/main.yml
new file mode 100644
index 00000000..86a9fa55
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/defaults/main.yml
@@ -0,0 +1,207 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _docker_gen__ref_defaults:
+
+# debops.docker_gen default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# Docker_gen installation [[[
+# ---------------------------
+
+# .. envvar:: docker_gen__repo [[[
+#
+# Address of the :command:`docker-gen` GitHub repository.
+docker_gen__repo: 'https://github.com/jwilder/docker-gen'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__os_arch [[[
+#
+# Operating System and Architecture of the :command:`docker-gen` tarball to install.
+docker_gen__os_arch: 'linux-amd64'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__version [[[
+#
+# Version of :command:`docker-gen` to install.
+docker_gen__version: '0.7.4'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__release [[[
+#
+# Templated URL of the :command:`docker-gen` release which will be downloaded from
+# GitHub.
+docker_gen__release: '{{ docker_gen__repo }}/releases/download/{{ docker_gen__version }}/docker-gen-{{ docker_gen__os_arch }}-{{ docker_gen__version }}.tar.gz'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__src [[[
+#
+# Location of :command:`docker-gen` sources on remote host where source tarball will
+# be stored.
+docker_gen__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                     + "/docker-gen" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__lib [[[
+#
+# Location where the :command:`docker-gen` binary will be installed (not in the ``$PATH``
+# since this binary won't be used by the user, but as a service).
+docker_gen__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                     + "/docker-gen" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__templates [[[
+#
+# Location where :command:`docker-gen` templates will be installed.
+docker_gen__templates: '{{ docker_gen__lib + "/templates" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__config [[[
+#
+# Custom configuration in the YAML text block format, added at the end of the
+# generated :file:`/etc/docker-gen.conf` configuration file. Should be in the
+# format::
+#
+#   docker_gen__config: |
+#     [[config]]
+#     key = "value"
+#     option = true
+#
+docker_gen__config: ''
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Remote Docker support [[[
+# -------------------------
+
+# .. envvar:: docker_gen__remote [[[
+#
+# By default :command:`docker-gen` expects Docker to be installed and available
+# locally. With this option set to ``True`` you can enable support for remote
+# Docker TCP connection over TLS.
+docker_gen__remote: False
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__remote_host [[[
+#
+# Specify FQDN hostname or IP address of the remote Docker host.
+docker_gen__remote_host: ''
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__remote_port [[[
+#
+# Specify the TCP port used to connect to Docker using TLS.
+docker_gen__remote_port: '2375'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__remote_endpoint [[[
+#
+# This is the ``-endpoint`` option passed to the :command:`docker-gen` binary when the
+# remote support is enabled.
+docker_gen__remote_endpoint: 'tcp://{{ docker_gen__remote_host }}:{{ docker_gen__remote_port }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# nginx upstream support [[[
+# --------------------------
+
+# .. envvar:: docker_gen__nginx [[[
+#
+# Enable support for generating :program:`nginx` upstream definitions. :command:`docker-gen`
+# will create entry for each container which has ``NGINX_UPSTREAM`` variable set
+# in its environment, for example::
+#
+#     docker run -e NGINX_UPSTREAM=docker_upstream -d ...
+#
+docker_gen__nginx: True
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__nginx_template [[[
+#
+# Path to the template file used by :command:`docker-gen` to generate :program:`nginx`
+# configuration.
+docker_gen__nginx_template: '{{ docker_gen__templates + "/nginx-upstreams.conf.tmpl" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__nginx_dest [[[
+#
+# Path where :command:`docker-gen` saves the generated :program:`nginx` configuration.
+docker_gen__nginx_dest: '/etc/nginx/conf.d/docker-gen-upstreams.conf'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__nginx_options [[[
+#
+# Additional options added to the :program:`nginx` configuration section in
+# :command:`docker-gen` config file, in YAML text block format.
+docker_gen__nginx_options: |
+  onlyexposed = true
+  watch = true
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__nginx_notify [[[
+#
+# Notify command used by :command:`docker-gen` to reload :program:`nginx`, depending on the
+# init system used.
+docker_gen__nginx_notify: '{{ docker_gen__nginx_notify_map[ansible_service_mgr] }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__nginx_notify_map [[[
+#
+# Dictionary map of commands used to reload :program:`nginx` by :command:`docker-gen`.
+docker_gen__nginx_notify_map:
+  systemd:  'nginx -t && systemctl reload nginx'
+  sysvinit: 'nginx -t && service nginx reload'
+  upstart:  'nginx -t && service nginx reload'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI and certificates [[[
+# ------------------------
+
+# .. envvar:: docker_gen__pki [[[
+#
+# Enable or disable support for PKI certificates managed by ``debops.pki``.
+docker_gen__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__pki_path [[[
+#
+# Directory where PKI files are located on the remote host.
+docker_gen__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki") }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__pki_realm [[[
+#
+# Name of the PKI realm used by :command:`docker-gen`.
+docker_gen__pki_realm: '{{ ansible_local.pki.realm | d("system") }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__pki_ca [[[
+#
+# Name of the Root CA certificate file used by :command:`docker-gen`.
+docker_gen__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__pki_crt [[[
+#
+# Name of the host certificate used by :command:`docker`.
+docker_gen__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: docker_gen__pki_key [[[
+#
+# Name of the private key file used by :command:`docker-gen`.
+docker_gen__pki_key: 'default.key'
+
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/docker_gen/files/usr/local/lib/templates/nginx-upstreams.conf.tmpl b/ansible_collections/debops/debops/roles/docker_gen/files/usr/local/lib/templates/nginx-upstreams.conf.tmpl
new file mode 100644
index 00000000..a6b9df50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/files/usr/local/lib/templates/nginx-upstreams.conf.tmpl
@@ -0,0 +1,43 @@
+{{/* Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+   * Copyright (C) 2015-2016 DebOps <https://debops.org/>
+   * SPDX-License-Identifier: GPL-3.0-only
+   */}}
+# Configuration file generated by docker-gen
+
+{{ range $host, $containers := groupByMulti $ "Env.NGINX_UPSTREAM" "," }}
+upstream {{ $host }} {
+
+{{ range $index, $value := $containers }}
+
+	{{ $addrLen := len $value.Addresses }}
+	{{ $network := index $value.Networks 0 }}
+
+	{{/* If only 1 port exposed, use that */}}
+	{{ if eq $addrLen 1 }}
+		{{ with $address := index $value.Addresses 0 }}
+			# {{$value.Name}}
+			server {{ $network.IP }}:{{ $address.Port }};
+		{{ end }}
+
+	{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var */}}
+	{{ else if $value.Env.VIRTUAL_PORT }}
+		{{ range $i, $address := $value.Addresses }}
+			{{ if eq $address.Port $value.Env.VIRTUAL_PORT }}
+			# {{$value.Name}}
+			server {{ $network.IP }}:{{ $address.Port }};
+			{{ end }}
+		{{ end }}
+
+	{{/* Else default to standard web port 80 */}}
+	{{ else }}
+		{{ range $i, $address := $value.Addresses }}
+			{{ if eq $address.Port "80" }}
+			# {{$value.Name}}
+			server {{ $network.IP }}:{{ $address.Port }};
+			{{ end }}
+		{{ end }}
+	{{ end }}
+{{ end }}
+}
+
+{{ end }}
diff --git a/ansible_collections/debops/debops/roles/docker_gen/meta/main.yml b/ansible_collections/debops/debops/roles/docker_gen/meta/main.yml
new file mode 100644
index 00000000..4eadf8ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage docker-gen, file generator which uses Docker metadata'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cloud
+    - docker
+    - templates
diff --git a/ansible_collections/debops/debops/roles/docker_gen/meta/watch-docker-gen b/ansible_collections/debops/debops/roles/docker_gen/meta/watch-docker-gen
new file mode 100644
index 00000000..545a5fe2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/meta/watch-docker-gen
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: docker_gen
+# Package: docker-gen
+# Version: 0.7.4
+
+version=4
+https://github.com/jwilder/docker-gen/tags .*/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/docker_gen/tasks/main.yml b/ansible_collections/debops/debops/roles/docker_gen/tasks/main.yml
new file mode 100644
index 00000000..94e910ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop:
+    - '{{ docker_gen__src }}'
+    - '{{ docker_gen__lib }}'
+    - '{{ docker_gen__templates }}'
+    - '{{ ((docker_gen__nginx_dest | dirname)
+           if (docker_gen__nginx | d() and docker_gen__nginx)
+           else []) }}'
+
+- name: Download docker-gen sources
+  ansible.builtin.get_url:
+    url: '{{ docker_gen__release }}'
+    dest: '{{ docker_gen__src + "/" + docker_gen__release | basename }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Unpack docker-gen
+  ansible.builtin.unarchive:
+    src: '{{ docker_gen__src + "/" + docker_gen__release | basename }}'
+    dest: '{{ docker_gen__lib }}'
+    copy: False
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rwX,g=rX,o=rX'
+  register: docker_gen__register_install
+
+- name: Copy docker-gen templates to remote host
+  ansible.builtin.copy:
+    src: 'usr/local/lib/templates/'
+    dest: '{{ docker_gen__templates + "/" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart docker-gen' ]
+
+- name: Configure docker-gen
+  ansible.builtin.template:
+    src: 'etc/docker-gen.conf.j2'
+    dest: '/etc/docker-gen.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart docker-gen' ]
+
+- name: Configure docker-gen service options
+  ansible.builtin.template:
+    src: 'etc/default/docker-gen.j2'
+    dest: '/etc/default/docker-gen'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart docker-gen' ]
+
+- name: Configure docker-gen init script
+  ansible.builtin.template:
+    src: 'etc/init.d/docker-gen.j2'
+    dest: '/etc/init.d/docker-gen'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Reload service manager', 'Restart docker-gen' ]
+  when: ansible_service_mgr != 'systemd'
+
+- name: Configure docker-gen systemd service
+  ansible.builtin.template:
+    src: 'etc/systemd/system/docker-gen.service.j2'
+    dest: '/etc/systemd/system/docker-gen.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: docker_gen__register_service
+  notify: [ 'Reload service manager', 'Restart docker-gen' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Reload systemd daemons
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Start docker-gen on install
+  ansible.builtin.service:  # noqa no-handler
+    name: 'docker-gen'
+    state: 'started'
+    enabled: True
+  when: docker_gen__register_install | d() and
+        docker_gen__register_install is changed
diff --git a/ansible_collections/debops/debops/roles/docker_gen/templates/etc/default/docker-gen.j2 b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/default/docker-gen.j2
new file mode 100644
index 00000000..49fa2e13
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/default/docker-gen.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# docker-gen Upstart and SysVinit configuration file
+
+# Customize location of docker-gen binary
+DOCKER_GEN="{{ docker_gen__lib }}/docker-gen"
+
+# docker-gen options
+{% set docker_gen__tpl_options = [] %}
+{% if (docker_gen__remote | bool and docker_gen__remote_host | d()) %}
+{%   set _ = docker_gen__tpl_options.append("--endpoint " + docker_gen__remote_endpoint) %}
+{% if docker_gen__pki | d() and docker_gen__pki | bool %}
+{%   set _ = docker_gen__tpl_options.append("--tlsverify") %}
+{%   set _ = docker_gen__tpl_options.append("--tlscacert " + docker_gen__pki_path + "/" + docker_gen__pki_realm + "/" + docker_gen__pki_ca) %}
+{%   set _ = docker_gen__tpl_options.append("--tlscert " + docker_gen__pki_path + "/" + docker_gen__pki_realm + "/" + docker_gen__pki_crt) %}
+{%   set _ = docker_gen__tpl_options.append("--tlskey " + docker_gen__pki_path + "/" + docker_gen__pki_realm + "/" + docker_gen__pki_key) %}
+{% endif %}
+{% endif %}
+DOCKER_GEN__OPTIONS="{{ docker_gen__tpl_options | join(' ') }}"
diff --git a/ansible_collections/debops/debops/roles/docker_gen/templates/etc/docker-gen.conf.j2 b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/docker-gen.conf.j2
new file mode 100644
index 00000000..433e728f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/docker-gen.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if docker_gen__nginx | d() and docker_gen__nginx %}
+# nginx configuration
+[[config]]
+template = "{{ docker_gen__nginx_template }}"
+dest = "{{ docker_gen__nginx_dest }}"
+notifycmd = "{{ docker_gen__nginx_notify }}"
+{% if docker_gen__nginx_options | d() and docker_gen__nginx_options %}
+{{ docker_gen__nginx_options }}
+{% endif %}
+
+{% endif %}
+{% if docker_gen__config | d() and docker_gen__config %}
+{{ docker_gen__config }}
+
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/docker_gen/templates/etc/init.d/docker-gen.j2 b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/init.d/docker-gen.j2
new file mode 100644
index 00000000..2f93e934
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/init.d/docker-gen.j2
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+set -e
+
+### BEGIN INIT INFO
+# Provides:           docker-gen
+# Required-Start:     $syslog $remote_fs
+# Required-Stop:      $syslog $remote_fs
+# Default-Start:      2 3 4 5
+# Default-Stop:       0 1 6
+# Short-Description:  Generate configuration files from Docker meta-data
+# Description:
+#  docker-gen is a daemon which connects to specified Docker instance and using
+#  Docker API can generate configuration files for other services using
+#  templates.
+### END INIT INFO
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+BASE="$(basename "$0")"
+
+# modify these in /etc/default/$BASE (/etc/default/docker-gen)
+DOCKER_GEN=/usr/bin/$BASE
+
+# This is the pid file created/managed by start-stop-daemon
+DOCKER_GEN__SSD_PIDFILE=/var/run/$BASE.pid
+DOCKER_GEN__LOGFILE=/var/log/$BASE.log
+DOCKER_GEN__CONFIG=/etc/$BASE.conf
+DOCKER_GEN__OPTIONS=
+DOCKER_GEN__DESC="docker-gen"
+
+# Get lsb functions
+# shellcheck disable=SC1091
+. /lib/lsb/init-functions
+
+if [ -f "/etc/default/$BASE" ]; then
+	# shellcheck disable=SC1090
+	. "/etc/default/$BASE"
+fi
+
+# Check docker-gen is present
+if [ ! -x "$DOCKER_GEN" ]; then
+	log_failure_msg "$DOCKER_GEN not present or not executable"
+	exit 1
+fi
+
+fail_unless_root() {
+	if [ "$(id -u)" != '0' ]; then
+		log_failure_msg "$DOCKER_GEN__DESC must be run as root"
+		exit 1
+	fi
+}
+
+case "$1" in
+	start)
+		fail_unless_root
+
+		touch "$DOCKER_GEN__LOGFILE"
+
+		# shellcheck disable=SC2039
+		ulimit -n 1048576
+		if [ "$BASH" ]; then
+			# shellcheck disable=SC2039
+			ulimit -u 1048576
+		else
+			# shellcheck disable=SC2039
+			ulimit -p 1048576
+		fi
+
+		log_begin_msg "Starting $DOCKER_GEN__DESC: $BASE"
+		start-stop-daemon --start --background \
+			--no-close \
+			--exec "$DOCKER_GEN" \
+			--pidfile "$DOCKER_GEN__SSD_PIDFILE" \
+			--make-pidfile \
+			-- \
+				"$DOCKER_GEN__OPTIONS" -config="$DOCKER_GEN__CONFIG" \
+					>> "$DOCKER_GEN__LOGFILE" 2>&1
+		log_end_msg $?
+		;;
+
+	stop)
+		fail_unless_root
+		log_begin_msg "Stopping $DOCKER_GEN__DESC: $BASE"
+		start-stop-daemon --stop --pidfile "$DOCKER_GEN__SSD_PIDFILE"
+		log_end_msg $?
+		;;
+
+	restart)
+		fail_unless_root
+		docker_gen__pid="$(cat "$DOCKER_GEN__SSD_PIDFILE" 2>/dev/null)"
+		[ -n "$docker_gen__pid" ] \
+			&& ps -p "$docker_gen__pid" > /dev/null 2>&1 \
+			&& $0 stop
+		$0 start
+		;;
+
+	force-reload)
+		fail_unless_root
+		$0 restart
+		;;
+
+	status)
+		status_of_proc -p "$DOCKER_GEN__SSD_PIDFILE" "$DOCKER_GEN" "$DOCKER_GEN__DESC"
+		;;
+
+	*)
+		echo "Usage: service docker-gen {start|stop|restart|status}"
+		exit 1
+		;;
+esac
diff --git a/ansible_collections/debops/debops/roles/docker_gen/templates/etc/systemd/system/docker-gen.service.j2 b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/systemd/system/docker-gen.service.j2
new file mode 100644
index 00000000..7e3b9cf2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_gen/templates/etc/systemd/system/docker-gen.service.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Docker meta-data file generator
+Documentation=https://github.com/jwilder/docker-gen
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/docker-gen
+ExecStart={{ docker_gen__lib }}/docker-gen $DOCKER_GEN__OPTIONS -config=/etc/docker-gen.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/docker_registry/COPYRIGHT b/ansible_collections/debops/debops/roles/docker_registry/COPYRIGHT
new file mode 100644
index 00000000..01323374
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.docker_registry - Manage Docker Registry service using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/docker_registry/defaults/main.yml b/ansible_collections/debops/debops/roles/docker_registry/defaults/main.yml
new file mode 100644
index 00000000..22af2480
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/defaults/main.yml
@@ -0,0 +1,674 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C)      2020 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2019-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _docker_registry__ref_defaults:
+
+# debops.docker_registry default variables
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: docker_registry__base_packages [[[
+#
+# List of APT packages required for Docker Registry service.
+docker_registry__base_packages: '{{ ["docker-registry"]
+                                    if (not docker_registry__upstream | bool)
+                                    else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__packages [[[
+#
+# List of additional APT packages to install with Docker Registry.
+docker_registry__packages: []
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__version [[[
+#
+# The version of the installed Docker Registry. This variable is defined
+# automatically by the Ansible local facts and doesn't have to be set manually.
+# You can use this variable in conditional configuration.
+docker_registry__version: '{{ ansible_local.docker_registry.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: docker_registry__user [[[
+#
+# Name of the UNIX account which will be used by the Docker Registry service.
+docker_registry__user: 'docker-registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__group [[[
+#
+# Name of the UNIX group which will be used as the primary group of the Docker
+# Registry service.
+docker_registry__group: 'docker-registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__additional_groups [[[
+#
+# List of additional UNIX groups to which the Docker Registry UNIX account
+# should belong.
+docker_registry__additional_groups:
+  - '{{ ansible_local.redis_server.auth_group | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__home [[[
+#
+# Path of the UNIX home directory of the Docker Registry service. This is the
+# default path used by the Debian ``docker-registry`` APT package.
+docker_registry__home: '/var/lib/docker-registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__comment [[[
+#
+# The GECOS field of the Docker Registry UNIX account.
+docker_registry__comment: 'Docker Registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__shell [[[
+#
+# The default shell used by the Docker Registry UNIX account.
+docker_registry__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker Registry upstream installation [[[
+# -----------------------------------------
+
+# .. envvar:: docker_registry__distribution_release [[[
+#
+# This variable defines the OS release used to determine if an upstream Docker
+# Registry needs to be installed.
+docker_registry__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__upstream [[[
+#
+# Enable or disable installation of the :command:`docker-registry` command from
+# the upstream :command:`git` repository.
+docker_registry__upstream: '{{ True
+                               if (docker_registry__distribution_release in
+                                   ["stretch", "trusty", "xenial"])
+                               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__src [[[
+#
+# Path where source repositories will be stored.
+docker_registry__src: '{{ docker_registry__home + "/src" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__gopath [[[
+#
+# Path where Go package builds and cache will be stored.
+docker_registry__gopath: '{{ docker_registry__home + "/go" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__git_dest [[[
+#
+# Path where the Docker Registry upstream repository will be checked out.
+docker_registry__git_dest: '{{ docker_registry__gopath + "/src/"
+                               + docker_registry__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__git_dir [[[
+#
+# Path where the Docker Registry :file:`.git/` directory will be stored.
+docker_registry__git_dir: '{{ docker_registry__src + "/" + docker_registry__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__git_gpg_key [[[
+#
+# The fingerprint of the GPG key used to sign Docker Registry upstream
+# releases.
+docker_registry__git_gpg_key: '8C7A 111C 2110 5794 B0E8  A27B F58C 5D0A 4405 ACDB'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__git_repo [[[
+#
+# The URL of the upstream Docker Registry :command:`git` repository.
+docker_registry__git_repo: 'https://github.com/docker/distribution'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__git_version [[[
+#
+# The branch/tag of the Docker Registry :command:`git` repository to check out.
+docker_registry__git_version: 'v2.7.1'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__binary [[[
+#
+# The absolute path where the Docker Registry upstream binary will be installed
+# to; alternatively, the path of the Docker Registry binary installed by the
+# APT package.
+docker_registry__binary: '{{ "/usr/local/bin/docker-registry"
+                             if docker_registry__upstream | bool
+                             else "/usr/bin/docker-registry" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Web server configuration [[[
+# ----------------------------
+
+# .. envvar:: docker_registry__fqdn [[[
+#
+# The Fully Qualified Domain Name of the Docker Registry service.
+docker_registry__fqdn: 'registry.{{ docker_registry__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__domain [[[
+#
+# The DNS domain used as a base for the Docker Registry FQDN address.
+docker_registry__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__backend_port [[[
+#
+# The TCP port on which the Docker Registry backend service listens for
+# connections.
+docker_registry__backend_port: '5070'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Docker Registry service by the webserver. If this list is empty, anybody can
+# connect and access the service.
+docker_registry__allow: []
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__max_upload_size [[[
+#
+# Specify maximum size of an upload allowed by the webserver. If set to ``0``,
+# the maximum limit is disabled.
+docker_registry__max_upload_size: '4G'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__basic_auth [[[
+#
+# Enable or disable HTTP Basic Authentication in the webserver frontend. If the
+# GitLab Container Registry integration is enabled, the internal HTTP Basic
+# Auth is disabled.
+docker_registry__basic_auth: '{{ False
+                                 if docker_registry__token_enabled | bool
+                                 else True }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__basic_auth_realm [[[
+#
+# The HTTP Basic Auth realm used by Docker Registry service.
+docker_registry__basic_auth_realm: 'Docker Registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__basic_auth_name [[[
+#
+# Name of the :command:`htpasswd` file stored in the
+# :file:`/etc/nginx/private/` directory which contains HTTP Basic Auth
+# credentials.
+docker_registry__basic_auth_name: 'docker-registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__basic_auth_users [[[
+#
+# List of user accounts which will be allowed access to the Docker Registry
+# service via HTTP Basic Auth. The passwords will be automatically generated by
+# the :ref:`debops.nginx` role and stored in the :file:`secret/` directory on
+# Ansible Controller. See :ref:`debops.secret` role for more details.
+docker_registry__basic_auth_users: '{{ ansible_local.core.admin_users | d([]) }}'
+                                                                   # ]]]
+# .. envvar:: docker_registry__basic_auth_except_get [[[
+#
+# If ``True`` then GET requests will not require authentication.
+# Even with successful authentication, Docker images can only be pushed to a
+# path that includes the machines hostname thus having some audit chain to the
+# build server that build the image.
+docker_registry__basic_auth_except_get: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Filesystem storage configuration [[[
+# ------------------------------------
+
+# .. envvar:: docker_registry__storage_dir [[[
+#
+# Absolute path of the local filesystem storage directory used by the Docker
+# Registry service.
+docker_registry__storage_dir: '{{ (ansible_local.fhs.data | d("/srv"))
+                                  + "/" + docker_registry__user + "/storage" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__storage_mode [[[
+#
+# The UNIX permissions of the local filesystem storage directory.
+docker_registry__storage_mode: '0755'
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Server integration [[[
+# ----------------------------
+
+# .. envvar:: docker_registry__redis_enabled [[[
+#
+# Enable or disable support for Redis Server cache.
+docker_registry__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__redis_host [[[
+#
+# The FQDN address of the Redis Server instance to use by Docker Registry.
+docker_registry__redis_host: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__redis_port [[[
+#
+# The TCP port of the Redis Server instance which should be used by Docker
+# Registry.
+docker_registry__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__redis_password [[[
+#
+# The password of the Redis Server instance which should be used by Docker
+# Registry.
+docker_registry__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__redis_db [[[
+#
+# The Redis Server database ID to use by the Docker Registry.
+docker_registry__redis_db: 0
+                                                                   # ]]]
+                                                                   # ]]]
+# Token-based authentication [[[
+# ------------------------------
+
+# The Docker Registry supports token-based authentication, which allows
+# external services to authenticate Docker clients to the Registry.
+
+# .. envvar:; docker_registry__token_provider [[[
+#
+# By default GitLab is used as an authentication service, but other roles that
+# implement the needed Ansible local facts can be used as well. Specify the
+# role name in this variable to use its facts as a data source.
+docker_registry__token_provider: 'gitlab'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_enabled [[[
+#
+# Enable or disable support for token-based authentication.
+docker_registry__token_enabled: '{{ True
+                                    if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                        (ansible_local[docker_registry__token_provider].registry | d()) | bool)
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_fqdn [[[
+#
+# The Fully Qualified Domain Name of the authentication service website. This
+# will be used to redirect HTTP clients that open the main page of Docker
+# Registry to point them to an useful user interface instead.
+docker_registry__token_fqdn: '{{ ansible_local[docker_registry__token_provider].fqdn
+                                 if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                     ansible_local[docker_registry__token_provider].fqdn | d())
+                                 else ("code." + docker_registry__domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_realm_url [[[
+#
+# The URL of the authentication service API endpoint, passed to the Docker
+# clients. The clients can use this URL to request signed authentication tokens
+# from the authentication service.
+docker_registry__token_realm_url: '{{ ansible_local[docker_registry__token_provider].registry_token_realm_url
+                                      if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                          ansible_local[docker_registry__token_provider].registry_token_realm_url | d())
+                                      else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_issuer [[[
+#
+# The authentication service token issuer string, included in the issued
+# tokens. This value needs to be the same in the authentication service
+# configuration file.
+docker_registry__token_issuer: '{{ ansible_local[docker_registry__token_provider].registry_token_issuer
+                                   if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                       ansible_local[docker_registry__token_provider].registry_token_issuer | d())
+                                   else "" }}'
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_service [[[
+#
+# Name of the authentication service in Docker Registry, used in the URLs
+# passed to the authentication source API endpoint.
+docker_registry__token_service: '{{ ansible_local[docker_registry__token_provider].registry_token_service
+                                    if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                        ansible_local[docker_registry__token_provider].registry_token_service | d())
+                                    else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_pki_path [[[
+#
+# The absolute path to the root of the PKI infrastructure, managed by the
+# :ref:`debops.pki` Ansible role.
+docker_registry__token_pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_pki_realm [[[
+#
+# Name of the PKI realm used by the authentication service to sign the
+# authentication tokens that provide access to the Docker Registry.
+docker_registry__token_pki_realm: '{{ ansible_local[docker_registry__token_provider].registry_pki_realm
+                                      if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
+                                          ansible_local[docker_registry__token_provider].registry_pki_realm | d())
+                                      else "domain" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_pki_crt [[[
+#
+# The name of the file in the PKI realm which contains the X.509 certificate.
+docker_registry__token_pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__token_certificate [[[
+#
+# Absolute path of the file which contains the X.509 certificate that can be
+# used by Docker Registry to authenticate the tokens signed by the
+# authentication service, sent by the Docker clients.
+docker_registry__token_certificate: '{{ docker_registry__token_pki_path + "/"
+                                        + docker_registry__token_pki_realm + "/"
+                                        + docker_registry__token_pki_crt }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker Registry configuration [[[
+# ---------------------------------
+
+# The variables below define configuration of the Docker Registry service.
+# See :ref:`docker_registry__ref_config` for more details.
+
+# .. envvar:: docker_registry__config_file [[[
+#
+# Absolute path of the Docker Registry configuration file.
+docker_registry__config_file: '/etc/docker/registry/config.yml'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__original_config [[[
+#
+# The original configuration of the Docker Registry service.
+# Based on: https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml
+docker_registry__original_config:
+
+  - name: 'original-config'
+    config:
+      version: '0.1'
+      log:
+        fields:
+          service: 'registry'
+      storage:
+        cache:
+          blobdescriptor: 'inmemory'
+      http:
+        addr: ':5000'
+        headers:
+          'X-Content-Type-Options': [ 'nosniff' ]
+      health:
+        storagedriver:
+          enabled: True
+          interval: '10s'
+          threshold: 3
+
+  - name: 'original-storage'
+    config:
+      storage:
+        filesystem:
+          rootdirectory: '/var/lib/registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__default_config [[[
+#
+# Default configuration for Docker Registry defined by the role.
+docker_registry__default_config:
+
+  - name: 'default-http'
+    config:
+      http:
+        addr: '127.0.0.1:{{ docker_registry__backend_port }}'
+
+  - name: 'original-storage'
+    state: 'absent'
+
+  - name: 'default-storage'
+    config:
+      storage:
+        filesystem:
+          rootdirectory: '{{ docker_registry__storage_dir }}'
+        delete:
+          enabled: True
+
+  - name: 'default-redis'
+    state: '{{ "present" if docker_registry__redis_enabled | bool else "absent" }}'
+    config:
+      redis:
+        addr: '{{ docker_registry__redis_host + ":" + docker_registry__redis_port }}'
+        password: '{{ docker_registry__redis_password }}'
+        db: '{{ docker_registry__redis_db }}'
+      storage:
+        cache:
+          blobdescriptor: 'redis'
+
+  - name: 'default-token'
+    state: '{{ "present" if docker_registry__token_enabled | bool else "absent" }}'
+    config:
+      auth:
+        token:
+          realm: '{{ docker_registry__token_realm_url }}'
+          issuer: '{{ docker_registry__token_issuer }}'
+          service: '{{ docker_registry__token_service }}'
+          rootcertbundle: '{{ docker_registry__token_certificate }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__config [[[
+#
+# The Docker Registry configuration defined on all hosts in the Ansible
+# inventory.
+docker_registry__config: []
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__group_config [[[
+#
+# The Docker Registry configuration defined on hosts in a specific Ansible
+# inventory group.
+docker_registry__group_config: []
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__host_config [[[
+#
+# The Docker Registry configuration defined on specific hosts in the Ansible
+# inventory.
+docker_registry__host_config: []
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__combined_config [[[
+#
+# The variable which combines all of the other Docker Registry configuration
+# variables and is used in the configuration template.
+docker_registry__combined_config: '{{ docker_registry__original_config
+                                      + docker_registry__default_config
+                                      + docker_registry__config
+                                      + docker_registry__group_config
+                                      + docker_registry__host_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Garbage collector configuration [[[
+# -----------------------------------
+
+# .. envvar:: docker_registry__garbage_collector_enabled [[[
+#
+# Enable or disable support for Docker Registry garbage collector script.
+docker_registry__garbage_collector_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__garbage_collector_interval [[[
+#
+# Specify the interval in which the Docker Registry UNIX account will perform
+# garbage collection using a :command:`cron` script. Supported intervals:
+# ``hourly``, ``daily``, ``weekly``, ``monthly``.
+docker_registry__garbage_collector_interval: 'daily'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: docker_registry__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+docker_registry__etc_services__dependent_list:
+
+  - name: 'docker-registry'
+    port: '{{ docker_registry__backend_port }}'
+    comment: 'Docker Registry'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+docker_registry__keyring__dependent_gpg_keys:
+
+  - user: '{{ docker_registry__user }}'
+    group: '{{ docker_registry__group }}'
+    home: '{{ docker_registry__home }}'
+    id: '{{ docker_registry__git_gpg_key }}'
+    state: '{{ "present" if docker_registry__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+docker_registry__python__dependent_packages3:
+
+  - 'python3-yaml'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+docker_registry__python__dependent_packages2:
+
+  - 'python-yaml'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__nginx__dependent_maps [[[
+#
+# Map configuration for the :ref:`debops.nginx` Ansible role.
+docker_registry__nginx__dependent_maps:
+
+  - name: 'docker_registry_headers'
+    map: '$upstream_http_docker_distribution_api_version $docker_distribution_api_version'
+    mapping: |
+      ''     'registry/2.0';
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+docker_registry__nginx__dependent_upstreams:
+
+  - name: 'docker-registry'
+    server: '127.0.0.1:{{ docker_registry__backend_port }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__nginx__dependent_htpasswd [[[
+#
+# HTTP Basic Auth password configuration for the :ref:`debops.nginx` Ansible
+# role.
+docker_registry__nginx__dependent_htpasswd:
+  name: '{{ docker_registry__basic_auth_name }}'
+  users: '{{ docker_registry__basic_auth_users }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_registry__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+docker_registry__nginx__dependent_servers:
+
+  - name: '{{ docker_registry__fqdn }}'
+    filename: 'debops.docker_registry'
+    allow: '{{ docker_registry__allow }}'
+    auth_basic: '{{ False
+                    if (docker_registry__basic_auth_except_get | bool)
+                    else (docker_registry__basic_auth | bool) }}'
+    auth_basic_realm: '{{ docker_registry__basic_auth_realm }}'
+    auth_basic_name: '{{ docker_registry__basic_auth_name }}'
+
+    options: |
+      client_max_body_size {{ docker_registry__max_upload_size }};
+
+      # required to avoid error HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+      chunked_transfer_encoding on;
+
+    location_list:
+
+      - pattern: '/'
+        options: |
+          {% if docker_registry__token_enabled | bool %}
+          return 307 $scheme://{{ docker_registry__token_fqdn }}/;
+          {% else %}
+          return 307 /v2/;
+          {% endif %}
+
+      - pattern: '/v2/'
+        options: |  # noqa jinja[spacing]
+          # Do not allow connections from docker 1.5 and earlier
+          # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+          if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+            return 404;
+          }
+
+          {% if docker_registry__basic_auth_except_get | bool %}
+          set $auth_basic "{{ docker_registry__basic_auth_realm }}";
+          if ($request_method ~* "^(GET|HEAD)$") {
+              set $auth_basic "off";
+          }
+          if ($force_authentication) {
+              set $auth_basic "{{ docker_registry__basic_auth_realm }}";
+          }
+          auth_basic $auth_basic;
+          auth_basic_user_file {{ nginx_private_path + "/" + docker_registry__basic_auth_name }};
+
+          set $auth_status "deny";
+          if ($request_uri ~* "^/v2/([^/]+)/") {
+              set $user_path $1;
+          }
+          if ($remote_user = $user_path) {
+              set $auth_status "grant";
+          }
+          if ($request_method ~* "^(GET|HEAD)$") {
+              set $auth_status "grant";
+          }
+          if ($auth_status != "grant") {
+              return 401;
+          }
+          {% endif %}
+
+          # If $docker_distribution_api_version is empty, the header will not be added.
+          # See the map directive above where this variable is defined.
+          add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+          proxy_pass http://docker-registry;
+          proxy_set_header Host              $http_host;
+          proxy_set_header X-Real-IP         $remote_addr;
+          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Host  $server_name;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_read_timeout 900;
+        state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/docker_registry/meta/main.yml b/ansible_collections/debops/debops/roles/docker_registry/meta/main.yml
new file mode 100644
index 00000000..2f4676a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage Docker Registry service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - docker
+    - containers
+    - registry
+    - packaging
diff --git a/ansible_collections/debops/debops/roles/docker_registry/meta/watch-docker-registry b/ansible_collections/debops/debops/roles/docker_registry/meta/watch-docker-registry
new file mode 100644
index 00000000..74d8245d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/meta/watch-docker-registry
@@ -0,0 +1,10 @@
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: docker_registry
+# Package: docker-registry
+# Version: 2.7.1
+
+version=3
+https://github.com/docker/distribution/tags .*/v?(\d\S*)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/docker_registry/tasks/main.yml b/ansible_collections/debops/debops/roles/docker_registry/tasks/main.yml
new file mode 100644
index 00000000..244b3fe3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/tasks/main.yml
@@ -0,0 +1,176 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (docker_registry__base_packages
+               + docker_registry__packages) | flatten }}'
+    state: 'present'
+  register: docker_registry__register_packages
+  until: docker_registry__register_packages is succeeded
+
+- name: Divert the original docker-registry config file
+  debops.debops.dpkg_divert:
+    path: '/etc/docker/registry/config.yml'
+  notify: [ 'Restart docker-registry' ]
+
+- name: Create Docker Registry UNIX group
+  ansible.builtin.group:
+    name: '{{ docker_registry__group }}'
+    state: 'present'
+    system: True
+
+- name: Create Docker Registry UNIX account
+  ansible.builtin.user:
+    name: '{{ docker_registry__user }}'
+    group: '{{ docker_registry__group }}'
+    groups: '{{ docker_registry__additional_groups | flatten }}'
+    home: '{{ docker_registry__home }}'
+    comment: '{{ docker_registry__comment }}'
+    shell: '{{ docker_registry__shell }}'
+    state: 'present'
+    system: True
+
+- name: Create required directories
+  ansible.builtin.file:
+    name: '{{ item.path }}'
+    state: 'directory'
+    owner: '{{ item.owner | d(omit) }}'
+    group: '{{ item.group | d(omit) }}'
+    mode: '{{ item.mode }}'
+  with_items:
+
+    - path: '{{ docker_registry__config_file | dirname }}'
+      mode: '0755'
+
+    - path: '{{ docker_registry__storage_dir | dirname }}'
+      mode: '0755'
+
+    - path: '{{ docker_registry__storage_dir }}'
+      owner: '{{ docker_registry__user }}'
+      group: '{{ docker_registry__group }}'
+      mode: '{{ docker_registry__storage_mode }}'
+
+- name: Build Docker Registry from upstream
+  become: True
+  become_user: '{{ docker_registry__user }}'
+  when: docker_registry__upstream | bool
+  block:
+
+    - name: Create required build directories
+      ansible.builtin.file:
+        name: '{{ item.path }}'
+        state: 'directory'
+        mode: '{{ item.mode }}'
+      with_items:
+
+        - path: '{{ docker_registry__src }}'
+          mode: '0755'
+
+        - path: '{{ docker_registry__git_dir | dirname }}'
+          mode: '0755'
+
+    - name: Clone Docker Registry source code
+      ansible.builtin.git:
+        repo: '{{ docker_registry__git_repo }}'
+        dest: '{{ docker_registry__git_dest }}'
+        version: '{{ docker_registry__git_version }}'
+        separate_git_dir: '{{ docker_registry__git_dir }}'
+        verify_commit: True
+      register: docker_registry__register_source
+
+    - name: Build Docker Registry binaries
+      environment:  # noqa no-handler
+        GOPATH: '{{ docker_registry__gopath }}'
+        GOCACHE: '{{ docker_registry__gopath + "/cache" }}'
+      ansible.builtin.command: 'make clean binaries'
+      args:
+        chdir: '{{ docker_registry__git_dest }}'
+      when: docker_registry__register_source is changed
+      register: docker_registry__register_build
+      changed_when: docker_registry__register_build.changed | bool
+
+- name: Install Docker Registry binary
+  ansible.builtin.copy:  # noqa no-handler
+    src: '{{ docker_registry__git_dest + "/bin/registry" }}'
+    dest: '/usr/local/bin/docker-registry'
+    remote_src: True
+    mode: '0755'
+  notify: [ 'Restart docker-registry' ]
+  when: docker_registry__upstream | bool and
+        docker_registry__register_build is changed
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Docker Registry local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/docker_registry.fact.j2'
+    dest: '/etc/ansible/facts.d/docker_registry.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate Docker Registry configuration
+  ansible.builtin.template:
+    src: 'etc/docker/registry/config.yml.j2'
+    dest: '{{ docker_registry__config_file }}'
+    owner: '{{ docker_registry__user }}'
+    group: '{{ docker_registry__group }}'
+    mode: '0600'
+  notify: [ 'Restart docker-registry' ]
+  register: docker_registry__register_config
+
+- name: Generate Docker Registry systemd unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/docker-registry.service.j2'
+    dest: '/etc/systemd/system/docker-registry.service'
+    mode: '0644'
+  register: docker_registry__register_systemd
+
+- name: Enable Docker Registry service
+  ansible.builtin.systemd:
+    name: 'docker-registry'
+    daemon_reload: '{{ True if docker_registry__register_systemd is changed else omit }}'
+    enabled: True
+
+- name: Install garbage collector script
+  ansible.builtin.template:
+    src: '{{ item.path }}.j2'
+    dest: '/{{ item.path }}'
+    mode: '{{ item.mode }}'
+  loop:
+    - { path: 'usr/local/bin/docker-registry-gc', mode: '0755' }
+    - { path: 'etc/sudoers.d/docker-registry-gc', mode: '0440' }
+  when: docker_registry__garbage_collector_enabled | bool
+
+- name: Configure garbage collection in cron
+  ansible.builtin.cron:
+    name: 'Perform garbage collection in Docker Registry'
+    cron_file: 'docker-registry-gc'
+    user: '{{ docker_registry__user }}'
+    job: '/usr/local/bin/docker-registry-gc'
+    special_time: '{{ docker_registry__garbage_collector_interval }}'
+    state: '{{ "present"
+               if docker_registry__garbage_collector_enabled | bool
+               else "absent" }}'
diff --git a/ansible_collections/debops/debops/roles/docker_registry/templates/etc/ansible/facts.d/docker_registry.fact.j2 b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/ansible/facts.d/docker_registry.fact.j2
new file mode 100644
index 00000000..9be8b6c8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/ansible/facts.d/docker_registry.fact.j2
@@ -0,0 +1,55 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from yaml import load
+from sys import exit
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+config_file = loads('''{{ docker_registry__config_file | to_nice_json }}''')
+
+output = loads('''{{ {"host_fqdn": docker_registry__fqdn,
+                      "host_port": 443} | to_nice_json }}''')
+
+output['installed'] = cmd_exists('docker-registry')
+
+try:
+    output['version'] = subprocess.check_output(
+            ['docker-registry', '-v']).strip('\n') \
+                                      .split()[2] \
+                                      .split('+')[0] \
+                                      .lstrip('v')
+
+except Exception:
+    pass
+
+try:
+    with open(config_file, 'r') as f:
+        config = load(f)
+        output['api_url'] = ('http://' + config.get('http').get('addr') + '/')
+        if config.get('storage').get('filesystem'):
+            output['storage_type'] = 'filesystem'
+            output['storage_path'] = config.get('storage') \
+                                           .get('filesystem') \
+                                           .get('rootdirectory')
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/docker_registry/templates/etc/docker/registry/config.yml.j2 b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/docker/registry/config.yml.j2
new file mode 100644
index 00000000..7a640536
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/docker/registry/config.yml.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set docker_registry__tpl_config = {} %}
+{% for element in docker_registry__combined_config | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.config | d() %}
+{%     set combined_config = docker_registry__tpl_config | combine(element.config, recursive=True) %}
+{%     set _ = docker_registry__tpl_config.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{{ docker_registry__tpl_config | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/docker_registry/templates/etc/sudoers.d/docker-registry-gc.j2 b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/sudoers.d/docker-registry-gc.j2
new file mode 100644
index 00000000..b01ca05c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/sudoers.d/docker-registry-gc.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Allow the '{{ docker_registry__user }}' UNIX account to stop and start the
+# Docker Registry service. This is required to correctly perform the garbage
+# collection using a cron script.
+
+Cmnd_Alias DOCKER_REGISTRY_STOP    = /bin/systemctl stop docker-registry.service
+Cmnd_Alias DOCKER_REGISTRY_START   = /bin/systemctl start docker-registry.service
+Cmnd_Alias DOCKER_REGISTRY_RESTART = /bin/systemctl restart docker-registry.service
+Cmnd_Alias DOCKER_REGISTRY_RELOAD  = /bin/systemctl reload docker-registry.service
+Cmnd_Alias DOCKER_REGISTRY_STATUS  = /bin/systemctl status docker-registry.service
+
+{{ docker_registry__user }} ALL = (root) NOPASSWD: DOCKER_REGISTRY_STOP
+{{ docker_registry__user }} ALL = (root) NOPASSWD: DOCKER_REGISTRY_START
+{{ docker_registry__user }} ALL = (root) NOPASSWD: DOCKER_REGISTRY_RESTART
+{{ docker_registry__user }} ALL = (root) NOPASSWD: DOCKER_REGISTRY_RELOAD
+{{ docker_registry__user }} ALL = (root) NOPASSWD: DOCKER_REGISTRY_STATUS
diff --git a/ansible_collections/debops/debops/roles/docker_registry/templates/etc/systemd/system/docker-registry.service.j2 b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/systemd/system/docker-registry.service.j2
new file mode 100644
index 00000000..d6b7eabe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/templates/etc/systemd/system/docker-registry.service.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Docker Registry service
+ConditionPathExists=/var/lib/docker-registry
+After=network.target network-online.target
+
+[Service]
+Type=simple
+User={{ docker_registry__user }}
+Group={{ docker_registry__group }}
+WorkingDirectory={{ docker_registry__home }}
+ExecStart={{ docker_registry__binary }} serve {{ docker_registry__config_file }}
+Restart=on-failure
+RestartSec=10
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=docker-registry
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/docker_registry/templates/usr/local/bin/docker-registry-gc.j2 b/ansible_collections/debops/debops/roles/docker_registry/templates/usr/local/bin/docker-registry-gc.j2
new file mode 100644
index 00000000..8ceeb99b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_registry/templates/usr/local/bin/docker-registry-gc.j2
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Perform garbage collection in the Docker Registry
+
+
+set -o nounset -o pipefail -o errexit
+
+readonly CONFIG_FILE="{{ docker_registry__config_file }}"
+readonly REGISTRY_BIN="{{ docker_registry__binary }}"
+readonly DELETE_UNTAGGED="{{ '--delete-untagged' if (docker_registry__version is version('2.7.1', '>=')) else '' }}"
+
+# Redis support
+readonly REDIS_ENABLED="{{ docker_registry__redis_enabled | bool | lower }}"
+readonly REDIS_DATABASE="{{ docker_registry__redis_db }}"
+
+if "${REGISTRY_BIN}" garbage-collect "${CONFIG_FILE}" --dry-run 2>/dev/null \
+   | grep --extended-regexp "^blob eligible for deletion" > /dev/null ; then
+    sudo systemctl stop docker-registry.service
+    "${REGISTRY_BIN}" garbage-collect "${CONFIG_FILE}" "${DELETE_UNTAGGED}" > /dev/null 2>&1
+
+    # Flush Redis cache entries related to Docker Registry. Currently it
+    # flushes all cache data, but could be improved later to remove only
+    # specific keys.
+    if [ "${REDIS_ENABLED}" == "true" ] ; then
+        redis-cli -a "$(redis-password)" -n "${REDIS_DATABASE}" --raw keys "blobs::sha256:*" 2>/dev/null \
+            | xargs redis-cli -a "$(redis-password)" -n "${REDIS_DATABASE}" del 1>/dev/null 2>&1
+        redis-cli -a "$(redis-password)" -n "${REDIS_DATABASE}" --raw keys "repository::*::blobs::sha256:*" 2>/dev/null \
+            | xargs redis-cli -a "$(redis-password)" -n "${REDIS_DATABASE}" del 1>/dev/null 2>&1
+    fi
+
+    sudo systemctl start docker-registry.service
+fi
diff --git a/ansible_collections/debops/debops/roles/docker_server/COPYRIGHT b/ansible_collections/debops/debops/roles/docker_server/COPYRIGHT
new file mode 100644
index 00000000..8f05f5ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.docker_server - Manage Docker server using Ansible
+
+Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+Copyright (C) 2015-2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/docker_server/defaults/main.yml b/ansible_collections/debops/debops/roles/docker_server/defaults/main.yml
new file mode 100644
index 00000000..66d5b059
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/defaults/main.yml
@@ -0,0 +1,265 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# .. Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _docker_server__ref_defaults:
+
+# debops.docker_server default variables
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: docker_server__upstream [[[
+#
+# Enable or disable support for upstream APT repository for Docker. The APT
+# repository is managed by the :ref:`debops.extrepo` Ansible role.
+docker_server__upstream: False
+
+                                                                   # ]]]
+# .. envvar:: docker_server__base_packages [[[
+#
+# List of APT packages to install for Docker support.
+docker_server__base_packages:
+  - '{{ ["docker-ce", "docker-compose-plugin"]
+        if docker_server__upstream | bool
+        else ["docker.io", "docker-compose"] }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__packages [[[
+#
+# List of additional APT packages to install with Docker.
+docker_server__packages: []
+
+                                                                   # ]]]
+# .. envvar:: docker_server__version [[[
+#
+# Variable which contains the version of the Docker package installed on
+# a host. This variable is populated automatically via Ansible local facts and
+# shouldn't be set manually. It can be used in the Ansible inventory to augment
+# Docker configuration.
+docker_server__version: '{{ ansible_local.docker_server.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Service integration [[[
+# -----------------------
+
+# .. envvar:: docker_server__ferm_post_hook [[[
+#
+# Docker needs to be restarted on any changes in the firewall configuration to
+# inject its own firewall rules. This boolean variable will tell the role to
+# install the :command:`ferm` hook script when :ref:`debops.ferm` Ansible role
+# is used to control the firewall.
+docker_server__ferm_post_hook: '{{ ansible_local.ferm.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__resolved_integration [[[
+#
+# Enable or disable support for :command:`systemd-resolved` service integration
+# to permit host DNS resolver to resolve queries inside Docker containers.
+docker_server__resolved_integration: '{{ True
+                                         if ((ansible_local.resolved.state | d()) == "enabled")
+                                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__resolved_address [[[
+#
+# IP address on which :command:`systemd-resolved` service will listen for DNS
+# queries. By default it's the ``docker0`` bridge IP address.
+docker_server__resolved_address: '172.17.0.1'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__resolved_networks [[[
+#
+# List of networks in the CIDR format, which will be allowed to send DNS
+# requests to the :command:`systemd-resolved` service through the firewall.
+docker_server__resolved_networks: [ '172.17.0.0/16' ]
+
+                                                                   # ]]]
+# .. envvar:: docker_server__swarm_support [[[
+#
+# If enabled, the :ref:`debops.ferm` role will create firewall rules which
+# permit traffic needed for Docker Swarm cluster.
+docker_server__swarm_support: False
+
+                                                                   # ]]]
+# .. envvar:: docker_server__swarm_networks [[[
+#
+# List of networks in the CIDR format, which will be allowed to send Docker
+# Swarm communication traffic to a given Docker Swarm node.
+docker_server__swarm_networks: [ '{{ ansible_default_ipv4.network
+                                     + "/" + ansible_default_ipv4.prefix }}' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker authentication [[[
+# -------------------------
+
+# .. envvar:: docker_server__admins [[[
+#
+# List of UNIX accounts which should be added to the ``docker`` system group,
+# which allows them the read-write access to the Docker UNIX socket.
+docker_server__admins: '{{ ansible_local.core.admin_users | d([]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker main configuration file [[[
+# ----------------------------------
+
+# These variables define the contents of the :file:`/etc/docker/daemon.json`
+# configuration file. See :ref:`docker_server__ref_configuration` for more
+# details.
+
+# .. envvar:: docker_server__default_configuration [[[
+#
+# List of configuration options defined by default in the role.
+docker_server__default_configuration:
+
+  # Send logs to journald by default
+  - name: 'log-driver'
+    config:
+      'log-driver': 'journald'
+    state: '{{ "present"
+               if ((ansible_local.journald.enabled | d()) | bool)
+               else "ignore" }}'
+
+  # Specify upstream nameservers only if they are not local
+  - name: 'remote-nameservers'
+    config:
+      'dns': '{{ ansible_dns.nameservers }}'
+    state: '{{ "present"
+               if (not ansible_dns.nameservers
+                   | intersect(["127.0.0.1", "127.0.0.53"]))
+               else "ignore" }}'
+
+  # Use host's systemd-resolved to resolve DNS queries
+  - name: 'resolved-nameserver'
+    config:
+      'dns': ['{{ docker_server__resolved_address }}']
+    state: '{{ "present"
+               if (docker_server__resolved_integration | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__configuration [[[
+#
+# List of Docker configuration options defined on all hosts in the Ansible
+# inventory.
+docker_server__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: docker_server__group_configuration [[[
+#
+# List of Docker configuration options defined on hosts in a specific Ansible
+# inventory group.
+docker_server__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: docker_server__host_configuration [[[
+#
+# List of Docker configuration options defined on specific hosts in the Ansible
+# inventory.
+docker_server__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: docker_server__combined_configuration [[[
+#
+# Variable which combines all Docker configuration lists and is used in role
+# tasks and templates.
+docker_server__combined_configuration: '{{ docker_server__default_configuration
+                                           + docker_server__configuration
+                                           + docker_server__group_configuration
+                                           + docker_server__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: docker_server__extrepo__dependent_sources [[[
+#
+# Configuration for the :ref:`debops.extrepo` Ansible role.
+docker_server__extrepo__dependent_sources:
+
+  - name: 'docker-ce'
+    state: '{{ "present"
+               if (docker_server__upstream | bool)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__systemd__dependent_units [[[
+#
+# Configuration for the :ref:`debops.systemd` Ansible role. By default it's
+# empty, see :ref:`docker_server__ref_systemd` documentation for more details.
+docker_server__systemd__dependent_units: []
+
+                                                                   # ]]]
+# .. envvar:: docker_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+docker_server__etc_services__dependent_list:
+
+  - name: 'docker-manager'
+    port: '2377'
+    protocols: [ 'tcp' ]
+    comment: 'Communication with and between Docker manager nodes'
+
+  - name: 'docker-discovery'
+    port: '7946'
+    comment: 'Docker Swarm overlay network node discovery'
+
+  - name: 'docker-overlay'
+    port: '4789'
+    protocols: [ 'udp' ]
+    comment: 'Docker Swarm overlay network traffic'
+
+                                                                   # ]]]
+# .. envvar:: docker_server__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+docker_server__ferm__dependent_rules:
+
+  - name: 'docker_server_resolved_listener'
+    type: 'accept'
+    daddr: '{{ docker_server__resolved_address }}'
+    dport: '53'
+    saddr: '{{ docker_server__resolved_networks }}'
+    protocol: 'udp'
+    rule_state: '{{ "present"
+                    if (docker_server__resolved_integration | bool)
+                    else "absent" }}'
+
+  - name: 'docker_server_swarm_manager'
+    type: 'accept'
+    saddr: '{{ docker_server__swarm_networks }}'
+    dport: 'docker-manager'
+    protocol: 'tcp'
+    rule_state: '{{ "present"
+                    if (docker_server__swarm_support | bool)
+                    else "absent" }}'
+
+  - name: 'docker_server_swarm_discovery'
+    type: 'accept'
+    saddr: '{{ docker_server__swarm_networks }}'
+    dport: 'docker-discovery'
+    protocol: [ 'tcp', 'udp' ]
+    rule_state: '{{ "present"
+                    if (docker_server__swarm_support | bool)
+                    else "absent" }}'
+
+  - name: 'docker_server_swarm_overlay'
+    type: 'accept'
+    saddr: '{{ docker_server__swarm_networks }}'
+    dport: 'docker-overlay'
+    protocol: 'udp'
+    rule_state: '{{ "present"
+                    if (docker_server__swarm_support | bool)
+                    else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/docker_server/meta/main.yml b/ansible_collections/debops/debops/roles/docker_server/meta/main.yml
new file mode 100644
index 00000000..d501e1a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Docker Engine'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - virtualization
+    - cloud
+    - docker
+    - containers
diff --git a/ansible_collections/debops/debops/roles/docker_server/tasks/main.yml b/ansible_collections/debops/debops/roles/docker_server/tasks/main.yml
new file mode 100644
index 00000000..6052a8bd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/tasks/main.yml
@@ -0,0 +1,81 @@
+---
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.apt:
+    name: '{{ (docker_server__base_packages
+               + docker_server__packages) | flatten }}'
+    state: 'present'
+    install_recommends: False
+  notify: [ 'Refresh host facts' ]
+  register: docker_server__register_packages
+  until: docker_server__register_packages is succeeded
+
+- name: Add specified users to 'docker' group
+  ansible.builtin.user:
+    name: '{{ item }}'
+    groups: 'docker'
+    append: True
+  loop: '{{ docker_server__admins }}'
+  tags: [ 'role::docker_server:config', 'role::docker_server:admins' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save docker_server local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/docker_server.fact.j2'
+    dest: '/etc/ansible/facts.d/docker_server.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate Docker configuration file
+  ansible.builtin.template:
+    src: 'etc/docker/daemon.json.j2'
+    dest: '/etc/docker/daemon.json'
+    mode: '0644'
+  notify: [ 'Restart docker' ]
+  tags: [ 'role::docker_server:config' ]
+
+- name: Install ferm post hook
+  ansible.builtin.template:
+    src: 'etc/ferm/hooks/post.d/restart-docker.j2'
+    dest: '/etc/ferm/hooks/post.d/restart-docker'
+    mode: '0755'
+  when: docker_server__ferm_post_hook | bool
+
+- name: Create resolved.conf.d override directory
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: docker_server__resolved_integration | bool
+
+- name: Remove systemd-resolved integration
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d/docker.conf'
+    state: 'absent'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: not docker_server__resolved_integration | bool
+
+- name: Configure systemd-resolved integration
+  ansible.builtin.template:
+    src: 'etc/systemd/resolved.conf.d/docker.conf.j2'
+    dest: '/etc/systemd/resolved.conf.d/docker.conf'
+    mode: '0644'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: docker_server__resolved_integration | bool
diff --git a/ansible_collections/debops/debops/roles/docker_server/templates/etc/ansible/facts.d/docker_server.fact.j2 b/ansible_collections/debops/debops/roles/docker_server/templates/etc/ansible/facts.d/docker_server.fact.j2
new file mode 100644
index 00000000..95760c06
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/templates/etc/ansible/facts.d/docker_server.fact.j2
@@ -0,0 +1,44 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import os
+import re
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {}
+output['installed'] = cmd_exists('docker')
+
+try:
+    docker_version_stdout = subprocess.check_output(
+            ["docker", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in docker_version_stdout.split('\n'):
+        if line.lower().startswith('docker version '):
+            version_string = line.split()[2]
+            version_string = version_string.split(',')[0]
+            # Strip version tag in Debian packaging
+            output['version'] = version_string.split('+')[0]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/docker_server/templates/etc/docker/daemon.json.j2 b/ansible_collections/debops/debops/roles/docker_server/templates/etc/docker/daemon.json.j2
new file mode 100644
index 00000000..8cc1e7c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/templates/etc/docker/daemon.json.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2015-2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+ # Copyright (C) 2015-2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set docker_server__tpl_configuration = {} %}
+{% for element in docker_server__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.config | d() %}
+{%     set combined_config = docker_server__tpl_configuration | combine(element.config, recursive=True) %}
+{%     set _ = docker_server__tpl_configuration.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{{ docker_server__tpl_configuration | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/docker_server/templates/etc/ferm/hooks/post.d/restart-docker.j2 b/ansible_collections/debops/debops/roles/docker_server/templates/etc/ferm/hooks/post.d/restart-docker.j2
new file mode 100755
index 00000000..a1144ceb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/templates/etc/ferm/hooks/post.d/restart-docker.j2
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# After ferm is restarted, Docker needs to be restarted so that it adds its own
+# iptables rules where needed
+
+set -o nounset -o pipefail -o errexit
+
+# Check if we are running under systemd
+if pidof systemd > /dev/null 2>&1 ; then
+
+    if [ "$(systemctl is-active docker.service)" == "active" ] ; then
+        logger -t "ferm-post-hook" "Restarting Docker via ferm post hook..."
+        systemctl restart docker.service
+    fi
+
+else
+
+    # I'm not sure if that's a good way to check for running Docker under
+    # non-systemd systems, if there are issues please provide a better solution
+    if [ -r /var/run/docker/metrics.sock ] ; then
+        logger -t "ferm-post-hook" "Restarting Docker via ferm post hook..."
+        service docker restart
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/docker_server/templates/etc/systemd/resolved.conf.d/docker.conf.j2 b/ansible_collections/debops/debops/roles/docker_server/templates/etc/systemd/resolved.conf.d/docker.conf.j2
new file mode 100644
index 00000000..c282b1f1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/docker_server/templates/etc/systemd/resolved.conf.d/docker.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Listen on Docker network interface for DNS queries
+[Resolve]
+DNSStubListenerExtra={{ docker_server__resolved_address }}
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/COPYRIGHT b/ansible_collections/debops/debops/roles/dokuwiki/COPYRIGHT
new file mode 100644
index 00000000..a223590d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.dokuwiki - Manage DokuWiki installation with Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/defaults/main.yml b/ansible_collections/debops/debops/roles/dokuwiki/defaults/main.yml
new file mode 100644
index 00000000..2620e3fe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/defaults/main.yml
@@ -0,0 +1,719 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dokuwiki__ref_defaults:
+
+# debops.dokuwiki default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration options [[[
+# -------------------------------
+
+# .. envvar:: dokuwiki__fqdn [[[
+#
+# Default domain which will be used to host the "main" wiki instance.
+dokuwiki__fqdn: 'wiki.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__domains [[[
+#
+# List of domains on which DokuWiki is configured in nginx.
+dokuwiki__domains: '{{ [dokuwiki__fqdn] +
+                       dokuwiki__farm_animals | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__nginx_auth_realm [[[
+#
+# Basic Auth realm displayed in the login dialog.
+dokuwiki__nginx_auth_realm: 'Wiki access is restricted'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__nginx_access_policy [[[
+#
+# Access policy defined using :ref:`debops.nginx` role, applied to this DokuWiki.
+dokuwiki__nginx_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__nginx_filename [[[
+#
+# Name of the nginx configuration file for DokuWiki website, without the
+# ``.conf`` extension.
+dokuwiki__nginx_filename: 'debops.dokuwiki'
+                                                                   # ]]]
+                                                                   # ]]]
+# User, group, app directories [[[
+# --------------------------------
+
+# .. envvar:: dokuwiki__user [[[
+#
+# DokuWiki system user account.
+dokuwiki__user: 'dokuwiki'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__group [[[
+#
+# DokuWiki system user group.
+dokuwiki__group: 'dokuwiki'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__home [[[
+#
+# DokuWiki home directory.
+dokuwiki__home: '{{ ansible_local.nginx.www | d("/srv/www") + "/" + dokuwiki__user }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__shell [[[
+#
+# DokuWiki user shell.
+dokuwiki__shell: '/bin/false'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__src [[[
+#
+# Base path for git bare repository with DokuWiki source.
+dokuwiki__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                   + "/" + dokuwiki__user }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__www [[[
+#
+# Base web root directory for DokuWiki website.
+dokuwiki__www: '{{ ansible_local.nginx.www | d("/srv/www") + "/" + dokuwiki__user }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__webserver_user [[[
+#
+# DokuWiki webserver user (needs read-only access to the website code).
+dokuwiki__webserver_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application sources [[[
+# -----------------------
+
+# .. envvar:: dokuwiki__git_repo [[[
+#
+# DokuWiki source repository.
+dokuwiki__git_repo: 'https://github.com/splitbrain/dokuwiki.git'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__git_dest [[[
+#
+# DokuWiki source directory on the host.
+dokuwiki__git_dest: '{{ dokuwiki__src + "/" + dokuwiki__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__git_version [[[
+#
+# DokuWiki git branch to deploy.
+dokuwiki__git_version: 'stable'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__git_checkout [[[
+#
+# Default path where DokuWiki source files will be deployed.
+dokuwiki__git_checkout: '{{ dokuwiki__www + "/sites/" + dokuwiki__domains[0] + "/public" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: dokuwiki__ldap_enabled [[[
+#
+# Enable or disable support for LDAP authentication in DokuWiki. Only the main
+# instance is supported at the moment.
+dokuwiki__ldap_enabled: '{{ True
+                            if (ansible_local | d() and ansible_local.ldap | d() and
+                                (ansible_local.ldap.enabled | d()) | bool)
+                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, LDAP configuration will not be performed.
+dokuwiki__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the DokuWiki service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+dokuwiki__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# DokuWiki service to access the LDAP directory.
+dokuwiki__ldap_self_rdn: 'uid=dokuwiki'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the DokuWiki service to access the LDAP directory.
+dokuwiki__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# DokuWiki service to access the LDAP directory.
+dokuwiki__ldap_self_attributes:
+  uid: '{{ dokuwiki__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ dokuwiki__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "DokuWiki" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# DokuWiki service to bind to the LDAP directory.
+dokuwiki__ldap_binddn: '{{ ([dokuwiki__ldap_self_rdn] + dokuwiki__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the DokuWiki service
+# to bind to the LDAP directory.
+dokuwiki__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                   + dokuwiki__ldap_binddn | to_uuid + ".password length=32"))
+                           if dokuwiki__ldap_enabled | bool
+                           else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the user
+# accounts stored in LDAP.
+dokuwiki__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_people_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the user accounts
+# used by DokuWiki.
+dokuwiki__ldap_people_dn: '{{ [dokuwiki__ldap_people_rdn] + dokuwiki__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_private_groups [[[
+#
+# When this variable is enabled, the :ref:`debops.ldap` role will create
+# a separate LDAP objects that manage the DokuWiki groups as subtree of the
+# DokiWiki service LDAP object. If you set this parameter to ``False``, the
+# role will use the global ``ou=Groups,dc=example,dc=org`` subtree instead.
+dokuwiki__ldap_private_groups: True
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the groups
+# stored in LDAP.
+dokuwiki__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn | d("ou=Groups") }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_groups_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the groups used by
+# DokuWiki. If private groups are enabled, this object will be created
+# automatically.
+dokuwiki__ldap_groups_dn: '{{ ([dokuwiki__ldap_groups_rdn, dokuwiki__ldap_self_rdn]
+                               + dokuwiki__ldap_device_dn)
+                              if dokuwiki__ldap_private_groups | bool
+                              else ([dokuwiki__ldap_groups_rdn] + dokuwiki__ldap_base_dn) }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_admin_group_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which defines who has
+# administrative access to a given DokuWiki instance.
+dokuwiki__ldap_admin_group_rdn: 'cn=DokuWiki Administrators'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_admin_group_dn [[[
+#
+# The Distinguished Name of the LDAP object which defines who has
+# administrative access to a given DokuWiki instance.
+dokuwiki__ldap_admin_group_dn: '{{ [dokuwiki__ldap_admin_group_rdn]
+                                   + dokuwiki__ldap_groups_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_object_owner_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object of the person who
+# installed a given DokuWiki instance and is used as the owner of the "DokuWiki
+# Administrators" group.
+dokuwiki__ldap_object_owner_rdn: 'uid={{ lookup("env", "USER") }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_object_ownerdn [[[
+#
+# The Distinguished Name of the LDAP object of the person who installed a given
+# DokuWiki instance and is used as the owner of the "DokuWiki Administrators"
+# group, defined as a string.
+dokuwiki__ldap_object_ownerdn: '{{ ([dokuwiki__ldap_object_owner_rdn, dokuwiki__ldap_people_rdn]
+                                    + dokuwiki__ldap_base_dn) | join(",") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP connection options [[[
+# ---------------------------
+
+# .. envvar:: dokuwiki__ldap_server_uri [[[
+#
+# The URI address of the LDAP server used by DokuWiki.
+dokuwiki__ldap_server_uri: '{{ ansible_local.ldap.uri | d([""]) | first }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_server_port [[[
+#
+# The TCP port which should be used for connections to the LDAP server.
+dokuwiki__ldap_server_port: '{{ ansible_local.ldap.port | d("389" if dokuwiki__ldap_start_tls | bool else "636") }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_start_tls [[[
+#
+# If ``True``, DokuWiki will use STARTTLS extension to make encrypted
+# connections to the LDAP server.
+dokuwiki__ldap_start_tls: '{{ ansible_local.ldap.start_tls
+                              if (ansible_local | d() and ansible_local.ldap | d() and
+                                  (ansible_local.ldap.start_tls | d()) | bool)
+                              else True }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_user_filter [[[
+#
+# The LDAP filter used to look up user accounts in the directory.
+dokuwiki__ldap_user_filter: '(&
+                               (objectClass=inetOrgPerson)
+                               (|
+                                 (uid=%{user})
+                                 (mail=%{user})
+                               )
+                               (|
+                                 (authorizedService=all)
+                                 (authorizedService=dokuwiki)
+                                 (authorizedService=web:public)
+                               )
+                             )'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_group_filter [[[
+#
+# The LDAP filter used to loo up groups in the directory.
+dokuwiki__ldap_group_filter: '(&
+                                (objectClass=groupOfNames)
+                                (member=%{dn})
+                              )'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap_configuration [[[
+#
+# The variable which contains the LDAP configuration stored in the
+# :file:`conf/local.protected.php` configuration file. The contents should be
+# written in PHP, Jinja can be used for logic outside of the PHP engine.
+dokuwiki__ldap_configuration: |
+  $conf['useacl'] = 1;
+  $conf['authtype'] = 'authldap';
+  $conf['superuser'] = '{{ "@" + dokuwiki__ldap_admin_group_rdn.split("=")[1] }}';
+  $conf['plugin']['authldap']['server'] = '{{ dokuwiki__ldap_server_uri }}';
+  $conf['plugin']['authldap']['port'] = '{{ dokuwiki__ldap_server_port }}';
+  $conf['plugin']['authldap']['usertree'] = '{{ dokuwiki__ldap_people_dn | join(",") }}';
+  $conf['plugin']['authldap']['grouptree'] = '{{ dokuwiki__ldap_groups_dn | join(",") }}';
+  $conf['plugin']['authldap']['userfilter'] = '{{ dokuwiki__ldap_user_filter }}';
+  $conf['plugin']['authldap']['groupfilter'] = '{{ dokuwiki__ldap_group_filter }}';
+  $conf['plugin']['authldap']['version'] = 3;
+  $conf['plugin']['authldap']['starttls'] = {{ "1" if dokuwiki__ldap_start_tls | bool else "0" }};
+  $conf['plugin']['authldap']['referrals'] = '0';
+  $conf['plugin']['authldap']['deref'] = '0';
+  $conf['plugin']['authldap']['binddn'] = '{{ dokuwiki__ldap_binddn }}';
+  $conf['plugin']['authldap']['bindpw'] = '{{ dokuwiki__ldap_bindpw }}';
+  $conf['plugin']['authldap']['userscope'] = 'sub';
+  $conf['plugin']['authldap']['groupscope'] = 'sub';
+  $conf['plugin']['authldap']['userkey'] = 'uid';
+  $conf['plugin']['authldap']['groupkey'] = 'cn';
+  $conf['plugin']['authldap']['debug'] = 0;
+  $conf['plugin']['authldap']['modPass'] = 0;
+# ]]]
+# ]]]
+# Protected local configuration [[[
+# ---------------------------------
+
+# .. envvar:: dokuwiki__protected_conf_php [[[
+#
+# This variable defines the contents of the :file:`conf/local.protected.php`
+# configuration file. The contents should be written in PHP, Jinja can be used
+# for logic outside of the PHP engine.
+dokuwiki__protected_conf_php: |
+  {% if dokuwiki__ldap_enabled | bool %}
+  {{ dokuwiki__ldap_configuration }}
+  {% endif %}
+# ]]]
+
+# .. envvar:; dokuwiki__protected_plugins_php [[[
+#
+# This variable defines the contents of the :file:`conf/plugins.protected.php`
+# configuration file. The contents should be written in PHP, Jinja can be used
+# for logic outside of the PHP engine.
+dokuwiki__protected_plugins_php: |
+  {% if dokuwiki__ldap_enabled | bool %}
+  $plugins['authldap'] = 1;
+  {% endif %}
+# ]]]
+# ]]]
+# MIME Types local configuration [[[
+# ---------------------------------
+
+# .. envvar:: dokuwiki__local_mime_types_conf [[[
+#
+# Additional allowed uploadable file extensions and mimetypes are defined here.
+# Mimetypes that should be downloadable and not be opened in the wiki should
+# be prefixed with a ``!``.
+#
+# For more information, check `Adding additional Mime Types
+# <https://www.dokuwiki.org/mime#adding_additional_mime_types>`_.
+dokuwiki__local_mime_types_conf: |
+   # Extra allowed MIME Types
+   txt     text/plain
+   tex     text/plain
+   conf    text/plain
+   xml     text/xml
+   csv     text/csv
+   svg     image/svg+xml
+   epub    application/epub+zip
+
+# ]]]
+# ]]]
+# Application plugins, themes, system packages [[[
+# ------------------------------------------------
+
+# .. envvar:: dokuwiki__base_packages [[[
+#
+# List of base APT packages to install for DokuWiki support.
+dokuwiki__base_packages: [ 'curl' ]
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__packages [[[
+#
+# List of additional APT packages to install for DokuWiki support.
+dokuwiki__packages: []
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__plugins_enabled [[[
+#
+# Enable or disable installation of DokuWiki plugins and templates.
+dokuwiki__plugins_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__plugins [[[
+#
+# List of custom DokuWiki plugins to install.
+dokuwiki__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__default_plugins [[[
+#
+# List of default DokuWiki plugins to install.
+dokuwiki__default_plugins: '{{ dokuwiki__plugins_editor +
+                               dokuwiki__plugins_syntax +
+                               dokuwiki__plugins_git }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__plugins_editor [[[
+#
+# DokuWiki plugins related to the text editor.
+dokuwiki__plugins_editor:
+
+  - repo: 'https://github.com/cosmocode/edittable.git'
+    dest: 'edittable'
+
+  - repo: 'https://gitlab.com/albertgasset/dokuwiki-plugin-codemirror.git'
+    dest: 'codemirror'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__plugins_syntax [[[
+#
+# DokuWiki plugins that provide additional wiki syntax.
+dokuwiki__plugins_syntax:
+
+  - repo: 'https://github.com/cosmocode/dig.git'
+    dest: 'dig'
+
+  # This plugin has been replaced by 'switchpanel' plugin
+  - repo: 'https://github.com/grantemsley/dokuwiki-plugin-patchpanel.git'
+    dest: 'patchpanel'
+    state: 'absent'
+
+  - repo: 'https://github.com/GreenItSolutions/dokuwiki-plugin-switchpanel.git'
+    dest: 'switchpanel'
+
+  - repo: 'https://github.com/ashrafhasson/dokuwiki-plugin-advrack.git'
+    dest: 'advrack'
+    state: 'absent'
+
+  - repo: 'https://github.com/glensc/dokuwiki-plugin-pageredirect.git'
+    dest: 'pageredirect'
+
+  - repo: 'https://github.com/selfthinker/dokuwiki_plugin_wrap'
+    dest: 'wrap'
+
+  - repo: 'https://github.com/splitbrain/dokuwiki-plugin-graphviz.git'
+    dest: 'graphviz'
+
+  - repo: 'https://github.com/leibler/dokuwiki-plugin-todo.git'
+    dest: 'todo'
+
+  - repo: 'https://github.com/splitbrain/dokuwiki-plugin-gallery'
+    dest: 'gallery'
+
+  - repo: 'https://github.com/dokufreaks/plugin-tag'
+    dest: 'tag'
+
+  - repo: 'https://github.com/dokufreaks/plugin-pagelist'
+    dest: 'pagelist'
+
+  - repo: 'https://github.com/tgarc/dokuwiki-plugin-rst'
+    dest: 'rst'
+    state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__plugins_git [[[
+#
+# DokuWiki plugins related to :command:`git` support.
+dokuwiki__plugins_git:
+
+  - repo: 'https://github.com/kossmac/dokuwiki-plugin-gitlab'
+    dest: 'gitlab'
+    state: 'absent'
+
+  - repo: 'https://github.com/ZJ/ghissues.git'
+    dest: 'ghissues'
+    state: 'absent'
+
+  - repo: 'https://github.com/splitbrain/dokuwiki-plugin-gh.git'
+    dest: 'gh'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__templates [[[
+#
+# List of DokuWiki templates.
+dokuwiki__templates: []
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__default_templates [[[
+#
+# List of default DokuWiki templates.
+dokuwiki__default_templates: '{{ dokuwiki__templates_vector }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__templates_vector [[[
+#
+# The ``vector`` DokuWiki template.
+dokuwiki__templates_vector:
+
+  - repo: 'https://github.com/arsava/dokuwiki-template-vector'
+    dest: 'vector'
+                                                                   # ]]]
+# .. envvar:: dokuwiki__extra_files [[[
+#
+# List of extra files to include in DokuWiki installation on all hosts.
+dokuwiki__extra_files: []
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__group_extra_files [[[
+#
+# List of extra files to include in DokuWiki installation on hosts in group.
+dokuwiki__group_extra_files: []
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__host_extra_files [[[
+#
+# List of extra files to include in DokuWiki installation on host.
+dokuwiki__host_extra_files: []
+
+                                                                   # ]]]
+                                                                   # ]]]
+# DokuWiki farm [[[
+# -----------------
+
+# .. envvar:: dokuwiki__farm [[[
+#
+# Enable or disable `DokuWiki farms <https://www.dokuwiki.org/farms>`_
+# (the vhost variant).
+dokuwiki__farm: True
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__farm_path [[[
+#
+# Path to animals on DokuWiki farm.
+dokuwiki__farm_path: '{{ dokuwiki__www + "/farm" }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__farm_animals [[[
+#
+# List of FQDN domains which will define "farm animals".
+dokuwiki__farm_animals: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Other variables [[[
+# -------------------
+
+# .. envvar:: dokuwiki__max_file_size [[[
+#
+# Maximum upload size, in MB.
+dokuwiki__max_file_size: '30'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: dokuwiki__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+dokuwiki__python__dependent_packages3:
+
+  - 'python3-docutils'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+dokuwiki__python__dependent_packages2:
+
+  - 'python-docutils'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+dokuwiki__ldap__dependent_tasks:
+
+  - name: 'Create DokuWiki account for {{ dokuwiki__ldap_device_dn | join(",") }}'
+    dn: '{{ dokuwiki__ldap_binddn }}'
+    objectClass: '{{ dokuwiki__ldap_self_object_classes }}'
+    attributes: '{{ dokuwiki__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if dokuwiki__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Create DokuWiki group container for {{ dokuwiki__ldap_device_dn | join(",") }}'
+    dn: '{{ dokuwiki__ldap_groups_dn }}'
+    objectClass: 'organizationalStructure'
+    attributes:
+      ou: '{{ dokuwiki__ldap_groups_rdn.split("=")[1] }}'
+      description: 'User groups used in DokuWiki'
+    state: '{{ "present"
+               if (dokuwiki__ldap_device_dn | d() and
+                   dokuwiki__ldap_private_groups | bool)
+               else "ignore" }}'
+
+  - name: 'Create DokuWiki admin group for {{ dokuwiki__ldap_device_dn | join(",") }}'
+    dn: '{{ dokuwiki__ldap_admin_group_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: '{{ dokuwiki__ldap_admin_group_rdn.split("=")[1] }}'
+      owner: '{{ dokuwiki__ldap_object_ownerdn }}'
+      member: '{{ dokuwiki__ldap_object_ownerdn }}'
+    state: '{{ "present" if dokuwiki__ldap_device_dn | d() else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__php__dependent_packages [[[
+#
+# List of PHP packages to install using :ref:`debops.php` role.
+dokuwiki__php__dependent_packages:
+
+  - [ 'gmp', 'curl', 'ldap', 'xml' ]
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__php__dependent_pools [[[
+#
+# Configuration of the DokuWiki PHP-FPM pool managed by the :ref:`debops.php` role.
+dokuwiki__php__dependent_pools:
+
+  - name: 'dokuwiki'
+    user: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    owner: '{{ dokuwiki__user }}'
+    home: '{{ dokuwiki__home }}'
+
+    php_admin_values:
+      post_max_size:       '{{ dokuwiki__max_file_size }}M'
+      upload_max_filesize: '{{ dokuwiki__max_file_size }}M'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__nginx__dependent_upstreams [[[
+#
+# Configuration of the DokuWiki nginx upstream, used by :ref:`debops.nginx`.
+dokuwiki__nginx__dependent_upstreams:
+
+  - name: 'php_dokuwiki'
+    type: 'php'
+    php_pool: 'dokuwiki'
+
+                                                                   # ]]]
+# .. envvar:: dokuwiki__nginx__dependent_servers [[[
+#
+# Configuration of the DokuWiki nginx server, used by :ref:`debops.nginx`.
+dokuwiki__nginx__dependent_servers:
+
+  - name: '{{ dokuwiki__domains }}'
+    filename: '{{ dokuwiki__nginx_filename }}'
+    by_role: 'debops.dokuwiki'
+    type: 'php'
+    root: '{{ dokuwiki__git_checkout }}'
+    webroot_create: False
+    access_policy: '{{ dokuwiki__nginx_access_policy }}'
+    auth_basic_realm: '{{ dokuwiki__nginx_auth_realm }}'
+    index: 'index.html index.htm index.php doku.php'
+
+    options: |
+      autoindex off;
+      client_max_body_size {{ dokuwiki__max_file_size }}M;
+      client_body_buffer_size 128k;
+
+    location:
+      '/': |
+        try_files $uri $uri/ @dokuwiki;
+
+      '@dokuwiki': |
+        rewrite ^/_media/(.*)           /lib/exe/fetch.php?media=$1   last;
+        rewrite ^/_detail/(.*)          /lib/exe/detail.php?media=$1  last;
+        rewrite ^/_export/([^/]+)/(.*)  /doku.php?do=export_$1&id=$2  last;
+        rewrite ^/(.*)                  /doku.php?id=$1               last;
+
+      '~ ^/lib.*\.(gif|png|ico|jpg)$': |
+        expires 31536000s;
+        add_header Pragma "public";
+        add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
+        log_not_found off;
+
+      '~ /(data|conf|bin|inc|install.php)/': |
+        deny all;
+
+    php_upstream: 'php_dokuwiki'
+    php_options: |
+      fastcgi_intercept_errors        on;
+      fastcgi_ignore_client_abort     off;
+      fastcgi_connect_timeout         60;
+      fastcgi_send_timeout            180;
+      fastcgi_read_timeout            180;
+      fastcgi_buffer_size             128k;
+      fastcgi_buffers               4 256k;
+      fastcgi_busy_buffers_size       256k;
+      fastcgi_temp_file_write_size    256k;
+
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/README b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/README
new file mode 100644
index 00000000..d3f3d3b9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/README
@@ -0,0 +1 @@
+This is an animal template for a DokuWiki Farm [https://www.dokuwiki.org/farms].
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/acl.auth.php b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/acl.auth.php
new file mode 100644
index 00000000..9f5a3713
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/acl.auth.php
@@ -0,0 +1,22 @@
+# acl.auth.php
+# <?php exit()?>
+# Don't modify the lines above
+#
+# Access Control Lists
+#
+# Editing this file by hand shouldn't be necessary. Use the ACL
+# Manager interface instead.
+#
+# If your auth backend allows special char like spaces in groups
+# or user names you need to urlencode them (only chars <128, leave
+# UTF-8 multibyte chars as is)
+#
+# none   0
+# read   1
+# edit   2
+# create 4
+# upload 8
+# delete 16
+
+*               @ALL         1
+*               @user        8
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.php b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.php
new file mode 100644
index 00000000..4b20acaa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.php
@@ -0,0 +1,13 @@
+<?php
+/**
+ * This is an example of how a local.php could look like.
+ * Simply copy the options you want to change from dokuwiki.php
+ * to this file and change them.
+ *
+ * When using the installer, a correct local.php file be generated for
+ * you automatically.
+ */
+
+$conf['title'] = 'Wiki Title';
+$conf['useacl'] = 1;
+$conf['superuser'] = '@admin';
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.protected.php b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.protected.php
new file mode 100644
index 00000000..c8d783ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/local.protected.php
@@ -0,0 +1,10 @@
+<?php
+/**
+ * These settings are "protected" and cannot be overwritten
+ * by the configuration manager, but need to be edited manually.
+ */
+
+$conf['savedir'] = DOKU_CONF.'../data';
+$conf['updatecheck'] = 0;
+// if you're using the .htaccess base setup, set this to your animal's base directory:
+//$conf['basedir'] = '/farm/animal/';
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/plugins.local.php b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/plugins.local.php
new file mode 100644
index 00000000..00e8c10b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/plugins.local.php
@@ -0,0 +1,8 @@
+<?php
+/*
+ * Local plugin enable/disable settings
+ * Auto-generated through plugin/extension manager
+ *
+ * NOTE: Plugins will not be added to this file unless there is a need to override a default setting. Plugins are
+ *       enabled by default, unless having a 'disabled' file in their plugin folder.
+ */
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/users.auth.php b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/users.auth.php
new file mode 100644
index 00000000..d4789b4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/conf/users.auth.php
@@ -0,0 +1,11 @@
+# users.auth.php
+# <?php exit()?>
+# Don't modify the lines above
+#
+# Userfile
+#
+# Format:
+#
+# login:passwordhash:Real Name:email:groups,comma,separated
+
+admin:$1$cce258b2$U9o5nK0z4MhTfB5QlKF23/:admin:admin@example.org:admin,user
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/attic/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/attic/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/cache/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/cache/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/index/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/index/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/locks/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/locks/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media/wiki/dokuwiki-128.png b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media/wiki/dokuwiki-128.png
new file mode 100644
index 00000000..b2306ac9
Binary files /dev/null and b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media/wiki/dokuwiki-128.png differ
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_attic/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_attic/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_meta/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/media_meta/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/meta/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/meta/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/dokuwiki.txt b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/dokuwiki.txt
new file mode 100644
index 00000000..aad57510
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/dokuwiki.txt
@@ -0,0 +1,64 @@
+====== DokuWiki ======
+
+[[doku>wiki:dokuwiki|{{wiki:dokuwiki-128.png }}]] DokuWiki is a standards compliant, simple to use [[wp>Wiki]], mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful [[wiki:syntax]] which makes sure the datafiles remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files -- no database is required.
+
+Read the [[doku>manual|DokuWiki Manual]] to unleash the full power of DokuWiki.
+
+===== Download =====
+
+DokuWiki is available at http://www.splitbrain.org/go/dokuwiki
+
+
+===== Read More =====
+
+All documentation and additional information besides the [[syntax|syntax description]] is maintained in the DokuWiki at [[doku>|www.dokuwiki.org]].
+
+**About DokuWiki**
+
+  * [[doku>features|A feature list]] :!:
+  * [[doku>users|Happy Users]]
+  * [[doku>press|Who wrote about it]]
+  * [[doku>blogroll|What Bloggers think]]
+  * [[http://www.wikimatrix.org/show/DokuWiki|Compare it with other wiki software]]
+
+**Installing DokuWiki**
+
+  * [[doku>requirements|System Requirements]]
+  * [[http://www.splitbrain.org/go/dokuwiki|Download DokuWiki]] :!:
+  * [[doku>changes|Change Log]]
+  * [[doku>Install|How to install or upgrade]] :!:
+  * [[doku>config|Configuration]]
+
+**Using DokuWiki**
+
+  * [[doku>syntax|Wiki Syntax]]
+  * [[doku>manual|The manual]] :!:
+  * [[doku>FAQ|Frequently Asked Questions (FAQ)]]
+  * [[doku>glossary|Glossary]]
+  * [[http://search.dokuwiki.org|Search for DokuWiki help and documentation]]
+
+**Customizing DokuWiki**
+
+  * [[doku>tips|Tips and Tricks]]
+  * [[doku>Template|How to create and use templates]]
+  * [[doku>plugins|Installing plugins]]
+  * [[doku>development|Development Resources]]
+
+**DokuWiki Feedback and Community**
+
+  * [[doku>newsletter|Subscribe to the newsletter]] :!:
+  * [[doku>mailinglist|Join the mailing list]]
+  * [[http://forum.dokuwiki.org|Check out the user forum]]
+  * [[doku>irc|Talk to other users in the IRC channel]]
+  * [[http://bugs.splitbrain.org/index.php?project=1|Submit bugs and feature wishes]]
+  * [[http://www.wikimatrix.org/forum/viewforum.php?id=10|Share your experiences in the WikiMatrix forum]]
+  * [[doku>thanks|Some humble thanks]]
+
+
+===== Copyright =====
+
+2004-2010 (c) Andreas Gohr <andi@splitbrain.org>((Please do not contact me for help and support -- use the [[doku>mailinglist]] or [[http://forum.dokuwiki.org|forum]] instead)) and the DokuWiki Community
+
+The DokuWiki engine is licensed under [[https://www.gnu.org/licenses/gpl.html|GNU General Public License]] Version 2. If you use DokuWiki in your company, consider [[doku>donate|donating]] a few bucks ;-).
+
+Not sure what this means? See the [[doku>faq:license|FAQ on the Licenses]].
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/syntax.txt b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/syntax.txt
new file mode 100644
index 00000000..cb7fdfcd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/pages/wiki/syntax.txt
@@ -0,0 +1,486 @@
+====== Formatting Syntax ======
+
+[[doku>DokuWiki]] supports some simple markup language, which tries to make the datafiles to be as readable as possible. This page contains all possible syntax you may use when editing the pages. Simply have a look at the source of this page by pressing the //Edit this page// button at the top or bottom of the page. If you want to try something, just use the [[playground:playground|playground]] page. The simpler markup is easily accessible via [[doku>toolbar|quickbuttons]], too.
+
+===== Basic Text Formatting =====
+
+DokuWiki supports **bold**, //italic//, __underlined__ and ''monospaced'' texts. Of course you can **__//''combine''//__** all these.
+
+  DokuWiki supports **bold**, //italic//, __underlined__ and ''monospaced'' texts.
+  Of course you can **__//''combine''//__** all these.
+
+You can use <sub>subscript</sub> and <sup>superscript</sup>, too.
+
+  You can use <sub>subscript</sub> and <sup>superscript</sup>, too.
+
+You can mark something as <del>deleted</del> as well.
+
+  You can mark something as <del>deleted</del> as well.
+
+**Paragraphs** are created from blank lines. If you want to **force a newline** without a paragraph, you can use two backslashes followed by a whitespace or the end of line.
+
+This is some text with some linebreaks\\ Note that the
+two backslashes are only recognized at the end of a line\\
+or followed by\\ a whitespace \\this happens without it.
+
+  This is some text with some linebreaks\\ Note that the
+  two backslashes are only recognized at the end of a line\\
+  or followed by\\ a whitespace \\this happens without it.
+
+You should use forced newlines only if really needed.
+
+===== Links =====
+
+DokuWiki supports multiple ways of creating links.
+
+==== External ====
+
+External links are recognized automagically: http://www.google.com or simply www.google.com - You can set the link text as well: [[http://www.google.com|This Link points to google]]. Email addresses like this one: <andi@splitbrain.org> are recognized, too.
+
+  DokuWiki supports multiple ways of creating links. External links are recognized
+  automagically: http://www.google.com or simply www.google.com - You can set
+  link text as well: [[http://www.google.com|This Link points to google]]. Email
+  addresses like this one: <andi@splitbrain.org> are recognized, too.
+
+==== Internal ====
+
+Internal links are created by using square brackets. You can either just give a [[pagename]] or use an additional [[pagename|link text]].
+
+  Internal links are created by using square brackets. You can either just give
+  a [[pagename]] or use an additional [[pagename|link text]].
+
+[[doku>pagename|Wiki pagenames]] are converted to lowercase automatically, special characters are not allowed.
+
+You can use [[some:namespaces]] by using a colon in the pagename.
+
+  You can use [[some:namespaces]] by using a colon in the pagename.
+
+For details about namespaces see [[doku>namespaces]].
+
+Linking to a specific section is possible, too. Just add the section name behind a hash character as known from HTML. This links to [[syntax#internal|this Section]].
+
+  This links to [[syntax#internal|this Section]].
+
+Notes:
+
+  * Links to [[syntax|existing pages]] are shown in a different style from [[nonexisting]] ones.
+  * DokuWiki does not use [[wp>CamelCase]] to automatically create links by default, but this behavior can be enabled in the [[doku>config]] file. Hint: If DokuWiki is a link, then it's enabled.
+  * When a section's heading is changed, its bookmark changes, too. So don't rely on section linking too much.
+
+==== Interwiki ====
+
+DokuWiki supports [[doku>Interwiki]] links. These are quick links to other Wikis. For example this is a link to Wikipedia's page about Wikis: [[wp>Wiki]].
+
+  DokuWiki supports [[doku>Interwiki]] links. These are quick links to other Wikis.
+  For example this is a link to Wikipedia's page about Wikis: [[wp>Wiki]].
+
+==== Windows Shares ====
+
+Windows shares like [[\\server\share|this]] are recognized, too. Please note that these only make sense in a homogeneous user group like a corporate [[wp>Intranet]].
+
+  Windows Shares like [[\\server\share|this]] are recognized, too.
+
+Notes:
+
+  * For security reasons direct browsing of windows shares only works in Microsoft Internet Explorer per default (and only in the "local zone").
+  * For Mozilla and Firefox it can be enabled through different workaround mentioned in the [[http://kb.mozillazine.org/Links_to_local_pages_do_not_work|Mozilla Knowledge Base]]. However, there will still be a JavaScript warning about trying to open a Windows Share. To remove this warning (for all users), put the following line in ''conf/local.protected.php'':
+
+  $lang['js']['nosmblinks'] = '';
+
+==== Image Links ====
+
+You can also use an image to link to another internal or external page by combining the syntax for links and [[#images_and_other_files|images]] (see below) like this:
+
+  [[http://www.php.net|{{wiki:dokuwiki-128.png}}]]
+
+[[http://www.php.net|{{wiki:dokuwiki-128.png}}]]
+
+Please note: The image formatting is the only formatting syntax accepted in link names.
+
+The whole [[#images_and_other_files|image]] and [[#links|link]] syntax is supported (including image resizing, internal and external images and URLs and interwiki links).
+
+===== Footnotes =====
+
+You can add footnotes ((This is a footnote)) by using double parentheses.
+
+  You can add footnotes ((This is a footnote)) by using double parentheses.
+
+===== Sectioning =====
+
+You can use up to five different levels of headlines to structure your content. If you have more than three headlines, a table of contents is generated automatically -- this can be disabled by including the string ''<nowiki>~~NOTOC~~</nowiki>'' in the document.
+
+==== Headline Level 3 ====
+=== Headline Level 4 ===
+== Headline Level 5 ==
+
+  ==== Headline Level 3 ====
+  === Headline Level 4 ===
+  == Headline Level 5 ==
+
+By using four or more dashes, you can make a horizontal line:
+
+----
+
+===== Images and Other Files =====
+
+You can include external and internal [[doku>images]] with curly brackets. Optionally you can specify the size of them.
+
+Real size:                        {{wiki:dokuwiki-128.png}}
+
+Resize to given width:            {{wiki:dokuwiki-128.png?50}}
+
+Resize to given width and height((when the aspect ratio of the given width and height doesn't match that of the image, it will be cropped to the new ratio before resizing)): {{wiki:dokuwiki-128.png?200x50}}
+
+Resized external image:           {{http://de3.php.net/images/php.gif?200x50}}
+
+  Real size:                        {{wiki:dokuwiki-128.png}}
+  Resize to given width:            {{wiki:dokuwiki-128.png?50}}
+  Resize to given width and height: {{wiki:dokuwiki-128.png?200x50}}
+  Resized external image:           {{http://de3.php.net/images/php.gif?200x50}}
+
+
+By using left or right whitespaces you can choose the alignment.
+
+{{ wiki:dokuwiki-128.png}}
+
+{{wiki:dokuwiki-128.png }}
+
+{{ wiki:dokuwiki-128.png }}
+
+  {{ wiki:dokuwiki-128.png}}
+  {{wiki:dokuwiki-128.png }}
+  {{ wiki:dokuwiki-128.png }}
+
+Of course, you can add a title (displayed as a tooltip by most browsers), too.
+
+{{ wiki:dokuwiki-128.png |This is the caption}}
+
+  {{ wiki:dokuwiki-128.png |This is the caption}}
+
+If you specify a filename (external or internal) that is not an image (''gif, jpeg, png''), then it will be displayed as a link instead.
+
+For linking an image to another page see [[#Image Links]] above.
+
+===== Lists =====
+
+Dokuwiki supports ordered and unordered lists. To create a list item, indent your text by two spaces and use a ''*'' for unordered lists or a ''-'' for ordered ones.
+
+  * This is a list
+  * The second item
+    * You may have different levels
+  * Another item
+
+  - The same list but ordered
+  - Another item
+    - Just use indentation for deeper levels
+  - That's it
+
+<code>
+  * This is a list
+  * The second item
+    * You may have different levels
+  * Another item
+
+  - The same list but ordered
+  - Another item
+    - Just use indentation for deeper levels
+  - That's it
+</code>
+
+Also take a look at the [[doku>faq:lists|FAQ on list items]].
+
+===== Text Conversions =====
+
+DokuWiki can convert certain pre-defined characters or strings into images or other text or HTML.
+
+The text to image conversion is mainly done for smileys. And the text to HTML conversion is used for typography replacements, but can be configured to use other HTML as well.
+
+==== Text to Image Conversions ====
+
+DokuWiki converts commonly used [[wp>emoticon]]s to their graphical equivalents. Those [[doku>Smileys]] and other images can be configured and extended. Here is an overview of Smileys included in DokuWiki:
+
+  * 8-) %%  8-)  %%
+  * 8-O %%  8-O  %%
+  * :-( %%  :-(  %%
+  * :-) %%  :-)  %%
+  * =)  %%  =)   %%
+  * :-/ %%  :-/  %%
+  * :-\ %%  :-\  %%
+  * :-? %%  :-?  %%
+  * :-D %%  :-D  %%
+  * :-P %%  :-P  %%
+  * :-O %%  :-O  %%
+  * :-X %%  :-X  %%
+  * :-| %%  :-|  %%
+  * ;-) %%  ;-)  %%
+  * ^_^ %%  ^_^  %%
+  * :?: %%  :?:  %%
+  * :!: %%  :!:  %%
+  * LOL %%  LOL  %%
+  * FIXME %%  FIXME %%
+  * DELETEME %% DELETEME %%
+
+==== Text to HTML Conversions ====
+
+Typography: [[DokuWiki]] can convert simple text characters to their typographically correct entities. Here is an example of recognized characters.
+
+-> <- <-> => <= <=> >> << -- --- 640x480 (c) (tm) (r)
+"He thought 'It's a man's world'..."
+
+<code>
+-> <- <-> => <= <=> >> << -- --- 640x480 (c) (tm) (r)
+"He thought 'It's a man's world'..."
+</code>
+
+The same can be done to produce any kind of HTML, it just needs to be added to the [[doku>entities|pattern file]].
+
+There are three exceptions which do not come from that pattern file: multiplication entity (640x480), 'single' and "double quotes". They can be turned off through a [[doku>config:typography|config option]].
+
+===== Quoting =====
+
+Some times you want to mark some text to show it's a reply or comment. You can use the following syntax:
+
+  I think we should do it
+
+  > No we shouldn't
+
+  >> Well, I say we should
+
+  > Really?
+
+  >> Yes!
+
+  >>> Then lets do it!
+
+I think we should do it
+
+> No we shouldn't
+
+>> Well, I say we should
+
+> Really?
+
+>> Yes!
+
+>>> Then lets do it!
+
+===== Tables =====
+
+DokuWiki supports a simple syntax to create tables.
+
+^ Heading 1      ^ Heading 2       ^ Heading 3          ^
+| Row 1 Col 1    | Row 1 Col 2     | Row 1 Col 3        |
+| Row 2 Col 1    | some colspan (note the double pipe) ||
+| Row 3 Col 1    | Row 3 Col 2     | Row 3 Col 3        |
+
+Table rows have to start and end with a ''|'' for normal rows or a ''^'' for headers.
+
+  ^ Heading 1      ^ Heading 2       ^ Heading 3          ^
+  | Row 1 Col 1    | Row 1 Col 2     | Row 1 Col 3        |
+  | Row 2 Col 1    | some colspan (note the double pipe) ||
+  | Row 3 Col 1    | Row 3 Col 2     | Row 3 Col 3        |
+
+To connect cells horizontally, just make the next cell completely empty as shown above. Be sure to have always the same amount of cell separators!
+
+Vertical tableheaders are possible, too.
+
+|              ^ Heading 1            ^ Heading 2          ^
+^ Heading 3    | Row 1 Col 2          | Row 1 Col 3        |
+^ Heading 4    | no colspan this time |                    |
+^ Heading 5    | Row 2 Col 2          | Row 2 Col 3        |
+
+As you can see, it's the cell separator before a cell which decides about the formatting:
+
+  |              ^ Heading 1            ^ Heading 2          ^
+  ^ Heading 3    | Row 1 Col 2          | Row 1 Col 3        |
+  ^ Heading 4    | no colspan this time |                    |
+  ^ Heading 5    | Row 2 Col 2          | Row 2 Col 3        |
+
+You can have rowspans (vertically connected cells) by adding '':::'' into the cells below the one to which they should connect.
+
+^ Heading 1      ^ Heading 2                  ^ Heading 3          ^
+| Row 1 Col 1    | this cell spans vertically | Row 1 Col 3        |
+| Row 2 Col 1    | :::                        | Row 2 Col 3        |
+| Row 3 Col 1    | :::                        | Row 2 Col 3        |
+
+Apart from the rowspan syntax those cells should not contain anything else.
+
+  ^ Heading 1      ^ Heading 2                  ^ Heading 3          ^
+  | Row 1 Col 1    | this cell spans vertically | Row 1 Col 3        |
+  | Row 2 Col 1    | :::                        | Row 2 Col 3        |
+  | Row 3 Col 1    | :::                        | Row 2 Col 3        |
+
+You can align the table contents, too. Just add at least two whitespaces at the opposite end of your text: Add two spaces on the left to align right, two spaces on the right to align left and two spaces at least at both ends for centered text.
+
+^           Table with alignment           ^^^
+|         right|    center    |left          |
+|left          |         right|    center    |
+| xxxxxxxxxxxx | xxxxxxxxxxxx | xxxxxxxxxxxx |
+
+This is how it looks in the source:
+
+  ^           Table with alignment           ^^^
+  |         right|    center    |left          |
+  |left          |         right|    center    |
+  | xxxxxxxxxxxx | xxxxxxxxxxxx | xxxxxxxxxxxx |
+
+Note: Vertical alignment is not supported.
+
+===== No Formatting =====
+
+If you need to display text exactly like it is typed (without any formatting), enclose the area either with ''%%<nowiki>%%'' tags or even simpler, with double percent signs ''<nowiki>%%</nowiki>''.
+
+<nowiki>
+This is some text which contains addresses like this: http://www.splitbrain.org and **formatting**, but nothing is done with it.
+</nowiki>
+The same is true for %%//__this__ text// with a smiley ;-)%%.
+
+  <nowiki>
+  This is some text which contains addresses like this: http://www.splitbrain.org and **formatting**, but nothing is done with it.
+  </nowiki>
+  The same is true for %%//__this__ text// with a smiley ;-)%%.
+
+===== Code Blocks =====
+
+You can include code blocks into your documents by either indenting them by at least two spaces (like used for the previous examples) or by using the tags ''%%<code>%%'' or ''%%<file>%%''.
+
+  This is text is indented by two spaces.
+
+<code>
+This is preformatted code all spaces are preserved: like              <-this
+</code>
+
+<file>
+This is pretty much the same, but you could use it to show that you quoted a file.
+</file>
+
+Those blocks were created by this source:
+
+    This is text is indented by two spaces.
+
+  <code>
+  This is preformatted code all spaces are preserved: like              <-this
+  </code>
+
+  <file>
+  This is pretty much the same, but you could use it to show that you quoted a file.
+  </file>
+
+==== Syntax Highlighting ====
+
+[[wiki:DokuWiki]] can highlight sourcecode, which makes it easier to read. It uses the [[http://qbnz.com/highlighter/|GeSHi]] Generic Syntax Highlighter -- so any language supported by GeSHi is supported. The syntax uses the same code and file blocks described in the previous section, but this time the name of the language syntax to be highlighted is included inside the tag, e.g. ''<nowiki><code java></nowiki>'' or ''<nowiki><file java></nowiki>''.
+
+<code java>
+/**
+ * The HelloWorldApp class implements an application that
+ * simply displays "Hello World!" to the standard output.
+ */
+class HelloWorldApp {
+    public static void main(String[] args) {
+        System.out.println("Hello World!"); //Display the string.
+    }
+}
+</code>
+
+The following language strings are currently recognized: //4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript-french, actionscript, actionscript3, ada, algol68, apache, applescript, asm, asp, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcs, delphi, diff, div, dos, dot, e, epc, ecmascript, eiffel, email, erlang, euphoria, f1, falcon, fo, fortran, freebasic, fsharp, gambas, genero, genie, gdb, glsl, gml, gnuplot, go, groovy, gettext, gwbasic, haskell, hicest, hq9plus, html, html5, icon, idl, ini, inno, intercal, io, j, java5, java, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, modula2, modula3, mmix, mpasm, mxml, mysql, newlisp, nsis, oberon2, objc, objeck, ocaml-brief, ocaml, oobas, oracle8, oracle11, oxygene, oz, pascal, pcre, perl, perl6, per, pf, php-brief, php, pike, pic16, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, python, q, qbasic, rails, rebol, reg, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, sql, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, uscript, vala, vbnet, vb, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, winbatch, whois, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic//
+
+==== Downloadable Code Blocks ====
+
+When you use the ''%%<code>%%'' or ''%%<file>%%'' syntax as above, you might want to make the shown code available for download as well. You can do this by specifying a file name after language code like this:
+
+<code>
+<file php myexample.php>
+<?php echo "hello world!"; ?>
+</file>
+</code>
+
+<file php myexample.php>
+<?php echo "hello world!"; ?>
+</file>
+
+If you don't want any highlighting but want a downloadable file, specify a dash (''-'') as the language code: ''%%<code - myfile.foo>%%''.
+
+
+===== Embedding HTML and PHP =====
+
+You can embed raw HTML or PHP code into your documents by using the ''%%<html>%%'' or ''%%<php>%%'' tags. (Use uppercase tags if you need to enclose block level elements.)
+
+HTML example:
+
+<code>
+<html>
+This is some <span style="color:red;font-size:150%;">inline HTML</span>
+</html>
+<HTML>
+<p style="border:2px dashed red;">And this is some block HTML</p>
+</HTML>
+</code>
+
+<html>
+This is some <span style="color:red;font-size:150%;">inline HTML</span>
+</html>
+<HTML>
+<p style="border:2px dashed red;">And this is some block HTML</p>
+</HTML>
+
+PHP example:
+
+<code>
+<php>
+echo 'A logo generated by PHP:';
+echo '<img src="' . $_SERVER['PHP_SELF'] . '?=' . php_logo_guid() . '" alt="PHP Logo !" />';
+echo '(generated inline HTML)';
+</php>
+<PHP>
+echo '<table class="inline"><tr><td>The same, but inside a block level element:</td>';
+echo '<td><img src="' . $_SERVER['PHP_SELF'] . '?=' . php_logo_guid() . '" alt="PHP Logo !" /></td>';
+echo '</tr></table>';
+</PHP>
+</code>
+
+<php>
+echo 'A logo generated by PHP:';
+echo '<img src="' . $_SERVER['PHP_SELF'] . '?=' . php_logo_guid() . '" alt="PHP Logo !" />';
+echo '(inline HTML)';
+</php>
+<PHP>
+echo '<table class="inline"><tr><td>The same, but inside a block level element:</td>';
+echo '<td><img src="' . $_SERVER['PHP_SELF'] . '?=' . php_logo_guid() . '" alt="PHP Logo !" /></td>';
+echo '</tr></table>';
+</PHP>
+
+**Please Note**: HTML and PHP embedding is disabled by default in the configuration. If disabled, the code is displayed instead of executed.
+
+===== RSS/ATOM Feed Aggregation =====
+[[DokuWiki]] can integrate data from external XML feeds. For parsing the XML feeds, [[http://simplepie.org/|SimplePie]] is used. All formats understood by SimplePie can be used in DokuWiki as well. You can influence the rendering by multiple additional space separated parameters:
+
+^ Parameter  ^ Description ^
+| any number | will be used as maximum number items to show, defaults to 8 |
+| reverse    | display the last items in the feed first |
+| author     | show item authors names |
+| date       | show item dates |
+| description| show the item description. If [[doku>config:htmlok|HTML]] is disabled all tags will be stripped |
+| //n//[dhm] | refresh period, where d=days, h=hours, m=minutes. (e.g. 12h = 12 hours). |
+
+The refresh period defaults to 4 hours. Any value below 10 minutes will be treated as 10 minutes. [[wiki:DokuWiki]] will generally try to supply a cached version of a page, obviously this is inappropriate when the page contains dynamic external content. The parameter tells [[wiki:DokuWiki]] to re-render the page if it is more than //refresh period// since the page was last rendered.
+
+**Example:**
+
+  {{rss>http://slashdot.org/index.rss 5 author date 1h }}
+
+{{rss>http://slashdot.org/index.rss 5 author date 1h }}
+
+
+===== Control Macros =====
+
+Some syntax influences how DokuWiki renders a page without creating any output it self. The following control macros are available:
+
+^ Macro           ^ Description |
+| %%~~NOTOC~~%%   | If this macro is found on the page, no table of contents will be created |
+| %%~~NOCACHE~~%% | DokuWiki caches all output by default. Sometimes this might not be wanted (eg. when the %%<php>%% syntax above is used), adding this macro will force DokuWiki to rerender a page on every call |
+
+===== Syntax Plugins =====
+
+DokuWiki's syntax can be extended by [[doku>plugins|Plugins]]. How the installed plugins are used is described on their appropriate description pages. The following syntax plugins are available in this particular DokuWiki installation:
+
+~~INFO:syntaxplugins~~
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/tmp/_dummy b/ansible_collections/debops/debops/roles/dokuwiki/files/srv/www/dokuwiki/farm/animal/data/tmp/_dummy
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/meta/main.yml b/ansible_collections/debops/debops/roles/dokuwiki/meta/main.yml
new file mode 100644
index 00000000..2632da49
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install DokuWiki, a text-based wiki written in PHP5'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - web
+    - wiki
+    - dokuwiki
+    - php
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/meta/watch-dokuwiki b/ansible_collections/debops/debops/roles/dokuwiki/meta/watch-dokuwiki
new file mode 100644
index 00000000..2b20c293
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/meta/watch-dokuwiki
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: dokuwiki
+# Package: dokuwiki
+# Version: stable
+
+version=4
+https://github.com/splitbrain/dokuwiki/tags .*/release_stable_(.+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/post_main.yml b/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/post_main.yml
new file mode 100644
index 00000000..de3fb449
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2021 Jonathan Struebel <jonathan.struebel@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/pre_main.yml b/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/pre_main.yml
new file mode 100644
index 00000000..de3fb449
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/tasks/dokuwiki/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2021 Jonathan Struebel <jonathan.struebel@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/tasks/main.yml b/ansible_collections/debops/debops/roles/dokuwiki/tasks/main.yml
new file mode 100644
index 00000000..53e2b7a6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/tasks/main.yml
@@ -0,0 +1,275 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "dokuwiki/pre_main.yml") }}'
+
+- name: Install requested packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dokuwiki__base_packages
+                              + dokuwiki__packages)) }}'
+    state: 'present'
+  register: dokuwiki__register_packages
+  until: dokuwiki__register_packages is succeeded
+
+- name: Create DokuWiki group
+  ansible.builtin.group:
+    name: '{{ dokuwiki__group }}'
+    system: True
+    state: 'present'
+
+- name: Create DokuWiki user
+  ansible.builtin.user:
+    name: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    home: '{{ dokuwiki__home }}'
+    shell: '{{ dokuwiki__shell }}'
+    comment: 'DokuWiki'
+    createhome: False
+    system: True
+    state: 'present'
+
+
+# ---- Deployment ----
+
+- name: Create DokuWiki source directory
+  ansible.builtin.file:
+    path: '{{ dokuwiki__src }}'
+    state: 'directory'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0750'
+
+- name: Clone DokuWiki source from deploy server
+  ansible.builtin.git:
+    repo: '{{ dokuwiki__git_repo }}'
+    dest: '{{ dokuwiki__git_dest }}'
+    version: 'master'
+    bare: True
+    update: True
+  become: True
+  become_user: '{{ dokuwiki__user }}'
+  register: dokuwiki__register_source
+  until: dokuwiki__register_source is succeeded
+
+- name: Create DokuWiki checkout directory
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__webserver_user }}'
+    mode: '0750'
+  with_items: [ '{{ dokuwiki__www }}', '{{ dokuwiki__git_checkout }}' ]
+
+- name: Prepare DokuWiki worktree
+  ansible.builtin.copy:
+    content: 'gitdir: {{ dokuwiki__git_dest }}'
+    dest: '{{ dokuwiki__git_checkout + "/.git" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0644'
+
+- name: Get commit hash of target checkout
+  environment:
+    GIT_WORK_TREE: '{{ dokuwiki__git_checkout }}'
+  ansible.builtin.command: git rev-parse {{ dokuwiki__git_version }}  # noqa command-instead-of-module
+  args:
+    chdir: '{{ dokuwiki__git_dest }}'
+  become: True
+  become_user: '{{ dokuwiki__user }}'
+  register: dokuwiki__register_target_branch
+  changed_when: dokuwiki__register_target_branch.stdout != dokuwiki__register_source.before
+
+- name: Checkout DokuWiki
+  environment:
+    GIT_WORK_TREE: '{{ dokuwiki__git_checkout }}'
+  ansible.builtin.command: git checkout -f {{ dokuwiki__git_version }}   # noqa command-instead-of-module
+  args:
+    chdir: '{{ dokuwiki__git_dest }}'
+  become: True
+  become_user: '{{ dokuwiki__user }}'
+  register: dokuwiki__register_checkout
+  changed_when: dokuwiki__register_checkout.changed | bool
+  when: (dokuwiki__register_source.before is undefined or
+         (dokuwiki__register_source.before is defined and
+          dokuwiki__register_target_branch.stdout is defined and
+          dokuwiki__register_source.before != dokuwiki__register_target_branch.stdout))
+
+
+# ---- Configuration ----
+
+- name: Remove specified plugins if requested
+  ansible.builtin.file:
+    path: '{{ dokuwiki__git_checkout + "/lib/plugins/" + item.dest }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dokuwiki__default_plugins
+                           + dokuwiki__plugins) }}'
+  when: (dokuwiki__plugins_enabled | bool and
+         (item.dest | d() and item.dest) and (item.state | d() and item.state == 'absent'))
+
+- name: Install specified plugins from git repositories
+  ansible.builtin.git:
+    repo: '{{ item.repo }}'
+    dest: '{{ dokuwiki__git_checkout + "/lib/plugins/" + item.dest }}'
+    version: '{{ item.version | d(omit) }}'
+    update: True
+  become: True
+  become_user: '{{ dokuwiki__user }}'
+  loop: '{{ q("flattened", dokuwiki__default_plugins
+                           + dokuwiki__plugins) }}'
+  register: dokuwiki__register_git_plugins
+  until: dokuwiki__register_git_plugins is succeeded
+  when: (dokuwiki__plugins_enabled | bool and
+         (item.repo | d() and item.repo) and (item.dest | d() and item.dest) and
+         (item.state is undefined or (item.state | d() and item.state != 'absent')))
+
+- name: Remove specified templates if requested
+  ansible.builtin.file:
+    path: '{{ dokuwiki__git_checkout + "/lib/tpl/" + item.dest }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dokuwiki__default_templates
+                           + dokuwiki__templates) }}'
+  when: (dokuwiki__plugins_enabled | bool and
+         (item.dest | d() and item.dest) and (item.state | d() and item.state == 'absent'))
+
+- name: Install specified templates from git repositories
+  ansible.builtin.git:
+    repo: '{{ item.repo }}'
+    dest: '{{ dokuwiki__git_checkout + "/lib/tpl/" + item.dest }}'
+    version: '{{ item.version | d(omit) }}'
+    update: True
+  become: True
+  become_user: '{{ dokuwiki__user }}'
+  loop: '{{ q("flattened", dokuwiki__default_templates
+                           + dokuwiki__templates) }}'
+  register: dokuwiki__register_git_templates
+  until: dokuwiki__register_git_templates is succeeded
+  when: (dokuwiki__plugins_enabled | bool and
+         (item.repo | d() and item.repo) and (item.dest | d() and item.dest) and
+         (item.state is undefined or (item.state | d() and item.state != 'absent')))
+
+- name: Generate protected local configuration file
+  ansible.builtin.template:
+    src: 'srv/www/dokuwiki/sites/public/conf/local.protected.php.j2'
+    dest: '{{ dokuwiki__git_checkout + "/conf/local.protected.php" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0600'
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::dokuwiki:conf' ]
+
+- name: Generate protected plugin configuration file
+  ansible.builtin.template:
+    src: 'srv/www/dokuwiki/sites/public/conf/plugins.protected.php.j2'
+    dest: '{{ dokuwiki__git_checkout + "/conf/plugins.protected.php" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0600'
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::dokuwiki:conf' ]
+
+- name: Generate local MIME configuration file
+  ansible.builtin.template:
+    src: 'srv/www/dokuwiki/sites/public/conf/mime.local.conf.j2'
+    dest: '{{ dokuwiki__git_checkout + "/conf/mime.local.conf" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0600'
+  tags: [ 'role::dokuwiki:conf', 'role::dokuwiki:mime' ]
+
+- name: Install maintenance scripts
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items:
+    - 'etc/cron.daily/dokuwiki-cleanup'
+    - 'etc/cron.weekly/dokuwiki-wikipedia-blacklist'
+
+- name: Create farm base directory
+  ansible.builtin.file:
+    path: '{{ dokuwiki__farm_path }}'
+    state: 'directory'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__webserver_user }}'
+    mode: '0750'
+  when: dokuwiki__farm | bool
+
+- name: Create farm animal directories
+  ansible.builtin.copy:
+    src: 'srv/www/dokuwiki/farm/animal/'
+    dest: '{{ dokuwiki__farm_path + "/" + item + "/" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__webserver_user }}'
+    mode: '0750'
+    force: False
+  with_items: '{{ dokuwiki__farm_animals }}'
+  when: (dokuwiki__farm | bool and dokuwiki__farm_animals)
+
+- name: Disable DokuWiki farm if not enabled
+  ansible.builtin.file:
+    path: '{{ dokuwiki__git_checkout + "/inc/preload.php" }}'
+    state: 'absent'
+  when: (not dokuwiki__farm | bool or not dokuwiki__farm_animals)
+
+- name: Configure DokuWiki farm preload script
+  ansible.builtin.template:
+    src: 'srv/www/dokuwiki/sites/public/inc/preload.php.j2'
+    dest: '{{ dokuwiki__git_checkout + "/inc/preload.php" }}'
+    owner: '{{ dokuwiki__user }}'
+    group: '{{ dokuwiki__group }}'
+    mode: '0644'
+  when: (dokuwiki__farm | bool and dokuwiki__farm_animals)
+
+- name: Download initial anti-spam blacklist
+  ansible.builtin.command: /etc/cron.weekly/dokuwiki-wikipedia-blacklist
+  args:
+    creates: '{{ dokuwiki__git_checkout + "/conf/wordblock.local.conf" }}'
+
+- name: Delete extra files on remote host
+  ansible.builtin.file:
+    path:  '{{ item.dest | d(item.path | d(item.name)) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dokuwiki__extra_files
+                           + dokuwiki__group_extra_files
+                           + dokuwiki__host_extra_files) }}'
+  when: (item.dest | d() or item.path | d() or item.name | d()) and
+        (item.state | d('present') == 'absent')
+  tags: [ 'role::dokuwiki' ]
+
+- name: Copy extra files to remote host
+  ansible.builtin.copy:
+    dest:     '{{ item.dest | d(item.path | d(item.name)) }}'
+    src:      '{{ item.src | d(omit) }}'
+    content:  '{{ item.content | d(omit) }}'
+    owner:    '{{ item.owner | d(omit) }}'
+    group:    '{{ item.group | d(omit) }}'
+    mode:     '{{ item.mode | d(omit) }}'
+    selevel:  '{{ item.selevel | d(omit) }}'
+    serole:   '{{ item.serole | d(omit) }}'
+    setype:   '{{ item.setype | d(omit) }}'
+    seuser:   '{{ item.seuser | d(omit) }}'
+    follow:   '{{ item.follow | d(omit) }}'
+    force:    '{{ item.force | d(omit) }}'
+    backup:   '{{ item.backup | d(omit) }}'
+    validate: '{{ item.validate | d(omit) }}'
+    remote_src: '{{ item.remote_src | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+  loop: '{{ q("flattened", dokuwiki__extra_files
+                           + dokuwiki__group_extra_files
+                           + dokuwiki__host_extra_files) }}'
+  when: (item.src | d() or item.content is defined) and
+        (item.dest | d() or item.path | d() or item.name | d()) and
+        (item.state | d('present') != 'absent')
+  tags: [ 'role::dokuwiki' ]
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "dokuwiki/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.daily/dokuwiki-cleanup.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.daily/dokuwiki-cleanup.j2
new file mode 100644
index 00000000..3967d272
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.daily/dokuwiki-cleanup.j2
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2006-2019 DokuWiki Contributors <https://dokuwiki.org/>
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Source: https://www.dokuwiki.org/tips:maintenance
+
+# {{ ansible_managed }}
+
+# Clean up DokuWiki installation
+
+function cleanup()
+{
+    local data_path="$1"        # full path to data directory of wiki
+    local retention_days="$2"   # number of days after which old files are to be removed
+
+    # purge files older than ${retention_days} days from attic and media_attic (old revisions)
+    find "${data_path}"/{media_,}attic/ -type f -mtime +"${retention_days}" -delete
+
+    # remove stale lock files (files which are 1-2 days old)
+    find "${data_path}"/locks/ -name '*.lock' -type f -mtime +1 -delete
+
+    # remove empty directories
+    find "${data_path}"/{attic,cache,index,locks,media,media_attic,media_meta,meta,pages,tmp}/ \
+        -mindepth 1 -type d -empty -delete
+
+    # remove files older than ${retention_days} days from the cache
+    if [ -e "${data_path}/cache/?/" ]
+    then
+        find "${data_path}"/cache/?/ -type f -mtime +"${retention_days}" -delete
+    fi
+}
+
+cleanup_path="{{ dokuwiki__git_checkout + '/data' }}"
+
+dokuwiki_farm="{{ dokuwiki__farm | bool | lower }}"
+dokuwiki_farm_path="{{ dokuwiki__farm_path }}"
+read -r -a dokuwiki_farm_animals <<< "{{ dokuwiki__farm_animals | join(' ') }}"
+
+# Cleanup DokuWiki installations (path to datadir, number of days)
+cleanup "${cleanup_path}" 180
+if [ "${dokuwiki_farm}" = "true" ] ; then
+    for animal in "${dokuwiki_farm_animals[@]}" ; do
+        cleanup "${dokuwiki_farm_path}/${animal}/data" 180
+    done
+fi
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.weekly/dokuwiki-wikipedia-blacklist.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.weekly/dokuwiki-wikipedia-blacklist.j2
new file mode 100644
index 00000000..d7edfccc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/etc/cron.weekly/dokuwiki-wikipedia-blacklist.j2
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Install current Wikipedia anti-spam blacklist
+
+blacklist="https://meta.wikimedia.org/wiki/Spam_blacklist?action=raw"
+wordblock_file="{{ dokuwiki__git_checkout + '/conf/wordblock.local.conf' }}"
+
+dokuwiki_farm="{{ dokuwiki__farm | bool | lower }}"
+dokuwiki_farm_path="{{ dokuwiki__farm_path }}"
+read -r -a dokuwiki_farm_animals <<< "{{ dokuwiki__farm_animals | join(' ') }}"
+
+if type curl > /dev/null 2>&1 ; then
+    curl --silent "${blacklist}" | grep -v '<pre>' > "${wordblock_file}"
+
+    if [ "${dokuwiki_farm}" = "true" ] ; then
+        for animal in "${dokuwiki_farm_animals[@]}" ; do
+            if ! [ -h "${dokuwiki_farm_path}/${animal}/conf/wordblock.local.conf" ] ; then
+                ln -s "${wordblock_file}" "${dokuwiki_farm_path}/${animal}/conf/wordblock.local.conf"
+            fi
+        done
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/local.protected.php.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/local.protected.php.j2
new file mode 100644
index 00000000..c1b500a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/local.protected.php.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/* {{ ansible_managed }} */
+
+/* Local DokuWiki configuration options which are not configurable using the
+   Configuration Manager interface */
+
+{{ dokuwiki__protected_conf_php | regex_replace('\n$','') }}
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/mime.local.conf.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/mime.local.conf.j2
new file mode 100644
index 00000000..b1301e38
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/mime.local.conf.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#
+# Allowed uploadable file extensions and mimetypes are defined here.
+# Mimetypes that should be downloadable and not be opened in the
+# should be prefixed with a !
+#
+
+{{  dokuwiki__local_mime_types_conf | d() }}
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/plugins.protected.php.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/plugins.protected.php.j2
new file mode 100644
index 00000000..6ca33476
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/conf/plugins.protected.php.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/* {{ ansible_managed }} */
+
+/* Local DokuWiki configuration options which are not configurable using the
+   Configuration Manager interface */
+
+{{ dokuwiki__protected_plugins_php | regex_replace('\n$','') }}
diff --git a/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/inc/preload.php.j2 b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/inc/preload.php.j2
new file mode 100644
index 00000000..cb1f66ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dokuwiki/templates/srv/www/dokuwiki/sites/public/inc/preload.php.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/**
+ * {{ ansible_managed }}
+ *
+ * This is an example for a farm setup. Simply copy this file to preload.php and
+ * uncomment what you need. See https://www.dokuwiki.org/farms for more information.
+ * You can also use preload.php for other things than farming, e.g. for moving
+ * local configuration files out of the main ./conf directory.
+ */
+
+{% if dokuwiki__farm_animals | d() and dokuwiki__farm_animals %}
+// set this to your farm directory
+if(!defined('DOKU_FARMDIR')) define('DOKU_FARMDIR', '{{ dokuwiki__farm_path }}');
+
+// include this after DOKU_FARMDIR if you want to use farms
+include(fullpath(dirname(__FILE__)).'/farm.php');
+
+// you can overwrite the $config_cascade to your liking
+//$config_cascade = array(
+//);
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dovecot/COPYRIGHT b/ansible_collections/debops/debops/roles/dovecot/COPYRIGHT
new file mode 100644
index 00000000..7bed8e18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.dovecot - Manage Dovecot IMAP/POP3 server using Ansible
+
+Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+Copyright (C) 2015-2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dovecot/defaults/main.yml b/ansible_collections/debops/debops/roles/dovecot/defaults/main.yml
new file mode 100644
index 00000000..39ff1c55
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/defaults/main.yml
@@ -0,0 +1,1415 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# .. Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dovecot__ref_defaults:
+
+# debops.dovecot default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General Dovecot configuration [[[
+# ---------------------------------
+
+# .. envvar:: dovecot__features [[[
+#
+# List of features which should be installed and enabled. See
+# :ref:`dovecot__ref_features` for details.
+dovecot__features: [ 'imap', 'imaps', 'lmtp', 'sieve', 'quota' ]
+
+                                                                   # ]]]
+# .. envvar:: dovecot__auth_mechanisms [[[
+#
+# List of enabled authentication mechanisms. Currently ``plain`` and ``login``
+# are supported.
+dovecot__auth_mechanisms: [ 'plain', 'login' ]
+
+                                                                   # ]]]
+# .. envvar:: dovecot__version [[[
+#
+# Variable which specifies what Dovecot version is installed on the host. It is
+# defined via Ansible local facts and can be used in conditions to modify the
+# configuration as needed.
+dovecot__version: '{{ ansible_local.dovecot.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# User database/mailbox configuration [[[
+# ---------------------------------------
+
+# .. envvar:: dovecot__user_accounts [[[
+#
+# User account lookup mechanisms, see :ref:`dovecot__ref_user_accounts`
+# for details.
+dovecot__user_accounts: '{{ ["deny", "ldap"]
+                            if dovecot__ldap_enabled | bool
+                            else ["deny", "system"] }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__deny_users [[[
+#
+# List of users for which mail access is disabled.
+dovecot__deny_users: [ 'root' ]
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_location [[[
+#
+# Mailbox location. For mbox set something like
+# ``mbox:~/mail:INBOX=/var/mail/%u``.  For more information about the supported
+# format, see the `Dovecot Mail Location`__ documentation.
+#
+# .. __: https://doc.dovecot.org/configuration_manual/mail_location/
+dovecot__mail_location: 'maildir:~/Maildir'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__auth_default_realm [[[
+#
+# The default domain (realm) to add to the usernames that don't include one.
+# Required to correctly point the clients to their mailbox directories.
+dovecot__auth_default_realm: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Virtual Mail [[[
+# ----------------
+#
+# These settings makes it possible to host multiple (virtual) domains and to
+# manage mail for users which do not need to have a local system account.
+#
+
+# .. envvar:: dovecot__vmail_enabled [[[
+#
+# Whether the virtual mail support should be enabled.
+dovecot__vmail_enabled: '{{ True if (dovecot__user_accounts |
+                                     intersect(["mysql", "pgsql", "sqlite",
+                                                "ldap", "passwdfile"]))
+                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__vmail_posix_user [[[
+#
+# A separate user ``vmail`` (`Virtual Mail`), which owns the mailbox
+# directories and is used by the various mail daemons to store and access the
+# stored email, can be used.  On the one hand this prevents mail daemons
+# components from accessing sensitive system directories, on the other hand it
+# protects the mailboxes from external access. Only the ``vmail`` user (and
+# ``root``) are allowed to access the mailboxes.
+dovecot__vmail_posix_user: '{{ ansible_local.postldap.vmail_posix_user
+                               | d("vmail") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__vmail_posix_group [[[
+#
+# Virtual Mail POSIX group.
+dovecot__vmail_posix_group: '{{ ansible_local.postldap.vmail_posix_group
+                                | d("vmail") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__vmail_base [[[
+#
+# The base directory where user mail directories are located, which also
+# serves as the ``home`` directory for the :envvar:`dovecot__vmail_posix_user`.
+# This directory is used as the base for the virtual mail home directory paths
+# and is used e.g. as a prefix for the ``mailHomeDirectory`` LDAP attribute if
+# it's found in the LDAP lookups.
+dovecot__vmail_base: '/var/vmail'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__vmail_home [[[
+#
+# The vmail home directory is a per-user directory where Dovecot can save
+# user-specific files. Dovecot's home directories have nothing to do with
+# system users' home directories. For more information, see `Home Directories
+# for Virtual Users`__.
+#
+# .. __: https://wiki.dovecot.org/VirtualUsers/Home
+dovecot__vmail_home: '{{ dovecot__vmail_base ~ "/%d/%n" }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# DSync Settings [[[
+# --------------
+#
+# Dovecot supports master/master replication using ``dsync``.  For more
+# information, see :ref:`dovecot__ref_dsync`.
+
+# .. envvar:: dovecot__dsync_port [[[
+#
+# Port to use for ``dsync``, defaults to 12345.
+dovecot__dsync_port: '12345'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__dsync_host [[[
+#
+# Remote host to sync with, required.
+dovecot__dsync_host: ''
+
+                                                                   # ]]]
+# .. envvar:: dovecot__dsync_replica [[[
+#
+# Remote host to sync with, specified in the form ``tcp[s]:host[:port]``.
+dovecot__dsync_replica: '{{ ("tcps" if dovecot__pki | d(True) else "tcp") ~ ":" ~
+                            dovecot__dsync_host ~ ":" ~
+                            dovecot__dsync_port }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__dsync_password_path [[[
+#
+# Directory on the Ansible Host where the dsync password will be stored.
+# By default it's stored relative to the :file:`secret/` directory in the
+# DebOps project directory. See the :ref:`debops.secret` role for more details.
+dovecot__dsync_password_path: '{{ "dovecot/credentials/dsync.password" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__dsync_password [[[
+#
+# Password to use for the ``dsync`` protocol. Must be the same on both
+# hosts of a replica pair.
+dovecot__dsync_password: '{{ lookup("password", secret + "/"
+                                    + dovecot__dsync_password_path
+                                    + " length=32") }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# SQL Authentication Settings [[[
+# ---------------------------
+#
+
+# .. envvar:: dovecot__sql_connect [[[
+#
+# Database-driver specific database connection string. See
+# :ref:`dovecot__ref_sql` for more details.
+dovecot__sql_connect: ''
+
+                                                                   # ]]]
+# .. envvar:: dovecot__sql_default_pass_scheme [[[
+#
+# Default password scheme for passwords, stored in a SQL database.  For more
+# information about the supported schemes, check `Authentication /
+# PasswordSchemes
+# <https://doc.dovecot.org/configuration_manual/authentication/password_schemes/>`_.
+dovecot__sql_default_pass_scheme: 'SSHA512'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__sql_password_query [[[
+#
+# SQL query string to get the password. This function should return the values
+# ``username``, ``domain`` and ``password``.
+dovecot__sql_password_query: "SELECT userid AS username, domain, password FROM users WHERE userid = '%n' AND domain = '%d'"
+
+                                                                   # ]]]
+# .. envvar:: dovecot__sql_user_query [[[
+#
+# SQL query string to get the userdb. This function should return the values
+# ``home``, ``uid`` and ``gid``.
+#
+# Optionally the ``mail_location`` can be defined with the option ``mail``,
+# see `MailLocation`__.
+#
+# .. __: https://doc.dovecot.org/configuration_manual/mail_location/
+dovecot__sql_user_query: "SELECT home, uid, gid FROM users WHERE userid = '%n' AND domain = '%d'"
+
+                                                                   # ]]]
+# .. envvar:: dovecot__sql_iterate_query [[[
+#
+# SQL query string to get a list of users. This function should return all
+# valid users (``user`` or ``username`` and ``domain``).
+#
+# For more information about the iterate query , see
+# the `Dovecot SQL documentation`__.
+#
+# .. __: https://doc.dovecot.org/configuration_manual/authentication/sql/
+dovecot__sql_iterate_query: "SELECT userid AS username, domain FROM users"
+
+                                                                   # ]]]
+# .. envvar:: dovecot__passwdfile_scheme [[[
+#
+# Encryption scheme to use with password authentication.
+dovecot__passwdfile_scheme: 'sha512-crypt'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__passwdfile_path [[[
+#
+# Path to the :command:`dovecot` password file.
+dovecot__passwdfile_path: '/etc/dovecot/private/'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__passwdfile_name [[[
+#
+# Name of the :command:`dovecot` password file.
+dovecot__passwdfile_name: 'passwd'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__checkpassword_passdb_command [[[
+#
+# Command to fetch the password database in checkpassword auth mode.
+dovecot__checkpassword_passdb_command: '/usr/bin/checkpassword'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__checkpassword_userdb_command [[[
+#
+# Command to fetch the user database in checkpassword auth mode.
+dovecot__checkpassword_userdb_command: '/usr/bin/checkpassword'
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI / TLS configuration [[[
+# ---------------------------
+
+# .. envvar:: dovecot__pki [[[
+#
+# Enable or disable support for TLS/SSL using :ref:`debops.pki`.
+dovecot__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_path [[[
+#
+# Base PKI directory.
+dovecot__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_realm [[[
+#
+# Default PKI realm.
+dovecot__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_ca [[[
+#
+# Name of the Root Certificate Authority certificate file, relative to the PKI
+# realm directory.
+dovecot__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_crt [[[
+#
+# Default certificate, relative to the :envvar:`dovecot__pki_realm` variable.
+dovecot__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_key [[[
+#
+# Default private key, relative to the :envvar:`dovecot__pki_realm` variable.
+dovecot__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__tls_ca_cert_dir [[[
+#
+# Directory containing X509 Certification Authority certificates.
+dovecot__tls_ca_cert_dir: '/etc/ssl/certs/'
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_required [[[
+#
+# Requires SSL/TLS also for non-plaintext authentication. For more
+# information check ``ssl_required`` in the `Dovecot SSL Configuration`__.
+#
+# .. __: https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
+dovecot__ssl_required: True
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_min_protocol [[[
+#
+# SSL ciphers to use.
+dovecot__ssl_min_protocol: '{{ "TLSv1.2" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_dh_parameters_length [[[
+#
+# Diffie-Hellman parameters length.
+dovecot__ssl_dh_parameters_length: 4096
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_cipher_list [[[
+#
+# SSL ciphers to use.
+dovecot__ssl_cipher_list: '{{ dovecot__ssl_cipher_list_default }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_cipher_list_default [[[
+#
+# Default SSL ciphers.
+dovecot__ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_cipher_list_better_crypto [[[
+#
+# See the `bettercrypto.org`__ guide.
+#
+# .. __: https://bettercrypto.org/
+dovecot__ssl_cipher_list_better_crypto: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_cipher_list_ncsc_nl [[[
+#
+# The 'good' cipher suite from the `NCSC-NL TLS Guidelines v2.1`__.
+#
+# .. __: https://english.ncsc.nl/publications/publications/2021/january/19/it-security-guidelines-for-transport-layer-security-2.1
+dovecot__ssl_cipher_list_ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_hook_name [[[
+#
+# Name of the :ref:`debops.pki` hook script.
+dovecot__pki_hook_name: 'dovecot'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_hook_path [[[
+#
+# Directory for the :ref:`debops.pki` hooks.
+dovecot__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__pki_hook_action [[[
+#
+# Specify how changes in PKI should affect dovecot, either 'reload' or
+# 'restart'.
+dovecot__pki_hook_action: 'reload'
+                                                                   # ]]]
+                                                                   # ]]]
+# Diffie-Hellman parameters [[[
+# -----------------------------
+
+# .. envvar:: dovecot__dhparam [[[
+#
+# Enable or disable support for custom Diffie-Hellman parameters managed by the
+# :ref:`debops.dhparam` Ansible role.
+dovecot__dhparam: '{{ ansible_local.dhparam.enabled
+                      if (ansible_local | d() and ansible_local.dhparam | d() and
+                          ansible_local.dhparam.enabled is defined)
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__dhparam_set [[[
+#
+# Name of the Diffie-Hellman parameter set to use. See the
+# :ref:`debops.dhparam` Ansible role for more details.
+dovecot__dhparam_set: 'default'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ssl_dh_file [[[
+#
+# Absolute path to the Diffie-Hellman parameters file which should be used.
+dovecot__ssl_dh_file: '{{ ansible_local.dhparam[dovecot__dhparam_set]
+                          if (ansible_local | d() and ansible_local.dhparam | d() and
+                            ansible_local.dhparam[dovecot__dhparam_set] | d())
+                          else "" }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Dovecot custom configuration [[[
+# --------------------------------
+
+# These variables define the contents of the :file:`/etc/dovecot/dovecot.conf`
+# configuration file.
+
+# .. envvar:: dovecot__default_configuration [[[
+#
+# The default :command:`dovecot` configuration options defined by the role. See
+# :ref:`dovecot__ref_configuration_syntax` for details.
+dovecot__default_configuration:
+
+  - section: 'main'
+    title: 'Main Configuration'
+    options:
+
+      - name: 'protocols'
+        comment: 'Currently active protocols'
+        value: |  # noqa jinja[spacing]
+          {{ dovecot__features |
+             intersect(['imap', 'imaps', 'pop3',
+                        'pop3s', 'sieve', 'lmtp']) |
+             map("regex_replace", "^(imap|pop3)s$", "\1") |
+             list | unique | join(' ') }}
+
+  - section: 'authentication'
+    title: 'Client Configuration'
+    options:
+
+      - name: 'auth_mechanisms'
+        value: '{{ dovecot__auth_mechanisms | join(" ") }}'
+
+      - name: 'disable_plaintext_auth'
+        value: 'yes'
+
+      - name: 'auth_default_realm'
+        value: '{{ dovecot__auth_default_realm }}'
+
+      - name: 'mail_uid'
+        value: '{{ dovecot__vmail_posix_user }}'
+        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'
+
+      - name: 'mail_gid'
+        value: '{{ dovecot__vmail_posix_group }}'
+        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'
+
+      - name: 'mail_privileged_group'
+        value: '{{ dovecot__vmail_posix_user }}'
+        state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'
+
+      - name: 'passdb_deny'
+        option: 'passdb'
+        state: '{{ "present" if "deny" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'passwd-file'
+
+          - name: 'deny'
+            value: 'yes'
+
+          - name: 'args'
+            value: '/etc/dovecot/dovecot.deny'
+
+      - name: 'passdb_system'
+        option: 'passdb'
+        state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'pam'
+
+          - name: 'args'
+            value: 'session=yes dovecot'
+
+      - name: 'userdb_system'
+        option: 'userdb'
+        state: '{{ "present" if "system" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'passwd'
+
+          - name: 'args'
+            value: 'blocking=no'
+
+      - name: 'passdb_sql'
+        option: 'passdb'
+        state: '{{ "present" if (dovecot__user_accounts | d([]) |
+                     intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'sql'
+
+          - name: 'args'
+            value: '/etc/dovecot/dovecot-sql.conf.ext'
+
+      - name: 'userdb_sql'
+        option: 'userdb'
+        state: '{{ "present" if (dovecot__user_accounts | d([]) |
+                     intersect(["mysql", "pgsql", "sqlite"])) else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'sql'
+
+          - name: 'args'
+            value: '/etc/dovecot/dovecot-sql.conf.ext'
+
+      - name: 'passdb_ldap'
+        option: 'passdb'
+        state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'ldap'
+
+          - name: 'args'
+            value: '/etc/dovecot/dovecot-ldap-passdb.conf'
+
+      - name: 'userdb_ldap'
+        option: 'userdb'
+        state: '{{ "present" if "ldap" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'ldap'
+
+          - name: 'args'
+            value: '/etc/dovecot/dovecot-ldap-userdb.conf'
+
+      - name: 'passdb_passwd'
+        option: 'passdb'
+        state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'passwd-file'
+
+          - name: 'args'
+            value: 'scheme={{ dovecot__passwdfile_scheme }} {{ dovecot__passwdfile_path }}/{{ dovecot__passwdfile_name }}'
+
+      - name: 'userdb_passwd'
+        option: 'userdb'
+        state: '{{ "present" if "passwdfile" in dovecot__user_accounts else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'static'
+
+          - name: 'args'
+            value: 'uid={{ dovecot__vmail_posix_user }} gid={{ dovecot__vmail_posix_group }} home={{ dovecot__vmail_home }}'
+
+          - name: 'default_fields'
+            value: 'quota_rule=*:storage=1G'
+            comment: 'Default fields that can be overridden by passwd-file'
+            state: 'comment'
+
+          - name: 'override_fields'
+            value: 'home=/home/virtual/%u'
+            comment: 'Override fields from passwd-file'
+            state: 'comment'
+
+      - name: 'passdb_checkpassword'
+        option: 'passdb'
+        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
+                     dovecot__checkpassword_passdb_command | d()) else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'checkpassword'
+
+          - name: 'args'
+            value: '{{ dovecot__checkpassword_passdb_command }}'
+
+      - name: 'userdb_checkpassword_pre'
+        option: 'userdb'
+        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
+                     dovecot__checkpassword_userdb_command | d()) else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'prefetch'
+
+      - name: 'userdb_checkpassword_main'
+        option: 'userdb'
+        state: '{{ "present" if ("checkpassword" in dovecot__user_accounts and
+                     dovecot__checkpassword_userdb_command | d()) else "absent" }}'
+        options:
+
+          - name: 'driver'
+            value: 'checkpassword'
+
+          - name: 'args'
+            value: '{{ dovecot__checkpassword_userdb_command }}'
+
+  - section: 'tls'
+    title: 'TLS Configuration'
+    state: '{{ "present" if dovecot__pki is defined and dovecot__pki else "absent" }}'
+    options:
+
+      - name: 'ssl'
+        value: '{{ "required" if dovecot__ssl_required else "yes" }}'
+
+      - name: 'ssl_prefer_server_ciphers'
+        value: 'yes'
+        comment: 'Prefer the server''s order of ciphers over the client''s. (dovecot >= 2.2.6)'
+
+      - name: 'ssl_cert'
+        value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_crt }}'
+
+      - name: 'ssl_key'
+        value: '<{{ dovecot__pki_path ~ "/" ~ dovecot__pki_realm ~ "/" ~ dovecot__pki_key }}'
+
+      - name: 'ssl_protocols'
+        value: '{{ dovecot__ssl_min_protocol }}'
+        state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
+
+      - name: 'ssl_dh_parameters_length'
+        value: '{{ dovecot__ssl_dh_parameters_length }}'
+        state: '{{ "present" if dovecot__version is version("2.3.0", "<") else "absent" }}'
+        comment: 'Diffie-Hellman parameters length (default 1024, dovecot >= 2.2.7, optional in dovecot >= 2.3.3)'
+
+      - name: 'ssl_min_protocol'
+        value: '{{ dovecot__ssl_min_protocol }}'
+        state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
+
+      - name: 'ssl_dh'
+        value: '{{ "" if (dovecot__ssl_dh_file == "") else ("<" + dovecot__ssl_dh_file) }}'
+        state: '{{ "present" if dovecot__version is version("2.3.0", ">=") else "absent" }}'
+
+      - name: 'ssl_cipher_list'
+        value: '{{ dovecot__ssl_cipher_list }}'
+
+      - name: 'ssl_client_ca_dir'
+        value: '/etc/ssl/certs'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+
+  - section: 'no_tls'
+    title: 'TLS Non-Configuration'
+    state: '{{ "absent" if dovecot__pki is defined and dovecot__pki else "present" }}'
+    options:
+
+      - name: 'ssl'
+        value: 'no'
+
+  - section: 'services'
+    title: 'Dovecot services'
+    options:
+
+      - name: 'service imap-login'
+        state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
+        options:
+
+          - name: 'inet_listener imap'
+            options:
+
+              - name: 'address'
+                value: '127.0.0.1, [::1]'
+                comment: 'Only localhost if no PKI is configured'
+                state: '{{ "present" if not dovecot__pki | d(True) else "comment" }}'
+
+              - name: 'port'
+                value: '{{ 143 if "imap" in dovecot__features else 0 }}'
+
+          - name: 'inet_listener imaps'
+            options:
+
+              - name: 'port'
+                value: '{{ 993 if ("imaps" in dovecot__features and dovecot__pki | d(True)) else 0 }}'
+                comment: 'Disabled if no PKI is configured'
+
+      - name: 'service pop3-login'
+        state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
+        options:
+
+          - name: 'inet_listener pop3'
+            options:
+
+              - name: 'address'
+                value: '127.0.0.1, [::1]'
+                comment: 'Only localhost if no PKI is configured'
+                state: '{{ "present" if not dovecot__pki | d(True) else "comment" }}'
+
+              - name: 'port'
+                value: '{{ 110 if "pop3" in dovecot__features else 0 }}'
+
+          - name: 'inet_listener pop3s'
+            options:
+
+              - name: 'port'
+                value: '{{ 995 if ("pop3s" in dovecot__features and dovecot__pki | d(True)) else 0 }}'
+                comment: 'Disabled if no PKI is configured'
+
+      - name: 'service lmtp'
+        state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'user'
+            value: '{{ dovecot__vmail_posix_user }}'
+            state: '{{ "present" if dovecot__vmail_enabled | d(False) else "absent" }}'
+
+          - name: 'unix_listener /var/spool/postfix/private/dovecot-lmtp'
+            options:
+
+              - name: 'mode'
+                value: '0660'
+
+              - name: 'group'
+                value: 'postfix'
+
+              - name: 'user'
+                value: 'postfix'
+
+      - name: 'service managesieve-login'
+        state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'inet_listener sieve'
+            options:
+
+              - name: 'port'
+                value: '4190'
+
+      - name: 'service replicator'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'process_min_avail'
+            value: '1'
+
+          - name: 'unix_listener replicator-doveadm'
+            options:
+
+              - name: 'mode'
+                value: '0600'
+
+              - name: 'user'
+                value: 'vmail'
+
+      - name: 'service aggregator'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'fifo_listener replication-notify-fifo'
+            options:
+
+              - name: 'user'
+                value: 'vmail'
+
+          - name: 'unix_listener replication-notify'
+            options:
+
+              - name: 'user'
+                value: 'vmail'
+
+      - name: 'service doveadm'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'inet_listener doveadm'
+            options:
+
+              - name: 'port'
+                value: '{{ dovecot__dsync_port }}'
+
+              - name: 'ssl'
+                value: 'yes'
+                state: '{{ "present" if (dovecot__pki | d(True)) else "absent" }}'
+
+      - name: 'replication_max_conns'
+        value: '10'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+
+      - name: 'doveadm_port'
+        value: '{{ dovecot__dsync_port }}'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+
+      - name: 'doveadm_password'
+        value: '{{ dovecot__dsync_password }}'
+        state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+
+      - name: 'service auth'
+        options:
+
+          - name: 'unix_listener /var/spool/postfix/private/auth'
+            options:
+
+              - name: 'mode'
+                value: '0660'
+
+              - name: 'group'
+                value: 'postfix'
+
+              - name: 'user'
+                value: 'postfix'
+
+          - name: 'unix_listener auth-userdb'
+            state: '{{ "present" if (dovecot__vmail_enabled | d(False) and
+                         "lmtp" in dovecot__features) else "absent" }}'
+            options:
+
+              - name: 'mode'
+                value: '0660'
+
+              - name: 'group'
+                value: '{{ dovecot__vmail_posix_group }}'
+
+              - name: 'user'
+                value: '{{ dovecot__vmail_posix_user }}'
+
+  - section: 'protocols'
+    title: 'Protocol settings'
+    options:
+
+      - name: 'protocol imap'
+        state: '{{ "present" if ("imap" in dovecot__features or "imaps" in dovecot__features) else "absent" }}'
+        options:
+
+          - name: 'mail_plugins'
+            value: '{{ dovecot__mail_plugins_imap | flatten | join(" ") }}'
+
+          - name: 'mail_max_userip_connections'
+            value: '20'
+            state: 'comment'
+
+          - name: 'imap_idle_notify_interval'
+            value: '29 mins'
+            state: 'comment'
+
+      - name: 'protocol pop3'
+        state: '{{ "present" if ("pop3" in dovecot__features or "pop3s" in dovecot__features) else "absent" }}'
+        options:
+
+          - name: 'mail_plugins'
+            value: '{{ dovecot__mail_plugins_pop3 | flatten | join(" ") }}'
+
+          - name: 'mail_max_userip_connections'
+            value: '10'
+            state: 'comment'
+
+      - name: 'protocol lda'
+        state: '{{ "present" if "lmtp" not in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'mail_plugins'
+            value: '{{ dovecot__mail_plugins_lda | flatten | join(" ") }}'
+
+          - name: 'postmaster_address'
+            value: 'postmaster@{{ ansible_domain }}'
+
+      - name: 'protocol lmtp'
+        state: '{{ "present" if "lmtp" in dovecot__features else "absent" }}'
+        options:
+
+          - name: 'mail_plugins'
+            value: '{{ dovecot__mail_plugins_lmtp | flatten | join(" ") }}'
+
+          - name: 'postmaster_address'
+            value: 'postmaster@{{ ansible_domain }}'
+
+  - section: 'mailbox_locations'
+    title: 'Mailbox Locations'
+    options:
+
+      - name: 'mail_home'
+        value: '{{ dovecot__vmail_home }}'
+        state: '{{ "present" if dovecot__vmail_enabled else "absent" }}'
+
+      - name: 'mail_location'
+        value: '{{ dovecot__mail_location }}'
+        state: '{{ "present" if dovecot__mail_location | d() else "comment" }}'
+
+  - section: 'mailbox_namespaces'
+    title: 'Mailbox Namespaces'
+    options:
+
+      - name: 'namespace inbox'
+        options:
+
+          - name: 'inbox'
+            value: 'yes'
+            comment: 'There can be only one INBOX, and this setting defines which namespace has it.'
+
+          - name: 'mailbox Drafts'
+            options:
+              - name: 'special_use'
+                value: '\Drafts'
+
+          - name: 'mailbox Junk'
+            options:
+              - name: 'special_use'
+                value: '\Junk'
+
+          - name: 'mailbox Trash'
+            comment: |
+              If you change the name of this mailbox and use LDAP,
+              dovecot__ldap_trash_field also needs to be updated.
+            options:
+
+              - name: 'special_use'
+                value: '\Trash'
+
+          - name: 'mailbox Sent'
+            comment: |
+              For \Sent mailboxes there are two widely used names. We'll mark both of
+              them as \Sent. User typically deletes one of them if duplicates are created.
+            options:
+
+              - name: 'special_use'
+                value: '\Sent'
+
+          - name: 'mailbox "Sent Messages"'
+            options:
+
+              - name: 'special_use'
+                value: '\Sent'
+
+          - name: 'mailbox virtual/All'
+            comment: 'If you have a virtual "All Messages" mailbox:'
+            state: 'comment'
+            options:
+
+              - name: 'special_use'
+                value: '\All'
+
+              - name: 'comment'
+                value: 'All my messages'
+
+          - name: 'mailbox virtual/Flagged'
+            comment: 'If you have a virtual "Flagged" mailbox:'
+            state: 'comment'
+            options:
+
+              - name: 'special_use'
+                value: '\Flagged'
+
+              - name: 'comment'
+                value: 'All my flagged messages'
+
+          - name: 'mailbox virtual/Important'
+            comment: 'If you have a virtual "Important" mailbox:'
+            state: 'comment'
+            options:
+
+              - name: 'special_use'
+                value: '\Important'
+
+              - name: 'comment'
+                value: 'All my important messages'
+
+  - section: 'plugins'
+    title: 'Mail Plugins'
+    options:
+
+      - name: 'plugin'
+        options:
+
+          - name: 'sieve'
+            value: '{{ dovecot__sieve_dir }}'
+            state: '{{ "present" if "sieve" in dovecot__features else "absent" }}'
+
+          - name: 'quota'
+            value: 'maildir:User quota'
+            state: '{{ "present" if "quota" in dovecot__features else "absent" }}'
+
+          - name: 'mail_replica'
+            value: '{{ dovecot__dsync_replica }}'
+            state: '{{ "present" if "dsync" in dovecot__features else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__configuration [[[
+#
+# The :command:`dovecot` configuration options defined for all hosts in the
+# Ansible inventory.
+dovecot__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dovecot__group_configuration [[[
+#
+# The :command:`dovecot` configuration options defined for hosts in a
+# specific Ansible inventory group.
+dovecot__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dovecot__host_configuration [[[
+#
+# The :command:`dovecot` configuration options defined for a specific host
+# in the Ansible inventory.
+dovecot__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: dovecot__combined_configuration [[[
+#
+# The variable that combines other :command:`dovecot` configuration options for
+# use in the :file:`/etc/dovecot/dovecot.conf` template.
+dovecot__combined_configuration: '{{ dovecot__default_configuration
+                                      + dovecot__configuration
+                                      + dovecot__group_configuration
+                                      + dovecot__host_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_plugins [[[
+#
+# Default mail plugins for all protocols.
+dovecot__mail_plugins:
+  - '$mail_plugins'
+  - '{{ "notify" if "dsync" in dovecot__features else [] }}'
+  - '{{ "replication" if "dsync" in dovecot__features else [] }}'
+  - '{{ "quota" if "quota" in dovecot__features else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_plugins_imap [[[
+#
+# Enabled mail plugins for the IMAP protocol.
+dovecot__mail_plugins_imap:
+  - '{{ dovecot__mail_plugins }}'
+  - '{{ "imap_sieve" if "sieve" in dovecot__features else [] }}'
+  - '{{ "imap_quota" if "quota" in dovecot__features else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_plugins_pop3 [[[
+#
+# Enabled mail plugins for the POP3 protocol.
+dovecot__mail_plugins_pop3:
+  - '{{ dovecot__mail_plugins }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_plugins_lda [[[
+#
+# Enabled mail plugins for the LDA protocol.
+dovecot__mail_plugins_lda:
+  - '{{ dovecot__mail_plugins }}'
+  - '{{ "sieve" if "sieve" in dovecot__features else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__mail_plugins_ltmp [[[
+#
+# Enabled mail plugins for the LMTP protocol.
+dovecot__mail_plugins_lmtp:
+  - '{{ dovecot__mail_plugins }}'
+  - '{{ "sieve" if "sieve" in dovecot__features else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__sieve_dir [[[
+#
+# Storage directory for sieve scripts.
+dovecot__sieve_dir: 'file:~/sieve;active=~/.dovecot.sieve'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: dovecot__accept_any [[[
+#
+# The default firewall policy for dovecot services.
+#
+# If ``True``, any host can connect to the dovecot daemon unless allow
+# restrictions are defined using the variables below.
+#
+# If ``False``, no hosts can connect to the dovecot daemon by default. You
+# need to specify IP addresses or subnets that can access the services using
+# the variables below.
+dovecot__accept_any: True
+
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_imap [[[
+#
+# List of hosts/networks that can access the ``imap`` port (143).
+dovecot__allow_imap: []
+
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_imaps [[[
+#
+# List of hosts/networks that can access the ``imaps`` port (993).
+dovecot__allow_imaps: []
+
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_pop3 [[[
+#
+# List of hosts/networks that can access the ``pop3`` port (110).
+dovecot__allow_pop3: []
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_pop3s [[[
+#
+# List of hosts/networks that can access the ``pop3s`` port (995).
+dovecot__allow_pop3s: []
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_doveadm [[[
+#
+# List of hosts/networks that can access the ``doveadm`` port (12345, used for
+# dsync).
+dovecot__allow_doveadm:
+  - '{{ dovecot__dsync_host }}'
+                                                                   # ]]]
+# .. envvar:: dovecot__allow_sieve [[[
+#
+# List of hosts/networks that can access the ``ManageSieve Protocol`` port
+# (4190).
+dovecot__allow_sieve: []
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP [[[
+# --------
+
+# .. envvar:: dovecot__ldap_enabled [[[
+#
+# When enabled, :command:`dovecot` will authenticate users against LDAP and
+# authorize access to the user's mailbox.
+dovecot__ldap_enabled: '{{ True
+                           if (ansible_local | d() and ansible_local.ldap | d() and
+                              (ansible_local.ldap.enabled | d()) | bool)
+                           else False }}'
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects.
+dovecot__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object.  It will be used as a
+# base for the Virtual Mail service account LDAP object. If empty, the role
+# will not create the account LDAP object automatically.
+dovecot__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# `dovecot` service to access the LDAP directory.
+dovecot__ldap_self_rdn: 'uid=dovecot'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`dovecot` service to access the LDAP directory.
+dovecot__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`dovecot` service to access the LDAP directory.
+dovecot__ldap_self_attributes:
+  uid: '{{ dovecot__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ dovecot__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "Dovecot" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_binddn [[[
+#
+# The Distinguished Name used to bind to the LDAP directory.
+dovecot__ldap_binddn: '{{ ([dovecot__ldap_self_rdn]
+                           + dovecot__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_bindpw [[[
+#
+# The password used to bind to the LDAP directory.
+dovecot__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                           + dovecot__ldap_binddn | to_uuid + ".password length=32 "
+                           + "chars=ascii_letters,digits,!@_$%^&*"))
+                          if dovecot__ldap_enabled | bool
+                          else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the user
+# accounts in LDAP.
+dovecot__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_people_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the user accounts.
+dovecot__ldap_people_dn: '{{ [dovecot__ldap_people_rdn]
+                             + dovecot__ldap_base_dn }}'
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_uri [[[
+#
+# List of LDAP URIs that point to the directory servers which should be used.
+dovecot__ldap_uri: '{{ ansible_local.ldap.uri | d([""]) }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_start_tls [[[
+#
+# If ``True``, STARTTLS will be used to connect to the LDAP server.
+dovecot__ldap_start_tls: '{{ ansible_local.ldap.start_tls | d(True) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_user_filter [[[
+#
+# The LDAP filter used to look up user accounts in the directory.
+# See :ref:`ldap__ref_admin` for more information.
+dovecot__ldap_user_filter: '(&
+                              (objectClass=mailRecipient)
+                              (|
+                                (uid=%n)
+                                (mail=%u)
+                              )
+                              (|
+                                (authorizedService=all)
+                                (authorizedService=mail:access)
+                              )
+                            )'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_user_list_filter [[[
+#
+# The LDAP filter used to look list user accounts in the directory. This allows
+# commands like :command:`doveadm users '*'` or :command:`doveadm purge -A` to
+# work.
+# See :ref:`ldap__ref_admin` for more information.
+dovecot__ldap_user_list_filter: '(&
+                                   (objectClass=mailRecipient)
+                                   (|
+                                     (authorizedService=all)
+                                     (authorizedService=mail:access)
+                                   )
+                                 )'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_user_list_filter_attribute [[[
+#
+# The attribute used by the :envvar:`dovecot__ldap_user_list_filter` filter as
+# the identifier of the user.
+# See :ref:`ldap__ref_admin` for more information.
+dovecot__ldap_user_list_filter_attribute: 'mail'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_quota_attribute [[[
+#
+# The LDAP attribute storing the user quota.
+dovecot__ldap_quota_attribute: 'mailQuota'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_quota_default [[[
+#
+# Default LDAP quota.
+dovecot__ldap_quota_default: '10 GB'
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap_trash_field [[[
+#
+# The :command:`dovecot` internal field name which corresponds to the trash
+# mailbox, used to control the automatic expunction of mails via the
+# ``mailExpungeTrash`` LDAP attribute.
+dovecot__ldap_trash_field: 'namespace/inbox/mailbox/Trash/autoexpunge'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: dovecot__postfix_lmtp_transport [[[
+#
+# Postfix mail transport target if LMTP is enabled.
+dovecot__postfix_lmtp_transport: 'lmtp:unix:private/dovecot-lmtp'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` role.
+dovecot__ldap__dependent_tasks:
+  - name: 'Create Postfix account for {{ dovecot__ldap_device_dn | join(",") }}'
+    dn: '{{ dovecot__ldap_binddn }}'
+    objectClass: '{{ dovecot__ldap_self_object_classes }}'
+    attributes: '{{ dovecot__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+                if (dovecot__ldap_enabled | bool and
+                    dovecot__ldap_device_dn | d())
+                else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration for the ``debops.postfix`` role.
+dovecot__postfix__dependent_maincf:
+
+  # The default TLS security level set by the 'postfix' role is "may", however
+  # when the mail is delivered over local UNIX socket, this results in
+  # a warning in the mail logs: "warning: smtp_connect_local: opportunistic TLS
+  # encryption is not appropriate for unix-domain destinations". Therefore if
+  # we know that Dovecot is installed locally and we deliver over an UNIX
+  # socket, we can disable the opportunistic TLS encryption for the LMTP
+  # protocol.
+  - name: 'lmtp_tls_security_level'
+    comment: |
+      Security level overridden via local Dovecot installation
+    value: '{{ "none"
+               if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
+               else "may" }}'
+    state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
+
+  # We don't care about the STARTTLS offer when we talk to Dovecot over an UNIX
+  # socket.
+  - name: 'lmtp_tls_note_starttls_offer'
+    value: '{{ False
+               if dovecot__postfix_lmtp_transport.startswith("lmtp:unix:")
+               else True }}'
+    state: '{{ "present" if "lmtp" in dovecot__features else "ignore" }}'
+
+  - name: 'virtual_transport'
+    value: '{{ dovecot__postfix_lmtp_transport }}'
+    state: '{{ "present"
+               if ("lmtp" in dovecot__features and
+                   dovecot__ldap_enabled | bool)
+               else "ignore" }}'
+
+  - name: 'mailbox_transport'
+    value: '{{ dovecot__postfix_lmtp_transport }}'
+    state: '{{ "present"
+               if ("lmtp" in dovecot__features and
+                   not dovecot__ldap_enabled | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__postfix__dependent_mastercf [[[
+#
+# The :file:`master.cf` configuration for the ``debops.postfix`` role.
+dovecot__postfix__dependent_mastercf: []
+                                                                   # ]]]
+# .. envvar:: dovecot__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` role.
+dovecot__etc_services__dependent_list:
+
+  - name: 'doveadm'
+    port: '{{ dovecot__dsync_port }}'
+    protocols: [ 'tcp' ]
+    comment: 'Added by debops.dovecot Ansible role.'
+
+                                                                   # ]]]
+# .. envvar:: dovecot__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` role.
+dovecot__ferm__dependent_rules:
+
+  - name: 'dovecot_imap'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'imap2' ]
+    saddr: '{{ dovecot__allow_imap }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("imap" in dovecot__features | d([]))
+                    else "absent" }}'
+
+  - name: 'dovecot_imaps'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'imaps' ]
+    saddr: '{{ dovecot__allow_imaps }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("imaps" in dovecot__features | d([])
+                         and dovecot__pki | d(True))
+                    else "absent" }}'
+
+  - name: 'dovecot_pop3'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'pop3' ]
+    saddr: '{{ dovecot__allow_pop3 }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("pop3" in dovecot__features | d([]))
+                    else "absent" }}'
+
+  - name: 'dovecot_pop3s'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'pop3s' ]
+    saddr: '{{ dovecot__allow_pop3s }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("pop3s" in dovecot__features | d([])
+                         and dovecot__pki | d(True))
+                    else "absent" }}'
+
+  - name: 'dovecot_doveadm'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'doveadm' ]
+    saddr: '{{ dovecot__allow_doveadm }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("dsync" in dovecot__features | d([]))
+                    else "absent" }}'
+
+  - name: 'dovecot_sieve'
+    type: 'accept'
+    by_role: 'debops.dovecot'
+    dport: [ 'sieve' ]
+    saddr: '{{ dovecot__allow_sieve }}'
+    accept_any: '{{ dovecot__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("sieve" in dovecot__features | d([])
+                         and dovecot__pki | d(True))
+                    else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dovecot/meta/main.yml b/ansible_collections/debops/debops/roles/dovecot/meta/main.yml
new file mode 100644
index 00000000..03d93a77
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Reto Gantenbein'
+  description: 'Configure Dovecot IMAP/POP3 service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - imap
+    - pop3
+    - sieve
+    - mail
diff --git a/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/post_main.yml b/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/post_main.yml
new file mode 100644
index 00000000..c3621f9c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/post_main.yml
@@ -0,0 +1,4 @@
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/pre_main.yml b/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/pre_main.yml
new file mode 100644
index 00000000..c3621f9c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/tasks/dovecot/pre_main.yml
@@ -0,0 +1,4 @@
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/dovecot/tasks/main.yml b/ansible_collections/debops/debops/roles/dovecot/tasks/main.yml
new file mode 100644
index 00000000..858e1dd6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/tasks/main.yml
@@ -0,0 +1,252 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'dovecot/pre_main.yml') }}"
+
+- name: Install Dovecot packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (["dovecot-core"]
+                              + (["dovecot-imapd"]
+                                 if ("imap" in dovecot__features or
+                                     "imaps" in dovecot__features)
+                                 else [])
+                              + (["dovecot-pop3d"]
+                                 if ("pop3" in dovecot__features or
+                                     "pop3s" in dovecot__features)
+                                 else [])
+                              + (["dovecot-lmtpd"]
+                                 if "lmtp" in dovecot__features
+                                 else [])
+                              + (["dovecot-mysql"]
+                                 if "mysql" in dovecot__user_accounts
+                                 else [])
+                              + (["dovecot-pgsql"]
+                                 if "pgsql" in dovecot__user_accounts
+                                 else [])
+                              + (["dovecot-sqlite"]
+                                 if "sqlite" in dovecot__user_accounts
+                                 else [])
+                              + (["dovecot-ldap"]
+                                 if "ldap" in dovecot__user_accounts
+                                 else [])
+                              + (["dovecot-managesieved"]
+                                 if "sieve" in dovecot__features
+                                 else []))) }}'
+    state: 'present'
+  register: dovecot__register_packages
+  until: dovecot__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Dovecot local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dovecot.fact.j2'
+    dest: '/etc/ansible/facts.d/dovecot.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Remove old diversions
+  debops.debops.dpkg_divert:
+    path: '/etc/dovecot/conf.d/{{ item }}'
+    state: 'absent'
+    delete: True
+  loop:
+    - '10-auth.conf'
+    - '10-master.conf'
+    - '10-mail.conf'
+    - '10-ssl.conf'
+    - '15-lda.conf'
+    - '20-pop3.conf'
+    - '20-imap.conf'
+    - '20-lmtp.conf'
+    - '20-managesieve.conf'
+    - '90-sieve.conf'
+    - '90-sieve-extprograms.conf'
+    - 'auth-deny.conf.ext'
+    - 'auth-system.conf.ext'
+    - 'auth-sql.conf.ext'
+    - 'auth-ldap.conf.ext'
+    - 'auth-passwdfile.conf.ext'
+    - 'auth-checkpassword.conf.ext'
+
+- name: Uninstall disabled Dovecot protocols
+  ansible.builtin.package:
+    pkg: '{{ q("flattened", ((["dovecot-imapd"]
+                              if ("imap" not in dovecot__features and
+                                  "imaps" not in dovecot__features)
+                              else [])
+                             + (["dovecot-pop3d"]
+                                if ("pop3" not in dovecot__features and
+                                    "pop3s" not in dovecot__features)
+                                else [])
+                             + (["dovecot-lmtpd"]
+                                if "lmtp" not in dovecot__features
+                                else [])
+                             + (["dovecot-mysql"]
+                                 if "mysql" not in dovecot__user_accounts
+                                 else [])
+                             + (["dovecot-pgsql"]
+                                if "pgsql" not in dovecot__user_accounts
+                                else [])
+                             + (["dovecot-sqlite"]
+                                if "sqlite" not in dovecot__user_accounts
+                                else [])
+                             + (["dovecot-ldap"]
+                                if ("ldap" not in dovecot__user_accounts)
+                                else [])
+                             + (["dovecot-managesieved"]
+                                if "sieve" not in dovecot__features
+                                else []))) }}'
+    state: 'absent'
+  notify: [ 'Restart dovecot' ]
+
+- name: Remove old local configuration
+  ansible.builtin.file:
+    path: '/etc/dovecot/local.conf'
+    state: 'absent'
+  notify: [ 'Restart dovecot' ]
+  tags: [ "role::dovecot:conf" ]
+
+- name: Generate Dovecot sql configuration
+  ansible.builtin.template:
+    src: "{{ lookup('debops.debops.template_src', 'etc/dovecot/dovecot-sql.conf.ext.j2') }}"
+    dest: '/etc/dovecot/dovecot-sql.conf.ext'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify: [ 'Restart dovecot' ]
+  when: "dovecot__user_accounts | d([]) | intersect(['mysql', 'pgsql', 'sqlite'])"
+  tags: [ "role::dovecot:conf", "role::dovecot:conf:sql" ]
+
+- name: Generate Dovecot ldap configuration
+  ansible.builtin.template:
+    src: "{{ lookup('debops.debops.template_src', 'etc/dovecot/' + item + '.j2') }}"
+    dest: '/etc/dovecot/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify: [ 'Restart dovecot' ]
+  loop:
+    - 'dovecot-ldap-userdb.conf'
+    - 'dovecot-ldap-passdb.conf'
+  when: "'ldap' in dovecot__user_accounts"
+  tags: [ "role::dovecot:conf", "role::dovecot:conf:ldap" ]
+
+- name: Generate Dovecot deny user list
+  ansible.builtin.template:
+    src: "{{ lookup('debops.debops.template_src', 'etc/dovecot/dovecot.deny.j2') }}"
+    dest: '/etc/dovecot/dovecot.deny'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Create private directory to store passwdfile
+  ansible.builtin.file:
+    path: "{{ dovecot__passwdfile_path }}"
+    state: directory
+    owner: 'root'
+    group: 'dovecot'
+    mode: '0650'
+  when: "'passwdfile' in dovecot__user_accounts"
+
+- name: Make sure virtual mail user POSIX group exists
+  ansible.builtin.group:
+    name: '{{ dovecot__vmail_posix_group |
+              d(dovecot__vmail_posix_user) }}'
+    state: 'present'
+    system: True
+  when: 'dovecot__vmail_enabled | d(False)'
+  tags: [ 'role::dovecot:user', 'role::dovecot:group' ]
+
+- name: Make sure virtual mail user POSIX system account exists
+  ansible.builtin.user:
+    name: '{{ dovecot__vmail_posix_user }}'
+    state: 'present'
+    comment: 'Postfix Virtual Mail user'
+    group: '{{ dovecot__vmail_posix_group |
+               d(dovecot__vmail_posix_user) }}'
+    home: '{{ dovecot__vmail_base }}'
+    create_home: True
+    system: True
+    shell: '/usr/sbin/nologin'
+    skeleton: null
+  when: 'dovecot__vmail_enabled | d(False)'
+  tags: [ 'role::dovecot:user' ]
+
+- name: Make sure that the virtual mail user home directory exists - {{ dovecot__vmail_base }}
+  ansible.builtin.file:
+    dest: '{{ dovecot__vmail_base }}'
+    state: 'directory'
+    owner: '{{ dovecot__vmail_posix_user }}'
+    group: '{{ dovecot__vmail_posix_group }}'
+    mode: '0750'
+  when: 'dovecot__vmail_enabled | d(False)'
+  tags: [ 'role::dovecot:user' ]
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ dovecot__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dovecot__pki | bool
+
+- name: Manage PKI dovecot hook
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/dovecot.j2'
+    dest: '{{ dovecot__pki_hook_path + "/" + dovecot__pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dovecot__pki | bool
+
+- name: Ensure the PKI dovecot hook is absent
+  ansible.builtin.file:
+    path: '{{ dovecot__pki_hook_path + "/" + dovecot__pki_hook_name }}'
+    state: 'absent'
+  when: not (dovecot__pki | bool)
+
+- name: Divert original Dovecot main configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/dovecot/dovecot.conf'
+  notify: [ 'Restart dovecot' ]
+  tags: [ "role::dovecot:conf" ]
+
+- name: Generate Dovecot main configuration file
+  ansible.builtin.template:
+    src: "{{ lookup('debops.debops.template_src', 'etc/dovecot/dovecot.conf.j2') }}"
+    dest: '/etc/dovecot/dovecot.conf'
+    owner: 'root'
+    group: 'dovecot'
+    mode: '0640'
+  notify: [ 'Restart dovecot' ]
+  tags: [ "role::dovecot:conf" ]
+
+- name: Update Ansible facts and restart dovecot, if necessary
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Post hooks
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'dovecot/post_main.yml') }}"
diff --git a/ansible_collections/debops/debops/roles/dovecot/tasks/main_env.yml b/ansible_collections/debops/debops/roles/dovecot/tasks/main_env.yml
new file mode 100644
index 00000000..76f611cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/tasks/main_env.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Remove ferm 'debops-legacy-input-rules' file
+  ansible.builtin.file:
+    path: '/etc/ferm/filter-input.d/dovecot.conf'
+    state: 'absent'
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/ansible/facts.d/dovecot.fact.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/ansible/facts.d/dovecot.fact.j2
new file mode 100644
index 00000000..3d2463b1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/ansible/facts.d/dovecot.fact.j2
@@ -0,0 +1,34 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('dovecot')}
+
+try:
+    output['version'] = subprocess.check_output(
+            ["dovecot", "--version"]
+            ).decode('utf-8').strip().split()[0]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-passdb.conf.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-passdb.conf.j2
new file mode 100644
index 00000000..e5c42b7e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-passdb.conf.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+debug_level = 0
+
+uris = {{ dovecot__ldap_uri | join(",") }}
+ldap_version = 3
+
+tls = '{{ "yes"
+        if (dovecot__ldap_start_tls | bool)
+        else "no" }}'
+tls_ca_cert_dir = {{ dovecot__tls_ca_cert_dir }}
+tls_require_cert = hard
+
+## Passdb LDAP with authentication binds
+# LDAP server verifies the password, so Dovecot doesn't need to know what
+# format the password is stored in. A bit more secure, as a security hole
+# in Dovecot doesn't give attacker access to all the users' password hashes.
+# (And Dovecot admins in general don't have direct access to them.)
+auth_bind = yes
+
+scope = subtree
+base = {{ dovecot__ldap_people_dn | join(",") }}
+dn = {{ dovecot__ldap_binddn }}
+dnpass = {{ dovecot__ldap_bindpw }}
+
+pass_attrs = \
+    uid=%u,\
+    mailDrop=mail,\
+    userPassword=userPassword
+
+pass_filter = {{ dovecot__ldap_user_filter }}
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2
new file mode 100644
index 00000000..361f16d1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2017-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+debug_level = 0
+
+uris = {{ dovecot__ldap_uri | join(",") }}
+ldap_version = 3
+
+tls = '{{ "yes"
+        if (dovecot__ldap_start_tls | bool)
+        else "no" }}'
+tls_ca_cert_dir = {{ dovecot__tls_ca_cert_dir }}
+tls_require_cert = hard
+
+## Passdb LDAP with authentication binds
+# LDAP server verifies the password, so Dovecot doesn't need to know what
+# format the password is stored in. A bit more secure, as a security hole
+# in Dovecot doesn't give attacker access to all the users' password hashes.
+# (And Dovecot admins in general don't have direct access to them.)
+auth_bind = yes
+
+scope = subtree
+base = {{ dovecot__ldap_people_dn | join(",") }}
+dn = {{ dovecot__ldap_binddn }}
+dnpass = {{ dovecot__ldap_bindpw }}
+
+user_attrs = \
+    uid=home={{ dovecot__vmail_base }}/%d/%{ldap:uid},\
+    mailHomeDirectory=home={{ dovecot__vmail_base }}%{ldap:mailHomeDirectory},\
+    mailQuota=quota_rule=*:bytes=%{ldap:{{ dovecot__ldap_quota_attribute }}}:storage=%$,\
+    mailGroupACL=acl_groups,\
+    mailExpungeTrash={{ dovecot__ldap_trash_field }}
+
+user_filter = {{ dovecot__ldap_user_filter }}
+iterate_filter= {{ dovecot__ldap_user_list_filter }}
+iterate_attrs= {{ dovecot__ldap_user_list_filter_attribute }}=user
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-sql.conf.ext.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-sql.conf.ext.j2
new file mode 100644
index 00000000..9dec5775
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot-sql.conf.ext.j2
@@ -0,0 +1,168 @@
+{# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{#
+
+This file follows the upstream default configuration except for the parts
+that are configurable via DebOps variables. If you need a more customized
+setup, you can provide your own template via lookup mechanism.
+
+#}
+
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# https://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+#     username VARCHAR(128) NOT NULL,
+#     domain VARCHAR(128) NOT NULL,
+#     password VARCHAR(64) NOT NULL,
+#     home VARCHAR(255) NOT NULL,
+#     uid INTEGER NOT NULL,
+#     gid INTEGER NOT NULL,
+#     active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+driver = {{ dovecot__user_accounts | d([]) | intersect(['mysql', 'pgsql', 'sqlite']) | first | d() }}
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+#   For available options, see the PostgreSQL documentation for the
+#   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
+#
+# mysql:
+#   Basic options emulate PostgreSQL option names:
+#     host, port, user, password, dbname
+#
+#   But also adds some new settings:
+#     client_flags           - See MySQL manual
+#     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
+#     ssl_cert, ssl_key      - For sending client-side certificates to server
+#     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
+#     ssl_verify_server_cert - Verify that the name in the server SSL certificate
+#                              matches the host (default: no)
+#     option_file            - Read options from the given file instead of
+#                              the default my.cnf location
+#     option_group           - Read options from the given group (default: client)
+#
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+#   Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+#   The path to the database file.
+#
+# Examples:
+#   connect = host=192.168.1.1 dbname=users
+#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+#   connect = /etc/dovecot/authdb.sqlite
+#
+#connect =
+connect = {{ dovecot__sql_connect }}
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# https://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+#default_pass_scheme = MD5
+{% if dovecot__sql_default_pass_scheme is defined and dovecot__sql_default_pass_scheme %}
+default_pass_scheme = {{ dovecot__sql_default_pass_scheme }}
+{% endif %}
+
+# passdb query to retrieve the password. It can return fields:
+#   password - The user's password. This field must be returned.
+#   user - user@domain from the database. Needed with case-insensitive lookups.
+#   username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# https://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see https://wiki2.dovecot.org/Variables
+# for full list):
+#   %u = entire user@domain
+#   %n = user part of user@domain
+#   %d = domain part of user@domain
+#
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+#   password_query = SELECT userid AS user, pw AS password \
+#     FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+#  SELECT username, domain, password \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+{% if dovecot__sql_password_query is defined and dovecot__sql_password_query %}
+password_query = {{ dovecot__sql_password_query }}
+{% endif %}
+
+# userdb query to retrieve the user information. It can return fields:
+#   uid - System UID (overrides mail_uid setting)
+#   gid - System GID (overrides mail_gid setting)
+#   home - Home directory
+#   mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# https://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+#  SELECT home, uid, gid \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+{% if dovecot__sql_user_query is defined and dovecot__sql_user_query %}
+user_query = {{ dovecot__sql_user_query }}
+{% endif %}
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+#  SELECT userid AS user, password, \
+#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+#  FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
+{% if dovecot__sql_iterate_query is defined and dovecot__sql_iterate_query %}
+iterate_query = {{ dovecot__sql_iterate_query }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.conf.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.conf.j2
new file mode 100644
index 00000000..52381945
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.conf.j2
@@ -0,0 +1,70 @@
+{# Copyright (C) 2019-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2019-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+#
+# /etc/dovecot/dovecot.conf - Main configuration file for dovecot.
+#
+# {{ ansible_managed }}
+#
+
+{% macro print_element(element, commented, loop_first, indent) %}
+{%   set prefix = ("{:^" + indent | string + "}").format('') %}
+{%   set comment_prefix = (prefix + "# ") %}
+{%   if commented or element.state | d('present') == 'comment' %}
+{%     set commented = True %}
+{%     set prefix = comment_prefix %}
+{%   else %}
+{%     set commented = False %}
+{%   endif %}
+{%   if element.options | d() and not loop_first %}
+{{     '' }}
+{%   endif %}
+{%   if element.comment | d() %}
+{{     element.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%   endif %}
+{%   if element.raw | d() %}
+{%     if commented %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='')) -}}
+{%     else %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%     endif %}
+{%   elif element.options | d() %}
+{{     '{}{} {{'.format(prefix, element.option | d(element.name) | regex_replace('\n$', '')) }}
+{%     for element in element.options %}
+{%       if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{{         print_element(element, commented, loop.first, indent + 8) -}}
+{%       endif %}
+{%     endfor %}
+{{     '{}}}'.format(prefix) }}
+{%   else %}
+{{     '{}{} = {}'.format(prefix, element.option | d(element.name), element.value) }}
+{%   endif %}
+{% endmacro %}
+{##}
+{% for section in dovecot__combined_configuration | debops.debops.parse_kv_items(name='section') %}
+{%   if section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if section.options | d() %}
+{%       if section.state != 'hidden' %}
+{%         if (['present', 'comment'] | intersect(section.options | map(attribute='state') | list)) %}
+{%           set section_title = (' ' + ((section.title | d(section.section)) | upper) + ' ') %}
+{%           set section_width = section_title | length + 8 %}
+{{           '' }}
+{{           '' }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           ("{:#^" + section_width | string + "}").format(section_title) }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           '' }}
+{%         endif %}
+{%       else %}
+{{         '' }}
+{%       endif %}
+{%       for element in section.options %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{{           print_element(element, section.state | d('present') == 'comment', loop.first, 0) -}}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.deny.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.deny.j2
new file mode 100644
index 00000000..59939b0d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/dovecot/dovecot.deny.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% for user in dovecot__deny_users %}
+{{ user }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/dovecot/templates/etc/pki/hooks/dovecot.j2 b/ansible_collections/debops/debops/roles/dovecot/templates/etc/pki/hooks/dovecot.j2
new file mode 100644
index 00000000..86fed59e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dovecot/templates/etc/pki/hooks/dovecot.j2
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2020 Rainer Schuth <devel@reixd.net>
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart dovecot on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+dovecot_config="/etc/dovecot/dovecot.conf"
+dovecot_action="{{ dovecot__pki_hook_action }}"
+
+# Check if current PKI realm is used by the 'dovecot' webserver
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${dovecot_config} || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                dovecot_state="$(systemctl is-active dovecot.service)"
+                if [ "${dovecot_state}" = "active" ] ; then
+                    if doveconf -n > /dev/null 2>&1 ; then
+                        systemctl "${dovecot_action}" dovecot.service
+                    fi
+                fi
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/COPYRIGHT b/ansible_collections/debops/debops/roles/dpkg_cleanup/COPYRIGHT
new file mode 100644
index 00000000..42642797
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.dpkg_cleanup - Prepare a dpkg cleanup hook using Ansible
+
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/defaults/main.yml b/ansible_collections/debops/debops/roles/dpkg_cleanup/defaults/main.yml
new file mode 100644
index 00000000..663322d6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/defaults/main.yml
@@ -0,0 +1,62 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dpkg_cleanup__ref_defaults:
+
+# debops.dpkg_cleanup default variables
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global options [[[
+# ------------------
+
+# .. envvar:: dpkg_cleanup__enabled [[[
+#
+# Enable or disable support for the role. By default it's only enabled on hosts
+# which use the APT package manager with assumption that :command:`dpkg`
+# command is present.
+dpkg_cleanup__enabled: '{{ True if (ansible_pkg_mgr == "apt") else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration paths [[[
+# -----------------------
+
+# .. envvar:: dpkg_cleanup__facts_path [[[
+#
+# Absolute path where Ansible local fact scripts are stored. The hook script
+# will automatically remove the fact created by a given role.
+dpkg_cleanup__facts_path: '/etc/ansible/facts.d'
+
+                                                                   # ]]]
+# .. envvar:: dpkg_cleanup__scripts_path [[[
+#
+# Absolute path where the dpkg hook scripts are stored.
+dpkg_cleanup__scripts_path: '/usr/local/lib/dpkg-cleanup'
+
+                                                                   # ]]]
+# .. envvar:: dpkg_cleanup__hooks_path [[[
+#
+# Absolute path where :command:`dpkg` configuration snippets are stored.
+dpkg_cleanup__hooks_path: '/etc/dpkg/dpkg.cfg.d'
+                                                                   # ]]]
+                                                                   # ]]]
+# Hook script definitions [[[
+# ---------------------------
+
+# .. envvar:: dpkg_cleanup__dependent_packages [[[
+#
+# List which sets the contents of the hook scripts generated by the role,
+# defined by other Ansible roles via role dependent variables.
+# See :ref:`dpkg_cleanup__ref_packages` for more details.
+dpkg_cleanup__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/meta/main.yml b/ansible_collections/debops/debops/roles/dpkg_cleanup/meta/main.yml
new file mode 100644
index 00000000..c6a4fb29
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Prepare a dpkg cleanup hook executed on package removal'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cleanup
+    - system
+    - dpkg
+    - apt
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/tasks/main.yml b/ansible_collections/debops/debops/roles/dpkg_cleanup/tasks/main.yml
new file mode 100644
index 00000000..942d934c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure that the cleanup script directory exists
+  ansible.builtin.file:
+    path: '{{ dpkg_cleanup__scripts_path }}'
+    state: 'directory'
+    mode: '0755'
+  when: dpkg_cleanup__enabled | bool
+
+- name: Remove cleanup scripts if requested
+  ansible.builtin.file:
+    path: '{{ dpkg_cleanup__scripts_path + "/" + item.name }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dpkg_cleanup__dependent_packages) }}'
+  loop_control:
+    label: '{{ {"package": item.name} }}'
+  when: dpkg_cleanup__enabled | bool and item.name | d() and
+        item.state | d('present') == 'absent'
+
+- name: Remove cleanup hooks if requested
+  ansible.builtin.file:
+    path: '{{ dpkg_cleanup__hooks_path + "/dpkg-cleanup-" + item.name }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dpkg_cleanup__dependent_packages) }}'
+  loop_control:
+    label: '{{ {"package": item.name} }}'
+  when: dpkg_cleanup__enabled | bool and item.name | d() and
+        item.state | d('present') == 'absent'
+
+- name: Generate cleanup scripts
+  ansible.builtin.template:
+    src: 'usr/local/lib/dpkg-cleanup/package.j2'
+    dest: '{{ dpkg_cleanup__scripts_path + "/" + item.name }}'
+    mode: '0755'
+  loop: '{{ q("flattened", dpkg_cleanup__dependent_packages) }}'
+  loop_control:
+    label: '{{ {"package": item.name} }}'
+  when: dpkg_cleanup__enabled | bool and item.name | d() and
+        item.state | d('present') != 'absent'
+
+- name: Generate cleanup hooks
+  ansible.builtin.template:
+    src: 'etc/dpkg/dpkg.cfg.d/dpkg-cleanup-package.j2'
+    dest: '{{ dpkg_cleanup__hooks_path + "/dpkg-cleanup-" + item.name }}'
+    mode: '0644'
+  loop: '{{ q("flattened", dpkg_cleanup__dependent_packages) }}'
+  loop_control:
+    label: '{{ {"package": item.name} }}'
+  when: dpkg_cleanup__enabled | bool and item.name | d() and
+        item.state | d('present') != 'absent'
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/etc/dpkg/dpkg.cfg.d/dpkg-cleanup-package.j2 b/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/etc/dpkg/dpkg.cfg.d/dpkg-cleanup-package.j2
new file mode 100644
index 00000000..a8df0fcc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/etc/dpkg/dpkg.cfg.d/dpkg-cleanup-package.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+pre-invoke={{ dpkg_cleanup__scripts_path + "/" + item.name }}
diff --git a/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/usr/local/lib/dpkg-cleanup/package.j2 b/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/usr/local/lib/dpkg-cleanup/package.j2
new file mode 100644
index 00000000..023e0265
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dpkg_cleanup/templates/usr/local/lib/dpkg-cleanup/package.j2
@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+# {{ ansible_managed }}
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+# Clean up Ansible modifications on the '{{ item.name }}' package removal
+# The script is executed by dpkg pre-invoke hook
+
+
+set -o nounset -o pipefail -o errexit
+
+# Name of the package which will trigger the hook script
+apt_package="{{ item.name }}"
+
+# List of files which should be reverted via the dpkg-divert script
+readarray -t revert_files << EOF
+{% if item.revert_files | d() %}
+{%   for path in (([ item.revert_files ]
+                   if (item.revert_files is string)
+                   else item.revert_files)
+                 | flatten | sort) %}
+{%     if path.startswith("/") %}
+{{       path }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+EOF
+
+# List of files which should be removed
+readarray -t remove_files << EOF
+{% if item.remove_files | d() %}
+{%   for path in (([ item.remove_files ]
+                   if (item.remove_files is string)
+                   else item.remove_files)
+                 | flatten | sort) %}
+{%     if path.startswith("/") %}
+{{       path }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ dpkg_cleanup__facts_path + "/" + (item.ansible_fact | d(item.name)) + ".fact" }}
+{{ dpkg_cleanup__scripts_path + "/" + item.name }}
+{{ dpkg_cleanup__hooks_path + "/dpkg-cleanup-" + item.name }}
+EOF
+
+# List of directories which should be removed
+readarray -t remove_directories << EOF
+{% if item.remove_directories | d() %}
+{%   for path in (([ item.remove_directories ]
+                   if (item.remove_directories is string)
+                   else item.remove_directories)
+                 | flatten | sort) %}
+{%     if path.startswith("/") %}
+{{       path }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+EOF
+
+# List of service names which should be reloaded via 'systemctl' command
+readarray -t reload_services << EOF
+{% if item.reload_services | d() %}
+{%   for service in (([ item.reload_services ]
+                      if (item.reload_services is string)
+                      else item.reload_services)
+                    | flatten | sort) %}
+{{     service }}
+{%   endfor %}
+{% endif %}
+EOF
+
+# List of service names which should be restarted via 'systemctl' command
+readarray -t restart_services << EOF
+{% if item.restart_services | d() %}
+{%   for service in (([ item.restart_services ]
+                      if (item.restart_services is string)
+                      else item.restart_services)
+                    | flatten | sort) %}
+{{     service }}
+{%   endfor %}
+{% endif %}
+EOF
+
+
+divert_cleanup () {
+    for revert_file in "${revert_files[@]}" ; do
+        if [ -f "${revert_file}.dpkg-divert" ] ; then
+            rm -fv "${revert_file}"
+            dpkg-divert --local --rename --remove "${revert_file}"
+        fi
+    done
+}
+
+file_cleanup () {
+    for remove_file in "${remove_files[@]}" ; do
+        test ! -f "${remove_file}" || rm -fv "${remove_file}"
+    done
+}
+
+directory_cleanup () {
+    for remove_directory in "${remove_directories[@]}" ; do
+        test ! -d "${remove_directory}" || rm -rfv "${remove_directory}"
+    done
+}
+
+service_reload () {
+    for service in "${reload_services[@]}" ; do
+        if pidof systemd > /dev/null 2>&1 ; then
+            if systemctl is-active "${service}" > /dev/null 2>&1 ; then
+                printf "Reloading %s service ...\\n" "${service}"
+                systemctl reload "${service}.service"
+            fi
+        fi
+    done
+}
+
+service_restart () {
+    for service in "${restart_services[@]}" ; do
+        if pidof systemd > /dev/null 2>&1 ; then
+            if systemctl is-active "${service}" > /dev/null 2>&1 ; then
+                printf "Restarting %s service ...\\n" "${service}"
+                systemctl restart "${service}.service"
+            fi
+        fi
+    done
+}
+
+
+# Get the PID of the parent 'dpkg' process and check its command line arguments
+# to get the list of packages currently being worked on
+dpkg_pid="$(ps -o ppid= ${PPID} | tr -d '[:space:]')"
+IFS=' ' read -r -a arguments <<< "$(tr '\0' ' ' < "/proc/${dpkg_pid}/cmdline")"
+
+if [ -n "${DPKG_HOOK_ACTION:-}" ] ; then
+    case ${DPKG_HOOK_ACTION} in
+        purge|remove)
+            for x in "${arguments[@]}"; do
+                case ${x} in
+                    ${apt_package}:*)
+
+                        if [ -n "${revert_files[*]}" ] ; then
+                            divert_cleanup
+                        fi
+                        if [ -n "${remove_files[*]}" ] ; then
+                            file_cleanup
+                        fi
+                        if [ -n "${remove_directories[*]}" ] ; then
+                            directory_cleanup
+                        fi
+                        if [ -n "${reload_services[*]}" ] ; then
+                            service_reload
+                        fi
+                        if [ -n "${restart_services[*]}" ] ; then
+                            service_restart
+                        fi
+
+                    ;;
+                esac
+            done
+        ;;
+    esac
+fi
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/COPYRIGHT b/ansible_collections/debops/debops/roles/dropbear_initramfs/COPYRIGHT
new file mode 100644
index 00000000..11a2fb82
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/COPYRIGHT
@@ -0,0 +1,19 @@
+dropbear_initramfs - Setup the dropbear ssh server in initramfs
+
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/defaults/main.yml b/ansible_collections/debops/debops/roles/dropbear_initramfs/defaults/main.yml
new file mode 100644
index 00000000..fd493221
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/defaults/main.yml
@@ -0,0 +1,281 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _dropbear_initramfs__ref_defaults:
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: dropbear_initramfs__base_packages [[[
+#
+# List of APT packages to install for :command:`dropbear_initramfs` support.
+#
+# Supported versions:
+#
+# * ``dropbear-initramfs``
+# * ``dropbear``
+#
+dropbear_initramfs__base_packages:
+  - '{{ "dropbear"
+        if (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["trusty"])
+        else "dropbear-initramfs" }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__packages [[[
+#
+# List of additional APT packages to install during :command:`dropbear_initramfs`
+# configuration.
+dropbear_initramfs__packages: []
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__config_path [[[
+#
+# Path to dropbear initramfs configuration files.
+dropbear_initramfs__config_path: '{{ "/etc/dropbear-initramfs"
+                                     if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+                                     else "/etc/dropbear/initramfs" }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__config_file [[[
+#
+# Path to dropbear initramfs configuration file.
+dropbear_initramfs__config_file: '{{ dropbear_initramfs__config_path + "/"
+                                     + ("config"
+                                        if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+                                        else "dropbear.conf") }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that dropbear is configured in the initramfs to allow
+#   ssh connections.
+#
+# ``absent``
+#   Ensure that dropbear and related configuration maintained by this role are
+#   absent.
+#
+dropbear_initramfs__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Simple initramfs network [[[
+# ----------------------------
+
+# Refer to https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+# for support configuration options.
+#
+# Note that the ``IP`` kernel parameter only supports legacy IPv4. But don’t
+# worry, the role has you covered. Refer to
+# :envvar:`dropbear_initramfs__interfaces`.
+
+# .. envvar:: dropbear_initramfs__network_autoconf [[[
+#
+# Method to use for autoconfiguration. Use ``off`` or ``none`` for manual
+# network configuration (see below).
+dropbear_initramfs__network_autoconf: 'dhcp'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network_device [[[
+#
+# Default network device.
+dropbear_initramfs__network_device: '{{ ansible_default_ipv6.interface
+                                        if ansible_default_ipv6.interface | d()
+                                        else (ansible_default_ipv4.interface
+                                              if ansible_default_ipv4.interface | d()
+                                              else "eth0") }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network_address [[[
+#
+# Manual network address to set.
+dropbear_initramfs__network_address: '{{ ansible_default_ipv4.address }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network_netmask [[[
+#
+# Manual subnet mask to set.
+dropbear_initramfs__network_netmask: '{{ ansible_default_ipv4.netmask }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network_gateway [[[
+#
+# Manual gateway to set.
+dropbear_initramfs__network_gateway: '{{ ansible_default_ipv4.gateway }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network_manual [[[
+#
+# The ``IP`` kernel parameter used when
+# :envvar:`dropbear_initramfs__network_autoconf` is disabled.
+#
+# The `ipwrap` filter causes IPv6 address to work on some platforms.
+# Refer to: https://serverfault.com/questions/445296/is-there-a-linux-kernel-boot-parameter-to-configure-an-ipv6-address/701451#701451
+dropbear_initramfs__network_manual: '{{
+  (dropbear_initramfs__network_address | ansible.utils.ipwrap) + "::" +
+  (dropbear_initramfs__network_gateway | ansible.utils.ipwrap) + ":" +
+  dropbear_initramfs__network_netmask + "::" +
+  dropbear_initramfs__network_device + ":none" }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__network [[[
+#
+# The ``IP`` kernel parameter as it is configured by the role.
+dropbear_initramfs__network: '{{ dropbear_initramfs__network_manual
+                                 if (dropbear_initramfs__network_autoconf in ["off", "none"])
+                                 else dropbear_initramfs__network_autoconf }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Complex initramfs network [[[
+# -----------------------------
+
+# These variables are dictionaries with additional network configuration.
+# See :ref:`dropbear_initramfs__ref_interfaces` documentation for more details.
+
+# .. envvar:: dropbear_initramfs__interfaces [[[
+#
+# Dictionary which holds the configuration of additional network configuration
+# for all hosts in the Ansible inventory.
+dropbear_initramfs__interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__group_interfaces [[[
+#
+# Dictionary which holds the configuration of additional network configuration
+# for hosts in a specific Ansible inventory group.
+dropbear_initramfs__group_interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__host_interfaces [[[
+#
+# Dictionary which holds the configuration of additional network configuration
+# for specific hosts in the Ansible inventory.
+dropbear_initramfs__host_interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__combined_interfaces [[[
+#
+# Dictionary which combines all of the other network interface
+# configuration variables and is used in the role tasks and templates to
+# generate the configuration.
+dropbear_initramfs__combined_interfaces: '{{ lookup("template", "lookup/dropbear_initramfs__combined_interfaces.j2", convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Initramfs generation [[[
+# ------------------------
+
+# .. envvar:: dropbear_initramfs__update_options [[[
+#
+# Additional options for the :command:`update-initramfs` command.
+# The default is to regenerate the initramfs for all installed kernel versions.
+dropbear_initramfs__update_options: '-k all'
+                                                                   # ]]]
+                                                                   # ]]]
+# Dropbear options [[[
+# -------------------
+
+# .. envvar:: dropbear_initramfs__port [[[
+#
+# The port dropbear listens on.
+dropbear_initramfs__port: '22'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__disable_password_login [[[
+#
+# Disable password login?
+dropbear_initramfs__disable_password_login: '{{
+  True
+  if dropbear_initramfs__combined_authorized_keys | d()
+  else False
+  }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__disable_port_forwarding [[[
+#
+# Disable local and remote port forwarding?
+dropbear_initramfs__disable_port_forwarding: True
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__idle_timeout [[[
+#
+# Count of seconds after that dropbear times out.
+dropbear_initramfs__idle_timeout: '180'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__max_authentication_attempts [[[
+#
+# The maximum number of authentication attempts per connection.
+dropbear_initramfs__max_authentication_attempts: '10'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__forced_command [[[
+#
+# Override the command provided by the user and always run this command.
+dropbear_initramfs__forced_command: ''
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__dropbear_options [[[
+#
+# Set options parsed to dropbear.
+dropbear_initramfs__dropbear_options: '{{
+  "-p " + dropbear_initramfs__port +
+  (" -g -s" if dropbear_initramfs__disable_password_login | d() else "") +
+  (" -j -k" if dropbear_initramfs__disable_port_forwarding | d() else "") +
+  " -I " + dropbear_initramfs__idle_timeout +
+  " -T " + dropbear_initramfs__max_authentication_attempts +
+  (" -c " + dropbear_initramfs__forced_command if dropbear_initramfs__forced_command | d() else "")
+  }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Authorized ssh keys [[[
+# -----------------------
+
+# See :ref:`dropbear_initramfs__ref_authorized_keys` for more details.
+
+# .. envvar:: dropbear_initramfs__authorized_keys [[[
+#
+# List of authorized ssh keys configured on all hosts in the Ansible inventory.
+dropbear_initramfs__authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__group_authorized_keys [[[
+#
+# List of authorized ssh keys configured on a group of hosts in the Ansible inventory.
+dropbear_initramfs__group_authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__host_authorized_keys [[[
+#
+# List of authorized ssh keys configured on specific hosts in the Ansible inventory.
+dropbear_initramfs__host_authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__combined_authorized_keys [[[
+#
+# Combines list of authorized ssh keys as used in the role tasks.
+dropbear_initramfs__combined_authorized_keys: '{{ dropbear_initramfs__authorized_keys +
+                                                  dropbear_initramfs__group_authorized_keys +
+                                                  dropbear_initramfs__host_authorized_keys }}'
+
+                                                                   # ]]]
+# .. envvar:: dropbear_initramfs__authorized_keys_key_options [[[
+#
+# List of default SSH options added to all public keys. If it's set to
+# ``{{ omit }}``, no options will be added automatically. The list of options can be
+# overridden by the ``item.options`` parameter.
+# Refer to :manpage:`dropbear(8)` for details.
+dropbear_initramfs__authorized_keys_key_options: '{{ omit }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/handlers/main.yml b/ansible_collections/debops/debops/roles/dropbear_initramfs/handlers/main.yml
new file mode 100644
index 00000000..df5119c9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update initramfs
+  ansible.builtin.command: update-initramfs -u {{ dropbear_initramfs__update_options }}
+  register: dropbear_initramfs__register_update
+  changed_when: dropbear_initramfs__register_update.changed | bool
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/meta/main.yml b/ansible_collections/debops/debops/roles/dropbear_initramfs/meta/main.yml
new file mode 100644
index 00000000..b7e20561
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/meta/main.yml
@@ -0,0 +1,38 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup the dropbear ssh server in initramfs'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.4'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - startup
+    - boot
+    - fde
+    - headless
+    - encryption
+    - security
+    - initramfs
+    - ssh
+    - cryptsetup
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/tasks/main.yml b/ansible_collections/debops/debops/roles/dropbear_initramfs/tasks/main.yml
new file mode 100644
index 00000000..c734a09b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dropbear_initramfs__base_packages
+                              + dropbear_initramfs__packages)) }}'
+    state: '{{ "present" if (dropbear_initramfs__deploy_state == "present") else "absent" }}'
+  register: dropbear_initramfs__register_packages
+  until: dropbear_initramfs__register_packages is succeeded
+  tags: [ 'role::dropbear_initramfs:pkgs' ]
+
+- name: Configure network in initramfs using kernel command line
+  ansible.builtin.template:
+    src: 'etc/initramfs-tools/conf.d/role.conf.j2'
+    dest: '/etc/initramfs-tools/conf.d/50_debops.dropbear_initramfs.conf'
+    mode: '0644'
+  when: (dropbear_initramfs__deploy_state == "present")
+  notify: [ 'Update initramfs' ]
+
+- name: Configure dropbear options
+  ansible.builtin.template:
+    src: 'etc/dropbear/initramfs/dropbear.conf.j2'
+    dest: '{{ dropbear_initramfs__config_file }}'
+    mode: '0644'
+  when: (dropbear_initramfs__deploy_state == "present")
+  notify: [ 'Update initramfs' ]
+
+- name: Configure to bring up additional interfaces/addresses in initramfs
+  ansible.builtin.template:
+    src: 'etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs.j2'
+    dest: '/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs'
+    mode: '0755'
+  when: (dropbear_initramfs__deploy_state == "present")
+  notify: [ 'Update initramfs' ]
+
+- name: Configure to bring down additional interfaces/addresses in initramfs
+  ansible.builtin.template:
+    src: 'etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs.j2'
+    dest: '/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs'
+    mode: '0755'
+  when: (dropbear_initramfs__deploy_state == "present")
+  notify: [ 'Update initramfs' ]
+
+- name: Configure authorized ssh keys
+  ansible.posix.authorized_key:
+    key: "{{ (item.key
+              if item.key is string
+              else (item.key | unique | join('\n') | string))
+             if item.key | d() else '' }}"
+    user: '{{ item.user | d("root") }}'
+    path: '{{ "/etc/initramfs-tools/root/.ssh/authorized_keys"
+              if ("dropbear" in dropbear_initramfs__base_packages)
+              else dropbear_initramfs__config_path + "/authorized_keys" }}'
+    key_options: '{{ (item.key_options if item.key_options is string else item.key_options | join(","))
+                       if item.key_options is defined
+                       else ((dropbear_initramfs__authorized_keys_key_options
+                              if dropbear_initramfs__authorized_keys_key_options is string
+                              else dropbear_initramfs__authorized_keys_key_options | join(","))
+                             if dropbear_initramfs__authorized_keys_key_options != omit else "")
+                     }}'
+    state: '{{ (item.state | d("present")) if (dropbear_initramfs__deploy_state == "present") else "absent" }}'
+    exclusive: '{{ item.exclusive | d(omit) }}'
+    comment:   '{{ item.comment | d(omit) }}'
+    manage_dir: False
+  notify: [ 'Update initramfs' ]
+  loop: '{{ q("flattened", dropbear_initramfs__combined_authorized_keys) }}'
+  loop_control:
+    label: '{{ {"key": item.key} }}'
+
+- name: Remove files in deploy state absent
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  when: (dropbear_initramfs__deploy_state == 'absent')
+  notify: [ 'Update initramfs' ]
+  with_items:
+    - '/etc/initramfs-tools/conf.d/50_debops.dropbear_initramfs.conf'
+    - '/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs'
+    - '/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs'
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/dropbear/initramfs/dropbear.conf.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/dropbear/initramfs/dropbear.conf.j2
new file mode 100644
index 00000000..668de757
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/dropbear/initramfs/dropbear.conf.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2015-2017,2024 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '{{ dropbear_initramfs__config_path }}' directory).
+
+#
+# Command line options to pass to dropbear(8)
+#
+DROPBEAR_OPTIONS="{{ dropbear_initramfs__dropbear_options }}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN="*"
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/conf.d/role.conf.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/conf.d/role.conf.j2
new file mode 100644
index 00000000..e614794d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/conf.d/role.conf.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+IP="{{ dropbear_initramfs__network }}"
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs.j2
new file mode 100644
index 00000000..294ae71f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-bottom/debops_dropbear_initramfs.j2
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+PREREQ=""
+prereqs() {
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+{% for name, interface in dropbear_initramfs__combined_interfaces.items() %}
+{%   set interface_name = (interface.iface | d(name)) %}
+ip link    set   dev {{ interface_name | quote }} down
+ip address flush dev {{ interface_name | quote }}
+ip route   flush dev {{ interface_name | quote }}
+{% endfor %}
+
+exit 0
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs.j2
new file mode 100644
index 00000000..3e8f6435
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/etc/initramfs-tools/scripts/local-top/debops_dropbear_initramfs.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#!/bin/sh
+
+# {{ ansible_managed }}
+
+PREREQ=""
+prereqs() {
+    echo "$PREREQ"
+}
+case $1 in
+prereqs)
+    prereqs
+    exit 0
+    ;;
+esac
+
+{% for name, interface in dropbear_initramfs__combined_interfaces | dictsort %}
+{%   set interface_name = (interface.iface | d(name)) %}
+{%   set addresses = (debops__tpl_macros.flattened(interface.address, interface.addresses) | from_yaml) | unique %}
+{%   set ipv4_addresses = addresses | ansible.utils.ipv4 %}
+{%   set ipv6_addresses = addresses | ansible.utils.ipv6 %}
+{%   set gateways = (debops__tpl_macros.flattened(interface.gateway, interface.gateways) | from_yaml) | unique %}
+{%   set ipv4_gateways = gateways | ansible.utils.ipv4 %}
+{%   set ipv6_gateways = gateways | ansible.utils.ipv6 %}
+
+ip link set dev {{ interface_name | quote }} up
+{%   if interface.inet6 in ['static'] %}
+{%     for address in ipv6_addresses %}
+ip addr add {{ address }} dev {{ interface_name | quote }}
+{%     endfor %}
+{%     if ipv6_gateways %}
+ip route add default via {{ ipv6_gateways | first }}
+{%     endif %}
+{%   endif %}
+{%   if interface.inet in ['static'] %}
+{%     for address in ipv4_addresses %}
+ip addr add {{ address }} dev {{ interface_name | quote }} label {{ interface_name | quote }}:{{ loop.index0 }}
+{%     endfor %}
+{%     if ipv4_gateways %}
+ip route add default via {{ ipv4_gateways | first }}
+{%     endif %}
+{%   endif %}
+ip addr show dev {{ interface_name | quote }}
+{% endfor %}
+
+exit 0
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/import/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/import/debops__tpl_macros.j2
new file mode 100644
index 00000000..58582c54
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/import/debops__tpl_macros.j2
@@ -0,0 +1,181 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be included in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be included like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{# Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happyily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/lookup/dropbear_initramfs__combined_interfaces.j2 b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/lookup/dropbear_initramfs__combined_interfaces.j2
new file mode 100644
index 00000000..9a67febd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/dropbear_initramfs/templates/lookup/dropbear_initramfs__combined_interfaces.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+{% set dropbear_initramfs__tpl_merge_1 = (debops__tpl_macros.merge_dict(dropbear_initramfs__interfaces, dropbear_initramfs__group_interfaces, 'iface') | from_yaml) %}
+{% set dropbear_initramfs__tpl_merge_2 = (debops__tpl_macros.merge_dict(dropbear_initramfs__tpl_merge_1, dropbear_initramfs__host_interfaces, 'iface') | from_yaml) %}
+{% set dropbear_initramfs__tpl_filtered_interfaces = {} %}
+{% for name, params in dropbear_initramfs__tpl_merge_2.items() %}
+{%   set interface_name = (params.iface | d(name)) %}
+{%   if params.type is undefined %}
+{%     if (interface_name.startswith('vlan') or '.' in interface_name) %}
+{%       set _ = params.update({"type":"vlan"}) %}
+{%     elif interface_name.startswith(('en','eth')) %}
+{%       set _ = params.update({"type":"ether"}) %}
+{%     endif %}
+{%   endif %}
+{%   if params.type | d("ether") == 'ether' %}
+{%     if params.inet is undefined %}
+{%       set _ = params.update({"inet":"dhcp"}) %}
+{%     endif %}
+{%     if params.inet6 is undefined %}
+{%       set _ = params.update({"inet6":"auto"}) %}
+{%     endif %}
+{%     set _ = dropbear_initramfs__tpl_filtered_interfaces.update({interface_name:params}) %}
+{%   endif %}
+{% endfor %}
+{{ dropbear_initramfs__tpl_filtered_interfaces | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/elastic_co/COPYRIGHT b/ansible_collections/debops/debops/roles/elastic_co/COPYRIGHT
new file mode 100644
index 00000000..f0140338
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elastic_co/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.elastic_co - Configure Elastic APT repositories
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/elastic_co/defaults/main.yml b/ansible_collections/debops/debops/roles/elastic_co/defaults/main.yml
new file mode 100644
index 00000000..711c2afb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elastic_co/defaults/main.yml
@@ -0,0 +1,122 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _elastic_co__ref_defaults:
+
+# debops.elastic_co default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT repository configuration [[[
+# --------------------------------
+
+# .. envvar:: elastic_co__version [[[
+#
+# Specify the major version of the Elastic APT repository you wish to install.
+# The role will remember the selected version using Ansible local facts which
+# should ensure that in the future currently installed version of the APT
+# repository stays the same on a given host.
+elastic_co__version: '{{ ansible_local.elastic_co.version | d("7.x") }}'
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__curator_version [[[
+#
+# Specify the major version of the Elastic Curator APT repository you wish to install.
+# The role will remember the selected version using Ansible local facts which
+# should ensure that in the future currently installed version of the APT
+# repository stays the same on a given host.
+elastic_co__curator_version: '{{ ansible_local.elastic_co.curator_version | d("5") }}'
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__key_id [[[
+#
+# The fingerprint of the APT repository GPG key to configure.
+elastic_co__key_id: '4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4'
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__repositories [[[
+#
+# APT repository entry to configure for Elastic repository.
+elastic_co__repositories:
+  - repo: 'deb https://artifacts.elastic.co/packages/{{ elastic_co__version }}/apt stable main'
+
+  - repo: 'deb https://packages.elastic.co/curator/{{ elastic_co__curator_version }}/debian9 stable main'
+    enabled: "{{ ansible_distribution_release in ['stretch'] }}"
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Package overrides [[[
+# ---------------------
+
+# .. envvar:: elastic_co__heartbeat_override [[[
+#
+# Enable or disable APT preferences override for the ``heartbeat`` APT package.
+# See :ref:`elastic_co__ref_heartbeat_override` for more details.
+elastic_co__heartbeat_override: True
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: elastic_co__packages [[[
+#
+# List of Elastic APT packages to install on all hosts in the Ansible
+# inventory.
+elastic_co__packages: []
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__group_packages [[[
+#
+# List of Elastic APT packages to install on hosts in specific Ansible
+# inventory group.
+elastic_co__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__host_packages [[[
+#
+# List of Elastic APT packages to install on specific hosts in the Ansible
+# inventory.
+elastic_co__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__dependent_packages [[[
+#
+# List of Elastic APT packages requested for installation by other Ansible
+# roles through role dependent variables.
+elastic_co__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: elastic_co__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+elastic_co__apt_preferences__dependent_list:
+
+  - package: 'heartbeat'
+    pin: 'origin artifacts.elastic.co'
+    priority: '700'
+    reason: 'Conflicts with "heartbeat" package from OS archives'
+    by_role: 'debops.elastic_co'
+    state: '{{ "present" if elastic_co__heartbeat_override | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: elastic_co__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+elastic_co__keyring__dependent_apt_keys:
+
+  - id: '{{ elastic_co__key_id }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/elastic_co/meta/main.yml b/ansible_collections/debops/debops/roles/elastic_co/meta/main.yml
new file mode 100644
index 00000000..8ac528dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elastic_co/meta/main.yml
@@ -0,0 +1,39 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure Elastic APT repositories'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - search
+    - elasticsearch
+    - kibana
+    - logstash
+    - filebeat
+    - metricbeat
+    - packetbeat
+    - heartbeat
diff --git a/ansible_collections/debops/debops/roles/elastic_co/tasks/main.yml b/ansible_collections/debops/debops/roles/elastic_co/tasks/main.yml
new file mode 100644
index 00000000..8ef75c93
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elastic_co/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure Elastic APT repository
+  ansible.builtin.apt_repository:
+    update_cache: True
+    repo: '{{ item.repo }}'
+    filename: '{{ item.filename | d(omit) }}'
+    state: 'present'
+  with_items: '{{ elastic_co__repositories }}'
+  when: item.enabled | d(True)
+
+- name: Install Elastic packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (elastic_co__packages
+                              + elastic_co__group_packages
+                              + elastic_co__host_packages
+                              + elastic_co__dependent_packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: elastic_co__register_install
+  until: elastic_co__register_install is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Elastic local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/elastic_co.fact.j2'
+    dest: '/etc/ansible/facts.d/elastic_co.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/elastic_co/templates/etc/ansible/facts.d/elastic_co.fact.j2 b/ansible_collections/debops/debops/roles/elastic_co/templates/etc/ansible/facts.d/elastic_co.fact.j2
new file mode 100644
index 00000000..391fb222
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elastic_co/templates/etc/ansible/facts.d/elastic_co.fact.j2
@@ -0,0 +1,64 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = loads('''{{ ({
+    "configured": true,
+    "heartbeat_override": elastic_co__heartbeat_override,
+    "version": elastic_co__version,
+    "curator_version": elastic_co__curator_version
+}) | to_nice_json }}''')
+
+# List of Elastic APT packages recognized by this fact
+package_list = [
+  'elasticsearch',
+  'elasticsearch-curator',
+  'filebeat',
+  'kibana',
+  'logstash',
+  'metricbeat',
+  'packetbeat'
+]
+
+# A workaround for conflicting package name in Debian/Ubuntu
+# https://github.com/elastic/beats/issues/3765
+heartbeat_override = loads('''{{ elastic_co__heartbeat_override
+                                 | bool | lower | to_nice_json }}''')
+
+if heartbeat_override:
+    package_list.append('heartbeat')
+
+
+def dpkg_query(packages):
+
+    command = ['dpkg-query', '--show',
+               '--showformat="${Package}": "${Version}",\n'] + packages
+
+    FNULL = open('/dev/null', 'w')
+    proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=FNULL)
+    (stdoutdata, _) = proc.communicate()
+
+    stdout_clean = stdoutdata.strip()
+    stdout_last = stdout_clean.decode('utf-8').rstrip(',')
+    stdout_wrap = '{\n' + stdout_last + '\n}'
+
+    proc_output = loads(str(stdout_wrap))
+    return proc_output
+
+
+package_version = dpkg_query(package_list)
+output.update({"packages": package_version})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/COPYRIGHT b/ansible_collections/debops/debops/roles/elasticsearch/COPYRIGHT
new file mode 100644
index 00000000..e25881ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.elasticsearch - Install and manage Elasticsearch database clusters
+
+Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/defaults/main.yml b/ansible_collections/debops/debops/roles/elasticsearch/defaults/main.yml
new file mode 100644
index 00000000..07b49a1c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/defaults/main.yml
@@ -0,0 +1,1107 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# .. Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# .. Copyright (C) 2014-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _elasticsearch__ref_defaults:
+
+# debops.elasticsearch default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, version [[[
+# -------------------------
+
+# The ``debops.elasticsearch`` role uses the ``debops.elatic_co`` Ansible role
+# to configure the Elastic APT repositories and install the packages. The role
+# also installs the Ansible facts that provide the ``elasticsearch``
+# version.
+
+# .. envvar:: elasticsearch__base_packages [[[
+#
+# List of base APT packages to install.
+elasticsearch__base_packages: [ 'elasticsearch' ]
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__packages [[[
+#
+# List of additional APT packages to install with Elasticsearch.
+elasticsearch__packages: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__version [[[
+#
+# Store the detected Elasticsearch version in a convenient variable for
+# conditional configuration.
+elasticsearch__version: '{{ ansible_local.elasticsearch.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX user and group [[[
+# -----------------------
+
+# .. envvar:: elasticsearch__user [[[
+#
+# Name of the UNIX user account used by Elasticsearch.
+elasticsearch__user: 'elasticsearch'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__group [[[
+#
+# Name of the UNIX primary group used by Elasticsearch.
+elasticsearch__group: 'elasticsearch'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__additional_groups [[[
+#
+# List of additional UNIX groups to which the Elasticsearch user will belong.
+elasticsearch__additional_groups: '{{ ["ssl-cert"]
+                                      if elasticsearch__pki_enabled | bool
+                                      else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Ansible inventory layout [[[
+# ----------------------------
+
+# .. envvar:: elasticsearch__inventory_group_all [[[
+#
+# Name of the Ansible inventory group which contains Elasticsearch host in
+# a "homogeneous" configuration (each node having the same functions as every
+# other node).
+elasticsearch__inventory_group_all: 'debops_service_elasticsearch'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__inventory_group_master [[[
+#
+# Name of the Ansible inventory group which contains Elasticsearch master
+# nodes.
+elasticsearch__inventory_group_master: 'debops_service_elasticsearch_master'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__inventory_group_data [[[
+#
+# Name of the Ansible inventory group which contains Elasticsearch data nodes.
+elasticsearch__inventory_group_data: 'debops_service_elasticsearch_data'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__inventory_group_ingest [[[
+#
+# Name of the Ansible inventory group which contains Elasticsearch ingest
+# nodes.
+elasticsearch__inventory_group_ingest: 'debops_service_elasticsearch_ingest'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__inventory_group_lb [[[
+#
+# Name of the Ansible inventory group which contains Elasticsearch load
+# balancer nodes.
+elasticsearch__inventory_group_lb: 'debops_service_elasticsearch_lb'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__inventory_master_hosts [[[
+#
+# List of Ansible inventory hosts which should be treated as Elasticsearch
+# master nodes. See :ref:`elasticsearch__ref_clustering` for more details.
+elasticsearch__inventory_master_hosts: '{{ (groups[elasticsearch__inventory_group_master]
+                                            | d(groups[elasticsearch__inventory_group_all]))
+                                           if elasticsearch__allow_tcp else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__initial_master_nodes [[[
+#
+# List of Elasticsearch nodes which will be bootstrapped as masters on the
+# first cluster execution.
+elasticsearch__initial_master_nodes: [ '{{ elasticsearch__node_name }}' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: elasticsearch__allow_http [[[
+#
+# List of IP addresses or CIDR subnets that can connect to the Elasticsearch
+# HTTP service. This does not need to be set to allow the nodes to communicate.
+# If this list is empty, nobody can connect to the HTTP server directly.
+elasticsearch__allow_http: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__allow_tcp [[[
+#
+# List of IP addresses or CIDR subnets that can connect to the Elasticsearch
+# TCP transport port. This variable needs to be set to allow nodes to
+# communicate. If this list is empty, nobody can connect to the transport port
+# and the Elasticsearch service is configured in a standalone mode.
+elasticsearch__allow_tcp: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Connection encryption, TLS [[[
+# ------------------------------
+
+# .. envvar:: elasticsearch__pki_enabled [[[
+#
+# Enable or disable support for TLS connection encryption based on DebOps PKI,
+# managed by the :ref:`debops.pki` Ansible role.
+elasticsearch__pki_enabled: '{{ (ansible_local.pki.enabled | d()) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__pki_base_path [[[
+#
+# The absolute path of th location of PKI realms.
+elasticsearch__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__pki_realm [[[
+#
+# The PKI realm used by Elasticsearch cluster for the HTTP and Transport
+# communication.
+elasticsearch__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__pki_ca_file [[[
+#
+# Name of the file which contains Certificate Authorities trusted by
+# Elasticsearch, relative to the PKI realm directory.
+elasticsearch__pki_ca_file: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__pki_key_file [[[
+#
+# Name of the file which contains the private key used by Elasticsearch for
+# HTTP and Transport communication, relative to the PKI realm directory.
+elasticsearch__pki_key_file: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__pki_crt_file [[[
+#
+# Name of the file which contains the X.509 certificate chain used by
+# Elasticsearch for HTTP and Transport communication, relative to the PKI realm
+# directory. Java applications don't work well with Diffie-Hellman parameters
+# embedded in the certificate chain, so let's use the "plain" one instead.
+elasticsearch__pki_crt_file: 'public/cert_intermediate.pem'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__tls_ca_certificate [[[
+#
+# Absolute path of the Certificate Authority certificate used by Elasticsearch.
+elasticsearch__tls_ca_certificate: '{{ elasticsearch__pki_base_path + "/"
+                                       + elasticsearch__pki_realm + "/"
+                                       + elasticsearch__pki_ca_file }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__tls_private_key [[[
+#
+# Absolute path of the private key used by Elasticsearch.
+elasticsearch__tls_private_key: '{{ elasticsearch__pki_base_path + "/"
+                                    + elasticsearch__pki_realm + "/"
+                                    + elasticsearch__pki_key_file }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__tls_certificate [[[
+#
+# Absolute path of the X.509 certificate used by Elasticsearch.
+elasticsearch__tls_certificate: '{{ elasticsearch__pki_base_path + "/"
+                                    + elasticsearch__pki_realm + "/"
+                                    + elasticsearch__pki_crt_file }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Elastic X-Pack options [[[
+# --------------------------
+
+# .. envvar:: elasticsearch__xpack_enabled [[[
+#
+# Enable or disable support for X-Pack plugin. The X-Pack support affects
+# security features of Elasticsearch like TLS encryption in transit and
+# user/role management.
+#
+# By default, X-Pack will be enabled if Elasticsearch is configured as
+# a cluster and PKI environment managed by the :ref:`debops.pki` Ansible role
+# is configured on the host. Otherwise the support will be disabled since it's
+# not useful in a standalone mode.
+elasticsearch__xpack_enabled: '{{ True
+                                  if (elasticsearch__pki_enabled | bool and
+                                      elasticsearch__allow_tcp | d())
+                                  else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Elasticsearch users and roles management [[[
+# --------------------------------------------
+
+# .. envvar:: elasticsearch__api_base_url [[[
+#
+# The URL of the Elasticsearch API endpoint used to manage user accounts and
+# roles in the cluster, for example: ``https://example.org:9200``. If not
+# specified, the role will not perform any API-based tasks.
+#
+# Tasks are executed on one of the Elasticsearch hosts, only single host is
+# used if multiple are in a given Ansible run.
+elasticsearch__api_base_url: '{{ "https://" + ansible_fqdn + ":9200" }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__api_username [[[
+#
+# Name of the Elasticsearch user account used to access the API. The built-in
+# ``elastic`` user account has superuser privileges.
+elasticsearch__api_username: 'elastic'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__secret_path [[[
+#
+# Path to the directory in the :ref:`debops.secret` storage where passwords of
+# Elastcisearch built-in users will be stored.
+elasticsearch__secret_path: '{{ "elasticsearch/credentials/"
+                                + elasticsearch__cluster_name + "/built-in" }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__api_password [[[
+#
+# The password used to access the Elasticsearch API, stored in the
+# :file:`secret/` directory, managed by the :ref:`debops.secret` Ansible role.
+elasticsearch__api_password: '{{ lookup("password", secret + "/"
+                                 + elasticsearch__secret_path + "/"
+                                 + elasticsearch__api_username + "/password") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__native_roles [[[
+#
+# List of Elasticsearch "role" definitions which will be defined on all hosts
+# in the Ansible inventory. See :ref:`elasticsearch__ref_native_roles` for more
+# details.
+elasticsearch__native_roles: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__group_native_roles [[[
+#
+# List of Elasticsearch "role" definitions which will be defined on hosts in
+# a specific Ansible inventory group.
+# See :ref:`elasticsearch__ref_native_roles` for more details.
+elasticsearch__group_native_roles: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__host_native_roles [[[
+#
+# List of Elasticsearch "role" definitions which will be defined on specific
+# hosts in the Ansible inventory. See :ref:`elasticsearch__ref_native_roles`
+# for more details.
+elasticsearch__host_native_roles: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__combined_native_roles [[[
+#
+# The variable which combines all "native role" lists and is used in role tasks
+# and templates.
+elasticsearch__combined_native_roles: '{{ elasticsearch__native_roles
+                                          + elasticsearch__group_native_roles
+                                          + elasticsearch__host_native_roles }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__native_users [[[
+#
+# List of Elasticsearch "user" definitions which will be defined on all hosts
+# in the Ansible inventory. See :ref:`elasticsearch__ref_native_users` for more
+# details.
+elasticsearch__native_users: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__group_native_users [[[
+#
+# List of Elasticsearch "user" definitions which will be defined on hosts in
+# a specific Ansible inventory group.
+# See :ref:`elasticsearch__ref_native_users` for more details.
+elasticsearch__group_native_users: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__host_native_users [[[
+#
+# List of Elasticsearch "user" definitions which will be defined on specific
+# hosts in the Ansible inventory. See :ref:`elasticsearch__ref_native_users`
+# for more details.
+elasticsearch__host_native_users: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__combined_native_users [[[
+#
+# The variable which combines all "native user" lists and is used in role tasks
+# and templates.
+elasticsearch__combined_native_users: '{{ elasticsearch__native_users
+                                          + elasticsearch__group_native_users
+                                          + elasticsearch__host_native_users }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Elasticsearch network options [[[
+# ---------------------------------
+
+# .. envvar:: elasticsearch__network_host [[[
+#
+# List of network interface names or IP addresses on which Elasticsearch should
+# listen for connections. By default, if :ref:`debops.ferm` firewall is enabled,
+# Elasticsearch will listen on ``localhost`` and private IP addresses only. See
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
+# for more details.
+elasticsearch__network_host: '{{ ["_local_", "_site_"]
+                                 if (ansible_local.ferm.enabled | d() and
+                                     ansible_local.ferm.enabled | bool)
+                                 else ["_local_"] }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__http_port [[[
+#
+# The port on which Elasticsearch will listen for HTTP connections.
+elasticsearch__http_port: '9200'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__transport_tcp_port [[[
+#
+# The port on which Elasticsearch will listen for TCP transport connections.
+elasticsearch__transport_tcp_port: '9300'
+                                                                   # ]]]
+                                                                   # ]]]
+# Elasticsearch cluster options [[[
+# ---------------------------------
+
+# .. envvar:: elasticsearch__domain [[[
+#
+# The DNS domain of the host.
+elasticsearch__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__cluster_name [[[
+#
+# Name of the Elasticsearch cluster, should be the same on all of the cluster
+# nodes. By default it's based on the host domain name.
+elasticsearch__cluster_name: '{{ elasticsearch__domain | replace(".", "-") }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__node_name [[[
+#
+# Descriptive name of the Elasticsearch node, by default based on the hostname.
+elasticsearch__node_name: '{{ ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__discovery_hosts [[[
+#
+# List of Elasticsearch nodes which should be contacted for unicast cluster
+# discovery. See :ref:`elasticsearch__ref_clustering` for more details.
+elasticsearch__discovery_hosts: '{{ elasticsearch__inventory_master_hosts }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__discovery_minimum_master_nodes [[[
+#
+# Minimum number of master-eligible nodes that are required to achieve quorum.
+elasticsearch__discovery_minimum_master_nodes: '{{ "1" if (elasticsearch__inventory_master_hosts | count <= 2)
+                                                       else ((elasticsearch__inventory_master_hosts | count / 2) | round(0, "floor") | int + 1) }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__gateway_recover_after_nodes [[[
+#
+# Number of Elasticsearch nodes required to enable cluster initial recovery
+# after full restart. Deprecated in Elasticsearch 7.7.0.
+elasticsearch__gateway_recover_after_nodes: '{{ elasticsearch__discovery_minimum_master_nodes }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Node functions [[[
+# ------------------
+
+# These variables define the functionality of a given Elasticsearch node. See
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html
+# for more details.
+
+# .. envvar:: elasticsearch__node_master [[[
+#
+# When enabled, this node is a master-eligible node and can be elected as
+# a master.
+#
+# Warning: this variable is not taken into account for master node
+# calculations. See :ref:`elasticsearch__ref_clustering` for more details.
+elasticsearch__node_master: '{{ True
+                                if (elasticsearch__inventory_group_master in group_names)
+                                else (False
+                                      if (elasticsearch__inventory_group_data in group_names)
+                                      else (False
+                                            if (elasticsearch__inventory_group_ingest in group_names)
+                                            else (False
+                                                  if (elasticsearch__inventory_group_lb in group_names)
+                                                  else True))) }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__node_data [[[
+#
+# When enabled, this node can hold the cluster data and perform various
+# operations like searching and aggregation.
+elasticsearch__node_data: '{{ True
+                              if (elasticsearch__inventory_group_data in group_names)
+                              else (False
+                                    if (elasticsearch__inventory_group_master in group_names)
+                                    else (False
+                                          if (elasticsearch__inventory_group_ingest in group_names)
+                                          else (False
+                                                if (elasticsearch__inventory_group_lb in group_names)
+                                                else True))) }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__node_ingest [[[
+#
+# When enabled, this node can perform operations on documents before indexing
+# them using an ingest pipeline.
+elasticsearch__node_ingest: '{{ True
+                                if (elasticsearch__inventory_group_ingest in group_names)
+                                else (False
+                                      if (elasticsearch__inventory_group_master in group_names)
+                                      else (False
+                                            if (elasticsearch__inventory_group_data in group_names)
+                                            else (False
+                                                  if (elasticsearch__inventory_group_lb in group_names)
+                                                  else True))) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Memory options [[[
+# ------------------
+
+# The variables below configure JVM memory allocation options. See
+# https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html
+# for more details.
+
+# .. envvar:: elasticsearch__memory_lock [[[
+#
+# Enable or disable memory lock depending on availability of required POSIX
+# capabilities. If this variable is enabled, :command:`systemd` memlock limit
+# is configured.
+elasticsearch__memory_lock: '{{ True
+                                if (not (ansible_system_capabilities_enforced | d()) | bool or
+                                    ((ansible_system_capabilities_enforced | d()) | bool and
+                                     "cap_ipc_lock" in (ansible_system_capabilities | d([]))))
+                                else False }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__systemd_limit_memlock [[[
+#
+# Specify maximum size of the process memory in bytes that the process is
+# allowed to lock in RAM and not have it stored in swap. Specify ``infinity``
+# to disable the maximum limit. This setting is applied through the
+# :command:`systemd` service unit.
+elasticsearch__systemd_limit_memlock: 'infinity'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__jvm_memory_heap_size_multiplier [[[
+#
+# This variable defines a float value which will be used to select the JVM heap
+# size depending on the size of the available system RAM.
+elasticsearch__jvm_memory_heap_size_multiplier: '{{ "0.2"
+                                                    if (ansible_memtotal_mb | int / 2 <= 2048)
+                                                    else "0.45" }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__jvm_memory_min_heap_size [[[
+#
+# Specify the minimum JVM heap size, depending on the available system RAM.
+elasticsearch__jvm_memory_min_heap_size: '{{ (((ansible_memtotal_mb | int
+                                               * elasticsearch__jvm_memory_heap_size_multiplier | float)
+                                               | round | int) | string + "m")
+                                             if (ansible_memtotal_mb | int / 2 <= 32768)
+                                             else "32600m" }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__jvm_memory_max_heap_size [[[
+#
+# Specify the maximum JVM heap size, depending on the available system RAM.
+# This usually should be the same as the minimum heap size, for performance
+# reasons.
+elasticsearch__jvm_memory_max_heap_size: '{{ elasticsearch__jvm_memory_min_heap_size }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Paths [[[
+# ---------
+
+# The variables below configure paths used by Elasticsearch. See
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#path-settings
+# for more details.
+
+# .. envvar:: elasticsearch__path_data [[[
+#
+# List of all data paths. They will be created and permissions will be updated if needed.
+elasticsearch__path_data:
+  - '/var/lib/elasticsearch'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Elasticsearch configuration file [[[
+# ------------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/elasticsearch/elasticsearch.yml` configuration file.
+# See :ref:`elasticsearch__ref_configuration` for the details and configuration
+# syntax.
+
+# .. envvar:: elasticsearch__original_configuration [[[
+#
+# The original configuration options present in the default Elasticsearch
+# configuration file.
+elasticsearch__original_configuration:
+
+  - name: 'cluster.name'
+    comment: 'Use a descriptive name for your cluster'
+    value: 'node-1'
+    state: 'comment'
+
+  - name: 'node.name'
+    comment: 'Use a descriptive name for the node'
+    value: 'node-1'
+    state: 'comment'
+
+  - name: 'node.attr.rack'
+    comment: 'Add custom attributes to the node'
+    value: 'r1'
+    state: 'comment'
+
+  - name: 'path.data'
+    comment: |
+      Path to directory where to store the data
+      (separate multiple locations by comma)
+    value: '/var/lib/elasticsearch'
+
+  - name: 'path.logs'
+    comment: 'Path to log files'
+    value: '/var/log/elasticsearch'
+
+  - name: 'bootstrap.memory_lock'
+    comment: |
+      Lock the memory on startup
+
+      Make sure that the heap size is set to about half the memory available
+      on the system and that the owner of the process is allowed to use this
+      limit.
+
+      Elasticsearch performs poorly when the system is swapping the memory.
+    value: True
+    state: 'comment'
+
+  - name: 'network.host'
+    comment: 'Set the bind address to a specific IP (IPv4 or IPv6)'
+    value: '192.160.0.1'
+    state: 'comment'
+
+  - name: 'http.port'
+    comment: 'Set a custom port for HTTP'
+    value: '9200'
+    state: 'comment'
+
+  - name: '{{ "discovery.zen.ping.unicast.hosts"
+              if (elasticsearch__version is version("7.0.0", "<"))
+              else "discovery.seed_hosts" }}'
+    comment: |
+      Pass an initial list of hosts to perform discovery when new node is started:
+      The default list of hosts is ["127.0.0.1", "[::1]"]
+    value: [ 'host1', 'host2' ]
+    state: 'comment'
+
+  - name: 'cluster.initial_master_nodes'
+    comment: 'Bootstrap the cluster using an initial set of master-eligible nodes:'
+    value: [ 'node-1', 'node-2' ]
+    state: 'comment'
+
+  - name: 'action.destructive_requires_name'
+    comment: 'Require explicit names when deleting indices'
+    value: True
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__default_configuration [[[
+#
+# List of default configuration options defined by the role.
+elasticsearch__default_configuration:
+
+  - name: 'cluster.name'
+    value: '{{ elasticsearch__cluster_name }}'
+    state: 'present'
+
+  - name: 'node.roles'
+    comment: 'Roles assigned to the node'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_master) else "absent" }}'
+    value:
+      - 'master'
+
+  - name: 'node.roles'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_data) else "absent" }}'
+    value:
+      - 'data'
+
+  - name: 'node.roles'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_ingest) else "absent" }}'
+    value:
+      - 'ingest'
+
+  - name: 'node.master'
+    comment: 'Type of the node'
+    value: '{{ elasticsearch__node_master }}'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
+
+  - name: 'node.data'
+    value: '{{ elasticsearch__node_data }}'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
+
+  - name: 'node.ingest'
+    value: '{{ elasticsearch__node_ingest }}'
+    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
+
+  - name: 'node.name'
+    value: '{{ elasticsearch__node_name }}'
+    state: 'present'
+
+  - name: 'network.host'
+    value: '{{ elasticsearch__network_host }}'
+    state: 'present'
+
+  - name: 'http.port'
+    value: '{{ elasticsearch__http_port }}'
+    state: 'present'
+
+  - name: '{{ "transport.tcp.port"
+              if (elasticsearch__version is version("7.1.0", "<"))
+              else "transport.port" }}'
+    comment: 'Set a custom port for TCP transport'
+    value: '{{ elasticsearch__transport_tcp_port }}'
+    state: 'present'
+
+    # Reset the default host list
+  - name: '{{ "discovery.zen.ping.unicast.hosts"
+              if (elasticsearch__version is version("7.0.0", "<"))
+              else "discovery.seed_hosts" }}'
+    value: ''
+    state: 'present'
+
+  - name: '{{ "discovery.zen.ping.unicast.hosts"
+              if (elasticsearch__version is version("7.0.0", "<"))
+              else "discovery.seed_hosts" }}'
+    value: '{{ elasticsearch__discovery_hosts }}'
+    state: '{{ "present" if elasticsearch__discovery_hosts else "absent" }}'
+
+  - name: 'discovery.zen.minimum_master_nodes'
+    comment: |
+      Prevent the "split brain" by configuring the majority of nodes
+      (total number of master-eligible nodes / 2 + 1)
+    value: '{{ elasticsearch__discovery_minimum_master_nodes }}'
+    state: '{{ "present" if (elasticsearch__version is version("7.0.0", "<")) else "absent" }}'
+
+    # Reset the default host list
+  - name: 'cluster.initial_master_nodes'
+    value: ''
+    state: 'present'
+
+  - name: 'cluster.initial_master_nodes'
+    value: '{{ elasticsearch__initial_master_nodes }}'
+    state: '{{ "absent"
+               if (elasticsearch__version is version("7.0.0", "<"))
+               else "present" }}'
+
+  - name: 'gateway.recover_after_nodes'
+    comment: 'Block initial recovery after a full cluster restart until N nodes are started'
+    value: '{{ elasticsearch__gateway_recover_after_nodes }}'
+    state: '{{ "present" if (elasticsearch__version is version("7.7.0", "<")) else "absent" }}'
+
+  - name: 'action.destructive_requires_name'
+    value: True
+    state: 'present'
+
+  - name: 'bootstrap.memory_lock'
+    value: '{{ True if elasticsearch__memory_lock | bool else False }}'
+    state: 'present'
+
+  - name: 'path.data'
+    value: '{{ elasticsearch__path_data }}'
+    state: 'present'
+
+  - name: 'xpack.security.enabled'
+    value: True
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.http.ssl.enabled'
+    value: True
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.http.ssl.verification_mode'
+    value: 'certificate'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+    # The client verification is optional in HTTP communication to avoid
+    # forcing Kibana and other clients to present their own X.509 client
+    # certificates to the Elasticsearch service.
+  - name: 'xpack.security.http.ssl.client_authentication'
+    value: 'optional'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.http.ssl.key'
+    value: '{{ elasticsearch__tls_private_key }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.http.ssl.certificate'
+    value: '{{ elasticsearch__tls_certificate }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.http.ssl.certificate_authorities'
+    value: '{{ elasticsearch__tls_ca_certificate }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.enabled'
+    value: True
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.verification_mode'
+    value: 'certificate'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.client_authentication'
+    value: 'required'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.key'
+    value: '{{ elasticsearch__tls_private_key }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.certificate'
+    value: '{{ elasticsearch__tls_certificate }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+  - name: 'xpack.security.transport.ssl.certificate_authorities'
+    value: '{{ elasticsearch__tls_ca_certificate }}'
+    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__configuration [[[
+#
+# List of configuration options defined on all hosts in the Ansible inventory.
+elasticsearch__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__master_configuration [[[
+#
+# List of configuration options defined on Elasticsearch master nodes
+# (needs to be placed in appropriate Ansible inventory group).
+elasticsearch__master_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__data_configuration [[[
+#
+# List of configuration options defined on Elasticsearch data nodes
+# (needs to be placed in appropriate Ansible inventory group).
+elasticsearch__data_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__ingest_configuration [[[
+#
+# List of configuration options defined on Elasticsearch ingest nodes
+# (needs to be placed in appropriate Ansible inventory group).
+elasticsearch__ingest_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__lb_configuration [[[
+#
+# List of configuration options defined on Elasticsearch load balancer nodes
+# (needs to be placed in appropriate Ansible inventory group).
+elasticsearch__lb_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__group_configuration [[[
+#
+# List of configuration options defined on hosts in specific Ansible inventory
+# group.
+elasticsearch__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__host_configuration [[[
+#
+# List of configuration options defined on specific hosts in the Ansible
+# inventory.
+elasticsearch__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__plugin_configuration [[[
+#
+# List of configuration options defined separately for any Elasticsearch
+# plugins. See :ref:`elasticsearch__ref_plugins` for more details.
+elasticsearch__plugin_configuration: '{{ lookup("template",
+                                         "lookup/elasticsearch__plugin_configuration.j2")
+                                         | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__dependent_role [[[
+#
+# A string that identifies another Ansible role that uses the
+# ``debops.elasticsearch`` role as a dependency. This value is needed to
+# correctly store the dependent configuration options.
+# See :ref:`elasticsearch__ref_dependency` for more details.
+elasticsearch__dependent_role: ''
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__dependent_state [[[
+#
+# Specify the state of the dependent configuration options, either ``present``
+# (options should be included in the configuration file) or ``absent`` (options
+# should be removed from the configuration file).
+# See :ref:`elasticsearch__ref_dependency` for more details.
+elasticsearch__dependent_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__dependent_configuration [[[
+#
+# List of Elasticsearch configuration options defined by another Ansible role
+# and specified using role dependent variables.
+elasticsearch__dependent_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__dependent_configuration_filter [[[
+#
+# Actual variable used in the combined Elasticsearch configuration that unwraps
+# the dependent configuration specified by other Ansible roles and converts it
+# into format understood by the ``debops.elasticsearch`` configuration
+# template. See :ref:`elasticsearch__ref_dependency` for more details.
+elasticsearch__dependent_configuration_filter: '{{ lookup("template",
+                                                   "lookup/elasticsearch__dependent_configuration_filter.j2")
+                                                   | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__combined_configuration [[[
+#
+# Actual list of Elasticsearch configuration options passed to the
+# configuration template. This list defines the order in which the options from
+# different variables are processed.
+elasticsearch__combined_configuration: '{{ lookup("flattened", (elasticsearch__original_configuration
+                                           + elasticsearch__default_configuration
+                                           + elasticsearch__plugin_configuration
+                                           + elasticsearch__dependent_configuration_filter
+                                           + elasticsearch__configuration
+                                           + elasticsearch__master_configuration
+                                           + elasticsearch__data_configuration
+                                           + elasticsearch__ingest_configuration
+                                           + elasticsearch__lb_configuration
+                                           + elasticsearch__group_configuration
+                                           + elasticsearch__host_configuration)) }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__configuration_sections [[[
+#
+# List of sections defined in the :file:`/etc/elasticsearch/elasticsearch.yml`
+# configuration file and corresponding variable groups.
+# See :ref:`elasticsearch__ref_configuration_sections` for more details.
+elasticsearch__configuration_sections:
+
+  - name: 'Cluster'
+    part: 'cluster'
+
+  - name: 'Node'
+    part: 'node'
+
+  - name: 'Paths'
+    part: 'path'
+
+  - name: 'Memory'
+    part: 'bootstrap'
+
+  - name: 'Network'
+    parts: [ 'network', 'http', 'transport' ]
+
+  - name: 'Discovery'
+    part: 'discovery'
+
+  - name: 'Gateway'
+    part: 'gateway'
+
+  - name: 'X-Pack'
+    part: 'xpack'
+
+  - name: 'Search Guard'
+    part: 'searchguard'
+
+  - name: 'ReadonlyREST'
+    part: 'readonlyrest'
+                                                                   # ]]]
+                                                                   # ]]]
+# Plugin configuration [[[
+# ------------------------
+
+# These variables define lists of Elasticsearch plugins to install/remove, as
+# well as additional configuration options for them.
+# See :ref:`elasticsearch__ref_plugins` for more details.
+
+# .. envvar:: elasticsearch__plugins [[[
+#
+# List of Elasticsearch plugins to manage on all hosts in the Ansible
+# inventory.
+elasticsearch__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__master_plugins [[[
+#
+# List of Elasticsearch plugins to manage on master nodes (variable needs to be
+# defined in appropriate Ansible inventory group).
+elasticsearch__master_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__data_plugins [[[
+#
+# List of Elasticsearch plugins to manage on data nodes (variable needs to be
+# defined in appropriate Ansible inventory group).
+elasticsearch__data_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__ingest_plugins [[[
+#
+# List of Elasticsearch plugins to manage on ingest nodes (variable needs to be
+# defined in appropriate Ansible inventory group).
+elasticsearch__ingest_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__lb_plugins [[[
+#
+# List of Elasticsearch plugins to manage on load balancer nodes (variable
+# needs to be defined in appropriate Ansible inventory group).
+elasticsearch__lb_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__group_plugins [[[
+#
+# List of Elasticsearch plugins to manage on hosts in specific Ansible
+# inventory group.
+elasticsearch__group_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__host_plugins [[[
+#
+# List of Elasticsearch plugins to manage on specific hosts in the Ansible
+# inventory.
+elasticsearch__host_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__combined_plugins [[[
+#
+# Actual list of Elasticsearch plugins that combines other plugin variables and
+# is used in the Ansible tasks and the configuration template.
+elasticsearch__combined_plugins: '{{ lookup("flattened", (elasticsearch__plugins
+                                     + elasticsearch__master_plugins
+                                     + elasticsearch__data_plugins
+                                     + elasticsearch__ingest_plugins
+                                     + elasticsearch__lb_plugins
+                                     + elasticsearch__group_plugins
+                                     + elasticsearch__host_plugins)) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Java Policy configuration [[[
+# -----------------------------
+
+# Java Policy defines what paths and resources can be accessed by the
+# Elasticsearch application. By default the file access is limited to the
+# :file:`/etc/elasticsearch/` directory, but in DebOps we want to grant access
+# to the PKI directories managed by the :ref:`debops.pki` role to support
+# encrypted communication in the cluster.
+
+# .. envvar:: elasticsearch__java_policy [[[
+#
+# This variable contains the contents of the :file:`java.policy` configuration
+# file for Elasticsearch.
+elasticsearch__java_policy: |
+  // default permissions granted to all domains
+  grant {
+      // allows anyone to listen on dynamic ports
+      permission java.net.SocketPermission "localhost:0", "listen";
+
+      // "standard" properties that can be read by anyone
+      permission java.util.PropertyPermission "java.version", "read";
+      permission java.util.PropertyPermission "java.vendor", "read";
+      permission java.util.PropertyPermission "java.vendor.url", "read";
+      permission java.util.PropertyPermission "java.class.version", "read";
+      permission java.util.PropertyPermission "os.name", "read";
+      permission java.util.PropertyPermission "os.version", "read";
+      permission java.util.PropertyPermission "os.arch", "read";
+      permission java.util.PropertyPermission "file.separator", "read";
+      permission java.util.PropertyPermission "path.separator", "read";
+      permission java.util.PropertyPermission "line.separator", "read";
+      permission java.util.PropertyPermission
+                     "java.specification.version", "read";
+      permission java.util.PropertyPermission "java.specification.vendor", "read";
+      permission java.util.PropertyPermission "java.specification.name", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.version", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.vendor", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.name", "read";
+      permission java.util.PropertyPermission "java.vm.version", "read";
+      permission java.util.PropertyPermission "java.vm.vendor", "read";
+      permission java.util.PropertyPermission "java.vm.name", "read";
+
+      permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/-", "read";
+      permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/-", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/", "read";
+  };
+# ]]]
+# ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: elasticsearch__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+elasticsearch__etc_services__dependent_list:
+
+  - name: 'elasticsearch-http'
+    port: '{{ elasticsearch__http_port }}'
+
+  - name: 'elasticsearch-tcp'
+    port: '{{ elasticsearch__transport_tcp_port }}'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+elasticsearch__sysctl__dependent_parameters:
+
+  - name: 'elasticsearch'
+    weight: 80
+    options:
+
+        # This parameter is set by default by the Elasticsearch .deb package,
+        # but this breaks 'sysctl' usage in containers. The original file will
+        # be diverted, and the role will configure the relevant setting for us,
+        # automatically commenting it out inside of a container.
+      - name: 'vm.max_map_count'
+        comment: |
+          Elasticsearch uses a mmapfs directory by default to store its
+          indices. The default operating system limits on mmap counts is likely
+          to be too low, which may result in out of memory exceptions.
+          Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html
+        value: 262144
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__extrepo__dependent_sources [[[
+#
+# Configuration for the :ref:`debops.extrepo` Ansible role.
+elasticsearch__extrepo__dependent_sources:
+  - 'elastic'
+
+                                                                   # ]]]
+# .. envvar:: elasticsearch__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+elasticsearch__ferm__dependent_rules:
+
+  - name: 'elasticsearch_http'
+    type: 'accept'
+    dport: '{{ elasticsearch__http_port }}'
+    saddr: '{{ elasticsearch__allow_http }}'
+    accept_any: False
+
+  - name: 'elasticsearch_tcp'
+    type: 'accept'
+    dport: '{{ elasticsearch__transport_tcp_port }}'
+    saddr: '{{ elasticsearch__allow_tcp }}'
+    accept_any: False
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/meta/main.yml b/ansible_collections/debops/debops/roles/elasticsearch/meta/main.yml
new file mode 100644
index 00000000..d89c69f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis, Maciej Delmanowski'
+  description: 'Install and manage Elasticsearch database clusters'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - elasticsearch
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication.yml
new file mode 100644
index 00000000..1e192693
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication.yml
@@ -0,0 +1,52 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check status of built-in users via Elasticsearch API
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/elastic" }}'
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+    method: 'GET'
+    status_code: [ '200', '401' ]
+  register: elasticsearch__register_api_builtin_users
+  until: elasticsearch__register_api_builtin_users.status in [200, 401]
+  retries: 10
+  delay: 5
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Initialize built-in users in Elasticsearch
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          bin/elasticsearch-setup-passwords auto --batch | awk '$1 ~ /^PASSWORD/ {print $2, $4}'"
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_builtin_users
+  changed_when: False
+  when: ((not (ansible_local.elasticsearch.configured | d()) | bool) or
+         elasticsearch__register_api_builtin_users.status == 401)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_users.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save generated user passwords on Ansible Controller
+  ansible.builtin.copy:
+    content: '{{ item.split()[1] }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item.split()[0] + "/password" }}'
+    mode: '0644'
+  loop: '{{ elasticsearch__register_builtin_users.stdout_lines }}'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_users.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication_v8.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication_v8.yml
new file mode 100644
index 00000000..7dc746b4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/authentication_v8.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check status of built-in users via Elasticsearch API
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/elastic" }}'
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+    method: 'GET'
+    status_code: [ '200', '401' ]
+  register: elasticsearch__register_api_builtin_users
+  until: elasticsearch__register_api_builtin_users.status in [200, 401]
+  retries: 10
+  delay: 5
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set passwords for built-in Elasticsearch user accounts
+  ansible.builtin.include_tasks: 'reset_password.yml'
+  loop:
+    - 'elastic'
+    - 'kibana_system'
+    - 'logstash_system'
+    - 'beats_system'
+    - 'apm_system'
+    - 'remote_monitoring_user'
+  when: ((not (ansible_local.elasticsearch.configured | d()) | bool) or
+         elasticsearch__register_api_builtin_users.status == 401)
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/main.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/main.yml
new file mode 100644
index 00000000..20f2fef1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/main.yml
@@ -0,0 +1,204 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Elasticsearch packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (elasticsearch__base_packages
+                              + elasticsearch__packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: elasticsearch__register_packages
+  until: elasticsearch__register_packages is succeeded
+
+- name: Add Elasticsearch UNIX account to selected groups
+  ansible.builtin.user:
+    name: '{{ elasticsearch__user }}'
+    groups: '{{ elasticsearch__additional_groups }}'
+    append: True
+  when: elasticsearch__additional_groups | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Elasticsearch local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/elasticsearch.fact.j2'
+    dest: '/etc/ansible/facts.d/elasticsearch.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check if the dependent config file exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: elasticsearch__register_dependent_config_file
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.elasticsearch.installed | d())
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Load the dependent configuration from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: elasticsearch__register_dependent_config
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.elasticsearch.installed | d() and
+         elasticsearch__register_dependent_config_file.stat.exists | bool)
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Divert original configuration files
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  loop:
+    - '/etc/elasticsearch/elasticsearch.yml'
+    - '/etc/elasticsearch/jvm.options'
+    - '/usr/lib/sysctl.d/elasticsearch.conf'
+    - '/usr/share/elasticsearch/jdk/conf/security/java.policy'
+  notify: [ 'Start elasticsearch' ]
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Create systemd configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/elasticsearch.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Generate systemd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/system/elasticsearch.service.d/ansible.conf.j2'
+    dest: '/etc/systemd/system/elasticsearch.service.d/ansible.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+
+- name: Generate Elasticsearch configuration
+  ansible.builtin.template:
+    src: 'etc/elasticsearch/elasticsearch.yml.j2'
+    dest: '/etc/elasticsearch/elasticsearch.yml'
+    owner: 'root'
+    group: '{{ elasticsearch__group }}'
+    mode: '0660'
+  notify: [ 'Restart elasticsearch' ]
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Generate Elasticsearch JVM configuration
+  ansible.builtin.template:
+    src: 'etc/elasticsearch/jvm.options.j2'
+    dest: '/etc/elasticsearch/jvm.options'
+    owner: 'root'
+    group: '{{ elasticsearch__group }}'
+    mode: '0660'
+  notify: [ 'Restart elasticsearch' ]
+  when: elasticsearch__version is version("5.0.0", ">=")
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Generate Java Policy configuration file
+  ansible.builtin.template:
+    src: 'usr/share/elasticsearch/jdk/conf/security/java.policy.j2'
+    dest: '/usr/share/elasticsearch/jdk/conf/security/java.policy'
+    mode: '0644'
+  notify: [ 'Restart elasticsearch' ]
+  when: elasticsearch__version is version("7.0.0", ">=")
+
+- name: Manage data paths
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ elasticsearch__user }}'
+    group: '{{ elasticsearch__group }}'
+    mode: '0750'
+  loop: '{{ q("flattened", elasticsearch__path_data) }}'
+
+- name: Reload systemd daemons
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check state of installed Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin list
+  args:
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_plugins
+  changed_when: False
+  check_mode: False
+
+- name: Install Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin install {{ item.url | d(item.name) }} --batch
+  args:
+    chdir: '/usr/share/elasticsearch'
+  notify: [ 'Restart elasticsearch' ]
+  loop: '{{ q("flattened", elasticsearch__combined_plugins) }}'
+  register: elasticsearch__register_plugin_install
+  changed_when: elasticsearch__register_plugin_install.changed | bool
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1])
+         not in elasticsearch__register_plugins.stdout_lines)
+
+- name: Remove Elasticsearch plugins
+  ansible.builtin.command: bin/elasticsearch-plugin remove {{ item.name }}
+  args:
+    chdir: '/usr/share/elasticsearch'
+  notify: [ 'Restart elasticsearch' ]
+  loop: '{{ q("flattened", elasticsearch__combined_plugins) }}'
+  register: elasticsearch__register_plugin_remove
+  changed_when: elasticsearch__register_plugin_remove.changed | bool
+  when: (item.name | d() and item.state | d('present') == 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1])
+         in elasticsearch__register_plugins.stdout_lines)
+
+- name: Save Elasticsearch dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/elasticsearch/dependent_config/config.json.j2'
+    dest: '{{ secret + "/elasticsearch/dependent_config/" + inventory_hostname + "/config.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  tags: [ 'role::elasticsearch:config' ]
+
+- name: Ensure that Elasticsearch is restarted
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage Elasticsearch authentication (old)
+  ansible.builtin.import_tasks: 'authentication.yml'
+  run_once: True
+  when: elasticsearch__version is version("8.0", "<") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch authentication (new)
+  ansible.builtin.import_tasks: 'authentication_v8.yml'
+  run_once: True
+  when: elasticsearch__version is version("8.0", ">=") and
+        elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
+
+- name: Manage Elasticsearch roles and users
+  ansible.builtin.import_tasks: 'roles_users.yml'
+  run_once: True
+  when: elasticsearch__xpack_enabled | bool and elasticsearch__pki_enabled | bool
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/main_env.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/main_env.yml
new file mode 100644
index 00000000..358d0b3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/main_env.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.elasticsearch environment
+  ansible.builtin.set_fact:
+    elasticsearch__secret__directories: '{{ lookup("template", "lookup/elasticsearch__secret__directories.j2")
+                                            | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/reset_password.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/reset_password.yml
new file mode 100644
index 00000000..9f43897c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/reset_password.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Initialize password for user account '{{ item }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    bin/elasticsearch-reset-password --username {{ item }} --batch --silent
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/elasticsearch'
+  register: elasticsearch__register_builtin_password
+  changed_when: elasticsearch__register_builtin_password.stdout != ''
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/" + elasticsearch__secret_path + "/" + item }}'
+    state: 'directory'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout_lines | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save generated password of account '{{ item }}'
+  ansible.builtin.copy:
+    content: '{{ elasticsearch__register_builtin_password.stdout }}'
+    dest: '{{ secret + "/" + elasticsearch__secret_path + "/" + item + "/password" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  when: elasticsearch__register_builtin_password.stdout | d()
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/tasks/roles_users.yml b/ansible_collections/debops/debops/roles/elasticsearch/tasks/roles_users.yml
new file mode 100644
index 00000000..7447c886
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/tasks/roles_users.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage native roles in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/role/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_roles | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage native users in Elasticsearch
+  ansible.builtin.uri:
+    url: '{{ elasticsearch__api_base_url + "/_security/user/" + item.name }}'
+    method:      '{{ "DELETE" if (item.state | d("present") in ["absent"]) else "POST" }}'
+    body_format: '{{ omit if (item.state | d("present") in ["absent"]) else "json" }}'
+    body:        '{{ omit if (item.state | d("present") in ["absent"]) else (item.data | to_json) }}'
+    status_code: '{{ ["200", "404"] if (item.state | d("present") in ["absent"]) else "200" }}'  # noqa args[module]
+    user: "{{ elasticsearch__api_username }}"
+    password: "{{ elasticsearch__api_password }}"
+    force_basic_auth: True
+  loop: '{{ elasticsearch__combined_native_users | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: elasticsearch__api_base_url and item.state | d('present') not in ['init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/ansible/facts.d/elasticsearch.fact.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/ansible/facts.d/elasticsearch.fact.j2
new file mode 100644
index 00000000..a19dfac6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/ansible/facts.d/elasticsearch.fact.j2
@@ -0,0 +1,34 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import os
+
+output = {'installed': True, 'configured': False}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "elasticsearch"]).decode('utf-8')
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+marker = '/etc/elasticsearch/elasticsearch.yml.dpkg-divert'
+
+if (os.path.exists(marker) and os.path.isfile(marker)):
+    output['configured'] = True
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.j2
new file mode 100644
index 00000000..838f0264
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/elasticsearch.yml.j2
@@ -0,0 +1,271 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+#       Before you set out to tweak and tune the configuration, make sure you
+#       understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+
+{% set elasticsearch__tpl_config = {} %}
+{% set elasticsearch__tpl_comment = {} %}
+{% for item in elasticsearch__combined_configuration | debops.debops.parse_kv_config %}
+{%   if item is mapping %}
+{%     if item.name | d() %}
+{%       if item.state | d('present') != 'absent' %}
+{%         if item.value is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.value } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): item.value }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{#           set _ = elasticsearch__tpl_config.update({ item.name: item.value }) #}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.options is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.options, 'options': item.options } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'options': item.options } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.empty is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.empty, 'empty': item.empty } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'empty': item.empty } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.raw is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.raw, 'raw': item.raw } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'raw': item.raw } }) %}
+{%           endif %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = elasticsearch__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         endif %}
+{%       elif item.state | d('present') == 'absent' %}
+{%         set name_exploded = item.name.split('.') %}
+{%         set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.pop(name_exploded[1:] | join('.'), None) %}
+{%         if current_dict.keys() | length > 0 %}
+{%           set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%         else %}
+{%           set _ = elasticsearch__tpl_config.pop(name_exploded[0], None) %}
+{%         endif %}
+{#         set _ = elasticsearch__tpl_config.pop(item.name, None) #}
+{%       endif %}
+{%     else %}
+{%       for key, value in item.items() %}
+{%         set name_exploded = key.split('.') %}
+{%         set current_dict = elasticsearch__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.update({ name_exploded[1:] | join('.'): value }) %}
+{%         set _ = elasticsearch__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% macro print_config(config, key_prefix='') %}
+{%   for key, value in config.items() %}
+{%     if key | d() %}{# key is not empty #}
+{%       if (key_prefix + '.' + key) in elasticsearch__tpl_comment.keys() %}
+
+{{ elasticsearch__tpl_comment[key_prefix + '.' + key] | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{%       if value | bool and value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%       elif not value | bool and value is not iterable %}
+{%         if value is not none %}
+{%           if value | int or value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%           endif %}
+{%         endif %}
+{%       elif value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value) }}
+{%       elif value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%       elif value is mapping %}
+{%         if value.comment is defined %}
+{%           if value.comment | bool and value.comment is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%           elif not value.comment | bool and value.comment is not iterable %}
+{%             if value.comment is not none %}
+{%               if value.comment | int or value.comment | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%               endif %}
+{%             endif %}
+{%           elif value.comment is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is mapping %}
+{%             if value.options | d() %}
+{%               if value.options is mapping %}
+{%                 for option_key, option_value in value.options.items() %}
+{%                   if option_value | bool and option_value is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%                   elif not option_value | bool and option_value is not iterable %}
+{%                     if option_value is not none %}
+{%                       if option_value | int or option_value | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                       else %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                       endif %}
+{%                     endif %}
+{%                   elif option_value is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is not string and option_value is not mapping %}
+{%                     if option_value | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | join('", "') + '" ]') }}
+{%                     else %}
+# {{ key_prefix + '.' + option_key }}:
+{%                       for element in option_value %}
+#  - "{{ element }}"
+{%                       endfor %}
+
+{%                     endif %}
+{%                   endif %}
+{%                 endfor %}
+{%               endif %}
+{%             elif value.empty is defined %}
+{%               if value.empty is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%               endif %}
+{%             elif value.raw | d() %}
+{{ value.raw | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%             endif %}
+{%           elif value.comment is not string and value.comment is not mapping %}
+{%             if value.comment | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, '[ "' + value.comment | join('", "') + '" ]') }}
+{%             else %}
+# {{ key_prefix + '.' + key }}:
+{%               for element in value.comment %}
+#  - "{{ element }}"
+{%               endfor %}
+
+{%             endif %}
+{%           endif %}
+{%         elif value.options | d() %}
+{%           if value.options is mapping %}
+{%             for option_key, option_value in value.options.items() %}
+{%               if option_value | bool and option_value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%               elif not option_value | bool and option_value is not iterable %}
+{%                 if option_value is not none %}
+{%                   if option_value | int or option_value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   else %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                   endif %}
+{%                 endif %}
+{%               elif option_value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is not string and option_value is not mapping %}
+{%                 if option_value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | join('", "') + '" ]') }}
+{%                 else %}
+{{ key_prefix + '.' + option_key }}:
+{%                  for element in option_value %}
+  - "{{ element }}"
+{%                  endfor %}
+
+{%                endif %}
+{%              endif %}
+{%             endfor %}
+{%           endif %}
+{%         elif value.empty is defined %}
+{%           if value.empty is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%           endif %}
+{%         elif value.raw | d() %}
+{{ value.raw }}
+{%         endif %}
+{%       elif value is not string and value is not mapping %}
+{%         if value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + key, '[ "' + value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%         else %}
+{{ key_prefix + '.' + key }}:
+{%           for element in value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+  - "{{ element }}"
+{%           endfor %}
+
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{% set elasticsearch__tpl_seen_sections = [] %}
+{% for section in elasticsearch__configuration_sections %}
+{%   if section.name | d() %}
+{%     if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(elasticsearch__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(elasticsearch__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     endif %}
+{%   endif %}
+{%   if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(elasticsearch__tpl_config.keys()) %}
+{%     for element in ([ section.part ] if section.part is string else section.part) %}
+{%       if element in elasticsearch__tpl_config.keys() and element not in elasticsearch__tpl_seen_sections %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%         set _ = elasticsearch__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(elasticsearch__tpl_config.keys()) %}
+{%     for element in ([ section.parts ] if section.parts is string else section.parts) %}
+{%       if element in elasticsearch__tpl_config.keys() and element not in elasticsearch__tpl_seen_sections %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%         set _ = elasticsearch__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   endif %}
+{% endfor %}
+{% if elasticsearch__tpl_config.keys() | difference(elasticsearch__tpl_seen_sections) %}
+{{ "{:-^78}".format(' Various ') | comment }}
+{%   for element in (elasticsearch__tpl_config.keys() | difference(elasticsearch__tpl_seen_sections)) %}
+{{ print_config(elasticsearch__tpl_config[element], key_prefix=element) -}}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/jvm.options.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/jvm.options.j2
new file mode 100644
index 00000000..1fd7b92f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/elasticsearch/jvm.options.j2
@@ -0,0 +1,120 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms{{ elasticsearch__jvm_memory_min_heap_size | d('2g') }}
+-Xmx{{ elasticsearch__jvm_memory_max_heap_size | d('2g') }}
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+
+## JVM temporary directory
+-Djava.io.tmpdir=${ES_TMPDIR}
+
+## optimizations
+
+# disable calls to System#gc
+-XX:+DisableExplicitGC
+
+# pre-touch memory pages used by the JVM during initialization
+-XX:+AlwaysPreTouch
+
+## basic
+
+# force the server VM (remove on 32-bit client JVMs)
+-server
+
+# explicitly set the stack size (reduce to 320k on 32-bit client JVMs)
+-Xss1m
+
+# set to headless, just in case
+-Djava.awt.headless=true
+
+# ensure UTF-8 encoding by default (e.g. filenames)
+-Dfile.encoding=UTF-8
+
+# use our provided JNA always versus the system one
+-Djna.nosys=true
+
+# use old-style file permissions on JDK9
+-Djdk.io.permissionsUseCanonicalPath=true
+
+# flags to configure Netty
+-Dio.netty.noUnsafe=true
+-Dio.netty.noKeySetOptimization=true
+-Dio.netty.recycler.maxCapacityPerThread=0
+
+# log4j 2
+-Dlog4j.shutdownHookEnabled=false
+-Dlog4j2.disable.jmx=true
+-Dlog4j.skipJansi=true
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps
+# ensure the directory exists and has sufficient space
+-XX:HeapDumpPath=${heap.dump.path}
+
+## GC logging
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:/var/log/elasticsearch/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d/ansible.conf.j2
new file mode 100644
index 00000000..4ad64b5a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/etc/systemd/system/elasticsearch.service.d/ansible.conf.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Service]
+{% if elasticsearch__memory_lock | bool %}
+LimitMEMLOCK={{ elasticsearch__systemd_limit_memlock }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__dependent_configuration_filter.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__dependent_configuration_filter.j2
new file mode 100644
index 00000000..1f363cb0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__dependent_configuration_filter.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_dependent_configuration = {} %}
+{% if (elasticsearch__register_dependent_config | d() and elasticsearch__register_dependent_config.content | d()) %}
+{%   set _ = elasticsearch__tpl_dependent_configuration.update(elasticsearch__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if elasticsearch__dependent_role | d() %}
+{%   if elasticsearch__dependent_state == 'present' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.update({elasticsearch__dependent_role: elasticsearch__dependent_configuration}) %}
+{%   elif elasticsearch__dependent_state == 'absent' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.pop(elasticsearch__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{% set elasticsearch__tpl_output = [] %}
+{% for key, value in elasticsearch__tpl_dependent_configuration.items() %}
+{%   set _ = elasticsearch__tpl_output.append(value) %}
+{% endfor %}
+{{ elasticsearch__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__plugin_configuration.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__plugin_configuration.j2
new file mode 100644
index 00000000..1cc17955
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__plugin_configuration.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_output = [] %}
+{% for plugin in ([ elasticsearch__combined_plugins ] if elasticsearch__combined_plugins is mapping else elasticsearch__combined_plugins) %}
+{%   if plugin.state | d('present') != 'absent' %}
+{%     if plugin.configuration | d() %}
+{%       set _ = elasticsearch__tpl_output.append(plugin.configuration) %}
+{%     elif plugin.config | d() %}
+{%       set _ = elasticsearch__tpl_output.append(plugin.config) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ elasticsearch__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__secret__directories.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__secret__directories.j2
new file mode 100644
index 00000000..cf394b3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/lookup/elasticsearch__secret__directories.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'elasticsearch/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/secret/elasticsearch/dependent_config/config.json.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/secret/elasticsearch/dependent_config/config.json.j2
new file mode 100644
index 00000000..388d6626
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/secret/elasticsearch/dependent_config/config.json.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set elasticsearch__tpl_dependent_configuration = {} %}
+{% if (elasticsearch__register_dependent_config | d() and elasticsearch__register_dependent_config.content | d()) %}
+{%   set _ = elasticsearch__tpl_dependent_configuration.update(elasticsearch__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if elasticsearch__dependent_role | d() %}
+{%   if elasticsearch__dependent_state == 'present' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.update({elasticsearch__dependent_role: elasticsearch__dependent_configuration}) %}
+{%   elif elasticsearch__dependent_state == 'absent' %}
+{%     set _ = elasticsearch__tpl_dependent_configuration.pop(elasticsearch__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{{ elasticsearch__tpl_dependent_configuration | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security/java.policy.j2 b/ansible_collections/debops/debops/roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security/java.policy.j2
new file mode 100644
index 00000000..c9ba2090
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/elasticsearch/templates/usr/share/elasticsearch/jdk/conf/security/java.policy.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+//     permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+{{ elasticsearch__java_policy }}
diff --git a/ansible_collections/debops/debops/roles/environment/COPYRIGHT b/ansible_collections/debops/debops/roles/environment/COPYRIGHT
new file mode 100644
index 00000000..0235c017
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.environment - Manage system environment variables using Ansible
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/environment/defaults/main.yml b/ansible_collections/debops/debops/roles/environment/defaults/main.yml
new file mode 100644
index 00000000..f520434c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/defaults/main.yml
@@ -0,0 +1,107 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _environment__ref_defaults:
+
+# debops.environment default variables [[[
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role configuration [[[
+# ----------------------
+
+# .. envvar:: environment__enabled [[[
+#
+# Enable or disable configuration of environment variables. By default
+# configuration is automatically enabled if any variables are set and disabled
+# otherwise. Set to ``False`` to disable.
+environment__enabled: '{{ lookup("template", "lookup/environment__enabled.j2")
+                          | from_yaml | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: environment__file [[[
+#
+# Path to the file where environment variables are stored.
+environment__file: '/etc/environment'
+
+                                                                   # ]]]
+# .. envvar:: environment__case [[[
+#
+# Control how role should modify variable names:
+#
+# - ``preserve``: don't change the case
+#
+# - ``upper``: uppercase all variable names
+#
+# - ``lower``: lowercase all variable names
+#
+environment__case: 'preserve'
+
+                                                                   # ]]]
+# .. envvar:: environment__placement [[[
+#
+# Default placement of the Ansible block in the environment file:
+#
+# - ``before``: add the block at the start of the file
+#
+# - ``after``: add the block at the end of the file
+#
+# To reset the block location, either remove it from the file, or disable and
+# enable the role using ``environment__enabled`` variable.
+environment__placement: 'before'
+                                                                   # ]]]
+                                                                   # ]]]
+# Environment variable lists [[[
+# ------------------------------
+
+# These lists define what environment variables should be defined on a host.
+# See :ref:`environment__ref_variables` for details.
+
+# .. envvar:: environment__default_variables [[[
+#
+# List of default environment variables to set on all hosts. See
+# :ref:`environment__ref_inventory__environment` for the explanation of default
+# values set in this list.
+environment__default_variables:
+  - '{{ inventory__environment | d({}) }}'
+  - '{{ inventory__group_environment | d({}) }}'
+  - '{{ inventory__host_environment | d({}) }}'
+
+                                                                   # ]]]
+# .. envvar:: environment__variables [[[
+#
+# List of environment variables which should be defined on all hosts in Ansible
+# inventory.
+environment__variables: []
+
+                                                                   # ]]]
+# .. envvar:: environment__group_variables [[[
+#
+# List of environment variables which should be defined on a group of hosts in
+# Ansible inventory.
+environment__group_variables: []
+
+                                                                   # ]]]
+# .. envvar:: environment__host_variables [[[
+#
+# List of environment variables which should be defined on specific hosts in
+# Ansible inventory.
+environment__host_variables: []
+
+                                                                   # ]]]
+# .. envvar:: environment__dependent_variables [[[
+#
+# List of environment variables which are defined by other Ansible roles as
+# a dependency.
+environment__dependent_variables: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/environment/meta/main.yml b/ansible_collections/debops/debops/roles/environment/meta/main.yml
new file mode 100644
index 00000000..a3f1e802
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage system environment variables'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  galaxy_tags:
+  - system
+  - environment
+  - variables
diff --git a/ansible_collections/debops/debops/roles/environment/tasks/main.yml b/ansible_collections/debops/debops/roles/environment/tasks/main.yml
new file mode 100644
index 00000000..c7c2cf2f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure /etc/environment
+  ansible.builtin.blockinfile:  # noqa args[module]
+    dest: '{{ environment__file }}'
+    state: '{{ "present" if environment__enabled | bool else "absent" }}'
+    block: '{{ lookup("template", "lookup/environment__variables.j2") }}'
+    insertbefore: '{{ "BOF" if environment__placement == "before" else omit }}'
+    insertafter: '{{ "EOF" if environment__placement == "after" else omit }}'
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Update Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/environment.fact.j2'
+    dest: '/etc/ansible/facts.d/environment.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/environment/templates/etc/ansible/facts.d/environment.fact.j2 b/ansible_collections/debops/debops/roles/environment/templates/etc/ansible/facts.d/environment.fact.j2
new file mode 100644
index 00000000..4a8e4049
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/templates/etc/ansible/facts.d/environment.fact.j2
@@ -0,0 +1,56 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro print_environment(element) %}
+{%   if element is mapping %}
+{%     if 'name' in element.keys() and 'value' in element.keys() %}
+{%       if element.state | d('present') != 'absent' %}
+{%         if ((element.case is undefined and environment__case == 'upper') or (element.case | d() and element.case == 'upper')) %}
+{{ element.name | upper }}: '{{ element.value }}'
+{%         elif ((element.case is undefined and environment__case == 'lower') or (element.case | d() and element.case == 'lower')) %}
+{{ element.name | lower }}: '{{ element.value }}'
+{%         else %}
+{{ element.name }}: '{{ element.value }}'
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{%         if environment__case == 'upper' %}
+{{ key | upper }}: '{{ value }}'
+{%         elif environment__case == 'lower' %}
+{{ key | lower }}: '{{ value }}'
+{%         else %}
+{{ key }}: '{{ value }}'
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   elif element is string %}
+{%     set environment__tpl_key = element.split('=')[0] %}
+{%     set environment__tpl_value = element.split('=')[1:] | join('=') %}
+{%     if environment__case == 'upper' %}
+{{ environment__tpl_key | upper }}: '{{ environment__tpl_value }}'
+{%     elif environment__case == 'lower' %}
+{{ environment__tpl_key | lower }}: '{{ environment__tpl_value }}'
+{%     else %}
+{{ environment__tpl_key }}: '{{ environment__tpl_value }}'
+{%     endif %}
+{%   else %}
+{%     for widget in element %}
+{{ print_environment(widget) }}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% set environment__tpl_fact_variables = ansible_local.environment.variables | d({}) %}
+{% set environment__tpl_dependent_variables = print_environment(environment__dependent_variables) | from_yaml %}
+{% set environment__tpl_entries = {} %}
+{% if environment__tpl_fact_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_fact_variables) %}
+{% endif %}
+{% if environment__tpl_dependent_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_dependent_variables) %}
+{% endif %}
+{
+"enabled": "{{ environment__enabled | bool | lower }}",
+"variables": {{ environment__tpl_entries | to_nice_json }}
+}
diff --git a/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__enabled.j2 b/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__enabled.j2
new file mode 100644
index 00000000..8b7c8947
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__enabled.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set environment__tpl_enabled = [] %}
+{% for element in environment__default_variables + environment__variables + environment__group_variables + environment__host_variables + environment__dependent_variables %}
+{%   if element %}
+{%     set _ = environment__tpl_enabled.append(element) %}
+{%   endif %}
+{% endfor %}
+{{ True if environment__tpl_enabled else False -}}
diff --git a/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__variables.j2 b/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__variables.j2
new file mode 100644
index 00000000..9dd76869
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/environment/templates/lookup/environment__variables.j2
@@ -0,0 +1,72 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro print_environment(element) %}
+{%   if element is mapping %}
+{%     if 'name' in element.keys() and 'value' in element.keys() %}
+{%       if element.state | d('present') != 'absent' %}
+{%         if ((element.case is undefined and environment__case == 'upper') or (element.case | d() and element.case == 'upper')) %}
+{{ element.name | upper }}: '{{ element.value }}'
+{%         elif ((element.case is undefined and environment__case == 'lower') or (element.case | d() and element.case == 'lower')) %}
+{{ element.name | lower }}: '{{ element.value }}'
+{%         else %}
+{{ element.name }}: '{{ element.value }}'
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{%         if environment__case == 'upper' %}
+{{ key | upper }}: '{{ value }}'
+{%         elif environment__case == 'lower' %}
+{{ key | lower }}: '{{ value }}'
+{%         else %}
+{{ key }}: '{{ value }}'
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   elif element is string %}
+{%     set environment__tpl_key = element.split('=')[0] %}
+{%     set environment__tpl_value = element.split('=')[1:] | join('=') %}
+{%     if environment__case == 'upper' %}
+{{ environment__tpl_key | upper }}: '{{ environment__tpl_value }}'
+{%     elif environment__case == 'lower' %}
+{{ environment__tpl_key | lower }}: '{{ environment__tpl_value }}'
+{%     else %}
+{{ environment__tpl_key }}: '{{ environment__tpl_value }}'
+{%     endif %}
+{%   else %}
+{%     for widget in element %}
+{{ print_environment(widget) }}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% set environment__tpl_default_variables = print_environment(environment__default_variables) | from_yaml %}
+{% set environment__tpl_variables = print_environment(environment__variables) | from_yaml %}
+{% set environment__tpl_group_variables = print_environment(environment__group_variables) | from_yaml %}
+{% set environment__tpl_host_variables = print_environment(environment__host_variables) | from_yaml %}
+{% set environment__tpl_fact_variables = ansible_local.environment.variables | d({}) %}
+{% set environment__tpl_dependent_variables = print_environment(environment__dependent_variables) | from_yaml %}
+{% set environment__tpl_entries = {} %}
+{% if environment__tpl_default_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_default_variables) %}
+{% endif %}
+{% if environment__tpl_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_variables) %}
+{% endif %}
+{% if environment__tpl_group_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_group_variables) %}
+{% endif %}
+{% if environment__tpl_host_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_host_variables) %}
+{% endif %}
+{% if environment__tpl_fact_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_fact_variables) %}
+{% endif %}
+{% if environment__tpl_dependent_variables %}
+{%   set environment__tpl_entries = environment__tpl_entries | combine(environment__tpl_dependent_variables) %}
+{% endif %}
+
+{% for key in environment__tpl_entries.keys() | sort %}
+{{ key }}={{ environment__tpl_entries[key] }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/COPYRIGHT b/ansible_collections/debops/debops/roles/etc_aliases/COPYRIGHT
new file mode 100644
index 00000000..c0b8cb84
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.etc_aliases - Manage /etc/aliases database using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/defaults/main.yml b/ansible_collections/debops/debops/roles/etc_aliases/defaults/main.yml
new file mode 100644
index 00000000..a1eec046
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/defaults/main.yml
@@ -0,0 +1,313 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _etc_aliases__ref_defaults:
+
+# debops.etc_aliases default variables [[[
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration [[[
+# -----------------------
+
+# .. envvar:: etc_aliases__rfc2142_compliant [[[
+#
+# Enable or disable mail aliases recommended by :rfc:`2142`: Mailbox Names For
+# Common Services and Functions.
+etc_aliases__rfc2142_compliant: True
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__admin_private_email [[[
+#
+# List of e-mail addresses of the system administrators defined by the
+# :ref:`debops.core` Ansible role. These addresses will be used as the recipients of
+# the mail sent to the ``root`` account.
+etc_aliases__admin_private_email: '{{ ansible_local.core.admin_private_email | d("root@" + etc_aliases__domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__domain [[[
+#
+# The DNS domain used to generate the ``root`` e-mail alias if :ref:`debops.core`
+# role facts are not present on the host.
+etc_aliases__domain: '{{ ansible_domain }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Local mail aliases and their recipients [[[
+# -------------------------------------------
+
+# These lists define the aliases present in the :file:`/etc/aliases` database
+# and their corresponding mail recipients.
+# See :ref:`etc_aliases__ref_recipients` for more details.
+
+# .. envvar:: etc_aliases__rfc2142_recipients [[[
+#
+# List of mailboxes defined by the :rfc:`2142`: Mailbox Names For
+# Common Services and Functions.
+etc_aliases__rfc2142_recipients:
+
+  - name: 'info'
+    dest: 'staff'
+    comment: |
+      Packaged information about the organization,
+      products and/or services, as appropriate.
+    section: 'business'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'marketing'
+    dest: 'staff'
+    comment: 'Product marketing and marketing communications.'
+    section: 'business'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'sales'
+    dest: 'staff'
+    comment: 'Product purchase information.'
+    section: 'business'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'support'
+    dest: 'staff'
+    comment: 'Problems with products or services.'
+    section: 'business'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'abuse'
+    dest: 'root'
+    comment: 'Inappropriate public behaviour.'
+    section: 'network'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'noc'
+    to: 'root'
+    comment: 'Network infrastructure.'
+    section: 'network'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - alias: 'security'
+    to: 'root'
+    comment: 'Security bulletins or queries.'
+    section: 'network'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'postmaster'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'hostmaster'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'usenet'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'news'
+    dest: 'usenet'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'webmaster'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'www'
+    dest: 'webmaster'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'uucp'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'ftp'
+    dest: 'root'
+    section: 'support'
+    state: '{{ "present"
+               if etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__default_recipients [[[
+#
+# List of the default mail aliases defined by the role.
+etc_aliases__default_recipients:
+
+  - name: 'root'
+    dest: '{{ etc_aliases__admin_private_email }}'
+    section: 'admin'
+    weight: -10
+
+  - name: 'admin'
+    dest: 'root'
+    section: 'admin'
+    weight: -8
+
+  - name: 'hostmaster'
+    dest: 'root'
+    section: 'admin'
+    weight: -8
+    state: '{{ "present"
+               if not etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'operator'
+    dest: 'root'
+    section: 'admin'
+    weight: -8
+
+  - name: 'backup'
+    dest: 'root'
+    section: 'admin'
+    weight: -5
+
+  - name: 'monitoring'
+    dest: 'root'
+    section: 'admin'
+    weight: -5
+
+  - name: 'staff'
+    dest: 'root'
+    section: 'admin'
+
+  - name: 'postmaster'
+    dest: 'root'
+    section: 'system'
+    state: '{{ "present"
+               if not etc_aliases__rfc2142_compliant | bool
+               else "ignore" }}'
+
+  - name: 'MAILER-DAEMON'
+    dest: 'postmaster'
+    section: 'system'
+
+  - name: 'noreply'
+    dest: 'devnull'
+    section: 'system'
+    weight: 10
+
+  - name: 'devnull'
+    dest: '/dev/null'
+    section: 'system'
+    weight: 20
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__recipients [[[
+#
+# List of the mail aliases and recipients which should be present on all hosts
+# in the Ansible inventory.
+etc_aliases__recipients: []
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__group_recipients [[[
+#
+# List of the mail alases and recipients which should be present on host in
+# a specific Ansible inventory group.
+etc_aliases__group_recipients: []
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__host_recipients [[[
+#
+# List of the mail aliases and recipients which should be present on specific
+# hosts in the Ansible inventory.
+etc_aliases__host_recipients: []
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__dependent_recipients [[[
+#
+# List of the mail aliases and recipients defined by other roles through role
+# dependent variables. The configuration syntax differs from a normal
+# alias/recipient configuration, see :ref:`etc_aliases__ref_dependency` for
+# more details.
+etc_aliases__dependent_recipients: []
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__dependent_recipients_filter [[[
+#
+# The filtered configuration from other roles passed via role dependent
+# variables. This variable should be included in the combined list of
+# aliases/recipients. See :ref:`etc_aliases__ref_dependency` for more details.
+etc_aliases__dependent_recipients_filter: '{{ lookup("template",
+                                              "lookup/etc_aliases__dependent_recipients_filter.j2")
+                                              | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__combined_recipients [[[
+#
+# Combined list of aliases and recipients which is passed to the configuration
+# template.
+etc_aliases__combined_recipients: '{{ etc_aliases__rfc2142_recipients
+                                       + etc_aliases__default_recipients
+                                       + etc_aliases__dependent_recipients_filter
+                                       + etc_aliases__recipients
+                                       + etc_aliases__group_recipients
+                                       + etc_aliases__host_recipients }}'
+
+                                                                   # ]]]
+# .. envvar:: etc_aliases__sections [[[
+#
+# List of sections defined in the :file:`/etc/aliases` file for readability.
+# See :ref:`etc_aliases__ref_sections` for more details.
+etc_aliases__sections:
+
+  - name: 'admin'
+    title: 'IT Operations mail aliases'
+
+  - name: 'unknown'
+    title: 'User mail aliases'
+
+  - name: 'business'
+    title: 'RFC 2142: Business-related mail aliases'
+
+  - name: 'network'
+    title: 'RFC 2142: Network Operations mail aliases'
+
+  - name: 'support'
+    title: 'RFC 2142: Mail aliases for specific host services'
+
+  - name: 'system'
+    title: 'Internal mail system aliases'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/meta/main.yml b/ansible_collections/debops/debops/roles/etc_aliases/meta/main.yml
new file mode 100644
index 00000000..9480c81c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage mail alias database in /etc/aliases'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - email
+    - mail
+    - smtp
+    - smtpd
+    - postfix
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/tasks/main.yml b/ansible_collections/debops/debops/roles/etc_aliases/tasks/main.yml
new file mode 100644
index 00000000..891e886e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check if the dependent recipients file exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/etc_aliases/dependent_config/" + inventory_hostname + "/recipients.json" }}'
+  register: etc_aliases__register_dependent_recipients_file
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local | d() and ansible_local.etc_aliases | d() and
+         ansible_local.etc_aliases.configured is defined and
+         ansible_local.etc_aliases.configured | bool)
+
+- name: Load the dependent recipients from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/etc_aliases/dependent_config/" + inventory_hostname + "/recipients.json" }}'
+  register: etc_aliases__register_dependent_recipients
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local | d() and ansible_local.etc_aliases | d() and
+         ansible_local.etc_aliases.configured is defined and
+         ansible_local.etc_aliases.configured | bool and
+         etc_aliases__register_dependent_recipients_file.stat.exists | bool)
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save etc_aliases local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/etc_aliases.fact.j2'
+    dest: '/etc/ansible/facts.d/etc_aliases.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate the /etc/aliases file
+  ansible.builtin.template:
+    src: 'etc/aliases.j2'
+    dest: '/etc/aliases'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Update /etc/aliases.db database' ]
+
+- name: Save etc_aliases dependent recipients on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2'
+    dest: '{{ secret + "/etc_aliases/dependent_config/" + inventory_hostname + "/recipients.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  when: etc_aliases__dependent_recipients | length > 0
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/tasks/main_env.yml b/ansible_collections/debops/debops/roles/etc_aliases/tasks/main_env.yml
new file mode 100644
index 00000000..53d51565
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/tasks/main_env.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.etc_aliases environment
+  ansible.builtin.set_fact:
+    etc_aliases__secret__directories: '{{ lookup("template", "lookup/etc_aliases__secret__directories.j2")
+                                          | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/aliases.j2 b/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/aliases.j2
new file mode 100644
index 00000000..7804ed87
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/aliases.j2
@@ -0,0 +1,44 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Local alias database
+# See aliases(5) for more details
+
+{% set etc_aliases__tpl_filtered_recipients = (etc_aliases__combined_recipients | debops.debops.etc_aliases_parse_recipients) %}
+{% set etc_aliases__tpl_section_list = ((etc_aliases__tpl_filtered_recipients | map(attribute='section')) | list | unique) %}
+{% for section in etc_aliases__sections %}
+{%   if section.state | d('present') != 'absent' %}
+{%     set section_loop = [] %}
+{%     set section_comment_prefix = ('' if loop.first | bool else '\n') %}
+{%     if section.name in etc_aliases__tpl_section_list %}
+{%       if section.title | d() %}
+{{ '{:-^78}'.format(' ' + section.title + ' ') | comment(prefix=section_comment_prefix, postfix='') }}
+{%       endif %}
+{%       for element in etc_aliases__tpl_filtered_recipients %}
+{%         if element.section == section.name and element.state | d('present') != 'absent' %}
+{%           set comment_prefix =   ('' if not section_loop else '\n') %}
+{%           set alias_name =       (('"' + (element.real_name | d(element.name)) + '"')
+                                     if (element.real_name | d(element.name)) is search('[^a-zA-Z0-9\-\_\.]')
+                                     else (element.real_name | d(element.name))) %}
+{%           if element.recipients | d() %}
+{%             set alias_recipients = ' ' + ([ element.recipients ] if element.recipients is string else element.recipients) | join(', ') %}
+{%           else %}
+{%             set alias_recipients = '' %}
+{%           endif %}
+{%           set alias_commented =  ('#' if element.state | d('present') == 'comment' else '') %}
+{%           set alias_indent =     (('29' if alias_commented else '30') if alias_recipients else '0') %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix=comment_prefix, postfix='') -}}
+{%           endif %}
+{%           if element.state | d('present') != 'hidden' %}
+{{ ('{}{:<' + alias_indent + '}{}').format(alias_commented, alias_name + ':', alias_recipients) }}
+{%             set _ = section_loop.append(True) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/ansible/facts.d/etc_aliases.fact.j2 b/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/ansible/facts.d/etc_aliases.fact.j2
new file mode 100644
index 00000000..ed7b27d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/templates/etc/ansible/facts.d/etc_aliases.fact.j2
@@ -0,0 +1,29 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+output = ({
+    'configured': True,
+    'newaliases': False
+})
+
+newaliases_path = [
+    '/usr/bin/newaliases',
+    '/usr/sbin/newaliases'
+]
+
+for file_path in newaliases_path:
+    if os.path.isfile(file_path) and os.access(file_path, os.X_OK):
+        output.update({'newaliases': True})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__dependent_recipients_filter.j2 b/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__dependent_recipients_filter.j2
new file mode 100644
index 00000000..f1f4e0d6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__dependent_recipients_filter.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set etc_aliases__tpl_dependent_recipients = {} %}
+{% if (etc_aliases__register_dependent_recipients | d() and etc_aliases__register_dependent_recipients.content | d()) %}
+{%   set _ = etc_aliases__tpl_dependent_recipients.update(etc_aliases__register_dependent_recipients.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if etc_aliases__dependent_recipients %}
+{%   set etc_aliases__tpl_flattened_recipients = lookup('flattened', etc_aliases__dependent_recipients) %}
+{%   for element in ([ etc_aliases__tpl_flattened_recipients ] if etc_aliases__tpl_flattened_recipients is mapping else etc_aliases__tpl_flattened_recipients) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.pop(element.role, None) %}
+{%       endif %}
+{%     else %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set etc_aliases__tpl_output = [] %}
+{% for key, value in etc_aliases__tpl_dependent_recipients.items() %}
+{%   set _ = etc_aliases__tpl_output.extend(value) %}
+{% endfor %}
+{{ etc_aliases__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__secret__directories.j2 b/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__secret__directories.j2
new file mode 100644
index 00000000..9e5288eb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/templates/lookup/etc_aliases__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'etc_aliases/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/etc_aliases/templates/secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2 b/ansible_collections/debops/debops/roles/etc_aliases/templates/secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2
new file mode 100644
index 00000000..0651aa5f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_aliases/templates/secret/etc_aliases/dependent_config/inventory_hostname/recipients.json.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set etc_aliases__tpl_dependent_recipients = {} %}
+{% if (etc_aliases__register_dependent_recipients | d() and etc_aliases__register_dependent_recipients.content | d()) %}
+{%   set _ = etc_aliases__tpl_dependent_recipients.update(etc_aliases__register_dependent_recipients.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if etc_aliases__dependent_recipients %}
+{%   set etc_aliases__tpl_flattened_recipients = lookup('flattened', etc_aliases__dependent_recipients) %}
+{%   for element in ([ etc_aliases__tpl_flattened_recipients ] if etc_aliases__tpl_flattened_recipients is mapping else etc_aliases__tpl_flattened_recipients) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.pop(element.role, None) %}
+{%       endif %}
+{%     else %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = etc_aliases__tpl_dependent_recipients.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ etc_aliases__tpl_dependent_recipients | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/etc_services/COPYRIGHT b/ansible_collections/debops/debops/roles/etc_services/COPYRIGHT
new file mode 100644
index 00000000..50920476
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.etc_services - Manage /etc/services database using Ansible
+
+Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/etc_services/defaults/main.yml b/ansible_collections/debops/debops/roles/etc_services/defaults/main.yml
new file mode 100644
index 00000000..2d4fdefd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/defaults/main.yml
@@ -0,0 +1,101 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _etc_services__ref_defaults:
+
+# debops.etc_services default variables [[[
+# =========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role configuration and internals [[[
+# ------------------------------------
+
+# .. envvar:: etc_services__enabled [[[
+#
+# Enable :file:`/etc/services.d/` support?
+etc_services__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: etc_services__diversion [[[
+#
+# Name of diverted :file:`/etc/services` file, do not change if the diversion
+# already is active!
+etc_services__diversion: '/etc/services.d/10_debian_etc_services'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: etc_services__base_packages [[[
+#
+# List of base APT packages to install.
+etc_services__base_packages: [ 'netbase' ]
+
+                                                                   # ]]]
+# .. envvar:: etc_services__packages [[[
+#
+# List of additional APT packages to install for :file:`/etc/services`.
+etc_services__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Service database definitions [[[
+# --------------------------------
+
+# The following lists define custom local service entries in
+# :file:`/etc/services`. See :ref:`etc_services__ref_list` for more details.
+
+# .. envvar:: etc_services__list [[[
+#
+# List of local service entries configured on all hosts in Ansible inventory.
+etc_services__list: []
+
+                                                                   # ]]]
+# .. envvar:: etc_services__group_list [[[
+#
+# List of local service entries configured on a group of hosts in Ansible
+# inventory.
+etc_services__group_list: []
+
+                                                                   # ]]]
+# .. envvar:: etc_services__host_list [[[
+#
+# List of local service entries configured on specific hosts in Ansible
+# inventory.
+etc_services__host_list: []
+
+                                                                   # ]]]
+# .. envvar:: etc_services__dependent_list [[[
+#
+# List of local service entries configured by other Ansible roles using role
+# dependent variables.
+etc_services__dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: etc_services__combined_list [[[
+#
+# List of all of the service definitions combined into one, used in the tasks.
+# Some variables are deprecated but still present to allow for backwards
+# compatibility.
+etc_services__combined_list:
+  - '{{ etc_services__list }}'
+  - '{{ etc_services__group_list }}'
+  - '{{ etc_services__host_list }}'
+  - '{{ etc_services__dependent_list }}'
+  - '{{ etc_services_list | d([]) }}'
+  - '{{ etc_services_group_list | d([]) }}'
+  - '{{ etc_services_host_list | d([]) }}'
+  - '{{ etc_services_dependent_list | d([]) }}'
+  - '{{ etc_services_dependency_list | d([]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/etc_services/handlers/main.yml b/ansible_collections/debops/debops/roles/etc_services/handlers/main.yml
new file mode 100644
index 00000000..4e9b6d1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Assemble services.d
+  ansible.builtin.assemble:
+    src:  '/etc/services.d'
+    dest: '/etc/services'
+    backup: False
+    owner: 'root'
+    group: 'root'
+    mode:  '0644'
+  when: etc_services__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/etc_services/meta/main.yml b/ansible_collections/debops/debops/roles/etc_services/meta/main.yml
new file mode 100644
index 00000000..0df9247c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage service definitions in /etc/services'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - system
diff --git a/ansible_collections/debops/debops/roles/etc_services/tasks/main.yml b/ansible_collections/debops/debops/roles/etc_services/tasks/main.yml
new file mode 100644
index 00000000..bdf38aa4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (etc_services__base_packages + etc_services__packages) | flatten }}'
+    state: 'present'
+  register: etc_services__register_packages
+  until: etc_services__register_packages is succeeded
+
+- name: Make sure /etc/services.d directory exists
+  ansible.builtin.file:
+    path:  '/etc/services.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode:  '0755'
+
+- name: Create /etc/services.d/00_ansible
+  ansible.builtin.template:
+    src:  'etc/services.d/00_ansible.j2'
+    dest: '/etc/services.d/00_ansible'
+    owner: 'root'
+    group: 'root'
+    mode:  '0644'
+
+- name: Add/remove diversion of /etc/services
+  debops.debops.dpkg_divert:
+    path: '/etc/services'
+    divert: '{{ etc_services__diversion }}'
+    state: '{{ "present" if etc_services__enabled | bool else "absent" }}'
+    delete: True
+  when: not ansible_check_mode | bool
+
+- name: Generate list of local services if requested
+  ansible.builtin.template:
+    src:  'etc/services.d/local_service.j2'
+    dest: '/etc/services.d/{{ item.filename | default("20_local_service_" + item.name) }}'
+    owner: 'root'
+    group: 'root'
+    mode:  '0644'
+  loop: '{{ etc_services__combined_list | flatten }}'
+  when: (etc_services__enabled | bool and item.state | d('present') != 'absent' and
+         ((item.name | d() and item.port | d()) or item.custom | d()))
+
+- name: Remove list of local services if requested
+  ansible.builtin.file:
+    path: '/etc/services.d/{{ item.filename | default("20_local_service_" + item.name) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", etc_services__combined_list) }}'
+  when: ((not etc_services__enabled | bool or item.delete | d() or
+          item.state | d('present') == 'absent') and
+         ((item.name | d() and item.port | d()) or item.custom | d()))
+
+- name: Assemble services.d
+  ansible.builtin.assemble:
+    src:  '/etc/services.d'
+    dest: '/etc/services'
+    backup: False
+    owner: 'root'
+    group: 'root'
+    mode:  '0644'
+  when: etc_services__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/00_ansible.j2 b/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/00_ansible.j2
new file mode 100644
index 00000000..ca0601d1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/00_ansible.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# Warning: This file is created by Ansible 'assemble' module, that combines
+# files in `/etc/services.d/` directory into file /etc/services. Do not modify
+# this file directly, instead put your additions in the `/etc/services.d/`
+# directory with a proper name, preferably after diverted original
+# `/etc/services`.
+#
+{% if etc_services__enabled | d() %}
+# Original `/etc/services` has been diverted to {{ etc_services__diversion }}
+# Original contents follow.
+{% else %}
+# `/etc/services` diversion is not active, contents of /etc/services.d/ won't be
+# included in `/etc/services`.
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/local_service.j2 b/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/local_service.j2
new file mode 100644
index 00000000..095eb4c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etc_services/templates/etc/services.d/local_service.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.custom | d() %}
+{{   item.custom }}
+{% elif item.name | d() and item.port | d() %}
+{%   set etc_services__tpl_protocols = (item.protocols | d(item.protocol) | d([ 'tcp', 'udp' ])) | list %}
+{%   for transport_layer_protocol in etc_services__tpl_protocols %}
+{{     "%-15s %s/%-26s%s" | format(
+          item.name,
+          item.port,
+          transport_layer_protocol,
+          (" # " + item.comment) if (item.comment | d()) else "")
+}}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/etckeeper/COPYRIGHT b/ansible_collections/debops/debops/roles/etckeeper/COPYRIGHT
new file mode 100644
index 00000000..e8d5ec13
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.etckeeper - Put /etc under version control using etckeeper
+
+Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/etckeeper/defaults/main.yml b/ansible_collections/debops/debops/roles/etckeeper/defaults/main.yml
new file mode 100644
index 00000000..8c603ae6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/defaults/main.yml
@@ -0,0 +1,333 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _etckeeper__ref_defaults:
+
+# debops.etckeeper default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration, installation [[[
+# ---------------------------------------
+
+# .. envvar:: etckeeper__enabled [[[
+#
+# Enable or disable support for :program:`etckeeper` on a given host. Disabling
+# this option does not remove existing :program:`etckeeper` installation and
+# committing changes via Ansible local facts will be disabled.
+etckeeper__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__installed [[[
+#
+# This variable keeps the install status of :command:`etckeeper` to distinguish
+# between new and existing installation.
+etckeeper__installed: '{{ ansible_local.etckeeper.installed | d(False) }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__base_packages [[[
+#
+# List of default APT packages to install for :program:`etckeeper` support.
+etckeeper__base_packages:
+  - '{{ "mercurial" if (etckeeper__vcs == "hg") else etckeeper__vcs }}'
+  - 'etckeeper'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__packages [[[
+#
+# List of additional APT packages to install with :program:`etckeeper`.
+etckeeper__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Package management options [[[
+# ------------------------------
+
+# .. envvar:: etckeeper__highlevel_package_manager [[[
+#
+# The high-level package manager that's being used.
+# (:command:`apt`, :command:`pacman-g2`, :command:`yum`, :command:`dnf`, :command:`zypper` etc).
+# This will only be used when your distribution was not able to predefine this.
+etckeeper__highlevel_package_manager: '{{ ansible_local.etckeeper.highlevel_package_manager | d(ansible_pkg_mgr) }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__lowlevel_package_manager [[[
+#
+# The low-level package manager that's being used.
+# (:command:`dpkg`, :command:`rpm`, :command:`pacman`, :command:`pacman-g2`, etc)
+# This will only be used when your distribution was not able to predefine this.
+etckeeper__lowlevel_package_manager: '{{ ansible_local.etckeeper.lowlevel_package_manager | d(etckeeper__high_low_pkg_map[etckeeper__highlevel_package_manager]) }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__high_low_pkg_map [[[
+#
+# A YAML dictionary that maps the high-level package manager to a low-level
+# package manager.
+etckeeper__high_low_pkg_map:
+  'apt':       'dpkg'
+  'yum':       'rpm'
+  'dnf':       'rpm'
+  'zypper':    'rpm'
+  'pacman':    'pacman'
+                                                                   # ]]]
+                                                                   # ]]]
+# Commit messages [[[
+# -------------------
+
+# .. envvar:: etckeeper__commit_message_init [[[
+#
+# Commit message for the initial commit created by the role.
+etckeeper__commit_message_init: 'Initial commit by "debops.etckeeper" Ansible role'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__commit_message_update [[[
+#
+# Commit message for the subsequent commits created by the role.
+etckeeper__commit_message_update: 'Committed by "debops.etckeeper" Ansible role'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__commit_message_fact [[[
+#
+# Commit message used by the Ansible local fact.
+etckeeper__commit_message_fact: 'Committed by Ansible local facts'
+                                                                   # ]]]
+                                                                   # ]]]
+# Version control ignore list [[[
+# -------------------------------
+
+# These list variables define which paths in :file:`/etc` directory should be
+# ignored by :program:`etckeeper`. They will be added in the
+# :file:`/etc/.gitignore` file. See :ref:`etckeeper__ref_gitignore` for more
+# details.
+
+# .. envvar:: etckeeper__block_marker [[[
+#
+# The string that marks the beginning and end of the section in the
+# :file:`.gitignore` file managed by the ``debops.etckeeper`` role. It shouldn't
+# be changed once deployed, the ``{mark}`` string is required.
+etckeeper__block_marker: '# {mark} section managed by debops.etckeeper Ansible role'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__default_gitignore [[[
+#
+# The default list of :file:`.gitignore` paths defined by the role.
+etckeeper__default_gitignore:
+
+  - name: 'tor-keys'
+    comment: |
+      There is no benefit in tracking Tor keys and it is a potential security
+      vulnerability.
+    ignore: 'tor/keys/'
+
+  - name: 'ssh-host-keys'
+    comment: 'No need to track the SSH host keys'
+    ignore: 'ssh/ssh_host_*_key'
+
+  - name: 'mandos-seckey'
+    comment: |
+      There is no benefit in tracking Mandos keys and it is a potential security
+      vulnerability in case the /etc/ repository is pushed to an external remote.
+    ignore: 'keys/mandos/seckey.txt'
+
+  - name: 'borgmatic'
+    comment: |
+      The borgmatic configuration directory can contain sensitive credentials
+      allowing access to backups of the system and potentially other systems as
+      well. debops.borgbackup only stores credentials in
+      `/etc/borgmatic/${config_name}_passphrase.txt` so we only exclude the
+      passphrase files here.
+    ignore: |-
+      borgmatic/*passphrase*
+      borgmatic.d/*passphrase*
+
+  - name: 'xorg-conf-backup'
+    ignore: 'X11/xorg.conf.backup'
+
+  - name: 'apparmor-libvirt'
+    comment: |
+      Files are generated and managed by libvirt and it is believed that there
+      is very little benefit in tracking these files.
+    ignore: 'apparmor.d/libvirt/*.files'
+
+  - name: 'zfs-zpool-cache'
+    ignore: 'zfs/zpool.cache'
+
+  - name: 'gitlab-omnibus-secrets'
+    comment: 'Ignore GitLab Omnibus secrets'
+    ignore: 'gitlab/gitlab-secrets.json'
+
+  - name: 'gitlab-runner-config'
+    comment: 'Do not commit GitLab runner private configuration'
+    ignore: 'gitlab-runner/config.toml'
+
+  - name: 'docker-key'
+    comment: 'Do not commit Docker private configuration'
+    ignore: 'docker/key.json'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__gitignore [[[
+#
+# List of :file:`.gitignore` paths which should be ignored on all hosts in the
+# Ansible inventory.
+etckeeper__gitignore: []
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__group_gitignore [[[
+#
+# List of :file:`.gitignore` paths which should be ignored on hosts in
+# a specific Ansible inventory group.
+etckeeper__group_gitignore: []
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__host_gitignore [[[
+#
+# List of :file:`.gitignore` paths which should be ignored on specific hosts in
+# the Ansible inventory.
+etckeeper__host_gitignore: []
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__combined_gitignore [[[
+#
+# List which combines all of the :file:`.gitignore` entries together and is
+# used in the role tasks and templates.
+etckeeper__combined_gitignore: '{{ etckeeper__default_gitignore
+                                   + etckeeper__gitignore
+                                   + etckeeper__group_gitignore
+                                   + etckeeper__host_gitignore }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Version control options [[[
+# ---------------------------
+
+# .. envvar:: etckeeper__vcs [[[
+#
+# Which VCS to use to version :file:`/etc` directory. Supported commands:
+#
+# - :command:`git` (default)
+# - :command:`hg`
+# - :command:`bzr`
+# - :command:`darcs`
+#
+# Note that any other VCS than :command:`git` has not really been tested. You might
+# have to fix some bugs in this role when you want to use them.
+etckeeper__vcs: '{{ ansible_local.etckeeper.vcs | d("git") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__vcs_user [[[
+#
+# The committer name for :program:`etckeeper` to use in commits if no
+# interactive user was detected.
+etckeeper__vcs_user: 'The /etc Keeper'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__vcs_email [[[
+#
+# Email address for :program:`etckeeper` to use in commits if no interactive
+# user was detected.
+etckeeper__vcs_email: 'root@{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__git_commit_options [[[
+#
+# Options passed to :command:`git commit` when run by :program:`etckeeper`.
+etckeeper__git_commit_options: '{{ ansible_local.etckeeper.git_commit_options | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__hg_commit_options [[[
+#
+# Options passed to :command:`hg commit` when run by :program:`etckeeper`.
+etckeeper__hg_commit_options: '{{ ansible_local.etckeeper.hg_commit_options | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__bzr_commit_options [[[
+#
+# Options passed to :command:`bzr commit` when run by :program:`etckeeper`.
+etckeeper__bzr_commit_options: '{{ ansible_local.etckeeper.bzr_commit_options | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__darcs_commit_options [[[
+#
+# Options passed to :command:`darcs record` when run by :program:`etckeeper`.
+etckeeper__darcs_commit_options: '{{ ansible_local.etckeeper.darcs_commit_options | d("-a") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__avoid_daily_autocommits [[[
+#
+# Set this option to ``True`` to avoid :program:`etckeeper` committing existing
+# changes to :file:`/etc` automatically once per day.
+etckeeper__avoid_daily_autocommits: '{{ True
+                                        if (ansible_local | d() and ansible_local.etckeeper | d() and
+                                            (ansible_local.etckeeper.avoid_daily_autocommits | d() == "1"))
+                                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__avoid_special_file_warning [[[
+#
+# Set this option to ``True`` to avoid special file warning (the option is
+# enabled automatically by cronjob regardless).
+etckeeper__avoid_special_file_warning: '{{ True
+                                           if (ansible_local | d() and ansible_local.etckeeper | d() and
+                                               (ansible_local.etckeeper.avoid_special_file_warning | d() == "1"))
+                                           else False }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__avoid_commit_before_install [[[
+#
+# Set this option to ``True`` to avoid :program:`etckeeper` committing existing
+# changes to /etc before installation. It will cancel the installation, so
+# you can commit the changes by hand.
+etckeeper__avoid_commit_before_install: '{{ True
+                                            if (ansible_local | d() and ansible_local.etckeeper | d() and
+                                                (ansible_local.etckeeper.avoid_commit_before_install | d() == "1"))
+                                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__push_remote [[[
+#
+# To push each commit to a remote, put the name of the remote here (eg,
+# "origin" for ``git``). Space-separated lists of multiple remotes also work
+# (eg, "origin gitlab github" for git).
+etckeeper__push_remote: '{{ ansible_local.etckeeper.push_remote | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__email_on_commit_state [[[
+#
+# Set this option to ``present`` to allow :program:`etckeeper` to send email on
+# every commit using a hook script. Setting it to ``absent`` will remove the
+# email hook script.
+etckeeper__email_on_commit_state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__email_on_commit_email [[[
+#
+# Email address for :program:`etckeeper` to use in email send after commit.
+etckeeper__email_on_commit_email: '{{ etckeeper__vcs_email }}'
+
+                                                                   # ]]]
+# .. envvar:: etckeeper__gitattributes [[[
+#
+# String to be appended to the :file:`/etc/.gitattributes` file.
+etckeeper__gitattributes: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: etckeeper__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+etckeeper__apt_preferences__dependent_list:
+
+  - packages: [ 'etckeeper' ]
+    backports: [ 'buster' ]
+    reason: 'Support for Python 3'
+    by_role: 'debops.etckeeper'
diff --git a/ansible_collections/debops/debops/roles/etckeeper/meta/main.yml b/ansible_collections/debops/debops/roles/etckeeper/meta/main.yml
new file mode 100644
index 00000000..38dd5e09
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider, Maciej Delmanowski'
+  description: 'Put /etc under version control using etckeeper'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: Debian
+      versions:
+        - all
+
+    - name: Ubuntu
+      versions:
+        - all
+
+  galaxy_tags:
+    - versioning
+    - etckeeper
+    - etc
+    - system
diff --git a/ansible_collections/debops/debops/roles/etckeeper/tasks/main.yml b/ansible_collections/debops/debops/roles/etckeeper/tasks/main.yml
new file mode 100644
index 00000000..cc46254f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/tasks/main.yml
@@ -0,0 +1,173 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save etckeeper local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/etckeeper.fact.j2'
+    dest: '/etc/ansible/facts.d/etckeeper.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+## Diverting the main configuration of etckeeper away leaves the VCS
+## uninitiated until it has been fully configured.
+- name: Divert original configuration under /etc
+  debops.debops.dpkg_divert:
+    path: '/etc/etckeeper/etckeeper.conf'
+  when: etckeeper__enabled | bool and ansible_pkg_mgr == 'apt'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (etckeeper__base_packages
+                              + etckeeper__packages)) }}'
+    state: 'present'
+  register: etckeeper__register_packages
+  until: etckeeper__register_packages is succeeded
+  when: etckeeper__enabled | bool
+
+- name: Create etckeeper configuration
+  ansible.builtin.template:
+    src: 'etc/etckeeper/etckeeper.conf.j2'
+    dest: '/etc/etckeeper/etckeeper.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: etckeeper__register_config
+  notify: [ 'Commit changes in etckeeper' ]
+  when: etckeeper__enabled | bool
+
+- name: Initialize VCS in /etc
+  ansible.builtin.command: etckeeper init
+  args:
+    creates: '/etc/.etckeeper'
+  register: etckeeper__register_init
+  notify: [ 'Commit changes in etckeeper' ]
+  when: etckeeper__enabled | bool
+
+- name: Manage entries in /etc/.gitignore
+  ansible.builtin.blockinfile:
+    path: '/etc/.gitignore'
+    block: |
+      {% for item in etckeeper__combined_gitignore | debops.debops.parse_kv_items %}
+      {% if (item.name | d() and item.state | d('present') != 'absent') %}
+      {% if item.comment | d() %}
+
+      {{ item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}{% endif %}
+      {{ (item.ignore | d(item.name)) | regex_replace('\n$', '') }}
+      {% if item.comment | d() %}
+
+      {% endif %}
+      {% endif %}
+      {% endfor %}
+    insertbefore: 'BOF'
+    marker: '{{ etckeeper__block_marker }}'
+    create: True
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  register: etckeeper__register_gitignore
+  notify: [ 'Commit changes in etckeeper' ]
+  when: etckeeper__enabled | bool and etckeeper__vcs == 'git'
+
+- name: Install /etc/.gitattributes configuration
+  ansible.builtin.template:
+    src: 'etc/gitattributes.j2'
+    dest: '/etc/.gitattributes'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: etckeeper__register_gitattributes
+  when: etckeeper__enabled | bool and etckeeper__vcs == 'git'
+
+- name: Set repository permissions
+  ansible.builtin.file:
+    path: '/etc/.git'
+    state: 'directory'
+    owner: 'root'
+    group: '{{ etckeeper__repository_group | d("root") }}'
+    mode: '{{ etckeeper__repository_permissions | d("0700") }}'
+  when: etckeeper__enabled | bool and etckeeper__vcs == 'git'
+
+- name: Set user, email for the git repository
+  community.general.ini_file:
+    dest: '/etc/.git/config'
+    section: 'user'
+    option: '{{ item.key }}'
+    value: '{{ item.value }}'
+    mode: '0644'
+  with_dict:
+    name: '{{ etckeeper__vcs_user }}'
+    email: '{{ etckeeper__vcs_email }}'
+  when: etckeeper__enabled | bool and etckeeper__vcs == 'git' and
+        etckeeper__vcs_user | d() and etckeeper__vcs_email | d()
+
+- name: Remove e-mail notification hook script
+  ansible.builtin.file:
+    path: '/etc/etckeeper/commit.d/99email'
+    state: 'absent'
+  when: etckeeper__enabled | bool and
+        etckeeper__email_on_commit_state == 'absent'
+
+- name: Install e-mail notification hook script
+  ansible.builtin.template:
+    src: 'etc/etckeeper/commit.d/99email.j2'
+    dest: '/etc/etckeeper/commit.d/99email'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Commit changes in etckeeper' ]
+  when: etckeeper__enabled | bool and
+        etckeeper__email_on_commit_state == 'present'
+
+- name: Configure other VCS software
+  ansible.builtin.include_tasks: 'other_vcs.yml'
+  when: etckeeper__enabled | bool and etckeeper__vcs != 'git' and
+        etckeeper__vcs_user | d() and etckeeper__vcs_email | d()
+
+- name: Unstage and remove ignored files from Git index
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         etckeeper vcs ls-files -i -c --exclude-standard -z | xargs -0 --no-run-if-empty etckeeper vcs rm --cached --
+  args:
+    executable: 'bash'
+  register: etckeeper__register_git_rm_cached_ignored_files
+  when:
+    - etckeeper__enabled | bool
+    - etckeeper__vcs == "git"
+    - etckeeper__register_gitignore is changed  # noqa no-handler
+  changed_when: etckeeper__register_git_rm_cached_ignored_files.stdout
+
+- name: Commit changes in configuration
+  ansible.builtin.command: etckeeper commit '{{ etckeeper__commit_message_update
+                                if etckeeper__installed | bool
+                                else etckeeper__commit_message_init }}'  # noqa no-handler
+  register: etckeeper__register_commit
+  changed_when: etckeeper__register_commit.changed | bool
+  when: (etckeeper__enabled | bool and
+         (etckeeper__register_init is changed or
+          etckeeper__register_config is changed or
+          etckeeper__register_gitignore is changed or
+          etckeeper__register_gitattributes is changed))
diff --git a/ansible_collections/debops/debops/roles/etckeeper/tasks/other_vcs.yml b/ansible_collections/debops/debops/roles/etckeeper/tasks/other_vcs.yml
new file mode 100644
index 00000000..7469bdb2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/tasks/other_vcs.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Set user, email for the bzr repository
+  ansible.builtin.command: etckeeper vcs whoami '{{ etckeeper__vcs_user }} <{{ etckeeper__vcs_email }}>'
+  register: etckeeper__register_bzr_owner
+  changed_when: etckeeper__register_bzr_owner.changed | bool
+  when: (etckeeper__vcs == 'bzr' and etckeeper__vcs_user | d() and etckeeper__vcs_email | d())
+
+- name: Set user, email for the darcs repository
+  ansible.builtin.command: etckeeper vcs setpref author '{{ etckeeper__vcs_user }} <{{ etckeeper__vcs_email }}>'
+  register: etckeeper__register_darcs_owner
+  changed_when: etckeeper__register_darcs_owner.changed | bool
+  when: (etckeeper__vcs == 'darcs' and etckeeper__vcs_user | d() and etckeeper__vcs_email | d())
+
+- name: Set user, email for the hg repository  # noqa no-shorthand
+  ansible.builtin.command: "etckeeper vcs --config 'ui.username={{ etckeeper__vcs_user }} <{{ etckeeper__vcs_email }}>'"
+  register: etckeeper__register_hg_owner
+  changed_when: etckeeper__register_hg_owner.changed | bool
+  when: (etckeeper__vcs == 'hg' and etckeeper__vcs_user | d() and etckeeper__vcs_email | d())
diff --git a/ansible_collections/debops/debops/roles/etckeeper/templates/etc/ansible/facts.d/etckeeper.fact.j2 b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/ansible/facts.d/etckeeper.fact.j2
new file mode 100644
index 00000000..210d8a1d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/ansible/facts.d/etckeeper.fact.j2
@@ -0,0 +1,64 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+try:
+    from subprocess import DEVNULL
+except ImportError:
+    DEVNULL = open(os.devnull, 'wb')
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+config_file = '/etc/etckeeper/etckeeper.conf'
+
+output = loads('''{{ {"installed": False,
+                      "commit": False,
+                      "configured": True,
+                      "enabled": etckeeper__enabled | bool
+                     } | to_nice_json }}''')
+
+commit_msg = loads('''{{ etckeeper__commit_message_fact | to_json }}''')
+
+output['installed'] = cmd_exists('etckeeper')
+
+if output['enabled'] is True and output['installed'] is True:
+    etckeeper_unclean_rc = subprocess.call(
+        ['etckeeper', 'unclean'],
+        stdout=DEVNULL, stderr=DEVNULL)
+
+    if etckeeper_unclean_rc == 0:  # The /etc is unclean
+        subprocess.call(
+            ['etckeeper', 'commit', commit_msg],
+            stdout=DEVNULL, stderr=DEVNULL)
+        output['commit'] = True
+
+    if os.path.exists(config_file) and os.path.isfile(config_file):
+        try:
+            with open(config_file, 'r') as f:
+                for line in f:
+                    if not line.startswith('#') and '=' in line:
+                        line = line.strip().split('=')
+                        output.update({line[0].lower():
+                                       line[1].strip('"')})
+        except Exception:
+            pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/commit.d/99email.j2 b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/commit.d/99email.j2
new file mode 100644
index 00000000..7ebb7e7e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/commit.d/99email.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+# Copyright (C) 2021 Émile <emile@bleuchtang.fr>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# {{ ansible_managed }}
+
+EMAIL_ON_COMMIT="{{ etckeeper__email_on_commit_email }}"
+
+if [ "$VCS" = git ] && [ -d .git ]; then
+        git log -p -1 | mail -s "[$(hostname -f)] etckeeper changes" "$EMAIL_ON_COMMIT"
+else
+        echo "EMAIL_ON_COMMIT not yet supported for $VCS" >&2
+fi
diff --git a/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/etckeeper.conf.j2 b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/etckeeper.conf.j2
new file mode 100644
index 00000000..88a0a898
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/etckeeper/etckeeper.conf.j2
@@ -0,0 +1,47 @@
+{# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+ # Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## {{ ansible_managed }}
+
+# The VCS to use.
+VCS="{{ etckeeper__vcs }}"
+
+# Options passed to git commit when run by etckeeper.
+GIT_COMMIT_OPTIONS="{{ etckeeper__git_commit_options }}"
+
+# Options passed to hg commit when run by etckeeper.
+HG_COMMIT_OPTIONS="{{ etckeeper__hg_commit_options }}"
+
+# Options passed to bzr commit when run by etckeeper.
+BZR_COMMIT_OPTIONS="{{ etckeeper__bzr_commit_options }}"
+
+# Options passed to darcs record when run by etckeeper.
+DARCS_COMMIT_OPTIONS="{{ etckeeper__darcs_commit_options }}"
+
+# Uncomment to avoid etckeeper committing existing changes
+# to /etc automatically once per day.
+AVOID_DAILY_AUTOCOMMITS={{ '1' if (etckeeper__avoid_daily_autocommits | d() | bool) else '0' }}
+
+# Uncomment the following to avoid special file warning
+# (the option is enabled automatically by cronjob regardless).
+AVOID_SPECIAL_FILE_WARNING={{ '1' if (etckeeper__avoid_special_file_warning | d() | bool) else '0' }}
+
+# Uncomment to avoid etckeeper committing existing changes to
+# /etc before installation. It will cancel the installation,
+# so you can commit the changes by hand.
+AVOID_COMMIT_BEFORE_INSTALL={{ '1' if (etckeeper__avoid_commit_before_install | d() | bool) else '0' }}
+
+# The high-level package manager that's being used.
+# (apt, pacman-g2, yum, dnf, zypper etc)
+HIGHLEVEL_PACKAGE_MANAGER={{ etckeeper__highlevel_package_manager }}
+
+# The low-level package manager that's being used.
+# (dpkg, rpm, pacman, pacman-g2, etc)
+LOWLEVEL_PACKAGE_MANAGER={{ etckeeper__lowlevel_package_manager }}
+
+# To push each commit to a remote, put the name of the remote here.
+# (eg, "origin" for git). Space-separated lists of multiple remotes
+# also work (eg, "origin gitlab github" for git).
+PUSH_REMOTE="{{ etckeeper__push_remote }}"
diff --git a/ansible_collections/debops/debops/roles/etckeeper/templates/etc/gitattributes.j2 b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/gitattributes.j2
new file mode 100644
index 00000000..3a374451
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etckeeper/templates/etc/gitattributes.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+ # Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Usually there is no need to diff backup files.
+*- -diff
+{% if etckeeper__gitattributes != '' %}
+
+{{ etckeeper__gitattributes }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/etesync/COPYRIGHT b/ansible_collections/debops/debops/roles/etesync/COPYRIGHT
new file mode 100644
index 00000000..92d6c4c8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.etesync - Deploy and manage the EteSync server
+
+Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/etesync/defaults/main.yml b/ansible_collections/debops/debops/roles/etesync/defaults/main.yml
new file mode 100644
index 00000000..78629961
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/defaults/main.yml
@@ -0,0 +1,476 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _etesync__ref_defaults:
+
+# debops.etesync default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Domain name configuration [[[
+# -----------------------------
+
+# .. envvar:: etesync__domain [[[
+#
+# The DNS domain used by other variables in the ``debops.etesync`` role.
+etesync__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__fqdn [[[
+#
+# String of the Fully Qualified domain names on which the EteSync application
+# will be available, used by the webserver.
+etesync__fqdn: 'etesync.{{ etesync__domain }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: etesync__base_packages [[[
+#
+# List of APT packages which are required by the EteSync server.
+etesync__base_packages:
+  - 'git'
+                                                                   # ]]]
+                                                                   #
+# .. envvar:: etesync__packages [[[
+#
+# List of additional APT packages to install with EteSync.
+etesync__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Application user, group, home [[[
+# ---------------------------------
+
+# .. envvar:: etesync__user [[[
+#
+# Name of the UNIX system account used to manage EteSync.
+etesync__user: 'etesync'
+
+                                                                   # ]]]
+# .. envvar:: etesync__group [[[
+#
+# Name of the UNIX primary group used to manage EteSync.
+etesync__group: 'etesync'
+
+                                                                   # ]]]
+# .. envvar:: etesync__gecos [[[
+#
+# Contents of the GECOS field set for the EteSync account.
+etesync__gecos: 'EteSync'
+
+                                                                   # ]]]
+# .. envvar:: etesync__shell [[[
+#
+# The default shell set on the EteSync account.
+etesync__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory paths [[[
+# -------------------
+
+# .. envvar:: etesync__home [[[
+#
+# The EteSync account home directory.
+etesync__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                   + "/" + etesync__user }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__etc [[[
+#
+# Directory where the role stores EteSync configuration.
+etesync__etc: '/etc/etesync-server'
+
+                                                                   # ]]]
+# .. envvar:: etesync__src [[[
+#
+# Directory where the role stores EteSync version control sources.
+etesync__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                  + "/" + etesync__user }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__lib [[[
+#
+# Directory where the EteSync server directory is located.
+etesync__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                  + "/" + etesync__user }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__data [[[
+#
+# Directory where EteSync data is stored.
+etesync__data: '{{ (ansible_local.fhs.data | d("/srv"))
+                   + "/" + etesync__user }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application sources and deployment [[[
+# --------------------------------------
+
+# .. envvar:: etesync__git_gpg_key_id [[[
+#
+# The GPG ID of the key used for signing EteSync releases.
+etesync__git_gpg_key_id: '9E21 F091 FC39 5F36 6A47  43E2 D2E5 84C3 7C47 7933'
+
+                                                                   # ]]]
+# .. envvar:: etesync__git_repo [[[
+#
+# The URI of the EteSync :command:`git` source repository.
+etesync__git_repo: 'https://github.com/etesync/server.git'
+
+                                                                   # ]]]
+# .. envvar:: etesync__git_version [[[
+#
+# The :command:`git` branch or tag which will be installed.
+# git commit hash lock to release 0.2.2.
+# Note that this hash locking is not very effective because the main
+# implementation of EteSync is in additional Python packages.
+etesync__git_version: 'b026643cceae07b039942bf0c990ccf917eb072a'
+
+
+                                                                   # ]]]
+# .. envvar:: etesync__git_dest [[[
+#
+# Path where the :command:`git` source bare repository will be stored.
+etesync__git_dest: '{{ etesync__src + "/" + etesync__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__git_checkout [[[
+#
+# Path where EteSync sources will be checked out (installation path).
+etesync__git_checkout: '{{ etesync__lib + "/app" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Python virtualenv configuration [[[
+# -----------------------------------
+
+# .. envvar:: etesync__virtualenv [[[
+#
+# Path where the EteSync ``virtualenv`` directory will be stored.
+etesync__virtualenv: '{{ etesync__lib + "/virtualenv" }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# EteSync configuration options [[[
+# --------------------------------
+
+# .. envvar:: etesync__config_allowed_hosts [[[
+#
+# List of domain names under which the EteSync server will accept
+# connections. Specify ``*`` to accept connections to any domain name.
+etesync__config_allowed_hosts:
+  - '{{ ansible_hostname }}'
+  - '{{ ansible_fqdn }}'
+  - '{{ etesync__fqdn }}'
+  - 'localhost'
+  - '[::1]'
+  - '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: etesync__config_secret_key [[[
+#
+# The Django secret key used by the EteSync server. It will be shared by
+# all hosts on the same domain.
+etesync__config_secret_key: '{{ lookup("password", secret + "/etesync/" +
+                                etesync__domain + "/config/secret_key length=64") }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__config_secret_key_filepath [[[
+#
+# File path where the Django secret key will be stored on the remote host.
+etesync__config_secret_key_filepath: '{{ etesync__etc + "/secret.txt" }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Initial superuser account [[[
+# -----------------------------
+
+# .. envvar:: etesync__superuser_name [[[
+#
+# Name of the initial admin account created by the role.
+etesync__superuser_name: '{{ ansible_local.core.admin_users[0]
+                             if (ansible_local.core.admin_users | d())
+                             else "admin" }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__superuser_email [[[
+#
+# E-mail address of the initial admin account created by the role.
+etesync__superuser_email: '{{ ansible_local.core.admin_private_email[0]
+                              if (ansible_local.core.admin_private_email | d())
+                              else ("root@" + etesync__domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__superuser_password [[[
+#
+# Password set for the initial admin account created by the role.
+etesync__superuser_password: '{{ lookup("password", secret + "/etesync/" +
+                                 inventory_hostname + "/superuser/" +
+                                 etesync__superuser_name + "/password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Internal application settings [[[
+# ---------------------------------
+
+# .. envvar:: etesync__app_name [[[
+#
+# Name of the EteSync server processes (workers) set by the master process.
+etesync__app_name: '{{ etesync__user }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__app_runtime_dir [[[
+#
+# Name of the subdirectory in the :file:`/run/` directory where the EteSync
+# application will bind its UNIX socket. The default is selected so that
+# configuration of the ``gunicorn`` service is idempotent.
+etesync__app_runtime_dir: '{{ "gunicorn"
+                              if (ansible_distribution_release in
+                                  ["trusty", "xenial"])
+                              else "gunicorn-etesync" }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__app_bind [[[
+#
+# Specify either an UNIX or TCP socket on which the EteSync server should
+# bind and listen for connections.
+etesync__app_bind: 'unix:/run/{{ etesync__app_runtime_dir }}/etesync.sock'
+
+                                                                   # ]]]
+# .. envvar:: etesync__app_workers [[[
+#
+# Number of worker threads to start for EteSync server.
+etesync__app_workers: '{{ ansible_processor_vcpus | int + 1 }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__app_timeout [[[
+#
+# Number of seconds after which non-responsive worker threads will be killed
+# and restarted. EteSync installations with lots of objects might require longer
+# timeouts for API access.
+etesync__app_timeout: '900'
+
+                                                                   # ]]]
+# .. envvar:: etesync__app_params [[[
+#
+# List of parameters passed to the ``gunicorn`` process manager.
+etesync__app_params:
+  - '--name={{ etesync__app_name }}'
+  - '--bind={{ etesync__app_bind }}'
+  - '--workers={{ etesync__app_workers }}'
+  - '--timeout={{ etesync__app_timeout }}'
+  - 'etesync_server.wsgi'
+                                                                   # ]]]
+                                                                   # ]]]
+# Other variables [[[
+# -------------------
+
+# .. envvar:: etesync__max_file_size [[[
+#
+# Maximum upload size, in MB.
+etesync__max_file_size: '5'
+
+                                                                   # ]]]
+# .. envvar:: etesync__python_version [[[
+#
+# Python version, needed to refer to static files as installed by Python modules.
+etesync__python_version: '{{ ansible_local.python.version3 | d("3.x") }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__http_psk_subpath_enabled [[[
+#
+# Whether EteSync should be deployed on a random subpath that acts as a
+# protection of the web app/API from people not knowing this PSK.
+# For a discussion in which scenarios this can make sense, refer to
+# `RFC: Support subpath/subdir hosting for additional security`__.
+#
+# .. __: https://github.com/debops/debops/issues/1233
+etesync__http_psk_subpath_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: etesync__http_psk_subpath [[[
+#
+# PSK used as subpath that acts as the first layer of defense in a security in
+# depth concept if enabled.
+etesync__http_psk_subpath: '{{ lookup("password", secret + "/etesync/" +
+                                 inventory_hostname + "/config/subpath chars=ascii_letters,digits length=23")
+                               if etesync__http_psk_subpath_enabled | bool
+                               else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__url [[[
+#
+# The URL where the EteSync server will be reachable. Exposed as variable here
+# as you might want to use it in your custom user password lookup for
+# integrating into your password manager.
+etesync__url: '{{ "https://" + etesync__fqdn + "/" + etesync__http_psk_subpath }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__admin_auth_basic_realm [[[
+#
+# A string which will be displayed as the realm in the browser user/password
+# dialog box during HTTP Basic Authentication for the admin interface.
+etesync__admin_auth_basic_realm: 'Access to EteSync admin interface is restricted'
+
+                                                                   # ]]]
+# .. envvar:: etesync__admin_auth_basic_filename [[[
+#
+# Absolute path to the file that contains usernames and passwords for HTTP
+# Basic Authentication for the admin interface.
+etesync__admin_auth_basic_filename: ''
+
+                                                                   # ]]]
+# .. envvar:: etesync__mail_to [[[
+#
+# List of recipients to which a mail will be send with the full URL of the
+# EteSync server in case :envvar:`etesync__http_psk_subpath` is set.
+etesync__mail_to: [ 'root@{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: etesync__mail_subject [[[
+#
+# Subject of the Email to be send with the full service URL.
+etesync__mail_subject: 'PSK subpath URL to EteSync on {{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__mail_body [[[
+#
+# Body of the Email to be send with the full service URL.
+etesync__mail_body: |
+  EteSync has been deployed for the first time on {{ ansible_fqdn }}.
+  You have chosen to deploy the service on a random subpath thus the URL is
+  needed to access the service.
+
+  URL: {{ etesync__url }}
+
+  You can continue the user setup in the Django administration interface of EteSync over at:
+  {{ etesync__url }}/admin
+
+  Have a nice day :)
+
+# ]]]
+# ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: etesync__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+etesync__keyring__dependent_gpg_keys:
+
+  - user: '{{ etesync__user }}'
+    group: '{{ etesync__group }}'
+    home: '{{ etesync__home }}'
+    id: '{{ etesync__git_gpg_key_id }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+etesync__python__dependent_packages3:
+
+  - 'python3-setproctitle'
+
+  - 'python3-dev'
+
+  ## Django>=2.1.7,<2.1.999 is required which is currently only in Debian sid.
+  ## We install this with pip in a virtualenv for now.
+  # - 'python3-django'
+
+  - 'python3-tz'
+
+                                                                   # ]]]
+# .. envvar:: etesync__gunicorn__dependent_applications [[[
+#
+# Configuration for the :ref:`debops.gunicorn` Ansible role.
+etesync__gunicorn__dependent_applications:
+  - name: 'etesync'
+    mode: 'wsgi'
+    working_dir: '{{ etesync__git_checkout }}'
+    python: '{{ etesync__virtualenv + "/bin/python3" }}'
+    user: '{{ etesync__user }}'
+    group: '{{ etesync__group }}'
+    home: '{{ etesync__home }}'
+    system: True
+    timeout: '{{ etesync__app_timeout }}'
+    workers: '{{ etesync__app_workers }}'
+    args: '{{ etesync__app_params }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+etesync__nginx__dependent_upstreams:
+  - name: 'etesync'
+    server: '{{ etesync__app_bind }}'
+
+                                                                   # ]]]
+# .. envvar:: etesync__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+etesync__nginx__dependent_servers:
+  - name: '{{ etesync__fqdn }}'
+    by_role: 'debops.etesync'
+    filename: 'debops.etesync'
+    favicon: False
+    http_referrer_policy: 'same-origin'
+    options: |
+      client_max_body_size {{ etesync__max_file_size }}M;
+
+    location_list:
+
+      - pattern: '/'
+        options: |-
+          deny all;
+        enabled: '{{ etesync__http_psk_subpath_enabled | bool }}'
+
+      - pattern: '/static/admin/'
+        options: |-
+          alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/django/contrib/admin/static/admin/;
+
+      - pattern: '/static/rest_framework/'
+        options: |-
+          alias {{ etesync__virtualenv + "/lib/python" + (etesync__python_version.split('.')[:2] | join('.')) }}/site-packages/rest_framework/static/rest_framework/;
+
+      - pattern: '/{{ etesync__http_psk_subpath }}'
+        options: |-
+          proxy_pass http://etesync;
+          proxy_set_header X-Forwarded-Host $server_name;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          {% if etesync__http_psk_subpath %}
+          proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
+          {% endif %}
+          proxy_connect_timeout {{ etesync__app_timeout }};
+          proxy_send_timeout {{ etesync__app_timeout }};
+          proxy_read_timeout {{ etesync__app_timeout }};
+
+      - pattern: '{{ (("/" + etesync__http_psk_subpath)
+                      if (etesync__http_psk_subpath_enabled | bool)
+                      else "") + "/admin" }}'
+        options: |-
+          proxy_pass http://etesync;
+          proxy_set_header X-Forwarded-Host $server_name;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          {% if etesync__http_psk_subpath_enabled | bool %}
+          proxy_set_header SCRIPT_NAME /{{ etesync__http_psk_subpath }};
+          {% endif %}
+          proxy_connect_timeout {{ etesync__app_timeout }};
+          proxy_send_timeout {{ etesync__app_timeout }};
+          proxy_read_timeout {{ etesync__app_timeout }};
+
+          auth_basic "{{ etesync__admin_auth_basic_realm }}";
+          auth_basic_user_file {{ etesync__admin_auth_basic_filename }};
+        enabled: '{{ True if (etesync__admin_auth_basic_filename != "") else False }}'
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/etesync/handlers/main.yml b/ansible_collections/debops/debops/roles/etesync/handlers/main.yml
new file mode 100644
index 00000000..9a24bcb4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart gunicorn for etesync
+  ansible.builtin.service:
+    name: 'gunicorn@etesync'
+    state: 'restarted'
+  when: (ansible_local | d() and ansible_local.gunicorn | d() and
+         ansible_local.gunicorn.installed | bool)
diff --git a/ansible_collections/debops/debops/roles/etesync/meta/main.yml b/ansible_collections/debops/debops/roles/etesync/meta/main.yml
new file mode 100644
index 00000000..f7ff593b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  role_name: 'etcsync'
+  author: 'Robin Schneider'
+  description: 'Deploy and manage the EteSync server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - e2ee
+    - private
+    - privacy
+    - calendar
+    - contacts
diff --git a/ansible_collections/debops/debops/roles/etesync/meta/watch-etesync b/ansible_collections/debops/debops/roles/etesync/meta/watch-etesync
new file mode 100644
index 00000000..a8dd0daf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/meta/watch-etesync
@@ -0,0 +1,10 @@
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: etesync
+# Package: etesync
+# Version: 0.2.2
+
+version=4
+https://github.com/etesync/server/tags .*/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/etesync/tasks/main.yml b/ansible_collections/debops/debops/roles/etesync/tasks/main.yml
new file mode 100644
index 00000000..7d5e0ccc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/tasks/main.yml
@@ -0,0 +1,216 @@
+---
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# Install packages [[[1
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (etesync__base_packages
+                              + etesync__packages)) }}'
+    state: 'present'
+  register: etesync__register_packages
+  until: etesync__register_packages is succeeded
+
+# Create EteSync system user [[[1
+- name: Create EteSync system group
+  ansible.builtin.group:
+    name: '{{ etesync__group }}'
+    state: 'present'
+    system: True
+
+- name: Create EteSync system user
+  ansible.builtin.user:
+    name: '{{ etesync__user }}'
+    group: '{{ etesync__group }}'
+    home: '{{ etesync__home }}'
+    comment: '{{ etesync__gecos }}'
+    shell: '{{ etesync__shell }}'
+    state: 'present'
+    system: True
+
+- name: Create additional directories used by EteSync
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ etesync__user }}'
+    group: '{{ etesync__group }}'
+    mode: '0755'
+  with_items:
+    - '{{ etesync__etc }}'
+    - '{{ etesync__src }}'
+    - '{{ etesync__git_dest | dirname }}'
+    - '{{ etesync__lib }}'
+    - '{{ etesync__data }}'
+
+# Download EteSync server [[[1
+- name: Clone EteSync source code
+  ansible.builtin.git:
+    repo: '{{ etesync__git_repo }}'
+    dest: '{{ etesync__git_checkout }}'
+    separate_git_dir: '{{ etesync__git_dest }}'
+    version: '{{ etesync__git_version }}'
+    update: True
+    ## The module cannot hash lock and verify the tag referring to the locked
+    ## commit thus we need to verify the tag in the following task.
+    # verify_commit: True
+  become: True
+  become_user: '{{ etesync__user }}'
+  register: etesync__register_source
+
+- name: Verify git tag signature
+  ansible.builtin.shell: git verify-tag --raw "$(git describe)"  # noqa command-instead-of-module
+  args:
+    chdir: '{{ etesync__git_checkout }}'
+  become: True
+  become_user: '{{ etesync__user }}'
+  changed_when: False
+  ## Always run this to also cover the case where the playbook is interrupted
+  ## before we can verify.
+  # when: etesync__register_source is changed
+
+- name: Install EteSync requirements in virtualenv
+  ansible.builtin.pip:  # noqa no-handler
+    virtualenv: '{{ etesync__virtualenv }}'
+    virtualenv_python: 'python3'
+    virtualenv_site_packages: True
+    requirements: '{{ etesync__git_checkout + "/requirements.txt" }}'
+    extra_args: '--upgrade'
+  register: etesync__register_pip_install
+  until: etesync__register_pip_install is succeeded
+  become: True
+  become_user: '{{ etesync__user }}'
+  notify: [ 'Restart gunicorn for etesync' ]
+  when: etesync__register_source is changed
+
+- name: Clean up stale Python bytecode
+  ansible.builtin.command: find . -name '*.pyc' -delete
+  args:  # noqa no-handler
+    chdir: '{{ etesync__git_checkout }}'
+  become: True
+  become_user: '{{ etesync__user }}'
+  register: etesync__register_cleanup
+  changed_when: etesync__register_cleanup.changed | bool
+  when: etesync__register_source is changed
+
+# Configure EteSync server [[[1
+- name: Exclude secret files from etckeeper
+  ansible.builtin.copy:
+    content: |
+      secret.txt
+    dest: '{{ etesync__etc + "/.gitignore" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  tags: [ 'role::etesync:config' ]
+
+- name: Generate EteSync configuration
+  ansible.builtin.template:
+    src: 'etc/etesync-server/etesync-server.ini.j2'
+    dest: '{{ etesync__etc + "/etesync-server.ini" }}'
+    owner: 'root'
+    group: '{{ etesync__group }}'
+    mode: '0640'
+  register: etesync__register_config
+  notify: [ 'Restart gunicorn for etesync' ]
+  tags: [ 'role::etesync:config' ]
+
+- name: Generate extended EteSync configuration
+  ansible.builtin.template:
+    src: 'usr/local/lib/etesync/app/etesync_site_settings.py.j2'
+    dest: '{{ etesync__git_checkout + "/etesync_site_settings.py" }}'
+    owner: '{{ etesync__user }}'
+    group: '{{ etesync__group }}'
+    mode: '0640'
+  register: etesync__register_config
+  notify: [ 'Restart gunicorn for etesync' ]
+  tags: [ 'role::etesync:config' ]
+
+- name: Generate EteSync secret.txt file
+  ansible.builtin.template:
+    src: 'etc/etesync-server/secret.txt.j2'
+    dest: '{{ etesync__config_secret_key_filepath }}'
+    owner: 'root'
+    group: '{{ etesync__group }}'
+    mode: '0640'
+  notify: [ 'Restart gunicorn for etesync' ]
+  tags: [ 'role::etesync:config' ]
+
+## -o nounset can be enabled with virtualenv >= 16.2.
+## Ref: https://github.com/pypa/virtualenv/pull/922
+- name: Perform database installation or migration
+  ansible.builtin.shell: |
+    set -o pipefail -o errexit;
+    source {{ etesync__virtualenv }}/bin/activate
+    ./manage.py migrate
+  args:  # noqa no-handler
+    chdir: '{{ etesync__git_checkout }}'
+    executable: 'bash'
+  become: True
+  become_user: '{{ etesync__user }}'
+  changed_when: ("No migrations to apply." not in etesync__register_migration.stdout)
+  when: etesync__register_source is changed or etesync__register_config is changed
+  register: etesync__register_migration
+
+- name: Create superuser account
+  environment:
+    SUPERUSER_NAME: '{{ etesync__superuser_name }}'
+    SUPERUSER_EMAIL: '{{ etesync__superuser_email }}'
+    SUPERUSER_PASSWORD: '{{ etesync__superuser_password }}'
+  ansible.builtin.shell:
+    ## -o nounset can be enabled with virtualenv >= 16.2.
+    ## Ref: https://github.com/pypa/virtualenv/pull/922
+    set -o pipefail -o errexit;
+    source {{ etesync__virtualenv }}/bin/activate;
+    echo "from django.contrib.auth.models import User;
+          User.objects.create_superuser('${SUPERUSER_NAME}', '${SUPERUSER_EMAIL}', '${SUPERUSER_PASSWORD}')"
+    | ./manage.py shell
+  args:
+    chdir: '{{ etesync__git_checkout }}'
+    executable: 'bash'
+  become: True
+  become_user: '{{ etesync__user }}'
+  register: etesync__register_superuser
+  changed_when: etesync__register_superuser.changed | bool
+  when: ("etesync" not in ansible_local)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+# Send PSK subpath URL to admin if needed [[[1
+- name: Send mail with the full URL of the EteSync server
+  community.general.mail:
+    from: 'root@{{ ansible_fqdn }}'
+    subject: '{{ etesync__mail_subject }}'
+    to: '{{ etesync__mail_to | d([]) | list | join(",") }}'
+    charset: 'utf8'
+    body: '{{ etesync__mail_body }}'
+  when: (etesync__http_psk_subpath | d() and etesync__mail_to | d() and "etesync" not in ansible_local)
+
+# Save EteSync local facts [[[1
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save EteSync local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/etesync.fact.j2'
+    dest: '/etc/ansible/facts.d/etesync.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/etesync/templates/etc/ansible/facts.d/etesync.fact.j2 b/ansible_collections/debops/debops/roles/etesync/templates/etc/ansible/facts.d/etesync.fact.j2
new file mode 100644
index 00000000..0b2295c6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/templates/etc/ansible/facts.d/etesync.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/etesync-server.ini.j2 b/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/etesync-server.ini.j2
new file mode 100644
index 00000000..0a838ac7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/etesync-server.ini.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[global]
+secret_file = {{ etesync__config_secret_key_filepath }}
+debug = false
+
+[allowed_hosts]
+{% for host in ([ etesync__config_allowed_hosts ]
+				if etesync__config_allowed_hosts is string
+				else etesync__config_allowed_hosts) %}
+allowed_host{{ loop.index }} = {{ host }}
+{% endfor %}
+
+[database]
+engine = django.db.backends.sqlite3
+name = {{ etesync__data }}/db.sqlite3
diff --git a/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/secret.txt.j2 b/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/secret.txt.j2
new file mode 100644
index 00000000..6ad1603e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/templates/etc/etesync-server/secret.txt.j2
@@ -0,0 +1,5 @@
+{# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ etesync__config_secret_key }}
diff --git a/ansible_collections/debops/debops/roles/etesync/templates/usr/local/lib/etesync/app/etesync_site_settings.py.j2 b/ansible_collections/debops/debops/roles/etesync/templates/usr/local/lib/etesync/app/etesync_site_settings.py.j2
new file mode 100644
index 00000000..67f5d703
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etesync/templates/usr/local/lib/etesync/app/etesync_site_settings.py.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# -*- coding: utf-8 -*-
+
+CSRF_TRUSTED_ORIGINS = ['{{ etesync__fqdn }}']
diff --git a/ansible_collections/debops/debops/roles/etherpad/COPYRIGHT b/ansible_collections/debops/debops/roles/etherpad/COPYRIGHT
new file mode 100644
index 00000000..34c242ab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.etherpad - Manage Etherpad Lite using Ansible
+
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/etherpad/defaults/main.yml b/ansible_collections/debops/debops/roles/etherpad/defaults/main.yml
new file mode 100644
index 00000000..4bce6ab9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/defaults/main.yml
@@ -0,0 +1,594 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# .. Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _etherpad__ref_defaults:
+
+# debops.etherpad default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: etherpad__base_packages [[[
+#
+# List of base APT packages required for Etherpad.
+etherpad__base_packages: [ 'build-essential', 'pkg-config', 'libssl-dev',
+                           'libpq-dev', 'curl', 'git' ]
+
+                                                                   # ]]]
+# .. envvar:: etherpad__document_packages [[[
+#
+# List of APT packages to install for document import/export support.
+etherpad__document_packages: [ 'abiword' ]
+
+                                                                   # ]]]
+# .. envvar:: etherpad__packages [[[
+#
+# List of additional APT packages to install with Etherpad.
+etherpad__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Application user, group, directories [[[
+# ----------------------------------------
+
+# .. envvar:: etherpad_system_name [[[
+#
+# Base name for Etherpad instance
+etherpad_system_name: 'etherpad-lite'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_user [[[
+#
+# Name of the system user account for Etherpad.
+etherpad_user: '{{ etherpad_system_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_group [[[
+#
+# Name of the system group account for Etherpad.
+etherpad_group: '{{ etherpad_system_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_home [[[
+#
+# Home directory of Etherpad.
+etherpad_home: '{{ (ansible_local.fhs.app | d("/var/local"))
+                   + "/" + etherpad_user }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__shell [[[
+#
+# The default shell used by the Etherpad account.
+etherpad__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_src_dir [[[
+#
+# Etherpad sources root directory.
+etherpad_src_dir: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                      + "/" + etherpad_system_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_log_dir [[[
+#
+# Path where Etherpad logs are stored.
+etherpad_log_dir: '{{ (ansible_local.fhs.log | d("/var/log"))
+                      + "/" + etherpad_system_name }}'
+                                                                   # ]]]
+# .. envvar:: etherpad_log_to_file [[[
+#
+# By default Etherpad log into syslog, set to true if you want to log into a
+# file instead of syslog.
+etherpad_log_to_file: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Basic configuration [[[
+# -----------------------
+
+# .. envvar:: etherpad_version [[[
+#
+# Etherpad git version to install.
+etherpad_version: '{{ "1.7.0"
+                      if (ansible_local.nodejs.npm_version | d() is version("6.4.0", "<"))
+                      else "1.7.5" }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_source_address [[[
+#
+# git repository address.
+etherpad_source_address: 'https://github.com/ether'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_repository [[[
+#
+# git repository name.
+etherpad_repository: 'etherpad-lite'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_dependencies [[[
+#
+# Should the ``debops.etherpad`` role manage it's own dependencies (database, web server)?
+etherpad_dependencies: True
+
+                                                                   # ]]]
+# .. envvar:: etherpad_domain [[[
+#
+# What domain will be configured for Etherpad.
+etherpad_domain: [ 'pad.{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: etherpad_title [[[
+#
+# Title of the Etherpad instance.
+etherpad_title: 'Etherpad'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_mail_admin [[[
+#
+# E-mail address of the instance administrator, will be shown on each new pad
+# (see ``etherpad_welcome_text`` below).
+etherpad_mail_admin: 'root@{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_welcome_text [[[
+#
+# Text displayed on all new pads by default.
+etherpad_welcome_text: |
+  Welcome to {{ etherpad_title }}!
+
+  This pad is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents.
+
+  Contact with administrator: mailto:{{ etherpad_mail_admin }}
+# ]]]
+# ]]]
+# Database and network [[[
+# ------------------------
+
+# .. envvar:: etherpad_database_server [[[
+#
+# FQDN of the database host. It will be configured by
+# the :ref:`debops.mariadb` or :ref:`debops.postgresql` role.
+etherpad_database_server: '{{ ansible_local.mariadb.server | d(ansible_local.postgresql.server | d("")) }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_database_user [[[
+#
+# Database user to use for Etherpad.
+etherpad_database_user: '{{ etherpad_system_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_database_name [[[
+#
+# Name of the database to use for Etherpad.
+etherpad_database_name: '{{ etherpad_system_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_database_password [[[
+#
+# Database password for the Etherpad database user.
+etherpad_database_password: "{{ lookup('password', secret + '/'
+                                + ('mariadb'
+                                   if etherpad__database == 'mysql'
+                                   else ('postgresql'
+                                         if etherpad__database == 'postgres'
+                                         else etherpad__database)) + '/'
+                                + (ansible_local.mariadb.delegate_to + '/'
+                                   if ansible_local.mariadb.delegate_to | d()
+                                   else (ansible_local.postgresql.delegate_to + '/'
+                                         if ansible_local.postgresql.delegate_to | d()
+                                         else ''))
+                                + (ansible_local.mariadb.port + '/'
+                                   if ansible_local.mariadb.port | d()
+                                   else (ansible_local.postgresql.port + '/'
+                                         if ansible_local.postgresql.port | d()
+                                         else ''))
+                                + '/credentials/' + etherpad_database_user + '/password length=48') }}"
+
+                                                                   # ]]]
+# .. envvar:: etherpad__database [[[
+#
+# Database to use for data storage (choices: sqlite, mysql, postgresql,
+# dirty). Choose mysql even when you use different mysql flavors. More
+# databases will be available in the future.
+etherpad__database: '{{ "mysql"
+                        if (ansible_local | d() and ansible_local.mariadb is defined)
+                        else ("postgres"
+                              if (ansible_local | d() and ansible_local.postgresql is defined)
+                              else "sqlite") }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_database_connection [[[
+#
+# Connection type used for the database.
+etherpad_database_connection: 'socket'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_database_config [[[
+#
+# Etherpad database configuration map.
+etherpad_database_config:
+  dirty:
+    filename: 'var/dirty.db'
+  sqlite:
+    filename: 'var/sqlite.db'
+  mysql:
+    hostname: '{{ etherpad_database_server }}'
+    username: '{{ etherpad_database_user }}'
+    database: '{{ etherpad_database_name }}'
+    password: '{{ etherpad_database_password }}'
+    socket:   '/var/run/mysqld/mysqld.sock'
+    port:     '3306'
+  postgres:
+    hostname: '{{ etherpad_database_server }}'
+    username: '{{ etherpad_database_user }}'
+    database: '{{ etherpad_database_name }}'
+    password: '{{ etherpad_database_password }}'
+    socket:   '/var/run/postgresql'
+    port:     '5432'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_bind [[[
+#
+# IP address where etherpad-lite daemon will listen for connections.
+etherpad_bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_port [[[
+#
+# Port where etherpad-lite daemon will listen for connections.
+etherpad_port: '9001'
+                                                                   # ]]]
+                                                                   # ]]]
+# Authentication [[[
+# ------------------
+
+# .. envvar:: etherpad_admins [[[
+#
+# List of Etherpad administrative accounts. Passwords are generated
+# automatically and are saved in the secret/ directory. Refer to the
+# :ref:`debops.secret` role for more details.
+etherpad_admins: [ 'admin' ]
+
+                                                                   # ]]]
+# .. envvar:: etherpad_users [[[
+#
+# List of Etherpad user accounts. Passwords are generated automatically and
+# are saved in the secret/ directory. Refer to the :ref:`debops.secret` role for
+# more details.
+etherpad_users: []
+
+                                                                   # ]]]
+# .. envvar:: etherpad_password_hashing_algo [[[
+#
+# Hashing algorithm to use for handling passwords.
+# See https://github.com/LaKing/ep_hash_auth for details.
+# Currently only 'sha512' is supported by the role.
+etherpad_password_hashing_algo: 'sha512'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_password_hashing_rounds [[[
+#
+# TODO: Not implemented yet.
+# How much rounds the hashing algorithm should do before using using the
+# password hash.  This option depends on the hashing algorithm selected by
+# :envvar:`etherpad_password_hashing_algo`. Some hashing algorithms
+# implementations may not support rounds. The SHA family currently does not and
+# defaults to one round which is considered insecure. bcrypt however does
+# support it.
+etherpad_password_hashing_rounds: '10'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_require_authentication [[[
+#
+# Require authentication from all users.
+etherpad_require_authentication: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_require_authorization [[[
+#
+# Require authorization by a module or user with ``is_admin = True``.
+etherpad_require_authorization: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_require_session [[[
+#
+# Require session to access pads.
+etherpad_require_session: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_edit_only [[[
+#
+# Users may edit pads but not create new ones. Pad creation is only via the
+# API. This applies both to group pads and regular pads.
+etherpad_edit_only: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_trust_proxy [[[
+#
+# Trust the reverse proxy (nginx)?
+etherpad_trust_proxy: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Etherpad customization [[[
+# --------------------------
+
+# .. envvar:: etherpad_abiword [[[
+#
+# Enable Abiword support (for document import)?
+etherpad_abiword: True
+
+                                                                   # ]]]
+# .. envvar:: etherpad__default_plugins [[[
+#
+# Default Etherpad plugin list (alphabetically sorted).
+etherpad__default_plugins:
+  - name: 'pg'
+    state: '{{ "present"
+               if (etherpad__database == "postgres")
+               else "absent" }}'
+  - name: 'sqlite3'
+    state: '{{ "present"
+               if (etherpad__database == "sqlite")
+               else "absent" }}'
+
+  - 'gyp'
+  - 'bcrypt'
+  - 'ep_adminpads'
+  - 'ep_align'
+  - 'ep_font_color'
+  - 'ep_font_family'
+  - 'ep_font_size'
+  - 'ep_hash_auth'
+  - 'ep_headings'
+  - 'ep_hide_referrer'
+  - 'ep_line_height'
+  - 'ep_linkify'
+  - 'ep_message_all'
+  - 'ep_padlist'
+  - 'ep_page_view'
+  - 'ep_print'
+  - 'ep_rss'
+  - 'ep_scrollto'
+  - 'ep_subscript'
+  - 'ep_superscript'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_plugins [[[
+#
+# List of additional Etherpad plugins to enable.
+# Checkout the list of available plugins for more:
+# https://static.etherpad.org/plugins.html.
+etherpad_plugins: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Other options [[[
+# -----------------
+
+# .. envvar:: etherpad_allow [[[
+#
+# Allow access only from selected IP addresses/CIDR networks. If empty, allow
+# access from everywhere.
+etherpad_allow: []
+
+                                                                   # ]]]
+# .. envvar:: etherpad_minify [[[
+#
+# Minify CSS and JS assets?
+etherpad_minify: True
+
+                                                                   # ]]]
+# .. envvar:: etherpad_max_age [[[
+#
+# Maximum age of cached assets (6 hours by default).
+etherpad_max_age: '{{ (60 * 60 * 6) }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_disable_ip_logging [[[
+#
+# Disable IP addresses in logs?
+etherpad_disable_ip_logging: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_loglevel [[[
+#
+# Etherpad log level (choices: DEBUG, INFO, WARN, ERROR)
+etherpad_loglevel: 'INFO'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_custom_json [[[
+#
+# Here you can define custom settings.json entries in YAML format, which will
+# be converted to JSON and put at the end of the configuration file.
+etherpad_custom_json: False
+
+                                                                   # ]]]
+# .. envvar:: etherpad_api_calls [[[
+#
+# Allows you configure all aspects of Etherpad via its API.
+# See http://etherpad.org/doc/v1.5.1/#index_api_methods for details.
+etherpad_api_calls: []
+  # - method: 'createPad'
+  #   args:
+  #     'padID': 'testing'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_api_version [[[
+#
+# Against which API version should the API calls be executed?
+# Only applies for :envvar:`etherpad_api_calls`.
+etherpad_api_version: '1.2.12'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_api_key_file [[[
+#
+# Filepath of the API key file.
+etherpad_api_key_file: '{{ etherpad_home + "/" + etherpad_repository }}/APIKEY.txt'
+
+                                                                   # ]]]
+# .. envvar:: etherpad_api_calls_debug [[[
+#
+# If True, you will get debugging output for the API calls defined by
+# :envvar:`etherpad_api_calls`. Default is False.
+etherpad_api_calls_debug: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: etherpad__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+etherpad__etc_services__dependent_list:
+
+  - name: 'etherpad-lite'
+    port: '{{ etherpad_port }}'
+    comment: 'Etherpad Lite'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+etherpad__logrotate__dependent_config:
+
+  - filename: 'etherpad-lite'
+    log: '{{ etherpad_log_dir + "/*.log" }}'
+    options: |
+      weekly
+      missingok
+      rotate 4
+      compress
+      notifempty
+      create 644 {{ etherpad_user }} {{ etherpad_group }}
+    comment: 'Logrotate configuration for etherpad-lite'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__mariadb__dependent_users [[[
+#
+# User configuration for the :ref:`debops.mariadb` Ansible role.
+etherpad__mariadb__dependent_users:
+
+  - name: '{{ etherpad_database_user }}'
+    password: '{{ etherpad_database_password }}'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    home: '{{ etherpad_home }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__mariadb__dependent_databases [[[
+#
+# Database configuration for the :ref:`debops.mariadb` Ansible role.
+etherpad__mariadb__dependent_databases:
+
+  - database: '{{ etherpad_database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__postgresql__dependent_roles [[[
+#
+# User configuration for the :ref:`debops.postgresql` Ansible role.
+etherpad__postgresql__dependent_roles:
+
+  - name: '{{ etherpad_database_user }}'
+    password: '{{ etherpad_database_password }}'
+    flags: [ 'NOSUPERUSER', 'NOCREATEDB', 'LOGIN' ]
+
+                                                                   # ]]]
+# .. envvar:: etherpad__postgresql__dependent_databases [[[
+#
+# Database configuration for the :ref:`debops.postgresql` Ansible role.
+etherpad__postgresql__dependent_databases:
+
+  - name: '{{ etherpad_database_name }}'
+    port: '5432'
+    owner: '{{ etherpad_database_user }}'
+    encoding: '{{ etherpad_database_encoding | d(omit) }}'
+    lc_collate: '{{ etherpad_database_collate | d(omit) }}'
+    lc_ctype: '{{ etherpad_database_ctype | d(omit) }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+etherpad__nginx__dependent_upstreams:
+
+  - name: '{{ etherpad_system_name }}'
+    enabled: True
+    server: '127.0.0.1:{{ etherpad_port }}'
+
+                                                                   # ]]]
+# .. envvar:: etherpad__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+etherpad__nginx__dependent_servers:
+  - by_role: 'debops.etherpad'
+    enabled: True
+    favicon: False
+    name: '{{ etherpad_domain }}'
+    filename: 'debops.etherpad'
+
+    location:
+
+      # Allow normal files to pass through
+      '~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|socket.io/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt)': |
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_buffering off;
+        proxy_pass http://{{ etherpad_system_name }};
+
+      # Redirect to force /p/* URLs to the friendly version
+      '/p/': |
+        rewrite ^/p/(.*) /$1 redirect;
+
+      # Handle redirects
+      '/redirect': |
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_buffering off;
+        proxy_pass http://{{ etherpad_system_name }};
+
+      # Match the home page
+      '~ ^/$': |
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_buffering off;
+        proxy_pass http://{{ etherpad_system_name }};
+
+      # Handle pad URLs here
+      '/': |
+        rewrite ^/admin(.*) /admin/$1 redirect;
+        rewrite ^/list(.*) /list break;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_buffering off;
+        proxy_pass http://{{ etherpad_system_name }}/p/;
+        proxy_redirect / /p/;
+
+    location_allow:
+
+      '~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|socket.io/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt)': '{{ etherpad_allow }}'
+
+      '/p/': '{{ etherpad_allow }}'
+
+      '/redirect': '{{ etherpad_allow }}'
+
+      '~ ^/$': '{{ etherpad_allow }}'
+
+      '/': '{{ etherpad_allow }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/etherpad/meta/main.yml b/ansible_collections/debops/debops/roles/etherpad/meta/main.yml
new file mode 100644
index 00000000..efda3a43
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage Etherpad Lite'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - etherpad
+    - documents
+    - texteditor
+    - web
diff --git a/ansible_collections/debops/debops/roles/etherpad/meta/watch-etherpad-lite b/ansible_collections/debops/debops/roles/etherpad/meta/watch-etherpad-lite
new file mode 100644
index 00000000..cef89207
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/meta/watch-etherpad-lite
@@ -0,0 +1,12 @@
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: etherpad
+# Package: etherpad-lite
+# Version: 1.7.5
+
+version=4
+https://github.com/ether/etherpad-lite/tags .*/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/etherpad/tasks/main.yml b/ansible_collections/debops/debops/roles/etherpad/tasks/main.yml
new file mode 100644
index 00000000..c169aa78
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/tasks/main.yml
@@ -0,0 +1,257 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required Etherpad packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (etherpad__base_packages
+                              + (etherpad__document_packages
+                                 if etherpad_abiword | bool
+                                 else [])
+                              + etherpad__packages)) }}'
+    state: 'present'
+  register: etherpad__register_packages
+  until: etherpad__register_packages is succeeded
+
+- name: Create Etherpad system group
+  ansible.builtin.group:
+    name: '{{ etherpad_group }}'
+    system: yes
+    state: 'present'
+
+- name: Create Etherpad user
+  ansible.builtin.user:
+    name: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    home: '{{ etherpad_home }}'
+    shell: '{{ etherpad__shell }}'
+    comment: 'Etherpad'
+    system: yes
+    state: 'present'
+
+- name: Create Etherpad source directory
+  ansible.builtin.file:
+    path: '{{ etherpad_src_dir }}'
+    state: 'directory'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    mode: '0750'
+
+- name: Secure Etherpad home directory
+  ansible.builtin.file:
+    path: '{{ etherpad_home }}'
+    state: 'directory'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    mode: '0750'
+
+- name: Clone Etherpad source code
+  ansible.builtin.git:
+    repo: '{{ etherpad_source_address + "/" + etherpad_repository }}'
+    dest: '{{ etherpad_src_dir + "/" + etherpad_repository }}'
+    version: '{{ etherpad_version }}'
+    bare: yes
+    update: yes
+  become: True
+  become_user: '{{ etherpad_user }}'
+  register: etherpad_register_source
+  tags: [ 'role::etherpad:source' ]
+
+- name: Check if Etherpad is checked out
+  ansible.builtin.stat:
+    path: '{{ etherpad_home + "/" + etherpad_repository }}'
+  register: etherpad_register_directory
+  tags: [ 'role::etherpad:source' ]
+
+- name: Create Etherpad directory
+  ansible.builtin.file:  # noqa no-handler
+    path: '{{ etherpad_home + "/" + etherpad_repository }}'
+    state: 'directory'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    mode: '0755'
+  when: (etherpad_register_source is defined and etherpad_register_source is changed) or
+        (etherpad_register_directory is defined and not etherpad_register_directory.stat.exists | bool)
+  tags: [ 'role::etherpad:source' ]
+
+- name: Prepare Etherpad worktree
+  ansible.builtin.template:  # noqa no-handler
+    src: 'var/local/etherpad-lite/etherpad-lite/git.j2'
+    dest: '{{ etherpad_home + "/" + etherpad_repository }}/.git'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    mode: '0644'
+  when: (etherpad_register_source is defined and etherpad_register_source is changed) or
+        (etherpad_register_directory is defined and not etherpad_register_directory.stat.exists | bool)
+  tags: [ 'role::etherpad:source' ]
+
+- name: Checkout Etherpad
+  ansible.builtin.command: 'git checkout --force {{ etherpad_version }}'  # noqa no-handler command-instead-of-module
+  args:
+    chdir: '{{ etherpad_src_dir + "/" + etherpad_repository }}'
+  environment:
+    GIT_WORK_TREE: '{{ etherpad_home + "/" + etherpad_repository }}'
+  become: True
+  become_user: '{{ etherpad_user }}'
+  register: etherpad_register_checkout
+  notify: [ 'Restart etherpad-lite' ]
+  changed_when: etherpad_register_checkout.changed | bool
+  when: (etherpad_register_source is defined and etherpad_register_source is changed) or
+        (etherpad_register_directory is defined and not etherpad_register_directory.stat.exists | bool)
+  tags: [ 'role::etherpad:source' ]
+
+## Not used anywhere but it should stay for now: See https://github.com/debops/ansible-etherpad/pull/13
+- name: Generate Etherpad session key
+  ansible.builtin.set_fact:
+    etherpad_session_key: '{{ lookup("password", secret + "/credentials/" + ansible_fqdn
+                              + "/etherpad/session_key chars=ascii_letters,numbers,digits,hexdigits length=30") }}'
+  when: secret is defined and secret
+
+- name: Generate Etherpad configuration
+  ansible.builtin.template:
+    src: 'var/local/etherpad-lite/etherpad-lite/settings.json.j2'
+    dest: '{{ etherpad_home + "/" + etherpad_repository }}/settings.json'
+    owner: '{{ etherpad_user }}'
+    group: '{{ etherpad_group }}'
+    mode: '0644'
+  notify: [ 'Restart etherpad-lite' ]
+  tags: [ 'role::etherpad:config' ]
+
+- name: Create log directory
+  ansible.builtin.file:
+    path: '/var/log/etherpad-lite'
+    state: 'directory'
+    owner: '{{ etherpad_user }}'
+    group: 'adm'
+    mode: '0755'
+
+- name: Install Etherpad dependencies
+  ansible.builtin.command: 'bin/installDeps.sh'  # noqa no-handler
+  args:
+    chdir: '{{ etherpad_home + "/" + etherpad_repository }}'
+    creates: '{{ etherpad_home }}/.node-gyp'
+  become: True
+  become_user: '{{ etherpad_user }}'
+  when: etherpad_register_checkout is changed
+
+- name: Manage Etherpad plugins
+  community.general.npm:
+    name: '{{ item.name | d(item) }}'
+    path: '{{ etherpad_home + "/" + etherpad_repository }}'
+    state: '{{ item.state | d("present") }}'
+    production: yes
+  loop: '{{ q("flattened", etherpad__default_plugins
+                           + etherpad_plugins) }}'
+  become: True
+  become_user: '{{ etherpad_user }}'
+  notify: [ 'Restart etherpad-lite' ]
+  tags: [ 'role::etherpad:plugins' ]
+
+- name: Configure etherpad-lite system service
+  ansible.builtin.template:
+    src: 'etc/default/etherpad-lite.j2'
+    dest: '/etc/default/etherpad-lite'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: ansible_service_mgr != 'systemd'
+
+- name: Install etherpad-lite init script
+  ansible.builtin.template:
+    src: 'etc/init.d/etherpad-lite.j2'
+    dest: '/etc/init.d/etherpad-lite'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Reload service manager' ]
+  register: etherpad__register_sysvinit
+  when: ansible_service_mgr != 'systemd'
+
+- name: Install etherpad-lite systemd unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/etherpad-lite.service.j2'
+    dest: '/etc/systemd/system/etherpad-lite.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+  register: etherpad__register_systemd
+  when: ansible_service_mgr == 'systemd'
+
+- name: Reload systemd daemons
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that etherpad-lite is started
+  ansible.builtin.service:  # noqa no-handler
+    name: 'etherpad-lite'
+    state: 'started'
+    enabled: True
+  when: (etherpad__register_sysvinit is changed or
+         etherpad__register_systemd is changed)
+
+- name: Wait for the API key file generation
+  ansible.builtin.wait_for:
+    path: '{{ etherpad_api_key_file }}'
+    timeout: 30
+
+- name: Wait for Etherpad application port to be reachable
+  ansible.builtin.wait_for:
+    port: '{{ etherpad_port }}'
+    timeout: 30
+
+- name: Get the generated API key
+  ansible.builtin.command: cat {{ etherpad_api_key_file }}
+  register: etherpad_api_key
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::etherpad:api', 'role::etherpad:api:call' ]
+
+- name: Make API calls
+  ansible.builtin.uri:
+    url: 'http://localhost:{{ etherpad_port }}/api/{{ etherpad_api_version }}/{{ item.method }}?apikey={{
+          etherpad_api_key.stdout }}{% if item.args | d() %}{% for key, value in item.args.items() %}{{
+          "&" + key + "=" + value }}{% endfor %}{% endif %}'
+  register: etherpad_api_calls_exec
+  ## error while evaluating conditional???
+  # failed_when: etherpad_api_calls_exec.rc != 0 or etherpad_api_calls_exec.json.code | d()
+  with_items: '{{ etherpad_api_calls }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::etherpad:api', 'role::etherpad:api:call' ]
+
+- name: Display API call responses for debugging
+  ansible.builtin.debug:
+    var: etherpad_api_calls_exec
+  when: etherpad_api_calls_exec | d() and etherpad_api_calls_debug
+  tags: [ 'role::etherpad:api', 'role::etherpad:api:call' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Etherpad local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/etherpad.fact.j2'
+    dest: '/etc/ansible/facts.d/etherpad.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/etc/ansible/facts.d/etherpad.fact.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/etc/ansible/facts.d/etherpad.fact.j2
new file mode 100644
index 00000000..11923ef1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/etc/ansible/facts.d/etherpad.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/etc/default/etherpad-lite.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/etc/default/etherpad-lite.j2
new file mode 100644
index 00000000..b86619ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/etc/default/etherpad-lite.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# etherpad-lite system configuration
+
+# Installation directory
+EPLITE_DIR="{{ etherpad_home + '/' + etherpad_repository }}"
+
+# System user
+USER="{{ etherpad_user }}"
+
+# System group
+GROUP="{{ etherpad_group }}"
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/etc/init.d/etherpad-lite.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/etc/init.d/etherpad-lite.j2
new file mode 100644
index 00000000..e544adf2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/etc/init.d/etherpad-lite.j2
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+# {{ ansible_managed }}
+
+# etherpad-lite init script
+
+# Copyright (C) 2011-2017 Etherpad Contributors <https://etherpad.org/>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: Apache-2.0
+# Source: https://github.com/ether/etherpad-lite/wiki/How-to-deploy-Etherpad-Lite-as-a-service
+
+### BEGIN INIT INFO
+# Provides:          etherpad-lite
+# Required-Start:    $local_fs $remote_fs $network $syslog
+# Required-Stop:     $local_fs $remote_fs $network $syslog
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts etherpad lite
+# Description:       starts etherpad lite using start-stop-daemon
+### END INIT INFO
+
+PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/node/bin"
+LOGFILE="{{ etherpad_log_dir }}/etherpad-lite.log"
+EPLITE_DIR="/usr/share/etherpad-lite"
+EPLITE_BIN="bin/safeRun.sh"
+USER="etherpad-lite"
+GROUP="etherpad-lite"
+DESC="Etherpad Lite"
+NAME="etherpad-lite"
+
+DEFAULTS="/etc/default/etherpad-lite"
+
+# Load defaults if available
+# shellcheck disable=SC1090
+[ -r "$DEFAULTS" ] && . "$DEFAULTS"
+
+set -e
+
+# shellcheck disable=SC1091
+. /lib/lsb/init-functions
+
+start() {
+  echo "Starting $DESC... "
+
+    start-stop-daemon --start --chuid "$USER:$GROUP" --background --make-pidfile --pidfile "/var/run/${NAME}.pid" --exec "$EPLITE_DIR/$EPLITE_BIN" -- "$LOGFILE" || true
+  echo "done"
+}
+
+#We need this function to ensure the whole process tree will be killed
+killtree() {
+    _pid="$1"
+    _sig="${2-TERM}"
+    for _child in $(ps -o pid --no-headers --ppid "${_pid}"); do
+        killtree "${_child}" "${_sig}"
+    done
+    kill "-${_sig}" "${_pid}"
+}
+
+stop() {
+  echo "Stopping $DESC... "
+  if test -f "/var/run/${NAME}.pid"; then
+    while test -d "/proc/$(cat /var/run/${NAME}.pid)"; do
+      killtree "$(cat /var/run/${NAME}.pid)" 15
+      sleep 0.5
+    done
+    rm "/var/run/${NAME}.pid"
+  fi
+  echo "done"
+}
+
+status() {
+  status_of_proc -p /var/run/$NAME.pid "" "etherpad-lite" && exit 0 || exit $?
+}
+
+case "$1" in
+  start)
+      start
+      ;;
+  stop)
+    stop
+      ;;
+  restart)
+      stop
+      start
+      ;;
+  status)
+      status
+      ;;
+  *)
+      echo "Usage: $NAME {start|stop|restart|status}" >&2
+      exit 1
+      ;;
+esac
+
+exit 0
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/etc/systemd/system/etherpad-lite.service.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/etc/systemd/system/etherpad-lite.service.j2
new file mode 100644
index 00000000..67dcdb68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/etc/systemd/system/etherpad-lite.service.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2011-2017 Etherpad Contributors <https://etherpad.org/>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: Apache-2.0
+ # Source: https://github.com/ether/etherpad-lite/wiki/How-to-deploy-Etherpad-Lite-as-a-service
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Etherpad-lite, the collaborative editor.
+After=syslog.target network-online.target mysql.service postgresql.service
+Conflicts=shutdown.target
+
+[Service]
+Type=simple
+User={{ etherpad_user }}
+Group={{ etherpad_group }}
+WorkingDirectory={{ etherpad_home + "/" + etherpad_repository }}
+ExecStart=/usr/bin/nodejs {{ etherpad_home + "/" + etherpad_repository }}/node_modules/ep_etherpad-lite/node/server.js
+Restart=always
+{% if etherpad_log_to_file is defined and etherpad_log_to_file %}
+StandardOutput=append:{{ etherpad_log_dir }}/production.log
+StandardError=inherit
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/git.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/git.j2
new file mode 100644
index 00000000..5a6911e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/git.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+gitdir: {{ etherpad_src_dir + '/' + etherpad_repository }}
diff --git a/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/settings.json.j2 b/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/settings.json.j2
new file mode 100644
index 00000000..2832e1a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/etherpad/templates/var/local/etherpad-lite/etherpad-lite/settings.json.j2
@@ -0,0 +1,242 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+/*
+  {{ ansible_managed }}
+
+  This file must be valid JSON. But comments are allowed
+*/
+{#
+Pro/contra for generating this file with to_nice_json:
+
+Pro:
+* Much cleaner
+* Less error prone (JSON is picky)
+
+Control:
+* No comments in the generated file possible for the different settings options
+
+Result: For now continue to use the template file.
+
+See also: https://github.com/debops/ansible-etherpad/pull/16/files#r41485963
+
+#}
+{
+  // Name your instance!
+  "title": "{{ etherpad_title }}",
+
+  // favicon default name
+  // alternatively, set up a fully specified Url to your own favicon
+  "favicon": "favicon.ico",
+
+  // IP and port which etherpad should bind at
+  "ip": "{{ etherpad_bind }}",
+  "port" : {{ etherpad_port }},
+
+  /*
+  // Node native SSL support
+  // this is disabled by default
+  //
+  // make sure to have the minimum and correct file access permissions set
+  // so that the Etherpad server can access them
+
+  "ssl" : {
+            "key"  : "/path-to-your/epl-server.key",
+            "cert" : "/path-to-your/epl-server.crt",
+            "ca": ["/path-to-your/epl-intermediate-cert1.crt", "/path-to-your/epl-intermediate-cert2.crt"]
+          },
+
+  */
+
+  // The Type of the database. You can choose between dirty, postgres, sqlite and mysql
+  // You shouldn't use "dirty" for for anything else than testing or development
+  "dbType" : "{{ etherpad__database }}",
+  "dbSettings" : {
+  {% if etherpad__database in ['dirty', 'sqlite'] -%}
+      "filename" : "{{ etherpad_database_config[etherpad__database].filename }}"
+  {% elif etherpad__database in ['mysql', 'postgres'] -%}
+      "user"    : "{{ etherpad_database_config[etherpad__database].username }}",
+      "host"    : "{{ etherpad_database_config[etherpad__database].hostname }}",
+      {% if etherpad_database_connection == 'port' %}
+        "port"    : "{{ etherpad_database_config[etherpad__database].port }}",
+      {% else %}
+        {% if etherpad__database in ['mysql'] -%}
+         "port"    : "{{ etherpad_database_config[etherpad__database].socket }}",
+        {% endif %}
+      {% endif %}
+      "password": "{{ etherpad_database_config[etherpad__database].password | default('') }}",
+      "database": "{{ etherpad_database_config[etherpad__database].database }}"
+   {% endif %}
+   },
+
+  //the default text of a pad
+  "defaultPadText" : "{{ etherpad_welcome_text | replace('\n', '\\n') }}",
+
+  /* Default Pad behavior, users can override by changing */
+  "padOptions": {
+    "noColors": false,
+    "showControls": true,
+    "showChat": true,
+    "showLineNumbers": true,
+    "useMonospaceFont": false,
+    "userName": false,
+    "userColor": false,
+    "rtl": false,
+    "alwaysShowChat": false,
+    "chatAndUsers": false,
+    "lang": "en-gb"
+  },
+
+  /* Should we suppress errors from being visible in the default Pad Text? */
+  "suppressErrorsInPadText" : false,
+
+  /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
+  "requireSession" : {{ etherpad_require_session | lower }},
+
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : {{ etherpad_edit_only | lower }},
+
+  /* Users, who have a valid session, automatically get granted access to password protected pads */
+  "sessionNoPassword" : false,
+
+  /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly,
+     but makes it impossible to debug the javascript/css */
+  "minify" : {{ etherpad_minify | lower }},
+
+  /* How long may clients use served javascript code (in seconds)? Without versioning this
+     may cause problems during deployment. Set to 0 to disable caching */
+  "maxAge" : {{ etherpad_max_age }},
+
+  /* This is the path to the Abiword executable. Setting it to null, disables abiword.
+     Abiword is needed to advanced import/export features of pads*/
+  "abiword" : {% if etherpad_abiword %}"/usr/bin/abiword"{% else %}null{% endif %},
+
+  /* This is the path to the Tidy executable. Setting it to null, disables Tidy.
+     Tidy is used to improve the quality of exported pads*/
+  "tidyHtml" : null,
+
+  /* Allow import of file types other than the supported types: txt, doc, docx, rtf, odt, html & htm */
+  "allowUnknownFileEnds" : true,
+
+  /* This setting is used if you require authentication of all users.
+     Note: /admin always requires authentication. */
+  "requireAuthentication": {{ etherpad_require_authentication | lower }},
+
+  /* Require authorization by a module, or a user with is_admin set, see below. */
+  "requireAuthorization": {{ etherpad_require_authorization | lower }},
+
+  /*when you use NginX or another proxy/ load-balancer set this to true*/
+  "trustProxy": {{ etherpad_trust_proxy | lower }},
+
+  /* Privacy: disable IP logging */
+  "disableIPlogging": {{ etherpad_disable_ip_logging | lower }},
+
+  /* Users for basic authentication. is_admin = true gives access to /admin.
+     If you do not uncomment this, /admin will not be available! */
+{% if (secret is defined and secret) and (etherpad_admins or etherpad_users) %}
+  "users": {
+{% for name in etherpad_admins %}
+    "{{ name }}": {
+{% if 'ep_hash_auth' in (etherpad__default_plugins + etherpad_plugins) %}
+      "hash": "{{ lookup('pipe', 'printf "%s" "' + lookup('password', secret + '/credentials/' + inventory_hostname + '/etherpad/admins/' + name) + '" | sha512sum | cut -f1 -d" "') }}",
+{% else %}
+      "password": "{{ lookup('password', secret + '/credentials/' + inventory_hostname + '/etherpad/admins/' + name) }}",
+{% endif %}
+      "is_admin": true
+    },
+{% endfor %}
+{% for name in etherpad_users %}
+    "{{ name }}": {
+{% if 'ep_hash_auth' in (etherpad__default_plugins + etherpad_plugins) %}
+      "hash": "{{ lookup('pipe', 'printf "%s" "' + lookup('password', secret + '/credentials/' + inventory_hostname + '/etherpad/users/' + name) + '" | sha512sum | cut -f1 -d" "') }}",
+{% else %}
+      "password": "{{ lookup('password', secret + '/credentials/' + inventory_hostname + '/etherpad/users/' + name) }}",
+{% endif %}
+      "is_admin": false
+    },
+{% endfor %}
+  },
+{% endif %}
+
+  // restrict socket.io transport methods
+  "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+
+  // Allow Load Testing tools to hit the Etherpad Instance.  Warning this will disable security on the instance.
+  "loadTest": false,
+
+  /* The toolbar buttons configuration.
+  "toolbar": {
+    "left": [
+      ["bold", "italic", "underline", "strikethrough"],
+      ["orderedlist", "unorderedlist", "indent", "outdent"],
+      ["undo", "redo"],
+      ["clearauthorship"]
+    ],
+    "right": [
+      ["importexport", "timeslider", "savedrevision"],
+      ["settings", "embed"],
+      ["showusers"]
+    ],
+    "timeslider": [
+      ["timeslider_export", "timeslider_returnToPad"]
+    ]
+  },
+  */
+
+  "ep_hash_auth": {
+    "hash_typ": "{{ etherpad_password_hashing_algo }}"
+  },
+
+  /* The log level we are using, can be: DEBUG, INFO, WARN, ERROR */
+  "loglevel": "{{ etherpad_loglevel }}",
+
+  //Logging configuration. See log4js documentation for further information
+  // https://github.com/nomiddlename/log4js-node
+  // You can add as many appenders as you want here:
+  "logconfig" :
+    { "appenders": [
+        { "type": "console"
+        //, "category": "access"// only logs pad access
+        }
+    /*
+      , { "type": "file"
+      , "filename": "your-log-file-here.log"
+      , "maxLogSize": 1024
+      , "backups": 3 // how many log files there're gonna be at max
+      //, "category": "test" // only log a specific category
+        }*/
+    /*
+      , { "type": "logLevelFilter"
+        , "level": "warn" // filters out all log messages that have a lower level than "error"
+        , "appender":
+          {  Use whatever appender you want here  }
+        }*/
+    /*
+      , { "type": "logLevelFilter"
+        , "level": "error" // filters out all log messages that have a lower level than "error"
+        , "appender":
+          { "type": "smtp"
+          , "subject": "An error occurred in your EPL instance!"
+          , "recipients": "bar@blurdybloop.com, baz@blurdybloop.com"
+          , "sendInterval": 60*5 // in secs -- will buffer log messages; set to 0 to send a mail for every message
+          , "transport": "SMTP", "SMTP": { // see https://github.com/andris9/Nodemailer#possible-transport-methods
+              "host": "smtp.example.com", "port": 465,
+              "secureConnection": true,
+              "auth": {
+                  "user": "foo@example.com",
+                  "pass": "bar_foo"
+              }
+            }
+          }
+        }*/
+      ]
+{% if etherpad_custom_json %}
+    },
+    {{ (etherpad_custom_json | to_nice_json)[1:][:-1] | trim }}
+{% else %}
+    }
+{% endif %}
+}
diff --git a/ansible_collections/debops/debops/roles/extrepo/COPYRIGHT b/ansible_collections/debops/debops/roles/extrepo/COPYRIGHT
new file mode 100644
index 00000000..14337af1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.extrepo - Manage external APT sources using Ansible
+
+Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/extrepo/defaults/main.yml b/ansible_collections/debops/debops/roles/extrepo/defaults/main.yml
new file mode 100644
index 00000000..2589b07b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/defaults/main.yml
@@ -0,0 +1,128 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _extrepo__ref_defaults:
+
+# debops.extrepo default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation and packages [[[
+# -----------------------------
+
+# .. envvar:: extrepo__enabled [[[
+#
+# Enable or disable configuration of external APT repositories using the
+# :command:`extrepo` command.
+extrepo__enabled: '{{ False
+                      if (ansible_distribution != "Debian" or
+                          ansible_distribution_release in ["stretch"])
+                      else True }}'
+
+                                                                   # ]]]
+# .. envvar:: extrepo__base_packages [[[
+#
+# List of the default APT packages to install for :command:`extrepo` support.
+# On Debian Buster, the ``extrepo`` package is available via the
+# ``buster-backports`` repository.
+extrepo__base_packages: [ 'extrepo' ]
+
+                                                                   # ]]]
+# .. envvar:: extrepo__packages [[[
+#
+# List of additional packages to install with :command:`extrepo`.
+extrepo__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Main configuration file [[[
+# ---------------------------
+
+# These variables define the contents of the :file:`/etc/extrepo/config.yaml`
+# configuration file. See :ref:`extrepo__ref_configuration` for more details.
+
+# .. envvar:: extrepo__default_configuration [[[
+#
+# The list with default contents of the configuration file defined by the role.
+extrepo__default_configuration:
+
+  - name: 'defaults'
+    config:
+      url: 'https://extrepo-team.pages.debian.net/extrepo-data'
+      dist: '{{ ansible_distribution | lower }}'
+      version: '{{ ansible_distribution_release }}'
+
+  - name: 'policies'
+    config:
+      enabled_policies: '{{ ansible_local.apt.components | d(["main"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: extrepo__configuration [[[
+#
+# List of custom contents of the configuration file defined by the user.
+extrepo__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: extrepo__combined_configuration [[[
+#
+# The variable which combines the lists of configuration file contents and is
+# used in role tasks and templates.
+extrepo__combined_configuration: '{{ extrepo__default_configuration
+                                     + extrepo__configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# External APT sources [[[
+# ------------------------
+
+# These lists define what external APT sources should be enabled on a given
+# host. You can find a list of available APT sources by running the
+# :command:`extrepo search` command.
+#
+# See :ref:`extrepo__ref_sources` for more details.
+
+# .. envvar:: extrepo__sources [[[
+#
+# List of the external APT sources which should be enabled on all hosts in the
+# Ansible inventory.
+extrepo__sources: []
+
+                                                                   # ]]]
+# .. envvar:: extrepo__group_sources [[[
+#
+# List of the external APT sources which should be enabled on hosts in
+# a specific Ansible inventory group.
+extrepo__group_sources: []
+
+                                                                   # ]]]
+# .. envvar:: extrepo__host_sources [[[
+#
+# List of the external APT sources which should be enabled on specific hosts in
+# the Ansible inventory.
+extrepo__host_sources: []
+
+                                                                   # ]]]
+# .. envvar:: extrepo__dependent_sources [[[
+#
+# List of the external APT sources defined by other Ansible roles via role
+# dependent variables.
+extrepo__dependent_sources: []
+
+                                                                   # ]]]
+# .. envvar:: extrepo__combined_sources [[[
+#
+# Variable which combines all lists of external APT sources and is used in role
+# tasks and templates.
+extrepo__combined_sources: '{{ extrepo__dependent_sources
+                               + extrepo__sources
+                               + extrepo__group_sources
+                               + extrepo__host_sources }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/extrepo/meta/main.yml b/ansible_collections/debops/debops/roles/extrepo/meta/main.yml
new file mode 100644
index 00000000..36f65f36
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage external APT sources using extrepo'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - packages
+    - apt
diff --git a/ansible_collections/debops/debops/roles/extrepo/tasks/main.yml b/ansible_collections/debops/debops/roles/extrepo/tasks/main.yml
new file mode 100644
index 00000000..8806dbe8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (extrepo__base_packages
+                              + extrepo__packages)) }}'
+    state: 'present'
+  register: extrepo__register_packages
+  until: extrepo__register_packages is succeeded
+  when: extrepo__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save extrepo local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/extrepo.fact.j2'
+    dest: '/etc/ansible/facts.d/extrepo.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert original extrepo configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/extrepo/config.yaml'
+    state: 'present'
+  when: extrepo__enabled | bool and ansible_pkg_mgr == 'apt'
+
+- name: Generate extrepo configuration file
+  ansible.builtin.template:
+    src: 'etc/extrepo/config.yaml.j2'
+    dest: '/etc/extrepo/config.yaml'
+    mode: '0644'
+  register: extrepo__register_config
+  when: extrepo__enabled | bool
+
+- name: Update external APT sources if required
+  ansible.builtin.command: 'extrepo update {{ item.name }}'  # noqa no-handler
+  loop: '{{ q("flattened", extrepo__combined_sources) | debops.debops.parse_kv_config }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state} }}'
+  register: extrepo__register_updated_sources
+  changed_when: extrepo__register_updated_sources.changed | bool
+  when: extrepo__enabled | bool and item.name in ansible_local.extrepo.sources | d() and
+        item.state | d('present') not in ['absent', 'init', 'ignore'] and
+        extrepo__register_config is changed
+
+- name: Remove external APT sources when requested
+  ansible.builtin.file:
+    path: '{{ "/etc/apt/sources.list.d/extrepo_" + item.name + ".sources" }}'
+    state: 'absent'
+  loop: '{{ q("flattened", extrepo__combined_sources) | debops.debops.parse_kv_config }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state} }}'
+  register: extrepo__register_removed_sources
+  changed_when: extrepo__register_removed_sources.changed | bool
+  when: extrepo__enabled | bool and item.name and item.state | d('present') == 'absent'
+
+- name: Enable external APT sources
+  ansible.builtin.command: 'extrepo enable {{ item.name }}'
+  loop: '{{ q("flattened", extrepo__combined_sources) | debops.debops.parse_kv_config }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state} }}'
+  register: extrepo__register_enabled_sources
+  changed_when: extrepo__register_enabled_sources.changed | bool
+  when: extrepo__enabled | bool and item.name not in ansible_local.extrepo.sources | d() and
+        item.state | d('present') not in ['absent', 'init', 'ignore']
+
+- name: Update APT cache if required
+  ansible.builtin.apt:  # noqa no-handler
+    update_cache: True
+  notify: [ 'Refresh host facts' ]
+  register: extrepo__register_apt_cache
+  until: extrepo__register_apt_cache is succeeded
+  when: (extrepo__enabled | bool and
+         (extrepo__register_updated_sources is changed or
+          extrepo__register_removed_sources is changed or
+          extrepo__register_enabled_sources is changed))
+
+- name: Update Ansible facts if APT cache was modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/extrepo/templates/etc/ansible/facts.d/extrepo.fact.j2 b/ansible_collections/debops/debops/roles/extrepo/templates/etc/ansible/facts.d/extrepo.fact.j2
new file mode 100644
index 00000000..fbf471e0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/templates/etc/ansible/facts.d/extrepo.fact.j2
@@ -0,0 +1,53 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+import json
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('extrepo')}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "extrepo"]).decode('utf-8').split('~')[0]
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+sources_path = '/etc/apt/sources.list.d'
+
+sources_files = [sources_path + "/" + f for f in os.listdir(sources_path)
+                 if os.path.isfile(os.path.join(sources_path, f))]
+
+sources = []
+
+for item in sources_files:
+    with open(item, mode="r") as fd:
+        lines = fd.readlines()
+    # Missing, or 'Enabled: yes\n' means enabled
+    disabled = 'Enabled: no\n' in lines
+    if not disabled:
+        item = os.path.basename(item)
+        if item.startswith('extrepo_') and item.endswith('.sources'):
+            sources.append(item[8:-8])
+
+output['sources'] = sources
+
+print(json.dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/extrepo/templates/etc/extrepo/config.yaml.j2 b/ansible_collections/debops/debops/roles/extrepo/templates/etc/extrepo/config.yaml.j2
new file mode 100644
index 00000000..60f369e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/extrepo/templates/etc/extrepo/config.yaml.j2
@@ -0,0 +1,14 @@
+---
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+{% set extrepo__tpl_configuration = {} %}
+{% for element in extrepo__combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set combined_config = extrepo__tpl_configuration | combine(element.config, recursive=True) %}
+{%     set _ = extrepo__tpl_configuration.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{{ extrepo__tpl_configuration | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/fail2ban/COPYRIGHT b/ansible_collections/debops/debops/roles/fail2ban/COPYRIGHT
new file mode 100644
index 00000000..09f9133d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.fail2ban - Manage fail2ban service using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/fail2ban/defaults/main.yml b/ansible_collections/debops/debops/roles/fail2ban/defaults/main.yml
new file mode 100644
index 00000000..3ceebbe0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,271 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _fail2ban__ref_defaults:
+
+# debops.fail2ban default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General fail2ban configuration [[[
+# ----------------------------------
+
+# .. envvar:: fail2ban_loglevel [[[
+#
+# Log verbosity
+# valid values : CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: WARNING
+fail2ban_loglevel: 'WARNING'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_logtarget [[[
+#
+# Where to save logs: a file, ``STDOUT``, ``STDERR``, ``SYSLOG``
+fail2ban_logtarget: '/var/log/fail2ban.log'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_dbpurgeage [[[
+#
+# Age at which bans should be purged from the database (by default, 86400 ; 24h)
+fail2ban_dbpurgeage: '{{ (60 * 60 * 24) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Default configuration for all jails [[[
+# ---------------------------------------
+
+# .. envvar:: fail2ban_ignoreip [[[
+#
+# List of IP addresses or CIDR networks which should be ignored by fail2ban
+fail2ban_ignoreip: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_group_ignoreip [[[
+#
+# List of IP addresses or CIDR networks which should be ignored by fail2ban in
+# a specific Ansible inventory group.
+fail2ban_group_ignoreip: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_host_ignoreip [[[
+#
+# List of IP addresses or CIDR networks which should be ignored by fail2ban on
+# a specific hosts in the Ansible inventory.
+fail2ban_host_ignoreip: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_ignoreip_default [[[
+#
+# List of default IP addresses or CIDR networks which should be ignored by
+# fail2ban
+fail2ban_ignoreip_default: [ '127.0.0.0/8' ]
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_findtime [[[
+#
+# Length of time in seconds between bad login attempts to consider for banning
+# (by default, 10 minutes)
+fail2ban_findtime: '{{ (60 * 10) }}'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_maxretry [[[
+#
+# Maximum number of bad login attempts in the given ``findtime`` to trigger
+# a ban
+fail2ban_maxretry: '3'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_bantime [[[
+#
+# Length of time in seconds for the ban to persist (by default, 2 hours)
+fail2ban_bantime: '{{ (60 * 60 * 2) }}'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_backend [[[
+#
+# Method which fail2ban uses to get notified about new entries in log files
+fail2ban_backend: 'auto'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_mta [[[
+#
+# Default mail notification method
+fail2ban_mta: 'sendmail'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_destemail [[[
+#
+# Recipient address of e-mail notifications
+fail2ban_destemail: 'root@{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_banaction [[[
+#
+# Default "response mode" to use for banning. By default, fail2ban will add IP
+# addresses to custom ``iptables`` recent list and ``REJECT`` connections.
+fail2ban_banaction: 'iptables-xt_recent-echo-reject'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_protocol [[[
+#
+# Protocol type to filter in ``iptables``: ``tcp``, ``udp``, ``icmp``, ``all``
+fail2ban_protocol: 'tcp'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_chain [[[
+#
+# ``iptables`` chain to add the rules in
+fail2ban_chain: 'INPUT'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_position [[[
+#
+# Position in the ``iptables`` chain at which ``fail2ban`` will add its rules.
+# Default is based on firewall generated by ``debops.ferm`` role, which at the
+# moment has these entries in ``INPUT`` chain:
+#
+# 1. Accept connections from ``lo`` interface
+#
+# 2. Filter ``ICMP`` floods (jump to separate chain)
+#
+# 3. Drop ``INVALID`` packets
+#
+# 4. Accept ``ESTABLISHED`` and ``RELATED`` packets
+#
+# 5. Filter ``SYN`` floods (jump to separate chain)
+#
+# This option works only with ban actions that support it.
+fail2ban_position: '6'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_bantime_distribution_map [[[
+#
+# Dictionary for release to default bantime for banning IPs
+fail2ban_bantime_distribution_map:
+  'focal': "7200"
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_action [[[
+#
+# Action performed by ``fail2ban`` when IP address is banned. See list of
+# default actions below.
+fail2ban_action: 'action_'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_action_distribution_map [[[
+#
+# Dictionary for release to default action for banning IPs
+fail2ban_action_distribution_map:
+  'focal': '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s"]'
+# ]]]
+# .. envvar:: fail2ban_default_actions [[[
+#
+# Dict with set of named actions to perform when a ban is executed.
+fail2ban_default_actions:
+
+  # Block an IP address in the firewall
+  'action_': |
+    {{ fail2ban_action_distribution_map[ansible_distribution_release]
+    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
+    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
+
+  # Block an IP address in the firewall and send a notification about the
+  # offender taken from ``whois``
+  'action_mw': |
+    {{ fail2ban_action_distribution_map[ansible_distribution_release]
+    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
+    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
+    %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+  # Block an IP address in the firewall and send a notification about the
+  # offender taken from ``whois`` and relevant log entries
+  'action_mwl': |
+    {{ fail2ban_action_distribution_map[ansible_distribution_release]
+    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
+    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
+    %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# ]]]
+# .. envvar:: fail2ban_custom_actions [[[
+#
+# Dict with custom set of named actions to perform when a ban is executed.
+fail2ban_custom_actions: {}
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_actions [[[
+#
+# List of dicts which define custom local ``fail2ban`` actions.
+fail2ban_actions: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_filters [[[
+#
+# List of dicts which define custom local ``fail2ban`` filters. See
+# :ref:`fail2ban_filters` for more details.
+fail2ban_filters: []
+                                                                   # ]]]
+# .. envvar:: fail2ban_usedns [[[
+#
+# Specifies if jails should trust hostnames in logs.
+# Available options are ``yes``, ``warn``, ``no`` and ``raw``.
+fail2ban_usedns: 'warn'
+                                                                   # ]]]
+                                                                   # ]]]
+# List of fail2ban jails [[[
+# --------------------------
+
+# .. envvar:: fail2ban_jails [[[
+#
+# List of dicts which define ``fail2ban`` jails. See :ref:`fail2ban_jails` for
+# more details. This list is meant for all hosts in the cluster.
+fail2ban_jails:
+  - name: '{{ fail2ban_ssh_jail_name }}'
+    enabled: 'true'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_ssh_jail_name [[[
+#
+# Most distributions already pre-configure a SSH jail. If the default SSH jail
+# is enabled in :envvar:`fail2ban_jails` make sure the name corresponds with the
+# distributions :file:`jail.conf` to leverage possible ``logpath`` and other
+# service specific configurations.
+fail2ban_ssh_jail_name: '{{ fail2ban_ssh_jail_distribution_map[ansible_distribution_release]
+                            if ansible_distribution_release in fail2ban_ssh_jail_distribution_map.keys()
+                            else "sshd" }}'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_ssh_jail_distribution_map [[[
+#
+# Dictionary for release to default SSH jail name mappings.
+fail2ban_ssh_jail_distribution_map:
+  'trusty': 'ssh'
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_group_jails [[[
+#
+# List of dicts which define ``fail2ban`` jails. See :ref:`fail2ban_jails` for
+# more details. This list is meant for specific groups of hosts in the cluster.
+fail2ban_group_jails: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_host_jails [[[
+#
+# List of dicts which define ``fail2ban`` jails. See :ref:`fail2ban_jails` for
+# more details. This list is meant for specific hosts in the cluster.
+fail2ban_host_jails: []
+
+                                                                   # ]]]
+# .. envvar:: fail2ban_dependent_jails [[[
+#
+# List of dicts which define ``fail2ban`` jails. See :ref:`fail2ban_jails` for
+# more details. This list is meant for use by other Ansible roles.
+fail2ban_dependent_jails: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois-lines.local b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois-lines.local
new file mode 100644
index 00000000..678b67dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois-lines.local
@@ -0,0 +1,11 @@
+# This file is managed remotely, all changes will be lost
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Definition]
+
+# Disable start/stop e-mails to prevent unimportant spam
+actionstart =
+actionstop =
diff --git a/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois.local b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois.local
new file mode 100644
index 00000000..678b67dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/action.d/sendmail-whois.local
@@ -0,0 +1,11 @@
+# This file is managed remotely, all changes will be lost
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Definition]
+
+# Disable start/stop e-mails to prevent unimportant spam
+actionstart =
+actionstop =
diff --git a/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/filter.d/owncloud.local b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/filter.d/owncloud.local
new file mode 100644
index 00000000..47de66db
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/files/etc/fail2ban/filter.d/owncloud.local
@@ -0,0 +1,15 @@
+# Fail2Ban filter for ownCloud
+#
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 Patryk Ściborek <patryk.sciborek@comp.com.pl>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+# Based on: http://www.rojtberg.net/711/secure-owncloud-server/
+
+[Definition]
+
+failregex = ^{"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"}$
+            ^{"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"}$
+            ^{"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"}$
+ignoreregex =
diff --git a/ansible_collections/debops/debops/roles/fail2ban/meta/main.yml b/ansible_collections/debops/debops/roles/fail2ban/meta/main.yml
new file mode 100644
index 00000000..2421c324
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure fail2ban service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - security
+    - firewall
+    - ssh
diff --git a/ansible_collections/debops/debops/roles/fail2ban/tasks/main.yml b/ansible_collections/debops/debops/roles/fail2ban/tasks/main.yml
new file mode 100644
index 00000000..9f5c3f15
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,167 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.apt:
+    name:
+      - 'fail2ban'
+      - 'whois'
+    state: 'present'
+    install_recommends: False
+  register: fail2ban__register_packages
+  until: fail2ban__register_packages is succeeded
+
+- name: Divert original fail2ban configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/fail2ban/jail.conf'
+
+- name: Copy upstream jail configuration
+  ansible.builtin.copy:
+    src: '/etc/fail2ban/jail.conf.dpkg-divert'
+    dest: '/etc/fail2ban/jail.conf'
+    remote_src: True
+    force: False
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart fail2ban' ]
+
+- name: Disable default upstream jail
+  ansible.builtin.lineinfile:
+    dest: '/etc/fail2ban/jail.conf'
+    regexp: '^(enabled  = )true'
+    line: '\1false'
+    backrefs: yes
+    mode: '0644'
+  notify: [ 'Reload fail2ban jails' ]
+
+- name: Install custom fail2ban rule files
+  ansible.builtin.copy:
+    src: 'etc/fail2ban/'
+    dest: '/etc/fail2ban/'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rwX,g=rX,o=rX'
+  notify: [ 'Reload fail2ban jails' ]
+
+- name: Install custom fail2ban iptables action files
+  ansible.builtin.template:
+    src: 'etc/fail2ban/action.d/{{ item }}.local.j2'
+    dest: '/etc/fail2ban/action.d/{{ item }}.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [iptables-xt_recent-echo-reject, iptables-xt_recent-echo]
+
+- name: Configure custom fail2ban actions
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/fail2ban/action.d/action.local.j2") }}'
+    dest: '/etc/fail2ban/action.d/{{ item.filename | d(item.name) }}.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ fail2ban_actions }}'
+  notify: [ 'Restart fail2ban' ]
+  when: ((item.name is defined and item.name) and
+         (item.ban is defined and item.ban) and
+         (item.state | d('present') not in ['absent']))
+
+- name: Remove custom fail2ban actions if requested
+  ansible.builtin.file:
+    path: '/etc/fail2ban/action.d/{{ item.filename | d(item.name) }}.local'
+    state: 'absent'
+  with_items: '{{ fail2ban_actions }}'
+  notify: [ 'Restart fail2ban' ]
+  when: ((item.name is defined and item.name) and
+         (item.state | d('present') in ['absent']))
+
+- name: Configure custom fail2ban filters
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/fail2ban/filter.d/filter.local.j2") }}'
+    dest: '/etc/fail2ban/filter.d/{{ item.filename | d(item.name) }}.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ fail2ban_filters }}'
+  notify: [ 'Restart fail2ban' ]
+  when: ((item.name is defined and item.name) and
+         (item.failregex is defined and item.failregex) and
+         (item.state | d('present') not in ['absent']))
+
+- name: Remove custom fail2ban filters if requested
+  ansible.builtin.file:
+    path: '/etc/fail2ban/filter.d/{{ item.filename | d(item.name) }}.local'
+    state: 'absent'
+  with_items: '{{ fail2ban_filters }}'
+  notify: [ 'Restart fail2ban' ]
+  when: ((item.name is defined and item.name) and
+         (item.state | d('present') in ['absent']))
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/fail2ban/fail2ban.local.j2") }}'
+    dest: '/etc/fail2ban/fail2ban.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart fail2ban' ]
+
+- name: Create jail.local.d directory
+  ansible.builtin.file:
+    path: '/etc/fail2ban/jail.local.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure jail default variables
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/fail2ban/jail.local.d/default.local.j2") }}'
+    dest: '/etc/fail2ban/jail.local.d/00_default.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Remove fail2ban jails if requested
+  ansible.builtin.file:
+    path: '/etc/fail2ban/jail.local.d/{{ item.filename | default(item.name) }}.local'
+    state: 'absent'
+  loop: '{{ q("flattened", fail2ban_jails
+                           + fail2ban_group_jails
+                           + fail2ban_host_jails
+                           + fail2ban_dependent_jails) }}'
+  when: ((item.name is defined and item.name) and
+         (item.delete is defined and item.delete))
+
+- name: Configure fail2ban jails
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/fail2ban/jail.local.d/jail.local.j2") }}'
+    dest: '/etc/fail2ban/jail.local.d/{{ item.filename | default(item.name) }}.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", fail2ban_jails
+                           + fail2ban_group_jails
+                           + fail2ban_host_jails
+                           + fail2ban_dependent_jails) }}'
+  when: ((item.name is defined and item.name) and
+         (item.delete is undefined or not item.delete))
+
+- name: Assemble /etc/fail2ban/jail.local
+  ansible.builtin.assemble:
+    src: '/etc/fail2ban/jail.local.d'
+    dest: '/etc/fail2ban/jail.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload fail2ban jails' ]
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/action.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/action.local.j2
new file mode 100644
index 00000000..878e6085
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/action.local.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Definition]
+
+actionstart = {{ item.start | d('') | indent(14) }}
+
+actionstop = {{ item.stop | d('') | indent(13) }}
+
+actioncheck = {{ item.check | d('') | indent(14) }}
+
+actionban = {{ item.ban | indent(12) }}
+
+actionunban = {{ item.unban | d('') | indent(14) }}
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo-reject.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo-reject.local.j2
new file mode 100644
index 00000000..398daae9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo-reject.local.j2
@@ -0,0 +1,91 @@
+# This file is managed remotely, all changes will be lost
+
+# Fail2Ban configuration file
+#
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# $Revision: 2 $
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# Changing iptables rules requires root privileges. If fail2ban is
+# configured to run as root, firewall setup can be performed by
+# fail2ban automatically. However, if fail2ban is configured to run as
+# a normal user, the configuration must be done by some other means
+# (e.g. using static firewall configuration with the
+# iptables-persistent package).
+#
+# Explanation of the rule below:
+#    Check if any packets coming from an IP on the fail2ban-<name>
+#    list have been seen in the last <bantime> seconds. If yes, update the
+#    timestamp for this IP and drop the packet. If not, let the packet
+#    through.
+#
+#    Fail2ban inserts blacklisted hosts into the fail2ban-<name> list
+#    and removes them from the list after some time, according to its
+#    own rules. The <bantime> second timeout is independent and acts as a
+#    safeguard in case the fail2ban process dies unexpectedly. The
+#    shorter of the two timeouts actually matters.
+actionstart = iptables -I <chain> <position> -m recent --update --seconds {{ fail2ban_bantime_distribution_map[ansible_distribution_release] if ansible_distribution_release in fail2ban_bantime_distribution_map.keys() else "<bantime>" }} --name fail2ban-<name> --jump REJECT --reject-with icmp-admin-prohibited
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+             iptables -D <chain> -m recent --update --seconds {{ fail2ban_bantime_distribution_map[ansible_distribution_release] if ansible_distribution_release in fail2ban_bantime_distribution_map.keys() else "<bantime>" }} --name fail2ban-<name> --jump REJECT --reject-with icmp-admin-prohibited
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  position
+# Notes.:  the iptables chain line number where the rule will be inserted
+#
+position = 1
+
+# Option:  bantime
+# Notes.:  length of time in seconds to keep the IP address on the banlist
+#
+bantime  = 3600
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo.local.j2
new file mode 100644
index 00000000..62623f5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/action.d/iptables-xt_recent-echo.local.j2
@@ -0,0 +1,20 @@
+# This file is managed remotely, all changes will be lost
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# $Revision: 2 $
+#
+
+# Custom configuration for iptables - xt_recent support
+
+[Definition]
+
+# Changes in the start line:
+# - <bantime> is configurable instead of static 3600 seconds
+# - <chain> is configurable instead of static INPUT
+actionstart = iptables -I <chain> -m recent --update --seconds {{ fail2ban_bantime_distribution_map[ansible_distribution_release] if ansible_distribution_release in fail2ban_bantime_distribution_map.keys() else "<bantime>" }} --name fail2ban-<name> -j DROP
+
+actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+             iptables -D <chain> -m recent --update --seconds {{ fail2ban_bantime_distribution_map[ansible_distribution_release] if ansible_distribution_release in fail2ban_bantime_distribution_map.keys() else "<bantime>" }} --name fail2ban-<name> -j DROP
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/fail2ban.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/fail2ban.local.j2
new file mode 100644
index 00000000..cfceb520
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/fail2ban.local.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Definition]
+
+loglevel     = {{ fail2ban_loglevel }}
+logtarget    = {{ fail2ban_logtarget }}
+
+dbpurgeage   = {{ fail2ban_dbpurgeage }}
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/filter.d/filter.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/filter.d/filter.local.j2
new file mode 100644
index 00000000..32aceb62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/filter.d/filter.local.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.after | d('') or item.before | d('') %}
+[INCLUDES]
+
+{% if item.before | d('') %}
+before = {{ item.before }}
+
+{% endif %}
+{% if item.after | d('') %}
+after = {{ item.after }}
+
+{% endif %}
+{% endif %}
+[Definition]
+
+{% if item.definitions | d({}) %}
+{% for key, value in item.definitions.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+{% endif %}
+failregex = {{ item.failregex | indent(12) }}
+
+ignoreregex = {{ item.ignoreregex | d('') | indent(14) }}
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/default.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/default.local.j2
new file mode 100644
index 00000000..056066a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/default.local.j2
@@ -0,0 +1,47 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+
+# Default variables
+# =================
+
+[DEFAULT]
+
+ignoreip       = {{ (fail2ban_ignoreip_default | d([]) + fail2ban_ignoreip | d([]) + fail2ban_group_ignoreip | d([]) + fail2ban_host_ignoreip | d([])) | join(" ") }}
+
+findtime       = {{ fail2ban_findtime }}
+maxretry       = {{ fail2ban_maxretry }}
+bantime	       = {{ fail2ban_bantime }}
+
+backend        = {{ fail2ban_backend }}
+
+usedns         = {{ fail2ban_usedns }}
+
+mta            = {{ fail2ban_mta }}
+destemail      = {{ fail2ban_destemail }}
+
+banaction      = {{ fail2ban_banaction }}
+protocol       = {{ fail2ban_protocol }}
+chain          = {{ fail2ban_chain }}
+position       = {{ fail2ban_position }}
+
+{% if fail2ban_default_actions is defined and fail2ban_default_actions %}
+{% for name, commands in fail2ban_default_actions.items() %}
+{{ "%-14s" | format(name) }} = {{ commands | indent(17) }}
+
+{% endfor %}
+{% endif %}
+{% if fail2ban_custom_actions is defined and fail2ban_custom_actions %}
+{% for name, commands in fail2ban_custom_actions.items() %}
+{{ "%-14s" | format(name) }} = {{ commands | indent(17) }}
+
+{% endfor %}
+{% endif %}
+action         = {{ "%(" + fail2ban_action + ")s" }}
+
+
+# List of fail2ban jails
+# ======================
diff --git a/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/jail.local.j2 b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/jail.local.j2
new file mode 100644
index 00000000..4224ebc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fail2ban/templates/etc/fail2ban/jail.local.d/jail.local.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.comment is defined and item.comment %}
+# {{ item.comment }}
+{% endif %}
+[{{ item.name }}]
+{% for key, value in item.items() %}
+{%   if key not in [ 'name', 'filename', 'delete', 'comment', 'action', 'ignoreip' ] %}
+{%     if value is iterable and value is not string %}
+{{ "%-14s = %s" | format(key, value | join(",")) }}
+{%     else %}
+{{ "%-14s = %s" | format(key, value) }}
+{%     endif %}
+{%   elif key == 'action' %}
+action         = {{ "%(" + value + ")s" }}
+{%   elif key == 'ignoreip' %}
+ignoreip       = {{ value | join(" ") }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/COPYRIGHT b/ansible_collections/debops/debops/roles/fcgiwrap/COPYRIGHT
new file mode 100644
index 00000000..12637594
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.fcgiwrap - Manage multiple fcgiwrap instances with Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/defaults/main.yml b/ansible_collections/debops/debops/roles/fcgiwrap/defaults/main.yml
new file mode 100644
index 00000000..62116887
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/defaults/main.yml
@@ -0,0 +1,92 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <http://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _fcgiwrap__ref_defaults:
+
+# debops.fcgiwrap default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# fcgiwrap configuration [[[
+# --------------------------
+
+# .. envvar:: fcgiwrap__packages [[[
+#
+# List of APT packages to install.
+fcgiwrap__packages: [ 'fcgiwrap' ]
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__instances [[[
+#
+# List of ``fcgiwrap`` instances to configure. See :ref:`fcgiwrap__instances`
+# for more details.
+fcgiwrap__instances: []
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__disable_default [[[
+#
+# By default role disables the original system-wide instance and uses only
+# per-user instances.
+fcgiwrap__disable_default: True
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__threads [[[
+#
+# Number of cgiwrap threads to start if not specified in instance
+# configuration.
+fcgiwrap__threads: '{{ ansible_processor_cores }}'
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__options_map [[[
+#
+# Map of options passed to ``fcgiwrap`` depending on the installed version.
+fcgiwrap__options_map:
+  '1.1': '-f -c {{ fcgiwrap__threads }}'
+  '1.0': '-c {{ fcgiwrap__threads }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# User and group configuration [[[
+# --------------------------------
+
+# .. envvar:: fcgiwrap__user [[[
+#
+# Default user account which will be used to start ``fcgiwrap`` if none is
+# specified in instance configuration.
+fcgiwrap__user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__group [[[
+#
+# Default group which will be used to start ``fcgiwrap`` if none is specified
+# in instance configuration.
+fcgiwrap__group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__socket_user [[[
+#
+# Owner of the socket used to communicate with ``fcgiwrap`` process if none is
+# specified in instance configuration.
+fcgiwrap__socket_user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__socket_group [[[
+#
+# Default socket group if none is specified in instance configuration.
+fcgiwrap__socket_group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: fcgiwrap__socket_mode [[[
+#
+# Default permissions set on the ``fcgiwrap`` socket.
+fcgiwrap__socket_mode: '0660'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/meta/main.yml b/ansible_collections/debops/debops/roles/fcgiwrap/meta/main.yml
new file mode 100644
index 00000000..17a23d19
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure fcgiwrap, a lightweight FastCGI server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cgi
+    - webhosting
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_systemd.yml b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_systemd.yml
new file mode 100644
index 00000000..e8661e4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_systemd.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Generate systemd units
+  ansible.builtin.template:
+    src: 'etc/systemd/system/fcgiwrap-instance.{{ item.1 }}.j2'
+    dest: '/etc/systemd/system/fcgiwrap-{{ item.0.name }}.{{ item.1 }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: fcgiwrap__register_systemd
+  notify: [ 'Reload service manager' ]
+  with_nested:
+    - '{{ fcgiwrap__instances }}'
+    - [ 'socket', 'service' ]
+  when: fcgiwrap__instances
+
+- name: Reload systemd units
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Enable and start systemd units
+  ansible.builtin.service:  # noqa no-handler
+    name: 'fcgiwrap-{{ item.0.name }}.{{ item.1 }}'
+    state: 'started'
+    enabled: True
+  with_nested:
+    - '{{ fcgiwrap__instances }}'
+    - [ 'socket', 'service' ]
+  when: fcgiwrap__instances and fcgiwrap__register_systemd is changed
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_sysvinit.yml b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_sysvinit.yml
new file mode 100644
index 00000000..b234cd9f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/configure_sysvinit.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create init script configuration
+  ansible.builtin.template:
+    src: 'etc/default/fcgiwrap-instance.j2'
+    dest: '/etc/default/fcgiwrap-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ fcgiwrap__instances }}'
+  register: fcgiwrap__register_init_config
+
+- name: Copy fcgiwrap init script to new instance
+  ansible.builtin.command: 'cp /etc/init.d/fcgiwrap /etc/init.d/fcgiwrap-{{ item.name }}'
+  args:
+    creates: '/etc/init.d/fcgiwrap-{{ item.name }}'
+  register: fcgiwrap__register_init_script
+  with_items: '{{ fcgiwrap__instances }}'
+
+- name: Modify fcgiwrap instance init script (insserv)
+  ansible.builtin.lineinfile:
+    dest: '/etc/init.d/fcgiwrap-{{ item.name }}'
+    regexp: '^# Provides:\s+fcgiwrap.*$'
+    line: '# Provides:          fcgiwrap-{{ item.name }}'
+    state: 'present'
+    mode: '0755'
+  with_items: '{{ fcgiwrap__instances }}'
+
+- name: Modify fcgiwrap instance init script (name)
+  ansible.builtin.lineinfile:
+    dest: '/etc/init.d/fcgiwrap-{{ item.name }}'
+    regexp: '^NAME="fcgiwrap.*"$'
+    line: 'NAME="fcgiwrap-{{ item.name }}"'
+    state: 'present'
+    mode: '0755'
+  with_items: '{{ fcgiwrap__instances }}'
+
+- name: Enable fcgiwrap instance init script
+  ansible.builtin.service:
+    name: 'fcgiwrap-{{ item.name }}'
+    state: 'started'
+    enabled: True
+  with_items: '{{ fcgiwrap__instances }}'
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/tasks/main.yml b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/main.yml
new file mode 100644
index 00000000..f73ec645
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", fcgiwrap__packages) }}'
+    state: 'present'
+  register: fcgiwrap__register_install
+  until: fcgiwrap__register_install is succeeded
+
+- name: Check the fcgiwrap version
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: "dpkg-query -W -f='${Version}\n' 'fcgiwrap'"
+  register: fcgiwrap__register_version
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Make sure required system groups exist
+  ansible.builtin.group:
+    name:   '{{ item.group | d(item.user) }}'
+    system: '{{ item.system | d(True) }}'
+    state: 'present'
+  with_items: '{{ fcgiwrap__instances }}'
+  when: fcgiwrap__instances and item.user | d(False)
+
+- name: Make sure required system accounts exist
+  ansible.builtin.user:
+    name:       '{{ item.user }}'
+    group:      '{{ item.group | d(item.user) }}'
+    shell:      '{{ item.shell | d(omit) }}'
+    home:       '{{ item.home | d(omit) }}'
+    createhome: '{{ item.createhome | d(False) }}'
+    system:     '{{ item.system | d(True) }}'
+    state:      'present'
+  with_items: '{{ fcgiwrap__instances }}'
+  when: fcgiwrap__instances and item.user | d(False)
+
+- name: Disable default fcgiwrap init script
+  ansible.builtin.service:  # noqa no-handler
+    name: 'fcgiwrap'
+    state: 'stopped'
+    enabled: False
+  when: fcgiwrap__disable_default | bool and fcgiwrap__register_install is changed
+
+- name: Configure fcgiwrap instances in sysvinit
+  ansible.builtin.include_tasks: configure_sysvinit.yml
+  when: ansible_service_mgr != 'systemd'
+
+- name: Configure fcgiwrap instances in systemd
+  ansible.builtin.include_tasks: configure_systemd.yml
+  when: ansible_service_mgr == 'systemd'
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/default/fcgiwrap-instance.j2 b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/default/fcgiwrap-instance.j2
new file mode 100644
index 00000000..375afcbd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/default/fcgiwrap-instance.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Defaults for fcgiwrap (if not declared, hardcoded values from the
+# init script are used).
+
+{% set fcgiwrap__tpl_options = { 'value': '' } %}
+{% for key, value in fcgiwrap__options_map.items() %}
+{% if fcgiwrap__register_version.stdout | d() is version_compare(key, '>=') %}
+{% set _ = fcgiwrap__tpl_options.update({ 'value': value }) %}
+{% endif %}
+{% endfor %}
+# Number of instances to launch
+DAEMON_OPTS="{{ item.options | d(fcgiwrap__tpl_options['value']) }}"
+
+# Socket location
+FCGI_SOCKET="{{ item.socket | d('/run/fcgiwrap-' + item.name + '.socket') }}"
+
+# User and group for the daemon processes
+FCGI_USER="{{ item.user | d(fcgiwrap__user) }}"
+FCGI_GROUP="{{ item.group | d(fcgiwrap__group) }}"
+
+# Owner of the socket, if available (defaults to $FCGI_USER/$FCGI_GROUP)
+# Use this of you want to run scripts as a different user that the
+# webserver.
+FCGI_SOCKET_OWNER="{{ item.socket_user | d(fcgiwrap__socket_user) }}"
+FCGI_SOCKET_GROUP="{{ item.socket_group | d(fcgiwrap__socket_group ) }}"
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.service.j2 b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.service.j2
new file mode 100644
index 00000000..c10dc213
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.service.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Simple CGI Server for {{ item.0.name }}
+After=nss-user-lookup.target
+Requires=fcgiwrap-{{ item.0.name }}.socket
+
+{% set fcgiwrap__tpl_options = { 'value': '' } %}
+{% for key, value in fcgiwrap__options_map.items() %}
+{% if fcgiwrap__register_version.stdout | d() is version_compare(key, '>=') %}
+{% set _ = fcgiwrap__tpl_options.update({ 'value': value }) %}
+{% endif %}
+{% endfor %}
+[Service]
+User={{ item.0.user | d(fcgiwrap__user) }}
+Group={{ item.0.group | d(fcgiwrap__group) }}
+ExecStart=/usr/sbin/fcgiwrap {{ fcgiwrap__tpl_options['value'] }}
+
+[Install]
+WantedBy=multi-user.target
+Also=fcgiwrap-{{ item.0.name }}.socket
diff --git a/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.socket.j2 b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.socket.j2
new file mode 100644
index 00000000..6e2296fa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fcgiwrap/templates/etc/systemd/system/fcgiwrap-instance.socket.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=fcgiwrap-{{ item.0.name }} Socket
+
+[Socket]
+SocketUser={{   item.0.socket_user  | d(fcgiwrap__socket_user) }}
+SocketGroup={{  item.0.socket_group | d(fcgiwrap__socket_group) }}
+SocketMode={{   item.0.socket_mode  | d(fcgiwrap__socket_mode) }}
+ListenStream={{ item.0.socket       | d("/run/fcgiwrap-" + item.0.name + ".socket") }}
+
+[Install]
+WantedBy=sockets.target
diff --git a/ansible_collections/debops/debops/roles/ferm/COPYRIGHT b/ansible_collections/debops/debops/roles/ferm/COPYRIGHT
new file mode 100644
index 00000000..988f54c2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.ferm - Manage iptables firewall using ferm
+
+Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ferm/defaults/main.yml b/ansible_collections/debops/debops/roles/ferm/defaults/main.yml
new file mode 100644
index 00000000..dc7bc14b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/defaults/main.yml
@@ -0,0 +1,713 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ferm__ref_defaults:
+
+# debops.ferm default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# ferm configuration [[[
+# ----------------------
+
+# .. envvar:: ferm__enabled [[[
+#
+# Enable or disable :command:`iptables` management by checking if ``cap_net_admin``
+# POSIX capability is set on the host.
+ferm__enabled: '{{ True
+                   if (ansible_system_capabilities is undefined or
+                       (((ansible_system_capabilities_enforced | d()) | bool and
+                         "cap_net_admin" in ansible_system_capabilities) or
+                        not (ansible_system_capabilities_enforced | d(True)) | bool))
+                   else False }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__flush [[[
+#
+# Should ferm-rules be flushed when :program:`ferm` is disabled? The default is true,
+# but you may need set both :envvar:`ferm__enabled` and this to ``False`` if you are
+# running in some container and are not allowed to change :command:`iptables`.
+ferm__flush: '{{ ferm__enabled | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__iptables_backend_enabled [[[
+#
+# Enable or disable configuration of the :command:`iptables` backend symlink
+# using the "alternatives" system, supported on Debian 10 and later.
+ferm__iptables_backend_enabled: '{{ False
+                                    if ansible_distribution_release in
+                                    ["stretch", "trusty", "xenial",
+                                     "bionic", "focal"]
+                                    else True }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__iptables_backend_type [[[
+#
+# Select which iptables backend should be used on the host. Known backends:
+#
+# - ``legacy`` - old arptables, ebtables, iptables, ip6tables
+#
+# - ``nft`` - new, nftables-based firewall
+#
+# Ferm does not support nftables backend, therefore the legacy variant is
+# enabled by default.
+ferm__iptables_backend_type: 'legacy'
+
+                                                                   # ]]]
+# .. envvar:: ferm__base_packages [[[
+#
+# List of base APT packages to install.
+ferm__base_packages: [ 'ferm', 'patch', 'iptables', 'arptables', 'ebtables' ]
+
+                                                                   # ]]]
+# .. envvar:: ferm__packages [[[
+#
+# List of additional APT packages to install.
+ferm__packages: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__domains [[[
+#
+# List of iptables domains enabled in main :program:`ferm` firewall.
+# Currently supported domains:
+#
+# ``ip``
+#   Enables IPv4 support (:command:`iptables`).
+#
+# ``ip6``
+#   Enables IPv6 support (:command:`ip6tables`).
+#
+ferm__domains: '{{ lookup("flattened",
+                          ((["ip"] if (ansible_all_ipv4_addresses | d()) else [])
+                           + (["ip6"] if (ansible_all_ipv6_addresses | d()) else [])),
+                          wantlist=True) }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__ansible_controllers [[[
+#
+# Optional list of CIDR hosts which are not included in ssh port recent filter
+# and won't be blocked by the firewall in case of too many connections.
+# Entries are saved in the local facts on remote hosts.
+# Remember to specify IP address from the remote host point of view.
+# Format: "IP address/netmask", for example: '192.168.1.1/32'.
+#
+# .. note:: If you are using :ref:`debops.tcpwrappers` too (or the DebOps playbook),
+#    mind setting its own Ansible Controllers variable as well. An easier
+#    way would be to use the :ref:`debops.sshd` role to configure ssh service.
+#
+ferm__ansible_controllers: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__ansible_controllers_ports [[[
+#
+# List of ports which are opened for access from Ansible Controllers.
+ferm__ansible_controllers_ports: [ 'ssh' ]
+
+                                                                   # ]]]
+# .. envvar:: ferm__ansible_controllers_interfaces [[[
+#
+# List of interfaces for the default Ansible Controllers rule. An empty list
+# means all interfaces.
+ferm__ansible_controllers_interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__fast_mode [[[
+#
+# Use iptables-restore for fast firewall initialization?
+ferm__fast_mode: False
+
+                                                                   # ]]]
+# .. envvar:: ferm__use_cache [[[
+#
+# Use iptables-restore for fast firewall initialization?
+ferm__use_cache: False
+
+                                                                   # ]]]
+# .. envvar:: ferm__extra_options [[[
+#
+# Additional parameters for ferm (like --def '=bar')
+ferm__extra_options: ""
+
+                                                                   # ]]]
+# .. envvar:: ferm__default_policy_input [[[
+#
+# Default :command:`iptables` policy for ``INPUT`` chain.
+ferm__default_policy_input: 'DROP'
+
+                                                                   # ]]]
+# .. envvar:: ferm__default_policy_output [[[
+#
+# Default :command:`iptables` policy for ``OUTPUT`` chain.
+ferm__default_policy_output: 'ACCEPT'
+
+                                                                   # ]]]
+# .. envvar:: ferm__default_policy_forward [[[
+#
+# Default :command:`iptables` policy for ``FORWARD`` chain.
+ferm__default_policy_forward: 'DROP'
+                                                                   # ]]]
+                                                                   # ]]]
+# Rate limit filter configuration [[[
+# -----------------------------------
+
+# .. envvar:: ferm__filter_icmp [[[
+#
+# Manage filtering of ICMP packets using the ``hashlimit`` module.
+ferm__filter_icmp: True
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_icmp_limit [[[
+#
+# Rate limit when filtering ICMP packets.
+ferm__filter_icmp_limit: '10/second'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_icmp_burst [[[
+#
+# Burst limit when filtering ICMP packets.
+ferm__filter_icmp_burst: '10'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_icmp_expire [[[
+#
+# Expiration time when filtering ICMP packets in seconds.
+# Defaults to 1 hour.
+ferm__filter_icmp_expire: '{{ (60 * 60) }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_syn [[[
+#
+# Manage filtering of TCP SYN segments using the ``hashlimit`` module.
+ferm__filter_syn: True
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_syn_limit [[[
+#
+# Rate limit when filtering TCP SYN segments.
+ferm__filter_syn_limit: '40/second'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_syn_burst [[[
+#
+# Burst limit when filtering TCP SYN segments.
+ferm__filter_syn_burst: '40'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_syn_expire [[[
+#
+# Expiration time when filtering TCP SYN segments in seconds.
+# Defaults to 1 hour.
+ferm__filter_syn_expire: '{{ (60 * 60) }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_recent [[[
+#
+# Enable recent filter in respective rules. You might need to disable it on
+# certain hosts, like OpenVZ containers that don't have the ``recent`` module
+# available.
+ferm__filter_recent: True
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_recent_name [[[
+#
+# Name of recent list to block early.
+ferm__filter_recent_name: 'badguys'
+
+                                                                   # ]]]
+# .. envvar:: ferm__filter_recent_time [[[
+#
+# Length of time in seconds to block recent offenders; if they try connecting
+# before the time is up, timer is reset.
+ferm__filter_recent_time: '{{ (60 * 60 * 2) }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__mark_portscan [[[
+#
+# Mark packets on invalid ports as bad guys (block port scanning). For more
+# information check :ref:`ferm__ref_guide_gateway_hardening`.
+ferm__mark_portscan: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Logging configuration [[[
+# -------------------------
+
+# .. envvar:: ferm__log [[[
+#
+# Enable/disable custom ``&log()`` ferm function used in different firewall
+# rules.
+ferm__log: True
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_type [[[
+#
+# Select how firewall performs logging. By default, it uses normal syslog
+# calls, there are other ways to log packets listed below.
+ferm__log_type: 'LOG'
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_map [[[
+#
+# Dictionary map with actual firewall rules mapped to different log types.
+ferm__log_map:
+  'LOG':   'LOG log-ip-options log-prefix "$msg"'
+  'ULOG':  'ULOG ulog-nlgroup {{ ferm__log_group }} ulog-prefix "$msg"'
+  'NFLOG': 'NFLOG nflog-group {{ ferm__log_group }} nflog-prefix "$msg"'
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_target [[[
+#
+# Firewall log target used in the ``&log()`` ferm function.
+ferm__log_target: '{{ ferm__log_map[ferm__log_type] }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_limit [[[
+#
+# Limit the amount of packets logged by the firewall.
+ferm__log_limit: '2/min'
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_burst [[[
+#
+# Set the burst limit for the logged packets.
+ferm__log_burst: '5'
+
+                                                                   # ]]]
+# .. envvar:: ferm__log_group [[[
+#
+# ULOG/NFLOG group used by the firewall logs.
+ferm__log_group: '32'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall rules configuration [[[
+# --------------------------------
+
+# The variables below define what rules should be present in the firewall. Each
+# variable is a YAML dictionary with nested dictionaries. They are combined in
+# the :envvar:`ferm__combined_rules` variable. See :ref:`ferm__ref_rules` for
+# more details.
+
+# .. envvar:: ferm__include_legacy [[[
+#
+# Include legacy firewall rules. This variable should allow for easier
+# transition to the new firewall rules in the future.
+ferm__include_legacy: True
+
+                                                                   # ]]]
+# .. envvar:: ferm__mdns_state [[[
+#
+# Enable or disable the firewall rule to allow Multicast DNS packets. Multicast
+# DNS is used by :command:`systemd-resolved` service to resolve the ``.local``
+# domain, also used by Avahi/Bonjour services.
+ferm__mdns_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: ferm__mdns_allow [[[
+#
+# List of IP addresses or CIDR subneds which are allowed to send Multicast DNS
+# packets to the host. If the list is empty, any host will be accepted.
+ferm__mdns_allow: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__dependent_rules [[[
+#
+# YAML list which contains :command:`ferm` rules to manage defined by other
+# Ansible roles using dependent variables.
+ferm__dependent_rules: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__fix_dependent_rules [[[
+#
+# For now, some rules defined by other Ansible roles are incomplete. This
+# template makes sure that all required information is added if missing. This
+# variable will be removed at some point in the future, therefore you should
+# not rely on it.
+ferm__fix_dependent_rules: '{{ lookup("template",
+                               "lookup/ferm__fix_dependent_rules.j2",
+                               convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__rules [[[
+#
+# YAML list which contains :command:`ferm` rules which should be defined on all
+# hosts in the Ansible inventory.
+ferm__rules: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__group_rules [[[
+#
+# YAML list which contains :command:`ferm` rules which should be defined on
+# a group of hosts in the Ansible inventory.
+ferm__group_rules: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__host_rules [[[
+#
+# YAML list which contains :command:`ferm` rules which should be defined on
+# specific hosts in the Ansible inventory.
+ferm__host_rules: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__combined_rules [[[
+#
+# YAML list which defines the order in which firewall rules are defined and
+# affect each other. This list is then passed to the parser template to
+# generate final dictionary with rules for :command:`ferm`.
+ferm__combined_rules: '{{ ferm__default_rules
+                          + ferm__fix_dependent_rules
+                          + ferm__rules
+                          + ferm__group_rules
+                          + ferm__host_rules }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__parsed_rules [[[
+#
+# YAML dictionary which contains all of the defined :command:`ferm` rules
+# combined together. This variable is used in the Ansible tasks that manage the
+# rules on remote hosts.
+ferm__parsed_rules: '{{ lookup("template",
+                        "lookup/ferm__parsed_rules.j2",
+                        convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm_input_list [[[
+#
+# This is a legacy variable and shouldn't be used! List of iptables INPUT rules
+# to manage. See :ref:`ferm__ref_input_list` for more details.
+ferm_input_list: []
+
+                                                                   # ]]]
+# .. envvar:: ferm_input_group_list [[[
+#
+# This is a legacy variable and shouldn't be used! List of iptables INPUT rules
+# to manage for a host group. See :ref:`ferm__ref_input_list` for more details.
+ferm_input_group_list: []
+
+                                                                   # ]]]
+# .. envvar:: ferm_input_host_list [[[
+#
+# This is a legacy variable and shouldn't be used! List of iptables INPUT rules
+# to manage for an individual host. See :ref:`ferm__ref_input_list` for more
+# details.
+ferm_input_host_list: []
+
+                                                                   # ]]]
+# .. envvar:: ferm_input_dependent_list [[[
+#
+# This is a legacy variable and shouldn't be used! List of iptables INPUT rules
+# to manage in dependency to other rules. See :ref:`ferm__ref_input_list` for
+# more details.
+ferm_input_dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__default_weight_map [[[
+#
+# Dictionary with mapping between "rule classes" and their desired weight.
+ferm__default_weight_map:
+  'pre-hook':            '00'
+  'function':            '00'
+  'custom':              '00'
+  'loopback':            '01'
+  'default_policy':      '05'
+  'policy':              '05'
+  'ansible-controller':  '05'
+  'any-whitelist':       '10'
+  'filter-icmp':         '15'
+  'connection-tracking': '20'
+  'filter-syn':          '25'
+  'any-blacklist':       '30'
+  'sshd-chain':          '40'
+  'any-forward':         '60'
+  'default':             '100'
+  'accept':              '100'
+  'any-service':         '100'
+  'reject':              '900'
+  'any-reject':          '900'
+  'post-hook':           '950'
+
+                                                                   # ]]]
+# .. envvar:: ferm__weight_map [[[
+#
+# Dictionary with additional mapping between "rule classes" and their desired
+# weight. This variable can be used to override weight for specific weight
+# classes.
+ferm__weight_map: {}
+
+                                                                   # ]]]
+# .. envvar:: ferm__combined_weight_map [[[
+#
+# YAML dictionary with the combined default and custom weight maps, used by the
+# Ansible tasks.
+ferm__combined_weight_map: '{{ ferm__default_weight_map
+                               | combine(ferm__weight_map) }}'
+
+                                                                   # ]]]
+# .. envvar:: ferm__default_rules [[[
+#
+# YAML dictionary with default firewall rules defined on each host.
+ferm__default_rules:
+
+  - name: 'policy_filter_input'
+    type: 'default_policy'
+    chain: 'INPUT'
+    policy: '{{ ferm__default_policy_input }}'
+
+  - name: 'policy_filter_forward'
+    type: 'default_policy'
+    chain: 'FORWARD'
+    policy: '{{ ferm__default_policy_forward }}'
+
+  - name: 'policy_filter_output'
+    type: 'default_policy'
+    chain: 'OUTPUT'
+    policy: '{{ ferm__default_policy_output }}'
+
+  - name: 'firewall_hooks'
+    type: 'custom'
+    comment: 'Run custom hooks at various firewall stages'
+    rules: |
+      @hook pre   "run-parts /etc/ferm/hooks/pre.d";
+      @hook post  "run-parts /etc/ferm/hooks/post.d";
+      @hook flush "run-parts /etc/ferm/hooks/flush.d";
+
+  - name: 'firewall_variables'
+    type: 'custom'
+    comment: 'Define custom variables available in the firewall'
+    rules: |
+      @def $domains      = ({{ ferm__domains | unique | join(" ") }});
+      @def $ipv4_enabled = {{ "1" if "ip" in ferm__domains else "0" }};
+      @def $ipv6_enabled = {{ "1" if "ip6" in ferm__domains else "0" }};
+
+  - name: 'firewall_log'
+    type: 'custom'
+    comment: 'Custom log function used by other rules'
+    rules: |
+      @def &log($msg) = {
+          mod limit limit {{ ferm__log_limit }}
+                    limit-burst {{ ferm__log_burst }}
+              {{ ferm__log_target }};
+      }
+    rule_state: '{{ "present" if (ferm__log | bool) else "absent" }}'
+
+  - name: 'accept_loopback'
+    type: 'accept'
+    weight_class: 'loopback'
+    interface: 'lo'
+
+  - name: 'accept_ansible_controller'
+    type: 'ansible_controller'
+    weight_class: 'ansible-controller'
+    comment: 'Accept SSH connections from Ansible Controllers'
+    dport: '{{ ferm__ansible_controllers_ports }}'
+    interface: '{{ ferm__ansible_controllers_interfaces }}'
+    multiport: True
+    accept_any: False
+
+  - name: 'filter_icmp_flood'
+    type: 'hashlimit'
+    weight_class: 'filter-icmp'
+    protocol: 'icmp'
+    rule_state: '{{ "present" if (ferm__filter_icmp | bool) else "absent" }}'
+    hashlimit: '{{ ferm__filter_icmp_limit }}'
+    hashlimit_burst: '{{ ferm__filter_icmp_burst }}'
+    hashlimit_expire: '{{ ferm__filter_icmp_expire }}'
+    hashlimit_target: 'ACCEPT'
+    target: 'DROP'
+
+  - name: 'connection_tracking'
+    type: 'connection_tracking'
+    weight_class: 'connection-tracking'
+    chain: [ 'INPUT', 'OUTPUT', 'FORWARD' ]
+
+  - name: 'filter_syn_flood'
+    type: 'hashlimit'
+    weight_class: 'filter-syn'
+    protocol: 'tcp'
+    protocol_syn: True
+    rule_state: '{{ "present" if (ferm__filter_syn | bool) else "absent" }}'
+    hashlimit: '{{ ferm__filter_syn_limit }}'
+    hashlimit_burst: '{{ ferm__filter_syn_burst }}'
+    hashlimit_expire: '{{ ferm__filter_syn_expire }}'
+    hashlimit_target: 'RETURN'
+    target: 'DROP'
+
+  - name: 'block_recent_badguys'
+    type: 'recent'
+    weight_class: 'any-blacklist'
+    comment: 'Reject packets marked as "badguys"'
+    rule_state: '{{ "present" if (ferm__filter_recent | bool) else "absent" }}'
+    recent_name: '{{ ferm__filter_recent_name }}'
+    recent_update: True
+    recent_seconds: '{{ ferm__filter_recent_time }}'
+    recent_target: 'REJECT'
+
+  - name: 'clean_recent_badguys'
+    type: 'recent'
+    weight_class: 'any-blacklist'
+    comment: 'Reject packets marked as "badguys"'
+    rule_state: '{{ "present" if (ferm__filter_recent | bool) else "absent" }}'
+    recent_name: '{{ ferm__filter_recent_name }}'
+    recent_remove: True
+    recent_log: False
+
+  - name: 'accept_dhcpv6_client_solicit'
+    type: 'accept'
+    weight_class: 'any-service'
+    comment: 'Initial DHCPv6 Solicit message is sent to multicast'
+    domain: [ 'ip6' ]
+    saddr: [ 'fe80::/10' ]
+    daddr: [ 'ff02::1:2/128' ]
+    protocol: [ 'udp' ]
+    sport: [ 'dhcpv6-client' ]
+    dport: [ 'dhcpv6-server' ]
+    rule_state: '{{ "present" if ("ip6" in ferm__domains) else "absent" }}'
+
+  - name: 'accept_dhcpv6_client'
+    type: 'accept'
+    weight_class: 'any-service'
+    comment: 'DHCPv6 responses seem to be neither RELATED nor ESTABLISHED.'
+    domain: [ 'ip6' ]
+    saddr: [ 'fe80::/10' ]
+    daddr: [ 'fe80::/10' ]
+    protocol: [ 'udp' ]
+    sport: [ 'dhcpv6-server' ]
+    dport: [ 'dhcpv6-client' ]
+    rule_state: '{{ "present" if ("ip6" in ferm__domains) else "absent" }}'
+
+    # Multicast DNS is used by systemd-resolved for '.local' name resolution.
+  - name: 'accept_mdns'
+    type: 'accept'
+    dport: 'mdns'
+    comment: 'Accept Multicast DNS packets from other hosts'
+    saddr: '{{ ferm__mdns_allow }}'
+    daddr: [ '224.0.0.251', 'ff02::fb' ]
+    accept_any: True
+    protocol: 'udp'
+    rule_state: '{{ ferm__mdns_state }}'
+
+    # Avahi is usually installed by default on workstations and laptops where
+    # it is useful. To manage Avahi on servers, you should enable the
+    # 'debops.avahi' Ansible role which will set up the same firewall rule.
+  - name: 'avahi'
+    type: 'accept'
+    dport: 'mdns'
+    saddr: '{{ avahi__allow | d([]) }}'
+    protocol: 'udp'
+    accept_any: True
+    rule_state: '{{ "present"
+                    if ((ansible_local.nsswitch.conf | d() and
+                         ("mdns4_minimal" in q("flattened",
+                                               ansible_local.nsswitch.conf.hosts | d([])) or
+                          "mdns_minimal" in q("flattened",
+                                              ansible_local.nsswitch.conf.hosts | d([])))) and
+                        (ansible_local | d(True) and ansible_local.avahi | d(True) and
+                         ((ansible_local["avahi"] | d({})).enabled | d(True)) | bool))
+                    else "absent" }}'
+
+  - name: 'jump_to_legacy_input_rules'
+    type: 'accept'
+    weight: '-10'
+    weight_class: 'reject'
+    comment: 'Jump to legacy firewall rules'
+    target: 'debops-legacy-input-rules'
+    rule_state: '{{ "present" if (ferm__include_legacy | bool) else "absent" }}'
+
+  - name: 'include_legacy_input_rules'
+    type: 'include'
+    weight_class: 'post-hook'
+    chain: 'debops-legacy-input-rules'
+    comment: 'Include legacy firewall rules'
+    include: '/etc/ferm/filter-input.d/'
+    rule_state: '{{ "present" if (ferm__include_legacy | bool) else "absent" }}'
+
+  - name: 'block_portscans'
+    type: 'recent'
+    weight: '85'
+    comment: 'Mark potential port scanners as bad guys'
+    recent_set_name: '{{ ferm__filter_recent_name }}'
+    rule_state: '{{ "present" if (ferm__mark_portscan | bool) else "absent" }}'
+
+  - name: 'reject_all'
+    type: 'reject'
+
+  - name: 'fail2ban-hook'
+    type: 'fail2ban'
+    comment: 'Reload fail2ban rules'
+    rule_state: '{{ "present" if (ferm__fail2ban | bool) else "absent" }}'
+    rules: |
+      @hook post "type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && systemctl restart fail2ban > /dev/null || true) || true";
+      @hook flush "type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && systemctl restart fail2ban > /dev/null || true) || true";
+    weight_class: 'post-hook'
+
+    # Remove obsolete forwarding rules
+  - name: 'forward_external_in'
+    rule_state: 'absent'
+    weight: '1'
+    weight_class: 'any-forward'
+    type: 'accept'
+    chain: 'FORWARD'
+
+    # Remove obsolete forwarding rules
+  - name: 'forward_external_out'
+    rule_state: 'absent'
+    weight: '2'
+    weight_class: 'any-forward'
+    type: 'accept'
+    chain: 'FORWARD'
+
+    # Remove obsolete forwarding rules
+  - name: 'forward_internal'
+    rule_state: 'absent'
+    weight: '3'
+    weight_class: 'any-forward'
+    type: 'accept'
+    chain: 'FORWARD'
+
+  - name: 'fix_bootpc_checksum'
+    type: 'custom'
+    rules: |
+      # Add checksums to BOOTP packets from virtual machines and containers.
+      # https://www.redhat.com/archives/libvir-list/2010-August/msg00035.html
+      @hook post "iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill";
+    rule_state: 'ignore'
+
+                                                                   # ]]]
+# .. envvar:: ferm__custom_files [[[
+#
+# Copy or install custom files needed by the firewall, usually scripts. The
+# syntax is the same as used by the ``copy`` Ansible module.
+ferm__custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__group_custom_files [[[
+#
+# Copy or install custom files needed by the firewall host group configuration.
+ferm__group_custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__host_custom_files [[[
+#
+# Copy or install custom files needed by the firewall individual host
+# configuration.
+ferm__host_custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: ferm__fail2ban [[[
+#
+# Enable or disable :program:`fail2ban` integration. :program:`ferm` will send :program:`fail2ban` a reload
+# command after its own configuration is reloaded. If :program:`fail2ban` is not present
+# or turned off, nothing will happen.
+ferm__fail2ban: True
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ferm/meta/main.yml b/ansible_collections/debops/debops/roles/ferm/meta/main.yml
new file mode 100644
index 00000000..ed63d56b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider, Reto Gantenbein'
+  description: 'Manage iptables firewall using ferm'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - networking
+    - security
+    - firewall
diff --git a/ansible_collections/debops/debops/roles/ferm/tasks/main.yml b/ansible_collections/debops/debops/roles/ferm/tasks/main.yml
new file mode 100644
index 00000000..81f707a6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/tasks/main.yml
@@ -0,0 +1,228 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure ferm status in debconf
+  ansible.builtin.debconf:
+    name: 'ferm'
+    question: 'ferm/enable'
+    vtype: 'boolean'
+    value: '{{ "yes" if ferm__enabled | bool else "no" }}'
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Ensure ferm is installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", (ferm__base_packages
+                              + ferm__packages)) }}'
+    state: 'present'
+  register: ferm__register_packages
+  until: ferm__register_packages is succeeded
+  when: ferm__enabled | bool
+
+- name: Manage iptables backend using alternatives
+  community.general.alternatives:
+    name: '{{ item.name }}'
+    path: '{{ item.path }}'
+  loop:
+    - { 'name': 'arptables', 'path': '/usr/sbin/arptables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'ebtables', 'path': '/usr/sbin/ebtables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'iptables', 'path': '/usr/sbin/iptables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'ip6tables', 'path': '/usr/sbin/ip6tables-{{ ferm__iptables_backend_type }}' }
+  when: ferm__enabled | bool and ferm__iptables_backend_enabled | bool
+
+- name: Make sure required directories exist
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'adm'
+    mode: '02750'
+  loop:
+    - '/etc/ferm/rules.d'
+    - '/etc/ferm/filter-input.d'
+    - '/etc/ferm/hooks/pre.d'
+    - '/etc/ferm/hooks/post.d'
+    - '/etc/ferm/hooks/flush.d'
+
+- name: Copy custom files to remote hosts
+  ansible.builtin.copy:
+    src: '{{ item.src | d(omit) }}'
+    content: '{{ item.content | d(omit) }}'
+    dest:  '{{ item.dest }}'
+    owner: '{{ item.owner | d(omit) }}'
+    group: '{{ item.group | d(omit) }}'
+    mode:  '{{ item.mode | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+    follow: '{{ item.follow | d(omit) }}'
+    force:  '{{ item.force | d(omit) }}'
+  loop: '{{ (ferm__custom_files + ferm__group_custom_files
+             + ferm__host_custom_files) | flatten }}'
+  loop_control:
+    label: '{{ item.dest }}'
+  when: ((item.src is defined or item.content is defined) and
+         item.dest is defined)
+  register: ferm__register_files
+  tags: [ 'role::ferm:custom_files' ]
+
+- name: Configure ferm default variables
+  ansible.builtin.template:
+    src: 'etc/default/ferm.j2'
+    dest: '/etc/default/ferm'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart ferm' ]
+
+- name: Add/remove diversion of /etc/ferm/ferm.conf
+  debops.debops.dpkg_divert:
+    path: '/etc/ferm/ferm.conf'
+    state: '{{ "present" if ferm__enabled | bool else "absent" }}'
+    delete: True
+
+- name: Configure main ferm config file
+  ansible.builtin.template:
+    src: 'etc/ferm/ferm.conf.j2'
+    dest: '/etc/ferm/ferm.conf'
+    owner: 'root'
+    group: 'adm'
+    mode: '0644'
+  notify: [ 'Restart ferm' ]
+  when: ferm__enabled | bool
+
+- name: Remove firewall rules
+  ansible.builtin.file:
+    dest: '/etc/ferm/rules.d/{{ "%03d" | format((ferm__combined_weight_map[item.value.weight_class
+                                                 | d(item.value.type | d("default"))] | d("80")) | int
+                                + (item.value.weight | d("0")) | int) }}_rule_{{ item.value.name | d(item.key) }}.conf'
+    state: 'absent'
+  loop: '{{ ferm__parsed_rules | dict2items }}'
+  loop_control:
+    label: '{{ item.key }}'
+  register: ferm__register_rules_removed
+  when: (item.value.rule_state | d(item.value.state | d('present')) == 'absent')
+  tags: [ 'role::ferm:rules' ]
+
+- name: Generate firewall rules
+  ansible.builtin.template:
+    src: 'etc/ferm/rules.d/{{ item.value.template | d("rule") }}.conf.j2'
+    dest: '/etc/ferm/rules.d/{{ "%03d" | format((ferm__combined_weight_map[item.value.weight_class
+                                                 | d(item.value.type | d("default"))] | d("80")) | int
+                                + (item.value.weight | d("0")) | int) }}_rule_{{ item.value.name | d(item.key) }}.conf'
+    owner: 'root'
+    group: 'adm'
+    mode: '0644'
+  loop: '{{ ferm__parsed_rules | d({}) | dict2items }}'
+  loop_control:
+    label: '{{ item.key }}'
+  register: ferm__register_rules_created
+  when: (item.value.rule_state | d(item.value.state | d('present')) not in ['absent', 'ignore'])
+  tags: [ 'role::ferm:rules' ]
+
+- name: Remove unknown firewall rules
+  ansible.builtin.shell: find /etc/ferm/rules.d -maxdepth 1 -type f
+         -name '*_rule_{{ item.item.value.name | d(item.item.key) }}.conf'
+         ! -name '{{ "%03d" | format((ferm__combined_weight_map[item.item.value.weight_class
+                                      | d(item.item.value.type | d("default"))] | d("80")) | int
+                     + (item.item.value.weight | d("0")) | int) }}_rule_{{ item.item.value.name
+                                                                         | d(item.item.key) }}.conf'
+         -exec rm -vf {} +
+  loop: '{{ ferm__register_rules_removed.results
+            + ferm__register_rules_created.results }}'
+  loop_control:
+    label: '{{ item.item.key }}'
+  register: ferm__register_unknown_rules
+  changed_when: ferm__register_unknown_rules.changed | bool
+  when: (item.item.key | d() and item is changed)
+  tags: [ 'role::ferm:rules' ]
+
+- name: Remove iptables INPUT rules if requested
+  ansible.builtin.file:
+    path: '/etc/ferm/filter-input.d/{{ ferm__weight_map[item.weight_class | d()]
+           | d(item.weight | d("50")) }}_{{ item.filename
+           | d(item.type + "_" + item.name | d((item.dport[0] if item.dport | d() else "rules"))) }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", ferm_input_list
+                           + ferm_input_group_list
+                           + ferm_input_host_list
+                           + ferm_input_dependent_list) }}'
+  when: (ferm__enabled | bool and item.type | d() and (item.delete | d() | bool))
+  register: ferm__register_input_rules_del
+  tags: [ 'role::ferm:rules' ]
+
+- name: Configure iptables INPUT rules
+  ansible.builtin.template:
+    src: 'etc/ferm/filter-input.d/{{ item.type }}.conf.j2'
+    dest: '/etc/ferm/filter-input.d/{{ ferm__weight_map[item.weight_class | d()]
+           | d(item.weight | d("50")) }}_{{ item.filename
+           | d(item.type + "_" + item.name | d((item.dport[0] if item.dport | d() else "rules"))) }}.conf'
+    owner: 'root'
+    group: 'adm'
+    mode: '0644'
+  loop: '{{ q("flattened", ferm_input_list
+                           + ferm_input_group_list
+                           + ferm_input_host_list
+                           + ferm_input_dependent_list) }}'
+  when: (ferm__enabled | bool and item.type | d() and not (item.delete | d() | bool))
+  register: ferm__register_input_rules_add
+  tags: [ 'role::ferm:rules' ]
+
+- name: Restart ferm
+  ansible.builtin.service:  # noqa no-handler
+    name: 'ferm'
+    state: 'restarted'
+  when: (ferm__enabled | bool and (ferm__register_files is changed or
+         ferm__register_rules_created is changed or ferm__register_rules_removed is changed or
+         ferm__register_input_rules_del is changed or ferm__register_input_rules_add is changed) and
+         not ansible_check_mode)
+
+- name: Clear iptables rules if ferm is disabled
+  ansible.builtin.service:
+    name: 'ferm'
+    state: 'stopped'
+  when: (not ferm__enabled | bool and ferm__flush | bool)
+  tags: [ 'role::ferm:rules' ]
+
+- name: Remove deprecated ifupdown hook
+  ansible.builtin.file:
+    path: '/etc/network/if-pre-up.d/ferm-forward'
+    state: 'absent'
+
+- name: Disable ferm after changes when requested
+  ansible.builtin.lineinfile:
+    dest: '/etc/default/ferm'
+    regexp: '^ENABLED="'
+    line: 'ENABLED="no"'
+    mode: '0644'
+  when: not ferm__enabled | bool and not ansible_check_mode
+
+- name: Ensure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save ferm local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ferm.fact.j2'
+    dest: '/etc/ansible/facts.d/ferm.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'meta::facts', 'role::ferm:rules' ]
+  notify: [ 'Refresh host facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ansible/facts.d/ferm.fact.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ansible/facts.d/ferm.fact.j2
new file mode 100644
index 00000000..6138d19c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ansible/facts.d/ferm.fact.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_ansible_controllers = []                                             %}
+{% if ansible_local.ferm.ansible_controllers | d() %}
+{%   for element in ansible_local.ferm.ansible_controllers                            %}
+{%     set _ = ferm__tpl_ansible_controllers.append(element)                          %}
+{%   endfor                                                                           %}
+{% endif                                                                              %}
+{% if ferm__ansible_controllers | d()                                                   %}
+{%   for element in ferm__ansible_controllers                                         %}
+{%     if element not in ferm__tpl_ansible_controllers                                %}
+{%       set _ = ferm__tpl_ansible_controllers.append(element)                        %}
+{%     endif                                                                          %}
+{%   endfor                                                                           %}
+{% endif                                                                              %}
+{% if ansible_controller | d()                                                          %}
+{%   if ansible_controller not in ferm__tpl_ansible_controllers                       %}
+{%     set _ = ferm__tpl_ansible_controllers.append(ansible_controller)               %}
+{%   endif                                                                            %}
+{% endif                                                                              %}
+{% set ferm__tpl_ansible_controllers_result = ferm__tpl_ansible_controllers | unique | sort %}
+{
+"enabled": "{{ ferm__enabled     | bool | lower }}",
+"ansible_controllers": {{ ferm__tpl_ansible_controllers_result | to_nice_json }}
+}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/default/ferm.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/default/ferm.j2
new file mode 100644
index 00000000..07109641
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/default/ferm.j2
@@ -0,0 +1,38 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# configuration for /etc/init.d/ferm
+
+# use iptables-restore for fast firewall initialization?
+{% if ferm__fast_mode | bool %}
+FAST=yes
+{% else %}
+FAST=no
+{% endif %}
+
+# cache the output of ferm --lines in /var/cache/ferm?
+{% if ferm__use_cache | bool %}
+CACHE=yes
+{% else %}
+CACHE=no
+{% endif %}
+
+# additional parameters for ferm (like --def '=bar')
+OPTIONS={{ ferm__extra_options }}
+
+# Enable the ferm init script? (i.e. run on boot-up)
+{% if ferm__enabled | bool %}
+ENABLED="yes"
+{% else %}
+{% if ((ansible_local.ferm.enabled | d() | bool) and
+       not ferm__enabled | bool) %}
+ENABLED="yes"
+{% else %}
+ENABLED="no"
+{% endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.conf.j2
new file mode 100644
index 00000000..9a16600b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.conf.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Load configuration from parts
+@include 'rules.d/';
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/accept.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/accept.conf.j2
new file mode 100644
index 00000000..f0ae7d00
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/accept.conf.j2
@@ -0,0 +1,375 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_target = 'ACCEPT' %}
+{% set ferm__tpl_reject_with = 'icmp-admin-prohibited' %}
+{% set ferm__tpl_interface = [] %}
+{% set ferm__tpl_interface_present = [] %}
+{% set ferm__tpl_outerface = [] %}
+{% set ferm__tpl_outerface_present = [] %}
+{% set ferm__tpl_protocol = [] %}
+{% set ferm__tpl_protocol_syn = [] %}
+{% set ferm__tpl_saddr = [] %}
+{% set ferm__tpl_daddr = [] %}
+{% set ferm__tpl_sport = [] %}
+{% set ferm__tpl_dport = [] %}
+{% set ferm__tpl_state = [] %}
+{% set ferm__tpl_subchain = (item.type + "-" + item.name | d((item.dport[0] if item.dport | d() else "rules"))) %}
+{% if item.interface | d() %}
+{%   if item.interface is string %}
+{%     set ferm__tpl_interface = [ item.interface ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interface | unique %}
+{%   endif %}
+{% elif item.interfaces | d() %}
+{%   if item.interfaces is string %}
+{%     set ferm__tpl_interface = [ item.interfaces ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.interface_present | d() %}
+{%   if item.interface_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.interface_present] | d() %}
+{%       set ferm__tpl_interface_present = [ item.interface_present ] %}
+{%     endif %}
+{%   else %}
+{%     for interface in item.interface_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface] | d() %}
+{%         set _ = ferm__tpl_interface_present.append(interface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% elif item.interfaces_present | d() %}
+{%   if item.interfaces_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.interfaces_present] | d() %}
+{%       set ferm__tpl_interface_present = [ item.interfaces_present ] %}
+{%     endif %}
+{%   else %}
+{%     for interface in item.interfaces_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface] | d() %}
+{%         set _ = ferm__tpl_interface_present.append(interface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.outerface | d() %}
+{%   if item.outerface is string %}
+{%     set ferm__tpl_outerface = [ item.outerface ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerface | unique %}
+{%   endif %}
+{% elif item.outerfaces | d() %}
+{%   if item.outerfaces is string %}
+{%     set ferm__tpl_outerface = [ item.outerfaces ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.outerface_present | d() %}
+{%   if item.outerface_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.outerface_present] | d() %}
+{%       set ferm__tpl_outerface_present = [ item.outerface_present ] %}
+{%     endif %}
+{%   else %}
+{%     for outerface in item.outerface_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + outerface] | d() %}
+{%         set _ = ferm__tpl_outerface_present.append(outerface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% elif item.outerfaces_present | d() %}
+{%   if item.outerfaces_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.outerfaces_present] | d() %}
+{%       set ferm__tpl_outerface_present = [ item.outerfaces_present ] %}
+{%     endif %}
+{%   else %}
+{%     for outerface in item.outerfaces_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + outerface] | d() %}
+{%         set _ = ferm__tpl_outerface_present.append(outerface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.protocol | d() %}
+{%   if item.protocol is string %}
+{%     set ferm__tpl_protocol = [ item.protocol ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocol | unique %}
+{%   endif %}
+{% elif item.protocols | d() %}
+{%   if item.protocols is string %}
+{%     set ferm__tpl_protocol = [ item.protocols ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocols | unique %}
+{%   endif %}
+{% endif %}
+{% if item.protocol_syn is defined %}
+{%   if item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ 'syn' ] %}
+{%   elif not item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ '! syn' ] %}
+{%   endif %}
+{% endif %}
+{% if item.saddr | d() %}
+{%   if item.saddr is string %}
+{%     set ferm__tpl_saddr = [ item.saddr ] %}
+{%   else %}
+{%     set ferm__tpl_saddr = item.saddr | unique %}
+{%   endif %}
+{% endif %}
+{% if item.daddr | d() %}
+{%   if item.daddr is string %}
+{%     set ferm__tpl_daddr = [ item.daddr ] %}
+{%   else %}
+{%     set ferm__tpl_daddr = item.daddr | unique %}
+{%   endif %}
+{% endif %}
+{% if item.sport | d() %}
+{%   if item.sport is string %}
+{%     set ferm__tpl_sport = [ item.sport ] %}
+{%   else %}
+{%     set ferm__tpl_sport = item.sport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.dport | d() %}
+{%   if item.dport is string %}
+{%     set ferm__tpl_dport = [ item.dport ] %}
+{%   else %}
+{%     set ferm__tpl_dport = item.dport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.state | d() %}
+{%   if item.state is string %}
+{%     set ferm__tpl_state = [ item.state ] %}
+{%   else %}
+{%     set ferm__tpl_state = item.state | unique %}
+{%   endif %}
+{% endif %}
+{% if item.target | d() %}
+{%   set ferm__tpl_target = item.target %}
+{% endif %}
+{% if item.reject_with | d() %}
+{%   set ferm__tpl_reject_with = item.reject_with %}
+{% endif %}
+{% if item.subchain is defined %}
+{%   if item.subchain | bool %}
+{%     set ferm__tpl_subchain = item.subchain %}
+{%   else %}
+{%     set ferm__tpl_subchain = '' %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_interface %}
+{%   if ferm__tpl_interface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("interface " +  ferm__tpl_interface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface | join(" ") + ")") %}
+{%   endif %}
+{% elif ferm__tpl_interface_present %}
+{%   if ferm__tpl_interface_present | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("interface " +  ferm__tpl_interface_present | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface_present | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_outerface %}
+{%   if ferm__tpl_outerface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("outerface " +  ferm__tpl_outerface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface | join(" ") + ")") %}
+{%   endif %}
+{% elif ferm__tpl_outerface_present %}
+{%   if ferm__tpl_outerface_present | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("outerface " +  ferm__tpl_outerface_present | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface_present | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_protocol %}
+{%   if ferm__tpl_protocol | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("protocol " +  ferm__tpl_protocol | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("protocol (" + ferm__tpl_protocol | join(" ") + ")") %}
+{%   endif %}
+{% elif not ferm__tpl_protocol and (ferm__tpl_sport or ferm__tpl_dport) %}
+{%   set _ = ferm__tpl_arguments.append("protocol tcp") %}
+{% endif %}
+{% if ferm__tpl_protocol_syn %}
+{%   set _ = ferm__tpl_arguments.append(ferm__tpl_protocol_syn | join(" ")) %}
+{% endif %}
+{% if ferm__tpl_dport %}
+{%   if item.multiport | d() and item.multiport | bool %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("mod multiport destination-ports (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   else %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("dport (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_daddr %}
+{%   set _= ferm__tpl_arguments.append("daddr (" + ferm__tpl_daddr | join(" ") +")") %}
+{% endif %}
+{% if ferm__tpl_state %}
+{%   if ferm__tpl_state | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("mod state state " +  ferm__tpl_state | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("mod state state (" + ferm__tpl_state | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_arguments and (ferm__tpl_saddr | length > 3) %}
+{%   if ferm__tpl_subchain %}
+{%     set _ = ferm__tpl_arguments.append('@subchain "' + ferm__tpl_subchain + '"') %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{%   if item.enabled is undefined or item.enabled | bool %}
+{%     if ferm__tpl_saddr | d() %}
+        @def $ITEMS = ( @ipfilter( ({{ ferm__tpl_saddr | unique | join(" ") }}) ) );
+        @if @ne($ITEMS,"") {
+{%       if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if item.include | d() %}
+            @include "{{ item.include }}";
+{%         elif item.realgoto is undefined or not item.realgoto | bool %}
+            saddr $ITEMS jump "{{ ferm__tpl_target }}";
+{%         elif item.realgoto | d() and item.realgoto | bool %}
+            saddr $ITEMS realgoto "{{ ferm__tpl_target }}";
+{%         endif %}
+{%       elif ferm__tpl_target in [ 'REJECT' ] %}
+            saddr $ITEMS REJECT reject-with {{ ferm__tpl_reject_with }};
+{%       else %}
+            saddr $ITEMS {{ ferm__tpl_target }};
+{%       endif %}
+        }
+{%     else %}
+{%       if item.accept_any is defined %}
+{%         if item.accept_any | bool %}
+{%           if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%             if item.include | d() %}
+        @include "{{ item.include }}";
+{%             elif item.realgoto is undefined or not item.realgoto | bool %}
+        jump "{{ ferm__tpl_target }}";
+{%             elif item.realgoto | d() and item.realgoto | bool %}
+        realgoto "{{ ferm__tpl_target }}";
+{%             endif %}
+{%           elif ferm__tpl_target in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%           else %}
+        {{ ferm__tpl_target }};
+{%           endif %}
+{%         elif not item.accept_any | bool %}
+        # Connections from any IP address not allowed
+{%         endif %}
+{%       else %}
+{%         if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%           if item.include | d() %}
+        @include "{{ item.include }}";
+{%           elif item.realgoto is undefined or not item.realgoto | bool %}
+        jump "{{ ferm__tpl_target }}";
+{%           elif item.realgoto | d() and item.realgoto | bool %}
+        realgoto "{{ ferm__tpl_target }}";
+{%           endif %}
+{%         elif ferm__tpl_target in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%         else %}
+{%           if ferm__tpl_arguments %}
+        {{ ferm__tpl_target }};
+{%           else %}
+        # No rule parameters specified
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/ansible_controller.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/ansible_controller.conf.j2
new file mode 100644
index 00000000..6cdf0915
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/ansible_controller.conf.j2
@@ -0,0 +1,351 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_ansible_controllers = [] %}
+{% set ferm__tpl_target = 'ACCEPT' %}
+{% set ferm__tpl_reject_with = 'icmp-admin-prohibited' %}
+{% set ferm__tpl_interface = [] %}
+{% set ferm__tpl_outerface = [] %}
+{% set ferm__tpl_protocol = [ 'tcp' ] %}
+{% set ferm__tpl_protocol_syn = [] %}
+{% set ferm__tpl_saddr = [] %}
+{% set ferm__tpl_daddr = [] %}
+{% set ferm__tpl_sport = [] %}
+{% set ferm__tpl_dport = [ 'ssh' ] %}
+{% set ferm__tpl_state = [] %}
+{% set ferm__tpl_subchain = (item.type + "-" + item.name | d((item.dport[0] if item.dport | d() else "rules"))) %}
+{% if ansible_local.core.ansible_controllers | d() %}
+{%   for element in ansible_local.core.ansible_controllers %}
+{%     set _ = ferm__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% if ansible_local.ferm.ansible_controllers | d() %}
+{%   for element in ansible_local.ferm.ansible_controllers %}
+{%     set _ = ferm__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% if ferm__ansible_controllers | d() %}
+{%   if ferm__ansible_controllers is string %}
+{%     set _ = ferm__tpl_ansible_controllers.append(ferm__ansible_controllers) %}
+{%   else %}
+{%     for element in ferm__ansible_controllers %}
+{%       set _ = ferm__tpl_ansible_controllers.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.ansible_controller | d() %}
+{%   if item.ansible_controller is string %}
+{%     set _ = ferm__tpl_ansible_controllers.append(item.ansible_controller) %}
+{%   else %}
+{%     for element in item.ansible_controller %}
+{%       set _ = ferm__tpl_ansible_controllers.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.ansible_controllers | d() %}
+{%   if item.ansible_controllers is string %}
+{%     set _ = ferm__tpl_ansible_controllers.append(item.ansible_controllers) %}
+{%   else %}
+{%     for element in item.ansible_controllers %}
+{%       set _ = ferm__tpl_ansible_controllers.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_ansible_controllers_result = ferm__tpl_ansible_controllers | unique | sort %}
+{% if item.interface | d() %}
+{%   if item.interface is string %}
+{%     set ferm__tpl_interface = [ item.interface ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interface | unique %}
+{%   endif %}
+{% elif item.interfaces | d() %}
+{%   if item.interfaces is string %}
+{%     set ferm__tpl_interface = [ item.interfaces ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.outerface | d() %}
+{%   if item.outerface is string %}
+{%     set ferm__tpl_outerface = [ item.outerface ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerface | unique %}
+{%   endif %}
+{% elif item.outerfaces | d() %}
+{%   if item.outerfaces is string %}
+{%     set ferm__tpl_outerface = [ item.outerfaces ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.protocol | d() %}
+{%   if item.protocol is string %}
+{%     set ferm__tpl_protocol = [ item.protocol ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocol | unique %}
+{%   endif %}
+{% elif item.protocols | d() %}
+{%   if item.protocols is string %}
+{%     set ferm__tpl_protocol = [ item.protocols ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocols | unique %}
+{%   endif %}
+{% endif %}
+{% if item.protocol_syn is defined %}
+{%   if item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ 'syn' ] %}
+{%   elif not item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ '! syn' ] %}
+{%   endif %}
+{% endif %}
+{% if item.saddr | d() %}
+{%   if item.saddr is string %}
+{%     set ferm__tpl_saddr = [ item.saddr ] %}
+{%   else %}
+{%     set ferm__tpl_saddr = item.saddr | unique %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_ansible_controllers_result %}
+{%   if ferm__tpl_ansible_controllers_result is string %}
+{%     set _ = ferm__tpl_saddr.append(ferm__tpl_ansible_controllers) %}
+{%   else %}
+{%     for element in ferm__tpl_ansible_controllers %}
+{%       set _ = ferm__tpl_saddr.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.daddr | d() %}
+{%   if item.daddr is string %}
+{%     set ferm__tpl_daddr = [ item.daddr ] %}
+{%   else %}
+{%     set ferm__tpl_daddr = item.daddr | unique %}
+{%   endif %}
+{% endif %}
+{% if item.sport | d() %}
+{%   if item.sport is string %}
+{%     set ferm__tpl_sport = [ item.sport ] %}
+{%   else %}
+{%     set ferm__tpl_sport = item.sport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.dport | d() %}
+{%   if item.dport is string %}
+{%     set ferm__tpl_dport = [ item.dport ] %}
+{%   else %}
+{%     set ferm__tpl_dport = item.dport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.state | d() %}
+{%   if item.state is string %}
+{%     set ferm__tpl_state = [ item.state ] %}
+{%   else %}
+{%     set ferm__tpl_state = item.state | unique %}
+{%   endif %}
+{% endif %}
+{% if item.target | d() %}
+{%   set ferm__tpl_target = item.target %}
+{% endif %}
+{% if item.reject_with | d() %}
+{%   set ferm__tpl_reject_with = item.reject_with %}
+{% endif %}
+{% if item.subchain | d() %}
+{%   set ferm__tpl_subchain = item.subchain %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_interface %}
+{%   if ferm__tpl_interface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("interface " +  ferm__tpl_interface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_outerface %}
+{%   if ferm__tpl_outerface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("outerface " +  ferm__tpl_outerface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_protocol %}
+{%   if ferm__tpl_protocol | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("protocol " +  ferm__tpl_protocol | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("protocol (" + ferm__tpl_protocol | join(" ") + ")") %}
+{%   endif %}
+{% elif not ferm__tpl_protocol and (ferm__tpl_sport or ferm__tpl_dport) %}
+{%   set _ = ferm__tpl_arguments.append("protocol tcp") %}
+{% endif %}
+{% if ferm__tpl_protocol_syn %}
+{%   set _ = ferm__tpl_arguments.append(ferm__tpl_protocol_syn | join(" ")) %}
+{% endif %}
+{% if ferm__tpl_dport %}
+{%   if item.multiport | d() and item.multiport | bool %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("mod multiport destination-ports (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   else %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("dport (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_state %}
+{%   if ferm__tpl_state | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("mod state state " +  ferm__tpl_state | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("mod state state (" + ferm__tpl_state | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_arguments and (ferm__tpl_saddr | length > 3) %}
+{%   if ferm__tpl_subchain %}
+{%     set _ = ferm__tpl_arguments.append('@subchain "' + ferm__tpl_subchain + '"') %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{%   if item.enabled is undefined or item.enabled | bool %}
+{%     if ferm__tpl_saddr | d() %}
+        @def $ITEMS = ( @ipfilter( ({{ ferm__tpl_saddr | unique | join(" ") }}) ) );
+        @if @ne($ITEMS,"") {
+{%       if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if item.include | d() %}
+            @include "{{ item.include }}";
+{%         elif item.realgoto is undefined or not item.realgoto | bool %}
+            saddr $ITEMS jump "{{ ferm__tpl_target }}";
+{%         elif item.realgoto | d() and item.realgoto | bool %}
+            saddr $ITEMS realgoto "{{ ferm__tpl_target }}";
+{%         endif %}
+{%       elif ferm__tpl_target in [ 'REJECT' ] %}
+            saddr $ITEMS REJECT reject-with {{ ferm__tpl_reject_with }};
+{%       else %}
+            saddr $ITEMS {{ ferm__tpl_target }};
+{%       endif %}
+        }
+{%     else %}
+{%       if item.accept_any is defined %}
+{%         if item.accept_any | bool %}
+{%           if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%             if item.include | d() %}
+        @include "{{ item.include }}";
+{%             elif item.realgoto is undefined or not item.realgoto | bool %}
+        jump "{{ ferm__tpl_target }}";
+{%             elif item.realgoto | d() and item.realgoto | bool %}
+        realgoto "{{ ferm__tpl_target }}";
+{%             endif %}
+{%           elif ferm__tpl_target in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%           else %}
+        {{ ferm__tpl_target }};
+{%           endif %}
+{%         elif not item.accept_any | bool %}
+        # Connections from any IP address not allowed
+{%         endif %}
+{%       else %}
+{%         if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%           if item.include | d() %}
+        @include "{{ item.include }}";
+{%           elif item.realgoto is undefined or not item.realgoto | bool %}
+        jump "{{ ferm__tpl_target }}";
+{%           elif item.realgoto | d() and item.realgoto | bool %}
+        realgoto "{{ ferm__tpl_target }}";
+{%           endif %}
+{%         elif ferm__tpl_target in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%         else %}
+{%           if ferm__tpl_arguments %}
+        {{ ferm__tpl_target }};
+{%           else %}
+        # No rule parameters specified
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/connection_tracking.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/connection_tracking.conf.j2
new file mode 100644
index 00000000..0c7882b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/connection_tracking.conf.j2
@@ -0,0 +1,150 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_tracking_invalid_target = 'DROP' %}
+{% set ferm__tpl_tracking_active_target = 'ACCEPT' %}
+{% set ferm__tpl_tracking_module = 'conntrack' %}
+{% set ferm__tpl_interface = [] %}
+{% set ferm__tpl_outerface = [] %}
+{% set ferm__tpl_interface_not = [] %}
+{% set ferm__tpl_outerface_not = [] %}
+{% if item.tracking_invalid_target | d() %}
+{%   set ferm__tpl_tracking_invalid_target = item.tracking_invalid_target %}
+{% endif %}
+{% if item.tracking_active_target | d() %}
+{%   set ferm__tpl_tracking_active_target = item.tracking_active_target %}
+{% endif %}
+{% if item.tracking_module | d() %}
+{%   set ferm__tpl_tracking_module = item.tracking_module %}
+{% endif %}
+{% if item.interface | d() %}
+{%   if item.interface is string %}
+{%     set ferm__tpl_interface = [ item.interface ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interface | unique %}
+{%   endif %}
+{% elif item.interface_not | d() %}
+{%   if item.interface_not is string %}
+{%     set ferm__tpl_interface_not = [ item.interface_not ] %}
+{%   else %}
+{%     set ferm__tpl_interface_not = item.interface_not | unique %}
+{%   endif %}
+{% endif %}
+{% if item.outerface | d() %}
+{%   if item.outerface is string %}
+{%     set ferm__tpl_outerface = [ item.outerface ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerface | unique %}
+{%   endif %}
+{% elif item.outerface_not | d() %}
+{%   if item.outerface_not is string %}
+{%     set ferm__tpl_outerface_not = [ item.outerface_not ] %}
+{%   else %}
+{%     set ferm__tpl_outerface_not = item.outerface_not | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_interface %}
+{%   set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface | join(" ") + ")") %}
+{% elif ferm__tpl_interface_not %}
+{%   set _ = ferm__tpl_arguments.append("interface ! " + ferm__tpl_interface_not[0] | string) %}
+{% endif %}
+{% if ferm__tpl_outerface %}
+{%   set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface | join(" ") + ")") %}
+{% elif ferm__tpl_outerface_not %}
+{%   set _ = ferm__tpl_arguments.append("outerface ! " + ferm__tpl_outerface_not[0] | string) %}
+{% endif %}
+{% if ferm__tpl_tracking_module == 'state' %}
+{%   set ferm__tpl_tracking_module_command = 'mod state state' %}
+{% else %}
+{%   set ferm__tpl_tracking_module_command = 'mod conntrack ctstate' %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+        {{ ferm__tpl_tracking_module_command }} INVALID {{ ferm__tpl_tracking_invalid_target }};
+        {{ ferm__tpl_tracking_module_command }} (ESTABLISHED RELATED) {{ ferm__tpl_tracking_active_target }};
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/custom.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/custom.conf.j2
new file mode 100644
index 00000000..0f5c6b80
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/custom.conf.j2
@@ -0,0 +1,94 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = [] %}
+{% set ferm__tpl_table = [] %}
+{% set ferm__tpl_chain = [] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") + " {" }}
+{% endif %}
+{%   if item.rules | d() %}
+{%     if ferm__tpl_domain_args %}
+{{ item.rules | indent(4,true) }}
+{%     else %}
+{{ item.rules }}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_domain_args %}}{% endif %}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/default_policy.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/default_policy.conf.j2
new file mode 100644
index 00000000..75337f5c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/default_policy.conf.j2
@@ -0,0 +1,93 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_policy = 'ACCEPT' %}
+{% if item.policy | d() %}
+{%   set ferm__tpl_policy = item.policy %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    policy {{ ferm__tpl_policy }};
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/dmz.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/dmz.conf.j2
new file mode 100644
index 00000000..07027d2e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/dmz.conf.j2
@@ -0,0 +1,153 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{#
+   dmz - forward connections on a given IP/port to another host
+
+List of parameters:
+
+Required:
+  item.public_ip           IP address on the public network which accepts connections
+  item.private_ip          IP address of the host on the internal network
+
+Optional:
+  item.protocol(s)         list of protocols to forward, by default (tcp)
+  item.port(s)             list of ports to forward, if not specified, all traffic is forwarded
+  item.dport               destination port to forward to
+  item.snat_ip             IP address of the firewall host on the internal network. If unset
+                           the source address is not translated.
+
+#}
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_public_ip = [] %}
+{% set ferm__tpl_protocols = [ 'tcp' ] %}
+{% set ferm__tpl_ports = [] %}
+{% if item.public_ip is defined and item.public_ip %}
+{% if item.public_ip is string %}
+{% set _ = ferm__tpl_public_ip.append(item.public_ip) %}
+{% else %}
+{% set ferm__tpl_public_ip = item.public_ip %}
+{% endif %}
+{% endif %}
+{% if item.protocol is defined and item.protocol %}
+{% if item.protocol is string %}
+{% set ferm__tpl_protocols = item.protocol.split(" ") %}
+{% else %}
+{% set ferm__tpl_protocols = item.protocol %}
+{% endif %}
+{% elif item.protocols is defined and item.protocols %}
+{% if item.protocols is string %}
+{% set ferm__tpl_protocols = item.protocols.split(" ") %}
+{% else %}
+{% set ferm__tpl_protocols = item.protocols %}
+{% endif %}
+{% endif %}
+{% if item.port is defined and item.port %}
+{% if item.port is string %}
+{% set ferm__tpl_ports = item.port.split(" ") %}
+{% else %}
+{% set ferm__tpl_ports = item.port %}
+{% endif %}
+{% elif item.ports is defined and item.ports %}
+{% if item.ports is string %}
+{% set ferm__tpl_ports = item.ports.split(" ") %}
+{% else %}
+{% set ferm__tpl_ports = item.ports %}
+{% endif %}
+{% endif %}
+{% if item.dport is defined and item.dport %}
+{% set ferm__tpl_dport = [item.dport] %}
+{% else %}
+{% set ferm__tpl_dport = ferm__tpl_ports %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if ferm__tpl_public_ip and item.private_ip %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}table filter chain FORWARD {
+	@def $PUBLIC_IP  = ( @ipfilter( ({{ ferm__tpl_public_ip  | unique | join(" ") }}) ) );
+	@def $PRIVATE_IP = ( @ipfilter( ({{ item.private_ip }}) ) );
+	@if @ne($PUBLIC_IP,"") @if @ne($PRIVATE_IP,"") {
+{% if ferm__tpl_dport %}
+                protocol ({{ ferm__tpl_protocols | join(" ") }}) {
+{% if ferm__tpl_dport | length > 1 %}
+                        mod multiport destination-ports ({{ ferm__tpl_dport | join(" ") }}) {
+{% else %}
+                        dport ({{ ferm__tpl_dport | join(" ") }}) {
+{% endif %}
+                                destination $PRIVATE_IP ACCEPT;
+                        }
+                }
+{% else %}
+		destination $PRIVATE_IP ACCEPT;
+{% endif %}
+	}
+}
+
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}table nat {
+	@def $PUBLIC_IP  = ( @ipfilter( ({{ ferm__tpl_public_ip  | unique | join(" ") }}) ) );
+	@def $PRIVATE_IP = ( @ipfilter( ({{ item.private_ip }}) ) );
+	@if @ne($PUBLIC_IP,"") @if @ne($PRIVATE_IP,"") {
+		chain PREROUTING {
+{% if ferm__tpl_ports %}
+                        protocol ({{ ferm__tpl_protocols | join(" ") }}) {
+{% if ferm__tpl_ports | length > 1 %}
+                                mod multiport destination-ports ({{ ferm__tpl_ports | join(" ") }}) {
+{% else %}
+                                dport ({{ ferm__tpl_ports | join(" ") }}) {
+{% endif %}
+{% if item.dport | d() %}
+                                        destination $PUBLIC_IP DNAT to {{ item.private_ip }}:{{ item.dport }};
+{% else %}
+                                        destination $PUBLIC_IP DNAT to $PRIVATE_IP;
+{% endif %}
+                                }
+                        }
+{% else %}
+			destination $PUBLIC_IP DNAT to $PRIVATE_IP;
+{% endif %}
+		}
+{% if item.snat_ip is defined and item.snat_ip %}
+		chain POSTROUTING {
+            destination $PRIVATE_IP SNAT to {{ item.snat_ip }};
+		}
+{% endif %}
+	}
+}
+
+{% else %}
+# Cannot configure DMZ, public or private IP addresses not specified
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/fail2ban.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/fail2ban.conf.j2
new file mode 100644
index 00000000..cc47ba23
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/fail2ban.conf.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+@hook post "type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true";
+@hook flush "type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true";
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/hashlimit.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/hashlimit.conf.j2
new file mode 100644
index 00000000..4d0ab96e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/hashlimit.conf.j2
@@ -0,0 +1,354 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_hashlimit_target = 'RETURN' %}
+{% set ferm__tpl_target = 'REJECT' %}
+{% set ferm__tpl_reject_with = 'icmp-admin-prohibited' %}
+{% set ferm__tpl_interface = [] %}
+{% set ferm__tpl_interface_present = [] %}
+{% set ferm__tpl_outerface = [] %}
+{% set ferm__tpl_outerface_present = [] %}
+{% set ferm__tpl_protocol = [] %}
+{% set ferm__tpl_protocol_syn = [] %}
+{% set ferm__tpl_daddr = [] %}
+{% set ferm__tpl_dport = [] %}
+{% set ferm__tpl_state = [] %}
+{% set ferm__tpl_subchain = (item.type + "-" + item.name | d(item.hashlimit_name)) %}
+{% if item.interface | d() %}
+{%   if item.interface is string %}
+{%     set ferm__tpl_interface = [ item.interface ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interface | unique %}
+{%   endif %}
+{% elif item.interfaces | d() %}
+{%   if item.interfaces is string %}
+{%     set ferm__tpl_interface = [ item.interfaces ] %}
+{%   else %}
+{%     set ferm__tpl_interface = item.interfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.interface_present | d() %}
+{%   if item.interface_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.interface_present] | d() %}
+{%       set ferm__tpl_interface_present = [ item.interface_present ] %}
+{%     endif %}
+{%   else %}
+{%     for interface in item.interface_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface] | d() %}
+{%         set _ = ferm__tpl_interface_present.append(interface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% elif item.interfaces_present | d() %}
+{%   if item.interfaces_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.interfaces_present] | d() %}
+{%       set ferm__tpl_interface_present = [ item.interfaces_present ] %}
+{%     endif %}
+{%   else %}
+{%     for interface in item.interfaces_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + interface] | d() %}
+{%         set _ = ferm__tpl_interface_present.append(interface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.outerface | d() %}
+{%   if item.outerface is string %}
+{%     set ferm__tpl_outerface = [ item.outerface ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerface | unique %}
+{%   endif %}
+{% elif item.outerfaces | d() %}
+{%   if item.outerfaces is string %}
+{%     set ferm__tpl_outerface = [ item.outerfaces ] %}
+{%   else %}
+{%     set ferm__tpl_outerface = item.outerfaces | unique %}
+{%   endif %}
+{% endif %}
+{% if item.outerface_present | d() %}
+{%   if item.outerface_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.outerface_present] | d() %}
+{%       set ferm__tpl_outerface_present = [ item.outerface_present ] %}
+{%     endif %}
+{%   else %}
+{%     for outerface in item.outerface_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + outerface] | d() %}
+{%         set _ = ferm__tpl_outerface_present.append(outerface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% elif item.outerfaces_present | d() %}
+{%   if item.outerfaces_present is string %}
+{%     if hostvars[inventory_hostname]["ansible_" + item.outerfaces_present] | d() %}
+{%       set ferm__tpl_outerface_present = [ item.outerfaces_present ] %}
+{%     endif %}
+{%   else %}
+{%     for outerface in item.outerfaces_present %}
+{%       if hostvars[inventory_hostname]["ansible_" + outerface] | d() %}
+{%         set _ = ferm__tpl_outerface_present.append(outerface) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if item.protocol | d() %}
+{%   if item.protocol is string %}
+{%     set ferm__tpl_protocol = [ item.protocol ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocol | unique %}
+{%   endif %}
+{% elif item.protocols | d() %}
+{%   if item.protocols is string %}
+{%     set ferm__tpl_protocol = [ item.protocols ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocols | unique %}
+{%   endif %}
+{% endif %}
+{% if item.protocol_syn is defined %}
+{%   if item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ 'syn' ] %}
+{%   elif not item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ '! syn' ] %}
+{%   endif %}
+{% endif %}
+{% if item.daddr | d() %}
+{%   if item.daddr is string %}
+{%     set ferm__tpl_daddr = [ item.daddr ] %}
+{%   else %}
+{%     set ferm__tpl_daddr = item.daddr | unique %}
+{%   endif %}
+{% endif %}
+{% if item.dport | d() %}
+{%   if item.dport is string %}
+{%     set ferm__tpl_dport = [ item.dport ] %}
+{%   else %}
+{%     set ferm__tpl_dport = item.dport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.state | d() %}
+{%   if item.state is string %}
+{%     set ferm__tpl_state = [ item.state ] %}
+{%   else %}
+{%     set ferm__tpl_state = item.state | unique %}
+{%   endif %}
+{% endif %}
+{% if item.hashlimit_target | d() %}
+{%   set ferm__tpl_hashlimit_target = item.hashlimit_target %}
+{% endif %}
+{% if item.target | d() %}
+{%   set ferm__tpl_target = item.target %}
+{% endif %}
+{% if item.reject_with | d() %}
+{%   set ferm__tpl_reject_with = item.reject_with %}
+{% endif %}
+{% if item.subchain is defined %}
+{%   if item.subchain | bool %}
+{%     set ferm__tpl_subchain = item.subchain %}
+{%   else %}
+{%     set ferm__tpl_subchain = '' %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_interface %}
+{%   if ferm__tpl_interface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("interface " +  ferm__tpl_interface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface | join(" ") + ")") %}
+{%   endif %}
+{% elif ferm__tpl_interface_present %}
+{%   if ferm__tpl_interface_present | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("interface " +  ferm__tpl_interface_present | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("interface (" + ferm__tpl_interface_present | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_outerface %}
+{%   if ferm__tpl_outerface | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("outerface " +  ferm__tpl_outerface | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface | join(" ") + ")") %}
+{%   endif %}
+{% elif ferm__tpl_outerface_present %}
+{%   if ferm__tpl_outerface_present | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("outerface " +  ferm__tpl_outerface_present | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("outerface (" + ferm__tpl_outerface_present | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_protocol %}
+{%   set _ = ferm__tpl_arguments.append("protocol (" + ferm__tpl_protocol | join(" ") + ")") %}
+{% endif %}
+{% if ferm__tpl_protocol_syn %}
+{%   set _ = ferm__tpl_arguments.append(ferm__tpl_protocol_syn | join(" ")) %}
+{% endif %}
+{% if ferm__tpl_daddr %}
+{%   set _= ferm__tpl_arguments.append("daddr (" + ferm__tpl_daddr | join(" ") +")") %}
+{% endif %}
+{% if ferm__tpl_dport %}
+{%   set _ = ferm__tpl_arguments.append("dport (" + ferm__tpl_dport | join(" ") + ")") %}
+{% endif %}
+{% if ferm__tpl_state %}
+{%   set _ = ferm__tpl_arguments.append("mod state state (" + ferm__tpl_state | join(" ") + ")") %}
+{% endif %}
+{% if item.enabled is undefined or item.enabled | bool %}
+{%   if ferm__tpl_subchain %}
+{%     set _ = ferm__tpl_arguments.append('@subchain "' + ferm__tpl_subchain + '"') %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{%   if item.enabled is undefined or item.enabled | bool %}
+
+        mod hashlimit    hashlimit {{ item.hashlimit }}
+{%     if item.hashlimit_burst | d() %}
+                         hashlimit-burst {{ item.hashlimit_burst }}
+{%     endif %}
+                         hashlimit-mode {{ item.hashlimit_mode | d("srcip") }}
+                         hashlimit-name {{ item.name | d(item.hashlimit_name) }}
+{%     if item.hashlimit_expire is undefined or item.hashlimit_expire %}
+                         hashlimit-htable-expire {{ ((item.hashlimit_expire | d("1800")) | int * 1000) | string }}
+{%     endif %}
+{%     if ferm__tpl_hashlimit_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%       if item.include | d() %}
+
+            @include "{{ item.include }}";
+{%       elif item.realgoto is undefined or not item.realgoto | bool %}
+
+            jump "{{ ferm__tpl_target }}";
+{%       elif item.realgoto | d() and item.realgoto | bool %}
+
+            realgoto "{{ ferm__tpl_target }}";
+{%       endif %}
+{%     elif ferm__tpl_hashlimit_target in [ 'REJECT' ] %}
+
+            REJECT reject-with {{ ferm__tpl_reject_with }};
+{%     else %}
+
+            {{ ferm__tpl_hashlimit_target }};
+{%     endif %}
+{%     if ((item.log is undefined or item.log | bool) and (ferm__log | bool)) %}
+
+        &log("{{ item.log_prefix | d('ipt-hashlimit-' + item.name | d(item.hashlimit_name) + ': ') }}");
+{%     endif %}
+{%     if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%       if item.include | d() %}
+
+        @include "{{ item.include }}";
+{%       elif item.realgoto is undefined or not item.realgoto | bool %}
+
+        jump "{{ ferm__tpl_target }}";
+{%       elif item.realgoto | d() and item.realgoto | bool %}
+
+        realgoto "{{ ferm__tpl_target }}";
+{%       endif %}
+{%     elif ferm__tpl_target in [ 'REJECT' ] %}
+
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%     else %}
+
+        {{ ferm__tpl_target }};
+{%     endif %}
+{%   else %}
+{%     if ferm__tpl_hashlimit_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%       if item.include | d() %}
+
+        @include "{{ item.include }}";
+{%       elif item.realgoto is undefined or not item.realgoto | bool %}
+
+        jump "{{ ferm__tpl_target }}";
+{%       elif item.realgoto | d() and item.realgoto | bool %}
+
+        realgoto "{{ ferm__tpl_target }}";
+{%       endif %}
+{%     elif ferm__tpl_hashlimit_target in [ 'REJECT' ] %}
+
+        REJECT reject-with {{ ferm__tpl_reject_with }};
+{%     else %}
+
+        {{ ferm__tpl_hashlimit_target }};
+{%     endif %}
+{%   endif %}
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/include.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/include.conf.j2
new file mode 100644
index 00000000..059e8ba4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/include.conf.j2
@@ -0,0 +1,87 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    @include "{{ item.include }}";
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/log.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/log.conf.j2
new file mode 100644
index 00000000..4f19b70a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/log.conf.j2
@@ -0,0 +1,179 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_log_target = 'LOG' %}
+{% set ferm__tpl_target = '' %}
+{% set ferm__tpl_reject_with = 'icmp-admin-prohibited' %}
+{% set ferm__tpl_log_limit = ferm__log_limit %}
+{% set ferm__tpl_log_burst = ferm__log_burst %}
+{% set ferm__tpl_log_ip_options = True %}
+{% set ferm__tpl_log_tcp_options = False %}
+{% set ferm__tpl_log_tcp_sequence = False %}
+{% set ferm__tpl_log_level = 'warning' %}
+{% set ferm__tpl_log_prefix = 'iptables-log: ' %}
+{% if item.log_target | d() %}
+{%   set ferm__tpl_log_target = item.log_target %}
+{% endif %}
+{% if item.target | d() %}
+{%   set ferm__tpl_target = item.target %}
+{% endif %}
+{% if item.reject_with | d() %}
+{%   set ferm__tpl_reject_with = item.reject_with %}
+{% endif %}
+{% if item.log_limit | d() %}
+{%   set ferm__tpl_log_limit = item.log_limit %}
+{% endif %}
+{% if item.log_burst | d() %}
+{%   set ferm__tpl_log_burst = item.log_burst %}
+{% endif %}
+{% if item.log_ip_options is defined %}
+{%   set ferm__tpl_log_ip_options = item.log_ip_options | bool %}
+{% endif %}
+{% if item.log_tcp_options is defined %}
+{%   set ferm__tpl_log_tcp_options = item.log_tcp_options | bool %}
+{% endif %}
+{% if item.log_tcp_sequence is defined %}
+{%   set ferm__tpl_log_tcp_sequence = item.log_tcp_sequence | bool %}
+{% endif %}
+{% if item.log_prefix | d() %}
+{%   set ferm__tpl_log_prefix = item.log_prefix %}
+{% endif %}
+{% if item.log_level | d() %}
+{%   set ferm__tpl_log_level = item.log_level %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_log_limit %}
+{%   set _ = ferm__tpl_arguments.append('mod limit limit ' + ferm__tpl_log_limit) %}
+{%   if ferm__tpl_log_burst %}
+{%     set _ = ferm__tpl_arguments.append('limit-burst ' + ferm__tpl_log_burst) %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_log_args = [] %}
+{% if ferm__tpl_log_target == 'LOG' %}
+{%   if ferm__tpl_log_ip_options | bool %}
+{%     set _ = ferm__tpl_log_args.append('log-ip-options') %}
+{%   endif %}
+{%   if ferm__tpl_log_tcp_options | bool %}
+{%     set _ = ferm__tpl_log_args.append('log-tcp-options') %}
+{%   endif %}
+{%   if ferm__tpl_log_tcp_sequence | bool %}
+{%     set _ = ferm__tpl_log_args.append('log-tcp-sequence') %}
+{%   endif %}
+{%   if ferm__tpl_log_level %}
+{%     set _ = ferm__tpl_log_args.append('log-level ' + ferm__tpl_log_level) %}
+{%   endif %}
+{%   if ferm__tpl_log_prefix %}
+{%     set _ = ferm__tpl_log_args.append('log-prefix "' + ferm__tpl_log_prefix + '"') %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{% if ferm__tpl_log_target in [ 'LOG', 'ULOG', 'NFLOG' ] %}
+
+        {{ ferm__tpl_log_target }} {{ ferm__tpl_log_args | join(" ") }};
+{% endif %}
+    }
+{%   if ferm__tpl_target %}
+{%     if ferm__tpl_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%       if item.include | d() %}
+
+    @include "{{ item.include }}";
+{%       elif item.realgoto is undefined or not item.realgoto | bool %}
+
+    jump "{{ ferm__tpl_target }}";
+{%       elif item.realgoto | d() and item.realgoto | bool %}
+
+    realgoto "{{ ferm__tpl_target }}";
+{%       endif %}
+{%     elif ferm__tpl_target in [ 'REJECT' ] %}
+
+    REJECT reject-with {{ ferm__tpl_reject_with }};
+{%     else %}
+
+    {{ ferm__tpl_target }};
+{%     endif %}
+{%   endif %}
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/masquerade.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/masquerade.conf.j2
new file mode 100644
index 00000000..51d3ba2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/masquerade.conf.j2
@@ -0,0 +1,44 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{#
+  marsquerade - add masquerading rules
+
+List of parameters:
+
+Required:
+  item.outerface          Public interface to Masquerade the forwarding network
+
+#}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm_tpl_outerface = [] %}
+{% if item.outerface is defined and item.outerface %}
+{%   if item.outerface is string %}
+{%     set _ = ferm_tpl_outerface.append(item.outerface) %}
+{%   else %}
+{%     set ferm_tpl_outerface = item.outerface %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+
+{% if ferm_tpl_outerface %}
+table nat {
+	chain POSTROUTING {
+		outerface {{ ferm_tpl_outerface | unique | join(" ") }} MASQUERADE;
+	}
+}
+
+{% else %}
+# Cannot configure DMZ, public or private IP addresses not specified
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/recent.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/recent.conf.j2
new file mode 100644
index 00000000..0c9e4a1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/recent.conf.j2
@@ -0,0 +1,252 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Rule arguments #}
+{# ============== #}
+{% set ferm__tpl_recent_target = 'NOP' %}
+{% set ferm__tpl_reject_with = 'icmp-admin-prohibited' %}
+{% set ferm__tpl_protocol = [] %}
+{% set ferm__tpl_protocol_syn = [] %}
+{% set ferm__tpl_dport = [] %}
+{% set ferm__tpl_state = [] %}
+{% set ferm__tpl_subchain = item.type + "-" + item.name %}
+{% set ferm__tpl_recent_name = '' %}
+{% set ferm__tpl_recent_set_name = '' %}
+{% set ferm__tpl_recent_update = False %}
+{% set ferm__tpl_recent_remove = False %}
+{% set ferm__tpl_recent_seconds = '' %}
+{% set ferm__tpl_recent_hitcount = '' %}
+{% if item.protocol | d() %}
+{%   if item.protocol is string %}
+{%     set ferm__tpl_protocol = [ item.protocol ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocol | unique %}
+{%   endif %}
+{% elif item.protocols | d() %}
+{%   if item.protocols is string %}
+{%     set ferm__tpl_protocol = [ item.protocols ] %}
+{%   else %}
+{%     set ferm__tpl_protocol = item.protocols | unique %}
+{%   endif %}
+{% endif %}
+{% if item.protocol_syn is defined %}
+{%   if item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ 'syn' ] %}
+{%   elif not item.protocol_syn | bool %}
+{%     set ferm__tpl_protocol_syn = [ '! syn' ] %}
+{%   endif %}
+{% endif %}
+{% if item.dport | d() %}
+{%   if item.dport is string %}
+{%     set ferm__tpl_dport = [ item.dport ] %}
+{%   else %}
+{%     set ferm__tpl_dport = item.dport | unique %}
+{%   endif %}
+{% endif %}
+{% if item.state | d() %}
+{%   if item.state is string %}
+{%     set ferm__tpl_state = [ item.state ] %}
+{%   else %}
+{%     set ferm__tpl_state = item.state | unique %}
+{%   endif %}
+{% endif %}
+{% if item.subchain is defined %}
+{%   if item.subchain | bool %}
+{%     set ferm__tpl_subchain = item.subchain %}
+{%   else %}
+{%     set ferm__tpl_subchain = '' %}
+{%   endif %}
+{% endif %}
+{% if item.recent_name | d() %}
+{%   set ferm__tpl_recent_name = item.recent_name %}
+{% elif item.recent_set_name | d() %}
+{%   set ferm__tpl_recent_set_name = item.recent_set_name %}
+{% endif %}
+{% if item.recent_update | d() and item.recent_update | bool %}
+{%   set ferm__tpl_recent_update = True %}
+{% endif %}
+{% if item.recent_remove | d() and item.recent_remove | bool %}
+{%   set ferm__tpl_recent_remove = True %}
+{% endif %}
+{% if item.recent_seconds | d() %}
+{%   set ferm__tpl_recent_seconds = item.recent_seconds | string %}
+{% endif %}
+{% if item.recent_hitcount | d() %}
+{%   set ferm__tpl_recent_hitcount = item.recent_hitcount | string %}
+{% endif %}
+{% if item.recent_target | d() %}
+{%   set ferm__tpl_recent_target = item.recent_target %}
+{% endif %}
+{% if item.reject_with | d() %}
+{%   set ferm__tpl_reject_with = item.reject_with %}
+{% endif %}
+{% set ferm__tpl_arguments = [] %}
+{% if ferm__tpl_protocol %}
+{%   if ferm__tpl_protocol | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("protocol " +  ferm__tpl_protocol | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("protocol (" + ferm__tpl_protocol | join(" ") + ")") %}
+{%   endif %}
+{% elif not ferm__tpl_protocol and ferm__tpl_dport %}
+{%   set _ = ferm__tpl_arguments.append("protocol tcp") %}
+{% endif %}
+{% if ferm__tpl_protocol_syn %}
+{%   set _ = ferm__tpl_arguments.append(ferm__tpl_protocol_syn | join(" ")) %}
+{% endif %}
+{% if ferm__tpl_dport %}
+{%   if item.multiport | d() and item.multiport | bool %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("mod multiport destination-ports (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   else %}
+{%     if ferm__tpl_dport | length == 1 %}
+{%       set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_dport | join(" ")) %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append("dport (" + ferm__tpl_dport | join(" ") + ")") %}
+{%     endif %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_state %}
+{%   if ferm__tpl_state | length == 1 %}
+{%     set _ = ferm__tpl_arguments.append("mod state state " +  ferm__tpl_state | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_arguments.append("mod state state (" + ferm__tpl_state | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_arguments %}
+{%   if ferm__tpl_subchain %}
+{%     set _ = ferm__tpl_arguments.append('@subchain "' + ferm__tpl_subchain + '"') %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_recent_args = [] %}
+{% if ferm__tpl_recent_name %}
+{%   set _ = ferm__tpl_recent_args.append('name "' + ferm__tpl_recent_name + '"') %}
+{% elif ferm__tpl_recent_set_name %}
+{%   set _ = ferm__tpl_recent_args.append('set name "' + ferm__tpl_recent_set_name + '"') %}
+{% endif %}
+{% if ferm__tpl_recent_update | bool %}
+{%   set _ = ferm__tpl_recent_args.append('update') %}
+{% endif %}
+{% if ferm__tpl_recent_remove | bool %}
+{%   set _ = ferm__tpl_recent_args.append('remove') %}
+{% endif %}
+{% if ferm__tpl_recent_seconds %}
+{%   set _ = ferm__tpl_recent_args.append('seconds ' + ferm__tpl_recent_seconds) %}
+{% endif %}
+{% if ferm__tpl_recent_hitcount %}
+{%   set _ = ferm__tpl_recent_args.append('hitcount ' + ferm__tpl_recent_hitcount) %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+
+        mod recent {{ ferm__tpl_recent_args | join(" ") }} {
+{%   if ((item.recent_log is undefined or item.recent_log | bool) and ferm__log | bool) %}
+
+            &log("{{ item.recent_log_prefix | d('ipt-recent-' + item.recent_name | d(item.recent_set_name) + ': ') }}");
+{%   endif %}
+{%   if ferm__tpl_recent_target %}
+{%     if ferm__tpl_recent_target not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%       if item.include | d() %}
+
+            @include "{{ item.include }}";
+{%       elif item.realgoto is undefined or not item.realgoto | bool %}
+
+            jump "{{ ferm__tpl_recent_target }}";
+{%       elif item.realgoto | d() and item.realgoto | bool %}
+
+            realgoto "{{ ferm__tpl_recent_target }}";
+{%       endif %}
+{%     elif ferm__tpl_recent_target in [ 'REJECT' ] %}
+
+            REJECT reject-with {{ ferm__tpl_reject_with }};
+{%     else %}
+
+            {{ ferm__tpl_recent_target }};
+{%     endif %}
+{%   endif %}
+        }
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/reject.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/reject.conf.j2
new file mode 100644
index 00000000..ebeffda9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/ferm.d/reject.conf.j2
@@ -0,0 +1,94 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{# Domain, table, chain #}
+{# ==================== #}
+{% set ferm__tpl_domain = ferm__domains %}
+{% set ferm__tpl_table = [ 'filter' ] %}
+{% set ferm__tpl_chain = [ 'INPUT' ] %}
+{% if item.domain | d() %}
+{%   if item.domain is string %}
+{%     set ferm__tpl_domain = [ item.domain ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domain | unique %}
+{%   endif %}
+{% elif item.domains | d() %}
+{%   if item.domains is string %}
+{%     set ferm__tpl_domain = [ item.domains ] %}
+{%   else %}
+{%     set ferm__tpl_domain = item.domains | unique %}
+{%   endif %}
+{% endif %}
+{% if item.table | d() %}
+{%   if item.table is string %}
+{%     set ferm__tpl_table = [ item.table ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.table | unique %}
+{%   endif %}
+{% elif item.tables | d() %}
+{%   if item.tables is string %}
+{%     set ferm__tpl_table = [ item.tables ] %}
+{%   else %}
+{%     set ferm__tpl_table = item.tables | unique %}
+{%   endif %}
+{% endif %}
+{% if item.chain | d() %}
+{%   if item.chain is string %}
+{%     set ferm__tpl_chain = [ item.chain ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chain | unique %}
+{%   endif %}
+{% elif item.chains | d() %}
+{%   if item.chains is string %}
+{%     set ferm__tpl_chain = [ item.chains ] %}
+{%   else %}
+{%     set ferm__tpl_chain = item.chains | unique %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_domain_args = [] %}
+{% if ferm__tpl_domain %}
+{%   if ferm__tpl_domain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("domain " +  ferm__tpl_domain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("domain (" + ferm__tpl_domain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_table %}
+{%   if ferm__tpl_table | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("table " +  ferm__tpl_table | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("table (" + ferm__tpl_table | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{% if ferm__tpl_chain %}
+{%   if ferm__tpl_chain | length == 1 %}
+{%     set _ = ferm__tpl_domain_args.append("chain " +  ferm__tpl_chain | join(" ")) %}
+{%   else %}
+{%     set _ = ferm__tpl_domain_args.append("chain (" + ferm__tpl_chain | join(" ") + ")") %}
+{%   endif %}
+{% endif %}
+{# Main template #}
+{# ============= #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+
+{% endif %}
+{% if item.when is undefined or item.when | bool %}
+{%   if ferm__tpl_domain_args %}{{ ferm__tpl_domain_args | join(" ") }} {% endif %}{
+    protocol udp REJECT reject-with icmp-port-unreachable;
+    protocol tcp REJECT reject-with tcp-reset;
+    @if @eq($DOMAIN, ip) {
+        REJECT reject-with icmp-proto-unreachable;
+    }
+    @if @eq($DOMAIN, ip6) {
+        REJECT;
+    }
+}
+{% else %}
+# Rule disabled by 'item.when' condition
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/accept.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/accept.conf.j2
new file mode 100644
index 00000000..e6d714f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/accept.conf.j2
@@ -0,0 +1,95 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_protocol = [] %}
+{% if item.protocol is defined %}
+{%   if item.protocol is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocol) %}
+{%   else %}
+{%     for element in item.protocol %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.protocols is defined %}
+{%   if item.protocols is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocols) %}
+{%   else %}
+{%     for element in item.protocols %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_state = item.default_state | default('enabled') %}
+{% if item.disabled is defined %}
+{%   set ferm__tpl_state = 'enabled' %}
+{%   if item.disabled is string %}
+{%     if item.disabled | bool %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.disabled %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   endif %}
+{% elif item.enabled is defined %}
+{%   set ferm__tpl_state = 'disabled' %}
+{%   if item.enabled is string %}
+{%     if item.enabled | bool %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.enabled %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   endif %}
+{% else %}
+{%   set ferm__tpl_state = 'enabled' %}
+{% endif %}
+# {{ ansible_managed }}
+
+{% if item.jump is undefined or not item.jump %}
+# Accept new connections{% if item.saddr | d() %} from specified IP addresses{% endif %}{% if item.dport | d() %} on {{ item.dport | join(',') }} port{% endif %}
+{% else %}
+# Jump to specified chain
+{% endif %}
+{#
+
+List of parameters:
+
+Optional:
+  item.dport		list of destination ports to configure
+  item.protocol(s)	list of protocols to configure (tcp, udp)
+  item.saddr		list of source addresses to accept
+  item.accept_any	accept connections from any IP address if True
+  item.disabled		if True, disable the rule (can be used to toggle rule via variable)
+  item.enabled		if True, enable the rule (can be used to toggle rule via variable)
+  item.include          include custom file or command output
+  item.jump		jump tp specified chain
+
+#}
+
+{% if ferm__tpl_state == 'enabled' %}
+{% if ferm__tpl_protocol or item.dport | d() %}protocol ({{ (ferm__tpl_protocol if ferm__tpl_protocol else ['tcp']) | join(' ') }}){% endif %}{% if item.dport | d() %} dport ({{ item.dport | join(' ') }}){% endif %}{% if ferm__tpl_protocol or item.dport | d() %} {% endif %}{
+{% if item.saddr is defined and item.saddr %}
+	@def $ITEMS = ( @ipfilter( ({{ item.saddr | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% else %}
+{% if item.accept_any is defined and item.accept_any | bool %}
+	ACCEPT;
+{% elif item.include is defined and item.include %}
+	@include "{{ item.include }}";
+{% elif item.jump is defined and item.jump %}
+	jump "{{ item.jump }}";
+{% else %}
+	# Connections from any IP address not allowed
+{% endif %}
+{% endif %}
+}
+{% else %}
+# dport_accept rule has been disabled by a variable
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/custom.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/custom.conf.j2
new file mode 100644
index 00000000..7500ba49
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/custom.conf.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{#
+#    ==== Custom ip(6)tables rules for debops.ferm role ====
+#
+# You need to define 'item.dport: []' in your rule definition for debops.ferm
+# role to work correctly.
+#
+# Rules created by this template should be defined in ferm configuration
+# format, in 'item.rules' variable as YAML text block. See ferm(1) manual for
+# information abut ferm syntax.
+#
+# Remember that ferm by default configures both iptables and ip6tables at the
+# same time and write your rules accordingly. All rules defined using this
+# template will be included inside:
+#
+#   domain (ip ip6) table filter chain INPUT { }
+#
+# You can use @if ferm function to specify only a particular domain:
+#
+#   @if @eq($DOMAIN, ip) { }
+#
+# To filter list of IP addresses for a particular domain, you can use
+# ipfilter() ferm function. See examples of dport_* rules for usage patterns.
+#
+#}
+# {{ ansible_managed }}
+
+{% if item.by_role is defined and item.by_role %}
+# ip(6)tables rules defined by Ansible role: {{ item.by_role }}
+
+{% endif %}
+{% if item.rules is defined and item.rules %}
+{{ item.rules }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_accept.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_accept.conf.j2
new file mode 100644
index 00000000..e6d714f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_accept.conf.j2
@@ -0,0 +1,95 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_protocol = [] %}
+{% if item.protocol is defined %}
+{%   if item.protocol is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocol) %}
+{%   else %}
+{%     for element in item.protocol %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.protocols is defined %}
+{%   if item.protocols is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocols) %}
+{%   else %}
+{%     for element in item.protocols %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_state = item.default_state | default('enabled') %}
+{% if item.disabled is defined %}
+{%   set ferm__tpl_state = 'enabled' %}
+{%   if item.disabled is string %}
+{%     if item.disabled | bool %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.disabled %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   endif %}
+{% elif item.enabled is defined %}
+{%   set ferm__tpl_state = 'disabled' %}
+{%   if item.enabled is string %}
+{%     if item.enabled | bool %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.enabled %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   endif %}
+{% else %}
+{%   set ferm__tpl_state = 'enabled' %}
+{% endif %}
+# {{ ansible_managed }}
+
+{% if item.jump is undefined or not item.jump %}
+# Accept new connections{% if item.saddr | d() %} from specified IP addresses{% endif %}{% if item.dport | d() %} on {{ item.dport | join(',') }} port{% endif %}
+{% else %}
+# Jump to specified chain
+{% endif %}
+{#
+
+List of parameters:
+
+Optional:
+  item.dport		list of destination ports to configure
+  item.protocol(s)	list of protocols to configure (tcp, udp)
+  item.saddr		list of source addresses to accept
+  item.accept_any	accept connections from any IP address if True
+  item.disabled		if True, disable the rule (can be used to toggle rule via variable)
+  item.enabled		if True, enable the rule (can be used to toggle rule via variable)
+  item.include          include custom file or command output
+  item.jump		jump tp specified chain
+
+#}
+
+{% if ferm__tpl_state == 'enabled' %}
+{% if ferm__tpl_protocol or item.dport | d() %}protocol ({{ (ferm__tpl_protocol if ferm__tpl_protocol else ['tcp']) | join(' ') }}){% endif %}{% if item.dport | d() %} dport ({{ item.dport | join(' ') }}){% endif %}{% if ferm__tpl_protocol or item.dport | d() %} {% endif %}{
+{% if item.saddr is defined and item.saddr %}
+	@def $ITEMS = ( @ipfilter( ({{ item.saddr | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% else %}
+{% if item.accept_any is defined and item.accept_any | bool %}
+	ACCEPT;
+{% elif item.include is defined and item.include %}
+	@include "{{ item.include }}";
+{% elif item.jump is defined and item.jump %}
+	jump "{{ item.jump }}";
+{% else %}
+	# Connections from any IP address not allowed
+{% endif %}
+{% endif %}
+}
+{% else %}
+# dport_accept rule has been disabled by a variable
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_limit.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_limit.conf.j2
new file mode 100644
index 00000000..5238e25d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/dport_limit.conf.j2
@@ -0,0 +1,110 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_protocol = [] %}
+{% if item.protocol is defined %}
+{%   if item.protocol is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocol) %}
+{%   else %}
+{%     for element in item.protocol %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.protocols is defined %}
+{%   if item.protocols is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocols) %}
+{%   else %}
+{%     for element in item.protocols %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_state = item.default_state | default('enabled') %}
+{% if item.disabled is defined %}
+{%   set ferm__tpl_state = 'enabled' %}
+{%   if item.disabled is string %}
+{%     if item.disabled | bool %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.disabled %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   endif %}
+{% elif item.enabled is defined %}
+{%   set ferm__tpl_state = 'disabled' %}
+{%   if item.enabled is string %}
+{%     if item.enabled | bool %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.enabled %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   endif %}
+{% else %}
+{%   set ferm__tpl_state = 'enabled' %}
+{% endif %}
+# {{ ansible_managed }}
+
+{% if ferm__filter_recent | d() and ferm__filter_recent | bool %}
+# Limit new connections on {{ item.dport | join(',') }} port.
+# Allow no more than {{ item.hits | default('5') }} connection attempts from a source IP in {{ item.seconds | default('300') }} seconds.
+{% else %}
+# iptables recent filter is not available, connections are not filtered.
+{% endif %}
+{#
+
+List of parameters:
+
+Required:
+  item.dport		list of destination ports to configure
+
+Optional:
+  item.protocol(s)	list of protocols to configure (tcp, udp)
+  item.syn              if defined and True, match SYN packets, if defined and
+                        False, match !SYN packets
+  item.seconds		time in seconds to count between hits
+  item.hits		how many connections in item.seconds to allow
+  item.destination      name of the ip(6)tables recent list where IP address will be added
+  item.disabled		if True, disable the rule (can be used to toggle rule via variable)
+  item.enabled		if True, enable the rule (can be used to toggle rule via variable)
+
+#}
+
+{% if ((item.syn is defined and item.syn) or
+       (item.syn is defined and item.syn in [ 'True', 'true', 'Yes', 'yes' ])) %}
+{%   set ferm_tpl_syn = 'syn' %}
+{% elif ((item.syn is defined and not item.syn) or
+        (item.syn is defined and item.syn in [ 'False', 'false', 'no', 'no' ])) %}
+{%   set ferm_tpl_syn = '!syn' %}
+{% endif %}
+{% if ferm__tpl_state == 'enabled' %}
+protocol ({{ (ferm__tpl_protocol if ferm__tpl_protocol else ['tcp']) | join(' ') }}){% if ferm__tpl_syn is defined %} {{ ferm__tpl_syn }}{% endif %} dport ({{ item.dport | join(' ') }}) {
+{% if ferm__filter_recent | d() and ferm__filter_recent | bool %}
+
+	@subchain "dport-limit-{{ item.dport[0] }}" {
+		mod recent name {{ item.dport[0] | upper }} {
+			set NOP;
+			update seconds {{ item.seconds | default('300') }} hitcount {{ item.hits | default('5') }} @subchain "dport-log-{{ item.dport[0] }}" {
+				mod recent set name "{{ item.destination | default('badguys') }}" {
+{% if ferm__log_issues is defined and ferm__log_issues %}
+					mod limit limit 3/hour limit-burst 5 {
+						LOG log-prefix "iptables-blocked-{{ item.dport[0] }}: " log-level warning;
+					}
+{% endif %}
+					DROP;
+				}
+			}
+		}
+	}
+
+{% endif %}
+	ACCEPT;
+}
+{% else %}
+# dport_limit rule has been disabled by a variable
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/include.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/include.conf.j2
new file mode 100644
index 00000000..e6d714f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/include.conf.j2
@@ -0,0 +1,95 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_protocol = [] %}
+{% if item.protocol is defined %}
+{%   if item.protocol is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocol) %}
+{%   else %}
+{%     for element in item.protocol %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.protocols is defined %}
+{%   if item.protocols is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocols) %}
+{%   else %}
+{%     for element in item.protocols %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_state = item.default_state | default('enabled') %}
+{% if item.disabled is defined %}
+{%   set ferm__tpl_state = 'enabled' %}
+{%   if item.disabled is string %}
+{%     if item.disabled | bool %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.disabled %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   endif %}
+{% elif item.enabled is defined %}
+{%   set ferm__tpl_state = 'disabled' %}
+{%   if item.enabled is string %}
+{%     if item.enabled | bool %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.enabled %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   endif %}
+{% else %}
+{%   set ferm__tpl_state = 'enabled' %}
+{% endif %}
+# {{ ansible_managed }}
+
+{% if item.jump is undefined or not item.jump %}
+# Accept new connections{% if item.saddr | d() %} from specified IP addresses{% endif %}{% if item.dport | d() %} on {{ item.dport | join(',') }} port{% endif %}
+{% else %}
+# Jump to specified chain
+{% endif %}
+{#
+
+List of parameters:
+
+Optional:
+  item.dport		list of destination ports to configure
+  item.protocol(s)	list of protocols to configure (tcp, udp)
+  item.saddr		list of source addresses to accept
+  item.accept_any	accept connections from any IP address if True
+  item.disabled		if True, disable the rule (can be used to toggle rule via variable)
+  item.enabled		if True, enable the rule (can be used to toggle rule via variable)
+  item.include          include custom file or command output
+  item.jump		jump tp specified chain
+
+#}
+
+{% if ferm__tpl_state == 'enabled' %}
+{% if ferm__tpl_protocol or item.dport | d() %}protocol ({{ (ferm__tpl_protocol if ferm__tpl_protocol else ['tcp']) | join(' ') }}){% endif %}{% if item.dport | d() %} dport ({{ item.dport | join(' ') }}){% endif %}{% if ferm__tpl_protocol or item.dport | d() %} {% endif %}{
+{% if item.saddr is defined and item.saddr %}
+	@def $ITEMS = ( @ipfilter( ({{ item.saddr | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% else %}
+{% if item.accept_any is defined and item.accept_any | bool %}
+	ACCEPT;
+{% elif item.include is defined and item.include %}
+	@include "{{ item.include }}";
+{% elif item.jump is defined and item.jump %}
+	jump "{{ item.jump }}";
+{% else %}
+	# Connections from any IP address not allowed
+{% endif %}
+{% endif %}
+}
+{% else %}
+# dport_accept rule has been disabled by a variable
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/jump.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/jump.conf.j2
new file mode 100644
index 00000000..e6d714f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/filter-input.d/jump.conf.j2
@@ -0,0 +1,95 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_protocol = [] %}
+{% if item.protocol is defined %}
+{%   if item.protocol is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocol) %}
+{%   else %}
+{%     for element in item.protocol %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% elif item.protocols is defined %}
+{%   if item.protocols is string %}
+{%     set _ = ferm__tpl_protocol.append(item.protocols) %}
+{%   else %}
+{%     for element in item.protocols %}
+{%       set _ = ferm__tpl_protocol.append(element) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% set ferm__tpl_state = item.default_state | default('enabled') %}
+{% if item.disabled is defined %}
+{%   set ferm__tpl_state = 'enabled' %}
+{%   if item.disabled is string %}
+{%     if item.disabled | bool %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.disabled %}
+{%       set ferm__tpl_state = 'disabled' %}
+{%     endif %}
+{%   endif %}
+{% elif item.enabled is defined %}
+{%   set ferm__tpl_state = 'disabled' %}
+{%   if item.enabled is string %}
+{%     if item.enabled | bool %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   else %}
+{%     if item.enabled %}
+{%       set ferm__tpl_state = 'enabled' %}
+{%     endif %}
+{%   endif %}
+{% else %}
+{%   set ferm__tpl_state = 'enabled' %}
+{% endif %}
+# {{ ansible_managed }}
+
+{% if item.jump is undefined or not item.jump %}
+# Accept new connections{% if item.saddr | d() %} from specified IP addresses{% endif %}{% if item.dport | d() %} on {{ item.dport | join(',') }} port{% endif %}
+{% else %}
+# Jump to specified chain
+{% endif %}
+{#
+
+List of parameters:
+
+Optional:
+  item.dport		list of destination ports to configure
+  item.protocol(s)	list of protocols to configure (tcp, udp)
+  item.saddr		list of source addresses to accept
+  item.accept_any	accept connections from any IP address if True
+  item.disabled		if True, disable the rule (can be used to toggle rule via variable)
+  item.enabled		if True, enable the rule (can be used to toggle rule via variable)
+  item.include          include custom file or command output
+  item.jump		jump tp specified chain
+
+#}
+
+{% if ferm__tpl_state == 'enabled' %}
+{% if ferm__tpl_protocol or item.dport | d() %}protocol ({{ (ferm__tpl_protocol if ferm__tpl_protocol else ['tcp']) | join(' ') }}){% endif %}{% if item.dport | d() %} dport ({{ item.dport | join(' ') }}){% endif %}{% if ferm__tpl_protocol or item.dport | d() %} {% endif %}{
+{% if item.saddr is defined and item.saddr %}
+	@def $ITEMS = ( @ipfilter( ({{ item.saddr | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% else %}
+{% if item.accept_any is defined and item.accept_any | bool %}
+	ACCEPT;
+{% elif item.include is defined and item.include %}
+	@include "{{ item.include }}";
+{% elif item.jump is defined and item.jump %}
+	jump "{{ item.jump }}";
+{% else %}
+	# Connections from any IP address not allowed
+{% endif %}
+{% endif %}
+}
+{% else %}
+# dport_accept rule has been disabled by a variable
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/rules.d/rule.conf.j2 b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/rules.d/rule.conf.j2
new file mode 100644
index 00000000..cb8ccdd4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/etc/ferm/rules.d/rule.conf.j2
@@ -0,0 +1,605 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+
+{% macro print_list(elements, prefix='', postfix='') %}{% if elements | length == 1 %}{{ ((prefix + ' ') if prefix else '') + elements | join(' ') + ((' ' + postfix) if postfix else '') }}{% else %}{{ ((prefix + ' ') if prefix else '') + '(' + (elements | join(' ')) + ')' + ((' ' + postfix) if postfix else '') }}{% endif %}{% endmacro %}
+{% macro print_rule(config) %}
+{#   Domain, table, chain #}
+{#   ==================== #}
+{%   set ferm__tpl_config = {
+  'type': 'accept',
+  'domain_args': [],
+  'target': 'ACCEPT',
+  'hashlimit_target': 'RETURN',
+  'recent_target': 'NOP',
+  'reject_with': 'icmp-admin-prohibited',
+  'saddr': [],
+  'daddr': [],
+  'sport': [],
+  'dport': []
+} %}
+{%   if config.comment | d() %}
+{%     set _ = ferm__tpl_config.update({'comment': config.comment }) %}
+{%   endif %}
+{%   if config.type | d() %}
+{%     set _ = ferm__tpl_config.update({'type': config.type }) %}
+{%   endif %}
+{%   set _ = ferm__tpl_config.update({'domain': (debops__tpl_macros.flattened(config.domain | d(config.domains | d(ferm__domains))) | from_yaml) }) %}
+{%   if ferm__tpl_config['type'] != 'dmz' %}
+{%     set _ = ferm__tpl_config.update({'table': (debops__tpl_macros.flattened(config.table | d(config.tables | d('filter'))) | from_yaml) }) %}
+{%     set _ = ferm__tpl_config.update({'chain': (debops__tpl_macros.flattened(config.chain | d(config.chains | d('INPUT'))) | from_yaml) }) %}
+{%   endif %}
+{%   if ferm__tpl_config['domain'] | d() %}
+{%     set _ = ferm__tpl_config['domain_args'].append(print_list(ferm__tpl_config['domain'], prefix='domain')) %}
+{%   endif %}
+{%   if ferm__tpl_config['table'] | d() %}
+{%     set _ = ferm__tpl_config['domain_args'].append(print_list(ferm__tpl_config['table'], prefix='table')) %}
+{%   endif %}
+{%   if ferm__tpl_config['chain'] | d() %}
+{%     set _ = ferm__tpl_config['domain_args'].append(print_list(ferm__tpl_config['chain'], prefix='chain')) %}
+{%   endif %}
+{#   Rule arguments #}
+{#   ============== #}
+{%   if config.saddr | d() %}
+{%     set _ = ferm__tpl_config['saddr'].extend(([ config.saddr ] if config.saddr is string else config.saddr)) %}
+{%   endif %}
+{%   if config.daddr | d() %}
+{%       set _ = ferm__tpl_config['daddr'].extend(([ config.daddr ] if config.daddr is string else config.daddr)) %}
+{%   endif %}
+{%   if config.sport | d() %}
+{%       set _ = ferm__tpl_config['sport'].extend([ config.sport ] | flatten | map("string")) %}
+{%   endif %}
+{%   if config.dport | d() %}
+{%       set _ = ferm__tpl_config['dport'].extend([ config.dport ] | flatten | map("string")) %}
+{%   endif %}
+{%   if config.recent_name | d() %}
+{%     set _ = ferm__tpl_config.update({'recent_name': config.recent_name}) %}
+{%   elif config.recent_set_name | d() %}
+{%     set _ = ferm__tpl_config.update({'recent_set_name': config.recent_set_name}) %}
+{%   endif %}
+{%   if config.recent_update | d() and config.recent_update | bool %}
+{%     set _ = ferm__tpl_config.update({'recent_update': True}) %}
+{%   endif %}
+{%   if config.recent_remove | d() and config.recent_remove | bool %}
+{%     set _ = ferm__tpl_config.update({'recent_remove': True}) %}
+{%   endif %}
+{%   if config.recent_seconds | d() %}
+{%     set _ = ferm__tpl_config.update({'recent_seconds': config.recent_seconds | string}) %}
+{%   endif %}
+{%   if config.recent_hitcount | d() %}
+{%     set _ = ferm__tpl_config.update({'recent_hitcount': config.recent_hitcount | string}) %}
+{%   endif %}
+{%   if config.recent_target | d() %}
+{%     set _ = ferm__tpl_config.update({'recent_target': config.recent_target}) %}
+{%   endif %}
+{%   if config.snat_ip | d() %}
+{%     set _ = ferm__tpl_config.update({'snat_ip': config.snat_ip}) %}
+{%   endif %}
+{%   if config.subchain | d() %}
+{%     set _ = ferm__tpl_config.update({'subchain': (ferm__tpl_config['type'] + "-" + config.name | d((ferm__tpl_config['dport'][0] if ferm__tpl_config['dport'] | d() else "rules")))}) %}
+{%   endif %}
+{%   set _ = ferm__tpl_config.update({'interface': (debops__tpl_macros.flattened(config.interface | d(config.interfaces)) | from_yaml) }) %}
+{%   if ferm__tpl_config['type'] == 'connection_tracking' %}
+{%     set _ = ferm__tpl_config.update({'tracking_invalid_target': (config.tracking_invalid_target | d('DROP'))}) %}
+{%     set _ = ferm__tpl_config.update({'tracking_active_target':  (config.tracking_active_target  | d('ACCEPT'))}) %}
+{%     set _ = ferm__tpl_config.update({'tracking_module': (config.tracking_module | d('conntrack'))}) %}
+{%     if ferm__tpl_config['tracking_module'] == 'state' %}
+{%       set _ = ferm__tpl_config.update({'tracking_module_command': 'mod state state'}) %}
+{%     else %}
+{%       set _ = ferm__tpl_config.update({'tracking_module_command': 'mod conntrack ctstate'}) %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['type'] == 'dmz' %}
+{%     if config.public_ip | d() %}
+{%       set _ = ferm__tpl_config.update({'public_ip': ([ config.public_ip ] if config.public_ip is string else config.public_ip) }) %}
+{%     endif %}
+{%     if config.private_ip | d() %}
+{%       set _ = ferm__tpl_config.update({'private_ip': ([ config.private_ip ] if config.private_ip is string else config.private_ip) }) %}
+{%     endif %}
+{%     if config.port | d() or config.ports | d() %}
+{%       set _ = ferm__tpl_config.update({'dmz_ports': (debops__tpl_macros.flattened(config.port | d(config.ports))) | from_yaml }) %}
+{%       if ferm__tpl_config['dport'] == [] %}
+{%          set _ = ferm__tpl_config['dport'].extend(ferm__tpl_config['dmz_ports']) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{%   for interface in (debops__tpl_macros.flattened(config.interface_present | d(config.interfaces_present)) | from_yaml) %}
+{%     if hostvars[inventory_hostname]["ansible_" + interface] | d() %}
+{%       set _ = ferm__tpl_config.update({'interface_present': [ interface ] }) %}
+{%     endif %}
+{%   endfor %}
+{%   if config.outerface | d() or config.outerfaces | d() %}
+{%     set _ = ferm__tpl_config.update({'outerface': (debops__tpl_macros.flattened(config.outerface | d(config.outerfaces)) | from_yaml) }) %}
+{%   endif %}
+{%   for outerface in (debops__tpl_macros.flattened(config.outerface_present | d(config.outerfaces_present)) | from_yaml) %}
+{%     if hostvars[inventory_hostname]["ansible_" + outerface] | d() %}
+{%       set _ = ferm__tpl_config.update({'outerface_present': [ outerface ] }) %}
+{%     endif %}
+{%   endfor %}
+{%   if config.protocol | d() or config.protocols | d() %}
+{%     set _ = ferm__tpl_config.update({'protocol': (debops__tpl_macros.flattened(config.protocol | d(config.protocols)) | from_yaml) }) %}
+{%   endif %}
+{%   if config.protocol_syn | d() %}
+{%     if config.protocol_syn | bool %}
+{%       set _ = ferm__tpl_config.update({'protocol_syn': [ 'syn' ] }) %}
+{%     elif not config.protocol_syn | bool %}
+{%       set _ = ferm__tpl_config.update({'protocol_syn': [ '! syn' ] }) %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['type'] == 'ansible_controller' %}
+{%     set ferm__tpl_ansible_controllers = [] %}
+{%     if ansible_local.core.ansible_controllers | d() %}
+{%       set _ = ferm__tpl_ansible_controllers.extend(ansible_local.core.ansible_controllers) %}
+{%     endif %}
+{%     if ansible_local.ferm.ansible_controllers | d() %}
+{%       set _ = ferm__tpl_ansible_controllers.extend(ansible_local.ferm.ansible_controllers) %}
+{%     endif %}
+{%     if ferm__ansible_controllers | d() %}
+{%       set _ = ferm__tpl_ansible_controllers.extend(([ ferm__ansible_controllers ] if ferm__ansible_controllers is string else ferm__ansible_controllers)) %}
+{%     endif %}
+{%     if config.ansible_controller | d() %}
+{%       set _ = ferm__tpl_ansible_controllers.extend(([ config.ansible_controller ] if config.ansible_controller is string else config.ansible_controller)) %}
+{%     elif config.ansible_controllers | d() %}
+{%       set _ = ferm__tpl_ansible_controllers.extend(([ config.ansible_controllers ] if config.ansible_controllers is string else config.ansible_controllers)) %}
+{%     endif %}
+{%     if ferm__tpl_ansible_controllers %}
+{%       set _ = ferm__tpl_config['saddr'].extend(ferm__tpl_ansible_controllers) %}
+{%     endif %}
+{%   endif %}
+{%   if config.state | d() %}
+{%       set _ = ferm__tpl_config.update({'state': ([ config.state ] if config.state is string else config.state) }) %}
+{%   endif %}
+{%   if config.target | d() %}
+{%     set _ = ferm__tpl_config.update({'target': config.target}) %}
+{%   endif %}
+{%   if config.hashlimit_target | d() %}
+{%     set _ = ferm__tpl_config.update({'hashlimit_target': config.hashlimit_target}) %}
+{%   endif %}
+{%   if config.reject_with | d() %}
+{%     set _ = ferm__tpl_config.update({'reject_with': config.reject_with}) %}
+{%   endif %}
+{%   if config.subchain is defined %}
+{%     if config.subchain | bool %}
+{%       set _ = ferm__tpl_config.update({'subchain': config.subchain}) %}
+{%     else %}
+{%       if config.hashlimit | d() %}
+{%         set _ = ferm__tpl_config.update({'subchain': (ferm__tpl_config['type'] + "-" + config.hashlimit_name | d(config.name | d(rule_name)))}) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{%   if config.hashlimit | d() %}
+{%     set _ = ferm__tpl_config.update({'subchain': (ferm__tpl_config['type'] + "-" + config.hashlimit_name | d(config.name | d(rule_name)))}) %}
+{%   endif %}
+{%   if config.limit | d() %}
+{%     set _ = ferm__tpl_config.update({'limit': config.limit}) %}
+{%     if config.limit_burst | d() %}
+{%       set _ = ferm__tpl_config.update({'limit_burst': config.limit_burst}) %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['type'] == 'log' %}
+{%     set _ = ferm__tpl_config.update({'log_target': 'LOG'}) %}
+{%   endif %}
+{%   if config.log_target | d() %}
+{%     set _ = ferm__tpl_config.update({'log_target': config.log_target}) %}
+{%   endif %}
+{%   if config.log_limit | d() %}
+{%     set _ = ferm__tpl_config.update({'limit': config.log_limit}) %}
+{%   endif %}
+{%   if config.log_burst | d() %}
+{%     set _ = ferm__tpl_config.update({'limit_burst': config.log_burst}) %}
+{%   endif %}
+{%   if config.log_ip_options | d() %}
+{%     set _ = ferm__tpl_config.update({'log_ip_options': config.log_ip_options | bool}) %}
+{%   endif %}
+{%   if config.log_tcp_options | d() %}
+{%     set _ = ferm__tpl_config.update({'log_tcp_options': config.log_tcp_options | bool}) %}
+{%   endif %}
+{%   if config.log_tcp_sequence | d() %}
+{%     set _ = ferm__tpl_config.update({'log_tcp_sequence': config.log_tcp_sequence | bool}) %}
+{%   endif %}
+{%   if config.log_prefix | d() %}
+{%     set _ = ferm__tpl_config.update({'log_prefix': config.log_prefix}) %}
+{%   endif %}
+{%   if config.log_level | d() %}
+{%     set _ = ferm__tpl_config.update({'log_level': config.log_level}) %}
+{%   endif %}
+{%   set ferm__tpl_log_args = [] %}
+{%   if ferm__tpl_config['type'] == 'log' %}
+{%     if ferm__tpl_config['log_target'] == 'LOG' %}
+{%       if ferm__tpl_config['log_ip_options'] | d() and ferm__tpl_config['log_ip_options'] | bool %}
+{%         set _ = ferm__tpl_log_args.append('log-ip-options') %}
+{%       endif %}
+{%       if ferm__tpl_config['log_tcp_options'] | d() and ferm__tpl_config['log_tcp_options'] | bool %}
+{%         set _ = ferm__tpl_log_args.append('log-tcp-options') %}
+{%       endif %}
+{%       if ferm__tpl_config['log_tcp_sequence'] | d() and ferm__tpl_config['log_tcp_sequence'] | bool %}
+{%         set _ = ferm__tpl_log_args.append('log-tcp-sequence') %}
+{%       endif %}
+{%       if ferm__tpl_config['log_level'] | d() %}
+{%         set _ = ferm__tpl_log_args.append('log-level ' + ferm__tpl_config['log_level']) %}
+{%       endif %}
+{%       if ferm__tpl_config['log_prefix'] | d() %}
+{%         set _ = ferm__tpl_log_args.append('log-prefix "' + ferm__tpl_config['log_prefix'] + '"') %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{%   set ferm__tpl_recent_args = [] %}
+{%   if ferm__tpl_config['recent_name'] | d() %}
+{%     set _ = ferm__tpl_recent_args.append('name "' + ferm__tpl_config['recent_name'] + '"') %}
+{%   elif ferm__tpl_config['recent_set_name'] | d() %}
+{%     set _ = ferm__tpl_recent_args.append('set name "' + ferm__tpl_config['recent_set_name'] + '"') %}
+{%   endif %}
+{%   if (ferm__tpl_config['recent_update'] | d(False)) | bool %}
+{%     set _ = ferm__tpl_recent_args.append('update') %}
+{%   endif %}
+{%   if (ferm__tpl_config['recent_remove'] | d(False)) | bool %}
+{%     set _ = ferm__tpl_recent_args.append('remove') %}
+{%   endif %}
+{%   if ferm__tpl_config['recent_seconds'] | d() %}
+{%     set _ = ferm__tpl_recent_args.append('seconds ' + ferm__tpl_config['recent_seconds']) %}
+{%   endif %}
+{%   if ferm__tpl_config['recent_hitcount'] | d() %}
+{%     set _ = ferm__tpl_recent_args.append('hitcount ' + ferm__tpl_config['recent_hitcount']) %}
+{%   endif %}
+{%   set ferm__tpl_arguments = [] %}
+{%   if ferm__tpl_config['interface'] | d() %}
+{%     set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['interface'], prefix='interface')) %}
+{%   elif ferm__tpl_config['interface_present'] | d() %}
+{%     set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['interface_present'], prefix='interface')) %}
+{%   endif %}
+{%   if ferm__tpl_config['outerface'] | d() %}
+{%     set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['outerface'], prefix='outerface')) %}
+{%   elif ferm__tpl_config['outerface_present'] | d() %}
+{%     set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['outerface_present'], prefix='outerface')) %}
+{%   endif %}
+{%   if ferm__tpl_config['protocol'] | d() %}
+{%     set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['protocol'], prefix='protocol')) %}
+{%   elif not ferm__tpl_config['protocol'] | d() and (ferm__tpl_config['sport'] | d() or ferm__tpl_config['dport'] | d()) %}
+{%     set _ = ferm__tpl_arguments.append("protocol tcp") %}
+{%   endif %}
+{%   if ferm__tpl_config['protocol_syn'] | d() %}
+{%     set _ = ferm__tpl_arguments.extend(ferm__tpl_config['protocol_syn']) %}
+{%   endif %}
+{%   if ferm__tpl_config['sport'] | d() %}
+{%     if config.multiport | d() and config.multiport | bool %}
+{%       if ferm__tpl_config['sport'] | length == 1 %}
+{%         set _ = ferm__tpl_arguments.append("sport " +  ferm__tpl_config['sport'] | join(" ")) %}
+{%       else %}
+{%         set _ = ferm__tpl_arguments.append("mod multiport source-ports (" + ferm__tpl_config['sport'] | join(" ") + ")") %}
+{%       endif %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['sport'], prefix='sport')) %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['dport'] | d() %}
+{%     if config.multiport | d() and config.multiport | bool %}
+{%       if ferm__tpl_config['dport'] | length == 1 %}
+{%         set _ = ferm__tpl_arguments.append("dport " +  ferm__tpl_config['dport'] | join(" ")) %}
+{%       else %}
+{%         set _ = ferm__tpl_arguments.append("mod multiport destination-ports (" + ferm__tpl_config['dport'] | join(" ") + ")") %}
+{%       endif %}
+{%     else %}
+{%       set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['dport'], prefix='dport')) %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['state'] | d() %}
+{%       set _ = ferm__tpl_arguments.append(print_list(ferm__tpl_config['state'], prefix='mod state state')) %}
+{%   endif %}
+{%   if ferm__tpl_arguments and ((ferm__tpl_config['saddr'] | d([])) | length > 3 or config.hashlimit | d()) %}
+{%     if ferm__tpl_config['subchain'] | d() %}
+{%       set _ = ferm__tpl_arguments.append('@subchain "' + ferm__tpl_config['subchain'] + '"') %}
+{%     endif %}
+{%   endif %}
+{%   if ferm__tpl_config['limit'] | d() %}
+{%     set _ = ferm__tpl_arguments.append("mod limit limit " + ferm__tpl_config['limit']) %}
+{%     if ferm__tpl_config['limit_burst'] | d() %}
+{%       set _ = ferm__tpl_arguments.append("limit-burst " + ferm__tpl_config['limit_burst']) %}
+{%     endif %}
+{%   endif %}
+{# This is where the configuration begins
+   ====================================== #}
+{%   if ferm__tpl_config['comment'] | d() %}
+{{ (ferm__tpl_config['comment'] if ferm__tpl_config['comment'] is string else ferm__tpl_config['comment'] | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%   endif %}
+{%   if ferm__tpl_config['type'] != 'dmz' %}
+{%     if ferm__tpl_config['domain_args'] %}{{ ferm__tpl_config['domain_args'] | join(" ") }} {% endif %}{
+{%   endif %}
+{%   if ferm__tpl_config['type'] in [ 'policy', 'default_policy' ] %}
+    policy {{ config.policy }};
+{%   elif ferm__tpl_config['type'] == 'include' %}
+    @include "{{ config.include }}";
+{%   elif ferm__tpl_config['type'] == 'connection_tracking' %}
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+        {{ ferm__tpl_config['tracking_module_command'] }} INVALID {{ ferm__tpl_config['tracking_invalid_target'] }};
+        {{ ferm__tpl_config['tracking_module_command'] }} (ESTABLISHED RELATED) {{ ferm__tpl_config['tracking_active_target'] }};
+    }
+{%   elif ferm__tpl_config['type'] == 'log' %}
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{% if ferm__tpl_log_args %}
+        {{ ferm__tpl_config['log_target'] }} {{ ferm__tpl_log_args | join(' ') }};
+{% else %}
+        {{ ferm__tpl_config['log_target'] }};
+{% endif %}
+    }
+{%   elif ferm__tpl_config['type'] == 'recent' %}
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+
+        mod recent {{ ferm__tpl_recent_args | join(" ") }} {
+{%     if ((config.recent_log is undefined or config.recent_log | bool) and ferm__log | bool) %}
+
+            &log("{{ config.recent_log_prefix | d('ipt-recent-' + config.recent_name | d(config.recent_set_name) + ': ') }}");
+{%     endif %}
+{%     if ferm__tpl_config['recent_target'] %}
+{%       if ferm__tpl_config['recent_target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if config.include | d() %}
+
+            @include "{{ config.include }}";
+{%         elif config.realgoto is undefined or not config.realgoto | bool %}
+
+            jump "{{ ferm__tpl_config['recent_target'] }}";
+{%         elif config.realgoto | d() and config.realgoto | bool %}
+
+            realgoto "{{ ferm__tpl_config['recent_target'] }}";
+{%         endif %}
+{%       elif ferm__tpl_config['recent_target'] in [ 'REJECT' ] %}
+
+            REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%       else %}
+
+            {{ ferm__tpl_config['recent_target'] }};
+{%       endif %}
+{%     endif %}
+        }
+    }
+{%   elif ferm__tpl_config['type'] == 'reject' %}
+    protocol udp REJECT reject-with icmp-port-unreachable;
+    protocol tcp REJECT reject-with tcp-reset;
+    @if @eq($DOMAIN, ip) {
+        REJECT reject-with icmp-proto-unreachable;
+    }
+    @if @eq($DOMAIN, ip6) {
+        REJECT;
+    }
+{%   elif ferm__tpl_config['type'] in [ 'custom', 'raw' ] %}
+{%     if config.rules | d() %}
+{%       if ferm__tpl_config['domain_args'] %}
+{{ config.rules | indent(4,true) }}
+{%       else %}
+{{ config.rules }}
+{%       endif %}
+{%     endif %}
+{%   elif ferm__tpl_config['type'] == 'dmz' %}
+{%     if ferm__tpl_config['domain_args'] %}{{ ferm__tpl_config['domain_args'] | join(" ") }} {% endif %}{
+{%       if ferm__tpl_config['interface'] | d() %}
+    @def $PUBLIC_IF  = ({{ ferm__tpl_config['interface']  | unique | join(' ') }});
+{%       endif %}
+{%       if ferm__tpl_config['public_ip'] | d() %}
+    @def $PUBLIC_IP  = ( @ipfilter( ({{ ferm__tpl_config['public_ip']  | unique | join(' ') }}) ) );
+{%       endif %}
+    @def $PRIVATE_IP = ( @ipfilter( ({{ ferm__tpl_config['private_ip'] | unique | join(' ') }}) ) );
+
+{%       if ferm__tpl_config['public_ip'] | d() %}
+    @def $PUBLIC_IPV4 = "{{ ferm__tpl_config['public_ip'] | unique | ansible.utils.ipv4 | first | d('') }}";
+    @def $PUBLIC_IPV6 = "{{ ferm__tpl_config['public_ip'] | unique | ansible.utils.ipv6 | first | d('') }}";
+
+{%       endif %}
+    @def $PRIVATE_IPV4 = "{{ ferm__tpl_config['private_ip'] | unique | ansible.utils.ipv4 | first | d('') }}";
+    @def $PRIVATE_IPV6 = "{{ ferm__tpl_config['private_ip'] | unique | ansible.utils.ipv6 | first | d('') }}";
+
+    {% if ferm__tpl_config['interface'] | d() %}@if @ne($PUBLIC_IF,""){% endif %}{% if ferm__tpl_config['public_ip'] | d() %} @if @ne($PUBLIC_IP,""){% endif %} @if @ne($PRIVATE_IP,"") {
+        table filter chain FORWARD {
+{%     if ferm__tpl_config['dmz_ports'] | d() %}
+            protocol ({{ ferm__tpl_config['protocol'] | d([ 'tcp' ]) | join(" ") }}) {
+{%       if ferm__tpl_config['dport'] | length > 1 %}
+                mod multiport destination-ports ({{ ferm__tpl_config['dport'] | join(" ") }}) {
+{%       else %}
+                dport ({{ ferm__tpl_config['dport'] | join(" ") }}) {
+{%       endif %}
+                    destination $PRIVATE_IP ACCEPT;
+                }
+            }
+{%     else %}
+            destination $PRIVATE_IP ACCEPT;
+{%     endif %}
+        }
+
+        table nat {
+            chain PREROUTING {
+{%     if ferm__tpl_config['dmz_ports'] | d() %}
+                protocol ({{ ferm__tpl_config['protocol'] | d([ 'tcp' ]) | join(" ") }}) {
+{%       if ferm__tpl_config['dmz_ports'] | length > 1 %}
+                    mod multiport destination-ports ({{ ferm__tpl_config['dmz_ports'] | join(" ") }}) {
+{%       else %}
+                    dport ({{ ferm__tpl_config['dmz_ports'] | join(" ") }}) {
+{%       endif %}
+{%       if ferm__tpl_config['dport'] | d() %}
+                        @if @eq($DOMAIN, ip)  @if @ne($PRIVATE_IPV4,"") {% if ferm__tpl_config['interface'] | d() %}interface $PUBLIC_IF {% endif %}{% if ferm__tpl_config['public_ip'] | d() %}destination $PUBLIC_IPV4 {% endif %}DNAT to @cat($PRIVATE_IPV4, ":{{ ferm__tpl_config['dport'][0] }}");
+                        @if @eq($DOMAIN, ip6) @if @ne($PRIVATE_IPV6,"") {% if ferm__tpl_config['interface'] | d() %}interface $PUBLIC_IF {% endif %}{% if ferm__tpl_config['public_ip'] | d() %}destination $PUBLIC_IPV6 {% endif %}DNAT to @cat("[",$PRIVATE_IPV6, "]:{{ ferm__tpl_config['dport'][0] }}");
+{%       else %}
+                        {% if ferm__tpl_config['interface'] | d() %}interface $PUBLIC_IF {% endif %}{% if ferm__tpl_config['public_ip'] | d() %}destination $PUBLIC_IP {% endif %}DNAT to $PRIVATE_IP;
+{%       endif %}
+                    }
+                }
+{%     else %}
+                {% if ferm__tpl_config['interface'] | d() %}interface $PUBLIC_IF {% endif %}{% if ferm__tpl_config['public_ip'] | d() %}destination $PUBLIC_IP {% endif %}DNAT to $PRIVATE_IP;
+{%     endif %}
+            }
+{%     if ferm__tpl_config['snat_ip'] | d() %}
+            chain POSTROUTING {
+                destination $PRIVATE_IP SNAT to {{ ferm__tpl_config['snat_ip'] }};
+            }
+{%     endif %}
+        }
+    }
+}
+{%   else %}
+    {% if ferm__tpl_arguments %}{{ ferm__tpl_arguments | join(" ") }} {% endif %}{
+{%     if config.hashlimit | d() %}
+
+        mod hashlimit    hashlimit {{ config.hashlimit }}
+{%       if config.hashlimit_burst | d() %}
+                         hashlimit-burst {{ config.hashlimit_burst }}
+{%       endif %}
+                         hashlimit-mode {{ config.hashlimit_mode | d("srcip") }}
+                         hashlimit-name {{ config.hashlimit_name | d(config.name | d(rule_name)) }}
+{%       if config.hashlimit_expire is undefined or config.hashlimit_expire %}
+                         hashlimit-htable-expire {{ ((config.hashlimit_expire | d("1800")) | int * 1000) | string }}
+{%       endif %}
+{%       if ferm__tpl_config['hashlimit_target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if config.include | d() %}
+
+            @include "{{ config.include }}";
+{%         elif config.realgoto is undefined or not config.realgoto | bool %}
+
+            jump "{{ ferm__tpl_config['target'] }}";
+{%         elif config.realgoto | d() and config.realgoto | bool %}
+
+            realgoto "{{ ferm__tpl_config['target'] }}";
+{%         endif %}
+{%       elif ferm__tpl_config['hashlimit_target'] in [ 'REJECT' ] %}
+
+            REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%       else %}
+
+            {{ ferm__tpl_config['hashlimit_target'] }};
+{%       endif %}
+{%       if ((config.log is undefined or config.log | bool) and (ferm__log | bool)) %}
+
+        &log("{{ config.log_prefix | d('ipt-hashlimit-' + config.hashlimit_name | d(config.name | d(rule_name)) + ': ') }}");
+
+{%       endif %}
+{%     endif %}
+{%     if ferm__tpl_config['saddr'] | d() and ferm__tpl_config['daddr'] | d() %}
+        @def $SITEMS = ( @ipfilter( ({{ ferm__tpl_config['saddr'] | unique | join(" ") }}) ) );
+        @def $DITEMS = ( @ipfilter( ({{ ferm__tpl_config['daddr'] | unique | join(" ") }}) ) );
+        @if @ne($SITEMS,"") {
+            @if  @ne($DITEMS,"") {
+{%       if ferm__tpl_config['target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if config.include | d() %}
+                @include "{{ config.include }}";
+{%         elif config.realgoto is undefined or not config.realgoto | bool %}
+                saddr $SITEMS daddr $DITEMS jump "{{ ferm__tpl_config['target'] }}";
+{%         elif config.realgoto | d() and config.realgoto | bool %}
+                saddr $SITEMS daddr $DITEMS realgoto "{{ ferm__tpl_config['target'] }}";
+{%         endif %}
+{%       elif ferm__tpl_config['target'] in [ 'REJECT' ] %}
+                saddr $SITEMS daddr $DITEMS REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%       else %}
+                saddr $SITEMS daddr $DITEMS {{ ferm__tpl_config['target'] }};
+{%       endif %}
+            }
+        }
+{%     elif ferm__tpl_config['saddr'] | d() %}
+        @def $SITEMS = ( @ipfilter( ({{ ferm__tpl_config['saddr'] | unique | join(" ") }}) ) );
+        @if @ne($SITEMS,"") {
+{%       if ferm__tpl_config['target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if config.include | d() %}
+            @include "{{ config.include }}";
+{%         elif config.realgoto is undefined or not config.realgoto | bool %}
+            saddr $SITEMS jump "{{ ferm__tpl_config['target'] }}";
+{%         elif config.realgoto | d() and config.realgoto | bool %}
+            saddr $SITEMS realgoto "{{ ferm__tpl_config['target'] }}";
+{%         endif %}
+{%       elif ferm__tpl_config['target'] in [ 'REJECT' ] %}
+            saddr $SITEMS REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%       else %}
+            saddr $SITEMS {{ ferm__tpl_config['target'] }};
+{%       endif %}
+        }
+{%     elif ferm__tpl_config['daddr'] | d() %}
+        @def $DITEMS = ( @ipfilter( ({{ ferm__tpl_config['daddr'] | unique | join(" ") }}) ) );
+        @if @ne($DITEMS,"") {
+{%       if ferm__tpl_config['target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%         if config.include | d() %}
+            @include "{{ config.include }}";
+{%         elif config.realgoto is undefined or not config.realgoto | bool %}
+            daddr $DITEMS jump "{{ ferm__tpl_config['target'] }}";
+{%         elif config.realgoto | d() and config.realgoto | bool %}
+            daddr $DITEMS realgoto "{{ ferm__tpl_config['target'] }}";
+{%         endif %}
+{%       elif ferm__tpl_config['target'] in [ 'REJECT' ] %}
+            daddr $DITEMS REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%       else %}
+            daddr $DITEMS {{ ferm__tpl_config['target'] }};
+{%       endif %}
+        }
+{%     else %}
+{%       if config.accept_any is defined %}
+{%         if config.accept_any | bool %}
+{%           if ferm__tpl_config['target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%             if config.include | d() %}
+        @include "{{ config.include }}";
+{%             elif config.realgoto is undefined or not config.realgoto | bool %}
+        jump "{{ ferm__tpl_config['target'] }}";
+{%             elif config.realgoto | d() and config.realgoto | bool %}
+        realgoto "{{ ferm__tpl_config['target'] }}";
+{%             endif %}
+{%           elif ferm__tpl_config['target'] in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%           else %}
+        {{ ferm__tpl_config['target'] }};
+{%           endif %}
+{%         elif not config.accept_any | bool %}
+        # Connections from any IP address not allowed
+{%         endif %}
+{%       else %}
+{%         if ferm__tpl_config['target'] not in [ 'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'NOP' ] %}
+{%           if config.include | d() %}
+        @include "{{ config.include }}";
+{%           elif config.realgoto is undefined or not config.realgoto | bool %}
+        jump "{{ ferm__tpl_config['target'] }}";
+{%           elif config.realgoto | d() and config.realgoto | bool %}
+        realgoto "{{ ferm__tpl_config['target'] }}";
+{%           endif %}
+{%         elif ferm__tpl_config['target'] in [ 'REJECT' ] %}
+        REJECT reject-with {{ ferm__tpl_config['reject_with'] }};
+{%         else %}
+{%           if ferm__tpl_arguments %}
+        {{ ferm__tpl_config['target'] }};
+{%           else %}
+        # No rule parameters specified
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+    }
+{%   endif %}
+{%   if ferm__tpl_config['type'] != 'dmz' %}
+}
+{%   endif %}
+{% endmacro %}
+{% set rule_name = (item.value.name | d(item.key)) %}
+{% set rule = item.value %}
+{% if rule.by_role | d() %}
+{{ ("This firewall rule was generated by: " + (rule.by_role if rule.by_role is string else rule.by_role | join('\n')))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% if rule.comment | d() %}
+{{ (rule.comment if rule.comment is string else rule.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% if rule.rules | d() %}
+{%   if rule.rules is string %}
+{{ rule.rules -}}
+{%   elif rule.rules is mapping %}
+{{ print_rule(rule.rules) -}}
+{%   elif rule.rules is not string and rule.rules is not mapping %}
+{%     for element in rule.rules %}{% if not loop.first %}
+
+{% endif %}
+{%       if element is string %}
+{{ element -}}
+{%       elif element is mapping %}
+{{ print_rule(element) -}}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if rule.debug | d() | bool or (ansible_local | d() and ansible_local.tags | d() and 'debug' in ansible_local.tags) %}
+
+{{ ("rule_name: " + (rule_name | to_nice_yaml)) | replace('\n$','') | comment(prefix='',postfix='') -}}
+{{ ("rule: " + (rule | to_nice_yaml)) | replace('\n$','') | comment(prefix='',postfix='') -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/import/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/ferm/templates/import/debops__tpl_macros.j2
new file mode 100644
index 00000000..a661bc41
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/import/debops__tpl_macros.j2
@@ -0,0 +1,225 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be imported in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in templates which are called by {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be imported like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{#
+## Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{%  macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{#
+## Recursively merges nested dictionaries or a nested dictionary with a list of
+## dictionaries. In the second case, a key name can be given whose value will
+## be used as top-level key for the dictionary item. Note that for merging simple
+## dictionaries you should use the regular `combined` Jinja filter.
+##
+## This can be used to define default variables as YAML dictionaries and then
+## use YAML lists of dictionaries either in the inventory or in role dependent
+## variables which lets you add multiple YAML lists together.
+##
+## Arguments:
+##   current_dict:   Nested dictionary whose values might get overwritten if
+##                   defined in `to_merge_dict`.
+##   to_merge_dict:  Dictionary or list of dictionaries being merged into `current_dict`.
+##   dict_key:       Key in the `to_merge_dict` item which is used to match the
+##                   dictionary item being merged in `current_dict` in case `to_merge_dict`
+##                   is a list of dictionaries.
+##
+## Return: JSON-formatted dictionary
+##
+## Examples:
+##
+## 1. Merge single-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'},
+##                                        'item2': {'key3': 'val3', 'key4': 'val4'}},
+##                                       {'item1': {'key2': 'new_val2'},
+##                                        'item2': {'key5': 'val5'    }}) }}
+##
+##     Will output: {"item1": {"key1": "val1", "key2": "new_val2"},
+##                   "item2": {"key3": "val3", "key4": "val4", "key5": "val5"}}
+##
+## 2. Merge double-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'prop1': {'key1': 'val1'}}},
+##                                       {'item1': {'prop1': {'key3': 'val3'},
+##                                                  'prop2': {'key2': 'val2'}}}) }}
+##
+##     Will output: {"item1": {"prop1": {"key1": "val1", "key3": "val3"},
+##                             "prop2": {"key2": "val2"}}}
+##
+## 3. Merge nested dictionary with list of dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'}},
+##                                       [{'name': 'item2', 'key3': 'val3'},
+##                                        {'name': 'item3', 'key4': 'val4'}]) }}
+##
+##     Will output: {"item1: {"key1": "val1", "key2": "val2"},
+##                   "item2: {"name": "item2", "key3": "val3"},
+##                   "item3: {"name": "item3", "key4": "val4"}}
+#}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happyily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Returns flattened object as JSON which you will need to deserialize using `from_yaml`.
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__fix_dependent_rules.j2 b/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__fix_dependent_rules.j2
new file mode 100644
index 00000000..dd9ebeca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__fix_dependent_rules.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if ferm__dependent_rules %}
+{%   set ferm__tpl_dependent_rules = lookup('flattened', ferm__dependent_rules) %}
+{% else %}
+{%   set ferm__tpl_dependent_rules = [] %}
+{% endif %}
+{% set ferm__tpl_fixed_rules = {} %}
+{% set ferm__tpl_flattened_rules = [] %}
+{% if ferm__tpl_dependent_rules %}
+{%   if ferm__tpl_dependent_rules is mapping %}
+{%     set fixed_dict = ferm__tpl_dependent_rules %}
+{%     if 'name' not in fixed_dict.keys() %}
+{%       if 'filename' in fixed_dict.keys() %}
+{%         set _ = fixed_dict.update({"name": ('filename_' + (fixed_dict.filename if fixed_dict.filename is string else fixed_dict.filename[0]))}) %}
+{%       elif 'dport' in fixed_dict.keys() %}
+{%         set _ = fixed_dict.update({"name": ('dport_' + (fixed_dict.dport if fixed_dict.dport is string else fixed_dict.dport[0]))}) %}
+{%       endif %}
+{%     endif %}
+{%     set _ = ferm__tpl_fixed_rules.update({fixed_dict['name']:fixed_dict}) %}
+{%   elif ferm__tpl_dependent_rules is not string and ferm__tpl_dependent_rules is not mapping %}
+{%     for element in ferm__tpl_dependent_rules %}
+{%       set fixed_dict = element %}
+{%       if 'name' not in fixed_dict.keys() %}
+{%         if 'filename' in fixed_dict.keys() %}
+{%           set _ = fixed_dict.update({"name": ('filename_' + (fixed_dict.filename if fixed_dict.filename is string else fixed_dict.filename[0]))}) %}
+{%         elif 'dport' in fixed_dict.keys() %}
+{%           set _ = fixed_dict.update({"name": ('dport_' + (fixed_dict.dport if fixed_dict.dport is string else fixed_dict.dport[0]))}) %}
+{%         endif %}
+{%       endif %}
+{%       set _ = ferm__tpl_fixed_rules.update({fixed_dict['name']:fixed_dict}) %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% for key, value in ferm__tpl_fixed_rules.items() %}
+{%   set _ = ferm__tpl_flattened_rules.append(value) %}
+{% endfor %}
+{{ ferm__tpl_flattened_rules | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__parsed_rules.j2 b/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__parsed_rules.j2
new file mode 100644
index 00000000..dccaa648
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ferm/templates/lookup/ferm__parsed_rules.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ferm__tpl_filtered_rules = {} %}
+{% for element in ferm__combined_rules %}
+{%   if element.name | d() and element.rule_state | d(element.state | d('present')) != 'ignore' %}
+{%     set rule_parameters = (ferm__tpl_filtered_rules[element.name].copy() if ferm__tpl_filtered_rules[element.name] is defined else {}) %}
+{%     if rule_parameters.rules is undefined and element.rules is undefined %}
+{%       set ferm__tpl_rule = {} %}
+{%       for parameter in element.keys() | sort %}
+{%         if parameter not in [ 'comment', 'rule_state', 'name', 'rules', 'template', 'weight', 'weight_class', 'role', 'role_weight', 'delete', 'when', 'enabled' ] %}
+{%           if parameter == 'state' %}
+{%             if element["state"] not in [ 'present', 'absent', 'ignore' ] %}
+{%               set _ = ferm__tpl_rule.update({parameter: element[parameter]}) %}
+{%             endif %}
+{%           else %}
+{%             set _ = ferm__tpl_rule.update({parameter: element[parameter]}) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%       if ferm__tpl_rule %}
+{%         set _ = rule_parameters.update({"rules":[]}) %}
+{%         set _ = rule_parameters["rules"].append(ferm__tpl_rule) %}
+{%       endif %}
+{%     endif %}
+{%     if element["state"] is undefined or element["state"] not in [ 'present', 'absent', 'ignore' ] %}
+{%       if element["enabled"] | d() %}
+{%         if element["enabled"] | bool %}
+{%           set _ = rule_parameters.update({"rule_state":"present"}) %}
+{%         else %}
+{%           set _ = rule_parameters.update({"rule_state":"absent"}) %}
+{%         endif %}
+{%       elif element["rule_state"] | d() %}
+{%         set _ = rule_parameters.update({"rule_state":element["rule_state"]}) %}
+{%       else %}
+{%         set _ = rule_parameters.update({"rule_state":"present"}) %}
+{%       endif %}
+{%     endif %}
+{%     for param_key in element.keys() %}
+{%       set _ = rule_parameters.update({ param_key: element[param_key] }) %}
+{%     endfor %}
+{%     if element.name | d() %}
+{%       set _ = ferm__tpl_filtered_rules.update({element.name: rule_parameters}) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ ferm__tpl_filtered_rules | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/fhs/COPYRIGHT b/ansible_collections/debops/debops/roles/fhs/COPYRIGHT
new file mode 100644
index 00000000..a8336d18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fhs/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.fhs - Create base directory hierarchy used by DebOps roles
+
+Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/fhs/defaults/main.yml b/ansible_collections/debops/debops/roles/fhs/defaults/main.yml
new file mode 100644
index 00000000..c3d0010b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fhs/defaults/main.yml
@@ -0,0 +1,162 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _fhs__ref_defaults:
+
+# debops.fhs default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: fhs__enabled [[[
+#
+# Enable or disable support for base directory hierarchy management.
+fhs__enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Base directories [[[
+# --------------------
+
+# These variables define what base directories should be present on the host.
+# See :ref:`fhs__ref_directories` for more details.
+
+# .. envvar:: fhs__default_directories [[[
+#
+# List of the default base directories defined by the role.
+fhs__default_directories:
+
+  # Path where Ansible local facts are stored. This shouldn't really be changed
+  # because Ansible uses this path explicitly.
+  - name: 'facts'
+    path: '/etc/ansible/facts.d'
+
+  # Directory where user binaries accessible via "$PATH" should be stored.
+  - name: 'bin'
+    path: '/usr/local/bin'
+
+  # Directory where additional configuration files not related to existing or
+  # packaged services will be stored. Very rarely used.
+  - name: 'etc'
+    path: '/usr/local/etc'
+
+  # Directory where various scripts which don't or shouldn't be directly
+  # accessible from the interactive shell should be stored, so that they don't
+  # pollute Tab-completion. Roles can create subdirectories here in case when
+  # more than a handful of scripts are used.
+  - name: 'lib'
+    path: '/usr/local/lib'
+
+  # Directory where administrator binaries accessible via "$PATH" should be
+  # stored.
+  - name: 'sbin'
+    path: '/usr/local/sbin'
+
+  # Path where static data files should be stored, similar to
+  # the '/usr/share' directory. Rarely used.
+  - name: 'share'
+    path: '/usr/local/share'
+
+  # Path where application sources (tarballs, 'git' repositories) can be stored
+  # and operated on, usually in a separate subdirectory for each role or user.
+  - name: 'src'
+    path: '/usr/local/src'
+
+  # Directory that stores application data, things served by a given host, for
+  # example webpages. Web application system accounts may have their home
+  # directories there.
+  - name: 'data'
+    path: '/srv'
+
+  # Alternative directory for application data.
+  - name: 'srv'
+    path: '/srv'
+
+  # Directory used commonly for home directories of UNIX accounts used by web
+  # applications, or for the websites installed system-wide. An alternative
+  # location of the '/var/www/' directory for non-packaged content.
+  - name: 'www'
+    path: '/srv/www'
+
+  # Path where local backups generated by automated scripts are stored, usually
+  # in separate subdirectories for each user/role.
+  - name: 'backup'
+    path: '/var/backups'
+
+  # Path where home directories of local system accounts are stored ('/home' is
+  # reserved for regular users and home directories of users stored in remote
+  # filesystems like NFS).
+  - name: 'home'
+    path: '/var/local'
+    mode: '02775'
+
+  # Path where variable internal data are stored. Examples include databases,
+  # spools, transient files. Usually a separate subdirectory is used, especially
+  # when the application has its own home directory.
+  - name: 'var'
+    path: '/var/local'
+    mode: '02775'
+
+  # Directory where non-web applications are installed. By default it's in
+  # a subdirectory, usually home directory of an application, but the root path
+  # might be different.
+  - name: 'app'
+    path: '/var/local'
+    mode: '02775'
+
+  # Path where cache files are stored, optionally with a separate subdirectory.
+  - name: 'cache'
+    path: '/var/cache'
+
+  # Path where log files are stored, optionally with a separate subdirectory.
+  - name: 'log'
+    path: '/var/log'
+    mode: '{{ "u=rwX,g=rwX,o=rX"
+              if (ansible_distribution in ["Ubuntu", "Linux Mint"])
+              else omit }}'
+
+  # Path where spool files are stored, optionally with a separate subdirectory.
+  - name: 'spool'
+    path: '/var/spool'
+
+                                                                   # ]]]
+# .. envvar:: fhs__directories [[[
+#
+# List of additional base directories defined by the user for all hosts in the
+# Ansible inventory.
+fhs__directories: []
+
+                                                                   # ]]]
+# .. envvar:: fhs__group_directories [[[
+#
+# List of additional base directories defined by the user for hosts in a
+# specific Ansible inventory group.
+fhs__group_directories: []
+
+                                                                   # ]]]
+# .. envvar:: fhs__host_directories [[[
+#
+# List of additional base directories defined by the user for specific hosts in
+# the Ansible inventory.
+fhs__host_directories: []
+
+                                                                   # ]]]
+# .. envvar:: fhs__combined_directories [[[
+#
+# Variable which combines all of the base directory lists and is used in role
+# tasks and templates.
+fhs__combined_directories: '{{ fhs__default_directories
+                               + fhs__directories
+                               + fhs__group_directories
+                               + fhs__host_directories }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/fhs/meta/main.yml b/ansible_collections/debops/debops/roles/fhs/meta/main.yml
new file mode 100644
index 00000000..ec1f76c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fhs/meta/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Create base directory hierarchy used by DebOps roles'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  galaxy_tags:
+  - system
diff --git a/ansible_collections/debops/debops/roles/fhs/tasks/main.yml b/ansible_collections/debops/debops/roles/fhs/tasks/main.yml
new file mode 100644
index 00000000..9e57e6ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fhs/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create base directory hierarchy
+  ansible.builtin.file:
+    path: '{{ hostvars[inventory_hostname]["ansible_local"]["fhs"][item.name] | d(item.path) }}'
+    state: 'directory'
+    mode: '{{ item.mode | d("0755") }}'
+  loop: '{{ fhs__combined_directories | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {item.name: (hostvars[inventory_hostname]["ansible_local"]["fhs"][item.name] | d(item.path))} }}'
+  when: (fhs__enabled | bool and item.state | d('present') != 'absent' and
+         (hostvars[inventory_hostname]["ansible_local"]["fhs"][item.name] | d(item.path)).startswith('/'))
+  tags: [ 'meta::facts' ]
+
+- name: Save fhs local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/fhs.fact.j2'
+    dest: '/etc/ansible/facts.d/fhs.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: fhs__enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/fhs/templates/etc/ansible/facts.d/fhs.fact.j2 b/ansible_collections/debops/debops/roles/fhs/templates/etc/ansible/facts.d/fhs.fact.j2
new file mode 100644
index 00000000..a21e2e78
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fhs/templates/etc/ansible/facts.d/fhs.fact.j2
@@ -0,0 +1,31 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+# Workaround to allow Jinja template inside of a Python script
+"""
+{% set fhs__tpl_facts = {} %}
+{% for item in fhs__combined_directories | debops.debops.parse_kv_items %}
+{%   if hostvars[inventory_hostname]["ansible_local"]["fhs"][item.name] | d() %}
+{%     set _ = fhs__tpl_facts.update({item.name:
+         hostvars[inventory_hostname]["ansible_local"]["fhs"][item.name]}) %}
+{%   else %}
+{%     if item.state | d('present') != 'absent' and item.path.startswith('/') %}
+{%       set _ = fhs__tpl_facts.update({item.name: item.path}) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+"""
+
+output = loads('''{{ fhs__tpl_facts | to_nice_json }}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/filebeat/COPYRIGHT b/ansible_collections/debops/debops/roles/filebeat/COPYRIGHT
new file mode 100644
index 00000000..0bd98786
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.filebeat - Manage Filebeat service using Ansible
+
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/filebeat/defaults/main.yml b/ansible_collections/debops/debops/roles/filebeat/defaults/main.yml
new file mode 100644
index 00000000..68abec50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/defaults/main.yml
@@ -0,0 +1,516 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _filebeat__ref_defaults:
+
+# debops.filebeat default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, version [[[
+# -------------------------
+
+# The ``debops.filebeat`` role uses the :ref:`debops.elastic_co` Ansible role
+# to configure the Elastic APT repositories and install the packages. The role
+# also installs the Ansible facts that provide the ``filebeat``
+# version.
+
+# .. envvar:: filebeat__base_packages [[[
+#
+# List of base APT packages to install.
+filebeat__base_packages: [ 'filebeat' ]
+
+                                                                   # ]]]
+# .. envvar:: filebeat__packages [[[
+#
+# List of additional APT packages to install with Filebeat.
+filebeat__packages: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__version [[[
+#
+# Store the detected Filebeat version in a convenient variable for conditional
+# configuration.
+filebeat__version: '{{ ansible_local.filebeat.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Main Filebeat configuration file [[[
+# ------------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/filebeat/filebeat.yml` configuration file.
+# See :ref:`filebeat__ref_configuration` for more details.
+
+# .. envvar:: filebeat__original_configuration [[[
+#
+# Filebeat configuration based on the original config file which comes with the
+# package. Some of the configuration options are overridden in the subsequent
+# configuration variable.
+filebeat__original_configuration:
+
+  - name: 'filebeat_inputs'
+    config:
+      filebeat.inputs:
+        - type: 'log'
+          enabled: False
+          paths: [ '/var/log/*.log' ]
+
+  - name: 'filebeat_config_modules'
+    config:
+      filebeat.config.modules:
+        path: '${path.config}/modules.d/*.yml'
+        reload.enabled: False
+
+  - name: 'setup_template_settings'
+    config:
+      setup.template.settings:
+        index.number_of_shards: 3
+
+  - name: 'setup_kibana'
+    config:
+      setup.kibana:
+
+  - name: 'output_elasticsearch'
+    config:
+      output.elasticsearch:
+        hosts: [ 'localhost:9200' ]
+
+  - name: 'processors'
+    config:
+      processors:
+        - add_host_metadata: ~
+        - add_cloud_metadata: ~
+
+                                                                   # ]]]
+# .. envvar:: filebeat__default_configuration [[[
+#
+# The Filebeat configuration defined by the role.
+filebeat__default_configuration:
+
+  - name: 'filebeat_inputs'
+    config:
+      filebeat.inputs:
+        - type: 'log'
+          enabled: True
+          paths:
+            - '/var/log/*.log'
+            - '/var/log/messages'
+
+  - name: 'filebeat_config_inputs'
+    config:
+      filebeat.config.inputs:
+        path: '${path.config}/inputs.d/*.yml'
+        reload.enabled: True
+        reload.period: '30s'
+
+  - name: 'filebeat_config_modules'
+    config:
+      filebeat.config.modules:
+        path: '${path.config}/modules.d/*.yml'
+        reload.enabled: True
+        reload.period: '30s'
+
+                                                                   # ]]]
+# .. envvar:: filebeat__configuration [[[
+#
+# The Filebeat configuration which should be present on all hosts in the
+# Ansible inventory.
+filebeat__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__group_configuration [[[
+#
+# The Filebeat configuration which should be present on hosts in a specific
+# Ansible inventory group.
+filebeat__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__host_configuration [[[
+#
+# The Filebeat configuration which should be present on specific hosts in the
+# Ansible inventory.
+filebeat__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__combined_configuration [[[
+#
+# Variable which combines all Filebeat configuration variables and is used in
+# the role tasks and templates.
+filebeat__combined_configuration: '{{ filebeat__original_configuration
+                                      + filebeat__default_configuration
+                                      + filebeat__configuration
+                                      + filebeat__group_configuration
+                                      + filebeat__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Filebeat configuration snippets [[[
+# -----------------------------------
+
+# The variables below define Filebeat configuration snippets stored in the
+# :file:`/etc/filebeat/` directory. Snippets can be created in subdirectories,
+# which will be created automatically. See :ref:`filebeat__ref_snippets` for
+# more details.
+
+# .. envvar:: filebeat__default_snippets [[[
+#
+# A list of default Filebeat configuration snippets defined by the role.
+filebeat__default_snippets:
+
+  - name: 'inputs.d/ceph.yml'
+    state: '{{ "present"
+               if ansible_local.ceph.installed | d() | bool
+               else "absent" }}'
+    config:
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ceph/ceph-osd.*.log'
+        ignore_older: '1h'
+        fields:
+          ceph.daemon: 'osd'
+        fields_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ceph/ceph-mgr.*.log'
+        ignore_older: '1h'
+        fields:
+          ceph.daemon: 'mgr'
+        fields_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ceph/ceph-mon.*.log'
+        ignore_older: '1h'
+        fields:
+          ceph.daemon: 'mon'
+        fields_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ceph/ceph.log'
+        ignore_older: '1h'
+        fields:
+          ceph.daemon: 'ceph'
+        fields_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ceph/ceph.audit.log'
+        ignore_older: '1h'
+        fields:
+          ceph.daemon: 'audit'
+        fields_under_root: True
+
+
+  - name: 'inputs.d/libvirt.yml'
+    state: '{{ "present"
+               if ansible_local.libvirtd.installed | d() | bool
+               else "absent" }}'
+    config:
+      type: 'log'
+      enabled: True
+      paths:
+        - '/var/log/libvirt/*.log'
+        - '/var/log/libvirt/qemu/*.log'
+      ignore_older: '1h'
+      fields:
+        libvirt: True
+      fields_under_root: True
+
+
+  - name: 'inputs.d/named.yml'
+    state: '{{ "present"
+               if ansible_local.bind.installed | d() | bool
+               else "absent" }}'
+    config:
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/named/named.log'
+        ignore_older: '1h'
+        fields:
+          named.type: 'general'
+        files_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/named/lame.log'
+        ignore_older: '1h'
+        fields:
+          named.type: 'lame'
+        files_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/named/query.log'
+        ignore_older: '1h'
+        fields:
+          named.type: 'query'
+        files_under_root: True
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/named/query-errors.log'
+        ignore_older: '1h'
+        fields:
+          named.type: 'query-errors'
+        files_under_root: True
+
+
+  - name: 'inputs.d/openstack.yml'
+    state: '{{ "present"
+               if ansible_local.openstack.installed | d() | bool
+               else "absent" }}'
+    config:
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/nova/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'nova'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/neutron/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'neutron'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/glance/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'glance'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/cinder/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'cinder'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/keystone/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'keystone'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+      - type: 'log'
+        enabled: True
+        paths:
+          - '/var/log/ironic/*.log'
+          - '/var/log/ironic-inspector/*.log'
+        ignore_older: '1h'
+        fields:
+          openstack.component: 'ironic'
+        fields_under_root: True
+        multiline:
+          pattern: '^.*(ERROR).*[[:space:]]{3}.*'
+          negate: False
+          match: 'after'
+
+
+  - name: 'modules.d/apache2.yml'
+    config:
+      module: 'apache2'
+      access:
+        enabled: True
+      error:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.apache.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/auditd.yml'
+    config:
+      module: 'auditd'
+      log:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.auditd.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/icinga.yml'
+    config:
+      module: 'icinga'
+      main:
+        enabled: True
+      debug:
+        enabled: True
+      startup:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.icinga.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/mysql.yml'
+    config:
+      module: 'mysql'
+      error:
+        enabled: True
+      slowlog:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.mariadb.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/nginx.yml'
+    config:
+      module: 'nginx'
+      access:
+        enabled: True
+      error:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.nginx.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/postgresql.yml'
+    config:
+      module: 'postgresql'
+      log:
+        enabled: True
+    state: '{{ "present"
+               if (ansible_local.postgresql.installed | d() | bool)
+               else "ignore" }}'
+
+  - name: 'modules.d/system.yml'
+    config:
+      module: 'system'
+      syslog:
+        enabled: True
+      auth:
+        enabled: True
+
+                                                                   # ]]]
+# .. envvar:: filebeat__snippets [[[
+#
+# A list of Filebeat configuration snippets which should be present on all
+# hosts in the Ansible inventory.
+filebeat__snippets: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__group_snippets [[[
+#
+# A list of Filebeat configuration snippets which should be present on hosts in
+# a specific Ansible inventory group.
+filebeat__group_snippets: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__host_snippets [[[
+#
+# A list of Filebeat configuration snippets which should be present on specific
+# hosts in the Ansible inventory.
+filebeat__host_snippets: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__combined_snippets [[[
+#
+# Variable which combines all Filebeat snippet variables and is used in role
+# tasks and templates.
+filebeat__combined_snippets: '{{ filebeat__default_snippets
+                                 + filebeat__snippets
+                                 + filebeat__group_snippets
+                                 + filebeat__host_snippets }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Filebeat keystore contents [[[
+# ------------------------------
+
+# The variables below define the contents of the Filebeat keystore which can be
+# used to store passwords and other confidential data, which then can be
+# referenced in Filebeat configuration files. See :ref:`filebeat__ref_keys` for
+# more details.
+
+# .. envvar:: filebeat__keys [[[
+#
+# Filebeat keystore content which should be present on all hosts in the Ansible
+# inventory.
+filebeat__keys: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__group_keys [[[
+#
+# Filebeat keystore content which should be present on all hosts in the Ansible
+# inventory.
+filebeat__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__host_keys [[[
+#
+# Filebeat keystore content which should be present on hosts in a specific
+# Ansible inventory group.
+filebeat__host_keys: []
+
+                                                                   # ]]]
+# .. envvar:: filebeat__combined_keys [[[
+#
+# Filebeat keystore content which should be present on specific hosts in the
+# Ansible inventory.
+filebeat__combined_keys: '{{ filebeat__keys
+                             + filebeat__group_keys
+                             + filebeat__host_keys }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: filebeat__extrepo__dependent_sources [[[
+#
+# Configuration for the :ref:`debops.extrepo` Ansible role.
+filebeat__extrepo__dependent_sources:
+  - 'elastic'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/filebeat/meta/main.yml b/ansible_collections/debops/debops/roles/filebeat/meta/main.yml
new file mode 100644
index 00000000..debe28cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Filebeat, a log shipper for Elasticsearch'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - xenial
+    - bionic
+    - focal
+  - name: Debian
+    versions:
+    - stretch
+    - buster
+    - bullseye
+  galaxy_tags:
+  - elasticsearch
+  - logs
+  - logging
+  - syslog
diff --git a/ansible_collections/debops/debops/roles/filebeat/tasks/main.yml b/ansible_collections/debops/debops/roles/filebeat/tasks/main.yml
new file mode 100644
index 00000000..2cbccec7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/tasks/main.yml
@@ -0,0 +1,149 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Filebeat packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (filebeat__base_packages
+                              + filebeat__packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: filebeat__register_packages
+  until: filebeat__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Filebeat local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/filebeat.fact.j2'
+    dest: '/etc/ansible/facts.d/filebeat.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert the original Filebeat configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/filebeat/filebeat.yml'
+    state: 'present'
+  register: filebeat__register_config_divert
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Generate main Filebeat configuration
+  ansible.builtin.template:
+    src: 'etc/filebeat/filebeat.yml.j2'
+    dest: '/etc/filebeat/filebeat.yml'
+    mode: '0600'
+  notify: [ 'Test filebeat configuration and restart' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required configuration directories
+  ansible.builtin.file:
+    path: '{{ "/etc/filebeat/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ filebeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init'] and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove snippet configuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/filebeat/" + (item.name | regex_replace(".yml", "") + ".yml") }}'
+    state: 'absent'
+  loop: '{{ filebeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state, "config": item.config} }}'
+  notify: [ 'Test filebeat configuration and restart' ]
+  when: item.state | d('present') == 'absent' and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate snippet configuration
+  ansible.builtin.template:
+    src: 'etc/filebeat/snippets.d/snippet.yml.j2'
+    dest: '{{ "/etc/filebeat/" + (item.name | regex_replace(".yml", "") + ".yml") }}'
+    mode: '{{ item.mode | d("0600") }}'
+  loop: '{{ filebeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state, "config": item.config} }}'
+  notify: [ 'Test filebeat configuration and restart' ]
+  when: item.state | d('present') not in ['absent', 'ignore', 'init'] and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Check if the Filebeat keystore exists
+  ansible.builtin.stat:
+    path: '/var/lib/filebeat/filebeat.keystore'
+  register: filebeat__register_keystore
+
+- name: Create Filebeat keystore if not present
+  ansible.builtin.command: 'filebeat keystore create'
+  register: filebeat__register_keystore_create
+  changed_when: filebeat__register_keystore_create.changed | bool
+  when: not filebeat__register_keystore.stat.exists
+
+- name: Get the list of keystore contents
+  ansible.builtin.command: 'filebeat keystore list'
+  register: filebeat__register_keys
+  changed_when: False
+  check_mode: False
+
+- name: Remove key from Filebeat keystore when requested
+  ansible.builtin.command: 'filebeat keystore remove {{ item.name }}'
+  loop: '{{ filebeat__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Test filebeat configuration and restart' ]
+  register: filebeat__register_keystore_remove
+  changed_when: filebeat__register_keystore_remove.changed | bool
+  when: (item.state | d('present') == 'absent' and
+         item.name in filebeat__register_keys.stdout_lines)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set or update key in Filebeat keystore
+  environment:
+    DEBOPS_FILEBEAT_KEY: '{{ item.value }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if item.force | d(False) %}
+    printf "%s" "${DEBOPS_FILEBEAT_KEY}" | filebeat keystore add "{{ item.name }}" --stdin --force
+    {% else %}
+    printf "%s" "${DEBOPS_FILEBEAT_KEY}" | filebeat keystore add "{{ item.name }}" --stdin
+    {% endif %}
+  args:
+    executable: 'bash'
+  loop: '{{ filebeat__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Test filebeat configuration and restart' ]
+  register: filebeat__register_keystore_add
+  changed_when: filebeat__register_keystore_add.changed | bool
+  when: (item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.name not in filebeat__register_keys.stdout_lines or
+          (item.force | d(False)) | bool))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Enable filebeat service on installation
+  ansible.builtin.service:  # noqa no-handler
+    name: 'filebeat'
+    enabled: True
+  when: filebeat__register_config_divert is changed
diff --git a/ansible_collections/debops/debops/roles/filebeat/templates/etc/ansible/facts.d/filebeat.fact.j2 b/ansible_collections/debops/debops/roles/filebeat/templates/etc/ansible/facts.d/filebeat.fact.j2
new file mode 100644
index 00000000..ca817c91
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/templates/etc/ansible/facts.d/filebeat.fact.j2
@@ -0,0 +1,36 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('filebeat'),
+          'inputs': '/etc/filebeat/inputs.d',
+          'modules': '/etc/filebeat/modules.d'}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "filebeat"]).decode('utf-8')
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/filebeat.yml.j2 b/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/filebeat.yml.j2
new file mode 100644
index 00000000..7ed0619d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/filebeat.yml.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+---
+# {{ ansible_managed }}
+
+{% set filebeat__tpl_configuration = {} %}
+{% for element in filebeat__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.config | d() %}
+{%     set combined_config = filebeat__tpl_configuration | combine(element.config, recursive=True) %}
+{%     set _ = filebeat__tpl_configuration.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{{ filebeat__tpl_configuration | to_nice_yaml(indent=2) }}
diff --git a/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/snippets.d/snippet.yml.j2 b/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/snippets.d/snippet.yml.j2
new file mode 100644
index 00000000..d6802a2e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/filebeat/templates/etc/filebeat/snippets.d/snippet.yml.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+---
+# {{ ansible_managed }}
+
+{% if item.comment is defined %}
+{{ item.comment | trim | comment(prefix='', postfix='') }}
+{% endif %}
+{{ q("flattened", item.config) | to_nice_yaml(indent=2) }}
diff --git a/ansible_collections/debops/debops/roles/firejail/COPYRIGHT b/ansible_collections/debops/debops/roles/firejail/COPYRIGHT
new file mode 100644
index 00000000..961593ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/COPYRIGHT
@@ -0,0 +1,19 @@
+firejail - Setup and configure Firejail
+
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/firejail/defaults/main.yml b/ansible_collections/debops/debops/roles/firejail/defaults/main.yml
new file mode 100644
index 00000000..2fd4fda0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/defaults/main.yml
@@ -0,0 +1,240 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _firejail__ref_defaults:
+
+# debops-contrib.firejail default variables [[[
+# =============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: firejail__base_packages [[[
+#
+# List of base packages to install.
+firejail__base_packages:
+  - 'firejail'
+
+                                                                   # ]]]
+# .. envvar:: firejail__packages [[[
+#
+# List of optional global packages.
+# This variable is intended to be used in Ansible’s global inventory.
+firejail__packages: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__group_packages [[[
+#
+# List of optional group packages.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+firejail__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__host_packages [[[
+#
+# List of optional host packages.
+# This variable is intended to be used in the inventory of hosts.
+firejail__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Firejail is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Firejail is uninstalled and it's configuration is removed.
+#
+firejail__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# System paths [[[
+# ----------------
+
+# .. envvar:: firejail__config_path [[[
+#
+# Directory where the system wide Firejail configuration and profiles are
+# stored.
+firejail__config_path: '/etc/firejail'
+
+                                                                   # ]]]
+# .. envvar:: firejail__program_file_path [[[
+#
+# File path of the :command:`firejail` binary.
+# When set to ``auto``, the role tries to figure out the file path via the
+# :command:`which` command.
+# Note that :command:`which` is executed in the context of the root user who
+# might have a different ``PATH`` variable then normal users.
+#
+# To use :command:`firejail` from another location, set:
+#
+# .. code-block:: yaml
+#   :linenos:
+#
+#    firejail__program_file_path: '/usr/local/bin/firejail'
+#
+# in your Ansible inventory.
+firejail__program_file_path: 'auto'
+
+                                                                   # ]]]
+# .. envvar:: firejail__system_local_bin_path [[[
+#
+# Directory in which to create the symlinks when enabling a profile system
+# wide.
+# This directory path must be included in the ``PATH`` variable before the
+# directory which contains the real program so that the symlink pointing to
+# :command:`firejail` is used when users try to execute the program.
+firejail__system_local_bin_path: '{{ ansible_local.fhs.bin | d("/usr/local/bin") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Program sandboxes [[[
+# ---------------------
+
+# Program sandboxes can be defined using dictionary variables on different
+# inventory levels which are combined together.
+#
+# For more details refer to :ref:`firejail__ref_program_sandboxes`
+# in the :ref:`firejail__ref_default_variable_details` section.
+
+# .. envvar:: firejail__program_sandboxes [[[
+#
+# This variable is intended to be used in Ansible’s global inventory.
+firejail__program_sandboxes: {}
+
+                                                                   # ]]]
+# .. envvar:: firejail__group_program_sandboxes [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+firejail__group_program_sandboxes: {}
+
+                                                                   # ]]]
+# .. envvar:: firejail__host_program_sandboxes [[[
+#
+# This variable is intended to be used in the inventory of hosts.
+firejail__host_program_sandboxes: {}
+
+                                                                   # ]]]
+# .. envvar:: firejail__role_program_sandboxes [[[
+#
+# Program sandbox definitions used/set internally by this role.
+firejail__role_program_sandboxes:
+  default:
+    # The "default" profile is not intended to correspond to a program called
+    # "default". Ensure that even if such a program exists, it will not be
+    # sandboxed system wide without the role maintainers approving it first.
+    # Last checked: 2019-01.
+    system_wide_sandboxed: 'absent'
+  ssh:
+    # Might conflict with other programs using it. For example, Ansible and
+    # BorgBackup did not work with this enabled system wide.
+    system_wide_sandboxed: 'absent'
+  tar:
+    # Causes dpkg install tasks to fail.
+    system_wide_sandboxed: 'absent'
+  unrar:
+    # Did not extract when run in sandbox.
+    # `unp` seems unable to detect that `unrar` is installed with the symlink.
+    # Last checked: 2019-01.
+    system_wide_sandboxed: 'absent'
+  git:
+    # Needed everywhere. Did not work well with zsh and does not work for root because the profile uses --noroot.
+    # Last checked: 2019-01.
+    system_wide_sandboxed: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: firejail__combined_program_sandboxes [[[
+#
+# Combined dictionary of program sandboxes as it is used by the role.
+# This defines the order in which dictionary keys might "mask" previous once.
+firejail__combined_program_sandboxes: '{{
+  firejail__role_program_sandboxes
+  | combine(firejail__program_sandboxes)
+  | combine(firejail__group_program_sandboxes)
+  | combine(firejail__host_program_sandboxes) }}'
+
+                                                                   # ]]]
+# .. envvar:: firejail__global_profiles_system_wide_sandboxed [[[
+#
+# Sandbox all programs for which Firejail ships profiles or which have
+# otherwise been configured below :envvar:`firejail__config_path` system wide
+# using the method described in
+# :ref:`item.system_wide_sandboxed <firejail__ref_system_wide_sandboxed>`.
+# This variable only applies when the program was not configured using
+# :ref:`firejail__ref_program_sandboxes`. For that case refer to
+# :envvar:`firejail__program_sandboxes_system_wide_sandboxed`.
+firejail__global_profiles_system_wide_sandboxed: 'if_installed'
+
+                                                                   # ]]]
+# .. envvar:: firejail__program_sandboxes_system_wide_sandboxed [[[
+#
+# Default value for :ref:`item.system_wide_sandboxed <firejail__ref_system_wide_sandboxed>`.
+firejail__program_sandboxes_system_wide_sandboxed: 'if_installed'
+                                                                   # ]]]
+                                                                   # ]]]
+# Workaround for desktop files [[[
+# --------------------------------
+
+# Some desktop files include a full path to the executable which would
+# result in the program being executed without Firejail sandboxing it.
+# For this, Firejail provides the :command:`firecfg --fix` command which fixes
+# those desktop files and saves them under :file:`~/.local/share/applications/`.
+#
+# This section provides variables which you should use to do this for the
+# users.
+#
+# Those variables have the same structure as the ``users__accounts`` ones from
+# the debops.users_ role. This allows you to include all users you
+# configured using the debops.users_ by putting this:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    firejail__fix_for_users: '{{ users__accounts | d([]) }}'
+#    firejail__group_fix_for_users: '{{ users__group_accounts | d([]) }}'
+#    firejail__host_fix_for_users: '{{ users__host_accounts | d([]) }}'
+#
+# into your global inventory.
+
+# .. envvar:: firejail__fix_for_users [[[
+#
+# Global list of users for which the desktop files workaround should be applied.
+# The list should contain a dictionary for each user with the username in the
+# ``name`` key of the dictionary.
+firejail__fix_for_users: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__group_fix_for_users [[[
+#
+# Host group list of users for which the desktop files workaround should be applied.
+firejail__group_fix_for_users: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__host_fix_for_users [[[
+#
+# Host list of users for which the desktop files workaround should be applied.
+firejail__host_fix_for_users: []
+
+                                                                   # ]]]
+# .. envvar:: firejail__combined_fix_for_users [[[
+#
+# Combined list of users as it is used by the role.
+firejail__combined_fix_for_users: '{{ (firejail__fix_for_users | list)
+                                      + (firejail__group_fix_for_users | list)
+                                      + (firejail__host_fix_for_users | list) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/ansible-integration.rst b/ansible_collections/debops/debops/roles/firejail/docs/ansible-integration.rst
new file mode 100644
index 00000000..6ab10725
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/ansible-integration.rst
@@ -0,0 +1,35 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Ansible integration and role design
+===================================
+
+.. include:: includes/all.rst
+
+Design goals
+------------
+
+* :command:`firecfg` is not being used to enabling/disabling
+  :ref:`system wide sandboxes <firejail__ref_system_wide_sandboxed>`.
+  This is done by the role itself to have more control over the process.
+
+  Note that running :command:`firecfg` without arguments will have a similar
+  affect than when using this role with
+  :envvar:`firejail__global_profiles_system_wide_sandboxed` set to
+  `if_installed <firejail__ref_system_wide_sandboxed_if_installed>`_ but
+  without all the other logic of this role.
+  So :command:`firecfg` might change settings done by the role. You can rerun
+  the role to ensure that the state defined by Ansible is present on the
+  system.
+
+Alternative roles
+-----------------
+
+As of 2016-10-31 ypid_ was aware of two alternative Ansible roles for Firejail:
+
+* `gbraad.firejail <https://galaxy.ansible.com/gbraad/firejail/>`_, targets Fedora, has a major security issue: `Installation can be trivially MITMed leading to the system being comprised <https://github.com/gbraad/ansible-role-firejail/issues/2>`_. Only deals with installing the Firejail suite itself.
+* `Firejail role <https://bitbucket.org/aaaaaaaaaaaaaaaaaaaaa1/ansible-firejail>`_ by `aaaaaaaaaaaaaaaaaaaaa1 <https://bitbucket.org/aaaaaaaaaaaaaaaaaaaaa1/>`_, targets system which use APT_. Only deals with building and installing Firejail itself.
+
+None of the existing roles where found to be a suitable start for this role so
+it has been designed and written from scratch.
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/changelog.rst b/ansible_collections/debops/debops/roles/firejail/docs/changelog.rst
new file mode 100644
index 00000000..7bbcd324
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/copyright.rst b/ansible_collections/debops/debops/roles/firejail/docs/copyright.rst
new file mode 100644
index 00000000..d289ad2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/defaults-detailed.rst b/ansible_collections/debops/debops/roles/firejail/docs/defaults-detailed.rst
new file mode 100644
index 00000000..7703bb5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/defaults-detailed.rst
@@ -0,0 +1,144 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _firejail__ref_default_variable_details:
+
+Default variable details
+========================
+
+.. include:: includes/all.rst
+
+Some of ``debops-contrib.firejail`` default variables have more extensive
+configuration than simple strings or lists, here you can find documentation and
+examples for them.
+
+.. contents::
+   :local:
+   :depth: 1
+
+.. _firejail__ref_program_sandboxes:
+
+program_sandboxes
+-----------------
+
+The :envvar:`firejail__program_sandboxes` and similar dictionaries allow you to
+configure program sandboxes using Firejail profiles (:manpage:`firejail-profile(5)`).
+The dictionary key is the program name, the value is a dictionary with the
+following supported keys:
+
+.. _firejail__ref_system_wide_sandboxed:
+
+``system_wide_sandboxed``
+  Optional, string.
+  Should the program be sandboxed with :command:`firejail` for all users of the
+  system by creating a symlink under :jinja_code:`/usr/local/bin/{{ item.key }}`
+  with the :command:`firejail` program binary file path as target.
+  The directory path where the symlink is being created/removed
+  (:file:`/usr/local/bin/`) can be changed via :envvar:`firejail__system_local_bin_path`.
+  This option relies on the feature of :command:`firejail` to be called via a
+  different file path which causes :command:`firejail` to act as a wrapper
+  around the real program.
+
+  These options are supported:
+
+  ``present``
+    The sandbox should be present system wide.
+
+  .. _firejail__ref_system_wide_sandboxed_if_installed:
+
+  ``if_installed``
+    The sandbox should be present system wide but only if the program is
+    installed (is found in ``PATH``) on role run.
+    This can be used to not make it look like the program is installed (by
+    creating a symlink with the name in the ``PATH``) and to avoid the case where
+    a user tries to run the program and :command:`firejail` complaining with
+    "Error: cannot find the program in the path".
+    If the program is not found, then the system wide sandbox will be made
+    ``absent``.
+
+  ``absent``
+    The sandbox should be absent system wide.
+
+  ``ignored``
+    A potentially existing file in :file:`/usr/local/bin/` is ignored.
+
+  Defaults to :envvar:`firejail__global_profiles_system_wide_sandboxed`.
+  Refer to :manpage:`firejail(1)` under "Desktop Integration" or `Firejail
+  0.9.38 Release Announcement`_ under "Symlink invocation".
+
+``profile``
+  Optional, dictionary.
+  Use a provided profile by copying it from the Ansible controller into the
+  :envvar:`firejail__config_path` directory of the remote system using the
+  `Ansible ansible.builtin.copy module`_.
+  ``profile`` is basically just passed to the module. Refer to it’s
+  documentation for details with the exception that the ``state`` parameter is
+  handled properly. ``state`` defaults to ``present`` but can be set to
+  ``absent`` which will cause the profile on the remote systems to become absent.
+  Refer to :ref:`firejail__ref_program_sandboxes_providing_additional_profiles`
+  for how this can be used.
+
+
+Examples for sandboxing additional programs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Sandbox the given programs on all hosts even if Firejail does not yet ship with
+a profile for them:
+
+.. code-block:: yaml
+
+   firejail__program_sandboxes:
+     jq: {}
+     my_cool_program:
+       system_wide_sandboxed: 'present'
+
+The symlink for :program:`jq` will only be created if :program:`jq` is installed.
+The symlink for :program:`my_cool_program` will be created regardless whether
+it has been found in the ``PATH``.
+
+
+Example to exclude a program from being sandboxed
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Depending on the value of :envvar:`firejail__global_profiles_system_wide_sandboxed`,
+the role might sandbox all programs which are installed and for which security
+profiles are defined. Check out the following example in case you want to
+exclude programs from being sandboxed system wide:
+
+.. code-block:: yaml
+
+   firejail__program_sandboxes:
+     less:
+       # Less can’t possibly have an issue with parsing untrusted input (TM).
+       # I know what I am doing! Don’t sandbox it!
+       system_wide_sandboxed: 'absent'
+
+
+.. _firejail__ref_program_sandboxes_providing_additional_profiles:
+
+Examples for providing additional profiles
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Copy Firejail security profiles from the Ansible controller to all remote
+systems:
+
+.. code-block:: yaml
+
+   firejail__program_sandboxes:
+     smplayer:
+       profile:
+         src: '/home/user/.config/firejail/smplayer.profile'
+
+         ## `content` can be used alternatively to `src` to provide the profile inlined
+         ## (supports Jinja templating as usual):
+         # content: |
+         #   # {{ ansible_managed }}
+         #   # smplayer security profile.
+         #   noblacklist ${HOME}/.config/smplayer
+         #   # And so on.
+
+         ## `state` can be used to make the profile absent:
+         # state: 'absent'
+
+This will create :file:`/etc/firejail/smplayer.profile` on all remote systems.
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/getting-started.rst b/ansible_collections/debops/debops/roles/firejail/docs/getting-started.rst
new file mode 100644
index 00000000..189bbca6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/getting-started.rst
@@ -0,0 +1,60 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To setup and configure Firejail on a given host it should be included in the
+``debops_service_firejail`` Ansible inventory group:
+
+.. code:: ini
+
+   [debops_service_firejail]
+   hostname
+
+Example playbook
+----------------
+
+Here's an example playbook that uses the ``debops-contrib.firejail`` role:
+
+.. literalinclude:: playbooks/firejail.yml
+   :language: yaml
+   :lines: 1,5-
+
+The playbooks is shipped with this role under
+:file:`./docs/playbooks/firejail.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::firejail``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::firejail:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
+
+``role::firejail:profile``
+  Tasks related to Firejail security profile management like copying or
+  removing profile files.
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/includes/all.rst b/ansible_collections/debops/debops/roles/firejail/docs/includes/all.rst
new file mode 100644
index 00000000..9eced120
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/includes/all.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
+.. include:: includes/role.rst
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/includes/role.rst b/ansible_collections/debops/debops/roles/firejail/docs/includes/role.rst
new file mode 100644
index 00000000..24c9cad2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/includes/role.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _Firejail 0.9.38 Release Announcement: https://l3net.wordpress.com/2016/02/04/firejail-0-9-38-release-announcement/
+.. _ypid_firejail-scripts: https://github.com/ypid/firejail-scripts
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/index.rst b/ansible_collections/debops/debops/roles/firejail/docs/index.rst
new file mode 100644
index 00000000..2d2a334b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/index.rst
@@ -0,0 +1,25 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.firejail:
+
+Ansible role: debops-contrib.firejail
+=====================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   defaults-detailed
+   ansible-integration
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/introduction.rst b/ansible_collections/debops/debops/roles/firejail/docs/introduction.rst
new file mode 100644
index 00000000..c2e37479
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/introduction.rst
@@ -0,0 +1,44 @@
+.. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2022 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+Firejail_ is a SUID program that reduces the risk of security breaches by
+restricting the running environment of untrusted applications using Linux
+namespaces and seccomp-bpf.
+
+This Ansible role allows you to setup and configure Firejail.
+
+Features
+~~~~~~~~
+
+* Installs Firejail from configured APT_ repositories. debops.apt_ can be used
+  to enable Backports if needed.
+* Sandboxes programs system-wide by placing a symlink to :command:`firejail`
+  into the ``PATH`` so that :command:`firejail` can wrap program invocations
+  and sandbox the invoked program using security profiles that Firejail ships
+  or that the system administrator defines.
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.3``. To install it, run::
+
+    ansible-galaxy install debops-contrib.firejail
+
+
+Note that this role uses features recently introduced in Jinja2, namely
+the `equalto` filter which was released with
+`Jinja 2.8 <http://jinja.pocoo.org/docs/dev/changelog/#version-2-8>`_ and thus
+requires Jinja 2.8.
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/firejail/docs/playbooks/firejail.yml b/ansible_collections/debops/debops/roles/firejail/docs/playbooks/firejail.yml
new file mode 100644
index 00000000..2b62e053
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/docs/playbooks/firejail.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and configure Firejail
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_firejail' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: secret
+
+    - role: firejail
+      tags: [ 'role::firejail' ]
diff --git a/ansible_collections/debops/debops/roles/firejail/meta/main.yml b/ansible_collections/debops/debops/roles/firejail/meta/main.yml
new file mode 100644
index 00000000..d08d9ea5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup and configure Firejail'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
+    - isolation
+    - sandboxing
+    - compartmentalization
+    - firejail
+    - seccomp
+    - apparmor
+    - x11
diff --git a/ansible_collections/debops/debops/roles/firejail/tasks/main.yml b/ansible_collections/debops/debops/roles/firejail/tasks/main.yml
new file mode 100644
index 00000000..3f29cf44
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/firejail/tasks/main.yml
@@ -0,0 +1,236 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# Ensure specified packages are present [[[
+- name: Ensure specified packages are present
+  ansible.builtin.package:
+    name: '{{ q("flattened", (firejail__base_packages
+                              + firejail__packages
+                              + firejail__group_packages
+                              + firejail__host_packages)) }}'
+    state: 'present'
+  when: firejail__deploy_state in ["present"]
+  register: firejail__register_packages
+  until: firejail__register_packages is succeeded
+  tags: [ 'role::firejail:pkgs' ]
+# ]]]
+
+# Installation details [[[
+- name: Get program file path of firejail
+  ansible.builtin.command: which -a firejail
+  register: firejail__register_program_file_path
+  check_mode: False
+  changed_when: False
+  failed_when: firejail__register_program_file_path.rc not in [0, 1]
+  when: (firejail__program_file_path == "auto")
+
+- name: Set program file path of firejail for later use in the role
+  ansible.builtin.set_fact:
+    firejail__program_file_path: '{{ (firejail__register_program_file_path.stdout_lines
+                                      + ["/usr/bin/firejail"]) | first }}'
+  when: (firejail__program_file_path == "auto")
+# ]]]
+
+# Gather list of system wide profiles [[[
+- name: Get list of system wide profiles
+  ansible.builtin.find:
+    file_type: 'file'
+    paths: [ '{{ firejail__config_path }}' ]
+    patterns: '*.profile'
+    use_regex: False
+    hidden: False
+    recurse: False
+  register: firejail__register_find_system_wide_profiles
+  # no_log: '{{ debops__no_log | d(True) }}'
+  ## Disabled because the output is not interesting but very verbose.
+
+- name: Set list of system wide profiles
+  ansible.builtin.set_fact:
+    firejail__fact_system_wide_profiles: '{{
+      firejail__register_find_system_wide_profiles.files
+        | map(attribute="path")
+        | map("basename")
+        | map("regex_replace", "\.profile$", "") | list }}'
+# ]]]
+
+# Gather list of installed programs [[[
+- name: Check if programs which should be sandboxed are installed
+  ansible.builtin.command: which -a {{ item | quote }}
+  check_mode: False
+  changed_when: False
+  failed_when: firejail__register_cmd_which_programs.rc not in [0, 1]
+  register: firejail__register_cmd_which_programs
+  when: (item in (firejail__combined_program_sandboxes.keys() | list
+                  + (firejail__fact_system_wide_profiles
+                     if (firejail__global_profiles_system_wide_sandboxed == "if_installed")
+                     else [])))
+  with_items: '{{ firejail__combined_program_sandboxes.keys() | list | union(firejail__fact_system_wide_profiles) }}'
+
+# For optimized performance, firejail__fact_installed_programs only contains
+# programs for which the install state actually matters.
+- name: Set list of installed programs
+  ansible.builtin.set_fact:
+    firejail__fact_installed_programs: '{{
+      firejail__register_cmd_which_programs.results
+      | selectattr("rc", "defined")
+      | selectattr("rc", "equalto", 0)
+      | map(attribute="stdout_lines")
+      | map("first") | map("basename") | list }}'
+
+# ]]]
+
+# Create/remove symlinks for sandboxed programs [[[
+- name: Ensure that the local bin path exists
+  ansible.builtin.file:
+    path: '{{ firejail__system_local_bin_path }}'
+    state: 'directory'
+    mode: '0755'
+
+- name: Create/remove symlinks for sandboxed programs
+  ansible.builtin.file:
+    path: '{{ firejail__system_local_bin_path + "/" + item }}'
+    src: '{{ firejail__program_file_path }}'
+    state: '{{ "link"
+               if (firejail__deploy_state in ["present"] and
+                   ((item in firejail__combined_program_sandboxes and
+                    ((firejail__combined_program_sandboxes[item].system_wide_sandboxed
+                      | d(firejail__program_sandboxes_system_wide_sandboxed) == "present") or
+                     ((firejail__combined_program_sandboxes[item].system_wide_sandboxed
+                       | d(firejail__program_sandboxes_system_wide_sandboxed) == "if_installed") and
+                       item in firejail__fact_installed_programs))) or
+                    (item not in firejail__combined_program_sandboxes and
+                     ((firejail__global_profiles_system_wide_sandboxed == "present") or
+                     (firejail__global_profiles_system_wide_sandboxed == "if_installed" and
+                      item in firejail__fact_installed_programs)))))
+               else "absent" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    force: '{{ ansible_check_mode | d(omit) }}'
+  when: not (item in firejail__combined_program_sandboxes and firejail__combined_program_sandboxes[item].system_wide_sandboxed | d("present") in ["ignored"])
+  with_items: '{{ firejail__combined_program_sandboxes.keys() | list | union(firejail__fact_system_wide_profiles) }}'
+# ]]]
+
+# Manage profile [[[
+- name: Provide (additional) profiles
+  ansible.builtin.copy:
+    dest:           '{{ item.value.profile.dest | d(firejail__config_path + "/" + item.key + ".profile") }}'
+    backup:         '{{ item.value.profile.backup | d(omit) }}'
+    content:        '{{ item.value.profile.content | d(omit) }}'
+    directory_mode: '{{ item.value.profile.directory_mode | d(omit) }}'
+    follow:         '{{ item.value.profile.follow | d(omit) }}'
+    force:          '{{ item.value.profile.force | d(omit) }}'
+    owner:          '{{ item.value.profile.owner | d("root") }}'
+    group:          '{{ item.value.profile.group | d("root") }}'
+    mode:           '{{ item.value.profile.mode | d("0644") }}'
+    selevel:        '{{ item.value.profile.selevel | d(omit) }}'
+    serole:         '{{ item.value.profile.serole | d(omit) }}'
+    setype:         '{{ item.value.profile.setype | d(omit) }}'
+    seuser:         '{{ item.value.profile.seuser | d(omit) }}'
+    src:            '{{ item.value.profile.src | d(omit) }}'
+    validate:       '{{ item.value.profile.validate | d(omit) }}'
+  when: (firejail__deploy_state in ["present"] and
+         "profile" in item.value and item.value.profile.state | d("present") == "present")
+  with_dict: '{{ firejail__combined_program_sandboxes }}'
+  tags: [ 'role::firejail:profile' ]
+
+- name: Delete profiles
+  ansible.builtin.file:
+    path: '{{ item.value.profile.dest | d(firejail__config_path + "/" + item.key + ".profile") }}'
+    state: 'absent'
+  when: ("profile" in item.value and
+         (item.value.profile.state | d("present") == "absent" or firejail__deploy_state in ["absent"]))
+  with_dict: '{{ firejail__combined_program_sandboxes }}'
+  tags: [ 'role::firejail:profile' ]
+# ]]]
+
+# Clean up program sandboxes [[[
+
+# This will not `find` broken symlinks which is the reason why system package
+# removal is performed after the cleanup so that the symlinks are not yet broken
+# when the cleanup tasks are run in `absent` `firejail__deploy_state`.
+# > /usr/local/bin/$program was skipped as it does not seem to be a valid file or it cannot be accessed
+- name: Get list of files in local bin path
+  ansible.builtin.find:
+    file_type: 'file'
+    paths: [ '{{ firejail__system_local_bin_path }}' ]
+    hidden: False
+    recurse: False
+  register: firejail__register_profile_program_symlinks_find
+  no_log: '{{ debops__no_log | d(True) }}'
+  ## Disabled because log is not interesting but very verbose.
+
+# Needed because of a bug: https://github.com/ansible/ansible-modules-core/issues/3027
+# `realpath` filter (https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#managing-file-names-and-path-names)
+# can not be used because filters are executed on the Ansible controller.
+- name: Workaround to get the realpath
+  ansible.builtin.stat:
+    path: '{{ item.path }}'
+  register: firejail__register_profile_program_symlinks_stat
+  no_log: '{{ debops__no_log | d(True) }}'
+  ## Disabled because log is not interesting but very verbose.
+  with_items: '{{ firejail__register_profile_program_symlinks_find.files }}'
+
+- name: Remove program symlink when profiles is is not defined in any variable
+  ansible.builtin.file:
+    path: '{{ item.stat.path }}'
+    state: 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+  ## Disabled because log is not interesting but very verbose.
+  when: (item.stat.islnk and
+         ((item.stat.lnk_source | basename == "firejail" and
+           (item.stat.lnk_source != firejail__program_file_path or
+            firejail__deploy_state not in ["present"])) or
+          (item.stat.lnk_source == firejail__program_file_path and
+           (item.stat.path | basename not in (firejail__combined_program_sandboxes.keys() | list
+                                            | union(firejail__fact_system_wide_profiles))))))
+  with_items: '{{ firejail__register_profile_program_symlinks_stat.results }}'
+
+# ]]]
+
+# Workaround for desktop files [[[
+
+  ## Firejail 0.9.44.4 does not ensure that the directory exists?
+- name: Ensure ~/.local/share/applications exists
+  ansible.builtin.file:
+    path: '~/.local/share/applications'
+    state: 'directory'
+    mode: '0755'
+  become: True
+  become_user: '{{ item.name }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: firejail__deploy_state in ["present"] and item != "root" and item.state | d("present") == "present"
+  loop: '{{ q("flattened", firejail__combined_fix_for_users) }}'
+
+- name: Apply workaround for desktop files
+  ansible.builtin.command: firecfg --fix
+  register: firejail__register_cmd_firecfg_fix
+  changed_when: ("created" in firejail__register_cmd_firecfg_fix.stdout)
+  become: True
+  become_user: '{{ item.name }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: firejail__deploy_state in ["present"] and item != "root" and item.state | d("present") == "present"
+  loop: '{{ q("flattened", firejail__combined_fix_for_users) }}'
+
+# ]]]
+
+# Ensure specified packages are absent [[[
+- name: Ensure specified packages are absent
+  ansible.builtin.package:
+    name: '{{ item }}'
+    state: 'absent'
+  when: firejail__deploy_state in ["absent"]
+  loop: '{{ q("flattened", firejail__base_packages
+                           + firejail__packages
+                           + firejail__group_packages
+                           + firejail__host_packages) }}'
+  tags: [ 'role::firejail:pkgs' ]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/foodsoft/COPYRIGHT b/ansible_collections/debops/debops/roles/foodsoft/COPYRIGHT
new file mode 100644
index 00000000..8e1651a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/COPYRIGHT
@@ -0,0 +1,19 @@
+foodsoft - Setup and manage Foodsoft
+
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/foodsoft/defaults/main.yml b/ansible_collections/debops/debops/roles/foodsoft/defaults/main.yml
new file mode 100644
index 00000000..23da4e5a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/defaults/main.yml
@@ -0,0 +1,464 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _foodsoft__ref_defaults:
+
+# debops-contrib.foodsoft default variables [[[
+# =============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+# .. include:: ../includes/role.rst
+
+
+# System packages [[[
+# -------------------
+
+# .. envvar:: foodsoft__base_packages [[[
+#
+# List of base packages required by Foodsoft.
+foodsoft__base_packages:
+  - '{{ ["ruby2.0", "ruby2.0-dev"] if (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["trusty"]) else [] }}'
+
+  - 'libcurl3-dev'
+  - 'libxml2-dev'
+  - 'libxslt-dev'
+  - 'libffi-dev'
+  - 'libreadline-dev'
+
+  ## charlock_holmes
+  - 'g++'
+  ## https://stackoverflow.com/questions/15553792/error-installing-charlock-holmes-error-installing-gitlab/15556110#15556110
+  - 'libicu-dev'
+
+  ## RMagick
+  - 'pkg-config'
+  - 'libmagickwand-dev'
+  - 'ruby-magic'
+  - 'libmagic-dev'
+
+  ## sqlite3
+  - '{{ ["libsqlite3-dev"] if (foodsoft__database in ["sqlite"]) else [] }}'
+
+  ## mysql2
+  - '{{ ["libmysqlclient-dev", "libmariadbd-dev"] if (foodsoft__database in ["mariadb"]) else [] }}'
+
+  ## Install via gem
+  # - 'ruby-charlock-holmes'
+  # - 'ruby-rmagick'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Foodsoft is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Foodsoft is uninstalled and it's configuration is removed.
+#
+# ``purged``
+#   Same as ``absent`` but additionally also ensures that the database and
+#   other persistent data is removed.
+#
+foodsoft__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# FQDN and DNS addresses [[[
+# --------------------------
+
+# .. envvar:: foodsoft__fqdn [[[
+#
+# The Fully Qualified Domain Name of the Foodsoft instance. This address is
+# used to configure the webserver frontend.
+foodsoft__fqdn: 'foodsoft.{{ foodsoft__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__domain [[[
+#
+# Domain that will be configured for the Foodsoft instance.
+foodsoft__domain: '{{ ansible_domain }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: foodsoft__database [[[
+#
+# Autodetected variable containing the database management system which should be used.
+# The supported and tested option is ``mariadb``.
+#
+# Refer to :ref:`foodsoft__ref_getting_started` for details.
+#
+# .. Planned are ``mariadb``, ``postgresql``, ``sqlite``.
+#
+foodsoft__database: '{{ ansible_local.foodsoft.database
+                        if (ansible_local.foodsoft.database | d())
+                        else ("mariadb"
+                              if (ansible_local | d() and ansible_local.mariadb is defined)
+                              else ("postgresql"
+                                    if (ansible_local | d() and ansible_local.postgresql is defined)
+                                    else "no-database-detected")) }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_server [[[
+#
+# FQDN of the database server. It will be configured by
+# the debops.mariadb_ or debops.postgresql_ role.
+foodsoft__database_server: '{{ ansible_local[foodsoft__database].server }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_port [[[
+#
+# Port database is listening on.
+foodsoft__database_port: '{{ ansible_local[foodsoft__database].port }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_name [[[
+#
+# Name of the database to use for Foodsoft.
+foodsoft__database_name: 'foodsoft'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_user [[[
+#
+# Database user to use for Foodsoft.
+foodsoft__database_user: 'foodsoft'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_password_path [[[
+#
+# Path to database password file.
+foodsoft__database_password_path: '{{ secret + "/" + foodsoft__database + "/"
+                                      + ansible_local[foodsoft__database].delegate_to
+                                      + (("/" + ansible_local[foodsoft__database].port)
+                                         if (foodsoft__database == "postgresql")
+                                         else "")
+                                      + "/credentials/" + foodsoft__database_user + "/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_password [[[
+#
+# Database password for Foodsoft.
+foodsoft__database_password: '{{ lookup("password", foodsoft__database_password_path + " length=48 chars=ascii_letters,digits,.:-_") }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_name_map [[[
+#
+# Database name mapping from the names as used in DebOps to Ruby database
+# adapter names.
+foodsoft__database_name_map:
+  'mariadb': 'mysql2'
+  'sqlite': 'sqlite3'
+
+  # Legacy:
+  'mysql': 'mysql2'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__database_config [[[
+#
+# Database configuration for Foodsoft. Written to :file:`config/database.yml`.
+foodsoft__database_config:
+  production:
+    adapter: '{{ foodsoft__database_name_map[foodsoft__database] }}'
+    # socket: '/tmp/mysql.sock'
+    host: '{{ foodsoft__database_server }}'
+    reconnect: False
+    pool: 5
+    username: '{{ foodsoft__database_user }}'
+    password: '{{ foodsoft__database_password }}'
+    database: '{{ foodsoft__database_name }}'
+    encoding: 'utf8'
+                                                                   # ]]]
+                                                                   # ]]]
+# Webserver configuration [[[
+# ---------------------------
+
+# .. envvar:: foodsoft__webserver [[[
+#
+# Autodetected variable containing the webserver which should be used.
+# Currently only Nginx is supported.
+foodsoft__webserver: '{{ ansible_local.foodsoft.webserver
+                         if (ansible_local.foodsoft.webserver | d())
+                         else ("nginx"
+                               if (ansible_local.nginx.enabled | d() | bool)
+                               else ("apache"
+                                     if (ansible_local.apache.enabled | d() | bool)
+                                     else "no-webserver-detected")) }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__webserver_user [[[
+#
+# Name of the webserver user account which will be granted read only access to
+# the Foodsoft application directory.
+foodsoft__webserver_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory paths [[[
+# -------------------
+
+# .. envvar:: foodsoft__home_path [[[
+#
+# The Foodsoft system account home directory.
+foodsoft__home_path: '{{ ansible_local.nginx.www | d("/srv/www") + "/" + foodsoft__user }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__www_path [[[
+#
+# Base web root directory for Foodsoft.
+foodsoft__www_path: '{{ foodsoft__git_dest + "/public" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System user and group [[[
+# -------------------------
+
+# .. envvar:: foodsoft__user [[[
+#
+# System UNIX account used by the Foodsoft.
+foodsoft__user: 'foodsoft'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__group [[[
+#
+# System UNIX group used by the Foodsoft.
+foodsoft__group: 'foodsoft'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__gecos [[[
+#
+# Contents of the GECOS field set for the Foodsoft account.
+foodsoft__gecos: 'Foodsoft'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__shell [[[
+#
+# The default shell set on the foodsoft account.
+foodsoft__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Foodsoft sources and deployment [[[
+# -----------------------------------
+
+# .. envvar:: foodsoft__git_repo [[[
+#
+# The URI of the Foodsoft git source repository.
+# There is also https://github.com/foodcoop-adam/foodsoft.git which you can choose alternatively.
+foodsoft__git_repo: 'https://github.com/foodcoops/foodsoft.git'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__git_version [[[
+#
+# The git branch or tag which will be installed.
+# Defaults to the commit hash of latest release (4.5.1).
+# This is done because Foodsoft development is not cryptographically
+# signed and this role wants to comply with the
+# `DebOps Software Source Policy <https://docs.debops.org/en/latest/debops-policy/docs/software-source-policy.html#software-installed-from-git-repositories>`__.
+foodsoft__git_version: 'a7b6b0c803ca4a79ddab7cea92545b8cc188f952'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__git_dest [[[
+#
+# Path where the Foodsoft sources will be checked out (installation path).
+foodsoft__git_dest: '{{ foodsoft__home_path + "/foodcoops-foodsoft" }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__git_update [[[
+#
+# Should new revisions be retrieved from the origin repository?
+foodsoft__git_update: True
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__bundler_exclude_groups [[[
+#
+# Don’t install the Gems in the listed groups.
+foodsoft__bundler_exclude_groups:
+  - 'test'
+
+  ## Contains SQLite gem.
+  - 'development'
+                                                                   # ]]]
+                                                                   # ]]]
+# Foodsoft configuration [[[
+# --------------------------
+
+# .. envvar:: foodsoft__name [[[
+#
+# Name of this Foodsoft instance.
+foodsoft__name: 'Foodcoop'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__contact [[[
+#
+# Foodcoop contact information (used for FAX messages).
+foodsoft__contact:
+  street: 'Grüne Straße 23'
+  zip_code: '12323'
+  city: 'Berlin'
+  country: 'Deutschland'
+  email: '{{ foodsoft__email_sender }}'
+  phone: '030 323 232323'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__default_scope [[[
+#
+# If :envvar:`foodsoft__multi_coop_install` is true you have to use a coop name, which
+# you you wanna be selected by default.
+foodsoft__default_scope: 'f'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__homepage [[[
+#
+# Homepage URL.
+foodsoft__homepage: 'https://{{ foodsoft__fqdn }}/{{ foodsoft__default_scope }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__page_footer [[[
+#
+# Page footer (html allowed). Default is a Foodsoft footer. Set to the word
+# "blank" for no footer. If unchanged, the default footer of Foodsoft will be used.
+foodsoft__page_footer: '<a href="{{ foodsoft__homepage }}/">{{ foodsoft__name }}</a>, setup by <a href="https://debops.org/">DebOps</a>.'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__email_sender [[[
+#
+# Email address to be used as sender.
+foodsoft__email_sender: 'foodsoft@{{ foodsoft__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__error_recipients [[[
+#
+# Email address to be used as sender.
+foodsoft__error_recipients:
+  - 'admin@{{ foodsoft__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__multi_coop_install [[[
+#
+# If you wanna serve more than one Foodcoop with one installation.
+# Don't forget to setup databases for each Foodcoop. See also MULTI_COOP_INSTALL.
+foodsoft__multi_coop_install: False
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__upstream_config [[[
+#
+# Configuration as defined by upstream Foodcoop in
+# :file:`config/app_config.yml.SAMPLE`.
+foodsoft__upstream_config: '{{ lookup("file", "vars/sample_app_config.yml") | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__role_config [[[
+#
+# This dict is managed by the role itself, controlled by other default variables.
+foodsoft__role_config:
+
+  multi_coop_install: '{{ foodsoft__multi_coop_install | bool }}'
+  default_scope: '{{ foodsoft__default_scope }}'
+  name: '{{ foodsoft__name }}'
+  contact: '{{ foodsoft__contact }}'
+  homepage: '{{ foodsoft__homepage }}'
+
+  # Default timezone, e. g. UTC, Amsterdam, Berlin, etc.
+  # FIXME: Foodsoft/Ruby seem to expect a different format than what debops.core returns.
+  # Potentially splitting at "/" and returning the second half of the string
+  # would do the job but that would need testing.
+  # Change manually if needed.
+  # time_zone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+
+  # Page footer (html allowed). Default is a Foodsoft footer. Set to `blank` for no footer.
+  page_footer: '{{ foodsoft__page_footer }}'
+
+  email_sender: '{{ foodsoft__email_sender }}'
+
+  # Config for the exception_notification plugin.
+  notification:
+    error_recipients: '{{ foodsoft__error_recipients }}'
+    sender_address: '"Foodsoft Error" <{{ foodsoft__email_sender }}>'
+    email_prefix: "[Foodsoft]"
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__config [[[
+#
+# This dict is intended to be used in Ansible’s global inventory as needed.
+foodsoft__config: {}
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__group_config [[[
+#
+# This dict is intended to be used in a host inventory group of Ansible
+# (only one host group is supported) as needed.
+foodsoft__group_config: {}
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__host_config [[[
+#
+# This dict is intended to be used in the inventory of hosts as needed.
+foodsoft__host_config: {}
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__combined_config [[[
+#
+# The configuration written to :file:`config/app_config.yml`.
+foodsoft__combined_config: '{{ foodsoft__upstream_config.default
+                               | combine(foodsoft__role_config)
+                               | combine(foodsoft__config)
+                               | combine(foodsoft__group_config)
+                               | combine(foodsoft__host_config) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: foodsoft__mariadb__dependent_databases [[[
+#
+# Configuration of the foodsoft database managed by the debops.mariadb_ role.
+foodsoft__mariadb__dependent_databases:
+
+  - database: '{{ foodsoft__database_name }}'
+    state: '{{ "present" if (foodsoft__deploy_state != "purged") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__mariadb__dependent_users [[[
+#
+# Configuration of the foodsoft database user managed by the debops.mariadb_ role.
+foodsoft__mariadb__dependent_users:
+
+  - database: '{{ foodsoft__database_name }}'
+    state: '{{ "present" if (foodsoft__deploy_state == "present") else "absent" }}'
+    user: '{{ foodsoft__database_user }}'
+    password: '{{ foodsoft__database_password }}'
+
+                                                                   # ]]]
+# .. envvar:: foodsoft__nginx__dependent_servers [[[
+#
+# Configuration of the foodsoft nginx server, used by the debops.nginx_
+# Ansible role.
+foodsoft__nginx__dependent_servers:
+
+  - name: '{{ foodsoft__fqdn }}'
+    filename: 'debops.foodsoft'
+    by_role: 'debops-contrib.foodsoft'
+    enabled: True
+    type: 'rails'
+    root: '{{ foodsoft__www_path }}'
+    webroot_create: False
+
+    # Foodsoft manages this by itself by default.
+    # TODO: Should probably be disabled in Foodsoft so that DebOps can manage it.
+    hsts_enabled: False
+    frame_options: False
+    content_type_options: False
+    xss_protection: '{{ omit }}'
+
+    # Phusion Passenger options
+    passenger_user: '{{ foodsoft__user }}'
+    passenger_group: '{{ foodsoft__group }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/foodsoft/meta/main.yml b/ansible_collections/debops/debops/roles/foodsoft/meta/main.yml
new file mode 100644
index 00000000..28efc187
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup and manage Foodsoft'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - web
+    - foodsoft
+    - foodcoop
+    - food
+    - ordering
diff --git a/ansible_collections/debops/debops/roles/foodsoft/tasks/main.yml b/ansible_collections/debops/debops/roles/foodsoft/tasks/main.yml
new file mode 100644
index 00000000..0985d766
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/tasks/main.yml
@@ -0,0 +1,169 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# System packages [[[
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", foodsoft__base_packages) }}'
+    state: '{{ "present" if (foodsoft__deploy_state == "present") else "absent" }}'
+  register: foodsoft__register_packages
+  until: foodsoft__register_packages is succeeded
+  tags: [ 'role::foodsoft:pkgs' ]
+# ]]]
+
+# System user and group [[[
+- name: Create Foodsoft system group
+  ansible.builtin.group:
+    name: '{{ foodsoft__group }}'
+    state: '{{ "present" if (foodsoft__deploy_state == "present") else "absent" }}'
+    system: True
+
+- name: Create Foodsoft system user
+  ansible.builtin.user:
+    name: '{{ foodsoft__user }}'
+    group: '{{ foodsoft__group }}'
+    home: '{{ foodsoft__home_path }}'
+    comment: '{{ foodsoft__gecos }}'
+    shell: '{{ foodsoft__shell }}'
+    state: '{{ "present" if (foodsoft__deploy_state == "present") else "absent" }}'
+    system: True
+# ]]]
+
+- name: Clone Foodsoft git repository
+  ansible.builtin.git:
+    repo: '{{ foodsoft__git_repo }}'
+    dest: '{{ foodsoft__git_dest }}'
+    version: '{{ foodsoft__git_version }}'
+    update: '{{ foodsoft__git_update | bool }}'
+  become: True
+  become_user: '{{ foodsoft__user }}'
+  register: foodsoft__register_git
+  when: (foodsoft__deploy_state == "present")
+
+- name: Update Foodsoft directory permissions
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ foodsoft__user }}'
+    group: '{{ foodsoft__webserver_user }}'
+    mode: '0750'
+  with_items:
+    - '{{ foodsoft__home_path }}'
+    - '{{ foodsoft__git_dest }}'
+
+- name: Install Foodsoft dependencies via bundler
+  community.general.bundler:
+    chdir: '{{ foodsoft__git_dest }}'
+    exclude_groups: '{{ foodsoft__bundler_exclude_groups }}'
+    extra_args: '--without development --deployment'
+    # user_install: True
+  register: foodsoft__register_bundler
+  until: foodsoft__register_bundler is succeeded
+  tags: [ 'role::foodsoft:gems' ]
+  # become: True
+  # become_user: '{{ foodsoft__user }}'
+  when: foodsoft__bundler_exclude_groups | d()
+
+## https://github.com/foodcoops/foodsoft/blob/master/doc/SETUP_DEVELOPMENT.md#manual-configuration
+- name: Configure Foodsoft
+  ansible.builtin.template:
+    src: 'srv/www/foodsoft/app/config/{{ item }}.j2'
+    dest: '{{ foodsoft__git_dest }}/config/{{ item }}'
+    owner: '{{ foodsoft__user }}'
+    group: '{{ foodsoft__group }}'
+    mode: '0640'
+  tags: [ 'role::foodsoft:config' ]
+  with_items:
+    - 'database.yml'
+    - 'app_config.yml'
+
+## Workaround because there is not a single command for this: https://github.com/foodcoops/foodsoft/issues/385
+- name: Generate secret token
+  ansible.builtin.command: 'bundle exec rake secret'
+  args:
+    chdir: '{{ foodsoft__git_dest }}'
+    creates: '{{ foodsoft__git_dest }}/config/initializers/secret_token.rb'
+  register: foodsoft__register_secret_token
+  # become: True
+  # become_user: '{{ foodsoft__user }}'
+  tags: [ 'role::foodsoft:gen_token' ]
+
+- name: Check secret token
+  ## Default is 128
+  ansible.builtin.assert:  # noqa no-handler
+    that:
+      - 'foodsoft__register_secret_token.stdout | length > 120'
+      - 'foodsoft__register_secret_token.stdout | length < 500'
+  when: foodsoft__register_secret_token is changed
+  tags: [ 'role::foodsoft:gen_token' ]
+
+- name: Configure secret token for Foodsoft
+  ansible.builtin.template:  # noqa no-handler
+    src: 'srv/www/foodsoft/app/config/initializers/secret_token.rb.j2'
+    dest: '{{ foodsoft__git_dest }}/config/initializers/secret_token.rb'
+    owner: '{{ foodsoft__user }}'
+    group: '{{ foodsoft__group }}'
+    mode: '0640'
+  tags: [ 'role::foodsoft:gen_token' ]
+  when: foodsoft__register_secret_token is changed
+
+- name: Create database schema and load defaults
+  ansible.builtin.command: 'bundle exec rake db:setup'
+  args:
+    chdir: '{{ foodsoft__git_dest }}'
+  # become: True
+  # become_user: '{{ foodsoft__user }}'
+  register: foodsoft__register_db_setup
+  changed_when: foodsoft__register_db_setup.changed | bool
+  when: (not (ansible_local.foodsoft[foodsoft__database + "_initialized"] | bool
+              if (ansible_local | d() and ansible_local.foodsoft | d() and
+                  ansible_local.foodsoft[foodsoft__database + "_initialized"] | d())
+              else False))
+
+## Maybe only needed for https://github.com/foodcoop-adam/foodsoft
+# - name: Setup admin user
+  # ansible.builtin.command: 'rake db:seed'
+  # args:
+    # chdir: '{{ foodsoft__git_dest }}'
+  # become: True
+  # become_user: '{{ foodsoft__user }}'
+
+
+## TODO: (optional) Get background jobs done
+
+# Ansible local facts [[[
+- name: Make sure that Ansible local facts directory is present
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (foodsoft__deploy_state == "present")
+
+- name: Save Foodsoft local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/foodsoft.fact.j2'
+    dest: '/etc/ansible/facts.d/foodsoft.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: (foodsoft__deploy_state == "present")
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/foodsoft/templates/etc/ansible/facts.d/foodsoft.fact.j2 b/ansible_collections/debops/debops/roles/foodsoft/templates/etc/ansible/facts.d/foodsoft.fact.j2
new file mode 100644
index 00000000..2683e922
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/templates/etc/ansible/facts.d/foodsoft.fact.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ ({
+    "enabled": True,
+    "database": foodsoft__database,
+    "webserver": foodsoft__webserver,
+    (foodsoft__database + "_initialized"): True,
+}) | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/app_config.yml.j2 b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/app_config.yml.j2
new file mode 100644
index 00000000..2182214a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/app_config.yml.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+default: &defaults
+    {{ foodsoft__combined_config | to_nice_yaml | indent(4) }}
+
+development:
+  <<: *defaults
+
+test:
+  <<: *defaults
+
+production:
+  <<: *defaults
diff --git a/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/database.yml.j2 b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/database.yml.j2
new file mode 100644
index 00000000..843c6ee1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/database.yml.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+default: &defaults
+    {{ foodsoft__database_config.production | to_nice_yaml | indent(4) }}
+
+development:
+  <<: *defaults
+
+test:
+  <<: *defaults
+
+production:
+  <<: *defaults
diff --git a/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/initializers/secret_token.rb.j2 b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/initializers/secret_token.rb.j2
new file mode 100644
index 00000000..fe55e667
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/foodsoft/templates/srv/www/foodsoft/app/config/initializers/secret_token.rb.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+Foodsoft::Application.config.secret_key_base = '{{ foodsoft__register_secret_token.stdout }}'
+
+# When you're upgrading from Rails 3, it's ok to keep using `secret_token`.
+# http://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html
diff --git a/ansible_collections/debops/debops/roles/freeradius/COPYRIGHT b/ansible_collections/debops/debops/roles/freeradius/COPYRIGHT
new file mode 100644
index 00000000..55020e7a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.freeradius - Manage FreeRADIUS service using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/freeradius/defaults/main.yml b/ansible_collections/debops/debops/roles/freeradius/defaults/main.yml
new file mode 100644
index 00000000..5a8ef417
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/defaults/main.yml
@@ -0,0 +1,368 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _freeradius__ref_defaults:
+
+# debops.freeradius default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, FreeRADIUS version [[[
+# ------------------------------------
+
+# .. envvar:: freeradius__base_packages [[[
+#
+# List of essential APT packages to install for FreeRADIUS support.
+freeradius__base_packages: [ 'freeradius', 'freeradius-utils' ]
+
+                                                                   # ]]]
+# .. envvar:: freeradius__packages [[[
+#
+# List of additional APT packages to install with FreeRADIUS.
+freeradius__packages: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__version [[[
+#
+# The version of the installed FreeRADIUS package, gathered via Ansible local
+# facts. This variable can be used in conditions to enable/disable parts of the
+# configuration.
+freeradius__version: '{{ ansible_local.freeradius.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: freeradius__user [[[
+#
+# The UNIX system account which is used to manage FreeRADIUS service.
+freeradius__user: 'freerad'
+
+                                                                   # ]]]
+# .. envvar:: freeradius__group [[[
+#
+# The UNIX group which is used to manage FreeRADIUS service.
+freeradius__group: 'freerad'
+
+                                                                   # ]]]
+# .. envvar:: freeradius__conf_base_path [[[
+#
+# Absolute path to the base directory which contains the FreeRADIUS
+# configuration files. You most likely don't have to change this.
+freeradius__conf_base_path: '/etc/freeradius/3.0'
+                                                                   # ]]]
+                                                                   # ]]]
+# Internal firewall and ports [[[
+# -------------------------------
+
+# These variables define the firewall configuration for internal FreeRADIUS
+# communication, not intended for client endpoints.
+
+# .. envvar:: freeradius__default_ports [[[
+#
+# List of TCP/UDP ports which are managed by default in the firewall, for
+# internal communication. You can use port numbers or names from the
+# :file:`/etc/services` database.
+freeradius__default_ports: [ 'radius', 'radius-acct' ]
+
+                                                                   # ]]]
+# .. envvar:: freeradius__ports [[[
+#
+# List of TCP/UDP ports for internal communication which will be managed on all
+# hosts in the Ansible inventory.
+freeradius__ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__group_ports [[[
+#
+# List of TCP/UDP ports for internal communication which will be managed on
+# hosts in a specific Ansible inventory group.
+freeradius__group_ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__host_ports [[[
+#
+# List of TCP/UDP ports for internal communication which will be managed on
+# specific hosts in the Ansible inventory.
+freeradius__host_ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__accept_any [[[
+#
+# By default, internal firewall does not allow any connections from anywhere
+# and you need to specify IP addresses or CIDR subnets to allow for
+# communication to the FreeRADIUS service. If this variable is set to ``True``,
+# the configuration will be "flipped" - the role will allow internal
+# communication with FreeRADIUS from anywhere by default, and specifying IP
+# addresses or subnets will restrict it to only these hosts/networks.
+freeradius__accept_any: False
+
+                                                                   # ]]]
+# .. envvar:: freeradius__allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# internal FreeRADIUS service, defined on all hosts in the Ansible inventory.
+freeradius__allow: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# internal FreeRADIUS service, defined on hosts in a specific Ansible inventory
+# group.
+freeradius__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# internal FreeRADIUS service, defined on specific hosts in the Ansible
+# inventory.
+freeradius__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Public firewall and ports [[[
+# -----------------------------
+
+# These variables define the firewall configuration for public FreeRADIUS
+# services, like DHCP, intended for client endpoints.
+
+# .. envvar:: freeradius__public_ports [[[
+#
+# List of TCP/UDP ports for public communication which will be managed on all
+# hosts in the Ansible inventory.
+freeradius__public_ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_group_ports [[[
+#
+# List of TCP/UDP ports for public communication which will be managed on hosts
+# in a specific Ansible inventory group.
+freeradius__public_group_ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_host_ports [[[
+#
+# List of TCP/UDP ports for public communication which will be managed on
+# specific hosts in the Ansible inventory.
+freeradius__public_host_ports: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_accept_any [[[
+#
+# By default, if public TCP/UDP ports are specified, the firewall will accept
+# connections from any IP addresses or CIDR subnets to these ports, and
+# specifying hosts/networks in ``freeradius__public_*_allow`` variables will
+# restrict the connections to only these IP addresses/subnets. If this variable
+# is set to ``False``, the configuration will be "flipped" - the role will not
+# allow connections from anywhere to specified TCP/UDP ports, and you will need
+# to specify IP addresses/subnets that are allowed to connect.
+freeradius__public_accept_any: True
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# public FreeRADIUS service, defined on all hosts in the Ansible inventory.
+freeradius__public_allow: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# public FreeRADIUS service, defined on hosts in a specific Ansible inventory
+# group.
+freeradius__public_group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__public_host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# public FreeRADIUS service, defined on specific hosts in the Ansible
+# inventory.
+freeradius__public_host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# FreeRADIUS configuration files [[[
+# ----------------------------------
+
+# These variables define the contents of the FreeRADIUS configuration files
+# located in :file:`/etc/freeradius/` directory.
+# See :ref:`freeradius__ref_configuration` for more details.
+
+# .. envvar:: freeradius__default_configuration [[[
+#
+# The default FreeRADIUS configuration defined by the role.
+freeradius__default_configuration:
+
+  # Enable FreeRADIUS control socket for the 'radmin' command to work correctly
+  - name: 'sites-enabled/control-socket'
+    link_src: '../sites-available/control-socket'
+
+                                                                   # ]]]
+# .. envvar:: freeradius__configuration [[[
+#
+# Definition of FreeRADIUS configuration which should be managed on all hosts
+# in the Ansible inventory.
+freeradius__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__group_configuration [[[
+#
+# Definition of FreeRADIUS configuration which should be managed on hosts
+# in a specific Ansible inventory group.
+freeradius__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__host_configuration [[[
+#
+# Definition of FreeRADIUS configuration which should be managed on specific
+# hosts in the Ansible inventory.
+freeradius__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: freeradius__combined_configuration [[[
+#
+# The variable that combines all of the FreeRADIUS configuration lists and is
+# used in the role tasks and templates.
+freeradius__combined_configuration: '{{ freeradius__default_configuration
+                                        + freeradius__configuration
+                                        + freeradius__group_configuration
+                                        + freeradius__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: freeradius__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+freeradius__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: '{{ freeradius__default_ports
+               + freeradius__ports
+               + freeradius__group_ports
+               + freeradius__host_ports }}'
+    saddr: '{{ freeradius__allow
+               + freeradius__group_allow
+               + freeradius__host_allow }}'
+    protocols: [ 'tcp', 'udp' ]
+    accept_any: '{{ freeradius__accept_any }}'
+    weight: '50'
+    by_role: 'debops.freeradius'
+    name: 'radius_internal'
+    multiport: True
+
+  - type: 'accept'
+    dport: '{{ freeradius__public_ports
+               + freeradius__public_group_ports
+               + freeradius__public_host_ports }}'
+    saddr: '{{ freeradius__public_allow
+               + freeradius__public_group_allow
+               + freeradius__public_host_allow }}'
+    protocols: [ 'tcp', 'udp' ]
+    accept_any: '{{ freeradius__public_accept_any }}'
+    weight: '50'
+    by_role: 'debops.freeradius'
+    name: 'radius_public'
+    multiport: True
+    rule_state: '{{ "present"
+                    if (freeradius__public_ports
+                        + freeradius__public_group_ports
+                        + freeradius__public_host_ports)
+                    else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: freeradius__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+freeradius__logrotate__dependent_config:
+
+  - filename: 'freeradius'
+    divert: True
+    log: '/var/log/freeradius/radius.log'
+    comment: 'The main server log'
+    options: |
+      daily
+      rotate 52
+      missingok
+      compress
+      delaycompress
+      notifempty
+      copytruncate
+    state: 'present'
+
+  - filename: 'freeradius-monitor'
+    logs:
+      - '/var/log/freeradius/checkrad.log'
+      - '/var/log/freeradius/radwatch.log'
+    comment: 'Session monitoring utilities'
+    options: |
+      daily
+      rotate 52
+      missingok
+      compress
+      delaycompress
+      notifempty
+      nocreate
+    state: 'present'
+
+  - filename: 'freeradius-session'
+    logs:
+      - '/var/log/freeradius/radutmp'
+      - '/var/log/freeradius/radwtmp'
+    comment: 'Session database modules'
+    options: |
+      daily
+      rotate 52
+      missingok
+      compress
+      delaycompress
+      notifempty
+      nocreate
+    state: 'present'
+
+  - filename: 'freeradius-sql'
+    log: '/var/log/freeradius/sqllog.sql'
+    comment: 'SQL log files'
+    options: |
+      daily
+      rotate 52
+      missingok
+      compress
+      delaycompress
+      notifempty
+      nocreate
+    state: 'present'
+
+  - filename: 'freeradius-detail'
+    log: '/var/log/freeradius/radacct/*/detail'
+    comment: |
+      There are different detail-rotating strategies you can use.  One is
+      to write to a single detail file per IP and use the rotate config
+      below.  Another is to write to a daily detail file per IP with:
+          detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+      (or similar) in radiusd.conf, without rotation.  If you go with the
+      second technique, you will need another cron job that removes old
+      detail files.  You do not need to comment out the below for method #2.
+    options: |
+      weekly
+      rotate 260
+      missingok
+      compress
+      delaycompress
+      notifempty
+      nocreate
+    state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/freeradius/meta/main.yml b/ansible_collections/debops/debops/roles/freeradius/meta/main.yml
new file mode 100644
index 00000000..3e894ac1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure FreeRADIUS'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.6.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - radius
+    - authentication
+    - authorization
+    - networking
diff --git a/ansible_collections/debops/debops/roles/freeradius/tasks/main.yml b/ansible_collections/debops/debops/roles/freeradius/tasks/main.yml
new file mode 100644
index 00000000..d448c9b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/tasks/main.yml
@@ -0,0 +1,132 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install FreeRADIUS packages
+  ansible.builtin.package:
+    name: '{{ item }}'
+    state: 'present'
+  loop: '{{ q("flattened", freeradius__base_packages
+                           + freeradius__packages) }}'
+  register: freeradius__register_packages
+  until: freeradius__register_packages is succeeded
+
+- name: Enable FreeRADIUS service in systemd to start at boot time
+  ansible.builtin.systemd:
+    name: 'freeradius.service'
+    enabled: True
+  when: ansible_service_mgr == 'systemd'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save FreeRADIUS local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/freeradius.fact.j2'
+    dest: '/etc/ansible/facts.d/freeradius.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Get list of FreeRADIUS Conffiles
+  ansible.builtin.command: cat /var/lib/dpkg/info/freeradius-config.conffiles
+  register: freeradius__register_conffiles
+  changed_when: False
+  check_mode: False
+
+- name: Add/remove diversion of FreeRADIUS configuration files
+  vars:
+    freeradius__var_divert_path: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
+    freeradius__var_divert_divert: '{{ freeradius__conf_base_path + "/"
+                                       + (item.divert_filename
+                                          | d((((item.filename | d(item.name)) | dirname + "/.")
+                                               if ((item.filename | d(item.name)) | dirname) else ".")
+                                              + (item.filename | d(item.name)) | basename + ".dpkg-divert")) }}'
+  debops.debops.dpkg_divert:
+    path: '{{ freeradius__var_divert_path }}'
+    divert: '{{ freeradius__var_divert_divert }}'
+    state: '{{ item.state | d("present") }}'
+    delete: True
+  loop: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"path": freeradius__var_divert_path,
+                "divert": freeradius__var_divert_divert,
+                "state": item.state | d("present")} }}'
+  notify: [ 'Check freeradius configuration and restart' ]
+  when: (item.name | d() and item.divert | d(False) | bool and
+         item.state | d('present') in ['present', 'absent'])
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Create missing configuration directories
+  ansible.builtin.file:
+    path: '{{ (freeradius__conf_base_path + "/" + (item.filename | d(item.name))) | dirname }}'
+    state: 'directory'
+    owner: '{{ freeradius__user }}'
+    group: '{{ freeradius__group }}'
+    mode: '0755'
+  with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"path": ((freeradius__conf_base_path + "/" + (item.filename | d(item.name))) | dirname)} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.link_src | d() or item.options | d() or item.raw | d()))
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Generate FreeRADIUS configuration files
+  ansible.builtin.template:
+    src:   'etc/freeradius/template.conf.j2'
+    dest:  '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
+    owner: '{{ item.owner | d(freeradius__user) }}'
+    group: '{{ item.group | d(freeradius__group) }}'
+    mode:  '{{ item.mode | d("0640") }}'
+  with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check freeradius configuration and restart' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         not item.link_src | d() and (item.options | d() or item.raw | d()))
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Create configuration file symlinks
+  ansible.builtin.file:
+    dest: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
+    src: '{{ item.link_src }}'
+    state: 'link'
+    owner: '{{ item.owner | d(freeradius__user) }}'
+    group: '{{ item.group | d(freeradius__group) }}'
+    mode:  '{{ item.mode | d("0640") }}'
+  with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check freeradius configuration and restart' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         item.link_src | d())
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Remove FreeRADIUS configuration files
+  ansible.builtin.file:
+    dest: '{{ freeradius__conf_base_path + "/" + (item.filename | d(item.name)) }}'
+    state: 'absent'
+  with_items: '{{ freeradius__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check freeradius configuration and restart' ]
+  when: (item.name | d() and not item.divert | d(False) | bool and
+         item.state | d('present') == 'absent')
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
diff --git a/ansible_collections/debops/debops/roles/freeradius/templates/etc/ansible/facts.d/freeradius.fact.j2 b/ansible_collections/debops/debops/roles/freeradius/templates/etc/ansible/facts.d/freeradius.fact.j2
new file mode 100644
index 00000000..46c30062
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/templates/etc/ansible/facts.d/freeradius.fact.j2
@@ -0,0 +1,33 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('freeradius')}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "freeradius"]).decode('utf-8').split('+')[0]
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/freeradius/templates/etc/freeradius/template.conf.j2 b/ansible_collections/debops/debops/roles/freeradius/templates/etc/freeradius/template.conf.j2
new file mode 100644
index 00000000..f85a8f76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/freeradius/templates/etc/freeradius/template.conf.j2
@@ -0,0 +1,34 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw -}}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix=('\n' if not loop.first else ''), postfix='') -}}
+{%       endif %}
+{%       if element.raw | d() %}
+{%         if not loop.last %}
+{{ element.raw }}
+{%         else %}
+{{ element.raw -}}
+{%         endif %}
+{%       elif element.value | d() %}
+{%         if not loop.last %}
+{{ '{} = {}'.format(element.name, element.value) }}
+{%         else %}
+{{ '{} = {}'.format(element.name, element.value) -}}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/fuse/COPYRIGHT b/ansible_collections/debops/debops/roles/fuse/COPYRIGHT
new file mode 100644
index 00000000..3cb3feb6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/COPYRIGHT
@@ -0,0 +1,19 @@
+fuse - Install and configure Filesystem in Userspace (FUSE)
+
+Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/fuse/defaults/main.yml b/ansible_collections/debops/debops/roles/fuse/defaults/main.yml
new file mode 100644
index 00000000..585b6fe2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/defaults/main.yml
@@ -0,0 +1,100 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _fuse__ref_defaults:
+
+# debops-contrib.fuse default variables [[[
+# =========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Required packages [[[
+# ---------------------
+
+# .. envvar:: fuse_base_packages [[[
+#
+# List of base packages to install.
+fuse_base_packages: [ 'fuse' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Fuse options [[[
+# ----------------
+
+# .. envvar:: fuse_mount_max [[[
+#
+# Set the maximum number of FUSE mounts allowed to non-root users.
+# Set to ``default`` to use the number chosen by your distribution which is
+# 1000 in Debian Jessie.
+fuse_mount_max: 'default'
+
+                                                                   # ]]]
+# .. envvar:: fuse_user_allow_other [[[
+#
+# Allow non-root users to specify the allow_other or allow_root mount options.
+fuse_user_allow_other: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Fuse hardening [[[
+# ------------------
+
+# .. envvar:: fuse_restrict_access [[[
+#
+# Should access to fuse and :file:`/dev/fuse` be restricted to root and the
+# members of the fuse group?
+# Debian used to have a group called fuse and users which should be allowed to use FUSE needed to be in that group.
+# As of Debian Jessie, no group is being created by default and every user has access to fuse.
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733312
+# This was done to make it work by default with other packages which are based on FUSE.
+fuse_restrict_access: False
+
+                                                                   # ]]]
+# .. envvar:: fuse_group [[[
+#
+# Name of the system group ob :file:`/dev/fuse`.
+# Only users who are members of the :envvar:`fuse_group` and ``root`` are allowed
+# to use FUSE when :envvar:`fuse_restrict_access` is ``True``.
+fuse_group: 'fuse'
+
+                                                                   # ]]]
+# .. envvar:: fuse_permissions [[[
+#
+# Unix permissions of :file:`/dev/fuse`.
+# It defaults to ``0600`` so that only the file owner (``root``) and users in
+# the :envvar:`fuse_group` have access to FUSE.
+fuse_permissions: '0660'
+
+                                                                   # ]]]
+# .. envvar:: fuse_users [[[
+#
+# Which users should be allowed to use FUSE?
+# Only takes affect when :envvar:`fuse_restrict_access` is ``True``.
+# This variable is intended to be used in Ansible’s global inventory.
+fuse_users: []
+
+                                                                   # ]]]
+# .. envvar:: fuse_users_host_group [[[
+#
+# Which users should be allowed to use FUSE?
+# Only takes affect when :envvar:`fuse_restrict_access` is ``True``.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+fuse_users_host_group: []
+
+                                                                   # ]]]
+# .. envvar:: fuse_users_host [[[
+#
+# Which users should be allowed to use FUSE?
+# Only takes affect when :envvar:`fuse_restrict_access` is ``True``.
+# This variable is intended to be used in the inventory of hosts.
+fuse_users_host: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/changelog.rst b/ansible_collections/debops/debops/roles/fuse/docs/changelog.rst
new file mode 100644
index 00000000..b3ca1e2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/copyright.rst b/ansible_collections/debops/debops/roles/fuse/docs/copyright.rst
new file mode 100644
index 00000000..a8b5ec4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/getting-started.rst b/ansible_collections/debops/debops/roles/fuse/docs/getting-started.rst
new file mode 100644
index 00000000..0db0d924
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/getting-started.rst
@@ -0,0 +1,52 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To manage and configure FUSE on a given host it should be included in the
+``debops_service_fuse`` Ansible inventory group:
+
+.. code:: ini
+
+   [debops_service_fuse]
+   hostname
+
+Example playbook
+----------------
+
+Here's an example playbook that uses the ``debops-contrib.fuse`` role:
+
+.. literalinclude:: playbooks/fuse.yml
+   :language: yaml
+   :lines: 1,5-
+
+This playbooks is shipped with this role under
+:file:`./docs/playbooks/fuse.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::fuse``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/includes/all.rst b/ansible_collections/debops/debops/roles/fuse/docs/includes/all.rst
new file mode 100644
index 00000000..73d42c4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/index.rst b/ansible_collections/debops/debops/roles/fuse/docs/index.rst
new file mode 100644
index 00000000..409804d3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.fuse:
+
+Ansible role: debops-contrib.fuse
+=================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/introduction.rst b/ansible_collections/debops/debops/roles/fuse/docs/introduction.rst
new file mode 100644
index 00000000..ccd88953
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/introduction.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.fuse`` role allows you to install and configure Filesystem
+in Userspace (FUSE).
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.3``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.fuse
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/fuse/docs/playbooks/fuse.yml b/ansible_collections/debops/debops/roles/fuse/docs/playbooks/fuse.yml
new file mode 100644
index 00000000..cd3d8556
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/docs/playbooks/fuse.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install and configure Filesystem in Userspace (FUSE)
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_fuse' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: fuse
+      tags: [ 'role::fuse' ]
diff --git a/ansible_collections/debops/debops/roles/fuse/meta/main.yml b/ansible_collections/debops/debops/roles/fuse/meta/main.yml
new file mode 100644
index 00000000..6c380cbd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Install and configure Filesystem in Userspace (FUSE)'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - fuse
+    - hardening
diff --git a/ansible_collections/debops/debops/roles/fuse/tasks/main.yml b/ansible_collections/debops/debops/roles/fuse/tasks/main.yml
new file mode 100644
index 00000000..41da9704
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", fuse_base_packages) }}'
+    state: 'present'
+  register: fuse__register_packages
+  until: fuse__register_packages is succeeded
+
+- name: Divert original /etc/fuse.conf
+  debops.debops.dpkg_divert:
+    path: '/etc/fuse.conf'
+
+- name: Setup udev rule for fuse to change file permissions
+  ansible.builtin.template:
+    src: 'etc/fuse.conf.j2'
+    dest: '/etc/fuse.conf'
+    mode: '0644'
+
+- name: Ensure fuse system group is present
+  ansible.builtin.group:
+    name: '{{ fuse_group }}'
+    state: 'present'
+    system: True
+
+- name: Add fuse_users to fuse_group
+  ansible.builtin.user:
+    name: '{{ item }}'
+    groups: '{{ fuse_group }}'
+    append: True
+  loop: '{{ [fuse_users, fuse_users_host_group, fuse_users_host] | flatten }}'
+
+- name: Setup udev rule for fuse to change file permissions
+  ansible.builtin.template:
+    src: 'etc/udev/rules.d/fuse.rules.j2'
+    dest: '/etc/udev/rules.d/99-fuse.rules'
+    mode: '0644'
+  when: fuse_restrict_access | bool
+
+- name: Ensure FUSE permissions are applied immediately
+  ansible.builtin.file:
+    path: '/dev/fuse'
+    owner: 'root'
+    group: '{{ fuse_group }}'
+    mode: '{{ fuse_permissions }}'
+  when: fuse_restrict_access | bool
+
+- name: Remove udev rule for fuse
+  ansible.builtin.file:
+    path: '/etc/udev/rules.d/99-fuse.rules'
+    state: 'absent'
+  when: not (fuse_restrict_access | bool)
diff --git a/ansible_collections/debops/debops/roles/fuse/templates/etc/fuse.conf.j2 b/ansible_collections/debops/debops/roles/fuse/templates/etc/fuse.conf.j2
new file mode 100644
index 00000000..fa57e951
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/templates/etc/fuse.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## {{ ansible_managed }}
+# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)
+
+# Set the maximum number of FUSE mounts allowed to non-root users.
+# The default is 1000.
+{% if fuse_mount_max == 'default' %}
+#mount_max = 1000
+{% else %}
+mount_max = {{ fuse_mount_max | int }}
+{% endif %}
+
+# Allow non-root users to specify the allow_other or allow_root mount options.
+{{ '' if fuse_user_allow_other else '#' }}user_allow_other
diff --git a/ansible_collections/debops/debops/roles/fuse/templates/etc/udev/rules.d/fuse.rules.j2 b/ansible_collections/debops/debops/roles/fuse/templates/etc/udev/rules.d/fuse.rules.j2
new file mode 100644
index 00000000..0d50572b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/fuse/templates/etc/udev/rules.d/fuse.rules.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## {{ ansible_managed }}
+
+KERNEL=="fuse", GROUP="{{ fuse_group }}", MODE="{{ fuse_permissions }}"
diff --git a/ansible_collections/debops/debops/roles/gitlab/COPYRIGHT b/ansible_collections/debops/debops/roles/gitlab/COPYRIGHT
new file mode 100644
index 00000000..0d62f36a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.gitlab - Install and manage GitLab Omnibus
+
+Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/gitlab/defaults/main.yml b/ansible_collections/debops/debops/roles/gitlab/defaults/main.yml
new file mode 100644
index 00000000..9bdf4e2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/defaults/main.yml
@@ -0,0 +1,763 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _gitlab__ref_defaults:
+
+# debops.gitlab default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# GitLab Omnibus installation [[[
+# -------------------------------
+
+# .. envvar:: gitlab__edition [[[
+#
+# Select the GitLab edition you want to install or manage. The "community"
+# edition contains only the open source components, the "enterprise" edition
+# includes closed source components and can be upgraded with a commercial
+# license. Set to "manual" to allow a manual installation of GitLab Omnibus
+# package which can then be configured by the role.
+gitlab__edition: 'community'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__preferred_version [[[
+#
+# Specify the version of the GitLab APT package to install, in the
+# :man:`apt_preferences(5)` format. By default any version is preferred, which
+# will usually select the latest version available. An example selection of
+# a specific version: ``16.9.1-ce.0``.
+gitlab__preferred_version: '*'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__base_packages [[[
+#
+# List of the default APT packages used to install GitLab Omnibus on a host.
+gitlab__base_packages:
+
+  - '{{ "gitlab-ce"
+        if (gitlab__edition == "community")
+        else ("gitlab-ee"
+              if (gitlab__edition == "enterprise")
+              else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__packages [[[
+#
+# List of additional APT packages which should be installed with GitLab
+# Omnibus.
+gitlab__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: gitlab__user [[[
+#
+# Name of the primary UNIX account used by GitLab Omnibus.
+gitlab__user: 'git'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__group [[[
+#
+# Name of the primary UNIX group used by GitLab Omnibus.
+gitlab__group: 'git'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__additional_groups [[[
+#
+# List of additional UNIX groups which the GitLab Omnibus account should belong
+# to.
+gitlab__additional_groups:
+
+  # The "sshusers" UNIX group permits access to a given UNIX account over SSH
+  - '{{ (ansible_local.system_groups.local_prefix | d("")) + "sshusers" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__comment [[[
+#
+# The GECOS field of the primary GitLab Omnibus UNIX account.
+gitlab__comment: 'GitLab Omnibus main account'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__home [[[
+#
+# The home directory of the primary GitLab Omnibus UNIX account. This path is
+# used by default by the Omnibus packages and shouldn't be changed recklessly.
+gitlab__home: '/var/opt/gitlab'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__shell [[[
+#
+# The default UNIX shell used by the primary GitLab Omnibus account.
+gitlab__shell: '/bin/sh'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application environment [[[
+# ---------------------------
+
+# .. envvar:: gitlab__fqdn [[[
+#
+# The Fully Qualified Domain Name on which GitLab Omnibus will be available. It
+# might be published :ref:`as a SRV record <dns_configuration_srv_usage>` for
+# GitLab Runners to find the API endpoint automatically.
+gitlab__fqdn: 'code.{{ gitlab__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__domain [[[
+#
+# The DNS domain on which GitLab Omnibus is deployed.
+gitlab__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__registry_port [[[
+#
+# By default, GitLab Container registry is published on the same FQDN as the
+# main GitLab application, on a different TCP port.
+gitlab__registry_port: '5050'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__firewall_ports [[[
+#
+# List of TCP ports which should be opened in the :command:`ferm` firewall to
+# allow access to the GitLab services.
+gitlab__firewall_ports:
+
+  - 'http'
+  - 'https'
+  - 'container-registry'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to access GitLab
+# Omnibus services, configured on all hosts in the Ansible inventory. If the
+# list is empty, any host can access GitLab.
+gitlab__allow: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to access GitLab
+# Omnibus services, configured on hosts in a specific Ansible inventory group.
+# If the list is empty, any host can access GitLab.
+gitlab__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to access GitLab
+# Omnibus services, configured on specific hosts in the Ansible inventory. If
+# the list is empty, any host can access GitLab.
+gitlab__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__initial_root_password [[[
+#
+# The initial "root" account password set during GitLab Omnibus installation
+# via the $GITLAB_ROOT_PASSWORD environment variable.
+gitlab__initial_root_password: '{{ lookup("password", secret + "/gitlab/credentials/"
+                                                      + "root/initial_password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI infrastructure integration [[[
+# ----------------------------------
+
+# .. envvar:: gitlab__pki_enabled [[[
+#
+# Enable or disable support for PKI infrastructure, managed by the
+# :ref:`debops.pki` Ansible role.
+gitlab__pki_enabled: '{{ (ansible_local.pki.enabled | d(False)) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__pki_path [[[
+#
+# The base path of the PKI infrastructure managed by the :ref:`debops.pki`
+# Ansible role.
+gitlab__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__pki_hook_path [[[
+#
+# Directory with PKI hooks.
+gitlab__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__pki_realm [[[
+#
+# The name of the PKI realm which should be used by GitLab Omnibus installation
+# by default.
+gitlab__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ssl_default_symlinks [[[
+#
+# List of the symlinks to private key and X.509 certificate used by GitLab
+# Omnibus by default, located in the :file:`/etc/gitlab/ssl/` directory.
+# See :ref:`gitlab__ref_ssl_symlinks` for more details.
+gitlab__ssl_default_symlinks:
+
+  - link: '{{ gitlab__fqdn + ".key" }}'
+    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/private/key.pem" }}'
+
+  - link: '{{ gitlab__fqdn + ".crt" }}'
+    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/chain.pem" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ssl_symlinks [[[
+#
+# List of additional symlinks to private keys and X.509 certificates used by
+# GitLab Omnibus, located in the :file:`/etc/gitlab/ssl/` directory.
+# See :ref:`gitlab__ref_ssl_symlinks` for more details.
+gitlab__ssl_symlinks: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ssl_default_cacerts [[[
+#
+# List of the symlinks to Certificate Authority certificate used by GitLab
+# Omnibus by default, located in the :file:`/etc/gitlab/trusted-certs/`
+# directory. Syntax is the same as the configuration for private keys and
+# certificates. See :ref:`gitlab__ref_ssl_symlinks` for more details.
+gitlab__ssl_default_cacerts:
+
+  - link: '{{ gitlab__pki_realm + "-root.crt" }}'
+    src: '{{ gitlab__pki_path + "/" + gitlab__pki_realm + "/public/root.pem" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ssl_cacerts [[[
+#
+# List of additional symlinks to Certificate Authority certificate used by
+# GitLab Omnibus, located in the :file:`/etc/gitlab/trusted-certs/` directory.
+# Syntax is the same as the configuration for private keys and certificates.
+# See :ref:`gitlab__ref_ssl_symlinks` for more details.
+gitlab__ssl_cacerts: []
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP Authentication configuration [[[
+# -------------------------------------
+
+# More information about LDAP support in GitLab can be found at
+# https://gitlab.com/help/administration/auth/ldap.md
+
+# .. envvar:: gitlab__ldap_enabled [[[
+#
+# Enable or disable LDAP integration.
+gitlab__ldap_enabled: '{{ True
+                          if (ansible_local | d() and ansible_local.ldap | d() and
+                              (ansible_local.ldap.enabled | d()) | bool)
+                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, LDAP configuration will not be generated.
+gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the GitLab service account LDAP object.
+# If the list is empty, the role will not create the account LDAP object
+# automatically.
+gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# GitLab service to access the LDAP directory.
+gitlab__ldap_self_rdn: 'uid=gitlab'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the Gitlab service to access the LDAP directory.
+gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# GitLab service to access the LDAP directory.
+gitlab__ldap_self_attributes:
+  uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ gitlab__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "GitLab" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# GitLab service to bind to the LDAP directory.
+gitlab__ldap_binddn: '{{ ([gitlab__ldap_self_rdn] + gitlab__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the GitLab service to
+# bind to the LDAP directory.
+gitlab__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                 + gitlab__ldap_binddn | to_uuid + ".password length=32"))
+                         if gitlab__ldap_enabled | bool
+                         else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_label [[[
+#
+# Specify the name of the LDAP server displayed on the login page.
+gitlab__ldap_label: 'LDAP'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_host [[[
+#
+# FQDN address of the LDAP server to connect to.
+gitlab__ldap_host: '{{ ansible_local.ldap.hosts | d([""]) | first }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_port [[[
+#
+# The LDAP service port to use for connections.
+gitlab__ldap_port: '{{ ansible_local.ldap.port | d("389") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_encryption [[[
+#
+# The encryption method that should be used to connect to the LDAP server.
+# Available methods: ``start_tls``, ``simple_tls``, ``plain``.
+gitlab__ldap_encryption: '{{ "start_tls"
+                             if ((ansible_local.ldap.start_tls | d()) | bool)
+                             else "simple_tls" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_timeout [[[
+#
+# Set timeout in seconds for LDAP queries.
+gitlab__ldap_timeout: '10'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_activedirectory [[[
+#
+# Enable or disable support for ActiveDirectory servers.
+gitlab__ldap_activedirectory: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_account_attribute [[[
+#
+# Name of the LDAP attribute to use for account lookups. On plain LDAP servers
+# it's usually ``uid``, on older ActiveDirectory installations it could be
+# ``sAMAccountName``.
+gitlab__ldap_account_attribute: '{{ "sAMAccountName"
+                                    if (gitlab__ldap_activedirectory | bool)
+                                    else "uid" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_user_filter [[[
+#
+# LDAP search query which will be used by the GitLab service to filter the
+# available user accounts.
+gitlab__ldap_user_filter: '(&
+                             (objectClass=inetOrgPerson)
+                             (|
+                               (authorizedService=all)
+                               (authorizedService=gitlab)
+                               (authorizedService=web:public)
+                             )
+                           )'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_username_or_email_login [[[
+#
+# If this variable is enabled, GitLab will ignore everything
+# after the first '@' in the LDAP username submitted by the user on login.
+#
+# Example:
+# - the user enters ``jane.doe@example.com`` and ``p@ssw0rd`` as LDAP
+# credentials;
+# - GitLab queries the LDAP server with ``jane.doe`` and ``p@ssw0rd``.
+#
+# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
+# disable this setting, because the userPrincipalName contains an '@'.
+gitlab__ldap_username_or_email_login: '{{ True
+                                          if (gitlab__ldap_account_attribute in
+                                              ["uid", "sAMAccountName"])
+                                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_block_auto_created_users [[[
+#
+# Enable this setting to keep new LDAP users blocked until they have been
+# cleared by the admin.
+gitlab__ldap_block_auto_created_users: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap_lowercase_usernames [[[
+#
+# If enabled, GitLab will convert usernames to lowercase before searching the
+# for the LDAP user accounts.
+gitlab__ldap_lowercase_usernames: True
+                                                                   # ]]]
+                                                                   # ]]]
+# GitLab backup options [[[
+# -------------------------
+
+# .. envvar:: gitlab__backup_enabled [[[
+#
+# When enabled, the role will configure the :command:`cron` service to
+# periodically perform backups of the GitLab Omnibus installation. If this
+# parameter is set to ``False``, the :command:`cron` configuration will be
+# removed.
+gitlab__backup_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_frequency [[[
+#
+# Select the GitLab Omnibus backup frequency (either ``daily``, ``weekly`` or
+# ``monthly``).
+gitlab__backup_frequency: 'daily'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_keep_time [[[
+#
+# How long to store backups for, in seconds.
+gitlab__backup_keep_time: '{{ (60 * 60 * 24 * 7) | int }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_path [[[
+#
+# Absolute path to the directory where GitLab Omnibus backups are stored and
+# managed.
+gitlab__backup_path: '/var/opt/gitlab/backups'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_exclude_directories [[[
+#
+# Choose what should be excluded from the backup. An empty list means that
+# nothing will be excluded from the backup.
+# Reference: https://docs.gitlab.com/ee/raketasks/backup_gitlab.html#excluding-specific-directories-from-the-backup
+gitlab__backup_exclude_directories: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_default_environment [[[
+#
+# YAML dictionary with default environment variables which should be present in
+# the GitLab backup :command:`cron` job. Dictionary keys are the variable
+# names, dictionary values are the variable values. An empty value removes the
+# variable from the generated configuration file.
+gitlab__backup_default_environment:
+  CRON: '1'
+  SKIP: '{{ gitlab__backup_exclude_directories | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__backup_environment [[[
+#
+# YAML dictionary with custom environment variables which should be present in
+# the GitLab backup :command:`cron` job. Dictionary keys are the variable
+# names, dictionary values are the variable values. An empty value removes the
+# variable from the generated configuration file. This variable is combined
+# with the default environment variable.
+gitlab__backup_environment: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# GitLab Omnibus configuration file [[[
+# -------------------------------------
+
+# The lists below define the contents of the :file:`/etc/gitlab/gitlab.rb`
+# configuration file which manages the GitLab Omnibus installation. The role
+# maintains the configuration file using the :ref:`universal_configuration`
+# system. See :ref:`gitlab__ref_configuration` for more details.
+
+# .. envvar:: gitlab__default_configuration [[[
+#
+# The default configuration options for GitLab Omnibus defined by the role.
+gitlab__default_configuration:
+
+  - name: 'preamble-comment'
+    title: 'GitLab configuration settings'
+    comment: |
+      This file is generated during initial installation and **is not** modified
+      during upgrades.
+      Check out the latest version of this file to know about the different
+      settings that can be configured, when they were introduced and why:
+      https://gitlab.com/gitlab-org/omnibus-gitlab/blame/master/files/gitlab-config-template/gitlab.rb.template
+
+      Locally, the complete template corresponding to the installed version can be found at:
+      /opt/gitlab/etc/gitlab.rb.template
+
+      You can run `gitlab-ctl diff-config` to compare the contents of the current gitlab.rb with
+      the gitlab.rb.template from the currently running version.
+
+      You can run `gitlab-ctl show-config` to display the configuration that will be generated by
+      running `gitlab-ctl reconfigure`
+    state: 'present'
+
+  - name: 'external_url'
+    title: 'GitLab URL'
+    comment: |
+      URL on which GitLab will be reachable.
+      For more details on configuring external_url see:
+      https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
+    value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
+               + gitlab__fqdn }}'
+
+  - name: 'registry_external_url'
+    title: 'GitLab Container Registry URL'
+    comment: |
+      URL on which GitLab Container Registry will be reachable. By default we
+      use the same FQDN as the main GitLab installation with a separate TCP
+      port; see the documentation to find out how to publish the Registry on
+      a separate FQDN.
+    value: '{{ (("https://") if gitlab__pki_enabled | bool else ("http://"))
+               + gitlab__fqdn + ":" + gitlab__registry_port }}'
+
+  - name: 'roles'
+    title: 'Roles for multi-instance GitLab'
+    comment: |
+      The default is to have no roles enabled, which results in GitLab running as an all-in-one instance.
+      Options:
+        redis_sentinel_role redis_master_role redis_replica_role geo_primary_role geo_secondary_role
+        postgres_role consul_role application_role monitoring_role
+      For more details on each role, see:
+      https://docs.gitlab.com/omnibus/roles/README.html#roles
+    value: [ 'redis_sentinel_role', 'redis_master_role' ]
+    state: 'comment'
+
+  - name: 'legend-comment'
+    title: 'Legend'
+    comment: |
+      The following notations at the beginning of each line may be used to
+      differentiate between components of this file and to easily select them using
+      a regex.
+      ## Titles, subtitles etc
+      ##! More information - Description, Docs, Links, Issues etc.
+      Configuration settings have a single # followed by a single space at the
+      beginning; Remove them to enable the setting.
+
+      **Configuration settings below are optional.**
+    state: 'present'
+
+  - name: 'header-comment'
+    raw: |
+      ################################################################################
+      ################################################################################
+      ##                Configuration Settings for GitLab CE and EE                 ##
+      ################################################################################
+      ################################################################################
+
+      ################################################################################
+      ## gitlab.yml configuration
+      ##! Docs: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md
+      ################################################################################
+    state: 'present'
+    separator: True
+
+  - name: 'gitlab_rails'
+    options:
+
+      - name: 'time_zone'
+        title: 'Set the time zone of the GitLab Omnibus installation'
+        value: '{{ ansible_local.tzdata.timezone | d("UTC") }}'
+        state: 'present'
+
+      - name: 'backup_path'
+        title: 'Absolute path where GitLab backups are stored'
+        value: '{{ gitlab__backup_path }}'
+        state: '{{ "present"
+                   if (gitlab__backup_path != "/var/opt/gitlab/backups")
+                   else "comment" }}'
+
+      - name: 'backup_keep_time'
+        title: 'The duration in seconds to keep backups before they are allowed to be deleted'
+        value: '{{ gitlab__backup_keep_time }}'
+        state: '{{ "present"
+                   if (gitlab__backup_keep_time | string != "604800")
+                   else "comment" }}'
+
+      - name: 'ldap_enabled'
+        title: 'LDAP Settings'
+        comment: |
+          Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
+          **Be careful not to break the indentation in the ldap_servers block. It is
+            in yaml format and the spaces must be retained. Using tabs will not work.**
+        value: '{{ ansible_local.ldap.enabled | d(False) }}'
+        state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'
+
+      - name: 'prevent_ldap_sign_in'
+        value: False
+        state: 'comment'
+
+      - name: 'ldap_servers'
+        title: "**remember to close this block with 'EOS' below**"
+        raw: |
+          gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
+            main:  # 'main' is the GitLab 'provider ID' of this LDAP server
+              label: '{{ gitlab__ldap_label }}'
+              host: '{{ gitlab__ldap_host }}'
+              port: {{ gitlab__ldap_port }}
+              uid: '{{ gitlab__ldap_account_attribute }}'
+              bind_dn: '{{ gitlab__ldap_binddn }}'
+              password: '{{ gitlab__ldap_bindpw }}'
+              encryption: '{{ gitlab__ldap_encryption }}' # "start_tls" or "simple_tls" or "plain"
+              verify_certificates: true
+              smartcard_auth: false
+              active_directory: {{ gitlab__ldap_activedirectory | lower }}
+              allow_username_or_email_login: {{ gitlab__ldap_username_or_email_login | lower }}
+              lowercase_usernames: {{ gitlab__ldap_lowercase_usernames | lower }}
+              block_auto_created_users: {{ gitlab__ldap_block_auto_created_users | lower }}
+              base: '{{ gitlab__ldap_base_dn | join(",") }}'
+              user_filter: '{{ gitlab__ldap_user_filter }}'
+              ## EE only
+              group_base: ''
+              admin_group: ''
+              sync_ssh_keys: false
+          EOS
+        state: '{{ "present" if gitlab__ldap_enabled | bool else "comment" }}'
+
+  - name: 'nginx'
+    options:
+
+      - name: 'redirect_http_to_https'
+        title: 'Enable HTTP to HTTPS redirection in nginx'
+        value: '{{ True if gitlab__pki_enabled | bool else False }}'
+        state: 'present'
+
+  - name: 'package'
+    options:
+
+      - name: 'modify_kernel_parameters'
+        comment: |
+          Attempt to modify kernel parameters. To skip this in containers where
+          the relevant file system is read-only, set the value to false.
+        value: '{{ False
+                   if ("container" in (ansible_virtualization_tech_guest | d([])))
+                   else True }}'
+        state: '{{ "present"
+                   if ("container" in (ansible_virtualization_tech_guest | d([])))
+                   else "comment" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__configuration [[[
+#
+# The configuration options for GitLab Omnibus defined on all hosts in the
+# Ansible inventory.
+gitlab__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__group_configuration [[[
+#
+# The configuration options for GitLab Omnibus defined on hosts in a specific
+# Ansible inventory group.
+gitlab__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__host_configuration [[[
+#
+# The configuration options for GitLab Omnibus defined on specific hosts in the
+# Ansible inventory.
+gitlab__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab__combined_configuration [[[
+#
+# Variable which combines all GitLab Omnibus configuration variables and is
+# used in role tasks and templates.
+gitlab__combined_configuration: '{{ gitlab__default_configuration
+                                    + gitlab__configuration
+                                    + gitlab__group_configuration
+                                    + gitlab__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: gitlab__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+gitlab__apt_preferences__dependent_list:
+
+  - filename: 'gitlab.pref'
+    package: '{{ "gitlab-ce"
+                 if (gitlab__edition == "community")
+                 else ("gitlab-ee"
+                       if (gitlab__edition == "enterprise")
+                       else "") }}'
+    version: '{{ gitlab__preferred_version }}'
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__etc_services__dependent_list [[[
+#
+# List of custom :file:`/etc/services` to configure for the :ref:`debops.etc_services`
+# Ansible role.
+gitlab__etc_services__dependent_list:
+
+  - name: 'container-registry'
+    port: '{{ gitlab__registry_port }}'
+    protocols: [ 'tcp' ]
+    comment: 'GitLab Omnibus Container Registry'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__keyring__dependent_apt_keys [[[
+#
+# List of APT repositories and GPG keys managed by the :ref:`debops.keyring`
+# Ansible role.
+gitlab__keyring__dependent_apt_keys:
+
+  - id: 'F640 3F65 44A3 8863 DAA0  B6E0 3F01 618A 5131 2F3F'
+    repo: 'deb https://packages.gitlab.com/gitlab/gitlab-ee/debian/ {{ ansible_distribution_release }} main'
+    filename: 'gitlab_ee'
+    state: '{{ "present"
+               if (gitlab__edition == "enterprise")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__extrepo__dependent_sources [[[
+#
+# List of APT repository sources managed by the :ref:`debops.extrepo` Ansible
+# role.
+gitlab__extrepo__dependent_sources:
+
+  - name: 'gitlab_ce'
+    state: '{{ "present"
+               if (gitlab__edition == "community")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+gitlab__ferm__dependent_rules:
+
+  - name: 'gitlab_services'
+    type: 'accept'
+    by_role: 'debops.gitlab'
+    dport: '{{ gitlab__firewall_ports }}'
+    saddr: '{{ gitlab__allow + gitlab__group_allow + gitlab__host_allow }}'
+    accept_any: True
+    rule_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: gitlab__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+gitlab__ldap__dependent_tasks:
+
+  - name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
+    dn: '{{ gitlab__ldap_binddn }}'
+    objectClass: '{{ gitlab__ldap_self_object_classes }}'
+    attributes: '{{ gitlab__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if gitlab__ldap_device_dn | d() else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/gitlab/meta/main.yml b/ansible_collections/debops/debops/roles/gitlab/meta/main.yml
new file mode 100644
index 00000000..8d637cf2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install, upgrade and manage GitLab Omnibus instance'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - gitlab
+    - gitlabci
+    - git
+    - webapp
+    - rails
+    - development
+    - programming
+    - ci
diff --git a/ansible_collections/debops/debops/roles/gitlab/tasks/main.yml b/ansible_collections/debops/debops/roles/gitlab/tasks/main.yml
new file mode 100644
index 00000000..6677766a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/tasks/main.yml
@@ -0,0 +1,122 @@
+---
+# Copyright (C) 2015-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save information about GitLab in Ansible Facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/gitlab.fact.j2'
+    dest: '/etc/ansible/facts.d/gitlab.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Flush handlers if needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create GitLab UNIX system group
+  ansible.builtin.group:
+    name: '{{ gitlab__group }}'
+    state: 'present'
+    system: True
+
+- name: Create GitLab UNIX system account
+  ansible.builtin.user:
+    name: '{{ gitlab__user }}'
+    group: '{{ gitlab__group }}'
+    groups: '{{ gitlab__additional_groups }}'
+    comment: '{{ gitlab__comment }}'
+    home: '{{ gitlab__home }}'
+    shell: '{{ gitlab__shell }}'
+    state: 'present'
+    append: True
+    system: True
+
+- name: Create GitLab configuration directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    mode: '{{ item.mode }}'
+  loop:
+    - { path: '/etc/gitlab/ssl',           mode: '0755' }
+    - { path: '/etc/gitlab/trusted-certs', mode: '0755' }
+
+- name: Manage CA certificate symlinks in GitLab environment
+  ansible.builtin.file:  # noqa risky-file-permissions
+    path: '{{ "/etc/gitlab/trusted-certs/" + item.link }}'
+    src:  '{{ item.src }}'
+    state: '{{ item.state | d("link") }}'
+  loop: '{{ q("flattened", (gitlab__ssl_default_cacerts + gitlab__ssl_cacerts)) }}'
+  notify: [ 'Restart GitLab Omnibus' ]
+  when: gitlab__pki_enabled | bool
+
+- name: Manage private key and SSL certificate symlinks in GitLab environment
+  ansible.builtin.file:  # noqa risky-file-permissions
+    path: '{{ "/etc/gitlab/ssl/" + item.link }}'
+    src:  '{{ item.src }}'
+    state: '{{ item.state | d("link") }}'
+  loop: '{{ q("flattened", (gitlab__ssl_default_symlinks + gitlab__ssl_symlinks)) }}'
+  notify: [ 'Restart GitLab Omnibus' ]
+  when: gitlab__pki_enabled | bool
+
+- name: Generate GitLab Omnibus configuration
+  ansible.builtin.template:
+    src: 'etc/gitlab/gitlab.rb.j2'
+    dest: '/etc/gitlab/gitlab.rb'
+    mode: '0600'
+  notify: [ 'Reconfigure GitLab Omnibus' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove GitLab Omnibus backup cron job if requested
+  ansible.builtin.file:
+    path: '/etc/cron.d/backup-gitlab-omnibus'
+    state: 'absent'
+  when: not gitlab__backup_enabled | bool
+
+- name: Configure GitLab Omnibus backup cron job
+  ansible.builtin.template:
+    src: 'etc/cron.d/backup-gitlab-omnibus.j2'
+    dest: '/etc/cron.d/backup-gitlab-omnibus'
+    mode: '0644'
+  when: gitlab__backup_enabled | bool
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ gitlab__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: gitlab__pki_enabled | bool
+
+- name: Manage PKI gitlab hook
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/pki/hooks/gitlab.j2") }}'
+    dest: '{{ gitlab__pki_hook_path + "/gitlab" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: gitlab__pki_enabled | bool
+
+- name: Install GitLab APT packages
+  environment:
+    GITLAB_ROOT_PASSWORD: '{{ gitlab__initial_root_password }}'
+  ansible.builtin.package:
+    name: '{{ q("flattened", gitlab__base_packages + gitlab__packages) }}'
+    state: 'present'
+  register: gitlab__register_packages
+  until: gitlab__register_packages is succeeded
diff --git a/ansible_collections/debops/debops/roles/gitlab/templates/etc/ansible/facts.d/gitlab.fact.j2 b/ansible_collections/debops/debops/roles/gitlab/templates/etc/ansible/facts.d/gitlab.fact.j2
new file mode 100644
index 00000000..c633b733
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/templates/etc/ansible/facts.d/gitlab.fact.j2
@@ -0,0 +1,49 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {}
+
+output['installed'] = cmd_exists('gitlab-ctl')
+output['omnibus'] = cmd_exists('gitlab-ctl')
+
+if output['omnibus']:
+    try:
+        version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "gitlab-ce"]).decode('utf-8').split('-')[0]
+        if version_stdout:
+            output['version'] = version_stdout
+            output['edition'] = 'community'
+        else:
+            version_stdout = subprocess.check_output(
+                    ["dpkg-query", "-W", "-f=${Version}",
+                     "gitlab-ee"]).decode('utf-8').split('-')[0]
+            if version_stdout:
+                output['version'] = version_stdout
+                output['edition'] = 'enterprise'
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/gitlab/templates/etc/cron.d/backup-gitlab-omnibus.j2 b/ansible_collections/debops/debops/roles/gitlab/templates/etc/cron.d/backup-gitlab-omnibus.j2
new file mode 100644
index 00000000..5140acc6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/templates/etc/cron.d/backup-gitlab-omnibus.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Create a backup of the GitLab Omnibus installation.
+# Backup tarballs are stored in {{ gitlab__backup_path }}
+
+# Environment variables
+{% for key, value in (gitlab__backup_environment | combine(gitlab__backup_default_environment)) | dictsort %}
+{%   if value %}
+{{     '{}={}'.format(key | upper, value) }}
+{%   endif %}
+{% endfor %}
+
+# Cron job
+@{{ gitlab__backup_frequency }} root test -x /usr/bin/gitlab-backup && /usr/bin/gitlab-backup create
diff --git a/ansible_collections/debops/debops/roles/gitlab/templates/etc/gitlab/gitlab.rb.j2 b/ansible_collections/debops/debops/roles/gitlab/templates/etc/gitlab/gitlab.rb.j2
new file mode 100644
index 00000000..4b21e0a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/templates/etc/gitlab/gitlab.rb.j2
@@ -0,0 +1,112 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for item in gitlab__combined_configuration | debops.debops.parse_kv_items %}
+{%   if item.state not in [ 'absent', 'ignore', 'init' ] %}
+{%     if item.separator | d() %}
+{{       '' }}
+{%     endif %}
+{%     if (item.title | d() or item.comment | d()) and not loop.first %}
+{{       '' }}
+{%     endif %}
+{%     if item.title | d() %}
+{{       item.title | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='## ') -}}
+{%     endif %}
+{%     if item.comment | d() %}
+{{       item.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='##! ') -}}
+{%     endif %}
+{%     set item_comment = '' %}
+{%     if item.state == 'comment' %}
+{%       set item_comment = '# ' %}
+{%     endif %}
+{%     if item.raw | d() %}
+{%       if item.state == 'comment' %}
+{{         item.raw | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='# ') -}}
+{%       else %}
+{{         item.raw | regex_replace('\n$','') }}
+{%       endif %}
+{%     elif item.value is defined %}
+{%       if item.value | bool and item.value is not iterable %}
+{%         if item.value | string == '1' %}
+{{           "{}{} {}".format(item_comment, item.name, item.value) }}
+{%         else %}
+{{           "{}{} {}".format(item_comment, item.name, 'true') }}
+{%         endif %}
+{%       elif not item.value | bool and item.value is not iterable %}
+{%         if item.value is not none %}
+{%           if item.value | int or item.value | string == '0' %}
+{{             "{}{} {}".format(item_comment, item.name, item.value) }}
+{%           else %}
+{{             "{}{} {}".format(item_comment, item.name, 'false') }}
+{%           endif %}
+{%         endif %}
+{%       elif item.value is string %}
+{%         if item.value == 'nil' %}
+{{           "{}{} {}".format(item_comment, item.name, item.value) }}
+{%         else %}
+{{           "{}{} '{}'".format(item_comment, item.name, item.value) }}
+{%         endif %}
+{%       elif item.value is number %}
+{{         "{}{} {}".format(item_comment, item.name, item.value) }}
+{%       elif item.value is not string and item.value is not mapping %}
+{{         "{}{} {}".format(item_comment, item.name, "['" + item.value | join("', '") + "']") }}
+{%       endif %}
+{%     elif item.options | d() %}
+{%       for element in item.options %}
+{%         if element.state not in [ 'absent', 'ignore', 'init' ] %}
+{%           if (element.title | d() or element.comment | d()) %}
+{{             '' }}
+{%           endif %}
+{%           if element.title | d() %}
+{{             element.title | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='## ') -}}
+{%           endif %}
+{%           if element.comment | d() %}
+{{             element.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='##! ') -}}
+{%           endif %}
+{%           set element_comment = '' %}
+{%           if element.state == 'comment' %}
+{%             set element_comment = '# ' %}
+{%           endif %}
+{%           if element.raw | d() %}
+{%             if element.state == 'comment' %}
+{{               element.raw | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='# ') -}}
+{%             else %}
+{{               element.raw | regex_replace('\n$','') }}
+{%             endif %}
+{%           elif element.value is defined %}
+{%             if element.value | bool and element.value is not iterable %}
+{%               if element.value | string == '1' %}
+{{                 "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
+{%               else %}
+{{                 "{}{}['{}'] = {}".format(element_comment, item.name, element.name, 'true') }}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int or element.value | string == '0' %}
+{{                   "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
+{%                 else %}
+{{                   "{}{}['{}'] = {}".format(element_comment, item.name, element.name, 'false') }}
+{%                 endif %}
+{%               endif %}
+{%             elif element.value is string %}
+{%               if element.value == 'nil' %}
+{{                 "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
+{%               else %}
+{{                 "{}{}['{}'] = '{}'".format(element_comment, item.name, element.name, element.value) }}
+{%               endif %}
+{%             elif element.value is number %}
+{{               "{}{}['{}'] = {}".format(element_comment, item.name, element.name, element.value) }}
+{%             elif element.value is not string and element.value is not mapping %}
+{{               "{}{}['{}'] = {}".format(element_comment, item.name, element.name, "['" + element.value | join("', '") + "']") }}
+{%             endif %}
+{%           else %}
+{{             "{}{}['{}'] = []".format(element_comment, item.name, element.name) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/gitlab/templates/etc/pki/hooks/gitlab.j2 b/ansible_collections/debops/debops/roles/gitlab/templates/etc/pki/hooks/gitlab.j2
new file mode 100644
index 00000000..15d11324
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab/templates/etc/pki/hooks/gitlab.j2
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2025 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2025 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Restart GitLab Omnibus nginx service on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+# Check if any GitLab Omnibus certificates are symlinked from the current PKI realm
+certificate="$(find /etc/gitlab/ssl -type l -exec readlink -f {} + | grep "/etc/pki/realms/${PKI_SCRIPT_REALM}" || true)"
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                gitlab_state="$(systemctl is-active gitlab-runsvdir.service)"
+                if [ "${gitlab_state}" = "active" ] ; then
+                    gitlab-ctl restart nginx
+                fi
+
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/COPYRIGHT b/ansible_collections/debops/debops/roles/gitlab_runner/COPYRIGHT
new file mode 100644
index 00000000..c2340996
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.gitlab_runner - Manage GitLab Runner instances using Ansible
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/defaults/main.yml b/ansible_collections/debops/debops/roles/gitlab_runner/defaults/main.yml
new file mode 100644
index 00000000..32859607
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/defaults/main.yml
@@ -0,0 +1,747 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _gitlab_runner__ref_defaults:
+
+# debops.gitlab_runner default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Package installation [[[
+# ------------------------
+
+# .. envvar:: gitlab_runner__apt_upstream [[[
+#
+# Enable configuration of upstream GitLab Runner repository. Currently it's the
+# only source of the required packages, but if you have downloaded them into
+# your own APT repository, you can disable upstream using this variable.
+gitlab_runner__apt_upstream: True
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__apt_key [[[
+#
+# GPG key which signs the upstream APT repository package list.
+gitlab_runner__apt_key: 'F6403F6544A38863DAA0B6E03F01618A51312F3F'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__apt_repo [[[
+#
+# APT ``sources.list`` configuration of the upstream GitLab Runner repository.
+gitlab_runner__apt_repo: 'deb https://packages.gitlab.com/runner/gitlab-runner/{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} main'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__base_packages [[[
+#
+# List of APT packages which will be installed by the role.
+gitlab_runner__base_packages:
+  - 'gitlab-runner'
+  - '{{ ["vagrant-libvirt", "libguestfs-tools", "busybox", "patch"]
+        if gitlab_runner__vagrant_libvirt | bool
+        else [] }}'
+  - '{{ "vagrant-lxc" if gitlab_runner__vagrant_lxc | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__packages [[[
+#
+# List of additional APT packages to install with GitLab Runner.
+gitlab_runner__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# User, group, home directory [[[
+# -------------------------------
+
+# .. envvar:: gitlab_runner__user [[[
+#
+# System user account which will be used to run GitLab Runner jobs.
+gitlab_runner__user: 'gitlab-runner'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__group [[[
+#
+# System group which will be used to run GitLab Runner jobs.
+gitlab_runner__group: 'gitlab-runner'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__additional_groups [[[
+#
+# List of additional groups to which add the GitLab Runner user account,
+# specified as dictionaries. Missing groups will be added automatically.
+# Dictionary keys used by this variable:
+#
+# - ``name``: required, name of the group.
+#
+# - ``system``: optional, bool. If ``True``, the group will be a system group.
+#
+# System groups have GID < 1000. If ``system`` key is not specified, the value
+# of :envvar:`gitlab_runner__system` is used instead.
+gitlab_runner__additional_groups: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__system [[[
+#
+# If ``True``, the created user and groups will have UID and GID < 1000 and
+# will be considered "local" user and groups.
+gitlab_runner__system: True
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__home [[[
+#
+# Home directory of the GitLab Runner user.
+gitlab_runner__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+	                 + "/" + gitlab_runner__user }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__comment [[[
+#
+# Comment or GECOS field set on the GitLab Runner account.
+gitlab_runner__comment: 'GitLab Runner'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__shell [[[
+#
+# Default shell used by the GitLab Runner user account.
+gitlab_runner__shell: '/bin/bash'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global configuration [[[
+# ------------------------
+
+# .. envvar:: gitlab_runner__concurrent [[[
+#
+# Global number of jobs that can run concurrently on all configured runners.
+gitlab_runner__concurrent: '{{ ansible_processor_vcpus
+                               if (ansible_local | d() and
+                                   ansible_local.docker_server | d() and
+                                   (ansible_local.docker_server.installed | d()) | bool)
+                               else "1" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__domain [[[
+#
+# The default domain used in different places of the role.
+gitlab_runner__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__fqdn [[[
+#
+# The Fully Qualified Domain Name of the GitLab Runner host.
+gitlab_runner__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__gitlab_srv_rr [[[
+#
+# List which contains the result of the DNS query for Gitlab server ``SRV``
+# resource records in the host's domain. See :rfc:`2782` for details.
+#
+# If there are no resource records, the role checks if a local Gitlab
+# installation is present and uses the host FQDN as the Gitlab API server
+# address. Finally, ``code.<domain>`` is used as a fallback.
+gitlab_runner__gitlab_srv_rr: '{{ q("debops.debops.dig_srv", "_gitlab._tcp." + gitlab_runner__domain,
+                                    ansible_fqdn
+                                    if (ansible_local | d() and ansible_local.gitlab | d() and
+                                       (ansible_local.gitlab.installed | d()) | bool)
+                                    else ("code." + gitlab_runner__domain), 443) }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__api_fqdn [[[
+#
+# The Fully Qualified Domain Name (FQDN) of the GitLab CI host which will control the
+# runner operation.
+#
+# The use of the FQDN instead of ``localhost`` is required for X.509
+# certificate verification and for correct information in system logs.
+gitlab_runner__api_fqdn: '{{ gitlab_runner__gitlab_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__api_url [[[
+#
+# The HTTP API endpoint of the GitLab CI server.
+# The role will check if the API server is available before trying to use it.
+gitlab_runner__api_url: 'https://{{ gitlab_runner__api_fqdn }}/'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__api_token [[[
+#
+# The personal GitLab API access token used to register or remove the runners in GitLab.
+# You can generate an access token in GitLab "User Settings", "Access Tokens"
+# configuration page.
+gitlab_runner__api_token: '{{ lookup("env", "GITLAB_API_TOKEN") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__runner_type [[[
+#
+# The scope of the runner.
+# It can be one of the following values: ``instance_type``,
+# ``group_type`` or ``project_type``
+gitlab_runner__runner_type: 'instance_type'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__group_id [[[
+#
+# The ID of the group that the runner is created in.
+# Required if ``gitlab_runner__runner_type`` is ``group_type``.
+gitlab_runner__group_id: ~
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__project_id [[[
+#
+# The ID of the project that the runner is created in.
+# Required if ``gitlab_runner__runner_type`` is ``project_type``.
+gitlab_runner__project_id: ~
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__executor [[[
+#
+# Default "executor" used by the runners.
+gitlab_runner__executor: 'shell'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__metrics_server [[[
+#
+# The embedded Prometheus metrics server listener configuration in format:
+# ``[host]:<port>``.
+gitlab_runner__metrics_server: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__environment [[[
+#
+# A set of custom environment variables added to each GitLab Runner.
+# See :ref:`gitlab_runner__environment` for more details.
+gitlab_runner__environment: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# GitLab Runner tags [[[
+# ----------------------
+
+# .. envvar:: gitlab_runner__shell_tags [[[
+#
+# List of tags automatically generated by the role, based on Ansible facts.
+# These tags are used with shell executors.
+gitlab_runner__shell_tags: '{{ lookup("template",
+                               "lookup/gitlab_runner__shell_tags.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__default_tags [[[
+#
+# List of default tags applied to the Runner at registration in GitLab CI.
+gitlab_runner__default_tags: [ 'managed-by-debops' ]
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__tags [[[
+#
+# List of global tags applied to the Runner at registration in GitLab CI.
+gitlab_runner__tags: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__group_tags [[[
+#
+# List of tags applied to the Runner at registration in GitLab CI based on an
+# inventory group.
+gitlab_runner__group_tags: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__host_tags [[[
+#
+# List of per-host tags applied to the Runner at registration in GitLab CI.
+gitlab_runner__host_tags: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__combined_tags [[[
+#
+# Combined list of system-wide tags for easier use in the role tasks.
+gitlab_runner__combined_tags: '{{ gitlab_runner__default_tags
+                                  + gitlab_runner__tags
+                                  + gitlab_runner__group_tags
+                                  + gitlab_runner__host_tags }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# GitLab Runner instances [[[
+# ---------------------------
+
+# GitLab Runner instances are configured as separate dictionary entries. Each
+# entry supports keys of the same name as most of the default variables with
+# ``gitlab_runner__`` stripped, for example ``item.docker_volumes`` instead of
+# :envvar:`gitlab_runner__docker_volumes`. If a key is not specified, a default value
+# will be used if configured on the role level.
+
+# An instance requires at least an ``item.name`` key, which is used as the
+# Runner instance description. The ``item.state`` key can be used to delete an
+# instance, when it's set to ``absent``.
+
+# .. envvar:: gitlab_runner__default_instances [[[
+#
+# List of default GitLab Runner instances.
+gitlab_runner__default_instances:
+
+  - name: '{{ ansible_hostname + "-shell" }}'
+    executor: 'shell'
+    run_untagged: False
+    state: '{{ "absent"
+               if (ansible_local | d() and ansible_local.docker_server | d() and
+                   (ansible_local.docker_server.installed | d()) | bool)
+               else "present" }}'
+
+  - name: '{{ ansible_hostname + "-docker" }}'
+    executor: 'docker'
+    tags: [ 'docker' ]
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.docker_server | d() and
+                   (ansible_local.docker_server.installed | d()) | bool)
+               else "absent" }}'
+
+  - name: '{{ ansible_hostname + "-docker-root" }}'
+    executor: 'docker'
+    concurrent: '{{ ansible_processor_vcpus }}'
+    docker_privileged: True
+    run_untagged: False
+    tags: [ 'docker-privileged' ]
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.docker_server | d() and
+                   (ansible_local.docker_server.installed | d()) | bool)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__instances [[[
+#
+# Global list of GitLab Runner instances.
+gitlab_runner__instances: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__group_instances [[[
+#
+# List of GitLab Runner instances in Ansible host group.
+gitlab_runner__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__host_instances [[[
+#
+# List of GitLab Runner instances on a particular host.
+gitlab_runner__host_instances: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom file upload [[[
+# ----------------------
+
+# .. envvar:: gitlab_runner__custom_files [[[
+#
+# List of custom files to upload to GitLab Runner host. Each entry is
+# a dictionary with keys the same as the ``copy`` module options.
+# This list is meant to be configured for all hosts.
+gitlab_runner__custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__group_custom_files [[[
+#
+# List of custom files to upload to GitLab Runner host. Each entry is
+# a dictionary with keys the same as the ``copy`` module options.
+# This list is meant to be configured for a group of hosts.
+gitlab_runner__group_custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__host_custom_files [[[
+#
+# List of custom files to upload to GitLab Runner host. Each entry is
+# a dictionary with keys the same as the ``copy`` module options.
+# This list is meant to be configured for specific hosts.
+gitlab_runner__host_custom_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Shell executor configuration [[[
+# --------------------------------
+
+# These variables control what features are configured on the GitLab Runner
+# host to use by the shell executor.
+
+# .. envvar:: gitlab_runner__vagrant_libvirt [[[
+#
+# Enable or disable support for Vagrant libvirt plugin (configuration of this
+# support also implies installation of :command:`vagrant` on the GitLab Runner
+# host).
+#
+# Enabling Vagrant libvirt will add the ``gitlab-runner`` UNIX account to the
+# ``libvirt`` and ``kvm`` UNIX groups, required for libvirt access by Vagrant.
+gitlab_runner__vagrant_libvirt: '{{ True
+                                    if (ansible_local | d() and ansible_local.libvirtd | d() and
+                                        (ansible_local.libvirtd.installed | d()) | bool and
+                                        (ansible_distribution_release not in
+                                         ["trusty"]))
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__vagrant_libvirt_patch [[[
+#
+# Patch ``vagrant-libvirt`` source code to fix an issue with removed SSH host
+# keys that prevent interaction with Vagrant VMs.
+# See the patch file in :file:`files/patches/` directory for more details.
+gitlab_runner__vagrant_libvirt_patch: '{{ True
+                                          if (gitlab_runner__vagrant_libvirt | bool and
+                                              ansible_distribution_release in
+                                              ["stretch", "buster"])
+                                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__vagrant_libvirt_patch_state [[[
+#
+# Select the state of the custom ``vagrant-libvirt`` patches managed by this
+# role. If the state is ``present``, the patches will be applied on the host;
+# the ``absent`` state will remove them and restore the source to its original
+# state.
+gitlab_runner__vagrant_libvirt_patch_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__vagrant_lxc [[[
+#
+# Enable or disable support for Vagrant LXC plugin (configuration of this
+# support also implies installation of :command:`vagrant` on the GitLab Runner
+# host). Enabling Vagrant LXC will give limited :command:`sudo` access for the
+# GitLab Runner UNIX account to allow access to LXC commands.
+gitlab_runner__vagrant_lxc: '{{ True
+                                if (ansible_local | d() and ansible_local.lxc | d() and
+                                    (ansible_local.lxc.installed | d()) | bool and
+                                    (ansible_distribution_release not in
+                                     ["trusty"]))
+                                else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSH key and host management [[[
+# -------------------------------
+
+# .. envvar:: gitlab_runner__ssh_generate [[[
+#
+# Generate ``~/.ssh/id_rsa`` SSH private and public key if it doesn't exist.
+# The generated SSH key does not contain a passhprase so that it can be used
+# non-interactively by ``gitlab-runner`` daemon.
+gitlab_runner__ssh_generate: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_generate_bits [[[
+#
+# Size of the generated SSH key.
+gitlab_runner__ssh_generate_bits: '4096'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_install_to [[[
+#
+# List of hosts which should have the ``gitlab-runner`` SSH key installed using
+# a ``delegate_to`` Ansible mechanism and ``authorized_key`` module. Ansible
+# will use connection information available in inventory to reach hosts. Each entry
+# is a dictionary with keys:
+#
+# - ``host``: the host address, it should be accessible to Ansible Controller
+#
+# - ``user``: user account which should will have the SSH key installed
+#
+# - ``options``: SSH ``authorized_keys`` options to set for a given key
+#
+# - ``become``: whether or not to use become once connected
+#
+gitlab_runner__ssh_install_to: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_known_hosts [[[
+#
+# List of host names which SSH host fingerprints should be scanned and added to
+# the ``~/.ssh/known_hosts`` file of the ``gitlab-runner`` account. This should
+# allow ``git clone`` commands over SSH.
+gitlab_runner__ssh_known_hosts: [ '{{ gitlab_runner__fqdn }}' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# SSH executor configuration [[[
+# ------------------------------
+
+# You should refer to `SSH executor documentation <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersssh-section>`_
+# for information about what can be configured and the required syntax.
+
+# .. envvar:: gitlab_runner__ssh_host [[[
+#
+# FQDN host where SSH executor should connect to, unless overridden in the
+# runner instance configuration.
+gitlab_runner__ssh_host: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_port [[[
+#
+# Port to use by the SSH executor.
+gitlab_runner__ssh_port: '22'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_user [[[
+#
+# Username which the SSH executor should use to connect to the remote host.
+gitlab_runner__ssh_user: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_identity_file [[[
+#
+# Absolute path to the SSH identity file stored on the remote host which should
+# be used by the SSH executor to connect to the ssh host.
+gitlab_runner__ssh_identity_file: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__ssh_password [[[
+#
+# Password which should be used by the SSH executor to connect to the host.
+# This password is only used for SSH authentication, normally you should use an
+# identity file instead.
+gitlab_runner__ssh_password: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker executor configuration [[[
+# ---------------------------------
+
+# You should refer to the `Docker executor documentation <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersdocker-section>`_
+# for information about what can be configured and what's the specific syntax
+# of each option.
+
+# .. envvar:: gitlab_runner__docker_host [[[
+#
+# Specify the FQDN hostname of the remote Docker host. If nothing is specified,
+# local Docker instance is used.
+gitlab_runner__docker_host: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_tls_cert_path [[[
+#
+# Path to a directory with X.509 certificate, private key and CA certificate
+# used to authenticate to a remote Docker instance.
+gitlab_runner__docker_tls_cert_path: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_image [[[
+#
+# Name of the Docker image to use for containers.
+gitlab_runner__docker_image: 'debian'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_privileged [[[
+#
+# Enable or disable execution of Docker containers in privileged mode.
+gitlab_runner__docker_privileged: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_disable_cache [[[
+#
+# Enable or disable use of cache by Docker.
+gitlab_runner__docker_disable_cache: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_cache_dir [[[
+#
+# Directory with Docker cache data.
+gitlab_runner__docker_cache_dir: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_cap_add [[[
+#
+# Specify list of POSIX capabilities to add to a container.
+gitlab_runner__docker_cap_add: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_cap_drop [[[
+#
+# Specify list of POSIX capabilities to drop from a container.
+gitlab_runner__docker_cap_drop: [ 'NET_ADMIN', 'SYS_ADMIN', 'DAC_OVERRIDE' ]
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_devices [[[
+#
+# List of devices to add to a Docker container.
+gitlab_runner__docker_devices: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_extra_hosts [[[
+#
+# List of additional :file:`/etc/hosts` entries to set in a Docker container.
+gitlab_runner__docker_extra_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_links [[[
+#
+# List of other containers to link to a given container.
+gitlab_runner__docker_links: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_services [[[
+#
+# List of other services enabled in a container.
+gitlab_runner__docker_services: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_volumes [[[
+#
+# List of volumes mounted in a container.
+gitlab_runner__docker_volumes: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_allowed_images [[[
+#
+# Specify a wildcard list of images which can be listed in a :file:`.gitlab-ci.yml`
+# file and are allowed to be used.
+gitlab_runner__docker_allowed_images: []
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__docker_allowed_services [[[
+#
+# Specify a wildcard list of services which can be listed in
+# a :file:`.gitlab-ci.yml` file and are allowed to be used.
+gitlab_runner__docker_allowed_services: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Docker Machine and autoscaling [[[
+# ----------------------------------
+
+# You should refer to the `GitLab Runner autoscaling documentation <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersmachine-section>`_
+# for information about what can be configured and what's the specific syntax
+# of each option.
+
+# .. envvar:: gitlab_runner__machine_idle_count [[[
+#
+# Number of machines, that need to be created and waiting in Idle state.
+gitlab_runner__machine_idle_count: '{{ ansible_processor_cores }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_idle_time [[[
+#
+# Time (in seconds) for machine to be in Idle state before it is removed.
+gitlab_runner__machine_idle_time: '600'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_max_builds [[[
+#
+# Builds count after which machine will be removed.
+gitlab_runner__machine_max_builds: '100'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_name [[[
+#
+# Name of the machine. It must contain ``%s``, which will be replaced with
+# a unique machine identifier.
+gitlab_runner__machine_name: 'auto-scale-%s.{{ gitlab_runner__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_driver [[[
+#
+# Docker Machine "driver" to use. You should refer to `Docker Machine
+# documentation <https://docs.docker.com/machine/drivers/>`_ for more
+# information about supported drivers.
+gitlab_runner__machine_driver: 'generic'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_offpeakperiods [[[
+#
+# Autoscale can be configured with the support for Off Peak time mode periods.
+# Time periods when the scheduler is in the OffPeak mode.You should refer
+# to `Gitlab Runner Advanced configuration documentation
+# <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#offpeakperiods-syntax>`_ for more
+# information about OffPeakPeriods syntax.
+gitlab_runner__machine_offpeakperiods: ["* * 0-7,19-23 * * mon-fri *", "* * * * * sat,sun *"]
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_offpeakidlecount [[[
+#
+# Like IdleCount, but for Off Peak time periods.
+gitlab_runner__machine_offpeakidlecount: 0
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_offpeakidletime [[[
+#
+# Like IdleTime, but for Off Peak time mperiods.
+gitlab_runner__machine_offpeakidletime: 1200
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__machine_options [[[
+#
+# List of options to pass to Docker Machine. See the GitLab Runner autoscaling
+# documentation for more details.
+gitlab_runner__machine_options: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Distributed cache configuration [[[
+# -----------------------------------
+
+# You should refer to the `GitLab Runner cache documentation <https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnerscache-section>`_
+# for information about what can be configured and what's the specific syntax
+# of each option.
+
+# .. envvar:: gitlab_runner__cache [[[
+#
+# Enable the support for distributed cache.
+gitlab_runner__cache: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_type [[[
+#
+# Select the cache type. Currently only ``s3`` is supported.
+gitlab_runner__cache_type: 's3'
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_server_address [[[
+#
+# Specify the cache server address.
+gitlab_runner__cache_server_address: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_access_key [[[
+#
+# Specify the cache access key.
+gitlab_runner__cache_access_key: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_secret_key [[[
+#
+# Specify the cache secret key.
+gitlab_runner__cache_secret_key: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_bucket_name [[[
+#
+# Name of the S3 bucket to use for the cache.
+gitlab_runner__cache_bucket_name: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_bucket_location [[[
+#
+# Cache bucket location
+gitlab_runner__cache_bucket_location: ''
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_insecure [[[
+#
+# Enable or disable connections to the S3 service over HTTP instead of HTTPS.
+gitlab_runner__cache_insecure: False
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__cache_shared [[[
+#
+# Enables cache sharing between runners.
+gitlab_runner__cache_shared: False
+
+                                                                   # ]]]
+# .. envvar:: gitlab_runner__run_untagged [[[
+#
+# Enable or disable running untagged jobs.
+gitlab_runner__run_untagged: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: gitlab_runner__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+gitlab_runner__keyring__dependent_apt_keys:
+
+  - id: '{{ gitlab_runner__apt_key }}'
+    repo: '{{ gitlab_runner__apt_repo }}'
+    state: '{{ "present" if gitlab_runner__apt_upstream | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.37.patch b/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.37.patch
new file mode 100644
index 00000000..af0b5756
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.37.patch
@@ -0,0 +1,33 @@
+# Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# During 'vagrant package' operation, 'virt-sysprep' command removes existing
+# SSH host keys. However, at the next boot of the packaged box, they are not
+# regenerated automatically, and this breaks Vagrant provisioning as well as
+# the 'vagrant ssh' command. Another problem is re-creation of the existing
+# '/etc/machine-id' file if it has been zeroed out, which breaks DHCP and VM
+# networking during operation of multiple Vagrant machines at once.
+#
+# This patch is hopefully a temporary solution to these problems until a better
+# one is found. It will disable the removal of existing SSH host keys and VM
+# customization by the 'virt-sysprep' command. This is not advisable in
+# a production environment, however can be sufficient for a temporary, test
+# environment.
+#
+# See also: https://github.com/vagrant-libvirt/vagrant-libvirt/issues/759
+# See also: https://github.com/vagrant-libvirt/vagrant-libvirt/issues/851#issuecomment-520799720
+#
+# Work directory: /usr/share/rubygems-integration/all/gems/vagrant-libvirt-*
+
+--- lib/vagrant-libvirt/action/package_domain.rb
++++ lib/vagrant-libvirt/action/package_domain.rb
+@@ -38,7 +38,7 @@
+           `qemu-img rebase -p -b "" #{@tmp_img}`
+           # remove hw association with interface
+           # working for centos with lvs default disks
+-          `virt-sysprep --no-logfile --operations defaults,-ssh-userdir -a #{@tmp_img}`
++          `virt-sysprep --no-logfile --operations defaults,-ssh-userdir,-ssh-hostkeys,-customize -a #{@tmp_img}`
+           Dir.chdir(@tmp_dir)
+           img_size = `qemu-img info #{@tmp_img} | grep 'virtual size' | awk '{print $3;}' | tr -d 'G'`.chomp
+           File.write(@tmp_dir + '/metadata.json', metadata_content(img_size))
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.45.patch b/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.45.patch
new file mode 100644
index 00000000..c9b6971a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/files/patches/package_domain-keep-ssh-host-keys-0.0.45.patch
@@ -0,0 +1,33 @@
+# Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# During 'vagrant package' operation, 'virt-sysprep' command removes existing
+# SSH host keys. However, at the next boot of the packaged box, they are not
+# regenerated automatically, and this breaks Vagrant provisioning as well as
+# the 'vagrant ssh' command. Another problem is re-creation of the existing
+# '/etc/machine-id' file if it has been zeroed out, which breaks DHCP and VM
+# networking during operation of multiple Vagrant machines at once.
+#
+# This patch is hopefully a temporary solution to these problems until a better
+# one is found. It will disable the removal of existing SSH host keys and VM
+# customization by the 'virt-sysprep' command. This is not advisable in
+# a production environment, however can be sufficient for a temporary, test
+# environment.
+#
+# See also: https://github.com/vagrant-libvirt/vagrant-libvirt/issues/759
+# See also: https://github.com/vagrant-libvirt/vagrant-libvirt/issues/851#issuecomment-520799720
+#
+# Work directory: /usr/share/rubygems-integration/all/gems/vagrant-libvirt-*
+
+--- lib/vagrant-libvirt/action/package_domain.rb
++++ lib/vagrant-libvirt/action/package_domain.rb
+@@ -38,7 +38,7 @@
+           `qemu-img rebase -p -b "" #{@tmp_img}`
+           # remove hw association with interface
+           # working for centos with lvs default disks
+-          `virt-sysprep --no-logfile --operations defaults,-ssh-userdir -a #{@tmp_img}`
++          `virt-sysprep --no-logfile --operations defaults,-ssh-userdir,-ssh-hostkeys,-customize -a #{@tmp_img}`
+           # add any user provided file
+           extra = ''
+           @tmp_include = @tmp_dir + '/_include'
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/meta/main.yml b/ansible_collections/debops/debops/roles/gitlab_runner/meta/main.yml
new file mode 100644
index 00000000..74951cd5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage GitLab Runner instances'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - gitlab
+    - git
+    - docker
+    - ssh
+    - ci
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/tasks/main.yml b/ansible_collections/debops/debops/roles/gitlab_runner/tasks/main.yml
new file mode 100644
index 00000000..80733556
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/tasks/main.yml
@@ -0,0 +1,266 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Create required groups
+  ansible.builtin.group:
+    name: '{{ item.name if item.name | d() else item }}'
+    system: '{{ item.system | bool if item.system is defined else gitlab_runner__system | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", [gitlab_runner__group]
+                           + gitlab_runner__additional_groups) }}'
+
+- name: Create gitlab-runner user
+  ansible.builtin.user:
+    name: '{{ gitlab_runner__user }}'
+    group: '{{ gitlab_runner__group }}'
+    groups: '{{ gitlab_runner__additional_groups | map(attribute="name") | list | join(",") }}'
+    append: True
+    home: '{{ gitlab_runner__home }}'
+    system: '{{ gitlab_runner__system | bool }}'
+    comment: '{{ gitlab_runner__comment }}'
+    shell: '{{ gitlab_runner__shell }}'
+    state: 'present'
+    generate_ssh_key: '{{ gitlab_runner__ssh_generate | bool }}'
+    ssh_key_bits: '{{ gitlab_runner__ssh_generate_bits }}'
+    skeleton: null
+
+- name: Remove '~/.bash_logout' to avoid conflicts with the shell runner
+  ansible.builtin.file:
+    state: 'absent'
+    path: "{{ gitlab_runner__home }}/.bash_logout"
+
+- name: Allow Docker access for gitlab-runner user
+  ansible.builtin.user:
+    name: '{{ gitlab_runner__user }}'
+    groups: 'docker'
+    append: True
+  when: (ansible_local | d() and ansible_local.docker_server | d() and
+         (ansible_local.docker_server.installed | d()) | bool)
+
+- name: Copy custom files to GitLab Runner host
+  ansible.builtin.copy:
+    src: '{{ item.src | d(omit) }}'
+    content: '{{ item.content | d(omit) }}'
+    dest: '{{ item.dest }}'
+    owner: '{{ item.owner | d(omit) }}'
+    group: '{{ item.group | d(omit) }}'
+    mode: '{{ item.mode | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+    follow: '{{ item.follow | d(omit) }}'
+    force: '{{ item.force | d(omit) }}'
+  loop: '{{ q("flattened", gitlab_runner__custom_files
+                           + gitlab_runner__group_custom_files
+                           + gitlab_runner__host_custom_files) }}'
+  when: ((item.src | d() or item.content | d()) and item.dest | d())
+
+- name: Make sure APT can access HTTPS repositories
+  ansible.builtin.apt:
+    name: [ 'apt-transport-https', 'openssl', 'ca-certificates' ]
+    state: 'present'
+    install_recommends: False
+    update_cache: True
+    cache_valid_time: '{{ ansible_local.core.cache_valid_time | d("86400") }}'
+  register: gitlab_runner__register_apt_https
+  until: gitlab_runner__register_apt_https is succeeded
+
+- name: Install gitlab-runner packages
+  ansible.builtin.apt:
+    name: "{{ query('flattened', gitlab_runner__base_packages +
+                                 gitlab_runner__packages) }}"
+    state: 'present'
+    install_recommends: False
+  register: gitlab_runner__register_packages
+  until: gitlab_runner__register_packages is succeeded
+
+- name: Register new GitLab Runners
+  ansible.builtin.uri:
+    url: '{{ (item.api_url | d(gitlab_runner__api_url)) + "api/v4/user/runners" }}'
+    method: 'POST'
+    headers:
+      'PRIVATE-TOKEN': '{{ item.api_token | d(gitlab_runner__api_token) }}'
+    body_format: 'form-urlencoded'
+    body:
+      runner_type: '{{ item.runner_type | d(gitlab_runner__runner_type) }}'
+      group_id: '{{ item.group_id | d(gitlab_runner__group_id) | d(omit) }}'
+      project_id: '{{ item.project_id | d(gitlab_runner__project_id) | d(omit) }}'
+      description: '{{ item.name }}'
+      tag_list: '{{ (item.tags | d([])
+                     + (gitlab_runner__shell_tags
+                        if (item.executor == "shell") else [])
+                     + gitlab_runner__combined_tags)
+                     | unique | join(",") }}'
+      run_untagged: '{{ item.run_untagged | d(gitlab_runner__run_untagged) }}'
+      paused: '{{ item.paused | d(omit) }}'
+      locked: '{{ item.locked | d(omit) }}'
+      access_level: '{{ item.access_level | d(omit) }}'
+      maximum_timeout: '{{ item.maximum_timeout | d(omit) }}'
+      maintenance_note: '{{ item.maintenance_note | d(omit) }}'
+    status_code: '200,201'
+  register: gitlab_runner__register_new_instances
+  loop: '{{ q("flattened", gitlab_runner__default_instances
+                           + gitlab_runner__instances
+                           + gitlab_runner__group_instances
+                           + gitlab_runner__host_instances) }}'
+  when: ((item.api_token | d() or gitlab_runner__api_token) and item.name and
+         (item.state is undefined or item.state != 'absent') and
+         (ansible_local is undefined or
+          (ansible_local | d() and (ansible_local.gitlab_runner is undefined or
+           (ansible_local.gitlab_runner | d() and ansible_local.gitlab_runner.instances is defined and
+            item.name not in ansible_local.gitlab_runner.instances)))))
+
+- name: Generate GitLab Runner configuration files
+  ansible.builtin.template:
+    src: 'etc/gitlab-runner/{{ item }}.j2'
+    dest: '/etc/gitlab-runner/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  with_items: [ 'config.toml', 'ansible.json' ]
+
+- name: Delete GitLab Runners if requested
+  ansible.builtin.uri:
+    url: '{{ (item.0.api_url | d(gitlab_runner__api_url)) + "api/v4/runners/" + item.1.id | string }}'
+    method: 'DELETE'
+    headers:
+      'PRIVATE-TOKEN': '{{ item.0.api_token | d(gitlab_runner__api_token) }}'
+  with_together:
+    - '{{ gitlab_runner__default_instances + gitlab_runner__instances
+          + gitlab_runner__group_instances + gitlab_runner__host_instances }}'
+    - '{{ ansible_local.gitlab_runner.instance_tokens | d([]) }}'
+  when: ((item.0.api_token | d() or gitlab_runner__api_token)
+         and item.0.name | d() and item.1.name | d() and item.0.name == item.1.name and
+         (item.0.state | d() and item.0.state == 'absent'))
+  failed_when: False
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Get the SSH key from the remote host
+  ansible.builtin.slurp:
+    src: '~{{ gitlab_runner__user }}/.ssh/id_rsa.pub'
+  register: gitlab_runner__register_ssh_key
+  when: gitlab_runner__ssh_generate | bool
+
+- name: Distribute SSH key to other hosts
+  ansible.posix.authorized_key:
+    key: '{{ gitlab_runner__register_ssh_key.content | b64decode | trim }}'
+    user: '{{ item.user }}'
+    state: 'present'
+    key_options: '{{ item.options | d() }}'
+  delegate_to: '{{ item.host }}'
+  become: '{{ item.become | d(True) }}'
+  with_items: '{{ gitlab_runner__ssh_install_to }}'
+  when: gitlab_runner__ssh_generate | bool and item.user | d() and item.host | d()
+
+- name: Make sure that the ~/.ssh directory exists
+  ansible.builtin.file:
+    path: '{{ gitlab_runner__home }}/.ssh'
+    state: 'directory'
+    owner: '{{ gitlab_runner__user }}'
+    group: '{{ gitlab_runner__group }}'
+    mode: '0700'
+  when: gitlab_runner__ssh_known_hosts | d()
+
+- name: Make sure the ~/.ssh/known_hosts file exists
+  ansible.builtin.copy:
+    content: ''
+    dest: '{{ gitlab_runner__home }}/.ssh/known_hosts'
+    owner: '{{ gitlab_runner__user }}'
+    group: '{{ gitlab_runner__group }}'
+    mode: '0644'
+    force: False
+  when: gitlab_runner__ssh_known_hosts | d()
+
+- name: Get list of already scanned host fingerprints
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         ssh-keygen -f {{ gitlab_runner__home }}/.ssh/known_hosts -F {{ item }} | grep -q '^# Host {{ item }} found'
+  args:
+    executable: 'bash'
+  with_items: '{{ gitlab_runner__ssh_known_hosts }}'
+  when: gitlab_runner__ssh_known_hosts | d()
+  register: gitlab_runner__register_known_hosts
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Scan SSH fingerprints of specified hosts
+  ansible.builtin.shell: 'ssh-keyscan -H -T 10 {{ item.item }} >> {{ gitlab_runner__home + "/.ssh/known_hosts" }}'
+  with_items: '{{ gitlab_runner__register_known_hosts.results }}'
+  register: gitlab_runner__register_keyscan
+  changed_when: gitlab_runner__register_keyscan.changed | bool
+  when: gitlab_runner__ssh_known_hosts and item is defined and item.rc > 0
+  failed_when: False
+
+- name: Configure Vagrant libvirt access
+  ansible.builtin.user:
+    name: '{{ gitlab_runner__user }}'
+    append: True
+    groups: '{{ ([ansible_local.libvirtd.unix_sock_group
+                  if (ansible_local.libvirtd.unix_sock_group | d())
+                  else "libvirt"]
+                 + (["kvm"]
+                    if (ansible_local | d() and ansible_local.libvirtd | d() and
+                        (ansible_local.libvirtd.hw_virt | d()) | bool)
+                    else [])) | join(",") }}'
+  when: gitlab_runner__vagrant_libvirt | bool
+
+- name: Configure Vagrant libvirt sudo access
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/gitlab-runner-vagrant-libvirt.j2'
+    dest: '/etc/sudoers.d/gitlab-runner-vagrant-libvirt'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: (ansible_local | d() and ansible_local.sudo | d() and
+         (ansible_local.sudo.installed | d()) | bool and
+         gitlab_runner__vagrant_libvirt | bool)
+
+- name: Find 'vagrant-libvirt' source code
+  ansible.builtin.command: find /usr/share/rubygems-integration/all/gems -maxdepth 1 -type d -name 'vagrant-libvirt-*'
+  register: gitlab_runner__register_libvirt_source
+  when: gitlab_runner__vagrant_libvirt_patch | bool
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::gitlab_runner:patch' ]
+
+- name: Patch 'vagrant-libvirt' source code
+  ansible.posix.patch:
+    src: '{{ "patches/package_domain-keep-ssh-host-keys-"
+             + (item | basename | replace("vagrant-libvirt-", "")) + ".patch" }}'
+    basedir: '{{ item }}'
+    state: '{{ gitlab_runner__vagrant_libvirt_patch_state }}'
+  with_items: '{{ gitlab_runner__register_libvirt_source.stdout_lines }}'
+  when: gitlab_runner__vagrant_libvirt_patch | bool
+  tags: [ 'role::gitlab_runner:patch' ]
+
+- name: Configure Vagrant LXC sudo access
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/gitlab-runner-vagrant-lxc.j2'
+    dest: '/etc/sudoers.d/gitlab-runner-vagrant-lxc'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: (ansible_local | d() and ansible_local.sudo | d() and
+         (ansible_local.sudo.installed | d()) | bool and
+         gitlab_runner__vagrant_lxc | bool)
+
+- name: Make sure that Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save GitLab Runner local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/gitlab_runner.fact.j2'
+    dest: '/etc/ansible/facts.d/gitlab_runner.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/ansible/facts.d/gitlab_runner.fact.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/ansible/facts.d/gitlab_runner.fact.j2
new file mode 100644
index 00000000..532eab70
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/ansible/facts.d/gitlab_runner.fact.j2
@@ -0,0 +1,27 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import os
+
+output = {}
+state_file = '/etc/gitlab-runner/ansible.json'
+
+if os.path.isfile(state_file):
+    try:
+        fh = open(state_file)
+        output = load(fh)
+    except Exception:
+        pass
+
+output['installed'] = True
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/ansible.json.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/ansible.json.j2
new file mode 100644
index 00000000..ed5d257c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/ansible.json.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set gitlab_runner__tpl_instances = [] %}
+{% set gitlab_runner__tpl_instance_tokens = [] %}
+{% if gitlab_runner__register_new_instances | d() and gitlab_runner__register_new_instances.results %}
+{%   for item in gitlab_runner__register_new_instances.results %}
+{%     if item.item.name | d() and item.json | d() and item.json.id | d() and item.json.token | d() %}
+{%       set _ = gitlab_runner__tpl_instances.append(item.item.name) %}
+{%       set _ = gitlab_runner__tpl_instance_tokens.append({ "id": item.json.id, "name": item.item.name, "token": item.json.token }) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if ansible_local.gitlab_runner.instance_tokens | d() %}
+{%   for item in ansible_local.gitlab_runner.instance_tokens %}
+{%     if item.name not in gitlab_runner__tpl_instances %}
+{%       for element in (gitlab_runner__default_instances + gitlab_runner__instances + gitlab_runner__group_instances + gitlab_runner__host_instances) %}
+{%         if (item.name == element.name and (element.state is undefined or element.state != 'absent')) %}
+{%           set _ = gitlab_runner__tpl_instances.append(item.name) %}
+{%           set _ = gitlab_runner__tpl_instance_tokens.append({ "id": item.id, "name": item.name, "token": item.token }) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set output = {
+    "instance_tokens": gitlab_runner__tpl_instance_tokens,
+    "instances": gitlab_runner__tpl_instances
+} %}
+{{ output | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/config.toml.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/config.toml.j2
new file mode 100644
index 00000000..73b03ca1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/gitlab-runner/config.toml.j2
@@ -0,0 +1,474 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+concurrent = {{ gitlab_runner__concurrent }}
+{% if gitlab_runner__metrics_server | d() %}
+metrics_server = "{{ gitlab_runner__metrics_server }}"
+{% endif %}
+
+{% set gitlab_runner__tpl_instances = [] %}
+{% set gitlab_runner__tpl_instance_tokens = [] %}
+{% if gitlab_runner__register_new_instances | d() and gitlab_runner__register_new_instances.results %}
+{%   for item in gitlab_runner__register_new_instances.results %}
+{%     if item.item.name | d() and item.json | d() and item.json.token | d() %}
+{%       set _ = gitlab_runner__tpl_instances.append(item.item.name) %}
+{%       set _ = gitlab_runner__tpl_instance_tokens.append({ "name": item.item.name, "token": item.json.token }) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if ansible_local.gitlab_runner.instance_tokens | d() %}
+{%   for item in ansible_local.gitlab_runner.instance_tokens %}
+{%     if item.name not in gitlab_runner__tpl_instances %}
+{%       for element in (gitlab_runner__default_instances + gitlab_runner__instances + gitlab_runner__group_instances + gitlab_runner__host_instances) %}
+{%         if (item.name == element.name and (element.state is undefined or element.state != 'absent')) %}
+{%           set _ = gitlab_runner__tpl_instances.append(item.name) %}
+{%           set _ = gitlab_runner__tpl_instance_tokens.append({ "name": item.name, "token": item.token }) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% for runner in (gitlab_runner__default_instances + gitlab_runner__instances + gitlab_runner__group_instances + gitlab_runner__host_instances) %}
+{%   set gitlab_runner__tpl_token = [] %}
+{%   for item in gitlab_runner__tpl_instance_tokens %}
+{%     if runner.name == item.name and item.token %}
+{%       set _ = gitlab_runner__tpl_token.append(item.token) %}
+{%     endif %}
+{%   endfor %}
+{%   if ((runner.state is undefined or runner.state != 'absent') and gitlab_runner__tpl_token) %}
+[[runners]]
+  name = "{{ runner.name }}"
+  url = "{{ runner.api_url | d(gitlab_runner__api_url) }}"
+  token = "{{ gitlab_runner__tpl_token[0] }}"
+{%     set gitlab_runner__tpl_environment = [] %}
+{%     if gitlab_runner__environment is mapping %}
+{%       for key, value in gitlab_runner__environment.items() %}
+{%         set _ = gitlab_runner__tpl_environment.append(key + "=" + value) %}
+{%       endfor %}
+{%     elif gitlab_runner__environment is string %}
+{%       set _ = gitlab_runner__tpl_environment.append(gitlab_runner__environment) %}
+{%     else %}
+{%       for element in gitlab_runner__environment %}
+{%         set _ = gitlab_runner__tpl_environment.append(element) %}
+{%       endfor %}
+{%     endif %}
+{%     if runner.environment | d() %}
+{%       if runner.environment is mapping %}
+{%         for key, value in runner.environment.items() %}
+{%           set _ = gitlab_runner__tpl_environment.append(key + "=" + value) %}
+{%         endfor %}
+{%       elif runner.environment is string %}
+{%         set _ = gitlab_runner__tpl_environment.append(runner.environment) %}
+{%       else %}
+{%         for element in runner.environment %}
+{%           set _ = gitlab_runner__tpl_environment.append(element) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     if gitlab_runner__tpl_environment %}
+  environment = [ "{{ gitlab_runner__tpl_environment | join('", "') }}" ]
+{%     endif %}
+{%     if runner.tls_ca_file | d() %}
+  tls-ca-file = "{{ runner.tls_ca_file }}"
+{%     endif %}
+{%     if runner.shell | d() %}
+  shell = "{{ runner.shell }}"
+{%     endif %}
+{%     if runner.limit | d() %}
+  limit = {{ runner.limit }}
+{%     endif %}
+{%     if runner.output_limit | d() %}
+  output_limit = {{ runner.output_limit }}
+{%     endif %}
+{%     if runner.pre_clone_script | d() %}
+  pre_clone_script = '''
+{{ runner.pre_clone_script | indent(4, true) | regex_replace("((?m)^\s*$|\n$)", "") }}
+  '''
+{%     endif %}
+{%     if runner.pre_build_script | d() %}
+  pre_build_script = '''
+{{ runner.pre_build_script | indent(4, true) | regex_replace("((?m)^\s*$|\n$)", "") }}
+  '''
+{%     endif %}
+{%     if runner.post_build_script | d() %}
+  post_build_script = '''
+{{ runner.post_build_script | indent(4, true) | regex_replace("((?m)^\s*$|\n$)", "") }}
+  '''
+{%     endif %}
+{%     if runner.builds_dir | d() %}
+  builds_dir = "{{ runner.builds_dir }}"
+{%     endif %}
+{%     if runner.cache_dir | d() %}
+  cache_dir = "{{ runner.cache_dir }}"
+{%     endif %}
+{%     if runner.disable_verbose | d() %}
+  disable_verbose = {{ runner.disable_verbose | bool | lower }}
+{%     endif %}
+  executor = "{{ runner.executor | d(gitlab_runner__executor) }}"
+{%     if ((runner.executor | d() and runner.executor in [ 'docker', 'docker-ssh', 'docker+machine', 'docker-ssh+machine' ]) or
+           (gitlab_runner__executor in [ 'docker', 'docker-ssh', 'docker+machine', 'docker-ssh+machine' ])) %}
+  [runners.docker]
+    image = "{{ runner.docker_image | d(gitlab_runner__docker_image) }}"
+    privileged = {{ (runner.docker_privileged | d(gitlab_runner__docker_privileged)) | bool | lower }}
+    disable_cache = {{ (runner.docker_disable_cache | d(gitlab_runner__docker_disable_cache)) | bool | lower }}
+{%       if (runner.docker_cache_dir | d() or gitlab_runner__docker_cache_dir) %}
+    cache_dir = "{{ runner.docker_cache_dir | d(gitlab_runner__docker_cache_dir) }}"
+{%       endif %}
+{%       if (runner.docker_host | d() or gitlab_runner__docker_host) %}
+    host = "{{ runner.docker_host | d(gitlab_runner__docker_host) }}"
+{%       endif %}
+{%       if runner.docker_hostname | d() %}
+    hostname = "{{ runner.docker_hostname }}"
+{%       endif %}
+{%       if (runner.docker_tls_cert_path | d() or gitlab_runner__docker_tls_cert_path) %}
+    tls_cert_path = "{{ runner.docker_tls_cert_path | d(gitlab_runner__docker_tls_cert_path) }}"
+{%       endif %}
+{%       if runner.docker_tls_verify is defined %}
+    tls_verify = {{ runner.docker_tls_verify | bool | lower }}
+{%       endif %}
+{%       if runner.docker_memory is defined %}
+    memory = "{{ runner.docker_memory }}"
+{%       endif %}
+{%       if runner.docker_memory_swap is defined %}
+    memory_swap = "{{ runner.docker_memory_swap }}"
+{%       endif %}
+{%       if runner.docker_memory_reservation is defined %}
+    memory_reservation = "{{ runner.docker_memory_reservation }}"
+{%       endif %}
+{%       if runner.docker_oom_kill_disable is defined %}
+    oom_kill_disable = {{ runner.docker_oom_kill_disable | bool | lower }}
+{%       endif %}
+{%       if runner.docker_oom_score_adjust is defined %}
+    oom_score_adjust = {{ runner.docker_oom_score_adjust }}
+{%       endif %}
+{%       if runner.docker_cpuset_cpus is defined %}
+    cpuset_cpus = "{{ runner.docker_cpuset_cpus }}"
+{%       endif %}
+{%       if runner.docker_cpu_shares is defined %}
+    cpu_shares = {{ runner.docker_cpu_shares }}
+{%       endif %}
+{%       if runner.docker_cpus is defined %}
+    cpus = "{{ runner.docker_cpus }}"
+{%       endif %}
+{%       if runner.docker_disable_entrypoint_overwrite is defined %}
+    disable_entrypoint_overwrite = {{ runner.docker_disable_entrypoint_overwrite | bool | lower }}
+{%       endif %}
+{%       if runner.docker_shm_size is defined %}
+    shm_size = {{ runner.docker_shm_size }}
+{%       endif %}
+{%       if runner.docker_wait_for_services_timeout | d() %}
+    wait_for_services_timeout = {{ runner.docker_wait_for_services_timeout }}
+{%       endif %}
+{%       if runner.docker_image_ttl | d() %}
+    image_ttl = {{ runner.docker_image_ttl }}
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_cap_add = [] %}
+{%       if gitlab_runner__docker_cap_add %}
+{%         if gitlab_runner__docker_cap_add is string %}
+{%           set _ = gitlab_runner__tpl_docker_cap_add.append(gitlab_runner__docker_cap_add) %}
+{%         else %}
+{%           for capability in gitlab_runner__docker_cap_add %}
+{%             set _ = gitlab_runner__tpl_docker_cap_add.append(capability) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_cap_add | d() %}
+{%         if runner.docker_cap_add is string %}
+{%           set _ = gitlab_runner__tpl_docker_cap_add.append(runner.docker_cap_add) %}
+{%         else %}
+{%           for capability in runner.docker_cap_add %}
+{%             set _ = gitlab_runner__tpl_docker_cap_add.append(capability) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_cap_add %}
+    cap_add = [ "{{ gitlab_runner__tpl_docker_cap_add | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_cap_drop = [] %}
+{%       if gitlab_runner__docker_cap_drop %}
+{%         if gitlab_runner__docker_cap_drop is string %}
+{%           set _ = gitlab_runner__tpl_docker_cap_drop.append(gitlab_runner__docker_cap_drop) %}
+{%         else %}
+{%           for capability in gitlab_runner__docker_cap_drop %}
+{%             set _ = gitlab_runner__tpl_docker_cap_drop.append(capability) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_cap_drop | d() %}
+{%         if runner.docker_cap_drop is string %}
+{%           set _ = gitlab_runner__tpl_docker_cap_drop.append(runner.docker_cap_drop) %}
+{%         else %}
+{%           for capability in runner.docker_cap_drop %}
+{%             set _ = gitlab_runner__tpl_docker_cap_drop.append(capability) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_cap_drop %}
+    cap_drop = [ "{{ gitlab_runner__tpl_docker_cap_drop | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_devices = [] %}
+{%       if gitlab_runner__docker_devices %}
+{%         if gitlab_runner__docker_devices is string %}
+{%           set _ = gitlab_runner__tpl_docker_devices.append(gitlab_runner__docker_devices) %}
+{%         else %}
+{%           for device in gitlab_runner__docker_devices %}
+{%             set _ = gitlab_runner__tpl_docker_devices.append(device) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_devices | d() %}
+{%         if runner.docker_devices is string %}
+{%           set _ = gitlab_runner__tpl_docker_devices.append(runner.docker_devices) %}
+{%         else %}
+{%           for device in runner.docker_devices %}
+{%             set _ = gitlab_runner__tpl_docker_devices.append(device) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_devices %}
+    devices = [ "{{ gitlab_runner__tpl_docker_devices | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_extra_hosts = [] %}
+{%       if gitlab_runner__docker_extra_hosts %}
+{%         if gitlab_runner__docker_extra_hosts is string %}
+{%           set _ = gitlab_runner__tpl_docker_extra_hosts.append(gitlab_runner__docker_extra_hosts) %}
+{%         else %}
+{%           for host in gitlab_runner__docker_extra_hosts %}
+{%             set _ = gitlab_runner__tpl_docker_extra_hosts.append(host) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_extra_hosts | d() %}
+{%         if runner.docker_extra_hosts is string %}
+{%           set _ = gitlab_runner__tpl_docker_extra_hosts.append(runner.docker_extra_hosts) %}
+{%         else %}
+{%           for host in runner.docker_extra_hosts %}
+{%             set _ = gitlab_runner__tpl_docker_extra_hosts.append(host) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_extra_hosts %}
+    extra_hosts = [ "{{ gitlab_runner__tpl_docker_extra_hosts | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_links = [] %}
+{%       if gitlab_runner__docker_links %}
+{%         if gitlab_runner__docker_links is string %}
+{%           set _ = gitlab_runner__tpl_docker_links.append(gitlab_runner__docker_links) %}
+{%         else %}
+{%           for link in gitlab_runner__docker_links %}
+{%             set _ = gitlab_runner__tpl_docker_links.append(link) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_links | d() %}
+{%         if runner.docker_links is string %}
+{%           set _ = gitlab_runner__tpl_docker_links.append(runner.docker_links) %}
+{%         else %}
+{%           for link in runner.docker_links %}
+{%             set _ = gitlab_runner__tpl_docker_links.append(link) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_links %}
+    links = [ "{{ gitlab_runner__tpl_docker_links | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_services = [] %}
+{%       if gitlab_runner__docker_services %}
+{%         if gitlab_runner__docker_services is string %}
+{%           set _ = gitlab_runner__tpl_docker_services.append(gitlab_runner__docker_services) %}
+{%         else %}
+{%           for service in gitlab_runner__docker_services %}
+{%             set _ = gitlab_runner__tpl_docker_services.append(service) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_services | d() %}
+{%         if runner.docker_services is string %}
+{%           set _ = gitlab_runner__tpl_docker_services.append(runner.docker_services) %}
+{%         else %}
+{%           for service in runner.docker_services %}
+{%             set _ = gitlab_runner__tpl_docker_services.append(service) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_services %}
+    services = [ "{{ gitlab_runner__tpl_docker_services | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_volumes = [] %}
+{%       if gitlab_runner__docker_volumes %}
+{%         if gitlab_runner__docker_volumes is string %}
+{%           set _ = gitlab_runner__tpl_docker_volumes.append(gitlab_runner__docker_volumes) %}
+{%         else %}
+{%           for volume in gitlab_runner__docker_volumes %}
+{%             set _ = gitlab_runner__tpl_docker_volumes.append(volume) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_volumes | d() %}
+{%         if runner.docker_volumes is string %}
+{%           set _ = gitlab_runner__tpl_docker_volumes.append(runner.docker_volumes) %}
+{%         else %}
+{%           for volume in runner.docker_volumes %}
+{%             set _ = gitlab_runner__tpl_docker_volumes.append(volume) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_volumes %}
+    volumes = [ "{{ gitlab_runner__tpl_docker_volumes | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_allowed_images = [] %}
+{%       if gitlab_runner__docker_allowed_images %}
+{%         if gitlab_runner__docker_allowed_images is string %}
+{%           set _ = gitlab_runner__tpl_docker_allowed_images.append(gitlab_runner__docker_allowed_images) %}
+{%         else %}
+{%           for image in gitlab_runner__docker_allowed_images %}
+{%             set _ = gitlab_runner__tpl_docker_allowed_images.append(image) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_allowed_images | d() %}
+{%         if runner.docker_allowed_images is string %}
+{%           set _ = gitlab_runner__tpl_docker_allowed_images.append(runner.docker_allowed_images) %}
+{%         else %}
+{%           for image in runner.docker_allowed_images %}
+{%             set _ = gitlab_runner__tpl_docker_allowed_images.append(image) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_allowed_images %}
+    allowed_images = [ "{{ gitlab_runner__tpl_docker_allowed_images | join('", "') }}" ]
+{%       endif %}
+{%       set gitlab_runner__tpl_docker_allowed_services = [] %}
+{%       if gitlab_runner__docker_allowed_services %}
+{%         if gitlab_runner__docker_allowed_services is string %}
+{%           set _ = gitlab_runner__tpl_docker_allowed_services.append(gitlab_runner__docker_allowed_services) %}
+{%         else %}
+{%           for service in gitlab_runner__docker_allowed_services %}
+{%             set _ = gitlab_runner__tpl_docker_allowed_services.append(service) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if runner.docker_allowed_services | d() %}
+{%         if runner.docker_allowed_services is string %}
+{%           set _ = gitlab_runner__tpl_docker_allowed_services.append(runner.docker_allowed_services) %}
+{%         else %}
+{%           for service in runner.docker_allowed_services %}
+{%             set _ = gitlab_runner__tpl_docker_allowed_services.append(service) %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if gitlab_runner__tpl_docker_allowed_services %}
+    allowed_services = [ "{{ gitlab_runner__tpl_docker_allowed_services | join('", "') }}" ]
+{%       endif %}
+{%       if runner.docker_pull_policy | d() %}
+    pull_policy = "{{ runner.docker_pull_policy }}"
+{%       endif %}
+{%       if runner.docker_tmpfs | d() %}
+    [runners.docker.tmpfs]
+{%         for directory, options in runner.docker_tmpfs.items() %}
+      "{{ directory }}" = "{{ options }}"
+{%         endfor %}
+{%       endif %}
+{%       if runner.docker_services_tmpfs | d() %}
+    [runners.docker.services_tmpfs]
+{%         for directory, options in runner.docker_services_tmpfs.items() %}
+      "{{ directory }}"= "{{ options }}"
+{%         endfor %}
+{%       endif %}
+{%    endif %}
+{%     if ((runner.executor | d() and runner.executor in [ 'parallels' ]) or
+           (gitlab_runner__executor in [ 'parallels' ])) %}
+  [runners.parallels]
+    base_name = "{{ runner.parallels_base_name }}"
+{%       if runner.parallels_template_name | d() %}
+    template_name = "{{ runner.parallels_template_name }}"
+{%       endif %}
+{%       if runner.parallels_disable_snapshots | d() %}
+    disable_snapshots = {{ runner.parallels_disable_snapshots | bool | lower }}
+{%       endif %}
+{%     endif %}
+{%     if ((runner.executor | d() and runner.executor in [ 'virtualbox' ]) or
+           (gitlab_runner__executor in [ 'virtualbox' ])) %}
+  [runners.virtualbox]
+    base_name = "{{ runner.virtualbox_base_name }}"
+{%       if runner.virtualbox_disable_snapshots | d() %}
+    disable_snapshots = {{ runner.virtualbox_disable_snapshots | bool | lower }}
+{%       endif %}
+{%     endif %}
+{%     if ((runner.executor | d() and runner.executor in [ 'ssh', 'docker-ssh', 'docker-ssh+machine', 'parallels', 'virtualbox' ]) or
+           (gitlab_runner__executor in [ 'ssh', 'docker-ssh', 'docker-ssh+machine', 'parallels', 'virtualbox' ])) %}
+  [runners.ssh]
+    host = "{{ runner.ssh_host | d(gitlab_runner__ssh_host) }}"
+    port = "{{ runner.ssh_port | d(gitlab_runner__ssh_port) }}"
+    user = "{{ runner.ssh_user | d(gitlab_runner__ssh_user) }}"
+{%       if (runner.ssh_password | d() or gitlab_runner__ssh_password) %}
+    password = "{{ runner.ssh_password | d(gitlab_runner__ssh_password) }}"
+{%       endif %}
+{%       if (runner.ssh_identity_file | d() or gitlab_runner__ssh_identity_file) %}
+    identity_file = "{{ runner.ssh_identity_file | d(gitlab_runner__ssh_identity_file) }}"
+{%       endif %}
+{%     endif %}
+{%     if ((runner.executor | d() and runner.executor in [ 'docker+machine', 'docker-ssh+machine' ]) or
+           (gitlab_runner__executor in [ 'docker+machine', 'docker-ssh+machine' ])) %}
+  [runners.machine]
+    IdleCount = {{ runner.machine_idle_count | d(gitlab_runner__machine_idle_count) }}
+    IdleTime = {{ runner.machine_idle_time | d(gitlab_runner__machine_idle_time) }}
+    MaxBuilds = {{ runner.machine_max_builds | d(gitlab_runner__machine_max_builds) }}
+    MachineName = "{{ runner.machine_name | d(gitlab_runner__machine_name) }}"
+    MachineDriver = "{{ runner.machine_driver | d(gitlab_runner__machine_driver) }}"
+    {% if runner.machine_offpeakperiods | d() or gitlab_runner__machine_offpeakperiods %}
+     OffPeakPeriods = [
+         {%         if runner.machine_offpeakperiods | d() %}
+         {%           for offpeakperiod in runner.machine_offpeakperiods %}
+               "{{ offpeakperiod }}"{% if not loop.last %},
+         {% endif %}
+         {%           endfor %}
+         {%         else %}
+         {%           for offpeakperiod in gitlab_runner__machine_offpeakperiods %}
+               "{{ offpeakperiod }}"{% if not loop.last %},
+         {% endif %}
+         {%           endfor %}
+         {%         endif %}
+     ]
+ {% endif %}
+ {% if runner.machine_offpeakidlecount | d() or gitlab_runner__machine_offpeakidlecount %}
+     OffPeakIdleCount = {{ runner.machine_offpeakidlecount | d(gitlab_runner__machine_offpeakidlecount) }}
+ {% endif %}
+ {% if runner.machine_offpeakidletime | d() or gitlab_runner__machine_offpeakidletime %}
+     OffPeakIdleTime = {{ runner.machine_offpeakidletime | d(gitlab_runner__machine_offpeakidletime) }}
+ {% endif %}
+{%       if runner.machine_options | d() or gitlab_runner__machine_options %}
+    MachineOptions = [
+{%         if runner.machine_options | d() %}
+{%           for option in runner.machine_options %}
+      "{{ option }}"{% if not loop.last %},
+{% endif %}
+{%           endfor %}
+{%         else %}
+{%           for option in gitlab_runner__machine_options %}
+      "{{ option }}"{% if not loop.last %},
+{% endif %}
+{%           endfor %}
+{%         endif %}
+
+    ]
+{%       endif %}
+{%     endif %}
+{%     if ((runner.cache | d() and runner.cache | bool) or gitlab_runner__cache | bool) %}
+  [runners.cache]
+    Type = "{{ runner.cache_type | d(gitlab_runner__cache_type) }}"
+    Shared = {{ (runner.cache_shared | d(gitlab_runner__cache_shared)) | bool | lower }}
+    [runners.cache.s3]
+      ServerAddress = "{{ runner.cache_server_address | d(gitlab_runner__cache_server_address) }}"
+      AccessKey = "{{ runner.cache_access_key | d(gitlab_runner__cache_access_key) }}"
+      SecretKey = "{{ runner.cache_secret_key | d(gitlab_runner__cache_secret_key) }}"
+      BucketName = "{{ runner.cache_bucket_name | d(gitlab_runner__cache_bucket_name) }}"
+      BucketLocation = "{{ runner.cache_bucket_location | d(gitlab_runner__cache_bucket_location) }}"
+      Insecure = {{ (runner.cache_insecure | d(gitlab_runner__cache_insecure)) | bool | lower }}
+{%     endif %}
+
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-libvirt.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-libvirt.j2
new file mode 100644
index 00000000..e6bbe816
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-libvirt.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# vagrant-libvirt requires access to the libvirt image files to be able to
+# package them as boxes. This command allows to grant that access from an
+# unprivileged user account.
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env chmod a+r /var/lib/libvirt/images/*.img
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-lxc.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-lxc.j2
new file mode 100644
index 00000000..61b73573
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/etc/sudoers.d/gitlab-runner-vagrant-lxc.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# lxc
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-ls
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-info *
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-config *
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-attach *
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env which lxc-*
+
+# vagrant-lxc (startup)
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env cat /var/lib/lxc/*/config
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-start -d --name *
+
+# vagrant-lxc (create)
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-create --version
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-create -B * --template * --name * -- --tarball {{ gitlab_runner__home }}/.vagrant.d/boxes/* --config {{ gitlab_runner__home }}/.vagrant.d/boxes/*
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env tar --numeric-owner -cvzf /tmp/*/rootfs.tar.gz -C /var/lib/lxc/* ./rootfs
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env cp -f /tmp/lxc-config* /var/lib/lxc/*/config
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env chown root\:root /var/lib/lxc/*/config
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env chown *\:* /tmp/*/rootfs.tar.gz
+
+# vagrant-lxc (shutdown & destroy)
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-shutdown --name *
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-stop --name *
+{{ gitlab_runner__user }}   ALL=(root) NOPASSWD: /usr/bin/env lxc-destroy --name *
diff --git a/ansible_collections/debops/debops/roles/gitlab_runner/templates/lookup/gitlab_runner__shell_tags.j2 b/ansible_collections/debops/debops/roles/gitlab_runner/templates/lookup/gitlab_runner__shell_tags.j2
new file mode 100644
index 00000000..807bc168
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitlab_runner/templates/lookup/gitlab_runner__shell_tags.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [ 'shell' ] %}
+{% set _ = output.append(ansible_pkg_mgr) %}
+{% set _ = output.append(ansible_service_mgr) %}
+{% set _ = output.append(ansible_system | lower) %}
+{% if (ansible_local | d() and ansible_local.tags | d()) %}
+{%   set _ = output.extend(ansible_local.tags) %}
+{% endif %}
+{% if (ansible_local | d() and ansible_local.docker_server | d() and
+       (ansible_local.docker_server.installed | d()) | bool) %}
+{%   set _ = output.append('docker-host') %}
+{% endif %}
+{% if (ansible_local | d() and ansible_local.lxc | d() and
+       (ansible_local.lxc.installed | d()) | bool) %}
+{%   set _ = output.append('lxc-host') %}
+{% endif %}
+{% if gitlab_runner__vagrant_libvirt | bool %}
+{%   set _ = output.extend([ 'vagrant', 'vagrant-vm', 'vagrant-libvirt' ]) %}
+{% endif %}
+{% if gitlab_runner__vagrant_lxc | bool %}
+{%   set _ = output.extend([ 'vagrant', 'vagrant-lxc' ]) %}
+{% endif %}
+{% set _ = output.append(ansible_local.core.distribution | d(ansible_distribution) | lower) %}
+{% set _ = output.append(ansible_local.core.distribution_release | d(ansible_distribution_release) | lower) %}
+{% if ansible_virtualization_type not in [ 'NA' ] %}
+{%   set _ = output.append(ansible_virtualization_type + '-' + ansible_virtualization_role) %}
+{% endif %}
+{% if (ansible_local | d() and ansible_local.libvirtd | d() and (ansible_local.libvirtd.hw_virt | d()) | bool) %}
+{%   set _ = output.append('hw-virt') %}
+{% endif %}
+{% if (ansible_memtotal_mb | int > 2048) %}
+{%   set _ = output.append('mem-2GB') %}
+{% endif %}
+{% if (ansible_memtotal_mb | int > 3072) %}
+{%   set _ = output.append('mem-3GB') %}
+{% endif %}
+{% if (ansible_memtotal_mb | int > 4096) %}
+{%   set _ = output.append('mem-4GB') %}
+{% endif %}
+{% if (ansible_memtotal_mb | int > 6144) %}
+{%   set _ = output.append('mem-6GB') %}
+{% endif %}
+{% if (ansible_memtotal_mb | int > 8192) %}
+{%   set _ = output.append('mem-8GB') %}
+{% endif %}
+{% set _ = output.append('amd64' if (ansible_architecture == 'x86_64') else ansible_architecture) %}
+{{ output | unique }}
diff --git a/ansible_collections/debops/debops/roles/gitusers/COPYRIGHT b/ansible_collections/debops/debops/roles/gitusers/COPYRIGHT
new file mode 100644
index 00000000..70032639
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.gitusers - Manage git-based deployment accounts
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/gitusers/defaults/main.yml b/ansible_collections/debops/debops/roles/gitusers/defaults/main.yml
new file mode 100644
index 00000000..f24dcf9e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/defaults/main.yml
@@ -0,0 +1,158 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _gitusers__ref_defaults:
+
+# debops.gitusers default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# --- An example account entry, everything except 'name' is optional
+# List of all recognized values, default value listed first
+#
+#  - name: 'username'               # mandatory, default group if not defined
+#    state: 'present,absent'
+#    group: 'name'                  # default group
+#    groups: []                     # list of groups to set
+#    append: yes/no                 # add to, or set groups
+#    gid: ''
+#    uid: ''
+#    comment: 'GECOS entry'
+#    systemuser: False/True         # create system user
+#    systemgroup: False/True        # create system group
+#
+#    domain: '{{ ansible_domain }}' # for git users
+#
+#    # Create ~/.forward file (set to False to remove ~/.forward)
+#    forward: [ 'user@domain', 'account' ]
+#
+#    # Add or disable ssh authorized keys (set to False to remove ~/.ssh/authorized_keys
+#    sshkeys: [ 'list', 'of', 'keys' ]
+#
+#    # List of permissions for a particular user account
+#    permissions: [ 'deploy' ]
+
+
+# --- Lists of different accounts to create/manage ---
+
+# .. envvar:: gitusers_list [[[
+#
+# "Global" users
+gitusers_list: []
+
+                                                                   # ]]]
+# .. envvar:: gitusers_group_list [[[
+#
+# "Host group" users
+gitusers_group_list: []
+
+                                                                   # ]]]
+# .. envvar:: gitusers_host_list [[[
+#
+# "Host" users
+gitusers_host_list: []
+
+                                                                   # ]]]
+# --- Global defaults ---
+
+# .. envvar:: gitusers_name_suffix [[[
+#
+# Add a suffix to an account name, for example '-git'
+gitusers_name_suffix: ""
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_shell [[[
+#
+# Shell enforced on all git-shell accounts
+gitusers_default_shell: '/usr/bin/git-shell'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_groups_list [[[
+#
+# List of groups git-shell users belong to (git-shell requires SSH access)
+gitusers_default_groups_list: [ 'sshusers' ]
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_groups_append [[[
+#
+# Should default groups be added to, or replace current user groups? Set to
+# 'no' to enforce your preferred list of groups
+gitusers_default_groups_append: 'yes'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_home_prefix [[[
+#
+# Directory where git-shell user home will be created
+gitusers_default_home_prefix: '{{ (ansible_local.fhs.data | d("/srv"))
+                                  + "/gitusers" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_home_mode [[[
+#
+# Unix permissions enforced on users home directories
+gitusers_default_home_mode: '0750'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_git_scripts [[[
+#
+# Main location of gitusers scripts
+gitusers_git_scripts: '{{ (ansible_local.fhs.home | d("/var/local"))
+                          + "/gitusers" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_www_prefix [[[
+#
+# Path to directory where websites are stored
+gitusers_default_www_prefix: '{{ ansible_local.nginx.www if (ansible_local is defined and ansible_local.nginx is defined and ansible_local.nginx.www is defined) else "/srv/www" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_www_group [[[
+#
+# System group which should be allowed access to website directory
+gitusers_default_www_group: '{{ ansible_local.nginx.user if (ansible_local is defined and ansible_local.nginx is defined and ansible_local.nginx.user is defined) else "www-data" }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_domain [[[
+#
+# What domain should git users use for publishing websites
+gitusers_default_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_user_domain [[[
+#
+# Domain used for userdir repositories
+gitusers_default_user_domain: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_permissions [[[
+#
+# List of default permissions for users that don't have specific
+# 'item.permissions' key set. Known permissions:
+# - ``deploy``: allow execution of custom ./deploy script in repository
+gitusers_default_permissions: []
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_hook_list [[[
+#
+# Default set of git hooks installed in a new repository
+gitusers_default_hook_list: 'jekyll'
+
+                                                                   # ]]]
+# .. envvar:: gitusers_default_hooks [[[
+#
+# A map of git hooks that can be installed in a repository by users via 'init'
+# command
+gitusers_default_hooks:
+  'jekyll':    [ 'post-receive.d/00_checkout', 'post-checkout.d/00_submodule', 'post-checkout.d/jekyll' ]
+  'deploy':    [ 'post-receive.d/00_checkout', 'post-checkout.d/00_submodule', 'post-checkout.d/deploy' ]
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/functions.sh b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/functions.sh
new file mode 100644
index 00000000..1a6ef0a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/functions.sh
@@ -0,0 +1,17 @@
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Helper function which checks if a given element is in array
+in_array () {
+    local array="$1[@]"
+    local seeking=$2
+    local in=1
+    for element in "${!array}"; do
+        if [[ $element == $seeking ]]; then
+        in=0
+        break
+    fi
+    done
+    return $in
+}
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/bare b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/bare
new file mode 100755
index 00000000..a5dc330b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/bare
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Convert <repository> to bare repository (no work directory)
+EOF
+    exit 1
+fi
+
+# Sanitize repository name
+repository="${1//[^a-zA-Z0-9\.\/\_-]/}"
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+if [ -d "${project}" ] ; then
+    cd "${HOME}/${project}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
+
+set +e
+worktree="$(git config --get core.worktree)"
+denybranch="$(git config --get receive.denyCurrentBranch)"
+set -e
+
+if [ -n "${worktree}" ] ; then
+    if [ -d "${worktree}" ] ; then
+        rm -rf "${worktree}"
+        echo "Work directory of ${repository} deleted"
+    fi
+    git config --unset-all core.worktree
+fi
+
+git config deploy.bare true
+git config core.bare true
+
+if [ -n "${denybranch}" ] ; then
+    git config --unset-all receive.denyCurrentBranch
+fi
+
+echo "Repository ${repository} is now bare"
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/checkout b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/checkout
new file mode 100755
index 00000000..dbae891e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/checkout
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+checkout_command="hooks/post-receive.d/00_checkout"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository> [branch]
+
+Check out <repository> to current work tree from master branch or [branch]
+If [branch] is specified, set it as default branch
+After checkout, run post-checkout hooks
+EOF
+    exit 1
+fi
+
+# Sanitize repository name
+repository="${1//[^a-zA-Z0-9\.\/\_-]/}"
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+# Sanitize branch name
+branch="${2//[^a-zA-Z0-9\.\_-]/}"
+
+if [ -d "${project}" ] ; then
+    cd "${HOME}/${project}"
+
+    set +e
+    currentworktree="$(git config deploy.worktree)"
+    currentbranch="$(git config deploy.branch)"
+    currentbare="$(git config deploy.bare)"
+    set -e
+
+    if [ -z "${currentbranch}" ] ; then
+        echo "Error: No branches present" && exit 1
+    fi
+
+    if [ -n "${branch}" ] ; then
+        if git show-ref --verify --quiet "refs/heads/${branch}" ; then
+            git config deploy.branch "${branch}"
+            git config deploy.ref "refs/heads/${branch}"
+            echo "Branch '${branch}' set as default"
+        else
+            echo "Error: Branch '${branch}' not found" && exit 1
+        fi
+    else
+        branch="${currentbranch}"
+    fi
+
+    if [ -z "${currentworktree}" ] ; then
+        echo "Error: No work directory specified" && exit 1
+    fi
+
+    currentrev="$(git rev-parse "refs/heads/${currentbranch}")"
+    newrev="$(git rev-parse "refs/heads/${branch}")"
+    if [ -x "${checkout_command}" ] ; then
+        if [ -n "${currentbare}" ] && [ "${currentbare}" = "true" ] ; then
+            echo "Converting repository from bare to normal"
+        fi
+        git config deploy.bare false
+        echo "${currentrev} ${newrev} refs/heads/${branch}" | ${checkout_command}
+    fi
+
+else
+    echo "Error: No repository named ${repository}" && exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/clean b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/clean
new file mode 100755
index 00000000..08714866
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/clean
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+# Directory where public contents are stored
+gitusers_data="$(git config --global --get gitusers.data)"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Delete everything in the public directory of <repository>
+EOF
+    exit 1
+fi
+
+# Sanitize repository name
+repository="${1//[^a-zA-Z0-9\.\/\_-]/}"
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+if [ -d "${project}" ] ; then
+    cd "${HOME}/${project}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
+
+set +e
+public="$(git config --get deploy.public)"
+snapshot="$(git config --get deploy.snapshot)"
+set -e
+
+if [ -z "${snapshot}" ] && [ -n "${public}" ] ; then
+    if [ "${public##"$gitusers_data"}" != "${public}" ] ; then
+
+        if [ -d "${public}" ] ; then
+            rm -rf "${public}"
+            echo "Public directory '${public}' cleaned"
+        else
+            echo "Error: Public directory '${public}' does not exist" && exit 1
+        fi
+    else
+        echo "Error: Public directory '${public}' is outside of allowed path" && exit 1
+    fi
+elif [ -n "${snapshot}" ] ; then
+    echo "Error: ${repository} is a snapshot repository, aborting" && exit 1
+else
+    echo "Public directory is not configured"
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/drop b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/drop
new file mode 100755
index 00000000..0bc92fa1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/drop
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Delete <repository>
+EOF
+    exit 1
+fi
+
+# Sanitize repository name
+repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+if [ -d "${project}" ] ; then
+    cd "${HOME}/${project}"
+
+    set +e
+    worktree=$(git config --get deploy.worktree)
+    public=$(git config --get deploy.public)
+    snapshot=$(git config --get deploy.snapshot)
+    set -e
+
+    cd "${HOME}"
+
+    if [ -z "${snapshot}" ] && [ -n "${public}" ] && [ -d "${public}" ] ; then
+        echo "Removing public directory ${public}"
+        rm -rf "${public}"
+    fi
+    if [ -n "${worktree}" ] && [ -d "${worktree}" ] ; then
+        if [ -n "${snapshot}" ] ; then
+            echo "Removing snapshot link in ${worktree}"
+            test -f "${public}/.git" && rm -f "${worktree}/.git"
+        else
+            echo "Removing work directory ${worktree}"
+            rm -rf "${worktree}"
+        fi
+    fi
+    echo "Removing repository ${HOME}/${project}"
+    rm -rf "${HOME:?}/${project:?}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/help b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/help
new file mode 100755
index 00000000..b7f8a5e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/help
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+if tty -s ; then
+    if [ -r "${HOME}/.motd" ] ; then
+        cat "${HOME}/.motd"
+    fi
+    echo "Run '<command>' for help, or 'exit' to leave.  Available commands:"
+else
+    echo "Run '<command>' for help.  Available commands:"
+fi
+
+cd "$(dirname "$0")" || exit
+
+for cmd in * ; do
+    case "$cmd" in
+    help) ;;
+    *) [ -f "$cmd" ] && [ -x "$cmd" ] && echo "$cmd" ;;
+    esac
+done
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/info b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/info
new file mode 100755
index 00000000..02568850
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/info
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+userdomain="$(git config --global --get gitusers.userdir.domain)"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Shows status of a given repository
+EOF
+    exit 1
+fi
+
+if [ -n "${1}" ] ; then
+    # Sanitize repository name
+    repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+    project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+else
+    echo "Error: No repository specified" && exit 1
+fi
+
+if [ -d "${HOME}/${project}" ] ; then
+    cd "${HOME}/${project}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
+
+set +e
+currentworktree="$(git config deploy.worktree)"
+currentpublic="$(git config deploy.public)"
+currentbranch="$(git config deploy.branch)"
+currentdomain="$(git config deploy.domain)"
+currentuserdir="$(git config --bool deploy.userdir)"
+localbranches="$(git branch | awk -F ' +' '$2 !~ /detached/ {print $2}' | xargs)"
+set -e
+
+echo "Repository directory:     $(pwd)"
+
+if [ -n "${currentworktree}" ] ; then
+    echo "Work directory:           ${currentworktree}"
+fi
+if [ -n "${currentpublic}" ] ; then
+    echo "Public directory:     ${currentpublic}"
+fi
+if [ -n "${currentbranch}" ] ; then
+    echo "Default branch:           ${currentbranch}"
+fi
+if [ -n "${localbranches}" ] ; then
+    echo "Local branches:           ${localbranches}"
+fi
+if [ -n "${currentdomain}" ] ; then
+    echo "Domain URL:           http://${currentdomain}/"
+elif [ -n "${currentuserdir}" ] ; then
+    echo "Userdir URL:          http://${userdomain}/~${USER}/"
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/init b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/init
new file mode 100755
index 00000000..4e978dfb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/init
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+system_functions="$(git config --global --get gitusers.system.functions)"
+# shellcheck disable=SC1090
+test -x "${system_functions}" && source "${system_functions}"
+
+# Directory with available hooks
+system_git_hooks="$(git config --global --get gitusers.init.hooks)"
+
+# What hook types are known and allowed
+read -r -a allowed_hooks <<< "$(git config --global --get gitusers.hooks)"
+
+# Name of default repository type to use if it's not specified by user
+read -r -a default_repository_type <<< "$(git config --global --get gitusers.init.type)"
+
+# Default directory where repositories are checked out
+checkout_path="$(git config --global --get gitusers.init.path)"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository> [type]
+
+Create new repository with optional [type] as default
+Available types: ${allowed_hooks[@]}
+EOF
+    exit 1
+fi
+
+
+# ---- Prepare environment ----
+
+# Sanitize repository name
+repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+# Sanitize repository type
+if [ -n "${2}" ] ; then
+    repository_type="${2//[^a-zA-Z0-9]/}"
+else
+    repository_type="${default_repository_type[*]}"
+fi
+
+if [ -n "${repository_type}" ] && ! in_array allowed_hooks "${repository_type}" ; then
+    echo "Error: Unknown repository type" && exit 1
+fi
+
+# List of hooks installed by default
+read -r -a default_hooks <<< "$(git config --global --get "gitusers.hookmap.${repository_type}")"
+
+# Define a worktree outside of the home directory
+worktree="${checkout_path}/${repository}.checkout"
+
+
+# ---- Create and initialize the project ----
+
+mkdir -p "${HOME}/${project}"
+cd "${HOME}/${project}"
+
+if ! [ -r "config" ] ; then
+    git init --bare
+    git config deploy.bare "false"
+    git config deploy.worktree "${worktree}"
+    git config deploy.type "${repository_type}"
+fi
+
+
+# ---- Reset default hooks ----
+
+if [ -n "${default_hooks[*]}" ] ; then
+    for hook in "${default_hooks[@]}" ; do
+        hook_dir="$(dirname "${hook}")"
+        test -d "hooks/${hook_dir}" && rm -rf "hooks/${hook_dir}"
+    done
+fi
+
+
+# ---- Configure default hooks ----
+
+if [ -n "${default_hooks[*]}" ] ; then
+    for hook in "${default_hooks[@]}" ; do
+        hook_dir=$(dirname "${hook}")
+        hook_type="${hook_dir//\.d$/}"
+        echo "Installing ${hook_type} hook: $(basename "${hook}")"
+        test -d "hooks/${hook_dir}" || mkdir -p "hooks/${hook_dir}"
+        test -x "${system_git_hooks}/${hook}" && ln -sf "${system_git_hooks}/${hook}" "hooks/${hook_dir}/$(basename "${hook}")"
+        test -L "hooks/hook-chain" || ln -sf "${system_git_hooks}/hook-chain" "hooks/hook-chain"
+        test -L "hooks/${hook_type}" || ln -sf "hook-chain" "hooks/${hook_type}"
+    done
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/list b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/list
new file mode 100755
index 00000000..edc19bd4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/list
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# shellcheck disable=SC2016
+print_if_repo='
+    if $(git --git-dir="$1" rev-parse) ; then
+        printf "%s\n" "${1#./}" | sed -e "s/\.git$//i"
+    fi
+'
+
+find . -type d -name "*.git" -exec sh -c "$print_if_repo" -- \{\} \; -prune 2>/dev/null | sort
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/publish b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/publish
new file mode 100755
index 00000000..b966ebcc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/publish
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+parentdomain="$(git config --global --get gitusers.publish.domain)"
+
+userdomain="$(git config --global --get gitusers.userdir.domain)"
+
+publish_path="$(git config --global --get gitusers.publish.path)"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository> <domain>
+
+Publish repository on a given <domain>
+EOF
+    exit 1
+fi
+
+if [ -n "${1}" ] ; then
+    # Sanitize repository name
+    repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+    project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+else
+    echo "Error: No repository specified" && exit 1
+fi
+
+if [ -d "${HOME}/${project}" ] ; then
+    cd "${HOME}/${project}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
+
+set +e
+currentworktree=$(git config deploy.worktree)
+currentpublic=$(git config deploy.public)
+currentbranch=$(git config deploy.branch)
+currentdomain=$(git config deploy.domain)
+currentuserdir=$(git config --bool deploy.userdir)
+set -e
+
+if [ -n "${2}" ] ; then
+    if [ -z "${2//[^a-zA-Z0-9]/}" ] || [ -n "${2//[^\/]/}" ]; then
+        echo "Error: illegal domain: '${2}'" && exit 1
+    fi
+
+    # Sanitize domain name
+    domain="${2//[^a-zA-Z0-9\.\-]/}"
+
+    if [[ ${domain} != *.* ]] ; then
+        domain="${domain}.${parentdomain}"
+    fi
+else
+    if [ -n "${currentpublic}" ] ; then
+        cat <<-EOF
+Work directory:     ${currentworktree}
+Public directory:   ${currentpublic}
+Current branch:     ${currentbranch}
+EOF
+        if [ -n "${currentuserdir}" ] ; then
+            cat <<-EOF
+Userdir URL:        http://${userdomain}/~${USER}/
+EOF
+        else
+            cat <<-EOF
+Domain URL:     http://${currentdomain}/
+EOF
+        fi
+        exit 1
+    else
+        if [[ ${repository} == */* ]] ; then
+            repository=$(echo "${repository}" | sed -e 's!^\([^/]*\)/\(.*\)$!\2/\1!' -e 's/\//./g')
+        fi
+        domain="${repository}.${parentdomain}"
+    fi
+fi
+
+public="${publish_path}/${domain}/public"
+
+if [ -n "${domain}" ] ; then
+    git config deploy.public "${public}"
+    git config deploy.domain "${domain}"
+    set +e
+    git config --unset-all deploy.userdir
+    set -e
+
+    cat <<-EOF
+Work directory:     ${currentworktree}
+Public directory:   ${public}
+Active branch:      ${currentbranch}
+Domain URL:     http://${domain}/
+EOF
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/rename b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/rename
new file mode 100755
index 00000000..a9ccfb76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/rename
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository> <newrepository>
+
+Change name of <repository> to <newrepository>
+EOF
+    exit 1
+fi
+
+if [ -n "${1}" ] ; then
+    # Sanitize repository name
+    repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+    project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+else
+    echo "Error: No repository name given" && exit 1
+fi
+
+if [ -n "${2}" ] ; then
+    # Sanitize new repository name
+    newrepository=${2//[^a-zA-Z0-9\.\/\_-]/}
+    newproject=$(echo "${newrepository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+else
+    echo "Error: No new repository name given" && exit 1
+fi
+
+
+if [ -d "${project}" ] ; then
+
+    if [[ ${newrepository} == */* ]] ; then
+        mkdir -p "$(dirname "${HOME}/${newrepository}")"
+    fi
+    if [ -d "${newproject}" ] ; then
+        echo "Error: Repository ${newrepository} already exists" && exit 1
+    else
+        mv "${HOME}/${project}" "${HOME}/${newproject}"
+        echo "Repository ${repository} renamed to ${newrepository}"
+        exit 0
+    fi
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/snapshot b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/snapshot
new file mode 100755
index 00000000..c28057de
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/snapshot
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+# Directory with available post-receive hooks
+git_hooks="$(git config --global --get gitusers.init.hooks)"
+
+# List of post-receive hooks installed by default
+default_hooks=( post-receive.d/00_checkout )
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Create a snapshot from the public dir of given repository
+EOF
+    exit 1
+fi
+
+
+# ---- Prepare environment ----
+
+# Sanitize repository name
+repository=${1//[^a-zA-Z0-9\.\/\_-]/}
+project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+
+if [ ! -d "${project}" ] ; then
+    echo "Project '${project}' not found" && exit 1
+fi
+
+cd "${HOME}/${project}"
+
+set +e
+branch=$(git config --get deploy.branch)
+public=$(git config --get deploy.public)
+set -e
+
+snapshot="${HOME}/$(dirname "${project}")/$(basename "${project}" .git).snapshot.git"
+
+if [ -z "${public}" ] ; then
+    echo "Error: Public directory is not configured" && exit 1
+fi
+
+if [ ! -d "${public}" ] ; then
+    echo "Error: Public directory does not exist" && exit 1
+fi
+
+cd "${public}" || exit 1
+
+git init --separate-git-dir="${snapshot}"
+git config deploy.bare false
+git config deploy.worktree "${public}"
+git config deploy.public "${public}"
+git config deploy.branch master
+git config deploy.snapshot true
+git add .
+git commit -m "Snapshot of '${USER}@$(hostname --fqdn):${public} [${branch}]'"
+
+cd "${snapshot}" || exit 1
+
+if [ -n "${default_hooks[*]}" ] ; then
+    for hook in "${default_hooks[@]}" ; do
+        hook_dir=$(dirname "${hook}")
+        hook_type="${hook_dir//\.d$/}"
+        echo "Installing ${hook_type} hook: $(basename "${hook}")"
+        test -d "hooks/${hook_dir}" || mkdir -p "hooks/${hook_dir}"
+        test -x "${git_hooks}/${hook}" && ln -sf "${git_hooks}/${hook}" "hooks/${hook_dir}/$(basename "${hook}")"
+        test -L "hooks/hook-chain" || ln -sf "${git_hooks}/hook-chain" "hooks/hook-chain"
+        test -L "hooks/${hook_type}" || ln -sf "hook-chain" "hooks/${hook_type}"
+    done
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/sshkey b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/sshkey
new file mode 100755
index 00000000..195bbd6d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/sshkey
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+sshkey="${HOME}/.ssh/id_rsa.pub"
+
+if [ ! -r "${sshkey}" ] ; then
+    ssh-keygen -f "${HOME}/.ssh/id_rsa" -q -t rsa -N ""
+fi
+
+cat "${sshkey}"
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/userdir b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/userdir
new file mode 100755
index 00000000..c3d43cc8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/git-shell-commands/userdir
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+domain="$(git config --global --get gitusers.userdir.domain)"
+
+userdir_path="$(git config --global --get gitusers.userdir.path)"
+
+# If no project name is given, display help
+if [ $# -eq 0 ] ; then
+    cat <<-EOF
+Usage: $(basename "${0}") <repository>
+
+Publish <repository> as http://${domain}/~${USER}/
+EOF
+    exit 1
+fi
+
+if [ -n "${1}" ] ; then
+    # Sanitize repository name
+    repository="${1//[^a-zA-Z0-9\.\/\_-]/}"
+    project=$(echo "${repository}" | sed -e 's/^\///i' -e 's/\.\././g' -e 's/^\.//i' -e 's/\.git$\|$/.git/i')
+else
+    echo "Error: No repository specified" && exit 1
+fi
+
+if [ -d "${HOME}/${project}" ] ; then
+    cd "${HOME}/${project}"
+else
+    echo "Error: Repository ${repository} not found" && exit 1
+fi
+
+set +e
+currentworktree=$(git config deploy.worktree)
+currentbranch=$(git config deploy.branch)
+set -e
+
+public="${userdir_path}/public"
+
+[ -d "${public}" ] || mkdir -p "${public}"
+
+git config deploy.public "${public}"
+git config --bool deploy.userdir true
+set +e
+git config --unset-all deploy.domain
+set -e
+
+cat <<-EOF
+Work directory:     ${currentworktree}
+Public directory:   ${public}
+Active branch:      ${currentbranch}
+Userdir URL:        http://${domain}/~${USER}/
+EOF
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/hook-chain b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/hook-chain
new file mode 100755
index 00000000..f4e851ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/hook-chain
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+set -e
+
+data=$(cat)
+params="${*}"
+exitcodes=()
+hooktype=$(basename "$0")
+
+GIT_DIR="$(git rev-parse --git-dir)"
+
+if [ -e "${GIT_DIR}/hooks/${hooktype}.d" ] ; then
+  for hook in "${GIT_DIR}"/hooks/"${hooktype}".d/* ; do
+    test -x "${hook}" || continue
+    echo "${data}" | "${hook}" "${params}"
+    exitcodes+=($?)
+  done
+
+  for i in "${exitcodes[@]}"; do
+    [ "$i" == 0 ] || exit "$i"
+  done
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/00_submodule b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/00_submodule
new file mode 100755
index 00000000..6bb3655c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/00_submodule
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Update submodules
+
+set -e
+
+worktree="$(git config --get deploy.worktree)"
+
+test -d "${worktree}" || mkdir -p "${worktree}"
+
+cd "${worktree}" || exit 1
+
+git submodule sync && git submodule update --init --force --recursive
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/deploy b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/deploy
new file mode 100755
index 00000000..d5765420
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/deploy
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Run deployment script
+
+oldrev="${1}"
+newrev="${2}"
+
+system_functions="$(git config --global --get gitusers.system.functions)"
+# shellcheck disable=SC1090
+test -x "${system_functions}" && source "${system_functions}"
+
+read -r -a permissions <<< "$(git config --global --get gitusers.permissions)"
+worktree="$(git config --get deploy.worktree)"
+public="$(git config --get deploy.public)"
+setup="$(git config --get deploy.setup)"
+
+test -d "${worktree}" || mkdir -p "${worktree}"
+
+cd "${worktree}" || exit 1
+
+if [ -n "${public}" ] ; then
+  export DEPLOY_PUBLIC="${public}"
+fi
+
+logfile="log/deploy.log"
+restartfile="tmp/restart.txt"
+
+if [ -n "${permissions[*]}" ] && in_array permissions deploy ; then
+
+  if [ -z "${setup}" ]; then
+
+    # this is the first push; this branch was just created
+    mkdir -p log tmp
+    chmod 0775 log tmp
+    touch $logfile $restartfile
+    chmod 0664 $logfile $restartfile
+
+    # execute the one-time setup hook
+    if [ -x deploy/setup ] ; then
+      echo "DEPLOY_PUBLIC=\"${DEPLOY_PUBLIC}\""
+      deploy/setup "${oldrev}" "${newrev}" 2>&1 | tee -a "${logfile}"
+    fi
+    git config deploy.setup true
+
+  else
+
+    mkdir -p log tmp
+    chmod 0775 log tmp
+    touch $logfile $restartfile
+    chmod 0664 $logfile $restartfile
+
+    # log timestamp
+    echo "==== $(date) ====" >> "${logfile}"
+
+    # execute the main deploy hook
+    if [ -x deploy/after_push ] ; then
+      echo "DEPLOY_PUBLIC=\"${DEPLOY_PUBLIC}\""
+      deploy/after_push "${oldrev}" "${newrev}" 2>&1 | tee -a "${logfile}"
+    fi
+
+  fi
+
+else
+
+  if test -x "${worktree}/deploy/setup" ; then
+    echo "No permission to run deploy script"
+  fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/jekyll b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/jekyll
new file mode 100755
index 00000000..33f6b90f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-checkout.d/jekyll
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Build Jekyll website
+
+set -e
+
+worktree=$(git config --get deploy.worktree)
+public=$(git config --get deploy.public)
+
+test -d "${worktree}" || mkdir -p "${worktree}"
+
+cd "${worktree}" || exit 1
+
+if [ -n "${public}" ] ; then
+  if type jekyll > /dev/null ; then
+    jekyll build --destination "${public}"
+  fi
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-receive.d/00_checkout b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-receive.d/00_checkout
new file mode 100755
index 00000000..3bad6797
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/files/var/lib/gitusers/hooks/post-receive.d/00_checkout
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Check out git branch to work directory
+
+unset GIT_INDEX_FILE
+
+real_bare="$(git config --get core.bare)"
+bare="$(git config --get deploy.bare)"
+worktree="$(git config deploy.worktree)"
+branch="$(git config deploy.branch)"
+
+set -e
+
+GIT_DIR="$(pwd)"
+GIT_WORK_TREE="${worktree}"
+export GIT_DIR
+export GIT_WORK_TREE
+
+if [ -n "${bare}" ] && [ "${bare}" = "false" ] ; then
+
+  test -d "${worktree}" || mkdir -p "${worktree}"
+
+  if [ -r "${worktree}/.git" ] ; then
+    cd "${worktree}" || exit 1
+    if ! git diff --quiet ; then
+      echo "Error: Found tracked changes in work directory, aborting" && exit 1
+    fi
+    if git ls-files --others --exclude-standard | grep >/dev/null . ; then
+      echo "Error: Found untracked files in work directory, aborting" && exit 1
+    fi
+    cd - > /dev/null
+  fi
+
+  # shellcheck disable=SC2034
+  while read -r oldrev newrev ref ; do
+
+    if [ -z "${branch}" ] ; then
+      branch="${ref##refs/heads/}"
+      git symbolic-ref HEAD "${ref}"
+      git config deploy.branch "${branch}"
+      git config deploy.ref "${ref}"
+    fi
+    if [[ ${ref} =~ .*/${branch}$ ]] ; then
+      echo "gitdir: ${GIT_DIR}" > "${worktree}/.git"
+      git config deploy.bare false
+      git config core.bare false
+      git config core.worktree "${worktree}"
+      git config receive.denyCurrentBranch ignore
+      if [ "${real_bare}" = "${bare}" ] ; then
+        git checkout -f "${branch}"
+      else
+        git checkout -f
+      fi
+    fi
+
+  done
+fi
diff --git a/ansible_collections/debops/debops/roles/gitusers/meta/main.yml b/ansible_collections/debops/debops/roles/gitusers/meta/main.yml
new file mode 100644
index 00000000..bc130b67
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage user accounts based around git-shell'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - git
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/forward.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/forward.yml
new file mode 100644
index 00000000..175179aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/forward.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+#- name: Configure ~/.forward for users
+#  ansible.builtin.template:
+#    src: 'srv/gitusers/forward.j2'
+#    dest: '{{ item.home | default(gitusers_default_home_prefix + "/" + item.name + gitusers_name_suffix) }}/.forward'
+#    owner: '{{ item.name + gitusers_name_suffix }}'
+#    group: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+#    mode: '0644'
+#  loop: '{{ q("flattened", gitusers_list
+#                           + gitusers_group_list
+#                           + gitusers_host_list) }}'
+#  when: ((item.name is defined and item.name) and
+#         (item.state is undefined or (item.state is defined and item.state != 'absent')) and
+#         (item.forward is defined and item.forward))
+#
+#- name: Remove ~/.forward from user account when disabled
+#  ansible.builtin.file:
+#    dest: '{{ item.home | default(gitusers_default_home_prefix + "/" + item.name + gitusers_name_suffix) }}/.forward'
+#    state: 'absent'
+#  loop: '{{ q("flattened", gitusers_list
+#                           + gitusers_group_list
+#                           + gitusers_host_list) }}'
+#  when: ((item.name is defined and item.name) and
+#         (item.state is undefined or (item.state is defined and item.state != 'absent')) and
+#         (item.forward is defined and item.forward == False))
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/git-shell.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/git-shell.yml
new file mode 100644
index 00000000..a0358f64
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/git-shell.yml
@@ -0,0 +1,76 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create gitusers scripts path
+  ansible.builtin.file:
+    path: '{{ gitusers_git_scripts }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Install gitusers scripts
+  ansible.builtin.copy:
+    src: 'var/lib/gitusers/'
+    dest: '{{ gitusers_git_scripts }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Prepare gituser environment
+  ansible.builtin.template:
+    src: 'srv/gitusers/{{ item.1 }}.j2'
+    dest: '{{ item.0.home | default(gitusers_default_home_prefix + "/"
+                                    + item.0.name + gitusers_name_suffix) }}/.{{ item.1 }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_nested:
+    - '{{ gitusers_list + gitusers_group_list + gitusers_host_list }}'
+    - [ 'forward', 'gitconfig', 'motd' ]
+  when: ((item.0.name is defined and item.0.name) and
+         (item.0.state is undefined or (item.0.state is defined and item.0.state != 'absent')))
+
+- name: Create base directory for user websites
+  ansible.builtin.file:
+    path: '{{ gitusers_default_www_prefix }}/{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    state: 'directory'
+    owner: 'root'
+    group: '{{ gitusers_default_www_group }}'
+    mode: '0711'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+         (item.state is undefined or (item.state is defined and item.state != 'absent')))
+
+- name: Create root directory for user websites
+  ansible.builtin.file:
+    path: '{{ gitusers_default_www_prefix }}/{{ item.0.group | default(item.0.name
+                                                                       + gitusers_name_suffix) }}/{{ item.1 }}'
+    state: 'directory'
+    owner: 'root'
+    group: '{{ item.0.group | default(item.0.name + gitusers_name_suffix) }}'
+    mode: '02775'
+  with_nested:
+    - '{{ gitusers_list + gitusers_group_list + gitusers_host_list }}'
+    - [ 'checkouts', 'sites', 'userdir' ]
+  when: ((item.0.name is defined and item.0.name) and
+         (item.0.state is undefined or (item.0.state is defined and item.0.state != 'absent')))
+
+- name: Symlink git-shell-commands to user directories
+  ansible.builtin.file:
+    path: '{{ item.home | default(gitusers_default_home_prefix + "/"
+                                  + item.name + gitusers_name_suffix) + "/git-shell-commands" }}'
+    src: '{{ gitusers_git_scripts + "/git-shell-commands/" }}'
+    state: 'link'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+         (item.state is undefined or (item.state is defined and item.state != 'absent')))
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/gitusers.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/gitusers.yml
new file mode 100644
index 00000000..5a9355aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/gitusers.yml
@@ -0,0 +1,71 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage user accounts without UIDs
+  ansible.builtin.user:
+    name: '{{ item.name + gitusers_name_suffix }}'
+    state: '{{ item.state | default("present") }}'
+    group: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    comment: '{{ item.comment | default("") }}'
+    system: '{{ item.systemuser | default("no") }}'
+    shell: '{{ item.shell | default(gitusers_default_shell) }}'
+    home: '{{ item.home | default(gitusers_default_home_prefix + "/" + item.name + gitusers_name_suffix) }}'
+    createhome: 'no'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and (item.uid is undefined or (item.uid is defined and not item.uid)))
+
+- name: Manage user accounts with UIDs
+  ansible.builtin.user:
+    name: '{{ item.name + gitusers_name_suffix }}'
+    uid: '{{ item.uid }}'
+    state: '{{ item.state | default("present") }}'
+    group: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    comment: '{{ item.comment | default("") }}'
+    system: '{{ item.systemuser | default("no") }}'
+    shell: '{{ item.shell | default(gitusers_default_shell) }}'
+    home: '{{ item.home | default(gitusers_default_home_prefix + "/" + item.name + gitusers_name_suffix) }}'
+    createhome: 'no'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and (item.uid is defined and item.uid))
+
+- name: Manage user default groups
+  ansible.builtin.user:
+    name: '{{ item.name + gitusers_name_suffix }}'
+    state: '{{ item.state | default("present") }}'
+    groups: '{{ gitusers_default_groups_list | join(",") }}'
+    append: '{{ gitusers_default_groups_append }}'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+         (gitusers_default_groups_list is defined and gitusers_default_groups_list))
+
+- name: Manage user custom groups
+  ansible.builtin.user:
+    name: '{{ item.name + gitusers_name_suffix }}'
+    state: '{{ item.state | default("present") }}'
+    groups: '{{ item.groups | join(",") }}'
+    append: '{{ item.append | default("yes") }}'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and (item.groups is defined and item.groups))
+
+- name: Enforce home directories permissions
+  ansible.builtin.file:
+    state: 'directory'
+    path: '{{ item.home | default(gitusers_default_home_prefix + "/" + item.name + gitusers_name_suffix) }}'
+    owner: '{{ item.name + gitusers_name_suffix }}'
+    group: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    mode: '{{ gitusers_default_home_mode }}'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+        (item.state is undefined or (item.state is defined and item.state != 'absent')))
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/groups_absent.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/groups_absent.yml
new file mode 100644
index 00000000..910115e2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/groups_absent.yml
@@ -0,0 +1,13 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Remove user groups if requested
+  ansible.builtin.group:
+    name: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: (item.name is defined and (item.state is defined and item.state == 'absent'))
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/groups_present.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/groups_present.yml
new file mode 100644
index 00000000..ee7f0379
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/groups_present.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create user groups without GIDs
+  ansible.builtin.group:
+    name: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    system: '{{ item.systemgroup | default("no") }}'
+    state: 'present'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: (((item.name is defined and item.name) and
+          (item.gid is undefined or (item.gid is defined and not item.gid))) and
+        (item.state is undefined or (item.state is defined and item.state != 'absent')))
+
+- name: Create user groups with GIDs
+  ansible.builtin.group:
+    name: '{{ item.group | default(item.name + gitusers_name_suffix) }}'
+    system: '{{ item.systemgroup | default("no") }}'
+    gid: '{{ item.gid }}'
+    state: 'present'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and (item.gid is defined and item.gid) and
+        (item.state is undefined or (item.state is defined and item.state != 'absent')))
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/main.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/main.yml
new file mode 100644
index 00000000..336669ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create directory for gituser homes
+  ansible.builtin.file:
+    path: '{{ gitusers_default_home_prefix }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0751'
+
+- name: Configure groups
+  ansible.builtin.include_tasks: groups_present.yml
+
+- name: Configure users
+  ansible.builtin.include_tasks: gitusers.yml
+
+- name: Configure git-shell
+  ansible.builtin.include_tasks: git-shell.yml
+
+#- name: Configure mail forwarding
+#  ansible.builtin.include_tasks: forward.yml
+
+- name: Configure sshkeys
+  ansible.builtin.include_tasks: sshkeys.yml
+
+- name: Remove groups if requested
+  ansible.builtin.include_tasks: groups_absent.yml
diff --git a/ansible_collections/debops/debops/roles/gitusers/tasks/sshkeys.yml b/ansible_collections/debops/debops/roles/gitusers/tasks/sshkeys.yml
new file mode 100644
index 00000000..0201b1ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/tasks/sshkeys.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure authorized SSH keys for users
+  ansible.posix.authorized_key:
+    key: '{{ "\n".join(item.sshkeys) | string }}'
+    state: 'present'
+    user: '{{ item.name + gitusers_name_suffix }}'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+         (item.state is undefined or (item.state is defined and item.state != 'absent')) and
+         (item.sshkeys is defined and item.sshkeys))
+
+- name: Remove ~/.ssh/authorized_keys from user account if disabled
+  ansible.builtin.file:
+    dest: '{{ item.home | default(gitusers_default_home_prefix + "/"
+                                  + item.name + gitusers_name_suffix) }}/.ssh/authorized_keys'
+    state: 'absent'
+  loop: '{{ q("flattened", gitusers_list
+                           + gitusers_group_list
+                           + gitusers_host_list) }}'
+  when: ((item.name is defined and item.name) and
+         (item.state is undefined or (item.state is defined and item.state != 'absent')) and
+         (item.sshkeys is defined and not item.sshkeys | bool))
diff --git a/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/forward.j2 b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/forward.j2
new file mode 100644
index 00000000..2ccbabd6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/forward.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.0.forward is defined and item.0.forward %}
+{{ ", ".join(item.0.forward) }}{% endif %}
diff --git a/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/gitconfig.j2 b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/gitconfig.j2
new file mode 100644
index 00000000..e71ee708
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/gitconfig.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set item = item.0 %}
+# This file is managed remotely, all changes will be lost
+
+[user]
+  name          = {{ item.comment | default(item.name | capitalize) }}
+  email         = {{ item.name + "@" + ansible_fqdn }}
+
+[gitusers]
+  home          = {{ gitusers_default_home_prefix + "/" + item.name }}
+  data          = {{ gitusers_default_www_prefix + "/" + item.group | default(item.name + gitusers_name_suffix) }}
+  hooks         = {{ gitusers_default_hooks.keys() | join(" ") }}
+  permissions   = {{ item.permissions | default(gitusers_default_permissions) | join(" ") }}
+
+[gitusers "hookmap"]
+{% for hooktype, hooklist in gitusers_default_hooks.items() %}
+  {{ "%-14s = %s" | format(hooktype, hooklist | join(" ")) }}
+{% endfor %}
+
+[gitusers "permission"]
+  deploy        = {{ item.deploy   | default('false') | lower }}
+  userdir       = {{ item.userdir  | default('true')  | lower }}
+
+[gitusers "system"]
+  functions     = {{ gitusers_git_scripts + "/functions.sh" }}
+  hooks         = {{ gitusers_git_scripts + "/hooks" }}
+
+[gitusers "init"]
+  path          = {{ gitusers_default_www_prefix + "/" + item.group | default(item.name + gitusers_name_suffix) + "/checkouts" }}
+  hooks         = {{ gitusers_git_scripts + "/hooks" }}
+  type          = {{ item.type | default(gitusers_default_hook_list) }}
+
+[gitusers "publish"]
+  path          = {{ gitusers_default_www_prefix + "/" + item.group | default(item.name + gitusers_name_suffix) + "/sites" }}
+  domain        = {{ item.domain | default(gitusers_default_domain) }}
+
+[gitusers "userdir"]
+  path          = {{ gitusers_default_www_prefix + "/" + item.group | default(item.name + gitusers_name_suffix) + "/userdir" }}
+  domain        = {{ gitusers_default_user_domain }}
diff --git a/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/motd.j2 b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/motd.j2
new file mode 100644
index 00000000..ab85b461
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gitusers/templates/srv/gitusers/motd.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.0.motd is defined and item.0.motd %}
+{{ item.0.motd }}{% endif %}
diff --git a/ansible_collections/debops/debops/roles/global_handlers/COPYRIGHT b/ansible_collections/debops/debops/roles/global_handlers/COPYRIGHT
new file mode 100644
index 00000000..2422ff6d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.global_handlers - Provide Ansible handlers to other Ansible roles
+
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/apparmor.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/apparmor.yml
new file mode 100644
index 00000000..b44784eb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/apparmor.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload all AppArmor profiles
+  ansible.builtin.service:
+    name: 'apparmor'
+    state: 'reloaded'
+  when: ansible_local.apparmor.installed | d(False) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/apt_cacher_ng.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/apt_cacher_ng.yml
new file mode 100644
index 00000000..dc25e290
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/apt_cacher_ng.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart apt-cacher-ng
+  ansible.builtin.service:
+    name: 'apt-cacher-ng'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/atd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/atd.yml
new file mode 100644
index 00000000..8ecf1b86
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/atd.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload systemd units
+  ansible.builtin.systemd:
+    daemon_reload: True
+  when: ansible_service_mgr == 'systemd'
+
+- name: Restart atd
+  ansible.builtin.service:
+    name: 'atd'
+    state: 'restarted'
+  when: not ansible_check_mode
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/avahi.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/avahi.yml
new file mode 100644
index 00000000..85f8705f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/avahi.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart avahi-daemon
+  ansible.builtin.service:
+    name: 'avahi-daemon'
+    state: 'restarted'
+  when: (ansible_local.avahi.installed | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/bind.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/bind.yml
new file mode 100644
index 00000000..ed163540
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/bind.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+  # Note: running as the bind user makes sure it has permissions
+  #       to read all relevant configuration files, including
+  #       included snippets, keys, etc.
+- name: Test named configuration and restart
+  ansible.builtin.command: runuser -u bind -- /usr/bin/named-checkconf
+  register: bind__register_checkconf
+  changed_when: bind__register_checkconf.changed | bool
+  notify: [ 'Restart named' ]
+
+- name: Restart named
+  ansible.builtin.service:
+    name: 'named'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcp_probe.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcp_probe.yml
new file mode 100644
index 00000000..c14ddec1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcp_probe.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart dhcp-probe
+  ansible.builtin.service:
+    name: 'dhcp-probe'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcpd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcpd.yml
new file mode 100644
index 00000000..493fcbdf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcpd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart isc-dhcp-server
+  ansible.builtin.service:
+    name: 'isc-dhcp-server'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcrelay.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcrelay.yml
new file mode 100644
index 00000000..c83a213d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/dhcrelay.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart isc-dhcp-relay
+  ansible.builtin.service:
+    name: 'isc-dhcp-relay'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/dnsmasq.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/dnsmasq.yml
new file mode 100644
index 00000000..c73d77e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/dnsmasq.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test and restart dnsmasq
+  ansible.builtin.command: dnsmasq --test
+  register: dnsmasq__register_config_test
+  changed_when: dnsmasq__register_config_test.changed | bool
+  notify: [ 'Restart dnsmasq' ]
+
+- name: Restart dnsmasq
+  ansible.builtin.service:
+    name: 'dnsmasq'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_gen.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_gen.yml
new file mode 100644
index 00000000..d1f24040
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_gen.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart docker-gen
+  ansible.builtin.service:
+    name: 'docker-gen'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_registry.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_registry.yml
new file mode 100644
index 00000000..c064dc1c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_registry.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart docker-registry
+  ansible.builtin.service:
+    name: 'docker-registry'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_server.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_server.yml
new file mode 100644
index 00000000..42a831a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/docker_server.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Imre Jonk <mail@imrejonk.nl>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart docker
+  ansible.builtin.service:
+    name: 'docker'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/dovecot.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/dovecot.yml
new file mode 100644
index 00000000..80f7cca5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/dovecot.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2017-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart dovecot
+  ansible.builtin.service:
+    name: 'dovecot'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/elasticsearch.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/elasticsearch.yml
new file mode 100644
index 00000000..0b0233fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/elasticsearch.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2014-2016 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Start elasticsearch
+  ansible.builtin.service:
+    name: 'elasticsearch'
+    state: 'started'
+    enabled: True
+
+- name: Restart elasticsearch
+  ansible.builtin.service:
+    name: 'elasticsearch'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/etc_aliases.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/etc_aliases.yml
new file mode 100644
index 00000000..057ba731
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/etc_aliases.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update /etc/aliases.db database
+  ansible.builtin.command: newaliases
+  register: etc_aliases__register_newaliases
+  changed_when: etc_aliases__register_newaliases.changed | bool
+  when: ansible_local | d() and ansible_local.etc_aliases | d() and
+        ansible_local.etc_aliases.newaliases is defined and
+        ansible_local.etc_aliases.newaliases | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/etckeeper.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/etckeeper.yml
new file mode 100644
index 00000000..890e2b3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/etckeeper.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2016-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C)      2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Commit changes in etckeeper
+  ansible.builtin.shell: etckeeper unclean && etckeeper commit 'Committed by Ansible "etckeeper" handler' || true
+  register: etckeeper__register_commit
+  changed_when: etckeeper__register_commit.changed | bool
+  when: (ansible_local.etckeeper.enabled | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/etherpad.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/etherpad.yml
new file mode 100644
index 00000000..82646899
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/etherpad.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart etherpad-lite
+  ansible.builtin.service:
+    name: 'etherpad-lite'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/fail2ban.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/fail2ban.yml
new file mode 100644
index 00000000..5bb5cb80
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/fail2ban.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Assemble /etc/fail2ban/jail.local
+  ansible.builtin.assemble:
+    src: '/etc/fail2ban/jail.local.d'
+    dest: '/etc/fail2ban/jail.local'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload fail2ban jails' ]
+
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: 'fail2ban'
+    state: 'restarted'
+
+- name: Reload fail2ban jails
+  ansible.builtin.shell: type fail2ban-server > /dev/null
+         && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
+  register: fail2ban__register_reload
+  changed_when: fail2ban__register_reload.changed | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/ferm.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/ferm.yml
new file mode 100644
index 00000000..afb97007
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/ferm.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart ferm
+  ansible.builtin.service:
+    name: 'ferm'
+    state: 'restarted'
+  when: (ansible_local.ferm.enabled | d()) | bool and not ansible_check_mode
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/filebeat.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/filebeat.yml
new file mode 100644
index 00000000..7846dcdc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/filebeat.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test filebeat configuration and restart
+  ansible.builtin.command: 'filebeat test config'
+  register: filebeat__register_test_config
+  changed_when: filebeat__register_test_config.changed | bool
+  notify:
+    - 'Restart filebeat'
+    - 'Commit changes in etckeeper'
+  when: (ansible_local.filebeat.installed | d()) | bool
+
+- name: Test filebeat output and restart
+  ansible.builtin.command: 'filebeat test output'
+  register: filebeat__register_test_output
+  changed_when: filebeat__register_test_output.changed | bool
+  notify: [ 'Restart filebeat' ]
+  when: (ansible_local.filebeat.installed | d()) | bool
+
+- name: Restart filebeat
+  ansible.builtin.service:
+    name: 'filebeat'
+    state: 'restarted'
+  when: (ansible_local.filebeat.installed | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/freeradius.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/freeradius.yml
new file mode 100644
index 00000000..eba8db37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/freeradius.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check freeradius configuration and restart
+  ansible.builtin.command: freeradius -C
+  register: freeradius__register_check_config
+  changed_when: freeradius__register_check_config.changed | bool
+  notify: [ 'Restart freeradius' ]
+
+- name: Restart freeradius
+  ansible.builtin.service:
+    name: 'freeradius'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/gitlab.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/gitlab.yml
new file mode 100644
index 00000000..faebe120
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/gitlab.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reconfigure GitLab Omnibus
+  ansible.builtin.command: 'gitlab-ctl reconfigure'
+  register: gitlab__register_reconfigure
+  changed_when: gitlab__register_reconfigure.changed | bool
+  when: (ansible_local.gitlab.omnibus | d()) | bool
+
+- name: Restart GitLab Omnibus
+  ansible.builtin.command: 'gitlab-ctl restart'
+  register: gitlab__register_restart
+  changed_when: gitlab__register_restart.changed | bool
+  when: (ansible_local.gitlab.omnibus | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/grub.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/grub.yml
new file mode 100644
index 00000000..bd0cc436
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/grub.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update GRUB
+  ansible.builtin.command: update-grub
+  register: handlers__register_grub_update
+  changed_when: handlers__register_grub_update.changed | bool
+  failed_when: ('error' in handlers__register_grub_update.stderr)
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/icinga.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/icinga.yml
new file mode 100644
index 00000000..d21beea4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/icinga.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check icinga2 configuration and restart
+  ansible.builtin.command: icinga2 daemon -C
+  register: icinga__register_config_test
+  changed_when: icinga__register_config_test.changed | bool
+  notify: [ 'Restart icinga2' ]
+
+- name: Restart icinga2
+  ansible.builtin.service:
+    name: 'icinga2'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/imapproxy.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/imapproxy.yml
new file mode 100644
index 00000000..b6c018fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/imapproxy.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart imapproxy
+  ansible.builtin.service:
+    name: 'imapproxy'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/influxdb_server.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/influxdb_server.yml
new file mode 100644
index 00000000..257664fe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/influxdb_server.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart influxdb
+  ansible.builtin.service:
+    name: 'influxdb'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/iscsi.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/iscsi.yml
new file mode 100644
index 00000000..507a552a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/iscsi.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart open-iscsi
+  ansible.builtin.service:
+    name: 'open-iscsi'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/keepalived.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/keepalived.yml
new file mode 100644
index 00000000..07554dd0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/keepalived.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check keepalived configuration and restart
+  ansible.builtin.command: keepalived --config-test
+  register: keepalived__register_config_restart
+  changed_when: keepalived__register_config_restart.changed | bool
+  notify: [ 'Restart keepalived' ]
+
+- name: Check keepalived configuration and reload
+  ansible.builtin.command: keepalived --config-test
+  register: keepalived__register_config_reload
+  changed_when: keepalived__register_config_reload.changed | bool
+  notify: [ 'Reload keepalived' ]
+
+- name: Restart keepalived
+  ansible.builtin.service:
+    name: 'keepalived'
+    state: 'restarted'
+
+- name: Reload keepalived
+  ansible.builtin.service:
+    name: 'keepalived'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/kibana.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/kibana.yml
new file mode 100644
index 00000000..2a2eeb46
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/kibana.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Start kibana
+  ansible.builtin.service:
+    name: 'kibana'
+    state: 'started'
+    enabled: True
+
+- name: Restart kibana
+  ansible.builtin.service:
+    name: 'kibana'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/libvirtd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/libvirtd.yml
new file mode 100644
index 00000000..2384daa5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/libvirtd.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart libvirtd
+  ansible.builtin.service:
+    name: 'libvirtd'
+    state: 'restarted'
+  when: ansible_distribution_release not in ['trusty', 'xenial']
+
+- name: Restart libvirt-bin
+  ansible.builtin.service:
+    name: 'libvirt-bin'
+    state: 'restarted'
+  when: ansible_distribution_release in ['trusty', 'xenial']
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/lldpd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/lldpd.yml
new file mode 100644
index 00000000..cf5de7cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/lldpd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart lldpd
+  ansible.builtin.service:
+    name: 'lldpd'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/mailman.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/mailman.yml
new file mode 100644
index 00000000..31c836b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/mailman.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart mailman3
+  ansible.builtin.service:
+    name: 'mailman3'
+    state: 'restarted'
+
+- name: Restart mailman3-web
+  ansible.builtin.service:
+    name: 'mailman3-web'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/main.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/main.yml
new file mode 100644
index 00000000..85ab7f09
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/main.yml
@@ -0,0 +1,238 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# The order of the imports affects the execution order of handlers.
+
+- name: Import meta handlers
+  ansible.builtin.import_tasks: 'meta.yml'
+
+- name: Import systemd handlers
+  ansible.builtin.import_tasks: 'systemd.yml'
+
+- name: Import resolved handlers
+  ansible.builtin.import_tasks: 'resolved.yml'
+
+- name: Import timesyncd handlers
+  ansible.builtin.import_tasks: 'timesyncd.yml'
+
+- name: Import apparmor handlers
+  ansible.builtin.import_tasks: 'apparmor.yml'
+
+- name: Import apt_cacher_ng handlers
+  ansible.builtin.import_tasks: 'apt_cacher_ng.yml'
+
+- name: Import atd handlers
+  ansible.builtin.import_tasks: 'atd.yml'
+
+- name: Import avahi handlers
+  ansible.builtin.import_tasks: 'avahi.yml'
+
+- name: Import bind handlers
+  ansible.builtin.import_tasks: 'bind.yml'
+
+- name: Import dhcp_probe handlers
+  ansible.builtin.import_tasks: 'dhcp_probe.yml'
+
+- name: Import dhcpd handlers
+  ansible.builtin.import_tasks: 'dhcpd.yml'
+
+- name: Import dhcrelay handlers
+  ansible.builtin.import_tasks: 'dhcrelay.yml'
+
+- name: Import dnsmasq handlers
+  ansible.builtin.import_tasks: 'dnsmasq.yml'
+
+- name: Import docker_gen handlers
+  ansible.builtin.import_tasks: 'docker_gen.yml'
+
+- name: Import docker_registry handlers
+  ansible.builtin.import_tasks: 'docker_registry.yml'
+
+- name: Import docker_server handlers
+  ansible.builtin.import_tasks: 'docker_server.yml'
+
+- name: Import dovecot handlers
+  ansible.builtin.import_tasks: 'dovecot.yml'
+
+- name: Import elasticsearch handlers
+  ansible.builtin.import_tasks: 'elasticsearch.yml'
+
+- name: Import etc_aliases handlers
+  ansible.builtin.import_tasks: 'etc_aliases.yml'
+
+- name: Import etherpad handlers
+  ansible.builtin.import_tasks: 'etherpad.yml'
+
+- name: Import fail2ban handlers
+  ansible.builtin.import_tasks: 'fail2ban.yml'
+
+- name: Import ferm handlers
+  ansible.builtin.import_tasks: 'ferm.yml'
+
+- name: Import filebeat handlers
+  ansible.builtin.import_tasks: 'filebeat.yml'
+
+- name: Import freeradius handlers
+  ansible.builtin.import_tasks: 'freeradius.yml'
+
+- name: Import gitlab handlers
+  ansible.builtin.import_tasks: 'gitlab.yml'
+
+- name: Import grub handlers
+  ansible.builtin.import_tasks: 'grub.yml'
+
+- name: Import icinga handlers
+  ansible.builtin.import_tasks: 'icinga.yml'
+
+- name: Import imapproxy handlers
+  ansible.builtin.import_tasks: 'imapproxy.yml'
+
+- name: Import influxdb_server handlers
+  ansible.builtin.import_tasks: 'influxdb_server.yml'
+
+- name: Import iscsi handlers
+  ansible.builtin.import_tasks: 'iscsi.yml'
+
+- name: Import keepalived handlers
+  ansible.builtin.import_tasks: 'keepalived.yml'
+
+- name: Import kibana handlers
+  ansible.builtin.import_tasks: 'kibana.yml'
+
+- name: Import mailman handlers
+  ansible.builtin.import_tasks: 'mailman.yml'
+
+- name: Import metricbeat handlers
+  ansible.builtin.import_tasks: 'metricbeat.yml'
+
+- name: Import memcached handlers
+  ansible.builtin.import_tasks: 'memcached.yml'
+
+- name: Import miniflux handlers
+  ansible.builtin.import_tasks: 'miniflux.yml'
+
+- name: Import minio handlers
+  ansible.builtin.import_tasks: 'minio.yml'
+
+- name: Import monit handlers
+  ansible.builtin.import_tasks: 'monit.yml'
+
+- name: Import mosquitto handlers
+  ansible.builtin.import_tasks: 'mosquitto.yml'
+
+- name: Import nfs_server handlers
+  ansible.builtin.import_tasks: 'nfs_server.yml'
+
+- name: Import nginx handlers
+  ansible.builtin.import_tasks: 'nginx.yml'
+
+- name: Import ntp handlers
+  ansible.builtin.import_tasks: 'ntp.yml'
+
+- name: Import nullmailer handlers
+  ansible.builtin.import_tasks: 'nullmailer.yml'
+
+- name: Import opendkim handlers
+  ansible.builtin.import_tasks: 'opendkim.yml'
+
+- name: Import opensearch handlers
+  ansible.builtin.import_tasks: 'opensearch.yml'
+
+- name: Import pdns handlers
+  ansible.builtin.import_tasks: 'pdns.yml'
+
+- name: Import pki handlers
+  ansible.builtin.import_tasks: 'pki.yml'
+
+- name: Import postfix handlers
+  ansible.builtin.import_tasks: 'postfix.yml'
+
+- name: Import prosody handlers
+  ansible.builtin.import_tasks: 'prosody.yml'
+
+- name: Import rabbitmq_server handlers
+  ansible.builtin.import_tasks: 'rabbitmq_server.yml'
+
+- name: Import radvd handlers
+  ansible.builtin.import_tasks: 'radvd.yml'
+
+- name: Import reprepro handlers
+  ansible.builtin.import_tasks: 'reprepro.yml'
+
+- name: Import resolvconf handlers
+  ansible.builtin.import_tasks: 'resolvconf.yml'
+
+- name: Import rspamd handlers
+  ansible.builtin.import_tasks: 'rspamd.yml'
+
+- name: Import rstudio_server handlers
+  ansible.builtin.import_tasks: 'rstudio_server.yml'
+
+- name: Import rsyslog handlers
+  ansible.builtin.import_tasks: 'rsyslog.yml'
+
+- name: Import salt handlers
+  ansible.builtin.import_tasks: 'salt.yml'
+
+- name: Import samba handlers
+  ansible.builtin.import_tasks: 'samba.yml'
+
+- name: Import saslauthd handlers
+  ansible.builtin.import_tasks: 'saslauthd.yml'
+
+- name: Import sks handlers
+  ansible.builtin.import_tasks: 'sks.yml'
+
+- name: Import slapd handlers
+  ansible.builtin.import_tasks: 'slapd.yml'
+
+- name: Import smstools handlers
+  ansible.builtin.import_tasks: 'smstools.yml'
+
+- name: Import snmpd handlers
+  ansible.builtin.import_tasks: 'snmpd.yml'
+
+- name: Import lldpd handlers
+  ansible.builtin.import_tasks: 'lldpd.yml'
+
+- name: Import sshd handlers
+  ansible.builtin.import_tasks: 'sshd.yml'
+
+- name: Import stunnel handlers
+  ansible.builtin.import_tasks: 'stunnel.yml'
+
+- name: Import sysfs handlers
+  ansible.builtin.import_tasks: 'sysfs.yml'
+
+- name: Import libvirtd handlers
+  ansible.builtin.import_tasks: 'libvirtd.yml'
+
+- name: Import tcpwrappers handlers
+  ansible.builtin.import_tasks: 'tcpwrappers.yml'
+
+- name: Import tftpd handlers
+  ansible.builtin.import_tasks: 'tftpd.yml'
+
+- name: Import tgt handlers
+  ansible.builtin.import_tasks: 'tgt.yml'
+
+- name: Import tinc handlers
+  ansible.builtin.import_tasks: 'tinc.yml'
+
+- name: Import tinyproxy handlers
+  ansible.builtin.import_tasks: 'tinyproxy.yml'
+
+- name: Import unbound handlers
+  ansible.builtin.import_tasks: 'unbound.yml'
+
+- name: Import telegraf handlers
+  ansible.builtin.import_tasks: 'telegraf.yml'
+
+- name: Import zabbix_agent handlers
+  ansible.builtin.import_tasks: 'zabbix_agent.yml'
+
+# Keep this handler last to commit any changes at the end of playbooks
+- name: Import etckeeper handlers
+  ansible.builtin.import_tasks: 'etckeeper.yml'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/memcached.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/memcached.yml
new file mode 100644
index 00000000..c72d6ad5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/memcached.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart memcached
+  ansible.builtin.service:
+    name: 'memcached'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/meta.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/meta.yml
new file mode 100644
index 00000000..76a2346e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/meta.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (C) 2021-2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Refresh host facts
+  ansible.builtin.setup:
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/metricbeat.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/metricbeat.yml
new file mode 100644
index 00000000..c54fa5b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/metricbeat.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test metricbeat configuration and restart
+  ansible.builtin.command: 'metricbeat test config'
+  register: metricbeat__register_test_config
+  changed_when: metricbeat__register_test_config.changed | bool
+  notify:
+    - 'Restart metricbeat'
+    - 'Commit changes in etckeeper'
+  when: (ansible_local.metricbeat.installed | d()) | bool
+
+- name: Test metricbeat output and restart
+  ansible.builtin.command: 'metricbeat test output'
+  register: metricbeat__register_test_output
+  changed_when: metricbeat__register_test_output.changed | bool
+  notify: [ 'Restart metricbeat' ]
+  when: (ansible_local.metricbeat.installed | d()) | bool
+
+- name: Restart metricbeat
+  ansible.builtin.service:
+    name: 'metricbeat'
+    state: 'restarted'
+  when: (ansible_local.metricbeat.installed | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/miniflux.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/miniflux.yml
new file mode 100644
index 00000000..16d1775c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/miniflux.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart miniflux
+  ansible.builtin.service:
+    name: 'miniflux'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/minio.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/minio.yml
new file mode 100644
index 00000000..a3b05490
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/minio.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart minio
+  ansible.builtin.service:
+    name: 'minio'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/monit.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/monit.yml
new file mode 100644
index 00000000..aeedfb7f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/monit.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test monit and reload
+  ansible.builtin.command: monit -t
+  register: monit__register_check_config
+  changed_when: monit__register_check_config.changed | bool
+  notify: [ 'Reload monit' ]
+
+- name: Reload monit
+  ansible.builtin.service:
+    name: 'monit'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/mosquitto.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/mosquitto.yml
new file mode 100644
index 00000000..bc58c16f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/mosquitto.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart mosquitto
+  ansible.builtin.service:
+    name: 'mosquitto'
+    state: 'restarted'
+
+- name: Reload mosquitto
+  ansible.builtin.service:
+    name: 'mosquitto'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/nfs_server.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/nfs_server.yml
new file mode 100644
index 00000000..f4667781
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/nfs_server.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart nfs-kernel-server service
+  ansible.builtin.service:
+    name: 'nfs-kernel-server'
+    state: 'restarted'
+
+- name: Reload NFS exports
+  ansible.builtin.command: exportfs -ra
+  register: nfs_server__register_exportfs
+  changed_when: nfs_server__register_exportfs.changed | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/nginx.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/nginx.yml
new file mode 100644
index 00000000..c61dfc33
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/nginx.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test nginx and restart
+  ansible.builtin.command: nginx -t
+  register: nginx__register_check_restart
+  changed_when: nginx__register_check_restart.changed | bool
+  notify: [ 'Restart nginx' ]
+
+- name: Test nginx and reload
+  ansible.builtin.command: nginx -t
+  register: nginx__register_check_reload
+  changed_when: nginx__register_check_reload.changed | bool
+  notify: [ 'Reload nginx' ]
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: 'nginx'
+    state: 'restarted'
+
+- name: Reload nginx
+  ansible.builtin.service:
+    name: 'nginx'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/ntp.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/ntp.yml
new file mode 100644
index 00000000..5a6fdb4d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/ntp.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart openntpd
+  ansible.builtin.service:
+    name: 'openntpd'
+    state: 'restarted'
+  when: not ansible_check_mode
+
+- name: Restart ntp
+  ansible.builtin.service:
+    name: 'ntp'
+    state: 'restarted'
+  when: ntp__daemon == 'ntpd'
+
+- name: Restart systemd-timesyncd
+  ansible.builtin.service:
+    name: 'systemd-timesyncd'
+    state: 'restarted'
+
+- name: Restart chrony
+  ansible.builtin.service:
+    name: 'chrony'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/nullmailer.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/nullmailer.yml
new file mode 100644
index 00000000..ab076dcc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/nullmailer.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart nullmailer
+  ansible.builtin.service:
+    name: 'nullmailer'
+    state: 'restarted'
+  when: not ansible_check_mode
+
+- name: Reload xinetd
+  ansible.builtin.service:
+    name: 'xinetd'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/opendkim.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/opendkim.yml
new file mode 100644
index 00000000..d60965a6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/opendkim.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check opendkim and restart
+  ansible.builtin.command: opendkim -n
+  register: opendkim__register_check_restart
+  changed_when: opendkim__register_check_restart.changed | bool
+  notify: [ 'Restart opendkim' ]
+
+- name: Check opendkim and reload
+  ansible.builtin.command: opendkim -n
+  register: opendkim__register_check_reload
+  changed_when: opendkim__register_check_reload.changed | bool
+  notify: [ 'Reload opendkim' ]
+  when: ansible_local | d() and ansible_local.opendkim | d() and
+        ansible_local.opendkim.installed is defined and
+        ansible_local.opendkim.installed | bool
+
+- name: Restart opendkim
+  ansible.builtin.service:
+    name: 'opendkim'
+    state: 'restarted'
+
+- name: Reload opendkim
+  ansible.builtin.service:
+    name: 'opendkim'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/opensearch.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/opensearch.yml
new file mode 100644
index 00000000..6114b87f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/opensearch.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart opensearch
+  ansible.builtin.service:
+    name: 'opensearch'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/pdns.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/pdns.yml
new file mode 100644
index 00000000..502e2a68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/pdns.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart pdns
+  ansible.builtin.service:
+    name: 'pdns'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/pki.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/pki.yml
new file mode 100644
index 00000000..60a90b42
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/pki.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update ca-certificates.crt
+  ansible.builtin.command: update-ca-certificates
+  register: pki__register_update_cacerts
+  changed_when: pki__register_update_cacerts.changed | bool
+  notify: [ 'Install ca-certificates.crt into Postfix chroot' ]
+
+- name: Regenerate ca-certificates.crt
+  ansible.builtin.command: update-ca-certificates --fresh
+  register: pki__register_regenerate_cacerts
+  changed_when: pki__register_regenerate_cacerts.changed | bool
+  notify: [ 'Install ca-certificates.crt into Postfix chroot' ]
+
+- name: Reconfigure ca-certificates
+  environment:
+    DEBIAN_FRONTEND: 'noninteractive'
+    DEBCONF_NONINTERACTIVE_SEEN: 'true'
+  ansible.builtin.command: dpkg-reconfigure --frontend=noninteractive ca-certificates
+  register: pki__register_reconfigure_cacerts
+  changed_when: pki__register_reconfigure_cacerts.changed | bool
+  notify: [ 'Install ca-certificates.crt into Postfix chroot' ]
+
+- name: Install ca-certificates.crt into Postfix chroot
+  ansible.builtin.shell: test -d /var/spool/postfix &&
+         cp -f /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt || true
+  register: pki__register_postfix_chroot
+  changed_when: pki__register_postfix_chroot.changed | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/postfix.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/postfix.yml
new file mode 100644
index 00000000..3c039334
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/postfix.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Process Postfix Makefile
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.command: make
+  args:
+    chdir: '/etc/postfix'
+  register: handlers__register_postfix_make
+  notify: [ 'Check postfix and reload' ]
+  changed_when: 'not handlers__register_postfix_make.stdout.startswith("make: Nothing to be done")'
+
+- name: Check postfix and restart
+  ansible.builtin.command: /usr/sbin/postfix -c /etc/postfix check
+  register: postfix__register_check_restart
+  changed_when: postfix__register_check_restart.changed | bool
+  notify: [ 'Restart postfix' ]
+
+- name: Check postfix and reload
+  ansible.builtin.command: /usr/sbin/postfix -c /etc/postfix check
+  register: postfix__register_check_reload
+  changed_when: postfix__register_check_reload.changed | bool
+  notify: [ 'Reload postfix' ]
+
+- name: Restart postfix
+  ansible.builtin.service:
+    name: 'postfix'
+    state: 'restarted'
+
+- name: Reload postfix
+  ansible.builtin.service:
+    name: 'postfix'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/prosody.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/prosody.yml
new file mode 100644
index 00000000..7cae2bc6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/prosody.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: 'Restart prosody'
+  ansible.builtin.service:
+    name: 'prosody'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/rabbitmq_server.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/rabbitmq_server.yml
new file mode 100644
index 00000000..dba0f211
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/rabbitmq_server.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart rabbitmq-server
+  ansible.builtin.service:
+    name: 'rabbitmq-server'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/radvd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/radvd.yml
new file mode 100644
index 00000000..f8623152
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/radvd.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test radvd and restart
+  ansible.builtin.command: radvd --configtest
+  register: radvd__register_test_config
+  changed_when: radvd__register_test_config.changed | bool
+  notify: [ 'Restart radvd' ]
+
+- name: Restart radvd
+  ansible.builtin.service:
+    name: 'radvd'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/reprepro.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/reprepro.yml
new file mode 100644
index 00000000..947793c4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/reprepro.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart inoticoming
+  ansible.builtin.service:
+    name: 'inoticoming'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/resolvconf.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/resolvconf.yml
new file mode 100644
index 00000000..543dff4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/resolvconf.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Apply static resolvconf configuration
+  ansible.builtin.command: '/usr/local/lib/resolvconf-static'
+  register: resolvconf__register_static_config
+  changed_when: resolvconf__register_static_config.changed | bool
+
+- name: Refresh /etc/resolv.conf
+  ansible.builtin.command: 'resolvconf -u'
+  register: resolvconf__register_refresh
+  changed_when: resolvconf__register_refresh.changed | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/resolved.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/resolved.yml
new file mode 100644
index 00000000..87a9de59
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/resolved.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart systemd-resolved service
+  ansible.builtin.systemd:
+    name: 'systemd-resolved.service'
+    state: 'restarted'
+  listen:
+    - 'Restart DNS resolver'
+  when:
+    - ansible_service_mgr == 'systemd'
+    - (ansible_local.resolved.state | d('disabled')) == 'enabled'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/rspamd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/rspamd.yml
new file mode 100644
index 00000000..99bb117f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/rspamd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart rspamd
+  ansible.builtin.service:
+    name: 'rspamd'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/rstudio_server.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/rstudio_server.yml
new file mode 100644
index 00000000..78a183b8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/rstudio_server.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Verify rstudio-server
+  ansible.builtin.command: rstudio-server test-config
+  register: rstudio_server__register_test_config
+  changed_when: rstudio_server__register_test_config.changed | bool
+  notify: [ 'Restart rstudio-server' ]
+
+- name: Restart rstudio-server
+  ansible.builtin.service:
+    name: 'rstudio-server'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/rsyslog.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/rsyslog.yml
new file mode 100644
index 00000000..0d673d47
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/rsyslog.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check and restart rsyslogd
+  ansible.builtin.command: rsyslogd -N 1
+  notify: [ 'Restart rsyslogd' ]
+  register: rsyslog__register_test_config
+  changed_when: rsyslog__register_test_config.changed | bool
+  when: (ansible_local.rsyslog.installed | d()) | bool
+
+- name: Restart rsyslogd
+  ansible.builtin.service:
+    name: 'rsyslog'
+    state: 'restarted'
+  when: (ansible_local.rsyslog.installed | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/salt.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/salt.yml
new file mode 100644
index 00000000..62f78daf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/salt.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart salt-master
+  ansible.builtin.service:
+    name: 'salt-master'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/samba.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/samba.yml
new file mode 100644
index 00000000..87720ab0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/samba.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check samba config
+  ansible.builtin.command: testparm -s
+  register: samba__register_test_config
+  changed_when: samba__register_test_config.changed | bool
+  notify: [ 'Reload nmbd', 'Reload smbd' ]
+
+- name: Reload nmbd
+  ansible.builtin.service:
+    name: 'nmbd'
+    state: 'restarted'
+
+- name: Reload smbd
+  ansible.builtin.service:
+    name: 'smbd'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/saslauthd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/saslauthd.yml
new file mode 100644
index 00000000..7192e081
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/saslauthd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart saslauthd
+  ansible.builtin.service:
+    name: 'saslauthd'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/sks.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/sks.yml
new file mode 100644
index 00000000..d81ef124
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/sks.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart sks
+  ansible.builtin.service:
+    name: 'sks'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/slapd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/slapd.yml
new file mode 100644
index 00000000..37011736
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/slapd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart slapd
+  ansible.builtin.service:
+    name: 'slapd'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/smstools.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/smstools.yml
new file mode 100644
index 00000000..9f8a8e76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/smstools.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart smstools
+  ansible.builtin.service:
+    name: 'smstools'
+    state: 'restarted'
+
+- name: Restart xinetd
+  ansible.builtin.service:
+    name: 'xinetd'
+    state: 'restarted'
+
+- name: Reload xinetd
+  ansible.builtin.service:
+    name: 'xinetd'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/snmpd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/snmpd.yml
new file mode 100644
index 00000000..69104c04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/snmpd.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart snmpd
+  ansible.builtin.service:
+    name: 'snmpd'
+    enabled: True
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/sshd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/sshd.yml
new file mode 100644
index 00000000..d18d5e18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/sshd.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Test sshd configuration and restart
+  ansible.builtin.command: sshd -t
+  register: sshd__register_test_config
+  changed_when: sshd__register_test_config.changed | bool
+  notify: [ 'Restart sshd' ]
+
+- name: Restart sshd
+  ansible.builtin.service:
+    name: 'ssh'
+    state: 'restarted'
+  when: (ansible_local.sshd.socket_activation | d('disabled')) == 'disabled'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/stunnel.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/stunnel.yml
new file mode 100644
index 00000000..e2601c49
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/stunnel.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart stunnel
+  ansible.builtin.service:
+    name: 'stunnel4'
+    state: 'restarted'
+
+- name: Reload stunnel
+  ansible.builtin.service:
+    name: 'stunnel4'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/sysfs.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/sysfs.yml
new file mode 100644
index 00000000..fb8a5ce7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/sysfs.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart sysfsutils
+  ansible.builtin.service:
+    name: 'sysfsutils'
+    state: 'restarted'
+  when: (ansible_local.sysfs.enabled | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/systemd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/systemd.yml
new file mode 100644
index 00000000..021e66db
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/systemd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: True
+  listen:
+    - 'Reload service manager'
+  when: ansible_service_mgr == 'systemd'
+
+- name: Create temporary files with systemd-tmpfiles
+  ansible.builtin.command: 'systemd-tmpfiles --create'
+  listen:
+    - 'Create temporary files'
+  register: systemd__register_tmpfiles
+  changed_when: systemd__register_tmpfiles.stdout != ''
+  when: ansible_service_mgr == 'systemd'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/tcpwrappers.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/tcpwrappers.yml
new file mode 100644
index 00000000..9851e341
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/tcpwrappers.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Assemble hosts.allow.d
+  ansible.builtin.assemble:
+    src: '/etc/hosts.allow.d'
+    dest: '/etc/hosts.allow'
+    backup: False
+    mode: '0644'
+  when: (ansible_local.tcpwrappers.enabled | d()) | bool
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/telegraf.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/telegraf.yml
new file mode 100644
index 00000000..d8b0e899
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/telegraf.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Check telegraf and restart
+  ansible.builtin.command: '/usr/bin/telegraf --test --config /etc/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d'
+  register: telegraf__register_config_test
+  changed_when: telegraf__register_config_test.changed | bool
+  notify: [ 'Restart telegraf' ]
+
+- name: Restart telegraf
+  ansible.builtin.service:
+    name: "telegraf"
+    state: "restarted"
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/tftpd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/tftpd.yml
new file mode 100644
index 00000000..9db64036
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/tftpd.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart tftpd-hpa
+  ansible.builtin.service:
+    name: 'tftpd-hpa'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/tgt.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/tgt.yml
new file mode 100644
index 00000000..2fe91139
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/tgt.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload tgt
+  ansible.builtin.service:
+    name: 'tgt'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/timesyncd.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/timesyncd.yml
new file mode 100644
index 00000000..18b5a8f6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/timesyncd.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart systemd-timesyncd service
+  ansible.builtin.systemd:
+    name: 'systemd-timesyncd.service'
+    state: 'restarted'
+  when: ansible_service_mgr == 'systemd'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/tinc.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/tinc.yml
new file mode 100644
index 00000000..07199ba9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/tinc.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Reload tinc
+  ansible.builtin.service:
+    name: 'tinc'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/tinyproxy.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/tinyproxy.yml
new file mode 100644
index 00000000..1ebc4464
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/tinyproxy.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart tinyproxy
+  ansible.builtin.service:
+    name: 'tinyproxy'
+    state: 'restarted'
+    enabled: yes
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/unbound.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/unbound.yml
new file mode 100644
index 00000000..7c5d5953
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/unbound.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check unbound configuration and reload
+  ansible.builtin.command: unbound-checkconf /etc/unbound/unbound.conf
+  register: unbound__register_config_test
+  changed_when: unbound__register_config_test.changed | bool
+  notify: [ 'Reload unbound' ]
+
+- name: Reload unbound
+  ansible.builtin.service:
+    name: 'unbound'
+    state: 'reloaded'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/handlers/zabbix_agent.yml b/ansible_collections/debops/debops/roles/global_handlers/handlers/zabbix_agent.yml
new file mode 100644
index 00000000..a72035aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/handlers/zabbix_agent.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2021-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Check zabbix-agent and restart
+  ansible.builtin.command: '/usr/sbin/zabbix_agentd --print'
+  register: zabbix_agent__register_config_test_c
+  changed_when: zabbix_agent__register_config_test_c.changed | bool
+  when: zabbix_agent__flavor == 'C'
+  notify: [ 'Restart zabbix-agent' ]
+
+- name: Check zabbix-agent2 and restart
+  ansible.builtin.command: '/usr/sbin/zabbix_agent2 --print'
+  register: zabbix_agent__register_config_test_go
+  changed_when: zabbix_agent__register_config_test_go.changed | bool
+  when: zabbix_agent__flavor == 'Go'
+  notify: [ 'Restart zabbix-agent2' ]
+
+- name: Restart zabbix-agent
+  ansible.builtin.service:
+    name: 'zabbix-agent'
+    state: 'restarted'
+
+- name: Restart zabbix-agent2
+  ansible.builtin.service:
+    name: 'zabbix-agent2'
+    state: 'restarted'
diff --git a/ansible_collections/debops/debops/roles/global_handlers/meta/main.yml b/ansible_collections/debops/debops/roles/global_handlers/meta/main.yml
new file mode 100644
index 00000000..acb7154f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/global_handlers/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski'
+  description: 'Provide handlers to other Ansible roles'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: Ubuntu
+      versions:
+        - all
+
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - handlers
+    - ansible
+    - systemd
+    - sysvinit
+    - services
diff --git a/ansible_collections/debops/debops/roles/golang/COPYRIGHT b/ansible_collections/debops/debops/roles/golang/COPYRIGHT
new file mode 100644
index 00000000..d79b417d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.golang - Manage Go environment and applications using Ansible
+
+Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/golang/defaults/main.yml b/ansible_collections/debops/debops/roles/golang/defaults/main.yml
new file mode 100644
index 00000000..3d313f50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/defaults/main.yml
@@ -0,0 +1,202 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# .. Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _golang__ref_defaults:
+
+# debops.golang default variables
+# ===============================
+
+# .. contents::
+#    :local:
+
+# Go UNIX environment [[[
+# -----------------------
+
+# .. envvar:: golang__user [[[
+#
+# Name of an unprivileged UNIX system account which will host the Go build
+# environment.
+golang__user: '_golang'
+
+                                                                   # ]]]
+# .. envvar:: golang__group [[[
+#
+# Name of the primary UNIX group of the Go UNIX account.
+golang__group: '_golang'
+
+                                                                   # ]]]
+# .. envvar:: golang__home [[[
+#
+# Absolute path to the home directory of the Go UNIX account.
+golang__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                  + "/" + golang__user }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__shell [[[
+#
+# The default shell used by the Go UNIX account.
+golang__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: golang__comment [[[
+#
+# The value of the GECOS field of the Go UNIX account.
+golang__comment: 'Go build environment'
+                                                                   # ]]]
+                                                                   # ]]]
+# Go source builds and binaries [[[
+# ---------------------------------
+
+# .. envvar:: golang__apt_dev_packages [[[
+#
+# List of base APT packages installed when a source build is required.
+golang__apt_dev_packages: [ 'golang-go', 'make' ]
+
+                                                                   # ]]]
+# .. envvar:: golang__env_gopath [[[
+#
+# The value of the ``$GOPATH`` environment variable, which defines a list of
+# directories outside of the current Go environment that contain Go sources and
+# packages, separated by colons.
+golang__env_gopath: '{{ golang__home + "/go" }}:/usr/share/gocode'
+
+                                                                   # ]]]
+# .. envvar:: golang__env_gocache [[[
+#
+# The value of the ``$GOCACHE`` environment variable used during Go builds.
+# This variable specifies the directory which holds the Go build cache.
+golang__env_gocache: '{{ golang__home + "/.cache/go" }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__env_path [[[
+#
+# The value of the ``$PATH`` environment variable used during Go builds. This
+# value allows access to the binaries on the Go UNIX account installed by the
+# :command:`go install` command, which are usually not needed in the normal
+# host environment.
+golang__env_path: '{{ golang__home + "/go/bin:" + ansible_env.PATH }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__gosrc [[[
+#
+# Absolute path to the directory where Go application sources will be cloned
+# using the :command:`git` command, as the unprivileged Go UNIX account.
+golang__gosrc: '{{ golang__home + "/go/src" }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__git_depth [[[
+#
+# The default depth used to create a "shallow clone" of the :command:`git`
+# repositories if not specified otherwise, minimum 1. If not specified, entire
+# :command:`git` repository is cloned.
+golang__git_depth: '0'
+
+                                                                   # ]]]
+# .. envvar:: golang__bin_database [[[
+#
+# Absolute path to a file which tracks what Go binaries have been installed by
+# the :ref:`debops.golang` role and is used by the Ansible local fact to
+# resolve the paths to preferred binaries.
+golang__bin_database: '/usr/local/etc/golang-binaries'
+                                                                   # ]]]
+                                                                   # ]]]
+# Go packages [[[
+# ---------------
+
+# The ``golang__*_packages`` default variables define what Go packages should
+# be installed by the :ref:`debops.golang` role.
+# See the :ref:`golang__ref_packages` documentation for more details.
+
+# .. envvar:: golang__default_packages [[[
+#
+# List of default Go packages to install, defined by the role.
+golang__default_packages:
+
+  # The Go environment will be installed if no dependent Go packages are defined
+  - name: 'golang-go'
+    apt_packages: 'golang-go'
+    state: '{{ "ignore" if golang__dependent_packages | d() else "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__packages [[[
+#
+# List of Go packages to install on all hosts in Ansible inventory.
+golang__packages: []
+
+                                                                   # ]]]
+# .. envvar:: golang__group_packages [[[
+#
+# List of Go packages to install on a group of hosts in Ansible inventory.
+golang__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: golang__host_packages [[[
+#
+# List of Go packages to install on specific hosts in Ansible inventory.
+golang__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: golang__dependent_packages [[[
+#
+# List of Go packages to install specified by other Ansible roles.
+golang__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: golang__combined_packages [[[
+#
+# List of Go packages which combines all other lists and is used in the role
+# tasks.
+golang__combined_packages: '{{ golang__default_packages
+                               + golang__dependent_packages
+                               + golang__packages
+                               + golang__group_packages
+                               + golang__host_packages }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: golang__keyring__dependent_gpg_user [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role (all GPG keys should
+# be imported into a specific UNIX account keyring).
+golang__keyring__dependent_gpg_user: '{{ golang__user }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role (list of GPG keys to
+# import to the keyring).
+golang__keyring__dependent_gpg_keys:
+
+  - user:  '{{ golang__user }}'
+    group: '{{ golang__group }}'
+    home:  '{{ golang__home }}'
+    state: '{{ "present"
+               if (q("flattened", golang__combined_packages) | debops.debops.parse_kv_items
+                   | selectattr("gpg", "defined") | selectattr("state", "equalto", "present")
+                   | map(attribute="gpg") | list)
+               else "absent" }}'
+
+  - '{{ q("flattened", golang__combined_packages) | debops.debops.parse_kv_items
+        | selectattr("gpg", "defined") | selectattr("state", "equalto", "present")
+        | map(attribute="gpg") | list }}'
+
+                                                                   # ]]]
+# .. envvar:: golang__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` role.
+golang__apt_preferences__dependent_list:
+
+  - packages: [ 'golang', 'golang-*', 'dh-golang' ]
+    backports: [ 'stretch', 'buster', 'trusty' ]
+    reason: 'Closer feature parity with upstream'
+    by_role: 'debops.golang'
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/golang/meta/main.yml b/ansible_collections/debops/debops/roles/golang/meta/main.yml
new file mode 100644
index 00000000..bd806409
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis, Maciej Delmanowski'
+  description: 'Install Go language support and build Go applications from sources'
+  company: 'DebOps'
+  license: 'GPLv3'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - programming
+    - golang
+    - go
diff --git a/ansible_collections/debops/debops/roles/golang/tasks/golang_build_install.yml b/ansible_collections/debops/debops/roles/golang/tasks/golang_build_install.yml
new file mode 100644
index 00000000..a5371f88
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/tasks/golang_build_install.yml
@@ -0,0 +1,246 @@
+---
+# Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check package availability for {{ build.name }}
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         apt-cache madison \
+           {{ ([build.apt_packages] if build.apt_packages is string else build.apt_packages) | join(' ') }} \
+           | awk '{print $1}' | sort | uniq
+  args:
+    executable: '/bin/bash'
+  register: golang__register_build_apt_packages
+  when: build.apt_packages | d()
+  changed_when: False
+  check_mode: False
+
+- name: Install packages for {{ build.name }}
+  ansible.builtin.package:
+    name: '{{ build.apt_packages }}'
+    state: 'present'
+  register: golang__register_install_apt_packages
+  until: golang__register_install_apt_packages is succeeded
+  when: (not (build.upstream | d()) | bool and
+         (build.apt_packages is defined and
+          (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+           | intersect(golang__register_build_apt_packages.stdout_lines))))
+
+- name: Prepare Go UNIX environment
+  when: ((build.git | d() or build.url | d()) and ((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines))))))
+  block:
+
+    - name: Ensure that the UNIX group for Go environment exists
+      ansible.builtin.group:
+        name: '{{ golang__group }}'
+        state: 'present'
+        system: True
+
+    - name: Ensure that the UNIX account for Go environment exists
+      ansible.builtin.user:
+        name: '{{ golang__user }}'
+        group: '{{ golang__group }}'
+        home: '{{ golang__home }}'
+        comment: '{{ golang__comment }}'
+        shell: '{{ golang__shell }}'
+        state: 'present'
+        system: True
+
+- name: Install required packages for {{ build.name }}
+  ansible.builtin.package:
+    name: '{{ q("flattened", (build.apt_required_packages | d([]))) }}'
+    state: 'present'
+  register: golang__register_install_apt_required_packages
+  until: golang__register_install_apt_required_packages is succeeded
+  when: (build.url | d() and build.upstream_type | d('git') == 'url' and (((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines)))))))
+
+- name: Download Go binaries directly
+  when: (build.url | d() and build.upstream_type | d('git') == 'url' and ((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines))))))
+  become: True
+  become_user: '{{ golang__user }}'
+  block:
+
+    - name: Create the required directories for {{ build.name }}
+      ansible.builtin.file:
+        dest: '{{ (golang__gosrc + "/" + url_item.dest) | dirname }}'
+        state: 'directory'
+        mode: '0755'
+      loop: '{{ build.url }}'
+      loop_control:
+        loop_var: 'url_item'
+
+    - name: Download files for {{ build.name }}
+      ansible.builtin.get_url:
+        url: '{{ url_item.src }}'
+        dest: '{{ golang__gosrc + "/" + url_item.dest }}'
+        checksum: '{{ url_item.checksum | d(omit) }}'
+        mode: '0644'
+      loop: '{{ build.url }}'
+      loop_control:
+        loop_var: 'url_item'
+      register: golang__register_get_url
+      until: golang__register_get_url is succeeded
+
+    - name: Extract archive for {{ build.name }}
+      ansible.builtin.unarchive:
+        src: '{{ golang__gosrc + "/" + url_item.dest }}'
+        dest: '{{ golang__gosrc + "/" + (url_item.unarchive_dest | d(url_item.dest | dirname)) }}'
+        remote_src: True
+        creates: '{{ golang__gosrc + "/" + url_item.unarchive_creates }}'
+        mode: 'u=rwX,g=rwX,o=rX'
+      loop: '{{ build.url }}'
+      loop_control:
+        loop_var: 'url_item'
+      when: (url_item.unarchive | d()) | bool
+
+    - name: Verify files for {{ build.name }}
+      ansible.builtin.command: gpg --verify {{ golang__gosrc + "/" + url_item.dest }}
+      args:
+        chdir: '{{ (golang__gosrc + "/" + url_item.dest) | dirname }}'
+      loop: '{{ build.url }}'
+      loop_control:
+        loop_var: 'url_item'
+      register: golang__register_verify
+      changed_when: False
+      failed_when: golang__register_verify.rc != 0
+      when: (url_item.gpg_verify | d()) | bool
+
+- name: Install binaries for {{ build.name }}
+  ansible.builtin.copy:
+    src: '{{ (""
+              if ((binary_item.src | d(binary_item)).startswith("/"))
+              else (golang__gosrc + "/"))
+             + (binary_item.src | d(binary_item)) }}'
+    dest: '{{ ((binary_item.dest | dirname)
+               if (binary_item.dest | d() and "/" in binary_item.dest)
+               else "/usr/local/bin") + "/"
+              + ((binary_item.dest | d(binary_item.src | d(binary_item))) | basename) }}'
+    remote_src: True
+    mode: '{{ binary_item.mode | d("0755") }}'
+  register: golang__register_download_install
+  notify: '{{ binary_item.notify if binary_item.notify | d() else omit }}'
+  loop: '{{ build.url_binaries | d([]) }}'
+  loop_control:
+    loop_var: 'binary_item'
+  when: (build.url_binaries | d() and build.upstream_type | d('git') == 'url' and ((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines))))))
+
+- name: Install dev packages for {{ build.name }}
+  ansible.builtin.package:
+    name: '{{ q("flattened", (golang__apt_dev_packages + (build.apt_dev_packages | d([])))) }}'
+    state: 'present'
+  register: golang__register_install_apt_dev_packages
+  until: golang__register_install_apt_dev_packages is succeeded
+  when: (build.git | d() and build.upstream_type | d('git') == 'git' and (((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines)))))))
+
+- name: Build Go applications from source
+  when: (build.git | d() and build.upstream_type | d('git') == 'git' and (((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines)))))))
+  become: True
+  become_user: '{{ golang__user }}'
+  block:
+
+    - name: Clone repo for {{ build.name }}
+      ansible.builtin.git:
+        repo: '{{ git_item.repo }}'
+        dest: '{{ golang__gosrc + "/" + (git_item.dest | d(git_item.repo.split("://")[1])) }}'
+        version: '{{ git_item.version | d(git_item.branch | d(omit)) }}'
+        depth: '{{ git_item.depth | d(golang__git_depth | d(omit)) }}'
+        verify_commit: '{{ True if build.gpg | d() else omit }}'
+      loop: '{{ build.git }}'
+      loop_control:
+        loop_var: 'git_item'
+      register: golang__register_build_source
+
+    - name: Build binaries for {{ build.name }}
+      environment:
+        GOPATH: '{{ golang__env_gopath }}'
+        GOCACHE: '{{ golang__env_gocache }}'
+        PATH: '{{ golang__env_path }}'
+      ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+             {{ git_item.build_script }}
+      args:
+        executable: '/bin/bash'
+        chdir: '{{ golang__gosrc + "/" + (git_item.dest | d(git_item.repo.split("://")[1])) }}'
+      loop: '{{ build.git }}'
+      loop_control:
+        loop_var: 'git_item'
+      when: git_item.build_script | d() and
+            golang__register_build_source is changed
+      register: golang__register_build
+      changed_when: golang__register_build.changed | bool
+
+- name: Install binaries for {{ build.name }}
+  ansible.builtin.copy:
+    src: '{{ (""
+              if ((binary_item.src | d(binary_item)).startswith("/"))
+              else (golang__gosrc + "/"))
+             + (binary_item.src | d(binary_item)) }}'
+    dest: '{{ ((binary_item.dest | dirname)
+               if (binary_item.dest | d() and "/" in binary_item.dest)
+               else "/usr/local/bin") + "/"
+              + ((binary_item.dest | d(binary_item.src | d(binary_item))) | basename) }}'
+    remote_src: True
+    mode: '{{ binary_item.mode | d("0755") }}'
+  register: golang__register_build_install
+  notify: '{{ binary_item.notify if binary_item.notify | d() else omit }}'
+  loop: '{{ build.git_binaries | d([]) }}'
+  loop_control:
+    loop_var: 'binary_item'
+  when: (build.git_binaries | d() and build.upstream_type | d('git') == 'git' and ((build.upstream | d()) | bool or
+         (build.apt_packages is undefined or
+          (not (([build.apt_packages] if (build.apt_packages is string) else build.apt_packages)
+                | intersect(golang__register_build_apt_packages.stdout_lines))))))
+
+- name: Create the initial Go binaries database file
+  ansible.builtin.copy:
+    content: |
+      # This is a database of the applications installed by the 'debops.golang'
+      # Ansible role and used by the '/etc/ansible/facts.d/golang.fact' script
+      # to provide paths to the correct binaries.
+    dest: '{{ golang__bin_database }}'
+    mode: '0644'
+    force: False
+  when: build.url_binaries | d() or build.git_binaries | d()
+
+- name: Register binaries for {{ build.name }}
+  ansible.builtin.lineinfile:
+    path: '{{ golang__bin_database }}'
+    regexp: "{{ '^' + (((binary_item.dest | d(binary_item.src | d(binary_item))) | basename)
+                       | regex_replace('-', '\\-')
+                       | regex_replace('\\.', '\\\\.')) + '$' }}"
+    line: '{{ (binary_item.dest | d(binary_item.src | d(binary_item))) | basename }}'
+    state: 'present'
+    mode: '0644'
+  loop: '{{ build.url_binaries | d([]) + build.git_binaries | d([]) }}'
+  loop_control:
+    loop_var: 'binary_item'
+  register: golang__register_build_database
+  when: build.url_binaries | d() or build.git_binaries | d()
+
+  # An exception to the rule. Role needs to refresh facts without executing any
+  # other pending handlers.
+- name: Update Ansible local facts if they were modified
+  ansible.builtin.setup:  # noqa no-handler
+  when: (ansible_local | d() and ansible_local.golang | d() and
+         (ansible_local.golang.configured | d()) | bool and
+         (golang__register_build_database is changed or
+          golang__register_download_install is changed or
+          golang__register_build_install is changed))
diff --git a/ansible_collections/debops/debops/roles/golang/tasks/main.yml b/ansible_collections/debops/debops/roles/golang/tasks/main.yml
new file mode 100644
index 00000000..df3938ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Build and install Go packages
+  ansible.builtin.include_tasks: 'golang_build_install.yml'
+  loop_control:
+    loop_var: 'build'
+  loop: '{{ q("flattened", golang__combined_packages) | debops.debops.parse_kv_items }}'
+  when: build.name | d() and build.state | d('present') not in [ 'absent', 'ignore' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Go local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/golang.fact.j2'
+    dest: '/etc/ansible/facts.d/golang.fact'
+    mode: '0755'
+  register: golang__register_facts
+  tags: [ 'meta::facts' ]
+
+  # An exception to the rule. Role needs to refresh facts without executing any
+  # other pending handlers.
+- name: Update Ansible facts if they were modified
+  ansible.builtin.setup:  # noqa no-handler
+  when: golang__register_facts is changed
diff --git a/ansible_collections/debops/debops/roles/golang/templates/etc/ansible/facts.d/golang.fact.j2 b/ansible_collections/debops/debops/roles/golang/templates/etc/ansible/facts.d/golang.fact.j2
new file mode 100644
index 00000000..2a55dce1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/golang/templates/etc/ansible/facts.d/golang.fact.j2
@@ -0,0 +1,65 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def cmd_abspath(cmd):
+    binaries = (os.path.abspath(os.path.join(path, cmd))
+                for path in os.environ["PATH"].split(os.pathsep))
+    for binary in binaries:
+        if os.access(binary, os.X_OK):
+            return binary
+
+
+bin_database = loads('''{{ golang__bin_database | to_nice_json }}''')
+binaries = {}
+
+output = loads('''{{ {"configured": True,
+                      "gosrc": golang__gosrc
+                     } | to_nice_json }}''')
+
+output['installed'] = cmd_exists('go')
+
+try:
+    output['version'] = subprocess.check_output(
+            ['go', 'version']).decode('utf-8').strip('\n') \
+                                      .split()[2] \
+                                      .lstrip('go')
+
+except Exception:
+    pass
+
+try:
+    with open(bin_database, 'r') as f:
+        for line in f:
+            if line.strip('\n') and not line.startswith('#'):
+                binary = line.strip('\n')
+                if cmd_exists(binary):
+                    binaries[binary] = cmd_abspath(binary)
+
+except Exception:
+    pass
+
+if binaries:
+    output['binaries'] = binaries
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/grub/COPYRIGHT b/ansible_collections/debops/debops/roles/grub/COPYRIGHT
new file mode 100644
index 00000000..cf7a2c2b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.grub - Manage GRUB configuration
+
+Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/grub/defaults/main.yml b/ansible_collections/debops/debops/roles/grub/defaults/main.yml
new file mode 100644
index 00000000..0d091a0a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/defaults/main.yml
@@ -0,0 +1,343 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# .. Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _grub__ref_defaults:
+
+# debops.grub default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# GRUB configuration options [[[
+# ------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/default/grub.d/ansible.cfg` configuration file which is used to
+# generate GRUB configuration in :file:`/boot/grub/grub.cfg`. Option names
+# don't contain the ``GRUB_`` prefix and will be converted to uppercase in the
+# final configuration file.
+#
+# See :ref:`grub__ref_configuration` for more details about the syntax.
+
+# .. envvar:: grub__original_configuration [[[
+#
+# This variable contains original configuration present in the GRUB
+# configuration file on Debian/Ubuntu hosts.
+grub__original_configuration:
+
+  - name: 'default'
+    value: 0
+    quote: False
+
+  - name: 'hidden_timeout'
+    value: 0
+    state: '{{ "present" if (ansible_distribution == "Ubuntu") else "ignore" }}'
+
+  - name: 'hidden_timeout_quiet'
+    value: True
+    state: '{{ "present" if (ansible_distribution == "Ubuntu") else "ignore" }}'
+
+  - name: 'timeout'
+    value: 5
+    quote: False
+
+  - name: 'distributor'
+    value: '`lsb_release -i -s 2> /dev/null || echo Debian`'
+    quote: False
+
+  - name: 'cmdline_linux_default'
+    value: []
+    original: True
+
+  - name: 'cmdline_linux'
+    value: []
+    original: True
+
+  - name: 'badram'
+    comment: |
+      Uncomment to enable BadRAM filtering, modify to suit your needs
+      This works with Linux (no patch required) and with any kernel that obtains
+      the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
+    value: '0x01234567,0xfefefefe,0x89abcdef,0xefefefef'
+    state: 'comment'
+
+  - name: 'terminal'
+    comment: 'Uncomment to disable graphical terminal (grub-pc only)'
+    value: 'console'
+    state: 'comment'
+    quote: False
+
+  - name: 'gfxmode'
+    comment: |
+      The resolution used on graphical terminal
+      note that you can use only modes which your graphic card supports via VBE
+      you can see them in real GRUB with the command `vbeinfo'
+    value: '640x480'
+    state: 'comment'
+    quote: False
+
+  - name: 'disable_linux_uuid'
+    comment: "Uncomment if you don't want GRUB to pass \"root=UUID=xxx\" parameter to Linux"
+    value: True
+    state: 'comment'
+    quote: False
+
+  - name: 'disable_recovery'
+    comment: 'Uncomment to disable generation of recovery mode menu entries'
+    value: True
+    state: 'comment'
+
+  - name: 'init_tune'
+    comment: 'Uncomment to get a beep at grub start'
+    value: '480 440 1'
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: grub__fact_configuration [[[
+#
+# This variable contains configuration based on the Ansible local facts of
+# a given host. This is used to keep the list of kernel parameters idempotent
+# and preserve the original parameters on first run of the role.
+grub__fact_configuration:
+
+  - name: 'default'
+    value: '{{ ansible_local.grub.default | d("0") }}'
+
+  - name: 'cmdline_linux_default'
+    value: '{{ ansible_local.grub.cmdline_default | d([]) }}'
+
+  - name: 'cmdline_linux'
+    value: '{{ ansible_local.grub.cmdline | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: grub__default_configuration [[[
+#
+# This variable contains custom GRUB configuration defined by the role.
+grub__default_configuration:
+
+  # Set the default GRUB timeout depending on the host type (hardware or
+  # virtual machine) to allow for faster booting of VMs
+  - name: 'timeout'
+    value: '{{ grub__timeout_hardware
+               if (ansible_virtualization_role is undefined or
+                   ansible_virtualization_role not in ["guest"])
+               else grub__timeout_virtual }}'
+
+  # Enable support for cgroup memory management, useful for LXC/Docker
+  # containers
+  - name: 'cmdline_linux_default'
+    value:
+      - 'cgroup_enable=memory'
+      - 'swapaccount=1'
+
+  # Disable I/O scheduler in virtual machines for better performance
+  - name: 'cmdline_linux_default'
+    value: [ 'elevator=noop' ]
+    state: '{{ "present" if (ansible_virtualization_role | d() == "guest") else "ignore" }}'
+
+  # Activate GRUB serial console support when requested
+  - name: 'terminal'
+    comment: 'Uncomment to disable graphical terminal (grub-pc only)'
+    value: 'console serial'
+    quote: True
+    state: '{{ "present" if grub__serial_console | bool else "ignore" }}'
+
+  # Specify additional parameters for the 'serial' GRUB command
+  - name: 'serial_command'
+    value: 'serial --unit={{ grub__serial_console_unit }} --speed={{ grub__serial_console_speed }} --word=8 --parity=no --stop=1'
+    state: '{{ "present" if grub__serial_console | bool else "ignore" }}'
+
+  # Configure serial console in Linux kernel when requested. The last device
+  # will be used for /dev/console, which has been set to tty0 (the foreground
+  # virtual console) to enable output to the VGA console as well.
+  - name: 'cmdline_linux_default'
+    value:
+      - '{{ "console=ttyS{},{}n8".format(grub__serial_console_unit, grub__serial_console_speed) }}'
+      - 'console=tty0'
+    state: '{{ "present" if grub__serial_console | bool else "ignore" }}'
+
+  # Activate custom hack for menu entry access restrictions when requested
+  - name: 'linux_menuentry_class_additional'
+    comment: |
+      Needs to be exported until it is patched upstream.
+      FIXME: Remove `export` when patched upstream has reached Debian stable.
+      Currently unlikely because the patch was not accepted upstream.
+    value: '{{ grub__menuentry_access }}'
+    state: '{{ "present"
+               if (grub__combined_users | length > 0 and
+                   grub__menuentry_access is string)
+               else "absent" }}'
+    export: True
+
+                                                                   # ]]]
+# .. envvar:: grub__configuration [[[
+#
+# This variable contains GRUB configuration which should be applied on all
+# hosts in the Ansible inventory.
+grub__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: grub__group_configuration [[[
+#
+# This variable contains GRUB configuration which should be applied on hosts in
+# a specific Ansible inventory group.
+grub__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: grub__host_configuration [[[
+#
+# This variable contains GRUB configuration which should be applied on specific
+# hosts in the Ansible inventory.
+grub__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: grub__dependent_configuration [[[
+#
+# This variable contains GRUB configuration specified by other Ansible roles
+# using role dependent variables.
+grub__dependent_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: grub__combined_configuration [[[
+#
+# This variable combines all of the configuration variables in a specific order
+# which defines the hierarchy. It's used in the final configuration template.
+grub__combined_configuration: '{{ grub__original_configuration
+                                  + grub__fact_configuration
+                                  + grub__default_configuration
+                                  + lookup("flattened",
+                                           grub__dependent_configuration,
+                                           wantlist=True)
+                                  + grub__configuration
+                                  + grub__group_configuration
+                                  + grub__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Serial console configuration [[[
+# --------------------------------
+
+# .. envvar:: grub__serial_console [[[
+#
+# Enable serial console (in both grub and kernel)
+grub__serial_console: True
+
+                                                                   # ]]]
+# .. envvar:: grub__serial_console_unit [[[
+#
+# Serial port to enable console on (eg. ttyS0 => 0, ttyS1 => 1)
+grub__serial_console_unit: 0
+
+                                                                   # ]]]
+# .. envvar:: grub__serial_console_speed [[[
+#
+# Speed of the serial port.
+# Other parameters (8 bits, no parity, 1 stop bit are hardcoded)
+grub__serial_console_speed: 115200
+                                                                   # ]]]
+                                                                   # ]]]
+# Timeouts [[[
+# ------------
+
+# .. envvar:: grub__timeout_hardware [[[
+#
+# GRUB timeout for hardware-based devices.
+grub__timeout_hardware: 5
+
+                                                                   # ]]]
+# .. envvar:: grub__timeout_virtual [[[
+#
+# GRUB timeout for virtual devices.
+grub__timeout_virtual: 1
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Security and users [[[
+# ----------------------
+
+# .. envvar:: grub__users [[[
+#
+# Global list of GRUB users.
+grub__users: []
+
+                                                                   # ]]]
+# .. envvar:: grub__group_users [[[
+#
+# Host group list of GRUB users.
+grub__group_users: []
+
+                                                                   # ]]]
+# .. envvar:: grub__host_users [[[
+#
+# Host list of GRUB users.
+grub__host_users: []
+
+                                                                   # ]]]
+# .. envvar:: grub__combined_users [[[
+#
+# Combined list as it is used internally by the role list of GRUB users.
+# If this list is empty no users will created and thus leaving GRUB without
+# password protection.
+grub__combined_users: '{{ grub__users + grub__group_users + grub__host_users }}'
+
+                                                                   # ]]]
+# .. envvar:: grub__menuentry_access [[[
+#
+# This option only takes effect when there is at least one user defined.
+#
+# Default access level for all menu entries generated by
+# :file:`/etc/grub.d/10_linux` (which are the Linux images in your :file:`/boot`
+# directory).
+#
+# It defaults to '--unrestricted' which allows to boot those menu entries
+# without the need for authentication by entering a password.
+# Editing or a recovery shell still require authentication.
+#
+# Another option is '--users '$username1 $username2' to only allow those users
+# to boot the entry.
+#
+# Using an empty string will result in the need to authenticate also for booting
+# those entries.
+grub__menuentry_access: '--unrestricted'
+
+                                                                   # ]]]
+# .. envvar:: grub__iter_time [[[
+#
+# Number of PBKDF2 iterations.
+# Corresponds with the ``--iteration-count`` parameter.
+#
+# The current default of :command:`grub-mkpasswd-pbkdf2` is ``10000`` iterations.
+# Set to ``default`` to use the compiled-in default of :command:`grub-mkpasswd-pbkdf2`.
+grub__iter_time: 'default'
+
+                                                                   # ]]]
+# .. envvar:: grub__salt_length [[[
+#
+# Length of the Salt in characters. One unique salt will be generated for each host.
+# Corresponds with the ``--salt`` parameter.
+#
+# The current default of :command:`grub-mkpasswd-pbkdf2` is ``64`` characters.
+# Set to ``default`` to use the compiled-in default of :command:`grub-mkpasswd-pbkdf2`.
+grub__salt_length: 'default'
+
+                                                                   # ]]]
+# .. envvar:: grub__hash_length [[[
+#
+# Length of generated hash in characters.
+# Corresponds with the ``--buflen`` parameter.
+#
+# The current default of :command:`grub-mkpasswd-pbkdf2` is ``64`` characters.
+# Set to ``default`` to use the compiled-in default of :command:`grub-mkpasswd-pbkdf2`.
+grub__hash_length: 'default'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/grub/meta/main.yml b/ansible_collections/debops/debops/roles/grub/meta/main.yml
new file mode 100644
index 00000000..6cb91335
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Patryk Sciborek, Robin Schneider'
+  description: 'Manage GRUB configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - boot
+    - bootloader
diff --git a/ansible_collections/debops/debops/roles/grub/tasks/main.yml b/ansible_collections/debops/debops/roles/grub/tasks/main.yml
new file mode 100644
index 00000000..e89bdae4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/tasks/main.yml
@@ -0,0 +1,197 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Create /etc/default/grub.d directory
+  ansible.builtin.file:
+    path: '/etc/default/grub.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Generate GRUB configuration file
+  ansible.builtin.template:
+    src: 'etc/default/grub.d/ansible.cfg.j2'
+    dest: '/etc/default/grub.d/ansible.cfg'
+    owner:  'root'
+    group:  'root'
+    mode:   '0644'
+  notify: [ 'Update GRUB' ]
+
+# Security and users [[[
+
+- name: Ensure secrets directories exist
+  ansible.builtin.file:
+    path: '{{ secret + "/credentials/" + inventory_hostname + "/grub/" + item.name }}'
+    state: 'directory'
+    mode: '0750'
+  with_items: '{{ grub__combined_users }}'
+  become: False
+  delegate_to: 'localhost'
+  when: item.name | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save plaintext password in secrets
+  ansible.builtin.copy:
+    content: "{{ item.password + '\n' }}"
+    dest: '{{ secret + "/credentials/" + inventory_hostname + "/grub/" + item.name + "/password" }}'
+    mode: '0640'
+  with_items: '{{ grub__combined_users }}'
+  register: grub__register_pw_plain
+  become: False
+  delegate_to: 'localhost'
+  when: item.name | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save temporary grub-mkpasswd formatted password in secrets
+  ansible.builtin.template:
+    src: 'secret/credentials/inventory_hostname/grub/user_name/password_mkpasswd.j2'
+    dest: '{{ secret + "/credentials/" + inventory_hostname + "/grub/" + item.0.name + "/password_mkpasswd" }}'
+    mode: '0640'
+  with_together:
+    - '{{ grub__combined_users }}'
+    - '{{ grub__register_pw_plain.results | d({}) }}'
+  become: False
+  delegate_to: 'localhost'
+  when: (item.0.name | d() and item.1 is changed)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+## There seems to be no way to specify the salt (except using a custom script).
+## Only generating the hashed password when the plaintext password has changed
+## is the workaround to make it idempotent.
+## This is not too bad because depending on the iteration count chosen this operation could take a while ;)
+- name: Generate salted hash from user password
+  environment:
+    GRUB_PLAINTEXT_PASSWORD: '{{ item.0.password }}'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         cat '{{ (secret + "/credentials/" + inventory_hostname + "/grub/" + item.0.name + "/password_mkpasswd") | quote }}'
+         | LANG=C LC_ALL=C grub-mkpasswd-pbkdf2
+         {{ "" if grub__iter_time | d() == "default" else ("--iteration-count=" + grub__iter_time) }}
+         {{ "" if grub__salt_length | d() == "default" else ("--salt=" + grub__salt_length) }}
+         {{ "" if grub__hash_length | d() == "default" else ("--buflen=" + grub__hash_length) }}
+         | perl -ne 's/^(:?Your PBKDF2|PBKDF2 hash of your password) is //ms && print'
+  args:  # noqa no-handler
+    executable: 'bash'
+  with_together:
+    - '{{ grub__combined_users }}'
+    - '{{ grub__register_pw_plain.results | d({}) }}'
+  register: grub__register_pw_hashes
+  become: False
+  delegate_to: 'localhost'
+  changed_when: False
+  when: (item.0.name | d() and item.1 is changed)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove temporary grub-mkpassword formatted password
+  ansible.builtin.file:
+    path: '{{ secret + "/credentials/" + inventory_hostname + "/grub/" + item.0.name + "/password_mkpasswd" }}'
+    state: 'absent'
+  with_together:
+    - '{{ grub__combined_users }}'
+    - '{{ grub__register_pw_plain.results | d({}) }}'
+  become: False
+  delegate_to: 'localhost'
+  when: (item.0.name | d() and item.1 is changed)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save hashed password in secrets
+  ansible.builtin.copy:
+    content: "{{ item.1.stdout_lines.0 + '\n' }}"
+    dest: '{{ secret + "/credentials/" + inventory_hostname + "/grub/" + item.0.name + "/password_hash" }}'
+    mode: '0640'
+  with_together:
+    - '{{ grub__combined_users }}'
+    - '{{ grub__register_pw_hashes.results | d({}) }}'
+  become: False
+  delegate_to: 'localhost'
+  when: (item.1 is not skipped)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Configure users and passwords
+  ansible.builtin.template:
+    src: 'etc/grub.d/01_users.j2'
+    dest: '/etc/grub.d/01_users'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (not ansible_check_mode and grub__combined_users | length > 0)
+  notify: [ 'Update GRUB' ]
+
+- name: Remove users and passwords
+  ansible.builtin.file:
+    path: '/etc/grub.d/01_users'
+    state: 'absent'
+  when: (grub__combined_users | length == 0)
+  notify: [ 'Update GRUB' ]
+
+## FIXME: Remove when patched upstream has reached Debian stable.
+## Currently unlikely because the patch was not accepted upstream.
+## It has been decided to not divert this script because there is a chance that
+## security fixes could affect this file.
+- name: Add/remove diversion of /etc/grub.d/10_linux
+  debops.debops.dpkg_divert:
+    path: '/etc/grub.d/10_linux'
+    state: '{{ "present" if grub__combined_users | length > 0 else "absent" }}'
+    delete: True
+  notify: [ 'Update GRUB' ]
+
+- name: Copy /etc/grub.d/10_linux.dpkg-divert to its original location
+  ansible.builtin.copy:
+    src: '/etc/grub.d/10_linux.dpkg-divert'
+    dest: '/etc/grub.d/10_linux'
+    remote_src: True
+    force: False
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (grub__combined_users | length > 0)
+
+- name: Allow configuration of the default menu entry parameters
+  ansible.builtin.replace:
+    dest: '/etc/grub.d/10_linux'
+    regexp: "^CLASS=(?:\\$\\{[A-Z_]+:-)?([\"'][\\w _-]+)([\"'])\\}?"
+    replace: 'CLASS=${GRUB_LINUX_MENUENTRY_CLASS:-\1 ${GRUB_LINUX_MENUENTRY_CLASS_ADDITIONAL:-}\2}'
+    mode: '0755'
+  notify: [ 'Update GRUB' ]
+  when: (grub__combined_users | length > 0)
+
+# ]]]
+
+- name: Make sure that local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save local GRUB facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/grub.fact.j2'
+    dest: '/etc/ansible/facts.d/grub.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/grub/templates/etc/ansible/facts.d/grub.fact.j2 b/ansible_collections/debops/debops/roles/grub/templates/etc/ansible/facts.d/grub.fact.j2
new file mode 100644
index 00000000..e86d1bfc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/templates/etc/ansible/facts.d/grub.fact.j2
@@ -0,0 +1,61 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+try:
+    from subprocess import DEVNULL
+except ImportError:
+    DEVNULL = open(os.devnull, 'wb')
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+grub_conf = '/etc/default/grub.d/ansible.cfg'
+
+output = {'installed': cmd_exists('update-grub'),
+          'configured': True}
+
+if os.path.exists(grub_conf) and os.path.isfile(grub_conf):
+    try:
+        with open(grub_conf, 'r') as f:
+            for line in f:
+                if not line.startswith('#') and '=' in line:
+                    line = line.strip().split('=', 1)
+
+                    if line[0].lower() == 'grub_cmdline_linux_default':
+                        value = line[1].strip('"').split()
+                        if ('$' + line[0].upper()) in value:
+                            value.remove('$' + line[0].upper())
+                        output['cmdline_default'] = value
+
+                    elif line[0].lower() == 'grub_cmdline_linux':
+                        value = line[1].strip('"').split()
+                        if ('$' + line[0].upper()) in value:
+                            value.remove('$' + line[0].upper())
+                        output['cmdline'] = value
+
+                    elif line[0].lower() == 'grub_default':
+                        output['default'] = line[1].strip('"')
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/grub/templates/etc/default/grub.d/ansible.cfg.j2 b/ansible_collections/debops/debops/roles/grub/templates/etc/default/grub.d/ansible.cfg.j2
new file mode 100644
index 00000000..eed1e174
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/templates/etc/default/grub.d/ansible.cfg.j2
@@ -0,0 +1,49 @@
+{# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+ # Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# If you change this file, run 'update-grub' afterwards to update
+# /boot/grub/grub.cfg.
+# For full documentation of the options in this file, see:
+#   info -f grub -n 'Simple configuration'
+
+{% for element in grub__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     set element_comment = ('#' if element.state | d('present') == 'comment' else '') %}
+{%     set element_export = ('export ' if (element.export | d(False)) | bool else '') %}
+{%     set element_quote = ('"' if (element.quote | d(True)) | bool else '') %}
+{%     set element_name = ('grub_' + (element.name | lower | regex_replace('^grub_',''))) | upper %}
+{%     set element_original = ((('$grub_' + (element.name | lower | regex_replace('^grub_','')) + ' ') | upper) if (element.original | d()) | bool else '')  %}
+{%     set element_value = element.value | d('') %}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='\n', postfix='') -}}
+{%     endif %}
+{%     if element_value is string %}
+{{ '{}{}{}={}{}{}{}'.format(element_comment, element_export, element_name, element_quote, element_original, element_value, element_quote) }}
+{%     elif element_value | bool and element_value is not iterable %}
+{%       if element_value | string == '1' %}
+{{ '{}{}{}={}{}{}{}'.format(element_comment, element_export, element_name, element_quote, element_original, element_value, element_quote) }}
+{%       else %}
+{{ '{}{}{}={}{}{}'.format(element_comment, element_export, element_name, element_quote, 'true', element_quote) }}
+{%       endif %}
+{%     elif not element_value | bool and element_value is not iterable %}
+{%       if element_value is not none %}
+{%         if element_value | int %}
+{{ '{}{}{}={}{}{}{}'.format(element_comment, element_export, element_name, element_quote, element_original, element_value, element_quote) }}
+{%         else %}
+{%           if element_value | string == '0' %}
+{{ '{}{}{}={}{}{}{}'.format(element_comment, element_export, element_name, element_quote, element_original, element_value, element_quote) }}
+{%           else %}
+{{ '{}{}{}={}{}{}'.format(element_comment, element_export, element_name, element_quote, 'false', element_quote) }}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     elif element_value is iterable and element_value is not string and element_value is not mapping %}
+{{ '{}{}{}={}{}{}{}'.format(element_comment, element_export, element_name, element_quote, element_original, element_value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' '), element_quote) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/grub/templates/etc/grub.d/01_users.j2 b/ansible_collections/debops/debops/roles/grub/templates/etc/grub.d/01_users.j2
new file mode 100644
index 00000000..0dbd33f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/templates/etc/grub.d/01_users.j2
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+## {{ ansible_managed }}
+cat <<EOF
+{% set superusers = grub__combined_users|rejectattr("superuser", "none") | map(attribute = 'name') | join(' ') %}
+{% if superusers | length == 0 %}
+## No users have been defined.
+{% else %}
+set superusers="{{ superusers }}"
+{%   for item in grub__combined_users %}
+password_pbkdf2 {{ item.name }} {{ lookup('file', secret + "/credentials/" + inventory_hostname + "/grub/" + item.name + "/password_hash") }}
+{%   endfor %}
+## Workaround for https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/718670
+export superusers
+{% endif %}
+EOF
diff --git a/ansible_collections/debops/debops/roles/grub/templates/secret/credentials/inventory_hostname/grub/user_name/password_mkpasswd.j2 b/ansible_collections/debops/debops/roles/grub/templates/secret/credentials/inventory_hostname/grub/user_name/password_mkpasswd.j2
new file mode 100644
index 00000000..0db21e1c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/grub/templates/secret/credentials/inventory_hostname/grub/user_name/password_mkpasswd.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ item.0.password }}
+{{ item.0.password }}
diff --git a/ansible_collections/debops/debops/roles/gunicorn/COPYRIGHT b/ansible_collections/debops/debops/roles/gunicorn/COPYRIGHT
new file mode 100644
index 00000000..b13b0fee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.gunicorn - Manage Gunicorn using Debian packages via Ansible
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/gunicorn/defaults/main.yml b/ansible_collections/debops/debops/roles/gunicorn/defaults/main.yml
new file mode 100644
index 00000000..ce89cf51
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/defaults/main.yml
@@ -0,0 +1,121 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _gunicorn__ref_defaults:
+
+# debops.gunicorn default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Default configuration [[[
+# -------------------------
+
+# .. envvar:: gunicorn__binary [[[
+#
+# The default binary to start the service. Set to "gunicorn3" for Python 3
+# applications.
+# This may be defined per application as well.
+gunicorn__binary: '{{ "gunicorn3"
+                      if (ansible_local | d() and ansible_local.python | d() and
+                          (ansible_local.python.installed3 | d()) | bool)
+                      else "gunicorn" }}'
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__workers [[[
+#
+# The default number of worker threads used by Green Unicorn applications if
+# not specified otherwise.
+gunicorn__workers: '{{ ansible_processor_vcpus | int + 1 }}'
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__user [[[
+#
+# The default UNIX account used by the Green Unicorn process if it's not
+# specified in the configuration.
+gunicorn__user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__group [[[
+#
+# The default UNIX group used by the Green Unicorn process if it's not
+# specified in the configuration.
+gunicorn__group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__systemd_timeout [[[
+#
+# Define the default timeout in :command:`systemd` for Green Unicorn services.
+gunicorn__systemd_timeout: '90'
+                                                                   # ]]]
+                                                                   # ]]]
+# Managed applications [[[
+# ------------------------
+
+# .. envvar:: gunicorn__applications [[[
+#
+# List of WSGI applications which are managed by the role, defined in the
+# Ansible inventory. See :ref:`gunicorn__ref_applications` for more details.
+gunicorn__applications: []
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__dependent_applications [[[
+#
+# List of WSGI applications which are managed by the role, defined by other
+# Ansible roles using dependent variables.
+# See :ref:`gunicorn__ref_applications` for more details.
+gunicorn__dependent_applications: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: gunicorn__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+gunicorn__logrotate__dependent_config:
+
+  - filename: 'gunicorn'
+    logs: [ '/var/log/gunicorn/*.log' ]
+    divert: True
+    options: |
+      rotate 4
+      compress
+      delaycompress
+      missingok
+      notifempty
+      weekly
+      sharedscripts
+      su {{ gunicorn__user }} {{ gunicorn__group }}
+    postrotate: |
+      invoke-rc.d --quiet gunicorn reload >/dev/null
+    comment: 'Log rotation for Green Unicorn logs'
+                                                                   # ]]]
+# .. envvar:: gunicorn__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+gunicorn__python__dependent_packages3:
+
+  - 'gunicorn3'
+  - 'python3-setproctitle'
+
+                                                                   # ]]]
+# .. envvar:: gunicorn__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+gunicorn__python__dependent_packages2:
+
+  - 'gunicorn'
+  - 'python-setproctitle'
+
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/gunicorn/files/script/start-gunicorn-instances b/ansible_collections/debops/debops/roles/gunicorn/files/script/start-gunicorn-instances
new file mode 100755
index 00000000..01310b3a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/files/script/start-gunicorn-instances
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Start all enabled and inactive Green Unicorn systemd instances
+# This script is executed by the role handler at the end of the playbook run
+
+
+set -o nounset -o pipefail -o errexit
+
+for instance in $(systemctl list-units -t service --full --all 'gunicorn@*.service' | cut -d' ' -f1 | grep -E '^gunicorn\@.*\.service') ; do
+    if [ "$(systemctl is-enabled "${instance}")" == "enabled" ] && [ "$(systemctl is-active "${instance}")" != "active" ] ; then
+        systemctl start "${instance}"
+    fi
+done
diff --git a/ansible_collections/debops/debops/roles/gunicorn/handlers/main.yml b/ansible_collections/debops/debops/roles/gunicorn/handlers/main.yml
new file mode 100644
index 00000000..b38357ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# A separate handler is needed to ensure the correct order of execution
+- name: Reload systemd daemon (gunicorn)
+  ansible.builtin.systemd:
+    daemon_reload: True
+  when: ansible_service_mgr == 'systemd'
+
+- name: Restart gunicorn
+  ansible.builtin.service:
+    name: 'gunicorn'
+    state: 'restarted'
+
+- name: Start Green Unicorn instances
+  ansible.builtin.script: 'script/start-gunicorn-instances'
diff --git a/ansible_collections/debops/debops/roles/gunicorn/meta/main.yml b/ansible_collections/debops/debops/roles/gunicorn/meta/main.yml
new file mode 100644
index 00000000..12b00996
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Gunicorn Debian service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - webserver
+    - python
+    - django
+    - wsgi
diff --git a/ansible_collections/debops/debops/roles/gunicorn/tasks/main.yml b/ansible_collections/debops/debops/roles/gunicorn/tasks/main.yml
new file mode 100644
index 00000000..832ee80f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure Green Unicorn on older OS releases
+  ansible.builtin.include_tasks: 'older_releases.yml'
+  when: ansible_distribution_release in
+        [ 'trusty', 'xenial' ]
+
+- name: Configure Green Unicorn on newer OS releases
+  ansible.builtin.include_tasks: 'newer_releases.yml'
+  when: ansible_distribution_release not in
+        [ 'trusty', 'xenial' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save gunicorn local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/gunicorn.fact.j2'
+    dest: '/etc/ansible/facts.d/gunicorn.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/gunicorn/tasks/newer_releases.yml b/ansible_collections/debops/debops/roles/gunicorn/tasks/newer_releases.yml
new file mode 100644
index 00000000..91dae7a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/tasks/newer_releases.yml
@@ -0,0 +1,153 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure that configuration directory exists
+  ansible.builtin.file:
+    path:  '/etc/gunicorn'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode:  '0755'
+
+- name: Ensure that required groups exist
+  ansible.builtin.group:
+    name: '{{ item.group }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') != 'absent' and
+        item.group | d()
+
+- name: Ensure that required users exist
+  ansible.builtin.user:
+    name: '{{ item.user }}'
+    group: '{{ item.group | d(omit) }}'
+    home: '{{ item.home }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') != 'absent' and
+        item.user | d() and item.home | d()
+
+- name: Create log directories
+  ansible.builtin.file:
+    path: '/var/log/gunicorn/{{ item.name }}'
+    state: 'directory'
+    owner: '{{ item.user | d(gunicorn__user) }}'
+    group: '{{ item.group | d(gunicorn__group) }}'
+    mode: '0775'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Create logrotate configs
+  ansible.builtin.template:
+    src: 'etc/logrotate.d/gunicorn.j2'
+    dest: '/etc/logrotate.d/gunicorn-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Check if systemd instances for Green Unicorn are configured
+  ansible.builtin.stat:
+    path: '/etc/systemd/system/gunicorn@.service'
+  register: gunicorn__register_systemd_templated
+
+- name: Stop and disable Green Unicorn instances if requested
+  ansible.builtin.systemd:
+    name: 'gunicorn@{{ item.name }}.service'
+    state: 'stopped'
+    enabled: False
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  notify: [ 'Reload systemd daemon (gunicorn)' ]
+  when: ansible_service_mgr == 'systemd' and
+        gunicorn__register_systemd_templated.stat | d() and
+        gunicorn__register_systemd_templated.stat.exists | bool and
+        item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate systemd configuration files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/{{ item }}.j2'
+    dest: '/etc/systemd/system/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'gunicorn.service', 'gunicorn@.service' ]
+  notify: [ 'Reload systemd daemon (gunicorn)' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Remove per-instance systemd configuration
+  ansible.builtin.file:
+    path: '/etc/systemd/system/gunicorn@{{ item.name }}.service.d'
+    state: 'absent'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  notify: [ 'Reload systemd daemon (gunicorn)' ]
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') == 'absent'
+
+- name: Create per-instance systemd directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/gunicorn@{{ item.name }}.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') != 'absent'
+
+- name: Generate per-instance systemd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/system/gunicorn@application.service.d/instance.conf.j2'
+    dest: '/etc/systemd/system/gunicorn@{{ item.name }}.service.d/instance.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  notify: [ 'Reload systemd daemon (gunicorn)', 'Start Green Unicorn instances' ]
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') != 'absent'
+
+- name: Remove Unicorn instance configuration
+  ansible.builtin.file:
+    path: '/etc/gunicorn/{{ item.name }}.conf.py'
+    state: 'absent'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate Unicorn instance configuration
+  ansible.builtin.template:
+    src: 'etc/gunicorn/application.conf.py.j2'
+    dest: '/etc/gunicorn/{{ item.name }}.conf.py'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Start Green Unicorn instances' ]
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Reload systemd configuration
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Enable Unicorn instances in systemd
+  ansible.builtin.systemd:
+    name: 'gunicorn@{{ item.name }}.service'
+    enabled: True
+  notify: [ 'Start Green Unicorn instances' ]
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') != 'absent'
diff --git a/ansible_collections/debops/debops/roles/gunicorn/tasks/older_releases.yml b/ansible_collections/debops/debops/roles/gunicorn/tasks/older_releases.yml
new file mode 100644
index 00000000..0cf00aa4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/tasks/older_releases.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Make sure /etc/gunicorn.d/ directory exists
+  ansible.builtin.file:
+    path: '/etc/gunicorn.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Remove gunicorn configuration
+  ansible.builtin.file:
+    path: '/etc/gunicorn.d/{{ item.name }}'
+    state: 'absent'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  notify: [ 'Restart gunicorn' ]
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate gunicorn configuration
+  ansible.builtin.template:
+    src: 'etc/gunicorn.d/application.j2'
+    dest: '/etc/gunicorn.d/{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", gunicorn__applications
+                           + gunicorn__dependent_applications) }}'
+  notify: [ 'Restart gunicorn' ]
+  when: item.name | d() and item.state | d('present') != 'absent'
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/ansible/facts.d/gunicorn.fact.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/ansible/facts.d/gunicorn.fact.j2
new file mode 100644
index 00000000..38782734
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/ansible/facts.d/gunicorn.fact.j2
@@ -0,0 +1,40 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+from subprocess import Popen, PIPE
+import os
+
+output = {"installed": True}
+
+gunicorn_bin = "/usr/bin/{{ gunicorn__binary }}"
+
+try:
+    if os.path.isfile(gunicorn_bin) and os.access(gunicorn_bin, os.X_OK):
+        process = Popen([gunicorn_bin, '--version'], stdout=PIPE, stderr=PIPE)
+        stdout, stderr = process.communicate()
+
+        # Py2 gunicorn
+        version = stderr
+        # Py3 gunicorn
+        if len(stdout) > 0:
+            version = stdout
+
+        output.update({"version": version.decode('utf-8')
+                                         .split()[2].replace(')', '')})
+
+    else:
+        output.update({"installed": False})
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn.d/application.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn.d/application.j2
new file mode 100644
index 00000000..534db654
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn.d/application.j2
@@ -0,0 +1,33 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% macro print_config(config) %}
+{%   for key, value in config.items() %}
+{%     if key not in [ 'name', 'comment', 'state', 'home', 'system' ] %}
+{%       if value is string %}
+'{{ key }}': '{{ value }}',
+{%       elif value is mapping %}
+'{{ key }}': {
+{%         for v_key, v_value in value.items() %}
+    '{{ v_key }}': '{{ v_value }}',
+{%         endfor %}
+},
+{%       elif value is not string and value is not mapping %}
+'{{ key }}': (
+{%       for element in value %}
+    '{{ element }}',
+{%       endfor %}
+),
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+
+{% if item.comment | d() %}
+{{ (item.comment if item.comment is string else item.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+CONFIG = {
+{{ print_config(item) | indent(4, true) }}
+}
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn/application.conf.py.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn/application.conf.py.j2
new file mode 100644
index 00000000..016f2fc2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/gunicorn/application.conf.py.j2
@@ -0,0 +1,222 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# -*- coding: utf-8 -*-
+
+{% set gunicorn__tpl_run_path = (item.run_path if (item.run_path is defined and item.run_path != omit) else '/run') %}
+#
+# Server socket
+#
+#   bind - The socket to bind.
+#
+#       A string of the form: 'HOST', 'HOST:PORT', 'unix:PATH'.
+#       An IP is a valid HOST.
+#
+#   backlog - The number of pending connections. This refers
+#       to the number of clients that can be waiting to be
+#       served. Exceeding this number results in the client
+#       getting an error when attempting to connect. It should
+#       only affect servers under significant load.
+#
+#       Must be a positive integer. Generally set in the 64-2048
+#       range.
+#
+
+bind = '{{ item.bind | d("unix:" + gunicorn__tpl_run_path + "/gunicorn-" + item.name + "/" + item.name + ".sock") }}'
+backlog = {{ item.backlog | d('2048') }}
+
+#
+# Worker processes
+#
+#   workers - The number of worker processes that this server
+#       should keep alive for handling requests.
+#
+#       A positive integer generally in the 2-4 x $(NUM_CORES)
+#       range. You'll want to vary this a bit to find the best
+#       for your particular application's work load.
+#
+#   worker_class - The type of workers to use. The default
+#       sync class should handle most 'normal' types of work
+#       loads. You'll want to read
+#       http://docs.gunicorn.org/en/latest/design.html#choosing-a-worker-type
+#       for information on when you might want to choose one
+#       of the other worker classes.
+#
+#       An string referring to a 'gunicorn.workers' entry point
+#       or a python path to a subclass of
+#       gunicorn.workers.base.Worker. The default provided values
+#       are:
+#
+#           egg:gunicorn#sync
+#           egg:gunicorn#eventlet   - Requires eventlet >= 0.9.7
+#           egg:gunicorn#gevent     - Requires gevent >= 0.12.2 (?)
+#           egg:gunicorn#tornado    - Requires tornado >= 0.2
+#
+#   worker_connections - For the eventlet and gevent worker classes
+#       this limits the maximum number of simultaneous clients that
+#       a single process can handle.
+#
+#       A positive integer generally set to around 1000.
+#
+#   timeout - If a worker does not notify the master process in this
+#       number of seconds it is killed and a new worker is spawned
+#       to replace it.
+#
+#       Generally set to thirty seconds. Only set this noticeably
+#       higher if you're sure of the repercussions for sync workers.
+#       For the non sync workers it just means that the worker
+#       process is still communicating and is not tied to the length
+#       of time required to handle a single request.
+#
+#   keepalive - The number of seconds to wait for the next request
+#       on a Keep-Alive HTTP connection.
+#
+#       A positive integer. Generally set in the 1-5 seconds range.
+#
+
+workers = {{ item.workers | d(gunicorn__workers) }}
+worker_class = '{{ item.worker_class | d("sync") }}'
+worker_connections = {{ item.worker_connections | d('1000') }}
+timeout = {{ item.timeout | d('30') }}
+keepalive = {{ item.keepalive | d('2') }}
+
+#
+#   spew - Install a trace function that spews every line of Python
+#       that is executed when running the server. This is the
+#       nuclear option.
+#
+#       True or False
+#
+
+spew = {{ (item.spew | d(False)) | bool }}
+
+#
+# Server mechanics
+#
+#   daemon - Detach the main Gunicorn process from the controlling
+#       terminal with a standard fork/fork sequence.
+#
+#       True or False
+#
+#   pidfile - The path to a pid file to write
+#
+#       A path string or None to not write a pid file.
+#
+#   user - Switch worker processes to run as this user.
+#
+#       A valid user id (as an integer) or the name of a user that
+#       can be retrieved with a call to pwd.getpwnam(value) or None
+#       to not change the worker process user.
+#
+#   group - Switch worker process to run as this group.
+#
+#       A valid group id (as an integer) or the name of a user that
+#       can be retrieved with a call to pwd.getgrnam(value) or None
+#       to change the worker processes group.
+#
+#   umask - A mask for file permissions written by Gunicorn. Note that
+#       this affects unix socket permissions.
+#
+#       A valid value for the os.umask(mode) call or a string
+#       compatible with int(value, 0) (0 means Python guesses
+#       the base, so values like "0", "0xFF", "0022" are valid
+#       for decimal, hex, and octal representations)
+#
+#   tmp_upload_dir - A directory to store temporary request data when
+#       requests are read. This will most likely be disappearing soon.
+#
+#       A path to a directory where the process owner can write. Or
+#       None to signal that Python should choose one on its own.
+#
+
+daemon = {{ (item.daemon | d(False)) | bool }}
+pidfile = '{{ item.pidfile | d(gunicorn__tpl_run_path + "/gunicorn-" + item.name + "/" + item.name + ".pid") }}'
+umask = {{ item.umask | d('0') }}
+user = '{{ item.user if (item.user is defined and item.user != omit) else gunicorn__user }}'
+group = '{{ item.group if (item.group is defined and item.group != omit) else gunicorn__group }}'
+tmp_upload_dir = {{ ("'" + item.tmp_upload_dir + "'") if item.tmp_upload_dir | d() else 'None' }}
+
+#
+#   Logging
+#
+#   logfile - The path to a log file to write to.
+#
+#       A path string. "-" means log to stdout.
+#
+#   loglevel - The granularity of log output
+#
+#       A string of "debug", "info", "warning", "error", "critical"
+#
+
+accesslog = '{{ item.accesslog | d("/var/log/gunicorn/" + item.name + "/" + item.name + "_access.log") }}'
+errorlog = '{{ item.errorlog | d("/var/log/gunicorn/" + item.name + "/" + item.name + "_error.log") }}'
+loglevel = '{{ item.loglevel | d("info") }}'
+{% set gunicorn__tpl_remote_host_header = item.remote_host_header | d('X-Real-IP') %}
+access_log_format = '%({{ "{" + gunicorn__tpl_remote_host_header + "}" }}i)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
+
+#
+# Process naming
+#
+#   proc_name - A base to use with setproctitle to change the way
+#       that Gunicorn processes are reported in the system process
+#       table. This affects things like 'ps' and 'top'. If you're
+#       going to be running more than one instance of Gunicorn you'll
+#       probably want to set a name to tell them apart. This requires
+#       that you install the setproctitle module.
+#
+#       A string or None to choose a default of something like 'gunicorn'.
+#
+
+proc_name = {{ ("'" + item.proc_name + "'") if item.proc_name | d() else 'None' }}
+
+#
+# Server hooks
+#
+#   post_fork - Called just after a worker has been forked.
+#
+#       A callable that takes a server and worker instance
+#       as arguments.
+#
+#   pre_fork - Called just prior to forking the worker subprocess.
+#
+#       A callable that accepts the same arguments as after_fork
+#
+#   pre_exec - Called just prior to forking off a secondary
+#       master process during things like config reloading.
+#
+#       A callable that takes a server instance as the sole argument.
+#
+
+def post_fork(server, worker):
+    server.log.info("Worker spawned (pid: %s)", worker.pid)
+
+def pre_fork(server, worker):
+    pass
+
+def pre_exec(server):
+    server.log.info("Forked child, re-executing.")
+
+def when_ready(server):
+    server.log.info("Server is ready. Spawning workers")
+
+def worker_int(worker):
+    worker.log.info("worker received INT or QUIT signal")
+
+    ## get traceback info
+    import threading, sys, traceback
+    id2name = dict([(th.ident, th.name) for th in threading.enumerate()])
+    code = []
+    for threadId, stack in sys._current_frames().items():
+        code.append("\n# Thread: %s(%d)" % (id2name.get(threadId,""),
+            threadId))
+        for filename, lineno, name, line in traceback.extract_stack(stack):
+            code.append('File: "%s", line %d, in %s' % (filename,
+                lineno, name))
+            if line:
+                code.append("  %s" % (line.strip()))
+    worker.log.debug("\n".join(code))
+
+def worker_abort(worker):
+    worker.log.info("worker received SIGABRT signal")
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/logrotate.d/gunicorn.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/logrotate.d/gunicorn.j2
new file mode 100644
index 00000000..eb5bcf3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/logrotate.d/gunicorn.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Log rotation for Green Unicorn logs
+/var/log/gunicorn/{{ item.name }}/*.log {
+    rotate 4
+    compress
+    delaycompress
+    missingok
+    notifempty
+    weekly
+    sharedscripts
+    su {{ item.user if (item.user is defined and item.user != omit) else gunicorn__user }} {{ item.group if (item.group is defined and item.group != omit) else gunicorn__group }}
+    postrotate
+        invoke-rc.d --quiet gunicorn@{{ item.name }} reload >/dev/null
+    endscript
+}
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn.service.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn.service.j2
new file mode 100644
index 00000000..51be7c25
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn.service.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# systemd service for managing all Green Unicorn instances on the host
+
+[Unit]
+Description=Green Unicorn - Python application server
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@.service.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@.service.j2
new file mode 100644
index 00000000..ec66c50e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@.service.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Green Unicorn - Python application server for %i
+Documentation=man:gunicorn
+PartOf=gunicorn.service
+Before=gunicorn.service
+ReloadPropagatedFrom=gunicorn.service
+After=network-online.target mysql.service postgresql.service
+Wants=network-online.target
+
+[Service]
+PermissionsStartOnly=true
+EnvironmentFile=-/etc/default/gunicorn-%i
+PIDFile=/run/gunicorn-%i/%i.pid
+ExecStart=/usr/bin/{{ gunicorn__binary }} --config=/etc/gunicorn/%i.conf.py ${GUNICORN_OPTS}
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s TERM $MAINPID
+Restart=always
+SyslogIdentifier=gunicorn@%i
+OOMScoreAdjust=-900
+TimeoutStopSec={{ gunicorn__systemd_timeout }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@application.service.d/instance.conf.j2 b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@application.service.d/instance.conf.j2
new file mode 100644
index 00000000..4f0226e9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/gunicorn/templates/etc/systemd/system/gunicorn@application.service.d/instance.conf.j2
@@ -0,0 +1,45 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set gunicorn__tpl_run_path = (item.run_path if (item.run_path is defined and item.run_path != omit) else '/run') %}
+# Custom per-instance configuration for Green Unicorn service
+
+[Service]
+User={{ item.user if (item.user is defined and item.user != omit) else gunicorn__user }}
+Group={{ item.group if (item.group is defined and item.group != omit) else gunicorn__group }}
+WorkingDirectory={{ item.working_directory | d(item.working_dir | d(item.workdir)) }}
+RuntimeDirectory={{ 'gunicorn-' + item.name }}
+RuntimeDirectoryMode={{ item.bind_mode | d('0755') }}
+Environment="PYTHONPATH={{ item.working_directory | d(item.working_dir | d(item.workdir)) }}"
+PIDFile={{ item.pidfile if (item.pidfile is defined and item.pidfile != omit) else (gunicorn__tpl_run_path + '/gunicorn-' + item.name + '/%i.pid') }}
+TimeoutStopSec={{ item.systemd_timeout | d(gunicorn__systemd_timeout) }}
+{% if item.environment | d() %}
+{%   for element in ([ item.environment ] if item.environment is mapping else item.environment) %}
+{%     if element.name | d() %}
+{%       if element.state | d('present') != 'absent' %}
+{{ 'Environment="{}={}"'.format(element.name | upper, element.value | d('')) }}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{{ 'Environment="{}={}"'.format(key | upper, value) }}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.app_module | d() %}
+
+ExecStart=
+ExecStart={{ (item.python + ' ') if item.python | d() else '' }}/usr/bin/{{ item.binary | d(gunicorn__binary) }} --config=/etc/gunicorn/%i.conf.py ${GUNICORN_OPTS} {{ item.app_module }}
+{% elif item.args | d() %}
+
+ExecStart=
+ExecStart={{ (item.python + ' ') if item.python | d() else '' }}/usr/bin/{{ item.binary | d(gunicorn__binary) }} --config=/etc/gunicorn/%i.conf.py {{ ([ item.args ] if item.args is string else item.args) | join(' ') }}
+{% elif item.exec | d() %}
+
+# Configure custom Green Unicorn launcher
+ExecStart=
+ExecStart={{ item.exec }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/hashicorp/COPYRIGHT b/ansible_collections/debops/debops/roles/hashicorp/COPYRIGHT
new file mode 100644
index 00000000..760f58a8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.hashicorp - Securely install HashiCorp applications
+
+Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/hashicorp/defaults/main.yml b/ansible_collections/debops/debops/roles/hashicorp/defaults/main.yml
new file mode 100644
index 00000000..ad8bfa30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/defaults/main.yml
@@ -0,0 +1,311 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _hashicorp__ref_defaults:
+
+# debops.hashicorp default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT package management [[[
+# --------------------------
+
+# .. envvar:: hashicorp__base_packages [[[
+#
+# List of APT packages required by the role to function.
+hashicorp__base_packages: [ 'rsync', 'openssl', 'ca-certificates', 'unzip' ]
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__packages [[[
+#
+# List of additional APT packages to install on hosts managed by the role.
+hashicorp__packages: []
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__dependent_packages [[[
+#
+# List of APT packages to install requested by other Ansible roles.
+hashicorp__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# HashiCorp user account [[[
+# --------------------------
+
+# .. envvar:: hashicorp__user [[[
+#
+# Name of the system account which will perform signature and archive
+# verification.
+hashicorp__user: 'hashicorp'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__group [[[
+#
+# Name of the primary system group of the HashiCorp_ account.
+hashicorp__group: 'hashicorp'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__home [[[
+#
+# Path to the home directory of the HashiCorp_ account.
+hashicorp__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                     + "/" + hashicorp__user }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__comment [[[
+#
+# The GECOS string set for the HashiCorp_ account.
+hashicorp__comment: 'HashiCorp Application Manager'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__shell [[[
+#
+# The default shell of the HashiCorp_ account.
+hashicorp__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenPGP key and keyserver [[[
+# -----------------------------
+
+# See :ref:`hashicorp__ref_security` for details about how the role uses the
+# HashiCorp_ company OpenPGP keys.
+
+# .. envvar:: hashicorp__gpg_key_id [[[
+#
+# The OpenPGP key fingerprint of the HashiCorp_ company.
+hashicorp__gpg_key_id: 'C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__keyserver [[[
+#
+# URL of the OpenPGP keyserver used to obtain the HashiCorp_ OpenPGP key.
+hashicorp__keyserver: '{{ ansible_local.keyring.keyserver | d("hkp://keyserver.ubuntu.com") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# HashiCorp Application lists [[[
+# -------------------------------
+
+# .. envvar:: hashicorp__applications [[[
+#
+# List of HashiCorp_ applications that should be installed on a given host.
+# To find out what applications are supported, check the names of the keys
+# in the :envvar:`hashicorp__default_version_map` dictionary.
+hashicorp__applications: []
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__dependent_applications [[[
+#
+# List of HashiCorp_ applications that are requested by other Ansible roles
+# using dependent variables.
+hashicorp__dependent_applications: []
+                                                                   # ]]]
+                                                                   # ]]]
+# HashiCorp application versions [[[
+# ----------------------------------
+
+# .. envvar:: hashicorp__default_version_map [[[
+#
+# YAML dictionary which maps the HashiCorp_ application names to their versions.
+# This is the main dictionary and shouldn't be modified by the user if
+# possible.
+hashicorp__default_version_map:
+  'atlas-upload-cli':  '0.2.0'
+  'consul':            '0.8.3'
+  'consul-replicate':  '0.3.1'
+  'consul-template':   '0.18.3'
+  'docker-base':       '0.0.4'
+  'docker-basetool':   '0.0.3'
+  'envconsul':         '0.6.2'
+  'nomad':             '0.5.6'
+  'otto':              '0.2.0'
+  'packer':            '1.0.0'
+  'serf':              '0.8.1'
+  'terraform':         '0.9.5'
+  'vault':             '0.7.2'
+  'vault-ssh-helper':  '0.1.3'
+
+  # The applications below have incompatible release formats:
+  #'vagrant':          '1.9.5'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__version_map [[[
+#
+# An additional YAML dictionary which defines mapping between HashiCorp_
+# applications and their versions. This dictionary should be used to override
+# the default version if necessary.
+hashicorp__version_map: {}
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__combined_version_map [[[
+#
+# The YAML dictionary used by the role to lookup specific versions of HashiCorp_
+# applications to install.
+hashicorp__combined_version_map: '{{ hashicorp__default_version_map
+                                     | combine(hashicorp__version_map) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Archive binary overrides [[[
+# ----------------------------
+
+# .. envvar:: hashicorp__default_binary_map [[[
+#
+# Some of the HashiCorp_ applications use different location or name of binaries
+# in their archives. This YAML dictionary is used to override the default
+# binary name(s) to the correct ones when necessary. Paths are relative to the
+# specific archive directory.
+hashicorp__default_binary_map:
+  'atlas-upload-cli': 'atlas-upload'
+  'docker-base':      [ 'bin/dumb-init', 'bin/gosu' ]
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__binary_map [[[
+#
+# Custom YAML dictionary with binary name overrides. This variable can be used
+# by the user when necessary.
+hashicorp__binary_map: {}
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__combined_binary_map [[[
+#
+# The YAML dictionary variable used by the role to override paths to the
+# specific archive binaries.
+hashicorp__combined_binary_map: '{{ hashicorp__default_binary_map
+                                    | combine(hashicorp__binary_map) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Base directory paths [[[
+# ------------------------
+
+# .. envvar:: hashicorp__src [[[
+#
+# Base path to the directory with HashiCorp_ binary archives, their hash
+# signatures and OpenPGP signatures.
+hashicorp__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                    + "/" + hashicorp__user + "/" +
+                     (hashicorp__base_url.split("://") | last | split("/") | first) }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__lib [[[
+#
+# Base path to the directory where HashiCorp_ archives are unpacked after
+# verification.
+hashicorp__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                    + "/" + hashicorp__user }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__bin [[[
+#
+# Base path to the directory where HashiCorp_ application binaries will be
+# installed by the ``root`` account.
+hashicorp__bin: '{{ ansible_local.fhs.bin | d("/usr/local/bin") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# HashiCorp application repositories [[[
+# --------------------------------------
+
+# .. envvar:: hashicorp__base_url [[[
+#
+# The base URL of the HashiCorp_ webserver with application releases.
+hashicorp__base_url: 'https://releases.hashicorp.com/'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__platform [[[
+#
+# Name of the current OS platform in the format used by the HashiCorp_
+# application archive filenames.
+hashicorp__platform: '{{ ansible_system | lower }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__architecture [[[
+#
+# Key used to lookup current system architecture.
+hashicorp__architecture: '{{ ansible_architecture }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__architecture_map [[[
+#
+# YAML dictionary that maps the system architecture as used by Ansible to the
+# architecture names used in the HashiCorp_ archive filenames.
+hashicorp__architecture_map:
+  'x86_64': 'amd64'
+  'i386': '386'
+  'armhf': 'arm'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__tar_suffix [[[
+#
+# The filename suffix of the HashiCorp_ application archive.
+hashicorp__tar_suffix: '{{ hashicorp__platform + "_"
+                           + hashicorp__architecture_map[hashicorp__architecture]
+                           + ".zip" }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__hash_suffix [[[
+#
+# The filename suffix of the file which contains SHA256 hashes of the released
+# files.
+hashicorp__hash_suffix: 'SHA256SUMS'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__sig_suffix [[[
+#
+# The filename suffix of the file which contains OpenPGP signature of the file
+# with SHA256 hashes, signed by the HashiCorp_ OpenPGP key.
+hashicorp__sig_suffix: '{{ hashicorp__hash_suffix + ".sig" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Consul Web UI configuration [[[
+# -------------------------------
+
+# .. envvar:: hashicorp__consul_webui [[[
+#
+# Boolean variable which controls if the Consul Web UI should be installed
+# alongside ``consul``. By default the Web UI files are not installed to allow
+# headless installation.
+hashicorp__consul_webui: '{{ ansible_local.hashicorp.consul_webui | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__consul_webui_suffix [[[
+#
+# The filename suffix of the Consul Web UI archive file.
+hashicorp__consul_webui_suffix: 'web_ui.zip'
+
+                                                                   # ]]]
+# .. envvar:: hashicorp__consul_webui_path [[[
+#
+# Absolute path where the Consul Web UI files should be installed.
+hashicorp__consul_webui_path: '{{ ansible_local.nginx.www | d("/srv/www") + "/consul/sites/public" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: hashicorp__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+hashicorp__keyring__dependent_gpg_keys:
+
+  - user: '{{ hashicorp__user }}'
+    group: '{{ hashicorp__group }}'
+    home: '{{ hashicorp__home }}'
+    id: '{{ hashicorp__gpg_key_id }}'
+    state: '{{ "present"
+               if (hashicorp__applications or hashicorp__dependent_applications)
+               else "absent" }}'
+
+    # The old GPG key has been revoked
+    # https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512
+  - user: '{{ hashicorp__user }}'
+    id: '91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C'
+    state: 'absent'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/main.yml b/ansible_collections/debops/debops/roles/hashicorp/meta/main.yml
new file mode 100644
index 00000000..442fcd78
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Securely install HashiCorp applications'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - hashicorp
+    - consul
+    - docker
+    - nomad
+    - otto
+    - packer
+    - serf
+    - terraform
+    - vault
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-atlas-upload-cli b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-atlas-upload-cli
new file mode 100644
index 00000000..9296c8f6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-atlas-upload-cli
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: atlas-upload-cli
+# Version: 0.2.0
+
+version=4
+https://github.com/hashicorp/atlas-upload-cli/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul
new file mode 100644
index 00000000..fb810da6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: consul
+# Version: 0.8.3
+
+version=4
+https://github.com/hashicorp/consul/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-replicate b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-replicate
new file mode 100644
index 00000000..17068fed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-replicate
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: consul-replicate
+# Version: 0.3.1
+
+version=4
+https://github.com/hashicorp/consul-replicate/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-template b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-template
new file mode 100644
index 00000000..146924b8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-consul-template
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: consul-template
+# Version: 0.18.3
+
+version=4
+https://github.com/hashicorp/consul-template/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-base b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-base
new file mode 100644
index 00000000..43705aaf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-base
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: docker-base
+# Version: 0.3.1
+
+version=4
+https://github.com/hashicorp/docker-base/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-basetool b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-basetool
new file mode 100644
index 00000000..5cfdefb8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-docker-basetool
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: docker-basetool
+# Version: 0.0.3
+
+version=4
+https://github.com/hashicorp/docker-basetool/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-envconsul b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-envconsul
new file mode 100644
index 00000000..05592985
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-envconsul
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: envconsul
+# Version: 0.6.2
+
+version=4
+https://github.com/hashicorp/envconsul/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-nomad b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-nomad
new file mode 100644
index 00000000..b05d86ac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-nomad
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: nomad
+# Version: 0.5.6
+
+version=4
+https://github.com/hashicorp/nomad/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-otto b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-otto
new file mode 100644
index 00000000..52003ff8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-otto
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: otto
+# Version: 0.2.0
+
+version=4
+https://github.com/hashicorp/otto/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-packer b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-packer
new file mode 100644
index 00000000..d25be117
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-packer
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: packer
+# Version: 1.0.0
+
+version=4
+https://github.com/hashicorp/packer/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-serf b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-serf
new file mode 100644
index 00000000..bfd813b6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-serf
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: serf
+# Version: 0.8.1
+
+version=4
+https://github.com/hashicorp/serf/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-terraform b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-terraform
new file mode 100644
index 00000000..dd117ca0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-terraform
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: terraform
+# Version: 0.9.5
+
+version=4
+https://github.com/hashicorp/terraform/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault
new file mode 100644
index 00000000..5f7751de
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: vault
+# Version: 0.7.2
+
+version=4
+https://github.com/hashicorp/vault/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault-ssh-helper b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault-ssh-helper
new file mode 100644
index 00000000..10d0501b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/meta/watch-vault-ssh-helper
@@ -0,0 +1,10 @@
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: hashicorp
+# Package: vault-ssh-helper
+# Version: 0.1.3
+
+version=4
+https://github.com/hashicorp/vault-ssh-helper/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/hashicorp/tasks/main.yml b/ansible_collections/debops/debops/roles/hashicorp/tasks/main.yml
new file mode 100644
index 00000000..7bd62ae5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/tasks/main.yml
@@ -0,0 +1,263 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+# APT package installation [[[1
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (hashicorp__base_packages
+                              + hashicorp__packages
+                              + hashicorp__dependent_packages)) }}'
+    state: 'present'
+  register: hashicorp__register_packages
+  until: hashicorp__register_packages is succeeded
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+
+
+# User, group management [[[1
+
+- name: Create HashiCorp group
+  ansible.builtin.group:
+    name: '{{ hashicorp__group }}'
+    state: 'present'
+    system: True
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  tags: [ 'role::hashicorp:download', 'role::hashicorp:verify' ]
+
+- name: Create HashiCorp user
+  ansible.builtin.user:
+    name: '{{ hashicorp__user }}'
+    group: '{{ hashicorp__group }}'
+    home: '{{ hashicorp__home }}'
+    comment: '{{ hashicorp__comment }}'
+    shell: '{{ hashicorp__shell }}'
+    system: True
+    state: 'present'
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  tags: [ 'role::hashicorp:download', 'role::hashicorp:verify' ]
+
+
+# Filesystem directory management [[[1
+
+- name: Create source directories
+  ansible.builtin.file:
+    path: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+    state: 'directory'
+    owner: '{{ hashicorp__user }}'
+    group: '{{ hashicorp__group }}'
+    mode: '0755'
+  with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  tags: [ 'role::hashicorp:download', 'role::hashicorp:verify' ]
+
+- name: Create library directories
+  ansible.builtin.file:
+    path: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+    state: 'directory'
+    owner: '{{ hashicorp__user }}'
+    group: '{{ hashicorp__group }}'
+    mode: '0750'
+  with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  tags: [ 'role::hashicorp:unpack', 'role::hashicorp:install' ]
+
+- name: Create Consul Web UI library directory
+  ansible.builtin.file:
+    path: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/web_ui" }}'
+    state: 'directory'
+    owner: '{{ hashicorp__user }}'
+    group: '{{ hashicorp__group }}'
+    mode: '0755'
+  with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+  when: (hashicorp__consul_webui | bool and item == 'consul')
+
+- name: Create Consul Web UI directory
+  ansible.builtin.file:
+    path: '{{ hashicorp__consul_webui_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (hashicorp__consul_webui | bool and
+         ('consul' in (hashicorp__applications + hashicorp__dependent_applications | unique)))
+
+
+# OpenPGP keys, application download and validation [[[1
+
+- name: Download and validate the tarballs
+  become: True
+  become_user: '{{ hashicorp__user }}'
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  block:
+
+    # HashiCorp application archive download [[[2
+
+    - name: Download requested application files
+      ansible.builtin.get_url:
+        url: '{{ hashicorp__base_url + item.0 + "/" +
+                 hashicorp__combined_version_map[item.0] + "/" + item.0 + "_" +
+                 hashicorp__combined_version_map[item.0] + "_" + item.1 }}'
+        dest: '{{ hashicorp__src + "/" + item.0 + "/" + hashicorp__combined_version_map[item.0] + "/" }}'
+        mode: '0644'
+      with_nested:
+        - '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+        - [ '{{ hashicorp__tar_suffix }}', '{{ hashicorp__hash_suffix }}', '{{ hashicorp__sig_suffix }}' ]
+      when: (ansible_local.hashicorp is not defined or
+             (ansible_local.hashicorp | d() and ansible_local.hashicorp.applications | d() and
+              (ansible_local.hashicorp.applications[item.0] is not defined or
+               (ansible_local.hashicorp.applications[item.0] != hashicorp__combined_version_map[item.0]))))
+      tags: [ 'role::hashicorp:download', 'role::hashicorp:verify' ]
+
+    - name: Download Consul Web UI
+      ansible.builtin.get_url:
+        url: '{{ hashicorp__base_url + item.0 + "/" +
+                 hashicorp__combined_version_map[item.0] + "/" + item.0 + "_" +
+                 hashicorp__combined_version_map[item.0] + "_" + item.1 }}'
+        dest: '{{ hashicorp__src + "/" + item.0 + "/" + hashicorp__combined_version_map[item.0] + "/" }}'
+        mode: '0644'
+      with_nested:
+        - [ 'consul' ]
+        - [ '{{ hashicorp__consul_webui_suffix }}' ]
+      when: (hashicorp__consul_webui | bool and
+             ('consul' in (hashicorp__applications + hashicorp__dependent_applications) | unique) and
+              (ansible_local.hashicorp is not defined or
+               (ansible_local.hashicorp | d() and ansible_local.hashicorp.applications | d() and
+                (ansible_local.hashicorp.applications['consul'] is not defined or
+                 (ansible_local.hashicorp.applications['consul'] != hashicorp__combined_version_map['consul'])) or
+                not ansible_local.hashicorp.consul_webui | bool)))
+      tags: [ 'role::hashicorp:download', 'role::hashicorp:verify' ]
+
+
+    # SHA256 signature verification [[[2
+
+    - name: Verify signatures with HashiCorp GPG key
+      ansible.builtin.command: gpg --verify {{ item + '_' + hashicorp__combined_version_map[item] + '_' + hashicorp__sig_suffix }}
+                            {{ item + '_' + hashicorp__combined_version_map[item] + '_' + hashicorp__hash_suffix }}
+      args:
+        chdir: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+      with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+      register: hashicorp__register_signature
+      changed_when: False
+      failed_when: hashicorp__register_signature.rc != 0
+      tags: [ 'role::hashicorp:verify' ]
+
+    - name: Check file signatures
+      ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+             grep --file <(find . -type f -printf "%f$\n")
+             {{ item + '_' + hashicorp__combined_version_map[item] + '_' + hashicorp__hash_suffix }}
+             | sha256sum --check --status
+      args:
+        chdir: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+        executable: 'bash'
+      with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+      register: hashicorp__register_hash
+      changed_when: False
+      failed_when: hashicorp__register_hash.rc != 0
+      tags: [ 'role::hashicorp:verify' ]
+
+
+    # HashiCorp application archive unpack [[[2
+
+    - name: Unpack the file archives
+      ansible.builtin.unarchive:
+        remote_src: True
+        src: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
+                 item + "_" + hashicorp__combined_version_map[item] + "_" + hashicorp__tar_suffix }}'
+        dest: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] }}'
+        mode: 'u=rwX,g=rwX,o=rX'
+        creates: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
+                     ((hashicorp__combined_binary_map[item]
+                       if hashicorp__combined_binary_map[item] is string
+                       else hashicorp__combined_binary_map[item] | first)
+                      if hashicorp__combined_binary_map[item] | d() else item) }}'
+      with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+      register: hashicorp__register_unpack
+      tags: [ 'role::hashicorp:unpack', 'role::hashicorp:install' ]
+
+    - name: Unpack the Consul Web UI
+      ansible.builtin.unarchive:
+        copy: False
+        src: '{{ hashicorp__src + "/" + item + "/" + hashicorp__combined_version_map[item] + "/" +
+                 item + "_" + hashicorp__combined_version_map[item] + "_" + hashicorp__consul_webui_suffix }}'
+        dest: '{{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/web_ui" + "/" }}'
+        mode: 'u=rwX,g=rwX,o=rX'
+        creates: '{{ hashicorp__lib + "/" + item + "/"
+                     + hashicorp__combined_version_map[item] + "/web_ui/index.html" }}'
+      with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+      register: hashicorp__register_unpack_webui
+      when: hashicorp__consul_webui | bool and item == 'consul'
+      tags: [ 'role::hashicorp:unpack', 'role::hashicorp:install' ]
+
+
+# HashiCorp application installation [[[1
+
+- name: Install HashiCorp applications
+  ansible.builtin.shell: install --mode 755 --owner root --group root --target-directory {{ hashicorp__bin }}
+         {{ ((hashicorp__combined_binary_map[item.0]
+              if hashicorp__combined_binary_map[item.0] is string
+              else hashicorp__combined_binary_map[item.0] | join(' '))
+             if hashicorp__combined_binary_map[item.0] | d() else item.0) }}
+         {% if item.0 == 'terraform' %}
+         ; find . -maxdepth 1 -type f -name 'terraform-*'
+                  -exec install -m 755 -o root -g root -t {{ hashicorp__bin }} {} +
+         {% endif %}
+  args:  # noqa no-handler
+    chdir: '{{ hashicorp__lib + "/" + item.0 + "/" + hashicorp__combined_version_map[item.0] }}'
+  with_together:
+    - '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+    - '{{ hashicorp__register_unpack.results }}'
+  register: hashicorp__register_app_install
+  changed_when: hashicorp__register_app_install.changed | bool
+  when: (item.1 is changed or (ansible_local | d() and
+         (ansible_local.hashicorp is not defined or
+          (ansible_local.hashicorp | d() and ansible_local.hashicorp.applications | d() and
+           (ansible_local.hashicorp.applications[item.0] is not defined or
+            (ansible_local.hashicorp.applications[item.0] != hashicorp__combined_version_map[item.0]))))))
+  tags: [ 'role::hashicorp:install' ]
+
+- name: Synchronize Consul Web UI public directory  # noqa command-instead-of-module
+  ansible.builtin.shell: 'rsync --delete --recursive --prune-empty-dirs
+         {{ hashicorp__lib + "/" + item + "/" + hashicorp__combined_version_map[item] + "/web_ui/" }}
+         {{ hashicorp__consul_webui_path }} && chown -R root:root {{ hashicorp__consul_webui_path }}'
+  with_items: '{{ (hashicorp__applications + hashicorp__dependent_applications) | unique }}'
+  register: hashicorp__register_consul_ui_rsync
+  changed_when: hashicorp__register_consul_ui_sync.changed | bool
+  when: (hashicorp__consul_webui | bool and item == 'consul' and hashicorp__register_unpack_webui is changed)
+
+
+# Ansible local facts [[[1
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+
+- name: Save HashiCorp local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/hashicorp.fact.j2'
+    dest: '/etc/ansible/facts.d/hashicorp.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: (hashicorp__applications or hashicorp__dependent_applications)
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/hashicorp/templates/etc/ansible/facts.d/hashicorp.fact.j2 b/ansible_collections/debops/debops/roles/hashicorp/templates/etc/ansible/facts.d/hashicorp.fact.j2
new file mode 100644
index 00000000..1e8c7757
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hashicorp/templates/etc/ansible/facts.d/hashicorp.fact.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2016      Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set hashicorp__tpl_application_list = ((ansible_local.hashicorp.applications | list if (ansible_local.hashicorp.applications | d()) else []) + hashicorp__applications + hashicorp__dependent_applications) | sort | unique %}
+{% set hashicorp__tpl_applications = {} %}
+{% for entry in hashicorp__tpl_application_list %}
+{%   if (ansible_local.hashicorp.applications | d() and entry in ansible_local.hashicorp.applications) %}
+{%     set _ = hashicorp__tpl_applications.update({ entry : ansible_local.hashicorp.applications[entry] }) %}
+{%   elif entry in hashicorp__combined_version_map %}
+{%     set _ = hashicorp__tpl_applications.update({ entry : hashicorp__combined_version_map[entry] }) %}
+{%   endif %}
+{%   if (entry in hashicorp__combined_version_map and (hashicorp__tpl_applications[entry] != hashicorp__combined_version_map[entry])) %}
+{%     set _ = hashicorp__tpl_applications.update({ entry : hashicorp__combined_version_map[entry] }) %}
+{%   endif %}
+{% endfor %}
+{% set hashicorp__tpl_consul_webui = ansible_local.hashicorp.consul_webui | d(False) | bool | lower %}
+{% if hashicorp__consul_webui | bool and 'consul' in hashicorp__tpl_applications %}
+{%   set hashicorp__tpl_consul_webui = True %}
+{% endif %}
+{% set hashicorp__tpl_facts = {} %}
+{% set _ = hashicorp__tpl_facts.update({ "applications":      hashicorp__tpl_applications }) %}
+{% set _ = hashicorp__tpl_facts.update({ "bin":               hashicorp__bin }) %}
+{% set _ = hashicorp__tpl_facts.update({ "consul_webui":      hashicorp__tpl_consul_webui | bool | lower }) %}
+{% set _ = hashicorp__tpl_facts.update({ "consul_webui_path": hashicorp__consul_webui_path }) %}
+{% set _ = hashicorp__tpl_facts.update({ "installed":         "true" }) %}
+{{ hashicorp__tpl_facts | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/homeassistant/COPYRIGHT b/ansible_collections/debops/debops/roles/homeassistant/COPYRIGHT
new file mode 100644
index 00000000..8f1eb698
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/COPYRIGHT
@@ -0,0 +1,19 @@
+homeassistant - Setup and manage Home Assistant
+
+Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/homeassistant/defaults/main.yml b/ansible_collections/debops/debops/roles/homeassistant/defaults/main.yml
new file mode 100644
index 00000000..4fe2794f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/defaults/main.yml
@@ -0,0 +1,386 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _homeassistant__ref_defaults:
+
+# debops-contrib.homeassistant default variables [[[
+# ==================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: homeassistant__base_packages [[[
+#
+# List of base packages to install.
+homeassistant__base_packages:
+  - 'libffi-dev'
+  - 'libssl-dev'
+  - 'libjpeg-dev'
+  - 'zlib1g-dev'
+  - 'autoconf'
+  - 'build-essential'
+  - 'libopenjp2-7'
+  - 'libtiff5'
+  - '{{ "libturbojpeg"
+        if (ansible_distribution == "Ubuntu")
+        else "libturbojpeg0" }}'
+  - 'tzdata'
+                                                                   # ]]]
+# .. envvar:: homeassistant__packages [[[
+#
+# List of additional packages to install.
+homeassistant__packages: []
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__dependency_python_packages [[[
+#
+# List of Home Assistant Core dependency packages.
+# This refers to Debian system packages and not Python packages.
+homeassistant__dependency_python_packages:
+  - 'python3-dev'
+  - 'python3-venv'
+  - 'python3-pip'
+  - 'python3-virtualenv'
+  - 'python3-requests'
+  - 'python3-yaml'
+  - 'python3-tz'
+  - 'python3-jinja2'
+  - 'python3-voluptuous'
+
+  - '{{ ["python3-aiohttp"]
+        if (ansible_distribution_release not in ["trusty"])
+        else [] }}'
+  - '{{ ["python3-async-timeout"]
+        if (ansible_distribution == "Debian" and ansible_distribution_major_version | int >= 9)
+        else [] }}'
+  - 'python3-chardet'
+                                                                   # ]]]
+# .. envvar:: homeassistant__optional_python_packages [[[
+#
+# List of optional packages.
+# This refers to Debian system packages and not Python packages.
+homeassistant__optional_python_packages:
+  - '{{ ["python3-colorlog"]
+        if (ansible_distribution_release not in ["trusty"])
+        else [] }}'
+  - 'libffi-dev'
+  - 'libssl-dev'
+  - 'python3-crypto'
+  - 'python3-cryptography'
+  - 'python3-pyparsing'
+  - 'python3-appdirs'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__combined_packages [[[
+#
+# List of all system packages which will be installed by the role.
+homeassistant__combined_packages: '{{ (homeassistant__base_packages
+                                       + homeassistant__packages
+                                       + (homeassistant__dependency_python_packages
+                                          if (not homeassistant__virtualenv | bool)
+                                          else [])
+                                       + (homeassistant__optional_python_packages
+                                          if (not homeassistant__virtualenv | bool)
+                                          else []))
+                                      | unique | sort }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Home Assistant is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Home Assistant is uninstalled. Not fully supported yet.
+#
+homeassistant__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# FQDN and DNS addresses [[[
+# --------------------------
+
+# .. envvar:: homeassistant__fqdn [[[
+#
+# The Fully Qualified Domain Name of the Home Assistant instance. This address is
+# used to configure the webserver frontend.
+homeassistant__fqdn: 'ha.{{ homeassistant__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__domain [[[
+#
+# Domain that will be configured for the Home Assistant instance.
+homeassistant__domain: '{{ ansible_domain }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Reverse proxy configuration [[[
+# -------------------------------
+
+# While Home Assistant provides it’s own authentication methods one might want
+# to enable multiple authentications after each other that are enforced by
+# different components (Security in Depth).
+# Also refer to
+# `RFC: Support subpath/subdir hosting for additional security`__.
+#
+# .. __: https://github.com/debops/debops/issues/1233
+
+# .. envvar:: homeassistant__verify_client_certificate [[[
+#
+# Should a valid client certificate be required to access Home Assistant?
+homeassistant__verify_client_certificate: False
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__basic_auth [[[
+#
+# Enable or disable HTTP Basic Authentication in the webserver frontend.
+# Note that there is an unhandled issue that you might face when enabling this.
+# Ref: https://github.com/home-assistant/core/issues/6184
+homeassistant__basic_auth: False
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__basic_auth_realm [[[
+#
+# The HTTP Basic Auth realm used for Home Assistant.
+homeassistant__basic_auth_realm: 'Home Assistant'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__basic_auth_name [[[
+#
+# Name of the :command:`htpasswd` file stored in the
+# :file:`/etc/nginx/private/` directory which contains HTTP Basic Auth
+# credentials.
+homeassistant__basic_auth_name: 'homeassistant'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__basic_auth_users [[[
+#
+# List of user accounts which will be allowed access to Home Assistant.
+homeassistant__basic_auth_users: '{{ ansible_local.core.admin_users | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__webserver_user [[[
+#
+# Name of the webserver user account which will be granted read only access to
+# the www directory outside of the Home Assistant configuration directory.
+homeassistant__webserver_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory paths [[[
+# -------------------
+
+# .. envvar:: homeassistant__home_path [[[
+#
+# The Home Assistant system account home directory.
+homeassistant__home_path: '{{ (ansible_local.fhs.home | d("/var/local"))
+                              + "/" + homeassistant__user }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__virtualenv_path [[[
+#
+# Path to the virtualenv where Home Assistant will be installed.
+homeassistant__virtualenv_path: '{{ homeassistant__home_path + "/prod_venv" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System user and group [[[
+# -------------------------
+
+# .. envvar:: homeassistant__user [[[
+#
+# System UNIX account under which Home Assistant is run.
+homeassistant__user: 'homeassistant'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__group [[[
+#
+# System UNIX group used by Home Assistant.
+homeassistant__group: 'homeassistant'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__groups [[[
+#
+# List of additional system groups of the system UNIX account.
+# The ``dialout`` group grants accesses to devices typically used for home
+# automation which can be found under :file:`/dev/ttyACM*` for example.
+# If you don’t use such devices, you can remove the group from the list.
+homeassistant__groups: [ 'dialout' ]
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__gecos [[[
+#
+# Contents of the GECOS field set for the Home Assistant account.
+homeassistant__gecos: 'Home Assistant'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__shell [[[
+#
+# The default shell set on the Home Assistant account.
+homeassistant__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Home Assistant sources and deployment [[[
+# -----------------------------------------
+
+# .. envvar:: homeassistant__virtualenv [[[
+#
+# Should a Python virtualenv be created and used for Home Assistant deployment?
+# Virtualenv is currently the only supported way. Listing all dependencies here
+# has is too high maintenance and does not help much because Home Assistant
+# might install dependencies ad-hoc.
+homeassistant__virtualenv: True
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__release_channel [[[
+#
+# Which release channel should be installed?
+#
+# Choices:
+#
+# * ``release``: Latest release.
+# * ``develop``: Latest development version.
+#
+homeassistant__release_channel: 'release'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_repo [[[
+#
+# The URI of the Home Assistant git source repository.
+homeassistant__git_repo: 'https://github.com/home-assistant/home-assistant.git'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_version [[[
+#
+# The git branch or tag which will be installed.
+# Refer to the `releasing documentation
+# <https://home-assistant.io/developers/releasing/>`__ for details.
+homeassistant__git_version: '{{ "master" if (homeassistant__release_channel in ["release"]) else "dev" }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_dest [[[
+#
+# Path where the Home Assistant sources will be checked out (installation path).
+homeassistant__git_dest: '{{ homeassistant__home_path + "/home-assistant" }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_recursive [[[
+#
+# Should the git repository be cloned recursively?
+homeassistant__git_recursive: True
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_depth [[[
+#
+# To which depth should the git repository be cloned?
+# Default is to clone the whole repository.
+homeassistant__git_depth: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__git_update [[[
+#
+# Should new revisions be retrieved from the origin repository?
+homeassistant__git_update: True
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__daemon_path [[[
+#
+# File path where the Home Assistant console script is located.
+homeassistant__daemon_path: '{{ (homeassistant__home_path + "/prod_venv/bin/hass")
+                                if (homeassistant__virtualenv | bool)
+                                else (homeassistant__home_path + "/.local/bin/hass") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: homeassistant__nginx__dependent_upstreams [[[
+#
+# Configuration of the Home Assistant nginx upstream, used by the debops.nginx_
+# Ansible role.
+homeassistant__nginx__dependent_upstreams:
+
+  - name: 'homeassistant'
+    type: 'default'
+    state: '{{ "present" if (homeassistant__deploy_state == "present") else "absent" }}'
+    enabled: True
+    server: 'localhost:8123'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__nginx__dependent_htpasswd [[[
+#
+# HTTP Basic Auth password configuration for the :ref:`debops.nginx` Ansible
+# role.
+homeassistant__nginx__dependent_htpasswd:
+  name: '{{ homeassistant__basic_auth_name }}'
+  users: '{{ homeassistant__basic_auth_users }}'
+
+                                                                   # ]]]
+# .. envvar:: homeassistant__nginx__dependent_servers [[[
+#
+# Configuration of the Home Assistant nginx server, used by the debops.nginx_
+# Ansible role.
+homeassistant__nginx__dependent_servers:
+
+  - name: '{{ homeassistant__fqdn }}'
+    filename: 'debops.homeassistant'
+    by_role: 'debops-contrib.homeassistant'
+    state: '{{ "present" if (homeassistant__deploy_state == "present") else "absent" }}'
+    type: 'proxy'
+    ssl_verify_client: '{{ homeassistant__verify_client_certificate | bool }}'
+    auth_basic: '{{ homeassistant__basic_auth | bool }}'
+    auth_basic_realm: '{{ homeassistant__basic_auth_realm }}'
+    auth_basic_name: '{{ homeassistant__basic_auth_name }}'
+    options: |
+      proxy_buffering off;
+
+      location /local/ {
+              autoindex off;
+              alias {{ homeassistant__home_path }}/www/;
+      }
+      location /local_brands/ {
+              rewrite /local_brands/(.*) /$1  break;
+
+              proxy_pass https://brands.home-assistant.io/;
+
+              proxy_set_header Host brands.home-assistant.io;
+              proxy_ssl_verify on;
+              proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+              proxy_ssl_server_name on;
+
+              # Aggressively cache files on disk.
+              proxy_buffering on;
+              proxy_cache brands;
+              # Exclude $scheme$proxy_host from key to ease testing with different proxy_pass.
+              proxy_cache_key $request_uri;
+              proxy_cache_lock on;
+
+              # This might end up serving place holder files for 6 months.
+              # Ref: https://github.com/home-assistant/brands#caching
+              proxy_cache_valid 6M;
+
+              proxy_cache_valid 404 60m;
+              proxy_method GET;
+              proxy_pass_request_body off;
+              proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+              proxy_cache_bypass $http_pragma;
+              add_header X-Cache-Status $upstream_cache_status;
+      }
+    proxy_pass: 'http://homeassistant'
+    proxy_options: |
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/changelog.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/changelog.rst
new file mode 100644
index 00000000..6d01c6ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/copyright.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/copyright.rst
new file mode 100644
index 00000000..ce69ac9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/getting-started.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/getting-started.rst
new file mode 100644
index 00000000..18f72525
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/getting-started.rst
@@ -0,0 +1,82 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _homeassistant__ref_getting_started:
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To setup and manage Home Assistant on a given host or set of hosts, they need to
+be added one of the ``[debops_service_homeassistant.*]`` Ansible groups in the
+inventory depending on your way of deployment:
+
+.. code:: ini
+
+   [debops_service_homeassistant_nginx]
+   hostname
+
+Example playbook
+----------------
+
+Ansible playbook that uses the ``debops-contrib.homeassistant`` role and does not
+setup a reverse proxy:
+
+.. literalinclude:: playbooks/homeassistant-plain.yml
+   :language: yaml
+   :lines: 1,5-
+
+Ansible playbook that uses the ``debops-contrib.homeassistant`` role together
+with debops.nginx_ as reverse proxy:
+
+.. literalinclude:: playbooks/homeassistant-nginx.yml
+   :language: yaml
+   :lines: 1,5-
+
+These playbooks are shipped with this role under
+:file:`./docs/playbooks/` from which you can symlink them to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Hosting static files
+--------------------
+
+`Home Assistant supports hosting static files`__. The role configures the
+webserver to serve those files directly. Same as Home Assistant, no
+authentication for static files is provided!
+
+To avoid the risk of giving the webserver access the configuration directory
+under which the :file:`www` directory is normally stored, the role creates the
+:file:`www` directory one level above the configuration directory and creates a
+symlink where Home Assistant would read them to not break the application in
+any way.
+
+.. __: https://www.home-assistant.io/integrations/http/#hosting-files
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::homeassistant``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::homeassistant:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/includes/all.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/includes/all.rst
new file mode 100644
index 00000000..84ba4678
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/index.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/index.rst
new file mode 100644
index 00000000..3d218c23
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.homeassistant:
+
+Ansible role: debops-contrib.homeassistant
+==========================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/homeassistant/docs/introduction.rst b/ansible_collections/debops/debops/roles/homeassistant/docs/introduction.rst
new file mode 100644
index 00000000..2cea943f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/docs/introduction.rst
@@ -0,0 +1,30 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.homeassistant`` role allows you to setup and manage
+`Home Assistant <https://en.wikipedia.org/wiki/Home_Assistant>`_.
+Home Assistant is a home automation platform running on Python 3.
+It is able to track and control all devices at home and offer a platform for
+automating control.
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.2.2``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.homeassistant
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/homeassistant/handlers/main.yml b/ansible_collections/debops/debops/roles/homeassistant/handlers/main.yml
new file mode 100644
index 00000000..003a65eb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart Home Assistant
+  ansible.builtin.systemd:
+    name: 'home-assistant'
+    state: 'restarted'
+  when: (ansible_distribution_release not in ["trusty"])
diff --git a/ansible_collections/debops/debops/roles/homeassistant/meta/main.yml b/ansible_collections/debops/debops/roles/homeassistant/meta/main.yml
new file mode 100644
index 00000000..40baad66
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider'
+  description: 'Setup and manage Home Assistant'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.2'
+
+  platforms:
+
+    - name: Debian
+      versions:
+        - bullseye
+
+  galaxy_tags:
+    - automation
+    - home
+    - homeassistant
+    - iot
diff --git a/ansible_collections/debops/debops/roles/homeassistant/tasks/main.yml b/ansible_collections/debops/debops/roles/homeassistant/tasks/main.yml
new file mode 100644
index 00000000..8d5c6ff4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/tasks/main.yml
@@ -0,0 +1,131 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", homeassistant__combined_packages) }}'
+  when: (homeassistant__deploy_state == "present")
+  register: homeassistant__register_packages
+  until: homeassistant__register_packages is succeeded
+  tags: [ 'role::homeassistant:pkgs' ]
+
+# System user and group [[[
+- name: Create Home Assistant system group
+  ansible.builtin.group:
+    name: '{{ homeassistant__group }}'
+    state: '{{ "present" if (homeassistant__deploy_state == "present") else "absent" }}'
+    system: True
+
+- name: Create Home Assistant system user
+  ansible.builtin.user:
+    name: '{{ homeassistant__user }}'
+    group: '{{ homeassistant__group }}'
+    groups: '{{ homeassistant__groups | join(",") | default(omit) }}'
+    append: False
+    home: '{{ homeassistant__home_path }}'
+    comment: '{{ homeassistant__gecos }}'
+    shell: '{{ homeassistant__shell }}'
+    state: '{{ "present" if (homeassistant__deploy_state == "present") else "absent" }}'
+    system: True
+# ]]]
+
+- name: Clone Home Assistant git repository
+  ansible.builtin.git:
+    repo: '{{ homeassistant__git_repo }}'
+    dest: '{{ homeassistant__git_dest }}'
+    depth: '{{ homeassistant__git_depth }}'
+    version: '{{ homeassistant__git_version }}'
+    recursive: '{{ homeassistant__git_recursive | bool }}'
+    update: '{{ homeassistant__git_update | bool }}'
+  become: True
+  become_user: '{{ homeassistant__user }}'
+  register: homeassistant__register_git
+  when: (homeassistant__deploy_state == "present")
+
+- name: Install hass without virtualenv
+  ansible.builtin.pip:  # noqa no-handler
+    name: '.'
+    chdir: '{{ homeassistant__git_dest }}'
+    executable: 'pip3'
+    extra_args: '--user --upgrade'
+  become: True
+  become_user: '{{ homeassistant__user }}'
+  when: not homeassistant__virtualenv | bool and homeassistant__register_git is changed
+  notify: [ 'Restart Home Assistant' ]
+
+- name: Install hass in virtualenv
+  ansible.builtin.pip:  # noqa no-handler
+    name: '.'
+    chdir: '{{ homeassistant__git_dest }}'
+    extra_args: '--upgrade'
+    virtualenv: '{{ homeassistant__virtualenv_path }}'
+    virtualenv_python: 'python3'
+  become: True
+  become_user: '{{ homeassistant__user }}'
+  when: homeassistant__virtualenv | bool and homeassistant__register_git is changed
+  notify: [ 'Restart Home Assistant' ]
+
+  # https://community.home-assistant.io/t/wth-why-are-brand-icons-a-cloud-dependency/226359/13
+  # Does not work. Home assistant still requests the files from https://brands.home-assistant.io/ …
+# - name: Change hardcoded brands.home-assistant.io domain and point to Nginx
+#   ansible.builtin.shell: |
+#     set -o pipefail -o errexit;
+#     for i in $(find lib/python*/site-packages/hass_frontend/ lib/python*/site-packages/homeassistant/components/ -iname '*.js.gz' -type f); do zcat "$i" | sed --regexp-extended 's#https://brands\.home-assistant\.io/#https://{{ homeassistant__fqdn }}/local_brands/brands/#g;s#brands\.home-assistant\.io#{{ homeassistant__fqdn }}#g;' > "$i.copy"; gzip "$i.copy"; mv "$i.copy.gz" "$i" ; done
+#     find lib/python*/site-packages/hass_frontend/ lib/python*/site-packages/homeassistant/components/ -not -iname '*.gz' -type f -print0 | xargs --null sed --in-place --regexp-extended 's#https://brands\.home-assistant\.io/#https://{{ homeassistant__fqdn }}/local_brands/brands/#g;s#brands\.home-assistant\.io#{{ homeassistant__fqdn }}#g;'
+#   args:
+#     chdir: '{{ homeassistant__virtualenv_path }}'
+#     executable: 'bash'
+#   become: True
+#   become_user: '{{ homeassistant__user }}'
+#   when: homeassistant__register_git is changed
+
+- name: Ensure Home Assistant config dir exists
+  ansible.builtin.file:
+    path: '{{ homeassistant__home_path }}/.homeassistant'
+    mode: '0750'
+    state: 'directory'
+  become: True
+  become_user: '{{ homeassistant__user }}'
+  when: (homeassistant__deploy_state == "present")
+
+- name: Ensure Home Assistant www dir exists
+  ansible.builtin.file:
+    path: '{{ homeassistant__home_path }}/www'
+    owner: '{{ homeassistant__user }}'
+    group: '{{ homeassistant__webserver_user }}'
+    mode: '0750'
+    state: 'directory'
+  when: (homeassistant__deploy_state == "present")
+
+- name: Ensure Home Assistant www in config dir is a symlink
+  ansible.builtin.file:
+    src: '{{ homeassistant__home_path }}/www'
+    dest: '{{ homeassistant__home_path }}/.homeassistant/www'
+    state: 'link'
+    mode: '0755'
+  become: True
+  become_user: '{{ homeassistant__user }}'
+  when: (homeassistant__deploy_state == "present")
+
+- name: Configure systemd unit file
+  ansible.builtin.template:
+    src: 'etc/systemd/system/home-assistant.service.j2'
+    dest: '/etc/systemd/system/home-assistant.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: homeassistant__register_systemd_unit_file
+  when: (homeassistant__deploy_state == "present")
+
+- name: Set Home Assistant state using systemd
+  ansible.builtin.systemd:
+    name: 'home-assistant'
+    state: '{{ "started" if (homeassistant__deploy_state == "present") else "stopped" }}'
+    enabled: True
+    masked: False
+    daemon_reload: '{{ homeassistant__register_systemd_unit_file is changed }}'
+  when: (homeassistant__deploy_state == "present" and ansible_distribution_release not in ["trusty"])
diff --git a/ansible_collections/debops/debops/roles/homeassistant/tasks/main_env.yml b/ansible_collections/debops/debops/roles/homeassistant/tasks/main_env.yml
new file mode 100644
index 00000000..11701113
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/tasks/main_env.yml
@@ -0,0 +1,24 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2022 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# - name: Ensure Nginx cache dir exists
+#   ansible.builtin.file:
+#     path: '/var/cache/nginx/proxy'
+#     mode: '0700'
+#     state: 'directory'
+#     owner: 'www-data'
+#     group: 'root'
+#   when: (homeassistant__deploy_state == "present")
+
+# - name: Configure Nginx proxy_cache_path
+#   ansible.builtin.template:
+#     src: 'etc/nginx/conf.d/debops.homeassistant.conf.j2'
+#     dest: '/etc/nginx/conf.d/debops.homeassistant.conf'
+#     owner: 'root'
+#     group: 'root'
+#     mode: '0644'
+#   when: (homeassistant__deploy_state == "present")
diff --git a/ansible_collections/debops/debops/roles/homeassistant/templates/etc/nginx/conf.d/debops.homeassistant.conf.j2 b/ansible_collections/debops/debops/roles/homeassistant/templates/etc/nginx/conf.d/debops.homeassistant.conf.j2
new file mode 100644
index 00000000..09bf4f13
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/templates/etc/nginx/conf.d/debops.homeassistant.conf.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2022 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=brands:10m use_temp_path=off inactive=5y max_size=5g;
diff --git a/ansible_collections/debops/debops/roles/homeassistant/templates/etc/systemd/system/home-assistant.service.j2 b/ansible_collections/debops/debops/roles/homeassistant/templates/etc/systemd/system/home-assistant.service.j2
new file mode 100644
index 00000000..802bd5e0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/homeassistant/templates/etc/systemd/system/home-assistant.service.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# Source: https://home-assistant.io/docs/autostart/systemd/
+
+[Unit]
+Description=Home Assistant
+After=network.target
+
+[Service]
+Type=simple
+User={{ homeassistant__user }}
+ExecStart={{ homeassistant__daemon_path }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/hwraid/COPYRIGHT b/ansible_collections/debops/debops/roles/hwraid/COPYRIGHT
new file mode 100644
index 00000000..1cc33142
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hwraid/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.hwraid - Manage hardware RAID devices using Ansible
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/hwraid/defaults/main.yml b/ansible_collections/debops/debops/roles/hwraid/defaults/main.yml
new file mode 100644
index 00000000..cb82f5b1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hwraid/defaults/main.yml
@@ -0,0 +1,116 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _hwraid__ref_defaults:
+
+# debops.hwraid default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# .. envvar:: hwraid_distribution [[[
+#
+# OS distribution used to lookup available releases
+hwraid_distribution: '{{ ansible_distribution }}'
+
+                                                                   # ]]]
+# .. envvar:: hwraid_release [[[
+#
+# OS release used to lookup available releases
+hwraid_release: '{{ ansible_distribution_release }}'
+
+                                                                   # ]]]
+# .. envvar:: hwraid_blacklist [[[
+#
+# Ignore specified kernel modules
+hwraid_blacklist: []
+
+                                                                   # ]]]
+# .. envvar:: hwraid_repository_apt_key_id [[[
+#
+# HWRaid repository GPG key
+hwraid_repository_apt_key_id: '0073 C119 19A6 4146 4163  F711 6005 210E 23B3 D3B4'
+
+                                                                   # ]]]
+# .. envvar:: hwraid_distribution_releases [[[
+#
+# OS releases available in HWRaid repository
+# it is important to have the latest release first
+hwraid_distribution_releases:
+  'Debian': [ 'stretch', 'squeeze', 'sid' ]
+  'Ubuntu': [ 'wily', 'vivid', 'trusty' ]
+
+                                                                   # ]]]
+# .. envvar:: hwraid_device_database [[[
+#
+# List of known RAID device drivers and corresponding packages
+hwraid_device_database:
+
+  # 3Ware Eskalad
+  # http://hwraid.le-vert.net/wiki/3Ware
+  - module:   '3w_xxxx'
+    packages: [ 'tw_cli', '3ware-status' ]
+    daemons: [ '3ware-statusd' ]
+  - module:   '3w_9xxx'
+    packages: [ 'tw_cli', '3ware-status' ]
+    daemons: [ '3ware-statusd' ]
+
+  # LSI Fusion MPT SAS
+  # http://hwraid.le-vert.net/wiki/LSIFusionMPT
+  - module:   'mptsas'
+    packages: [ 'mpt-status' ]
+    daemons: [ 'mpt-statusd' ]
+
+  # LSI Fusion MPT SAS2
+  # http://hwraid.le-vert.net/wiki/LSIFusionMPTSAS2
+  - module:   'mpt2sas'
+    packages: [ 'sas2ircu', 'sas2ircu-status' ]
+    daemons: [ 'sas2ircu-statusd' ]
+
+  # LSI MegaRAID
+  # http://hwraid.le-vert.net/wiki/LSIMegaRAID
+  - module:   'megaraid_mm'
+    packages: [ 'megactl', 'megaraid-status' ]
+    daemons: [ 'megaraid-statusd' ]
+  - module:   'megaraid_mbox'
+    packages: [ 'megactl', 'megaraid-status' ]
+    daemons: [ 'megaraid-statusd' ]
+
+  # LSI MegaRAID SAS
+  # http://hwraid.le-vert.net/wiki/LSIMegaRAIDSAS
+  - module:   'megaraid_sas'
+    packages: [ 'megactl', 'megaraid-status' ]
+    daemons: [ 'megaraidsas-statusd' ]
+
+  # Adaptec AACRaid
+  # http://hwraid.le-vert.net/wiki/Adaptec
+  - module:   'aacraid'
+    packages: [ 'arcconf', 'aacraid-status' ]
+    daemons: [ 'aacraid-statusd' ]
+
+  # HP/Compaq SmartArray
+  # http://hwraid.le-vert.net/wiki/SmartArray
+  - module:   'cciss'
+    packages: [ 'cciss-vol-status' ]
+    daemons: [ 'cciss-vol-statusd' ]
+
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: hwraid__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+hwraid__keyring__dependent_apt_keys:
+
+  - id: '{{ hwraid_repository_apt_key_id }}'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/hwraid/meta/main.yml b/ansible_collections/debops/debops/roles/hwraid/meta/main.yml
new file mode 100644
index 00000000..bc8fafd4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hwraid/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure HWRaid repository and install packages for recognized RAID storage arrays'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - monitoring
+    - system
+    - hardware
+    - raid
+    - hwraid
diff --git a/ansible_collections/debops/debops/roles/hwraid/tasks/main.yml b/ansible_collections/debops/debops/roles/hwraid/tasks/main.yml
new file mode 100644
index 00000000..0bc400d0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/hwraid/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Select supported release for current distribution
+  ansible.builtin.set_fact:
+    hwraid_register_release: '{{ hwraid_release }}'
+  when: hwraid_release in hwraid_distribution_releases[hwraid_distribution]
+
+# if the current linux distribution is not available yet, we try to use the latest one
+- name: Select latest release for current distribution if no match found
+  ansible.builtin.set_fact:
+    hwraid_register_release: '{{ hwraid_distribution_releases[hwraid_distribution][0] }}'
+  when: hwraid_register_release is undefined
+
+- name: Configure HWRaid APT repository
+  ansible.builtin.apt_repository:
+    repo: 'deb http://hwraid.le-vert.net/{{ hwraid_distribution | lower }} {{ hwraid_register_release | lower }} main'
+    state: 'present'
+    update_cache: True
+  when: hwraid_register_release is defined and hwraid_register_release
+
+- name: Get list of active kernel modules
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && lsmod | awk '{print $1}'
+  args:
+    executable: 'bash'
+  register: hwraid_register_modules
+  changed_when: False
+
+- name: Install packages for recognized RAID devices
+  ansible.builtin.apt:
+    name: '{{ item.1 }}'
+    state: 'present'
+    install_recommends: False
+  with_subelements:
+    - '{{ hwraid_device_database }}'
+    - 'packages'
+  register: hwraid__register_packages
+  until: hwraid__register_packages is succeeded
+  when: ((hwraid_register_release is defined and hwraid_register_release) and
+         item.0.module not in hwraid_blacklist and
+         item.0.module in hwraid_register_modules.stdout_lines)
+
+- name: Make sure service starts at boot
+  ansible.builtin.service:
+    name: '{{ item.1 }}'
+    state: 'started'
+    enabled: yes
+  with_subelements:
+    - '{{ hwraid_device_database }}'
+    - 'daemons'
+  when: ((hwraid_register_release is defined and hwraid_register_release) and
+         item.0.module not in hwraid_blacklist and
+         item.0.module in hwraid_register_modules.stdout_lines)
+
+# vim: syntax=yaml ts=2 sw=2 et sr softtabstop=2 autoindent paste
diff --git a/ansible_collections/debops/debops/roles/icinga/COPYRIGHT b/ansible_collections/debops/debops/roles/icinga/COPYRIGHT
new file mode 100644
index 00000000..2c0fc3af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.icinga - Manage Icinga 2 Agent using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/icinga/defaults/main.yml b/ansible_collections/debops/debops/roles/icinga/defaults/main.yml
new file mode 100644
index 00000000..50a6128d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/defaults/main.yml
@@ -0,0 +1,904 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _icinga__ref_defaults:
+
+# debops.icinga default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Upstream configuration, APT packages [[[
+# ----------------------------------------
+
+# .. envvar:: icinga__upstream [[[
+#
+# Enable or disable support for Icinga 2 upstream packages instead of the ones
+# included in a given OS release.
+icinga__upstream: '{{ True
+                      if (ansible_distribution_release in ["trusty"])
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__upstream_apt_key_id [[[
+#
+# The GPG key id of the upstream Icinga 2 APT repository.
+icinga__upstream_apt_key_id: 'DD3A F619 8ED0 00B4 C0B7 3956 CC11 6F55 AA7F 2382'
+
+                                                                   # ]]]
+# .. envvar:: icinga__upstream_apt_repo [[[
+#
+# The :file:`sources.list` entry of the upstream Icinga 2 APT repository.
+icinga__upstream_apt_repo: 'deb https://packages.icinga.com/{{ icinga__distribution | lower }} icinga-{{ icinga__distribution_release | lower }} main'
+
+                                                                   # ]]]
+# .. envvar:: icinga__distribution [[[
+#
+# Name of the OS distribution used to select the correct upstream APT
+# repository.
+icinga__distribution: '{{ ansible_local.core.distribution | d(ansible_distribution) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__distribution_release [[[
+#
+# Name of the OS release used to select the correct upstream APT repository.
+icinga__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__version [[[
+#
+# The version of the installed Icinga 2 package, detected by the Ansible local
+# fact script. This variable can be used in conditional Icinga 2 configuration.
+icinga__version: '{{ ansible_local.icinga.version | d("0.0.0") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__base_packages [[[
+#
+# List of APT packages to install for Icinga 2 support.
+icinga__base_packages:
+  - 'icinga2'
+  - 'ssl-cert'
+  - 'monitoring-plugins'
+  - 'nagios-plugins-contrib'
+
+                                                                   # ]]]
+# .. envvar:: icinga__packages [[[
+#
+# List of additional APT packages to install with Icinga 2.
+icinga__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# User and group configuration [[[
+# --------------------------------
+
+# .. envvar:: icinga__user [[[
+#
+# Name of the UNIX system account which is used to run Icinga 2. This account
+# is created by the APT package and you shouldn't change it here.
+icinga__user: 'nagios'
+
+                                                                   # ]]]
+# .. envvar:: icinga__group [[[
+#
+# Name of the UNIX system group which is used to run Icinga 2. This group is
+# created by the APT package and you shouldn't change it here.
+icinga__group: 'nagios'
+
+                                                                   # ]]]
+# .. envvar:: icinga__additional_groups [[[
+#
+# List of additional UNIX groups which the Icinga 2 user should be a member of.
+icinga__additional_groups:
+  - 'ssl-cert'
+  - '{{ ansible_local.proc_hidepid.group
+        if (ansible_local.proc_hidepid.group | d() and
+            (ansible_local.proc_hidepid.enabled | d()) | bool)
+        else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network, DNS configuration, API configuration [[[
+# -------------------------------------------------
+
+# .. envvar:: icinga__fqdn [[[
+#
+# The Fully Qualified Domain Name of this Icinga 2 node. This variable is used
+# during the node registration in the Icinga 2 Director and in the zone
+# configuration.
+icinga__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__display_name [[[
+#
+# The short display name of this Icinga 2 node. This variable is used during
+# the node registration in the Icinga 2 Director and in the zone configuration.
+icinga__display_name: '{{ (inventory_hostname_short | d(inventory_hostname.split(".")[0]))
+                          if (inventory_hostname_short | d(inventory_hostname.split(".")[0]) != "localhost")
+                          else ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__ipv4_address [[[
+#
+# The IPv4 address (or FQDN used to lookup the IPv4 address) of this Icinga 2
+# node. This variable is used during the node registration in the Icinga 2
+# Director (and will be used to contact the node for monitoring purposes).
+icinga__ipv4_address: '{{ ansible_default_ipv4.address
+                          | d(ansible_all_ipv4_addresses | d([]) | first)
+                          | d(icinga_fqdn) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__ipv6_address [[[
+#
+# The IPv6 address (or FQDN used to lookup the IPv4 address) of this Icinga 2
+# node. This variable is used during the node registration in the Icinga 2
+# Director (and will be used to contact the node for monitoring purposes).
+icinga__ipv6_address: '{{ ansible_default_ipv6.address
+                          | d(ansible_all_ipv6_addresses | d([]) | first)
+                          | d(omit, true) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__domain [[[
+#
+# The main DNS domain used by the role to configure Icinga 2.
+icinga__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__master_nodes [[[
+#
+# List which contains the result of the DNS query for Icinga 2 master node
+# ``SRV`` resource records in the host's domain. This is a DebOps-specific
+# feature, which does not have a corresponding RFC.
+#
+# See :ref:`icinga__ref_dns_config` for details if you want to specify this
+# list manually.
+icinga__master_nodes: '{{ q("debops.debops.dig_srv", "_icinga-master._tcp." + icinga__domain,
+                            "icinga-master." + icinga__domain, icinga__api_port) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__master_delegate_to [[[
+#
+# The host to which tasks that must execute on the master node will be delegated.
+# It's used when ``icinga__master_*_configuration`` is set and configuration
+# files are written on the master node.
+icinga__master_delegate_to: '{{ icinga__master_nodes[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_nodes [[[
+#
+# List which contains the result of the DNS query for Icinga 2 director node
+# ``SRV`` resource records in the host's domain. This is a DebOps-specific
+# feature, which does not have a corresponding RFC.
+#
+# Only the first entry in the list will be used to register a node.
+#
+# See :ref:`icinga__ref_dns_config` for details if you want to specify this
+# list manually.
+icinga__director_nodes: '{{ q("debops.debops.dig_srv", "_icinga-director._tcp." + icinga__domain,
+                              "icinga-director." + icinga__domain, 443) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__node_type [[[
+#
+# Specify the type of this Icinga 2 node, either ``master`` or ``client``.
+#
+# Master nodes are not registered automatically in the Icinga 2 Director, and
+# have the default API user configured automatically.
+#
+# Client nodes are registered in the Icinga 2 Director if one is available.
+icinga__node_type: '{{ "master"
+                       if (icinga__fqdn in
+                           (icinga__master_nodes | map(attribute="target")) or
+                           not icinga__director_enabled | bool)
+                       else "client" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__allow [[[
+#
+# List of IP addresses or subnets that are allowed to talk to the Icinga
+# 2 Agent over the network, configured on all hosts in the Ansible inventory.
+# If no entries are specified, access through the firewall is disabled.
+icinga__allow: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__group_allow [[[
+#
+# List of IP addresses or subnets that are allowed to talk to the Icinga
+# 2 Agent over the network, configured on hosts in a specific Ansible inventory
+# group. If no entries are specified, access through the firewall is disabled.
+icinga__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__host_allow [[[
+#
+# List of IP addresses or subnets that are allowed to talk to the Icinga
+# 2 Agent over the network, configured on specific hosts in the Ansible
+# inventory. If no entries are specified, access through the firewall is
+# disabled.
+icinga__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__api_listen [[[
+#
+# IP address on which the Icinga 2 REST API should listen. Defaults to all IPv4
+# and IPv6 addresses.
+icinga__api_listen: '::'
+
+                                                                   # ]]]
+# .. envvar:: icinga__api_port [[[
+#
+# The TCP port on which the Icinga 2 REST API should listen.
+icinga__api_port: '5665'
+
+                                                                   # ]]]
+# .. envvar:: icinga__api_user [[[
+#
+# The default user account for the REST API with superuser privileges. This
+# account will be defined only on the master Icinga 2 nodes.
+#
+# This account is used by the :ref:`debops.icinga_web` Ansible role to perform
+# the configuration kickstart and to access the Icinga REST API. It should be
+# synchronized with the corresponding :envvar:`icinga_web__icinga_api_user`
+# variable.
+icinga__api_user: 'root'
+
+                                                                   # ]]]
+# .. envvar:: icinga__api_password [[[
+#
+# The password for the Icinga 2 REST API "root" account. It will be generated
+# only on the master Icinga 2 nodes. It should be synchronized with the
+# corresponding :envvar:`icinga_web__icinga_api_password` variable.
+icinga__api_password: '{{ lookup("password", secret + "/icinga/api/"
+                                  + icinga__fqdn + "/credentials/"
+                                  + icinga__api_user + "/password")
+                          if (icinga__node_type == "master")
+                          else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__api_permissions [[[
+#
+# List of the default permissions for the "root" account accessible via the
+# REST API.
+icinga__api_permissions: [ '*' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 Director options [[[
+# -----------------------------
+
+# .. envvar:: icinga__director_enabled [[[
+#
+# Enable or disable support for the Icinga 2 Director configuration. Support
+# will be automatically enabled if DNS ``SRV`` records exist for the Icinga 2
+# master and director nodes.
+#
+# See :ref:`icinga__ref_dns_config` for more details.
+icinga__director_enabled: '{{ True
+                              if (icinga__master_nodes[0]["dig_srv_src"] | d("") != "fallback" and
+                                  icinga__director_nodes[0]["dig_srv_src"] | d("") != "fallback")
+                              else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register [[[
+#
+# Enable or disable automatic registration of configured hosts in Icinga 2
+# Director.
+icinga__director_register: '{{ True
+                               if (icinga__director_enabled | bool)
+                               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_api_fqdn [[[
+#
+# The Fully Qualified Domain Name of the Icinga 2 Director host where a given
+# host will be registered. The address will be found using DNS ``SRV`` records
+# by default. See :ref:`icinga__ref_dns_config` for more details.
+icinga__director_register_api_fqdn: '{{ icinga__director_nodes[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_api_url [[[
+#
+# The URL of the Icinga 2 Director REST API which will be used to register the
+# host in Icinga 2 Director.
+icinga__director_register_api_url: 'https://{{ icinga__director_register_api_fqdn }}/director/host'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_api_user [[[
+#
+# The user account in the Icinga 2 Director REST API which will be used for
+# host registration. This variable corresponds to the
+# :envvar:`icinga_web__director_api_user` variable.
+icinga__director_register_api_user: 'director-api'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_api_password [[[
+#
+# The password of the Icinga 2 Director REST API user used to register the host
+# in Icinga. This variable corresponds to the
+# :envvar:`icinga_web__director_api_password` variable.
+icinga__director_register_api_password: '{{ lookup("password", secret + "/icinga_web/api/"
+                                            + icinga__director_register_api_fqdn + "/credentials/"
+                                            + icinga__director_register_api_user + "/password") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_default_templates [[[
+#
+# List of default host templates to use for a given host during registration.
+# The templates need to be prepared beforehand in the Icinga 2 Director.
+icinga__director_register_default_templates:
+  - 'icinga-agent-host'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_templates [[[
+#
+# List of host templates to use for a given host during registration. These
+# templates are used for all hosts in the Ansible inventory. The templates
+# need to be prepared beforehand in the Icinga 2 Director.
+icinga__director_register_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_group_templates [[[
+#
+# List of host templates to use for a given host during registration. These
+# templates are used for hosts in a specific Ansible inventory group.
+# The templates need to be prepared beforehand in the Icinga 2 Director.
+icinga__director_register_group_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_host_templates [[[
+#
+# List of host templates to use for a given host during registration. These
+# templates are used for specific hosts in the Ansible inventory.
+# The templates need to be prepared beforehand in the Icinga 2 Director.
+icinga__director_register_host_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_default_vars [[[
+#
+# YAML dictionary that contains default environment variables defined for
+# a given host during registration. The key is the variable name, and the value
+# is the variable value.
+icinga__director_register_default_vars:
+  'ansible_managed': True
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_vars [[[
+#
+# YAML dictionary that contains environment variables defined for a given host
+# during registration. These variables will be set for all hosts in the Ansible
+# inventory. The key is the variable name, and the value is the variable value.
+icinga__director_register_vars: {}
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_group_vars [[[
+#
+# YAML dictionary that contains environment variables defined for a given host
+# during registration. These variables will be set for hosts in a specific
+# Ansible inventory group. The key is the variable name, and the value is the
+# variable value.
+icinga__director_register_group_vars: {}
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_host_vars [[[
+#
+# YAML dictionary that contains environment variables defined for a given host
+# during registration. These variables will be set for specific hosts in the
+# Ansible inventory. The key is the variable name, and the value is the
+# variable value.
+icinga__director_register_host_vars: {}
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_register_host_object [[[
+#
+# The host object data passed to the Icinga 2 Director via the REST API during
+# host registration.
+icinga__director_register_host_object:
+  object_type: 'object'
+  object_name: '{{ icinga__fqdn }}'
+  display_name: '{{ icinga__display_name }}'
+  address: '{{ icinga__ipv4_address }}'
+  address6: '{{ icinga__ipv6_address }}'
+  imports: '{{ q("flattened",
+                 (icinga__director_register_default_templates
+                  + icinga__director_register_templates
+                  + icinga__director_register_group_templates
+                  + icinga__director_register_host_templates)) }}'
+  vars: '{{ icinga__director_register_default_vars
+            | combine(icinga__director_register_vars,
+                      icinga__director_register_group_vars,
+                      icinga__director_register_host_vars) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_deploy [[[
+#
+# Enable or disable automatic deployment of new Icinga configuration via Icinga
+# 2 Director. The deployment will be triggered only once if any host on the
+# current run is registered in Icinga.
+icinga__director_deploy: '{{ True
+                             if (icinga__director_register | bool)
+                             else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_deploy_api_fqdn [[[
+#
+# The Fully Qualified Domain Name of the Icinga 2 Director host where the
+# deployment will be performed. The address will be found using DNS SRV records
+# by default. See :ref:`icinga__ref_dns_config` for more details.
+icinga__director_deploy_api_fqdn: '{{ icinga__director_nodes[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_deploy_api_url [[[
+#
+# The REST API URL used to execute new configuration deployment.
+icinga__director_deploy_api_url: 'https://{{ icinga__director_deploy_api_fqdn }}/director/config/deploy'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_deploy_api_user [[[
+#
+# The user account in the Icinga 2 Director REST API which will be used for
+# configuration deployment. This variable corresponds to the
+# :envvar:`icinga_web__director_api_user` variable.
+icinga__director_deploy_api_user: 'director-api'
+
+                                                                   # ]]]
+# .. envvar:: icinga__director_deploy_api_password [[[
+#
+# The password of the Icinga 2 Director REST API user used to perform the
+# configuration deployment. This variable corresponds to the
+# :envvar:`icinga_web__director_api_password` variable.
+icinga__director_deploy_api_password: '{{ lookup("password", secret + "/icinga_web/api/"
+                                            + icinga__director_deploy_api_fqdn + "/credentials/"
+                                            + icinga__director_deploy_api_user + "/password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DebOps PKI support [[[
+# ----------------------
+
+# .. envvar:: icinga__pki_enabled [[[
+#
+# Enable or disable support for DebOps PKI. If disabled, Icinga will be
+# configured with the default certificate and key paths, but no further
+# configuration will be done to create the internal PKI.
+icinga__pki_enabled: '{{ True
+                         if (ansible_local | d() and ansible_local.pki | d() and
+                             (ansible_local.pki.enabled | d()) | bool)
+                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_path [[[
+#
+# The base path where the PKI realms are located.
+icinga__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_realm [[[
+#
+# Name of the PKI realm to use for Icinga REST API.
+icinga__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_ca [[[
+#
+# Name of the file which contains the Root Certificate Authority certificate.
+icinga__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_crt [[[
+#
+# Name of the file which contains the server certificate.
+icinga__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_key [[[
+#
+# Name of the file which contains the private key.
+icinga__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_cert_path [[[
+#
+# Absolute path of the X.509 server certificate used by Icinga.
+icinga__pki_cert_path: '{{ icinga__pki_path + "/" + icinga__pki_realm
+                           + "/" + icinga__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_key_path [[[
+#
+# Absolute path of the X.509 private key used by Icinga.
+icinga__pki_key_path: '{{ icinga__pki_path + "/" + icinga__pki_realm
+                          + "/" + icinga__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__pki_ca_path [[[
+#
+# Absolute path of the Root Certificate Authority used by Icinga.
+icinga__pki_ca_path: '{{ icinga__pki_path + "/" + icinga__pki_realm
+                         + "/" + icinga__pki_ca }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga configuration files [[[
+# ------------------------------
+
+# These lists manage the files and directories stored in the
+# :file:`/etc/icinga2/` directory. See the :ref:`icinga__ref_configuration` for
+# more details.
+
+# .. envvar:: icinga__default_configuration [[[
+#
+# The default Icinga configuration files defined by the role.
+icinga__default_configuration:
+
+  - name: 'icinga2.conf'
+    divert: True
+    comment: |
+      Icinga 2 configuration file
+      - this is where you define settings for the Icinga application including
+      which hosts/services to check.
+
+      For an overview of all available configuration options please refer
+      to the documentation that is distributed as part of Icinga 2.
+    options:
+
+      - name: 'constants'
+        comment: 'The constant.conf defines global constants.'
+        value: |
+          include "constants.conf"
+        state: 'present'
+
+      - name: 'zones'
+        comment: |
+          The zones.conf defines zones for a cluster setup.
+          Not required for single instance setups.
+        value: |
+          include "zones.conf"
+        state: 'present'
+
+      - name: 'itl'
+        comment: |
+          The Icinga Template Library (ITL) provides a number of useful templates
+          and command definitions.
+          Common monitoring plugin command definitions are included separately.
+        value: |
+          include <itl>
+          include <plugins>
+          include <plugins-contrib>
+          include <manubulon>
+        state: 'present'
+
+      - name: 'windows_plugins'
+        comment: |
+          This includes the Icinga 2 Windows plugins. These command definitions
+          are required on a master node when a client is used as command endpoint.
+        value: |
+          include <windows-plugins>
+        state: 'present'
+
+      - name: 'nscp'
+        comment: |
+          This includes the NSClient++ check commands. These command definitions
+          are required on a master node when a client is used as command endpoint.
+        value: |
+          include <nscp>
+        state: 'present'
+
+      - name: 'features_enabled'
+        comment: |
+          The features-available directory contains a number of configuration
+          files for features which can be enabled and disabled using the
+          icinga2 feature enable / icinga2 feature disable CLI commands.
+          These commands work by creating and removing symbolic links in
+          the features-enabled directory.
+        value: |
+          include "features-enabled/*.conf"
+        state: 'present'
+
+      - name: 'repository.d'
+        comment: |
+          The repository.d directory contains all configuration objects
+          managed by the 'icinga2 repository' CLI commands.
+        value: |
+          include_recursive "repository.d"
+        state: '{{ "absent"
+                   if (icinga__version is version("2.8.0", ">="))
+                   else "present" }}'
+
+      - name: 'conf.d'
+        comment: |
+          Although in theory you could define all your objects in this file
+          the preferred way is to create separate directories and files in the conf.d
+          directory. Each of these files must have the file extension ".conf".
+        value: |
+          include_recursive "conf.d"
+        state: '{{ "absent" if (icinga__director_enabled | bool) else "present" }}'
+
+      - name: 'api_users'
+        comment: |
+          Read the API User objects on master node.
+        value: |
+          include "conf.d/api-users.conf"
+        state: '{{ "present"
+                   if (icinga__director_enabled | bool and
+                       icinga__node_type == "master")
+                   else "absent" }}'
+
+  - name: 'zones.conf'
+    divert: True
+    comment: |
+      Endpoint and Zone configuration for a cluster setup
+      This local example requires 'NodeName' defined in
+      constants.conf
+    options:
+
+      - name: 'object_master'
+        value: |
+          {% for record in icinga__master_nodes %}
+          {% if record.target | d() %}
+          object Endpoint "{{ record.target | regex_replace('\.$', '') }}" {
+            host = "{{ record.target | regex_replace('\.$', '') }}"
+            port = "{{ record.port }}"
+          }
+
+          {% endif %}
+          {% endfor %}
+          object Zone "master" {
+            endpoints = [ "{{ icinga__master_nodes | map(attribute='target') | join('", "') }}" ]
+          }
+        state: '{{ "present"
+                   if (icinga__node_type != "master" and
+                       icinga__master_nodes[0]["dig_srv_src"] | d("") != "fallback")
+                   else "absent" }}'
+
+      - name: 'object_node'
+        value: |
+          object Endpoint NodeName {
+            host = NodeName
+          }
+
+          object Zone ZoneName {
+            endpoints = [ NodeName ]
+          {% if (icinga__director_enabled | bool and icinga__node_type != 'master') %}
+            parent = "master"
+          {% endif %}
+          }
+        state: 'present'
+
+      - name: 'object_global_templates'
+        value: |
+          object Zone "global-templates" {
+            global = true
+          }
+        state: 'present'
+
+      - name: 'object_director_global'
+        value: |
+          object Zone "director-global" {
+            global = true
+          }
+        state: '{{ "present" if (icinga__director_enabled | bool) else "absent" }}'
+
+  - name: 'conf.d/api-users.conf'
+    comment: 'The APIUser objects are used for authentication against the API.'
+    group: '{{ icinga__group }}'
+    mode: '0640'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if (icinga__node_type == "master")
+               else "absent" }}'
+    options:
+
+      - name: 'api_user_root'
+        value: |
+          object ApiUser "{{ icinga__api_user }}" {
+            password = "{{ icinga__api_password }}"
+
+            permissions = [ "{{ icinga__api_permissions | join('", "') }}" ]
+          }
+        state: 'present'
+
+  - name: 'features-available/api.conf'
+    divert: True
+    comment: 'The API listener is used for distributed monitoring setups.'
+    value: |
+      object ApiListener "api" {
+        bind_host = "{{ icinga__api_listen }}"
+        bind_port = {{ icinga__api_port }}
+
+      {% if icinga__pki_enabled | bool %}
+        cert_path = "{{ icinga__pki_cert_path }}"
+        key_path  = "{{ icinga__pki_key_path }}"
+        ca_path   = "{{ icinga__pki_ca_path }}"
+      {% else %}
+        cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
+        key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
+        ca_path = SysconfDir + "/icinga2/pki/ca.crt"
+      {% endif %}
+
+        accept_config   = {{ 'false' if (icinga__director_enabled | bool and icinga__node_type == 'master') else 'true' }}
+        accept_commands = {{ 'false' if (icinga__director_enabled | bool and icinga__node_type == 'master') else 'true' }}
+
+        ticket_salt = TicketSalt
+      }
+    state: 'present'
+    feature_name: 'api'
+    feature_state: 'present'
+
+  - name: 'features-available/notification.conf'
+    divert: True
+    state: '{{ "init" if (icinga__node_type == "master") else "feature" }}'
+    feature_name: 'notification'
+    feature_state: '{{ "present" if (icinga__node_type == "master") else "absent" }}'
+
+  - name: 'features-available/checker.conf'
+    divert: True
+    state: '{{ "init" if (icinga__node_type == "master") else "feature" }}'
+    feature_name: 'checker'
+    feature_state: '{{ "present" if (icinga__node_type == "master") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__configuration [[[
+#
+# List of the Icinga configuration files managed on all hosts in the Ansible
+# inventory.
+icinga__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__group_configuration [[[
+#
+# List of the Icinga configuration files managed on hosts in a specific Ansible
+# inventory group.
+icinga__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__host_configuration [[[
+#
+# List of the Icinga configuration files managed on specific hosts in the
+# Ansible inventory.
+icinga__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__dependent_configuration [[[
+#
+# List of the Icinga configuration files defined by other Ansible roles using
+# role-dependent variables. See :ref:`icinga__ref_dependency` for more details
+# about the usage.
+icinga__dependent_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__dependent_configuration_filter [[[
+#
+# Variable which contains the parsed list of Icinga configuration files defined
+# by other Ansible roles.
+icinga__dependent_configuration_filter: '{{ lookup("template",
+                                             "lookup/icinga__dependent_configuration_filter.j2")
+                                             | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__combined_configuration [[[
+#
+# Variable which combines all of the other Icinga configuration lists and is
+# used in the role tasks.
+icinga__combined_configuration: '{{ icinga__default_configuration
+                                    + icinga__dependent_configuration_filter
+                                    + icinga__configuration
+                                    + icinga__group_configuration
+                                    + icinga__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga master node's configuration files [[[
+# --------------------------------------------
+
+# These lists manage the files and directories stored in the
+# :file:`/etc/icinga2/zones.d/` directory on the Icinga master node.
+# It may be used when the setup of an Icinga agent needs to add config files
+# to the master node. It's useful when Director module is not used and
+# Icinga objects (Zone, Endpoint, Host, ...) need to be defined both
+# on the agent and the master nodes.
+# The syntax for ``icinga__master_*_configuration`` variables is the
+# same as :ref:`icinga__ref_configuration`.
+
+# .. envvar:: icinga__master_configuration [[[
+#
+# List of the Icinga configuration files defined on the master node for
+# every host.
+icinga__master_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__master_group_configuration [[[
+#
+# List of the Icinga configuration files defined on the master node for
+# hosts in a specific Ansible inventory group.
+icinga__master_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__master_host_configuration [[[
+#
+# List of the Icinga configuration files defined on the master node for
+# specific hosts in the Ansible inventory.
+icinga__master_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__master_combined_configuration [[[
+#
+# Variable which combines Icinga master node configuration from previous
+# variables.
+icinga__master_combined_configuration: '{{ icinga__master_configuration
+                                           + icinga__master_group_configuration
+                                           + icinga__master_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom files managed with Icinga [[[
+# ------------------------------------
+
+# These lists can be used to manage custom files (by default scripts) on the
+# hosts along with Icinga. See :ref:`icinga__ref_custom_files` for more
+# details.
+
+# .. envvar:: icinga__custom_files [[[
+#
+# List of custom files managed on all hosts in the Ansible inventory.
+icinga__custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__group_custom_files [[[
+#
+# List of custom files managed on hosts in a specific Ansible inventory group.
+icinga__group_custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: icinga__host_custom_files [[[
+#
+# List of custom files managed on specific hosts in the Ansible inventory.
+icinga__host_custom_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: icinga__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+icinga__etc_services__dependent_list:
+
+  - name: 'icinga-api'
+    port: '{{ icinga__api_port }}'
+    comment: 'Icinga 2 REST API'
+
+                                                                   # ]]]
+# .. envvar:: icinga__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+icinga__keyring__dependent_apt_keys:
+
+  - id: '{{ icinga__upstream_apt_key_id }}'
+    repo: '{{ icinga__upstream_apt_repo }}'
+    state: '{{ "present" if icinga__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+icinga__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'icinga-api' ]
+    saddr: '{{ icinga__allow + icinga__group_allow + icinga__host_allow }}'
+    accept_any: False
+    weight: '40'
+    by_role: 'icinga'
+    name: 'icinga_api'
+                                                                   # ]]]
+# .. envvar:: icinga__unattended_upgrades__dependent_origins [[[
+#
+# List of origin patterns managed by the :ref:`debops.unattended_upgrades` role.
+icinga__unattended_upgrades__dependent_origins:
+
+  - origin: 'site=packages.icinga.com'
+    by_role: 'debops.icinga'
+    state: '{{ "present" if icinga__upstream | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/icinga/handlers/main.yml b/ansible_collections/debops/debops/roles/icinga/handlers/main.yml
new file mode 100644
index 00000000..7901bb04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/handlers/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check icinga2 configuration and restart it on the master node
+  ansible.builtin.command: icinga2 daemon -C
+  register: icinga__register_check_config
+  changed_when: icinga__register_check_config.changed | bool
+  notify: [ 'Restart icinga2 on the master node' ]
+  delegate_to: '{{ icinga__master_delegate_to }}'
+
+- name: Restart icinga2 on the master node
+  ansible.builtin.service:
+    name: 'icinga2'
+    state: 'restarted'
+  delegate_to: '{{ icinga__master_delegate_to }}'
+
+- name: Trigger Icinga Director configuration deployment
+  ansible.builtin.uri:
+    body_format: 'json'
+    headers:
+      Accept: 'application/json'
+    method: 'POST'
+    url: '{{ icinga__director_deploy_api_url }}'
+    user: '{{ icinga__director_deploy_api_user }}'
+    password: '{{ icinga__director_deploy_api_password }}'
+  run_once: True
+  when: icinga__director_deploy | bool
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/icinga/meta/main.yml b/ansible_collections/debops/debops/roles/icinga/meta/main.yml
new file mode 100644
index 00000000..337117e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Icinga 2 installation'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - monitoring
+    - icinga
+    - nagios
diff --git a/ansible_collections/debops/debops/roles/icinga/tasks/main.yml b/ansible_collections/debops/debops/roles/icinga/tasks/main.yml
new file mode 100644
index 00000000..96bd8851
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/tasks/main.yml
@@ -0,0 +1,197 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import Custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required Icinga packages
+  ansible.builtin.package:
+    name: '{{ lookup("flattened",
+                     (icinga__base_packages + icinga__packages),
+                     wantlist=True) }}'
+    state: 'present'
+  register: icinga__register_packages
+  until: icinga__register_packages is succeeded
+
+- name: Add Icinga user to system UNIX groups
+  ansible.builtin.user:
+    name: '{{ icinga__user }}'
+    groups: '{{ lookup("flattened", icinga__additional_groups, wantlist=True) | join(",") }}'
+    append: True
+  notify: [ 'Check icinga2 configuration and restart' ]
+
+- name: Load dependent configuration variables
+  ansible.builtin.include_vars:
+    dir: '{{ secret + "/icinga/dependent_config/" + inventory_hostname }}'
+    depth: 1
+    name: 'icinga__vars_dependent_configuration'
+  when: (ansible_local | d() and ansible_local.icinga | d() and
+         (ansible_local.icinga.configured | d()) | bool)
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Icinga local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/icinga.fact.j2'
+    dest: '/etc/ansible/facts.d/icinga.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Add/remove diversion of Icinga configuration files
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/icinga2/" + item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    state: '{{ item.state | d("present") }}'
+    delete: True
+  loop: '{{ icinga__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: (item.name | d() and
+         item.state | d('present') in ['absent', 'present'] and
+         item.divert | d(False) | bool)
+
+- name: Ensure that configuration directories exist
+  ansible.builtin.file:
+    path: '/etc/icinga2/{{ (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) | dirname }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ icinga__combined_configuration | debops.debops.parse_kv_items }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init', 'feature'] and
+         ((item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) | dirname | d()))
+
+- name: Remove Icinga configuration files
+  ansible.builtin.file:
+    path: '/etc/icinga2/{{ item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ icinga__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: (item.name | d() and item.state | d('present') == 'absent' and
+         not item.divert | d(False) | bool)
+
+- name: Generate Icinga configuration files
+  ansible.builtin.template:
+    src: 'etc/icinga2/template.conf.j2'
+    dest: '/etc/icinga2/{{ item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0644") }}'
+  with_items: '{{ icinga__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init', 'divert', 'feature'])
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Ensure that configuration directories exist on the master node
+  ansible.builtin.file:
+    path: '/etc/icinga2/zones.d/{{ (item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) | dirname }}'
+    state: 'directory'
+    recurse: true
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ icinga__master_combined_configuration | debops.debops.parse_kv_items }}'
+  delegate_to: '{{ icinga__master_delegate_to }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init', 'feature'] and
+         ((item.filename | d(item.name | regex_replace(".conf$", "") + ".conf")) | dirname | d()))
+
+- name: Remove Icinga configuration on the master node if requested
+  ansible.builtin.file:
+    path: '/etc/icinga2/zones.d/{{ item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ icinga__master_combined_configuration | debops.debops.parse_kv_items }}'
+  delegate_to: '{{ icinga__master_delegate_to }}'
+  notify: [ 'Check icinga2 configuration and restart it on the master node' ]
+  when: (item.name | d() and item.state | d('present') == 'absent')
+
+- name: Generate Icinga configuration files on the master node
+  ansible.builtin.template:
+    src: 'etc/icinga2/template.conf.j2'
+    dest: '/etc/icinga2/zones.d/{{ item.filename | d(item.name | regex_replace(".conf$", "") + ".conf") }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0644") }}'
+  with_items: '{{ icinga__master_combined_configuration | debops.debops.parse_kv_items }}'
+  delegate_to: '{{ icinga__master_delegate_to }}'
+  notify: [ 'Check icinga2 configuration and restart it on the master node' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init', 'divert', 'feature'])
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+
+- name: Configure state of Icinga features
+  ansible.builtin.file:
+    path: '/etc/icinga2/features-enabled/{{ item.feature_name }}.conf'
+    src: '{{ ("../features-available/" + item.feature_name + ".conf")
+             if (item.feature_state | d("present") == "present") else omit }}'
+    state: '{{ "link" if item.feature_state | d("present") == "present" else "absent" }}'
+    mode: '0644'
+    force: '{{ True if ansible_check_mode | bool else omit }}'
+  with_items: '{{ icinga__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init', 'divert'] and
+         item.feature_name | d() and item.feature_state | d())
+
+- name: Copy custom files for Icinga
+  ansible.builtin.copy:
+    content: '{{ item.content | d(omit) }}'
+    src:     '{{ item.src | d(omit) }}'
+    dest:    '{{ item.dest | d(omit) }}'
+    force:   '{{ item.force | d(omit) }}'
+    owner:   '{{ item.owner | d("root") }}'
+    group:   '{{ item.group | d("root") }}'
+    mode:    '{{ item.mode | d("0755") }}'
+  loop: '{{ q("flattened", icinga__custom_files
+                           + icinga__group_custom_files
+                           + icinga__host_custom_files) }}'
+  when: ((item.src | d() or item.content | d()) and
+         item.dest | d() and item.state | d("present") != "absent")
+
+- name: Save dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/icinga/dependent_config/inventory_hostname/configuration.json.j2'
+    dest: '{{ secret + "/icinga/dependent_config/" + inventory_hostname + "/configuration.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+
+- name: Register Icinga node in Icinga Director
+  ansible.builtin.uri:
+    body_format: 'json'
+    headers:
+      Accept: 'application/json'
+    method: 'POST'
+    body: '{{ icinga__director_register_host_object }}'
+    url: '{{ icinga__director_register_api_url }}'
+    user: '{{ icinga__director_register_api_user }}'
+    password: '{{ icinga__director_register_api_password }}'
+    status_code: [ 201, 422, 500 ]
+    force_basic_auth: True
+  register: icinga__register_director_host
+  notify: [ 'Trigger Icinga Director configuration deployment' ]
+  when: (icinga__director_enabled | bool and icinga__director_register | bool and
+         (icinga__node_type != 'master' or (ansible_local.icinga_web.installed | d()) | bool))
+  changed_when: icinga__register_director_host.status == 201
+  tags: [ 'role::icinga:register' ]
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/icinga/tasks/main_env.yml b/ansible_collections/debops/debops/roles/icinga/tasks/main_env.yml
new file mode 100644
index 00000000..942b69a9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare Icinga environment
+  ansible.builtin.set_fact:
+    icinga__secret__directories: '{{ lookup("template", "lookup/icinga__secret__directories.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/icinga/templates/etc/ansible/facts.d/icinga.fact.j2 b/ansible_collections/debops/debops/roles/icinga/templates/etc/ansible/facts.d/icinga.fact.j2
new file mode 100644
index 00000000..597662e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/templates/etc/ansible/facts.d/icinga.fact.j2
@@ -0,0 +1,39 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"installed": False,
+                      "configured": True}
+                     | to_nice_json }}''')
+
+output['installed'] = cmd_exists('icinga2')
+
+try:
+    icinga_version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "icinga2"]).decode('utf-8').split('-')[0]
+    output['version'] = icinga_version_stdout
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/icinga/templates/etc/icinga2/template.conf.j2 b/ansible_collections/debops/debops/roles/icinga/templates/etc/icinga2/template.conf.j2
new file mode 100644
index 00000000..e6862c2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/templates/etc/icinga2/template.conf.j2
@@ -0,0 +1,43 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro print_comment(comment) %}
+{%   if (comment | regex_replace('\n$','')).split('\n') | count == 1 %}
+{{ comment | regex_replace('\n$','') | comment('plain', decoration='// ', prefix='', postfix='') -}}
+{%   else %}
+{{ comment | regex_replace('\n$','') | comment('plain', decoration=' * ', prefix='/**', postfix=' */\n') -}}
+{%   endif %}
+{% endmacro %}
+{{ print_comment(ansible_managed) }}
+{% if item.comment | d() %}
+{{ print_comment(item.comment) -}}
+{% endif %}
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element.value | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if (not loop.first or (loop.first and item.comment | d())) %}
+
+{%       endif %}
+{%       if element.comment | d() %}
+{{ print_comment(element.comment) -}}
+{%       endif %}
+{%       if element.state | d('present') == 'comment' %}
+/*
+{%       endif %}
+{{ element.value | regex_replace('\n$','') }}
+{%       if element.state | d('present') == 'comment' %}
+*/
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.value | d() %}
+{%   if item.state | d('present') == 'comment' %}
+/*
+{%   endif %}
+{{ item.value | regex_replace('\n$','') }}
+{%   if item.state | d('present') == 'comment' %}
+*/
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__dependent_configuration_filter.j2 b/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__dependent_configuration_filter.j2
new file mode 100644
index 00000000..9a77537e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__dependent_configuration_filter.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set icinga__tpl_dependent_configuration = {} %}
+{% if icinga__vars_dependent_configuration | d() %}
+{%   set _ = icinga__tpl_dependent_configuration.update(icinga__vars_dependent_configuration) %}
+{% endif %}
+{% if icinga__dependent_configuration %}
+{%   set icinga__tpl_flattened_configuration = lookup('flattened', icinga__dependent_configuration) %}
+{%   for element in ([ icinga__tpl_flattened_configuration ] if icinga__tpl_flattened_configuration is mapping else icinga__tpl_flattened_configuration) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = icinga__tpl_dependent_configuration.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = icinga__tpl_dependent_configuration.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = icinga__tpl_dependent_configuration.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set icinga__tpl_output_configuration = [] %}
+{% for key, value in icinga__tpl_dependent_configuration.items() %}
+{%   set _ = icinga__tpl_output_configuration.extend(value) %}
+{% endfor %}
+{{ icinga__tpl_output_configuration | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__secret__directories.j2 b/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__secret__directories.j2
new file mode 100644
index 00000000..7172ee52
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/templates/lookup/icinga__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'icinga/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/icinga/templates/secret/icinga/dependent_config/inventory_hostname/configuration.json.j2 b/ansible_collections/debops/debops/roles/icinga/templates/secret/icinga/dependent_config/inventory_hostname/configuration.json.j2
new file mode 100644
index 00000000..bf1b306f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga/templates/secret/icinga/dependent_config/inventory_hostname/configuration.json.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set icinga__tpl_dependent_configuration = {} %}
+{% if icinga__vars_dependent_configuration | d() %}
+{%   set _ = icinga__tpl_dependent_configuration.update(icinga__vars_dependent_configuration) %}
+{% endif %}
+{% if icinga__dependent_configuration %}
+{%   set icinga__tpl_flattened_configuration = lookup('flattened', icinga__dependent_configuration) %}
+{%   for element in ([ icinga__tpl_flattened_configuration ] if icinga__tpl_flattened_configuration is mapping else icinga__tpl_flattened_configuration) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = icinga__tpl_dependent_configuration.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = icinga__tpl_dependent_configuration.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = icinga__tpl_dependent_configuration.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ icinga__tpl_dependent_configuration | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/icinga_db/COPYRIGHT b/ansible_collections/debops/debops/roles/icinga_db/COPYRIGHT
new file mode 100644
index 00000000..9fab86db
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.icinga_db - Manage Icinga 2 database using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+Copyright (C) 2018-2023 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/icinga_db/defaults/main.yml b/ansible_collections/debops/debops/roles/icinga_db/defaults/main.yml
new file mode 100644
index 00000000..f50fd7ac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/defaults/main.yml
@@ -0,0 +1,283 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+# .. Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _icinga_db__ref_defaults:
+
+# debops.icinga_db default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: icinga_db__icinga_installed [[[
+#
+# Variable which defines if Icinga 2 has been installed on the host. If it's
+# not installed, the role will not perform the database configuration.
+#
+# You should install Icinga with the :ref:`debops.icinga` role before
+# configuring a database for it. The default DebOps playbook should do that
+# automatically if the main Icinga role is enabled on a host.
+icinga_db__icinga_installed: '{{ ansible_local.icinga.installed | d(False) | bool }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: icinga_db__type [[[
+#
+# The database type to configure for Icinga 2, either PostgreSQL (preferred) or
+# MariaDB/MySQL. Debian installation supports only one database type at a time.
+icinga_db__type: '{{ ansible_local.icinga_db.type
+                     | d("postgresql" if ansible_local.postgresql is defined else "", true)
+                     | d("mariadb" if ansible_local.mariadb is defined else "", true) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__database_map [[[
+#
+# A map containing per-database settings for the Icinga 2 database.
+icinga_db__database_map:
+  postgresql:
+    ido:       'pgsql'
+    db_name:   'icinga2'
+    db_user:   'icinga2'
+    db_host:   '{{ ansible_local.postgresql.server | d("localhost") }}'
+    db_port:   '{{ ansible_local.postgresql.port | d(5432) }}'
+    db_schema: '/usr/share/icinga2-ido-pgsql/schema/pgsql.sql'
+    pw_path:   '{{ secret + "/postgresql/"
+                   + ansible_local.postgresql.delegate_to | d(inventory_hostname)
+                   + "/" + ansible_local.postgresql.port | d("5432")
+                   + "/credentials/icinga2/password" }}'
+  mariadb:
+    ido:       'mysql'
+    db_name:   'icinga2'
+    db_user:   'icinga2'
+    db_host:   '{{ ansible_local.mariadb.server | d("localhost") }}'
+    db_port:   '{{ ansible_local.mariadb.port | d() }}'
+    db_schema: '/usr/share/icinga2-ido-mysql/schema/mysql.sql'
+    pw_path:   '{{ secret + "/mariadb/"
+                   + ansible_local.mariadb.delegate_to | d(inventory_hostname)
+                   + "/credentials/icinga2/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__ido [[[
+#
+# The IDO driver to use for the Icinga 2 database.
+icinga_db__ido: '{{ icinga_db__database_map[icinga_db__type].ido }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__host [[[
+#
+# The host where the Icinga 2 database will be installed.
+icinga_db__host: '{{ icinga_db__database_map[icinga_db__type].db_host }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__port [[[
+#
+# The port used to connect to the Icinga 2 database.
+icinga_db__port: '{{ icinga_db__database_map[icinga_db__type].db_port }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__ssl [[[
+#
+# Whether to use SSL when communicating with the Icinga 2 database.
+icinga_db__ssl: '{{ False if icinga_db__host == "localhost"
+                    else ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__user [[[
+#
+# Name of the database user for Icinga 2.
+icinga_db__user: '{{ icinga_db__database_map[icinga_db__type].db_user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__database [[[
+#
+# Name of the database for Icinga 2.
+icinga_db__database: '{{ icinga_db__database_map[icinga_db__type].db_name }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__password_path [[[
+#
+# Path to database password file located on the Ansible Controller. See the
+# :ref:`debops.secret` role for more details.
+icinga_db__password_path: '{{ icinga_db__database_map[icinga_db__type].pw_path }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__password [[[
+#
+# Password of the Icinga 2 database user.
+icinga_db__password: "{{ lookup('password', icinga_db__password_path
+                                   + ' length=48 chars=ascii_letters,digits,.-_') }}"
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__init [[[
+#
+# Should the Icinga 2 database be initialized ? Per default, it should be
+# initialized only the first time this role runs.
+icinga_db__init: '{{ not (ansible_local.icinga_db.configured | d(False) | bool) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__schema [[[
+#
+# Absolute path to the Icinga 2 database schema which will be imported during
+# initialization. The schema needs to be located on the remote host where
+# Icinga 2 is being configured.
+icinga_db__schema: '{{ icinga_db__database_map[icinga_db__type].db_schema }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__default_configuration [[[
+#
+# The default database configuration applied by the role.
+icinga_db__default_configuration:
+
+  - name: 'library'
+    raw: 'library "db_ido_{{ icinga_db__ido }}"'
+
+  - name: 'connection'
+    option: 'object Ido{{ icinga_db__ido | capitalize }}Connection "ido-{{ icinga_db__ido }}"'
+    options:
+
+      - name: 'user'
+        value: '{{ icinga_db__user }}'
+
+      - name: 'password'
+        value: '{{ icinga_db__password }}'
+
+      - name: 'host'
+        value: '{{ icinga_db__host }}'
+
+      - name: 'database'
+        value: '{{ icinga_db__database }}'
+
+      - name: 'port'
+        value: '{{ icinga_db__port | d("") }}'
+        state: '{{ "present" if icinga_db__port | d() else "ignore" }}'
+
+      - name: 'ssl_mode'
+        value: '{{ "verify-full" if icinga_db__ssl | d(False) | bool else "disable" }}'
+        state: '{{ "present" if icinga_db__type | d() == "postgresql" else "ignore" }}'
+
+      - name: 'enable_ssl'
+        value: '{{ True if icinga_db__ssl | d(False) | bool else False }}'
+        state: '{{ "present" if icinga_db__type | d() == "mariadb" else "ignore" }}'
+
+      - name: 'ssl_ca'
+        value: '{{ icinga_db__ssl_ca_certificate }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__configuration [[[
+#
+# Custom database configuration defined in the Ansible inventory.
+icinga_db__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__combined_configuration [[[
+#
+# A variable which combines the database configuration from different
+# source variables and is used by the role to generate the actual
+# configuration file.
+icinga_db__combined_configuration: '{{ icinga_db__default_configuration
+                                       + icinga_db__configuration }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Support for DebOps PKI and TLS [[[
+# ----------------------------------
+
+# .. envvar:: icinga_db__pki_path [[[
+#
+# Absolute path to the directory that contains PKI realms.
+icinga_db__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__pki_realm [[[
+#
+# Default PKI realm used by the Icinga database server.
+icinga_db__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__pki_ca [[[
+#
+# Name of the Root CA certificate file, relative to the PKI realm directory.
+icinga_db__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__ssl_ca_certificate [[[
+#
+# Absolute path to the Root CA certificate used by the Icinga 2 master to
+# authenticate database server certificates.
+icinga_db__ssl_ca_certificate: '{{ icinga_db__pki_path + "/"
+                                   + icinga_db__pki_realm + "/"
+                                   + icinga_db__pki_ca }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: icinga_db__base_packages [[[
+#
+# The list of APT packages to install for Icinga 2 database support.
+icinga_db__base_packages:
+
+  # Disable dbconfig support, DebOps roles will handle the Icinga database
+  - 'dbconfig-no-thanks'
+  - '{{ "icinga2-ido-" + icinga_db__ido }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__packages [[[
+#
+# List of additional APT packages to install with Icinga 2 database support.
+icinga_db__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: icinga_db__postgresql__dependent_roles [[[
+#
+# Configuration of PostgreSQL roles for :ref:`debops.postgresql` Ansible role.
+icinga_db__postgresql__dependent_roles:
+  - name: '{{ icinga_db__user }}'
+    password: '{{ icinga_db__password }}'
+    db: '{{ icinga_db__database }}'
+    priv: ['ALL']
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__postgresql__dependent_databases [[[
+#
+# Configuration of PostgreSQL databases for the :ref:`debops.postgresql` Ansible
+# role.
+icinga_db__postgresql__dependent_databases:
+  - name: '{{ icinga_db__database }}'
+    owner: '{{ icinga_db__user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__mariadb__dependent_users [[[
+#
+# Configuration of MariaDB users for :ref:`debops.mariadb` Ansible role.
+icinga_db__mariadb__dependent_users:
+  - name: '{{ icinga_db__user }}'
+    password: '{{ icinga_db__password }}'
+    database: '{{ icinga_db__database }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_db__mariadb__dependent_databases [[[
+#
+# Configuration of MariaDB databases for :ref:`debops.mariadb` Ansible role.
+icinga_db__mariadb__dependent_databases:
+  - name: '{{ icinga_db__database }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/icinga_db/meta/main.yml b/ansible_collections/debops/debops/roles/icinga_db/meta/main.yml
new file mode 100644
index 00000000..2bfbbe2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Icinga 2 database'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - monitoring
+    - icinga
+    - nagios
diff --git a/ansible_collections/debops/debops/roles/icinga_db/tasks/main.yml b/ansible_collections/debops/debops/roles/icinga_db/tasks/main.yml
new file mode 100644
index 00000000..38d2d68d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/tasks/main.yml
@@ -0,0 +1,102 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+# Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Assert that the DB type is valid
+  ansible.builtin.assert:
+    that:
+      - 'icinga_db__database_map[icinga_db__type] is defined'
+  become: False
+  run_once: True
+  delegate_to: 'localhost'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", icinga_db__base_packages + icinga_db__packages) }}'
+    state: 'present'
+  register: icinga_db__register_packages
+  until: icinga_db__register_packages is succeeded
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: icinga_db__icinga_installed | bool
+
+- name: Create Icinga PostgreSQL tables
+  community.postgresql.postgresql_db:
+    name: '{{ icinga_db__database }}'
+    state: 'restore'
+    target: '{{ icinga_db__schema }}'
+    login_host: '{{ icinga_db__host }}'
+    login_user: '{{ icinga_db__user }}'
+    login_password: '{{ icinga_db__password }}'
+    ssl_mode: '{{ "verify-full" if icinga_db__ssl | d(False) | bool else "disable" }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_db__type == 'postgresql' and
+        icinga_db__init | bool
+
+- name: Create Icinga MariaDB tables
+  community.mysql.mysql_db:
+    name: '{{ icinga_db__database }}'
+    state: 'import'
+    target: '{{ icinga_db__schema }}'
+    login_host: '{{ icinga_db__host }}'
+    login_user: '{{ icinga_db__user }}'
+    login_password: '{{ icinga_db__password }}'
+    check_hostname: '{{ icinga_db__ssl | d(False) | bool }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_db__type == 'mariadb' and
+        icinga_db__init | bool
+
+- name: Add Icinga database configuration file diversion
+  debops.debops.dpkg_divert:
+    path: '/etc/icinga2/features-available/ido-{{ icinga_db__ido }}.conf'
+    state: 'present'
+  when: icinga_db__icinga_installed | bool
+
+- name: Create Icinga database configuration file
+  ansible.builtin.template:
+    src: 'etc/icinga2/features-available/ido-db.conf.j2'
+    dest: '/etc/icinga2/features-available/ido-{{ icinga_db__ido }}.conf'
+    owner: 'root'
+    group: 'nagios'
+    mode: '0640'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: icinga_db__icinga_installed | bool
+
+- name: Enable Icinga database support
+  ansible.builtin.file:
+    path: '/etc/icinga2/features-enabled/ido-{{ icinga_db__ido }}.conf'
+    src: '../features-available/ido-{{ icinga_db__ido }}.conf'
+    state: 'link'
+  notify: [ 'Check icinga2 configuration and restart' ]
+  when: icinga_db__icinga_installed | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Icinga database local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/icinga_db.fact.j2'
+    dest: '/etc/ansible/facts.d/icinga_db.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/icinga_db/templates/etc/ansible/facts.d/icinga_db.fact.j2 b/ansible_collections/debops/debops/roles/icinga_db/templates/etc/ansible/facts.d/icinga_db.fact.j2
new file mode 100644
index 00000000..1ca83ebd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/templates/etc/ansible/facts.d/icinga_db.fact.j2
@@ -0,0 +1,147 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+import os
+import re
+
+
+# https://stackoverflow.com/questions/241327/remove-c-and-c-comments-using-python
+def remove_comments(text):
+    def replacer(match):
+        s = match.group(0)
+        if s.startswith('/'):
+            return " "
+        else:
+            return s
+    pattern = re.compile(
+        r'//.*?$|/\*.*?\*/|\'(?:\\.|[^\\\'])*\'|"(?:\\.|[^\\"])*"',
+        re.DOTALL | re.MULTILINE
+    )
+    return re.sub(pattern, replacer, text)
+
+
+def splitlines_and_cleanup(text):
+    return [line.strip() for line in text.splitlines() if line.strip()]
+
+
+def parse(it):
+    result = []
+
+    while True:
+        try:
+            line = next(it)
+        except StopIteration:
+            break
+
+        tokens = line.split()
+        cfg_entry = {
+            "raw": line,
+            "tokens": tokens,
+            "parameters": {},
+            "children": []
+        }
+        if len(tokens) == 3 and tokens[1] == '=' and tokens[2] != '{':
+            cfg_entry["parameters"][tokens[0]] = tokens[2]
+
+        token_iter = iter(tokens)
+        while True:
+            try:
+                tk = next(token_iter)
+            except StopIteration:
+                result.append(cfg_entry)
+                break
+
+            if tk == '}':
+                break
+            elif tk == '{':
+                cfg_entry["children"] = parse(it)
+                for child in cfg_entry["children"]:
+                    cfg_entry["parameters"].update(child["parameters"])
+                result.append(cfg_entry)
+                break
+
+    return result
+
+
+parameter_map = {
+    'host': 'db_host',
+    'database': 'db_name',
+    'user': 'db_user',
+    'password': 'db_password',
+    'port': 'db_port',
+    'enable_ssl': 'db_ssl',
+    'ssl_mode': 'db_ssl',
+    'ssl_ca': 'db_ssl_ca'
+}
+
+
+def parse_cfg(txt):
+    result = {'configured': False}
+
+    txt = remove_comments(txt)
+    txt = splitlines_and_cleanup(txt)
+    cfg = parse(iter(txt))
+
+    for entry in cfg:
+        if 'tokens' not in entry or len(entry['tokens']) < 3:
+            continue
+        elif entry['tokens'][0].lower() != "object":
+            continue
+        elif entry['tokens'][1].lower() == 'idopgsqlconnection':
+            result = {
+                'configured': True,
+                'ido': 'pgsql',
+                'type': 'postgresql',
+            }
+        elif entry['tokens'][1].lower() == 'idomysqlconnection':
+            result = {
+                'configured': True,
+                'ido': 'mysql',
+                'type': 'mariadb',
+            }
+        else:
+            continue
+
+        for input_key, output_key in parameter_map.items():
+            if input_key not in entry['parameters']:
+                continue
+            val = entry['parameters'][input_key]
+            if val.startswith('"') and val.endswith('"') and len(val) > 1:
+                val = val.strip('"')
+            result[output_key] = val
+
+    return result
+
+
+output = {'configured': True}
+
+db_config_files = [
+    ('/etc/icinga2/features-available/'
+     'ido-{{ icinga_db__database_map[icinga_db__type].ido }}.conf')
+]
+
+for config_file in db_config_files:
+    if not os.path.exists(config_file) or not os.path.isfile(config_file):
+        output['configured'] = False
+        break
+
+    try:
+        with open(config_file, 'r') as f:
+            cfg = f.read()
+            output.update(parse_cfg(cfg))
+
+    except Exception:
+        output['configured'] = False
+        break
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/icinga_db/templates/etc/icinga2/features-available/ido-db.conf.j2 b/ansible_collections/debops/debops/roles/icinga_db/templates/etc/icinga2/features-available/ido-db.conf.j2
new file mode 100644
index 00000000..ad549ac3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_db/templates/etc/icinga2/features-available/ido-db.conf.j2
@@ -0,0 +1,64 @@
+{# Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+/**
+ * The db_ido_{{ icinga_db__ido }} library implements IDO functionality
+ * for {{ icinga_db__ido }}.
+ *
+ * {{ ansible_managed }}
+ */
+
+{% macro print_element(element, commented, loop_first, indent) %}
+{%   set prefix = ("{:^" + indent | string + "}").format('') %}
+{%   set comment_prefix = (prefix + "# ") %}
+{%   if commented or element.state | d('present') == 'comment' %}
+{%     set commented = True %}
+{%     set prefix = comment_prefix %}
+{%   else %}
+{%     set commented = False %}
+{%   endif %}
+{%   if element.options | d() and not loop_first %}
+{{     '' }}
+{%   endif %}
+{%   if element.comment | d() %}
+{{     element.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%   endif %}
+{%   if element.raw | d() %}
+{%     if commented %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='')) -}}
+{%     else %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%     endif %}
+{%   elif element.options | d() %}
+{{     '{}{} {{'.format(prefix, element.option | d(element.name) | regex_replace('\n$', '')) }}
+{%     for element in element.options %}
+{%       if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{{         print_element(element, commented, loop.first, indent + 8) -}}
+{%       endif %}
+{%     endfor %}
+{{     '{}}}'.format(prefix) }}
+{%   else %}
+{%     if element.value is not string and element.value is not mapping and element.value is iterable %}
+{%       set element_value = [] %}
+{%       for option in element.value %}
+{%         if option.state | d('present') != 'absent' and option.name | d("") | length > 0 %}
+{%           set _ = element_value.append(option.name) %}
+{%         endif %}
+{%       endfor %}
+{%     elif element.value is string %}
+{%       set element_value = '"' + element.value + '"' %}
+{%     elif element.value is boolean %}
+{%       set element_value = element.value | string | lower %}
+{%     else %}
+{%       set element_value = element.value | d("") | to_json %}
+{%     endif %}
+{{     '{}{} = {}'.format(prefix, element.option | d(element.name), element_value) }}
+{%   endif %}
+{% endmacro %}
+{##}
+{% for item in icinga_db__combined_configuration | debops.debops.parse_kv_config %}
+{%   if item.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{{     print_element(item, item.state | d('present') == 'comment', loop.first, 0) -}}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/icinga_web/COPYRIGHT b/ansible_collections/debops/debops/roles/icinga_web/COPYRIGHT
new file mode 100644
index 00000000..ff6bbe6c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.icinga_web - Manage Icinga 2 Webservice using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/icinga_web/defaults/main.yml b/ansible_collections/debops/debops/roles/icinga_web/defaults/main.yml
new file mode 100644
index 00000000..e837ba17
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/defaults/main.yml
@@ -0,0 +1,1844 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+# .. Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _icinga_web__ref_defaults:
+
+# debops.icinga_web default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, UNIX environment [[[
+# ----------------------------------
+
+# .. envvar:: icinga_web__base_packages [[[
+#
+# List of default APT packages to install for Icinga 2 Web support.
+icinga_web__base_packages:
+  - 'icingaweb2'
+  - 'icingaweb2-module-doc'
+  - 'icingaweb2-module-monitoring'
+  - 'icingacli'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__packages [[[
+#
+# List of additional APT packages to install with Icinga 2 Web support.
+icinga_web__packages: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__user [[[
+#
+# The UNIX account used by Icinga 2 Web. This account should be present on the
+# system by default.
+icinga_web__user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: Icinga_web__group [[[
+#
+# The UNIX group used by Icinga 2 Web. This group will be created automatically
+# by the APT package.
+icinga_web__group: 'icingaweb2'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__src [[[
+#
+# Directory where custom source code will be downloaded by the role, for
+# example module repositories.
+icinga_web__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                     + "/icinga_web" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: icinga_web__fqdn [[[
+#
+# The Fully Qualified Domain Name of the Icinga 2 Web service. The web
+# interface will be available on this address. This address is also used to
+# access the Icinga 2 Director API.
+icinga_web__fqdn: 'icinga.{{ icinga_web__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__domain [[[
+#
+# The domain used by the Icinga 2 Web interface.
+icinga_web__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__node_fqdn [[[
+#
+# The Fully Qualified Domain Name of the local Icinga 2 node. This hostname
+# will be used to access the Icinga 2 REST API.
+icinga_web__node_fqdn: '{{ ansible_fqdn }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 Web modules [[[
+# ------------------------
+
+# These variables define what Icinga 2 Web modules should be installed and/or
+# enabled. External modules will be cloned using :command:`git` command.
+# See :ref:`icinga_web__ref_modules` for more details.
+
+# .. envvar:: icinga_web__default_modules [[[
+#
+# List of Icinga 2 Web modules installed by default.
+icinga_web__default_modules:
+
+  - name: 'toplevelview'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-toplevelview'
+    git_version: 'v0.3.3'
+    state: 'present'
+
+  - name: 'monitoring'
+    state: 'present'
+
+  - name: 'businessprocess'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-businessprocess'
+    git_version: 'v2.3.1'
+    state: 'present'
+
+  - name: 'graphite'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-graphite'
+    git_version: 'v1.1.0'
+    enabled: False
+    state: 'present'
+
+  - name: 'director'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-director'
+    git_version: 'v1.8.1'
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+  - name: 'generictts'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-generictts'
+    git_version: 'v2.0.0'
+    state: 'present'
+
+  - name: 'grafana'
+    git_repo: 'https://github.com/Mikesch-mp/icingaweb2-module-grafana'
+    git_version: 'v1.4.2'
+    state: 'present'
+
+  - name: 'map'
+    git_repo: 'https://github.com/nbuchwitz/icingaweb2-module-map'
+    git_version: 'v1.1.0'
+    state: 'present'
+
+  - name: 'pnp'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-pnp'
+    git_version: 'v1.1.0'
+    enabled: False
+    state: 'present'
+
+  - name: 'elasticsearch'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-elasticsearch'
+    git_version: 'v0.9.0'
+    state: 'present'
+
+  - name: 'cube'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-cube'
+    git_version: 'v1.1.1'
+    state: 'present'
+
+  - name: 'netboximport'
+    git_repo: 'https://github.com/Uberspace/icingaweb2-module-netboximport'
+    git_version: 'master'
+    state: 'present'
+
+  - name: 'doc'
+    state: 'present'
+
+  - name: 'ipl'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-ipl'
+    git_version: 'v0.5.0'
+    state: 'present'
+
+  - name: 'reactbundle'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-reactbundle'
+    git_version: 'v0.9.0'
+    state: 'present'
+
+  - name: 'incubator'
+    git_repo: 'https://github.com/Icinga/icingaweb2-module-incubator'
+    git_version: 'v0.6.0'
+    state: 'present'
+
+  - name: 'x509'
+    git_repo: 'https://github.com/icinga/icingaweb2-module-x509'
+    git_version: 'v1.0.0'
+    state: '{{ "present" if icinga_web__x509_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__modules [[[
+#
+# List of additional Icinga 2 Web modules that should be installed/managed by
+# the role.
+icinga_web__modules: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 Web database [[[
+# -------------------------
+
+# .. envvar:: icinga_web__database_type [[[
+#
+# Specify the type of the Icinga 2 Web database, either ``postgresql``
+# (preferred) or ``mariadb``. The role will try to detect the available
+# databases automatically based on the Ansible local facts.
+icinga_web__database_type: '{{ ansible_local.icinga_web.database_type
+                               | d(ansible_local.icinga_db.type | d(""), true)
+                               | d("postgresql" if ansible_local.postgresql is defined else "", true)
+                               | d("mariadb" if ansible_local.mariadb is defined else "", true) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_map [[[
+#
+# A map containing per-database settings for the Icinga 2 Web database.
+icinga_web__database_map:
+  postgresql:
+    ido:     'pgsql'
+    db_name: 'icingaweb2_production'
+    db_user: 'icingaweb2'
+    db_host: '{{ ansible_local.postgresql.server | d("localhost") }}'
+    db_port: '{{ ansible_local.postgresql.port | d(5432) }}'
+    db_schema: '/usr/share/icingaweb2/etc/schema/pgsql.schema.sql'
+    pw_path: '{{ secret + "/postgresql/"
+                 + ansible_local.postgresql.delegate_to | d(inventory_hostname)
+                 + "/" + ansible_local.postgresql.port | d("5432")
+                 + "/credentials/icingaweb2/password" }}'
+  mariadb:
+    ido:     'mysql'
+    db_name: 'icingaweb2'
+    db_user: 'icingaweb2'
+    db_host: '{{ ansible_local.mariadb.server | d("localhost") }}'
+    db_port: '{{ ansible_local.mariadb.port | d(3306) }}'
+    db_schema: '/usr/share/icingaweb2/etc/schema/mysql.schema.sql'
+    pw_path: '{{ secret + "/mariadb/"
+                 + ansible_local.mariadb.delegate_to | d(inventory_hostname)
+                 + "/credentials/icingaweb2/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_name [[[
+#
+# Name of the Icinga 2 Web database.
+icinga_web__database_name: '{{ icinga_web__database_map[icinga_web__database_type].db_name }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_user [[[
+#
+# Name of the Icinga 2 Web database user.
+icinga_web__database_user: '{{ icinga_web__database_map[icinga_web__database_type].db_user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_password_path [[[
+#
+# Path to database password file located on the Ansible Controller. See the
+# :ref:`debops.secret` role for more details.
+icinga_web__database_password_path: '{{ icinga_web__database_map[icinga_web__database_type].pw_path }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_password [[[
+#
+# Password for Icinga 2 Web database.
+icinga_web__database_password: "{{ lookup('password', icinga_web__database_password_path
+                                   + ' length=48 chars=ascii_letters,digits,.-_') }}"
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_host [[[
+#
+# The address of the Icinga 2 Web database server.
+icinga_web__database_host: '{{ icinga_web__database_map[icinga_web__database_type].db_host }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_port [[[
+#
+# The port on which the Icinga 2 Web database server listens for connections.
+icinga_web__database_port: '{{ icinga_web__database_map[icinga_web__database_type].db_port }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_ssl [[[
+#
+# Whether to use SSL when communicating with the Icinga 2 Web database.
+icinga_web__database_ssl: '{{ False if icinga_web__database_host == "localhost"
+                              else ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_schema [[[
+#
+# Absolute path to the Icinga 2 Web database schema which will be imported
+# during initialization. The schema needs to be located on the remote host
+# where Icinga 2 Web is being configured.
+icinga_web__database_schema: '{{ icinga_web__database_map[icinga_web__database_type].db_schema }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__database_init [[[
+#
+# Enable or disable initialization of the Icinga 2 Web database.
+icinga_web__database_init: '{{ not (ansible_local.icinga_web.installed | d(False) | bool) }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 master database [[[
+# ----------------------------
+
+# These variables control configuration of the Icinga 2 master database,
+# managed by :ref:`debops.icinga_db` Ansible role. This database is usually on
+# the same host the Web interface is installed, but if not, you might need to
+# configure access to a remote database here.
+
+# .. envvar:: icinga_web__master_database_enabled [[[
+#
+# Enable or disable configuration of the Icinga 2 master database resource in
+# the Icinga 2 Web interface.
+# This does not control the configuration of the actual database, see
+# :ref:`debops.icinga_db` role for that.
+icinga_web__master_database_enabled: '{{ ansible_local.icinga_db.configured | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_type [[[
+#
+# Specify the type of the Icinga 2 master database, either ``postgresql`` or
+# ``mariadb``.
+icinga_web__master_database_type: '{{ ansible_local.icinga_db.type | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_ido [[[
+#
+# Specify the IDO driver of the Icinga 2 master database, either ``pgsql`` or
+# ``mysql``.
+icinga_web__master_database_ido: '{{ ansible_local.icinga_db.ido | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_name [[[
+#
+# Name of the Icinga 2 master database.
+icinga_web__master_database_name: '{{ ansible_local.icinga_db.db_name | d("icinga2") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_user [[[
+#
+# Name of the Icinga 2 master database user.
+icinga_web__master_database_user: '{{ ansible_local.icinga_db.db_user | d("icinga2") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_password [[[
+#
+# Password for the Icinga 2 master database.
+icinga_web__master_database_password: '{{ ansible_local.icinga_db.db_password | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_host [[[
+#
+# The address of the Icinga 2 master database host.
+icinga_web__master_database_host: '{{ ansible_local.icinga_db.db_host | d("localhost") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_port [[[
+#
+# The port on which the Icinga 2 master database listens for connections.
+icinga_web__master_database_port: '{{ ansible_local.icinga_db.db_port | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__master_database_ssl [[[
+#
+# Whether to use SSL when communicating with the Icinga 2 master database.
+icinga_web__master_database_ssl: '{{ ansible_local.icinga_db.db_ssl | d(False) }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 Director support [[[
+# -----------------------------
+
+# .. envvar:: icinga_web__director_enabled [[[
+#
+# Enable or disable support for Icinga 2 Web Director module.
+icinga_web__director_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_user [[[
+#
+# The username of the Icinga 2 Director Unix account, which will
+# be automatically created by this role.
+icinga_web__director_user: 'icingadirector'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_group [[[
+#
+# The primary group of the Icinga 2 Director Unix account. Defaults to the group created by the `icingaweb2` APT package.
+icinga_web__director_group: '{{ icinga_web__group }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_home [[[
+#
+# The home directory of the Icinga 2 Director Unix account.
+icinga_web__director_home: '/var/local/{{ icinga_web__director_user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_home_mode [[[
+#
+# Octal permissions on the home directory of the Icinga 2 Director Unix account.
+icinga_web__director_home_mode: '0755'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_shell [[[
+#
+# The shell of the Icinga 2 Director Unix account.
+icinga_web__director_shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_api_fqdn [[[
+#
+# Fully Qualified Domain Name which is part of the URL to the Icinga 2 Director
+# REST API. It is usually the same as the Icinga 2 Web interface FQDN.
+icinga_web__director_api_fqdn: '{{ icinga_web__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_api_url [[[
+#
+# The URL of the Icinga 2 Director REST API which will be used to interact with
+# Icinga Director.
+icinga_web__director_api_url: 'https://{{ icinga_web__director_api_fqdn }}/director'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_api_user [[[
+#
+# Name of the Icinga 2 Director API user, used by the :ref:`debops.icinga` role
+# to authenticate to the Director REST API.
+icinga_web__director_api_user: 'director-api'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_api_password [[[
+#
+# The password for the Icinga 2 Director API user used by the
+# :ref:`debops.icinga` role.
+icinga_web__director_api_password: '{{ lookup("password", secret + "/icinga_web/api/"
+                                       + icinga_web__director_api_fqdn + "/credentials/"
+                                       + icinga_web__director_api_user + "/password") }}'
+
+                                                                   # ]]]
+
+# .. envvar:: icinga_web__director_database_type [[[
+#
+# Specify the type of the Icinga 2 Director database, either ``postgresql``
+# (preferred) or ``mariadb``. It's usually the same type as the main Icinga 2
+# Web database.
+icinga_web__director_database_type: '{{ icinga_web__database_type | d("invalid") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_map [[[
+#
+# A map containing per-database settings for the Icinga 2 Director database.
+icinga_web__director_database_map:
+  postgresql:
+    ido:     'pgsql'
+    db_name: 'icinga2_director_production'
+    db_user: 'icinga2_director'
+    db_host: '{{ ansible_local.postgresql.server | d("localhost") }}'
+    db_port: '{{ ansible_local.postgresql.port | d(5432) }}'
+    pw_path: '{{ secret + "/postgresql/"
+                 + ansible_local.postgresql.delegate_to | d(inventory_hostname)
+                 + "/" + ansible_local.postgresql.port | d("5432")
+                 + "/credentials/icinga2_director/password" }}'
+  mariadb:
+    ido:     'mysql'
+    db_name: 'icinga2_director'
+    db_user: 'icinga2_director'
+    db_host: '{{ ansible_local.mariadb.server | d("localhost") }}'
+    db_port: '{{ ansible_local.mariadb.port | d() }}'
+    pw_path: '{{ secret + "/mariadb/"
+                 + ansible_local.mariadb.delegate_to | d(inventory_hostname)
+                 + "/credentials/icinga2_director/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_name [[[
+#
+# Name of the Icinga 2 Director database.
+icinga_web__director_database_name: '{{ icinga_web__director_database_map[icinga_web__director_database_type].db_name }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_user [[[
+#
+# Name of the Icinga 2 Director database user.
+icinga_web__director_database_user: '{{ icinga_web__director_database_map[icinga_web__director_database_type].db_user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_password_path [[[
+#
+# Path to database password file located on the Ansible Controller for the
+# Icinga 2 Director database.
+icinga_web__director_database_password_path: '{{ icinga_web__director_database_map[icinga_web__director_database_type].pw_path }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_password [[[
+#
+# Database password for the Icinga 2 Director database.
+icinga_web__director_database_password: "{{ lookup('password', icinga_web__director_database_password_path
+                                            + ' length=48 chars=ascii_letters,digits,.-_') }}"
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_host [[[
+#
+# Address of the Icinga 2 Director database server.
+icinga_web__director_database_host: '{{ icinga_web__director_database_map[icinga_web__director_database_type].db_host }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_port [[[
+#
+# The port on which the Icinga 2 Director database server listens for
+# connections.
+icinga_web__director_database_port: '{{ icinga_web__director_database_map[icinga_web__director_database_type].db_port }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_ssl [[[
+#
+# Whether to use SSL when communicating with the Icinga 2 Director database.
+icinga_web__director_database_ssl: '{{ False if icinga_web__director_database_host == "localhost"
+                                       else ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_database_init [[[
+#
+# Enable or disable initialization of the Icinga 2 Director database.
+icinga_web__director_database_init: '{{ not (ansible_local.icinga_web.installed | d(False) | bool) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_kickstart_enabled [[[
+#
+# Enable or disable initial import (kickstart) of the Icinga 2 configuration
+# into the Director database.
+icinga_web__director_kickstart_enabled: '{{ ansible_local.icinga.installed | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_default_templates [[[
+#
+# List of default templates to create in Icinga Director. See
+# :ref:`icinga_web__ref_director_templates` for more details.
+icinga_web__director_default_templates:
+
+  - name: 'generic-host'
+    api_endpoint: '/host'
+    data:
+      object_type: 'template'
+      object_name: 'generic-host'
+      check_command: 'hostalive'
+      check_interval: '5m'
+      retry_interval: '30s'
+      max_check_attempts: '5'
+    state: 'present'
+
+  - name: 'icinga-agent-host'
+    api_endpoint: '/host'
+    data:
+      object_type: 'template'
+      object_name: 'icinga-agent-host'
+      has_agent: true
+      master_should_connect: true
+      accept_config: true
+      imports:
+        - 'generic-host'
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_templates [[[
+#
+# List of templates to create in Icinga Director defined on all hosts in the
+# Ansible inventory. See :ref:`icinga_web__ref_director_templates` for more
+# details.
+icinga_web__director_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_group_templates [[[
+#
+# List of templates to create in Icinga Director defined on hosts in a specific
+# Ansible inventory group. See :ref:`icinga_web__ref_director_templates` for
+# more details.
+icinga_web__director_group_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_host_templates [[[
+#
+# List of templates to create in Icinga Director defined on specific hosts in
+# the Ansible inventory. See :ref:`icinga_web__ref_director_templates` for more
+# details.
+icinga_web__director_host_templates: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_combined_templates [[[
+#
+# Variable which combines all of the Icinga Director template lists and is used
+# in role tasks and templates.
+icinga_web__director_combined_templates: '{{ icinga_web__director_default_templates
+                                             + icinga_web__director_templates
+                                             + icinga_web__director_group_templates
+                                             + icinga_web__director_host_templates }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 x509 module support [[[
+# -----------------------------
+
+# .. envvar:: icinga_web__x509_enabled [[[
+#
+# Enable or disable support for Icinga 2 Web x509 module. It currently only
+# supports MariaDB.
+# See https://github.com/icinga/icingaweb2-module-x509 for more details
+icinga_web__x509_enabled: '{{ icinga_web__director_database_type == "mariadb"
+                              and ansible_local.mariadb is defined }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_type [[[
+#
+# Specify the type of the Icinga 2 Web x509 module database. Either
+# ``postgresql`` (under development) or ``mariadb``. It's usually the same type
+# as the main Icinga 2 Web database.
+icinga_web__x509_database_type: '{{ icinga_web__database_type | d("invalid") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_map [[[
+#
+# A map containing per-database settings for the Icinga 2 Web x509 module
+# database.
+icinga_web__x509_database_map:
+  postgresql:
+    ido:     'pgsql'
+    db_name: 'icingaweb2_x509'
+    db_user: 'icingaweb2_x509'
+    db_host: '{{ ansible_local.postgresql.server | d("localhost") }}'
+    db_port: '{{ ansible_local.postgresql.port | d(5432) }}'
+    db_schema: '/usr/share/icingaweb2/modules/x509/etc/schema/pgsql.schema.sql'
+    pw_path: '{{ secret + "/postgresql/"
+                 + ansible_local.postgresql.delegate_to | d(inventory_hostname)
+                 + "/" + ansible_local.postgresql.port | d("5432")
+                 + "/credentials/icingaweb2_x509/password" }}'
+  mariadb:
+    ido:     'mysql'
+    db_name: 'icingaweb2_x509'
+    db_user: 'icingaweb2_x509'
+    db_host: '{{ ansible_local.mariadb.server | d("localhost") }}'
+    db_port: '{{ ansible_local.mariadb.port | d(3306) }}'
+    db_schema: '/usr/share/icingaweb2/modules/x509/etc/schema/mysql.schema.sql'
+    pw_path: '{{ secret + "/mariadb/"
+                 + ansible_local.mariadb.delegate_to | d(inventory_hostname)
+                 + "/credentials/icingaweb2_x509/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_name [[[
+#
+# Name of the Icinga 2 Web x509 module database.
+icinga_web__x509_database_name: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].db_name }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_user [[[
+#
+# Name of the Icinga 2 Web x509 module database user.
+icinga_web__x509_database_user: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].db_user }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_password_path [[[
+#
+# Path to the database password file located on the Ansible Controller. See the
+# :ref:`debops.secret` role for more details.
+icinga_web__x509_database_password_path: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].pw_path }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_password [[[
+#
+# Password for the Icinga 2 Web x509 module database.
+icinga_web__x509_database_password: '{{ lookup("password", icinga_web__x509_database_password_path
+                                        + " length=48 chars=ascii_letters,digits,.-_") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_host [[[
+#
+# The address of the Icinga 2 Web x509 module database server.
+icinga_web__x509_database_host: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].db_host }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_port [[[
+#
+# The port on which the Icinga 2 Web x509 module database server listens for
+# connections.
+icinga_web__x509_database_port: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].db_port }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_schema [[[
+#
+# Absolute path to the Icinga 2 Web x509 module database scheme which will be
+# imported during initialization.
+icinga_web__x509_database_schema: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].db_schema }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_ssl [[[
+#
+# Whether to use SSL when communicating with the Icinga 2 Web x509 module
+# database.
+icinga_web__x509_database_ssl: '{{ False if icinga_web__x509_database_host == "localhost"
+                                   else ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__x509_database_init [[[
+#
+# Enable or disable initialization of the Icinga 2 Web x509 module database.
+icinga_web__x509_database_init: '{{ not ansible_local.icinga_web.x509_installed | d(False) }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 REST API [[[
+# ---------------------
+
+# These variables configure access to the Icinga 2 REST API. Using that API,
+# the Icinga 2 Web and Director interface communicates with the Icinga
+# 2 cluster nodes.
+
+# .. envvar:: icinga_web__icinga_api_fqdn [[[
+#
+# Fully Qualified Domain Name of the Icinga 2 API endpoint. It's usually on the
+# same host as the Icinga 2 Web interface.
+icinga_web__icinga_api_fqdn: '{{ icinga_web__node_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__icinga_api_port [[[
+#
+# The port on which the Icinga 2 service listens for new API connections.
+icinga_web__icinga_api_port: '5665'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__icinga_api_user [[[
+#
+# The name of the API user used for authentication to the Icinga 2 REST API.
+icinga_web__icinga_api_user: 'root'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__icinga_api_password [[[
+#
+# The password of the Icinga 2 REST API user.
+icinga_web__icinga_api_password: '{{ lookup("password", secret + "/icinga/api/"
+                                     + icinga_web__icinga_api_fqdn + "/credentials/"
+                                     + icinga_web__icinga_api_user
+                                     + "/password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Icinga 2 Web initial user accounts [[[
+# --------------------------------------
+
+# .. envvar:: icinga_web__initial_account_groups [[[
+#
+# List of initial user groups created by the role in the Icinga 2 Web database
+# during initialization. See :ref:`icinga_web__ref_initial_account_groups` for
+# more details.
+icinga_web__initial_account_groups:
+
+  - name: 'Administrators'
+
+  - name: 'Users'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__initial_accounts [[[
+#
+# List of initial user accounts created by the role in the Icinga 2 Web
+# database during initialization. See :ref:`icinga_web__ref_initial_accounts`
+# for more details.
+icinga_web__initial_accounts:
+
+  - name: 'root'
+    password: '{{ lookup("password", secret + "/icinga_web/auth/"
+                  + inventory_hostname + "/credentials/root/password") }}'
+
+  - name: '{{ icinga_web__director_api_user }}'
+    password: '{{ icinga_web__director_api_password }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_account_password [[[
+#
+# The default password used for the initial accounts which don't specify their
+# own password.
+icinga_web__default_account_password: '{{ lookup("password", secret + "/icinga_web/auth/"
+                                          + inventory_hostname + "/default_password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP authentication [[[
+# -----------------------
+#
+# Refer to the `official Icinga web documentation`__ for more details.
+#
+# .. __: https://icinga.com/docs/icinga-web-2/latest/doc/05-Authentication/#active-directory-or-ldap-authentication
+
+# .. envvar:: icinga_web__ldap_enabled [[[
+#
+# Enable LDAP support
+icinga_web__ldap_enabled: '{{ True
+                              if ansible_local.ldap.enabled | d() | bool
+                              else False }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list.
+icinga_web__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the object which contains the groups stored
+# in LDAP.
+icinga_web__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn
+                                  | d("ou=Groups") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_groups_dn [[[
+#
+# The Distinguished Name where Icinga Web will look for groups, defined as a
+# YAML list.
+icinga_web__ldap_groups_dn: '{{ [icinga_web__ldap_groups_rdn]
+                                + icinga_web__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the object which contains the user accounts
+# stored in LDAP.
+icinga_web__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn
+                                  | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_people_dn [[[
+#
+# The base Distinguished Name where Icinga Web will look for users, defined as a
+# YAML list.
+icinga_web__ldap_people_dn: '{{ [icinga_web__ldap_people_rdn]
+                                + icinga_web__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the Icinga web service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+icinga_web__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# Icinga Web service to access the LDAP directory.
+icinga_web__ldap_self_rdn: 'uid=icingaweb'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the Icinga Web service to access the LDAP directory.
+icinga_web__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# Icinga Web service to access the LDAP directory.
+icinga_web__ldap_self_attributes:
+  uid: '{{ icinga_web__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ icinga_web__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "Icinga Web" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# Icinga Web service to bind to the LDAP directory.
+icinga_web__ldap_binddn: '{{ ([icinga_web__ldap_self_rdn]
+                              + icinga_web__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the Icinga Web service
+# to bind to the LDAP directory.
+icinga_web__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                     + icinga_web__ldap_binddn | to_uuid
+                                     + ".password length=48 "
+                                     + "chars=ascii_letters,digits,.-_"))
+                              if icinga_web__ldap_enabled | bool
+                              else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_hostname [[[
+#
+# The LDAP URI that points to the directory server which should be used by
+# Icinga Web.
+icinga_web__ldap_hostname: '{{ ansible_local.ldap.hosts | d([""]) | first }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_encryption [[[
+#
+# The LDAP encryption to use, either ``starttls``, ``ldaps`` or ``plain``
+# (discouraged).
+icinga_web__ldap_encryption: '{{ "ldaps"
+                                 if ansible_local.ldap.protocol | d("") == "ldaps"
+                                 else ("starttls"
+                                       if ansible_local.ldap.start_tls | d(True) | bool
+                                       else "plain") }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_port [[[
+#
+# The TCP port to use for LDAP connections.
+icinga_web__ldap_port: '{{ ansible_local.ldap.port | d(389) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_user_filter [[[
+#
+# Use this to control which LDAP users are listed as Icinga Web users.
+icinga_web__ldap_user_filter: '(&
+                                 (objectClass={{ icinga_web__ldap_user_class }})
+                                 ( |
+                                   (authorizedService=all)
+                                   (authorizedService=icingaweb)
+                                 )
+                               )'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_user_class [[[
+#
+# The objectClass of LDAP users.
+icinga_web__ldap_user_class: 'inetOrgPerson'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_user_name_attribute [[[
+#
+# The LDAP attribute which contains the username.
+icinga_web__ldap_user_name_attribute: 'uid'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_group_filter [[[
+#
+# Use this to control which LDAP groups are listed as Icinga Web groups.
+icinga_web__ldap_group_filter: 'objectClass={{ icinga_web__ldap_group_class }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_group_class [[[
+#
+# The objectClass of LDAP groups.
+icinga_web__ldap_group_class: 'groupOfNames'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_group_member_attribute [[[
+#
+# The LDAP attribute where a group’s members are stored.
+icinga_web__ldap_group_member_attribute: 'member'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap_group_name_attribute [[[
+#
+# The LDAP attribute which contains the group name.
+icinga_web__ldap_group_name_attribute: 'cn'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`authentication.ini` configuration file [[[
+# -----------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/authentication.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_authentication [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_authentication: '{{ (icinga_web__register_config.stdout
+                                         | from_json)["authentication.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_authentication [[[
+#
+# The default authentication configuration appled by the role.
+icinga_web__default_authentication:
+
+  - name: 'icingaweb2'
+    options:
+
+      - name: 'backend'
+        value: 'db'
+
+      - name: 'resource'
+        value: 'icingaweb_db'
+
+  - name: 'ldap_users'
+    options:
+
+      - name: 'backend'
+        value: 'ldap'
+
+      - name: 'resource'
+        value: 'ldap_db'
+
+      - name: 'user_class'
+        value: '{{ icinga_web__ldap_user_class }}'
+
+      - name: 'user_name_attribute'
+        value: '{{ icinga_web__ldap_user_name_attribute }}'
+
+      - name: 'filter'
+        value: '{{ icinga_web__ldap_user_filter }}'
+
+    state: '{{ "present" if icinga_web__ldap_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__authentication [[[
+#
+# Custom authentication configuration defined in the Ansible inventory.
+icinga_web__authentication: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_authentication [[[
+#
+# The variable which combines the authentication configuration from different
+# source variables and is used by the role task to generate the actual file.
+icinga_web__combined_authentication: '{{ icinga_web__current_authentication
+                                         + icinga_web__default_authentication
+                                         + icinga_web__authentication }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`config.ini` configuration file [[[
+# ---------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/config.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_config [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_config: '{{ (icinga_web__register_config.stdout
+                                 | from_json)["config.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_config [[[
+#
+# The default global configuration appled by the role.
+icinga_web__default_config:
+
+  - name: 'global'
+    options:
+
+      - name: 'show_stacktraces'
+        value: '0'
+
+      - name: 'config_backend'
+        value: 'db'
+
+      - name: 'config_resource'
+        value: 'icingaweb_db'
+
+      - name: 'module_path'
+        value: '/usr/share/icingaweb2/modules'
+
+  - name: 'logging'
+    options:
+
+      - name: 'log'
+        value: 'syslog'
+
+      - name: 'level'
+        value: 'ERROR'
+
+      - name: 'application'
+        value: 'icingaweb2'
+
+      - name: 'facility'
+        value: 'user'
+
+  - name: 'themes'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__config [[[
+#
+# Custom global configuration defined in the Ansible inventory.
+icinga_web__config: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_config [[[
+#
+# The variable which combines the global configuration from different source
+# variables and is used by the role task to generate the actual file.
+icinga_web__combined_config: '{{ icinga_web__current_config
+                                 + icinga_web__default_config
+                                 + icinga_web__config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`groups.ini` configuration file [[[
+# ---------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/groups.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_groups [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_groups: '{{ (icinga_web__register_config.stdout
+                                 | from_json)["groups.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_groups [[[
+#
+# The default group configuration appled by the role.
+icinga_web__default_groups:
+
+  - name: 'icingaweb2'
+    options:
+
+      - name: 'backend'
+        value: 'db'
+
+      - name: 'resource'
+        value: 'icingaweb_db'
+
+  - name: 'ldap_groups'
+    options:
+
+      - name: 'backend'
+        value: 'ldap'
+
+      - name: 'resource'
+        value: 'ldap_db'
+
+      - name: 'user_backend'
+        value: 'ldap_users'
+
+      - name: 'base_dn'
+        value: '{{ icinga_web__ldap_groups_dn | join(",") }}'
+
+      - name: 'group_class'
+        value: '{{ icinga_web__ldap_group_class }}'
+
+      - name: 'group_member_attribute'
+        value: '{{ icinga_web__ldap_group_member_attribute }}'
+
+      - name: 'group_name_attribute'
+        value: '{{ icinga_web__ldap_group_name_attribute }}'
+
+      - name: 'group_filter'
+        value: '{{ icinga_web__ldap_group_filter }}'
+
+    state: '{{ "present" if icinga_web__ldap_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__groups [[[
+#
+# Custom group configuration defined in the Ansible inventory.
+icinga_web__groups: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_groups [[[
+#
+# The variable which combines the group configuration from different source
+# variables and is used by the role task to generate the actual file.
+icinga_web__combined_groups: '{{ icinga_web__current_groups
+                                 + icinga_web__default_groups
+                                 + icinga_web__groups }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`resources.ini` configuration file [[[
+# ------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/resources.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_resources [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_resources: '{{ (icinga_web__register_config.stdout
+                                    | from_json)["resources.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_resources [[[
+#
+# The default resource configuration appled by the role.
+icinga_web__default_resources:
+
+  - name: 'icingaweb_db'
+    options:
+
+      - name: 'type'
+        value: 'db'
+
+      - name: 'db'
+        value: '{{ icinga_web__database_map[icinga_web__database_type].ido }}'
+
+      - name: 'host'
+        value: '{{ icinga_web__database_host }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__database_port }}'
+        state: '{{ "present" if icinga_web__database_port | d() else "absent" }}'
+
+      - name: 'dbname'
+        value: '{{ icinga_web__database_name }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__database_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__database_password }}'
+
+      - name: 'charset'
+        value: 'utf8'
+
+      - name: 'persistent'
+        value: '0'
+
+      - name: 'use_ssl'
+        value: '{{ "1" if icinga_web__database_ssl | d(False) | bool else "0" }}'
+
+  - name: 'icinga2'
+    state: '{{ "present" if icinga_web__master_database_enabled | bool else "ignore" }}'
+    options:
+
+      - name: 'type'
+        value: 'db'
+
+      - name: 'db'
+        value: '{{ icinga_web__master_database_ido }}'
+
+      - name: 'host'
+        value: '{{ icinga_web__master_database_host }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__master_database_port }}'
+        state: '{{ "present" if icinga_web__master_database_port | d() else "absent" }}'
+
+      - name: 'dbname'
+        value: '{{ icinga_web__master_database_name }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__master_database_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__master_database_password }}'
+
+      - name: 'charset'
+        value: 'utf8'
+
+      - name: 'persistent'
+        value: '0'
+
+      - name: 'use_ssl'
+        value: '{{ "1" if icinga_web__master_database_ssl | d(False) | bool else "0" }}'
+
+  - name: 'icinga2_director'
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+    options:
+
+      - name: 'type'
+        value: 'db'
+
+      - name: 'db'
+        value: '{{ icinga_web__director_database_map[icinga_web__director_database_type].ido }}'
+
+      - name: 'host'
+        value: '{{ icinga_web__director_database_host }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__director_database_port }}'
+        state: '{{ "present" if icinga_web__director_database_port | d() else "absent" }}'
+
+      - name: 'dbname'
+        value: '{{ icinga_web__director_database_name }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__director_database_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__director_database_password }}'
+
+      - name: 'charset'
+        value: 'utf8'
+
+      - name: 'persistent'
+        value: '0'
+
+      - name: 'use_ssl'
+        value: '{{ "1" if icinga_web__director_database_ssl | d(False) | bool else "0" }}'
+
+  - name: 'ldap_db'
+    state: '{{ "present" if icinga_web__ldap_enabled | bool else "ignore" }}'
+    options:
+
+      - name: 'type'
+        value: 'ldap'
+
+      - name: 'hostname'
+        value: '{{ icinga_web__ldap_hostname }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__ldap_port }}'
+
+      - name: 'root_dn'
+        value: '{{ icinga_web__ldap_base_dn | join(",") }}'
+
+      - name: 'bind_dn'
+        value: '{{ icinga_web__ldap_binddn }}'
+
+      - name: 'bind_pw'
+        value: '{{ icinga_web__ldap_bindpw }}'
+
+      - name: 'encryption'
+        value: '{{ icinga_web__ldap_encryption }}'
+
+  - name: 'icingaweb2_x509'
+    state: '{{ "present" if icinga_web__x509_enabled | bool else "ignore" }}'
+    options:
+
+      - name: 'type'
+        value: 'db'
+
+      - name: 'db'
+        value: '{{ icinga_web__x509_database_map[icinga_web__x509_database_type].ido }}'
+
+      - name: 'host'
+        value: '{{ icinga_web__x509_database_host }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__x509_database_port }}'
+
+      - name: 'dbname'
+        value: '{{ icinga_web__x509_database_name }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__x509_database_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__x509_database_password }}'
+
+      - name: 'charset'
+        value: 'utf8'
+
+      - name: 'use_ssl'
+        value: '{{ "1" if icinga_web__x509_database_ssl | d(False) | bool else "0" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__resources [[[
+#
+# Custom resource configuration defined in the Ansible inventory.
+icinga_web__resources: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_resources [[[
+#
+# The variable which combines the resource configuration from different source
+# variables and is used by the role task to generate the actual file.
+icinga_web__combined_resources: '{{ icinga_web__current_resources
+                                    + icinga_web__default_resources
+                                    + icinga_web__resources }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`roles.ini` configuration file [[[
+# --------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/roles.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_roles [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_roles: '{{ (icinga_web__register_config.stdout
+                                | from_json)["roles.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_roles [[[
+#
+# The default user role configuration appled by the role.
+icinga_web__default_roles:
+
+  - name: 'Administrators'
+    options:
+
+      - name: 'users'
+        value: '{{ ansible_local.core.admin_users | d([]) | join(",") }}'
+
+      - name: 'permissions'
+        value: '*'
+
+      - name: 'groups'
+        value: 'Administrators'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__roles [[[
+#
+# Custom user role configuration defined in the Ansible inventory.
+icinga_web__roles: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_roles [[[
+#
+# The variable which combines the user role configuration from different source
+# variables and is used by the role task to generate the actual file.
+icinga_web__combined_roles: '{{ icinga_web__current_roles
+                                + icinga_web__default_roles
+                                + icinga_web__roles }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`modules/monitoring/backends.ini` configuration file [[[
+# ------------------------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/modules/monitoring/backends.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_backends [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_backends: '{{ (icinga_web__register_config.stdout
+                                   | from_json)["modules/monitoring/backends.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_backends [[[
+#
+# The default monitoring backend configuration appled by the role.
+icinga_web__default_backends:
+
+  - name: 'icinga2'
+    state: '{{ "present"
+               if (icinga_web__master_database_enabled | bool)
+               else "ignore" }}'
+    options:
+
+      - name: 'type'
+        value: 'ido'
+
+      - name: 'resource'
+        value: 'icinga2'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__backends [[[
+#
+# Custom monitoring backend configuration defined in the Ansible inventory.
+icinga_web__backends: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_backends [[[
+#
+# The variable which combines the monitoring backend configuration from
+# different source variables and is used by the role task to generate the
+# actual file.
+icinga_web__combined_backends: '{{ icinga_web__current_backends
+                                   + icinga_web__default_backends
+                                   + icinga_web__backends }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`modules/monitoring/commandtransports.ini` configuration file [[[
+# ---------------------------------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/modules/monitoring/commandtransports.ini`
+# configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_commandtransports [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_commandtransports: '{{ (icinga_web__register_config.stdout
+                                            | from_json)["modules/monitoring/commandtransports.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_commandtransports [[[
+#
+# The default command transport configuration appled by the role.
+icinga_web__default_commandtransports:
+
+  - name: 'icinga2'
+    options:
+
+      - name: 'transport'
+        value: 'api'
+
+      - name: 'host'
+        value: '{{ icinga_web__icinga_api_fqdn }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__icinga_api_port }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__icinga_api_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__icinga_api_password }}'
+
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.icinga | d() and
+                   (ansible_local.icinga.installed | d()) | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__commandtransports [[[
+#
+# Custom command transport configuration defined in the Ansible inventory.
+icinga_web__commandtransports: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_commandtransports [[[
+#
+# The variable which combines the command transport configuration from
+# different source variables and is used by the role task to generate the
+# actual file.
+icinga_web__combined_commandtransports: '{{ icinga_web__current_commandtransports
+                                            + icinga_web__default_commandtransports
+                                            + icinga_web__commandtransports }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`modules/director/config.ini` configuration file [[[
+# --------------------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/modules/director/config.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_director_cfg [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_director_cfg: '{{ (icinga_web__register_config.stdout
+                                       | from_json)["modules/director/config.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_director_cfg [[[
+#
+# The default Icinga 2 Director configuration appled by the role.
+icinga_web__default_director_cfg:
+
+  - name: 'db'
+    options:
+
+      - name: 'resource'
+        value: 'icinga2_director'
+
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_cfg [[[
+#
+# Custom Icinga 2 Director configuration defined in the Ansible inventory.
+icinga_web__director_cfg: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_director_cfg [[[
+#
+# The variable which combines the Icinga 2 Director configuration from
+# different source variables and is used by the role task to generate the
+# actual file.
+icinga_web__combined_director_cfg: '{{ icinga_web__current_director_cfg
+                                       + icinga_web__default_director_cfg
+                                       + icinga_web__director_cfg }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`modules/director/kickstart.ini` configuration file [[[
+# -----------------------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/modules/director/kickstart.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_director_kickstart_cfg [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_director_kickstart_cfg: '{{ (icinga_web__register_config.stdout
+                                                 | from_json)["modules/director/kickstart.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_director_kickstart_cfg [[[
+#
+# The default kickstart configuration appled by the role.
+icinga_web__default_director_kickstart_cfg:
+
+  - name: 'config'
+    options:
+
+      - name: 'endpoint'
+        value: '{{ icinga_web__icinga_api_fqdn }}'
+
+      - name: 'host'
+        value: '{{ icinga_web__icinga_api_fqdn }}'
+
+      - name: 'port'
+        value: '{{ icinga_web__icinga_api_port }}'
+
+      - name: 'username'
+        value: '{{ icinga_web__icinga_api_user }}'
+
+      - name: 'password'
+        value: '{{ icinga_web__icinga_api_password }}'
+
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.icinga | d() and
+                   (ansible_local.icinga.installed | d()) | bool)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__director_kickstart_cfg [[[
+#
+# Custom kickstart configuration defined in the Ansible inventory.
+icinga_web__director_kickstart_cfg: []
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_director_kickstart [[[
+#
+# The variable which combines the kickstart configuration from different source
+# variables and is used by the role task to generate the actual file.
+icinga_web__combined_director_kickstart_cfg: '{{ icinga_web__current_director_kickstart_cfg
+                                                 + icinga_web__default_director_kickstart_cfg
+                                                 + icinga_web__director_kickstart_cfg }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :file:`modules/x509/config.ini` configuration file [[[
+# --------------------------------------------------------------
+
+# These variables manage the contents of the
+# :file:`/etc/icingaweb2/modules/x509/config.ini` configuration file.
+# See :ref:`icinga_web__ref_ini_configuration` for more details.
+
+# .. envvar:: icinga_web__current_x509_cfg [[[
+#
+# The current contents of the config file, gathered during runtime.
+icinga_web__current_x509_cfg: '{{ (icinga_web__register_config.stdout
+                                       | from_json)["modules/x509/config.ini"] | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__default_x509_cfg [[[
+#
+# The default Icinga 2 509 configuration appled by the role.
+icinga_web__default_x509_cfg:
+
+  - name: 'backend'
+    options:
+
+      - name: 'resource'
+        value: 'icingaweb2_x509'
+
+    state: '{{ "present" if icinga_web__x509_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__combined_x509_cfg [[[
+#
+# The variable which combines the Icinga 2 x509 configuration from
+# different source variables and is used by the role task to generate the
+# actual file.
+icinga_web__combined_x509_cfg: '{{ icinga_web__current_x509_cfg
+                                       + icinga_web__default_x509_cfg }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: icinga_web__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+icinga_web__apt_preferences__dependent_list:
+
+  - package: [ 'icingaweb2', 'icingaweb2-*', 'icingacli', 'php-icinga' ]
+    backports: [ 'stretch' ]
+    by_role: 'debops.icinga_web'
+    reason: 'Incompatibility with PHP 7.3'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+icinga_web__ldap__dependent_tasks:
+
+  - name: 'Create Icinga Web account for {{ icinga_web__ldap_device_dn | join(",") }}'
+    dn: '{{ icinga_web__ldap_binddn }}'
+    objectClass: '{{ icinga_web__ldap_self_object_classes }}'
+    attributes: '{{ icinga_web__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if icinga_web__ldap_enabled else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__postgresql__dependent_roles [[[
+#
+# Configuration of PostgreSQL roles for :ref:`debops.postgresql` Ansible role.
+icinga_web__postgresql__dependent_roles:
+
+  # Owner of the main Icinga Web database
+  - name: '{{ icinga_web__database_name }}'
+    flags: [ 'NOLOGIN' ]
+
+  - name: '{{ icinga_web__database_user }}'
+    password: '{{ icinga_web__database_password }}'
+    db: '{{ icinga_web__database_name }}'
+    priv: [ 'ALL' ]
+
+  - name: '{{ icinga_web__director_database_name }}'
+    flags: [ 'NOLOGIN' ]
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+  - name: '{{ icinga_web__director_database_user }}'
+    password: '{{ icinga_web__director_database_password }}'
+    db: '{{ icinga_web__director_database_name }}'
+    priv: [ 'ALL' ]
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__postgresql__dependent_databases [[[
+#
+# Configuration of PostgreSQL databases for the :ref:`debops.postgresql` Ansible
+# role.
+icinga_web__postgresql__dependent_databases:
+
+  - name:  '{{ icinga_web__database_name }}'
+    owner: '{{ icinga_web__database_name }}'
+
+  - name:  '{{ icinga_web__director_database_name }}'
+    owner: '{{ icinga_web__director_database_name }}'
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__postgresql__dependent_groups [[[
+#
+# Configuration of PostgreSQL groups for the :ref:`debops.postgresql` Ansible role.
+icinga_web__postgresql__dependent_groups:
+
+  - roles:  [ '{{ icinga_web__database_user }}' ]
+    groups: [ '{{ icinga_web__database_name }}' ]
+    database: '{{ icinga_web__database_name }}'
+
+  - roles:  [ '{{ icinga_web__director_database_user }}' ]
+    groups: [ '{{ icinga_web__director_database_name }}' ]
+    database: '{{ icinga_web__director_database_name }}'
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__postgresql__dependent_privileges [[[
+#
+# Configuration of PostgreSQL privileges for the :ref:`debops.postgresql`
+# Ansible role.
+icinga_web__postgresql__dependent_privileges:
+
+  - roles:  [ '{{ icinga_web__database_user }}' ]
+    database: '{{ icinga_web__database_name }}'
+    objs:   [ 'ALL_DEFAULT' ]
+    privs:  [ 'SELECT', 'INSERT', 'UPDATE', 'DELETE' ]
+    type:     'default_privs'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__postgresql__dependent_extensions [[[
+#
+# Configuration of PostgreSQL extensions for the :ref:`debops.postgresql` Ansible
+# role.
+icinga_web__postgresql__dependent_extensions:
+
+  - database: '{{ icinga_web__director_database_name }}'
+    extension: 'pgcrypto'
+    state: '{{ "present" if icinga_web__director_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__mariadb__dependent_databases [[[
+#
+# Database configuration for the :ref:`debops.mariadb` Ansible role.
+icinga_web__mariadb__dependent_databases:
+
+  - name: '{{ icinga_web__database_name }}'
+    state: '{{ "present" if icinga_web__database_type == "mariadb" else "ignore" }}'
+
+  - name: '{{ icinga_web__director_database_name }}'
+    state: '{{ "present"
+                if (icinga_web__director_enabled | bool and icinga_web__director_database_type == "mariadb")
+                else "ignore" }}'
+
+  - name: '{{ icinga_web__x509_database_name }}'
+    state: '{{ "present" if icinga_web__x509_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__mariadb__dependent_users [[[
+#
+# User configuration for the :ref:`debops.mariadb` Ansible role.
+icinga_web__mariadb__dependent_users:
+
+  - database: '{{ icinga_web__database_name }}'
+    user: '{{ icinga_web__database_user }}'
+    password: '{{ icinga_web__database_password }}'
+    state: '{{ "present" if icinga_web__database_type == "mariadb" else "ignore" }}'
+
+  - database: '{{ icinga_web__director_database_name }}'
+    user: '{{ icinga_web__director_database_user }}'
+    password: '{{ icinga_web__director_database_password }}'
+    state: '{{ "present"
+                if (icinga_web__director_enabled | bool and icinga_web__director_database_type == "mariadb")
+                else "ignore" }}'
+
+  - database: '{{ icinga_web__x509_database_name }}'
+    user: '{{ icinga_web__x509_database_user }}'
+    state: '{{ "present" if icinga_web__x509_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__php__dependent_packages [[[
+#
+# List of ``php-*`` APT packages to install by the :ref:`debops.php` Ansible
+# role.
+icinga_web__php__dependent_packages:
+  - 'mysql'
+  - 'intl'
+  - 'ldap'
+  - 'imagick'
+  - 'pgsql'
+  - 'curl'
+  - 'yaml'
+  - 'gmp'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__php__dependent_pools [[[
+#
+# PHP-FPM pool configuration for the :ref:`debops.php` Ansible role.
+icinga_web__php__dependent_pools:
+
+  - name: 'icingaweb'
+    user: 'www-data'
+    group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+icinga_web__nginx__dependent_upstreams:
+
+  - name: 'php_icingaweb'
+    type: 'php'
+    php_pool: 'icingaweb'
+
+                                                                   # ]]]
+# .. envvar:: icinga_web__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+icinga_web__nginx__dependent_servers:
+
+  - by_role: 'debops.icinga_web'
+    type: 'php'
+    name: '{{ icinga_web__fqdn }}'
+    root: '/usr/share/icingaweb2/public'
+    webroot_create: False
+    filename: 'debops.icinga_web'
+    php_upstream: 'php_icingaweb'
+    php_limit_except: [ 'GET', 'HEAD', 'POST', 'DELETE' ]
+
+    options: |
+      if (!-d $request_filename) {
+              rewrite ^/(.+)/$ /$1 permanent;
+      }
+
+    location_list:
+
+      - pattern: '/'
+        options: 'try_files $1 $uri $uri/ /index.php$is_args$args;'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config2 b/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config2
new file mode 100755
index 00000000..ef09201c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config2
@@ -0,0 +1,56 @@
+#!/usr/bin/env python2
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Get current Icinga Web configuration values
+
+from __future__ import print_function
+from json import dumps
+from os import path
+from os import listdir
+from os import walk
+
+try:
+    from configparser import ConfigParser
+except ImportError:
+    from ConfigParser import ConfigParser
+
+
+def get_config(config_file):
+    config_data = []
+    if path.isfile(config_file):
+        config = ConfigParser()
+        config.read(config_file)
+
+        for section in config.sections():
+
+            section_options = []
+            for name, value in config.items(section):
+                section_options.append({"name": name,
+                                        "value": value.strip('"')})
+
+            config_data.append({"name": section, "options": section_options})
+    return config_data
+
+
+output = {}
+
+root_config_dir = '/etc/icingaweb2'
+
+ini_directories = [x[0] for x in walk(root_config_dir)]
+
+for dir_path in ini_directories:
+    if path.exists(dir_path):
+
+        ini_prefix = dir_path.lstrip(root_config_dir)
+        ini_files = ([f for f in listdir(dir_path)
+                      if (path.isfile(path.join(dir_path, f))
+                      and f.endswith('.ini'))])
+
+        for ini_file in ini_files:
+            output.update({path.join(ini_prefix, ini_file).lstrip('/'):
+                           get_config(path.join(dir_path, ini_file))})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config3 b/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config3
new file mode 100755
index 00000000..12d307ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/files/script/icingaweb-config3
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Get current Icinga Web configuration values
+
+from __future__ import print_function
+from json import dumps
+from os import path
+from os import listdir
+from os import walk
+
+try:
+    from configparser import ConfigParser
+except ImportError:
+    from ConfigParser import ConfigParser
+
+
+def get_config(config_file):
+    config_data = []
+    if path.isfile(config_file):
+        config = ConfigParser()
+        config.read(config_file)
+
+        for section in config.sections():
+
+            section_options = []
+            for name, value in config.items(section):
+                section_options.append({"name": name,
+                                        "value": value.strip('"')})
+
+            config_data.append({"name": section, "options": section_options})
+    return config_data
+
+
+output = {}
+
+root_config_dir = '/etc/icingaweb2'
+
+ini_directories = [x[0] for x in walk(root_config_dir)]
+
+for dir_path in ini_directories:
+    if path.exists(dir_path):
+
+        ini_prefix = dir_path.lstrip(root_config_dir)
+        ini_files = ([f for f in listdir(dir_path)
+                      if (path.isfile(path.join(dir_path, f))
+                      and f.endswith('.ini'))])
+
+        for ini_file in ini_files:
+            output.update({path.join(ini_prefix, ini_file).lstrip('/'):
+                           get_config(path.join(dir_path, ini_file))})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/main.yml b/ansible_collections/debops/debops/roles/icinga_web/meta/main.yml
new file mode 100644
index 00000000..371452a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Icinga 2 Web installation'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - monitoring
+    - icinga
+    - nagios
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-businessprocess b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-businessprocess
new file mode 100644
index 00000000..da722a14
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-businessprocess
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: businessprocess
+# Version: 2.3.1
+
+version=4
+https://github.com/Icinga/icingaweb2-module-businessprocess/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-cube b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-cube
new file mode 100644
index 00000000..9b955444
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-cube
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: cube
+# Version: 1.1.1
+
+version=4
+https://github.com/Icinga/icingaweb2-module-cube/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-director b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-director
new file mode 100644
index 00000000..5c8fece5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-director
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: director
+# Version: 1.8.1
+
+version=4
+https://github.com/Icinga/icingaweb2-module-director/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-elasticsearch b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-elasticsearch
new file mode 100644
index 00000000..cd5cdd46
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-elasticsearch
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: elasticsearch
+# Version: 0.9.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-elasticsearch/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-generictts b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-generictts
new file mode 100644
index 00000000..025adb37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-generictts
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: generictts
+# Version: 2.0.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-generictts/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-grafana b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-grafana
new file mode 100644
index 00000000..a5cc591d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-grafana
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: grafana
+# Version: 1.4.2
+
+version=4
+https://github.com/Mikesch-mp/icingaweb2-module-grafana/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-graphite b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-graphite
new file mode 100644
index 00000000..3befc466
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-graphite
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: graphite
+# Version: 1.1.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-graphite/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-incubator b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-incubator
new file mode 100644
index 00000000..acc0a3a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-incubator
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: incubator
+# Version: 0.6.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-incubator/tags .*\/v?(\d[0-9.]+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-ipl b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-ipl
new file mode 100644
index 00000000..0465ba64
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-ipl
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: ipl
+# Version: 0.5.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-ipl/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-map b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-map
new file mode 100644
index 00000000..886d8e0e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-map
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: map
+# Version: 1.1.0
+
+version=4
+https://github.com/nbuchwitz/icingaweb2-module-map/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-pnp b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-pnp
new file mode 100644
index 00000000..2591d6ca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-pnp
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: pnp
+# Version: 1.1.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-pnp/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-reactbundle b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-reactbundle
new file mode 100644
index 00000000..d5ebce86
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-reactbundle
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: reactbundle
+# Version: 0.9.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-reactbundle/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-toplevelview b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-toplevelview
new file mode 100644
index 00000000..e2de5e94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-toplevelview
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: toplevelview
+# Version: 0.3.3
+
+version=4
+https://github.com/Icinga/icingaweb2-module-toplevelview/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/meta/watch-x509 b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-x509
new file mode 100644
index 00000000..55713aa0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/meta/watch-x509
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: icinga_web
+# Package: x509
+# Version: 1.0.0
+
+version=4
+https://github.com/Icinga/icingaweb2-module-x509/tags .*\/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/icinga_web/tasks/main.yml b/ansible_collections/debops/debops/roles/icinga_web/tasks/main.yml
new file mode 100644
index 00000000..1bc6fa2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/tasks/main.yml
@@ -0,0 +1,321 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 Gabriel Lewertowski <gabriel.lewertowski@trust-in-soft.com>
+# Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2018-2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Assert that the DB types are valid
+  ansible.builtin.assert:
+    that:
+      - 'icinga_web__database_map[icinga_web__database_type].db_name is defined'
+      - 'icinga_web__director_enabled | d(False) | bool == False or
+         icinga_web__director_database_map[icinga_web__director_database_type].db_name is defined'
+      - 'icinga_web__x509_enabled | d(False) | bool == False or
+         icinga_web__x509_database_map[icinga_web__x509_database_type].db_name is defined'
+  become: False
+  run_once: True
+  delegate_to: 'localhost'
+
+- name: Install required Icinga Web packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", icinga_web__base_packages + icinga_web__packages) }}'
+    state: 'present'
+  register: icinga_web__register_packages
+  until: icinga_web__register_packages is succeeded
+
+- name: Get current Icinga Web configuration
+  ansible.builtin.script: 'script/icingaweb-config{{ "2" if (ansible_python_version is version_compare("3.5", "<")) else "3" }}'
+  register: icinga_web__register_config
+  changed_when: False
+  check_mode: False
+
+- name: Ensure that configuration directories exist
+  ansible.builtin.file:
+    path: '/etc/icingaweb2/{{ item.name }}'
+    state: 'directory'
+    owner: '{{ icinga_web__user }}'
+    group: '{{ icinga_web__group }}'
+    mode: '{{ item.mode | d("02770") }}'
+  with_items:
+    - name: 'enabledModules'
+      mode: '02750'
+    - name: 'modules/monitoring'
+    - name: 'modules/director'
+    - name: 'modules/x509'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Download and install Icinga upstream modules
+  ansible.builtin.git:
+    repo: '{{ item.git_repo }}'
+    dest: '{{ icinga_web__src + "/" + item.git_repo.split("://")[1] }}'
+    version: '{{ item.git_version }}'
+  with_items: '{{ (icinga_web__default_modules + icinga_web__modules) | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.git_repo | d() and
+        item.git_version | d() and item.state | d('present') != 'absent'
+
+- name: Symlink Icinga upstream modules to Icinga Web application
+  ansible.builtin.file:
+    path: '{{ "/usr/share/icingaweb2/modules/" + item.name }}'
+    src: '{{ icinga_web__src + "/" + item.git_repo.split("://")[1] }}'
+    state: 'link'
+    force: '{{ True if ansible_check_mode | bool else omit }}'
+    mode: '0755'
+  with_items: '{{ (icinga_web__default_modules + icinga_web__modules) | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.git_repo | d() and
+        item.git_version | d() and item.state | d('present') != 'absent'
+
+- name: Manage Icinga Web modules
+  ansible.builtin.file:
+    path: '/etc/icingaweb2/enabledModules/{{ item.name }}'
+    src: '{{ (item.path | d("/usr/share/icingaweb2/modules/" + item.name))
+             if (item.state | d("present") != "absent" and (item.enabled | d(True)) | bool) else omit }}'
+    state: '{{ "link" if (item.state | d("present") != "absent" and (item.enabled | d(True)) | bool) else "absent" }}'
+    force: '{{ True if ansible_check_mode | bool else omit }}'
+    mode: '0755'
+  with_items: '{{ (icinga_web__default_modules + icinga_web__modules) | debops.debops.parse_kv_items }}'
+  when: item.name | d()
+
+- name: Generate Icinga Web configuration
+  ansible.builtin.template:
+    src: 'etc/icingaweb2/template.ini.j2'
+    dest: '/etc/icingaweb2/{{ item.filename }}'
+    owner: '{{ icinga_web__user }}'
+    group: '{{ icinga_web__group }}'
+    mode: '0660'
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+  with_items:
+    - filename: 'authentication.ini'
+      config: '{{ icinga_web__combined_authentication }}'
+    - filename: 'config.ini'
+      config: '{{ icinga_web__combined_config }}'
+    - filename: 'groups.ini'
+      config: '{{ icinga_web__combined_groups }}'
+    - filename: 'resources.ini'
+      config: '{{ icinga_web__combined_resources }}'
+      no_log: '{{ debops__no_log | d(True) }}'
+    - filename: 'roles.ini'
+      config: '{{ icinga_web__combined_roles }}'
+    - filename: 'modules/monitoring/backends.ini'
+      config: '{{ icinga_web__combined_backends }}'
+    - filename: 'modules/monitoring/commandtransports.ini'
+      config: '{{ icinga_web__combined_commandtransports }}'
+    - filename: 'modules/director/config.ini'
+      config: '{{ icinga_web__combined_director_cfg }}'
+    - filename: 'modules/director/kickstart.ini'
+      config: '{{ icinga_web__combined_director_kickstart_cfg }}'
+    - filename: 'modules/x509/config.ini'
+      config: '{{ icinga_web__combined_x509_cfg }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Generate initial data file
+  ansible.builtin.template:
+    src: 'tmp/icingaweb-initial-data.sql.j2'
+    dest: '/tmp/icingaweb-initial-data.sql'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  when: icinga_web__database_init | bool
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create Icinga Web PostgreSQL tables
+  community.postgresql.postgresql_db:
+    name: '{{ icinga_web__database_name }}'
+    state: 'restore'
+    target: '{{ item }}'
+    login_host: '{{ icinga_web__database_host }}'
+    login_user: '{{ icinga_web__database_user }}'
+    login_password: '{{ icinga_web__database_password }}'
+    ssl_mode: '{{ "verify-full" if icinga_web__database_ssl | d(False) | bool else "disable" }}'
+  with_items:
+    - '{{ icinga_web__database_schema }}'
+    - '/tmp/icingaweb-initial-data.sql'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_web__database_type == 'postgresql' and
+        icinga_web__database_init | bool
+
+- name: Create Icinga Web x509 PostgreSQL tables
+  community.postgresql.postgresql_db:
+    name: '{{ icinga_web__x509_database_name }}'
+    state: 'restore'
+    target: '{{ icinga_web__x509_database_schema }}'
+    login_host: '{{ icinga_web__x509_database_host }}'
+    login_user: '{{ icinga_web__x509_database_user }}'
+    login_password: '{{ icinga_web__x509_database_password }}'
+    ssl_mode: '{{ "verify-full" if icinga_web__x509_database_ssl | d(False) | bool else "disable" }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_web__x509_enabled | bool and
+        icinga_web__x509_database_type == 'postgresql' and
+        icinga_web__x509_database_init | bool
+
+- name: Create Icinga Web MariaDB tables
+  community.mysql.mysql_db:
+    name: '{{ icinga_web__database_name }}'
+    state: 'import'
+    target: '{{ item }}'
+    login_host: '{{ icinga_web__database_host }}'
+    login_user: '{{ icinga_web__database_user }}'
+    login_password: '{{ icinga_web__database_password }}'
+    check_hostname: '{{ icinga_web__database_ssl | d(False) | bool }}'
+  with_items:
+    - '{{ icinga_web__database_schema }}'
+    - '/tmp/icingaweb-initial-data.sql'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_web__database_type == 'mariadb' and
+        icinga_web__database_init | bool
+
+- name: Create Icinga Web x509 MariaDB tables
+  community.mysql.mysql_db:
+    name: '{{ icinga_web__x509_database_name }}'
+    state: 'import'
+    target: '{{ icinga_web__x509_database_schema }}'
+    login_host: '{{ icinga_web__x509_database_host }}'
+    login_port: '{{ icinga_web__x509_database_port }}'
+    login_user: '{{ icinga_web__x509_database_user }}'
+    login_password: '{{ icinga_web__x509_database_password }}'
+    check_hostname: '{{ icinga_web__x509_database_ssl | d(False) | bool }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: icinga_web__x509_enabled | bool and
+        icinga_web__x509_database_type == 'mariadb' and
+        icinga_web__x509_database_init | bool
+
+- name: Ensure that initial data schema is removed
+  ansible.builtin.file:
+    path: '/tmp/icingaweb-initial-data.sql'
+    state: 'absent'
+
+- name: Create or migrate Icinga Director database
+  ansible.builtin.command: 'icingacli director migration run'
+  register: icinga_web__register_director_migrate
+  changed_when: icinga_web__register_director_migrate.changed | bool
+  when: icinga_web__director_enabled | bool and
+        icinga_web__director_database_init | bool
+
+- name: Kickstart Icinga Director configuration
+  ansible.builtin.command: 'icingacli director kickstart run'
+  register: icinga_web__register_director_kickstart
+  changed_when: icinga_web__register_director_kickstart.changed | bool
+  when: icinga_web__director_enabled | bool and
+        icinga_web__director_database_init | bool and
+        icinga_web__director_kickstart_enabled | bool
+
+- name: Deploy Icinga Director configuration
+  ansible.builtin.command: 'icingacli director config deploy'
+  register: icinga_web__register_director_deploy
+  changed_when: icinga_web__register_director_deploy.changed | bool
+  when: icinga_web__director_enabled | bool and
+        icinga_web__director_database_init | bool and
+        icinga_web__director_kickstart_enabled | bool
+
+- name: Create Director Unix account
+  ansible.builtin.user:
+    name: '{{ icinga_web__director_user }}'
+    group: '{{ icinga_web__director_group }}'
+    system: True
+    home: '{{ icinga_web__director_home }}'
+    shell: '{{ icinga_web__director_shell }}'
+
+- name: Set permissions on Director home directory
+  ansible.builtin.file:
+    path: '{{ icinga_web__director_home }}'
+    mode: '{{ icinga_web__director_home_mode }}'
+
+- name: Check if old Director jobs service exists
+  ansible.builtin.stat:
+    path: '/etc/systemd/system/icinga2-director-jobs.service'
+  register: icinga_web__register_director_jobs_service
+
+- name: Stop and disable old Director jobs service
+  ansible.builtin.systemd:
+    name: 'icinga2-director-jobs.service'
+    state: 'stopped'
+    enabled: False
+  when: icinga_web__register_director_jobs_service.stat.exists
+
+- name: Remove old Director jobs service
+  ansible.builtin.file:
+    path: '/etc/systemd/system/icinga2-director-jobs.service'
+    state: 'absent'
+
+- name: Configure Director service
+  ansible.builtin.template:
+    src: 'etc/systemd/system/icinga-director.service.j2'
+    dest: '/etc/systemd/system/icinga-director.service'
+    mode: '0644'
+
+- name: Start and enable Director service
+  ansible.builtin.systemd:
+    daemon_reload: True
+    name: 'icinga-director.service'
+    enabled: True
+    state: 'started'
+  when: icinga_web__director_enabled | bool
+
+- name: Stop and disable Director service
+  ansible.builtin.systemd:
+    name: 'icinga-director.service'
+    enabled: False
+    state: 'stopped'
+  when: not icinga_web__director_enabled | bool
+
+- name: Import CA certificates to Icinga Web x509 truststore
+  ansible.builtin.command: 'icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt'
+  register: icinga_web__register_import_ca
+  changed_when: icinga_web__register_import_ca.changed | bool
+  when: icinga_web__x509_enabled | bool and
+        icinga_web__x509_database_init | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Icinga Web local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/icinga_web.fact.j2'
+    dest: '/etc/ansible/facts.d/icinga_web.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Register Icinga templates in Icinga Director
+  ansible.builtin.uri:
+    body_format: 'json'
+    headers:
+      Accept: 'application/json'
+    method: 'POST'
+    body: '{{ item.data }}'
+    url: '{{ icinga_web__director_api_url + item.api_endpoint }}'
+    user: '{{ icinga_web__director_api_user }}'
+    password: '{{ icinga_web__director_api_password }}'
+    status_code: [ '201', '422', '500' ]
+    force_basic_auth: True
+  loop: '{{ icinga_web__director_combined_templates | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: icinga_web__register_director_templates
+  when: icinga_web__director_enabled | bool and
+        item.state | d('present') not in ['absent', 'init', 'ignore']
+  changed_when: icinga_web__register_director_templates.status == 201
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::icinga_web:templates' ]
diff --git a/ansible_collections/debops/debops/roles/icinga_web/templates/etc/ansible/facts.d/icinga_web.fact.j2 b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/ansible/facts.d/icinga_web.fact.j2
new file mode 100644
index 00000000..b0f0afde
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/ansible/facts.d/icinga_web.fact.j2
@@ -0,0 +1,30 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"installed": False,
+                      "x509_installed": icinga_web__x509_enabled,
+                      "database_type": icinga_web__database_type}
+                     | to_nice_json }}''')
+
+output['installed'] = cmd_exists('icingacli')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/icinga_web/templates/etc/icingaweb2/template.ini.j2 b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/icingaweb2/template.ini.j2
new file mode 100644
index 00000000..81ea44f0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/icingaweb2/template.ini.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for element in item.config | debops.debops.parse_kv_items %}
+{%   if element.state | d("present") not in [ "absent", "ignore", "init" ] %}
+{%     if not loop.first %}
+
+{%     endif %}
+{{ '[{}]'.format(element.name) }}
+{%     if element.options | d() %}
+{%       for thing in element.options %}
+{%         if thing.state | d("present") not in [ "absent", "ignore", "init" ] %}
+{{ '{} = "{}"'.format(thing.name, thing.value) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/icinga_web/templates/etc/systemd/system/icinga-director.service.j2 b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/systemd/system/icinga-director.service.j2
new file mode 100644
index 00000000..5b1b6343
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/templates/etc/systemd/system/icinga-director.service.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Icinga Director - Monitoring Configuration
+Documentation=https://icinga.com/docs/director/latest/
+Wants=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/icinga-director
+EnvironmentFile=-/etc/sysconfig/icinga-director
+ExecStart=/usr/bin/icingacli director daemon run
+ExecReload=/bin/kill -HUP ${MAINPID}
+User={{ icinga_web__director_user }}
+SyslogIdentifier=icingadirector
+Type=notify
+
+NotifyAccess=main
+WatchdogSec=10
+RestartSec=30
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/icinga_web/templates/tmp/icingaweb-initial-data.sql.j2 b/ansible_collections/debops/debops/roles/icinga_web/templates/tmp/icingaweb-initial-data.sql.j2
new file mode 100644
index 00000000..cc08c416
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/icinga_web/templates/tmp/icingaweb-initial-data.sql.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+-- {{ ansible_managed }}
+
+INSERT INTO icingaweb_group (id, name, ctime)
+VALUES
+{% for element in icinga_web__initial_account_groups %}
+{%   if element.name | d() and element.state | d('present') != 'absent' %}
+{{ "    ({}, '{}', NOW()){}".format(loop.index, element.name, (';' if loop.last else ',')) }}
+{%   endif %}
+{% endfor %}
+
+INSERT INTO icingaweb_user (name, active, password_hash, ctime)
+VALUES
+{% for element in icinga_web__initial_accounts %}
+{%   if element.name | d() and element.state | d('present') != 'absent' %}
+{{ "    ('{}', 1, '{}', NOW()){}".format(element.name,
+    (element.password_hash | d((element.password | d(icinga_web__default_account_password))
+    | password_hash('md5', (65534 | random(seed=(element.name + inventory_hostname))
+    | string | hash('sha256'))[0:8]))), (';' if loop.last else ',')) }}
+{%   endif %}
+{% endfor %}
+
+INSERT INTO icingaweb_group_membership (group_id, username, ctime)
+VALUES
+{% for element in icinga_web__initial_accounts %}
+{%   if element.name | d() and element.state | d('present') != 'absent' %}
+{{ "    ({}, '{}', NOW()){}".format(element.group_id | d('1'), element.name, (';' if loop.last else ',')) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/COPYRIGHT b/ansible_collections/debops/debops/roles/ifupdown/COPYRIGHT
new file mode 100644
index 00000000..cde85df3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.ifupdown - Manage network interfaces using Ansible
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ifupdown/defaults/main.yml b/ansible_collections/debops/debops/roles/ifupdown/defaults/main.yml
new file mode 100644
index 00000000..33b79635
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/defaults/main.yml
@@ -0,0 +1,390 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ifupdown__ref_defaults:
+
+# debops.ifupdown default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: ifupdown__base_packages [[[
+#
+# List of base APT packages to install.
+ifupdown__base_packages:
+  - [ 'ifupdown', 'bsdutils', 'rsync' ]
+  - '{{ []
+        if ("/usr/sbin/NetworkManager" in ansible_local.ifupdown.known_managers | d([]))
+        else "rdnssd" }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__dynamic_packages [[[
+#
+# List of APT packages to install based on the requirements of the interface
+# types that are configured by the role (support for bridges, bonding, VLANs,
+# depends on the presence of a given interface type).
+ifupdown__dynamic_packages: '{{ lookup("template", "lookup/ifupdown__dynamic_packages.j2", convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__packages [[[
+#
+# List of additional APT packages to install with the role.
+ifupdown__packages: []
+                                                                   # ]]]
+# .. envvar:: ifupdown__purge_packages [[[
+#
+# List of APT packages which will be purged when this role is
+# enabled, to stop them from interfering with ``ifupdown``.
+ifupdown__purge_packages: [ 'netplan.io', 'nplan' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# General role configuration [[[
+# ------------------------------
+
+# .. envvar:: ifupdown__interface_weight_map [[[
+#
+# This is a YAML dictionary which maps the interface type to a number which is
+# prepended to the configuration file names to ensure correct order of the
+# network interfaces. It also defines the order the interfaces are brought down
+# and up.
+#
+# You shouldn't change the map after the :command:`ifupdown` configuration is
+# deployed, otherwise the role will lose track of the configuration files and
+# duplicate configuration might be created.
+ifupdown__interface_weight_map:
+  'mapping':   '00'
+  'bonding':   '10'
+  'ether':     '20'
+  'slip':      '30'
+  'wlan':      '30'
+  'wwan':      '30'
+  'vlan':      '40'
+  'bridge':    '60'
+  '6to4':      '80'
+  'tunnel':    '80'
+  'default':   '80'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__reconfigure_auto [[[
+#
+# If ``True``, the role will reconfigure interfaces automatically after changes
+# are detected by Ansible. If ``False``, role will install the reconfiguration
+# script on the remote host so that the user can run it to apply the changes by
+# hand.
+ifupdown__reconfigure_auto: True
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__reconfigure_script_path [[[
+#
+# Path where the reconfiguration script will be installed if automatic
+# reconfiguration is disabled.
+ifupdown__reconfigure_script_path: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                                       + "/ifupdown-reconfigure-interfaces" }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__reconfigure_init_file [[[
+#
+# Path where the original :file:`/etc/network/interfaces` file will be copied
+# to on the first role run to allow for reconfiguration of existing interfaces.
+ifupdown__reconfigure_init_file: '/etc/network/interfaces.d/old-interfaces'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__default_nat_masquerade [[[
+#
+# By default, when IPv4 NAT is enabled on a bridge interface, the role will
+# configure a SNAT firewall rule using the primary IP address of the default
+# gateway interface. This is good for hosts in a static environment, where the
+# host's IP address doesn't change.
+#
+# If your host is used in a dynamic environment or switches between different
+# environments, you can set this variable to ``True`` and the role will use the
+# MASQUERADE firewall rule instead to modify packets on the fly with current
+# outgoing IPv4 address. This can be changed on the interface level as well.
+ifupdown__default_nat_masquerade: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Default network interface layout [[[
+# ------------------------------------
+
+# .. envvar:: ifupdown__external_interface [[[
+#
+# Name of the physical network interface which is assumed by the role to be an
+# "external" interface. This is usually the default network interface.
+ifupdown__external_interface: '{{ ansible_local.ifupdown.external_interface | d(lookup("template", "lookup/ifupdown__external_interface.j2", convert_data=False) | from_yaml) }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__internal_interface [[[
+#
+# Name of the physical network interface which is assumed by the role to be an
+# "internal" interface. This will be one of the non-default network interfaces,
+# chosen in alphabetical order.
+ifupdown__internal_interface: '{{ ansible_local.ifupdown.internal_interface | d(lookup("template", "lookup/ifupdown__internal_interface.j2", convert_data=False) | from_yaml) }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__interface_layout [[[
+#
+# Name of the "network interface layout" defined in the
+# :envvar:`ifupdown__default_interfaces_map` which will be used to configure
+# initial state of the network interfaces. This name is used in the
+# :envvar:`ifupdown__default_interfaces` variable to select a network layout.
+ifupdown__interface_layout: '{{ "dynamic"
+                                if (ansible_virtualization_type in ["lxc", "openvz"] and
+                                    ansible_virtualization_role == "guest")
+                                else "bridge" }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__default_interfaces_map [[[
+#
+# A YAML dictionary with different network interface configurations:
+#
+# ``static``
+#   One Ethernet primary interface with static configuration taken from Ansible
+#   facts.
+#
+# ``dynamic``
+#   One or two Ethernet interfaces with DHCP configuration.
+#
+# ``bridge``
+#   One or two Ethernet interfaces with bridges attached to them, each bridge
+#   uses DHCP configuration.
+#
+# ``manual``
+#   Do not use any network interface layout and do not configure any interface.
+#
+# The default interface configuration can be modified by other
+# ``ifupdown__*_interfaces`` variables if necessary.
+# See the :ref:`ifupdown__ref_interfaces` documentation for more details.
+ifupdown__default_interfaces_map:
+
+  'static':
+
+    'external':
+      iface: '{{ ansible_default_ipv4.interface | d("") }}'
+      inet: 'static'
+      inet6: 'auto'
+      address: '{{ (ansible_default_ipv4.address | d("") + "/" +
+                    ansible_default_ipv4.netmask | d("")) }}'
+      gateway: '{{ ansible_default_ipv4.gateway | d("") }}'
+      dns_nameservers: '{{ ansible_dns.nameservers | d(False) }}'
+      dns_search: '{{ ansible_dns.search | d(False) }}'
+
+  'dynamic':
+
+    'external':
+      iface: '{{ ifupdown__external_interface }}'
+      inet: 'dhcp'
+      inet6: 'auto'
+      state: '{{ "present"
+                 if ifupdown__external_interface in ansible_interfaces
+                 else "ignore" }}'
+
+    'internal':
+      iface: '{{ ifupdown__internal_interface }}'
+      inet: 'dhcp'
+      inet6: 'auto'
+      state: '{{ "present"
+                 if ifupdown__internal_interface in ansible_interfaces
+                 else "ignore" }}'
+
+    'br0':
+      state: '{{ "absent"
+                 if (ansible_local.ifupdown.interface_layout | d() == "bridge")
+                 else "ignore" }}'
+
+    'br1':
+      state: '{{ "absent"
+                 if (ansible_local.ifupdown.interface_layout | d() == "bridge")
+                 else "ignore" }}'
+
+  'bridge':
+
+    'external':
+      iface: '{{ ifupdown__external_interface }}'
+      inet: 'manual'
+      inet6: False
+      state: '{{ "present"
+                 if ifupdown__external_interface in ansible_interfaces
+                 else "ignore" }}'
+
+    'internal':
+      iface: '{{ ifupdown__internal_interface }}'
+      inet: 'manual'
+      inet6: False
+      state: '{{ "present"
+                 if ifupdown__internal_interface in ansible_interfaces
+                 else "ignore" }}'
+
+    'br0':
+      inet: 'dhcp'
+      inet6: 'auto'
+      type: 'bridge'
+      forward: True
+      bridge_ports: '{{ ifupdown__external_interface }}'
+      state: '{{ "present"
+                 if ifupdown__external_interface in ansible_interfaces
+                 else "ignore" }}'
+
+    'br1':
+      inet: 'dhcp'
+      inet6: 'auto'
+      type: 'bridge'
+      forward: True
+      bridge_ports: '{{ ifupdown__internal_interface }}'
+      state: '{{ "present"
+                 if ifupdown__internal_interface in ansible_interfaces
+                 else "ignore" }}'
+
+  'manual': {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Network interface configuration [[[
+# -----------------------------------
+
+# These variables are YAML dictionaries with network interface definitions.
+# See :ref:`ifupdown__ref_interfaces` documentation for more details.
+
+# .. envvar:: ifupdown__ethernet_interfaces [[[
+#
+# YAML dictionary which holds the basic information about the Ethernet
+# interfaces detected by the role.
+ifupdown__ethernet_interfaces: '{{ lookup("template", "lookup/ifupdown__ethernet_interfaces.j2", convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__default_interfaces [[[
+#
+# YAML dictionary which holds the default configuration applied to the network
+# interfaces, depending on the selected interface layout.
+ifupdown__default_interfaces: '{{ ifupdown__default_interfaces_map[ifupdown__interface_layout] | d({}) }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__interfaces [[[
+#
+# YAML dictionary which holds the configuration of network interfaces for all
+# hosts in the Ansible inventory.
+ifupdown__interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__group_interfaces [[[
+#
+# YAML dictionary which holds the configuration of network interfaces for hosts
+# in a specific Ansible inventory group.
+ifupdown__group_interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__host_interfaces [[[
+#
+# YAML dictionary which holds the configuration of network interfaces for
+# specific hosts in the Ansible inventory.
+ifupdown__host_interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__dependent_interfaces [[[
+#
+# YAML dictionary which holds the configuration of network interfaces defined
+# by other Ansible roles via dependent variables.
+ifupdown__dependent_interfaces: {}
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__combined_interfaces [[[
+#
+# YAML dictionary which combines all of the other network interface
+# configuration variables and is used in the role tasks and templates to
+# generate the configuration.
+ifupdown__combined_interfaces: '{{ lookup("template", "lookup/ifupdown__combined_interfaces.j2", convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom ifupdown hooks [[[
+# -------------------------
+
+# .. envvar:: ifupdown__custom_hooks [[[
+#
+# List of custom hooks created by the ``debops.ifupdown`` role. See
+# :ref:`ifupdown__ref_custom_hooks` for more details.
+ifupdown__custom_hooks:
+
+  - name: 'filter-dhcp-options'
+    hook: 'etc/dhcp/dhclient-enter-hooks.d/filter-dhcp-options'
+    mode: '0644'
+    state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom configuration files [[[
+# ------------------------------
+
+# You can create custom configuration files on remote hosts if needed to
+# further configure the network interfaces.
+# See :ref:`ifupdown__ref_custom_files` for more details.
+
+# .. envvar:: ifupdown__custom_files [[[
+#
+# Manage custom files on all hosts in Ansible inventory.
+ifupdown__custom_files: []
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__custom_group_files [[[
+#
+# Manage custom files on hosts in specific Ansible inventory group.
+ifupdown__custom_group_files: []
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__custom_host_files [[[
+#
+# Manage custom files on specific hosts in Ansible inventory.
+ifupdown__custom_host_files: []
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__custom_dependent_files [[[
+#
+# Manage custom files defined by other Ansible roles through the role dependent
+# variables.
+ifupdown__custom_dependent_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: ifupdown__ferm__dependent_rules [[[
+#
+# Configuration for :ref:`debops.ferm`, generated dynamically from the
+# network interface configuration and passed to the role through a variable.
+ifupdown__ferm__dependent_rules: '{{ lookup("template", "lookup/ifupdown__ferm__dependent_rules.j2", convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__kmod__dependent_load [[[
+#
+# Configuration for :ref:`debops.kmod`, generated dynamically from the
+# network interface configuration and passed to the role through a variable.
+ifupdown__kmod__dependent_load: '{{ lookup("template", "lookup/ifupdown__kmod__dependent_load.j2", convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ifupdown__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+ifupdown__sysctl__dependent_parameters: '{{ lookup("template",
+                                            "lookup/ifupdown__sysctl__dependent_parameters.j2",
+                                            convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Role metadata [[[
+# -----------------
+
+# .. envvar:: ifupdown__role_metadata [[[
+#
+# This is a variable with the role metadata used internally by DebOps.
+ifupdown__role_metadata:
+  version: '0.3.0'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ifupdown/files/script/ifupdown-reconfigure-interfaces b/ansible_collections/debops/debops/roles/ifupdown/files/script/ifupdown-reconfigure-interfaces
new file mode 100755
index 00000000..1df6f98f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/files/script/ifupdown-reconfigure-interfaces
@@ -0,0 +1,407 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Reconfigure changed network interfaces
+# Part of the debops.ifupdown Ansible role
+# See https://github.com/debops/ansible-ifupdown/ for more details
+
+set -o nounset -o pipefail -o errexit
+
+# Get current PID for logging
+pid="$$"
+
+# Script filename to use in log messages
+script=$( basename "${0}" )
+
+# Path where reconfigure requests are stored
+interface_request_path="/run/network"
+
+# Filename prefix of reconfigure requests
+interface_request_prefix="debops-ifupdown-reconfigure"
+
+# Name of the reconfiguration request for all interfaces
+interface_reconfigure_all="networking"
+
+key_exists () {
+    # Check if an associative array has a specified key present
+    # shellcheck disable=SC2016
+    # shellcheck disable=SC2086
+    eval '[ ${'$1'[$2]+test_of_existence} ]'
+}
+
+join_by () {
+    local IFS="$1"
+    shift
+    echo "$*"
+}
+
+# Check if the init system in use is systemd
+is_systemd () {
+    if [ -d /run/systemd/system ] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# Advanced message logger
+log_message () {
+
+    local -A args
+
+    local OPTIND optchar
+
+    local optspec=":mflth-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    message)
+                        # shellcheck disable=SC2154
+                        args["message"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    message=*)
+                        args["message"]=${OPTARG#*=}
+                        ;;
+                    tag)
+                        # shellcheck disable=SC2154
+                        args["tag"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    tag=*)
+                        args["tag"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: log_message <-t|--tag[=]tag> <-m|--message[=]message>" >&2
+                exit 2
+                ;;
+            m)
+                args["message"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            t)
+                args["tag"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "message" ; then
+
+        # We are talking to a human! *wiggles tail*
+        if tty -s > /dev/null 2>&1 ; then
+            echo "${args['message']}"
+        fi
+
+        # We are talking to a syslog daemon! *wiggles tail*
+        if type logger > /dev/null 2>&1 ; then
+            logger -t "${args['tag']:-${script}}[${pid}]" "${args['message']}"
+        fi
+
+    fi
+}
+
+# Cleanup
+on_exit () {
+    rm -f "${interface_request_path}/${interface_request_prefix}",*
+}
+
+trap on_exit EXIT
+
+containsElement () {
+    local e
+    for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
+    return 1
+}
+
+# Stop the entre networking service at once
+stop_networking () {
+
+    echo "Pause for a few seconds before stopping network, to give control a bit of head start"
+    sleep 3
+    if is_systemd ; then
+        systemctl stop networking.service
+    else
+        service networking stop
+    fi
+
+}
+
+# Start the entre networking service at once
+start_networking () {
+
+    if is_systemd ; then
+        systemctl start networking.service
+    else
+        service networking start
+    fi
+
+}
+
+# Check what init we are using and bring interface down correctly
+interface_down () {
+
+    if is_systemd ; then
+
+        local -a if_hotplug_interfaces
+        local -a if_boot_interfaces
+        local -a systemd_ifup_instances
+        local systemd_escaped_interface
+        mapfile -t if_hotplug_interfaces < <(ifquery --list --allow=hotplug)
+        mapfile -t if_boot_interfaces < <(ifquery --list --allow=boot)
+        mapfile -t systemd_ifup_instances < <(systemctl list-units --no-legend --state=active 'ifup@*.service' | awk '{print $1}' | sed -e 's/^ifup\@//' -e 's/\.service$//' | xargs -0 systemd-escape -u)
+        systemd_escaped_interface="$(systemd-escape "${1}")"
+
+        if [ ${#if_hotplug_interfaces[@]} -gt 0 ] && containsElement "${1}" "${if_hotplug_interfaces[@]}" ; then
+		systemctl stop "ifup@${systemd_escaped_interface}.service"
+        elif [ ${#if_boot_interfaces[@]} -gt 0 ] && containsElement "${1}" "${if_boot_interfaces[@]}" ; then
+            if [ ${#if_hotplug_interfaces[@]} -gt 0 ] && [ ${#systemd_ifup_instances[@]} -gt 0 ] && containsElement "${1}" "${systemd_ifup_instances[@]}" ; then
+                systemctl stop "ifup@${systemd_escaped_interface}.service"
+            else
+                systemctl stop "iface@${systemd_escaped_interface}.service"
+            fi
+        fi
+    else
+        ifdown "${1}"
+    fi
+
+}
+
+# Check what init we are using and bring interface up correctly
+interface_up () {
+
+    local -a if_hotplug_interfaces
+    local -a if_boot_interfaces
+    local systemd_escaped_interface
+    mapfile -t if_hotplug_interfaces < <(ifquery --list --allow=hotplug)
+    mapfile -t if_boot_interfaces < <(ifquery --list --allow=boot)
+    systemd_escaped_interface="$(systemd-escape "${1}")"
+
+    if is_systemd ; then
+        if [ ${#if_hotplug_interfaces[@]} -gt 0 ] && containsElement "${1}" "${if_hotplug_interfaces[@]}" ; then
+            systemctl start "ifup@${systemd_escaped_interface}.service"
+        elif [ ${#if_boot_interfaces[@]} -gt 0 ] && containsElement "${1}" "${if_boot_interfaces[@]}" ; then
+            systemctl start "iface@${systemd_escaped_interface}.service"
+        fi
+    else
+        ifup "${1}"
+    fi
+
+}
+
+# Check if any interfaces have changed, if so, first stop all of them using
+# current configuration, apply the new configuration and bring the modified
+# interfaces back up
+
+if [ -d "${interface_request_path}" ] ; then
+
+    declare -a changed_interfaces
+    declare -a changed_interface_names
+    declare -a created_interfaces
+    declare -a removed_interfaces
+
+    mapfile -t changed_interfaces < <(find "${interface_request_path}" -type f -name "${interface_request_prefix},*" | sed -e "s#^${interface_request_path}/${interface_request_prefix},##" | sort -n)
+    mapfile -t changed_interface_names < <(find "${interface_request_path}" -type f -name "${interface_request_prefix},*" | sed -e "s#^${interface_request_path}/${interface_request_prefix},##" | sort -n | sed -e 's/^.*\,//')
+
+    if [ ${#changed_interfaces[@]} -gt 0 ]; then
+
+        log_message -m "Detected interfaces to reconfigure: $(join_by ',' "${changed_interface_names[@]}")"
+
+        # On hosts with systemd, the specific interface to configure might
+        # still be managed by the 'networking.service' unit, in which case it
+        # will be impossible to reconfigure it by 'ifup@.service' unit alone.
+        # Let's try to detect sich interfaces, and if detected, bring the entire
+        # networking down and hope that all of the other interfaces are
+        # configured correctly to be brought up, either by hotplug mechanism in
+        # 'networking.service', or by being in separate 'ifup@.service'
+        # instances.
+        #
+        # This will most likely break existing bridged connections.
+        declare -a systemd_ifup_instances
+        declare -a systemd_iface_instances
+        declare -a systemd_interface_instances
+        if is_systemd ; then
+            declare -a systemd_escaped_ifup_instances
+            declare -a systemd_escaped_iface_instances
+            mapfile -t systemd_escaped_ifup_instances < <(systemctl list-units --no-legend --state=active 'ifup@*.service' | awk '{print $1}' | sed -e 's/^ifup\@//' -e 's/\.service$//')
+            mapfile -t systemd_escaped_iface_instances < <(systemctl list-units --no-legend --state=active 'iface@*.service' | awk '{print $1}' | sed -e 's/^iface\@//' -e 's/\.service$//')
+            mapfile -t systemd_ifup_instances < <(for i in "${systemd_escaped_ifup_instances[@]}"; do systemd-escape -u "${i}"; done)
+            mapfile -t systemd_iface_instances < <(for i in "${systemd_escaped_iface_instances[@]}"; do systemd-escape -u "${i}"; done)
+
+            if [ ${#systemd_ifup_instances[@]} -gt 0 ]; then
+                log_message -m "Found active systemd ifup@ instances: $(join_by ',' "${systemd_escaped_ifup_instances[@]}")"
+            fi
+            if [ ${#systemd_iface_instances[@]} -gt 0 ]; then
+                log_message -m "Found active systemd iface@ instances: $(join_by ',' "${systemd_escaped_iface_instances[@]}")"
+            fi
+        else
+            # Prevent issues with unbound variable
+            systemd_ifup_instances=()
+            systemd_iface_instances=()
+        fi
+
+        systemd_interface_instances=( "${systemd_ifup_instances[@]:-}" "${systemd_iface_instances[@]:-}" )
+
+        # This will usually be used the first time the script tries to
+        # reconfigure networks. At this time we don't really know what's set up
+        # where, so disable all networking.
+        if containsElement "${interface_reconfigure_all}" "${changed_interface_names[@]}" ; then
+
+            log_message -m "Shutting down networking service in the unknown state"
+            stop_networking
+
+            # This means that all 'ifup@.service' instances are
+            # now desynchronized and broken. We need to stop all
+            # of them and bring them later.
+            if [ ${#systemd_interface_instances[@]} -gt 0 ]; then
+                for ifup_iface in "${systemd_ifup_instances[@]:-}" ; do
+                    log_message -m "Bringing down '${ifup_iface}' interface in the unknown state"
+                    interface_down "${ifup_iface}"
+                done
+            fi
+        fi
+
+        # Make sure that all relevant interfaces are down, shutting them down in reverse order
+        #for iface in ${changed_interfaces[@]} ; do
+        for ((i=${#changed_interfaces[@]}-1; i>=0; i--)) ; do
+            iface="${changed_interfaces[${i}]}"
+            # shellcheck disable=SC2001
+            iface_name=$(echo "${iface}" | sed -e s'/^.*\,//')
+            if [ "${iface}" != "${interface_reconfigure_all}" ] ; then
+                if [ "$(<"${interface_request_path}/${interface_request_prefix},${iface}")" != "created" ] ; then
+
+                    if ifquery --state "${iface_name}" > /dev/null 2>&1 ; then
+                        log_message -m "Bringing down '${iface_name}' interface"
+                        interface_down "${iface_name}"
+                    else
+                        log_message -m "The '${iface_name}' interface is inactive"
+                    fi
+
+                    # If the interface is still up it probably means that it's
+                    # stuck in the systemd 'networking.service' unit.
+                    # It's time to bring down everything, and then bring it
+                    # back up to get back to the known state.
+                    if ifquery --state "${iface_name}" > /dev/null 2>&1 ; then
+
+                        # The interface in question was definitely not set up by 'ifup@.service'
+                        if containsElement "${iface_name}" "${systemd_interface_instances[@]:-}" ; then
+
+                            log_message -m "The '${iface_name}' interface is still active, shutting down networking service"
+                            stop_networking
+
+                            # This means that all 'ifup@.service' instances are
+                            # now desynchronized and broken. We need to stop all
+                            # of them and bring them later.
+                            if [ ${#systemd_interface_instances[@]} -gt 0 ]; then
+                                for ifup_iface in "${systemd_interface_instances[@]:-}" ; do
+                                    log_message -m "Bringing down '${ifup_iface}' interface due to desynchronized networking"
+                                    interface_down "${ifup_iface}"
+                                done
+                            fi
+
+                        else
+
+                            # This probably shouldn't happen
+                            log_message -m "Error: Script was working on '${iface_name}' network interface when it lost knowledge about the network interface state. The '/etc/network/interfaces.d/' might be desynchronized. Exiting to avoid loss of connectivity, investigate the issue."
+                            exit 1
+
+                        fi
+
+                    fi
+
+                else
+                    log_message -m "The '${iface_name}' network interface is a new interface, nothing to bring down"
+                    created_interfaces+=( "${iface_name}" )
+                fi
+            fi
+        done
+
+        # Apply new interface configuration
+        log_message -m "Synchronizing /etc/network/interfaces.d/ configuration"
+        rsync -a --delete /etc/network/interfaces.config.d/ /etc/network/interfaces.d
+
+        # This is usually used the first time the network interfaces are reconfigured
+        if containsElement "${interface_reconfigure_all}" "${changed_interface_names[@]}" ; then
+
+            log_message -m "Starting up networking service"
+            start_networking
+
+        fi
+
+        # On systemd hosts it might be possible that the networking was
+        # disabled because interfaces were desynchronized. In this case, let's
+        # bring it back up first
+        if is_systemd ; then
+            if ! systemctl is-active networking.service > /dev/null 2>&1 ; then
+                log_message -m "Starting up networking service after desynchronization"
+                start_networking
+            fi
+        fi
+
+        # Make sure that all relevant interface are up
+        for iface in "${changed_interfaces[@]}" ; do
+            # shellcheck disable=SC2001
+            iface_name=$(echo "${iface}" | sed -e s'/^.*\,//')
+            if [ "${iface}" != "${interface_reconfigure_all}" ] ; then
+                if [ "$(<"${interface_request_path}/${interface_request_prefix},${iface}")" != "removed" ] ; then
+
+                    if ! ifquery --state "${iface_name}" > /dev/null 2>&1 ; then
+                        log_message -m "Bringing up '${iface_name}' interface"
+                        interface_up "${iface_name}"
+                    fi
+
+                else
+                    log_message -m "The '${iface_name}' network interface was removed, nothing to bring up"
+                    removed_interfaces+=( "${iface_name}" )
+                fi
+            fi
+        done
+
+        # If we have some interfaces configured by 'ifup@.service', if they are
+        # down, they probably should be up by now. If not, bring them up.
+        if [ ${#systemd_interface_instances[@]} -gt 0 ]; then
+            for ifup_iface in "${systemd_interface_instances[@]}" ; do
+
+                if ! containsElement "${ifup_iface}" "${removed_interfaces[@]:-}" \
+                && ! containsElement "${ifup_iface}" "${created_interfaces[@]:-}" ; then
+                    if ! ifquery --state "${ifup_iface}" > /dev/null 2>&1 ; then
+                        log_message -m "Bringing up '${ifup_iface}' interface after desynchronization"
+                        interface_up "${ifup_iface}"
+                    fi
+                fi
+
+            done
+        fi
+
+        # Stop and disable systemd-networkd service
+        if is_systemd ; then
+            if systemctl is-active systemd-networkd.service > /dev/null 2>&1 ; then
+               log_message -m "Disabling systemd-networkd service"
+               systemctl stop systemd-networkd
+               systemctl disable systemd-networkd.service
+               systemctl disable systemd-networkd.socket
+            fi
+        fi
+
+        log_message -m "Interface configuration finished, have a nice day"
+
+    else
+
+        log_message -m "No interface reconfiguration requested"
+
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/ifupdown/handlers/main.yml b/ansible_collections/debops/debops/roles/ifupdown/handlers/main.yml
new file mode 100644
index 00000000..7d7ca66a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Apply ifupdown configuration
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.script: 'script/ifupdown-reconfigure-interfaces'
+  when: ifupdown__reconfigure_auto | bool
diff --git a/ansible_collections/debops/debops/roles/ifupdown/meta/main.yml b/ansible_collections/debops/debops/roles/ifupdown/meta/main.yml
new file mode 100644
index 00000000..d1e804a6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage network interface configuration in /etc/network/interfaces'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - system
diff --git a/ansible_collections/debops/debops/roles/ifupdown/tasks/divert_interfaces.yml b/ansible_collections/debops/debops/roles/ifupdown/tasks/divert_interfaces.yml
new file mode 100644
index 00000000..c8deb44e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/tasks/divert_interfaces.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Divert original /etc/network/interfaces
+  debops.debops.dpkg_divert:
+    path: '/etc/network/interfaces'
+  register: ifupdown__register_divert
+
+- name: Provide original interface configuration temporarily
+  ansible.builtin.copy:  # noqa no-handler
+    src: '/etc/network/interfaces.dpkg-divert'
+    dest: '{{ ifupdown__reconfigure_init_file }}'
+    remote_src: True
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: ifupdown__register_divert is changed and not ansible_check_mode | bool
+
+- name: Remove redundant configuration
+  ansible.builtin.lineinfile:  # noqa no-handler
+    dest: '{{ ifupdown__reconfigure_init_file }}'
+    regexp: '{{ item }}'
+    state: 'absent'
+  with_items:
+    - '^source /etc/network/interfaces.d/*'
+    - '^auto lo'
+    - '^iface lo inet loopback'
+  when: ifupdown__register_divert is changed
+
+- name: Create /etc/network/interfaces
+  ansible.builtin.template:
+    src: 'etc/network/interfaces.j2'
+    dest: '/etc/network/interfaces'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: ifupdown__register_main_config
+
+- name: Ensure that runtime directory exists
+  ansible.builtin.file:  # noqa no-handler
+    path: '/run/network'
+    state: 'directory'
+    mode: '0755'
+  when: (ifupdown__register_divert is changed or
+         ifupdown__register_main_config is changed)
+
+- name: Request entire network reconfiguration
+  ansible.builtin.copy:  # noqa no-handler
+    content: 'init'
+    dest: '/run/network/debops-ifupdown-reconfigure.networking'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Apply ifupdown configuration' ]
+  when: (ifupdown__register_divert is changed or
+         ifupdown__register_main_config is changed)
diff --git a/ansible_collections/debops/debops/roles/ifupdown/tasks/ifup_systemd.yml b/ansible_collections/debops/debops/roles/ifupdown/tasks/ifup_systemd.yml
new file mode 100644
index 00000000..c3bab655
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/tasks/ifup_systemd.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check systemd version
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && systemd --version | head -n 1 | awk '{print $2}'
+  args:
+    executable: 'bash'
+  register: ifupdown__register_systemd_version
+  check_mode: False
+  changed_when: False
+
+- name: Install custom ifupdown services
+  ansible.builtin.template:
+    src: 'etc/systemd/system/{{ item }}.j2'
+    dest: '/etc/systemd/system/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'iface@.service'
+    - 'ifup-wait-all-auto.service'
+    - 'ifup-allow-boot.service'
+  register: ifupdown__register_systemd_services
+
+- name: Reload systemd services
+  ansible.builtin.systemd:  # noqa no-handler
+    daemon_reload: True
+  when: ifupdown__register_systemd_services is changed
+
+  ## https://stackoverflow.com/a/28888474
+- name: Test if Ansible is running in check mode
+  ansible.builtin.command: /bin/true
+  changed_when: False
+  register: ifupdown__register_check_mode
+
+- name: Enable custom ifupdown services
+  ansible.builtin.service:
+    name: '{{ item }}'
+    enabled: True
+  with_items: [ 'ifup-wait-all-auto', 'ifup-allow-boot' ]
+  when: ifupdown__register_check_mode is not skipped
diff --git a/ansible_collections/debops/debops/roles/ifupdown/tasks/main.yml b/ansible_collections/debops/debops/roles/ifupdown/tasks/main.yml
new file mode 100644
index 00000000..cb371fc5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/tasks/main.yml
@@ -0,0 +1,200 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save ifupdown local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ifupdown.fact.j2'
+    dest: '/etc/ansible/facts.d/ifupdown.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (ifupdown__base_packages
+                              + ifupdown__dynamic_packages
+                              + ifupdown__packages)) }}'
+    state: 'present'
+  register: ifupdown__register_packages
+  until: ifupdown__register_packages is succeeded
+
+- name: Purge conflicting packages
+  ansible.builtin.apt:
+    name: '{{ q("flattened", ifupdown__purge_packages) }}'
+    state: 'absent'
+    purge: True
+
+- name: Create custom ifupdown systemd services
+  ansible.builtin.include_tasks: ifup_systemd.yml
+  when: ansible_service_mgr == 'systemd'
+
+- name: Reset network configuration on role upgrade
+  ansible.builtin.file:
+    path: '/etc/network/interfaces.config.d'
+    state: 'absent'
+  when: (ansible_local | d() and ansible_local.debops_fact | d() and
+         ansible_local.debops_fact.enabled | bool and
+         (ansible_local.debops_fact.version is undefined or
+          (ansible_local.debops_fact.version.ifupdown | d("0.0.0") is version_compare("0.3.0", "<"))))
+
+- name: Create configuration directories
+  ansible.builtin.file:
+    path:   '{{ item }}'
+    state:  'directory'
+    owner:  'root'
+    group:  'root'
+    mode:   '0755'
+  with_items:
+    - '/etc/network/interfaces.d'
+    - '/etc/network/interfaces.config.d'
+
+- name: Preserve original network configuration
+  ansible.builtin.include_tasks: divert_interfaces.yml
+
+- name: Remove network interface configuration
+  ansible.builtin.file:
+    dest: '/etc/network/interfaces.config.d/{{ "%03d" | format((ifupdown__interface_weight_map[item.value.weight_class
+                                                                | d(item.value.type | d("default"))] | d("90")) | int
+                                               + (item.value.weight | d("0")) | int) }}_iface_{{ item.value.iface
+                                                                                               | d(item.key) }}'
+    state: 'absent'
+  with_dict: '{{ ifupdown__combined_interfaces }}'
+  register: ifupdown__register_interfaces_removed
+  when: item.value.state | d('present') == 'absent'
+
+- name: Generate network interface configuration
+  ansible.builtin.template:
+    src: 'etc/network/interfaces.d/iface.j2'
+    dest: '/etc/network/interfaces.config.d/{{ "%03d" | format((ifupdown__interface_weight_map[item.value.weight_class
+                                                                | d(item.value.type | d("default"))] | d("90")) | int
+                                               + (item.value.weight | d("0")) | int) }}_iface_{{ item.value.iface
+                                                                                               | d(item.key) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.value.mode | d("0644") }}'
+  with_dict: '{{ ifupdown__combined_interfaces }}'
+  register: ifupdown__register_interfaces_created
+  when: item.value.state | d('present') not in ['absent', 'ignore']
+
+- name: Remove unknown interface configuration
+  ansible.builtin.shell: find /etc/network/interfaces.config.d -maxdepth 1 -type f
+         -name '*_iface_{{ item.item.value.iface | d(item.item.key) }}'
+         ! -name '{{ "%03d" | format((ifupdown__interface_weight_map[item.item.value.weight_class
+                                      | d(item.item.value.type | d("default"))] | d("90")) | int
+                     + (item.item.value.weight | d("0")) | int) }}_iface_{{ item.item.value.iface | d(item.item.key) }}'
+         -exec rm -vf {} +
+  with_items:  # noqa no-handler
+    - '{{ ifupdown__register_interfaces_removed.results }}'
+    - '{{ ifupdown__register_interfaces_created.results }}'
+  register: ifupdown__register_iface_cleanup
+  changed_when: ifupdown__register_iface_cleanup.changed | bool
+  when: (item.item.key | d() and item is changed)
+
+- name: Mark modified interfaces for processing
+  ansible.builtin.copy:  # noqa no-handler
+    content: |
+      {{ ("created"
+          if ((item.item.key | replace(':', '_') | replace('.', '_')) not in ansible_interfaces and
+              (item.diff is undefined or
+               (item.diff | d() and item.diff.after | d() and
+                item.diff.after_header | d() and
+                item.diff.after_header == "dynamically generated")))
+          else ("removed"
+                if (item.diff | d() and item.diff.after | d() and
+                    item.diff.after.state | d() and
+                    item.diff.after.state == "absent")
+                else "changed")) }}
+    dest: '{{ "/run/network/debops-ifupdown-reconfigure," +
+              ("%03d" | format(((ifupdown__interface_weight_map[item.item.value.weight_class
+                                 | d(item.item.value.type | d("default"))]
+                                 | d(ifupdown__interface_weight_map["default"] | d("90"))) | int
+               + (item.item.value.weight | d("0")) | int))) | string + ","
+               + (item.item.value.iface | d(item.item.key)) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - '{{ ifupdown__register_interfaces_removed.results }}'
+    - '{{ ifupdown__register_interfaces_created.results }}'
+  notify: [ 'Apply ifupdown configuration' ]
+  when: (item.item.key | d() and item is changed)
+
+- name: Remove custom configuration files
+  ansible.builtin.file:
+    path:  '{{ item.dest | d(item.path) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", ifupdown__custom_files
+                           + ifupdown__custom_group_files
+                           + ifupdown__custom_host_files
+                           + ifupdown__custom_dependent_files) }}'
+  when: ((item.dest | d() or item.path | d()) and
+         item.state | d('present') == 'absent')
+
+- name: Generate custom configuration files
+  ansible.builtin.copy:
+    dest:    '{{ item.dest | d(item.path) }}'
+    src:     '{{ item.src | d(omit) }}'
+    content: '{{ item.content | d(omit) }}'
+    owner:   '{{ item.owner | d("root") }}'
+    group:   '{{ item.group | d("root") }}'
+    mode:    '{{ item.mode | d("0644") }}'
+    force:   '{{ item.force | d(omit) }}'
+  loop: '{{ q("flattened", ifupdown__custom_files
+                           + ifupdown__custom_group_files
+                           + ifupdown__custom_host_files
+                           + ifupdown__custom_dependent_files) }}'
+  when: ((item.dest | d() or item.path | d()) and
+         (item.src | d() or item.content | d()) and
+         item.state | d('present') != 'absent')
+
+- name: Remove custom ifupdown hooks
+  ansible.builtin.file:
+    path: '{{ item.dest | d("/" + item.hook) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", ifupdown__custom_hooks) }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Install custom ifupdown hooks
+  ansible.builtin.template:
+    src:  '{{ item.src | d(item.hook + ".j2") }}'
+    dest: '{{ item.dest | d("/" + item.hook) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode | d("0755") }}'
+  loop: '{{ q("flattened", ifupdown__custom_hooks) }}'
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Install reconfiguration script if needed
+  ansible.builtin.copy:
+    src: 'script/ifupdown-reconfigure-interfaces'
+    dest: '{{ ifupdown__reconfigure_script_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: not ifupdown__reconfigure_auto | bool
+
+- name: Save role version information
+  community.general.ini_file:
+    dest: '{{ ansible_local.debops_fact.public_facts | d("/etc/ansible/debops_fact.ini") }}'
+    section: 'version'
+    option: 'ifupdown'
+    value: '{{ ifupdown__role_metadata.version }}'
+    mode: '0644'
+  when: ansible_local | d() and ansible_local.debops_fact | d() and
+        ansible_local.debops_fact.enabled | bool
diff --git a/ansible_collections/debops/debops/roles/ifupdown/tasks/main_env.yml b/ansible_collections/debops/debops/roles/ifupdown/tasks/main_env.yml
new file mode 100644
index 00000000..256379d7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/tasks/main_env.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare configuration of dependent Ansible roles
+  ansible.builtin.set_fact:
+    ifupdown__env_ferm__dependent_rules: '{{ ifupdown__ferm__dependent_rules }}'
+    ifupdown__env_kmod__dependent_load:  '{{ ifupdown__kmod__dependent_load }}'
+    ifupdown__env_sysctl__dependent_parameters: '{{ ifupdown__sysctl__dependent_parameters }}'
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/ansible/facts.d/ifupdown.fact.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/ansible/facts.d/ifupdown.fact.j2
new file mode 100644
index 00000000..d6243b4a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/ansible/facts.d/ifupdown.fact.j2
@@ -0,0 +1,65 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+# Workaround for Jinja template in a Python script
+"""
+{% set ifupdown__tpl_dependent_interfaces = [] %}
+{% set ifupdown__tpl_dependent_interfaces_absent = [] %}
+{% if ifupdown__dependent_interfaces %}
+{%   for interface, params in ifupdown__dependent_interfaces.items() %}
+{%     set interface_name = (params.iface | d(interface)) %}
+{%     if params.state | d('present') in [ 'present', 'ignore' ] %}
+{%       set _ = ifupdown__tpl_dependent_interfaces.append(interface_name) %}
+{%     elif params.state | d('present') == 'absent' %}
+{%       set _ = ifupdown__tpl_dependent_interfaces_absent.append(
+                     interface_name) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if ansible_local.ifupdown.dependent_interfaces | d() %}
+{%   for element in ansible_local.ifupdown.dependent_interfaces %}
+{%     if element not in ifupdown__tpl_dependent_interfaces_absent and
+          element not in ifupdown__tpl_dependent_interfaces %}
+{%       set _ = ifupdown__tpl_dependent_interfaces.append(element) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+"""
+
+output = loads('''{
+    "configured": true,
+    "dependent_interfaces": {{ ifupdown__tpl_dependent_interfaces
+                               | to_nice_json }},
+    "external_interface": "{{ ansible_local.ifupdown.external_interface
+                               | d(ifupdown__external_interface) }}",
+    "interface_layout": "{{ ifupdown__interface_layout }}",
+    "internal_interface": "{{ ansible_local.ifupdown.internal_interface
+                               | d(ifupdown__internal_interface) }}"
+}''')
+
+network_commands = ['/lib/systemd/systemd-networkd',
+                    '/usr/sbin/NetworkManager',
+                    '/sbin/ifup',
+                    '/usr/sbin/netplan']
+
+known_managers = []
+
+for command in network_commands:
+    if os.path.exists(command) and os.access(command, os.X_OK):
+        known_managers.append(command)
+
+output['known_managers'] = known_managers
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/dhcp/dhclient-enter-hooks.d/filter-dhcp-options.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/dhcp/dhclient-enter-hooks.d/filter-dhcp-options.j2
new file mode 100644
index 00000000..ff5e07f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/dhcp/dhclient-enter-hooks.d/filter-dhcp-options.j2
@@ -0,0 +1,45 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# vim:ft=sh
+
+# Hook installed by the 'debops.ifupdown' Ansible role
+
+# This hook is sourced directly into the dhclient-script(8) environment, be
+# careful about messing around in it. Bourne shell (/bin/sh) features are used
+# here.
+
+# This hook can be used to filter incoming DHCP options per the network
+# interface and ignore unwanted ones. See the dhclient-script(8) for
+# information about how this script is used by 'dhclient', and dhcp-options(5)
+# for information about possible DHCP options which can be ignored.
+
+
+case "$reason" in
+    BOUND|RENEW|REBIND|REBOOT|TIMEOUT)
+
+        case "$interface" in
+{% for interface, options in ifupdown__combined_interfaces.items() %}
+{%   if (options.state | d('present') != 'absent' and
+         options.dhcp_ignore is defined and options.dhcp_ignore) %}
+{% set dhcp_ignore = ([ options.dhcp_ignore ] if (options.dhcp_ignore is string) else options.dhcp_ignore) %}
+
+            {{ interface }})
+                echo "Ignoring DHCP options received via '${interface}' interface: {{ dhcp_ignore | join(',') }}"
+                unset {{ dhcp_ignore | join(' ') }}
+                ;;
+{%   endif %}
+{% endfor %}
+
+            *)
+                ;;
+
+        esac
+
+        ;;
+
+esac
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.d/iface.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.d/iface.j2
new file mode 100644
index 00000000..81e97833
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.d/iface.j2
@@ -0,0 +1,194 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+# {{ ansible_managed }}
+
+{% set interface_name = (item.value.iface | d(item.key)) %}
+{% set interface = item.value %}
+{% set ifupdown__tpl_addresses = [] %}
+{% set ifupdown__tpl_ipv4_addresses = [] %}
+{% set ifupdown__tpl_ipv6_addresses = [] %}
+{% if interface.no_addresses is undefined or not interface.no_addresses | bool %}
+{%   set ifupdown__tpl_addresses = (debops__tpl_macros.flattened(interface.address, interface.addresses) | from_yaml) | unique %}
+{%   set ifupdown__tpl_ipv4_addresses = ifupdown__tpl_addresses | ansible.utils.ipv4 %}
+{%   set ifupdown__tpl_ipv6_addresses = ifupdown__tpl_addresses | ansible.utils.ipv6 %}
+{%   set ifupdown__tpl_gateways = (debops__tpl_macros.flattened(interface.gateway, interface.gateways) | from_yaml) | unique %}
+{%   set ifupdown__tpl_ipv4_gateways = ifupdown__tpl_gateways | unique | ansible.utils.ipv4 %}
+{%   set ifupdown__tpl_ipv6_gateways = ifupdown__tpl_gateways | unique | ansible.utils.ipv6 %}
+{% endif %}
+{% if interface.inet | d() and interface.inet in [ 'static', 'tunnel' ] and not ifupdown__tpl_ipv4_addresses %}
+{%   set _ = interface.update({"inet":"manual"}) %}
+{% endif %}
+{% if interface.inet6 | d() and interface.inet6 in [ 'static', 'v4tunnel' ] and not ifupdown__tpl_ipv6_addresses %}
+{%   set _ = interface.update({"inet6":"manual"}) %}
+{% endif %}
+{% if interface.comment | d() %}
+{{ (interface.comment if interface.comment is string else interface.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% set ifupdown__tpl_allow = [] %}
+{% if interface.auto | d() and interface.auto | bool %}
+{%   set _ = ifupdown__tpl_allow.append('auto') %}
+{% endif %}
+{% if interface.allow | d() %}
+{%   if interface.allow is iterable %}
+{%     for thing in ([ interface.allow ] if interface.allow is string else interface.allow) %}
+{%       set _ = ifupdown__tpl_allow.append(thing) %}
+{%     endfor %}
+{%   else %}
+{%     if interface.allow | bool %}
+{%       set _ = ifupdown__tpl_allow.append('hotplug') %}
+{%     endif %}
+{%   endif %}
+{% endif %}
+{% if ifupdown__tpl_allow %}
+{%   for thing in ifupdown__tpl_allow | unique %}
+allow-{{ thing }} {{ interface_name }}
+{%   endfor %}
+{% if interface.comment4 | d() %}
+
+{% endif %}
+{% endif %}
+{% set ifupdown__tpl_separate_stanza = [] %}
+{% if interface.comment6 | d() %}
+{%   set _ = ifupdown__tpl_separate_stanza.append(True) %}
+{% endif %}
+{% if interface.type | d('ether') in [ 'ether', 'bridge', 'bonding', 'vlan', '6to4', 'tunnel', 'ppp' ] %}
+{%   if interface.inet | d() and interface.inet in [ 'loopback', 'static', 'manual', 'dhcp', 'bootp', 'tunnel', 'ppp', 'wvdial', 'ipv4ll' ] %}
+{%     if interface.comment4 | d() %}
+{{ (interface.comment4 if interface.comment4 is string else interface.comment4 | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+iface {{ interface_name }} inet {{ interface.inet }}
+{%     if interface.inet == 'static' and ifupdown__tpl_ipv4_addresses %}
+    address         {{ ifupdown__tpl_ipv4_addresses[0] | ansible.utils.ipaddr('address') }}
+    netmask         {{ ifupdown__tpl_ipv4_addresses[0] | ansible.utils.ipaddr('netmask') }}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+{%       if ifupdown__tpl_ipv4_addresses | length > 1 %}
+{%         for address in ifupdown__tpl_ipv4_addresses[1:] %}
+    up              ip addr add {{ address }} dev {{ interface_name }} label {{ interface_name }}:{{ loop.index0 }}
+    down            ip addr del {{ address }} dev {{ interface_name }} label {{ interface_name }}:{{ loop.index0 }}
+{%         endfor %}
+{%       endif %}
+{%     elif interface.inet != 'static' and ifupdown__tpl_ipv4_addresses %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+{%       for address in ifupdown__tpl_ipv4_addresses %}
+    up              ip addr add {{ address }} dev {{ interface_name }} label {{ interface_name }}:{{ loop.index0 }}
+    down            ip addr del {{ address }} dev {{ interface_name }} label {{ interface_name }}:{{ loop.index0 }}
+{%       endfor %}
+{%     endif %}
+{%     if ifupdown__tpl_ipv4_gateways %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    gateway         {{ ifupdown__tpl_ipv4_gateways | first }}
+{%     endif %}
+{%     if interface.dns_nameservers | d() %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    dns-nameservers {{ (([ interface.dns_nameservers ]) if interface.dns_nameservers is string else interface.dns_nameservers) | join(' ') }}
+{%     endif %}
+{%     if interface.dns_search | d() %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    dns-search      {{ (([ interface.dns_search ]) if interface.dns_search is string else interface.dns_search) | join(' ') }}
+{%     endif %}
+{%     if interface.type | d() and interface.type == 'bridge' %}
+{%       for param_name in interface.keys() | sort %}
+{%         if param_name.startswith(('bridge_', 'bridge-')) and interface[param_name] %}
+{%           set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    {{ param_name }} {{ (([ interface[param_name] ]) if (interface[param_name] is string) else interface[param_name]) | join(' ') }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if interface.type | d() and interface.type == 'vlan' %}
+{%       if interface.vlan_device | d() %}
+{%         set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    vlan_raw_device {{ interface.vlan_device }}
+{%       elif interface.vlan_raw_device | d() %}
+{%         set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    vlan_raw_device {{ interface.vlan_raw_device }}
+{%       endif %}
+{%     endif %}
+{%     if interface.type | d() and interface.type == 'bonding' %}
+{%       if interface.slaves | d() %}
+{%         set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    slaves          {{ (([ interface.slaves ]) if interface.slaves is string else interface.slaves) | join(' ') }}
+{%       endif %}
+{%       for param_name in interface.keys() | sort %}
+{%         if param_name.startswith(('bond_', 'bond-')) and interface[param_name] %}
+{%           set _ = ifupdown__tpl_separate_stanza.append(True) %}
+    {{ param_name }} {{ (([ interface[param_name] ]) if (interface[param_name] is string) else interface[param_name]) | join(' ') }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if interface.options4 | d(interface.options | d()) %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+{{ (interface.options4 | d(interface.options)) | indent(4, true) }}
+{%     endif %}
+{%     if interface.add_options4 | d(interface.add_options | d()) %}
+{%       set _ = ifupdown__tpl_separate_stanza.append(True) %}
+{{ (interface.add_options4 | d(interface.add_options)) | indent(4, true) }}
+{%     endif %}
+{%     if (interface.inet6 | d() and ifupdown__tpl_separate_stanza) %}
+
+{%     endif %}
+{%   endif %}
+{%   if interface.inet6 | d() and interface.inet6 in [ 'auto', 'loopback', 'static', 'manual', 'dhcp', 'v4tunnel', '6to4' ] %}
+{%     if interface.comment6 | d() %}
+{{ (interface.comment6 if interface.comment6 is string else interface.comment6 | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+iface {{ interface_name }} inet6 {{ interface.inet6 }}
+{%     if interface.inet6 == 'static' and ifupdown__tpl_ipv6_addresses %}
+    address         {{ ifupdown__tpl_ipv6_addresses[0] }}
+{%       if ifupdown__tpl_ipv6_addresses | length > 1 %}
+{%         for address in ifupdown__tpl_ipv6_addresses[1:] %}
+    up              ip addr add {{ address }} dev {{ interface_name }}
+    down            ip addr del {{ address }} dev {{ interface_name }}
+{%         endfor %}
+{%       endif %}
+{%     elif interface.inet6 != 'static' and ifupdown__tpl_ipv6_addresses %}
+{%       for address in ifupdown__tpl_ipv6_addresses %}
+    up              ip addr add {{ address }} dev {{ interface_name }}
+    down            ip addr del {{ address }} dev {{ interface_name }}
+{%       endfor %}
+{%     endif %}
+{%     if ifupdown__tpl_ipv6_gateways %}
+    gateway         {{ ifupdown__tpl_ipv6_gateways | first }}
+{%     endif %}
+{%     if interface.type == '6to4' and interface.local | d() %}
+    local           {{ interface.local }}
+{%     endif %}
+{%     if ((interface.inet is undefined or not interface.inet) and interface.dns_nameservers | d()) %}
+    dns-nameservers {{ (([ interface.dns_nameservers ]) if interface.dns_nameservers is string else interface.dns_nameservers) | join(' ') }}
+{%     endif %}
+{%     if ((interface.inet is undefined or not interface.inet) and interface.dns_search | d()) %}
+    dns-search      {{ (([ interface.dns_search ]) if interface.dns_search is string else interface.dns_search) | join(' ') }}
+{%     endif %}
+{%     if ((interface.inet is undefined or not interface.inet) and interface.options | d()) %}
+{{ interface.options | indent(4, true) }}
+{%     endif %}
+{%     if ((interface.inet is undefined or not interface.inet) and interface.add_options | d()) %}
+{{ interface.add_options | indent(4, true) }}
+{%     endif %}
+{%     if interface.options6 | d() %}
+{{ interface.options6 | indent(4, true) }}
+{%     endif %}
+{%     if interface.add_options6 | d() %}
+{{ interface.add_options6 | indent(4, true) }}
+{%     endif %}
+{%   endif %}
+{% elif interface.type | d('ether') in [ 'mapping' ] %}
+mapping {{ interface_name }}
+{%   if interface.script | d() %}
+    script {{ interface.script }}
+{%   endif %}
+{%   if interface.options | d() %}
+{{ interface.options | indent(4, true) }}
+{%   endif %}
+{%   if interface.add_options | d() %}
+{{ interface.add_options | indent(4, true) }}
+{%   endif %}
+{% endif %}
+{% if interface.debug | d() | bool %}
+
+{{ ("interface_name: " + (interface_name | to_nice_json)) | replace('\n$','') | comment(prefix='',postfix='') -}}
+{{ ("interface: " + (interface | to_nice_json)) | replace('\n$','') | comment(prefix='',postfix='') -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.j2
new file mode 100644
index 00000000..a1c807d1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/network/interfaces.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This file describes the network interfaces available on your system
+# # and how to activate them. For more information, see interfaces(5).
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# Read interface configuration from other files
+source /etc/network/interfaces.d/*
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/iface@.service.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/iface@.service.j2
new file mode 100644
index 00000000..4de38546
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/iface@.service.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_systemd_version = (ifupdown__register_systemd_version.stdout | d('215')) + '.0' %}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Bring network interface up for %i
+Documentation=man:interfaces(5) man:ifup(8)
+Documentation=https://bugs.debian.org/765000
+Documentation=https://bugs.debian.org/819314
+After=local-fs.target network-pre.target networking.service apparmor.service systemd-sysctl.service
+Before=network.target shutdown.target network-online.target
+Conflicts=shutdown.target
+After=sys-subsystem-net-devices-%i.device
+ConditionPathIsDirectory=/run/network
+DefaultDependencies=no
+IgnoreOnIsolate=yes
+
+[Service]
+{# https://bugs.debian.org/761909 #}
+{% if ansible_service_mgr == 'systemd' and ifupdown__tpl_systemd_version is version_compare('228.0', '>=') %}
+# avoid stopping on shutdown via stopping system-iface.slice
+Slice=system.slice
+{% endif %}
+ExecStart=/bin/sh -ec 'ifup --allow=boot %I; ifquery --state %I'
+ExecStop=/sbin/ifdown %I
+RemainAfterExit=true
+TimeoutStartSec=5min
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-allow-boot.service.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-allow-boot.service.j2
new file mode 100644
index 00000000..70b9963b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-allow-boot.service.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Bring up non-hotpluggable interfaces on boot
+Documentation=man:interfaces(5) man:ifup(8)
+Documentation=https://bugs.debian.org/765000
+Documentation=https://bugs.debian.org/819314
+DefaultDependencies=no
+Wants=network.target
+After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service networking.service
+Before=network.target shutdown.target network-online.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStartSec=2min
+ExecStart=/bin/sh -ec '\
+  for i in $(ifquery --list --exclude lo --allow boot); do INTERFACES="$INTERFACES$i "; done; \
+  [ -n "$INTERFACES" ] || exit 0; \
+  for i in $INTERFACES; do \
+  escaped_iface="$(systemd-escape "$i")"; \
+  logger -t ifup-allow-boot "Checking state of the $i interface" ; \
+  if ! ifquery --state $i > /dev/null && ! systemctl is-active iface@$${escaped_iface} > /dev/null 2>&1 ; then \
+  logger -t ifup-allow-boot "Interface $i is down, bringing it up" ; \
+  systemctl start iface@$${escaped_iface} ; sleep 0.5 ; \
+  while [ -e /run/network/ifup-$i.pid ] ; do sleep 0.5 ; \
+  logger -t ifup-allow-boot "Waiting for $i interface" ; done ; \
+  logger -t ifup-allow-boot "Interface $i is up" ; \
+  fi ; done'
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=network-online.target
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-wait-all-auto.service.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-wait-all-auto.service.j2
new file mode 100644
index 00000000..17a9dfa6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/etc/systemd/system/ifup-wait-all-auto.service.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Wait for all "auto" /etc/network/interfaces to be up for network-online.target
+Documentation=man:interfaces(5) man:ifup(8)
+Documentation=https://unix.stackexchange.com/a/217768
+DefaultDependencies=no
+Wants=network.target
+After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service networking.service
+Before=network.target shutdown.target network-online.target ifup-allow-boot.service
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStartSec=2min
+ExecStart=/bin/sh -ec '\
+  for i in $(ifquery --list --exclude lo --allow auto); do INTERFACES="$INTERFACES$i "; done; \
+  [ -n "$INTERFACES" ] || exit 0; \
+  while ! ifquery --state $INTERFACES >/dev/null; do sleep 1; done; \
+  for i in $INTERFACES; do while [ -e /run/network/ifup-$i.pid ]; do sleep 0.2; done; done'
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=network-online.target
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/import/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/import/debops__tpl_macros.j2
new file mode 100644
index 00000000..de4fc5c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/import/debops__tpl_macros.j2
@@ -0,0 +1,181 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be imported in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in templates which are called by {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be imported like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{# Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__combined_interfaces.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__combined_interfaces.j2
new file mode 100644
index 00000000..2a97ff50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__combined_interfaces.j2
@@ -0,0 +1,180 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+{% set ifupdown__tpl_merge_1 = (debops__tpl_macros.merge_dict(ifupdown__ethernet_interfaces, ifupdown__default_interfaces, 'iface') | from_yaml) %}
+{% set ifupdown__tpl_merge_2 = (debops__tpl_macros.merge_dict(ifupdown__tpl_merge_1, ifupdown__interfaces, 'iface')                 | from_yaml) %}
+{% set ifupdown__tpl_merge_3 = (debops__tpl_macros.merge_dict(ifupdown__tpl_merge_2, ifupdown__group_interfaces, 'iface')           | from_yaml) %}
+{% set ifupdown__tpl_merge_4 = (debops__tpl_macros.merge_dict(ifupdown__tpl_merge_3, ifupdown__host_interfaces, 'iface')            | from_yaml) %}
+{% set ifupdown__tpl_merge_5 = (debops__tpl_macros.merge_dict(ifupdown__tpl_merge_4, ifupdown__dependent_interfaces, 'iface')       | from_yaml) %}
+{% set ifupdown__tpl_filtered_interfaces = {} %}
+{% for name, params in ifupdown__tpl_merge_5.items() %}
+{%   set interface_name = (params.iface | d(name)) %}
+{%   if params.type is undefined %}
+{%     if (interface_name.startswith('vlan') or '.' in interface_name) %}
+{%       set _ = params.update({"type":"vlan"}) %}
+{%     elif interface_name.startswith(('en','eth')) %}
+{%       set _ = params.update({"type":"ether"}) %}
+{%     elif interface_name.startswith('sl') %}
+{%       set _ = params.update({"type":"slip"}) %}
+{%     elif interface_name.startswith('wl') %}
+{%       set _ = params.update({"type":"wlan"}) %}
+{%     elif interface_name.startswith('ww') %}
+{%       set _ = params.update({"type":"wwan"}) %}
+{%     elif interface_name.startswith('br') %}
+{%       set _ = params.update({"type":"bridge"}) %}
+{%     elif interface_name.startswith(('tap','tun','mesh','sit')) %}
+{%       set _ = params.update({"type":"tunnel"}) %}
+{%     elif interface_name.startswith('bond') %}
+{%       set _ = params.update({"type":"bonding"}) %}
+{%     elif interface_name.startswith('6to4') %}
+{%       set _ = params.update({"type":"6to4"}) %}
+{%     endif %}
+{%   elif params.type %}
+{%     if (interface_name.startswith('vlan') or '.' in interface_name) %}
+{%       set _ = params.update({"type":"vlan"}) %}
+{%     endif %}
+{%   endif %}
+{%   if params.type == 'ether' %}
+{%     if params.inet is undefined %}
+{%       set _ = params.update({"inet":"dhcp"}) %}
+{%     endif %}
+{%     if params.inet6 is undefined %}
+{%       set _ = params.update({"inet6":"auto"}) %}
+{%     endif %}
+{%     if params.auto is undefined %}
+{%       if ansible_service_mgr != 'systemd' %}
+{%         set _ = params.update({"auto":True}) %}
+{%       else %}
+{%         set _ = params.update({"auto":False}) %}
+{%       endif %}
+{%     endif %}
+{%     if params.allow is undefined %}
+{%       if (ansible_virtualization_role == 'guest' and ansible_virtualization_type in [ 'lxc', 'openvz' ]) %}
+{%         set _ = params.update({"allow":["boot"]}) %}
+{%       else %}
+{%         set _ = params.update({"allow":["hotplug"]}) %}
+{%       endif %}
+{%     endif %}
+{%   elif params.type == 'vlan' %}
+{%     if params.inet is undefined %}
+{%       set _ = params.update({"inet":"manual"}) %}
+{%     endif %}
+{%     if params.vlan_device is undefined and params.vlan_raw_device is undefined and '.' in interface_name %}
+{%       set _ = params.update({"vlan_raw_device": (interface_name.split('.') | first) }) %}
+{%     endif %}
+{%     if params.auto is undefined %}
+{%       if ansible_service_mgr != 'systemd' %}
+{%         set _ = params.update({"auto":True}) %}
+{%       else %}
+{%         set _ = params.update({"auto":False}) %}
+{%       endif %}
+{%     endif %}
+{%     if params.allow is undefined %}
+{%       set _ = params.update({"allow":["boot"]}) %}
+{%     endif %}
+{%   elif params.type == 'bridge' %}
+{%     if params.inet is undefined %}
+{%       set _ = params.update({"inet":"manual"}) %}
+{%     endif %}
+{%     if params.options is undefined and params.options4 is undefined and params.options6 is undefined %}
+{%       if params.bridge_ports is undefined %}
+{%         set _ = params.update({"bridge_ports":"none"}) %}
+{%       endif %}
+{%       if params.bridge_fd is undefined %}
+{%         set _ = params.update({"bridge_fd":"0"}) %}
+{%       endif %}
+{%       if params.bridge_maxwait is undefined %}
+{%         set _ = params.update({"bridge_maxwait":"0"}) %}
+{%       endif %}
+{%       if params.forward is undefined %}
+{%         set _ = params.update({"forward":True}) %}
+{%       endif %}
+{%       if params.auto is undefined %}
+{%         if ansible_service_mgr != 'systemd' %}
+{%           set _ = params.update({"auto":True}) %}
+{%         else %}
+{%           set _ = params.update({"auto":False}) %}
+{%         endif %}
+{%       endif %}
+{%       if params.allow is undefined %}
+{%         set _ = params.update({"allow":["boot"]}) %}
+{%       endif %}
+{%     endif %}
+{%   elif params.type == 'bonding' %}
+{%     if params.inet is undefined %}
+{%       set _ = params.update({"inet":"manual"}) %}
+{%     endif %}
+{%   elif params.type == '6to4' %}
+{%     if params.inet6 is undefined %}
+{%       set _ = params.update({"inet6":"6to4"}) %}
+{%     endif %}
+{%     if params.options is undefined and params.options6 is undefined and 'local' not in params.keys() %}
+{%       if ansible_default_ipv4.address | ansible.utils.ipv4('public') %}
+{%         set _ = params.update({"local":ansible_default_ipv4.address}) %}
+{%       else %}
+{%         set _ = params.update({"state":"absent"}) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{%   if params.auto is undefined and ((params.inet | d() and params.inet != 'manual') or (params.inet6 | d() and params.inet6 != 'manual')) %}
+{%     if ansible_service_mgr != 'systemd' %}
+{%       set _ = params.update({"auto":True}) %}
+{%     else %}
+{%       set _ = params.update({"auto":False}) %}
+{%     endif %}
+{%   endif %}
+{%   if params.allow is undefined and ((params.inet | d() and params.inet != 'manual') or (params.inet6 | d() and params.inet6 != 'manual')) %}
+{%     set _ = params.update({"allow":["boot"]}) %}
+{%   endif %}
+{%   set _ = ifupdown__tpl_filtered_interfaces.update({interface_name:params}) %}
+{% endfor %}
+{% set ifupdown__tpl_vlan_filtered_interfaces = {} %}
+{% for name, params in ifupdown__tpl_filtered_interfaces.items() %}
+{%   set interface_name = (params.iface | d(name)) %}
+{%   if params.type == 'vlan' and params.weight_class is undefined %}
+{%     if params.vlan_raw_device | d() %}
+{%       if params.vlan_raw_device.startswith(('en','eth')) %}
+{%         set _ = params.update({"weight_class":"ether"}) %}
+{%       elif params.vlan_raw_device.startswith('sl') %}
+{%         set _ = params.update({"weight_class":"slip"}) %}
+{%       elif params.vlan_raw_device.startswith('wl') %}
+{%         set _ = params.update({"weight_class":"wlan"}) %}
+{%       elif params.vlan_raw_device.startswith('ww') %}
+{%         set _ = params.update({"weight_class":"wwan"}) %}
+{%       elif params.vlan_raw_device.startswith('br') %}
+{%         set _ = params.update({"weight_class":"bridge"}) %}
+{%       elif params.vlan_raw_device.startswith(('tap','tun','mesh','sit')) %}
+{%         set _ = params.update({"weight_class":"tunnel"}) %}
+{%       elif params.vlan_raw_device.startswith('bond') %}
+{%         set _ = params.update({"weight_class":"bonding"}) %}
+{%       elif params.vlan_raw_device.startswith('6to4') %}
+{%         set _ = params.update({"weight_class":"6to4"}) %}
+{%       endif %}
+{%       set _ = params.update({"weight": "5"}) %}
+{%     elif params.vlan_device | d() %}
+{%       if params.vlan_device.startswith(('en','eth')) %}
+{%         set _ = params.update({"weight_class":"ether"}) %}
+{%       elif params.vlan_device.startswith('sl') %}
+{%         set _ = params.update({"weight_class":"slip"}) %}
+{%       elif params.vlan_device.startswith('wl') %}
+{%         set _ = params.update({"weight_class":"wlan"}) %}
+{%       elif params.vlan_device.startswith('ww') %}
+{%         set _ = params.update({"weight_class":"wwan"}) %}
+{%       elif params.vlan_device.startswith('br') %}
+{%         set _ = params.update({"weight_class":"bridge"}) %}
+{%       elif params.vlan_device.startswith(('tap','tun','mesh','sit')) %}
+{%         set _ = params.update({"weight_class":"tunnel"}) %}
+{%       elif params.vlan_device.startswith('bond') %}
+{%         set _ = params.update({"weight_class":"bonding"}) %}
+{%       elif params.vlan_device.startswith('6to4') %}
+{%         set _ = params.update({"weight_class":"6to4"}) %}
+{%       endif %}
+{%       set _ = params.update({"weight": "5"}) %}
+{%     endif %}
+{%   endif %}
+{%   set _ = ifupdown__tpl_vlan_filtered_interfaces.update({interface_name:params}) %}
+{% endfor %}
+{{ ifupdown__tpl_vlan_filtered_interfaces | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__dynamic_packages.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__dynamic_packages.j2
new file mode 100644
index 00000000..e83e611e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__dynamic_packages.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_packages = [] %}
+{% if ifupdown__combined_interfaces | d() %}
+{%   for interface, params in ifupdown__combined_interfaces.items() %}
+{%     if (params.state | d('present') == 'present' and params.type | d()) %}
+{%       if params.type == 'bridge' %}
+{%         set _ = ifupdown__tpl_packages.append('bridge-utils') %}
+{%       elif params.type == 'vlan' %}
+{%         set _ = ifupdown__tpl_packages.append('vlan') %}
+{%       elif params.type == 'bonding' %}
+{%         set _ = ifupdown__tpl_packages.append('ifenslave') %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ ifupdown__tpl_packages | unique | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ethernet_interfaces.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ethernet_interfaces.j2
new file mode 100644
index 00000000..1a01dfea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ethernet_interfaces.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_interfaces = {} %}
+{% for interface in ansible_interfaces | sort %}
+{%   set ifupdown__tpl_interface = {} %}
+{%   if interface.startswith(('en', 'eth')) %}
+{%     if hostvars[inventory_hostname]["ansible_" + (interface | replace("-", "_"))].type | d() %}
+{%       set _ = ifupdown__tpl_interface.update({
+  "type": hostvars[inventory_hostname]["ansible_" + (interface | replace("-", "_"))]["type"]
+}) %}
+{%       set _ = ifupdown__tpl_interfaces.update({ interface: ifupdown__tpl_interface }) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ ifupdown__tpl_interfaces | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__external_interface.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__external_interface.j2
new file mode 100644
index 00000000..2163a3e6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__external_interface.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_external_interface = '' %}
+{% if ansible_default_ipv4.type == 'bridge' %}
+{%   set ifupdown__tpl_external_interface = hostvars[inventory_hostname]["ansible_" + (ansible_default_ipv4.interface | replace("-", "_"))]["interfaces"][0] %}
+{% elif ansible_default_ipv4.type == 'ether' %}
+{%   set ifupdown__tpl_external_interface = ansible_default_ipv4.interface %}
+{% endif %}
+{{ ifupdown__tpl_external_interface | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ferm__dependent_rules.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ferm__dependent_rules.j2
new file mode 100644
index 00000000..4c1e4c7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__ferm__dependent_rules.j2
@@ -0,0 +1,72 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_ferm__dependent_rules = [] %}
+{% if ifupdown__combined_interfaces %}
+{%   for interface, params in ifupdown__combined_interfaces.items() %}
+{%     set interface_name = (params.iface | d(interface)) %}
+{%     if params.state | d('present') in [ 'present', 'absent' ] %}
+{%       set ifupdown__tpl_forward_rules = '' %}
+{%       set ifupdown__tpl_nat_rules = [] %}
+{%       if params.forward | d() | bool %}
+{%         set ifupdown__tpl_forward_rules = (['domain $domains table filter chain FORWARD {']
+             + (['    interface ' + interface_name + ' ' + params.forward_interface_ferm_rule | d("ACCEPT") + ";"]
+                if params.forward_interface_ferm_rule_enabled | d(True) | bool
+                else [])
+             + (['    outerface ' + interface_name + ' ' + params.forward_outerface_ferm_rule | d("ACCEPT") + ";"]
+                if params.forward_outerface_ferm_rule_enabled | d(True) | bool
+                else [])
+             + ['}']) | join("\n")
+%}
+{%       endif %}
+{%       if params.inet | d() and params.nat | d() | bool %}
+{%         set ifupdown__tpl_ipv4_addresses = [] %}
+{%         if params.address | d() %}
+{%           for element in ([ params.address ] if params.address is string else params.address) %}
+{%             if element | ansible.utils.ipv4('host/prefix') %}
+{%               set _ = ifupdown__tpl_ipv4_addresses.append(element) %}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%         if params.addresses | d() %}
+{%           for element in ([ params.addresses ] if params.addresses is string else params.addresses) %}
+{%             if element | ansible.utils.ipv4('host/prefix') %}
+{%               set _ = ifupdown__tpl_ipv4_addresses.append(element) %}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%         if not ifupdown__tpl_ipv4_addresses %}
+{%           if hostvars[inventory_hostname]["ansible_" + (interface_name | replace("-","_"))] | d() and hostvars[inventory_hostname]["ansible_" + (interface_name | replace("-", "_"))].ipv4 | d() %}
+{%             set ifupdown__tpl_subnet = (hostvars[inventory_hostname]["ansible_" + (interface_name | replace("-", "_"))]["ipv4"].address + "/" + hostvars[inventory_hostname]["ansible_" + (interface_name | replace("-", "_"))]["ipv4"].netmask) %}
+{%             set _ = ifupdown__tpl_ipv4_addresses.append(ifupdown__tpl_subnet) %}
+{%           endif %}
+{%         endif %}
+{%         for network in ifupdown__tpl_ipv4_addresses %}
+{%           set _ = ifupdown__tpl_nat_rules.append('
+
+@if $ipv4_enabled {
+    domain ip table nat chain POSTROUTING {
+        source ' + (network | ansible.utils.ipaddr('network')) + '/' + (network | ansible.utils.ipaddr('netmask')) + ' destination 224.0.0.0/255.255.255.0 RETURN;
+        source ' + (network | ansible.utils.ipaddr('network')) + '/' + (network | ansible.utils.ipaddr('netmask')) + ' destination 255.255.255.255 RETURN;
+        destination ' + (network | ansible.utils.ipaddr('network')) + '/' + (network | ansible.utils.ipaddr('netmask')) + ' RETURN;
+        source ' + (network | ansible.utils.ipaddr('network')) + '/' + (network | ansible.utils.ipaddr('netmask')) + (' MASQUERADE' if ((params.nat_masquerade | d(ifupdown__default_nat_masquerade)) | bool) else ' SNAT to ' + (params.nat_snat_address if (params.nat_snat_address | d() and params.nat_snat_address | ansible.utils.ipv4('address')) else (hostvars[inventory_hostname]["ansible_" + params.nat_snat_interface]["ipv4"].address if params.nat_snat_interface | d() else ansible_default_ipv4.address))) + ';
+    }
+}') %}
+{%         endfor %}
+{%       endif %}
+{%       if ifupdown__tpl_forward_rules %}
+{%         set ifupdown__tpl_firewall_rule = {
+"type":"custom",
+"weight":"50",
+"by_role":"debops.ifupdown",
+"rule_state":("present" if params.state | d('present') == 'present' else "absent"),
+"name":"forward_bridge_" + interface_name,
+"rules":(ifupdown__tpl_forward_rules + (ifupdown__tpl_nat_rules | join('')))} %}
+{%         set _ = ifupdown__tpl_ferm__dependent_rules.append(ifupdown__tpl_firewall_rule) %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ ifupdown__tpl_ferm__dependent_rules | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__internal_interface.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__internal_interface.j2
new file mode 100644
index 00000000..7cd6e615
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__internal_interface.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_external_interface = ifupdown__external_interface %}
+{% set ifupdown__tpl_internal_interface = [] %}
+{% for interface in (ansible_interfaces | sort) %}
+{%   if hostvars[inventory_hostname]["ansible_" + (interface | replace("-", "_"))].type | d() %}
+{%     if (hostvars[inventory_hostname]["ansible_" + (interface | replace("-", "_"))]["type"] == 'ether' and
+           hostvars[inventory_hostname]["ansible_" + (interface | replace("-", "_"))].module is defined and
+           interface != ifupdown__tpl_external_interface) %}
+{%       set _ = ifupdown__tpl_internal_interface.append(interface) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% if ifupdown__tpl_internal_interface %}
+{{ ifupdown__tpl_internal_interface | first | to_yaml }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__kmod__dependent_load.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__kmod__dependent_load.j2
new file mode 100644
index 00000000..365b339c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__kmod__dependent_load.j2
@@ -0,0 +1,45 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_packages = [] %}
+{% if ifupdown__combined_interfaces | d() %}
+{%   for interface, params in ifupdown__combined_interfaces.items() %}
+{%     if (params.state | d('present') == 'present' and params.type | d()) %}
+{%       if params.type == 'bonding' %}
+{%         set _ = ifupdown__tpl_packages.append('ifenslave') %}
+{%       elif params.type == 'bridge' %}
+{%         set _ = ifupdown__tpl_packages.append('bridge-utils') %}
+{%       elif params.type == 'vlan' %}
+{%         set _ = ifupdown__tpl_packages.append('vlan') %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set ifupdown__tpl_kmod__dependent_load = [] %}
+{% if 'ifenslave' in ifupdown__tpl_packages or 'ifenslave-2.6' in ifupdown__tpl_packages %}
+{%   set _ = ifupdown__tpl_kmod__dependent_load.append({
+  'name': 'bonding',
+  'comment': 'Load the bonding module for network interface bond configuration',
+  'filename': 'ifupdown-bonding.conf',
+  'state': 'present'
+}) %}
+{% endif %}
+{% if 'bridge-utils' in ifupdown__tpl_packages %}
+{%   set _ = ifupdown__tpl_kmod__dependent_load.append({
+  'name': 'bridge',
+  'comment': 'Load the bridge module for network interface bridge configuration',
+  'filename': 'ifupdown-bridge.conf',
+  'state': 'present'
+}) %}
+{% endif %}
+{% if 'vlan' in ifupdown__tpl_packages %}
+{%   set _ = ifupdown__tpl_kmod__dependent_load.append({
+  'name': '8021q',
+  'comment': 'Load the 8021q module for VLAN configuration',
+  'filename': 'ifupdown-vlan.conf',
+  'state': 'present'
+}) %}
+{% endif %}
+{{ ifupdown__tpl_kmod__dependent_load | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__sysctl__dependent_parameters.j2 b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__sysctl__dependent_parameters.j2
new file mode 100644
index 00000000..a84aeeac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ifupdown/templates/lookup/ifupdown__sysctl__dependent_parameters.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ifupdown__tpl_sysctl__dependent_parameters = [] %}
+{% if ifupdown__combined_interfaces %}
+{%   for interface, params in ifupdown__combined_interfaces.items() %}
+{%     set interface_name = (params.iface | d(interface)) %}
+{%     if params.state | d('present') in [ 'present', 'absent' ] %}
+{%       set ifupdown__tpl_forwarding_parameters = [] %}
+{%       if params.forward is defined %}
+{%         set _ = ifupdown__tpl_forwarding_parameters.append({
+  "name": ("net.ipv6.conf." + interface_name + ".forwarding"),
+  "value": (params.forward_ipv6 | d(params.forward)) | bool,
+  "comment": ((params.forward_ipv6 | d(params.forward)) | ternary("Enable", "Disable") + " IPv6 forwarding on the " + interface_name + " interface"),
+  "state": "present"
+}) %}
+{%         if params.accept_ra | d() %}
+{%           set ra_preference_comment = {
+  0: ("Do not accept SLAAC Router Advertisements on the " + interface_name + " interface"),
+  1: ("Accept SLAAC Router Advertisements on the " + interface_name + " interface when forwarding is disabled"),
+  2: ("Accept SLAAC Router Advertisements on the " + interface_name + " interface even if forwarding is enabled")
+} %}
+{%           set _ = ifupdown__tpl_forwarding_parameters.append({
+  "name": ("net.ipv6.conf." + interface_name + ".accept_ra"),
+  "value": params.accept_ra,
+  "comment": ra_preference_comment[params.accept_ra | int],
+  "state": "present"
+}) %}
+{%         endif %}
+{%         set _ = ifupdown__tpl_forwarding_parameters.append({
+  "name": ("net.ipv4.conf." + interface_name + ".forwarding"),
+  "value": (params.forward_ipv4 | d(params.forward)) | bool,
+  "comment": ((params.forward_ipv4 | d(params.forward)) | ternary("Enable", "Disable") + " IPv4 forwarding on the " + interface_name + " interface"),
+  "state": "present"
+}) %}
+{%       endif %}
+{%       set ifupdown__tpl_sysctl_config = {
+  "name": ("ifupdown_" + interface_name + "_forwarding"),
+  "weight": 50,
+  "comment":"Configuration generated by the 'debops.ifupdown' Ansible role",
+  "state": ("present" if (params.state | d('present') == 'present' and ifupdown__tpl_forwarding_parameters) else "absent"),
+  "options": ifupdown__tpl_forwarding_parameters
+} %}
+{%       set _ = ifupdown__tpl_sysctl__dependent_parameters.append(ifupdown__tpl_sysctl_config) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ ifupdown__tpl_sysctl__dependent_parameters | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/imapproxy/COPYRIGHT b/ansible_collections/debops/debops/roles/imapproxy/COPYRIGHT
new file mode 100644
index 00000000..682c8e0f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.imapproxy - Manage imapproxy with Ansible
+
+Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+Copyright (C) 2021 DebOps <https://debops.org/>
+Based on the roundcube role which is:
+Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/imapproxy/defaults/main.yml b/ansible_collections/debops/debops/roles/imapproxy/defaults/main.yml
new file mode 100644
index 00000000..713d9056
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/defaults/main.yml
@@ -0,0 +1,547 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _imapproxy__ref_defaults:
+
+# debops.imapproxy default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: imapproxy__packages [[[
+#
+# List of additional APT packages that should be installed with imapproxy.
+imapproxy__packages: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__base_packages__base_packages [[[
+#
+# APT packages required for the imapproxy installation.
+imapproxy__base_packages: [ 'imapproxy' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: imapproxy__domain [[[
+#
+# The DNS domain of the imapproxy installation. Only used for DNS lookups
+# to set default values for connection variables.
+imapproxy__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__imap_srv_rr [[[
+#
+# List which contains the result of the DNS query for IMAP server ``SRV``
+# resource records in the host's domain. See :rfc:`6186` for details.
+imapproxy__imap_srv_rr: '{{ q("dig_srv", "_imap._tcp." + imapproxy__domain,
+                              "imap." + imapproxy__domain, 143) }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__imaps_srv_rr [[[
+#
+# List which contains the result of the DNS query for IMAPS server ``SRV``
+# resource records in the host's domain. See :rfc:`6186` for details.
+imapproxy__imaps_srv_rr: '{{ q("dig_srv", "_imaps._tcp." + imapproxy__domain,
+                               "imap." + imapproxy__domain, 993) }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__imap_fqdn [[[
+#
+# The FQDN address of the IMAP server which stores user mailboxes. The role
+# first checks if a local Dovecot installation is present and, if so, uses the
+# host FQDN. Next, the role uses DNS SRV resource records to try to find an
+# IMAP server. Finally, ``imap.<domain>`` is used as a fallback.
+#
+# The use of the FQDN instead of ``localhost`` is required for X.509
+# certificate verification.
+imapproxy__imap_fqdn: '{{ ansible_fqdn
+                          if (ansible_local | d() and ansible_local.dovecot | d() and
+                             (ansible_local.dovecot.installed | d()) | bool)
+                          else imapproxy__imap_srv_rr[0]["target"]
+                              if imapproxy__imap_srv_rr[0]["dig_srv_src"] | d("") != "fallback"
+                              else imapproxy__imaps_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__imap_port [[[
+#
+# TCP port used for connecting to the IMAP server.
+imapproxy__imap_port: '{{ "143"
+                          if (imapproxy__imap_fqdn == ansible_fqdn)
+                          else imapproxy__imap_srv_rr[0]["port"]
+                              if imapproxy__imap_srv_rr[0]["dig_srv_src"] | d("") != "fallback"
+                              else imapproxy__imaps_srv_rr[0]["port"] }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__listen_address [[[
+#
+# The address on which imapproxy should listen for incoming connections,
+# defaults to ``localhost`` for use with local webmail installations.
+# If this is changed, please review the firewall variables to avoid
+# security issues.
+imapproxy__listen_address: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__listen_port [[[
+#
+# The port on which imapproxy should listen for incoming connections,
+# defaults to ``1143`` for use with local webmail installations.
+imapproxy__listen_port: '1143'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to
+# imapproxy over the network, on all hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`imapproxy__ferm__dependent_rules` variable directly.
+imapproxy__allow: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to
+# imapproxy over the network, on hosts in the specific Ansible
+# inventory group. This variable configures the firewall for all instances at
+# the same time, for individual instance configuration you should modify the
+# :envvar:`imapproxy__ferm__dependent_rules` variable directly.
+imapproxy__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to
+# imapproxy over the network, on specific hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`imapproxy__ferm__dependent_rules` variable directly.
+imapproxy__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI / TLS configuration [[[
+# ---------------------------
+
+# These variables configure the ``TLS`` support in :command:`imapproxy`.
+# Note that this should only be necessary if :command:`imapproxy` is not
+# installed on the same host as the ``IMAP`` server (e.g. the one managed
+# by the :ref:`debops.dovecot` role). Also not that ``SSL`` is **NOT**
+# supported out of the box by :command:`imapproxy`, see
+# :file:`/usr/share/doc/imapproxy/README.ssl` for more details.
+
+# .. envvar:: imapproxy__pki [[[
+#
+# Enable or disable support for TLS in imapproxy, managed by the
+# :ref:`debops.pki` Ansible role.
+imapproxy__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_path [[[
+#
+# Absolute path to the directory where PKI realms are located.
+imapproxy__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_realm [[[
+#
+# Name of the default PKI realm used by imapproxy.
+imapproxy__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_ca [[[
+#
+# Name of the Root Certificate Authority certificate file used by imapproxy,
+# relative to the PKI realm directory.
+imapproxy__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_crt [[[
+#
+# Name of the certificate file used by imapproxy, relative to the PKI realm
+# directory.
+imapproxy__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_key [[[
+#
+# Name of the private key file used by imapproxy, relative to the PKI realm
+# directory.
+imapproxy__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__tls_ca_path [[[
+#
+# Absolute path of the directory holding the Root Certificate Authority
+# certificate file used in the imapproxy configuration.
+imapproxy__tls_ca_path: '/etc/ssl/certs'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__tls_ca_file [[[
+#
+# Absolute path of the Root Certificate Authority certificate file used in the
+# imapproxy configuration.
+imapproxy__tls_ca_file: '{{ imapproxy__tls_ca_path + "/ca-certificates.crt" }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__tls_cert_file [[[
+#
+# Absolute path of the certificate file used in the imapproxy configuration.
+imapproxy__tls_cert_file: '{{ (imapproxy__pki_path + "/" + imapproxy__pki_realm + "/" + imapproxy__pki_crt)
+                            if imapproxy__pki | bool else "/etc/ssl/certs/ssl-cert-snakeoil.pem" }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__tls_key_file [[[
+#
+# Absolute path of the private key file used in the imapproxy configuration.
+imapproxy__tls_key_file: '{{ (imapproxy__pki_path + "/" + imapproxy__pki_realm + "/" + imapproxy__pki_key)
+                           if imapproxy__pki | bool else "/etc/ssl/private/ssl-cert-snakeoil.key" }}'
+                                                                   # ]]]
+# .. envvar:: imapproxy__tls_force [[[
+#
+# Imapproxy can autodetect whether to use ``STARTTLS`` by checking if the
+# remote server advertises the ``LOGIN`` capability. A correctly configured
+# IMAP server should not advertise this capability over remote connections.
+imapproxy__tls_force: '{{ "no" if (imapproxy__imap_fqdn == ansible_fqdn or
+                                   not imapproxy_pki | d(True))
+                          else "yes" }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_hook_name [[[
+#
+# Name of the hook script which will be stored in hook directory.
+imapproxy__pki_hook_name: 'imapproxy'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_hook_path [[[
+#
+# Directory with PKI hooks.
+imapproxy__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__pki_hook_action [[[
+#
+# Specify how changes in PKI should affect imapproxy, only 'restart' is
+# supported.
+imapproxy__pki_hook_action: 'restart'
+                                                                   # ]]]
+                                                                   # ]]]
+# Imapproxy custom configuration [[[
+# ----------------------------------
+
+# These variables define the contents of the :file:`/etc/imapproxy.conf`
+# configuration file.
+
+# .. envvar:: imapproxy__default_configuration [[[
+#
+# The default :command:`imapproxy` configuration options defined by the role.
+imapproxy__default_configuration:
+
+  - name: 'server_hostname'
+    comment: |
+      This setting controls which IMAP server we proxy our connections to.
+    value: '{{ imapproxy__imap_fqdn }}'
+
+  - name: 'server_port'
+    comment: |
+      This setting specifies the port that server_hostname is listening on.
+      This is the TCP port that we proxy inbound connections to.
+
+      The original config file contains this note:
+      If you are using SSL with IMAP Proxy, note that unless the server is
+      highly non-standard, this should still be set to the server's normal,
+      unencrypted IMAP port and should NOT be set to port 993, since IMAP
+      Proxy uses STARTTLS to encrypt a "normal" IMAP connection.
+
+      But note that there is nothing "non-standard" about only supporting
+      IMAPS over 993 (see RFC8314).
+
+      If the server is only available via (encrypted) port 993, please
+      consult the README.ssl file for help.
+    value: '{{ imapproxy__imap_port }}'
+
+  - name: 'listen_address'
+    comment: |
+      This setting specifies which address the proxy server will bind to and
+      accept incoming connections to.  If undefined, bind to all.
+      Must be a dotted decimal IP address.
+    value: '{{ imapproxy__listen_address }}'
+
+  - name: 'listen_port'
+    comment: |
+      This setting specifies which port the proxy server will bind to and
+      accept incoming connections from.
+    value: '{{ imapproxy__listen_port }}'
+
+  - name: 'connect_retries'
+    comment: |
+      This setting controls how many times we retry connecting to our server.
+    value: '10'
+
+  - name: 'connect_delay'
+    comment: |
+      This setting controls the delay between retries in seconds.
+    value: '5'
+
+  - name: 'cache_size'
+    comment: |
+      This setting determines how many in-core IMAP connection structures
+      will be allocated.  As such, it determines not only how many cached
+      connections will be allowed, but really the total number of simultaneous
+      connections, cached and active.
+    value: '3072'
+
+  - name: 'cache_expiration_time'
+    comment: |
+      This setting controls how many seconds an inactive connection will be
+      cached.
+    value: '300'
+
+  - name: 'proc_username'
+    comment: |
+      This setting controls which username the IMAP proxy process will run as.
+      It is not allowed to run as "root".
+    value: 'nobody'
+
+  - name: 'proc_groupname'
+    comment: |
+      This setting controls which groupname the IMAP proxy process will run as.
+    value: 'nogroup'
+
+  - name: 'stat_filename'
+    comment: |
+      This is the path to the filename that the proxy server mmap()s to
+      write statistical data to.  This is the file that pimpstat needs to
+      look at to be able to provide its useful stats.
+    value: '/var/run/pimpstats'
+
+  - name: 'protocol_log_filename'
+    comment: |
+      protocol logging may only be turned on for one user at a time.  All
+      protocol logging data is written to the file specified by this path.
+    value: '/dev/null'
+
+  - name: 'syslog_facility'
+    comment: |
+      The logging facility to be used for all syslog calls.  If nothing is
+      specified here, it will default to LOG_MAIL.  Any of the possible
+      facilities listed in the syslog(3) manpage may be used here except
+      LOG_KERN.
+    value: 'LOG_MAIL'
+
+  - name: 'syslog_prioritymask'
+    comment: |
+      This configuration option is provided as a way to limit the verbosity
+      of imapproxy.  If no value is specified, it will default to no priority
+      mask and you'll see all possible log messages.  Any of the possible
+      priority values listed in the syslog(3) manpage may be used here.  By
+      default, you will see all possible log messages.
+    value: 'LOG_WARNING'
+
+  - name: 'send_tcp_keepalives'
+    comment: |
+      This determines whether the SO_KEEPALIVE option will be set on all
+      sockets.
+    value: 'no'
+
+  - name: 'enable_select_cache'
+    comment: |
+      This configuration option allows you to turn select caching on or off.
+      When select caching is enabled, imapproxy will cache SELECT responses
+      from an IMAP server.
+    value: 'no'
+
+  - name: 'foreground_mode'
+    comment: |
+      This will prevent imapproxy from detaching from its parent process and
+      controlling terminal on startup.
+    value: 'no'
+
+  - name: 'force_tls'
+    comment: |
+      Force imapproxy to use STARTTLS even if LOGIN is not disabled (unsecured
+      connections will not be used).
+    value: '{{ imapproxy__tls_force }}'
+
+  - name: 'chroot_directory'
+    comment: |
+      This allows imapproxy to run in a chroot jail if desired.
+      If commented out, imapproxy will not run chroot()ed.  If a directory is
+      specified here, imapproxy will chroot() to that directory.
+    value: '/var/lib/imapproxy/chroot'
+
+  - name: 'preauth_command'
+    comment: |
+      Arbitrary command that can be sent to the server before
+      authenticating users.  This can be useful to access non-
+      standard IMAP servers such as Yahoo!, which requires
+      (required?) the following command to be sent before
+      authentication is allowed:
+         ID ("GUID" "1")
+      (See: http://en.wikipedia.org/wiki/Yahoo!_Mail&oldid=447046431#Free_IMAP_and_SMTPs_access )
+      To use such a command, this setting should look like this:
+         preauth_command ID ("GUID" "1")
+      No matter what this command is, it is expected to return an
+      OK response
+    value: ''
+    state: 'comment'
+
+  - name: 'enable_admin_commands'
+    comment: |
+      Used to enable or disable the internal imapproxy administrative commands.
+    value: 'no'
+
+  - name: 'tls_ca_path'
+    comment: |
+      TLS configuration options
+    value: '{{ imapproxy__tls_ca_path }}'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_ca_file'
+    value: '{{ imapproxy__tls_ca_file }}'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_cert_file'
+    value: '{{ imapproxy__tls_cert_file }}'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_key_file'
+    value: '{{ imapproxy__tls_key_file }}'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_verify_server'
+    value: 'yes'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_ciphers'
+    value: 'ALL:!aNULL:!eNULL'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_no_tlsv1'
+    comment: |
+      Set any of these to "yes" if the corresponding TLS version is not
+      sufficiently secure for your needs.
+    value: 'yes'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_no_tlsv1.1'
+    value: 'yes'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'tls_no_tlsv1.2'
+    value: 'no'
+    state: '{{ "present" if imapproxy__pki | d(True) else "comment" }}'
+
+  - name: 'auth_sasl_plain_username'
+    comment: |
+      Authenticate using SASL AUTHENTICATE PLAIN
+
+      The following authentication username and password are used
+      along with the username from the client as the authorization
+      identity.  In order to avoid having the service wide open (no
+      password needed from the client), the client is required to
+      send the auth_shared_secret in leiu of a user password.
+
+      NOTE: This functionality *assumes* that the server supports
+            AUTHENTICATE PLAIN, and it does *not* verify this by
+            looking at the server's capabilities list.
+    value: ''
+    state: 'comment'
+
+  - name: 'auth_sasl_plain_password'
+    value: ''
+    state: 'comment'
+
+  - name: 'auth_shared_secret'
+    value: ''
+    state: 'comment'
+
+  - name: 'dns_rr'
+    comment: |
+      Use DNS round robin to cycle through all returned RRs we
+      got when looking up the IMAP server with getaddrinfo().
+      Default is no.
+    value: 'yes'
+    state: 'comment'
+
+  - name: 'ipversion_only'
+    comment: |
+      Limit DNS requests to AF_INET or AF_INET6
+
+      Set ipversion_only to 4 or 6 accordingly.
+      Default if unset is AF_UNSPEC for both A and AAAA.
+    value: '6'
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__configuration [[[
+#
+# The :command:`imapproxy` configuration options defined for all hosts in the
+# Ansible inventory.
+imapproxy__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__group_configuration [[[
+#
+# The :command:`imapproxy` configuration options defined for hosts in a
+# specific Ansible inventory group.
+imapproxy__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__host_configuration [[[
+#
+# The :command:`imapproxy` configuration options defined for a specific host
+# in the Ansible inventory.
+imapproxy__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__combined_configuration [[[
+#
+# The variable that combines other :command:`imapproxy` configuration options
+# and is used in the dovecot.conf template.
+imapproxy__combined_configuration: '{{ imapproxy__default_configuration
+                                        + imapproxy__configuration
+                                        + imapproxy__group_configuration
+                                        + imapproxy__host_configuration }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: imapproxy__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+imapproxy__etc_services__dependent_list:
+
+  - name: 'imapproxy'
+    port: '{{ imapproxy__listen_port }}'
+    comment: 'IMAP Proxy Server'
+    protocol: [ 'tcp' ]
+
+                                                                   # ]]]
+# .. envvar:: imapproxy__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+imapproxy__ferm__dependent_rules:
+
+  - name: 'imapproxy'
+    type: 'accept'
+    dport: [ 'imapproxy' ]
+    saddr: '{{ imapproxy__allow + imapproxy__group_allow + imapproxy__host_allow }}'
+    weight: '40'
+    accept_any: False
+    by_role: 'debops.imapproxy'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/imapproxy/meta/main.yml b/ansible_collections/debops/debops/roles/imapproxy/meta/main.yml
new file mode 100644
index 00000000..0ef45902
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'David Härdeman'
+  description: 'Manage imapproxy, used to speed up e.g. webmail clients'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - debops
+    - email
+    - mail
+    - imap
+    - web
diff --git a/ansible_collections/debops/debops/roles/imapproxy/tasks/main.yml b/ansible_collections/debops/debops/roles/imapproxy/tasks/main.yml
new file mode 100644
index 00000000..e928c3ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/tasks/main.yml
@@ -0,0 +1,78 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install imapproxy packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (imapproxy__base_packages
+                              + imapproxy__packages)) }}'
+    state: 'present'
+  register: imapproxy__register_packages
+  until: imapproxy__register_packages is succeeded
+  tags: [ 'role::imapproxy:pkg' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save imapproxy local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/imapproxy.fact.j2'
+    dest: '/etc/ansible/facts.d/imapproxy.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert original imapproxy configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/imapproxy.conf'
+  notify: [ 'Restart imapproxy' ]
+  tags: [ 'role::imapproxy:config' ]
+
+- name: Generate imapproxy configuration
+  ansible.builtin.template:
+    src: 'etc/imapproxy.conf.j2'
+    dest: '/etc/imapproxy.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart imapproxy' ]
+  tags: [ 'role::imapproxy:config' ]
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ imapproxy__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: imapproxy__pki | bool
+
+- name: Manage PKI imapproxy hook
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/imapproxy.j2'
+    dest: '{{ imapproxy__pki_hook_path + "/" + imapproxy__pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: imapproxy__pki | bool
+
+- name: Ensure the PKI imapproxy hook is absent
+  ansible.builtin.file:
+    path: '{{ imapproxy__pki_hook_path + "/" + imapproxy__pki_hook_name }}'
+    state: 'absent'
+  when: not (imapproxy__pki | bool)
diff --git a/ansible_collections/debops/debops/roles/imapproxy/templates/etc/ansible/facts.d/imapproxy.fact.j2 b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/ansible/facts.d/imapproxy.fact.j2
new file mode 100644
index 00000000..099540f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/ansible/facts.d/imapproxy.fact.j2
@@ -0,0 +1,67 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def get_value(input_line, key, output):
+    if input_line.startswith(key):
+        output[key] = input_line.split()[1].strip()
+
+
+output = {}
+
+output['installed'] = cmd_exists('imapproxyd')
+
+if output['installed']:
+    try:
+        imapproxy_version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "imapproxy"]).decode('utf-8').split('-')[0]
+        output['version'] = imapproxy_version_stdout
+
+    except Exception:
+        pass
+
+    try:
+        if os.path.isfile('/etc/imapproxy.conf'):
+            try:
+                with open('/etc/imapproxy.conf') as fh:
+                    for line in fh:
+                        get_value(line, 'server_hostname', output)
+                        get_value(line, 'server_port', output)
+                        get_value(line, 'listen_address', output)
+                        get_value(line, 'listen_port', output)
+                        get_value(line, 'force_tls', output)
+                        get_value(line, 'chroot_directory', output)
+                        get_value(line, 'enable_admin_commands', output)
+                        get_value(line, 'cache_expiration_time', output)
+                        get_value(line, 'cache_size', output)
+                        get_value(line, 'ipversion_only', output)
+
+            except Exception:
+                pass
+
+    except Exception:
+        pass
+
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/imapproxy/templates/etc/imapproxy.conf.j2 b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/imapproxy.conf.j2
new file mode 100644
index 00000000..99b0296a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/imapproxy.conf.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## imapproxy.conf
+##
+## {{ ansible_managed }}
+##
+## This is the global configuration file for imapproxy.
+## Lines beginning with a '#' sign are treated as comments and will be
+## ignored.  Each line to be processed must be a space delimited
+## keyword/value pair.
+##
+{% for item in imapproxy__combined_configuration | debops.debops.parse_kv_items() %}
+{%   if item.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if item.comment | d() %}
+
+#
+{{       item.comment | regex_replace('\n$', '') | comment(prefix='', decoration='## ', postfix='') -}}
+#
+{%     endif %}
+{%     if item.raw | d() %}
+{%       if item.state | d('present') == 'comment' %}
+{{         '{}'.format(item.raw | regex_replace('\n$', '')) | comment(prefix='', decoration='#', postfix='') -}}
+{%       else %}
+{{         '{}'.format(item.raw | regex_replace('\n$', '')) }}
+{%       endif %}
+{%     else %}
+{%       if item.state | d('present') == 'comment' %}
+{{         '{} {}'.format(item.option | d(item.name), item.value) | comment(prefix='', decoration='#', postfix='') -}}
+{%       else %}
+{{         '{} {}'.format(item.option | d(item.name), item.value) }}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/imapproxy/templates/etc/pki/hooks/imapproxy.j2 b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/pki/hooks/imapproxy.j2
new file mode 100644
index 00000000..386cf275
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/imapproxy/templates/etc/pki/hooks/imapproxy.j2
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Copyright (C)      2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2018-2021 DebOps <https://debops.org/>
+# Based on the postfix hook which is:
+# Copyright (C)      2020 Rainer Schuth <devel@reixd.net>
+# Copyright (C)      2018 Norbert Summer <git@o-g.at>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart imapproxy on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+imapproxy_config="/etc/imapproxy.conf"
+imapproxy_action="{{ imapproxy__pki_hook_action }}"
+imapproxy_service="imapproxy.service"
+
+# Check if current PKI realm is used by the 'imapproxy' server
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${imapproxy_config} || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                imapproxy_state="$(systemctl is-active ${imapproxy_service})"
+                if [ "${imapproxy_state}" = "active" ] ; then
+		    systemctl "${imapproxy_action}" "${imapproxy_service}"
+                fi
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/influxdata/COPYRIGHT b/ansible_collections/debops/debops/roles/influxdata/COPYRIGHT
new file mode 100644
index 00000000..ad6b9d24
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdata/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.influxdata - Configure InfluxData APT repositories
+
+Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/influxdata/defaults/main.yml b/ansible_collections/debops/debops/roles/influxdata/defaults/main.yml
new file mode 100644
index 00000000..fa613597
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdata/defaults/main.yml
@@ -0,0 +1,78 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+# .. Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _influxdata__ref_defaults:
+
+# debops.influxdata default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT repository configuration [[[
+# --------------------------------
+
+# .. envvar:: influxdata__key_id [[[
+#
+# The fingerprint of the APT repository GPG key to configure.
+# from: https://portal.influxdata.com/downloads/
+influxdata__key_id: '9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E'
+
+                                                                   # ]]]
+# .. envvar:: influxdata__repository [[[
+#
+# APT repository entry to configure for InfluxData repository.
+influxdata__repository: 'deb https://repos.influxdata.com/{{ ansible_distribution | lower }} stable main'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: influxdata__packages [[[
+#
+# List of InfluxData APT packages to install on all hosts in the Ansible
+# inventory.
+influxdata__packages: []
+
+                                                                   # ]]]
+# .. envvar:: influxd ata__group_packages [[[
+#
+# List of InfluxData APT packages to install on hosts in specific Ansible
+# inventory group.
+influxdata__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: influxdata__host_packages [[[
+#
+# List of InfluxData APT packages to install on specific hosts in the Ansible
+# inventory.
+influxdata__host_packages: []
+
+                                                                    # ]]]
+# .. envvar:: influxdata__dependent_packages [[[
+#
+# List of InfluxData APT packages requested for installation by other Ansible
+# roles through role dependent variables.
+influxdata__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: influxdata__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+influxdata__keyring__dependent_apt_keys:
+
+  - id: '{{ influxdata__key_id }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/influxdata/meta/main.yml b/ansible_collections/debops/debops/roles/influxdata/meta/main.yml
new file mode 100644
index 00000000..d29c242e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdata/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Patryk Ściborek'
+  description: 'Configure InfluxData APT repositories'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - search
+    - influxdb
+    - telegraf
+    - chronograf
+    - kapacitor
diff --git a/ansible_collections/debops/debops/roles/influxdata/tasks/main.yml b/ansible_collections/debops/debops/roles/influxdata/tasks/main.yml
new file mode 100644
index 00000000..6a03bc8a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdata/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure InfluxData APT repository
+  ansible.builtin.apt_repository:
+    repo: '{{ influxdata__repository }}'
+    state: 'present'
+    update_cache: True
+
+- name: Install InfluxData packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (influxdata__packages
+                              + influxdata__group_packages
+                              + influxdata__host_packages
+                              + influxdata__dependent_packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: influxdata__register_install
+  until: influxdata__register_install is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save InfluxData local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/influxdata.fact.j2'
+    dest: '/etc/ansible/facts.d/influxdata.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/influxdata/templates/etc/ansible/facts.d/influxdata.fact.j2 b/ansible_collections/debops/debops/roles/influxdata/templates/etc/ansible/facts.d/influxdata.fact.j2
new file mode 100644
index 00000000..d76df328
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdata/templates/etc/ansible/facts.d/influxdata.fact.j2
@@ -0,0 +1,51 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Patryk Ściborek <patryk@sciborek.com>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = loads('''{{ ({
+    "configured": true
+}) | to_nice_json }}''')
+
+# List of InfluxData APT packages recognized by this fact
+package_list = [
+  'chronograf',
+  'kapacitor',
+  'telegraf',
+  'influxdb',
+]
+
+
+def dpkg_query(packages):
+
+    command = ['dpkg-query', '--show',
+               '--showformat="${Package}": "${Version}",\n'] + packages
+
+    FNULL = open('/dev/null', 'w')
+    proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=FNULL)
+    (stdoutdata, _) = proc.communicate()
+
+    stdout_clean = stdoutdata.strip()
+    stdout_last = stdout_clean.decode('utf-8').rstrip(',')
+    stdout_wrap = '{\n' + stdout_last + '\n}'
+
+    proc_output = loads(str(stdout_wrap))
+    return proc_output
+
+
+package_version = dpkg_query(package_list)
+output.update({"packages": package_version})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/influxdb/COPYRIGHT b/ansible_collections/debops/debops/roles/influxdb/COPYRIGHT
new file mode 100644
index 00000000..835f4b88
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.influxdb_server - Manage InfluxDB service using Ansible
+
+Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/influxdb/defaults/main.yml b/ansible_collections/debops/debops/roles/influxdb/defaults/main.yml
new file mode 100644
index 00000000..c0a78df4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/defaults/main.yml
@@ -0,0 +1,136 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# .. Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# .. Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _influxdb__ref_defaults:
+
+# debops.influxdb default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# InfluxDB server configuration [[[
+# ---------------------------------
+
+# .. envvar:: influxdb__server [[[
+#
+# FQDN hostname of the InfluxDB server. If a local InfluxDB server is detected, it
+# will override this variable automatically. Only one server at a time is
+# currently supported per host. DNS name is required because this access is via a
+# HTTP(S) API
+influxdb__server: ''
+
+                                                                   # ]]]
+# .. envvar:: influxdb__port [[[
+#
+# Port number on which to connect to the server. You usually don't need to
+# change this.
+influxdb__port: '8086'
+
+                                                                   # ]]]
+# .. envvar:: influxdb__delegate_to [[[
+#
+# When the InfluxDB server is used remotely, this variable allows to control
+# the task delegation to the database server. Defaults to `inventory_hostname`,
+# the calls to the API are done from the host where runs `influxdb` playbook.
+influxdb__delegate_to: '{{ inventory_hostname }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL configuration [[[
+# ---------------------
+
+# .. envvar:: influxdb__pki [[[
+#
+# Enable or disable support for SSL in InfluxDB (using :ref:`debops.pki`).
+influxdb__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Databases, user accounts [[[
+# ----------------------------
+
+# .. envvar:: influxdb__password_length [[[
+#
+# Length of automatically generated user accounts, saved in the ``secret/``
+# directory. See :ref:`debops.secret` role for more details about passwords.
+influxdb__password_length: '48'
+
+                                                                   # ]]]
+# .. envvar:: influxdb__root_password [[[
+#
+# Password for default root admin user.
+influxdb__root_password: '{{ lookup("password",
+                             secret + "/influxdb/" + influxdb__server +
+                             "/credentials/root/password " +
+                             "length=" + influxdb__password_length) }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb__databases [[[
+#
+# List of databases configured on the InfluxDB server. See
+# :ref:`influxdb__databases` for more details.
+influxdb__databases: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb__dependent_databases [[[
+#
+# List of databases configured on the InfluxDB server, defined by another
+# Ansible role.
+influxdb__dependent_databases: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb__retention_policies [[[
+#
+# List of retention policies configured on the InfluxDB server. See
+# :ref:`influxdb__retention_policies` for more details.
+influxdb__retention_policies: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb__dependent_retention_policies [[[
+#
+# List of retention policies configured on the InfluxDB server, defined by another
+# Ansible role.
+influxdb__dependent_retention_policies: []
+                                                                   # ]]]
+# .. envvar:: influxdb__users [[[
+#
+# List of user accounts configured on the InfluxDB server. See
+# :ref:`influxdb__users` for more details.
+influxdb__users: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb__dependent_users [[[
+#
+# List of user accounts configured on the InfluxDB server, defined by another
+# Ansible role.
+influxdb__dependent_users: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: influxdb__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+influxdb__python__dependent_packages3:
+
+  - 'python3-influxdb'
+
+                                                                   # ]]]
+# .. envvar:: influxdb__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+influxdb__python__dependent_packages2:
+
+  - 'python-influxdb'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/influxdb/meta/main.yml b/ansible_collections/debops/debops/roles/influxdb/meta/main.yml
new file mode 100644
index 00000000..dd84b57e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Pedro Luis López, Bechea Leonardo, Alin Alexandru'
+  description: 'Install and manage InfluxDB server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - search
+    - monitoring
+    - influxdb
diff --git a/ansible_collections/debops/debops/roles/influxdb/tasks/main.yml b/ansible_collections/debops/debops/roles/influxdb/tasks/main.yml
new file mode 100644
index 00000000..f77d315f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check if database server is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'influxdb'
+         | grep -v '^$'
+  args:
+    executable: 'bash'
+  register: influxdb__register_version
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Override configuration if local server is detected
+  ansible.builtin.set_fact:
+    influxdb__server: '{{ ansible_fqdn if influxdb__pki else "localhost" }}'
+  when: (influxdb__register_version.stdout | d(False))
+
+- name: Make sure that local fact directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save InfluxDB local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/influxdb.fact.j2'
+    dest: '/etc/ansible/facts.d/influxdb.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage database contents
+  ansible.builtin.include_tasks: 'manage_contents.yml'
+  when: (influxdb__server | d(False) and influxdb__delegate_to)
+  tags: [ 'role::influxdb:contents' ]
diff --git a/ansible_collections/debops/debops/roles/influxdb/tasks/manage_contents.yml b/ansible_collections/debops/debops/roles/influxdb/tasks/manage_contents.yml
new file mode 100644
index 00000000..146dc54e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/tasks/manage_contents.yml
@@ -0,0 +1,94 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Drop databases if requested
+  community.general.influxdb_database:
+    database_name: '{{ item.database | d(item.name) }}'
+    state: 'absent'
+    hostname: '{{ influxdb__server }}'
+    port: '{{ influxdb__port }}'
+    ssl: '{{ influxdb__pki }}'
+    password: '{{ influxdb__root_password }}'
+    proxies: '{{ item.proxies | d(influxdb__proxies | d(omit)) }}'
+    validate_certs: '{{ item.validate_certs | d(influxdb__validate_certs | d(True)) }}'
+  loop: '{{ q("flattened", influxdb__databases + influxdb__dependent_databases | d([])) }}'
+  delegate_to: '{{ influxdb__delegate_to }}'
+  when: ((item.database | d(False) or item.name | d(False)) and
+         (item.state is defined and item.state == 'absent'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create databases
+  community.general.influxdb_database:
+    database_name: '{{ item.database | d(item.name) }}'
+    state: 'present'
+    hostname: '{{ influxdb__server }}'
+    port: '{{ influxdb__port }}'
+    ssl: '{{ influxdb__pki }}'
+    password: '{{ influxdb__root_password }}'
+    proxies: '{{ item.proxies | d(influxdb__proxies | d(omit)) }}'
+    validate_certs: '{{ item.validate_certs | d(influxdb__validate_certs | d(True)) }}'
+  loop: '{{ q("flattened", influxdb__databases + influxdb__dependent_databases | d([])) }}'
+  delegate_to: '{{ influxdb__delegate_to }}'
+  when: ((item.database | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != 'absent'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create retention policies
+  community.general.influxdb_retention_policy:
+    policy_name: '{{ item.policy | d(item.name) }}'
+    database_name: '{{ item.database }}'
+    duration: '{{ item.duration }}'
+    replication: '{{ item.replication }}'
+    default: '{{ item.default | d(False) }}'
+    hostname: '{{ influxdb__server }}'
+    port: '{{ influxdb__port }}'
+    ssl: '{{ influxdb__pki }}'
+    password: '{{ influxdb__root_password }}'
+    proxies: '{{ item.proxies | d(influxdb__proxies | d(omit)) }}'
+    validate_certs: '{{ item.validate_certs | d(influxdb__validate_certs | d(True)) }}'
+  loop: '{{ q("flattened", influxdb__retention_policies + influxdb__dependent_retention_policies | d([])) }}'
+  delegate_to: '{{ influxdb__delegate_to }}'
+  when: item.policy | d(False) or item.name | d(False)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Drop user accounts if requested
+  community.general.influxdb_user:
+    user_name: '{{ item.user | d(item.name) }}'
+    state: 'absent'
+    hostname: '{{ influxdb__server }}'
+    port: '{{ influxdb__port }}'
+    ssl: '{{ influxdb__pki }}'
+    password: '{{ influxdb__root_password }}'
+    proxies: '{{ item.proxies | d(influxdb__proxies | d(omit)) }}'
+    validate_certs: '{{ item.validate_certs | d(influxdb__validate_certs | d(True)) }}'
+  loop: '{{ q("flattened", influxdb__users + influxdb__dependent_users) }}'
+  delegate_to: '{{ influxdb__delegate_to }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is defined and item.state == "absent"))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create user accounts
+  community.general.influxdb_user:
+    user_name: '{{ item.user | d(item.name) }}'
+    user_password: '{{ item.password | d(lookup("password",
+                       secret + "/influxdb/" + influxdb__server +
+                       "/credentials/" + item.user | d(item.name) + "/password " +
+                       "length=" + influxdb__password_length)) }}'
+    grants: '{{ item.grants | d(omit) }}'
+    admin: '{{ item.admin | d(False) }}'
+    state: 'present'
+    hostname: '{{ influxdb__server }}'
+    port: '{{ influxdb__port }}'
+    ssl: '{{ influxdb__pki }}'
+    password: '{{ influxdb__root_password }}'
+    proxies: '{{ item.proxies | d(influxdb__proxies | d(omit)) }}'
+    validate_certs: '{{ item.validate_certs | d(influxdb__validate_certs | d(True)) }}'
+  loop: '{{ q("flattened", influxdb__users + influxdb__dependent_users) }}'
+  delegate_to: '{{ influxdb__delegate_to }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != "absent"))
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/influxdb/templates/etc/ansible/facts.d/influxdb.fact.j2 b/ansible_collections/debops/debops/roles/influxdb/templates/etc/ansible/facts.d/influxdb.fact.j2
new file mode 100644
index 00000000..8f620002
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb/templates/etc/ansible/facts.d/influxdb.fact.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+ # Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+ # Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% set influxdb__tpl_delegate_to = ansible_local.influxdb.delegate_to | d(influxdb__delegate_to) %}
+{% set influxdb__tpl_port        = ansible_local.influxdb.port | d(influxdb__port) %}
+{% set influxdb__tpl_server      = ansible_local.influxdb.server | d(influxdb__server) %}
+{% if influxdb__register_version.stdout %}
+{% set influxdb__tpl_server      = ansible_fqdn if influxdb__pki else "localhost" %}
+{% endif %}
+{
+"delegate_to": "{{ influxdb__tpl_delegate_to }}",
+"port": "{{ influxdb__tpl_port }}",
+"server": "{{ influxdb__tpl_server }}"
+}
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/COPYRIGHT b/ansible_collections/debops/debops/roles/influxdb_server/COPYRIGHT
new file mode 100644
index 00000000..835f4b88
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.influxdb_server - Manage InfluxDB service using Ansible
+
+Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/defaults/main.yml b/ansible_collections/debops/debops/roles/influxdb_server/defaults/main.yml
new file mode 100644
index 00000000..1b57c94a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/defaults/main.yml
@@ -0,0 +1,375 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# .. Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# .. Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _influxdb_server__ref_defaults:
+
+# debops.influxdb_server default variables
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# -------------------------------
+
+# .. envvar:: influxdb_server__base_packages [[[
+#
+# List of the default APT packages to install for InfluxDB Server support.
+influxdb_server__base_packages: [ 'influxdb' ]
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__packages [[[
+#
+# List of additional APT packages to install with InfluxDB Server.
+influxdb_server__packages: []
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Basic configuration [[[
+# -----------------------
+
+# .. envvar:: influxdb_server__allow [[[
+#
+# List of IP addresses or CIDR subnets which will be permitted to access the
+# InfluxDB server API. If the list is empty, nobody can access the service.
+influxdb_server__allow: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__bind [[[
+#
+# The ip address on which this InfluxDB listens on.
+# Leave empty to bind on all interfaces.
+influxdb_server__bind: ''
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__port [[[
+#
+# Port number on which this InfluxDB listens on.
+influxdb_server__port: '8086'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__rpc_allow [[[
+#
+# List of IP addresses or CIDR subnets which will be permitted to access the
+# InfluxDB RPC. If the list is empty, nobody can access the service.
+influxdb_server__rpc_allow: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__rpc_bind [[[
+#
+# The ip address used by the RPC service for RPC calls made by the CLI for backup and restore operations.
+# Leave empty to bind on all interfaces.
+influxdb_server__rpc_bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__rpc_port [[[
+#
+# Port number used by the RPC service for RPC calls made by the CLI for backup and restore operations.
+influxdb_server__rpc_port: '8088'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__default_directory [[[
+#
+# Default directory root for InfluxDB server.
+influxdb_server__default_directory: '/var/lib/influxdb'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__directory [[[
+#
+# The directory root for InfluxDB server.
+influxdb_server__directory: '{{ influxdb_server__default_directory }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__delegate_to [[[
+#
+# Inventory hostname of the server to which Ansible roles will delegate tasks.
+# Using a FQDN hostname known to Ansible. Defaults to `inventory_hostname`.
+influxdb_server__delegate_to: '{{ inventory_hostname }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# InfluxDB configuration file [[[
+# -------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/influxdb/influxdb.conf` configuration file.
+
+# .. envvar:: influxdb_server__default_configuration [[[
+#
+# The default configuration options which should be present in the main
+# configuration file.
+influxdb_server__default_configuration:
+
+  - name: 'global'
+    options:
+      - reporting-disabled: 'true'
+      - bind-address: '"{{ influxdb_server__rpc_bind }}:{{ influxdb_server__rpc_port }}"'
+
+  - name: 'meta'
+    options:
+      - dir: '"{{ influxdb_server__directory }}/meta"'
+
+  - name: 'data'
+    options:
+      - dir: '"{{ influxdb_server__directory }}/data"'
+      - wal-dir: '"{{ influxdb_server__directory }}/wal"'
+
+  - name: 'coordinator'
+    options: []
+
+  - name: 'retention'
+    options: []
+
+  - name: 'shard-precreation'
+    options: []
+
+  - name: 'monitor'
+    options: []
+
+  - name: 'http'
+    options:
+      - bind-address: '"{{ influxdb_server__bind }}:{{ influxdb_server__port }}"'
+      - https-enabled: '{{ "true" if influxdb_server__pki else "false" }}'
+      - auth-enabled: 'true'
+
+  - name: 'logging'
+    options: []
+
+  - name: 'subscriber'
+    options: []
+
+  - name: 'graphite'
+    options: []
+
+  - name: 'collectd'
+    options: []
+
+  - name: 'opentsdb'
+    options: []
+
+  - name: 'udp'
+    options: []
+
+  - name: 'continuous_queries'
+    options: []
+
+  - name: 'tls'
+    options:
+      - min-version: '"tls1.2"'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__configuration [[[
+#
+# List of configuration options defined on all hosts in the InfluxDB inventory.
+influxdb_server__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__combined_configuration [[[
+#
+# Actual list of InfluxDB configuration options passed to the
+# configuration template. This list defines the order in which the options from
+# different variables are processed.
+influxdb_server__combined_configuration: '{{ influxdb_server__default_configuration +
+                                             influxdb_server__configuration +
+                                             influxdb_server__pki_options }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL configuration [[[
+# ---------------------
+
+# .. envvar:: influxdb_server__append_groups [[[
+#
+# List of additional system groups to append to the InfluxDB system user.
+# ``ssl-cert`` group is required for access to certificate private keys.
+influxdb_server__append_groups: [ 'ssl-cert' ]
+
+                                                                   # ]]]
+# .. envvar:: influxdb__pki_options [[[
+#
+# Configuration of SSL support in :program:`influxdb`, managed by :ref:`debops.pki` role.
+influxdb_server__pki_options:
+
+  - name: 'http'
+    state: '{{ "present" if influxdb_server__pki | bool else "absent" }}'
+    options:
+      - https-certificate: '"{{ influxdb_server__pki_path + "/" + influxdb_server__pki_realm +
+                                "/" + influxdb_server__pki_crt }}"'
+      - https-private-key: '"{{ influxdb_server__pki_path + "/" + influxdb_server__pki_realm +
+                                "/" + influxdb_server__pki_key }}"'
+
+  - name: 'subscriber'
+    state: '{{ "present" if influxdb_server__pki | bool else "absent" }}'
+    options:
+      - ca-certs: '"{{ influxdb_server__pki_path + "/" + influxdb_server__pki_realm +
+                       "/" + influxdb_server__pki_ca }}"'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki [[[
+#
+# Enable or disable support for SSL in InfluxDB (using :ref:`debops.pki`).
+influxdb_server__pki: '{{ True
+                          if (ansible_local.pki.enabled | d() | bool and
+                              influxdb_server__pki_realm in ansible_local.pki.known_realms)
+                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki_path [[[
+#
+# Base path for PKI directory.
+influxdb_server__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki") }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki_realm [[[
+#
+# Default PKI realm used by InfluxDB server.
+influxdb_server__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki_ca [[[
+#
+# Root CA certificate used by InfluxDB, relative to :envvar:`influxdb_server__pki_realm`.
+influxdb_server__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki_crt [[[
+#
+# Host certificate used by InfluxDB, relative to :envvar:`influxdb_server__pki_realm`.
+influxdb_server__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__pki_key [[[
+#
+# Host private key used by InfluxDB, relative to :envvar:`influxdb_server__pki_realm`.
+influxdb_server__pki_key: 'default.key'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Default root account [[[
+# ----------------------------
+
+# .. envvar:: influxdb_server__password_length [[[
+#
+# Length of automatically generated user accounts, saved in the ``secret/``
+# directory. See :ref:`debops.secret` role for more details about passwords.
+influxdb_server__password_length: '48'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__root_password [[[
+#
+# Password for default root admin user.
+influxdb_server__root_password: '{{ lookup("password", secret + "/influxdb/" + ansible_fqdn +
+                                    "/credentials/root/password " +
+                                    "length=" + influxdb_server__password_length) }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# AutoInfluxDBBackup configuration [[[
+# ---------------------------------
+
+# .. envvar:: influxdb_server__backup [[[
+#
+# Enable or disable support for daily, weekly and monthly snapshots of the
+# database using :program:`autoinfluxdbbackup`.
+influxdb_server__backup: True
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__backup_mailaddr [[[
+#
+# Mail address to send messages to (account or alias name will be properly
+# routed by the Postfix SMTP server).
+influxdb_server__backup_mailaddr: 'backup@{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__backup_doweekly [[[
+#
+# Specify the day of the week to create weekly backups
+# (1 - Monday, 7 - Sunday).
+influxdb_server__backup_doweekly: '6'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__backup_latest [[[
+#
+# Don't keep copies of most recent backups by default.
+influxdb_server__backup_latest: 'no'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__backup_directory [[[
+#
+# Base directory where :program:`autoinfluxdbbackup` stores the database backups.
+# The directory will be created automatically by :program:`autoinfluxdbbackup`, if it
+# does not exist.
+influxdb_server__backup_directory: '/var/lib/autoinfluxdbbackup'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: influxdb_server__influxdata__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.influxdata` Ansible role.
+influxdb_server__influxdata__dependent_packages:
+  - '{{ influxdb_server__base_packages }}'
+  - '{{ influxdb_server__packages }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+influxdb_server__ferm__dependent_rules:
+
+  - name: 'influxdb_http'
+    type: 'accept'
+    saddr: '{{ influxdb_server__allow }}'
+    dport: [ 'influxdb-http' ]
+    accept_any: False
+    role: 'influxdb_server'
+
+  - name: 'influxdb_rpc'
+    type: 'accept'
+    saddr: '{{ influxdb_server__rpc_allow }}'
+    dport: [ 'influxdb-rpc' ]
+    accept_any: False
+    role: 'influxdb_server'
+    state: '{{ "absent" if influxdb_server__rpc_bind == "127.0.0.1" else "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+influxdb_server__etc_services__dependent_list:
+
+  - name: 'influxdb-http'
+    port: '{{ influxdb_server__port }}'
+
+  - name: 'influxdb-rpc'
+    port: '{{ influxdb_server__rpc_port }}'
+    state: '{{ "absent" if influxdb_server__rpc_bind == "127.0.0.1" else "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+influxdb_server__python__dependent_packages3:
+
+  - 'python3-influxdb'
+
+                                                                   # ]]]
+# .. envvar:: influxdb_server__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+influxdb_server__python__dependent_packages2:
+
+  - 'python-influxdb'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/files/usr/sbin/autoinfluxdbbackup b/ansible_collections/debops/debops/roles/influxdb_server/files/usr/sbin/autoinfluxdbbackup
new file mode 100755
index 00000000..0f3396f1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/files/usr/sbin/autoinfluxdbbackup
@@ -0,0 +1,481 @@
+#!/bin/bash
+set -o pipefail -o errexit
+
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This file is managed remotely, all changes will be lost
+
+#
+# InfluxDB Backup Script
+# VER. 0.1
+
+# Note, this is a lobotomized port of AutoMySQLBackup
+# (https://sourceforge.net/projects/automysqlbackup/) for use with
+# InfluxDB.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+#=====================================================================
+#=====================================================================
+# Set the following variables to your system needs
+# (Detailed instructions below variables)
+#=====================================================================
+
+# Database name to specify a specific database only e.g. myawesomeapp
+# Unnecessary if backup all databases
+# DBNAME=""
+
+# Host name (or IP address) of influxdb server e.g localhost
+DBHOST="127.0.0.1"
+
+# Port that influxdb is listening on
+DBPORT="8088"
+
+# Backup directory location e.g /backups
+BACKUPDIR="/var/backups/influxdb"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log   : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="stdout"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs])
+export MAXATTSIZE="4000"
+
+# Email Address to send mail to? (user@domain.com)
+# MAILADDR=""
+
+# ============================================================================
+# === SCHEDULING AND RETENTION OPTIONS ( Read the doc's below for details )===
+#=============================================================================
+
+# Do you want to do hourly backups? How long do you want to keep them?
+DOHOURLY="no"
+HOURLYRETENTION=24
+
+# Do you want to do daily backups? How long do you want to keep them?
+DODAILY="yes"
+DAILYRETENTION=0
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY="yes"
+WEEKLYDAY=6
+WEEKLYRETENTION=4
+
+# Do you want monthly backups? How long do you want to keep them?
+DOMONTHLY="yes"
+MONTHLYRETENTION=4
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# Choose Compression type. (gzip or bzip2)
+COMP="gzip"
+
+# Choose if the uncompressed folder should be deleted after compression has completed
+CLEANUP="yes"
+
+# Additionally keep a copy of the most recent backup in a separate directory.
+LATEST="yes"
+
+# Make Hardlink not a copy
+LATESTLINK="yes"
+
+# Maximum files of a single backup used by split - leave empty if no split required
+# MAXFILESIZE=""
+
+# Command to run before backups (uncomment to use)
+# PREBACKUP=""
+
+# Command run after backups (uncomment to use)
+# POSTBACKUP=""
+
+#=====================================================================
+# Options documentation
+#=====================================================================
+# Set the DBHOST option to the server you wish to backup, leave the
+# default to backup "this server".(to backup multiple servers make
+# copies of this file and set the options for that server)
+#
+# You can change the backup storage location from /backups to anything
+# you like by using the BACKUPDIR setting..
+#
+# The MAILCONTENT and MAILADDR options and pretty self explanatory, use
+# these to have the backup log mailed to you at any email address or multiple
+# email addresses in a space separated list.
+#
+# (If you set mail content to "log" you will require access to the "mail" program
+# on your server. If you set this to "files" you will have to have mutt installed
+# on your server. If you set it to "stdout" it will log to the screen if run from
+# the console or to the cron job owner if run through cron. If you set it to "quiet"
+# logs will only be mailed if there are errors reported. )
+#
+#
+# Finally copy autoinfluxdbbackup to anywhere on your server and make sure
+# to set executable permission. You can also copy the script to
+# /etc/cron.daily to have it execute automatically every night or simply
+# place a symlink in /etc/cron.daily to the file if you wish to keep it
+# somewhere else.
+#
+# NOTE: On Debian copy the file with no extension for it to be run
+# by cron e.g just name the file "autoinfluxdbbackup"
+#
+# That's it..
+#
+#
+# === Advanced options ===
+#
+# To set the day of the week that you would like the weekly backup to happen
+# set the WEEKLYDAY setting, this can be a value from 1 to 7 where 1 is Monday,
+# The default is 6 which means that weekly backups are done on a Saturday.
+#
+# Use PREBACKUP and POSTBACKUP to specify Pre and Post backup commands
+# or scripts to perform tasks either before or after the backup process.
+#
+#
+#=====================================================================
+# Backup Rotation..
+#=====================================================================
+#
+# Hourly backups are executed if DOHOURLY is set to "yes".
+# The number of hours backup copies to keep for each day (i.e. 'Monday', 'Tuesday', etc.) is set with DHOURLYRETENTION.
+# DHOURLYRETENTION=0 rotates hourly backups every day (i.e. only the most recent hourly copy is kept). -1 disables rotation.
+#
+# Daily backups are executed if DODAILY is set to "yes".
+# The number of daily backup copies to keep for each day (i.e. 'Monday', 'Tuesday', etc.) is set with DAILYRETENTION.
+# DAILYRETENTION=0 rotates daily backups every week (i.e. only the most recent daily copy is kept). -1 disables rotation.
+#
+# Weekly backups are executed if DOWEEKLY is set to "yes".
+# WEEKLYDAY [1-7] sets which day a weekly backup occurs when cron.daily scripts are run.
+# Rotate weekly copies after the number of weeks set by WEEKLYRETENTION.
+# WEEKLYRETENTION=0 rotates weekly backups every week. -1 disables rotation.
+#
+# Monthly backups are executed if DOMONTHLY is set to "yes".
+# Monthly backups occur on the first day of each month when cron.daily scripts are run.
+# Rotate monthly backups after the number of months set by MONTHLYRETENTION.
+# MONTHLYRETENTION=0 rotates monthly backups upon each execution. -1 disables rotation.
+#
+#=====================================================================
+# Please Note!!
+#=====================================================================
+#
+# I take no responsibility for any data loss or corruption when using
+# this script.
+#
+# This script will not help in the event of a hard drive crash. You
+# should copy your backups offline or to another PC for best protection.
+#
+# Happy backing up!
+#
+#=====================================================================
+# Restoring
+#=====================================================================
+# ???
+#
+#=====================================================================
+# Change Log
+#=====================================================================
+# VER 0.1 - (2020-03-01)
+#       - Initial Release
+#
+#=====================================================================
+#=====================================================================
+#=====================================================================
+#
+# Should not need to be modified from here down!!
+#
+#=====================================================================
+#=====================================================================
+#=====================================================================
+
+shellout () {
+    if [ -n "$1" ]; then
+        echo "$1"
+        exit 1
+    fi
+    exit 0
+}
+
+# External config - override default values set above
+for x in default sysconfig; do
+  if [ -f "/etc/$x/autoinfluxdbbackup" ]; then
+      # shellcheck source=/dev/null
+      source /etc/$x/autoinfluxdbbackup
+  fi
+done
+
+# Include extra config file if specified on commandline, e.g. for backuping several remote dbs from central server
+# shellcheck source=/dev/null
+[ -n "$1" ] && [ -f "$1" ] && source "${1}"
+
+#=====================================================================
+
+PATH=/usr/local/bin:/usr/bin:/bin
+DATE=$(date +%Y-%m-%d_%Hh%Mm)                     # Datestamp e.g 2002-09-21
+HOD=$(date +%s)                                   # Current timestamp for PITR backup
+DOW=$(date +%A)                                   # Day of the week e.g. Monday
+DNOW=$(date +%u)                                  # Day number of the week 1 to 7 where 1 represents Monday
+DOM=$(date +%d)                                   # Date of the Month e.g. 27
+M=$(date +%B)                                     # Month e.g January
+W=$(date +%V)                                     # Week Number e.g 37
+VER=0.1                                           # Version Number
+LOGFILE=$BACKUPDIR/$DBHOST-$(date +%H%M).log       # Logfile Name
+LOGERR=$BACKUPDIR/ERRORS_$DBHOST-$(date +%H%M).log # Logfile Name
+OPT=""                                            # OPT string for use with influxd backup
+
+# Do we need to backup only a specific database?
+if [ "$DBNAME" ]; then
+  OPT="$OPT -database $DBNAME"
+fi
+
+# Create required directories
+mkdir -p $BACKUPDIR/{hourly,daily,weekly,monthly,tmp} || shellout 'failed to create directories'
+
+if [ "$LATEST" = "yes" ]; then
+    rm -rf "$BACKUPDIR/latest"
+    mkdir -p "$BACKUPDIR/latest" || shellout 'failed to create directory'
+fi
+
+# IO redirection for logging.
+touch "$LOGFILE"
+exec 6>&1           # Link file descriptor #6 with stdout.
+                    # Saves stdout.
+exec > "$LOGFILE"     # stdout replaced with file $LOGFILE.
+
+touch "$LOGERR"
+exec 7>&2           # Link file descriptor #7 with stderr.
+                    # Saves stderr.
+exec 2> "$LOGERR"     # stderr replaced with file $LOGERR.
+
+# When a desire is to receive log via e-mail then we close stdout and stderr.
+[ "$MAILCONTENT" == "log" ] && exec 6>&- 7>&-
+
+# Functions
+
+# Database dump function
+dbdump () {
+    COMMAND="influxd backup -portable -host $DBHOST:$DBPORT $OPT $BACKUPDIR/tmp"
+    $COMMAND
+    INFLUXDBBACKUPSTATUS=$?
+    if [ $INFLUXDBBACKUPSTATUS -ne 0 ]; then
+        echo "ERROR: influxd backup failed: $1" >&2
+        return 1
+    fi
+    echo Tar backup to "$1"
+    cd "$BACKUPDIR/tmp" || return 1
+    tar cf "$1" -- *
+    cd - >/dev/null || return 1
+    echo Cleaning up folder at "$BACKUPDIR/tmp"
+    rm "$BACKUPDIR/tmp/"*
+    [ -e "$1" ] && return 0
+    echo "ERROR: influxd backup failed to create backup: $1" >&2
+    return 1
+}
+
+if [ -n "$MAXFILESIZE" ]; then
+    write_file() {
+        split --bytes "$MAXFILESIZE" --numeric-suffixes - "${1}-"
+    }
+else
+    write_file() {
+        cat > "$1"
+    }
+fi
+
+# Compression function plus latest copy
+compression () {
+    SUFFIX=""
+    dir=$(dirname "$1")
+    file=$(basename "$1")
+    if [ -n "$COMP" ]; then
+        [ "$COMP" = "gzip" ] && SUFFIX=".tgz"
+        [ "$COMP" = "bzip2" ] && SUFFIX=".tar.bz2"
+        echo Tar and $COMP to "$file$SUFFIX"
+        cd "$dir" || return 1
+        tar -cf - "$file" | $COMP --stdout | write_file "${file}${SUFFIX}"
+        cd - >/dev/null || return 1
+    else
+        echo "No compression option set, check advanced settings"
+    fi
+
+    if [ "$LATEST" = "yes" ]; then
+        if [ "$LATESTLINK" = "yes" ];then
+            COPY="ln"
+        else
+            COPY="cp"
+        fi
+        $COPY "$1$SUFFIX" "$BACKUPDIR/latest/"
+    fi
+
+    if [ "$CLEANUP" = "yes" ]; then
+        echo Cleaning up folder at "$1"
+        rm -rf "$1"
+    fi
+
+    return 0
+}
+
+# Run command before we begin
+if [ "$PREBACKUP" ]; then
+    echo ======================================================================
+    echo "Prebackup command output."
+    echo
+    eval "$PREBACKUP"
+    echo
+    echo ======================================================================
+    echo
+fi
+
+echo ======================================================================
+echo AutoInfluxDBBackup VER $VER
+
+echo
+echo "Backup of Database Server - $DBHOST"
+echo ======================================================================
+
+echo "Backup Start $(date)"
+echo ======================================================================
+# Monthly Full Backup of all Databases
+if [[ $DOM = "01" ]] && [[ $DOMONTHLY = "yes" ]]; then
+    echo Monthly Full Backup
+    echo
+    # Delete old monthly backups while respecting the set retention policy.
+    if [[ $MONTHLYRETENTION -ge 0 ]] ; then
+        NUM_OLD_FILES=$(find $BACKUPDIR/monthly -depth -not -newermt "$MONTHLYRETENTION month ago" -type f | wc -l)
+        if [[ $NUM_OLD_FILES -gt 0 ]] ; then
+            echo Deleting "$NUM_OLD_FILES" global setting backup file\(s\) older than "$MONTHLYRETENTION" month\(s\) old.
+            find $BACKUPDIR/monthly -not -newermt "$MONTHLYRETENTION month ago" -type f -delete
+        fi
+    fi
+    FILE="$BACKUPDIR/monthly/$DATE.$M"
+
+# Weekly Backup
+elif [[ "$DNOW" = "$WEEKLYDAY" ]] && [[ "$DOWEEKLY" = "yes" ]] ; then
+    echo Weekly Backup
+    echo
+    if [[ $WEEKLYRETENTION -ge 0 ]] ; then
+        # Delete old weekly backups while respecting the set retention policy.
+        NUM_OLD_FILES=$(find $BACKUPDIR/weekly -depth -not -newermt "$WEEKLYRETENTION week ago" -type f | wc -l)
+        if [[ $NUM_OLD_FILES -gt 0 ]] ; then
+            echo Deleting "$NUM_OLD_FILES" global setting backup file\(s\) older than "$WEEKLYRETENTION" week\(s\) old.
+            find $BACKUPDIR/weekly -not -newermt "$WEEKLYRETENTION week ago" -type f -delete
+        fi
+    fi
+    FILE="$BACKUPDIR/weekly/week.$W.$DATE"
+    OPT="$OPT -since $(date -u --date='7 days ago' +'%Y-%m-%dT%H:00:00Z')"
+
+# Daily Backup
+elif [[ $DODAILY = "yes" ]] ; then
+    echo Daily Backup of Databases
+    echo
+    # Delete old daily backups while respecting the set retention policy.
+    if [[ $DAILYRETENTION -ge 0 ]] ; then
+        NUM_OLD_FILES=$(find $BACKUPDIR/daily -depth -not -newermt "$DAILYRETENTION days ago" -type f | wc -l)
+        if [[ $NUM_OLD_FILES -gt 0 ]] ; then
+            echo Deleting "$NUM_OLD_FILES" global setting backup file\(s\) made in previous weeks.
+            find "$BACKUPDIR/daily" -not -newermt "$DAILYRETENTION days ago" -type f -delete
+        fi
+    fi
+    FILE="$BACKUPDIR/daily/$DATE.$DOW"
+    OPT="$OPT -since $(date -u --date='1 day ago' +'%Y-%m-%dT%H:00:00Z')"
+
+# Hourly Backup
+elif [[ $DOHOURLY = "yes" ]] ; then
+    echo Hourly Backup of Databases
+    echo
+    # Delete old hourly backups while respecting the set retention policy.
+    if [[ $HOURLYRETENTION -ge 0 ]] ; then
+        NUM_OLD_FILES=$(find $BACKUPDIR/hourly -depth -not -newermt "$HOURLYRETENTION hour ago" -type f | wc -l)
+        if [[ $NUM_OLD_FILES -gt 0 ]] ; then
+            echo "Deleting $NUM_OLD_FILES global setting backup files made in previous weeks."
+            find $BACKUPDIR/hourly -not -newermt "$HOURLYRETENTION hour ago" -type f -delete
+        fi
+    fi
+    FILE="$BACKUPDIR/hourly/$DATE.$DOW.$HOD"
+    # convert timestamp to date: echo $TIMESTAMP | gawk '{print strftime("%c", $0)}'
+    OPT="$OPT -since $(date -u --date='1 hour ago' +'%Y-%m-%dT%H:00:00Z')"
+
+fi
+
+# FILE will not be set if no frequency is selected.
+if [[ -z "$FILE" ]] ; then
+  echo "ERROR: No backup frequency was chosen."
+  echo "Please set one of DOHOURLY,DODAILY,DOWEEKLY,DOMONTHLY to \"yes\""
+  exit 1
+fi
+
+dbdump "$FILE" && compression "$FILE"
+
+echo ----------------------------------------------------------------------
+echo "Backup End Time $(date)"
+echo ======================================================================
+
+echo Total disk space used for backup storage..
+echo Size - Location
+du -hs "$BACKUPDIR"
+echo
+echo ======================================================================
+
+# Run command when we're done
+if [ "$POSTBACKUP" ]; then
+    echo ======================================================================
+    echo "Postbackup command output."
+    echo
+    eval "$POSTBACKUP"
+    echo
+    echo ======================================================================
+fi
+
+# Clean up IO redirection if we plan not to deliver log via e-mail.
+[ ! "$MAILCONTENT" == "log" ] && exec 1>&6 2>&7 6>&- 7>&-
+
+if [ "$MAILCONTENT" = "log" ]; then
+    mail -s "InfluxDB Backup Log for $DBHOST - $DATE" "$MAILADDR" < "$LOGFILE"
+
+    if [ -s "$LOGERR" ]; then
+        cat "$LOGERR"
+        mail -s "ERRORS REPORTED: InfluxDB Backup error Log for $DBHOST - $DATE" "$MAILADDR" < "$LOGERR"
+    fi
+else
+    if [ -s "$LOGERR" ]; then
+        cat "$LOGFILE"
+        echo
+        echo "###### WARNING ######"
+        echo "STDERR written to during influxd backup execution."
+        echo "The backup probably succeeded, as influxd backup sometimes writes to STDERR, but you may wish to scan the error log below:"
+        cat "$LOGERR"
+    else
+        cat "$LOGFILE"
+    fi
+fi
+
+# TODO: Would be nice to know if there were any *actual* errors in the $LOGERR
+STATUS=0
+if [ -s "$LOGERR" ]; then
+    STATUS=1
+fi
+
+# Clean up Logfile
+rm -f "$LOGFILE" "$LOGERR"
+
+exit $STATUS
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/meta/main.yml b/ansible_collections/debops/debops/roles/influxdb_server/meta/main.yml
new file mode 100644
index 00000000..dd84b57e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Pedro Luis López, Bechea Leonardo, Alin Alexandru'
+  description: 'Install and manage InfluxDB server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - search
+    - monitoring
+    - influxdb
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/tasks/autoinfluxdbbackup.yml b/ansible_collections/debops/debops/roles/influxdb_server/tasks/autoinfluxdbbackup.yml
new file mode 100644
index 00000000..05343f6a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/tasks/autoinfluxdbbackup.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Copy autoinfluxdbbackup script
+  ansible.builtin.copy:
+    src: 'usr/sbin/autoinfluxdbbackup'
+    dest: '/usr/sbin/autoinfluxdbbackup'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Ensure that the autoinfluxdbbackup directory exists
+  ansible.builtin.file:
+    path: '/etc/autoinfluxdbbackup/'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure autoinfluxdbbackup
+  ansible.builtin.template:
+    src: '{{ item.template }}.j2'
+    dest: '/{{ item.template }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode }}'
+  with_items:
+    - template: 'etc/cron.daily/autoinfluxdbbackup'
+      mode: '0755'
+    - template: 'etc/default/autoinfluxdbbackup'
+      mode: '0644'
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/tasks/main.yml b/ansible_collections/debops/debops/roles/influxdb_server/tasks/main.yml
new file mode 100644
index 00000000..81c79278
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/tasks/main.yml
@@ -0,0 +1,127 @@
+---
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Restart database server on first install (influx bug)
+  ansible.builtin.service:
+    name: 'influxdb'
+    state: 'restarted'
+  when: not (ansible_local.influxdb_server.installed | d(false) | bool)
+
+- name: Wait for HTTP endpoint port to become open on the host on first install
+  ansible.builtin.wait_for:
+    port: '{{ influxdb_server__port }}'
+  when: not (ansible_local.influxdb_server.installed | d(false) | bool)
+
+- name: Create default admin user on first install
+  community.general.influxdb_user:
+    user_name: 'root'
+    user_password: '{{ influxdb_server__root_password }}'
+    state: 'present'
+    admin: 'yes'
+    proxies:
+      http:
+      https:
+  when: not (ansible_local.influxdb_server.installed | d(false) | bool)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Stop database server on first install
+  ansible.builtin.service:
+    name: 'influxdb'
+    state: 'stopped'
+  when: not (ansible_local.influxdb_server.installed | d(false) | bool)
+
+- name: Add InfluxDB server user to specified groups
+  ansible.builtin.user:
+    name: 'influxdb'
+    groups: '{{ influxdb_server__append_groups | join(",") | default(omit) }}'
+    append: True
+    createhome: False
+  when: influxdb_server__pki | bool
+
+- name: Ensure InfluxDB server directory exists
+  ansible.builtin.file:
+    path: '{{ influxdb_server__directory }}'
+    state: 'directory'
+    owner: 'influxdb'
+    group: 'influxdb'
+    mode: '0750'
+
+- name: Move InfluxDB data files to data directory
+  ansible.builtin.shell:
+    'mv {{ influxdb_server__default_directory }}/* {{ influxdb_server__directory }}'
+  register: influxdb_server__register_move
+  changed_when: influxdb_server__register_move.changed | bool
+  when: (not (ansible_local.influxdb_server.installed | d(false) | bool) and
+         influxdb_server__directory != influxdb_server__default_directory)
+
+- name: Divert the original influxdb configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/influxdb/influxdb.conf'
+    state: 'present'
+    delete: True
+  tags: [ 'role::influxdb_server:config' ]
+
+- name: Configure InfluxDB server
+  ansible.builtin.template:
+    src: 'etc/influxdb/influxdb.conf.j2'
+    dest: '/etc/influxdb/influxdb.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'role::influxdb_server:config' ]
+  notify: [ 'Restart influxdb' ]
+
+- name: Start database server on first install
+  ansible.builtin.service:
+    name: 'influxdb'
+    state: 'started'
+  when: not (ansible_local.influxdb_server.installed | d(false) | bool)
+
+- name: Configure autoinfluxdbbackup
+  ansible.builtin.include_tasks: 'autoinfluxdbbackup.yml'
+  when: influxdb_server__backup | bool
+  tags: [ 'role::influxdb_server:autoinfluxdbbackup' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save InfluxDB server local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/influxdb_server.fact.j2'
+    dest: '/etc/ansible/facts.d/influxdb_server.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Save InfluxDB local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/influxdb.fact.j2'
+    dest: '/etc/ansible/facts.d/influxdb.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb.fact.j2 b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb.fact.j2
new file mode 100644
index 00000000..5fbc3ee8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb.fact.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+ # Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+ # Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+{% set influxdb__tpl_delegate_to = ansible_local.influxdb.delegate_to | d(influxdb_server__delegate_to) %}
+{% set influxdb__tpl_port        = ansible_local.influxdb.port | d(influxdb_server__port) %}
+{% set influxdb__tpl_server      = ansible_local.influxdb.server | d(ansible_fqdn if influxdb_server__pki else "localhost") %}
+{
+"delegate_to": "{{ influxdb__tpl_delegate_to }}",
+"port": "{{ influxdb__tpl_port }}",
+"server": "{{ influxdb__tpl_server }}"
+}
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb_server.fact.j2 b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb_server.fact.j2
new file mode 100644
index 00000000..90f14757
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/ansible/facts.d/influxdb_server.fact.j2
@@ -0,0 +1,27 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {}
+output['installed'] = cmd_exists('influxd')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/cron.daily/autoinfluxdbbackup.j2 b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/cron.daily/autoinfluxdbbackup.j2
new file mode 100644
index 00000000..e2267bf1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/cron.daily/autoinfluxdbbackup.j2
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+test -x /usr/sbin/autoinfluxdbbackup || exit 0
+/usr/sbin/autoinfluxdbbackup > /dev/null
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/default/autoinfluxdbbackup.j2 b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/default/autoinfluxdbbackup.j2
new file mode 100644
index 00000000..1ab30a29
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/default/autoinfluxdbbackup.j2
@@ -0,0 +1,173 @@
+# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+# Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+# Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+#
+# InfluxDB Backup Script
+# VER. 0.1
+
+# Note, this is a lobotomized port of AutoMySQLBackup
+# (https://sourceforge.net/projects/automysqlbackup/) for use with
+# InfluxDB.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+#=====================================================================
+#=====================================================================
+# Set the following variables to your system needs
+# (Detailed instructions below variables)
+#=====================================================================
+
+# Database name to specify a specific database only e.g. myawesomeapp
+# Unnecessary if backup all databases
+# DBNAME=""
+
+# Host name (or IP address) of influxdb server e.g localhost
+DBHOST="{{ influxdb_server__rpc_bind }}"
+
+# Port that influxdb is listening on
+DBPORT="{{ influxdb_server__rpc_port }}"
+
+# Backup directory location e.g /backups
+BACKUPDIR="{{ influxdb_server__backup_directory | d('/var/lib/autoinfluxdbbackup') }}"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log   : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="quiet"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs])
+export MAXATTSIZE="4000"
+
+# Email Address to send mail to? (user@domain.com)
+MAILADDR="{{ influxdb_server__backup_mailaddr }}"
+
+# ============================================================================
+# === SCHEDULING AND RETENTION OPTIONS ( Read the doc's below for details )===
+#=============================================================================
+
+# Do you want to do hourly backups? How long do you want to keep them?
+DOHOURLY="no"
+HOURLYRETENTION=24
+
+# Do you want to do daily backups? How long do you want to keep them?
+DODAILY="yes"
+DAILYRETENTION=0
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY="yes"
+WEEKLYDAY={{ influxdb_server__backup_doweekly }}
+WEEKLYRETENTION=4
+
+# Do you want monthly backups? How long do you want to keep them?
+DOMONTHLY="yes"
+MONTHLYRETENTION=4
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# Choose Compression type. (gzip or bzip2)
+COMP="gzip"
+
+# Choose if the uncompressed folder should be deleted after compression has completed
+CLEANUP="yes"
+
+# Additionally keep a copy of the most recent backup in a separate directory.
+LATEST="{{ influxdb_server__backup_latest }}"
+
+# Make Hardlink not a copy
+LATESTLINK="yes"
+
+# Maximum files of a single backup used by split - leave empty if no split required
+# MAXFILESIZE=""
+
+# Command to run before backups (uncomment to use)
+# PREBACKUP=""
+
+# Command run after backups (uncomment to use)
+# POSTBACKUP=""
+
+#=====================================================================
+# Options documentation
+#=====================================================================
+# Set the DBHOST option to the server you wish to backup, leave the
+# default to backup "this server".(to backup multiple servers make
+# copies of this file and set the options for that server)
+#
+# You can change the backup storage location from /backups to anything
+# you like by using the BACKUPDIR setting..
+#
+# The MAILCONTENT and MAILADDR options and pretty self explanatory, use
+# these to have the backup log mailed to you at any email address or multiple
+# email addresses in a space separated list.
+#
+# (If you set mail content to "log" you will require access to the "mail" program
+# on your server. If you set this to "files" you will have to have mutt installed
+# on your server. If you set it to "stdout" it will log to the screen if run from
+# the console or to the cron job owner if run through cron. If you set it to "quiet"
+# logs will only be mailed if there are errors reported. )
+#
+#
+# Finally copy autoinfluxdbbackup to anywhere on your server and make sure
+# to set executable permission. You can also copy the script to
+# /etc/cron.daily to have it execute automatically every night or simply
+# place a symlink in /etc/cron.daily to the file if you wish to keep it
+# somewhere else.
+#
+# NOTE: On Debian copy the file with no extension for it to be run
+# by cron e.g just name the file "autoinfluxdbbackup"
+#
+# That's it..
+#
+#
+# === Advanced options ===
+#
+# To set the day of the week that you would like the weekly backup to happen
+# set the WEEKLYDAY setting, this can be a value from 1 to 7 where 1 is Monday,
+# The default is 6 which means that weekly backups are done on a Saturday.
+#
+# Use PREBACKUP and POSTBACKUP to specify Pre and Post backup commands
+# or scripts to perform tasks either before or after the backup process.
+#
+#
+#=====================================================================
+# Backup Rotation..
+#=====================================================================
+#
+# Hourly backups are executed if DOHOURLY is set to "yes".
+# The number of hours backup copies to keep for each day (i.e. 'Monday', 'Tuesday', etc.) is set with DHOURLYRETENTION.
+# DHOURLYRETENTION=0 rotates hourly backups every day (i.e. only the most recent hourly copy is kept). -1 disables rotation.
+#
+# Daily backups are executed if DODAILY is set to "yes".
+# The number of daily backup copies to keep for each day (i.e. 'Monday', 'Tuesday', etc.) is set with DAILYRETENTION.
+# DAILYRETENTION=0 rotates daily backups every week (i.e. only the most recent daily copy is kept). -1 disables rotation.
+#
+# Weekly backups are executed if DOWEEKLY is set to "yes".
+# WEEKLYDAY [1-7] sets which day a weekly backup occurs when cron.daily scripts are run.
+# Rotate weekly copies after the number of weeks set by WEEKLYRETENTION.
+# WEEKLYRETENTION=0 rotates weekly backups every week. -1 disables rotation.
+#
+# Monthly backups are executed if DOMONTHLY is set to "yes".
+# Monthly backups occur on the first day of each month when cron.daily scripts are run.
+# Rotate monthly backups after the number of months set by MONTHLYRETENTION.
+# MONTHLYRETENTION=0 rotates monthly backups upon each execution. -1 disables rotation.
diff --git a/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/influxdb/influxdb.conf.j2 b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/influxdb/influxdb.conf.j2
new file mode 100644
index 00000000..568f7bfc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/influxdb_server/templates/etc/influxdb/influxdb.conf.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2020 Pedro Luis Lopez <pedroluis.lopezsanchez@gmail.com>
+ # Copyright (C) 2020 Innobyte Bechea Leonardo <https://www.innobyte.com/>
+ # Copyright (C) 2020 Innobyte Alin Alexandru <https://www.innobyte.com/>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+{% for element in influxdb_server__combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+
+{%     if element.name in [ 'graphite', 'collectd', 'opentsdb', 'udp' ] %}
+{{ '[[{}]]'.format(element.name) }}
+{%     else %}
+{{ '[{}]'.format(element.name) }}
+{%     endif %}
+{%     if element.options | d() %}
+{%       for thing in element.options %}
+{%         if thing.name | d() and thing.value | d() and thing.state | d('present') != 'absent' %}
+{{ '  {} = {}'.format(thing.name, thing.value) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/ipxe/COPYRIGHT b/ansible_collections/debops/debops/roles/ipxe/COPYRIGHT
new file mode 100644
index 00000000..c1460a4a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.ipxe - Manage iPXE boot service using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ipxe/defaults/main.yml b/ansible_collections/debops/debops/roles/ipxe/defaults/main.yml
new file mode 100644
index 00000000..98aca895
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/defaults/main.yml
@@ -0,0 +1,578 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ipxe__ref_defaults:
+
+# debops.ipxe default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: ipxe__base_packages [[[
+#
+# List of the default APT packages to install for iPXE support.
+ipxe__base_packages: [ 'ipxe', 'pax', 'cpio', 'syslinux-common',
+                       'openssl', 'ca-certificates' ]
+
+                                                                   # ]]]
+# .. envvar:: ipxe__packages [[[
+#
+# List of additional APT packages to install with iPXE.
+ipxe__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# TFTP environment [[[
+# --------------------
+
+# .. envvar:: ipxe__tftp_root [[[
+#
+# Absolute path to the TFTP root directory.
+ipxe__tftp_root: '{{ ansible_local.tftpd.directory | d(ansible_local.dnsmasq.boot_tftp_root | d("/srv/tftp")) }}'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__bootloaders [[[
+#
+# List of files on the remote host which will be copied to the TFTP root
+# directory. These files are boot loaders called during the PXE boot via the
+# DHCP options. Bootloaders are provided by the installed APT packages.
+ipxe__bootloaders:
+  - '/usr/lib/syslinux/memdisk'
+  - '/usr/lib/ipxe/undionly.kpxe'
+  - '/boot/ipxe.efi'
+                                                                   # ]]]
+                                                                   # ]]]
+# Debian Installer network boot [[[
+# ---------------------------------
+
+# .. envvar:: ipxe__debian_netboot_enabled [[[
+#
+# Enable or disable support for configuring a set of Debian Installer instances
+# which can be used to install Debian releases over the network.
+ipxe__debian_netboot_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_firmware [[[
+#
+# Enable or disable inclusion of the non-free firmware packages in the Debian
+# Installer images. The non-free firmware might be required to use certain
+# hardware (network cards, storage drivers, etc.).
+ipxe__debian_netboot_firmware: '{{ ansible_local.apt.nonfree | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_src [[[
+#
+# The base directory where the Debian netboot and firmware tarballs will be
+# downloaded. The final directory depends on a given OS release and hardware
+# architecture.
+ipxe__debian_netboot_src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                              + "/ipxe/debian/netboot" }}'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_pxe_root [[[
+#
+# The base directory where Debian Installer tarballs will be unpacked. The
+# final directory depends on a given OS release and hardware architecture.
+ipxe__debian_netboot_pxe_root: '{{ ipxe__tftp_root + "/pxe/linux/debian" }}'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_mirror [[[
+#
+# The base URL from which the Debian netboot tarballs will be downloaded. This
+# should be a fully-fledged Debian mirror.
+ipxe__debian_netboot_mirror: 'https://deb.debian.org/debian'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_firmware_mirror [[[
+#
+# The base URL from which the Debian firmware tarballs will be downloaded.
+ipxe__debian_netboot_firmware_mirror: 'https://cdimage.debian.org/cdimage/unofficial/non-free/firmware'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_releases [[[
+#
+# Specify which Debian releases will be prepared for iPXE boot on a given host.
+# The releases need to be defined in the OS release map below.
+ipxe__debian_netboot_releases: [ 'bullseye', 'bookworm', 'trixie' ]
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_architectures [[[
+#
+# Specify which Debian architectures will be prepared for iPXE boot on a given
+# host. The architectures need to be defined in the OS release map below.
+ipxe__debian_netboot_architectures: [ 'amd64', 'i386', 'arm64' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Debian Installer release maps [[[
+# ---------------------------------
+
+# These lists define the Debian Installer releases that will be downloaded and
+# prepared for use via iPXE boot.
+# See :ref:`ipxe__ref_debian_netboot_release_map` for more details.
+
+# .. envvar:: ipxe__debian_netboot_default_release_map [[[
+#
+# The list of the default Debian Installer releases defined by the role.
+ipxe__debian_netboot_default_release_map:
+
+  - name: 'bullseye-amd64'
+    release: 'bullseye'
+    architecture: 'amd64'
+    netboot_version: '20210731+deb11u12'
+    netboot_checksum: 'sha256:77033ca69a43f0dd06d274f90f40dcf3487e93772c3331d22ad84419305da157'  # netboot.tar.gz
+    firmware_version: '20240831'
+    firmware_checksum: 'sha256:5dff544bad3dc197a8e20b6121ef0c005d2f06085b83e7f24ca9feb7e77e42d2'  # firmware.cpio.gz
+
+  - name: 'bullseye-amd64-gtk'
+    release: 'bullseye'
+    architecture: 'amd64'
+    netboot_subdir: '/gtk'
+    netboot_version: '20210731+deb11u12'
+    netboot_checksum: 'sha256:854d108e35b3d96a71cfb5ddcb96fed14e51915aae9c9fdbaa634d1ad17bafa6'  # netboot.tar.gz
+    firmware_version: '20240831'
+    firmware_checksum: 'sha256:5dff544bad3dc197a8e20b6121ef0c005d2f06085b83e7f24ca9feb7e77e42d2'  # firmware.cpio.gz
+
+  - name: 'bookworm-amd64'
+    release: 'bookworm'
+    architecture: 'amd64'
+    netboot_version: '20230607+deb12u12'
+    netboot_checksum: 'sha256:2cc3a5c20f9605ac29ea3afb6376d55b14d827f1ac44c42c3d3eed464a3c255b'  # netboot.tar.gz
+    firmware_version: '20250906'
+    firmware_checksum: 'sha256:09a174c10ea816f1ea704be84005cc7af0a68c2121c282e7d8c89b73b355c36e'  # firmware.cpio.gz
+
+  - name: 'bookworm-amd64-gtk'
+    release: 'bookworm'
+    architecture: 'amd64'
+    netboot_subdir: '/gtk'
+    netboot_version: '20230607+deb12u12'
+    netboot_checksum: 'sha256:130fd44c343e0fe5addbd0afcfc86b2fd3d5f8d77159f238609a6ab3f75ca07e'  # netboot.tar.gz
+    firmware_version: '20250906'
+    firmware_checksum: 'sha256:09a174c10ea816f1ea704be84005cc7af0a68c2121c282e7d8c89b73b355c36e'  # firmware.cpio.gz
+
+  - name: 'trixie-amd64'
+    release: 'trixie'
+    architecture: 'amd64'
+    netboot_version: '20250803+deb13u1'
+    netboot_checksum: 'sha256:a75870b27965ef67f13a2cdc9d4c574224e16b9b2764f88bf0ecc7c28b244fcb'  # netboot.tar.gz
+    firmware_version: '20250906'
+    firmware_checksum: 'sha256:e00d0f1c498932e0b8e86663701a96a9d3ad30c0f9200e21427b8db7ce2c900a'  # firmware.cpio.gz
+
+  - name: 'trixie-amd64-gtk'
+    release: 'trixie'
+    architecture: 'amd64'
+    netboot_subdir: '/gtk'
+    netboot_version: '20250803+deb13u1'
+    netboot_checksum: 'sha256:ac444dfe9f4e6d62aa54e8d33eae9c30984fb73ee78a15d115273c39026a08eb'  # netboot.tar.gz
+    firmware_version: '20250906'
+    firmware_checksum: 'sha256:e00d0f1c498932e0b8e86663701a96a9d3ad30c0f9200e21427b8db7ce2c900a'  # firmware.cpio.gz
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_release_map [[[
+#
+# The list of Debian Installer releases defined by the administrator. This
+# variable can be used to modify the default release list if necessary.
+ipxe__debian_netboot_release_map: []
+
+                                                                   # ]]]
+# .. envvar:: ipxe__debian_netboot_combined_release_map [[[
+#
+# The variable which combines the lists of the Debian Installer releases and is
+# used in the role tasks and templates.
+ipxe__debian_netboot_combined_release_map: '{{ ipxe__debian_netboot_default_release_map
+                                               + ipxe__debian_netboot_release_map }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# iPXE scripts [[[
+# ----------------
+
+# These lists define the iPXE menu scripts stored in the FTFP root directory.
+# See :ref:`ipxe__ref_scripts` for more details.
+
+# .. envvar:: ipxe__default_scripts [[[
+#
+# The list of the default iPXE scripts defined by the role.
+ipxe__default_scripts:
+
+  - name: 'variables.ipxe'
+    comment: 'iPXE global variables'
+    options:
+
+      - name: 'main_menu_title'
+        comment: 'The main menu title'
+        value: '{{ ansible_local.machine.organization | d("DebOps") + " Boot Menu" }}'
+
+      - name: 'debian_installer_mirror'
+        comment: 'Debian mirror used during automated installation'
+        value: 'deb.debian.org'
+
+      - name: 'debian_installer_preseed'
+        comment: 'Default preseed subdomain to use'
+        value: 'debian.seed'
+
+      - name: 'debian_installer_keymap'
+        comment: 'Default keymap to set for the preseeding'
+        value: 'us'
+
+      - name: 'debian_installer_kernel_params'
+        comment: 'Kernel parameters passed to the Debian Installer at boot'
+        value: [ 'quiet' ]
+
+      - name: 'ipxe_boot_path'
+        comment: 'Subdirectory with boot configuration files'
+        value: 'boot/'
+
+  - name: 'boot.ipxe'
+    raw: |
+      # iPXE configuration based on https://gist.github.com/robinsmidsrod/2234639
+
+      # Global variables used by all other iPXE scripts
+      chain --autofree variables.ipxe ||
+
+      # Boot using a dynamic script if it's specified
+      # http://ipxe.org/scripting
+      isset ${ipxe_boot_url} && chain --replace --autofree ${ipxe_boot_url} ||
+
+      # Boot <boot-url>/<boot-path>/hostname-<hostname>.ipxe
+      # if hostname DHCP variable is set and script is present
+      isset ${hostname} && chain --replace --autofree ${ipxe_boot_path}hostname-${hostname}.ipxe ||
+
+      # Boot <boot-url>/<boot-path>/uuid-<UUID>.ipxe
+      # if SMBIOS UUID variable is set and script is present
+      isset ${uuid} && chain --replace --autofree ${ipxe_boot_path}uuid-${uuid}.ipxe ||
+
+      # Boot <boot-url>/<boot-path>/mac-010203040506.ipxe if script is present
+      chain --replace --autofree ${ipxe_boot_path}mac-${mac:hexraw}.ipxe ||
+
+      # Boot <boot-url>/<boot-path>/pci-8086100e.ipxe if one type of
+      # PCI Intel adapter is present and script is present
+      chain --replace --autofree ${ipxe_boot_path}pci-${pci/${busloc}.0.2}${pci/${busloc}.2.2}.ipxe ||
+
+      # Boot <boot-url>/<boot-path>/chip-82541pi.ipxe if one type of
+      # PCI Intel adapter is present and script is present
+      chain --replace --autofree ${ipxe_boot_path}chip-${chip}.ipxe ||
+
+      # Boot <boot-url>/menu.ipxe script if all other options have been exhausted
+      set post_boot true
+      chain --replace --autofree menu.ipxe ||
+    state: 'present'
+
+  - name: 'menu.ipxe'
+    options:
+
+      - name: 'initialization'
+        raw: |
+          :start
+
+          chain --autofree variables.ipxe ||
+
+          set space:hex 20:20
+          set space ${space:string}
+
+          iseq ${cls} serial && goto ignore_cls ||
+          set cls:hex 1b:5b:4a  # ANSI clear screen sequence - "^[[J"
+          set cls ${cls:string}
+          :ignore_cls
+
+          isset ${arch} && goto skip_arch_detect ||
+          cpuid --ext 29 && set arch x86_64 || set arch i386
+          iseq ${arch} i386   && set arch5 i586   || set arch5 ${arch}
+          iseq ${arch} x86_64 && set arch_a amd64 || set arch_a ${arch}
+          :skip_arch_detect
+
+          isset ${menu} && goto ${menu} ||
+
+          isset ${ip} || dhcp || echo DHCP failed
+
+          isset ${post_boot} || chain --replace --autofree boot.ipxe ||
+
+      - name: 'main-menu-header'
+        raw: |
+          :main_menu
+          isset ${main_menu_cursor} || set main_menu_cursor exit
+          clear version
+          menu ${main_menu_title} [IP: ${netX/ip}]
+          item --gap Default:
+          item --key x exit ${space} Boot from hard disk [x]
+          item
+          item --gap Main menu:
+
+      - name: 'main-menu'
+        raw: |
+          item --key d debian-installer ${space} Install Debian GNU/Linux on this host [d]
+          item
+
+      - name: 'main-menu-footer'
+        raw: |
+          item netboot_xyz_boot_menu ${space} -> Netboot.xyz Boot Menu
+          item sal_boot_menu         ${space} -> SAL Boot Menu
+          item rackspace_boot_menu   ${space} -> Rackspace Boot Menu
+          item
+          item --gap Tools:
+          item sysinfo ${space} System info
+          item reboot ${space} Reboot
+          item shell ${space} iPXE shell
+
+          isset ${menu} && set timeout 0 || set timeout 4000
+          choose --timeout ${timeout} --default ${main_menu_cursor} menu || goto cancel
+          set main_menu_cursor ${menu}
+          set timeout 0
+          goto ${menu} ||
+          chain ${menu}.ipxe || goto error
+          goto main_menu
+
+      - name: 'cancel-shell'
+        raw: |
+          :cancel
+          echo You cancelled the menu, dropping you to a shell
+
+          :shell
+          echo Type "exit" to return to menu.
+          set menu main_menu
+          shell
+          goto main_menu
+
+      - name: 'other-boot-menu'
+        raw: |
+          :sal_boot_menu
+          chain http://boot.salstar.sk || goto error
+          goto main_menu
+
+          :rackspace_boot_menu
+          chain http://boot.rackspace.com/menu.ipxe || goto error
+          goto main_menu
+
+          :netboot_xyz_boot_menu
+          chain --autofree http://boot.netboot.xyz || goto error
+          goto main_menu
+
+      - name: 'reboot-exit-error'
+        raw: |
+          :reboot
+          reboot
+
+          :exit
+          echo ${cls}
+          exit
+
+          :error
+          echo Error occurred, press any key to return to menu ...
+          prompt
+          goto main_menu
+
+          :reload
+          echo Reloading menu.ipxe ...
+          chain menu.ipxe
+
+      - name: 'sysinfo'
+        raw: |
+          :sysinfo
+          menu System info
+          item --gap UUID:
+          item mac ${space} ${uuid}
+          item --gap MAC:
+          item mac ${space} ${netX/mac}
+          item --gap IP/mask:
+          item ip ${space} ${netX/ip}/${netX/netmask}
+          item --gap Gateway:
+          item gw ${space} ${netX/gateway}
+          item --gap Hostname:
+          item hostname ${space} ${hostname}
+          item --gap Domain:
+          item domain ${space} ${netX/domain}
+          item --gap DNS:
+          item dns ${space} ${netX/dns}
+          item --gap DHCP server:
+          item dhcpserver ${space} ${netX/dhcp-server}
+          item --gap Next-server:
+          item nextserver ${space} ${next-server}
+          item --gap Filename:
+          item filename ${space} ${netX/filename}
+          choose empty ||
+          goto main_menu
+
+  - name: 'debian-installer.ipxe'
+    raw: |
+      chain --autofree variables.ipxe ||
+
+      goto ${menu}
+
+      :debian-installer
+      isset ${debian-installer-cursor} || set debian-installer-cursor stable
+      set os debian
+      set domain ${netX/domain}
+
+      iseq ${manufacturer} Xen && set netcfg netcfg/get_ipaddress=${netX/ip} netcfg/get_netmask=${netX/netmask} netcfg/get_gateway=${netX/gateway} netcfg/get_nameservers=${dns} netcfg/confirm_static=true netcfg/choose_interface=auto netcfg/disable_autoconfig=true ||
+
+      menu Install Debian GNU/Linux / ${arch_a}
+      item --gap Select suite:
+      item --key e trixie ${space} Debian Stable (Trixie) [e]
+      # Enable this when Debian Forky gets an installer
+      #item forky ${space} Debian Testing (Forky)
+      item
+      item --gap Select release:
+      item trixie ${space} Debian GNU/Linux 13 (Trixie)
+      item bookworm ${space} Debian GNU/Linux 12 (Bookworm)
+      item bullseye ${space} Debian GNU/Linux 11 (bullseye)
+      choose --default ${debian-installer-cursor} version || goto debian_exit
+      set debian-installer-cursor ${version}
+
+      set mirrorcfg mirror/suite=${version} mirror/country=manual mirror/http/hostname=${debian_installer_mirror} mirror/http/directory=/${os}
+
+      set boot_params -- ${debian_installer_kernel_params}
+
+      :deb_boot_type_init
+      set type text
+
+      :deb_boot_type
+      set dir pxe/linux/debian/${version}/${arch_a}/current
+
+      menu Install Debian GNU/Linux / ${arch_a} / ${version}
+      item --gap Select installer mode:
+      item text ${space} Text install
+      item graphical ${space} Graphical install
+      item
+      item rescue ${space} Rescue mode
+      item
+      item expert ${space} Expert install
+      item --key b preseed ${space} Preseed install [b]
+      item
+      item --gap Preseed parameters:
+      item config_hostname ${space} Hostname: ${hostname}
+      item config_domain ${space} Domain: ${domain}
+      item config_preseed ${space} Flavor: ${debian_installer_preseed}
+      item config_keymap ${space} Keymap: ${debian_installer_keymap}
+      item
+      item --gap Installer parameters:
+      item config_mirror ${space} Mirror: ${debian_installer_mirror}
+      item config_boot_params ${space} Boot: ${boot_params}
+      choose --default ${type} type || goto debian-installer
+
+      echo ${cls}
+      goto deb_${type}
+
+      :deb_config_mirror
+      echo -n Set Debian mirror [${debian_installer_mirror}]: && read change_debian_installer_mirror
+      isset ${change_debian_installer_mirror} && set debian_installer_mirror ${change_debian_installer_mirror} || goto deb_boot_type
+      clear change_debian_installer_mirror
+      set mirrorcfg mirror/suite=${version} mirror/country=manual mirror/http/hostname=${debian_installer_mirror} mirror/http/directory=/${os}
+      goto deb_boot_type
+
+      :deb_config_boot_params
+      echo -n Edit boot options: && read boot_params
+      goto deb_boot_type
+
+      :deb_config_keymap
+      echo -n Set keymap [${debian_installer_keymap}]: && read change_debian_installer_keymap
+      isset ${change_debian_installer_keymap} && set debian_installer_keymap ${change_debian_installer_keymap} || goto deb_boot_type
+      clear change_debian_installer_keymap
+      goto deb_boot_type
+
+      :deb_config_hostname
+      echo -n Set hostname: [${hostname}]: && read change_hostname
+      isset ${change_hostname} && set hostname ${change_hostname} || goto deb_boot_type
+      clear change_hostname
+      goto deb_boot_type
+
+      :deb_config_domain
+      echo -n Set domain [${domain}]: && read change_domain
+      isset ${change_domain} && set domain ${change_domain} || goto deb_boot_type
+      clear change_domain
+      goto deb_boot_type
+
+      :deb_config_preseed
+      echo -n Set preseed URL for ${os} ${version} [${debian_installer_preseed}]: && read change_debian_installer_preseed
+      isset ${change_debian_installer_preseed} && set debian_installer_preseed ${change_debian_installer_preseed} || goto deb_boot_type
+      clear change_debian_installer_preseed
+      goto deb_boot_type
+
+      :deb_rescue
+      set install_params rescue/enable=true
+      goto deb_text
+
+      :deb_expert
+      set install_params priority=low
+      goto deb_text
+
+      :deb_preseed
+      echo -n Set preseed URL for ${os} ${version} [${debian_installer_preseed}]: && read preseedurl || goto deb_boot_type
+      isset ${hostname} || goto deb_preseed_get_hostname
+      :deb_preseed_has_hostname
+      isset ${preseedurl} && set install_params auto=true priority=critical preseed/url=${preseedurl} keymap=${debian_installer_keymap} netcfg/hostname=${hostname} domain=${domain} || goto deb_default_preseed
+      goto deb_text
+      :deb_default_preseed
+      set install_params auto=true priority=critical preseed/url=${debian_installer_preseed} keymap=${debian_installer_keymap} netcfg/hostname=${hostname} domain=${domain} ||
+      goto deb_text
+
+      :deb_preseed_get_hostname
+      echo -n Set hostname [${hostname}]: && read hostname || goto deb_preseed_no_hostname
+      isset ${hostname} || goto deb_preseed_no_hostname
+      goto deb_preseed_has_hostname
+
+      :deb_preseed_no_hostname
+      echo Error: Preseeding requires a valid hostname. Press <Enter> to continue.
+      prompt
+      goto deb_boot_type
+
+      :deb_text
+      set dir ${dir}/debian-installer/${arch_a}
+      goto deb_boot
+
+      :deb_graphical
+      set dir ${dir}/gtk/debian-installer/${arch_a}
+      set install_params vga=788
+      goto deb_boot
+
+      :deb_boot
+      imgfree
+      echo Boot parameters: ${install_params} ${boot_params}
+      kernel ${dir}/linux initrd=initrd.gz ${netcfg} ${mirrorcfg} ${install_params} ${boot_params}
+      initrd ${dir}/initrd.gz
+      boot
+      goto debian_exit
+
+      :debian_exit
+      set menu main_menu
+      chain menu.ipxe
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: ipxe__scripts [[[
+#
+# The list of the iPXE scripts defined for all hosts in the Ansible inventory.
+ipxe__scripts: []
+
+                                                                   # ]]]
+# .. envvar:: ipxe__group_scripts [[[
+#
+# The list of the iPXE scripts defined for hosts in a specific Ansible
+# inventory group.
+ipxe__group_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: ipxe__host_scripts [[[
+#
+# The list of the iPXE scripts defined for specific hosts in the Ansible
+# inventory.
+ipxe__host_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: ipxe__combined_scripts [[[
+#
+# The variable which combines all of the iPXE script lists and is used in the
+# role tasks and templates.
+ipxe__combined_scripts: '{{ ipxe__default_scripts
+                            + ipxe__scripts
+                            + ipxe__group_scripts
+                            + ipxe__host_scripts }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/main.yml b/ansible_collections/debops/debops/roles/ipxe/meta/main.yml
new file mode 100644
index 00000000..e22b500d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage iPXE configuration scripts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - tftp
+    - pxe
+    - netboot
+    - provisioning
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bookworm b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bookworm
new file mode 100644
index 00000000..bf607062
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bookworm
@@ -0,0 +1,10 @@
+# Copyright (C) 2023-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: firmware-bookworm
+# Version: 20250906
+
+version=4
+https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/bookworm (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bullseye b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bullseye
new file mode 100644
index 00000000..5fb8b9f4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-bullseye
@@ -0,0 +1,10 @@
+# Copyright (C) 2021-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: firmware-bullseye
+# Version: 20240831
+
+version=4
+https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/bullseye (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-trixie b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-trixie
new file mode 100644
index 00000000..80d2787f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-firmware-trixie
@@ -0,0 +1,10 @@
+# Copyright (C) 2025 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2025 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: firmware-trixie
+# Version: 20250906
+
+version=4
+https://cdimage.debian.org/cdimage/unofficial/non-free/firmware/trixie (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bookworm b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bookworm
new file mode 100644
index 00000000..f1cc2aad
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bookworm
@@ -0,0 +1,10 @@
+# Copyright (C) 2023-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: netboot-bookworm
+# Version: 20230607+deb12u12
+
+version=4
+https://deb.debian.org/debian/dists/bookworm/main/installer-amd64 (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bullseye b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bullseye
new file mode 100644
index 00000000..09926c1d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboot-bullseye
@@ -0,0 +1,10 @@
+# Copyright (C) 2021-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: netboot-bullseye
+# Version: 20210731+deb11u12
+
+version=4
+https://deb.debian.org/debian/dists/bullseye/main/installer-amd64 (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboox-trixie b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboox-trixie
new file mode 100644
index 00000000..410898d5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/meta/watch-netboox-trixie
@@ -0,0 +1,10 @@
+# Copyright (C) 2025 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2025 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: ipxe
+# Package: netboot-trixie
+# Version: 20250803+deb13u1
+
+version=4
+https://deb.debian.org/debian/dists/trixie/main/installer-amd64 (20.+)/
diff --git a/ansible_collections/debops/debops/roles/ipxe/tasks/debian_netboot.yml b/ansible_collections/debops/debops/roles/ipxe/tasks/debian_netboot.yml
new file mode 100644
index 00000000..2c853b0a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/tasks/debian_netboot.yml
@@ -0,0 +1,100 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create Debian netboot directories
+  ansible.builtin.file:
+    path: '{{ ipxe__debian_netboot_src + "/" + item.release + "/" + item.architecture
+              + "/" + item.netboot_version + (item.netboot_subdir | d("")) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.architecture in ipxe__debian_netboot_architectures
+
+- name: Create Debian installer directories
+  ansible.builtin.file:
+    path: '{{ ipxe__debian_netboot_pxe_root + "/" + item.release + "/" + item.architecture
+              + "/" + item.netboot_version + (item.netboot_subdir | d("")) }}'
+    state: 'directory'
+    mode: '0775'  # tarball enforces this mode
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.architecture in ipxe__debian_netboot_architectures
+
+- name: Download Debian netboot tarballs
+  ansible.builtin.get_url:
+    url: '{{ item.netboot_url | d(ipxe__debian_netboot_mirror + "/dists/" + item.release
+                                  + "/main/installer-" + item.architecture + "/"
+                                  + item.netboot_version + "/images/netboot"
+                                  + (item.netboot_subdir | d("")) + "/netboot.tar.gz") }}'
+    dest: '{{ ipxe__debian_netboot_src + "/" + item.release + "/" + item.architecture + "/"
+              + item.netboot_version + (item.netboot_subdir | d("")) + "/netboot.tar.gz" }}'
+    checksum: '{{ item.netboot_checksum | d(omit) }}'
+    mode: '0644'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.architecture in ipxe__debian_netboot_architectures
+  register: ipxe__register_get_netboot
+  until: ipxe__register_get_netboot is succeeded
+
+- name: Unpack Debian netboot tarballs
+  ansible.builtin.unarchive:
+    src: '{{ ipxe__debian_netboot_src + "/" + item.release + "/" + item.architecture + "/"
+             + item.netboot_version + (item.netboot_subdir | d("")) + "/netboot.tar.gz" }}'
+    dest: '{{ ipxe__debian_netboot_pxe_root + "/" + item.release + "/" + item.architecture + "/"
+              + item.netboot_version + (item.netboot_subdir | d("")) }}'
+    mode: 'u=rwX,g=rwX,o=rX'
+    remote_src: True
+    creates: '{{ ipxe__debian_netboot_pxe_root + "/" + item.release + "/" + item.architecture + "/"
+                 + item.netboot_version + (item.netboot_subdir | d("")) + "/pxelinux.0" }}'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  register: ipxe__register_debian_installer
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.architecture in ipxe__debian_netboot_architectures
+
+- name: Point current Debian netboot symlink to correct version
+  ansible.builtin.file:
+    path: '{{ ipxe__debian_netboot_pxe_root + "/" + item.release + "/" + item.architecture + "/current" }}'
+    src: '{{ item.netboot_version }}'
+    state: 'link'
+    mode: '0775'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.architecture in ipxe__debian_netboot_architectures and
+        (item.netboot_current | d(True)) | bool
+
+- name: Create Debian firmware directories
+  ansible.builtin.file:
+    path: '{{ ipxe__debian_netboot_src + "/" + item.release + "/non-free/" + item.firmware_version }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: ipxe__debian_netboot_firmware | bool and item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.firmware_version | d()
+
+- name: Download Debian firmware tarballs
+  ansible.builtin.get_url:
+    url: '{{ item.firmware_url | d(ipxe__debian_netboot_firmware_mirror + "/" + item.release + "/"
+                                   + item.firmware_version + "/firmware.cpio.gz") }}'
+    dest: '{{ ipxe__debian_netboot_src + "/" + item.release + "/non-free/"
+              + item.firmware_version + "/firmware.cpio.gz" }}'
+    checksum: '{{ item.firmware_checksum | d(omit) }}'
+    mode: '0644'
+  loop: '{{ ipxe__debian_netboot_combined_release_map | debops.debops.parse_kv_items }}'
+  when: ipxe__debian_netboot_firmware | bool and item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+        item.release in ipxe__debian_netboot_releases and item.firmware_version | d()
+  register: ipxe__register_get_firmware
+  until: ipxe__register_get_firmware is succeeded
+
+- name: Include firmware in the Debian netboot installers
+  ansible.builtin.shell: cat {{ ipxe__debian_netboot_src + "/" + item.item.release + "/non-free/"
+                + item.item.firmware_version + "/firmware.cpio.gz" }}
+             >> {{ ipxe__debian_netboot_pxe_root + "/" + item.item.release + "/" + item.item.architecture + "/"
+                   + item.item.netboot_version + (item.item.netboot_subdir | d("")) + "/debian-installer/"
+                   + item.item.architecture + "/initrd.gz" }}
+  loop: '{{ ipxe__register_debian_installer.results }}'  # noqa no-handler
+  register: ipxe__register_netboot_merge
+  changed_when: ipxe__register_netboot_merge.changed | bool
+  when: ipxe__debian_netboot_firmware | bool and item.item.firmware_version | d() and item is changed
diff --git a/ansible_collections/debops/debops/roles/ipxe/tasks/main.yml b/ansible_collections/debops/debops/roles/ipxe/tasks/main.yml
new file mode 100644
index 00000000..8af53d63
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (ipxe__base_packages + ipxe__packages)) }}'
+    state: 'present'
+  register: ipxe__register_packages
+  until: ipxe__register_packages is succeeded
+
+- name: Ensure that iPXE script directories exist
+  ansible.builtin.file:
+    path: '{{ ipxe__tftp_root + "/" + (((item.name | regex_replace("\.ipxe$", "")) + ".ipxe") | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ ipxe__combined_scripts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "path": (ipxe__tftp_root + "/" + ((item.name | regex_replace("\.ipxe$", "") + ".ipxe") | dirname)),
+                "state": item.state | d("present")} }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Generate iPXE scripts
+  ansible.builtin.template:
+    src: 'srv/tftp/template.ipxe.j2'
+    dest: '{{ ipxe__tftp_root + "/" + (item.name | regex_replace("\.ipxe$", "")) + ".ipxe" }}'
+    mode: '0644'
+  loop: '{{ ipxe__combined_scripts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present")} }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Remove iPXE scripts if requested
+  ansible.builtin.file:
+    path: '{{ ipxe__tftp_root + "/" + (item.name | regex_replace("\.ipxe$", "")) + ".ipxe" }}'
+    state: 'absent'
+  loop: '{{ ipxe__combined_scripts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present")} }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Install bootloader files in the TFTP root directory
+  ansible.builtin.copy:
+    src: '{{ item }}'
+    dest: '{{ ipxe__tftp_root + "/" + (item | basename) }}'
+    remote_src: True
+    mode: '0644'
+  loop: '{{ ipxe__bootloaders }}'
+
+- name: Configure Debian netboot installers
+  ansible.builtin.include_tasks: debian_netboot.yml
+  when: ipxe__debian_netboot_enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save iPXE local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ipxe.fact.j2'
+    dest: '/etc/ansible/facts.d/ipxe.fact'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/ipxe/templates/etc/ansible/facts.d/ipxe.fact.j2 b/ansible_collections/debops/debops/roles/ipxe/templates/etc/ansible/facts.d/ipxe.fact.j2
new file mode 100644
index 00000000..25c46704
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/templates/etc/ansible/facts.d/ipxe.fact.j2
@@ -0,0 +1,15 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/ipxe/templates/srv/tftp/template.ipxe.j2 b/ansible_collections/debops/debops/roles/ipxe/templates/srv/tftp/template.ipxe.j2
new file mode 100644
index 00000000..aa24886d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ipxe/templates/srv/tftp/template.ipxe.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+#!ipxe
+
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace("\n$", "") | comment(prefix="", postfix="") }}
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw | regex_replace("\n$", "") }}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.raw | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+
+{%       endif %}
+{%       if element.comment | d() %}
+{{ element.comment | regex_replace("\n$", "") | comment(prefix="", postfix="") }}
+{%       endif %}
+{{ element.raw | regex_replace("\n$", "") }}
+{%     elif element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+
+{%       endif %}
+{%       if element.comment | d() %}
+{{ element.comment | regex_replace("\n$", "") | comment(prefix="", postfix="") -}}
+{%       endif %}
+{%       if element.value is string %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ') %}
+{%       endif %}
+{{ '{} {} {}'.format(element.command | d('set'), element.name, element_value) }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/iscsi/COPYRIGHT b/ansible_collections/debops/debops/roles/iscsi/COPYRIGHT
new file mode 100644
index 00000000..84e6d31b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.iscsi - Manage Open-iSCSI configuration using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/iscsi/defaults/main.yml b/ansible_collections/debops/debops/roles/iscsi/defaults/main.yml
new file mode 100644
index 00000000..157fcfef
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/defaults/main.yml
@@ -0,0 +1,196 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _iscsi__ref_defaults:
+
+# debops.iscsi default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: iscsi__packages [[[
+#
+# List of packages installed for iSCSI Initiator support.
+iscsi__packages: [ 'open-iscsi', 'lvm2' ]
+
+                                                                   # ]]]
+# .. envvar:: iscsi__interfaces [[[
+#
+# List of network interfaces configured for iSCSI connections. If not
+# specified, iSCSI targets will be discovered on all network interfaces.
+iscsi__interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: iscsi__portals [[[
+#
+# List of FQDN hostnames or IP addresses of iSCSI Target hosts on which Ansible
+# will perform iSCSI discovery. Each discovered host will not be scanned again
+# automatically to not distrupt existing connections. The discovery state is
+# stored in Ansible local facts.
+iscsi__portals: []
+
+                                                                   # ]]]
+# .. envvar:: iscsi__targets [[[
+#
+# List of iSCSI Targets configured on a given host. Each iSCSI Target is
+# defined as a YAML dict. Check :ref:`iscsi__targets` for more details.
+iscsi__targets: []
+
+                                                                   # ]]]
+# .. envvar:: iscsi__logical_volumes [[[
+#
+# List of LVM Logical Volumes based on iSCSI storage. Each volume is defined as
+# a YAML dict. Check :ref:`iscsi__logical_volumes` for more details.
+iscsi__logical_volumes: []
+                                                                   # ]]]
+                                                                   # ]]]
+# iSCSI Qualified Name [[[
+# ------------------------
+
+# .. envvar:: iscsi__iqn_date [[[
+#
+# Year and month when the Naming Authority of this iSCSI host was established.
+iscsi__iqn_date: '{{ ansible_date_time.year + "-" + ansible_date_time.month }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__iqn_authority [[[
+#
+# DNS domain name of the Naming Authority responsible for this iSCSI host.
+iscsi__iqn_authority: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__iqn [[[
+#
+# Base prefix for iSCSI Qualified Name of this iSCSI Initiator host, will be
+# saved in Ansible local facts to prevent changes related to the default date
+# field.
+iscsi__iqn: '{{ (ansible_local.iscsi.iqn
+                 if (ansible_local.iscsi.iqn | d())
+                 else ("iqn." + iscsi__iqn_date + "." +
+                       iscsi__iqn_authority.split(".")[::-1] | join("."))) }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__hostname [[[
+#
+# Hostname added to the IQN to create Initiator Name.
+iscsi__hostname: '{{ ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__initiator_name [[[
+#
+# iSCSI initiator name of this host.
+iscsi__initiator_name: '{{ iscsi__iqn + ":" + iscsi__hostname }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Default Initiator configuration [[[
+# -----------------------------------
+
+# .. envvar:: iscsi__enabled [[[
+#
+# Enable or disable ``iscsid`` daemon
+iscsi__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: iscsi__node_startup [[[
+#
+# Specify if sessions should be started at boot (``automatic``) or not
+# (``manual``).
+iscsi__node_startup: 'automatic'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__discovery_auth [[[
+#
+# Enable or disable iSCSI discovery authentication.
+iscsi__discovery_auth: True
+
+                                                                   # ]]]
+# .. envvar:: iscsi__discovery_auth_username [[[
+#
+# Username used for iSCSI discovery authentication on all hosts, should be the
+# same for all iSCSI Targets to work automatically.
+iscsi__discovery_auth_username: '{{ lookup("password", secret + "/iscsi/credentials/discovery/username") }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__discovery_auth_password [[[
+#
+# Password used for iSCSI discovery authentication on all hosts, should be the
+# same for all iSCSI Targets to work automatically.
+iscsi__discovery_auth_password: '{{ lookup("password", secret + "/iscsi/credentials/discovery/password") }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__session_auth [[[
+#
+# Enable or disable iSCSI session authentication.
+iscsi__session_auth: True
+
+                                                                   # ]]]
+# .. envvar:: iscsi__session_auth_username [[[
+#
+# Username used for iSCSI session authentication on all hosts, should be the
+# same for all iSCSI Targets to work automatically. Can be overridden using
+# ``item.auth_username`` in target configuration.
+iscsi__session_auth_username: '{{ lookup("password", secret + "/iscsi/credentials/session/username") }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__session_auth_password [[[
+#
+# Password used for iSCSI session authentication on all hosts, should be the
+# same for all iSCSI Targets to work automatically. Can be overridden using
+# ``item.auth_password`` in target configuration.
+iscsi__session_auth_password: '{{ lookup("password", secret + "/iscsi/credentials/session/password") }}'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__default_options [[[
+#
+# Dict with options set in ``/etc/iscsi/iscsid.conf``, passed to ``lineinfile``
+# Ansible module.
+iscsi__default_options:
+  'node.startup':                          '{{ iscsi__node_startup }}'
+  'discovery.sendtargets.auth.authmethod': '{{ "CHAP" if (iscsi__discovery_auth | d(False)) else "None" }}'
+  'discovery.sendtargets.auth.username':   '{{ iscsi__discovery_auth_username }}'
+  'discovery.sendtargets.auth.password':   '{{ iscsi__discovery_auth_password }}'
+  'node.session.auth.authmethod':          '{{ "CHAP" if (iscsi__session_auth | d(False)) else "None" }}'
+  'node.session.auth.username':            '{{ iscsi__session_auth_username }}'
+  'node.session.auth.password':            '{{ iscsi__session_auth_password }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Filesystem and mount configuration [[[
+# --------------------------------------
+
+# .. envvar:: iscsi__default_fs_type [[[
+#
+# Default filesystem created on block devices if none is specified.
+iscsi__default_fs_type: 'ext4'
+
+                                                                   # ]]]
+# .. envvar:: iscsi__default_mount_options [[[
+#
+# Default mount options added in ``/etc/fstab`` to all iSCSI-based filesystems,
+# if none are specified.
+iscsi__default_mount_options: 'defaults,_netdev'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: iscsi__unattended_upgrades__dependent_blacklist [[[
+#
+# Configuration of the ``debops.unattended_upgrades`` role.
+iscsi__unattended_upgrades__dependent_blacklist:
+
+  # Prevent automatic upgrades of the ``open-iscsi`` package. The upgrade
+  # results in a restart of the service and all existing connections are lost.
+  - 'open-iscsi'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/iscsi/meta/main.yml b/ansible_collections/debops/debops/roles/iscsi/meta/main.yml
new file mode 100644
index 00000000..6f082e86
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage iSCSI Initiator configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - iscsi
+    - storage
+    - networking
diff --git a/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/post_main.yml b/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/post_main.yml
new file mode 100644
index 00000000..b704008b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/post_main.yml
@@ -0,0 +1,3 @@
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/pre_main.yml b/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/pre_main.yml
new file mode 100644
index 00000000..b704008b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/tasks/iscsi/pre_main.yml
@@ -0,0 +1,3 @@
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/iscsi/tasks/main.yml b/ansible_collections/debops/debops/roles/iscsi/tasks/main.yml
new file mode 100644
index 00000000..84564d5c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/tasks/main.yml
@@ -0,0 +1,108 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'iscsi/pre_main.yml') }}"
+
+- name: Install required iSCSI packages
+  ansible.builtin.package:
+    name:  '{{ q("flattened", iscsi__packages) }}'
+    state: 'present'
+  register: iscsi__register_packages
+  until: iscsi__register_packages is succeeded
+
+- name: Configure iSCSI Initiator IQN
+  ansible.builtin.lineinfile:
+    dest:   '/etc/iscsi/initiatorname.iscsi'
+    regexp: '^InitiatorName=iqn'
+    line:   'InitiatorName={{ iscsi__initiator_name }}'
+    state:  'present'
+    mode: '0600'
+  register: iscsi__register_initiatorname
+
+- name: Configure iSCSI discovery authentication
+  ansible.builtin.lineinfile:
+    dest:    '/etc/iscsi/iscsid.conf'
+    regexp:  '{{ (item.key | replace(".", "\.")) + "\s=\s" }}'
+    line:    '{{ item.key + " = " + item.value }}'
+    state:   'present'
+    mode:    '0600'
+  with_dict: '{{ iscsi__default_options }}'
+  when: item | d(False) and item.value
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Restart iSCSI service if initial configuration changed
+  ansible.builtin.service:  # noqa no-handler
+    name:  'open-iscsi'
+    state: 'restarted'
+  when: iscsi__enabled | d() and iscsi__register_initiatorname | d() and iscsi__register_initiatorname is changed
+
+- name: Generate iSCSI interface configuration
+  ansible.builtin.shell: iscsiadm -m iface -I {{ item }} -o new ;
+         iscsiadm -m iface -I {{ item }} --op=update -n iface.net_ifacename -v {{ item }}
+  args:
+    creates: '/etc/iscsi/ifaces/{{ item }}'
+  with_items: '{{ iscsi__interfaces }}'
+  when: (iscsi__interfaces | d(False) and item in ansible_interfaces)
+
+- name: Discover iSCSI targets on portals
+  community.general.open_iscsi:
+    discover: True
+    portal:   '{{ item }}'
+  with_items: '{{ iscsi__portals }}'
+  register: iscsi__register_discover_targets
+  when: iscsi__portals | d(False) and
+        item not in ansible_local.iscsi.discovered_portals | d([])
+
+- name: Log in to specified iSCSI targets
+  community.general.open_iscsi:
+    target:    '{{ item.target }}'
+    login:     '{{ False if (not item.login | d(True)) else True }}'
+    node_auth: '{{ "CHAP" if (item.auth | d(False)) else omit }}'
+    node_user: '{{ item.auth_username if (item.auth | d(False)) else omit }}'
+    node_pass: '{{ item.auth_password if (item.auth | d(False)) else omit }}'
+    auto_node_startup: '{{ False if (not item.auto | d(True)) else True }}'
+  with_items: '{{ iscsi__targets }}'
+  register: iscsi__register_targets
+  when: iscsi__targets | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Make sure that local facts directory exists
+  ansible.builtin.file:
+    dest:  '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode:  '0755'
+
+- name: Save iSCSI facts
+  ansible.builtin.template:
+    src:   'etc/ansible/facts.d/iscsi.fact.j2'
+    dest:  '/etc/ansible/facts.d/iscsi.fact'
+    owner: 'root'
+    group: 'root'
+    mode:  '0644'
+  tags: [ 'meta::facts' ]
+
+- name: Manage LVM
+  ansible.builtin.include_tasks: manage_lvm.yml
+  when: (((ansible_system_capabilities_enforced | d()) | bool and
+          "cap_sys_admin" in ansible_system_capabilities) or
+         not (ansible_system_capabilities_enforced | d(True)) | bool)
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'iscsi/post_main.yml') }}"
diff --git a/ansible_collections/debops/debops/roles/iscsi/tasks/manage_lvm.yml b/ansible_collections/debops/debops/roles/iscsi/tasks/manage_lvm.yml
new file mode 100644
index 00000000..83227407
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/tasks/manage_lvm.yml
@@ -0,0 +1,81 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Unmount filesystems if requested
+  ansible.posix.mount:
+    name:   '{{ item.mount }}'
+    src:    '{{ "/dev/mapper/" + item.vg + "-" + item.lv }}'
+    fstype: '{{ item.fs_type | d(iscsi__default_fs_type) }}'
+    state:  'absent'
+  with_items: '{{ iscsi__logical_volumes }}'
+  when: iscsi__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.mount | d(False) and
+        (item.state is defined and item.state == 'absent')
+
+- name: Remove Logical Volumes if requested
+  community.general.lvol:
+    vg:    '{{ item.vg }}'
+    lv:    '{{ item.lv }}'
+    size:  '{{ item.size }}'
+    force: '{{ item.force | d(omit) }}'
+    state: 'absent'
+  with_items: '{{ iscsi__logical_volumes }}'
+  when: iscsi__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.state | d() and item.state == 'absent'
+
+- name: Manage LVM Volume Groups
+  community.general.lvg:
+    vg:         '{{ item.item.lvm_vg }}'
+    pvs:        '{{ item.devicenodes | join(",") }}'
+    state:      '{{ item.item.lvm_state | d("present") }}'
+    pesize:     '{{ item.item.lvm_pesize | d(omit) }}'
+    force:      '{{ item.item.lvm_force | d(omit) }}'
+    vg_options: '{{ item.item.lvm_options | d(omit) }}'
+  with_items: '{{ iscsi__register_targets.results }}'
+  when: iscsi__register_targets | d(False) and iscsi__register_targets.results | d() and
+        item.devicenodes | d() and item.item.lvm_vg | d()
+
+- name: Manage LVM Logical Volumes
+  community.general.lvol:
+    vg:    '{{ item.vg }}'
+    lv:    '{{ item.lv }}'
+    size:  '{{ item.size }}'
+    force: '{{ item.force | d(omit) }}'
+    state: 'present'
+  with_items: '{{ iscsi__logical_volumes }}'
+  when: iscsi__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        (item.state is undefined or item.state != 'absent')
+
+- name: Manage filesystems
+  community.general.filesystem:
+    dev:    '{{ "/dev/mapper/" + item.vg + "-" + item.lv }}'
+    fstype: '{{ item.fs_type | d(iscsi__default_fs_type) }}'
+    force:  '{{ item.fs_force | d(omit) }}'
+    opts:   '{{ item.fs_opts | d(omit) }}'
+  with_items: '{{ iscsi__logical_volumes }}'
+  when: iscsi__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        (item.state is undefined or item.state != 'absent') and
+        ((item.mount | d() and (item.fs is undefined or item.fs | d()) or
+         item.fs | d()))
+
+- name: Manage mount points
+  ansible.posix.mount:
+    name:   '{{ item.mount }}'
+    src:    '{{ "/dev/mapper/" + item.vg + "-" + item.lv }}'
+    fstype: '{{ item.fs_type | d(iscsi__default_fs_type) }}'
+    opts:   '{{ item.mount_opts | d(iscsi__default_mount_options) }}'
+    state:  '{{ item.mount_state | d("mounted") }}'
+    dump:   '{{ item.mount_dump | d(omit) }}'
+    passno: '{{ item.mount_passno | d(omit) }}'
+    fstab:  '{{ item.mount_fstab | d(omit) }}'
+  with_items: '{{ iscsi__logical_volumes }}'
+  when: iscsi__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.mount | d(False) and
+        (item.state is undefined or item.state != 'absent')
diff --git a/ansible_collections/debops/debops/roles/iscsi/templates/etc/ansible/facts.d/iscsi.fact.j2 b/ansible_collections/debops/debops/roles/iscsi/templates/etc/ansible/facts.d/iscsi.fact.j2
new file mode 100644
index 00000000..7a948797
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/iscsi/templates/etc/ansible/facts.d/iscsi.fact.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set iscsi__tpl_iqn = ansible_local.iscsi.iqn | d(iscsi__iqn) %}
+{% set iscsi__tpl_discovered_portals = [] %}
+{% if ansible_local.iscsi.discovered_portals | d() %}
+{% set iscsi__tpl_discovered_portals = ansible_local.iscsi.discovered_portals %}
+{% endif %}
+{% if iscsi__register_discover_targets | d() and iscsi__register_discover_targets.results | d() %}
+{% for element in iscsi__register_discover_targets.results %}
+{% if "item" in element.keys() %}
+{% set _ = iscsi__tpl_discovered_portals.append(element.item) %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{
+"iqn":"{{ iscsi__tpl_iqn }}",
+"discovered_portals": {{ iscsi__tpl_discovered_portals | unique | to_nice_json }}
+}
diff --git a/ansible_collections/debops/debops/roles/java/COPYRIGHT b/ansible_collections/debops/debops/roles/java/COPYRIGHT
new file mode 100644
index 00000000..fa36cd30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.java - Manage Java environment using Ansible
+
+Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/java/defaults/main.yml b/ansible_collections/debops/debops/roles/java/defaults/main.yml
new file mode 100644
index 00000000..10bb88e9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/defaults/main.yml
@@ -0,0 +1,154 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# .. Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _java__ref_defaults:
+
+# debops.java default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Java APT packages [[[
+# ---------------------
+
+# .. envvar:: java__install_jdk [[[
+#
+# By default the role installs only the Java Runtime Environment (JRE)
+# packages. Other Ansible roles can request installation of the compatible Java
+# Development Kit (JDK) by enabling this variable.
+java__install_jdk: False
+
+                                                                   # ]]]
+# .. envvar:: java__base_packages [[[
+#
+# List of default APT packages which should be installed for Java Runtime
+# Environment.
+java__base_packages: [ 'default-jre-headless', 'ca-certificates-java' ]
+
+                                                                   # ]]]
+# .. envvar:: java__jdk_packages [[[
+#
+# List of default APT packages which should be installed for Java Development
+# Kit.
+java__jdk_packages: '{{ (["default-jdk"]
+                         if (ansible_distribution_release in ["trusty"])
+                         else ["default-jdk-headless"])
+                        if java__install_jdk | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: java__packages [[[
+#
+# List of APT packages which should be installed on all hosts in Ansible
+# inventory.
+java__packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__group_packages [[[
+#
+# List of APT packages which should be installed on a group of hosts in Ansible
+# inventory.
+java__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__host_packages [[[
+#
+# List of APT packages which should be installed on specific hosts in Ansible
+# inventory.
+java__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: java__dependent_packages [[[
+#
+# List of APT packages requested by other Ansible roles.
+java__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Java versions [[[
+# -----------------
+
+# .. envvar:: java__version [[[
+#
+# The version of Java detected by the Ansible local facts.
+java__version: '{{ ansible_local.java.version | d("0.0.0") }}'
+
+                                                                   # ]]]
+# .. envvar:: java__major_version [[[
+#
+# The Java major version number detected by the Ansible local facts.
+java__major_version: '{{ ansible_local.java.major_version | d("0") }}'
+
+                                                                   # ]]]
+# .. envvar:: java__alternatives [[[
+#
+# You can use this variable to select which version of Java is used system-wide
+# by default. To find out what versions are available, use the
+# :command:`update-java-alternatives -l` command on the remote host.
+java__alternatives: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Java Security Policy configuration [[[
+# --------------------------------------
+
+# Java Security Policy defines what paths and resources can be accessed by the
+# Java-based applications. In DebOps we want to grant access to the PKI
+# directories managed by the :ref:`debops.pki` role to support encrypted
+# communication.
+
+# .. envvar:: java__security_policy_path [[[
+#
+# Path to the system-wide security policy used by all Java applications.
+java__security_policy_path: '{{ "/etc/java-" + java__major_version + "-openjdk/security/java.policy" }}'
+
+                                                                   # ]]]
+# .. envvar:: java__default_security_policy [[[
+#
+# This variable contains the contents of the
+# :file:`/etc/java-*-openjdk/security/java.policy` configuration file.
+java__default_security_policy: |
+  // default permissions granted to all domains
+  grant {
+      // allows anyone to listen on dynamic ports
+      permission java.net.SocketPermission "localhost:0", "listen";
+
+      // "standard" properties that can be read by anyone
+      permission java.util.PropertyPermission "java.version", "read";
+      permission java.util.PropertyPermission "java.vendor", "read";
+      permission java.util.PropertyPermission "java.vendor.url", "read";
+      permission java.util.PropertyPermission "java.class.version", "read";
+      permission java.util.PropertyPermission "os.name", "read";
+      permission java.util.PropertyPermission "os.version", "read";
+      permission java.util.PropertyPermission "os.arch", "read";
+      permission java.util.PropertyPermission "file.separator", "read";
+      permission java.util.PropertyPermission "path.separator", "read";
+      permission java.util.PropertyPermission "line.separator", "read";
+      permission java.util.PropertyPermission
+                     "java.specification.version", "read";
+      permission java.util.PropertyPermission "java.specification.vendor", "read";
+      permission java.util.PropertyPermission "java.specification.name", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.version", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.vendor", "read";
+      permission java.util.PropertyPermission
+                     "java.vm.specification.name", "read";
+      permission java.util.PropertyPermission "java.vm.version", "read";
+      permission java.util.PropertyPermission "java.vm.vendor", "read";
+      permission java.util.PropertyPermission "java.vm.name", "read";
+
+      // Permit access to DebOps PKI infrastructure and system-wide certificate store
+      permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/-", "read";
+      permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/-", "read";
+      permission java.io.FilePermission "/etc/ssl/certs/", "read";
+  };
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/java/meta/main.yml b/ansible_collections/debops/debops/roles/java/meta/main.yml
new file mode 100644
index 00000000..75c4402b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis'
+  description: 'Manage Java OpenJRE/OpenJDK environment'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - java
+    - development
+    - jre
+    - jdk
+    - openjdk
+    - openjre
diff --git a/ansible_collections/debops/debops/roles/java/tasks/main.yml b/ansible_collections/debops/debops/roles/java/tasks/main.yml
new file mode 100644
index 00000000..8a7c9016
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install Java packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (java__base_packages
+                              + java__jdk_packages
+                              + java__packages
+                              + java__group_packages
+                              + java__host_packages
+                              + java__dependent_packages)) }}'
+    state: 'present'
+  register: java__register_packages
+  until: java__register_packages is succeeded
+
+- name: Update Java alternatives
+  ansible.builtin.command: 'update-java-alternatives -s {{ java__alternatives }}'
+  register: java__register_update_alternatives
+  changed_when: java__register_update_alternatives.changed | bool
+  when: java__alternatives | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Java local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/java.fact.j2'
+    dest: '/etc/ansible/facts.d/java.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert default Java security policy configuration file
+  debops.debops.dpkg_divert:
+    path: '{{ java__security_policy_path }}'
+    state: 'present'
+
+- name: Generate default Java security policy configuration
+  ansible.builtin.template:
+    src: 'etc/java-x-openjdk/security/java.policy.j2'
+    dest: '{{ java__security_policy_path }}'
+    mode: '0644'
diff --git a/ansible_collections/debops/debops/roles/java/templates/etc/ansible/facts.d/java.fact.j2 b/ansible_collections/debops/debops/roles/java/templates/etc/ansible/facts.d/java.fact.j2
new file mode 100644
index 00000000..edfeda26
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/templates/etc/ansible/facts.d/java.fact.j2
@@ -0,0 +1,31 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014 Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+
+output = {"installed": True}
+
+try:
+    java_version_output = subprocess.check_output(
+        ['java', '-version'],
+        stderr=subprocess.STDOUT).decode('utf-8').split('\n')
+
+except subprocess.CalledProcessError:
+    pass
+
+if java_version_output:
+    for line in java_version_output:
+        if 'version' in line:
+            output['version'] = line.split()[2].strip('"').split('_')[0]
+            output['major_version'] = output['version'].split('.')[0]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/java/templates/etc/java-x-openjdk/security/java.policy.j2 b/ansible_collections/debops/debops/roles/java/templates/etc/java-x-openjdk/security/java.policy.j2
new file mode 100644
index 00000000..86db9e77
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/java/templates/etc/java-x-openjdk/security/java.policy.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+//
+// This system policy file grants a set of default permissions to all domains
+// and can be configured to grant additional permissions to modules and other
+// code sources. The code source URL scheme for modules linked into a
+// run-time image is "jrt".
+//
+// For example, to grant permission to read the "foo" property to the module
+// "com.greetings", the grant entry is:
+//
+// grant codeBase "jrt:/com.greetings" {
+//     permission java.util.PropertyPermission "foo", "read";
+// };
+//
+
+{{ java__default_security_policy }}
diff --git a/ansible_collections/debops/debops/roles/journald/COPYRIGHT b/ansible_collections/debops/debops/roles/journald/COPYRIGHT
new file mode 100644
index 00000000..7249cf0c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.journald - Manage systemd-journald service using Ansible
+
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/journald/defaults/main.yml b/ansible_collections/debops/debops/roles/journald/defaults/main.yml
new file mode 100644
index 00000000..27ec5ff7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/defaults/main.yml
@@ -0,0 +1,265 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _journald__ref_defaults:
+
+# debops.journald default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# General options [[[
+# -------------------
+
+# .. envvar:: journald__enabled [[[
+#
+# Enable or disable management of the :command:`systemd-journald` service by
+# the role.
+journald__enabled: '{{ True
+                       if (ansible_service_mgr == "systemd")
+                       else False }}'
+
+                                                                   # ]]]
+# .. envvar:: journald__version [[[
+#
+# The version of the :command:`systemd-journald` service installed on the host.
+# It will be automatically defined by the Ansible local fact script.
+journald__version: '{{ ansible_local.journald.version | d("0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Journal storage configuration [[[
+# ---------------------------------
+
+# .. envvar:: journald__storage [[[
+#
+# Select the storage type of the journal logs. Supported types: ``auto``,
+# ``persistent``, ``volatile``, ``none``.
+journald__storage: 'auto'
+
+                                                                   # ]]]
+# .. envvar:: journald__persistent_state [[[
+#
+# Set the desired state of the persistent journal storage directory
+# (:file:`/var/log/journal/`). If set to ``absent``, the directory will be
+# removed by the role.
+#
+# By default the role will not enable persistent journal if the
+# :file:`/var/log/journal/` directory is not already present, but it will be
+# kept persistent if it is used. This is due to slow :command:`journalctl` and
+# :command:`systemctl` command operation with large persistent journals.
+# See https://github.com/systemd/systemd/issues/2460 for more details.
+journald__persistent_state: '{{ "absent"
+                                if (journald__storage == "none")
+                                else ("present"
+                                      if (ansible_local.journald.persistent | d()) | bool
+                                      else "absent") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Forward Secure Sealing [[[
+# --------------------------
+
+# .. envvar:: journald__fss_enabled [[[
+#
+# Enable or disable Forward Secure Sealing done by the
+# :command:`systemd-journald` service. If enabled, the role will create the
+# sealing keys if they are not already present on the hosts, and will save the
+# verification keys in the :file:`secret/journal/fss/` directory on the Ansible
+# Controller. See :ref:`journald__ref_fss` for more details.
+journald__fss_enabled: '{{ True
+                           if (journald__persistent_state == "present")
+                           else False }}'
+
+                                                                   # ]]]
+# .. envvar:: journald__fss_interval [[[
+#
+# Specify the interval between log sealing as well as the sealing key rotation.
+# The default is 15 minutes; shorter times may incur more host resource usage.
+journald__fss_interval: '15min'
+
+                                                                   # ]]]
+# .. envvar:: journald__fss_verify_key_path [[[
+#
+# Directory on the Ansible Host where the FSS verification key will be stored.
+# By default it's stored relative to the :file:`secret/` directory in the
+# DebOps project directory. See :ref:`debops.secret` role for more details.
+journald__fss_verify_key_path: '{{ "journald/fss/" + inventory_hostname + "/verify_key" }}'
+
+                                                                   # ]]]
+# .. envvar:: journald__fss_verify_key [[[
+#
+# The contents of the FSS verification key file stored on the Ansible
+# Controller, used by the log verification task (not run by the role by
+# default).
+journald__fss_verify_key: '{{ lookup("file", secret + "/" + journald__fss_verify_key_path) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Main :command:`systemd-journald` configuration [[[
+# --------------------------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/systemd/journald.conf.d/ansible.conf` which controls the
+# :command:`systemd-journald` operation. See :ref:`journald__ref_configuration`
+# for more details.
+
+# .. envvar:: journald__default_configuration [[[
+#
+# The :command:`systemd-journald` configuration defined by the role.
+journald__default_configuration:
+
+  - name: 'Storage'
+    value: '{{ journald__storage }}'
+    state: '{{ "init"
+               if (journald__storage == "auto")
+               else "present" }}'
+
+  - name: 'Compress'
+    value: True
+    state: 'init'
+
+  - name: 'Seal'
+    value: '{{ journald__fss_enabled }}'
+    state: '{{ "init" if journald__fss_enabled | bool else "present" }}'
+
+  - name: 'SplitMode'
+    value: 'uid'
+    state: 'init'
+
+  - name: 'SyncIntervalSec'
+    value: '5m'
+    state: 'init'
+
+  - name: 'RateLimitIntervalSec'
+    value: '30s'
+    state: 'init'
+
+  - name: 'RateLimitBurst'
+    value: 10000
+    state: 'init'
+
+  - name: 'SystemMaxUse'
+    value: ''
+    state: 'init'
+
+  - name: 'SystemKeepFree'
+    value: ''
+    state: 'init'
+
+  - name: 'SystemMaxFileSize'
+    value: ''
+    state: 'init'
+
+  - name: 'SystemMaxFiles'
+    value: 100
+    state: 'init'
+
+  - name: 'RuntimeMaxUse'
+    value: ''
+    state: 'init'
+
+  - name: 'RuntimeKeepFree'
+    value: ''
+    state: 'init'
+
+  - name: 'RuntimeMaxFileSize'
+    value: ''
+    state: 'init'
+
+  - name: 'RuntimeMaxFiles'
+    value: 100
+    state: 'init'
+
+  - name: 'MaxRetentionSec'
+    value: ''
+    state: 'init'
+
+  - name: 'MaxFileSec'
+    value: '1month'
+    state: 'init'
+
+  - name: 'ForwardToSyslog'
+    value: True
+    state: 'init'
+
+  - name: 'ForwardToKMsg'
+    value: False
+    state: 'init'
+
+  - name: 'ForwardToConsole'
+    value: False
+    state: 'init'
+
+  - name: 'ForwardToWall'
+    value: True
+    state: 'init'
+
+  - name: 'TTYPath'
+    value: '/dev/console'
+    state: 'init'
+
+  - name: 'MaxLevelStore'
+    value: 'debug'
+    state: 'init'
+
+  - name: 'MaxLevelSyslog'
+    value: 'debug'
+    state: 'init'
+
+  - name: 'MaxLevelKMsg'
+    value: 'notice'
+    state: 'init'
+
+  - name: 'MaxLevelConsole'
+    value: 'info'
+    state: 'init'
+
+  - name: 'MaxLevelWall'
+    value: 'emerg'
+    state: 'init'
+
+  - name: 'LineMax'
+    value: '48K'
+    state: 'init'
+
+  - name: 'ReadKMsg'
+    value: True
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: journald__configuration [[[
+#
+# The :command:`systemd-journald` configuration defined on all hosts in the
+# Ansible inventory.
+journald__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: journald__group_configuration [[[
+#
+# The :command:`systemd-journald` configuration defined on hosts in a specific
+# Ansible inventory group.
+journald__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: journald__host_configuration [[[
+#
+# The :command:`systemd-journald` configuration defined on specific hosts in
+# the Ansible inventory.
+journald__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: journald__combined_configuration [[[
+#
+# The variable which combines all other :command:`systemd-journald`
+# configuration variables and is used in the role tasks and templates.
+journald__combined_configuration: '{{ journald__default_configuration
+                                      + journald__configuration
+                                      + journald__group_configuration
+                                      + journald__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/journald/meta/main.yml b/ansible_collections/debops/debops/roles/journald/meta/main.yml
new file mode 100644
index 00000000..706a13c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage systemd-journald service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - systemd
+    - journal
+    - journald
+    - logging
+    - logs
+    - monitoring
diff --git a/ansible_collections/debops/debops/roles/journald/tasks/main.yml b/ansible_collections/debops/debops/roles/journald/tasks/main.yml
new file mode 100644
index 00000000..a74dca9f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/tasks/main.yml
@@ -0,0 +1,126 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save journald local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/journald.fact.j2'
+    dest: '/etc/ansible/facts.d/journald.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+  vars:
+    secret__directories:
+      - '{{ (journald__fss_verify_key_path | dirname)
+            if journald__fss_enabled | bool
+            else [] }}'
+
+- name: Move persistent journal to volatile storage if requested
+  ansible.builtin.command: 'journalctl --relinquish-var'
+  register: journald__register_relinquish_var
+  changed_when: journald__register_relinquish_var.changed | bool
+  when: (journald__enabled | bool and journald__version is version("244", ">=") and
+         journald__persistent_state == 'absent' and
+         (ansible_local.journald.persistent | d(False)) | bool)
+
+- name: Remove persistent journal storage if requested
+  ansible.builtin.file:
+    path: '/var/log/journal'
+    state: 'absent'
+  when: journald__enabled | bool and
+        journald__storage in ['auto', 'none', 'volatile'] and
+        journald__persistent_state == 'absent'
+
+- name: Create persistent journal storage directory
+  ansible.builtin.file:
+    path: '/var/log/journal/{{ ansible_machine_id }}'
+    state: 'directory'
+    group: 'systemd-journal'
+    mode: '2755'
+  register: journald__register_persistent
+  when: journald__enabled | bool and
+        journald__storage in ['auto', 'persistent'] and
+        journald__persistent_state != 'absent'
+
+- name: Apply extended permissions in the persistent storage
+  ansible.builtin.command: 'systemd-tmpfiles --create --prefix /var/log/journal'
+  changed_when: False
+  when: journald__enabled | bool and
+        journald__storage in ['auto', 'persistent'] and
+        journald__persistent_state != 'absent'
+
+- name: Create Forward Secure Seal keys when requested
+  ansible.builtin.command: 'journalctl --setup-keys --interval={{ journald__fss_interval }}'
+  register: journald__register_fss
+  changed_when: journald__register_fss.stderr_lines | count > 1
+  when: (journald__enabled | bool and
+         journald__storage in ['auto', 'persistent'] and
+         journald__persistent_state != 'absent' and
+         journald__fss_enabled | bool and
+        (not ansible_local.journald.sealed | d()) | bool)
+
+- name: Save Forward Secure Seal verification key on Ansible Controller
+  ansible.builtin.copy:  # noqa no-handler
+    content: '{{ journald__register_fss.stdout }}'
+    dest: '{{ secret + "/" + journald__fss_verify_key_path }}'
+    mode: '0600'
+  delegate_to: 'localhost'
+  become: False
+  when: journald__register_fss is changed
+
+- name: Flush journal to persistent storage
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'systemd-journal-flush.service'
+    state: 'restarted'
+  when: journald__enabled | bool and journald__persistent_state != 'absent' and
+        journald__register_persistent is changed
+
+- name: Create journald configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/journald.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: journald__enabled | bool
+
+- name: Generate journald configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/journald.conf.d/ansible.conf.j2'
+    dest: '/etc/systemd/journald.conf.d/ansible.conf'
+    mode: '0644'
+  register: journald__register_config
+  when: journald__enabled | bool
+
+- name: Restart journald if its configuration was modified
+  ansible.builtin.service:  # noqa no-handler
+    name: 'systemd-journald'
+    state: 'restarted'
+  when: journald__enabled | bool and journald__register_config is changed
+
+- name: Verify journal logs using FSS when requested
+  ansible.builtin.command: 'journalctl --verify --verify-key="{{ journald__fss_verify_key }}"'
+  register: journald__register_fss_verify
+  when: journald__enabled | bool and journald__persistent_state != 'absent'
+  changed_when: False
+  tags: [ 'never', 'role::journald:fss:verify' ]
diff --git a/ansible_collections/debops/debops/roles/journald/templates/etc/ansible/facts.d/journald.fact.j2 b/ansible_collections/debops/debops/roles/journald/templates/etc/ansible/facts.d/journald.fact.j2
new file mode 100644
index 00000000..3aaa1428
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/templates/etc/ansible/facts.d/journald.fact.j2
@@ -0,0 +1,53 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('journalctl'),
+          'persistent': False,
+          'sealed': False,
+          'enabled': loads('''{{ journald__enabled
+                                 | bool | to_json }}''')}
+
+if (os.path.exists('/var/log/journal') and
+        os.path.isdir('/var/log/journal')):
+    output['persistent'] = True
+
+if (os.path.exists('/etc/machine-id') and
+        os.path.isfile('/etc/machine-id')):
+    with open('/etc/machine-id', 'r') as idfile:
+        machine_id = idfile.readline().strip()
+        seal = os.path.join('/var/log/journal/', machine_id, 'fss')
+        if os.path.exists(seal) and os.path.isfile(seal):
+            output['sealed'] = True
+
+try:
+    journald_version_stdout = subprocess.check_output(
+            ["journalctl", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in journald_version_stdout.split('\n'):
+        if line.lower().startswith('systemd '):
+            output['version'] = line.split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/journald/templates/etc/systemd/journald.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/journald/templates/etc/systemd/journald.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..b111b830
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/journald/templates/etc/systemd/journald.conf.d/ansible.conf.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See journald.conf(5) for details.
+
+[Journal]
+{% for element in journald__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/keepalived/COPYRIGHT b/ansible_collections/debops/debops/roles/keepalived/COPYRIGHT
new file mode 100644
index 00000000..3d05ebc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.keepalived - Manage keepalived service using Ansible
+
+Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/keepalived/defaults/main.yml b/ansible_collections/debops/debops/roles/keepalived/defaults/main.yml
new file mode 100644
index 00000000..d447780f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/defaults/main.yml
@@ -0,0 +1,214 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _keepalived__ref_defaults:
+
+# debops.keepalived default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: keepalived__base_packages [[[
+#
+# List of base APT packages required for the :command:`keepalived` service.
+keepalived__base_packages: [ 'keepalived' ]
+
+                                                                   # ]]]
+# .. envvar:: keepalived__packages [[[
+#
+# List of additional APT packages which should be installed with the
+# :command:`keepalived` service.
+keepalived__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Ansible hostgroup configuration [[[
+# -----------------------------------
+
+# .. envvar:: keepalived__host_group [[[
+#
+# Name of the Ansible inventory host group which should be used by the role to
+# determine number of :command:`keepalived` nodes included in a given cluster.
+keepalived__host_group: 'debops_service_keepalived'
+
+                                                                   # ]]]
+# .. envvar:: keepalived__host_count [[[
+#
+# Number of :command:`keepalived` nodes in the current cluster -1 to keep it
+# synced with the group index which starts at 0. This number can be used in
+# :command:`keepalived` configuration options in calculations that use maximum
+# number of cluster nodes.
+keepalived__host_count: '{{ (groups[keepalived__host_group] | count - 1) }}'
+
+                                                                   # ]]]
+# .. envvar:: keepalived__host_index [[[
+#
+# Number of the current host in the :command:`keepalived` cluster starting from 0.
+# This number is based on the order of hosts specified in the
+# :envvar:`keepalived__host_group` Ansible inventory group and will change if
+# that group is modified. The index number can be used in the service
+# configuration for priority configuration options.
+keepalived__host_index: '{{ groups[keepalived__host_group].index(inventory_hostname) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: keepalived__allow [[[
+#
+# List of IP addresses or subnets that are allowed to sent VRRP packets to the
+# :command:`keepalived` service through the firewall, configured on all hosts
+# in the Ansible inventory. If the list is empty, service will not receive any
+# VRRP communication.
+keepalived__allow: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__group_allow [[[
+#
+# List of IP addresses or subnets that are allowed to sent VRRP packets to the
+# :command:`keepalived` service through the firewall, configured on hosts in
+# a specific Ansible inventory group. If the list is empty, service will not
+# receive any VRRP communication.
+keepalived__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__host_allow [[[
+#
+# List of IP addresses or subnets that are allowed to sent VRRP packets to the
+# :command:`keepalived` service through the firewall, configured on specific
+# hosts in the Ansible inventory. If the list is empty, service will not
+# receive any VRRP communication.
+keepalived__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`keepalived` service configuration [[[
+# ---------------------------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/keepalived/keepalived.conf` configuration file.
+# See :ref:`keepalived__ref_configuration` for more details.
+
+# .. envvar:: keepalived__default_configuration [[[
+#
+# List of :command:`keepalived` configuration entries defined by the role by
+# default.
+keepalived__default_configuration:
+
+  - name: 'global_defs'
+    raw: |
+      global_defs {
+          process_names
+          router_id {{ ansible_hostname }}
+      }
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: keepalived__configuration [[[
+#
+# List of :command:`keepalived` configuration entries which should be present
+# on all hosts in the Ansible inventory.
+keepalived__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__group_configuration [[[
+#
+# List of :command:`keepalived` configuration entries which should be present
+# on hosts in a specific Ansible inventory group.
+keepalived__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__host_configuration [[[
+#
+# List of :command:`keepalived` configuration entries which should be present
+# on specific hosts in the Ansible inventory.
+keepalived__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__combined_configuration [[[
+#
+# Variable which combines all :command:`keepalived` configuration entries and
+# is used in role tasks and templates.
+keepalived__combined_configuration: '{{ keepalived__default_configuration
+                                        + keepalived__configuration
+                                        + keepalived__group_configuration
+                                        + keepalived__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom scripts and auxiliary files [[[
+# --------------------------------------
+
+# These variables can be used to add custom files (scripts, private keys,
+# certificates) in the :file:`/etc/keepalived/` directory on the remote hosts.
+# See :ref:`keepalived__ref_scripts` for more details.
+
+# .. envvar:: keepalived__scripts [[[
+#
+# Custom scripts or files which should be configured on all hosts in the
+# Ansible inventory.
+keepalived__scripts: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__group_scripts [[[
+#
+# Custom scripts or files which should be configured on hosts in a specific
+# Ansible inventory group.
+keepalived__group_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: keepalived__host_scripts [[[
+#
+# Custom scripts or files which should be configured on specific hosts in the
+# Ansible inventory.
+keepalived__host_scripts: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: keepalived__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+keepalived__sysctl__dependent_parameters:
+
+  - name: 'keepalived'
+    weight: '80'
+    options:
+
+      - name: 'net.ipv4.ip_nonlocal_bind'
+        comment: |
+          This parameter allows processes to bind to IPv4 addresses that are
+          not local to permit failover.
+        value: 1
+
+      - name: 'net.ipv6.ip_nonlocal_bind'
+        comment: |
+          This parameter allows processes to bind to IPv6 addresses that are
+          not local to permit failover.
+        value: 1
+
+                                                                   # ]]]
+# .. envvar:: keepalived__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+keepalived__ferm__dependent_rules:
+
+  - name: 'accept_vrrp_keepalived'
+    type: 'accept'
+    protocol: 'vrrp'
+    saddr: '{{ keepalived__allow + keepalived__group_allow + keepalived__host_allow }}'
+    daddr: [ '224.0.0.18', 'ff02::12' ]
+    accept_any: False
+    weight: '50'
+    by_role: 'debops.keepalived'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/keepalived/meta/main.yml b/ansible_collections/debops/debops/roles/keepalived/meta/main.yml
new file mode 100644
index 00000000..86e134b6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage keepalived service'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags:
+    - keepalived
+    - clustering
+    - failover
diff --git a/ansible_collections/debops/debops/roles/keepalived/tasks/main.yml b/ansible_collections/debops/debops/roles/keepalived/tasks/main.yml
new file mode 100644
index 00000000..66e8b028
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (keepalived__base_packages
+                              + keepalived__packages)) }}'
+    state: 'present'
+  register: keepalived__register_packages
+  until: keepalived__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save keepalived local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/keepalived.fact.j2'
+    dest: '/etc/ansible/facts.d/keepalived.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Remove custom scripts from remote hosts if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/keepalived/" + (item.dest | d(item.name)) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", keepalived__scripts
+                           + keepalived__group_scripts
+                           + keepalived__host_scripts) }}'
+  when: item.state | d('present') == 'absent'
+
+- name: Copy custom scripts to remote hosts
+  ansible.builtin.copy:
+    src: '{{ item.src | d(omit) }}'
+    dest: '{{ "/etc/keepalived/" + (item.dest | d(item.name)) }}'
+    content: '{{ item.content | d(omit) }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode: '{{ item.mode | d("0755") }}'
+  loop: '{{ q("flattened", keepalived__scripts
+                           + keepalived__group_scripts
+                           + keepalived__host_scripts) }}'
+  when: item.state | d('present') not in ['absent', 'ignore']
+
+- name: Generate keepalive configuration file
+  ansible.builtin.template:
+    src: 'etc/keepalived/keepalived.conf.j2'
+    dest: '/etc/keepalived/keepalived.conf'
+    mode: '0640'
+  notify: [ 'Check keepalived configuration and reload' ]
diff --git a/ansible_collections/debops/debops/roles/keepalived/templates/etc/ansible/facts.d/keepalived.fact.j2 b/ansible_collections/debops/debops/roles/keepalived/templates/etc/ansible/facts.d/keepalived.fact.j2
new file mode 100644
index 00000000..dd6de94f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/templates/etc/ansible/facts.d/keepalived.fact.j2
@@ -0,0 +1,41 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('keepalived')}
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        keepalived_stdout = subprocess.check_output(
+            ["/usr/sbin/keepalived --version"],
+            shell=True, stderr=subprocess.STDOUT).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if keepalived_stdout:
+    for line in keepalived_stdout.split('\n'):
+        if line.startswith('Keepalived '):
+            output['version'] = line.split()[1].lstrip('v')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/keepalived/templates/etc/keepalived/keepalived.conf.j2 b/ansible_collections/debops/debops/roles/keepalived/templates/etc/keepalived/keepalived.conf.j2
new file mode 100644
index 00000000..04fb25ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keepalived/templates/etc/keepalived/keepalived.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{% for element in keepalived__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if not loop.first %}
+{{       '' }}
+{%     endif %}
+{%     if element.comment | d() %}
+{{       element.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{%     endif %}
+{{     '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/keyring/COPYRIGHT b/ansible_collections/debops/debops/roles/keyring/COPYRIGHT
new file mode 100644
index 00000000..5173e3ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.keyring - Manage APT keyring and UNIX account GPG keyring via Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/keyring/defaults/main.yml b/ansible_collections/debops/debops/roles/keyring/defaults/main.yml
new file mode 100644
index 00000000..7384ccd0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/defaults/main.yml
@@ -0,0 +1,119 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _keyring__ref_defaults:
+
+# debops.keyring default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global configuration [[[
+# ------------------------
+
+# .. envvar:: keyring__enabled [[[
+#
+# Enable or disable support for managing APT and GPG keyrings for other roles.
+keyring__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: keyring__local_path [[[
+#
+# The path to the directory that contains GPG keys available locally on the
+# Ansible Controller. A non-absolute path is relative to the :file:`files/`
+# directory of the :ref:`debops.keyring` Ansible role; you can also specify an
+# absolute path to a directory on the Ansible Controller.
+#
+# Key files are expected to be named in the format: :file:`0xFINGERPRINT.asc`.
+keyring__local_path: ''
+
+                                                                   # ]]]
+# .. envvar:: keyring__keybase_api [[[
+#
+# The URL of the Keybase API which should be used to lookup GPG keys not
+# available in the local keyring.
+keyring__keybase_api: 'https://keybase.io/'
+
+                                                                   # ]]]
+# .. envvar:: keyring__keyserver [[[
+#
+# The URL of the GPG keyserver to use to retrieve keys that are not
+# available in the local keyring.
+keyring__keyserver: 'hkp://keyserver.ubuntu.com'
+
+                                                                   # ]]]
+# .. envvar:: keyring__gpg_version [[[
+#
+# The version of the :command:`gpg` command in use. This variable is defined
+# via Ansible local facts and can be used for conditional code execution.
+keyring__gpg_version: '{{ ansible_local.keyring.gpg_version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: keyring__base_packages [[[
+#
+# List of the default APT packages to install for keyring support.
+keyring__base_packages:
+  - 'curl'
+  - 'ca-certificates'
+  - 'gnupg'
+  - '{{ "apt-transport-https"
+        if (ansible_distribution_release in
+            ["stretch", "trusty", "xenial"])
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: keyring__packages [[[
+#
+# List of additional APT packages to install for keyring support.
+keyring__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Dependent configuration variables [[[
+# -------------------------------------
+
+# .. envvar:: keyring__dependent_gpg_user [[[
+#
+# Specify the UNIX account on which GPG keys will be managed if the ``user``
+# parameter is not specified. If the variable is empty, ``root`` GPG keyring
+# will be used by default. This variable can be set to manage many GPG keys on
+# an unprivileged UNIX account at once.
+keyring__dependent_gpg_user: ''
+
+                                                                   # ]]]
+# .. envvar:: keyring__dependent_apt_auth_files [[[
+#
+# This list defines APT authentication information for repositories which
+# require HTTP Basic Authentication to access.
+# See :ref:`keyring__ref_dependent_apt_auth_files` for more details.
+keyring__dependent_apt_auth_files: []
+
+                                                                   # ]]]
+# .. envvar:: keyring__dependent_apt_keys [[[
+#
+# The variable which can be used by other Ansible roles to define what GPG keys
+# should be present in the APT keyring. If you want to define the APT keys via
+# the Ansible inventory, use the :ref:`debops.apt` role instead.
+# See :ref:`keyring__ref_dependent_apt_keys` for more details.
+keyring__dependent_apt_keys: []
+
+                                                                   # ]]]
+# .. envvar:: keyring__dependent_gpg_keys [[[
+#
+# The variable which can be used by other Ansible roles to define what GPG keys
+# should be present in an unprivileged UNIX account GPG keyrings. The usage via
+# the Ansible inventory is not supported.
+# See :ref:`keyring__ref_dependent_gpg_keys` for more details.
+keyring__dependent_gpg_keys: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/keyring/meta/main.yml b/ansible_collections/debops/debops/roles/keyring/meta/main.yml
new file mode 100644
index 00000000..db905690
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage APT keyring and UNIX account GPG keyrings'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - apt
+    - gpg
+    - pgp
+    - openpgp
+    - keyring
+    - keybase
+    - security
diff --git a/ansible_collections/debops/debops/roles/keyring/tasks/main.yml b/ansible_collections/debops/debops/roles/keyring/tasks/main.yml
new file mode 100644
index 00000000..647ed15a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/tasks/main.yml
@@ -0,0 +1,176 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Get list of local GPG key fingerprints on Ansible Controller
+  ansible.builtin.set_fact:
+    keyring__fact_local_keys: '{{ (q("fileglob", (keyring__local_path + "/*.asc"))
+                                     | map("basename") | map("replace", " ", "")
+                                     | map("regex_replace", "^0x(.*)\.asc", "\1")
+                                     | list) if keyring__local_path | d() else [] }}'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (keyring__base_packages + keyring__packages)) }}'
+    state: 'present'
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt'
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save keyring local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/keyring.fact.j2'
+    dest: '/etc/ansible/facts.d/keyring.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Import specified GPG keys to APT keyring
+  ansible.builtin.apt_key:  # noqa args[module]
+    id: '{{ (item.id | d(item)) | replace(" ", "") }}'
+    data: '{{ item.data | d((lookup("file", keyring__local_path + "/0x" + ((item.id | d(item)) | replace(" ", "")) + ".asc"))
+                            if (item.state | d("present") != "absent" and item.url is undefined and item.keybase is undefined and
+                                ((item.id | d(item)) | replace(" ", "")) in keyring__fact_local_keys)
+                            else omit) }}'
+    keyserver: '{{ item.keyserver | d(keyring__keyserver
+                                      if (keyring__keyserver | d() and item.url is undefined and item.keybase is undefined and
+                                          ((item.id | d(item)) | replace(" ", "")) not in keyring__fact_local_keys)
+                                      else omit) }}'
+    keyring: '{{ item.keyring | d(omit) }}'
+    url: '{{ item.url | d((keyring__keybase_api + item.keybase
+                           + "/pgp_keys.asc?fingerprint=" + ((item.id | d(item)) | replace(" ", "")))
+                          if item.keybase | d() else omit) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", (keyring__dependent_apt_keys)) }}'
+  register: keyring__register_apt_key
+  until: keyring__register_apt_key is succeeded
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt' and
+        (item.id | d() or item is string) and
+        (item.extrepo is undefined or
+         item.extrepo not in (ansible_local.extrepo.sources | d([])))
+  tags: [ 'role::keyring:apt_key' ]
+
+- name: Configure specified upstream APT repositories
+  ansible.builtin.apt_repository:
+    repo: '{{ item.repo }}'
+    filename: '{{ item.filename | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+    update_cache: False
+  loop: '{{ q("flattened", (keyring__dependent_apt_keys)) }}'
+  register: keyring__register_apt_repository
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt' and item.repo | d() and
+        (item.extrepo is undefined or
+         item.extrepo not in (ansible_local.extrepo.sources | d([])))
+  tags: [ 'role::keyring:apt_repository' ]
+
+- name: Remove APT auth configuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/apt/auth.conf.d/" + (item.name | regex_replace(".conf$", "")) + ".conf" }}'
+    state: 'absent'
+  loop: '{{ q("flattened", (keyring__dependent_apt_auth_files)) }}'
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt' and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate APT auth configuration
+  ansible.builtin.template:
+    src: 'etc/apt/auth.conf.d/template.conf.j2'
+    dest: '{{ "/etc/apt/auth.conf.d/" + (item.name | regex_replace(".conf$", "")) + ".conf" }}'
+    mode: '0640'
+  loop: '{{ q("flattened", (keyring__dependent_apt_auth_files)) }}'
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt' and
+        item.machine | d() and item.login | d() and item.password | d() and
+        item.state | d('present') not in ['absent', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Update APT cache when needed
+  ansible.builtin.apt:  # noqa no-handler
+    update_cache: True
+  when: keyring__enabled | bool and ansible_pkg_mgr == 'apt' and
+        keyring__register_apt_repository is changed
+  tags: [ 'role::keyring:apt_repository' ]
+
+- name: Ensure that required UNIX groups exist
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.user) }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  loop: '{{ q("flattened", (keyring__dependent_gpg_keys)) }}'
+  when: keyring__enabled | bool and (item.create_user | d(True)) | bool and
+        item.user | d() and item.state | d('present') not in ['absent', 'ignore']
+
+- name: Ensure that required UNIX accounts exist
+  ansible.builtin.user:
+    name: '{{ item.user }}'
+    group: '{{ item.group | d(item.user) }}'
+    home: '{{ item.home | d(omit) }}'
+    system: '{{ item.system | d(True) }}'
+    state: 'present'
+  loop: '{{ q("flattened", (keyring__dependent_gpg_keys)) }}'
+  when: keyring__enabled | bool and (item.create_user | d(True)) | bool and
+        item.user | d() and item.state | d('present') not in ['absent', 'ignore']
+
+- name: Gather information about existing UNIX accounts
+  ansible.builtin.getent:
+    database: 'passwd'
+  check_mode: False
+
+  # In some cases 'apt-key' command refuses to work complaining that it has to
+  # be run by root. This task should handle these cases gracefully.
+- name: Import specified GPG keys to account keyring
+  vars:
+    keyring__var_gpg_command: '{{ "gpg --batch"
+                                  if (keyring__gpg_version is version("2.0.0", "<"))
+                                  else "gpg --no-autostart --batch" }}'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         {{ keyring__var_gpg_command }} --list-keys '{{ (item.id | d(item)) | replace(" ", "") }}'
+         {% if item.state | d('present') == 'absent' %}
+         && ( printf "Removing key...\n" && {{ keyring__var_gpg_command }} --delete-key {{ (item.id | d(item)) | replace(" ", "") }} )
+         || true
+         {% else %}
+         {% if ((item.id | d(item)) | replace(" ", "")) not in keyring__fact_local_keys %}
+         {% if item.url | d() %}
+         || ( printf "Adding key...\n" && curl {{ item.url }} | {{ keyring__var_gpg_command }} --import - )
+         {% elif item.keybase | d() %}
+         || ( printf "Adding key...\n" && curl {{ keyring__keybase_api + item.keybase
+                                                  + '/pgp_keys.asc?fingerprint='
+                                                  + ((item.id | d(item)) | replace(" ", "")) }} | {{ keyring__var_gpg_command }} --import - )
+         {% elif (item.keyserver | d(keyring__keyserver if keyring__keyserver | d() else False)) %}
+         || ( printf "Adding key...\n" && gpg --keyserver {{ item.keyserver | d(keyring__keyserver if keyring__keyserver else "") }} \
+                                              --batch --recv-key {{ (item.id | d(item)) | replace(" ", "") }} && gpgconf --kill all )
+         {% endif %}
+         {% else %}
+         || ( printf "Adding key...\n" && {{ keyring__var_gpg_command }} --import - )
+         {% endif %}
+         {% endif %}
+  args:
+    executable: 'bash'
+    stdin: '{{ item.data | d((lookup("file", keyring__local_path + "/0x" + ((item.id | d(item)) | replace(" ", "")) + ".asc"))
+                             if (item.state | d("present") != "absent" and
+                                 ((item.id | d(item)) | replace(" ", "")) in keyring__fact_local_keys)
+                             else omit) }}'
+  become: True
+  become_user: '{{ item.user | d(keyring__dependent_gpg_user if keyring__dependent_gpg_user | d() else "root") }}'
+  loop: '{{ q("flattened", (keyring__dependent_gpg_keys)) }}'
+  register: keyring__register_gpg_key
+  until: keyring__register_gpg_key.rc | d(0) == 0
+  when: (keyring__enabled | bool and (item.id | d() or item is string) and
+         (item.user | d(keyring__dependent_gpg_user if keyring__dependent_gpg_user | d() else "root")) in getent_passwd.keys())
+  changed_when: '("Adding key..." in keyring__register_gpg_key.stdout_lines) or
+                 ("Removing key..." in keyring__register_gpg_key.stdout_lines)'
diff --git a/ansible_collections/debops/debops/roles/keyring/templates/etc/ansible/facts.d/keyring.fact.j2 b/ansible_collections/debops/debops/roles/keyring/templates/etc/ansible/facts.d/keyring.fact.j2
new file mode 100644
index 00000000..74c8e8ad
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/templates/etc/ansible/facts.d/keyring.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+output = loads('''{{ {"configured": True,
+                      "enabled": keyring__enabled,
+                      "keyserver": keyring__keyserver}
+                     | to_nice_json }}''')
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        gpg_stdout = subprocess.check_output(
+            ["/usr/bin/gpg --version"],
+            shell=True, stderr=devnull).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if gpg_stdout:
+    for line in gpg_stdout.split('\n'):
+        if '(GnuPG)' in line:
+            output['gpg_version'] = line.split()[2]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/keyring/templates/etc/apt/auth.conf.d/template.conf.j2 b/ansible_collections/debops/debops/roles/keyring/templates/etc/apt/auth.conf.d/template.conf.j2
new file mode 100644
index 00000000..887028f5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/keyring/templates/etc/apt/auth.conf.d/template.conf.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# Authentication credentials for "{{ item.name }}" APT repository
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{{ 'machine {} login {} password {}'.format(item.machine, item.login, item.password) }}
diff --git a/ansible_collections/debops/debops/roles/kibana/COPYRIGHT b/ansible_collections/debops/debops/roles/kibana/COPYRIGHT
new file mode 100644
index 00000000..dab5eebb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.kibana - Install and manage Kibana dashboard using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/kibana/defaults/main.yml b/ansible_collections/debops/debops/roles/kibana/defaults/main.yml
new file mode 100644
index 00000000..db36a5c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/defaults/main.yml
@@ -0,0 +1,798 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _kibana__ref_defaults:
+
+# debops.kibana default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, version [[[
+# -------------------------
+
+# The ``debops.kibana`` role uses the ``debops.elatic_co`` Ansible role to
+# configure the Elastic APT repositories and install the packages. The role
+# also installs the Ansible facts that provide the :command:`kibana` version.
+
+# .. envvar:: kibana__base_packages [[[
+#
+# List of base APT packages to install.
+kibana__base_packages: [ 'kibana' ]
+
+                                                                   # ]]]
+# .. envvar:: kibana__packages [[[
+#
+# List of additional APT packages to install with Kibana.
+kibana__packages: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__version [[[
+#
+# Store the detected Kibana version in a convenient variable for conditional
+# configuration.
+kibana__version: '{{ ansible_local.kibana.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX user and group, file paths [[[
+# -----------------------------------
+
+# .. envvar:: kibana__user [[[
+#
+# Name of the UNIX user account used by Kibana.
+kibana__user: 'kibana'
+
+                                                                   # ]]]
+# .. envvar:: kibana__group [[[
+#
+# Name of the UNIX primary group used by Kibana.
+kibana__group: 'kibana'
+
+                                                                   # ]]]
+# .. envvar:: kibana__additional_groups [[[
+#
+# List of additional UNIX groups to which the Kibana user will belong.
+kibana__additional_groups: '{{ ["ssl-cert"]
+                               if kibana__pki_enabled | bool
+                               else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__keystore_path [[[
+#
+# Path to the Kibana keystore file.
+kibana__keystore_path: '{{ "/var/lib/kibana/kibana.keystore"
+                           if (kibana__version is version("7.0.0", "<"))
+                           else "/etc/kibana/kibana.keystore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Frontend webserver options [[[
+# ------------------------------
+
+# .. envvar:: kibana__fqdn [[[
+#
+# The Fully Qualified Domain Name under which the Kibana web service will be
+# published by the webserver.
+kibana__fqdn: 'kibana.{{ kibana__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__domain [[[
+#
+# The DNS domain used by the Kibana web service.
+kibana__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__webserver_access_policy [[[
+#
+# Name of the :ref:`debops.nginx` access policy for the Kibana webservice.
+# See the :ref:`debops.nginx` role documentation for more details.
+kibana__webserver_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: kibana__webserver_allow [[[
+#
+# List of IP addresses or CIDR subnets which will be allowed to connect to the
+# Kibana webservice. If not specified, anybody can connect.
+kibana__webserver_allow: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__webserver_auth_basic_realm [[[
+#
+# A string which will be displayed as the realm in the browser user/password
+# dialog box during HTTP Basic Authentication.
+kibana__webserver_auth_basic_realm: 'Access to Kibana is restricted'
+
+                                                                   # ]]]
+# .. envvar:: kibana__webserver_auth_basic_filename [[[
+#
+# Absolute path to the file that contains usernames and passwords for HTTP
+# Basic Authentication.
+kibana__webserver_auth_basic_filename: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Kibana server options [[[
+# -------------------------
+
+# .. envvar:: kibana__server_host [[[
+#
+# Specify the IP address or hostname on which Kibana server will listen for
+# connections.
+kibana__server_host: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: kibana__server_port [[[
+#
+# Specify the TCP port on which Kibana server will listen for connections.
+kibana__server_port: '5601'
+
+                                                                   # ]]]
+# .. envvar:: kibana__server_name [[[
+#
+# Human-readable name of the Kibana server host.
+kibana__server_name: '{{ kibana__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_url [[[
+#
+# The URL address of the Elasticsearch cluster the Kibana client should connect
+# to. By default Kibana is configured to connect to a load-balancer
+# Elasticsearch instance on the same host.
+# This variable is used on Kibana < 7.0.0.
+kibana__elasticsearch_url: 'http://localhost:9200'
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_hosts [[[
+#
+# The URL addresses of the Elasticsearch hosts the Kibana client should connect
+# to. By default Kibana is configured to connect to a load-balancer
+# Elasticsearch instance on the same host.
+# This variable is used on Kibana >= 7.0.0.
+kibana__elasticsearch_hosts: [ 'http://localhost:9200' ]
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_cluster_name [[[
+#
+# Name of the Elasticsearch cluster, used to lookup passwords in the
+# :ref:`debops.secret` subdirectory. This variable should be synchronized with
+# the :envvar:`elasticsearch__cluster_name` variable using Ansible inventory.
+kibana__elasticsearch_cluster_name: '{{ kibana__domain | replace(".", "-") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_username [[[
+#
+# The username used by Kibana for internal maintenance on password-protected
+# Elasticsearch clusters.
+kibana__elasticsearch_username: '{{ ""
+                                    if (kibana__elasticsearch_hosts[0].startswith("http://"))
+                                    else ("kibana"
+                                          if (kibana__version is version("7.0.0", "<"))
+                                          else "kibana_system") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_secret_path [[[
+#
+# Path to the Elasticsearch passwords stored in the :ref:`debops.secret`
+# directory. It should be synchronized with :envvar:`elasticsearch__secret_path`
+# variable for best results.
+kibana__elasticsearch_secret_path: '{{ "elasticsearch/credentials/"
+                                       + kibana__elasticsearch_cluster_name
+                                       + "/built-in" }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__elasticsearch_password [[[
+#
+# The password used by Kibana for internal maintenance on password-protected
+# Elasticsearch clusters.
+kibana__elasticsearch_password: '{{ ""
+                                    if (kibana__elasticsearch_hosts[0].startswith("http://"))
+                                    else (lookup("password", secret + "/"
+                                          + kibana__elasticsearch_secret_path + "/"
+                                          + kibana__elasticsearch_username
+                                          + "/password")) }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__index [[[
+#
+# The Elasticsearch index used by Kibana to store configuration. Deprecated in
+# Kibana 7.11.
+kibana__index: '.kibana'
+
+                                                                   # ]]]
+# .. envvar:: kibana__default_app_id [[[
+#
+# The default Kibana 'application' to load on start. Deprecated in Kibana 7.9.
+kibana__default_app_id: 'discover'
+
+                                                                   # ]]]
+# .. envvar:: kibana__security_encryption_key [[[
+#
+# Key used to encrypt session information. Should be the same on all instances
+# when used id high-availability deployments. Key is stored in the
+# :file:`secret/` directory, managed by the :ref:`debops.secret` Ansible role.
+kibana__security_encryption_key: '{{ lookup("password", secret
+                                            + "/kibana/security_encryption_key length=32") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__reporting_encryption_key [[[
+#
+# The static encryption key for reporting. Key is stored in the
+# :file:`secret/` directory, managed by the :ref:`debops.secret` Ansible role.
+kibana__reporting_encryption_key: '{{ lookup("password", secret
+                                             + "/kibana/reporting_encryption_key length=32") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Connection encryption, TLS [[[
+# ------------------------------
+
+# .. envvar:: kibana__secure_connection [[[
+#
+# Enable or disable configuration of secure connection to the Elasticsearch
+# cluster. By default this will be enable if username and password are defined.
+kibana__secure_connection: '{{ True
+                               if (kibana__elasticsearch_username | d() and
+                                   kibana__elasticsearch_password | d())
+                               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_enabled [[[
+#
+# Enable or disable support for TLS connection encryption based on DebOps PKI,
+# managed by the :ref:`debops.pki` Ansible role.
+kibana__pki_enabled: '{{ (ansible_local.pki.enabled | d()) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_base_path [[[
+#
+# The absolute path of th location of PKI realms.
+kibana__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_realm [[[
+#
+# The PKI realm used by Kibana for the HTTP communication with Elasticsearch
+# cluster.
+kibana__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_ca_file [[[
+#
+# Name of the file which contains Certificate Authorities trusted by
+# Kibana, relative to the PKI realm directory.
+kibana__pki_ca_file: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_key_file [[[
+#
+# Name of the file which contains the private key used by Kibana for HTTP
+# communication with the Elasticsearch cluster, relative to the PKI realm
+# directory.
+kibana__pki_key_file: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__pki_crt_file [[[
+#
+# Name of the file which contains the X.509 certificate chain used by Kibana
+# for HTTP communication with the Elasticsearch cluster, relative to the PKI
+# realm directory. Java applications don't work well with Diffie-Hellman
+# parameters embedded in the certificate chain, so let's use the "plain" one
+# instead.
+kibana__pki_crt_file: 'public/cert_intermediate.pem'
+
+                                                                   # ]]]
+# .. envvar:: kibana__tls_ca_certificate [[[
+#
+# Absolute path of the Certificate Authority certificate used by Kibana
+kibana__tls_ca_certificate: '{{ kibana__pki_base_path + "/"
+                                + kibana__pki_realm + "/"
+                                + kibana__pki_ca_file }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__tls_private_key [[[
+#
+# Absolute path of the private key used by Kibana.
+kibana__tls_private_key: '{{ kibana__pki_base_path + "/"
+                             + kibana__pki_realm + "/"
+                             + kibana__pki_key_file }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__tls_certificate [[[
+#
+# Absolute path of the X.509 certificate used by Kibana.
+kibana__tls_certificate: '{{ kibana__pki_base_path + "/"
+                             + kibana__pki_realm + "/"
+                             + kibana__pki_crt_file }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Kibana configuration file [[[
+# -----------------------------
+
+# The variables below define the contents of the :file:`/etc/kibana/kibana.yml`
+# configuration file. See :ref:`kibana__ref_configuration` for the details and
+# configuration syntax.
+
+# .. envvar:: kibana__default_configuration [[[
+#
+# The default configuration options which should be present in the main
+# configuration file.
+kibana__default_configuration:
+
+  - name: 'server.port'
+    value: '{{ kibana__server_port }}'
+    comment: 'Kibana is served by a back end server. This setting specifies the port to use'
+
+  - name: 'server.host'
+    value: '{{ kibana__server_host }}'
+    comment: |
+      Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
+      The default is 'localhost', which usually means remote machines will not be able to connect.
+      To allow connections from remote users, set this parameter to a non-loopback address.
+
+  - name: 'server.name'
+    value: '{{ kibana__server_name }}'
+    comment: "The Kibana server's name. This is used for display purposes"
+
+  - name: 'server.basePath'
+    value: ''
+    state: 'comment'
+    comment: |
+      Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
+      the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
+      to Kibana. This setting cannot end in a slash.
+
+  - name: 'server.publicBaseUrl'
+    value: '{{ "https://" + ansible_fqdn }}'
+    comment: |
+      Specifies the public URL at which Kibana is available for end users. If
+      `server.basePath` is configured this URL should end with the same basePath.
+    state: '{{ "present"
+               if (kibana__version is version("7.0.0", ">="))
+               else "absent" }}'
+
+  - name: 'server.maxPayloadBytes'
+    value: 1048576
+    state: 'comment'
+    comment: 'The maximum payload size in bytes for incoming server requests'
+
+  - name: 'kibana.index'
+    value: '{{ kibana__index }}'
+    comment: |
+      Kibana uses an index in Elasticsearch to store saved searches, visualizations and
+      dashboards. Kibana creates a new index if the index doesn't already exist.
+    state: '{{ "present"
+               if (kibana__version is version("7.11.0", "<"))
+               else "absent" }}'
+
+  - name: 'kibana.defaultAppId'
+    value: '{{ kibana__default_app_id }}'
+    comment: 'The default application to load'
+    state: '{{ "present"
+               if (kibana__version is version("7.9.0", "<"))
+               else "absent" }}'
+
+  - name: 'elasticsearch.url'
+    value: '{{ kibana__elasticsearch_url }}'
+    comment: 'The URL of the Elasticsearch instance to use for all your queries'
+    state: '{{ "present"
+               if (kibana__version is version("7.0.0", "<"))
+               else "absent" }}'
+
+  - name: 'elasticsearch.hosts'
+    value: '{{ kibana__elasticsearch_hosts }}'
+    comment: 'The URLs of the Elasticsearch instances to use for all your queries'
+    state: '{{ "absent"
+               if (kibana__version is version("7.0.0", "<"))
+               else "present" }}'
+
+  - name: 'elasticsearch.preserveHost'
+    value: True
+    state: 'comment'
+    comment: |
+      When value of this option is true Kibana uses the hostname specified in the server.host
+      setting. When the value of this setting is false, Kibana uses the hostname of the host
+      that connects to this Kibana instance.
+
+  - name: 'elasticsearch.username'
+    value: '{{ kibana__elasticsearch_username }}'
+    state: '{{ "present"
+               if (kibana__elasticsearch_username | d() and
+                   kibana__elasticsearch_password | d())
+               else "comment" }}'
+    comment: |
+      If your Elasticsearch is protected with basic authentication, these settings provide
+      the username and password that the Kibana server uses to perform maintenance on the Kibana
+      index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
+      is proxied through the Kibana server.
+
+  - name: 'elasticsearch.password'
+    value: '{{ kibana__elasticsearch_password }}'
+    state: '{{ "present"
+               if (kibana__elasticsearch_username | d() and
+                   kibana__elasticsearch_password | d())
+               else "comment" }}'
+
+  - name: 'server.ssl.enabled'
+    value: False
+    state: 'comment'
+    comment: |
+      Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
+      These settings enable SSL for outgoing requests from the Kibana server to the browser.
+
+  - name: 'server.ssl.certificate'
+    value: '/path/to/your/server.crt'
+    state: 'comment'
+
+  - name: 'server.ssl.key'
+    value: '/path/to/your/server.key'
+    state: 'comment'
+
+  - name: 'elasticsearch.ssl.certificate'
+    value: '/path/to/your/client.crt'
+    state: 'comment'
+    comment: |
+      Optional settings that provide the paths to the PEM-format SSL certificate and key files.
+      These files validate that your Elasticsearch backend uses the same key files.
+
+  - name: 'elasticsearch.ssl.key'
+    value: '/path/to/your/client.key'
+    state: 'comment'
+
+  - name: 'elasticsearch.ssl.certificateAuthorities'
+    value: [ '/path/to/your/CA.pem' ]
+    state: 'comment'
+    comment: |
+      Optional setting that enables you to specify a path to the PEM file for the certificate
+      authority for your Elasticsearch instance.
+
+    # Reset the list of default certificate authorities.
+  - name: 'elasticsearch.ssl.certificateAuthorities'
+    value: ''
+    state: '{{ "present" if (kibana__secure_connection | bool and
+                             kibana__pki_enabled | bool)
+                         else "ignore" }}'
+
+  - name: 'elasticsearch.ssl.certificateAuthorities'
+    value: [ '{{ kibana__tls_ca_certificate }}' ]
+    state: '{{ "present" if (kibana__secure_connection | bool and
+                             kibana__pki_enabled | bool)
+                         else "ignore" }}'
+
+  - name: 'elasticsearch.ssl.certificate'
+    value: '{{ kibana__tls_certificate }}'
+    state: '{{ "present" if (kibana__secure_connection | bool and
+                             kibana__pki_enabled | bool)
+                         else "ignore" }}'
+
+  - name: 'elasticsearch.ssl.key'
+    value: '{{ kibana__tls_private_key }}'
+    state: '{{ "present" if (kibana__secure_connection | bool and
+                             kibana__pki_enabled | bool)
+                         else "ignore" }}'
+
+  - name: 'elasticsearch.ssl.verificationMode'
+    value: 'full'
+    state: 'comment'
+    comment: "To disregard the validity of SSL certificates, change this setting's value to 'none'"
+
+  - name: 'elasticsearch.pingTimeout'
+    value: 1500
+    state: 'comment'
+    comment: |
+      Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
+      the elasticsearch.requestTimeout setting.
+
+  - name: 'elasticsearch.requestTimeout'
+    value: 30000
+    state: 'comment'
+    comment: |
+      Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
+      must be a positive integer.
+
+  - name: 'elasticsearch.requestHeadersWhitelist'
+    value: [ 'authorization' ]
+    state: 'comment'
+    comment: |
+      List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
+      headers, set this value to [] (an empty list).
+
+  - name: 'elasticsearch.customHeaders'
+    empty: {}
+    state: 'comment'
+    comment: |
+      Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
+      by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
+
+  - name: 'elasticsearch.shardTimeout'
+    value: 0
+    state: 'comment'
+    comment: 'Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable'
+
+  - name: 'elasticsearch.startupTimeout'
+    value: 5000
+    state: 'comment'
+    comment: 'Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying'
+
+  - name: 'pid.file'
+    value: '/var/run/kibana.pid'
+    state: 'comment'
+    comment: 'Specifies the path where Kibana creates the process ID file'
+
+  - name: 'logging.dest'
+    value: 'stdout'
+    state: 'comment'
+    comment: 'Enables you specify a file where Kibana stores log output'
+
+  - name: 'logging.silent'
+    value: False
+    state: 'comment'
+    comment: 'Set the value of this setting to true to suppress all logging output'
+
+  - name: 'logging.quiet'
+    value: False
+    state: 'comment'
+    comment: 'Set the value of this setting to true to suppress all logging output other than error messages'
+
+  - name: 'logging.verbose'
+    value: False
+    state: 'comment'
+    comment: |
+      Set the value of this setting to true to log all events, including system usage information
+      and all requests.
+
+  - name: 'ops.interval'
+    value: 5000
+    state: 'comment'
+    comment: |
+      Set the interval in milliseconds to sample system and process performance
+      metrics. Minimum is 100ms. Defaults to 5000.
+
+  - name: 'i18n.defaultLocale'
+    state: 'comment'
+    comment: |
+      The default locale. This locale can be used in certain circumstances to substitute any missing
+      translations.
+    value: 'en'
+
+  - name: 'xpack.security.encryptionKey'
+    comment: |
+      An arbitrary string of 32 characters or more that is used to encrypt session information.
+    value: '{{ kibana__security_encryption_key }}'
+
+  - name: 'xpack.reporting.encryptionKey'
+    comment: |
+      The static encryption key for reporting. Use an alphanumeric text string that is at least 32 characters.
+    value: '{{ kibana__reporting_encryption_key }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__configuration [[[
+#
+# List of configuration options defined on all hosts in the Ansible inventory.
+kibana__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__group_configuration [[[
+#
+# List of configuration options defined on hosts in specific Ansible inventory
+# group.
+kibana__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__host_configuration [[[
+#
+# List of configuration options defined on specific hosts in the Ansible
+# inventory.
+kibana__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__plugin_configuration [[[
+#
+# List of configuration options defined separately for any Kibana plugins.
+# See :ref:`kibana__ref_plugins` for more details.
+kibana__plugin_configuration: '{{ lookup("template",
+                                  "lookup/kibana__plugin_configuration.j2")
+                                  | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__dependent_role [[[
+#
+# A string that identifies another Ansible role that uses the ``debops.kibana``
+# role as a dependency. This value is needed to correctly store the dependent
+# configuration options. See :ref:`kibana__ref_dependency` for more details.
+kibana__dependent_role: ''
+
+                                                                   # ]]]
+# .. envvar:: kibana__dependent_state [[[
+#
+# Specify the state of the dependent configuration options, either ``present``
+# (options should be included in the configuration file) or ``absent`` (options
+# should be removed from the configuration file).
+# See :ref:`kibana__ref_dependency` for more details.
+kibana__dependent_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: kibana__dependent_configuration [[[
+#
+# List of Kibana configuration options defined by another Ansible role
+# and specified using role dependent variables.
+kibana__dependent_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__dependent_configuration_filter [[[
+#
+# Actual variable used in the combined Kibana configuration that unwraps the
+# dependent configuration specified by other Ansible roles and converts it into
+# format understood by the ``debops.kibana`` configuration template.
+# See :ref:`kibana__ref_dependency` for more details.
+kibana__dependent_configuration_filter: '{{ lookup("template",
+                                            "lookup/kibana__dependent_configuration_filter.j2")
+                                            | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__combined_configuration [[[
+#
+# Actual list of Kibana configuration options passed to the configuration
+# template. This list defines the order in which the options from different
+# variables are processed.
+kibana__combined_configuration: '{{ lookup("flattened", (kibana__default_configuration
+                                    + kibana__plugin_configuration
+                                    + kibana__dependent_configuration_filter
+                                    + kibana__configuration
+                                    + kibana__group_configuration
+                                    + kibana__host_configuration)) }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__configuration_sections [[[
+#
+# List of sections defined in the :file:`/etc/kibana/kibana.yml`
+# configuration file and corresponding variable groups.
+# See :ref:`kibana__ref_configuration_sections` for more details.
+kibana__configuration_sections:
+
+  - name: 'Server'
+    part: [ 'server', 'kibana' ]
+
+  - name: 'Elasticsearch'
+    part: 'elasticsearch'
+
+  - name: 'Map tiles'
+    part: 'tilemap'
+
+  - name: 'Logging'
+    part: 'logging'
+
+  - name: 'X-Pack'
+    part: 'xpack'
+
+  - name: 'Search Guard'
+    part: 'searchguard'
+                                                                   # ]]]
+                                                                   # ]]]
+# Plugin configuration [[[
+# ------------------------
+
+# These variables define lists of Kibana plugins to install/remove, as
+# well as additional configuration options for them.
+# See :ref:`kibana__ref_plugins` for more details.
+
+# .. envvar:: kibana__plugins [[[
+#
+# List of Kibana plugins to manage on all hosts in the Ansible inventory.
+kibana__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__group_plugins [[[
+#
+# List of Kibana plugins to manage on hosts in specific Ansible inventory
+# group.
+kibana__group_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__host_plugins [[[
+#
+# List of Kibana plugins to manage on specific hosts in the Ansible inventory.
+kibana__host_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__combined_plugins [[[
+#
+# Actual list of Kibana plugins that combines other plugin variables and is
+# used in the Ansible tasks and the configuration template.
+kibana__combined_plugins: '{{ lookup("flattened", (kibana__plugins
+                              + kibana__group_plugins
+                              + kibana__host_plugins)) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Kibana keystore contents [[[
+# ----------------------------
+
+# The variables below define the contents of the Kibana keystore which can be
+# used to store passwords and other confidential data, which then can be
+# referenced in Kibana configuration files. See :ref:`kibana__ref_keys` for
+# more details.
+
+# .. envvar:: kibana__keys [[[
+#
+# Kibana keystore content which should be present on all hosts in the Ansible
+# inventory.
+kibana__keys: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__group_keys [[[
+#
+# Kibana keystore content which should be present on all hosts in the Ansible
+# inventory.
+kibana__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__host_keys [[[
+#
+# Kibana keystore content which should be present on hosts in a specific
+# Ansible inventory group.
+kibana__host_keys: []
+
+                                                                   # ]]]
+# .. envvar:: kibana__combined_keys [[[
+#
+# Kibana keystore content which should be present on specific hosts in the
+# Ansible inventory.
+kibana__combined_keys: '{{ kibana__keys
+                           + kibana__group_keys
+                           + kibana__host_keys }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: kibana__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+kibana__etc_services__dependent_list:
+  - name: 'kibana'
+    port: '{{ kibana__server_port }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__extrepo__dependent_sources [[[
+#
+# Configuration for the :ref:`debops.extrepo` Ansible role.
+kibana__extrepo__dependent_sources:
+  - 'elastic'
+
+                                                                   # ]]]
+# .. envvar:: kibana__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+kibana__nginx__dependent_servers:
+  - name: '{{ kibana__fqdn }}'
+    by_role: 'debops.kibana'
+    filename: 'debops.kibana'
+    deny_hidden: False
+    type: 'proxy'
+    proxy_options: |
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_cache_bypass $http_upgrade;
+    proxy_pass: 'http://kibana'
+    proxy_redirect: 'default'
+    allow:               '{{ kibana__webserver_allow }}'
+    access_policy:       '{{ kibana__webserver_access_policy }}'
+    auth_basic:          '{{ True if kibana__webserver_auth_basic_filename | d() else False }}'
+    auth_basic_realm:    '{{ kibana__webserver_auth_basic_realm }}'
+    auth_basic_filename: '{{ kibana__webserver_auth_basic_filename }}'
+
+                                                                   # ]]]
+# .. envvar:: kibana__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+kibana__nginx__dependent_upstreams:
+  - name: 'kibana'
+    server: '{{ kibana__server_host + ":" + kibana__server_port }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/kibana/meta/main.yml b/ansible_collections/debops/debops/roles/kibana/meta/main.yml
new file mode 100644
index 00000000..6fa304fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage Kibana dashboard'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - clustering
+    - database
+    - nosql
+    - elasticsearch
+    - elastic
+    - dashboard
+    - visualization
diff --git a/ansible_collections/debops/debops/roles/kibana/tasks/main.yml b/ansible_collections/debops/debops/roles/kibana/tasks/main.yml
new file mode 100644
index 00000000..a9cca90c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/tasks/main.yml
@@ -0,0 +1,196 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Kibana packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (kibana__base_packages
+                              + kibana__packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: kibana__register_packages
+  until: kibana__register_packages is succeeded
+
+- name: Add Kibana UNIX account to selected groups
+  ansible.builtin.user:
+    name: '{{ kibana__user }}'
+    groups: '{{ kibana__additional_groups }}'
+    append: True
+  when: kibana__additional_groups | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Kibana local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/kibana.fact.j2'
+    dest: '/etc/ansible/facts.d/kibana.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check if the dependent config file exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/kibana/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: kibana__register_dependent_config_file
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.kibana.installed | d())
+  tags: [ 'role::kibana:config' ]
+
+- name: Load the dependent configuration from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/kibana/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: kibana__register_dependent_config
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local.kibana.installed | d() and
+         kibana__register_dependent_config_file.stat.exists | bool)
+  tags: [ 'role::kibana:config' ]
+
+- name: Divert original configuration files
+  debops.debops.dpkg_divert:
+    path: '/etc/kibana/kibana.yml'
+  notify: [ 'Start kibana' ]
+  tags: [ 'role::kibana:config' ]
+
+- name: Generate Kibana configuration
+  ansible.builtin.template:
+    src: 'etc/kibana/kibana.yml.j2'
+    dest: '/etc/kibana/kibana.yml'
+    owner: 'root'
+    group: '{{ kibana__group }}'
+    mode: '0660'
+  notify: [ 'Restart kibana' ]
+  tags: [ 'role::kibana:config' ]
+
+- name: Check state of installed Kibana plugins
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         bin/kibana-plugin list | cut -d@ -f1
+  args:
+    executable: 'bash'
+    chdir: '/usr/share/kibana'
+  register: kibana__register_plugins
+  become: True
+  become_user: '{{ kibana__user }}'
+  changed_when: False
+  check_mode: False
+
+- name: Install Kibana plugins
+  ansible.builtin.command: bin/kibana-plugin install {{ item.url | d(item.name) }}
+  args:
+    chdir: '/usr/share/kibana'
+  notify: [ 'Restart kibana' ]
+  become: True
+  become_user: '{{ item.user | d(kibana__user) }}'
+  loop: '{{ q("flattened", kibana__combined_plugins) }}'
+  register: kibana__register_plugin_install
+  changed_when: kibana__register_plugin_install.changed | bool
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1]) not in kibana__register_plugins.stdout_lines)
+
+- name: Remove Kibana plugins
+  ansible.builtin.command: bin/kibana-plugin remove {{ item.name }}
+  args:
+    chdir: '/usr/share/kibana'
+  notify: [ 'Restart kibana' ]
+  become: True
+  become_user: '{{ item.user | d(kibana__user) }}'
+  loop: '{{ q("flattened", kibana__combined_plugins) }}'
+  register: kibana__register_plugin_remove
+  changed_when: kibana__register_plugin_remove.changed | bool
+  when: (item.name | d() and item.state | d('present') == 'absent' and
+         (item.name if ':' not in item.name else item.name.split(':')[1]) in kibana__register_plugins.stdout_lines)
+
+# The keystore handling is very similar to ../../metricbeat/tasks/main.yml
+# Make sure you change it in both places.
+- name: Check if the Kibana keystore exists
+  ansible.builtin.stat:
+    path: '{{ kibana__keystore_path }}'
+  register: kibana__register_keystore
+
+- name: Create Kibana keystore if not present
+  ansible.builtin.command: 'bin/kibana-keystore create'
+  args:
+    chdir: '/usr/share/kibana'
+  register: kibana__register_keystore_create
+  changed_when: kibana__register_keystore_create.changed | bool
+  when: not kibana__register_keystore.stat.exists
+
+- name: Get the list of keystore contents
+  ansible.builtin.command: 'bin/kibana-keystore list'
+  args:
+    chdir: '/usr/share/kibana'
+  register: kibana__register_keys
+  changed_when: False
+  check_mode: '{{ False if ansible_local.kibana.installed | d() else omit }}'
+
+- name: Remove key from Kibana keystore when requested
+  ansible.builtin.command: 'bin/kibana-keystore remove {{ item.name }}'
+  args:
+    chdir: '/usr/share/kibana'
+  loop: '{{ kibana__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Restart kibana' ]
+  register: kibana__register_keystore_remove
+  changed_when: kibana__register_keystore_remove.changed | bool
+  when: (item.state | d('present') == 'absent' and
+         item.name in kibana__register_keys.stdout_lines)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set or update key in Kibana keystore
+  environment:
+    DEBOPS_KIBANA_KEY: '{{ item.value }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if item.force | d(False) %}
+    printf "%s" "${DEBOPS_KIBANA_KEY}" | bin/kibana-keystore add "{{ item.name }}" --stdin --force
+    {% else %}
+    printf "%s" "${DEBOPS_KIBANA_KEY}" | bin/kibana-keystore add "{{ item.name }}" --stdin
+    {% endif %}
+  args:
+    chdir: '/usr/share/kibana'
+    executable: 'bash'
+  loop: '{{ kibana__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Restart kibana' ]
+  register: kibana__register_keystore_add
+  changed_when: kibana__register_keystore_add.changed | bool
+  when: (item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.name not in kibana__register_keys.stdout_lines or
+          (item.force | d(False)) | bool))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save Kibana dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/kibana/dependent_config/config.json.j2'
+    dest: '{{ secret + "/kibana/dependent_config/" + inventory_hostname + "/config.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  tags: [ 'role::kibana:config' ]
diff --git a/ansible_collections/debops/debops/roles/kibana/tasks/main_env.yml b/ansible_collections/debops/debops/roles/kibana/tasks/main_env.yml
new file mode 100644
index 00000000..da56e02b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.kibana environment
+  ansible.builtin.set_fact:
+    kibana__secret__directories: '{{ lookup("template", "lookup/kibana__secret__directories.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/etc/ansible/facts.d/kibana.fact.j2 b/ansible_collections/debops/debops/roles/kibana/templates/etc/ansible/facts.d/kibana.fact.j2
new file mode 100644
index 00000000..4d40bbe1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/etc/ansible/facts.d/kibana.fact.j2
@@ -0,0 +1,26 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+
+output = {'installed': True}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "kibana"]).decode('utf-8')
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/etc/kibana/kibana.yml.j2 b/ansible_collections/debops/debops/roles/kibana/templates/etc/kibana/kibana.yml.j2
new file mode 100644
index 00000000..1bcf92cf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/etc/kibana/kibana.yml.j2
@@ -0,0 +1,257 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set kibana__tpl_config = {} %}
+{% set kibana__tpl_comment = {} %}
+{% for item in kibana__combined_configuration | debops.debops.parse_kv_config %}
+{%   if item is mapping %}
+{%     if item.name | d() %}
+{%       if item.state | d('present') != 'absent' %}
+{%         if item.value is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.value } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): item.value }) %}
+{%           endif %}
+{%           set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{#           set _ = kibana__tpl_config.update({ item.name: item.value }) #}
+{%           if item.comment | d() %}
+{%             set _ = kibana__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.options is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.options, 'options': item.options } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'options': item.options } }) %}
+{%           endif %}
+{%           set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = kibana__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.empty is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.empty, 'empty': item.empty } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'empty': item.empty } }) %}
+{%           endif %}
+{%           set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = kibana__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         elif item.raw is defined %}
+{%           set name_exploded = item.name.split('.') %}
+{%           set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%           if item.state | d('present') == 'comment' %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'comment': item.raw, 'raw': item.raw } }) %}
+{%           else %}
+{%             set _ = current_dict.update({ name_exploded[1:] | join('.'): { 'raw': item.raw } }) %}
+{%           endif %}
+{%           set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%           if item.comment | d() %}
+{%             set _ = kibana__tpl_comment.update({ item.name: item.comment }) %}
+{%           endif %}
+{%         endif %}
+{%       elif item.state | d('present') == 'absent' %}
+{%         set name_exploded = item.name.split('.') %}
+{%         set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.pop(name_exploded[1:] | join('.'), None) %}
+{%         if current_dict.keys() | length > 0 %}
+{%           set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%         else %}
+{%           set _ = kibana__tpl_config.pop(name_exploded[0], None) %}
+{%         endif %}
+{#         set _ = kibana__tpl_config.pop(item.name, None) #}
+{%       endif %}
+{%     else %}
+{%       for key, value in item.items() %}
+{%         set name_exploded = key.split('.') %}
+{%         set current_dict = kibana__tpl_config[name_exploded[0]] | d({}) %}
+{%         set _ = current_dict.update({ name_exploded[1:] | join('.'): value }) %}
+{%         set _ = kibana__tpl_config.update({ name_exploded[0]: current_dict }) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% macro print_config(config, key_prefix='') %}
+{%   for key, value in config.items() %}
+{%     if key | d() %}{# key is not empty #}
+{%       if (key_prefix + '.' + key) in kibana__tpl_comment.keys() %}
+
+{{ kibana__tpl_comment[key_prefix + '.' + key] | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{%       if value | bool and value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%       elif not value | bool and value is not iterable %}
+{%         if value is not none %}
+{%           if value | int or value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%           endif %}
+{%         endif %}
+{%       elif value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value) }}
+{%       elif value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value) }}
+{%       elif value is mapping %}
+{%         if value.comment is defined %}
+{%           if value.comment | bool and value.comment is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'true') }}
+{%           elif not value.comment | bool and value.comment is not iterable %}
+{%             if value.comment is not none %}
+{%               if value.comment | int or value.comment | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, 'false') }}
+{%               endif %}
+{%             endif %}
+{%           elif value.comment is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.comment) }}
+{%           elif value.comment is mapping %}
+{%             if value.options | d() %}
+{%               if value.options is mapping %}
+{%                 for option_key, option_value in value.options.items() %}
+{%                   if option_value | bool and option_value is not iterable %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%                   elif not option_value | bool and option_value is not iterable %}
+{%                     if option_value is not none %}
+{%                       if option_value | int or option_value | string == '0' %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                       else %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                       endif %}
+{%                     endif %}
+{%                   elif option_value is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is number %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   elif option_value is not string and option_value is not mapping %}
+{%                     if option_value | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%                     else %}
+# {{ key_prefix + '.' + option_key }}:
+{%                       for element in option_value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+#  - "{{ element }}"
+{%                       endfor %}
+
+{%                     endif %}
+{%                   endif %}
+{%                 endfor %}
+{%               endif %}
+{%             elif value.empty is defined %}
+{%               if value.empty is string %}
+{{ '# %s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%               else %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%               endif %}
+{%             elif value.raw | d() %}
+{{ value.raw | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%             endif %}
+{%           elif value.comment is not string and value.comment is not mapping %}
+{%             if value.comment | count <= 4 %}
+{{ '# %s: %s' | format(key_prefix + '.' + key, '[ "' + value.comment | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%             else %}
+# {{ key_prefix + '.' + key }}:
+{%               for element in value.comment | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+#  - "{{ element }}"
+{%               endfor %}
+
+{%             endif %}
+{%           endif %}
+{%         elif value.options | d() %}
+{%           if value.options is mapping %}
+{%             for option_key, option_value in value.options.items() %}
+{%               if option_value | bool and option_value is not iterable %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'true') }}
+{%               elif not option_value | bool and option_value is not iterable %}
+{%                 if option_value is not none %}
+{%                   if option_value | int or option_value | string == '0' %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%                   else %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, 'false') }}
+{%                   endif %}
+{%                 endif %}
+{%               elif option_value is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is number %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, option_value) }}
+{%               elif option_value is not string and option_value is not mapping %}
+{%                 if option_value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + option_key, '[ "' + option_value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%                 else %}
+{{ key_prefix + '.' + option_key }}:
+{%                  for element in option_value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+  - "{{ element }}"
+{%                  endfor %}
+
+{%                endif %}
+{%              endif %}
+{%             endfor %}
+{%           endif %}
+{%         elif value.empty is defined %}
+{%           if value.empty is string %}
+{{ '%s: "%s"' | format(key_prefix + '.' + key, value.empty) }}
+{%           else %}
+{{ '%s: %s' | format(key_prefix + '.' + key, value.empty) }}
+{%           endif %}
+{%         elif value.raw | d() %}
+{{ value.raw }}
+{%         endif %}
+{%       elif value is not string and value is not mapping %}
+{%         if value | count <= 4 %}
+{{ '%s: %s' | format(key_prefix + '.' + key, '[ "' + value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join('", "') + '" ]') }}
+{%         else %}
+{{ key_prefix + '.' + key }}:
+{%           for element in value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+  - "{{ element }}"
+{%           endfor %}
+
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{% set kibana__tpl_seen_sections = [] %}
+{% for section in kibana__configuration_sections %}
+{%   if section.name | d() %}
+{%     if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(kibana__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(kibana__tpl_config.keys()) %}
+{{ "{:-^78}".format(' ' + section.name + ' ') | comment }}
+{%     endif %}
+{%   endif %}
+{%   if section.part | d() and ([ section.part ] if section.part is string else section.part) | intersect(kibana__tpl_config.keys()) %}
+{%     for element in ([ section.part ] if section.part is string else section.part) %}
+{%       if element in kibana__tpl_config.keys() and element not in kibana__tpl_seen_sections %}
+{{ print_config(kibana__tpl_config[element], key_prefix=element) -}}
+{%         set _ = kibana__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   elif section.parts | d() and ([ section.parts ] if section.parts is string else section.parts) | intersect(kibana__tpl_config.keys()) %}
+{%     for element in ([ section.parts ] if section.parts is string else section.parts) %}
+{%       if element in kibana__tpl_config.keys() and element not in kibana__tpl_seen_sections %}
+{{ print_config(kibana__tpl_config[element], key_prefix=element) -}}
+{%         set _ = kibana__tpl_seen_sections.append(element) %}
+{%       endif %}
+{%     endfor %}
+
+{%   endif %}
+{% endfor %}
+{% if kibana__tpl_config.keys() | difference(kibana__tpl_seen_sections) %}
+{{ "{:-^78}".format(' Various ') | comment }}
+{%   for element in (kibana__tpl_config.keys() | difference(kibana__tpl_seen_sections)) %}
+{{ print_config(kibana__tpl_config[element], key_prefix=element) -}}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__dependent_configuration_filter.j2 b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__dependent_configuration_filter.j2
new file mode 100644
index 00000000..a38bddd9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__dependent_configuration_filter.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set kibana__tpl_dependent_configuration = {} %}
+{% if (kibana__register_dependent_config | d() and kibana__register_dependent_config.content | d()) %}
+{%   set _ = kibana__tpl_dependent_configuration.update(kibana__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if kibana__dependent_role | d() %}
+{%   if kibana__dependent_state == 'present' %}
+{%     set _ = kibana__tpl_dependent_configuration.update({kibana__dependent_role: kibana__dependent_configuration}) %}
+{%   elif kibana__dependent_state == 'absent' %}
+{%     set _ = kibana__tpl_dependent_configuration.pop(kibana__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{% set kibana__tpl_output = [] %}
+{% for key, value in kibana__tpl_dependent_configuration.items() %}
+{%   set _ = kibana__tpl_output.append(value) %}
+{% endfor %}
+{{ kibana__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__plugin_configuration.j2 b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__plugin_configuration.j2
new file mode 100644
index 00000000..7023d200
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__plugin_configuration.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set kibana__tpl_output = [] %}
+{% for plugin in ([ kibana__combined_plugins ] if kibana__combined_plugins is mapping else kibana__combined_plugins) %}
+{%   if plugin.state | d('present') != 'absent' %}
+{%     if plugin.configuration | d() %}
+{%       set _ = kibana__tpl_output.append(plugin.configuration) %}
+{%     elif plugin.config | d() %}
+{%       set _ = kibana__tpl_output.append(plugin.config) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ kibana__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__secret__directories.j2 b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__secret__directories.j2
new file mode 100644
index 00000000..08d65e2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/lookup/kibana__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'kibana/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/kibana/templates/secret/kibana/dependent_config/config.json.j2 b/ansible_collections/debops/debops/roles/kibana/templates/secret/kibana/dependent_config/config.json.j2
new file mode 100644
index 00000000..b8332755
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kibana/templates/secret/kibana/dependent_config/config.json.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set kibana__tpl_dependent_configuration = {} %}
+{% if (kibana__register_dependent_config | d() and kibana__register_dependent_config.content | d()) %}
+{%   set _ = kibana__tpl_dependent_configuration.update(kibana__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if kibana__dependent_role | d() %}
+{%   if kibana__dependent_state == 'present' %}
+{%     set _ = kibana__tpl_dependent_configuration.update({kibana__dependent_role: kibana__dependent_configuration}) %}
+{%   elif kibana__dependent_state == 'absent' %}
+{%     set _ = kibana__tpl_dependent_configuration.pop(kibana__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{{ kibana__tpl_dependent_configuration | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/kmod/COPYRIGHT b/ansible_collections/debops/debops/roles/kmod/COPYRIGHT
new file mode 100644
index 00000000..ccffbcec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.kmod - Manage kernel modules using Ansible
+
+Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/kmod/defaults/main.yml b/ansible_collections/debops/debops/roles/kmod/defaults/main.yml
new file mode 100644
index 00000000..4a7031f3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/defaults/main.yml
@@ -0,0 +1,176 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _kmod__ref_defaults:
+
+# debops.kmod default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: kmod__enabled [[[
+#
+# Enable or disable support for kernel module management. The role will check
+# if the :command:`/sbin/modprobe` is present on a host and will enable/disable
+# itself automatically as needed. You can use this variable to override this
+# mechanism.
+kmod__enabled: '{{ True
+                   if (kmod__register_modprobe.stat.exists | bool)
+                   else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Installation, APT packages [[[
+# ------------------------------
+
+# .. envvar:: kmod__base_packages [[[
+#
+# List of APT packages to install. They are used by the role internally.
+kmod__base_packages: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__packages [[[
+#
+# List of additional APT packages to install.
+kmod__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Kernel module configuration [[[
+# -------------------------------
+
+# These variables define what kernel module configuration should be present on
+# a host. See :ref:`kmod__ref_modules` for more details.
+
+# .. envvar:: kmod__default_modules [[[
+#
+# List of default kernel module configuration entries defined by the role.
+kmod__default_modules:
+
+  - name: 'blacklist-firewire-thunderbolt'
+    state: 'config'
+    comment: |
+      Protection against Firewire DMA attacks
+      https://security.stackexchange.com/a/49158/79474
+      https://github.com/lfit/itpol/blob/master/linux-workstation-security.md#blacklisting-modules
+    blacklist:
+      - 'firewire_sbp2'
+      - 'firewire_ohci'
+      - 'firewire_core'
+      - 'thunderbolt'
+
+                                                                   # ]]]
+# .. envvar:: kmod__modules [[[
+#
+# List of kernel module configuration entries which should be present on all
+# hosts in the Ansible inventory.
+kmod__modules: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__group_modules [[[
+#
+# List of kernel module configuration entries which should be present on hosts
+# in a specific Ansible inventory group.
+kmod__group_modules: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__host_modules [[[
+#
+# List of kernel module configuration entries which should be present on
+# specific hosts in the Ansible inventory.
+kmod__host_modules: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__dependent_modules [[[
+#
+# List of kernel module configuration entries which are defined by other
+# Ansible roles through role dependent variables.
+kmod__dependent_modules: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__combined_modules [[[
+#
+# The variable that combines all lists of kernel module parameters and passes
+# them to the role tasks.
+kmod__combined_modules: '{{ kmod__default_modules
+                            + lookup("flattened", kmod__dependent_modules, wantlist=True)
+                            + kmod__modules
+                            + kmod__group_modules
+                            + kmod__host_modules }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Kernel module loading at boot [[[
+# ---------------------------------
+
+# These variables control what kernel modules should be loaded at boot time.
+# See :ref:`kmod__ref_load` for more details.
+
+# .. envvar:: kmod__load [[[
+#
+# List of kernel modules which should be loaded at boot time on all hosts in the
+# Ansible inventory.
+kmod__load: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__group_load [[[
+#
+# List of kernel modules which should be loaded at boot time on hosts in
+# a specific Ansible inventory group.
+kmod__group_load: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__host_load [[[
+#
+# List of kernel modules which should be loaded at boot time on specific hosts
+# in the Ansible inventory.
+kmod__host_load: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__dependent_load [[[
+#
+# List of kernel modules to loat at boot time, defined by other Ansible roles
+# through role dependent variables.
+kmod__dependent_load: []
+
+                                                                   # ]]]
+# .. envvar:: kmod__combined_load [[[
+#
+# Variable which combines all of the kernel module load lists and passes them
+# to the role tasks.
+kmod__combined_load: '{{ lookup("flattened", kmod__dependent_load, wantlist=True)
+                         + kmod__load
+                         + kmod__group_load
+                         + kmod__host_load }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: kmod__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+kmod__python__dependent_packages3: []
+
+  # Currently there's no kmodpy for Python 3.x in Debian, but hopefully it will
+  # be available at some point in the future.
+  #- 'python3-kmodpy'
+
+                                                                   # ]]]
+# .. envvar:: kmod__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+kmod__python__dependent_packages2:
+
+  - 'python-kmodpy'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/kmod/meta/main.yml b/ansible_collections/debops/debops/roles/kmod/meta/main.yml
new file mode 100644
index 00000000..9a7a9625
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage kernel modules'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - kernel
+    - linux
diff --git a/ansible_collections/debops/debops/roles/kmod/tasks/main.yml b/ansible_collections/debops/debops/roles/kmod/tasks/main.yml
new file mode 100644
index 00000000..66e7ec1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if modprobe is available
+  ansible.builtin.stat:
+    path: '/sbin/modprobe'
+  register: kmod__register_modprobe
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (kmod__base_packages
+                              + kmod__packages)) }}'
+    state: 'present'
+  register: kmod__register_packages
+  until: kmod__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save kmod local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/kmod.fact.j2'
+    dest: '/etc/ansible/facts.d/kmod.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure kernel modules
+  ansible.builtin.include_tasks: 'modprobe.yml'
+  loop_control:
+    loop_var: 'module'
+  with_items: '{{ kmod__combined_modules | debops.debops.parse_kv_items }}'
+  when: kmod__enabled | bool
+
+- name: Remove module load configuration
+  ansible.builtin.file:
+    dest: '/etc/modules-load.d/{{ item.filename | d(item.name | replace("_", "-") + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ kmod__combined_load | debops.debops.parse_kv_items }}'
+  when: kmod__enabled | bool and ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') == 'absent'
+
+- name: Configure module loading at boot
+  ansible.builtin.template:
+    src: 'etc/modules-load.d/module.conf.j2'
+    dest: '/etc/modules-load.d/{{ item.filename | d(item.name | replace("_", "-") + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ kmod__combined_load | debops.debops.parse_kv_items }}'
+  when: kmod__enabled | bool and ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') not in ['absent', 'ignore']
+
+- name: Manage module loading in /etc/modules
+  ansible.builtin.lineinfile:
+    dest: '/etc/modules'
+    regexp: '^{{ item.name }}'
+    line: '{{ item.name }}'
+    state: '{{ item.state }}'
+    mode: '0644'
+  loop: '{{ kmod__combined_load | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: kmod__enabled | bool and ansible_service_mgr != 'systemd' and
+        item.name | d() and item.state | d('present') in ['present', 'absent']
+
+- name: Load missing kernel modules enabled at boot
+  community.general.modprobe:
+    name: '{{ item.name }}'
+    state: 'present'
+  with_items: '{{ kmod__combined_load | debops.debops.parse_kv_items }}'
+  notify: [ 'Refresh host facts' ]
+  when: kmod__enabled | bool and item.name | d() and item.state | d('present') not in ['config', 'absent', 'ignore'] and
+        item.modules is undefined and ansible_local.kmod.modules | d() and item.name not in ansible_local.kmod.modules
+
+- name: Update Ansible facts if modules were loaded
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/kmod/tasks/modprobe.yml b/ansible_collections/debops/debops/roles/kmod/tasks/modprobe.yml
new file mode 100644
index 00000000..e24c6f96
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/tasks/modprobe.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Remove module configuration
+  ansible.builtin.file:
+    dest: '/etc/modprobe.d/{{ module.filename | d(module.name | replace("_", "-") + ".conf") }}'
+    state: 'absent'
+  notify: [ 'Refresh host facts' ]
+  register: kmod__register_module_config_delete
+  when: module.name | d() and module.state | d('present') == 'absent'
+
+- name: Generate module configuration
+  ansible.builtin.template:
+    src: 'etc/modprobe.d/module.conf.j2'
+    dest: '/etc/modprobe.d/{{ module.filename | d(module.name | replace("_", "-") + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  register: kmod__register_module_config_create
+  when: module.name | d() and module.state | d('present') != 'absent'
+
+- name: Unload kernel module if configuration changed
+  community.general.modprobe:  # noqa no-handler
+    name: '{{ module.name }}'
+    state: 'absent'
+  when: ((kmod__register_module_config_delete is changed or
+          kmod__register_module_config_create is changed) and
+         module.blacklist is not defined and
+         ansible_local.kmod.modules | d() and
+         module.name in ansible_local.kmod.modules and
+         module.state | d('present') not in ['config'])
+
+- name: Load kernel module if configuration changed
+  community.general.modprobe:  # noqa no-handler
+    name: '{{ module.name }}'
+    state: 'present'
+  when: ((kmod__register_module_config_delete is changed or
+          kmod__register_module_config_create is changed) and
+         module.blacklist is not defined and
+         module.state | d('present') not in ['config', 'absent', 'blacklist'])
diff --git a/ansible_collections/debops/debops/roles/kmod/templates/etc/ansible/facts.d/kmod.fact.j2 b/ansible_collections/debops/debops/roles/kmod/templates/etc/ansible/facts.d/kmod.fact.j2
new file mode 100644
index 00000000..8798c74c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/templates/etc/ansible/facts.d/kmod.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+
+try:
+    import kmodpy
+    kernel_modules = [x[0] for x in kmodpy.Kmod().list()]
+except ImportError:
+    import subprocess
+    kernel_modules = []
+
+    try:
+        lsmod_output = subprocess.check_output(['lsmod'])
+        for line in lsmod_output.splitlines():
+            if not line.decode('utf-8').startswith('Module '):
+                kernel_modules.append(line.decode('utf-8').split()[0])
+    except (subprocess.CalledProcessError, FileNotFoundError):
+        pass
+
+
+output = loads('''{{ {"configured": True,
+                      "enabled": kmod__enabled | bool} | to_nice_json }}''')
+
+output['modules'] = kernel_modules
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/kmod/templates/etc/modprobe.d/module.conf.j2 b/ansible_collections/debops/debops/roles/kmod/templates/etc/modprobe.d/module.conf.j2
new file mode 100644
index 00000000..9751d4f9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/templates/etc/modprobe.d/module.conf.j2
@@ -0,0 +1,73 @@
+{# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_value(value) %}
+{%   if value | bool and value is not iterable %}
+{{ '{}'.format('1') }}
+{%   elif not value | bool and value is not iterable %}
+{%     if value is not none %}
+{%       if value | int or value | string == '0' %}
+{{ '{}'.format(value) }}
+{%       else %}
+{{ '{}'.format('0') }}
+{%       endif %}
+{%     endif %}
+{%   elif value is string %}
+{{ '{}'.format(value) }}
+{%   elif value is number %}
+{{ '{}'.format(value) }}
+{%   endif %}
+{% endmacro %}
+{% if module.comment | d() %}
+{{ module.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if module.alias | d() %}
+{%   for element in ([ module.alias ] if module.alias is string else module.alias) %}
+{{ 'alias {} {}'.format(element, module.name) }}
+{%   endfor %}
+{% endif %}
+{% if module.aliases | d() %}
+{%   for element in ([ module.aliases ] if module.aliases is string else module.aliases) %}
+{{ 'alias {} {}'.format(element, module.name) }}
+{%   endfor %}
+{% endif %}
+{% if module.blacklist | d() %}
+{%   for element in ([ module.blacklist ] if module.blacklist is string else module.blacklist) %}
+{{ 'blacklist {}'.format(element) }}
+{%   endfor %}
+{% endif %}
+{% if module.state | d('present') == 'blacklist' %}
+{{ 'blacklist {}'.format(module.name) }}
+{% endif %}
+{% if module.options | d() %}
+{%   for element in ([ module.options ] if module.options is string else module.options) %}
+{%     if element.name | d() and element.value | d() %}
+{%       if element.state | d('present') != 'absent' %}
+{%         if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%         endif %}
+{{ 'options {} {}={}'.format(module.name, element.name, print_value(element.value)) -}}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{{ 'options {} {}={}'.format(module.name, key, print_value(value)) -}}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if module.install | d() %}
+{{ 'install {} {}'.format(module.name, module.install) }}
+{% endif %}
+{% if module.remove | d() %}
+{{ 'remove {} {}'.format(module.name, module.softdep) }}
+{% endif %}
+{% if module.softdep | d() %}
+{{ 'softdep {} {}'.format(module.name, module.softdep) }}
+{% endif %}
+{% if module.raw | d() %}
+{{ module.raw }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/kmod/templates/etc/modules-load.d/module.conf.j2 b/ansible_collections/debops/debops/roles/kmod/templates/etc/modules-load.d/module.conf.j2
new file mode 100644
index 00000000..965a536b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kmod/templates/etc/modules-load.d/module.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2018 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2018-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.modules | d() %}
+{%   for element in ([ item.modules ] if item.modules is string else item.modules) %}
+{{ element }}
+{%   endfor %}
+{% else %}
+{{ item.name }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/kodi/COPYRIGHT b/ansible_collections/debops/debops/roles/kodi/COPYRIGHT
new file mode 100644
index 00000000..536f67b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/COPYRIGHT
@@ -0,0 +1,19 @@
+kodi - Setup and manage Kodi
+
+Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/kodi/defaults/main.yml b/ansible_collections/debops/debops/roles/kodi/defaults/main.yml
new file mode 100644
index 00000000..63e928b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/defaults/main.yml
@@ -0,0 +1,132 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _kodi__ref_defaults:
+
+# debops-contrib.kodi default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: kodi__base_packages [[[
+#
+# List of base packages to install.
+# Suggested packages:
+# libasound2-plugins alsa-utils libbluray-bdj firmware-crystalhd libfftw3-bin libfftw3-dev alsa-base glew-utils opus-tools pulseaudio speex
+# Recommended packages:
+# kodi-visualization-spectrum libcec4 libmodplug1 libnfs8 libplist3 udisks2 libaacs0 libgl1-mesa-dri javascript-common va-driver-all | va-driver vdpau-driver-all | vdpau-driver
+kodi__base_packages:
+  - 'kodi'
+  - 'xorg'
+  - 'xserver-xorg'
+  - 'dbus-x11'
+  - 'xinit'
+
+  ## https://askubuntu.com/questions/761893/xserver-permission-denied-tty7/806459#806459
+  - 'xserver-xorg-legacy'
+
+  - 'python-dbus'
+  - 'python3-dbus'
+
+  ## dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files
+  - 'accountsservice'
+
+  - 'pulseaudio'
+  - 'libasound2-plugins'
+  - 'alsa-utils'
+  - 'libfftw3-bin'
+  - 'libfftw3-dev'
+  - 'glew-utils'
+  - 'opus-tools'
+  - 'speex'
+
+  ## https://kodi.wiki/view/HOW-TO:Suspend_and_wake_in_Ubuntu#Enabling_Suspend_.2F_Wake_.2F_Shutdown_.2F_Power_off_on_Ubuntu_Linux
+  # - 'upower'
+  # - 'acpi-support'
+
+  - '{{ ["policykit-1"]
+        if (kodi__polkit_action | d())
+        else [] }}'
+                                                                   # ]]]
+# .. envvar:: kodi__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that `changeme/FIXME** is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that `changeme/FIXME** is uninstalled and it's configuration is removed.
+#
+kodi__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# System user and group [[[
+# -------------------------
+
+# .. envvar:: kodi__user [[[
+#
+# System UNIX account used by the Kodi.
+kodi__user: 'kodi'
+
+                                                                   # ]]]
+# .. envvar:: kodi__group [[[
+#
+# System UNIX group used by Kodi.
+kodi__group: 'kodi'
+
+                                                                   # ]]]
+# .. envvar:: kodi__groups [[[
+#
+# List of additional system groups of the system UNIX account.
+kodi__groups:
+  - 'cdrom'
+  - 'floppy'
+  - 'audio'
+  - 'video'
+  - 'plugdev'
+
+                                                                   # ]]]
+# .. envvar:: kodi__home_path [[[
+#
+# The Home Assistant system account home directory.
+kodi__home_path: '{{ (ansible_local.fhs.home | d("/var/local"))
+                     + "/" + kodi__user }}'
+
+                                                                   # ]]]
+# .. envvar:: kodi__gecos [[[
+#
+# Contents of the GECOS field set for the Kodi account.
+kodi__gecos: 'kodi.org'
+
+                                                                   # ]]]
+# .. envvar:: kodi__shell [[[
+#
+# The default shell set on the Kodi account.
+kodi__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Kodi permissions [[[
+# --------------------
+
+# .. envvar:: kodi__group [[[
+#
+# What Polkit actions to allow to the Kodi. Set to ``False`` to not grant any
+# Polkit permissions.
+#
+# https://kodi.wiki/view/HOW-TO:Suspend_and_wake_in_Ubuntu#Enabling_Suspend_.2F_Wake_.2F_Shutdown_.2F_Power_off_on_Ubuntu_Linux
+kodi__polkit_action: 'org.freedesktop.login1.*'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/changelog.rst b/ansible_collections/debops/debops/roles/kodi/docs/changelog.rst
new file mode 100644
index 00000000..6d01c6ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/copyright.rst b/ansible_collections/debops/debops/roles/kodi/docs/copyright.rst
new file mode 100644
index 00000000..ce69ac9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/getting-started.rst b/ansible_collections/debops/debops/roles/kodi/docs/getting-started.rst
new file mode 100644
index 00000000..424a178d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/getting-started.rst
@@ -0,0 +1,67 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _kodi__ref_getting_started:
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To manage `changeme/FIXME** on a given host or set of hosts, they need to
+be added to the ``[debops_service_kodi]`` Ansible group in the inventory:
+
+.. code:: ini
+
+   [debops_service_kodi]
+   hostname
+
+Window manager support
+----------------------
+
+.. code-block:: none
+
+    [ypid_service_dm]
+    hostname
+
+Example playbook
+----------------
+
+If you are using this role without DebOps, here's an example Ansible playbook
+that uses the ``debops-contrib.kodi`` role:
+
+.. literalinclude:: playbooks/kodi.yml
+   :language: yaml
+   :lines: 1,5-
+
+The playbook is shipped with this role under
+:file:`./docs/playbooks/kodi.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::kodi``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::kodi:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/includes/all.rst b/ansible_collections/debops/debops/roles/kodi/docs/includes/all.rst
new file mode 100644
index 00000000..3d8020e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/includes/all.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
+.. include:: includes/role.rst
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/includes/role.rst b/ansible_collections/debops/debops/roles/kodi/docs/includes/role.rst
new file mode 100644
index 00000000..6cb49ebe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/includes/role.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _Kodi: https://en.wikipedia.org/wiki/Kodi_%28software%29
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/index.rst b/ansible_collections/debops/debops/roles/kodi/docs/index.rst
new file mode 100644
index 00000000..6551855a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.kodi:
+
+Ansible role: debops-contrib.kodi
+===============================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/kodi/docs/introduction.rst b/ansible_collections/debops/debops/roles/kodi/docs/introduction.rst
new file mode 100644
index 00000000..4759f1cc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/docs/introduction.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.kodi`` role allows you to setup and manage the Kodi_ media center software.
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.5``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.kodi
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/kodi/meta/main.yml b/ansible_collections/debops/debops/roles/kodi/meta/main.yml
new file mode 100644
index 00000000..83d6083b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider'
+  description: 'Setup and manage Kodi'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: Debian
+      versions:
+        - buster
+
+  galaxy_tags:
+    - kodi
+    - home
+    - htpc
+    - mediacenter
+    - media
+    - player
diff --git a/ansible_collections/debops/debops/roles/kodi/tasks/main.yml b/ansible_collections/debops/debops/roles/kodi/tasks/main.yml
new file mode 100644
index 00000000..25b35aab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# http://kodi.wiki/view/HOW-TO:Autostart_Kodi_for_Linux
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", kodi__base_packages) }}'
+    state: '{{ "present" if (kodi__deploy_state == "present") else "absent" }}'
+  register: kodi__register_packages
+  until: kodi__register_packages is succeeded
+  tags: [ 'role::kodi:pkgs' ]
+
+# System user and group [[[
+- name: Create Kodi system group
+  ansible.builtin.group:
+    name: '{{ kodi__group }}'
+    state: '{{ "present" if (kodi__deploy_state == "present") else "absent" }}'
+    system: True
+
+- name: Create Kodi system user
+  ansible.builtin.user:
+    name: '{{ kodi__user }}'
+    group: '{{ kodi__group }}'
+    groups: '{{ kodi__groups | join(",") | default(omit) }}'
+    append: False
+    home: '{{ kodi__home_path }}'
+    comment: '{{ kodi__gecos }}'
+    shell: '{{ kodi__shell }}'
+    state: '{{ "present" if (kodi__deploy_state == "present") else "absent" }}'
+    system: True
+# ]]]
+
+- name: Create polkit configuration
+  ansible.builtin.template:
+    src: 'etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla.j2'
+    dest: '/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: kodi__polkit_action | d()
+
+- name: Remove polkit configuration
+  ansible.builtin.file:
+    path: '/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla'
+    state: 'absent'
+  when: not kodi__polkit_action | d()
diff --git a/ansible_collections/debops/debops/roles/kodi/templates/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla.j2 b/ansible_collections/debops/debops/roles/kodi/templates/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla.j2
new file mode 100644
index 00000000..72d77207
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/kodi/templates/etc/polkit-1/localauthority/50-local.d/kodi-actions.pkla.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Actions for kodi user]
+Identity=unix-user:{{ kodi__user }}
+Action={{ kodi__polkit_action }}
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
diff --git a/ansible_collections/debops/debops/roles/ldap/COPYRIGHT b/ansible_collections/debops/debops/roles/ldap/COPYRIGHT
new file mode 100644
index 00000000..21d298af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.ldap - Manage system-wide LDAP configuration and directory objects
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ldap/defaults/main.yml b/ansible_collections/debops/debops/roles/ldap/defaults/main.yml
new file mode 100644
index 00000000..f5a9ec44
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/defaults/main.yml
@@ -0,0 +1,813 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ldap__ref_defaults:
+
+# debops.ldap default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role behaviour [[[
+# ------------------
+
+# .. envvar:: ldap__enabled [[[
+#
+# Enable or disable support for system-wide LDAP configuration. By default LDAP
+# configuration is disabled, but once enabled on a host, the role will keep it
+# that way.
+#
+# In a custom playbook that uses the :ref:`debops.ldap` role, you can set this
+# variable to ``True`` to strictly enable LDAP support (for example during
+# initial deployment), or to ``False``, to omit making any changes on a host
+# related to LDAP (for example if you want to interact only with the LDAP
+# directory itself).
+ldap__enabled: '{{ ansible_local.ldap.enabled
+                   if (ansible_local | d() and ansible_local.ldap | d() and
+                       (ansible_local.ldap.enabled | d()) | bool)
+                   else False }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__posix_enabled [[[
+#
+# Enable or disable support for LDAP-POSIX environment integration. If this
+# variable is disabled, this will instruct other Ansible roles to not configure
+# POSIX subsystems like PAM, :command:`sshd` service, :command:`sudo` and
+# similar to use LDAP directory on a paritcular host. Only higher level
+# applications will integrate with the directory.
+ldap__posix_enabled: '{{ ansible_local.ldap.posix_enabled | d(ldap__enabled) }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__configured [[[
+#
+# This variable is used to detect if the role already applied its default
+# configuration on a host. If it did (or this variable is ``True``) and the
+# role is used as a dependency, the role will skip executing LDAP tasks defined
+# by default and those defined in the Ansible inventory to avoid creating long
+# lists of tasks. The state is tracked using a fact during runtime.
+ldap__configured: '{{ ansible_local.ldap.configured
+                      if (ansible_local | d() and ansible_local.ldap | d() and
+                          ansible_local.ldap.configured is defined)
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__dependent_play [[[
+#
+# This variable checks if the role is used as a dependent role. If it is (or
+# this variable is ``True``), the role will skip most of its normal tasks and
+# only run the LDAP tasks defined via the dependent variables.
+ldap__dependent_play: '{{ True
+                          if (ldap__configured | bool and
+                              ldap__dependent_tasks | d())
+                          else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: ldap__base_packages [[[
+#
+# List of default APT packages to install for LDAP client support.
+ldap__base_packages: [ 'libldap-common', 'ldap-utils', 'libsasl2-modules' ]
+
+                                                                   # ]]]
+# .. envvar:: ldap__packages [[[
+#
+# List of additional APT packages to install with LDAP client support.
+ldap__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS and network configuration [[[
+# ---------------------------------
+
+# .. envvar:: ldap__domain [[[
+#
+# The DNS domain used to look for the LDAP servers and to create the LDAP Base
+# Distinguished Name (BaseDN) variables.
+ldap__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__servers_srv_rr [[[
+#
+# List which contains the result of the DNS query for LDAP server ``SRV``
+# resource records in the host's domain.
+ldap__servers_srv_rr: '{{ q("debops.debops.dig_srv", "_ldap._tcp." + ldap__domain,
+                            "ldap." + ldap__domain, 389) }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__servers [[[
+#
+# List of LDAP directory server hostnames which should be used to manage
+# directory entries. The first server listed here will be used for
+# administrative access.
+#
+# The role tries to detect LDAP servers to use via published ``_ldap._tcp`` SRV
+# resource records, and if there aren't any, will fallback to the ``ldap.*``
+# Fully Qualified Domain Name.
+ldap__servers: '{{ ldap__servers_srv_rr | map(attribute="target") }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__servers_protocol [[[
+#
+# The ``<protocol>://`` name to use in the configured LDAP URIs, based on the
+# presence of configured :ref:`debops.pki` environment. Role assumes that all
+# detected LDAP servers use the same connection configuration.
+ldap__servers_protocol: '{{ "ldap" if ldap__start_tls | bool else "ldaps" }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__servers_uri [[[
+#
+# The list of LDAP URIs to configure in the :file:`/etc/ldap/ldap.conf`
+# configuration file which will be used as a default configuration system-wide.
+ldap__servers_uri: '{{ ldap__servers
+                       | map("regex_replace", "^(.*)$",
+                             ldap__servers_protocol + "://\1/")
+                       | list }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__start_tls [[[
+#
+# If ``True``, the role will use STARTTLS command by default on connections to
+# plain ``ldap`` (389) TCP port. This requires configured X.509 PKI
+# environment, managed by the :ref:`debops.pki` role.
+ldap__start_tls: '{{ True
+                     if (ansible_local | d() and ansible_local.pki | d() and
+                         (ansible_local.pki.enabled | d()) | bool)
+                     else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP directory structure [[[
+# ----------------------------
+
+# These variables define the LDAP directory structure used by the
+# :ref:`debops.ldap` Ansible role. Check the :ref:`ldap__ref_ldap_dit` for more
+# details.
+
+# .. envvar:: ldap__base_dn [[[
+#
+# The Base Distinguished Name (BaseDN) used in the LDAP directory, defined in
+# a YAML list format. By default, OpenLDAP service in Debian uses the host DNS
+# domain to create the directory BaseDN, that's why this role uses the DNS
+# domain to construct the BaseDN on the client side.
+#
+# This variable can be used in Ansible playbooks that include the
+# :ref:`debops.ldap` role to join other YAML list-based RDNs together.
+ldap__base_dn: '{{ ldap__domain.split(".")
+                   | map("regex_replace", "^(.*)$", "dc=\1")
+                   | list }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__basedn [[[
+#
+# The Base Distinguished Name (BaseDN) used in the LDAP directory, defined as
+# a comma-delimited string.
+#
+# This variable can be used in Ansible playbooks that include the
+# :ref:`debops.ldap` role to join other string-based RDNs together.
+ldap__basedn: '{{ ldap__base_dn | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__people_rdn [[[
+#
+# The RDN added to the BaseDN that contains the personal LDAP objects, for
+# example ``inetOrgPerson``.
+ldap__people_rdn: 'ou=People'
+
+                                                                   # ]]]
+# .. envvar:: ldap__system_groups_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP System Group objects, for
+# example ``groupOfNames`` or ``groupOfUniqueNames``. This group is used for
+# internal LDAP administration.
+#
+# This variable is obsolete and will be removed in the future.
+ldap__system_groups_rdn: 'ou=System Groups'
+
+                                                                   # ]]]
+# .. envvar:: ldap__groups_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP Group objects, for example
+# ``groupOfNames`` or ``groupOfUniqueNames``.
+ldap__groups_rdn: 'ou=Groups'
+
+                                                                   # ]]]
+# .. envvar:: ldap__hosts_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP Host objects, for example
+# ``device``, that allow different devices access to the LDAP directory. This
+# branch is meant to be used for servers and devices managed by the IT
+# department.
+ldap__hosts_rdn: 'ou=Hosts'
+
+                                                                   # ]]]
+# .. envvar:: ldap__machines_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP Machine objects, for example
+# ``device``, that allow different devices access to the LDAP directory. This
+# branch is meant to be used for client machines that require access to the
+# LDAP directory.
+ldap__machines_rdn: 'ou=Machines'
+
+                                                                   # ]]]
+# .. envvar:: ldap__roles_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP Role objects, for example
+# ``organizationalRole``.
+ldap__roles_rdn: 'ou=Roles'
+
+                                                                   # ]]]
+# .. envvar:: ldap__services_rdn [[[
+#
+# The RDN added to the BaseDN that contains LDAP Service objects, for example
+# ``account``, that belong to the cluster-wide services, as opposed to
+# a service that exists on a specific machine.
+ldap__services_rdn: 'ou=Services'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP device object configuration [[[
+# ------------------------------------
+
+# These variables define the "LDAP device object" the :ref:`debops.ldap` role
+# will create in the LDAP directory for a given host it is executed against.
+# This object will be used as a base DN to create additional LDAP objects
+# required by other DebOps roles, for example bind accounts.
+
+# .. envvar:: ldap__device_enabled [[[
+#
+# Enable or disable management of the "LDAP device object" in the LDAP
+# directory. Disabling this functionality might make some of the DebOps roles
+# that depend on access to the LDAP directory unusable.
+ldap__device_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_separate_domains [[[
+#
+# By default, hosts managed by DebOps will be put in an additional directory
+# level based on their DNS domain, to make the management of large environments
+# easier. If you have small number of hosts in the LDAP directory, you can
+# disable this variable to not create additional level in the directory
+# structure.
+ldap__device_separate_domains: True
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_domain [[[
+#
+# The DNS domain used to create an LDAP ``dNSDomain`` object to hold hosts in
+# the same domain together.
+ldap__device_domain: '{{ ldap__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_fqdn [[[
+#
+# The Fully Qualified Domain Name of a given remote host. This value will be
+# used to build the Distinguished Name of the LDAP object that represents this
+# device.
+ldap__device_fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_aliases [[[
+#
+# List of additional DNS names for a given device. They will be added as ``cn``
+# attributes in the LDAP device object.
+ldap__device_aliases: [ '{{ ansible_hostname }}' ]
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_ip_addresses [[[
+#
+# List of IPv6/IPv4 addresses of the remote host which will be included in the
+# LDAP device object ``ipHostNumber`` attributes.
+#
+# Only the externally accessible addresses will be added, any internal bridges
+# or other network interfaces not reachable directly from outside the
+# host will be skipped. The :rfc:`1918` addresses will also be added in the
+# attributes, if they are configured to be reachable from outside of the host.
+ldap__device_ip_addresses: '{{ lookup("template", "lookup/ldap__device_ip_addresses.j2",
+                                      convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_ip_iface_regex [[[
+#
+# Regex used to determine which network interfaces to consider for inclusion
+# in the LDAP device object ``ipHostNumber`` attributes.
+ldap__device_ip_iface_regex: '^(bond|en|eth|vlan|mv-|host)'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_mac_addresses [[[
+#
+# List of Media Access Control (MAC) addresses of the remote host which will be
+# included in the LDAP device object ``macAddress`` attributes.
+#
+# Only the Ethernet network interfaces, or their equivalents in the virtual
+# machines or containers, will be included in the list. Any other types of
+# network devices will be skipped.
+#
+# The 'unique' filter is used here to prevent adding duplicate MAC addresses to
+# the device object. This could otherwise cause problems when the host employs
+# network bonding (where the MAC addresses of the physical interfaces can become
+# the same).
+ldap__device_mac_addresses: '{{ lookup("template", "lookup/ldap__device_mac_addresses.j2",
+                                       convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_mac_iface_regex [[[
+#
+# Regex used to determine which network interfaces to consider for inclusion
+# in the LDAP device object ``macAddress`` attributes.
+ldap__device_mac_iface_regex: '^(en|eth|mv-)'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_self_rdn [[[
+#
+# The Relative Distinguished Name of the remote host LDAP object managed by
+# DebOps.
+ldap__device_self_rdn: 'cn={{ ldap__device_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_domain_rdn [[[
+#
+# The Relative Distinguished Name of the domain LDAP object which will contain
+# all device objects in that domain, if enabled.
+ldap__device_domain_rdn: 'dc={{ ldap__device_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_branch_rdn [[[
+#
+# The Relative Distinguished Name of the main LDAP directory branch where the
+# remote hosts managed by DebOps will be added, along with the separate
+# ``domain`` LDAP objects.
+ldap__device_branch_rdn: '{{ ldap__hosts_rdn }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_dn [[[
+#
+# The Distinguished Name of the LDAP object that will represent the host
+# managed by DebOps in the LDAP directory, defined as a YAML list. This value
+# will be available using the ``ansible_local.ldap.device_dn`` Ansible local
+# fact, from where other Ansible roles can use it to construct Distinguished
+# Names relative to the hosts' own LDAP object.
+ldap__device_dn: '{{ q("flattened", [ldap__device_self_rdn]
+                                    + ([ldap__device_domain_rdn]
+                                       if ldap__device_separate_domains | bool
+                                       else [])
+                                    + [ldap__device_branch_rdn]
+                                    + ldap__base_dn) }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_managers [[[
+#
+# The list of Distinguished Names of the host managers (system administrators
+# or other people responsible for a given host), stored in the LDAP device
+# object in the ``manager`` attribute. By default the current Ansible user will
+# be set as a manager; any other Ansible users who apply the :ref:`debops.ldap`
+# role against the same host will be automatically added as managers as well.
+ldap__device_managers: [ '{{ ldap__admin_dn | join(",") }}' ]
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_domain_object_classes [[[
+#
+# List of LDAP ``objectClass`` names which will be used to create the
+# ``domain`` LDAP object, when enabled.
+ldap__device_domain_object_classes: [ 'domain' ]
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_domain_attributes [[[
+#
+# YAML dictionary which contains the LDAP object attributes which are required
+# to create the ``domain`` LDAP object.
+ldap__device_domain_attributes:
+  dc: '{{ ldap__device_domain_rdn.split("=")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_object_classes [[[
+#
+# List of LDAP ``objectClass`` names which will be used to create the LDAP
+# device object.
+ldap__device_object_classes: '{{ ["device", "ieee802Device", "ipHost"]
+                                 + ([]
+                                    if (ansible_virtualization_role == "guest" and
+                                        ansible_virtualization_type in ["lxc", "docker", "openvz"])
+                                    else ["bootableDevice"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__device_attributes [[[
+#
+# YAML dictionary which contains the LDAP object attributes of the device
+# object. Some of these attributes (``cn``, ``ipHostNumber``) are required for
+# the object creation by the LDAP schema, others are included as a convenience.
+#
+# These attributes will be used to update the existing LDAP device object as
+# well on any changes.
+ldap__device_attributes:
+  cn: '{{ ([ldap__device_self_rdn.split("=")[1]] + ldap__device_aliases) | unique }}'
+  ipHostNumber: '{{ ldap__device_ip_addresses }}'
+  macAddress:   '{{ ldap__device_mac_addresses }}'
+  manager:      '{{ ldap__device_managers }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# POSIX environment [[[
+# ---------------------
+
+# These variables define default parameters of the POSIX environment expected
+# by the LDAP directory. See :ref:`ldap__ref_posix` for more details.
+#
+# Ref: https://github.com/systemd/systemd/blob/master/docs/UIDS-GIDS.md
+#
+# .. note:: When the values of the variables are updated here, rmember to
+#    update the corresponding variables in the :ref:`debops.slapd` role for
+#    consistency.
+
+# .. envvar:: ldap__uid_gid_min [[[
+#
+# First UID/GID which is considered to be managed by the LDAP directory and not
+# by the local NSS database.
+ldap__uid_gid_min: '2000000000'
+
+                                                                   # ]]]
+# .. envvar:: ldap__groupid_min [[[
+#
+# First UID/GID reserved for shared groups in the LDAP directory. Default: the
+# same as the start of the LDAP directory UID/GID range.
+ldap__groupid_min: '{{ ldap__uid_gid_min }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__groupid_max [[[
+#
+# Last UID/GID reserved for shared groups in the LDAP directory. Higher UID/GID
+# numbers are meant to be used for people, machine or service accounts with
+# matching User Private Groups. Default: 2001999999
+#
+# Ref: https://wiki.debian.org/UserPrivateGroups
+ldap__groupid_max: '{{ ldap__uid_gid_min | int + 1999999 }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__uid_gid_max [[[
+#
+# Last UID/GID which is considered to be managed by the LDAP directory and not
+# by the local NSS database. Default: 2099999999
+ldap__uid_gid_max: '{{ ldap__uid_gid_min | int + 99999999 }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__home [[[
+#
+# Specify the base path of the home directories managed in LDAP using the
+# ``homeDirectory`` attribute.
+ldap__home: '/home'
+
+                                                                   # ]]]
+# .. envvar:: ldap__shell [[[
+#
+# Specify the default shell for accounts managed in LDAP using the
+# ``loginShell`` attribute.
+ldap__shell: '/bin/bash'
+                                                                   # ]]]
+                                                                   # ]]]
+# Host-based access control [[[
+# -----------------------------
+
+# Lists below define URN-like patterns which can be used by other Ansible roles
+# to implement host-based access control. The list of URN patterns defined on
+# a given host is available via Ansible local facts.
+# See :ref:`ldap__ref_ldap_access_host` for more details.
+#
+# The lists are flattened in the fact script, you can use an empty list to
+# enable or disable an URN pattern conditionally.
+
+# .. envvar:: ldap__default_urn_patterns [[[
+#
+# List of the URN-like patterns defined by the role.
+ldap__default_urn_patterns:
+
+  - '{{ ("deploy:" + ansible_local.machine.deployment)
+        if (ansible_local.machine.deployment | d())
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__urn_patterns [[[
+#
+# List of the URN-like patterns defined on all hosts in the Ansible inventory.
+ldap__urn_patterns: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__group_urn_patterns [[[
+#
+# List of the URN-like patterns defined on hosts in a specific Ansible
+# inventory group.
+ldap__group_urn_patterns: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__host_urn_patterns [[[
+#
+# List of the URN-like patterns defined on specific hosts in the Ansible
+# inventory.
+ldap__host_urn_patterns: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__combined_urn_patterns [[[
+#
+# Variable which combines all other URN pattern lists and is used in role
+# templates.
+ldap__combined_urn_patterns: '{{ ldap__default_urn_patterns
+                                 + ldap__urn_patterns
+                                 + ldap__group_urn_patterns
+                                 + ldap__host_urn_patterns }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System-wide LDAP configuration [[[
+# ----------------------------------
+
+# These variables define contents of the :file:`/etc/ldap/ldap.conf`
+# configuration file. See :ref:`ldap__ref_configuration` for more details.
+
+# .. envvar:: ldap__default_configuration [[[
+#
+# List of the default configuration options for system-wide LDAP support,
+# defined by the role.
+ldap__default_configuration:
+
+  - name: 'base'
+    value: '{{ ldap__basedn }}'
+
+  - name: 'uri'
+    value: '{{ ldap__servers_uri }}'
+
+  - name: 'sizelimit'
+    value: '12'
+    state: 'comment'
+    separator: True
+
+  - name: 'timelimit'
+    value: '15'
+    state: 'comment'
+
+  - name: 'deref'
+    value: 'never'
+    state: 'comment'
+
+  - name: 'tls_cacert'
+    comment: 'TLS certificates (needed for GnuTLS)'
+    value: '/etc/ssl/certs/ca-certificates.crt'
+
+  - name: 'tls_reqcert'
+    value: 'demand'
+
+                                                                   # ]]]
+# .. envvar:: ldap__configuration [[[
+#
+# List of the configuration options for system-wide LDAP support, defined on
+# all hosts in the Ansible inventory.
+ldap__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__group_configuration [[[
+#
+# List of the configuration options for system-wide LDAP support, defined on
+# hosts in a specific Ansible inventory group.
+ldap__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__host_configuration [[[
+#
+# List of the configuration options for system-wide LDAP support, defined on
+# specific hosts in the Ansible inventory.
+ldap__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__combined_configuration [[[
+#
+# The variable which combines all other system-wide configuration variables and
+# is used in the Ansible tasks and templates.
+ldap__combined_configuration: '{{ ldap__default_configuration
+                                  + ldap__configuration
+                                  + ldap__group_configuration
+                                  + ldap__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP administrative access [[[
+# ------------------------------
+
+# These variables define configuration of the administrative access to the LDAP
+# directory, required to perform LDAP tasks by Ansible on behalf of the system
+# administrator. See :ref:`ldap__ref_admin` for more details.
+
+# .. envvar:: ldap__admin_enabled [[[
+#
+# Enable or disable support for performing LDAP tasks on behalf of the LDAP
+# Administrator. This feature will be enabled if the password is available to
+# allow binding to the LDAP directory.
+ldap__admin_enabled: '{{ True if ldap__fact_admin_bindpw | d() else False }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_passwordstore_path [[[
+#
+# The relative path in the :command:`pass` password database, where personal
+# LDAP credentials can be found by the role. See :ref:`ldap__ref_admin_pass`
+# for more details. This variable can be used in Ansible playbooks that use the
+# :ref:`debops.ldap` role to create and update admin credentials.
+ldap__admin_passwordstore_path: 'debops/ldap/credentials'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_rdn [[[
+#
+# The Relative Distinguished Name of the personal account of the person who
+# uses the Ansible playbooks. By default derived from the local UNIX account
+# name which is assumed to be the same in the LDAP directory. This account
+# should have sufficient privileges to manage the LDAP directory objects
+# operated on by the playbooks.
+ldap__admin_rdn: '{{ "uid=" + lookup("env", "USER") }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_dn [[[
+#
+# The Distinguished Name of the system administrator account, defined as a YAML
+# list.
+ldap__admin_dn: '{{ [ldap__admin_rdn, ldap__people_rdn] + ldap__base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_binddn [[[
+#
+# The LDAP BindDN value which will be used to bind to the LDAP directory for
+# administrative tasks. It can be overridden on the Ansible Controller through
+# use of the environment variables.
+ldap__admin_binddn: '{{ lookup("env", "DEBOPS_LDAP_ADMIN_BINDDN")
+                        | d(ldap__admin_dn | join(","), True) }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_bindpw [[[
+#
+# The LDAP BindPW value which will be used to bind to the LDAP directory for
+# administrative tasks. It can be overridden on the Ansible Controller through
+# use of the environment variables. See :ref:`ldap__ref_admin_pass` for more
+# details.
+ldap__admin_bindpw: '{{ (lookup("env", "DEBOPS_LDAP_ADMIN_BINDPW")
+                         if lookup("env", "DEBOPS_LDAP_ADMIN_BINDPW") | d()
+                         else (lookup("file", secret + "/ldap/credentials/"
+                                              + ldap__admin_binddn | to_uuid
+                                              + ".password")
+                               if lookup("first_found",
+                                         [secret + "/ldap/credentials/"
+                                          + ldap__admin_binddn | to_uuid
+                                          + ".password"],
+                                         skip=True, errors="ignore")
+                               else lookup("passwordstore",
+                                           ldap__admin_passwordstore_path + "/"
+                                           + ldap__admin_binddn | to_uuid
+                                           + " create=false", errors="ignore")))
+                        if ldap__enabled | bool else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_server_uri [[[
+#
+# The LDAP URI that defines the connection to use for LDAP tasks performed by
+# Ansible on behalf of the system administrator.
+ldap__admin_server_uri: '{{ ldap__servers_uri | first }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_delegate_to [[[
+#
+# By default all LDAP tasks are delegated to the Ansible Controller to allow
+# access to credentials stored locally by the current Ansible user. This
+# variable allows to delegate to another host than the Ansible Controller to
+# perform the LDAP tasks there.
+ldap__admin_delegate_to: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_become [[[
+#
+# By default the LDAP tasks delegated to the Ansible Controller will be
+# executed without performing privilege escalation on the Controller host. If
+# you need to to escalate privileges on a remote host to which the LDAP tasks
+# have been delegated, you can enable this here.
+ldap__admin_become: False
+
+                                                                   # ]]]
+# .. envvar:: ldap__admin_become_user [[[
+#
+# Specify the UNIX account to which perform the privilege escalation, if
+# enabled in the previous variable.
+ldap__admin_become_user: 'root'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP tasks and operations [[[
+# -----------------------------
+
+# These variables define a list of LDAP tasks to perform in the LDAP directory,
+# when the administrative access is available. See :ref:`ldap__ref_tasks` for
+# more details.
+
+# .. envvar:: ldap__default_tasks [[[
+#
+# List of LDAP tasks to perform in the LDAP directory, defined by the role.
+ldap__default_tasks:
+
+  - name: 'Ensure that {{ ldap__hosts_rdn }} object exists in LDAP directory'
+    dn: '{{ [ldap__hosts_rdn] + ldap__base_dn }}'
+    objectClass: [ 'organizationalStructure' ]
+    attributes:
+      ou: '{{ ldap__hosts_rdn.split("=")[1] }}'
+      description: 'Servers and other data center equipment'
+
+  - name: 'Create domain object for {{ ldap__device_dn | join(",") }}'
+    dn: '{{ [ldap__device_domain_rdn, ldap__device_branch_rdn]
+            + ldap__base_dn }}'
+    objectClass: '{{ ldap__device_domain_object_classes }}'
+    attributes: '{{ ldap__device_domain_attributes }}'
+    state: '{{ "present"
+               if (ldap__device_enabled | bool and
+                   ldap__device_separate_domains | bool)
+               else "ignore" }}'
+
+  - name: 'Create device object for {{ ldap__device_dn | join(",") }}'
+    dn: '{{ ldap__device_dn }}'
+    objectClass: '{{ ldap__device_object_classes }}'
+    attributes: '{{ ldap__device_attributes }}'
+    state: '{{ "present"
+               if (ldap__device_enabled | bool)
+               else "ignore" }}'
+
+  - name: 'Update device object for {{ ldap__device_dn | join(",") }}'
+    dn: '{{ ldap__device_dn }}'
+    attributes: '{{ ldap__device_attributes }}'
+    state: '{{ "present"
+               if (ldap__fact_configured | bool and
+                   ldap__device_enabled | bool)
+               else ("exact"
+                     if (ldap__device_enabled | bool)
+                     else "ignore") }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__tasks [[[
+#
+# List of LDAP tasks to perform in the LDAP directory, defined on all hosts in
+# the Ansible inventory.
+ldap__tasks: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__group_tasks [[[
+#
+# List of LDAP tasks to perform in the LDAP directory, defined on hosts in
+# specific Ansible inventory group.
+ldap__group_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__host_tasks [[[
+#
+# List of LDAP tasks to perform in the LDAP directory, defined on specific
+# hosts in the Ansible inventory.
+ldap__host_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__dependent_tasks [[[
+#
+# List of the LDAP tasks to perform in the LDAP directory, defined by other
+# Ansible roles or playbooks.
+ldap__dependent_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: ldap__combined_tasks [[[
+#
+# The variable that combines the lists of LDAP tasks in other variables and is
+# used in role tasks. By default :ref:`debops.ldap` role will execute LDAP
+# tasks defined in Ansible inventory when run standalone, and will skip them if
+# it detects the usage as a dependency by another role.
+ldap__combined_tasks: '{{ ldap__dependent_tasks
+                          if (ldap__fact_configured | bool and
+                              ldap__dependent_tasks | d())
+                          else (ldap__default_tasks
+                                + ldap__tasks
+                                + ldap__group_tasks
+                                + ldap__host_tasks
+                                + ldap__dependent_tasks) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: ldap__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+ldap__python__dependent_packages3:
+
+  - '{{ ([]
+         if (ansible_distribution_release in
+             (["stretch", "trusty", "xenial"]))
+         else "python3-ldap")
+        if ldap__enabled | bool
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: ldap__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+ldap__python__dependent_packages2:
+
+  - '{{ "python-ldap" if ldap__enabled | bool else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ldap/meta/main.yml b/ansible_collections/debops/debops/roles/ldap/meta/main.yml
new file mode 100644
index 00000000..dbc48334
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage system-wide LDAP configuration and directory objects'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ldap
+    - openldap
diff --git a/ansible_collections/debops/debops/roles/ldap/tasks/ldap_tasks.yml b/ansible_collections/debops/debops/roles/ldap/tasks/ldap_tasks.yml
new file mode 100644
index 00000000..836c95f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/tasks/ldap_tasks.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  community.general.ldap_entry:
+    dn:          '{{ item.dn if (item.dn is string) else item.dn | join(",") }}'
+    objectClass: '{{ item.objectClass | d(omit) }}'
+    attributes:  '{{ item.attributes | d(omit) }}'
+    state:       '{{ item.entry_state | d(item.state) }}'
+    server_uri:  '{{ ldap__admin_server_uri }}'
+    start_tls:   '{{ ldap__start_tls }}'
+    bind_dn:     '{{ ldap__admin_binddn }}'
+    bind_pw:     '{{ ldap__fact_admin_bindpw }}'
+  become:      '{{ ldap__admin_become }}'
+  become_user: '{{ ldap__admin_become_user if ldap__admin_become_user | d() else omit }}'
+  delegate_to: '{{ ldap__admin_delegate_to if ldap__admin_delegate_to | d() else omit }}'
+  run_once:    '{{ item.run_once | d(False) }}'
+  when: (item.objectClass | d() or item.entry_state | d()) and item.state not in ['init', 'ignore']
+  tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
+  no_log: '{{ debops__no_log | d(item.no_log | d(True
+                                 if ("userPassword" in (item.attributes | d({})).keys() or
+                                     "olcRootPW" in (item.attributes | d({})).keys())
+                                 else False)) }}'
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  debops.debops.ldap_attrs:
+    dn:         '{{ item.dn if (item.dn is string) else item.dn | join(",") }}'
+    attributes: '{{ item.attributes | d({}) }}'
+    ordered:    '{{ item.ordered | d(False) }}'
+    state:      '{{ item.state }}'
+    server_uri: '{{ ldap__admin_server_uri }}'
+    start_tls:  '{{ ldap__start_tls }}'
+    bind_dn:    '{{ ldap__admin_binddn }}'
+    bind_pw:    '{{ ldap__fact_admin_bindpw }}'
+  become:      '{{ ldap__admin_become }}'
+  become_user: '{{ ldap__admin_become_user if ldap__admin_become_user | d() else omit }}'
+  delegate_to: '{{ ldap__admin_delegate_to if ldap__admin_delegate_to | d() else omit }}'
+  run_once:    '{{ item.run_once | d(False) }}'
+  when: not item.objectClass | d() and not item.entry_state | d() and item.state not in ['init', 'ignore']
+  tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
+  no_log: '{{ debops__no_log | d(item.no_log | d(True
+                                 if ("userPassword" in (item.attributes | d({})).keys() or
+                                     "olcRootPW" in (item.attributes | d({})).keys())
+                                 else False)) }}'
diff --git a/ansible_collections/debops/debops/roles/ldap/tasks/main.yml b/ansible_collections/debops/debops/roles/ldap/tasks/main.yml
new file mode 100644
index 00000000..ebd3979b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Take note of the current LDAP configuration
+  ansible.builtin.set_fact:
+
+    # Track the changes in the configuration state
+    # between role executions in the same play.
+    ldap__fact_configured: '{{ ldap__configured }}'
+
+    # Re-instantiate dependent variables to evaluate variables that use them.
+    # Without this, dependent variables may contain outdated configuration.
+    ldap__fact_dependent_tasks: '{{ ldap__dependent_tasks }}'
+  tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
+
+- name: Install packages required for LDAP support
+  ansible.builtin.package:
+    name: '{{ q("flattened", ldap__base_packages + ldap__packages) }}'
+    state: 'present'
+  register: ldap__register_packages
+  until: ldap__register_packages is succeeded
+  when: ldap__enabled | bool and not ldap__dependent_play | bool
+
+- name: Divert original LDAP client configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/ldap/ldap.conf'
+  when: ldap__enabled | bool and not ldap__dependent_play | bool
+
+- name: Generate system-wide LDAP configuration
+  ansible.builtin.template:
+    src: 'etc/ldap/ldap.conf.j2'
+    dest: '/etc/ldap/ldap.conf'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: ldap__enabled | bool and not ldap__dependent_play | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: ldap__enabled | bool and not ldap__dependent_play | bool
+
+- name: Save LDAP client local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ldap.fact.j2'
+    dest: '/etc/ansible/facts.d/ldap.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: ldap__enabled | bool and not ldap__dependent_play | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Check if LDAP admin password is available
+  ansible.builtin.set_fact:
+    ldap__fact_admin_bindpw: '{{ ldap__admin_bindpw }}'
+  become: '{{ ldap__admin_become }}'
+  become_user: '{{ ldap__admin_become_user }}'
+  delegate_to: '{{ ldap__admin_delegate_to }}'
+  run_once: True
+  tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
+
+- name: Perform LDAP tasks
+  ansible.builtin.include_tasks: 'ldap_tasks.yml'
+  loop: '{{ q("flattened", ldap__combined_tasks) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"state": item.state,
+                "dn": item.dn,
+                "attributes": item.attributes | d({})} }}'
+  when: ldap__enabled | bool and ldap__admin_enabled | bool and
+        item.name | d() and item.dn | d() and
+        item.state | d('present') not in [ 'init', 'ignore' ]
+  tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
+  no_log: '{{ debops__no_log | d(item.no_log | d(True
+                                 if ("userPassword" in (item.attributes | d({})).keys() or
+                                     "olcRootPW" in (item.attributes | d({})).keys())
+                                 else False)) }}'
diff --git a/ansible_collections/debops/debops/roles/ldap/templates/etc/ansible/facts.d/ldap.fact.j2 b/ansible_collections/debops/debops/roles/ldap/templates/etc/ansible/facts.d/ldap.fact.j2
new file mode 100644
index 00000000..d09590e8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/templates/etc/ansible/facts.d/ldap.fact.j2
@@ -0,0 +1,109 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+try:
+    import ldap
+except ImportError:
+    pass
+
+
+config_file = '/etc/ldap/ldap.conf'
+
+output = loads('''{{ {"configured": False,
+                      "enabled": ldap__enabled | bool,
+                      "posix_enabled": ldap__posix_enabled | bool,
+                      "system_groups_rdn": ldap__system_groups_rdn,
+                      "groups_rdn": ldap__groups_rdn,
+                      "hosts_rdn": ldap__hosts_rdn,
+                      "machines_rdn": ldap__machines_rdn,
+                      "people_rdn": ldap__people_rdn,
+                      "roles_rdn": ldap__roles_rdn,
+                      "services_rdn": ldap__services_rdn,
+                      "device_dn": (ldap__device_dn
+                                    if ldap__device_enabled | bool
+                                    else []),
+                      "uid_gid_min": ldap__uid_gid_min,
+                      "groupid_min": ldap__groupid_min,
+                      "groupid_max": ldap__groupid_max,
+                      "uid_gid_max": ldap__uid_gid_max,
+                      "home": ldap__home,
+                      "shell": ldap__shell,
+                      "urn_patterns": (ldap__combined_urn_patterns
+                                       | flatten)
+                     } | to_nice_json }}''')
+
+if os.path.exists(config_file) and os.path.isfile(config_file):
+
+    try:
+        conf = []
+        with open(config_file, 'r') as f:
+            for line in f:
+                if not line.startswith('#') and line.strip():
+
+                    line = line.strip().split()
+                    key = line[0].lower()
+                    value = line[1]
+                    raw_value = line[1]
+
+                    if key in ['uri', 'host']:
+                        value = line[1:]
+                        raw_value = ' '.join(line[1:])
+                    elif key in ['base']:
+                        value = ' '.join(line[1:])
+                        raw_value = ' '.join(line[1:])
+                    elif key in ['referrals', 'gssapi_sign', 'gssapi_encrypt',
+                                 'gssapi_allow_remote_principal']:
+                        if line[1].lower() in ['on', 'true', 'yes']:
+                            value = True
+                        elif line[1].lower() in ['off', 'false', 'no']:
+                            value = False
+
+                    conf.append({key: raw_value})
+
+                    if key == 'base':
+                        output['base_dn'] = (
+                                ldap.dn.explode_dn(value.encode()))
+                        output['basedn'] = (
+                                ldap.dn.dn2str(
+                                    ldap.dn.str2dn(value.encode())))
+
+                    elif key == 'uri':
+                        hosts = []
+                        for url in value:
+                            parts = url.split('://', 1)
+                            output['protocol'] = parts[0]
+                            if output['protocol'] == 'ldap':
+                                output['port'] = '389'
+                            elif output['protocol'] == 'ldaps':
+                                output['port'] = '636'
+
+                            hosts.append(parts[1].split('/', 1)[0])
+                        output['uri'] = value
+                        output['hosts'] = hosts
+
+                    else:
+                        output.update({key: value})
+
+            if output['protocol'] == 'ldap':
+                output['start_tls'] = True
+            elif output['protocol'] == 'ldaps':
+                output['start_tls'] = False
+
+        if output['enabled']:
+            output['configured'] = True
+            output['conf'] = conf
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/ldap/templates/etc/ldap/ldap.conf.j2 b/ansible_collections/debops/debops/roles/ldap/templates/etc/ldap/ldap.conf.j2
new file mode 100644
index 00000000..98fafb9e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/templates/etc/ldap/ldap.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+{% for option in ldap__combined_configuration | debops.debops.parse_kv_config %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if option.separator | bool and not option.comment | d() and not loop.first %}
+
+{%     endif %}
+{%     if option.comment | d() %}
+
+{{ option.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{{ '{}{}\t{}{}'.format(('#' if (option.state | d('present') == 'comment') else ''), option.name | upper, ('\t' if (option.name | count < 8) else ''), (option.value if option.value is string else (option.value | selectattr("name", "defined") | map(attribute="name") | list | join(' ')))) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_ip_addresses.j2 b/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_ip_addresses.j2
new file mode 100644
index 00000000..425d576c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_ip_addresses.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ldap__tpl_device_interfaces = [] %}
+{% set ldap__tpl_device_masters = [] %}
+{% set ldap__tpl_device_ip_addresses = [] %}
+{% for item in ansible_interfaces %}
+{%   set iface = (item | replace('-','_') | regex_replace('^(.*)$', 'ansible_\\1')) %}
+{%   if item | regex_search(ldap__device_ip_iface_regex) %}
+{%     set _ = ldap__tpl_device_interfaces.append(iface) %}
+{%   elif hostvars[inventory_hostname][iface].type | d('ether') == 'bridge' %}
+{%     set _ = ldap__tpl_device_masters.append(iface) %}
+{%   endif %}
+{% endfor %}
+{% for iface in ldap__tpl_device_interfaces %}
+{%   if hostvars[inventory_hostname][iface].ipv6 | d() %}
+{%     for element in hostvars[inventory_hostname][iface].ipv6 %}
+{%       set address = element.address + '/' + element.prefix %}
+{%       if not address | ansible.utils.ipv6('link-local') %}
+{%         set _ = ldap__tpl_device_ip_addresses.append(element.address) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if hostvars[inventory_hostname][iface].ipv4 | d() %}
+{%     if hostvars[inventory_hostname][iface].ipv4.address | d() %}
+{%       set _ = ldap__tpl_device_ip_addresses.append(hostvars[inventory_hostname][iface].ipv4.address) %}
+{%     endif %}
+{%     if hostvars[inventory_hostname][iface].ipv4_secondaries | d() %}
+{%       for element in hostvars[inventory_hostname][iface].ipv4_secondaries %}
+{%         set _ = ldap__tpl_device_ip_addresses.append(element.address) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% for iface in ldap__tpl_device_masters %}
+{%   if hostvars[inventory_hostname][iface].interfaces | d() %}
+{%     if hostvars[inventory_hostname][iface].interfaces | intersect(ldap__tpl_device_interfaces) %}
+{%       if hostvars[inventory_hostname][iface].ipv6 | d() %}
+{%         for element in hostvars[inventory_hostname][iface].ipv6 %}
+{%           set address = element.address + '/' + element.prefix %}
+{%           if not address | ansible.utils.ipv6('link-local') %}
+{%             set _ = ldap__tpl_device_ip_addresses.append(element.address) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       if hostvars[inventory_hostname][iface].ipv4 | d() %}
+{%         if hostvars[inventory_hostname][iface].ipv4.address | d() %}
+{%           set _ = ldap__tpl_device_ip_addresses.append(hostvars[inventory_hostname][iface].ipv4.address) %}
+{%         endif %}
+{%       endif %}
+{%       if hostvars[inventory_hostname][iface].ipv4_secondaries | d() %}
+{%         for element in hostvars[inventory_hostname][iface].ipv4_secondaries %}
+{%           set _ = ldap__tpl_device_ip_addresses.append(element.address) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ ldap__tpl_device_ip_addresses | unique }}
diff --git a/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_mac_addresses.j2 b/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_mac_addresses.j2
new file mode 100644
index 00000000..3c95e8f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ldap/templates/lookup/ldap__device_mac_addresses.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ldap__tpl_device_mac_addresses = [] %}
+{% for item in ansible_interfaces %}
+{%   if item | regex_search(ldap__device_mac_iface_regex) %}
+{%     set iface = (item | replace('-','_') | regex_replace('^(.*)$', 'ansible_\\1')) %}
+{%     if hostvars[inventory_hostname][iface].macaddress | d() %}
+{%       set _ = ldap__tpl_device_mac_addresses.append(hostvars[inventory_hostname][iface].macaddress) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ ldap__tpl_device_mac_addresses | unique }}
diff --git a/ansible_collections/debops/debops/roles/librenms/COPYRIGHT b/ansible_collections/debops/debops/roles/librenms/COPYRIGHT
new file mode 100644
index 00000000..b64c5951
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.librenms - Manage LibreNMS service using Ansible
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/librenms/defaults/main.yml b/ansible_collections/debops/debops/roles/librenms/defaults/main.yml
new file mode 100644
index 00000000..329e7985
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/defaults/main.yml
@@ -0,0 +1,581 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _librenms__ref_defaults:
+
+# debops.librenms default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# System packages [[[
+# -------------------
+
+# .. envvar:: librenms__base_packages [[[
+#
+# List of base packages required by LibreNMS.
+librenms__base_packages:
+  - [ 'snmp', 'imagemagick', 'fping', 'whois', 'mtr-tiny',
+      'rrdtool', 'nmap', ]
+  - '{{ "snmp-mibs-downloader"
+        if (ansible_local | d() and ansible_local.apt | d() and
+            (ansible_local.apt.nonfree | d()) | bool)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__monitoring_packages [[[
+#
+# List of monitoring packages to install (some distributions didn't rename the
+# old packages and they need overrides).
+librenms__monitoring_packages: '{{ librenms__monitoring_packages_map[ansible_distribution]
+                                   | d(["monitoring-plugins"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__monitoring_packages_map [[[
+#
+# Map of monitoring packages for different distributions.
+librenms__monitoring_packages_map:
+  'Ubuntu': [ 'nagios-plugins' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__packages [[[
+#
+# List of additional packages installed with LibreNMS.
+librenms__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Webserver configuration [[[
+# ---------------------------
+
+# .. envvar:: librenms__fqdn [[[
+#
+# FQDN of the LibreNMS webpage, configured in ``nginx``.
+librenms__fqdn: 'nms.{{ librenms__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__domain [[[
+#
+# Default domain used by the LibreNMS service.
+librenms__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__base_url [[[
+#
+# You can use this to force a particular hostname or port in LibreNMS, to for
+# example publish it behind a HTTP proxy.
+librenms__base_url: '/'
+
+                                                                   # ]]]
+# .. envvar:: librenms__nginx_auth_realm [[[
+#
+# Text displayed in the nginx HTTP Auth window when access policy is enabled.
+librenms__nginx_auth_realm: 'LibreNMS access is restricted'
+
+                                                                   # ]]]
+# .. envvar:: librenms__nginx_access_policy [[[
+#
+# Name of the "nginx access policy" for LibreNMS webpage. See ``debops.nginx``
+# Ansible role for more details.
+librenms__nginx_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: librenms__webserver_user [[[
+#
+# Name of the webserver user account which will be granted read only access to
+# the LibreNMS application directory.
+librenms__webserver_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application user, group, directories [[[
+# ----------------------------------------
+
+# .. envvar:: librenms__user [[[
+#
+# Name of the system user account for LibreNMS application.
+librenms__user: 'librenms'
+
+                                                                   # ]]]
+# .. envvar:: librenms__group [[[
+#
+# Name of the system group for LibreNMS application.
+librenms__group: 'librenms'
+
+                                                                   # ]]]
+# .. envvar:: librenms__shell [[[
+#
+# Shell configured on LibreNMS account.
+librenms__shell: '/bin/bash'
+
+                                                                   # ]]]
+# .. envvar:: librenms__home [[[
+#
+# Home directory of the LibreNMS application.
+librenms__home: '{{ ansible_local.nginx.www | d("/srv/www") + "/" + librenms__user }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__install_path [[[
+#
+# Path where LibreNMS application source will be installed, this directory
+# should be readable by the webserver.
+librenms__install_path: '{{ librenms__home + "/sites/public" }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__data_path [[[
+#
+# Path where LibreNMS application data is stored, this directory should be set
+# outside of the webserver root directory.
+librenms__data_path: '{{ (ansible_local.fhs.data | d("/srv"))
+                         + "/" + librenms__user }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__rrd_dir [[[
+#
+# Path where LibreNMS RRD files are stored.
+librenms__rrd_dir: '{{ librenms__data_path + "/rrd" }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__log_dir [[[
+#
+# Path where LibreNMS logs are stored.
+librenms__log_dir: '{{ (ansible_local.fhs.log | d("/var/log"))
+                       + "/librenms" }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_mode [[[
+#
+# LibreNMS config mode. This allows to override the default config mode
+# so that the other system users (i.e. syslog) could execute scripts
+# such as syslog.php.
+librenms__config_mode: '0600'
+                                                                   # ]]]
+                                                                   # ]]]
+# LibreNMS sources [[[
+# --------------------
+
+# .. envvar:: librenms__install_repo [[[
+#
+# URL of the LibreNMS git repository.
+librenms__install_repo: 'https://github.com/librenms/librenms.git'
+
+                                                                   # ]]]
+# .. envvar:: librenms__install_version [[[
+#
+# Name of the git branch to install.
+librenms__install_version: 'master'
+
+                                                                   # ]]]
+# .. envvar:: librenms__update [[[
+#
+# Enable or disable daily upgrades pulled from LibreNMS ``git`` repository.
+librenms__update: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: librenms__database_server [[[
+#
+# FQDN of the MariaDB database host. It will be configured by
+# the ``debops.mariadb`` role.
+librenms__database_server: '{{ ansible_local.mariadb.server }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__database_user [[[
+#
+# MariaDB database user to use for LibreNMS.
+librenms__database_user: 'librenms'
+
+                                                                   # ]]]
+# .. envvar:: librenms__database_name [[[
+#
+# Name of the MariaDB database to use for LibreNMS.
+librenms__database_name: 'librenms'
+
+                                                                   # ]]]
+# .. envvar:: librenms__database_password [[[
+#
+# MariaDB database password to LibreNMS account.
+librenms__database_password: "{{ lookup('password', secret + '/mariadb/' +
+                                 ansible_local.mariadb.delegate_to +
+                                 '/credentials/' + librenms__database_user +
+                                 '/password length=48') }}"
+                                                                   # ]]]
+                                                                   # ]]]
+# Application configuration [[[
+# -----------------------------
+
+# .. envvar:: librenms__admin_accounts [[[
+#
+# Names of accounts that will be created in LibreNMS database. It's preferable
+# that these accounts correspond to UNIX accounts on the LibreNMS host, see
+# ``librenms__home_snmp_conf`` variable.
+#
+# Passwords will be automatically stored in ``secret/`` directory (see
+# ``debops.secret`` role for more details).
+librenms__admin_accounts: '{{ ansible_local.core.admin_users | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__cron_threads [[[
+#
+# Number of LibreNMS poller threads run by ``cron``.
+librenms__cron_threads: '{{ (ansible_processor_cores | int * 4) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Memcached configuration [[[
+# ---------------------------
+
+# .. envvar:: librenms__memcached [[[
+#
+# Enable or disable support for ``memcached`` service.
+librenms__memcached: False
+
+                                                                   # ]]]
+# .. envvar:: librenms__memcached_host [[[
+#
+# Hostname of the ``memcached`` server. If you use multiple LibreNMS instances
+# that should work together, you need to point them to the same server.
+librenms__memcached_host: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: librenms__memcached_port [[[
+#
+# Port on which ``memcached`` service listens for incoming connections.
+librenms__memcached_port: 11211
+                                                                   # ]]]
+                                                                   # ]]]
+# Web interface configuration [[[
+# -------------------------------
+
+# .. envvar:: librenms__show_services [[[
+#
+# Enable or disable "Services" tab in LibreNMS interface.
+librenms__show_services: True
+
+                                                                   # ]]]
+# .. envvar:: librenms__site_style [[[
+#
+# CSS style to use in LibreNMS UI, either ``light`` or ``dark``.
+librenms__site_style: 'light'
+
+                                                                   # ]]]
+# .. envvar:: librenms__network_map_items [[[
+#
+# List of data types to source for the network map:
+#
+# - ``xdp``: data gathered from LLDP, CDP, and similar protocols;
+#
+# - ``mac``: data gathered from ARP tables;
+#
+librenms__network_map_items: [ 'xdp' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__front_page [[[
+#
+# Name of the ``.php`` page that is displayed by default.
+librenms__front_page: 'pages/front/tiles.php'
+
+                                                                   # ]]]
+# .. envvar:: librenms__public_status [[[
+#
+# Enable or disable a public status page with information about monitored
+# devices, which does not require authentication.
+librenms__public_status: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Device autodiscovery [[[
+# ------------------------
+
+# .. envvar:: librenms__devices [[[
+#
+# List of FQDN hostnames of devices (servers, switches, routers, printers,
+# etc.) which should be added to LibreNMS by the role. By default LibreNMS will
+# add its own host.
+librenms__devices: [ '{{ librenms__own_hostname }}' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__own_hostname [[[
+#
+# Name of the host on which LibreNMS is installed.
+librenms__own_hostname: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__discover_services [[[
+#
+# Enable or disable SNMP service discovery on servers.
+librenms__discover_services: True
+
+                                                                   # ]]]
+# .. envvar:: librenms__autodiscover_networks [[[
+#
+# List of CIDR networks which will be automatically scanned by LibreNMS to find
+# new SNMP devices.
+librenms__autodiscover_networks: [ '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__ignore_mount_string [[[
+#
+# List of partial names of mount points which LibreNMS should ignore.
+librenms__ignore_mount_string: [ 'cgroup', '/run/', '/dev/shm' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Simple Network Management Protocol [[[
+# --------------------------------------
+
+# .. envvar:: librenms__snmp_version [[[
+#
+# Which SNMP protocol version is used by default to authenticate to SNMP
+# devices (``v1``, ``v2c``, ``v3``).
+librenms__snmp_version: 'v3'
+
+                                                                   # ]]]
+# .. envvar:: librenms__snmp_communities [[[
+#
+# List of SNMP v1/v2c community strings to try while authenticating to SNMP
+# devices.
+librenms__snmp_communities: [ 'public' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__snmp_credentials [[[
+#
+# List of SNMP v3 credentials to try while authenticating to SNMP devices. Each
+# entry is a dict with various parameters, see
+# :ref:`librenms__ref_snmp_credentials` for more details.
+librenms__snmp_credentials: [ '{{ librenms__snmp_credentials_default }}' ]
+
+                                                                   # ]]]
+# .. envvar:: librenms__snmp_credentials_default [[[
+#
+# SNMPv3 credentials entry with configuration used by default by
+# ``debops.snmpd`` role to configure SNMP service on servers.
+librenms__snmp_credentials_default:
+  authname:   '{{ lookup("password", secret + "/snmp/credentials/agent/username") }}'
+  authpass:   '{{ lookup("password", secret + "/snmp/credentials/agent/password") }}'
+  cryptopass: '{{ lookup("password", secret + "/snmp/credentials/agent/password") }}'
+  authlevel:  'authPriv'
+  authalgo:   'SHA'
+  cryptoalgo: 'AES'
+
+                                                                   # ]]]
+# .. envvar:: librenms__home_snmp_conf [[[
+#
+# List of UNIX accounts for which ``~/.snmp/snmp.conf`` will be generated. By
+# default it's a ``root`` account, LibreNMS account and admin accounts that
+# exist on the host.
+librenms__home_snmp_conf: '{{ (["root", librenms__user] +
+                              librenms__admin_accounts | d([])) | unique }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LibreNMS config.php contents [[[
+# --------------------------------
+
+# .. envvar:: librenms__configuration_maps [[[
+#
+# Main list with dictionaries that hold the LibreNMS configuration generated by
+# ``config.php`` template. See :ref:`librenms__ref_configuration_maps` for more
+# details.
+librenms__configuration_maps:
+  - '{{ librenms__config_database }}'
+  - '{{ librenms__config_authentication }}'
+  - '{{ librenms__config_installation }}'
+  - '{{ librenms__config_memcached }}'
+  - '{{ librenms__config_webui }}'
+  - '{{ librenms__config_autodiscovery }}'
+  - '{{ librenms__config_snmp }}'
+  - '{{ librenms__config_custom }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_database [[[
+#
+# LibreNMS database configuration.
+librenms__config_database:
+  comment: 'Database configuration'
+  db_host: '{{ librenms__database_server }}'
+  db_name: '{{ librenms__database_name }}'
+  db_user: '{{ librenms__database_user }}'
+  db_pass: '{{ librenms__database_password }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_authentication [[[
+#
+# LibreNMS authentication configuration.
+librenms__config_authentication:
+  comment: 'Authentication configuration'
+  auth_mechanism: 'mysql'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_installation [[[
+#
+# LibreNMS installation configuration.
+librenms__config_installation:
+  comment: 'Application directories, installation'
+  install_dir: '{{ librenms__install_path }}'
+  base_url:    '{{ librenms__base_url }}'
+  rrd_dir:     '{{ librenms__rrd_dir }}'
+  log_dir:     '{{ librenms__log_dir }}'
+  update:      '{{ librenms__update }}'
+  user:        '{{ librenms__user }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_memcached [[[
+#
+# LibreNMS ``memcached`` configuration.
+librenms__config_memcached:
+  comment: 'Memcached configuration'
+  memcached:
+    enable: '{{ librenms__memcached }}'
+    host:   '{{ librenms__memcached_host }}'
+    port:   '{{ librenms__memcached_port }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_webui [[[
+#
+# LibreNMS web interface configuration.
+librenms__config_webui:
+  comment: 'Web interface configuration'
+  site_style:          '{{ librenms__site_style }}'
+  front_page:          '{{ librenms__front_page }}'
+  public_status:       '{{ librenms__public_status }}'
+  show_services:       '{{ librenms__show_services }}'
+  network_map_items:   { array: '{{ librenms__network_map_items }}' }
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_autodiscovery [[[
+#
+# LibreNMS autodiscovery configuration.
+librenms__config_autodiscovery:
+  comment: 'Autodiscovery configuration'
+  own_hostname:        '{{ librenms__own_hostname }}'
+  discover_services:   '{{ librenms__discover_services }}'
+  nets:                '{{ librenms__autodiscover_networks }}'
+  ignore_mount_string: '{{ librenms__ignore_mount_string }}'
+  auth_ldap_groups:
+    admin:
+      level: 7
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_snmp [[[
+#
+# LibreNMS SNMP configuration.
+librenms__config_snmp:
+  comment: 'SNMP configuration'
+  snmp:
+    version: { array: [ '{{ librenms__snmp_version }}' ] }
+    community: { array: '{{ librenms__snmp_communities }}' }
+    v3: '{{ librenms__snmp_credentials }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__config_custom [[[
+#
+# Custom LibreNMS configuration.
+librenms__config_custom: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: librenms__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+librenms__python__dependent_packages3:
+
+  - 'python3-mysqldb'
+
+                                                                   # ]]]
+# .. envvar:: librenms__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+librenms__python__dependent_packages2:
+
+  - 'python-mysqldb'
+
+                                                                   # ]]]
+# .. envvar:: librenms__logrotate__dependent_config [[[
+#
+# Configuration for ``debops.logrotate`` Ansible role.
+librenms__logrotate__dependent_config:
+
+  - filename: 'librenms'
+    logs: '{{ librenms__log_dir }}/*.log'
+    options: |
+      weekly
+      missingok
+      rotate 4
+      compress
+      notifempty
+      copytruncate
+      delaycompress
+
+#]]]
+# .. envvar:: librenms__php__dependent_packages [[[
+#
+# List of PHP packages to install by ``debops.php`` role.
+librenms__php__dependent_packages:
+  - [ 'mysql', 'gmp', 'gd', 'snmp', 'curl', 'mcrypt', 'json' ]
+  - '{{ ["xml", "mbstring", "zip"]
+        if (php__version is version_compare("7.0", ">=")) else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__php__dependent_pools [[[
+#
+# PHP pool configuration for the ``debops.php`` Ansible role.
+librenms__php__dependent_pools:
+  - name: 'librenms'
+    user: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    owner: '{{ librenms__user }}'
+    home: '{{ librenms__home }}'
+
+                                                                   # ]]]
+# .. envvar:: librenms__nginx__dependent_upstreams [[[
+#
+# The upstream configuration for the ``debops.nginx`` role.
+librenms__nginx__dependent_upstreams:
+  - name: 'php_librenms'
+    type: 'php'
+    php_pool: 'librenms'
+
+                                                                   # ]]]
+# .. envvar:: librenms__nginx__dependent_servers [[[
+#
+# The server configuration for ``debops.nginx`` Ansible role.
+librenms__nginx__dependent_servers:
+  - by_role: 'debops.librenms'
+    type: 'php'
+    name: [ '{{ librenms__fqdn }}' ]
+    root: '{{ librenms__install_path + "/html" }}'
+    webroot_create: False
+    filename: 'debops.librenms'
+    access_policy: '{{ librenms__nginx_access_policy }}'
+    auth_basic_realm: '{{ librenms__nginx_auth_realm }}'
+    php_upstream: 'php_librenms'
+
+    location:
+      '@librenms': |
+        rewrite ^api/v0(.*)$ /api_v0.php/$1 last;
+        rewrite ^(.+)$ /index.php/$1 last;
+
+      '/': |
+        try_files $uri $uri/ @librenms;
+
+# ]]]
+# .. envvar:: librenms__mariadb__dependent_users [[[
+#
+# List of user accounts to configure by ``debops.mariadb`` role.
+librenms__mariadb__dependent_users:
+  - database: '{{ librenms__database_name }}'
+    user: '{{ librenms__database_user }}'
+    owner: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    home: '{{ librenms__home }}'
+    system: True
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/librenms/meta/main.yml b/ansible_collections/debops/debops/roles/librenms/meta/main.yml
new file mode 100644
index 00000000..cf5ae362
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install LibreNMS, an Open Source Network Monitoring System'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - monitoring
+    - network
+    - librenms
+    - nms
+    - snmp
+    - alerts
diff --git a/ansible_collections/debops/debops/roles/librenms/meta/watch-librenms b/ansible_collections/debops/debops/roles/librenms/meta/watch-librenms
new file mode 100644
index 00000000..f1ae0923
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/meta/watch-librenms
@@ -0,0 +1,10 @@
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: librenms
+# Package: librenms
+# Version: master
+
+version=4
+https://github.com/librenms/librenms/tags .*/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/librenms/tasks/main.yml b/ansible_collections/debops/debops/roles/librenms/tasks/main.yml
new file mode 100644
index 00000000..ec4b9d26
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/tasks/main.yml
@@ -0,0 +1,236 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", ((["php5-memcached"]
+                               if librenms__memcached | d()
+                               else [])
+                              + librenms__base_packages
+                              + librenms__monitoring_packages
+                              + librenms__packages)) }}'
+    state: 'present'
+  register: librenms__register_packages
+  until: librenms__register_packages is succeeded
+
+- name: Enable non-free MIBs support
+  ansible.builtin.lineinfile:
+    dest: '/etc/snmp/snmp.conf'
+    state: 'present'
+    regexp: 'mibs\s:'
+    line: '#mibs :'
+    mode: '0644'
+
+
+# ---- Environment ----
+
+- name: Create LibreNMS group
+  ansible.builtin.group:
+    name: '{{ librenms__group }}'
+    system: True
+    state: 'present'
+
+- name: Create LibreNMS user
+  ansible.builtin.user:
+    name: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    home: '{{ librenms__home }}'
+    shell: '{{ librenms__shell }}'
+    comment: 'LibreNMS'
+    system: True
+    state: 'present'
+
+
+# ---- Deployment ----
+
+- name: Clone LibreNMS source from deploy server
+  ansible.builtin.git:
+    repo: '{{ librenms__install_repo }}'
+    dest: '{{ librenms__install_path }}'
+    version: '{{ librenms__install_version }}'
+    update: False
+  become: True
+  become_user: '{{ librenms__user }}'
+  register: librenms__register_source
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::librenms:source' ]
+
+- name: Update LibreNMS home directory permissions
+  ansible.builtin.file:
+    path: '{{ librenms__home }}'
+    state: 'directory'
+    owner: '{{ librenms__user }}'
+    group: '{{ librenms__webserver_user }}'
+    mode: '0750'
+
+- name: Make sure log directory exists
+  ansible.builtin.file:
+    dest: '{{ librenms__log_dir }}'
+    state: 'directory'
+    owner: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    mode: '0750'
+  tags: [ 'role::librenms:config' ]
+
+- name: Make sure data directories exist
+  ansible.builtin.file:
+    dest: '{{ item }}'
+    state: 'directory'
+    owner: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    mode: '0775'
+  with_items:
+    - '{{ librenms__data_path }}'
+    - '{{ librenms__rrd_dir }}'
+  tags: [ 'role::librenms:config' ]
+
+
+# ---- Configuration ----
+
+  # This should be ran once until bug is fixed
+  # https://github.com/ansible/ansible/issues/10784
+- name: Initialize SNMP credentials
+  ansible.builtin.set_fact:
+    librenms__fact_snmp_v3_authlevel:  '{{ librenms__snmp_credentials[0]["authlevel"] }}'
+    librenms__fact_snmp_v3_authalgo:   '{{ librenms__snmp_credentials[0]["authalgo"] }}'
+    librenms__fact_snmp_v3_cryptoalgo: '{{ librenms__snmp_credentials[0]["cryptoalgo"] }}'
+    librenms__fact_snmp_v3_authname:   '{{ librenms__snmp_credentials[0]["authname"] }}'
+    librenms__fact_snmp_v3_authpass:   '{{ librenms__snmp_credentials[0]["authpass"] }}'
+    librenms__fact_snmp_v3_cryptopass: '{{ librenms__snmp_credentials[0]["cryptopass"] }}'
+  run_once: True
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::librenms:config', 'role::librenms:database', 'role::librenms:snmp_conf' ]
+
+- name: Create LibreNMS database
+  community.mysql.mysql_db:
+    name: '{{ librenms__database_name }}'
+    state: 'present'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  delegate_to: '{{ ansible_local.mariadb.delegate_to }}'
+  register: librenms__register_database_status
+  tags: [ 'role::librenms:database' ]
+
+- name: Configure LibreNMS
+  ansible.builtin.template:
+    src: 'srv/www/sites/public/config.php.j2'
+    dest: '{{ librenms__install_path + "/config.php" }}'
+    owner: '{{ librenms__user }}'
+    group: '{{ librenms__group }}'
+    mode: '{{ librenms__config_mode }}'
+  tags: [ 'role::librenms:config', 'role::librenms:database' ]
+
+- name: Install missing PHP packages via Composer
+  community.general.composer:  # noqa no-handler
+    command: 'install'
+    working_dir: '{{ librenms__install_path }}'
+  register: librenms__register_composer
+  until: librenms__register_composer is succeeded
+  when: (librenms__register_database_status | d() and librenms__register_database_status is changed)
+  become: True
+  become_user: '{{ librenms__user }}'
+
+- name: Initialize database
+  ansible.builtin.command: './daily.sh'  # noqa no-handler
+  args:
+    chdir: '{{ librenms__install_path }}'
+  become: True
+  become_user: '{{ librenms__user }}'
+  register: librenms__register_database_init
+  changed_when: librenms__register_database_init.changed | bool
+  when: (librenms__register_database_status | d() and librenms__register_database_status is changed)
+  tags: [ 'role::librenms:database' ]
+
+- name: Get list of existing users from LibreNMS database
+  ansible.builtin.command: mysql -ssNe "select username from users"
+  become: True
+  become_user: '{{ librenms__user }}'
+  register: librenms__register_users
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::librenms:config', 'role::librenms:admins' ]
+
+- name: Create admin accounts
+  ansible.builtin.command: 'php adduser.php {{ item }} {{ lookup("password", secret + "/credentials/" + inventory_hostname
+                                                             + "/librenms/admin/" + item + "/password") }} 10'
+  args:
+    chdir: '{{ librenms__install_path }}'
+  check_mode: False
+  become: True
+  become_user: '{{ librenms__user }}'
+  with_items: '{{ librenms__admin_accounts }}'
+  register: librenms__register_admin_accounts
+  changed_when: librenms__register_admin_accounts.changed | bool
+  when: (librenms__admin_accounts | d([]) and (item not in librenms__register_users.stdout_lines))
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::librenms:config', 'role::librenms:admins' ]
+
+- name: Configure cron tasks
+  ansible.builtin.template:
+    src: 'etc/cron.d/librenms.j2'
+    dest: '/etc/cron.d/librenms'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'role::librenms:config' ]
+
+- name: Check list of current user accounts
+  ansible.builtin.shell: 'set -o nounset -o pipefail -o errexit &&
+          getent passwd | cut -d: -f1'
+  args:
+    executable: 'bash'
+  register: librenms__register_passwd
+  changed_when: False
+  check_mode: False
+  when: librenms__home_snmp_conf | d() and librenms__home_snmp_conf
+  tags: [ 'role::librenms:config', 'role::librenms:snmp_conf' ]
+
+- name: Create ~/.snmp directories
+  ansible.builtin.file:
+    path: '{{ "~" + item + "/.snmp" }}'
+    state: 'directory'
+    owner: '{{ item }}'
+    group: '{{ item }}'
+    mode: '0700'
+  with_items: '{{ librenms__home_snmp_conf }}'
+  check_mode: False
+  when: ((librenms__home_snmp_conf | d() and librenms__home_snmp_conf) and
+         (librenms__register_passwd | d() and item in librenms__register_passwd.stdout_lines))
+  tags: [ 'role::librenms:config', 'role::librenms:snmp_conf' ]
+
+- name: Generate ~/.snmp/snmp.conf configuration
+  ansible.builtin.template:
+    src: 'home/snmp/snmp.conf.j2'
+    dest: '{{ "~" + item + "/.snmp/snmp.conf" }}'
+    owner: '{{ item }}'
+    group: '{{ item }}'
+    mode: '0600'
+  with_items: '{{ librenms__home_snmp_conf }}'
+  when: ((librenms__home_snmp_conf | d() and librenms__home_snmp_conf) and
+         (librenms__register_passwd | d() and item in librenms__register_passwd.stdout_lines))
+  tags: [ 'role::librenms:config', 'role::librenms:snmp_conf' ]
+
+- name: Get list of known devices from LibreNMS database
+  ansible.builtin.command: mysql -ssNe "select hostname from devices"
+  become: True
+  become_user: '{{ librenms__user }}'
+  register: librenms__register_devices
+  changed_when: False
+  tags: [ 'role::librenms:config', 'role::librenms:devices' ]
+
+- name: Add specified hosts to LibreNMS
+  ansible.builtin.command: php addhost.php {{ item }} any v3
+  args:
+    chdir: '{{ librenms__install_path }}'
+  become: True
+  become_user: '{{ librenms__user }}'
+  with_items: '{{ librenms__devices }}'
+  register: librenms__register_addhost
+  changed_when: librenms__register_addhost.changed | bool
+  when: (librenms__devices | d([]) and (item not in librenms__register_devices.stdout_lines))
+  tags: [ 'role::librenms:config', 'role::librenms:devices' ]
diff --git a/ansible_collections/debops/debops/roles/librenms/templates/etc/cron.d/librenms.j2 b/ansible_collections/debops/debops/roles/librenms/templates/etc/cron.d/librenms.j2
new file mode 100644
index 00000000..b2e9be39
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/templates/etc/cron.d/librenms.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Using this cron file requires an additional user on your system, please see install docs.
+
+33  */6   * * *   {{ librenms__user }}    {{ librenms__install_path }}/discovery.php -h all >> /dev/null 2>&1
+*/5  *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/discovery.php -h new >> /dev/null 2>&1
+*/5  *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/cronic {{ librenms__install_path }}/poller-wrapper.py {{ librenms__cron_threads }} >> /dev/null 2>&1
+*/5  *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/check-services.php >> /dev/null 2>&1
+15   0    * * *   {{ librenms__user }}    {{ librenms__install_path }}/daily.sh >> /dev/null 2>&1
+*    *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/alerts.php >> /dev/null 2>&1
+*/5  *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/poll-billing.php >> /dev/null 2>&1
+01   *    * * *   {{ librenms__user }}    {{ librenms__install_path }}/billing-calculate.php >> /dev/null 2>&1
diff --git a/ansible_collections/debops/debops/roles/librenms/templates/home/my.cnf.j2 b/ansible_collections/debops/debops/roles/librenms/templates/home/my.cnf.j2
new file mode 100644
index 00000000..73b77d5b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/templates/home/my.cnf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[client]
+host = {{ librenms__database_server }}
+user = {{ librenms__database_user }}
+password = "{{ librenms__database_password }}"
+database = {{ librenms__database_name }}
diff --git a/ansible_collections/debops/debops/roles/librenms/templates/home/snmp/snmp.conf.j2 b/ansible_collections/debops/debops/roles/librenms/templates/home/snmp/snmp.conf.j2
new file mode 100644
index 00000000..5f887815
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/templates/home/snmp/snmp.conf.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# SNMP client configuration
+
+defVersion         {{ librenms__snmp_version }}
+
+defCommunity       {{ librenms__snmp_communities[0] }}
+
+defSecurityLevel   {{ librenms__fact_snmp_v3_authlevel }}
+defAuthType        {{ librenms__fact_snmp_v3_authalgo }}
+defPrivType        {{ librenms__fact_snmp_v3_cryptoalgo }}
+
+defSecurityName    {{ librenms__fact_snmp_v3_authname }}
+defAuthPassphrase  {{ librenms__fact_snmp_v3_authpass }}
+defPrivPassphrase  {{ librenms__fact_snmp_v3_cryptopass }}
diff --git a/ansible_collections/debops/debops/roles/librenms/templates/srv/www/sites/public/config.php.j2 b/ansible_collections/debops/debops/roles/librenms/templates/srv/www/sites/public/config.php.j2
new file mode 100644
index 00000000..2df552a9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/librenms/templates/srv/www/sites/public/config.php.j2
@@ -0,0 +1,80 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+
+# {{ ansible_managed }}
+
+# Have a look in defaults.inc.php for examples of settings you can set here. DO NOT EDIT defaults.inc.php!
+{% macro print_config(data, key_list = [], array = False) %}
+{%   set chain = [] %}
+{%   for part in key_list %}
+{%     if part is number %}
+{%       set _ = chain.append("[" + part | string + "]") %}
+{%     else %}
+{%       set _ = chain.append("['" + part + "']") %}
+{%     endif %}
+{%   endfor %}
+{%   if data is number %}
+$config{{ chain | join('') }} = {{ data }};
+{%   elif data is string %}
+{%     if data in [ True, False, 'True', 'False', 'true', 'false', 'TRUE', 'FALSE' ] %}
+$config{{ chain | join('') }} = {{ data | upper }};
+{%     else %}
+$config{{ chain | join('') }} = "{{ data }}";
+{%     endif %}
+{%   elif data is mapping %}
+{%     set output = [] %}
+{%     for key, value in data.items() %}
+{%       if key == 'array' %}
+{%         set _ = output.append(print_config(value, key_list, array = True)) %}
+{%       else %}
+{%         set subkey_list = key_list + [ key ] %}
+{%         set _ = output.append(print_config(value, subkey_list, array)) %}
+{%       endif %}
+{%     endfor %}
+{%     for line in output %}
+{{ line }}{% endfor %}
+{%   else %}
+{%     set list_of_mappings = [] %}
+{%     set list_of_elements = [] %}
+{%     for value in data %}
+{%       if value is mapping %}
+{%         set _ = list_of_mappings.append(value) %}
+{%       else %}
+{%         set _ = list_of_elements.append(value) %}
+{%       endif %}
+{%     endfor %}
+{%     if list_of_mappings %}
+{%       for mapped_element in list_of_mappings %}
+{%         set map_loop = loop %}
+{%         for element_key, element_value in mapped_element.items() %}
+{%           set subkey_list = key_list + [ map_loop.index0, element_key ] %}
+{{ print_config(element_value, subkey_list, array) }}{%         endfor %}
+{%       endfor %}
+{%     endif %}
+{%     if list_of_elements %}
+{%       if array %}
+$config{{ chain | join('') }} = array({{ '"' + list_of_elements | join('", "') + '"' }});
+{%       else %}
+{%         for value in list_of_elements %}
+$config{{ chain | join('') + '[]' }} = "{{ value }}";
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% for configuration_map in librenms__configuration_maps %}
+{%   if 'comment' in configuration_map.keys() and configuration_map['comment'] %}
+
+### {{ configuration_map["comment"] }}
+{%   endif %}
+{%   for config_key, config_value in configuration_map.items() %}
+{%     if config_key not in [ 'comment' ] %}
+{%       set subkey_list = [ config_key ] %}
+{{ print_config(config_value, subkey_list) }}{% endif %}
+{%   endfor %}
+{% endfor %}
+
+# vim:ft=php
diff --git a/ansible_collections/debops/debops/roles/libuser/COPYRIGHT b/ansible_collections/debops/debops/roles/libuser/COPYRIGHT
new file mode 100644
index 00000000..5753428c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.libuser - Install libuser on a Debian/Ubuntu host using Ansible
+
+Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/libuser/defaults/main.yml b/ansible_collections/debops/debops/roles/libuser/defaults/main.yml
new file mode 100644
index 00000000..c43d8024
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/defaults/main.yml
@@ -0,0 +1,307 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# .. Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# debops.libuser default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# Installation, Apt packages [[[
+# ------------------------------
+
+# .. envvar:: libuser__enabled [[[
+#
+# Should Ansible use ``libuser`` library to manage UNIX accounts and groups?
+libuser__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: libuser__base_packages [[[
+#
+# List of APT base packages which are required by the Libuser service.
+libuser__base_packages: [ 'libuser' ]
+
+                                                                   # ]]]
+# .. envvar:: libuser__packages [[[
+#
+# List of APT packages which are required by the Libuser service.
+libuser__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Libuser configuration file [[[
+# ------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/libuser.conf` configuration file.
+# See :ref:`libuser__ref_configuration` for more details.
+
+# .. envvar:: libuser__original_configuration [[[
+#
+# The default configuration options which should be present in the main
+# configuration file.
+libuser__original_configuration:
+
+  - name: 'import'
+    options:
+
+      - name: 'login_defs'
+        comment: |
+          Data from these files is used when libuser.conf does not define a value.
+          The mapping is documented in the man page.
+        value: '/etc/login.defs'
+        state: 'present'
+
+      - name: 'default_useradd'
+        value: '/etc/default/useradd'
+        state: 'present'
+
+  - name: 'defaults'
+    options:
+
+      - name: 'moduledir'
+        comment: 'The default (/usr/lib*/libuser) is usually correct'
+        value: '/your/custom/directory'
+        state: 'comment'
+
+      - name: 'skeleton'
+        comment: 'The following variables are usually imported:'
+        value: '/etc/skel'
+        state: 'comment'
+        separator: True
+
+      - name: 'mailspooldir'
+        value: '/var/mail'
+        state: 'comment'
+
+      - name: 'crypt_style'
+        value: 'sha512'
+        state: 'present'
+        separator: True
+
+      - name: 'modules'
+        value: 'files shadow'
+        state: 'present'
+
+      - name: 'create_modules'
+        value: 'files shadow'
+        state: 'present'
+
+      - name: 'modules_with_ldap'
+        option: 'modules'
+        value: 'files shadow ldap'
+        state: 'comment'
+
+      - name: 'create_modules_with_ldap'
+        option: 'create_modules'
+        value: 'ldap'
+        state: 'comment'
+
+  - name: 'userdefaults'
+    options:
+
+      - name: 'LU_USERNAME'
+        value: '%n'
+        state: 'present'
+
+      - name: 'LU_UIDNUMBER'
+        comment: 'This is better imported from /etc/login.defs:'
+        value: '500'
+        state: 'comment'
+
+      - name: 'LU_GIDNUMBER'
+        value: '%u'
+        state: 'present'
+
+      - name: 'LU_USERPASSWORD'
+        value: '!!'
+        state: 'comment'
+
+      - name: 'LU_GECOS'
+        value: '%n'
+        state: 'comment'
+
+      - name: 'LU_HOMEDIRECTORY'
+        value: '/home/%n'
+        state: 'comment'
+
+      - name: 'LU_LOGINSHELL'
+        value: '/bin/bash'
+        state: 'comment'
+
+      - name: 'LU_SHADOWNAME'
+        value: '%n'
+        state: 'comment'
+        separator: True
+
+      - name: 'LU_SHADOWPASSWORD'
+        value: '!!'
+        state: 'comment'
+
+      - name: 'LU_SHADOWLASTCHANGE'
+        value: '%d'
+        state: 'comment'
+
+      - name: 'LU_SHADOWMIN'
+        value: '0'
+        state: 'comment'
+
+      - name: 'LU_SHADOWMAX'
+        value: '99999'
+        state: 'comment'
+
+      - name: 'LU_SHADOWWARNING'
+        value: '7'
+        state: 'comment'
+
+      - name: 'LU_SHADOWINACTIVE'
+        value: '-1'
+        state: 'comment'
+
+      - name: 'LU_SHADOWEXPIRE'
+        value: '-1'
+        state: 'comment'
+
+      - name: 'LU_SHADOWFLAG'
+        value: '-1'
+        state: 'comment'
+
+  - name: 'groupdefaults'
+    options:
+
+      - name: 'LU_GROUPNAME'
+        value: '%n'
+        state: 'present'
+
+      - name: 'LU_GIDNUMBER'
+        comment: 'This is better imported from /etc/login.defs:'
+        value: '500'
+        state: 'comment'
+
+      - name: 'LU_GROUPPASSWORD'
+        value: '!!'
+        state: 'comment'
+        separator: True
+
+      - name: 'LU_MEMBERUID'
+        state: 'comment'
+
+      - name: 'LU_ADMINISTRATORUID'
+        state: 'comment'
+
+  - name: 'files'
+    options:
+
+      - name: 'directory'
+        comment: |
+          This is useful for the case where some master files are used to
+          populate a different NSS mechanism which this workstation uses.
+        value: '/etc'
+        state: 'comment'
+
+  - name: 'shadow'
+    options:
+
+      - name: 'directory'
+        comment: |
+          This is useful for the case where some master files are used to
+          populate a different NSS mechanism which this workstation uses.
+        value: '/etc'
+        state: 'comment'
+
+  - name: 'ldap'
+    options:
+
+      - name: 'server'
+        comment: 'Setting these is always necessary.'
+        value: 'ldap'
+        state: 'comment'
+
+      - name: 'basedn'
+        value: 'dc=example,dc=com'
+        state: 'comment'
+
+      - name: 'userBranch'
+        comment: "Setting these is rarely necessary, since it's usually correct."
+        value: 'ou=People'
+        state: 'comment'
+        separator: True
+
+      - name: 'groupBranch'
+        value: 'ou=Group'
+        state: 'comment'
+
+      - name: 'binddn'
+        comment: |
+          Set only if your administrative user uses simple bind operations to
+          connect to the server.
+        value: 'cn=Manager,dc=example,dc=com'
+        state: 'comment'
+        separator: True
+
+      - name: 'user'
+        comment: |
+          Set this only if the default user (as determined by SASL) is incorrect
+          for SASL bind operations.  Usually, it's correct, so you'll rarely need
+          to set these.
+        value: 'Manager'
+        state: 'comment'
+        separator: True
+
+      - name: 'authuser'
+        value: 'Manager'
+        state: 'comment'
+
+  - name: 'sasl'
+    options:
+
+      - name: 'appname'
+        comment: |
+          Set these only if your sasldb is only used by a particular application, and
+          in a particular domain.  The default (all applications, all domains) is
+          probably correct for most installations.
+        value: 'imap'
+        state: 'comment'
+
+      - name: 'domain'
+        value: 'EXAMPLE.COM'
+        state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: libuser__configuration [[[
+#
+# The configuration which should be present on all hosts in the Ansible
+# inventory.
+libuser__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libuser__group_configuration [[[
+#
+# The configuration which should be present on hosts in a specific Ansible
+# inventory group.
+libuser__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libuser__host_configuration [[[
+#
+# The configuration which should be present on specific hosts in the Ansible
+# inventory.
+libuser__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libuser__combined_configuration [[[
+#
+# The variable which combines all of the other configuration variables and is
+# used in the Ansible tasks.
+libuser__combined_configuration: '{{ libuser__original_configuration
+                                     + libuser__configuration
+                                     + libuser__group_configuration
+                                     + libuser__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/libuser/meta/main.yml b/ansible_collections/debops/debops/roles/libuser/meta/main.yml
new file mode 100644
index 00000000..2cfde213
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Bechea Leonardo, Alin Alexandru'
+  description: 'Install and manage Libuser service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.8'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - libuser
diff --git a/ansible_collections/debops/debops/roles/libuser/tasks/main.yml b/ansible_collections/debops/debops/roles/libuser/tasks/main.yml
new file mode 100644
index 00000000..36e14c5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install Libuser requested packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", libuser__base_packages
+                             + libuser__packages) }}'
+    state: 'present'
+  register: libuser__register_packages
+  until: libuser__register_packages is succeeded
+  when: libuser__enabled | bool
+
+- name: Divert the original libuser configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/libuser.conf'
+  when: libuser__enabled | bool
+
+- name: Configure main libuser config file
+  ansible.builtin.template:
+    src: 'etc/libuser.conf.j2'
+    dest: '/etc/libuser.conf'
+    mode: '0644'
+  when: libuser__enabled | bool
+
+- name: Make sure that local fact directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Libuser local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/libuser.fact.j2'
+    dest: '/etc/ansible/facts.d/libuser.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/libuser/templates/etc/ansible/facts.d/libuser.fact.j2 b/ansible_collections/debops/debops/roles/libuser/templates/etc/ansible/facts.d/libuser.fact.j2
new file mode 100644
index 00000000..75b30084
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/templates/etc/ansible/facts.d/libuser.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads("""{{ {'configured': True,
+                     } | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/libuser/templates/etc/libuser.conf.j2 b/ansible_collections/debops/debops/roles/libuser/templates/etc/libuser.conf.j2
new file mode 100644
index 00000000..fbb226db
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libuser/templates/etc/libuser.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+ # Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See libuser.conf(5) for more information.
+
+# Do not modify the default module list if you care about unattended calls
+# to programs (i.e., scripts) working!
+
+{% for element in libuser__combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if not loop.first %}
+
+{%     endif %}
+{%     if element.name %}
+{{ '[{}]'.format(element.name) }}
+{%     endif %}
+{%     if element.options | d() %}
+{%       for thing in element.options %}
+{%         if thing.name | d() and thing.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%           set thing_commented = ('# ' if thing.state | d('present') == 'comment' else '') %}
+{%           if (thing.separator | d()) | bool %}
+
+{%           endif %}
+{%           if thing.comment | d() %}
+{{ thing.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%           endif %}
+{%           if thing.value | d() %}
+{{ '{}{} = {}'.format(thing_commented, thing.option | d(thing.name), ([ thing.value ] if thing.value is string else thing.value) | join(',')) }}
+{%           else %}
+{{ '{}{} ='.format(thing_commented, thing.option | d(thing.name)) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/libvirt/COPYRIGHT b/ansible_collections/debops/debops/roles/libvirt/COPYRIGHT
new file mode 100644
index 00000000..c26627ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.libvirt - Manage libvirt client configuration
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/libvirt/defaults/main.yml b/ansible_collections/debops/debops/roles/libvirt/defaults/main.yml
new file mode 100644
index 00000000..f2eefc2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/defaults/main.yml
@@ -0,0 +1,186 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _libvirt__ref_defaults:
+
+# debops.libvirt default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# libvirt system configuration [[[
+# --------------------------------
+
+# .. envvar:: libvirt__base_packages [[[
+#
+# List of base packages to install with Libvirt.
+libvirt__base_packages:
+  - [ 'gawk', 'netcat-openbsd', 'virtinst' ]
+  - '{{ [] if (ansible_distribution_release in ["bullseye"])
+           else "virt-top" }}'
+  - '{{ "virt-goodies"
+        if (ansible_local | d() and ansible_local.python | d() and
+            (ansible_local.python.installed2 | d()) | bool)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__packages [[[
+#
+# List of ``libvirt`` packages which will be installed on all distribution
+# releases, unless overridden.
+libvirt__packages: [ 'libvirt-clients' ]
+
+                                                                   # ]]]
+# .. envvar:: libvirt__packages_map [[[
+#
+# Override list of base packages for specific distribution releases.
+libvirt__packages_map:
+  'trusty':  [ 'libvirt-bin' ]
+  'xenial':  [ 'libvirt-bin' ]
+
+                                                                   # ]]]
+# .. envvar:: libvirt__group_map [[[
+#
+# Mapping of default UNIX access group on different distributions.
+libvirt__group_map:
+  'Debian': 'libvirt'
+  'Ubuntu': 'libvirtd'
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirt connection URI [[[
+# --------------------------
+
+# .. envvar:: libvirt__default_uri [[[
+#
+# Default connection URI (connect to :program:`libvirtd` instance on ``localhost``).
+libvirt__default_uri: 'qemu:///system'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__connections [[[
+#
+# Dict with connections configured in ``~/.config/libvirt/libvirt.conf``. See
+# :ref:`libvirt__connections` for more details.
+libvirt__connections:
+  'localhost': '{{ libvirt__default_uri }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__uri [[[
+#
+# Name of the connection from ``libvirt__connections`` dict used by default by
+# ``libvirt`` clients on the admin account.
+libvirt__uri: 'localhost'
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirt network configuration [[[
+# ---------------------------------
+
+# .. envvar:: libvirt__networks [[[
+#
+# List of network definitions in ``libvirt``, specified as YAML dicts. See
+# :ref:`libvirt__networks` for more details.
+libvirt__networks:
+  - '{{ libvirt__networks_default }}'
+  - '{{ libvirt__networks_virt_nat }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__networks_default [[[
+#
+# Default DebOps network configuration for ``libvirt``. NAT that comes with
+# ``libvirt`` by default is inactive, bridges configured by ``debops.ifupdown``
+# are automatically added to ``libvirt`` if they are present.
+libvirt__networks_default:
+
+  # Internal network configured by ``libvirt`` by default.
+  - name: 'default'
+    type: 'dnsmasq'
+    bridge: 'virbr0'
+    addresses: [ '192.168.122.1/24' ]
+    dhcp_range: [ '2', '-2' ]
+    state: 'absent'
+
+  - name: 'external'
+    type: 'bridge'
+    bridge: 'br0'
+    interface_present: 'br0'
+
+  - name: 'internal'
+    type: 'bridge'
+    bridge: 'br1'
+    interface_present: 'br1'
+
+  - name: 'nat'
+    type: 'bridge'
+    bridge: 'br2'
+    interface_present: 'br2'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__networks_virt_nat [[[
+#
+# An internal network behind NAT. This is a replacement configuration for
+# ``default`` ``libvirt`` network, since you cannot redefine existing
+# configuration, only undefine the old one and define a new one. Using
+# different ``item.name`` avoids the issue of redefining the network all the
+# time.
+libvirt__networks_virt_nat:
+
+  - name: 'virt-nat'
+    type: 'dnsmasq'
+    bridge: 'virbr0'
+    addresses: [ '192.168.122.1/24' ]
+    domain: 'nat.{{ ansible_domain }}'
+    state: 'active'
+    forward: True
+    dhcp: True
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirt storage pool configuration [[[
+# --------------------------------------
+
+# .. envvar:: libvirt__pools [[[
+#
+# List of storage pool definitions in ``libvirt``, specified as YAML dicts. See
+# :ref:`libvirt__pools` for more details.
+libvirt__pools:
+  - '{{ libvirt__pools_default }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__pools_default [[[
+#
+# List of default storage pools configured by ``debops.libvirt``.
+libvirt__pools_default:
+
+  - name: 'default'
+    type: 'dir'
+    path: '/var/lib/libvirt/images'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: libvirt__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+libvirt__python__dependent_packages3:
+
+  - 'python3-libvirt'
+  - 'python3-lxml'
+
+                                                                   # ]]]
+# .. envvar:: libvirt__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+libvirt__python__dependent_packages2:
+
+  - 'python-libvirt'
+  - 'python-lxml'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/libvirt/meta/main.yml b/ansible_collections/debops/debops/roles/libvirt/meta/main.yml
new file mode 100644
index 00000000..b473d853
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage local or remote libvirt instance'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - virtualization
diff --git a/ansible_collections/debops/debops/roles/libvirt/tasks/main.yml b/ansible_collections/debops/debops/roles/libvirt/tasks/main.yml
new file mode 100644
index 00000000..716fee4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install libvirt support
+  ansible.builtin.package:
+    name: '{{ q("flattened", (libvirt__base_packages
+                              + (libvirt__packages_map[ansible_distribution_release]
+                                 | d(libvirt__packages)))) }}'
+    state: 'present'
+  register: libvirt__register_packages
+  until: libvirt__register_packages is succeeded
+
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: '~/.config/libvirt'
+    state: 'directory'
+    mode: '0755'
+  become: False
+
+- name: Generate libvirt.conf configuration
+  ansible.builtin.template:
+    src: 'home/config/libvirt/libvirt.conf.j2'
+    dest: '~/.config/libvirt/libvirt.conf'
+    mode: '0644'
+  become: False
+
+- name: Get list of groups admin account belongs to
+  ansible.builtin.command: groups
+  register: libvirt__register_groups
+  changed_when: False
+  check_mode: False
+  become: False
+  tags: [ 'role::libvirt:networks', 'role::libvirt:pools' ]
+
+- name: Manage libvirt networks
+  ansible.builtin.include_tasks: manage_networks.yml
+  when: libvirt__group_map[ansible_distribution] in libvirt__register_groups.stdout.split(" ")
+  tags: [ 'role::libvirt:networks' ]
+
+- name: Manage libvirt pools
+  ansible.builtin.include_tasks: manage_pools.yml
+  when: libvirt__group_map[ansible_distribution] in libvirt__register_groups.stdout.split(" ")
+  tags: [ 'role::libvirt:pools' ]
diff --git a/ansible_collections/debops/debops/roles/libvirt/tasks/manage_networks.yml b/ansible_collections/debops/debops/roles/libvirt/tasks/manage_networks.yml
new file mode 100644
index 00000000..9416d95d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/tasks/manage_networks.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Stop networks if requested
+  community.libvirt.virt_net:
+    name: '{{ item.name }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'inactive'
+  loop: '{{ q("flattened", libvirt__networks) }}'
+  become: False
+  when: (item.name | d() and (item.state | d() in ['inactive', 'undefined', 'absent']))
+
+- name: Undefine networks if requested
+  community.libvirt.virt_net:
+    name: '{{ item.name }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'absent'
+  loop: '{{ q("flattened", libvirt__networks) }}'
+  become: False
+  when: (item.name | d() and (item.state | d() in ['undefined', 'absent']))
+
+- name: Define networks
+  community.libvirt.virt_net:
+    name: '{{ item.name }}'
+    xml: '{{ lookup("template", "lookup/network/" + item.type + ".xml.j2") }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'present'
+  loop: '{{ q("flattened", libvirt__networks) }}'
+  become: False
+  when: ((item.name | d()) and
+         (item.state | d("active") not in ['undefined', 'absent']) and
+         (item.interface_present is undefined or
+          (item.interface_present in ansible_interfaces and not item.uri | d())))
+
+- name: Start networks if not started
+  community.libvirt.virt_net:
+    name: '{{ item.name }}'
+    state: 'active'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+  loop: '{{ q("flattened", libvirt__networks) }}'
+  become: False
+  when: ((item.name | d()) and
+         (item.state is undefined or item.state in ['active']) and
+         (item.interface_present is undefined or
+          (item.interface_present in ansible_interfaces and not item.uri | d())))
+
+- name: Set autostart attribute on networks
+  community.libvirt.virt_net:
+    name: '{{ item.name }}'
+    autostart: '{{ "yes" if (item.autostart | d(True)) else "no" }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+  loop: '{{ q("flattened", libvirt__networks) }}'
+  become: False
+  when: ((item.name | d()) and
+         (item.state is undefined or item.state not in ['undefined', 'absent']) and
+         (item.interface_present is undefined or
+          (item.interface_present in ansible_interfaces and not item.uri | d())))
diff --git a/ansible_collections/debops/debops/roles/libvirt/tasks/manage_pools.yml b/ansible_collections/debops/debops/roles/libvirt/tasks/manage_pools.yml
new file mode 100644
index 00000000..9ccda70f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/tasks/manage_pools.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Stop storage pools if requested
+  community.libvirt.virt_pool:
+    name: '{{ item.name }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'inactive'
+  loop: '{{ q("flattened", libvirt__pools) }}'
+  become: False
+  register: libvirt__register_stop
+  when: ((item.name | d()) and (item.state | d() in ['inactive', 'undefined', 'absent']))
+
+- name: Delete storage pools if requested
+  community.libvirt.virt_pool:  # noqa no-handler
+    name: '{{ item.item.name }}'
+    uri: '{{ libvirt__connections[item.item.uri | d(libvirt__uri)] }}'
+    command: 'delete'
+    mode: '{{ item.item.mode | d(omit) }}'
+  loop: '{{ q("flattened", libvirt__register_stop.results) }}'
+  become: False
+  when: (item is changed and item.item.name | d() and item.item.delete | d(False) and
+         item.item.state | d() in ['undefined'] and
+         item.item.type in ['dir', 'nfs', 'logical'])
+
+- name: Undefine storage pools if requested
+  community.libvirt.virt_pool:
+    name: '{{ item.name }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'absent'
+  loop: '{{ q("flattened", libvirt__pools) }}'
+  become: False
+  when: ((item.name | d()) and (item.state | d() in ['undefined', 'absent']))
+
+- name: Define storage pools
+  community.libvirt.virt_pool:
+    name: '{{ item.name }}'
+    xml: '{{ lookup("template", "lookup/pool/" + item.type + ".xml.j2") }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+    state: 'present'
+  loop: '{{ q("flattened", libvirt__pools) }}'
+  become: False
+  register: libvirt__register_define
+  when: ((item.name | d()) and (item.state | d('active') not in ['undefined', 'absent']))
+
+- name: Build new storage pools
+  community.libvirt.virt_pool:  # noqa no-handler
+    name: '{{ item.item.name }}'
+    uri: '{{ libvirt__connections[item.item.uri | d(libvirt__uri)] }}'
+    command: 'build'
+    mode: '{{ item.item.mode | d(omit) }}'
+  loop: '{{ q("flattened", libvirt__register_define.results) }}'
+  become: False
+  when: (item is changed and item.item.name | d() and
+         (item.item.state | d('active') not in ['undefined', 'absent']) and
+         (item.item.build | d(True)) and
+         (item.item.type in ['dir', 'nfs'] or
+         (item.item.type == 'logical' and item.item.devices | d())))
+
+- name: Start storage pools if not started
+  community.libvirt.virt_pool:
+    name: '{{ item.name }}'
+    state: 'active'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+  loop: '{{ q("flattened", libvirt__pools) }}'
+  become: False
+  when: (item.name | d() and item.state | d('active') in ['active'])
+
+- name: Set autostart attribute on storage pools
+  community.libvirt.virt_pool:
+    name: '{{ item.name }}'
+    autostart: '{{ "yes" if (item.autostart | d(True)) else "no" }}'
+    uri: '{{ libvirt__connections[item.uri | d(libvirt__uri)] }}'
+  loop: '{{ q("flattened", libvirt__pools) }}'
+  become: False
+  when: (item.name | d() and item.state | d('active') not in ['undefined', 'absent'])
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/home/config/libvirt/libvirt.conf.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/home/config/libvirt/libvirt.conf.j2
new file mode 100644
index 00000000..1230918e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/home/config/libvirt/libvirt.conf.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters  a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+#uri_aliases = [
+#  "hail=qemu+ssh://root@hail.cloud.example.com/system",
+#  "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+uri_aliases = [
+{% for key, value in libvirt__connections.items() %}
+    "{{ key + '=' + value }}",
+{% endfor %}
+]
+
+# This can be used to prevent probing of the hypervisor
+# driver when no URI is supplied by the application.
+#uri_default = "qemu:///system"
+
+{% if libvirt__uri | d() %}
+uri_default = "{{ libvirt__connections[libvirt__uri] }}"
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/bridge.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/bridge.xml.j2
new file mode 100644
index 00000000..60b862dd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/bridge.xml.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<network>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+  <bridge name="{{ item.bridge }}" />
+  <forward mode="bridge" />
+</network>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/direct.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/direct.xml.j2
new file mode 100644
index 00000000..669a172a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/direct.xml.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<network>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+  <forward mode="bridge">
+    <interface dev="{{ item.bridge }}" />
+  </forward>
+</network>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/dnsmasq.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/dnsmasq.xml.j2
new file mode 100644
index 00000000..7b50cb04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/network/dnsmasq.xml.j2
@@ -0,0 +1,49 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set libvirt__tpl_dhcp_range_start = 10 %}
+{% set libvirt__tpl_dhcp_range_end   = 250 %}
+{% if item.dhcp_range | d() %}
+{% set libvirt__tpl_dhcp_range_start = item.dhcp_range[0] | int %}
+{% set libvirt__tpl_dhcp_range_end   = item.dhcp_range[1] | int %}
+{% endif %}
+<network>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+{% if item.bridge | d() %}
+  <bridge name="{{ item.bridge }}"/>
+{% endif %}
+{% if item.forward | d() %}
+  <forward mode="{{ item.forward_mode | d('nat') }}"/>
+{% endif %}
+{% if item.domain | d() %}
+  <domain name="{{ item.domain }}" localOnly="{{ "yes" if item.domain_local | d() else "no" }}"/>
+{% endif %}
+{% if item.addresses | d() %}
+{% for subnet in item.addresses | ansible.utils.ipv4('host/prefix') %}
+  <ip family="ipv4" address="{{ subnet | ansible.utils.ipaddr('address') }}" netmask="{{ subnet | ansible.utils.ipaddr('netmask') }}">
+{% if item.dhcp | d() and loop.first %}
+    <dhcp>
+{% if item.bootp | d() %}
+      <bootp file="{{ item.bootp_file | d('/undionly.kpxe') }}"{% if item.bootp_server | d() %} server="{{ item.bootp_server }}"{% endif %}/>
+{% endif %}
+      <range start="{{ subnet | ansible.utils.ipaddr(libvirt__tpl_dhcp_range_start) | ansible.utils.ipaddr('address') }}" end="{{ subnet | ansible.utils.ipaddr(libvirt__tpl_dhcp_range_end) | ansible.utils.ipaddr('address') }}"/>
+    </dhcp>
+{% endif %}
+  </ip>
+{% endfor %}
+{% for subnet in item.addresses | ansible.utils.ipv6('host/prefix') %}
+  <ip family="ipv6" address="{{ subnet | ansible.utils.ipaddr('address') }}" prefix="{{ subnet | ansible.utils.ipaddr('prefix') }}">
+{% if item.dhcp | d() and loop.first %}
+    <dhcp>
+      <range start="{{ subnet | ansible.utils.ipaddr(libvirt__tpl_dhcp_range_start) | ansible.utils.ipaddr('address') }}" end="{{ subnet | ansible.utils.ipaddr(libvirt__tpl_dhcp_range_end) | ansible.utils.ipaddr('address') }}"/>
+    </dhcp>
+{% endif %}
+  </ip>
+{% endfor %}
+{% endif %}
+</network>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/dir.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/dir.xml.j2
new file mode 100644
index 00000000..942ec862
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/dir.xml.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<pool type='dir'>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+  <target>
+    <path>{{ item.path }}</path>
+  </target>
+</pool>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/logical.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/logical.xml.j2
new file mode 100644
index 00000000..f97caeee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/logical.xml.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<pool type='logical'>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+{% if item.device | d() or item.devices | d() %}
+  <source>
+{% if item.device | d() %}
+{% if item.device is string %}
+    <device path="{{ item.device }}"/>
+{% else %}
+{% for device in item.device %}
+    <device path="{{ device }}"/>
+{% endfor %}
+{% endif %}
+{% elif item.devices | d() %}
+{% if item.devices is string %}
+    <device path="{{ item.devices }}"/>
+{% else %}
+{% for device in item.devices %}
+    <device path="{{ device }}"/>
+{% endfor %}
+{% endif %}
+{% endif %}
+  </source>
+{% endif %}
+  <target>
+    <path>/dev/{{ item.name }}</path>
+  </target>
+</pool>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/nfs.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/nfs.xml.j2
new file mode 100644
index 00000000..6606a68a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/nfs.xml.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<pool type='netfs'>
+  <name>{{ item.name }}</name>
+{% if item.uuid | d() %}
+  <uuid>{{ item.uuid }}</uuid>
+{% endif %}
+  <source>
+    <host name="{{ item.host }}"{% if item.port | d() %} port="{{ item.port }}"{% endif %}/>
+    <dir path="{{ item.src }}"/>
+    <format type="nfs"/>
+  </source>
+  <target>
+    <path>{{ item.path }}</path>
+  </target>
+</pool>
diff --git a/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/zfs.xml.j2 b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/zfs.xml.j2
new file mode 100644
index 00000000..9f262679
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirt/templates/lookup/pool/zfs.xml.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<pool type="zfs">
+  <name>{{ item.name }}</name>
+  <source>
+    <name>{{ item.zpoolname }}</name>
+  </source>
+</pool>
diff --git a/ansible_collections/debops/debops/roles/libvirtd/COPYRIGHT b/ansible_collections/debops/debops/roles/libvirtd/COPYRIGHT
new file mode 100644
index 00000000..04353009
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.libvirtd - Manage libvirt virtualization host
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/libvirtd/defaults/main.yml b/ansible_collections/debops/debops/roles/libvirtd/defaults/main.yml
new file mode 100644
index 00000000..a68ffaa2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/defaults/main.yml
@@ -0,0 +1,997 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _libvirtd__ref_defaults:
+
+# debops.libvirtd default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# libvirt features [[[
+# --------------------
+
+# .. envvar:: libvirtd__kvm_support [[[
+#
+# Enable or disable support for KVM-based virtual machines.
+libvirtd__kvm_support: '{{ True
+                           if (ansible_virtualization_type == "kvm" and
+                               (ansible_virtualization_role == "host" or
+                                libvirtd__register_hw_virt.stdout | d()))
+                           else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirtd packages [[[
+# ---------------------
+
+# .. envvar:: libvirtd__base_packages [[[
+#
+# List of :program:`libvirtd` packages which will be installed on all
+# distribution releases, unless overridden.
+libvirtd__base_packages:
+  - 'libvirt-daemon-system'
+  - 'libvirt-clients'
+  - 'libnss-libvirt'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__base_packages_map [[[
+#
+# Override list of base packages for specific distribution releases.
+libvirtd__base_packages_map:
+  'trusty':  [ 'libvirt-bin' ]
+  'xenial':  [ 'libvirt-bin' ]
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__kvm_packages [[[
+#
+# List of QEMU KVM packages to install. They will be installed on all hosts
+# apart from KVM guests, to not create redundant support.
+libvirtd__kvm_packages: '{{ ["qemu-system-x86", "qemu-utils"]
+                            + (["qemu-kvm"]
+                              if ansible_distribution_release in ["stretch",
+                                   "buster", "bionic", "focal"]
+                              else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__network_packages [[[
+#
+# List of network-related packages to install with :program:`libvirtd`.
+libvirtd__network_packages:
+  - 'dnsmasq-base'
+  - 'bridge-utils'
+  - 'ebtables'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__misc_packages [[[
+#
+# List of APT packages related to different subsystems not specified in other
+# package lists, or packages which are required by :command:`libvirtd` for
+# correct operation.
+libvirtd__misc_packages:
+  - 'gawk'
+  - 'netcat-openbsd'
+  - 'ovmf'  # UEFI firmware for amd64 VMs
+  - 'pm-utils'
+  - 'sysfsutils'
+  - '{{ [] if (ansible_distribution_release in ["bullseye"])
+           else "virt-top" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__packages [[[
+#
+# List of custom packages to install.
+libvirtd__packages: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__version [[[
+#
+# The version of the :command:`libvirtd` daemon exposed as a convenient
+# variable for conditional checks.
+libvirtd__version: '{{ ansible_local.libvirtd.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Access control [[[
+# ------------------
+
+# .. envvar:: libvirtd__deployment_mode [[[
+#
+# Specify the type of the environment a given :command:`libvirtd` operates in.
+# Possible choices: ``libvirt``, ``opennebula``.
+libvirtd__deployment_mode: '{{ "opennebula"
+                               if ("debops_service_opennebula_node" in group_names)
+                               else "libvirt" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__admins [[[
+#
+# List of administrator accounts which should have access to
+# :program:`libvirtd`.
+libvirtd__admins: '{{ [ansible_user | d(lookup("env", "USER"))]
+                      if ansible_user | d(lookup("env", "USER")) != "root"
+                      else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__unix_sock_group [[[
+#
+# Name of the UNIX system group which is allowed to access :command:`libvirtd`
+# service through its UNIX sockets.
+libvirtd__unix_sock_group: '{{ ansible_local.libvirtd.unix_sock_group | d("libvirt") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirtd connection URI [[[
+# ---------------------------
+
+# .. envvar:: libvirtd__system_uri [[[
+#
+# Connection URI for the local :program:`libvirtd` instance.
+libvirtd__system_uri: 'qemu:///system'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__uri_aliases [[[
+#
+# YAML dictionary with system-wide connection aliases configured in
+# the :file:`/etc/libvirt/libvirt.conf` configuration file.
+#
+# Each key is an alias for a connection, each value should be a valid
+# :command:`libvirt` URI connection string.
+libvirtd__uri_aliases:
+  'localhost': '{{ libvirtd__system_uri }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__default_uri [[[
+#
+# Name of the alias from the :envvar:`libvirtd__uri_aliases` variable
+# configured as default :command:`libvirt` connection system-wide.
+libvirtd__default_uri: 'localhost'
+                                                                   # ]]]
+                                                                   # ]]]
+# libvirtd master configuration [[[
+# ---------------------------------
+
+# These lists define configuration options present in the
+# :file:`/etc/libvirt/libvirtd.conf` configuration file.
+# See :ref:`libvirtd__ref_configuration` for more details.
+
+# .. envvar:: libvirtd__original_configuration [[[
+#
+# List of original :command:`libvirtd` configuration options defined by the
+# installed software package.
+libvirtd__original_configuration:
+
+  - name: 'listen_tls'  # [[[
+    comment: |
+      Flag listening for secure TLS connections on the public TCP/IP port.
+      NB, must pass the --listen flag to the libvirtd process for this to
+      have any effect.
+
+      It is necessary to setup a CA and issue server certificates before
+      using this capability.
+
+      This is enabled by default, uncomment this to disable it
+    value: False
+    section: 'network'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'listen_tcp'  # [[[
+    comment: |
+      Listen for unencrypted TCP connections on the public TCP/IP port.
+      NB, must pass the --listen flag to the libvirtd process for this to
+      have any effect.
+
+      Using the TCP socket requires SASL authentication by default. Only
+      SASL mechanisms which support data encryption are allowed. This is
+      DIGEST_MD5 and GSSAPI (Kerberos5)
+
+      This is disabled by default, uncomment this to enable it.
+    value: True
+    section: 'network'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'tls_port'  # [[[
+    comment: |
+      Override the port for accepting secure TLS connections
+      This can be a port number, or service name
+    value: '16514'
+    section: 'network'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'tcp_port'  # [[[
+    comment: |
+      Override the port for accepting insecure TCP connections
+      This can be a port number, or service name
+    value: '16509'
+    section: 'network'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'listen_addr'  # [[[
+    comment: |
+      Override the default configuration which binds to all network
+      interfaces. This can be a numeric IPv4/6 address, or hostname
+
+      If the libvirtd service is started in parallel with network
+      startup (e. g. with systemd), binding to addresses other than
+      the wildcards (0.0.0.0/::) might not be available yet.
+    value: '192.168.0.1'
+    section: 'network'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'mdns_adv'  # [[[
+    comment: |
+      Flag toggling mDNS advertisement of the libvirt service.
+
+      Alternatively can disable for all services on a host by
+      stopping the Avahi daemon
+
+      This is disabled by default, uncomment this to enable it
+    value: True
+    section: 'network'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'mdns_name'  # [[[
+    comment: |
+      Override the default mDNS advertisement name. This must be
+      unique on the immediate broadcast network.
+
+      The default is "Virtualization Host HOSTNAME", where HOSTNAME
+      is substituted for the short hostname of the machine (without domain)
+    value: 'Virtualization Host Joe Demo'
+    section: 'network'
+    state: 'comment'
+    weight: 7  # ]]]
+
+  - name: 'unix_sock_group'  # [[[
+    comment: |
+      Set the UNIX domain socket group ownership. This can be used to
+      allow a 'trusted' set of users access to management capabilities
+      without becoming root.
+
+      This is restricted to 'root' by default.
+    value: 'libvirt'
+    section: 'unix-socket'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'unix_sock_ro_perms'  # [[[
+    comment: |
+      Set the UNIX socket permissions for the R/O socket. This is used
+      for monitoring VM status only
+
+      Default allows any user. If setting group ownership, you may want to
+      restrict this too.
+    value: '0777'
+    section: 'unix-socket'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'unix_sock_rw_perms'  # [[[
+    comment: |
+      Set the UNIX socket permissions for the R/W socket. This is used
+      for full management of VMs
+
+      Default allows only root. If PolicyKit is enabled on the socket,
+      the default will change to allow everyone (eg, 0777)
+
+      If not using PolicyKit and setting group ownership for access
+      control, then you may want to relax this too.
+    value: '0770'
+    section: 'unix-socket'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'unix_sock_admin_perms'  # [[[
+    comment: |
+      Set the UNIX socket permissions for the admin interface socket.
+
+      Default allows only owner (root), do not change it unless you are
+      sure to whom you are exposing the access to.
+    value: '0700'
+    section: 'unix-socket'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'unix_sock_dir'  # [[[
+    comment: |
+      Set the name of the directory in which sockets will be found/created.
+    value: '/var/run/libvirt'
+    section: 'unix-socket'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'auth_unix_ro'  # [[[
+    comment: |
+      Set an authentication scheme for UNIX read-only sockets
+      By default socket permissions allow anyone to connect
+
+      To restrict monitoring of domains you may wish to enable
+      an authentication mechanism here
+    value: 'none'
+    section: 'authn'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'auth_unix_rw'  # [[[
+    comment: |
+      Set an authentication scheme for UNIX read-write sockets
+      By default socket permissions only allow root. If PolicyKit
+      support was compiled into libvirt, the default will be to
+      use 'polkit' auth.
+
+      If the unix_sock_rw_perms are changed you may wish to enable
+      an authentication mechanism here
+    value: 'none'
+    section: 'authn'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'auth_tcp'  # [[[
+    comment: |
+      Change the authentication scheme for TCP sockets.
+
+      If you don't enable SASL, then all TCP traffic is cleartext.
+      Don't do this outside of a dev/test scenario. For real world
+      use, always enable SASL and use the GSSAPI or DIGEST-MD5
+      mechanism in /etc/sasl2/libvirt.conf
+    value: 'sasl'
+    section: 'authn'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'auth_tls'  # [[[
+    comment: |
+      Change the authentication scheme for TLS sockets.
+
+      TLS sockets already have encryption provided by the TLS
+      layer, and limited authentication is done by certificates
+
+      It is possible to make use of any SASL authentication
+      mechanism as well, by using 'sasl' for this option
+    value: 'none'
+    section: 'authn'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'access_drivers'  # [[[
+    comment: |
+      Change the API access control scheme
+
+      By default an authenticated user is allowed access
+      to all APIs. Access drivers can place restrictions
+      on this. By default the 'nop' driver is enabled,
+      meaning no access control checks are done once a
+      client has authenticated with libvirtd
+    value: [ 'polkit' ]
+    section: 'authn'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'key_file'  # [[[
+    comment: |
+      Override the default server key file path
+    value: '/etc/pki/libvirt/private/serverkey.pem'
+    section: 'tls-cert'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'cert_file'  # [[[
+    comment: |
+      Override the default server certificate file path
+    value: '/etc/pki/libvirt/servercert.pem'
+    section: 'tls-cert'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'ca_file'  # [[[
+    comment: |
+      Override the default CA certificate path
+    value: '/etc/pki/CA/cacert.pem'
+    section: 'tls-cert'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'crl_file'  # [[[
+    comment: |
+      Specify a certificate revocation list.
+      Defaults to not using a CRL, uncomment to enable it
+    value: '/etc/pki/CA/crl.pem'
+    section: 'tls-cert'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'tls_no_sanity_certificate'  # [[[
+    comment: |
+      Flag to disable verification of our own server certificates
+
+      When libvirtd starts it performs some sanity checks against
+      its own certificates.
+
+      Default is to always run sanity checks. Uncommenting this
+      will disable sanity checks which is not a good idea
+    value: True
+    section: 'authz'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'tls_no_verify_certificate'  # [[[
+    comment: |
+      Flag to disable verification of client certificates
+
+      Client certificate verification is the primary authentication mechanism.
+      Any client which does not present a certificate signed by the CA
+      will be rejected.
+
+      Default is to always verify. Uncommenting this will disable
+      verification - make sure an IP whitelist is set
+    value: True
+    section: 'authz'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'tls_allowed_dn_list'  # [[[
+    comment: |
+      A whitelist of allowed x509 Distinguished Names
+      This list may contain wildcards such as
+
+        "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+
+      See the POSIX fnmatch function for the format of the wildcards.
+
+      NB If this is an empty list, no client can connect, so comment out
+      entirely rather than using empty list to disable these checks
+
+      By default, no DNs are checked
+    value: [ 'DN1', 'DN2' ]
+    section: 'authz'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'sasl_allowed_username_list'  # [[[
+    comment: |
+      A whitelist of allowed SASL usernames. The format for username
+      depends on the SASL authentication mechanism. Kerberos usernames
+      look like username@REALM
+
+      This list may contain wildcards such as
+
+        "*@EXAMPLE.COM"
+
+      See the POSIX fnmatch function for the format of the wildcards.
+
+      NB If this is an empty list, no client can connect, so comment out
+      entirely rather than using empty list to disable these checks
+
+      By default, no Usernames are checked
+    value: [ 'joe@EXAMPLE.COM', 'fred@EXAMPLE.COM' ]
+    section: 'authz'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'tls_priority'  # [[[
+    comment: |
+      Override the compile time default TLS priority string. The
+      default is usually "NORMAL" unless overridden at build time.
+      Only set this is it is desired for libvirt to deviate from
+      the global default settings.
+    value: 'NORMAL'
+    section: 'authz'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'max_clients'  # [[[
+    comment: |
+      The maximum number of concurrent client connections to allow
+      over all sockets combined.
+    value: 5000
+    section: 'proc'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'max_queued_clients'  # [[[
+    comment: |
+      The maximum length of queue of connections waiting to be
+      accepted by the daemon. Note, that some protocols supporting
+      retransmission may obey this so that a later reattempt at
+      connection succeeds.
+    value: 1000
+    section: 'proc'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'max_anonymous_clients'  # [[[
+    comment: |
+      The maximum length of queue of accepted but not yet
+      authenticated clients. The default value is 20. Set this to
+      zero to turn this feature off.
+    value: 20
+    section: 'proc'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'min_workers'  # [[[
+    comment: |
+      The minimum limit sets the number of workers to start up
+      initially. If the number of active clients exceeds this,
+      then more threads are spawned, up to max_workers limit.
+      Typically you would want max_workers to equal maximum
+      number of clients allowed.
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'max_workers'  # [[[
+    value: 20
+    section: 'proc'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'prio_workers'  # [[[
+    comment: |
+      The number of priority workers. If all workers from above
+      pool are stuck, some calls marked as high priority
+      (notably domainDestroy) can be executed in this pool.
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'max_requests'  # [[[
+    comment: |
+      Total global limit on concurrent RPC calls. Should be
+      at least as large as max_workers. Beyond this, RPC requests
+      will be read into memory and queued. This directly impacts
+      memory usage, currently each request requires 256 KB of
+      memory. So by default up to 5 MB of memory is used
+
+      XXX this is not actually enforced yet, only the per-client
+      limit is used so far
+    value: 20
+    section: 'proc'
+    state: 'comment'
+    weight: 7  # ]]]
+
+  - name: 'max_client_requests'  # [[[
+    comment: |
+      Limit on concurrent requests from a single client
+      connection. To avoid one client monopolizing the server
+      this should be a small fraction of the global max_requests
+      and max_workers parameter
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 8  # ]]]
+
+  - name: 'admin_min_workers'  # [[[
+    comment: |
+      Same processing controls, but this time for the admin interface.
+      For description of each option, be so kind to scroll few lines
+      upwards.
+    value: 1
+    section: 'proc'
+    state: 'comment'
+    weight: 9  # ]]]
+
+  - name: 'admin_max_workers'  # [[[
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 10  # ]]]
+
+  - name: 'admin_max_clients'  # [[[
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 11  # ]]]
+
+  - name: 'admin_max_queued_clients'  # [[[
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 12  # ]]]
+
+  - name: 'admin_max_client_requests'  # [[[
+    value: 5
+    section: 'proc'
+    state: 'comment'
+    weight: 13  # ]]]
+
+  - name: 'log_level'  # [[[
+    comment: |
+      Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+      basically 1 will log everything possible
+      Note: Journald may employ rate limiting of the messages logged
+      and thus lock up the libvirt daemon. To use the debug level with
+      journald you have to specify it explicitly in 'log_outputs', otherwise
+      only information level messages will be logged.
+    value: 3
+    section: 'log'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'log_filters'  # [[[
+    comment: |
+      Logging filters:
+      A filter allows to select a different logging level for a given category
+      of logs
+      The format for a filter is one of:
+        x:name
+        x:+name
+
+          where name is a string which is matched against the category
+          given in the VIR_LOG_INIT() at the top of each libvirt source
+          file, e. g., "remote", "qemu", or "util.json" (the name in the
+          filter can be a substring of the full category name, in order
+          to match multiple similar categories), the optional "+" prefix
+          tells libvirt to log stack trace for each message matching
+          name, and x is the minimal level where matching messages should
+          be logged:
+
+        1: DEBUG
+        2: INFO
+        3: WARNING
+        4: ERROR
+
+      Multiple filters can be defined in a single @filters, they just need to be
+      separated by spaces.
+
+      e. g. to only get warning or errors from the remote layer and only errors
+      from the event layer:
+    value: '3:remote 4:event'
+    section: 'log'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'log_outputs'  # [[[
+    comment: |
+      Logging outputs:
+      An output is one of the places to save logging information
+      The format for an output can be:
+        x:stderr
+          output goes to stderr
+        x:syslog:name
+          use syslog for the output and use the given name as the ident
+        x:file:file_path
+          output to a file, with the given filepath
+        x:journald
+          output to journald logging system
+      In all case the x prefix is the minimal level, acting as a filter
+        1: DEBUG
+        2: INFO
+        3: WARNING
+        4: ERROR
+
+      Multiple outputs can be defined, they just need to be separated by spaces.
+      e. g. to log all warnings and errors to syslog under the libvirtd ident:
+    value: '3:syslog:libvirtd'
+    section: 'log'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'log_buffer_size'  # [[[
+    comment: |
+      Log debug buffer size:
+
+      This configuration option is no longer used, since the global
+      log buffer functionality has been removed. Please configure
+      suitable log_outputs/log_filters settings to obtain logs.
+    value: 64
+    section: 'log'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'audit_level'  # [[[
+    comment: |
+      This setting allows usage of the auditing subsystem to be altered:
+
+        audit_level == 0  -> disable all auditing
+        audit_level == 1  -> enable auditing, only if enabled on host (default)
+        audit_level == 2  -> enable auditing, and exit if disabled on host
+    value: 2
+    section: 'audit'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'audit_logging'  # [[[
+    comment: |
+      If set to 1, then audit messages will also be sent
+      via libvirt logging infrastructure. Defaults to 0
+    value: True
+    section: 'audit'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'host_uuid'  # [[[
+    comment: |
+      Host UUID is read from one of the sources specified in host_uuid_source.
+
+      - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+      - 'machine-id': fetch the UUID from /etc/machine-id
+
+      The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+      a valid UUID a temporary UUID will be generated.
+
+      Another option is to specify host UUID in host_uuid.
+
+      Keep the format of the example UUID below. UUID must not have all digits
+      be the same.
+
+      NB This default all-zeros UUID will not work. Replace
+      it with the output of the 'uuidgen' command and then
+      uncomment this entry
+    value: '00000000-0000-0000-0000-000000000000'
+    section: 'uuid'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'host_uuid_source'  # [[[
+    value: 'smbios'
+    section: 'uuid'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'keepalive_interval'  # [[[
+    comment: |
+      This allows libvirtd to detect broken client connections or even
+      dead clients.  A keepalive message is sent to a client after
+      keepalive_interval seconds of inactivity to check if the client is
+      still responding; keepalive_count is a maximum number of keepalive
+      messages that are allowed to be sent to the client without getting
+      any response before the connection is considered broken.  In other
+      words, the connection is automatically closed approximately after
+      keepalive_interval * (keepalive_count + 1) seconds since the last
+      message received from the client.  If keepalive_interval is set to
+      -1, libvirtd will never send keepalive requests; however clients
+      can still send them and the daemon will send responses.  When
+      keepalive_count is set to 0, connections will be automatically
+      closed after keepalive_interval seconds of inactivity without
+      sending any keepalive messages.
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'keepalive_count'  # [[[
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'keepalive_required'  # [[[
+    comment: |
+      These configuration options are no longer used.  There is no way to
+      restrict such clients from connecting since they first need to
+      connect in order to ask for keepalive.
+    value: True
+    section: 'keepalive'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'admin_keepalive_required'  # [[[
+    value: True
+    section: 'keepalive'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'admin_keepalive_interval'  # [[[
+    comment: |
+      Keepalive settings for the admin interface
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'admin_keepalive_count'  # [[[
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 6  # ]]]
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__default_configuration [[[
+#
+# List of :command:`libvirtd` configuration options which are changed from
+# their original values by the role.
+libvirtd__default_configuration:
+
+  - 'unix_sock_group':    '{{ libvirtd__unix_sock_group }}'
+    'unix_sock_ro_perms': '0770'
+    'unix_sock_rw_perms': '0770'
+
+  # Ref: https://forum.opennebula.org/t/polkitd-traps-general-protection-ip-in-libmozjs-17-0-so/399/3
+  - name: 'auth_unix_ro'
+    value: 'none'
+    state: '{{ "present"
+               if (libvirtd__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+  # Ref: https://forum.opennebula.org/t/polkitd-traps-general-protection-ip-in-libmozjs-17-0-so/399/3
+  - name: 'auth_unix_rw'
+    value: 'none'
+    state: '{{ "present"
+               if (libvirtd__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__configuration [[[
+#
+# List of :command:`libvirtd` configuration options which should be set on all
+# hosts in the Ansible inventory.
+libvirtd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__group_configuration [[[
+#
+# List of :command:`libvirtd` configuration options which should be set on
+# hosts in specific Ansible inventory group.
+libvirtd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__host_configuration [[[
+#
+# List of :command:`libvirtd` configuration options which should be set on
+# specific hosts in the Ansible inventory.
+libvirtd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__combined_configuration [[[
+#
+# Variable which combines all of the configuration lists and passes them to the
+# configuration file template for processing.
+libvirtd__combined_configuration: '{{ libvirtd__original_configuration
+                                      + libvirtd__default_configuration
+                                      + libvirtd__configuration
+                                      + libvirtd__group_configuration
+                                      + libvirtd__host_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__configuration_sections [[[
+#
+# List which defines what sections are present in the
+# :file:`/etc/libvirt/libvirtd.conf` configuration file.
+# See :ref:`libvirtd__ref_configuration_sections` for more details.
+libvirtd__configuration_sections:
+
+  - name: 'network'
+    title: 'Network connectivity controls'
+
+  - name: 'unix-socket'
+    title: 'UNIX socket access controls'
+
+  - name: 'authn'
+    title: 'Authentication'
+    comment: |
+      - none: do not perform auth checks. If you can connect to the
+              socket you are allowed. This is suitable if there are
+              restrictions on connecting to the socket (eg, UNIX
+              socket permissions), or if there is a lower layer in
+              the network providing auth (eg, TLS/x509 certificates)
+
+      - sasl: use SASL infrastructure. The actual auth scheme is then
+              controlled from /etc/sasl2/libvirt.conf. For the TCP
+              socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+              For non-TCP or TLS sockets, any scheme is allowed.
+
+      - polkit: use PolicyKit to authenticate. This is only suitable
+                for use on the UNIX sockets. The default policy will
+                require a user to supply their own password to gain
+                full read/write access (aka sudo like), while anyone
+                is allowed read/only access.
+
+
+  - name: 'tls-cert'
+    title: 'TLS X.509 certificate configuration'
+
+  - name: 'authz'
+    title: 'Authorization controls'
+
+  - name: 'proc'
+    title: 'Processing controls'
+
+  - name: 'log'
+    title: 'Logging controls'
+
+  - name: 'audit'
+    title: 'Auditing controls'
+
+  - name: 'uuid'
+    title: 'UUID of the host'
+
+  - name: 'keepalive'
+    title: 'Keepalive protocol'
+
+  - name: 'unknown'
+    title: 'Other parameters'
+                                                                   # ]]]
+                                                                   # ]]]
+# KSM (Kernel Samepage Merging) configuration [[[
+# -----------------------------------------------
+
+# .. envvar:: libvirtd__ksm_enabled [[[
+#
+# Whether to enable KSM.
+libvirtd__ksm_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__ksm_sleep_milisecs [[[
+#
+# How long to sleep in between page scans.
+libvirtd__ksm_sleep_milisecs: 20
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__ksm_pages_to_scan [[[
+#
+# How many pages to scan in one run.
+libvirtd__ksm_pages_to_scan: 100
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: libvirtd__ferm_post_hook [[[
+#
+# Enable or disable installation of the :program:`ferm` post hook.
+libvirtd__ferm_post_hook: '{{ True
+                              if (ansible_local | d() and ansible_local.ferm | d() and
+                                  (ansible_local.ferm.enabled | d()) | bool)
+                              else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: libvirtd__ferm__dependent_rules [[[
+#
+# Configuration for ``debops.ferm`` firewall.
+libvirtd__ferm__dependent_rules:
+
+  - type: 'custom'
+    filename: 'bootpc_checksum'
+    weight: '30'
+    rules: |
+      # Add checksums to BOOTP packets from virtual machines and containers.
+      # https://www.redhat.com/archives/libvir-list/2010-August/msg00035.html
+      @hook post "iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill";
+
+  - type: 'custom'
+    filename: 'reload_libvirt'
+    weight: 'zz'
+    rules: '@hook post "type libvirtd > /dev/null && (systemctl reload libvirtd || true)";'
+    state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+libvirtd__python__dependent_packages3:
+
+  - 'python3-libvirt'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+libvirtd__python__dependent_packages2:
+
+  - 'python-libvirt'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd__nsswitch__dependent_services [[[
+#
+# Configuration for the :ref:`debops.nsswitch` Ansible role.
+libvirtd__nsswitch__dependent_services: [ 'libvirt', 'libvirt_guest' ]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/libvirtd/meta/main.yml b/ansible_collections/debops/debops/roles/libvirtd/meta/main.yml
new file mode 100644
index 00000000..5e4e3991
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage libvirt virtualization host'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - virtualization
+    - kvm
+    - qemu
+    - xen
+    - lxc
diff --git a/ansible_collections/debops/debops/roles/libvirtd/tasks/main.yml b/ansible_collections/debops/debops/roles/libvirtd/tasks/main.yml
new file mode 100644
index 00000000..f5040dda
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/tasks/main.yml
@@ -0,0 +1,121 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+  # When nested KVM is enabled on a host, Ansible does not recognize the
+  # hardware virtualization support in the guest correctly. This is an
+  # additional runtime check to account for that.
+- name: Check if host supports hardware virtualization
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         egrep 'vmx|svm|0xc0f' /proc/cpuinfo || true
+  args:
+    executable: 'bash'
+  register: libvirtd__register_hw_virt
+  check_mode: False
+  changed_when: False
+
+- name: Install libvirtd support
+  ansible.builtin.package:
+    name: '{{ q("flattened", (libvirtd__network_packages
+                              + libvirtd__misc_packages
+                              + libvirtd__packages
+                              + (libvirtd__base_packages_map[ansible_distribution_release]
+                                 if (ansible_distribution_release in libvirtd__base_packages_map.keys())
+                                 else libvirtd__base_packages)
+                              + (libvirtd__kvm_packages
+                                 if libvirtd__kvm_support | bool
+                                 else []))) }}'
+    state: 'present'
+    install_recommends: False
+  register: libvirtd__register_packages
+  until: libvirtd__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save libvirtd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/libvirtd.fact.j2'
+    dest: '/etc/ansible/facts.d/libvirtd.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert managed configuration files
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  loop:
+    - '/etc/libvirt/libvirt.conf'
+    - '/etc/libvirt/libvirtd.conf'
+
+- name: Generate libvirt configuration files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/libvirt/libvirt.conf'
+
+- name: Generate libvirtd configuration files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/libvirt/libvirtd.conf'
+  notify: [ 'Restart libvirtd', 'Restart libvirt-bin' ]
+
+- name: Add administrators to libvirtd access group
+  ansible.builtin.user:
+    name: '{{ item }}'
+    groups: "{{ libvirtd__unix_sock_group }}"
+    append: True
+  with_items: '{{ libvirtd__admins }}'
+  when: libvirtd__admins | d()
+
+- name: Install ferm post hook
+  ansible.builtin.template:
+    src: 'etc/ferm/hooks/post.d/reload-libvirtd.j2'
+    dest: '/etc/ferm/hooks/post.d/reload-libvirtd'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: libvirtd__ferm_post_hook | bool
+
+- name: Configure Kernel Same-page Merging
+  ansible.builtin.template:
+    src: 'etc/sysfs.d/ksm.conf.j2'
+    dest: '/etc/sysfs.d/ksm.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart sysfsutils' ]
+
+- name: Check /sys filesystem mount options
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         findmnt -n -o FS-OPTIONS --target /sys | tr ',' '\n'
+  args:
+    executable: 'bash'
+  register: libvirtd__register_sysfs
+  changed_when: False
+  check_mode: False
diff --git a/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ansible/facts.d/libvirtd.fact.j2 b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ansible/facts.d/libvirtd.fact.j2
new file mode 100644
index 00000000..0771ccf5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ansible/facts.d/libvirtd.fact.j2
@@ -0,0 +1,50 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+from grp import getgrall
+import subprocess
+import re
+
+output = loads('''{{ ({
+    "deployment_mode": libvirtd__deployment_mode,
+    "installed": true
+}) | to_nice_json }}''')
+
+try:
+    libvirtd_version_stdout = subprocess.check_output(
+            ['libvirtd', '--version']).decode('utf-8').split()[2]
+    output['version'] = libvirtd_version_stdout
+
+except Exception:
+    pass
+
+# Check if host supports hardware virtualization
+libvirtd_hw_virt = False
+try:
+    libvirtd_hw_virt_stdout = subprocess.check_output(
+            ['egrep', 'vmx|svm|0xc0f', '/proc/cpuinfo'])
+    libvirtd_hw_virt = True
+
+except Exception:
+    pass
+output['hw_virt'] = libvirtd_hw_virt
+
+unix_groups = getgrall()
+
+for group in unix_groups:
+    if group.gr_name == 'libvirt':
+        output['unix_sock_group'] = 'libvirt'
+    elif group.gr_name == 'libvirtd':
+        output['unix_sock_group'] = 'libvirtd'
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ferm/hooks/post.d/reload-libvirtd.j2 b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ferm/hooks/post.d/reload-libvirtd.j2
new file mode 100755
index 00000000..bc5d3441
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/ferm/hooks/post.d/reload-libvirtd.j2
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# After ferm is restarted, libvirtd needs to be reloaded so that it adds its
+# own iptables rules where needed
+
+set -o nounset -o pipefail -o errexit
+
+# Check if we are running under systemd
+if pidof systemd > /dev/null 2>&1 ; then
+
+    if [ "$(systemctl is-active libvirtd.service)" == "active" ] ; then
+        logger -t "ferm-post-hook" "Reloading libvirtd via ferm post hook..."
+        systemctl reload libvirtd.service
+    fi
+
+else
+
+    # I'm not sure if that's a good way to check for running libvirtd under
+    # non-systemd systems, if there are issues please provide a better solution
+    if [ -r /var/run/libvirtd.pid ] ; then
+        logger -t "ferm-post-hook" "Reloading libvirtd via ferm post hook..."
+        service libvirtd restart
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirt.conf.j2 b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirt.conf.j2
new file mode 100644
index 00000000..5a2cd5ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirt.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters  a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+uri_aliases = [
+{% for key, value in libvirtd__uri_aliases.items() %}
+    "{{ key + '=' + value }}",
+{% endfor %}
+]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+uri_default = "{{ libvirtd__uri_aliases[libvirtd__default_uri] }}"
diff --git a/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirtd.conf.j2 b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirtd.conf.j2
new file mode 100644
index 00000000..a5221124
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/libvirt/libvirtd.conf.j2
@@ -0,0 +1,131 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Master libvirt daemon configuration file
+#
+# For further information consult https://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+{% set libvirtd__tpl_configuration = {} %}
+{% set libvirtd__tpl_configuration_list = [] %}
+{% set libvirtd__tpl_known_sections = [] %}
+{% set libvirtd__tpl_seen_sections = [] %}
+{#
+#  --- Transform the list of configuration parameters to a merged YAML dictionary structure ---
+#}
+{% for element in libvirtd__combined_configuration %}
+{%   if element is mapping %}
+{%     if element.name | d() and element.state | d('present') != 'ignore' %}
+{%       set parameters = (libvirtd__tpl_configuration[element.name].copy() if libvirtd__tpl_configuration[element.name] is defined else {}) %}
+{%       set _ = parameters.update({ 'name': element.name, 'state': element.state | d(parameters.state | d('present')), 'section': element.section | d(parameters.section | d('unknown')), 'weight': element.weight | d(parameters.weight | d(0)) | int }) %}
+{%       if element.value is defined %}
+{%         set _ = parameters.update({ 'value': element.value }) %}
+{%       else %}
+{%         set _ = parameters.update({ 'value': parameters.value | d("") }) %}
+{%         set _ = parameters.update({ 'state': parameters.state | d('comment') }) %}
+{%       endif %}
+{%       if element.comment is defined %}
+{%         set _ = parameters.update({ 'comment': element.comment }) %}
+{%       endif %}
+{%     elif not element.name | d() %}
+{%       for key, value in element.items() %}
+{%         set loop_parameters = (libvirtd__tpl_configuration[key].copy() if libvirtd__tpl_configuration[key] is defined else {}) %}
+{%         set _ = loop_parameters.update({ 'name': key, 'value': value, 'state': 'present', 'section': loop_parameters.section | d('unknown'), 'weight': loop_parameters.weight | d(0) | int }) %}
+{%         set _ = libvirtd__tpl_configuration.update({ loop_parameters.name: loop_parameters }) %}
+{%       endfor %}
+{%     endif %}
+{%     if parameters | d() and parameters.name | d() %}
+{%       set _ = libvirtd__tpl_configuration.update({ parameters.name: parameters }) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{#
+#  --- Transform the YAML dictionary structure into a list ---
+#}
+{% for key, value in libvirtd__tpl_configuration.items() %}
+{%   set _ = libvirtd__tpl_configuration_list.append(value) %}
+{%   if value.state | d('present') != 'absent' %}
+{%     set _ = libvirtd__tpl_known_sections.append(value.section) %}
+{%   endif %}
+{% endfor %}
+{#
+#  --- Macro that prints a single parameter ---
+#}
+{% macro print_parameter(param, next_option) %}
+{%   if param.state | d('present') != 'absent' %}
+{%     if param.comment | d() %}
+{%       if next_option %}
+
+{%       endif %}
+{{ param.comment | regex_replace('\n$','') | comment(prefix='\n',postfix='') -}}
+{%     endif %}
+{%     if param.value is defined %}
+{%       if param.value | bool and param.value is not iterable %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, 1) -}}
+{%       elif not param.value | bool and param.value is not iterable %}
+{%         if param.value is not none %}
+{%           if param.value | int or param.value | string == '0' %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%           else %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, 0) -}}
+{%           endif %}
+{%         endif %}
+{%       elif param.value is string %}
+{{ '{}{} = "{}"'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%       elif param.value is number %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%       elif param.value is not string and param.value is not mapping %}
+{%         if param.value | count <= 4 %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, '[ "' + param.value | join('", "') + '" ]') -}}
+{%         else %}
+{{ '{}{} = ['.format(('#' if param.state | d('present') == 'comment' else ''), param.name) }}
+{%           for thing in param.value %}
+{{ '{:<4}"{}"{}'.format(('#' if param.state | d('present') == 'comment' else ''), thing, (',' if not loop.last | bool else '')) }}
+{%           endfor %}
+{{ '{}]'.format(('#' if param.state | d('present') == 'comment' else '')) -}}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{#
+#  --- Macro that prints a single section with parameters of that section ordered by weight ---
+#}
+{% macro print_section(element, section_name='') %}
+{%   if element.state | d('present') != 'hidden' %}
+#################################################################
+{{ element.title | comment }}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='',postfix='') -}}
+{%     endif %}
+{%   else %}
+
+{%   endif %}
+{%   set option_counter = [] %}
+{%   for option in libvirtd__tpl_configuration_list | sort(attribute='weight') %}
+{%     if option.section | d() == section_name and option.state | d('present') != 'absent' %}
+{{ print_parameter(option, option_counter) }}
+{%       set _ = option_counter.append(True) %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{#
+#  --- Go through configuration sections and print them and their parameters ---
+#}
+{% for section in libvirtd__configuration_sections %}
+{%   if not loop.first | bool and section.state | d('present') not in ['hidden', 'absent' ] and section.name in libvirtd__tpl_known_sections %}
+
+
+{% endif %}
+{%   if section.state | d('present') != 'absent' and section.name in libvirtd__tpl_known_sections %}
+{{ print_section(section, section_name=section.name) -}}
+{%     set _ = libvirtd__tpl_seen_sections.append(section.name) %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/libvirtd/templates/etc/sysfs.d/ksm.conf.j2 b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/sysfs.d/ksm.conf.j2
new file mode 100644
index 00000000..e813641f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd/templates/etc/sysfs.d/ksm.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Enable Kernel Same-page Merging
+kernel/mm/ksm/run = {{ '1' if libvirtd__ksm_enabled | bool else '0' }}
+
+# How long to sleep between scans
+kernel/mm/ksm/sleep_millisecs = {{ libvirtd__ksm_sleep_milisecs }}
+
+# How many pages to scan in one run
+kernel/mm/ksm/pages_to_scan = {{ libvirtd__ksm_pages_to_scan }}
diff --git a/ansible_collections/debops/debops/roles/libvirtd_qemu/COPYRIGHT b/ansible_collections/debops/debops/roles/libvirtd_qemu/COPYRIGHT
new file mode 100644
index 00000000..7b83fcef
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd_qemu/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.libvirtd_qemu - Manage libvirtd QEMU configuration
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/libvirtd_qemu/defaults/main.yml b/ansible_collections/debops/debops/roles/libvirtd_qemu/defaults/main.yml
new file mode 100644
index 00000000..a3f4c078
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd_qemu/defaults/main.yml
@@ -0,0 +1,1275 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _libvirtd_qemu__ref_defaults:
+
+# debops.libvirtd_qemu default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# libvirt features [[[
+# --------------------
+
+# .. envvar:: libvirtd_qemu__kvm_support [[[
+#
+# Enable or disable support for KVM-based virtual machines.
+libvirtd_qemu__kvm_support: '{{ True
+                                if (ansible_virtualization_type == "kvm" and
+                                    (ansible_virtualization_role == "host" or
+                                     libvirtd_qemu__register_hw_virt.stdout | d()))
+                                else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: libvirtd_qemu__base_packages [[[
+#
+# List of :program:`libvirtd` packages which will be installed on all distribution
+# releases, unless overridden.
+libvirtd_qemu__base_packages:
+  - 'libvirt-daemon-system'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__base_packages_map [[[
+#
+# Override list of base packages for specific distribution releases.
+libvirtd_qemu__base_packages_map:
+  'trusty':  [ 'libvirt-bin' ]
+  'xenial':  [ 'libvirt-bin' ]
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__kvm_packages [[[
+#
+# List of QEMU KVM packages to install. They will be installed on all hosts
+# apart from KVM guests, to not create redundant support.
+libvirtd_qemu__kvm_packages: '{{ ["qemu-system-x86", "qemu-utils"]
+                                 + ["qemu-kvm"]
+                                   if ansible_distribution_release in
+                                        ["stretch", "buster", "bionic", "focal"]
+                                   else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__packages [[[
+#
+# List of custom packages to install.
+libvirtd_qemu__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# QEMU environment [[[
+# --------------------
+
+# .. envvar:: libvirtd_qemu__deployment_mode [[[
+#
+# Specify the type of the environment a given :command:`libvirtd` operates in.
+# Possible choices: ``libvirt``, ``opennebula``.
+libvirtd_qemu__deployment_mode: '{{ ansible_local.libvirtd.deployment_mode
+                                    if (ansible_local.libvirtd.deployment_mode | d())
+                                    else ("opennebula"
+                                          if ("debops_service_opennebula_node" in group_names)
+                                          else "libvirt") }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__user [[[
+#
+# The UNIX system user account which will be used to run QEMU processes. The
+# Debian default is ``libvirt-qemu``, however OpenNebula requires the use of
+# the ``oneadmin`` management account to ensure correct file access.
+libvirtd_qemu__user: '{{ (ansible_local.opennebula.user
+                          if (ansible_local.opennebula.user | d())
+                          else "oneadmin")
+                         if (libvirtd_qemu__deployment_mode == "opennebula")
+                         else "libvirt-qemu" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__group [[[
+#
+# The UNIX system group which will be used to run QEMU processes. The Debian
+# default is ``libvirt-qemu``, however OpenNebula requires the use of the
+# ``oneadmin`` management group to ensure correct file access.
+libvirtd_qemu__group: '{{ (ansible_local.opennebula.group
+                           if (ansible_local.opennebula.group | d())
+                           else "oneadmin")
+                          if (libvirtd_qemu__deployment_mode == "opennebula")
+                          else "libvirt-qemu" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# VNC/SPICE remote display options [[[
+# ------------------------------------
+
+# .. envvar:: libvirtd_qemu__remote_display_allow [[[
+#
+# List of IP addresses or CIDR subnets which will be allowed to connect to the
+# VNC/SPICE service through the firewall. if nothing is specified, nobody can
+# connect to these services.
+libvirtd_qemu__remote_display_allow: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__remote_display_ports [[[
+#
+# List of TCP ports which should be opened in the firewall to allow access to
+# the VNC/SPICE services. You can specify specific ports or port ranges
+# separated by the ``:`` character. Only the hosts specified by the
+# :envvar:`libvirtd_qemu__remote_display_allow` variable will have access
+# through these ports.
+libvirtd_qemu__remote_display_ports: '{{ libvirtd_qemu__remote_display_port_min | string + ":"
+                                         + libvirtd_qemu__remote_display_port_max | string }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__remote_display_port_min [[[
+#
+# The lower bound of the port range used by the VNC/SPICE services to allow
+# access to the remote VM console. The lower bound port configuration shouldn't
+# be changed, otherwise it might result in negative port numbers used by the
+# services.
+libvirtd_qemu__remote_display_port_min: 5900
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__remote_display_port_max [[[
+#
+# The upper bound of the port range used by the VNC/SPICE services to allow
+# access to the remote VM console.
+libvirtd_qemu__remote_display_port_max: 65535
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__spice_listen [[[
+#
+# Specify the IP address on which QEMU processes should listen for SPICE
+# connections.
+libvirtd_qemu__spice_listen: '{{ "0.0.0.0"
+                                 if libvirtd_qemu__remote_display_allow | d()
+                                 else "127.0.0.1" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__vnc_listen [[[
+#
+# Specify the IP address on which QEMU processes should listen for VNC
+# connections.
+libvirtd_qemu__vnc_listen: '{{ "0.0.0.0"
+                               if libvirtd_qemu__remote_display_allow | d()
+                               else "127.0.0.1" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# QEMU master configuration [[[
+# -----------------------------
+
+# These lists define configuration options present in the
+# :file:`/etc/libvirt/qemu.conf` configuration file.
+# See :ref:`libvirtd_qemu__ref_configuration` for more details.
+
+# .. envvar:: libvirtd_qemu__original_configuration [[[
+#
+# List of original QEMU configuration options defined by the installed software
+# package.
+libvirtd_qemu__original_configuration:
+
+  - name: 'default_tls_x509_cert_dir'  # [[[
+    comment: |
+      Use of TLS requires that x509 certificates be issued. The default is
+      to keep them in /etc/pki/qemu. This directory must contain
+
+      ca-cert.pem - the CA master certificate
+      server-cert.pem - the server certificate signed with ca-cert.pem
+      server-key.pem  - the server private key
+
+      and optionally may contain
+
+      dh-params.pem - the DH params configuration file
+    value: '/etc/pki/qemu'
+    section: 'tls'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'default_tls_x509_verify'  # [[[
+    comment: |
+      The default TLS configuration only uses certificates for the server
+      allowing the client to verify the server identity and establish
+      an encrypted channel.
+
+      It is possible to use x509 certificates for authentication too, by
+      issuing a x509 certificate to every client who needs to connect.
+
+      Enabling this option will reject any client who does not have a
+      certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+    value: True
+    section: 'tls'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'default_tls_x509_secret_uuid'  # [[[
+    comment: |
+      Libvirt assumes the server-key.pem file is unencrypted by default.
+      To use an encrypted server-key.pem file, the password to decrypt
+      the PEM file is required. This can be provided by creating a secret
+      object in libvirt and then to uncomment this setting to set the UUID
+      of the secret.
+
+      NB This default all-zeros UUID will not work. Replace it with the
+      output from the UUID for the TLS secret from a 'virsh secret-list'
+      command and then uncomment the entry
+    value: '00000000-0000-0000-0000-000000000000'
+    section: 'tls'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'vnc_listen'  # [[[
+    comment: |
+      VNC is configured to listen on 127.0.0.1 by default.
+      To make it listen on all public interfaces, uncomment
+      this next option.
+
+      NB, strong recommendation to enable TLS + x509 certificate
+      verification when allowing public access
+    value: '0.0.0.0'
+    section: 'vnc'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'vnc_auto_unix_socket'  # [[[
+    comment: |
+      Enable this option to have VNC served over an automatically created
+      unix socket. This prevents unprivileged access from users on the
+      host machine, though most VNC clients do not support it.
+
+      This will only be enabled for VNC configurations that have listen
+      type=address but without any address specified. This setting takes
+      preference over vnc_listen.
+    value: True
+    section: 'vnc'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'vnc_tls'  # [[[
+    comment: |
+      Enable use of TLS encryption on the VNC server. This requires
+      a VNC client which supports the VeNCrypt protocol extension.
+      Examples include vinagre, virt-viewer, virt-manager and vencrypt
+      itself. UltraVNC, RealVNC, TightVNC do not support this
+
+      It is necessary to setup CA and issue a server certificate
+      before enabling this.
+    value: True
+    section: 'vnc'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'vnc_tls_x509_cert_dir'  # [[[
+    comment: |
+      In order to override the default TLS certificate location for
+      vnc certificates, supply a valid path to the certificate directory.
+      If the provided path does not exist then the default_tls_x509_cert_dir
+      path will be used.
+    value: '/etc/pki/libvirt-vnc'
+    section: 'vnc'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'vnc_tls_x509_verify'  # [[[
+    comment: |
+      The default TLS configuration only uses certificates for the server
+      allowing the client to verify the server identity and establish
+      an encrypted channel.
+
+      It is possible to use x509 certificates for authentication too, by
+      issuing a x509 certificate to every client who needs to connect.
+
+      Enabling this option will reject any client who does not have a
+      certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+
+      If this option is not supplied, it will be set to the value of
+      "default_tls_x509_verify".
+    value: True
+    section: 'vnc'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'vnc_password'  # [[[
+    comment: |
+      The default VNC password. Only 8 bytes are significant for
+      VNC passwords. This parameter is only used if the per-domain
+      XML config does not already provide a password. To allow
+      access without passwords, leave this commented out. An empty
+      string will still enable passwords, but be rejected by QEMU,
+      effectively preventing any use of VNC. Obviously change this
+      example here before you set this.
+    value: 'XYZ12345'
+    section: 'vnc'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'vnc_sasl'  # [[[
+    comment: |
+      Enable use of SASL encryption on the VNC server. This requires
+      a VNC client which supports the SASL protocol extension.
+      Examples include vinagre, virt-viewer and virt-manager
+      itself. UltraVNC, RealVNC, TightVNC do not support this
+
+      It is necessary to configure /etc/sasl2/qemu.conf to choose
+      the desired SASL plugin (eg, GSSPI for Kerberos)
+    value: True
+    section: 'vnc'
+    state: 'comment'
+    weight: 7  # ]]]
+
+  - name: 'vnc_sasl_dir'  # [[[
+    comment: |
+      The default SASL configuration file is located in /etc/sasl2/
+      When running libvirtd unprivileged, it may be desirable to
+      override the configs in this location. Set this parameter to
+      point to the directory, and create a qemu.conf in that location
+    value: '/some/directory/sasl2'
+    section: 'vnc'
+    state: 'comment'
+    weight: 8  # ]]]
+
+  - name: 'vnc_allow_host_audio'  # [[[
+    comment: |
+      QEMU implements an extension for providing audio over a VNC connection,
+      though if your VNC client does not support it, your only chance for getting
+      sound output is through regular audio backends. By default, libvirt will
+      disable all QEMU sound backends if using VNC, since they can cause
+      permissions issues. Enabling this option will make libvirtd honor the
+      QEMU_AUDIO_DRV environment variable when using VNC.
+    value: False
+    section: 'vnc'
+    state: 'comment'
+    weight: 9  # ]]]
+
+  - name: 'spice_listen'  # [[[
+    comment: |
+      SPICE is configured to listen on 127.0.0.1 by default.
+      To make it listen on all public interfaces, uncomment
+      this next option.
+
+      NB, strong recommendation to enable TLS + x509 certificate
+      verification when allowing public access
+    value: '0.0.0.0'
+    section: 'spice'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'spice_tls'  # [[[
+    comment: |
+      Enable use of TLS encryption on the SPICE server.
+
+      It is necessary to setup CA and issue a server certificate
+      before enabling this.
+    value: True
+    section: 'spice'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'spice_tls_x509_cert_dir'  # [[[
+    comment: |
+      In order to override the default TLS certificate location for
+      spice certificates, supply a valid path to the certificate directory.
+      If the provided path does not exist then the default_tls_x509_cert_dir
+      path will be used.
+    value: '/etc/pki/libvirt-spice'
+    section: 'spice'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'spice_auto_unix_socket'  # [[[
+    comment: |
+      Enable this option to have SPICE served over an automatically created
+      unix socket. This prevents unprivileged access from users on the
+      host machine.
+
+      This will only be enabled for SPICE configurations that have listen
+      type=address but without any address specified. This setting takes
+      preference over spice_listen.
+    value: True
+    section: 'spice'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'spice_password'  # [[[
+    comment: |
+      The default SPICE password. This parameter is only used if the
+      per-domain XML config does not already provide a password. To
+      allow access without passwords, leave this commented out. An
+      empty string will still enable passwords, but be rejected by
+      QEMU, effectively preventing any use of SPICE. Obviously change
+      this example here before you set this.
+    value: 'XYZ12345'
+    section: 'spice'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'spice_sasl'  # [[[
+    comment: |
+      Enable use of SASL encryption on the SPICE server. This requires
+      a SPICE client which supports the SASL protocol extension.
+
+      It is necessary to configure /etc/sasl2/qemu.conf to choose
+      the desired SASL plugin (eg, GSSPI for Kerberos)
+    value: True
+    section: 'spice'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'spice_sasl_dir'  # [[[
+    comment: |
+      The default SASL configuration file is located in /etc/sasl2/
+      When running libvirtd unprivileged, it may be desirable to
+      override the configs in this location. Set this parameter to
+      point to the directory, and create a qemu.conf in that location
+    value: '/some/directory/sasl2'
+    section: 'spice'
+    state: 'comment'
+    weight: 7  # ]]]
+
+  - name: 'chardev_tls'  # [[[
+    comment: |
+      Enable use of TLS encryption on the chardev TCP transports.
+
+      It is necessary to setup CA and issue a server certificate
+      before enabling this.
+    value: True
+    section: 'chardev'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'chardev_tls_x509_cert_dir'  # [[[
+    comment: |
+      In order to override the default TLS certificate location for character
+      device TCP certificates, supply a valid path to the certificate directory.
+      If the provided path does not exist then the default_tls_x509_cert_dir
+      path will be used.
+    value: '/etc/pki/libvirt-chardev'
+    section: 'chardev'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'chardev_tls_x509_verify'  # [[[
+    comment: |
+      The default TLS configuration only uses certificates for the server
+      allowing the client to verify the server identity and establish
+      an encrypted channel.
+
+      It is possible to use x509 certificates for authentication too, by
+      issuing a x509 certificate to every client who needs to connect.
+
+      Enabling this option will reject any client who does not have a
+      certificate signed by the CA in /etc/pki/libvirt-chardev/ca-cert.pem
+    value: True
+    section: 'chardev'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'chardev_tls_x509_secret_uuid'  # [[[
+    comment: |
+      Uncomment and use the following option to override the default secret
+      UUID provided in the default_tls_x509_secret_uuid parameter.
+
+      NB This default all-zeros UUID will not work. Replace it with the
+      output from the UUID for the TLS secret from a 'virsh secret-list'
+      command and then uncomment the entry
+    value: '00000000-0000-0000-0000-000000000000'
+    section: 'chardev'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'nographics_allow_host_audio'  # [[[
+    comment: |
+      By default, if no graphical front end is configured, libvirt will disable
+      QEMU audio output since directly talking to alsa/pulseaudio may not work
+      with various security settings. If you know what you are doing, enable
+      the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+      environment variable when using nographics.
+    value: True
+    section: 'display'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'remote_display_port_min'  # [[[
+    comment: |
+      Override the port for creating both VNC and SPICE sessions (min).
+      This defaults to 5900 and increases for consecutive sessions
+      or when ports are occupied, until it hits the maximum.
+
+      Minimum must be greater than or equal to 5900 as lower number would
+      result into negative vnc display number.
+
+      Maximum must be less than 65536, because higher numbers do not make
+      sense as a port number.
+    value: 5900
+    section: 'display'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'remote_display_port_max'  # [[[
+    value: 65535
+    section: 'display'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'remote_websocket_port_min'  # [[[
+    comment: |
+      VNC WebSocket port policies, same rules apply as with remote display
+      ports. VNC WebSockets use similar display <-> port mappings, with
+      the exception being that ports start from 5700 instead of 5900.
+    value: 5700
+    section: 'display'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'remote_websocket_port_max'  # [[[
+    value: 65535
+    section: 'display'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'security_driver'  # [[[
+    comment: |
+      The default security driver is SELinux. If SELinux is disabled
+      on the host, then the security driver will automatically disable
+      itself. If you wish to disable QEMU SELinux security driver while
+      leaving SELinux enabled for the host in general, then set this
+      to 'none' instead. It is also possible to use more than one security
+      driver at the same time, for this use a list of names separated by
+      comma and delimited by square brackets. For example:
+
+            security_driver = [ "selinux", "apparmor" ]
+
+      Notes: The DAC security driver is always enabled; as a result, the
+      value of security_driver cannot contain "dac".  The value "none" is
+      a special value; security_driver can be set to that value in
+      isolation, but it cannot appear in a list of drivers.
+    value: 'selinux'
+    section: 'security'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'security_default_confined'  # [[[
+    comment: |
+      If set to non-zero, then the default security labeling
+      will make guests confined. If set to zero, then guests
+      will be unconfined by default. Defaults to 1.
+    value: True
+    section: 'security'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'security_require_confined'  # [[[
+    comment: |
+      If set to non-zero, then attempts to create unconfined
+      guests will be blocked. Defaults to 0.
+    value: True
+    section: 'security'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'user'  # [[[
+    comment: |
+      The user for QEMU processes run by the system instance. It can be
+      specified as a user name or as a user id. The qemu driver will try to
+      parse this value first as a name and then, if the name does not exist,
+      as a user id.
+
+      Since a sequence of digits is a valid user name, a leading plus sign
+      can be used to ensure that a user id will not be interpreted as a user
+      name.
+
+      Some examples of valid values are:
+
+            user = "qemu"   # A user named "qemu"
+            user = "+0"     # Super user (uid=0)
+            user = "100"    # A user named "100" or a user with uid=100
+    value: 'root'
+    section: 'user-group'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'group'  # [[[
+    comment: |
+      The group for QEMU processes run by the system instance. It can be
+      specified in a similar way to user.
+    value: 'root'
+    section: 'user-group'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'dynamic_ownership'  # [[[
+    comment: |
+      Whether libvirt should dynamically change file ownership
+      to match the configured user/group above. Defaults to 1.
+      Set to 0 to disable file ownership changes.
+    value: True
+    section: 'user-group'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'cgroup_controllers'  # [[[
+    comment: |
+      What cgroup controllers to make use of with QEMU guests
+
+      - 'cpu' - use for schedular tunables
+      - 'devices' - use for device whitelisting
+      - 'memory' - use for memory tunables
+      - 'blkio' - use for block devices I/O tunables
+      - 'cpuset' - use for CPUs and memory nodes
+      - 'cpuacct' - use for CPUs statistics.
+
+      NB, even if configured here, they will not be used unless
+      the administrator has mounted cgroups, e. g.:
+
+      mkdir /dev/cgroup
+      mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+
+      They can be mounted anywhere, and different controllers
+      can be mounted in different locations. libvirt will detect
+      where they are located.
+    value: [ 'cpu', 'devices', 'memory', 'blkio', 'cpuset', 'cpuacct' ]
+    section: 'cgroup'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'cgroup_device_acl'  # [[[
+    comment: |
+      This is the basic set of devices allowed / required by
+      all virtual machines.
+
+      As well as this, any configured block backed disks,
+      all sound device, and all PTY devices are allowed.
+
+      This will only need setting if newer QEMU suddenly
+      wants some device we do not already know about.
+
+      RDMA migration requires the following extra files to be added to the list:
+        "/dev/infiniband/rdma_cm",
+        "/dev/infiniband/issm0",
+        "/dev/infiniband/issm1",
+        "/dev/infiniband/umad0",
+        "/dev/infiniband/umad1",
+        "/dev/infiniband/uverbs0"
+    value: [ '/dev/null', '/dev/full', '/dev/zero',
+             '/dev/random', '/dev/urandom',
+             '/dev/ptmx', '/dev/kvm', '/dev/kqemu',
+             '/dev/rtc', '/dev/hpet', '/dev/vfio/vfio' ]
+    section: 'cgroup'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'save-image_format'  # [[[
+    comment: |
+      The default format for Qemu/KVM guest save images is raw; that is, the
+      memory from the domain is dumped out directly to a file.  If you have
+      guests with a large amount of memory, however, this can take up quite
+      a bit of space.  If you would like to compress the images while they
+      are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+      for save_image_format.  Note that this means you slow down the process of
+      saving a domain in order to save disk space; the list above is in descending
+      order by performance and ascending order by compression ratio.
+
+      save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+      at scheduled saving, and it is an error if the specified save_image_format
+      is not valid, or the requested compression program cannot be found.
+
+      dump_image_format is used when you use 'virsh dump' at emergency
+      crashdump, and if the specified dump_image_format is not valid, or
+      the requested compression program cannot be found, this falls
+      back to "raw" compression.
+
+      snapshot_image_format specifies the compression algorithm of the memory save
+      image when an external snapshot of a domain is taken. This does not apply
+      on disk image format. It is an error if the specified format is not valid,
+      or the requested compression program cannot be found.
+    value: 'raw'
+    section: 'dump'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'dump_image_format'  # [[[
+    value: 'raw'
+    section: 'dump'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'snapshot_image_format'  # [[[
+    value: 'raw'
+    section: 'dump'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'auto_dump_path'  # [[[
+    comment: |
+      When a domain is configured to be auto-dumped when libvirtd receives a
+      watchdog event from qemu guest, libvirtd will save dump files in directory
+      specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+    value: '/var/lib/libvirt/qemu/dump'
+    section: 'dump'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'auto_dump_bypass_cache'  # [[[
+    comment: |
+      When a domain is configured to be auto-dumped, enabling this flag
+      has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+      virDomainCoreDump API.  That is, the system will avoid using the
+      file system cache while writing the dump file, but may cause
+      slower operation.
+    value: False
+    section: 'dump'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'auto_start_bypass_cache'  # [[[
+    comment: |
+      When a domain is configured to be auto-started, enabling this flag
+      has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+      with the virDomainCreateWithFlags API.  That is, the system will
+      avoid using the file system cache when restoring any managed state
+      file, but may cause slower operation.
+    value: False
+    section: 'dump'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'hugetlbfs_mount'  # [[[
+    comment: |
+      If provided by the host and a hugetlbfs mount point is configured,
+      a guest may request huge page backing. When this mount point is
+      unspecified here, determination of a host mount point in /proc/mounts
+      will be attempted. Specifying an explicit mount overrides detection
+      of the same in /proc/mounts. Setting the mount point to "" will
+      disable guest hugepage backing. If desired, multiple mount points can
+      be specified at once, separated by comma and enclosed in square
+      brackets, for example:
+
+          hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+
+      The size of huge page served by specific mount point is determined by
+      libvirt at the daemon startup.
+
+      NB, within these mount points, guests will create memory backing
+      files in a location of $MOUNTPOINT/libvirt/qemu
+    value: '/dev/hugepages'
+    section: 'proc'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'bridge_helper'  # [[[
+    comment: |
+      Path to the setuid helper for creating tap devices.  This executable
+      is used to create <source type='bridge'> interfaces when libvirtd is
+      running unprivileged.  libvirt invokes the helper directly, instead
+      of using "-netdev bridge", for security reasons.
+    value: '/usr/libexec/qemu-bridge-helper'
+    section: 'proc'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'clear_emulator_capabilities'  # [[[
+    comment: |
+      If clear_emulator_capabilities is enabled, libvirt will drop all
+      privileged capabilities of the QEmu/KVM emulator. This is enabled by
+      default.
+
+      Warning: Disabling this option means that a compromised guest can
+      exploit the privileges and possibly do damage to the host.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'set_process_name'  # [[[
+    comment: |
+      If enabled, libvirt will have QEMU set its process name to
+      "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
+      process will appear as "qemu:VM_NAME" in process listings and
+      other system monitoring tools. By default, QEMU does not set
+      its process title, so the complete QEMU command (emulator and
+      its arguments) appear in process listings.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'max_processes'  # [[[
+    comment: |
+      If max_processes is set to a positive integer, libvirt will use
+      it to set the maximum number of processes that can be run by qemu
+      user. This can be used to override default value set by host OS.
+      The same applies to max_files which sets the limit on the maximum
+      number of opened files.
+    value: 0
+    section: 'proc'
+    state: 'comment'
+    weight: 5  # ]]]
+
+  - name: 'max_files'  # [[[
+    value: 0
+    section: 'proc'
+    state: 'comment'
+    weight: 6  # ]]]
+
+  - name: 'max_core'  # [[[
+    comment: |
+      If max_core is set to a non-zero integer, then QEMU will be
+      permitted to create core dumps when it crashes, provided its
+      RAM size is smaller than the limit set.
+
+      Be warned that the core dump will include a full copy of the
+      guest RAM, if the 'dump_guest_core' setting has been enabled,
+      or if the guest XML contains
+
+        <memory dumpcore="on">...guest ram...</memory>
+
+      If guest RAM is to be included, ensure the max_core limit
+      is set to at least the size of the largest expected guest
+      plus another 1GB for any QEMU host side memory mappings.
+
+      As a special case it can be set to the string "unlimited" to
+      to allow arbitrarily sized core dumps.
+
+      By default the core dump size is set to 0 disabling all dumps
+
+      Size is a positive integer specifying bytes or the
+      string "unlimited"
+    value: 'unlimited'
+    section: 'proc'
+    state: 'comment'
+    weight: 7  # ]]]
+
+  - name: 'dump_guest_core'  # [[[
+    comment: |
+      Determine if guest RAM is included in QEMU core dumps. By
+      default guest RAM will be excluded if a new enough QEMU is
+      present. Setting this to '1' will force guest RAM to always
+      be included in QEMU core dumps.
+
+      This setting will be ignored if the guest XML has set the
+      dumpcore attribute on the <memory> element.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 8  # ]]]
+
+  - name: 'mac_filter'  # [[[
+    comment: |
+      mac_filter enables MAC addressed based filtering on bridge ports.
+      This currently requires ebtables to be installed.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 9  # ]]]
+
+  - name: 'relaxed_acs_check'  # [[[
+    comment: |
+      By default, PCI devices below non-ACS switch are not allowed to be assigned
+      to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
+      be assigned to guests.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 10  # ]]]
+
+  - name: 'allow_disk_format_probing'  # [[[
+    comment: |
+      If allow_disk_format_probing is enabled, libvirt will probe disk
+      images to attempt to identify their format, when not otherwise
+      specified in the XML. This is disabled by default.
+
+      WARNING: Enabling probing is a security hole in almost all
+      deployments. It is strongly recommended that users update their
+      guest XML <disk> elements to include  <driver type='XXXX'/>
+      elements instead of enabling this option.
+    value: True
+    section: 'proc'
+    state: 'comment'
+    weight: 11  # ]]]
+
+  - name: 'lock_manager'  # [[[
+    comment: |
+      In order to prevent accidentally starting two domains that
+      share one writable disk, libvirt offers two approaches for
+      locking files. The first one is sanlock, the other one,
+      virtlockd, is then our own implementation. Accepted values
+      are "sanlock" and "lockd".
+    value: 'lockd'
+    section: 'proc'
+    state: 'comment'
+    weight: 12  # ]]]
+
+  - name: 'max_queued'  # [[[
+    comment: |
+      Set limit of maximum APIs queued on one domain. All other APIs
+      over this threshold will fail on acquiring job lock. Specially,
+      setting to zero turns this feature off.
+      Note, that job lock is per domain.
+    value: 0
+    section: 'proc'
+    state: 'comment'
+    weight: 13  # ]]]
+
+  - name: 'keepalive_interval'  # [[[
+    comment: |
+      This allows qemu driver to detect broken connections to remote
+      libvirtd during peer-to-peer migration.  A keepalive message is
+      sent to the daemon after keepalive_interval seconds of inactivity
+      to check if the daemon is still responding; keepalive_count is a
+      maximum number of keepalive messages that are allowed to be sent
+      to the daemon without getting any response before the connection
+      is considered broken.  In other words, the connection is
+      automatically closed approximately after
+      keepalive_interval * (keepalive_count + 1) seconds since the last
+      message received from the daemon.  If keepalive_interval is set to
+      -1, qemu driver will not send keepalive requests during
+      peer-to-peer migration; however, the remote libvirtd can still
+      send them and source libvirtd will send responses.  When
+      keepalive_count is set to 0, connections will be automatically
+      closed after keepalive_interval seconds of inactivity without
+      sending any keepalive messages.
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'keepalive_count'  # [[[
+    value: 5
+    section: 'keepalive'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'seccomp_sandbox'  # [[[
+    comment: |
+      Use seccomp syscall whitelisting in QEMU.
+      1 = on, 0 = off, -1 = use QEMU default
+      Defaults to -1.
+    value: 1
+    section: 'seccomp'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'migration_address'  # [[[
+    comment: |
+      Override the listen address for all incoming migrations. Defaults to
+      0.0.0.0, or :: if both host and qemu are capable of IPv6.
+    value: '0.0.0.0'
+    section: 'migration'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'migration_host'  # [[[
+    comment: |
+      The default hostname or IP address which will be used by a migration
+      source for transferring migration data to this host.  The migration
+      source has to be able to resolve this hostname and connect to it so
+      setting "localhost" will not work.  By default, the host configured
+      hostname is used.
+    value: 'host.example.com'
+    section: 'migration'
+    state: 'comment'
+    weight: 2  # ]]]
+
+  - name: 'migration_port_min'  # [[[
+    comment: |
+      Override the port range used for incoming migrations.
+
+      Minimum must be greater than 0, however when QEMU is not running as root,
+      setting the minimum to be lower than 1024 will not work.
+
+      Maximum must not be greater than 65535.
+    value: 49152
+    section: 'migration'
+    state: 'comment'
+    weight: 3  # ]]]
+
+  - name: 'migration_port_max'  # [[[
+    value: 49215
+    section: 'migration'
+    state: 'comment'
+    weight: 4  # ]]]
+
+  - name: 'log_timestamp'  # [[[
+    comment: |
+      Timestamp QEMU log messages (if QEMU supports it)
+
+      Defaults to 1.
+    value: False
+    section: 'log'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'nvram'  # [[[
+    comment: |
+      Location of master nvram file
+
+      When a domain is configured to use UEFI instead of standard
+      BIOS it may use a separate storage for UEFI variables. If
+      that is the case libvirt creates the variable store per domain
+      using this master file as image. Each UEFI firmware can,
+      however, have different variables store. Therefore the nvram is
+      a list of strings when a single item is in form of:
+        ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
+      Later, when libvirt creates per domain variable store, this list is
+      searched for the master image. The UEFI firmware can be called
+      differently for different guest architectures. For instance, it is OVMF
+      for x86_64 and i686, but it is AAVMF for aarch64. The libvirt default
+      follows this scheme.
+    value: [ '/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd',
+             '/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd',
+             '/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd' ]
+    section: 'nvram'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'stdio_handler'  # [[[
+    comment: |
+      The backend to use for handling stdout/stderr output from
+      QEMU processes.
+
+      'file': QEMU writes directly to a plain file. This is the
+              historical default, but allows QEMU to inflict a
+              denial of service attack on the host by exhausting
+              filesystem space
+
+      'logd': QEMU writes to a pipe provided by virtlogd daemon.
+              This is the current default, providing protection
+              against denial of service by performing log file
+              rollover when a size limit is hit.
+    value: 'logd'
+    section: 'stdio'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'gluster_debug_level'  # [[[
+    comment: |
+      QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+      most verbose, and 0 representing no debugging output.
+
+      The current logging levels defined in the gluster GFAPI are:
+
+        0 - None
+        1 - Emergency
+        2 - Alert
+        3 - Critical
+        4 - Error
+        5 - Warning
+        6 - Notice
+        7 - Info
+        8 - Debug
+        9 - Trace
+
+      Defaults to 4
+    value: 9
+    section: 'gluster'
+    state: 'comment'
+    weight: 1  # ]]]
+
+  - name: 'namespaces'  # [[[
+    comment: |
+      To enhance security, QEMU driver is capable of creating private namespaces
+      for each domain started. Well, so far only "mount" namespace is supported. If
+      enabled it means qemu process is unable to see all the devices on the system,
+      only those configured for the domain in question. Libvirt then manages
+      devices entries throughout the domain lifetime. This namespace is turned on
+      by default.
+    value: [ 'mount' ]
+    section: 'namespaces'
+    state: 'comment'
+    weight: 1  # ]]]
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__default_configuration [[[
+#
+# List of QEMU configuration options which are changed from their original
+# values by the role.
+libvirtd_qemu__default_configuration:
+
+  - name: 'spice_listen'
+    value: '{{ libvirtd_qemu__spice_listen }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__remote_display_allow | d())
+               else "ignore" }}'
+
+  - name: 'vnc_listen'
+    value: '{{ libvirtd_qemu__vnc_listen }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__remote_display_allow | d())
+               else "ignore" }}'
+
+  - name: 'remote_display_port_min'
+    value: '{{ libvirtd_qemu__remote_display_port_min }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+  - name: 'remote_display_port_max'
+    value: '{{ libvirtd_qemu__remote_display_port_max }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+  - name: 'user'
+    value: '{{ libvirtd_qemu__user }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+  - name: 'group'
+    value: '{{ libvirtd_qemu__group }}'
+    state: '{{ "present"
+               if (libvirtd_qemu__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+  - name: 'dynamic_ownership'
+    value: False
+    state: '{{ "present"
+               if (libvirtd_qemu__deployment_mode == "opennebula")
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__configuration [[[
+#
+# List of QEMU configuration options which should be set on all hosts in the
+# Ansible inventory.
+libvirtd_qemu__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__group_configuration [[[
+#
+# List of QEMU configuration options which should be set on hosts in specific
+# Ansible inventory group.
+libvirtd_qemu__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__host_configuration [[[
+#
+# List of QEMU configuration options which should be set on specific hosts in
+# the Ansible inventory.
+libvirtd_qemu__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__combined_configuration [[[
+#
+# Variable which combines all of the configuration lists and passes them to the
+# configuration file template for processing.
+libvirtd_qemu__combined_configuration: '{{ libvirtd_qemu__original_configuration
+                                           + libvirtd_qemu__default_configuration
+                                           + libvirtd_qemu__configuration
+                                           + libvirtd_qemu__group_configuration
+                                           + libvirtd_qemu__host_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__configuration_sections [[[
+#
+# List which defines what sections are present in the
+# :file:`/etc/libvirt/qemu.conf` configuration file.
+# See :ref:`libvirtd_qemu__ref_configuration_sections` for more details.
+libvirtd_qemu__configuration_sections:
+
+  - name: 'tls'
+    title: 'TLS configuration'
+    state: 'hidden'
+
+  - name: 'vnc'
+    title: 'VNC display configuration'
+    state: 'hidden'
+
+  - name: 'spice'
+    title: 'SPICE display configuration'
+    state: 'hidden'
+
+  - name: 'chardev'
+    title: 'Character device configuration'
+    state: 'hidden'
+
+  - name: 'display'
+    title: 'Display configuration'
+    state: 'hidden'
+
+  - name: 'security'
+    title: 'Security configuration'
+    state: 'hidden'
+
+  - name: 'user-group'
+    title: 'User and group configuration'
+    state: 'hidden'
+
+  - name: 'cgroup'
+    title: 'Cgroup configuration'
+    state: 'hidden'
+
+  - name: 'dump'
+    title: 'Data dump configuration'
+    state: 'hidden'
+
+  - name: 'proc'
+    title: 'Process configuration'
+    state: 'hidden'
+
+  - name: 'keepalive'
+    title: 'Keepalive configuration'
+    state: 'hidden'
+
+  - name: 'seccomp'
+    title: 'SecComp configuration'
+    state: 'hidden'
+
+  - name: 'migration'
+    title: 'Migration configuration'
+    state: 'hidden'
+
+  - name: 'log'
+    title: 'Logging configuration'
+    state: 'hidden'
+
+  - name: 'nvram'
+    title: 'NVRAM configuration'
+    state: 'hidden'
+
+  - name: 'stdio'
+    title: 'IO configuration'
+    state: 'hidden'
+
+  - name: 'gluster'
+    title: 'GlusterFS configuration'
+    state: 'hidden'
+
+  - name: 'namespaces'
+    title: 'Namespaces configuration'
+    state: 'hidden'
+
+  - name: 'unknown'
+    title: 'Other configuration'
+    state: 'hidden'
+
+                                                                   # ]]]
+# .. envvar:: libvirtd_qemu__configuration_comments [[[
+#
+# Enable or disable inclusion of the parameter comments in the generated
+# configuration file.
+libvirtd_qemu__configuration_comments: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: libvirtd_qemu__ferm__dependent_rules [[[
+#
+# Configuration for the ``debops.ferm`` Ansible role.
+libvirtd_qemu__ferm__dependent_rules:
+
+  - name: 'libvirtd_qemu__remote_display'
+    type: 'accept'
+    dport: '{{ libvirtd_qemu__remote_display_ports }}'
+    saddr: '{{ libvirtd_qemu__remote_display_allow }}'
+    accept_any: False
+    rule_state: '{{ "present"
+                    if (libvirtd_qemu__deployment_mode == "opennebula")
+                    else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/libvirtd_qemu/meta/main.yml b/ansible_collections/debops/debops/roles/libvirtd_qemu/meta/main.yml
new file mode 100644
index 00000000..e0269b3c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd_qemu/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage libvirtd QEMU configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - virtualization
+    - kvm
+    - qemu
diff --git a/ansible_collections/debops/debops/roles/libvirtd_qemu/tasks/main.yml b/ansible_collections/debops/debops/roles/libvirtd_qemu/tasks/main.yml
new file mode 100644
index 00000000..9b059bbc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd_qemu/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+  # When nested KVM is enabled on a host, Ansible does not recognize the
+  # hardware virtualization support in the guest correctly. This is an
+  # additional runtime check to account for that.
+- name: Check if host supports hardware virtualization
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         egrep --color=auto 'vmx|svm|0xc0f' /proc/cpuinfo || true
+  args:
+    executable: 'bash'
+  register: libvirtd_qemu__register_hw_virt
+  check_mode: False
+  changed_when: False
+
+- name: Install libvirt if not already installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", ((libvirtd_qemu__base_packages_map[ansible_distribution_release]
+                               if (ansible_distribution_release in libvirtd_qemu__base_packages_map.keys())
+                               else libvirtd_qemu__base_packages)
+                              + (libvirtd_qemu__kvm_packages if libvirtd_qemu__kvm_support | bool else [])
+                              + libvirtd_qemu__packages)) }}'
+    state: 'present'
+  register: libvirtd_qemu__register_packages
+  until: libvirtd_qemu__register_packages is succeeded
+  when: (ansible_local is undefined or
+         (ansible_local | d() and ansible_local.libvirtd is undefined or
+          (ansible_local | d() and ansible_local.libvirtd | d() and
+           (ansible_local.libvirtd.installed is undefined or
+            not ansible_local.libvirtd.installed | bool))))
+
+- name: Make sure required directories exist
+  ansible.builtin.file:
+    path: '/etc/libvirt'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Divert managed configuration files
+  debops.debops.dpkg_divert:
+    path: '/etc/libvirt/qemu.conf'
+
+- name: Generate QEMU private configuration files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  with_items:
+    - 'etc/libvirt/qemu.conf'
+  notify: [ 'Restart libvirtd', 'Restart libvirt-bin' ]
diff --git a/ansible_collections/debops/debops/roles/libvirtd_qemu/templates/etc/libvirt/qemu.conf.j2 b/ansible_collections/debops/debops/roles/libvirtd_qemu/templates/etc/libvirt/qemu.conf.j2
new file mode 100644
index 00000000..d4f61f0f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/libvirtd_qemu/templates/etc/libvirt/qemu.conf.j2
@@ -0,0 +1,125 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+{% set libvirtd_qemu__tpl_configuration = {} %}
+{% set libvirtd_qemu__tpl_configuration_list = [] %}
+{% set libvirtd_qemu__tpl_known_sections = [] %}
+{% set libvirtd_qemu__tpl_seen_sections = [] %}
+{#
+#  --- Transform the list of configuration parameters to a merged YAML dictionary structure ---
+#}
+{% for element in libvirtd_qemu__combined_configuration %}
+{%   if element is mapping %}
+{%     if element.name | d() and element.state | d('present') != 'ignore' %}
+{%       set parameters = (libvirtd_qemu__tpl_configuration[element.name].copy() if libvirtd_qemu__tpl_configuration[element.name] is defined else {}) %}
+{%       set _ = parameters.update({ 'name': element.name, 'state': element.state | d(parameters.state | d('present')), 'section': element.section | d(parameters.section | d('unknown')), 'weight': element.weight | d(parameters.weight | d(0)) | int }) %}
+{%       if element.value is defined %}
+{%         set _ = parameters.update({ 'value': element.value }) %}
+{%       else %}
+{%         set _ = parameters.update({ 'value': parameters.value | d("") }) %}
+{%         set _ = parameters.update({ 'state': parameters.state | d('comment') }) %}
+{%       endif %}
+{%       if element.comment is defined %}
+{%         set _ = parameters.update({ 'comment': element.comment }) %}
+{%       endif %}
+{%     elif not element.name | d() %}
+{%       for key, value in element.items() %}
+{%         set loop_parameters = (libvirtd_qemu__tpl_configuration[key].copy() if libvirtd_qemu__tpl_configuration[key] is defined else {}) %}
+{%         set _ = loop_parameters.update({ 'name': key, 'value': value, 'state': 'present', 'section': loop_parameters.section | d('unknown'), 'weight': loop_parameters.weight | d(0) | int }) %}
+{%         set _ = libvirtd_qemu__tpl_configuration.update({ loop_parameters.name: loop_parameters }) %}
+{%       endfor %}
+{%     endif %}
+{%     if parameters | d() and parameters.name | d() %}
+{%       set _ = libvirtd_qemu__tpl_configuration.update({ parameters.name: parameters }) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{#
+#  --- Transform the YAML dictionary structure into a list ---
+#}
+{% for key, value in libvirtd_qemu__tpl_configuration.items() %}
+{%   set _ = libvirtd_qemu__tpl_configuration_list.append(value) %}
+{%   if value.state | d('present') != 'absent' %}
+{%     set _ = libvirtd_qemu__tpl_known_sections.append(value.section) %}
+{%   endif %}
+{% endfor %}
+{#
+#  --- Macro that prints a single parameter ---
+#}
+{% macro print_parameter(param, next_option) %}
+{%   if param.state | d('present') != 'absent' %}
+{%     if param.comment | d() and libvirtd_qemu__configuration_comments | bool %}
+{%       if next_option %}
+
+{%       endif %}
+{{ param.comment | regex_replace('\n$','') | comment(prefix='\n',postfix='') -}}
+{%     endif %}
+{%     if param.value is defined %}
+{%       if param.value | bool and param.value is not iterable %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, 1) -}}
+{%       elif not param.value | bool and param.value is not iterable %}
+{%         if param.value is not none %}
+{%           if param.value | int or param.value | string == '0' %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%           else %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, 0) -}}
+{%           endif %}
+{%         endif %}
+{%       elif param.value is string %}
+{{ '{}{} = "{}"'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%       elif param.value is number %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, param.value) -}}
+{%       elif param.value is not string and param.value is not mapping %}
+{%         if param.value | count <= 4 %}
+{{ '{}{} = {}'.format(('#' if param.state | d('present') == 'comment' else ''), param.name, '[ "' + param.value | join('", "') + '" ]') -}}
+{%         else %}
+{{ '{}{} = ['.format(('#' if param.state | d('present') == 'comment' else ''), param.name) }}
+{%           for thing in param.value %}
+{{ '{:<4}"{}"{}'.format(('#' if param.state | d('present') == 'comment' else ''), thing, (',' if not loop.last | bool else '')) }}
+{%           endfor %}
+{{ '{}]'.format(('#' if param.state | d('present') == 'comment' else '')) -}}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{#
+#  --- Macro that prints a single section with parameters of that section ordered by weight ---
+#}
+{% macro print_section(element, section_name='') %}
+{%   if element.state | d('present') != 'hidden' %}
+#################################################################
+{{ element.title | comment }}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='',postfix='') -}}
+{%     endif %}
+{%   else %}
+
+{%   endif %}
+{%   set option_counter = [] %}
+{%   for option in libvirtd_qemu__tpl_configuration_list | sort(attribute='weight') %}
+{%     if option.section | d() == section_name and option.state | d('present') != 'absent' %}
+{{ print_parameter(option, option_counter) }}
+{%       set _ = option_counter.append(True) %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{#
+#  --- Go through configuration sections and print them and their parameters ---
+#}
+{% for section in libvirtd_qemu__configuration_sections %}
+{%   if not loop.first | bool and section.state | d('present') not in ['hidden', 'absent' ] and section.name in libvirtd_qemu__tpl_known_sections %}
+
+
+{% endif %}
+{%   if section.state | d('present') != 'absent' and section.name in libvirtd_qemu__tpl_known_sections %}
+{{ print_section(section, section_name=section.name) -}}
+{%     set _ = libvirtd_qemu__tpl_seen_sections.append(section.name) %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/lldpd/COPYRIGHT b/ansible_collections/debops/debops/roles/lldpd/COPYRIGHT
new file mode 100644
index 00000000..ae36163e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.lldpd - Install and configure LLDP service using Ansible
+
+Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/lldpd/defaults/main.yml b/ansible_collections/debops/debops/roles/lldpd/defaults/main.yml
new file mode 100644
index 00000000..85fd0148
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/defaults/main.yml
@@ -0,0 +1,207 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _lldpd__ref_defaults:
+
+# debops.lldpd default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation and packages [[[
+# -----------------------------
+
+# .. envvar:: lldpd__enabled [[[
+#
+# Enable or disable installation and management of LLDP service.
+lldpd__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: lldpd__base_packages [[[
+#
+# List of the APT packages required for LLDP service.
+lldpd__base_packages: [ 'lldpd' ]
+
+                                                                   # ]]]
+# .. envvar:: lldpd__packages [[[
+#
+# List of additional APT packages installed with LLDP service.
+lldpd__packages: []
+
+                                                                   # ]]]
+# .. envvar:: lldpd__version [[[
+#
+# Variable which holds the :command:`lldpd` version information gathered via
+# local facts. It can be used in conditional configuration.
+lldpd__version: '{{ ansible_local.lldpd.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LLDP daemon configuration [[[
+# -----------------------------
+
+# .. envvar:: lldpd__default_daemon_arguments [[[
+#
+# List of default daemon arguments to pass to the process during startup, they
+# will be separated by spaces. See the :man:`lldpd(8)` manual page for details.
+# Common arguments include ``-c`` (CDP), ``-s`` (SONMP) and ``-e`` (EDP)
+# protocol support. If the list is empty, the defaults will not be modified.
+lldpd__default_daemon_arguments:
+
+  # Enable support for SNMP subagent when the 'debops.snmpd' role is detected
+  # on the host
+  - '{{ "-x" if (ansible_local.snmpd.installed | d()) | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: lldpd__daemon_arguments [[[
+#
+# List of daemon arguments to pass to the process during startup, they will be
+# separated by spaces. See the :man:`lldpd(8)` manual page for details.  Common
+# arguments include ``-c`` (CDP), ``-s`` (SONMP) and ``-e`` (EDP) protocol
+# support. If the list is empty, the defaults will not be modified.
+lldpd__daemon_arguments: []
+                                                                   # ]]]
+                                                                   # ]]]
+# LLDP service configuration [[[
+# ------------------------------
+
+# The lists below define the contents of the :file:`/etc/lldpd.d/` directory
+# and configuration files inside. See :ref:`lldpd__ref_configuration` for more
+# details.
+
+# .. envvar:: lldpd__default_configuration [[[
+#
+# List of the default configuration files defined by the role.
+lldpd__default_configuration:
+
+  # Overload the 'ChassisID' attribute to show that a given host is a virtual
+  # and not a physical one. It should have been the 'Platform' attribute, but
+  # the "lldpd" daemon does not support advertising it using LLDP, only CDP.
+  - name: 'chassisid'
+    comment: |
+      Override the default ChassisID value in virtual machines and containers
+      to disthinguish them from physical hosts. The value needs to be unique
+      across all neighbors, otherwise LLDP information is mangled.
+    options:
+
+      - name: 'chassis-container'
+        option: 'configure system chassisid'
+        value: 'Container ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "container")
+                   else "absent" }}'
+
+      - name: 'chassis-docker'
+        option: 'configure system chassisid'
+        value: 'Docker container ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "docker")
+                   else "absent" }}'
+
+      - name: 'chassis-kvm'
+        option: 'configure system chassisid'
+        value: 'KVM virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "kvm")
+                   else "absent" }}'
+
+      - name: 'chassis-lxc'
+        option: 'configure system chassisid'
+        value: 'LXC container ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "lxc")
+                   else "absent" }}'
+
+      - name: 'chassis-openstack'
+        option: 'configure system chassisid'
+        value: 'Openstack virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "openstack")
+                   else "absent" }}'
+
+      - name: 'chassis-openvz'
+        option: 'configure system chassisid'
+        value: 'OpenVZ container ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "openvz")
+                   else "absent" }}'
+
+      - name: 'chassis-podman'
+        option: 'configure system chassisid'
+        value: 'Podman container ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "podman")
+                   else "absent" }}'
+
+      - name: 'chassis-virtualbox'
+        option: 'configure system chassisid'
+        value: 'VirtualBox virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "virtualbox")
+                   else "absent" }}'
+
+      - name: 'chassis-virtualpc'
+        option: 'configure system chassisid'
+        value: 'VirtualPC virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "VirtualPC")
+                   else "absent" }}'
+
+      - name: 'chassis-vmware'
+        option: 'configure system chassisid'
+        value: 'VMware virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "VMware")
+                   else "absent" }}'
+
+      - name: 'chassis-xen'
+        option: 'configure system chassisid'
+        value: 'Xen virtual machine ({{ ansible_hostname }})'
+        state: '{{ "present"
+                   if (ansible_virtualization_type == "xen")
+                   else "absent" }}'
+
+    state: '{{ "present"
+               if (ansible_virtualization_role == "guest" and
+                   lldpd__version is version("1.0.0", ">="))
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: lldpd__configuration [[[
+#
+# List of the :command:`lldpd` configuration files which should be present on
+# all hosts in the Ansible inventory.
+lldpd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lldpd__group_configuration [[[
+#
+# List of the :command:`lldpd` configuration files which should be present on
+# hosts in a specific Ansible inventory group.
+lldpd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lldpd__host_configuration [[[
+#
+# List of the :command:`lldpd` configuration files which should be present on
+# specific hosts in the Ansible inventory.
+lldpd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lldpd__combined_configuration [[[
+#
+# Variable which combines all of the :command:`lldpd` configuration lists and
+# is used in role tasks and templates.
+lldpd__combined_configuration: '{{ lldpd__default_configuration
+                                   + lldpd__configuration
+                                   + lldpd__group_configuration
+                                   + lldpd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/lldpd/meta/main.yml b/ansible_collections/debops/debops/roles/lldpd/meta/main.yml
new file mode 100644
index 00000000..eec5500b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/meta/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure LLDP service'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.9.0'
+  platforms:
+  - name: Debian
+    versions:
+    - buster
+    - bullseye
+  galaxy_tags:
+  - networking
+  - lldp
+  - cdp
diff --git a/ansible_collections/debops/debops/roles/lldpd/tasks/main.yml b/ansible_collections/debops/debops/roles/lldpd/tasks/main.yml
new file mode 100644
index 00000000..d8e6997c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (lldpd__base_packages
+                              + lldpd__packages)) }}'
+    state: 'present'
+  register: lldpd__register_packages
+  until: lldpd__register_packages is succeeded
+  when: lldpd__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: lldpd__enabled | bool
+
+- name: Save lldpd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/lldpd.fact.j2'
+    dest: '/etc/ansible/facts.d/lldpd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: lldpd__enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert daemon configuration file if requested
+  debops.debops.dpkg_divert:
+    path: '/etc/default/lldpd'
+    state: '{{ "present"
+               if ((lldpd__default_daemon_arguments
+                    + lldpd__daemon_arguments) | flatten) | d()
+               else "absent" }}'
+    delete: True
+  notify: [ 'Restart lldpd' ]
+  when: lldpd__enabled | bool
+
+- name: Generate daemon environment configuration
+  ansible.builtin.template:
+    src: 'etc/default/lldpd.j2'
+    dest: '/etc/default/lldpd'
+    mode: '0644'
+  notify: [ 'Restart lldpd' ]
+  when: lldpd__enabled | bool and
+        (lldpd__default_daemon_arguments
+         + lldpd__daemon_arguments) | flatten | d()
+
+- name: Remove lldpd configuration files if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/lldpd.d/" + item.name + ".conf" }}'
+    state: 'absent'
+  loop: '{{ lldpd__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart lldpd' ]
+  when: lldpd__enabled | bool and item.state | d('present') in ['absent']
+
+- name: Generate lldpd configuration files
+  ansible.builtin.template:
+    src: 'etc/lldpd.d/template.conf.j2'
+    dest: '{{ "/etc/lldpd.d/" + item.name + ".conf" }}'
+    mode: '0644'
+  loop: '{{ lldpd__combined_configuration | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart lldpd' ]
+  when: lldpd__enabled | bool and item.state | d('present') not in ['absent', 'init', 'ignore']
diff --git a/ansible_collections/debops/debops/roles/lldpd/templates/etc/ansible/facts.d/lldpd.fact.j2 b/ansible_collections/debops/debops/roles/lldpd/templates/etc/ansible/facts.d/lldpd.fact.j2
new file mode 100644
index 00000000..e66c3475
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/templates/etc/ansible/facts.d/lldpd.fact.j2
@@ -0,0 +1,33 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+import json
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('lldpd')}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["lldpd", "-v"]).decode('utf-8').strip()
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+print(json.dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/lldpd/templates/etc/default/lldpd.j2 b/ansible_collections/debops/debops/roles/lldpd/templates/etc/default/lldpd.j2
new file mode 100644
index 00000000..d648f7de
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/templates/etc/default/lldpd.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# Uncomment to start SNMP subagent and enable CDP, SONMP and EDP protocol
+DAEMON_ARGS="{{ (lldpd__default_daemon_arguments + lldpd__daemon_arguments) | flatten | join(' ') }}"
diff --git a/ansible_collections/debops/debops/roles/lldpd/templates/etc/lldpd.d/template.conf.j2 b/ansible_collections/debops/debops/roles/lldpd/templates/etc/lldpd.d/template.conf.j2
new file mode 100644
index 00000000..a435f9a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lldpd/templates/etc/lldpd.d/template.conf.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.raw | d() %}
+{%   if item.state | d('present') == 'comment' %}
+{{     item.raw | regex_replace('\n$', '') | regex_replace('^', '#', multiline=True) }}
+{%   else %}
+{{     item.raw | regex_replace('\n$', '') }}
+{%   endif %}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       set element_comment = ('#' if (item.state | d('present') == 'comment') else '') %}
+{%       set element_name = (element.option | d(element.name)) %}
+{%       if element.value | d() %}
+{{         '{}{} "{}"'.format(element_comment, element_name, element.value) }}
+{%       else %}
+{{         '{}{}'.format(element_comment, element_name) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/locales/COPYRIGHT b/ansible_collections/debops/debops/roles/locales/COPYRIGHT
new file mode 100644
index 00000000..e2e4cb7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/locales/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.locales - Configure localization and internationalization
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/locales/defaults/main.yml b/ansible_collections/debops/debops/roles/locales/defaults/main.yml
new file mode 100644
index 00000000..8015a676
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/locales/defaults/main.yml
@@ -0,0 +1,85 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _locales__ref_defaults:
+
+# debops.locales default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: locales__base_packages [[[
+#
+# List of base APT packages to install for localisation.
+locales__base_packages: [ 'locales' ]
+
+                                                                   # ]]]
+# .. envvar:: locales__packages [[[
+#
+# List of additional APT packages to install for localisation.
+locales__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Locale configuration [[[
+# ------------------------
+
+# In the list variables below you can specify the localization definitions that
+# should be installed on a given system. Alternatively, you can specify each
+# list entry as a YAML dictionary with the ``name`` parameter that specifies
+# the locale and the ``state`` parameter (either ``present`` or ``absent`` that
+# specifies the desired state of a given locale.
+
+# .. envvar:: locales__default_list [[[
+#
+# List of default localization definitions to configure on all hosts.
+locales__default_list: [ 'en_US.UTF-8' ]
+
+                                                                   # ]]]
+# .. envvar:: locales__list [[[
+#
+# List of localization definitions to configure on all hosts in the Ansible
+# inventory.
+locales__list: []
+
+                                                                   # ]]]
+# .. envvar:: locales__group_list [[[
+#
+# List of localization definitions to configure on hosts in specific Ansible
+# inventory group.
+locales__group_list: []
+
+                                                                   # ]]]
+# .. envvar:: locales__host_list [[[
+#
+# List of localization definitions to configure on specific hosts in the
+# Ansible inventory.
+locales__host_list: []
+
+                                                                   # ]]]
+# .. envvar:: locales__dependent_list [[[
+#
+# List of localization definitions to configure specified by other Ansible
+# roles via role dependent variables.
+locales__dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: locales__system_lang [[[
+#
+# Specify the default localization definition to use system-wide, defined as
+# the ``$LANG`` environment variable. If not set, the localization will be
+# dependent on the client configuration.
+locales__system_lang: ''
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/locales/meta/main.yml b/ansible_collections/debops/debops/roles/locales/meta/main.yml
new file mode 100644
index 00000000..76f5b93b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/locales/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure localization and internationalization'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - locales
+    - lang
diff --git a/ansible_collections/debops/debops/roles/locales/tasks/main.yml b/ansible_collections/debops/debops/roles/locales/tasks/main.yml
new file mode 100644
index 00000000..0ae8c38c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/locales/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install locale packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (locales__base_packages
+                              + locales__packages)) }}'
+    state: 'present'
+  register: locales__register_packages
+  until: locales__register_packages is succeeded
+
+- name: Ensure that specified locales exist
+  community.general.locale_gen:
+    name: '{{ item.name | d(item) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", locales__default_list
+                           + locales__list
+                           + locales__group_list
+                           + locales__host_list
+                           + locales__dependent_list) }}'
+
+- name: Set default system locale
+  ansible.builtin.debconf:
+    name: 'locales'
+    question: 'locales/default_environment_locale'
+    vtype: 'string'
+    value: '{{ locales__system_lang }}'
+  register: locales__register_system_lang
+  when: ansible_pkg_mgr == 'apt' and locales__system_lang | d()
+
+- name: Update /etc/default/locale
+  ansible.builtin.command: 'update-locale LANG={{ locales__system_lang }}'  # noqa no-handler
+  register: locales__register_update_locale
+  changed_when: locales__register_update_locale.changed | bool
+  when: ansible_pkg_mgr == 'apt' and locales__register_system_lang is changed
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save locale local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/locales.fact.j2'
+    dest: '/etc/ansible/facts.d/locales.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/locales/templates/etc/ansible/facts.d/locales.fact.j2 b/ansible_collections/debops/debops/roles/locales/templates/etc/ansible/facts.d/locales.fact.j2
new file mode 100644
index 00000000..256fc977
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/locales/templates/etc/ansible/facts.d/locales.fact.j2
@@ -0,0 +1,37 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+import os
+
+config_files = ['/etc/locale.conf', '/etc/default/locale']
+system_locale = 'C.UTF-8'
+output = {'configured': True}
+
+for conffile in config_files:
+    if os.path.exists(conffile) and os.path.isfile(conffile):
+        try:
+            with open(conffile, 'r') as f:
+                for line in f:
+                    if line.startswith('LANG='):
+                        line = line.strip().split('=')
+                        output['system_encoding'] = line[1].split('.')[1]
+                        output['system_language'] = (
+                                line[1].split('.')[0].split('_')[0])
+                        output['system_locale'] = line[1]
+                        output['system_region'] = (
+                                line[1].split('.')[0].split('_')[1])
+
+        except Exception:
+            pass
+        break
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/logrotate/COPYRIGHT b/ansible_collections/debops/debops/roles/logrotate/COPYRIGHT
new file mode 100644
index 00000000..a347872d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.logrotate - Manage log rotation configuration
+
+Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/logrotate/defaults/main.yml b/ansible_collections/debops/debops/roles/logrotate/defaults/main.yml
new file mode 100644
index 00000000..1e372d85
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/defaults/main.yml
@@ -0,0 +1,168 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _logrotate__ref_defaults:
+
+# debops.logrotate default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global configuration [[[
+# ------------------------
+
+# .. envvar:: logrotate__enabled [[[
+#
+# Enable or disable management of ``logrotate`` configuration files.
+logrotate__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: logrotate__base_packages [[[
+#
+# List of base APT packages to install.
+logrotate__base_packages: [ 'logrotate' ]
+
+                                                                   # ]]]
+# .. envvar:: logrotate__packages [[[
+#
+# List of additional APT packages to install with ``logrotate``.
+logrotate__packages: []
+
+                                                                   # ]]]
+# .. envvar:: logrotate__cron_period [[[
+#
+# Specify how often :program:`cron` should execute log rotation. By default the
+# ``logrotate`` command will be executed daily. Available periods are:
+# ``hourly``, ``daily``, ``weekly``, ``monthly``.
+logrotate__cron_period: 'daily'
+
+                                                                   # ]]]
+# .. envvar:: logrotate__default_period [[[
+#
+# Select the default log rotation period. Supported values are: ``daily``,
+# ``weekly``, ``monthly``, ``yearly``. The ``logrotate`` command is currently
+# run daily via a :program:`cron` script.
+logrotate__default_period: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: logrotate__default_rotation [[[
+#
+# Specify the number of old log files to keep before removing them.
+logrotate__default_rotation: '4'
+
+                                                                   # ]]]
+# .. envvar:: logrotate__options [[[
+#
+# A YAML text block with ``logrotate`` options configured in the main
+# configuration file for all hosts in the inventory.
+logrotate__options: ''
+
+                                                                   # ]]]
+# .. envvar:: logrotate__group_options [[[
+#
+# A YAML text block with ``logrotate`` options configured in the main
+# configuration file for hosts in specific groups.
+logrotate__group_options: ''
+
+                                                                   # ]]]
+# .. envvar:: logrotate__host_options [[[
+#
+# A YAML text block with ``logrotate`` options configured in the main
+# configuration file for specific hosts in the inventory.
+logrotate__host_options: ''
+
+                                                                   # ]]]
+# .. envvar:: logrotate__default_options [[[
+#
+# A YAML text block with ``logrotate`` configuration options applied to all
+# logs by default. These options will be applied last, the last line should
+# include other configuration files located in :file:`/etc/logrotate.d/` directory.
+logrotate__default_options: |
+  create
+  {{ logrotate__default_period }}
+  rotate {{ logrotate__default_rotation }}
+  tabooext + .dpkg-divert
+  include /etc/logrotate.d
+# ]]]
+# ]]]
+# Log rotation configuration [[[
+# ------------------------------
+
+# .. envvar:: logrotate__default_config [[[
+#
+# Configuration of log rotation for logs that don't have their own packaged
+# configuration in :file:`/etc/logrotate.d/`. This configuration will be included
+# in the main ``logrotate`` configuration file. See :ref:`logrotate__config`
+# for more details about the syntax.
+logrotate__default_config:
+
+  - log: '/var/log/wtmp'
+    comment: 'No packages own wtmp or btmp, they will be managed directly'
+    options: |
+      missingok
+      monthly
+      create 0664 root utmp
+      rotate 1
+    state: '{{ "present"
+               if (ansible_distribution_release in
+                   (["stretch", "trusty", "xenial", "bionic"]))
+               else "absent" }}'
+
+  - log: '/var/log/btmp'
+    options: |
+      missingok
+      monthly
+      create 0660 root utmp
+      rotate 1
+    state: '{{ "present"
+               if (ansible_distribution_release in
+                   (["stretch", "trusty", "xenial", "bionic"]))
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: logrotate__config [[[
+#
+# Log rotation configuration for all hosts in Ansible inventory. See
+# :ref:`logrotate__config` for more details.
+logrotate__config: []
+
+                                                                   # ]]]
+# .. envvar:: logrotate__group_config [[[
+#
+# Log rotation configuration for hosts in a specific Ansible group. See
+# :ref:`logrotate__config` for more details.
+logrotate__group_config: []
+
+                                                                   # ]]]
+# .. envvar:: logrotate__host_config [[[
+#
+# Log rotation configuration for specific hosts in Ansible inventory. See
+# :ref:`logrotate__config` for more details.
+logrotate__host_config: []
+
+                                                                   # ]]]
+# .. envvar:: logrotate__dependent_config [[[
+#
+# Log rotation configuration defined by other Ansible roles through dependent
+# variables. See :ref:`logrotate__config` for more details.
+logrotate__dependent_config: []
+                                                                   # ]]]
+# .. envvar:: logrotate__combined_config [[[
+#
+# Variable which combines all the log rotation configuration variables for use
+# in the tasks. See :ref:`logrotate__config` for more details.
+logrotate__combined_config: '{{ logrotate__config
+                                + logrotate__group_config
+                                + logrotate__host_config
+                                + logrotate__dependent_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/logrotate/meta/main.yml b/ansible_collections/debops/debops/roles/logrotate/meta/main.yml
new file mode 100644
index 00000000..b233a3f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage log rotation configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - logs
diff --git a/ansible_collections/debops/debops/roles/logrotate/tasks/main.yml b/ansible_collections/debops/debops/roles/logrotate/tasks/main.yml
new file mode 100644
index 00000000..fc32a7a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (logrotate__base_packages + logrotate__packages) | flatten }}'
+    state: 'present'
+  register: logrotate__register_packages
+  until: logrotate__register_packages is succeeded
+  when: logrotate__enabled | bool
+
+- name: Determine current cron log rotation
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    dpkg-divert --list /etc/cron.daily/logrotate | awk '{ print $NF }'
+  args:
+    executable: 'bash'
+  register: logrotate__register_cron_diversion
+  changed_when: False
+  when: logrotate__enabled | bool
+
+- name: Remove previous cron log rotation
+  debops.debops.dpkg_divert:
+    path: '/etc/cron.daily/logrotate'
+    divert: '{{ logrotate__register_cron_diversion.stdout }}'
+    state: 'absent'
+    delete: True
+  when: (logrotate__enabled | bool and
+         logrotate__register_cron_diversion.stdout | d() and
+         logrotate__register_cron_diversion.stdout | d() !=
+         ('/etc/cron.' + logrotate__cron_period + '/logrotate'))
+
+- name: Configure cron log rotation {{ logrotate__cron_period }}
+  debops.debops.dpkg_divert:
+    path: '/etc/cron.daily/logrotate'
+    divert: '/etc/cron.{{ logrotate__cron_period }}/logrotate'
+  when: (logrotate__enabled | bool and
+         logrotate__cron_period in ['hourly', 'weekly', 'monthly'])
+
+- name: Add/remove diversion of the logrotate config file
+  debops.debops.dpkg_divert:
+    path: '/etc/logrotate.conf'
+    state: '{{ "present" if logrotate__enabled | bool else "absent" }}'
+    delete: True
+
+- name: Generate logrotate main configuration file
+  ansible.builtin.template:
+    src: 'etc/logrotate.conf.j2'
+    dest: '/etc/logrotate.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: logrotate__enabled | bool
+
+- name: Add/remove diversion of the custom log rotation configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/logrotate.d/{{ item.filename }}'
+    state: '{{ "present"
+               if
+               (logrotate__enabled | bool and item.state | d("present") != "absent")
+               else "absent" }}'
+    delete: True
+  loop: '{{ logrotate__combined_config | flatten }}'
+  when: item.filename | d() and item.divert | d(False) | bool
+
+- name: Generate custom log rotation configuration
+  ansible.builtin.template:
+    src: 'etc/logrotate.d/config.j2'
+    dest: '/etc/logrotate.d/{{ item.filename }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ logrotate__combined_config | flatten }}'
+  when: (logrotate__enabled | bool and item.filename | d() and
+         item.state | d('present') != 'absent')
+
+- name: Remove custom log rotation configuration
+  ansible.builtin.file:
+    path: '/etc/logrotate.d/{{ item.filename }}'
+    state: 'absent'
+  loop: '{{ logrotate__combined_config | flatten }}'
+  when: (item.filename | d() and not item.divert | d(False) | bool and
+         (not logrotate__enabled | bool or item.state | d('present') == 'absent'))
diff --git a/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.conf.j2 b/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.conf.j2
new file mode 100644
index 00000000..3661e130
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.conf.j2
@@ -0,0 +1,101 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if logrotate__options %}
+{{ logrotate__options | regex_replace('\n$','') }}
+{% endif %}
+{% if logrotate__group_options %}
+{{ logrotate__group_options | regex_replace('\n$','') }}
+{% endif %}
+{% if logrotate__host_options %}
+{{ logrotate__host_options | regex_replace('\n$','') }}
+{% endif %}
+{% if logrotate__default_options %}
+{{ logrotate__default_options | regex_replace('\n$','') }}
+{% endif %}
+
+{% macro print_config(section) %}
+{%   if section.state is undefined or section.state != 'absent' %}
+{%     if section.comment | d() %}
+{{ section.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     if section.log | d() %}
+{%       if section.log is string %}
+{{ section.log }} {
+{%       else %}
+{%         if section.log | length <= 2 %}
+{{ section.log | join(" ") }} {
+{%         else %}
+{%           for element in section.log %}
+{{ element }}
+{%           endfor %}
+{
+{%         endif %}
+{%       endif %}
+{%     elif section.logs | d() %}
+{%       if section.logs is string %}
+{{ section.logs }} {
+{%       else %}
+{%         if section.logs | length <= 2 %}
+{{ section.logs | join(" ") }} {
+{%         else %}
+{%           for element in section.logs %}
+{{ element }}
+{%           endfor %}
+{
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%     if section.options | d() %}
+{{ section.options | regex_replace('\n$','') | indent(4, true) }}
+{%     endif %}
+{%     if section.firstaction | d() %}
+    firstaction
+{{ section.firstaction | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%     endif %}
+{%     if section.prerotate | d() %}
+    prerotate
+{{ section.prerotate | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%     endif %}
+{%     if section.postrotate | d() %}
+    postrotate
+{{ section.postrotate | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%     endif %}
+{%     if section.preremove | d() %}
+    preremove
+{{ section.preremove | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%     endif %}
+{%     if section.lastaction | d() %}
+    lastaction
+{{ section.lastaction | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%     endif %}
+}
+{%   endif %}
+{% endmacro %}
+{% for item in logrotate__default_config %}
+{%   if item.sections | d() %}
+{%     for section in item.sections %}
+{%       if (section.log | d() or section.logs | d() or section.filename | d()) and section.state | d('present') != 'absent' %}
+{{ print_config(section) | regex_replace('\n$','') }}
+{%         if not loop.last %}
+
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   else %}
+{%     if (item.log | d() or item.logs | d() or item.filename | d()) and item.state | d('present') != 'absent' %}
+{{ print_config(item) | regex_replace('\n$','') }}
+{%       if not loop.last %}
+
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.d/config.j2 b/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.d/config.j2
new file mode 100644
index 00000000..56c9f774
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/logrotate/templates/etc/logrotate.d/config.j2
@@ -0,0 +1,90 @@
+{# Copyright (C) 2016-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_config(section) %}
+{%   if section.state is undefined or section.state != 'absent' %}
+{%     if section.comment | d() %}
+{{ section.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     if section.log | d() %}
+{%       if section.log is string %}
+{{ section.log }} {
+{%       else %}
+{%         if section.log | length <= 2 %}
+{{ section.log | join(" ") }} {
+{%         else %}
+{%           for element in section.log %}
+{{ element }}
+{%           endfor %}
+{
+{%         endif %}
+{%       endif %}
+{%     elif section.logs | d() %}
+{%       if section.logs is string %}
+{{ section.logs }} {
+{%       else %}
+{%         if section.logs | length <= 2 %}
+{{ section.logs | join(" ") }} {
+{%         else %}
+{%           for element in section.logs %}
+{{ element }}
+{%           endfor %}
+{
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%     if section.options | d() %}
+{%       if section.log | d() or section.logs | d() %}
+{{ section.options | regex_replace('\n$','') | indent(4, true) }}
+{%       else %}
+{{ section.options | regex_replace('\n$','') }}
+{%       endif %}
+{%     endif %}
+{%     if section.log | d() or section.logs | d() %}
+{%       if section.firstaction | d() %}
+    firstaction
+{{ section.firstaction | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%       endif %}
+{%       if section.prerotate | d() %}
+    prerotate
+{{ section.prerotate | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%       endif %}
+{%       if section.postrotate | d() %}
+
+    postrotate
+{{ section.postrotate | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%       endif %}
+{%       if section.preremove | d() %}
+    preremove
+{{ section.preremove | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%       endif %}
+{%       if section.lastaction | d() %}
+    lastaction
+{{ section.lastaction | regex_replace('\n$','') | indent(8, true) }}
+    endscript
+{%       endif %}
+}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% if item.sections | d() %}
+{%   for section in item.sections %}
+{%     if (section.log | d() or section.logs | d() or section.filename | d()) and section.state | d('present') != 'absent' %}
+{{ print_config(section) | regex_replace('\n$','') }}
+{%       if not loop.last %}
+
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{%   if (item.log | d() or item.logs | d() or item.filename | d()) and item.state | d('present') != 'absent' %}
+{{ print_config(item) | regex_replace('\n$','') }}
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/lvm/COPYRIGHT b/ansible_collections/debops/debops/roles/lvm/COPYRIGHT
new file mode 100644
index 00000000..a2e3ac8e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.lvm - Manage LVM configuration using Ansible
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/lvm/defaults/main.yml b/ansible_collections/debops/debops/roles/lvm/defaults/main.yml
new file mode 100644
index 00000000..035c98ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/defaults/main.yml
@@ -0,0 +1,105 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _lvm__ref_defaults:
+
+# debops.lvm default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# LVM configuration [[[
+# ---------------------
+
+# .. envvar:: lvm__packages [[[
+#
+# List of LVM-related packages to install.
+lvm__packages: [ 'lvm2' ]
+
+                                                                   # ]]]
+# .. envvar:: lvm__global_use_lvmetad [[[
+#
+# Enable ``lvmetad`` daemon by default.
+lvm__global_use_lvmetad: True
+
+                                                                   # ]]]
+# .. envvar:: lvm__devices_filter [[[
+#
+# List of filters that determine what devices are used by ``lvm`` scripts.
+lvm__devices_filter: [ 'a|sd.*|', 'a|vd.*|', 'a|drbd.*|', 'a|md.*|', 'r|.*|' ]
+
+                                                                   # ]]]
+# .. envvar:: lvm__devices_global_filter [[[
+#
+# List of filters that determine what devices are scanned by ``lvm`` scripts.
+lvm__devices_global_filter: '{{ lvm__devices_filter }}'
+
+                                                                   # ]]]
+# .. envvar:: lvm__config_lookup [[[
+#
+# Ansible selects the base LVM configuration based on available version,
+# distribution and release. Using this variable you can override the automatic
+# choice if needed.
+lvm__config_lookup: ''
+
+                                                                   # ]]]
+# .. envvar:: lvm__config [[[
+#
+# Dictionary variable with LVM configuration which will be merged with base
+# ``lvm.conf`` configuration variables. Each key is a section name, and values
+# are dictionary variables themselves. See files in ``var/`` directory for
+# examples and possible values.
+lvm__config:
+
+  global:
+    use_lvmetad: '{{ lvm__global_use_lvmetad }}'
+
+  devices:
+    filter: '{{ lvm__devices_filter }}'
+    global_filter: '{{ lvm__devices_global_filter }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Volume Groups and Logical Volumes [[[
+# ------------------------------------
+
+# .. envvar:: lvm__default_fs_type [[[
+#
+# Default filesystem used to format and mount volumes if none is specified.
+lvm__default_fs_type: 'ext4'
+
+                                                                   # ]]]
+# .. envvar:: lvm__default_mount_options [[[
+#
+# Default mount options used to mount volumes, comma-separated.
+lvm__default_mount_options: 'defaults'
+
+                                                                   # ]]]
+# .. envvar:: lvm__volume_groups [[[
+#
+# List of Volume Groups, each one defined as a YAML dict. See
+# :ref:`lvm__volume_groups` for more details.
+lvm__volume_groups: []
+
+                                                                   # ]]]
+# .. envvar:: lvm__thin_pools [[[
+#
+# List of LVM thin pools, each one defined as a yaml dict. see
+# :ref:`lvm__thin_pools` for more details.
+lvm__thin_pools: []
+
+                                                                   # ]]]
+# .. envvar:: lvm__logical_volumes [[[
+#
+# List of Logical Volumes, each one defined as a YAML dict. See
+# :ref:`lvm__logical_volumes` for more details.
+lvm__logical_volumes: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/lvm/meta/main.yml b/ansible_collections/debops/debops/roles/lvm/meta/main.yml
new file mode 100644
index 00000000..584ee293
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure Logical Volume Manager (LVM)'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - storage
+    - lvm
diff --git a/ansible_collections/debops/debops/roles/lvm/tasks/main.yml b/ansible_collections/debops/debops/roles/lvm/tasks/main.yml
new file mode 100644
index 00000000..94b2af97
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install LVM support
+  ansible.builtin.package:
+    name:  '{{ q("flattened", lvm__packages) }}'
+    state: 'present'
+  register: lvm__register_packages
+  until: lvm__register_packages is succeeded
+
+- name: Divert original lvm.conf
+  debops.debops.dpkg_divert:
+    path: '/etc/lvm/lvm.conf'
+
+- name: Check LVM version
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'lvm2' | grep -v '^$' | cut -d- -f1
+  args:
+    executable: 'bash'
+  register: lvm__register_version
+  changed_when: False
+  check_mode: False
+
+- name: Lookup base LVM configuration
+  ansible.builtin.include_vars: '{{ item }}'
+  with_first_found:
+    - '{{ "lvm_config_" + lvm__config_lookup + ".yml" }}'
+    - '{{ "lvm_config_" + lvm__register_version.stdout + ".yml" }}'
+    - '{{ "lvm_config_" + ansible_distribution | lower + "_" + ansible_distribution_release + ".yml" }}'
+    - '{{ "lvm_config_" + ansible_distribution | lower + ".yml" }}'
+    - 'lvm_config_default.yml'
+
+- name: Configure LVM
+  ansible.builtin.template:
+    src: 'etc/lvm/lvm.conf.j2'
+    dest: '/etc/lvm/lvm.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Enable/disable lvm2-lvmetad socket
+  ansible.builtin.systemd:
+    name: 'lvm2-lvmetad.socket'
+    state: '{{ "started" if lvm__global_use_lvmetad else "stopped" }}'
+    enabled: '{{ lvm__global_use_lvmetad }}'
+  when: (ansible_distribution_release in ['stretch', 'trusty', 'xenial',
+                                          'bionic'])
+
+- name: Manage LVM
+  ansible.builtin.include_tasks: manage_lvm.yml
+  when: (((ansible_system_capabilities_enforced | d()) | bool and
+          "cap_sys_admin" in ansible_system_capabilities) or
+         not (ansible_system_capabilities_enforced | d(True)) | bool)
diff --git a/ansible_collections/debops/debops/roles/lvm/tasks/manage_lvm.yml b/ansible_collections/debops/debops/roles/lvm/tasks/manage_lvm.yml
new file mode 100644
index 00000000..99be602e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/tasks/manage_lvm.yml
@@ -0,0 +1,104 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Rescan LVM Volume Groups
+  ansible.builtin.command: 'vgscan'  # noqa no-handler
+  register: lvm__register_vgscan
+  changed_when: lvm__register_vgscan.changed | bool
+  when: ((lvm__register_devices_filter | d() and lvm__register_devices_filter is changed) or
+         (lvm__register_devices_global_filter | d() and lvm__register_devices_global_filter is changed))
+
+- name: Unmount filesystems if requested
+  ansible.posix.mount:
+    name:   '{{ item.mount }}'
+    src:    '{{ "/dev/mapper/" + item.vg | regex_replace("-", "--") + "-" + item.lv | regex_replace("-", "--") }}'
+    fstype: '{{ item.fs_type | d(lvm__default_fs_type) }}'
+    state:  'absent'
+  with_items: '{{ lvm__logical_volumes }}'
+  when: lvm__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.mount | d(False) and
+        item.state | d('present') == 'absent'
+
+- name: Remove Logical Volumes if requested
+  community.general.lvol:
+    vg:    '{{ item.vg }}'
+    lv:    '{{ item.lv }}'
+    size:  '{{ item.size }}'
+    force: '{{ item.force | d(omit) }}'
+    state: 'absent'
+  with_items: '{{ lvm__logical_volumes }}'
+  when: lvm__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.state | d('present') == 'absent'
+
+- name: Manage LVM Volume Groups
+  community.general.lvg:
+    vg:         '{{ item.vg }}'
+    pvs:        '{{ item.pvs if item.pvs is string else (item.pvs | join(",")) }}'
+    state:      '{{ item.state | d("present") }}'
+    pesize:     '{{ item.pesize | d(omit) }}'
+    force:      '{{ item.force | d(omit) }}'
+    vg_options: '{{ item.options | d(omit) }}'
+  with_items: '{{ lvm__volume_groups }}'
+  when: item.vg | d(False) and item.pvs | d(False)
+
+- name: Manage LVM Thin Pools
+  community.general.lvol:
+    vg:       '{{ item.vg }}'
+    thinpool: '{{ item.thinpool }}'
+    size:     '{{ item.size }}'
+    opts:     '{{ item.opts | d(omit) }}'
+  with_items: '{{ lvm__thin_pools }}'
+  when: lvm__thin_pools | d(False) and
+        item.vg | d() and item.thinpool | d() and item.size | d() and
+        item.state | d('present') != 'absent'
+
+- name: Manage LVM Logical Volumes
+  community.general.lvol:
+    lv:         '{{ item.lv }}'
+    vg:         '{{ item.vg }}'
+    size:       '{{ item.size }}'
+    opts:       '{{ item.opts | d(omit) }}'
+    thinpool:   '{{ item.thinpool | d(omit) }}'
+    force:      '{{ item.force | d(omit) }}'
+    shrink:     '{{ item.force | d(False) }}'
+    state:      'present'
+  with_items: '{{ lvm__logical_volumes }}'
+  when: lvm__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.state | d('present') != 'absent'
+  register: lvm__register_logical_volumes
+
+- name: Manage filesystems
+  community.general.filesystem:
+    dev:    '{{ "/dev/mapper/" + item.vg | regex_replace("-", "--") + "-" + item.lv | regex_replace("-", "--") }}'
+    fstype: '{{ item.fs_type | d(lvm__default_fs_type) }}'
+    force:  '{{ item.fs_force | d(omit) }}'
+    opts:   '{{ item.fs_opts | d(omit) }}'
+    resizefs: '{{ item.fs_resizefs | d(omit) }}'
+  with_items: '{{ lvm__logical_volumes }}'
+  when: lvm__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.state | d('present') != 'absent' and
+        ((item.mount | d() and item.fs | d(True)) or item.fs | d()) and
+        (not ansible_check_mode or
+         (ansible_check_mode and lvm__register_logical_volumes is not changed))
+
+- name: Manage mount points
+  ansible.posix.mount:
+    name:   '{{ item.mount }}'
+    src:    '{{ "/dev/mapper/" + item.vg | regex_replace("-", "--") + "-" + item.lv | regex_replace("-", "--") }}'
+    fstype: '{{ item.fs_type | d(lvm__default_fs_type) }}'
+    opts:   '{{ item.mount_opts | d(lvm__default_mount_options) }}'
+    state:  '{{ item.mount_state | d("mounted") }}'
+    dump:   '{{ item.mount_dump | d(omit) }}'
+    passno: '{{ item.mount_passno | d(omit) }}'
+    fstab:  '{{ item.mount_fstab | d(omit) }}'
+  with_items: '{{ lvm__logical_volumes }}'
+  when: lvm__logical_volumes | d(False) and
+        item.vg | d() and item.lv | d() and item.size | d() and
+        item.fs | d(True) and item.mount | d() and
+        item.state | d('present') != 'absent'
diff --git a/ansible_collections/debops/debops/roles/lvm/templates/etc/lvm/lvm.conf.j2 b/ansible_collections/debops/debops/roles/lvm/templates/etc/lvm/lvm.conf.j2
new file mode 100644
index 00000000..8aee5dfd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/templates/etc/lvm/lvm.conf.j2
@@ -0,0 +1,80 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if lvm__config_base_version | d() %}
+# lvm.conf based on lvm2 package version: {{ lvm__config_base_version }}
+
+{% endif %}
+{% set lvm__tpl_base = lvm__config_base %}
+{% set lvm__tpl_config = lvm__config %}
+{% macro print_content (key, value) %}
+{% if value is not iterable %}
+{% if value in [ 0, 1 ] %}
+{% if value | bool %}
+{{ key }} = 1
+{% elif not value | bool %}
+{{ key }} = 0
+{% endif %}
+{% elif value is number %}
+{{ key }} = {{ value }}
+{% endif %}
+{% elif value is iterable %}
+{% if value is string %}
+{% if value[0:1] == "0" %}
+{{ key }} = {{ value }}
+{% else %}
+{{ key }} = "{{ value }}"
+{% endif %}
+{% else %}
+{% if value | length > 0 %}
+{{ key }} = [ "{{ value | join('", "') }}" ]
+{% else %}
+{{ key }} = [ ]
+{% endif %}
+{% endif %}
+{% endif %}
+{% endmacro %}
+{% macro print_section (name, content, mask) %}
+{%   set seen_keys = [] %}
+{{ name }} {
+{%   for key, value in content.items() %}
+{%     if value is mapping %}
+{{ print_section (key, value, {}) | indent (4,true) }}
+{%       set _ = seen_keys.append(key) %}
+{%     else %}
+{%       if key in mask.keys() %}
+{{ print_content (key, mask[key]) | indent (4,true) }}
+{%         set _ = seen_keys.append(key) %}
+{%       else %}
+{{ print_content (key, value) | indent (4,true) }}
+{%         set _ = seen_keys.append(key) %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{%   if mask %}
+{%     for key, value in mask.items() %}
+{%       if key not in seen_keys %}
+{{ print_content ( key, value) | indent (4,true) }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+}
+{% endmacro %}
+{% set seen_sections = [] %}
+{% for section in lvm__tpl_base.keys() | sort %}
+{% if section in lvm__tpl_config.keys() %}
+{{ print_section (section, lvm__tpl_base[section], lvm__tpl_config[section]) }}
+{% set _ = seen_sections.append(section) %}
+{% else %}
+{{ print_section (section, lvm__tpl_base[section], {}) }}
+{% set _ = seen_sections.append(section) %}
+{% endif %}
+{% endfor %}
+{% for section in lvm__tpl_config.keys() | sort %}
+{% if section not in seen_sections %}
+{{ print_section (section, lvm__tpl_config[section], {}) }}
+{% endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.111.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.111.yml
new file mode 100644
index 00000000..bf9fa381
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.111.yml
@@ -0,0 +1,1257 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Based on /etc/lvm/lvm.conf from Debian Jessie
+lvm__config_base_version: '2.02.111-2.2'
+
+lvm__config_base:
+
+  # This section allows you to set the way the configuration settings are handled.
+  config:
+
+    # If enabled, any LVM2 configuration mismatch is reported.
+    # This implies checking that the configuration key is understood
+    # by LVM2 and that the value of the key is of a proper type.
+    # If disabled, any configuration mismatch is ignored and default
+    # value is used instead without any warning (a message about the
+    # configuration key not being found is issued in verbose mode only).
+    checks: 1
+
+    # If enabled, any configuration mismatch aborts the LVM2 process.
+    abort_on_errors: 0
+
+    # Directory where LVM looks for configuration profiles.
+    profile_dir: "/etc/lvm/profile"
+
+
+  # This section allows you to configure which block devices should
+  # be used by the LVM system.
+  devices:
+
+    # Where do you want your volume groups to appear ?
+    dir: "/dev"
+
+    # An array of directories that contain the device nodes you wish
+    # to use with LVM2.
+    scan: [ "/dev" ]
+
+    # If set, the cache of block device nodes with all associated symlinks
+    # will be constructed out of the existing udev database content.
+    # This avoids using and opening any inapplicable non-block devices or
+    # subdirectories found in the device directory. This setting is applied
+    # to udev-managed device directory only, other directories will be scanned
+    # fully. LVM2 needs to be compiled with udev support for this setting to
+    # take effect. N.B. Any device node or symlink not managed by udev in
+    # udev directory will be ignored with this setting on.
+    obtain_device_list_from_udev: 1
+
+    # If several entries in the scanned directories correspond to the
+    # same block device and the tools need to display a name for device,
+    # all the pathnames are matched against each item in the following
+    # list of regular expressions in turn and the first match is used.
+
+    # By default no preferred names are defined.
+    # preferred_names: [ ]
+
+    # Try to avoid using undescriptive /dev/dm-N names, if present.
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+
+    # In case no prefererred name matches or if preferred_names are not
+    # defined at all, builtin rules are used to determine the preference.
+    #
+    # The first builtin rule checks path prefixes and it gives preference
+    # based on this ordering (where "dev" depends on devices/dev setting):
+    #   /dev/mapper > /dev/disk > /dev/dm-* > /dev/block
+    #
+    # If the ordering above cannot be applied, the path with fewer slashes
+    # gets preference then.
+    #
+    # If the number of slashes is the same, a symlink gets preference.
+    #
+    # Finally, if all the rules mentioned above are not applicable,
+    # lexicographical order is used over paths and the smallest one
+    # of all gets preference.
+
+
+    # A filter that tells LVM2 to only use a restricted set of devices.
+    # The filter consists of an array of regular expressions.  These
+    # expressions can be delimited by a character of your choice, and
+    # prefixed with either an 'a' (for accept) or 'r' (for reject).
+    # The first expression found to match a device name determines if
+    # the device will be accepted or rejected (ignored).  Devices that
+    # don't match any patterns are accepted.
+
+    # Be careful if there there are symbolic links or multiple filesystem
+    # entries for the same device as each name is checked separately against
+    # the list of patterns.  The effect is that if the first pattern in the
+    # list to match a name is an 'a' pattern for any of the names, the device
+    # is accepted; otherwise if the first pattern in the list to match a name
+    # is an 'r' pattern for any of the names it is rejected; otherwise it is
+    # accepted.
+
+    # Don't have more than one filter line active at once: only one gets used.
+
+    # Run vgscan after you change this parameter to ensure that
+    # the cache file gets regenerated (see below).
+    # If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
+
+    # If lvmetad is used, then see "A note about device filtering while
+    # lvmetad is used" comment that is attached to global/use_lvmetad setting.
+
+    # By default we accept every block device:
+    # filter: [ "a/.*/" ]
+
+    # Exclude the cdrom drive
+    # filter: [ "r|/dev/cdrom|" ]
+
+    # When testing I like to work with just loopback devices:
+    # filter: [ "a/loop/", "r/.*/" ]
+
+    # Or maybe all loops and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+
+    # Use anchors if you want to be really specific
+    # filter: [ "a|^/dev/hda8$|", "r/.*/" ]
+
+    # Since "filter" is often overridden from command line, it is not suitable
+    # for system-wide device filtering (udev rules, lvmetad). To hide devices
+    # from LVM-specific udev processing and/or from lvmetad, you need to set
+    # global_filter. The syntax is the same as for normal "filter"
+    # above. Devices that fail the global_filter are not even opened by LVM.
+
+    # global_filter: []
+
+    # The results of the filtering are cached on disk to avoid
+    # rescanning dud devices (which can take a very long time).
+    # By default this cache is stored in the /etc/lvm/cache directory
+    # in a file called '.cache'.
+    # It is safe to delete the contents: the tools regenerate it.
+    # (The old setting 'cache' is still respected if neither of
+    # these new ones is present.)
+    # N.B. If obtain_device_list_from_udev is set to 1 the list of
+    # devices is instead obtained from udev and any existing .cache
+    # file is removed.
+    cache_dir: "/run/lvm"
+    cache_file_prefix: ""
+
+    # You can turn off writing this cache file by setting this to 0.
+    write_cache_state: 1
+
+    # Advanced settings.
+
+    # List of pairs of additional acceptable block device types found
+    # in /proc/devices with maximum (non-zero) number of partitions.
+    # types: [ "fd", 16 ]
+
+    # If sysfs is mounted (2.6 kernels) restrict device scanning to
+    # the block devices it believes are valid.
+    # 1 enables; 0 disables.
+    sysfs_scan: 1
+
+    # By default, LVM2 will ignore devices used as component paths
+    # of device-mapper multipath devices.
+    # 1 enables; 0 disables.
+    multipath_component_detection: 1
+
+    # By default, LVM2 will ignore devices used as components of
+    # software RAID (md) devices by looking for md superblocks.
+    # 1 enables; 0 disables.
+    md_component_detection: 1
+
+    # By default, if a PV is placed directly upon an md device, LVM2
+    # will align its data blocks with the md device's stripe-width.
+    # 1 enables; 0 disables.
+    md_chunk_alignment: 1
+
+    # Default alignment of the start of a data area in MB.  If set to 0,
+    # a value of 64KB will be used.  Set to 1 for 1MiB, 2 for 2MiB, etc.
+    # default_data_alignment: 1
+
+    # By default, the start of a PV's data area will be a multiple of
+    # the 'minimum_io_size' or 'optimal_io_size' exposed in sysfs.
+    # - minimum_io_size - the smallest request the device can perform
+    #   w/o incurring a read-modify-write penalty (e.g. MD's chunk size)
+    # - optimal_io_size - the device's preferred unit of receiving I/O
+    #   (e.g. MD's stripe width)
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    # 1 enables; 0 disables.
+    data_alignment_detection: 1
+
+    # Alignment (in KB) of start of data area when creating a new PV.
+    # md_chunk_alignment and data_alignment_detection are disabled if set.
+    # Set to 0 for the default alignment (see: data_alignment_default)
+    # or page size, if larger.
+    data_alignment: 0
+
+    # By default, the start of the PV's aligned data area will be shifted by
+    # the 'alignment_offset' exposed in sysfs.  This offset is often 0 but
+    # may be non-zero; e.g.: certain 4KB sector drives that compensate for
+    # windows partitioning will have an alignment_offset of 3584 bytes
+    # (sector 7 is the lowest aligned logical block, the 4KB sectors start
+    # at LBA -1, and consequently sector 63 is aligned on a 4KB boundary).
+    # But note that pvcreate --dataalignmentoffset will skip this detection.
+    # 1 enables; 0 disables.
+    data_alignment_offset_detection: 1
+
+    # If, while scanning the system for PVs, LVM2 encounters a device-mapper
+    # device that has its I/O suspended, it waits for it to become accessible.
+    # Set this to 1 to skip such devices.  This should only be needed
+    # in recovery situations.
+    ignore_suspended_devices: 0
+
+    # ignore_lvm_mirrors:  Introduced in version 2.02.104
+    # This setting determines whether logical volumes of "mirror" segment
+    # type are scanned for LVM labels.  This affects the ability of
+    # mirrors to be used as physical volumes.  If 'ignore_lvm_mirrors'
+    # is set to '1', it becomes impossible to create volume groups on top
+    # of mirror logical volumes - i.e. to stack volume groups on mirrors.
+    #
+    # Allowing mirror logical volumes to be scanned (setting the value to '0')
+    # can potentially cause LVM processes and I/O to the mirror to become
+    # blocked.  This is due to the way that the "mirror" segment type handles
+    # failures.  In order for the hang to manifest itself, an LVM command must
+    # be run just after a failure and before the automatic LVM repair process
+    # takes place OR there must be failures in multiple mirrors in the same
+    # volume group at the same time with write failures occurring moments
+    # before a scan of the mirror's labels.
+    #
+    # Note that these scanning limitations do not apply to the LVM RAID
+    # types, like "raid1".  The RAID segment types handle failures in a
+    # different way and are not subject to possible process or I/O blocking.
+    #
+    # It is encouraged that users set 'ignore_lvm_mirrors' to 1 if they
+    # are using the "mirror" segment type.  Users that require volume group
+    # stacking on mirrored logical volumes should consider using the "raid1"
+    # segment type.  The "raid1" segment type is not available for
+    # active/active clustered volume groups.
+    #
+    # Set to 1 to disallow stacking and thereby avoid a possible deadlock.
+    ignore_lvm_mirrors: 1
+
+    # During each LVM operation errors received from each device are counted.
+    # If the counter of a particular device exceeds the limit set here, no
+    # further I/O is sent to that device for the remainder of the respective
+    # operation. Setting the parameter to 0 disables the counters altogether.
+    disable_after_error_count: 0
+
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid: 1
+
+    # Minimum size (in KB) of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KB is ignored.
+
+    # Ignore devices smaller than 2MB such as floppy drives.
+    pv_min_size: 2048
+
+    # The original built-in setting was 512 up to and including version 2.02.84.
+    # pv_min_size: 512
+
+    # Issue discards to a logical volumes's underlying physical volume(s) when
+    # the logical volume is no longer using the physical volumes' space (e.g.
+    # lvremove, lvreduce, etc).  Discards inform the storage that a region is
+    # no longer in use.  Storage that supports discards advertise the protocol
+    # specific way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set).  Not all storage will support or benefit
+    # from discards but SSDs and thinly provisioned LUNs generally do.  If set
+    # to 1, discards will only be issued if both the storage and kernel provide
+    # support.
+    # 1 enables; 0 disables.
+    issue_discards: 0
+
+
+  # This section allows you to configure the way in which LVM selects
+  # free space for its Logical Volumes.
+  allocation:
+
+    # When searching for free space to extend an LV, the "cling"
+    # allocation policy will choose space on the same PVs as the last
+    # segment of the existing LV.  If there is insufficient space and a
+    # list of tags is defined here, it will check whether any of them are
+    # attached to the PVs concerned and then seek to match those PV tags
+    # between existing extents and new extents.
+    # Use the special tag "@*" as a wildcard to match any PV tag.
+
+    # Example: LVs are mirrored between two sites within a single VG.
+    # PVs are tagged with either @site1 or @site2 to indicate where
+    # they are situated.
+
+    # cling_tag_list: [ "@site1", "@site2" ]
+    # cling_tag_list: [ "@*" ]
+
+    # Changes made in version 2.02.85 extended the reach of the 'cling'
+    # policies to detect more situations where data can be grouped
+    # onto the same disks.  Set this to 0 to revert to the previous
+    # algorithm.
+    maximise_cling: 1
+
+    # Whether to use blkid library instead of native LVM2 code to detect
+    # any existing signatures while creating new Physical Volumes and
+    # Logical Volumes. LVM2 needs to be compiled with blkid wiping support
+    # for this setting to take effect.
+    #
+    # LVM2 native detection code is currently able to recognize these signatures:
+    #   - MD device signature
+    #   - swap signature
+    #   - LUKS signature
+    # To see the list of signatures recognized by blkid, check the output
+    # of 'blkid -k' command. The blkid can recognize more signatures than
+    # LVM2 native detection code, but due to this higher number of signatures
+    # to be recognized, it can take more time to complete the signature scan.
+    use_blkid_wiping: 1
+
+    # Set to 1 to wipe any signatures found on newly-created Logical Volumes
+    # automatically in addition to zeroing of the first KB on the LV
+    # (controlled by the -Z/--zero y option).
+    # The command line option -W/--wipesignatures takes precedence over this
+    # setting.
+    # The default is to wipe signatures when zeroing.
+    #
+    wipe_signatures_when_zeroing_new_lvs: 1
+
+    # Set to 1 to guarantee that mirror logs will always be placed on
+    # different PVs from the mirror images.  This was the default
+    # until version 2.02.85.
+    mirror_logs_require_separate_pvs: 0
+
+    # Set to 1 to guarantee that cache_pool metadata will always be
+    # placed on  different PVs from the cache_pool data.
+    cache_pool_metadata_require_separate_pvs: 0
+
+    # Specify the minimal chunk size (in kiB) for cache pool volumes.
+    # Using a chunk_size that is too large can result in wasteful use of
+    # the cache, where small reads and writes can cause large sections of
+    # an LV to be mapped into the cache.  However, choosing a chunk_size
+    # that is too small can result in more overhead trying to manage the
+    # numerous chunks that become mapped into the cache.  The former is
+    # more of a problem than the latter in most cases, so we default to
+    # a value that is on the smaller end of the spectrum.  Supported values
+    # range from 32(kiB) to 1048576 in multiples of 32.
+    # cache_pool_chunk_size: 64
+
+    # Set to 1 to guarantee that thin pool metadata will always
+    # be placed on different PVs from the pool data.
+    thin_pool_metadata_require_separate_pvs: 0
+
+    # Specify chunk size calculation policy for thin pool volumes.
+    # Possible options are:
+    # "generic"        - if thin_pool_chunk_size is defined, use it.
+    #                    Otherwise, calculate the chunk size based on
+    #                    estimation and device hints exposed in sysfs:
+    #                    the minimum_io_size. The chunk size is always
+    #                    at least 64KiB.
+    #
+    # "performance"    - if thin_pool_chunk_size is defined, use it.
+    #			 Otherwise, calculate the chunk size for
+    #			 performance based on device hints exposed in
+    #			 sysfs: the optimal_io_size. The chunk size is
+    #			 always at least 512KiB.
+    # thin_pool_chunk_size_policy: "generic"
+
+    # Specify the minimal chunk size (in KB) for thin pool volumes.
+    # Use of the larger chunk size may improve performance for plain
+    # thin volumes, however using them for snapshot volumes is less efficient,
+    # as it consumes more space and takes extra time for copying.
+    # When unset, lvm tries to estimate chunk size starting from 64KB
+    # Supported values are in range from 64 to 1048576.
+    # thin_pool_chunk_size: 64
+
+    # Specify discards behaviour of the thin pool volume.
+    # Select one of  "ignore", "nopassdown", "passdown"
+    # thin_pool_discards: "passdown"
+
+    # Set to 0, to disable zeroing of thin pool data chunks before their
+    # first use.
+    # N.B. zeroing larger thin pool chunk size degrades performance.
+    # thin_pool_zero: 1
+
+
+  # This section that allows you to configure the nature of the
+  # information that LVM2 reports.
+  log:
+
+    # Controls the messages sent to stdout or stderr.
+    # There are three levels of verbosity, 3 being the most verbose.
+    verbose: 0
+
+    # Set to 1 to suppress all non-essential messages from stdout.
+    # This has the same effect as -qq.
+    # When this is set, the following commands still produce output:
+    # dumpconfig, lvdisplay, lvmdiskscan, lvs, pvck, pvdisplay,
+    # pvs, version, vgcfgrestore -l, vgdisplay, vgs.
+    # Non-essential messages are shifted from log level 4 to log level 5
+    # for syslog and lvm2_log_fn purposes.
+    # Any 'yes' or 'no' questions not overridden by other arguments
+    # are suppressed and default to 'no'.
+    silent: 0
+
+    # Should we send log messages through syslog?
+    # 1 is yes; 0 is no.
+    syslog: 1
+
+    # Should we log error and debug messages to a file?
+    # By default there is no log file.
+    #file: "/var/log/lvm2.log"
+
+    # Should we overwrite the log file each time the program is run?
+    # By default we append.
+    overwrite: 0
+
+    # What level of log messages should we send to the log file and/or syslog?
+    # There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Format of output messages
+    # Whether or not (1 or 0) to indent messages according to their severity
+    indent: 1
+
+    # Whether or not (1 or 0) to display the command name on each line output
+    command_names: 0
+
+    # A prefix to use before the message text (but after the command name,
+    # if selected).  Default is two spaces, so you can see/grep the severity
+    # of each message.
+    prefix: "  "
+
+    # To make the messages look similar to the original LVM tools use:
+    #   indent = 0
+    #   command_names = 1
+    #   prefix = " -- "
+
+    # Set this if you want log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    # activation: 0
+
+    # Some debugging messages are assigned to a class and only appear
+    # in debug output if the class is listed here.
+    # Classes currently available:
+    #   memory, devices, activation, allocation, lvmetad, metadata, cache,
+    #   locking
+    # Use "all" to see everything.
+    debug_classes: [ "memory", "devices", "activation", "allocation",
+                     "lvmetad", "metadata", "cache", "locking" ]
+
+
+  # Configuration of metadata backups and archiving.  In LVM2 when we
+  # talk about a 'backup' we mean making a copy of the metadata for the
+  # *current* system.  The 'archive' contains old metadata configurations.
+  # Backups are stored in a human readable text format.
+  backup:
+
+    # Should we maintain a backup of the current metadata configuration ?
+    # Use 1 for Yes; 0 for No.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Where shall we keep it ?
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Should we maintain an archive of old metadata configurations.
+    # Use 1 for Yes; 0 for No.
+    # On by default.  Think very hard before turning this off.
+    archive: 1
+
+    # Where should archived files go ?
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # What is the minimum number of archive files you wish to keep ?
+    retain_min: 10
+
+    # What is the minimum time you wish to keep an archive file for ?
+    retain_days: 30
+
+
+  # Settings for the running LVM2 in shell (readline) mode.
+  shell:
+
+    # Number of lines of history to store in ~/.lvm_history
+    history_size: 100
+
+
+  # Miscellaneous global LVM2 settings
+  global:
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    # (umask needs to be quoted because octal)
+    umask: "077"
+
+    # Allow other users to read the files
+    #umask: "022"
+
+    # Enabling test mode means that no changes to the on disk metadata
+    # will be made.  Equivalent to having the -t option on every
+    # command.  Defaults to off.
+    test: 0
+
+    # Default value for --units argument
+    units: "h"
+
+    # Since version 2.02.54, the tools distinguish between powers of
+    # 1024 bytes (e.g. KiB, MiB, GiB) and powers of 1000 bytes (e.g.
+    # KB, MB, GB).
+    # If you have scripts that depend on the old behaviour, set this to 0
+    # temporarily until you update them.
+    si_unit_consistency: 1
+
+    # Whether or not to display unit suffix for sizes. This setting has
+    # no effect if the units are in human-readable form (global/units="h")
+    # in which case the suffix is always displayed.
+    suffix: 1
+
+    # Whether or not to communicate with the kernel device-mapper.
+    # Set to 0 if you want to use the tools to manipulate LVM metadata
+    # without activating any logical volumes.
+    # If the device-mapper kernel driver is not present in your kernel
+    # setting this to 0 should suppress the error messages.
+    activation: 1
+
+    # If we can't communicate with device-mapper, should we try running
+    # the LVM1 tools?
+    # This option only applies to 2.4 kernels and is provided to help you
+    # switch between device-mapper kernels and LVM1 kernels.
+    # The LVM1 tools need to be installed with .lvm1 suffices
+    # e.g. vgscan.lvm1 and they will stop working after you start using
+    # the new lvm2 on-disk metadata format.
+    # The default value is set when the tools are built.
+    # fallback_to_lvm1: 0
+
+    # The default metadata format that commands should use - "lvm1" or "lvm2".
+    # The command line override is -M1 or -M2.
+    # Defaults to "lvm2".
+    # format: "lvm2"
+
+    # Location of proc filesystem
+    proc: "/proc"
+
+    # Type of locking to use. Defaults to local file-based locking (1).
+    # Turn locking off by setting to 0 (dangerous: risks metadata corruption
+    # if LVM2 commands get run concurrently).
+    # Type 2 uses the external shared library locking_library.
+    # Type 3 uses built-in clustered locking.
+    # Type 4 uses read-only locking which forbids any operations that might
+    # change metadata.
+    # Type 5 offers dummy locking for tools that do not need any locks.
+    # You should not need to set this directly: the tools will select when
+    # to use it instead of the configured locking_type.  Do not use lvmetad or
+    # the kernel device-mapper driver with this locking type.
+    # It is used by the --readonly option that offers read-only access to
+    # Volume Group metadata that cannot be locked safely because it belongs to
+    # an inaccessible domain and might be in use, for example a virtual machine
+    # image or a disk that is shared by a clustered machine.
+    #
+    # N.B. Don't use lvmetad with locking type 3 as lvmetad is not yet
+    # supported in clustered environment. If use_lvmetad=1 and locking_type=3
+    # is set at the same time, LVM always issues a warning message about this
+    # and then it automatically disables lvmetad use.
+    locking_type: 1
+
+    # Set to 0 to fail when a lock request cannot be satisfied immediately.
+    wait_for_locks: 1
+
+    # If using external locking (type 2) and initialisation fails,
+    # with this set to 1 an attempt will be made to use the built-in
+    # clustered locking.
+    # If you are using a customised locking_library you should set this to 0.
+    fallback_to_clustered_locking: 1
+
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this set
+    # to 1 an attempt will be made to use local file-based locking (type 1).
+    # If this succeeds, only commands against local volume groups will proceed.
+    # Volume Groups marked as clustered will be ignored.
+    fallback_to_local_locking: 1
+
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress.  A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/run/lock/lvm"
+
+    # Whenever there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to be
+    # serviced.  Without this setting, write access may be stalled by a high
+    # volume of read-only requests.
+    # NB. This option only affects locking_type = 1 viz. local file-based
+    # locking.
+    prioritise_write_locks: 1
+
+    # Other entries can go here to allow you to load shared libraries
+    # e.g. if support for LVM1 metadata was compiled as a shared library use
+    #   format_libraries: "liblvm2format1.so"
+    # Full pathnames can be given.
+
+    # Search this directory first for shared libraries.
+    #   library_dir: "/lib/lvm2"
+
+    # The external locking library to load if locking_type is set to 2.
+    #   locking_library: "liblvm2clusterlock.so"
+
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+    # Check whether CRC is matching when parsed VG is used multiple times.
+    # This is useful to catch unexpected internal cached volume group
+    # structure modification. Please only enable for debugging.
+    detect_internal_vg_cache_corruption: 0
+
+    # If set to 1, no operations that change on-disk metadata will be permitted.
+    # Additionally, read-only commands that encounter metadata in need of repair
+    # will still be allowed to proceed exactly as if the repair had been
+    # performed (except for the unchanged vg_seqno).
+    # Inappropriate use could mess up your system, so seek advice first!
+    metadata_read_only: 0
+
+    # 'mirror_segtype_default' defines which segtype will be used when the
+    # shorthand '-m' option is used for mirroring.  The possible options are:
+    #
+    # "mirror" - The original RAID1 implementation provided by LVM2/DM.  It is
+    #	         characterized by a flexible log solution (core, disk, mirrored)
+    #		 and by the necessity to block I/O while reconfiguring in the
+    #		 event of a failure.
+    #
+    #		 There is an inherent race in the dmeventd failure handling
+    #		 logic with snapshots of devices using this type of RAID1 that
+    #		 in the worst case could cause a deadlock.
+    #		   Ref: https://bugzilla.redhat.com/show_bug.cgi?id=817130#c10
+    #
+    # "raid1"  - This implementation leverages MD's RAID1 personality through
+    #		 device-mapper.  It is characterized by a lack of log options.
+    #		 (A log is always allocated for every device and they are placed
+    #		 on the same device as the image - no separate devices are
+    #		 required.)  This mirror implementation does not require I/O
+    #		 to be blocked in the kernel in the event of a failure.
+    #		 This mirror implementation is not cluster-aware and cannot be
+    #		 used in a shared (active/active) fashion in a cluster.
+    #
+    # Specify the '--type <mirror|raid1>' option to override this default
+    # setting.
+    mirror_segtype_default: "raid1"
+
+    # 'raid10_segtype_default' determines the segment types used by default
+    # when the '--stripes/-i' and '--mirrors/-m' arguments are both specified
+    # during the creation of a logical volume.
+    # Possible settings include:
+    #
+    # "raid10" - This implementation leverages MD's RAID10 personality through
+    #            device-mapper.
+    #
+    # "mirror" - LVM will layer the 'mirror' and 'stripe' segment types.  It
+    #            will do this by creating a mirror on top of striped sub-LVs;
+    #            effectively creating a RAID 0+1 array.  This is suboptimal
+    #            in terms of providing redundancy and performance. Changing to
+    #            this setting is not advised.
+    # Specify the '--type <raid10|mirror>' option to override this default
+    # setting.
+    raid10_segtype_default: "raid10"
+
+    # The default format for displaying LV names in lvdisplay was changed
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # Set to 1 to reinstate the previous format.
+    #
+    # lvdisplay_shows_full_device_path: 0
+
+    # Whether to use (trust) a running instance of lvmetad. If this is set to
+    # 0, all commands fall back to the usual scanning mechanisms. When set to 1
+    # *and* when lvmetad is running (automatically instantiated by making use of
+    # systemd's socket-based service activation or run as an initscripts service
+    # or run manually), the volume group metadata and PV state flags are obtained
+    # from the lvmetad instance and no scanning is done by the individual
+    # commands. In a setup with lvmetad, lvmetad udev rules *must* be set up for
+    # LVM to work correctly. Without proper udev rules, all changes in block
+    # device configuration will be *ignored* until a manual 'pvscan --cache'
+    # is performed. These rules are installed by default.
+    #
+    # If lvmetad has been running while use_lvmetad was 0, it MUST be stopped
+    # before changing use_lvmetad to 1 and started again afterwards.
+    #
+    # If using lvmetad, the volume activation is also switched to automatic
+    # event-based mode. In this mode, the volumes are activated based on
+    # incoming udev events that automatically inform lvmetad about new PVs
+    # that appear in the system. Once the VG is complete (all the PVs are
+    # present), it is auto-activated. The activation/auto_activation_volume_list
+    # setting controls which volumes are auto-activated (all by default).
+    #
+    # A note about device filtering while lvmetad is used:
+    # When lvmetad is updated (either automatically based on udev events
+    # or directly by pvscan --cache <device> call), the devices/filter
+    # is ignored and all devices are scanned by default. The lvmetad always
+    # keeps unfiltered information which is then provided to LVM commands
+    # and then each LVM command does the filtering based on devices/filter
+    # setting itself.
+    # To prevent scanning devices completely, even when using lvmetad,
+    # the devices/global_filter must be used.
+    # N.B. Don't use lvmetad with locking type 3 as lvmetad is not yet
+    # supported in clustered environment. If use_lvmetad=1 and locking_type=3
+    # is set at the same time, LVM always issues a warning message about this
+    # and then it automatically disables lvmetad use.
+    use_lvmetad: 0
+
+    # Full path of the utility called to check that a thin metadata device
+    # is in a state that allows it to be used.
+    # Each time a thin pool needs to be activated or after it is deactivated
+    # this utility is executed. The activation will only proceed if the utility
+    # has an exit status of 0.
+    # Set to "" to skip this check.  (Not recommended.)
+    # The thin tools are available as part of the device-mapper-persistent-data
+    # package from https://github.com/jthornber/thin-provisioning-tools.
+    #
+    # thin_check_executable: "/usr/sbin/thin_check"
+
+    # Array of string options passed with thin_check command. By default,
+    # option "-q" is for quiet output.
+    # With thin_check version 2.1 or newer you can add "--ignore-non-fatal-errors"
+    # to let it pass through ignorable errors and fix them later.
+    # With thin_check version 3.2 or newer you should add
+    # "--clear-needs-check-flag".
+    #
+    # thin_check_options: [ "-q", "--clear-needs-check-flag" ]
+
+    # Full path of the utility called to repair a thin metadata device
+    # is in a state that allows it to be used.
+    # Each time a thin pool needs repair this utility is executed.
+    # See thin_check_executable how to obtain binaries.
+    #
+    # thin_repair_executable: "/usr/sbin/thin_repair"
+
+    # Array of extra string options passed with thin_repair command.
+    # thin_repair_options: [ "" ]
+
+    # Full path of the utility called to dump thin metadata content.
+    # See thin_check_executable how to obtain binaries.
+    #
+    # thin_dump_executable: "/usr/sbin/thin_dump"
+
+    # If set, given features are not used by thin driver.
+    # This can be helpful not just for testing, but i.e. allows to avoid
+    # using problematic implementation of some thin feature.
+    # Features:
+    #   block_size
+    #   discards
+    #   discards_non_power_2
+    #   external_origin
+    #   metadata_resize
+    #   external_origin_extend
+    #
+    # thin_disabled_features: [ "discards", "block_size" ]
+
+    # Full path of the utility called to check that a cache metadata device
+    # is in a state that allows it to be used.
+    # Each time a cached LV needs to be used or after it is deactivated
+    # this utility is executed. The activation will only proceed if the utility
+    # has an exit status of 0.
+    # Set to "" to skip this check.  (Not recommended.)
+    # The cache tools are available as part of the device-mapper-persistent-data
+    # package from https://github.com/jthornber/thin-provisioning-tools.
+    #
+    # cache_check_executable: "/usr/sbin/cache_check"
+
+    # Array of string options passed with cache_check command. By default,
+    # option "-q" is for quiet output.
+    #
+    # cache_check_options: [ "-q" ]
+
+    # Full path of the utility called to repair a cache metadata device.
+    # Each time a cache metadata needs repair this utility is executed.
+    # See cache_check_executable how to obtain binaries.
+    #
+    # cache_repair_executable: "/usr/sbin/cache_repair"
+
+    # Array of extra string options passed with cache_repair command.
+    # cache_repair_options: [ "" ]
+
+    # Full path of the utility called to dump cache metadata content.
+    # See cache_check_executable how to obtain binaries.
+    #
+    # cache_dump_executable: "/usr/sbin/cache_dump"
+
+
+  activation:
+    # Set to 1 to perform internal checks on the operations issued to
+    # libdevmapper.  Useful for debugging problems with activation.
+    # Some of the checks may be expensive, so it's best to use this
+    # only when there seems to be a problem.
+    checks: 0
+
+    # Set to 0 to disable udev synchronisation (if compiled into the binaries).
+    # Processes will not wait for notification from udev.
+    # They will continue irrespective of any possible udev processing
+    # in the background.  You should only use this if udev is not running
+    # or has rules that ignore the devices LVM2 creates.
+    # The command line argument --nodevsync takes precedence over this setting.
+    # If set to 1 when udev is not running, and there are LVM2 processes
+    # waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them up.
+    udev_sync: 1
+
+    # Set to 0 to disable the udev rules installed by LVM2 (if built with
+    # --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
+    # for active logical volumes directly itself.
+    # N.B. Manual intervention may be required if this setting is changed
+    # while any logical volumes are active.
+    udev_rules: 1
+
+    # Set to 1 for LVM2 to verify operations performed by udev. This turns on
+    # additional checks (and if necessary, repairs) on entries in the device
+    # directory after udev has completed processing its events.
+    # Useful for diagnosing problems with LVM2/udev interactions.
+    verify_udev_operations: 0
+
+    # If set to 1 and if deactivation of an LV fails, perhaps because
+    # a process run from a quick udev rule temporarily opened the device,
+    # retry the operation for a few seconds before failing.
+    retry_deactivation: 1
+
+    # How to fill in missing stripes if activating an incomplete volume.
+    # Using "error" will make inaccessible parts of the device return
+    # I/O errors on access.  You can instead use a device path, in which
+    # case, that device will be used to in place of missing stripes.
+    # But note that using anything other than "error" with mirrored
+    # or snapshotted volumes is likely to result in data corruption.
+    missing_stripe_filler: "error"
+
+    # The linear target is an optimised version of the striped target
+    # that only handles a single stripe.  Set this to 0 to disable this
+    # optimisation and always use the striped target.
+    use_linear_target: 1
+
+    # How much stack (in KB) to reserve for use while devices suspended
+    # Prior to version 2.02.89 this used to be set to 256KB
+    reserved_stack: 64
+
+    # How much memory (in KB) to reserve for use while devices suspended
+    reserved_memory: 8192
+
+    # Nice value used while devices suspended
+    process_priority: -18
+
+    # If volume_list is defined, each LV is only activated if there is a
+    # match against the list.
+    #
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # If any host tags exist but volume_list is not defined, a default
+    # single-entry list containing "@*" is assumed.
+    #
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If auto_activation_volume_list is defined, each LV that is to be
+    # activated with the autoactivation option (--activate ay/-a ay) is
+    # first checked against the list. There are two scenarios in which
+    # the autoactivation option is used:
+    #
+    #   - automatic activation of volumes based on incoming PVs. If all the
+    #     PVs making up a VG are present in the system, the autoactivation
+    #     is triggered. This requires lvmetad (global/use_lvmetad=1) and udev
+    #     to be running. In this case, "pvscan --cache -aay" is called
+    #     automatically without any user intervention while processing
+    #     udev events. Please, make sure you define auto_activation_volume_list
+    #     properly so only the volumes you want and expect are autoactivated.
+    #
+    #   - direct activation on command line with the autoactivation option.
+    #     In this case, the user calls "vgchange --activate ay/-a ay" or
+    #     "lvchange --activate ay/-a ay" directly.
+    #
+    # By default, the auto_activation_volume_list is not defined and all
+    # volumes will be activated either automatically or by using --activate ay/-a ay.
+    #
+    # N.B. The "activation/volume_list" is still honoured in all cases so even
+    # if the VG/LV passes the auto_activation_volume_list, it still needs to
+    # pass the volume_list for it to be activated in the end.
+
+    # If auto_activation_volume_list is defined but empty, no volumes will be
+    # activated automatically and --activate ay/-a ay will do nothing.
+    #
+    # auto_activation_volume_list: []
+
+    # If auto_activation_volume_list is defined and it's not empty, only matching
+    # volumes will be activated either automatically or by using --activate ay/-a ay.
+    #
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # auto_activation_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If read_only_volume_list is defined, each LV that is to be activated
+    # is checked against the list, and if it matches, it as activated
+    # in read-only mode.  (This overrides '--permission rw' stored in the
+    # metadata.)
+    #
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # read_only_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # Each LV can have an 'activation skip' flag stored persistently against it.
+    # During activation, this flag is used to decide whether such an LV is skipped.
+    # The 'activation skip' flag can be set during LV creation and by default it
+    # is automatically set for thin snapshot LVs. The 'auto_set_activation_skip'
+    # enables or disables this automatic setting of the flag while LVs are created.
+    # auto_set_activation_skip: 1
+
+    # For RAID or 'mirror' segment types, 'raid_region_size' is the
+    # size (in KiB) of each:
+    # - synchronization operation when initializing
+    # - each copy operation when performing a 'pvmove' (using 'mirror' segtype)
+    # This setting has replaced 'mirror_region_size' since version 2.02.99
+    raid_region_size: 512
+
+    # Setting to use when there is no readahead value stored in the metadata.
+    #
+    # "none" - Disable readahead.
+    # "auto" - Use default value chosen by kernel.
+    readahead: "auto"
+
+    # 'raid_fault_policy' defines how a device failure in a RAID logical
+    # volume is handled.  This includes logical volumes that have the following
+    # segment types: raid1, raid4, raid5*, and raid6*.
+    #
+    # In the event of a failure, the following policies will determine what
+    # actions are performed during the automated response to failures (when
+    # dmeventd is monitoring the RAID logical volume) and when 'lvconvert' is
+    # called manually with the options '--repair' and '--use-policies'.
+    #
+    # "warn"	- Use the system log to warn the user that a device in the RAID
+    #		  logical volume has failed.  It is left to the user to run
+    #		  'lvconvert --repair' manually to remove or replace the failed
+    #		  device.  As long as the number of failed devices does not
+    #		  exceed the redundancy of the logical volume (1 device for
+    #		  raid4/5, 2 for raid6, etc) the logical volume will remain
+    #		  usable.
+    #
+    # "allocate" - Attempt to use any extra physical volumes in the volume
+    #		  group as spares and replace faulty devices.
+    #
+    raid_fault_policy: "warn"
+
+    # 'mirror_image_fault_policy' and 'mirror_log_fault_policy' define
+    # how a device failure affecting a mirror (of "mirror" segment type) is
+    # handled.  A mirror is composed of mirror images (copies) and a log.
+    # A disk log ensures that a mirror does not need to be re-synced
+    # (all copies made the same) every time a machine reboots or crashes.
+    #
+    # In the event of a failure, the specified policy will be used to determine
+    # what happens. This applies to automatic repairs (when the mirror is being
+    # monitored by dmeventd) and to manual lvconvert --repair when
+    # --use-policies is given.
+    #
+    # "remove" - Simply remove the faulty device and run without it.  If
+    #            the log device fails, the mirror would convert to using
+    #            an in-memory log.  This means the mirror will not
+    #            remember its sync status across crashes/reboots and
+    #            the entire mirror will be re-synced.  If a
+    #            mirror image fails, the mirror will convert to a
+    #            non-mirrored device if there is only one remaining good
+    #            copy.
+    #
+    # "allocate" - Remove the faulty device and try to allocate space on
+    #            a new device to be a replacement for the failed device.
+    #            Using this policy for the log is fast and maintains the
+    #            ability to remember sync state through crashes/reboots.
+    #            Using this policy for a mirror device is slow, as it
+    #            requires the mirror to resynchronize the devices, but it
+    #            will preserve the mirror characteristic of the device.
+    #            This policy acts like "remove" if no suitable device and
+    #            space can be allocated for the replacement.
+    #
+    # "allocate_anywhere" - Not yet implemented. Useful to place the log device
+    #            temporarily on same physical volume as one of the mirror
+    #            images. This policy is not recommended for mirror devices
+    #            since it would break the redundant nature of the mirror. This
+    #            policy acts like "remove" if no suitable device and space can
+    #            be allocated for the replacement.
+
+    mirror_log_fault_policy: "allocate"
+    mirror_image_fault_policy: "remove"
+
+    # 'snapshot_autoextend_threshold' and 'snapshot_autoextend_percent' define
+    # how to handle automatic snapshot extension. The former defines when the
+    # snapshot should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the snapshot, in percent of its current size.
+    #
+    # For example, if you set snapshot_autoextend_threshold to 70 and
+    # snapshot_autoextend_percent to 20, whenever a snapshot exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G snapshot, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the snapshot will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting snapshot_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    snapshot_autoextend_threshold: 100
+    snapshot_autoextend_percent: 20
+
+    # 'thin_pool_autoextend_threshold' and 'thin_pool_autoextend_percent' define
+    # how to handle automatic pool extension. The former defines when the
+    # pool should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the pool, in percent of its current size.
+    #
+    # For example, if you set thin_pool_autoextend_threshold to 70 and
+    # thin_pool_autoextend_percent to 20, whenever a pool exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G pool, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the pool will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting thin_pool_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    thin_pool_autoextend_threshold: 100
+    thin_pool_autoextend_percent: 20
+
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended, and as a precaution against deadlocks, LVM2 needs to pin
+    # any memory it is using so it is not paged out.  Groups of pages that
+    # are known not to be accessed during activation need not be pinned
+    # into memory.  Each string listed in this setting is compared against
+    # each line in /proc/self/maps, and the pages corresponding to any
+    # lines that match are not pinned.  On some systems locale-archive was
+    # found to make up over 80% of the memory used by the process.
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+
+    # Set to 1 to revert to the default behaviour prior to version 2.02.62
+    # which used mlockall() to pin the whole process's memory while activating
+    # devices.
+    use_mlockall: 0
+
+    # Monitoring is enabled by default when activating logical volumes.
+    # Set to 0 to disable monitoring or use the --ignoremonitoring option.
+    monitoring: 1
+
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress
+    # at intervals of this number of seconds.  The default is 15 seconds.
+    # If this is set to 0 and there is only one thing to wait for, there
+    # are no progress reports, but the process is awoken immediately the
+    # operation is complete.
+    polling_interval: 15
+
+    # 'activation_mode' determines how Logical Volumes are activated if
+    # any devices are missing.  Possible settings are:
+    #
+    #	"complete" -  Only allow activation of an LV if all of the Physical
+    #		      Volumes it uses are present.  Other PVs in the Volume
+    #		      Group may be missing.
+    #
+    #	"degraded" -  Like "complete", but additionally RAID Logical Volumes of
+    #		      segment type raid1, raid4, raid5, radid6 and raid10 will
+    #		      be activated if there is no data loss, i.e. they have
+    #		      sufficient redundancy to present the entire addressable
+    #		      range of the Logical Volume.
+    #
+    #	"partial"  -  Allows the activation of any Logical Volume even if
+    #		      a missing or failed PV could cause data loss with a
+    #		      portion of the Logical Volume inaccessible.
+    #		      This setting should not normally be used, but may
+    #		      sometimes assist with data recovery.
+    #
+    # This setting was introduced in LVM version 2.02.108.  It corresponds
+    # with the '--activationmode' option for lvchange and vgchange.
+    activation_mode: "degraded"
+
+
+  # Report settings.
+  #
+  # report:
+    # Align columns on report output.
+    # aligned: 1
+
+    # When buffered reporting is used, the report's content is appended
+    # incrementally to include each object being reported until the report
+    # is flushed to output which normally happens at the end of command
+    # execution. Otherwise, if buffering is not used, each object is
+    # reported as soon as its processing is finished.
+    # buffered: 1
+
+    # Show headings for columns on report.
+    # headings: 1
+
+    # A separator to use on report after each field.
+    # separator: " "
+
+    # A separator to use for list items when reported.
+    # list_item_separator: ","
+
+    # Use a field name prefix for each field reported.
+    # prefixes: 0
+
+    # Quote field values when using field name prefixes.
+    # quoted: 1
+
+    # Output each column as a row. If set, this also implies report/prefixes=1.
+    # colums_as_rows: 0
+
+    # Use binary values "0" or "1" instead of descriptive literal values for
+    # columns that have exactly two valid values to report (not counting the
+    # "unknown" value which denotes that the value could not be determined).
+    #
+    # binary_values_as_numeric: 0
+
+    # Comma separated list of columns to sort by when reporting 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # devtypes_sort: "devtype_name"
+
+    # Comma separated list of columns to report for 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # devtypes_cols: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Comma separated list of columns to report for 'lvm devtypes' command in verbose mode.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # devtypes_cols_verbose: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Comma separated list of columns to sort by when reporting 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # lvs_sort: "vg_name,lv_name"
+
+    # Comma separated list of columns to report for 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # lvs_cols: "lv_name,vg_name,lv_attr,lv_size,pool_lv,origin,data_percent,metadata_percent,move_pv,mirror_log,copy_percent,convert_lv"
+
+    # Comma separated list of columns to report for 'lvs' command in verbose mode.
+    # See 'lvs -o help' for the list of possible fields.
+    # lvs_cols_verbose: "lv_name,vg_name,seg_count,lv_attr,lv_size,lv_major,lv_minor,lv_kernel_major,lv_kernel_minor,pool_lv,origin,data_percent,metadata_percent,move_pv,copy_percent,mirror_log,convert
+
+    # Comma separated list of columns to sort by when reporting 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # vgs_sort: "vg_name"
+
+    # Comma separated list of columns to report for 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # vgs_cols: "vg_name,pv_count,lv_count,snap_count,vg_attr,vg_size,vg_free"
+
+    # Comma separated list of columns to report for 'vgs' command in verbose mode.
+    # See 'vgs -o help' for the list of possible fields.
+    # vgs_cols_verbose: "vg_name,vg_attr,vg_extent_size,pv_count,lv_count,snap_count,vg_size,vg_free,vg_uuid,vg_profile"
+
+    # Comma separated list of columns to sort by when reporting 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # pvs_sort: "pv_name"
+
+    # Comma separated list of columns to report for 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # pvs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free"
+
+    # Comma separated list of columns to report for 'pvs' command in verbose mode.
+    # See 'pvs -o help' for the list of possible fields.
+    # pvs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,dev_size,pv_uuid"
+
+    # Comma separated list of columns to sort by when reporting 'lvs --segments' command.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # segs_sort: "vg_name,lv_name,seg_start"
+
+    # Comma separated list of columns to report for 'lvs --segments' command.
+    # See 'lvs --segments  -o help' for the list of possible fields.
+    # segs_cols: "lv_name,vg_name,lv_attr,stripes,segtype,seg_size"
+
+    # Comma separated list of columns to report for 'lvs --segments' command in verbose mode.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # segs_cols_verbose: "lv_name,vg_name,lv_attr,seg_start,seg_size,stripes,segtype,stripesize,chunksize"
+
+    # Comma separated list of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # pvsegs_sort: "pv_name,pvseg_start"
+
+    # Comma separated list of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # pvsegs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size"
+
+    # Comma separated list of columns to sort by when reporting 'pvs --segments' command in verbose mode.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # pvsegs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size,lv_name,seg_start_pe,segtype,seg_pe_ranges"
+
+
+####################
+# Advanced section #
+####################
+
+  # Metadata settings
+  #
+  # metadata:
+    # Default number of copies of metadata to hold on each PV.  0, 1 or 2.
+    # You might want to override it from the command line with 0
+    # when running pvcreate on new PVs which are to be added to large VGs.
+
+    # pvmetadatacopies: 1
+
+    # Default number of copies of metadata to maintain for each VG.
+    # If set to a non-zero value, LVM automatically chooses which of
+    # the available metadata areas to use to achieve the requested
+    # number of copies of the VG metadata.  If you set a value larger
+    # than the the total number of metadata areas available then
+    # metadata is stored in them all.
+    # The default value of 0 ("unmanaged") disables this automatic
+    # management and allows you to control which metadata areas
+    # are used at the individual PV level using 'pvchange
+    # --metadataignore y/n'.
+
+    # vgmetadatacopies: 0
+
+    # Approximate default size of on-disk metadata areas in sectors.
+    # You should increase this if you have large volume groups or
+    # you want to retain a large on-disk history of your metadata changes.
+
+    # pvmetadatasize: 255
+
+    # List of directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM2 with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other
+    # on-disk metadata (pvmetadatacopies = 0). Or this can be in
+    # addition to on-disk metadata areas.
+    # The feature was originally added to simplify testing and is not
+    # supported under low memory situations - the machine could lock up.
+    #
+    # Never edit any files in these directories by hand unless you
+    # you are absolutely sure you know what you are doing! Use
+    # the supplied toolset to make changes (e.g. vgcfgrestore).
+
+    # dirs: [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+
+
+  # Event daemon
+  #
+  dmeventd:
+    # mirror_library is the library used when monitoring a mirror device.
+    #
+    # "libdevmapper-event-lvm2mirror.so" attempts to recover from
+    # failures.  It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # snapshot_library is the library used when monitoring a snapshot device.
+    #
+    # "libdevmapper-event-lvm2snapshot.so" monitors the filling of
+    # snapshots and emits a warning through syslog when the use of
+    # the snapshot exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the snapshot is filled.
+
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
+
+    # thin_library is the library used when monitoring a thin device.
+    #
+    # "libdevmapper-event-lvm2thin.so" monitors the filling of
+    # pool and emits a warning through syslog when the use of
+    # the pool exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the pool is filled.
+
+    thin_library: "libdevmapper-event-lvm2thin.so"
+
+    # Full path of the dmeventd binary.
+    #
+    # executable: "/sbin/dmeventd"
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.168.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.168.yml
new file mode 100644
index 00000000..14b13328
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.168.yml
@@ -0,0 +1,2070 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Based on /etc/lvm/lvm.conf from Debian Stretch
+lvm__config_base_version: '2.02.168-2'
+
+lvm__config_base:
+
+  # Configuration section config.
+  # How LVM configuration settings are handled.
+  config:
+
+    # Configuration option config/checks.
+    # If enabled, any LVM configuration mismatch is reported.
+    # This implies checking that the configuration key is understood by
+    # LVM and that the value of the key is the proper type. If disabled,
+    # any configuration mismatch is ignored and the default value is used
+    # without any warning (a message about the configuration key not being
+    # found is issued in verbose mode only).
+    checks: 1
+
+    # Configuration option config/abort_on_errors.
+    # Abort the LVM process if a configuration mismatch is found.
+    abort_on_errors: 0
+
+    # Configuration option config/profile_dir.
+    # Directory where LVM looks for configuration profiles.
+    profile_dir: "/etc/lvm/profile"
+
+  # Configuration section devices.
+  # How LVM uses block devices.
+  devices:
+
+    # Configuration option devices/dir.
+    # Directory in which to create volume group device nodes.
+    # Commands also accept this as a prefix on volume group names.
+    # This configuration option is advanced.
+    dir: "/dev"
+
+    # Configuration option devices/scan.
+    # Directories containing device nodes to use with LVM.
+    # This configuration option is advanced.
+    scan: [ "/dev" ]
+
+    # Configuration option devices/obtain_device_list_from_udev.
+    # Obtain the list of available devices from udev.
+    # This avoids opening or using any inapplicable non-block devices or
+    # subdirectories found in the udev directory. Any device node or
+    # symlink not managed by udev in the udev directory is ignored. This
+    # setting applies only to the udev-managed device directory; other
+    # directories will be scanned fully. LVM needs to be compiled with
+    # udev support for this setting to apply.
+    obtain_device_list_from_udev: 1
+
+    # Configuration option devices/external_device_info_source.
+    # Select an external device information source.
+    # Some information may already be available in the system and LVM can
+    # use this information to determine the exact type or use of devices it
+    # processes. Using an existing external device information source can
+    # speed up device processing as LVM does not need to run its own native
+    # routines to acquire this information. For example, this information
+    # is used to drive LVM filtering like MD component detection, multipath
+    # component detection, partition detection and others.
+    #
+    # Accepted values:
+    #   none
+    #     No external device information source is used.
+    #   udev
+    #     Reuse existing udev database records. Applicable only if LVM is
+    #     compiled with udev support.
+    #
+    external_device_info_source: "none"
+
+    # Configuration option devices/preferred_names.
+    # Select which path name to display for a block device.
+    # If multiple path names exist for a block device, and LVM needs to
+    # display a name for the device, the path names are matched against
+    # each item in this list of regular expressions. The first match is
+    # used. Try to avoid using undescriptive /dev/dm-N names, if present.
+    # If no preferred name matches, or if preferred_names are not defined,
+    # the following built-in preferences are applied in order until one
+    # produces a preferred name:
+    # Prefer names with path prefixes in the order of:
+    # /dev/mapper, /dev/disk, /dev/dm-*, /dev/block.
+    # Prefer the name with the least number of slashes.
+    # Prefer a name that is a symlink.
+    # Prefer the path with least value in lexicographical order.
+    #
+    # Example
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option devices/filter.
+    # Limit the block devices that are used by LVM commands.
+    # This is a list of regular expressions used to accept or reject block
+    # device path names. Each regex is delimited by a vertical bar '|'
+    # (or any character) and is preceded by 'a' to accept the path, or
+    # by 'r' to reject the path. The first regex in the list to match the
+    # path is used, producing the 'a' or 'r' result for the device.
+    # When multiple path names exist for a block device, if any path name
+    # matches an 'a' pattern before an 'r' pattern, then the device is
+    # accepted. If all the path names match an 'r' pattern first, then the
+    # device is rejected. Unmatching path names do not affect the accept
+    # or reject decision. If no path names for a device match a pattern,
+    # then the device is accepted. Be careful mixing 'a' and 'r' patterns,
+    # as the combination might produce unexpected results (test changes.)
+    # Run vgscan after changing the filter to regenerate the cache.
+    # See the use_lvmetad comment for a special case regarding filters.
+    #
+    # Example
+    # Accept every block device:
+    # filter: [ "a|.*/|" ]
+    # Reject the cdrom drive:
+    # filter: [ "r|/dev/cdrom|" ]
+    # Work with just loopback devices, e.g. for testing:
+    # filter: [ "a|loop|", "r|.*|" ]
+    # Accept all loop devices and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+    # Use anchors to be very specific:
+    # filter: [ "a|^/dev/hda8$|", "r|.*/|" ]
+    #
+    # This configuration option has an automatic default value.
+    # filter: [ "a|.*/|" ]
+
+    # Configuration option devices/global_filter.
+    # Limit the block devices that are used by LVM system components.
+    # Because devices/filter may be overridden from the command line, it is
+    # not suitable for system-wide device filtering, e.g. udev and lvmetad.
+    # Use global_filter to hide devices from these LVM system components.
+    # The syntax is the same as devices/filter. Devices rejected by
+    # global_filter are not opened by LVM.
+    # This configuration option has an automatic default value.
+    # global_filter: [ "a|.*/|" ]
+
+    # Configuration option devices/cache_dir.
+    # Directory in which to store the device cache file.
+    # The results of filtering are cached on disk to avoid rescanning dud
+    # devices (which can take a very long time). By default this cache is
+    # stored in a file named .cache. It is safe to delete this file; the
+    # tools regenerate it. If obtain_device_list_from_udev is enabled, the
+    # list of devices is obtained from udev and any existing .cache file
+    # is removed.
+    cache_dir: "/run/lvm"
+
+    # Configuration option devices/cache_file_prefix.
+    # A prefix used before the .cache file name. See devices/cache_dir.
+    cache_file_prefix: ""
+
+    # Configuration option devices/write_cache_state.
+    # Enable/disable writing the cache file. See devices/cache_dir.
+    write_cache_state: 1
+
+    # Configuration option devices/types.
+    # List of additional acceptable block device types.
+    # These are of device type names from /proc/devices, followed by the
+    # maximum number of partitions.
+    #
+    # Example
+    # types: [ "fd", 16 ]
+    #
+    # This configuration option is advanced.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option devices/sysfs_scan.
+    # Restrict device scanning to block devices appearing in sysfs.
+    # This is a quick way of filtering out block devices that are not
+    # present on the system. sysfs must be part of the kernel and mounted.)
+    sysfs_scan: 1
+
+    # Configuration option devices/multipath_component_detection.
+    # Ignore devices that are components of DM multipath devices.
+    multipath_component_detection: 1
+
+    # Configuration option devices/md_component_detection.
+    # Ignore devices that are components of software RAID (md) devices.
+    md_component_detection: 1
+
+    # Configuration option devices/fw_raid_component_detection.
+    # Ignore devices that are components of firmware RAID devices.
+    # LVM must use an external_device_info_source other than none for this
+    # detection to execute.
+    fw_raid_component_detection: 0
+
+    # Configuration option devices/md_chunk_alignment.
+    # Align PV data blocks with md device's stripe-width.
+    # This applies if a PV is placed directly on an md device.
+    md_chunk_alignment: 1
+
+    # Configuration option devices/default_data_alignment.
+    # Default alignment of the start of a PV data area in MB.
+    # If set to 0, a value of 64KiB will be used.
+    # Set to 1 for 1MiB, 2 for 2MiB, etc.
+    # This configuration option has an automatic default value.
+    # default_data_alignment: 1
+
+    # Configuration option devices/data_alignment_detection.
+    # Detect PV data alignment based on sysfs device information.
+    # The start of a PV data area will be a multiple of minimum_io_size or
+    # optimal_io_size exposed in sysfs. minimum_io_size is the smallest
+    # request the device can perform without incurring a read-modify-write
+    # penalty, e.g. MD chunk size. optimal_io_size is the device's
+    # preferred unit of receiving I/O, e.g. MD stripe width.
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    data_alignment_detection: 1
+
+    # Configuration option devices/data_alignment.
+    # Alignment of the start of a PV data area in KiB.
+    # If a PV is placed directly on an md device and md_chunk_alignment or
+    # data_alignment_detection are enabled, then this setting is ignored.
+    # Otherwise, md_chunk_alignment and data_alignment_detection are
+    # disabled if this is set. Set to 0 to use the default alignment or the
+    # page size, if larger.
+    data_alignment: 0
+
+    # Configuration option devices/data_alignment_offset_detection.
+    # Detect PV data alignment offset based on sysfs device information.
+    # The start of a PV aligned data area will be shifted by the
+    # alignment_offset exposed in sysfs. This offset is often 0, but may
+    # be non-zero. Certain 4KiB sector drives that compensate for windows
+    # partitioning will have an alignment_offset of 3584 bytes (sector 7
+    # is the lowest aligned logical block, the 4KiB sectors start at
+    # LBA -1, and consequently sector 63 is aligned on a 4KiB boundary).
+    # pvcreate --dataalignmentoffset will skip this detection.
+    data_alignment_offset_detection: 1
+
+    # Configuration option devices/ignore_suspended_devices.
+    # Ignore DM devices that have I/O suspended while scanning devices.
+    # Otherwise, LVM waits for a suspended device to become accessible.
+    # This should only be needed in recovery situations.
+    ignore_suspended_devices: 0
+
+    # Configuration option devices/ignore_lvm_mirrors.
+    # Do not scan 'mirror' LVs to avoid possible deadlocks.
+    # This avoids possible deadlocks when using the 'mirror' segment type.
+    # This setting determines whether LVs using the 'mirror' segment type
+    # are scanned for LVM labels. This affects the ability of mirrors to
+    # be used as physical volumes. If this setting is enabled, it is
+    # impossible to create VGs on top of mirror LVs, i.e. to stack VGs on
+    # mirror LVs. If this setting is disabled, allowing mirror LVs to be
+    # scanned, it may cause LVM processes and I/O to the mirror to become
+    # blocked. This is due to the way that the mirror segment type handles
+    # failures. In order for the hang to occur, an LVM command must be run
+    # just after a failure and before the automatic LVM repair process
+    # takes place, or there must be failures in multiple mirrors in the
+    # same VG at the same time with write failures occurring moments before
+    # a scan of the mirror's labels. The 'mirror' scanning problems do not
+    # apply to LVM RAID types like 'raid1' which handle failures in a
+    # different way, making them a better choice for VG stacking.
+    ignore_lvm_mirrors: 1
+
+    # Configuration option devices/disable_after_error_count.
+    # Number of I/O errors after which a device is skipped.
+    # During each LVM operation, errors received from each device are
+    # counted. If the counter of a device exceeds the limit set here,
+    # no further I/O is sent to that device for the remainder of the
+    # operation. Setting this to 0 disables the counters altogether.
+    disable_after_error_count: 0
+
+    # Configuration option devices/require_restorefile_with_uuid.
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid: 1
+
+    # Configuration option devices/pv_min_size.
+    # Minimum size in KiB of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KiB is ignored. The previous built-in
+    # value was 512.
+    pv_min_size: 2048
+
+    # Configuration option devices/issue_discards.
+    # Issue discards to PVs that are no longer used by an LV.
+    # Discards are sent to an LV's underlying physical volumes when the LV
+    # is no longer using the physical volumes' space, e.g. lvremove,
+    # lvreduce. Discards inform the storage that a region is no longer
+    # used. Storage that supports discards advertise the protocol-specific
+    # way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set). Not all storage will support or
+    # benefit from discards, but SSDs and thinly provisioned LUNs
+    # generally do. If enabled, discards will only be issued if both the
+    # storage and kernel provide support.
+    issue_discards: 0
+
+    # Configuration option devices/allow_changes_with_duplicate_pvs.
+    # Allow VG modification while a PV appears on multiple devices.
+    # When a PV appears on multiple devices, LVM attempts to choose the
+    # best device to use for the PV. If the devices represent the same
+    # underlying storage, the choice has minimal consequence. If the
+    # devices represent different underlying storage, the wrong choice
+    # can result in data loss if the VG is modified. Disabling this
+    # setting is the safest option because it prevents modifying a VG
+    # or activating LVs in it while a PV appears on multiple devices.
+    # Enabling this setting allows the VG to be used as usual even with
+    # uncertain devices.
+    allow_changes_with_duplicate_pvs: 0
+
+  # Configuration section allocation.
+  # How LVM selects space and applies properties to LVs.
+  allocation:
+
+    # Configuration option allocation/cling_tag_list.
+    # Advise LVM which PVs to use when searching for new space.
+    # When searching for free space to extend an LV, the 'cling' allocation
+    # policy will choose space on the same PVs as the last segment of the
+    # existing LV. If there is insufficient space and a list of tags is
+    # defined here, it will check whether any of them are attached to the
+    # PVs concerned and then seek to match those PV tags between existing
+    # extents and new extents.
+    #
+    # Example
+    # Use the special tag "@*" as a wildcard to match any PV tag:
+    # cling_tag_list: [ "@*" ]
+    # LVs are mirrored between two sites within a single VG, and
+    # PVs are tagged with either @site1 or @site2 to indicate where
+    # they are situated:
+    # cling_tag_list: [ "@site1", "@site2" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/maximise_cling.
+    # Use a previous allocation algorithm.
+    # Changes made in version 2.02.85 extended the reach of the 'cling'
+    # policies to detect more situations where data can be grouped onto
+    # the same disks. This setting can be used to disable the changes
+    # and revert to the previous algorithm.
+    maximise_cling: 1
+
+    # Configuration option allocation/use_blkid_wiping.
+    # Use blkid to detect existing signatures on new PVs and LVs.
+    # The blkid library can detect more signatures than the native LVM
+    # detection code, but may take longer. LVM needs to be compiled with
+    # blkid wiping support for this setting to apply. LVM native detection
+    # code is currently able to recognize: MD device signatures,
+    # swap signature, and LUKS signatures. To see the list of signatures
+    # recognized by blkid, check the output of the 'blkid -k' command.
+    use_blkid_wiping: 1
+
+    # Configuration option allocation/wipe_signatures_when_zeroing_new_lvs.
+    # Look for and erase any signatures while zeroing a new LV.
+    # The --wipesignatures option overrides this setting.
+    # Zeroing is controlled by the -Z/--zero option, and if not specified,
+    # zeroing is used by default if possible. Zeroing simply overwrites the
+    # first 4KiB of a new LV with zeroes and does no signature detection or
+    # wiping. Signature wiping goes beyond zeroing and detects exact types
+    # and positions of signatures within the whole LV. It provides a
+    # cleaner LV after creation as all known signatures are wiped. The LV
+    # is not claimed incorrectly by other tools because of old signatures
+    # from previous use. The number of signatures that LVM can detect
+    # depends on the detection code that is selected (see
+    # use_blkid_wiping.) Wiping each detected signature must be confirmed.
+    # When this setting is disabled, signatures on new LVs are not detected
+    # or erased unless the --wipesignatures option is used directly.
+    wipe_signatures_when_zeroing_new_lvs: 1
+
+    # Configuration option allocation/mirror_logs_require_separate_pvs.
+    # Mirror logs and images will always use different PVs.
+    # The default setting changed in version 2.02.85.
+    mirror_logs_require_separate_pvs: 0
+
+    # Configuration option allocation/raid_stripe_all_devices.
+    # Stripe across all PVs when RAID stripes are not specified.
+    # If enabled, all PVs in the VG or on the command line are used for raid0/4/5/6/10
+    # when the command does not specify the number of stripes to use.
+    # This was the default behaviour until release 2.02.162.
+    # This configuration option has an automatic default value.
+    # raid_stripe_all_devices: 0
+
+    # Configuration option allocation/cache_pool_metadata_require_separate_pvs.
+    # Cache pool metadata and data will always use different PVs.
+    cache_pool_metadata_require_separate_pvs: 0
+
+    # Configuration option allocation/cache_mode.
+    # The default cache mode used for new cache.
+    #
+    # Accepted values:
+    #   writethrough
+    #     Data blocks are immediately written from the cache to disk.
+    #   writeback
+    #     Data blocks are written from the cache back to disk after some
+    #     delay to improve performance.
+    #
+    # This setting replaces allocation/cache_pool_cachemode.
+    # This configuration option has an automatic default value.
+    # cache_mode: "writethrough"
+
+    # Configuration option allocation/cache_policy.
+    # The default cache policy used for new cache volume.
+    # Since kernel 4.2 the default policy is smq (Stochastic multique),
+    # otherwise the older mq (Multiqueue) policy is selected.
+    # This configuration option does not have a default value defined.
+
+    # Configuration section allocation/cache_settings.
+    # Settings for the cache policy.
+    # See documentation for individual cache policies for more info.
+    # This configuration section has an automatic default value.
+    # cache_settings: {}
+
+    # Configuration option allocation/cache_pool_chunk_size.
+    # The minimal chunk size in KiB for cache pool volumes.
+    # Using a chunk_size that is too large can result in wasteful use of
+    # the cache, where small reads and writes can cause large sections of
+    # an LV to be mapped into the cache. However, choosing a chunk_size
+    # that is too small can result in more overhead trying to manage the
+    # numerous chunks that become mapped into the cache. The former is
+    # more of a problem than the latter in most cases, so the default is
+    # on the smaller end of the spectrum. Supported values range from
+    # 32KiB to 1GiB in multiples of 32.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/cache_pool_max_chunks.
+    # The maximum number of chunks in a cache pool.
+    # For cache target v1.9 the recommended maximumm is 1000000 chunks.
+    # Using cache pool with more chunks may degrade cache performance.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/thin_pool_metadata_require_separate_pvs.
+    # Thin pool metadata and data will always use different PVs.
+    thin_pool_metadata_require_separate_pvs: 0
+
+    # Configuration option allocation/thin_pool_zero.
+    # Thin pool data chunks are zeroed before they are first used.
+    # Zeroing with a larger thin pool chunk size reduces performance.
+    # This configuration option has an automatic default value.
+    # thin_pool_zero: 1
+
+    # Configuration option allocation/thin_pool_discards.
+    # The discards behaviour of thin pool volumes.
+    #
+    # Accepted values:
+    #   ignore
+    #   nopassdown
+    #   passdown
+    #
+    # This configuration option has an automatic default value.
+    # thin_pool_discards: "passdown"
+
+    # Configuration option allocation/thin_pool_chunk_size_policy.
+    # The chunk size calculation policy for thin pool volumes.
+    #
+    # Accepted values:
+    #   generic
+    #     If thin_pool_chunk_size is defined, use it. Otherwise, calculate
+    #     the chunk size based on estimation and device hints exposed in
+    #     sysfs - the minimum_io_size. The chunk size is always at least
+    #     64KiB.
+    #   performance
+    #     If thin_pool_chunk_size is defined, use it. Otherwise, calculate
+    #     the chunk size for performance based on device hints exposed in
+    #     sysfs - the optimal_io_size. The chunk size is always at least
+    #     512KiB.
+    #
+    # This configuration option has an automatic default value.
+    # thin_pool_chunk_size_policy: "generic"
+
+    # Configuration option allocation/thin_pool_chunk_size.
+    # The minimal chunk size in KiB for thin pool volumes.
+    # Larger chunk sizes may improve performance for plain thin volumes,
+    # however using them for snapshot volumes is less efficient, as it
+    # consumes more space and takes extra time for copying. When unset,
+    # lvm tries to estimate chunk size starting from 64KiB. Supported
+    # values are in the range 64KiB to 1GiB.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/physical_extent_size.
+    # Default physical extent size in KiB to use for new VGs.
+    # This configuration option has an automatic default value.
+    # physical_extent_size: 4096
+
+  # Configuration section log.
+  # How LVM log information is reported.
+  log:
+
+    # Configuration option log/report_command_log.
+    # Enable or disable LVM log reporting.
+    # If enabled, LVM will collect a log of operations, messages,
+    # per-object return codes with object identification and associated
+    # error numbers (errnos) during LVM command processing. Then the
+    # log is either reported solely or in addition to any existing
+    # reports, depending on LVM command used. If it is a reporting command
+    # (e.g. pvs, vgs, lvs, lvm fullreport), then the log is reported in
+    # addition to any existing reports. Otherwise, there's only log report
+    # on output. For all applicable LVM commands, you can request that
+    # the output has only log report by using --logonly command line
+    # option. Use log/command_log_cols and log/command_log_sort settings
+    # to define fields to display and sort fields for the log report.
+    # You can also use log/command_log_selection to define selection
+    # criteria used each time the log is reported.
+    # This configuration option has an automatic default value.
+    # report_command_log: 0
+
+    # Configuration option log/command_log_sort.
+    # List of columns to sort by when reporting command log.
+    # See <lvm command> --logonly --configreport log -o help
+    # for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # command_log_sort: "log_seq_num"
+
+    # Configuration option log/command_log_cols.
+    # List of columns to report when reporting command log.
+    # See <lvm command> --logonly --configreport log -o help
+    # for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # command_log_cols: "log_seq_num,log_type,log_context,log_object_type,log_object_name,log_object_id,log_object_group,log_object_group_id,log_message,log_errno,log_ret_code"
+
+    # Configuration option log/command_log_selection.
+    # Selection criteria used when reporting command log.
+    # You can define selection criteria that are applied each
+    # time log is reported. This way, it is possible to control the
+    # amount of log that is displayed on output and you can select
+    # only parts of the log that are important for you. To define
+    # selection criteria, use fields from log report. See also
+    # <lvm command> --logonly --configreport log -S help for the
+    # list of possible fields and selection operators. You can also
+    # define selection criteria for log report on command line directly
+    # using <lvm command> --configreport log -S <selection criteria>
+    # which has precedence over log/command_log_selection setting.
+    # For more information about selection criteria in general, see
+    # lvm(8) man page.
+    # This configuration option has an automatic default value.
+    # command_log_selection: "!(log_type=status && message=success)"
+
+    # Configuration option log/verbose.
+    # Controls the messages sent to stdout or stderr.
+    verbose: 0
+
+    # Configuration option log/silent.
+    # Suppress all non-essential messages from stdout.
+    # This has the same effect as -qq. When enabled, the following commands
+    # still produce output: dumpconfig, lvdisplay, lvmdiskscan, lvs, pvck,
+    # pvdisplay, pvs, version, vgcfgrestore -l, vgdisplay, vgs.
+    # Non-essential messages are shifted from log level 4 to log level 5
+    # for syslog and lvm2_log_fn purposes.
+    # Any 'yes' or 'no' questions not overridden by other arguments are
+    # suppressed and default to 'no'.
+    silent: 0
+
+    # Configuration option log/syslog.
+    # Send log messages through syslog.
+    syslog: 1
+
+    # Configuration option log/file.
+    # Write error and debug log messages to a file specified here.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option log/overwrite.
+    # Overwrite the log file each time the program is run.
+    overwrite: 0
+
+    # Configuration option log/level.
+    # The level of log messages that are sent to the log file or syslog.
+    # There are 6 syslog-like log levels currently in use: 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Configuration option log/indent.
+    # Indent messages according to their severity.
+    indent: 1
+
+    # Configuration option log/command_names.
+    # Display the command name on each line of output.
+    command_names: 0
+
+    # Configuration option log/prefix.
+    # A prefix to use before the log message text.
+    # (After the command name, if selected).
+    # Two spaces allows you to see/grep the severity of each message.
+    # To make the messages look similar to the original LVM tools use:
+    # indent: 0, command_names: 1, prefix: " -- "
+    prefix: "  "
+
+    # Configuration option log/activation.
+    # Log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    activation: 0
+
+    # Configuration option log/debug_classes.
+    # Select log messages by class.
+    # Some debugging messages are assigned to a class and only appear in
+    # debug output if the class is listed here. Classes currently
+    # available: memory, devices, activation, allocation, lvmetad,
+    # metadata, cache, locking, lvmpolld. Use "all" to see everything.
+    debug_classes: [ "memory", "devices", "activation", "allocation", "lvmetad", "metadata", "cache", "locking", "lvmpolld", "dbus" ]
+
+  # Configuration section backup.
+  # How LVM metadata is backed up and archived.
+  # In LVM, a 'backup' is a copy of the metadata for the current system,
+  # and an 'archive' contains old metadata configurations. They are
+  # stored in a human readable text format.
+  backup:
+
+    # Configuration option backup/backup.
+    # Maintain a backup of the current metadata configuration.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Configuration option backup/backup_dir.
+    # Location of the metadata backup files.
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Configuration option backup/archive.
+    # Maintain an archive of old metadata configurations.
+    # Think very hard before turning this off.
+    archive: 1
+
+    # Configuration option backup/archive_dir.
+    # Location of the metadata archive files.
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # Configuration option backup/retain_min.
+    # Minimum number of archives to keep.
+    retain_min: 10
+
+    # Configuration option backup/retain_days.
+    # Minimum number of days to keep archive files.
+    retain_days: 30
+
+  # Configuration section shell.
+  # Settings for running LVM in shell (readline) mode.
+  shell:
+
+    # Configuration option shell/history_size.
+    # Number of lines of history to store in ~/.lvm_history.
+    history_size: 100
+
+  # Configuration section global.
+  # Miscellaneous global LVM settings.
+  global:
+
+    # Configuration option global/umask.
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    umask: '0077'
+
+    # Configuration option global/test.
+    # No on-disk metadata changes will be made in test mode.
+    # Equivalent to having the -t option on every command.
+    test: 0
+
+    # Configuration option global/units.
+    # Default value for --units argument.
+    units: "h"
+
+    # Configuration option global/si_unit_consistency.
+    # Distinguish between powers of 1024 and 1000 bytes.
+    # The LVM commands distinguish between powers of 1024 bytes,
+    # e.g. KiB, MiB, GiB, and powers of 1000 bytes, e.g. KB, MB, GB.
+    # If scripts depend on the old behaviour, disable this setting
+    # temporarily until they are updated.
+    si_unit_consistency: 1
+
+    # Configuration option global/suffix.
+    # Display unit suffix for sizes.
+    # This setting has no effect if the units are in human-readable form
+    # (global/units: "h") in which case the suffix is always displayed.
+    suffix: 1
+
+    # Configuration option global/activation.
+    # Enable/disable communication with the kernel device-mapper.
+    # Disable to use the tools to manipulate LVM metadata without
+    # activating any logical volumes. If the device-mapper driver
+    # is not present in the kernel, disabling this should suppress
+    # the error messages.
+    activation: 1
+
+    # Configuration option global/fallback_to_lvm1.
+    # Try running LVM1 tools if LVM cannot communicate with DM.
+    # This option only applies to 2.4 kernels and is provided to help
+    # switch between device-mapper kernels and LVM1 kernels. The LVM1
+    # tools need to be installed with .lvm1 suffices, e.g. vgscan.lvm1.
+    # They will stop working once the lvm2 on-disk metadata format is used.
+    # This configuration option has an automatic default value.
+    # fallback_to_lvm1: 0
+
+    # Configuration option global/format.
+    # The default metadata format that commands should use.
+    # The -M 1|2 option overrides this setting.
+    #
+    # Accepted values:
+    #   lvm1
+    #   lvm2
+    #
+    # This configuration option has an automatic default value.
+    # format: "lvm2"
+
+    # Configuration option global/format_libraries.
+    # Shared libraries that process different metadata formats.
+    # If support for LVM1 metadata was compiled as a shared library use
+    # format_libraries: "liblvm2format1.so"
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/segment_libraries.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/proc.
+    # Location of proc filesystem.
+    # This configuration option is advanced.
+    proc: "/proc"
+
+    # Configuration option global/etc.
+    # Location of /etc system configuration directory.
+    etc: "/etc"
+
+    # Configuration option global/locking_type.
+    # Type of locking to use.
+    #
+    # Accepted values:
+    #   0
+    #     Turns off locking. Warning: this risks metadata corruption if
+    #     commands run concurrently.
+    #   1
+    #     LVM uses local file-based locking, the standard mode.
+    #   2
+    #     LVM uses the external shared library locking_library.
+    #   3
+    #     LVM uses built-in clustered locking with clvmd.
+    #     This is incompatible with lvmetad. If use_lvmetad is enabled,
+    #     LVM prints a warning and disables lvmetad use.
+    #   4
+    #     LVM uses read-only locking which forbids any operations that
+    #     might change metadata.
+    #   5
+    #     Offers dummy locking for tools that do not need any locks.
+    #     You should not need to set this directly; the tools will select
+    #     when to use it instead of the configured locking_type.
+    #     Do not use lvmetad or the kernel device-mapper driver with this
+    #     locking type. It is used by the --readonly option that offers
+    #     read-only access to Volume Group metadata that cannot be locked
+    #     safely because it belongs to an inaccessible domain and might be
+    #     in use, for example a virtual machine image or a disk that is
+    #     shared by a clustered machine.
+    #
+    locking_type: 1
+
+    # Configuration option global/wait_for_locks.
+    # When disabled, fail if a lock request would block.
+    wait_for_locks: 1
+
+    # Configuration option global/fallback_to_clustered_locking.
+    # Attempt to use built-in cluster locking if locking_type 2 fails.
+    # If using external locking (type 2) and initialisation fails, with
+    # this enabled, an attempt will be made to use the built-in clustered
+    # locking. Disable this if using a customised locking_library.
+    fallback_to_clustered_locking: 1
+
+    # Configuration option global/fallback_to_local_locking.
+    # Use locking_type 1 (local) if locking_type 2 or 3 fail.
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this
+    # enabled, an attempt will be made to use local file-based locking
+    # (type 1). If this succeeds, only commands against local VGs will
+    # proceed. VGs marked as clustered will be ignored.
+    fallback_to_local_locking: 1
+
+    # Configuration option global/locking_dir.
+    # Directory to use for LVM command file locks.
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress. A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/run/lock/lvm"
+
+    # Configuration option global/prioritise_write_locks.
+    # Allow quicker VG write access during high volume read access.
+    # When there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to
+    # be serviced. Without this setting, write access may be stalled by a
+    # high volume of read-only requests. This option only affects
+    # locking_type 1 viz. local file-based locking.
+    prioritise_write_locks: 1
+
+    # Configuration option global/library_dir.
+    # Search this directory first for shared libraries.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/locking_library.
+    # The external locking library to use for locking_type 2.
+    # This configuration option has an automatic default value.
+    # locking_library: "liblvm2clusterlock.so"
+
+    # Configuration option global/abort_on_internal_errors.
+    # Abort a command that encounters an internal error.
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+    # Configuration option global/detect_internal_vg_cache_corruption.
+    # Internal verification of VG structures.
+    # Check if CRC matches when a parsed VG is used multiple times. This
+    # is useful to catch unexpected changes to cached VG structures.
+    # Please only enable for debugging.
+    detect_internal_vg_cache_corruption: 0
+
+    # Configuration option global/metadata_read_only.
+    # No operations that change on-disk metadata are permitted.
+    # Additionally, read-only commands that encounter metadata in need of
+    # repair will still be allowed to proceed exactly as if the repair had
+    # been performed (except for the unchanged vg_seqno). Inappropriate
+    # use could mess up your system, so seek advice first!
+    metadata_read_only: 0
+
+    # Configuration option global/mirror_segtype_default.
+    # The segment type used by the short mirroring option -m.
+    # The --type mirror|raid1 option overrides this setting.
+    #
+    # Accepted values:
+    #   mirror
+    #     The original RAID1 implementation from LVM/DM. It is
+    #     characterized by a flexible log solution (core, disk, mirrored),
+    #     and by the necessity to block I/O while handling a failure.
+    #     There is an inherent race in the dmeventd failure handling logic
+    #     with snapshots of devices using this type of RAID1 that in the
+    #     worst case could cause a deadlock. (Also see
+    #     devices/ignore_lvm_mirrors.)
+    #   raid1
+    #     This is a newer RAID1 implementation using the MD RAID1
+    #     personality through device-mapper. It is characterized by a
+    #     lack of log options. (A log is always allocated for every
+    #     device and they are placed on the same device as the image,
+    #     so no separate devices are required.) This mirror
+    #     implementation does not require I/O to be blocked while
+    #     handling a failure. This mirror implementation is not
+    #     cluster-aware and cannot be used in a shared (active/active)
+    #     fashion in a cluster.
+    #
+    mirror_segtype_default: "raid1"
+
+    # Configuration option global/raid10_segtype_default.
+    # The segment type used by the -i -m combination.
+    # The --type raid10|mirror option overrides this setting.
+    # The --stripes/-i and --mirrors/-m options can both be specified
+    # during the creation of a logical volume to use both striping and
+    # mirroring for the LV. There are two different implementations.
+    #
+    # Accepted values:
+    #   raid10
+    #     LVM uses MD's RAID10 personality through DM. This is the
+    #     preferred option.
+    #   mirror
+    #     LVM layers the 'mirror' and 'stripe' segment types. The layering
+    #     is done by creating a mirror LV on top of striped sub-LVs,
+    #     effectively creating a RAID 0+1 array. The layering is suboptimal
+    #     in terms of providing redundancy and performance.
+    #
+    raid10_segtype_default: "raid10"
+
+    # Configuration option global/sparse_segtype_default.
+    # The segment type used by the -V -L combination.
+    # The --type snapshot|thin option overrides this setting.
+    # The combination of -V and -L options creates a sparse LV. There are
+    # two different implementations.
+    #
+    # Accepted values:
+    #   snapshot
+    #     The original snapshot implementation from LVM/DM. It uses an old
+    #     snapshot that mixes data and metadata within a single COW
+    #     storage volume and performs poorly when the size of stored data
+    #     passes hundreds of MB.
+    #   thin
+    #     A newer implementation that uses thin provisioning. It has a
+    #     bigger minimal chunk size (64KiB) and uses a separate volume for
+    #     metadata. It has better performance, especially when more data
+    #     is used. It also supports full snapshots.
+    #
+    sparse_segtype_default: "thin"
+
+    # Configuration option global/lvdisplay_shows_full_device_path.
+    # Enable this to reinstate the previous lvdisplay name format.
+    # The default format for displaying LV names in lvdisplay was changed
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # This configuration option has an automatic default value.
+    # lvdisplay_shows_full_device_path: 0
+
+    # Configuration option global/use_lvmetad.
+    # Use lvmetad to cache metadata and reduce disk scanning.
+    # When enabled (and running), lvmetad provides LVM commands with VG
+    # metadata and PV state. LVM commands then avoid reading this
+    # information from disks which can be slow. When disabled (or not
+    # running), LVM commands fall back to scanning disks to obtain VG
+    # metadata. lvmetad is kept updated via udev rules which must be set
+    # up for LVM to work correctly. (The udev rules should be installed
+    # by default.) Without a proper udev setup, changes in the system's
+    # block device configuration will be unknown to LVM, and ignored
+    # until a manual 'pvscan --cache' is run. If lvmetad was running
+    # while use_lvmetad was disabled, it must be stopped, use_lvmetad
+    # enabled, and then started. When using lvmetad, LV activation is
+    # switched to an automatic, event-based mode. In this mode, LVs are
+    # activated based on incoming udev events that inform lvmetad when
+    # PVs appear on the system. When a VG is complete (all PVs present),
+    # it is auto-activated. The auto_activation_volume_list setting
+    # controls which LVs are auto-activated (all by default.)
+    # When lvmetad is updated (automatically by udev events, or directly
+    # by pvscan --cache), devices/filter is ignored and all devices are
+    # scanned by default. lvmetad always keeps unfiltered information
+    # which is provided to LVM commands. Each LVM command then filters
+    # based on devices/filter. This does not apply to other, non-regexp,
+    # filtering settings: component filters such as multipath and MD
+    # are checked during pvscan --cache. To filter a device and prevent
+    # scanning from the LVM system entirely, including lvmetad, use
+    # devices/global_filter.
+    use_lvmetad: 1
+
+    # Configuration option global/lvmetad_update_wait_time.
+    # The number of seconds a command will wait for lvmetad update to finish.
+    # After waiting for this period, a command will not use lvmetad, and
+    # will revert to disk scanning.
+    # This configuration option has an automatic default value.
+    # lvmetad_update_wait_time: 10
+
+    # Configuration option global/use_lvmlockd.
+    # Use lvmlockd for locking among hosts using LVM on shared storage.
+    # Applicable only if LVM is compiled with lockd support in which
+    # case there is also lvmlockd(8) man page available for more
+    # information.
+    use_lvmlockd: 0
+
+    # Configuration option global/lvmlockd_lock_retries.
+    # Retry lvmlockd lock requests this many times.
+    # Applicable only if LVM is compiled with lockd support
+    # This configuration option has an automatic default value.
+    # lvmlockd_lock_retries: 3
+
+    # Configuration option global/sanlock_lv_extend.
+    # Size in MiB to extend the internal LV holding sanlock locks.
+    # The internal LV holds locks for each LV in the VG, and after enough
+    # LVs have been created, the internal LV needs to be extended. lvcreate
+    # will automatically extend the internal LV when needed by the amount
+    # specified here. Setting this to 0 disables the automatic extension
+    # and can cause lvcreate to fail. Applicable only if LVM is compiled
+    # with lockd support
+    # This configuration option has an automatic default value.
+    # sanlock_lv_extend: 256
+
+    # Configuration option global/thin_check_executable.
+    # The full path to the thin_check command.
+    # LVM uses this command to check that a thin metadata device is in a
+    # usable state. When a thin pool is activated and after it is
+    # deactivated, this command is run. Activation will only proceed if
+    # the command has an exit status of 0. Set to "" to skip this check.
+    # (Not recommended.) Also see thin_check_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_check_executable: "/usr/sbin/thin_check"
+
+    # Configuration option global/thin_dump_executable.
+    # The full path to the thin_dump command.
+    # LVM uses this command to dump thin pool metadata.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_dump_executable: "/usr/sbin/thin_dump"
+
+    # Configuration option global/thin_repair_executable.
+    # The full path to the thin_repair command.
+    # LVM uses this command to repair a thin metadata device if it is in
+    # an unusable state. Also see thin_repair_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_repair_executable: "/usr/sbin/thin_repair"
+
+    # Configuration option global/thin_check_options.
+    # List of options passed to the thin_check command.
+    # With thin_check version 2.1 or newer you can add the option
+    # --ignore-non-fatal-errors to let it pass through ignorable errors
+    # and fix them later. With thin_check version 3.2 or newer you should
+    # include the option --clear-needs-check-flag.
+    # This configuration option has an automatic default value.
+    # thin_check_options: [ "-q", "--clear-needs-check-flag" ]
+
+    # Configuration option global/thin_repair_options.
+    # List of options passed to the thin_repair command.
+    # This configuration option has an automatic default value.
+    # thin_repair_options: [ "" ]
+
+    # Configuration option global/thin_disabled_features.
+    # Features to not use in the thin driver.
+    # This can be helpful for testing, or to avoid using a feature that is
+    # causing problems. Features include: block_size, discards,
+    # discards_non_power_2, external_origin, metadata_resize,
+    # external_origin_extend, error_if_no_space.
+    #
+    # Example
+    # thin_disabled_features: [ "discards", "block_size" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/cache_disabled_features.
+    # Features to not use in the cache driver.
+    # This can be helpful for testing, or to avoid using a feature that is
+    # causing problems. Features include: policy_mq, policy_smq.
+    #
+    # Example
+    # cache_disabled_features: [ "policy_smq" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/cache_check_executable.
+    # The full path to the cache_check command.
+    # LVM uses this command to check that a cache metadata device is in a
+    # usable state. When a cached LV is activated and after it is
+    # deactivated, this command is run. Activation will only proceed if the
+    # command has an exit status of 0. Set to "" to skip this check.
+    # (Not recommended.) Also see cache_check_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_check_executable: "/usr/sbin/cache_check"
+
+    # Configuration option global/cache_dump_executable.
+    # The full path to the cache_dump command.
+    # LVM uses this command to dump cache pool metadata.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_dump_executable: "/usr/sbin/cache_dump"
+
+    # Configuration option global/cache_repair_executable.
+    # The full path to the cache_repair command.
+    # LVM uses this command to repair a cache metadata device if it is in
+    # an unusable state. Also see cache_repair_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_repair_executable: "/usr/sbin/cache_repair"
+
+    # Configuration option global/cache_check_options.
+    # List of options passed to the cache_check command.
+    # With cache_check version 5.0 or newer you should include the option
+    # --clear-needs-check-flag.
+    # This configuration option has an automatic default value.
+    # cache_check_options: [ "-q", "--clear-needs-check-flag" ]
+
+    # Configuration option global/cache_repair_options.
+    # List of options passed to the cache_repair command.
+    # This configuration option has an automatic default value.
+    # cache_repair_options: [ "" ]
+
+    # Configuration option global/system_id_source.
+    # The method LVM uses to set the local system ID.
+    # Volume Groups can also be given a system ID (by vgcreate, vgchange,
+    # or vgimport.) A VG on shared storage devices is accessible only to
+    # the host with a matching system ID. See 'man lvmsystemid' for
+    # information on limitations and correct usage.
+    #
+    # Accepted values:
+    #   none
+    #     The host has no system ID.
+    #   lvmlocal
+    #     Obtain the system ID from the system_id setting in the 'local'
+    #     section of an lvm configuration file, e.g. lvmlocal.conf.
+    #   uname
+    #     Set the system ID from the hostname (uname) of the system.
+    #     System IDs beginning localhost are not permitted.
+    #   machineid
+    #     Use the contents of the machine-id file to set the system ID.
+    #     Some systems create this file at installation time.
+    #     See 'man machine-id' and global/etc.
+    #   file
+    #     Use the contents of another file (system_id_file) to set the
+    #     system ID.
+    #
+    system_id_source: "none"
+
+    # Configuration option global/system_id_file.
+    # The full path to the file containing a system ID.
+    # This is used when system_id_source is set to 'file'.
+    # Comments starting with the character # are ignored.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/use_lvmpolld.
+    # Use lvmpolld to supervise long running LVM commands.
+    # When enabled, control of long running LVM commands is transferred
+    # from the original LVM command to the lvmpolld daemon. This allows
+    # the operation to continue independent of the original LVM command.
+    # After lvmpolld takes over, the LVM command displays the progress
+    # of the ongoing operation. lvmpolld itself runs LVM commands to
+    # manage the progress of ongoing operations. lvmpolld can be used as
+    # a native systemd service, which allows it to be started on demand,
+    # and to use its own control group. When this option is disabled, LVM
+    # commands will supervise long running operations by forking themselves.
+    # Applicable only if LVM is compiled with lvmpolld support.
+    use_lvmpolld: 1
+
+    # Configuration option global/notify_dbus.
+    # Enable D-Bus notification from LVM commands.
+    # When enabled, an LVM command that changes PVs, changes VG metadata,
+    # or changes the activation state of an LV will send a notification.
+    notify_dbus: 1
+
+  # Configuration section activation.
+  activation:
+
+    # Configuration option activation/checks.
+    # Perform internal checks of libdevmapper operations.
+    # Useful for debugging problems with activation. Some of the checks may
+    # be expensive, so it's best to use this only when there seems to be a
+    # problem.
+    checks: 0
+
+    # Configuration option activation/udev_sync.
+    # Use udev notifications to synchronize udev and LVM.
+    # The --nodevsync option overrides this setting.
+    # When disabled, LVM commands will not wait for notifications from
+    # udev, but continue irrespective of any possible udev processing in
+    # the background. Only use this if udev is not running or has rules
+    # that ignore the devices LVM creates. If enabled when udev is not
+    # running, and LVM processes are waiting for udev, run the command
+    # 'dmsetup udevcomplete_all' to wake them up.
+    udev_sync: 1
+
+    # Configuration option activation/udev_rules.
+    # Use udev rules to manage LV device nodes and symlinks.
+    # When disabled, LVM will manage the device nodes and symlinks for
+    # active LVs itself. Manual intervention may be required if this
+    # setting is changed while LVs are active.
+    udev_rules: 1
+
+    # Configuration option activation/verify_udev_operations.
+    # Use extra checks in LVM to verify udev operations.
+    # This enables additional checks (and if necessary, repairs) on entries
+    # in the device directory after udev has completed processing its
+    # events. Useful for diagnosing problems with LVM/udev interactions.
+    verify_udev_operations: 0
+
+    # Configuration option activation/retry_deactivation.
+    # Retry failed LV deactivation.
+    # If LV deactivation fails, LVM will retry for a few seconds before
+    # failing. This may happen because a process run from a quick udev rule
+    # temporarily opened the device.
+    retry_deactivation: 1
+
+    # Configuration option activation/missing_stripe_filler.
+    # Method to fill missing stripes when activating an incomplete LV.
+    # Using 'error' will make inaccessible parts of the device return I/O
+    # errors on access. You can instead use a device path, in which case,
+    # that device will be used in place of missing stripes. Using anything
+    # other than 'error' with mirrored or snapshotted volumes is likely to
+    # result in data corruption.
+    # This configuration option is advanced.
+    missing_stripe_filler: "error"
+
+    # Configuration option activation/use_linear_target.
+    # Use the linear target to optimize single stripe LVs.
+    # When disabled, the striped target is used. The linear target is an
+    # optimised version of the striped target that only handles a single
+    # stripe.
+    use_linear_target: 1
+
+    # Configuration option activation/reserved_stack.
+    # Stack size in KiB to reserve for use while devices are suspended.
+    # Insufficient reserve risks I/O deadlock during device suspension.
+    reserved_stack: 64
+
+    # Configuration option activation/reserved_memory.
+    # Memory size in KiB to reserve for use while devices are suspended.
+    # Insufficient reserve risks I/O deadlock during device suspension.
+    reserved_memory: 8192
+
+    # Configuration option activation/process_priority.
+    # Nice value used while devices are suspended.
+    # Use a high priority so that LVs are suspended
+    # for the shortest possible time.
+    process_priority: -18
+
+    # Configuration option activation/volume_list.
+    # Only LVs selected by this list are activated.
+    # If this list is defined, an LV is only activated if it matches an
+    # entry in this list. If this list is undefined, it imposes no limits
+    # on LV activation (all are allowed).
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/auto_activation_volume_list.
+    # Only LVs selected by this list are auto-activated.
+    # This list works like volume_list, but it is used only by
+    # auto-activation commands. It does not apply to direct activation
+    # commands. If this list is defined, an LV is only auto-activated
+    # if it matches an entry in this list. If this list is undefined, it
+    # imposes no limits on LV auto-activation (all are allowed.) If this
+    # list is defined and empty, i.e. "[]", then no LVs are selected for
+    # auto-activation. An LV that is selected by this list for
+    # auto-activation, must also be selected by volume_list (if defined)
+    # before it is activated. Auto-activation is an activation command that
+    # includes the 'a' argument: --activate ay or -a ay. The 'a' (auto)
+    # argument for auto-activation is meant to be used by activation
+    # commands that are run automatically by the system, as opposed to LVM
+    # commands run directly by a user. A user may also use the 'a' flag
+    # directly to perform auto-activation. Also see pvscan(8) for more
+    # information about auto-activation.
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # auto_activation_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/read_only_volume_list.
+    # LVs in this list are activated in read-only mode.
+    # If this list is defined, each LV that is to be activated is checked
+    # against this list, and if it matches, it is activated in read-only
+    # mode. This overrides the permission setting stored in the metadata,
+    # e.g. from --permission rw.
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # read_only_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/raid_region_size.
+    # Size in KiB of each raid or mirror synchronization region.
+    # For raid or mirror segment types, this is the amount of data that is
+    # copied at once when initializing, or moved at once by pvmove.
+    raid_region_size: 512
+
+    # Configuration option activation/error_when_full.
+    # Return errors if a thin pool runs out of space.
+    # The --errorwhenfull option overrides this setting.
+    # When enabled, writes to thin LVs immediately return an error if the
+    # thin pool is out of data space. When disabled, writes to thin LVs
+    # are queued if the thin pool is out of space, and processed when the
+    # thin pool data space is extended. New thin pools are assigned the
+    # behavior defined here.
+    # This configuration option has an automatic default value.
+    # error_when_full: 0
+
+    # Configuration option activation/readahead.
+    # Setting to use when there is no readahead setting in metadata.
+    #
+    # Accepted values:
+    #   none
+    #     Disable readahead.
+    #   auto
+    #     Use default value chosen by kernel.
+    #
+    readahead: "auto"
+
+    # Configuration option activation/raid_fault_policy.
+    # Defines how a device failure in a RAID LV is handled.
+    # This includes LVs that have the following segment types:
+    # raid1, raid4, raid5*, and raid6*.
+    # If a device in the LV fails, the policy determines the steps
+    # performed by dmeventd automatically, and the steps performed by the
+    # manual command lvconvert --repair --use-policies.
+    # Automatic handling requires dmeventd to be monitoring the LV.
+    #
+    # Accepted values:
+    #   warn
+    #     Use the system log to warn the user that a device in the RAID LV
+    #     has failed. It is left to the user to run lvconvert --repair
+    #     manually to remove or replace the failed device. As long as the
+    #     number of failed devices does not exceed the redundancy of the LV
+    #     (1 device for raid4/5, 2 for raid6), the LV will remain usable.
+    #   allocate
+    #     Attempt to use any extra physical volumes in the VG as spares and
+    #     replace faulty devices.
+    #
+    raid_fault_policy: "warn"
+
+    # Configuration option activation/mirror_image_fault_policy.
+    # Defines how a device failure in a 'mirror' LV is handled.
+    # An LV with the 'mirror' segment type is composed of mirror images
+    # (copies) and a mirror log. A disk log ensures that a mirror LV does
+    # not need to be re-synced (all copies made the same) every time a
+    # machine reboots or crashes. If a device in the LV fails, this policy
+    # determines the steps performed by dmeventd automatically, and the steps
+    # performed by the manual command lvconvert --repair --use-policies.
+    # Automatic handling requires dmeventd to be monitoring the LV.
+    #
+    # Accepted values:
+    #   remove
+    #     Simply remove the faulty device and run without it. If the log
+    #     device fails, the mirror would convert to using an in-memory log.
+    #     This means the mirror will not remember its sync status across
+    #     crashes/reboots and the entire mirror will be re-synced. If a
+    #     mirror image fails, the mirror will convert to a non-mirrored
+    #     device if there is only one remaining good copy.
+    #   allocate
+    #     Remove the faulty device and try to allocate space on a new
+    #     device to be a replacement for the failed device. Using this
+    #     policy for the log is fast and maintains the ability to remember
+    #     sync state through crashes/reboots. Using this policy for a
+    #     mirror device is slow, as it requires the mirror to resynchronize
+    #     the devices, but it will preserve the mirror characteristic of
+    #     the device. This policy acts like 'remove' if no suitable device
+    #     and space can be allocated for the replacement.
+    #   allocate_anywhere
+    #     Not yet implemented. Useful to place the log device temporarily
+    #     on the same physical volume as one of the mirror images. This
+    #     policy is not recommended for mirror devices since it would break
+    #     the redundant nature of the mirror. This policy acts like
+    #     'remove' if no suitable device and space can be allocated for the
+    #     replacement.
+    #
+    mirror_image_fault_policy: "remove"
+
+    # Configuration option activation/mirror_log_fault_policy.
+    # Defines how a device failure in a 'mirror' log LV is handled.
+    # The mirror_image_fault_policy description for mirrored LVs also
+    # applies to mirrored log LVs.
+    mirror_log_fault_policy: "allocate"
+
+    # Configuration option activation/snapshot_autoextend_threshold.
+    # Auto-extend a snapshot when its usage exceeds this percent.
+    # Setting this to 100 disables automatic extension.
+    # The minimum value is 50 (a smaller value is treated as 50.)
+    # Also see snapshot_autoextend_percent.
+    # Automatic extension requires dmeventd to be monitoring the LV.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # snapshot_autoextend_threshold: 70
+    #
+    snapshot_autoextend_threshold: 100
+
+    # Configuration option activation/snapshot_autoextend_percent.
+    # Auto-extending a snapshot adds this percent extra space.
+    # The amount of additional space added to a snapshot is this
+    # percent of its current size.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # snapshot_autoextend_percent: 20
+    #
+    snapshot_autoextend_percent: 20
+
+    # Configuration option activation/thin_pool_autoextend_threshold.
+    # Auto-extend a thin pool when its usage exceeds this percent.
+    # Setting this to 100 disables automatic extension.
+    # The minimum value is 50 (a smaller value is treated as 50.)
+    # Also see thin_pool_autoextend_percent.
+    # Automatic extension requires dmeventd to be monitoring the LV.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # thin_pool_autoextend_threshold: 70
+    #
+    thin_pool_autoextend_threshold: 100
+
+    # Configuration option activation/thin_pool_autoextend_percent.
+    # Auto-extending a thin pool adds this percent extra space.
+    # The amount of additional space added to a thin pool is this
+    # percent of its current size.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # thin_pool_autoextend_percent: 20
+    #
+    thin_pool_autoextend_percent: 20
+
+    # Configuration option activation/mlock_filter.
+    # Do not mlock these memory areas.
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended. As a precaution against deadlocks, LVM pins memory it is
+    # using so it is not paged out, and will not require I/O to reread.
+    # Groups of pages that are known not to be accessed during activation
+    # do not need to be pinned into memory. Each string listed in this
+    # setting is compared against each line in /proc/self/maps, and the
+    # pages corresponding to lines that match are not pinned. On some
+    # systems, locale-archive was found to make up over 80% of the memory
+    # used by the process.
+    #
+    # Example
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+    #
+    # This configuration option is advanced.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/use_mlockall.
+    # Use the old behavior of mlockall to pin all memory.
+    # Prior to version 2.02.62, LVM used mlockall() to pin the whole
+    # process's memory while activating devices.
+    use_mlockall: 0
+
+    # Configuration option activation/monitoring.
+    # Monitor LVs that are activated.
+    # The --ignoremonitoring option overrides this setting.
+    # When enabled, LVM will ask dmeventd to monitor activated LVs.
+    monitoring: 1
+
+    # Configuration option activation/polling_interval.
+    # Check pvmove or lvconvert progress at this interval (seconds).
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress at
+    # intervals of this number of seconds. If this is set to 0 and there
+    # is only one thing to wait for, there are no progress reports, but
+    # the process is awoken immediately once the operation is complete.
+    polling_interval: 15
+
+    # Configuration option activation/auto_set_activation_skip.
+    # Set the activation skip flag on new thin snapshot LVs.
+    # The --setactivationskip option overrides this setting.
+    # An LV can have a persistent 'activation skip' flag. The flag causes
+    # the LV to be skipped during normal activation. The lvchange/vgchange
+    # -K option is required to activate LVs that have the activation skip
+    # flag set. When this setting is enabled, the activation skip flag is
+    # set on new thin snapshot LVs.
+    # This configuration option has an automatic default value.
+    # auto_set_activation_skip: 1
+
+    # Configuration option activation/activation_mode.
+    # How LVs with missing devices are activated.
+    # The --activationmode option overrides this setting.
+    #
+    # Accepted values:
+    #   complete
+    #     Only allow activation of an LV if all of the Physical Volumes it
+    #     uses are present. Other PVs in the Volume Group may be missing.
+    #   degraded
+    #     Like complete, but additionally RAID LVs of segment type raid1,
+    #     raid4, raid5, radid6 and raid10 will be activated if there is no
+    #     data loss, i.e. they have sufficient redundancy to present the
+    #     entire addressable range of the Logical Volume.
+    #   partial
+    #     Allows the activation of any LV even if a missing or failed PV
+    #     could cause data loss with a portion of the LV inaccessible.
+    #     This setting should not normally be used, but may sometimes
+    #     assist with data recovery.
+    #
+    activation_mode: "degraded"
+
+    # Configuration option activation/lock_start_list.
+    # Locking is started only for VGs selected by this list.
+    # The rules are the same as those for volume_list.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/auto_lock_start_list.
+    # Locking is auto-started only for VGs selected by this list.
+    # The rules are the same as those for auto_activation_volume_list.
+    # This configuration option does not have a default value defined.
+
+  # Configuration section metadata.
+  # This configuration section has an automatic default value.
+  # metadata:
+
+    # Configuration option metadata/check_pv_device_sizes.
+    # Check device sizes are not smaller than corresponding PV sizes.
+    # If device size is less than corresponding PV size found in metadata,
+    # there is always a risk of data loss. If this option is set, then LVM
+    # issues a warning message each time it finds that the device size is
+    # less than corresponding PV size. You should not disable this unless
+    # you are absolutely sure about what you are doing!
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # check_pv_device_sizes: 1
+
+    # Configuration option metadata/record_lvs_history.
+    # When enabled, LVM keeps history records about removed LVs in
+    # metadata. The information that is recorded in metadata for
+    # historical LVs is reduced when compared to original
+    # information kept in metadata for live LVs. Currently, this
+    # feature is supported for thin and thin snapshot LVs only.
+    # This configuration option has an automatic default value.
+    # record_lvs_history: 0
+
+    # Configuration option metadata/lvs_history_retention_time.
+    # Retention time in seconds after which a record about individual
+    # historical logical volume is automatically destroyed.
+    # A value of 0 disables this feature.
+    # This configuration option has an automatic default value.
+    # lvs_history_retention_time: 0
+
+    # Configuration option metadata/pvmetadatacopies.
+    # Number of copies of metadata to store on each PV.
+    # The --pvmetadatacopies option overrides this setting.
+    #
+    # Accepted values:
+    #   2
+    #     Two copies of the VG metadata are stored on the PV, one at the
+    #     front of the PV, and one at the end.
+    #   1
+    #     One copy of VG metadata is stored at the front of the PV.
+    #   0
+    #     No copies of VG metadata are stored on the PV. This may be
+    #     useful for VGs containing large numbers of PVs.
+    #
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # pvmetadatacopies: 1
+
+    # Configuration option metadata/vgmetadatacopies.
+    # Number of copies of metadata to maintain for each VG.
+    # The --vgmetadatacopies option overrides this setting.
+    # If set to a non-zero value, LVM automatically chooses which of the
+    # available metadata areas to use to achieve the requested number of
+    # copies of the VG metadata. If you set a value larger than the the
+    # total number of metadata areas available, then metadata is stored in
+    # them all. The value 0 (unmanaged) disables this automatic management
+    # and allows you to control which metadata areas are used at the
+    # individual PV level using pvchange --metadataignore y|n.
+    # This configuration option has an automatic default value.
+    # vgmetadatacopies: 0
+
+    # Configuration option metadata/pvmetadatasize.
+    # Approximate number of sectors to use for each metadata copy.
+    # VGs with large numbers of PVs or LVs, or VGs containing complex LV
+    # structures, may need additional space for VG metadata. The metadata
+    # areas are treated as circular buffers, so unused space becomes filled
+    # with an archive of the most recent previous versions of the metadata.
+    # This configuration option has an automatic default value.
+    # pvmetadatasize: 255
+
+    # Configuration option metadata/pvmetadataignore.
+    # Ignore metadata areas on a new PV.
+    # The --metadataignore option overrides this setting.
+    # If metadata areas on a PV are ignored, LVM will not store metadata
+    # in them.
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # pvmetadataignore: 0
+
+    # Configuration option metadata/stripesize.
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # stripesize: 64
+
+    # Configuration option metadata/dirs.
+    # Directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other
+    # on-disk metadata (pvmetadatacopies: 0). Or this can be in addition
+    # to on-disk metadata areas. The feature was originally added to
+    # simplify testing and is not supported under low memory situations -
+    # the machine could lock up. Never edit any files in these directories
+    # by hand unless you are absolutely sure you know what you are doing!
+    # Use the supplied toolset to make changes (e.g. vgcfgrestore).
+    #
+    # Example
+    # dirs: [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+    #
+    # This configuration option is advanced.
+    # This configuration option does not have a default value defined.
+
+  # Configuration section report.
+  # LVM report command output formatting.
+  # This configuration section has an automatic default value.
+  # report:
+
+    # Configuration option report/output_format.
+    # Format of LVM command's report output.
+    # If there is more than one report per command, then the format
+    # is applied for all reports. You can also change output format
+    # directly on command line using --reportformat option which
+    # has precedence over log/output_format setting.
+    # Accepted values:
+    #   basic
+    #     Original format with columns and rows. If there is more than
+    #     one report per command, each report is prefixed with report's
+    #     name for identification.
+    #   json
+    #     JSON format.
+    # This configuration option has an automatic default value.
+    # output_format: "basic"
+
+    # Configuration option report/compact_output.
+    # Do not print empty values for all report fields.
+    # If enabled, all fields that don't have a value set for any of the
+    # rows reported are skipped and not printed. Compact output is
+    # applicable only if report/buffered is enabled. If you need to
+    # compact only specified fields, use compact_output=0 and define
+    # report/compact_output_cols configuration setting instead.
+    # This configuration option has an automatic default value.
+    # compact_output: 0
+
+    # Configuration option report/compact_output_cols.
+    # Do not print empty values for specified report fields.
+    # If defined, specified fields that don't have a value set for any
+    # of the rows reported are skipped and not printed. Compact output
+    # is applicable only if report/buffered is enabled. If you need to
+    # compact all fields, use compact_output=1 instead in which case
+    # the compact_output_cols setting is then ignored.
+    # This configuration option has an automatic default value.
+    # compact_output_cols: ""
+
+    # Configuration option report/aligned.
+    # Align columns in report output.
+    # This configuration option has an automatic default value.
+    # aligned: 1
+
+    # Configuration option report/buffered.
+    # Buffer report output.
+    # When buffered reporting is used, the report's content is appended
+    # incrementally to include each object being reported until the report
+    # is flushed to output which normally happens at the end of command
+    # execution. Otherwise, if buffering is not used, each object is
+    # reported as soon as its processing is finished.
+    # This configuration option has an automatic default value.
+    # buffered: 1
+
+    # Configuration option report/headings.
+    # Show headings for columns on report.
+    # This configuration option has an automatic default value.
+    # headings: 1
+
+    # Configuration option report/separator.
+    # A separator to use on report after each field.
+    # This configuration option has an automatic default value.
+    # separator: " "
+
+    # Configuration option report/list_item_separator.
+    # A separator to use for list items when reported.
+    # This configuration option has an automatic default value.
+    # list_item_separator: ","
+
+    # Configuration option report/prefixes.
+    # Use a field name prefix for each field reported.
+    # This configuration option has an automatic default value.
+    # prefixes: 0
+
+    # Configuration option report/quoted.
+    # Quote field values when using field name prefixes.
+    # This configuration option has an automatic default value.
+    # quoted: 1
+
+    # Configuration option report/columns_as_rows.
+    # Output each column as a row.
+    # If set, this also implies report/prefixes=1.
+    # This configuration option has an automatic default value.
+    # columns_as_rows: 0
+
+    # Configuration option report/binary_values_as_numeric.
+    # Use binary values 0 or 1 instead of descriptive literal values.
+    # For columns that have exactly two valid values to report
+    # (not counting the 'unknown' value which denotes that the
+    # value could not be determined).
+    # This configuration option has an automatic default value.
+    # binary_values_as_numeric: 0
+
+    # Configuration option report/time_format.
+    # Set time format for fields reporting time values.
+    # Format specification is a string which may contain special character
+    # sequences and ordinary character sequences. Ordinary character
+    # sequences are copied verbatim. Each special character sequence is
+    # introduced by the '%' character and such sequence is then
+    # substituted with a value as described below.
+    #
+    # Accepted values:
+    #   %a
+    #     The abbreviated name of the day of the week according to the
+    #     current locale.
+    #   %A
+    #     The full name of the day of the week according to the current
+    #     locale.
+    #   %b
+    #     The abbreviated month name according to the current locale.
+    #   %B
+    #     The full month name according to the current locale.
+    #   %c
+    #     The preferred date and time representation for the current
+    #     locale (alt E)
+    #   %C
+    #     The century number (year/100) as a 2-digit integer. (alt E)
+    #   %d
+    #     The day of the month as a decimal number (range 01 to 31).
+    #     (alt O)
+    #   %D
+    #     Equivalent to %m/%d/%y. (For Americans only. Americans should
+    #     note that in other countries%d/%m/%y is rather common. This
+    #     means that in international context this format is ambiguous and
+    #     should not be used.
+    #   %e
+    #     Like %d, the day of the month as a decimal number, but a leading
+    #     zero is replaced by a space. (alt O)
+    #   %E
+    #     Modifier: use alternative local-dependent representation if
+    #     available.
+    #   %F
+    #     Equivalent to %Y-%m-%d (the ISO 8601 date format).
+    #   %G
+    #     The ISO 8601 week-based year with century as adecimal number.
+    #     The 4-digit year corresponding to the ISO week number (see %V).
+    #     This has the same format and value as %Y, except that if the
+    #     ISO week number belongs to the previous or next year, that year
+    #     is used instead.
+    #   %g
+    #     Like %G, but without century, that is, with a 2-digit year
+    #     (00-99).
+    #   %h
+    #     Equivalent to %b.
+    #   %H
+    #     The hour as a decimal number using a 24-hour clock
+    #     (range 00 to 23). (alt O)
+    #   %I
+    #     The hour as a decimal number using a 12-hour clock
+    #     (range 01 to 12). (alt O)
+    #   %j
+    #     The day of the year as a decimal number (range 001 to 366).
+    #   %k
+    #     The hour (24-hour clock) as a decimal number (range 0 to 23);
+    #     single digits are preceded by a blank. (See also %H.)
+    #   %l
+    #     The hour (12-hour clock) as a decimal number (range 1 to 12);
+    #     single digits are preceded by a blank. (See also %I.)
+    #   %m
+    #     The month as a decimal number (range 01 to 12). (alt O)
+    #   %M
+    #     The minute as a decimal number (range 00 to 59). (alt O)
+    #   %O
+    #     Modifier: use alternative numeric symbols.
+    #   %p
+    #     Either "AM" or "PM" according to the given time value,
+    #     or the corresponding strings for the current locale. Noon is
+    #     treated as "PM" and midnight as "AM".
+    #   %P
+    #     Like %p but in lowercase: "am" or "pm" or a corresponding
+    #     string for the current locale.
+    #   %r
+    #     The time in a.m. or p.m. notation. In the POSIX locale this is
+    #     equivalent to %I:%M:%S %p.
+    #   %R
+    #     The time in 24-hour notation (%H:%M). For a version including
+    #     the seconds, see %T below.
+    #   %s
+    #     The number of seconds since the Epoch,
+    #     1970-01-01 00:00:00 +0000 (UTC)
+    #   %S
+    #     The second as a decimal number (range 00 to 60). (The range is
+    #     up to 60 to allow for occasional leap seconds.) (alt O)
+    #   %t
+    #     A tab character.
+    #   %T
+    #     The time in 24-hour notation (%H:%M:%S).
+    #   %u
+    #     The day of the week as a decimal, range 1 to 7, Monday being 1.
+    #     See also %w. (alt O)
+    #   %U
+    #     The week number of the current year as a decimal number,
+    #     range 00 to 53, starting with the first Sunday as the first
+    #     day of week 01. See also %V and %W. (alt O)
+    #   %V
+    #     The ISO 8601 week number of the current year as a decimal number,
+    #     range 01 to 53, where week 1 is the first week that has at least
+    #     4 days in the new year. See also %U and %W. (alt O)
+    #   %w
+    #     The day of the week as a decimal, range 0 to 6, Sunday being 0.
+    #     See also %u. (alt O)
+    #   %W
+    #     The week number of the current year as a decimal number,
+    #     range 00 to 53, starting with the first Monday as the first day
+    #     of week 01. (alt O)
+    #   %x
+    #     The preferred date representation for the current locale without
+    #     the time. (alt E)
+    #   %X
+    #     The preferred time representation for the current locale without
+    #     the date. (alt E)
+    #   %y
+    #     The year as a decimal number without a century (range 00 to 99).
+    #     (alt E, alt O)
+    #   %Y
+    #     The year as a decimal number including the century. (alt E)
+    #   %z
+    #     The +hhmm or -hhmm numeric timezone (that is, the hour and minute
+    #     offset from UTC).
+    #   %Z
+    #     The timezone name or abbreviation.
+    #   %%
+    #     A literal '%' character.
+    #
+    # This configuration option has an automatic default value.
+    # time_format: "%Y-%m-%d %T %z"
+
+    # Configuration option report/devtypes_sort.
+    # List of columns to sort by when reporting 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_sort: "devtype_name"
+
+    # Configuration option report/devtypes_cols.
+    # List of columns to report for 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_cols: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Configuration option report/devtypes_cols_verbose.
+    # List of columns to report for 'lvm devtypes' command in verbose mode.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_cols_verbose: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Configuration option report/lvs_sort.
+    # List of columns to sort by when reporting 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_sort: "vg_name,lv_name"
+
+    # Configuration option report/lvs_cols.
+    # List of columns to report for 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols: "lv_name,vg_name,lv_attr,lv_size,pool_lv,origin,data_percent,metadata_percent,move_pv,mirror_log,copy_percent,convert_lv"
+
+    # Configuration option report/lvs_cols_verbose.
+    # List of columns to report for 'lvs' command in verbose mode.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols_verbose: "lv_name,vg_name,seg_count,lv_attr,lv_size,lv_major,lv_minor,lv_kernel_major,lv_kernel_minor,pool_lv,origin,data_percent,metadata_percent,move_pv,copy_percent,mirror_log,convert_lv,lv_uuid,lv_profile"
+
+    # Configuration option report/vgs_sort.
+    # List of columns to sort by when reporting 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_sort: "vg_name"
+
+    # Configuration option report/vgs_cols.
+    # List of columns to report for 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols: "vg_name,pv_count,lv_count,snap_count,vg_attr,vg_size,vg_free"
+
+    # Configuration option report/vgs_cols_verbose.
+    # List of columns to report for 'vgs' command in verbose mode.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols_verbose: "vg_name,vg_attr,vg_extent_size,pv_count,lv_count,snap_count,vg_size,vg_free,vg_uuid,vg_profile"
+
+    # Configuration option report/pvs_sort.
+    # List of columns to sort by when reporting 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_sort: "pv_name"
+
+    # Configuration option report/pvs_cols.
+    # List of columns to report for 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free"
+
+    # Configuration option report/pvs_cols_verbose.
+    # List of columns to report for 'pvs' command in verbose mode.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,dev_size,pv_uuid"
+
+    # Configuration option report/segs_sort.
+    # List of columns to sort by when reporting 'lvs --segments' command.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_sort: "vg_name,lv_name,seg_start"
+
+    # Configuration option report/segs_cols.
+    # List of columns to report for 'lvs --segments' command.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols: "lv_name,vg_name,lv_attr,stripes,segtype,seg_size"
+
+    # Configuration option report/segs_cols_verbose.
+    # List of columns to report for 'lvs --segments' command in verbose mode.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols_verbose: "lv_name,vg_name,lv_attr,seg_start,seg_size,stripes,segtype,stripesize,chunksize"
+
+    # Configuration option report/pvsegs_sort.
+    # List of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_sort: "pv_name,pvseg_start"
+
+    # Configuration option report/pvsegs_cols.
+    # List of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size"
+
+    # Configuration option report/pvsegs_cols_verbose.
+    # List of columns to sort by when reporting 'pvs --segments' command in verbose mode.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size,lv_name,seg_start_pe,segtype,seg_pe_ranges"
+
+    # Configuration option report/vgs_cols_full.
+    # List of columns to report for lvm fullreport's 'vgs' subreport.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols_full: "vg_all"
+
+    # Configuration option report/pvs_cols_full.
+    # List of columns to report for lvm fullreport's 'vgs' subreport.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols_full: "pv_all"
+
+    # Configuration option report/lvs_cols_full.
+    # List of columns to report for lvm fullreport's 'lvs' subreport.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols_full: "lv_all"
+
+    # Configuration option report/pvsegs_cols_full.
+    # List of columns to report for lvm fullreport's 'pvseg' subreport.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols_full: "pvseg_all,pv_uuid,lv_uuid"
+
+    # Configuration option report/segs_cols_full.
+    # List of columns to report for lvm fullreport's 'seg' subreport.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols_full: "seg_all,lv_uuid"
+
+    # Configuration option report/vgs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'vgs' subreport.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_sort_full: "vg_name"
+
+    # Configuration option report/pvs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'vgs' subreport.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_sort_full: "pv_name"
+
+    # Configuration option report/lvs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'lvs' subreport.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_sort_full: "vg_name,lv_name"
+
+    # Configuration option report/pvsegs_sort_full.
+    # List of columns to sort by when reporting for lvm fullreport's 'pvseg' subreport.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_sort_full: "pv_uuid,pvseg_start"
+
+    # Configuration option report/segs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'seg' subreport.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_sort_full: "lv_uuid,seg_start"
+
+    # Configuration option report/mark_hidden_devices.
+    # Use brackets [] to mark hidden devices.
+    # This configuration option has an automatic default value.
+    # mark_hidden_devices: 1
+
+    # Configuration option report/two_word_unknown_device.
+    # Use the two words 'unknown device' in place of '[unknown]'.
+    # This is displayed when the device for a PV is not known.
+    # This configuration option has an automatic default value.
+    # two_word_unknown_device: 0
+
+  # Configuration section dmeventd.
+  # Settings for the LVM event daemon.
+  dmeventd:
+
+    # Configuration option dmeventd/mirror_library.
+    # The library dmeventd uses when monitoring a mirror device.
+    # libdevmapper-event-lvm2mirror.so attempts to recover from
+    # failures. It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # Configuration option dmeventd/raid_library.
+    # This configuration option has an automatic default value.
+    # raid_library: "libdevmapper-event-lvm2raid.so"
+
+    # Configuration option dmeventd/snapshot_library.
+    # The library dmeventd uses when monitoring a snapshot device.
+    # libdevmapper-event-lvm2snapshot.so monitors the filling of snapshots
+    # and emits a warning through syslog when the usage exceeds 80%. The
+    # warning is repeated when 85%, 90% and 95% of the snapshot is filled.
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
+
+    # Configuration option dmeventd/thin_library.
+    # The library dmeventd uses when monitoring a thin device.
+    # libdevmapper-event-lvm2thin.so monitors the filling of a pool
+    # and emits a warning through syslog when the usage exceeds 80%. The
+    # warning is repeated when 85%, 90% and 95% of the pool is filled.
+    thin_library: "libdevmapper-event-lvm2thin.so"
+
+    # Configuration option dmeventd/executable.
+    # The full path to the dmeventd binary.
+    # This configuration option has an automatic default value.
+    # executable: "/sbin/dmeventd"
+
+  # Configuration section tags.
+  # Host tag settings.
+  # This configuration section has an automatic default value.
+  # tags:
+
+    # Configuration option tags/hosttags.
+    # Create a host tag using the machine name.
+    # The machine name is nodename returned by uname(2).
+    # This configuration option has an automatic default value.
+    # hosttags: 0
+
+    # Configuration section tags/<tag>.
+    # Replace this subsection name with a custom tag name.
+    # Multiple subsections like this can be created. The '@' prefix for
+    # tags is optional. This subsection can contain host_list, which is a
+    # list of machine names. If the name of the local machine is found in
+    # host_list, then the name of this subsection is used as a tag and is
+    # applied to the local machine as a 'host tag'. If this subsection is
+    # empty (has no host_list), then the subsection name is always applied
+    # as a 'host tag'.
+    #
+    # Example
+    # The host tag foo is given to all hosts, and the host tag
+    # bar is given to the hosts named machine1 and machine2.
+    # tags:
+    #   foo: {}
+    #   bar:
+    #     host_list: [ "machine1", "machine2" ]
+    #
+    # This configuration section has variable name.
+    # This configuration section has an automatic default value.
+    # tag:
+
+      # Configuration option tags/<tag>/host_list.
+      # A list of machine names.
+      # These machine names are compared to the nodename returned
+      # by uname(2). If the local machine name matches an entry in
+      # this list, the name of the subsection is applied to the
+      # machine as a 'host tag'.
+      # This configuration option does not have a default value defined.
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.66.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.66.yml
new file mode 100644
index 00000000..1c4bb991
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.66.yml
@@ -0,0 +1,499 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Based on /etc/lvm/lvm.conf from Ubuntu Precise
+lvm__config_base_version: '2.02.66-4ubuntu7.4'
+
+lvm__config_base:
+
+  # This section allows you to configure which block devices should
+  # be used by the LVM system.
+  devices:
+
+    # Where do you want your volume groups to appear ?
+    dir: "/dev"
+
+    # An array of directories that contain the device nodes you wish
+    # to use with LVM2.
+    scan: [ "/dev" ]
+
+    # If several entries in the scanned directories correspond to the
+    # same block device and the tools need to display a name for device,
+    # all the pathnames are matched against each item in the following
+    # list of regular expressions in turn and the first match is used.
+    preferred_names: [ ]
+
+    # Try to avoid using undescriptive /dev/dm-N names, if present.
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+
+    # A filter that tells LVM2 to only use a restricted set of devices.
+    # The filter consists of an array of regular expressions.  These
+    # expressions can be delimited by a character of your choice, and
+    # prefixed with either an 'a' (for accept) or 'r' (for reject).
+    # The first expression found to match a device name determines if
+    # the device will be accepted or rejected (ignored).  Devices that
+    # don't match any patterns are accepted.
+
+    # Be careful if there there are symbolic links or multiple filesystem
+    # entries for the same device as each name is checked separately against
+    # the list of patterns.  The effect is that if any name matches any 'a'
+    # pattern, the device is accepted; otherwise if any name matches any 'r'
+    # pattern it is rejected; otherwise it is accepted.
+
+    # Don't have more than one filter line active at once: only one gets used.
+
+    # Run vgscan after you change this parameter to ensure that
+    # the cache file gets regenerated (see below).
+    # If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
+
+
+    # By default we accept every block device:
+    filter: [ "a/.*/" ]
+
+    # Exclude the cdrom drive
+    # filter: [ "r|/dev/cdrom|" ]
+
+    # When testing I like to work with just loopback devices:
+    # filter: [ "a/loop/", "r/.*/" ]
+
+    # Or maybe all loops and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+
+    # Use anchors if you want to be really specific
+    # filter: [ "a|^/dev/hda8$|", "r/.*/" ]
+
+    # The results of the filtering are cached on disk to avoid
+    # rescanning dud devices (which can take a very long time).
+    # By default this cache is stored in the /etc/lvm/cache directory
+    # in a file called '.cache'.
+    # It is safe to delete the contents: the tools regenerate it.
+    # (The old setting 'cache' is still respected if neither of
+    # these new ones is present.)
+    cache_dir: "/etc/lvm/cache"
+    cache_file_prefix: ""
+
+    # You can turn off writing this cache file by setting this to 0.
+    write_cache_state: 1
+
+    # Advanced settings.
+
+    # List of pairs of additional acceptable block device types found
+    # in /proc/devices with maximum (non-zero) number of partitions.
+    # types: [ "fd", 16 ]
+
+    # If sysfs is mounted (2.6 kernels) restrict device scanning to
+    # the block devices it believes are valid.
+    # 1 enables; 0 disables.
+    sysfs_scan: 1
+
+    # By default, LVM2 will ignore devices used as components of
+    # software RAID (md) devices by looking for md superblocks.
+    # 1 enables; 0 disables.
+    md_component_detection: 1
+
+    # By default, if a PV is placed directly upon an md device, LVM2
+    # will align its data blocks with the md device's stripe-width.
+    # 1 enables; 0 disables.
+    md_chunk_alignment: 1
+
+    # By default, the start of a PV's data area will be a multiple of
+    # the 'minimum_io_size' or 'optimal_io_size' exposed in sysfs.
+    # - minimum_io_size - the smallest request the device can perform
+    #   w/o incurring a read-modify-write penalty (e.g. MD's chunk size)
+    # - optimal_io_size - the device's preferred unit of receiving I/O
+    #   (e.g. MD's stripe width)
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    # 1 enables; 0 disables.
+    data_alignment_detection: 1
+
+    # Alignment (in KB) of start of data area when creating a new PV.
+    # If a PV is placed directly upon an md device and md_chunk_alignment or
+    # data_alignment_detection is enabled this parameter is ignored.
+    # Set to 0 for the default alignment of 64KB or page size, if larger.
+    data_alignment: 0
+
+    # By default, the start of the PV's aligned data area will be shifted by
+    # the 'alignment_offset' exposed in sysfs.  This offset is often 0 but
+    # may be non-zero; e.g.: certain 4KB sector drives that compensate for
+    # windows partitioning will have an alignment_offset of 3584 bytes
+    # (sector 7 is the lowest aligned logical block, the 4KB sectors start
+    # at LBA -1, and consequently sector 63 is aligned on a 4KB boundary).
+    # 1 enables; 0 disables.
+    data_alignment_offset_detection: 1
+
+    # If, while scanning the system for PVs, LVM2 encounters a device-mapper
+    # device that has its I/O suspended, it waits for it to become accessible.
+    # Set this to 1 to skip such devices.  This should only be needed
+    # in recovery situations.
+    ignore_suspended_devices: 0
+
+
+  # This section that allows you to configure the nature of the
+  # information that LVM2 reports.
+  log:
+
+    # Controls the messages sent to stdout or stderr.
+    # There are three levels of verbosity, 3 being the most verbose.
+    verbose: 0
+
+    # Should we send log messages through syslog?
+    # 1 is yes; 0 is no.
+    syslog: 1
+
+    # Should we log error and debug messages to a file?
+    # By default there is no log file.
+    #file: "/var/log/lvm2.log"
+
+    # Should we overwrite the log file each time the program is run?
+    # By default we append.
+    overwrite: 0
+
+    # What level of log messages should we send to the log file and/or syslog?
+    # There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Format of output messages
+    # Whether or not (1 or 0) to indent messages according to their severity
+    indent: 1
+
+    # Whether or not (1 or 0) to display the command name on each line output
+    command_names: 0
+
+    # A prefix to use before the message text (but after the command name,
+    # if selected).  Default is two spaces, so you can see/grep the severity
+    # of each message.
+    prefix: "  "
+
+    # To make the messages look similar to the original LVM tools use:
+    #   indent: 0
+    #   command_names: 1
+    #   prefix: " -- "
+
+    # Set this if you want log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    # activation: 0
+
+
+  # Configuration of metadata backups and archiving.  In LVM2 when we
+  # talk about a 'backup' we mean making a copy of the metadata for the
+  # *current* system.  The 'archive' contains old metadata configurations.
+  # Backups are stored in a human readable text format.
+  backup:
+
+    # Should we maintain a backup of the current metadata configuration ?
+    # Use 1 for Yes; 0 for No.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Where shall we keep it ?
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Should we maintain an archive of old metadata configurations.
+    # Use 1 for Yes; 0 for No.
+    # On by default.  Think very hard before turning this off.
+    archive: 1
+
+    # Where should archived files go ?
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # What is the minimum number of archive files you wish to keep ?
+    retain_min: 10
+
+    # What is the minimum time you wish to keep an archive file for ?
+    retain_days: 30
+
+
+  # Settings for the running LVM2 in shell (readline) mode.
+  shell:
+
+    # Number of lines of history to store in ~/.lvm_history
+    history_size: 100
+
+
+  # Miscellaneous global LVM2 settings
+  global:
+
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    # (umask needs to be quoted because octal)
+    umask: "077"
+
+    # Allow other users to read the files
+    #umask: "022"
+
+    # Enabling test mode means that no changes to the on disk metadata
+    # will be made.  Equivalent to having the -t option on every
+    # command.  Defaults to off.
+    test: 0
+
+    # Default value for --units argument
+    units: "h"
+
+    # Since version 2.02.54, the tools distinguish between powers of
+    # 1024 bytes (e.g. KiB, MiB, GiB) and powers of 1000 bytes (e.g.
+    # KB, MB, GB).
+    # If you have scripts that depend on the old behaviour, set this to 0
+    # temporarily until you update them.
+    si_unit_consistency: 1
+
+    # Whether or not to communicate with the kernel device-mapper.
+    # Set to 0 if you want to use the tools to manipulate LVM metadata
+    # without activating any logical volumes.
+    # If the device-mapper kernel driver is not present in your kernel
+    # setting this to 0 should suppress the error messages.
+    activation: 1
+
+    # If we can't communicate with device-mapper, should we try running
+    # the LVM1 tools?
+    # This option only applies to 2.4 kernels and is provided to help you
+    # switch between device-mapper kernels and LVM1 kernels.
+    # The LVM1 tools need to be installed with .lvm1 suffices
+    # e.g. vgscan.lvm1 and they will stop working after you start using
+    # the new lvm2 on-disk metadata format.
+    # The default value is set when the tools are built.
+    # fallback_to_lvm1: 0
+
+    # The default metadata format that commands should use - "lvm1" or "lvm2".
+    # The command line override is -M1 or -M2.
+    # Defaults to "lvm2".
+    # format: "lvm2"
+
+    # Location of proc filesystem
+    proc: "/proc"
+
+    # Type of locking to use. Defaults to local file-based locking (1).
+    # Turn locking off by setting to 0 (dangerous: risks metadata corruption
+    # if LVM2 commands get run concurrently).
+    # Type 2 uses the external shared library locking_library.
+    # Type 3 uses built-in clustered locking.
+    # Type 4 uses read-only locking which forbids any operations that might
+    # change metadata.
+    locking_type: 1
+
+    # Set to 0 to fail when a lock request cannot be satisfied immediately.
+    wait_for_locks: 1
+
+    # If using external locking (type 2) and initialisation fails,
+    # with this set to 1 an attempt will be made to use the built-in
+    # clustered locking.
+    # If you are using a customised locking_library you should set this to 0.
+    fallback_to_clustered_locking: 1
+
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this set
+    # to 1 an attempt will be made to use local file-based locking (type 1).
+    # If this succeeds, only commands against local volume groups will proceed.
+    # Volume Groups marked as clustered will be ignored.
+    fallback_to_local_locking: 1
+
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress.  A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/var/lock/lvm"
+
+    # Whenever there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to be
+    # serviced.  Without this setting, write access may be stalled by a high
+    # volume of read-only requests.
+    # NB. This option only affects locking_type = 1 viz. local file-based
+    # locking.
+    prioritise_write_locks: 1
+
+    # Other entries can go here to allow you to load shared libraries
+    # e.g. if support for LVM1 metadata was compiled as a shared library use
+    #   format_libraries = "liblvm2format1.so"
+    # Full pathnames can be given.
+
+    # Search this directory first for shared libraries.
+    #   library_dir: "/lib/lvm2"
+
+    # The external locking library to load if locking_type is set to 2.
+    #   locking_library: "liblvm2clusterlock.so"
+
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+
+  activation:
+    # Set to 0 to disable udev synchronisation (if compiled into the binaries).
+    # Processes will not wait for notification from udev.
+    # They will continue irrespective of any possible udev processing
+    # in the background.  You should only use this if udev is not running
+    # or has rules that ignore the devices LVM2 creates.
+    # The command line argument --nodevsync takes precedence over this setting.
+    # If set to 1 when udev is not running, and there are LVM2 processes
+    # waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them up.
+    udev_sync: 1
+
+    # Set to 0 to disable the udev rules installed by LVM2 (if built with
+    # --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
+    # for active logical volumes directly itself.
+    # N.B. Manual intervention may be required if this setting is changed
+    # while any logical volumes are active.
+    udev_rules: 1
+
+    # How to fill in missing stripes if activating an incomplete volume.
+    # Using "error" will make inaccessible parts of the device return
+    # I/O errors on access.  You can instead use a device path, in which
+    # case, that device will be used to in place of missing stripes.
+    # But note that using anything other than "error" with mirrored
+    # or snapshotted volumes is likely to result in data corruption.
+    missing_stripe_filler: "error"
+
+    # How much stack (in KB) to reserve for use while devices suspended
+    reserved_stack: 256
+
+    # How much memory (in KB) to reserve for use while devices suspended
+    reserved_memory: 8192
+
+    # Nice value used while devices suspended
+    process_priority: -18
+
+    # If volume_list is defined, each LV is only activated if there is a
+    # match against the list.
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # Size (in KB) of each copy operation when mirroring
+    mirror_region_size: 512
+
+    # Setting to use when there is no readahead value stored in the metadata.
+    #
+    # "none" - Disable readahead.
+    # "auto" - Use default value chosen by kernel.
+    readahead: "auto"
+
+    # 'mirror_image_fault_policy' and 'mirror_log_fault_policy' define
+    # how a device failure affecting a mirror is handled.
+    # A mirror is composed of mirror images (copies) and a log.
+    # A disk log ensures that a mirror does not need to be re-synced
+    # (all copies made the same) every time a machine reboots or crashes.
+    #
+    # In the event of a failure, the specified policy will be used to determine
+    # what happens. This applies to automatic repairs (when the mirror is being
+    # monitored by dmeventd) and to manual lvconvert --repair when
+    # --use-policies is given.
+    #
+    # "remove" - Simply remove the faulty device and run without it.  If
+    #            the log device fails, the mirror would convert to using
+    #            an in-memory log.  This means the mirror will not
+    #            remember its sync status across crashes/reboots and
+    #            the entire mirror will be re-synced.  If a
+    #            mirror image fails, the mirror will convert to a
+    #            non-mirrored device if there is only one remaining good
+    #            copy.
+    #
+    # "allocate" - Remove the faulty device and try to allocate space on
+    #            a new device to be a replacement for the failed device.
+    #            Using this policy for the log is fast and maintains the
+    #            ability to remember sync state through crashes/reboots.
+    #            Using this policy for a mirror device is slow, as it
+    #            requires the mirror to resynchronize the devices, but it
+    #            will preserve the mirror characteristic of the device.
+    #            This policy acts like "remove" if no suitable device and
+    #            space can be allocated for the replacement.
+    #
+    # "allocate_anywhere" - Not yet implemented. Useful to place the log device
+    #            temporarily on same physical volume as one of the mirror
+    #            images. This policy is not recommended for mirror devices
+    #            since it would break the redundant nature of the mirror. This
+    #            policy acts like "remove" if no suitable device and space can
+    #            be allocated for the replacement.
+
+    mirror_log_fault_policy: "allocate"
+    mirror_image_fault_policy: "remove"
+
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended, and as a precaution against deadlocks, LVM2 needs to pin
+    # any memory it is using so it is not paged out.  Groups of pages that
+    # are known not to be accessed during activation need not be pinned
+    # into memory.  Each string listed in this setting is compared against
+    # each line in /proc/self/maps, and the pages corresponding to any
+    # lines that match are not pinned.  On some systems locale-archive was
+    # found to make up over 80% of the memory used by the process.
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+
+    # Set to 1 to revert to the default behaviour prior to version 2.02.62
+    # which used mlockall() to pin the whole process's memory while activating
+    # devices.
+    use_mlockall: 0
+
+    # Monitoring is enabled by default when activating logical volumes.
+    # Set to 0 to disable monitoring or use the --ignoremonitoring option.
+    monitoring: 1
+
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress
+    # at intervals of this number of seconds.  The default is 15 seconds.
+    # If this is set to 0 and there is only one thing to wait for, there
+    # are no progress reports, but the process is awoken immediately the
+    # operation is complete.
+    polling_interval: 15
+
+
+####################
+# Advanced section #
+####################
+
+  # Metadata settings
+  #
+  # metadata:
+    # Default number of copies of metadata to hold on each PV.  0, 1 or 2.
+    # You might want to override it from the command line with 0
+    # when running pvcreate on new PVs which are to be added to large VGs.
+
+    # pvmetadatacopies: 1
+
+    # Approximate default size of on-disk metadata areas in sectors.
+    # You should increase this if you have large volume groups or
+    # you want to retain a large on-disk history of your metadata changes.
+
+    # pvmetadatasize: 255
+
+    # List of directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM2 with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other
+    # on-disk metadata (pvmetadatacopies = 0). Or this can be in
+    # addition to on-disk metadata areas.
+    # The feature was originally added to simplify testing and is not
+    # supported under low memory situations - the machine could lock up.
+    #
+    # Never edit any files in these directories by hand unless you
+    # you are absolutely sure you know what you are doing! Use
+    # the supplied toolset to make changes (e.g. vgcfgrestore).
+
+    # dirs: [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+
+
+  # Event daemon
+  #
+  dmeventd:
+    # mirror_library is the library used when monitoring a mirror device.
+    #
+    # "libdevmapper-event-lvm2mirror.so" attempts to recover from
+    # failures.  It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # snapshot_library is the library used when monitoring a snapshot device.
+    #
+    # "libdevmapper-event-lvm2snapshot.so" monitors the filling of
+    # snapshots and emits a warning through syslog, when the use of
+    # snapshot exceedes 80%. The warning is repeated when 85%, 90% and
+    # 95% of the snapshot are filled.
+
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.95.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.95.yml
new file mode 100644
index 00000000..0e26c289
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.95.yml
@@ -0,0 +1,768 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Based on /etc/lvm/lvm.conf from Debian Wheezy
+lvm__config_base_version: '2.02.95-8'
+
+lvm__config_base:
+
+  # This section allows you to configure which block devices should
+  # be used by the LVM system.
+  devices:
+
+    # Where do you want your volume groups to appear ?
+    dir: "/dev"
+
+    # An array of directories that contain the device nodes you wish
+    # to use with LVM2.
+    scan: [ "/dev" ]
+
+    # If set, the cache of block device nodes with all associated symlinks
+    # will be constructed out of the existing udev database content.
+    # This avoids using and opening any inapplicable non-block devices or
+    # subdirectories found in the device directory. This setting is applied
+    # to udev-managed device directory only, other directories will be scanned
+    # fully. LVM2 needs to be compiled with udev support for this setting to
+    # take effect. N.B. Any device node or symlink not managed by udev in
+    # udev directory will be ignored with this setting on.
+    obtain_device_list_from_udev: 1
+
+    # If several entries in the scanned directories correspond to the
+    # same block device and the tools need to display a name for device,
+    # all the pathnames are matched against each item in the following
+    # list of regular expressions in turn and the first match is used.
+    preferred_names: [ ]
+
+    # Try to avoid using undescriptive /dev/dm-N names, if present.
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+
+    # A filter that tells LVM2 to only use a restricted set of devices.
+    # The filter consists of an array of regular expressions.  These
+    # expressions can be delimited by a character of your choice, and
+    # prefixed with either an 'a' (for accept) or 'r' (for reject).
+    # The first expression found to match a device name determines if
+    # the device will be accepted or rejected (ignored).  Devices that
+    # don't match any patterns are accepted.
+
+    # Be careful if there there are symbolic links or multiple filesystem
+    # entries for the same device as each name is checked separately against
+    # the list of patterns.  The effect is that if the first pattern in the
+    # list to match a name is an 'a' pattern for any of the names, the device
+    # is accepted; otherwise if the first pattern in the list to match a name
+    # is an 'r' pattern for any of the names it is rejected; otherwise it is
+    # accepted.
+
+    # Don't have more than one filter line active at once: only one gets used.
+
+    # Run vgscan after you change this parameter to ensure that
+    # the cache file gets regenerated (see below).
+    # If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
+
+
+    # By default we accept every block device:
+    filter: [ "a/.*/" ]
+
+    # Exclude the cdrom drive
+    # filter: [ "r|/dev/cdrom|" ]
+
+    # When testing I like to work with just loopback devices:
+    # filter: [ "a/loop/", "r/.*/" ]
+
+    # Or maybe all loops and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+
+    # Use anchors if you want to be really specific
+    # filter: [ "a|^/dev/hda8$|", "r/.*/" ]
+
+    # The results of the filtering are cached on disk to avoid
+    # rescanning dud devices (which can take a very long time).
+    # By default this cache is stored in the /etc/lvm/cache directory
+    # in a file called '.cache'.
+    # It is safe to delete the contents: the tools regenerate it.
+    # (The old setting 'cache' is still respected if neither of
+    # these new ones is present.)
+    cache_dir: "/run/lvm"
+    cache_file_prefix: ""
+
+    # You can turn off writing this cache file by setting this to 0.
+    write_cache_state: 1
+
+    # Advanced settings.
+
+    # List of pairs of additional acceptable block device types found
+    # in /proc/devices with maximum (non-zero) number of partitions.
+    # types: [ "fd", 16 ]
+
+    # If sysfs is mounted (2.6 kernels) restrict device scanning to
+    # the block devices it believes are valid.
+    # 1 enables; 0 disables.
+    sysfs_scan: 1
+
+    # By default, LVM2 will ignore devices used as component paths
+    # of device-mapper multipath devices.
+    # 1 enables; 0 disables.
+    multipath_component_detection: 1
+
+    # By default, LVM2 will ignore devices used as components of
+    # software RAID (md) devices by looking for md superblocks.
+    # 1 enables; 0 disables.
+    md_component_detection: 1
+
+    # By default, if a PV is placed directly upon an md device, LVM2
+    # will align its data blocks with the md device's stripe-width.
+    # 1 enables; 0 disables.
+    md_chunk_alignment: 1
+
+    # Default alignment of the start of a data area in MB.  If set to 0,
+    # a value of 64KB will be used.  Set to 1 for 1MiB, 2 for 2MiB, etc.
+    # default_data_alignment: 1
+
+    # By default, the start of a PV's data area will be a multiple of
+    # the 'minimum_io_size' or 'optimal_io_size' exposed in sysfs.
+    # - minimum_io_size - the smallest request the device can perform
+    #   w/o incurring a read-modify-write penalty (e.g. MD's chunk size)
+    # - optimal_io_size - the device's preferred unit of receiving I/O
+    #   (e.g. MD's stripe width)
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    # 1 enables; 0 disables.
+    data_alignment_detection: 1
+
+    # Alignment (in KB) of start of data area when creating a new PV.
+    # md_chunk_alignment and data_alignment_detection are disabled if set.
+    # Set to 0 for the default alignment (see: data_alignment_default)
+    # or page size, if larger.
+    data_alignment: 0
+
+    # By default, the start of the PV's aligned data area will be shifted by
+    # the 'alignment_offset' exposed in sysfs.  This offset is often 0 but
+    # may be non-zero; e.g.: certain 4KB sector drives that compensate for
+    # windows partitioning will have an alignment_offset of 3584 bytes
+    # (sector 7 is the lowest aligned logical block, the 4KB sectors start
+    # at LBA -1, and consequently sector 63 is aligned on a 4KB boundary).
+    # But note that pvcreate --dataalignmentoffset will skip this detection.
+    # 1 enables; 0 disables.
+    data_alignment_offset_detection: 1
+
+    # If, while scanning the system for PVs, LVM2 encounters a device-mapper
+    # device that has its I/O suspended, it waits for it to become accessible.
+    # Set this to 1 to skip such devices.  This should only be needed
+    # in recovery situations.
+    ignore_suspended_devices: 0
+
+    # During each LVM operation errors received from each device are counted.
+    # If the counter of a particular device exceeds the limit set here, no
+    # further I/O is sent to that device for the remainder of the respective
+    # operation. Setting the parameter to 0 disables the counters altogether.
+    disable_after_error_count: 0
+
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid: 1
+
+    # Minimum size (in KB) of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KB is ignored.
+
+    # Ignore devices smaller than 2MB such as floppy drives.
+    pv_min_size: 2048
+
+    # The original built-in setting was 512 up to and including version 2.02.84.
+    # pv_min_size: 512
+
+    # Issue discards to a logical volumes's underlying physical volume(s) when
+    # the logical volume is no longer using the physical volumes' space (e.g.
+    # lvremove, lvreduce, etc).  Discards inform the storage that a region is
+    # no longer in use.  Storage that supports discards advertise the protocol
+    # specific way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set).  Not all storage will support or benefit
+    # from discards but SSDs and thinly provisioned LUNs generally do.  If set
+    # to 1, discards will only be issued if both the storage and kernel provide
+    # support.
+    # 1 enables; 0 disables.
+    issue_discards: 0
+
+
+  # This section allows you to configure the way in which LVM selects
+  # free space for its Logical Volumes.
+  #allocation:
+  #  # When searching for free space to extend an LV, the "cling"
+  #  # allocation policy will choose space on the same PVs as the last
+  #  # segment of the existing LV.  If there is insufficient space and a
+  #  # list of tags is defined here, it will check whether any of them are
+  #  # attached to the PVs concerned and then seek to match those PV tags
+  #  # between existing extents and new extents.
+  #  # Use the special tag "@*" as a wildcard to match any PV tag.
+  #
+  #  # Example: LVs are mirrored between two sites within a single VG.
+  #  # PVs are tagged with either @site1 or @site2 to indicate where
+  #  # they are situated.
+  #
+  #  #cling_tag_list: [ "@site1", "@site2" ]
+  #  cling_tag_list: [ "@*" ]
+  #
+  #  # Changes made in version 2.02.85 extended the reach of the 'cling'
+  #  # policies to detect more situations where data can be grouped
+  #  # onto the same disks.  Set this to 0 to revert to the previous
+  #  # algorithm.
+  #
+  #  maximise_cling: 1
+  #
+  #  # Set to 1 to guarantee that mirror logs will always be placed on
+  #  # different PVs from the mirror images.  This was the default
+  #  # until version 2.02.85.
+  #
+  #  mirror_logs_require_separate_pvs: 0
+  #
+  #  # Set to 1 to guarantee that thin pool metadata will always
+  #  # be placed on different PVs from the pool data.
+  #
+  #  thin_pool_metadata_require_separate_pvs: 0
+
+
+  # This section that allows you to configure the nature of the
+  # information that LVM2 reports.
+  log:
+
+    # Controls the messages sent to stdout or stderr.
+    # There are three levels of verbosity, 3 being the most verbose.
+    verbose: 0
+
+    # Should we send log messages through syslog?
+    # 1 is yes; 0 is no.
+    syslog: 1
+
+    # Should we log error and debug messages to a file?
+    # By default there is no log file.
+    #file: "/var/log/lvm2.log"
+
+    # Should we overwrite the log file each time the program is run?
+    # By default we append.
+    overwrite: 0
+
+    # What level of log messages should we send to the log file and/or syslog?
+    # There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Format of output messages
+    # Whether or not (1 or 0) to indent messages according to their severity
+    indent: 1
+
+    # Whether or not (1 or 0) to display the command name on each line output
+    command_names: 0
+
+    # A prefix to use before the message text (but after the command name,
+    # if selected).  Default is two spaces, so you can see/grep the severity
+    # of each message.
+    prefix: "  "
+
+    # To make the messages look similar to the original LVM tools use:
+    #   indent: 0
+    #   command_names: 1
+    #   prefix: " -- "
+
+    # Set this if you want log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    # activation: 0
+
+
+  # Configuration of metadata backups and archiving.  In LVM2 when we
+  # talk about a 'backup' we mean making a copy of the metadata for the
+  # *current* system.  The 'archive' contains old metadata configurations.
+  # Backups are stored in a human readable text format.
+  backup:
+
+    # Should we maintain a backup of the current metadata configuration ?
+    # Use 1 for Yes; 0 for No.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Where shall we keep it ?
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Should we maintain an archive of old metadata configurations.
+    # Use 1 for Yes; 0 for No.
+    # On by default.  Think very hard before turning this off.
+    archive: 1
+
+    # Where should archived files go ?
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # What is the minimum number of archive files you wish to keep ?
+    retain_min: 10
+
+    # What is the minimum time you wish to keep an archive file for ?
+    retain_days: 30
+
+
+  # Settings for the running LVM2 in shell (readline) mode.
+  shell:
+
+    # Number of lines of history to store in ~/.lvm_history
+    history_size: 100
+
+
+  # Miscellaneous global LVM2 settings
+  global:
+
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    # (umask value needs to be quoted because octal)
+    umask: "077"
+
+    # Allow other users to read the files
+    #umask: 022
+
+    # Enabling test mode means that no changes to the on disk metadata
+    # will be made.  Equivalent to having the -t option on every
+    # command.  Defaults to off.
+    test: 0
+
+    # Default value for --units argument
+    units: "h"
+
+    # Since version 2.02.54, the tools distinguish between powers of
+    # 1024 bytes (e.g. KiB, MiB, GiB) and powers of 1000 bytes (e.g.
+    # KB, MB, GB).
+    # If you have scripts that depend on the old behaviour, set this to 0
+    # temporarily until you update them.
+    si_unit_consistency: 1
+
+    # Whether or not to communicate with the kernel device-mapper.
+    # Set to 0 if you want to use the tools to manipulate LVM metadata
+    # without activating any logical volumes.
+    # If the device-mapper kernel driver is not present in your kernel
+    # setting this to 0 should suppress the error messages.
+    activation: 1
+
+    # If we can't communicate with device-mapper, should we try running
+    # the LVM1 tools?
+    # This option only applies to 2.4 kernels and is provided to help you
+    # switch between device-mapper kernels and LVM1 kernels.
+    # The LVM1 tools need to be installed with .lvm1 suffices
+    # e.g. vgscan.lvm1 and they will stop working after you start using
+    # the new lvm2 on-disk metadata format.
+    # The default value is set when the tools are built.
+    # fallback_to_lvm1: 0
+
+    # The default metadata format that commands should use - "lvm1" or "lvm2".
+    # The command line override is -M1 or -M2.
+    # Defaults to "lvm2".
+    # format: "lvm2"
+
+    # Location of proc filesystem
+    proc: "/proc"
+
+    # Type of locking to use. Defaults to local file-based locking (1).
+    # Turn locking off by setting to 0 (dangerous: risks metadata corruption
+    # if LVM2 commands get run concurrently).
+    # Type 2 uses the external shared library locking_library.
+    # Type 3 uses built-in clustered locking.
+    # Type 4 uses read-only locking which forbids any operations that might
+    # change metadata.
+    locking_type: 1
+
+    # Set to 0 to fail when a lock request cannot be satisfied immediately.
+    wait_for_locks: 1
+
+    # If using external locking (type 2) and initialisation fails,
+    # with this set to 1 an attempt will be made to use the built-in
+    # clustered locking.
+    # If you are using a customised locking_library you should set this to 0.
+    fallback_to_clustered_locking: 1
+
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this set
+    # to 1 an attempt will be made to use local file-based locking (type 1).
+    # If this succeeds, only commands against local volume groups will proceed.
+    # Volume Groups marked as clustered will be ignored.
+    fallback_to_local_locking: 1
+
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress.  A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/run/lock/lvm"
+
+    # Whenever there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to be
+    # serviced.  Without this setting, write access may be stalled by a high
+    # volume of read-only requests.
+    # NB. This option only affects locking_type = 1 viz. local file-based
+    # locking.
+    prioritise_write_locks: 1
+
+    # Other entries can go here to allow you to load shared libraries
+    # e.g. if support for LVM1 metadata was compiled as a shared library use
+    #   format_libraries = "liblvm2format1.so"
+    # Full pathnames can be given.
+
+    # Search this directory first for shared libraries.
+    #   library_dir: "/lib/lvm2"
+
+    # The external locking library to load if locking_type is set to 2.
+    #   locking_library: "liblvm2clusterlock.so"
+
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+    # Check whether CRC is matching when parsed VG is used multiple times.
+    # This is useful to catch unexpected internal cached volume group
+    # structure modification. Please only enable for debugging.
+    detect_internal_vg_cache_corruption: 0
+
+    # If set to 1, no operations that change on-disk metadata will be permitted.
+    # Additionally, read-only commands that encounter metadata in need of repair
+    # will still be allowed to proceed exactly as if the repair had been
+    # performed (except for the unchanged vg_seqno).
+    # Inappropriate use could mess up your system, so seek advice first!
+    metadata_read_only: 0
+
+    # 'mirror_segtype_default' defines which segtype will be used when the
+    # shorthand '-m' option is used for mirroring.  The possible options are:
+    #
+    # "mirror" - The original RAID1 implementation provided by LVM2/DM.  It is
+    #	         characterized by a flexible log solution (core, disk, mirrored)
+    #		 and by the necessity to block I/O while reconfiguring in the
+    #		 event of a failure.  Snapshots of this type of RAID1 can be
+    #		 problematic.
+    #
+    # "raid1"  - This implementation leverages MD's RAID1 personality through
+    #		 device-mapper.  It is characterized by a lack of log options.
+    #		 (A log is always allocated for every device and they are placed
+    #		 on the same device as the image - no separate devices are
+    #		 required.)  This mirror implementation does not require I/O
+    #		 to be blocked in the kernel in the event of a failure.
+    #
+    # Specify the '--type <mirror|raid1>' option to override this default
+    # setting.
+    mirror_segtype_default: "mirror"
+
+    # The default format for displaying LV names in lvdisplay was changed
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # Set to 1 to reinstate the previous format.
+    #
+    # lvdisplay_shows_full_device_path: 0
+
+    # Whether to use (trust) a running instance of lvmetad. If this is set to
+    # 0, all commands fall back to the usual scanning mechanisms. When set to 1
+    # *and* when lvmetad is running (it is not auto-started), the volume group
+    # metadata and PV state flags are obtained from the lvmetad instance and no
+    # scanning is done by the individual commands. In a setup with lvmetad,
+    # lvmetad udev rules *must* be set up for LVM to work correctly. Without
+    # proper udev rules, all changes in block device configuration will be
+    # *ignored* until a manual 'vgscan' is performed.
+    use_lvmetad: 0
+
+
+  activation:
+    # Set to 1 to perform internal checks on the operations issued to
+    # libdevmapper.  Useful for debugging problems with activation.
+    # Some of the checks may be expensive, so it's best to use this
+    # only when there seems to be a problem.
+    checks: 0
+
+    # Set to 0 to disable udev synchronisation (if compiled into the binaries).
+    # Processes will not wait for notification from udev.
+    # They will continue irrespective of any possible udev processing
+    # in the background.  You should only use this if udev is not running
+    # or has rules that ignore the devices LVM2 creates.
+    # The command line argument --nodevsync takes precedence over this setting.
+    # If set to 1 when udev is not running, and there are LVM2 processes
+    # waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them up.
+    udev_sync: 1
+
+    # Set to 0 to disable the udev rules installed by LVM2 (if built with
+    # --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
+    # for active logical volumes directly itself.
+    # N.B. Manual intervention may be required if this setting is changed
+    # while any logical volumes are active.
+    udev_rules: 1
+
+    # Set to 1 for LVM2 to verify operations performed by udev. This turns on
+    # additional checks (and if necessary, repairs) on entries in the device
+    # directory after udev has completed processing its events.
+    # Useful for diagnosing problems with LVM2/udev interactions.
+    verify_udev_operations: 0
+
+    # If set to 1 and if deactivation of an LV fails, perhaps because
+    # a process run from a quick udev rule temporarily opened the device,
+    # retry the operation for a few seconds before failing.
+    retry_deactivation: 1
+
+    # How to fill in missing stripes if activating an incomplete volume.
+    # Using "error" will make inaccessible parts of the device return
+    # I/O errors on access.  You can instead use a device path, in which
+    # case, that device will be used to in place of missing stripes.
+    # But note that using anything other than "error" with mirrored
+    # or snapshotted volumes is likely to result in data corruption.
+    missing_stripe_filler: "error"
+
+    # The linear target is an optimised version of the striped target
+    # that only handles a single stripe.  Set this to 0 to disable this
+    # optimisation and always use the striped target.
+    use_linear_target: 1
+
+    # How much stack (in KB) to reserve for use while devices suspended
+    # Prior to version 2.02.89 this used to be set to 256KB
+    reserved_stack: 64
+
+    # How much memory (in KB) to reserve for use while devices suspended
+    reserved_memory: 8192
+
+    # Nice value used while devices suspended
+    process_priority: -18
+
+    # If volume_list is defined, each LV is only activated if there is a
+    # match against the list.
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If read_only_volume_list is defined, each LV that is to be activated
+    # is checked against the list, and if it matches, it as activated
+    # in read-only mode.  (This overrides '--permission rw' stored in the
+    # metadata.)
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # read_only_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # Size (in KB) of each copy operation when mirroring
+    mirror_region_size: 512
+
+    # Setting to use when there is no readahead value stored in the metadata.
+    #
+    # "none" - Disable readahead.
+    # "auto" - Use default value chosen by kernel.
+    readahead: "auto"
+
+    # 'raid_fault_policy' defines how a device failure in a RAID logical
+    # volume is handled.  This includes logical volumes that have the following
+    # segment types: raid1, raid4, raid5*, and raid6*.
+    #
+    # In the event of a failure, the following policies will determine what
+    # actions are performed during the automated response to failures (when
+    # dmeventd is monitoring the RAID logical volume) and when 'lvconvert' is
+    # called manually with the options '--repair' and '--use-policies'.
+    #
+    # "warn"	- Use the system log to warn the user that a device in the RAID
+    #		  logical volume has failed.  It is left to the user to run
+    #		  'lvconvert --repair' manually to remove or replace the failed
+    #		  device.  As long as the number of failed devices does not
+    #		  exceed the redundancy of the logical volume (1 device for
+    #		  raid4/5, 2 for raid6, etc) the logical volume will remain
+    #		  usable.
+    #
+    # "allocate" - Attempt to use any extra physical volumes in the volume
+    #		  group as spares and replace faulty devices.
+    #
+    raid_fault_policy: "warn"
+
+    # 'mirror_image_fault_policy' and 'mirror_log_fault_policy' define
+    # how a device failure affecting a mirror (of "mirror" segment type) is
+    # handled.  A mirror is composed of mirror images (copies) and a log.
+    # A disk log ensures that a mirror does not need to be re-synced
+    # (all copies made the same) every time a machine reboots or crashes.
+    #
+    # In the event of a failure, the specified policy will be used to determine
+    # what happens. This applies to automatic repairs (when the mirror is being
+    # monitored by dmeventd) and to manual lvconvert --repair when
+    # --use-policies is given.
+    #
+    # "remove" - Simply remove the faulty device and run without it.  If
+    #            the log device fails, the mirror would convert to using
+    #            an in-memory log.  This means the mirror will not
+    #            remember its sync status across crashes/reboots and
+    #            the entire mirror will be re-synced.  If a
+    #            mirror image fails, the mirror will convert to a
+    #            non-mirrored device if there is only one remaining good
+    #            copy.
+    #
+    # "allocate" - Remove the faulty device and try to allocate space on
+    #            a new device to be a replacement for the failed device.
+    #            Using this policy for the log is fast and maintains the
+    #            ability to remember sync state through crashes/reboots.
+    #            Using this policy for a mirror device is slow, as it
+    #            requires the mirror to resynchronize the devices, but it
+    #            will preserve the mirror characteristic of the device.
+    #            This policy acts like "remove" if no suitable device and
+    #            space can be allocated for the replacement.
+    #
+    # "allocate_anywhere" - Not yet implemented. Useful to place the log device
+    #            temporarily on same physical volume as one of the mirror
+    #            images. This policy is not recommended for mirror devices
+    #            since it would break the redundant nature of the mirror. This
+    #            policy acts like "remove" if no suitable device and space can
+    #            be allocated for the replacement.
+
+    mirror_log_fault_policy: "allocate"
+    mirror_image_fault_policy: "remove"
+
+    # 'snapshot_autoextend_threshold' and 'snapshot_autoextend_percent' define
+    # how to handle automatic snapshot extension. The former defines when the
+    # snapshot should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the snapshot, in percent of its current size.
+    #
+    # For example, if you set snapshot_autoextend_threshold to 70 and
+    # snapshot_autoextend_percent to 20, whenever a snapshot exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G snapshot, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the snapshot will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting snapshot_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    snapshot_autoextend_threshold: 100
+    snapshot_autoextend_percent: 20
+
+    # 'thin_pool_autoextend_threshold' and 'thin_pool_autoextend_percent' define
+    # how to handle automatic pool extension. The former defines when the
+    # pool should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the pool, in percent of its current size.
+    #
+    # For example, if you set thin_pool_autoextend_threshold to 70 and
+    # thin_pool_autoextend_percent to 20, whenever a pool exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G pool, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the pool will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting thin_pool_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    thin_pool_autoextend_threshold: 100
+    thin_pool_autoextend_percent: 20
+
+    # Full path of the utility called to check that a thin metadata device
+    # is in a state that allows it to be used.
+    # Each time a thin pool needs to be activated, this utility is executed.
+    # The activation will only proceed if the utility has an exit status of 0.
+    # Set to "" to skip this check.  (Not recommended.)
+    # The thin tools are available as part of the device-mapper-persistent-data
+    # package from https://github.com/jthornber/thin-provisioning-tools.
+    #
+    thin_check_executable: "/sbin/thin_check -q"
+
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended, and as a precaution against deadlocks, LVM2 needs to pin
+    # any memory it is using so it is not paged out.  Groups of pages that
+    # are known not to be accessed during activation need not be pinned
+    # into memory.  Each string listed in this setting is compared against
+    # each line in /proc/self/maps, and the pages corresponding to any
+    # lines that match are not pinned.  On some systems locale-archive was
+    # found to make up over 80% of the memory used by the process.
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+
+    # Set to 1 to revert to the default behaviour prior to version 2.02.62
+    # which used mlockall() to pin the whole process's memory while activating
+    # devices.
+    use_mlockall: 0
+
+    # Monitoring is enabled by default when activating logical volumes.
+    # Set to 0 to disable monitoring or use the --ignoremonitoring option.
+    monitoring: 0
+
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress
+    # at intervals of this number of seconds.  The default is 15 seconds.
+    # If this is set to 0 and there is only one thing to wait for, there
+    # are no progress reports, but the process is awoken immediately the
+    # operation is complete.
+    polling_interval: 15
+
+
+####################
+# Advanced section #
+####################
+
+  # Metadata settings
+  #
+  # metadata:
+    # Default number of copies of metadata to hold on each PV.  0, 1 or 2.
+    # You might want to override it from the command line with 0
+    # when running pvcreate on new PVs which are to be added to large VGs.
+
+    # pvmetadatacopies: 1
+
+    # Default number of copies of metadata to maintain for each VG.
+    # If set to a non-zero value, LVM automatically chooses which of
+    # the available metadata areas to use to achieve the requested
+    # number of copies of the VG metadata.  If you set a value larger
+    # than the the total number of metadata areas available then
+    # metadata is stored in them all.
+    # The default value of 0 ("unmanaged") disables this automatic
+    # management and allows you to control which metadata areas
+    # are used at the individual PV level using 'pvchange
+    # --metadataignore y/n'.
+
+    # vgmetadatacopies: 0
+
+    # Approximate default size of on-disk metadata areas in sectors.
+    # You should increase this if you have large volume groups or
+    # you want to retain a large on-disk history of your metadata changes.
+
+    # pvmetadatasize: 255
+
+    # List of directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM2 with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other
+    # on-disk metadata (pvmetadatacopies = 0). Or this can be in
+    # addition to on-disk metadata areas.
+    # The feature was originally added to simplify testing and is not
+    # supported under low memory situations - the machine could lock up.
+    #
+    # Never edit any files in these directories by hand unless you
+    # you are absolutely sure you know what you are doing! Use
+    # the supplied toolset to make changes (e.g. vgcfgrestore).
+
+    # dirs: [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+
+
+  # Event daemon
+  #
+  dmeventd:
+    # mirror_library is the library used when monitoring a mirror device.
+    #
+    # "libdevmapper-event-lvm2mirror.so" attempts to recover from
+    # failures.  It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # snapshot_library is the library used when monitoring a snapshot device.
+    #
+    # "libdevmapper-event-lvm2snapshot.so" monitors the filling of
+    # snapshots and emits a warning through syslog when the use of
+    # the snapshot exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the snapshot is filled.
+
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
+
+    # thin_library is the library used when monitoring a thin device.
+    #
+    # "libdevmapper-event-lvm2thin.so" monitors the filling of
+    # pool and emits a warning through syslog when the use of
+    # the pool exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the pool is filled.
+
+    thin_library: "libdevmapper-event-lvm2thin.so"
+
+    # Full path of the dmeventd binary.
+    #
+    # executable: "/sbin/dmeventd"
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.98.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.98.yml
new file mode 100644
index 00000000..33c2477e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.02.98.yml
@@ -0,0 +1,811 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Based on /etc/lvm/lvm.conf from Ubuntu Trusty
+lvm__config_base_version: '2.02.98-6ubuntu2'
+
+lvm__config_base:
+
+  # This section allows you to configure which block devices should
+  # be used by the LVM system.
+  devices:
+
+    # Where do you want your volume groups to appear ?
+    dir: "/dev"
+
+    # An array of directories that contain the device nodes you wish
+    # to use with LVM2.
+    scan: [ "/dev" ]
+
+    # If set, the cache of block device nodes with all associated symlinks
+    # will be constructed out of the existing udev database content.
+    # This avoids using and opening any inapplicable non-block devices or
+    # subdirectories found in the device directory. This setting is applied
+    # to udev-managed device directory only, other directories will be scanned
+    # fully. LVM2 needs to be compiled with udev support for this setting to
+    # take effect. N.B. Any device node or symlink not managed by udev in
+    # udev directory will be ignored with this setting on.
+    obtain_device_list_from_udev: 1
+
+    # If several entries in the scanned directories correspond to the
+    # same block device and the tools need to display a name for device,
+    # all the pathnames are matched against each item in the following
+    # list of regular expressions in turn and the first match is used.
+    preferred_names: [ ]
+
+    # Try to avoid using undescriptive /dev/dm-N names, if present.
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+
+    # A filter that tells LVM2 to only use a restricted set of devices.
+    # The filter consists of an array of regular expressions.  These
+    # expressions can be delimited by a character of your choice, and
+    # prefixed with either an 'a' (for accept) or 'r' (for reject).
+    # The first expression found to match a device name determines if
+    # the device will be accepted or rejected (ignored).  Devices that
+    # don't match any patterns are accepted.
+
+    # Be careful if there there are symbolic links or multiple filesystem
+    # entries for the same device as each name is checked separately against
+    # the list of patterns.  The effect is that if the first pattern in the
+    # list to match a name is an 'a' pattern for any of the names, the device
+    # is accepted; otherwise if the first pattern in the list to match a name
+    # is an 'r' pattern for any of the names it is rejected; otherwise it is
+    # accepted.
+
+    # Don't have more than one filter line active at once: only one gets used.
+
+    # Run vgscan after you change this parameter to ensure that
+    # the cache file gets regenerated (see below).
+    # If it doesn't do what you expect, check the output of 'vgscan -vvvv'.
+
+
+    # By default we accept every block device:
+    filter: [ "a/.*/" ]
+
+    # Exclude the cdrom drive
+    # filter: [ "r|/dev/cdrom|" ]
+
+    # When testing I like to work with just loopback devices:
+    # filter: [ "a/loop/", "r/.*/" ]
+
+    # Or maybe all loops and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+
+    # Use anchors if you want to be really specific
+    # filter: [ "a|^/dev/hda8$|", "r/.*/" ]
+
+    # Since "filter" is often overridden from command line, it is not suitable
+    # for system-wide device filtering (udev rules, lvmetad). To hide devices
+    # from LVM-specific udev processing and/or from lvmetad, you need to set
+    # global_filter. The syntax is the same as for normal "filter"
+    # above. Devices that fail the global_filter are not even opened by LVM.
+
+    # global_filter: []
+
+    # The results of the filtering are cached on disk to avoid
+    # rescanning dud devices (which can take a very long time).
+    # By default this cache is stored in the /etc/lvm/cache directory
+    # in a file called '.cache'.
+    # It is safe to delete the contents: the tools regenerate it.
+    # (The old setting 'cache' is still respected if neither of
+    # these new ones is present.)
+    # N.B. If obtain_device_list_from_udev is set to 1 the list of
+    # devices is instead obtained from udev and any existing .cache
+    # file is removed.
+    cache_dir: "/run/lvm"
+    cache_file_prefix: ""
+
+    # You can turn off writing this cache file by setting this to 0.
+    write_cache_state: 1
+
+    # Advanced settings.
+
+    # List of pairs of additional acceptable block device types found
+    # in /proc/devices with maximum (non-zero) number of partitions.
+    # types: [ "fd", 16 ]
+
+    # If sysfs is mounted (2.6 kernels) restrict device scanning to
+    # the block devices it believes are valid.
+    # 1 enables; 0 disables.
+    sysfs_scan: 1
+
+    # By default, LVM2 will ignore devices used as component paths
+    # of device-mapper multipath devices.
+    # 1 enables; 0 disables.
+    multipath_component_detection: 1
+
+    # By default, LVM2 will ignore devices used as components of
+    # software RAID (md) devices by looking for md superblocks.
+    # 1 enables; 0 disables.
+    md_component_detection: 1
+
+    # By default, if a PV is placed directly upon an md device, LVM2
+    # will align its data blocks with the md device's stripe-width.
+    # 1 enables; 0 disables.
+    md_chunk_alignment: 1
+
+    # Default alignment of the start of a data area in MB.  If set to 0,
+    # a value of 64KB will be used.  Set to 1 for 1MiB, 2 for 2MiB, etc.
+    # default_data_alignment: 1
+
+    # By default, the start of a PV's data area will be a multiple of
+    # the 'minimum_io_size' or 'optimal_io_size' exposed in sysfs.
+    # - minimum_io_size - the smallest request the device can perform
+    #   w/o incurring a read-modify-write penalty (e.g. MD's chunk size)
+    # - optimal_io_size - the device's preferred unit of receiving I/O
+    #   (e.g. MD's stripe width)
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # This setting takes precedence over md_chunk_alignment.
+    # 1 enables; 0 disables.
+    data_alignment_detection: 1
+
+    # Alignment (in KB) of start of data area when creating a new PV.
+    # md_chunk_alignment and data_alignment_detection are disabled if set.
+    # Set to 0 for the default alignment (see: data_alignment_default)
+    # or page size, if larger.
+    data_alignment: 0
+
+    # By default, the start of the PV's aligned data area will be shifted by
+    # the 'alignment_offset' exposed in sysfs.  This offset is often 0 but
+    # may be non-zero; e.g.: certain 4KB sector drives that compensate for
+    # windows partitioning will have an alignment_offset of 3584 bytes
+    # (sector 7 is the lowest aligned logical block, the 4KB sectors start
+    # at LBA -1, and consequently sector 63 is aligned on a 4KB boundary).
+    # But note that pvcreate --dataalignmentoffset will skip this detection.
+    # 1 enables; 0 disables.
+    data_alignment_offset_detection: 1
+
+    # If, while scanning the system for PVs, LVM2 encounters a device-mapper
+    # device that has its I/O suspended, it waits for it to become accessible.
+    # Set this to 1 to skip such devices.  This should only be needed
+    # in recovery situations.
+    ignore_suspended_devices: 0
+
+    # During each LVM operation errors received from each device are counted.
+    # If the counter of a particular device exceeds the limit set here, no
+    # further I/O is sent to that device for the remainder of the respective
+    # operation. Setting the parameter to 0 disables the counters altogether.
+    disable_after_error_count: 0
+
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid: 1
+
+    # Minimum size (in KB) of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KB is ignored.
+
+    # Ignore devices smaller than 2MB such as floppy drives.
+    pv_min_size: 2048
+
+    # The original built-in setting was 512 up to and including version 2.02.84.
+    # pv_min_size: 512
+
+    # Issue discards to a logical volumes's underlying physical volume(s) when
+    # the logical volume is no longer using the physical volumes' space (e.g.
+    # lvremove, lvreduce, etc).  Discards inform the storage that a region is
+    # no longer in use.  Storage that supports discards advertise the protocol
+    # specific way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set).  Not all storage will support or benefit
+    # from discards but SSDs and thinly provisioned LUNs generally do.  If set
+    # to 1, discards will only be issued if both the storage and kernel provide
+    # support.
+    # 1 enables; 0 disables.
+    issue_discards: 1
+
+
+  # This section allows you to configure the way in which LVM selects
+  # free space for its Logical Volumes.
+  allocation:
+
+    # When searching for free space to extend an LV, the "cling"
+    # allocation policy will choose space on the same PVs as the last
+    # segment of the existing LV.  If there is insufficient space and a
+    # list of tags is defined here, it will check whether any of them are
+    # attached to the PVs concerned and then seek to match those PV tags
+    # between existing extents and new extents.
+    # Use the special tag "@*" as a wildcard to match any PV tag.
+
+    # Example: LVs are mirrored between two sites within a single VG.
+    # PVs are tagged with either @site1 or @site2 to indicate where
+    # they are situated.
+
+    # cling_tag_list: [ "@site1", "@site2" ]
+    # cling_tag_list: [ "@*" ]
+
+    # Changes made in version 2.02.85 extended the reach of the 'cling'
+    # policies to detect more situations where data can be grouped
+    # onto the same disks.  Set this to 0 to revert to the previous
+    # algorithm.
+    maximise_cling: 1
+
+    # Set to 1 to guarantee that mirror logs will always be placed on
+    # different PVs from the mirror images.  This was the default
+    # until version 2.02.85.
+    mirror_logs_require_separate_pvs: 0
+
+    # Set to 1 to guarantee that thin pool metadata will always
+    # be placed on different PVs from the pool data.
+    thin_pool_metadata_require_separate_pvs: 0
+
+
+  # This section that allows you to configure the nature of the
+  # information that LVM2 reports.
+  log:
+
+    # Controls the messages sent to stdout or stderr.
+    # There are three levels of verbosity, 3 being the most verbose.
+    verbose: 0
+
+    # Set to 1 to suppress all non-essential messages from stdout.
+    # This has the same effect as -qq.
+    # When this is set, the following commands still produce output:
+    # dumpconfig, lvdisplay, lvmdiskscan, lvs, pvck, pvdisplay,
+    # pvs, version, vgcfgrestore -l, vgdisplay, vgs.
+    # Non-essential messages are shifted from log level 4 to log level 5
+    # for syslog and lvm2_log_fn purposes.
+    # Any 'yes' or 'no' questions not overridden by other arguments
+    # are suppressed and default to 'no'.
+    silent: 0
+
+    # Should we send log messages through syslog?
+    # 1 is yes; 0 is no.
+    syslog: 1
+
+    # Should we log error and debug messages to a file?
+    # By default there is no log file.
+    #file: "/var/log/lvm2.log"
+
+    # Should we overwrite the log file each time the program is run?
+    # By default we append.
+    overwrite: 0
+
+    # What level of log messages should we send to the log file and/or syslog?
+    # There are 6 syslog-like log levels currently in use - 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Format of output messages
+    # Whether or not (1 or 0) to indent messages according to their severity
+    indent: 1
+
+    # Whether or not (1 or 0) to display the command name on each line output
+    command_names: 0
+
+    # A prefix to use before the message text (but after the command name,
+    # if selected).  Default is two spaces, so you can see/grep the severity
+    # of each message.
+    prefix: "  "
+
+    # To make the messages look similar to the original LVM tools use:
+    #   indent: 0
+    #   command_names: 1
+    #   prefix: " -- "
+
+    # Set this if you want log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    # activation: 0
+
+
+  # Configuration of metadata backups and archiving.  In LVM2 when we
+  # talk about a 'backup' we mean making a copy of the metadata for the
+  # *current* system.  The 'archive' contains old metadata configurations.
+  # Backups are stored in a human readable text format.
+  backup:
+
+    # Should we maintain a backup of the current metadata configuration ?
+    # Use 1 for Yes; 0 for No.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Where shall we keep it ?
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Should we maintain an archive of old metadata configurations.
+    # Use 1 for Yes; 0 for No.
+    # On by default.  Think very hard before turning this off.
+    archive: 1
+
+    # Where should archived files go ?
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # What is the minimum number of archive files you wish to keep ?
+    retain_min: 10
+
+    # What is the minimum time you wish to keep an archive file for ?
+    retain_days: 30
+
+
+  # Settings for the running LVM2 in shell (readline) mode.
+  shell:
+
+    # Number of lines of history to store in ~/.lvm_history
+    history_size: 100
+
+
+  # Miscellaneous global LVM2 settings
+  global:
+
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    # (umask needs to be quoted because octal)
+    umask: "077"
+
+    # Allow other users to read the files
+    #umask: "022"
+
+    # Enabling test mode means that no changes to the on disk metadata
+    # will be made.  Equivalent to having the -t option on every
+    # command.  Defaults to off.
+    test: 0
+
+    # Default value for --units argument
+    units: "h"
+
+    # Since version 2.02.54, the tools distinguish between powers of
+    # 1024 bytes (e.g. KiB, MiB, GiB) and powers of 1000 bytes (e.g.
+    # KB, MB, GB).
+    # If you have scripts that depend on the old behaviour, set this to 0
+    # temporarily until you update them.
+    si_unit_consistency: 1
+
+    # Whether or not to communicate with the kernel device-mapper.
+    # Set to 0 if you want to use the tools to manipulate LVM metadata
+    # without activating any logical volumes.
+    # If the device-mapper kernel driver is not present in your kernel
+    # setting this to 0 should suppress the error messages.
+    activation: 1
+
+    # If we can't communicate with device-mapper, should we try running
+    # the LVM1 tools?
+    # This option only applies to 2.4 kernels and is provided to help you
+    # switch between device-mapper kernels and LVM1 kernels.
+    # The LVM1 tools need to be installed with .lvm1 suffices
+    # e.g. vgscan.lvm1 and they will stop working after you start using
+    # the new lvm2 on-disk metadata format.
+    # The default value is set when the tools are built.
+    # fallback_to_lvm1: 0
+
+    # The default metadata format that commands should use - "lvm1" or "lvm2".
+    # The command line override is -M1 or -M2.
+    # Defaults to "lvm2".
+    # format: "lvm2"
+
+    # Location of proc filesystem
+    proc: "/proc"
+
+    # Type of locking to use. Defaults to local file-based locking (1).
+    # Turn locking off by setting to 0 (dangerous: risks metadata corruption
+    # if LVM2 commands get run concurrently).
+    # Type 2 uses the external shared library locking_library.
+    # Type 3 uses built-in clustered locking.
+    # Type 4 uses read-only locking which forbids any operations that might
+    # change metadata.
+    locking_type: 1
+
+    # Set to 0 to fail when a lock request cannot be satisfied immediately.
+    wait_for_locks: 1
+
+    # If using external locking (type 2) and initialisation fails,
+    # with this set to 1 an attempt will be made to use the built-in
+    # clustered locking.
+    # If you are using a customised locking_library you should set this to 0.
+    fallback_to_clustered_locking: 1
+
+    # If an attempt to initialise type 2 or type 3 locking failed, perhaps
+    # because cluster components such as clvmd are not running, with this set
+    # to 1 an attempt will be made to use local file-based locking (type 1).
+    # If this succeeds, only commands against local volume groups will proceed.
+    # Volume Groups marked as clustered will be ignored.
+    fallback_to_local_locking: 1
+
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress.  A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/run/lock/lvm"
+
+    # Whenever there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to be
+    # serviced.  Without this setting, write access may be stalled by a high
+    # volume of read-only requests.
+    # NB. This option only affects locking_type = 1 viz. local file-based
+    # locking.
+    prioritise_write_locks: 1
+
+    # Other entries can go here to allow you to load shared libraries
+    # e.g. if support for LVM1 metadata was compiled as a shared library use
+    #   format_libraries = "liblvm2format1.so"
+    # Full pathnames can be given.
+
+    # Search this directory first for shared libraries.
+    #   library_dir: "/lib/lvm2"
+
+    # The external locking library to load if locking_type is set to 2.
+    #   locking_library: "liblvm2clusterlock.so"
+
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+    # Check whether CRC is matching when parsed VG is used multiple times.
+    # This is useful to catch unexpected internal cached volume group
+    # structure modification. Please only enable for debugging.
+    detect_internal_vg_cache_corruption: 0
+
+    # If set to 1, no operations that change on-disk metadata will be permitted.
+    # Additionally, read-only commands that encounter metadata in need of repair
+    # will still be allowed to proceed exactly as if the repair had been
+    # performed (except for the unchanged vg_seqno).
+    # Inappropriate use could mess up your system, so seek advice first!
+    metadata_read_only: 0
+
+    # 'mirror_segtype_default' defines which segtype will be used when the
+    # shorthand '-m' option is used for mirroring.  The possible options are:
+    #
+    # "mirror" - The original RAID1 implementation provided by LVM2/DM.  It is
+    #	         characterized by a flexible log solution (core, disk, mirrored)
+    #		 and by the necessity to block I/O while reconfiguring in the
+    #		 event of a failure.
+    #
+    #		 There is an inherent race in the dmeventd failure handling
+    #		 logic with snapshots of devices using this type of RAID1 that
+    #		 in the worst case could cause a deadlock.
+    #		   Ref: https://bugzilla.redhat.com/show_bug.cgi?id=817130#c10
+    #
+    # "raid1"  - This implementation leverages MD's RAID1 personality through
+    #		 device-mapper.  It is characterized by a lack of log options.
+    #		 (A log is always allocated for every device and they are placed
+    #		 on the same device as the image - no separate devices are
+    #		 required.)  This mirror implementation does not require I/O
+    #		 to be blocked in the kernel in the event of a failure.
+    #		 This mirror implementation is not cluster-aware and cannot be
+    #		 used in a shared (active/active) fashion in a cluster.
+    #
+    # Specify the '--type <mirror|raid1>' option to override this default
+    # setting.
+    mirror_segtype_default: "mirror"
+
+    # The default format for displaying LV names in lvdisplay was changed
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # Set to 1 to reinstate the previous format.
+    #
+    # lvdisplay_shows_full_device_path: 0
+
+    # Whether to use (trust) a running instance of lvmetad. If this is set to
+    # 0, all commands fall back to the usual scanning mechanisms. When set to 1
+    # *and* when lvmetad is running (it is not auto-started), the volume group
+    # metadata and PV state flags are obtained from the lvmetad instance and no
+    # scanning is done by the individual commands. In a setup with lvmetad,
+    # lvmetad udev rules *must* be set up for LVM to work correctly. Without
+    # proper udev rules, all changes in block device configuration will be
+    # *ignored* until a manual 'pvscan --cache' is performed.
+    #
+    # If lvmetad has been running while use_lvmetad was 0, it MUST be stopped
+    # before changing use_lvmetad to 1 and started again afterwards.
+    use_lvmetad: 0
+
+    # Full path of the utility called to check that a thin metadata device
+    # is in a state that allows it to be used.
+    # Each time a thin pool needs to be activated or after it is deactivated
+    # this utility is executed. The activation will only proceed if the utility
+    # has an exit status of 0.
+    # Set to "" to skip this check.  (Not recommended.)
+    # The thin tools are available as part of the device-mapper-persistent-data
+    # package from https://github.com/jthornber/thin-provisioning-tools.
+    #
+    thin_check_executable: "/usr/sbin/thin_check"
+
+    # String with options passed with thin_check command. By default,
+    # option '-q' is for quiet output.
+    thin_check_options: [ "-q" ]
+
+
+  activation:
+    # Set to 1 to perform internal checks on the operations issued to
+    # libdevmapper.  Useful for debugging problems with activation.
+    # Some of the checks may be expensive, so it's best to use this
+    # only when there seems to be a problem.
+    checks: 0
+
+    # Set to 0 to disable udev synchronisation (if compiled into the binaries).
+    # Processes will not wait for notification from udev.
+    # They will continue irrespective of any possible udev processing
+    # in the background.  You should only use this if udev is not running
+    # or has rules that ignore the devices LVM2 creates.
+    # The command line argument --nodevsync takes precedence over this setting.
+    # If set to 1 when udev is not running, and there are LVM2 processes
+    # waiting for udev, run 'dmsetup udevcomplete_all' manually to wake them up.
+    udev_sync: 1
+
+    # Set to 0 to disable the udev rules installed by LVM2 (if built with
+    # --enable-udev_rules). LVM2 will then manage the /dev nodes and symlinks
+    # for active logical volumes directly itself.
+    # N.B. Manual intervention may be required if this setting is changed
+    # while any logical volumes are active.
+    udev_rules: 1
+
+    # Set to 1 for LVM2 to verify operations performed by udev. This turns on
+    # additional checks (and if necessary, repairs) on entries in the device
+    # directory after udev has completed processing its events.
+    # Useful for diagnosing problems with LVM2/udev interactions.
+    verify_udev_operations: 0
+
+    # If set to 1 and if deactivation of an LV fails, perhaps because
+    # a process run from a quick udev rule temporarily opened the device,
+    # retry the operation for a few seconds before failing.
+    retry_deactivation: 1
+
+    # How to fill in missing stripes if activating an incomplete volume.
+    # Using "error" will make inaccessible parts of the device return
+    # I/O errors on access.  You can instead use a device path, in which
+    # case, that device will be used to in place of missing stripes.
+    # But note that using anything other than "error" with mirrored
+    # or snapshotted volumes is likely to result in data corruption.
+    missing_stripe_filler: "error"
+
+    # The linear target is an optimised version of the striped target
+    # that only handles a single stripe.  Set this to 0 to disable this
+    # optimisation and always use the striped target.
+    use_linear_target: 1
+
+    # How much stack (in KB) to reserve for use while devices suspended
+    # Prior to version 2.02.89 this used to be set to 256KB
+    reserved_stack: 64
+
+    # How much memory (in KB) to reserve for use while devices suspended
+    reserved_memory: 8192
+
+    # Nice value used while devices suspended
+    process_priority: -18
+
+    # If volume_list is defined, each LV is only activated if there is a
+    # match against the list.
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If auto_activation_volume_list is defined, each LV that is to be
+    # activated is checked against the list while using the autoactivation
+    # option (--activate ay/-a ay), and if it matches, it is activated.
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # auto_activation_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # If read_only_volume_list is defined, each LV that is to be activated
+    # is checked against the list, and if it matches, it as activated
+    # in read-only mode.  (This overrides '--permission rw' stored in the
+    # metadata.)
+    #   "vgname" and "vgname/lvname" are matched exactly.
+    #   "@tag" matches any tag set in the LV or VG.
+    #   "@*" matches if any tag defined on the host is also set in the LV or VG
+    #
+    # read_only_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+
+    # Size (in KB) of each copy operation when mirroring
+    mirror_region_size: 512
+
+    # Setting to use when there is no readahead value stored in the metadata.
+    #
+    # "none" - Disable readahead.
+    # "auto" - Use default value chosen by kernel.
+    readahead: "auto"
+
+    # 'raid_fault_policy' defines how a device failure in a RAID logical
+    # volume is handled.  This includes logical volumes that have the following
+    # segment types: raid1, raid4, raid5*, and raid6*.
+    #
+    # In the event of a failure, the following policies will determine what
+    # actions are performed during the automated response to failures (when
+    # dmeventd is monitoring the RAID logical volume) and when 'lvconvert' is
+    # called manually with the options '--repair' and '--use-policies'.
+    #
+    # "warn"	- Use the system log to warn the user that a device in the RAID
+    #		  logical volume has failed.  It is left to the user to run
+    #		  'lvconvert --repair' manually to remove or replace the failed
+    #		  device.  As long as the number of failed devices does not
+    #		  exceed the redundancy of the logical volume (1 device for
+    #		  raid4/5, 2 for raid6, etc) the logical volume will remain
+    #		  usable.
+    #
+    # "allocate" - Attempt to use any extra physical volumes in the volume
+    #		  group as spares and replace faulty devices.
+    #
+    raid_fault_policy: "warn"
+
+    # 'mirror_image_fault_policy' and 'mirror_log_fault_policy' define
+    # how a device failure affecting a mirror (of "mirror" segment type) is
+    # handled.  A mirror is composed of mirror images (copies) and a log.
+    # A disk log ensures that a mirror does not need to be re-synced
+    # (all copies made the same) every time a machine reboots or crashes.
+    #
+    # In the event of a failure, the specified policy will be used to determine
+    # what happens. This applies to automatic repairs (when the mirror is being
+    # monitored by dmeventd) and to manual lvconvert --repair when
+    # --use-policies is given.
+    #
+    # "remove" - Simply remove the faulty device and run without it.  If
+    #            the log device fails, the mirror would convert to using
+    #            an in-memory log.  This means the mirror will not
+    #            remember its sync status across crashes/reboots and
+    #            the entire mirror will be re-synced.  If a
+    #            mirror image fails, the mirror will convert to a
+    #            non-mirrored device if there is only one remaining good
+    #            copy.
+    #
+    # "allocate" - Remove the faulty device and try to allocate space on
+    #            a new device to be a replacement for the failed device.
+    #            Using this policy for the log is fast and maintains the
+    #            ability to remember sync state through crashes/reboots.
+    #            Using this policy for a mirror device is slow, as it
+    #            requires the mirror to resynchronize the devices, but it
+    #            will preserve the mirror characteristic of the device.
+    #            This policy acts like "remove" if no suitable device and
+    #            space can be allocated for the replacement.
+    #
+    # "allocate_anywhere" - Not yet implemented. Useful to place the log device
+    #            temporarily on same physical volume as one of the mirror
+    #            images. This policy is not recommended for mirror devices
+    #            since it would break the redundant nature of the mirror. This
+    #            policy acts like "remove" if no suitable device and space can
+    #            be allocated for the replacement.
+
+    mirror_log_fault_policy: "allocate"
+    mirror_image_fault_policy: "remove"
+
+    # 'snapshot_autoextend_threshold' and 'snapshot_autoextend_percent' define
+    # how to handle automatic snapshot extension. The former defines when the
+    # snapshot should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the snapshot, in percent of its current size.
+    #
+    # For example, if you set snapshot_autoextend_threshold to 70 and
+    # snapshot_autoextend_percent to 20, whenever a snapshot exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G snapshot, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the snapshot will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting snapshot_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    snapshot_autoextend_threshold: 100
+    snapshot_autoextend_percent: 20
+
+    # 'thin_pool_autoextend_threshold' and 'thin_pool_autoextend_percent' define
+    # how to handle automatic pool extension. The former defines when the
+    # pool should be extended: when its space usage exceeds this many
+    # percent. The latter defines how much extra space should be allocated for
+    # the pool, in percent of its current size.
+    #
+    # For example, if you set thin_pool_autoextend_threshold to 70 and
+    # thin_pool_autoextend_percent to 20, whenever a pool exceeds 70% usage,
+    # it will be extended by another 20%. For a 1G pool, using up 700M will
+    # trigger a resize to 1.2G. When the usage exceeds 840M, the pool will
+    # be extended to 1.44G, and so on.
+    #
+    # Setting thin_pool_autoextend_threshold to 100 disables automatic
+    # extensions. The minimum value is 50 (A setting below 50 will be treated
+    # as 50).
+
+    thin_pool_autoextend_threshold: 100
+    thin_pool_autoextend_percent: 20
+
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended, and as a precaution against deadlocks, LVM2 needs to pin
+    # any memory it is using so it is not paged out.  Groups of pages that
+    # are known not to be accessed during activation need not be pinned
+    # into memory.  Each string listed in this setting is compared against
+    # each line in /proc/self/maps, and the pages corresponding to any
+    # lines that match are not pinned.  On some systems locale-archive was
+    # found to make up over 80% of the memory used by the process.
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+
+    # Set to 1 to revert to the default behaviour prior to version 2.02.62
+    # which used mlockall() to pin the whole process's memory while activating
+    # devices.
+    use_mlockall: 0
+
+    # Monitoring is enabled by default when activating logical volumes.
+    # Set to 0 to disable monitoring or use the --ignoremonitoring option.
+    monitoring: 0
+
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress
+    # at intervals of this number of seconds.  The default is 15 seconds.
+    # If this is set to 0 and there is only one thing to wait for, there
+    # are no progress reports, but the process is awoken immediately the
+    # operation is complete.
+    polling_interval: 15
+
+
+####################
+# Advanced section #
+####################
+
+  # Metadata settings
+  #
+  # metadata:
+    # Default number of copies of metadata to hold on each PV.  0, 1 or 2.
+    # You might want to override it from the command line with 0
+    # when running pvcreate on new PVs which are to be added to large VGs.
+
+    # pvmetadatacopies: 1
+
+    # Default number of copies of metadata to maintain for each VG.
+    # If set to a non-zero value, LVM automatically chooses which of
+    # the available metadata areas to use to achieve the requested
+    # number of copies of the VG metadata.  If you set a value larger
+    # than the the total number of metadata areas available then
+    # metadata is stored in them all.
+    # The default value of 0 ("unmanaged") disables this automatic
+    # management and allows you to control which metadata areas
+    # are used at the individual PV level using 'pvchange
+    # --metadataignore y/n'.
+
+    # vgmetadatacopies: 0
+
+    # Approximate default size of on-disk metadata areas in sectors.
+    # You should increase this if you have large volume groups or
+    # you want to retain a large on-disk history of your metadata changes.
+
+    # pvmetadatasize: 255
+
+    # List of directories holding live copies of text format metadata.
+    # These directories must not be on logical volumes!
+    # It's possible to use LVM2 with a couple of directories here,
+    # preferably on different (non-LV) filesystems, and with no other
+    # on-disk metadata (pvmetadatacopies = 0). Or this can be in
+    # addition to on-disk metadata areas.
+    # The feature was originally added to simplify testing and is not
+    # supported under low memory situations - the machine could lock up.
+    #
+    # Never edit any files in these directories by hand unless you
+    # you are absolutely sure you know what you are doing! Use
+    # the supplied toolset to make changes (e.g. vgcfgrestore).
+
+    # dirs: [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ]
+
+
+  # Event daemon
+  #
+  dmeventd:
+    # mirror_library is the library used when monitoring a mirror device.
+    #
+    # "libdevmapper-event-lvm2mirror.so" attempts to recover from
+    # failures.  It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # snapshot_library is the library used when monitoring a snapshot device.
+    #
+    # "libdevmapper-event-lvm2snapshot.so" monitors the filling of
+    # snapshots and emits a warning through syslog when the use of
+    # the snapshot exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the snapshot is filled.
+
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
+
+    # thin_library is the library used when monitoring a thin device.
+    #
+    # "libdevmapper-event-lvm2thin.so" monitors the filling of
+    # pool and emits a warning through syslog when the use of
+    # the pool exceeds 80%. The warning is repeated when 85%, 90% and
+    # 95% of the pool is filled.
+
+    thin_library: "libdevmapper-event-lvm2thin.so"
+
+    # Full path of the dmeventd binary.
+    #
+    # executable: "/sbin/dmeventd"
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.03.02.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.03.02.yml
new file mode 100644
index 00000000..fd0ebdfa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_2.03.02.yml
@@ -0,0 +1,2164 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Based on /etc/lvm/lvm.conf from Debian Buster
+lvm__config_base_version: '2.03.02-3'
+
+lvm__config_base:
+
+  # Configuration section config.
+  # How LVM configuration settings are handled.
+  config:
+
+    # Configuration option config/checks.
+    # If enabled, any LVM configuration mismatch is reported.
+    # This implies checking that the configuration key is understood by
+    # LVM and that the value of the key is the proper type. If disabled,
+    # any configuration mismatch is ignored and the default value is used
+    # without any warning (a message about the configuration key not being
+    # found is issued in verbose mode only).
+    checks: 1
+
+    # Configuration option config/abort_on_errors.
+    # Abort the LVM process if a configuration mismatch is found.
+    abort_on_errors: 0
+
+    # Configuration option config/profile_dir.
+    # Directory where LVM looks for configuration profiles.
+    profile_dir: "/etc/lvm/profile"
+
+  # Configuration section devices.
+  # How LVM uses block devices.
+  devices:
+
+    # Configuration option devices/dir.
+    # Directory in which to create volume group device nodes.
+    # Commands also accept this as a prefix on volume group names.
+    # This configuration option is advanced.
+    dir: "/dev"
+
+    # Configuration option devices/scan.
+    # Directories containing device nodes to use with LVM.
+    # This configuration option is advanced.
+    scan: [ "/dev" ]
+
+    # Configuration option devices/obtain_device_list_from_udev.
+    # Obtain the list of available devices from udev.
+    # This avoids opening or using any inapplicable non-block devices or
+    # subdirectories found in the udev directory. Any device node or
+    # symlink not managed by udev in the udev directory is ignored. This
+    # setting applies only to the udev-managed device directory; other
+    # directories will be scanned fully. LVM needs to be compiled with
+    # udev support for this setting to apply.
+    obtain_device_list_from_udev: 1
+
+    # Configuration option devices/external_device_info_source.
+    # Select an external device information source.
+    # Some information may already be available in the system and LVM can
+    # use this information to determine the exact type or use of devices it
+    # processes. Using an existing external device information source can
+    # speed up device processing as LVM does not need to run its own native
+    # routines to acquire this information. For example, this information
+    # is used to drive LVM filtering like MD component detection, multipath
+    # component detection, partition detection and others.
+    #
+    # Accepted values:
+    #   none
+    #     No external device information source is used.
+    #   udev
+    #     Reuse existing udev database records. Applicable only if LVM is
+    #     compiled with udev support.
+    #
+    external_device_info_source: "none"
+
+    # Configuration option devices/preferred_names.
+    # Select which path name to display for a block device.
+    # If multiple path names exist for a block device, and LVM needs to
+    # display a name for the device, the path names are matched against
+    # each item in this list of regular expressions. The first match is
+    # used. Try to avoid using undescriptive /dev/dm-N names, if present.
+    # If no preferred name matches, or if preferred_names are not defined,
+    # the following built-in preferences are applied in order until one
+    # produces a preferred name:
+    # Prefer names with path prefixes in the order of:
+    # /dev/mapper, /dev/disk, /dev/dm-*, /dev/block.
+    # Prefer the name with the least number of slashes.
+    # Prefer a name that is a symlink.
+    # Prefer the path with least value in lexicographical order.
+    #
+    # Example
+    # preferred_names: [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option devices/filter.
+    # Limit the block devices that are used by LVM commands.
+    # This is a list of regular expressions used to accept or reject block
+    # device path names. Each regex is delimited by a vertical bar '|'
+    # (or any character) and is preceded by 'a' to accept the path, or
+    # by 'r' to reject the path. The first regex in the list to match the
+    # path is used, producing the 'a' or 'r' result for the device.
+    # When multiple path names exist for a block device, if any path name
+    # matches an 'a' pattern before an 'r' pattern, then the device is
+    # accepted. If all the path names match an 'r' pattern first, then the
+    # device is rejected. Unmatching path names do not affect the accept
+    # or reject decision. If no path names for a device match a pattern,
+    # then the device is accepted. Be careful mixing 'a' and 'r' patterns,
+    # as the combination might produce unexpected results (test changes.)
+    # Run vgscan after changing the filter to regenerate the cache.
+    #
+    # Example
+    # Accept every block device:
+    # filter: [ "a|.*/|" ]
+    # Reject the cdrom drive:
+    # filter: [ "r|/dev/cdrom|" ]
+    # Work with just loopback devices, e.g. for testing:
+    # filter: [ "a|loop|", "r|.*|" ]
+    # Accept all loop devices and ide drives except hdc:
+    # filter: [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
+    # Use anchors to be very specific:
+    # filter: [ "a|^/dev/hda8$|", "r|.*/|" ]
+    #
+    # This configuration option has an automatic default value.
+    # filter: [ "a|.*/|" ]
+
+    # Configuration option devices/global_filter.
+    # Limit the block devices that are used by LVM system components.
+    # Because devices/filter may be overridden from the command line, it is
+    # not suitable for system-wide device filtering, e.g. udev.
+    # Use global_filter to hide devices from these LVM system components.
+    # The syntax is the same as devices/filter. Devices rejected by
+    # global_filter are not opened by LVM.
+    # This configuration option has an automatic default value.
+    # global_filter: [ "a|.*/|" ]
+
+    # Configuration option devices/types.
+    # List of additional acceptable block device types.
+    # These are of device type names from /proc/devices, followed by the
+    # maximum number of partitions.
+    #
+    # Example
+    # types: [ "fd", 16 ]
+    #
+    # This configuration option is advanced.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option devices/sysfs_scan.
+    # Restrict device scanning to block devices appearing in sysfs.
+    # This is a quick way of filtering out block devices that are not
+    # present on the system. sysfs must be part of the kernel and mounted.)
+    sysfs_scan: 1
+
+    # Configuration option devices/scan_lvs.
+    # Scan LVM LVs for layered PVs.
+    scan_lvs: 1
+
+    # Configuration option devices/multipath_component_detection.
+    # Ignore devices that are components of DM multipath devices.
+    multipath_component_detection: 1
+
+    # Configuration option devices/md_component_detection.
+    # Ignore devices that are components of software RAID (md) devices.
+    md_component_detection: 1
+
+    # Configuration option devices/fw_raid_component_detection.
+    # Ignore devices that are components of firmware RAID devices.
+    # LVM must use an external_device_info_source other than none for this
+    # detection to execute.
+    fw_raid_component_detection: 0
+
+    # Configuration option devices/md_chunk_alignment.
+    # Align the start of a PV data area with md device's stripe-width.
+    # This applies if a PV is placed directly on an md device.
+    # default_data_alignment will be overridden if it is not aligned
+    # with the value detected for this setting.
+    # This setting is overridden by data_alignment_detection,
+    # data_alignment, and the --dataalignment option.
+    md_chunk_alignment: 1
+
+    # Configuration option devices/default_data_alignment.
+    # Align the start of a PV data area with this number of MiB.
+    # Set to 1 for 1MiB, 2 for 2MiB, etc. Set to 0 to disable.
+    # This setting is overridden by data_alignment and the --dataalignment
+    # option.
+    # This configuration option has an automatic default value.
+    # default_data_alignment: 1
+
+    # Configuration option devices/data_alignment_detection.
+    # Align the start of a PV data area with sysfs io properties.
+    # The start of a PV data area will be a multiple of minimum_io_size or
+    # optimal_io_size exposed in sysfs. minimum_io_size is the smallest
+    # request the device can perform without incurring a read-modify-write
+    # penalty, e.g. MD chunk size. optimal_io_size is the device's
+    # preferred unit of receiving I/O, e.g. MD stripe width.
+    # minimum_io_size is used if optimal_io_size is undefined (0).
+    # If md_chunk_alignment is enabled, that detects the optimal_io_size.
+    # default_data_alignment and md_chunk_alignment will be overridden
+    # if they are not aligned with the value detected for this setting.
+    # This setting is overridden by data_alignment and the --dataalignment
+    # option.
+    data_alignment_detection: 1
+
+    # Configuration option devices/data_alignment.
+    # Align the start of a PV data area with this number of KiB.
+    # When non-zero, this setting overrides default_data_alignment.
+    # Set to 0 to disable, in which case default_data_alignment
+    # is used to align the first PE in units of MiB.
+    # This setting is overridden by the --dataalignment option.
+    data_alignment: 0
+
+    # Configuration option devices/data_alignment_offset_detection.
+    # Shift the start of an aligned PV data area based on sysfs information.
+    # After a PV data area is aligned, it will be shifted by the
+    # alignment_offset exposed in sysfs. This offset is often 0, but may
+    # be non-zero. Certain 4KiB sector drives that compensate for windows
+    # partitioning will have an alignment_offset of 3584 bytes (sector 7
+    # is the lowest aligned logical block, the 4KiB sectors start at
+    # LBA -1, and consequently sector 63 is aligned on a 4KiB boundary).
+    # This setting is overridden by the --dataalignmentoffset option.
+    data_alignment_offset_detection: 1
+
+    # Configuration option devices/ignore_suspended_devices.
+    # Ignore DM devices that have I/O suspended while scanning devices.
+    # Otherwise, LVM waits for a suspended device to become accessible.
+    # This should only be needed in recovery situations.
+    ignore_suspended_devices: 0
+
+    # Configuration option devices/ignore_lvm_mirrors.
+    # Do not scan 'mirror' LVs to avoid possible deadlocks.
+    # This avoids possible deadlocks when using the 'mirror' segment type.
+    # This setting determines whether LVs using the 'mirror' segment type
+    # are scanned for LVM labels. This affects the ability of mirrors to
+    # be used as physical volumes. If this setting is enabled, it is
+    # impossible to create VGs on top of mirror LVs, i.e. to stack VGs on
+    # mirror LVs. If this setting is disabled, allowing mirror LVs to be
+    # scanned, it may cause LVM processes and I/O to the mirror to become
+    # blocked. This is due to the way that the mirror segment type handles
+    # failures. In order for the hang to occur, an LVM command must be run
+    # just after a failure and before the automatic LVM repair process
+    # takes place, or there must be failures in multiple mirrors in the
+    # same VG at the same time with write failures occurring moments before
+    # a scan of the mirror's labels. The 'mirror' scanning problems do not
+    # apply to LVM RAID types like 'raid1' which handle failures in a
+    # different way, making them a better choice for VG stacking.
+    ignore_lvm_mirrors: 1
+
+    # Configuration option devices/require_restorefile_with_uuid.
+    # Allow use of pvcreate --uuid without requiring --restorefile.
+    require_restorefile_with_uuid: 1
+
+    # Configuration option devices/pv_min_size.
+    # Minimum size in KiB of block devices which can be used as PVs.
+    # In a clustered environment all nodes must use the same value.
+    # Any value smaller than 512KiB is ignored. The previous built-in
+    # value was 512.
+    pv_min_size: 2048
+
+    # Configuration option devices/issue_discards.
+    # Issue discards to PVs that are no longer used by an LV.
+    # Discards are sent to an LV's underlying physical volumes when the LV
+    # is no longer using the physical volumes' space, e.g. lvremove,
+    # lvreduce. Discards inform the storage that a region is no longer
+    # used. Storage that supports discards advertise the protocol-specific
+    # way discards should be issued by the kernel (TRIM, UNMAP, or
+    # WRITE SAME with UNMAP bit set). Not all storage will support or
+    # benefit from discards, but SSDs and thinly provisioned LUNs
+    # generally do. If enabled, discards will only be issued if both the
+    # storage and kernel provide support.
+    issue_discards: 0
+
+    # Configuration option devices/allow_changes_with_duplicate_pvs.
+    # Allow VG modification while a PV appears on multiple devices.
+    # When a PV appears on multiple devices, LVM attempts to choose the
+    # best device to use for the PV. If the devices represent the same
+    # underlying storage, the choice has minimal consequence. If the
+    # devices represent different underlying storage, the wrong choice
+    # can result in data loss if the VG is modified. Disabling this
+    # setting is the safest option because it prevents modifying a VG
+    # or activating LVs in it while a PV appears on multiple devices.
+    # Enabling this setting allows the VG to be used as usual even with
+    # uncertain devices.
+    allow_changes_with_duplicate_pvs: 0
+
+  # Configuration section allocation.
+  # How LVM selects space and applies properties to LVs.
+  allocation:
+
+    # Configuration option allocation/cling_tag_list.
+    # Advise LVM which PVs to use when searching for new space.
+    # When searching for free space to extend an LV, the 'cling' allocation
+    # policy will choose space on the same PVs as the last segment of the
+    # existing LV. If there is insufficient space and a list of tags is
+    # defined here, it will check whether any of them are attached to the
+    # PVs concerned and then seek to match those PV tags between existing
+    # extents and new extents.
+    #
+    # Example
+    # Use the special tag "@*" as a wildcard to match any PV tag:
+    # cling_tag_list: [ "@*" ]
+    # LVs are mirrored between two sites within a single VG, and
+    # PVs are tagged with either @site1 or @site2 to indicate where
+    # they are situated:
+    # cling_tag_list: [ "@site1", "@site2" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/maximise_cling.
+    # Use a previous allocation algorithm.
+    # Changes made in version 2.02.85 extended the reach of the 'cling'
+    # policies to detect more situations where data can be grouped onto
+    # the same disks. This setting can be used to disable the changes
+    # and revert to the previous algorithm.
+    maximise_cling: 1
+
+    # Configuration option allocation/use_blkid_wiping.
+    # Use blkid to detect and erase existing signatures on new PVs and LVs.
+    # The blkid library can detect more signatures than the native LVM
+    # detection code, but may take longer. LVM needs to be compiled with
+    # blkid wiping support for this setting to apply. LVM native detection
+    # code is currently able to recognize: MD device signatures,
+    # swap signature, and LUKS signatures. To see the list of signatures
+    # recognized by blkid, check the output of the 'blkid -k' command.
+    use_blkid_wiping: 1
+
+    # Configuration option allocation/wipe_signatures_when_zeroing_new_lvs.
+    # Look for and erase any signatures while zeroing a new LV.
+    # The --wipesignatures option overrides this setting.
+    # Zeroing is controlled by the -Z/--zero option, and if not specified,
+    # zeroing is used by default if possible. Zeroing simply overwrites the
+    # first 4KiB of a new LV with zeroes and does no signature detection or
+    # wiping. Signature wiping goes beyond zeroing and detects exact types
+    # and positions of signatures within the whole LV. It provides a
+    # cleaner LV after creation as all known signatures are wiped. The LV
+    # is not claimed incorrectly by other tools because of old signatures
+    # from previous use. The number of signatures that LVM can detect
+    # depends on the detection code that is selected (see
+    # use_blkid_wiping.) Wiping each detected signature must be confirmed.
+    # When this setting is disabled, signatures on new LVs are not detected
+    # or erased unless the --wipesignatures option is used directly.
+    wipe_signatures_when_zeroing_new_lvs: 1
+
+    # Configuration option allocation/mirror_logs_require_separate_pvs.
+    # Mirror logs and images will always use different PVs.
+    # The default setting changed in version 2.02.85.
+    mirror_logs_require_separate_pvs: 0
+
+    # Configuration option allocation/raid_stripe_all_devices.
+    # Stripe across all PVs when RAID stripes are not specified.
+    # If enabled, all PVs in the VG or on the command line are used for
+    # raid0/4/5/6/10 when the command does not specify the number of
+    # stripes to use.
+    # This was the default behaviour until release 2.02.162.
+    # This configuration option has an automatic default value.
+    # raid_stripe_all_devices: 0
+
+    # Configuration option allocation/cache_pool_metadata_require_separate_pvs.
+    # Cache pool metadata and data will always use different PVs.
+    cache_pool_metadata_require_separate_pvs: 0
+
+    # Configuration option allocation/cache_metadata_format.
+    # Sets default metadata format for new cache.
+    #
+    # Accepted values:
+    #   0  Automatically detected best available format
+    #   1  Original format
+    #   2  Improved 2nd. generation format
+    #
+    # This configuration option has an automatic default value.
+    # cache_metadata_format: 0
+
+    # Configuration option allocation/cache_mode.
+    # The default cache mode used for new cache.
+    #
+    # Accepted values:
+    #   writethrough
+    #     Data blocks are immediately written from the cache to disk.
+    #   writeback
+    #     Data blocks are written from the cache back to disk after some
+    #     delay to improve performance.
+    #
+    # This setting replaces allocation/cache_pool_cachemode.
+    # This configuration option has an automatic default value.
+    # cache_mode: "writethrough"
+
+    # Configuration option allocation/cache_policy.
+    # The default cache policy used for new cache volume.
+    # Since kernel 4.2 the default policy is smq (Stochastic multiqueue),
+    # otherwise the older mq (Multiqueue) policy is selected.
+    # This configuration option does not have a default value defined.
+
+    # Configuration section allocation/cache_settings.
+    # Settings for the cache policy.
+    # See documentation for individual cache policies for more info.
+    # This configuration section has an automatic default value.
+    # cache_settings: {}
+
+    # Configuration option allocation/cache_pool_chunk_size.
+    # The minimal chunk size in KiB for cache pool volumes.
+    # Using a chunk_size that is too large can result in wasteful use of
+    # the cache, where small reads and writes can cause large sections of
+    # an LV to be mapped into the cache. However, choosing a chunk_size
+    # that is too small can result in more overhead trying to manage the
+    # numerous chunks that become mapped into the cache. The former is
+    # more of a problem than the latter in most cases, so the default is
+    # on the smaller end of the spectrum. Supported values range from
+    # 32KiB to 1GiB in multiples of 32.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/cache_pool_max_chunks.
+    # The maximum number of chunks in a cache pool.
+    # For cache target v1.9 the recommended maximumm is 1000000 chunks.
+    # Using cache pool with more chunks may degrade cache performance.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/thin_pool_metadata_require_separate_pvs.
+    # Thin pool metadata and data will always use different PVs.
+    thin_pool_metadata_require_separate_pvs: 0
+
+    # Configuration option allocation/thin_pool_zero.
+    # Thin pool data chunks are zeroed before they are first used.
+    # Zeroing with a larger thin pool chunk size reduces performance.
+    # This configuration option has an automatic default value.
+    # thin_pool_zero: 1
+
+    # Configuration option allocation/thin_pool_discards.
+    # The discards behaviour of thin pool volumes.
+    #
+    # Accepted values:
+    #   ignore
+    #   nopassdown
+    #   passdown
+    #
+    # This configuration option has an automatic default value.
+    # thin_pool_discards: "passdown"
+
+    # Configuration option allocation/thin_pool_chunk_size_policy.
+    # The chunk size calculation policy for thin pool volumes.
+    #
+    # Accepted values:
+    #   generic
+    #     If thin_pool_chunk_size is defined, use it. Otherwise, calculate
+    #     the chunk size based on estimation and device hints exposed in
+    #     sysfs - the minimum_io_size. The chunk size is always at least
+    #     64KiB.
+    #   performance
+    #     If thin_pool_chunk_size is defined, use it. Otherwise, calculate
+    #     the chunk size for performance based on device hints exposed in
+    #     sysfs - the optimal_io_size. The chunk size is always at least
+    #     512KiB.
+    #
+    # This configuration option has an automatic default value.
+    # thin_pool_chunk_size_policy: "generic"
+
+    # Configuration option allocation/thin_pool_chunk_size.
+    # The minimal chunk size in KiB for thin pool volumes.
+    # Larger chunk sizes may improve performance for plain thin volumes,
+    # however using them for snapshot volumes is less efficient, as it
+    # consumes more space and takes extra time for copying. When unset,
+    # lvm tries to estimate chunk size starting from 64KiB. Supported
+    # values are in the range 64KiB to 1GiB.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option allocation/physical_extent_size.
+    # Default physical extent size in KiB to use for new VGs.
+    # This configuration option has an automatic default value.
+    # physical_extent_size: 4096
+
+    # Configuration option allocation/vdo_use_compression.
+    # Enables or disables compression when creating a VDO volume.
+    # Compression may be disabled if necessary to maximize performance
+    # or to speed processing of data that is unlikely to compress.
+    # This configuration option has an automatic default value.
+    # vdo_use_compression: 1
+
+    # Configuration option allocation/vdo_use_deduplication.
+    # Enables or disables deduplication when creating a VDO volume.
+    # Deduplication may be disabled in instances where data is not expected
+    # to have good deduplication rates but compression is still desired.
+    # This configuration option has an automatic default value.
+    # vdo_use_deduplication: 1
+
+    # Configuration option allocation/vdo_emulate_512_sectors.
+    # Specifies that the VDO volume is to emulate a 512 byte block device.
+    # This configuration option has an automatic default value.
+    # vdo_emulate_512_sectors: 0
+
+    # Configuration option allocation/vdo_block_map_cache_size_mb.
+    # Specifies the amount of memory in MiB allocated for caching block map
+    # pages for VDO volume. The value must be a multiple of 4096 and must be
+    # at least 128MiB and less than 16TiB. The cache must be at least 16MiB
+    # per logical thread. Note that there is a memory overhead of 15%.
+    # This configuration option has an automatic default value.
+    # vdo_block_map_cache_size_mb: 128
+
+    # Configuration option allocation/vdo_block_map_period.
+    # Tunes the quantity of block map updates that can accumulate
+    # before cache pages are flushed to disk. The value must be
+    # at least 1 and less then 16380.
+    # A lower value means shorter recovery time but lower performance.
+    # This configuration option has an automatic default value.
+    # vdo_block_map_period: 16380
+
+    # Configuration option allocation/vdo_check_point_frequency.
+    # The default check point frequency for VDO volume.
+    # This configuration option has an automatic default value.
+    # vdo_check_point_frequency: 0
+
+    # Configuration option allocation/vdo_use_sparse_index.
+    # Enables sparse indexing for VDO volume.
+    # This configuration option has an automatic default value.
+    # vdo_use_sparse_index: 0
+
+    # Configuration option allocation/vdo_index_memory_size_mb.
+    # Specifies the amount of index memory in MiB for VDO volume.
+    # The value must be at least 256MiB and at most 1TiB.
+    # This configuration option has an automatic default value.
+    # vdo_index_memory_size_mb: 256
+
+    # Configuration option allocation/vdo_use_read_cache.
+    # Enables or disables the read cache within the VDO volume.
+    # The cache should be enabled if write workloads are expected
+    # to have high levels of deduplication, or for read intensive
+    # workloads of highly compressible data.
+    # This configuration option has an automatic default value.
+    # vdo_use_read_cache: 0
+
+    # Configuration option allocation/vdo_read_cache_size_mb.
+    # Specifies the extra VDO volume read cache size in MiB.
+    # This space is in addition to a system-defined minimum.
+    # The value must be less then 16TiB and 1.12 MiB of memory
+    # will be used per MiB of read cache specified, per bio thread.
+    # This configuration option has an automatic default value.
+    # vdo_read_cache_size_mb: 0
+
+    # Configuration option allocation/vdo_slab_size_mb.
+    # Specifies the size in MiB of the increment by which a VDO is grown.
+    # Using a smaller size constrains the total maximum physical size
+    # that can be accommodated. Must be a power of two between 128MiB and 32GiB.
+    # This configuration option has an automatic default value.
+    # vdo_slab_size_mb: 2048
+
+    # Configuration option allocation/vdo_ack_threads.
+    # Specifies the number of threads to use for acknowledging
+    # completion of requested VDO I/O operations.
+    # The value must be at in range [0..100].
+    # This configuration option has an automatic default value.
+    # vdo_ack_threads: 1
+
+    # Configuration option allocation/vdo_bio_threads.
+    # Specifies the number of threads to use for submitting I/O
+    # operations to the storage device of VDO volume.
+    # The value must be in range [1..100]
+    # Each additional thread after the first will use an additional 18MiB of RAM,
+    # plus 1.12 MiB of RAM per megabyte of configured read cache size.
+    # This configuration option has an automatic default value.
+    # vdo_bio_threads: 1
+
+    # Configuration option allocation/vdo_bio_rotation.
+    # Specifies the number of I/O operations to enqueue for each bio-submission
+    # thread before directing work to the next. The value must be in range [1..1024].
+    # This configuration option has an automatic default value.
+    # vdo_bio_rotation: 64
+
+    # Configuration option allocation/vdo_cpu_threads.
+    # Specifies the number of threads to use for CPU-intensive work such as
+    # hashing or compression for VDO volume. The value must be in range [1..100]
+    # This configuration option has an automatic default value.
+    # vdo_cpu_threads: 2
+
+    # Configuration option allocation/vdo_hash_zone_threads.
+    # Specifies the number of threads across which to subdivide parts of the VDO
+    # processing based on the hash value computed from the block data.
+    # The value must be at in range [0..100].
+    # vdo_hash_zone_threads, vdo_logical_threads and vdo_physical_threads must be
+    # either all zero or all non-zero.
+    # This configuration option has an automatic default value.
+    # vdo_hash_zone_threads: 1
+
+    # Configuration option allocation/vdo_logical_threads.
+    # Specifies the number of threads across which to subdivide parts of the VDO
+    # processing based on the hash value computed from the block data.
+    # A logical thread count of 9 or more will require explicitly specifying
+    # a sufficiently large block map cache size, as well.
+    # The value must be in range [0..100].
+    # vdo_hash_zone_threads, vdo_logical_threads and vdo_physical_threads must be
+    # either all zero or all non-zero.
+    # This configuration option has an automatic default value.
+    # vdo_logical_threads: 1
+
+    # Configuration option allocation/vdo_physical_threads.
+    # Specifies the number of threads across which to subdivide parts of the VDO
+    # processing based on physical block addresses.
+    # Each additional thread after the first will use an additional 10MiB of RAM.
+    # The value must be in range [0..16].
+    # vdo_hash_zone_threads, vdo_logical_threads and vdo_physical_threads must be
+    # either all zero or all non-zero.
+    # This configuration option has an automatic default value.
+    # vdo_physical_threads: 1
+
+    # Configuration option allocation/vdo_write_policy.
+    # Specifies the write policy:
+    # auto  - VDO will check the storage device and determine whether it supports flushes.
+    #         If it does, VDO will run in async mode, otherwise it will run in sync mode.
+    # sync  - Writes are acknowledged only after data is stably written.
+    #         This policy is not supported if the underlying storage is not also synchronous.
+    # async - Writes are acknowledged after data has been cached for writing to stable storage.
+    #         Data which has not been flushed is not guaranteed to persist in this mode.
+    # This configuration option has an automatic default value.
+    # vdo_write_policy: "auto"
+
+  # Configuration section log.
+  # How LVM log information is reported.
+  log:
+
+    # Configuration option log/report_command_log.
+    # Enable or disable LVM log reporting.
+    # If enabled, LVM will collect a log of operations, messages,
+    # per-object return codes with object identification and associated
+    # error numbers (errnos) during LVM command processing. Then the
+    # log is either reported solely or in addition to any existing
+    # reports, depending on LVM command used. If it is a reporting command
+    # (e.g. pvs, vgs, lvs, lvm fullreport), then the log is reported in
+    # addition to any existing reports. Otherwise, there's only log report
+    # on output. For all applicable LVM commands, you can request that
+    # the output has only log report by using --logonly command line
+    # option. Use log/command_log_cols and log/command_log_sort settings
+    # to define fields to display and sort fields for the log report.
+    # You can also use log/command_log_selection to define selection
+    # criteria used each time the log is reported.
+    # This configuration option has an automatic default value.
+    # report_command_log: 0
+
+    # Configuration option log/command_log_sort.
+    # List of columns to sort by when reporting command log.
+    # See <lvm command> --logonly --configreport log -o help
+    # for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # command_log_sort: "log_seq_num"
+
+    # Configuration option log/command_log_cols.
+    # List of columns to report when reporting command log.
+    # See <lvm command> --logonly --configreport log -o help
+    # for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # command_log_cols: "log_seq_num,log_type,log_context,log_object_type,log_object_name,log_object_id,log_object_group,log_object_group_id,log_message,log_errno,log_ret_code"
+
+    # Configuration option log/command_log_selection.
+    # Selection criteria used when reporting command log.
+    # You can define selection criteria that are applied each
+    # time log is reported. This way, it is possible to control the
+    # amount of log that is displayed on output and you can select
+    # only parts of the log that are important for you. To define
+    # selection criteria, use fields from log report. See also
+    # <lvm command> --logonly --configreport log -S help for the
+    # list of possible fields and selection operators. You can also
+    # define selection criteria for log report on command line directly
+    # using <lvm command> --configreport log -S <selection criteria>
+    # which has precedence over log/command_log_selection setting.
+    # For more information about selection criteria in general, see
+    # lvm(8) man page.
+    # This configuration option has an automatic default value.
+    # command_log_selection: "!(log_type=status && message=success)"
+
+    # Configuration option log/verbose.
+    # Controls the messages sent to stdout or stderr.
+    verbose: 0
+
+    # Configuration option log/silent.
+    # Suppress all non-essential messages from stdout.
+    # This has the same effect as -qq. When enabled, the following commands
+    # still produce output: dumpconfig, lvdisplay, lvmdiskscan, lvs, pvck,
+    # pvdisplay, pvs, version, vgcfgrestore -l, vgdisplay, vgs.
+    # Non-essential messages are shifted from log level 4 to log level 5
+    # for syslog and lvm2_log_fn purposes.
+    # Any 'yes' or 'no' questions not overridden by other arguments are
+    # suppressed and default to 'no'.
+    silent: 0
+
+    # Configuration option log/syslog.
+    # Send log messages through syslog.
+    syslog: 1
+
+    # Configuration option log/file.
+    # Write error and debug log messages to a file specified here.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option log/overwrite.
+    # Overwrite the log file each time the program is run.
+    overwrite: 0
+
+    # Configuration option log/level.
+    # The level of log messages that are sent to the log file or syslog.
+    # There are 6 syslog-like log levels currently in use: 2 to 7 inclusive.
+    # 7 is the most verbose (LOG_DEBUG).
+    level: 0
+
+    # Configuration option log/indent.
+    # Indent messages according to their severity.
+    indent: 1
+
+    # Configuration option log/command_names.
+    # Display the command name on each line of output.
+    command_names: 0
+
+    # Configuration option log/prefix.
+    # A prefix to use before the log message text.
+    # (After the command name, if selected).
+    # Two spaces allows you to see/grep the severity of each message.
+    # To make the messages look similar to the original LVM tools use:
+    # indent: 0, command_names: 1, prefix: " -- "
+    prefix: "  "
+
+    # Configuration option log/activation.
+    # Log messages during activation.
+    # Don't use this in low memory situations (can deadlock).
+    activation: 0
+
+    # Configuration option log/debug_classes.
+    # Select log messages by class.
+    # Some debugging messages are assigned to a class and only appear in
+    # debug output if the class is listed here. Classes currently
+    # available: memory, devices, io, activation, allocation,
+    # metadata, cache, locking, lvmpolld. Use "all" to see everything.
+    debug_classes: [ "memory", "devices", "io", "activation", "allocation", "metadata", "cache", "locking", "lvmpolld", "dbus" ]
+
+  # Configuration section backup.
+  # How LVM metadata is backed up and archived.
+  # In LVM, a 'backup' is a copy of the metadata for the current system,
+  # and an 'archive' contains old metadata configurations. They are
+  # stored in a human readable text format.
+  backup:
+
+    # Configuration option backup/backup.
+    # Maintain a backup of the current metadata configuration.
+    # Think very hard before turning this off!
+    backup: 1
+
+    # Configuration option backup/backup_dir.
+    # Location of the metadata backup files.
+    # Remember to back up this directory regularly!
+    backup_dir: "/etc/lvm/backup"
+
+    # Configuration option backup/archive.
+    # Maintain an archive of old metadata configurations.
+    # Think very hard before turning this off.
+    archive: 1
+
+    # Configuration option backup/archive_dir.
+    # Location of the metadata archive files.
+    # Remember to back up this directory regularly!
+    archive_dir: "/etc/lvm/archive"
+
+    # Configuration option backup/retain_min.
+    # Minimum number of archives to keep.
+    retain_min: 10
+
+    # Configuration option backup/retain_days.
+    # Minimum number of days to keep archive files.
+    retain_days: 30
+
+  # Configuration section shell.
+  # Settings for running LVM in shell (readline) mode.
+  shell:
+
+    # Configuration option shell/history_size.
+    # Number of lines of history to store in ~/.lvm_history.
+    history_size: 100
+
+  # Configuration section global.
+  # Miscellaneous global LVM settings.
+  global:
+
+    # Configuration option global/umask.
+    # The file creation mask for any files and directories created.
+    # Interpreted as octal if the first digit is zero.
+    umask: '0077'
+
+    # Configuration option global/test.
+    # No on-disk metadata changes will be made in test mode.
+    # Equivalent to having the -t option on every command.
+    test: 0
+
+    # Configuration option global/units.
+    # Default value for --units argument.
+    units: "r"
+
+    # Configuration option global/si_unit_consistency.
+    # Distinguish between powers of 1024 and 1000 bytes.
+    # The LVM commands distinguish between powers of 1024 bytes,
+    # e.g. KiB, MiB, GiB, and powers of 1000 bytes, e.g. KB, MB, GB.
+    # If scripts depend on the old behaviour, disable this setting
+    # temporarily until they are updated.
+    si_unit_consistency: 1
+
+    # Configuration option global/suffix.
+    # Display unit suffix for sizes.
+    # This setting has no effect if the units are in human-readable form
+    # (global/units: "h") in which case the suffix is always displayed.
+    suffix: 1
+
+    # Configuration option global/activation.
+    # Enable/disable communication with the kernel device-mapper.
+    # Disable to use the tools to manipulate LVM metadata without
+    # activating any logical volumes. If the device-mapper driver
+    # is not present in the kernel, disabling this should suppress
+    # the error messages.
+    activation: 1
+
+    # Configuration option global/segment_libraries.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/proc.
+    # Location of proc filesystem.
+    # This configuration option is advanced.
+    proc: "/proc"
+
+    # Configuration option global/etc.
+    # Location of /etc system configuration directory.
+    etc: "/etc"
+
+    # Configuration option global/wait_for_locks.
+    # When disabled, fail if a lock request would block.
+    wait_for_locks: 1
+
+    # Configuration option global/locking_dir.
+    # Directory to use for LVM command file locks.
+    # Local non-LV directory that holds file-based locks while commands are
+    # in progress. A directory like /tmp that may get wiped on reboot is OK.
+    locking_dir: "/run/lock/lvm"
+
+    # Configuration option global/prioritise_write_locks.
+    # Allow quicker VG write access during high volume read access.
+    # When there are competing read-only and read-write access requests for
+    # a volume group's metadata, instead of always granting the read-only
+    # requests immediately, delay them to allow the read-write requests to
+    # be serviced. Without this setting, write access may be stalled by a
+    # high volume of read-only requests. This option only affects
+    # locking_type 1 viz. local file-based locking.
+    prioritise_write_locks: 1
+
+    # Configuration option global/library_dir.
+    # Search this directory first for shared libraries.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/abort_on_internal_errors.
+    # Abort a command that encounters an internal error.
+    # Treat any internal errors as fatal errors, aborting the process that
+    # encountered the internal error. Please only enable for debugging.
+    abort_on_internal_errors: 0
+
+    # Configuration option global/metadata_read_only.
+    # No operations that change on-disk metadata are permitted.
+    # Additionally, read-only commands that encounter metadata in need of
+    # repair will still be allowed to proceed exactly as if the repair had
+    # been performed (except for the unchanged vg_seqno). Inappropriate
+    # use could mess up your system, so seek advice first!
+    metadata_read_only: 0
+
+    # Configuration option global/mirror_segtype_default.
+    # The segment type used by the short mirroring option -m.
+    # The --type mirror|raid1 option overrides this setting.
+    #
+    # Accepted values:
+    #   mirror
+    #     The original RAID1 implementation from LVM/DM. It is
+    #     characterized by a flexible log solution (core, disk, mirrored),
+    #     and by the necessity to block I/O while handling a failure.
+    #     There is an inherent race in the dmeventd failure handling logic
+    #     with snapshots of devices using this type of RAID1 that in the
+    #     worst case could cause a deadlock. (Also see
+    #     devices/ignore_lvm_mirrors.)
+    #   raid1
+    #     This is a newer RAID1 implementation using the MD RAID1
+    #     personality through device-mapper. It is characterized by a
+    #     lack of log options. (A log is always allocated for every
+    #     device and they are placed on the same device as the image,
+    #     so no separate devices are required.) This mirror
+    #     implementation does not require I/O to be blocked while
+    #     handling a failure. This mirror implementation is not
+    #     cluster-aware and cannot be used in a shared (active/active)
+    #     fashion in a cluster.
+    #
+    mirror_segtype_default: "raid1"
+
+    # Configuration option global/raid10_segtype_default.
+    # The segment type used by the -i -m combination.
+    # The --type raid10|mirror option overrides this setting.
+    # The --stripes/-i and --mirrors/-m options can both be specified
+    # during the creation of a logical volume to use both striping and
+    # mirroring for the LV. There are two different implementations.
+    #
+    # Accepted values:
+    #   raid10
+    #     LVM uses MD's RAID10 personality through DM. This is the
+    #     preferred option.
+    #   mirror
+    #     LVM layers the 'mirror' and 'stripe' segment types. The layering
+    #     is done by creating a mirror LV on top of striped sub-LVs,
+    #     effectively creating a RAID 0+1 array. The layering is suboptimal
+    #     in terms of providing redundancy and performance.
+    #
+    raid10_segtype_default: "raid10"
+
+    # Configuration option global/sparse_segtype_default.
+    # The segment type used by the -V -L combination.
+    # The --type snapshot|thin option overrides this setting.
+    # The combination of -V and -L options creates a sparse LV. There are
+    # two different implementations.
+    #
+    # Accepted values:
+    #   snapshot
+    #     The original snapshot implementation from LVM/DM. It uses an old
+    #     snapshot that mixes data and metadata within a single COW
+    #     storage volume and performs poorly when the size of stored data
+    #     passes hundreds of MB.
+    #   thin
+    #     A newer implementation that uses thin provisioning. It has a
+    #     bigger minimal chunk size (64KiB) and uses a separate volume for
+    #     metadata. It has better performance, especially when more data
+    #     is used. It also supports full snapshots.
+    #
+    sparse_segtype_default: "thin"
+
+    # Configuration option global/lvdisplay_shows_full_device_path.
+    # Enable this to reinstate the previous lvdisplay name format.
+    # The default format for displaying LV names in lvdisplay was changed
+    # in version 2.02.89 to show the LV name and path separately.
+    # Previously this was always shown as /dev/vgname/lvname even when that
+    # was never a valid path in the /dev filesystem.
+    # This configuration option has an automatic default value.
+    # lvdisplay_shows_full_device_path: 0
+
+    # Configuration option global/event_activation.
+    # Activate LVs based on system-generated device events.
+    # When a device appears on the system, a system-generated event runs
+    # the pvscan command to activate LVs if the new PV completes the VG.
+    # Use auto_activation_volume_list to select which LVs should be
+    # activated from these events (the default is all.)
+    # When event_activation is disabled, the system will generally run
+    # a direct activation command to activate LVs in complete VGs.
+    event_activation: 1
+
+    # Configuration option global/use_aio.
+    # Use async I/O when reading and writing devices.
+    # This configuration option has an automatic default value.
+    # use_aio: 1
+
+    # Configuration option global/use_lvmlockd.
+    # Use lvmlockd for locking among hosts using LVM on shared storage.
+    # Applicable only if LVM is compiled with lockd support in which
+    # case there is also lvmlockd(8) man page available for more
+    # information.
+    use_lvmlockd: 0
+
+    # Configuration option global/lvmlockd_lock_retries.
+    # Retry lvmlockd lock requests this many times.
+    # Applicable only if LVM is compiled with lockd support
+    # This configuration option has an automatic default value.
+    # lvmlockd_lock_retries: 3
+
+    # Configuration option global/sanlock_lv_extend.
+    # Size in MiB to extend the internal LV holding sanlock locks.
+    # The internal LV holds locks for each LV in the VG, and after enough
+    # LVs have been created, the internal LV needs to be extended. lvcreate
+    # will automatically extend the internal LV when needed by the amount
+    # specified here. Setting this to 0 disables the automatic extension
+    # and can cause lvcreate to fail. Applicable only if LVM is compiled
+    # with lockd support
+    # This configuration option has an automatic default value.
+    # sanlock_lv_extend: 256
+
+    # Configuration option global/thin_check_executable.
+    # The full path to the thin_check command.
+    # LVM uses this command to check that a thin metadata device is in a
+    # usable state. When a thin pool is activated and after it is
+    # deactivated, this command is run. Activation will only proceed if
+    # the command has an exit status of 0. Set to "" to skip this check.
+    # (Not recommended.) Also see thin_check_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_check_executable: "/usr/sbin/thin_check"
+
+    # Configuration option global/thin_dump_executable.
+    # The full path to the thin_dump command.
+    # LVM uses this command to dump thin pool metadata.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_dump_executable: "/usr/sbin/thin_dump"
+
+    # Configuration option global/thin_repair_executable.
+    # The full path to the thin_repair command.
+    # LVM uses this command to repair a thin metadata device if it is in
+    # an unusable state. Also see thin_repair_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # thin_repair_executable: "/usr/sbin/thin_repair"
+
+    # Configuration option global/thin_check_options.
+    # List of options passed to the thin_check command.
+    # With thin_check version 2.1 or newer you can add the option
+    # --ignore-non-fatal-errors to let it pass through ignorable errors
+    # and fix them later. With thin_check version 3.2 or newer you should
+    # include the option --clear-needs-check-flag.
+    # This configuration option has an automatic default value.
+    # thin_check_options: [ "-q", "--clear-needs-check-flag" ]
+
+    # Configuration option global/thin_repair_options.
+    # List of options passed to the thin_repair command.
+    # This configuration option has an automatic default value.
+    # thin_repair_options: [ "" ]
+
+    # Configuration option global/thin_disabled_features.
+    # Features to not use in the thin driver.
+    # This can be helpful for testing, or to avoid using a feature that is
+    # causing problems. Features include: block_size, discards,
+    # discards_non_power_2, external_origin, metadata_resize,
+    # external_origin_extend, error_if_no_space.
+    #
+    # Example
+    # thin_disabled_features: [ "discards", "block_size" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/cache_disabled_features.
+    # Features to not use in the cache driver.
+    # This can be helpful for testing, or to avoid using a feature that is
+    # causing problems. Features include: policy_mq, policy_smq, metadata2.
+    #
+    # Example
+    # cache_disabled_features: [ "policy_smq" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/cache_check_executable.
+    # The full path to the cache_check command.
+    # LVM uses this command to check that a cache metadata device is in a
+    # usable state. When a cached LV is activated and after it is
+    # deactivated, this command is run. Activation will only proceed if the
+    # command has an exit status of 0. Set to "" to skip this check.
+    # (Not recommended.) Also see cache_check_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_check_executable: "/usr/sbin/cache_check"
+
+    # Configuration option global/cache_dump_executable.
+    # The full path to the cache_dump command.
+    # LVM uses this command to dump cache pool metadata.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_dump_executable: "/usr/sbin/cache_dump"
+
+    # Configuration option global/cache_repair_executable.
+    # The full path to the cache_repair command.
+    # LVM uses this command to repair a cache metadata device if it is in
+    # an unusable state. Also see cache_repair_options.
+    # (See package device-mapper-persistent-data or thin-provisioning-tools)
+    # This configuration option has an automatic default value.
+    # cache_repair_executable: "/usr/sbin/cache_repair"
+
+    # Configuration option global/cache_check_options.
+    # List of options passed to the cache_check command.
+    # With cache_check version 5.0 or newer you should include the option
+    # --clear-needs-check-flag.
+    # This configuration option has an automatic default value.
+    # cache_check_options: [ "-q", "--clear-needs-check-flag" ]
+
+    # Configuration option global/cache_repair_options.
+    # List of options passed to the cache_repair command.
+    # This configuration option has an automatic default value.
+    # cache_repair_options: [ "" ]
+
+    # Configuration option global/vdo_format_executable.
+    # The full path to the vdoformat command.
+    # LVM uses this command to initial data volume for VDO type logical volume
+    # This configuration option has an automatic default value.
+    # vdo_format_executable: "autodetect"
+
+    # Configuration option global/vdo_format_options.
+    # List of options passed added to standard vdoformat command.
+    # This configuration option has an automatic default value.
+    # vdo_format_options: [ "" ]
+
+    # Configuration option global/fsadm_executable.
+    # The full path to the fsadm command.
+    # LVM uses this command to help with lvresize -r operations.
+    # This configuration option has an automatic default value.
+    # fsadm_executable: "/sbin/fsadm"
+
+    # Configuration option global/system_id_source.
+    # The method LVM uses to set the local system ID.
+    # Volume Groups can also be given a system ID (by vgcreate, vgchange,
+    # or vgimport.) A VG on shared storage devices is accessible only to
+    # the host with a matching system ID. See 'man lvmsystemid' for
+    # information on limitations and correct usage.
+    #
+    # Accepted values:
+    #   none
+    #     The host has no system ID.
+    #   lvmlocal
+    #     Obtain the system ID from the system_id setting in the 'local'
+    #     section of an lvm configuration file, e.g. lvmlocal.conf.
+    #   uname
+    #     Set the system ID from the hostname (uname) of the system.
+    #     System IDs beginning localhost are not permitted.
+    #   machineid
+    #     Use the contents of the machine-id file to set the system ID.
+    #     Some systems create this file at installation time.
+    #     See 'man machine-id' and global/etc.
+    #   file
+    #     Use the contents of another file (system_id_file) to set the
+    #     system ID.
+    #
+    system_id_source: "none"
+
+    # Configuration option global/system_id_file.
+    # The full path to the file containing a system ID.
+    # This is used when system_id_source is set to 'file'.
+    # Comments starting with the character # are ignored.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option global/use_lvmpolld.
+    # Use lvmpolld to supervise long running LVM commands.
+    # When enabled, control of long running LVM commands is transferred
+    # from the original LVM command to the lvmpolld daemon. This allows
+    # the operation to continue independent of the original LVM command.
+    # After lvmpolld takes over, the LVM command displays the progress
+    # of the ongoing operation. lvmpolld itself runs LVM commands to
+    # manage the progress of ongoing operations. lvmpolld can be used as
+    # a native systemd service, which allows it to be started on demand,
+    # and to use its own control group. When this option is disabled, LVM
+    # commands will supervise long running operations by forking themselves.
+    # Applicable only if LVM is compiled with lvmpolld support.
+    use_lvmpolld: 1
+
+    # Configuration option global/notify_dbus.
+    # Enable D-Bus notification from LVM commands.
+    # When enabled, an LVM command that changes PVs, changes VG metadata,
+    # or changes the activation state of an LV will send a notification.
+    notify_dbus: 1
+
+  # Configuration section activation.
+  activation:
+
+    # Configuration option activation/checks.
+    # Perform internal checks of libdevmapper operations.
+    # Useful for debugging problems with activation. Some of the checks may
+    # be expensive, so it's best to use this only when there seems to be a
+    # problem.
+    checks: 0
+
+    # Configuration option activation/udev_sync.
+    # Use udev notifications to synchronize udev and LVM.
+    # The --nodevsync option overrides this setting.
+    # When disabled, LVM commands will not wait for notifications from
+    # udev, but continue irrespective of any possible udev processing in
+    # the background. Only use this if udev is not running or has rules
+    # that ignore the devices LVM creates. If enabled when udev is not
+    # running, and LVM processes are waiting for udev, run the command
+    # 'dmsetup udevcomplete_all' to wake them up.
+    udev_sync: 1
+
+    # Configuration option activation/udev_rules.
+    # Use udev rules to manage LV device nodes and symlinks.
+    # When disabled, LVM will manage the device nodes and symlinks for
+    # active LVs itself. Manual intervention may be required if this
+    # setting is changed while LVs are active.
+    udev_rules: 1
+
+    # Configuration option activation/verify_udev_operations.
+    # Use extra checks in LVM to verify udev operations.
+    # This enables additional checks (and if necessary, repairs) on entries
+    # in the device directory after udev has completed processing its
+    # events. Useful for diagnosing problems with LVM/udev interactions.
+    verify_udev_operations: 0
+
+    # Configuration option activation/retry_deactivation.
+    # Retry failed LV deactivation.
+    # If LV deactivation fails, LVM will retry for a few seconds before
+    # failing. This may happen because a process run from a quick udev rule
+    # temporarily opened the device.
+    retry_deactivation: 1
+
+    # Configuration option activation/missing_stripe_filler.
+    # Method to fill missing stripes when activating an incomplete LV.
+    # Using 'error' will make inaccessible parts of the device return I/O
+    # errors on access. Using 'zero' will return success (and zero) on I/O
+    # You can instead use a device path, in which case,
+    # that device will be used in place of missing stripes. Using anything
+    # other than 'error' with mirrored or snapshotted volumes is likely to
+    # result in data corruption.
+    # This configuration option is advanced.
+    missing_stripe_filler: "error"
+
+    # Configuration option activation/use_linear_target.
+    # Use the linear target to optimize single stripe LVs.
+    # When disabled, the striped target is used. The linear target is an
+    # optimised version of the striped target that only handles a single
+    # stripe.
+    use_linear_target: 1
+
+    # Configuration option activation/reserved_stack.
+    # Stack size in KiB to reserve for use while devices are suspended.
+    # Insufficient reserve risks I/O deadlock during device suspension.
+    reserved_stack: 64
+
+    # Configuration option activation/reserved_memory.
+    # Memory size in KiB to reserve for use while devices are suspended.
+    # Insufficient reserve risks I/O deadlock during device suspension.
+    reserved_memory: 8192
+
+    # Configuration option activation/process_priority.
+    # Nice value used while devices are suspended.
+    # Use a high priority so that LVs are suspended
+    # for the shortest possible time.
+    process_priority: -18
+
+    # Configuration option activation/volume_list.
+    # Only LVs selected by this list are activated.
+    # If this list is defined, an LV is only activated if it matches an
+    # entry in this list. If this list is undefined, it imposes no limits
+    # on LV activation (all are allowed).
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/auto_activation_volume_list.
+    # Only LVs selected by this list are auto-activated.
+    # This list works like volume_list, but it is used only by
+    # auto-activation commands. It does not apply to direct activation
+    # commands. If this list is defined, an LV is only auto-activated
+    # if it matches an entry in this list. If this list is undefined, it
+    # imposes no limits on LV auto-activation (all are allowed.) If this
+    # list is defined and empty, i.e. "[]", then no LVs are selected for
+    # auto-activation. An LV that is selected by this list for
+    # auto-activation, must also be selected by volume_list (if defined)
+    # before it is activated. Auto-activation is an activation command that
+    # includes the 'a' argument: --activate ay or -a ay. The 'a' (auto)
+    # argument for auto-activation is meant to be used by activation
+    # commands that are run automatically by the system, as opposed to LVM
+    # commands run directly by a user. A user may also use the 'a' flag
+    # directly to perform auto-activation. Also see pvscan(8) for more
+    # information about auto-activation.
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # auto_activation_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/read_only_volume_list.
+    # LVs in this list are activated in read-only mode.
+    # If this list is defined, each LV that is to be activated is checked
+    # against this list, and if it matches, it is activated in read-only
+    # mode. This overrides the permission setting stored in the metadata,
+    # e.g. from --permission rw.
+    #
+    # Accepted values:
+    #   vgname
+    #     The VG name is matched exactly and selects all LVs in the VG.
+    #   vgname/lvname
+    #     The VG name and LV name are matched exactly and selects the LV.
+    #   @tag
+    #     Selects an LV if the specified tag matches a tag set on the LV
+    #     or VG.
+    #   @*
+    #     Selects an LV if a tag defined on the host is also set on the LV
+    #     or VG. See tags/hosttags. If any host tags exist but volume_list
+    #     is not defined, a default single-entry list containing '@*'
+    #     is assumed.
+    #
+    # Example
+    # read_only_volume_list: [ "vg1", "vg2/lvol1", "@tag1", "@*" ]
+    #
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/raid_region_size.
+    # Size in KiB of each raid or mirror synchronization region.
+    # The clean/dirty state of data is tracked for each region.
+    # The value is rounded down to a power of two if necessary, and
+    # is ignored if it is not a multiple of the machine memory page size.
+    raid_region_size: 2048
+
+    # Configuration option activation/error_when_full.
+    # Return errors if a thin pool runs out of space.
+    # The --errorwhenfull option overrides this setting.
+    # When enabled, writes to thin LVs immediately return an error if the
+    # thin pool is out of data space. When disabled, writes to thin LVs
+    # are queued if the thin pool is out of space, and processed when the
+    # thin pool data space is extended. New thin pools are assigned the
+    # behavior defined here.
+    # This configuration option has an automatic default value.
+    # error_when_full: 0
+
+    # Configuration option activation/readahead.
+    # Setting to use when there is no readahead setting in metadata.
+    #
+    # Accepted values:
+    #   none
+    #     Disable readahead.
+    #   auto
+    #     Use default value chosen by kernel.
+    #
+    readahead: "auto"
+
+    # Configuration option activation/raid_fault_policy.
+    # Defines how a device failure in a RAID LV is handled.
+    # This includes LVs that have the following segment types:
+    # raid1, raid4, raid5*, and raid6*.
+    # If a device in the LV fails, the policy determines the steps
+    # performed by dmeventd automatically, and the steps performed by the
+    # manual command lvconvert --repair --use-policies.
+    # Automatic handling requires dmeventd to be monitoring the LV.
+    #
+    # Accepted values:
+    #   warn
+    #     Use the system log to warn the user that a device in the RAID LV
+    #     has failed. It is left to the user to run lvconvert --repair
+    #     manually to remove or replace the failed device. As long as the
+    #     number of failed devices does not exceed the redundancy of the LV
+    #     (1 device for raid4/5, 2 for raid6), the LV will remain usable.
+    #   allocate
+    #     Attempt to use any extra physical volumes in the VG as spares and
+    #     replace faulty devices.
+    #
+    raid_fault_policy: "warn"
+
+    # Configuration option activation/mirror_image_fault_policy.
+    # Defines how a device failure in a 'mirror' LV is handled.
+    # An LV with the 'mirror' segment type is composed of mirror images
+    # (copies) and a mirror log. A disk log ensures that a mirror LV does
+    # not need to be re-synced (all copies made the same) every time a
+    # machine reboots or crashes. If a device in the LV fails, this policy
+    # determines the steps performed by dmeventd automatically, and the steps
+    # performed by the manual command lvconvert --repair --use-policies.
+    # Automatic handling requires dmeventd to be monitoring the LV.
+    #
+    # Accepted values:
+    #   remove
+    #     Simply remove the faulty device and run without it. If the log
+    #     device fails, the mirror would convert to using an in-memory log.
+    #     This means the mirror will not remember its sync status across
+    #     crashes/reboots and the entire mirror will be re-synced. If a
+    #     mirror image fails, the mirror will convert to a non-mirrored
+    #     device if there is only one remaining good copy.
+    #   allocate
+    #     Remove the faulty device and try to allocate space on a new
+    #     device to be a replacement for the failed device. Using this
+    #     policy for the log is fast and maintains the ability to remember
+    #     sync state through crashes/reboots. Using this policy for a
+    #     mirror device is slow, as it requires the mirror to resynchronize
+    #     the devices, but it will preserve the mirror characteristic of
+    #     the device. This policy acts like 'remove' if no suitable device
+    #     and space can be allocated for the replacement.
+    #   allocate_anywhere
+    #     Not yet implemented. Useful to place the log device temporarily
+    #     on the same physical volume as one of the mirror images. This
+    #     policy is not recommended for mirror devices since it would break
+    #     the redundant nature of the mirror. This policy acts like
+    #     'remove' if no suitable device and space can be allocated for the
+    #     replacement.
+    #
+    mirror_image_fault_policy: "remove"
+
+    # Configuration option activation/mirror_log_fault_policy.
+    # Defines how a device failure in a 'mirror' log LV is handled.
+    # The mirror_image_fault_policy description for mirrored LVs also
+    # applies to mirrored log LVs.
+    mirror_log_fault_policy: "allocate"
+
+    # Configuration option activation/snapshot_autoextend_threshold.
+    # Auto-extend a snapshot when its usage exceeds this percent.
+    # Setting this to 100 disables automatic extension.
+    # The minimum value is 50 (a smaller value is treated as 50.)
+    # Also see snapshot_autoextend_percent.
+    # Automatic extension requires dmeventd to be monitoring the LV.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # snapshot_autoextend_threshold: 70
+    #
+    snapshot_autoextend_threshold: 100
+
+    # Configuration option activation/snapshot_autoextend_percent.
+    # Auto-extending a snapshot adds this percent extra space.
+    # The amount of additional space added to a snapshot is this
+    # percent of its current size.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # snapshot_autoextend_percent: 20
+    #
+    snapshot_autoextend_percent: 20
+
+    # Configuration option activation/thin_pool_autoextend_threshold.
+    # Auto-extend a thin pool when its usage exceeds this percent.
+    # Setting this to 100 disables automatic extension.
+    # The minimum value is 50 (a smaller value is treated as 50.)
+    # Also see thin_pool_autoextend_percent.
+    # Automatic extension requires dmeventd to be monitoring the LV.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # thin_pool_autoextend_threshold: 70
+    #
+    thin_pool_autoextend_threshold: 100
+
+    # Configuration option activation/thin_pool_autoextend_percent.
+    # Auto-extending a thin pool adds this percent extra space.
+    # The amount of additional space added to a thin pool is this
+    # percent of its current size.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 1G
+    # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds
+    # 840M, it is extended to 1.44G:
+    # thin_pool_autoextend_percent: 20
+    #
+    thin_pool_autoextend_percent: 20
+
+    # Configuration option activation/vdo_pool_autoextend_threshold.
+    # Auto-extend a VDO pool when its usage exceeds this percent.
+    # Setting this to 100 disables automatic extension.
+    # The minimum value is 50 (a smaller value is treated as 50.)
+    # Also see vdo_pool_autoextend_percent.
+    # Automatic extension requires dmeventd to be monitoring the LV.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 10G
+    # VDO pool exceeds 7G, it is extended to 12G, and when it exceeds
+    # 8.4G, it is extended to 14.4G:
+    # vdo_pool_autoextend_threshold: 70
+    #
+    vdo_pool_autoextend_threshold: 100
+
+    # Configuration option activation/vdo_pool_autoextend_percent.
+    # Auto-extending a VDO pool adds this percent extra space.
+    # The amount of additional space added to a VDO pool is this
+    # percent of its current size.
+    #
+    # Example
+    # Using 70% autoextend threshold and 20% autoextend size, when a 10G
+    # VDO pool exceeds 7G, it is extended to 12G, and when it exceeds
+    # 8.4G, it is extended to 14.4G:
+    # This configuration option has an automatic default value.
+    # vdo_pool_autoextend_percent: 20
+
+    # Configuration option activation/mlock_filter.
+    # Do not mlock these memory areas.
+    # While activating devices, I/O to devices being (re)configured is
+    # suspended. As a precaution against deadlocks, LVM pins memory it is
+    # using so it is not paged out, and will not require I/O to reread.
+    # Groups of pages that are known not to be accessed during activation
+    # do not need to be pinned into memory. Each string listed in this
+    # setting is compared against each line in /proc/self/maps, and the
+    # pages corresponding to lines that match are not pinned. On some
+    # systems, locale-archive was found to make up over 80% of the memory
+    # used by the process.
+    #
+    # Example
+    # mlock_filter: [ "locale/locale-archive", "gconv/gconv-modules.cache" ]
+    #
+    # This configuration option is advanced.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/use_mlockall.
+    # Use the old behavior of mlockall to pin all memory.
+    # Prior to version 2.02.62, LVM used mlockall() to pin the whole
+    # process's memory while activating devices.
+    use_mlockall: 0
+
+    # Configuration option activation/monitoring.
+    # Monitor LVs that are activated.
+    # The --ignoremonitoring option overrides this setting.
+    # When enabled, LVM will ask dmeventd to monitor activated LVs.
+    monitoring: 1
+
+    # Configuration option activation/polling_interval.
+    # Check pvmove or lvconvert progress at this interval (seconds).
+    # When pvmove or lvconvert must wait for the kernel to finish
+    # synchronising or merging data, they check and report progress at
+    # intervals of this number of seconds. If this is set to 0 and there
+    # is only one thing to wait for, there are no progress reports, but
+    # the process is awoken immediately once the operation is complete.
+    polling_interval: 15
+
+    # Configuration option activation/auto_set_activation_skip.
+    # Set the activation skip flag on new thin snapshot LVs.
+    # The --setactivationskip option overrides this setting.
+    # An LV can have a persistent 'activation skip' flag. The flag causes
+    # the LV to be skipped during normal activation. The lvchange/vgchange
+    # -K option is required to activate LVs that have the activation skip
+    # flag set. When this setting is enabled, the activation skip flag is
+    # set on new thin snapshot LVs.
+    # This configuration option has an automatic default value.
+    # auto_set_activation_skip: 1
+
+    # Configuration option activation/activation_mode.
+    # How LVs with missing devices are activated.
+    # The --activationmode option overrides this setting.
+    #
+    # Accepted values:
+    #   complete
+    #     Only allow activation of an LV if all of the Physical Volumes it
+    #     uses are present. Other PVs in the Volume Group may be missing.
+    #   degraded
+    #     Like complete, but additionally RAID LVs of segment type raid1,
+    #     raid4, raid5, radid6 and raid10 will be activated if there is no
+    #     data loss, i.e. they have sufficient redundancy to present the
+    #     entire addressable range of the Logical Volume.
+    #   partial
+    #     Allows the activation of any LV even if a missing or failed PV
+    #     could cause data loss with a portion of the LV inaccessible.
+    #     This setting should not normally be used, but may sometimes
+    #     assist with data recovery.
+    #
+    activation_mode: "degraded"
+
+    # Configuration option activation/lock_start_list.
+    # Locking is started only for VGs selected by this list.
+    # The rules are the same as those for volume_list.
+    # This configuration option does not have a default value defined.
+
+    # Configuration option activation/auto_lock_start_list.
+    # Locking is auto-started only for VGs selected by this list.
+    # The rules are the same as those for auto_activation_volume_list.
+    # This configuration option does not have a default value defined.
+
+  # Configuration section metadata.
+  # This configuration section has an automatic default value.
+  # metadata:
+
+    # Configuration option metadata/check_pv_device_sizes.
+    # Check device sizes are not smaller than corresponding PV sizes.
+    # If device size is less than corresponding PV size found in metadata,
+    # there is always a risk of data loss. If this option is set, then LVM
+    # issues a warning message each time it finds that the device size is
+    # less than corresponding PV size. You should not disable this unless
+    # you are absolutely sure about what you are doing!
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # check_pv_device_sizes: 1
+
+    # Configuration option metadata/record_lvs_history.
+    # When enabled, LVM keeps history records about removed LVs in
+    # metadata. The information that is recorded in metadata for
+    # historical LVs is reduced when compared to original
+    # information kept in metadata for live LVs. Currently, this
+    # feature is supported for thin and thin snapshot LVs only.
+    # This configuration option has an automatic default value.
+    # record_lvs_history: 0
+
+    # Configuration option metadata/lvs_history_retention_time.
+    # Retention time in seconds after which a record about individual
+    # historical logical volume is automatically destroyed.
+    # A value of 0 disables this feature.
+    # This configuration option has an automatic default value.
+    # lvs_history_retention_time: 0
+
+    # Configuration option metadata/pvmetadatacopies.
+    # Number of copies of metadata to store on each PV.
+    # The --pvmetadatacopies option overrides this setting.
+    #
+    # Accepted values:
+    #   2
+    #     Two copies of the VG metadata are stored on the PV, one at the
+    #     front of the PV, and one at the end.
+    #   1
+    #     One copy of VG metadata is stored at the front of the PV.
+    #   0
+    #     No copies of VG metadata are stored on the PV. This may be
+    #     useful for VGs containing large numbers of PVs.
+    #
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # pvmetadatacopies: 1
+
+    # Configuration option metadata/vgmetadatacopies.
+    # Number of copies of metadata to maintain for each VG.
+    # The --vgmetadatacopies option overrides this setting.
+    # If set to a non-zero value, LVM automatically chooses which of the
+    # available metadata areas to use to achieve the requested number of
+    # copies of the VG metadata. If you set a value larger than the the
+    # total number of metadata areas available, then metadata is stored in
+    # them all. The value 0 (unmanaged) disables this automatic management
+    # and allows you to control which metadata areas are used at the
+    # individual PV level using pvchange --metadataignore y|n.
+    # This configuration option has an automatic default value.
+    # vgmetadatacopies: 0
+
+    # Configuration option metadata/pvmetadatasize.
+    # The default size of the metadata area in units of 512 byte sectors.
+    # The metadata area begins at an offset of the page size from the start
+    # of the device. The first PE is by default at 1 MiB from the start of
+    # the device. The space between these is the default metadata area size.
+    # The actual size of the metadata area may be larger than what is set
+    # here due to default_data_alignment making the first PE a MiB multiple.
+    # The metadata area begins with a 512 byte header and is followed by a
+    # circular buffer used for VG metadata text. The maximum size of the VG
+    # metadata is about half the size of the metadata buffer. VGs with large
+    # numbers of PVs or LVs, or VGs containing complex LV structures, may need
+    # additional space for VG metadata. The --metadatasize option overrides
+    # this setting.
+    # This configuration option does not have a default value defined.
+    # This configuration option has an automatic default value.
+
+    # Configuration option metadata/pvmetadataignore.
+    # Ignore metadata areas on a new PV.
+    # The --metadataignore option overrides this setting.
+    # If metadata areas on a PV are ignored, LVM will not store metadata
+    # in them.
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # pvmetadataignore: 0
+
+    # Configuration option metadata/stripesize.
+    # This configuration option is advanced.
+    # This configuration option has an automatic default value.
+    # stripesize: 64
+
+  # Configuration section report.
+  # LVM report command output formatting.
+  # This configuration section has an automatic default value.
+  # report:
+
+    # Configuration option report/output_format.
+    # Format of LVM command's report output.
+    # If there is more than one report per command, then the format
+    # is applied for all reports. You can also change output format
+    # directly on command line using --reportformat option which
+    # has precedence over log/output_format setting.
+    # Accepted values:
+    #   basic
+    #     Original format with columns and rows. If there is more than
+    #     one report per command, each report is prefixed with report's
+    #     name for identification.
+    #   json
+    #     JSON format.
+    # This configuration option has an automatic default value.
+    # output_format: "basic"
+
+    # Configuration option report/compact_output.
+    # Do not print empty values for all report fields.
+    # If enabled, all fields that don't have a value set for any of the
+    # rows reported are skipped and not printed. Compact output is
+    # applicable only if report/buffered is enabled. If you need to
+    # compact only specified fields, use compact_output=0 and define
+    # report/compact_output_cols configuration setting instead.
+    # This configuration option has an automatic default value.
+    # compact_output: 0
+
+    # Configuration option report/compact_output_cols.
+    # Do not print empty values for specified report fields.
+    # If defined, specified fields that don't have a value set for any
+    # of the rows reported are skipped and not printed. Compact output
+    # is applicable only if report/buffered is enabled. If you need to
+    # compact all fields, use compact_output=1 instead in which case
+    # the compact_output_cols setting is then ignored.
+    # This configuration option has an automatic default value.
+    # compact_output_cols: ""
+
+    # Configuration option report/aligned.
+    # Align columns in report output.
+    # This configuration option has an automatic default value.
+    # aligned: 1
+
+    # Configuration option report/buffered.
+    # Buffer report output.
+    # When buffered reporting is used, the report's content is appended
+    # incrementally to include each object being reported until the report
+    # is flushed to output which normally happens at the end of command
+    # execution. Otherwise, if buffering is not used, each object is
+    # reported as soon as its processing is finished.
+    # This configuration option has an automatic default value.
+    # buffered: 1
+
+    # Configuration option report/headings.
+    # Show headings for columns on report.
+    # This configuration option has an automatic default value.
+    # headings: 1
+
+    # Configuration option report/separator.
+    # A separator to use on report after each field.
+    # This configuration option has an automatic default value.
+    # separator: " "
+
+    # Configuration option report/list_item_separator.
+    # A separator to use for list items when reported.
+    # This configuration option has an automatic default value.
+    # list_item_separator: ","
+
+    # Configuration option report/prefixes.
+    # Use a field name prefix for each field reported.
+    # This configuration option has an automatic default value.
+    # prefixes: 0
+
+    # Configuration option report/quoted.
+    # Quote field values when using field name prefixes.
+    # This configuration option has an automatic default value.
+    # quoted: 1
+
+    # Configuration option report/columns_as_rows.
+    # Output each column as a row.
+    # If set, this also implies report/prefixes=1.
+    # This configuration option has an automatic default value.
+    # columns_as_rows: 0
+
+    # Configuration option report/binary_values_as_numeric.
+    # Use binary values 0 or 1 instead of descriptive literal values.
+    # For columns that have exactly two valid values to report
+    # (not counting the 'unknown' value which denotes that the
+    # value could not be determined).
+    # This configuration option has an automatic default value.
+    # binary_values_as_numeric: 0
+
+    # Configuration option report/time_format.
+    # Set time format for fields reporting time values.
+    # Format specification is a string which may contain special character
+    # sequences and ordinary character sequences. Ordinary character
+    # sequences are copied verbatim. Each special character sequence is
+    # introduced by the '%' character and such sequence is then
+    # substituted with a value as described below.
+    #
+    # Accepted values:
+    #   %a
+    #     The abbreviated name of the day of the week according to the
+    #     current locale.
+    #   %A
+    #     The full name of the day of the week according to the current
+    #     locale.
+    #   %b
+    #     The abbreviated month name according to the current locale.
+    #   %B
+    #     The full month name according to the current locale.
+    #   %c
+    #     The preferred date and time representation for the current
+    #     locale (alt E)
+    #   %C
+    #     The century number (year/100) as a 2-digit integer. (alt E)
+    #   %d
+    #     The day of the month as a decimal number (range 01 to 31).
+    #     (alt O)
+    #   %D
+    #     Equivalent to %m/%d/%y. (For Americans only. Americans should
+    #     note that in other countries%d/%m/%y is rather common. This
+    #     means that in international context this format is ambiguous and
+    #     should not be used.
+    #   %e
+    #     Like %d, the day of the month as a decimal number, but a leading
+    #     zero is replaced by a space. (alt O)
+    #   %E
+    #     Modifier: use alternative local-dependent representation if
+    #     available.
+    #   %F
+    #     Equivalent to %Y-%m-%d (the ISO 8601 date format).
+    #   %G
+    #     The ISO 8601 week-based year with century as adecimal number.
+    #     The 4-digit year corresponding to the ISO week number (see %V).
+    #     This has the same format and value as %Y, except that if the
+    #     ISO week number belongs to the previous or next year, that year
+    #     is used instead.
+    #   %g
+    #     Like %G, but without century, that is, with a 2-digit year
+    #     (00-99).
+    #   %h
+    #     Equivalent to %b.
+    #   %H
+    #     The hour as a decimal number using a 24-hour clock
+    #     (range 00 to 23). (alt O)
+    #   %I
+    #     The hour as a decimal number using a 12-hour clock
+    #     (range 01 to 12). (alt O)
+    #   %j
+    #     The day of the year as a decimal number (range 001 to 366).
+    #   %k
+    #     The hour (24-hour clock) as a decimal number (range 0 to 23);
+    #     single digits are preceded by a blank. (See also %H.)
+    #   %l
+    #     The hour (12-hour clock) as a decimal number (range 1 to 12);
+    #     single digits are preceded by a blank. (See also %I.)
+    #   %m
+    #     The month as a decimal number (range 01 to 12). (alt O)
+    #   %M
+    #     The minute as a decimal number (range 00 to 59). (alt O)
+    #   %O
+    #     Modifier: use alternative numeric symbols.
+    #   %p
+    #     Either "AM" or "PM" according to the given time value,
+    #     or the corresponding strings for the current locale. Noon is
+    #     treated as "PM" and midnight as "AM".
+    #   %P
+    #     Like %p but in lowercase: "am" or "pm" or a corresponding
+    #     string for the current locale.
+    #   %r
+    #     The time in a.m. or p.m. notation. In the POSIX locale this is
+    #     equivalent to %I:%M:%S %p.
+    #   %R
+    #     The time in 24-hour notation (%H:%M). For a version including
+    #     the seconds, see %T below.
+    #   %s
+    #     The number of seconds since the Epoch,
+    #     1970-01-01 00:00:00 +0000 (UTC)
+    #   %S
+    #     The second as a decimal number (range 00 to 60). (The range is
+    #     up to 60 to allow for occasional leap seconds.) (alt O)
+    #   %t
+    #     A tab character.
+    #   %T
+    #     The time in 24-hour notation (%H:%M:%S).
+    #   %u
+    #     The day of the week as a decimal, range 1 to 7, Monday being 1.
+    #     See also %w. (alt O)
+    #   %U
+    #     The week number of the current year as a decimal number,
+    #     range 00 to 53, starting with the first Sunday as the first
+    #     day of week 01. See also %V and %W. (alt O)
+    #   %V
+    #     The ISO 8601 week number of the current year as a decimal number,
+    #     range 01 to 53, where week 1 is the first week that has at least
+    #     4 days in the new year. See also %U and %W. (alt O)
+    #   %w
+    #     The day of the week as a decimal, range 0 to 6, Sunday being 0.
+    #     See also %u. (alt O)
+    #   %W
+    #     The week number of the current year as a decimal number,
+    #     range 00 to 53, starting with the first Monday as the first day
+    #     of week 01. (alt O)
+    #   %x
+    #     The preferred date representation for the current locale without
+    #     the time. (alt E)
+    #   %X
+    #     The preferred time representation for the current locale without
+    #     the date. (alt E)
+    #   %y
+    #     The year as a decimal number without a century (range 00 to 99).
+    #     (alt E, alt O)
+    #   %Y
+    #     The year as a decimal number including the century. (alt E)
+    #   %z
+    #     The +hhmm or -hhmm numeric timezone (that is, the hour and minute
+    #     offset from UTC).
+    #   %Z
+    #     The timezone name or abbreviation.
+    #   %%
+    #     A literal '%' character.
+    #
+    # This configuration option has an automatic default value.
+    # time_format: "%Y-%m-%d %T %z"
+
+    # Configuration option report/devtypes_sort.
+    # List of columns to sort by when reporting 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_sort: "devtype_name"
+
+    # Configuration option report/devtypes_cols.
+    # List of columns to report for 'lvm devtypes' command.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_cols: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Configuration option report/devtypes_cols_verbose.
+    # List of columns to report for 'lvm devtypes' command in verbose mode.
+    # See 'lvm devtypes -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # devtypes_cols_verbose: "devtype_name,devtype_max_partitions,devtype_description"
+
+    # Configuration option report/lvs_sort.
+    # List of columns to sort by when reporting 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_sort: "vg_name,lv_name"
+
+    # Configuration option report/lvs_cols.
+    # List of columns to report for 'lvs' command.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols: "lv_name,vg_name,lv_attr,lv_size,pool_lv,origin,data_percent,metadata_percent,move_pv,mirror_log,copy_percent,convert_lv"
+
+    # Configuration option report/lvs_cols_verbose.
+    # List of columns to report for 'lvs' command in verbose mode.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols_verbose: "lv_name,vg_name,seg_count,lv_attr,lv_size,lv_major,lv_minor,lv_kernel_major,lv_kernel_minor,pool_lv,origin,data_percent,metadata_percent,move_pv,copy_percent,mirror_log,convert_lv,lv_uuid,lv_profile"
+
+    # Configuration option report/vgs_sort.
+    # List of columns to sort by when reporting 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_sort: "vg_name"
+
+    # Configuration option report/vgs_cols.
+    # List of columns to report for 'vgs' command.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols: "vg_name,pv_count,lv_count,snap_count,vg_attr,vg_size,vg_free"
+
+    # Configuration option report/vgs_cols_verbose.
+    # List of columns to report for 'vgs' command in verbose mode.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols_verbose: "vg_name,vg_attr,vg_extent_size,pv_count,lv_count,snap_count,vg_size,vg_free,vg_uuid,vg_profile"
+
+    # Configuration option report/pvs_sort.
+    # List of columns to sort by when reporting 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_sort: "pv_name"
+
+    # Configuration option report/pvs_cols.
+    # List of columns to report for 'pvs' command.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free"
+
+    # Configuration option report/pvs_cols_verbose.
+    # List of columns to report for 'pvs' command in verbose mode.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,dev_size,pv_uuid"
+
+    # Configuration option report/segs_sort.
+    # List of columns to sort by when reporting 'lvs --segments' command.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_sort: "vg_name,lv_name,seg_start"
+
+    # Configuration option report/segs_cols.
+    # List of columns to report for 'lvs --segments' command.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols: "lv_name,vg_name,lv_attr,stripes,segtype,seg_size"
+
+    # Configuration option report/segs_cols_verbose.
+    # List of columns to report for 'lvs --segments' command in verbose mode.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols_verbose: "lv_name,vg_name,lv_attr,seg_start,seg_size,stripes,segtype,stripesize,chunksize"
+
+    # Configuration option report/pvsegs_sort.
+    # List of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_sort: "pv_name,pvseg_start"
+
+    # Configuration option report/pvsegs_cols.
+    # List of columns to sort by when reporting 'pvs --segments' command.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size"
+
+    # Configuration option report/pvsegs_cols_verbose.
+    # List of columns to sort by when reporting 'pvs --segments' command in verbose mode.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols_verbose: "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size,lv_name,seg_start_pe,segtype,seg_pe_ranges"
+
+    # Configuration option report/vgs_cols_full.
+    # List of columns to report for lvm fullreport's 'vgs' subreport.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_cols_full: "vg_all"
+
+    # Configuration option report/pvs_cols_full.
+    # List of columns to report for lvm fullreport's 'vgs' subreport.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_cols_full: "pv_all"
+
+    # Configuration option report/lvs_cols_full.
+    # List of columns to report for lvm fullreport's 'lvs' subreport.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_cols_full: "lv_all"
+
+    # Configuration option report/pvsegs_cols_full.
+    # List of columns to report for lvm fullreport's 'pvseg' subreport.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_cols_full: "pvseg_all,pv_uuid,lv_uuid"
+
+    # Configuration option report/segs_cols_full.
+    # List of columns to report for lvm fullreport's 'seg' subreport.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_cols_full: "seg_all,lv_uuid"
+
+    # Configuration option report/vgs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'vgs' subreport.
+    # See 'vgs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # vgs_sort_full: "vg_name"
+
+    # Configuration option report/pvs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'vgs' subreport.
+    # See 'pvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvs_sort_full: "pv_name"
+
+    # Configuration option report/lvs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'lvs' subreport.
+    # See 'lvs -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # lvs_sort_full: "vg_name,lv_name"
+
+    # Configuration option report/pvsegs_sort_full.
+    # List of columns to sort by when reporting for lvm fullreport's 'pvseg' subreport.
+    # See 'pvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # pvsegs_sort_full: "pv_uuid,pvseg_start"
+
+    # Configuration option report/segs_sort_full.
+    # List of columns to sort by when reporting lvm fullreport's 'seg' subreport.
+    # See 'lvs --segments -o help' for the list of possible fields.
+    # This configuration option has an automatic default value.
+    # segs_sort_full: "lv_uuid,seg_start"
+
+    # Configuration option report/mark_hidden_devices.
+    # Use brackets [] to mark hidden devices.
+    # This configuration option has an automatic default value.
+    # mark_hidden_devices: 1
+
+    # Configuration option report/two_word_unknown_device.
+    # Use the two words 'unknown device' in place of '[unknown]'.
+    # This is displayed when the device for a PV is not known.
+    # This configuration option has an automatic default value.
+    # two_word_unknown_device: 0
+
+  # Configuration section dmeventd.
+  # Settings for the LVM event daemon.
+  dmeventd:
+
+    # Configuration option dmeventd/mirror_library.
+    # The library dmeventd uses when monitoring a mirror device.
+    # libdevmapper-event-lvm2mirror.so attempts to recover from
+    # failures. It removes failed devices from a volume group and
+    # reconfigures a mirror as necessary. If no mirror library is
+    # provided, mirrors are not monitored through dmeventd.
+    mirror_library: "libdevmapper-event-lvm2mirror.so"
+
+    # Configuration option dmeventd/raid_library.
+    # This configuration option has an automatic default value.
+    # raid_library: "libdevmapper-event-lvm2raid.so"
+
+    # Configuration option dmeventd/snapshot_library.
+    # The library dmeventd uses when monitoring a snapshot device.
+    # libdevmapper-event-lvm2snapshot.so monitors the filling of snapshots
+    # and emits a warning through syslog when the usage exceeds 80%. The
+    # warning is repeated when 85%, 90% and 95% of the snapshot is filled.
+    snapshot_library: "libdevmapper-event-lvm2snapshot.so"
+
+    # Configuration option dmeventd/thin_library.
+    # The library dmeventd uses when monitoring a thin device.
+    # libdevmapper-event-lvm2thin.so monitors the filling of a pool
+    # and emits a warning through syslog when the usage exceeds 80%. The
+    # warning is repeated when 85%, 90% and 95% of the pool is filled.
+    thin_library: "libdevmapper-event-lvm2thin.so"
+
+    # Configuration option dmeventd/thin_command.
+    # The plugin runs command with each 5% increment when thin-pool data volume
+    # or metadata volume gets above 50%.
+    # Command which starts with 'lvm ' prefix is internal lvm command.
+    # You can write your own handler to customise behaviour in more details.
+    # User handler is specified with the full path starting with '/'.
+    # This configuration option has an automatic default value.
+    # thin_command: "lvm lvextend --use-policies"
+
+    # Configuration option dmeventd/vdo_library.
+    # The library dmeventd uses when monitoring a VDO pool device.
+    # libdevmapper-event-lvm2vdo.so monitors the filling of a pool
+    # and emits a warning through syslog when the usage exceeds 80%. The
+    # warning is repeated when 85%, 90% and 95% of the pool is filled.
+    # This configuration option has an automatic default value.
+    # vdo_library: "libdevmapper-event-lvm2vdo.so"
+
+    # Configuration option dmeventd/vdo_command.
+    # The plugin runs command with each 5% increment when VDO pool volume
+    # gets above 50%.
+    # Command which starts with 'lvm ' prefix is internal lvm command.
+    # You can write your own handler to customise behaviour in more details.
+    # User handler is specified with the full path starting with '/'.
+    # This configuration option has an automatic default value.
+    # vdo_command: "lvm lvextend --use-policies"
+
+    # Configuration option dmeventd/executable.
+    # The full path to the dmeventd binary.
+    # This configuration option has an automatic default value.
+    # executable: "/sbin/dmeventd"
+
+  # Configuration section tags.
+  # Host tag settings.
+  # This configuration section has an automatic default value.
+  # tags:
+
+    # Configuration option tags/hosttags.
+    # Create a host tag using the machine name.
+    # The machine name is nodename returned by uname(2).
+    # This configuration option has an automatic default value.
+    # hosttags: 0
+
+    # Configuration section tags/<tag>.
+    # Replace this subsection name with a custom tag name.
+    # Multiple subsections like this can be created. The '@' prefix for
+    # tags is optional. This subsection can contain host_list, which is a
+    # list of machine names. If the name of the local machine is found in
+    # host_list, then the name of this subsection is used as a tag and is
+    # applied to the local machine as a 'host tag'. If this subsection is
+    # empty (has no host_list), then the subsection name is always applied
+    # as a 'host tag'.
+    #
+    # Example
+    # The host tag foo is given to all hosts, and the host tag
+    # bar is given to the hosts named machine1 and machine2.
+    # tags:
+    #   foo: {}
+    #   bar:
+    #     host_list: [ "machine1", "machine2" ]
+    #
+    # This configuration section has variable name.
+    # This configuration section has an automatic default value.
+    # tag:
+
+      # Configuration option tags/<tag>/host_list.
+      # A list of machine names.
+      # These machine names are compared to the nodename returned
+      # by uname(2). If the local machine name matches an entry in
+      # this list, the name of the subsection is applied to the
+      # machine as a 'host tag'.
+      # This configuration option does not have a default value defined.
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian.yml
new file mode 120000
index 00000000..5c35c18e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian.yml
@@ -0,0 +1 @@
+lvm_config_debian_buster.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_buster.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_buster.yml
new file mode 120000
index 00000000..07a374b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_buster.yml
@@ -0,0 +1 @@
+lvm_config_2.03.02.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_jessie.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_jessie.yml
new file mode 120000
index 00000000..34aa0e2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_jessie.yml
@@ -0,0 +1 @@
+lvm_config_2.02.111.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_stretch.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_stretch.yml
new file mode 120000
index 00000000..252cee61
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_stretch.yml
@@ -0,0 +1 @@
+lvm_config_2.02.168.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_wheezy.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_wheezy.yml
new file mode 120000
index 00000000..0f81e489
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_debian_wheezy.yml
@@ -0,0 +1 @@
+lvm_config_2.02.95.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_default.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_default.yml
new file mode 120000
index 00000000..5c35c18e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_default.yml
@@ -0,0 +1 @@
+lvm_config_debian_buster.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu.yml
new file mode 120000
index 00000000..f09d38b6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu.yml
@@ -0,0 +1 @@
+lvm_config_ubuntu_trusty.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_precise.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_precise.yml
new file mode 120000
index 00000000..3ae3e7e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_precise.yml
@@ -0,0 +1 @@
+lvm_config_2.02.66.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_trusty.yml b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_trusty.yml
new file mode 120000
index 00000000..c4e4fc7e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lvm/vars/lvm_config_ubuntu_trusty.yml
@@ -0,0 +1 @@
+lvm_config_2.02.98.yml
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/lxc/COPYRIGHT b/ansible_collections/debops/debops/roles/lxc/COPYRIGHT
new file mode 100644
index 00000000..2c2857c6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.lxc - Configure and manage LXC hosts using Ansible
+
+Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/lxc/defaults/main.yml b/ansible_collections/debops/debops/roles/lxc/defaults/main.yml
new file mode 100644
index 00000000..3cc31638
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/defaults/main.yml
@@ -0,0 +1,770 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _lxc__ref_defaults:
+
+# debops.lxc default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: lxc__base_packages [[[
+#
+# List of base APT packages to install for LXC support.
+lxc__base_packages:
+  - [ 'lxc', 'lxcfs', 'debootstrap', 'xz-utils' ]
+  - '{{ ["dnsmasq-base"] if (lxc__net_deploy_state == "present") else [] }}'
+  - '{{ []
+        if (ansible_distribution_release in ["stretch", "trusty", "xenial"])
+        else ["apparmor", "lxc-templates"] }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__packages [[[
+#
+# List of additional APT packages to install with LXC.
+lxc__packages: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__version [[[
+#
+# The variable that exposes the version of the LXC service installed on
+# a host. It will be set automatically using the Ansible local facts.
+lxc__version: '{{ ansible_local.lxc.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Unprivileged LXC containers [[[
+# -------------------------------
+
+# .. envvar:: lxc__root_subuid_start [[[
+#
+# Specify the first subUID of the unprivileged LXC containers managed by the
+# ``root`` system account.
+lxc__root_subuid_start: '{{ ansible_local.root_account.subuids[0]["start"]
+                            if (ansible_local.root_account.subuids | d())
+                            else "100000" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__root_subuid_count [[[
+#
+# Specify the number of subUIDs reserved for the unprivileged LXC containers
+# managed by the ``root`` system account.
+lxc__root_subuid_count: '{{ ansible_local.root_account.subuids[0]["count"]
+                            if (ansible_local.root_account.subuids | d())
+                            else "65536" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__root_subgid_start [[[
+#
+# Specify the first subGID of the unprivileged LXC containers managed by the
+# ``root`` system account.
+lxc__root_subgid_start: '{{ ansible_local.root_account.subgids[0]["start"]
+                            if (ansible_local.root_account.subgids | d())
+                            else "100000" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__root_subgid_count [[[
+#
+# Specify the number of subGIDs reserved for the unprivileged LXC containers
+# managed by the ``root`` system account.
+lxc__root_subgid_count: '{{ ansible_local.root_account.subgids[0]["count"]
+                            if (ansible_local.root_account.subgids | d())
+                            else "65536" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LXC internal network configuration [[[
+# --------------------------------------
+
+# These variables define configuration of the internal LXC network for local
+# containers. If you want to support container networking on multiple LXC hosts
+# at once, you should set up external DHCP/DNS server and connect the LXC
+# containers to the host bridge interfaces instead.
+
+# .. envvar:: lxc__net_deploy_state [[[
+#
+# If ``present``, the role will configure internal LXC network using the
+# ``lxc-net`` service. If ``absent``, the internal LXC network will be disabled
+# and de-configured.
+#
+# The ``lxc-net`` service is not configured inside container environment or if
+# the host is also configured to support LXD service using the
+# :ref:`debops.lxd` role.
+lxc__net_deploy_state: '{{ "absent"
+                           if ((ansible_virtualization_type in ["lxc", "docker", "openvz"] and
+                                ansible_virtualization_role == "guest") or
+                               (inventory_hostname in groups["debops_service_lxd"] | d([])) or
+                               (ansible_local.lxd.installed | d(False)) | bool)
+                           else "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_resolver [[[
+#
+# Specify the system-wide DNS resolver in use, detected automatically. The role
+# will integrate the internal LXC network with the system resolver to permit
+# resolution of container hostnames.
+lxc__net_resolver: '{{ "resolvconf"
+                       if ((ansible_local.resolvconf.deploy_state | d("absent")) == "present")
+                       else ("systemd-resolved"
+                             if ((ansible_local.resolved.state | d("disabled")) == "enabled")
+                             else "none") }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_bridge [[[
+#
+# Name of the network bridge which will be configured for the internal LXC
+# network.
+lxc__net_bridge: 'lxcbr0'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_address [[[
+#
+# The IPv4 address and CIDR mask of the internal LXC bridge, which will be the
+# NAT gateway for the LXC containers. This value will be used to configure the
+# internal :command:`dnsmasq` DHCP server.
+#
+# You should ensure that the internal LXC network does not collide with other
+# local networks, to avoid routing issues.
+lxc__net_address: '10.0.3.1/24'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_router [[[
+#
+# Enable or disable router advertisement on the ``lxc-net`` bridge. You should
+# disable this if the primary network route of the LXC containers should go
+# through normal host bridges instead of the bridge managed by the ``lxc-net``
+# service.
+lxc__net_router: True
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_dhcp_start [[[
+#
+# The index of the IP address from the above subnet that starts the DHCP range.
+# First IP address is usually the gateway address, therefore you need to start
+# with a higher number.
+lxc__net_dhcp_start: '2'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_dhcp_end [[[
+#
+# The index of the IP address from the above subnet that ends the DHCP range.
+# Negative number tells the role to count from the end of the subnet; last IP
+# address is usually the broadcast address, therefore you need to get at least
+# one address before it.
+lxc__net_dhcp_end: '-2'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_base_domain [[[
+#
+# The DNS domain used as a base for the internal LXC domain. By default it is
+# based on the LXC host domain.
+lxc__net_base_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_domain [[[
+#
+# The DNS domain used in the internal LXC network.
+lxc__net_domain: '{{ "lxc" + (("." + lxc__net_base_domain)
+                              if lxc__net_base_domain | d()
+                              else "") }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_use_nft [[[
+#
+# Enable or disable support for NFtables by the :command:`lxc-net` script.
+lxc__net_use_nft: 'false'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_fqdn [[[
+#
+# The FQDN of the internal LXC bridge / internal LXC gateway registered in the
+# :command:`dnsmasq` service. It can be seen, for example, in traceroutes.
+#
+# The :command:`resolvconf` service will be used to add or remove the LXC
+# domain in the :file:`/etc/resolv.conf`; with local DNS resolver, for example
+# :command:`dnsmasq`, configured on the LXC host the containers can then be
+# accessed by their hostnames instead of the IP addresses.
+lxc__net_fqdn: '{{ ansible_hostname + "."
+                   + ansible_local.lxc.net_domain | d(lxc__net_domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_dnsmasq_conf [[[
+#
+# Absolute path to the custom :command:`dnsmasq` configuration file used by the
+# internal LXC network.
+lxc__net_dnsmasq_conf: '/etc/lxc/lxc-net-dnsmasq.conf'
+
+                                                                   # ]]]
+# .. envvar:: lxc__net_dnsmasq_options [[[
+#
+# String or YAML text block with additional :man:`dnsmasq(8)` options added to
+# its custom configuration file.
+lxc__net_dnsmasq_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# System-wide configuration [[[
+# -----------------------------
+
+# These variables define contents of the configuration files in the
+# :file:`/etc/lxc/` directory. See :ref:`lxc__ref_configuration` for more
+# details.
+
+# .. envvar:: lxc__default_configuration [[[
+#
+# The default LXC configuration files defined by the role.
+lxc__default_configuration:
+
+  - name: 'lxc'
+    comment: 'System-wide LXC configuration options'
+    options:
+
+      - name: 'lxc.lxcpath'
+        comment: 'Path where LXC containers are stored'
+        value: '/var/lib/lxc'
+
+      - name: 'lxc.cgroup.use'
+        value: '@all'
+        state: '{{ "present"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "absent" }}'
+
+      - name: 'lxc.default_config'
+        comment: |
+          Default configuration file used for new LXC containers if not
+          specified otherwise
+        value: '/etc/lxc/privileged.conf'
+
+      - name: 'lxc.default_unprivileged_config'
+        comment: |
+          Default configuration file used for new unprivileged LXC containers,
+          created by the 'lxc-new-unprivileged' script
+        value: '/etc/lxc/internal-unprivileged.conf'
+
+    # Default configuration for unprivileged LXC containers.
+  - name: 'unprivileged'
+    options:
+
+      - name: '{{ "lxc.network.type"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.type" }}'
+        value: 'veth'
+
+      - name: '{{ "lxc.network.link"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.link" }}'
+        value: '{{ "br0"
+                   if ((ansible_local | d() and ansible_local.ifupdown | d() and
+                        (ansible_local.ifupdown.configured | d()) | bool) or
+                       (ansible_local.networkd.state | d("disabled")) == "enabled")
+                   else (lxc__net_bridge
+                         if (lxc__net_deploy_state == "present")
+                         else "br0") }}'
+
+      - name: '{{ "lxc.network.flags"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.flags" }}'
+        value: 'up'
+
+      - name: 'lxc.id_map_user'
+        alias: '{{ "lxc.id_map"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.idmap" }}'
+        value: 'u 0 {{ lxc__root_subuid_start }} {{ lxc__root_subuid_count }}'
+        separator: True
+
+      - name: 'lxc.id_map_group'
+        alias: '{{ "lxc.id_map"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.idmap" }}'
+        value: 'g 0 {{ lxc__root_subgid_start }} {{ lxc__root_subgid_count }}'
+
+      - name: 'lxc.start.auto'
+        value: '0'
+        separator: True
+
+      - name: 'lxc.cap.drop_secure'
+        alias: 'lxc.cap.drop'
+        value: '{{ ["mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time"]
+                  + ([] if (lxc__version is version("3.0.0", "<") or
+                            lxc__version is version("4.0.0", ">="))
+                  else ["sys_admin"]) }}'
+
+      # Select how many CPUs are available inside of the container
+      - name: 'lxc.cgroup.cpuset.cpus'
+        value: '0-{{ ansible_processor_vcpus | int - 1 }}'
+        state: 'comment'
+        separator: True
+
+      # Limit the amount of memory available inside of the container
+      - name: 'lxc.cgroup.memory.limit_in_bytes'
+        value: '{{ (ansible_memtotal_mb | int / 1024) | round | int }}G'
+        state: 'comment'
+
+      # Limit available swap space inside of the container. The value is
+      # a combined memory (above) + swap size, it should be bigger than the
+      # amount of memory allocated to the container.
+      - name: 'lxc.cgroup.memory.memsw.limit_in_bytes'
+        value: '{{ ((ansible_memtotal_mb | int + ansible_swaptotal_mb | int) / 1024) | round | int }}G'
+        state: 'comment'
+
+      # Required in AppArmor environment to allow systemd services to start
+      # inside of the LXC unprivileged containers.
+      # See also: https://bugs.debian.org/916644,
+      # https://bugs.debian.org/918839, https://bugs.debian.org/911806
+      # https://github.com/lxc/lxc/issues/4333
+      - name: 'lxc.apparmor.profile'
+        value: 'unconfined'
+        state: 'present'
+
+      # Required in AppArmor environment to allow systemd services to start
+      # inside of the LXC unprivileged containers.
+      # See also: https://bugs.debian.org/916644,
+      # https://bugs.debian.org/918839, https://bugs.debian.org/911806
+      - name: 'lxc.apparmor.allow_nesting'
+        value: '1'
+        state: '{{ "absent"
+                   if (lxc__version is version("3.0.0", "<") or
+                       lxc__version is version("4.1.0", ">="))
+                   else "present" }}'
+
+    # Default configuration for privileged LXC containers
+  - name: 'privileged'
+    options:
+
+      - name: '{{ "lxc.network.type"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.type" }}'
+        value: 'veth'
+
+      - name: '{{ "lxc.network.link"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.link" }}'
+        value: '{{ "br0"
+                   if ((ansible_local | d() and ansible_local.ifupdown | d() and
+                        (ansible_local.ifupdown.configured | d()) | bool) or
+                       (ansible_local.networkd.state | d("disabled")) == "enabled")
+                   else (lxc__net_bridge
+                         if (lxc__net_deploy_state == "present")
+                         else "br0") }}'
+
+      - name: '{{ "lxc.network.flags"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.flags" }}'
+        value: 'up'
+
+      - name: 'lxc.start.auto'
+        value: '0'
+        separator: True
+
+      - name: 'lxc.cap.drop_secure'
+        alias: 'lxc.cap.drop'
+        value: '{{ ["mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time"]
+                  + ([] if (lxc__version is version("3.0.0", "<") or
+                            lxc__version is version("4.0.0", ">="))
+                            else ["sys_admin"]) }}'
+
+    # Configuration for unprivileged LXC containers that uses only the internal
+    # bridge managed by the 'lxc-net' service
+  - name: 'internal-unprivileged'
+    state: '{{ "present" if (lxc__net_deploy_state == "present") else "absent" }}'
+    options:
+
+      - name: '{{ "lxc.network.type"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.type" }}'
+        value: 'veth'
+
+      - name: '{{ "lxc.network.link"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.link" }}'
+        value: '{{ lxc__net_bridge }}'
+
+      - name: '{{ "lxc.network.flags"
+                  if (lxc__version is version("2.1.0", "<"))
+                  else "lxc.net.0.flags" }}'
+        value: 'up'
+
+      - name: 'lxc.id_map_user'
+        alias: '{{ "lxc.id_map"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.idmap" }}'
+        value: 'u 0 {{ lxc__root_subuid_start }} {{ lxc__root_subuid_count }}'
+        separator: True
+
+      - name: 'lxc.id_map_group'
+        alias: '{{ "lxc.id_map"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.idmap" }}'
+        value: 'g 0 {{ lxc__root_subgid_start }} {{ lxc__root_subgid_count }}'
+
+      - name: 'lxc.start.auto'
+        value: '0'
+        separator: True
+
+      - name: 'lxc.cap.drop_secure'
+        alias: 'lxc.cap.drop'
+        value: '{{ ["mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time"]
+                  + ([] if (lxc__version is version("3.0.0", "<") or
+                            lxc__version is version("4.0.0", ">="))
+                            else ["sys_admin"]) }}'
+
+      # Select how many CPUs are available inside of the container
+      - name: 'lxc.cgroup.cpuset.cpus'
+        value: '0-{{ ansible_processor_vcpus | int - 1 }}'
+        state: 'comment'
+        separator: True
+
+      # Limit the amount of memory available inside of the container
+      - name: 'lxc.cgroup.memory.limit_in_bytes'
+        value: '{{ (ansible_memtotal_mb | int / 1024) | round | int }}G'
+        state: 'comment'
+
+      # Limit available swap space inside of the container. The value is
+      # a combined memory (above) + swap size, it should be bigger than the
+      # amount of memory allocated to the container.
+      - name: 'lxc.cgroup.memory.memsw.limit_in_bytes'
+        value: '{{ ((ansible_memtotal_mb | int + ansible_swaptotal_mb | int) / 1024) | round | int }}G'
+        state: 'comment'
+
+      # Required in AppArmor environment to allow systemd services to start
+      # inside of the LXC unprivileged containers.
+      # See also: https://bugs.debian.org/916644,
+      # https://bugs.debian.org/918839, https://bugs.debian.org/911806
+      # https://github.com/lxc/lxc/issues/4333
+      - name: 'lxc.apparmor.profile'
+        value: 'unconfined'
+        state: 'present'
+
+      # Required in AppArmor environment to allow systemd services to start
+      # inside of the LXC unprivileged containers.
+      # See also: https://bugs.debian.org/916644,
+      # https://bugs.debian.org/918839, https://bugs.debian.org/911806
+      - name: 'lxc.apparmor.allow_nesting'
+        value: '1'
+        state: '{{ "absent"
+                   if (lxc__version is version("3.0.0", "<") or
+                       lxc__version is version("4.1.0", ">="))
+                   else "present" }}'
+
+    # Default configuration for privileged LXC containers with multiple network
+    # interfaces
+  - name: 'external-internal'
+    options:
+
+      - name: 'lxc.network.type_net0'
+        alias: '{{ "lxc.network.type"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.0.type" }}'
+        value: 'veth'
+
+      - name: 'lxc.network.link_net0'
+        alias: '{{ "lxc.network.link"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.0.link" }}'
+        value: '{{ "br0"
+                   if ((ansible_local | d() and ansible_local.ifupdown | d() and
+                        (ansible_local.ifupdown.configured | d()) | bool) or
+                       (ansible_local.networkd.state | d("disabled")) == "enabled")
+                   else (lxc__net_bridge
+                         if (lxc__net_deploy_state == "present")
+                         else "br0") }}'
+
+      - name: 'lxc.network.flags_net0'
+        alias: '{{ "lxc.network.flags"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.0.flags" }}'
+        value: 'up'
+
+      - name: 'lxc.network.type_net1'
+        alias: '{{ "lxc.network.type"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.1.type" }}'
+        value: 'veth'
+        separator: True
+
+      - name: 'lxc.network.link_net1'
+        alias: '{{ "lxc.network.link"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.1.link" }}'
+        value: 'br1'
+
+      - name: 'lxc.network.flags_net1'
+        alias: '{{ "lxc.network.flags"
+                   if (lxc__version is version("2.1.0", "<"))
+                   else "lxc.net.1.flags" }}'
+        value: 'up'
+
+      - name: 'lxc.start.auto'
+        value: '0'
+        separator: True
+
+      - name: 'lxc.cap.drop_secure'
+        alias: 'lxc.cap.drop'
+        value: '{{ ["mknod", "sys_rawio", "syslog", "wake_alarm", "sys_time"]
+                  + ([] if (lxc__version is version("3.0.0", "<") or
+                            lxc__version is version("4.0.0", ">="))
+                  else ["sys_admin"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__configuration [[[
+#
+# List of LXC configuration files which should be present on all hosts in the
+# Ansible inventory.
+lxc__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__group_configuration [[[
+#
+# List of LXC configuration files which should be present on hosts in
+# a specific Ansible inventory group.
+lxc__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__host_configuration [[[
+#
+# List of LXC configuration files which should be present on specific hosts in
+# the Ansible inventory.
+lxc__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__combined_configuration [[[
+#
+# The variable that combines all of the configuration lists and is used in the
+# role tasks.
+lxc__combined_configuration: '{{ lxc__default_configuration
+                                 + lxc__configuration
+                                 + lxc__group_configuration
+                                 + lxc__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Common container configuration [[[
+# ----------------------------------
+
+# These variables define the contents of the
+# :file:`/usr/share/lxc/config/common.conf.d/` directory. Files in this
+# directory that end in ``.conf`` are included in the common configuration of
+# each LXC container.
+#
+# The syntax is the same as the system-wide configuration.
+# See :ref:`lxc__ref_configuration` for details.
+
+# .. envvar:: lxc__common_default_conf [[[
+#
+# Default configuration for all LXC containers defined by the role.
+lxc__common_default_conf:
+
+  - name: 'static-hwaddr'
+    comment: |
+      Generate static, predictable MAC addresses for container network
+      interfaces before the container is started. Containers will have to be
+      restarted for new MAC addresses to be used.
+    options:
+
+      - name: 'lxc.hook.pre-start_hwaddr'
+        alias: 'lxc.hook.pre-start'
+        value: '/usr/local/bin/lxc-hwaddr-static'
+
+  - name: 'destroy-systemd-instance'
+    comment: |
+      At container destruction, ensure that its corresponding systemd service
+      instance is disabled.
+    options:
+
+      - name: 'lxc.hook.destroy_systemd_instance'
+        alias: 'lxc.hook.destroy'
+        value: '/usr/local/lib/lxc/lxc-destroy-systemd-instance'
+
+                                                                   # ]]]
+# .. envvar:: lxc__common_conf [[[
+#
+# Common configuration for all LXC containers defined on all hosts in the
+# Ansible inventory.
+lxc__common_conf: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__common_group_conf [[[
+#
+# Common configuration for all LXC containers defined on hosts in a specific
+# Ansible inventory group.
+lxc__common_group_conf: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__common_host_conf [[[
+#
+# Common configuration for all LXC containers defined on specific hosts in the
+# Ansible inventory.
+lxc__common_host_conf: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__common_combined_conf [[[
+#
+# Variable which combines configuration from all common conf variables and is
+# used in the role tasks.
+lxc__common_combined_conf: '{{ lxc__common_default_conf
+                               + lxc__common_conf
+                               + lxc__common_group_conf
+                               + lxc__common_host_conf }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LXC container defaults [[[
+# --------------------------
+
+# These variables define default configuration of LXC containers created by the
+# role. By default, if no other options are specified, the role will create
+# unprivileged LXC containers based on the host OS distribution and release,
+# with configured SSH access.
+
+# .. envvar:: lxc__default_container_config [[[
+#
+# Specify the default LXC configuration file used during container creation.
+lxc__default_container_config: '/etc/lxc/unprivileged.conf'
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_ssh [[[
+#
+# If ``True``, the LXC containers created by the role will be configured with
+# SSH access by the :command:`lxc-prepare-ssh` script.
+# If ``False``, the LXC containers will not have direct SSH access configured.
+# This can be overridden for individual containers using the ``item.ssh``
+# parameter.
+lxc__default_container_ssh: True
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_ssh_root_sshkeys [[[
+#
+# The list of SSH public keys stored in the
+# :file:`/etc/lxc/root_authorized_keys` file. If the file is not empty, its
+# contents will be added to the :file:`/root/.ssh/authorized_keys` file in all
+# new LXC containers. This list can be used to define SSH identities of system
+# administrators which should have access to all LXC containers created on the
+# host.
+lxc__default_container_ssh_root_sshkeys: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_template [[[
+#
+# Specify the default LXC container template to use if none is defined. By
+# default the role creates unprivileged LXC containers.
+lxc__default_container_template: 'download'
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_distribution [[[
+#
+# The default OS distribution used during container creation.
+lxc__default_container_distribution: '{{ ansible_local.core.distribution | d(ansible_distribution) }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_release [[[
+#
+# The default OS release used during container creation.
+lxc__default_container_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_architecture [[[
+#
+# Specify the default processor architecture used during container creation
+# (required by the "download" LXC template).
+lxc__default_container_architecture: '{{ "amd64"
+                                         if (ansible_architecture == "x86_64")
+                                         else ansible_architecture }}'
+                                                                   # ]]]
+# .. envvar:: lxc__default_container_backing_store [[[
+#
+# Specify the default backing store used during container creation
+lxc__default_container_backing_store: 'dir'
+                                                                   # ]]]
+                                                                   # ]]]
+# LXC container instances [[[
+# ---------------------------
+
+# These variables can be used to create and manage LXC containers on LXC hosts.
+# See :ref:`lxc__ref_containers` for more details.
+
+# .. envvar:: lxc__containers [[[
+#
+# The list of LXC containers which should be configured on LXC hosts. Be aware
+# that containers with the same name on multiple LXC hosts might cause issues
+# due to the same static MAC addresses configured on each of them. This
+# situation should be avoided.
+lxc__containers: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: lxc__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` role.
+lxc__apt_preferences__dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: lxc__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+lxc__python__dependent_packages3:
+
+  - 'python3-lxc'
+
+                                                                   # ]]]
+# .. envvar:: lxc__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+lxc__python__dependent_packages2:
+
+  - 'python-lxc'
+
+                                                                   # ]]]
+# .. envvar:: lxc__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` role.
+lxc__ferm__dependent_rules:
+
+  - type: 'custom'
+    by_role: 'debops.lxc'
+    filename: 'lxc_bootp_checksum'
+    weight: '30'
+    rule_state: 'absent'
+
+  - type: 'custom'
+    by_role: 'debops.lxc'
+    name: 'bootp_checksum'
+    weight: '30'
+    rules: |
+      # Add checksums to BOOTP packets for LXC containers
+      # https://www.redhat.com/archives/libvir-list/2010-August/msg00035.html
+      @hook post "iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill";
+
+# ]]]
+# .. envvar:: lxc__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+lxc__sysctl__dependent_parameters:
+
+  - name: 'lxc-inotify'
+    divert: True
+    weight: '30'
+    options:
+
+      - name: 'fs.inotify.max_user_instances'
+        comment: |
+          Defines the maximum number of inotify listeners.
+          By default, this value is 128, which is quickly exhausted when using
+          systemd-based LXC containers (15 containers are enough).
+          When the limit is reached, systemd becomes mostly unusable, throwing
+          "Too many open files" all around (both on the host and in containers).
+          See https://kdecherf.com/blog/2015/09/12/systemd-and-the-fd-exhaustion/
+          Increase the user inotify instance limit to allow for about
+          100 containers to run before the limit is hit again
+        value: 1024
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-hwaddr-static b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-hwaddr-static
new file mode 100755
index 00000000..0dceb571
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-hwaddr-static
@@ -0,0 +1,127 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Usage: lxc-hwaddr-static <container_name>
+
+# For specified LXC container, generate a random but predictable MAC address
+# for each configured network interface and save it in the configuration file.
+
+# MAC addresses are expected to conform to a set of Locally Administered
+# Address Ranges: https://serverfault.com/questions/40712/
+
+# This script can be used as a pre-start hook via the 'lxc.hook.pre-start'
+# option in the container configuration, however on the container start the new
+# MAC addresses added to the config file are not known to LXC scripts. New MAC
+# addresses will be used after a container is restarted.
+
+
+set -o nounset -o pipefail -o errexit
+
+SCRIPT="$(basename "${0}")"
+readonly SCRIPT
+readonly CONTAINER="${LXC_NAME:-${1:-}}"
+readonly CONFIG="${LXC_CONFIG_FILE:-/var/lib/lxc/${CONTAINER}/config}"
+
+# First character in a static prefix
+readonly MAC_LAA1=( {0..9} {a..f} )
+
+# Second character in a static prefix
+readonly MAC_LAA2=( 2 6 a e )
+
+
+if [ -n "${CONTAINER}" ] ; then
+    if [ -r "${CONFIG}" ] ; then
+
+        # Detect the new LXC configuration, 2.1.x+
+        if grep -qE '^lxc\.uts\.name\s+=' "${CONFIG}" ; then
+
+            # Don't modify configuration files that already contain hardware addresses
+            if ! grep -qE '^lxc\.net\.[0-9]+\.hwaddr\s+=' "${CONFIG}" \
+                && ! grep -qE '^# no-static-hwaddr' "${CONFIG}" \
+                && ! grep -qE '^# no-hwaddr-static' "${CONFIG}" ; then
+
+                # Count number of network interfaces defined for a container
+                iface_count="$(grep -cE '^lxc\.net\.[0-9]+\.type\s+=' "${CONFIG}")"
+
+                # Convert the container name into a number usable by RANDOM
+                container_seed="$(printf "%s" "${CONTAINER}" | od -An -vtu1 | tr -d '[:blank:]')"
+
+                for (( i=0 ; i<iface_count ; i++ )) ; do
+
+                    # Seed the randomizer with a predictable string based on container
+                    # name and the network interface number
+                    RANDOM="${container_seed}${i}"
+                    interface_seed="${CONTAINER}${i}"
+
+                    # Generate random MAC address based on predictable seed
+                    static_prefix="${MAC_LAA1[ $RANDOM % ${#MAC_LAA1[@]} ]}${MAC_LAA2[ $RANDOM % ${#MAC_LAA2[@]} ]}"
+                    static_hwaddr="$(printf "%s" "${interface_seed}" | md5sum | sed "s/^\\(..\\)\\(..\\)\\(..\\)\\(..\\)\\(..\\).*$/${static_prefix}:\\1:\\2:\\3:\\4:\\5/")"
+
+                    # Configure the generated MAC address for each network interface
+                    # found in the container configuration file
+                    printf "Setting a static MAC address for interface %s: %s\\n" "${i}" "${static_hwaddr}"
+                    awk "/^lxc.net.${i}.type/ {sub(/lxc.net.${i}.type.*$/,\"&\\nlxc.net.${i}.hwaddr = ${static_hwaddr}\")}1" "${CONFIG}" > "${CONFIG}.tmp"
+                    mv "${CONFIG}.tmp" "${CONFIG}"
+
+                done
+
+            else
+                printf "Configuration file '%s' already contains MAC addresses, skipping\\n" "${CONFIG}"
+                exit 0
+            fi
+
+
+        # Detect the old LXC configuration, pre 2.1.x
+        elif grep -qE '^lxc\.utsname\s+=' "${CONFIG}" ; then
+
+            # Don't modify configuration files that already contain hardware addresses
+            if ! grep -qE '^lxc\.network\.hwaddr\s+=' "${CONFIG}" \
+                && ! grep -qE '^# no-static-hwaddr' "${CONFIG}" \
+                && ! grep -qE '^# no-hwaddr-static' "${CONFIG}" ; then
+
+                # Count number of network interfaces defined for a container
+                iface_count="$(grep -cE '^lxc\.network\.type\s+=' "${CONFIG}")"
+
+                # Convert the container name into a number usable by RANDOM
+                container_seed="$(printf "%s" "${CONTAINER}" | od -An -vtu1 | tr -d '[:blank:]')"
+
+                for (( i=1 ; i<=iface_count ; i++ )) ; do
+
+                    # Seed the randomizer with a predictable string based on container
+                    # name and the network interface number
+                    RANDOM="${container_seed}${i}"
+                    interface_seed="${CONTAINER}${i}"
+
+                    # Generate random MAC address based on predictable seed
+                    static_prefix="${MAC_LAA1[ $RANDOM % ${#MAC_LAA1[@]} ]}${MAC_LAA2[ $RANDOM % ${#MAC_LAA2[@]} ]}"
+                    static_hwaddr="$(printf "%s" "${interface_seed}" | md5sum | sed "s/^\\(..\\)\\(..\\)\\(..\\)\\(..\\)\\(..\\).*$/${static_prefix}:\\1:\\2:\\3:\\4:\\5/")"
+
+                    # Configure the generated MAC address for each network interface
+                    # found in the container configuration file
+                    printf "Setting a static MAC address for interface %s: %s\\n" "${i}" "${static_hwaddr}"
+                    awk "/^lxc.network.type/{x++} x==${i}{sub(/lxc.network.type.*$/,\"&\\nlxc.network.hwaddr = ${static_hwaddr}\")}1" "${CONFIG}" > "${CONFIG}.tmp"
+                    mv "${CONFIG}.tmp" "${CONFIG}"
+
+                done
+
+            else
+                printf "Configuration file '%s' already contains MAC addresses, skipping\\n" "${CONFIG}"
+                exit 0
+            fi
+
+        fi
+
+    else
+        printf "Warning: '%s' file not found, skipping\\n" "${CONFIG}"
+    fi
+else
+    cat <<EOF
+${SCRIPT}: generate static and predictable MAC addresses for LXC containers
+
+Usage: ${SCRIPT} <container_name>
+EOF
+fi
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-new-unprivileged b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-new-unprivileged
new file mode 100755
index 00000000..e2c94277
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-new-unprivileged
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# A simple script to create na uprivileged LXC container based on current LXC
+# host distribution, release and architecture. The script uses the
+# 'lxc-hwaddr-static' and 'lxc-prepare-ssh' commands to further configure the
+# created LXC container.
+
+# Usage: lxc-new-unprivileged <container> [config-file]
+
+
+set -o nounset -o pipefail -o errexit
+
+SCRIPT="$(basename "${0}")"
+readonly SCRIPT
+readonly CONTAINER="${1:-}"
+CONFIG_FILE="$(grep 'lxc.default_unprivileged_config' /etc/lxc/lxc.conf | awk '{print $3}')"
+readonly CONFIG_FILE
+
+DISTRIBUTION="$(lsb_release -i | awk '{print $NF}' | tr '[:upper:]' '[:lower:]')"
+readonly DISTRIBUTION
+RELEASE="$(lsb_release -c | awk '{print $NF}' | tr '[:upper:]' '[:lower:]')"
+readonly RELEASE
+ARCHITECTURE="$(dpkg --print-architecture)"
+readonly ARCHITECTURE
+
+# The SKS keyservers are deprecated, so we need to provide an alternative
+readonly DOWNLOAD_KEYSERVER="${DOWNLOAD_KEYSERVER:-hkp://keyserver.ubuntu.com}"
+export DOWNLOAD_KEYSERVER
+
+container_exists () {
+    local container
+    container="${1}"
+
+    if lxc-ls -1 | grep -q -E "^${container}$" ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+print_usage () {
+    cat <<EOF
+${SCRIPT}: create new unprivileged LXC container based on LXC host
+
+Usage: ${SCRIPT} <container-name>
+EOF
+}
+
+error_msg () {
+    printf "%s\\n" "${*}" >&2
+}
+
+main () {
+    local container
+    container="${CONTAINER}"
+
+    local config_file
+    config_file="${CONFIG_FILE}"
+
+    local distribution
+    distribution="${DISTRIBUTION}"
+
+    local release
+    release="${RELEASE}"
+
+    local architecture
+    architecture="${ARCHITECTURE}"
+
+    if [ -n "${container}" ] ; then
+        if ! container_exists "${container}" ; then
+
+            printf "Container '%s' doesn't exist, creating...\\n" "${container}"
+
+            lxc-create --name "${container}" \
+                       --config "${config_file}" \
+                       --template "download" \
+                       -- --dist "${distribution}" \
+                          --release "${release}" \
+                          --arch "${architecture}"
+
+            if grep -qE '^lxc\.uts\.name\s+=' "/var/lib/lxc/${container}/config" ; then
+                iface_count="$(grep -cE '^lxc\.net\.[0-9]+\.type\s+=' "/var/lib/lxc/${container}/config")"
+            elif grep -qE '^lxc\.utsname\s+=' "/var/lib/lxc/${container}/config" ; then
+                iface_count="$(grep -cE '^lxc\.network\.type\s+=' "/var/lib/lxc/${container}/config")"
+            fi
+            iface_count="$(( iface_count - 1 ))"
+
+            if [ -f "/var/lib/lxc/${container}/rootfs/etc/network/interfaces" ] ; then
+                if [ "${iface_count}" -gt 0 ] ; then
+                    for (( i=1 ; i<=iface_count ; i++ )) ; do
+                        printf "Adding eth%s interface to network configuration\\n" "${i}"
+                        cat <<EOF >> "/var/lib/lxc/${container}/rootfs/etc/network/interfaces"
+
+auto eth${i}
+iface eth${i} inet dhcp
+EOF
+                    done
+                fi
+            fi
+
+            lxc-hwaddr-static "${container}"
+
+            if pidof systemd > /dev/null 2>&1 ; then
+                systemctl enable "lxc@${container}.service"
+                systemctl start "lxc@${container}.service"
+            else
+                lxc-start -n "${container}" -d
+            fi
+            lxc-wait -n "${container}" -s RUNNING
+
+            # During container creation, a static hostname is added into
+            # '/etc/hosts' which breaks proper DNS domain resolution of the
+            # container. Because we are using DHCP/DNS server to manage
+            # containers, remove the static host entry to fix the issue.
+            if lxc-attach -n "${container}" -- grep -q '127.0.1.1' /etc/hosts ; then
+                printf "Removing static host entry from /etc/hosts...\\n"
+                lxc-attach -n "${container}" -- sed -i "/127\\.0\\.1\\.1/d" /etc/hosts > /dev/null
+            fi
+
+            c=0
+            until lxc-prepare-ssh "${container}" ; do
+                ((c++)) && ((c==4)) && break
+                printf "Waiting for network inside container to settle...\\n"
+                sleep 5
+            done
+
+        else
+            error_msg "Error: container '${container}' already exists"
+            return 1
+        fi
+    else
+        print_usage
+        return 1
+    fi
+}
+
+main
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-prepare-ssh b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-prepare-ssh
new file mode 100755
index 00000000..3d573418
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/bin/lxc-prepare-ssh
@@ -0,0 +1,170 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Prepare a LXC container for remote management by adding authorized SSH keys
+# to its 'root' account. The script will ensure that OpenSSH is installed in
+# the container.
+
+set -o nounset -o pipefail -o errexit
+
+SCRIPT="$(basename "${0}")"
+readonly SCRIPT
+readonly CONTAINER="${1:-}"
+
+if [ -f "/etc/lxc/root_authorized_keys" ] ; then
+    readonly ROOT_AUTHORIZED_KEYS="/etc/lxc/root_authorized_keys"
+else
+    readonly ROOT_AUTHORIZED_KEYS=""
+fi
+
+if [ -n "${SUDO_USER:-}" ] ; then
+    SUDO_USER_HOME="$(getent passwd "${SUDO_USER}" | cut -d: -f6)"
+    readonly SUDO_USER_HOME
+    readonly SUDO_AUTHORIZED_KEYS="${SUDO_USER_HOME}/.ssh/authorized_keys"
+
+    # Support for SSH keys from LDAP directory
+    if [ -x "/etc/ssh/authorized_keys_lookup" ] ; then
+        LDAP_AUTHORIZED_KEYS="$(/etc/ssh/authorized_keys_lookup "${SUDO_USER}")"
+        readonly LDAP_AUTHORIZED_KEYS
+    fi
+else
+    readonly SUDO_AUTHORIZED_KEYS=""
+fi
+
+container_exists () {
+    local container
+    container="${1}"
+
+    if lxc-ls -1 | grep -q -E "^${container}$" ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+container_is_running () {
+    local container
+    container="${1}"
+
+    if [ "$(lxc-info -n "${container}" | grep -E "^State:\\s" | awk '{print $2}')" = "RUNNING" ] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+prepare_openssh () {
+    local container
+    container="${1}"
+
+    if ! lxc-attach -n "${container}" -- test -x /usr/sbin/sshd ; then
+        if lxc-attach -n "${container}" -- test -f /etc/debian_version ; then
+            printf "Installing OpenSSH service...\\n"
+            lxc-attach -n "${container}" -- apt-get update
+            lxc-attach -n "${container}" -- apt-get -y --no-install-recommends install openssh-server
+        fi
+    fi
+}
+
+prepare_authorized_keys () {
+    local container
+    container="${1}"
+    local authorized_keys
+    authorized_keys="${2}"
+
+    local -a authorized_keys_content
+    if [ -f "${authorized_keys}" ] ; then
+        readarray -t authorized_keys_content <<< "$(< "${authorized_keys}")"
+    else
+        readarray -t authorized_keys_content <<< "${authorized_keys}"
+    fi
+
+    if ! lxc-attach -n "${container}" -- test -d /root/.ssh ; then
+        lxc-attach -n "${container}" -- mkdir -p -m 0700 /root/.ssh
+        lxc-attach -n "${container}" -- touch /root/.ssh/authorized_keys
+        lxc-attach -n "${container}" -- chmod 0600 /root/.ssh/authorized_keys
+    fi
+    if [ -f "${authorized_keys}" ] ; then
+        printf "Adding authorized SSH keys from '%s'...\\n" "${authorized_keys}"
+    else
+        printf "Adding authorized SSH key...\\n"
+    fi
+    for key_line in "${authorized_keys_content[@]}" ; do
+        if ssh-keygen -l -f - <<< "${key_line}" > /dev/null ; then
+            if ! lxc-attach -n "${container}" -- grep -Fxq "${key_line}" /root/.ssh/authorized_keys ; then
+                ssh-keygen -l -f - <<< "${key_line}"
+                lxc-attach -n "${container}" -- tee -a /root/.ssh/authorized_keys <<< "${key_line}" 1>/dev/null
+            fi
+        fi
+    done
+}
+
+print_usage () {
+    cat <<EOF
+${SCRIPT}: add authorized SSH keys to an LXC container
+
+Usage: ${SCRIPT} <container-name>
+
+The keys will be taken from files:
+    /etc/lxc/root_authorized_keys
+    \${SUDO_USER}/.ssh/authorized_keys
+If enabled, LDAP directory will be checked for SSH authorized_keys
+EOF
+}
+
+error_msg () {
+    printf "%s\\n" "${*}" >&2
+}
+
+main () {
+    local container
+    container="${CONTAINER}"
+    local -a root_authorized_keys
+    local -a authorized_keys
+    root_authorized_keys=( "${ROOT_AUTHORIZED_KEYS}" )
+    authorized_keys=( "${SUDO_AUTHORIZED_KEYS}" )
+    local ldap_authorized_keys
+    ldap_authorized_keys="${LDAP_AUTHORIZED_KEYS:-}"
+
+    if [ -n "${container}" ] ; then
+        if container_exists "${container}" ; then
+            if ! container_is_running "${container}" ; then
+                printf "Container '%s' is not running, starting...\\n" "${container}"
+
+                if pidof systemd > /dev/null 2>&1 ; then
+                    systemctl enable "lxc@${container}.service"
+                    systemctl start "lxc@${container}.service"
+                else
+                    lxc-start -n "${container}" -d
+                fi
+                lxc-wait -n "${container}" -s RUNNING
+            fi
+            prepare_openssh "${container}"
+            for key_file in "${root_authorized_keys[@]}" ; do
+                if [ -f "${key_file}" ] ; then
+                    prepare_authorized_keys "${container}" "${key_file}"
+                fi
+            done
+            for key_file in "${authorized_keys[@]}" ; do
+                if [ -f "${key_file}" ] ; then
+                    prepare_authorized_keys "${container}" "${key_file}"
+                fi
+            done
+            if [ -n "${ldap_authorized_keys}" ] ; then
+                prepare_authorized_keys "${container}" "${ldap_authorized_keys}"
+            fi
+        else
+            error_msg "Error: container '${container}' doesn't exist"
+            return 1
+        fi
+    else
+        print_usage
+        return 1
+    fi
+}
+
+main
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-destroy-systemd-instance b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-destroy-systemd-instance
new file mode 100755
index 00000000..3f759d1f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-destroy-systemd-instance
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Script installed by the 'debops.lxc' Ansible role
+
+# This hook script is executed by 'lxc-destroy' command via the
+# 'lxc.hook.destroy' LXC configuration option. It will disable the
+# 'lxc@<container>.service' systemd service instance when its corresponding LXC
+# container is destroyed.
+
+set -o nounset -o pipefail -o errexit
+
+readonly CONTAINER="${LXC_NAME:-${1:-}}"
+
+if [ -n "${CONTAINER}" ] ; then
+    if pidof systemd > /dev/null 2>&1 ; then
+
+        if [ "$(systemctl is-enabled "lxc@${CONTAINER}.service")" = "enabled" ] ; then
+            /bin/systemctl --no-ask-password disable "lxc@${CONTAINER}.service"
+        fi
+
+        if [ -d "/etc/systemd/system/lxc@${CONTAINER}.service.d" ] ; then
+            rm -rf "/etc/systemd/system/lxc@${CONTAINER}.service.d"
+            /bin/systemctl --no-ask-password daemon-reload
+        fi
+
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-resolvconf b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-resolvconf
new file mode 100755
index 00000000..47e9c875
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-resolvconf
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Script installed by the 'debops.lxc' Ansible role
+
+# Hook script executed by the 'lxc-net' systemd service on start and stop,
+# which maintains the '/run/resolvconf/interface/lxcbr0.lxc-net' configuration
+# file
+
+set -o nounset -o pipefail -o errexit
+
+readonly COMMAND="${1:-}"
+
+if [ -f "/etc/default/lxc-net" ] ; then
+
+    # shellcheck disable=SC1091
+    source /etc/default/lxc-net
+
+    readonly RESOLVCONF_FILE="/run/resolvconf/interface/${LXC_BRIDGE}.lxc-net"
+
+    case "${COMMAND}" in
+        start)
+            if [ -f "${RESOLVCONF_FILE}" ] ; then
+                rm -f "${RESOLVCONF_FILE}"
+            fi
+
+            if [ -n "${LXC_DOMAIN}" ] ; then
+                printf "search %s\\n" "${LXC_DOMAIN}" > "${RESOLVCONF_FILE}"
+            fi
+            resolvconf -u
+            ;;
+        stop)
+            if [ -f "${RESOLVCONF_FILE}" ] ; then
+                rm -f "${RESOLVCONF_FILE}"
+            fi
+            resolvconf -u
+            ;;
+        *)
+            printf "This script shouldn't be used as standalone. Exiting\\n"
+            exit 1
+            ;;
+    esac
+fi
diff --git a/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-systemd-resolved b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-systemd-resolved
new file mode 100755
index 00000000..451328a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/files/usr/local/lib/lxc/lxc-net-systemd-resolved
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Script installed by the 'debops.lxc' Ansible role
+
+# Hook script executed by the 'lxc-net' systemd service on start and stop,
+# which configures nameserver and domain for the LXC containers in the
+# systemd-resolved resolver.
+
+set -o nounset -o pipefail -o errexit
+
+readonly COMMAND="${1:-}"
+
+if [ -f "/etc/default/lxc-net" ] ; then
+
+    # shellcheck disable=SC1091
+    source /etc/default/lxc-net
+
+    if [ "${USE_LXC_BRIDGE}" == "true" ] ; then
+        # Configuration for LXC-based network
+
+        readonly RESOLVE_ENABLED="${USE_LXC_BRIDGE}"
+        readonly RESOLVE_BRIDGE="${LXC_BRIDGE:-}"
+        readonly RESOLVE_NAMESERVER="${LXC_ADDR:-}"
+
+        # Use route-only domains with tilde, otherwise DNS queries for host's own
+        # name will result in returning its LXC subdomain name and break DNS
+        # resolution
+        readonly RESOLVE_DOMAIN="~${LXC_DOMAIN:-}"
+
+    else
+        # Configuration for LXD-based network
+
+        readonly LXD_BRIDGE="lxdbr0"
+
+        # Wait for the network interface to be configured
+        TIMEOUT_COUNT="0"
+        until (( TIMEOUT_COUNT == 5 )) || ip addr show dev "${LXD_BRIDGE}" 2>/dev/null | grep "state UP" > /dev/null ; do
+            sleep "$(( TIMEOUT_COUNT++ ))"
+        done
+
+        if ip link show "${LXD_BRIDGE}" up > /dev/null 2>&1 ; then
+
+            readonly RESOLVE_ENABLED="true"
+            readonly RESOLVE_BRIDGE="${LXD_BRIDGE}"
+            RESOLVE_NAMESERVER="$(ip addr show "${LXD_BRIDGE}" | grep -Po 'inet \K[\d.]+')"
+
+            # Use route-only domains with tilde, otherwise DNS queries for host's own
+            # name will result in returning its LXC subdomain name and break DNS
+            # resolution
+            readonly RESOLVE_DOMAIN="~lxd"
+        else
+            readonly RESOLVE_ENABLED="false"
+            readonly RESOLVE_NAMESERVER=""
+        fi
+    fi
+
+    RESOLVE_REVDNS="$(printf "%s\n" "${RESOLVE_NAMESERVER}" | awk -F'.' '{print "~"$3"."$2"."$1".in-addr.arpa"}')"
+    RESOLVED_SERVICE="$(systemctl is-active systemd-resolved.service)"
+
+    if [ "${RESOLVE_ENABLED}" == "true" ] && [ "${RESOLVED_SERVICE}" == "active" ] ; then
+        case "${COMMAND}" in
+            start)
+                resolvectl dns "${RESOLVE_BRIDGE}" "${RESOLVE_NAMESERVER}"
+                resolvectl domain "${RESOLVE_BRIDGE}" "${RESOLVE_DOMAIN}" "${RESOLVE_REVDNS}"
+                ;;
+            stop)
+                resolvectl revert "${RESOLVE_BRIDGE}"
+                ;;
+            *)
+                printf "This script shouldn't be used as standalone. Exiting\\n"
+                exit 1
+                ;;
+        esac
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/lxc/meta/main.yml b/ansible_collections/debops/debops/roles/lxc/meta/main.yml
new file mode 100644
index 00000000..9f425235
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Configure and manage LXC'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - container
+    - lxc
+    - virtualization
diff --git a/ansible_collections/debops/debops/roles/lxc/tasks/lxc/post_main.yml b/ansible_collections/debops/debops/roles/lxc/tasks/lxc/post_main.yml
new file mode 100644
index 00000000..cdb86f9c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/tasks/lxc/post_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/lxc/tasks/lxc/pre_main.yml b/ansible_collections/debops/debops/roles/lxc/tasks/lxc/pre_main.yml
new file mode 100644
index 00000000..cdb86f9c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/tasks/lxc/pre_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/lxc/tasks/main.yml b/ansible_collections/debops/debops/roles/lxc/tasks/main.yml
new file mode 100644
index 00000000..66714efd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/tasks/main.yml
@@ -0,0 +1,455 @@
+---
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'lxc/pre_main.yml') }}"
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (lxc__base_packages
+                              + lxc__packages)) }}'
+    state: 'present'
+  register: lxc__register_packages
+  until: lxc__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save LXC local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/lxc.fact.j2'
+    dest: '/etc/ansible/facts.d/lxc.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop:
+    - '/etc/systemd/system/lxc.service.d'
+    - '/etc/systemd/system/lxc@.service.d'
+    - '/usr/local/lib/lxc'
+
+- name: Install custom LXC hooks
+  ansible.builtin.copy:
+    src: 'usr/local/lib/lxc/'
+    dest: '/usr/local/lib/lxc/'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Install custom LXC helper scripts
+  ansible.builtin.copy:
+    src: 'usr/local/bin/'
+    dest: '/usr/local/bin/'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Remove systemd service overrides
+  ansible.builtin.file:
+    path: '{{ item.name | d(item) }}'
+    state: 'absent'
+  loop:
+    - name: '/etc/systemd/system/lxc@.service.d/poweroff.conf'
+      state: '{{ "present"
+                 if (lxc__version is version("2.1.0", "<"))
+                 else "absent" }}'
+  register: lxc__register_systemd_overrides_remove
+  when: item.state | d('present') == 'absent'
+
+- name: Install systemd service overrides
+  ansible.builtin.template:
+    src: '{{ item.name | d(item) }}.j2'
+    dest: '/{{ item.name | d(item) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'etc/systemd/system/lxc.service.d/exec-override.conf'
+    - 'etc/systemd/system/lxc@.service.d/partof.conf'
+    - name: 'etc/systemd/system/lxc@.service.d/poweroff.conf'
+      state: '{{ "present"
+                 if (lxc__version is version("2.1.0", "<"))
+                 else "absent" }}'
+  register: lxc__register_systemd_overrides_create
+  when: item.state | d('present') != 'absent'
+
+- name: Disable internal network when requested
+  ansible.builtin.systemd:
+    name: 'lxc-net.service'
+    state: 'stopped'
+  when: (lxc__net_deploy_state == 'absent' and
+         ansible_service_mgr == 'systemd')
+  tags: [ 'role::lxc:net' ]
+
+- name: Remove lxc-net support files
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop:
+    - '{{ lxc__net_dnsmasq_conf }}'
+    - '/etc/systemd/system/lxc-net.service.d'
+    - '/etc/ferm/hooks/post.d/restart-lxc-net'
+  register: lxc__register_net_remove
+  when: lxc__net_deploy_state == 'absent'
+  tags: [ 'role::lxc:net' ]
+
+- name: Generate lxc-net configuration file
+  ansible.builtin.template:
+    src: 'etc/default/lxc-net.j2'
+    dest: '/etc/default/lxc-net'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: lxc__register_net_config
+  tags: [ 'role::lxc:net' ]
+
+- name: Generate lxc-net dnsmasq config file
+  ansible.builtin.template:
+    src: 'etc/lxc/lxc-net-dnsmasq.conf.j2'
+    dest: '{{ lxc__net_dnsmasq_conf }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: lxc__register_net_dnsmasq
+  when: lxc__net_deploy_state == 'present'
+  tags: [ 'role::lxc:net', 'role::lxc:dnsmasq' ]
+
+- name: Install lxc-net ferm hook
+  ansible.builtin.template:
+    src: 'etc/ferm/hooks/post.d/restart-lxc-net.j2'
+    dest: '/etc/ferm/hooks/post.d/restart-lxc-net'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (lxc__net_deploy_state == 'present' and
+         ansible_local | d() and ansible_local.ferm | d() and
+         (ansible_local.ferm.enabled | d()) | bool)
+  tags: [ 'role::lxc:net' ]
+
+- name: Create lxc-net service override directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/lxc-net.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: lxc__net_deploy_state == 'present'
+  tags: [ 'role::lxc:net' ]
+
+- name: Hook lxc-net-resolvconf script to the lxc-net service
+  ansible.builtin.template:
+    src: 'etc/systemd/system/lxc-net.service.d/resolvconf.conf.j2'
+    dest: '/etc/systemd/system/lxc-net.service.d/resolvconf.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: lxc__register_net_systemd
+  when: lxc__net_deploy_state == 'present' and lxc__net_resolver == "resolvconf"
+  tags: [ 'role::lxc:net' ]
+
+- name: Hook lxc-net-systemd-resolved script to the lxc-net service
+  ansible.builtin.template:
+    src: 'etc/systemd/system/lxc-net.service.d/systemd-resolved.conf.j2'
+    dest: '/etc/systemd/system/lxc-net.service.d/systemd-resolved.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: lxc__register_net_systemd
+  when: lxc__net_deploy_state == 'present' and lxc__net_resolver == "systemd-resolved"
+  tags: [ 'role::lxc:net' ]
+
+- name: Reconfigure systemd services when modified
+  ansible.builtin.systemd:  # noqa no-handler
+    name: '{{ "lxc-net.service" if (lxc__net_deploy_state == "present") else omit }}'
+    state: '{{ "restarted" if (lxc__net_deploy_state == "present") else omit }}'
+    daemon_reload: True
+  when: (ansible_service_mgr == 'systemd' and
+         (lxc__register_net_remove | d({}) is changed or
+          lxc__register_net_config | d({}) is changed or
+          lxc__register_net_dnsmasq | d({}) is changed or
+          lxc__register_net_systemd | d({}) is changed or
+          lxc__register_systemd_overrides_create | d({}) is changed or
+          lxc__register_systemd_overrides_remove | d({}) is changed))
+  tags: [ 'role::lxc:net', 'role::lxc:dnsmasq' ]
+
+- name: Remove default SSH keys for root in containers if none are defined
+  ansible.builtin.file:
+    path: '/etc/lxc/root_authorized_keys'
+    state: 'absent'
+  when: not lxc__default_container_ssh_root_sshkeys | d()
+
+- name: Define default SSH keys for root account in containers
+  ansible.posix.authorized_key:
+    key: "{{ lxc__default_container_ssh_root_sshkeys | join('\n') }}"
+    path: '/etc/lxc/root_authorized_keys'
+    manage_dir: False
+    user: 'root'
+    state: 'present'
+    exclusive: True
+  when: lxc__default_container_ssh_root_sshkeys | d()
+
+- name: Remove LXC configuration if requested
+  ansible.builtin.file:
+    path: '/etc/lxc/{{ item.filename | d(item.name + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ lxc__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate LXC configuration
+  ansible.builtin.template:
+    src: 'etc/lxc/template.conf.j2'
+    dest: '/etc/lxc/{{ item.filename | d(item.name + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ lxc__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Remove common LXC container configuration if requested
+  ansible.builtin.file:
+    path: '/usr/share/lxc/config/common.conf.d/{{ item.filename | d(item.name + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ lxc__common_combined_conf | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate common LXC container configuration
+  ansible.builtin.template:
+    src: 'etc/lxc/template.conf.j2'
+    dest: '/usr/share/lxc/config/common.conf.d/{{ item.filename | d(item.name + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ lxc__common_combined_conf | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Stop LXC containers if requested
+  ansible.builtin.systemd:
+    name: 'lxc@{{ item.name | d(item) }}.service'
+    state: 'stopped'
+    enabled: '{{ True if item.state | d("started") == "stopped" else False }}'
+  loop: '{{ lxc__containers }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) in ansible_local.lxc.containers | d() and
+        item.state | d("started") in ["stopped", "absent"]
+  tags: [ 'role::lxc:containers' ]
+
+- name: Destroy LXC containers if requested
+  community.general.lxc_container:
+    name:  '{{ item.name | d(item) }}'
+    state: 'absent'
+  loop: '{{ lxc__containers }}'
+  tags: [ 'role::lxc:containers' ]
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "absent"
+
+- name: Remove systemd LXC instance configuration if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/system/lxc@{{ item.name }}.service.d'
+    state: 'absent'
+  loop: '{{ lxc__containers }}'
+  register: lxc__register_systemd_remove_override
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "absent" and item.systemd_override | d()
+  tags: [ 'role::lxc:containers' ]
+
+- name: Create systemd override directories for LXC instances
+  ansible.builtin.file:
+    path: '/etc/systemd/system/lxc@{{ item.name }}.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ lxc__containers }}'
+  when: item.state | d("started") != "absent" and item.systemd_override | d()
+  tags: [ 'role::lxc:containers' ]
+
+- name: Generate systemd LXC instance override files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/lxc@.service.d/ansible-override.conf.j2'
+    dest: '/etc/systemd/system/lxc@{{ item.name }}.service.d/ansible-override.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ lxc__containers }}'
+  register: lxc__register_systemd_create_override
+  when: item.state | d("started") != "absent" and item.systemd_override | d()
+  tags: [ 'role::lxc:containers' ]
+
+- name: Reload systemd configuration when needed
+  ansible.builtin.systemd:  # noqa no-handler
+    daemon_reload: True
+  when: ansible_service_mgr == 'systemd' and
+        lxc__register_systemd_create_override is changed or
+        lxc__register_systemd_remove_override is changed
+  tags: [ 'role::lxc:containers' ]
+
+- name: Manage LXC containers
+  community.general.lxc_container:
+    name:                '{{ item.name | d(item) }}'
+    archive:             '{{ item.archive | d(omit) }}'
+    archive_compression: '{{ item.archive_compression | d(omit) }}'
+    archive_path:        '{{ item.archive_path | d(omit) }}'
+    backing_store:       '{{ item.backing_store | d(lxc__default_container_backing_store) }}'
+    clone_name:          '{{ item.clone_name | d(omit) }}'
+    clone_snapshot:      '{{ item.clone_snapshot | d(omit) }}'
+    config:              '{{ item.config | d(lxc__default_container_config) }}'
+    container_command:   '{{ item.container_command | d(omit) }}'
+    container_config:    '{{ item.container_config | d(omit) }}'
+    container_log:       '{{ item.container_log | d(omit) }}'
+    container_log_level: '{{ item.container_log_level | d(omit) }}'
+    directory:           '{{ item.directory | d(omit) }}'
+    fs_size:             '{{ item.fs_size | d(omit) }}'
+    fs_type:             '{{ item.fs_type | d(omit) }}'
+    lv_name:             '{{ item.lv_name | d(omit) }}'
+    lxc_path:            '{{ item.lxc_path | d(omit) }}'
+    state:               '{{ item.state | d("started"
+                                            if (ansible_local | d() and ansible_local.lxc | d() and
+                                                (item.name | d(item))
+                                                in ansible_local.lxc.containers | d())
+                                            else "stopped") }}'
+    template:            '{{ item.template | d(lxc__default_container_template) }}'
+    template_options:    '{{ item.template_options | d((lxc__var_template_options | join(" "))
+                                                       if ((item.template
+                                                            | d(lxc__default_container_template)) == "download")
+                                                       else omit) }}'
+    thinpool:            '{{ item.thinpool | d(omit) }}'
+    vg_name:             '{{ item.vg_name | d(omit) }}'
+    zfs_root:            '{{ item.zfs_root | d(omit) }}'
+  environment:
+    DOWNLOAD_KEYSERVER: '{{ ansible_local.keyring.keyserver | d("hkp://keyserver.ubuntu.com") }}'
+  vars:
+    lxc__var_template_options:
+      - '--dist {{ (item.distribution | d(lxc__default_container_distribution)) | lower }}'
+      - '--release {{ (item.release | d(lxc__default_container_release)) | lower }}'
+      - '--arch {{ (item.architecture | d(lxc__default_container_architecture)) | lower }}'
+  loop: '{{ lxc__containers }}'
+  tags: [ 'role::lxc:containers' ]
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") != "absent"
+
+- name: Configure static MAC addresses for new LXC containers
+  ansible.builtin.command: lxc-hwaddr-static {{ item.name | d(item) }}
+  loop: '{{ lxc__containers }}'
+  register: lxc__register_hwaddr_static
+  changed_when: lxc__register_hwaddr_static.changed | bool
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "started"
+  tags: [ 'role::lxc:containers' ]
+
+- name: Include fstab parameter in LXC container configuration for lxc<4.0
+  ansible.builtin.lineinfile:
+    path: '/var/lib/lxc/{{ item.name | d(item) }}/config'
+    regexp: '^lxc\.mount\s+=\s+'
+    line: 'lxc.mount = /var/lib/lxc/{{ item.name | d(item) }}/fstab'
+    insertafter: '^lxc\.rootfs\.backend\s+=\s+'
+    state: 'present'
+    mode: '0644'
+  loop: '{{ lxc__containers }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "started" and item.fstab | d() and
+        lxc__version is version("4.0", operator="lt", strict=True)
+  tags: [ 'role::lxc:containers' ]
+
+- name: Include fstab parameter in LXC container configuration for lxc>=4.0
+  ansible.builtin.lineinfile:
+    path: '/var/lib/lxc/{{ item.name | d(item) }}/config'
+    regexp: '^lxc\.mount\.fstab\s+=\s+'
+    line: 'lxc.mount.fstab = /var/lib/lxc/{{ item.name | d(item) }}/fstab'
+    insertafter: '^lxc\.rootfs\.backend\s+=\s+'
+    state: 'present'
+    mode: '0644'
+  loop: '{{ lxc__containers }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "started" and item.fstab | d() and
+        lxc__version is version("4.0", operator=">=", strict=True)
+  tags: [ 'role::lxc:containers' ]
+
+- name: Create custom fstab files for LXC containers
+  ansible.builtin.copy:
+    content: |
+      # Filesystem table for the '{{ item.name | d(item) }}' LXC container
+      {{ item.fstab | regex_replace('\n$', '') }}
+    dest: '/var/lib/lxc/{{ item.name | d(item) }}/fstab'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ lxc__containers }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "started" and item.fstab | d()
+  tags: [ 'role::lxc:containers' ]
+
+- name: Start LXC containers after creation
+  ansible.builtin.systemd:
+    name: 'lxc@{{ item.name | d(item) }}.service'
+    state: '{{ "restarted" if (item.state is defined) else "started" }}'
+    enabled: '{{ True if item.state | d("started") == "started" else False }}'
+  loop: '{{ lxc__containers }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        item.state | d("started") == "started"
+  tags: [ 'role::lxc:containers' ]
+
+- name: Restart LXC containers when modified
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'lxc@{{ item.0.name | d(item.0) }}.service'
+    state: 'restarted'
+  loop: '{{ lxc__containers | zip(lxc__register_systemd_create_override.results | d([])) | list }}'
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.0.name | d(item.0)) in ansible_local.lxc.containers | d() and
+        item.0.state | d('started') == 'started' and item.1 is changed
+  tags: [ 'role::lxc:containers' ]
+
+- name: Prepare SSH access in LXC containers
+  ansible.builtin.shell: |
+    if lxc-attach -n "{{ item.name | d(item) }}" -- grep -q '127.0.1.1' /etc/hosts ; then
+        lxc-attach -n "{{ item.name | d(item) }}" -- sed -i "/127\.0\.1\.1/d" /etc/hosts > /dev/null
+    fi
+    until lxc-prepare-ssh {{ item.name | d(item) }} ; do
+       ((c++)) && ((c==4)) && break
+       printf "Waiting for network connection inside container to settle...\n" ; sleep 5
+    done
+  loop: '{{ lxc__containers }}'
+  register: lxc__register_prepare_ssh
+  changed_when: lxc__register_prepare_ssh.changed | bool
+  when: ansible_local | d() and ansible_local.lxc | d() and
+        (item.name | d(item)) not in ansible_local.lxc.containers | d() and
+        (item.ssh | d(lxc__default_container_ssh)) | bool and item.state | d("started") == "started"
+  tags: [ 'role::lxc:containers' ]
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'lxc/post_main.yml') }}"
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/ansible/facts.d/lxc.fact.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/ansible/facts.d/lxc.fact.j2
new file mode 100644
index 00000000..236fe943
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/ansible/facts.d/lxc.fact.j2
@@ -0,0 +1,55 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import lxc
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+lxc_net_conf = '/etc/default/lxc-net'
+
+output = {'installed': cmd_exists('/usr/bin/lxc-create'),
+          'containers': list(lxc.list_containers()),
+          'version': lxc.version}
+
+if os.path.exists(lxc_net_conf) and os.path.isfile(lxc_net_conf):
+    try:
+        with open(lxc_net_conf, 'r') as f:
+
+            lxc_net_vars = {}
+
+            for line in f:
+                if not line.startswith('#') and '=' in line:
+                    line = line.strip().split('=')
+                    lxc_net_vars.update({line[0].lower():
+                                         line[1].strip('"')})
+
+            output['net_enabled'] = False
+            if lxc_net_vars['use_lxc_bridge'] == 'true':
+                output['net_enabled'] = True
+
+            if output['net_enabled']:
+                output['net_bridge'] = lxc_net_vars['lxc_bridge']
+                output['net_address'] = lxc_net_vars['lxc_addr']
+                output['net_subnet'] = lxc_net_vars['lxc_network']
+                output['net_domain'] = lxc_net_vars['lxc_domain']
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/default/lxc-net.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/default/lxc-net.j2
new file mode 100644
index 00000000..d2748b4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/default/lxc-net.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2014-2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration for the 'lxc-net' service,
+# based on https://wiki.debian.org/LXC/SimpleBridge,
+# generated by the 'debops.lxc' Ansible role.
+
+USE_LXC_BRIDGE="{{ 'true' if (lxc__net_deploy_state == 'present') else 'false' }}"
+{% if (lxc__net_deploy_state == 'present') %}
+LXC_BRIDGE="{{ lxc__net_bridge }}"
+LXC_ADDR="{{ lxc__net_address | ansible.utils.ipaddr('address') }}"
+LXC_NETMASK="{{ lxc__net_address | ansible.utils.ipaddr('netmask') }}"
+LXC_NETWORK="{{ lxc__net_address | ansible.utils.ipaddr('subnet') }}"
+LXC_DHCP_RANGE="{{ lxc__net_address | ansible.utils.ipaddr(lxc__net_dhcp_start | int) | ansible.utils.ipaddr('address') + ',' + lxc__net_address | ansible.utils.ipaddr(lxc__net_dhcp_end | int) | ansible.utils.ipaddr('address') }}"
+LXC_DHCP_MAX="{{ (lxc__net_address | ansible.utils.ipaddr('size')) | int - ((lxc__net_dhcp_start | int|abs) + (lxc__net_dhcp_end | int|abs)) }}"
+LXC_DHCP_CONFILE="{{ lxc__net_dnsmasq_conf }}"
+LXC_DOMAIN="{{ lxc__net_domain }}"
+LXC_USE_NFT="{{ lxc__net_use_nft }}"
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/ferm/hooks/post.d/restart-lxc-net.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/ferm/hooks/post.d/restart-lxc-net.j2
new file mode 100644
index 00000000..0f9679ac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/ferm/hooks/post.d/restart-lxc-net.j2
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# After ferm is restarted, lxc-net needs to be restarted so that it adds its
+# own iptables rules where needed
+
+set -o nounset -o pipefail -o errexit
+
+# Check if we are running under systemd
+if pidof systemd > /dev/null 2>&1 ; then
+
+    if [ "$(systemctl is-active lxc-net.service)" == "active" ] ; then
+        logger -t "ferm-post-hook" "Restarting lxc-net via ferm post hook..."
+        systemctl restart lxc-net.service
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/lxc-net-dnsmasq.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/lxc-net-dnsmasq.conf.j2
new file mode 100644
index 00000000..b45f241b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/lxc-net-dnsmasq.conf.j2
@@ -0,0 +1,34 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Additional configuration for the 'dnsmasq' daemon managed by the 'lxc-net'
+# service. For basic network options, see '/etc/default/lxc-net' config file.
+
+# Detect DNS loops
+dns-loop-detect
+
+# Mark the LXC domain as local and generate PTR resource records automatically
+domain = {{ lxc__net_domain + ',' + (lxc__net_address | ansible.utils.ipaddr('subnet')) + (',local' if (lxc__net_address | ansible.utils.ipaddr('prefix') in [ 8, 16, 24 ]) else '') }}
+
+# Set the FQDN name of the bridge interface in the DNS
+interface-name = {{ lxc__net_fqdn }},{{ lxc__net_bridge }}
+{% if (lxc__net_domain.split('.') | length >= 3 and lxc__net_domain.split('.')[1:] | length >= 2) %}
+
+# Include the parent domain as searchable via resolvconf
+dhcp-option = tag:{{ lxc__net_bridge }},option:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
+dhcp-option = tag:{{ lxc__net_bridge }},option6:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
+{% endif %}
+{% if not lxc__net_router | bool %}
+
+# Disable default route advertisement via the {{ lxc__net_bridge }} interface
+dhcp-option = tag:{{ lxc__net_bridge }},option:router
+{% endif %}
+{% if lxc__net_dnsmasq_options | d() %}
+
+# Additional dnsmasq options
+{{ lxc__net_dnsmasq_options | regex_replace('\n$','') }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/template.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/template.conf.j2
new file mode 100644
index 00000000..50307b84
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/lxc/template.conf.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%       if element.comment | d() %}
+{%         if not loop.first %}
+
+{%         endif %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{{ '{} = {}'.format(('\n' if (element.separator | d()) | bool else '') + ('#' if (element.state == 'comment') else '') + element.alias | d(element.name), (element.value if (element.value is string) else (element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ')))) }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/resolvconf.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/resolvconf.conf.j2
new file mode 100644
index 00000000..05c6074c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/resolvconf.conf.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Automatically add/remove internal LXC domain in /etc/resolv.conf using
+# 'resolvconf' service
+
+[Unit]
+
+# By default 'lxc-net.service' on Debian depends on network-online.target,
+# which doesn't work correctly (see: https://unix.stackexchange.com/questions/209832/).
+#
+# Add a dependency on 'network.target' so that lxc-net at least is configured
+# after ferm.service and sets up its networking as expected.
+After=network.target
+
+[Service]
+
+# Automatically add / remove LXC subdomain in /etc/resolv.conf. With usable
+# local DNS resolver this allows to access the LXC containers from the LXC host
+# via their names instead of their IP addresses.
+ExecStart=/usr/local/lib/lxc/lxc-net-resolvconf start
+ExecStop=/usr/local/lib/lxc/lxc-net-resolvconf stop
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/systemd-resolved.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/systemd-resolved.conf.j2
new file mode 100644
index 00000000..eedab23c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc-net.service.d/systemd-resolved.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Automatically add/remove internal LXC domain in system resolver using
+# 'systemd-resolved' service
+
+[Unit]
+
+# By default 'lxc-net.service' on Debian depends on network-online.target,
+# which doesn't work correctly (see: https://unix.stackexchange.com/questions/209832/).
+#
+# Add a dependency on 'network.target' so that lxc-net at least is configured
+# after ferm.service and sets up its networking as expected.
+After=network.target
+
+[Service]
+
+# Automatically add / remove LXC subdomain in systemd-resolved. With usable
+# local DNS resolver this allows to access the LXC containers from the LXC host
+# via their names instead of their IP addresses.
+ExecStart=/usr/local/lib/lxc/lxc-net-systemd-resolved start
+ExecStop=/usr/local/lib/lxc/lxc-net-systemd-resolved stop
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc.service.d/exec-override.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc.service.d/exec-override.conf.j2
new file mode 100644
index 00000000..706a9918
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc.service.d/exec-override.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Override the default ExecStart and ExecStop commands in the main
+# 'lxc.service' unit to prevent accidental launch of LXC containers
+# not supervised by systemd
+
+[Service]
+ExecStart=
+ExecStart=/bin/true
+
+ExecStop=
+ExecStop=/bin/true
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/ansible-override.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/ansible-override.conf.j2
new file mode 100644
index 00000000..76bab769
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/ansible-override.conf.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ item.systemd_override | regex_replace('$\n', '') }}
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/partof.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/partof.conf.j2
new file mode 100644
index 00000000..917c0195
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/partof.conf.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# These parameters allow restarts of all LXC containers at once by issuing the
+# command: systemctl restart lxc.service
+
+[Unit]
+ConditionPathExists=/var/lib/lxc/%i/config
+PartOf=lxc.service
+ReloadPropagatedFrom=lxc.service
diff --git a/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/poweroff.conf.j2 b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/poweroff.conf.j2
new file mode 100644
index 00000000..563e90b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxc/templates/etc/systemd/system/lxc@.service.d/poweroff.conf.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2014-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# The Debian Stretch LXC containers use 'systemd' as the init and service
+# manager. Unfortunately, this causes issues during container poweroff, when
+# initiated from the LXC host itself. This modification causes the container
+# poweroff to be initiated from the inside of the container, where its systemd
+# instance can correctly shut down its own container.
+#
+# References:
+# https://bugs.debian.org/831691
+# https://lists.linuxcontainers.org/pipermail/lxc-users/2017-February/012827.html
+# https://github.com/lxc/lxc/issues/1085
+# https://github.com/lxc/lxd/issues/2947
+# https://forum.turris.cz/t/lxc-stop-n-container-takes-too-long/6358
+
+[Service]
+ExecStop=
+ExecStop=/bin/sh -ec '\
+  if /usr/bin/lxc-ls | grep %i > /dev/null ; then \
+    /usr/bin/lxc-attach -n %i -- /bin/systemctl --no-block poweroff ; \
+  fi'
diff --git a/ansible_collections/debops/debops/roles/lxd/COPYRIGHT b/ansible_collections/debops/debops/roles/lxd/COPYRIGHT
new file mode 100644
index 00000000..6f26d219
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.lxd - Configure and manage LXD service using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/lxd/defaults/main.yml b/ansible_collections/debops/debops/roles/lxd/defaults/main.yml
new file mode 100644
index 00000000..bb3d91af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/defaults/main.yml
@@ -0,0 +1,302 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _lxd__ref_defaults:
+
+# debops.lxd default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation and packages [[[
+# -----------------------------
+
+# .. envvar:: lxd__upstream_enabled [[[
+#
+# Enable or disable installation of LXD from upstream :command:`git`
+# repository. LXD currently is not packaged in Debian, therefore installation
+# from source will be performed on Debian hosts. On Ubuntu hosts the role will
+# install the distribution APT packages.
+lxd__upstream_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: lxd__upstream_type [[[
+#
+# Specify the upstream installation type to use. Currently only ``apt`` (on
+# Ubuntu) and ``git`` (elsewhere) are a valid option.
+lxd__upstream_type: '{{ "apt"
+                        if (ansible_distribution == "Ubuntu")
+                        else "git" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxd__upstream_gpg_key [[[
+#
+# The GPG key used to sign LXD release tags in the repository, required for
+# signature verification.
+lxd__upstream_gpg_key:
+  - '602F 5676 63E5 93BC BD14  F338 C638 974D 6479 2D67'
+  - '5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23'
+
+                                                                   # ]]]
+# .. envvar:: lxd__upstream_git_repository [[[
+#
+# The URL of the :command:`git` repository with LXD source code.
+lxd__upstream_git_repository: 'https://github.com/lxc/lxd'
+
+                                                                   # ]]]
+# .. envvar:: lxd__upstream_git_release [[[
+#
+# The :command:`git` release tag to install. At the moment the LTS release of
+# LXD does not correctly compile on Debian, so more recent release is used
+# instead. This will change on the next working LTS release.
+lxd__upstream_git_release: 'stable-4.0'
+
+                                                                   # ]]]
+# .. envvar:: lxd__golang_gosrc [[[
+#
+# Directory with compiled source code of additional libraries required by LXD.
+# They will be installed to the :file:`/usr/local/lib/` directory by the role.
+lxd__golang_gosrc: '{{ ansible_local.golang.gosrc | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: lxd__binary [[[
+#
+# Absolute path to the :command:`lxd` binary installed by the
+# :ref:`debops.golang` Ansible role. The path is used in various
+# :command:`systemd` unit files.
+lxd__binary: '{{ ansible_local.golang.binaries["lxd"]
+                 if (ansible_local.golang.binaries.lxd | d())
+                 else "/usr/bin/lxd" }}'
+
+                                                                   # ]]]
+# .. envvar:: lxd__base_packages [[[
+#
+# List of APT packages required by the LXD service.
+lxd__base_packages: [ 'dnsmasq-base', 'lxcfs', 'squashfs-tools' ]
+
+                                                                   # ]]]
+# .. envvar:: lxd__packages [[[
+#
+# List of additional APT packages to install with LXD.
+lxd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# POSIX environment [[[
+# ---------------------
+
+# .. envvar:: lxd__group [[[
+#
+# The POSIX system group which grants full access to the LXD service.
+lxd__group: 'lxd'
+
+                                                                   # ]]]
+# .. envvar:: lxd__admin_accounts [[[
+#
+# List of POSIX accounts which will be granted full access to the LXD service
+# by adding them to the LXD system group.
+lxd__admin_accounts: '{{ ansible_local.core.admin_users | d([]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LXD configuration preseeding [[[
+# --------------------------------
+
+# These variables define the initial "preseed" YAML configuration which will be
+# applied to the LXD service on first installation or on request.
+# See :ref:`lxd__ref_preseed` for more details.
+
+# .. envvar:: lxd__default_preseed [[[
+#
+# List of the default preseed configuration entries defined by the role.
+lxd__default_preseed:
+
+  - name: 'server-default'
+    seed:
+      config: {}
+
+  - name: 'network-default'
+    seed:
+      networks:
+        - name: 'lxdbr0'
+          config:
+            ipv4.address: 'auto'
+            ipv6.address: 'auto'
+          description: ''
+          type: ''
+
+  - name: 'storage-default'
+    seed:
+      storage_pools:
+        - name: 'default'
+          config: {}
+          description: ''
+          driver: 'dir'
+
+  - name: 'profile-default'
+    seed:
+      profiles:
+        - name: 'default'
+          config: {}
+          description: ''
+          devices:
+            eth0:
+              name: 'eth0'
+              nictype: 'bridged'
+              parent: 'lxdbr0'
+              type: 'nic'
+            root:
+              path: '/'
+              pool: 'default'
+              type: 'disk'
+
+  - name: 'cluster-default'
+    seed:
+      cluster: null
+
+                                                                   # ]]]
+# .. envvar:: lxd__preseed [[[
+#
+# List of the preseed configuration entries defined on all hosts in the Ansible
+# inventory.
+lxd__preseed: []
+
+                                                                   # ]]]
+# .. envvar:: lxd__group_preseed [[[
+#
+# List of the preseed configuration entries defined on hosts in a specific
+# Ansible inventory group.
+lxd__group_preseed: []
+
+                                                                   # ]]]
+# .. envvar:: lxd__host_preseed [[[
+#
+# List of the preseed configuration entries defined on specific hosts in the
+# Ansible inventory.
+lxd__host_preseed: []
+
+                                                                   # ]]]
+# .. envvar:: lxd__combined_preseed [[[
+#
+# Variable which combines all of the preseed confituration lists and is used in
+# role tasks and templates.
+lxd__combined_preseed: '{{ lxd__default_preseed
+                           + lxd__preseed
+                           + lxd__group_preseed
+                           + lxd__host_preseed }}'
+
+                                                                   # ]]]
+# .. envvar:: lxd__init_preseed [[[
+#
+# Variable which controls when the preseed configuration should be applied to
+# the LXD service. It can be set via the ``--extra-vars`` Ansible argument to
+# re-apply the preseed configuration on existing installations.
+lxd__init_preseed: '{{ False
+                       if (ansible_local | d() and ansible_local.lxd | d() and
+                           (ansible_local.lxd.installed | d()) | bool)
+                       else True }}'
+
+                                                                   # ]]]
+# .. envvar:: lxd__preseed_data [[[
+#
+# Variable which holds the YAML configuration data passed to the
+# :command:`lxd init --preseed` command via stdin.
+lxd__preseed_data: '{{ lookup("template", "lookup/lxd__preseed_data.j2") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: lxd__golang__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.golang` Ansible role.
+lxd__golang__dependent_packages:
+
+  - name: 'lxd'
+    state: '{{ "present" if lxd__upstream_enabled | bool else "absent" }}'
+    upstream_type: '{{ lxd__upstream_type }}'
+    apt_packages: [ 'lxd', 'lxd-client' ]
+    apt_dev_packages: [ 'autoconf', 'automake', 'tcl', 'libacl1-dev', 'libcap-dev',
+                        'liblxc1', 'lxc-dev', 'libtool', 'libuv1-dev', 'make',
+                        'pkg-config', 'libapparmor-dev', 'libseccomp-dev',
+                        'libcap-dev', 'libudev-dev', 'libsqlite3-dev',
+                        'liblz4-dev' ]
+    gpg: '{{ lxd__upstream_gpg_key }}'
+    git:
+      - repo: '{{ lxd__upstream_git_repository }}'
+        version: '{{ lxd__upstream_git_release }}'
+        depth: 50
+        build_script: |
+          export GOPATH="${HOME}/go"
+          make deps
+          export CGO_CFLAGS="-I${HOME}/go/deps/sqlite/ -I${HOME}/go/deps/libco/ -I${HOME}/go/deps/raft/include/ -I${HOME}/go/deps/dqlite/include/"
+          export CGO_LDFLAGS="-L${HOME}/go/deps/sqlite/.libs/ -L${HOME}/go/deps/libco/ -L${HOME}/go/deps/raft/.libs -L${HOME}/go/deps/dqlite/.libs/"
+          export LD_LIBRARY_PATH="${HOME}/go/deps/sqlite/.libs/:${HOME}/go/deps/libco/:${HOME}/go/deps/raft/.libs/:${HOME}/go/deps/dqlite/.libs/"
+          export CGO_LDFLAGS_ALLOW="(-Wl,-wrap,pthread_create)|(-Wl,-z,now)"
+          make
+    git_binaries:
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxd" }}'
+        dest: 'lxd'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxd-agent" }}'
+        dest: 'lxd-agent'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxd-benchmark" }}'
+        dest: 'lxd-benchmark'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxd-p2c" }}'
+        dest: 'lxd-p2c'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxc" }}'
+        dest: 'lxc'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/lxc-to-lxd" }}'
+        dest: 'lxc-to-lxd'
+
+      - src: '{{ lxd__upstream_git_repository.split("://")[1] + "/../../../../bin/fuidshift" }}'
+        dest: 'fuidshift'
+
+                                                                   # ]]]
+# .. envvar:: lxd__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+lxd__logrotate__dependent_config:
+
+  - filename: 'lxd'
+    divert: '{{ False if lxd__upstream_enabled | bool else True }}'
+    log: '/var/log/lxd/lxd.log'
+    options: |
+      copytruncate
+      daily
+      rotate 7
+      delaycompress
+      compress
+      notifempty
+      missingok
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: lxd__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+lxd__sysctl__dependent_parameters:
+
+  - name: 'lxd-inotify'
+    divert: '{{ False if lxd__upstream_enabled | bool else True }}'
+    weight: '10'
+    options:
+
+      - name: 'fs.inotify.max_user_instances'
+        comment: |
+          Increase the user inotify instance limit to allow for about
+          100 containers to run before the limit is hit again
+        value: 1024
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/lxd/meta/main.yml b/ansible_collections/debops/debops/roles/lxd/meta/main.yml
new file mode 100644
index 00000000..5a37404f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure and manage LXD service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.8.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - container
+    - lxc
+    - lxd
+    - virtualization
diff --git a/ansible_collections/debops/debops/roles/lxd/meta/watch-lxd b/ansible_collections/debops/debops/roles/lxd/meta/watch-lxd
new file mode 100644
index 00000000..372ed486
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/meta/watch-lxd
@@ -0,0 +1,10 @@
+# Copyright (C) 2019-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: lxd
+# Package: lxd
+# Version: stable-4.0
+
+version=3
+https://github.com/lxc/lxd/tags .*/lxd-?(\d\S*)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/lxd/tasks/main.yml b/ansible_collections/debops/debops/roles/lxd/tasks/main.yml
new file mode 100644
index 00000000..519ba64c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/tasks/main.yml
@@ -0,0 +1,116 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if custom libraries exist
+  ansible.builtin.stat:
+    path: '{{ lxd__golang_gosrc + "/../deps/raft/.libs" }}'
+  register: lxd__register_libraries
+
+# The custom libraries were built during LXD installation via the
+# 'debops.golang' role and need to be installed system-wide for the lxc/lxd
+# binaries to work correctly.
+- name: Copy custom dependent libraries to system directory
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    mkdir -p /usr/local/lib/x86_64-linux-gnu &&
+    cp -Pf ../deps/raft/.libs/libraft.so* \
+           ../deps/dqlite/.libs/libdqlite.so* \
+           /usr/local/lib/x86_64-linux-gnu &&
+    ldconfig
+  args:
+    chdir: '{{ lxd__golang_gosrc }}'
+    creates: '/usr/local/lib/x86_64-linux-gnu/libraft.so.0'
+    executable: 'bash'
+  when: lxd__upstream_enabled | bool and lxd__upstream_type == 'git' and
+        lxd__register_libraries.stat.exists | bool
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (lxd__base_packages + lxd__packages) | flatten }}'
+    state: 'present'
+
+- name: Create required POSIX system group
+  ansible.builtin.group:
+    name: '{{ lxd__group }}'
+    state: 'present'
+    system: True
+
+- name: Add selected UNIX accounts to LXD system group
+  ansible.builtin.user:
+    name: '{{ item }}'
+    groups: '{{ lxd__group }}'
+    append: True
+  loop: '{{ lxd__admin_accounts }}'
+
+- name: Create the log directory
+  ansible.builtin.file:
+    state: 'directory'
+    path: '/var/log/lxd'
+    mode: '0700'
+
+- name: Check if lxc-apparmor-load binary exists
+  ansible.builtin.stat:
+    path: '/usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load'
+  register: lxd__register_apparmor_load
+
+  # Without this, lxd daemon in Debian Bookworm doesn't start correctly
+- name: Create lxc-apparmor-load symlink if needed
+  ansible.builtin.file:
+    path: '/usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load'
+    src: '/usr/libexec/lxc/lxc-apparmor-load'
+    state: 'link'
+  when: not lxd__register_apparmor_load.stat.exists | bool and
+        ansible_distribution_release in [ 'bookworm' ]
+
+- name: Generate systemd units
+  ansible.builtin.template:
+    src: 'etc/systemd/system/{{ item }}.j2'
+    dest: '/etc/systemd/system/{{ item }}'
+    mode: '0644'
+  loop: [ 'lxd.socket', 'lxd.service', 'lxd-containers.service', 'lxd-net.service' ]
+  register: lxd__register_systemd
+  when: lxd__upstream_enabled | bool and ansible_service_mgr == 'systemd'
+
+- name: Enable systemd units
+  ansible.builtin.systemd:  # noqa no-handler
+    daemon_reload: True
+    name: '{{ item }}'
+    state: 'started'
+    enabled: True
+  loop: [ 'lxd.socket', 'lxd-containers.service', 'lxd-net.service' ]
+  when: lxd__register_systemd is changed
+
+- name: Apply preseed configuration
+  ansible.builtin.command: lxd init --preseed
+  args:
+    stdin: '{{ lxd__preseed_data }}'
+  changed_when: False
+  when: lxd__init_preseed | bool
+  tags: [ 'role::lxd:init' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save LXD local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/lxd.fact.j2'
+    dest: '/etc/ansible/facts.d/lxd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/etc/ansible/facts.d/lxd.fact.j2 b/ansible_collections/debops/debops/roles/lxd/templates/etc/ansible/facts.d/lxd.fact.j2
new file mode 100644
index 00000000..ed79fd21
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/etc/ansible/facts.d/lxd.fact.j2
@@ -0,0 +1,38 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('lxd')}
+
+try:
+    output['version'] = subprocess.check_output(
+            ["lxd", "version"]
+            ).decode('utf-8').strip()
+
+    output['networks'] = loads(
+            subprocess.check_output(["lxc", "network", "list",
+                                     "--format=json"]
+                                    ).decode('utf-8').strip())
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-containers.service.j2 b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-containers.service.j2
new file mode 100644
index 00000000..cfef3824
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-containers.service.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=LXD - container startup/shutdown
+Documentation=man:lxd(1)
+After=lxd.socket lxd.service
+Requires=lxd.socket
+
+[Service]
+Type=oneshot
+ExecStart={{ lxd__binary }} activateifneeded
+ExecStop={{ lxd__binary }} shutdown
+TimeoutStartSec=600s
+TimeoutStopSec=600s
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-net.service.j2 b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-net.service.j2
new file mode 100644
index 00000000..1b11b329
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd-net.service.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=LXD - systemd-resolved internal domain configuration
+After=lxd.socket lxd.service
+Requires=lxd.socket
+ConditionPathExists=/usr/local/lib/lxc/lxc-net-systemd-resolved
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/lib/lxc/lxc-net-systemd-resolved start
+ExecStop=/usr/local/lib/lxc/lxc-net-systemd-resolved stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.service.j2 b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.service.j2
new file mode 100644
index 00000000..604c437e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.service.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=LXD - main daemon
+After=network-online.target openvswitch-switch.service lxcfs.service lxd.socket
+Requires=network-online.target lxcfs.service lxd.socket
+Documentation=man:lxd(1)
+
+[Service]
+EnvironmentFile=-/etc/environment
+ExecStartPre=/usr/lib/x86_64-linux-gnu/lxc/lxc-apparmor-load
+ExecStart={{ lxd__binary }} --group {{ lxd__group }} --logfile=/var/log/lxd/lxd.log
+ExecStartPost={{ lxd__binary }} waitready --timeout=600
+KillMode=process
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+LimitNOFILE=1048576
+LimitNPROC=infinity
+TasksMax=infinity
+
+[Install]
+Also=lxd-containers.service lxd.socket
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.socket.j2 b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.socket.j2
new file mode 100644
index 00000000..afa7496e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/etc/systemd/system/lxd.socket.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=LXD - unix socket
+Documentation=man:lxd(1)
+After=network.target
+
+[Socket]
+ListenStream=/var/lib/lxd/unix.socket
+SocketUser=root
+SocketGroup={{ lxd__group }}
+SocketMode=0660
+Service=lxd.service
+
+[Install]
+WantedBy=sockets.target
diff --git a/ansible_collections/debops/debops/roles/lxd/templates/lookup/lxd__preseed_data.j2 b/ansible_collections/debops/debops/roles/lxd/templates/lookup/lxd__preseed_data.j2
new file mode 100644
index 00000000..08d91ba5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/lxd/templates/lookup/lxd__preseed_data.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set lxd__tpl_preseed = {} %}
+{% for element in lxd__combined_preseed | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.seed | d() %}
+{%     set combined_preseed = lxd__tpl_preseed | combine(element.seed, recursive=True) %}
+{%     set _ = lxd__tpl_preseed.update(combined_preseed) %}
+{%   endif %}
+{% endfor %}
+{{ lxd__tpl_preseed | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/machine/COPYRIGHT b/ansible_collections/debops/debops/roles/machine/COPYRIGHT
new file mode 100644
index 00000000..13d8fca7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.machine - Manage local machine information and MOTD
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/machine/defaults/main.yml b/ansible_collections/debops/debops/roles/machine/defaults/main.yml
new file mode 100644
index 00000000..4d3b72d5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/defaults/main.yml
@@ -0,0 +1,201 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _machine__ref_defaults:
+
+# debops.machine default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: machine__enabled [[[
+#
+# Enable or disable support for managing static machine information and MOTD.
+machine__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: machine__packages [[[
+#
+# List of APT packages to install with the ``debops.machine`` role enabled.
+machine__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Machine information [[[
+# -----------------------
+
+# These variables manage contents of the :file:`/etc/machine-info`
+# configuration file. See :manpage:`machine-info(5)` and
+# :manpage:`hostnamectl(1)` for more details.
+
+# .. envvar:: machine__organization [[[
+#
+# Human-readable name of the organization that's responsible for this machine.
+machine__organization: '{{ ansible_domain.split(".")[0] | capitalize }}'
+
+                                                                   # ]]]
+# .. envvar:: machine__contact [[[
+#
+# Human-readable contact information for this machine - e-mail, phone number or
+# an URL to a web page about a person or team responsible for this host.
+machine__contact: '{{ ansible_local.core.admin_public_email[0]
+                      | d("root@" + ansible_domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: machine__pretty_hostname [[[
+#
+# Human-readable hostname for this machine.
+machine__pretty_hostname: ''
+
+                                                                   # ]]]
+# .. envvar:: machine__icon_name [[[
+#
+# Name of the icon to use for this machine.
+machine__icon_name: ''
+
+                                                                   # ]]]
+# .. envvar:: machine__chassis [[[
+#
+# Specify the machine type to override the autodetected value. Currently
+# recognized chassis types: 'desktop', 'laptop', 'server', 'tablet', 'handset',
+# 'watch', 'vm', 'container'.
+machine__chassis: ''
+
+                                                                   # ]]]
+# .. envvar:: machine__deployment [[[
+#
+# Define the system deployment environment. Suggested values:
+# 'development', 'integration', 'staging', 'production'.
+machine__deployment: 'production'
+
+                                                                   # ]]]
+# .. envvar:: machine__location [[[
+#
+# Describe the physical location where a given system can be found, for example
+# a city, or a rack in which the machine is located.
+machine__location: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of the :file:`/etc/motd` file [[[
+# -----------------------------------------------
+
+# .. envvar:: machine__motd [[[
+#
+# String or YAML text block with the welcome message stored in the
+# :file:`/etc/motd` configuration file.
+machine__motd: ''
+
+                                                                   # ]]]
+# .. envvar:: machine__etc_motd_state [[[
+#
+# Specify the state of the :file:`/etc/motd` file, either ``present`` (the file
+# exists) or ``absent`` (the file will be removed).
+machine__etc_motd_state: '{{ "present" if machine__motd | d() else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: machine__motd_update_dir [[[
+#
+# Directory which contains scripts that generate the dynamic MOTD.
+machine__motd_update_dir: '/etc/update-motd.d'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of the :file:`/etc/issue` file [[[
+# ------------------------------------------------
+
+# .. envvar:: machine__etc_issue_state [[[
+#
+# This variable controls if the role should manage the :file:`/etc/issue`
+# configuration file. If ``present``, the role will divert the distribution file
+# and generate a custom one; if ``absent``, the role will revert the diverted
+# version and will not modify it.
+machine__etc_issue_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: machine__etc_issue_template [[[
+#
+# Path to the Jinja2 template used to generate the :file:`/etc/issue`
+# configuration file, relative to the :file:`templates/` directory of this role.
+machine__etc_issue_template: 'etc/issue.j2'
+                                                                   # ]]]
+                                                                   # ]]]
+# Dynamic Message Of The Day [[[
+# ------------------------------
+
+# These variables control the shell scripts that generate the dynamic MOTD.
+# See :ref:`machine__ref_motd_scripts` for more details.
+
+# .. envvar:: machine__motd_default_scripts [[[
+#
+# The list of the default MOTD scripts managed by the role.
+machine__motd_default_scripts:
+
+  # This file comes with the 'base-files' APT package on Debian
+  - name: 'uname'
+    filename: '10-uname'
+    divert: True
+    content: |
+      #!/bin/sh
+      uname -snrvm
+    state: 'init'
+
+  - name: 'ansible'
+    weight: 50
+    src: 'etc/update-motd.d/ansible'
+    state: 'present'
+
+  - name: 'tail'
+    weight: 90
+    content: |
+      #!/bin/sh
+      if [ -f /etc/motd.tail ] ; then
+          cat /etc/motd.tail
+      fi
+    state: 'present'
+
+  - name: 'fortune'
+    weight: 95
+    src: 'etc/update-motd.d/fortune'
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: machine__motd_scripts [[[
+#
+# The list of the MOTD scripts which should be present on all hosts in the
+# Ansible inventory.
+machine__motd_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: machine__motd_group_scripts [[[
+#
+# The list of the MOTD scripts which should be present on hosts in a specific
+# Ansible inventory group.
+machine__motd_group_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: machine__motd_host_scripts [[[
+#
+# The list of the MOTD scripts which should be present on specific hosts in the
+# Ansible inventory.
+machine__motd_host_scripts: []
+
+                                                                   # ]]]
+# .. envvar:: machine__motd_combined_scripts [[[
+#
+# The list which combines configuration of the MOTD scripts which is passed to
+# the Ansible tasks.
+machine__motd_combined_scripts: '{{ machine__motd_default_scripts
+                                    + machine__motd_scripts
+                                    + machine__motd_group_scripts
+                                    + machine__motd_host_scripts }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/ansible b/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/ansible
new file mode 100755
index 00000000..87b45cb5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/ansible
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# shellcheck disable=SC2034
+BLACK='\033[49;30m'
+BLACKB='\033[49;90m'
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+BLUE='\033[94;49m'
+MAGENTA='\033[0;35m'
+CYAN='\033[36;49m'
+WHITE='\033[0;37m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+if [ -d "/etc/ansible/facts.d" ] ; then
+    printf "${BLACKB}%70s${RESET}\\n" | tr ' ' -
+    # shellcheck disable=SC2059
+    printf "    ${CYAN}This system is managed by ${BOLD}Ansible${RESET}${CYAN}, manual changes will be lost${RESET}\\n"
+    printf "${BLACKB}%70s${RESET}\\n" | tr ' ' -
+fi
diff --git a/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/fortune b/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/fortune
new file mode 100755
index 00000000..b258b319
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/files/etc/update-motd.d/fortune
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# shellcheck disable=SC1091
+. /etc/default/locale
+
+export LANG
+export PATH="/usr/local/games:/usr/games:$PATH"
+
+if [ -x /usr/games/fortune ] ; then
+    /usr/games/fortune -s
+fi
diff --git a/ansible_collections/debops/debops/roles/machine/meta/main.yml b/ansible_collections/debops/debops/roles/machine/meta/main.yml
new file mode 100644
index 00000000..ee081a6a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage local machine information and MOTD'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - motd
+    - issue
+    - login
diff --git a/ansible_collections/debops/debops/roles/machine/tasks/main.yml b/ansible_collections/debops/debops/roles/machine/tasks/main.yml
new file mode 100644
index 00000000..3cf65d98
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/tasks/main.yml
@@ -0,0 +1,156 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install requested packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", machine__packages) }}'
+    state: 'present'
+  register: machine__register_packages
+  until: machine__register_packages is succeeded
+  when: machine__enabled | bool
+
+- name: Generate machine-info config file
+  ansible.builtin.template:
+    src: 'etc/machine-info.j2'
+    dest: '/etc/machine-info'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: machine__enabled | bool
+
+- name: Add/remove diversion of /etc/issue
+  debops.debops.dpkg_divert:
+    path: '/etc/issue'
+    state: '{{ "present"
+               if machine__etc_issue_state | d("present") != "absent"
+               else "absent" }}'
+    delete: True
+  when: machine__enabled | bool
+
+- name: Configure /etc/issue file
+  ansible.builtin.template:
+    src: '{{ machine__etc_issue_template }}'
+    dest: '/etc/issue'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: machine__enabled | bool and machine__etc_issue_state | d('present') != 'absent'
+
+- name: Remove static /etc/motd file if requested
+  ansible.builtin.file:
+    path: '/etc/motd'
+    state: 'absent'
+  when: machine__enabled | bool and machine__etc_motd_state == 'absent'
+
+- name: Generate static /etc/motd file
+  ansible.builtin.copy:
+    content: "{{ machine__motd }}"
+    dest: '/etc/motd'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: machine__enabled | bool and machine__etc_motd_state | d('present') != 'absent' and
+        machine__motd | d()
+
+- name: Ensure that required directories exist
+  ansible.builtin.file:
+    path: '{{ machine__motd_update_dir }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: machine__enabled | bool
+
+- name: Create /run/motd.dynamic symlink
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Add/remove diversion of packaged MOTD scripts
+  vars:
+    machine__var_divert_path: '{{ "/etc/update-motd.d/"
+                                  + item.filename | d(("%02d" | format(item.weight | int)) | string + "-" + item.name) }}'
+  debops.debops.dpkg_divert:
+    path: '{{ machine__var_divert_path }}'
+    divert: '{{ machine__var_divert_path + ".disabled" }}'
+    state: '{{ "present"
+               if (machine__enabled | bool and
+                   item.state | d("present") not in ["absent", "revert"])
+               else "absent" }}'
+    delete: True
+  loop: '{{ machine__motd_combined_scripts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ item.filename | d(item.name) }}'
+  when: item.filename | d(item.name) and item.divert | d(False) | bool
+
+- name: Remove dynamic MOTD scripts
+  ansible.builtin.file:
+    path: '{{ machine__motd_update_dir + "/"
+              + (item.filename | d(("%02d" | format(item.weight | int)) | string + "-" + item.name)) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", machine__motd_combined_scripts) | debops.debops.parse_kv_items }}'
+  register: machine__register_motd_scripts_removed
+  when: (machine__enabled | bool and
+         item.filename | d(item.name) and
+         item.state | d('present') == 'absent' and not item.divert | d(False) | bool)
+
+- name: Install dynamic MOTD scripts
+  ansible.builtin.copy:
+    src: '{{ item.src | d(omit) }}'
+    content: '{{ item.content | d(omit) }}'
+    dest: '{{ machine__motd_update_dir + "/"
+              + (item.filename | d(("%02d" | format(item.weight | int)) | string + "-" + item.name)) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ machine__motd_combined_scripts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ item.filename | d() or item.name }}'
+  register: machine__register_motd_scripts_created
+  when: (machine__enabled | bool and
+         item.filename | d(item.name) and
+         item.src | d(item.content) and
+         item.state | d('present') not in ['init', 'absent', 'ignore', 'divert', 'revert'])
+
+- name: Remove unknown MOTD scripts
+  ansible.builtin.shell: find /etc/update-motd.d -maxdepth 1 -type f
+         -name '*-{{ item.item.name }}'
+         ! -name '{{ ("%02d" | format((item.item.weight | d("0")) | int)) | string + "-" + item.item.name }}'
+         -exec rm -vf {} +
+  loop: '{{ machine__register_motd_scripts_removed.results
+            + machine__register_motd_scripts_created.results }}'
+  loop_control:
+    label: '{{ item.item.name }}'
+  register: machine__register_remove_unknown
+  changed_when: machine__register_remove_unknown.changed | bool
+  when: (item.item.name | d() and not item.item.divert | d(False) | bool and
+         item.item.filename is undefined and item is changed)
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save machine local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/machine.fact.j2'
+    dest: '/etc/ansible/facts.d/machine.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/machine/templates/etc/ansible/facts.d/machine.fact.j2 b/ansible_collections/debops/debops/roles/machine/templates/etc/ansible/facts.d/machine.fact.j2
new file mode 100644
index 00000000..41188e7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/templates/etc/ansible/facts.d/machine.fact.j2
@@ -0,0 +1,28 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+output = loads('''{{ {'configured': True,
+                      'enabled': machine__enabled | bool
+                      } | to_nice_json }}''')
+
+machine_info = '/etc/machine-info'
+
+if os.path.exists(machine_info) and os.path.isfile(machine_info):
+    with open(machine_info, "r") as f:
+        for line in f:
+            if not line.startswith('#') and '=' in line:
+                line = line.strip().split('=')
+                output.update({str(line[0]).lower(): str(line[1]).strip('"')})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/machine/templates/etc/issue.j2 b/ansible_collections/debops/debops/roles/machine/templates/etc/issue.j2
new file mode 100644
index 00000000..6b00aac4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/templates/etc/issue.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+
+      /\\       \n.\O
+     /  \\      {{ machine__organization }}
+    DebOps
+     \\  /      \l / \U
+      \\/       \s \r
diff --git a/ansible_collections/debops/debops/roles/machine/templates/etc/machine-info.j2 b/ansible_collections/debops/debops/roles/machine/templates/etc/machine-info.j2
new file mode 100644
index 00000000..299066ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/machine/templates/etc/machine-info.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if machine__organization | d() %}
+ORGANIZATION="{{ machine__organization }}"
+{% endif %}
+{% if machine__contact | d() %}
+CONTACT="{{ machine__contact }}"
+{% endif %}
+{% if machine__pretty_hostname | d() %}
+PRETTY_HOSTNAME="{{ machine__pretty_hostname }}"
+{% endif %}
+{% if machine__icon_name | d() %}
+ICON_NAME="{{ machine__icon_name }}"
+{% endif %}
+{% if machine__chassis | d() %}
+CHASSIS="{{ machine__chassis }}"
+{% endif %}
+{% if machine__deployment | d() %}
+DEPLOYMENT="{{ machine__deployment }}"
+{% endif %}
+{% if machine__location | d() %}
+LOCATION="{{ machine__location }}"
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/mailman/COPYRIGHT b/ansible_collections/debops/debops/roles/mailman/COPYRIGHT
new file mode 100644
index 00000000..da612596
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.mailman - Manage Mailman installation using Ansible
+
+Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+Copyright (C) 2014-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/core_configuration.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/core_configuration.yml
new file mode 100644
index 00000000..3a81aa20
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/core_configuration.yml
@@ -0,0 +1,521 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# Mailman Core configuration options
+# ==================================
+
+# These variables define the contents of the :file:`/etc/mailman3/mailman.cfg`
+# configuration file. See :ref:`mailman__ref_core_configuration` for more
+# details.
+
+# .. envvar:: mailman__core_original_configuration [[[
+#
+# The original contents of the :file:`/etc/mailman3/mailman.cfg` configuration
+# file defined in YAML format. The options are changed in subsequent variables.
+mailman__core_original_configuration:
+
+  - name: 'mailman'
+    options:
+
+      - name: 'site_owner'
+        comment: |
+          This address is the "site owner" address.  Certain messages which must be
+          delivered to a human, but which can't be delivered to a list owner (e.g. a
+          bounce from a list owner), will be sent to this address.  It should point to
+          a human.
+        value: 'changeme@example.com'
+
+      - name: 'noreply_address'
+        comment: |
+          This is the local-part of an email address used in the From field whenever a
+          message comes from some entity to which there is no natural reply recipient.
+          Mailman will append '@' and the host name of the list involved.  This
+          address must not bounce and it must not point to a Mailman process.
+        value: 'noreply'
+
+      - name: 'default_language'
+        comment: 'The default language for this server.'
+        value: 'en'
+
+      - name: 'sender_headers'
+        comment: |
+          Membership tests for posting purposes are usually performed by looking at a
+          set of headers, passing the test if any of their values match a member of
+          the list.  Headers are checked in the order given in this variable.  The
+          value From_ means to use the envelope sender.  Field names are case
+          insensitive.  This is a space separate list of headers.
+        value: [ 'from', 'from_', 'reply-to', 'sender' ]
+
+      - name: 'email_commands_max_lines'
+        comment: 'Mail command processor will ignore mail command lines after designated max.'
+        value: 10
+
+      - name: 'pending_request_life'
+        comment: |
+          Default length of time a pending request is live before it is evicted from
+          the pending database.
+        value: '3d'
+
+      - name: 'cache_life'
+        comment: 'How long should files be saved before they are evicted from the cache?'
+        value: '7d'
+
+      - name: 'pre_hook'
+        comment: |
+          A callable to run with no arguments early in the initialization process.
+          This runs before database initialization.
+        value: ''
+
+      - name: 'post_hook'
+        comment: |
+          A callable to run with no arguments late in the initialization process.
+          This runs after adapters are initialized.
+        value: ''
+
+      - name: 'layout'
+        comment: |
+          Which paths.* file system layout to use.
+          You should not change this variable.
+        value: 'debian'
+
+      - name: 'filtered_messages_are_preservable'
+        comment: 'Can MIME filtered messages be preserved by list owners?'
+        value: False
+
+      - name: 'html_to_plain_text_command'
+        comment: |
+          How should text/html parts be converted to text/plain when the mailing list
+          is set to convert HTML to plaintext?  This names a command to be called,
+          where the substitution variable $filename is filled in by Mailman, and
+          contains the path to the temporary file that the command should read from.
+          The command should print the converted text to stdout.
+        value: '/usr/bin/lynx -dump $filename'
+
+      - name: 'listname_chars'
+        comment: |
+          Specify what characters are allowed in list names.  Characters outside of
+          the class [-_.+=!$*{}~0-9a-z] matched case insensitively are never allowed,
+          but this specifies a subset as the only allowable characters.  This must be
+          a valid character class regexp or the effect on list creation is
+          unpredictable.
+        value: '[-_.0-9a-z]'
+
+  - name: 'shell'
+    separator: True
+    comment: |
+      `mailman shell` (also `withlist`) gives you an interactive prompt that you
+      can use to interact with an initialized and configured Mailman system.  Use
+      --help for more information.  This section allows you to configure certain
+      aspects of this interactive shell.
+    options:
+
+      - name: 'prompt'
+        comment: 'Customize the interpreter prompt.'
+        value: '>>>'
+        separator: True
+
+      - name: 'banner'
+        comment: 'Banner to show on startup.'
+        value: 'Welcome to the GNU Mailman shell'
+
+      - name: 'use_ipython'
+        comment: |
+          Use IPython as the shell, which must be found on the system.  Valid values
+          are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except
+          that any import errors will be displayed to stderr.
+        value: False
+
+      - name: 'history_file'
+        comment: |
+          Set this to allow for command line history if readline is available.  This
+          can be as simple as $var_dir/history.py to put the file in the var directory.
+        value: ''
+
+  - name: 'paths.debian'
+    separator: True
+    comment: |
+      Important directories for Mailman operation.  These are defined here so that
+      different layouts can be supported.   For example, a developer layout would
+      be different from a FHS layout.  Most paths are based off the var_dir, and
+      often just setting that will do the right thing for all the other paths.
+      You might also have to set spool_dir though.
+
+      Substitutions are allowed, but must be of the form $var where 'var' names a
+      configuration variable in the paths.* section.  Substitutions are expanded
+      recursively until no more $-variables are present.  Beware of infinite
+      expansion loops!
+    options:
+
+      - name: 'var_dir'
+        comment: |
+          This is the root of the directory structure that Mailman will use to store
+          its run-time data.
+        value: '/var/lib/mailman3'
+
+      - name: 'queue_dir'
+        comment: 'This is where the Mailman queue files directories will be created.'
+        value: '$var_dir/queue'
+        separator: False
+
+      - name: 'bin_dir'
+        comment: |
+          This is the directory containing the Mailman 'runner' and 'master' commands
+          if set to the string '$argv', it will be taken as the directory containing
+          the 'mailman' command.
+        value: '/usr/lib/mailman3/bin'
+
+      - name: 'list_data_dir'
+        comment: 'All list-specific data.'
+        value: '$var_dir/lists'
+
+      - name: 'log_dir'
+        comment: 'Directory where log files go.'
+        value: '/var/log/mailman3'
+
+      - name: 'lock_dir'
+        comment: 'Directory for system-wide locks.'
+        value: '$var_dir/locks'
+
+      - name: 'data_dir'
+        comment: 'Directory for system-wide data.'
+        value: '$var_dir/data'
+
+      - name: 'cache_dir'
+        comment: 'Cache files.'
+        value: '$var_dir/cache'
+
+      - name: 'etc_dir'
+        comment: 'Directory for configuration files and such.'
+        value: '/etc/mailman3'
+
+      - name: 'ext_dir'
+        comment: 'Directory containing Mailman plugins.'
+        value: '$var_dir/ext'
+
+      - name: 'messages_dir'
+        comment: 'Directory where the default IMessageStore puts its messages.'
+        value: '$var_dir/messages'
+
+      - name: 'archive_dir'
+        comment: |
+          Directory for archive backends to store their messages in.  Archivers should
+          create a subdirectory in here to store their files.
+        value: '$var_dir/archives'
+
+      - name: 'template_dir'
+        comment: 'Root directory for site-specific template override files.'
+        value: '$var_dir/templates'
+
+      - name: 'pid_file'
+        comment: |
+          There are also a number of paths to specific file locations that can be
+          defined.  For these, the directory containing the file must already exist,
+          or be one of the directories created by Mailman as per above.
+
+          This is where PID file for the master runner is stored.
+        value: '/run/mailman3/master.pid'
+
+      - name: 'lock_file'
+        comment: 'Lock file.'
+        value: '$lock_dir/master.lck'
+
+  - name: 'database'
+    separator: True
+    options:
+
+      - name: 'class_sqlite'
+        option: 'class'
+        comment: 'The class implementing the IDatabase.'
+        value: 'mailman.database.sqlite.SQLiteDatabase'
+        state: 'comment'
+
+      - name: 'class_mysql'
+        option: 'class'
+        value: 'mailman.database.mysql.MySQLDatabase'
+        state: 'comment'
+
+      - name: 'class_postgresql'
+        option: 'class'
+        value: 'mailman.database.postgresql.PostgreSQLDatabase'
+        state: 'comment'
+
+      - name: 'url_sqlite'
+        option: 'url'
+        comment: |
+          Use this to set the Storm database engine URL.  You generally have one
+          primary database connection for all of Mailman.  List data and most rosters
+          will store their data in this database, although external rosters may access
+          other databases in their own way.  This string supports standard
+          'configuration' substitutions.
+        value: 'sqlite:///$DATA_DIR/mailman.db'
+        state: 'comment'
+
+      - name: 'url_mysql'
+        option: 'url'
+        value: 'mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1'
+        state: 'comment'
+
+      - name: 'url_postgresql'
+        option: 'url'
+        value: 'postgres://mailman3:mmpass@localhost/mailman3'
+        state: 'comment'
+
+      - name: 'debug'
+        value: False
+        separator: True
+
+  - name: 'logging.debian'
+    separator: True
+    comment: |
+      This defines various log settings.  The options available are:
+
+      - level     -- Overrides the default level; this may be any of the
+                     standard Python logging levels, case insensitive.
+      - format    -- Overrides the default format string
+      - datefmt   -- Overrides the default date format string
+      - path      -- Overrides the default logger path.  This may be a relative
+                     path name, in which case it is relative to Mailman's LOG_DIR,
+                     or it may be an absolute path name.  You cannot change the
+                     handler class that will be used.
+      - propagate -- Boolean specifying whether to propagate log message from this
+                     logger to the root "mailman" logger.  You cannot override
+                     settings for the root logger.
+
+      In this section, you can define defaults for all loggers, which will be
+      prefixed by 'mailman.'.  Use subsections to override settings for specific
+      loggers.  The names of the available loggers are:
+
+      - archiver        --  All archiver output
+      - bounce          --  All bounce processing logs go here
+      - config          --  Configuration issues
+      - database        --  Database logging (SQLAlchemy and Alembic)
+      - debug           --  Only used for development
+      - error           --  All exceptions go to this log
+      - fromusenet      --  Information related to the Usenet to Mailman gateway
+      - http            --  Internal wsgi-based web interface
+      - locks           --  Lock state changes
+      - mischief        --  Various types of hostile activity
+      - runner          --  Runner process start/stops
+      - smtp            --  Successful SMTP activity
+      - smtp-failure    --  Unsuccessful SMTP activity
+      - subscribe       --  Information about leaves/joins
+      - vette           --  Message vetting information
+    options:
+
+      - name: 'format'
+        value: '%(asctime)s (%(process)d) %(message)s'
+
+      - name: 'datefmt'
+        value: '%b %d %H:%M:%S %Y'
+
+      - name: 'propagate'
+        value: False
+
+      - name: 'level'
+        value: 'info'
+
+      - name: 'path'
+        value: 'mailman.log'
+
+  - name: 'webservice'
+    options:
+
+      - name: 'hostname'
+        comment: 'The hostname at which admin web service resources are exposed.'
+        value: 'localhost'
+
+      - name: 'port'
+        comment: 'The port at which the admin web service resources are exposed.'
+        value: 8001
+
+      - name: 'use_https'
+        comment: 'Whether or not requests to the web service are secured through SSL.'
+        value: False
+
+      - name: 'show_tracebacks'
+        comment: |
+          Whether or not to show tracebacks in an HTTP response for a request that
+          raised an exception.
+        value: True
+
+      - name: 'api_version'
+        comment: 'The API version number for the current (highest) API.'
+        value: '3.1'
+
+      - name: 'admin_user'
+        comment: 'The administrative username.'
+        value: 'restadmin'
+
+      - name: 'admin_pass'
+        comment: 'The administrative password.'
+        value: 'restpass'
+
+  - name: 'mta'
+    options:
+
+      - name: 'incoming_exim'
+        option: 'incoming'
+        comment: 'The class defining the interface to the incoming mail transport agent.'
+        value: 'mailman.mta.exim4.LMTP'
+        state: 'comment'
+
+      - name: 'incoming'
+        value: 'mailman.mta.postfix.LMTP'
+
+      - name: 'outgoing'
+        comment: |
+          The callable implementing delivery to the outgoing mail transport agent.
+          This must accept three arguments, the mailing list, the message, and the
+          message metadata dictionary.
+        value: 'mailman.mta.deliver.deliver'
+
+      - name: 'smtp_host'
+        comment: |
+          How to connect to the outgoing MTA.  If smtp_user and smtp_pass is given,
+          then Mailman will attempt to log into the MTA when making a new connection.
+        value: 'localhost'
+
+      - name: 'smtp_port'
+        value: 25
+
+      - name: 'smtp_user'
+        value: ''
+
+      - name: 'smtp_pass'
+        value: ''
+
+      - name: 'lmtp_host'
+        comment: |
+          Where the LMTP server listens for connections.  Use 127.0.0.1 instead of
+          localhost for Postfix integration, because Postfix only consults DNS
+          (e.g. not /etc/hosts).
+        value: '127.0.0.1'
+
+      - name: 'lmtp_port'
+        value: 8024
+
+      - name: 'configuration_exim'
+        option: 'configuration'
+        comment: |
+          Where can we find the mail server specific configuration file?  The path can
+          be either a file system path or a Python import path.  If the value starts
+          with python: then it is a Python import path, otherwise it is a file system
+          path.  File system paths must be absolute since no guarantees are made about
+          the current working directory.  Python paths should not include the trailing
+          .cfg, which the file must end with.
+        value: 'python:mailman.config.exim4'
+        state: 'comment'
+
+      - name: 'configuration'
+        comment: |
+        value: 'python:mailman.config.postfix'
+
+  - name: 'archiver.hyperkitty'
+    comment: |
+      The following lines are specific to mailing lists archiving using
+      HyperKitty. They require 'python3-mailman-hyperkitty' to be installed
+      and will produce errors otherwise.
+
+      If you don't want to use HyperKitty, please comment them out.
+    options:
+
+      - name: 'class'
+        value: 'mailman_hyperkitty.Archiver'
+
+      - name: 'enable'
+        value: True
+
+      - name: 'configuration'
+        value: '/etc/mailman3/mailman-hyperkitty.cfg'
+
+                                                                   # ]]]
+# .. envvar:: mailman__core_default_configuration [[[
+#
+# Mailman Core configuration options defined by the role.
+mailman__core_default_configuration:
+
+  - name: 'mailman'
+    options:
+
+      - name: 'site_owner'
+        value: '{{ "root@" + mailman__domain }}'
+
+  - name: 'database'
+    options:
+
+      - name: 'class_sqlite'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("SQLiteDatabase"))
+                   else "ignore" }}'
+
+      - name: 'class_mysql'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("MySQLDatabase"))
+                   else "ignore" }}'
+
+      - name: 'class_postgresql'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("PostgreSQLDatabase"))
+                   else "ignore" }}'
+
+      - name: 'url_sqlite'
+        value: '{{ ansible_local.mailman.database_url | d() }}'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("SQLiteDatabase"))
+                   else "ignore" }}'
+
+      - name: 'url_mysql'
+        value: '{{ ansible_local.mailman.database_url | d() }}'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("MySQLDatabase"))
+                   else "ignore" }}'
+
+      - name: 'url_postgresql'
+        value: '{{ ansible_local.mailman.database_url | d() }}'
+        state: '{{ "present"
+                   if ((ansible_local.mailman.database_class | d("")).endswith("PostgreSQLDatabase"))
+                   else "ignore" }}'
+
+  - name: 'webservice'
+    options:
+
+      - name: 'admin_pass'
+        value: '{{ ansible_local.mailman.webservice_admin_pass | d("restpass") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__core_configuration [[[
+#
+# Mailman Core configuration options defined on all hosts in the Ansible
+# inventory.
+mailman__core_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__core_group_configuration [[[
+#
+# Mailman Core configuration options defined on hosts in a specific Ansible
+# inventory group.
+mailman__core_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__core_host_configuration [[[
+#
+# Mailman Core configuration options defined on specific hosts in the Ansible
+# inventory.
+mailman__core_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__core_combined_configuration [[[
+#
+# Variable which combines all of the Mailman Core configuration variables and
+# is used in the role tasks and templates.
+mailman__core_combined_configuration: '{{ mailman__core_original_configuration
+                                          + mailman__core_default_configuration
+                                          + mailman__core_configuration
+                                          + mailman__core_group_configuration
+                                          + mailman__core_host_configuration }}'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/dependent.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/dependent.yml
new file mode 100644
index 00000000..102a6ea6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/dependent.yml
@@ -0,0 +1,156 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# Configuration for other Ansible roles
+# =====================================
+
+# .. envvar:: mailman__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mailman__python__dependent_packages3:
+
+  - '{{ ["python3-django-auth-ldap"]
+        if mailman__ldap_enabled | bool
+        else [] }}'
+
+  - '{{ ["python3-psycopg2"]
+        if (mailman__database_type == "postgresql")
+        else [] }}'
+
+  - '{{ ["python3-pymysql", "python3-mysqldb"]
+        if (mailman__database_type == "mysql")
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mailman__python__dependent_packages2:
+
+  - '{{ ["python-django-auth-ldap"]
+        if mailman__ldap_enabled | bool
+        else [] }}'
+
+  - '{{ ["python-psycopg2"]
+        if (mailman__database_type == "postgresql")
+        else [] }}'
+
+  - '{{ ["python-pymysql", "python-mysqldb"]
+        if (mailman__database_type == "mysql")
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` role.
+mailman__ldap__dependent_tasks:
+
+  - name: '{{ "Create Mailman 3 account for "
+              + mailman__ldap_device_dn | join(",") }}'
+    dn: '{{ mailman__ldap_bind_dn }}'
+    objectClass: '{{ mailman__ldap_self_object_classes }}'
+    attributes: '{{ mailman__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__postfix__dependent_maincf [[[
+#
+# Configuration for the :ref:`debops.postfix` Ansible role.
+mailman__postfix__dependent_maincf:
+
+  - name: 'owner_request_special'
+    value: False
+    state: 'present'
+
+  - name: 'transport_maps'
+    value: [ 'hash:/var/lib/mailman3/data/postfix_lmtp' ]
+    state: 'present'
+
+  - name: 'local_recipient_maps'
+    value:
+      - 'proxy:unix:passwd.byname'
+      - '$alias_maps'
+      - 'hash:/var/lib/mailman3/data/postfix_lmtp'
+    state: 'present'
+
+  - name: 'relay_domains'
+    value: [ 'hash:/var/lib/mailman3/data/postfix_domains' ]
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: mailman__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+mailman__nginx__dependent_upstreams:
+
+  - name: 'mailman3'
+    server: 'unix:/run/mailman3-web/uwsgi.sock fail_timeout=0'
+
+                                                                   # ]]]
+# .. envvar:: mailman__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+mailman__nginx__dependent_servers:
+
+  - by_role: 'debops.mailman'
+    enabled: True
+    name: '{{ [mailman__fqdn] + mailman__additional_domains }}'
+    redirect_from: True
+    filename: 'debops.mailman'
+
+    location_list:
+
+      # Provide a redirect from old Mailman 2.1 installation
+      - pattern: '^/mailman/?$'
+        pattern_prefix: '~* '
+        options: 'return 301 /postorius/lists/;'
+        state: 'present'
+
+      # Provide a redirect from old Mailman 2.1 installation
+      - pattern: '^/mailman/listinfo/?$'
+        pattern_prefix: '~* '
+        options: 'return 301 /postorius/lists/;'
+        state: 'present'
+
+      # Provide a redirect from old Mailman 2.1 installation to per-list page
+      # FIXME: Captures the trailing slash but shouldn't
+      - pattern: '^/mailman/listinfo/(.+)/?$'
+        pattern_prefix: '~* '
+        options: 'return 301 /postorius/lists/$1.{{ mailman__fqdn }}/;'
+        state: 'present'
+
+      # Provide a redirect from old Mailman 2.1 installation
+      - pattern: '^/pipermail/?$'
+        pattern_prefix: '~* '
+        options: 'return 301 /hyperkitty/;'
+        state: 'present'
+
+      # Provide a redirect from old Mailman 2.1 installation
+      # FIXME: Captures the trailing slash but shouldn't
+      - pattern: '^/pipermail/(.+)/?$'
+        pattern_prefix: '~* '
+        options: 'return 301 /hyperkitty/list/$1@{{ mailman__fqdn }}/;'
+        state: 'present'
+
+      - pattern: '/'
+        options: |
+          uwsgi_pass mailman3;
+          include /etc/nginx/uwsgi_params;
+        state: 'present'
+
+      - pattern: '/mailman3/static'
+        options: |
+          alias /var/lib/mailman3/web/static;
+        state: 'present'
+
+      - pattern: '/mailman3/static/favicon.ico'
+        options: |
+          alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
+        state: 'present'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/environment.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/environment.yml
new file mode 100644
index 00000000..8e04eee1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/environment.yml
@@ -0,0 +1,111 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# Mailman environment configuration [[[
+# =====================================
+
+# System package configuration [[[
+# --------------------------------
+
+# .. envvar:: mailman__base_packages [[[
+#
+# List of the base APT packages to install for Mailman 3 support.
+mailman__base_packages:
+
+  - 'mailman3-full'
+  - 'lynx'
+  - '{{ "dbconfig-pgsql"
+        if (mailman__database_type == "postgresql")
+        else [] }}'
+  - '{{ "dbconfig-mysql"
+        if (mailman__database_type == "mysql")
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__packages [[[
+#
+# List of additional APT packages to install with Mailman 3.
+mailman__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: mailman__user [[[
+#
+# The UNIX system account used by the Mailman installation.
+mailman__user: 'list'
+
+                                                                   # ]]]
+# .. envvar:: mailman__group [[[
+#
+# The UNIX system group used by the Mailman installation.
+mailman__group: 'list'
+                                                                   # ]]]
+                                                                   # ]]]
+# Web environment [[[
+# -------------------
+
+# .. envvar:: mailman__domain [[[
+#
+# The DNS domain used by Mailman service.
+mailman__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__fqdn [[[
+#
+# The Fully Qualified Domain Name used by Mailman.
+# If the Mailman3 web interface sends emails, this domain will be used for the
+# sender addresses. In particular, it will be 'postorius@<fqdn>' for internal
+# authentication and 'root@<fqdn>' for error messages.
+mailman__fqdn: 'lists.{{ mailman__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__additional_domains [[[
+#
+# Additional DNS names used by the Mailman webserver. The users will be
+# automatically redirected to the main FQDN of the service.
+mailman__additional_domains: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration options [[[
+# ----------------------------------
+
+# .. envvar:: mailman__database_type [[[
+#
+# The database type used by the Mailman installation, defined via Ansible local
+# facts to avoid switching to a different database on subsequent Ansible runs.
+# If Mailman 3 is not installed, the database will be selected in order of
+# preference - PostgreSQL, MySQL, SQLite.
+mailman__database_type: '{{ ansible_local.mailman.database_class.split(".")[2]
+                            if (ansible_local | d() and ansible_local.mailman is defined)
+                            else ("postgresql"
+                                  if (ansible_local.postgresql is defined)
+                                  else ("mysql"
+                                        if (ansible_local.mariadb is defined)
+                                        else "sqlite")) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Django superuser account [[[
+# ----------------------------
+
+# .. envvar:: mailman__superuser_name [[[
+#
+# Name of the Django superuser account created by the role.
+mailman__superuser_name: '{{ ansible_local.core.admin_users[0]
+                             if (ansible_local.core.admin_users | d())
+                             else "admin" }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__superuser_email [[[
+#
+# E-mail address of the Django superuser account created by the role.
+mailman__superuser_email: '{{ ansible_local.core.admin_private_email[0]
+                              if (ansible_local.core.admin_private_email | d())
+                              else ("postmaster@" + mailman__domain) }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/hyperkitty_configuration.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/hyperkitty_configuration.yml
new file mode 100644
index 00000000..12cf6a1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/hyperkitty_configuration.yml
@@ -0,0 +1,85 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# HyperKitty configuration options
+# ================================
+
+# These variables define the contents of the
+# :file:`/etc/mailman3/mailman-hyperkitty.cfg` configuration file.
+# They use the same syntax as the Mailman Core configuration options.
+# See :ref:`mailman__ref_core_configuration` for more details.
+
+# .. envvar:: mailman__hyperkitty_original_configuration [[[
+#
+# The original contents of the configuration file. The options are modified in
+# subsequent variables.
+mailman__hyperkitty_original_configuration:
+
+  - name: 'general'
+    options:
+
+      - name: 'base_url'
+        comment: |
+          This is your HyperKitty installation, preferably on the localhost. This
+          address will be used by Mailman to forward incoming emails to HyperKitty
+          for archiving. It does not need to be publicly available, in fact it's
+          better if it is not.
+        value: 'http://localhost/mailman3/hyperkitty/'
+
+      - name: 'api_key'
+        comment: |
+          Shared API key, must be the identical to the value in HyperKitty's
+          settings.
+        value: 'SecretArchiverAPIKey'
+
+                                                                   # ]]]
+# .. envvar:: mailman__hyperkitty_default_configuration [[[
+#
+# The HyperKitty configuration defined by the role.
+mailman__hyperkitty_default_configuration:
+
+  - name: 'general'
+    options:
+
+      - name: 'base_url'
+        value: '{{ "https://" + mailman__fqdn + "/hyperkitty/" }}'
+
+      - name: 'api_key'
+        value: '{{ ansible_local.mailman.archiver_key | d("SecretArchiverAPIKey") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__hyperkitty_configuration [[[
+#
+# The HyperKitty configuration defined on all hosts in the Ansible inventory.
+mailman__hyperkitty_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__hyperkitty_group_configuration [[[
+#
+# The HyperKitty configuration defined on hosts in a specific Ansible inventory
+# group.
+mailman__hyperkitty_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__hyperkitty_host_configuration [[[
+#
+# The HyperKitty configuration defined on specific hosts in the Ansible
+# inventory.
+mailman__hyperkitty_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__hyperkitty_combined_configuration [[[
+#
+# The variable which combines all other HyperKitty configuration variables and
+# is used in the role tasks and templates.
+mailman__hyperkitty_combined_configuration: '{{ mailman__hyperkitty_original_configuration
+                                                + mailman__hyperkitty_default_configuration
+                                                + mailman__hyperkitty_configuration
+                                                + mailman__hyperkitty_group_configuration
+                                                + mailman__hyperkitty_host_configuration }}'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/ldap.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/ldap.yml
new file mode 100644
index 00000000..b5c1376b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/ldap.yml
@@ -0,0 +1,142 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# LDAP configuration
+# ------------------
+
+# .. envvar:: mailman__ldap_enabled [[[
+#
+# Enable or disable LDAP authentication in the web interface.
+mailman__ldap_enabled: '{{ ansible_local.ldap.enabled | d(False) }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_uri [[[
+#
+# List of LDAP server URIs.
+mailman__ldap_uri: '{{ ansible_local.ldap.uri | d(["ldap://ldap." + ansible_domain]) }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_device_dn [[[
+#
+# The Distinguished Name of the device LDAP object, defined as a YAML list. It
+# will be used as a base for the Mailman 3 service account object. The role will
+# not create the account object automatically if this list is empty.
+mailman__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the service account object that Mailman 3
+# uses to access the LDAP directory.
+mailman__ldap_self_rdn: 'uid=mailman'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_self_object_classes [[[
+#
+# List of object classes that will be used to create the LDAP service account.
+mailman__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP service account.
+mailman__ldap_self_attributes:
+  uid: '{{ mailman__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ mailman__ldap_bind_password }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "mailman" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_starttls [[[
+#
+# Enable or disable StartTLS for encrypted connections to the LDAP server.
+mailman__ldap_starttls: True
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_bind_dn [[[
+#
+# The Distinguished Name of the service account object that Mailman 3 uses to
+# access the LDAP directory.
+mailman__ldap_bind_dn: '{{ ([mailman__ldap_self_rdn]
+                            + mailman__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_bind_password [[[
+#
+# The password used by Mailman 3 to access the LDAP directory.
+mailman__ldap_bind_password: '{{ lookup("password", secret + "/ldap/credentials/"
+                                                    + mailman__ldap_bind_dn | to_uuid
+                                                    + ".password chars=ascii_letters,digits length=22") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_base_dn [[[
+#
+# The base Distinguished Name of the LDAP directory, defined as a YAML list.
+mailman__ldap_base_dn: '{{ ansible_local.ldap.basedn
+                           if (ansible_local.ldap.basedn | d())
+                           else "dc=" + ansible_domain.split(".")
+                                        | join(",dc=") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP subtree that contains personal
+# entries.
+mailman__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP subtree that contains group
+# entries.
+mailman__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn | d("ou=Groups") }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_people_dn [[[
+#
+# The Distinguished Name of the LDAP subtree that contains personal entries.
+mailman__ldap_people_dn: '{{ mailman__ldap_people_rdn + ","
+                             + mailman__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_groups_dn [[[
+#
+# The Distinguished Name of the LDAP subtree that contains group entries.
+mailman__ldap_groups_dn: '{{ mailman__ldap_groups_rdn + ","
+                             + mailman__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_people_filter [[[
+#
+# The LDAP filter to query personal entries with.
+mailman__ldap_people_filter: '(&
+                                (objectClass=inetOrgPerson)
+                                (|
+                                  (uid=%(user)s)
+                                  (mail=%(user)s)
+                                )
+                                (|
+                                  (authorizedService=all)
+                                  (authorizedService=mailman)
+                                )
+                              )'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_groups_filter [[[
+#
+# The LDAP filter to query group entries with.
+mailman__ldap_groups_filter: '(objectClass=groupOfNames)'
+
+                                                                   # ]]]
+# .. envvar:: mailman__ldap_superusers_group [[[
+#
+# The name of the LDAP group that contains the superusers. Members of this group
+# are given full administrative privileges in the Mailman 3 web interface.
+mailman__ldap_superusers_group: 'cn=UNIX Administrators'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/templates.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/templates.yml
new file mode 100644
index 00000000..a491c1c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/templates.yml
@@ -0,0 +1,54 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# Mailman templates
+# =================
+
+# These variables define the configuration of the custom Mailman 3 templating
+# system. See :ref:`mailman__ref_templates` for more details.
+
+# .. envvar:: mailman__default_templates [[[
+#
+# The list of the Mailman 3 templates defined by the role.
+mailman__default_templates:
+
+  # Remove the default message footer from all mailing lists
+  - name: 'site/en/list:member:generic:footer.txt'
+    content: ''
+
+                                                                   # ]]]
+# .. envvar:: mailman__templates [[[
+#
+# The list of the Mailman 3 templates defined on all hosts in the Ansible
+# inventory.
+mailman__templates: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__group_templates [[[
+#
+# The list of the Mailman 3 templates defined on hosts in a specific Ansible
+# inventory group.
+mailman__group_templates: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__host_templates [[[
+#
+# The list of the Mailman 3 templates defined on specific hosts in the Ansible
+# inventory.
+mailman__host_templates: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__combined_templates [[[
+#
+# Variable which combines all of the other Mailman 3 template variables and is
+# used in role tasks and templates.
+mailman__combined_templates: '{{ mailman__default_templates
+                                 + mailman__templates
+                                 + mailman__group_templates
+                                 + mailman__host_templates }}'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/defaults/main/web_configuration.yml b/ansible_collections/debops/debops/roles/mailman/defaults/main/web_configuration.yml
new file mode 100644
index 00000000..18337892
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/defaults/main/web_configuration.yml
@@ -0,0 +1,505 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# Mailman Web configuration options
+# =================================
+
+# These variables define the contents of the
+# :file:`/etc/mailman3/mailman-web.py` configuration file.
+# See :ref:`mailman__ref_web_configuration` for more details.
+
+# .. envvar:: mailman__web_original_configuration [[[
+#
+# The original contents of the :file:`/etc/mailman3/mailman-web.py`
+# configuration file. They configuration options are changed by the subsequent
+# variables.
+mailman__web_original_configuration:
+
+  - name: 'secret_key'
+    comment: 'SECURITY WARNING: keep the secret key used in production secret!'
+    value: 'secretkey'
+
+  - name: 'admins'
+    value:
+      - [ 'Mailman Suite Admin', 'root@localhost' ]
+    type: 'tuple'
+    separator: True
+    state: 'present'
+
+  - name: 'allowed_hosts'
+    comment: |
+      Hosts/domain names that are valid for this site; required if DEBUG is False
+      See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+      Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+      is meant to run behind a webserver reverse proxy anyway.
+    options:
+
+      - name: 'localhost'
+        comment: 'Archiving API from Mailman, keep it.'
+        state: 'comment'
+
+      - name: 'lists.your-domain.org'
+        state: 'comment'
+
+      - name: '*'
+        comment: 'Add here all production URLs you may have.'
+        state: 'present'
+
+  - name: 'mailman_rest_api_url'
+    comment: 'Mailman API credentials'
+    value: 'http://localhost:8001'
+
+  - name: 'mailman_rest_api_user'
+    value: 'restadmin'
+
+  - name: 'mailman_rest_api_pass'
+    value: 'restpass'
+
+  - name: 'mailman_archiver_key'
+    value: 'keypass'
+
+  - name: 'mailman_archiver_from'
+    value: [ '127.0.0.1', '::1' ]
+    type: 'tuple'
+
+  - name: 'installed_apps'
+    comment: 'Application definition'
+    type: 'tuple'
+    options:
+
+      - 'hyperkitty'
+      - 'postorius'
+      - 'django_mailman3'
+
+      - name: 'django.contrib.admin'
+        comment: 'Uncomment the next line to enable the admin:'
+        state: 'present'
+
+      - name: 'django.contrib.admindocs'
+        comment: 'Uncomment the next line to enable admin documentation:'
+        state: 'comment'
+
+      - 'django.contrib.auth'
+      - 'django.contrib.contenttypes'
+      - 'django.contrib.sessions'
+      - 'django.contrib.sites'
+      - 'django.contrib.messages'
+      - 'django.contrib.staticfiles'
+      - 'rest_framework'
+      - 'django_gravatar'
+      - 'compressor'
+      - 'haystack'
+      - 'django_extensions'
+      - 'django_q'
+      - 'allauth'
+      - 'allauth.account'
+      - 'allauth.socialaccount'
+      - 'django_mailman3.lib.auth.fedora'
+
+      - name: 'allauth.socialaccount.providers.openid'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.github'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.gitlab'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.google'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.facebook'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.twitter'
+        state: 'comment'
+
+      - name: 'allauth.socialaccount.providers.stackexchange'
+        state: 'comment'
+
+  - name: 'database_sqlite'
+    option: 'databases'
+    comment: |
+      Database
+      https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+    state: '{{ "present" if (mailman__database_type == "sqlite") else "ignore" }}'
+    config:
+      'default':
+        'ENGINE': 'django.db.backends.sqlite3'
+        'NAME': '/var/lib/mailman3/web/mailman3web.db'
+        'USER': ''
+        'PASSWORD': ''
+        'HOST': ''
+        'PORT': ''
+        'OPTIONS': {}
+
+  - name: 'databases_mysql'
+    option: 'databases'
+    comment: |
+      Database
+      https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+    state: '{{ "present" if (mailman__database_type == "mysql") else "ignore" }}'
+    config:
+      'default':
+        'ENGINE': 'django.db.backends.mysql'
+        'NAME': 'mailman3web'
+        'USER': 'mailman3web'
+        'PASSWORD': 'password'
+        'HOST': 'localhost'
+        'PORT': ''
+        'OPTIONS':
+          'init_command': "SET sql_mode='STRICT_TRANS_TABLES'"
+
+  - name: 'use_x_forwarded_host'
+    comment: |
+      If you're behind a proxy, use the X-Forwarded-Host header
+      See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+    value: True
+
+  - name: 'secure_proxy_ssl_header_proto'
+    option: 'secure_proxy_ssl_header'
+    comment: |
+      And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+      https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+    value: [ 'HTTP_X_FORWARDED_PROTO', 'https' ]
+    type: 'tuple'
+    state: 'comment'
+
+  - name: 'secure_proxy_ssl_header_scheme'
+    option: 'secure_proxy_ssl_header'
+    value: [ 'HTTP_X_FORWARDED_SCHEME', 'https' ]
+    type: 'tuple'
+    state: 'comment'
+
+  - name: 'secure_ssl_redirect'
+    comment: 'Other security settings'
+    value: True
+    state: 'comment'
+
+  - name: 'secure_redirect_exempt'
+    comment: |
+      If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+      contains at least this line:
+    value: [ 'archives/api/mailman/.*' ]
+    state: 'comment'
+
+  - name: 'session_cookie_secure'
+    value: True
+    state: 'comment'
+
+  - name: 'secure_content_type_nosniff'
+    value: True
+    state: 'comment'
+
+  - name: 'secure_browser_xss_filter'
+    value: True
+    state: 'comment'
+
+  - name: 'csrf_cookie_secure'
+    value: True
+    state: 'comment'
+
+  - name: 'csrf_cookie_httponly'
+    value: True
+    state: 'comment'
+
+  - name: 'x_frame_options'
+    value: 'DENY'
+    state: 'comment'
+
+  - name: 'language_code'
+    comment: |
+      Internationalization
+      https://docs.djangoproject.com/en/1.8/topics/i18n/
+    value: 'en-us'
+
+  - name: 'time_zone'
+    value: 'UTC'
+
+  - name: 'use_i18n'
+    value: True
+
+  - name: 'use_l10n'
+    value: True
+
+  - name: 'use_tz'
+    value: True
+
+  - name: 'emailname'
+    comment: 'Set default domain for email addresses.'
+    value: 'localhost.local'
+
+  - name: 'default_from_email'
+    comment: |
+      If you enable internal authentication, this is the address that the emails
+      will appear to be coming from. Make sure you set a valid domain name,
+      otherwise the emails may get rejected.
+      https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+      DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+    value: "'postorius@{}'.format(EMAILNAME)"
+    type: 'raw'
+
+  - name: 'server_email'
+    comment: |
+      If you enable email reporting for error messages, this is where those emails
+      will appear to be coming from. Make sure you set a valid domain name,
+      otherwise the emails may get rejected.
+      https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+      SERVER_EMAIL = 'root@your-domain.org'
+    value: "'root@{}'.format(EMAILNAME)"
+    type: 'raw'
+
+  - name: 'account_default_http_protocol'
+    comment: 'Django Allauth'
+    value: 'https'
+
+  - name: 'socialaccount_providers'
+    comment: 'Social auth'
+    state: 'comment'
+    config:
+      'openid':
+        'SERVERS':
+          - id: 'yahoo'
+            name: 'Yahoo'
+            openid_url: 'https://me.yahoo.com/'
+      'google':
+        'SCOPE': [ 'profile', 'email' ]
+        'AUTH_PARAMS':
+          access_type: 'online'
+      'facebook':
+        'METHOD': 'oauth2'
+        'SCOPE': [ 'email' ]
+        'FIELDS':
+          - 'email'
+          - 'name'
+          - 'first_name'
+          - 'last_name'
+          - 'locale'
+          - 'timezone'
+        'VERSION': 'v2.4'
+
+  - name: 'compress_offline'
+    comment: |
+      On a production setup, setting COMPRESS_OFFLINE to True will bring a
+      significant performance improvement, as CSS files will not need to be
+      recompiled on each requests. It means running an additional "compress"
+      management command after each code upgrade.
+      https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
+    value: True
+
+  - name: 'postorius_template_base_url'
+    value: 'http://localhost/mailman3/'
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_default_configuration [[[
+#
+# The default Mailman Web configuration defined by the role.
+mailman__web_default_configuration:
+
+  - name: 'installed_apps'
+    options:
+
+      # Disable the Fedora social login enabled by default
+      - name: 'django_mailman3.lib.auth.fedora'
+        state: 'comment'
+
+  - name: 'admins'
+    value:
+      - [ 'Mailman Suite Admin', 'root@{{ mailman__domain }}' ]
+
+  - name: 'secret_key'
+    value: '{{ ansible_local.mailman.secret_key | d("secretkey") }}'
+
+  - name: 'mailman_archiver_key'
+    value: '{{ ansible_local.mailman.archiver_key | d("restadmin") }}'
+
+  - name: 'emailname'
+    value: '{{ mailman__fqdn }}'
+
+  - name: 'mailman_rest_api_pass'
+    value: '{{ ansible_local.mailman.webservice_admin_pass | d("restpass") }}'
+
+  - name: 'databases_mysql'
+    option: 'databases'
+    copy_id_from: 'installed_apps'
+    state: '{{ "present" if (mailman__database_type == "mysql") else "ignore" }}'
+    config:
+      'default':
+        'ENGINE':   'django.db.backends.mysql'
+        'NAME':     '{{ ansible_local.mailman.web_db_name | d("mailman3web") }}'
+        'USER':     '{{ ansible_local.mailman.web_db_user | d("mailman3web") }}'
+        'PASSWORD': '{{ ansible_local.mailman.web_db_password | d("password") }}'
+        'HOST':     '{{ ansible_local.mailman.web_db_host | d("localhost") }}'
+        'PORT':     '{{ ansible_local.mailman.web_db_port | d("") }}'
+        'OPTIONS':
+          'init_command': "SET sql_mode='STRICT_TRANS_TABLES'"
+
+  - name: 'databases_postgresql'
+    option: 'databases'
+    copy_id_from: 'installed_apps'
+    state: '{{ "present" if (mailman__database_type == "postgresql") else "ignore" }}'
+    config:
+      'default':
+        'ENGINE':   'django.db.backends.postgresql_psycopg2'
+        'NAME':     '{{ ansible_local.mailman.web_db_name | d("mailman3web") }}'
+        'USER':     '{{ ansible_local.mailman.web_db_user | d("mailman3web") }}'
+        'PASSWORD': '{{ ansible_local.mailman.web_db_password | d("password") }}'
+        'HOST':     '{{ ansible_local.mailman.web_db_host | d("localhost") }}'
+        'PORT':     '{{ ansible_local.mailman.web_db_port | d("") }}'
+        'OPTIONS': {}
+
+    # Reset the variable to make sure it is empty by default
+  - name: 'socialaccount_providers'
+    comment: 'Social auth'
+    state: 'present'
+    config: {}
+
+  - name: 'gravatar_secure_url'
+    value: 'https://seccdn.libravatar.org/'
+
+  - name: 'gravatar_default_image'
+    value: '{{ ["mm", "identicon", "monsterid", "wavatar", "retro", "robohash", "pagan"]
+               | random(seed=inventory_hostname) }}'
+
+  - name: 'gravatar_default_rating'
+    value: 'g'
+
+  - name: 'gravatar_default_secure'
+    value: True
+
+  - name: 'time_zone'
+    value: '{{ "UTC"
+               if ((ansible_local.tzdata.timezone | d("Etc/UTC")) == "Etc/UTC")
+               else ansible_local.tzdata.timezone }}'
+
+  - name: 'postorius_template_base_url'
+    value: '{{ "https://" + mailman__fqdn + "/" }}'
+
+  - name: 'mailman_archiver_from'
+    value: '{{ (["127.0.0.1", "::1"]
+                + ansible_all_ipv4_addresses | d([])
+                + ((ansible_all_ipv4_addresses | map("regex_replace", "^", "::ffff:") | list)
+                   if ansible_all_ipv4_addresses | d([]) else [])
+                + (ansible_all_ipv6_addresses | d([])
+                   | difference(ansible_all_ipv6_addresses | d([])
+                   | ansible.utils.ipaddr("link-local"))))
+               | sort | unique }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_ldap_configuration [[[
+#
+# Additional configuration options specific to the LDAP integration.
+mailman__web_ldap_configuration:
+
+  - name: 'ldap_import'
+    comment: 'Enable LDAP authentication support in Django'
+    raw: |
+      import ldap
+      from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+    copy_id_from: 'secret_key'
+    weight: -200
+
+  - name: 'auth_ldap_server_uri'
+    comment: |
+      Integration with the 'django-auth-ldap' library
+      https://django-auth-ldap.readthedocs.io/en/latest/reference.html
+    value: '{{ mailman__ldap_uri | join(" ") }}'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_start_tls'
+    value: '{{ mailman__ldap_starttls }}'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_bind_dn'
+    value: '{{ mailman__ldap_bind_dn }}'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_bind_password'
+    value: '{{ mailman__ldap_bind_password }}'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_user_search'
+    raw: |
+      AUTH_LDAP_USER_SEARCH = LDAPSearch(
+          '{{ mailman__ldap_people_dn }}',
+          ldap.SCOPE_SUBTREE,
+          '{{ mailman__ldap_people_filter }}',
+      )
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_group_search'
+    raw: |
+      AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+          '{{ mailman__ldap_groups_dn }}',
+          ldap.SCOPE_SUBTREE,
+          '{{ mailman__ldap_groups_filter }}',
+      )
+      AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr='cn')
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_user_attr_map'
+    config:
+      'first_name': 'givenName'
+      'last_name': 'sn'
+      'email': 'mail'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_user_flags_by_group'
+    config:
+      'is_staff':     '{{ mailman__ldap_superusers_group + "," + mailman__ldap_groups_dn }}'
+      'is_superuser': '{{ mailman__ldap_superusers_group + "," + mailman__ldap_groups_dn }}'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_find_group_perms'
+    value: True
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'auth_ldap_cache_timeout'
+    value: 3600
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+  - name: 'authentication_backends'
+    value:
+      - 'django_auth_ldap.backend.LDAPBackend'
+      - 'django.contrib.auth.backends.ModelBackend'
+    state: '{{ "present" if mailman__ldap_enabled | bool else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_configuration [[[
+#
+# The configuration of the Mailman 3 Web interface defined on all hosts in the
+# Ansible inventory.
+mailman__web_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_group_configuration [[[
+#
+# The configuration of the Mailman 3 Web interface defined on hosts in
+# a specific Ansible inventory group.
+mailman__web_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_host_configuration [[[
+#
+# The configuration of the Mailman 3 Web interface defined on specific hosts in
+# the Ansible inventory.
+mailman__web_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: mailman__web_combined_configuration [[[
+#
+# The variable which combines all other Mailman 3 Web configuration variables
+# and is used in the role tasks and templates.
+mailman__web_combined_configuration: '{{ mailman__web_original_configuration
+                                         + mailman__web_default_configuration
+                                         + mailman__web_ldap_configuration
+                                         + mailman__web_configuration
+                                         + mailman__web_group_configuration
+                                         + mailman__web_host_configuration }}'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mailman/meta/main.yml b/ansible_collections/debops/debops/roles/mailman/meta/main.yml
new file mode 100644
index 00000000..a95e9a9f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage Mailman, Mailing List Manager'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - focal
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - mailman
+    - mail
+    - mailinglist
+    - postfix
diff --git a/ansible_collections/debops/debops/roles/mailman/tasks/main.yml b/ansible_collections/debops/debops/roles/mailman/tasks/main.yml
new file mode 100644
index 00000000..bfe2527d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", mailman__base_packages
+                             + mailman__packages) }}'
+    state: 'present'
+  register: mailman__register_packages
+  until: mailman__register_packages is succeeded
+
+- name: Create systemd configuration directories
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/system/" + item }}'
+    state: 'directory'
+    mode: '0755'
+  loop: [ 'mailman3.service.d', 'mailman3-web.service.d' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Configure systemd services
+  ansible.builtin.template:
+    src: '{{ "etc/systemd/system/" + item + "/dependencies.conf.j2" }}'
+    dest: '{{ "/etc/systemd/system/" + item + "/dependencies.conf" }}'
+    mode: '0644'
+  loop: [ 'mailman3.service.d', 'mailman3-web.service.d' ]
+  notify: [ 'Reload service manager' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Mailman local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mailman.fact.j2'
+    dest: '/etc/ansible/facts.d/mailman.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate Mailman Core configuration
+  ansible.builtin.template:
+    src: 'etc/mailman3/{{ item }}.j2'
+    dest: '/etc/mailman3/{{ item }}'
+    group: '{{ mailman__group }}'
+    mode: '0640'
+  loop: [ 'mailman.cfg', 'mailman-hyperkitty.cfg' ]
+  notify: [ 'Restart mailman3' ]
+
+- name: Generate Mailman Web configuration
+  ansible.builtin.template:
+    src: 'etc/mailman3/mailman-web.py.j2'
+    dest: '/etc/mailman3/mailman-web.py'
+    group: 'www-data'
+    mode: '0640'
+  notify: [ 'Restart mailman3-web' ]
+
+- name: Create required template directories
+  ansible.builtin.file:
+    path: '{{ "/var/lib/mailman3/templates/" + (item.name | dirname) }}'
+    state: 'directory'
+    owner: '{{ mailman__user }}'
+    group: '{{ mailman__group }}'
+    mode: '0755'
+  loop: '{{ mailman__combined_templates | debops.debops.parse_kv_items }}'
+  when: item.state | d('present') != 'absent'
+
+- name: Remove custom Mailman templates if requested
+  ansible.builtin.file:
+    path: '{{ "/var/lib/mailman3/templates/" + item.name }}'
+    state: 'absent'
+  loop: '{{ mailman__combined_templates | debops.debops.parse_kv_items }}'
+  when: item.state | d('present') == 'absent'
+
+- name: Generate custom Mailman templates
+  ansible.builtin.copy:
+    content: '{{ item.content | d("") }}'
+    dest: '{{ "/var/lib/mailman3/templates/" + item.name }}'
+    owner: '{{ mailman__user }}'
+    group: '{{ mailman__group }}'
+    mode: '0644'
+  loop: '{{ mailman__combined_templates | debops.debops.parse_kv_items }}'
+  when: item.state | d('present') != 'absent'
+
+- name: Ensure Postfix lookup tables exist
+  ansible.builtin.command: 'mailman aliases'
+  args:
+    creates: '/var/lib/mailman3/data/postfix_domains'
+  register: mailman__register_aliases
+  become: True
+  become_user: '{{ mailman__user }}'
+
+- name: Create Django superuser account
+  community.general.django_manage:  # noqa no-handler
+    command: 'createsuperuser --noinput --username={{ mailman__superuser_name }} --email={{ mailman__superuser_email }}'
+    app_path: '/usr/share/mailman3-web'
+  when: mailman__register_aliases is changed and
+        not mailman__ldap_enabled | bool
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/ansible/facts.d/mailman.fact.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/ansible/facts.d/mailman.fact.j2
new file mode 100644
index 00000000..f730bffa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/ansible/facts.d/mailman.fact.j2
@@ -0,0 +1,85 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import subprocess
+import os
+import sys
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def get_vars_from_file(filename):
+    import imp
+    f = open(filename)
+    global data
+    data = imp.load_source('data', '', f)
+    f.close()
+
+
+core_config_file = '/etc/mailman3/mailman.cfg'
+web_config_file = '/etc/mailman3/mailman-web.py'
+
+output = {'installed': cmd_exists('mailman')}
+
+if output['installed'] is True:
+
+    try:
+        mailman_version_stdout = subprocess.check_output(
+                ["mailman", "--version"]
+                ).decode('utf-8').strip().split()[2]
+        output['version'] = mailman_version_stdout
+
+    except Exception:
+        pass
+
+    if os.path.exists(core_config_file) and os.path.isfile(core_config_file):
+        try:
+            with open(core_config_file, 'r') as f:
+                for line in f:
+                    if not line.startswith('#') and ':' in line:
+                        line = line.strip().split(':', 1)
+                        key = line[0].strip()
+                        value = line[1].strip()
+
+                        if (key == 'class' and
+                                value.startswith('mailman.database.')):
+                            output['database_class'] = value
+
+                        elif key == 'url':
+                            output['database_url'] = value
+
+                        elif key == 'admin_pass':
+                            output['webservice_admin_pass'] = value
+
+        except Exception:
+            pass
+
+    if os.path.exists(web_config_file) and os.path.isfile(web_config_file):
+        try:
+            exec(open(web_config_file).read())
+            output['secret_key'] = SECRET_KEY
+            output['archiver_key'] = MAILMAN_ARCHIVER_KEY
+            output['web_db_name'] = DATABASES['default']['NAME']
+            output['web_db_user'] = DATABASES['default']['USER']
+            output['web_db_password'] = DATABASES['default']['PASSWORD']
+            output['web_db_host'] = DATABASES['default']['HOST']
+            output['web_db_port'] = DATABASES['default']['PORT']
+
+        except Exception:
+            pass
+
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-hyperkitty.cfg.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-hyperkitty.cfg.j2
new file mode 100644
index 00000000..856a04c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-hyperkitty.cfg.j2
@@ -0,0 +1,82 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# This is the mailman extension configuration file to enable HyperKitty as an
+# archiver. Remember to add the following lines in the mailman.cfg file:
+#
+# [archiver.hyperkitty]
+# class: mailman_hyperkitty.Archiver
+# enable: yes
+# configuration: /etc/mailman3/mailman-hyperkitty.cfg
+#
+
+{% for section in mailman__hyperkitty_combined_configuration | debops.debops.parse_kv_items %}
+{%   if section.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if not loop.first %}
+
+{%     endif %}
+{%     if section.separator | d() %}
+
+{%     endif %}
+{%     if section.state | d('present') != 'hidden' %}
+{{ "[{}]".format(section.name) }}
+{%     endif %}
+{%     if section.comment | d() %}
+{{ section.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       if section.name == 'paths.debian' %}
+#
+{%       endif %}
+{%     endif %}
+{%     if section.options | d() %}
+{%       for option in section.options %}
+{%         if option.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%           if ((option.comment | d() or option.separator | d()) and
+                 section.name not in [ 'paths.debian' ] and
+                 (not loop.first or section.comment | d())) %}
+
+{%           endif %}
+{%           if option.comment | d() %}
+{{ option.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%           endif %}
+{%           set option_comment = '' %}
+{%           if option.state | d('present') == 'comment' %}
+{%             set option_comment = '#' %}
+{%           endif %}
+{%           set option_name = (option.option | d(option.name)) %}
+{%           if option.value | bool and option.value is not iterable %}
+{%             if option.value | int and option.value | string != 'True' %}
+{%               set option_value = option.value %}
+{%             else %}
+{%               set option_value = 'yes' %}
+{%             endif %}
+{%           elif not option.value | bool and option.value is not iterable %}
+{%             if option.value is not none %}
+{%               if option.value | int or option.value | string == '0' %}
+{%                 set option_value = option.value %}
+{%               else %}
+{%                 set option_value = 'no' %}
+{%               endif %}
+{%             endif %}
+{%           else %}
+{%             set option_value = (([ option.value ]
+                                    if (option.value is string or
+                                        option.value is not iterable)
+                                    else (option.value
+                                          | selectattr("state", "equalto", "present")
+                                          | map(attribute="name")
+                                          | list))
+                                   | join(' ')) %}
+{%           endif %}
+{%           if option_value %}
+{{ "{}{}: {}".format(option_comment, option_name, option_value) }}
+{%           else %}
+{{ "{}{}:".format(option_comment, option_name) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-web.py.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-web.py.j2
new file mode 100644
index 00000000..b094754f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman-web.py.j2
@@ -0,0 +1,106 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+# -*- coding: utf-8 -*-
+
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+
+{% for element in mailman__web_combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set element_name = (element.option | d(element.name)) %}
+{%     set option_comment = ('# ' if (element.state | d('present') == 'comment') else '') %}
+{%     if ((element.comment | d() or (element.separator | d() | bool)) and not loop.first) %}
+
+{%     endif %}
+{%     if element.comment | d() %}
+{{       element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     if element.raw | d() %}
+{%       if element.state | d('present') == 'comment' %}
+{{         ('{}'.format(element.raw | regex_replace('\n$', ''))) | comment(prefix='', postfix='') }}
+{%       else %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%       endif %}
+{%     elif element.value | d() %}
+{%       if element.value | bool and element.value is not iterable %}
+{%         if element.value | int and element.value | string != 'True' %}
+{{           '{}{} = {}'.format(option_comment, element_name | upper, element.value) }}
+{%         else %}
+{{           '{}{} = True'.format(option_comment, element_name | upper) }}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int or element.value | string == '0' %}
+{{             '{}{} = {}'.format(option_comment, element_name | upper, element.value) }}
+{%           else %}
+{{             '{}{} = False'.format(option_comment, element_name | upper) }}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         if element.type | d() == 'tuple' %}
+{%           if element.value | count == 2 %}
+{{             "{}{} = ('{}')".format(option_comment, element_name | upper, element.value | join("', '")) }}
+{%           else %}
+{{             '{}{} = ('.format(option_comment, element_name | upper) }}
+{%             for tuple_value in element.value %}
+{%               if tuple_value is string %}
+{{                 (option_comment + "'" + tuple_value + "',") | indent(4, true) }}
+{%               else %}
+{{                 (option_comment + "('" + tuple_value | join("', '") + "'),") | indent(4, true) }}
+{%               endif %}
+{%             endfor %}
+{{             (option_comment + ')') }}
+{%           endif %}
+{%         elif element.type | d() == 'raw' %}
+{%           if element.state | d('present') == 'comment' %}
+{{             ('{} = {}'.format(element_name | upper, element.value)) | comment(prefix='', postfix='') }}
+{%           else %}
+{{             '{} = {}'.format(element_name | upper, element.value) }}
+{%           endif %}
+{%         else %}
+{%           if element.state | d('present') == 'comment' %}
+{{             ('{} = {}'.format(element_name | upper, element.value | to_nice_json)) | comment(prefix='', postfix='') }}
+{%           else %}
+{{             '{} = {}'.format(element_name | upper, element.value | to_nice_json) }}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     elif element.options | d() %}
+{%       if element.type | d() == 'tuple' %}
+{{         '{}{} = ('.format(option_comment, element_name | upper) }}
+{%         for entry in element.options %}
+{%           if entry.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%             set entry_comment = ('#' if (entry.state | d('present') == 'comment') else '') %}
+{%             if entry.comment | d() %}
+{{               (entry.comment | regex_replace('\n$','') | comment(prefix='', postfix=''))| indent(4, true) -}}
+{%             endif %}
+{{             (option_comment + entry_comment + "'" + entry.name + "',") | indent(4, true) }}
+{%           endif %}
+{%         endfor %}
+{{         (option_comment + ')') }}
+{%       else %}
+{{         '{}{} = ['.format(option_comment, element_name | upper) }}
+{%         for entry in element.options %}
+{%           if entry.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%             set entry_comment = ('#' if (entry.state | d('present') == 'comment') else '') %}
+{%             if entry.comment | d() %}
+{{               (entry.comment | regex_replace('\n$','') | comment(prefix='', postfix=''))| indent(4, true) -}}
+{%             endif %}
+{{             (option_comment + entry_comment + "'" + entry.name + ("'," if not loop.last else "'")) | indent(4, true) }}
+{%           endif %}
+{%         endfor %}
+{{         (option_comment + ']') }}
+{%       endif %}
+{%     elif element.config is defined %}
+{{       '{}{} = '.format(option_comment, element_name | upper) -}}
+{%       if element.state | d('present') == 'comment' %}
+{{         '{}'.format(((element.config | to_nice_json) | comment(prefix='', postfix=''))) | regex_replace('^# {', '{') -}}
+{%       else %}
+{{         '{}'.format(element.config | to_nice_json) }}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman.cfg.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman.cfg.j2
new file mode 100644
index 00000000..ed6d88c8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/mailman3/mailman.cfg.j2
@@ -0,0 +1,95 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+# Copyright (C) 2008-2017 by the Free Software Foundation, Inc.
+#
+# This file is part of GNU Mailman.
+#
+# GNU Mailman is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# GNU Mailman is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# GNU Mailman.  If not, see <https://www.gnu.org/licenses/>.
+
+# This file contains the Debian configuration for mailman.  It uses ini-style
+# formats under the lazr.config regime to define all system configuration
+# options.  See <https://launchpad.net/lazr.config> for details.
+
+
+{% for section in mailman__core_combined_configuration | debops.debops.parse_kv_items %}
+{%   if section.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if not loop.first %}
+
+{%     endif %}
+{%     if section.separator | d() %}
+
+{%     endif %}
+{%     if section.state | d('present') != 'hidden' %}
+{{ "[{}]".format(section.name) }}
+{%     endif %}
+{%     if section.comment | d() %}
+{{ section.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       if section.name == 'paths.debian' %}
+#
+{%       endif %}
+{%     endif %}
+{%     if section.options | d() %}
+{%       for option in section.options %}
+{%         if option.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%           if ((option.comment | d() or option.separator | d()) and
+                 section.name not in [ 'paths.debian' ] and
+                 (not loop.first or section.comment | d())) %}
+
+{%           endif %}
+{%           if option.comment | d() %}
+{{ option.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%           endif %}
+{%           set option_comment = '' %}
+{%           if option.state | d('present') == 'comment' %}
+{%             set option_comment = '#' %}
+{%           endif %}
+{%           set option_name = (option.option | d(option.name)) %}
+{%           if option.value | bool and option.value is not iterable %}
+{%             if option.value | int and option.value | string != 'True' %}
+{%               set option_value = option.value %}
+{%             else %}
+{%               set option_value = 'yes' %}
+{%             endif %}
+{%           elif not option.value | bool and option.value is not iterable %}
+{%             if option.value is not none %}
+{%               if option.value | int or option.value | string == '0' %}
+{%                 set option_value = option.value %}
+{%               else %}
+{%                 set option_value = 'no' %}
+{%               endif %}
+{%             endif %}
+{%           else %}
+{%             set option_value = (([ option.value ]
+                                    if (option.value is string or
+                                        option.value is not iterable)
+                                    else (option.value
+                                          | selectattr("state", "equalto", "present")
+                                          | map(attribute="name")
+                                          | list))
+                                   | join(' ')) %}
+{%           endif %}
+{%           if option_value %}
+{{ "{}{}: {}".format(option_comment, option_name, option_value) }}
+{%           else %}
+{{ "{}{}:".format(option_comment, option_name) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3-web.service.d/dependencies.conf.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3-web.service.d/dependencies.conf.j2
new file mode 100644
index 00000000..f703ec1f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3-web.service.d/dependencies.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Add additional service dependencies to Mailman 3 Web service
+[Unit]
+After=postgresql.service mysql.service apache2.service nginx.service mailman3.service network.target network-online.target
+Wants=mailman3.service
diff --git a/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3.service.d/dependencies.conf.j2 b/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3.service.d/dependencies.conf.j2
new file mode 100644
index 00000000..846f4899
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mailman/templates/etc/systemd/system/mailman3.service.d/dependencies.conf.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2020      CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Add additional service dependencies to Mailman 3 Core service
+[Unit]
+After=postgresql.service mysql.service postfix.service network.target network-online.target
diff --git a/ansible_collections/debops/debops/roles/mariadb/COPYRIGHT b/ansible_collections/debops/debops/roles/mariadb/COPYRIGHT
new file mode 100644
index 00000000..e6ad13a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.mariadb - Manage MariaDB database client
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mariadb/defaults/main.yml b/ansible_collections/debops/debops/roles/mariadb/defaults/main.yml
new file mode 100644
index 00000000..372b59d7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/defaults/main.yml
@@ -0,0 +1,394 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _mariadb__ref_defaults:
+
+# debops.mariadb default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# MariaDB server configuration [[[
+# --------------------------------
+
+# .. envvar:: mariadb__server [[[
+#
+# FQDN hostname of the MariaDB server. If a local MariaDB server is detected, it
+# will override this variable automatically. Only one server at a time is
+# currently supported per host.
+mariadb__server: ''
+
+                                                                   # ]]]
+# .. envvar:: mariadb__port [[[
+#
+# Port number on which to connect to the server. You usually don't need to
+# change this.
+mariadb__port: '3306'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__client [[[
+#
+# When the database server is used remotely, this variable defines the "host"
+# part of the client username. If a local MariaDB server is detected, this
+# variable will be automatically changed to ``localhost``.
+mariadb__client: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__delegate_to [[[
+#
+# When the MariaDB server is used remotely, Ansible needs to run tasks on the
+# correct host. This variable controls the task delegation to the correct
+# database server.
+#
+# If the MariaDB server is run locally, this should point to the inventory name
+# of the current host, NOT ``localhost`` because that would delegate the tasks
+# to the Ansible Controller.
+mariadb__delegate_to: '{{ mariadb__server
+                          if (mariadb__server | d() and
+                              mariadb__server != "localhost")
+                          else inventory_hostname }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# MariaDB APT packages [[[
+# ------------------------
+
+# .. envvar:: mariadb__flavor [[[
+#
+# Variable which defines what database engine to use:
+#
+# - ``mariadb``: default, use MariaDB engine from Debian repository
+#
+# - ``mariadb_upstream``: use MariaDB engine from upstream repository
+#
+# - ``mysql-5.6_galera-3``: use MySQL 5.6 engine with Galera from Codership
+#   repository
+#
+# - ``mysql-5.7_galera-3``: use MySQL 5.7 engine with Galera from Codership
+#   repository
+#
+# - ``percona-8.0``: use Percona 8.0 from upstream repository
+#
+# - ``percona-5.7``: use Percona 5.7 from upstream repository
+#
+# The choice depends on availability of MariaDB packages in a distribution.
+# Percona needs to be selected explicitly.
+mariadb__flavor: '{{ ansible_local.mariadb.flavor | d("mariadb") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__apt_key [[[
+#
+# String or list of GPG keys which should be added to the APT key database to
+# authenticate the external repositories. If this value is set to `False` no
+# extra APT key will be added.
+mariadb__apt_key: '{{ mariadb__apt_key_map[mariadb__flavor] | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__apt_key_map [[[
+#
+# A YAML dictionary map which keeps GPG key ids for APT repository keys of
+# different MariaDB/MySQL/Percona APT repositories. These GPG keys will be
+# downloaded if any of the listed flavors is selected.
+mariadb__apt_key_map:
+
+  'mariadb': []
+
+  'mariadb_upstream':
+    - id: '199369E5404BD5FC7D2FE43BCBCB082A1BB943DB'
+    - id: '177F4010FE56CA3336300305F1656F24C74CD1D8'
+    - repo: 'deb {{ mariadb__upstream_mirror }} {{ ansible_distribution_release }} main'
+
+  'mysql-5.6_galera-3':
+    - id: '44B7345738EBDE52594DAD80D669017EBC19DDBA'
+    - repo: 'deb http://releases.galeracluster.com/mysql-wsrep-5.6/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+    - repo: 'deb http://releases.galeracluster.com/galera-3/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+
+  'mysql-5.7_galera-3':
+    - id: '44B7345738EBDE52594DAD80D669017EBC19DDBA'
+    - repo: 'deb http://releases.galeracluster.com/mysql-wsrep-5.7/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+    - repo: 'deb http://releases.galeracluster.com/galera-3/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+
+  'percona-8.0':
+    - id: '4D1BB29D63D98E422B2113B19334A25F8507EFA5'
+    - repo: 'deb http://repo.percona.com/ps-80/apt {{ ansible_distribution_release }} main'
+    - repo: 'deb http://repo.percona.com/tools/apt {{ ansible_distribution_release }} main'
+
+  'percona-5.7':
+    - id: '4D1BB29D63D98E422B2113B19334A25F8507EFA5'
+    - repo: 'deb http://repo.percona.com/ps-57/apt {{ ansible_distribution_release }} main'
+    - repo: 'deb http://repo.percona.com/tools/apt {{ ansible_distribution_release }} main'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__upstream_version [[[
+#
+# Version of the MariaDB upstream.
+mariadb__upstream_version: '10.1'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__upstream_mirror [[[
+#
+# URL of the MariaDB upstream mirror.
+mariadb__upstream_mirror: 'http://nyc2.mirrors.digitalocean.com/mariadb/repo/{{ mariadb__upstream_version }}/{{ ansible_distribution | lower }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__base_packages [[[
+#
+# List of APT packages that should be installed with any database engine
+# selected.
+mariadb__base_packages: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb__packages [[[
+#
+# List of additional packages to install with the database client.
+mariadb__packages: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb__packages_map [[[
+#
+# Dictionary with list of packages that will be installed with a particular
+# database engine.
+mariadb__packages_map:
+  'mariadb': [ 'mariadb-client' ]
+  'mariadb_upstream': [ 'mariadb-client' ]
+  'mysql-5.6_galera-3': [ 'mysql-wsrep-client-5.6' ]
+  'mysql-5.7_galera-3': [ 'mysql-wsrep-client-5.7' ]
+  'percona-8.0': [ 'percona-server-client' ]
+  'percona-5.7': [ 'percona-server-client-5.7' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# MariaDB client system-wide configuration [[[
+# --------------------------------------------
+
+# The MariaDB/MySQL client configuration is managed in
+# :file:`/etc/mysql/conf.d/client.cnf` configuration file, generated by an Ansible
+# template. Check :ref:`mariadb__ref_options` for more details about the
+# syntax used to configure the server.
+
+# .. envvar:: mariadb__client_charset_options [[[
+#
+# Configuration options related to charset and string encoding on the client.
+mariadb__client_charset_options:
+  'default_character_set': 'utf8mb4'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__client_remote_host_options [[[
+#
+# These options will be enabled only if local MariaDB/MySQL server is not
+# detected. The configuration will detect the presence of an SSL tunnel and
+# configure the server connection details accordingly.
+mariadb__client_remote_host_options:
+  - name: 'remote-host-options'
+    state: '{{ "present"
+               if (not mariadb__register_version.stdout | d(False))
+               else "absent" }}'
+    options:
+
+      - name: 'remote-host-not-tunnel'
+        state: '{{ "present"
+                   if (mariadb__register_tunnel.rc | d() != 0)
+                   else "absent" }}'
+        options:
+          'host': '{{ mariadb__server }}'
+          'port': '{{ mariadb__port }}'
+
+      - name: 'remote-host-tunnel'
+        state: '{{ "present"
+                   if (mariadb__register_tunnel.rc | d() == 0)
+                   else "absent" }}'
+        options:
+          'host': '127.0.0.1'
+          'port': '{{ mariadb__port }}'
+
+      - name: 'pki-options'
+        comment: 'Support for SSL connections'
+        state: '{{ "present" if mariadb__pki | bool else "absent" }}'
+        options:
+          'ssl':
+          'ssl_ca':     '{{ mariadb__pki_path + "/" + mariadb__pki_realm + "/" + mariadb__pki_ca }}'
+          'ssl_cert':   '{{ mariadb__pki_path + "/" + mariadb__pki_realm + "/" + mariadb__pki_crt }}'
+          'ssl_key':    '{{ mariadb__pki_path + "/" + mariadb__pki_realm + "/" + mariadb__pki_key }}'
+          'ssl_cipher': '{{ mariadb__pki_cipher }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__client_options [[[
+#
+# Configuration options set in :file:`/etc/mysql/conf.d/client.cnf` file. This is
+# a "master variable" for the rest of the configuration variables.
+mariadb__client_options:
+  - section: 'client'
+    options:
+      - '{{ mariadb__client_charset_options }}'
+      - '{{ mariadb__client_remote_host_options }}'
+      - '{{ mariadb__options }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__options [[[
+#
+# Dictionary or list with custom MariaDB client options.
+mariadb__options: {}
+
+                                                                   # ]]]
+# .. envvar:: mariadb__client_cnf_file [[[
+#
+# Absolute path for the client configuration file managed by the
+# ``debops.mariadb`` Ansible role.
+mariadb__client_cnf_file: '{{ "/etc/mysql/mariadb.conf.d/90-client.cnf"
+                              if (mariadb__register_confd.stat.exists | bool)
+                              else "/etc/mysql/conf.d/zz-client.cnf" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL configuration [[[
+# ---------------------
+
+# .. envvar:: mariadb__pki [[[
+#
+# Enable or disable support for SSL in MariaDB (using :ref:`debops.pki`).
+mariadb__pki: '{{ (True
+                   if (ansible_local.pki.enabled | d() and
+                       mariadb__pki_realm in ansible_local.pki.known_realms)
+                   else False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_path [[[
+#
+# Base path for PKI directory.
+mariadb__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_realm [[[
+#
+# Default PKI realm used by MariaDB (Debian MariaDB packages do not support chained
+# certificates, see https://bugs.debian.org/630625).
+mariadb__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_ca [[[
+#
+# Root CA certificate used by MariaDB, relative to :envvar:`mariadb__pki_realm`.
+mariadb__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_crt [[[
+#
+# Host certificate used by MariaDB, relative to :envvar:`mariadb__pki_realm`.
+mariadb__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_key [[[
+#
+# Host private key used by MariaDB, relative to :envvar:`mariadb__pki_realm`.
+mariadb__pki_key: 'default.key'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__pki_cipher [[[
+#
+# Cipher suite used for encrypted connections.
+mariadb__pki_cipher: 'DHE-RSA-AES256-SHA'
+                                                                   # ]]]
+                                                                   # ]]]
+# User account privileges [[[
+# ---------------------------
+
+# .. envvar:: mariadb__default_privileges [[[
+#
+# Should ``debops.mariadb`` automatically grant all privileges to a database
+# named the same as the username for a given user account? This is equivalent
+# to::
+#
+#     GRANT ALL PRIVILEGES ON `<user>`.* TO `<user>`@`<host>`;
+#
+mariadb__default_privileges: True
+
+                                                                   # ]]]
+# .. envvar:: mariadb__default_privileges_aux [[[
+#
+# Should ``debops.mariadb`` automatically grant all privileges to databases
+# with the same prefix as the username for a given user account? This is
+# equivalent to::
+#
+#     GRANT ALL PRIVILEGES ON `<user>\_%`.* TO `<user>`@`<host>`;
+#
+mariadb__default_privileges_aux: True
+
+                                                                   # ]]]
+# .. envvar:: mariadb__default_privileges_grant [[[
+#
+# Default privileges granted automatically. See Ansible ``mysql_user`` module
+# for list and format of privileges.
+mariadb__default_privileges_grant: 'ALL'
+                                                                   # ]]]
+                                                                   # ]]]
+# Databases, user accounts [[[
+# ----------------------------
+
+# .. envvar:: mariadb__password_length [[[
+#
+# Length of automatically generated user accounts, saved in the ``secret/``
+# directory. See :ref:`debops.secret` role for more details about passwords.
+mariadb__password_length: '48'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__databases [[[
+#
+# List of databases configured on the MariaDB server. See
+# :ref:`mariadb__databases` for more details.
+mariadb__databases: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb__dependent_databases [[[
+#
+# List of databases configured on the MariaDB server, defined by another
+# Ansible role.
+mariadb__dependent_databases: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb__users [[[
+#
+# List of user accounts configured on the MariaDB server. See
+# :ref:`mariadb__users` for more details.
+mariadb__users: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb__dependent_users [[[
+#
+# List of user accounts configured on the MariaDB server, defined by another
+# Ansible role.
+mariadb__dependent_users: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: mariadb__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+mariadb__keyring__dependent_apt_keys:
+
+  - '{{ mariadb__apt_key }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mariadb__python__dependent_packages3:
+
+  - 'python3-mysqldb'
+
+                                                                   # ]]]
+# .. envvar:: mariadb__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mariadb__python__dependent_packages2:
+
+  - 'python-mysqldb'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mariadb/meta/main.yml b/ansible_collections/debops/debops/roles/mariadb/meta/main.yml
new file mode 100644
index 00000000..1fed4a62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage a MariaDB / MySQL client'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mariadb
+    - mysql
+    - percona
+    - database
+    - sql
diff --git a/ansible_collections/debops/debops/roles/mariadb/tasks/main.yml b/ansible_collections/debops/debops/roles/mariadb/tasks/main.yml
new file mode 100644
index 00000000..567bbbcb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/tasks/main.yml
@@ -0,0 +1,98 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# Ansible does not support management of multiple MariaDB / MySQL from one user
+# account, so if a database server is installed locally, we will avoid messing
+# with local root account to not lose the control over it.
+- name: Check if database server is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'mariadb-server' 'mysql-server'
+                                         'percona-server-server*'
+         | grep -v '^$'
+  args:
+    executable: 'bash'
+  register: mariadb__register_version
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Check if local database port is open
+  ansible.builtin.command: nc -z localhost {{ mariadb__port }}
+  register: mariadb__register_tunnel
+  when: not mariadb__register_version.stdout
+  failed_when: False
+  changed_when: False
+
+- name: Override delegation if tunnel is detected
+  ansible.builtin.set_fact:
+    mariadb__delegate_to: '{{ mariadb__server | d("undefined") }}'
+  when: (not mariadb__register_version.stdout | d(False) and
+         (mariadb__register_tunnel | d() and mariadb__register_tunnel.rc == 0))
+
+- name: Override configuration if local server is detected
+  ansible.builtin.set_fact:
+    mariadb__server: 'localhost'
+    mariadb__client: 'localhost'
+  when: (mariadb__register_version.stdout | d(False) or
+         (mariadb__register_tunnel | d() and mariadb__register_tunnel.rc == 0))
+
+- name: Install database client packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (mariadb__base_packages
+                              + mariadb__packages_map[mariadb__flavor]
+                              + mariadb__packages)) }}'
+    state: 'present'
+  register: mariadb__register_packages
+  until: mariadb__register_packages is succeeded
+
+- name: Check if MariaDB config directory exists
+  ansible.builtin.stat:
+    path: '/etc/mysql/mariadb.conf.d'
+  register: mariadb__register_confd
+
+- name: Configure database client defaults
+  ansible.builtin.template:
+    src: 'etc/mysql/conf.d/client.cnf.j2'
+    dest: '{{ mariadb__client_cnf_file }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: mariadb__server | d(False)
+
+- name: Make sure that local fact directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save MariaDB local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mariadb.fact.j2'
+    dest: '/etc/ansible/facts.d/mariadb.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage database contents
+  ansible.builtin.include_tasks: 'manage_contents.yml'
+  when: (mariadb__server | d(False) and mariadb__delegate_to)
+  tags: [ 'role::mariadb:contents' ]
diff --git a/ansible_collections/debops/debops/roles/mariadb/tasks/manage_contents.yml b/ansible_collections/debops/debops/roles/mariadb/tasks/manage_contents.yml
new file mode 100644
index 00000000..a70e568c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/tasks/manage_contents.yml
@@ -0,0 +1,214 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Drop databases if requested
+  community.mysql.mysql_db:
+    name: '{{ item.database | d(item.name) }}'
+    state: 'absent'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  loop: '{{ q("flattened", mariadb__databases + mariadb__dependent_databases + mariadb_databases | d([])) }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.database | d(False) or item.name | d(False)) and
+         (item.state is defined and item.state == 'absent'))
+
+- name: Create databases
+  community.mysql.mysql_db:
+    name: '{{ item.database | d(item.name) }}'
+    state: 'present'
+    encoding: '{{ item.encoding | d(omit) }}'
+    collation: '{{ item.collation | d(omit) }}'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  loop: '{{ q("flattened", mariadb__databases + mariadb__dependent_databases + mariadb_databases | d([])) }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.database | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != 'absent'))
+  register: mariadb__register_database_status
+
+- name: Copy database source file to remote host
+  ansible.builtin.copy:  # noqa no-handler
+    src: '{{ item.0.source }}'
+    dest: '{{ item.0.target }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  with_together:
+    - '{{ mariadb__databases
+          + lookup("flattened", mariadb__dependent_databases, wantlist=True)
+          + mariadb_databases | d([]) }}'
+    - '{{ mariadb__register_database_status.results }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.0.database | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != 'absent') and
+         (item.0.source | d(False) and item.0.target | d(False)) and
+         (item.0.name == item.1.db and item.1 is changed))
+
+- name: Import source file contents into database
+  community.mysql.mysql_db:  # noqa no-handler
+    name: '{{ item.0.database | d(item.0.name) }}'
+    target: '{{ item.0.target }}'
+    state: 'import'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  with_together:
+    - '{{ mariadb__databases
+          + lookup("flattened", mariadb__dependent_databases, wantlist=True)
+          + mariadb_databases | d([]) }}'
+    - '{{ mariadb__register_database_status.results }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.0.database | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != 'absent') and
+         item.0.target | d(False) and (item.0.name == item.1.db and item.1 is changed))
+
+- name: Remove source files
+  ansible.builtin.file:
+    dest: '{{ item.target }}'
+    state: 'absent'
+  loop: '{{ q("flattened", mariadb__databases + mariadb__dependent_databases + mariadb_databases | d([])) }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.database | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != 'absent') and
+         (item.source | d(False) and item.target | d(False)) and
+         (item.target_delete is undefined or item.target_delete))
+
+- name: Drop user accounts if requested
+  community.mysql.mysql_user:
+    name: '{{ item.user | d(item.name) }}'
+    host: '{{ item.host | default(mariadb__client) }}'
+    state: 'absent'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is defined and item.state == "absent"))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create user accounts
+  community.mysql.mysql_user:
+    name: '{{ item.user | d(item.name) }}'
+    host: '{{ item.host | default(mariadb__client) }}'
+    state: 'present'
+    password: '{{ item.password | default(lookup("password",
+                  secret + "/mariadb/" + mariadb__delegate_to +
+                  "/credentials/" + item.user | d(item.name) + "/password " +
+                  "length=" + mariadb__password_length)) }}'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  register: mariadb__register_create_users
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != "absent"))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Grant default privileges to users
+  community.mysql.mysql_user:
+    name: '{{ item.0.user | d(item.0.name) }}'
+    host: '{{ item.0.host | default(mariadb__client) }}'
+    priv: '{{ (item.0.database | d(item.0.name)) + ".*:" + mariadb__default_privileges_grant }}'
+    append_privs: True
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  with_together:
+    - '{{ mariadb__users + lookup("flattened", mariadb__dependent_users, wantlist=True) + mariadb_users | d([]) }}'
+    - '{{ mariadb__register_create_users.results }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.0.user | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != "absent") and
+         mariadb__default_privileges | d(False) and
+         (item.0.priv_default is undefined or item.0.priv_default))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Grant auxiliary privileges to users
+  community.mysql.mysql_user:
+    name: '{{ item.0.user | d(item.0.name) }}'
+    host: '{{ item.0.host | default(mariadb__client) }}'
+    priv: '{{ (item.0.database | d(item.0.name)) + "\_%.*:" + mariadb__default_privileges_grant }}'
+    append_privs: True
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  with_together:
+    - '{{ mariadb__users + lookup("flattened", mariadb__dependent_users, wantlist=True) + mariadb_users | d([]) }}'
+    - '{{ mariadb__register_create_users.results }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.0.user | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != "absent") and
+         mariadb__default_privileges_aux | d(False) and
+         (item.0.priv_aux is undefined or item.0.priv_aux))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Grant custom privileges to users
+  community.mysql.mysql_user:
+    name: '{{ item.0.user | d(item.0.name) }}'
+    host: '{{ item.0.host | default(mariadb__client) }}'
+    priv: '{{ item.0.priv if (item.0.priv is string) else (item.0.priv | join("/")) }}'
+    append_privs: '{{ item.0.append_privs | default(True) }}'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  with_together:
+    - '{{ mariadb__users + lookup("flattened", mariadb__dependent_users, wantlist=True) + mariadb_users | d([]) }}'
+    - '{{ mariadb__register_create_users.results }}'
+  delegate_to: '{{ mariadb__delegate_to }}'
+  when: ((item.0.user | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != "absent") and
+         item.0.priv | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Make sure required system groups exist
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.owner) }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != "absent") and
+         item.owner | d(False) and item.home | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Make sure required system accounts exist
+  ansible.builtin.user:
+    name: '{{ item.owner }}'
+    group: '{{ item.group | d(item.owner) }}'
+    home: '{{ item.home }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is undefined or item.state != "absent") and
+         item.owner | d(False) and item.home | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove ~/.my.cnf from owner home if requested
+  ansible.builtin.file:
+    dest: '{{ "~" + item.owner + "/.my.cnf" }}'
+    state: 'absent'
+  loop: '{{ q("flattened", mariadb__users + mariadb__dependent_users + mariadb_users | d([])) }}'
+  when: ((item.user | d(False) or item.name | d(False)) and
+         (item.state is defined and item.state == "absent") and
+         item.owner | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Ensure that directory for custom file path .my.cnf exists
+  ansible.builtin.file:
+    path: '{{ item.0.creds_path | regex_replace("^(.*/).*$", "\\1") }}'
+    state: 'directory'
+    mode: '{{ item.0.mode | d("0755") }}'
+  with_together:
+    - '{{ mariadb__users + lookup("flattened", mariadb__dependent_users, wantlist=True) + mariadb_users | d([]) }}'
+    - '{{ mariadb__register_create_users.results }}'
+  when: ((item.0.user | d(False) or item.0.name | d(False)) and
+         (item.0.state | d("present") != "absent") and
+         item.0.creds_path | d(False) and
+         item.0.owner | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Write ~/.my.cnf in owner home directory
+  ansible.builtin.template:
+    src: 'home/my.cnf.j2'
+    dest: '{{ item.0.creds_path | d("~" + item.0.owner + "/.my.cnf") }}'
+    owner: '{{ item.0.owner }}'
+    group: '{{ item.0.group | default(item.0.owner) }}'
+    mode: '{{ item.0.mode | default("0640") }}'
+  with_together:
+    - '{{ mariadb__users + lookup("flattened", mariadb__dependent_users, wantlist=True) + mariadb_users | d([]) }}'
+    - '{{ mariadb__register_create_users.results }}'
+  when: ((item.0.user | d(False) or item.0.name | d(False)) and
+         (item.0.state is undefined or item.0.state != "absent") and
+         item.0.owner | d(False))
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/mariadb/templates/etc/ansible/facts.d/mariadb.fact.j2 b/ansible_collections/debops/debops/roles/mariadb/templates/etc/ansible/facts.d/mariadb.fact.j2
new file mode 100644
index 00000000..deb44ecc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/templates/etc/ansible/facts.d/mariadb.fact.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set mariadb__tpl_client      = ansible_local.mariadb.client | d(mariadb__client) %}
+{% set mariadb__tpl_delegate_to = ansible_local.mariadb.delegate_to | d(mariadb__delegate_to) %}
+{% set mariadb__tpl_host        = ansible_local.mariadb.host | d(mariadb__client) %}
+{% set mariadb__tpl_server      = ansible_local.mariadb.server | d(mariadb__server) %}
+{% if mariadb__register_version.stdout %}
+{%   set mariadb__tpl_client      = "localhost" %}
+{%   set mariadb__tpl_delegate_to = mariadb__delegate_to %}
+{%   set mariadb__tpl_host        = "localhost" %}
+{%   set mariadb__tpl_server      = "localhost" %}
+{% elif mariadb__register_tunnel | d() and mariadb__register_tunnel.rc == 0 %}
+{%   set mariadb__tpl_client      = "localhost" %}
+{%   set mariadb__tpl_delegate_to = mariadb__delegate_to %}
+{%   set mariadb__tpl_host        = "localhost" %}
+{%   set mariadb__tpl_server      = "localhost" %}
+{% endif %}
+{
+"client": "{{ mariadb__tpl_client }}",
+"delegate_to": "{{ mariadb__tpl_delegate_to }}",
+"flavor": "{{ ansible_local.mariadb.flavor | d(mariadb__flavor) }}",
+"host": "{{ mariadb__tpl_host }}",
+"port": "{{ ansible_local.mariadb.port | d(mariadb__port) }}",
+"server": "{{ mariadb__tpl_server }}"
+}
diff --git a/ansible_collections/debops/debops/roles/mariadb/templates/etc/mysql/conf.d/client.cnf.j2 b/ansible_collections/debops/debops/roles/mariadb/templates/etc/mysql/conf.d/client.cnf.j2
new file mode 100644
index 00000000..f6767b2b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/templates/etc/mysql/conf.d/client.cnf.j2
@@ -0,0 +1,65 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_config(config) %}
+{%   if config is mapping %}
+{%     if 'section' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+[{{ config.section }}]
+
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     elif 'name' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         elif config.value | d() %}
+{{ '%-30s = "%s"' | format(config.name, config.value) }}
+{%         else %}
+{{ config.name }}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       if config %}
+{%         for option in config.keys() | sort %}
+{%           if config[option] is not none %}
+{{ '%-30s = "%s"' | format(option, config[option]) }}
+{%           else %}
+{{ option }}
+{%           endif %}
+{%         endfor %}
+
+{%       endif %}
+{%     endif %}
+{%   else %}
+{%     for element in config %}
+{{ print_config(element) -}}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% for item in mariadb__client_options %}
+{{ print_config(item) -}}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mariadb/templates/home/my.cnf.j2 b/ansible_collections/debops/debops/roles/mariadb/templates/home/my.cnf.j2
new file mode 100644
index 00000000..425b114d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb/templates/home/my.cnf.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set item = item.0 %}
+# {{ ansible_managed }}
+
+[client]
+
+{% if mariadb__server != "localhost" %}
+host={{ item.server | d(mariadb__server) }}
+port={{ item.server_port | d(mariadb__port) }}
+{% else %}
+# host={{ item.server | d(mariadb__server) }}
+# port={{ item.server_port | d(mariadb__port) }}
+{% endif %}
+user={{ item.user | d(item.name) }}
+password="{{ item.password | default(lookup('password', secret + '/mariadb/' + mariadb__delegate_to | d('undefined') + '/credentials/' + item.user | d(item.name) + '/password ' + 'length=' + mariadb__password_length)) }}"
+{% if item.database | d(False) %}
+database={{ item.database }}
+{% endif %}
+{% if item.options | d(False) %}
+{{ item.options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/COPYRIGHT b/ansible_collections/debops/debops/roles/mariadb_server/COPYRIGHT
new file mode 100644
index 00000000..892813dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.mariadb_server - Manage MariaDB database server
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/defaults/main.yml b/ansible_collections/debops/debops/roles/mariadb_server/defaults/main.yml
new file mode 100644
index 00000000..6565f3bf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/defaults/main.yml
@@ -0,0 +1,502 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _mariadb_server__ref_defaults:
+
+# debops.mariadb_server default variables [[[
+# ===========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# MariaDB Server APT packages [[[
+# -------------------------------
+
+# .. envvar:: mariadb_server__flavor [[[
+#
+# Variable which defines what database engine to use:
+#
+# - ``mariadb``: default, use MariaDB engine from Debian repository
+#
+# - ``mariadb_upstream``: use MariaDB engine from upstream repository
+#
+# - ``mysql-5.6_galera-3``: use MySQL 5.6 engine with Galera from Codership
+#   repository
+#
+# - ``mysql-5.7_galera-3``: use MySQL 5.7 engine with Galera from Codership
+#   repository
+#
+# - ``percona-8.0``: use Percona 8.0 from its upstream repository, it includes
+#   XtraDB and optionally TokuDB and MyRocks engines
+#
+# - ``percona-5.7``: use Percona 5.7 from its upstream repository, it includes
+#   XtraDB and optionally TokuDB and MyRocks engines
+#
+# Percona needs to be selected explicitly.
+mariadb_server__flavor: '{{ ansible_local.mariadb.flavor | d("mariadb") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__apt_key [[[
+#
+# String or list of GPG keys which should be added to the APT key database to
+# authenticate the external repositories.
+mariadb_server__apt_key: '{{ mariadb_server__apt_key_map[mariadb_server__flavor] | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__apt_key_map [[[
+#
+# A YAML dictionary map which keeps GPG key ids for APT repository keys of
+# different MariaDB/MySQL/Percona APT repositories. These GPG keys will be
+# downloaded if any of the listed flavors is selected.
+mariadb_server__apt_key_map:
+
+  'mariadb': []
+
+  'mariadb_upstream':
+    - id: '199369E5404BD5FC7D2FE43BCBCB082A1BB943DB'
+    - id: '177F4010FE56CA3336300305F1656F24C74CD1D8'
+    - repo: 'deb {{ mariadb_server__upstream_mirror }} {{ ansible_distribution_release }} main'
+
+  'mysql-5.6_galera-3':
+    - id: '44B7345738EBDE52594DAD80D669017EBC19DDBA'
+    - repo: 'deb http://releases.galeracluster.com/mysql-wsrep-5.6/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+    - repo: 'deb http://releases.galeracluster.com/galera-3/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+
+  'mysql-5.7_galera-3':
+    - id: '44B7345738EBDE52594DAD80D669017EBC19DDBA'
+    - repo: 'deb http://releases.galeracluster.com/mysql-wsrep-5.7/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+    - repo: 'deb http://releases.galeracluster.com/galera-3/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main'
+
+  'percona-8.0':
+    - id: '4D1BB29D63D98E422B2113B19334A25F8507EFA5'
+    - repo: 'deb http://repo.percona.com/tools/apt {{ ansible_distribution_release }} main'
+    - repo: 'deb http://repo.percona.com/ps-80/apt {{ ansible_distribution_release }} main'
+
+  'percona-5.7':
+    - id: '4D1BB29D63D98E422B2113B19334A25F8507EFA5'
+    - repo: 'deb http://repo.percona.com/tools/apt {{ ansible_distribution_release }} main'
+    - repo: 'deb http://repo.percona.com/ps-57/apt {{ ansible_distribution_release }} main'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__upstream_version [[[
+#
+# Version of the MariaDB upstream.
+mariadb_server__upstream_version: '10.1'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__upstream_mirror [[[
+#
+# URL of the MariaDB upstream mirror.
+mariadb_server__upstream_mirror: 'http://nyc2.mirrors.digitalocean.com/mariadb/repo/{{ mariadb_server__upstream_version }}/{{ ansible_distribution | lower }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__base_packages [[[
+#
+# List of APT packages that should be installed with any database engine
+# selected.
+mariadb_server__base_packages: [ 'ssl-cert' ]
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__packages [[[
+#
+# List of additional packages to install with the database server.
+mariadb_server__packages: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__packages_map [[[
+#
+# Dictionary with list of packages that will be installed with a particular
+# database engine.
+mariadb_server__packages_map:
+  'mariadb': [ 'mariadb-server' ]
+  'mariadb_upstream': [ 'mariadb-server' ]
+  'mysql': [ 'mysql-server' ]
+  'mysql-5.6_galera-3': [ 'mysql-wsrep-server-5.6', 'galera-3', 'galera-arbitrator-3' ]
+  'mysql-5.7_galera-3': [ 'mysql-wsrep-server-5.7', 'galera-3', 'galera-arbitrator-3' ]
+  'percona-8.0': [ 'percona-server-server' ]
+  'percona-5.7': [ 'percona-server-server-5.7' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: mariadb_server__bind_address [[[
+#
+# IP address on which MariaDB server listens on for new connections. To allow
+# connections from remote hosts, you need to change this to ``0.0.0.0`` for IPv4
+# only connections, or ``::`` for IPv4 and IPv6 connections.
+#
+# When bind address is changed, you need to restart the :program:`mysqld` daemon to
+# rebind it to new network interfaces, it won't be restarted automatically by
+# Ansible.
+mariadb_server__bind_address: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__port [[[
+#
+# Port number on which this MariaDB server listens on.
+mariadb_server__port: '3306'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__allow [[[
+#
+# List of IP addresses or CIDR subnets which will be allowed to connect to the
+# MariaDB server in :command:`ip(6)tables` and TCP wrappers. If it's empty, remote
+# connections are not allowed.
+mariadb_server__allow: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__max_connections [[[
+#
+# Maximum number of allowed connections.
+mariadb_server__max_connections: '100'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__default_datadir [[[
+#
+# Default directory to store data
+mariadb_server__default_datadir: '/var/lib/mysql'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__datadir [[[
+#
+# Directory to store data
+mariadb_server__datadir: '{{ mariadb_server__default_datadir }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__delegate_to [[[
+#
+# Hostname of the server to which Ansible roles will delegate tasks. It should
+# point to "this server", using a FQDN hostname known to Ansible.
+mariadb_server__delegate_to: '{{ inventory_hostname }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Server configuration options [[[
+# --------------------------------
+
+# The MariaDB/MySQL server configuration is managed in
+# :file:`/etc/mysql/conf.d/mysqld.cnf` configuration file, generated by an Ansible
+# template. Check :ref:`mariadb_server__ref_options` for more details about the
+# syntax used to configure the server.
+
+# .. envvar:: mariadb_server__mysqld_performance_options [[[
+#
+# Configuration options related to database performance and resource
+# utilization.
+mariadb_server__mysqld_performance_options:
+  'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
+  'innodb_buffer_pool_size':      '{{ (ansible_memtotal_mb / 2) | int }}M'
+  'query_cache_type':             '0'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__local_infile [[[
+#
+# Enable or disable LOCAL capability for LOAD DATA INFILE.
+mariadb_server__local_infile: False
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_security_options [[[
+#
+# Configuration options related to the server security.
+mariadb_server__mysqld_security_options:
+  'local_infile':         '{{ "1" if mariadb_server__local_infile | bool else "0" }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_charset_options [[[
+#
+# Configuration options related to charset and string encoding on the server.
+mariadb_server__mysqld_charset_options:
+  'character_set_server': 'utf8mb4'
+  'collation_server':     'utf8mb4_general_ci'
+  'init_connect':         'SET NAMES utf8mb4'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_network_options [[[
+#
+# Configuration options related to network access and network connections.
+mariadb_server__mysqld_network_options:
+  'bind_address':    '{{ mariadb_server__bind_address }}'
+  'port':            '{{ mariadb_server__port }}'
+  'max_connections': '{{ mariadb_server__max_connections }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_pki_options [[[
+#
+# Configuration of SSL support in :program:`mysqld`, managed by :ref:`debops.pki` role.
+mariadb_server__mysqld_pki_options:
+  name: 'pki-options'
+  comment: 'Support for SSL connections'
+  state: '{{ "present" if mariadb_server__pki | bool else "absent" }}'
+  options:
+    'ssl':
+    'ssl_ca':     '{{ mariadb_server__pki_path + "/" + mariadb_server__pki_realm + "/" + mariadb_server__pki_ca }}'
+    'ssl_cert':   '{{ mariadb_server__pki_path + "/" + mariadb_server__pki_realm + "/" + mariadb_server__pki_crt }}'
+    'ssl_key':    '{{ mariadb_server__pki_path + "/" + mariadb_server__pki_realm + "/" + mariadb_server__pki_key }}'
+    'ssl_cipher': '{{ mariadb_server__pki_cipher }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_cluster_options [[[
+#
+# Configuration options for :program:`mysqld` required to operate in a
+# MariaDB/MySQL cluster.
+mariadb_server__mysqld_cluster_options:
+  name: 'cluster-options'
+  comment: 'Required for cluster operation'
+  state: '{{ "present" if mariadb_server__flavor in ["mysql-5.6_galera-3", "percona", "percona-5.7"] else "absent" }}'
+  options:
+    'binlog_format': 'ROW'
+    'default_storage_engine': 'InnoDB'
+    'innodb_autoinc_lock_mode': '2'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_directory_options [[[
+#
+# Configuration options related to directory (e.g. datadir)
+mariadb_server__mysqld_directory_options:
+  'datadir': '{{ mariadb_server__datadir }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_options [[[
+#
+# Configuration options set in :file:`/etc/mysql/conf.d/mysqld.cnf` file. This is
+# a "master variable" for the rest of the configuration variables.
+mariadb_server__mysqld_options:
+  - section: 'mysqld'
+    options:
+      - '{{ mariadb_server__mysqld_performance_options }}'
+      - '{{ mariadb_server__mysqld_charset_options }}'
+      - '{{ mariadb_server__mysqld_security_options }}'
+      - '{{ mariadb_server__mysqld_network_options }}'
+      - '{{ mariadb_server__mysqld_pki_options }}'
+      - '{{ mariadb_server__mysqld_cluster_options }}'
+      - '{{ mariadb_server__mysqld_directory_options }}'
+      - '{{ mariadb_server__options }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__client_options [[[
+#
+# Configuration set in :file:`/etc/mysql/conf.d/client.cnf` at the installation
+# time. Afterwards you should use the :ref:`debops.mariadb` role to manage it.
+mariadb_server__client_options:
+  - section: 'client'
+    options:
+      'default_character_set': 'utf8mb4'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__options [[[
+#
+# Dictionary or list with custom :program:`mysqld` options.
+mariadb_server__options: {}
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__client_cnf_file [[[
+#
+# Absolute path for the client configuration file managed by the
+# ``debops.mariadb_server`` Ansible role.
+mariadb_server__client_cnf_file: '{{ "/etc/mysql/mariadb.conf.d/90-client.cnf"
+                                     if (mariadb_server__register_confd.stat.exists | bool)
+                                     else "/etc/mysql/conf.d/zz-client.cnf" }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__mysqld_cnf_file [[[
+#
+# Absolute path for the server configuration file managed by the
+# ``debops.mariadb_server`` Ansible role.
+mariadb_server__mysqld_cnf_file: '{{ "/etc/mysql/mariadb.conf.d/90-mysqld.cnf"
+                                     if (mariadb_server__register_confd.stat.exists | bool)
+                                     else "/etc/mysql/conf.d/zz-mysqld.cnf" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL configuration [[[
+# ---------------------
+
+# .. envvar:: mariadb_server__append_groups [[[
+#
+# List of additional system groups to append to the MariaDB system user.
+# ``ssl-cert`` group is required for access to certificate private keys.
+mariadb_server__append_groups: [ 'ssl-cert' ]
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki [[[
+#
+# Enable or disable support for SSL in MariaDB (using :ref:`debops.pki`).
+mariadb_server__pki: '{{ (True
+                      if (ansible_local.pki.enabled | d() and
+                          mariadb_server__pki_realm in ansible_local.pki.known_realms)
+                      else False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_path [[[
+#
+# Base path for PKI directory.
+mariadb_server__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_realm [[[
+#
+# Default PKI realm used by MariaDB server.
+mariadb_server__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_ca [[[
+#
+# Root CA certificate used by MariaDB, relative to :envvar:`mariadb_server__pki_realm`.
+mariadb_server__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_crt [[[
+#
+# Host certificate used by MariaDB, relative to :envvar:`mariadb_server__pki_realm`.
+mariadb_server__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_key [[[
+#
+# Host private key used by MariaDB, relative to :envvar:`mariadb_server__pki_realm`.
+mariadb_server__pki_key: 'default.key'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__pki_cipher [[[
+#
+# Cipher suite used for encrypted connections.
+mariadb_server__pki_cipher: 'DHE-RSA-AES256-SHA'
+                                                                   # ]]]
+                                                                   # ]]]
+# AutoMySQLBackup configuration [[[
+# ---------------------------------
+
+# .. envvar:: mariadb_server__backup [[[
+#
+# Enable or disable support for daily, weekly and monthly snapshots of the
+# database using :program:`automysqlbackup`.
+mariadb_server__backup: True
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_mailaddr [[[
+#
+# Mail address to send messages to (account or alias name will be properly
+# routed by the Postfix SMTP server).
+mariadb_server__backup_mailaddr: 'backup'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_create_database [[[
+#
+# If the backup should contain a CREATE DATABASE statement or not.
+mariadb_server__backup_create_database: True
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_exclude_databases [[[
+#
+# List of database names to exclude (you can use regular expressions)
+# Example: ['^.*_cache$']
+mariadb_server__backup_exclude_databases: []
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_doweekly [[[
+#
+# Specify the day of the week to create weekly backups
+# (1 - Monday, 7 - Sunday).
+mariadb_server__backup_doweekly: '6'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_latest [[[
+#
+# Don't keep copies of most recent backups by default.
+mariadb_server__backup_latest: 'no'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__backup_directory [[[
+#
+# Base directory where :program:`automysqlbackup` stores the database backups.
+# The directory will be created automatically by :program:`automysqlbackup`, if it
+# does not exist.
+mariadb_server__backup_directory: '/var/lib/automysqlbackup'
+
+# .. envvar:: mariadb_server__backup_max_allowed_packet [[[
+#
+# Max allowed packet for backup.
+mariadb_server__backup_max_allowed_packet: ''
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: mariadb_server__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+mariadb_server__keyring__dependent_apt_keys:
+
+  - '{{ mariadb_server__apt_key }}'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__etc_services__dependent_rules [[[
+#
+# Configuration for :ref:`debops.etc_services` Ansible role.
+mariadb_server__etc_services__dependent_rules:
+
+  - name: 'galera-cluster-rep'
+    port: '4567'
+    protocols: [ 'tcp', 'udp' ]
+    comment: 'Galera Cluster Replication'
+
+  - name: 'galera-ist'
+    port: '4568'
+    protocols: [ 'tcp' ]
+    comment: 'Galera Incremental State Transfer'
+
+  - name: 'galera-sst'
+    port: '4444'
+    protocols: [ 'tcp' ]
+    comment: 'Galera State Snapshot Transfer'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__ferm__dependent_rules [[[
+#
+# Configuration for :ref:`debops.ferm` Ansible role.
+mariadb_server__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'mysql' ]
+    saddr: '{{ mariadb_server__allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'mariadb_server'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__tcpwrappers__dependent_allow [[[
+#
+# Configuration for :ref:`debops.tcpwrappers` Ansible role.
+mariadb_server__tcpwrappers__dependent_allow:
+
+  - daemon: 'mysqld'
+    client: '{{ mariadb_server__allow }}'
+    accept_any: False
+    weight: '50'
+    filename: 'mariadb_server_allow'
+    comment: 'Allow remote connections to MariaDB / MySQL server'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mariadb_server__python__dependent_packages3:
+
+  - 'python3-mysqldb'
+
+                                                                   # ]]]
+# .. envvar:: mariadb_server__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mariadb_server__python__dependent_packages2:
+
+  - 'python-mysqldb'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/meta/main.yml b/ansible_collections/debops/debops/roles/mariadb_server/meta/main.yml
new file mode 100644
index 00000000..4c16a16d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage a MariaDB / MySQL server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mariadb
+    - mysql
+    - percona
+    - sql
+    - database
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/tasks/configure_server.yml b/ansible_collections/debops/debops/roles/mariadb_server/tasks/configure_server.yml
new file mode 100644
index 00000000..a0dd763c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/tasks/configure_server.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure database server
+  ansible.builtin.template:
+    src: 'etc/mysql/conf.d/mysqld.cnf.j2'
+    dest: '{{ mariadb_server__mysqld_cnf_file }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Setup automysqlbackup configuration
+  ansible.builtin.template:
+    src: 'etc/default/automysqlbackup.j2'
+    dest: '/etc/default/automysqlbackup'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: mariadb_server__backup | d()
+
+- name: Enable events table backup in mysqldump
+  community.general.ini_file:
+    dest:    '/etc/mysql/debian.cnf'
+    section: 'mysqldump'
+    option:  'events'
+    value:   'true'
+    mode: '0600'
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/tasks/main.yml b/ansible_collections/debops/debops/roles/mariadb_server/tasks/main.yml
new file mode 100644
index 00000000..f58bdc50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/tasks/main.yml
@@ -0,0 +1,124 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# We want to have our configuration enabled as soon as possible for UTF-8
+# support, this check lets us know if MariaDB / MySQL server has just been
+# installed and we can quickly apply our own configuration and restart the
+# server before any more changes happen.
+- name: Check if database server is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'mariadb-server' 'mysql-server'
+                                         'percona-server-server' 'mysql-wsrep-server-5.6'
+         | grep -v '^$'
+  args:
+    executable: 'bash'
+  register: mariadb_server__register_version
+  check_mode: False
+  changed_when: False
+  failed_when: False
+
+- name: Install database server packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (mariadb_server__base_packages
+                              + mariadb_server__packages_map[mariadb_server__flavor]
+                              + mariadb_server__packages
+                              + (["automysqlbackup"]
+                                 if mariadb_server__backup | bool
+                                 else []))) }}'
+    state: 'present'
+  register: mariadb_server__register_install_status
+  until: mariadb_server__register_install_status is succeeded
+
+- name: Stop database server on first install
+  ansible.builtin.service:  # noqa no-handler
+    name: 'mysql'
+    state: 'stopped'
+  when: ((mariadb_server__register_version | d() and not mariadb_server__register_version.stdout) and
+         (mariadb_server__register_install_status | d() and mariadb_server__register_install_status is changed))
+
+- name: Add database server user to specified groups
+  ansible.builtin.user:
+    name: 'mysql'
+    groups: '{{ mariadb_server__append_groups | join(",") | default(omit) }}'
+    append: True
+    createhome: False
+  when: mariadb_server__pki | bool
+
+- name: Check if MariaDB config directory exists
+  ansible.builtin.stat:
+    path: '/etc/mysql/mariadb.conf.d'
+  register: mariadb_server__register_confd
+
+- name: Ensure MariaDB data directory exists
+  ansible.builtin.file:
+    path: '{{ mariadb_server__datadir }}'
+    state: 'directory'
+    owner: 'mysql'
+    group: 'mysql'
+    mode: '0755'
+
+- name: Move MariaDB data files to data directory
+  ansible.builtin.shell:  # noqa no-handler
+    'mv {{ mariadb_server__default_datadir }}/* {{ mariadb_server__datadir }}'
+  register: mariadb_server__register_move
+  changed_when: mariadb_server__register_move.changed | bool
+  when: ((mariadb_server__register_version | d() and not mariadb_server__register_version.stdout) and
+         (mariadb_server__register_install_status | d() and mariadb_server__register_install_status is changed) and
+         (mariadb_server__datadir != mariadb_server__default_datadir))
+
+- name: Configure database client on first install
+  ansible.builtin.template:
+    src: 'etc/mysql/conf.d/client.cnf.j2'
+    dest: '{{ mariadb_server__client_cnf_file }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (mariadb_server__register_version | d() and not mariadb_server__register_version.stdout)
+
+- name: Configure database server
+  ansible.builtin.include_tasks: 'configure_server.yml'
+  tags: [ 'role::mariadb_server:configure' ]
+
+- name: Start database server on first install
+  ansible.builtin.service:  # noqa no-handler
+    name: 'mysql'
+    state: 'started'
+  when: ((mariadb_server__register_version | d() and not mariadb_server__register_version.stdout) and
+         (mariadb_server__register_install_status | d() and mariadb_server__register_install_status is changed))
+
+- name: Secure database server
+  ansible.builtin.include_tasks: 'secure_installation.yml'
+  tags: [ 'role::mariadb_server:secure' ]
+
+- name: Make sure that local fact directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save MariaDB local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mariadb.fact.j2'
+    dest: '/etc/ansible/facts.d/mariadb.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/tasks/secure_installation.yml b/ansible_collections/debops/debops/roles/mariadb_server/tasks/secure_installation.yml
new file mode 100644
index 00000000..017587d6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/tasks/secure_installation.yml
@@ -0,0 +1,20 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Delete anonymous database user
+  community.mysql.mysql_user:
+    user: ""
+    host: '{{ item }}'
+    state: 'absent'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  with_items: [ '{{ ansible_hostname }}', 'localhost' ]
+
+- name: Remove test database on first install
+  community.mysql.mysql_db:  # noqa no-handler
+    db: 'test'
+    state: 'absent'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: ((mariadb_server__register_version | d() and not mariadb_server__register_version.stdout) and
+         (mariadb_server__register_install_status | d() and mariadb_server__register_install_status is changed))
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/ansible/facts.d/mariadb.fact.j2 b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/ansible/facts.d/mariadb.fact.j2
new file mode 100644
index 00000000..7d8f9ba7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/ansible/facts.d/mariadb.fact.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set mariadb__tpl_client      = ansible_local.mariadb.client | d("localhost") %}
+{% set mariadb__tpl_delegate_to = ansible_local.mariadb.delegate_to | d(mariadb_server__delegate_to) %}
+{% set mariadb__tpl_host        = ansible_local.mariadb.host | d("localhost") %}
+{% set mariadb__tpl_server      = ansible_local.mariadb.server | d("localhost") %}
+{% if (mariadb_server__register_version.stdout or (mariadb_server__register_install_status | d() and mariadb_server__register_install_status.changed | bool)) %}
+{%   set mariadb__tpl_client      = "localhost" %}
+{%   set mariadb__tpl_delegate_to = mariadb_server__delegate_to %}
+{%   set mariadb__tpl_host        = "localhost" %}
+{%   set mariadb__tpl_server      = "localhost" %}
+{% endif %}
+{
+"client": "{{ mariadb__tpl_client }}",
+"delegate_to": "{{ mariadb__tpl_delegate_to }}",
+"flavor": "{{ ansible_local.mariadb.flavor | d(mariadb_server__flavor) }}",
+"host": "{{ mariadb__tpl_host }}",
+"port": "{{ ansible_local.mariadb.port | d(mariadb_server__port) }}",
+"server": "{{ mariadb__tpl_server }}"
+}
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/default/automysqlbackup.j2 b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/default/automysqlbackup.j2
new file mode 100644
index 00000000..0e6d2962
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/default/automysqlbackup.j2
@@ -0,0 +1,104 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# By default, the Debian version of automysqlbackup will use:
+# mysqldump --defaults-file=/etc/mysql/debian.cnf
+# but you might want to overwrite with a specific user & pass.
+# To do this, simply edit below.
+
+# Username to access the MySQL server e.g. dbuser
+#USERNAME=`grep user /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Username to access the MySQL server e.g. password
+#PASSWORD=`grep password /etc/mysql/debian.cnf | tail -n 1 | cut -d"=" -f2 | awk '{print $1}'`
+
+# Host name (or IP address) of MySQL server e.g localhost
+DBHOST=localhost
+
+# List of DBNAMES for Daily/Weekly Backup e.g. "DB1 DB2 DB3"
+# Note that it's absolutely normal that the db named "mysql" is not in this
+# list, as it's added later by the script. See the MDBNAMES directives below
+# in this file (advanced options).
+# This is ONLY a convenient default, if you don't like it, don't complain
+# and write your own.
+# The following is a quick hack that will find the names of the databases by
+# reading the mysql folder content. Feel free to replace by something else.
+# DBNAMES=`find /var/lib/mysql -mindepth 1 -maxdepth 1 -type d | cut -d'/' -f5 | grep -v ^mysql\$ | tr \\\r\\\n ,\ `
+# This one does a list of dbs using a MySQL statement.
+{% set mariadb_server__tpl_backup_database_names = []                     %}
+{% for item in mariadb_server__backup_exclude_databases                   %}
+{%   set _ = mariadb_server__tpl_backup_database_names.append('grep -v ') %}
+{%   set _ = mariadb_server__tpl_backup_database_names.append(item)       %}
+{%   set _ = mariadb_server__tpl_backup_database_names.append(' | ')      %}
+{% endfor                                                                 %}
+DBNAMES=`mysql --defaults-file=/etc/mysql/debian.cnf --execute="SHOW DATABASES" | awk '{print $1}' | grep -v ^Database$ | grep -v ^mysql$ | grep -v ^performance_schema$ | grep -v ^information_schema$ | {{ mariadb_server__tpl_backup_database_names | join('') }}tr \\\r\\\n ,\ `
+
+# Backup directory location e.g /backups
+# Folders inside this one will be created (daily, weekly, etc.), and the
+# subfolders will be database names. Note that backups will be owned by
+# root, with Unix rights 0600.
+BACKUPDIR="{{ mariadb_server__backup_directory | d('/var/lib/automysqlbackup') }}"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log   : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="quiet"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see
+# docs])
+MAXATTSIZE="4000"
+
+# Email Address to send mail to? (user@domain.com)
+MAILADDR="{{ mariadb_server__backup_mailaddr }}"
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# List of DBBNAMES for Monthly Backups.
+MDBNAMES="mysql $DBNAMES"
+
+# List of DBNAMES to EXLUCDE if DBNAMES are set to all (must be in " quotes)
+DBEXCLUDE=""
+
+# Include CREATE DATABASE in backup?
+CREATE_DATABASE={{ 'yes' if mariadb_server__backup_create_database | bool else 'no' }}
+
+# Separate backup directory and file for each DB? (yes or no)
+SEPDIR=yes
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY={{ mariadb_server__backup_doweekly }}
+
+# Choose Compression type. (gzip or bzip2)
+COMP=gzip
+
+# Compress communications between backup server and MySQL server?
+COMMCOMP=no
+
+# Additionally keep a copy of the most recent backup in a separate
+# directory.
+LATEST={{ mariadb_server__backup_latest }}
+
+#  The maximum size of the buffer for client/server communication. e.g. 16MB
+#  (maximum is 1GB)
+MAX_ALLOWED_PACKET={{ mariadb_server__backup_max_allowed_packet }}
+
+#  For connections to localhost. Sometimes the Unix socket file must be
+#  specified.
+SOCKET=
+
+# Command to run before backups (uncomment to use)
+#PREBACKUP="/etc/mysql-backup-pre"
+
+# Command run after backups (uncomment to use)
+#POSTBACKUP="/etc/mysql-backup-post"
+
+# Backup of stored procedures and routines (comment to remove)
+ROUTINES=yes
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/client.cnf.j2 b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/client.cnf.j2
new file mode 100644
index 00000000..98d8116d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/client.cnf.j2
@@ -0,0 +1,65 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_config(config) %}
+{%   if config is mapping %}
+{%     if 'section' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+[{{ config.section }}]
+
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     elif 'name' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         elif config.value | d() %}
+{{ '%-30s = "%s"' | format(config.name, config.value) }}
+{%         else %}
+{{ config.name }}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       if config %}
+{%         for option in config.keys() | sort %}
+{%           if config[option] is not none %}
+{{ '%-30s = "%s"' | format(option, config[option]) }}
+{%           else %}
+{{ option }}
+{%           endif %}
+{%         endfor %}
+
+{%       endif %}
+{%     endif %}
+{%   else %}
+{%     for element in config %}
+{{ print_config(element) -}}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% for item in mariadb_server__client_options %}
+{{ print_config(item) -}}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/mysqld.cnf.j2 b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/mysqld.cnf.j2
new file mode 100644
index 00000000..d82c764d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mariadb_server/templates/etc/mysql/conf.d/mysqld.cnf.j2
@@ -0,0 +1,65 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_config(config) %}
+{%   if config is mapping %}
+{%     if 'section' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+[{{ config.section }}]
+
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     elif 'name' in config.keys() %}
+{%       if config.state | d('present') == 'present' %}
+{%         if config.comment | d() %}
+{{ config.comment | comment(postfix='') -}}
+{%         endif %}
+{%         if config.options | d() %}
+{%           if config.options is mapping %}
+{{ print_config(config.options) -}}
+{%           else %}
+{%             for element in config.options %}
+{{ print_config(element) -}}
+{%             endfor %}
+{%           endif %}
+{%         elif config.value | d() %}
+{{ '%-30s = "%s"' | format(config.name, config.value) }}
+{%         else %}
+{{ config.name }}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       if config %}
+{%         for option in config.keys() | sort %}
+{%           if config[option] is not none %}
+{{ '%-30s = "%s"' | format(option, config[option]) }}
+{%           else %}
+{{ option }}
+{%           endif %}
+{%         endfor %}
+
+{%       endif %}
+{%     endif %}
+{%   else %}
+{%     for element in config %}
+{{ print_config(element) -}}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% for item in mariadb_server__mysqld_options %}
+{{ print_config(item) -}}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mcli/COPYRIGHT b/ansible_collections/debops/debops/roles/mcli/COPYRIGHT
new file mode 100644
index 00000000..3d58bb42
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.mcli - Install MinIO Client using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mcli/defaults/main.yml b/ansible_collections/debops/debops/roles/mcli/defaults/main.yml
new file mode 100644
index 00000000..780e27ad
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/defaults/main.yml
@@ -0,0 +1,153 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _mcli__ref_defaults:
+
+# debops.mcli default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Go application deployment [[[
+# -----------------------------
+
+# These variables control how the :command:`mcli` binary is installed on the
+# host. The installation is performed by the :ref:`debops.golang` role, refer
+# to its documentation for details. The installation definition can be found in
+# the :envvar:`mcli__golang__dependent_packages` variable.
+
+# .. envvar:: mcli__upstream_gpg_key [[[
+#
+# The fingerprint of the GPG key which is used to sign the MinIO Client
+# releases. It will be used to verify the downloaded signature file as well as
+# the :command:`git` tags in the source repository.
+mcli__upstream_gpg_key: '4405 F3F0 DDBA 1B9E 68A3  1D25 12C7 4390 F9AA C728'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_type [[[
+#
+# Specify the method which should be used to install MinIO Client binary.
+# Either ``url`` to download the configured binary directly and virify it using
+# the specified GPG key, or ``git`` to clone the MinIO Client :command:`git`
+# repository and build the specified version from source.
+mcli__upstream_type: 'url'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_upgrade [[[
+#
+# Enable or disable automatic upgrades of MinIO Client downloaded from
+# upstream. This does not affect installations built from the :command:`git`
+# repository.
+#
+# MinIO Client is updated quite frequently. Remember that already downloaded MinIO
+# Client releases are not removed automatically; check the download directory (by
+# default :file:`/var/local/_golang/go/src/releases/linux-amd64/mc/`
+# directory) and remove old releases.
+mcli__upstream_upgrade: False
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_url_mirror [[[
+#
+# The base URL of the MinIO Client download page, should end with the ``/``
+# character.
+mcli__upstream_url_mirror: 'https://dl.min.io/client/mc/release/'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_platform [[[
+#
+# Specify the OS type and platform architecture to use for installation. The
+# list of supported architectures and OS types can be found on the
+# https://dl.min.io/client/mc/release/ page.
+mcli__upstream_platform: 'linux-amd64'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_url_release [[[
+#
+# The version of MinIO Client to download from upstream on a given host. You
+# should specify the ``RELEASE.YYYY-MM-DDTHH-MM-SSZ`` tagged release number.
+#
+# Available MinIO Client releases: https://github.com/minio/mc/releases
+mcli__upstream_url_release: '{{ mcli__env_upstream_url_release }}'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_url_binary [[[
+#
+# The path to the MinIO Client binary on the upstream HTTPS server, relative to
+# the OS type and platform directory.
+mcli__upstream_url_binary: '{{ "archive/mc." + mcli__upstream_url_release }}'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_git_repository [[[
+#
+# The URL of the upstream :command:`git` repository which contains MinIO Client
+# source code.
+mcli__upstream_git_repository: 'https://github.com/minio/mc'
+
+                                                                   # ]]]
+# .. envvar:: mcli__upstream_git_release [[[
+#
+# The version of MinIO Client to build from source on a given host. The build
+# version depends on the availability of a specific Golang version and other
+# factors.  Latest MinIO Client versions which can be built on a given OS
+# distribution release are preferable.
+mcli__upstream_git_release: '{{ "RELEASE.2019-03-20T21-29-03Z"
+                                if (ansible_distribution_release in
+                                    ["stretch", "buster", "xenial", "bionic"])
+                                    else ("RELEASE.2019-09-05T23-43-50Z"
+                                      if (ansible_distribution_release in
+                                          ["bullseye"])
+                                      else mcli__upstream_url_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: mcli__binary [[[
+#
+# Absolute path to the :command:`mcli` Go binary installed on the host.
+# See the :ref:`debops.golang` role for more details.
+mcli__binary: '{{ ansible_local.golang.binaries["mcli"]
+                   if (ansible_local.golang.binaries | d() and
+                       ansible_local.golang.binaries.mcli | d())
+                   else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: mcli__golang__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.golang` Ansible role.
+mcli__golang__dependent_packages:
+
+  - name: 'mcli'
+    upstream_type: '{{ mcli__upstream_type }}'
+    gpg: '{{ mcli__upstream_gpg_key }}'
+    url:
+
+      - src: '{{ mcli__upstream_url_mirror + mcli__upstream_platform + "/" + mcli__upstream_url_binary }}'
+        dest: 'releases/{{ mcli__upstream_platform }}/mc/mc.{{ mcli__upstream_url_release }}'
+        checksum: 'sha256:{{ mcli__upstream_url_mirror + mcli__upstream_platform + "/" + mcli__upstream_url_binary }}.sha256sum'
+
+      - src: '{{ mcli__upstream_url_mirror + mcli__upstream_platform + "/" + mcli__upstream_url_binary + ".asc" }}'
+        dest: 'releases/{{ mcli__upstream_platform }}/mc/mc.{{ mcli__upstream_url_release }}.asc'
+        gpg_verify: True
+
+    url_binaries:
+      - src: 'releases/{{ mcli__upstream_platform }}/mc/mc.{{ mcli__upstream_url_release }}'
+        dest: 'mcli'
+    git:
+      - repo: '{{ mcli__upstream_git_repository }}'
+        version: '{{ mcli__upstream_git_release }}'
+        build_script: |
+          make clean build
+    git_binaries:
+      - src: '{{ mcli__upstream_git_repository.split("://")[1] + "/mc" }}'
+        dest: 'mcli'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mcli/meta/main.yml b/ansible_collections/debops/debops/roles/mcli/meta/main.yml
new file mode 100644
index 00000000..86e3e2d4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install MinIO Client (mc) binary on Debian/Ubuntu host'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+        - bullseye
+  galaxy_tags:
+    - s3
+    - storage
+    - minio
diff --git a/ansible_collections/debops/debops/roles/mcli/meta/watch-mc b/ansible_collections/debops/debops/roles/mcli/meta/watch-mc
new file mode 100644
index 00000000..abdbd67b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/meta/watch-mc
@@ -0,0 +1,10 @@
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: mcli
+# Package: mc
+# Version: master
+
+version=4
+https://github.com/minio/mc/tags .*/(RELEASE\..+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/mcli/tasks/main.yml b/ansible_collections/debops/debops/roles/mcli/tasks/main.yml
new file mode 100644
index 00000000..aedec053
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save MinIO Client local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mcli.fact.j2'
+    dest: '/etc/ansible/facts.d/mcli.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/mcli/tasks/main_env.yml b/ansible_collections/debops/debops/roles/mcli/tasks/main_env.yml
new file mode 100644
index 00000000..8d99de7e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/tasks/main_env.yml
@@ -0,0 +1,16 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare mcli environment
+  ansible.builtin.set_fact:
+    mcli__env_upstream_url_release: '{{ ansible_local.mcli.release_tag
+                                         if (ansible_local.mcli.release_tag | d() and
+                                             ansible_local.mcli.release_tag.startswith("RELEASE.") and
+                                             not mcli__upstream_upgrade | bool)
+                                         else (lookup("url",
+                                                      (mcli__upstream_url_mirror + mcli__upstream_platform
+                                                       + "/mc.sha256sum"))
+                                               | regex_search("mc\.RELEASE\..+$")
+                                               | regex_replace("^mc\.", "")) }}'
diff --git a/ansible_collections/debops/debops/roles/mcli/templates/etc/ansible/facts.d/mcli.fact.j2 b/ansible_collections/debops/debops/roles/mcli/templates/etc/ansible/facts.d/mcli.fact.j2
new file mode 100644
index 00000000..7f5715cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mcli/templates/etc/ansible/facts.d/mcli.fact.j2
@@ -0,0 +1,49 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('mcli')}
+
+try:
+    mcli_version_stdout = subprocess.check_output(
+            ["mcli", "--version"]
+            ).decode('utf-8').strip()
+except Exception:
+    try:
+        mcli_version_stdout = subprocess.check_output(
+                ["mcli", "version"]
+                ).decode('utf-8').strip()
+    except Exception:
+        pass
+
+if mcli_version_stdout:
+    for line in mcli_version_stdout.split('\n'):
+        if line.lower().startswith('mcli version '):
+            output['version'] = line.split()[2]
+            output['release_tag'] = line.split()[2]
+        elif line.lower().startswith('version: '):
+            output['version'] = line.split()[1]
+        elif line.lower().startswith('release-tag: '):
+            output['release_tag'] = line.split()[1]
+        elif line.lower().startswith('commit-id: '):
+            output['commit_id'] = line.split()[1]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/memcached/COPYRIGHT b/ansible_collections/debops/debops/roles/memcached/COPYRIGHT
new file mode 100644
index 00000000..5efbfac6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.memcached - Manage Memcached service using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/memcached/defaults/main.yml b/ansible_collections/debops/debops/roles/memcached/defaults/main.yml
new file mode 100644
index 00000000..9f2f18c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/defaults/main.yml
@@ -0,0 +1,117 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _memcached__ref_defaults:
+
+# debops.memcached default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation and packages [[[
+# -----------------------------
+
+# .. envvar:: memcached__base_packages [[[
+#
+# List of required APT packages to install for :command:`memcached` service.
+memcached__base_packages: [ 'memcached' ]
+
+                                                                   # ]]]
+# .. envvar:: memcached__packages [[[
+#
+# List of additional APT packages to install with :command:`memcached`.
+memcached__packages: []
+
+                                                                   # ]]]
+# .. envvar:: memcached__version [[[
+#
+# The installed :command:`memcached` version. This variable is autodetected
+# using Ansible local facts.
+memcached__version: '{{ ansible_local.memcached.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Memcached configuration [[[
+# ---------------------------
+
+# .. envvar:: memcached__bind [[[
+#
+# IP address on which ``memcached`` listens for new connections. To listen on
+# all interfaces, set it to ``0.0.0.0``.
+memcached__bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: memcached__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to this
+# ``memcached``. If the list is empty, remote connections are denied.
+memcached__allow: []
+
+                                                                   # ]]]
+# .. envvar:: memcached__memory [[[
+#
+# Maximum amount of RAM ``memcached`` is allowed to use.
+memcached__memory: '{{ (memcached__memory_available | float *
+                        memcached__memory_multiplier | float) | int }}'
+
+                                                                   # ]]]
+# .. envvar:: memcached__memory_available [[[
+#
+# Amount of RAM which ``debops.memcached`` takes into account while calculating
+# ``memcached__memory`` variable.
+memcached__memory_available: '{{ ansible_memtotal_mb }}'
+
+                                                                   # ]]]
+# .. envvar:: memcached__memory_multiplier [[[
+#
+# Value which is multiplied by amount of available RAM to limit memory
+# accessible to ``memcached``. 1.0 will allow access to all available memory,
+# values bigger than 1.0 don't make much sense.
+memcached__memory_multiplier: '0.3'
+
+                                                                   # ]]]
+# .. envvar:: memcached__connections [[[
+#
+# Maximum number of allowed connections.
+memcached__connections: '1024'
+
+                                                                   # ]]]
+# .. envvar:: memcached__options [[[
+#
+# Additional ``memcached`` options, specified as YAML text block.
+memcached__options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: memcached__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+memcached__etc_services__dependent_list:
+
+  - name: 'memcache'
+    port: '11211'
+
+                                                                   # ]]]
+# .. envvar:: memcached__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+memcached__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'memcache' ]
+    protocol: [ 'tcp', 'udp' ]
+    saddr: '{{ memcached__allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'memcached'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/memcached/meta/main.yml b/ansible_collections/debops/debops/roles/memcached/meta/main.yml
new file mode 100644
index 00000000..80903985
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure memcached instance'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cache
+    - memory
diff --git a/ansible_collections/debops/debops/roles/memcached/tasks/main.yml b/ansible_collections/debops/debops/roles/memcached/tasks/main.yml
new file mode 100644
index 00000000..a0839ff9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install memcached
+  ansible.builtin.package:
+    name: '{{ (memcached__base_packages
+               + memcached__packages) | flatten }}'
+    state: 'present'
+  register: memcached__register_packages
+  until: memcached__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save memcached local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/memcached.fact.j2'
+    dest: '/etc/ansible/facts.d/memcached.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure memcached
+  ansible.builtin.template:
+    src: 'etc/memcached.conf.j2'
+    dest: '/etc/memcached.conf'
+    mode: '0644'
+  notify: [ 'Restart memcached' ]
diff --git a/ansible_collections/debops/debops/roles/memcached/templates/etc/ansible/facts.d/memcached.fact.j2 b/ansible_collections/debops/debops/roles/memcached/templates/etc/ansible/facts.d/memcached.fact.j2
new file mode 100644
index 00000000..33232b05
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/templates/etc/ansible/facts.d/memcached.fact.j2
@@ -0,0 +1,33 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('memcached')}
+
+try:
+    output['version'] = subprocess.check_output(
+            ["memcached", "-V"]
+            ).decode('utf-8').strip().split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/memcached/templates/etc/memcached.conf.j2 b/ansible_collections/debops/debops/roles/memcached/templates/etc/memcached.conf.j2
new file mode 100644
index 00000000..91902ab8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/memcached/templates/etc/memcached.conf.j2
@@ -0,0 +1,62 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# memcached default config file
+# 2003 - Jay Bonci <jaybonci@debian.org>
+# This configuration file is read by the start-memcached script provided as
+# part of the Debian GNU/Linux distribution.
+
+# Run memcached as a daemon. This command is implied, and is not needed for the
+# daemon to run. See the README.Debian that comes with this package for more
+# information.
+-d
+
+# Log memcached's output to /var/log/memcached
+logfile /var/log/memcached.log
+
+# Be verbose
+# -v
+
+# Be even more verbose (print client commands as well)
+# -vv
+
+# Start with a cap of {{ memcached__memory }} megs of memory. Note that the
+# daemon will grow to this size, but does not start out holding this much
+# memory
+-m {{ memcached__memory }}
+
+# Default connection port is 11211
+-p 11211
+
+# Run the daemon as memcache. The start-memcached will default to running as root if no
+# -u command is present in this config file
+-u memcache
+
+# Specify which IP address to listen on. The default is to listen on all IP addresses
+# This parameter is one of the only security measures that memcached has, so make sure
+# it's listening on a firewalled interface.
+-l {{ memcached__bind }}
+
+# Limit the number of simultaneous incoming connections. The daemon default is 1024
+-c {{ memcached__connections }}
+
+# Lock down all paged memory. Consult with the README and homepage before you do this
+# -k
+
+# Return error when memory is exhausted (rather than removing items)
+# -M
+
+# Maximize core file limit
+# -r
+{% if memcached__version is version("1.5.6", ">=") %}
+# Use a pidfile
+
+-P /run/memcached/memcached.pid
+{% endif %}
+{% if memcached__options | d() %}
+
+{{ memcached__options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/metricbeat/COPYRIGHT b/ansible_collections/debops/debops/roles/metricbeat/COPYRIGHT
new file mode 100644
index 00000000..f06f32b3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.metricbeat - Manage Metricbeat service using Ansible
+
+Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/metricbeat/defaults/main.yml b/ansible_collections/debops/debops/roles/metricbeat/defaults/main.yml
new file mode 100644
index 00000000..156df573
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/defaults/main.yml
@@ -0,0 +1,263 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _metricbeat__ref_defaults:
+
+# debops.metricbeat default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, version [[[
+# -------------------------
+
+# The ``debops.metricbeat`` role uses the :ref:`debops.extrepo` Ansible role
+# to configure the Elastic APT repositories and GPG keys.
+
+# .. envvar:: metricbeat__base_packages [[[
+#
+# List of base APT packages to install.
+metricbeat__base_packages: [ 'metricbeat' ]
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__packages [[[
+#
+# List of additional APT packages to install with Metricbeat.
+metricbeat__packages: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__version [[[
+#
+# Store the detected Metricbeat version in a convenient variable for conditional
+# configuration.
+metricbeat__version: '{{ ansible_local.metricbeat.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Main Metricbeat configuration file [[[
+# -----------0--------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/metricbeat/metricbeat.yml` configuration file.
+# See :ref:`metricbeat__ref_configuration` for more details.
+
+# .. envvar:: metricbeat__original_configuration [[[
+#
+# Metricbeat configuration based on the original config file which comes with
+# the package. Some of the configuration options are overridden in the
+# subsequent configuration variable.
+metricbeat__original_configuration:
+
+  - name: 'metricbeat_config_modules'
+    config:
+      metricbeat.config.modules:
+        path: '${path.config}/modules.d/*.yml'
+        reload.enabled: False
+
+  - name: 'setup_template_settings'
+    config:
+      setup.template.settings:
+        index.number_of_shards: 1
+        index.codec: 'best_compression'
+
+  - name: 'setup_kibana'
+    config:
+      setup.kibana:
+
+  - name: 'output_elasticsearch'
+    config:
+      output.elasticsearch:
+        hosts: [ 'localhost:9200' ]
+
+  - name: 'processors'
+    config:
+      processors:
+        - add_host_metadata: ~
+        - add_cloud_metadata: ~
+        - add_docker_metadata: ~
+        - add_kubernetes_metadata: ~
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__default_configuration [[[
+#
+# The Metricbeat configuration defined by the role.
+metricbeat__default_configuration:
+
+  - name: 'metricbeat_config_modules'
+    config:
+      metricbeat.config.modules:
+        path: '${path.config}/modules.d/*.yml'
+        reload.enabled: True
+        reload.period: '30s'
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__configuration [[[
+#
+# The Metricbeat configuration which should be present on all hosts in the
+# Ansible inventory.
+metricbeat__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__group_configuration [[[
+#
+# The Metricbeat configuration which should be present on hosts in a specific
+# Ansible inventory group.
+metricbeat__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__host_configuration [[[
+#
+# The Metricbeat configuration which should be present on specific hosts in the
+# Ansible inventory.
+metricbeat__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__combined_configuration [[[
+#
+# Variable which combines all Metricbeat configuration variables and is used in
+# the role tasks and templates.
+metricbeat__combined_configuration: '{{ metricbeat__original_configuration
+                                        + metricbeat__default_configuration
+                                        + metricbeat__configuration
+                                        + metricbeat__group_configuration
+                                        + metricbeat__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Metricbeat configuration snippets [[[
+# -------------------------------------
+
+# The variables below define Metricbeat configuration snippets stored in the
+# :file:`/etc/metricbeat/` directory. Snippets can be created in subdirectories,
+# which will be created automatically. See :ref:`metricbeat__ref_snippets` for
+# more details.
+
+# .. envvar:: metricbeat__default_snippets [[[
+#
+# A list of default Metricbeat configuration snippets defined by the role.
+metricbeat__default_snippets:
+
+  - name: 'modules.d/system.yml'
+    divert: True
+    config:
+
+      - module: 'system'
+        period: '10s'
+        metricsets:
+          - 'cpu'
+          - 'load'
+          - 'memory'
+          - 'network'
+          - 'process'
+          - 'process_summary'
+          - 'socket_summary'
+          #- entropy
+          #- core
+          #- diskio
+          #- socket
+          #- service
+          #- users
+        process.include_top_n:
+          by_cpu: 5      # include top 5 processes by CPU
+          by_memory: 5   # include top 5 processes by memory
+
+      - module: 'system'
+        period: '1m'
+        metricsets:
+          - 'filesystem'
+          - 'fsstat'
+        processors:
+          - drop_event.when.regexp:
+              system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)'
+
+      - module: 'system'
+        period: '15m'
+        metricsets:
+          - 'uptime'
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__snippets [[[
+#
+# A list of Metricbeat configuration snippets which should be present on all
+# hosts in the Ansible inventory.
+metricbeat__snippets: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__group_snippets [[[
+#
+# A list of Metricbeat configuration snippets which should be present on hosts
+# in a specific Ansible inventory group.
+metricbeat__group_snippets: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__host_snippets [[[
+#
+# A list of Metricbeat configuration snippets which should be present on
+# specific hosts in the Ansible inventory.
+metricbeat__host_snippets: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__combined_snippets [[[
+#
+# Variable which combines all Metricbeat snippet variables and is used in role
+# tasks and templates.
+metricbeat__combined_snippets: '{{ metricbeat__default_snippets
+                                   + metricbeat__snippets
+                                   + metricbeat__group_snippets
+                                   + metricbeat__host_snippets }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Metricbeat keystore contents [[[
+# --------------------------------
+
+# The variables below define the contents of the Metricbeat keystore which can
+# be used to store passwords and other confidential data, which then can be
+# referenced in Metricbeat configuration files. See :ref:`metricbeat__ref_keys`
+# for more details.
+
+# .. envvar:: metricbeat__keys [[[
+#
+# Metricbeat keystore content which should be present on all hosts in the
+# Ansible inventory.
+metricbeat__keys: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__group_keys [[[
+#
+# Metricbeat keystore content which should be present on all hosts in the Ansible
+# inventory.
+metricbeat__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__host_keys [[[
+#
+# Metricbeat keystore content which should be present on hosts in a specific
+# Ansible inventory group.
+metricbeat__host_keys: []
+
+                                                                   # ]]]
+# .. envvar:: metricbeat__combined_keys [[[
+#
+# Metricbeat keystore content which should be present on specific hosts in the
+# Ansible inventory.
+metricbeat__combined_keys: '{{ metricbeat__keys
+                               + metricbeat__group_keys
+                               + metricbeat__host_keys }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: metricbeat__extrepo__dependent_sources [[[
+#
+# Configuration for the :ref:`debops.extrepo` Ansible role.
+metricbeat__extrepo__dependent_sources:
+  - 'elastic'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/metricbeat/meta/main.yml b/ansible_collections/debops/debops/roles/metricbeat/meta/main.yml
new file mode 100644
index 00000000..d29f73ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Metricbeat, a metrics shipper for Elasticsearch'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  galaxy_tags:
+  - elasticsearch
+  - elastic
+  - monitoring
+  - metrics
+  - beats
diff --git a/ansible_collections/debops/debops/roles/metricbeat/tasks/main.yml b/ansible_collections/debops/debops/roles/metricbeat/tasks/main.yml
new file mode 100644
index 00000000..1493dd92
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/tasks/main.yml
@@ -0,0 +1,163 @@
+---
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Metricbeat packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (metricbeat__base_packages
+                              + metricbeat__packages)) }}'
+    state: 'present'
+  notify: [ 'Refresh host facts' ]
+  register: metricbeat__register_packages
+  until: metricbeat__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Metricbeat local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/metricbeat.fact.j2'
+    dest: '/etc/ansible/facts.d/metricbeat.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Divert the original Metricbeat configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/metricbeat/metricbeat.yml'
+    state: 'present'
+  register: metricbeat__register_config_divert
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Generate main Metricbeat configuration
+  ansible.builtin.template:
+    src: 'etc/metricbeat/metricbeat.yml.j2'
+    dest: '/etc/metricbeat/metricbeat.yml'
+    mode: '0600'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create required configuration directories
+  ansible.builtin.file:
+    path: '{{ "/etc/metricbeat/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ metricbeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init'] and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage snippet diversion and reversion
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/metricbeat/" + (item.name | regex_replace(".yml", "") + ".yml") }}'
+    state: '{{ "absent" if item.state | d("present") == "absent" else "present" }}'
+    delete: True
+  loop: '{{ metricbeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  when: ansible_pkg_mgr == 'apt' and item.config | d() and (item.divert | d())
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove snippet configuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/metricbeat/" + (item.name | regex_replace(".yml", "") + ".yml") }}'
+    state: 'absent'
+  loop: '{{ metricbeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state, "config": item.config} }}'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  when: item.state | d('present') == 'absent' and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate snippet configuration
+  ansible.builtin.template:
+    src: 'etc/metricbeat/snippets.d/snippet.yml.j2'
+    dest: '{{ "/etc/metricbeat/" + (item.name | regex_replace(".yml", "") + ".yml") }}'
+    mode: '{{ item.mode | d("0600") }}'
+  loop: '{{ metricbeat__combined_snippets | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state, "config": item.config} }}'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  when: item.state | d('present') not in ['absent', 'ignore', 'init'] and item.config | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+# The keystore handling is very similar to ../../kibana/tasks/main.yml
+# Make sure you change it in both places.
+- name: Check if the Metricbeat keystore exists
+  ansible.builtin.stat:
+    path: '/var/lib/metricbeat/metricbeat.keystore'
+  register: metricbeat__register_keystore
+
+- name: Create Metricbeat keystore if not present
+  ansible.builtin.command: 'metricbeat keystore create'
+  register: metricbeat__register_keystore_create
+  changed_when: metricbeat__register_keystore_create.changed | bool
+  when: not metricbeat__register_keystore.stat.exists
+
+- name: Get the list of keystore contents
+  ansible.builtin.command: 'metricbeat keystore list'
+  register: metricbeat__register_keys
+  changed_when: False
+  check_mode: '{{ False if ansible_local.metricbeat.installed | d() else omit }}'
+
+- name: Remove key from Metricbeat keystore when requested
+  ansible.builtin.command: 'metricbeat keystore remove {{ item.name }}'
+  loop: '{{ metricbeat__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  register: metricbeat__register_keystore_remove
+  changed_when: metricbeat__register_keystore_remove.changed | bool
+  when: (item.state | d('present') == 'absent' and
+         item.name in metricbeat__register_keys.stdout_lines)
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set or update key in Metricbeat keystore
+  environment:
+    DEBOPS_METRICBEAT_KEY: '{{ item.value }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if item.force | d(False) %}
+    printf "%s" "${DEBOPS_METRICBEAT_KEY}" | metricbeat keystore add "{{ item.name }}" --stdin --force
+    {% else %}
+    printf "%s" "${DEBOPS_METRICBEAT_KEY}" | metricbeat keystore add "{{ item.name }}" --stdin
+    {% endif %}
+  args:
+    executable: 'bash'
+  loop: '{{ metricbeat__combined_keys | debops.debops.parse_kv_config }}'
+  loop_control:
+    label:  '{{ {"name": item.name, "state": item.state} }}'
+  notify: [ 'Test metricbeat configuration and restart' ]
+  register: metricbeat__register_keystore_add
+  changed_when: metricbeat__register_keystore_add.changed | bool
+  when: (item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.name not in metricbeat__register_keys.stdout_lines or
+          (item.force | d(False)) | bool))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Enable metricbeat service on installation
+  ansible.builtin.service:  # noqa no-handler
+    name: 'metricbeat'
+    enabled: True
+  when: ansible_local.metricbeat.installed | d() and metricbeat__register_config_divert is changed
diff --git a/ansible_collections/debops/debops/roles/metricbeat/templates/etc/ansible/facts.d/metricbeat.fact.j2 b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/ansible/facts.d/metricbeat.fact.j2
new file mode 100644
index 00000000..7ec51e72
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/ansible/facts.d/metricbeat.fact.j2
@@ -0,0 +1,36 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('metricbeat'),
+          'inputs': '/etc/filebeat/inputs.d',
+          'modules': '/etc/filebeat/modules.d'}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "metricbeat"]).decode('utf-8')
+    output['version'] = version_stdout
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/metricbeat.yml.j2 b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/metricbeat.yml.j2
new file mode 100644
index 00000000..5d66d0e3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/metricbeat.yml.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+---
+# {{ ansible_managed }}
+
+{% set metricbeat__tpl_configuration = {} %}
+{% for element in metricbeat__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.config | d() %}
+{%     set combined_config = metricbeat__tpl_configuration | combine(element.config, recursive=True) %}
+{%     set _ = metricbeat__tpl_configuration.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{{ metricbeat__tpl_configuration | to_nice_yaml(indent=2) }}
diff --git a/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/snippets.d/snippet.yml.j2 b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/snippets.d/snippet.yml.j2
new file mode 100644
index 00000000..78ce3491
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/metricbeat/templates/etc/metricbeat/snippets.d/snippet.yml.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+---
+# {{ ansible_managed }}
+
+{% if item.comment is defined %}
+{{ item.comment | trim | comment(prefix='', postfix='') }}
+{% endif %}
+{{ q("flattened", item.config) | to_nice_yaml(indent=2) }}
diff --git a/ansible_collections/debops/debops/roles/minidlna/COPYRIGHT b/ansible_collections/debops/debops/roles/minidlna/COPYRIGHT
new file mode 100644
index 00000000..43633ed6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/COPYRIGHT
@@ -0,0 +1,17 @@
+debops.minidlna - Manage DLNA with Ansible
+
+Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/minidlna/defaults/main.yml b/ansible_collections/debops/debops/roles/minidlna/defaults/main.yml
new file mode 100644
index 00000000..11eba5c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/defaults/main.yml
@@ -0,0 +1,376 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# .. Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _minidlna__ref_defaults:
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: minidlna__base_packages [[[
+#
+# List of APT packages to install for :command:`minidlna` support.
+minidlna__base_packages: [ 'minidlna' ]
+
+                                                                   # ]]]
+# .. envvar:: minidlna__packages [[[
+#
+# List of additional APT packages to install during :command:`minidlna`
+# configuration.
+minidlna__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: minidlna__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# MiniDLNA instances over the network, on all hosts in the Ansible inventory.
+# If not specified, all hosts can connect to MiniDLNA service.
+minidlna__allow: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# MiniDLNA instances over the network, on hosts in a specific Ansible inventory
+# group. If not specified, all hosts can connect to MiniDLNA service.
+minidlna__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# MiniDLNA instances over the network, on specific hosts in the Ansible
+# inventory. If not specified, all hosts can connect to MiniDLNA service.
+minidlna__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__ssdp_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to send packets to the
+# 1900/udp port used by Simple Service Discovery Protocol, configured on all
+# hosts in the Ansible inventory. This is required only when UPnP port
+# forwarding is desired.
+minidlna__ssdp_allow: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__ssdp_group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to send packets to the
+# 1900/udp port used by Simple Service Discovery Protocol, configured on hosts
+# in a specific Ansible inventory group. This is required only when UPnP port
+# forwarding is desired.
+minidlna__ssdp_group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__ssdp_host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to send packets to the
+# 1900/udp port used by Simple Service Discovery Protocol, configured on
+# specific hosts in the Ansible inventory. This is required only when UPnP port
+# forwarding is desired.
+minidlna__ssdp_host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# MiniDLNA configuration [[[
+# --------------------------
+
+# These variables define the contents of the :file:`/etc/minidlna.conf`
+# configuration file. See :ref:`minidlna__ref_configuration` for more details.
+
+# .. envvar:: minidlna__original_configuration [[[
+#
+# List of the default MiniDLNA configuration options defined in the Debian package.
+minidlna__original_configuration:
+
+  - name: 'user'
+    comment: |
+      Specify the user name or uid to run as (root by default).
+      On Debian system command line option (from /etc/default/minidlna) overrides this.
+    value: 'minidlna'
+    state: 'comment'
+
+  - name: 'media_dir'
+    comment: |
+      Path to the directory you want scanned for media files.
+
+      This option can be specified more than once if you want multiple directories
+      scanned.
+
+      If you want to restrict a media_dir to a specific content type, you can
+      prepend the directory name with a letter representing the type (A, P or V),
+      followed by a comma, as so:
+        * "A" for audio    (eg. media_dir=A,/var/lib/minidlna/music)
+        * "P" for pictures (eg. media_dir=P,/var/lib/minidlna/pictures)
+        * "V" for video    (eg. media_dir=V,/var/lib/minidlna/videos)
+        * "PV" for pictures and video (eg. media_dir=PV,/var/lib/minidlna/digital_camera)
+    value: [ '/var/lib/minidlna' ]
+
+  - name: 'merge_media_dirs'
+    comment: |
+      Set this to merge all media_dir base contents into the root container
+      (The default is no.)
+    value: False
+    state: 'comment'
+
+  - name: 'db_dir'
+    comment: 'Path to the directory that should hold the database and album art cache.'
+    value: '/var/cache/minidlna'
+    state: 'comment'
+
+  - name: 'log_dir'
+    comment: 'Path to the directory that should hold the log file.'
+    value: '/var/log/minidlna'
+    state: 'comment'
+
+  - name: 'log_level'
+    comment: |
+      Type and minimum level of importance of messages to be logged.
+
+      The types are "artwork", "database", "general", "http", "inotify",
+      "metadata", "scanner", "ssdp" and "tivo".
+
+      The levels are "off", "fatal", "error", "warn", "info" or "debug".
+      "off" turns of logging entirely, "fatal" is the highest level of importance
+      and "debug" the lowest.
+
+      The types are comma-separated, followed by an equal sign ("="), followed by a
+      level that applies to the preceding types. This can be repeated, separating
+      each of these constructs with a comma.
+
+      The default is to log all types of messages at the "warn" level.
+    value: 'general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn'
+    state: 'comment'
+
+  - name: 'root_container'
+    comment: |
+      Use a different container as the root of the directory tree presented to
+      clients. The possible values are:
+        * "." - standard container
+        * "B" - "Browse Directory"
+        * "M" - "Music"
+        * "P" - "Pictures"
+        * "V" - "Video"
+        * Or, you can specify the ObjectID of your desired root container
+          (eg. 1$F for Music/Playlists)
+      If you specify "B" and the client device is audio-only then "Music/Folders"
+      will be used as root.
+    value: '.'
+    state: 'comment'
+
+  - name: 'network_interface'
+    comment: |
+      Network interface(s) to bind to (e.g. eth0), comma delimited.
+      This option can be specified more than once.
+    value: []
+    state: 'comment'
+
+  - name: 'port'
+    comment: |
+      Port number for HTTP traffic (descriptions, SOAP, media transfer).
+      This option is mandatory (or it must be specified on the command-line using
+      "-p").
+    value: 8200
+
+  - name: 'presentation_url'
+    comment: |
+      URL presented to clients (e.g. http://example.com:80).
+    value: '/'
+    state: 'comment'
+
+  - name: 'friendly_name'
+    comment: |
+      Name that the DLNA server presents to clients.
+      Defaults to "hostname: username".
+    value: ''
+    state: 'comment'
+
+  - name: 'serial'
+    comment: |
+      Serial number the server reports to clients.
+      Defaults to the MAC address of network interface.
+    value: ''
+    state: 'comment'
+
+  - name: 'uuid'
+    comment: |
+      Specify device's UPnP UUID minidlna should use. By default MAC address is
+      used to build uniq UUID.
+    value: ''
+    state: 'comment'
+
+  - name: 'model_name'
+    comment: 'Model name the server reports to clients.'
+    value: 'Windows Media Connect compatible (MiniDLNA)'
+    state: 'comment'
+
+  - name: 'model_number'
+    comment: |
+      Model number the server reports to clients.
+      Defaults to the version number of minidlna.
+    value: ''
+    state: 'comment'
+
+  - name: "inotify"
+    comment: 'Automatic discovery of new files in the media_dir directory.'
+    value: True
+    state: 'comment'
+
+  - name: 'album_art_names'
+    comment: |
+      List of file names to look for when searching for album art.
+      Names should be delimited with a forward slash ("/").
+      This option can be specified more than once.
+    value:
+      - 'Cover.jpg/cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg'
+      - 'AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg'
+      - 'Folder.jpg/folder.jpg/Thumb.jpg/thumb.jpg'
+
+  - name: 'strict_dlna'
+    comment: |
+      Strictly adhere to DLNA standards.
+      This allows server-side downscaling of very large JPEG images, which may
+      decrease JPEG serving performance on (at least) Sony DLNA products.
+    value: False
+    state: 'comment'
+
+  - name: 'enable_tivo'
+    comment: 'Support for streaming .jpg and .mp3 files to a TiVo supporting HMO.'
+    value: False
+    state: 'comment'
+
+  - name: 'tivo_discovery'
+    comment: |
+      Which method to use for registering in TiVo: 'bonjour' (default) or
+      legacy 'beacon'
+    value: 'bonjour'
+    state: 'comment'
+
+  - name: 'notify_interval'
+    comment: 'SSDP notify interval, in seconds.'
+    value: 895
+    state: 'comment'
+
+  - name: 'minissdpdsocket'
+    comment: 'Path to the MiniSSDPd socket, for MiniSSDPd support.'
+    value: '/run/minissdpd.sock'
+    state: 'comment'
+
+  - name: 'force_sort_criteria'
+    comment: |
+      Always set SortCriteria to this value, regardless of the SortCriteria
+      passed by the client
+      e.g. force_sort_criteria=+upnp:class,+upnp:originalTrackNumber,+dc:title
+    value: ''
+    state: 'comment'
+
+  - name: 'max_connections'
+    comment: |
+      maximum number of simultaneous connections
+      note: many clients open several simultaneous connections while streaming
+    value: 50
+    state: 'comment'
+
+  - name: 'wide_links'
+    comment: 'set this to yes to allow symlinks that point outside user-defined media_dirs.'
+    value: False
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: minidlna__default_configuration [[[
+#
+# List of the default MiniDLNA configuration options defined by the role.
+minidlna__default_configuration:
+
+  # The default notification interval results in the MiniDLNA broadcasting its
+  # presence every 14 minutes(!). This is too long for a reasonable setup where
+  # you might expect to see a DLNA server appear almost immediately.
+  - name: 'notify_interval'
+    value: 30
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: minidlna__configuration [[[
+#
+# List of MiniDLNA configuration options defined on all hosts in the Ansible inventory.
+minidlna__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__group_configuration [[[
+#
+# List of MiniDLNA configuration options defined on hosts in a specific Ansible
+# inventory group.
+minidlna__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__host_configuration [[[
+#
+# List of MiniDLNA configuration options defined on specific hosts in the
+# Ansible inventory.
+minidlna__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: minidlna__combined_configuration [[[
+#
+# Variable which combines MiniDLNA configuration lists and is used in role
+# tasks and templates.
+minidlna__combined_configuration: '{{ minidlna__original_configuration
+                                      + minidlna__default_configuration
+                                      + minidlna__configuration
+                                      + minidlna__group_configuration
+                                      + minidlna__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: minidlna__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+minidlna__ferm__dependent_rules:
+
+  - name: 'minidlna_allow_http'
+    type: 'accept'
+    dport: [ 'minidlna' ]
+    protocol: [ 'tcp' ]
+    saddr: '{{ minidlna__allow + minidlna__group_allow + minidlna__host_allow }}'
+    weight: '50'
+    by_role: 'debops.minidlna'
+
+  - name: 'minidlna_allow_ssdp'
+    type: 'accept'
+    dport: [ 'ssdp' ]
+    protocol: [ 'udp' ]
+    saddr: '{{ minidlna__ssdp_allow + minidlna__ssdp_group_allow + minidlna__ssdp_host_allow }}'
+    accept_any: False
+    weight: '50'
+    by_role: 'debops.minidlna'
+
+                                                                   # ]]]
+# .. envvar:: minidlna_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+minidlna_server__etc_services__dependent_list:
+
+  - name: 'ssdp'
+    port: '1900'
+    protocol: [ 'udp' ]
+    comment: 'Simple Service Discovery Protocol'
+
+  - name: 'minidlna'
+    port: '8200'
+    protocol: [ 'tcp' ]
+    comment: 'MiniDLNA media server Web Interface'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/minidlna/meta/main.yml b/ansible_collections/debops/debops/roles/minidlna/meta/main.yml
new file mode 100644
index 00000000..674c9a7a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Julien Lecomte'
+  description: 'Configure MiniDLNA instances'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - minidlna
+    - dlna
diff --git a/ansible_collections/debops/debops/roles/minidlna/tasks/main.yml b/ansible_collections/debops/debops/roles/minidlna/tasks/main.yml
new file mode 100644
index 00000000..f78a89f1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+# Package installation [[[1
+- name: Install MiniDLNA packages
+  ansible.builtin.apt:
+    name: '{{ (minidlna__base_packages + minidlna__packages) | flatten }}'
+    state: 'present'
+  register: minidlna__register_packages
+  until: minidlna__register_packages is succeeded
+
+# MiniDLNA configuration [[[1
+- name: Divert the MiniDLNA configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/minidlna.conf'
+
+- name: Generate MiniDLNA configuration file
+  ansible.builtin.template:
+    src: 'etc/minidlna.conf.j2'
+    dest: '/etc/minidlna.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  register: minidlna__register_configuration
+
+- name: Conditionally restart MiniDLNA service
+  ansible.builtin.systemd:
+    name: 'minidlna.service'
+    enabled: true
+    daemon_reload: '{{ True if (minidlna__register_configuration is changed) else omit }}'
+    state: '{{ "restarted" if (minidlna__register_configuration is changed) else "started" }}'
+  when: ansible_service_mgr == 'systemd'
+
+# Ansible facts [[[1
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create local facts of MiniDLNA
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/minidlna.fact.j2'
+    dest: '/etc/ansible/facts.d/minidlna.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/minidlna/templates/etc/ansible/facts.d/minidlna.fact.j2 b/ansible_collections/debops/debops/roles/minidlna/templates/etc/ansible/facts.d/minidlna.fact.j2
new file mode 100644
index 00000000..2b926cee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/templates/etc/ansible/facts.d/minidlna.fact.j2
@@ -0,0 +1,25 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+
+output = {}
+
+try:
+    with open("/etc/minidlna.conf", 'r') as fp:
+        output["configured"] = True
+        for line in fp:
+            if line.startswith("port="):
+                output["http_port"] = line[5:].strip()
+    pass
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/minidlna/templates/etc/minidlna.conf.j2 b/ansible_collections/debops/debops/roles/minidlna/templates/etc/minidlna.conf.j2
new file mode 100644
index 00000000..7ebad1cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minidlna/templates/etc/minidlna.conf.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+ # Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# This is the configuration file for the MiniDLNA daemon, a DLNA/UPnP-AV media
+# server.
+#
+# Unless otherwise noted, the commented out options show their default value.
+#
+# On Debian, you can also refer to the minidlna.conf(5) man page for
+# documentation about this file.
+
+{% for element in minidlna__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if element.comment | d() %}
+{%       if not loop.first %}
+
+{%       endif %}
+{{       element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     set element_comment = ('#' if element.state | d('present') == 'comment' else '') %}
+{%     if element.value is defined %}
+{%       if element.value is string and not element.value | bool %}
+{%         set element_value = element.value %}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           set element_value = 'yes' %}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             if element.value | string == '0' %}
+{%               set element_value = element.value %}
+{%             else %}
+{%               set element_value = 'no' %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list %}
+{%       endif %}
+{%     else %}
+{%       set element_value = element.value | d() %}
+{%     endif %}
+{%     if element_value is not string and element_value is not mapping and element_value is iterable %}
+{%       for thing in element_value %}
+{{         '{}{}={}'.format(element_comment, element.name, thing) }}
+{%       endfor %}
+{%     else %}
+{{       '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/miniflux/COPYRIGHT b/ansible_collections/debops/debops/roles/miniflux/COPYRIGHT
new file mode 100644
index 00000000..d9a2ec61
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/COPYRIGHT
@@ -0,0 +1,17 @@
+debops.miniflux - Manage Miniflux with Ansible
+
+Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+Copyright (C) 2015-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/miniflux/defaults/main.yml b/ansible_collections/debops/debops/roles/miniflux/defaults/main.yml
new file mode 100644
index 00000000..32ef3e5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/defaults/main.yml
@@ -0,0 +1,378 @@
+---
+# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+# Copyright (C) 2022      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# .. _miniflux__ref_defaults:
+
+# debops.miniflux default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Web service configuration [[[
+# -----------------------------
+
+# .. envvar:: miniflux__domain [[[
+#
+# The DNS domain used by other variables in the ``debops.miniflux``
+# role.
+miniflux__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__fqdn [[[
+#
+# String of the Fully Qualified domain names on which the Miniflux
+# application will be available, used by the webserver.
+miniflux__fqdn: 'miniflux.{{ miniflux__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__bind [[[
+#
+# The ip address on which this Miniflux listens on.
+miniflux__bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__port [[[
+#
+# Port number on which this Miniflux listens on.
+miniflux__port: '3366'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application user, group, home [[[
+# ---------------------------------
+
+# .. envvar:: miniflux__user [[[
+#
+# Name of the UNIX system account used by the Miniflux service.
+miniflux__user: 'miniflux'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__group [[[
+#
+# Name of the UNIX system group used by the Miniflux service.
+miniflux__group: 'miniflux'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__gecos [[[
+#
+# Contents of the GECOS field set for the Miniflux account.
+miniflux__gecos: 'Miniflux'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__shell [[[
+#
+# The default shell set on the Miniflux account.
+miniflux__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__home [[[
+#
+# The Miniflux account home directory.
+miniflux__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                    + "/" + miniflux__user }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PostgreSQL database configuration [[[
+# -------------------------------------
+
+# The Miniflux database configuration is managed by the
+# :ref:`debops.postgresql` Ansible role. See its documentation for
+# details about the default variable values used in the Miniflux role.
+
+# .. envvar:: miniflux__database_host [[[
+#
+# The hostname or IP address of the PostgreSQL database server to use
+# for the Miniflux database.
+miniflux__database_host: '{{ ansible_local.postgresql.server | d("localhost") }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__database_port [[[
+#
+# The TCP port of the PostgreSQL database server which should be used by
+# Miniflux.
+miniflux__database_port: '{{ ansible_local.postgresql.port | d("5432") }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__database_name [[[
+#
+# Name of the PostgreSQL database and its corresponding role used by
+# Miniflux. This role won't be able to login to the database server
+# directly.
+miniflux__database_name: 'miniflux_production'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__database_user [[[
+#
+# Name of the PostgreSQL role used by Miniflux. This role will be able
+# to login to the PostgreSQL server and access the Miniflux database.
+miniflux__database_user: 'miniflux'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__database_password [[[
+#
+# Autogenerated password to the Miniflux PostgreSQL user role.
+miniflux__database_password: '{{ lookup("password", secret + "/postgresql/" +
+                                    (ansible_local.postgresql.delegate_to | d("localhost")) + "/" +
+                                    (ansible_local.postgresql.port | d("5432")) + "/credentials/" +
+                                    miniflux__database_user + "/password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Go application deployment [[[
+# -----------------------------
+
+# These variables control how the :command:`miniflux` binary is
+# installed on the host. The installation is performed by the
+# :ref:`debops.golang` role, refer to its documentation for details. The
+# installation definition can be found in the
+# :envvar:`miniflux__golang__dependent_packages` variable.
+
+# .. envvar:: miniflux__upstream_gpg_key [[[
+#
+# The fingerprint of the GPG key which is used to sign the Miniflux
+# releases. It will be used to verify the downloaded signature file as
+# well as the :command:`git` tags in the source repository.
+miniflux__upstream_gpg_key: '5A7A 89AC F055 24CA A0F3  6F9B AEB7 A164 0710 8DB5'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__upstream_type [[[
+#
+# Specify the method which should be used to install Miniflux binary.  The
+# ``apt`` method will install Miniflux via the configured APT repository, if
+# it's available. The ``url`` method will download the :command:`miniflux`
+# compiled binary and install it directly after verification with the official
+# GPG key. The ``git`` method will download Miniflux source code and compile it
+# locally (this method doesn't work on Debian Bullseye due to missing "embed"
+# Go library).
+miniflux__upstream_type: 'apt'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__upstream_version [[[
+#
+# Version of the Miniflux upstream.
+miniflux__upstream_version: '2.0.35'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__upstream_url_mirror [[[
+#
+# The base URL of the Miniflux download page, should end with the ``/``
+# character.
+miniflux__upstream_url_mirror: 'https://github.com/miniflux/v2/releases/'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__upstream_platform [[[
+#
+# Specify the OS type and platform architecture to use for installation.
+# The list of supported architectures and OS types can be found on the
+# https://github.com/miniflux/v2/releases/ page.
+miniflux__upstream_platform: 'linux-amd64'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__upstream_git_repository [[[
+#
+# The URL of the upstream :command:`git` repository which contains
+# Miniflux source code.
+miniflux__upstream_git_repository: 'https://github.com/miniflux/miniflux'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__binary [[[
+#
+# Absolute path to the :command:`miniflux` Go binary installed on the
+# host. See the :ref:`debops.golang` role for more details.
+miniflux__binary: '{{ ansible_local.golang.binaries["miniflux"]
+                      if (ansible_local.golang.binaries | d() and
+                          ansible_local.golang.binaries.miniflux | d())
+                      else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Miniflux configuration [[[
+# --------------------------
+
+# The variables below define the contents of the :file:`/etc/miniflux.conf`
+# configuration file. See :ref:`miniflux__ref_configuration` for more details.
+
+# .. envvar:: miniflux__default_configuration [[[
+#
+# Miniflux configuration options defined by the role by default.
+miniflux__default_configuration:
+
+  - name: 'run_migrations'
+    value: True
+
+  - name: 'database_url'
+    value: '{{ "postgres://" + miniflux__database_user
+               + ":" + miniflux__database_password
+               + "@" + miniflux__database_host
+               + ":" + miniflux__database_port
+               + "/" + miniflux__database_name }}'
+
+  - name: 'listen_addr'
+    value: '{{ miniflux__bind + ":" + miniflux__port }}'
+
+  - name: 'base_url'
+    value: '{{ "https://" + miniflux__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__configuration [[[
+#
+# Miniflux configuration options defined on all hosts in the Ansible inventory.
+miniflux__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: miniflux__group_configuration [[[
+#
+# Miniflux configuration options defined on hosts in a specific Ansible
+# inventory group.
+miniflux__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: miniflux__host_configuration [[[
+#
+# Miniflux configuration options defined on specific hosts in the Ansible
+# inventory.
+miniflux__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: miniflux__combined_configuration [[[
+#
+# Variable which combines all Miniflux configuration lists and is used in role
+# tasks and templates.
+miniflux__combined_configuration: '{{ miniflux__default_configuration
+                                      + miniflux__configuration
+                                      + miniflux__group_configuration
+                                      + miniflux__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+miniflux__keyring__dependent_apt_keys:
+
+  - id: '{{ miniflux__upstream_gpg_key }}'
+    url: 'https://apt.miniflux.app/KEY.gpg'
+    repo: 'deb https://apt.miniflux.app/ /'
+    state: '{{ "present"
+               if (miniflux__upstream_type == "apt")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__postgresql__dependent_roles [[[
+#
+# Role configuration for the :ref:`debops.postgresql` Ansible role.
+miniflux__postgresql__dependent_roles:
+
+  - name: '{{ miniflux__database_user }}'
+
+  - name: '{{ miniflux__database_name }}'
+    flags: [ 'NOLOGIN' ]
+
+                                                                   # ]]]
+# .. envvar:: miniflux__postgresql__dependent_groups [[[
+#
+# Group configuration for the :ref:`debops.postgresql` Ansible role.
+miniflux__postgresql__dependent_groups:
+
+  - roles: [ '{{ miniflux__database_user }}' ]
+    groups: [ '{{ miniflux__database_name }}' ]
+    database: '{{ miniflux__database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__postgresql__dependent_databases [[[
+#
+# Database configuration for the :ref:`debops.postgresql` Ansible role.
+miniflux__postgresql__dependent_databases:
+
+  - name: '{{ miniflux__database_name }}'
+    owner: '{{ miniflux__database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__postgresql__dependent_pgpass [[[
+#
+# ``~/.pgpass`` configuration for the :ref:`debops.postgresql` Ansible
+# role.
+miniflux__postgresql__dependent_pgpass:
+
+  - owner: '{{ miniflux__user }}'
+    group: '{{ miniflux__group }}'
+    home: '{{ miniflux__home }}'
+    system: True
+
+                                                                   # ]]]
+# .. envvar:: miniflux__postgresql__dependent_extensions [[[
+#
+# Configuration of PostgreSQL extensions for the
+# :ref:`debops.postgresql` Ansible role.
+miniflux__postgresql__dependent_extensions:
+
+  - database: '{{ miniflux__database_name }}'
+    extension: 'hstore'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__golang__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.golang` Ansible role.
+miniflux__golang__dependent_packages:
+
+  - name: 'miniflux'
+    upstream_type: '{{ miniflux__upstream_type }}'
+    apt_packages: [ 'miniflux' ]
+    gpg:
+      - id: '{{ miniflux__upstream_gpg_key }}'
+        url: 'https://apt.miniflux.app/KEY.gpg'
+    url:
+      - src: '{{ miniflux__upstream_url_mirror + "download/" + miniflux__upstream_version + "/miniflux-" + miniflux__upstream_platform }}'
+        dest: 'releases/{{ miniflux__upstream_platform }}/miniflux/miniflux/" + miniflux__upstream_version + "/miniflux_" + miniflux__upstream_version + "_linux_amd64'
+    url_binaries:
+      - src: 'releases/{{ miniflux__upstream_platform }}/miniflux/miniflux/" + miniflux__upstream_version + "/miniflux_" + miniflux__upstream_version + "_linux_amd64'
+        dest: 'miniflux'
+        notify: [ 'Restart miniflux' ]
+    git:
+      - repo: '{{ miniflux__upstream_git_repository }}'
+        version: '{{ miniflux__upstream_version }}'
+        build_script: |
+          make clean linux-amd64
+    git_binaries:
+      - src: 'github.com/miniflux/v2/bin/miniflux.app'
+        dest: 'miniflux'
+        notify: [ 'Restart miniflux' ]
+
+                                                                   # ]]]
+# .. envvar:: miniflux__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+miniflux__nginx__dependent_upstreams:
+
+  - name: 'miniflux-upstream'
+    server: '{{ miniflux__bind }}:{{ miniflux__port }}'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+miniflux__nginx__dependent_servers:
+
+  - name: '{{ miniflux__fqdn }}'
+    by_role: 'debops.miniflux'
+    filename: 'debops.miniflux'
+    type: 'proxy'
+    proxy_location: '/'
+    proxy_headers: True
+    proxy_options: |
+      proxy_redirect off;
+    proxy_pass: 'http://miniflux-upstream'
+
+                                                                   # ]]]
+# .. envvar:: miniflux__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+miniflux__etc_services__dependent_list:
+
+  - name: 'miniflux'
+    port: '{{ miniflux__port }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/miniflux/meta/main.yml b/ansible_collections/debops/debops/roles/miniflux/meta/main.yml
new file mode 100644
index 00000000..42f8e8da
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Berkhan Berkdemir'
+  description: 'Install and manage a Miniflux instance'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - cloud
+    - private
+    - privacy
diff --git a/ansible_collections/debops/debops/roles/miniflux/meta/watch-miniflux b/ansible_collections/debops/debops/roles/miniflux/meta/watch-miniflux
new file mode 100644
index 00000000..670e4873
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/meta/watch-miniflux
@@ -0,0 +1,12 @@
+# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: miniflux
+# Package: miniflux
+# Version: 2.0.35
+
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%" \
+    https://github.com/miniflux/v2/tags \
+    (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
diff --git a/ansible_collections/debops/debops/roles/miniflux/tasks/main.yml b/ansible_collections/debops/debops/roles/miniflux/tasks/main.yml
new file mode 100644
index 00000000..032b0733
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Create required UNIX system group
+  ansible.builtin.group:
+    name: '{{ miniflux__group }}'
+    state: 'present'
+    system: True
+
+- name: Create required UNIX system account
+  ansible.builtin.user:
+    name: '{{ miniflux__user }}'
+    group: '{{ miniflux__group }}'
+    home: '{{ miniflux__home }}'
+    comment: '{{ miniflux__gecos }}'
+    shell: '{{ miniflux__shell }}'
+    skeleton: '/dev/null'
+    state: 'present'
+    system: True
+
+- name: Generate Miniflux configuration
+  ansible.builtin.template:
+    src: 'etc/miniflux.conf.j2'
+    dest: '/etc/miniflux.conf'
+    mode: '0640'
+  notify: [ 'Restart miniflux' ]
+
+- name: Install systemd configuration files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/miniflux.service.j2'
+    dest: '/etc/systemd/system/miniflux.service'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+  when: miniflux__upstream_type != 'apt'
+
+- name: Flush handlers if needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Start and enable Miniflux service
+  ansible.builtin.service:
+    name: 'miniflux'
+    state: 'started'
+    enabled: True
+  when: miniflux__upstream_type != 'apt'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Minflux local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/miniflux.fact.j2'
+    dest: '/etc/ansible/facts.d/miniflux.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/miniflux/templates/etc/ansible/facts.d/miniflux.fact.j2 b/ansible_collections/debops/debops/roles/miniflux/templates/etc/ansible/facts.d/miniflux.fact.j2
new file mode 100644
index 00000000..e0f36d5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/templates/etc/ansible/facts.d/miniflux.fact.j2
@@ -0,0 +1,34 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('miniflux')}
+
+try:
+    miniflux_version_stdout = subprocess.check_output(
+            ["miniflux", "--version"]
+            ).decode('utf-8').strip()
+    if miniflux_version_stdout:
+        output['version'] = miniflux_version_stdout
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/miniflux/templates/etc/miniflux.conf.j2 b/ansible_collections/debops/debops/roles/miniflux/templates/etc/miniflux.conf.j2
new file mode 100644
index 00000000..e2d5b8f0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/templates/etc/miniflux.conf.j2
@@ -0,0 +1,54 @@
+{# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+ # Copyright (C) 2022      Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for item in miniflux__combined_configuration | debops.debops.parse_kv_config %}
+{%   if item.state not in [ 'absent', 'ignore', 'init' ] %}
+{%     if item.separator | d() %}
+{{       '' }}
+{%     endif %}
+{%     if (item.comment | d()) and not loop.first %}
+{{       '' }}
+{%     endif %}
+{%     if item.comment | d() %}
+{{       item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     set item_comment = '' %}
+{%     set item_name = item.name | upper %}
+{%     if item.state == 'comment' %}
+{%       set item_comment = '#' %}
+{%     endif %}
+{%     if item.raw | d() %}
+{%       if item.state == 'comment' %}
+{{         item.raw | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='#') -}}
+{%       else %}
+{{         item.raw | regex_replace('\n$','') }}
+{%       endif %}
+{%     elif item.value is defined %}
+{%       if item.value | bool and item.value is not iterable %}
+{%         if item.value | string == '1' %}
+{{           "{}{}={}".format(item_comment, item_name, item.value) }}
+{%         else %}
+{{           "{}{}={}".format(item_comment, item_name, '1') }}
+{%         endif %}
+{%       elif not item.value | bool and item.value is not iterable %}
+{%         if item.value is not none %}
+{%           if item.value | int or item.value | string == '0' %}
+{{             "{}{}={}".format(item_comment, item_name, item.value) }}
+{%           else %}
+{{             "{}{}={}".format(item_comment, item_name, '0') }}
+{%           endif %}
+{%         endif %}
+{%       elif item.value is string %}
+{{         '{}{}="{}"'.format(item_comment, item_name, item.value) }}
+{%       elif item.value is number %}
+{{         "{}{}={}".format(item_comment, item_name, item.value) }}
+{%       elif item.value is not string and item.value is not mapping %}
+{{         "{}{}={}".format(item_comment, item_name, item.value | join(" ")) }}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/miniflux/templates/etc/systemd/system/miniflux.service.j2 b/ansible_collections/debops/debops/roles/miniflux/templates/etc/systemd/system/miniflux.service.j2
new file mode 100644
index 00000000..4ace0ff5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/miniflux/templates/etc/systemd/system/miniflux.service.j2
@@ -0,0 +1,41 @@
+{# Copyright (C) 2021-2022 Berkhan Berkdemir <berkhan@tekdanisman.com>
+ # Copyright (C) 2022      Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ ansible_managed | comment(prefix='', postfix='') }}
+[Unit]
+Description=Miniflux
+Documentation=man:miniflux(1) https://miniflux.app/docs/index.html
+After=network.target network-online.target postgresql.service
+
+[Service]
+ExecStart={{ miniflux__binary }}
+User={{ miniflux__user }}
+EnvironmentFile=/etc/miniflux.conf
+Type=notify
+WatchdogSec=60s
+WatchdogSignal=SIGKILL
+Restart=always
+RestartSec=5
+RuntimeDirectory=miniflux
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ProtectSystem=strict
+PrivateTmp=yes
+NoNewPrivileges=yes
+RestrictNamespaces=yes
+ProtectHome=yes
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectHostname=yes
+RestrictRealtime=yes
+ProtectKernelLogs=yes
+ProtectClock=yes
+SystemCallArchitectures=native
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/minio/COPYRIGHT b/ansible_collections/debops/debops/roles/minio/COPYRIGHT
new file mode 100644
index 00000000..5d8cfc7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.minio - Install MinIO, Amazon S3 Compatible Object Storage
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/minio/defaults/main.yml b/ansible_collections/debops/debops/roles/minio/defaults/main.yml
new file mode 100644
index 00000000..f1b9cdcb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/defaults/main.yml
@@ -0,0 +1,503 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _minio__ref_defaults:
+
+# debops.minio default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: minio__user [[[
+#
+# The name of the UNIX system account used by the MinIO service.
+minio__user: 'minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__group [[[
+#
+# The name of the UNIX system group used by the MinIO service.
+minio__group: 'minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__additional_groups [[[
+#
+# List of additional UNIX groups to add to the MinIO UNIX account, required for
+# access to additional resources.
+minio__additional_groups: '{{ ["ssl-cert"] if minio__pki_enabled | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__home [[[
+#
+# The absolute path of the MinIO UNIX account home directory.
+minio__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                 + "/" + minio__user }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__shell [[[
+#
+# The UNIX shell used by the MinIO account.
+minio__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: minio__comment [[[
+#
+# The GECOS field set on the MinIO UNIX account.
+minio__comment: 'MinIO'
+                                                                   # ]]]
+                                                                   # ]]]
+# Go application deployment [[[
+# -----------------------------
+
+# These variables control how the :command:`minio` binary is installed on the
+# host. The installation is performed by the :ref:`debops.golang` role, refer
+# to its documentation for details. The installation definition can be found in
+# the :envvar:`minio__golang__dependent_packages` variable.
+
+# .. envvar:: minio__upstream_gpg_key [[[
+#
+# The fingerprint of the GPG key which is used to sign the MinIO releases. It
+# will be used to verify the downloaded signature file as well as the
+# :command:`git` tags in the source repository.
+minio__upstream_gpg_key: '4405 F3F0 DDBA 1B9E 68A3  1D25 12C7 4390 F9AA C728'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_type [[[
+#
+# Specify the method which should be used to install MinIO binary. Either
+# ``url`` to download the configured binary directly and virify it using the
+# specified GPG key, or ``git`` to clone the MinIO :command:`git` repository
+# and build the specified version from source.
+minio__upstream_type: 'url'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_upgrade [[[
+#
+# Enable or disable automatic upgrades of MinIO downloaded from upstream.
+# This does not affect installations built from the :command:`git` repository.
+#
+# MinIO is updated quite frequently. Remember that already downloaded MinIO
+# releases are not removed automatically; check the download directory (by
+# default :file:`/var/local/_golang/go/src/releases/linux-amd64/minio/` ) and
+# remove old releases.
+minio__upstream_upgrade: False
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_url_mirror [[[
+#
+# The base URL of the MinIO download page, should end with the ``/`` character.
+minio__upstream_url_mirror: 'https://dl.min.io/server/minio/release/'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_platform [[[
+#
+# Specify the OS type and platform architecture to use for installation. The
+# list of supported architectures and OS types can be found on the
+# https://dl.min.io/server/minio/release/ page.
+minio__upstream_platform: 'linux-amd64'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_url_release [[[
+#
+# The version of MinIO to download from upstream on a given host. You should
+# specify the ``RELEASE.YYYY-MM-DDTHH-MM-SSZ`` tagged release number.
+#
+# Available MinIO releases: https://github.com/minio/minio/releases
+minio__upstream_url_release: '{{ minio__env_upstream_url_release }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_url_binary [[[
+#
+# The path to the MinIO binary on the upstream HTTPS server, relative to the OS
+# type and platform directory.
+minio__upstream_url_binary: '{{ "archive/minio." + minio__upstream_url_release }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_git_repository [[[
+#
+# The URL of the upstream :command:`git` repository which contains MinIO source
+# code.
+minio__upstream_git_repository: 'https://github.com/minio/minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__upstream_git_release [[[
+#
+# The version of MinIO to build from source on a given host. The build version
+# depends on the availability of a specific Golang version and other factors.
+# Latest MinIO versions which can be built on a given OS distribution release
+# are preferable.
+minio__upstream_git_release: '{{ "RELEASE.2019-03-27T22-35-21Z"
+                                 if (ansible_distribution_release in
+                                     ["stretch", "buster", "xenial", "bionic"])
+                                     else ("RELEASE.2019-09-05T23-24-38Z"
+                                       if (ansible_distribution_release in
+                                           ["bullseye"])
+                                       else minio__upstream_url_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__binary [[[
+#
+# Absolute path to the :command:`minio` Go binary installed on the host.
+# See the :ref:`debops.golang` role for more details.
+minio__binary: '{{ ansible_local.golang.binaries["minio"]
+                   if (ansible_local.golang.binaries | d() and
+                       ansible_local.golang.binaries.minio | d())
+                   else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Filesystem layout [[[
+# ---------------------
+
+# .. envvar:: minio__config_dir [[[
+#
+# The directory which contains MinIO tenant configuration files with
+# environment variables for each MinIO instance.
+minio__config_dir: '/etc/minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__volumes_dir [[[
+#
+# The directory which contains MinIO volumes. If not specified otherwise, each
+# MinIO tenant will have its volume subdirectory created in this directory.
+minio__volumes_dir: '/srv/minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__volumes [[[
+#
+# List of directories in the filesystem which should be created to contain
+# MinIO volumes, defined on all hosts in the Ansible inventory.
+# You can specify a relative path which will be created under
+# the :envvar:`minio__volumes_dir` directory, or an absolute filesystem path.
+minio__volumes: []
+
+                                                                   # ]]]
+# .. envvar:: minio__group_volumes [[[
+#
+# List of directories in the filesystem which should be created to contain
+# MinIO volumes, defined on hosts in a specific Ansible inventory group.
+# You can specify a relative path which will be created under
+# the :envvar:`minio__volumes_dir` directory, or an absolute filesystem path.
+minio__group_volumes: []
+
+                                                                   # ]]]
+# .. envvar:: minio__host_volumes [[[
+#
+# List of directories in the filesystem which should be created to contain
+# MinIO volumes, defined on specific hosts in the Ansible inventory.
+# You can specify a relative path which will be created under
+# the :envvar:`minio__volumes_dir` directory, or an absolute filesystem path.
+minio__host_volumes: []
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS configuration [[[
+# ---------------------
+
+# .. envvar:: minio__fqdn [[[
+#
+# The Fully Qualified Domain Name of a host on which MinIO is installed. This
+# variable is used in the :command:`nginx` configuration to point the upstream
+# to the local MinIO service when TLS support is enabled, due to the X.509
+# certificate requirements. If you want to change the FQDN on which
+# a particular MinIO instance is accessible via :command:`nginx`, use the
+# ``item.fqdn`` parameter instead.
+minio__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__domain [[[
+#
+# This variable is used in the :command:`nginx` configuration to generate the
+# FQDN of the MinIO service based on the MinIO instance name and DNS domain
+# specified here.
+minio__domain: '{{ ansible_domain }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Transport Layer Security (TLS) support [[[
+# ------------------------------------------
+
+# These variables are used to configure the `TLS support in MinIO`__.
+# The :ref:`debops.pki` Ansible is used to manage the private keys and X.509
+# certificates.
+#
+# .. __: https://docs.min.io/docs/how-to-secure-access-to-minio-server-with-tls.html
+
+# .. envvar:: minio__pki_enabled [[[
+#
+# Enable or disable support for encrypted communication between MinIO instances
+# via TLS. The support will be enabled in the :ref:`debops.pki` Ansible role is
+# configured on a host.
+minio__pki_enabled: '{{ ansible_local.pki.enabled
+                        if (ansible_local | d() and ansible_local.pki | d() and
+                            ansible_local.pki.enabled is defined)
+                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__pki_base_path [[[
+#
+# The absolute path to the directory which contains the PKI realm
+# subdirectories.
+minio__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__pki_realm [[[
+#
+# Name of the PKI realm to use by the MinIO service.
+minio__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__pki_key [[[
+#
+# The name of the file which contains the private key used by the X.509
+# certificate, relative to the PKI realm directory.
+minio__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__pki_crt [[[
+#
+# The name of the file which contains the X.509 certificate chain used by
+# MinIO, relative to the PKI realm directory.
+#
+# MinIO requires a full X.509 chain with the intermediate CA and the Root
+# Certificate Authority included. Otherwise you will see the error message
+# "Unable to load the TLS configuration: Invalid TLS certificate".
+minio__pki_crt: 'public/full.pem'
+
+                                                                   # ]]]
+# .. envvar:: minio__tls_certs_dir [[[
+#
+# Absolute path to the directory where the :ref:`debops.minio` role will create
+# symlinks to the private key and X.509 certificate chain used by MinIO for TLS
+# connections.
+minio__tls_certs_dir: '{{ minio__home + "/.minio/certs" }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__tls_private_key [[[
+#
+# Absolute path to the private key used by MinIO which will be symlinked as the
+# :file:`private.key` file inside of the :file:`certs/` directory.
+minio__tls_private_key: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__tls_public_crt [[[
+#
+# Absolute path to the X.509 certificate chain used by MinIO which will be
+# symlinked as the :file:`public.crt` file inside of the :file:`certs/`
+# directory.
+minio__tls_public_crt: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_crt }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# MinIO instance configuration [[[
+# --------------------------------
+
+# The variables below define a list of MinIO instances to manage on
+# a particular host. See :ref:`minio__ref_instances` for more details.
+
+# .. envvar:: minio__default_instances [[[
+#
+# The list of the default MinIO instances defined by the role.
+minio__default_instances:
+
+  # This instance configuration overrides the nginx configuration to use the
+  # host's FQDN instead of the instance name. It also supports using host
+  # subdomains as the bucket names.
+  - name: 'main'
+    port: '9000'
+    console_port: '19000'
+    fqdn: '{{ minio__fqdn }}'
+    domain: '{{ minio__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__instances [[[
+#
+# The list of the MinIO instances which should be defined on all hosts in the
+# Ansible inventory.
+minio__instances: []
+
+                                                                   # ]]]
+# .. envvar:: minio__group_instances [[[
+#
+# The list of the MinIO instances which should be defined on hosts in
+# a specific Ansible inventory group.
+minio__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: minio__host_instances [[[
+#
+# The list of the MinIO instances which should be defined on specific hosts in
+# the Ansible inventory.
+minio__host_instances: []
+
+                                                                   # ]]]
+# .. envvar:: minio__combined_instances [[[
+#
+# The variable which combines all other MinIO instance variables and is used in
+# the role tasks and templates.
+minio__combined_instances: '{{ minio__default_instances
+                               + minio__instances
+                               + minio__group_instances
+                               + minio__host_instances }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: minio__golang__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.golang` Ansible role.
+minio__golang__dependent_packages:
+
+  - name: 'minio'
+    upstream_type: '{{ minio__upstream_type }}'
+    gpg: '{{ minio__upstream_gpg_key }}'
+    url:
+
+      - src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}'
+        dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
+        checksum: 'sha256:{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}.sha256sum'
+
+      - src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary + ".asc" }}'
+        dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}.asc'
+        gpg_verify: True
+
+    url_binaries:
+      - src: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
+        dest: 'minio'
+        notify: 'Restart minio'
+    git:
+      - repo: '{{ minio__upstream_git_repository }}'
+        version: '{{ minio__upstream_git_release }}'
+        build_script: |
+          make clean build
+    git_binaries:
+      - src: '{{ minio__upstream_git_repository.split("://")[1] + "/minio" }}'
+        dest: 'minio'
+        notify: 'Restart minio'
+
+                                                                   # ]]]
+# .. envvar:: minio__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role, generated
+# dynamically based on the MinIO instance configuration.
+minio__etc_services__dependent_list: '{{ minio__env_etc_services_dependent_list }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+minio__sysctl__dependent_parameters:
+
+  # Ref: https://github.com/minio/minio/tree/master/docs/deployment/kernel-tuning
+  - name: 'minio'
+    weight: '80'
+    options:
+
+      - name: 'net.ipv4.tcp_fin_timeout'
+        comment: |
+          A socket left in memory takes approximately 1.5Kb of memory. It makes
+          sense to close the unused sockets preemptively to ensure no memory
+          leakage. This way, even if a peer doesn't close the socket due to
+          some reason, the system itself closes it after a timeout.
+
+          The "tcp_fin_timeout" variable defines this timeout and tells kernel
+          how long to keep sockets in the state FIN-WAIT-2. We recommend
+          setting it to 30.
+        value: 30
+
+      - name: 'net.ipv4.tcp_keepalive_probes'
+        comment: |
+          This variable defines the number of unacknowledged probes to be sent
+          before considering a connection dead.
+        value: 5
+
+      - name: 'net.core.wmem_max'
+        comment: |
+          This parameter sets the max OS send buffer size for all types of
+          connections.
+        value: 540000
+
+      - name: 'net.core.rmem_max'
+        comment: |
+          This parameter sets the max OS receive buffer size for all types of
+          connections.
+        value: 540000
+
+      - name: 'vm.swappiness'
+        comment: |
+          This parameter controls the relative weight given to swapping out
+          runtime memory, as opposed to dropping pages from the system page
+          cache. It takes values from 0 to 100, both inclusive. We recommend
+          setting it to 10.
+        value: 10
+
+      - name: 'vm.dirty_background_ratio'
+        comment: |
+          This is the percentage of system memory that can be filled with dirty
+          pages, i.e. memory pages that still need to be written to disk. We
+          recommend writing the data to the disk as soon as possible. To do
+          this, set the dirty_background_ratio to 1.
+        value: 1
+
+      - name: 'vm.dirty_ratio'
+        comment: |
+          This defines is the absolute maximum amount of system memory that can
+          be filled with dirty pages before everything must get committed to
+          disk.
+        value: 1
+
+      - name: 'kernel.sched_min_granularity_ns'
+        comment: |
+          This parameter decides the minimum time a task will be be allowed to
+          run on CPU before being preempted out. We recommend setting it to
+          10ms.
+        value: 10000000
+
+      - name: 'kernel.sched_wakeup_granularity_ns'
+        comment: |
+          Lowering this parameter improves wake-up latency and throughput for
+          latency critical tasks, particularly when a short duty cycle load
+          component must compete with CPU bound components.
+        value: 15000000
+
+                                                                   # ]]]
+# .. envvar:: minio__sysfs__dependent_attributes [[[
+#
+# Configuration for the :ref:`debops.sysfs` Ansible role.
+minio__sysfs__dependent_attributes:
+
+  - role: 'minio'
+    config:
+      - name: 'transparent_hugepages'
+        state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: minio__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role, generated dynamically
+# based on the MinIO instance configuration.
+minio__ferm__dependent_rules: '{{ minio__env_ferm_dependent_rules }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role, generated
+# dynamically based on the MinIO instance configuration.
+minio__nginx__dependent_upstreams: '{{ minio__env_nginx_dependent_upstreams }}'
+
+                                                                   # ]]]
+# .. envvar:: minio__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role, generated
+# dynamically based on the MinIO instance configuration.
+minio__nginx__dependent_servers: '{{ minio__env_nginx_dependent_servers }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/minio/meta/main.yml b/ansible_collections/debops/debops/roles/minio/meta/main.yml
new file mode 100644
index 00000000..dc6d9eaa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage MinIO, an S3 compatible storage service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+        - bullseye
+  galaxy_tags:
+    - s3
+    - storage
+    - minio
diff --git a/ansible_collections/debops/debops/roles/minio/meta/watch-minio b/ansible_collections/debops/debops/roles/minio/meta/watch-minio
new file mode 100644
index 00000000..3b20aefa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/meta/watch-minio
@@ -0,0 +1,10 @@
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: minio
+# Package: minio
+# Version: master
+
+version=4
+https://github.com/minio/minio/tags .*/(RELEASE\..+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/minio/tasks/main.yml b/ansible_collections/debops/debops/roles/minio/tasks/main.yml
new file mode 100644
index 00000000..659ee7dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/tasks/main.yml
@@ -0,0 +1,174 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Create required UNIX system group
+  ansible.builtin.group:
+    name: '{{ minio__group }}'
+    state: 'present'
+    system: True
+
+- name: Create required UNIX system account
+  ansible.builtin.user:
+    name: '{{ minio__user }}'
+    group: '{{ minio__group }}'
+    groups: '{{ minio__additional_groups }}'
+    append: True
+    home: '{{ minio__home }}'
+    comment: '{{ minio__comment }}'
+    shell: '{{ minio__shell }}'
+    state: 'present'
+    system: True
+
+- name: Create required application directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: '{{ minio__user }}'
+    group: '{{ minio__group }}'
+    mode: '{{ item.mode }}'
+  loop:
+
+    - path: '{{ minio__config_dir }}'
+      mode: '0750'
+
+    - path: '{{ minio__volumes_dir }}'
+      mode: '0750'
+
+    - path: '{{ minio__tls_certs_dir }}'
+      mode: '0700'
+
+- name: Create volume directories
+  ansible.builtin.file:
+    path: '{{ (""
+               if ((item.path | d(item)).startswith("/"))
+               else (minio__volumes_dir + "/"))
+              + (item.path | d(item)) }}'
+    state: 'directory'
+    owner: '{{ minio__user }}'
+    group: '{{ minio__group }}'
+    mode: '0750'
+  loop: '{{ minio__volumes + minio__group_volumes + minio__host_volumes }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Symlink TLS files to MinIO home directory
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    src: '{{ item.src }}'
+    mode: '{{ item.mode }}'
+    state: 'link'
+  loop:
+    - path: '{{ minio__tls_certs_dir + "/private.key" }}'
+      src: '{{ minio__tls_private_key }}'
+      mode: '0640'
+
+    - path: '{{ minio__tls_certs_dir + "/public.crt" }}'
+      src: '{{ minio__tls_public_crt }}'
+      mode: '0644'
+  when: minio__pki_enabled | bool
+
+- name: Install systemd configuration files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    mode: '0644'
+  loop:
+    - 'etc/systemd/system/minio.service'
+    - 'etc/systemd/system/minio@.service'
+  notify: [ 'Reload service manager' ]
+
+- name: Reload systemd daemon if required
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Stop and disable MinIO instances if requested
+  ansible.builtin.systemd:
+    name: 'minio@{{ item.name }}.service'
+    state: 'stopped'
+    enabled: False
+  loop: '{{ minio__combined_instances | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') in ['absent']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove MinIO instance configuration files if requested
+  ansible.builtin.file:
+    path: '{{ minio__config_dir + "/" + item.name }}'
+    state: 'absent'
+  loop: '{{ minio__combined_instances | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') in ['absent']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate MinIO instance configuration files
+  ansible.builtin.template:
+    src: 'etc/minio/instance.j2'
+    dest: '{{ minio__config_dir + "/" + item.name }}'
+    owner: '{{ minio__user }}'
+    group: '{{ minio__group }}'
+    mode: '0640'
+  loop: '{{ minio__combined_instances | debops.debops.parse_kv_items }}'
+  register: minio__register_instance_config
+  when: item.name | d() and item.port | d() and
+        item.state | d('present') not in ['absent', 'ignore', 'init']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Start and enable MinIO instances
+  ansible.builtin.systemd:
+    name: 'minio@{{ item.name }}.service'
+    state: 'started'
+    enabled: True
+  loop: '{{ minio__combined_instances | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and
+        item.name | d() and item.port | d() and
+        item.state | d('present') not in ['absent', 'ignore', 'init']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Start and enable MinIO service
+  ansible.builtin.systemd:
+    name: 'minio.service'
+    state: 'started'
+    enabled: True
+  when: ansible_service_mgr == 'systemd'
+
+- name: Restart MinIO instances if configuration was modified
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'minio@{{ item.item.name }}.service'
+    state: 'restarted'
+  loop: '{{ minio__register_instance_config.results }}'
+  when: item is changed
+
+- name: Install PKI hook script
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/minio.j2'
+    dest: '/etc/pki/hooks/minio'
+    mode: '0755'
+  when: ansible_service_mgr == 'systemd' and minio__pki_enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save MinIO local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/minio.fact.j2'
+    dest: '/etc/ansible/facts.d/minio.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/minio/tasks/main_env.yml b/ansible_collections/debops/debops/roles/minio/tasks/main_env.yml
new file mode 100644
index 00000000..3662f17e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/tasks/main_env.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare minio environment
+  ansible.builtin.set_fact:
+    minio__env_upstream_url_release: '{{ ansible_local.minio.release_tag
+                                         if (ansible_local.minio.release_tag | d() and
+                                             ansible_local.minio.release_tag.startswith("RELEASE.") and
+                                             not minio__upstream_upgrade | bool)
+                                         else (lookup("url",
+                                                      (minio__upstream_url_mirror + minio__upstream_platform
+                                                       + "/minio.sha256sum"))
+                                               | regex_search("minio\.RELEASE\..+$")
+                                               | regex_replace("^minio\.", "")) }}'
+    minio__env_etc_services_dependent_list: '{{ lookup("template",
+                                                "lookup/minio__env_etc_services_dependent_list.j2",
+                                                convert_data=False) | from_yaml }}'
+    minio__env_ferm_dependent_rules:        '{{ lookup("template",
+                                                "lookup/minio__env_ferm_dependent_rules.j2",
+                                                convert_data=False) | from_yaml }}'
+    minio__env_nginx_dependent_upstreams:   '{{ lookup("template",
+                                                "lookup/minio__env_nginx_dependent_upstreams.j2",
+                                                convert_data=False) | from_yaml }}'
+    minio__env_nginx_dependent_servers:     '{{ lookup("template",
+                                                "lookup/minio__env_nginx_dependent_servers.j2",
+                                                convert_data=False) | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/minio/templates/etc/ansible/facts.d/minio.fact.j2 b/ansible_collections/debops/debops/roles/minio/templates/etc/ansible/facts.d/minio.fact.j2
new file mode 100644
index 00000000..fbbeaa28
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/etc/ansible/facts.d/minio.fact.j2
@@ -0,0 +1,49 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('minio')}
+
+try:
+    minio_version_stdout = subprocess.check_output(
+            ["minio", "--version"]
+            ).decode('utf-8').strip()
+except Exception:
+    try:
+        minio_version_stdout = subprocess.check_output(
+                ["minio", "version"]
+                ).decode('utf-8').strip()
+    except Exception:
+        pass
+
+if minio_version_stdout:
+    for line in minio_version_stdout.split('\n'):
+        if line.lower().startswith('minio version '):
+            output['version'] = line.split()[2]
+            output['release_tag'] = line.split()[2]
+        elif line.lower().startswith('version: '):
+            output['version'] = line.split()[1]
+        elif line.lower().startswith('release-tag: '):
+            output['release_tag'] = line.split()[1]
+        elif line.lower().startswith('commit-id: '):
+            output['commit_id'] = line.split()[1]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/minio/templates/etc/minio/instance.j2 b/ansible_collections/debops/debops/roles/minio/templates/etc/minio/instance.j2
new file mode 100644
index 00000000..93d73425
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/etc/minio/instance.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2019-2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration for the '{{ item.name }}' MinIO instance
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='',postfix='') }}
+{% endif %}
+MINIO_TYPE="{{ item.type | d('server') }}"
+{% if item.volumes is undefined or item.volumes | d() %}
+MINIO_VOLUMES="{{ (( [ item.volumes ] if (item.volumes is string) else item.volumes) | join(' ')) if item.volumes | d() else (minio__volumes_dir + '/' + item.name) }}"
+{% endif %}
+MINIO_SERVER_URL="{{ item.server_url | d('https://' + minio__fqdn + '/') }}"
+MINIO_OPTS="{{ '--address ' + (item.bind | d('')) + ':' + item.port | string + ' --console-address ' + (item.console_bind | d('')) + ':' + item.console_port | string + ((' ' + item.minio_options) if item.minio_options | d() else '') }}"
+{% if not (item.standalone | d(False)) | bool %}
+MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/distributed/' + item.name + '/root_user length=20 chars=ascii_letters,digits')) }}"
+MINIO_ROOT_PASSWORD="{{ item.root_password | d(lookup('password', secret + '/minio/distributed/' + item.name + '/root_password length=32')) }}"
+{% else %}
+MINIO_ROOT_USER="{{ item.root_user         | d(lookup('password', secret + '/minio/standalone/' + inventory_hostname + '/' + item.name + '/root_user length=20 chars=ascii_letters,digits')) }}"
+MINIO_ROOT_PASSWORD="{{ item.root_password | d(lookup('password', secret + '/minio/standalone/' + inventory_hostname + '/' + item.name + '/root_password length=32')) }}"
+{% endif %}
+{% if item.browser is defined %}
+MINIO_BROWSER="{{ 'on' if item.browser | bool else 'off' }}"
+{% endif %}
+{% if item.domain | d() or item.domains | d() %}
+MINIO_DOMAIN="{{ ((([ item.domain ] if (item.domain is string) else item.domain) if item.domain | d() else []) + (([ item.domains ] if (item.domains is string) else item.domains) if item.domains | d() else [])) | join(',') }}"
+{% endif %}
+{% if item.environment | d() %}
+{%   for key, value in item.environment.items() %}
+{{ '{}="{}"'.format(key | upper, (value if (value is string) else (value | join(',')))) }}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/minio/templates/etc/pki/hooks/minio.j2 b/ansible_collections/debops/debops/roles/minio/templates/etc/pki/hooks/minio.j2
new file mode 100644
index 00000000..25233bea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/etc/pki/hooks/minio.j2
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart MinIO instances on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+pki_script_realm="${PKI_SCRIPT_REALM:-}"
+minio_pki_realm="{{ minio__pki_realm }}"
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${pki_script_realm}" ] && [ -n "${minio_pki_realm}" ] \
+        && [ "${pki_script_realm}" = "${minio_pki_realm}" ] \
+        && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                minio_state="$(systemctl is-active minio.service)"
+                if [ "${minio_state}" = "active" ] ; then
+                    systemctl restart minio.service
+                fi
+
+            else
+
+                printf "Warning: sysvinit is not supported\\n"
+
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio.service.j2 b/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio.service.j2
new file mode 100644
index 00000000..e19879ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio.service.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=MinIO service
+After=network-online.target
+Documentation=https://docs.min.io
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists={{ minio__config_dir }}
+AssertFileIsExecutable={{ minio__binary }}
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio@.service.j2 b/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio@.service.j2
new file mode 100644
index 00000000..0f06c389
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/etc/systemd/system/minio@.service.j2
@@ -0,0 +1,38 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=MinIO '%i' instance
+Documentation=https://docs.min.io
+Wants=network-online.target
+After=network-online.target
+ConditionPathExists={{ minio__config_dir }}/%i
+AssertFileIsExecutable={{ minio__binary }}
+PartOf=minio.service
+ReloadPropagatedFrom=minio.service
+Before=minio.service
+
+[Service]
+WorkingDirectory={{ minio__home }}
+
+User={{ minio__user }}
+Group={{ minio__group }}
+
+EnvironmentFile=-{{ minio__config_dir }}/%i
+
+ExecStart={{ minio__binary }} $MINIO_TYPE $MINIO_OPTS $MINIO_VOLUMES
+
+# Let systemd restart this service always
+Restart=always
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65536
+
+SyslogIdentifier=minio-%i
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=minio.service
diff --git a/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_etc_services_dependent_list.j2 b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_etc_services_dependent_list.j2
new file mode 100644
index 00000000..0de09a71
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_etc_services_dependent_list.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2019-2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set minio__tpl_etc_services_dependent_list = [] %}
+{% for element in minio__combined_instances | debops.debops.parse_kv_items %}
+{%   if (element.name | d() and element.port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set rule = {'name': ('minio-' + element.name),
+                   'port': element.port,
+                   'protocol': [ 'tcp' ],
+                   'state': element.state} %}
+{%     set _ = minio__tpl_etc_services_dependent_list.append(rule) %}
+{%   endif %}
+{%   if (element.name | d() and element.console_port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set rule = {'name': ('minio-' + element.name + '-console'),
+                   'port': element.console_port,
+                   'protocol': [ 'tcp' ],
+                   'state': element.state} %}
+{%     set _ = minio__tpl_etc_services_dependent_list.append(rule) %}
+{%   endif %}
+{% endfor %}
+{{ minio__tpl_etc_services_dependent_list | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_ferm_dependent_rules.j2 b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_ferm_dependent_rules.j2
new file mode 100644
index 00000000..6bc93b75
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_ferm_dependent_rules.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2019-2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set minio__tpl_ferm_dependent_rules = [] %}
+{% for element in minio__combined_instances | debops.debops.parse_kv_items %}
+{%   if (element.name | d() and element.port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set rule = {'type': 'accept',
+                   'rule_state': element.state,
+                   'dport': [ element.port | string ],
+                   'saddr': (( [ element.allow ] if (element.allow is string) else element.allow) if element.allow | d() else []),
+                   'accept_any': True,
+                   'weight': '50',
+                   'by_role': 'debops.minio',
+                   'name': ('minio-' + element.name)} %}
+{%     set _ = minio__tpl_ferm_dependent_rules.append(rule) %}
+{%   endif %}
+{%   if (element.name | d() and element.console_port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set rule = {'type': 'accept',
+                   'rule_state': element.state,
+                   'dport': [ element.console_port | string ],
+                   'saddr': (( [ element.allow ] if (element.allow is string) else element.allow) if element.allow | d() else []),
+                   'accept_any': True,
+                   'weight': '50',
+                   'by_role': 'debops.minio',
+                   'name': ('minio-' + element.name + '-console')} %}
+{%     set _ = minio__tpl_ferm_dependent_rules.append(rule) %}
+{%   endif %}
+{% endfor %}
+{{ minio__tpl_ferm_dependent_rules | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_servers.j2 b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_servers.j2
new file mode 100644
index 00000000..78ee6804
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_servers.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set minio__tpl_nginx_dependent_servers = [] %}
+{% for element in minio__combined_instances | debops.debops.parse_kv_items %}
+{%   if (element.name | d() and element.port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set server = {'name': [ (element.fqdn | d(element.name + '.' + minio__domain)) ]
+                             + ((( ( [ element.domain ] if (element.domain is string) else element.domain)
+                                   | map('regex_replace', '^(.*)$', '*.\\1')) | list)
+                                if element.domain | d() else [])
+                             + ((( ( [ element.domains ] if (element.domains is string) else element.domains)
+                                   | map('regex_replace', '^(.*)$', '*.\\1')) | list)
+                                if element.domains | d() else []),
+                     'filename': 'minio-' + element.name,
+                     'state': element.state,
+                     'type': 'proxy',
+                     'options': 'ignore_invalid_headers off;\nclient_max_body_size 0;\nproxy_buffering off;',
+                     'proxy_pass': ('https' if minio__pki_enabled | bool else 'http') + '://minio-' + element.name,
+                     'proxy_options': 'proxy_http_version 1.1;\nproxy_read_timeout 15m;\nproxy_send_timeout 15m;\nproxy_request_buffering off;'} %}
+{%     set _ = minio__tpl_nginx_dependent_servers.append(server) %}
+{%   endif %}
+{% endfor %}
+{{ minio__tpl_nginx_dependent_servers | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_upstreams.j2 b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_upstreams.j2
new file mode 100644
index 00000000..66db6bc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/minio/templates/lookup/minio__env_nginx_dependent_upstreams.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set minio__tpl_nginx_dependent_upstreams = [] %}
+{% for element in minio__combined_instances | debops.debops.parse_kv_items %}
+{%   if (element.name | d() and element.port | d() and element.state | d('present') not in [ 'ignore', 'init' ]) %}
+{%     set upstream = {'name': 'minio-' + element.name,
+                       'state': element.state,
+                       'server': (minio__fqdn if minio__pki_enabled | bool else '127.0.0.1') + ':' + element.port | string} %}
+{%     set _ = minio__tpl_nginx_dependent_upstreams.append(upstream) %}
+{%   endif %}
+{% endfor %}
+{{ minio__tpl_nginx_dependent_upstreams | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/monit/COPYRIGHT b/ansible_collections/debops/debops/roles/monit/COPYRIGHT
new file mode 100644
index 00000000..ddfbe218
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.monit - Manage Monit using Ansible
+
+Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/monit/defaults/main.yml b/ansible_collections/debops/debops/roles/monit/defaults/main.yml
new file mode 100644
index 00000000..8885450a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/defaults/main.yml
@@ -0,0 +1,674 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# .. Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _monit__ref_defaults:
+
+# debops.monit default variables [[[
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: monit__base_packages [[[
+#
+# List of base APT packages to install for Monit support.
+monit__base_packages: [ 'monit' ]
+
+                                                                   # ]]]
+# .. envvar:: monit__packages [[[
+#
+# List of additional APT packages to install with Monit.
+monit__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Monit deployment options [[[
+# ----------------------------
+
+# .. envvar:: monit__fqdn [[[
+#
+# The Fully Qualified Domain Name of the host Monit is running on.
+monit__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: monit__domain [[[
+#
+# This variable is used to define the default e-mail address to which Monit
+# alerts will be sent.
+monit__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: monit__check_interval [[[
+#
+# Time in seconds between Monit checks.
+monit__check_interval: '120'
+
+                                                                   # ]]]
+# .. envvar:: monit__start_delay [[[
+#
+# Time in seconds to delay the initial check after Monit is started.
+monit__start_delay: '240'
+
+                                                                   # ]]]
+# .. envvar:: monit__alerts_to [[[
+#
+# Specify the e-mail address where Monit should sent the e-mail alerts to.
+monit__alerts_to: [ 'root@{{ monit__domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: monit__httpd_port [[[
+#
+# The TCP port used by the Monit HTTP server.
+monit__httpd_port: '2812'
+
+                                                                   # ]]]
+# .. envvar:: monit__httpd_username [[[
+#
+# The username used by the Monit CLI to access the HTTP server.
+monit__httpd_username: 'monit'
+
+                                                                   # ]]]
+# .. envvar:: monit__httpd_password [[[
+#
+# The password used by the Monit CLI to access the HTTP server.
+monit__httpd_password: '{{ lookup("password", secret + "/credentials/"
+                           + inventory_hostname + "/monit/httpd/password "
+                           + "chars=ascii_letters,digits length=32") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Monit configuration [[[
+# -----------------------
+
+# These lists define contents of the Monit configuration files, located in the
+# :file:`/etc/monit/conf.d/` directory. See :ref:`monit__ref_config` for more
+# details.
+
+# .. envvar:: monit__default_config [[[
+#
+# The default configuration defined by the ``debops.monit`` Ansible role.
+monit__default_config:
+
+  - name: 'daemon'
+    content: |
+      set daemon {{ monit__check_interval }}
+          with start delay {{ monit__start_delay }}
+    weight: 10
+
+  - name: 'logfile'
+    content: |
+      set logfile syslog facility log_daemon
+    weight: 15
+
+  - name: 'http_server'
+    comment: 'HTTP server is used by the command line tool'
+    content: |
+      set httpd port {{ monit__httpd_port }} and
+          use address localhost
+          allow localhost
+          allow {{ monit__httpd_username + ':' + monit__httpd_password }}
+    weight: 20
+    mode: '0600'
+
+  - name: 'mailserver'
+    content: |
+      set mailserver localhost
+    weight: 25
+
+  - name: 'global_alerts'
+    content: |
+      {% for address in ([monit__alerts_to]
+                         if monit__alerts_to is string
+                         else monit__alerts_to) %}
+      set alert {{ address }} not on { instance, action }
+      {% endfor %}
+    weight: 30
+
+  - name: 'check_system'
+    content: |
+      check system {{ monit__fqdn }}
+        if loadavg (1min)     > {{ ansible_processor_vcpus * 2 }} for 5 cycles then alert
+        if loadavg (5min)     > {{ ansible_processor_vcpus }} for 5 cycles then alert
+        if memory usage       > 75% for 5 cycles then alert
+        if swap usage         > 25% for 5 cycles then alert
+        if cpu usage (user)   > 70% for 5 cycles then alert
+        if cpu usage (system) > 30% for 5 cycles then alert
+        if cpu usage (wait)   > 30% for 5 cycles then alert
+    weight: 35
+
+                                                                   # ]]]
+# .. envvar:: monit__service_config [[[
+#
+# The service configuration shipped with the Debian Monit package. This
+# configuration is modified to work correctly with :command:`systemd` and will
+# be activated when Ansible local facts for specific services are present.
+monit__service_config:
+
+  - name: 'apache2'
+    content: |
+      check process apache2 with pidfile /var/run/apache2/apache2.pid
+        group www
+        group apache2
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start apache2.service"
+        stop  program = "/bin/systemctl stop  apache2.service"
+      {% else %}
+        start program = "/etc/init.d/apache2 start"
+        stop  program = "/etc/init.d/apache2 stop"
+      {% endif %}
+        if failed port 80 protocol http request "/" then restart
+        if 5 restarts with 5 cycles then timeout
+        depend apache2_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend apache2_unit
+      {% else %}
+        depend apache2_rc
+      {% endif %}
+
+      check file apache2_bin with path /usr/sbin/apache2
+        group apache2
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file apache2_unit with path /lib/systemd/system/apache2.service
+        group apache2
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file apache2_rc with path /etc/init.d/apache2
+        group apache2
+        include /etc/monit/templates/rootbin
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local.apache.enabled | d() | bool)
+               else "init" }}'
+
+  - name: 'atd'
+    content: |
+      check process atd with pidfile /var/run/atd.pid
+        group system
+        group atd
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start atd.service"
+        stop  program = "/bin/systemctl stop  atd.service"
+      {% else %}
+        start program = "/etc/init.d/atd start"
+        stop  program = "/etc/init.d/atd stop"
+      {% endif %}
+        if 5 restarts within 5 cycles then timeout
+        depends on atd_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depends on atd_unit
+      {% else %}
+        depends on atd_rc
+      {% endif %}
+
+      check file atd_bin with path "/usr/sbin/atd"
+        group atd
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file atd_unit with path "/lib/systemd/system/atd.service"
+        group atd
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file atd_rc with path "/etc/init.d/atd"
+        group atd
+        include /etc/monit/templates/rootbin
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.atd | d() and
+                   (ansible_local.atd.enabled | d()) | bool)
+               else "init" }}'
+
+  - name: 'cron'
+    content: |
+      check process crond with pidfile /var/run/crond.pid
+        group system
+        group crond
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start cron.service"
+        stop  program = "/bin/systemctl stop  cron.service"
+      {% else %}
+        start program = "/etc/init.d/cron start"
+        stop  program = "/etc/init.d/cron stop"
+      {% endif %}
+        if 5 restarts with 5 cycles then timeout
+        depend cron_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend cron_unit
+      {% else %}
+        depend cron_rc
+      {% endif %}
+        depend cron_spool
+
+      check file cron_bin with path /usr/sbin/cron
+        group crond
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file cron_unit with path "/lib/systemd/system/cron.service"
+        group crond
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file cron_rc with path "/etc/init.d/cron"
+        group crond
+        include /etc/monit/templates/rootbin
+      {% endif %}
+
+      check directory cron_spool with path /var/spool/cron/crontabs
+        group crond
+        if failed permission 1730 then unmonitor
+        if failed uid root        then unmonitor
+        if failed gid crontab     then unmonitor
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.cron | d() and
+                   (ansible_local.cron.enabled | d()) | bool)
+               else "init" }}'
+
+  - name: 'memcached'
+    content: |
+      check process memcached matching "^/usr/bin/memcached"
+        group cache
+        group memcached
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start memcached.service"
+        stop  program = "/bin/systemctl stop  memcached.service"
+      {% else %}
+        start program = "/etc/init.d/memcached start"
+        stop  program = "/etc/init.d/memcached stop"
+      {% endif %}
+        if failed host 127.0.0.1 port 11211 and protocol memcache then restart
+        if cpu > 60% for 2 cycles then alert
+        if cpu > 98% for 5 cycles then restart
+        if 5 restarts within 20 cycles then timeout
+        depend memcache_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend memcache_unit
+      {% else %}
+        depend memcache_rc
+      {% endif %}
+
+      check file memcache_bin with path /usr/bin/memcached
+        group memcached
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file memcache_unit with path /lib/systemd/system/memcached.service
+        group memcached
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file memcache_rc with path /etc/init.d/memcached
+        group memcached
+        include /etc/monit/templates/rootbin
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.memcached | d() and
+                   (ansible_local.memcached.installed | d()) | bool)
+               else "init" }}'
+
+  - name: 'mysql'
+    content: |
+      check process mysqld with pidfile /var/run/mysqld/mysqld.pid
+        group database
+        group mysql
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start mysql.service"
+        stop  program = "/bin/systemctl stop  mysql.service"
+      {% else %}
+        start program = "/etc/init.d/mysql start"
+        stop  program = "/etc/init.d/mysql stop"
+      {% endif %}
+        if failed host localhost port 3306 protocol mysql with timeout 15 seconds for 3 times within 4 cycles then restart
+        if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 4 cycles then restart
+        if 5 restarts with 5 cycles then timeout
+        depend mysql_bin
+        depend mysql_rc
+
+      check file mysql_bin with path /usr/sbin/mysqld
+        group mysql
+        include /etc/monit/templates/rootbin
+
+      check file mysql_rc with path /etc/init.d/mysql
+        group mysql
+        include /etc/monit/templates/rootbin
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.mariadb | d() and
+                   ansible_local.mariadb.server | d("") == "localhost")
+               else "init" }}'
+
+  - name: 'nginx'
+    content: |
+      check process nginx with pidfile /var/run/nginx.pid
+        group www
+        group nginx
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start nginx.service"
+        stop  program = "/bin/systemctl stop  nginx.service"
+      {% else %}
+        start program = "/etc/init.d/nginx start"
+        stop  program = "/etc/init.d/nginx stop"
+      {% endif %}
+        if failed port 80 protocol http request "/" then restart
+        if 5 restarts with 5 cycles then timeout
+        depend nginx_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend nginx_unit
+      {% else %}
+        depend nginx_rc
+      {% endif %}
+
+      check file nginx_bin with path /usr/sbin/nginx
+        group nginx
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file nginx_unit with path /lib/systemd/system/nginx.service
+        group nginx
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file nginx_rc with path /etc/init.d/nginx
+        group nginx
+        include /etc/monit/templates/rootbin
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.nginx | d() and
+                   (ansible_local.nginx.enabled | d()) | bool)
+               else "init" }}'
+
+  - name: 'openntpd'
+    content: |
+      check process ntpd matching "^/usr/sbin/ntpd -f /etc/openntpd/ntpd.conf"
+        group system
+        group ntpd
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start openntpd.service"
+        stop  program = "/bin/systemctl stop  openntpd.service"
+      {% else %}
+        start program = "/etc/init.d/openntpd start"
+        stop  program = "/etc/init.d/openntpd stop"
+      {% endif %}
+        if 4 restarts within 12 cycles then timeout
+        depend ntpd_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend ntpd_unit
+      {% else %}
+        depend ntpd_rc
+      {% endif %}
+
+      check file ntpd_bin with path /usr/sbin/ntpd
+        group ntpd
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file ntpd_unit with path /lib/systemd/system/openntpd.service
+        group ntpd
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file ntpd_rc with path /etc/init.d/openntpd
+        group ntpd
+        include /etc/monit/templates/rootbin
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.ntp | d() and
+                   (ansible_local.ntp.configured | d()) | bool and
+                   ansible_local.ntp.daemon | d("") == "openntpd")
+               else "init" }}'
+
+  - name: 'postfix'
+    content: |
+      check process postfix with pidfile /var/spool/postfix/pid/master.pid
+        group system
+        group mail
+        group postfix
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start postfix.service"
+        stop  program = "/bin/systemctl stop  postfix.service"
+      {% else %}
+        start program = "/etc/init.d/postfix start"
+        stop  program = "/etc/init.d/postfix stop"
+      {% endif %}
+        if failed host localhost port 25 with protocol smtp for 2 times within 3 cycles then restart
+        if 5 restarts with 5 cycles then timeout
+        depend master_bin
+      {% if ansible_distribution_release in ['trusty', 'xenial'] %}
+        depend postfix_rc
+      {% else %}
+        depend postfix_unit
+      {% endif %}
+        depend postdrop_bin
+        depend postqueue_bin
+        depend master_cf
+        depend main_cf
+
+      {% if ansible_distribution_release in ['trusty', 'xenial'] %}
+      check file master_bin with path /usr/lib/postfix/master
+      {% else %}
+      check file master_bin with path /usr/lib/postfix/sbin/master
+      {% endif %}
+        group postfix
+        include /etc/monit/templates/rootbin
+
+      check file postdrop_bin with path /usr/sbin/postdrop
+        group postfix
+        if failed checksum        then unmonitor
+        if failed permission 2555 then unmonitor
+        if failed uid root        then unmonitor
+        if failed gid postdrop    then unmonitor
+
+      check file postqueue_bin with path /usr/sbin/postqueue
+        group postfix
+        if failed checksum        then unmonitor
+        if failed permission 2555 then unmonitor
+        if failed uid root        then unmonitor
+        if failed gid postdrop    then unmonitor
+
+      check file master_cf with path /etc/postfix/master.cf
+        group postfix
+        include /etc/monit/templates/rootrc
+
+      check file main_cf with path /etc/postfix/main.cf
+        group postfix
+        include /etc/monit/templates/rootrc
+
+      {% if ansible_distribution_release in ['trusty', 'xenial'] %}
+      check file postfix_rc with path /etc/init.d/postfix
+        group postfix
+        include /etc/monit/templates/rootbin
+      {% else %}
+      check file postfix_unit with path /lib/systemd/system/postfix.service
+        group postfix
+        include /etc/monit/templates/rootrc
+      {% endif %}
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.postfix | d() and
+                   (ansible_local.postfix.installed | d()) | bool)
+               else "init" }}'
+
+  - name: 'rsyslog'
+    content: |
+      check process rsyslogd with pidfile /var/run/rsyslogd.pid
+        group system
+        group rsyslogd
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start rsyslog.service"
+        stop  program = "/bin/systemctl stop  rsyslog.service"
+      {% else %}
+        start program = "/etc/init.d/rsyslog start"
+        stop  program = "/etc/init.d/rsyslog stop"
+      {% endif %}
+        if 5 restarts with 5 cycles then timeout
+        depend on rsyslogd_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend on rsyslogd_unit
+      {% else %}
+        depend on rsyslogd_rc
+      {% endif %}
+        depend on rsyslog_file
+
+      check file rsyslogd_bin with path /usr/sbin/rsyslogd
+        group rsyslogd
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file rsyslogd_unit with path "/lib/systemd/system/rsyslog.service"
+        group rsyslogd
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file rsyslogd_rc with path "/etc/init.d/rsyslog"
+        group rsyslogd
+        include /etc/monit/templates/rootbin
+      {% endif %}
+
+      check file rsyslog_file with path /var/log/messages
+        group rsyslogd
+        if timestamp > 65 minutes then alert
+        if failed permission 640  then unmonitor
+        if failed uid root        then unmonitor
+        if failed gid adm         then unmonitor
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.rsyslog | d() and
+                   (ansible_local.rsyslog.enabled | d()) | bool)
+               else "init" }}'
+
+  - name: 'snmpd'
+    content: |
+      check process snmpd with pidfile /var/run/snmpd.pid
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start snmpd"
+        stop  program = "/bin/systemctl stop  snmpd"
+      {% else %}
+        start program = "/etc/init.d/snmpd start"
+        stop  program = "/etc/init.d/snmpd stop"
+      {% endif %}
+        if failed host localhost port 161 type udp then restart
+        if 5 restarts within 5 cycles then timeout
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.snmpd | d() and
+                   (ansible_local.snmpd.installed | d()) | bool)
+               else "init" }}'
+
+  - name: 'sshd'
+    content: |
+      check process sshd with pidfile /var/run/sshd.pid
+        group system
+        group sshd
+      {% if ansible_service_mgr == 'systemd' %}
+        start program = "/bin/systemctl start ssh.service"
+        stop  program = "/bin/systemctl stop  ssh.service"
+      {% else %}
+        start program = "/etc/init.d/ssh start"
+        stop  program = "/etc/init.d/ssh stop"
+      {% endif %}
+        if failed host localhost port 22 with proto ssh then restart
+        if 5 restarts with 5 cycles then timeout
+        depend on sshd_bin
+        depend on sftp_bin
+      {% if ansible_service_mgr == 'systemd' %}
+        depend on sshd_unit
+      {% else %}
+        depend on sshd_rc
+      {% endif %}
+        depend on sshd_rsa_key
+        depend on sshd_ecdsa_key
+        depend on sshd_ed25519_key
+
+      check file sshd_bin with path /usr/sbin/sshd
+        group sshd
+        include /etc/monit/templates/rootbin
+
+      check file sftp_bin with path /usr/lib/openssh/sftp-server
+        group sshd
+        include /etc/monit/templates/rootbin
+
+      {% if ansible_service_mgr == 'systemd' %}
+      check file sshd_unit with path /lib/systemd/system/ssh.service
+        group sshd
+        include /etc/monit/templates/rootrc
+      {% else %}
+      check file sshd_rc with path /etc/init.d/ssh
+        group sshd
+        include /etc/monit/templates/rootbin
+      {% endif %}
+
+      check file sshd_rsa_key with path /etc/ssh/ssh_host_rsa_key
+        group sshd
+        include /etc/monit/templates/rootstrict
+
+      check file sshd_ecdsa_key with path /etc/ssh/ssh_host_ecdsa_key
+        group sshd
+        include /etc/monit/templates/rootstrict
+
+      check file sshd_ed25519_key with path /etc/ssh/ssh_host_ed25519_key
+        group sshd
+        include /etc/monit/templates/rootstrict
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.sshd | d() and
+                   (ansible_local.sshd.configured | d()) | bool)
+               else "init" }}'
+
+                                                                   # ]]]
+# .. envvar:: monit__config [[[
+#
+# Monit configuration which should be present on all hosts in the Ansible
+# inventory.
+monit__config: []
+
+                                                                   # ]]]
+# .. envvar:: monit__group_config [[[
+#
+# Monit configuration which should be present on hosts in specific Ansible
+# inventory group.
+monit__group_config: []
+
+                                                                   # ]]]
+# .. envvar:: monit__host_config [[[
+#
+# Monit configuration which should be present on specific hosts in the Ansible
+# inventory.
+monit__host_config: []
+
+                                                                   # ]]]
+# .. envvar:: monit__dependent_config [[[
+#
+# Monit configuration defined by other Ansible roles through role dependent
+# variables. The dependent configuration it not tracked by the role, therefore
+# try to avoid modifying existing configuration to not cause idempotency
+# loops. The dependent configuration can be overridden by the Ansible
+# inventory.
+monit__dependent_config: []
+
+                                                                   # ]]]
+# .. envvar:: monit__combined_config [[[
+#
+# List which combines all of the defined Monit configuration and passed it to
+# the Ansible tasks.
+monit__combined_config: '{{ monit__default_config
+                            + monit__service_config
+                            + monit__dependent_config
+                            + monit__config
+                            + monit__group_config
+                            + monit__host_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: monit__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+monit__etc_services__dependent_list:
+
+  - name: 'monit'
+    port: '{{ monit__httpd_port }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/monit/meta/main.yml b/ansible_collections/debops/debops/roles/monit/meta/main.yml
new file mode 100644
index 00000000..da33fdd9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Nick Janetakis'
+  description: 'Install and configure Monit service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - monitoring
+    - system
diff --git a/ansible_collections/debops/debops/roles/monit/tasks/main.yml b/ansible_collections/debops/debops/roles/monit/tasks/main.yml
new file mode 100644
index 00000000..3d1e5d04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Monit packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (monit__base_packages
+                              + monit__packages)) }}'
+    state: 'present'
+  register: monit__register_packages
+  until: monit__register_packages is succeeded
+
+- name: Remove Monit configuration if requested
+  ansible.builtin.file:
+    path: '/etc/monit/conf.d/{{ ((item.weight | string + "_") if (item.weight != 0) else "") + item.name }}'
+    state: 'absent'
+  with_items: '{{ monit__combined_config | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+  notify: [ 'Test monit and reload' ]
+  no_log: '{{ debops__no_log | d(True if (item.mode | d("0644") == "0600") else False) }}'
+
+- name: Generate Monit configuration
+  ansible.builtin.template:
+    src: 'etc/monit/conf.d/template.j2'
+    dest: '/etc/monit/conf.d/{{ ((item.weight | string + "_") if (item.weight != 0) else "") + item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode | d("0600") }}'
+  with_items: '{{ monit__combined_config | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['init', 'absent']
+  notify: [ 'Test monit and reload' ]
+  no_log: '{{ debops__no_log | d(True if (item.mode | d("0644") == "0600") else False) }}'
+
+- name: Make sure Ansible local facts directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure Monit local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/monit.fact.j2'
+    dest: '/etc/ansible/facts.d/monit.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/monit/templates/etc/ansible/facts.d/monit.fact.j2 b/ansible_collections/debops/debops/roles/monit/templates/etc/ansible/facts.d/monit.fact.j2
new file mode 100644
index 00000000..018a2de3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/templates/etc/ansible/facts.d/monit.fact.j2
@@ -0,0 +1,43 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+output = {'installed': True, 'services': []}
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        monit_stdout = subprocess.check_output(
+            ["/usr/bin/monit --version"],
+            shell=True, stderr=devnull)
+
+    with open(os.devnull, 'w') as devnull:
+        monit_services = subprocess.check_output(
+            ["/usr/bin/monit -B summary | sed -e '1,3d' | awk '{print $1}'"],
+            shell=True, stderr=devnull)
+
+except subprocess.CalledProcessError:
+    pass
+
+if monit_stdout:
+    for line in monit_stdout.decode('utf-8').split('\n'):
+        if 'This is Monit version' in line:
+            output['version'] = line.split()[4]
+
+if monit_services:
+    output['services'] = monit_services.decode('utf-8').strip().split('\n')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/monit/templates/etc/monit/conf.d/template.j2 b/ansible_collections/debops/debops/roles/monit/templates/etc/monit/conf.d/template.j2
new file mode 100644
index 00000000..378d3267
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/monit/templates/etc/monit/conf.d/template.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2014      Nick Janetakis <nick.janetakis@gmail.com>
+ # Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% if item.content | d() %}
+{{ item.content -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/mosquitto/COPYRIGHT b/ansible_collections/debops/debops/roles/mosquitto/COPYRIGHT
new file mode 100644
index 00000000..6c37230f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.mosquitto - Manage a Mosquitto MQTT broker using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mosquitto/defaults/main.yml b/ansible_collections/debops/debops/roles/mosquitto/defaults/main.yml
new file mode 100644
index 00000000..e0e78e99
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/defaults/main.yml
@@ -0,0 +1,741 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _mosquitto__ref_defaults:
+
+# debops.mosquitto default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: mosquitto__upstream [[[
+#
+# If enabled, the role will install Mosquitto APT packages from the upstream
+# repository. On older OS releases, using the upstream package might enable
+# websocket support. The upstream repository is enabled automatically on OS
+# releases with unsuitable Mosquitto version.
+mosquitto__upstream: '{{ True if ansible_distribution_release in ["trusty"]
+                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__upstream_key_id [[[
+#
+# GPG fingerprint of the upstream APT repository signing key.
+mosquitto__upstream_key_id: '8277 CCB4 9EC5 B595 F2D2 C713 6161 1AE4 3099 3623'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__upstream_repository [[[
+#
+# APT URLs of the upstream Mosquitto repositories based on the OS distribution.
+mosquitto__upstream_repository:
+  Debian:   'deb http://repo.mosquitto.org/debian {{ ansible_distribution_release }} main'
+  Raspbian: 'deb http://repo.mosquitto.org/debian {{ ansible_distribution_release }} main'
+  Ubuntu:   'ppa:mosquitto-dev/mosquitto-ppa'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__distribution_release [[[
+#
+# This variable defines the OS release used to determine if certain packages
+# are provided or not.
+mosquitto__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__base_packages [[[
+#
+# List of base APT packages to install for Mosquitto support.
+mosquitto__base_packages:
+  - 'mosquitto'
+  - 'mosquitto-clients'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__packages [[[
+#
+# List of additional APT packages to install with Mosquitto.
+mosquitto__packages: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__version [[[
+#
+# The variable that contains the version number of the Mosquitto server,
+# checked dynamically during role execution.
+mosquitto__version: '{{ mosquitto__register_version.stdout | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PyPI packages [[[
+# -----------------
+
+# The ``paho-mqtt`` Python module is required by Ansible ``mqtt`` module.
+# It became available in Debian Buster. For older releases it's installed
+# from PyPI. This module allows usage of the ``mqtt`` module in Ansible roles
+# after checking if Mosquitto is installed via Ansible local facts.
+
+# .. envvar:: mosquitto__pip_packages [[[
+#
+# List of PyPI packages to install system-wide using :command:`pip` package
+# manager.
+mosquitto__pip_packages: '{{ ["paho-mqtt"]
+                             if (mosquitto__distribution_release in
+                                 ["trusty", "xenial"])
+                             else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# User, group, additional groups [[[
+# ----------------------------------
+
+# .. envvar:: mosquitto__user [[[
+#
+# Name of the UNIX system account used by the Mosquitto service.
+mosquitto__user: 'mosquitto'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__group [[[
+#
+# Name of the UNIX system group used by the Mosquitto service.
+mosquitto__group: 'mosquitto'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__append_groups [[[
+#
+# List of additional UNIX groups that the Mosquitto system account should
+# belong to. The ``ssl-cert`` UNIX group is required for access to the PKI
+# private keys to the TLS certificates.
+mosquitto__append_groups: '{{ ["ssl-cert"] if mosquitto__pki | bool else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: mosquitto__network [[[
+#
+# Enable or disable access to the Mosquitto service over the network. If set to
+# ``False``, only local clients will be able to connect to the service.
+# WebSockets connections are still possible if enabled.
+mosquitto__network: True
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__allow [[[
+#
+# List of IP addresses or CIDR subnets that are allowed to connect to the
+# Mosquitto service over plaintext TCP connection. If it's empty, no host other
+# than ``localhost`` can connect over plaintext. This list also affects what
+# hosts are allowed to connect to the ``mosquitto`` daemon by TCP Wrappers.
+mosquitto__allow: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__allow_tls [[[
+#
+# List of IP addresses or CIDR subnets that are allowed to connect to the
+# Mosquitto service over TLS. If it's empty, any host can connect to the
+# service over TLS (depending on authentication, which by default is not
+# enabled). This list also affects what hosts are allowed to connect to the
+# ``mosquitto`` daemon by TCP Wrappers.
+mosquitto__allow_tls: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Websocket support [[[
+# ---------------------
+
+# Support for WebSockets is not available in older OS releases, it should work
+# properly on Debian Stretch and newer OS releases that provide the required
+# version of ``libwebsockets`` package.
+
+# You can test support for WebSockets in Mosquitto using:
+# http://www.hivemq.com/blog/full-featured-mqtt-client-browser
+
+# .. envvar:: mosquitto__websockets [[[
+#
+# Enable or disable support for WebSockets if the required packages are
+# available.
+mosquitto__websockets: '{{ mosquitto__register_websockets.stdout | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__websockets_package [[[
+#
+# Specify a list of the APT packages which will be checked for existence.
+# If the packages are available, the WebSockets support will be enabled on this
+# host.
+mosquitto__websockets_packages: [ 'libwebsockets8' ]
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__websockets_allow [[[
+#
+# List of IP addresses or CIDR subnets which will be allowed to connect to the
+# Mosquitto WebSocket service by the webserver. If this list is empty, any
+# hosts can connect over WebSockets.
+mosquitto__websockets_allow: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__fqdn [[[
+#
+# The FQDN address of the WebSocket Mosquitto service, configured in the
+# webserver.
+mosquitto__fqdn: 'mqtt.{{ mosquitto__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__domain [[[
+#
+# The DNS domain used by Mosquitto WebSockets service, configured in the
+# webserver.
+mosquitto__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__http_dir_path [[[
+#
+# Absolute path of the directory with static files which will be served by the
+# Mosquitto server over HTTP. This directory will be created by the role if it
+# doesn't exist.
+mosquitto__http_dir_path: '{{ (ansible_local.fhs.data | d("/srv"))
+                              + "/mosquitto/www/public" }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__http_dir_owner [[[
+#
+# The UNIX system account which will be an owner of the public HTTP server
+# directory.
+mosquitto__http_dir_owner: 'root'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__http_dir_group [[[
+#
+# The UNIX system group which will be the group of the public HTTP server
+# directory.
+mosquitto__http_dir_group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__http_dir_mode [[[
+#
+# The UNIX permissions of the public HTTP server directory.
+mosquitto__http_dir_mode: '0755'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global Mosquitto configuration [[[
+# ----------------------------------
+
+# The variables specify Mosquitto global configuration options.
+# See :ref:`mosquitto__ref_options` for more details.
+
+# .. envvar:: mosquitto__default_options [[[
+#
+# The YAML dictionary with default Mosquitto options.
+mosquitto__default_options:
+  password_file:   '{{ mosquitto__password_file if mosquitto__password | bool else "" }}'
+  acl_file:        '{{ mosquitto__acl_file if mosquitto__acl | bool else "" }}'
+  allow_anonymous: '{{ mosquitto__allow_anonymous }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__options [[[
+#
+# The YAML dictionary with custom Mosquitto options configured in the Ansible
+# inventory. This variable can be used to override the default options.
+mosquitto__options: {}
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__combined_options [[[
+#
+# The YAML dictionary that holds the combined global options and is used in the
+# configuration template.
+mosquitto__combined_options: '{{ mosquitto__default_options
+                                 | combine(mosquitto__options) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Mosquitto listeners [[[
+# -----------------------
+
+# The variables configure what ports the Mosquitto is listening for
+# connections. See :ref:`mosquitto__ref_listeners` for more details.
+
+# .. envvar:: mosquitto__default_listeners [[[
+#
+# The YAML dictionary that configures default Mosquitto listeners.
+mosquitto__default_listeners:
+
+  '1883':
+    comment:     'The default listener for local clients'
+    listener:    '{{ "1883" + ("" if mosquitto__allow | d() else " localhost") }}'
+    avahi_state: '{{ "present" if (mosquitto__network | bool and mosquitto__allow | d()) else "absent" }}'
+    avahi_type:  '_mqtt._tcp'
+    avahi_port:  '1883'
+
+  '1884':
+    comment:     'The websocket listener behind a webserver'
+    listener:    '1884 127.0.0.1'
+    protocol:    'websockets'
+    http_dir:    '{{ mosquitto__http_dir_path }}'
+    state:       '{{ "present" if mosquitto__websockets | bool else "absent" }}'
+
+  '8883':
+    comment:     'The default listener for remote clients over TLS'
+    listener:    '{{ "8883" + ("" if mosquitto__network | bool else " localhost") }}'
+    state:       '{{ "present" if mosquitto__pki | bool else "absent" }}'
+    cafile:      '{{ mosquitto__broker_cafile }}'
+    certfile:    '{{ mosquitto__broker_certfile }}'
+    keyfile:     '{{ mosquitto__broker_keyfile }}'
+    tls_version: '{{ mosquitto__tls_version }}'
+    ciphers:     '{{ mosquitto__ciphers }}'
+    avahi_state: '{{ "present" if (mosquitto__network | bool and mosquitto__pki | bool) else "absent" }}'
+    avahi_type:  '_secure-mqtt._tcp'
+    avahi_port:  '8883'
+    avahi_txt:   'tls-version={{ mosquitto__tls_version }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__listeners [[[
+#
+# The YAML dictionary with custom Mosquitto listeners defined in Ansible
+# inventory. This variable can be used to modify the default listeners.
+mosquitto__listeners: {}
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__combined_listeners [[[
+#
+# The YAML dictionary that combines the other listener variables and is used in
+# the configuration template.
+mosquitto__combined_listeners: '{{ mosquitto__default_listeners
+                                   | combine(mosquitto__listeners) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Mosquitto bridges [[[
+# ---------------------
+
+# The variables define configuration of bridge connections between MQTT
+# services. See :ref:`mosquitto__ref_bridges` for more details.
+
+# .. envvar:: mosquitto__bridges [[[
+#
+# The YAML dictionary that defines MQTT bridges which should be configured on
+# all hosts in the Ansible inventory.
+mosquitto__bridges: {}
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__group_bridges [[[
+#
+# The YAML dictionary that defines MQTT bridges which should be configured on
+# hosts in specific Ansible inventory group.
+mosquitto__group_bridges: {}
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__host_bridges [[[
+#
+# The YAML dictionary that defines MQTT bridges which should be configured on
+# specific hosts in Ansible inventory.
+mosquitto__host_bridges: {}
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__combined_bridges [[[
+#
+# The YAML dictionary that combines all of the bridge variables and is used in
+# the configuration template.
+mosquitto__combined_bridges: '{{ mosquitto__bridges
+                                 | combine(mosquitto__group_bridges)
+                                 | combine(mosquitto__host_bridges) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Public Key Infrastructure [[[
+# -----------------------------
+
+# The ``debops.mosquitto`` role uses the PKI infrastructure maintained by the
+# :ref:`debops.pki` Ansible role. See its documentation for more details.
+
+# .. envvar:: mosquitto__pki [[[
+#
+# Enable or disable support for the PKI infrastructure and connections over TLS,
+# depending on the presence of the :ref:`debops.pki` environment.
+mosquitto__pki: '{{ ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_path [[[
+#
+# Absolute path to the directory that contains PKI realms.
+mosquitto__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_client_realm [[[
+#
+# Name of the PKI realm used by MQTT clients for connections over TLS.
+mosquitto__pki_client_realm: 'domain'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_bridge_realm [[[
+#
+# Name of the PKI realm used by the MQTT bridge connections over TLS.
+mosquitto__pki_bridge_realm: 'domain'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_broker_realm [[[
+#
+# Name of the PKI realm used by the Mosquitto TLS listener.
+mosquitto__pki_broker_realm: 'domain'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_ca [[[
+#
+# Name of the file with the Root CA certificate of a given PKI realm.
+mosquitto__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_crt [[[
+#
+# Name of the file with the certificate of a given PKI realm.
+mosquitto__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__pki_key [[[
+#
+# Name of the file with the private key of a given PKI realm.
+mosquitto__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI inventory variables [[[
+# ---------------------------
+
+# These variables define paths to the CA, private key and certificate files
+# depending on the specified PKI realm. They are defined for convenience and
+# can be used in the Ansible inventory for listener/bridge definitions that
+# configure TLS connections.
+
+# .. envvar:: mosquitto__client_cafile [[[
+#
+# Absolute path to the Root CA certificate of the PKI client realm.
+mosquitto__client_cafile: '{{ mosquitto__pki_path + "/" +
+                              mosquitto__pki_client_realm + "/" +
+                              mosquitto__pki_ca }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__client_certfile [[[
+#
+# Absolute path to the certificate of the PKI client realm.
+mosquitto__client_certfile: '{{ mosquitto__pki_path + "/" +
+                                mosquitto__pki_client_realm + "/" +
+                                mosquitto__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__client_keyfile [[[
+#
+# Absolute path to the private key of the PKI client realm.
+mosquitto__client_keyfile: '{{ mosquitto__pki_path + "/" +
+                               mosquitto__pki_client_realm + "/" +
+                               mosquitto__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__bridge_cafile [[[
+#
+# Absolute path to the Root CA certificate of the PKI bridge realm.
+mosquitto__bridge_cafile: '{{ mosquitto__pki_path + "/" +
+                              mosquitto__pki_bridge_realm + "/" +
+                              mosquitto__pki_ca }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__bridge_certfile [[[
+#
+# Absolute path to the certificate of the PKI bridge realm.
+mosquitto__bridge_certfile: '{{ mosquitto__pki_path + "/" +
+                                mosquitto__pki_bridge_realm + "/" +
+                                mosquitto__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__bridge_keyfile [[[
+#
+# Absolute path to the private key of the PKI bridge realm.
+mosquitto__bridge_keyfile: '{{ mosquitto__pki_path + "/" +
+                               mosquitto__pki_bridge_realm + "/" +
+                               mosquitto__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__broker_cafile [[[
+#
+# Absolute path to the Root CA certificate of the PKI broker realm.
+mosquitto__broker_cafile: '{{ mosquitto__pki_path + "/" +
+                              mosquitto__pki_broker_realm + "/" +
+                              mosquitto__pki_ca }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__broker_certfile [[[
+#
+# Absolute path to the certificate of the PKI broker realm.
+mosquitto__broker_certfile: '{{ mosquitto__pki_path + "/" +
+                                mosquitto__pki_broker_realm + "/" +
+                                mosquitto__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__broker_keyfile [[[
+#
+# Absolute path to the private key of the PKI broker realm.
+mosquitto__broker_keyfile: '{{ mosquitto__pki_path + "/" +
+                               mosquitto__pki_broker_realm + "/" +
+                               mosquitto__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__ciphers [[[
+#
+# String which contains a list of OpenSSL ciphers to use for TLS connections.
+# This list is based on the recommended cipher list according to the Applied
+# Crypto Hardening guide (https://bettercrypto.org/).
+mosquitto__ciphers: 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__tls_version [[[
+#
+# Specify the TLS version to use for encrypted connections.
+mosquitto__tls_version: 'tlsv1.2'
+                                                                   # ]]]
+                                                                   # ]]]
+# Avahi/ZeroConf support [[[
+# --------------------------
+
+# .. envvar:: mosquitto__avahi [[[
+#
+# Enable or disable Avahi support. See :ref:`mosquitto__ref_avahi_support` for
+# more details.
+mosquitto__avahi: '{{ ansible_local.avahi.installed | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__avahi_name [[[
+#
+# Description of the Mosquitto service in Avahi, visible to other hosts.
+mosquitto__avahi_name: 'Mosquitto MQTT server on %h'
+                                                                   # ]]]
+                                                                   # ]]]
+# Password file configuration [[[
+# -------------------------------
+
+# Automatic creation of user/password entries is available in Mosquitto 1.4+.
+# On older OS releases it will work only with upstream Mosquitto version, on
+# Debian Stretch it should work out of the box.
+
+# .. envvar:: mosquitto__password [[[
+#
+# Enable password file configuration when there users defined in the Ansible
+# inventory.
+mosquitto__password: '{{ True
+                         if (mosquitto__auth_users or
+                             mosquitto__auth_group_users or
+                             mosquitto__auth_host_users)
+                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__password_file [[[
+#
+# Absolute path of the file which contains user/password entries.
+mosquitto__password_file: '/etc/mosquitto/passwd'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__password_secret_path [[[
+#
+# Path to the :file:`secret/` directory on the Ansible Controller where the
+# autogenerated user passwords will be stored. See :ref:`debops.secret` Ansible role
+# documentation for more details.
+mosquitto__password_secret_path: '{{ secret + "/mosquitto/passwd" }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__allow_anonymous [[[
+#
+# If any user accounts are defined in the Ansible inventory (password support
+# is enabled), anonymous access to the Mosquitto broker will be disabled.
+# Otherwise anonymous connections are allowed.
+mosquitto__allow_anonymous: '{{ "false" if mosquitto__password | bool else "true" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Access Control List support [[[
+# -------------------------------
+
+# .. envvar:: mosquitto__acl [[[
+#
+# Enable Access Control List support if any users are defined in the Ansible
+# inventory, and/or anonymous or pattern configuration is present.
+mosquitto__acl: '{{ True
+                    if (mosquitto__auth_anonymous or
+                        mosquitto__auth_users or
+                        mosquitto__auth_group_users or
+                        mosquitto__auth_host_users or
+                        mosquitto__auth_patterns)
+                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__acl_file [[[
+#
+# Absolute path to the file which contains ACL entries.
+mosquitto__acl_file: '/etc/mosquitto/acl'
+                                                                   # ]]]
+                                                                   # ]]]
+# User authentication, ACL configuration [[[
+# ------------------------------------------
+
+# .. envvar:: mosquitto__auth_anonymous [[[
+#
+# A YAML text block or a YAML list of ACL entries that define access control
+# for anonymous connections. See :ref:`mosquitto__ref_auth_anonymous` for more
+# details.
+mosquitto__auth_anonymous: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__auth_users [[[
+#
+# A YAML list of user accounts configured on all hosts in Ansible inventory.
+# See :ref:`mosquitto__ref_auth_users` for more details.
+mosquitto__auth_users: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__auth_group_users [[[
+#
+# A YAML list of user accunts configured on hosts in specific Ansible inventory
+# group. See :ref:`mosquitto__ref_auth_users` for more details.
+mosquitto__auth_group_users: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__auth_host_users [[[
+#
+# A YAML list of user accunts configured on specific hosts in Ansible
+# inventory. See :ref:`mosquitto__ref_auth_users` for more details.
+mosquitto__auth_host_users: []
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__auth_patterns [[[
+#
+# A YAML text block or YAML list of ACL entries based on topic patterns.
+# See :ref:`mosquitto__ref_auth_patterns` for more details.
+mosquitto__auth_patterns: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: mosquitto__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mosquitto__python__dependent_packages3:
+
+  - '{{ []
+        if (mosquitto__distribution_release in ["trusty", "xenial"])
+        else ["python3-paho-mqtt"] }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+mosquitto__python__dependent_packages2:
+
+  - '{{ []
+        if (mosquitto__distribution_release in ["trusty", "xenial"])
+        else ["python-paho-mqtt"] }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+mosquitto__etc_services__dependent_list:
+
+  - name: 'mqtt'
+    port: '1883'
+    comment: 'Message Queuing Telemetry Transport Protocol'
+
+  - name: 'ws-mqtt'
+    port: '1884'
+    comment: 'WebSocket MQTT'
+
+  - name: 'secure-mqtt'
+    port: '8883'
+    comment: 'Secure MQTT'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+mosquitto__keyring__dependent_apt_keys:
+
+  - id: '{{ mosquitto__upstream_key_id }}'
+    repo: '{{ mosquitto__upstream_repository[ansible_distribution] }}'
+    state: '{{ "present" if mosquitto__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the :ref:`debops.tcpwrappers` Ansible role.
+mosquitto__tcpwrappers__dependent_allow:
+
+  - daemon: 'mosquitto'
+    client: '{{ mosquitto__allow }}'
+    accept_any: False
+    weight: '50'
+    filename: 'mosquitto_dependent_allow'
+    comment: 'Allow remote connections to Mosquitto server'
+    state: '{{ "present"
+               if mosquitto__network | bool
+               else "absent" }}'
+
+  - daemon: 'mosquitto'
+    client: '{{ mosquitto__allow_tls }}'
+    accept_any: True
+    weight: '50'
+    filename: 'mosquitto-tls_dependent_allow'
+    comment: 'Allow remote connections to Mosquitto server over TLS'
+    state: '{{ "present"
+               if (mosquitto__network | bool and
+                   mosquitto__pki | bool)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+mosquitto__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'mqtt' ]
+    weight: '40'
+    saddr: '{{ mosquitto__allow }}'
+    accept_any: False
+    by_role: 'debops.mosquitto'
+    rule_state: '{{ "present"
+                    if mosquitto__network | bool
+                    else "absent" }}'
+
+  - type: 'accept'
+    dport: [ 'secure-mqtt' ]
+    weight: '40'
+    saddr: '{{ mosquitto__allow + mosquitto__allow_tls }}'
+    accept_any: True
+    by_role: 'debops.mosquitto'
+    rule_state: '{{ "present"
+                    if (mosquitto__network | bool and
+                        mosquitto__pki | bool)
+                    else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: mosquitto__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+mosquitto__nginx__dependent_servers:
+  - name: '{{ mosquitto__fqdn }}'
+    filename: 'mosquitto-websocket'
+    by_role: 'debops.mosquitto'
+    root: '{{ mosquitto__http_dir_path }}'
+    webroot_create: False
+    allow: '{{ mosquitto__websockets_allow }}'
+    type: 'proxy'
+    proxy_pass: 'http://mosquitto_websocket'
+    proxy_redirect: 'default'
+    proxy_options: |
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+
+# ]]]
+# .. envvar:: mosquitto__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+mosquitto__nginx__dependent_upstreams:
+  - name: 'mosquitto_websocket'
+    server: '127.0.0.1:1884'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mosquitto/meta/main.yml b/ansible_collections/debops/debops/roles/mosquitto/meta/main.yml
new file mode 100644
index 00000000..8c0b5bf6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage a Mosquitto MQTT broker'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mqtt
+    - queue
+    - broker
+    - iot
diff --git a/ansible_collections/debops/debops/roles/mosquitto/tasks/main.yml b/ansible_collections/debops/debops/roles/mosquitto/tasks/main.yml
new file mode 100644
index 00000000..4f7298db
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/tasks/main.yml
@@ -0,0 +1,234 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check if supported version of libwebsockets is available
+  ansible.builtin.command: apt-cache -q madison {{ mosquitto__websockets_packages | join(' ') }}
+  register: mosquitto__register_websockets
+  when: ansible_pkg_mgr == 'apt'
+  changed_when: False
+  check_mode: False
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (mosquitto__base_packages
+                              + mosquitto__packages)) }}'
+    state: 'present'
+  register: mosquitto__register_packages
+  until: mosquitto__register_packages is succeeded
+
+- name: Install required Python modules
+  ansible.builtin.pip:
+    name: '{{ item }}'
+    state: 'present'
+  with_items: '{{ mosquitto__pip_packages }}'
+  register: mosquitto__register_pip_install
+  until: mosquitto__register_pip_install is succeeded
+  when: mosquitto__pip_packages | d()
+
+- name: Check the installed Mosquitto version
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         mosquitto -h | head -n 1 | awk '{print $3}' || true
+  args:
+    executable: 'bash'
+  register: mosquitto__register_version
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::mosquitto:passwd' ]
+
+- name: Ensure that the required UNIX group exists
+  ansible.builtin.group:
+    name: '{{ mosquitto__group }}'
+    state: 'present'
+    system: True
+
+- name: Add Mosquitto user to specified system groups
+  ansible.builtin.user:
+    name: '{{ mosquitto__user }}'
+    group: '{{ mosquitto__group }}'
+    groups: '{{ ([mosquitto__append_groups]
+                 if mosquitto__append_groups is string
+                 else mosquitto__append_groups) | join(",") }}'
+    append: True
+  notify: [ 'Restart mosquitto' ]
+
+- name: Make sure the password file exists
+  ansible.builtin.file:
+    path: '{{ mosquitto__password_file }}'
+    state: '{{ "file" if (ansible_local.mosquitto.password | d() | bool) else "touch" }}'
+    owner: 'root'
+    group: '{{ mosquitto__group }}'
+    mode:  '0640'
+  when: mosquitto__password | bool
+  tags: [ 'role::mosquitto:passwd' ]
+
+- name: Check current list of user entries
+  ansible.builtin.command: awk -F ':' '{print $1}' {{ mosquitto__password_file }}
+  register: mosquitto__register_passwd
+  when: mosquitto__password | bool
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::mosquitto:passwd' ]
+
+- name: Remove user/password entries
+  ansible.builtin.command: 'mosquitto_passwd -D {{ mosquitto__password_file }} {{ item.name | d(item) }}'
+  loop: '{{ q("flattened", mosquitto__auth_users
+                           + mosquitto__auth_group_users
+                           + mosquitto__auth_host_users) }}'
+  register: mosquitto__register_passwd_remove
+  changed_when: mosquitto__register_passwd_remove.changed | bool
+  when: (mosquitto__password | bool and item.state | d('present') == 'absent' and
+         (item.name | d(item) in mosquitto__register_passwd.stdout_lines) and
+         mosquitto__version is version_compare('1.4.0', '>='))
+  notify: [ 'Reload mosquitto' ]
+  tags: [ 'role::mosquitto:passwd' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create user/password entries
+  environment:
+    MOSQUITTO_PASSWORD: '{{ item.password
+                            | d(lookup("password", mosquitto__password_secret_path + "/" + item.name | d(item))) }}'
+  ansible.builtin.command: 'mosquitto_passwd -b {{ mosquitto__password_file }} {{ item.name | d(item) }} ${MOSQUITTO_PASSWORD}'
+  loop: '{{ q("flattened", mosquitto__auth_users
+                           + mosquitto__auth_group_users
+                           + mosquitto__auth_host_users) }}'
+  register: mosquitto__register_passwd_create
+  changed_when: mosquitto__register_passwd_create.changed | bool
+  when: (mosquitto__password | bool and item.state | d('present') != 'absent' and
+         (item.name | d(item) not in mosquitto__register_passwd.stdout_lines) and
+         mosquitto__version is version_compare('1.4.0', '>='))
+  notify: [ 'Reload mosquitto' ]
+  tags: [ 'role::mosquitto:passwd' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage Mosquitto ACL file
+  ansible.builtin.template:
+    src: 'etc/mosquitto/acl.j2'
+    dest: '{{ mosquitto__acl_file }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: mosquitto__acl | bool
+  notify: [ 'Reload mosquitto' ]
+  tags: [ 'role::mosquitto:acl' ]
+
+- name: Remove Mosquitto default configuration if empty
+  ansible.builtin.file:
+    path: '/etc/mosquitto/conf.d/00_default.conf'
+    state: 'absent'
+  when: not mosquitto__combined_options | d()
+  notify: [ 'Restart mosquitto' ]
+  tags: [ 'role::mosquitto:config', 'role::mosquitto:passwd', 'role::mosquitto:acl' ]
+
+- name: Generate Mosquitto default configuration
+  ansible.builtin.template:
+    src: 'etc/mosquitto/conf.d/default.conf.j2'
+    dest: '/etc/mosquitto/conf.d/00_default.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart mosquitto' ]
+  tags: [ 'role::mosquitto:config', 'role::mosquitto:passwd', 'role::mosquitto:acl' ]
+
+- name: Remove Mosquitto listener configuration
+  ansible.builtin.file:
+    dest: '/etc/mosquitto/conf.d/listener_{{ item.key }}.conf'
+    state: 'absent'
+  with_dict: '{{ mosquitto__combined_listeners }}'
+  notify: [ 'Restart mosquitto' ]
+  when: item.value.state | d('present') == 'absent'
+  tags: [ 'role::mosquitto:listeners' ]
+
+- name: Generate Mosquitto listener configuration
+  ansible.builtin.template:
+    src: 'etc/mosquitto/conf.d/listener.conf.j2'
+    dest: '/etc/mosquitto/conf.d/listener_{{ item.key }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_dict: '{{ mosquitto__combined_listeners }}'
+  notify: [ 'Restart mosquitto' ]
+  when: item.value.state | d('present') != 'absent'
+  tags: [ 'role::mosquitto:listeners' ]
+
+- name: Remove Mosquitto bridge configuration
+  ansible.builtin.file:
+    dest: '/etc/mosquitto/conf.d/bridge_{{ item.value.connection | d(item.key) }}.conf'
+    state: 'absent'
+  with_dict: '{{ mosquitto__combined_bridges }}'
+  notify: [ 'Restart mosquitto' ]
+  when: item.value.state | d('present') == 'absent'
+  tags: [ 'role::mosquitto:bridges' ]
+
+- name: Generate Mosquitto bridge configuration
+  ansible.builtin.template:
+    src: 'etc/mosquitto/conf.d/bridge.conf.j2'
+    dest: '/etc/mosquitto/conf.d/bridge_{{ item.value.connection | d(item.key) }}.conf'
+    owner: 'root'
+    group: '{{ item.value.group | d("root") }}'
+    mode: '{{ item.value.mode | d("0644") }}'
+  with_dict: '{{ mosquitto__combined_bridges }}'
+  notify: [ 'Restart mosquitto' ]
+  when: item.value.state | d('present') != 'absent'
+  tags: [ 'role::mosquitto:bridges' ]
+
+- name: Make sure that Avahi service directory exists
+  ansible.builtin.file:
+    path: '/etc/avahi/services'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: mosquitto__avahi | bool
+  tags: [ 'role::mosquitto:avahi', 'role::mosquitto:listeners' ]
+
+- name: Generate Avahi Mosquitto service file
+  ansible.builtin.template:
+    src: 'etc/avahi/services/mosquitto.service.j2'
+    dest: '/etc/avahi/services/mosquitto.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: mosquitto__avahi | bool
+  tags: [ 'role::mosquitto:avahi', 'role::mosquitto:listeners' ]
+
+- name: Make sure that WebSockets public HTTP directory exists
+  ansible.builtin.file:
+    path: '{{ mosquitto__http_dir_path }}'
+    state: 'directory'
+    owner: '{{ mosquitto__http_dir_owner }}'
+    group: '{{ mosquitto__http_dir_group }}'
+    mode:  '{{ mosquitto__http_dir_mode }}'
+  when: mosquitto__websockets | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'role::mosquitto:passwd' ]
+
+- name: Save Mosquitto local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mosquitto.fact.j2'
+    dest: '/etc/ansible/facts.d/mosquitto.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts', 'role::mosquitto:passwd' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+  tags: [ 'role::mosquitto:passwd' ]
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/ansible/facts.d/mosquitto.fact.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/ansible/facts.d/mosquitto.fact.j2
new file mode 100644
index 00000000..d3d088b7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/ansible/facts.d/mosquitto.fact.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set mosquitto__tpl_anonymous = mosquitto__allow_anonymous %}
+{% set mosquitto__tpl_password = mosquitto__password %}
+{
+"anonymous": {{ mosquitto__tpl_anonymous | bool | lower }},
+"installed": true,
+"password": {{ mosquitto__tpl_password | bool | lower }}
+}
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/avahi/services/mosquitto.service.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/avahi/services/mosquitto.service.j2
new file mode 100644
index 00000000..c0ac6703
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/avahi/services/mosquitto.service.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+
+<!-- {{ ansible_managed }} -->
+
+<service-group>
+
+  <name replace-wildcards="yes">{{ mosquitto__avahi_name }}</name>
+{% for listener_key, listener_args in mosquitto__combined_listeners.items() %}
+{%   if listener_args.avahi_state | d("present") != "absent" and listener_args.avahi_type | d() and listener_args.avahi_port | d() %}
+
+  <service>
+    <type>{{ listener_args.avahi_type }}</type>
+    <port>{{ listener_args.avahi_port }}</port>
+{%     if listener_args.avahi_txt | d() %}
+{%       if listener_args.avahi_txt is string %}
+    <txt-record>{{ listener_args.avahi_txt }}</txt-record>
+{%       elif listener_args.avahi_txt is not string and listener_args.avahi_txt is not mapping %}
+{%         for element in listener_args.avahi_txt %}
+    <txt-record>{{ element }}</txt-record>
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+  </service>
+{%   endif %}
+{% endfor %}
+
+</service-group>
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/acl.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/acl.j2
new file mode 100644
index 00000000..275dd8f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/acl.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if mosquitto__auth_anonymous %}
+{%   if mosquitto__auth_anonymous is string %}
+{{ mosquitto__auth_anonymous }}
+{%   elif mosquitto__auth_anonymous is not string and mosquitto__auth_anonymous is not mapping %}
+{%     for entry in mosquitto__auth_anonymous %}
+{{ entry }}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% for entry in (mosquitto__auth_users + mosquitto__auth_group_users + mosquitto__auth_host_users) %}
+{%   if entry is mapping %}
+{%     if entry.state | d("present") != "absent" and entry.name | d() and entry.acl | d() %}
+
+user {{ entry.name }}
+{%       if entry.acl is string %}
+{{ entry.acl }}
+{%       elif entry.acl is not string and entry.acl is not mapping %}
+{%         for element in entry.acl %}
+{{ element }}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% if mosquitto__auth_patterns %}
+{%   if mosquitto__auth_patterns is string %}
+{{ mosquitto__auth_patterns }}
+{%   elif mosquitto__auth_patterns is not string and mosquitto__auth_patterns is not mapping %}
+{%     for entry in mosquitto__auth_patterns %}
+{{ entry }}
+{%     endfor %}
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/bridge.conf.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/bridge.conf.j2
new file mode 100644
index 00000000..a4c05f68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/bridge.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set bridge = item.value %}
+{% set bridge_name = (item.value.connection | d(item.key)) %}
+{% if bridge.comment | d() %}
+{{ (bridge.comment if bridge.comment is string else bridge.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+connection {{ bridge_name }}
+{% for config_key, config_value in bridge.items() %}
+{%   if config_key not in [ 'connection', 'state', 'comment', 'group', 'mode' ] %}
+{%     if config_value is string and config_value != '' %}
+{{ "%s %s" | format(config_key, config_value) }}
+{%     elif config_value is not string and config_value is not mapping %}
+{%       for thing in config_value %}
+{%         if thing is string and thing != '' %}
+{{ "%s %s" | format(config_key, thing) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/default.conf.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/default.conf.j2
new file mode 100644
index 00000000..5183b8a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/default.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set options = mosquitto__combined_options %}
+{% if options.comment | d() %}
+{{ (options.comment if options.comment is string else options.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{% for config_key, config_value in options.items() %}
+{%   if config_value is string and config_value != '' %}
+{{ "%s %s" | format(config_key, config_value) }}
+{%   elif config_value is not string and config_value is not mapping %}
+{%     for thing in config_value %}
+{%       if thing is string and thing != '' %}
+{{ "%s %s" | format(config_key, thing) }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/listener.conf.j2 b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/listener.conf.j2
new file mode 100644
index 00000000..5b8bc0fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mosquitto/templates/etc/mosquitto/conf.d/listener.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set listener = item.value %}
+{% set listener_port = (item.value.listener | d(item.key)) %}
+{% if listener.comment | d() %}
+{{ (listener.comment if listener.comment is string else listener.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+listener {{ listener_port }}
+{% for config_key, config_value in listener.items() %}
+{%   if (config_key not in [ 'listener', 'state', 'comment' ] and not config_key.startswith('avahi_')) %}
+{%     if config_value is string and config_value != '' %}
+{{ "%s %s" | format(config_key, config_value) }}
+{%     elif config_value is not string and config_value is not mapping %}
+{%       for thing in config_value %}
+{%         if thing is string and thing != '' %}
+{{ "%s %s" | format(config_key, thing) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/mount/COPYRIGHT b/ansible_collections/debops/debops/roles/mount/COPYRIGHT
new file mode 100644
index 00000000..70a097c9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mount/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.mount - Manage local device and bind mounts using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/mount/defaults/main.yml b/ansible_collections/debops/debops/roles/mount/defaults/main.yml
new file mode 100644
index 00000000..aa6ba2c9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mount/defaults/main.yml
@@ -0,0 +1,152 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _mount__ref_defaults:
+
+# debops.mount default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: mount__enabled [[[
+#
+# Enable or disable support for local device mounts, bind mounts and custom
+# directories.
+mount__enabled: '{{ True
+                    if (((ansible_system_capabilities_enforced | d()) | bool and
+                         "cap_sys_admin" in ansible_system_capabilities) or
+                        not (ansible_system_capabilities_enforced | d(True)) | bool)
+                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: mount__base_packages [[[
+#
+# List of APT packages to install for correct filesystem management.
+mount__base_packages: '{{ ["acl"]
+                          if (((mount__directories
+                                + mount__group_directories
+                                + mount__host_directories)
+                               | flatten) | selectattr("acl", "defined") | list
+                               | subelements("acl"))
+                          else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: mount__packages [[[
+#
+# List of additional APT packages to install for filesystem management.
+mount__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Device mounts [[[
+# -----------------
+
+# These variables control local device mounts, usually external disk drives,
+# LVM block devices or other storage. See :ref:`mount__ref_devices` for
+# more details.
+
+# .. envvar:: mount__devices [[[
+#
+# Define local mounts for all hosts in the Ansible inventory.
+mount__devices: []
+
+                                                                   # ]]]
+# .. envvar:: mount__group_devices [[[
+#
+# Define local mounts for hosts in a specific Ansible inventory group.
+mount__group_devices: []
+
+                                                                   # ]]]
+# .. envvar:: mount__host_devices [[[
+#
+# Define local mounts for specific hosts in the Ansible inventory.
+mount__host_devices: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom directories [[[
+# ----------------------
+
+# These variables can be used to create custom directories on mounted
+# filesystems with specific permissions, ACLs, etc.
+# See :ref:`mount__ref_directories` for more details.
+
+# .. envvar:: mount__directories [[[
+#
+# List of directories to manage on all hosts in the Ansible inventory.
+mount__directories: []
+
+                                                                   # ]]]
+# .. envvar:: mount__group_directories [[[
+#
+# List of directories to manage on hosts in a specific Ansible inventory group.
+mount__group_directories: []
+
+                                                                   # ]]]
+# .. envvar:: mount__host_directories [[[
+#
+# List of directories to manage on specific hosts in the Ansible inventory.
+mount__host_directories: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom files [[[
+# -----------------------
+
+# These variables can be used to create custom files that can hold credentials
+# and can be referenced in the :file:`/etc/fstab` database.
+#
+# See :ref:`resources__ref_files` for more details (the same syntax is used in
+# both roles).
+
+# .. envvar:: mount__files [[[
+#
+# Manage file contents on all hosts in Ansible inventory.
+mount__files: []
+
+                                                                   # ]]]
+# .. envvar:: mount__group_files [[[
+#
+# Manage file contents on hosts in a specific group in Ansible inventory.
+mount__group_files: []
+
+                                                                   # ]]]
+# .. envvar:: mount__host_files [[[
+#
+# Manage file contents on specific hosts in Ansible inventory.
+mount__host_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Bind mounts [[[
+# ---------------
+
+# These variables define configuration of bind mounts, separately from normal
+# filesystems to allow bind-mounting of existing directories.
+# See :ref:`mount__ref_binds` for more details.
+
+# .. envvar:: mount__binds [[[
+#
+# Define bind mounts for all hosts in the Ansible inventory.
+mount__binds: []
+
+                                                                   # ]]]
+# .. envvar:: mount__group_binds [[[
+#
+# Define bind mounts for hosts in a specific Ansible inventory group.
+mount__group_binds: []
+
+                                                                   # ]]]
+# .. envvar:: mount__host_binds [[[
+#
+# Define bind mounts for specific hosts in the Ansible inventory.
+mount__host_binds: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/mount/meta/main.yml b/ansible_collections/debops/debops/roles/mount/meta/main.yml
new file mode 100644
index 00000000..6e1bf562
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mount/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage local device and bind mounts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.6.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - filesystems
+    - mount
diff --git a/ansible_collections/debops/debops/roles/mount/tasks/main.yml b/ansible_collections/debops/debops/roles/mount/tasks/main.yml
new file mode 100644
index 00000000..d6655d8d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mount/tasks/main.yml
@@ -0,0 +1,177 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (mount__base_packages + mount__packages) | flatten }}'
+    state: 'present'
+  register: mount__register_packages
+  until: mount__register_packages is succeeded
+  when: mount__enabled | bool
+
+  # This task allows configuration of the outer mount point attributes, but
+  # will not change them while the device is mounted.
+- name: Ensure that the mount points exist
+  ansible.builtin.file:
+    path:    '{{ item.path | d(item.dest | d(item.name)) }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(item.owner | d(omit)) }}'
+    mode:    '{{ item.mode | d("0755") }}'
+    state:   'directory'
+  loop: '{{ (mount__devices
+             + mount__group_devices
+             + mount__host_devices)
+            | flatten }}'
+  when: (mount__enabled | bool and item.state | d('mounted') in ['mounted', 'present', 'unmounted'] and
+         (item.device | d(item.src)) not in (ansible_mounts | map(attribute='device') | list))
+
+- name: Stop devices automounted by systemd if requested
+  ansible.builtin.systemd:
+    name: '{{ item.name | regex_replace("^/", "") | regex_replace("/", "-") + ".automount" }}'
+    state: 'stopped'
+  loop: '{{ (mount__devices
+             + mount__group_devices
+             + mount__host_devices)
+            | flatten }}'
+  when: (mount__enabled | bool and ansible_service_mgr == 'systemd' and
+         item.state | d('mounted') in ['unmounted', 'absent'] and
+         (((item.opts if (item.opts is string) else item.opts | join(','))
+           if item.opts | d() else 'defaults') is match(".*x-systemd.automount.*")))
+
+# Manage custom files [[[1
+- name: Copy files to remote hosts
+  ansible.builtin.copy:
+    dest:     '{{ item.dest | d(item.path | d(item.name)) }}'
+    src:      '{{ item.src | d(omit) }}'
+    content:  '{{ item.content | d(omit) }}'
+    owner:    '{{ item.owner | d(omit) }}'
+    group:    '{{ item.group | d(omit) }}'
+    mode:     '{{ item.mode | d(omit) }}'
+    selevel:  '{{ item.selevel | d(omit) }}'
+    serole:   '{{ item.serole | d(omit) }}'
+    setype:   '{{ item.setype | d(omit) }}'
+    seuser:   '{{ item.seuser | d(omit) }}'
+    follow:   '{{ item.follow | d(omit) }}'
+    force:    '{{ item.force | d(omit) }}'
+    backup:   '{{ item.backup | d(omit) }}'
+    validate: '{{ item.validate | d(omit) }}'
+    remote_src: '{{ item.remote_src | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+  loop: '{{ q("flattened", mount__files
+                           + mount__group_files
+                           + mount__host_files) }}'
+  when: (mount__enabled | bool and
+         (item.src | d() or item.content is defined) and
+         (item.dest | d() or item.path | d() or item.name | d()) and
+         (item.state | d('present') != 'absent'))
+
+- name: Manage device mounts
+  ansible.posix.mount:
+    src:    '{{ item.src }}'
+    path:   '{{ item.path | d(item.dest | d(item.name)) }}'
+    fstype: '{{ item.fstype | d("auto") }}'
+    opts:   '{{ ((item.opts if (item.opts is string) else (item.opts | join(",")))
+                 if item.opts | d() else "defaults") }}'
+    dump:   '{{ item.dump | d(omit) }}'
+    passno: '{{ item.passno | d(omit) }}'
+    state:  '{{ item.state | d("mounted") }}'
+    fstab:  '{{ item.fstab | d(omit) }}'
+  loop: '{{ (mount__devices
+             + mount__group_devices
+             + mount__host_devices)
+            | flatten }}'
+  register: mount__register_devices
+  when: (mount__enabled | bool and
+         (item.name | d() or item.dest | d() or item.path | d()) and item.src)
+
+- name: Restart 'local-fs.target' systemd unit
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'local-fs.target'
+    state: 'restarted'
+    daemon_reload: True
+  loop: '{{ mount__register_devices.results }}'
+  when: (mount__enabled | bool and ansible_service_mgr == 'systemd' and item is changed and
+         (((item.opts if (item.opts is string) else item.opts | join(','))
+           if item.opts | d() else 'defaults') is match(".*x-systemd.automount.*")))
+
+- name: Restart 'remote-fs.target' systemd unit
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'remote-fs.target'
+    state: 'restarted'
+    daemon_reload: True
+  loop: '{{ mount__register_devices.results }}'
+  when: (mount__enabled | bool and ansible_service_mgr == 'systemd' and item is changed and
+         (((item.opts if (item.opts is string) else item.opts | join(','))
+           if item.opts | d() else 'defaults') is match(".*x-systemd.automount.*")))
+
+- name: Manage directories
+  ansible.builtin.file:
+    path:    '{{ item.path | d(item.dest | d(item.name)) }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(item.owner | d(omit)) }}'
+    mode:    '{{ item.mode | d("0755") }}'
+    recurse: '{{ item.recurse | d(omit) }}'
+    state:   '{{ item.state | d("directory") }}'
+  loop: '{{ (mount__directories
+             + mount__group_directories
+             + mount__host_directories)
+            | flatten }}'
+  when: mount__enabled | bool and (item.path | d() or item.dest | d() or item.name | d()) and
+        item.state | d('directory') in ['directory', 'absent']
+
+- name: Manage directory ACLs
+  ansible.posix.acl:
+    path:        '{{ item.0.path | d(item.0.dest | d(item.0.name)) }}'
+    default:     '{{ item.1.default | d(omit) }}'
+    entity:      '{{ item.1.entity | d(omit) }}'
+    etype:       '{{ item.1.etype | d(omit) }}'
+    permissions: '{{ item.1.permissions | d(omit) }}'
+    follow:      '{{ item.1.follow | d(omit) }}'
+    recursive:   '{{ item.1.recursive | d(omit) }}'
+    state:       '{{ item.1.state | d("present") }}'
+  loop: '{{ ((mount__directories
+             + mount__group_directories
+             + mount__host_directories)
+             | flatten) | selectattr("acl", "defined") | list
+             | subelements("acl") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name, "acl": item.1} }}'
+  when: mount__enabled | bool and (item.0.path | d() or item.0.dest | d() or item.0.name | d()) and
+        item.0.state | d('directory') == 'directory' and item.0.acl | d()
+
+- name: Manage bind mounts
+  ansible.posix.mount:
+    src:    '{{ item.src }}'
+    path:   '{{ item.path | d(item.dest | d(item.name)) }}'
+    fstype: '{{ item.fstype | d("none") }}'
+    opts:   '{{ ((item.opts if (item.opts is string) else (item.opts | join(","))) if item.opts | d() else "bind") }}'
+    dump:   '{{ item.dump | d(omit) }}'
+    passno: '{{ item.passno | d(omit) }}'
+    state:  '{{ item.state | d("mounted") }}'
+    fstab:  '{{ item.fstab | d(omit) }}'
+  loop: '{{ (mount__binds
+             + mount__group_binds
+             + mount__host_binds)
+            | flatten }}'
+  when: (mount__enabled | bool and
+         (item.name | d() or item.dest | d() or item.path | d()) and
+         item.src | d())
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save mount local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/mount.fact.j2'
+    dest: '/etc/ansible/facts.d/mount.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/mount/templates/etc/ansible/facts.d/mount.fact.j2 b/ansible_collections/debops/debops/roles/mount/templates/etc/ansible/facts.d/mount.fact.j2
new file mode 100644
index 00000000..640cab94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/mount/templates/etc/ansible/facts.d/mount.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads('''{{ {'configured': True,
+                      'enabled': mount__enabled | bool
+                      } | to_nice_json }}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/netbase/COPYRIGHT b/ansible_collections/debops/debops/roles/netbase/COPYRIGHT
new file mode 100644
index 00000000..ee59d323
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.netbase - Manage local host and network database using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/netbase/defaults/main.yml b/ansible_collections/debops/debops/roles/netbase/defaults/main.yml
new file mode 100644
index 00000000..340b082c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/defaults/main.yml
@@ -0,0 +1,303 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _netbase__ref_defaults:
+
+# debops.netbase default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration, APT packages [[[
+# ---------------------------------------
+
+# .. envvar:: netbase__enabled [[[
+#
+# Enable or disable support for local host and network database management.
+netbase__enabled: '{{ False
+                      if (ansible_virtualization_type == "docker" and
+                          ansible_virtualization_role == "guest")
+                      else True }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__base_packages [[[
+#
+# List of base APT packages to linstall for netbase support.
+netbase__base_packages: [ 'netbase', 'libcap2-bin', 'dbus' ]
+
+                                                                   # ]]]
+# .. envvar:: netbase__packages [[[
+#
+# List of additional APT packages to install for netbase support.
+netbase__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Hostname and domain [[[
+# -----------------------
+
+# .. envvar:: netbase__hostname_config_enabled [[[
+#
+# Enable or disable configuration of the hostname based on presence of the
+# ``cap_sys_admin`` POSIX capability. The role will also avoid configuring the
+# hostname in containers, which usually cannot change their own hostname
+# directory due to host restrictions. Hostname will still be defined in
+# :file:`/etc/hosts` if the local domain configuration is enabled.
+netbase__hostname_config_enabled: '{{ True
+                                      if ((((ansible_system_capabilities_enforced | d()) | bool and
+                                           "cap_sys_admin" in ansible_system_capabilities) or
+                                          not (ansible_system_capabilities_enforced | d(True)) | bool) and
+                                          (ansible_virtualization_type is undefined or
+                                           ansible_virtualization_type not in ["lxc", "docker", "openvz"]))
+                                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__hostname [[[
+#
+# Set a hostname for a given host. It should contain only characters supported
+# in the DNS: alphanumeric, and a dash; no dots or other punctuation.
+#
+# By default, the role will configure the hostname based on the Ansible
+# inventory configuration. To preserve existing hostname, set the value to
+# ``'{{ ansible_hostname }}'``.
+netbase__hostname: '{{ (inventory_hostname_short | d(inventory_hostname.split(".")[0]))
+                       if (inventory_hostname_short | d(inventory_hostname.split(".")[0]) != "localhost")
+                       else ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__domain [[[
+#
+# Define a local domain for a given host. If not changed, the DNS domain is
+# defined based on the following rules:
+#
+# If the host has been installed with a domain, and its FQDN points to the
+# ``127.0.1.1`` address, the role will check on the remote host if a given FQDN
+# exists in the DNS database. If the FQDN can be resolved, the ``127.0.1.1``
+# entry will be removed from the :file:`/etc/hosts` file to allow the DNS
+# database to provide the correct IP address. If the FQDN is not found in DNS
+# database, the existing entry will be left intact.
+#
+# If the host has been configured with a domain in :file:`/etc/hosts` file
+# which is also present in the DNS database, and its FQDN points to any other
+# IP address than ``127.0.1.1``, the role will generate the IPv4 and IPv6
+# entries for this domain which should preserve the existing configuration.
+#
+# If the host has been installed without a domain specified, a domain will be
+# generated based on the ``ansible_host`` variable (if it's set to a FQDN
+# address) and saved in the :file:`/etc/hosts` database. The host's FQDN and
+# hostname will point to the default IPv4 and IPv6 addresses of the host.
+# If the Ansible inventory does not have a FQDN defined for a given host in the
+# ``ansible_host`` variable, the host is assumed to be standalone and a domain
+# will not be generated for it.
+netbase__domain: '{{ ""
+                     if (ansible_local | d() and ansible_local.netbase | d() and
+                         (((ansible_local.netbase.self_address | d()) != "127.0.1.1" and
+                           (not ansible_local.netbase.self_local_hostname | d()) | bool) or
+                          ((ansible_local.netbase.self_address | d()) == "127.0.1.1" and
+                            ansible_local.netbase.self_domain | d() and
+                            ansible_local.netbase.self_domain_source in ["dns"])))
+                     else (ansible_local.netbase.self_domain
+                           if (ansible_local | d() and ansible_local.netbase | d() and
+                               (ansible_local.netbase.self_domain | d()) and
+                               (ansible_local.netbase.self_local_hostname | d()) | bool)
+                           else ((ansible_host | d(ansible_ssh_host | d("0"))).split(".")[1:] | join(".")
+                                 if (not (ansible_host | d(ansible_ssh_host | d("0"))) | ansible.utils.ipaddr)
+                                 else (inventory_hostname.split(".")[1:] | join(".")
+                                       if (inventory_hostname.split(".") | count > 1)
+                                       else ""))) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__aliases [[[
+#
+# List of additional alias names defined for the current host, including its
+# hostname, in the :file:`/etc/hosts` database. This list is automatically
+# generated using the Ansible local facts. If you plan to change it, ensure
+# that the hostname is specified first to avoid any issues with name
+# resolution.
+netbase__aliases: '{{ ([netbase__hostname]
+                       + ansible_local.netbase.self_aliases | d([]) | unique) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__host_ipv4_address [[[
+#
+# The IPv4 address which will be used to create the host record in the
+# :file:`/etc/hosts` database with the FQDN and the hostname. If the host does
+# not have a proper IPv4 address associated with it and you want to use IPv4
+# networking, you can use ``127.0.1.1`` to set the hostname.
+netbase__host_ipv4_address: '{{ (ansible_default_ipv4.address | d())
+                                if (ansible_domain | d() and
+                                    ansible_local | d() and ansible_local.netbase | d() and
+                                    ansible_local.netbase.self_domain_source in ["dns"])
+                                else ansible_local.netbase.self_address | d("127.0.1.1") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__host_ipv6_address [[[
+#
+# The IPv6 address which will be used to create the host record in the
+# :file:`/etc/hosts` database with the FQDN and the hostname.
+netbase__host_ipv6_address: '{{ ansible_default_ipv6.address | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__domain_host_entry [[[
+#
+# The actual :file:`/etc/hosts` entry with the local domain definition. It will
+# be set as the IPv4 and/or IPv6 addresses defined in above variables.
+netbase__domain_host_entry: '{{ ([netbase__hostname + "." + netbase__domain] + netbase__aliases)
+                                if netbase__domain | d()
+                                else (netbase__hostname
+                                      if (not ansible_domain | d())
+                                      else []) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Host database in :file:`/etc/hosts` [[[
+# ---------------------------------------
+
+# The ``netbase__*_hosts`` variables below define the host records in the
+# :file:`/etc/hosts` database. See :ref:`netbase__ref_hosts` for more details.
+
+# .. envvar:: netbase__hosts_config_type [[[
+#
+# The host database configuration method used by the role.
+#
+# If ``lineinfile``, the configuration will be done using the ``lineinfile``
+# Ansible module. This allows the database to be updated by other mechanisms
+# than Ansible, but the configuration is very slow. This is suitable for small
+# number of host entries, otherwise you should think about setting up a local
+# DNS server instead.
+#
+# If ``template``, the hosts database will be generated using the ``template``
+# Ansible module. This makes the configuration much faster, which is useful
+# with large list of hosts, but the database cannot be modified by other tools,
+# the changes will not be preserved by Ansible.
+netbase__hosts_config_type: '{{ "template"
+                                if ((netbase__hosts
+                                     | combine(netbase__group_hosts, netbase__host_hosts)).keys()
+                                    | count > 15)
+                                else "lineinfile" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__default_hosts [[[
+#
+# The default set of host database entries, defined by the role.
+netbase__default_hosts:
+
+  - '127.0.0.1': [ 'localhost' ]
+  - '127.0.1.1': []
+  - '::1':       [ 'localhost', 'ip6-localhost', 'ip6-loopback' ]
+  - 'ff02::1':   [ 'ip6-allnodes' ]
+  - 'ff02::2':   [ 'ip6-allrouters' ]
+
+  - name:  '{{ netbase__host_ipv4_address }}'
+    value: '{{ netbase__domain_host_entry }}'
+    separator: '{{ True
+                   if (netbase__host_ipv4_address == "127.0.1.1" and
+                       (ansible_local | d() and ansible_local.netbase | d() and
+                        ansible_local.netbase.self_domain_source not in ["dns"]))
+                   else False }}'
+
+  - name:  '{{ netbase__host_ipv6_address }}'
+    value: '{{ netbase__domain_host_entry }}'
+
+                                                                   # ]]]
+# .. envvar:: netbase__hosts [[[
+#
+# YAML list of host entries which should be present on all hosts in the Ansible
+# inventory.
+#
+# Since the host database is supposed to be the same across all hosts, you
+# should most likely stick to using this variable and define it for the ``all``
+# inventory group.
+netbase__hosts: []
+
+                                                                   # ]]]
+# .. envvar:: netbase__group_hosts [[[
+#
+# YAML list of host entries which should be present on hosts in a specific
+# Ansible inventory group.
+netbase__group_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: netbase__host_hosts [[[
+#
+# YAML list of host entries which should be present on specific hosts in the
+# Ansible inventory.
+netbase__host_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: netbase__combined_hosts [[[
+#
+# The variable which combines all other hosts lists and is used in the role
+# tasks and templates.
+netbase__combined_hosts: '{{ netbase__default_hosts
+                            + netbase__hosts
+                            + netbase__group_hosts
+                            + netbase__host_hosts }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network database in :file:`/etc/networks` [[[
+# ---------------------------------------------
+
+# These variables define what network entries should be present in the
+# :file:`/etc/networks` database. Each dictionary key is a network name and
+# value should be a string or a YAML list of a class A, B or C network address
+# and optional aliases. Example:
+#
+# .. code-block:: yaml
+#
+#    netbase__networks:
+#      'net.example.org': '192.0.2.0'
+#
+# Entries with empty values will be removed from the database.
+# See the :man:`networks(5)` manual page for more details.
+
+# .. envvar:: netbase__networks [[[
+#
+# YAML dictionary of network entries which should be present on all hosts in
+# the Ansible inventory.
+#
+# Since the network database is supposed to be the same across all hosts, you
+# should most likely stick to using this variable and define it for the ``all``
+# inventory group.
+netbase__networks: {}
+
+                                                                   # ]]]
+# .. envvar:: netbase__group_networks [[[
+#
+# YAML dictionary of network entries which should be present on hosts in
+# a specific Ansible inventory group.
+netbase__group_networks: {}
+
+                                                                   # ]]]
+# .. envvar:: netbase__host_networks [[[
+#
+# YAML dictionary of network entries which should be present on specific hosts
+# in the Ansible inventory.
+netbase__host_networks: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: netbase__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+netbase__python__dependent_packages3:
+
+  - 'python3-dnspython'
+
+                                                                   # ]]]
+# .. envvar:: netbase__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+netbase__python__dependent_packages2:
+
+  - 'python-dnspython'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/netbase/meta/main.yml b/ansible_collections/debops/debops/roles/netbase/meta/main.yml
new file mode 100644
index 00000000..ea20fb16
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure local host and network database'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - hosts
+    - system
+    - nss
diff --git a/ansible_collections/debops/debops/roles/netbase/tasks/main.yml b/ansible_collections/debops/debops/roles/netbase/tasks/main.yml
new file mode 100644
index 00000000..80815822
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/tasks/main.yml
@@ -0,0 +1,89 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (netbase__base_packages
+                              + netbase__packages)) }}'
+    state: 'present'
+  register: netbase__register_packages
+  until: netbase__register_packages is succeeded
+  when: netbase__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save netbase local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/netbase.fact.j2'
+    dest: '/etc/ansible/facts.d/netbase.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage the hostname
+  ansible.builtin.hostname:
+    name: '{{ netbase__hostname }}'
+  notify: [ 'Refresh host facts' ]
+  when: netbase__enabled | bool and netbase__hostname_config_enabled | bool
+
+- name: Generate /etc/hosts database
+  ansible.builtin.template:
+    src: 'etc/hosts.j2'
+    dest: '/etc/hosts'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: netbase__enabled | bool and netbase__hosts_config_type == 'template'
+
+- name: Manage entries in /etc/hosts
+  ansible.builtin.lineinfile:  # noqa no-tabs
+    dest:    '/etc/hosts'
+    regexp:  '^{{ item.name | replace(".", "\.") }}\s+'
+    line:    "{{ item.name }}\t{{ ('\t' if (item.name | string | length < 8) else '') }}{{ item.value
+                 if (item.value is string)
+                 else ((item.value | d()) | selectattr('name', 'defined') | map(attribute='name') | list | join(' ')) }}"
+    state:   '{{ "present" if item.value | d() else "absent" }}'
+    mode:    '0644'
+  loop: '{{ netbase__combined_hosts | debops.debops.parse_kv_config }}'
+  loop_control:
+    label: '{{ {item.name: (item.value | d([])) | selectattr("name", "defined") | map(attribute="name") | list} }}'
+  notify: [ 'Refresh host facts' ]
+  when: netbase__enabled | bool and netbase__hosts_config_type == 'lineinfile' and item.name | d()
+
+- name: Manage entries in /etc/networks
+  ansible.builtin.lineinfile:  # noqa no-tabs
+    dest:    '/etc/networks'
+    regexp:  '^{{ item.key | replace(".", "\.") }}\s+'
+    line:    "{{ item.key }}\t{{ item.value if (item.value is string) else (item.value | d() | join(' ')) }}"
+    state:   '{{ "present" if item.value | d() else "absent" }}'
+    mode:    '0644'
+  with_dict: '{{ netbase__networks | combine(netbase__group_networks, netbase__host_networks) }}'
+  notify: [ 'Refresh host facts' ]
+  when: netbase__enabled | bool
+
+  # This task is here in case that the hostname or domain of the host was
+  # changed, to ensure that the Ansible facts are updated
+- name: Update Ansible facts if databases were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/netbase/templates/etc/ansible/facts.d/netbase.fact.j2 b/ansible_collections/debops/debops/roles/netbase/templates/etc/ansible/facts.d/netbase.fact.j2
new file mode 100644
index 00000000..8d3a762d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/templates/etc/ansible/facts.d/netbase.fact.j2
@@ -0,0 +1,123 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+"""Return information about host FQDN, domain and IP address
+
+This script checks the FQDN and the IP address of the host and returns it in
+JSON format for consumption by Ansible. The data is gathered from the host's
+perspective, because Ansible facts are not sufficient to determine which FQDN
+and IP address the host recognizes as "itself".
+
+Returned JSON keys:
+
+  - "configured"    If True, the role has been correctly appled on the host.
+
+  - "self_fqdn"     The host's FQDN as seen by its operating system, either
+                    defined locally in '/etc/hosts' or resolved by the DNS.
+
+  - "self_domain"   The host's domain extracted from the FQDN name.
+
+  - "self_aliases"  List of additional host aliases (including the primary
+                    hostname) defined in the '/etc/hosts' file.
+
+  - "self_address"  IP address resolved by the host from it's FQDN name.
+
+  - "self_local_hostname"  If True, the script detected the FQDN and IP address
+                           information in local '/etc/hosts' database.
+
+                           If False, the script did not detect the FQDN and IP
+                           address locally, and assumes that it came from the
+                           DNS.
+
+  - "self_domain_source"   What is the source of the domain information?
+                           ' 'dns': the domain exists in the DNS database
+                           - 'localhost': the domain is set in the '/etc/hosts'
+                                          file and may not be defined in the
+                                          DNS database
+                           - 'standalone': there is no DNS domain set, host is
+                                           not part of a domain
+"""
+
+from __future__ import print_function
+from json import dumps
+import socket
+
+
+def get_dns_address():
+    try:
+        return socket.gethostbyname(socket.getfqdn())
+    except socket.gaierror:
+        try:
+            return socket.gethostbyname(socket.gethostname())
+        except socket.gaierror:
+            return ''
+
+
+def get_dns_domain():
+    try:
+        return socket.getfqdn().split('.', 1)[1]
+    except IndexError:
+        return ''
+
+
+output = {'configured': True,
+          'self_address': get_dns_address(),
+          'self_domain': get_dns_domain(),
+          'self_fqdn': socket.getfqdn(),
+          'self_local_hostname': False,
+          'self_domain_source': 'dns'}
+
+# Check if the host address and FQDN are defined locally, to not remove them
+# accidentally
+with open('/etc/hosts', 'r') as hosts:
+    for line in hosts:
+        if not line.startswith('#'):
+            if (output['self_fqdn'] in line.split()[1:]
+                    and output['self_address'] == line.split()[0]):
+                output['self_local_hostname'] = True
+                output['self_domain_source'] = 'standalone'
+                aliases = ([e for e in line.split()
+                            if (e not in ([output['self_fqdn'],
+                                           output['self_address'],
+                                           output['self_domain']]))])
+                if aliases:
+                    output['self_aliases'] = aliases
+
+            if (output['self_fqdn'] in line.split()
+                    and '.' in output['self_fqdn']
+                    and output['self_address'] == line.split()[0]
+                    and (output['self_domain'] ==
+                         '.'.join(line.split()[1].split('.')[1:]))):
+                output['self_domain_source'] = 'localhost'
+
+    if output['self_domain_source'] == 'localhost':
+        try:
+            import dns.resolver
+            resolver = dns.resolver.Resolver()
+            resolver.timeout = 0.8
+            resolver.lifetime = 0.8
+            try:
+                resolver.resolve(output['self_fqdn'], 'AAAA')
+                output['self_domain_source'] = 'dns'
+
+            except Exception:
+                pass
+
+            try:
+                resolver.resolve(output['self_fqdn'], 'A')
+                output['self_domain_source'] = 'dns'
+
+            except Exception:
+                pass
+
+        except Exception:
+            pass
+
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/netbase/templates/etc/hosts.j2 b/ansible_collections/debops/debops/roles/netbase/templates/etc/hosts.j2
new file mode 100644
index 00000000..943c6da8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbase/templates/etc/hosts.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2018-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for element in netbase__combined_hosts | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value | d() %}
+{%     if (element.separator | d()) | bool %}
+
+{%     endif %}
+{%     if element.value is string %}
+{%       if '.' in element.value %}
+{{         '{}\t{}{} {}'.format(element.name, ('\t' if element.name | length < 8 else ''), element.value, element.value.split('.') | first) }}
+{%       else %}
+{{         '{}\t{}{}'.format(element.name, ('\t' if element.name | length < 8 else ''), element.value) }}
+{%       endif %}
+{%     else %}
+{{       '{}\t{}{}'.format(element.name, ('\t' if element.name | length < 8 else ''), (element.value | selectattr('name', 'defined') | map(attribute='name') | list) | join(' ')) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/netbox/COPYRIGHT b/ansible_collections/debops/debops/roles/netbox/COPYRIGHT
new file mode 100644
index 00000000..6d971ff7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.netbox - Deploy and manage NetBox, IPAM/DCIM management tool
+
+Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020-2022 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/netbox/defaults/main.yml b/ansible_collections/debops/debops/roles/netbox/defaults/main.yml
new file mode 100644
index 00000000..a314c83c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/defaults/main.yml
@@ -0,0 +1,1129 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _netbox__ref_defaults:
+
+# debops.netbox default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Domain name configuration [[[
+# -----------------------------
+
+# .. envvar:: netbox__fqdn [[[
+#
+# String or list of the Fully Qualified domain names on which the NetBox
+# application will be available, used by the webserver. The first item will be
+# used as the e-mail sender domain name.
+netbox__fqdn: [ 'dcim.{{ netbox__domain }}', 'ipam.{{ netbox__domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: netbox__domain [[[
+#
+# The DNS domain used by other variables in the ``debops.netbox`` role.
+netbox__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Primary/Standby configuration [[[
+# -----------------------------
+
+# .. envvar:: netbox__primary [[[
+#
+# Boolean to define if the instance of NetBox will be primary or not.
+# True: This instance will become primary and needs read and write
+# database access.
+# False: This instance will become standby,
+# "netbox__config_maintenance_mode" will be set to True and
+# "netbox__config_session_file_path" will be populated.
+netbox__primary: True
+
+                                                                   # ]]]
+                                                                   # ]]]
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: netbox__base_packages [[[
+#
+# List of APT packages which are required by the NetBox application.
+netbox__base_packages:
+  - 'git'
+  - 'build-essential'
+  - 'libxml2-dev'
+  - 'libxslt1-dev'
+  - 'libffi-dev'
+  - 'graphviz'
+  - 'libpq-dev'
+  - 'libssl-dev'
+  - '{{ ["libldap2-dev", "libsasl2-dev"]
+        if netbox__ldap_enabled | bool
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__packages [[[
+#
+# List of additional APT packages to install with NetBox.
+netbox__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Application user, group, home [[[
+# ---------------------------------
+
+# .. envvar:: netbox__user [[[
+#
+# Name of the UNIX system account used to manage NetBox.
+netbox__user: 'netbox'
+
+                                                                   # ]]]
+# .. envvar:: netbox__group [[[
+#
+# Name of the UNIX primary group used to manage NetBox.
+netbox__group: 'netbox'
+
+                                                                   # ]]]
+# .. envvar:: netbox__gecos [[[
+#
+# Contents of the GECOS field set for the NetBox account.
+netbox__gecos: 'NetBox'
+
+                                                                   # ]]]
+# .. envvar:: netbox__shell [[[
+#
+# The default shell set on the NetBox account.
+netbox__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: netbox__napalm_ssh_generate [[[
+#
+# Generate :file:`~/.ssh/id_rsa` SSH private and public key if it doesn't
+# exist.
+netbox__napalm_ssh_generate: False
+
+                                                                   # ]]]
+# .. envvar:: netbox__napalm_ssh_generate_bits [[[
+#
+# Size of the generated SSH key.
+netbox__napalm_ssh_generate_bits: '2048'
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory paths [[[
+# -------------------
+
+# .. envvar:: netbox__home [[[
+#
+# The NetBox account home directory.
+netbox__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                  + "/" + netbox__user }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__src [[[
+#
+# Directory where the role stores NetBox sources from GitHub.
+netbox__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                 + "/" + netbox__user }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__lib [[[
+#
+# Directory where the NetBox application directory is located.
+netbox__lib: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                 + "/" + netbox__user }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__data [[[
+#
+# Directory where custom NetBox data (images, scripts) outside of the database
+# is stored.
+netbox__data: '{{ (ansible_local.fhs.data | d("/srv"))
+                  + "/" + netbox__user }}'
+                                                                   # ]]]
+# .. envvar:: netbox__bin [[[
+#
+# Directory where helper scripts for NetBox power users are stored.
+netbox__bin: '{{ ansible_local.fhs.bin | d("/usr/local/bin") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application sources and deployment [[[
+# --------------------------------------
+
+# .. envvar:: netbox__git_gpg_key_id [[[
+#
+# The GPG ID of the key used for signing NetBox releases. At the moment the
+# releases are signed using GitHub GPG key.
+netbox__git_gpg_key_id: '5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23'
+
+                                                                   # ]]]
+# .. envvar:: netbox__git_repo [[[
+#
+# The URI of the NetBox :command:`git` source repository.
+netbox__git_repo: 'https://github.com/netbox-community/netbox.git'
+
+                                                                   # ]]]
+# .. envvar:: netbox__git_version [[[
+#
+# The :command:`git` branch or tag which will be installed.
+netbox__git_version: 'v4.4.1'
+
+                                                                   # ]]]
+# .. envvar:: netbox__git_dest [[[
+#
+# Path where the :command:`git` source bare repository will be stored.
+netbox__git_dest: '{{ netbox__src + "/" + netbox__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__git_checkout [[[
+#
+# Path where NetBox sources will be checked out (installation path).
+netbox__git_checkout: '{{ netbox__virtualenv + "/app" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Python virtualenv configuration [[[
+# -----------------------------------
+
+# .. envvar:: netbox__virtualenv_version [[[
+#
+# Beginning with v2.5, NetBox will no longer support Python 2.
+# When this is set to `3` a **new** Python 3 `virtualenv` environment will be
+# created next to the old one.
+# Valid values are `3` or an empty string.
+# This option is scheduled for removal in 2022-12.
+netbox__virtualenv_version: '{{ ""
+                                if (netbox__git_version | regex_search("^v?[0-9\.]+")
+                                  and netbox__git_version | replace("v", "") is version("2.5", "<"))
+                                else "3" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__virtualenv [[[
+#
+# Path where the NetBox ``virtualenv`` directory will be stored.
+netbox__virtualenv: '{{ netbox__lib + "/virtualenv" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__virtualenv_env_path [[[
+#
+# The contents of the ``$PATH`` environment variable set for the Ansible tasks
+# which are executed inside of the NetBox Python environment.
+netbox__virtualenv_env_path: '{{ netbox__virtualenv }}/bin:/usr/local/bin:/usr/bin:/bin'
+
+                                                                   # ]]]
+# .. envvar:: netbox__virtualenv_pip_packages [[[
+#
+# List of additional Python modules installed inside of the NetBox
+# ``virtualenv`` environment. See :ref:`netbox__ref_virtualenv_pip_packages`
+# for more details.
+netbox__virtualenv_pip_packages:
+  - name: 'gunicorn'
+    version: '{{ ansible_local.gunicorn.version | d(omit) }}'
+  - 'setproctitle'
+  - name: 'django-auth-ldap'
+    state: '{{ "present" if netbox__ldap_enabled | bool else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# PostgreSQL database configuration [[[
+# -------------------------------------
+
+# The NetBox database configuration is managed by the :ref:`debops.postgresql`
+# Ansible role. See its documentation for details about the default variable
+# values used in the NetBox role.
+
+# .. envvar:: netbox__database_host [[[
+#
+# The hostname or IP address of the PostgreSQL database server to use for the
+# NetBox database.
+netbox__database_host: '{{ ansible_local.postgresql.server | d("localhost") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__database_port [[[
+#
+# The TCP port of the PostgreSQL database server which should be used by NetBox.
+netbox__database_port: '{{ ansible_local.postgresql.port | d("5432") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__database_name [[[
+#
+# Name of the PostgreSQL database and its corresponding role used by NetBox.
+# This role won't be able to login to the database server directly.
+netbox__database_name: 'netbox_production'
+
+                                                                   # ]]]
+# .. envvar:: netbox__database_user [[[
+#
+# Name of the PostgreSQL role used by NetBox. This role will be able to login
+# to the PostgreSQL server and access the NetBox database.
+netbox__database_user: '{{ netbox__user }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__database_password [[[
+#
+# Autogenerated password to the NetBox PostgreSQL user role.
+netbox__database_password: '{{ lookup("password", secret + "/postgresql/" +
+                               (ansible_local.postgresql.delegate_to | d("localhost")) + "/" +
+                               (ansible_local.postgresql.port | d("5432")) + "/credentials/" +
+                               netbox__database_user + "/password") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__load_initial_data [[[
+#
+# If ``True``, the role will populate the NetBox database with the initial data
+# provided with the application on installation.
+netbox__load_initial_data: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis database configuration [[[
+# --------------------------------
+
+# The Redis database configuration is managed by the :ref:`debops.redis_server`
+# Ansible role. See its documentation for details about the default variable
+# values used in the NetBox role.
+
+# .. envvar:: netbox__redis_host [[[
+#
+# Define hostname of the Redis server to use.
+netbox__redis_host: '{{ ansible_local.redis_server.host | d("localhost") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__redis_port [[[
+#
+# Define port of Redis server to use.
+netbox__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__redis_password [[[
+#
+# Define the Redis authentication password to use.
+netbox__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__redis_database [[[
+#
+# Specify which Redis database to use for NetBox.
+netbox__redis_database: '0'
+
+                                                                   # ]]]
+# .. envvar:: netbox__redis_cache_database [[[
+#
+# Specify which Redis database to use for NetBox cache.
+netbox__redis_cache_database: '{{ (netbox__redis_database | int + 1) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__redis_ssl [[[
+#
+# Enable or disable support for encrypted connections to Redis. Currently this
+# option has no support in DebOps.
+netbox__redis_ssl: False
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: netbox__ldap_enabled [[[
+#
+# Enable or disable support for LDAP authentication in NetBox.
+netbox__ldap_enabled: '{{ True
+                          if (ansible_local | d() and ansible_local.ldap | d() and
+                              (ansible_local.ldap.enabled | d()) | bool)
+                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, LDAP configuration will not be performed.
+netbox__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the NetBox service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+netbox__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# NetBox service to access the LDAP directory.
+netbox__ldap_self_rdn: 'uid=netbox'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the NetBox service to access the LDAP directory.
+netbox__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# NetBox service to access the LDAP directory.
+netbox__ldap_self_attributes:
+  uid: '{{ netbox__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ netbox__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "NetBox" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# NetBox service to bind to the LDAP directory.
+netbox__ldap_binddn: '{{ ([netbox__ldap_self_rdn] + netbox__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the NetBox service
+# to bind to the LDAP directory.
+netbox__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                 + netbox__ldap_binddn | to_uuid + ".password length=32"))
+                         if netbox__ldap_enabled | bool
+                         else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the user
+# accounts stored in LDAP.
+netbox__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_people_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the user accounts
+# used by NetBox.
+netbox__ldap_people_dn: '{{ [netbox__ldap_people_rdn] + netbox__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_group_authentication_enabled [[[
+#
+# Enable or disable user authentication using LDAP groups.
+netbox__ldap_group_authentication_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_private_groups [[[
+#
+# When this variable is enabled, the :ref:`debops.ldap` role will create
+# a separate LDAP objects that manage the NetBox groups as subtree of the
+# NetBox service LDAP object. If you set this parameter to ``False``, the
+# role will use the global ``ou=Groups,dc=example,dc=org`` subtree instead.
+netbox__ldap_private_groups: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the groups
+# stored in LDAP.
+netbox__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn | d("ou=Groups") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_groups_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the groups used by
+# NetBox. If private groups are enabled, this object will be created
+# automatically.
+netbox__ldap_groups_dn: '{{ ([netbox__ldap_groups_rdn, netbox__ldap_self_rdn]
+                             + netbox__ldap_device_dn)
+                            if netbox__ldap_private_groups | bool
+                            else ([netbox__ldap_groups_rdn] + netbox__ldap_base_dn) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_group_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which defines the group of
+# NetBox users on a given NetBox instance.
+netbox__ldap_user_group_rdn: 'cn=NetBox Users'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_group_dn [[[
+#
+# The Distinguished Name of the LDAP object which defines who defines the group
+# of NetBox users on a given NetBox instance.
+netbox__ldap_user_group_dn: '{{ [netbox__ldap_user_group_rdn]
+                                + netbox__ldap_groups_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_active_group_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which defines who has
+# active access to a given NetBox instance.
+netbox__ldap_user_active_group_rdn: 'cn=NetBox Active Users'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_active_group_dn [[[
+#
+# The Distinguished Name of the LDAP object which defines who has
+# access to a given NetBox instance.
+netbox__ldap_user_active_group_dn: '{{ [netbox__ldap_user_active_group_rdn]
+                                       + netbox__ldap_groups_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_staff_group_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which defines who has
+# staff access level to a given NetBox instance and can have permissions in
+# NetBox ACL system.
+netbox__ldap_user_staff_group_rdn: 'cn=NetBox Staff'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_staff_group_dn [[[
+#
+# The Distinguished Name of the LDAP object which defines who has
+# staff access level to a given NetBox instance and can have permissions in
+# NetBox ACL system.
+netbox__ldap_user_staff_group_dn: '{{ [netbox__ldap_user_staff_group_rdn]
+                                      + netbox__ldap_groups_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_admin_group_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which defines who has
+# superuser access level to a given NetBox instance.
+netbox__ldap_user_admin_group_rdn: 'cn=NetBox Administrators'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_admin_group_dn [[[
+#
+# The Distinguished Name of the LDAP object which defines who has
+# superuser access level to a given NetBox instance.
+netbox__ldap_user_admin_group_dn: '{{ [netbox__ldap_user_admin_group_rdn]
+                                      + netbox__ldap_groups_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_object_owner_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object of the person who
+# installed a given NetBox instance and is used as the owner of the "NetBox
+# Administrators" group.
+netbox__ldap_object_owner_rdn: 'uid={{ lookup("env", "USER") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_object_ownerdn [[[
+#
+# The Distinguished Name of the LDAP object of the person who installed a given
+# NetBox instance and is used as the owner of the "NetBox Administrators"
+# group, defined as a string.
+netbox__ldap_object_ownerdn: '{{ ([netbox__ldap_object_owner_rdn, netbox__ldap_people_rdn]
+                                  + netbox__ldap_base_dn) | join(",") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP connection options [[[
+# ---------------------------
+
+# .. envvar:: netbox__ldap_server_uri [[[
+#
+# The URI address of the LDAP server used by NetBox.
+netbox__ldap_server_uri: '{{ ansible_local.ldap.uri | d([""]) | first }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_server_port [[[
+#
+# The TCP port which should be used for connections to the LDAP server.
+netbox__ldap_server_port: '{{ ansible_local.ldap.port | d("389" if netbox__ldap_start_tls | bool else "636") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_start_tls [[[
+#
+# If ``True``, NetBox will use STARTTLS extension to make encrypted
+# connections to the LDAP server.
+netbox__ldap_start_tls: '{{ ansible_local.ldap.start_tls
+                            if (ansible_local | d() and ansible_local.ldap | d() and
+                                (ansible_local.ldap.start_tls | d()) | bool)
+                            else True }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap_user_filter [[[
+#
+# The LDAP filter used to look up user accounts in the directory.
+netbox__ldap_user_filter: '(uid=%(user)s)'
+                                                                   # ]]]
+                                                                   # ]]]
+# NetBox configuration options [[[
+# --------------------------------
+
+# .. envvar:: netbox__config_allowed_hosts [[[
+#
+# List of domain names under which the NetBox application will accept
+# connections. Specify ``*`` to accept connections to any domain name.
+netbox__config_allowed_hosts: '{{ netbox__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_secret_key [[[
+#
+# The Django secret key used by the NetBox application. It will be shared by
+# all hosts on the same domain.
+netbox__config_secret_key: '{{ lookup("password", secret + "/netbox/" +
+                               netbox__domain + "/config/secret_key length=64") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_admins [[[
+#
+# A YAML list of tuples, ``[ 'Name', 'email' ]``, of the NetBox administrators.
+# They will receive e-mail messages about NetBox application errors.
+#
+# By default the role uses the list of private admin e-mails from the
+# :ref:`debops.core` Ansible role.
+netbox__config_admins: '{{ lookup("template", "lookup/netbox__config_admins.j2") | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_changelog_retention [[[
+#
+# Maximum number of days to retain logged changes. Set to 0 to retain changes
+# indefinitely.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_changelog_retention: 90
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_cors_origin_allow_all [[[
+#
+# API Cross-Origin Resource Sharing configuration. If ``True``, all origins are
+# allowed. See https://github.com/ottoyiu/django-cors-headers for more details.
+netbox__config_cors_origin_allow_all: False
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_cors_origin_whitelist [[[
+#
+# List of allowed CORS origin hostnames.
+netbox__config_cors_origin_whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_cors_origin_regex_whitelist [[[
+#
+# List of allowed CORS origin regex hostnames.
+netbox__config_cors_origin_regex_whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_default_language [[[
+#
+# Set the default preferred language/locale.
+netbox__config_default_language: 'en-us'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_server [[[
+#
+# The address of the SMTP server used by NetBox. By default the application
+# uses a locally-installed SMTP server.
+netbox__config_email_server: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_port [[[
+#
+# The TCP port of the SMTP server used by NetBox.
+netbox__config_email_port: '25'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_username [[[
+#
+# The username used to login to the SMTP server.
+netbox__config_email_username: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_password [[[
+#
+# The password used to login to the SMTP server.
+netbox__config_email_password: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_use_tls [[[
+#
+# Use TLS (previously known as SSL) when connecting to the SMTP server.
+netbox__config_email_use_tls: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_timeout [[[
+#
+# The SMTP server connection timeout, in seconds.
+netbox__config_email_timeout: '10'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_email_from [[[
+#
+# The e-mail address for the NetBox application, it will be used in the
+# ``From:`` header of the NetBox e-mail messages.
+netbox__config_email_from: '{{ netbox__user }}@{{ netbox__fqdn
+                                                  if netbox__fqdn is string
+                                                  else netbox__fqdn[0] }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_logging [[[
+#
+# Optional, custom logging configuration specified as YAML dictionary.
+# See https://docs.djangoproject.com/en/1.11/topics/logging for more details.
+netbox__config_logging: {}
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_login_required [[[
+#
+# If ``True``, access to NetBox is only allowed for logged-in users. If
+# ``False``, some information stored in the NetBox database is accessible in
+# the read-only mode for anonymous users.
+netbox__config_login_required: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_login_timeout [[[
+#
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 14 days)
+netbox__config_login_timeout: '{{ (60 * 60 * 24 * 14) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_base_path [[[
+#
+# Set the "base path" of the NetBox application if it's installed in
+# a subdirectory of the webserver.
+netbox__config_base_path: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_maintenance_mode [[[
+#
+# Enable or disable maintenance mode banner.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_maintenance_mode: '{{ not netbox__primary | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_paginate_count [[[
+#
+# Specify maximum number of list items per page.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_paginate_count: '50'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_max_page_size [[[
+#
+# Maximum number of objects returned in an API call.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_max_page_size: '1000'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_maps_url [[[
+#
+# The URL to use when mapping physical addresses or GPS coordinates.
+# Note that NetBox defaults to Google Maps and has no interest in changing or
+# even documenting OpenStreetMap.
+# See `PR 6272 <https://github.com/netbox-community/netbox/pull/6272>`__.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_maps_url: 'https://www.openstreetmap.org/search?query='
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_time_zone [[[
+#
+# Specify the timezone used by NetBox.
+netbox__config_time_zone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_date_format [[[
+#
+# Specify the date format which NetBox uses to display information.
+# See https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date for
+# more details.
+netbox__config_date_format: 'N j, Y'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_short_date_format [[[
+#
+# Specify the short date format used by NetBox to display information.
+netbox__config_short_date_format: 'Y-m-d'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_time_format [[[
+#
+# Specify the time format used by NetBox to display information.
+netbox__config_time_format: 'g:i a'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_short_time_format [[[
+#
+# Specify the short time format used by NetBox to display information.
+netbox__config_short_time_format: 'H:i:s'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_datetime_format [[[
+#
+# Specify the date and time format used by NetBox to display information.
+netbox__config_datetime_format: 'N j, Y g:i a'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_short_datetime_format [[[
+#
+# Specify the short date and time format used by NetBox to display information.
+netbox__config_short_datetime_format: 'Y-m-d H:i'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_banner_top [[[
+#
+# Specify a custom message displayed on the top of every page.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_banner_top: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_banner_bottom [[[
+#
+# Specify a custom message displayed on the bottom of every page.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_banner_bottom: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_banner_login [[[
+#
+# Specify a custom message displayed on the login page above the login from.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_banner_login: ''
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_prefer_ipv4 [[[
+#
+# By default NetBox prefers to use IPv6 addresses as primary device addresses.
+# Set this variable to ``True`` to change that to IPv4 instead.
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_prefer_ipv4: False
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_census_reporting [[[
+#
+# Enables anonymous census reporting. To opt out of census reporting, set this
+# to ``False``.
+netbox__config_census_reporting: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_enforce_global_unique [[[
+#
+# If enabled, NetBox will enforce unique IP space in the "global" table (all
+# prefixes and IP addresses not included in a VRF).
+# This overwrites potentially existing `dynamic configuration settings <https://netbox.readthedocs.io/en/stable/configuration/dynamic-settings/>`__.
+netbox__config_enforce_global_unique: False
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_exempt_view_permissions [[[
+#
+# Exempt certain models from the enforcement of view permissions. Models listed
+# here will be viewable by all users and by anonymous users. List models in the
+# form `<app>.<model>`. Add '*' to this list to exempt all models.
+netbox__config_exempt_view_permissions: []
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_metrics_enabled [[[
+#
+# When enabled, expose Prometheus monitoring metrics at the HTTP endpoint
+# '/metrics'.
+netbox__config_metrics_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_session_file_path [[[
+#
+# By default, NetBox will store session data in the database. Alternatively,
+# a file path can be specified here to use local file storage instead. (This
+# can be useful for enabling authentication on a standby instance with
+# read-only database access.) Note that the user as which NetBox runs must have
+# read and write permissions to this path.
+netbox__config_session_file_path: '{{ "" if netbox__primary | bool else netbox__data + "/sessions" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_media_root [[[
+#
+# Absolute path where NetBox stores uploaded media files.
+netbox__config_media_root: '{{ netbox__data + "/media" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_reports_root [[[
+#
+# Absolute path where NetBox reports (Python modules) are stored.
+netbox__config_reports_root: '{{ netbox__data + "/reports" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_scripts_root [[[
+#
+# Absolute path where NetBox scripts (Python modules) are stored.
+netbox__config_scripts_root: '{{ netbox__data + "/scripts" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_plugins [[[
+#
+# List of NetBox plugins.
+netbox__config_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: netbox__config_plugins_config [[[
+#
+# NetBox plugins configuration settings.
+# See :ref:`netbox__config_plugins_config` for more details.
+netbox__config_plugins_config: {}
+                                                                   # ]]]
+# .. envvar:: netbox__config_custom [[[
+#
+# Additional configuration not directly supported by this role can be specified
+# with this string variable.
+netbox__config_custom: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Initial superuser account [[[
+# -----------------------------
+
+# .. envvar:: netbox__superuser_name [[[
+#
+# Name of the initial admin account created by the role.
+netbox__superuser_name: '{{ ansible_local.core.admin_users[0] | d("admin") }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__superuser_email [[[
+#
+# E-mail address of the initial admin account created by the role.
+netbox__superuser_email: '{{ ansible_local.core.admin_private_email[0]
+                              | d("root@" + netbox__domain) }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__superuser_password [[[
+#
+# Password set for the initial admin account created by the role.
+netbox__superuser_password: '{{ lookup("password", secret + "/netbox/" +
+                                netbox__domain + "/superuser/" +
+                                netbox__superuser_name + "/password") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Internal application settings [[[
+# ---------------------------------
+
+# .. envvar:: netbox__app_internal_appserver [[[
+#
+# Enable or disable support for internal ``gunicorn`` application server.
+netbox__app_internal_appserver: '{{ ansible_local.gunicorn.installed
+                                     | d(ansible_service_mgr == "systemd") | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_name [[[
+#
+# Name of the NetBox application processes (workers) set by the master process.
+netbox__app_name: '{{ netbox__user }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_runtime_dir [[[
+#
+# Name of the subdirectory in the :file:`/run/` directory where the NetBox
+# application will bind its UNIX socket. The default is selected so that
+# configuration of the ``gunicorn`` service is idempotent.
+netbox__app_runtime_dir: '{{ "gunicorn"
+                             if (ansible_distribution_release in
+                                 ["trusty", "xenial"])
+                             else "gunicorn-netbox" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_bind [[[
+#
+# Specify either an UNIX or TCP socket on which the NetBox application should
+# bind and listen for connections.
+netbox__app_bind: 'unix:/run/{{ netbox__app_runtime_dir }}/netbox.sock'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_workers [[[
+#
+# Number of worker threads to start for NetBox application.
+netbox__app_workers: '{{ ansible_processor_vcpus | int + 1 }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_timeout [[[
+#
+# Number of seconds after which non-responsive worker threads will be killed
+# and restarted. NetBox installations with lots of objects might require longer
+# timeouts for API access.
+netbox__app_timeout: '900'
+
+                                                                   # ]]]
+# .. envvar:: netbox__app_params [[[
+#
+# List of parameters passed to the ``gunicorn`` process manager.
+netbox__app_params:
+  - '--name={{ netbox__app_name }}'
+  - '--bind={{ netbox__app_bind }}'
+  - '--workers={{ netbox__app_workers }}'
+  - '--timeout={{ netbox__app_timeout }}'
+  - 'netbox.wsgi'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: netbox__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+netbox__keyring__dependent_gpg_keys:
+
+  - user: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    home: '{{ netbox__home }}'
+    id: '{{ netbox__git_gpg_key_id }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+netbox__python__dependent_packages3:
+
+  - 'python3-dev'
+
+                                                                   # ]]]
+# .. envvar:: netbox__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+netbox__python__dependent_packages2:
+
+  - 'python-dev'
+
+                                                                   # ]]]
+# .. envvar:: netbox__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+netbox__ldap__dependent_tasks:
+
+  - name: 'Create NetBox account for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_binddn }}'
+    objectClass: '{{ netbox__ldap_self_object_classes }}'
+    attributes: '{{ netbox__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if netbox__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Create NetBox group container for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_groups_dn }}'
+    objectClass: 'organizationalStructure'
+    attributes:
+      ou: '{{ netbox__ldap_groups_rdn.split("=")[1] }}'
+      description: 'User groups used in NetBox'
+    state: '{{ "present"
+               if (netbox__ldap_device_dn | d() and
+                   netbox__ldap_private_groups | bool)
+               else "ignore" }}'
+
+  - name: 'Create NetBox user group for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_user_group_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: '{{ netbox__ldap_user_group_rdn.split("=")[1] }}'
+      owner: '{{ netbox__ldap_object_ownerdn }}'
+      member: '{{ netbox__ldap_object_ownerdn }}'
+    state: '{{ "present" if netbox__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Create NetBox active user group for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_user_active_group_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: '{{ netbox__ldap_user_active_group_rdn.split("=")[1] }}'
+      owner: '{{ netbox__ldap_object_ownerdn }}'
+      member: '{{ netbox__ldap_object_ownerdn }}'
+    state: '{{ "present" if netbox__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Create NetBox staff group for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_user_staff_group_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: '{{ netbox__ldap_user_staff_group_rdn.split("=")[1] }}'
+      owner: '{{ netbox__ldap_object_ownerdn }}'
+      member: '{{ netbox__ldap_object_ownerdn }}'
+    state: '{{ "present" if netbox__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Create NetBox admin group for {{ netbox__ldap_device_dn | join(",") }}'
+    dn: '{{ netbox__ldap_user_admin_group_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: '{{ netbox__ldap_user_admin_group_rdn.split("=")[1] }}'
+      owner: '{{ netbox__ldap_object_ownerdn }}'
+      member: '{{ netbox__ldap_object_ownerdn }}'
+    state: '{{ "present" if netbox__ldap_device_dn | d() else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__gunicorn__dependent_applications [[[
+#
+# Configuration for the :ref:`debops.gunicorn` Ansible role.
+netbox__gunicorn__dependent_applications:
+  - name: 'netbox'
+    mode: 'wsgi'
+    working_dir: '{{ netbox__git_checkout + "/netbox" }}'
+    python: '{{ netbox__virtualenv + "/bin/python" }}'
+    user: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    home: '{{ netbox__home }}'
+    system: True
+    timeout: '{{ netbox__app_timeout }}'
+    workers: '{{ netbox__app_workers }}'
+    args: '{{ netbox__app_params }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__postgresql__dependent_roles [[[
+#
+# Role configuration for the :ref:`debops.postgresql` Ansible role.
+netbox__postgresql__dependent_roles:
+  - name: '{{ netbox__database_user }}'
+  - name: '{{ netbox__database_name }}'
+    flags: [ 'NOLOGIN' ]
+
+                                                                   # ]]]
+# .. envvar:: netbox__postgresql__dependent_groups [[[
+#
+# Group configuration for the :ref:`debops.postgresql` Ansible role.
+netbox__postgresql__dependent_groups:
+  - roles: [ '{{ netbox__database_user }}' ]
+    groups: [ '{{ netbox__database_name }}' ]
+    database: '{{ netbox__database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__postgresql__dependent_databases [[[
+#
+# Database configuration for the :ref:`debops.postgresql` Ansible role.
+netbox__postgresql__dependent_databases:
+  - name: '{{ netbox__database_name }}'
+    owner: '{{ netbox__database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__postgresql__dependent_pgpass [[[
+#
+# ``~/.pgpass`` configuration for the :ref:`debops.postgresql` Ansible role.
+netbox__postgresql__dependent_pgpass:
+  - owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    home: '{{ netbox__home }}'
+    system: True
+
+                                                                   # ]]]
+# .. envvar:: netbox__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+netbox__nginx__dependent_upstreams:
+  - name: 'netbox'
+    server: '{{ netbox__app_bind }}'
+
+                                                                   # ]]]
+# .. envvar:: netbox__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+netbox__nginx__dependent_servers:
+  - name: '{{ netbox__fqdn }}'
+    by_role: 'debops.netbox'
+    filename: 'debops.netbox'
+    options: |
+      client_max_body_size 25m;
+    location:
+      '/static/': |
+        alias {{ netbox__git_checkout }}/netbox/static/;
+
+      '/': |
+        proxy_pass http://netbox;
+        proxy_set_header X-Forwarded-Host $server_name;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout {{ netbox__app_timeout }};
+        proxy_send_timeout {{ netbox__app_timeout }};
+        proxy_read_timeout {{ netbox__app_timeout }};
+        add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/netbox/handlers/main.yml b/ansible_collections/debops/debops/roles/netbox/handlers/main.yml
new file mode 100644
index 00000000..4002ba93
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/handlers/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# A separate handler is needed to ensure the correct order of execution
+- name: Reload systemd daemon (netbox)
+  ansible.builtin.systemd:
+    daemon_reload: True
+  when: ansible_service_mgr == 'systemd'
+
+- name: Restart gunicorn for netbox
+  ansible.builtin.service:
+    name: 'gunicorn@netbox'
+    state: 'restarted'
+  when: (not netbox__app_internal_appserver | bool and
+         ansible_local.gunicorn.installed | d() | bool)
+
+- name: Restart netbox internal appserver
+  ansible.builtin.service:
+    name: 'netbox'
+    state: 'restarted'
+    enabled: True
+  when: netbox__app_internal_appserver | bool
+
+- name: Restart netbox Request Queue Worker
+  ansible.builtin.service:
+    name: 'netbox-rq'
+    state: 'restarted'
+    enabled: True
+  when: netbox__app_internal_appserver | bool
diff --git a/ansible_collections/debops/debops/roles/netbox/meta/main.yml b/ansible_collections/debops/debops/roles/netbox/meta/main.yml
new file mode 100644
index 00000000..710ca023
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Deploy and manage NetBox, IPAM/DCIM management tool'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ipam
+    - dcim
+    - django
+    - networking
+    - datacenter
diff --git a/ansible_collections/debops/debops/roles/netbox/meta/watch-netbox b/ansible_collections/debops/debops/roles/netbox/meta/watch-netbox
new file mode 100644
index 00000000..ca858cfc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/meta/watch-netbox
@@ -0,0 +1,10 @@
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016,2020-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: netbox
+# Package: netbox
+# Version: 4.4.1
+
+version=4
+https://github.com/netbox-community/netbox/tags .*/v?(\d\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/netbox/tasks/main.yml b/ansible_collections/debops/debops/roles/netbox/tasks/main.yml
new file mode 100644
index 00000000..e044a41e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/tasks/main.yml
@@ -0,0 +1,369 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C)      2021 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (netbox__base_packages
+                              + netbox__packages)) }}'
+    state: 'present'
+  register: netbox__register_packages
+  until: netbox__register_packages is succeeded
+
+- name: Create NetBox system group
+  ansible.builtin.group:
+    name: '{{ netbox__group }}'
+    state: 'present'
+    system: True
+
+- name: Create NetBox system user
+  ansible.builtin.user:
+    name: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    home: '{{ netbox__home }}'
+    comment: '{{ netbox__gecos }}'
+    shell: '{{ netbox__shell }}'
+    state: 'present'
+    system: True
+    generate_ssh_key: '{{ netbox__napalm_ssh_generate | bool }}'
+    ssh_key_bits: '{{ netbox__napalm_ssh_generate_bits }}'
+
+- name: Create additional directories used by NetBox
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0755'
+  with_items:
+    - '{{ netbox__src }}'
+    - '{{ netbox__lib }}'
+    - '{{ netbox__data }}'
+    - '{{ netbox__config_media_root }}'
+    - '{{ netbox__config_reports_root }}'
+    - '{{ netbox__config_scripts_root }}'
+
+- name: Clone NetBox source code
+  ansible.builtin.git:
+    repo: '{{ netbox__git_repo }}'
+    dest: '{{ netbox__git_dest }}'
+    version: '{{ netbox__git_version }}'
+    bare: True
+    update: True
+    verify_commit: True
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_source
+  until: netbox__register_source is succeeded
+
+- name: Check if NetBox is installed
+  ansible.builtin.stat:
+    path: '{{ netbox__git_checkout }}'
+  register: netbox__register_installed
+
+- name: Check current virtualenv version
+  ansible.builtin.stat:
+    path: '{{ netbox__virtualenv + "/bin/python" }}'
+  register: netbox__register_virtualenv_version
+
+- name: Remove old python2 based virtualenv
+  ansible.builtin.file:
+    path: '{{ netbox__virtualenv }}'
+    state: 'absent'
+  register: netbox__register_virtalenv_deleted
+  when: (netbox__virtualenv_version == '3' and
+         netbox__register_virtualenv_version.stat.lnk_target | d() == 'python2')
+
+- name: Create NetBox checkout directory
+  ansible.builtin.file:
+    path: '{{ netbox__git_checkout }}'
+    state: 'directory'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0755'
+
+- name: Prepare NetBox git worktree
+  ansible.builtin.copy:
+    content: 'gitdir: {{ netbox__git_dest }}'
+    dest: '{{ netbox__git_checkout + "/.git" }}'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0644'
+
+- name: Get commit hash of target checkout
+  environment:
+    GIT_WORK_TREE: '{{ netbox__git_checkout }}'
+  ansible.builtin.command: git rev-parse {{ netbox__git_version }}  # noqa command-instead-of-module
+  args:
+    chdir: '{{ netbox__git_dest }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_target_branch
+  changed_when: netbox__register_target_branch.stdout != netbox__register_source.before
+
+- name: Checkout NetBox
+  environment:  # noqa no-handler
+    GIT_WORK_TREE: '{{ netbox__git_checkout }}'
+  ansible.builtin.command: git checkout -f {{ netbox__git_version }}  # noqa command-instead-of-module
+  args:
+    chdir: '{{ netbox__git_dest }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_checkout
+  changed_when: netbox__register_checkout.changed | bool
+  until: netbox__register_checkout is succeeded
+  notify: [ 'Restart gunicorn for netbox', 'Restart netbox internal appserver', 'Restart netbox Request Queue Worker' ]
+  when: (netbox__register_source.before is undefined or
+         (netbox__register_source.before | d() and netbox__register_target_branch.stdout | d() and
+          netbox__register_source.before != netbox__register_target_branch.stdout) or
+          not netbox__register_installed.stat.exists | bool or
+          netbox__register_virtalenv_deleted.changed | bool)
+
+- name: Create Python virtualenv for NetBox
+  ansible.builtin.pip:
+    name: [ 'pip', 'setuptools' ]
+    virtualenv: '{{ netbox__virtualenv }}'
+    virtualenv_python: '{{ "python" + netbox__virtualenv_version }}'
+    # This is required due to an issue with setuptools
+    # https://github.com/digitalocean/netbox/issues/864
+    state: 'forcereinstall'
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_virtualenv
+  until: netbox__register_virtualenv is succeeded
+  changed_when: (netbox__register_virtualenv is success and
+                 netbox__register_virtualenv.stdout is search('New python executable in'))
+
+- name: Clean up stale Python bytecode
+  ansible.builtin.command: "find . -name '*.pyc' -delete"  # noqa no-handler
+  args:
+    chdir: '{{ netbox__git_checkout + "/netbox" }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_cleanup
+  changed_when: netbox__register_cleanup.changed | bool
+  when: netbox__register_checkout is changed
+
+- name: Install NetBox requirements in virtualenv
+  ansible.builtin.pip:  # noqa no-handler
+    virtualenv: '{{ netbox__virtualenv }}'
+    requirements: '{{ netbox__git_checkout + "/requirements.txt" }}'
+    extra_args: '--upgrade'
+  register: netbox__register_pip_install
+  until: netbox__register_pip_install is succeeded
+  become: True
+  become_user: '{{ netbox__user }}'
+  notify: [ 'Restart gunicorn for netbox', 'Restart netbox internal appserver', 'Restart netbox Request Queue Worker' ]
+  when: netbox__register_checkout is changed
+
+- name: Install additional Python modules in virtualenv
+  ansible.builtin.pip:  # noqa no-handler
+    name:       '{{ item.name | d(item) }}'
+    version:    '{{ item.version | d(omit) }}'
+    virtualenv: '{{ netbox__virtualenv }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  loop: '{{ q("flattened", netbox__virtualenv_pip_packages) }}'
+  when: netbox__register_checkout is changed and
+        item.state | d('present') not in ['absent', 'ignore']
+
+- name: Generate NetBox configuration
+  ansible.builtin.template:
+    src: 'usr/local/lib/netbox/configuration.py.j2'
+    dest: '{{ netbox__git_checkout + "/netbox/netbox/configuration.py" }}'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0640'
+  notify: [ 'Restart gunicorn for netbox', 'Restart netbox internal appserver', 'Restart netbox Request Queue Worker' ]
+  register: netbox__register_configuration
+  tags: [ 'role::netbox:config' ]
+
+- name: Generate NetBox LDAP configuration
+  ansible.builtin.template:
+    src: 'usr/local/lib/netbox/ldap_config.py.j2'
+    dest: '{{ netbox__git_checkout + "/netbox/netbox/ldap_config.py" }}'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0640'
+  notify: [ 'Restart gunicorn for netbox', 'Restart netbox internal appserver', 'Restart netbox Request Queue Worker' ]
+  when: netbox__ldap_enabled | bool
+  tags: [ 'role::netbox:config' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Perform database installation or migration
+  ## Commands from upgrade.sh. We cannot directly run this script as of 3.5
+  ## because it also deals with virtualenv with different directory paths than
+  ## this role.
+  ansible.builtin.shell:  # noqa no-handler
+    cmd: |
+      set -o nounset -o pipefail -o errexit
+      ./manage.py migrate
+      ./manage.py trace_paths --no-input || :
+      (cd .. && mkdocs build)
+      ./manage.py collectstatic --no-input
+      ./manage.py remove_stale_contenttypes --no-input
+      ./manage.py reindex --lazy
+      ./manage.py clearsessions
+    chdir: '{{ netbox__git_checkout + "/netbox" }}'
+    executable: 'bash'
+  environment:
+    VIRTUAL_ENV: '{{ netbox__virtualenv }}'
+    PATH: '{{ netbox__virtualenv_env_path }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  when: (netbox__register_checkout is changed and
+         netbox__primary | bool)
+  register: netbox__register_migration
+  changed_when: netbox__register_migration.changed | bool
+
+- name: Generate static content
+  ## Since we do not run the manage.py file on secondary sites
+  ## we need to generate those files in an extra task.
+  ansible.builtin.shell:  # noqa no-handler
+    cmd: |
+      set -o nounset -o pipefail -o errexit
+      ./manage.py collectstatic --no-input
+    chdir: '{{ netbox__git_checkout + "/netbox" }}'
+    executable: 'bash'
+  environment:
+    VIRTUAL_ENV: '{{ netbox__virtualenv }}'
+    PATH: '{{ netbox__virtualenv_env_path }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  when: (netbox__register_checkout is changed and
+         not netbox__primary | bool)
+  register: netbox__register_collectstatic
+  changed_when: not netbox__register_collectstatic.stdout is search('0 static files copied')
+
+- name: Create local session directory
+  ansible.builtin.file:
+    path: '{{ netbox__data + "/sessions" }}'
+    owner: '{{ netbox__user }}'
+    group: '{{ netbox__group }}'
+    mode: '0770'
+    access_time: preserve
+    modification_time: preserve
+    state: directory
+  become: True
+  become_user: '{{ netbox__user }}'
+  when: (not netbox__primary | bool)
+
+- name: Cleanup stale contenttypes and sessions
+  ## Since we do not run the manage.py file on secondary sites
+  ## we need to run the cleanup in an extra task.
+  ansible.builtin.shell:  # noqa no-handler
+    cmd: |
+      set -o nounset -o pipefail -o errexit
+      ./manage.py remove_stale_contenttypes --no-input
+      ./manage.py clearsessions
+    chdir: '{{ netbox__git_checkout + "/netbox" }}'
+    executable: 'bash'
+  environment:
+    VIRTUAL_ENV: '{{ netbox__virtualenv }}'
+    PATH: '{{ netbox__virtualenv_env_path }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  when: (netbox__register_checkout is changed and
+         not netbox__primary | bool)
+  changed_when: false
+
+- name: Create Django superuser account
+  community.general.django_manage:
+    command: 'createsuperuser --noinput --username={{ netbox__superuser_name }} --email={{ netbox__superuser_email }}'
+    app_path: '{{ netbox__git_checkout + "/netbox" }}'
+    virtualenv: '{{ netbox__virtualenv }}'
+  environment:
+    DJANGO_SUPERUSER_PASSWORD: '{{ netbox__superuser_password }}'
+  become: True
+  become_user: '{{ netbox__user }}'
+  register: netbox__register_django_superuser
+  failed_when: ('error' in netbox__register_django_superuser.out.lower() and
+                'that username is already taken.' not in netbox__register_django_superuser.out.lower())
+  when: (netbox__primary | bool and
+         not netbox__register_installed.stat.exists | bool and
+         not netbox__register_migration.stdout is search('No migrations to apply.'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate systemd service unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/netbox.service.j2'
+    dest: '/etc/systemd/system/netbox.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify:
+    - 'Reload systemd daemon (netbox)'
+    - 'Restart gunicorn for netbox'
+    - 'Restart netbox internal appserver'
+  when: netbox__app_internal_appserver | bool
+
+- name: Generate NetBox RQ systemd service unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/netbox-rq.service.j2'
+    dest: '/etc/systemd/system/netbox-rq.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify:
+    - 'Reload systemd daemon (netbox)'
+    - 'Restart netbox Request Queue Worker'
+  when: netbox__app_internal_appserver | bool
+
+- name: Generate systemd NetBox Housekeeping service unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/netbox-housekeeping.service.j2'
+    dest: '/etc/systemd/system/netbox-housekeeping.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify:
+    - 'Reload systemd daemon (netbox)'
+
+- name: Generate systemd NetBox Housekeeping timer unit
+  ansible.builtin.template:
+    src: 'etc/systemd/system/netbox-housekeeping.timer.j2'
+    dest: '/etc/systemd/system/netbox-housekeeping.timer'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify:
+    - 'Reload systemd daemon (netbox)'
+
+- name: Enable systemd NetBox Housekeeping timer
+  ansible.builtin.systemd:
+    daemon_reload: True
+    name: 'netbox-housekeeping.timer'
+    enabled: True
+    state: 'started'
+  when: ansible_service_mgr == 'systemd' and not ansible_check_mode
+
+- name: Generate NetBox netbox-manage script
+  ansible.builtin.template:
+    src: 'usr/local/bin/netbox-manage.j2'
+    dest: '{{ netbox__bin + "/netbox-manage" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save NetBox local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/netbox.fact.j2'
+    dest: '/etc/ansible/facts.d/netbox.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/etc/ansible/facts.d/netbox.fact.j2 b/ansible_collections/debops/debops/roles/netbox/templates/etc/ansible/facts.d/netbox.fact.j2
new file mode 100644
index 00000000..2c067d0d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/etc/ansible/facts.d/netbox.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.service.j2 b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.service.j2
new file mode 100644
index 00000000..095c79c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.service.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2023 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=NetBox Housekeeping Service
+Documentation=https://docs.netbox.dev/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User={{ netbox__user }}
+Group={{ netbox__group }}
+WorkingDirectory={{ netbox__git_checkout + "/netbox" }}
+
+ExecStart={{ netbox__virtualenv }}/bin/python3 {{ netbox__git_checkout + "/netbox/manage.py housekeeping" }}
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.timer.j2 b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.timer.j2
new file mode 100644
index 00000000..d0047a4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-housekeeping.timer.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2023 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=NetBox Housekeeping Timer
+Documentation=https://docs.netbox.dev/
+After=network-online.target
+Wants=network-online.target
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-rq.service.j2 b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-rq.service.j2
new file mode 100644
index 00000000..6b5d5450
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox-rq.service.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=NetBox Request Queue Worker
+Documentation=https://netbox.readthedocs.io/en/stable/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+User={{ netbox__user }}
+Group={{ netbox__group }}
+WorkingDirectory={{ netbox__git_checkout + "/netbox" }}
+
+ExecStart={{ netbox__virtualenv }}/bin/python3 {{ netbox__git_checkout + "/netbox/manage.py rqworker" }}
+
+Restart=on-failure
+RestartSec=30
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox.service.j2 b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox.service.j2
new file mode 100644
index 00000000..bf17e3cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/etc/systemd/system/netbox.service.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=NetBox
+Documentation=https://netbox.readthedocs.io/en/latest/
+After=network.target
+
+[Service]
+User={{ netbox__user }}
+Group={{ netbox__group }}
+RuntimeDirectory={{ netbox__app_runtime_dir }}
+RuntimeDirectoryMode=0755
+WorkingDirectory={{ netbox__git_checkout + "/netbox" }}
+ExecStart={{ netbox__virtualenv }}/bin/gunicorn {{ netbox__app_params | join(' ') }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/lookup/netbox__config_admins.j2 b/ansible_collections/debops/debops/roles/netbox/templates/lookup/netbox__config_admins.j2
new file mode 100644
index 00000000..f55e5cb3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/lookup/netbox__config_admins.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if (ansible_local.core.admin_private_email | d()) %}
+{%   for address in ansible_local.core.admin_private_email %}
+- [ '{{ address.split("@") | first }}', '{{ address }}' ]
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/usr/local/bin/netbox-manage.j2 b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/bin/netbox-manage.j2
new file mode 100644
index 00000000..a2d9b477
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/bin/netbox-manage.j2
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2021 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Activate virtualenv and run `manage.py` as NetBox user.
+
+# {{ ansible_managed }}
+
+set -o nounset -o pipefail -o errexit
+
+sudo -u "{{ netbox__user }}" bash -c '
+	source "{{ netbox__virtualenv }}/bin/activate"
+	"{{ netbox__git_checkout }}/netbox/manage.py" "$@"
+' "inline_script_name" "$@"
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/configuration.py.j2 b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/configuration.py.j2
new file mode 100644
index 00000000..ef901d9e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/configuration.py.j2
@@ -0,0 +1,315 @@
+{# Copyright (C) 2016 Jeremy Stretch <stretch@packetlife.net>
+ # Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016,2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: Apache-2.0
+ #}
+# {{ ansible_managed }}
+# -*- coding: utf-8 -*-
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+import json
+
+# NetBox required settings [[[1
+#########################
+#                       #
+#   Required settings   #
+#                       #
+#########################
+
+# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write
+# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name.
+#
+# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local']
+ALLOWED_HOSTS = [ '{{ ( [ netbox__config_allowed_hosts ] if netbox__config_allowed_hosts is string else netbox__config_allowed_hosts) | join("', '") }}' ]
+
+# PostgreSQL database configuration. See the Django documentation for a complete list of available parameters:
+#   https://docs.djangoproject.com/en/stable/ref/settings/#databases
+DATABASE = {
+    'ENGINE': 'django.db.backends.postgresql',     # Database engine
+    'NAME': '{{ netbox__database_name }}',         # Database name
+    'USER': '{{ netbox__database_user }}',         # PostgreSQL username
+    'PASSWORD': '{{ netbox__database_password }}', # PostgreSQL password
+    'HOST': '{{ netbox__database_host }}',         # Database server
+    'PORT': '{{ netbox__database_port }}',         # Database port (leave blank for default)
+    'CONN_MAX_AGE': 300,                           # Max database connection age
+}
+
+# Redis database settings. Redis is used for caching and for queuing background tasks such as webhook events. A separate
+# configuration exists for each. Full connection details are required in both sections, and it is strongly recommended
+# to use two separate database IDs.
+REDIS = {
+    'tasks': {
+        'HOST': '{{ netbox__redis_host }}',
+        'PORT': {{ netbox__redis_port }},
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'USERNAME': '',
+        'PASSWORD': '{{ netbox__redis_password }}',
+        'DATABASE': {{ netbox__redis_database }},
+        'SSL': {{ netbox__redis_ssl }},
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+        # Set a path to a certificate authority, typically used with a self signed certificate.
+        # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
+    },
+    'caching': {
+        'HOST': '{{ netbox__redis_host }}',
+        'PORT': {{ netbox__redis_port }},
+        # Comment out `HOST` and `PORT` lines and uncomment the following if using Redis Sentinel
+        # 'SENTINELS': [('mysentinel.redis.example.com', 6379)],
+        # 'SENTINEL_SERVICE': 'netbox',
+        'USERNAME': '',
+        'PASSWORD': '{{ netbox__redis_password }}',
+        'DATABASE': {{ netbox__redis_cache_database }},
+        'SSL': {{ netbox__redis_ssl }},
+        # Set this to True to skip TLS certificate verification
+        # This can expose the connection to attacks, be careful
+        # 'INSECURE_SKIP_TLS_VERIFY': False,
+        # Set a path to a certificate authority, typically used with a self signed certificate.
+        # 'CA_CERT_PATH': '/etc/ssl/certs/ca.crt',
+    }
+}
+
+# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
+# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
+# symbols. NetBox will not run without this defined. For more information, see
+# https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-SECRET_KEY
+SECRET_KEY = '{{ netbox__config_secret_key }}'
+
+# NetBox optional settings [[[1
+#########################
+#                       #
+#   Optional settings   #
+#                       #
+#########################
+
+# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of
+# application errors (assuming correct email settings are provided).
+ADMINS = [
+    # ['John Doe', 'jdoe@example.com'],
+{% if netbox__config_admins %}
+{%   for element in netbox__config_admins %}
+    [ '{{ element[0] }}', '{{ element[1] }}' ],
+{%   endfor %}
+{% endif %}
+]
+
+# Permit the retrieval of API tokens after their creation.
+ALLOW_TOKEN_RETRIEVAL = False
+
+# Enable any desired validators for local account passwords below. For a list of included validators, please see the
+# Django documentation at https://docs.djangoproject.com/en/stable/topics/auth/passwords/#password-validation.
+AUTH_PASSWORD_VALIDATORS = [
+    # {
+    #     'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    #     'OPTIONS': {
+    #         'min_length': 10,
+    #     }
+    # },
+]
+
+# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
+# BASE_PATH = 'netbox/'
+BASE_PATH = '{{ netbox__config_base_path }}'
+
+# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be
+# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or
+# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers
+CORS_ORIGIN_ALLOW_ALL = {{ netbox__config_cors_origin_allow_all | bool }}
+CORS_ORIGIN_WHITELIST = [
+    # 'https://hostname.example.com',
+{% if netbox__config_cors_origin_whitelist %}
+{%   for element in netbox__config_cors_origin_whitelist %}
+    '{{ element }}',
+{%   endfor %}
+{% endif %}
+]
+CORS_ORIGIN_REGEX_WHITELIST = [
+    # r'^(https?://)?(\w+\.)?example\.com$',
+{% if netbox__config_cors_origin_regex_whitelist %}
+{%   for element in netbox__config_cors_origin_regex_whitelist %}
+    '{{ element }}',
+{%   endfor %}
+{% endif %}
+]
+
+# The name to use for the CSRF token cookie.
+CSRF_COOKIE_NAME = 'csrftoken'
+
+# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal
+# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging
+# on a production system.
+DEBUG = False
+
+# Set the default preferred language/locale
+DEFAULT_LANGUAGE = '{{ netbox__config_default_language }}'
+
+# Email settings
+EMAIL = {
+    'SERVER': '{{ netbox__config_email_server }}',
+    'PORT': {{ netbox__config_email_port }},
+    'USERNAME': '{{ netbox__config_email_username }}',
+    'PASSWORD': '{{ netbox__config_email_password }}',
+    'USE_TLS': {{ netbox__config_email_use_tls | bool }},
+    'TIMEOUT': {{ netbox__config_email_timeout }},  # seconds
+    'FROM_EMAIL': '{{ netbox__config_email_from }}',
+}
+
+# Localization
+# This should only be enabled for development or testing purposes as netbox is not yet fully localized.
+ENABLE_LOCALIZATION = False
+
+# Exempt certain models from the enforcement of view permissions. Models listed here will be viewable by all users and
+# by anonymous users. List models in the form `<app>.<model>`. Add '*' to this list to exempt all models.
+EXEMPT_VIEW_PERMISSIONS = [
+    # 'dcim.site',
+    # 'dcim.region',
+    # 'ipam.prefix',
+{% for element in netbox__config_exempt_view_permissions %}
+    '{{ element }}',
+{% endfor %}
+]
+
+# HTTP proxies NetBox should use when sending outbound HTTP requests (e.g. for webhooks).
+# HTTP_PROXIES = {
+#     'http': 'http://10.10.1.10:3128',
+#     'https': 'http://10.10.1.10:1080',
+# }
+
+# IP addresses recognized as internal to the system. The debugging toolbar will be available only to clients accessing
+# NetBox from an internal IP.
+INTERNAL_IPS = ('127.0.0.1', '::1')
+
+# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs:
+#   https://docs.djangoproject.com/en/stable/topics/logging/
+LOGGING = json.loads('''{{ netbox__config_logging | to_nice_json }}''')
+
+# Automatically reset the lifetime of a valid session upon each authenticated request. Enables users to remain
+# authenticated to NetBox indefinitely.
+LOGIN_PERSISTENCE = False
+
+# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users
+# are permitted to access most data in NetBox but not make any changes.
+LOGIN_REQUIRED = {{ netbox__config_login_required | bool }}
+
+# The length of time (in seconds) for which a user will remain logged into the web UI before being prompted to
+# re-authenticate. (Default: 1209600 [14 days])
+LOGIN_TIMEOUT = {{ netbox__config_login_timeout }}
+
+# The view name or URL to which users are redirected after logging out.
+LOGOUT_REDIRECT_URL = 'home'
+
+# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that
+# the default value of this setting is derived from the installed location.
+MEDIA_ROOT = '{{ netbox__config_media_root }}'
+
+# By default uploaded media is stored on the local filesystem. Using Django-storages is also supported. Provide the
+# class path of the storage driver in STORAGE_BACKEND and any configuration options in STORAGE_CONFIG. For example:
+# STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+# STORAGE_CONFIG = {
+#     'AWS_ACCESS_KEY_ID': 'Key ID',
+#     'AWS_SECRET_ACCESS_KEY': 'Secret',
+#     'AWS_STORAGE_BUCKET_NAME': 'netbox',
+#     'AWS_S3_REGION_NAME': 'eu-west-1',
+# }
+
+# Expose Prometheus monitoring metrics at the HTTP endpoint '/metrics'
+METRICS_ENABLED = {{ netbox__config_metrics_enabled }}
+
+# Enable installed plugins. Add the name of each plugin to the list.
+PLUGINS = json.loads('''{{ netbox__config_plugins | to_nice_json }}''')
+
+# Plugins configuration settings. These settings are used by various plugins that the user may have installed.
+# Each key in the dictionary is the name of an installed plugin and its value is a dictionary of settings.
+PLUGINS_CONFIG = json.loads('''{{ netbox__config_plugins_config | to_nice_json }}''')
+
+# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to
+# prefer IPv4 instead.
+PREFER_IPV4 = {{ netbox__config_prefer_ipv4 | bool }}
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = {{ netbox__ldap_enabled | bool }}
+{% if netbox__ldap_enabled | bool -%}
+REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
+REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
+REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
+REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
+REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+{% endif %}
+
+# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+REPORTS_ROOT = '{{ netbox__config_reports_root }}'
+
+# Maximum execution time for background tasks, in seconds.
+RQ_DEFAULT_TIMEOUT = 300
+
+# The file path where custom scripts will be stored. A trailing slash is not needed. Note that the default value of
+# this setting is derived from the installed location.
+SCRIPTS_ROOT = '{{ netbox__config_scripts_root }}'
+
+# The name to use for the session cookie.
+SESSION_COOKIE_NAME = 'sessionid'
+
+# By default, NetBox will store session data in the database. Alternatively, a file path can be specified here to use
+# local file storage instead. (This can be useful for enabling authentication on a standby instance with read-only
+# database access.) Note that the user as which NetBox runs must have read and write permissions to this path.
+SESSION_FILE_PATH = '{{ netbox__config_session_file_path }}'
+
+# Time zone (default: UTC)
+TIME_ZONE = '{{ netbox__config_time_zone }}'
+
+# Date/time formatting. See the following link for supported formats:
+# https://docs.djangoproject.com/en/stable/ref/templates/builtins/#date
+DATE_FORMAT = '{{ netbox__config_date_format }}'
+SHORT_DATE_FORMAT = '{{ netbox__config_short_date_format }}'
+TIME_FORMAT = '{{ netbox__config_time_format }}'
+SHORT_TIME_FORMAT = '{{ netbox__config_short_time_format }}'
+DATETIME_FORMAT = '{{ netbox__config_datetime_format }}'
+SHORT_DATETIME_FORMAT = '{{ netbox__config_short_datetime_format }}'
+
+# DebOps settings that are not in the configuration_example.py file [[[1
+
+CENSUS_REPORTING_ENABLED = {{ netbox__config_census_reporting | bool }}
+
+# Dynamic Configuration Parameters [[[1
+
+# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same
+# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP.
+BANNER_TOP = '{{ netbox__config_banner_top }}'
+BANNER_BOTTOM = '{{ netbox__config_banner_bottom }}'
+
+# Text to include on the login page above the login form. HTML is allowed.
+BANNER_LOGIN = '{{ netbox__config_banner_login }}'
+
+# Maximum number of days to retain logged changes. Set to 0 to retain changes indefinitely. (Default: 90)
+CHANGELOG_RETENTION = {{ netbox__config_changelog_retention }}
+
+# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce unique IP space within the global table
+# (all prefixes and IP addresses not assigned to a VRF), set ENFORCE_GLOBAL_UNIQUE to True.
+ENFORCE_GLOBAL_UNIQUE = {{ netbox__config_enforce_global_unique | bool }}
+
+# Setting this to True will display a "maintenance mode" banner at the top of every page.
+MAINTENANCE_MODE = {{ netbox__config_maintenance_mode | bool }}
+
+# The URL to use when mapping physical addresses or GPS coordinates.
+MAPS_URL = '{{ netbox__config_maps_url }}'
+
+# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g.
+# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request
+# all objects by specifying "?limit=0".
+MAX_PAGE_SIZE = {{ netbox__config_max_page_size }}
+
+# Determine how many objects to display per page within a list. (Default: 50)
+PAGINATE_COUNT = {{ netbox__config_paginate_count }}
+{% if netbox__config_custom != '' %}
+
+# DebOps netbox__config_custom settings [[[1
+{{ netbox__config_custom }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/ldap_config.py.j2 b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/ldap_config.py.j2
new file mode 100644
index 00000000..26623b29
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/netbox/templates/usr/local/lib/netbox/ldap_config.py.j2
@@ -0,0 +1,90 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: Apache-2.0
+ #}
+# {{ ansible_managed }}
+# -*- coding: utf-8 -*-
+
+from importlib import import_module
+from os import environ
+
+import ldap
+from django_auth_ldap.config import LDAPSearch
+
+
+# Import and return the group type based on string name
+def _import_group_type(group_type_name):
+    mod = import_module('django_auth_ldap.config')
+    try:
+        return getattr(mod, group_type_name)()
+    except:
+        return None
+
+# Server URI
+AUTH_LDAP_SERVER_URI = '{{ netbox__ldap_server_uri }}'
+
+# The following may be needed if you are binding to Active Directory.
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0
+}
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = '{{ netbox__ldap_binddn }}'
+AUTH_LDAP_BIND_PASSWORD = '{{ netbox__ldap_bindpw }}'
+
+# Set a string template that describes any user’s distinguished name based on the username.
+AUTH_LDAP_USER_DN_TEMPLATE = None
+
+# Enable STARTTLS for ldap authentication.
+AUTH_LDAP_START_TLS = {{ netbox__ldap_start_tls }}
+
+# Uncomment this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
+# Note that this is a NetBox-specific setting which sets:
+#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+#LDAP_IGNORE_CERT_ERRORS = True
+
+AUTH_LDAP_USER_SEARCH_BASEDN = '{{ netbox__ldap_base_dn | join(",") }}'
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    AUTH_LDAP_USER_SEARCH_BASEDN,
+    ldap.SCOPE_SUBTREE,
+    "{{ netbox__ldap_user_filter }}"
+)
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# hierarchy.
+AUTH_LDAP_GROUP_SEARCH_BASEDN = environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', '')
+AUTH_LDAP_GROUP_SEARCH_CLASS = environ.get('AUTH_LDAP_GROUP_SEARCH_CLASS', 'group')
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_SEARCH_BASEDN, ldap.SCOPE_SUBTREE,
+                                    "(objectClass=" + AUTH_LDAP_GROUP_SEARCH_CLASS + ")")
+AUTH_LDAP_GROUP_TYPE = _import_group_type(environ.get('AUTH_LDAP_GROUP_TYPE', 'GroupOfNamesType'))
+
+# Define a group required to login.
+{% if netbox__ldap_group_authentication_enabled | bool %}
+AUTH_LDAP_REQUIRE_GROUP = '{{ netbox__ldap_user_group_dn | join(",") }}'
+{% else %}
+AUTH_LDAP_REQUIRE_GROUP = None
+{% endif %}
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {}
+
+if AUTH_LDAP_REQUIRE_GROUP is not None:
+    AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+        "is_active": '{{ netbox__ldap_user_active_group_dn | join(",") }}',
+        "is_staff": '{{ netbox__ldap_user_staff_group_dn | join(",") }}',
+        "is_superuser": '{{ netbox__ldap_user_admin_group_dn | join(",") }}'
+    }
+
+# For more granular permissions, we can map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true'
+AUTH_LDAP_MIRROR_GROUPS = environ.get('AUTH_LDAP_MIRROR_GROUPS', '').lower() == 'true'
+
+# Cache groups for one hour to reduce LDAP traffic
+AUTH_LDAP_CACHE_TIMEOUT = int(environ.get('AUTH_LDAP_CACHE_TIMEOUT', 3600))
+
+# Populate the Django user from the LDAP directory.
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
+    "last_name": environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
+    "email": environ.get('AUTH_LDAP_ATTR_MAIL', 'mailAddress')
+}
diff --git a/ansible_collections/debops/debops/roles/networkd/COPYRIGHT b/ansible_collections/debops/debops/roles/networkd/COPYRIGHT
new file mode 100644
index 00000000..2620482a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.networkd - Manage network interfaces using systemd-networkd
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/networkd/defaults/main.yml b/ansible_collections/debops/debops/roles/networkd/defaults/main.yml
new file mode 100644
index 00000000..78a6c132
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/defaults/main.yml
@@ -0,0 +1,252 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _networkd__ref_defaults:
+
+# debops.networkd default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General options [[[
+# -------------------
+
+# .. envvar:: networkd__enabled [[[
+#
+# Enable or disable management of the :command:`systemd-networkd` service using
+# DebOps. If the parameter is set to ``False``, the role will not touch service
+# configuration.
+networkd__enabled: '{{ True
+                       if (ansible_service_mgr == "systemd")
+                       else False }}'
+
+                                                                   # ]]]
+# .. envvar:: networkd__unattended_restart [[[
+#
+# On the first installation, :command:`systemd-networkd` cannot be restarted
+# unattended because changes in network configuration might make a host
+# unreachable and stop the playbook execution. When the service is configured,
+# it should be fine to restart on any changes.
+networkd__unattended_restart: '{{ True
+                                  if ((ansible_local.networkd.state | d()) == "enabled")
+                                  else False }}'
+
+                                                                   # ]]]
+# .. envvar:: networkd__deploy_state [[[
+#
+# This variable controls if the :command:`systemd-networkd` main configuration
+# file is managed on the host (``present``) or not (``absent``, default). If
+# deployment state is disabled, :command:`systemd-networkd` will use the
+# configuration provided with the OS package. Configuration of the specific
+# service units is not affected by this variable.
+networkd__deploy_state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: networkd__version [[[
+#
+# Specify the version of the :command:`systemd-networkd` daemon installed on
+# the host. By default this variable is defined using Ansible local facts and
+# can be used to alter configuration depending on the version of the service.
+networkd__version: '{{ ansible_local.networkd.version | d("0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-networkd` daemon configuration [[[
+# --------------------------------------------------------
+
+# These variables define the contents of the ``[Network]`` section in the
+# :file:`/etc/systemd/networkd.conf` configuration file. Check the
+# :man:`networkd.conf(5)` manual page for more information about the
+# configuration options, and :ref:`networkd__ref_configuration` for details
+# about the configuration of the role itself.
+#
+# By default the configuration is not applied on the hosts, you need to set
+# :envvar:`networkd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: networkd__default_configuration [[[
+#
+# List of the default configuration options defined by the role.
+networkd__default_configuration:
+
+  - name: 'SpeedMeter'
+    value: False
+    state: 'init'
+
+  - name: 'SpeedMeterIntervalSec'
+    value: '10sec'
+    state: 'init'
+
+  - name: 'ManageForeignRoutes'
+    value: True
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: networkd__configuration [[[
+#
+# List of the configuration options which should be present on all hosts in the
+# Ansible inventory.
+networkd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__group_configuration [[[
+#
+# List of the configuration options which should be present on hosts in
+# a specific Ansible inventory group.
+networkd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__host_configuration [[[
+#
+# List of the configuration options which should be present on specific hosts
+# in the Ansible inventory.
+networkd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__combined_configuration [[[
+#
+# Variable which combines all configuration lists and is used in the role tasks
+# and templates.
+networkd__combined_configuration: '{{ networkd__default_configuration
+                                     + networkd__configuration
+                                     + networkd__group_configuration
+                                     + networkd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-networkd` DHCP configuration [[[
+# ------------------------------------------------------
+
+# These variables define configuration of the ``[DHCP]`` section in the
+# :file:`/etc/systemd/networkd.conf` configuration file. Check the
+# :man:`networkd.conf(5)` manual page for more information about the
+# configuration options, and :ref:`networkd__ref_configuration` for details
+# about the configuration of the role itself.
+#
+# By default the configuration is not applied on the hosts, you need to set
+# :envvar:`networkd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: networkd__dhcp_default_configuration [[[
+#
+# List of the default DHCP configuration options for the user instances,
+# defined by the role.
+networkd__dhcp_default_configuration:
+
+  - name: 'DUIDType'
+    value: 'vendor'
+    state: 'init'
+
+  - name: 'DUIDRawData'
+    value: ''
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: networkd__dhcp_configuration [[[
+#
+# List of the DHCP configuration options which should be present on all hosts
+# in the Ansible inventory.
+networkd__dhcp_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__dhcp_group_configuration [[[
+#
+# List of the DHCP configuration options which should be present on hosts in
+# a specific Ansible inventory group.
+networkd__dhcp_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__dhcp_host_configuration [[[
+#
+# List of the DHCP configuration options which should be present on specific
+# hosts in the Ansible inventory.
+networkd__dhcp_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__dhcp_combined_configuration [[[
+#
+# Variable which combines all DHCP configuration lists and is used in role
+# tasks and templates.
+networkd__dhcp_combined_configuration: '{{ networkd__dhcp_default_configuration
+                                          + networkd__dhcp_configuration
+                                          + networkd__dhcp_group_configuration
+                                          + networkd__dhcp_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-networkd` configuration units [[[
+# -------------------------------------------------------
+
+# These variables can be used to manage :command:`systemd-networkd`
+# :file:`*.network`, :file:`*.netdev` and :file:`*.link` files located in the
+# :file:`/etc/systemd/network/` directory. Check the :man:`systemd.network(5)`,
+# :man:`systemd.netdev(5)` and :file:`systemd.link(5)` manual pages for more
+# information about files themselves, and :ref:`networkd__ref_units` for
+# details about configuring units using this role.
+
+# .. envvar:: networkd__default_units [[[
+#
+# List of the default :command:`systemd-networkd` units defined by the role.
+networkd__default_units:
+
+  - name: 'wired-dhcp.network'
+    comment: 'Configure any wired Ethernet interface via DHCP'
+    raw: |
+      [Match]
+      Name=e*
+
+      [Network]
+      DHCP=yes
+      MulticastDNS=yes
+      LLDP=yes
+      EmitLLDP=yes
+
+      [DHCPv4]
+      UseDomains=true
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: networkd__units [[[
+#
+# List of :command:`systemd-networkd` units which should be present on all
+# hosts in the Ansible inventory.
+networkd__units: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__group_units [[[
+#
+# List of :command:`systemd-networkd` units which should be present on hosts in
+# a specific Ansible inventory group.
+networkd__group_units: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__host_units [[[
+#
+# List of :command:`systemd-networkd` units which should be present on specific
+# hosts in the Ansible inventory.
+networkd__host_units: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__dependent_units [[[
+#
+# List of :command:`systemd-networkd` units which are defined by other Ansible
+# roles using dependent role variables.
+networkd__dependent_units: []
+
+                                                                   # ]]]
+# .. envvar:: networkd__combined_units [[[
+#
+# Variable which combines all of the :command:`systemd-networkd` unit lists and
+# is used in role tasks and templates.
+networkd__combined_units: '{{ networkd__default_units
+                              + networkd__dependent_units
+                              + networkd__units
+                              + networkd__group_units
+                              + networkd__host_units }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/networkd/handlers/main.yml b/ansible_collections/debops/debops/roles/networkd/handlers/main.yml
new file mode 100644
index 00000000..bd1959d0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Restart systemd-networkd service
+  ansible.builtin.systemd:
+    name: 'systemd-networkd.service'
+    state: 'restarted'
+  when: (ansible_service_mgr == 'systemd' and networkd__unattended_restart | bool)
diff --git a/ansible_collections/debops/debops/roles/networkd/meta/main.yml b/ansible_collections/debops/debops/roles/networkd/meta/main.yml
new file mode 100644
index 00000000..77f40ba9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage network interfaces using systemd-networkd'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - systemd
+    - network
+    - networking
diff --git a/ansible_collections/debops/debops/roles/networkd/tasks/main.yml b/ansible_collections/debops/debops/roles/networkd/tasks/main.yml
new file mode 100644
index 00000000..5df9b649
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/tasks/main.yml
@@ -0,0 +1,102 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save networkd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/networkd.fact.j2'
+    dest: '/etc/ansible/facts.d/networkd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+  # Enable the service after checking the facts for the first time, to capture
+  # the state change and not restart the service on the first run
+- name: Ensure that systemd-networkd service is enabled
+  ansible.builtin.systemd:
+    name: 'systemd-networkd.service'
+    enabled: True
+  when: networkd__enabled | bool
+
+- name: Remove systemd-networkd configuuration if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/networkd.conf.d/ansible.conf'
+    state: 'absent'
+  notify: [ 'Restart systemd-networkd service' ]
+  when: networkd__enabled | bool and networkd__deploy_state == 'absent'
+
+- name: Create systemd-networkd configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/networkd.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: networkd__enabled | bool and networkd__deploy_state != 'absent'
+
+- name: Generate systemd-networkd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/networkd.conf.d/ansible.conf.j2'
+    dest: '/etc/systemd/networkd.conf.d/ansible.conf'
+    mode: '0644'
+  notify: [ 'Restart systemd-networkd service' ]
+  when: networkd__enabled | bool and networkd__deploy_state != 'absent'
+
+- name: Remove network units if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/network/" + item.name }}'
+    state: 'absent'
+  loop: '{{ networkd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-networkd service' ]
+  when: networkd__enabled | bool and item.state | d("present") == 'absent'
+
+- name: Remove network unit overrides if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/network/" + item.name + ".d" }}'
+    state: 'absent'
+  loop: '{{ networkd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-networkd service' ]
+  when: networkd__enabled | bool and item.state | d("present") == 'absent'
+
+- name: Create directories for network units
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/network/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ networkd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: networkd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        (item.name | dirname).endswith('.d')
+
+- name: Generate network units
+  ansible.builtin.template:
+    src: 'etc/systemd/network/template.j2'
+    dest: '{{ "/etc/systemd/network/" + item.name }}'
+    mode: '0644'
+  loop: '{{ networkd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-networkd service' ]
+  when: networkd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init']
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/networkd/templates/etc/ansible/facts.d/networkd.fact.j2 b/ansible_collections/debops/debops/roles/networkd/templates/etc/ansible/facts.d/networkd.fact.j2
new file mode 100644
index 00000000..3d8c1ee0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/templates/etc/ansible/facts.d/networkd.fact.j2
@@ -0,0 +1,45 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('networkctl')}
+
+try:
+    is_enabled = subprocess.check_output(
+            ["systemctl", "is-enabled",
+                "systemd-networkd.service"]).decode('utf-8')
+    output['state'] = is_enabled.strip()
+except subprocess.CalledProcessError:
+    output['state'] = 'disabled'
+
+try:
+    networkd_version_stdout = subprocess.check_output(
+            ["networkctl", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in networkd_version_stdout.split('\n'):
+        if line.lower().startswith('systemd '):
+            output['version'] = line.split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/network/template.j2 b/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/network/template.j2
new file mode 100644
index 00000000..f202cb62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/network/template.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{{ item.raw | regex_replace('\n$', '') }}
diff --git a/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/networkd.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/networkd.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..0ea56db7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/networkd/templates/etc/systemd/networkd.conf.d/ansible.conf.j2
@@ -0,0 +1,65 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See networkd.conf(5) for details.
+
+[Network]
+{% for element in networkd__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
+
+[DHCP]
+{% for element in networkd__dhcp_combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/neurodebian/COPYRIGHT b/ansible_collections/debops/debops/roles/neurodebian/COPYRIGHT
new file mode 100644
index 00000000..acdb94a9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.neurodebian - Install packages from the NeuroDebian repository
+
+Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/neurodebian/defaults/main.yml b/ansible_collections/debops/debops/roles/neurodebian/defaults/main.yml
new file mode 100644
index 00000000..24b40d4a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/defaults/main.yml
@@ -0,0 +1,242 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _neurodebian__ref_defaults:
+
+# debops.neurodebian default variables
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: neurodebian__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that repositories and packages provided by NeuroDebian are
+#   installed and configured as requested.
+#
+# ``absent``
+#   Ensure that repositories and packages provided by NeuroDebian are absent.
+#
+neurodebian__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__upstream [[[
+#
+# When the upstream support is enabled, Ansible will configure NeuroDebian APT
+# repositories directly. When it's disabled, the role will install the
+# ``neurodebian`` APT package included in Debian and let it configure the
+# repositories. The package is included since Debian Stretch.
+neurodebian__upstream: '{{ True
+                           if (ansible_distribution_release in ["trusty"])
+                           else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# NeuroDebian packages and installation [[[
+# -----------------------------------------
+
+# .. envvar:: neurodebian__support_packages [[[
+#
+# The APT packages to install for NeuroDebian support.
+neurodebian__support_packages: [ 'neurodebian', 'netselect' ]
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__packages [[[
+#
+# List of global packages for NeuroDebian.
+# This variable is intended to be used in Ansible’s global inventory.
+neurodebian__packages: []
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__group_packages [[[
+#
+# List of group packages for NeuroDebian.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+neurodebian__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__host_packages [[[
+#
+# List of host packages for NeuroDebian.
+# This variable is intended to be used in the inventory of hosts.
+neurodebian__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__dependent_packages [[[
+#
+# List of APT packages to install for other Ansible roles, for usage as
+# a dependent role.
+neurodebian__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Upstream APT repository configuration [[[
+# -----------------------------------------
+
+# Refer to http://neuro.debian.net/ for details.
+
+# .. envvar:: neurodebian__apt_key_fingerprint [[[
+#
+# The OpenPGP key fingerprint for the key by which the NeuroDebian APT
+# repository is signed.
+neurodebian__apt_key_fingerprint: 'DD95 CC43 0502 E37E F840  ACEE A5D3 2F01 2649 A5A9'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__apt_components [[[
+#
+# The NeuroDebian repository component/flavor to enable.
+# Supported choices: ``main``, ``contrib``, ``non-free``.
+neurodebian__apt_components:
+  - 'main'
+  - '{{ ["contrib", "non-free"]
+        if (ansible_local.apt.nonfree | d() | bool)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__apt_source_types [[[
+#
+# List of source types to configure for the NeuroDebian repository.
+# Supported choices: ``deb``, ``deb-src``.
+neurodebian__apt_source_types: [ 'deb' ]
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__region [[[
+#
+# A rough estimate of the region (country) a given host resides in, based on
+# the system locale settings. This variable is used to select a mirror near the
+# host, and might be inaccurate.
+neurodebian__region: '{{ ansible_local.locales.system_region | d("US") }}'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__region_mirror_map [[[
+#
+# YAML dictionary that maps country codes (taken from the locale) to
+# NeuroDebian mirrors.
+neurodebian__region_mirror_map:
+  'AU': 'au'
+  'CA': 'us-nh'
+  'CN': 'cn-hf'
+  'DE': 'de-m'
+  'ES': 'de-m'
+  'FR': 'de-md'
+  'GB': 'de-m'
+  'GR': 'gr'
+  'IT': 'de-m'
+  'JP': 'jp'
+  'NZ': 'au'
+  'PL': 'de-md'
+  'RU': 'de-md'
+  'US': 'us-nh'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__apt_mirror_map [[[
+#
+# YAML dictionary that contains a list of NeuroDebian mirrors, taken from
+# the http://neuro.debian.net/mirrors_status.html page.
+neurodebian__apt_mirror_map:
+
+  # Australia (AARNET)
+  'au':     'http://mirror.aarnet.edu.au/pub/neurodebian'
+
+  # China (Tsinghua University)
+  'cn-bj1': 'http://mirrors.tuna.tsinghua.edu.cn/neurodebian'
+
+  # China (University of Science and Technology of China)
+  'cn-hf':  'http://mirrors.ustc.edu.cn/neurodebian'
+
+  # China (Zhejiang University)
+  'cn-zj':  'http://mirrors.zju.edu.cn/neurodebian'
+
+  # Germany (G-Node, LMU Munich)
+  'de-m':   'http://neurodebian.g-node.org/'
+
+  # Germany (University of Magdeburg)
+  'de-md':  'http://neurodebian.ovgu.de/debian'
+
+  # Greece (Aristotle University of Thessaloniki)
+  'gr':     'http://neurobot.bio.auth.gr/neurodebian'
+
+  # Japan (Kiyotaka Nemoto)
+  'jp':     'http://neuroimaging.sakura.ne.jp/neurodebian'
+
+  # USA-CA (Paul Ivanov, California)
+  'us-ca':  'http://neurodeb.pirsquared.org/'
+
+  # USA-NH (Dartmouth College)
+  'us-nh':  'http://neuro.debian.net/debian'
+
+  # USA-TN (Vanderbilt)
+  'us-tn':  'http://masi.vuse.vanderbilt.edu/neurodebian'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__apt_mirror [[[
+#
+# The variable that specifies the NeuroDebian mirror to use, selected via the
+# host's region taken from the system locale settings.
+neurodebian__apt_mirror: '{{ neurodebian__region_mirror_map[neurodebian__region]
+                             | d("us-nh") }}'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__apt_mirror_uri [[[
+#
+# The NeuroDebian APT repository mirror URI to use.
+neurodebian__apt_mirror_uri: '{{ neurodebian__apt_mirror_map[neurodebian__apt_mirror] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: neurodebian__apt_preferences__dependent_list [[[
+#
+# APT pinning for packages from the NeuroDebian repository. By default (without
+# this pinning), both the official Debian repositories and NeuroDebian have the
+# same preference which would lead to APT picking the package with the highest
+# version regardless from which repository it comes from.
+#
+# As NeuroDebian provides many additional packages along with more recent
+# versions of packages already available in official Debian releases, APT
+# pinning is used to ensure that package versions available in official Debian
+# releases are preferred even if NeuroDebian provides newer versions.
+#
+# The job of setting up the APT pinning is offloaded to the
+# :ref:`debops.apt_preferences` role which is instructed using this variable.
+neurodebian__apt_preferences__dependent_list:
+
+  - package: '*'
+    reason: |-
+      Pin NeuroDebian with priority 80 which is lower then the official Debian backports (100).
+      This also works when `apt_preferences__preset_list` is set which increases
+      Debian backports to 400 and decreases Debian testing to 50.
+    by_role: 'debops.neurodebian'
+    pin: 'release o=NeuroDebian'
+    priority: '80'
+    state: '{{ "present" if (neurodebian__deploy_state == "present") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: neurodebian__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+neurodebian__keyring__dependent_apt_keys:
+
+  # This is needed to avoid apt_key removing the GPG key from the
+  # 'neurodebian-archive-keyring' APT package
+  - id: '{{ neurodebian__apt_key_fingerprint if neurodebian__upstream | bool else "" }}'
+    state: '{{ "present"
+               if (neurodebian__deploy_state == "present" and
+                   neurodebian__upstream | bool)
+               else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/neurodebian/meta/main.yml b/ansible_collections/debops/debops/roles/neurodebian/meta/main.yml
new file mode 100644
index 00000000..886a70b5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Robin Schneider'
+  description: 'Install packages from the NeuroDebian repository'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - science
+    - neuroscience
+    - education
+    - research
+    - apt
diff --git a/ansible_collections/debops/debops/roles/neurodebian/tasks/main.yml b/ansible_collections/debops/debops/roles/neurodebian/tasks/main.yml
new file mode 100644
index 00000000..4c8863e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/tasks/main.yml
@@ -0,0 +1,83 @@
+---
+# Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure NeuroDebian APT repository
+  ansible.builtin.template:
+    src: 'etc/apt/sources.list.d/neurodebian.sources.list.j2'
+    dest: '/etc/apt/sources.list.d/neurodebian.sources.list'
+    mode: '0644'
+  register: neurodebian__register_apt_repository
+  when: (neurodebian__deploy_state == "present" and
+         neurodebian__upstream | bool)
+
+- name: Ensure the NeuroDebian APT repository is disabled
+  ansible.builtin.file:
+    path: '/etc/apt/sources.list.d/neurodebian.sources.list'
+    state: 'absent'
+  register: neurodebian__register_apt_repository_absent
+  when: (neurodebian__deploy_state == "absent" and
+         neurodebian__upstream | bool)
+
+- name: Configure NeuroDebian support in debconf
+  ansible.builtin.debconf:
+    name: 'neurodebian'
+    question: 'neurodebian/enable'
+    vtype: 'boolean'
+    value: '{{ "true" if (neurodebian__deploy_state == "present") else "false" }}'
+  when: not neurodebian__upstream | bool
+
+- name: Install packages required for NeuroDebian support
+  ansible.builtin.package:
+    name: '{{ q("flattened", neurodebian__support_packages) }}'
+    state: 'present'
+  register: neurodebian__register_support_packages
+  until: neurodebian__register_support_packages is succeeded
+  when: (neurodebian__deploy_state == "present" and
+         not neurodebian__upstream | bool)
+
+- name: Update APT repository cache
+  ansible.builtin.apt:  # noqa no-handler
+    update_cache: True
+  # Not using a handler here as the handler would need to be flushed at this
+  # point which is discouraged in DebOps because that would also flush all
+  # other handlers notified up to this point.
+  register: neurodebian__register_apt_update
+  until: neurodebian__register_apt_update is succeeded
+  when: neurodebian__register_apt_repository is changed or
+        neurodebian__register_apt_repository_absent is changed or
+        neurodebian__register_support_packages is changed
+
+- name: Ensure specified packages are in their desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", (neurodebian__packages
+                              + neurodebian__group_packages
+                              + neurodebian__host_packages
+                              + neurodebian__dependent_packages)) }}'
+    state: '{{ "present" if (neurodebian__deploy_state == "present") else "absent" }}'
+  register: neurodebian__register_packages
+  until: neurodebian__register_packages is succeeded
+  tags: [ 'role::neurodebian:package' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save NeuroDebian local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/neurodebian.fact.j2'
+    dest: '/etc/ansible/facts.d/neurodebian.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/neurodebian/templates/etc/ansible/facts.d/neurodebian.fact.j2 b/ansible_collections/debops/debops/roles/neurodebian/templates/etc/ansible/facts.d/neurodebian.fact.j2
new file mode 100644
index 00000000..6fcf032e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/templates/etc/ansible/facts.d/neurodebian.fact.j2
@@ -0,0 +1,17 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+
+
+output = {"configured": True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/neurodebian/templates/etc/apt/sources.list.d/neurodebian.sources.list.j2 b/ansible_collections/debops/debops/roles/neurodebian/templates/etc/apt/sources.list.d/neurodebian.sources.list.j2
new file mode 100644
index 00000000..55e4ac2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/neurodebian/templates/etc/apt/sources.list.d/neurodebian.sources.list.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2017      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2019      Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{#
+# http://neuro.debian.net/ would normally autogenerate this file based on the
+# webconfigurator and a deterministic URL. But as this resource is not available
+# over HTTPS and to allow more flexibility, the file is templated using Ansible and Jinja2.
+#}
+
+{% for source_type in neurodebian__apt_source_types %}
+{{ source_type }} {{ neurodebian__apt_mirror_uri }} data {{ q("flattened", neurodebian__apt_components) | join(" ") }}
+{{ source_type }} {{ neurodebian__apt_mirror_uri }} {{ ansible_distribution_release | lower }} {{ q("flattened", neurodebian__apt_components) | join(" ") }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/nfs/COPYRIGHT b/ansible_collections/debops/debops/roles/nfs/COPYRIGHT
new file mode 100644
index 00000000..8519f662
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nfs - manage NFS4 client using Ansible
+
+Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nfs/defaults/main.yml b/ansible_collections/debops/debops/roles/nfs/defaults/main.yml
new file mode 100644
index 00000000..49326ded
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/defaults/main.yml
@@ -0,0 +1,98 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nfs__ref_defaults:
+
+# debops.nfs default variables [[[
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: nfs__base_packages [[[
+#
+# List of APT packages that are required for NFS support.
+nfs__base_packages: [ 'nfs-common' ]
+
+                                                                   # ]]]
+# .. envvar:: nfs__packages [[[
+#
+# List of additional APT packages to install with NFS support.
+nfs__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# NFS mount configuration [[[
+# ---------------------------
+
+# .. envvar:: nfs__kerberos [[[
+#
+# Enable Kerberos support. Currently doesn't do much.
+nfs__kerberos: False
+
+                                                                   # ]]]
+# .. envvar:: nfs__default_mount_type [[[
+#
+# The default filesystem type used for NFS mount points, if a custom type is
+# not specified in the NFS share configuration.
+nfs__default_mount_type: 'nfs4'
+
+                                                                   # ]]]
+# .. envvar:: nfs__base_mount_options [[[
+#
+# List of :command:`mount` options that are added to all mount points
+# configured by this role. These should ensure correct operation for a network
+# mount point.
+nfs__base_mount_options: [ 'proto=tcp', 'port=2049', '_netdev' ]
+
+                                                                   # ]]]
+# .. envvar:: nfs__security_mount_options [[[
+#
+# List of :command:`mount` options related to Kerberos security, added to all
+# mount points configured by this role.
+nfs__security_mount_options: '{{ ["sec=krb5p"] if nfs__kerberos | bool else ["sec=sys"] }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs__default_mount_options [[[
+#
+# List of default :command:`mount` options added to all mount point configured
+# by this role if no options are specified in the configuration of a given NFS
+# share.
+nfs__default_mount_options: [ 'noatime', 'nosuid', 'nodev', 'hard', 'intr' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# NFS shares [[[
+# --------------
+
+# The lists of NFS shares configured on the hosts. Each list element is
+# a dictionary which describes an NFS share. See :ref:`nfs__ref_shares` for
+# more details.
+
+# .. envvar:: nfs__shares [[[
+#
+# List of NFS shares configured on all hosts in the Ansible inventory.
+nfs__shares: []
+
+                                                                   # ]]]
+# .. envvar:: nfs__group_shares [[[
+#
+# List of NFS shares configured on hosts in specific Ansible inventory group.
+nfs__group_shares: []
+
+                                                                   # ]]]
+# .. envvar:: nfs__host_shares [[[
+#
+# List of NFS shares configured on specific hosts in the Ansible inventory.
+nfs__host_shares: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nfs/meta/main.yml b/ansible_collections/debops/debops/roles/nfs/meta/main.yml
new file mode 100644
index 00000000..57e4765d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure NFS4 client'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - nfs
+    - filesystem
+    - networking
diff --git a/ansible_collections/debops/debops/roles/nfs/tasks/main.yml b/ansible_collections/debops/debops/roles/nfs/tasks/main.yml
new file mode 100644
index 00000000..08887a4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (nfs__base_packages
+                              + nfs__packages)) }}'
+    state: 'present'
+  register: nfs__register_packages
+  until: nfs__register_packages is succeeded
+
+- name: Configure NFS client
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/default/nfs-common'
+  register: nfs__register_config
+
+- name: Ensure that the NFS mount points exist
+  ansible.builtin.file:
+    path:  '{{ item.path }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0755") }}'
+    state: 'directory'
+  loop: '{{ q("flattened", nfs__shares
+                           + nfs__group_shares
+                           + nfs__host_shares) }}'
+  when: item.path | d() and item.src | d() and item.state | d('mounted') == 'present'
+
+- name: Manage NFS mount points
+  ansible.posix.mount:
+    name:   '{{ item.path }}'
+    src:    '{{ item.src }}'
+    fstype: '{{ item.fstype | d(nfs__default_mount_type) }}'
+    opts:   '{{ lookup("template", "lookup/mount_options.j2") | from_yaml }}'
+    state:  '{{ item.state | d("mounted") }}'
+    passno: '{{ item.passno | d(omit) }}'
+    dump:   '{{ item.dump | d(omit) }}'
+    fstab:  '{{ item.fstab | d(omit) }}'
+  loop: '{{ q("flattened", nfs__shares
+                           + nfs__group_shares
+                           + nfs__host_shares) }}'
+  register: nfs__register_devices
+  when: item.path | d() and item.src | d()
+
+- name: Restart 'remote-fs.target' systemd unit
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'remote-fs.target'
+    state: 'restarted'
+    daemon_reload: True
+  loop: '{{ nfs__register_devices.results }}'
+  when: (ansible_service_mgr == 'systemd' and item is changed and
+         (lookup("template", "lookup/mount_options.j2") is match(".*x-systemd.automount.*")))
diff --git a/ansible_collections/debops/debops/roles/nfs/templates/etc/default/nfs-common.j2 b/ansible_collections/debops/debops/roles/nfs/templates/etc/default/nfs-common.j2
new file mode 100644
index 00000000..0266d694
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/templates/etc/default/nfs-common.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2013-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD="no"
+
+# Options for rpc.statd.
+#   Should rpc.statd listen on a specific port? This is especially useful
+#   when you have a port-based firewall. To use a fixed port, set this
+#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+#   For more information, see rpc.statd(8) or https://wiki.debian.org/SecuringNFS
+STATDOPTS=""
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD="yes"
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD="{{ 'yes' if nfs__kerberos | bool else 'no' }}"
diff --git a/ansible_collections/debops/debops/roles/nfs/templates/lookup/mount_options.j2 b/ansible_collections/debops/debops/roles/nfs/templates/lookup/mount_options.j2
new file mode 100644
index 00000000..2b758a77
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs/templates/lookup/mount_options.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2013-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set nfs__tpl_mount_options = [] %}
+{% if item.options | d() %}
+{%   set _ = nfs__tpl_mount_options.extend((item.options.split(',') if item.options is string else item.options)) %}
+{% elif item.opts | d() %}
+{%   set _ = nfs__tpl_mount_options.extend((item.opts.split(',') if item.opts is string else item.opts)) %}
+{% else %}
+{%   set _ = nfs__tpl_mount_options.extend((nfs__default_mount_options.split(',') if nfs__default_mount_options is string else nfs__default_mount_options)) %}
+{% endif %}
+{% if (item.default_options | d(True)) | bool %}
+{{ (nfs__security_mount_options + nfs__tpl_mount_options + nfs__base_mount_options) | unique | join(',') | to_yaml }}
+{% else %}
+{{ (nfs__tpl_mount_options + [ '_netdev' ]) | unique | join(',') | to_yaml }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/nfs_server/COPYRIGHT b/ansible_collections/debops/debops/roles/nfs_server/COPYRIGHT
new file mode 100644
index 00000000..0407cf30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nfs_server - manage NFS server using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nfs_server/defaults/main.yml b/ansible_collections/debops/debops/roles/nfs_server/defaults/main.yml
new file mode 100644
index 00000000..599f597c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/defaults/main.yml
@@ -0,0 +1,263 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nfs_server__ref_defaults:
+
+# debops.nfs_server default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: nfs_server__base_packages [[[
+#
+# List of base APT packages required by the NFS server.
+nfs_server__base_packages: [ 'nfs-kernel-server', 'acl' ]
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__packages [[[
+#
+# List of additional APT packages to install with the NFS server.
+nfs_server__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: nfs_server__allow [[[
+#
+# List of IP addresses or CIDR subnets which can access the NFS server.
+nfs_server__allow: []
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__accept_any [[[
+#
+# By default the firewall does not accept connections to the NFS server if no
+# networks are specified. If you change this variable to ``True``, any hosts
+# will be able to connect to the NFS server unless list of allowed hosts is
+# specified.
+nfs_server__accept_any: False
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__firewall_protocols [[[
+#
+# List of protocols which should be opened for NFS communication through the
+# firewall.
+nfs_server__firewall_protocols: '{{ ["tcp", "udp"] if nfs_server__v3 | bool else "tcp" }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__anchor_port [[[
+#
+# The various NFSv3 services use first available port to listen for
+# connections. To change that and allow connections through the firewall, the
+# role defines a static set of ports to use. This variable is used to specify
+# the first port of that set.
+nfs_server__anchor_port: '3550'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__service_ports [[[
+#
+# This variable is a YAML dictionary which defines all port numbers used by
+# various NFSv3 services.
+nfs_server__service_ports:
+  'rpc.nfs-cb':   '{{ (nfs_server__anchor_port | int + 0) }}'
+  'rpc.lockd':    '{{ (nfs_server__anchor_port | int + 1) }}'
+  'rpc.mountd':   '{{ (nfs_server__anchor_port | int + 2) }}'
+  'rpc.statd':    '{{ (nfs_server__anchor_port | int + 3) }}'
+  'rpc.statd-bc': '{{ (nfs_server__anchor_port | int + 4) }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__firewall_ports [[[
+#
+# List of TCP/UDP ports which should be opened in the firewall for NFS access.
+nfs_server__firewall_ports: '{{ (["nfs", "sunrpc"] + (nfs_server__service_ports.keys() | list))
+                                if nfs_server__v3 | bool else ["nfs"] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# NFS server configuration [[[
+# ----------------------------
+
+# .. envvar:: nfs_server__v3 [[[
+#
+# Enable or disable support for NFSv3 features. By default the NFSv3 support is
+# disabled to ensure better service security.
+nfs_server__v3: False
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__threads [[[
+#
+# Number of :command:`nfsd` threads to run. This depends on several factors,
+# for example number of NFS clients that access the NFS shares. Check the
+# :command:`nfsstat` command to diagnose possible issues and adjust this number
+# as necessary.
+nfs_server__threads: '{{ ansible_processor_vcpus | int * 2 }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__priority [[[
+#
+# Server thread priority, see :manpage:`nice(1)` for more details.
+nfs_server__priority: '0'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__mountd_options [[[
+#
+# The arguments passed to the ;command:`rpc.mountd` process.
+nfs_server__mountd_options: '--manage-gids --port {{ nfs_server__service_ports["rpc.mountd"] }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__kerberos [[[
+#
+# Enable or disable Kerberos support.
+nfs_server__kerberos: False
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__svcgssd_options [[[
+#
+# Arguments passed to the ``rpc.svcgssd`` process.
+nfs_server__svcgssd_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# NFS4 root pseudo-filesystem [[[
+# -------------------------------
+
+# .. envvar:: nfs_server__root_path [[[
+#
+# Absolute path of the NFS4 root filesystem. All other NFS4 shares should be
+# served as subdirectories of this directory.
+nfs_server__root_path: '{{ (ansible_local.fhs.data | d("/srv"))
+                           + "/nfs" }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__root_options [[[
+#
+# List of options that are used to export the NFS4 root filesystem.
+nfs_server__root_options: [ 'rw', 'fsid=root', 'sync', 'subtree_check', 'crossmnt' ]
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__root_security_options [[[
+#
+# List of NFS4 security options that are used to export the NFS4 root
+# filesystem.
+nfs_server__root_security_options: '{{ ["sec=krb5p"] if nfs_server__kerberos | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__root_acl [[[
+#
+# The Access Control List of NFS clients that are allowed to mount the NFS4
+# root filesystem. See :ref:`nfs_server__ref_exports` for more details.
+nfs_server__root_acl: '{{ "*" if nfs_server__accept_any | bool else nfs_server__allow }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# NFS server exports [[[
+# ----------------------
+
+# The list of YAML dictionaries that define NFS exports.
+# See :ref:`nfs_server__ref_exports` for more details.
+
+# .. envvar:: nfs_server__default_exports [[[
+#
+# The default NFS exports defined on the server. This usually includes the NFS4
+# root pseudo-filesystem.
+nfs_server__default_exports:
+  - path: '{{ nfs_server__root_path }}'
+    acl: '{{ nfs_server__root_acl }}'
+    options: '{{ (nfs_server__root_security_options.split(",")
+                  if nfs_server__root_security_options is string
+                  else nfs_server__root_security_options) +
+                 (nfs_server__root_options.split(",")
+                  if nfs_server__root_options is string
+                  else nfs_server__root_options) }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__exports [[[
+#
+# List of NFS server exports defined on all hosts in the Ansible inventory.
+nfs_server__exports: []
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__group_exports [[[
+#
+# List of NFS server exports defined on hosts in specific Ansible inventory
+# group.
+nfs_server__group_exports: []
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__host_exports [[[
+#
+# List of NFS server exports defined on specific hosts in Ansible inventory.
+nfs_server__host_exports: []
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__combined_exports [[[
+#
+# All of the NFS exports lists are combined in this variable and passed to
+# tasks and templates in the role.
+nfs_server__combined_exports: '{{ lookup("flattened", nfs_server__default_exports
+                                  + nfs_server__exports + nfs_server__group_exports
+                                  + nfs_server__host_exports) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: nfs_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+nfs_server__etc_services__dependent_list:
+
+  - name: 'rpc.nfs-cb'
+    port: '{{ nfs_server__service_ports["rpc.nfs-cb"] }}'
+    comment: 'RPC NFS callback'
+
+  - name: 'rpc.lockd'
+    port: '{{ nfs_server__service_ports["rpc.lockd"] }}'
+    comment: 'RPC lockd'
+
+  - name: 'rpc.mountd'
+    port: '{{ nfs_server__service_ports["rpc.mountd"] }}'
+    comment: 'RPC mountd'
+
+  - name: 'rpc.statd'
+    port: '{{ nfs_server__service_ports["rpc.statd"] }}'
+    comment: 'RPC statd'
+
+  - name: 'rpc.statd-bc'
+    port: '{{ nfs_server__service_ports["rpc.statd-bc"] }}'
+    comment: 'RPC statd broadcast'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the :ref:`debops.tcpwrappers` Ansible role.
+nfs_server__tcpwrappers__dependent_allow:
+
+  - daemon: [ 'rpcbind', 'mountd', 'lockd', 'statd' ]
+    client: '{{ nfs_server__allow }}'
+    accept_any: '{{ nfs_server__accept_any }}'
+    filename: 'nfs-server'
+    state: '{{ "present" if nfs_server__v3 | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nfs_server__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+nfs_server__ferm__dependent_rules:
+  - name: 'nfs_server'
+    type: 'accept'
+    dport: '{{ nfs_server__firewall_ports }}'
+    protocol: '{{ nfs_server__firewall_protocols }}'
+    saddr: '{{ nfs_server__allow }}'
+    accept_any: '{{ nfs_server__accept_any }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nfs_server/meta/main.yml b/ansible_collections/debops/debops/roles/nfs_server/meta/main.yml
new file mode 100644
index 00000000..be21cc3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage NFS server using Ansible'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - nfs
+    - filesystem
+    - networking
diff --git a/ansible_collections/debops/debops/roles/nfs_server/tasks/main.yml b/ansible_collections/debops/debops/roles/nfs_server/tasks/main.yml
new file mode 100644
index 00000000..de778dfe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (nfs_server__base_packages
+                              + nfs_server__packages)) }}'
+    state: 'present'
+  register: nfs_server__register_packages
+  until: nfs_server__register_packages is succeeded
+
+- name: Configure NFS server
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/default/nfs-common'
+    - 'etc/default/nfs-kernel-server'
+    - 'etc/modprobe.d/nfs-server.conf'
+  notify:
+    - 'Restart nfs-kernel-server service'
+
+- name: Create /etc/exports.d/ directory
+  ansible.builtin.file:
+    path: '/etc/exports.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Ensure exported directories exist
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0755") }}'
+  loop: '{{ q("flattened", nfs_server__combined_exports) }}'
+  when: item.path | d() and item.state | d('present') != 'absent' and item.acl | d()
+
+- name: Bind mount requested directories
+  ansible.posix.mount:
+    name: '{{ item.path }}'
+    src: '{{ item.bind.src | d(item.bind) }}'
+    opts: '{{ (["bind"] + item.bind.options | d([])) | join(",") }}'
+    fstype: 'none'
+    state: 'mounted'
+  loop: '{{ q("flattened", nfs_server__combined_exports) }}'
+  when: item.path | d() and item.state | d('present') != 'absent' and item.acl | d() and item.bind | d()
+
+- name: Configure NFS exports
+  ansible.builtin.template:
+    src: 'etc/exports.d/ansible.exports.j2'
+    dest: '/etc/exports.d/ansible.exports'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload NFS exports' ]
diff --git a/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-common.j2 b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-common.j2
new file mode 100644
index 00000000..a4e15a4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-common.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# If you do not set values for the NEED_ options, they will be attempted
+# autodetected; this should be sufficient for most people. Valid alternatives
+# for the NEED_ options are "yes" and "no".
+
+# Do you want to start the statd daemon? It is not needed for NFSv4.
+NEED_STATD="{{ 'yes' if nfs_server__v3 | bool else 'no' }}"
+
+# Options for rpc.statd.
+#   Should rpc.statd listen on a specific port? This is especially useful
+#   when you have a port-based firewall. To use a fixed port, set this
+#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
+#   For more information, see rpc.statd(8) or https://wiki.debian.org/SecuringNFS
+STATDOPTS="--port {{ nfs_server__service_ports['rpc.statd'] }} --outgoing-port {{ nfs_server__service_ports['rpc.statd-bc'] }}"
+
+# Do you want to start the idmapd daemon? It is only needed for NFSv4.
+NEED_IDMAPD="yes"
+
+# Do you want to start the gssd daemon? It is required for Kerberos mounts.
+NEED_GSSD="{{ 'yes' if nfs_server__kerberos | bool else 'no' }}"
diff --git a/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-kernel-server.j2 b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-kernel-server.j2
new file mode 100644
index 00000000..3dc8e137
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/default/nfs-kernel-server.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Number of servers to start up
+RPCNFSDCOUNT={{ nfs_server__threads }}
+
+# Runtime priority of server (see nice(1))
+RPCNFSDPRIORITY={{ nfs_server__priority }}
+
+# Options for rpc.mountd.
+# If you have a port-based firewall, you might want to set up
+# a fixed port here using the --port option. For more information,
+# see rpc.mountd(8) or https://wiki.debian.org/SecuringNFS
+# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
+RPCMOUNTDOPTS="{{ nfs_server__mountd_options if nfs_server__mountd_options is string else nfs_server__mountd_options | join(' ') }}"
+
+# Do you want to start the svcgssd daemon? It is only required for Kerberos
+# exports. Valid alternatives are "yes" and "no"; the default is "no".
+NEED_SVCGSSD="{{ 'yes' if nfs_server__kerberos | bool else 'no' }}"
+
+# Options for rpc.svcgssd.
+RPCSVCGSSDOPTS="{{ nfs_server__svcgssd_options if nfs_server__svcgssd_options is string else nfs_server__svcgssd_options | join(' ') }}"
diff --git a/ansible_collections/debops/debops/roles/nfs_server/templates/etc/exports.d/ansible.exports.j2 b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/exports.d/ansible.exports.j2
new file mode 100644
index 00000000..dfe8d1d5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/exports.d/ansible.exports.j2
@@ -0,0 +1,93 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_export(export) %}
+{%   if export is mapping and export.state | d('present') != 'absent' and export.path | d() and export.acl | d() %}
+{%     set nfs_server__tpl_export_path = export.path %}
+{%     set nfs_server__tpl_export_options = [] %}
+{%     set nfs_server__tpl_export_acl = [] %}
+{%     if export.options | d() %}
+{%         set _ = nfs_server__tpl_export_options.append('-' + (export.options if export.options is string else export.options | join(','))) %}
+{%     endif %}
+{%     if export.acl is string %}
+{%       set _ = nfs_server__tpl_export_acl.append(export.acl) %}
+{%     elif export.acl is not string and export.acl is not mapping %}
+{%       for element in export.acl %}
+{%         if element is string %}
+{%           set _ = nfs_server__tpl_export_acl.append(element) %}
+{%         elif element is mapping and element.state | d('present') != 'absent' %}
+{%           if element.client | d() %}
+{%             if element.client is string %}
+{%               if element.options | d() %}
+{%                 set _ = nfs_server__tpl_export_acl.append(element.client + '(' + (element.options if element.options is string else element.options | join(',')) + ')') %}
+{%               else %}
+{%                 set _ = nfs_server__tpl_export_acl.append(element.client) %}
+{%               endif %}
+{%             elif element.client is not string and element.client is not mapping %}
+{%               for host in element.client %}
+{%                 if element.options | d() %}
+{%                   set _ = nfs_server__tpl_export_acl.append(host + '(' + (element.options if element.options is string else element.options | join(',')) + ')') %}
+{%                 else %}
+{%                   set _ = nfs_server__tpl_export_acl.append(host) %}
+{%                 endif %}
+{%               endfor %}
+{%             endif %}
+{%           elif element.clients | d() %}
+{%             if element.clients is string %}
+{%               if element.options | d() %}
+{%                 set _ = nfs_server__tpl_export_acl.append(element.clients + '(' + (element.options if element.options is string else element.options | join(',')) + ')') %}
+{%               else %}
+{%                 set _ = nfs_server__tpl_export_acl.append(element.clients) %}
+{%               endif %}
+{%             elif element.clients is not string and element.clients is not mapping %}
+{%               for host in element.clients %}
+{%                 if element.options | d() %}
+{%                   set _ = nfs_server__tpl_export_acl.append(host + '(' + (element.options if element.options is string else element.options | join(',')) + ')') %}
+{%                 else %}
+{%                   set _ = nfs_server__tpl_export_acl.append(host) %}
+{%                 endif %}
+{%               endfor %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if export.comment | d() %}
+{{ (export.comment if export.comment is string else export.comment | join('\n'))  | regex_replace('\n$', '') | comment(prefix='\n', postfix='') -}}
+{%     endif %}
+{%     if nfs_server__tpl_export_acl | length > 1 %}
+{%       if nfs_server__tpl_export_options %}
+{{ "%-30s %s \\" | format(nfs_server__tpl_export_path, nfs_server__tpl_export_options | join(' ')) }}
+{%         for acl_entry in nfs_server__tpl_export_acl %}
+{%           if not loop.last | bool %}
+{{ "%-34s %s \\" | format('', acl_entry) }}
+{%           else %}
+{{ "%-34s %s" | format('', acl_entry) }}
+{%           endif %}
+{%         endfor %}
+{%       else %}
+{{ "%-30s %s \\" | format(nfs_server__tpl_export_path, (nfs_server__tpl_export_options + [ nfs_server__tpl_export_acl[0] ]) | join(" ")) }}
+{%         for acl_entry in nfs_server__tpl_export_acl[1:] %}
+{%           if not loop.last | bool %}
+{{ "%-30s %s \\" | format('', acl_entry) }}
+{%           else %}
+{{ "%-30s %s" | format('', acl_entry) }}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     else %}
+{{ "%-30s %s" | format(nfs_server__tpl_export_path, (nfs_server__tpl_export_options + nfs_server__tpl_export_acl) | join(" ")) }}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% for entry in (nfs_server__combined_exports) %}
+{%   if entry is mapping and entry.state | d('present') != 'absent' and entry.path | d() and entry.acl | d() %}
+{%     if not loop.first | bool and not entry.comment | d() %}
+
+{%     endif %}
+{{ print_export(entry) -}}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/nfs_server/templates/etc/modprobe.d/nfs-server.conf.j2 b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/modprobe.d/nfs-server.conf.j2
new file mode 100644
index 00000000..357e55b6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nfs_server/templates/etc/modprobe.d/nfs-server.conf.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+options lockd nlm_udpport={{ nfs_server__service_ports['rpc.lockd'] }} nlm_tcpport={{ nfs_server__service_ports['rpc.lockd'] }}
+options nfs callback_tcpport={{ nfs_server__service_ports['rpc.nfs-cb'] }}
diff --git a/ansible_collections/debops/debops/roles/nginx/COPYRIGHT b/ansible_collections/debops/debops/roles/nginx/COPYRIGHT
new file mode 100644
index 00000000..5d46d5fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.nginx - Manage nginx webserver using Ansible
+
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nginx/defaults/main.yml b/ansible_collections/debops/debops/roles/nginx/defaults/main.yml
new file mode 100644
index 00000000..9e046d2e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/defaults/main.yml
@@ -0,0 +1,1283 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@drybjed.net>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nginx__ref_defaults:
+
+# debops.nginx default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic Settings [[[
+# ------------------
+
+# .. envvar:: nginx__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Nginx is installed and configured as requested.
+#
+# ``config``
+#   Highly optional. In this state you are responsible for manually installing
+#   nginx packages which are compatible with this role. The role maintains
+#   configuration only. This state is designed for very specific deployments
+#   which require out-of-tree nginx binaries.
+#
+# ``absent``
+#   Ensure that Nginx is uninstalled and it's configuration is removed.
+#
+#   .. warning:: The roles is currently not able to dismantle from ``present``
+#      state. This needs to be implemented. This state can only be achieved
+#      currently when ``present`` has never been set before on a host.
+#
+nginx__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: nginx_base_packages [[[
+#
+# List of Debian packages installed by this role
+nginx_base_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_flavor [[[
+#
+# What type of nginx server to install (see :envvar:`nginx_flavor_package_map`)
+nginx_flavor: 'full'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_distribution_release [[[
+#
+# Specify the OS distribution release to use in flavored repositories.
+nginx__flavor_distribution_release: '{{ ansible_local.core.distribution_release
+                                         | d(ansible_distribution_release) }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_apt_key_id [[[
+#
+# The APT GPG key id of the currently selected flavor.
+nginx__flavor_apt_key_id: '{{ nginx__flavor_apt_key_id_map[nginx_flavor] | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_apt_repository [[[
+#
+# The APT repository of the currently selected flavor.
+nginx__flavor_apt_repository: '{{ nginx__flavor_apt_repository_map[nginx_flavor] | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_apt_key_id_map [[[
+#
+# Dicrionary which maps the APT GPG key ids to their respective flavors.
+nginx__flavor_apt_key_id_map:
+  'nginx.org': '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62'
+  'passenger': '16378A33A6EF16762922526E561F9B9CAC40B2F7'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_apt_repository_map [[[
+#
+# Dicrionary which maps the APT GPG repositories to their respective flavors.
+nginx__flavor_apt_repository_map:
+  'nginx.org': 'deb https://nginx.org/packages/{{ ansible_distribution | lower }}/ {{ nginx__flavor_distribution_release }} nginx'
+  'passenger': 'deb https://oss-binaries.phusionpassenger.com/apt/passenger {{ nginx__flavor_distribution_release }} main'
+
+                                                                   # ]]]
+# .. envvar:: nginx__flavor_packages [[[
+#
+# The list of APT packages installed depending on the currently selected
+# flavor.
+nginx__flavor_packages: '{{ nginx_flavor_package_map[nginx_flavor] }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_flavor_package_map [[[
+#
+# There are many versions of nginx server to choose from, but only 1 can be
+# installed at a time. This is a list of APT packages which will be installed
+# for a specific flavor.
+nginx_flavor_package_map:
+
+  # Default version from Debian
+  'full': [ 'nginx-full' ]
+
+  # Light version from Debian
+  'light': [ 'nginx-light' ]
+
+  # Extras version from Debian
+  'extras': [ 'nginx-extras' ]
+
+  # nginx with support for Phusion Passenger compiled in. Requires external APT
+  # repository. See https://phusionpassenger.com/ for more details.
+  'passenger':
+    - 'nginx-extras'
+    - 'ruby'
+    - '{{ "passenger"
+          if (nginx__flavor_distribution_release in
+              ["trusty", "xenial"])
+          else "libnginx-mod-http-passenger" }}'
+
+  # Upstream version from https://nginx.org/ packaged for Debian
+  'nginx.org': [ 'nginx' ]
+
+                                                                   # ]]]
+# .. envvar:: nginx_user [[[
+#
+# System user used by nginx.
+nginx_user: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: nginx_www [[[
+#
+# nginx base path for website directories
+# It is exposed using Ansible local facts as 'ansible_local.nginx.www'
+nginx_www: '/srv/www'
+
+                                                                   # ]]]
+# .. envvar:: nginx_public_dir_name [[[
+#
+# public folder foreach website
+# It cat be overwritten per servers
+nginx_public_dir_name: 'public'
+
+                                                                   # ]]]
+# .. envvar:: nginx_etc_path [[[
+#
+# Directory where :program:`nginx` configuration is stored.
+nginx_etc_path: '/etc/nginx'
+
+                                                                   # ]]]
+# .. envvar:: nginx_private_path [[[
+#
+# Directory where private files used by :program:`nginx` are stored (for example
+# htpasswd files).
+nginx_private_path: '{{ nginx_etc_path + "/private" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_run_path [[[
+#
+# Directory where runtime :program:`nginx` files are stored.
+nginx_run_path: '/run'
+
+                                                                   # ]]]
+# .. envvar:: nginx_log_path [[[
+#
+# Directory where :program:`nginx` log files are stored.
+# Socket where :program:`nginx` sends logs to, if nginx_log_to_syslog is true.
+# A socket can be unix:/path/to/socket or ipaddress:port
+nginx_log_path: '{{ "unix:/dev/log" if nginx_log_to_syslog else "/var/log/nginx" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_log_to_syslog [[[
+#
+# If this variable is true, :program:`nginx` logs to the socket stored
+# in `nginx_log_path`.
+nginx_log_to_syslog: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_syslog_config [[[
+#
+# Examples from nginx documentation are:
+# `nohostname`
+# `facility=local7,tag=nginx,severity=info`
+nginx_syslog_config: 'nohostname'
+                                                                   # ]]]
+                                                                   # ]]]
+# Phusion Passenger support [[[
+# -----------------------------
+
+# .. envvar:: nginx_passenger_root [[[
+#
+# Specify Phusion Passenger root paths manually (by default this variable is
+# detected automatically at Ansible run time).
+nginx_passenger_root: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_passenger_ruby [[[
+#
+# Specify path to Ruby executable for Phusion Passenger manually (by default
+# this variable is detected automatically at Ansible run time).
+nginx_passenger_ruby: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_passenger_max_pool_size [[[
+#
+# Maximum number of Passenger processes.
+nginx_passenger_max_pool_size: '{{ (ansible_processor_cores | int * 5) }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_passenger_options [[[
+#
+# Additional Phusion Passenger global options.
+nginx_passenger_options: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_passenger_default_min_instances [[[
+#
+# Minimum Passenger instances per nginx server.
+nginx_passenger_default_min_instances: '{{ ansible_processor_cores }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global server access and authentication [[[
+# -------------------------------------------
+
+# .. envvar:: nginx_http_allow [[[
+#
+# List of IP addresses or CIDR networks which can access this server. If the
+# list is empty, access is allowed from anywhere.
+nginx_http_allow: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_auth_basic [[[
+#
+# Enable or disable HTTP Basic Auth for all nginx servers on this host.
+# By default it depends on the contents of 'nginx_http_auth_users' variable, if
+# the list is not empty, authorization is automatically enabled.
+nginx_http_auth_basic: '{{ nginx_http_auth_users }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_auth_basic_name [[[
+#
+# Name of the htpasswd file in '/etc/nginx/private/' with list of global
+# HTTP Basic Auth accounts.
+nginx_http_auth_basic_name: 'nginx_http'
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_auth_users [[[
+#
+# List of HTTP Basic Auth accounts which need to login before accessing this
+# server. Passwords are generated automatically and stored in 'secret/'
+# directory (see :ref:`debops.secret` role). If this list empty, access is not
+# restricted.
+nginx_http_auth_users: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_auth_htpasswd [[[
+#
+# Default htpasswd file used for global HTTP Basic Auth accounts.
+nginx__http_auth_htpasswd:
+  name: '{{ nginx_http_auth_basic_name }}'
+  users: '{{ nginx_http_auth_users }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_server_names_hash_bucket_size [[[
+#
+# The default value of 'server_names_hash_bucket_size' depends on the size
+# of the processor’s cache line. If a large number of server names are
+# defined, or unusually long server names are defined,
+# tuning the 'server_names_hash_max_size' and
+# 'server_names_hash_bucket_size' directives at the http level may
+# become necessary.
+# More information can be found at:
+#
+# - https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size
+#
+nginx_http_server_names_hash_bucket_size: 64
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_server_names_hash_max_size [[[
+#
+# Sets the maximum size of the server names hash tables.
+# More information can be found at:
+#
+# - https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size
+#
+nginx_http_server_names_hash_max_size: 512
+
+                                                                   # ]]]
+# .. envvar:: nginx_http_options [[[
+#
+# Default http { } options.
+nginx_http_options: |
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  types_hash_max_size 2048;
+  gzip on;
+  gzip_disable "msie6";
+  gzip_comp_level    5;
+  gzip_min_length    256;
+  gzip_proxied       any;
+  gzip_vary          on;
+  gzip_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/ld+json
+    application/manifest+json
+    application/rss+xml
+    application/vnd.geo+json
+    application/vnd.ms-fontobject
+    application/x-font-ttf
+    application/x-web-app-manifest+json
+    application/xhtml+xml
+    application/xml
+    font/opentype
+    image/bmp
+    image/svg+xml
+    image/x-icon
+    text/cache-manifest
+    text/css
+    text/plain
+    text/vnd.rim.location.xloc
+    text/vtt
+    text/x-component
+    text/x-cross-domain-policy;
+
+# ]]]
+# .. envvar:: nginx_http_extra_options [[[
+#
+# A string or YAML text block with additional nginx options placed in the
+# :file:`/etc/nginx/nginx.conf` inside of the "http" block.
+nginx_http_extra_options: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_extra_options [[[
+#
+# A string or YAML text block with additional nginx options placed in the
+# :file:`/etc/nginx/nginx.conf` outside of the "http" block.
+nginx_extra_options: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_manage_ipv6only [[[
+#
+# If this variable is enabled, ``debops.nginx`` role will automatically add
+# ``ipv6only=false`` to the default nginx server configuration. You can disable
+# it and manage IPv4 and IPv6 listen directives yourself. nginx daemon needs to
+# be restarted when this variable changes. More information can be found at:
+#
+# - https://github.com/debops/ansible-nginx/issues/86
+#
+# - http://stefanchrist.eu/blog/2015_01_21/Using%20ipv6only%20in%20Nginx.xhtml
+#
+nginx_manage_ipv6only: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_listen_port [[[
+#
+# Default listen port for HTTP connections.
+nginx_listen_port: [ '[::]:80' ]
+
+                                                                   # ]]]
+# .. envvar:: nginx_listen_ssl_port [[[
+#
+# Default listen port for HTTPS connections.
+nginx_listen_ssl_port: [ '[::]:443' ]
+
+                                                                   # ]]]
+# .. envvar:: nginx_listen_socket [[[
+#
+# Default listen socket for HTTP connections.
+nginx_listen_socket: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_listen_ssl_socket [[[
+#
+# Default listen socket for HTTPS connections.
+nginx_listen_ssl_socket: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_real_ip_from [[[
+#
+# List of IP addresses or CIDR subnets that the server should trust about real
+# IP addresses of clients. If this list is specified, :program:`nginx` will read the
+# client IP address from the specified header. This is useful when :program:`nginx`
+# server is used behind another proxy server (local or remote).
+nginx_real_ip_from: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_real_ip_header [[[
+#
+# Specify the header used to lookup client IP addresses given by another
+# server.
+nginx_real_ip_header: 'X-Forwarded-For'
+
+                                                                   # ]]]
+# .. envvar:: nginx_real_ip_recursive [[[
+#
+# If this variable is enabled, :program:`nginx` will ignore client IP addresses that
+# match the ones from list of trusted upstream servers. This is useful when the
+# upstream server is also a proxy.
+nginx_real_ip_recursive: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_keepalive_timeout [[[
+#
+nginx_default_keepalive_timeout: 60
+
+                                                                   # ]]]
+# .. envvar:: nginx_multi_accept [[[
+#
+# If enabled a worker process will accept all new connections at a time,
+# instead of a new connection at a time.
+nginx_multi_accept: 'off'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki [[[
+#
+# Enable or disable support for PKI/SSL/TLS in nginx.
+# Defaults to ``True`` if :ref:`debops.pki` is enabled on the remote host.
+nginx_pki: '{{ ansible_local | d() and ansible_local.pki | d() and
+               (ansible_local.pki.enabled | d() | bool) }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_path [[[
+#
+# Directory path where PKI realm live.
+nginx_pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_realm [[[
+#
+# Default PKI realm to use.
+nginx_pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_ca_realm [[[
+#
+# PKI realm to use for client CA.
+nginx_pki_ca_realm: '{{ ansible_local.pki.ca_realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_crt [[[
+#
+# Path to default certificate, key and DH parameters file used by all nginx
+# servers if not specified otherwise in server configuration. Relative to
+# 'nginx_pki_realm' variable.
+nginx_pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_key [[[
+#
+# The name of the file which contains the private key file of the X.509
+# certificate, relative to the 'nginx_pki_realm' variable.
+nginx_pki_key: 'default.key'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_ca [[[
+#
+# The name of the file which contains the Root Certificate used to authenticate
+# other servers, relative to the 'nginx_pki_realm' variable.
+nginx_pki_ca:  'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_trusted [[[
+#
+# The name of the file which contains the Root Certificate used to authenticate
+# client certificates, relative to the 'nginx_pki_realm' variable.
+nginx_pki_trusted: 'trusted.crt'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_hook_name [[[
+#
+# Name of the hook script which will be stored in hook directory.
+nginx_pki_hook_name: 'nginx'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_hook_path [[[
+#
+# Directory with PKI hooks.
+nginx_pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_pki_hook_action [[[
+#
+# Specify how changes in PKI should affect nginx, either 'reload' or 'restart'.
+nginx_pki_hook_action: 'reload'
+
+                                                                   # ]]]
+# .. envvar:: nginx_ssl_dhparam [[[
+#
+# Path to the file with Diffie-Hellman parameters to use by the webserver.
+nginx_ssl_dhparam: '{{ (""
+                        if nginx_default_tls_protocols | length == 1 and
+                           nginx_default_tls_protocols[0] == "TLSv1.3"
+                        else
+                           (ansible_local.dhparam[nginx_ssl_dhparam_set]
+                            if (ansible_local | d() and ansible_local.dhparam | d() and
+                                ansible_local.dhparam[nginx_ssl_dhparam_set] | d())
+                            else "")) }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_ssl_dhparam_set [[[
+#
+# Name of the ``dhparam`` set to use.
+nginx_ssl_dhparam_set: 'default'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_ciphers [[[
+#
+# Default set of cipher suites to use.
+# Refer to ``nginx_ssl_ciphers`` for details.
+nginx_default_ssl_ciphers: '{{ "mozilla_modern"
+                               if nginx_default_tls_protocols | length == 1 and
+                                  nginx_default_tls_protocols[0] == "TLSv1.3"
+                               else "mozilla_intermediate" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_tls_protocols [[[
+#
+# Default set of TLS protocols to use. TLSv1.3 is only supported on nginx
+# version 1.13.0 and up.
+#
+# See also: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
+nginx_default_tls_protocols: '{{ ["TLSv1.2", "TLSv1.3"]
+                                 if ansible_local.nginx.version | d("0.0.0") is version("1.13.0", ">=")
+                                 else ["TLSv1.2"] }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_curve [[[
+#
+# Default SSL ECDH curve used on servers, to see a list of supported curves, run:
+#
+# .. code-block:: console
+#
+#    openssl ecparam -list_curves
+#
+# See also: https://security.stackexchange.com/questions/31772/
+# Set to ``False`` to disable ECC.
+nginx_default_ssl_curve: 'secp384r1'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_verify_client [[[
+#
+# Default ssl verify client.
+nginx_default_ssl_verify_client: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_client_certificate [[[
+#
+# Default ssl client certificate
+nginx_default_ssl_client_certificate: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_crl [[[
+#
+# Default ssl revocation client certificate
+nginx_default_ssl_crl: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_ocsp [[[
+#
+# Enable or disable OCSP Stapling.
+nginx_ocsp: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_ocsp_verify [[[
+#
+# Verify OCSP responses from the server which requires chained intermediate and
+# Root CA certificates.
+nginx_ocsp_verify: '{{ nginx_ocsp | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_ocsp_resolvers [[[
+#
+# List of DNS servers used to resolve OCSP stapling and other
+# dns queries (e.g. for proxy_path). If it's empty, nginx role
+# will try to use the nameservers from /etc/resolv.conf
+# Currently only the first nameserver is used
+nginx_ocsp_resolvers: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_hsts_age [[[
+#
+# HTTP Strict-Transport-Security
+# https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# Maximum age in seconds for which clients should remember to only make secure
+# connections.
+# Defaults to two earth years.
+nginx_hsts_age: '{{ 2 * 365 * 24 * 60 * 60 }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_hsts_subdomains [[[
+#
+# Should HSTS_ also include subdomains?
+# Note that all subdomains have to support HTTPS if you use this!
+nginx_hsts_subdomains: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_hsts_preload [[[
+#
+# Should the ``preload`` parameter be added to the HSTS header?
+# Refer to the `HSTS Preload List Submission`_ page to make use of this
+# feature.
+# It is disabled by default because setting this to ``True`` alone does
+# nothing, it is just one requirement to get included in the preloading list.
+# Please feel encouraged to get to know HSTS preloading and enable it when you
+# are ready!
+nginx_hsts_preload: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_enable_http2 [[[
+#
+# Enable HTTP/2 (formerly HTTP QUICK) on nginx.
+# HTTP/2 enables a server to pre‑emptively push resources to a remote client,
+# anticipating that the client may soon request those resource, hence
+# reducing the number of RTTs (Round Trip Times).
+# Available with nginx version >= 1.9.5
+nginx_enable_http2: True
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_csp_append [[[
+#
+# CSP directives to append to all policies. This can be used to set the
+# ``report-uri`` globally.
+# The string MUST end with a semicolon but MUST NOT begin with one.
+# Refer :ref:`nginx__ref_servers_http_security_headers` for details.
+nginx__http_csp_append: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_name [[[
+#
+# Specify HTTP server name which will be marked as default_server.
+nginx_default_name: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_ssl_name [[[
+#
+# Specify HTTPS server name which will be marked as default_server.
+nginx_default_ssl_name: ''
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_type [[[
+#
+# Default server template used if no type is selected
+nginx_default_type: 'default'
+
+                                                                   # ]]]
+# .. envvar:: nginx_webroot_create [[[
+#
+# Create global webroot directories?
+# Path: :file:`/srv/www/sites/*/public`.
+nginx_webroot_create: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_webroot_owner [[[
+#
+# The name of the UNIX account which will be the default owner of the webroot
+# directories created by the role, if not specified otherwise.
+nginx_webroot_owner: 'root'
+
+                                                                   # ]]]
+# .. envvar:: nginx_webroot_group [[[
+#
+# The name of the UNIX group which will be the default group of the webroot
+# directories created by the role, if not specified otherwise.
+nginx_webroot_group: 'root'
+
+                                                                   # ]]]
+# .. envvar:: nginx_webroot_mode [[[
+#
+# The default mode of the webroot directories created by the role.
+nginx_webroot_mode: '0755'
+
+                                                                   # ]]]
+# .. envvar:: nginx_welcome_template [[[
+#
+# Name of the Jinja2 template used as a welcome page.
+nginx_welcome_template: 'srv/www/sites/welcome/public/index.html.j2'
+
+                                                                   # ]]]
+# .. envvar:: nginx_welcome_domain [[[
+#
+# The domain used on the default welcome page.
+nginx_welcome_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_acme [[[
+#
+# Enable or disable support for Automated Certificate Management Environment
+# (ACME) on all servers. This can be overridden per server using ``item.acme``
+# variable.
+nginx_acme: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_acme_root [[[
+#
+# Global directory where ACME challenges will be served from. It's not created
+# by the role automatically and left to be managed by other Ansible roles.
+nginx_acme_root: '{{ nginx_www + "/sites/acme/public" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_acme_server [[[
+#
+# Enable or disable custom ACME challenge server configuration. It will answer
+# queries on a specified domain, from ``nginx_acme_root`` directory. It can be
+# used for other things as well, for example to serve certificates to
+# other hosts.
+nginx_acme_server: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_acme_domain [[[
+#
+# Specifies the DNS domain to which ACME challenge queries will be redirected if
+# they are not found on the host. The domain must exist in the DNS and a web
+# server needs to be configured to answer the queries.
+# Set to ``False`` to disable the redirect.
+nginx_acme_domain: 'acme.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__hostname_domains [[[
+#
+# Specify the domains which will be used as a base domains for automatic short
+# name generation. It will not be used if it's defined on the server level.
+# First domain from the list that matches, wins.
+nginx__hostname_domains: [ '{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: nginx_status [[[
+#
+# List of IP addresses or CIDR ranges to allow access to the status page
+nginx_status: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_status_localhost [[[
+#
+# By default allow access to the status page from webserver itself
+nginx_status_localhost: '{{ ["127.0.0.1/32", "::1/128"] + ansible_all_ipv4_addresses | d([]) +
+                            (ansible_all_ipv6_addresses | d([])
+                             | difference(ansible_all_ipv6_addresses | d([])
+                             | ansible.utils.ipaddr("link-local"))) }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_status_name [[[
+#
+# Name of the nginx status page location
+nginx_status_name: '/nginx_status'
+
+                                                                   # ]]]
+# .. envvar:: nginx_local_servers [[[
+#
+# Hash of symlinks to local server definitions stored in /etc/nginx/sites-local/
+# Entries with empty values or False will be removed
+# Symlinks will be created in /etc/nginx/sites-enabled/
+nginx_local_servers: {}
+  #'symlink': 'file'
+  #'other-symlink.conf': 'sub/directory/file.conf'
+  #'removed-file': False
+  #'also-removed':
+  #'symlink\ with\ spaces.conf': 'other-file.conf'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_satisfy [[[
+#
+# Default "satisfy" mode used if not specified, choices: any, all
+nginx_default_satisfy: 'any'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_auth_basic_realm [[[
+#
+# Default HTTP Basic Auth "realm" presented to the user
+nginx_default_auth_basic_realm: 'Access to this website is restricted'
+
+                                                                   # ]]]
+# .. envvar:: nginx_htpasswd_secret_path [[[
+#
+# Path on the Ansible Controller used to lookup htpasswd passwords (see
+# debops.secret_ role). You can change this to for example share a set of
+# passwords between different hosts in case you use nginx in a HA setup
+nginx_htpasswd_secret_path: '{{ secret + "/credentials/" + inventory_hostname + "/nginx/htpasswd" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__htpasswd_crypt_scheme [[[
+#
+# The encryption scheme used by the ``htpasswd`` Ansible module to generate
+# password hashes. You should use schemes supported by ``passlib`` library.
+nginx__htpasswd_crypt_scheme: 'sha512_crypt'
+
+                                                                   # ]]]
+# .. envvar:: nginx__htpasswd_password_length [[[
+#
+# Default length of the automatically generated passwords.
+nginx__htpasswd_password_length: 32
+
+                                                                   # ]]]
+# .. envvar:: nginx__htpasswd_password_characters [[[
+#
+# Set of characters allowed in passwords autogenerated by the role.
+nginx__htpasswd_password_characters: 'ascii_letters,digits,.-_~&()*='
+
+                                                                   # ]]]
+# .. envvar:: nginx__htpasswd [[[
+#
+# List of htpasswd files with user accounts managed by ``debops.nginx``. Example
+# entries are included below
+nginx__htpasswd: []
+
+  # Create specified user accounts
+  #- name: 'server_domain'
+  #  users: [ 'username1', 'username2@domain' ]
+
+  # Delete specified user accounts
+  #- name: 'server_domain'
+  #  users: [ 'username1', 'username2@domain' ]
+  #  delete: True
+
+  # Delete htpasswd file
+  #- name: 'server_domain'
+  #  users: []
+  #  state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: nginx__default_htpasswd [[[
+#
+# List of the default htpasswd file configuration created by the role.
+nginx__default_htpasswd:
+  - '{{ nginx__http_auth_htpasswd }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__dependent_htpasswd [[[
+#
+# List of htpasswd file configurations defined by other roles via role
+# dependent variables.
+nginx__dependent_htpasswd: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Nginx server access policy [[[
+# ------------------------------
+
+# Using the dicts below you can define a named "access policy" consisting of a list
+# of allowed hosts/CIDR networks and/or a name of a htpasswd file in
+# '/etc/nginx/private/' with a list of user accounts to allow access. You can
+# also define if any or all restrictions need to be met to gain access to
+# a website. In website configuration dict, you can define an
+# 'item.access_policy' key with a name of a particular policy. The nginx role
+# will then use this information to generate a proper config file with given
+# restrictions in place.
+
+# .. envvar:: nginx_access_policy_allow_map [[[
+#
+# List of IP addresses or CIDR networks which can access a particular site
+nginx_access_policy_allow_map: {}
+
+  #'my_policy': [ '192.0.2.0/24', '2002:db8::/64' ]
+
+                                                                   # ]]]
+# .. envvar:: nginx_access_policy_auth_basic_map [[[
+#
+# Name of an HTTP Basic Auth htpasswd file in '/etc/nginx/private/' directory
+nginx_access_policy_auth_basic_map: {}
+
+  #'my_policy': 'htpasswd_file'
+
+                                                                   # ]]]
+# .. envvar:: nginx_access_policy_satisfy_map [[[
+#
+# Should all or any restrictions be met to gain access?
+nginx_access_policy_satisfy_map: {}
+
+  #'my_policy': 'any' or 'all'
+
+                                                                   # ]]]
+# .. envvar:: nginx__maps [[[
+#
+# List of nginx map definitions
+# Each map should be defined in it's own hash variable, similar to upstreams
+# and servers
+# https://nginx.org/en/docs/http/ngx_http_map_module.html
+nginx__maps: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__default_maps [[[
+#
+# List of default nginx map definitions
+nginx__default_maps:
+
+  # Extract the subdomain from the '*.local' domain managed by Avahi and expose
+  # it as a variable which can be used to redirect the HTTP clients to websites
+  - name: 'host_without_local'
+    map: '$host $host_without_local'
+    mapping: '~*^(?<subdomain>[a-zA-Z0-9\-\_\.]+)\.local$ $subdomain;'
+
+  # Support WebSocket connection upgrade as a proxy
+  # Documentation: https://nginx.org/en/docs/http/websocket.html
+  - name: 'connection_upgrade'
+    map: '$http_upgrade $connection_upgrade'
+    mapping: |
+      ''      Close;
+    default: 'Upgrade'
+
+                                                                   # ]]]
+# .. envvar:: nginx__dependent_maps [[[
+#
+# List of nginx maps defined in Ansible roles
+nginx__dependent_maps: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__upstreams [[[
+#
+# List of nginx upstream definitions
+nginx__upstreams: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__default_upstreams [[[
+#
+# List of default nginx upstream definitions
+nginx__default_upstreams:
+  - '{{ nginx_upstream_php5_www_data }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__dependent_upstreams [[[
+#
+# List of nginx upstreams defined in Ansible roles
+nginx__dependent_upstreams: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_upstream_php5_www_data [[[
+#
+# Upstream for default php5-fpm configuration
+# Legacy.
+nginx_upstream_php5_www_data:
+  state: 'absent'
+  name: 'php5_www-data'
+  type: 'php5'
+  php5: 'www-data'
+                                                                   # ]]]
+                                                                   # ]]]
+# Nginx servers [[[
+# -----------------
+
+# .. envvar:: nginx__servers [[[
+#
+# List of nginx server definitions
+#
+# Refer to the :ref:`documentation of all options <nginx__ref_servers>` for
+# more details.
+nginx__servers: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__default_servers [[[
+#
+# List of default nginx servers defined by the role.
+nginx__default_servers:
+  - '{{ nginx_server_welcome }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__internal_servers [[[
+#
+# List of internal nginx servers.
+nginx__internal_servers:
+  - '{{ nginx_server_localhost }}'
+  - '{{ nginx_server_acme }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__dependent_servers [[[
+#
+# List of nginx servers defined in Ansible roles.
+nginx__dependent_servers: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_server_welcome [[[
+#
+# Default nginx site
+# List and description of available parameters can be found in nginx server
+# templates :file:`templates/etc/nginx/sites-available/*.conf.j2`.
+nginx_server_welcome:
+  enabled: True
+  name: [ 'welcome' ]
+  welcome: True
+  welcome_domain: '{{ nginx_welcome_domain }}'
+  csp: "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self';"
+  csp_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: nginx_server_localhost [[[
+#
+# Default nginx ``localhost`` server. It can be used to access :program:`nginx` status
+# page by other services.
+nginx_server_localhost:
+  enabled: True
+  name: [ 'localhost', '127.0.0.1', '[::1]' ]
+  acme: False
+  ssl: False
+  welcome: True
+  welcome_css: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_server_acme [[[
+#
+# Custom server for ACME challenge queries
+nginx_server_acme:
+  enabled: '{{ nginx_acme_server | bool }}'
+  delete: '{{ not nginx_acme_server | bool }}'
+  name: [ '{{ nginx_acme_domain }}' ]
+  filename: 'acme-challenge'
+  root: '{{ nginx_acme_root }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_default_try_files [[[
+#
+# Checks for the existence of files in order, and returns the
+# first file that is found for location /.
+# https://wiki.nginx.org/NginxHttpCoreModule#try_files
+nginx_default_try_files:
+  - '$uri'
+  - '$uri/'
+  - '$uri.html'
+  - '$uri.htm'
+  - '$uri/index.html'
+
+                                                                   # ]]]
+# .. envvar:: nginx__log_format [[[
+#
+# log_format nginx configuration in /etc/nginx/conf.d/
+nginx__log_format: []
+
+  #- name: 'main'
+  #  log_format: '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
+
+                                                                   # ]]]
+# .. envvar:: nginx__dependent_log_format [[[
+#
+# log_format nginx configuration in /etc/nginx/conf.d/
+nginx__dependent_log_format: []
+
+                                                                   # ]]]
+# .. envvar:: nginx__custom_config [[[
+#
+# Custom nginx configuration in /etc/nginx/conf.d/
+nginx__custom_config: []
+
+  #- name: 'other_config'
+  #  custom: |
+  #    text block {
+  #    }
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_xss_protection [[[
+#
+# Default value for :ref:`xss_protection
+# <nginx__ref_http_xss_protection>`.
+nginx__http_xss_protection: '1; mode=block'
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_referrer_policy [[[
+#
+# Default value for :ref:`http_referrer_policy
+# <nginx__ref_http_referrer_policy>`.
+nginx__http_referrer_policy: 'same-origin'
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_permitted_cross_domain_policies [[[
+#
+# Default value for :ref:`permitted_cross_domain_policies
+# <nginx__ref_permitted_cross_domain_policies>`.
+nginx__http_permitted_cross_domain_policies: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__http_robots_tag [[[
+#
+# Default value for :ref:`robots_tag
+# <nginx__ref_http_robots_tag>`.
+nginx__http_robots_tag: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_apt_preferences_dependent_list [[[
+#
+# Configuration of custom APT preferences.
+nginx_apt_preferences_dependent_list: '{{ nginx__apt_preferences__dependent_list }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+nginx__apt_preferences__dependent_list:
+
+  - package: 'nginx nginx-*'
+    pin: 'release o=Phusion'
+    reason: 'Support for Phusion Passenger'
+    priority: '600'
+    suffix: '_passenger'
+    by_role: 'debops.nginx'
+    state: '{{ ((nginx__deploy_state in ["present"]) and (nginx_flavor in ["passenger"])) | ternary("present", "absent") }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx_php5_status [[[
+#
+# Name of the php5 fpm status page location
+nginx_php5_status: False
+
+                                                                   # ]]]
+# .. envvar:: nginx_php5_status_name [[[
+#
+# Name of the PHP5 status page used in the URL.
+nginx_php5_status_name: 'php5_status'
+
+                                                                   # ]]]
+# .. envvar:: nginx_php5_ping_name [[[
+#
+# Name of the PHP5 ping page used in the URL.
+nginx_php5_ping_name: 'php5_ping'
+
+                                                                   # ]]]
+# .. envvar:: nginx_privileged_group [[[
+#
+# What system group has privileged access to :program:`nginx` service.
+nginx_privileged_group: 'webadmins'
+
+                                                                   # ]]]
+# .. envvar:: nginx_ssl_ciphers [[[
+#
+# Hash of SSL ciphers available to use in nginx server definitions
+# You can select a set of ciphers using 'ssl_ciphers' variable
+# Default set of ciphers is set in nginx_default_ssl_ciphers variable
+nginx_ssl_ciphers:
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/theory/cipher_suites/recommended.tex
+  # This will come at a certain cost of excluding many clients!
+  # If you want even higher security then the default values of this role then
+  # consider to use a preset for this role maintained by ypid:
+  # https://github.com/ypid/ypid-ansible-inventory
+  bettercrypto_org__set_a: 'EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3'
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
+  bettercrypto_org__set_b: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
+
+  # https://bettercrypto.org/
+  # https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/configuration/Webservers/nginx/default-ec
+  # But only cipher suites which support PFS. Only drops support for Android 2.3.7 which is negligible.
+  bettercrypto_org__set_b_pfs: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH'
+
+  # https://cipherli.st/
+  cipherli_st: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
+
+  # Perfect Forward Secrecy (https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy)
+  # String taken on 2014-04-11
+  pfs: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
+
+  # Perfect Forward Secrecy + RC4
+  # String taken on 2014-04-11
+  pfs_rc4: 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS'
+
+  # Hardened SSL cipher list (https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
+  # String taken on 2014-04-11
+  hardened: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+
+  # TLS recommendations from Mozilla Foundation (https://wiki.mozilla.org/Security/Server_Side_TLS)
+  # String taken on 2014-04-11
+  mozilla: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK'
+
+  # Modern TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # Actually they do not specify a ciphersuite, because "modern" means TLSv1.3 only,
+  # which has its own ciphers, while TLSv1.2 and lower ciphers are not used.
+  # Therefore, we just repeat mozilla_intermediate here, to avoid a security hole
+  # that would be created with nginx default ciphersuite and accidental
+  # activation of TLSv1.2 or lower.
+  # String taken on 2020-07-27
+  mozilla_modern: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+
+  # Intermediate TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # String taken on 2020-07-27
+  mozilla_intermediate: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
+
+  # Old TLS recommendation from Mozilla (https://ssl-config.mozilla.org/)
+  # String taken on 2020-07-27
+  mozilla_old: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA'
+
+  # FIPS 140-2 compliant (https://en.wikipedia.org/wiki/FIPS_140-2)
+  # https://community.qualys.com/thread/12182
+  fips: 'FIPS@STRENGTH:!aNULL:!eNULL'
+
+  # 'good' cipher suite from NCSC-NL TLS Guidelines v2.0
+  # https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
+  ncsc_nl: 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256'
+
+  # This cipher set disables the 'ssl_ciphers' option in 'nginx' and the
+  # default set of SSL ciphers for a given platform will be used.
+  # This is recommended when TLSv1.3 is the only protocol in use.
+  default: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall Configuration [[[
+# --------------------------
+
+# .. envvar:: nginx_allow [[[
+#
+# List of IP addresses or CIDR networks allowed to connect to HTTP or HTTPS
+# service. It will be configured in iptables firewall via the
+# :ref:`debops.ferm` role. If there are no entries, nginx will accept
+# connections from any IP address or network.
+# If you have multiple web services on a host, you might want to control access
+# using 'item.location_allow' option instead.
+nginx_allow: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_group_allow [[[
+#
+# List of the CIDR subnets or IP addresses which are allowed to connect to the
+# HTTP or HTTPS service, configured on hosts in a specific Ansible inventory
+# group.
+nginx_group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_host_allow [[[
+#
+# List of the CIDR subnets or IP addresses which are allowed to connect to the
+# HTTP or HTTPS service, configured on specific hosts in the Ansible inventory.
+nginx_host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: nginx_ferm_dependent_rules [[[
+#
+# Configuration of the :command:`iptables` firewall using :program:`ferm`.
+nginx_ferm_dependent_rules: '{{ nginx__ferm__dependent_rules }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+nginx__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'http', 'https' ]
+    saddr: '{{ nginx_allow + nginx_group_allow + nginx_host_allow }}'
+    accept_any: True
+    weight: '40'
+    by_role: 'nginx'
+    name: 'http_https'
+    multiport: True
+    delete: '{{ nginx__deploy_state != "present" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: nginx__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.nginx` Ansible role.
+nginx__keyring__dependent_apt_keys:
+
+  - id: '{{ nginx__flavor_apt_key_id }}'
+    repo: '{{ nginx__flavor_apt_repository }}'
+    state: '{{ "present"
+               if (nginx_flavor in ["nginx.org", "passenger"] and
+                   nginx__deploy_state == "present")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nginx__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+nginx__python__dependent_packages3:
+
+  - 'python3-passlib'
+
+                                                                   # ]]]
+# .. envvar:: nginx__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+nginx__python__dependent_packages2:
+
+  - 'python-passlib'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nginx/meta/main.yml b/ansible_collections/debops/debops/roles/nginx/meta/main.yml
new file mode 100644
index 00000000..6a5b8112
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Install and manage nginx webserver'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - nginx
+    - web
+    - webserver
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/main.yml b/ansible_collections/debops/debops/roles/nginx/tasks/main.yml
new file mode 100644
index 00000000..ba7ae95c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/main.yml
@@ -0,0 +1,310 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "nginx/pre_main.yml") }}'
+  when: (nginx__deploy_state in ['present'])
+
+- name: Assert that no legacy options are used
+  ansible.builtin.assert:
+    that:
+      - '((item.csp is defined and item.csp is string) or item.csp is undefined)'
+      - '(item.csp_policy is undefined)'
+  run_once: True
+  delegate_to: 'localhost'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+
+- name: Check if nginx is installed
+  ansible.builtin.stat:
+    path: '/usr/sbin/nginx'
+  register: nginx_register_installed
+
+- name: Ensure base packages are installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", nginx_base_packages) }}'
+    state: 'present'
+  when: (nginx__deploy_state in ['present'])
+  register: nginx__register_packages_present
+  until: nginx__register_packages_present is succeeded
+
+- name: Ensure Nginx packages are in their desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", nginx__flavor_packages) }}'
+    state: '{{ "present" if (nginx__deploy_state == "present") else "absent" }}'
+  register: nginx__register_packages_flavor
+  until: nginx__register_packages_flavor is succeeded
+
+- name: Create systemd override directory for nginx unit
+  ansible.builtin.file:
+    path: '/etc/systemd/system/nginx.service.d'
+    state: 'directory'
+    mode: '0755'
+  when: nginx__deploy_state in ['present', 'config'] and
+        ansible_service_mgr == 'systemd' and
+        ansible_distribution_release in ["stretch", "buster", "bullseye",
+          "trusty", "xenial", "bionic", "focal", "jammy", "lunar"]
+
+- name: Create systemd override configuration for nginx unit
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/systemd/system/nginx.service.d/wait-for-network.conf.j2") }}'
+    dest: '/etc/systemd/system/nginx.service.d/wait-for-network.conf'
+    mode: '0644'
+  notify: [ 'Reload systemd daemon' ]
+  when: nginx__deploy_state in ['present', 'config'] and
+        ansible_service_mgr == 'systemd' and
+        ansible_distribution_release in ["stretch", "buster", "bullseye",
+          "trusty", "xenial", "bionic", "focal", "jammy", "lunar"]
+
+- name: Remove systemd override configuration for nginx unit
+  ansible.builtin.file:
+    path: '/etc/systemd/system/nginx.service.d/wait-for-network.conf'
+    state: 'absent'
+  notify: [ 'Reload systemd daemon' ]
+  when: ansible_distribution_release not in ["stretch", "buster", "bullseye",
+          "trusty", "xenial", "bionic", "focal", "jammy", "lunar"]
+
+- name: Remove systemd override directory for nginx unit, if empty
+  ansible.builtin.command: 'rmdir /etc/systemd/system/nginx.service.d/'
+  register: nginx__register_rmdir_systemd
+  changed_when: nginx__register_rmdir_systemd.rc == 0
+  failed_when: False
+  when: ansible_distribution_release not in ["stretch", "buster", "bullseye",
+          "trusty", "xenial", "bionic", "focal", "jammy", "lunar"]
+
+- name: Make sure that Ansible local facts directory is present
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Save nginx local facts
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/ansible/facts.d/nginx.fact.j2") }}'
+    dest: '/etc/ansible/facts.d/nginx.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create default nginx directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items:
+    - '/etc/nginx/sites-default.d'
+    - '/etc/nginx/sites-available'
+    - '/etc/nginx/sites-enabled'
+    - '/etc/nginx/snippets'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Divert default.conf in case nginx nginx.org flavor is used
+  debops.debops.dpkg_divert:
+    path: '/etc/nginx/conf.d/default.conf'
+  when: (nginx_flavor == 'nginx.org' and nginx__deploy_state in ['present', 'config'])
+
+- name: Configure Passenger support
+  ansible.builtin.include_tasks: 'passenger_config.yml'
+  when: (nginx_flavor == 'passenger' and nginx__deploy_state in ['present', 'config'])
+
+- name: Restart nginx on first install to bypass missing pid bug
+  ansible.builtin.service:
+    name: 'nginx'
+    state: 'restarted'
+  when: (nginx_register_installed | d() and not nginx_register_installed.stat.exists and
+         nginx__deploy_state in ['present', 'config'])
+
+- name: Get list of nameservers configured in /etc/resolv.conf
+  ansible.builtin.shell: awk '$1=="nameserver" {if(/%/){sub(/[0-9a-fA-F:]+/, "[&]", $2)}; print $2}' /etc/resolv.conf
+  args:
+    executable: 'sh'
+  register: nginx_register_nameservers
+  changed_when: False
+  check_mode: False
+  when: (nginx__deploy_state in ['present', 'config'])
+  tags: [ 'role::nginx:servers' ]
+
+- name: Convert list of nameservers to Ansible list
+  ansible.builtin.set_fact:
+    nginx_ocsp_resolvers: "{{ nginx_register_nameservers.stdout_lines }}"
+  when: ((nginx_register_nameservers.stdout is defined and nginx_register_nameservers.stdout) and
+         (nginx_ocsp_resolvers is undefined or
+         (nginx_ocsp_resolvers is defined and not nginx_ocsp_resolvers)) and
+         (nginx__deploy_state in ['present', 'config']))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Ensure that webadmins privileged group exists
+  ansible.builtin.group:
+    name: '{{ nginx_privileged_group }}'
+    state: 'present'
+    system: True
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Create directory for webadmins configuration
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-local'
+    state: 'directory'
+    owner: 'root'
+    group: '{{ nginx_privileged_group }}'
+    mode: '0775'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Allow webadmins to control nginx system service using sudo
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/sudoers.d/nginx_webadmins.j2") }}'
+    dest: '/etc/sudoers.d/nginx_webadmins'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: (ansible_local | d() and ansible_local.sudo | d() and
+         (ansible_local.sudo.installed | d()) | bool and
+         nginx__deploy_state in ['present', 'config'])
+
+- name: Divert original /etc/nginx/nginx.conf
+  debops.debops.dpkg_divert:
+    path: '/etc/nginx/nginx.conf'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Setup /etc/nginx/nginx.conf
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/nginx.conf.j2") }}'
+    dest: '/etc/nginx/nginx.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Test nginx and reload' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Generate custom nginx snippets
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/snippets/" + item + ".conf.j2") }}'
+    dest: '/etc/nginx/snippets/{{ item }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'acme-challenge', 'ssl' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+  notify: [ 'Test nginx and reload' ]
+
+- name: Disable default nginx site
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-enabled/default'
+    state: 'absent'
+  notify: [ 'Test nginx and reload' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Manage local server definitions - create symlinks
+  ansible.builtin.file:
+    src: '/etc/nginx/sites-local/{{ item.value }}'
+    path: '/etc/nginx/sites-enabled/{{ item.key }}'
+    state: 'link'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (item.value and nginx__deploy_state in ['present', 'config'])
+  with_dict: '{{ nginx_local_servers | d({}) }}'
+  notify: [ 'Test nginx and reload' ]
+
+- name: Manage local server definitions - remove symlinks
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-enabled/{{ item.key }}'
+    state: 'absent'
+  when: ((not item.value | d()) and nginx__deploy_state in ['present', 'config'])
+  with_dict: '{{ nginx_local_servers | d({}) }}'
+  notify: [ 'Test nginx and reload' ]
+
+  # If nginx local facts are not present, assume that configuration
+  # is being reset and move all symlinks out of the way to prevent
+  # accidental failures because of old wrong configuration files
+- name: Remove all configuration symlinks during config reset
+  ansible.builtin.shell: rm -f /etc/nginx/sites-enabled/*  # noqa no-free-form
+  args:
+    executable: 'sh'
+    creates: '/etc/ansible/facts.d/nginx.fact'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Configure htpasswd files
+  ansible.builtin.include_tasks: 'nginx_htpasswd.yml'
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Generate nginx conf.d/ files
+  ansible.builtin.include_tasks: 'nginx_configs.yml'
+  tags: [ 'role::nginx:servers' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Generate nginx server configuration
+  ansible.builtin.include_tasks: 'nginx_servers.yml'
+  tags: [ 'role::nginx:servers' ]
+  when: (nginx__deploy_state in ['present', 'config'])
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ nginx_pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (nginx_pki | bool and nginx__deploy_state in ['present', 'config'])
+
+- name: Manage PKI nginx hook
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/pki/hooks/nginx.j2") }}'
+    dest: '{{ nginx_pki_hook_path + "/" + nginx_pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (nginx_pki | bool and nginx__deploy_state in ['present', 'config'])
+
+- name: Ensure the PKI nginx hook is absent
+  ansible.builtin.file:
+    path: '{{ nginx_pki_hook_path + "/" + nginx_pki_hook_name }}'
+    state: 'absent'
+  when: (nginx__deploy_state in ['absent'])
+
+- name: Save nginx local facts
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/ansible/facts.d/nginx.fact.j2") }}'
+    dest: '/etc/ansible/facts.d/nginx.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "nginx/post_main.yml") }}'
+  when: (nginx__deploy_state in [ 'present' ])
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/nginx/post_main.yml b/ansible_collections/debops/debops/roles/nginx/tasks/nginx/post_main.yml
new file mode 100644
index 00000000..95ca5750
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/nginx/post_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/nginx/pre_main.yml b/ansible_collections/debops/debops/roles/nginx/tasks/nginx/pre_main.yml
new file mode 100644
index 00000000..95ca5750
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/nginx/pre_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/nginx_configs.yml b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_configs.yml
new file mode 100644
index 00000000..520dc3ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_configs.yml
@@ -0,0 +1,134 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Make sure configuration directory exists
+  ansible.builtin.file:
+    path: '/etc/nginx/conf.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags: [ 'role::nginx:servers' ]
+
+- name: Remove nginx maps if requested
+  ansible.builtin.file:
+    dest: '/etc/nginx/conf.d/map_{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__maps
+                           + nginx__default_maps
+                           + nginx__dependent_maps
+                           + nginx_maps | d([])
+                           + nginx_default_maps | d([])
+                           + nginx_dependent_maps | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and
+         ((item.state | d() and item.state == 'absent') or
+          (item.delete | d() and item.delete | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Configure nginx maps
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/conf.d/map.conf.j2") }}'
+    dest: '/etc/nginx/conf.d/map_{{ item.name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__maps
+                           + nginx__default_maps
+                           + nginx__dependent_maps
+                           + nginx_maps | d([])
+                           + nginx_default_maps | d([])
+                           + nginx_dependent_maps | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Remove nginx upstreams if requested
+  ansible.builtin.file:
+    dest: '/etc/nginx/conf.d/upstream_{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__upstreams
+                           + nginx__default_upstreams
+                           + nginx__dependent_upstreams
+                           + nginx_upstreams | d([])
+                           + nginx_default_upstreams | d([])
+                           + nginx_dependent_upstreams | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and
+         ((item.state | d('present') == 'absent') or
+          (item.delete | d() and item.delete | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Configure nginx upstreams
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/conf.d/upstream_" + (item.type | d("default")) + ".conf.j2") }}'
+    dest: '/etc/nginx/conf.d/upstream_{{ item.name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__upstreams
+                           + nginx__default_upstreams
+                           + nginx__dependent_upstreams
+                           + nginx_upstreams | d([])
+                           + nginx_default_upstreams | d([])
+                           + nginx_dependent_upstreams | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Remove nginx log_format if requested
+  ansible.builtin.file:
+    dest: '/etc/nginx/conf.d/log_{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__log_format
+                           + nginx__dependent_log_format) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and
+         ((item.state | d('present') == 'absent') or
+          (item.delete | d() and item.delete | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Configure nginx log_format
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/conf.d/log_format.conf.j2") }}'
+    dest: '/etc/nginx/conf.d/log_{{ item.name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__log_format
+                           + nginx__dependent_log_format) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Remove custom nginx configuration if requested
+  ansible.builtin.file:
+    dest: '/etc/nginx/conf.d/{{ item.filename | d("custom_" + item.name + ".conf") }}'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__custom_config
+                           + nginx_custom_config | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and
+         ((item.state | d() and item.state == 'absent') or
+          (item.delete | d() and item.delete | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Add custom nginx configuration
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/conf.d/custom.conf.j2") }}'
+    dest: '/etc/nginx/conf.d/{{ item.filename | d("custom_" + item.name + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__custom_config
+                           + nginx_custom_config | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.name | d() and item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool))
+  tags: [ 'role::nginx:servers' ]
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/nginx_htpasswd.yml b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_htpasswd.yml
new file mode 100644
index 00000000..06e148e8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_htpasswd.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create directory for htpasswd files
+  ansible.builtin.file:
+    path: '{{ nginx_private_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: '{{ nginx_user }}'
+    mode: '0750'
+
+- name: Remove htpasswd files if requested
+  ansible.builtin.file:
+    dest: '{{ nginx_private_path + "/" + item.name }}'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__htpasswd
+                           + nginx__default_htpasswd
+                           + nginx__dependent_htpasswd
+                           + nginx_htpasswd | d([])) }}'
+  when: (item.name | d() and (item.state | d() and item.state == 'absent'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage users in htpasswd files
+  community.general.htpasswd:
+    path: '{{ nginx_private_path + "/" + item.0.name }}'
+    name: '{{ item.1 }}'
+    crypt_scheme: '{{ nginx__htpasswd_crypt_scheme }}'
+    password: '{{ item.0.password
+                  if item.0.password | d()
+                  else lookup("password", nginx_htpasswd_secret_path + "/" + item.0.name + "/" + item.1
+                  + " length=" + nginx__htpasswd_password_length | string
+                  + " chars=" + nginx__htpasswd_password_characters) }}'
+    state: '{{ "present" if not (item.0.delete | d(False) | bool) else "absent" }}'
+    owner: 'root'
+    group: '{{ nginx_user }}'
+    mode: '0640'
+  with_subelements:
+    - '{{ nginx__htpasswd + nginx__default_htpasswd + nginx__dependent_htpasswd + nginx_htpasswd | d([]) }}'
+    - 'users'
+  when: (item.0.name | d() and item.0.state | d('present') != 'absent' and item.1 | d())
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/nginx_servers.yml b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_servers.yml
new file mode 100644
index 00000000..cb6a6693
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/nginx_servers.yml
@@ -0,0 +1,241 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create global webroot directories if allowed
+  ansible.builtin.file:
+    path: '{{ item.root | d("{}/sites/{}/{}".format(nginx_www + ("/" + item.owner if item.owner | d() else ""),
+                                                    (item.name if item.name is string else item.name[0]) | d("default"),
+                                                    item.public_dir_name | d(nginx_public_dir_name))) }}'
+    state: 'directory'
+    owner: '{{ item.owner | d(nginx_webroot_owner) }}'
+    group: '{{ item.group | d(item.owner | d(nginx_webroot_group)) }}'
+    mode: '{{ item.mode | d(nginx_webroot_mode) }}'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  when: ((item.webroot_create | d(nginx_webroot_create) | bool) and
+         item.state | d('present') != 'absent')
+  tags: [ 'role::nginx:servers' ]
+
+- name: Create default welcome page if enabled
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", (item.welcome_template | d(nginx_welcome_template))) }}'
+    dest: '{{ item.root + "/index.html"
+              if item.root | d()
+              else ("{}/sites/{}/{}/index.html".format(nginx_www + ("/" + item.owner if item.owner | d() else ""),
+                                                       (item.name if item.name is string else item.name[0]) | d("default"),
+                                                       item.public_dir_name | d(nginx_public_dir_name))) }}'
+    owner: '{{ item.owner | d(nginx_webroot_owner) }}'
+    group: '{{ item.group | d(item.owner | d(nginx_webroot_group)) }}'
+    mode:  '0644'
+    force: '{{ item.welcome_force | d() | bool }}'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  when: ((item.webroot_create | d(nginx_webroot_create) | bool) and
+         item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool) and
+         (item.welcome | d() | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Copy 'normalize.css' CSS file for welcome page
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "srv/www/sites/welcome/public/normalize.css") }}'
+    dest: '{{ item.root + "/normalize.css"
+              if item.root | d()
+              else ("{}/sites/{}/{}/normalize.css".format(nginx_www + ("/" + item.owner if item.owner | d() else ""),
+                                                          (item.name if item.name is string else item.name[0]) | d("default"),
+                                                          item.public_dir_name | d(nginx_public_dir_name))) }}'
+    owner: '{{ item.owner | d(nginx_webroot_owner) }}'
+    group: '{{ item.group | d(item.owner | d(nginx_webroot_group)) }}'
+    mode:  '0644'
+    force: '{{ item.welcome_force | d() | bool }}'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  when: ((item.webroot_create | d(nginx_webroot_create) | bool) and
+         item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool) and
+         (item.welcome | d() | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Remove nginx server configuration if requested
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-available/{{ item.filename | d(item.name
+                                                           if item.name is string
+                                                           else item.name[0] | d("default")) }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  when: (item.name is defined and
+         ((item.state | d("present") == 'absent') or (item.delete | d() | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get last used HTTP default_server for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_saved: '{{ ansible_local.nginx.default_server }}'
+  when: (ansible_local is defined and ansible_local.nginx is defined and
+         ansible_local.nginx.default_server is defined)
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get last used HTTPS default_server for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_ssl_saved: '{{ ansible_local.nginx.default_server_ssl }}'
+  when: (ansible_local is defined and ansible_local.nginx is defined and
+         ansible_local.nginx.default_server_ssl is defined)
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get HTTP server from nginx defaults for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_name: '{{ nginx_default_name }}'
+  when: nginx_default_name is defined and nginx_default_name
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get HTTPS server from nginx defaults for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_ssl_name: '{{ nginx_default_ssl_name }}'
+  when: nginx_default_ssl_name is defined and nginx_default_ssl_name
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get first server that listens on http port for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_http: '{{ item.name if item.name is string else item.name[0] | d("default") }}'
+  loop: '{{ q("flattened", (nginx__servers + nginx__default_servers + nginx__internal_servers + nginx__dependent_servers
+                            + nginx_servers | d([]) + nginx_default_servers | d([])
+                            + nginx_internal_servers | d([]) + nginx_dependent_servers | d([]))[::-1]) }}'
+  when: (item.state | d('present') != 'absent' and
+         (item.enabled | d(True) | bool) and
+         (item.listen | d(True)) and
+         ((item.ssl is undefined or not item.ssl | bool) or not nginx_pki | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Get first server that listens on https port for default_server roulette
+  ansible.builtin.set_fact:
+    nginx_register_default_server_https: '{{ item.name if item.name is string else item.name[0] | d("default") }}'
+  loop: '{{ q("flattened", (nginx__servers + nginx__default_servers + nginx__internal_servers + nginx__dependent_servers
+                            + nginx_servers | d([]) + nginx_default_servers | d([])
+                            + nginx_internal_servers | d([]) + nginx_dependent_servers | d([]))[::-1]) }}'
+  when: (item.state | d('present') != 'absent' and (item.enabled is undefined or item.enabled | bool) and
+         (item.listen_ssl is undefined or item.listen_ssl | d()) and
+         ((item.ssl | d() and item.ssl | bool) or
+          (item.ssl is undefined and nginx_pki | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Spin the HTTP default_server roulette!
+  ansible.builtin.set_fact:
+    nginx_register_default_server: '{{ nginx_register_default_server_saved |
+                                         default(nginx_register_default_server_name |
+                                           default(nginx_register_default_server_http |
+                                             default(""))) }}'
+  tags: [ 'role::nginx:servers' ]
+
+- name: Spin the HTTPS default_server roulette!
+  ansible.builtin.set_fact:
+    nginx_register_default_server_ssl: '{{ nginx_register_default_server_ssl_saved |
+                                             default(nginx_register_default_server_ssl_name |
+                                               default(nginx_register_default_server_https |
+                                                 default(""))) }}'
+  tags: [ 'role::nginx:servers' ]
+
+- name: Generate nginx server configuration
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/nginx/sites-available/" + (item.type | d(nginx_default_type)) + ".conf.j2") }}'
+    dest: '/etc/nginx/sites-available/{{ item.filename | d(item.name
+                                                           if item.name is string
+                                                           else item.name[0] | d("default")) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  notify: [ 'Test nginx and reload' ]
+  when: (item.state | d('present') != 'absent' and
+         (item.delete is undefined or not item.delete | bool))
+  tags: [ 'role::nginx:servers' ]
+
+- name: Disable nginx server configuration
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-enabled/{{ item.filename
+                                       | d(item.name if item.name is string else item.name[0] | d("default")) }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  notify: [ 'Test nginx and restart' ]
+  when: (item.name is defined and
+         ((item.state | d("present") == 'absent') or
+          (item.enabled | d() and not item.enabled | bool) or
+          (item.delete | d() | bool)))
+  tags: [ 'role::nginx:servers' ]
+
+  ## https://stackoverflow.com/a/28888474
+- name: Test if Ansible is running in check mode
+  ansible.builtin.command: /bin/true
+  changed_when: False
+  register: nginx__register_check_mode
+  tags: [ 'role::nginx:servers' ]
+
+- name: Save fact if Ansible is running in check mode in variable
+  ansible.builtin.set_fact:
+    nginx__fact_check_mode: '{{ nginx__register_check_mode is skipped }}'
+  tags: [ 'role::nginx:servers' ]
+
+- name: Enable nginx server configuration
+  ansible.builtin.file:
+    path: '/etc/nginx/sites-enabled/{{ item.filename
+                                       | d(item.name if item.name is string else item.name[0] | d("default")) }}.conf'
+    src: '/etc/nginx/sites-available/{{ item.filename
+                                        | d(item.name if item.name is string else item.name[0] | d("default")) }}.conf'
+    state: 'link'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", nginx__servers
+                           + nginx__default_servers
+                           + nginx__internal_servers
+                           + nginx__dependent_servers
+                           + nginx_servers | d([])
+                           + nginx_default_servers | d([])
+                           + nginx_internal_servers | d([])
+                           + nginx_dependent_servers | d([])) }}'
+  notify: [ 'Test nginx and restart' ]
+  when: (item.state | d('present') != 'absent' and
+         (item.enabled | d(True) | bool) and
+         (item.delete is undefined or not item.delete | bool) and
+         not nginx__fact_check_mode | bool)
+  tags: [ 'role::nginx:servers' ]
diff --git a/ansible_collections/debops/debops/roles/nginx/tasks/passenger_config.yml b/ansible_collections/debops/debops/roles/nginx/tasks/passenger_config.yml
new file mode 100644
index 00000000..cb9742be
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/tasks/passenger_config.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Detect passenger root
+  ansible.builtin.command: passenger-config about root
+  register: nginx_register_passenger_root
+  changed_when: False
+
+- name: Set passenger_root value
+  ansible.builtin.set_fact:
+    nginx_passenger_root: '{{ nginx_register_passenger_root.stdout }}'
+  when: nginx_passenger_root is undefined or not nginx_passenger_root
+
+- name: Detect passenger ruby
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          passenger-config about ruby-command | grep Command | tail -1 | awk -F: '{print $2}'"
+  args:
+    executable: 'bash'
+  register: nginx_register_passenger_ruby
+  changed_when: False
+
+- name: Set passenger_ruby value
+  ansible.builtin.set_fact:
+    nginx_passenger_ruby: '{{ nginx_register_passenger_ruby.stdout | trim }}'
+  when: nginx_passenger_ruby is undefined or not nginx_passenger_ruby
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/ansible/facts.d/nginx.fact.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/ansible/facts.d/nginx.fact.j2
new file mode 100644
index 00000000..e84c3cdf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/ansible/facts.d/nginx.fact.j2
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Check nginx version
+nginx_version="$(/usr/sbin/nginx -v 2>&1 | sed -e 's#^.*/##')"
+
+cat << EOF
+{% set nginx_tpl_default_server = '' %}
+{% if (ansible_local is defined and ansible_local.nginx is defined and
+       ansible_local.nginx.default_server is defined) %}
+{%   set nginx_tpl_default_server = ansible_local.nginx.default_server %}
+{% elif nginx_register_default_server | d() %}
+{%   set nginx_tpl_default_server = nginx_register_default_server %}
+{% endif %}
+{% set nginx_tpl_default_server_ssl = '' %}
+{% if (ansible_local is defined and ansible_local.nginx is defined and
+       ansible_local.nginx.default_server_ssl is defined) %}
+{%   set nginx_tpl_default_server_ssl = ansible_local.nginx.default_server_ssl %}
+{% elif nginx_register_default_server_ssl | d() %}
+{%   set nginx_tpl_default_server_ssl = nginx_register_default_server_ssl %}
+{% endif %}
+{
+"acme": "{{ nginx_acme | bool | lower }}",
+"acme_domain": "{{ nginx_acme_domain }}",
+"acme_root": "{{ nginx_acme_root }}",
+"acme_server": "{{ nginx_acme_server | bool | lower }}",
+{% if nginx_tpl_default_server %}
+"default_server": "{{ nginx_tpl_default_server }}",
+{% endif %}
+{% if nginx_tpl_default_server_ssl %}
+"default_server_ssl": "{{ nginx_tpl_default_server_ssl }}",
+{% endif %}
+"enabled": {{ (nginx__deploy_state in [ 'present' ]) | lower }},
+"manage_ipv6only": "{{ nginx_manage_ipv6only | bool | lower }}",
+"user": "{{ nginx_user }}",
+"www": "{{ nginx_www }}",
+"flavor": "{{ nginx_flavor }}",
+"version": "$nginx_version",
+"status_localhost": {{ nginx_status_localhost | to_nice_json }},
+"status": {{ nginx_status | to_nice_json }}
+}
+EOF
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/custom.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/custom.conf.j2
new file mode 100644
index 00000000..7f04c327
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/custom.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.name is defined and item.name %}
+# Custom configuration: {{ item.name }}
+{{ item.custom }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/log_format.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/log_format.conf.j2
new file mode 100644
index 00000000..381973b9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/log_format.conf.j2
@@ -0,0 +1,34 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{#
+#    ==== log_format template for debops.nginx role ====
+#
+# List of parameters supported by this template:
+#
+#   - item.name: ''
+#       Name of the log_format. Required.
+#
+#   - item.escape: 'default|json'
+#       The escape parameter (1.11.8) allows setting json or default characters
+#       escaping in variables, by default, default escaping is used.
+#
+#   - item.log_format: ''
+#       The log format can contain common variables, and variables that exist
+#       only at the time of a log write. Required.
+#
+#}
+# {{ ansible_managed }}
+
+{% if item.name is defined and item.name                                       %}
+{%      if item.log_format is defined and item.log_format                      %}
+{%          set nginx_tpl_access_log_format_escaping = ''                      %}
+{%          if item.escaping is defined                                        %}
+{%              set nginx_tpl_access_log_format_escaping = ' ' + item.escaping %}
+{%          endif                                                              %}
+# log_format configuration: {{ item.name }}
+log_format {{ item.name }} {{ nginx_tpl_access_log_format_escaping }} '{{ item.log_format }}';
+{%      endif                                                                  %}
+{% endif                                                                       %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/map.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/map.conf.j2
new file mode 100644
index 00000000..bddad3bd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/map.conf.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{#
+#    ==== nginx map template for debops.nginx role ====
+#
+# More information about maps: https://nginx.org/en/docs/http/ngx_http_map_module.html
+# List of parameters supported by this template:
+#
+#   - item.name: ''
+#       Name of the map configuration file. Required.
+#
+#   - item.map: ''
+#       Lookup string and variable name to set, for example:
+#         '$http_host $name'
+#         '$http_user_agent $mobile'
+#
+#   - item.default: ''
+#       Default value to set if no mapping can be selected
+#       (without the semicolon).
+#
+#   - item.include: []
+#       List of files to include in this map { } definition (use absolute paths
+#       to files).
+#
+#   - item.hostnames: True
+#       If this key is defined and True, nginx will treat list of source values
+#       as hostnames.
+#
+#   - item.mapping: |
+#       Text block with value mapping specified in the nginx configuration
+#       format (semicolons need to be included at the end of each line).
+#
+#   - item.delete: True
+#       If this parameter is defined and True, map configuration file will
+#       be removed from the host.
+#
+#}
+# {{ ansible_managed }}
+
+{% if item.name is defined and item.name                                          %}
+map {{ item.map }} {
+{%     if item.hostnames is defined and item.hostnames                            %}
+        hostnames;
+{%     endif                                                                      %}
+{%     if item.default is defined and item.default                                %}
+        default {{ item.default }};
+{%     endif                                                                      %}
+{%     if item.mapping is defined and item.mapping                                %}
+        {{ item.mapping | indent(8) | regex_replace("(?m)^\s*$", "") }}
+{%     endif                                                                      %}
+{%     if item.include is defined and item.include                                %}
+{%         for file in item.include                                               %}
+        include {{ file }};
+{%         endfor                                                                 %}
+{%     endif                                                                      %}
+}
+{% endif                                                                          %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_default.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_default.conf.j2
new file mode 100644
index 00000000..0280bf0e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_default.conf.j2
@@ -0,0 +1,106 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{#
+#    ==== Default nginx upstream template for debops.nginx role ====
+#
+# List of parameters supported by this template:
+#
+#   - item.name: ''
+#       Name of the upstream backend. Required.
+#
+#   - item.type: ''
+#       Name of the template used by nginx to generate upstream configuration.
+#
+#   - item.server: '' or []
+#       Address and additional parameters of a server. You can specify either
+#       a string (to configure one server instance) or a list (to configure
+#       multiple servers. If 'item.port' is not defined, each list element can
+#       be in the form 'address:port' to specify different ports.
+#
+#   - item.cluster: []
+#       Alternative configuration of servers. You can specify list of inventory
+#       hosts (for example using 'groups.group_name' syntax in a variable);
+#       template will check if a host can be found in Ansible facts and will
+#       use the FQDN hostname in the server configuration. If 'item.port' is
+#       specified, it will be added to all listed hosts.
+#
+#   - item.cluster_ip_all: []
+#       Alternative configuration of servers. You can specify list of inventory
+#       hosts (for example using 'groups.group_name' syntax in a variable);
+#       template will check if a host can be found in Ansible facts and will
+#       use all of the available IP addresses in the server configuration. If
+#       'item.port' is specified, it will be added to all listed hosts.
+#
+#   - item.port: ''
+#       Port number to add to lists of servers if nginx should connect to port
+#       other than 80.
+#
+#   - item.enabled: True/False
+#       If this parameter is defined and False, upstream will be configured
+#       with all servers in a "down" state.
+#
+#   - item.delete: True
+#       If this parameter is defined and True, upstream configuration file will
+#       be removed from the host.
+#
+#   - item.hash: True
+#       If this parameter is defined and True, 'ip_hash' option will be added
+#       to the upstream configuration.
+#
+#}
+# {{ ansible_managed }}
+
+{% block nginx_tpl_block_upstream                                                 %}
+{% if item.name is defined and item.name                                          %}
+upstream {{ item.name }} {
+{%     if item.hash is defined and item.hash                                      %}
+        ip_hash;
+{%     endif                                                                      %}
+{%     if item.server is defined and item.server                                  %}
+{%         if item.server is not string                                           %}
+{%             for line in item.server                                            %}
+        server {{ line }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             endfor                                                             %}
+{%         else                                                                   %}
+        server {{ item.server }}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%         endif                                                                  %}
+{%     endif                                                                      %}
+{%     if item.cluster is defined and item.cluster                                %}
+{%         for host in item.cluster                                               %}
+{%             if host == inventory_hostname                                      %}
+        server localhost{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             else                                                               %}
+{%                 if host in play_hosts and hostvars[host].ansible_fqdn is defined %}
+        server {{ hostvars[host].ansible_fqdn }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%                 else                                                           %}
+        # Unknown domain name of {{ host }}
+{%                 endif                                                          %}
+{%             endif                                                              %}
+{%         endfor                                                                 %}
+{%     endif                                                                      %}
+{%     if item.cluster_ip_all is defined and item.cluster_ip_all                  %}
+{%         for host in item.cluster_ip_all                                        %}
+{%             if host == inventory_hostname                                      %}
+        server 127.0.0.1{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             else                                                               %}
+{%                 if host in play_hosts and hostvars[host].ansible_all_ipv4_addresses is defined %}
+{%                     for address in hostvars[host].ansible_all_ipv4_addresses | unique | sort %}
+        server {{ address }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%                     endfor                                                     %}
+{%                 else                                                           %}
+        # Unknown IP address of {{ host }}                                        %}
+{%                 endif                                                          %}
+{%             endif                                                              %}
+{%         endfor                                                                 %}
+{%     endif                                                                      %}
+{%     if item.options | d()                                                        %}
+{{ item.options | indent(8, true) | regex_replace("(?m)^\s*$", "") }}
+{%     endif                                                                      %}
+{%     block nginx_tpl_block_custom_upstreams                                     %}
+{%     endblock                                                                   %}
+}
+{% endif                                                                          %}
+{% endblock                                                                       %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php.conf.j2
new file mode 100644
index 00000000..67006863
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php.conf.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "upstream_default.conf.j2" %}
+{#
+#
+#   ---- nginx upstream template for PHP websites ----
+#
+# List of parameters supported by this template:
+#
+#   - item.php_pool / item.php_pools
+#       Name of PHP-FPM pool which should be used as the upstream server. The
+#       role will automatically generate the path to the UNIX socket in the
+#       expected location.
+#
+#}
+{% set nginx__tpl_php_version = ansible_local.php.version | d('5' if (ansible_distribution_release in [ 'trusty', 'wily' ]) else '7.0') %}
+{% block nginx_tpl_block_custom_upstreams %}
+{%   set nginx__tpl_php_pools = item.php_pools | d(item.php_pool | d([]) ) %}
+{%   if nginx__tpl_php_pools %}
+{%     for pool in ([ nginx__tpl_php_pools ] if nginx__tpl_php_pools is string else nginx__tpl_php_pools) %}
+        server unix:{{ nginx_run_path }}/php{{ nginx__tpl_php_version }}-fpm-{{ pool }}.sock{% if ((item.enabled | d() and not item.enabled | bool) or (item.down | d() and item.down | bool)) %} down{% endif %};
+{%     endfor %}
+{%   endif %}
+{% endblock %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php5.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php5.conf.j2
new file mode 100644
index 00000000..1ef1a096
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_php5.conf.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "upstream_default.conf.j2" %}
+{#
+#
+#   ---- nginx upstream template for PHP5 websites ----
+#
+# List of parameters supported by this template:
+#
+#   - item.php5: ''
+#       Partial name of the UNIX socket created by php5-fpm process to use in
+#       the upstream configuration.
+#
+#}
+{% block nginx_tpl_block_custom_upstreams                                         %}
+{%     if item.php5 is defined and item.php5                                      %}
+    server unix:{{ nginx_run_path }}/php{{ ansible_local.php.version | d('5') }}-fpm-{{ item.php5 }}.sock{% if item.enabled is defined and item.enabled == False %} down{% endif %};
+{%     endif                                                                      %}
+{% endblock                                                                       %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_rails.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_rails.conf.j2
new file mode 100644
index 00000000..034ca7a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/conf.d/upstream_rails.conf.j2
@@ -0,0 +1,59 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "upstream_default.conf.j2" %}
+{% block nginx_tpl_block_upstream                                                 %}
+{% if nginx_flavor != 'passenger'                                                 %}
+{% if item.name is defined and item.name                                          %}
+upstream {{ item.name }} {
+{%     if item.hash is defined and item.hash                                      %}
+        ip_hash;
+{%     endif                                                                      %}
+{%     if item.server is defined and item.server                                  %}
+{%         if item.server is not string                                           %}
+{%             for line in item.server                                            %}
+        server {{ line }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             endfor                                                             %}
+{%         else                                                                   %}
+        server {{ item.server }}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%         endif                                                                  %}
+{%     endif                                                                      %}
+{%     if item.cluster is defined and item.cluster                                %}
+{%         for host in item.cluster                                               %}
+{%             if host == inventory_hostname                                      %}
+        server localhost{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             else                                                               %}
+{%                 if host in play_hosts and hostvars[host].ansible_fqdn is defined %}
+        server {{ hostvars[host].ansible_fqdn }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%                 else                                                           %}
+        # Unknown domain name of {{ host }}
+{%                 endif                                                          %}
+{%             endif                                                              %}
+{%         endfor                                                                 %}
+{%     endif                                                                      %}
+{%     if item.cluster_ip_all is defined and item.cluster_ip_all                  %}
+{%         for host in item.cluster_ip_all                                        %}
+{%             if host == inventory_hostname                                      %}
+        server 127.0.0.1{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%             else                                                               %}
+{%                 if host in play_hosts and hostvars[host].ansible_all_ipv4_addresses is defined %}
+{%                     for address in hostvars[host].ansible_all_ipv4_addresses | unique | sort %}
+        server {{ address }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
+{%                     endfor                                                     %}
+{%                 else                                                           %}
+        # Unknown IP address of {{ host }}                                        %}
+{%                 endif                                                          %}
+{%             endif                                                              %}
+{%         endfor                                                                 %}
+{%     endif                                                                      %}
+{%     block nginx_tpl_block_custom_upstreams                                     %}
+{%     endblock                                                                   %}
+}
+{% endif                                                                          %}
+{% elif nginx_flavor == 'passenger'                                               %}
+# Upstream configuration disabled.
+# Rails applications are served using Phusion Passenger
+{% endif                                                                          %}
+{% endblock                                                                       %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/nginx.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/nginx.conf.j2
new file mode 100644
index 00000000..2d7fb5a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/nginx.conf.j2
@@ -0,0 +1,127 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if nginx_user | d() %}
+user {{ nginx_user }};
+
+{% endif %}
+pid {{ nginx_run_path }}/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+# Default error_log
+{% set nginx_tpl_syslog_config = '' %}
+{% if nginx_syslog_config is defined %}
+{%     set nginx_tpl_syslog_config = ',' + nginx_syslog_config %}
+{% endif %}
+{% if nginx_log_to_syslog %}
+error_log syslog:server={{ nginx_log_path }}{{ nginx_tpl_syslog_config }};
+{% else %}
+error_log {{ nginx_http_error_log | default(nginx_log_path + '/error.log') }};
+{% endif %}
+
+# Nicenness, from 20 (nice) to -20 (not nice)
+worker_priority {{ nginx_worker_priority | default('0') }};
+
+# Number of workers to run, usually equals number of CPU cores
+worker_processes {{ nginx_worker_processes | default(ansible_processor_vcpus) }};
+
+# Maximum number of opened files per process, must be higher than worker_connections
+worker_rlimit_nofile {{ nginx_worker_rlimit_nofile | default('4096') }};
+
+{% if nginx_flavor == 'passenger' %}
+# Phusion Passenger requires correct $PATH to work
+env PATH;
+
+{% endif %}
+events {
+        worker_connections {{ nginx_worker_connections | default('1024') }};
+        multi_accept {{ nginx_multi_accept | default('off') }};
+}
+
+http {
+        include {{ nginx_etc_path }}/conf.d/*.conf;
+        include {{ nginx_etc_path }}/snippets/ssl.conf;
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        server_tokens {{ nginx_http_server_tokens | default('off') }};
+
+        server_names_hash_bucket_size {{ nginx_http_server_names_hash_bucket_size | default('64') }};
+        server_names_hash_max_size {{ nginx_http_server_names_hash_max_size | default('512') }};
+
+{% if nginx_http_options | d() and nginx_http_options %}
+{{ nginx_http_options | indent(8, true) | regex_replace("(?m)^\s*$", "") }}
+
+{% endif %}
+{% if nginx_http_extra_options | d() and nginx_http_extra_options %}
+{{ nginx_http_extra_options | indent(8, true) | regex_replace("(?m)^\s*$", "") }}
+
+{% endif %}
+{% block nginx_tpl_block_log %}
+{%      set nginx_tpl_access_log_format = '' %}
+{%      if nginx_access_log_format is defined %}
+{%          set nginx_tpl_access_log_format = ' ' +  nginx_access_log_format %}
+{%      endif %}
+        # Logging
+{% if nginx_log_to_syslog %}
+        access_log syslog:server={{ nginx_log_path }}{{ nginx_tpl_syslog_config }}{{ nginx_tpl_access_log_format }};
+        error_log  syslog:server={{ nginx_log_path }}{{ nginx_tpl_syslog_config }};
+{% else %}
+        access_log {{ nginx_http_access_log | default(nginx_log_path + '/access.log' + nginx_tpl_access_log_format) }};
+        error_log  {{ nginx_http_error_log  | default(nginx_log_path + '/error.log')  }};
+{% endif %}
+{% endblock %}
+
+        add_header X-Clacks-Overhead "GNU Terry Pratchett";
+
+{% if nginx_http_client_max_body_size | d() and nginx_http_client_max_body_size %}
+        client_max_body_size {{ nginx_http_client_max_body_size }};
+
+{% endif %}
+{% if ((nginx_http_allow is defined and nginx_http_allow) or
+       (nginx_http_auth_basic is defined and nginx_http_auth_basic) or
+       (nginx_http_satisfy is defined and nginx_http_satisfy)) %}
+        satisfy {{ nginx_http_satisfy | default(nginx_default_satisfy) }};
+
+{% endif %}
+{% if nginx_http_allow is defined and nginx_http_allow %}
+{% for address in ([ nginx_http_allow ] if nginx_http_allow is string else nginx_http_allow) %}
+        allow {{ address }};
+{% endfor %}
+        deny all;
+
+{% endif %}
+{% if nginx_http_auth_basic is defined and nginx_http_auth_basic %}
+        auth_basic "{% if nginx_http_auth_basic_realm is defined and nginx_http_auth_basic_realm %}{{ nginx_http_auth_basic_realm }}{% else %}{{ nginx_default_auth_basic_realm }}{% endif %}";
+        auth_basic_user_file {{ nginx_http_auth_basic_filename | default(nginx_private_path + "/" + nginx_http_auth_basic_name) }};
+
+{% endif %}
+{% if nginx_flavor == 'passenger' %}
+        # Configuration options for Phusion Passenger
+{# These values are set at playbook runtime #}
+{% if ansible_distribution_release in [ 'trusty', 'xenial' ] %}
+        passenger_root {{ nginx_passenger_root }};
+        passenger_ruby {{ nginx_passenger_ruby }};
+
+{% endif %}
+        passenger_max_pool_size {{ nginx_passenger_max_pool_size }};
+
+{% if nginx_passenger_options %}
+{{ nginx_passenger_options | indent(8,true) | regex_replace("(?m)^\s*$", "") }}
+
+{% endif %}
+{% endif %}
+        # Virtual Hosts Configs
+        include {{ nginx_etc_path }}/sites-enabled/*.conf;
+}
+{% if nginx_extra_options %}
+
+{{ nginx_extra_options }}
+{% endif %}
+
+# vim:ft=nginx
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/custom.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/custom.conf.j2
new file mode 100644
index 00000000..be368a3b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/custom.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.name | d() %}
+# Custom configuration: {{ item.name if item.name is string else item.name[0] | d('default') }}
+{{ item.custom }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/debops__tpl_macros.j2
new file mode 100644
index 00000000..4c458b37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/debops__tpl_macros.j2
@@ -0,0 +1,60 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Copyright [[[
+# Commonly used set of macros in DebOps.
+# It can be included in repositories as needed.
+# Changes to this file should go upstream: FIXME
+#
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+# ]]] #}
+
+{% macro get_yaml_list_for_elem(list_or_elem) %}{# [[[ #}
+{{ ([ list_or_elem ]
+    if (list_or_elem is string or list_or_elem in [True, False])
+    else (list_or_elem | list)) | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/default.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/default.conf.j2
new file mode 100644
index 00000000..4d621368
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/default.conf.j2
@@ -0,0 +1,775 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'debops__tpl_macros.j2' as debops__tpl_macros with context %}
+{#
+ #
+ #    ==== Default server template for debops.nginx role ====
+ #
+ # Refer to the documentation in /docs/defaults-detailed.rst
+ #
+ #}
+
+{#
+ #
+ #   ---- HTTPS, ports to listen on, default server, HTTPS redirect ----
+ #}
+{% set nginx_version            = ansible_local.nginx.version | d("0.0") %}
+{% set nginx_tpl_robots_tag     = [] if (item.robots_tag | d(nginx__http_robots_tag) is string and item.robots_tag | d(nginx__http_robots_tag) == omit)
+    else (
+        [ item.robots_tag | d(nginx__http_robots_tag) ]
+        if (item.robots_tag | d(nginx__http_robots_tag) is string)
+        else (item.robots_tag | d(nginx__http_robots_tag))) %}
+{% set nginx_tpl_acme           = (item.acme      | default(nginx_acme)) | bool %}
+{% set nginx_tpl_ssl            = (item.ssl       | default(nginx_pki)) | bool %}
+{% set nginx_tpl_listen         = item.listen     | default(nginx_listen_port if nginx_listen_port else nginx_listen_socket) %}
+{% if nginx_tpl_ssl | bool %}
+{%     set nginx_tpl_listen_ssl     = item.listen_ssl | default(nginx_listen_ssl_port if nginx_listen_ssl_port else nginx_listen_ssl_socket) %}
+{% endif %}
+{% set nginx_tpl_default_server = []                                           %}
+{% set nginx_tpl_ipv6only = []                                                 %}
+{% if nginx_register_default_server | d() %}
+{%     for name in ([ item.name ] if item.name is string else item.name)       %}
+{%         if (name == nginx_register_default_server or
+               not name and nginx_register_default_server == "default")        %}
+{%             set _ = nginx_tpl_default_server.append('default_server')       %}
+{%             if (nginx_manage_ipv6only | bool)                               %}
+{%                 set _ = nginx_tpl_ipv6only.append('ipv6only=off')           %}
+{%             endif                                                           %}
+{%         endif                                                               %}
+{%     endfor                                                                  %}
+{% endif                                                                       %}
+{% set nginx_tpl_default_server_ssl = []                                       %}
+{% set nginx_tpl_ipv6only_ssl = []                                             %}
+{% if nginx_register_default_server_ssl | d() %}
+{%     for name in ([ item.name ] if item.name is string else item.name)       %}
+{%         if (name == nginx_register_default_server_ssl or
+               not name and nginx_register_default_server_ssl == "default")    %}
+{%            set _ = nginx_tpl_default_server_ssl.append('default_server')    %}
+{%            if (nginx_manage_ipv6only | bool)                                %}
+{%                set _ = nginx_tpl_ipv6only_ssl.append('ipv6only=off')        %}
+{%            endif                                                            %}
+{%         endif                                                               %}
+{%     endfor %}
+{% endif %}
+{% set nginx_tpl_default_redirect_code = '307'                                 %}
+{% set nginx_tpl_default_redirect_code_ssl = '301'                             %}
+{% set nginx_tpl_http_redirect = item.redirect | default('https://$host$request_uri') %}
+{% set nginx_tpl_pki_custom_realm = '' %}
+{% set nginx_tpl_pki_custom_realm_list = [] %}
+{% if (nginx_pki | bool and item.name | d() and (ansible_local.pki.known_realms | d())) %}
+{# TODO: Legacy code. Use debops__tpl_macros.j2 #}
+{%     for name in ([ item.name ] if item.name is string else item.name)                       %}
+{%         if name in ansible_local.pki.known_realms                                           %}
+{%             set _ = nginx_tpl_pki_custom_realm_list.append(name)                            %}
+{%         elif (name.split('.')[1:] | join('.')) in ansible_local.pki.known_realms            %}
+{%             set _ = nginx_tpl_pki_custom_realm_list.append(name.split('.')[1:] | join('.')) %}
+{%         endif                                                                               %}
+{%     endfor                                                                                  %}
+{% endif                                                                                       %}
+{% if nginx_tpl_pki_custom_realm_list                                      %}
+{%     set nginx_tpl_pki_custom_realm = nginx_tpl_pki_custom_realm_list[0] %}
+{% endif                                                                   %}
+{#
+ #
+ #   ---- SSL certificate ----
+ #}
+{% set nginx_tpl_ssl_certificate = item.ssl_crt | d(nginx_pki_path + "/" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + "/" + (item.pki_crt | d(nginx_pki_crt))) %}
+{#
+ #
+ #   ---- SSL certificate key ----
+ #}
+{% set nginx_tpl_ssl_certificate_key = item.ssl_key | d(nginx_pki_path + "/" + item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + "/" + (item.pki_key | d(nginx_pki_key))) %}
+{#
+ #
+ #  ---- SSL client CA certificate ----
+ #}
+{% set nginx_tpl_ssl_client_certificate = item.ssl_ca | d(nginx_pki_path + "/" + item.pki_ca_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_ca_realm) + "/" + (item.pki_ca | d(nginx_pki_ca))) %}
+{#
+ #
+ #   ---- SSL trusted CA certificate ----
+ #}
+{% set nginx_tpl_ssl_trusted_certificate = item.ssl_trusted
+      | d(nginx_pki_path + "/" + (item.pki_realm | d(nginx_tpl_pki_custom_realm if nginx_tpl_pki_custom_realm else nginx_pki_realm) + "/" + item.pki_trusted | d(nginx_pki_trusted))) %}
+{#
+ #
+ #   ---- Diffie-Hellman Key Exchange parameters ----
+ #}
+{% set nginx_tpl_ssl_dhparam = item.ssl_dhparam | default(nginx_ssl_dhparam) %}
+{#
+ #
+ #   ---- root directory ----
+ #}
+{% if item.owner | d()                                                       %}
+{%     set nginx_tpl_root = item.root | default(nginx_www + '/' + item.owner + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}
+{% else                                                                    %}
+{%     set nginx_tpl_root = item.root | default(nginx_www + '/sites/' + (item.name if item.name is string else item.name[0] | d('default')) + '/' + ( item.public_dir_name | d(nginx_public_dir_name)) ) %}
+{% endif                                                                   %}
+{% if item.root_suffix | d()                                          %}
+{%     set nginx_tpl_root = nginx_tpl_root + '/' + item.root_suffix %}
+{% endif                                                            %}
+{% macro print_root()                                       %}
+{%     block nginx_tpl_block_root                           %}
+{%       if (not (item.root | d() | bool)) and nginx_tpl_root %}
+        root {{ nginx_tpl_root }};
+{%       endif                                              %}
+{%     endblock                                             %}
+{% endmacro                                                 %}
+{#
+ #
+ #   ---- macro which prints location entries from 'location' hash, flat ----
+ #}
+{% macro print_location(location,location_allow=[],location_referers=[],location_deny=[]) %}
+{%     if location is defined                                                  %}
+{%         for path in location.keys()                                         %}
+{%             if location[path]                                               %}
+        location {{ path }} {
+{%                 if location_referers is defined                             %}
+{%                     if location_referers[path] is defined and location_referers[path] %}
+                valid_referers none blocked {{ location_referers[path] | unique | sort | join(' ') }};
+                if ($invalid_referer) {
+                        return 403;
+                }
+{%                     endif                                                   %}
+{%                 endif                                                       %}
+                {{ item.location[path] | indent(16) | regex_replace("(?m)^\s*$", "") }}
+{%                 if location_allow is defined                                %}
+{%                     if location_allow[path] is defined and location_allow[path] %}
+{%                         for address in location_allow[path] | unique | sort %}
+                allow {{ address }};
+{%                         endfor                                              %}
+{%                         if location_deny is defined                         %}
+{%                             if location_deny[path] is defined               %}
+{%                                 for address in location_deny[path] | unique | sort %}
+                deny {{ address }};
+{%                                 endfor                                      %}
+{%                             endif                                           %}
+{%                         else                                                %}
+                deny all;
+{%                         endif                                               %}
+{%                     endif                                                   %}
+{%                 endif                                                       %}
+        }
+
+{%             endif                                                           %}
+{%         endfor                                                              %}
+{%     endif                                                                   %}
+{% endmacro                                                                    %}
+{#
+ #
+ #   ---- macro which prints location entries from 'location_list' list, recursive
+ #}
+{% macro print_location_list(location_list)                                    %}
+{%     if location_list is defined                                             %}
+{%         for entry in location_list                                          %}
+{%             if entry.pattern | d() and (entry.enabled | d(True) | bool)         %}
+        location {{ entry.pattern_prefix | default('') + entry.pattern }} {
+{%                 if entry.referers | d()                                       %}
+                valid_referers none blocked {{ entry.referers | unique | join(' ') }};
+                if ($invalid_referer) {
+                        return 403;
+                }
+{%                 endif                                                       %}
+{%                 if entry.options | d()                                        %}
+                {{ entry.options | indent(16) | regex_replace("(?m)^\s*$", "") }}
+{%                 endif                                                       %}
+{%                 if entry.access_policy | d() and (entry.access_policy in nginx_access_policy_satisfy_map) %}
+                satisfy {{ nginx_access_policy_satisfy_map[entry.access_policy] }};
+
+{%                 elif entry.allow | d() or
+                        (entry.auth_basic | d() | bool) or
+                        (entry.satisfy | d()) or
+                        (entry.access_policy | d() and
+                         entry.access_policy not in nginx_access_policy_satisfy_map) %}
+                satisfy {{ entry.satisfy | default(nginx_default_satisfy) }};
+
+{%                 endif                                                            %}
+{%                 if entry.allow | d() or entry.access_policy | d()    %}
+{%                     if entry.allow is defined                   %}
+{%                         if entry.allow is string                %}
+                allow {{ entry.allow }};
+{%                         else                                   %}
+{%                             for address in entry.allow | unique | sort %}
+                allow {{ address }};
+{%                             endfor                             %}
+{%                         endif                                  %}
+{%                     endif                                      %}
+{%                     if entry.access_policy | d() and (entry.access_policy in nginx_access_policy_allow_map) %}
+{%                         for address in nginx_access_policy_allow_map[entry.access_policy] | unique | sort %}
+                allow {{ address }};
+{%                         endfor                                                                          %}
+{%                     endif                                                                               %}
+                deny all;
+
+{%                 endif                                                                                   %}
+{%                 if entry.access_policy | d() and (entry.access_policy in nginx_access_policy_auth_basic_map) %}
+                auth_basic "{{ entry.auth_basic_realm | d(nginx_default_auth_basic_realm) }}";
+                auth_basic_user_file {{ nginx_private_path + "/" + nginx_access_policy_auth_basic_map[entry.access_policy] }};
+
+{%                 elif entry.auth_basic | d() | bool %}
+                auth_basic "{{ entry.auth_basic_realm | d(nginx_default_auth_basic_realm) }}";
+                auth_basic_user_file {{ entry.auth_basic_filename | default(nginx_private_path + "/" + entry.auth_basic_name | d()) }};
+
+{%                 endif %}
+{%                 if entry.locations | d()                                      %}
+{{ print_location_list(entry.locations) | indent(8, true) | regex_replace("(?m)^\s*$", "") }}
+{%                 endif                                                       %}
+        }
+{%             endif                                                           %}
+{% if not loop.last %}
+
+{% endif %}
+{%         endfor                                                              %}
+{%     endif                                                                   %}
+{% endmacro                                                                    %}
+{#
+ #
+ #   ---- macro which prints the nginx server block which is shared between HTTP and HTTPS
+ #}
+{% macro print_shared_nginx_server_block()                                               %}
+{% if (not nginx_tpl_ssl and ((item.redirect | d()) or (item.redirect_to_ssl | d() | bool))) %}
+        return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};
+{% elif nginx_tpl_ssl and item.redirect_ssl | d()                                          %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} {{ item.redirect_ssl }};
+{% else                                                                                  %}
+        keepalive_timeout {{ item.keepalive | default(nginx_default_keepalive_timeout) | string }};
+
+{%     block nginx_tpl_block_log                                                    %}
+{%         if item.name | d() %}
+{%             set nginx_tpl_access_log_format = ''                                 %}
+{%             if item.access_log_format is defined                                 %}
+{%                 set nginx_tpl_access_log_format = ' ' +  item.access_log_format  %}
+{%             elif nginx_access_log_format is defined                              %}
+{%                 set nginx_tpl_access_log_format = ' ' +  nginx_access_log_format %}
+{%             endif                                                                %}
+{%             set nginx_tpl_syslog_config = ''                                     %}
+{%             if item.syslog_config is defined                                     %}
+{%                 set nginx_tpl_syslog_config = ',' + item.syslog_config           %}
+{%             elif nginx_syslog_config is defined                                  %}
+{%                 set nginx_tpl_syslog_config = ',' + nginx_syslog_config          %}
+{%             endif                                                                %}
+{%             if item.access_log_enabled | d(True) | bool %}
+{%                 if (item.log_to_syslog | d(nginx_log_to_syslog))                 %}
+        access_log syslog:server={{ item.log_path | d(nginx_log_path)}}{{ nginx_tpl_syslog_config }}{{ nginx_tpl_access_log_format }};
+{%                 else                                                             %}
+        access_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.access_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_access') }}.log{{ nginx_tpl_access_log_format }};
+{%                 endif                                                            %}
+{%             else %}
+        access_log off;
+{%             endif %}
+{%             if item.error_log_enabled | d(True) | bool %}
+{%                 if (item.log_to_syslog | d(nginx_log_to_syslog))                 %}
+        error_log  syslog:server={{ item.log_path | d(nginx_log_path) }}{{ nginx_tpl_syslog_config }};
+{%                 else                                                             %}
+        error_log {{ (item.log_path | d(nginx_log_path)) + '/' + item.error_log | d(item.filename | d(item.name if item.name is string else item.name[0]) + '_error') }}.log;
+{%                 endif                                                            %}
+{%             else %}
+        error_log off;
+{%             endif %}
+{%         endif                                                                    %}
+{%     endblock                                                                     %}
+{%     block nginx_tpl_block_index                                                  %}
+{%         if item.index | d(True)                                                    %}
+        index {{ item.index | default('index.html index.htm') }};
+
+{%         endif                                                                    %}
+{%     endblock                                                                     %}
+{%     if nginx_real_ip_from | d() and nginx_real_ip_from                             %}
+{%         if nginx_real_ip_header | d() and nginx_real_ip_header                     %}
+        real_ip_header {{ nginx_real_ip_header }};
+{%         endif                                                                    %}
+{%         if nginx_real_ip_recursive | bool                                        %}
+        real_ip_recursive on;
+{%         elif not nginx_real_ip_recursive | bool                                  %}
+        real_ip_recursive off;
+{%         endif                                                                    %}
+{%         if nginx_real_ip_from is string                                          %}
+        set_real_ip_from {{ nginx_real_ip_from }};
+
+{%         else                                                                     %}
+{%             for element in nginx_real_ip_from                                    %}
+        set_real_ip_from {{ element }};
+{%             endfor                                                               %}
+{%         endif                                                                    %}
+
+{%     endif                                                                        %}
+{%     if item.maintenance | d(True) | bool                                             %}
+        if (-f $document_root/{{ item.maintenance_file | d('maintenance.html') }}) {
+                return 503;
+        }
+        error_page 503 @maintenance;
+        location @maintenance {
+                rewrite ^(.*)$ /{{ item.maintenance_file | d('maintenance.html') }} break;
+        }
+
+{%     endif                                                                        %}
+{%     if item.error_pages | d()                                                      %}
+{%         for code, location in item.error_pages.items()                       %}
+        error_page {{ code }} {{ location }};
+        location {{ location }} {
+                internal;
+        }
+
+{%         endfor                                                                   %}
+{%     endif                                                                        %}
+{%     if item.include_files_begin | d()                                 %}
+{%         for file in item.include_files_begin                        %}
+        include {{ file }};
+{%         endfor                                                      %}
+
+{%     endif                                                           %}
+{%     if item.error_pages_list | d()                                    %}
+{%         for element in item.error_pages_list                        %}
+{%             if element.location | d() or element.location_options | d() %}
+
+{%             endif                                                   %}
+        error_page {{ element.code if (element.code is string) else (element.code | join(" ")) }} {{ element.uri }};
+{%             if element.location | d() or element.location_options | d() %}
+        location {{ element.location | d(element.uri) }} {
+{{ element.location_options | indent(16, true) | regex_replace("(?m)^\s*$", "") }}
+        }
+{%                 if not loop.last                                    %}
+
+{%                 endif                                               %}
+{%             endif                                                   %}
+{%         endfor                                                      %}
+
+{%     endif                                                           %}
+{%     if item.options | d()                                             %}
+        {{ item.options | indent(8) | regex_replace("(?m)^\s*$", "") }}
+
+{%     endif                                                           %}
+{%     if item.access_policy | d() and (item.access_policy in nginx_access_policy_satisfy_map) %}
+        satisfy {{ nginx_access_policy_satisfy_map[item.access_policy] }};
+
+{%     elif item.allow | d() or
+            (item.auth_basic | d() | bool) or
+            (item.satisfy | d()) or
+            (item.access_policy | d() and
+             item.access_policy not in nginx_access_policy_satisfy_map) %}
+        satisfy {{ item.satisfy | default(nginx_default_satisfy) }};
+
+{%     endif                                                            %}
+{%     if item.allow | d() or item.access_policy | d()    %}
+{%         if item.allow is defined                   %}
+{%             if item.allow is string                %}
+        allow {{ item.allow }};
+{%             else                                   %}
+{%                 for address in item.allow | unique | sort %}
+        allow {{ address }};
+{%                 endfor                             %}
+{%             endif                                  %}
+{%         endif                                      %}
+{%         if item.access_policy | d() and (item.access_policy in nginx_access_policy_allow_map) %}
+{%             for address in nginx_access_policy_allow_map[item.access_policy] | unique | sort  %}
+        allow {{ address }};
+{%             endfor                                                                          %}
+{%         endif                                                                               %}
+        deny all;
+
+{%     endif                                                                                   %}
+{%     if item.access_policy | d() and (item.access_policy in nginx_access_policy_auth_basic_map) %}
+        auth_basic "{{ item.auth_basic_realm | d(nginx_default_auth_basic_realm) }}";
+        auth_basic_user_file {{ nginx_private_path + "/" + nginx_access_policy_auth_basic_map[item.access_policy] }};
+
+{%     elif item.auth_basic | d() | bool %}
+        auth_basic "{{ item.auth_basic_realm | d(nginx_default_auth_basic_realm) }}";
+        auth_basic_user_file {{ item.auth_basic_filename | default(nginx_private_path + "/" + item.auth_basic_name | d()) }};
+
+{%     endif %}
+{%     if item.userdir | d() | bool %}
+        location ~ {{ item.userdir_regexp | d('^/~(.+?)(/.*)?$') }} {
+                alias {{ item.userdir_alias | d(nginx_www + '/$1/userdir/public$2') }};
+                index {{ item.userdir_index | d(item.index | default('index.html index.htm')) }};
+{%         if item.userdir_options | d() %}
+{{             item.userdir_options | indent(16, true) | regex_replace("(?m)^\s*$", "") }}
+{%         else                        %}
+                autoindex on;
+                autoindex_exact_size off;
+{%         endif                       %}
+        }
+
+{%     endif %}
+{%     if item.deny_hidden | d(True) | bool %}
+        # Disallow access to hidden files and directories, except `/.well-known/`
+        # https://www.mnot.net/blog/2010/04/07/well-known
+        # https://tools.ietf.org/html/rfc5785
+        location ~ /\.(?!well-known/) {
+                return 404;
+        }
+
+{%     endif %}
+{%     if item.favicon | d(True) | bool %}
+        location = /favicon.ico {
+                try_files /favicon.ico =204;
+                access_log off;
+                log_not_found off;
+        }
+
+{%     endif                          %}
+{%     if item.status | d(True) and (nginx_status or nginx_status_localhost) %}
+        location = {{ item.status_name | default(nginx_status_name) }} {
+                stub_status on;
+                access_log off;
+{%         if nginx_status_localhost                                 %}
+{%             for address in nginx_status_localhost | unique | sort %}
+                allow {{ address }};
+{%             endfor                                         %}
+{%         endif                                              %}
+{%         if nginx_status                                    %}
+{%             for address in nginx_status | unique | sort    %}
+                allow {{ address }};
+{%             endfor                                         %}
+{%         endif                                              %}
+{%         if item.status | d()                               %}
+{%             for address in item.status | unique | sort     %}
+                allow {{ address }};
+{%             endfor                                         %}
+{%         endif                                              %}
+                deny all;
+        }
+
+{%     endif                                                  %}
+{%     block nginx_tpl_block_custom_status_locations %}
+{%     endblock                                      %}
+{%     if nginx_tpl_default_server or nginx_tpl_default_server_ssl %}
+        include /etc/nginx/sites-default.d/*.conf;
+
+{%     endif                                               %}
+{%     block nginx_tpl_block_location                      %}
+{%         if item.location | d() or item.location_list | d()  %}
+{%             if item.location_list | d()                   %}
+{{                 print_location_list(item.location_list) }}
+{%             endif                                       %}
+{%             if item.location | d()                        %}
+{{                 print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}
+{%            endif                                        %}
+{%         else                                            %}
+        location / {
+{%             block nginx_tpl_block_location_root         %}
+                try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files | d() else nginx_default_try_files) | join(' ') }} =404;
+{%             endblock                                    %}
+        }
+{%         endif                                           %}
+{%     endblock %}
+{%     block nginx_tpl_block_custom_locations %}
+{%     endblock %}
+{%     if item.include_files_end | d()                       %}
+
+{%         for file in item.include_files_end              %}
+        include {{ file }};
+{%         endfor                                          %}
+{%     endif                                               %}
+{% endif %}
+{% endmacro %}
+{#
+ #
+ #   ---- nginx server template begins here ----
+ #}
+# {{ ansible_managed }}
+
+{% if item.name | d()                                                         %}
+# nginx server configuration for:
+{%     for address in ([ item.name ] if item.name is string else item.name) %}
+{%         if nginx_tpl_ssl and not (item.redirect_to_ssl | d(True) | bool)   %}
+#    - http://{{ address }}/
+{%         endif                                                            %}
+#    - {{ "https" if nginx_tpl_ssl else "http" }}://{{ address }}/
+{%     endfor                                                               %}
+{%     if item.by_role | d()                                                  %}
+# generated by Ansible role: {{ item.by_role }}
+{%     endif                                                                %}
+
+{% else                                                                     %}
+# nginx server default configuration
+{%     if item.by_role | d()                                                  %}
+# generated by Ansible role: {{ item.by_role }}
+{%     endif                                                                %}
+
+{% endif                                                                    %}
+{% if item.toplevel_options | d() %}
+{{   item.toplevel_options | regex_replace("(?m)^\s*$", "") | regex_replace("\n$", "") }}
+
+{% endif %}
+{% set nginx__tpl_hostname_domain = item.hostname_domain | d(((item.name if item.name is string else item.name[0]) if item.name | d() else ansible_fqdn).split('.')[1:] | join('.')) %}
+{% set nginx__tpl_final_hostname_domain = [] %}
+{% if item.hostname_domain is undefined %}
+{%   for domain_suffix in nginx__hostname_domains[::-1] %}
+{%     if nginx__tpl_hostname_domain.endswith(domain_suffix) %}
+{%       if nginx__tpl_final_hostname_domain %}
+{%         set _ = nginx__tpl_final_hostname_domain.pop() %}
+{%       endif %}
+{%       set _ = nginx__tpl_final_hostname_domain.append(domain_suffix) %}
+{%     endif %}
+{%   endfor %}
+{%   if nginx__tpl_final_hostname_domain %}
+{%     set nginx__tpl_hostname_domain = nginx__tpl_final_hostname_domain[0] %}
+{%   endif %}
+{% endif %}
+{% if item.hostname is undefined                         %}
+{%   set nginx__tpl_hostnames = []                       %}
+{%   for element in ([ item.name ] if (item.name is string) else item.name) %}
+{%     set element_hostname = element | regex_replace(('\.' + (nginx__tpl_hostname_domain | replace('.', '\.')) + '$'), '') %}
+{%     if (not element_hostname | ansible.utils.ipaddr and
+           element_hostname not in ([ item.name ] if (item.name is string) else item.name) and
+           not element_hostname.startswith('www') and
+           element_hostname is not search('[^a-zA-Z0-9\-\_\.]+')) and
+           (element_hostname + '.' + nginx__tpl_hostname_domain) in ([ item.name ] if item.name is string else item.name) %}
+{%       set _ = nginx__tpl_hostnames.append(element_hostname) %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{%   set nginx__tpl_hostnames = ([ item.hostname ] if (item.hostname is string) else item.hostname) %}
+{% endif %}
+{% if nginx__tpl_hostnames | d() and item.listen | d(True)                  %}
+# Support for redirection via DNS suffixes in /etc/resolv.conf
+server {
+{%   if item.listen | d(True)                            %}
+{%       for port in nginx_tpl_listen                  %}
+        listen {{ port }};
+{%       endfor                                        %}
+
+{%       for address in nginx__tpl_hostnames | unique | sort %}
+        server_name {{ address }};
+{%       endfor                                        %}
+
+{%   endif                                             %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://$host.{{ nginx__tpl_hostname_domain }}$request_uri;
+}
+
+{%   if nginx__tpl_hostname_domain.startswith('lxc.') %}
+# Support for redirection to an internal LXC subdomain
+server {
+{%     if item.listen | d(True)                          %}
+{%       for port in nginx_tpl_listen                  %}
+        listen {{ port }};
+{%       endfor                                        %}
+
+{%       for address in nginx__tpl_hostnames | unique | sort %}
+        server_name {{ address + '.lxc' }};
+{%       endfor                                        %}
+
+{%     endif                                           %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://$host.{{ nginx__tpl_hostname_domain | regex_replace('^lxc\.','') }}$request_uri;
+}
+
+{%   endif                                             %}
+# Support for redirection via Avahi/mDNS '*.local' domain
+server {
+{%   if item.listen | d(True)                            %}
+{%       for port in nginx_tpl_listen                  %}
+        listen {{ port }};
+{%       endfor                                        %}
+
+{%       for address in nginx__tpl_hostnames | unique | sort %}
+        server_name {{ address }}.local;
+{%       endfor                                        %}
+
+{%   endif                                             %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://$host_without_local.{{ nginx__tpl_hostname_domain }}$request_uri;
+}
+
+{% endif                                                 %}
+{% if item.redirect_from | d() and item.name | d()           %}
+{%     if item.name is string or item.name | length == 1 %}
+# Cannot redirect from only one name: {{ item.name if item.name is string else item.name | join(', ') }}
+
+{%     else                                              %}
+server {
+
+{%         if item.listen | d(True)                        %}
+{%             for port in nginx_tpl_listen              %}
+        listen {{ port | string }};
+{%             endfor                                    %}
+{%             if nginx_tpl_ssl | bool                   %}
+{%                 for port in nginx_tpl_listen_ssl      %}
+        listen {{ port | string }} ssl;
+{%                 endfor                                %}
+
+        ssl_certificate {{ nginx_tpl_ssl_certificate }};
+        ssl_certificate_key {{ nginx_tpl_ssl_certificate_key }};
+{%              endif                                    %}
+
+{%             if item.redirect_from is iterable         %}
+{%                 for name in item.redirect_from        %}
+        server_name {{ name }};
+{%                 endfor                                %}
+{%             else                                      %}{# item.redirect_from is True #}
+{%                 for name in item.name[1:]             %}
+        server_name {{ name }};
+{%                 endfor                                %}
+{%             endif                                     %}
+
+{%         endif                                         %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;
+
+}
+
+{%     endif                                             %}
+{% elif item.redirect_to | d() and item.name | d()           %}
+server {
+
+{%     if item.listen | d(True)                            %}
+{%         for port in nginx_tpl_listen                  %}
+        listen {{ port }};
+{%         endfor                                        %}
+
+{%         for address in ([ item.name ] if item.name is string else item.name) %}
+{%             if address != item.redirect_to            %}
+        server_name {{ address }};
+{%             endif                                     %}
+{%         endfor                                        %}
+
+{%     endif                                             %}
+        return {{ item.redirect_code | default(nginx_tpl_default_redirect_code) }} $scheme://{{ item.redirect_to }}$request_uri;
+
+}
+
+{% endif                                                 %}
+server {
+
+{% if item.listen | d(True)                                %}
+{%     for port in nginx_tpl_listen %}
+        listen {{ port }}{% if nginx_tpl_default_server %} {{ nginx_tpl_default_server | join(" ") }}{% endif %}{% if (loop.first and nginx_tpl_ipv6only) %} {{ nginx_tpl_ipv6only | join(" ") }}{% endif %};
+{%     endfor                                            %}
+
+{%     if item.name | d()                                  %}
+{%         if item.redirect_from | d()                     %}
+        server_name {{ item.name if item.name is string else item.name[0] }};
+
+{%         elif item.redirect_to | d()                     %}
+        server_name {{ item.redirect_to }};
+
+{%         else                                          %}
+{%             for name in ([ item.name ] if item.name is string else item.name) %}
+        server_name {{ name }};
+{%             endfor                                    %}
+
+{%         endif                                         %}
+{%     endif                                             %}
+{{     print_root() }}
+{%     if nginx_tpl_acme | bool                          %}
+        include snippets/acme-challenge.conf;
+
+{%     endif                                             %}
+{% endif                                                 %}
+{% if nginx_tpl_ssl                                      %}
+{%     if item.listen | d(True)                            %}
+{%         if not (item.redirect_to_ssl | d(True) | bool)  %}
+{{             print_shared_nginx_server_block() }}
+{%         else                                          %}
+        location / {
+                return {{ item.redirect_code_ssl | default(nginx_tpl_default_redirect_code_ssl) }} {{ nginx_tpl_http_redirect }};
+        }
+{%         endif                                         %}
+
+}
+
+server {
+
+{%     endif %}
+{%     for port in nginx_tpl_listen_ssl %}
+{%      set opts = [ 'ssl' ] %}
+{%      if nginx_version is version_compare('1.9.5', '>=') %}
+{%        if nginx_enable_http2 | bool %}
+{%          set _ = opts.append('http2') %}
+{%        endif %}
+{%      endif %}
+{%      set _ = opts.extend(nginx_tpl_default_server_ssl) %}
+{%      if loop.first %}
+{%        set _ = opts.extend(nginx_tpl_ipv6only_ssl) %}
+{%      endif %}
+        listen {{ port }} {{ opts | join(" ") }};
+{%     endfor %}
+
+        ssl_certificate           {{ nginx_tpl_ssl_certificate }};
+        ssl_certificate_key       {{ nginx_tpl_ssl_certificate_key }};
+        ssl_protocols             {{ (item.tls_protocols | d(nginx_default_tls_protocols)) | join(" ") }};
+        ssl_prefer_server_ciphers {{ "off"
+                                      if nginx_default_tls_protocols | length == 1 and
+                                         nginx_default_tls_protocols[0] == "TLSv1.3"
+                                      else "on" }};
+{%     if (nginx_ssl_ciphers[item.ssl_ciphers | d(nginx_default_ssl_ciphers)]) %}
+        ssl_ciphers               "{{ nginx_ssl_ciphers[item.ssl_ciphers | default(nginx_default_ssl_ciphers)] }}"; # TLS cipher suites set: {{ item.ssl_ciphers | default(nginx_default_ssl_ciphers) }}
+{%     else %}
+        #ssl_ciphers              "default set of ciphers used by this nginx install";
+{%     endif %}
+{%     if nginx_tpl_ssl_dhparam and nginx_tpl_ssl_dhparam != '' %}
+        ssl_dhparam               {{ nginx_tpl_ssl_dhparam }};
+{%     endif                                                %}
+{%     if item.ssl_curve | default(nginx_default_ssl_curve) %}
+        ssl_ecdh_curve            {{ item.ssl_curve | default(nginx_default_ssl_curve) }};
+{%     endif                                                %}
+{%     if nginx_version is version_compare('1.4','>=') and (item.ocsp | d(nginx_ocsp)) | bool %}
+        ssl_stapling              on;
+{%         if (item.ocsp_verify | d(nginx_ocsp_verify)) | bool  %}
+        ssl_stapling_verify       on;
+        ssl_trusted_certificate   {{ nginx_tpl_ssl_trusted_certificate }};
+{%         endif                                                %}
+        resolver                  {{ (item.ocsp_resolvers | d(nginx_ocsp_resolvers)) | ansible.utils.ipwrap | join(" ") }} valid=300s;
+        resolver_timeout          5s;
+{%     endif                                                        %}
+{%     if (item.ssl_verify_client | d(nginx_default_ssl_verify_client)) | bool      %}
+{%         if item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) %}
+        ssl_verify_client         on;
+        ssl_client_certificate    {{ item.ssl_client_certificate | d(nginx_default_ssl_client_certificate) }};
+{%         endif                                                                    %}
+{%         if item.ssl_crl | d(nginx_default_ssl_crl)           %}
+        ssl_crl                   {{ item.ssl_crl | d(nginx_default_ssl_crl) }};
+{%         endif                                                %}
+{%     endif                                                    %}
+{%     if item.hsts_enabled | d(True) | bool                      %}
+        add_header                Strict-Transport-Security "max-age={{ nginx_hsts_age }}{{ "; includeSubDomains" if nginx_hsts_subdomains | bool else "" }}{{ "; preload" if ((item.hsts_preload | d(nginx_hsts_preload)) | bool) else "" }}"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};
+{% endif                                                    %}
+{% if item.csp_enabled | d(False) | bool %}
+        add_header                Content-Security-Policy "{{ item.csp | d("default-src https: ;") + (" " + item.csp_append | d(nginx__http_csp_append) if (item.csp_append | d(nginx__http_csp_append)) else "") }}";
+{% endif %}
+{% if item.csp_report_enabled | d(False) | bool %}
+        add_header                Content-Security-Policy-Report-Only "{{ item.csp_report | d(item.csp | d("default-src https: ;")) + (" " + item.csp_append | d(nginx__http_csp_append) if (item.csp_append | d(nginx__http_csp_append)) else "") }}";
+{% endif %}
+{%     if item.content_type_options | d(True) != omit             %}
+        add_header                X-Content-Type-Options "{{ item.content_type_options | d('nosniff') }}"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};
+{%     endif                                                    %}
+{%     if item.frame_options | d() != omit                        %}
+        add_header                X-Frame-Options "{{ item.frame_options | d('SAMEORIGIN') }}"{% if nginx_version is version_compare('1.7.5','>=') %} always{% endif %};
+{%     endif                                                    %}
+{%     if item.xss_protection | d(nginx__http_xss_protection) != omit %}
+        add_header                X-XSS-Protection "{{ item.xss_protection | d(nginx__http_xss_protection) }}";
+{%     endif                                                    %}
+{%     if item.http_referrer_policy | d(nginx__http_referrer_policy) != omit %}
+        add_header                Referrer-Policy "{{ item.http_referrer_policy | d(nginx__http_referrer_policy) }}";
+{%     endif                                                    %}
+{%     for robots_tag in nginx_tpl_robots_tag                   %}
+        add_header                X-Robots-Tag "{{ robots_tag }}";
+{%     endfor                                                   %}
+{%     if item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) != omit %}
+        add_header                X-Permitted-Cross-Domain-Policies "{{ item.permitted_cross_domain_policies | d(nginx__http_permitted_cross_domain_policies) }}";
+{%     endif                                                    %}
+
+{%     if item.name | d()                                         %}
+{%         if item.redirect_from | d()                            %}
+        server_name {{ item.name if item.name is string else item.name[0] }};
+
+{%         elif item.redirect_to | d()                            %}
+        server_name {{ item.redirect_to }};
+
+{%         else                                                 %}
+{%             for name in ([ item.name ] if item.name is string else item.name) %}
+        server_name {{ name }};
+{%             endfor                                           %}
+
+{%         endif                                                %}
+{%     endif                                                    %}
+{% endif %}
+{% if nginx_tpl_ssl | bool                                      %}
+{{     print_root() }}
+{%     if nginx_tpl_acme | bool                                 %}
+        include snippets/acme-challenge.conf;
+
+{%     endif                                                    %}
+{% endif                                                        %}
+{# ---- end of nginx_tpl_ssl ---- #}
+{{ print_shared_nginx_server_block() }}
+}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php.conf.j2
new file mode 100644
index 00000000..f08e34bb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php.conf.j2
@@ -0,0 +1,134 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "default.conf.j2" %}
+{#
+#
+#    ---- nginx server template for PHP websites ----
+#
+# Refer to the documentation in /docs/defaults-detailed.rst
+#
+#}
+{% block nginx_tpl_block_index %}
+        index {{ item.index | default('index.html index.htm index.php') }};
+
+{% endblock %}
+{% block nginx_tpl_block_location_root %}
+                try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files | d() else ["$uri $uri/ $uri.php"]) | join(' ') }};
+{% endblock %}
+{% block nginx_tpl_block_custom_status_locations %}
+{%   if item.php_status | d() | bool %}
+        location ~ ^/({{ item.php_status_name | d('status.php') }}|{{ item.php_ping_name | d('ping.php') }})$ {
+                access_log off;
+{%     set nginx__tpl_status_allow = [] %}
+{%     if nginx_status_localhost %}
+{%       for address in nginx_status_localhost | unique | sort %}
+{%         set _ = nginx__tpl_status_allow.append(address) %}
+{%       endfor %}
+{%     endif %}
+{%     if nginx_status %}
+{%       for address in nginx_status | unique | sort %}
+{%         set _ = nginx__tpl_status_allow.append(address) %}
+{%       endfor %}
+{%     endif %}
+{%     if item.php_status_allow | d() %}
+{%       for address in ([ item.php_status_allow ] if item.php_status_allow is string else item.php_status_allow) %}
+{%          set _ = nginx__tpl_status_allow.append(address) %}
+{%       endfor %}
+{%     endif %}
+{%     for address in nginx__tpl_status_allow | unique | sort %}
+                allow {{ address }};
+{%     endfor %}
+                deny all;
+                include fastcgi_params;
+                fastcgi_index index.php;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                fastcgi_pass {{ item.php_upstream }};
+        }
+
+{%   endif %}
+{% endblock %}
+{% block nginx_tpl_block_custom_locations %}
+{%   if item.location | d() %}
+{%     if '/' not in item.location.keys() %}
+        location / {
+                try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files | d() else ["$uri $uri/ $uri.php"]) | join(' ') }};
+        }
+
+{%     endif %}
+{%   endif %}
+{%   if item.php_upstream | d() %}
+
+        # CVE-2019-11043 mitigation (https://security-tracker.debian.org/tracker/CVE-2019-11043)
+        # Based on: https://bugs.php.net/bug.php?id=78599
+        rewrite ^(.*?)\n $1;
+        location {{ item.php_location_script_name | d("~ ^(?!.+\.php/)(?<script_name>.+\.php)$") }} {
+{%      if item.php_limit_except | d() %}
+                limit_except {{ item.php_limit_except if item.php_limit_except is string else item.php_limit_except | join(' ') }} { deny all; }
+
+{%     endif %}
+                try_files {{ (([ item.php_try_files ] if item.php_try_files is string else item.php_try_files) if item.php_try_files | d() else ['$script_name', '=404']) | join(' ') }};
+
+{%     if item.php_include | d(True) %}
+{%       if (nginx_version | d() and nginx_version is version_compare('1.6.1','<')) %}
+                include {{ item.php_include | d('fastcgi_params') }};
+{%       else %}
+{%         if nginx_flavor in [ 'passenger', 'nginx.org' ] %}
+                include {{ item.php_include | d('fastcgi_params') }};
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+{%         else %}
+                include {{ item.php_include | d('fastcgi.conf') }};
+{%         endif %}
+{%       endif %}
+
+{%     endif %}
+{%     if item.php_options | d() %}
+                {{ item.php_options | indent(16) | regex_replace("(?m)^\s*$", "") }}
+
+{%     endif %}
+                # Mitigate HTTPOXY attacks (https://httpoxy.org/)
+                fastcgi_param HTTP_PROXY "";
+
+                fastcgi_index index.php;
+                fastcgi_pass {{ item.php_upstream }};
+        }
+
+        # CVE-2019-11043 mitigation (https://security-tracker.debian.org/tracker/CVE-2019-11043)
+        # Based on: https://bugs.php.net/bug.php?id=78599
+        rewrite ^(.*?)\n $1;
+        location {{ item.php_location_path_info | d("~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$") }} {
+{%     if item.php_limit_except | d() %}
+                limit_except {{ item.php_limit_except if item.php_limit_except is string else item.php_limit_except | join(' ') }} { deny all; }
+
+{%     endif %}
+                try_files {{ (([ item.php_try_files ] if item.php_try_files is string else item.php_try_files) if item.php_try_files | d() else ['$script_name', '=404']) | join(' ') }};
+
+{%     if (item.php_include is undefined or item.php_include | d()) %}
+                include {{ item.php_include | default('fastcgi_params') }};
+{%       if (item.php_include is undefined) %}
+                fastcgi_param SCRIPT_FILENAME $document_root$script_name;
+                fastcgi_param PATH_INFO $path_info;
+{# This option doesn't work yet... #}
+                #fastcgi_param PATH_TRANSLATED $document_root$path_info;
+
+{%       endif %}
+{%     endif %}
+{%     if item.php_options | d() %}
+                {{ item.php_options | indent(16) | regex_replace("(?m)^\s*$", "") }}
+
+{%     endif %}
+                # Mitigate HTTPOXY attacks (https://httpoxy.org/)
+                fastcgi_param HTTP_PROXY "";
+
+                fastcgi_index index.php;
+                fastcgi_pass {{ item.php_upstream }};
+        }
+
+{%   else %}
+        location ~ \.php$ {
+                return 403;
+        }
+{%   endif %}
+{% endblock %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php5.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php5.conf.j2
new file mode 100644
index 00000000..9c1be94b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/php5.conf.j2
@@ -0,0 +1,173 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "default.conf.j2" %}
+{#
+#
+#    ---- nginx server template for PHP5 websites ----
+#
+# This template is deprecated.
+# Refer to the documentation in /docs/defaults-detailed.rst for alternatives.
+#
+# List of parameters supported by this template:
+#
+#   - item.php5: ''
+#       Name of nginx upstream to use.
+#
+#       If undefined, '.php' files will be protected by =403.
+#
+#
+#   - item.index: ''
+#       String of index files to enable.
+#
+#       If undefined, add 'index.php' at the end of list of index files.
+#
+#
+#   - item.php5_limit_except: '' or False
+#       String of methods to allow for all hosts.
+#
+#       If undefined, default limits will be applied (block all requests except
+#       GET, HEAD and POST).
+#
+#       If set to False, limits are disabled.
+#
+#       More information:
+#       https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except
+#
+#
+#   - item.php5_include: ''
+#       File to include instead of 'fastcgi_params', relative to /etc/nginx/
+#
+#       If set to False, nothing is included.
+#
+#
+#   - item.php5_options: |
+#       Additional options to append to php location, in text block format.
+#
+#
+#   - item.php5_status: []
+#       Optional. Enable php5 fpm server status page and allow access from list of
+#       IP addresses or CIDR ranges.
+#
+#
+#   - item.php5_status_name: ''
+#       Optional. Set the name of the location which should be used for php5 fpm
+#       status page
+#
+#
+#   - item.php5_ping_name: ''
+#       Optional. Set the name of the location which should be used for php5 fpm
+#       ping page
+#
+#
+#}
+{% block nginx_tpl_block_index %}
+        index {{ item.index | default('index.html index.htm index.php') }};
+
+{% endblock %}
+{% block nginx_tpl_block_location_root %}
+                try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files | d() else ["$uri $uri/ $uri.php"]) | join(' ') }};
+{% endblock %}
+{% block nginx_tpl_block_custom_status_locations %}
+{% if item.php5_status | d(nginx_php5_status) and (nginx_status or nginx_status_localhost) %}
+        location ~ ^/({{ item.php5_status_name | default(nginx_php5_status_name) }}|{{ item.php5_ping_name | default(nginx_php5_ping_name) }})$ {
+                access_log off;
+{% if nginx_status_localhost %}
+{% for address in nginx_status_localhost | unique | sort %}
+                allow {{ address }};
+{% endfor %}
+{% endif %}
+{% if nginx_status %}
+{% for address in nginx_status | unique | sort %}
+                allow {{ address }};
+{% endfor %}
+{% endif %}
+{% if item.php5_status is defined and item.php5_status %}
+{% for address in item.php5_status | unique | sort %}
+                allow {{ address }};
+{% endfor %}
+{% endif %}
+                deny all;
+                include fastcgi_params;
+                fastcgi_index index.php;
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                fastcgi_pass {{ item.php5 }};
+        }
+
+{% endif %}
+{% endblock %}
+{% block nginx_tpl_block_custom_locations %}
+{% if item.php5 is defined and item.php5 %}
+        # CVE-2019-11043 mitigation (https://security-tracker.debian.org/tracker/CVE-2019-11043)
+        # Based on: https://bugs.php.net/bug.php?id=78599
+        rewrite ^(.*?)\n $1;
+        location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
+{% if (item.php5_limit_except is undefined or (item.php5_limit_except is defined and item.php5_limit_except)) %}
+                limit_except {{ item.php5_limit_except | default('GET HEAD POST') }} { deny all; }
+
+{% endif %}
+                try_files $script_name =404;
+
+{% if (item.php5_include is undefined or (item.php5_include is defined and item.php5_include)) %}
+{% if (nginx_version is defined and nginx_version is version_compare('1.6.1','<')) %}
+                include {{ item.php5_include | default('fastcgi_params') }};
+{% else %}
+{% if nginx_flavor in [ 'passenger', 'nginx.org' ] %}
+                include {{ item.php5_include | default('fastcgi_params') }};
+                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+{% else %}
+                include {{ item.php5_include | default('fastcgi.conf') }};
+{% endif %}
+{% endif %}
+
+{% endif %}
+{% if item.php5_options is defined and item.php5_options %}
+                {{ item.php5_options | indent(16) | regex_replace("(?m)^\s*$", "") }}
+
+{% endif %}
+                # Mitigate HTTPOXY attacks (https://httpoxy.org/)
+                fastcgi_param HTTP_PROXY "";
+
+                fastcgi_index index.php;
+                fastcgi_pass {{ item.php5 }};
+        }
+
+        # CVE-2019-11043 mitigation (https://security-tracker.debian.org/tracker/CVE-2019-11043)
+        # Based on: https://bugs.php.net/bug.php?id=78599
+        rewrite ^(.*?)\n $1;
+        location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
+{% if (item.php5_limit_except is undefined or (item.php5_limit_except is defined and item.php5_limit_except)) %}
+                limit_except {{ item.php5_limit_except | default('GET HEAD POST') }} { deny all; }
+
+{% endif %}
+                try_files $script_name =404;
+
+{% if (item.php5_include is undefined or (item.php5_include is defined and item.php5_include)) %}
+                include {{ item.php5_include | default('fastcgi_params') }};
+{% if (item.php5_include is undefined) %}
+                fastcgi_param SCRIPT_FILENAME $document_root$script_name;
+                fastcgi_param PATH_INFO $path_info;
+{# This option doesn't work yet... #}
+                #fastcgi_param PATH_TRANSLATED $document_root$path_info;
+
+{% endif %}
+{% endif %}
+{% if item.php5_options is defined and item.php5_options %}
+                {{ item.php5_options | indent(16) | regex_replace("(?m)^\s*$", "") }}
+
+{% endif %}
+                # Mitigate HTTPOXY attacks (https://httpoxy.org/)
+                fastcgi_param HTTP_PROXY "";
+
+                fastcgi_index index.php;
+                fastcgi_pass {{ item.php5 }};
+        }
+
+{% else %}
+        location ~ \.php$ {
+                return 403;
+        }
+{% endif %}
+{% endblock %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/proxy.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/proxy.conf.j2
new file mode 100644
index 00000000..322391a8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/proxy.conf.j2
@@ -0,0 +1,46 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "default.conf.j2" %}
+{% block nginx_tpl_block_index %}
+{% endblock %}
+{% block nginx_tpl_block_location %}
+{% if (item.location is defined and item.location) or (item.location_list is defined and item.location_list) %}
+{%   if item.location_list is defined and item.location_list %}
+{{ print_location_list(item.location_list) }}
+{%   endif %}
+{%   if item.location is defined and item.location %}
+{{ print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}
+{%   endif %}
+{% else %}
+        location {{ item.proxy_location if item.proxy_location | d() else "/" }} {
+{%   if item.proxy_headers is undefined or item.proxy_headers | bool %}
+                proxy_set_header Host              $host;
+                proxy_set_header X-Real-IP         $remote_addr;
+                proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+{%     if not (item.redirect_to_ssl | d(True) | bool) %}
+                set $X_Forwarded_Proto "http";
+                set $X_Forwarded_Port 80;
+                if ($https) {
+                        set $X_Forwarded_Proto "https";
+                        set $X_Forwarded_Port 443;
+                }
+                proxy_set_header X-Forwarded-Proto $X_Forwarded_Proto;
+                proxy_set_header X-Forwarded-Port $X_Forwarded_Port;
+{%     else %}
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Forwarded-Port  {{ "443" if (nginx_tpl_ssl | d() and nginx_tpl_ssl | bool) else "80" }};
+{%     endif %}
+{%   elif item.proxy_headers | d() %}
+{{ item.proxy_headers | indent(16, true) | regex_replace("(?m)^\s*$", "") }}
+{%   endif %}
+{%   if item.proxy_options | d() and item.proxy_options %}
+{{ item.proxy_options | indent(16, true) | regex_replace("(?m)^\s*$", "") }}
+{%   endif %}
+                proxy_pass {{ item.proxy_pass }};
+        }
+
+{% endif %}
+{% endblock %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/rails.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/rails.conf.j2
new file mode 100644
index 00000000..8af3423e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/sites-available/rails.conf.j2
@@ -0,0 +1,46 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% extends "default.conf.j2" %}
+{% block nginx_tpl_block_location %}
+
+{%   if (item.location is defined and item.location) or (item.location_list is defined and item.location_list) %}
+{%     if item.location_list is defined and item.location_list %}
+{{       print_location_list(item.location_list) }}
+{%     endif %}
+{%     if item.location is defined and item.location %}
+{{       print_location(item.location, item.location_allow, item.location_referers, item.location_deny) }}
+{%     endif %}
+{%   else %}
+        location / {
+{%     block nginx_tpl_block_location_root %}
+                try_files {{ (([ item.try_files ] if item.try_files is string else item.try_files) if item.try_files | d() else nginx_default_try_files) | join(' ') }} =404;
+{%     endblock %}
+        }
+{%   endif %}
+
+{%   if nginx_flavor == 'passenger' %}
+        passenger_enabled on;
+{%     if item.passenger_ruby is defined and item.passenger_ruby %}
+        passenger_ruby {{ item.passenger_ruby }};
+{%     endif %}
+{%     if item.passenger_app_env is defined and item.passenger_app_env %}
+        passenger_app_env {{ item.passenger_app_env }};
+{%     endif %}
+{%     if item.passenger_user is defined and item.passenger_user %}
+        passenger_user {{ item.passenger_user }};
+{%       if item.passenger_group is defined and item.passenger_group %}
+        passenger_group {{ item.passenger_group }};
+{%       else %}
+        passenger_group {{ item.passenger_user }};
+{%       endif %}
+{%     endif %}
+        passenger_min_instances {{ item.passenger_min_instances | default(nginx_passenger_default_min_instances) }};
+{%     if item.passenger_options is defined and item.passenger_options %}
+{{ item.passenger_options | indent(8, true) | regex_replace("(?m)^\s*$", "") }}
+{%     endif %}
+
+{%   endif %}
+{% endblock %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/acme-challenge.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/acme-challenge.conf.j2
new file mode 100644
index 00000000..2daac120
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/acme-challenge.conf.j2
@@ -0,0 +1,46 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Automatic Certificate Management Environment (ACME) support.
+# https://tools.ietf.org/html/draft-ietf-acme-acme-01
+# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
+
+
+# Return the ACME challenge present in the server public root.
+# If not found, switch to global web server root.
+location ^~ /.well-known/acme-challenge/ {
+        allow all;
+        default_type "text/plain";
+        try_files $uri @well-known-acme-challenge;
+}
+
+# Return the ACME challenge present in the global server public root.
+# If not present, redirect request to a specified domain.
+location @well-known-acme-challenge {
+        allow all;
+        root {{ nginx_acme_root }};
+        default_type "text/plain";
+{% if nginx_acme_domain %}
+        try_files $uri @redirect-acme-challenge;
+{% endif %}
+}
+
+{% if nginx_acme_domain %}
+# Redirect the ACME challenge to a different host. If a redirect loop is
+# detected, return 404.
+location @redirect-acme-challenge {
+        if ($arg_redirect) {
+                return 404;
+        }
+        return 307 $scheme://{{ nginx_acme_domain }}$request_uri?redirect=yes;
+}
+
+{% endif %}
+# Return 404 if ACME challenge well known path is accessed directly.
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/ssl.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/ssl.conf.j2
new file mode 100644
index 00000000..7dbcd419
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/nginx/snippets/ssl.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Define default SSL configuration options
+
+ssl_protocols               {{ nginx_default_tls_protocols | join(" ") }};
+ssl_prefer_server_ciphers   {{ "off"
+                               if nginx_default_tls_protocols | length == 1 and
+                                  nginx_default_tls_protocols[0] == "TLSv1.3"
+                               else "on" }};
+ssl_ciphers                 {{ nginx_ssl_ciphers[nginx_default_ssl_ciphers] }};
+{% if nginx_ssl_dhparam != '' %}
+ssl_dhparam                 {{ nginx_ssl_dhparam }};
+{% endif %}
+{% if nginx_default_ssl_curve %}
+ssl_ecdh_curve              {{ nginx_default_ssl_curve }};
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/pki/hooks/nginx.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/pki/hooks/nginx.j2
new file mode 100644
index 00000000..dd3303b9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/pki/hooks/nginx.j2
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart nginx on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+nginx_config="/etc/nginx/nginx.conf"
+nginx_sites="/etc/nginx/sites-enabled"
+nginx_action="{{ nginx_pki_hook_action }}"
+
+# Check if current PKI realm is used by the 'nginx' webserver
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${nginx_sites}/* || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                nginx_state="$(systemctl is-active nginx.service)"
+                if [ "${nginx_state}" = "active" ] ; then
+                    if /usr/sbin/nginx -c "${nginx_config}" -t > /dev/null 2>&1 ; then
+                        systemctl "${nginx_action}" nginx.service
+                    fi
+                fi
+
+            else
+
+                nginx_pidfile="$(grep -E '^pid\s+' "${nginx_config}" | awk '{print $2}' | cut -d\; -f1)"
+                if kill -0 "$(<"${nginx_pidfile}")" > /dev/null 2>&1 ; then
+                    if /usr/sbin/nginx -c "${nginx_config}" -t > /dev/null 2>&1 ; then
+                        /usr/sbin/service nginx "${nginx_action}" > /dev/null
+                    fi
+                fi
+
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/sudoers.d/nginx_webadmins.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/sudoers.d/nginx_webadmins.j2
new file mode 100644
index 00000000..6d11446d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/sudoers.d/nginx_webadmins.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+Cmnd_Alias NGINX_RELOAD =  /etc/init.d/nginx reload, \
+                           /bin/systemctl reload nginx.service
+
+Cmnd_Alias NGINX_STATUS =  /etc/init.d/nginx status, \
+                           /bin/systemctl status nginx.service
+
+Cmnd_Alias NGINX_STOP =    /etc/init.d/nginx stop, \
+                           /bin/systemctl stop nginx.service
+
+Cmnd_Alias NGINX_START =   /etc/init.d/nginx start, \
+                           /bin/systemctl start nginx.service
+
+Cmnd_Alias NGINX_RESTART = /etc/init.d/nginx restart, \
+                           /bin/systemctl restart nginx.service
+
+%{{ nginx_privileged_group }} ALL = (root) NOPASSWD: NGINX_RELOAD
+%{{ nginx_privileged_group }} ALL = (root) NOPASSWD: NGINX_STATUS
+%{{ nginx_privileged_group }} ALL = (root) NOPASSWD: NGINX_STOP
+%{{ nginx_privileged_group }} ALL = (root) NOPASSWD: NGINX_START
+%{{ nginx_privileged_group }} ALL = (root) NOPASSWD: NGINX_RESTART
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/etc/systemd/system/nginx.service.d/wait-for-network.conf.j2 b/ansible_collections/debops/debops/roles/nginx/templates/etc/systemd/system/nginx.service.d/wait-for-network.conf.j2
new file mode 100644
index 00000000..8f373b4d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/etc/systemd/system/nginx.service.d/wait-for-network.conf.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Ensure that 'nginx.service' waits for the network services to be configured
+# before starting. This avoids an issue where 'nginx' might fail because remote
+# upstream servers defined by hostnames are unreachable.
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943934
+#
+# This also fixes issues with IPv6 enabled hosts where IPv6 addresses might not
+# be configured at the time 'nginx' is started.
+# Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861261
+#
+# Note that this is the default since Debian package version 1.22.0-2,
+# i.e. Debian Bookworm/Ubuntu Mantic or later.
+
+[Unit]
+After=network-online.target
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/index.html.j2 b/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/index.html.j2
new file mode 100644
index 00000000..b9ec0ccd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/index.html.j2
@@ -0,0 +1,76 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<!DOCTYPE html>
+<html lang="en">
+{% set nginx_tpl_domain = item.welcome_domain | d(item.name if (item.name is string) else item.name[0] | d(ansible_domain)) %}
+{% if nginx_tpl_domain %}
+{%   set nginx_tpl_welcome_title = '<a href="' + item.welcome_url_scheme | d("https") + '://' + nginx_tpl_domain + '/">' + nginx_tpl_domain + '</a>' %}
+{% else %}
+{%   set nginx_tpl_welcome_title = '<a href="http://companyname.website/">CompanyName.website</a>' %}
+{% endif %}
+
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+    <meta name="referrer" content="no-referrer">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>{{ nginx_tpl_domain | d("CompanyName.website") }}</title>
+{% if item.welcome_css | d(True) | bool %}
+    <link rel="stylesheet" type="text/css" media="screen" href="normalize.css">
+    <style type="text/css" media="screen">
+html {
+  font-size: 17px;
+  font-family: "Droid Sans Condensed", sans-serif;
+}
+
+@media (max-width: 900px) {
+  html { font-size: 15px; }
+}
+
+@media (max-width: 400px) {
+  html { font-size: 13px; }
+}
+
+#content {
+  margin: 0 auto;
+  width: 600px;
+  padding: 2rem;
+  text-align: center;
+}
+
+@media (max-width: 900px) {
+  #content {
+    width: 70%;
+    padding: 1.5rem;
+  }
+}
+
+h1 {
+  padding-bottom: 0.05em;
+  border-bottom: 2px solid #0092DF;
+}
+
+a {
+  text-decoration: none;
+  color: #0092DF;
+}
+    </style>
+{% endif %}
+  </head>
+
+  <body>
+    <div id="content">
+
+      <h2>{{ nginx_tpl_welcome_title }}</h2>
+
+{% if nginx_tpl_domain %}
+      <p id="http-status"><strong>{{ item.welcome_status_choices | d([ '200 OK', "418 I'm a teapot" ]) | random }}</strong></p>
+{% elif not nginx_tpl_domain %}
+      <p>If you're reading this, the web server was installed correctly.</p>
+{% endif %}
+
+    </div>
+  </body>
+</html>
diff --git a/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/normalize.css b/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/normalize.css
new file mode 100644
index 00000000..adeacc27
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nginx/templates/srv/www/sites/welcome/public/normalize.css
@@ -0,0 +1,427 @@
+/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
+/* Copyright (C) 2015 Nicolas Gallagher <nicolasgallagher@gmail.com> */
+/* Copyright (C) 2015 Jonathan Neal <jonathantneal@hotmail.com> */
+/* SPDX-License-Identifier: MIT */
+
+/**
+ * 1. Set default font family to sans-serif.
+ * 2. Prevent iOS and IE text size adjust after device orientation change,
+ *    without disabling user zoom.
+ */
+
+html {
+  font-family: sans-serif; /* 1 */
+  -ms-text-size-adjust: 100%; /* 2 */
+  -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/**
+ * Remove default margin.
+ */
+
+body {
+  margin: 0;
+}
+
+/* HTML5 display definitions
+   ========================================================================== */
+
+/**
+ * Correct `block` display not defined for any HTML5 element in IE 8/9.
+ * Correct `block` display not defined for `details` or `summary` in IE 10/11
+ * and Firefox.
+ * Correct `block` display not defined for `main` in IE 11.
+ */
+
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+main,
+menu,
+nav,
+section,
+summary {
+  display: block;
+}
+
+/**
+ * 1. Correct `inline-block` display not defined in IE 8/9.
+ * 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
+ */
+
+audio,
+canvas,
+progress,
+video {
+  display: inline-block; /* 1 */
+  vertical-align: baseline; /* 2 */
+}
+
+/**
+ * Prevent modern browsers from displaying `audio` without controls.
+ * Remove excess height in iOS 5 devices.
+ */
+
+audio:not([controls]) {
+  display: none;
+  height: 0;
+}
+
+/**
+ * Address `[hidden]` styling not present in IE 8/9/10.
+ * Hide the `template` element in IE 8/9/10/11, Safari, and Firefox < 22.
+ */
+
+[hidden],
+template {
+  display: none;
+}
+
+/* Links
+   ========================================================================== */
+
+/**
+ * Remove the gray background color from active links in IE 10.
+ */
+
+a {
+  background-color: transparent;
+}
+
+/**
+ * Improve readability of focused elements when they are also in an
+ * active/hover state.
+ */
+
+a:active,
+a:hover {
+  outline: 0;
+}
+
+/* Text-level semantics
+   ========================================================================== */
+
+/**
+ * Address styling not present in IE 8/9/10/11, Safari, and Chrome.
+ */
+
+abbr[title] {
+  border-bottom: 1px dotted;
+}
+
+/**
+ * Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
+ */
+
+b,
+strong {
+  font-weight: bold;
+}
+
+/**
+ * Address styling not present in Safari and Chrome.
+ */
+
+dfn {
+  font-style: italic;
+}
+
+/**
+ * Address variable `h1` font-size and margin within `section` and `article`
+ * contexts in Firefox 4+, Safari, and Chrome.
+ */
+
+h1 {
+  font-size: 2em;
+  margin: 0.67em 0;
+}
+
+/**
+ * Address styling not present in IE 8/9.
+ */
+
+mark {
+  background: #ff0;
+  color: #000;
+}
+
+/**
+ * Address inconsistent and variable font size in all browsers.
+ */
+
+small {
+  font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` affecting `line-height` in all browsers.
+ */
+
+sub,
+sup {
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+}
+
+sup {
+  top: -0.5em;
+}
+
+sub {
+  bottom: -0.25em;
+}
+
+/* Embedded content
+   ========================================================================== */
+
+/**
+ * Remove border when inside `a` element in IE 8/9/10.
+ */
+
+img {
+  border: 0;
+}
+
+/**
+ * Correct overflow not hidden in IE 9/10/11.
+ */
+
+svg:not(:root) {
+  overflow: hidden;
+}
+
+/* Grouping content
+   ========================================================================== */
+
+/**
+ * Address margin not present in IE 8/9 and Safari.
+ */
+
+figure {
+  margin: 1em 40px;
+}
+
+/**
+ * Address differences between Firefox and other browsers.
+ */
+
+hr {
+  box-sizing: content-box;
+  height: 0;
+}
+
+/**
+ * Contain overflow in all browsers.
+ */
+
+pre {
+  overflow: auto;
+}
+
+/**
+ * Address odd `em`-unit font size rendering in all browsers.
+ */
+
+code,
+kbd,
+pre,
+samp {
+  font-family: monospace, monospace;
+  font-size: 1em;
+}
+
+/* Forms
+   ========================================================================== */
+
+/**
+ * Known limitation: by default, Chrome and Safari on OS X allow very limited
+ * styling of `select`, unless a `border` property is set.
+ */
+
+/**
+ * 1. Correct color not being inherited.
+ *    Known issue: affects color of disabled elements.
+ * 2. Correct font properties not being inherited.
+ * 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+  color: inherit; /* 1 */
+  font: inherit; /* 2 */
+  margin: 0; /* 3 */
+}
+
+/**
+ * Address `overflow` set to `hidden` in IE 8/9/10/11.
+ */
+
+button {
+  overflow: visible;
+}
+
+/**
+ * Address inconsistent `text-transform` inheritance for `button` and `select`.
+ * All other form control elements do not inherit `text-transform` values.
+ * Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
+ * Correct `select` style inheritance in Firefox.
+ */
+
+button,
+select {
+  text-transform: none;
+}
+
+/**
+ * 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
+ *    and `video` controls.
+ * 2. Correct inability to style clickable `input` types in iOS.
+ * 3. Improve usability and consistency of cursor style between image-type
+ *    `input` and others.
+ */
+
+button,
+html input[type="button"], /* 1 */
+input[type="reset"],
+input[type="submit"] {
+  -webkit-appearance: button; /* 2 */
+  cursor: pointer; /* 3 */
+}
+
+/**
+ * Re-set default cursor for disabled elements.
+ */
+
+button[disabled],
+html input[disabled] {
+  cursor: default;
+}
+
+/**
+ * Remove inner padding and border in Firefox 4+.
+ */
+
+button::-moz-focus-inner,
+input::-moz-focus-inner {
+  border: 0;
+  padding: 0;
+}
+
+/**
+ * Address Firefox 4+ setting `line-height` on `input` using `!important` in
+ * the UA stylesheet.
+ */
+
+input {
+  line-height: normal;
+}
+
+/**
+ * It's recommended that you don't attempt to style these elements.
+ * Firefox's implementation doesn't respect box-sizing, padding, or width.
+ *
+ * 1. Address box sizing set to `content-box` in IE 8/9/10.
+ * 2. Remove excess padding in IE 8/9/10.
+ */
+
+input[type="checkbox"],
+input[type="radio"] {
+  box-sizing: border-box; /* 1 */
+  padding: 0; /* 2 */
+}
+
+/**
+ * Fix the cursor style for Chrome's increment/decrement buttons. For certain
+ * `font-size` values of the `input`, it causes the cursor style of the
+ * decrement button to change from `default` to `text`.
+ */
+
+input[type="number"]::-webkit-inner-spin-button,
+input[type="number"]::-webkit-outer-spin-button {
+  height: auto;
+}
+
+/**
+ * 1. Address `appearance` set to `searchfield` in Safari and Chrome.
+ * 2. Address `box-sizing` set to `border-box` in Safari and Chrome.
+ */
+
+input[type="search"] {
+  -webkit-appearance: textfield; /* 1 */
+  box-sizing: content-box; /* 2 */
+}
+
+/**
+ * Remove inner padding and search cancel button in Safari and Chrome on OS X.
+ * Safari (but not Chrome) clips the cancel button when the search input has
+ * padding (and `textfield` appearance).
+ */
+
+input[type="search"]::-webkit-search-cancel-button,
+input[type="search"]::-webkit-search-decoration {
+  -webkit-appearance: none;
+}
+
+/**
+ * Define consistent border, margin, and padding.
+ */
+
+fieldset {
+  border: 1px solid #c0c0c0;
+  margin: 0 2px;
+  padding: 0.35em 0.625em 0.75em;
+}
+
+/**
+ * 1. Correct `color` not being inherited in IE 8/9/10/11.
+ * 2. Remove padding so people aren't caught out if they zero out fieldsets.
+ */
+
+legend {
+  border: 0; /* 1 */
+  padding: 0; /* 2 */
+}
+
+/**
+ * Remove default vertical scrollbar in IE 8/9/10/11.
+ */
+
+textarea {
+  overflow: auto;
+}
+
+/**
+ * Don't inherit the `font-weight` (applied by a rule above).
+ * NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
+ */
+
+optgroup {
+  font-weight: bold;
+}
+
+/* Tables
+   ========================================================================== */
+
+/**
+ * Remove most spacing between table cells.
+ */
+
+table {
+  border-collapse: collapse;
+  border-spacing: 0;
+}
+
+td,
+th {
+  padding: 0;
+}
diff --git a/ansible_collections/debops/debops/roles/nodejs/COPYRIGHT b/ansible_collections/debops/debops/roles/nodejs/COPYRIGHT
new file mode 100644
index 00000000..37e39f69
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nodejs/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.nodejs - Manage NodeJS environment using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nodejs/defaults/main.yml b/ansible_collections/debops/debops/roles/nodejs/defaults/main.yml
new file mode 100644
index 00000000..712512bf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nodejs/defaults/main.yml
@@ -0,0 +1,251 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nodejs__ref_defaults:
+
+# debops.nodejs default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global configuration [[[
+# ------------------------
+
+# .. envvar:: nodejs__distribution_release [[[
+#
+# Specify the OS distribution release to use for the upstream APT repositories
+# and other configuration.
+nodejs__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Node upstream configuration [[[
+# -------------------------------
+
+# .. envvar:: nodejs__node_upstream [[[
+#
+# Enable or disable support for NodeSource APT repositories. On older
+# distribution versions the upstream package will be installed due to no
+# security support.
+nodejs__node_upstream: '{{ ansible_local.nodejs.node_upstream
+                            | d(nodejs__distribution_release in ["xenial"]) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__node_upstream_release [[[
+#
+# Specify the Node.js release to install from the NodeSource APT repository.
+# See https://github.com/nodejs/Release for the current release and maintenance
+# schedule. Available releases:
+#
+# - ``node_8.x``
+#
+# - ``node_10.x``
+#
+# - ``node_12.x``
+#
+nodejs__node_upstream_release: '{{ "node_8.x"
+                                   if (nodejs__distribution_release in
+                                       ["stretch", "trusty",
+                                        "xenial", "bionic"])
+                                   else "node_10.x" }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__node_upstream_key_id [[[
+#
+# GPG fingerprint of APT repository signing key.
+nodejs__node_upstream_key_id: '9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__node_upstream_repository [[[
+#
+# URL of the NodeSource APT repository in ``sources.list`` format.
+nodejs__node_upstream_repository: 'deb https://deb.nodesource.com/{{ nodejs__node_upstream_release }} {{ nodejs__distribution_release }} main'
+                                                                   # ]]]
+                                                                   # ]]]
+# Yarn upstream configuration [[[
+# -------------------------------
+
+# .. envvar:: nodejs__yarn_upstream [[[
+#
+# Enable or disable support for Yarn upstream APT repository.
+#
+# At the moment the ``yarnpkg`` package in Debian Buster is broken if Node.js
+# from NodeSource is installed, therefore in that case installation from
+# upstream will be enabled automatically. Ref: https://bugs.debian.org/933229
+nodejs__yarn_upstream: '{{ True
+                           if nodejs__node_upstream | bool
+                           else (ansible_local.nodejs.yarn_upstream
+                                  | d(nodejs__distribution_release in
+                                    ["stretch", "xenial", "bionic"])) }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__yarn_upstream_key_id [[[
+#
+# GPG fingerprint of Yarn APT repository signing key.
+nodejs__yarn_upstream_key_id: '72ECF46A56B4AD39C907BBB71646B01B86E50310'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__yarn_upstream_repository [[[
+#
+# URL of the NodeSource APT repository in ``sources.list`` format.
+nodejs__yarn_upstream_repository: 'deb https://dl.yarnpkg.com/debian/ stable main'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: nodejs__remove_packages [[[
+#
+# List of APT packages to remove before installation of Node.js support.
+nodejs__remove_packages:
+
+  # This package collides with the 'yarn' upstream package
+  # Ref: https://bugs.debian.org/913997
+  - 'cmdtest'
+
+  # Remove the OS release package if Yarn from upstream should be installed
+  - '{{ "yarnpkg" if nodejs__yarn_upstream | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__base_packages [[[
+#
+# List of base APT packages to install.
+nodejs__base_packages:
+  - 'nodejs'
+  - '{{ [] if nodejs__node_upstream | bool else "npm" }}'
+  - '{{ "yarn"
+        if nodejs__yarn_upstream | bool
+        else ([]
+              if (nodejs__distribution_release in
+                  ["stretch", "trusty",
+                   "xenial", "bionic"])
+              else "yarnpkg") }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__packages [[[
+#
+# List of APT packages to install on all hosts in Ansible inventory.
+nodejs__packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__group_packages [[[
+#
+# List of APT packages to install ona group of hosts in Ansible inventory.
+nodejs__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__host_packages [[[
+#
+# List of APT packages to install on specific hosts in Ansible inventory.
+nodejs__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__dependent_packages [[[
+#
+# List of APT packages to install specified by other Ansible roles.
+nodejs__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# NPM packages [[[
+# ----------------
+
+# You can use the lists below to install NPM packages. Each element of a list
+# is either a NPM package name, or a YAML dictionary with parameters supported
+# by the ``npm`` Ansible module. See that module documentation for list of
+# supported parameters. An example:
+#
+# .. code-block:: yaml
+#
+#    nodejs__npm_packages:
+#      - 'bower'
+#
+#      - name: 'gulp'
+#        version: '3'
+
+# .. envvar:: nodejs__npm_packages [[[
+#
+# List of NPM packages to install on all hosts in Ansible inventory.
+nodejs__npm_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__npm_group_packages [[[
+#
+# List of NPM packages to install on a group of hosts in Ansible inventory.
+nodejs__npm_group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__npm_host_packages [[[
+#
+# List of NPM packages to install on specific hosts in Ansible inventory.
+nodejs__npm_host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__npm_dependent_packages [[[
+#
+# List of NPM packages to install specified by other Ansible roles.
+nodejs__npm_dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: nodejs__npm_production_mode [[[
+#
+# If production mode is not specified for an NPM package, the default value set
+# here will be used instead. By default role does no install development
+# dependencies of a given package. You can override this value using
+# ``item.production`` parameter.
+nodejs__npm_production_mode: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: nodejs__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+nodejs__apt_preferences__dependent_list:
+
+  - packages: [ 'nodejs', 'nodejs-*', 'node-*', 'libssl1.0.0', 'libssl-dev', 'npm', 'libuv1', 'libuv1-dev' ]
+    backports: [ 'stretch' ]
+    reason: 'Unsupported NodeJS version, parity with next Debian release'
+    by_role: 'debops_nodejs'
+    filename: 'debops_nodejs.pref'
+    state: '{{ "absent" if nodejs__node_upstream | bool else "present" }}'
+
+  - package: '*'
+    pin: 'origin "deb.nodesource.com"'
+    priority: '100'
+    reason: "Don't upgrade software automatically using packages from external repository"
+    role: 'debops.nodejs'
+    suffix: '_deb_nodesource_com'
+    state: '{{ "present" if nodejs__node_upstream | bool else "absent" }}'
+
+  - packages: [ 'nodejs', 'nodejs-*' ]
+    pin: 'origin "deb.nodesource.com"'
+    priority: '501'
+    reason: 'Prefer nodejs packages from the same repository for consistency'
+    role: 'debops.nodejs'
+    suffix: '_deb_nodesource_com'
+    state: '{{ "present" if nodejs__node_upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nodejs__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+nodejs__keyring__dependent_apt_keys:
+
+  - id: '{{ nodejs__node_upstream_key_id }}'
+    repo: '{{ nodejs__node_upstream_repository }}'
+    state: '{{ "present" if nodejs__node_upstream | bool else "absent" }}'
+
+  - id: '{{ nodejs__yarn_upstream_key_id }}'
+    repo: '{{ nodejs__yarn_upstream_repository }}'
+    state: '{{ "present" if nodejs__yarn_upstream | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nodejs/meta/main.yml b/ansible_collections/debops/debops/roles/nodejs/meta/main.yml
new file mode 100644
index 00000000..5da65962
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nodejs/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install NodeJS and NPM packages'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - nodejs
+    - npm
diff --git a/ansible_collections/debops/debops/roles/nodejs/tasks/main.yml b/ansible_collections/debops/debops/roles/nodejs/tasks/main.yml
new file mode 100644
index 00000000..2ea98063
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nodejs/tasks/main.yml
@@ -0,0 +1,82 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Remove conflicting APT packages
+  ansible.builtin.apt:
+    name: '{{ q("flattened", nodejs__remove_packages) }}'
+    state: 'absent'
+    purge: True
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Install APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (nodejs__base_packages
+                              + nodejs__packages
+                              + nodejs__group_packages
+                              + nodejs__host_packages
+                              + nodejs__dependent_packages)) }}'
+    state: '{{ "latest"
+               if (nodejs__node_upstream | bool and
+                   (ansible_local | d() and ansible_local.nodejs | d() and
+                    ansible_local.nodejs.node_upstream is defined and
+                    not ansible_local.nodejs.node_upstream | bool))
+               else "present" }}'
+    autoremove: '{{ True
+                    if (nodejs__node_upstream | bool and
+                        (ansible_local | d() and ansible_local.nodejs | d() and
+                         ansible_local.nodejs.node_upstream is defined and
+                         not ansible_local.nodejs.node_upstream | bool))
+                    else omit }}'
+  notify: [ 'Refresh host facts' ]
+  register: nodejs__register_packages
+  until: nodejs__register_packages is succeeded
+
+  # The 'yarnpkg' package in Debian does not provide a 'yarn' binary which
+  # might be expected by other tools/scripts.
+  # Ref: https://bugs.debian.org/843021
+- name: Maintain 'yarn' symlink for the 'yarnpkg' package
+  ansible.builtin.file:
+    path: '/usr/local/bin/yarn'
+    src: '{{ omit if nodejs__yarn_upstream | bool else "/usr/bin/yarnpkg" }}'
+    state: '{{ "absent" if nodejs__yarn_upstream | bool else "link" }}'
+    mode: '0755'
+
+- name: Install NPM packages
+  community.general.npm:
+    name:           '{{ item.name | d(item) }}'
+    state:          '{{ item.state | d("present") }}'
+    global:         '{{ (item.global | d(True)) | bool }}'
+    production:     '{{ (item.production | d(nodejs__npm_production_mode)) | bool }}'
+    version:        '{{ item.version | d(omit) }}'
+    registry:       '{{ item.registry | d(omit) }}'
+    executable:     '{{ item.executable | d(omit) }}'
+    ignore_scripts: '{{ item.ignore_scripts | d(omit) }}'
+    path:           '{{ item.path | d(omit) }}'
+  loop: '{{ q("flattened", nodejs__npm_packages
+                           + nodejs__npm_group_packages
+                           + nodejs__npm_host_packages
+                           + nodejs__npm_dependent_packages) }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Node.js local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/nodejs.fact.j2'
+    dest: '/etc/ansible/facts.d/nodejs.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/nodejs/templates/etc/ansible/facts.d/nodejs.fact.j2 b/ansible_collections/debops/debops/roles/nodejs/templates/etc/ansible/facts.d/nodejs.fact.j2
new file mode 100644
index 00000000..ba001147
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nodejs/templates/etc/ansible/facts.d/nodejs.fact.j2
@@ -0,0 +1,94 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Patrick Heeney <patrickheeney@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{
+    {"configured": True,
+     "node_upstream": (ansible_local.nodejs.node_upstream
+                       if (ansible_local.nodejs.node_upstream | d())
+                       else nodejs__node_upstream),
+     "yarn_upstream": (ansible_local.nodejs.yarn_upstream
+                      if (ansible_local.nodejs.yarn_upstream | d())
+                      else nodejs__yarn_upstream)
+    } | to_json }}''')
+
+output['node_installed'] = cmd_exists('node')
+output['npm_installed'] = cmd_exists('npm')
+output['yarn_installed'] = cmd_exists('yarn')
+
+
+if output['node_installed']:
+    try:
+        version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "nodejs"]).decode('utf-8').split('~')[0].split('-')[0]
+        output['node_version'] = version_stdout
+
+    except Exception:
+        pass
+
+
+if output['npm_installed']:
+    try:
+        version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "npm"]).decode('utf-8').split('+')[0]
+        output['npm_version'] = version_stdout
+        output['npm_upstream'] = False
+
+        # The NodeJS from upstream includes its own 'npm' release, separate
+        # 'npm' .deb package is not provided.
+        if not output['npm_version']:
+            try:
+                version_stdout = subprocess.check_output(
+                        ["npm", "--version"]).decode('utf-8').strip()
+                output['npm_version'] = version_stdout
+                output['npm_upstream'] = True
+
+            except Exception:
+                pass
+
+    except Exception:
+        pass
+
+
+if output['yarn_installed']:
+    try:
+        with open(os.devnull, 'w') as devnull:
+            version_stdout = subprocess.check_output(
+                    ["dpkg-query", "-W", "-f=${Version}", "yarnpkg"],
+                    stderr=devnull).decode('utf-8').split('-')[0]
+            output['yarn_version'] = version_stdout
+
+    except Exception:
+        try:
+            version_stdout = subprocess.check_output(
+                    ["dpkg-query", "-W", "-f=${Version}",
+                     "yarn"]).decode('utf-8').split('-')[0]
+            output['yarn_version'] = version_stdout
+
+        except Exception:
+            pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/nscd/COPYRIGHT b/ansible_collections/debops/debops/roles/nscd/COPYRIGHT
new file mode 100644
index 00000000..72c179ab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nscd - Manage Name Service Cache Daemon with Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nscd/defaults/main.yml b/ansible_collections/debops/debops/roles/nscd/defaults/main.yml
new file mode 100644
index 00000000..14795d40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/defaults/main.yml
@@ -0,0 +1,193 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nscd__ref_defaults:
+
+# debops.nscd default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global options, APT packages [[[
+# --------------------------------
+
+# .. envvar:: nscd__flavor [[[
+#
+# Select the "flavor" of the Name Service Cache Daemon to use. Available
+# flavors are: ``nscd``, ``unscd``. The ``unscd`` flavor is simpler, but more
+# resilient.
+nscd__flavor: 'unscd'
+
+                                                                   # ]]]
+# .. envvar:: nscd__base_packages [[[
+#
+# List of the base APT packages to install for Name Service Cache support.
+nscd__base_packages: [ '{{ nscd__flavor }}' ]
+
+                                                                   # ]]]
+# .. envvar:: nscd__packages [[[
+#
+# List of additional APT packages to install with :command:`nscd`.
+nscd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Service configuration [[[
+# -------------------------
+
+# These variables define the contents of the :file:`/etc/nscd.conf`
+# configuration file. See :ref:`nscd__ref_configuration` for more details.
+
+# .. envvar:: nscd__default_configuration [[[
+#
+# The default configuration options for the :command:`nscd` service defined by
+# the role.
+nscd__default_configuration:
+
+  - name: 'global'
+    options:
+
+      - name: 'logfile'
+        value: '/var/log/nscd.log'
+        state: 'comment'
+
+      - name: 'threads'
+        value: 4
+        state: 'comment'
+
+      - name: 'max_threads'
+        value: 32
+        state: 'comment'
+
+      - name: 'server_user'
+        value: '{{ "unscd"
+                   if (nscd__flavor == "unscd")
+                   else "nobody" }}'
+        state: '{{ "present"
+                   if (nscd__flavor == "unscd")
+                   else "comment" }}'
+
+      - name: 'stat_user'
+        value: 'somebody'
+        state: 'comment'
+
+      - name: 'debug_level'
+        value: 0
+
+      - name: 'reload_count'
+        value: 5
+        state: 'comment'
+
+      - name: 'paranoia'
+        value: False
+
+      - name: 'restart_interval'
+        value: 3600
+        state: 'comment'
+
+  - name: 'passwd'
+    enable_cache: True
+    positive_time_to_live: 600
+    negative_time_to_live: 20
+    suggested_size: 1001
+    check_files: True
+    persistent: True
+    shared: True
+    max_db_size: 33554432
+    auto_propagate: True
+
+  - name: 'group'
+    enable_cache: True
+    positive_time_to_live: 3600
+    negative_time_to_live: 60
+    suggested_size: 1001
+    check_files: True
+    persistent: True
+    shared: True
+    max_db_size: 33554432
+    auto_propagate: True
+
+  - name: 'hosts'
+    comment: |
+      hosts caching is broken with gethostby* calls, hence is now disabled
+      by default. Specifically, the caching does not obey DNS TTLs, and
+      thus could lead to problems if the positive-time-to-live is
+      significantly larger than the actual TTL.
+
+      You should really use a caching nameserver instead of nscd for this
+      sort of request. However, you can easily re-enable this by default.
+    enable_cache: False
+    positive_time_to_live: 3600
+    negative_time_to_live: 20
+    suggested_size: 1001
+    check_files: True
+    persistent: True
+    shared: True
+    max_db_size: 33554432
+    state: 'comment'
+
+  - name: 'services'
+    enable_cache: True
+    positive_time_to_live: 28800
+    negative_time_to_live: 20
+    suggested_size: 1001
+    check_files: True
+    persistent: True
+    shared: True
+    max_db_size: 33554432
+    state: '{{ "absent"
+               if (nscd__flavor == "unscd")
+               else "present" }}'
+
+  - name: 'netgroup'
+    enable_cache: True
+    positive_time_to_live: 28800
+    negative_time_to_live: 20
+    suggested_size: 1001
+    check_files: True
+    persistent: True
+    shared: True
+    max_db_size: 33554432
+    state: '{{ "absent"
+               if (nscd__flavor == "unscd")
+               else "present" }}'
+
+                                                                   # ]]]
+# .. envvar:: nscd__configuration [[[
+#
+# The configuration options for the :command:`nscd` service defined on all
+# hosts in the Ansible inventory.
+nscd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nscd__group_configuration [[[
+#
+# The configuration options for the :command:`nscd` service defined on hosts in
+# a specific Ansible inventory group.
+nscd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nscd__host_configuration [[[
+#
+# The configuration options for the :command:`nscd` service defined on specific
+# hosts in the Ansible inventory.
+nscd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nscd__combined_configuration [[[
+#
+# The variable that combines all other configuration variables and is used in
+# role tasks and templates.
+nscd__combined_configuration: '{{ nscd__default_configuration
+                                  + nscd__configuration
+                                  + nscd__group_configuration
+                                  + nscd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nscd/meta/main.yml b/ansible_collections/debops/debops/roles/nscd/meta/main.yml
new file mode 100644
index 00000000..ba46f388
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Name Service Cache Daemon'
+  company: 'DebOps'
+  license: 'GPL-3.0'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ldap
+    - nss
diff --git a/ansible_collections/debops/debops/roles/nscd/tasks/main.yml b/ansible_collections/debops/debops/roles/nscd/tasks/main.yml
new file mode 100644
index 00000000..093af344
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", nscd__base_packages + nscd__packages) }}'
+    state: 'present'
+  register: nscd__register_packages
+  until: nscd__register_packages is succeeded
+
+- name: Divert the nscd configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/nscd.conf'
+
+- name: Generate nscd configuration
+  ansible.builtin.template:
+    src: 'etc/nscd.conf.j2'
+    dest: '/etc/nscd.conf'
+    mode: '0644'
+  register: nscd__register_config
+
+- name: Restart nscd if its configuration was modified
+  ansible.builtin.service:  # noqa no-handler
+    name: '{{ nscd__flavor }}'
+    state: 'restarted'
+  when: nscd__register_config is changed
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save nscd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/nscd.fact.j2'
+    dest: '/etc/ansible/facts.d/nscd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/nscd/templates/etc/ansible/facts.d/nscd.fact.j2 b/ansible_collections/debops/debops/roles/nscd/templates/etc/ansible/facts.d/nscd.fact.j2
new file mode 100644
index 00000000..80bd235f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/templates/etc/ansible/facts.d/nscd.fact.j2
@@ -0,0 +1,30 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{
+    {"configured": True,
+     "flavor": nscd__flavor
+    } | to_nice_json }}''')
+
+output['installed'] = cmd_exists('nscd')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/nscd/templates/etc/nscd.conf.j2 b/ansible_collections/debops/debops/roles/nscd/templates/etc/nscd.conf.j2
new file mode 100644
index 00000000..a9d2ff70
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nscd/templates/etc/nscd.conf.j2
@@ -0,0 +1,127 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#
+# /etc/nscd.conf
+#
+# A Name Service Cache config file.  This file is needed by nscd.
+#
+# Legal entries are:
+#
+#	logfile			<file>
+#	debug-level		<level>
+#	threads			<initial #threads to use>
+#	max-threads		<maximum #threads to use>
+#	server-user             <user to run server as instead of root>
+#		server-user is ignored if nscd is started with -S parameters
+#       stat-user               <user who is allowed to request statistics>
+#	reload-count		unlimited|<number>
+#	paranoia		<yes|no>
+#	restart-interval	<time in seconds>
+#
+#       enable-cache		<service> <yes|no>
+#	positive-time-to-live	<service> <time in seconds>
+#	negative-time-to-live   <service> <time in seconds>
+#       suggested-size		<service> <prime number>
+#	check-files		<service> <yes|no>
+#	persistent		<service> <yes|no>
+#	shared			<service> <yes|no>
+#	max-db-size		<service> <number bytes>
+#	auto-propagate		<service> <yes|no>
+#
+# Currently supported cache names (services): passwd, group, hosts, services
+#
+
+
+{% macro print_global(option) %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if option.value is defined %}
+{%       set option_comment = ('#\t' if (option.state | d('present') == 'comment') else '\t') %}
+{%       set option_name = (option.name | replace('_','-')) %}
+{%       set option_tab = ('\t' + ('\t' if (option.name | length < 16) else '') + ('\t' if (option.name | length < 8) else '')) %}
+{%       if option.value is string and not option.value | bool %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, option.value) }}
+{%       elif option.value | bool and option.value is not iterable %}
+{%         if option.value | string == '1' %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, option.value) }}
+{%         else %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, 'yes') }}
+{%         endif %}
+{%       elif not option.value | bool and option.value is not iterable %}
+{%         if option.value is not none %}
+{%           if option.value | int %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, option.value) }}
+{%           else %}
+{%             if option.value | string == '0' %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, option.value) }}
+{%             else %}
+{{ '{}{}{}{}'.format(option_comment, option_name, option_tab, 'no') }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% macro print_section(section, option) %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if option.value is defined %}
+{%       set option_comment = ('#\t' if (option.state | d('present') == 'comment') else '\t') %}
+{%       set option_name = (option.name | replace('_','-')) %}
+{%       set option_tab = ('\t' + ('\t' if (option.name | length < 16) else '') + ('\t' if (option.name | length < 8) else '')) %}
+{%       set option_section = (section + ('\t' + ('\t' if (section | length < 8) else ''))) %}
+{%       if option.value is string and not option.value | bool %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, option.value) }}
+{%       elif option.value | bool and option.value is not iterable %}
+{%         if option.value | string == '1' %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, option.value) }}
+{%         else %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, 'yes') }}
+{%         endif %}
+{%       elif not option.value | bool and option.value is not iterable %}
+{%         if option.value is not none %}
+{%           if option.value | int %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, option.value) }}
+{%           else %}
+{%             if option.value | string == '0' %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, option.value) }}
+{%             else %}
+{{ '{}{}{}{}{}'.format(option_comment, option_name, option_tab, option_section, 'no') }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endmacro %}
+{% for element in nscd__combined_configuration | debops.debops.parse_kv_items %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if element.name == 'global' and element.options | d() %}
+{%       for entry in element.options %}
+{{ print_global(entry) -}}
+{%       endfor %}
+{%     else %}
+{%       set entry_list = [] %}
+{%       if nscd__flavor == 'unscd' %}
+{%         set entry_names = [ 'enable_cache', 'positive_time_to_live', 'negative_time_to_live', 'suggested_size', 'check_files' ] %}
+{%       elif nscd__flavor == 'nscd' %}
+{%         set entry_names = [ 'enable_cache', 'positive_time_to_live', 'negative_time_to_live', 'suggested_size', 'check_files', 'persistent', 'shared', 'max_db_size', 'auto_propagate' ] %}
+{%       endif %}
+{%       for entry_name in entry_names %}
+{%         if entry_name in element.keys() %}
+{%             set _ = entry_list.append({'name': entry_name, 'value': element[entry_name], 'state': element.state | d('present')}) %}
+{%         endif %}
+{%       endfor %}
+
+{%       if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{%       for entry in entry_list %}
+{{ print_section(element.name, entry) -}}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/nslcd/COPYRIGHT b/ansible_collections/debops/debops/roles/nslcd/COPYRIGHT
new file mode 100644
index 00000000..cbc51035
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nslcd - Configure LDAP support for NSS and PAM lookups
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nslcd/defaults/main.yml b/ansible_collections/debops/debops/roles/nslcd/defaults/main.yml
new file mode 100644
index 00000000..db89fa46
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/defaults/main.yml
@@ -0,0 +1,312 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nslcd__ref_defaults:
+
+# debops.nslcd default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: nslcd__base_packages [[[
+#
+# List of APT packages required for LDAP lookups via NSS and PAM.
+nslcd__base_packages:
+  - [ 'libpam-ldapd', 'libnss-ldapd', 'nslcd', 'openssl', 'ca-certificates' ]
+  - '{{ "nslcd-utils"
+        if (ansible_local | d() and ansible_local.python | d() and
+            (ansible_local.python.installed2 | d()) | bool)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__packages [[[
+#
+# List of additional APT packages to install with :command:`nslcd` package.
+nslcd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: nslcd__user [[[
+#
+# Name of the UNIX system account which will be used to perform LDAP lookups
+# via the :command:`nslcd` service.
+nslcd__user: 'nslcd'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__group [[[
+#
+# Name of the UNIX system group which will be used to perform LDAP lookups via
+# the :command:`nslcd` service.
+nslcd__group: 'nslcd'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__mkhomedir_umask [[[
+#
+# Default umask for new home directories created by the ``pam_mkhomedir`` PAM
+# module.
+nslcd__mkhomedir_umask: '{{ ansible_local.core.homedir_umask | d("0027") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: nslcd__ldap_enabled [[[
+#
+# Enable or disable integration with the LDAP directory. The integration is
+# enabled automatically when the :ref:`debops.ldap` environment is configured
+# on the host.
+nslcd__ldap_enabled: '{{ ansible_local.ldap.enabled
+                         if (ansible_local | d() and ansible_local.ldap | d() and
+                             ansible_local.ldap.enabled is defined)
+                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, :file:`/etc/nslcd.conf` configuration file will not be generated.
+nslcd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the :command:`nslcd` service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+nslcd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# :command:`nslcd` service to access the LDAP directory.
+nslcd__ldap_self_rdn: '{{ "uid=" + nslcd__user }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`nslcd` service to access the LDAP directory.
+nslcd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`nslcd` service to access the LDAP directory.
+nslcd__ldap_self_attributes:
+  uid: '{{ nslcd__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ nslcd__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "nslcd" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# :command:`nslcd` service to bind to the LDAP directory.
+nslcd__ldap_binddn: '{{ ([nslcd__ldap_self_rdn] + nslcd__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the :command:`nslcd`
+# service to bind to the LDAP directory.
+nslcd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                + nslcd__ldap_binddn | to_uuid + ".password length=32"))
+                        if nslcd__ldap_enabled | bool
+                        else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_posix_urns [[[
+#
+# List of LDAP search filters which are derived from URN-like patterns defined
+# for a given host in the :ref:`debops.ldap` role.
+# See :ref:`ldap__ref_ldap_access_host` for more details.
+nslcd__ldap_posix_urns: '{{ (ansible_local.ldap.urn_patterns
+                             if (ansible_local.ldap.urn_patterns | d())
+                             else [])
+                            | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
+                            | list }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__ldap_host_filter [[[
+#
+# The LDAP filter used in ``passwd``, ``shadow`` and ``group`` filters to
+# control the access to UNIX environment on specific hosts or domains. See the
+# ``filter_passwd_group`` parameter in :command:`nslcd` configuration for its
+# default usage.
+nslcd__ldap_host_filter: '(|
+                            (host=posix:all)
+                            (host=posix:{{ ansible_fqdn }})
+                            (host=posix:\2a.{{ ansible_domain }})
+                            {{ nslcd__ldap_posix_urns | join(" ") }}
+                          )'
+                                                                   # ]]]
+                                                                   # ]]]
+# Service configuration [[[
+# -------------------------
+
+# These variables define the contents of the :file:`/etc/nslcd.conf`
+# configuration file. See :ref:`nslcd__ref_configuration` for more details, and
+# :man:`nslcd.conf(5)` for possible configuration parameters.
+
+# .. envvar:: nslcd__idle_timelimit [[[
+#
+# The idle timelimit for connections with the LDAP server. This must be lower
+# than the server's olcIdleTimeout, otherwise nslcd will log error messages like
+# "ldap_result() failed: Can't contact LDAP server".
+nslcd__idle_timelimit: '600'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__default_configuration [[[
+#
+# The default :command:`nslcd` configuration options defined by the role.
+nslcd__default_configuration:
+
+  - name: 'uid'
+    comment: 'The user and group nslcd should run as.'
+    value: '{{ nslcd__user }}'
+
+  - name: 'gid'
+    value: '{{ nslcd__group }}'
+
+  - name: 'uri'
+    comment: 'The location at which the LDAP server(s) should be reachable.'
+    value: '{{ ansible_local.ldap.uri | d("") }}'
+
+  - name: 'idle_timelimit'
+    comment: 'The idle timelimit for connections with the LDAP server.'
+    value: '{{ nslcd__idle_timelimit }}'
+
+  - name: 'base'
+    comment: 'The search base that will be used for all queries.'
+    value: '{{ nslcd__ldap_base_dn | join(",") }}'
+
+  - name: 'ldap_version'
+    comment: 'The LDAP protocol version to use.'
+    value: '3'
+    state: 'comment'
+
+  - name: 'binddn'
+    comment: 'The DN to bind with for normal lookups.'
+    value: '{{ nslcd__ldap_binddn }}'
+
+  - name: 'bindpw'
+    value: '{{ nslcd__ldap_bindpw }}'
+
+  - name: 'rootpwmoddn'
+    comment: 'The DN used for password modifications by root.'
+    value: 'cn=admin,dc=example,dc=com'
+    state: 'comment'
+
+  - name: 'ssl'
+    comment: 'SSL options'
+    value: '{{ "start_tls"
+               if (ansible_local | d() and ansible_local.ldap | d() and
+                   (ansible_local.ldap.start_tls | d()) | bool)
+               else "on" }}'
+
+  - name: 'tls_reqcert'
+    value: 'demand'
+
+  - name: 'tls_cacertfile'
+    value: '/etc/ssl/certs/ca-certificates.crt'
+
+  - name: 'scope'
+    comment: 'The search scope.'
+    value: 'sub'
+    state: 'comment'
+
+  - name: 'nss_min_uid'
+    comment: |
+      First valid UID/GID number expected to be in the LDAP directory.
+      UIDs/GIDs lower than this value will be ignored.
+    value: '{{ ansible_local.ldap.uid_gid_min | d("10000") }}'
+
+  - name: 'map_group_id'
+    comment: |
+      Use the 'gid' attribute instead of 'cn' as the POSIX group name.
+    option: 'map'
+    map: 'group'
+    value: 'cn gid'
+
+  - name: 'filter_passwd_group'
+    raw: |
+      filter passwd (& (objectClass=posixAccount) {{ nslcd__ldap_host_filter }} )
+      filter group  (& (objectClass=posixGroupId) {{ nslcd__ldap_host_filter }} )
+      filter shadow (& (objectClass=shadowAccount) {{ nslcd__ldap_host_filter }} )
+    comment: 'Limit which UNIX accounts and groups are present on a host'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__configuration [[[
+#
+# The :command:`nslcd` configuration options defined on all hosts in the
+# Ansible inventory.
+nslcd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nslcd__group_configuration [[[
+#
+# The :command:`nslcd` configuration options defined on hosts in a specific
+# Ansible inventory group.
+nslcd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nslcd__host_configuration [[[
+#
+# The :command:`nslcd` configuration options defined on specific hosts in the
+# Ansible inventory.
+nslcd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: nslcd__combined_configuration [[[
+#
+# The variable that combines other :command:`nslcd` configuration options and
+# is used in the role template.
+nslcd__combined_configuration: '{{ nslcd__default_configuration
+                                   + nslcd__configuration
+                                   + nslcd__group_configuration
+                                   + nslcd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: nslcd__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+nslcd__ldap__dependent_tasks:
+
+  - name: 'Create nslcd account for {{ nslcd__ldap_device_dn | join(",") }}'
+    dn: '{{ nslcd__ldap_binddn }}'
+    objectClass: '{{ nslcd__ldap_self_object_classes }}'
+    attributes: '{{ nslcd__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if ((ansible_local.ldap.posix_enabled | d()) | bool and
+                   nslcd__ldap_device_dn | d())
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: nslcd__nsswitch__dependent_services [[[
+#
+# Configuration for the :ref:`debops.nsswitch` Ansible role.
+nslcd__nsswitch__dependent_services: [ 'ldap' ]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nslcd/meta/main.yml b/ansible_collections/debops/debops/roles/nslcd/meta/main.yml
new file mode 100644
index 00000000..46a58001
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure LDAP support for NSS and PAM lookups'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ldap
+    - nslcd
+    - nss
+    - pam
+    - system
diff --git a/ansible_collections/debops/debops/roles/nslcd/tasks/main.yml b/ansible_collections/debops/debops/roles/nslcd/tasks/main.yml
new file mode 100644
index 00000000..7443f4b9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure pam-mkhomedir to create home directories
+  ansible.builtin.template:
+    src: 'usr/share/pam-configs/mkhomedir.j2'
+    dest: '/usr/share/pam-configs/mkhomedir'
+    mode: '0644'
+  register: nslcd__register_mkhomedir
+
+- name: Enable mkhomedir PAM module
+  ansible.builtin.shell: 'pam-auth-update --package --remove mkhomedir 2>/dev/null && pam-auth-update --package --enable mkhomedir 2>/dev/null'  # noqa no-handler
+  register: nslcd__register_pam_update
+  changed_when: nslcd__register_pam_update.changed | bool
+  when: nslcd__register_mkhomedir is changed
+
+- name: Install packages for nslcd support
+  ansible.builtin.package:
+    name: '{{ q("flattened", nslcd__base_packages + nslcd__packages) }}'
+    state: 'present'
+  register: nslcd__register_packages
+  until: nslcd__register_packages is succeeded
+
+- name: Generate nslcd configuration
+  ansible.builtin.template:
+    src: 'etc/nslcd.conf.j2'
+    dest: '/etc/nslcd.conf'
+    group: '{{ nslcd__group }}'
+    mode: '0640'
+  register: nslcd__register_config
+  when: nslcd__ldap_base_dn | d()
+
+- name: Restart nslcd if its configuration was modified
+  ansible.builtin.service:  # noqa no-handler
+    name: 'nslcd'
+    state: 'restarted'
+  when: nslcd__register_config is changed
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save nslcd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/nslcd.fact.j2'
+    dest: '/etc/ansible/facts.d/nslcd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/nslcd/templates/etc/ansible/facts.d/nslcd.fact.j2 b/ansible_collections/debops/debops/roles/nslcd/templates/etc/ansible/facts.d/nslcd.fact.j2
new file mode 100644
index 00000000..16e8c189
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/templates/etc/ansible/facts.d/nslcd.fact.j2
@@ -0,0 +1,25 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('nslcd')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/nslcd/templates/etc/nslcd.conf.j2 b/ansible_collections/debops/debops/roles/nslcd/templates/etc/nslcd.conf.j2
new file mode 100644
index 00000000..222c0c2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/templates/etc/nslcd.conf.j2
@@ -0,0 +1,33 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+{% for option in nslcd__combined_configuration | debops.debops.parse_kv_config %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if option.separator | bool and not option.comment | d() and not loop.first %}
+
+{%     endif %}
+{%     if option.comment | d() %}
+
+{{ option.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     set option_map = '' %}
+{%     if option.map | d() %}
+{%       set option_map = (' ' + option.map) %}
+{%     endif %}
+{%     if option.raw | d() %}
+{%       if option.state | d('present') == 'comment' %}
+{{ option.raw | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       else %}
+{{ option.raw | regex_replace('\n$','') }}
+{%       endif %}
+{%     else %}
+{{ '{}{}{} {}'.format(('#' if (option.state | d('present') == 'comment') else ''), (option.option | d(option.name)), option_map, (option.value if option.value is string else (option.value | selectattr("name", "defined") | map(attribute="name") | list | join(' ')))) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/nslcd/templates/usr/share/pam-configs/mkhomedir.j2 b/ansible_collections/debops/debops/roles/nslcd/templates/usr/share/pam-configs/mkhomedir.j2
new file mode 100644
index 00000000..caaffe3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nslcd/templates/usr/share/pam-configs/mkhomedir.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+Name: activate mkhomedir managed by Ansible
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required                        pam_mkhomedir.so umask={{ nslcd__mkhomedir_umask }} skel=/etc/skel
diff --git a/ansible_collections/debops/debops/roles/nsswitch/COPYRIGHT b/ansible_collections/debops/debops/roles/nsswitch/COPYRIGHT
new file mode 100644
index 00000000..d47e3bcf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nsswitch - configure Name Service Switch using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nsswitch/defaults/main.yml b/ansible_collections/debops/debops/roles/nsswitch/defaults/main.yml
new file mode 100644
index 00000000..536ba062
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/defaults/main.yml
@@ -0,0 +1,191 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nsswitch__ref_defaults:
+
+# debops.nsswitch default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: nsswitch__enabled [[[
+#
+# Enable or disable management of the :file:`/etc/nsswitch.conf` configuration
+# file by Ansible.
+nsswitch__enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Name Service Switch services [[[
+# --------------------------------
+
+# These variables define what NSS services are active on a given host.
+# See :ref:`nsswitch__ref_services` for more details.
+
+# .. envvar:: nsswitch__default_services [[[
+#
+# List of default NSS services that should be active on the host and present in
+# the :file:`/etc/nsswitch.conf` configuration file.
+nsswitch__default_services: [ 'compat', 'files', 'dns', 'db', 'nis' ]
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__services [[[
+#
+# List of NSS services that should be active on all hosts in the Ansible
+# inventory.
+nsswitch__services: []
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__group_services [[[
+#
+# List of NSS services that should be active on groups in a specific Ansible
+# inventory group.
+nsswitch__group_services: []
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__host_services [[[
+#
+# List of NSS services that should be active on specific hosts in the Ansible
+# inventory.
+nsswitch__host_services: []
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__dependent_services [[[
+#
+# List of NSS services that should be active on a given host, requested by
+# other Ansible roles using dependent role variables.
+nsswitch__dependent_services: []
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__remove_services [[[
+#
+# List of NSS services which should be explicitly removed from the
+# :file:`/etc/nsswitch.conf` configuration file.
+nsswitch__remove_services: []
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__combined_services [[[
+#
+# The combined list of NSS services to manage by the role. This variable is
+# used in the template file to configure what services should be present.
+nsswitch__combined_services: '{{ lookup("flattened", (nsswitch__default_services
+                                 + nsswitch__services + nsswitch__group_services
+                                 + nsswitch__host_services + nsswitch__dependent_services)
+                                 | difference(nsswitch__remove_services)).split(",") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Name Service Switch databases [[[
+# ---------------------------------
+
+# .. envvar:: nsswitch__default_database_map [[[
+#
+# This YAML dictionary defines a mapping between NSS databases and NSS
+# services. The presence of a given NSS service here doesn't mean that it will
+# be activated. See :ref:`nsswitch__ref_database_map` for more details.
+nsswitch__default_database_map:
+  'passwd':     [ 'compat', 'mymachines', 'systemd', 'sss', 'ldap', 'winbind' ]
+  'group':      [ 'compat', 'mymachines', 'systemd', 'sss', 'ldap', 'winbind' ]
+  'shadow':     [ 'compat', 'sss' ]
+  'gshadow':    [ 'files' ]
+  'initgroups': []
+
+  'hosts':
+
+    - 'files'
+
+    - 'mymachines'
+
+    - [ 'mdns_minimal', '[NOTFOUND=return]' ]
+
+    - replace: 'mdns4_minimal'
+      service: '{{ "mdns_minimal" if (ansible_local | d() and ansible_local.avahi | d() and
+                                      ansible_local.avahi.ipv6 | bool) else "mdns4_minimal" }}'
+      action:  '[NOTFOUND=return]'
+
+    - [ 'resolve', '[!UNAVAIL=return]' ]
+
+    - 'dns'
+
+    - 'libvirt'
+
+    - 'libvirt_guest'
+
+    - 'wins'
+
+    - 'myhostname'
+
+  'networks':   [ 'files' ]
+  'protocols':  [ 'db',  'files' ]
+  'services':   [ 'db',  'files', 'sss', 'ldap' ]
+  'ethers':     [ 'db',  'files' ]
+  'rpc':        [ 'db',  'files' ]
+  'netgroup':   [ 'nis', 'sss', 'ldap' ]
+  'publickey':  []
+  'aliases':    []
+  'sudoers':
+
+    - { service: 'files', require: False }
+    - { service: 'sss',   require: False }
+    - { service: 'ldap',  require: False }
+
+  'automount':
+
+    - { service: 'files', require: False }
+    - { service: 'sss',   require: False }
+    - { service: 'ldap',  require: False }
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__database_map [[[
+#
+# YAML dictionary which defines the mapping between NSS databases and NSS
+# services for all hosts in Ansible inventory.
+nsswitch__database_map: {}
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__group_database_map [[[
+#
+# YAML dictionary which defines the mapping between NSS databases and NSS
+# services for hosts in specific Ansible inventory group.
+nsswitch__group_database_map: {}
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__host_database_map [[[
+#
+# YAML dictionary which defines the mapping between NSS databases and NSS
+# services for specific hosts in Ansible inventory.
+nsswitch__host_database_map: {}
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__combined_database_map [[[
+#
+# The combined default and custom database map variable used in the template.
+nsswitch__combined_database_map: '{{ nsswitch__default_database_map
+                                     | combine(nsswitch__database_map)
+                                     | combine(nsswitch__group_database_map)
+                                     | combine(nsswitch__host_database_map) }}'
+
+                                                                   # ]]]
+# .. envvar:: nsswitch__database_groups [[[
+#
+# This list variable defines the "layout" of the generated
+# :file:`/etc/nsswitch.conf` configuration file. Each list contains a list of
+# NSS databases grouped together for convenience and aesthetic purposes.
+nsswitch__database_groups:
+  - [ 'passwd', 'group', 'shadow', 'gshadow', 'initgroups' ]
+  - [ 'hosts', 'networks' ]
+  - [ 'protocols', 'services', 'ethers', 'rpc' ]
+  - [ 'netgroup' ]
+  - [ 'aliases', 'sudoers', 'automount' ]
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nsswitch/meta/main.yml b/ansible_collections/debops/debops/roles/nsswitch/meta/main.yml
new file mode 100644
index 00000000..e68ba7f4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Name Service Switch configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - authentication
+    - dns
+    - sssd
+    - ldap
+    - kerberos
diff --git a/ansible_collections/debops/debops/roles/nsswitch/tasks/main.yml b/ansible_collections/debops/debops/roles/nsswitch/tasks/main.yml
new file mode 100644
index 00000000..4dc56f79
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save nsswitch local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/nsswitch.fact.j2'
+    dest: '/etc/ansible/facts.d/nsswitch.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate Name Service Switch configuration
+  ansible.builtin.template:
+    src: 'etc/nsswitch.conf.j2'
+    dest: '/etc/nsswitch.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nsswitch__register_config
+  when: nsswitch__enabled | bool
+
+  # systemd-logind service needs to be restarted for authentication of users
+  # from remote sources (ldap, sss) to work correctly. The NSS configuration is
+  # not reloaded automatically on changes.
+  # Ref: https://bugzilla.redhat.com/show_bug.cgi?id=132608#c4
+- name: Restart systemd-logind to fix NSS lookups
+  ansible.builtin.service:  # noqa no-handler
+    name: 'systemd-logind'
+    state: 'restarted'
+  when: ansible_service_mgr == 'systemd' and nsswitch__register_config is changed and
+        ansible_connection != 'local'
diff --git a/ansible_collections/debops/debops/roles/nsswitch/templates/etc/ansible/facts.d/nsswitch.fact.j2 b/ansible_collections/debops/debops/roles/nsswitch/templates/etc/ansible/facts.d/nsswitch.fact.j2
new file mode 100644
index 00000000..a0040103
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/templates/etc/ansible/facts.d/nsswitch.fact.j2
@@ -0,0 +1,56 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+
+nsswitch_conf = '/etc/nsswitch.conf'
+
+nss_databases = loads('''{{ nsswitch__combined_database_map
+                            | list | sort | to_nice_json }}''')
+
+output = loads('''{{ ({
+    "enabled": nsswitch__enabled | bool
+}) | to_nice_json }}''')
+
+output_conf = {}
+
+try:
+    fh = open(nsswitch_conf)
+
+    for line in fh:
+
+        if line != '\n' and not line.startswith('#'):
+            words = line.split()
+            database = words[0].split(':')
+            if database[0] in nss_databases:
+                service_actions = {}
+                for i in range(len(words[1:])):
+                    if words[i+1].startswith('[') and words[i+1].endswith(']'):
+                        service_actions.update({words[i]: words[i+1]})
+                service_list = []
+                for service in words[1:]:
+                    if service in list(service_actions):
+                        service_list.append([service,
+                                             service_actions[service]])
+                    else:
+                        if service not in service_actions.values():
+                            service_list.append(service)
+                output_conf.update({database[0]: service_list})
+
+    fh.close()
+
+    output.update({"conf": output_conf})
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/nsswitch/templates/etc/nsswitch.conf.j2 b/ansible_collections/debops/debops/roles/nsswitch/templates/etc/nsswitch.conf.j2
new file mode 100644
index 00000000..b034602f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nsswitch/templates/etc/nsswitch.conf.j2
@@ -0,0 +1,61 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+{% set nsswitch__tpl_active_database_map = ansible_local.nsswitch.conf | d({}) %}
+{% set nsswitch__tpl_filtered_database_map = {} %}
+{% for database, service_list in nsswitch__combined_database_map.items() %}
+{%   if service_list and service_list is not string and service_list is not mapping %}
+{%     set nsswitch__tpl_service_list = [] %}
+{%     for element in service_list %}
+{%       if element is string %}
+{%         if (element in nsswitch__combined_services or (database in nsswitch__tpl_active_database_map.keys() and element in (lookup("flattened", nsswitch__tpl_active_database_map[database]).split(',')) and element not in nsswitch__remove_services)) %}
+{%           set _ = nsswitch__tpl_service_list.append(element) %}
+{%         endif %}
+{%       elif element is mapping %}
+{%         if element.service | d() and element.replace | d() and element.state | d('present') != 'absent' %}
+{%           if ((element.service in nsswitch__combined_services and element.require | d(True) | bool) or (database in nsswitch__tpl_active_database_map.keys() and element.replace in (lookup("flattened", nsswitch__tpl_active_database_map[database]).split(',')) and element.service not in nsswitch__remove_services)) %}
+{%             if element.action | d() %}
+{%               set _ = nsswitch__tpl_service_list.append([ element.service, element.action ]) %}
+{%             else %}
+{%               set _ = nsswitch__tpl_service_list.append(element.service) %}
+{%             endif %}
+{%           endif %}
+{%         elif element.service | d() and element.state | d('present') != 'absent' %}
+{%           if ((element.service in nsswitch__combined_services and element.require | d(True) | bool) or (database in nsswitch__tpl_active_database_map.keys() and element.service in (lookup("flattened", nsswitch__tpl_active_database_map[database]).split(',')) and element.service not in nsswitch__remove_services)) %}
+{%             if element.action | d() %}
+{%               set _ = nsswitch__tpl_service_list.append([ element.service, element.action ]) %}
+{%             else %}
+{%               set _ = nsswitch__tpl_service_list.append(element.service) %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       elif element is not string and element is not mapping %}
+{%         if (element[0] in nsswitch__combined_services or (database in nsswitch__tpl_active_database_map.keys() and element[0] in (lookup("flattened", nsswitch__tpl_active_database_map[database]).split(',')) and element[0] not in nsswitch__remove_services)) %}
+{%           set _ = nsswitch__tpl_service_list.append(element) %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%     if nsswitch__tpl_service_list %}
+{%       set _ = nsswitch__tpl_filtered_database_map.update({ database: nsswitch__tpl_service_list }) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% for db_group in nsswitch__database_groups %}
+{%   if not loop.first | bool and (db_group | intersect(nsswitch__tpl_filtered_database_map.keys())) %}
+
+{%   endif %}
+{%   for database in db_group %}
+{%     if database in nsswitch__tpl_filtered_database_map.keys() %}
+{{ "%-15s %s" | format(database + ':', lookup('flattened', nsswitch__tpl_filtered_database_map[database]).split(',') | join(' ')) }}
+{%     endif %}
+{%   endfor %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/ntp/COPYRIGHT b/ansible_collections/debops/debops/roles/ntp/COPYRIGHT
new file mode 100644
index 00000000..177cd960
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.ntp - Manage timezone and NTP client/server
+
+Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ntp/defaults/main.yml b/ansible_collections/debops/debops/roles/ntp/defaults/main.yml
new file mode 100644
index 00000000..52eee6b3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/defaults/main.yml
@@ -0,0 +1,318 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ntp__ref_defaults:
+
+# debops.ntp default variables [[[
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global options [[[
+# ------------------
+
+# .. envvar:: ntp__daemon_enabled [[[
+#
+# If ``True``, role will install and configure an NTP daemon. The daemon is not
+# required in containerized environments, where the host takes care for setting
+# time accurately.
+ntp__daemon_enabled: '{{ "True"
+                         if (ntp__daemon | d(False) and
+                             not (ansible_virtualization_role | d("") == "guest" and
+                                  ansible_virtualization_type | d("")
+                                    in ["container", "lxc"]) and
+                             not (ansible_system_capabilities_enforced | d(True) | bool and
+                                  "cap_sys_time" not in ansible_system_capabilities))
+                         else "False" }}'
+
+                                                                   # ]]]
+# .. envvar:: ntp__daemon [[[
+#
+# Which clock management daemon/program should be setup?
+#
+# Choices (string):
+#
+# - chrony
+# - ntpdate
+# - ntpd
+# - openntpd
+# - systemd-timesyncd
+#
+# Set to ``False`` to disable clock management.
+ntp__daemon: '{{ (ansible_local.ntp.daemon
+                  if (ansible_local.ntp.daemon | d())
+                  else ("systemd-timesyncd"
+                        if (ansible_service_mgr == "systemd")
+                        else "openntpd")) }}'
+
+                                                                   # ]]]
+# .. envvar:: ntp__ignore_ntpdate [[[
+#
+# Don't uninstall ``ntpdate`` package if it's installed. Be aware that
+# ``ntpdate-debian`` script is executed each time a network interface is
+# brought up. This might result in unexpected time jumps forward or backward.
+ntp__ignore_ntpdate: False
+
+                                                                   # ]]]
+# .. envvar:: ntp__servers [[[
+#
+# List of NTP servers to synchronize with
+# If you use :program:`ntpd`, you can add server options in server strings, for example::
+#
+#     ntp__servers:
+#       - '0.debian.pool.ntp.org iburst minpoll 6 maxpoll 10'
+#
+# If you're syncing against local servers, recommended options are:
+# 'burst iburst minpoll 4 maxpoll 4', where:
+#
+# ``burst`` and ``iburst``:
+#   Get a time sync as fast as possible by sending 8 sync queries with 2 second
+#   interval. (Beware though, this is considered as an abuse on public servers!)
+#
+# ``minpoll``, ``maxpoll``:
+#   Min/max interval for sync queries to be sent in normal operation mode. It's
+#   defined in seconds as a power of two:
+#
+#   * 4 -- 16 seconds (minimal allowed)
+#   * 5 -- 32 seconds
+#   * 6 -- 64 seconds
+#
+#   and so on.
+#
+ntp__servers: '{{ (ntp__servers_map[ansible_distribution][1]
+                   | d(ntp__servers_map["default"][1]))
+                   if (ntp__daemon in ["chrony"])
+                   else ntp__servers_map[ansible_distribution]
+                        | d(ntp__servers_map["default"]) }}'
+
+                                                                   # ]]]
+# .. envvar:: ntp__servers_map [[[
+#
+# YAML dictionary with different NTP server lists depending on OS distribution.
+ntp__servers_map:
+  'Debian':  [ '0.debian.pool.ntp.org', '1.debian.pool.ntp.org',
+               '2.debian.pool.ntp.org', '3.debian.pool.ntp.org' ]
+  'Ubuntu':  [ '0.ubuntu.pool.ntp.org', '1.ubuntu.pool.ntp.org',
+               '2.ubuntu.pool.ntp.org', '3.ubuntu.pool.ntp.org' ]
+  'default': [ '0.pool.ntp.org', '1.pool.ntp.org',
+               '2.pool.ntp.org', '3.pool.ntp.org' ]
+
+                                                                   # ]]]
+# .. envvar:: ntp__fudge [[[
+#
+# :program:`ntpd` specific.
+# Fudge local clock if time servers is not available.
+ntp__fudge: True
+
+                                                                   # ]]]
+# .. envvar:: ntp__servers_as_pool [[[
+#
+# Treat NTP server addresses as pool addresses. The server name is expected
+# to resolve to multiple IP addresses which might change over time. This is
+# currently only supported by :program:`chrony`. Other NTP servers will
+# ignore this setting.
+ntp__servers_as_pool: True
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: ntp__base_packages [[[
+#
+# List of APT packages to install for NTP support.
+ntp__base_packages:
+  - '{{ "chrony" if (ntp__daemon == "chrony") else [] }}'
+  - '{{ "ntp" if (ntp__daemon == "ntpd") else [] }}'
+  - '{{ "openntpd" if (ntp__daemon == "openntpd") else [] }}'
+  - '{{ "systemd-timesyncd" if (ntp__daemon == "systemd-timesyncd" and
+                                ansible_distribution_release
+                                not in ["stretch", "buster"]) else [] }}'
+  - '{{ "ntpdate" if (ntp__daemon == "ntpdate") else [] }}'
+
+
+                                                                   # ]]]
+# .. envvar:: ntp__packages [[[
+#
+# List of additional APT packages to install with NTP support.
+ntp__packages: []
+
+                                                                   # ]]]
+# .. envvar:: ntp__purge_packages [[[
+#
+# List of APT packages to purge during NTP configuration to avoid issues with
+# conflicting services.
+ntp__purge_packages:
+  - '{{ "chrony" if (ntp__daemon != "chrony") else [] }}'
+  - '{{ "ntp" if (ntp__daemon not in ["ntpd", "openntpd"]) else [] }}'
+  - '{{ "openntpd" if (ntp__daemon != "openntpd") else [] }}'
+  - '{{ "systemd-timesyncd" if (ntp__daemon != "systemd-timesyncd") else [] }}'
+  - '{{ "ntpdate" if (ntp__daemon != "ntpdate" and
+                      not ntp__ignore_ntpdate | bool) else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenNTPd configuration [[[
+# --------------------------
+
+# .. envvar:: ntp__openntpd_options [[[
+#
+# Set the ``openntpd`` daemon options.
+ntp__openntpd_options: '-f /etc/openntpd/ntpd.conf -s'
+                                                                   # ]]]
+                                                                   # ]]]
+# Chrony configuration [[[
+# --------------------------
+
+# .. envvar:: ntp__chrony_cmdport [[[
+#
+# Set the ``chrony`` cmdport option. 323 is the chrony default, but
+# debops recommends you default to 0 to disable UDP connections which
+# requires ``chronyc`` be run as root to connect over unix socket.
+ntp__chrony_cmdport: 0
+                                                                   # ]]]
+                                                                   # ]]]
+# Network accessibility [[[
+# -------------------------
+
+# .. envvar:: ntp__listen [[[
+#
+# List of interfaces :program:`ntpd` should listen on.
+# Specify ``ntp__listen: '*'`` to listen on all interfaces.
+#
+# The :program:`chrony` service only supports one listen interface for each of
+# the IPv4 and IPv6 protocols. It must be specified as an IP address.
+ntp__listen: []
+
+                                                                   # ]]]
+# .. envvar:: ntp__firewall_access [[[
+#
+# Enable or disable access to NTP through the firewall.
+ntp__firewall_access: False
+
+                                                                   # ]]]
+# .. envvar:: ntp__allow [[[
+#
+# List of hosts/networks in CIDR format to allow access to the NTP port by the
+# firewall. If this list is set to ``False``, access will be allowed from
+# anywhere. You should probably define a list of networks allowed access to
+# mitigate NTP amplification attacks.
+ntp__allow: []
+
+                                                                   # ]]]
+# .. envvar:: ntp__ferm_chain [[[
+#
+# Name of the :command:`iptables` chain to use for filtering NTP connections.
+ntp__ferm_chain: 'filter-ntp'
+
+                                                                   # ]]]
+# .. envvar:: ntp__ferm_weight [[[
+#
+# Weight of the ``debops.ntp`` firewall rules, determines the order of the
+# configuration files.
+ntp__ferm_weight: '40'
+
+                                                                   # ]]]
+# .. envvar:: ntp__ferm_recent_seconds [[[
+#
+# Time window which firewall checks to filter too many connections, specified
+# in seconds.
+ntp__ferm_recent_seconds: '{{ (60 * 60) }}'
+
+                                                                   # ]]]
+# .. envvar:: ntp__ferm_recent_hitcount [[[
+#
+# Maximum number of new connections from a host in the specified time window.
+ntp__ferm_recent_hitcount: 5
+
+                                                                   # ]]]
+# .. envvar:: ntp__ferm_recent_target [[[
+#
+# Specify what the firewall should do with packets that exceed the allowed
+# limits. You can use ``DROP`` (recommended), ``REJECT`` (high risk of
+# reflection attacks) or specify name of an :command:`iptables` chain to
+# further process the packet(s).
+ntp__ferm_recent_target: 'DROP'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: ntp__ferm__dependent_rules [[[
+#
+# Configuration of the Linux firewall using :ref:`debops.ferm`.
+ntp__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'ntp' ]
+    protocol: 'udp'
+    weight: '{{ ntp__ferm_weight }}'
+    role: 'ntp'
+    role_weight: '10'
+    name: 'jump-filter-ntp'
+    target: '{{ ntp__ferm_chain }}'
+    rule_state: '{{ "present"
+                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
+                        ntp__firewall_access | bool)
+                    else "absent" }}'
+
+  - chain: '{{ ntp__ferm_chain }}'
+    type: 'recent'
+    dport: [ 'ntp' ]
+    protocol: 'udp'
+    saddr: '{{ ntp__allow }}'
+    weight: '{{ ntp__ferm_weight }}'
+    role: 'ntp'
+    role_weight: '20'
+    name: 'mark'
+    subchain: False
+    recent_set_name: 'ntp-new'
+    recent_log: False
+    rule_state: '{{ "present"
+                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
+                        ntp__firewall_access | bool)
+                    else "absent" }}'
+
+  - chain: '{{ ntp__ferm_chain }}'
+    type: 'recent'
+    dport: [ 'ntp' ]
+    protocol: [ 'udp' ]
+    weight: '{{ ntp__ferm_weight }}'
+    role: 'ntp'
+    role_weight: '30'
+    name: 'filter'
+    subchain: False
+    recent_name: 'ntp-new'
+    recent_update: True
+    recent_seconds: '{{ ntp__ferm_recent_seconds }}'
+    recent_hitcount: '{{ ntp__ferm_recent_hitcount }}'
+    recent_target: '{{ ntp__ferm_recent_target }}'
+    recent_log_prefix: 'ipt-recent-ntp: '
+    rule_state: '{{ "present"
+                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
+                        ntp__firewall_access | bool)
+                    else "absent" }}'
+
+  - chain: '{{ ntp__ferm_chain }}'
+    type: 'accept'
+    dport: [ 'ntp' ]
+    protocol: 'udp'
+    state: 'NEW'
+    saddr: '{{ ntp__allow }}'
+    weight: '{{ ntp__ferm_weight }}'
+    role: 'ntp'
+    role_weight: '40'
+    rule_state: '{{ "present"
+                    if (ntp__daemon in ["openntpd", "ntpd", "chrony"] and
+                        ntp__firewall_access | bool)
+                    else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ntp/meta/main.yml b/ansible_collections/debops/debops/roles/ntp/meta/main.yml
new file mode 100644
index 00000000..e1ee0b97
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage time synchronization, NTP server and timezone'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - timezone
+    - ntp
+    - ntpd
+    - ntpdate
+    - openntpd
+    - timesyncd
+    - tzdata
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/chrony.yml b/ansible_collections/debops/debops/roles/ntp/tasks/chrony.yml
new file mode 100644
index 00000000..a8050a31
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/chrony.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure chrony
+  ansible.builtin.template:
+    src: 'etc/chrony/chrony.conf.j2'
+    dest: '/etc/chrony/chrony.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart chrony' ]
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/install.yml b/ansible_collections/debops/debops/roles/ntp/tasks/install.yml
new file mode 100644
index 00000000..587b8874
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/install.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ (ntp__base_packages + ntp__packages) | flatten }}'
+    state: 'present'
+  register: ntp__register_apt_install
+  until: ntp__register_apt_install is succeeded
+
+- name: Query available systemd services
+  ansible.builtin.service_facts:
+  when: ansible_service_mgr == "systemd"
+
+- name: Manage systemd-timesyncd state
+  ansible.builtin.service:
+    name: 'systemd-timesyncd'
+    state: '{{ "started" if (ntp__daemon in ["systemd-timesyncd"]) else "stopped" }}'
+    enabled: '{{ True if (ntp__daemon in ["systemd-timesyncd"]) else False }}'
+  when:
+    - ansible_service_mgr == "systemd"
+    - ("systemd-timesyncd.service" in ansible_facts.services and
+       ansible_facts.services['systemd-timesyncd.service'].status != 'not-found')
+
+# NTPdate does not need to be configured separately as the script `/usr/sbin/ntpdate-debian`
+# will pick up the configuration from `/etc/ntp.conf` when it exists.
+
+# Install chrony on all hosts except inside containers
+- name: Install chrony
+  ansible.builtin.include_tasks: chrony.yml
+  when: ntp__daemon == 'chrony'
+
+  # Install NTPd on all hosts except inside containers
+- name: Install ntpd
+  ansible.builtin.include_tasks: ntpd.yml
+  when: ntp__daemon in [ 'ntpd', 'ntpdate' ]
+
+  # Install OpenNTPd on all hosts except inside containers
+- name: Install OpenNTPd
+  ansible.builtin.include_tasks: openntpd.yml
+  when: ntp__daemon == 'openntpd'
+
+  # Configure systemd-timesyncd
+- name: Include systemd-timesyncd configuration
+  ansible.builtin.include_tasks: systemd-timesyncd.yml
+  when: (ansible_service_mgr == "systemd" and
+         ntp__daemon == 'systemd-timesyncd')
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/main.yml b/ansible_collections/debops/debops/roles/ntp/tasks/main.yml
new file mode 100644
index 00000000..1ca45cb5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Ensure that configuration is supported
+  ansible.builtin.assert:
+    that: not ntp__daemon or ntp__daemon in [ 'chrony', 'ntpd', 'ntpdate', 'openntpd', 'systemd-timesyncd' ]
+
+- name: Ensure that alternative daemons/programs are not installed
+  ansible.builtin.apt:
+    name: '{{ ntp__purge_packages | flatten }}'
+    state: 'absent'
+    purge: True
+  register: ntp__register_apt_purge
+  until: ntp__register_apt_purge is succeeded
+  when: ntp__daemon_enabled | bool
+
+  # Installs either ntpdate, NTPd, chrony or OpenNTPd on all hosts except inside containers
+- name: Install NTP service
+  ansible.builtin.include_tasks: install.yml
+  when: ntp__daemon_enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save ntp local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/ntp.fact.j2'
+    dest: '/etc/ansible/facts.d/ntp.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/ntpd.yml b/ansible_collections/debops/debops/roles/ntp/tasks/ntpd.yml
new file mode 100644
index 00000000..dc9d4b50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/ntpd.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Divert original /etc/ntp.conf
+  debops.debops.dpkg_divert:
+    path: '/etc/ntp.conf'
+  when: ntp__daemon == 'ntpd'
+
+- name: Configure NTPd
+  ansible.builtin.template:
+    src: 'etc/ntpd/ntp.conf.j2'
+    dest: '/etc/ntp.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart ntp' ]
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/openntpd.yml b/ansible_collections/debops/debops/roles/ntp/tasks/openntpd.yml
new file mode 100644
index 00000000..804963cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/openntpd.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Divert OpenNTPd configuration files
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  loop:
+    - '/etc/default/openntpd'
+    - '/etc/openntpd/ntpd.conf'
+    - '/etc/network/if-up.d/openntpd'
+
+- name: Configure OpenNTPd
+  ansible.builtin.template:
+    src: '{{ item.name }}.j2'
+    dest: '/{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode | d("0644") }}'
+  with_items:
+
+    - name: 'etc/default/openntpd'
+
+    - name: 'etc/openntpd/ntpd.conf'
+
+    - name: 'etc/network/if-up.d/openntpd'
+      mode: '0755'
+
+    - name: 'etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd'
+
+    - name: 'usr/local/lib/debops-ntp-openntpd-dpkg-cleanup'
+      mode: '0755'
+
+  notify: [ 'Restart openntpd' ]
diff --git a/ansible_collections/debops/debops/roles/ntp/tasks/systemd-timesyncd.yml b/ansible_collections/debops/debops/roles/ntp/tasks/systemd-timesyncd.yml
new file mode 100644
index 00000000..873eac4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/tasks/systemd-timesyncd.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Make sure conf override dir exists
+  ansible.builtin.file:
+    path: '/etc/systemd/timesyncd.conf.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure systemd-timesyncd
+  ansible.builtin.template:
+    src: 'etc/systemd/timesyncd.conf.d/ansible.conf.j2'
+    dest: '/etc/systemd/timesyncd.conf.d/ansible.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart systemd-timesyncd' ]
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/ansible/facts.d/ntp.fact.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/ansible/facts.d/ntp.fact.j2
new file mode 100644
index 00000000..de8ca89f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/ansible/facts.d/ntp.fact.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set ntp__tpl_daemon = '' %}
+{% if ntp__daemon_enabled | bool %}
+{% set ntp__tpl_daemon = ntp__daemon %}
+{% endif %}
+{
+"configured": "true",
+"daemon": "{{ ntp__tpl_daemon }}"
+}
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/chrony/chrony.conf.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/chrony/chrony.conf.j2
new file mode 100644
index 00000000..7525024f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/chrony/chrony.conf.j2
@@ -0,0 +1,82 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+{% if ntp__servers is defined and ntp__servers %}
+# NTP servers to synchronize with
+{% if ntp__servers is string %}
+pool {{ ntp__servers }} iburst
+{% else %}
+{% for address in ntp__servers %}
+{{ ntp__servers_as_pool | ternary('pool', 'server') }} {{ address }} iburst
+{% endfor %}
+{% endif %}
+
+{% endif %}
+{% if ntp__listen and ntp__listen != '*' %}
+# Only listen on these interfaces for incoming connections
+{% for address in ntp__listen %}
+bindaddress {{ address }}
+{% endfor %}
+
+{% endif %}
+# Only listen on localhost for command connections
+bindcmdaddress 127.0.0.1
+
+# Set the udp control port on loopback. 0 means that chronyc can only talk to chronyd via Unix sockets.
+cmdport {{ ntp__chrony_cmdport }}
+
+{% if ntp__allow == False %}
+# Allow all hosts to connect to the server
+allow all
+
+{% else %}
+# Default is to restrict all access to everybody
+deny all
+
+{%   if ntp__allow is string %}
+allow {{ ntp__allow }}
+{%   else %}
+{%     for address in ntp__allow %}
+allow {{ address }}
+{%     endfor %}
+{%   endif %}
+
+{% endif %}
+
+{% if ntp__fudge is defined and ntp__fudge %}
+# Fudge local clock if time servers is not available
+local stratum 10
+{% endif %}
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/default/openntpd.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/default/openntpd.j2
new file mode 100644
index 00000000..17dc5c8e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/default/openntpd.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# /etc/default/openntpd
+
+# Append '-s' to set the system time when starting in case the offset
+# between the local clock and the servers is more than 180 seconds.
+# For other options, see man ntpd(8).
+DAEMON_OPTS="{{ ntp__openntpd_options }}"
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd.j2
new file mode 100644
index 00000000..f5db1d61
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+pre-invoke=/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/network/if-up.d/openntpd.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/network/if-up.d/openntpd.j2
new file mode 100644
index 00000000..462e5c7b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/network/if-up.d/openntpd.j2
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+export CONFIG="/etc/openntpd/ntpd.conf"
+
+if [ "${METHOD}"X = "loopback"X ] || [ "${METHOD}"X = "none"X ]
+then
+    exit 0
+fi
+
+# Only run from ifup.
+if [ "$MODE" != start ]; then
+    exit 0
+fi
+
+# Don't try to restart openntpd.service under systemd if it's not running
+# This avoids issues with openntpd restarting early during boot
+if [ -d /run/systemd/system ]; then
+    if [ "$(systemctl is-active openntpd.service)" = "active" ] ; then
+        systemctl restart --no-block openntpd.service || true
+    fi
+else
+    invoke-rc.d openntpd force-reload || true
+fi
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/ntpd/ntp.conf.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/ntpd/ntp.conf.j2
new file mode 100644
index 00000000..39541b1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/ntpd/ntp.conf.j2
@@ -0,0 +1,80 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+{% if ntp__listen is defined and ntp__listen and ntp__listen != '*' %}
+# Addresses to listen on, default is to block everything
+interface ignore ipv4
+interface ignore ipv6
+{%   if ntp__listen is string %}
+interface listen {{ ntp__listen }}
+
+{%   else %}
+{%     for address in ntp__listen %}
+interface listen {{ address }}
+{%     endfor %}
+
+{%   endif %}
+{% else %}
+# ntpd will listen on all interfaces
+
+{% endif %}
+{% if ntp__servers is defined and ntp__servers %}
+# NTP servers to synchronize with
+{% if ntp__servers is string %}
+server {{ ntp__servers }}
+{% else %}
+{% for address in ntp__servers %}
+server {{ address }}
+{% endfor %}
+{% endif %}
+{% endif %}
+
+{% if ntp__fudge is defined and ntp__fudge %}
+# Fudge local clock if time servers is not available
+fudge 127.127.1.0 stratum 10
+{% endif %}
+
+# NTPd ACLs
+# Allow full access from localhost
+restrict 127.0.0.1
+restrict -6 ::1
+
+{% if ntp__allow is defined and ntp__allow %}
+# Default is to restrict all access to everybody
+restrict default ignore
+restrict -6 default ignore
+
+{%   if ntp__allow is string %}
+{%     if ntp__allow | ansible.utils.ipv4 %}
+restrict {{ ntp__allow | ansible.utils.ipaddr('network') }} mask {{ ntp__allow | ansible.utils.ipaddr('netmask') }} notrap nomodify nopeer
+{%     else %}
+restrict -6 {{ ntp__allow | ansible.utils.ipaddr('network') }} mask {{ ntp__allow | ansible.utils.ipaddr('netmask') }} notrap nomodify nopeer
+{%     endif %}
+{%   else %}
+{%     for address in ntp__allow %}
+{%       if address | ansible.utils.ipv4 %}
+restrict {{ address | ansible.utils.ipaddr('network') }} mask {{ address | ansible.utils.ipaddr('netmask') }} notrap nomodify nopeer
+{%       else %}
+restrict -6 {{ address | ansible.utils.ipaddr('network') }} mask {{ address | ansible.utils.ipaddr('netmask') }} notrap nomodify nopeer
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% else %}
+# No allow rules specified, so default is to allow everyone to query
+restrict default limited kod nomodify notrap nopeer noquery
+restrict -6 default limited kod nomodify notrap nopeer noquery
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/openntpd/ntpd.conf.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/openntpd/ntpd.conf.j2
new file mode 100644
index 00000000..f4e8479f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/openntpd/ntpd.conf.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if ntp__listen is defined and ntp__listen %}
+# Addresses to listen on
+{%   if ntp__listen is string %}
+listen on {{ ntp__listen }}
+
+{%   else %}
+{%     for address in ntp__listen %}
+listen on {{ address }}
+{%     endfor %}
+
+{%   endif %}
+{% else %}
+# ntpd is not listening on any interface
+
+{% endif %}
+{% if ntp__servers is defined and ntp__servers %}
+# NTP servers to synchronize with
+{% if ntp__servers is string %}
+servers {{ ntp__servers }}
+{% else %}
+{% for address in ntp__servers %}
+servers {{ address }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/ntp/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..18a348a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration for systemd-timesyncd
+
+[Time]
+{% if ansible_distribution_release in [ 'trusty' ] %}
+Servers={{ ntp__servers | join(' ') }}
+{% else %}
+NTP={{ ntp__servers | join(' ') }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ntp/templates/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup.j2 b/ansible_collections/debops/debops/roles/ntp/templates/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup.j2
new file mode 100644
index 00000000..b32adf74
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ntp/templates/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup.j2
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Clean up 'debops.ntp' modifications on the 'openntpd' package removal
+
+set -o nounset -o pipefail -o errexit
+
+revert_files=(
+    "/etc/default/openntpd"
+    "/etc/network/if-up.d/openntpd"
+    "/etc/openntpd/ntpd.conf"
+)
+
+remove_files=(
+    "/usr/local/lib/debops-ntp-openntpd-dpkg-cleanup"
+    "/etc/dpkg/dpkg.cfg.d/debops-ntp-openntpd"
+)
+
+debops_ntp_divert_cleanup () {
+
+    printf "Reverting OpenNTPd configuration files ...\\n"
+    for revert_file in "${revert_files[@]}" ; do
+        if [ -f "${revert_file}.dpkg-divert" ] ; then
+            rm -f "${revert_file}"
+            dpkg-divert --quiet --local --rename --remove "${revert_file}"
+        fi
+    done
+
+}
+
+debops_ntp_file_cleanup () {
+
+    printf "Removing OpenNTPd configuration maintained by Ansible ...\\n"
+    for remove_file in "${remove_files[@]}" ; do
+        test ! -f "${remove_file}" || rm -f "${remove_file}"
+    done
+}
+
+
+dpkg_pid="$(ps -o ppid= ${PPID} | tr -d '[:space:]')"
+
+IFS=' ' read -r -a arguments <<< "$(tr '\0' ' ' < "/proc/${dpkg_pid}/cmdline")"
+
+if [ -n "${DPKG_HOOK_ACTION:-}" ] ; then
+    case ${DPKG_HOOK_ACTION} in
+        remove)
+            for x in "${arguments[@]}"; do
+                case ${x} in
+                    openntpd:*)
+                        debops_ntp_divert_cleanup
+                        debops_ntp_file_cleanup
+                    ;;
+                esac
+            done
+        ;;
+        purge)
+            for x in "${arguments[@]}"; do
+                case ${x} in
+                    openntpd:*)
+                        debops_ntp_divert_cleanup
+                        debops_ntp_file_cleanup
+                    ;;
+                esac
+            done
+        ;;
+    esac
+fi
diff --git a/ansible_collections/debops/debops/roles/nullmailer/COPYRIGHT b/ansible_collections/debops/debops/roles/nullmailer/COPYRIGHT
new file mode 100644
index 00000000..0980fb7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.nullmailer - Manage nullmailer SMTP server with Ansible
+
+Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/nullmailer/defaults/main.yml b/ansible_collections/debops/debops/roles/nullmailer/defaults/main.yml
new file mode 100644
index 00000000..b41bdd3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/defaults/main.yml
@@ -0,0 +1,525 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _nullmailer__ref_defaults:
+
+# debops.nullmailer default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration and other MTAs [[[
+# --------------------------------------
+
+# .. envvar:: nullmailer__enabled [[[
+#
+# Enable or disable support for ``nullmailer`` service. The role will check for
+# presence of other Mail Transport Agents on a host and disable itself
+# automatically if needed.
+nullmailer__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__skip_mta [[[
+#
+# The ``debops.nullmailer`` role avoids replacing the currently configured SMTP
+# server if it's detected. To disable this functionality and force the
+# ``nullmailer`` service to replace an existing MTA, set this variable to
+# ``False``.
+nullmailer__skip_mta: True
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__skip_mta_packages [[[
+#
+# List of APT packages which, if present, will disable configuration of
+# ``nullmailer`` service.
+nullmailer__skip_mta_packages: [ 'postfix' ]
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__purge_mta_packages [[[
+#
+# List of APT packages which will be purged when ``nullmailer`` service is
+# enabled, to stop them from interfering with the active MTA.
+nullmailer__purge_mta_packages: [ 'exim4-base', 'exim4-config', 'exim4-daemon-light',
+                                  'postfix', 'msmtp-mta', 'dma' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package configuration [[[
+# -----------------------------
+
+# .. envvar:: nullmailer__base_packages [[[
+#
+# List of APT packages which will be installed to configure ``nullmailer``
+# service.
+nullmailer__base_packages: [ 'nullmailer', 'bsd-mailx' ]
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtpd_packages [[[
+#
+# List of APT packages which will be installed when the ``nullmailer-smtpd``
+# service is enabled.
+nullmailer__smtpd_packages: '{{ ["xinetd"] if nullmailer__smtpd | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__packages [[[
+#
+# List of custom APT packages installed with ``nullmailer``.
+nullmailer__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS, domain, catch-all e-mail addresses [[[
+# -------------------------------------------
+
+# .. envvar:: nullmailer__mailname [[[
+#
+# The domain name of the host, stored in the :file:`/etc/mailname`
+# configuration file. See https://wiki.debian.org/EtcMailName for more details.
+nullmailer__mailname: '{{ nullmailer__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__fqdn [[[
+#
+# The FQDN name of the :command:`nullmailer` host, used in different
+# configuration variables of the role.
+nullmailer__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__domain [[[
+#
+# The default DNS domain used in different configuration variables of the role.
+nullmailer__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__adminaddr [[[
+#
+# If this list is not empty, all mail messages addressed to any user in the
+# default hostname from :file:`/etc/mailname` or ``localhost`` will be redirected
+# to the specified e-mail addresses (catch-all). This is required for mail
+# directed to local accounts because :command:`nullmailer` does not support
+# local mailboxes.
+#
+# By default send all mail for local recipients to the "root" account on the
+# mail relay host. Let the relay host deal with forwarding such e-mail messages
+# to the proper recipients.
+nullmailer__adminaddr: [ '{{ "root@" + nullmailer__relayhost }}' ]
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__idhost [[[
+#
+# The string used to generate the ``Message-Id:`` header of sent messages.
+nullmailer__idhost: '{{ nullmailer__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__helohost [[[
+#
+# The string sent to the remote SMTP servers in the ``HELO`` command.
+nullmailer__helohost: '{{ nullmailer__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__defaulthost [[[
+#
+# The string appended to the e-mail addresses without the "host" part.
+nullmailer__defaulthost: '{{ nullmailer__mailname }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__defaultdomain [[[
+#
+# The string appended to the host part of the e-mail addresses without a dot.
+nullmailer__defaultdomain: '{{ nullmailer__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__allmailfrom [[[
+#
+# Force envelope sender. Needed for some mail relays with authentication if
+# they don't allow arbitrary envelope sender addresses. (Needs nullmailer >= 1.4)
+nullmailer__allmailfrom: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: nullmailer__ldap_enabled [[[
+#
+# Enable or disable integration with the LDAP directory. The integration is
+# enabled automatically when the :ref:`debops.ldap` environment is configured
+# on the host.
+nullmailer__ldap_enabled: '{{ ansible_local.ldap.enabled
+                              if (ansible_local | d() and ansible_local.ldap | d() and
+                                  ansible_local.ldap.enabled is defined)
+                              else False }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, the LDAP account for the :command`nullmailer` SMTP service will not
+# be created in the LDAP directory.
+nullmailer__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the :command:`nullmailer` service account
+# LDAP object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+nullmailer__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# :command:`nullmailer` service to send the authenticated messages to the
+# relayhost.
+nullmailer__ldap_self_rdn: 'uid=nullmailer'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`nullmailer` service to send authenticated mail
+# messages.
+nullmailer__ldap_self_object_classes: [ 'account', 'simpleSecurityObject',
+                                        'authorizedServiceObject' ]
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`nullmailer` service to send authenticated mail messages.
+nullmailer__ldap_self_attributes:
+  uid: '{{ nullmailer__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ nullmailer__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "nullmailer" service to send authenticated mail messages'
+  authorizedService: 'mail:send'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# :command:`nullmailer` service to bind to the LDAP directory.
+nullmailer__ldap_binddn: '{{ ([nullmailer__ldap_self_rdn] + nullmailer__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the
+# :command:`nullmailer` service to bind to the LDAP directory.
+nullmailer__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                     + nullmailer__ldap_binddn | to_uuid + ".password length=32"))
+                             if nullmailer__ldap_enabled | bool
+                             else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SMTP relay configuration [[[
+# ----------------------------
+
+# .. envvar:: nullmailer__starttls [[[
+#
+# Boolean. If enabled, all remote SMTP servers configured in
+# :file:`/etc/nullmailer/remotes` will request encrypted connections using the
+# ``STARTTLS`` command. This can be overridden per remote, see
+# :ref:`nullmailer__ref_remotes` for more details.
+nullmailer__starttls: True
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtp_srv_rr [[[
+#
+# List which contains the result of the DNS query for SMTP server ``SRV``
+# resource records in the host's domain. See :rfc:`6186` for details.
+nullmailer__smtp_srv_rr: '{{ q("debops.debops.dig_srv", "_smtp._tcp." + nullmailer__domain,
+                               "smtp." + nullmailer__domain, 25)
+                             if nullmailer__enabled | bool
+                             else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtp_port [[[
+#
+# SMTP port (default is 25; use 587 for STARTTLS or 465 for Implicit TLS.
+nullmailer__smtp_port: '{{ nullmailer__smtp_srv_rr[0]["port"] }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__relayhost [[[
+#
+# The FQDN address of the mail server which all mail messages will be forwarded
+# to by the ``nullmailer`` service.
+nullmailer__relayhost: '{{ nullmailer__smtp_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__relayhost_options [[[
+#
+# Additional options set for the default relayhost in the
+# :file:`/etc/nullmailer/remotes` configuration file. You can specify either
+# a YAML dictionary with parameters used by other :command:`nullmailer`
+# remotes, or a YAML list with "raw" :command:`nullmailer` options.
+# See :ref:`nullmailer__ref_remotes` for more details.
+nullmailer__relayhost_options:
+  - '--port={{ nullmailer__smtp_port }}'
+  - '{{ "--ssl"
+        if (nullmailer__smtp_port == "465")
+        else "--starttls" }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__default_remotes [[[
+#
+# The default list of SMTP servers where ``nullmailer`` forwards all mail
+# messages. See :ref:`nullmailer__ref_remotes` for more details.
+nullmailer__default_remotes:
+
+  - host: '{{ nullmailer__relayhost }}'
+    options: '{{ nullmailer__relayhost_options }}'
+    auth: True
+    user: '{{ nullmailer__ldap_self_rdn.split("=")[1] + "@" + nullmailer__fqdn }}'
+    password: '{{ nullmailer__ldap_bindpw }}'
+    state: '{{ "present" if nullmailer__ldap_enabled | bool else "absent" }}'
+
+  - '{{ (nullmailer__relayhost_options | combine({"host": nullmailer__relayhost}))
+        if (nullmailer__relayhost_options is mapping)
+        else ({"host": nullmailer__relayhost,
+               "state": ("absent" if nullmailer__ldap_enabled | bool else "present"),
+               "options": nullmailer__relayhost_options}) }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__remotes [[[
+#
+# The list of additional SMTP servers where ``nullmailer`` forwards all mail
+# messages. See :ref:`nullmailer__ref_remotes` for more details.
+nullmailer__remotes: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Nullmailer rate limits [[[
+# --------------------------
+
+# .. envvar:: nullmailer__maxpause [[[
+#
+# The maximum number of seconds to pause between successive queue runs.
+nullmailer__maxpause: '86400'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__pausetime [[[
+#
+# The minimum number of seconds to pause between successive queue runs when
+# there are messages in the queue.
+nullmailer__pausetime: '60'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__sendtimeout [[[
+#
+# The number of seconds to wait for a thread to complete sending a message
+# before killing it and trying again.
+nullmailer__sendtimeout: '3600'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration file definitions [[[
+# ----------------------------------
+
+# .. envvar:: nullmailer__configuration_files [[[
+#
+# List which defines names and contents of the configuration files managed by
+# the ``debops.nullmailer`` role. See the
+# :ref:`nullmailer__ref_configuration_files` for more details.
+nullmailer__configuration_files:
+
+  - dest: '/etc/mailname'
+    content: '{{ nullmailer__mailname }}'
+
+  - dest: '/etc/nullmailer/adminaddr'
+    content: '{{ nullmailer__adminaddr
+                 if nullmailer__adminaddr is string
+                 else nullmailer__adminaddr | join(",") }}'
+
+  - dest: '/etc/nullmailer/idhost'
+    content: '{{ nullmailer__idhost }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__idhost else "absent" }}'
+
+  - dest: '/etc/nullmailer/helohost'
+    content: '{{ nullmailer__helohost }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__helohost else "absent" }}'
+
+  - dest: '/etc/nullmailer/defaulthost'
+    content: '{{ nullmailer__defaulthost }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__defaulthost else "absent" }}'
+
+  - dest: '/etc/nullmailer/defaultdomain'
+    content: '{{ nullmailer__defaultdomain }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__defaultdomain else "absent" }}'
+
+  - dest: '/etc/nullmailer/maxpause'
+    content: '{{ nullmailer__maxpause }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__maxpause else "absent" }}'
+
+  - dest: '/etc/nullmailer/pausetime'
+    content: '{{ nullmailer__pausetime }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__pausetime else "absent" }}'
+
+  - dest: '/etc/nullmailer/sendtimeout'
+    content: '{{ nullmailer__sendtimeout }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__sendtimeout else "absent" }}'
+
+  - dest: '/etc/nullmailer/allmailfrom'
+    content: '{{ nullmailer__allmailfrom }}'
+    mode: '0644'
+    state: '{{ "present" if nullmailer__allmailfrom else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__private_configuration_files [[[
+#
+# List which defines names and contents of the private configuration files
+# managed by the ``debops.nullmailer`` role. Modifications to the configuration
+# files on this list won't be logged by Ansible. See the
+# :ref:`nullmailer__ref_configuration_files` for more details.
+nullmailer__private_configuration_files:
+
+  - dest: '/etc/nullmailer/remotes'
+    content: "{{ lookup('template', 'lookup/nullmailer__remotes.j2')
+                 | from_yaml | join('\n') }}"
+    owner: 'mail'
+    group: 'mail'
+    mode: '0600'
+                                                                   # ]]]
+                                                                   # ]]]
+# Nullmailer SMTPD service [[[
+# ----------------------------
+
+# The ``debops.nullmailer`` role can configure a ``nullmailer-smtpd`` service
+# using ``nullmailer`` and :program:`xinetd` packages. The :program:`xinetd` service will
+# listen on port ``25`` (can be changed) and on incoming connection will start
+# a ``sendmail`` process which can be used to send an e-mail message.
+
+# This service does not perform any user authentication, therefore
+# :ref:`debops.ferm` and :ref:`debops.tcpwrappers` roles are used to limit the access
+# from the network to specific IP addresses or CIDR subnets. By default, the
+# ``nullmailer-smtpd`` service listens for new TCP connections only on the
+# loopback interface, and firewall/TCP Wrappers do not accept any connections
+# from the network.
+
+# .. envvar:: nullmailer__smtpd [[[
+#
+# Enable or disable custom :program:`xinetd`-based SMTP service which allows access to
+# the ``sendmail`` program from other hosts over the network.
+nullmailer__smtpd: False
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtpd_bind [[[
+#
+# Specify the IPv4 address on which the :program:`xinetd` SMTP server should
+# listen for new connections. By default it listens only on ``lo`` interface.
+nullmailer__smtpd_bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtpd_bind6 [[[
+#
+# Specify the IPv6 address on which the :program:`xinetd` SMTP server should
+# listen for new connections. By default it listens only on ``lo`` interface.
+nullmailer__smtpd_bind6: '::1'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtpd_port [[[
+#
+# Default port to listen on for the SMTP connections.
+nullmailer__smtpd_port: '25'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__smtpd_allow [[[
+#
+# Specify list of IP addresses or CIDR subnets which are allowed to connect to
+# the ``nullmailer-smtpd`` service. These lists will be configured in the
+# :command:`iptables` firewall using :ref:`debops.ferm` role and in the TCP Wrappers
+# using :ref:`debops.tcpwrappers` role.
+#
+# If this list is empty, nobody is allowed to connect remotely.
+nullmailer__smtpd_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: nullmailer__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+nullmailer__ldap__dependent_tasks:
+
+  - name: 'Create nullmailer account for {{ nullmailer__ldap_device_dn | join(",") }}'
+    dn: '{{ nullmailer__ldap_binddn }}'
+    objectClass: '{{ nullmailer__ldap_self_object_classes }}'
+    attributes: '{{ nullmailer__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if (nullmailer__ldap_enabled | bool and
+                   nullmailer__ldap_device_dn | d())
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` role.
+nullmailer__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ '{{ nullmailer__smtpd_port }}' ]
+    saddr: '{{ nullmailer__smtpd_allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'debops.nullmailer'
+    rule_state: '{{ "present"
+                    if (nullmailer__deploy_state | d("present") != "absent" and
+                        nullmailer__smtpd | bool) else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the :ref:`debops.tcpwrappers` Ansible role.
+nullmailer__tcpwrappers__dependent_allow:
+
+  - daemon: 'sendmail'
+    client: '{{ nullmailer__smtpd_allow }}'
+    accept_any: False
+    weight: '50'
+    filename: 'nullmailer_dependent_allow'
+    comment: 'Allow remote connections to SMTP server'
+    state: '{{ "present"
+               if (nullmailer__deploy_state | d("present") != "absent" and
+                   nullmailer__smtpd | bool) else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: nullmailer__dpkg_cleanup__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.dpkg_cleanup` Ansible role.
+nullmailer__dpkg_cleanup__dependent_packages:
+
+  - name: 'nullmailer'
+    remove_files:
+      - '{{ (nullmailer__configuration_files
+             | selectattr("dest", "defined")
+             | map(attribute="dest") | list)
+            | difference("/etc/mailname") }}'
+      - '{{ nullmailer__private_configuration_files
+            | selectattr("dest", "defined")
+            | map(attribute="dest") | list }}'
+      - '/etc/ferm/ferm.d/50_debops.nullmailer_accept_25.conf'
+      - '/etc/hosts.allow.d/50_nullmailer_dependent_allow'
+      - '/etc/xinetd.d/nullmailer-smtpd'
+      - '/etc/xinetd.d/nullmailer-smtpd6'
+    reload_services:
+      - 'xinetd'
+    restart_services:
+      - 'ferm'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/nullmailer/meta/main.yml b/ansible_collections/debops/debops/roles/nullmailer/meta/main.yml
new file mode 100644
index 00000000..87d46ea9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage nullmailer SMTP server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - nullmailer
+    - smtp
+    - mta
diff --git a/ansible_collections/debops/debops/roles/nullmailer/tasks/main.yml b/ansible_collections/debops/debops/roles/nullmailer/tasks/main.yml
new file mode 100644
index 00000000..f8568c3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (nullmailer__base_packages
+                              + nullmailer__smtpd_packages
+                              + nullmailer__packages)) }}'
+    state: 'present'
+  register: nullmailer__register_packages
+  until: nullmailer__register_packages is succeeded
+  when: nullmailer__deploy_state | d('present') != 'absent'
+
+- name: Purge other SMTP servers
+  ansible.builtin.apt:
+    name: '{{ nullmailer__purge_mta_packages | flatten }}'
+    state: 'absent'
+    purge: True
+  when: (nullmailer__deploy_state | d('present') != 'absent' and
+         nullmailer__purge_mta_packages)
+
+- name: Generate configuration files
+  ansible.builtin.copy:
+    dest:    '{{ item.dest }}'
+    content: "{{ (item.content + '\n') if item.content | d() else ('' if item.content is defined else omit) }}"
+    src:     '{{ item.src | d(omit) }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(omit) }}'
+    mode:    '{{ item.mode | d(omit) }}'
+  loop: '{{ q("flattened", nullmailer__configuration_files) }}'
+  notify: [ 'Restart nullmailer' ]
+  when: (nullmailer__deploy_state | d('present') != 'absent' and
+         (item.dest | d() and (item.src | d() or item.content is defined) and
+          item.state | d('present') != 'absent'))
+
+- name: Generate private configuration files
+  ansible.builtin.copy:
+    dest:    '{{ item.dest }}'
+    content: "{{ (item.content + '\n') if item.content | d() else omit }}"
+    src:     '{{ item.src | d(omit) }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(omit) }}'
+    mode:    '{{ item.mode | d(omit) }}'
+  loop: '{{ q("flattened", nullmailer__private_configuration_files) }}'
+  notify: [ 'Restart nullmailer' ]
+  when: (nullmailer__deploy_state | d('present') != 'absent' and
+         (item.dest | d() and (item.src | d() or item.content | d()) and
+          item.state | d('present') != 'absent'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove configuration files if requested
+  ansible.builtin.file:
+    path: '{{ item.dest }}'
+    state: 'absent'
+  loop: '{{ q("flattened", nullmailer__configuration_files) }}'
+  notify: [ 'Restart nullmailer' ]
+  when: (nullmailer__deploy_state | d('present') != 'absent' and
+         (item.dest | d() and (item.src | d() or item.content is defined) and
+          item.state | d('present') == 'absent'))
+
+- name: Remove private configuration files if requested
+  ansible.builtin.file:
+    path: '{{ item.dest }}'
+    state: 'absent'
+  loop: '{{ q("flattened", nullmailer__private_configuration_files) }}'
+  notify: [ 'Restart nullmailer' ]
+  when: (nullmailer__deploy_state | d('present') != 'absent' and
+         (item.dest | d() and (item.src | d() or item.content is defined) and
+          item.state | d('present') == 'absent'))
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Configure nullmailer services in xinetd
+  ansible.builtin.template:
+    src: 'etc/xinetd.d/{{ item }}.j2'
+    dest: '/etc/xinetd.d/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'nullmailer-smtpd'
+    - 'nullmailer-smtpd6'
+  notify: [ 'Reload xinetd' ]
+  when: (nullmailer__deploy_state | d('present') != 'absent' and nullmailer__smtpd | bool)
+
+- name: Disable nullmailer-smtpd service in xinetd
+  ansible.builtin.file:
+    path: '/etc/xinetd.d/{{ item }}'
+    state: 'absent'
+  loop:
+    - 'nullmailer-smtpd'
+    - 'nullmailer-smtpd6'
+  notify: [ 'Reload xinetd' ]
+  when: ((nullmailer__deploy_state | d() and nullmailer__deploy_state == 'absent') or
+         not nullmailer__smtpd | bool)
+
+- name: Remove old dpkg cleanup hook and script
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop:
+    - '/etc/dpkg/dpkg.cfg.d/debops-nullmailer'
+    - '/usr/local/lib/debops-nullmailer-dpkg-cleanup'
+  when: nullmailer__deploy_state | d('present') != 'absent'
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ nullmailer__dpkg_cleanup__dependent_packages }}'
+  when: nullmailer__deploy_state | d('present') != 'absent'
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::nullmailer:dpkg_cleanup' ]
diff --git a/ansible_collections/debops/debops/roles/nullmailer/tasks/main_env.yml b/ansible_collections/debops/debops/roles/nullmailer/tasks/main_env.yml
new file mode 100644
index 00000000..7f02e80f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/tasks/main_env.yml
@@ -0,0 +1,25 @@
+---
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if MTA is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg --get-selections
+              | grep -w -E '({{ nullmailer__skip_mta_packages | join("|") }})'
+              | awk '{print $1}' || true
+  args:
+    executable: '/bin/bash'
+  register: nullmailer__register_mta
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Set nullmailer deployment state
+  ansible.builtin.set_fact:
+    nullmailer__deploy_state: '{{ "present"
+                                  if (nullmailer__enabled | bool and
+                                      (not nullmailer__skip_mta | bool or not nullmailer__register_mta.stdout | d()))
+                                  else "absent" }}'
diff --git a/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd.j2 b/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd.j2
new file mode 100644
index 00000000..dc60b2ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+service sendmail
+{
+    disable        = {{ 'no' if nullmailer__smtpd | bool else 'yes' }}
+    bind           = {{ nullmailer__smtpd_bind }}
+    port           = {{ nullmailer__smtpd_port }}
+    socket_type    = stream
+    protocol       = tcp
+    wait           = no
+    user           = mail
+    server         = /usr/sbin/sendmail
+    server_args    = -bs
+    type           = unlisted
+    log_type       = SYSLOG mail info
+    log_on_failure = ATTEMPT
+}
diff --git a/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd6.j2 b/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd6.j2
new file mode 100644
index 00000000..d75baae8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/templates/etc/xinetd.d/nullmailer-smtpd6.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+service sendmail
+{
+    disable        = {{ 'no' if nullmailer__smtpd | bool else 'yes' }}
+    bind           = {{ nullmailer__smtpd_bind6 }}
+    port           = {{ nullmailer__smtpd_port }}
+    socket_type    = stream
+    protocol       = tcp
+    wait           = no
+    user           = mail
+    server         = /usr/sbin/sendmail
+    server_args    = -bs
+    type           = unlisted
+    log_type       = SYSLOG mail info
+    log_on_failure = ATTEMPT
+}
diff --git a/ansible_collections/debops/debops/roles/nullmailer/templates/lookup/nullmailer__remotes.j2 b/ansible_collections/debops/debops/roles/nullmailer/templates/lookup/nullmailer__remotes.j2
new file mode 100644
index 00000000..b6f854f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/nullmailer/templates/lookup/nullmailer__remotes.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set nullmailer__tpl_remotes = [] %}
+{% for entry in (nullmailer__default_remotes + nullmailer__remotes) %}
+{%   set nullmailer__tpl_entry = [] %}
+{%   if entry is string %}
+{%     set _ = nullmailer__tpl_remotes.append(entry) %}
+{%   elif entry is mapping and entry.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if entry.host | d() %}
+{%       set _ = nullmailer__tpl_entry.append(entry.host) %}
+{%       set _ = nullmailer__tpl_entry.append(entry.protocol | d('smtp')) %}
+{%       if ((entry.starttls | d(nullmailer__starttls) | bool) and (not entry.ssl | d() | bool) and (not entry.options | d())) %}
+{%         set _ = nullmailer__tpl_entry.append('--starttls') %}
+{%       endif %}
+{%       if entry.ssl | d() | bool %}
+{%         set _ = nullmailer__tpl_entry.append('--ssl') %}
+{%       endif %}
+{%       if entry.insecure | d() | bool %}
+{%         set _ = nullmailer__tpl_entry.append('--insecure') %}
+{%       endif %}
+{%       if entry.x509fmtder | d() | bool %}
+{%         set _ = nullmailer__tpl_entry.append('--x509fmtder') %}
+{%       endif %}
+{%       if entry.x509cafile | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--x509cafile=' + entry.x509cafile) %}
+{%       endif %}
+{%       if entry.x509certfile | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--x509certfile=' + entry.x509certfile) %}
+{%       endif %}
+{%       if entry.x509crlfile | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--x509crlfile=' + entry.x509crlfile) %}
+{%       endif %}
+{%       if entry.port | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--port=' + entry.port | string) %}
+{%       endif %}
+{%       if ((entry.auth | d() | bool) or (entry.auth_login | d() | bool)) %}
+{%         set _ = nullmailer__tpl_entry.append('--auth-login') %}
+{%       endif %}
+{%       if entry.user | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--user=' + entry.user) %}
+{%       endif %}
+{%       if entry.password | d() or entry.pass | d() %}
+{%         set _ = nullmailer__tpl_entry.append('--pass=' + (entry.password | d(entry.pass))) %}
+{%       endif %}
+{%       if entry.options | d() %}
+{%         set _ = nullmailer__tpl_entry.append(entry.options if entry.options is string else entry.options | join(' ')) %}
+{%       endif %}
+{%       set _ = nullmailer__tpl_remotes.append(nullmailer__tpl_entry | join(' ')) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% if nullmailer__tpl_remotes %}
+{%   for entry in nullmailer__tpl_remotes %}
+- '{{ entry }}'
+{%   endfor %}
+{% else %}
+- ''
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/opendkim/COPYRIGHT b/ansible_collections/debops/debops/roles/opendkim/COPYRIGHT
new file mode 100644
index 00000000..994cd570
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.opendkim - Manage OpenDKIM service using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/opendkim/defaults/main.yml b/ansible_collections/debops/debops/roles/opendkim/defaults/main.yml
new file mode 100644
index 00000000..2f65b178
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/defaults/main.yml
@@ -0,0 +1,448 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _opendkim__ref_defaults:
+
+# debops.opendkim default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, application version [[[
+# -------------------------------------
+
+# .. envvar:: opendkim__base_packages [[[
+#
+# List of APT packages to install for OpenDKIM support.
+opendkim__base_packages: [ 'opendkim', 'opendkim-tools' ]
+
+                                                                   # ]]]
+# .. envvar:: opendkim__packages [[[
+#
+# List of additional APT packages to install with OpenDKIM.
+opendkim__packages: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__version [[[
+#
+# The version of the installed OpenDKIM service, gathered automatically by
+# Ansible local facts.
+opendkim__version: '{{ ansible_local.opendkim.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application environment, Postfix support [[[
+# --------------------------------------------
+
+# .. envvar:: opendkim__user [[[
+#
+# The UNIX system account used by the OpenDKIM service.
+opendkim__user: 'opendkim'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__group [[[
+#
+# The UNIX system group used by the OpenDKIM service.
+opendkim__group: 'opendkim'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__postfix_integration [[[
+#
+# Enable or disable integration with Postfix SMTP server.
+# See :ref:`opendkim__ref_postfix` for more details.
+opendkim__postfix_integration: '{{ ansible_local.postfix.installed
+                                   if (ansible_local | d() and ansible_local.postfix | d() and
+                                       ansible_local.postfix.installed is defined)
+                                   else False }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__postfix_group [[[
+#
+# Name of the UNIX system group used by Postfix SMTP server. This variable is
+# used to create the OpenDKIM socket directory with correct access permissions
+# for Postfix.
+opendkim__postfix_group: '{{ ansible_local.postfix.system_group | d("postfix") }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__pidfile [[[
+#
+# Path to the PID file used by OpenDKIM.
+opendkim__pidfile: '/var/run/opendkim/opendkim.pid'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__socket [[[
+#
+# path to the UNIX socket used by OpenDKIM.
+opendkim__socket: '{{ "/var/spool/postfix/opendkim/opendkim.sock"
+                      if opendkim__postfix_integration | bool
+                      else "/var/run/opendkim/opendkim.sock" }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__domain [[[
+#
+# The main DNS domain used in the OpenDKIM configuration.
+opendkim__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__fqdn [[[
+#
+# The Fully Qualified Domain Name of the current host used in the OpenDKIM
+# configuration.
+opendkim__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__domainkeys_path [[[
+#
+# Directory where DomainKeys are stored on the remote host.
+opendkim__dkimkeys_path: '/etc/dkimkeys'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__default_key_size [[[
+#
+# The default size of the RSA DomainKeys generated by the role.
+opendkim__default_key_size: '2048'
+                                                                   # ]]]
+                                                                   # ]]]
+# DomainKeys configuration [[[
+# ----------------------------
+
+# These variables configure the DomainKeys used by OpenDKIM.
+# See :ref:`opendkim__ref_keys` for more details.
+
+# .. envvar:: opendkim__default_keys [[[
+#
+# The list of default DomainKeys configured by the role.
+opendkim__default_keys:
+
+  - name: 'mail'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__keys [[[
+#
+# List of DomainKeys which should be present on all hosts in the Ansible
+# inventory.
+opendkim__keys: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__group_keys [[[
+#
+# List of DomainKeys which should be present on hosts in specific Ansible
+# inventory group.
+opendkim__group_keys: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__host_keys [[[
+#
+# List of DomainKeys which should be present on specific hosts in the Ansible
+# inventory.
+opendkim__host_keys: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__combined_keys [[[
+#
+# This list combines the other DomainKey lists and is used in the Ansible
+# tasks.
+opendkim__combined_keys: '{{ opendkim__default_keys
+                             + opendkim__keys
+                             + opendkim__group_keys
+                             + opendkim__host_keys }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DKIM Signing Table [[[
+# ----------------------
+
+# These variables configure the OpenDKIM Signing Table, which specifies what
+# messages should be signed by which DomainKeys.
+# See :ref:`opendkim__ref_signing_table` for more details.
+
+# .. envvar:: opendkim__default_signing_table [[[
+#
+# List of default signing table entries defined by the role.
+opendkim__default_signing_table:
+
+  - name: 'mail'
+    from: '{{ opendkim__domain }}'
+    domain: '{{ opendkim__domain }}'
+    subdomains: True
+
+                                                                   # ]]]
+# .. envvar:: opendkim__signing_table [[[
+#
+# List of signing table entries which should be present on all hosts in the
+# Ansible inventory.
+opendkim__signing_table: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__group_signing_table [[[
+#
+# List of signing table entries which should be present on hosts in specific
+# Ansible inventory group.
+opendkim__group_signing_table: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__host_signing_table [[[
+#
+# List of signing table entries which should be present on specific hosts in
+# the Ansible inventory.
+opendkim__host_signing_table: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__combined_signing_table [[[
+#
+# The variable that combines all of the signing table list variables and is
+# used in the configuration template.
+opendkim__combined_signing_table: '{{ opendkim__default_signing_table
+                                      + opendkim__signing_table
+                                      + opendkim__group_signing_table
+                                      + opendkim__host_signing_table }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Trusted hosts [[[
+# -----------------
+
+# These variables define lists of "trusted hosts" which will be used in the
+# ``InternalHosts`` and ``ExternalIgnoreList`` configuration options.
+# See :ref:`opendkim__ref_trusted_hosts` for more details.
+
+# .. envvar:: opendkim__default_trusted_hosts [[[
+#
+# The default list of trusted hosts defined by the role.
+opendkim__default_trusted_hosts:
+  - '127.0.0.1'
+  - '::1'
+  - 'localhost'
+  - '{{ opendkim__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__trusted_hosts [[[
+#
+# The list of trusted hosts which should be defined on all hosts in the Ansible
+# inventory.
+opendkim__trusted_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__group_trusted_hosts [[[
+#
+# The list of trusted hosts which should be defined on hosts in specific
+# Ansible inventory group.
+opendkim__group_trusted_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__host_trusted_hosts [[[
+#
+# The list of trusted hosts which should be defined on specific hosts in the
+# Ansible inventory.
+opendkim__host_trusted_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__combined_trusted_hosts [[[
+#
+# The variable that combines all of the trusted host lists and passes them to
+# the configuration template.
+opendkim__combined_trusted_hosts: '{{ opendkim__default_trusted_hosts
+                                      + opendkim__trusted_hosts
+                                      + opendkim__group_trusted_hosts
+                                      + opendkim__host_trusted_hosts }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenDKIM main configuration [[[
+# -------------------------------
+
+# These variables define the contents of the :file:`/etc/opendkim.conf`
+# configuration file. See :ref:`opendkim__ref_config` for more details.
+
+# .. envvar:: opendkim__original_config [[[
+#
+# The configuration set by default by the Debian package after installation.
+opendkim__original_config:
+
+  - name: 'config-header'
+    comment: |
+      This is a basic configuration that can easily be adapted to suit a standard
+      installation. For more advanced options, see opendkim.conf(5) and/or
+      /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+    state: 'hidden'
+
+  - name: 'Syslog'
+    comment: 'Log to syslog'
+    value: True
+
+  - name: 'UMask'
+    comment: |
+      Required to use local socket with MTAs that access the socket as a non-
+      privileged user (e. g. Postfix)
+    value: '002'
+
+  - name: 'Domain'
+    comment: |
+      Sign for example.com with key in /etc/mail/dkim.key using
+      selector '2007' (e. g. 2007._domainkey.example.com)
+    value: 'example.com'
+    state: 'comment'
+
+  - name: 'KeyFile'
+    value: '/etc/mail/dkim.key'
+    state: 'comment'
+
+  - name: 'Selector'
+    value: '2007'
+    state: 'comment'
+
+  - name: 'Canonicalization'
+    comment: 'Commonly-used options; the commented-out versions show the defaults.'
+    value: 'simple'
+    state: 'comment'
+
+  - name: 'Mode'
+    value: 'sv'
+    state: 'comment'
+
+  - name: 'Subdomains'
+    value: False
+    state: 'comment'
+
+  - name: 'OversignHeaders'
+    comment: |
+      Always oversign From (sign using actual From and a null From to prevent
+      malicious signatures header fields (From and/or others) between the signer
+      and the verifier.  From is oversigned by default in the Debian package
+      because it is often the identity key used by reputation systems and thus
+      somewhat security sensitive.
+    value: [ 'From' ]
+
+  - name: 'ResolverConfiguration'
+    comment: |
+      ResolverConfiguration filename
+          default (none)
+
+      Specifies a configuration file to be passed to the Unbound library that
+      performs DNS queries applying the DNSSEC protocol.  See the Unbound
+      documentation at https://unbound.net/ for the expected content of this file.
+      The results of using this and the TrustAnchorFile setting at the same
+      time are undefined.
+      In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+      unbound package
+    value: '/etc/unbound/unbound.conf'
+    state: 'comment'
+
+  - name: 'TrustAnchorFile'
+    comment: |
+      TrustAnchorFile filename
+          default (none)
+
+      Specifies a file from which trust anchor data should be read when doing
+      DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+      at https://unbound.net/ for the expected format of this file.
+    value: '/usr/share/dns/root.key'
+
+                                                                   # ]]]
+# .. envvar:: opendkim__default_config [[[
+#
+# The OpenDKIM configuration defined by the ``debops.opendkim`` Ansible role.
+opendkim__default_config:
+
+  - name: 'ResolverConfiguration'
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.unbound | d() and
+                   (ansible_local.unbound.installed | d()) | bool)
+               else "ignore" }}'
+
+  - name: 'TrustAnchorFile'
+    state: '{{ "absent"
+               if (ansible_local | d() and ansible_local.unbound | d() and
+                   (ansible_local.unbound.installed | d()) | bool)
+               else "ignore" }}'
+
+  - name: 'Socket'
+    comment: 'Listen for connections in the Postfix chroot'
+    value: 'local:{{ opendkim__socket }}'
+    state: '{{ "present" if opendkim__postfix_integration | bool else "ignore" }}'
+
+  - name: 'UserID'
+    comment: 'Required by the systemd opendkim.service unit'
+    value: '{{ opendkim__user + ":" + opendkim__group }}'
+
+  - name: 'PidFile'
+    comment: 'Required by the systemd opendkim.service unit'
+    value: '/run/opendkim/opendkim.pid'
+
+  - name: 'KeyTable'
+    value: '{{ opendkim__dkimkeys_path + "/KeyTable" }}'
+    copy_id_from: 'Selector'
+    weight: 1
+
+  - name: 'SigningTable'
+    value: '{{ opendkim__dkimkeys_path + "/SigningTable" }}'
+    copy_id_from: 'KeyTable'
+    weight: 2
+
+  - name: 'InternalHosts'
+    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
+    copy_id_from: 'KeyTable'
+    weight: 3
+
+  - name: 'ExternalIgnoreList'
+    value: '{{ opendkim__dkimkeys_path + "/TrustedHosts" }}'
+    copy_id_from: 'KeyTable'
+    weight: 4
+
+                                                                   # ]]]
+# .. envvar:: opendkim__config [[[
+#
+# The configuration which should be set on all hosts in the Ansible inventory.
+opendkim__config: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__group_config [[[
+#
+# The configuration which should be set on hosts in specific Ansible inventory
+# group.
+opendkim__group_config: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__host_config [[[
+#
+# The configuration which should be set on specific hosts in the Ansible
+# inventory.
+opendkim__host_config: []
+
+                                                                   # ]]]
+# .. envvar:: opendkim__combined_config [[[
+#
+# The combined OpenDKIM configuration passed to the config file template.
+opendkim__combined_config: '{{ opendkim__original_config
+                               + opendkim__default_config
+                               + opendkim__config
+                               + opendkim__group_config
+                               + opendkim__host_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: opendkim__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration for :ref:`debops.postfix` Ansible role.
+opendkim__postfix__dependent_maincf:
+
+  - name: 'smtpd_milters'
+    value:
+      - name: 'unix:/opendkim/opendkim.sock'
+        weight: -300
+    state: 'present'
+
+  - name: 'non_smtpd_milters'
+    value:
+      - name: 'unix:/opendkim/opendkim.sock'
+        weight: -300
+    state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/opendkim/files/secret/opendkim/lib/extract-domainkey-zone b/ansible_collections/debops/debops/roles/opendkim/files/secret/opendkim/lib/extract-domainkey-zone
new file mode 100755
index 00000000..5f5532bd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/files/secret/opendkim/lib/extract-domainkey-zone
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Extract public RSA key from private DomainKeys and output it as a DNS zone
+# Usage: ./lib/extract-domainkey-zone <path/to/keys*.pem>
+
+
+set -o nounset -o pipefail -o errexit
+
+if [ $# -gt 0 ] ; then
+    for keyfile in "${@}" ; do
+        if [ -r "${keyfile}" ] && [[ "${keyfile}" == *_*.pem ]] ; then
+
+            filename=$( basename "${keyfile}" )
+            filename_stripped="${filename%.pem}"
+            domain="${filename_stripped%%_*}"
+            selector="${filename_stripped##*_}"
+            key=$( openssl rsa -in "${keyfile}" -pubout -outform pem 2>/dev/null | grep -v '^-' | sed -e 's/^\|$/"/g' -e '2,$s/^/\          /g' )
+
+            printf "%s._domainkey\\tIN\\tTXT\\t( \"v=DKIM1; k=rsa; \"\\n\\tp=%s )  ; ----- DKIM key %s for %s\\n" \
+                "${selector}" "${key}" "${selector}" "${domain}"
+        fi
+    done
+else
+    printf "%s\\n" "Output DNS zone with DNSSEC public keys
+
+Usage: ${0} path/to/*.pem
+The private keys need to be named using the '<domain>_<selector>.pem' format"
+    exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/opendkim/meta/main.yml b/ansible_collections/debops/debops/roles/opendkim/meta/main.yml
new file mode 100644
index 00000000..551d7bc4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure OpenDKIM service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smtp
+    - milter
+    - dkim
+    - spf
+    - dmarc
+    - mail
+    - security
+    - antispam
diff --git a/ansible_collections/debops/debops/roles/opendkim/tasks/main.yml b/ansible_collections/debops/debops/roles/opendkim/tasks/main.yml
new file mode 100644
index 00000000..2face6aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/tasks/main.yml
@@ -0,0 +1,169 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install OpenDKIM support
+  ansible.builtin.package:
+    name: '{{ q("flattened", (opendkim__base_packages
+                              + opendkim__packages)) }}'
+    state: 'present'
+  register: opendkim__register_packages
+  until: opendkim__register_packages is succeeded
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Divert original OpenDKIM configuration
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  loop:
+    - '/etc/opendkim.conf'
+    - '/etc/default/opendkim'
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Make sure Ansible local facts directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure OpenDKIM local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/opendkim.fact.j2'
+    dest: '/etc/ansible/facts.d/opendkim.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate OpenDKIM configuration from /etc
+  ansible.builtin.template:
+    src: 'etc/opendkim.conf.j2'
+    dest: '/etc/opendkim.conf'
+    owner: 'root'
+    group: '{{ opendkim__group }}'
+    mode: '0640'
+  notify: [ 'Check opendkim and reload' ]
+
+- name: Generate OpenDKIM configuration from /etc/default
+  ansible.builtin.template:
+    src: 'etc/default/opendkim.j2'
+    dest: '/etc/default/opendkim'
+    mode: '0644'
+  notify: [ 'Check opendkim and reload' ]
+
+- name: Ensure that opendkim.service.d directory exists
+  ansible.builtin.file:
+    path: '/etc/systemd/system/opendkim.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (ansible_service_mgr == 'systemd' and
+         ansible_distribution_release not in
+         ['trusty', 'xenial', 'bionic'])
+
+- name: Fix OpenDKIM issues with systemd
+  ansible.builtin.template:
+    src: 'etc/systemd/system/opendkim.service.d/pid-socket.conf.j2'
+    dest: '/etc/systemd/system/opendkim.service.d/pid-socket.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload service manager', 'Check opendkim and restart' ]
+  when: (ansible_service_mgr == 'systemd' and
+         ansible_distribution_release not in
+         ['trusty', 'xenial', 'bionic'])
+
+- name: Ensure that DomainKey directory exists
+  ansible.builtin.file:
+    path: '{{ opendkim__dkimkeys_path }}'
+    state: 'directory'
+    owner: '{{ opendkim__user }}'
+    group: '{{ opendkim__group }}'
+    mode: '0700'
+
+- name: Install helper scripts on Ansible Controller
+  ansible.builtin.copy:
+    src: 'secret/opendkim/lib/'
+    dest: '{{ secret + "/opendkim/lib/" }}'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  run_once: True
+
+- name: Generate DomainKeys on Ansible Controller
+  community.crypto.openssl_privatekey:
+    size:  '{{ item.size | d(opendkim__default_key_size) }}'
+    type:  '{{ (item.type | d("rsa")) | upper }}'
+    path:  '{{ secret + "/opendkim/domainkeys/"
+               + (item.domain | d(opendkim__domain)) + "_"
+               + (item.selector | d(item.name | d(item))) + ".pem" }}'
+    regenerate: '{{ item.regenerate | d("full_idempotence"
+                                        if ansible_version.full is version("2.10", ">=")
+                                        else omit) }}'
+  loop: '{{ q("flattened", opendkim__combined_keys) }}'
+  become: False
+  delegate_to: 'localhost'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove DomainKeys from hosts when requested
+  ansible.builtin.file:
+    path: '{{ opendkim__dkimkeys_path + "/"
+              + (item.domain | d(opendkim__domain)) + "_"
+              + (item.selector | d(item.name | d(item))) + ".pem" }}'
+    state: 'absent'
+  loop: '{{ q("flattened", opendkim__combined_keys) }}'
+  when: item.state | d('present') == 'absent'
+
+- name: Download DomainKeys from Ansible Controller
+  ansible.builtin.copy:
+    src:  '{{ secret + "/opendkim/domainkeys/"
+              + (item.domain | d(opendkim__domain)) + "_"
+              + (item.selector | d(item.name | d(item))) + ".pem" }}'
+    dest: '{{ opendkim__dkimkeys_path + "/"
+              + (item.domain | d(opendkim__domain)) + "_"
+              + (item.selector | d(item.name | d(item))) + ".pem" }}'
+    owner: 'root'
+    group: '{{ opendkim__group }}'
+    mode: '0640'
+  loop: '{{ q("flattened", opendkim__combined_keys) }}'
+  when: item.state | d('present') != 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate key configuration files
+  ansible.builtin.template:
+    src: 'etc/dkimkeys/{{ item }}.j2'
+    dest: '{{ opendkim__dkimkeys_path + "/" + item }}'
+    owner: 'root'
+    group: '{{ opendkim__group }}'
+    mode: '0640'
+  notify: [ 'Check opendkim and reload' ]
+  with_items: [ 'KeyTable', 'SigningTable', 'TrustedHosts' ]
+
+- name: Create OpenDKIM socket directory in Postfix chroot
+  ansible.builtin.file:
+    path: '/var/spool/postfix/opendkim'
+    state: 'directory'
+    owner: '{{ opendkim__user }}'
+    group: '{{ opendkim__postfix_group }}'
+    mode: '02750'
+  when: opendkim__postfix_integration | bool
+  notify: [ 'Check opendkim and restart' ]
diff --git a/ansible_collections/debops/debops/roles/opendkim/tasks/main_env.yml b/ansible_collections/debops/debops/roles/opendkim/tasks/main_env.yml
new file mode 100644
index 00000000..c0f51a1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare OpenDKIM environment
+  ansible.builtin.set_fact:
+    opendkim__secret__directories: '{{ lookup("template", "lookup/opendkim__secret__directories.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/ansible/facts.d/opendkim.fact.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/ansible/facts.d/opendkim.fact.j2
new file mode 100644
index 00000000..adf99d2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/ansible/facts.d/opendkim.fact.j2
@@ -0,0 +1,39 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+# The configuration file is diverted by Ansible before the fact
+# is executed for the first time. This way we can detect first
+# installation without additional Ansible tasks.
+output = {'installed': False}
+if os.path.isfile('/etc/opendkim.conf'):
+    output['installed'] = True
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        opendkim_stdout = subprocess.check_output(
+            ["/usr/sbin/opendkim -V"],
+            shell=True, stderr=devnull).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if opendkim_stdout:
+    for line in opendkim_stdout.split('\n'):
+        if 'OpenDKIM Filter' in line:
+            output['version'] = line.split()[3].lstrip('v')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/default/opendkim.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/default/opendkim.j2
new file mode 100644
index 00000000..982df8b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/default/opendkim.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Command-line options specified here will override the contents of
+# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
+#DAEMON_OPTS=""
+#
+# Uncomment to specify an alternate socket
+# Note that setting this will override any Socket value in opendkim.conf
+# default:
+SOCKET="local:{{ opendkim__socket }}"
+# listen on all interfaces on port 54321:
+#SOCKET="inet:54321"
+# listen on loopback on port 12345:
+#SOCKET="inet:12345@localhost"
+# listen on 192.0.2.1 on port 12345:
+#SOCKET="inet:12345@192.0.2.1"
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/KeyTable.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/KeyTable.j2
new file mode 100644
index 00000000..ac49c5b4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/KeyTable.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See opendkim.conf(5), 'KeyTable' parameter for more details
+
+{% for element in opendkim__combined_keys %}
+{%   if element.state | d('present') != 'absent' %}
+{%     set key_selector =   (element.selector | d(element.name | d(element))) %}
+{%     set key_domain =     (element.domain   | d(opendkim__domain)) %}
+{%     set key_id =         (key_domain + '_' + key_selector) %}
+{%     set key_path =       (opendkim__dkimkeys_path + '/' + key_id + '.pem') %}
+{{ '{:<50} {}:{}:{}'.format(key_id, key_domain, key_selector, key_path) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/SigningTable.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/SigningTable.j2
new file mode 100644
index 00000000..2bcf12d0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/SigningTable.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See opendkim.conf(5), 'SigningTable' parameter for more details
+
+{% for element in opendkim__combined_signing_table %}
+{%   if element.state | d('present') != 'absent' %}
+{{ '{} {}'.format(element.from, (element.domain | d(opendkim__domain)) + '_' + (element.selector | d(element.name))) }}
+{%     if ((element.subdomains | d(False)) | bool and not element.from.startswith('.')) %}
+{{ '{} {}'.format('.' + element.from, (element.domain | d(opendkim__domain)) + '_' + (element.selector | d(element.name))) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/TrustedHosts.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/TrustedHosts.j2
new file mode 100644
index 00000000..f79c626a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/dkimkeys/TrustedHosts.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See opendkim.conf(5), 'InternalHosts' parameter for more details
+
+{% for element in opendkim__combined_trusted_hosts %}
+{{ '{}'.format(element) }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/opendkim.conf.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/opendkim.conf.j2
new file mode 100644
index 00000000..90e6f471
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/opendkim.conf.j2
@@ -0,0 +1,72 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set opendkim__tpl_config = (opendkim__combined_config | debops.debops.parse_kv_config) %}
+{% set opendkim__tpl_sections = ((opendkim__tpl_config | map(attribute='section')) | list | unique) %}
+{% for section in opendkim__config_sections | d([ {'name': 'unknown'} ]) %}
+{%   if section.state | d('present') != 'absent' %}
+{%     set section_loop = [] %}
+{%     set section_comment_prefix = ('' if loop.first | bool else '\n') %}
+{%     if section.name in opendkim__tpl_sections %}
+{%       if section.title | d() %}
+
+{{ '{:-^70}'.format(' ' + section.title + ' ') | comment(prefix=section_comment_prefix, postfix='') }}
+{%       endif %}
+{%       for element in opendkim__tpl_config %}
+{%         if element.section == section.name and element.state | d('present') != 'absent' %}
+{%           set comment_prefix =   ('' if not section_loop else '\n') %}
+{%           set option_commented = ('#' if element.state | d('present') == 'comment' else '') %}
+{%           set option_indent =    ('27' if element.state | d('present') == 'comment' else '28') %}
+{%           set element_name =     (element.option | d(element.name)) %}
+{%           if element.value is defined %}
+{%             if element.value | bool and element.value is not iterable %}
+{%               if element.value | int and element.value | string != 'True' %}
+{%                 set element_value = element.value %}
+{%               else %}
+{%                 set element_value = 'yes' %}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int or element.value | string == '0' %}
+{%                   set element_value = element.value %}
+{%                 else %}
+{%                   set element_value = 'no' %}
+{%                 endif %}
+{%               endif %}
+{%             elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%               set element_value = [] %}
+{%               for option in element.value %}
+{%                 if option.state | d('present') != 'absent' %}
+{%                   set _ = element_value.append(option.name) %}
+{%                 endif %}
+{%               endfor %}
+{%             else %}
+{%               set element_value = element.value %}
+{%             endif %}
+{%           else %}
+{%             set element_value = [] %}
+{%           endif %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix=comment_prefix, postfix='') -}}
+{%             if element.state | d('present') == 'hidden' %}
+
+{%             endif %}
+{%           elif element.separator is defined and element.separator | bool %}
+
+{%           endif %}
+{%           if element.state | d('present') != 'hidden' %}
+{%             if element_value is not string and element_value is not mapping and element_value is iterable %}
+{{ ('{}{:<' + option_indent + '} {}').format(option_commented, element_name, element_value | join(',')) }}
+{%             else %}
+{{ ('{}{:<' + option_indent + '} {}').format(option_commented, element_name, element_value) }}
+{%             endif %}
+{%             set _ = section_loop.append(True) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/etc/systemd/system/opendkim.service.d/pid-socket.conf.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/etc/systemd/system/opendkim.service.d/pid-socket.conf.j2
new file mode 100644
index 00000000..f8be8f33
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/etc/systemd/system/opendkim.service.d/pid-socket.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Fix issues with OpenDKIM on Debian Stretch
+# https://unix.stackexchange.com/questions/351584/
+
+# Empty 'ExecStart=' is require to reset the current value since ExecStart can
+# be present multiple times in an unit, and we don't want that.
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf -P {{ opendkim__pidfile }} -p local:{{ opendkim__socket }}
diff --git a/ansible_collections/debops/debops/roles/opendkim/templates/lookup/opendkim__secret__directories.j2 b/ansible_collections/debops/debops/roles/opendkim/templates/lookup/opendkim__secret__directories.j2
new file mode 100644
index 00000000..e0769965
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opendkim/templates/lookup/opendkim__secret__directories.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+  - 'opendkim/domainkeys'
+  - 'opendkim/lib'
diff --git a/ansible_collections/debops/debops/roles/opensearch/COPYRIGHT b/ansible_collections/debops/debops/roles/opensearch/COPYRIGHT
new file mode 100644
index 00000000..988958a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/COPYRIGHT
@@ -0,0 +1,18 @@
+debops.opensearch - Install and manage OpenSearch
+
+Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+Copyright (C) 2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
diff --git a/ansible_collections/debops/debops/roles/opensearch/defaults/main.yml b/ansible_collections/debops/debops/roles/opensearch/defaults/main.yml
new file mode 100644
index 00000000..4e9c5145
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/defaults/main.yml
@@ -0,0 +1,262 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _opensearch__ref_defaults:
+
+# debops.opensearch default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General [[[
+# -----------
+
+# .. envvar:: opensearch__version [[[
+#
+# The OpenSearch version to install.
+opensearch__version: '2.2.0'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__tarball [[[
+#
+# The name of the OpenSearch release tarball.
+opensearch__tarball: 'opensearch-{{ opensearch__version }}-linux-x64.tar.gz'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__installation_directory [[[
+#
+# The directory where the OpenSearch release tarball should be extracted.
+opensearch__installation_directory: '/usr/local/share/opensearch'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__user [[[
+#
+# Name of the UNIX user account used by OpenSearch.
+opensearch__user: 'opensearch'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__group [[[
+#
+# Name of the UNIX primary group used by OpenSearch.
+opensearch__group: 'opensearch'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: opensearch__allow_http [[[
+#
+# List of IP addresses or CIDR subnets that can connect to the OpenSearch HTTP
+# service. This does not need to be set to allow the nodes to communicate.
+# If this list is empty, nobody can connect to the HTTP server directly.
+opensearch__allow_http: []
+
+                                                                   # ]]]
+# .. envvar:: opensearch__allow_tcp [[[
+#
+# List of IP addresses or CIDR subnets that can connect to the OpenSearch TCP
+# transport port. This variable needs to be set to allow nodes to communicate.
+# If this list is empty, nobody can connect to the transport port and the
+# OpenSearch service is configured in a standalone mode.
+opensearch__allow_tcp: []
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenSearch network options [[[
+# ---------------------------------
+
+# .. envvar:: opensearch__http_port [[[
+#
+# The port on which OpenSearch will listen for HTTP connections.
+opensearch__http_port: '9200'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__transport_tcp_port [[[
+#
+# The port on which OpenSearch will listen for TCP transport connections.
+opensearch__transport_tcp_port: '9300'
+                                                                   # ]]]
+                                                                   # ]]]
+# Memory options [[[
+# ------------------
+
+# The variables below configure JVM memory allocation options. See
+# https://opensearch.org/docs/latest/opensearch/install/important-settings/
+# for more details.
+
+# .. envvar:: opensearch__memory_lock [[[
+#
+# Enable or disable memory lock depending on availability of required POSIX
+# capabilities. If this variable is enabled, :command:`systemd` memlock limit
+# is configured.
+opensearch__memory_lock: '{{ True
+                                if (not (ansible_system_capabilities_enforced | d()) | bool or
+                                    ((ansible_system_capabilities_enforced | d()) | bool and
+                                     "cap_ipc_lock" in (ansible_system_capabilities | d([]))))
+                                else False }}'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__jvm_memory_heap_size_multiplier [[[
+#
+# This variable defines a float value which will be used to select the JVM heap
+# size depending on the size of the available system RAM.
+opensearch__jvm_memory_heap_size_multiplier: '{{ "0.2"
+                                                    if (ansible_memtotal_mb | int / 2 <= 2048)
+                                                    else "0.45" }}'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__jvm_memory_min_heap_size [[[
+#
+# Specify the minimum JVM heap size, depending on the available system RAM.
+opensearch__jvm_memory_min_heap_size: '{{ (((ansible_memtotal_mb | int
+                                               * opensearch__jvm_memory_heap_size_multiplier | float)
+                                               | round | int) | string + "m")
+                                             if (ansible_memtotal_mb | int / 2 <= 32768)
+                                             else "32600m" }}'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__jvm_memory_max_heap_size [[[
+#
+# Specify the maximum JVM heap size, depending on the available system RAM.
+# This usually should be the same as the minimum heap size, for performance
+# reasons.
+opensearch__jvm_memory_max_heap_size: '{{ opensearch__jvm_memory_min_heap_size }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenSearch configuration [[[
+# ----------------------------
+
+# .. envvar:: opensearch__default_configuration [[[
+#
+# Default configuration provided by this role.
+opensearch__default_configuration:
+
+  - name: 'cluster.name'
+    comment: 'Use a descriptive name for your cluster'
+    value: '{{ ansible_domain | replace(".", "-") }}'
+
+  - name: 'node.name'
+    comment: 'Use a descriptive name for the node'
+    value: '{{ ansible_hostname }}'
+
+  - name: 'path.data'
+    comment: |
+      Path to directory where to store the data (separate multiple locations by
+      comma)
+    value: '/var/local/opensearch'
+
+  - name: 'path.logs'
+    comment: 'Path to log files'
+    value: '/var/log/opensearch'
+
+  - name: 'plugins.security.disabled'
+    comment: 'Disable TLS support'
+    value: True
+
+  - name: 'bootstrap.memory_lock'
+    comment: 'Lock the memory on startup'
+    value: '{{ True if opensearch__memory_lock | bool else False }}'
+
+  - name: 'cluster.initial_master_nodes'
+    comment: |
+      Bootstrap the cluster using an initial set of master-eligible nodes
+    value: [ '{{ ansible_hostname }}' ]
+
+                                                                   # ]]]
+# .. envvar:: opensearch__configuration [[[
+#
+# Configuration to apply to all OpenSearch hosts.
+opensearch__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: opensearch__group_configuration [[[
+#
+# Configuration to apply to all OpenSearch hosts in the inventory group.
+opensearch__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: opensearch__host_configuration [[[
+#
+# Configuration to apply to individual OpenSearch hosts.
+opensearch__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: opensearch__combined_configuration [[[
+#
+# Combined OpenSearch configuration.
+opensearch__combined_configuration: '{{ opensearch__default_configuration
+                                        + opensearch__configuration
+                                        + opensearch__group_configuration
+                                        + opensearch__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: opensearch__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+opensearch__etc_services__dependent_list:
+
+  - name: 'opensearch-http'
+    port: '{{ opensearch__http_port }}'
+
+  - name: 'opensearch-tcp'
+    port: '{{ opensearch__transport_tcp_port }}'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+opensearch__keyring__dependent_gpg_keys:
+
+  - id: 'C5B7 4989 65EF D1C2 924B  A9D5 39D3 1987 9310 D3FC'
+    url: 'https://artifacts.opensearch.org/publickeys/opensearch.pgp'
+    user: '{{ opensearch__user }}'
+    group: '{{ opensearch__group }}'
+    home: '/var/local/opensearch'
+
+                                                                   # ]]]
+# .. envvar:: opensearch__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+opensearch__sysctl__dependent_parameters:
+
+  - name: 'opensearch'
+    weight: 80
+    options:
+
+      - name: 'vm.max_map_count'
+        comment: |
+          The OpenSearch documentation recommends setting this as the minimum
+          for production workloads, see
+          https://opensearch.org/docs/latest/opensearch/install/important-settings/
+        value: 262144
+
+                                                                   # ]]]
+# .. envvar:: opensearch__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+opensearch__ferm__dependent_rules:
+
+  - name: 'opensearch_http'
+    type: 'accept'
+    dport: '{{ opensearch__http_port }}'
+    saddr: '{{ opensearch__allow_http }}'
+    accept_any: False
+
+  - name: 'opensearch_tcp'
+    type: 'accept'
+    dport: '{{ opensearch__transport_tcp_port }}'
+    saddr: '{{ opensearch__allow_tcp }}'
+    accept_any: False
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/opensearch/meta/main.yml b/ansible_collections/debops/debops/roles/opensearch/meta/main.yml
new file mode 100644
index 00000000..e99fd4e0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/meta/main.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Imre Jonk, CipherMail B.V.'
+  description: 'Install and manage OpenSearch'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.10.0'
+  platforms:
+    - name: 'Debian'
+      versions:
+        - 'bullseye'
+  galaxy_tags:
+    - 'database'
+    - 'nosql'
+    - 'opensearch'
diff --git a/ansible_collections/debops/debops/roles/opensearch/meta/watch-opensearch b/ansible_collections/debops/debops/roles/opensearch/meta/watch-opensearch
new file mode 100644
index 00000000..1e39c400
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/meta/watch-opensearch
@@ -0,0 +1,10 @@
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Role: opensearch
+# Package: opensearch
+# Version: 2.2.0
+
+version=4
+https://github.com/opensearch-project/OpenSearch/tags \/opensearch-project\/OpenSearch\/releases\/tag\/(\d+\.\d+\.\d+)
diff --git a/ansible_collections/debops/debops/roles/opensearch/tasks/main.yml b/ansible_collections/debops/debops/roles/opensearch/tasks/main.yml
new file mode 100644
index 00000000..389e128a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/tasks/main.yml
@@ -0,0 +1,145 @@
+---
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ opensearch__user }}'
+    group: '{{ opensearch__group }}'
+    mode: '0750'
+  loop:
+    - '/etc/opensearch'
+    - '/var/local/opensearch'
+    - '/var/log/opensearch'
+
+- name: Install OpenSearch from upstream release
+  when: ansible_local.opensearch.version | d("0.0.0") != opensearch__version
+  block:
+
+    - name: Download release files
+      ansible.builtin.get_url:
+        url: 'https://artifacts.opensearch.org/releases/bundle/opensearch/{{ opensearch__version + "/" + item }}'
+        dest: '/var/tmp/{{ item }}'
+        mode: '0644'
+      loop:
+        - '{{ opensearch__tarball }}'
+        - '{{ opensearch__tarball }}.sig'
+
+    - name: Verify release tarball
+      ansible.builtin.command: >-
+        gpg --verify /var/tmp/{{ opensearch__tarball }}.sig
+      become: True
+      become_user: '{{ opensearch__user }}'
+      changed_when: False
+
+    - name: Stop service
+      ansible.builtin.service:
+        name: 'opensearch'
+        state: 'stopped'
+
+    - name: Remove old installation directory
+      ansible.builtin.file:
+        path: '{{ opensearch__installation_directory }}'
+        state: 'absent'
+
+    - name: Create new installation directory
+      ansible.builtin.file:
+        path: '{{ opensearch__installation_directory }}'
+        state: 'directory'
+        mode: '0755'
+
+    - name: Extract release tarball
+      ansible.builtin.unarchive:
+        src: '/var/tmp/{{ opensearch__tarball }}'
+        dest: '{{ opensearch__installation_directory }}'
+        remote_src: True
+        owner: 'root'
+        group: 'root'
+        mode: 'u=rwX,g=rX,o=rX'
+        extra_opts:
+          - '--strip-components=1'
+      notify: [ 'Refresh host facts', 'Restart opensearch' ]
+
+    - name: Install new configuration files
+      ansible.builtin.copy:
+        src: '{{ opensearch__installation_directory }}/config/'
+        dest: '/etc/opensearch'
+        remote_src: True
+        owner: 'root'
+        group: '{{ opensearch__group }}'
+        mode: '0640'
+
+- name: Configure OpenSearch and the JVM
+  ansible.builtin.template:
+    src: 'etc/opensearch/{{ item }}.j2'
+    dest: '/etc/opensearch/{{ item }}'
+    owner: 'root'
+    group: '{{ opensearch__group }}'
+    mode: '0640'
+  loop:
+    - 'jvm.options'
+    - 'opensearch.yml'
+  notify: [ 'Restart opensearch' ]
+
+- name: Remove redundant configuration directory
+  ansible.builtin.file:
+    path: '{{ opensearch__installation_directory }}/config'
+    state: 'absent'
+
+- name: Symlink log directory
+  ansible.builtin.file:
+    path: '{{ opensearch__installation_directory }}/logs'
+    src: '/var/log/opensearch'
+    state: 'link'
+    force: True
+
+- name: Generate systemd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/system/opensearch.service.j2'
+    dest: '/etc/systemd/system/opensearch.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/opensearch.fact.j2'
+    dest: '/etc/ansible/facts.d/opensearch.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Flush handlers
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Start service
+  ansible.builtin.service:
+    name: 'opensearch'
+    state: 'started'
+    enabled: True
+
+- name: Clean up release files
+  ansible.builtin.file:
+    path: '/var/tmp/{{ item }}'
+    state: 'absent'
+  loop:
+    - '{{ opensearch__tarball }}'
+    - '{{ opensearch__tarball }}.sig'
diff --git a/ansible_collections/debops/debops/roles/opensearch/templates/etc/ansible/facts.d/opensearch.fact.j2 b/ansible_collections/debops/debops/roles/opensearch/templates/etc/ansible/facts.d/opensearch.fact.j2
new file mode 100644
index 00000000..dc01de31
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/templates/etc/ansible/facts.d/opensearch.fact.j2
@@ -0,0 +1,26 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from json import dumps
+import re
+
+output = {}
+
+try:
+    # Search the manifest file for the version number. Return on first match.
+    for line in open('{{ opensearch__installation_directory }}/manifest.yml'):
+        match = re.search(r"^\s*version: (\d+\.\d+\.\d+)$", line)
+        if match:
+            output['version'] = match.group(1)
+            break
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/jvm.options.j2 b/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/jvm.options.j2
new file mode 100644
index 00000000..fff620fa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/jvm.options.j2
@@ -0,0 +1,85 @@
+{# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://opensearch.org/docs/opensearch/install/important-settings/
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms{{ opensearch__jvm_memory_min_heap_size }}
+-Xmx{{ opensearch__jvm_memory_max_heap_size }}
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-10:-XX:+UseConcMarkSweepGC
+8-10:-XX:CMSInitiatingOccupancyFraction=75
+8-10:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10:-XX:-UseConcMarkSweepGC
+# 10:-XX:-UseCMSInitiatingOccupancyOnly
+11-:-XX:+UseG1GC
+11-:-XX:G1ReservePercent=25
+11-:-XX:InitiatingHeapOccupancyPercent=30
+
+## JVM temporary directory
+-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps; ensure the directory exists and
+# has sufficient space
+-XX:HeapDumpPath=data
+
+# specify an alternative path for JVM fatal error logs
+-XX:ErrorFile=logs/hs_err_pid%p.log
+
+## JDK 8 GC logging
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:logs/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
+
+# JDK 9+ GC logging
+9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m
+
+# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
+18-:-Djava.security.manager=allow
diff --git a/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/opensearch.yml.j2 b/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/opensearch.yml.j2
new file mode 100644
index 00000000..212fef8a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/templates/etc/opensearch/opensearch.yml.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{%  for element in opensearch__combined_configuration | debops.debops.parse_kv_items %}
+{%      if element.state == "present" %}
+{%          if element.comment|d() %}
+{{ element.comment | regex_replace('$\n', '') | comment(prefix='', postfix='') -}}
+{%          endif %}
+{%          if element.value is boolean or element.value is integer %}
+{{ element.name }}: {{ element.value }}
+{%          elif element.value is string %}
+{{ element.name }}: "{{ element.value }}"
+{%          elif element.value is iterable %}
+{{ element.name }}: [ "{{ element.value | join('", "') }}" ]
+{%          endif %}
+
+{%      endif %}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/opensearch/templates/etc/systemd/system/opensearch.service.j2 b/ansible_collections/debops/debops/roles/opensearch/templates/etc/systemd/system/opensearch.service.j2
new file mode 100644
index 00000000..d357665b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/opensearch/templates/etc/systemd/system/opensearch.service.j2
@@ -0,0 +1,63 @@
+{# Copyright (C) 2022 CipherMail B.V. <https://www.ciphermail.com/>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=OpenSearch
+Documentation=https://opensearch.org/docs/latest
+Requires=network.target remote-fs.target
+After=network.target remote-fs.target
+ConditionPathExists={{ opensearch__installation_directory }}
+ConditionPathExists=/var/local/opensearch
+
+[Service]
+Environment=OPENSEARCH_HOME={{ opensearch__installation_directory }}
+Environment=OPENSEARCH_PATH_CONF=/etc/opensearch
+ReadWritePaths=/var/log/opensearch
+
+WorkingDirectory={{ opensearch__installation_directory }}
+
+User={{ opensearch__user }}
+Group={{ opensearch__group }}
+
+ExecStart=/usr/local/share/opensearch/bin/opensearch
+
+# Specifies the maximum file descriptor number that can be opened by this
+# process
+LimitNOFILE=65535
+
+# Specifies the maximum number of processes
+LimitNPROC=4096
+
+# Specifies the maximum size of virtual memory
+LimitAS=infinity
+
+# Specifies the maximum file size
+LimitFSIZE=infinity
+
+# Specifies the maximum size that may be locked into memory
+LimitMEMLOCK=infinity
+
+# Disable timeout logic and wait until process is stopped
+TimeoutStopSec=0
+
+# SIGTERM signal is used to stop the Java process
+KillSignal=SIGTERM
+
+# Send the signal only to the JVM rather than its control group
+KillMode=process
+
+# Java process is never killed
+SendSIGKILL=no
+
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+# Allow a slow startup before the systemd notifier module kicks in to extend
+# the timeout
+TimeoutStartSec=180
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/owncloud/COPYRIGHT b/ansible_collections/debops/debops/roles/owncloud/COPYRIGHT
new file mode 100644
index 00000000..51425aa1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.owncloud - Install and manage ownCloud instances
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+Copyright (C) 2015-2022 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/owncloud/defaults/main.yml b/ansible_collections/debops/debops/roles/owncloud/defaults/main.yml
new file mode 100644
index 00000000..c9043c8c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/defaults/main.yml
@@ -0,0 +1,2464 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# .. Copyright (C) 2015-2023 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _owncloud__ref_defaults:
+
+# Default variables
+# =================
+
+# .. include:: ../../../../includes/global.rst
+# .. include:: ../includes/role.rst
+#    :start-line: 8
+
+# .. contents:: Sections
+#    :local:
+#
+# .. Role maintainer note:
+# .. The official ownCloud documentation is also written is RST.
+# .. https://github.com/owncloud/documentation/tree/master/admin_manual
+# .. https://github.com/nextcloud/documentation/tree/master/admin_manual
+
+# .. Packages and installation [[[1
+#
+# -----------------------------
+#   Packages and installation
+# -----------------------------
+
+# .. envvar:: owncloud__base_packages
+#
+# List of base packages required by ownCloud.
+owncloud__base_packages:
+  - '{{ ["owncloud-complete-files"]
+        if (owncloud__variant == "owncloud")
+        else [] }}'
+  - '{{ ["curl", "unzip"]
+        if (owncloud__variant == "nextcloud")
+        else [] }}'
+
+  # There are no Debian packages for Nextcloud yet unfortunately.
+
+  ## https://doc.owncloud.org/server/10.3/admin_manual/installation/source_installation.html
+  ## FIXME: Collaborative document editing in ownCloud is now done with Collabora Online.
+  ## FIXME: Is it necessary to install all LibreOffice packages? https://github.com/owncloud/documents#known-issues
+  ## Upstream documentation does not specify it more clearly. Installing ``libreoffice`` just to be sure.
+  - '{{ ["libreoffice"] if (owncloud__app_documents_libreoffice_enabled | bool) else [] }}'
+
+  ## Useful for debugging. Refer to `owncloud__base_php_packages` for the PHP packages
+  - '{{ ["smbclient"] if (owncloud__smb_support | bool) else [] }}'
+  - '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("9.0", ">=")) else [] }}'
+
+
+# .. envvar:: owncloud__required_php_packages
+#
+# List of PHP packages required by Nextcloud.
+# Refer to the `official Nextcloud documentation <https://docs.nextcloud.com/server/23/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation>`__ for details.
+owncloud__required_php_packages:
+  # Included in base install:
+  # - 'ctype'
+
+  # - 'dom'
+
+  - 'iconv'
+  - 'gd'
+  - 'json'
+
+  - 'xml'
+  # Included in the `xml` Debian package:
+  # - 'SimpleXML'
+  # - 'XMLWriter'
+
+  # - 'posix'
+  # - 'zlib'
+
+  - 'bcmath'
+  - 'gmp'
+
+# .. envvar:: owncloud__recommended_php_packages
+#
+# List of PHP packages recommended by Nextcloud.
+# Refer to the `official Nextcloud documentation <https://docs.nextcloud.com/server/17/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation>`__ for details.
+owncloud__recommended_php_packages:
+  - 'curl'
+  - 'bz2'
+  - 'mcrypt'
+
+  # Recommended/Optional: SFTP storage
+  - 'gmp'
+
+
+# .. envvar:: owncloud__base_php_packages
+#
+# List of base PHP packages required by ownCloud.
+owncloud__base_php_packages:
+  - '{{ owncloud__required_php_packages
+        if (owncloud__variant == "nextcloud")
+        else [] }}'
+
+  - 'mbstring'
+  - 'zip'
+  - '{{ ["php-xml", "php-apcu", "php7.4-mysql", "php7.4-redis"] if (owncloud__variant != "nextcloud") else [] }}'
+
+  ## Required for the "OpenOTP Two Factor Authentication" (twofactor_rcdevsopenotp) as of NC 14.
+  - 'ldap'
+  - 'soap'
+
+  - '{{ ["apcu"] if (owncloud__apcu_enabled | bool) else [] }}'
+  - '{{ ["mysql"] if (owncloud__database in ["mariadb", "mysql"]) else [] }}'
+  - '{{ ["pgsql"] if (owncloud__database in ["postgresql"]) else [] }}'
+  - '{{ ["redis"] if (owncloud__redis_enabled | bool) else [] }}'
+
+  ## Seems to be required at least for PHP7.0 to fix:
+  ## PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/redis.so'
+  ## - /usr/lib/php/20151012/redis.so: undefined symbol: igbinary_serialize in Unknown on line 0
+  - '{{ ["igbinary"]
+        if (not (ansible_distribution == "Ubuntu" and (ansible_distribution_version is version_compare("15.10", "<"))))
+        else [] }}'
+
+  - '{{ ["libsmbclient"] if (owncloud__smb_support | bool and owncloud__release is version_compare("8.9.9", "<=")) else [] }}'
+
+  ## Included in normal PHP installations but require it here because it is
+  ## used internally by the role:
+  - 'json'
+
+
+# .. envvar:: owncloud__optional_php_packages
+#
+# List of recommended/optional PHP packages for ownCloud.
+owncloud__optional_php_packages:
+  - '{{ owncloud__recommended_php_packages
+        if (owncloud__variant == "nextcloud")
+        else [] }}'
+  - 'intl'
+  - 'imagick'
+
+
+# .. envvar:: owncloud__packages
+#
+# List of global packages for ownCloud.
+# This variable is intended to be used in Ansible’s global inventory.
+owncloud__packages: []
+
+
+# .. envvar:: owncloud__group_packages
+#
+# List of group packages for ownCloud.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+owncloud__group_packages: []
+
+
+# .. envvar:: owncloud__host_packages
+#
+# List of host packages for ownCloud.
+# This variable is intended to be used in the inventory of hosts.
+owncloud__host_packages: []
+
+
+# .. envvar:: owncloud__dependent_packages
+#
+# List of APT packages to install for other Ansible roles, for usage as
+# a dependent role.
+owncloud__dependent_packages: []
+
+
+# .. envvar:: owncloud__deploy_state
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that ownCloud is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that owncloud is uninstalled and it's configuration is removed.
+#   Not fully supported yet.
+#   FIXME: This would remove all packages that are installed by the role!
+#   Package lists need to be split.
+#
+owncloud__deploy_state: 'present'
+
+
+# .. Nextcloud user account [[[
+#
+# --------------------------
+#   Nextcloud user account
+# --------------------------
+
+# .. envvar:: owncloud__system_user [[[
+#
+# Name of the system account which will perform archive
+# verification using the OpenPGP signature.
+owncloud__system_user: 'nextcloud'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__system_group [[[
+#
+# Name of the primary system group of the Nextcloud account.
+owncloud__system_group: 'nextcloud'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__system_home [[[
+#
+# Path to the home directory of the Nextcloud account.
+owncloud__system_home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                           + "/" + owncloud__system_user }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__comment [[[
+#
+# The GECOS string set for the Nextcloud account.
+owncloud__comment: 'Nextcloud Application Manager'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__shell [[[
+#
+# The default shell of the Nextcloud account.
+owncloud__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. Base directory paths [[[
+#
+# ------------------------
+#   Base directory paths
+# ------------------------
+
+# .. envvar:: owncloud__src [[[
+#
+# Base path to the directory with application archives, their hash
+# signatures and OpenPGP signatures.
+owncloud__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                   + "/" + owncloud__system_user }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# .. Nextcloud installation [[[
+#
+# --------------------------
+#   Nextcloud installation
+# --------------------------
+
+# .. envvar:: owncloud__upstream_key_fingerprint [[[
+#
+# The OpenPGP key fingerprint for the key by which the Nextcloud release
+# tarballs are signed.
+owncloud__upstream_key_fingerprint: '2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A'
+                                                                   # ]]]
+# .. envvar:: owncloud__keyserver [[[
+#
+# URL of the OpenPGP keyserver used to obtain OpenPGP keys.
+owncloud__keyserver: '{{ ansible_local.keyring.keyserver | d("hkp://keyserver.ubuntu.com") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. ownCloud upgrades [[[1
+#
+# ---------------------
+#   ownCloud upgrades
+# ---------------------
+#
+# .. warning:: Auto upgrading is deprecated. If you want this, add support for
+#    https://github.com/nextcloud/docker to this Ansible role.
+
+
+# .. ownCloud source and deployment [[[1
+#
+# ----------------------------------
+#   ownCloud source and deployment
+# ----------------------------------
+
+# .. envvar:: owncloud__variant
+#
+# Which variant of the application should be used?
+#
+# Supported variants:
+#
+# * ``owncloud`` (legacy variant, not recommended for new deployments, not well tested)
+# * ``nextcloud`` (Main supported variant in the future. Currently supported on Debian stretch, refer to `issue 45 <https://github.com/debops/ansible-owncloud/issues/45>`_ for details)
+#
+owncloud__variant: '{{ ansible_local.owncloud.variant | d("nextcloud") }}'
+
+
+# .. envvar:: owncloud__variant_download_url_map
+#
+# URL map for :envvar:`owncloud__variant`.
+# Used to download the software.
+owncloud__variant_download_url_map:
+  nextcloud: 'https://download.nextcloud.com/server/releases'
+
+
+# .. envvar:: owncloud__variant_url_map
+#
+# Homepage URL map for :envvar:`owncloud__variant`.
+# Used when referring to the software.
+owncloud__variant_url_map:
+  owncloud: 'https://owncloud.org/'
+  nextcloud: 'https://nextcloud.com/'
+
+
+# .. envvar:: owncloud__variant_name_map
+#
+# Name map for :envvar:`owncloud__variant`.
+# Used when referring to the software.
+owncloud__variant_name_map:
+  owncloud: 'ownCloud'
+  nextcloud: 'Nextcloud'
+
+
+# .. envvar:: owncloud__release
+#
+# Defaults to the latest stable release supported and tested with this role.
+# This may not always be the latest stable release.
+#
+# Supported releases:
+#
+# * Nextcloud ``24.0``
+#
+# Upcoming:
+#
+# * Nextcloud ``25.0`` (Implemented based on documentation changes but untested).
+#
+# Unsupported:
+#
+# * ownCloud ``10.4`` (Not supported in the latest version of DebOps due to lack of maintainers. Use DebOps v2.2.x if you need it and consider becoming a maintainer.)
+#
+# For Nextcloud refer to the `Nextcloud Maintenance and Release Schedule <https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule>`_.
+# and the `Nextcloud Server Changelog <https://nextcloud.com/changelog/>`_.
+#
+# For ownCloud refer to the `ownCloud Maintenance and Release Schedule <https://github.com/owncloud/core/wiki/Maintenance-and-Release-Schedule>`_
+# and the `package index <https://download.owncloud.org/download/repositories/>`_ for more details.
+owncloud__release: '{{ "10"
+                       if (owncloud__variant == "owncloud")
+                       else "24.0" }}'
+
+
+# .. envvar:: owncloud__distribution
+#
+# Name and version of OS distribution to use for ownCloud packages.
+owncloud__distribution: '{{ owncloud__distribution_name + "_" +
+                            owncloud__distribution_version }}'
+
+
+# .. envvar:: owncloud__distribution_name
+#
+# Name of the OS distribution to use for ownCloud URLs.
+owncloud__distribution_name: '{{ ansible_distribution }}'
+
+
+# .. envvar:: owncloud__distribution_version
+#
+# Version number of the OS distribution for ownCloud URLs.
+owncloud__distribution_version: '{{ ansible_distribution_major_version }}'
+
+
+# .. envvar:: owncloud__apt_repo_base
+#
+# Base APT repository URL starting at the authority part.
+owncloud__apt_repo_base: 'download.opensuse.org/repositories/isv:/ownCloud:/server:/{{ owncloud__release }}'
+
+
+# .. envvar:: owncloud__apt_repo_key_id
+#
+# OpenPGP public key specified by fingerprint which is used to sign the APT
+# repository.
+owncloud__apt_repo_key_id: '1B07204CD71B690D409F57D24ABE1AC7557BEFF9'
+
+
+# .. envvar:: owncloud__old_apt_repo_keys
+#
+# Old or unused OpenPGP public keys specified by fingerprint which where
+# previously used to sign the APT repository.
+# The keys listed here are ensured to be absent to reduce the risk if one of
+# the keys gets compromised.
+owncloud__old_apt_repo_keys:
+  - 'F9EA4996747310AE79474F44977C43A8BA684223'
+  - 'BCECA90325B072AB1245F739AB7C32C35180350A'
+
+
+# .. envvar:: owncloud__src_remote_dir
+#
+# File path used to store application sources on the remote system.
+# This is currently only used to copy the OpenPGP public key to the remote.
+owncloud__src_remote_dir: '{{
+  (ansible_local.fhs.src | d("/usr/local/src"))
+  + "/owncloud" }}'
+
+
+# .. envvar:: owncloud__apt_repo_source
+#
+# APT ``sources.list`` URL of the ownCloud ``.deb`` repository.
+owncloud__apt_repo_source: '{{ "deb https://" + owncloud__apt_repo_base + "/" +
+                               owncloud__distribution + "/ /" }}'
+
+
+# .. envvar:: owncloud__app_user
+#
+# User that will be used for the ownCloud instance.
+owncloud__app_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+
+
+# .. envvar:: owncloud__app_group
+#
+# Group that will be used for the ownCloud instance.
+owncloud__app_group: '{{ owncloud__app_user }}'
+
+
+# .. envvar:: owncloud__app_home
+#
+# Directory under which ownCloud will be installed.
+owncloud__app_home: '{{ "/var/www/owncloud"
+                        if (owncloud__variant == "owncloud")
+                        else ((ansible_local.nginx.www
+                              if (ansible_local.nginx.www | d())
+                              else "/srv/www") + "/" + owncloud__system_user) }}'
+
+
+# .. envvar:: owncloud__data_path
+#
+# Path where ownCloud data directory and files are stored.
+owncloud__data_path: '{{ owncloud__app_home }}/data'
+
+
+# .. envvar:: owncloud__temp_path
+#
+# Directory which ownCloud will use as temp directory.
+#
+# In case :file:`/tmp` has limited space (for example is a ramdisk) or is otherwise
+# restricted then it is a good idea to change the temp directory that ownCloud
+# uses to a path with more space available.
+#
+# The default (empty string) is to let ownCloud figure out which temp directory
+# it should use which probably results in :file:`/tmp/owncloudtemp` unless
+# otherwise influenced by environment variables and such.
+
+# See also :envvar:`owncloud__php_temp_path`.
+owncloud__temp_path: ''
+
+
+# .. envvar:: owncloud__deploy_path
+#
+# Where the ownCloud instance will be deployed (web root).
+owncloud__deploy_path: '{{ owncloud__app_home }}'
+
+# .. envvar:: owncloud__deploy_path_mode
+#
+# Octal permissions for ownCloud web root.
+owncloud__deploy_path_mode: '0750'
+
+# .. In memory caching [[[1
+#
+# ---------------------
+#   In memory caching
+# ---------------------
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/caching_configuration.html>`__ for details.
+
+# .. envvar:: owncloud__apcu_enabled
+#
+# Whether ``APCu`` should be used for local caching.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/caching_configuration.html#apcu-configuration>`__ for details.
+owncloud__apcu_enabled: True
+
+
+# .. envvar:: owncloud__redis_enabled
+#
+# Use Redis for file locking as recommended for small and large installations.
+# The default is to auto detect if Redis is enabled on the remote server and in
+# that case automatically use it for file locking.
+# Note that ownCloud requires version 2.2.5+ of the ``redis`` PHP package. This
+# requirement is not meet for Ubuntu trusty (neither in the release repos nor
+# in backports) thus Redis will not be enabled automatically by the role.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/caching_configuration.html#redis-configuration>`__ for details.
+owncloud__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool and
+                             (not (ansible_distribution == "Ubuntu" and ansible_distribution_release == "trusty")) }}'
+
+
+# .. envvar:: owncloud__redis_host
+#
+# Redis server to use when :envvar:`owncloud__redis_enabled` is ``True``.
+owncloud__redis_host: '{{ ansible_local.redis_server.host | d("localhost") }}'
+
+
+# .. envvar:: owncloud__redis_port
+#
+# Network port on which the Redis server is listening on.
+owncloud__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
+
+
+# .. envvar:: owncloud__redis_password
+#
+# Redis server authentication password.
+owncloud__redis_password: '{{ ansible_local.redis_server.password | d(omit) }}'
+
+# .. Database configuration [[[1
+#
+# --------------------------
+#   Database configuration
+# --------------------------
+
+# .. envvar:: owncloud__database
+#
+# ownCloud recommends MySQL or MariaDB as database management system.
+# Set to ``False`` to use SQLite.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/database/linux_database_configuration.html>`__ for details.
+# See the :envvar:`owncloud__database_map` for the databases support by this role.
+owncloud__database: 'mariadb'
+
+
+# .. envvar:: owncloud__database_server
+#
+# FQDN of the database server. It will be configured by
+# the :ref:`debops.mariadb` or :ref:`debops.postgresql` role.
+owncloud__database_server: '{{ ansible_local[owncloud__database].server }}'
+
+
+# .. envvar:: owncloud__database_port
+#
+# Port database is listening on.
+owncloud__database_port: '{{ ansible_local[owncloud__database].port }}'
+
+
+# .. envvar:: owncloud__database_user
+#
+# Database user to use for ownCloud.
+owncloud__database_user: '{{ owncloud__variant }}'
+
+
+# .. envvar:: owncloud__database_name
+#
+# Name of the database to use for ownCloud.
+owncloud__database_name: '{{ owncloud__variant }}'
+
+
+# .. envvar:: owncloud__database_password_path
+#
+# Path to database password file.
+owncloud__database_password_path: '{{ secret + "/" + owncloud__database + "/"
+                                      + ansible_local[owncloud__database].delegate_to
+                                      + (("/" + ansible_local[owncloud__database].port)
+                                         if (owncloud__database == "postgresql")
+                                         else "")
+                                      + "/credentials/" + owncloud__database_user + "/password" }}'
+
+
+# .. envvar:: owncloud__database_password
+#
+# Database password for ownCloud.
+owncloud__database_password: '{{ lookup("password", owncloud__database_password_path + " length=48") }}'
+
+
+# .. envvar:: owncloud__database_map
+#
+owncloud__database_map:
+
+  # MySQL/MariaDB database.
+  mariadb:
+    dbtype: 'mysql'
+    dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
+    dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
+    dbpass: '{{ owncloud__database_password }}'
+    dbhost: '{{ owncloud__database_server | d("localhost") }}'
+    dbtableprefix: ''
+
+  # PostgreSQL database on localhost, connection through Unix socket, no default password.
+  postgresql:
+    dbtype: 'pgsql'
+    dbname: '{{ owncloud__database_name | d(owncloud__app_user) }}'
+    dbuser: '{{ owncloud__database_user | d(owncloud__app_user) }}'
+    dbpass: '{{ owncloud__database_password }}'
+    dbhost: '{{ owncloud__database_server | d("/var/run/postgresql") }}'
+    dbtableprefix: ''
+
+  sqlite:
+    dbtype: 'sqlite'
+
+
+# .. ownCloud admin login/password [[[1
+#
+# ---------------------------------
+#   ownCloud admin login/password
+# ---------------------------------
+
+# .. envvar:: owncloud__admin_username
+#
+# Default admin username, in the form 'admin-$USER'.
+# Set to ``False`` to disable automatic username and password.
+owncloud__admin_username: 'admin-{{ lookup("env", "USER") }}'
+
+
+# .. envvar:: owncloud__admin_password_path
+#
+# Path to database password file.
+owncloud__admin_password_path: '{{ secret + "/credentials/" + inventory_hostname +
+                                  "/owncloud/admin/" + owncloud__admin_username +
+                                  "/password" }}'
+
+
+# .. envvar:: owncloud__password_length
+#
+# Length of randomly generated admin password.
+owncloud__password_length: 20
+
+
+# .. envvar:: owncloud__admin_password
+#
+# Default admin password.
+# A random password will be generate by default as documented by the :ref:`debops.secret` role.
+owncloud__admin_password: '{{ lookup("password", owncloud__admin_password_path
+                              + " length=" + (owncloud__password_length | string)) }}'
+
+
+# .. envvar:: owncloud__autosetup
+#
+# Should Ansible automatically finish the ownCloud setup on
+# it's own? If this feature is disabled, some of the installation tasks will
+# have to be performed manually by the ownCloud/Nextcloud administrator.
+owncloud__autosetup: True
+
+
+# .. envvar:: owncloud__autosetup_url
+#
+# URL which will be called to finish autosetup of ownCloud 8.0. For newer
+# ownCloud versions :command:`occ` will be used which is more reliable because
+# it does not depend on the webserver nor network.
+owncloud__autosetup_url: 'http://{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}/index.php'
+
+
+# .. ownCloud configuration [[[1
+#
+# --------------------------
+#   ownCloud configuration
+# --------------------------
+
+# .. envvar:: owncloud__fqdn
+#
+# The Fully Qualified Domain Name to use for the ownCloud instance.
+owncloud__fqdn: 'cloud.{{ owncloud__domain }}'
+
+
+# .. envvar:: owncloud__domain
+#
+# Domain that will be configured for the ownCloud instance.
+owncloud__domain: '{{ ansible_domain }}'
+
+
+# .. envvar:: owncloud__upload_size
+#
+# Max upload size set in :program:`nginx` and PHP, with amount as M or G.
+# Before you change this be sure to understand
+# `Uploading big files > 512MB of the official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/files/big_file_upload_configuration.html>`__.
+owncloud__upload_size: '2G'
+
+
+# .. envvar:: owncloud__cron_minute
+#
+# At what time cron should execute background jobs
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/developer_manual/app/fundamentals/backgroundjobs.html>`__ for details.
+owncloud__cron_minute: '*/15'
+
+
+# .. envvar:: owncloud__timeout
+#
+# Timeouts in seconds for application requests.
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/files/big_file_upload_configuration.html>`__ for details.
+owncloud__timeout: 3600
+
+
+# .. envvar:: owncloud__app_user_webfinger_support
+#
+# Should the ``Webfinger`` application be supported?
+# Set this to ``True`` if you are planning to use this app.
+owncloud__app_user_webfinger_support: False
+
+
+# .. ownCloud config.php configuration [[[1
+#
+# -------------------------------------
+#   ownCloud config.php configuration
+# -------------------------------------
+#
+# The dicts of this section ends up in :file:`owncloud/config/debops.config.php` and override the values
+# from :file:`owncloud/config/config.php`.
+#
+# TODO: Note that as of ownCloud 9.0, you can not unset a setting which was
+# once set in :file:`debops.config.php` because ownCloud might copies it to
+# :file:`config.php`. Possible fix: `occ config:system:set`
+#
+# For more information refer to :ref:`owncloud__ref_config`.
+
+
+# .. envvar:: owncloud__role_config
+#
+# See `ownCloud config.php configuration`_.
+# This variable is used internally, controlled by other variables of this role.
+owncloud__role_config:
+
+  trusted_domains: '{{ [owncloud__fqdn] if owncloud__fqdn is string else owncloud__fqdn }}'
+
+  ## https://github.com/owncloud/core/issues/22257
+  ## TODO: Temporary workaround until all package maintainers have caught up.
+  ## Edit: Have caught up as of 9.0.2-1.1. Remove this config in a while when
+  ## it is expected that all users are running 9.0.2 or later.
+  'updatechecker': '{{ True if (owncloud__variant in ["nextcloud"]) else False }}'
+
+  'memcache.local':
+    state: '{{ "present" if (owncloud__apcu_enabled | bool or owncloud__redis_enabled | bool) else "absent" }}'
+    value: '{{ "\\OC\\Memcache\\Redis" if (owncloud__redis_enabled | bool) else "\\OC\\Memcache\\APCu" }}'
+
+  'memcache.locking':
+    state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
+    value: '\\OC\\Memcache\\Redis'
+
+  'redis':
+    state: '{{ "present" if (owncloud__redis_enabled | bool) else "absent" }}'
+    value:
+      host: '{{ owncloud__redis_host }}'
+      port: '{{ owncloud__redis_port | int }}'
+      password: '{{ owncloud__redis_password }}'
+
+  'tempdirectory':
+    state: '{{ "present" if (owncloud__temp_path | d()) else "absent" }}'
+    value: '{{ owncloud__temp_path }}'
+
+# .. envvar:: owncloud__release_channel
+#
+# The channel for tracking Nextcloud upstream releases.
+# Refer to the `official Nextcloud documentation <https://nextcloud.com/release-channels/>`__ for details.
+owncloud__release_channel: '{{ "stable"
+                               if (owncloud__variant == "nextcloud" and
+                                   owncloud__release is version("17.0", ">="))
+                               else "production" }}'
+
+# .. envvar:: owncloud__role_recommended_config
+#
+# See `ownCloud config.php configuration`_.
+# This variable is a set of optional settings for ownCloud recommended by the
+# maintainers of this role.
+# Set:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__role_recommended_config: {}
+#
+# in your inventory when you want to disable it.
+owncloud__role_recommended_config:
+
+  ## The default timezone for logfiles is UTC.
+  logtimezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+
+  ## Loglevel to start logging at. Valid values are: 0 = Debug, 1 = Info,
+  ##  2 = Warning, 3 = Error, and 4 = Fatal. The default value is Warning.
+  loglevel: 2
+
+  ## ISO 8601 datetime: 2004-02-12T15:19:21+00:00
+  logdateformat: 'Y-m-d H:i:s.u'
+
+  ## Release channel
+  'updater.release.channel': '{{ owncloud__release_channel }}'
+
+# .. envvar:: owncloud__config
+#
+# See `ownCloud config.php configuration`_.
+# This variable is intended to be used in Ansible’s global inventory.
+# More specific variables can overrule less specific variables.
+owncloud__config: {}
+
+
+# .. envvar:: owncloud__group_config
+#
+# See `ownCloud config.php configuration`_.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+owncloud__group_config: {}
+
+
+# .. envvar:: owncloud__host_config
+#
+# See `ownCloud config.php configuration`_.
+# This variable is intended to be used in the inventory of hosts.
+owncloud__host_config: {}
+
+
+# .. envvar:: owncloud__combined_config
+#
+# See `ownCloud config.php configuration`_.
+# Variable which combines all of the other Owncloud configuration
+# and is used in the configuration template.
+owncloud__combined_config: '{{ owncloud__role_config
+                               | combine(owncloud__role_recommended_config,
+                                         owncloud__config,
+                                         owncloud__group_config,
+                                         owncloud__host_config) }}'
+
+
+# .. ownCloud applications configuration [[[1
+#
+# ---------------------------------------
+#   ownCloud applications configuration
+# ---------------------------------------
+
+# Dictionary of ownCloud application settings.
+# Check the output of :command:`occ config:list` to see how the settings are called.
+# You might need to change a particular setting via the web interface in order
+# for it to appear in the output.
+#
+# Note that :command:`occ` can also change ownCloud system settings but this should
+# be done via `ownCloud config.php configuration`_.
+#
+# Examples:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__apps_config:
+#
+#      ## Set the default quota for all users which don’t have more explicit
+#      ## quota settings to 100 MB.
+#      files:
+#        default_quota: '100 MB'
+#
+#      ## Disable Federated Cloud Sharing:
+#      ## * Allow users on this server to send shares to other servers
+#      ## * Allow users on this server to receive shares from other servers
+#      core:
+#        incoming_server2server_share_enabled: 'no'
+#        outgoing_server2server_share_enabled: 'no'
+#      files_sharing:
+#        incoming_server2server_share_enabled: 'no'
+#        outgoing_server2server_share_enabled: 'no'
+#
+#      ## Disable Federation:
+#      ## * Add server automatically once a federated share was created successfully
+#      federation:
+#        autoAddServers: '0'
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/occ_command.html#config-commands-label>`__ for details.
+
+# .. envvar:: owncloud__optional_apps_config
+#
+# See `ownCloud applications configuration`_.
+# Role dictionary of ownCloud application settings.
+# This variable is a set of optional settings for ownCloud recommended by the
+# maintainers of this role.
+owncloud__role_apps_config:
+  documents:
+    enabled: '{{ "yes" if (owncloud__app_documents_enabled | bool) else "no" }}'
+    converter: 'local'
+
+  password_policy:
+    ## Default is 6 as of Nextcloud 11 which is not state of the art.
+    ## Default is 8 as of Nextcloud 12+.
+    ## https://github.com/nextcloud/password_policy/blob/master/lib/PasswordPolicyConfig.php
+    minLength: 8
+
+
+# .. envvar:: owncloud__apps_config
+#
+# See `ownCloud applications configuration`_.
+# Global dictionary of ownCloud application settings.
+# This variable is intended to be used in Ansible’s global inventory.
+# More specific variables can overrule less specific variables.
+owncloud__apps_config: {}
+
+
+# .. envvar:: owncloud__group_apps_config
+#
+# See `ownCloud applications configuration`_.
+# Group dictionary of ownCloud application settings.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+owncloud__group_apps_config: {}
+
+
+# .. envvar:: owncloud__host_apps_config
+#
+# See `ownCloud applications configuration`_.
+# Host dictionary of ownCloud application settings.
+# This variable is intended to be used in the inventory of hosts.
+owncloud__host_apps_config: {}
+
+
+# .. envvar:: owncloud__dependent_apps_config
+#
+# See `ownCloud applications configuration`_.
+# This variable is intended to be used from other Ansible roles, for usage as
+# a dependent role.
+owncloud__dependent_apps_config: {}
+
+
+# .. envvar:: owncloud__apps_config_combined
+#
+# See `ownCloud applications configuration`_.
+# Variable which combines all of the apps variables
+# and is used in the configuration template.
+owncloud__apps_config_combined: '{{ owncloud__dependent_apps_config
+                                    | combine(owncloud__role_apps_config,
+                                              owncloud__apps_config,
+                                              owncloud__group_apps_config,
+                                              owncloud__host_apps_config) }}'
+
+
+# .. envvar:: owncloud__app_documents_enabled
+#
+# Whether the `ownCloud documents application`_ should be enabled.
+# Not enabled by default because, as of ownCloud 9.0, the application is not shipped by default.
+# Note that this will install LibreOffice plus dependencies on the server.
+owncloud__app_documents_enabled: False
+
+
+# .. envvar:: owncloud__app_documents_libreoffice_enabled
+#
+# Should LibreOffice be installed on the server so that the documents app can
+# work with proprietary document formats such as Microsoft Office?
+owncloud__app_documents_libreoffice_enabled: False
+
+
+# .. External storage [[[1
+#
+# --------------------
+#   External storage
+# --------------------
+
+# Refer to the :ref:`owncloud__ref_external_storage` section for more details.
+
+# .. envvar:: owncloud__smb_support
+#
+# Should SMB/CIFS be support by installing the required system packages and
+# enabling the required ownCloud application?
+owncloud__smb_support: False
+
+
+# .. ownCloud raw occ commands [[[1
+#
+# -----------------------------
+#   ownCloud raw occ commands
+# -----------------------------
+
+# List of :command:`occ` commands to run.
+# It can be used to enable apps, add users and more which can be useful when
+# deploying ownCloud.
+#
+# Examples:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__occ_cmd_list:
+#
+#      - command: 'app:enable external'
+#
+#      - command: 'app:install calendar'
+#        when: '{{ owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("13.0", ">=") }}'
+#      - command: 'app:enable calendar'
+#
+#      ## Create an additional admin account.
+#      - command: 'user:add --password-from-env --display-name="Administrator" --group="admin" admin'
+#        env:
+#          OC_PASS: "{{ lookup('password', secret + '/credentials/' +
+#                       inventory_hostname + '/owncloud/admin/' + 'admin' +
+#                       '/password length=' + owncloud__password_length) }}"
+#
+#      ## Create an regular user. Note that you probably want to use an existing
+#      ## user database like LDAP.
+#      - command: 'user:add --password-from-env --display-name="Normal user" user'
+#        when: '{{ owncloud__release is version_compare("8.1", ">=") }}'
+#        env:
+#          OC_PASS: "{{ lookup('password', secret + '/credentials/' +
+#                       inventory_hostname + '/owncloud/users/' + 'user' +
+#                       '/password length=' + owncloud__password_length) }}"
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/occ_command.html>`__ for details.
+
+# .. envvar:: owncloud__role_occ_cmd_list
+#
+# Default list of :command:`occ` commands to run.
+# Command present of role to automate certain tasks.
+# See `ownCloud raw occ commands`_.
+owncloud__role_occ_cmd_list:
+  ## Disable the updater because it does not work anyway with the way ownCloud
+  ## is setup by this role using packages.
+  ## Since ownCloud 9 it is called `updatenotification`.
+  - command: 'app:disable updater'
+    when: '{{ owncloud__release is version_compare("8.2", "<=") }}'  # noqa jinja[spacing]
+
+  - command: 'app:enable user_ldap'
+    when: '{{ owncloud__ldap_enabled | bool }}'  # noqa jinja[spacing]
+
+  - command: 'app:enable files_external'
+    when: '{{ owncloud__smb_support | bool }}'  # noqa jinja[spacing]
+
+
+# .. envvar:: owncloud__occ_cmd_list
+#
+# See `ownCloud raw occ commands`_.
+# This variable is intended to be used in Ansible’s global inventory.
+owncloud__occ_cmd_list: []
+
+
+# .. envvar:: owncloud__group_occ_cmd_list
+#
+# See `ownCloud raw occ commands`_.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+owncloud__group_occ_cmd_list: []
+
+
+# .. envvar:: owncloud__host_occ_cmd_list
+#
+# See `ownCloud raw occ commands`_.
+# This variable is intended to be used in the inventory of hosts.
+owncloud__host_occ_cmd_list: []
+
+
+# .. envvar:: owncloud__dependent_occ_cmd_list
+#
+# See `ownCloud raw occ commands`_.
+# This variable is intended to be used from other Ansible roles, for usage as
+# a dependent role.
+owncloud__dependent_occ_cmd_list: []
+
+
+# .. envvar:: owncloud__occ_bin_file_path
+#
+# Where the :command:`occ` wrapper script should be installed.
+owncloud__occ_bin_file_path: '{{ (ansible_local.fhs.bin | d("/usr/local/bin"))
+                                 + "/occ" }}'
+
+
+# .. ownCloud user files [[[1
+#
+# -----------------------
+#   ownCloud user files
+# -----------------------
+
+# These lists allow you to manage files for ownCloud users, either by
+# copying files from the Ansible Controller or providing the contents directly
+# in Ansible inventory. You can use all parameters supported by the `Ansible
+# ansible.builtin.copy module`_.
+#
+# See :ref:`owncloud__ref_owncloud__user_files` for more details.
+
+# .. envvar:: owncloud__user_files
+#
+# Manage ownCloud user files on all hosts in Ansible’s inventory.
+owncloud__user_files: []
+
+
+# .. envvar:: owncloud__user_files_group
+#
+# Manage ownCloud user files on hosts in a specific Ansible inventory
+# group.
+owncloud__user_files_group: []
+
+
+# .. envvar:: owncloud__user_files_host
+#
+# Manage ownCloud user files on specific hosts in Ansible’s inventory.
+owncloud__user_files_host: []
+
+
+# .. LDAP authentication [[[1
+#
+# .. _owncloud__ref_ldap_defaults:
+#
+# -----------------------
+#   LDAP authentication
+# -----------------------
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html>`__
+# and to the :ref:`owncloud__ref_external_users` section for more details.
+
+# .. envvar:: owncloud__ldap_enabled
+#
+# Enable LDAP support. ownCloud support multiple LDAP servers but this role
+# configures only default one. If you need something more complex you can
+# use :envvar:`owncloud__occ_cmd_list`.
+owncloud__ldap_enabled: '{{ True
+                            if (ansible_local | d() and ansible_local.ldap | d() and
+                                (ansible_local.ldap.enabled | d()) | bool)
+                            else False }}'
+
+
+# .. envvar:: owncloud_ldap_update_settings
+#
+# Ensure that the settings listed in :envvar:`owncloud__ldap_combined_config`
+# are up-to-date on the remote system.
+# Set to ``False`` to only configure LDAP settings in ownCloud when ownCloud
+# currently has no LDAP configuration.
+owncloud_ldap_update_settings: True
+
+
+# .. envvar:: owncloud__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, automated Nextcloud LDAP configuration will not be performed.
+owncloud__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+
+# .. envvar:: owncloud__ldap_base_groups_dn [[[
+#
+# The base Distinguished Name where Nextcloud will look for groups.
+owncloud__ldap_base_groups_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_base_users_dn [[[
+#
+# The base Distinguished Name where Nextcloud will look for users.
+owncloud__ldap_base_users_dn: '{{ owncloud__ldap_base_dn | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the Nextcloud service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+owncloud__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# Nextcloud service to access the LDAP directory.
+owncloud__ldap_self_rdn: 'uid=nextcloud'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the Nextcloud service to access the LDAP directory.
+owncloud__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# Nextcloud service to access the LDAP directory.
+owncloud__ldap_self_attributes:
+  uid: '{{ owncloud__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ owncloud__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "Nextcloud" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# Nextcloud service to bind to the LDAP directory.
+owncloud__ldap_binddn: '{{ ([owncloud__ldap_self_rdn] + owncloud__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the Nextcloud service
+# to bind to the LDAP directory.
+owncloud__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                   + owncloud__ldap_binddn | to_uuid + ".password length=32 "
+                                   + "chars=ascii_letters,digits,!@_#$%^&*"))
+                           if owncloud__ldap_enabled | bool
+                           else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_uri [[[
+#
+# List of LDAP URIs that point to the directory servers which should be used by
+# Nextcloud.
+owncloud__ldap_uri: '{{ ansible_local.ldap.uri | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_primary_server [[[
+#
+# The primary LDAP server URI to use.
+owncloud__ldap_primary_server: '{{ owncloud__ldap_uri | first }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_method [[[
+#
+# The LDAP connection method to use, either ``tls`` (recommended), ``ssl`` or
+# ``plain`` (discouraged).
+owncloud__ldap_method: 'tls'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_port [[[
+#
+# The TCP port to use for LDAP connections.
+owncloud__ldap_port: '{{ 636 if (owncloud__ldap_method in ["ssl"]) else 389 }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_user_display_name
+#
+# The attribute that should be used as display name in ownCloud.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#directory-settings>`__ for details.
+owncloud__ldap_user_display_name: 'cn'
+
+
+# .. envvar:: owncloud__ldap_user_filter
+#
+# Use this to control which LDAP users are listed as ownCloud users on your ownCloud server.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#user-filter>`__ for details.
+owncloud__ldap_user_filter: '(|
+                               (objectclass=inetOrgPerson)
+                             )'
+
+
+# .. envvar:: owncloud__ldap_user_filter_objectclass
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#user-filter>`__ for details.
+owncloud__ldap_user_filter_objectclass: 'inetOrgPerson'
+
+
+# .. envvar:: owncloud__ldap_group_filter
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#group-filter>`__ for details.
+owncloud__ldap_group_filter: '(&
+                                (objectClass=groupOfNames)
+                                (nextcloudEnabled=true)
+                              )'
+
+
+# .. envvar:: owncloud__ldap_group_filter_groups
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#group-filter>`__ for details.
+owncloud__ldap_group_filter_groups: ''
+
+
+# .. envvar:: owncloud__ldap_group_filter_objectclass
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#group-filter>`__ for details.
+owncloud__ldap_group_filter_objectclass: 'posixGroup'
+
+
+# .. envvar:: owncloud__ldap_login_filter
+#
+# The settings in the Login Filter tab determine which LDAP users can log in to
+# your ownCloud system. With the default filter, users can log in using their
+# usernames from the ``uid`` attribute, as well as their e-mail addresses
+# defined using the ``mail`` attribute. In either case, users need to have
+# access to the Nextcloud service defined by the ``authorizedService``
+# attribute.
+#
+# The ``entryUUID`` attribute search is required to perform password modify
+# extended operations.
+owncloud__ldap_login_filter: '(&
+                                (objectclass=inetOrgPerson)
+                                (|
+                                  (uid=%uid)
+                                  (|
+                                    (mail=%uid)
+                                    (entryUUID=%uid)
+                                  )
+                                )
+                                (|
+                                  (authorizedService=all)
+                                  (authorizedService=nextcloud)
+                                  (authorizedService=owncloud)
+                                  (authorizedService=web:public)
+                                )
+                              )'
+
+
+# .. envvar:: owncloud__ldap_login_filter_attributes
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#login-filter>`__ for details.
+owncloud__ldap_login_filter_attributes: ''
+
+
+# .. envvar:: owncloud__ldap_group_assoc_attribute
+#
+# Attribute which ownCloud uses to match members of the group.
+#
+# Possible values:
+#
+# ``memberUid``
+#   Useful for OpenLDAP with PosixGroups. Attribute contains only UID of the user.
+#
+# ``uniqueMember``
+#   Attribute contains full DN of the user.
+#
+# ``member``
+#   FIXME
+#   Attribute contains full DN of the user.
+#
+owncloud__ldap_group_assoc_attribute: 'member'
+
+
+# .. envvar:: owncloud__home_folder_naming_rule
+#
+# By default, the ownCloud server creates the user directory in your ownCloud data directory and gives it the ownCloud username, .e.g :file:`/var/www/owncloud/data/alice`. You may want to override this setting and name it after an LDAP attribute value. The attribute can also return an absolute path, e. g. :file:`/mnt/storage43/alice`. Leave it empty for default behavior.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#special-attributes>`__ for details.
+owncloud__home_folder_naming_rule: 'attr:uid'
+
+# .. Advanced settings [[[
+#
+# ~~~~~~~~~~~~~~~~~~~~~
+#   Advanced settings
+# ~~~~~~~~~~~~~~~~~~~~~
+
+# .. envvar:: owncloud__ldap_cache_ttl
+#
+# A cache is introduced to avoid unnecessary LDAP traffic, for example caching usernames so they don’t have to be looked up for every page, and speeding up loading of the Users page. Saving the configuration empties the cache. The time is given in seconds.
+#
+# Note that almost every PHP request requires a new connection to the LDAP server. If you require fresh PHP requests we recommend defining a minimum lifetime of 15s or so, rather than completely eliminating the cache.
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/user/user_auth_ldap.html#caching>`__ for details.
+owncloud__ldap_cache_ttl: '600'
+
+# .. ]]]
+
+# .. Expert settings [[[
+#
+# ~~~~~~~~~~~~~~~~~~~
+#   Expert settings
+# ~~~~~~~~~~~~~~~~~~~
+
+# .. envvar:: owncloud__ldap_expert_username_attr
+#
+# The internal username is the identifier in ownCloud for LDAP users. By
+# default it will be created from the UUID attribute. The UUID attribute
+# ensures that the username is unique, and that characters do not need to be
+# converted. Only these characters are allowed: :regexp:`[a-zA-Z0-9_.@-]`.
+# Other characters are replaced with their ASCII equivalents, or are simply
+# omitted.
+#
+# The LDAP backend ensures that there are no duplicate internal usernames in
+# ownCloud, i.e. that it is checking all other activated user backends
+# (including local ownCloud users). On collisions a random number (between 1000
+# and 9999) will be attached to the retrieved value. For example, if ``alice``
+# exists, the next username may be ``alice_1337``.
+#
+# The internal username is the default name for the user home folder in
+# ownCloud. It is also a part of remote URLs, for instance for all DAV
+# services.
+#
+# You can override all of this with the Internal Username setting. Leave it
+# empty for default behaviour. Changes will affect only newly mapped LDAP
+# users.
+#
+# For a Microsoft Windows environment, putting this:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__ldap_expert_username_attr: 'sAMAccountName'
+#
+# in your inventory might come in handy to use the user names from AD as user names in ownCloud.
+owncloud__ldap_expert_username_attr: ''
+
+# .. ]]]
+
+# .. envvar:: owncloud__ldap_config_id
+#
+# The configuration database configID to use for the LDAP configuration managed
+# by the role.
+owncloud__ldap_config_id: '{{ ansible_local.owncloud.ldap_config_id
+                              if (ansible_local.owncloud.ldap_config_id | d())
+                              else (owncloud__register_ldap_config_id.stdout
+                                    if (owncloud__register_ldap_config_id | d() and
+                                        owncloud__register_ldap_config_id.stdout | d())
+                                    else "") }}'
+
+
+# .. envvar:: owncloud__ldap_quota_attribute
+#
+# Set the LDAP attribute value to be read by Owncloud/Nextcloud in order to get the user quota.
+# Any quota set in LDAP overrides quotas set on the Nextcloud user management page.
+# Refer to the `official ownCloud documentation <https://docs.nextcloud.com/server/17/admin_manual/configuration_user/user_auth_ldap.html#special-attributes>`__ for details.
+owncloud__ldap_quota_attribute: 'nextcloudQuota'
+
+# .. envvar:: owncloud__ldap_quota_default
+#
+# User default LDAP quota. Use human-readable values, e.g. "2 GB".
+# Refer to the `official ownCloud documentation <https://docs.nextcloud.com/server/17/admin_manual/configuration_user/user_auth_ldap.html#special-attributes>`__ for details.
+owncloud__ldap_quota_default: '10 GB'
+
+# .. envvar:: owncloud__ldap_default_config [[[
+#
+# The LDAP configuration options defined by default.
+# See :ref:`owncloud__ref_ldap_config` for more details.
+owncloud__ldap_default_config:
+
+  - name: 'ldapHost'
+    value: '{{ owncloud__ldap_primary_server }}'
+
+  - name: 'ldapPort'
+    value: '{{ owncloud__ldap_port }}'
+
+  - name: 'ldapAgentName'
+    value: '{{ owncloud__ldap_binddn }}'
+
+  - name: 'ldapAgentPassword'
+    value: '{{ owncloud__ldap_bindpw }}'
+
+  - name: 'ldapBase'
+    value: '{{ owncloud__ldap_base_dn | join(",") }}'
+
+  - name: 'ldapBaseGroups'
+    value: '{{ owncloud__ldap_base_groups_dn }}'
+
+  - name: 'ldapBaseUsers'
+    value: '{{ owncloud__ldap_base_users_dn }}'
+
+  - name: 'ldapEmailAttribute'
+    value: 'mail'
+
+  - name: 'ldapExpertUsernameAttr'
+    value: '{{ owncloud__ldap_expert_username_attr }}'
+
+  - name: 'ldapConfigurationActive'
+    value: '1'
+
+  - name: 'ldapUserDisplayName'
+    value: '{{ owncloud__ldap_user_display_name }}'
+
+  - name: 'ldapUserFilter'
+    value: '{{ owncloud__ldap_user_filter }}'
+
+  - name: 'ldapUserFilterObjectclass'
+    value: '{{ owncloud__ldap_user_filter_objectclass }}'
+
+  - name: 'ldapLoginFilter'
+    value: '{{ owncloud__ldap_login_filter }}'
+
+  - name: 'ldapLoginFilterAttributes'
+    value: '{{ owncloud__ldap_login_filter_attributes }}'
+
+  - name: 'ldapGroupFilter'
+    value: '{{ owncloud__ldap_group_filter }}'
+
+  - name: 'ldapGroupFilterGroups'
+    value: '{{ owncloud__ldap_group_filter_groups }}'
+
+  - name: 'ldapGroupFilterObjectclass'
+    value: '{{ owncloud__ldap_group_filter_objectclass }}'
+
+  - name: 'ldapGroupMemberAssocAttr'
+    value: '{{ owncloud__ldap_group_assoc_attribute }}'
+
+  - name: 'homeFolderNamingRule'
+    value: '{{ owncloud__home_folder_naming_rule }}'
+
+  - name: 'ldapCacheTTL'
+    value: '{{ owncloud__ldap_cache_ttl }}'
+
+  - name: 'ldapTLS'
+    value: '{{ "1" if (owncloud__ldap_method == "tls") else "0" }}'
+
+  - name: 'ldapQuotaAttribute'
+    value: '{{ owncloud__ldap_quota_attribute }}'
+
+  - name: 'ldapQuotaDefault'
+    value: '{{ owncloud__ldap_quota_default }}'
+
+  - name: 'hasMemberOfFilterSupport'
+    value: '1'
+
+  - name: 'turnOnPasswordChange'
+    value: '1'
+
+  - name: 'ldapDefaultPPolicyDN'
+    value: '{{ (["cn=Default Password Policy", "ou=Password Policies"]
+                + owncloud__ldap_base_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap_config [[[
+#
+# List of custom LDAP configuration options defined for all hosts
+# in the Ansible inventory.
+# See :ref:`owncloud__ref_ldap_config` for more details.
+owncloud__ldap_config: []
+                                                                   # ]]]
+
+# .. envvar:: owncloud__group_ldap_config [[[
+#
+# List of custom LDAP configuration options defined on hosts in
+# a specific Ansible inventory group.
+owncloud__group_ldap_config: []
+                                                                   # ]]]
+
+# .. envvar:: owncloud__host_ldap_config [[[
+#
+# List of custom LDAP configuration options defined on specific
+# hosts in the Ansible inventory.
+owncloud__host_ldap_config: []
+                                                                   # ]]]
+
+# .. envvar:: owncloud__ldap_combined_config [[[
+#
+# The variable that combines default and user LDAP configuration and is used in
+# the role tasks and templates.
+owncloud__ldap_combined_config: '{{ owncloud__ldap_default_config
+                                    + owncloud__ldap_config
+                                    + owncloud__group_ldap_config
+                                    + owncloud__host_ldap_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. ownCloud Mail configuration [[[1
+#
+# -------------------------------
+#   ownCloud Mail configuration
+# -------------------------------
+#
+# Refer to the `official ownCloud documentation about config.php <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/config_sample_php_parameters.html#mail-parameters>`__ and the `official ownCloud documentation about email configuration <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/email_configuration.html>`__ for details.
+
+# .. envvar:: owncloud__mail_domain
+#
+owncloud__mail_domain: '{{ owncloud__fqdn if owncloud__fqdn is string else owncloud__fqdn[0] }}'
+
+
+# .. envvar:: owncloud__mail_from_address
+#
+# From address that overrides the built-in ``sharing-noreply`` and
+# ``lostpassword-noreply`` from addresses.
+owncloud__mail_from_address: 'noreply'
+
+
+# .. envvar:: owncloud__mail_smtpmode
+#
+# Which mode to use for sending mail.
+# Choices are:
+#
+# * ``sendmail``
+# * ``smtp``
+# * ``qmail``
+# * ``php``
+#
+owncloud__mail_smtpmode: 'sendmail'
+
+
+# .. envvar:: owncloud__mail_smtphost
+#
+# Specify the IP address of your mail server host.
+# This may contain multiple hosts separated by a semi-colon. If you need to
+# specify the port number append it to the IP address separated by a colon,
+# like this: ``127.0.0.1:24``.
+#
+# This depends on :envvar:`owncloud__mail_smtpmode`.
+owncloud__mail_smtphost: 'smtp.{{ owncloud__domain }}'
+
+
+# .. envvar:: owncloud__mail_smtpport
+#
+# Port for sending mail. Can also be specified via :envvar:`owncloud__mail_smtphost`.
+# This depends on :envvar:`owncloud__mail_smtpmode`.
+owncloud__mail_smtpport: '25'
+
+
+# .. envvar:: owncloud__mail_conf_map
+#
+# This configuration ends up in :file:`mail.config.php` and override the
+# values from :file:`config.php`.
+# Set to:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__mail_conf_map: {}
+#
+# if you want to be able to configure/change this via the admin web interface.
+owncloud__mail_conf_map:
+  mail_domain: '{{ owncloud__mail_domain }}'
+  mail_from_address: '{{ owncloud__mail_from_address }}'
+  mail_smtpmode: '{{ owncloud__mail_smtpmode }}'
+  mail_smtphost: '{{ owncloud__mail_smtphost }}'
+  mail_smtpport: '{{ owncloud__mail_smtpport }}'
+
+
+# .. Theming ownCloud [[[1
+#
+# --------------------
+#   Theming ownCloud
+# --------------------
+#
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/developer_manual/core/theming.html>`__ for details.
+# See also `ownCloud Trademark Guidelines`_.
+
+# .. envvar:: owncloud__theme_active
+#
+# Name of the theme to activate. Generation of a custom theme can be influenced
+# by the following options.
+#
+# In case you already have a theme you want to use, you can alternatively
+# provide the theme under :file:`/var/www/owncloud/themes/$your_theme_name`
+# (for example using debops.resources_) and set this variable to
+# ``$your_theme_name``. Note that the role maintainers recommend to let the
+# role assemble your theme. See the following options.
+owncloud__theme_active: '{{ "debops"
+                            if (owncloud__variant in ["owncloud"])
+                            else "" }}'
+
+
+# .. envvar:: owncloud__theme_directory_name
+#
+# Directory name where the custom theme generated by this role will be stored under.
+# This variable has the same format as the :envvar:`owncloud__theme_active` option.
+# If you don’t want this role to generate a theme for you, you can set this to
+# an empty string to disable this feature.
+# The generated theme name defaults to ``debops`` to allow enabling it via
+# :envvar:`owncloud__theme_active`.
+owncloud__theme_directory_name: '{{ "debops"
+                                    if (owncloud__variant in ["owncloud"])
+                                    else "" }}'
+
+
+# .. envvar:: owncloud__theme_title
+#
+# Title of your ownCloud. This variable is included in the `HTML title tag`_ on
+# all pages.
+owncloud__theme_title: 'DebOps Cloud'
+
+
+# .. envvar:: owncloud__theme_name
+#
+# Name of your ownCloud or software. This is shown when sharing a file/dir as
+# link for example.
+owncloud__theme_name: 'DebOps Cloud'
+
+
+# .. envvar:: owncloud__theme_name_html
+#
+# Name of your ownCloud. HTML code can be used in this variable to create
+# hyperlinks for example.
+owncloud__theme_name_html: '{{ owncloud__theme_name }}'
+
+
+# .. envvar:: owncloud__theme_entity_name
+#
+# Entity string for your ownCloud. For example the name of your company. This
+# string is used in the footer and the copyright.
+owncloud__theme_entity_name: 'DebOps'
+
+
+# .. envvar:: owncloud__theme_base_url
+#
+# Base URL to get more information about your ownCloud. By default,
+# :envvar:`owncloud__theme_entity_name` links to this URL on the login page.
+# Use an empty string to use the default URL pointing to the ownCloud website.
+owncloud__theme_base_url: 'https://github.com/debops/ansible-owncloud'
+
+
+# .. envvar:: owncloud__theme_slogan
+#
+# Slogan of your ownCloud. This is shown by default on the bottom of the login page.
+# It should not contain ``</br>`` (newline) because at least ownCloud as of
+# version ``9.0`` can’t automatically adjust to that.
+# Use an empty string to use the default slogan provided by ownCloud.
+#
+# See the `ownCloud Trademark Guidelines`_ section on 'Apps, Product and Service
+# Names, and Compatibility References' for more suggestions.
+owncloud__theme_slogan: 'Powered by <a href="{{ owncloud__variant_url_map[owncloud__variant] }}">{{ owncloud__variant_name_map[owncloud__variant] }}</a>'
+
+
+# .. envvar:: owncloud__theme_footer_short
+#
+# Short version of the footer.
+# The value can contain arbitrary PHP and HTML code.
+# You will need to take care of quotes yourself.
+owncloud__theme_footer_short: |
+  'Setup by <a href="' . $this->getBaseUrl() . '" target="_blank\">' . $this->getEntity() . '</a><br/>' .
+  '{{ owncloud__theme_slogan }}'
+
+
+# .. envvar:: owncloud__theme_footer_long
+#
+# Long version of the footer. See :envvar:`owncloud__theme_footer_short` for details.
+# TODO: What exactly is the difference?
+owncloud__theme_footer_long: '{{ owncloud__theme_footer_short }}'
+
+
+# .. envvar:: owncloud__theme_doc_link_to_key
+#
+# Return statement the ``buildDocLinkToKey`` function which allows you to alter
+# the URL used when referring to the documentation.
+# The value can contain arbitrary PHP and HTML code.
+# You will need to take care of quotes yourself.
+# The reason for not going with the ownCloud default is that it seems to point
+# to ``8.0`` even for the ``9.0.2`` release. Seems to be a bug.
+owncloud__theme_doc_link_to_key: '$this->getDocBaseUrl() . ''/server/{{ owncloud__release }}/go.php?to='' . $key'
+
+
+# .. envvar:: owncloud__theme_copy_files
+#
+# Global dictionary of additional files to place in the theme.
+# This variable is intended to be used in Ansible’s global inventory.
+# More specific variables can overrule less specific variables.
+# The key is the target file path in the ownCloud theme directory.
+# The ``state`` value allows to make files absent.
+# All other options correspond to the options of the
+# `Ansible ansible.builtin.copy module`_.
+#
+# To change the logo on the login page you can use:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    owncloud__theme_copy_files:
+#
+#      'core/img/logo.svg':
+#        ## Prefer SVG: https://github.com/owncloud/core/issues/5676#issuecomment-27649493
+#        src: '/src/path/on/your/ansible/controller/logo.svg'
+#
+#      'core/css/styles.css':
+#        content: |
+#          /* Use logo from theme. */
+#          #header .logo {
+#            background-image: url('../img/logo.svg');
+#            width: 250px;
+#            height: 121px;
+#          }
+#
+# in your inventory.
+owncloud__theme_copy_files: {}
+
+
+# .. envvar:: owncloud__theme_copy_files_host_group
+#
+# Host group dictionary of additional files to place in the theme.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+# Refer to :envvar:`owncloud__theme_copy_files` for more details.
+owncloud__theme_copy_files_host_group: {}
+
+
+# .. envvar:: owncloud__theme_copy_files_host
+#
+# Host dictionary of additional files to place in the theme.
+# This variable is intended to be used in the inventory of hosts.
+# Refer to :envvar:`owncloud__theme_copy_files` for more details.
+owncloud__theme_copy_files_host: {}
+
+
+# .. envvar:: owncloud__theme_conf_map
+#
+# This configuration ends up in :file:`theme.config.php` and override the
+# values from :file:`config.php`.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/server/config_sample_php_parameters.html>`__ for details.
+owncloud__theme_conf_map:
+  theme: '{{ owncloud__theme_active }}'
+
+                                                                   # ]]]
+# .. Webserver [[[
+#
+# -------------
+#   Webserver
+# -------------
+
+# .. envvar:: owncloud__http_psk_subpath_enabled [[[
+#
+# Whether the application should be deployed on a random subpath that acts as a
+# protection of the web app/API from people not knowing this PSK.
+# For a discussion in which scenarios this can make sense, refer to
+# `RFC: Support subpath/subdir hosting for additional security`__.
+#
+# .. __: https://github.com/debops/debops/issues/1233
+#
+# .. warning:: This breaks the ``/.well-known`` URIs intentionally.
+#
+# Hint for migration: Nextcloud is able to auto detect the webroot that it is
+# being accessed. This means that it can be accessed by subpath and without, with
+# the same Nginx config. This allows soft migration of all users to the subpath
+# and then disabling ``/`` when all are migrated.
+# The role does not support generating such a Webserver config but it is easy
+# to run the role without and with subpath enabled and than merging the
+# rendered Nginx site configuration.
+owncloud__http_psk_subpath_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: owncloud__http_psk_subpath [[[
+#
+# PSK used as subpath that acts as the first layer of defense in a security in
+# depth concept if enabled.
+owncloud__http_psk_subpath: '{{ lookup("password", secret + "/credentials/" +
+                                  inventory_hostname + "/owncloud/config/subpath chars=ascii_letters,digits length=10")
+                                if owncloud__http_psk_subpath_enabled | bool
+                                else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__http_psk_subpath_begin_slash [[[
+#
+# slash at the begin plus Subpath. Used to simplify the webserver config below.
+owncloud__http_psk_subpath_begin_slash: '{{ ("/" + owncloud__http_psk_subpath)
+                                          if owncloud__http_psk_subpath_enabled | bool
+                                          else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__http_psk_subpath_end_slash [[[
+#
+# Subpath plus a slash at the end. Used to simplify the webserver config below.
+owncloud__http_psk_subpath_end_slash: '{{ (owncloud__http_psk_subpath + "/")
+                                          if owncloud__http_psk_subpath_enabled | bool
+                                          else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__webserver [[[
+#
+# Variable containing the webserver which should be used.
+# Refer to :ref:`owncloud__ref_getting_started` for how to switch webservers.
+owncloud__webserver: '{{ ansible_local.owncloud.webserver
+                         | d("apache"
+                             if (ansible_local.apache.enabled | d() | bool)
+                             else ("nginx"
+                                   if (ansible_local.nginx.enabled | d() | bool)
+                                   else "no-webserver-detected")) }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__apache_modules [[[
+#
+# Variable containing the used webserver which can be used.
+# Refer to :ref:`owncloud__ref_getting_started` for how to switch webservers.
+# TODO: Enable on Debian package scripts to ensure that the PHP module is
+# enabled as the name of the module is not deterministic with ``php5`` and
+# ``php7.0``.
+owncloud__apache_modules: []
+                                                                   # ]]]
+# .. envvar:: owncloud__nginx_client_body_temp_path [[[
+#
+# Defines the directory where Nginx will temporary store files holding client
+# request bodies.
+# Refer to the `the Nginx documentation <https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path>`__ for details.
+#
+# The default (empty string) is to not change the default of the webserver.
+# TODO: Confirm that this variable does what it says.
+owncloud__nginx_client_body_temp_path: ''
+
+                                                                   # ]]]
+# .. envvar:: owncloud__nginx_access_log_assets [[[
+#
+# Should the access to assets be logged by :program:`nginx`?
+owncloud__nginx_access_log_assets: True
+                                                                   # ]]]
+                                                                   # ]]]
+# .. PHP [[[
+#
+# ---
+# PHP
+# ---
+
+# .. envvar:: owncloud__php_temp_path [[[
+#
+# Directory which PHP will use as temp directory.
+#
+# In case :file:`/tmp` has limited space (for example is a ramdisk) or is otherwise
+# restricted then it is recommended to change the temp directory which PHP
+# uses to a path with more space available.
+# This directory is used to cache uploaded files when using Apache.
+# See also :envvar:`owncloud__temp_path`.
+#
+# Empty string will not change the temp directory of PHP.
+owncloud__php_temp_path: ''
+
+                                                                   # ]]]
+# .. envvar:: owncloud__php_output_buffering [[[
+#
+# Output buffering set in PHP, with amount set in megabytes.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/configuration/files/big_file_upload_configuration.html#configuring-php>`__ for details.
+owncloud__php_output_buffering: '0'
+
+
+                                                                   # ]]]
+# .. envvar:: owncloud__php_max_children [[[
+#
+# Max children processes to run in php fpm.
+# FIXME: Check if default of debops.php_ might be sufficient.
+owncloud__php_max_children: '50'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. Role-dependent configuration [[[1
+#
+# --------------------------------
+#   Role-dependent configuration
+# --------------------------------
+
+# .. envvar:: owncloud__apt_preferences__dependent_list
+#
+# Configuration for the :ref:`debops.apt_preferences` role.
+#
+# .. TODO: Consider moving logic to the :ref:`debops.php` role.
+#
+owncloud__apt_preferences__dependent_list:
+
+  - package: 'php5-apcu'
+    backports: [ 'trusty' ]
+    reason: 'ownCloud requires at least APCu version 4.0.6.'
+    by_role: 'debops.owncloud'
+    state: '{{ owncloud__deploy_state }}'
+
+
+# .. envvar:: owncloud__apt_preferences__dependent_list_optional
+#
+# Optional configuration for the :ref:`debops.apt_preferences` role.
+# Only required when APT preference presets from the
+# :ref:`debops.apt_preferences` role are used.
+owncloud__apt_preferences__dependent_list_optional:
+
+  - package: 'owncloud owncloud*'
+    reason: 'Use download.owncloud.org even when foreign sources are disabled by global APT preferences.'
+    pin: 'origin "download.owncloud.org"'
+    priority: 995
+    by_role: 'debops.owncloud'
+    state: '{{ "present"
+               if (owncloud__variant in ["owncloud"] and
+                   owncloud__deploy_state == "present")
+               else "absent" }}'
+
+
+# .. envvar:: owncloud__keyring__dependent_apt_keys [[[
+#
+# APT key configuration for the :ref:`debops.keyring` Ansible role.
+owncloud__keyring__dependent_apt_keys:
+
+  - id: '{{ owncloud__apt_repo_key_id }}'
+    state: '{{ "present" if (owncloud__variant in ["owncloud"]) else "absent" }}'
+
+    # Old or unused OpenPGP public keys specified by fingerprint which where
+    # previously used to sign the APT repository.
+    # The keys listed here are ensured to be absent to reduce the risk if one of
+    # the keys gets compromised.
+  - id: 'F9EA4996747310AE79474F44977C43A8BA684223'
+    state: 'absent'
+
+  - id: 'BCECA90325B072AB1245F739AB7C32C35180350A'
+    state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__keyring__dependent_gpg_keys [[[
+#
+# GPG key configuration for the :ref:`debops.keyring` Ansible role.
+owncloud__keyring__dependent_gpg_keys:
+
+  - user: '{{ owncloud__system_user }}'
+    group: '{{ owncloud__system_group }}'
+    home: '{{ owncloud__system_home }}'
+    id: '{{ owncloud__upstream_key_fingerprint }}'
+    state: '{{ "present" if (owncloud__variant in ["nextcloud"]) else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+owncloud__ldap__dependent_tasks:
+
+  - name: 'Create Nextcloud account for {{ owncloud__ldap_device_dn | join(",") }}'
+    dn: '{{ owncloud__ldap_binddn }}'
+    objectClass: '{{ owncloud__ldap_self_object_classes }}'
+    attributes: '{{ owncloud__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'
+
+  - name: 'Enable password management by {{ owncloud__ldap_binddn }}'
+    dn: '{{ (["cn=Password Reset Agent", "ou=Roles"] + owncloud__ldap_base_dn) | join(",") }}'
+    attributes:
+      roleOccupant: '{{ owncloud__ldap_binddn }}'
+    state: '{{ "present" if owncloud__ldap_device_dn | d() else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__mariadb__dependent_databases [[[
+#
+# Configuration of the database managed by the :ref:`debops.mariadb` role.
+owncloud__mariadb__dependent_databases:
+
+  - database: '{{ owncloud__database_map[owncloud__database].dbname }}'
+    state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__mariadb__dependent_users [[[
+#
+# Configuration of the database user managed by the :ref:`debops.mariadb` role.
+owncloud__mariadb__dependent_users:
+
+  - database: '{{ owncloud__database_map[owncloud__database].dbname }}'
+    user: '{{ owncloud__database_map[owncloud__database].dbuser }}'
+    password: '{{ owncloud__database_map[owncloud__database].dbpass }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__postgresql__dependent_roles [[[
+#
+# Configuration of the database roles managed by the :ref:`debops.postgresql` role.
+owncloud__postgresql__dependent_roles:
+
+  - name: '{{ owncloud__database_name }}'  # Separate role is needed when owncloud__database_name != owncloud__database_user
+  - name: '{{ owncloud__database_user }}'  # Password is not passed directly - it will be read from the file
+
+                                                                   # ]]]
+# .. envvar:: owncloud__postgresql__dependent_groups [[[
+#
+# Configuration of the database groups managed by the :ref:`debops.postgresql` role.
+owncloud__postgresql__dependent_groups:
+
+  - roles: [ '{{ owncloud__database_user }}' ]
+    groups: [ '{{ owncloud__database_name }}' ]
+    database: '{{ owncloud__database_name }}'
+    state: '{{ "present" if (owncloud__deploy_state != "purged") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: owncloud__postgresql__dependent_databases [[[
+#
+# Configuration of the database managed by the :ref:`debops.postgresql` role.
+owncloud__postgresql__dependent_databases:
+
+  - name: '{{ owncloud__database_name }}'
+    owner: '{{ owncloud__database_user }}'
+                                                                   # ]]]
+# .. envvar:: owncloud__logrotate__dependent_config [[[
+#
+# Configuration of the logrotate rule managed by the debops.logrotate_ role.
+# ownCloud as of Version 9.0 does not do log rotate by default. This could
+# be enabled by ``log_rotate_size``. ``logrotate`` is the default in DebOps.
+owncloud__logrotate__dependent_config:
+
+  - filename: '{{ owncloud__variant }}'
+    log: '{{ owncloud__data_path + "/" + owncloud__variant + ".log" }}'
+    state: '{{ "present" if (owncloud__deploy_state == "present") else "absent" }}'
+    options: |
+      rotate 12
+      weekly
+      missingok
+      notifempty
+      compress
+      su {{ owncloud__app_user }} {{ owncloud__app_group }}
+      delaycompress
+# ]]]
+
+# .. envvar:: owncloud__apache__dependent_snippets [[[
+#
+# Apache configuration snippets managed by the :ref:`debops.apache` role.
+# Disable the :file:`/etc/apache2/conf-enabled/owncloud.conf` which configures
+# ownCloud below ``/owncloud``.
+owncloud__apache__dependent_snippets:
+  'owncloud':
+    enabled: False
+    type: 'dont-create'
+
+
+# .. envvar:: owncloud__apache__dependent_vhosts
+#
+# Apache virtual host managed by the :ref:`debops.apache` role.
+owncloud__apache__dependent_vhosts:
+
+  - type: 'default'
+    name: '{{ owncloud__fqdn }}'
+    by_role: 'debops.owncloud'
+    filename: 'debops.owncloud'
+    root: '{{ owncloud__app_home }}'
+    options: '+FollowSymLinks'
+    allow_override: 'All'
+    root_directives: |  # noqa jinja[spacing]
+      <IfModule mod_dav.c>
+            Dav off
+      </IfModule>
+
+      SetEnv HOME {{ owncloud__app_home }}
+      SetEnv HTTP_HOME {{ owncloud__app_home }}
+
+      {# Does not work.
+      ## Tested while uploading with:
+      ## while true; do df -h /tmp|tail -n 1; sleep 0.1; done
+      ## Currently configured in PHP Apache scope: owncloud__php__dependent_configuration
+      {% if owncloud__php_temp_path | d() %}
+      <IfModule mod_php5.c>
+        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
+      </IfModule>
+      <IfModule mod_php7.c>
+        php_value sys_temp_dir '{{ owncloud__php_temp_path }}'
+      </IfModule>
+      {% endif %}
+      # SetEnv TMPDIR '{{ owncloud__php_temp_path }}'
+      #}
+    raw_content: |
+      <Directory "{{ owncloud__app_home }}/data/">
+          # Just in case the .htaccess gets disabled.
+          Require all denied
+      </Directory>
+      {% if owncloud__data_path != (owncloud__app_home + "/data") %}
+      <Directory {{ owncloud__data_path | quote }}>
+          # Just in case someone changes the global Apache defaults and messed
+          # with the "Alias" directive ;)
+          Require all denied
+      </Directory>
+      {% endif %}
+    http_sec_headers_directive_options: 'set'
+
+
+# .. envvar:: owncloud__nginx__dependent_maps
+#
+# :program:`nginx` maps managed by the :ref:`debops.nginx` role.
+owncloud__nginx__dependent_maps:
+
+  - name: 'asset_immutable'
+    map: '$arg_v $asset_immutable'
+    mapping: '"" "";'
+    default: 'immutable'
+
+
+# .. envvar:: owncloud__nginx_options
+#
+# Nginx main config block for the application.
+owncloud__nginx_options: |-
+  add_header X-Download-Options noopen;
+
+  # Remove X-Powered-By, which is an information leak
+  fastcgi_hide_header X-Powered-By;
+
+  # Specify how to handle directories -- specifying `/index.php$request_uri`
+  # here as the fallback means that Nginx always exhibits the desired behaviour
+  # when a client requests a path that corresponds to a directory that exists
+  # on the server. In particular, if that directory contains an index.php file,
+  # that file is correctly served; if it doesn't, then the request is passed to
+  # the front-end controller. This consistent behaviour means that we don't need
+  # to specify custom rules for certain paths (e.g. images and other assets,
+  # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+  # `try_files $uri $uri/ /index.php$request_uri`
+  # always provides the desired behaviour.
+  index index.php index.html /index.php$request_uri;
+
+  # Set max upload size and increase upload timeout:
+  client_max_body_size {{ owncloud__upload_size }};
+  client_body_timeout 300s;
+  {% if owncloud__nginx_client_body_temp_path %}
+  client_body_temp_path '{{ owncloud__nginx_client_body_temp_path }}';
+  {% endif %}
+  fastcgi_buffers 64 4K;
+
+  {% if owncloud__app_user_webfinger_support | bool %}
+  rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+  rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+  {% endif %}
+
+  {% if owncloud__variant == "nextcloud" %}
+  # Enable gzip but do not remove ETag headers
+  gzip on;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 256;
+  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+  {% else %}
+  # Disable gzip to avoid the removal of the ETag header
+  gzip off;
+  {% endif %}
+
+  # Uncomment if your server is build with the ngx_pagespeed module
+  # This module is currently not supported.
+  #pagespeed off;
+
+  # The settings allows you to optimize the HTTP2 bandwitdth.
+  # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+  # for tuning hints
+  # TODO(ypid): Nginx will be able to autotune this value when the patch gets accepted.
+  # DebOps will drop this manual tuning based on Nextcloud recommendation
+  # when the Nginx release is available in Debian oldstable.
+  client_body_buffer_size 512k;
+
+  {% if not (owncloud__variant == "nextcloud" and
+             owncloud__release is version("18.0", ">=")) %}
+  error_page            403             /core/templates/403.php;
+  error_page            404             /core/templates/404.php;
+  {% endif %}
+
+  # Default Cache-Control policy
+  expires 1m;
+
+
+  # Avoid to send the security headers twice as ownCloud
+  # also adds the X-* HTTP headers.
+  fastcgi_param modHeadersAvailable true;
+
+# .. envvar:: owncloud__nginx__dependent_servers
+#
+# :program:`nginx` server configuration managed by the :ref:`debops.nginx` role.
+owncloud__nginx__dependent_servers:
+
+  ## https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html
+  ## Corresponds to 5527a8c1ffc18d614e51ab18b61daccbbb047af9
+  ## from https://github.com/nextcloud/documentation.git
+  - type: 'default'
+    enabled: True
+    by_role: 'debops.owncloud'
+    filename: 'debops.owncloud'
+    name: '{{ owncloud__fqdn }}'
+    root: '{{ owncloud__deploy_path }}'
+    webroot_create: False
+    deny_hidden: False
+    favicon: False
+
+    ## Nextcloud has its own maintenance page
+    maintenance: '{{ False if (owncloud__variant == "nextcloud") else True }}'
+
+    ## https://docs.nextcloud.com/server/17/admin_manual/issues/general_troubleshooting.html#common-problems-error-messages
+    ## DebOps default should be fine.
+    # keepalive: '3600'
+
+    robots_tag: [ 'none' ]
+    permitted_cross_domain_policies: 'none'
+    frame_options: '{{ omit if (owncloud__variant == "nextcloud" and
+                                owncloud__release is version("17.0", "<"))
+                            else "SAMEORIGIN" }}'
+
+    options: |
+      {% if not (owncloud__http_psk_subpath_enabled | bool) %}
+      {{ owncloud__nginx_options }}
+      {% endif %}
+
+    location_list:
+      - pattern: '/'
+        options: |-
+          deny all;
+        enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'
+
+      - pattern: '= /{{ owncloud__http_psk_subpath }}'
+        options: |
+          # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+          if ( $http_user_agent ~ ^DavClnt ) {
+              return 302 /{{ owncloud__http_psk_subpath_end_slash }}remote.php/webdav/$is_args$args;
+          }
+
+          # Not used in the Nginx configuration example of Nextcloud/ownCloud.
+          # Needed because `security.limit_extensions` defaults to `.php` in DebOps.
+          rewrite ^ /{{ owncloud__http_psk_subpath_end_slash }}index.php;
+
+      - pattern: '= /robots.txt'
+        options: |
+          allow all;
+          log_not_found off;
+        enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'
+
+      - pattern: '^~ /.well-known'
+        options: |
+          # Make a regex exception for `/.well-known` so that clients can still
+          # access it despite the existence of the regex rule
+          # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+          # for `/.well-known`.
+
+          location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+          location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+          # Anything else is dynamically handled by Nextcloud
+          location ^~ /.well-known            { return 301 /index.php$uri; }
+
+          try_files $uri $uri/ =404;
+        enabled: '{{ not (owncloud__http_psk_subpath_enabled | bool) }}'
+
+      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:build|tests|config|lib|3rdparty|templates|data)\/'
+        options: |
+          return 404;
+
+      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}(?:\.|autotest|occ|issue|indie|db_|console)'
+        options: |
+          return 404;
+
+      - pattern: '~ ^/{{ owncloud__http_psk_subpath_end_slash }}.*\.php(?:$|/)'
+        options: |  # noqa jinja[spacing]
+          # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+          # which handle static assets (as seen below). If this block is not declared first,
+          # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+          # to the URI, resulting in a HTTP 500 error response.
+
+          # Required for legacy support
+          # https://github.com/nextcloud/documentation/pull/2197#issuecomment-721432337
+          rewrite ^/{{ owncloud__http_psk_subpath_end_slash }}(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
+
+          # (/.*|): The "or empty" regex alternative is needed for custom
+          # subpath because otherwise the whole regex would not match and would
+          # not update ${fastcgi_script_name}.
+          fastcgi_split_path_info ^{{ owncloud__http_psk_subpath_begin_slash }}(.+?\.php)(/.*|)$;
+          set $path_info $fastcgi_path_info;
+          {% if owncloud__http_psk_subpath_enabled | bool %}
+          set $script_name "{{ owncloud__http_psk_subpath_begin_slash }}${fastcgi_script_name}";
+          {% endif %}
+
+          try_files $fastcgi_script_name =404;
+
+          include fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          {% if owncloud__http_psk_subpath_enabled | bool %}
+          fastcgi_param SCRIPT_NAME $script_name;
+          {% endif %}
+          fastcgi_param PATH_INFO $path_info;
+          fastcgi_param HTTPS on;
+
+          fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+          fastcgi_param front_controller_active true;     # Enable pretty urls
+          fastcgi_pass php_owncloud;
+
+          fastcgi_intercept_errors on;
+          {% if (ansible_local.nginx.version | d("0.0")) is version_compare("1.7.11", '>=') %}
+          fastcgi_request_buffering off;
+          {% endif %}
+
+          fastcgi_read_timeout {{ owncloud__timeout }};
+
+      - pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite))$'
+        options: |
+          try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
+          add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+
+          {% if not (owncloud__nginx_access_log_assets | bool) %}
+          access_log off;
+          {% endif %}
+
+          location ~ \.wasm$ {
+              default_type application/wasm;
+          }
+
+      - pattern: '~ {{ owncloud__http_psk_subpath_begin_slash }}(/.*\.woff2?)$'
+        options: |
+          try_files {{ "$1" if (owncloud__http_psk_subpath_enabled | bool) else "$uri" }} /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
+          expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+
+          {% if not (owncloud__nginx_access_log_assets | bool) %}
+          access_log off;
+          {% endif %}
+
+      - pattern: '^~ /{{ owncloud__http_psk_subpath }}'
+        options: |
+          {{ owncloud__nginx_options }}
+        enabled: '{{ owncloud__http_psk_subpath_enabled | bool }}'
+
+      - pattern: '/{{ owncloud__http_psk_subpath_end_slash }}remote'
+        options: |
+          # Rule borrowed from `.htaccess`
+          return 301 /{{ owncloud__http_psk_subpath_end_slash }}remote.php$request_uri;
+
+      - pattern: '/{{ owncloud__http_psk_subpath_end_slash }}'
+        options: |
+          try_files $uri $uri/ /{{ owncloud__http_psk_subpath_end_slash }}index.php$request_uri;
+
+    ## Not used so that the exact order of locations from the upstream nginx
+    ## example can be used.
+    # type: 'php'
+
+
+# .. envvar:: owncloud__nginx__dependent_upstreams
+#
+# PHP upstream server configuration managed by the :ref:`debops.nginx` role.
+owncloud__nginx__dependent_upstreams:
+
+  - name: 'php_owncloud'
+    by_role: 'debops.owncloud'
+    enabled: True
+    state: '{{ owncloud__deploy_state }}'
+    type: 'php'
+    php_pool: 'owncloud'
+
+
+# .. envvar:: owncloud__php__dependent_packages
+#
+# List of PHP packages to install using the :ref:`debops.php` role.
+owncloud__php__dependent_packages:
+
+  - '{{ owncloud__base_php_packages }}'
+  - '{{ owncloud__optional_php_packages }}'
+  - '{{ ["libapache2-mod-php"] if (owncloud__webserver == "apache") else [] }}'
+
+
+# .. envvar:: owncloud__php__dependent_configuration
+#
+# :file:`php.ini` configuration managed by the :ref:`debops.php` role.
+owncloud__php__dependent_configuration:
+
+  - filename: '10-owncloud'
+    by_role: 'debops.owncloud'
+    state: '{{ "present" if (((owncloud__apcu_enabled | bool) and (owncloud__release is match("8\.1"))) or
+            ((owncloud__variant in ["nextcloud"]) and
+            (owncloud__release is version_compare("21.0", ">="))))
+            else "absent" }}'
+    options: |
+      ; Workaround for: https://github.com/owncloud/core/issues/17329
+      apc.enable_cli = 1
+
+  - filename: '30-owncloud-opcache'
+    by_role: 'debops.owncloud'
+    state: '{{ "present"
+               if (owncloud__variant in ["nextcloud"] and owncloud__release is version_compare("12.0", ">="))
+               else "absent" }}'
+    options: |
+      ; https://docs.nextcloud.com/server/25/admin_manual/installation/server_tuning.html#enable-php-opcache
+      ; https://github.com/nextcloud/docker/blob/master/25/fpm/Dockerfile
+
+      [opcache]
+
+      opcache.enable=1
+      opcache.enable_cli=1
+      opcache.interned_strings_buffer=16
+      opcache.max_accelerated_files=10000
+      opcache.memory_consumption=128
+      opcache.save_comments=1
+      opcache.revalidate_freq=60
+
+  - filename: 'debops.owncloud'
+    path: 'apache2/conf.d/'
+    by_role: 'debops.owncloud'
+    state: '{{ (owncloud__php_temp_path | d() and owncloud__webserver == "apache") | ternary("present", "absent") }}'
+    sections:
+
+      - options: |
+          ## TODO: Could not be configured on Apache vhost scope.
+          sys_temp_dir = {{ owncloud__php_temp_path | quote }}
+
+
+# .. envvar:: owncloud__php__dependent_pools
+#
+# PHP pools managed by the :ref:`debops.php` role.
+# Refer to the `official ownCloud documentation <https://doc.owncloud.org/server/10.3/admin_manual/installation/source_installation.html#php-ini-configuration-notes>`__ for details.
+owncloud__php__dependent_pools:
+  name: 'owncloud'
+  by_role: 'debops.owncloud'
+  user: '{{ owncloud__app_user }}'
+  group: '{{ owncloud__app_group }}'
+  pm_max_children: '{{ owncloud__php_max_children }}'
+
+  ## Overwrite DebOps default to ensure that long running syncing jobs don’t
+  ## get killed.
+  ## https://secure.php.net/manual/en/install.fpm.configuration.php
+  request_terminate_timeout: '{{ owncloud__timeout }}'
+
+  ## This is sometimes seen in other peoples ownCloud configuration.
+  ## The role maintainers could not yet verify if it is really needed.
+  # rlimit_files: '131072'
+  # rlimit_core: 'unlimited'
+
+  ## https://github.com/owncloud/core/blob/master/.user.ini
+  ## https://github.com/nextcloud/server/blob/master/.user.ini
+  php_values:
+    ## https://secure.php.net/manual/en/outcontrol.configuration.php#ini.output-buffering
+    output_buffering: '{{ owncloud__php_output_buffering }}'
+
+    ## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
+    upload_max_filesize: '{{ owncloud__upload_size }}'
+
+    ## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
+    post_max_size: '{{ owncloud__upload_size }}'
+
+    ## https://secure.php.net/manual/de/ini.core.php#ini.memory-limit
+    ## Nextcloud now warns with a PHP memory limit lower than 512MB
+    memory_limit: '{{ owncloud__upload_size }}'
+
+    ## https://secure.php.net/manual/en/info.configuration.php#ini.max-input-time
+    max_input_time: '{{ owncloud__timeout }}'
+
+    ## Refer to: https://secure.php.net/manual/en/info.configuration.php#ini.max-execution-time
+    max_execution_time: '{{ owncloud__timeout }}'
+
+  environment:
+    # HOSTNAME: '$HOSTNAME'
+    # TMP: '/tmp'
+    # TMPDIR: '/tmp'
+    # TEMP: '/tmp'
+
+    ## Fixes warning (ownCloud 8.1): "The test with getenv('PATH') only returns an empty response"
+    PATH: '/usr/local/bin:/usr/bin:/bin'
+
+
+# .. envvar:: owncloud__unattended_upgrades__dependent_origins
+#
+# List of origin patterns managed by the :ref:`debops.unattended_upgrades` role.
+owncloud__unattended_upgrades__dependent_origins:
+
+  - origin: 'site=download.owncloud.org'
+    by_role: 'debops.owncloud'
+    state: 'absent'
diff --git a/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0x47AE7F72479BC94B b/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0x47AE7F72479BC94B
new file mode 100644
index 00000000..0fe3dc65
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0x47AE7F72479BC94B
@@ -0,0 +1,73 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQENBFIaurIBCADicvh/agXMz4pI4eXbVCOjvCXjG2dlrqVHGDe6zTsKGvvhuXBW
+uP0fyaTMWbU910Mqe0uiNLYyk45O3/YsUDLSpgqXl1sQ2DG1hPnKne5PeoSRF5Gb
+HPIJPQIg5HQk5PYbFZFYZa1a3qRW52pH91dNyZO2urA1qVNLxEp69VDoTHqg74IU
+dhkoLfO1burfg6mKhgDcCFN6S/WtqiYNAGDu1GvY/+gZoCAz5Nv+8smM6/rlk/oi
+t+TPU0pYkrkoa85KjNFYy5Dm7ObBVhA+QYWnJfKXdJKE/tFsVcUhmc672rZsJkYg
+5qfyRtHNRhYhwLd2HyRDbbg6dY8TIePGDzEnABEBAAG0KW93bkNsb3VkIGJ1aWxk
+IHNlcnZpY2UgPG9ic3J1bkBsb2NhbGhvc3Q+iQE/BBMBCAApAhsDBwsJCAcDAgEG
+FQgCCQoLBBYCAwECHgECF4AFAluAUoIFCRLLmVAACgkQR65/ckebyUvcCwf/WKrS
+sk7O901UyI3809kAs7eLRdPAKoAHLyymbn9/dLAgPiHjdeBryb9Jlu0VMeGoE0RL
+2F3ls59rWfQvs4GP0TaS9O5A4L/o9kS6G9RRMkRqjjF/idPytI2BCDI98k5VY1AK
+Wfx+IG2Vl2Z7auiTOCC/Q/e5Sof8BuSl94aC3sl3gBbR4Gvs7sZI3RKiDneftfLL
+A3ciJEKaYUkftFkrBOXLy574gM9Ip0Oc0ntEtf+rB3dljzfc05ifapTYjswvHhol
+SNeT6GFbDSqUOnKTPMWUZtKgkKZTJk1CnAJfgY9vbH4h65wAZg3L3Slc4PByZ/07
+hHL3Cq7hE4zVkBS2bLkBDQRSGrqyAQgAsZJT/D8EHpjVPsn2ASo4vUGOIeiyLfQe
+IAWfK65s69uJGlHvQrW1HJSIpobEXCwdVrmxadHDyl0CbEqnppM5ePF2Rc8JqOB+
+WuK2tVloboVHHeF8N1PAmsrtQpKvUTbdKKbFBQ1WbTG8rykFV3UBbQDZXRIi6H07
+KO0yf15LP95PHSSH7JZIG+IQibHtn/6zi3J40fFsuOp7QxrC0d1QobkBQPOxrtsy
+tts+4LWnVewnYfjy+9mlJNIWSHUxMCvZLcAS8u5LO3UD0e3y/RJfo0yAjHNPs3BH
+hHAXE1ir3RbdQQogAOjxgNdr7tU0ybaveEYAPDjHtvkLuQznaYxx7wARAQABiQEl
+BBgBCAAPAhsMBQJbgFLeBQkSy5msAAoJEEeuf3JHm8lLWPYH/A5OMEcSBus9HaA+
+cMMjTnt7prdHaLSu036s1ejw7ne1kS+2bDd4woWYzMzLQLwRFSi6Vgfz7Svxdbwc
+vLU+R5SsmjugzxIdi46Ge/+XuhJLxI1iQrK8BW/+YNATyvJpMR/gA2K1Jnqz6yOd
+GyKUcGFWR0l9SPh1eXYWTXlyM86Zu8v8Cy+PhUZeX0AK9eQbt5U5uoiQMi291Jt6
+Qr+c7YVe2f2CVfkMYCzHbA8eD2ymlyjw1fpHqX+ds3lFPRGThEoOwdw9oCRbmUvw
+raTJPAm40R0xPjj06AoiYeaYNvcxlEZJATMe5ROkHDJbaRCaF3JTw3QpN5de0f/x
+BBpfkc+5Ay4EUhq7fBEIAKM3GnOm+lkGXs8QinFcG7DwRpk91H15jr8QFYAr3hUi
+Lt4JtH3fNoabxQNXkftmtZXfiAcFFRrFGQkAazaE3ugkFNWLgXkIFrHfPdsar0dJ
+iCYlKU/DVxduSU74cIDC2YACWyr6KrgD4LinR/W6WEHpadH7KPNWL2DXIW9Fi+Xr
+TbkZnzpOPiUII6DcRe59ow3B8p3YMnr821aqjaPHSJoJoxgO4WPQTxCTQJQY8keT
+p3Kpt1guxgq1IZiXsqW+DwifkxrxBcSqdcFNNd3xhuDDAHt5PHucMt2dVxvQPWlk
+Nu1IozQZ6hLlJ8j5nKpnunh7bDLxZZDFupyX05UU0KMBAP/bxsTSXL2gZDsKXhUs
++LpEk2+xOVdGx8AGS0eEQQBfCACSVYufxaHMc2kBCdNb/BUcyJaJLKI7FGIjBYSs
+2GthvnsbScTQRMMb6Rgdol6xUwk3ZQ3xNVEsDsY+BbC7qEqL4xLYSoXniPfdJYPG
+CCbglt7/7e32yaSK/CVJByamg4ROOaw2/ymL3nn0NRUNLB4/kxJDNmI+Z5Ig7ZjH
+gEwfVkd/53QUV+lDDcmUno2UWLW0EHtryLYhS2F0qVIkO3F3hP+pbnCXKyBAC955
+PDREDAk7YyxbOjZKvdwK0dDlTem2/8YjxqHKuSFHmxfvDQVXnnLLcQnnf2+KZ0ro
+Bet4XArxbfdEfeGCHjvSa/Z6xDEpdH/CgMSrozlw/mUZNwVxB/9nP6KPMDm7V3qS
+Ij4vP1uhfo/n7iYTT3ED4K6hgQhPDaRQQR2M7QigVeM5uLstTd4AsktxghistGX5
+LvZtTYuTAjdZ74lm9CAgyobtYs64gPAvoN2duCLrub00v91AdFlmlsJxJn48Rsdl
+TFaNFeER78c28GoC8wl0asLaj8IRunSlsO5a5PnsTivA6eYsBcVtPih7N2Vn1Nia
+OuUT0tHkAZu9JeJaqjUsMAbYelAIPSAdH3roQ1ZQHwa+KnbSu+m6fH65eUdA9eUD
+80Wp6lmBGJLXTEz84/5a8/hXHEyRQhbIRpuBHGs++bF/gYqNfDBCja2B8qJyuhm2
+/1lvfsc/iQGFBBgBCAAPAhsCBQJbgFMfBQkSy5kjAGpfIAQZEQgABgUCUhq7fAAK
+CRDdJ/RchutgJz6CAP46j07SAMtm4x1GV6K8MMxE5jpwPxwoEk+Pg6ke0ZYzZAD+
+OtDkMJ0Dyw5oM1mqPp5Ptr4fM/vGfjvhNQGPylRY8I8JEEeuf3JHm8lLE8kH/2lX
+6f8rv+ID1HPnutTziuvSexo4u/kzXoLt1UkQALM8ussFI7esIjx4umKzGZLH7Urp
+RYm5mxU/FC+V3aZxdyBgw7Qi6sEX3NkUoLzhb1jeq57w0GlQw7iDHjaTF1+SdcAy
+OgagiyGQ1z3TwKr+J2QJrGM/5Yugh46VpY0b4+Bjg40czXW1dUYldHig9RCZaFgz
+gvOxQujuJtAQ5AAQCkYB/GYAEiWRxHZxyQpyd8I2KMnp7qY4+XmfcO5JP2ZURNA8
+NT/PblRpcufHL8rhVPkYAct6XH7SZ8JoNpJN3/kSKpy0UhLxqqfq7nKNJeGD8Q4e
+YFzIIgbQUcY9vXV97TC5Ag0EUhq7vRAIAIufJ5CF8E1yjBL0i2js9NajUioPTXdM
+wwm/o3KZbPBxrEkqeMv4cXQDOWhIXcT0oXfcSx3URXI4iUQaKDPn4duvrwAl7JBY
+QrW3ary+zgq6iFe5y0yHrqBiL1v1cPyM3i30+CuAgCwpbRMKK9DJpoTpNHd2XMhU
+aiH5SMzCh9APA2qOqDNmDfE0cqs6Y08+gRV1oBHe1dtF9XUoTyZ4mO799MG03X4w
+dzeyz/Oxzp+NNHTOlvizFrmYZmTBc45L+NBLwdtg6OEclvz8SMbyq4q+Gg0I6Abv
+BkJjTfZaJPP2wISnOuMLGUiADLBG1fDuUw0Df7WkzgY3dP7CuMOUZasAAwUH/23u
+xwlHunu1tMprUU4cK797ilzmtA09hME8qm0NAHO96+T63kxUmu+0edlySw5W5BfQ
+mltW+wSFlPdM1pdNgUIEsf8VkQlGW8ZMIyoeo1QXBhxyXM39VzAsu5Cw0NIquDcd
+dZDnv/htq3uI/UdSgTBE7eknE76tEWTfQy2yfr844UA+j3YK0rMqpMUxsf9kUI+m
+SPXz4mL0lIGP9sgZphcp95yqW/bvpkkjzEiGkfDlzFQ/tatxDEhRtutddMy3uuit
+su/FtZRge2bCInNGNstqVThve59WSwMdPBsv84u3vk8AEzpsybguxTpIEhcqYqnn
+itccuDe6MNgnRZYvTrqJASUEGAECAA8FAlIau70CGwwFCQlmAYAACgkQR65/ckeb
+yUt4awf/Vps+XySimfCSC11Ml8iHvemM27YqpdeOds4RqtP2nFxvfigndNNOkJC5
+FsNDkOs55TG45SU7jBr6CDiM87pwpoDn6YFkFTLUf4Jpxuc2K7gOVnUqIc8af/2x
+0gvmCgTGHYqPoJ5OEVXv18ojC3aW9+Xbnt1j/+0o0sq9/yae1/sKamPCZ21iPZsc
+OOmwH8YrejR+QkfzQIRkS/No3farvo8Az6r0UeY3TXgPWCXj/QO7bITOi1GP+KvM
+2mCjN7eGWtFrprZ1CEngMNg/A8qG0surzDpM0VjAP6bpMI05L9QXYqk8HTIXVMXV
+YkJQHR+jNC6dx6SpQyhekzISKlXQ+A==
+=jyKE
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0xAB7C32C35180350A b/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0xAB7C32C35180350A
new file mode 100644
index 00000000..9617c7c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/files/usr/local/src/owncloud/keyring/0xAB7C32C35180350A
@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFYWn8IBCADHCFAJOVx4QyEycu9anbwsxkSJL9QmZgyJeQpegi7HshBfvqOi
+oYRp+TKalfhFuTywLTIdX5B20RRr7cJ0dESwToWMwHY1+Ca1BTw0RnmUX64DuIAM
+7bm94MaKQEsMg/Fdd+Vtoai7yUFtoIiB7gA5H8uKCKNM6SebH69xNQJufaWmuAUm
+G64sd3RUs8ZfKbCTi+3wPyCP10pIc4rv6KJrQaCd02SpO3AJFuqjXhZ3zPnkUSdu
+pzoftilsGrOaw7PHabwtL4vmSONpojSiaCvNPJoqfYGdSZnfBO/vjgZ/j1yzZ8xB
++fA2o8xSFSY3lFhRV3ERdas/EPmQwv76RQ47ABEBAAG0I2NlIE9CUyBQcm9qZWN0
+IDxjZUBzMi5vd25jbG91ZC5jb20+iQE/BBMBAgApBQJWFp/CAhsDBQkEHrAABwsJ
+CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQq3wyw1GANQppPQgAnPg32+0MUoGM
+Art4UT1IyFwvkcx8c3iK7sL6g2bEkkS5r8sRRAxG4Xr7aGmNWeQfHJwkuYB8YviE
+AQSCiqeENW36crKj9zJYddvzNdhZ8YLrikutGdweOe1QuQ4m0vypKhEWLvF/xNOj
+Fc0nIBdS46XkGgArxfakDXR4T+cXH+t36O59MtBHHowqSRQ4mH3TwkJLIwxMrxw7
+qMCNb7hkSGzzhJl6lM6juNvo78xWgjxcX+hQWxsChywArgax9U+C4jyywvytXnVV
+pGD2soA3EZb7dwLIXdE+GZM2HR4mbynO7tpyphtrwWNy8U0jhOknVNVv/KmqAhqv
+/po8xYTfJ4kBHAQTAQIABgUCVhafwgAKCRBHrn9yR5vJSwRCCADDHEWShB3Rko/i
+Z+u9n8ZbYx2yeasumitCTmPNaJBCz9/I0GMoUM2d3FrKJ9dNX/Q60Is17yHUoE5d
+QcEb0/eAu8QeEtp2hAD5ayME1r9hZqBvHrJ4nRn3iWD6nsNRh7ESYeOrfzGSlN5b
+w2NRQ0KBwNCIK/gkgK5YxWq/YYTMhRk1N2EjoJipzRkEqYjnmxBWy5EJoayvJngd
+/wxPMhVvT4zRoqE6TD++g8ibA1j5o5f+RdxaZAgq6wkbtA+iZI6Z3OPkmU0guyrO
+cCqu++L4LegL3mE6iwK1jLx+ytO2JgCTAbk/X4bk8gJtakMAaMtvOGE9yv46IXli
+zcwfgwUz
+=wdVN
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/ansible_collections/debops/debops/roles/owncloud/meta/main.yml b/ansible_collections/debops/debops/roles/owncloud/meta/main.yml
new file mode 100644
index 00000000..5efe60af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/meta/main.yml
@@ -0,0 +1,46 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski, Hartmut Goebel, Robin Schneider'
+  description: 'Install and manage ownCloud instance'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.4'
+
+  platforms:
+
+    - name: Debian
+      versions:
+        - stretch
+
+        ## Main target, used in production.
+        - buster
+
+    - name: Ubuntu
+      versions:
+        ## CI testing target
+        - trusty
+
+  galaxy_tags:
+    - cloud
+    - private
+    - privacy
+    - sharing
+    - files
+    - calendar
+    - contacts
+    - web
+    - owncloud
+    - nextcloud
diff --git a/ansible_collections/debops/debops/roles/owncloud/meta/watch-nextcloud b/ansible_collections/debops/debops/roles/owncloud/meta/watch-nextcloud
new file mode 100644
index 00000000..776a01f3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/meta/watch-nextcloud
@@ -0,0 +1,12 @@
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2022 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: owncloud
+# Package: nextcloud
+# Version: 23.0
+
+version=4
+https://download.nextcloud.com/server/releases/ nextcloud-(.+)\.tar\.bz2
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/copy.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/copy.yml
new file mode 100644
index 00000000..3093fb1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/copy.yml
@@ -0,0 +1,68 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+# Skeleton copied from debops.resources.
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure that parent directories exist
+  ansible.builtin.file:
+    path:    '{{ (owncloud__data_path + "/" + item.dest) | dirname }}'
+    state:   'directory'
+    recurse: '{{ item.parent_dirs_recurse | d(True) }}'
+    owner:   '{{ item.parent_dirs_owner | d(owncloud__app_user) }}'
+    group:   '{{ item.parent_dirs_group | d(owncloud__app_group) }}'
+    mode:    '{{ item.parent_dirs_mode | d("0755") }}'
+  when: ((item.parent_dirs_create | d(True) | bool) and item.dest | d() and item.state | d("present") != 'absent')
+  loop: '{{ q("flattened", owncloud__user_files
+                           + owncloud__user_files_group
+                           + owncloud__user_files_host) }}'
+
+- name: Copy files to ownCloud user profiles
+  ansible.builtin.copy:
+    dest:     '{{ owncloud__data_path + "/" + item.dest }}'
+    src:      '{{ item.src | d(omit) }}'
+    content:  '{{ item.content | d(omit) }}'
+    owner:    '{{ item.owner | d(owncloud__app_user) }}'
+    group:    '{{ item.group | d(owncloud__app_group) }}'
+    mode:     '{{ item.mode | d("u=rwX,g=rX,o=rX") }}'
+    selevel:  '{{ item.selevel | d(omit) }}'
+    serole:   '{{ item.serole | d(omit) }}'
+    setype:   '{{ item.setype | d(omit) }}'
+    seuser:   '{{ item.seuser | d(omit) }}'
+    follow:   '{{ item.follow | d(omit) }}'
+    force:    '{{ item.force | d(omit) }}'
+    backup:   '{{ item.backup | d(omit) }}'
+    validate: '{{ item.validate | d(omit) }}'
+    remote_src: '{{ item.remote_src | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+  register: owncloud__register_create_user_files
+  loop: '{{ q("flattened", owncloud__user_files
+                           + owncloud__user_files_group
+                           + owncloud__user_files_host) }}'
+  when: ((item.src | d() or item.content | d()) and item.dest | d() and
+         (item.state | d('present') != 'absent'))
+
+- name: Delete files on remote hosts
+  ansible.builtin.file:
+    path:  '{{ owncloud__data_path + "/" + item.dest }}'
+    state: 'absent'
+  register: owncloud__register_delete_user_files
+  loop: '{{ q("flattened", owncloud__user_files
+                           + owncloud__user_files_group
+                           + owncloud__user_files_host) }}'
+  when: (item.dest | d() and (item.state | d('present') == 'absent'))
+
+- name: Run occ commands as specified in the inventory
+  ansible.builtin.include_tasks: 'run_occ.yml'  # noqa no-handler
+  loop_control:
+    loop_var: 'owncloud__files_scan_item'
+  when: owncloud__files_scan_item is changed
+  with_items: '{{ (owncloud__register_create_user_files.results | d([])
+                   + owncloud__register_delete_user_files.results | d([]))
+                  if (owncloud__register_create_user_files is defined and
+                      owncloud__register_create_user_files is not skipped)
+                  else [] }}'
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/deploy_state_absent.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/deploy_state_absent.yml
new file mode 100644
index 00000000..e1cfd8df
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/deploy_state_absent.yml
@@ -0,0 +1,14 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Remove shortcut for the occ command
+  ansible.builtin.file:
+    path: '{{ owncloud__occ_bin_file_path }}'
+    state: 'absent'
+  tags: [ 'role::owncloud:occ' ]
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/ldap.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/ldap.yml
new file mode 100644
index 00000000..aa0fb53d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/ldap.yml
@@ -0,0 +1,56 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check default ldap config exists
+  ansible.builtin.command: php --file "{{ owncloud__app_home }}/occ" ldap:show-config "{{ owncloud__ldap_config_id }}"
+  changed_when: False
+  when: (not ansible_check_mode)
+  register: owncloud__register_ldap_default_config_exits
+  become: True
+  become_user: '{{ owncloud__app_user }}'
+  failed_when: (owncloud__register_ldap_default_config_exits.rc != 0 and
+                'Invalid configID' not in owncloud__register_ldap_default_config_exits.stdout)
+
+- name: Create empty LDAP configuration
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         php --file "{{ owncloud__app_home }}/occ" ldap:create-empty-config | awk '{print $NF}'
+  args:
+    executable: 'bash'
+  become: True
+  become_user: '{{ owncloud__app_user }}'
+  register: owncloud__register_ldap_config_id
+  changed_when: owncloud__register_ldap_config_id.changed | bool
+  when: ((not ansible_check_mode) and 'Invalid configID' in owncloud__register_ldap_default_config_exits.stdout | d(""))
+
+- name: Update ownCloud local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/owncloud.fact.j2'
+    dest: '/etc/ansible/facts.d/owncloud.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure LDAP parameters
+  ansible.builtin.command: php --file '{{ owncloud__app_home }}/occ' ldap:set-config '{{ owncloud__ldap_config_id }}' '{{ item.name }}' '{{ item.value }}'
+  changed_when: False
+  become: True
+  become_user: '{{ owncloud__app_user }}'
+  loop: '{{ q("flattened", owncloud__ldap_combined_config) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"option": item.name, "value": item.value} }}'
+  no_log: '{{ debops__no_log | d(True)
+              if (item.name in ["ldapAgentPassword"])
+              else False }}'
+  when: ((not ansible_check_mode) and item.state | d('present') not in ['absent', 'ignore'] and
+         ('Invalid configID' in owncloud__register_ldap_default_config_exits.stdout | d("") or
+         owncloud_ldap_update_settings | bool))
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/main.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/main.yml
new file mode 100644
index 00000000..51a4177a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Manage system package installation
+  ansible.builtin.include_tasks: 'system_package_management.yml'
+  tags: [ 'role::owncloud:pkg' ]
+
+- name: Manage tarball installation
+  ansible.builtin.include_tasks: 'tarball.yml'
+  when: (owncloud__variant in ["nextcloud"])
+  tags: [ 'role::owncloud:tarball' ]
+
+- name: Setup ownCloud configuration
+  ansible.builtin.include_tasks: 'setup_owncloud.yml'
+  tags: [ 'role::owncloud:config' ]
+
+- name: Configure LDAP integration
+  ansible.builtin.include_tasks: 'ldap.yml'
+  when: (owncloud__ldap_enabled | bool)
+  tags: [ 'role::owncloud:ldap' ]
+
+- name: Manage custom ownCloud theme
+  ansible.builtin.include_tasks: 'theme.yml'
+  tags: [ 'role::owncloud:theme' ]
+
+- name: Copy file to user profiles
+  ansible.builtin.include_tasks: 'copy.yml'
+  tags: [ 'role::owncloud:copy' ]
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/main_env.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/main_env.yml
new file mode 100644
index 00000000..9134ee62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/main_env.yml
@@ -0,0 +1,53 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure the custom nginx client body temp directory does exist
+  ansible.builtin.file:
+    path: '{{ owncloud__nginx_client_body_temp_path }}'
+    state: 'directory'
+    owner: '{{ ansible_local.nginx.user | d("www-data") }}'
+    group: 'root'
+    mode: '0700'
+  when: (owncloud__webserver in ["nginx"] and owncloud__nginx_client_body_temp_path | d())
+
+- name: Ensure the custom temp directories are setup
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: '{{ item.mode | d("1750") }}'
+  when: item.path | d()
+  with_items:
+    - path: '{{ owncloud__temp_path }}'
+    - path: '{{ owncloud__php_temp_path }}'
+
+# Ansible local facts [[[
+
+- name: Make sure that Ansible local facts directory is present
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save ownCloud local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/owncloud.fact.j2'
+    dest: '/etc/ansible/facts.d/owncloud.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ.yml
new file mode 100644
index 00000000..335b40cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ.yml
@@ -0,0 +1,89 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# TODO: Switch to scripting occ interface when available: https://github.com/owncloud/core/issues/16068
+#
+#
+# Already tried to fix:
+#  The loop variable 'owncloud__occ_item' is already in
+#  use. You should set the `loop_var` value in the `loop_control` option for the
+#  task to something else to avoid variable collisions and unexpected behavior.
+#
+# using owncloud__occ_item. Did not work.
+
+- name: Construct occ command for ownCloud apps configuration
+  ansible.builtin.set_fact:
+    owncloud__occ_item:
+      command: 'config:app:set {{ owncloud__apps_item.key | quote }} {{ owncloud__apps_setting_item.key | quote }}
+                --value={{ owncloud__apps_setting_item.value | string | quote }}'
+  when: (owncloud__apps_setting_item is defined)
+  tags: [ 'role::owncloud:occ' ]
+
+- name: 'Construct occ command for ownCloud files:scan configuration'
+  ansible.builtin.set_fact:
+    owncloud__occ_item:
+      ## Does not support JSON output although it is listed in the help as of ownCloud 9.0.4.
+      ## Refer to
+      ## https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html#file-operations
+      ## for details.
+      command: 'files:scan --path {{ owncloud__files_scan_item.item.dest | quote }}'
+  when: (owncloud__files_scan_item is defined)
+  tags: [ 'role::owncloud:occ' ]
+
+  # An alternative would be
+  # https://doc.owncloud.org/server/9.1/admin_manual/configuration_user/user_provisioning_api.html
+  # but `occ` is preferred in the case of Ansible.
+- name: Run given occ commands
+  ansible.builtin.command: php --file "{{ owncloud__app_home }}/occ" {{ owncloud__occ_item.command }}
+               {{ "--output=json_pretty" if (owncloud__occ_item.get_output | d() | bool) else "" }}
+  environment: '{{ owncloud__occ_item.env | d({}) }}'
+  tags: [ 'role::owncloud:occ' ]
+  ## TODO: Upstream needs to fix proper support for `changed_when`.
+  changed_when: False
+  # changed_when: (owncloud__occ_item.command | d(omit) is match("config:app:set") and
+  ## Has changed in ownCloud 9.0 and does not work anymore.
+  # changed_when: ('No such app enabled:' not in owncloud__occ_run.stdout and
+                  # ' already ' not in owncloud__occ_run.stdout)
+  failed_when: ((owncloud__occ_run.rc != 0 and 'already exists' not in owncloud__occ_run.stdout and
+                 'already installed' not in owncloud__occ_run.stdout) or
+                ('An unhandled exception has been thrown:' in owncloud__occ_run.stdout))
+  no_log: '{{ debops__no_log | d(True) }}'
+  register: owncloud__occ_run
+  become: True
+  become_user: '{{ owncloud__app_user }}'
+  ## https://github.com/debops/ansible-owncloud/issues/62
+  when: (owncloud__do_autosetup | d() | bool and
+         owncloud__occ_item | d() and
+         owncloud__occ_item.command | d() and
+         (owncloud__occ_item.when | d(True) | bool) and not
+          (ansible_local.owncloud.maintenance | d() | bool and
+           (owncloud__occ_item.command.startswith("dav") or
+            owncloud__occ_item.command.startswith("federation") or
+            owncloud__occ_item.command.startswith("files") or
+            owncloud__occ_item.command.startswith("trashbin") or
+            owncloud__occ_item.command.startswith("versions"))))
+
+# - name: Debug occ command
+#   debug:
+#     var: 'owncloud__occ_run'
+
+# Note: --format=json does not ensure that a valid JSON is returned:
+#
+# $ occ status --output=json
+# ownCloud or one of the apps require upgrade - only a limited number of commands are available
+# You may use your browser or the occ upgrade command to do the upgrade
+# {"installed":true,"version":"9.0.3.2","versionstring":"9.0.3","edition":""}
+
+- name: Convert occ output into Ansible data structure
+  ansible.builtin.set_fact:
+    ## regex_replace: Relies on the fact that `json_pretty` indents the JSON encoded object.
+    owncloud__occ_run_output: '{{ owncloud__occ_run.stdout_lines
+                                  | map("regex_replace", "^[^{} ].*$", "") | join("") | from_json }}'
+  when: (owncloud__do_autosetup | d() | bool and owncloud__occ_item | d() and (owncloud__occ_item.get_output | d() | bool) and (not ansible_check_mode))
+  tags: [ 'role::owncloud:occ_config', 'role::owncloud:occ' ]
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ_app_set.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ_app_set.yml
new file mode 100644
index 00000000..7a8b3cc0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/run_occ_app_set.yml
@@ -0,0 +1,19 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Run occ commands for each app setting
+  ansible.builtin.include_tasks: 'run_occ.yml'
+  loop_control:
+    loop_var: 'owncloud__apps_setting_item'
+  ## Would be another use case for `ok_when`: https://github.com/ansible/ansible/issues/12710
+  when: ("apps" in owncloud__occ_config_current and
+         owncloud__apps_item.key in owncloud__occ_config_current.apps and
+         owncloud__occ_config_current.apps[owncloud__apps_item.key][owncloud__apps_setting_item.key] | d(omit)
+           != owncloud__apps_setting_item.value)
+  with_dict: '{{ owncloud__apps_item.value }}'
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/setup_owncloud.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/setup_owncloud.yml
new file mode 100644
index 00000000..5bf9a79b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/setup_owncloud.yml
@@ -0,0 +1,200 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Enable required Apache modules
+  community.general.apache2_module:
+    name: 'php5'
+    state: 'present'
+  when: owncloud__webserver == "apache"
+  loop: '{{ q("flattened", owncloud__apache_modules) }}'
+
+- name: Ensure restrictive permissions are set for the data directory
+  ansible.builtin.file:
+    path: '{{ owncloud__data_path }}'
+    state: 'directory'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: '0770'
+
+# ownCloud ./config/ [[[
+
+- name: Install ownCloud config file
+  ansible.builtin.template:
+    src: 'srv/www/sites/config/debops.config.php.j2'
+    dest: '{{ owncloud__deploy_path }}/config/debops.config.php'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: '0640'
+    validate: 'php -f %s'
+
+- name: Install ownCloud mail config file
+  ansible.builtin.template:
+    src: 'srv/www/sites/config/mail.config.php.j2'
+    dest: '{{ owncloud__deploy_path }}/config/mail.config.php'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: '0640'
+    validate: 'php -f %s'
+  when: ((owncloud__mail_conf_map.keys() | length) >= 1)
+  tags: [ 'role::owncloud:mail' ]
+
+- name: Ensure the ownCloud mail config file is absent
+  ansible.builtin.file:
+    path: '{{ owncloud__deploy_path }}/config/mail.config.php'
+    state: 'absent'
+  when: ((owncloud__mail_conf_map.keys() | length) == 0)
+
+- name: Ensure deprecated configuration files are absent
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop:
+    - '{{ owncloud__deploy_path }}/config/custom.config.php'
+
+# .. ]]]
+
+# Setup the occ command [[[
+
+- name: Remove legacy files
+  ansible.builtin.file:
+    state: 'absent'
+    path: '{{ ansible_local.php.etc_base | d("/etc/php") + "/cli/conf.d/enable_apc.ini" }}'
+  tags: [ 'role::owncloud:occ' ]
+
+- name: Setup shortcut for the occ command
+  ansible.builtin.template:
+    src: 'usr/local/bin/occ.j2'
+    dest: '{{ owncloud__occ_bin_file_path }}'
+    owner: 'root'
+    group: '{{ owncloud__app_group }}'
+    mode: '0755'
+  tags: [ 'role::owncloud:occ' ]
+
+# .. ]]]
+
+# Auto setup [[[
+
+- name: Get ownCloud setup status
+  ansible.builtin.command: '{{ owncloud__occ_bin_file_path | quote }} check'
+  register: owncloud__register_occ_check
+  changed_when: False
+
+- name: Determine if ownCloud autosetup should be done
+  ansible.builtin.set_fact:
+    owncloud__do_autosetup: '{{ (owncloud__autosetup and
+                                 owncloud__admin_username | d() and
+                                 (owncloud__register_occ_check is not skipped) and
+                                 (("is not installed" in owncloud__register_occ_check.stdout) or
+                                  ("is not installed" in owncloud__register_occ_check.stderr))) }}'
+
+- name: Automatically finish setup via the occ tool
+  ansible.builtin.command: |
+           {{ owncloud__occ_bin_file_path | quote }} maintenance:install
+           '--data-dir={{ owncloud__data_path }}'
+           '--database={{ owncloud__database_map[owncloud__database].dbtype }}'
+           '--database-name={{ owncloud__database_map[owncloud__database].dbname }}'
+           '--database-host={{ owncloud__database_map[owncloud__database].dbhost }}'
+           '--database-user={{ owncloud__database_map[owncloud__database].dbuser }}'
+           '--database-pass={{ owncloud__database_map[owncloud__database].dbpass }}'
+           {% if owncloud__admin_username %}
+           '--admin-user={{ owncloud__admin_username }}'
+           '--admin-pass={{ owncloud__admin_password }}'
+           {% endif %}
+  register: owncloud__register_occ_install
+  changed_when: owncloud__register_occ_install.changed | bool
+  when: owncloud__do_autosetup | bool
+
+# .. ]]]
+
+# ownCloud applications configuration [[[1
+
+- name: Get current ownCloud configuration via occ config:list
+  ansible.builtin.include_tasks: 'run_occ.yml'
+  loop_control:
+    loop_var: 'owncloud__occ_item'
+  tags: [ 'role::owncloud:occ_config' ]
+  when: (owncloud__apps_config_combined is mapping and owncloud__apps_config_combined.keys() | length)
+  loop:
+    - command: 'config:list'
+      get_output: True
+
+- name: Capture occ output in variable
+  ansible.builtin.set_fact:
+    owncloud__occ_config_current: '{{ owncloud__occ_run_output }}'
+  when: (owncloud__do_autosetup | bool and owncloud__apps_config_combined is mapping and owncloud__apps_config_combined.keys() | length and
+         (not ansible_check_mode))
+  tags: [ 'role::owncloud:occ_config' ]
+
+- name: Set ownCloud apps configuration for each app
+  ansible.builtin.include_tasks: 'run_occ_app_set.yml'
+  loop_control:
+    loop_var: 'owncloud__apps_item'
+  with_dict: '{{ owncloud__apps_config_combined | d({}) }}'
+  when: (owncloud__do_autosetup | d() | bool and not ansible_check_mode)
+  tags: [ 'role::owncloud:occ_config' ]
+
+# .. ]]]
+
+# Run occ commands as specified in the inventory [[[
+- name: Run occ commands as specified in the inventory
+  ansible.builtin.include_tasks: 'run_occ.yml'
+  loop_control:
+    loop_var: 'owncloud__occ_item'
+  tags: [ 'role::owncloud:occ' ]
+  loop: '{{ q("flattened", owncloud__role_occ_cmd_list
+                           + owncloud__occ_cmd_list
+                           + owncloud__group_occ_cmd_list
+                           + owncloud__host_occ_cmd_list
+                           + owncloud__dependent_occ_cmd_list) }}'
+# .. ]]]
+
+# Configure cron job for background tasks [[[
+
+- name: Setup cron service (nextcloud)
+  ansible.builtin.cron:
+    name: 'ownCloud Background Jobs'
+    minute: '{{ owncloud__cron_minute }}'
+    user: '{{ owncloud__app_user }}'
+    job: 'test -x /usr/bin/php && test -e {{ (owncloud__deploy_path + "/cron.php") | quote }}
+          && /usr/bin/php -f {{ (owncloud__deploy_path + "/cron.php") | quote }}'
+    cron_file: 'owncloud'
+  when: owncloud__variant == "nextcloud"
+
+- name: Setup cron service (owncloud)
+  ansible.builtin.cron:
+    name: 'ownCloud Background Jobs'
+    minute: '{{ owncloud__cron_minute }}'
+    user: '{{ owncloud__app_user }}'
+    job: 'test -x /usr/bin/php && test -e {{ (owncloud__deploy_path + "/occ") | quote }}
+          && /usr/bin/php {{ (owncloud__deploy_path + "/occ") | quote }} system:cron'
+    cron_file: 'owncloud'
+  when: owncloud__variant == "owncloud"
+
+# .. ]]]
+
+# ownCloud upgrades [[[
+
+- name: Disable the package manager hook script for ownCloud
+  ansible.builtin.file:
+    path: '/etc/apt/apt.conf.d/80owncloud-dpkg-hook'
+    state: 'absent'
+
+# .. ]]]
+
+# ownCloud integrity check [[[
+
+- name: Check ownCloud core integrity
+  ansible.builtin.command: '{{ owncloud__occ_bin_file_path | quote }} integrity:check-core'
+  register: owncloud__register_occ_integrity_check_core
+  failed_when: (owncloud__register_occ_integrity_check_core.rc != 0 or
+                owncloud__register_occ_integrity_check_core.stdout_lines | length != 0)
+  changed_when: False
+  when: owncloud__do_autosetup | bool
+
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/system_package_management.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/system_package_management.yml
new file mode 100644
index 00000000..417064e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/system_package_management.yml
@@ -0,0 +1,55 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure ownCloud APT repository
+  ansible.builtin.template:
+    src: 'etc/apt/sources.list.d/debops_owncloud.list.j2'
+    dest: '/etc/apt/sources.list.d/debops_owncloud.list'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: owncloud__register_apt_repository
+  when: (owncloud__variant in ["owncloud"])
+
+- name: Update APT repository cache
+  ansible.builtin.apt:  # noqa no-handler
+    update_cache: True
+  register: owncloud__register_apt_cache
+  until: owncloud__register_apt_cache is succeeded
+  when: owncloud__register_apt_repository is changed
+
+  ## Use filename when available (2.1.0) https://github.com/ansible/ansible-modules-core/pull/2696
+  ## To avoid multiple of those source files.
+  ## ypid: Does not help much. When the URL changes, the old source entry will
+  ## need to be made absent so stay with the current way.
+  ## Disabled because each repository URLs would need to be made absent
+  ## manually with using `apt_repository`. If that is solved, then go with
+  ## `apt_repository` again.
+# - name: Configure ownCloud APT repository
+#   ansible.builtin.apt_repository:
+#     repo: '{{ owncloud__apt_repo_source }}'
+#     state: 'present'
+#     update_cache: True
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", (owncloud__base_packages
+                              + owncloud__packages
+                              + owncloud__group_packages
+                              + owncloud__host_packages
+                              + owncloud__dependent_packages)) }}'
+    state: '{{ "absent"
+               if (owncloud__deploy_state in ["absent"])
+               else ("latest"
+                     if (ansible_local | d() and ansible_local.owncloud | d() and
+                         ((ansible_local.owncloud.release | d(owncloud__release) != owncloud__release) or
+                          (ansible_local.owncloud.auto_security_updates_enabled | d() | bool)))
+                     else "present") }}'
+  register: owncloud__register_apt_install
+  until: owncloud__register_apt_install is succeeded
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/tarball.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/tarball.yml
new file mode 100644
index 00000000..f2366d8e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/tarball.yml
@@ -0,0 +1,149 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create Nextcloud group
+  ansible.builtin.group:
+    name: '{{ owncloud__system_group }}'
+    state: 'present'
+    system: True
+  tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+- name: Create Nextcloud user
+  ansible.builtin.user:
+    name: '{{ owncloud__system_user }}'
+    group: '{{ owncloud__system_group }}'
+    home: '{{ owncloud__system_home }}'
+    comment: '{{ owncloud__comment }}'
+    shell: '{{ owncloud__shell }}'
+    system: True
+    state: 'present'
+  tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+- name: Create source directory
+  ansible.builtin.file:
+    path: '{{ owncloud__src }}'
+    state: 'directory'
+    owner: '{{ owncloud__system_user }}'
+    group: '{{ owncloud__system_group }}'
+    mode: '0755'
+
+- name: Create deployment directory
+  ansible.builtin.file:
+    path: '{{ owncloud__deploy_path }}'
+    state: 'directory'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: '{{ owncloud__deploy_path_mode }}'
+
+# Application download and validation [[[1
+
+- name: Download and validate the tarball
+  become: True
+  become_user: '{{ owncloud__system_user }}'
+  block:
+
+    # Get latest patch version for release [[[2
+
+    - name: Query for the full version string of the current release  # noqa command-instead-of-module
+      ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+                             curl -s -m 900 {{ (owncloud__variant_download_url_map[owncloud__variant] + "/") | quote }}
+             | sed --silent 's/.*href="nextcloud-\({{ owncloud__release | regex_escape() }}[^"]\+\).zip.asc".*/\1/p'
+             | sort --version-sort --reverse
+      args:
+        executable: 'bash'
+      register: owncloud__register_full_version
+      changed_when: False
+      check_mode: False
+      tags: [ 'role::nextcloud:verify' ]
+
+    # Nextcloud application archive download [[[2
+
+    - name: Create source directories
+      ansible.builtin.file:
+        path: '{{ owncloud__src + "/" + owncloud__variant + "/" + owncloud__register_full_version.stdout_lines[0] }}'
+        state: 'directory'
+        owner: '{{ owncloud__system_user }}'
+        group: '{{ owncloud__system_group }}'
+        mode: '0755'
+      tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+    - name: Download application files needed for verification
+      ansible.builtin.get_url:
+        url: '{{ owncloud__variant_download_url_map[owncloud__variant] + "/" +
+                 owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0] + "." + item }}'
+        dest: '{{ owncloud__src + "/" + owncloud__variant + "/" + owncloud__register_full_version.stdout_lines[0] }}'
+        mode: '0644'
+      with_items:
+        - 'zip.asc'
+        - 'zip.sha512'
+      register: owncloud__register_download_assurance
+      until: owncloud__register_download_assurance is succeeded
+      when: not ansible_check_mode
+      tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+    # Nextcloud application archive authenticity verification [[[2
+
+    - name: Read checksum from file
+      ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+                             cat {{ owncloud__src + "/" + owncloud__variant + "/"
+                    + owncloud__register_full_version.stdout_lines[0] + "/"
+                    + owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0]
+                    + ".zip.sha512" }} | grep '.zip$'
+      args:
+        executable: 'bash'
+      changed_when: False
+      register: owncloud__register_checksum
+      when: not ansible_check_mode  # Latest checksum file may not be available
+      tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+    - name: Download application archive
+      ansible.builtin.get_url:  # noqa no-handler
+        url: '{{ owncloud__variant_download_url_map[owncloud__variant] + "/" +
+                 owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0] + ".zip" }}'
+        dest: '{{ owncloud__src + "/" + owncloud__variant + "/" + owncloud__register_full_version.stdout_lines[0] }}'
+        checksum: 'sha512:{{ (owncloud__register_checksum.stdout_lines[0]).split(" ") | first }}'
+        mode: '0644'
+      register: owncloud__register_download_application
+      until: owncloud__register_download_application is succeeded
+      when: owncloud__register_download_assurance is changed
+      tags: [ 'role::nextcloud:download', 'role::nextcloud:verify' ]
+
+    - name: Verify OpenPGP signature
+      environment:
+        LC_MESSAGES: 'C'
+      ansible.builtin.shell: |
+          set -o nounset -o pipefail -o errexit
+          gpg --verify {{ owncloud__src + "/" + owncloud__variant + "/"
+                          + owncloud__register_full_version.stdout_lines[0] + "/"
+                          + owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0]
+                          + ".zip.asc" }} \
+                       {{ owncloud__src + "/" + owncloud__variant + "/"
+                          + owncloud__register_full_version.stdout_lines[0] + "/"
+                          + owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0]
+                          + ".zip" }} 2>&1 \
+            | sed --silent 's/^Primary key fingerprint: \(.*\)$/\1/p;'
+      args:
+        executable: 'bash'
+      changed_when: False
+      register: owncloud__register_verify_authenticity
+      failed_when: (owncloud__register_verify_authenticity.rc != 0 or
+                    (owncloud__register_verify_authenticity.stdout | replace(" ", ""))
+                    != (owncloud__upstream_key_fingerprint | replace(" ", "")))
+      tags: [ 'role::nextcloud:verify' ]
+
+- name: Unpack the application archive
+  ansible.builtin.unarchive:
+    remote_src: True
+    src: '{{ owncloud__src + "/" + owncloud__variant + "/" + owncloud__register_full_version.stdout_lines[0] + "/" +
+             owncloud__variant + "-" + owncloud__register_full_version.stdout_lines[0] + ".zip" }}'
+    dest: '{{ owncloud__deploy_path + "/.." }}'
+    owner: '{{ owncloud__app_user }}'
+    group: '{{ owncloud__app_group }}'
+    mode: 'u=rwX,g=rX,o=rX'
+    creates: '{{ owncloud__deploy_path + "/index.php" }}'
diff --git a/ansible_collections/debops/debops/roles/owncloud/tasks/theme.yml b/ansible_collections/debops/debops/roles/owncloud/tasks/theme.yml
new file mode 100644
index 00000000..34e4f7b9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/tasks/theme.yml
@@ -0,0 +1,105 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Combine theme copy dictionaries [[[
+- name: Combine theme copy dictionaries
+  ansible.builtin.set_fact:
+    owncloud__theme_copy_files_combined: '{{
+                owncloud__theme_copy_files
+      | combine(owncloud__theme_copy_files_host_group)
+      | combine(owncloud__theme_copy_files_host) }}'
+  tags: [ 'role::owncloud:theme:copy' ]
+# .. ]]]
+
+# Create [[[
+
+- name: Ensure the theme directory is present
+  ansible.builtin.file:
+    path: '{{ owncloud__deploy_path + "/themes/" + owncloud__theme_directory_name }}'
+    state: 'directory'
+    mode: '0755'
+  when: (owncloud__theme_directory_name | d())
+  tags:
+    - 'role::owncloud:theme:common_settings'
+
+- name: Apply common theming options using the defaults.php file
+  ansible.builtin.template:
+    src: 'srv/www/sites/themes/debops-template/defaults.php.j2'
+    dest: '{{ owncloud__deploy_path + "/themes/" + owncloud__theme_directory_name + "/defaults.php" }}'
+    owner: 'root'
+    ## ownCloud itself does not need to change this file and does not even allow to do so.
+    group: '{{ owncloud__app_group }}'
+    mode: '0640'
+    validate: 'php -f %s'
+  when: (owncloud__theme_directory_name | d())
+  tags: [ 'role::owncloud:theme:common_settings' ]
+
+- name: Ensure that parent directories exist
+  ansible.builtin.file:
+    path: '{{ (owncloud__deploy_path + "/themes/" + owncloud__theme_directory_name + "/" + item.key) | dirname }}'
+    state: 'directory'
+    owner: '{{ item.value.base_directory_owner | d(omit) }}'
+    group: '{{ item.value.base_directory_group | d(omit) }}'
+    mode:  '{{ item.value.base_directory_mode | d(omit) }}'
+  with_dict: '{{ owncloud__theme_copy_files_combined }}'
+  when: (owncloud__theme_directory_name | d() and item.value.state | d("present") == "present")
+  tags: [ 'role::owncloud:theme:copy' ]
+
+- name: Copy additional theme files
+  ansible.builtin.copy:
+    dest:           '{{ (owncloud__deploy_path + "/themes/" + owncloud__theme_directory_name + "/" + item.key)
+                        if (not item.key.startswith("/")) else item.key }}'
+    backup:         '{{ item.value.backup | d(omit) }}'
+    content:        '{{ item.value.content | d(omit) }}'
+    directory_mode: '{{ item.value.directory_mode | d(omit) }}'
+    follow:         '{{ item.value.follow | d(omit) }}'
+    force:          '{{ item.value.force | d(omit) }}'
+    owner:          '{{ item.value.owner | d(omit) }}'
+    group:          '{{ item.value.group | d(omit) }}'
+    mode:           '{{ item.value.mode | d(omit) }}'
+    selevel:        '{{ item.value.selevel | d(omit) }}'
+    serole:         '{{ item.value.serole | d(omit) }}'
+    setype:         '{{ item.value.setype | d(omit) }}'
+    seuser:         '{{ item.value.seuser | d(omit) }}'
+    src:            '{{ item.value.src | d(omit) }}'
+    validate:       '{{ item.value.validate | d(omit) }}'
+  with_dict: '{{ owncloud__theme_copy_files_combined }}'
+  when: (owncloud__theme_directory_name | d() and item.value.state | d("present") == "present")
+  tags: [ 'role::owncloud:theme:copy' ]
+
+- name: Activate custom theme
+  ansible.builtin.template:
+    src: 'srv/www/sites/config/theme.config.php.j2'
+    dest: '{{ owncloud__deploy_path }}/config/theme.config.php'
+    owner: 'root'
+    group: '{{ owncloud__app_group }}'
+    mode: '0640'
+  when: (owncloud__theme_active | d())
+  tags: [ 'role::owncloud:theme:activate' ]
+
+# .. ]]]
+
+# Teardown [[[
+
+- name: Deactivate custom theme
+  ansible.builtin.file:
+    path: '{{ owncloud__deploy_path }}/config/theme.config.php'
+    state: 'absent'
+  when: (not owncloud__theme_active | d())
+  tags: [ 'role::owncloud:theme:activate' ]
+
+- name: Delete additional theme files
+  ansible.builtin.file:
+    path: '{{ owncloud__deploy_path + "/themes/" + owncloud__theme_directory_name + "/" + item.key }}'
+    state: 'absent'
+  when: (owncloud__theme_directory_name | d() and item.value.state | d("present") == "absent")
+  with_dict: '{{ owncloud__theme_copy_files_combined }}'
+  tags: [ 'role::owncloud:theme:copy' ]
+
+# .. ]]]
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/etc/ansible/facts.d/owncloud.fact.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/etc/ansible/facts.d/owncloud.fact.j2
new file mode 100644
index 00000000..a235e029
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/etc/ansible/facts.d/owncloud.fact.j2
@@ -0,0 +1,52 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+import os
+from json import loads, dumps
+import subprocess
+
+output = loads('''{{ ({
+    "enabled": (owncloud__deploy_state == "present"),
+    "webserver": owncloud__webserver | string,
+    "variant": owncloud__variant | string,
+    "ldap_config_id": (owncloud__register_ldap_config_id.stdout
+                       if (owncloud__register_ldap_config_id | d() and
+                           owncloud__register_ldap_config_id.stdout | d())
+                       else owncloud__ldap_config_id),
+    }) | to_nice_json }}''')
+
+owncloud_deploy_path = loads('''{{ owncloud__deploy_path | to_json }}''')
+
+if os.path.isfile(owncloud_deploy_path + '/config/config.php'):
+    try:
+        config_cmd = subprocess.Popen(
+            ['php', '-r', 'include "' + owncloud_deploy_path
+             + '/config/config.php"; echo json_encode($CONFIG);'],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        )
+    except Exception:
+        pass
+    else:
+        std_out, std_err = config_cmd.communicate()
+
+        if config_cmd.returncode == 0 and len(std_err) == 0:
+            config = loads(std_out)
+            for key in ['instanceid', 'version', 'updatechecker', 'theme',
+                        'maintenance', 'datadirectory', 'trusted_domains']:
+                if key in config:
+                    output[key] = config[key]
+
+if 'version' in output:
+    output['release'] = '.'.join(output['version'].split('.')[:2])
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/etc/apt/sources.list.d/debops_owncloud.list.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/etc/apt/sources.list.d/debops_owncloud.list.j2
new file mode 100644
index 00000000..0f621fc3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/etc/apt/sources.list.d/debops_owncloud.list.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ owncloud__apt_repo_source }}
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/etc/php/cli/conf.d/enable_apc.ini.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/etc/php/cli/conf.d/enable_apc.ini.j2
new file mode 100644
index 00000000..940d292e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/etc/php/cli/conf.d/enable_apc.ini.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+; {{ ansible_managed }}
+; Set by debops.owncloud role
+
+apc.enable_cli = 1
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/debops.config.php.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/debops.config.php.j2
new file mode 100644
index 00000000..f573e51c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/debops.config.php.j2
@@ -0,0 +1,34 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+#}
+<?php
+/* {{ ansible_managed }} */
+
+{% macro get_value(item) %}{# [[[ #}
+{% set filtered_item = item | to_yaml | from_yaml %}{# Copy dict #}
+{% if item is mapping %}
+{%   for k, v in item.items() if v == omit %}
+{%     set _ = filtered_item.pop(k, None) %}
+{%   endfor %}
+{% endif %}
+{{ filtered_item | to_yaml }}
+{% endmacro %}{# ]]]
+#}
+{% set owncloud__tpl_active_config_dict = {} %}
+{% for config_key, config_item in owncloud__combined_config.items() %}
+{%   if config_item is mapping and "state" in config_item and config_item.state and "value" in config_item %}
+{%     if config_item.state == "present" and config_item.value %}
+{%       set _ = owncloud__tpl_active_config_dict.update({config_key: (get_value(config_item.value) | from_yaml) }) %}
+{%     endif %}
+{%   elif config_item != omit %}
+{#     Assume it is not a control structure for Ansible but the raw value for ownCloud #}
+{%     set _ = owncloud__tpl_active_config_dict.update({config_key: config_item}) %}
+{%   endif %}
+{% endfor %}
+$CONFIG = json_decode('{{ owncloud__tpl_active_config_dict | to_nice_json }}', true);
+?>
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/mail.config.php.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/mail.config.php.j2
new file mode 100644
index 00000000..d67ef953
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/mail.config.php.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/* {{ ansible_managed }} */
+{#
+Copyright 2015 by Steffen Lindner <mail@steffen-lindner.de>
+SPDX-License-Identifier: GPL-3.0-only
+#}
+
+$CONFIG = json_decode('{{ owncloud__mail_conf_map | to_nice_json }}', true);
+?>
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/theme.config.php.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/theme.config.php.j2
new file mode 100644
index 00000000..5d2cb56f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/config/theme.config.php.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+ # Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/* {{ ansible_managed }} */
+
+$CONFIG = json_decode('{{ owncloud__theme_conf_map | to_nice_json }}', true);
+?>
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/themes/debops-template/defaults.php.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/themes/debops-template/defaults.php.j2
new file mode 100644
index 00000000..bf9939de
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/srv/www/sites/themes/debops-template/defaults.php.j2
@@ -0,0 +1,202 @@
+{#
+The current upstream version can be found here: https://github.com/owncloud/core/blob/master/themes/example/defaults.php
+Raw: https://raw.githubusercontent.com/owncloud/core/master/themes/example/defaults.php
+
+* Escape quotes to prevent PHP code injection via variables?
+  No, to allow more flexibility for users of the role. Injecting PHP code can
+  be useful.
+#}
+<?php
+/**
+ * {{ ansible_managed }}
+ *
+ * @author Björn Schießle <schiessle@owncloud.com>
+ * @author Jan-Christoph Borchardt, http://jancborchardt.net
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0-only
+ * SPDX-License-Identifier: AGPL-3.0-only
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ */
+
+class OC_Theme {
+
+  /**
+   * Returns the base URL
+   * @return string URL
+   */
+{% if owncloud__theme_base_url != '' %}
+  public function getBaseUrl() {
+    return '{{ owncloud__theme_base_url }}';
+  }
+{% else %}
+  /* Not otherwise defined. Falling back to ownCloud default value. */
+{% endif %}
+
+  /**
+   * Returns the URL where the sync clients are listed
+   * @return string URL
+   */
+  public function getSyncClientUrl() {
+    return 'https://owncloud.org/install';
+  }
+
+  /**
+   * Returns the URL to the App Store for the iOS Client
+   * @return string URL
+   */
+  public function getiOSClientUrl() {
+    return 'https://itunes.apple.com/us/app/owncloud/id543672169?mt=8';
+  }
+
+  /**
+   * Returns the AppId for the App Store for the iOS Client
+   * @return string AppId
+   */
+  public function getiTunesAppId() {
+    return '543672169';
+  }
+
+  /**
+   * Returns the URL to Google Play for the Android Client
+   * @return string URL
+   */
+  public function getAndroidClientUrl() {
+    return 'https://play.google.com/store/apps/details?id=com.owncloud.android';
+  }
+
+{#
+Fallback not possible as of 9.0.2.
+#}
+  /**
+   * Returns the documentation URL
+   * @return string URL
+   */
+  public function getDocBaseUrl() {
+    return 'https://doc.owncloud.org';
+  }
+
+  /**
+   * Returns the title
+   * @return string title
+   */
+  public function getTitle() {
+    return '{{ owncloud__theme_title }}';
+  }
+
+  /**
+   * Returns the short name of the software
+   * @return string title
+   */
+  public function getName() {
+    return '{{ owncloud__theme_name }}';
+  }
+
+  /**
+   * Returns the short name of the software containing HTML strings
+   * @return string title
+   */
+  public function getHTMLName() {
+    return '{{ owncloud__theme_name_html }}';
+  }
+
+  /**
+   * Returns entity (e.g. company name) - used for footer, copyright
+   * @return string entity name
+   */
+  public function getEntity() {
+    return '{{ owncloud__theme_entity_name }}';
+  }
+
+  /**
+   * Returns slogan
+   * @return string slogan
+   */
+{% if owncloud__theme_slogan != '' %}
+  public function getSlogan() {
+    return '{{ owncloud__theme_slogan }}';
+  }
+{% else %}
+  /* Not otherwise defined. Falling back to ownCloud default value. */
+{% endif %}
+
+{#
+
+# .. envvar:: owncloud__theme_logo_claim
+#
+# The logo claim can be used to add a hidden claim about the logo.
+# This feature seems to be rarely used and it is not sure if that is the intention behind this variable.
+# Checkout `this comment about
+# <https://github.com/owncloud/core/issues/5676#issuecomment-27649493>`_ for a
+# for discussion.
+#
+# https://github.com/owncloud/core/issues/5676#issuecomment-228990394
+# > The use is simply for the ownCloud Enterprise Edition to display »Enterprise
+# > Edition« next to the logo/appname in the header when logged in. It’s used for
+# > nothing else. I would strongly advise against ever using it because it will
+# > just distract and clutter up the header (won’t work on mobile anyway).
+owncloud__theme_logo_claim: ''
+
+#}
+  /**
+   * Returns logo claim
+   * @return string logo claim
+   */
+{% if owncloud__theme_logo_claim | d('') != '' %}
+  public function getLogoClaim() {
+    return '{{ owncloud__theme_logo_claim }}';
+  }
+{% else %}
+  /* Not otherwise defined. Falling back to ownCloud default value. */
+{% endif %}
+
+{#
+Fallback not possible as of 9.0.1.
+#}
+  /**
+   * Returns short version of the footer
+   * @return string short footer
+   */
+  public function getShortFooter() {
+    $footer = {{ owncloud__theme_footer_short }};
+
+    return $footer;
+  }
+
+{#
+Fallback not possible as of 9.0.1.
+#}
+  /**
+   * Returns long version of the footer
+   * @return string long footer
+   */
+  public function getLongFooter() {
+    $footer = {{ owncloud__theme_footer_long }};
+
+    return $footer;
+  }
+
+  public function buildDocLinkToKey($key) {
+    return {{ owncloud__theme_doc_link_to_key }};
+  }
+
+
+  /**
+   * Returns mail header color
+   * @return string
+   */
+  public function getMailHeaderColor() {
+    return '#745bca';
+  }
+
+}
diff --git a/ansible_collections/debops/debops/roles/owncloud/templates/usr/local/bin/occ.j2 b/ansible_collections/debops/debops/roles/owncloud/templates/usr/local/bin/occ.j2
new file mode 100644
index 00000000..4e7345e9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/owncloud/templates/usr/local/bin/occ.j2
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015      Hartmut Goebel <h.goebel@crazy-compilers.com>
+# Copyright (C) 2015-2019 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Shortcut for running ownClouds `occ` command when not logged in as {{ owncloud__app_user }} user and sudo allows it.
+# https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html
+
+# {{ ansible_managed }}
+
+set -o nounset -o pipefail -o errexit
+
+# Environment variable `OC_PASS` is striped normally by `sudo`.
+# `--preserve-env` would preserve all environment variables.
+# This should be OK for this command.
+# It seems to be impossible to set "env_keep" via the command line?
+# Other possibility would be to configure it properly via Defaults!{{ owncloud__app_home }}/occ env_keep=OC_PASS
+
+
+# The occ command should be invoked with PWD set to `owncloud__app_home` to avoid occ not finding it’s DB spec:
+# https://github.com/owncloud/core/issues/17583
+# It is fixed in 8.2 but lets call `occ` like the documentation suggests it:
+# https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/occ_command.html?highlight=occ#using-the-occ-command
+cd '{{ owncloud__app_home }}' || exit 1
+
+# Long command line options seem to be not supported as of 1.8.3 in Ubuntu precise.
+# sudo --preserve-env --user '{{ owncloud__app_user }}' php --file '{{ owncloud__app_home }}/occ' "$@"
+# {#
+# Example cron entry:
+# - name: 'owncloud-some-job'
+#   cron_file: 'owncloud-something'
+#   minute: 23
+#   hour: 05
+#   job: 'USER={{ owncloud__app_user | quote }} {{ some_script | quote }}'
+#   user: '{{ owncloud__app_user }}'
+#
+#}
+
+if [ "$USER" == '{{ owncloud__app_user }}' ]
+then
+    php --file '{{ owncloud__app_home }}/occ' "$@"
+else
+    sudo -E -u '{{ owncloud__app_user }}' php --file '{{ owncloud__app_home }}/occ' "$@"
+fi
diff --git a/ansible_collections/debops/debops/roles/pam_access/COPYRIGHT b/ansible_collections/debops/debops/roles/pam_access/COPYRIGHT
new file mode 100644
index 00000000..b1d78119
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.pam_access - Manage pam_access(8) ACL rules using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/pam_access/defaults/main.yml b/ansible_collections/debops/debops/roles/pam_access/defaults/main.yml
new file mode 100644
index 00000000..f446a2af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/defaults/main.yml
@@ -0,0 +1,84 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _pam_access__ref_defaults:
+
+# debops.pam_access default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: pam_access__enabled [[[
+#
+# Enable or disable support for PAM Access Control files management.
+pam_access__enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Access Control configuration [[[
+# --------------------------------
+
+# These variables define the contents of PAM Access Control files, located in
+# the :file:`/etc/security/` directory. See :ref:`pam_access__ref_rules` for
+# more details.
+
+# .. envvar:: pam_access__default_rules [[[
+#
+# List of PAM Access Control rules defined by the role.
+pam_access__default_rules:
+
+  - name: 'global'
+    filename: 'access.conf'
+    divert: True
+    state: 'init'
+    options: []
+
+                                                                   # ]]]
+# .. envvar:: pam_access__rules [[[
+#
+# List of PAM Access Control rules defined on all hosts in the Ansible
+# inventory.
+pam_access__rules: []
+
+                                                                   # ]]]
+# .. envvar:: pam_access__group_rules [[[
+#
+# List of PAM Access Control rules defined on hosts in a specific Ansible
+# inventory group.
+pam_access__group_rules: []
+
+                                                                   # ]]]
+# .. envvar:: pam_access__host_rules [[[
+#
+# List of PAM Access Control rules defined on specific hosts in the Ansible
+# inventory.
+pam_access__host_rules: []
+
+                                                                   # ]]]
+# .. envvar:: pam_access__dependent_rules [[[
+#
+# List of the PAM Access Control rules defined via dependent role variables.
+pam_access__dependent_rules: []
+
+                                                                   # ]]]
+# .. envvar:: pam_access__combined_rules [[[
+#
+# The variable that combines all other PAM Access Control rules variables and
+# is used in the role tasks and templates.
+pam_access__combined_rules: '{{ q("flattened", (pam_access__default_rules
+                                                + pam_access__dependent_rules
+                                                + pam_access__rules
+                                                + pam_access__group_rules
+                                                + pam_access__host_rules)) }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/pam_access/meta/main.yml b/ansible_collections/debops/debops/roles/pam_access/meta/main.yml
new file mode 100644
index 00000000..e9ff0a91
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski'
+  description: 'Manage pam_access(8) ACL rules'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - pam
+    - acl
+    - security
diff --git a/ansible_collections/debops/debops/roles/pam_access/tasks/main.yml b/ansible_collections/debops/debops/roles/pam_access/tasks/main.yml
new file mode 100644
index 00000000..f3dcefd8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Add/remove diversion of PAM access control files
+  vars:
+    pam_access__var_access_conf: '{{ "/etc/security/"
+                                     + item.filename | d("access-" + (item.name | regex_replace("\.conf$", "")) + ".conf") }}'
+  debops.debops.dpkg_divert:
+    path: '{{ pam_access__var_access_conf }}'
+    state: '{{ item.state | d("present") }}'
+    delete: True
+  loop: '{{ pam_access__combined_rules | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"access_conf": pam_access__var_access_conf, "state": item.state | d("present")} }}'
+  when: (pam_access__enabled | bool and item.name | d() and
+         item.divert | d(False) | bool and
+         item.state | d('present') in ['present', 'absent'])
+
+- name: Generate PAM access control files
+  vars:
+    pam_access__var_access_conf: '{{ "/etc/security/"
+                                     + item.filename | d("access-" + (item.name | regex_replace("\.conf$", "")) + ".conf") }}'
+  ansible.builtin.template:
+    src: 'etc/security/access.conf.j2'
+    dest: '/etc/security/{{ item.filename | d("access-" + (item.name | regex_replace("\.conf$", "")) + ".conf") }}'
+    mode: '0644'
+  loop: '{{ pam_access__combined_rules | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"access_conf": pam_access__var_access_conf, "state": item.state | d("present")} }}'
+  when: pam_access__enabled | bool and item.name | d() and item.options | d() and
+        item.state | d('present') not in ['absent', 'init', 'ignore']
+
+- name: Remove PAM access control files
+  vars:
+    pam_access__var_access_conf: '{{ "/etc/security/"
+                                     + item.filename | d("access-" + (item.name | regex_replace("\.conf$", "")) + ".conf") }}'
+  ansible.builtin.file:
+    path: '/etc/security/{{ item.filename | d("access-" + (item.name | regex_replace("\.conf$", "")) + ".conf") }}'
+    state: 'absent'
+  loop: '{{ pam_access__combined_rules | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"access_conf": pam_access__var_access_conf, "state": item.state | d("present")} }}'
+  when: pam_access__enabled | bool and item.name | d() and
+        not item.divert | d(False) | bool and
+        item.state | d('present') == 'absent'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save pam_access local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/pam_access.fact.j2'
+    dest: '/etc/ansible/facts.d/pam_access.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/pam_access/templates/etc/ansible/facts.d/pam_access.fact.j2 b/ansible_collections/debops/debops/roles/pam_access/templates/etc/ansible/facts.d/pam_access.fact.j2
new file mode 100644
index 00000000..35a4067e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/templates/etc/ansible/facts.d/pam_access.fact.j2
@@ -0,0 +1,27 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+output = loads('''{{ {"configured": True,
+                      "enabled": pam_access__enabled | bool
+                     } | to_nice_json }}''')
+
+access_rules = []
+
+for filename in os.listdir('/etc/security'):
+    if (filename.startswith('access-') and filename.endswith('.conf')):
+        access_rules.append(filename[7:-5])
+
+output['rules'] = access_rules
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/pam_access/templates/etc/security/access.conf.j2 b/ansible_collections/debops/debops/roles/pam_access/templates/etc/security/access.conf.j2
new file mode 100644
index 00000000..4402bb0e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pam_access/templates/etc/security/access.conf.j2
@@ -0,0 +1,49 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set fieldsep = item.fieldsep | d(':') %}
+{% set listsep =  item.listsep  | d(' ') %}
+{% for element in item.options %}
+{%   if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if element.permission | lower in [ 'allow', '+', 'accept' ] %}
+{%       set element_permission = '+' %}
+{%     elif element.permission | lower in [ 'deny', '-', 'decline' ] %}
+{%       set element_permission = '-' %}
+{%     endif %}
+{%     set element_users = [] %}
+{%     if element.users_except | d() or element.groups_except | d() %}
+{%       set _ = element_users.append('ALL EXCEPT') %}
+{%     endif %}
+{%     if element.groups_except | d() %}
+{%       set _ = element_users.extend(([ element.groups_except ] if (element.groups_except is string) else element.groups_except) | map("regex_replace", "(.+)$", "(\\1)") | list) %}
+{%     elif element.groups | d() %}
+{%       set _ = element_users.extend(([ element.groups ] if (element.groups is string) else element.groups) | map("regex_replace", "^(.+)$", "(\\1)") | list) %}
+{%     endif %}
+{%     if element.users_except | d() %}
+{%       set _ = element_users.extend([ element.users_except ] if (element.users_except is string) else element.users_except) %}
+{%     elif element.users | d() %}
+{%       set _ = element_users.extend([ element.users ] if (element.users is string) else element.users) %}
+{%     endif %}
+{%     if element.origins_except | d() %}
+{%       set element_origins = ([ 'ALL EXCEPT' ] + ([ element.origins_except ] if (element.origins_except is string) else element.origins_except)) %}
+{%     elif element.origins | d() %}
+{%       set element_origins = ([ element.origins ] if (element.origins is string) else element.origins) %}
+{%     endif %}
+{%     set element_comment = ('#' if (element.state | d('present') == 'comment') else '') %}
+{%     if element_origins | d() %}
+{%       if element.separator | bool and not element.comment | d() and not loop.first %}
+
+{%       endif %}
+{%       if element.comment | d() %}
+{%         if not loop.first %}
+
+{%         endif %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%       endif %}
+{{ '{}{}{}{}{}{}'.format(element_comment, element_permission, fieldsep, element_users | join(listsep), fieldsep, element_origins | join(listsep)) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/pdns/COPYRIGHT b/ansible_collections/debops/debops/roles/pdns/COPYRIGHT
new file mode 100644
index 00000000..d04a955b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.pdns - Manage PowerDNS authoritative server
+
+Copyright (C) 2020 CipherMail B.V. https://www.ciphermail.com/
+Copyright (C) 2021 Imre Jonk <imre@imrejonk.nl>
+Copyright (C) 2020-2021 DebOps https://debops.org/
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/pdns/defaults/main.yml b/ansible_collections/debops/debops/roles/pdns/defaults/main.yml
new file mode 100644
index 00000000..f6dd29aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/defaults/main.yml
@@ -0,0 +1,504 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2021 Imre Jonk <imre@imrejonk.nl>
+# .. Copyright (C) 2020-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _pdns__ref_defaults:
+
+# debops.pdns default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: pdns__base_packages [[[
+#
+# List of default packages to install for PowerDNS Authoritative Server
+# support.
+pdns__base_packages: '{{ ["pdns-server"]
+                         + (["pdns-backend-pgsql"]
+                            if "gpgsql" in pdns__backends
+                            else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__packages [[[
+#
+# List of additional packages to install with PowerDNS Authoritative Server.
+pdns__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Basic settings [[[
+# ------------------
+
+# .. envvar:: pdns__allow [[[
+#
+# List of addresses/subnets that can access the pdns service.
+pdns__allow: [ '0.0.0.0/0', '::/0' ]
+
+                                                                   # ]]]
+# .. envvar:: pdns__local_address [[[
+#
+# Local IPv4 and IPv6 addresses to bind to. By default bind only to external IP
+# addresses to avoid conflict with the :command:`systemd-resolved` service
+# listening on 127.0.0.53:53.
+pdns__local_address: '{{ (ansible_all_ipv4_addresses
+                          + ansible_all_ipv6_addresses)
+                         | difference(ansible_all_ipv6_addresses | d([])
+                                      | ansible.utils.ipaddr("link-local")) }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__local_port [[[
+#
+# Local port (TCP and UDP) to bind to.
+pdns__local_port: '53'
+
+                                                                   # ]]]
+# .. envvar:: pdns__primary [[[
+#
+# Whether to enable primary operation. Enabling this will instruct pdns to send
+# (optionally TSIG-signed) notifications of changes to secondaries, which can
+# then initiate zone transfers. Notifications are only sent for domains with
+# type MASTER in your backend.
+# See also https://doc.powerdns.com/authoritative/modes-of-operation.html#primary-operation
+pdns__primary: False
+
+                                                                   # ]]]
+# .. envvar:: pdns__secondary [[[
+#
+# Whether to enable secondary operation. Enabling this will instruct pdns to
+# periodically check for zone changes at the primary nameservers, and update
+# the local zones accordingly. These checks happen every 'refresh' seconds (as
+# specified by the SOA record) and are only performed for domains with type
+# SLAVE in your backend.
+# See also https://doc.powerdns.com/authoritative/modes-of-operation.html#secondary-operation
+pdns__secondary: False
+
+                                                                   # ]]]
+# .. envvar:: pdns__autosecondary [[[
+#
+# Whether to enable autosecondary support. Enabling this will instruct pdns to
+# automatically provision domains that it receives notifications for, if the
+# notifications come from an IP address listed in the 'supermasters' table in
+# your backend database. pdns will then act as a secondary for those domains.
+# See also https://doc.powerdns.com/authoritative/modes-of-operation.html#autoprimary-operation
+pdns__autosecondary: False
+
+                                                                   # ]]]
+# .. envvar:: pdns__resolver [[[
+#
+# Recursive DNS server to use for ALIAS lookups and the internal stub resolver.
+# Only one address can be given. A port may be specified after a colon; with
+# IPv6, the address must in that case be enclosed in square brackets.
+pdns__resolver: '{{ ansible_local.resolvconf.nameservers[0]
+                     | d(ansible_dns.nameservers[0]) }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__backends [[[
+#
+# The backends to enable. These can be used for storing DNS records and
+# metadata and will be added to the 'launch' setting. Each backend can be
+# configured separately.
+# See https://doc.powerdns.com/authoritative/backends/index.html
+pdns__backends: [ 'gpgsql' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Built-in webserver and HTTP API [[[
+# -----------------------------------
+
+# .. envvar:: pdns__api [[[
+#
+# Enable/Disable the built-in webserver and HTTP API. For details, see:
+# https://doc.powerdns.com/authoritative/http-api/index.html#enabling-the-api
+pdns__api: '{{ True
+               if "debops_service_pdns_nginx" in group_names
+               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__api_key [[[
+#
+# Static pre-shared authentication key for access to the HTTP API.
+pdns__api_key: '{{ lookup("password", secret + "/pdns/" + ansible_fqdn
+                          + "/api_key chars=ascii_letters,digits length=22")
+                   if pdns__api
+                   else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__metrics [[[
+#
+# Enable/Disable the built-in webserver and metrics endpoint. For details, see:
+# https://doc.powerdns.com/authoritative/http-api/index.html#metrics-endpoint
+pdns__metrics: '{{ pdns__api }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__http_port [[[
+#
+# TCP port which the built-in webserver will bind to. This is different from
+# the default port 8081 because that port is already assigned in the Debian
+# /etc/services file for the tproxy "Transparent Proxy" service.
+pdns__http_port: '16836'
+
+                                                                   # ]]]
+# .. envvar:: pdns__nginx_fqdn [[[
+#
+# The fully qualified domain name used to set up the NGINX webserver for
+# proxying requests to the pdns built-in webserver and HTTP API.
+pdns__nginx_fqdn: 'powerdns.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__nginx_allow [[[
+#
+# List of IP addresses and/or subnets that NGINX allows access to the pdns
+# webserver and HTTP API. An empty list denies all. Note: this does not
+# influence the pdns built-in webserver ACL. For that, see the
+# '`webserver-allow-from`__' setting.
+#
+# .. __: https://doc.powerdns.com/authoritative/settings.html#webserver-allow-from
+pdns__nginx_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Dynamic DNS Update (RFC 2136) [[[
+# ---------------------------------
+
+# pdns has support for updating zone contents using the DNS UPDATE mechanism
+# specified in :rfc:`2136`.
+
+# .. envvar:: pdns__dnsupdate [[[
+#
+# Whether to enable DNS UPDATE processing. Not all backends support this.
+# See https://doc.powerdns.com/authoritative/dnsupdate.html
+pdns__dnsupdate: True
+
+                                                                   # ]]]
+# .. envvar:: pdns__allow_dnsupdate_from [[[
+#
+# List of IP ranges that are allowed to perform DNS updates on all domains
+# **without any authentication**. An empty list denies all. Note that this
+# setting can be applied on a per-domain basis using the ALLOW-DNSUPDATE-FROM
+# domain metadata. You are encouraged to specify fine-grained DNS UPDATE access
+# controls using the ALLOW-DNSUPDATE-FROM and optionally TSIG-ALLOW-DNSUPDATE
+# domain metadata.
+# See https://doc.powerdns.com/authoritative/dnsupdate.html#per-zone-settings
+pdns__allow_dnsupdate_from: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PostgreSQL database configuration [[[
+# -------------------------------------
+
+# The PostgreSQL database will only be configured if :envvar:`pdns__backends`
+# contains 'gpgsql'. Upstream documentation on this backend is available here:
+# https://doc.powerdns.com/authoritative/backends/generic-postgresql.html
+
+# .. envvar:: pdns__postgresql_delegate_to [[[
+#
+# The host that Ansible should configure the PostgreSQL database on.
+pdns__postgresql_delegate_to: '{{ ansible_local.postgresql.delegate_to
+                                   | d(ansible_fqdn) }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_server [[[
+#
+# The host that should be configured in pdns as the PostgreSQL server.
+pdns__postgresql_server: '{{ ansible_local.postgresql.server | d("localhost") }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_port [[[
+#
+# The TCP port of the PostgreSQL server.
+pdns__postgresql_port: '{{ ansible_local.postgresql.port | d("5432") }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_database [[[
+#
+# The PostgreSQL database name.
+pdns__postgresql_database: 'pdns'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_role [[[
+#
+# The role used to authenticate to the PostgreSQL database.
+pdns__postgresql_role: 'pdns'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_password [[[
+#
+# The password used to authenticate to the PostgreSQL database.
+pdns__postgresql_password: '{{ lookup("password", secret + "/postgresql/"
+                                      + pdns__postgresql_delegate_to + "/"
+                                      + pdns__postgresql_port + "/credentials/"
+                                      + pdns__postgresql_role
+                                      + "/password chars=ascii_letters,digits "
+                                      + "length=22")
+                               if "gpgsql" in pdns__backends
+                               else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_schema [[[
+#
+# Filesystem path to the initial PostgreSQL database schema.
+pdns__postgresql_schema: '/usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql_dnssec [[[
+#
+# Whether to enable DNSSEC processing for the PostgreSQL backend.
+# Note that you still need to enable DNSSEC on a per-domain basis.
+# See https://doc.powerdns.com/authoritative/dnssec/index.html
+pdns__postgresql_dnssec: True
+                                                                   # ]]]
+                                                                   # ]]]
+# pdns.conf templating [[[
+# ------------------------
+
+# .. envvar:: pdns__original_configuration [[[
+#
+# The original ``/etc/powerdns/pdns.conf`` configuration as supplied by the
+# 'pdns-server' Debian package.
+pdns__original_configuration:
+
+  - name: 'include-dir'
+    comment: 'Directory to scan for additional config files.'
+    value: '/etc/powerdns/pdns.d'
+
+  - name: 'launch'
+    comment: 'Which backends to launch and order to query them in.'
+    value: ''
+
+  - name: 'security-poll-suffix'
+    comment: 'Zone name from which to query security update notifications.'
+    value: ''
+
+  - name: 'setgid'
+    comment: |-
+      Run as an unprivileged group instead of root. Explicitly configuring this
+      is no longer necessary since pdns 4.3.0.
+    value: 'pdns'
+    state: '{{ "present"
+               if ansible_local.pdns.version is version("4.3.0", "<")
+               else "absent" }}'
+
+  - name: 'setuid'
+    comment: |-
+      Run as an unprivileged user instead of root. Explicitly configuring this
+      is no longer necessary since pdns 4.3.0.
+    value: 'pdns'
+    state: '{{ "present"
+               if ansible_local.pdns.version is version("4.3.0", "<")
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__default_configuration [[[
+#
+# The default ``/etc/powerdns/pdns.conf`` configuration provided by this role.
+pdns__default_configuration:
+
+  - name: 'local-address'
+    comment: |-
+      Local IP addresses to which we bind. Accepts IPv6 addresses since pdns
+      4.3.0.
+    value: '{{ (pdns__local_address if ansible_local.pdns.version is version("4.3.0", ">=")
+                else (pdns__local_address | ansible.utils.ipv4)) | join(",") }}'
+
+  - name: 'local-ipv6'
+    comment: |-
+      Local IPv6 addresses to which we bind. Will be deprecated in pdns 4.3.0
+      and removed in pdns 4.5.0.
+    value: '{{ pdns__local_address | ansible.utils.ipv6 | join(",") }}'
+    state: '{{ "present"
+               if ansible_local.pdns.version is version("4.3.0", "<")
+               else "absent" }}'
+
+  - name: 'local-port'
+    comment: 'Local TCP and UDP port to bind to.'
+    value: '{{ pdns__local_port }}'
+
+  - name: 'resolver'
+    comment: |-
+      Recursive DNS server to use for ALIAS lookups and the internal stub
+      resolver. Only one address can be given.
+    value: '{{ pdns__resolver }}'
+
+  - name: '{{ "primary"
+              if ansible_local.pdns.version is version("4.5.0", ">=")
+              else "master" }}'
+    comment: |-
+      Turn on primary operation. Note: the name of this setting was changed
+      with the release of pdns 4.5.0.
+    value: True
+    state: '{{ "present" if pdns__primary else "absent" }}'
+
+  - name: '{{ "secondary"
+              if ansible_local.pdns.version is version("4.5.0", ">=")
+              else "slave" }}'
+    comment: |-
+      Turn on secondary operation. Note: the name of this setting was changed
+      with the release of pdns 4.5.0.
+    value: True
+    state: '{{ "present" if pdns__secondary else "absent" }}'
+
+  - name: '{{ "autosecondary"
+              if ansible_local.pdns.version is version("4.5.0", ">=")
+              else "superslave"
+                   if ansible_local.pdns.version is version("4.2.0", ">=")
+                   else "supermaster" }}'
+    comment: |-
+      Turn on autosecondary operation. Note: the name of this setting was
+      changed with the release of pdns 4.2.0, and once more with the release of
+      pdns 4.5.0.
+    value: True
+    state: '{{ "present" if pdns__autosecondary else "absent" }}'
+
+  - name: 'api'
+    comment: 'Enable/Disable the built-in webserver and HTTP API.'
+    value: True
+    state: '{{ "present" if pdns__api else "absent" }}'
+
+  - name: 'api-key'
+    comment: 'Static pre-shared authentication key for access to the REST API.'
+    value: '{{ pdns__api_key }}'
+    state: '{{ "present" if pdns__api else "absent" }}'
+
+  - name: 'dnsupdate'
+    comment: 'Enable/Disable DNS update (RFC2136) support.'
+    value: True
+    state: '{{ "present" if pdns__dnsupdate else "absent" }}'
+
+  - name: 'allow-dnsupdate-from'
+    comment: 'Allow DNS updates from these IP ranges.'
+    value: '{{ pdns__allow_dnsupdate_from | join(",") }}'
+    state: '{{ "present" if pdns__dnsupdate else "absent" }}'
+
+  - name: 'launch'
+    comment: 'Which backends to launch and order to query them in.'
+    value: '{{ pdns__backends | join(",") }}'
+
+  - name: 'gpgsql-host'
+    comment: 'The PostgreSQL backend host.'
+    value: '{{ pdns__postgresql_server }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'gpgsql-port'
+    comment: 'The PostgreSQL backend port.'
+    value: '{{ pdns__postgresql_port }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'gpgsql-dbname'
+    comment: 'The PostgreSQL backend database name.'
+    value: '{{ pdns__postgresql_database }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'gpgsql-user'
+    comment: 'The username to authenticate to the PostgreSQL backend with.'
+    value: '{{ pdns__postgresql_role }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'gpgsql-password'
+    comment: 'The password to authenticate to the PostgreSQL backend with.'
+    value: '{{ pdns__postgresql_password }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'gpgsql-dnssec'
+    comment: 'Whether to enable DNSSEC processing for the PostgreSQL backend.'
+    value: '{{ pdns__postgresql_dnssec }}'
+    state: '{{ "present" if "gpgsql" in pdns__backends else "absent" }}'
+
+  - name: 'webserver'
+    comment: 'Enable/Disable the built-in webserver and metrics endpoint.'
+    value: True
+    state: '{{ "present" if pdns__metrics else "absent" }}'
+
+  - name: 'webserver-port'
+    comment: 'The TCP port the built-in webserver will listen on.'
+    value: '{{ pdns__http_port }}'
+    state: '{{ "present" if pdns__api or pdns__metrics else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__configuration [[[
+#
+# Additional ``/etc/powerdns/pdns.conf`` configuration that should be present
+# on all hosts in the Ansible inventory.
+pdns__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: pdns__group_configuration [[[
+#
+# Additional ``/etc/powerdns/pdns.conf`` configuration that should be present
+# on all hosts in the Ansible inventory group.
+pdns__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: pdns__host_configuration [[[
+#
+# Additional ``/etc/powerdns/pdns.conf`` configuration that should be present
+# on specific hosts in the Ansible inventory.
+pdns__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: pdns__combined_configuration [[[
+#
+# The combined pdns configuration variables that will be used to template the
+# ``/etc/powerdns/pdns.conf`` file.
+pdns__combined_configuration: '{{ pdns__original_configuration
+                                  + pdns__default_configuration
+                                  + pdns__configuration
+                                  + pdns__group_configuration
+                                  + pdns__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: pdns__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` role.
+pdns__etc_services__dependent_list:
+
+  - name: 'powerdns-http'
+    port: '{{ pdns__http_port }}'
+    protocols: [ 'tcp' ]
+    comment: 'Added by debops.pdns Ansible role.'
+
+                                                                   # ]]]
+# .. envvar:: pdns__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` role.
+pdns__ferm__dependent_rules:
+
+  - name: 'pdns'
+    by_role: 'debops.pdns'
+    type: 'accept'
+    protocol: [ 'tcp', 'udp' ]
+    dport: [ '{{ pdns__local_port }}' ]
+    saddr: '{{ pdns__allow }}'
+
+                                                                   # ]]]
+# .. envvar:: pdns__nginx__dependent_servers [[[
+#
+# Configuration for the :ref:`debops.nginx` role.
+pdns__nginx__dependent_servers:
+
+  - name: '{{ pdns__nginx_fqdn }}'
+    filename: 'debops.pdns'
+    allow: '{{ pdns__nginx_allow }}'
+    type: 'proxy'
+    proxy_pass: 'http://127.0.0.1:{{ pdns__http_port }}'
+    webroot_create: False
+
+                                                                   # ]]]
+# .. envvar:: pdns__postgresql__dependent_roles [[[
+#
+# Configuration for the :ref:`debops.postgresql` role.
+pdns__postgresql__dependent_roles:
+
+  - role: '{{ pdns__postgresql_role }}'
+    port: '{{ pdns__postgresql_port }}'
+    password: '{{ pdns__postgresql_password }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/pdns/meta/main.yml b/ansible_collections/debops/debops/roles/pdns/meta/main.yml
new file mode 100644
index 00000000..5c7716f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/meta/main.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (C) 2021 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Imre Jonk, CipherMail B.V.'
+  description: 'Manage PowerDNS Authoritative Server'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.10.0'
+  platforms:
+    - name: 'Debian'
+      versions:
+        - 'buster'
+        - 'bullseye'
+  galaxy_tags:
+    - 'powerdns'
+    - 'pdns'
+    - 'authoritative'
+    - 'dns'
diff --git a/ansible_collections/debops/debops/roles/pdns/tasks/init_postgresql.yml b/ansible_collections/debops/debops/roles/pdns/tasks/init_postgresql.yml
new file mode 100644
index 00000000..b6b301e9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/tasks/init_postgresql.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create PostgreSQL database
+  community.postgresql.postgresql_db:
+    name: '{{ pdns__postgresql_database }}'
+    owner: '{{ pdns__postgresql_role }}'
+    state: 'present'
+  delegate_to: '{{ pdns__postgresql_delegate_to }}'
+  register: pdns__register_postgresql_status
+
+- name: Import initial database schema
+  community.postgresql.postgresql_db:
+    login_user: '{{ pdns__postgresql_role }}'
+    login_password: '{{ pdns__postgresql_password }}'
+    name: '{{ pdns__postgresql_database }}'
+    target: '{{ pdns__postgresql_schema }}'
+    state: 'restore'
+  when: pdns__register_postgresql_status is changed  # noqa no-handler
diff --git a/ansible_collections/debops/debops/roles/pdns/tasks/main.yml b/ansible_collections/debops/debops/roles/pdns/tasks/main.yml
new file mode 100644
index 00000000..83b7ac77
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/tasks/main.yml
@@ -0,0 +1,58 @@
+---
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 Imre Jonk <imre@imrejonk.nl>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Ensure PowerDNS support is installed
+  ansible.builtin.package:
+    name: '{{ (pdns__base_packages + pdns__packages) | flatten }}'
+    state: 'present'
+  register: pdns__register_packages
+  until: pdns__register_packages is succeeded
+
+- name: Configure PostgreSQL
+  ansible.builtin.include_tasks: init_postgresql.yml
+  when: ('gpgsql' in pdns__backends)
+
+- name: Divert original configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/powerdns/pdns.conf'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/pdns.fact.j2'
+    dest: '/etc/ansible/facts.d/pdns.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure local PowerDNS changes
+  ansible.builtin.template:
+    src: 'etc/powerdns/pdns.conf.j2'
+    dest: '/etc/powerdns/pdns.conf'
+    owner: 'root'
+    group: 'pdns'
+    mode: '0640'
+  notify: [ 'Restart pdns' ]
diff --git a/ansible_collections/debops/debops/roles/pdns/templates/etc/ansible/facts.d/pdns.fact.j2 b/ansible_collections/debops/debops/roles/pdns/templates/etc/ansible/facts.d/pdns.fact.j2
new file mode 100644
index 00000000..105e354a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/templates/etc/ansible/facts.d/pdns.fact.j2
@@ -0,0 +1,28 @@
+#!{{ ansible_python['executable'] }}
+
+# Copyright (C) 2021 Imre Jonk <imre@imrejonk.nl>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from json import dumps
+import os
+import subprocess
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ['PATH'].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('pdnsutil')}
+
+if output['installed']:
+    output['version'] = subprocess.check_output(
+        ['pdnsutil', '--version'], stderr=subprocess.STDOUT
+    ).decode('utf-8').split(' ')[1].replace('\n', '')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/pdns/templates/etc/powerdns/pdns.conf.j2 b/ansible_collections/debops/debops/roles/pdns/templates/etc/powerdns/pdns.conf.j2
new file mode 100644
index 00000000..96a92c8b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pdns/templates/etc/powerdns/pdns.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2021 Imre Jonk <imre@imrejonk.nl>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{%  for element in pdns__combined_configuration | debops.debops.parse_kv_config %}
+{%      if element.state == "present" %}
+{%          if element.comment | d() %}
+{{ element.comment | regex_replace('$\n', '') | comment(prefix='', postfix='') }}
+{%          endif %}
+{{ element.name }} = {{ element.value }}
+
+{%      endif %}
+{%  endfor %}
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/COPYRIGHT b/ansible_collections/debops/debops/roles/persistent_paths/COPYRIGHT
new file mode 100644
index 00000000..fda61528
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.persistent_paths - Ensure paths are stored on persistent storage
+
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/defaults/main.yml b/ansible_collections/debops/debops/roles/persistent_paths/defaults/main.yml
new file mode 100644
index 00000000..b0c7a10d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/defaults/main.yml
@@ -0,0 +1,110 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _persistent_paths__ref_defaults:
+
+# debops.persistent_paths default variables [[[
+# =============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+# .. include:: ../includes/role.rst
+
+
+# Persistent paths [[[
+# --------------------
+
+# The following dictionary variables can be used to manage the persistence of paths.
+# See :ref:`persistent_paths__ref_paths` for more details.
+
+# .. envvar:: persistent_paths__paths [[[
+#
+# Dict for specifying persistent paths.
+# This variable is intended to be used in Ansible’s global inventory.
+persistent_paths__paths: {}
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__group_paths [[[
+#
+# Dict for specifying persistent paths.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+persistent_paths__group_paths: {}
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__host_paths [[[
+#
+# Dict for specifying persistent paths.
+# This variable is intended to be used in the inventory of hosts.
+persistent_paths__host_paths: {}
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__dependent_paths [[[
+#
+# Dict for specifying persistent paths. This variable is intended for other Ansible
+# roles to be used when using ``debops.persistent_paths`` as role dependency.
+persistent_paths__dependent_paths: {}
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__combined_paths [[[
+#
+# Combined dictionary of persistent paths as it is used by the role.
+# This defines the order in which dictionary keys might "mask" previous once.
+persistent_paths__combined_paths: '{{
+  persistent_paths__dependent_paths
+  | combine(persistent_paths__paths)
+  | combine(persistent_paths__group_paths)
+  | combine(persistent_paths__host_paths) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Qubes OS [[[
+# ------------
+
+# .. envvar:: persistent_paths__qubes_os_enabled [[[
+#
+# Should the role run Qubes OS specific tasks?
+persistent_paths__qubes_os_enabled: '{{ True
+                                        if (ansible_virtualization_role == "guest" and
+                                            "qubes" in (ansible_kernel | lower))
+                                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__qubes_os_config_dir [[[
+#
+# Directory path where the role should maintain the configuration for
+# bind-dirs.sh_.
+persistent_paths__qubes_os_config_dir: '/rw/config/qubes-bind-dirs.d'
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__qubes_os_storage_path [[[
+#
+# Persistent directory path where the files/directories are stored and from
+# which these source paths are then bind mounted to their canonical/original
+# location.
+persistent_paths__qubes_os_storage_path: '/rw/bind-dirs'
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__qubes_os_handler [[[
+#
+# File path to the executable bind-dirs.sh_ script.
+persistent_paths__qubes_os_handler: '/usr/lib/qubes/bind-dirs.sh'
+
+                                                                   # ]]]
+# .. envvar:: persistent_paths__qubes_os_default_persistent_paths [[[
+#
+# Paths which are persistent by default and should be filtered out/not handled
+# by bind-dirs.sh_.
+persistent_paths__qubes_os_default_persistent_paths:
+  - '/home'
+  - '/usr/local'
+  - '/var/spool/cron'
+  - '/rw'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/handlers/main.yml b/ansible_collections/debops/debops/roles/persistent_paths/handlers/main.yml
new file mode 100644
index 00000000..0009f886
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: 'Run bind-dirs'
+  ansible.builtin.command: '{{ persistent_paths__qubes_os_handler }}'
+  register: persistent_paths__register_bind_dirs
+  changed_when: persistent_paths__register_bind_dirs.changed | bool
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/meta/main.yml b/ansible_collections/debops/debops/roles/persistent_paths/meta/main.yml
new file mode 100644
index 00000000..064f70a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Ensure paths are stored on persistent storage'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.4'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - persistent
+    - persistence
+    - qubesos
+    - templatebasedvm
+    - appvm
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/tasks/main.yml b/ansible_collections/debops/debops/roles/persistent_paths/tasks/main.yml
new file mode 100644
index 00000000..91dfec28
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Configure QubesOS environment
+  when: persistent_paths__qubes_os_enabled | bool
+  tags: [ 'role::persistent_paths:qubes_os' ]
+  block:
+
+  - name: Ensure the qubes-bind-dirs.d directory does exist
+    ansible.builtin.file:
+      path: '{{ persistent_paths__qubes_os_config_dir }}'
+      state: 'directory'
+      owner: 'root'
+      group: 'root'
+      mode: '0750'
+
+  - name: Configuration persistent paths on Qubes OS
+    ansible.builtin.template:
+      src: 'rw/config/qubes-bind-dirs.d/default.conf.j2'
+      dest: '{{ persistent_paths__qubes_os_config_dir + "/" + item.key + ".conf" }}'
+      owner: 'root'
+      group: 'root'
+      mode: '0644'
+    when: (item.value.state | d("present") == "present")
+    with_dict: '{{ persistent_paths__combined_paths }}'
+    notify: [ 'Run bind-dirs' ]
+
+  - name: Remove configuration of persistent paths on Qubes OS
+    ansible.builtin.file:
+      path: '{{ persistent_paths__qubes_os_config_dir + "/" + item.key + ".conf" }}'
+      state: 'absent'
+    when: (item.value.state | d("present") == "absent")
+    with_dict: '{{ persistent_paths__combined_paths }}'
+    notify: [ 'Run bind-dirs' ]
+
+# Ansible facts [[[
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create local facts of persistent_paths
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/persistent_paths.fact.j2'
+    dest: '/etc/ansible/facts.d/persistent_paths.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/templates/etc/ansible/facts.d/persistent_paths.fact.j2 b/ansible_collections/debops/debops/roles/persistent_paths/templates/etc/ansible/facts.d/persistent_paths.fact.j2
new file mode 100644
index 00000000..e3955824
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/templates/etc/ansible/facts.d/persistent_paths.fact.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{# Use the generic versions where possible. The role might support multiple persistent storage providers. #}
+{{ ({
+    "enabled": persistent_paths__qubes_os_enabled | bool,
+    "write_to_storage_path": persistent_paths__qubes_os_enabled | bool,
+    "storage_path": persistent_paths__qubes_os_storage_path | string,
+    "default_persistent_paths": persistent_paths__qubes_os_default_persistent_paths,
+    "qubes_os_enabled": persistent_paths__qubes_os_enabled | bool,
+    "qubes_os_config_dir": persistent_paths__qubes_os_config_dir | string,
+    "qubes_os_storage_path": persistent_paths__qubes_os_storage_path | string,
+    "qubes_os_handler": persistent_paths__qubes_os_handler | string,
+    "qubes_os_default_persistent_paths": persistent_paths__qubes_os_default_persistent_paths,
+}) | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/persistent_paths/templates/rw/config/qubes-bind-dirs.d/default.conf.j2 b/ansible_collections/debops/debops/roles/persistent_paths/templates/rw/config/qubes-bind-dirs.d/default.conf.j2
new file mode 100644
index 00000000..06cb6374
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/persistent_paths/templates/rw/config/qubes-bind-dirs.d/default.conf.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% if item.value.by_role | d() %}
+# Managed by role: {{ item.value.by_role }}
+{% endif %}
+
+{% set persistent_paths__tpl_paths = [] %}
+{% for path in item.value.paths %}
+{%   set include_path = { "include": True } %}
+{%   for filter_out_path in persistent_paths__qubes_os_default_persistent_paths %}
+{%     if path.startswith(filter_out_path) %}
+{%       set _ = include_path.update({ "include": False }) %}
+{%     endif %}
+{%   endfor %}
+{%   if include_path.include | bool %}
+{%     set _ = persistent_paths__tpl_paths.append(path) %}
+{%   endif %}
+{% endfor %}
+binds+=( {{ persistent_paths__tpl_paths | map("regex_replace", "^", "'") | map("regex_replace", "$", "'") | sort | join(" ") }} )
+{# Does not work yet:
+binds+=( {{ item.value.paths | map("quote") | join(" ") }} )
+#}
diff --git a/ansible_collections/debops/debops/roles/php/COPYRIGHT b/ansible_collections/debops/debops/roles/php/COPYRIGHT
new file mode 100644
index 00000000..65a48140
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.php - Manage PHP5/PHP7 environment using Ansible
+
+Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/php/defaults/main.yml b/ansible_collections/debops/debops/roles/php/defaults/main.yml
new file mode 100644
index 00000000..6b04fd46
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/defaults/main.yml
@@ -0,0 +1,806 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# .. Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _php__ref_defaults:
+
+# debops.php default variables [[[
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Custom APT package repositories [[[
+# -----------------------------------
+
+# .. envvar:: php__version_preference [[[
+#
+# List of APT package names which are scanned to check available PHP versions.
+# The first found package wins. The ``php5`` packages are not supported.
+php__version_preference: [ 'php7.4', 'php7.3', 'php', 'php5.6' ]
+
+                                                                   # ]]]
+# .. envvar:: php__sury [[[
+#
+# Enable custom APT repositories of Ondřej Surý, Debian and Ubuntu PHP package
+# maintainer. You can enable these repositories to install PHP 7.0 on Debian
+# Jessie. See :ref:`php__ref_sury` for more details.
+php__sury: '{{ ansible_local.php.sury
+                | d(ansible_distribution_release in ["stretch", "trusty", "xenial"]) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: php__sury_apt_key_id [[[
+#
+# The OpenPGP key used to sign Ondřej Surý APT repository, dependent on the current
+# OS distribution.
+php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+
+                                                                   # ]]]
+# .. envvar:: php__sury_apt_repo [[[
+#
+# APT repository URL to Ondřej Surý repository, dependent on the current OS
+# distribution.
+php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
+
+                                                                   # ]]]
+# .. envvar:: php__sury_apt_key_id_map [[[
+#
+# YAML dictionary map of OpenPGP key ids used to sign APT repository information,
+# dependent on the OS distribution.
+php__sury_apt_key_id_map:
+  'Debian':
+    - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
+      repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      state: '{{ "present" if php__sury | bool else "absent" }}'
+
+    # Key replaced due to security concerns
+    # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
+    - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
+      state: 'absent'
+
+  'Ubuntu':
+    - id: '14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C'
+      repo: 'ppa:ondrej/php'
+      state: '{{ "present" if php__sury | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: php__sury_apt_repo_map [[[
+#
+# YAML dictionary map of APT repository URLs, dependent on the OS distribution.
+php__sury_apt_repo_map:
+  'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+  'Ubuntu': 'ppa:ondrej/php'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT package installation [[[
+# ----------------------------
+
+# The role uses a special filtering for APT package names to ensure support for
+# different PHP versions. PHP APT packages are named in the format::
+#
+#     php<version>-<suffix>
+#
+# For the automatic filter to work, all you need to do to install a package is
+# to specify the ``<suffix>`` part. See :ref:`php__ref_packages` for more
+# details.
+
+# .. envvar:: php__server_api_packages [[[
+#
+# List of PHP Server API packages to install. This list is checked against to
+# enable certain parts of the role if needed. It should contain only the names
+# of the SAPI packages.
+php__server_api_packages: [ 'cli', 'fpm' ]
+
+                                                                   # ]]]
+# .. envvar:: php__base_packages [[[
+#
+# Install set of standard PHP packages.
+php__base_packages:
+  - '{{ "php" + php__version }}'
+  - 'curl'
+  - 'gd'
+  - '{{ [] if php__composer_upstream_enabled | bool else "composer" }}'
+  - '{{ "mcrypt"
+        if (php__version is version_compare("7.2", "<"))
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: php__packages [[[
+#
+# List of additional "global" APT packages to install.
+php__packages: []
+
+                                                                   # ]]]
+# .. envvar:: php__group_packages [[[
+#
+# List of APT packages for a group of hosts (only one group is supported).
+php__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: php__host_packages [[[
+#
+# List of APT packages to install on a specific host.
+php__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: php__dependent_packages [[[
+#
+# List of APT packages to install, requested by a role dependency.
+php__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: php__combined_packages [[[
+#
+# List of all PHP packages requested for installation passed to the filter
+# script as a string of arguments for further processing.
+php__combined_packages: '{{ (lookup("flattened",
+                             php__server_api_packages
+                             + php__base_packages
+                             + php__packages
+                             + php__group_packages
+                             + php__host_packages
+                             + php__dependent_packages).split(",")
+                            | difference(php__included_packages))
+                            | join(" ") }}'
+
+                                                                   # ]]]
+# .. envvar:: php__reset [[[
+#
+# Can be temporally set to ``True`` to reevaluate the preferred PHP version and
+# remove older PHP versions on the next Ansible run.
+# Note that this option is not idempotent. It will reset on every role run.
+php__reset: False
+
+                                                                   # ]]]
+# .. envvar:: php__included_packages [[[
+#
+# List of PHP packages which are shipped with the standard PHP distribution.
+# This variable is used to abstract packaging differences between different
+# PHP repositories or releases. If you use a custom APT package for PHP,
+# you might need to adjust this list for proper package resolution.
+php__included_packages: '{{ php__php_included_packages
+                            if php__sury
+                            else (php__release_included_map[ansible_distribution_release]
+                                  | d(php__php_included_packages)) }}'
+
+                                                                   # ]]]
+# .. envvar:: php__release_included_map [[[
+#
+# Configuration dictionary mapping distribution releases to different PHP
+# packaging configurations. Also see :envvar:`php__included_packages`.
+php__release_included_map:
+  stretch:  '{{ php__php_included_packages }}'
+  buster:   '{{ php__php_included_packages }}'
+  bullseye: '{{ php__php_included_packages }}'
+  sid:      '{{ php__php_included_packages }}'
+  trusty:   '{{ php__php5_included_packages }}'
+  xenial:   '{{ php__php_included_packages }}'
+  zesty:    '{{ php__php_included_packages }}'
+  bionic:   '{{ php__php_included_packages }}'
+  focal:    '{{ php__php_included_packages }}'
+  groovy:    '{{ php__php_included_packages }}'
+
+                                                                   # ]]]
+# .. envvar:: php__php5_included_packages [[[
+#
+# PHP packages usually part of the php5/php5-common packaging.
+php__php5_included_packages: '{{ php__common_included_packages
+                                 + ["bcmath", "bz2", "dba", "dom", "ereg",
+                                    "mbstring", "mhash", "SimpleXML", "soap",
+                                    "wddx", "xml", "xmlreader", "xmlwriter",
+                                    "zip"] }}'
+
+                                                                   # ]]]
+# .. envvar:: php__php_included_packages [[[
+#
+# PHP packages usually part of the php/php-common (PHP 7.x) packaging.
+php__php_included_packages: '{{ php__common_included_packages
+                                + ["sysvsem", "sysvshm"] }}'
+
+                                                                   # ]]]
+# .. envvar:: php__common_included_packages [[[
+#
+# PHP packages usually part of the php/php-common packaging.
+php__common_included_packages:
+  - 'calendar'
+  - 'ctype'
+  - 'date'
+  - 'exif'
+  - 'fileinfo'
+  - 'filter'
+  - 'ftp'
+  - 'gettext'
+  - 'hash'
+  - 'iconv'
+  - 'libxml'
+  - 'openssl'
+  - 'pcntl'
+  - 'pcre'
+  - 'PDO'
+  - 'Phar'
+  - 'posix'
+  - 'Reflection'
+  - 'session'
+  - 'shmop'
+  - 'sockets'
+  - 'SPL'
+  - 'standard'
+  - 'sysvmsg'
+  - 'tokenizer'
+  - 'zlib'
+                                                                   # ]]]
+                                                                   # ]]]
+# PHP Composer support [[[
+# ------------------------
+
+# .. envvar:: php__composer_upstream_enabled [[[
+#
+# Enable or disable installation of the :command:`composer` command from
+# upstream. The ``composer`` package in older OS releases might not work as
+# expected. If upstream installation is disabled, the ``composer`` APT package
+# will be installed instead.
+php__composer_upstream_enabled: '{{ True
+                                    if (ansible_distribution_release in
+                                        ["stretch", "trusty", "xenial",
+                                         "bionic", "focal"])
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: php__composer_upstream_version [[[
+#
+# The version of the PHP Composer release to install from upstream.
+# Remember to update the watch file and the SHA256 checksum on changes.
+php__composer_upstream_version: '1.8.5'
+
+                                                                   # ]]]
+# .. envvar:: php__composer_upstream_checksum [[[
+#
+# The SHA256 checksum of the PHP Composer release selected for installation.
+php__composer_upstream_checksum: 'sha256:23b29b1a921b56db3c12ba531752dffcfaa3de0fcece3e54974e06990e46bbf9'
+
+                                                                   # ]]]
+# .. envvar:: php__composer_upstream_url [[[
+#
+# The URL to the PHP Composer binary which should be installed.
+php__composer_upstream_url: '{{ "https://github.com/composer/composer/releases/download/"
+                                + php__composer_upstream_version + "/composer.phar" }}'
+
+                                                                   # ]]]
+# .. envvar:: php__composer_upstream_dest [[[
+#
+# The absolute path of the PHP Composer binary destination file.
+php__composer_upstream_dest: '/usr/local/bin/composer'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global php.ini configuration [[[
+# --------------------------------
+
+# .. envvar:: php__production [[[
+#
+# This variable determines if the :file:`php.ini` configuration will be
+# configured towards "production" systems (don't display errors), or
+# "development" systems (display all errors).
+php__production: True
+
+                                                                   # ]]]
+# .. envvar:: php__ini_cgi_fix_pathinfo [[[
+#
+# Enable or disable ``cgi.fix_pathinfo`` option in PHP. This is highly
+# dependent on the used webserver (:program:`nginx` should have the option disabled,
+# ``apache2`` needs it to be enabled).
+php__ini_cgi_fix_pathinfo: False
+
+                                                                   # ]]]
+# .. envvar:: php__ini_max_execution_time [[[
+#
+# Specify default maximum execution time, in seconds.
+php__ini_max_execution_time: '30'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_max_input_time [[[
+#
+# Specify default maximum input time, in seconds.
+php__ini_max_input_time: '60'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_memory_limit [[[
+#
+# Specify maximum memory limit for PHP processes, in megabytes.
+php__ini_memory_limit: '128M'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_post_max_size [[[
+#
+# Specify maximum size of the POST data, in megabytes.
+php__ini_post_max_size: '8M'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_file_uploads [[[
+#
+# Enable or disable file uploading in PHP applications.
+php__ini_file_uploads: True
+
+                                                                   # ]]]
+# .. envvar:: php__ini_upload_max_filesize [[[
+#
+# Specify maximum size of uploaded files, in megabytes.
+php__ini_upload_max_filesize: '{{ php__ini_post_max_size }}'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_max_file_uploads [[[
+#
+# Specify maximum number of files uploaded at once.
+php__ini_max_file_uploads: '20'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_default_charset [[[
+#
+# Specify default charset used in PHP environment.
+php__ini_default_charset: 'UTF-8'
+
+                                                                   # ]]]
+# .. envvar:: php__ini_allow_url_fopen [[[
+#
+# Enable or disable access to remote URLs in PHP applications.
+php__ini_allow_url_fopen: True
+
+                                                                   # ]]]
+# .. envvar:: php__ini_date_timezone [[[
+#
+# Configure the PHP timezone. This variable uses configuration provided by the
+# :ref:`debops.core`.
+php__ini_date_timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration added to php.ini [[[
+# ----------------------------------
+
+# The role uses custom :file:`php.ini` configuration files managed by Ansible. See
+# :ref:`php__ref_configuration` for more details.
+
+# .. envvar:: php__default_configuration [[[
+#
+# Default configuration of the :file:`php.ini` added by the role.
+php__default_configuration:
+
+  - filename: '00-ansible'
+    name: 'PHP'
+    sections:
+
+      - options: |
+          max_execution_time =     {{ php__ini_max_execution_time }}
+          max_input_time =         {{ php__ini_max_input_time }}
+          memory_limit =           {{ php__ini_memory_limit }}
+          error_reporting =        {{ (php__production | bool) | ternary('E_ALL & ~E_DEPRECATED & ~E_STRICT', 'E_ALL') }}
+          display_errors =         {{ (php__production | bool) | ternary('Off', 'On') }}
+          display_startup_errors = {{ (php__production | bool) | ternary('Off', 'On') }}
+          {% if php__version is version_compare("7.2", "<") %}
+          track_errors =           {{ (php__production | bool) | ternary('Off', 'On') }}
+          {% endif %}
+          post_max_size =          {{ php__ini_post_max_size }}
+          default_charset =        {{ php__ini_default_charset }}
+          file_uploads =           {{ (php__ini_file_uploads | bool) | ternary('On', 'Off') }}
+          upload_max_filesize =    {{ php__ini_upload_max_filesize }}
+          max_file_uploads =       {{ php__ini_max_file_uploads }}
+          allow_url_fopen =        {{ (php__ini_allow_url_fopen | bool) | ternary('On', 'Off') }}
+
+      - name: 'CGI'
+        options: |
+          cgi.fix_pathinfo =       {{ (php__ini_cgi_fix_pathinfo | bool) | ternary('1', '0') }}
+
+      - name: 'Date'
+        options: |
+          date.timezone =          {{ php__ini_date_timezone }}
+
+  - filename: '../cli/conf.d/30-memory_limit'
+    name: 'PHP'
+    options: |
+      ; Don't limit memory for php-cli execution
+      memory_limit = -1
+
+# ]]]
+# .. envvar:: php__configuration [[[
+#
+# Custom :file:`php.ini` configuration added on all hosts in Ansible inventory.
+php__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: php__group_configuration [[[
+#
+# Custom :file:`php.ini` configuration added on a group of hosts in Ansible
+# inventory.
+php__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: php__host_configuration [[[
+#
+# Custom :file:`php.ini` configuration added on specific hosts in Ansible
+# inventory.
+php__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: php__dependent_configuration [[[
+#
+# Custom :file:`php.ini` configuration by other Ansible roles using dependent
+# variables.
+php__dependent_configuration: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Global PHP-FPM configuration [[[
+# --------------------------------
+
+# .. envvar:: php__fpm_privileged_group [[[
+#
+# What system group has privileged access to :program:`php-fpm` service.
+php__fpm_privileged_group: 'webadmins'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_syslog [[[
+#
+# Enable or disable error logging to ``syslog``. Currently the ``syslog``
+# logging in PHP has some issues: https://bugs.php.net/bug.php?id=67764
+php__fpm_syslog: False
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_error_log [[[
+#
+# Path to the ``error.log`` file which is used by PHP-FPM to log error
+# messages.
+#
+# If it's set to ``syslog``, error logs are sent to the local log daemon.
+php__fpm_error_log: '{{ ("/var/log/php" + php__version + "-fpm.log")
+                        if not php__fpm_syslog | bool else "syslog" }}'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_syslog_ident [[[
+#
+# When ``syslog`` logging is enabled, specify the program identification string
+# used by PHP-FPM. This should be one word string, without spaces.
+php__fpm_syslog_ident: 'php-fpm'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_syslog_facility [[[
+#
+# When ``syslog`` logging is enabled, specify the ``syslog`` facility to use.
+php__fpm_syslog_facility: 'daemon'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_log_level [[[
+#
+# When ``syslog`` logging is enabled, specify the log level used by PHP-FPM.
+php__fpm_log_level: 'notice'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_emergency_restart_threshold [[[
+#
+# Specify number of PHP-FPM child processes that exit with errors during
+# a given interval (see below) that will trigger an automatic restart of the
+# master PHP-FPM process.
+php__fpm_emergency_restart_threshold: '0'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_emergency_restart_interval [[[
+#
+# Specify the interval which is used to determine number of PHP-FPM child
+# processes that exit with errors.
+php__fpm_emergency_restart_interval: '0'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_process_control_timeout [[[
+#
+# Specify maximum wait time the master PHP-FPM process waits for a reaction on
+# the signals sent to the child processes.
+php__fpm_process_control_timeout: '0'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_process_max [[[
+#
+# Maximum number of PHP-FPM child processes.
+php__fpm_process_max: '128'
+                                                                   # ]]]
+                                                                   # ]]]
+# PHP-FPM pool defaults [[[
+# -------------------------
+
+# These configuration variables are used as default values in PHP-FPM pool
+# configuration. They can be specified as the keys of the YAML dictionaries
+# that define specific PHP-FPM pool configuration, after removing the
+# ``php__fpm_`` prefix from the variable name.
+
+# .. envvar:: php__fpm_listen_owner [[[
+#
+# The system user that will be the owner of the PHP-FPM socket. This should be
+# the username of the webserver account, so that it can use the socket to
+# communicate with the PHP-FPM process. This account needs to exist before the
+# PHP-FPM process is started (the ``www-data`` account is created by default on
+# Debian/Ubuntu systems).
+php__fpm_listen_owner: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_listen_group [[[
+#
+# The system group that will be the primary group of the PHP-FPM socket. This
+# should be the group that the webserver belongs to, so that it can use the
+# socket to communicate with the PHP-FPM process. This group needs to exist
+# before the PHP-FPM process is started (the ``www-data`` group is created by
+# default on Debian/Ubuntu systems).
+php__fpm_listen_group: 'www-data'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_listen_mode [[[
+#
+# The default permissions applied to the PHP-FPM pool sockets.
+php__fpm_listen_mode: '0660'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_listen_backlog [[[
+#
+# The default limit for socket connection backlog. If you tune this
+# parameter, you should also consider sysctl parameters
+# ``net.ipv4.tcp_max_syn_backlog``, ``net.ipv4.ip_local_port_range``,
+# ``net.ipv4.tcp_tw_reuse`` and ``net.core.somaxconn``.
+php__fpm_listen_backlog: '511'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm [[[
+#
+# Select the default way the PHP-FPM master process will manage pool child
+# processes. Possible values: ``static``, ``dynamic``, ``ondemand``.
+php__fpm_pm: 'ondemand'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_max_children [[[
+#
+# Maximum number of child processes in a PHP-FPM pool for any management mode.
+php__fpm_pm_max_children: '{{ ansible_processor_vcpus }}'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_start_servers [[[
+#
+# The number of pool child processes created at startup, used by the
+# ``dynamic`` management mode.
+php__fpm_pm_start_servers: '{{ ansible_processor_cores }}'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_min_spare_servers [[[
+#
+# Number of minimum idle spare servers that should be kept around, used by the
+# ``dynamic`` management mode.
+php__fpm_pm_min_spare_servers: '1'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_max_spare_servers [[[
+#
+# Number of maximum idle spare servers that should be kept around, used by the
+# ``dynamic`` management mode.
+php__fpm_pm_max_spare_servers: '{{ php__fpm_pm_max_children }}'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_process_idle_timeout [[[
+#
+# Timeout in seconds for the PHP-FPM pool child processes, used by the
+# ``ondemand`` management mode.
+php__fpm_pm_process_idle_timeout: '10s'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_max_requests [[[
+#
+# Maximum number of requests after which PHP-FPM pool child processes will be
+# respawned.
+php__fpm_pm_max_requests: '500'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_status [[[
+#
+# Enable or disable pool status page in all PHP-FPM pools. You might need to
+# configure the webserver to allow access to this page as well.
+php__fpm_pm_status: False
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_pm_status_path [[[
+#
+# The URL path of the pool status page. It needs to start with ``/``, the
+# ``.php`` prefix is discouraged to not create issues with passing the request
+# to the PHP-FPM process.
+php__fpm_pm_status_path: '/status.php'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_ping_path [[[
+#
+# The URL path of the "ping" request for all PHP-FPM pools.
+php__fpm_ping_path: '/ping.php'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_ping_response [[[
+#
+# A string that defines the expected response of the "ping" request.
+php__fpm_ping_response: 'pong'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_access_log [[[
+#
+# Enable or disable request log in :file:`/var/log/php{5,7.0}-fpm/$pool_access.log`
+# for all PHP-FPM pools.
+php__fpm_access_log: False
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_request_terminate_timeout [[[
+#
+# Specify maximum request time after which the worker process will be killed.
+php__fpm_request_terminate_timeout: '{{ php__ini_max_execution_time }}'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_rlimit_files [[[
+#
+# Specify maximum number of opened file descriptors.
+php__fpm_rlimit_files: '1024'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_rlimit_core [[[
+#
+# Specify maximum size of the ``core`` files.
+php__fpm_rlimit_core: '0'
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_catch_workers_output [[[
+#
+# If enabled, redirect ``stdout`` and ``stderr`` streams of the worker
+# processes to the main ``error.log`` file. Might impact performance.
+php__fpm_catch_workers_output: False
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_security_limit_extensions [[[
+#
+# List of file extensions which are considered to be PHP scripts by the
+# interpreter.
+php__fpm_security_limit_extensions:  [ '.php' ]
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_clear_env [[[
+#
+# If enabled, the PHP-FPM pool will clear the child process environment before
+# adding the specified environment variables.
+php__fpm_clear_env: False
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_environment [[[
+#
+# A YAML dictionary with environment variables that should be set in all
+# PHP-FPM pools on all hosts in Ansible inventory. Each key of the dictionary
+# is a variable name, and its value is the variable value.
+php__fpm_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_group_environment [[[
+#
+# A YAML dictionary with environment variables that should be set in all
+# PHP-FPM pools on a group of hosts in Ansible inventory. Each key of the
+# dictionary is a variable name, and its value is the variable value.
+php__fpm_group_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: php__fpm_host_environment [[[
+#
+# A YAML dictionary with environment variables that should be set in all
+# PHP-FPM pools on a specific hosts in Ansible inventory. Each key of the
+# dictionary is a variable name, and its value is the variable value.
+php__fpm_host_environment: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# PHP-FPM pools [[[
+# -----------------
+
+# Lists of PHP-FPM pools managed by the ``debops.php`` role. Each PHP-FPM pool
+# is defined as a YAML dictionary. See :ref:`php__ref_pools` for more details.
+
+# .. envvar:: php__default_pools [[[
+#
+# List of default PHP-FPM pools configured on all hosts. At least 1 pool is
+# required at all times, otherwise the service will not start properly.
+php__default_pools: [ '{{ php__pool_www_data }}' ]
+
+                                                                   # ]]]
+# .. envvar:: php__pools [[[
+#
+# List of PHP-FPM pools configured on all hosts in Ansible inventory.
+php__pools: []
+
+                                                                   # ]]]
+# .. envvar:: php__group_pools [[[
+#
+# List of PHP-FPM pools configured on a group of hosts in Ansible inventory.
+php__group_pools: []
+
+                                                                   # ]]]
+# .. envvar:: php__host_pools [[[
+#
+# List of PHP-FPM pools configured on specific hosts in Ansible inventory.
+php__host_pools: []
+
+                                                                   # ]]]
+# .. envvar:: php__dependent_pools [[[
+#
+# List of PHP-FPM pools configured by other Ansible roles using dependent
+# variables.
+php__dependent_pools: []
+
+                                                                   # ]]]
+# .. envvar:: php__pool_www_data [[[
+#
+# The default PHP-FPM pool for the ``www-data`` system account.
+php__pool_www_data:
+  name: 'www-data'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: php__apt_preferences__dependent_list [[[
+#
+# Configuration of the :ref:`debops.apt_preferences` role.
+php__apt_preferences__dependent_list:
+
+  - package: '*'
+    pin: 'origin "packages.sury.org"'
+    priority: '100'
+    reason: "Don't upgrade software automatically using packages from external repository"
+    role: 'debops.php'
+    suffix: '_packages_sury_org'
+    state: '{{ "present" if php__sury | bool else "absent" }}'
+
+  - packages: [ 'php', 'php5', 'php5*', 'php7*', 'dh-php', 'php-*',
+                'libpcre2-8-0', 'libpcre3', 'libzip4', 'libpcre16-3',
+                'libpcre32-3', 'libpcrecpp0v5', 'libpcre3-dev',
+                'libapache2-mod-php', 'libapache2-mod-php*',
+                'libsodium23' ]
+    pin: 'origin "packages.sury.org"'
+    priority: '500'
+    reason: 'Prefer PHP packages from the same repository for consistency'
+    role: 'debops.php'
+    suffix: '_packages_sury_org'
+    state: '{{ "present" if php__sury | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: php__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+php__keyring__dependent_apt_keys:
+
+  - '{{ php__sury_apt_key_id }}'
+
+                                                                   # ]]]
+# .. envvar:: php__logrotate__dependent_config [[[
+#
+# Configuration of the :ref:`debops.logrotate` role.
+php__logrotate__dependent_config:
+
+  - filename: 'php{{ php__version }}-fpm'
+    divert: True
+    logs:
+      - '/var/log/php{{ php__version }}-fpm.log'
+      - '/var/log/php{{ php__version }}-fpm/*.log'
+    options: |
+      create 0660 root adm
+      rotate 12
+      missingok
+      weekly
+      notifempty
+      compress
+      delaycompress
+    postrotate: |
+      {% if php__long_version is version_compare("5.5", "<") %}
+      invoke-rc.d php{{ php__version }}-fpm reopen-logs > /dev/null
+      {% else %}
+      {{ php__logrotate_lib_base }}/php{{ php__version }}-fpm-reopenlogs
+      {% endif %}
+
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/php/files/script/php-filter-packages.sh b/ansible_collections/debops/debops/roles/php/files/script/php-filter-packages.sh
new file mode 100755
index 00000000..d1747f25
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/files/script/php-filter-packages.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Filter specified PHP package names to the corresponding APT package names
+# available on the system.
+# Homepage: https://github.com/debops/ansible-php/
+
+# Usage:
+# Specify the PHP version in the $PHP_VERSION environment variable, either '5'
+# or '7.0'. Only one PHP version is supported at a time.
+
+# Specify the list of package names without the 'php5-' or 'php7.0-' prefix
+# as script arguments.
+
+
+set -o pipefail -o errexit
+
+# Look for the PHP packages of a particular version
+php_version="${PHP_VERSION:-5}"
+
+# List of packages to filter
+search_packages=( "$@" )
+
+# List of available PHP packages in APT repositories
+mapfile -t package_list < <( apt-cache pkgnames php ; apt-cache --no-generate pkgnames libapache2-mod-php )
+
+
+# The fast way to search through the list in Bash is to use an associative
+# array. First, create the array with all available package names as keys
+declare -A available_packages
+
+for name in "${package_list[@]}" ; do
+    available_packages["${name}"]=1
+done
+
+# Then, check if a specific key exists in the array
+for element in "${search_packages[@]}" ; do
+
+    # Support for 'php<version>-*' packages
+    if [[ ${available_packages["php${php_version}-${element}"]} ]] ; then
+        echo "php${php_version}-${element}"
+
+    # Support for 'php-*' packages
+    elif [[ ${available_packages["php-${element}"]} ]] ; then
+        echo "php-${element}"
+
+    # Support for 'libapache2-mod-php<version>' package
+    elif [[ ${available_packages["${element}${php_version}"]} ]] ; then
+        echo "${element}${php_version}"
+
+    # Support for other packages
+    else
+        if [ -n "${element}" ] ; then
+            echo "${element}"
+        fi
+    fi
+
+done
diff --git a/ansible_collections/debops/debops/roles/php/files/script/php-synchronize-config.sh b/ansible_collections/debops/debops/roles/php/files/script/php-synchronize-config.sh
new file mode 100755
index 00000000..597a6018
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/files/script/php-synchronize-config.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+set -e
+
+php_version="${1:-5}"
+
+if [ -d "/etc/php${php_version}/ansible" ] ; then
+    php_etc_base="/etc/php${php_version}"
+elif [ -d "/etc/php/${php_version}/ansible" ] ; then
+    php_etc_base="/etc/php/${php_version}"
+fi
+
+if [ -n "${php_etc_base}" ] ; then
+
+    if [ -d "${php_etc_base}/conf.d" ] ; then
+
+        cd "${php_etc_base}/conf.d" || exit 1
+        for config_file in "${php_etc_base}"/ansible/* ; do
+            if [[ ! -L "$(basename "${config_file}")" ]] || [[ ! -r "$(basename "${config_file}")" ]] ; then
+                ln -sfv "../ansible/$(basename "${config_file}")" "$(basename "${config_file}")"
+            fi
+        done
+        for path in "${php_etc_base}"/conf.d/* ; do
+            if [[ -n "${path}" ]] && [[ -L "${path}" ]] ; then
+                if [ ! -r "${path}" ] ; then
+                    rm -fv "${path}"
+                fi
+            fi
+        done
+        cd - > /dev/null
+
+    else
+
+        for sapi in "${php_etc_base}"/{cli,cgi,fpm,embed,apache2} ; do
+            if [[ -n "${sapi}" ]] && [[ -d "${sapi}/conf.d" ]] ; then
+                cd "${sapi}/conf.d" || exit 1
+                for config_file in "${php_etc_base}"/ansible/* ; do
+                    if [[ ! -L "$(basename "${config_file}")" ]] || [[ ! -r "$(basename "${config_file}")" ]] ; then
+                        ln -sfv "../../ansible/$(basename "${config_file}")" "$(basename "${config_file}")"
+                    fi
+                done
+                for path in "${sapi}"/conf.d/* ; do
+                    if [[ -n "${path}" ]] && [[ -L "${path}" ]] ; then
+                        if [ ! -r "${path}" ] ; then
+                            rm -fv "${path}"
+                        fi
+                    fi
+                done
+                cd - > /dev/null
+            fi
+        done
+
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/php/handlers/main.yml b/ansible_collections/debops/debops/roles/php/handlers/main.yml
new file mode 100644
index 00000000..a4948ce9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: "Restart php-fpm"
+  ansible.builtin.service:
+    name: "php{{ php__version }}-fpm"
+    state: 'restarted'
+  when: '"fpm" in php__server_api_packages'
+
+- name: "Reload php-fpm"
+  ansible.builtin.service:
+    name: "php{{ php__version }}-fpm"
+    state: 'reloaded'
+  when: '"fpm" in php__server_api_packages'
diff --git a/ansible_collections/debops/debops/roles/php/meta/main.yml b/ansible_collections/debops/debops/roles/php/meta/main.yml
new file mode 100644
index 00000000..30112a79
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Mariano Barcia, Maciej Delmanowski'
+  description: 'Install and manage PHP environment'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - web
+    - php
+    - php5
+    - php7
diff --git a/ansible_collections/debops/debops/roles/php/meta/watch-composer b/ansible_collections/debops/debops/roles/php/meta/watch-composer
new file mode 100644
index 00000000..42d39a31
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/meta/watch-composer
@@ -0,0 +1,13 @@
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: php
+# Package: composer
+# Version: 1.8.5
+
+version=3
+options=uversionmangle=s/-?([^\d.]+)/~$1/i;tr/A-Z/a-z/,dversionmangle=s/\+dfsg$//,repacksuffix=+dfsg \
+https://github.com/composer/composer/releases \
+.*/v?(\d.+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/php/tasks/main.yml b/ansible_collections/debops/debops/roles/php/tasks/main.yml
new file mode 100644
index 00000000..9f5acf1f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/tasks/main.yml
@@ -0,0 +1,225 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# APT packages, directories [[[
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Get available PHP packages for selected version
+  environment:
+    LC_ALL: 'C'
+    PHP_VERSION: '{{ php__version }}'
+  ansible.builtin.script: 'script/php-filter-packages.sh {{ php__combined_packages }}'
+  register: php__register_filtered_packages
+  changed_when: False
+  check_mode: False
+
+- name: Install PHP packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", php__register_filtered_packages.stdout.strip().splitlines()) }}'
+    state: 'present'
+  register: php__register_packages
+  until: php__register_packages is succeeded
+  notify: [ 'Restart php-fpm' ]
+
+- name: Install PHP Composer from upstream
+  ansible.builtin.get_url:
+    url: '{{ php__composer_upstream_url }}'
+    dest: '{{ php__composer_upstream_dest }}'
+    checksum: '{{ php__composer_upstream_checksum }}'
+    mode: '0755'
+  when: php__composer_upstream_enabled | bool
+
+- name: Ensure older PHP packages are absent on reset
+  ansible.builtin.include_tasks: 'packages_absent_for_version.yml'
+  loop_control:
+    loop_var: 'php__version_absent'
+  when: php__reset | bool
+  with_items: '{{ php__version_preference | difference(["php" + php__version | d("")]) | list }}'
+
+- name: 'Create directory for php*-fpm logs'
+  ansible.builtin.file:
+    path: '/var/log/php{{ php__version }}-fpm'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
+  when: '"fpm" in php__server_api_packages'
+
+- name: Ensure that required directories exist
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items:
+    - '{{ php__etc_base }}/ansible'
+    - '{{ php__etc_base }}/fpm/pool.d'
+
+- name: Allow webadmins to control PHP-FPM system service using sudo
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/php-fpm_webadmins.j2'
+    dest: '/etc/sudoers.d/php-fpm_webadmins'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: (ansible_local | d() and ansible_local.sudo | d() and
+         (ansible_local.sudo.installed | d()) | bool)
+
+                                                                   # ]]]
+# php.ini management [[[
+
+- name: Generate php.ini configuration
+  ansible.builtin.template:
+    src: 'etc/php/ansible/php.ini.j2'
+    dest: '{{ php__etc_base + "/" + item.path | d("ansible/") + (item.filename | d("00-ansible")) + ".ini" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", php__default_configuration
+                           + php__configuration
+                           + php__group_configuration
+                           + php__host_configuration
+                           + php__dependent_configuration) }}'
+  when: item.state | d('present') != 'absent'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:config' ]
+
+- name: Remove php.ini configuration if requested
+  ansible.builtin.file:
+    path: '{{ php__etc_base + "/" + item.path | d("ansible/") + (item.filename | d("00-ansible")) + ".ini" }}'
+    state: 'absent'
+  loop: '{{ q("flattened", php__default_configuration
+                           + php__configuration
+                           + php__group_configuration
+                           + php__host_configuration
+                           + php__dependent_configuration) }}'
+  when: item.state | d() and item.state == 'absent'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:config' ]
+
+- name: Synchronize Ansible and PHP SAPI configuration
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.script: script/php-synchronize-config.sh {{ php__version }}
+  register: php__register_synchronize_config
+  changed_when: php__register_synchronize_config.stdout is defined and
+                php__register_synchronize_config.stdout | d()
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:config' ]
+
+                                                                   # ]]]
+# PHP-FPM management [[[
+
+- name: Divert default PHP-FPM configuration and pool
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  with_items:
+    - '{{ php__etc_base + "/fpm/php-fpm.conf" }}'
+    - '{{ php__etc_base + "/fpm/pool.d/www.conf" }}'
+  when: '"fpm" in php__server_api_packages'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Generate php-fpm global configuration
+  ansible.builtin.template:
+    src: 'etc/php/fpm/php-fpm.conf.j2'
+    dest: '{{ php__etc_base }}/fpm/php-fpm.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: '"fpm" in php__server_api_packages'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Generate php-fpm pool configuration
+  ansible.builtin.template:
+    src: 'etc/php/fpm/pool.d/pool.conf.j2'
+    dest: '{{ php__etc_base }}/fpm/pool.d/{{ item.name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", php__default_pools
+                           + php__pools
+                           + php__group_pools
+                           + php__host_pools
+                           + php__dependent_pools) }}'
+  when: '"fpm" in php__server_api_packages and item.state | d("present") != "absent"'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Remove php-fpm pool configuration if requested
+  ansible.builtin.file:
+    dest: '{{ php__etc_base }}/fpm/pool.d/{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", php__default_pools
+                           + php__pools
+                           + php__group_pools
+                           + php__host_pools
+                           + php__dependent_pools) }}'
+  when: '"fpm" in php__server_api_packages and item.state | d() and item.state == "absent"'
+  notify: [ 'Restart php-fpm' ]
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+                                                                   # ]]]
+# Manage groups and user accounts [[[
+
+- name: Make sure required system groups exist
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.owner) }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", php__default_pools
+                           + php__pools
+                           + php__group_pools
+                           + php__host_pools
+                           + php__dependent_pools) }}'
+  when: '"fpm" in php__server_api_packages and item.state | d("present") != "absent" and item.owner | d() and item.home | d()'
+
+- name: Make sure required system accounts exist
+  ansible.builtin.user:
+    name: '{{ item.owner }}'
+    group: '{{ item.group | d(item.owner) }}'
+    home: '{{ item.home }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    createhome: '{{ item.createhome | d(omit) }}'
+    state: 'present'
+  loop: '{{ q("flattened", php__default_pools
+                           + php__pools
+                           + php__group_pools
+                           + php__host_pools
+                           + php__dependent_pools) }}'
+  when: '"fpm" in php__server_api_packages and item.state | d("present") != "absent" and item.owner | d() and item.home | d()'
+
+                                                                   # ]]]
+# Ansible local facts [[[
+
+- name: Make sure that Ansible local facts directory is present
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save PHP-FPM local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/php.fact.j2'
+    dest: '/etc/ansible/facts.d/php.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/php/tasks/main_env.yml b/ansible_collections/debops/debops/roles/php/tasks/main_env.yml
new file mode 100644
index 00000000..b0b124b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/tasks/main_env.yml
@@ -0,0 +1,77 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Reset PHP Ansible local facts
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d/php.fact'
+    state: 'absent'
+  notify: [ 'Refresh host facts' ]
+  when: php__reset | bool
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts on reset
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Detect PHP version from available packages
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         apt-cache madison {{ php__version_preference | join(' ') }} \
+           | awk '{print $3}' \
+           | sed -e 's/^.*://' -e 's/\+.*$//' -e 's/\d+\.\d+//' \
+           | awk -F'.' '{print $1"."$2}' \
+           | head -n 1
+  args:
+    executable: '/bin/bash'
+  register: php__register_version
+  check_mode: False
+  changed_when: False
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Detect PHP long version from available packages
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         apt-cache madison {{ 'php' + php__register_version.stdout }} \
+           | awk '{print $3}' | sed -e 's/^.*://' -e 's/\+.*$//' -e 's/\-.*$//' \
+           | head -n 1
+  args:
+    executable: '/bin/bash'
+  register: php__register_long_version
+  check_mode: False
+  changed_when: False
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Set PHP version
+  ansible.builtin.set_fact:
+    php__version: '{{ ansible_local.php.version | d(php__register_version.stdout) }}'
+    php__long_version: '{{ ansible_local.php.long_version
+                           if (ansible_local | d() and ansible_local.php | d() and
+                               ansible_local.php.long_version | d() != "(none)")
+                           else php__register_long_version.stdout }}'
+  tags: [ 'role::php:pools', 'role::php:config' ]
+
+- name: Set PHP base paths
+  ansible.builtin.set_fact:
+    php__etc_base: '{{ ("/etc/php/" + php__version)
+                       if (php__version is version_compare("7.0", ">=") or php__sury | bool)
+                       else "/etc/php5" }}'
+    php__lib_base: '{{ ("/usr/lib/php/" + php__version)
+                       if (php__version is version_compare("7.0", ">=") or php__sury | bool)
+                       else "/usr/lib/php5" }}'
+    php__run_base: '{{ "/run/php"
+                       if (php__version is version_compare("7.0", ">=") or php__sury | bool)
+                       else "/run" }}'
+    php__logrotate_lib_base: '{{ "/usr/lib/php"
+                                 if (php__version is version_compare("7.0", ">=") or php__sury | bool)
+                                 else "/usr/lib/php5" }}'
+  tags: [ 'role::php:pools', 'role::php:config' ]
diff --git a/ansible_collections/debops/debops/roles/php/tasks/packages_absent_for_version.yml b/ansible_collections/debops/debops/roles/php/tasks/packages_absent_for_version.yml
new file mode 100644
index 00000000..f09b73c9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/tasks/packages_absent_for_version.yml
@@ -0,0 +1,18 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure older PHP packages are absent on reset for given PHP version
+  ansible.builtin.apt:
+    name: '{{ item is search("php.*-") | ternary(item, php__version_absent + "-" + item) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", php__server_api_packages
+                           + php__base_packages
+                           + php__packages
+                           + php__group_packages
+                           + php__host_packages
+                           + php__dependent_packages) }}'
diff --git a/ansible_collections/debops/debops/roles/php/templates/etc/ansible/facts.d/php.fact.j2 b/ansible_collections/debops/debops/roles/php/templates/etc/ansible/facts.d/php.fact.j2
new file mode 100644
index 00000000..614e21fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/templates/etc/ansible/facts.d/php.fact.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+ # Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set php__tpl_sury = ansible_local.php.sury | d(php__sury) | bool %}
+{% if php__sury | bool %}
+{%   set php__tpl_sury = php__sury | bool %}
+{% endif %}
+{
+"enabled": "true",
+"long_version": "{{ php__long_version }}",
+"sury": "{{ php__tpl_sury | bool | lower }}",
+"version": "{{ php__version }}",
+"etc_base": "{{ php__etc_base }}",
+"lib_base": "{{ php__lib_base }}",
+"run_base": "{{ php__run_base }}",
+"logrotate_lib_base": "{{ php__logrotate_lib_base }}"
+}
diff --git a/ansible_collections/debops/debops/roles/php/templates/etc/php/ansible/php.ini.j2 b/ansible_collections/debops/debops/roles/php/templates/etc/php/ansible/php.ini.j2
new file mode 100644
index 00000000..8e3e5fe1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/templates/etc/php/ansible/php.ini.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+ # Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+; {{ ansible_managed }}
+
+{% macro print_config(config) -%}
+{%   if config.state | d('present') != 'absent' %}
+{%     if config.comment | d() %}
+; {{ config.comment }}
+{%     endif %}
+{%     if config.name | d() %}
+[{{ config.name }}]
+{%     endif %}
+{%     if config.options | d() %}
+{{ config.options }}
+{%     endif %}
+{%     if config.sections | d() %}
+{%       for element in config.sections %}
+{{ print_config(element) -}}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endmacro -%}
+{{ print_config(item) }}
diff --git a/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/php-fpm.conf.j2 b/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/php-fpm.conf.j2
new file mode 100644
index 00000000..0af313a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/php-fpm.conf.j2
@@ -0,0 +1,137 @@
+{# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+ # Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+; {{ ansible_managed }}
+{#
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix (/usr). This prefix can be dynamically changed by using the
+; '-p' argument from the command line.
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;; #}
+
+[global]
+
+{# ; Pid file
+; Note: the default prefix is /var
+; Default Value: none #}
+pid = {{ php__run_base }}/php{{ php__version }}-fpm.pid
+
+{#
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; in a local file.
+; Note: the default prefix is /var
+; Default Value: log/php-fpm.log #}
+error_log = {{ php__fpm_error_log }}
+{% if php__fpm_syslog | bool %}
+{#
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon #}
+syslog.facility = {{ php__fpm_syslog_facility }}
+{#
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm #}
+syslog.ident = {{ php__fpm_syslog_ident }}
+{#
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice #}
+log_level = {{ php__fpm_log_level }}
+{% endif %}
+
+{#
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0 #}
+emergency_restart_threshold = {{ php__fpm_emergency_restart_threshold }}
+{#
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated.  This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0 #}
+emergency_restart_interval = {{ php__fpm_emergency_restart_interval }}
+{#
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0 #}
+process_control_timeout = {{ php__fpm_process_control_timeout }}
+{#
+; The maximum number of processes FPM will fork. This has been design to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0 #}
+process.max = {{ php__fpm_process_max }}
+{#
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool process will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19 #}
+{#
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+;daemonize = yes #}
+{#
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024 #}
+{#
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0 #}
+{#
+; Specify the event mechanism FPM will use. The following is available:
+; - select     (any POSIX os)
+; - poll       (any POSIX os)
+; - epoll      (linux >= 2.5.44)
+; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
+; - /dev/poll  (Solaris >= 7)
+; - port       (Solaris >= 10)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll #}
+{#
+; When FPM is build with systemd integration, specify the interval,
+; in second, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10 #}
+{#
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;; #}
+
+{# ; Multiple pools of child processes may be started with different listening
+; ports and different management options.  The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+; Relative path can also be used. They will be prefixed by:
+;  - the global prefix if it's been set (-p argument)
+;  - /usr otherwise #}
+include = {{ php__etc_base }}/fpm/pool.d/*.conf
diff --git a/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/pool.d/pool.conf.j2 b/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/pool.d/pool.conf.j2
new file mode 100644
index 00000000..1690468a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/templates/etc/php/fpm/pool.d/pool.conf.j2
@@ -0,0 +1,500 @@
+{# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+ # Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+; {{ ansible_managed }}
+
+{#
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here) #}
+[{{ item.name }}]
+
+{% if item.prefix | d() %}
+{#
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool #}
+prefix = {{ item.prefix }}
+
+{% endif %}
+{#
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used. #}
+user  = {{ item.user | d(item.name) }}
+group = {{ item.group | d(item.name) }}
+
+{#
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory. #}
+listen = {{ item.listen | d('/run/php' + php__version + '-fpm-' + item.name + '.sock') }}
+
+{#
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)  #}
+listen.backlog = {{ item.listen_backlog | d(php__fpm_listen_backlog) }}
+{#
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+;                 mode is set to 0660 #}
+listen.owner = {{ item.listen_owner | d(php__fpm_listen_owner) }}
+listen.group = {{ item.listen_group | d(php__fpm_listen_group) }}
+listen.mode  = {{ item.listen_mode  | d(php__fpm_listen_mode) }}
+{% if (php__version is version_compare('7.0', '>=') and (item.listen_acl_users | d() or item.listen_acl_groups | d())) %}
+{#
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored #}
+listen.acl_users  = {{ item.listen_acl_users  if item.listen_acl_users  is string else item.listen_acl_users  | join(',') }}
+listen.acl_groups = {{ item.listen_acl_groups if item.listen_acl_groups is string else item.listen_acl_groups | join(',') }}
+{% endif %}
+
+{#
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1 #}
+{#
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory. #}
+pm = {{ item.pm | d(php__fpm_pm) }}
+
+{#
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory. #}
+pm.max_children = {{ item.pm_max_children | d(php__fpm_pm_max_children) }}
+{% if ((item.pm | d() and item.pm == 'dynamic') or php__fpm_pm == 'dynamic')  %}
+{#
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 #}
+pm.start_servers = {{ item.pm_start_servers | d(php__fpm_pm_start_servers) }}
+{#
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic' #}
+pm.min_spare_servers = {{ item.pm_min_spare_servers | d(php__fpm_pm_min_spare_servers) }}
+{#
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic' #}
+pm.max_spare_servers = {{ item.pm_max_spare_servers | d(php__fpm_pm_max_spare_servers) }}
+{% endif %}
+{% if ((item.pm is undefined or item.pm == 'ondemand') or php__fpm_pm == 'ondemand') %}
+{#
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s #}
+pm.process_idle_timeout = {{ item.pm_process_idle_timeout | d(php__fpm_pm_process_idle_timeout) }}
+{% endif %}
+{#
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0 #}
+pm.max_requests = {{ item.pm_max_requests | d(php__fpm_pm_max_requests) }}
+
+{#
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following information:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then information are related to the
+; last request the process has served. Otherwise information are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/7.0/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set #}
+{% if ((item.pm_status | d() and item.pm_status | bool) or php__fpm_pm_status | bool) %}
+pm.status_path = {{ item.pm_status_path | d(php__fpm_pm_status_path) }}
+{#
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set #}
+ping.path = {{ item.ping_path | d(php__fpm_ping_path) }}
+{#
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong #}
+ping.response = {{ item.ping_response | d(php__fpm_ping_response) }}
+
+{% endif %}
+{% if ((item.access_log | d() and item.access_log | bool) or php__fpm_access_log | bool) %}
+{#
+; The access log file
+; Default: not set #}
+access.log = /var/log/php{{ php__version }}-fpm/$pool_access.log
+{#
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{milliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some examples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s" #}
+access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+{% endif %}
+{% if item.request_slowlog_timeout | d() %}
+{#
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set #}
+slowlog = var/log/php{{ php__version }}-fpm/$pool_slow.log
+{#
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0 #}
+request_slowlog_timeout = {{ item.request_slowlog_timeout }}
+
+{% endif %}
+{#
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0 #}
+request_terminate_timeout = {{ item.request_terminate_timeout | d(php__fpm_request_terminate_timeout) }}
+
+{#
+; Set open file descriptor rlimit.
+; Default Value: system defined value #}
+rlimit_files = {{ item.rlimit_files | d(php__fpm_rlimit_files) }}
+
+{#
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value #}
+rlimit_core = {{ item.rlimit_core | d(php__fpm_rlimit_core) }}
+
+{% if item.chroot | d() %}
+{#
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set #}
+chroot = {{ item.chroot }}
+{% endif %}
+{#
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot #}
+chdir = {{ item.chdir | d('/') }}
+
+{% if ((item.catch_workers_output | d() and item.catch_workers_output | bool) or php__fpm_catch_workers_output | bool) %}
+{#
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environment, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no #}
+catch_workers_output = yes
+
+{% endif %}
+{#
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+; Feature was introduced in PHP 5.6.0: https://secure.php.net/ChangeLog-5.php
+#}
+{% if php__long_version is version_compare('5.6.0', '>=') %}
+clear_env = {{ 'yes' if ((item.clear_env | d() and item.clear_env | bool) or php__fpm_clear_env | bool) else 'no' }}
+{% endif %}
+
+{#
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php #}
+{% if item.security_limit_extensions | d() %}
+security.limit_extensions = {{ item.security_limit_extensions if item.security_limit_extensions is string else item.security_limit_extensions | join(' ') }}
+{% else %}
+security.limit_extensions = {{ php__fpm_security_limit_extensions if php__fpm_security_limit_extensions is string else php__fpm_security_limit_extensions | join(' ') }}
+{% endif %}
+
+{% if (php__fpm_environment or php__fpm_group_environment or php__fpm_host_environment or item.environment | d()) %}
+{#
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp #}
+{% for key, value in (php__fpm_environment | combine(php__fpm_group_environment | combine(php__fpm_host_environment | combine(item.environment | d({}))))).items() %}
+env[{{ key }}] = {{ value }}
+{% endfor %}
+
+{% endif %}
+{#
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M#}
+{% if item.php_flags | d() %}
+{% for key, value in item.php_flags.items() %}
+php_flag[{{ key }}] = {{ value }}
+{% endfor %}
+
+{% endif %}
+{% if item.php_values | d() %}
+{% for key, value in item.php_values.items() %}
+php_value[{{ key }}] = {{ value }}
+{% endfor %}
+
+{% endif %}
+{% if item.php_admin_flags | d() %}
+{% for key, value in item.php_admin_flags.items() %}
+php_admin_flag[{{ key }}] = {{ value }}
+{% endfor %}
+
+{% endif %}
+{% if item.open_basedir | d() %}
+php_admin_value[open_basedir] = {{ item.open_basedir if item.open_basedir is string else item.open_basedir | join(':') }}
+
+{% endif %}
+{% if item.php_admin_values | d() %}
+{% for key, value in item.php_admin_values.items() %}
+php_admin_value[{{ key }}] = {{ value }}
+{% endfor %}
+
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/php/templates/etc/sudoers.d/php-fpm_webadmins.j2 b/ansible_collections/debops/debops/roles/php/templates/etc/sudoers.d/php-fpm_webadmins.j2
new file mode 100644
index 00000000..17d34991
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/php/templates/etc/sudoers.d/php-fpm_webadmins.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2016      Mariano Barcia <mariano.barcia@gmail.com>
+ # Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+Cmnd_Alias PHP_FPM_RELOAD = /etc/init.d/php{{ php__version }}-fpm reload, \
+                            /bin/systemctl reload php{{ php__version }}-fpm.service
+
+Cmnd_Alias PHP_FPM_STATUS = /etc/init.d/php{{ php__version }}-fpm status, \
+                            /bin/systemctl status php{{ php__version }}-fpm.service
+
+Cmnd_Alias PHP_FPM_STOP = /etc/init.d/php{{ php__version }}-fpm stop, \
+                          /bin/systemctl stop php{{ php__version }}-fpm.service
+
+Cmnd_Alias PHP_FPM_START = /etc/init.d/php{{ php__version }}-fpm start, \
+                           /bin/systemctl start php{{ php__version }}-fpm.service
+
+Cmnd_Alias PHP_FPM_RESTART = /etc/init.d/php{{ php__version }}-fpm restart, \
+                             /bin/systemctl restart php{{ php__version }}-fpm.service
+
+%{{ php__fpm_privileged_group }} ALL = (root) NOPASSWD: PHP_FPM_RELOAD
+%{{ php__fpm_privileged_group }} ALL = (root) NOPASSWD: PHP_FPM_STATUS
+%{{ php__fpm_privileged_group }} ALL = (root) NOPASSWD: PHP_FPM_STOP
+%{{ php__fpm_privileged_group }} ALL = (root) NOPASSWD: PHP_FPM_START
+%{{ php__fpm_privileged_group }} ALL = (root) NOPASSWD: PHP_FPM_RESTART
diff --git a/ansible_collections/debops/debops/roles/phpipam/COPYRIGHT b/ansible_collections/debops/debops/roles/phpipam/COPYRIGHT
new file mode 100644
index 00000000..3a8c048a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.phpipam - Manage phpIPAM installation with Ansible
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/phpipam/defaults/main.yml b/ansible_collections/debops/debops/roles/phpipam/defaults/main.yml
new file mode 100644
index 00000000..a4c36533
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/defaults/main.yml
@@ -0,0 +1,377 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _phpipam__ref_defaults:
+
+# debops.phpipam default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration options [[[
+# -------------------------------
+
+# .. envvar:: phpipam__mode [[[
+#
+# What parts of the "phpIPAM stack" to enable:
+#
+# - ``webui``: configure the Web interface
+#
+# - ``scripts``: configure phpipam-scripts
+#
+phpipam__mode: [ 'webui', 'scripts' ]
+
+                                                                   # ]]]
+# ]]]
+
+# Webserver configuration [[[
+# ---------------------------
+
+# .. envvar:: phpipam__fqdn [[[
+#
+# FQDN on which phpIPAM is configured by :ref:`debops.nginx` Ansible role
+phpipam__fqdn: 'ipam.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__nginx_auth_realm [[[
+#
+# Webserver authentication realm.
+phpipam__nginx_auth_realm: 'IPAM access is restricted'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__nginx_access_policy [[[
+#
+# Name of the "nginx access policy" for phpIPAM. See ``debops.nginx``
+# Ansible role for more details.
+phpipam__nginx_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: phpipam__webserver_user [[[
+#
+# phpIPAM webserver user (needs read-only access to the website code)
+phpipam__webserver_user: '{{ ansible_local.nginx.user
+                             if (ansible_local is defined and
+                                 ansible_local.nginx is defined and
+                                 ansible_local.nginx.user is defined)
+                             else "www-data" }}'
+
+                                                                   # ]]]
+# ]]]
+
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: phpipam__user [[[
+#
+# System user for phpIPAM application
+phpipam__user: 'phpipam'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__group [[[
+#
+# System group for phpIPAM application
+phpipam__group: 'phpipam'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__home [[[
+#
+# Home directory of the ``phpipam__user`` user.
+phpipam__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                   + "/" + phpipam__user }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: phpipam__database_user [[[
+#
+# phpIPAM MySQL database configuration
+phpipam__database_user: 'phpipam'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__database_host [[[
+#
+# FQDN of the MariaDB database host. It will be configured by
+# the :ref:`debops.mariadb` role.
+phpipam__database_host: '{{ ansible_local.mariadb.server }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__database_name [[[
+#
+# The database name used by the phpIPAM
+phpipam__database_name: 'phpipam'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__database_password [[[
+#
+# The database password used by the phpIPAM
+phpipam__database_password: "{{ lookup('password', secret + '/mariadb/' +
+                                ansible_local.mariadb.delegate_to +
+                                '/credentials/' + phpipam__database_user +
+                                '/password length=48') }}"
+                                                                   # ]]]
+# .. envvar:: phpipam__database_schema [[[
+#
+# phpIPAM database schema loaded by Ansible
+phpipam__database_schema: '{{ phpipam__git_checkout + "/db/SCHEMA.sql" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Base application directories [[[
+# --------------------------------
+
+# .. envvar:: phpipam__src [[[
+#
+# Base path for git bare repository with phpIPAM source
+phpipam__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                  + "/" + phpipam__user }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__www [[[
+#
+# Base web root directory for phpIPAM website
+phpipam__www: '{{ (ansible_local.nginx.www
+                  if (ansible_local is defined and
+                      ansible_local.nginx is defined and
+                      ansible_local.nginx.www is defined)
+                  else "/srv/www") + "/" + phpipam__user }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Git repository and checkout [[[
+# -------------------------------
+
+# .. envvar:: phpipam__git_repo [[[
+#
+# phpIPAM source repository
+phpipam__git_repo: 'https://github.com/phpipam/phpipam.git'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__git_dest [[[
+#
+# phpIPAM source directory on the host
+phpipam__git_dest: '{{ phpipam__src + "/" + phpipam__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__git_version [[[
+#
+# phpIPAM git branch to deploy
+phpipam__git_version: 'v1.4.1'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__git_checkout [[[
+#
+# Default path where phpIPAM source files will be deployed
+phpipam__git_checkout: '{{ phpipam__www + "/sites/" + phpipam__fqdn + "/public" }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# phpIPAM config.php [[[
+# ----------------------
+
+# .. envvar:: phpipam__php_session_name [[[
+#
+# Custom PHP session name
+phpipam__php_session_name: "{{ lookup('password', secret + '/credentials/'
+                               + inventory_hostname + '/phpipam/php_session_name
+                               chars=hexdigits length=30') }}"
+
+                                                                   # ]]]
+# ]]]
+
+# The phpipam-scripts variables [[[
+# ---------------------------------
+
+# .. envvar:: phpipam__scripts_git_repo [[[
+#
+# phpIPAM scripts source repository
+phpipam__scripts_git_repo: 'https://github.com/debops/phpipam-scripts'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_git_dest [[[
+#
+# phpIPAM scripts source directory on the host
+phpipam__scripts_git_dest: '{{ "/usr/local/src/phpipam/" + phpipam__scripts_git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_git_version [[[
+#
+# phpIPAM scripts git branch to deploy
+phpipam__scripts_git_version: 'master'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_database_user [[[
+#
+# Database configuration for phpipam scripts
+phpipam__scripts_database_user: '{{ phpipam__database_user }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_database_host [[[
+#
+# The hostname or IP address of the database server to use for the
+# phpIPAM DebOps scripts.
+phpipam__scripts_database_host: '{{ phpipam__database_host }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_database_name [[[
+#
+# The database name used by the phpIPAM DebOps scripts
+phpipam__scripts_database_name: '{{ phpipam__database_name }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_database_password [[[
+#
+# The database password used by the phpIPAM DebOps scripts
+phpipam__scripts_database_password: '{{ phpipam__database_password }}'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_config_sections [[[
+#
+# List of phpIPAM sections to include in generated default configuration. If
+# none are specified, all sections will be included.
+phpipam__scripts_config_sections: []
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_config_subnets [[[
+#
+# List of phpIPAM subnets to include in generated default configuration. If
+# none are specified, all subnets will be included.
+phpipam__scripts_config_subnets: []
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_config_output [[[
+#
+# Default configuration file location
+phpipam__scripts_config_output: '/etc/dhcp/dhcpd-hosts.conf'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_config_restart_command [[[
+#
+# A command to issue after the configuration file is generated and changes were
+# noticed.
+phpipam__scripts_config_restart_command: '/etc/init.d/isc-dhcp-server restart'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_config_groups [[[
+#
+# Default configuration for phpipam-hosts script. It will create
+# a ``/etc/dhcp/dhcpd-hosts.conf`` file with all hosts configured in phpIPAM,
+# or just the sections/subnets specified above. If any changes are detected,
+# DHCP server (by default ISC DHCP) will be restarted.
+phpipam__scripts_config_groups:
+  'hosts':
+    sections: '{{ phpipam__scripts_config_sections }}'
+    subnets: '{{ phpipam__scripts_config_subnets }}'
+    active: 'true'
+    reserved: 'false'
+    offline: 'false'
+    dhcp: 'false'
+    output: '{{ phpipam__scripts_config_output }}'
+    restart_command: '{{ phpipam__scripts_config_restart_command }}'
+    restart: 'true'
+
+                                                                   # ]]]
+# .. envvar:: phpipam__scripts_cron_period [[[
+#
+# phpipam-hosts regeneration period in minutes (cron format)
+phpipam__scripts_cron_period: '*/5'
+                                                                   # ]]]
+# ]]]
+
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: phpipam__php__dependent_packages [[[
+#
+# List of PHP packages to install using :ref:`debops.php` role.
+phpipam__php__dependent_packages:
+  - 'mysql'
+  - 'gmp'
+  - 'gd'
+  - 'curl'
+  - 'mcrypt'
+  - 'ldap'
+  - 'php-pear'
+                                                                   # ]]]
+# .. envvar:: phpipam__php__dependent_pools [[[
+#
+# PHP-FMP pool configuration for the  :ref:`debops.php` Ansible role.
+phpipam__php__dependent_pools:
+
+  - name: 'phpipam'
+    enabled: True
+    user: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    owner: '{{ phpipam__user }}'
+    home: '{{ phpipam__home }}'
+                                                                   # ]]]
+# .. envvar:: phpipam__nginx__dependent_upstreams [[[
+#
+# PHP upstream server configuration managed by the :ref:`debops.nginx` Ansible role.
+phpipam__nginx__dependent_upstreams:
+
+  - name: 'php_phpipam'
+    by_role: 'debops.phpipam'
+    enabled: True
+    type: 'php'
+    php_pool: 'phpipam'
+                                                                   # ]]]
+# .. envvar:: phpipam__nginx_dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+phpipam__nginx__dependent_servers:
+
+  - name: '{{ phpipam__fqdn }}'
+    by_role: 'debops.phpipam'
+    enabled: True
+    type: 'php'
+    root: '{{ phpipam__git_checkout }}'
+    webroot_create: False
+    access_policy: '{{ phpipam__nginx_access_policy }}'
+    auth_basic_realm: '{{ phpipam__nginx_auth_realm }}'
+    php_upstream: 'php_phpipam'
+
+    error_pages:
+      '400': '/index.php?page=error&section=400'
+      '401': '/index.php?page=error&section=401'
+      '403': '/index.php?page=error&section=403'
+      '404': '/index.php?page=error&section=404'
+      '500': '/index.php?page=error&section=500'
+
+    location:
+      '/api': |
+        try_files $uri $uri/ /api/index.php?$args =404;
+
+      '/': |
+        rewrite ^/login/dashboard/$                 /dashboard/ redirect;
+        rewrite ^/logout/dashboard/$                /dashboard/ redirect;
+        rewrite ^/tools/search/(.*)/(.*)/(.*)/(.*)$ /index.php?page=tools&section=search&addresses=$1&subnets=$2&vlans=$3&ip=$4 last;
+        rewrite ^/(.*)/(.*)/(.*)/(.*)/(.*)/$        /index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5 last;
+        rewrite ^/(.*)/(.*)/(.*)/(.*)/$             /index.php?page=$1&section=$2&subnetId=$3&sPage=$4 last;
+        rewrite ^/(.*)/(.*)/(.*)/$                  /index.php?page=$1&section=$2&subnetId=$3 last;
+        rewrite ^/(.*)/(.*)/$                       /index.php?page=$1&section=$2 last;
+        rewrite ^/(.*)/$                            /index.php?page=$1 last;
+        try_files $uri $uri/ $uri.html $uri.htm /index.html /index.htm =404;
+# ]]]
+
+# .. envvar:: phpipam__mariadb__dependent_users [[[
+#
+# List of user accounts to configure by :ref:`debops.mariadb` Ansible role.
+phpipam__mariadb__dependent_users:
+  - database: '{{ phpipam__database_name }}'
+    user: '{{ phpipam__database_user }}'
+    owner: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    home: '{{ phpipam__home }}'
+    system: True
+                                                                   # ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/phpipam/meta/main.yml b/ansible_collections/debops/debops/roles/phpipam/meta/main.yml
new file mode 100644
index 00000000..3bef5b28
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install phpIPAM, an Open Source IP Address Manager'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0`'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - ipam
diff --git a/ansible_collections/debops/debops/roles/phpipam/meta/watch-phpipam b/ansible_collections/debops/debops/roles/phpipam/meta/watch-phpipam
new file mode 100644
index 00000000..2b0cbf3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/meta/watch-phpipam
@@ -0,0 +1,11 @@
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: phpipam
+# Package: phpipam
+# Version: 1.4.1
+
+version=4
+https://github.com/phpipam/phpipam/tags .*/v?(1\.4\..+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/phpipam/tasks/main.yml b/ansible_collections/debops/debops/roles/phpipam/tasks/main.yml
new file mode 100644
index 00000000..44536a89
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure phpIPAM
+  ansible.builtin.include_tasks: phpipam.yml
+  when: phpipam__mode is defined and 'webui' in phpipam__mode
+
+- name: Configure phpIPAM scripts
+  ansible.builtin.include_tasks: phpipam-scripts.yml
+  when: phpipam__mode is defined and 'scripts' in phpipam__mode
diff --git a/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam-scripts.yml b/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam-scripts.yml
new file mode 100644
index 00000000..4ad6c6ca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam-scripts.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages for phpipam-scripts
+  ansible.builtin.package:
+    name: 'python-mysqldb'
+    state: 'present'
+  register: phpipam__register_packages
+  until: phpipam__register_packages is succeeded
+
+- name: Clone phpipam-scripts
+  ansible.builtin.git:
+    repo: '{{ phpipam__scripts_git_repo }}'
+    dest: '{{ phpipam__scripts_git_dest }}'
+    version: '{{ phpipam__scripts_git_version }}'
+    update: True
+  register: phpipam__register_scripts_src
+
+- name: Install phpipam-scripts
+  ansible.builtin.command: 'make install'  # noqa no-handler
+  args:
+    chdir: '{{ phpipam__scripts_git_dest }}'
+  register: phpipam__register_make_install
+  changed_when: phpipam__register_make_install.changed | bool
+  when: phpipam__register_scripts_src is defined and
+        phpipam__register_scripts_src is changed
+
+- name: Configure phpipam-scripts
+  ansible.builtin.template:
+    src: 'etc/dhcp/phpipam.conf.j2'
+    dest: '/etc/dhcp/phpipam.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+
+- name: Configure phpipam-scripts-wrapper
+  ansible.builtin.template:
+    src: 'usr/local/sbin/phpipam-hosts-wrapper.j2'
+    dest: '/usr/local/sbin/phpipam-hosts-wrapper'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  register: phpipam__register_hosts_wrapper
+
+- name: Create wrapper script entry in cron
+  ansible.builtin.cron:
+    name: 'Regenerate DHCP hosts files'
+    cron_file: 'phpipam-scripts'
+    minute: '{{ phpipam__scripts_cron_period }}'
+    job: '/usr/local/sbin/phpipam-hosts-wrapper'
+    user: 'root'
+    state: 'present'
diff --git a/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam.yml b/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam.yml
new file mode 100644
index 00000000..01f6f906
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/tasks/phpipam.yml
@@ -0,0 +1,137 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# ---- Environment ----
+
+- name: Create phpIPAM group
+  ansible.builtin.group:
+    name: '{{ phpipam__group }}'
+    system: True
+    state: 'present'
+
+- name: Create phpIPAM user
+  ansible.builtin.user:
+    name: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    home: '{{ phpipam__home }}'
+    shell: '/usr/sbin/nologin'
+    comment: 'phpIPAM'
+    system: True
+    state: 'present'
+    createhome: False
+
+
+# ---- Deployment ----
+
+- name: Create phpIPAM source directory
+  ansible.builtin.file:
+    path: '{{ phpipam__src }}'
+    state: 'directory'
+    owner: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    mode: '0750'
+
+- name: Clone phpIPAM source from deploy server
+  ansible.builtin.git:
+    repo: '{{ phpipam__git_repo }}'
+    dest: '{{ phpipam__git_dest }}'
+    version: 'master'
+    bare: True
+    update: True
+  become: True
+  become_user: '{{ phpipam__user }}'
+  register: phpipam__register_source
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create phpIPAM checkout directory
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ phpipam__user }}'
+    group: '{{ phpipam__webserver_user }}'
+    mode: '0750'
+  with_items: [ '{{ phpipam__www }}', '{{ phpipam__git_checkout }}' ]
+
+- name: Prepare phpIPAM worktree
+  ansible.builtin.copy:
+    content: 'gitdir: {{ phpipam__git_dest }}'
+    dest: '{{ phpipam__git_checkout + "/.git" }}'
+    owner: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    mode: '0644'
+
+- name: Get commit hash of target checkout
+  environment:
+    GIT_WORK_TREE: '{{ phpipam__git_checkout }}'
+  ansible.builtin.command: git rev-parse {{ phpipam__git_version }}  # noqa command-instead-of-module
+  args:
+    chdir: '{{ phpipam__git_dest }}'
+  become: True
+  become_user: '{{ phpipam__user }}'
+  register: phpipam__register_target_branch
+  changed_when: phpipam__register_target_branch.stdout != phpipam__register_source.before
+
+- name: Checkout phpIPAM
+  environment:
+    GIT_WORK_TREE: '{{ phpipam__git_checkout }}'
+  ansible.builtin.command: git checkout -f {{ phpipam__git_version }}  # noqa command-instead-of-module
+  args:
+    chdir: '{{ phpipam__git_dest }}'
+  become: True
+  become_user: '{{ phpipam__user }}'
+  register: phpipam__register_checkout
+  changed_when: phpipam__register_checkout.changed | bool
+  when: (phpipam__register_source.before is undefined or
+         (phpipam__register_source.before is defined and
+          phpipam__register_target_branch.stdout is defined and
+          phpipam__register_source.before != phpipam__register_target_branch.stdout))
+
+
+# ---- Configuration ----
+
+- name: Check if phpIPAM configuration exists
+  ansible.builtin.stat:
+    path: '{{ phpipam__git_checkout + "/config.php" }}'
+  register: phpipam__register_configuration
+
+- name: Check if MySQL server is installed
+  ansible.builtin.stat:
+    path: '/var/lib/mysql'
+  register: phpipam__register_mysql
+
+- name: Create phpIPAM database in local MySQL instance
+  community.mysql.mysql_db:
+    name: '{{ phpipam__database_name }}'
+    state: 'present'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: phpipam__database_host == 'localhost' and phpipam__register_mysql.stat.exists
+  register: phpipam__register_database_status
+
+- name: Import initial database schema
+  community.mysql.mysql_db:  # noqa no-handler
+    name: '{{ phpipam__database_name }}'
+    state: 'import'
+    target: '{{ phpipam__database_schema }}'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: (phpipam__database_host == 'localhost' and
+         (phpipam__register_database_status is defined and phpipam__register_database_status is changed) and
+         (phpipam__register_configuration is defined and not phpipam__register_configuration.stat.exists))
+
+- name: Configure phpIPAM
+  ansible.builtin.template:
+    src: 'srv/www/sites/config.php.j2'
+    dest: '{{ phpipam__git_checkout + "/config.php" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Create import directory
+  ansible.builtin.file:
+    path: '{{ phpipam__git_checkout + "/site/admin/csvupload" }}'
+    state: 'directory'
+    owner: '{{ phpipam__user }}'
+    group: '{{ phpipam__group }}'
+    mode: '0755'
diff --git a/ansible_collections/debops/debops/roles/phpipam/templates/etc/dhcp/phpipam.conf.j2 b/ansible_collections/debops/debops/roles/phpipam/templates/etc/dhcp/phpipam.conf.j2
new file mode 100644
index 00000000..085fc2bd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/templates/etc/dhcp/phpipam.conf.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration for phpipam-hosts
+
+# Database configuration
+[mysql]
+user		= {{ phpipam__scripts_database_user }}
+host		= {{ phpipam__scripts_database_host }}
+database	= {{ phpipam__scripts_database_name }}
+password	= {{ phpipam__scripts_database_password }}
+
+{% if phpipam__scripts_config_groups is defined and phpipam__scripts_config_groups %}
+{%   for group, config in phpipam__scripts_config_groups.items() %}
+[{{ group }}]
+{%     for key, value in config.items() %}
+{%       if value is defined and value %}
+{%         if value is string %}
+{{ "%-20s = %s" | format(key | replace("_","-"), value) }}
+{%         else %}
+{{ "%-20s = %s" | format(key | replace("_","-"), value | join(" ")) }}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/phpipam/templates/srv/www/sites/config.php.j2 b/ansible_collections/debops/debops/roles/phpipam/templates/srv/www/sites/config.php.j2
new file mode 100644
index 00000000..54feb5af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/templates/srv/www/sites/config.php.j2
@@ -0,0 +1,44 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+
+/* This file is managed by Ansible, all changes will be lost */
+
+/*	database connection details
+ ******************************/
+$db['host'] = "{{ phpipam__database_host }}";
+$db['user'] = "{{ phpipam__database_user }}";
+$db['pass'] = "{{ phpipam__database_password }}";
+$db['name'] = "{{ phpipam__database_name }}";
+
+/**
+ * php debugging on/off
+ *
+ * true  = SHOW all php errors
+ * false = HIDE all php errors
+ ******************************/
+$debugging = false;
+
+/**
+ *	manual set session name for auth
+ *	increases security
+ *	optional
+ */
+$phpsessname = "{{ phpipam__php_session_name | default('phpipam') }}";
+
+/*
+ *	BASE definition if phpipam
+ *	is not in root directory (e.g. /phpipam/)
+ *
+ *  Also change
+ *	RewriteBase / in .htaccess
+ ******************************/
+if (!defined("BASE")) define("BASE", "/");
+
+/*
+    vim:ft=php
+*/
+?>
diff --git a/ansible_collections/debops/debops/roles/phpipam/templates/usr/local/sbin/phpipam-hosts-wrapper.j2 b/ansible_collections/debops/debops/roles/phpipam/templates/usr/local/sbin/phpipam-hosts-wrapper.j2
new file mode 100755
index 00000000..0f08f9de
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpipam/templates/usr/local/sbin/phpipam-hosts-wrapper.j2
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019      Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# phpipam-hosts wrapper script
+
+number_of_groups="{{ phpipam__scripts_config_groups.keys() | count }}"
+readarray -t config_groups << EOF
+{% for group, config in phpipam__scripts_config_groups.items() %}
+{{ group }}
+{% endfor %}
+EOF
+
+if [ "${number_of_groups}" -eq 1 ] ; then
+    for config_group in "${config_groups[@]}" ; do
+        /usr/local/sbin/phpipam-hosts -g "${config_group}" -x > /dev/null
+    done
+else
+    for config_group in "${config_groups[@]}" ; do
+        /usr/local/sbin/phpipam-hosts -g "${config_group}"
+    done
+    /usr/local/sbin/phpipam-hosts -X > /dev/null
+fi
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/COPYRIGHT b/ansible_collections/debops/debops/roles/phpmyadmin/COPYRIGHT
new file mode 100644
index 00000000..0e0dd08d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.phpmyadmin - Manage phpMyAdmin service using Ansible
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/defaults/main.yml b/ansible_collections/debops/debops/roles/phpmyadmin/defaults/main.yml
new file mode 100644
index 00000000..d243c3c1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/defaults/main.yml
@@ -0,0 +1,99 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _phpmyadmin__ref_defaults:
+
+# debops.phpmyadmin default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# .. envvar:: phpmyadmin_dependencies [[[
+#
+# Should PHPMyAdmin role manage its own dependencies?
+phpmyadmin_dependencies: True
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_domain [[[
+#
+# What subdomain should be used for PHPMyAdmin in nginx configuration
+phpmyadmin_domain: [ 'mysql.{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_password_length [[[
+#
+# Default length of generated passwords
+phpmyadmin_password_length: '20'
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_control_password [[[
+#
+# Default PHPMyAdmin control password
+phpmyadmin_control_password: "{{ lookup('password', secret + '/mariadb/' + ansible_local['mariadb'].delegate_to + '/credentials/' + phpmyadmin_control_user + '/password length=' + phpmyadmin_password_length) }}"
+
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_allow [[[
+#
+# List of IP addresses or network ranges in CIDR format, allowed to access
+# PHPMyAdmin. Leave empty to allow access from all IP addresses/networks
+phpmyadmin_allow: []
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_upload_size [[[
+#
+# Max upload size for nginx and php5
+phpmyadmin_upload_size: '64M'
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin_php5_max_children [[[
+#
+# Maximum number of PHP5 processes for PHPMyAdmin
+phpmyadmin_php5_max_children: '20'
+
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: phpmyadmin__php__dependent_packages [[[
+#
+# Package configuration for the :ref:`debops.php` Ansible role.
+phpmyadmin__php__dependent_packages:
+
+  - 'mysql'
+  - 'mcrypt'
+  - 'gd'
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin__php__dependent_pools [[[
+#
+# Pool configuration for the :ref:`debops.php` Ansible role.
+phpmyadmin__php__dependent_pools:
+
+  - '{{ phpmyadmin_php5_pool }}'
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+phpmyadmin__nginx__dependent_servers:
+
+  - '{{ phpmyadmin_nginx_server }}'
+
+                                                                   # ]]]
+# .. envvar:: phpmyadmin__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+phpmyadmin__nginx__dependent_upstreams:
+
+  - '{{ phpmyadmin_nginx_upstream_php5 }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/meta/main.yml b/ansible_collections/debops/debops/roles/phpmyadmin/meta/main.yml
new file mode 100644
index 00000000..28fa0541
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure PHPMyAdmin on a MySQL database server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mysql
+    - database
+    - php
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/tasks/main.yml b/ansible_collections/debops/debops/roles/phpmyadmin/tasks/main.yml
new file mode 100644
index 00000000..f967fc30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install dbconfig-common
+  ansible.builtin.package:
+    name: 'dbconfig-common'
+    state: 'present'
+  register: phpmyadmin__register_dbconfig_packages
+  until: phpmyadmin__register_dbconfig_packages is succeeded
+
+- name: Pre-configure PHPMyAdmin database
+  ansible.builtin.template:
+    src: 'etc/dbconfig-common/phpmyadmin.conf.j2'
+    dest: '/etc/dbconfig-common/phpmyadmin.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+
+- name: Install PHPMyAdmin packages
+  ansible.builtin.package:
+    name: 'phpmyadmin'
+    state: 'present'
+  register: phpmyadmin__register_packages
+  until: phpmyadmin__register_packages is succeeded
+
+- name: Create database for PHPMyAdmin
+  community.mysql.mysql_db:
+    name: '{{ phpmyadmin_control_database | default("phpmyadmin") }}'
+    state: 'present'
+  register: phpmyadmin_database
+
+- name: Import PHPMyAdmin schema
+  community.mysql.mysql_db:  # noqa no-handler
+    name: '{{ phpmyadmin_control_database | default("phpmyadmin") }}'
+    state: 'import'
+    target: '/usr/share/dbconfig-common/data/phpmyadmin/install/mysql'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: phpmyadmin_database is defined and phpmyadmin_database is changed
+
+- name: Create PHPMyAdmin control user
+  community.mysql.mysql_user:
+    name: "{{ phpmyadmin_control_user | default('phpmyadmin') }}"
+    state: 'present'
+    password: '{{ phpmyadmin_control_password }}'
+    priv: "{{ phpmyadmin_control_database | default('phpmyadmin') }}.*:ALL"
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2 b/ansible_collections/debops/debops/roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2
new file mode 100644
index 00000000..fc53c14d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2
@@ -0,0 +1,81 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# automatically generated by the maintainer scripts of phpmyadmin
+# any changes you make will be preserved, though your comments
+# will be lost!  to change your settings you should edit this
+# file and then run "dpkg-reconfigure phpmyadmin"
+
+# dbc_install: configure database with dbconfig-common?
+#              set to anything but "true" to opt out of assistance
+dbc_install='false'
+
+# dbc_upgrade: upgrade database with dbconfig-common?
+#              set to anything but "true" to opt out of assistance
+dbc_upgrade='false'
+
+# dbc_remove: deconfigure database with dbconfig-common?
+#             set to anything but "true" to opt out of assistance
+dbc_remove=''
+
+# dbc_dbtype: type of underlying database to use
+#	this exists primarily to let dbconfig-common know what database
+#	type to use when a package supports multiple database types.
+#	don't change this value unless you know for certain that this
+#	package supports multiple database types
+dbc_dbtype='mysql'
+
+# dbc_dbuser: database user
+#	the name of the user who we will use to connect to the database.
+dbc_dbuser='{{ phpmyadmin_control_user }}'
+
+# dbc_dbpass: database user password
+#	the password to use with the above username when connecting
+#	to a database, if one is required
+dbc_dbpass='{{ phpmyadmin_control_password }}'
+
+# dbc_dbserver: database host.
+#	leave unset to use localhost (or a more efficient local method
+#	if it exists).
+dbc_dbserver=''
+
+# dbc_dbport: remote database port
+#	leave unset to use the default.  only applicable if you are
+#	using a remote database.
+dbc_dbport=''
+
+# dbc_dbname: name of database
+#	this is the name of your application's database.
+dbc_dbname='{{ phpmyadmin_control_database }}'
+
+# dbc_dbadmin: name of the administrative user
+#	this is the administrative user that is used to create all of the above
+dbc_dbadmin='root'
+
+# dbc_basepath: base directory to hold database files
+#	leave unset to use the default.  only applicable if you are
+#	using a local (filesystem based) database.
+dbc_basepath=''
+
+##
+## postgresql specific settings.  if you don't use postgresql,
+## you can safely ignore all of these
+##
+
+# dbc_ssl: should we require ssl?
+#	set to "true" to require that connections use ssl
+dbc_ssl=''
+
+# dbc_authmethod_admin: authentication method for admin
+# dbc_authmethod_user: authentication method for dbuser
+#	see the section titled "AUTHENTICATION METHODS" in
+#	/usr/share/doc/dbconfig-common/README.pgsql for more info
+dbc_authmethod_admin=''
+dbc_authmethod_user=''
+
+##
+## end postgresql specific settings
+##
diff --git a/ansible_collections/debops/debops/roles/phpmyadmin/vars/main.yml b/ansible_collections/debops/debops/roles/phpmyadmin/vars/main.yml
new file mode 100644
index 00000000..e188efcb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/phpmyadmin/vars/main.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+phpmyadmin_control_user: 'phpmyadmin'
+phpmyadmin_control_database: 'phpmyadmin'
+
+phpmyadmin_nginx_server:
+  by_role: 'debops.phpmyadmin'
+  enabled: True
+  default: False
+  type: 'php5'
+  name: '{{ phpmyadmin_domain }}'
+  root: '/usr/share/phpmyadmin'
+  webroot_create: False
+
+  options: |
+    client_max_body_size  {{ phpmyadmin_upload_size }};
+
+  location:
+
+    # Required for location_allow to work
+    '/': 'try_files $uri $uri/ =404;'
+
+    '~ ^/(setup|libraries)': 'deny all;'
+
+  location_allow:
+    '/': '{{ phpmyadmin_allow }}'
+
+  php5: 'php5_phpmyadmin'
+
+  php5_options: |
+    {% if phpmyadmin_allow is defined and phpmyadmin_allow %}
+    {% for address in phpmyadmin_allow %}
+    allow {{ address }};
+    {% endfor %}
+    deny all;
+    {% endif %}
+
+phpmyadmin_nginx_upstream_php5:
+  enabled: True
+  name: 'php5_phpmyadmin'
+  type: 'php5'
+  php5: 'phpmyadmin'
+
+phpmyadmin_php5_pool:
+  enabled: True
+  name: 'phpmyadmin'
+  user: 'www-data'
+  group: 'www-data'
+  pm_max_children: '{{ phpmyadmin_php5_max_children }}'
+  php_value:
+    post_max_size: '{{ phpmyadmin_upload_size }}'
+    upload_max_filesize: '{{ phpmyadmin_upload_size }}'
diff --git a/ansible_collections/debops/debops/roles/pki/COPYRIGHT b/ansible_collections/debops/debops/roles/pki/COPYRIGHT
new file mode 100644
index 00000000..421e69ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.pki - PKI management using Ansible
+
+Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2014-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/pki/defaults/main.yml b/ansible_collections/debops/debops/roles/pki/defaults/main.yml
new file mode 100644
index 00000000..b3ad1a02
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/defaults/main.yml
@@ -0,0 +1,833 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _pki__ref_defaults:
+
+# debops.pki default variables [[[
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global PKI configuration [[[
+# ----------------------------
+
+# .. envvar:: pki_enabled [[[
+#
+# Enable or disable PKI support.
+pki_enabled: '{{ (True
+                  if pki_default_domain
+                  else False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_download_extra [[[
+#
+# Enable or disable extra file copying.
+pki_download_extra: True
+
+                                                                   # ]]]
+# .. envvar:: pki_internal [[[
+#
+# Enable or disable support for internal certificates. If the support is
+# disabled, the PKI realm will generate its own set of self-signed
+# certificates on remote hosts.
+pki_internal: '{{ (True
+                   if pki_default_domain
+                   else False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_inventory_groups [[[
+#
+# List of Ansible inventory group names which are taken into account while
+# managing the PKI realms. These inventory groups will have their own
+# directories inside the :file:`secret/pki/realms/by-group/` directory on the
+# Ansible Controller, and files put there will be copied to remote hosts.
+pki_inventory_groups: [ 'debops_service_pki' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_vcs_ignore_patterns_role [[[
+#
+# This list of ignore patterns for files below :file:`/etc/pki` that version
+# control systems should ignore.
+# :file:`/etc` is not tracked by default by a version control system.
+# This definition exists preliminary in case you decide to use
+# :program:`etckeeper` for example to track changes in :file:`/etc`. In case
+# you want to track sensitive files by a version control system specify:
+#
+# .. code-block:: yaml
+#   :linenos:
+#
+#    pki_vcs_ignore_patterns_role: []
+#
+# in your inventory and be sure that you know what you are doing!
+#
+# Note that currently, only :command:`git` as version control system is supported. If
+# you use another version control system, be sure to add support for it to
+# this role.
+# Ignore patterns are specified using the :file:`.gitignore` file format
+# documented in :manpage:`gitignore(5)`.
+# By default, any file path below :file:`/etc/pki` contained in a subdirectory
+# called :file:`private` will not be tracked.
+#
+# .. note:: When you started using this role before version 0.2.11 and
+#    sensitive files are already tracked by version control you will need to
+#    manually deleted them from version control history!
+#
+pki_vcs_ignore_patterns_role: [ '**/private/**' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_vcs_ignore_patterns [[[
+#
+# Refer to  :envvar:`pki_vcs_ignore_patterns_role` for details.
+# This variable is intended to be used in Ansible’s global inventory and allows
+# you to define additional file patterns without having to overwrite the
+# recommended ignore list maintained by this role.
+pki_vcs_ignore_patterns: []
+
+                                                                   # ]]]
+# .. envvar:: pki_vcs_ignore_patterns_group [[[
+#
+# Refer to  :envvar:`pki_vcs_ignore_patterns_role` for details.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported) and allows you to define additional file
+# patterns without having to overwrite the recommended ignore list maintained by
+# this role.
+pki_vcs_ignore_patterns_group: []
+
+                                                                   # ]]]
+# .. envvar:: pki_vcs_ignore_patterns_host [[[
+#
+# Refer to  :envvar:`pki_vcs_ignore_patterns_role` for details.
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported) and allows you to define additional file
+# patterns without having to overwrite the recommended ignore list maintained by
+# this role.
+pki_vcs_ignore_patterns_host: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Automatic Certificate Management Environment [[[
+# ------------------------------------------------
+
+# .. envvar:: pki_acme [[[
+#
+# Enable or disable support for ACME certificates.
+pki_acme: '{{ (True
+               if (((ansible_all_ipv4_addresses | d([]) +
+                     ansible_all_ipv6_addresses | d([])) | ansible.utils.ipaddr("public")
+                    and pki_default_domain)
+                   or pki_acme_type != "acme-tiny")
+               else False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_install [[[
+#
+# Install ACME support but don't enable it by default for each realm.
+pki_acme_install: '{{ pki_acme | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_library [[[
+#
+# The crypto library used to generate Certificate Signing Requests for ACME
+# certificates, either :command:`openssl` or :command:`gnutls`. Currently
+# OpenSSL is recommended due to issues with GnuTLS generation.
+pki_acme_library: 'openssl'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_user [[[
+#
+# Name of the system user account which will be used to interact with the ACME
+# Certificate Authority.
+pki_acme_user: 'pki-acme'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_group [[[
+#
+# Name of the system group which will be used to interact with the ACME
+# Certificate Authority.
+pki_acme_group: 'pki-acme'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_home [[[
+#
+# Home of the user account that interacts with the ACME Certificate Authority.
+pki_acme_home: '/run/pki-acme'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_default_subdomains [[[
+#
+# List of DNS subdomains that will be added by default to each apex (root)
+# domain configured in ACME Certificate Signing Requests.
+pki_acme_default_subdomains: []
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_type [[[
+#
+# ACME client to use to interact with the ACME Certificate Authority.
+# Supported values: 'acme-tiny', 'dns-cloudflare', 'dns-digitalocean',
+# 'dns-dnsimple', 'dns-gehirn', 'dns-google', 'dns-linode',
+# 'dns-ovh', 'dns-rfc2136', 'dns-route53', 'dns-sakuracloud', 'dns-gandi'
+pki_acme_type: 'acme-tiny'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_tiny_repo [[[
+#
+# URL of the :program:`acme-tiny` :command:`git` repository.
+pki_acme_tiny_repo: 'https://github.com/diafygi/acme-tiny'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_tiny_version [[[
+#
+# Branch or version of the :program:`acme-tiny` source which should be used.
+pki_acme_tiny_version: 'main'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_tiny_src [[[
+#
+# Directory where :program:`acme-tiny` source code will be cloned into for deployment.
+pki_acme_tiny_src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                       + "/" + pki_acme_user }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_tiny_bin [[[
+#
+# Path where the :program:`acme-tiny` script will be installed.
+pki_acme_tiny_bin: '/usr/local/bin/acme-tiny'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_ca [[[
+#
+# Name of the ACME API endpoint used by the ACME client. The name-URL mapping
+# is done in :envvar:`pki_acme_ca_api_map` dictionary variable.
+pki_acme_ca: 'le-live-v2'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_ca_api_map [[[
+#
+# Dictionary map of the ACME API endpoints, mapped to custom names, used by the
+# ACME client.
+# Refer to the `Let's Encrypt Staging Environment documentation <https://letsencrypt.org/docs/staging-environment/>`__
+# for details about ``le-staging-v2``.
+pki_acme_ca_api_map:
+  'le-live':    'https://acme-v01.api.letsencrypt.org'
+  'le-staging': 'https://acme-staging.api.letsencrypt.org'
+  'le-live-v2': 'https://acme-v02.api.letsencrypt.org/directory'
+  'le-staging-v2': 'https://acme-staging-v02.api.letsencrypt.org/directory'
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_contacts [[[
+#
+# List of (mailto:) URLs that the ACME server can use to contact you for issues
+# related to your account. For example, the server may wish to notify you about
+# server-initiated revocation or certificate expiration.
+pki_acme_contacts: [ 'mailto:{{ ansible_local.core.admin_public_email[0] | d("root@" + ansible_domain) }}' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_challenge_dir [[[
+#
+# Directory where the ACME client should store responses to ACME CA challenges.
+# By default it's defined by the ``debops.nginx`` Ansible role using Ansible
+# facts.
+pki_acme_challenge_dir: '{{ ansible_local.nginx.acme_root | d("/srv/www/sites/acme/public")
+                            + "/.well-known/acme-challenge" }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_create_acme_challenge_dir [[[
+#
+# Whether the directory where the ACME client should store responses
+# should be created.
+pki_create_acme_challenge_dir: '{{ True if (ansible_local.nginx.acme | d() and
+                                            ansible_local.nginx.acme | bool) else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Certbot configuration [[[
+# -------------------------
+
+# The lists below define the contents of the :file:`/etc/letsencrypt/cli.ini`
+# configuration file. See :ref:`pki_ref_certbot_configuration` for more
+# details.
+
+# .. envvar:: pki_certbot_default_configuration [[[
+#
+# The default contents of the Certbot configuration file defined by the role.
+pki_certbot_default_configuration:
+
+  - name: 'key-type'
+    comment: |
+      Define the default key signature algorithm to use for certificates.
+      DebOps currently supports only RSA signature algorithm.
+    value: 'rsa'
+
+  - name: 'max-log-backups'
+    comment: |
+      Because we are using logrotate for greater flexibility, disable the
+      internal certbot logrotation.
+    value: 0
+
+  - name: 'post-hook'
+    comment: |
+      The certbot script does not execute post-hooks on initial certificate
+      issuance, only renewals. This should ensure that the permissions are
+      fixed when certificates are created.
+    value: '/etc/letsencrypt/renewal-hooks/post/000-fix-permissions'
+
+                                                                   # ]]]
+# .. envvar:: pki_certbot_configuration [[[
+#
+# The contents of the Certbot configuration file defined by the user.
+pki_certbot_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: pki_certbot_combined_configuration [[[
+#
+# The variable which combines the Certbot configuration variables and is used
+# in role tasks and templates.
+pki_certbot_combined_configuration: '{{ pki_certbot_default_configuration
+                                        + pki_certbot_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Required software packages [[[
+# ------------------------------
+
+# .. envvar:: pki_base_packages [[[
+#
+# List of APT packages to install by default on the remote host for
+# cryptographic support.
+pki_base_packages: [ 'ssl-cert', 'make', 'ca-certificates',
+                     'gnutls-bin', 'openssl', 'acl' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_acme_packages [[[
+#
+# List of APT packages required by ACME support.
+pki_acme_packages:
+  - '{{ "curl" if (pki_acme_type == "acme-tiny" and pki_acme_install | bool) else [] }}'
+  - '{{ "git" if (pki_acme_type == "acme-tiny" and pki_acme_install | bool) else [] }}'
+  - '{{ [] if (pki_acme_install | bool == false or ansible_distribution_release in
+               ["stretch", "trusty", "xenial", "bionic"])
+           else "acme-tiny" if (pki_acme_type == "acme-tiny") else [] }}'
+  - '{{ "python3-certbot-dns-cloudflare" if (pki_acme_type == "dns-cloudflare" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-digitalocean" if (pki_acme_type == "dns-digitalocean" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-dnsimple" if (pki_acme_type == "dns-dnsimple" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-gehirn" if (pki_acme_type == "dns-gehirn" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-google" if (pki_acme_type == "dns-google" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-linode" if (pki_acme_type == "dns-linode" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-ovh" if (pki_acme_type == "dns-ovh" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-rfc2136" if (pki_acme_type == "dns-rfc2136" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-route53" if (pki_acme_type == "dns-route53" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-sakuracloud" if (pki_acme_type == "dns-sakuracloud" and pki_acme_install | bool) else [] }}'
+  - '{{ "python3-certbot-dns-gandi" if (pki_acme_type == "dns-gandi" and pki_acme_install | bool) else [] }}'
+  - '{{ "certbot" if (pki_acme_type in
+                ["dns-cloudflare", "dns-digitalocean",
+                 "dns-dnsimple", "dns-gehirn", "dns-google",
+                 "dns-linode", "dns-ovh", "dns-rfc2136",
+                 "dns-route53", "dns-sakuracloud", "dns-gandi", "manual"]
+           and pki_acme_install | bool) else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_packages [[[
+#
+# List of additional APT packages to install.
+pki_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory, file and user/group configuration [[[
+# ------------------------------------------------
+
+# .. envvar:: pki_root [[[
+#
+# Root directory of the PKI configuration on remote hosts.
+pki_root: '/etc/pki'
+
+                                                                   # ]]]
+# .. envvar:: pki_public_group [[[
+#
+# Default system group which owns the public files and directories.
+pki_public_group: 'root'
+
+                                                                   # ]]]
+# .. envvar:: pki_private_group [[[
+#
+# Default system group which owns the private files and directories.
+pki_private_group: 'ssl-cert'
+
+                                                                   # ]]]
+# .. envvar:: pki_public_dir_mode [[[
+#
+# Octal permissions of the public directories.
+pki_public_dir_mode: '0755'
+
+                                                                   # ]]]
+# .. envvar:: pki_private_dir_mode [[[
+#
+# Octal permissions of private directories.
+pki_private_dir_mode: '0750'
+
+                                                                   # ]]]
+# .. envvar:: pki_public_mode [[[
+#
+# Octal permissions of public files.
+pki_public_mode: '0644'
+
+                                                                   # ]]]
+# .. envvar:: pki_private_mode [[[
+#
+# Octal permissions of private files.
+pki_private_mode: '0640'
+
+                                                                   # ]]]
+# .. envvar:: pki_private_groups_present [[[
+#
+# Create system group specified here if they don't exist. This can be used to
+# ensure that private directories and files are owned by correct group before the
+# role that creates the group is run by Ansible. See
+# :ref:`pki__ref_private_groups_present` for more details.
+pki_private_groups_present: []
+
+                                                                   # ]]]
+# .. envvar:: pki_private_dir_acl_groups [[[
+#
+# List of system groups which should have access to the ``private`` directory
+# of each realm, unless specified otherwise. The execute access will be granted
+# using the filesystem ACL table.
+pki_private_dir_acl_groups: []
+
+                                                                   # ]]]
+# .. envvar:: pki_private_file_acl_groups [[[
+#
+# List of system groups which should have read access to key files in
+# :file:`private/` directory of each realm, unless specified otherwise. The read
+# access will be granted using the filesystem ACL table.
+pki_private_file_acl_groups: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Certificate sign times [[[
+# --------------------------
+
+# .. envvar:: pki_default_sign_base [[[
+#
+# The base amount of time in days which is used for signing various
+# certificates. By default, 1 year.
+pki_default_sign_base: '365'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_root_sign_multiplier [[[
+#
+# Amount of time which Root Certificate Authority will be valid, multiplied by
+# the base time amount.
+pki_default_root_sign_multiplier: '12'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_ca_sign_multiplier [[[
+#
+# Amount of time which intermediate CA certificates will be valid, multiplied
+# by the base time amount.
+pki_default_ca_sign_multiplier: '10'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_cert_sign_multiplier [[[
+#
+# Amount of time which client/server certificates will be valid, multiplied by
+# the base time amount.
+pki_default_cert_sign_multiplier: '3'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of PKI Realms [[[
+# -------------------------------
+
+# .. envvar:: pki_library [[[
+#
+# The crypto library used to manage PKI realms on remote hosts, either
+# :command:`gnutls` or :command:`openssl`. GnuTLS is preferred on Debian hosts.
+pki_library: 'gnutls'
+
+                                                                   # ]]]
+# .. envvar:: pki_realm_key_size [[[
+#
+# The key size in bits to use when generating realm RSA keys.
+pki_realm_key_size: '2048'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_realm [[[
+#
+# System-wide PKI realm which is used by services by default for server
+# certificates. It will be set in Ansible local facts for use by other Ansible
+# roles.
+pki_system_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_realm [[[
+#
+# System-wide PKI realm which is used by services by default for CA certificate
+# (client authentication). It will be set in Ansible local facts for use by other
+# Ansible roles.
+pki_system_ca_realm: '{{ pki_system_realm }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_domain [[[
+#
+# Default DNS domain used to create Certificate Signing Requests. It will be
+# specified in the certificate Subject if it's not redefined, as well as in the
+# certificate SubjectAltName field.
+pki_default_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_subdomains [[[
+#
+# List of additional subdomains added by default to all domain specified in the
+# Certificate Signing Request. The ``_wildcard_`` is a replacement for the ``*``
+# character and means that each domain will have an alternative wildcard
+# SubjectAltName.
+pki_default_subdomains: [ '_wildcard_' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_authority_preference [[[
+#
+# Order in which different certificate types are used. First certificate type
+# found wins.
+pki_authority_preference: [ 'external', 'acme', 'internal', 'selfsigned' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_realms [[[
+#
+# List of PKI realms configured on all hosts.
+# Refer to the :ref:`documentation of all options <pki__ref_realms>` for
+# more details.
+pki_realms: []
+
+                                                                   # ]]]
+# .. envvar:: pki_default_realms [[[
+#
+# List of the default PKI realms configured on all hosts.
+pki_default_realms:
+
+  - name: 'domain'
+    acme: False
+    default_subdomains:
+      - '{{ ansible_hostname }}'
+      - '*.{{ ansible_hostname }}'
+      - '_wildcard_'
+
+                                                                   # ]]]
+# .. envvar:: pki_group_realms [[[
+#
+# List of PKI realms configured in specific inventory groups.
+pki_group_realms: []
+
+                                                                   # ]]]
+# .. envvar:: pki_host_realms [[[
+#
+# List of PKI realms configured on specific hosts.
+pki_host_realms: []
+
+                                                                   # ]]]
+# .. envvar:: pki_dependent_realms [[[
+#
+# List of PKI realms configured in a role dependency.
+pki_dependent_realms: []
+
+                                                                   # ]]]
+# .. envvar:: pki_scheduler [[[
+#
+# Enable periodic runs of :program:`pki-realm` script for all PKI realms. The
+# script will check realm structure and renew certificates that are near their
+# expiration date.
+pki_scheduler: True
+
+                                                                   # ]]]
+# .. envvar:: pki_scheduler_interval [[[
+#
+# Specify the interval of periodical tasks: ``hourly``, ``daily``, ``weekly``
+# or ``monthly``.
+pki_scheduler_interval: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: pki_dhparam [[[
+#
+# Specify if Diffie-Hellman parameters should be appended to the certificate
+# chain. This is required by applications that don't support DHE parameters in
+# a separate file like HAproxy, ZNC.
+pki_dhparam: '{{ True
+                 if ansible_local.dhparam.default | d()
+                 else False }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_dhparam_file [[[
+#
+# Path to the Diffie-Hellman parameters file which will be appended to the
+# certificate chain, if specified.
+pki_dhparam_file: '{{ ansible_local.dhparam.default | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Internal Certificate Authorities [[[
+# ------------------------------------
+
+# .. envvar:: pki_ca_library [[[
+#
+# The crypto library used by the Certificate Authorities on the Ansible
+# Controller, either :command:`openssl` or :command:`gnutls`. Currently OpenSSL library is
+# preferred due to rich functionality.
+pki_ca_library: 'openssl'
+
+                                                                   # ]]]
+# .. envvar:: pki_default_authority [[[
+#
+# Name of the default Certificate Authority to which host certificates are
+# directed if a PKI realm does not specify a default Authority.
+pki_default_authority: 'domain'
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_name_constraints [[[
+#
+# Specify if the ``nameConstraints`` CA certificate extension should be
+# included in the generated CA certificates by default.
+pki_ca_name_constraints: True
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_name_constraints_critical [[[
+#
+# Specify if the ``nameConstraints`` CA certificate extension should be
+# marked critical by default. Enabling this when using ``nameConstraints`` is
+# recommended by the CA/Browser Forum.
+# Ref: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.4.pdf
+pki_ca_name_constraints_critical: True
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_domain [[[
+#
+# The DNS domain used by default for an Certificate Authority configuration if
+# no specific ``item.domain`` is configured.
+pki_ca_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_organization [[[
+#
+# A string with the organization's name to be used in Distinguished Names
+# (subject).
+pki_ca_organization: '{{ pki_ca_domain.split(".") | first | capitalize }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_root_dn [[[
+#
+# The Distinguished Name (subject) of the Root Certificate Authority.
+pki_ca_root_dn: [ 'o={{ pki_ca_organization }} Certificate Authority' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_root_key_size [[[
+#
+# The key size in bits to use when generating the RSA Root CA key.
+pki_ca_root_key_size: '4096'
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_domain_dn [[[
+#
+# The Distinguished Name (subject) of the Domain Certificate Authority.
+pki_ca_domain_dn: [ 'o={{ pki_ca_organization }}', 'ou=Domain CA' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_domain_key_size [[[
+#
+# The key size in bits to use when generating the RSA Domain CA key.
+pki_ca_domain_key_size: '4096'
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_service_enabled [[[
+#
+# Enable or disable special Service Certificate Authority, which is a Root CA
+# without intermediate CA and sign server certificates directly. This might be
+# needed by specific applications like MySQL which do not support an
+# intermediate CA.
+pki_ca_service_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_service_dn [[[
+#
+# The Distinguished Name (subject) of the Service Certificate Authority.
+pki_ca_service_dn: [ 'o={{ pki_ca_organization }}', 'ou=Internal Services CA' ]
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_service_key_size [[[
+#
+# The key size in bits to use when generating the RSA Service CA key.
+pki_ca_service_key_size: '4096'
+
+                                                                   # ]]]
+# .. envvar:: pki_authorities_ca_root [[[
+#
+# Configuration of the Root Certificate Authority.
+pki_authorities_ca_root:
+  name: 'root'
+  enabled: '{{ True if pki_ca_domain | d() else False }}'
+  subdomain: 'root-ca'
+  subject: '{{ pki_ca_root_dn }}'
+  key_size: '{{ pki_ca_root_key_size }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_authorities_ca_domain [[[
+#
+# Configuration of the Domain Certificate Authority.
+pki_authorities_ca_domain:
+  name: 'domain'
+  enabled: '{{ True if pki_ca_domain | d() else False }}'
+  subdomain: 'domain-ca'
+  subject: '{{ pki_ca_domain_dn }}'
+  issuer_name: 'root'
+  key_size: '{{ pki_ca_domain_key_size }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_authorities_ca_service [[[
+#
+# Configuration of the Service Certificate Authority.
+pki_authorities_ca_service:
+  name: 'service'
+  subdomain: 'service-ca'
+  subject: '{{ pki_ca_service_dn }}'
+  type: 'service'
+  enabled: '{{ True if (pki_ca_domain | d() and pki_ca_service_enabled | bool) else False }}'
+  key_size: '{{ pki_ca_service_key_size }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_authorities [[[
+#
+# List of internal Certificate Authorities managed on an Ansible Controller.
+# Each CA is defined as a dictionary variable.
+pki_authorities:
+  - '{{ pki_authorities_ca_root }}'
+  - '{{ pki_authorities_ca_domain }}'
+  - '{{ pki_authorities_ca_service }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_dependent_authorities [[[
+#
+# List of Certificate Authorities defined as a role dependency.
+pki_dependent_authorities: []
+
+                                                                   # ]]]
+# .. envvar:: pki_ca_certificates_path [[[
+#
+# The path inside :file:`secret/ca-certificates/` directory located on Ansible
+# Controller where Root CA certificates will be symlinked by default. Can be
+# one of:
+#
+# - ``by-group/all`` - certificates copied to all hosts;
+#
+# - ``by-group/{{ group_name }}`` - certificates copied to hosts in a specified
+#   inventory group;
+#
+# - ``by-host/{{ inventory_hostname }}`` - certificates copied to a specific host;
+#
+pki_ca_certificates_path: 'by-group/all'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom file management [[[
+# --------------------------
+
+# You can use custom file lists to copy files to remote hosts or install
+# the content of Jinja variables. See :ref:`custom_file_management` for more
+# details.
+
+# .. envvar:: pki_private_files [[[
+#
+# Copy private files to all hosts in inventory.
+pki_private_files: []
+
+                                                                   # ]]]
+# .. envvar:: pki_group_private_files [[[
+#
+# Copy private files to hosts in specific inventory groups.
+pki_group_private_files: []
+
+                                                                   # ]]]
+# .. envvar:: pki_host_private_files [[[
+#
+# Copy private files to specific hosts in inventory.
+pki_host_private_files: []
+
+                                                                   # ]]]
+# .. envvar:: pki_public_files [[[
+#
+# Copy public files to all hosts in inventory.
+pki_public_files: []
+
+                                                                   # ]]]
+# .. envvar:: pki_group_public_files [[[
+#
+# Copy public files to hosts in specific inventory group.
+pki_group_public_files: []
+
+                                                                   # ]]]
+# .. envvar:: pki_host_public_files [[[
+#
+# Copy public files to specific hosts in inventory.
+pki_host_public_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# System-wide CA Certificates [[[
+# -------------------------------
+
+# See :ref:`system_ca_certificates` for more details about management of
+# system-wide CA certificates.
+
+# .. envvar:: pki_system_ca_certificates_trust_new [[[
+#
+# Set default trust policy for new certificates added to ``ca-certificates``
+# system package.
+pki_system_ca_certificates_trust_new: True
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_blacklist [[[
+#
+# List of blacklisted CA certificates. You can specify either exact names of
+# certificate files or use regular expressions. If a certificate is
+# found in both lists, it will be blacklisted.
+pki_system_ca_certificates_blacklist:
+
+  # Blacklist CNNIC Root Certificates
+  # https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html
+  - 'mozilla/CNNIC_ROOT.crt'
+  - 'mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_whitelist [[[
+#
+# List of whitelisted CA certificates. You can specify either exact names of
+# certificate files or use regular expressions.
+pki_system_ca_certificates_whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_download_by_host [[[
+#
+# If ``True``, by hosts CA certificates are downloaded on remote hosts.
+pki_system_ca_certificates_download_by_host: '{{ pki_enabled | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_download_by_group [[[
+#
+# If ``True``, by group CA certificates are downloaded on remote hosts.
+pki_system_ca_certificates_download_by_group: '{{ pki_enabled | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_download_all_hosts [[[
+#
+# If ``True``, CA certificates intended for all hosts are downloaded on remote
+# hosts.
+pki_system_ca_certificates_download_all_hosts: '{{ pki_enabled | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: pki_system_ca_certificates_download_all_hosts_force [[[
+#
+# If ``True``, force the download of CA certificates intended for all hosts.
+# Note that this will overwrite by-host and by-group CA certificates.
+# This option can be used to push new root certificates from a internal CA to
+# hosts.
+pki_system_ca_certificates_download_all_hosts_force: False
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/deploy/pki-realm-refresh-keys b/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/deploy/pki-realm-refresh-keys
new file mode 100755
index 00000000..38336614
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/deploy/pki-realm-refresh-keys
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# When certbot refreshes a certificate, it generates a new private key for it.
+# This script will update the keys stored in 'private/key_chain.pem' and
+# 'private/key_chain_dhparam.pem' files in a given PKI realm.
+
+set -o nounset -o pipefail -o errexit
+
+if [ -d "/etc/letsencrypt/live" ] ; then
+
+    realm_domain="$(basename "${RENEWED_LINEAGE}")"
+
+    if [ -n "${realm_domain}" ] && [ -d "/etc/pki/realms/${realm_domain}" ] ; then
+
+        cd "/etc/pki/realms/${realm_domain}" > /dev/null
+
+        # Refresh public PEM chains
+        cat public/cert.pem public/intermediate.pem > public/cert_intermediate.pem
+        cat public/cert.pem public/intermediate.pem /etc/pki/dhparam/set0 > public/cert_intermediate_dhparam.pem
+
+        # Refresh PEM chain with private key
+        cat private/key.pem public/cert_intermediate.pem > private/key_chain.pem
+        chmod 0640 private/key_chain.pem
+        chown root:ssl-cert private/key_chain.pem
+
+        # Refresh PEM chain with private key and Diffie-Hellman parameters
+        cat private/key.pem public/cert_intermediate_dhparam.pem > private/key_chain_dhparam.pem
+        chmod 0640 private/key_chain_dhparam.pem
+        chown root:ssl-cert private/key_chain_dhparam.pem
+
+        # Verify that public and private parts match
+        pub=$(openssl x509 -noout -modulus -in default.crt | openssl md5)
+        key=$(openssl rsa  -noout -modulus -in default.key | openssl md5)
+        if test "${pub}" != "${key}"; then
+             pub=$(openssl x509 -noout -modulus -in public/cert_intermediate.pem | openssl md5)
+             if test "${pub}" == "${key}"; then
+                # Change the symlink to public/cert_intermediate.pem
+                ln -sf -T public/cert_intermediate.pem default.crt > /dev/null
+             fi
+        fi
+
+        # When on proxmox, update the application certificates
+        if test -f "/etc/pve/.members"; then
+            nodename=$(python3 <<_EOF
+import json
+with open("/etc/pve/.members") as fd:
+    data = json.load(fd)
+print(data["nodename"])
+_EOF
+)
+            # Use a set without DH params
+            pvesh create "/nodes/${nodename}/certificates/custom" -restart 1 -force -certificate "$(cat public/cert_intermediate.pem)" -key "$(cat default.key)"
+        fi
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/post/000-fix-permissions b/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/post/000-fix-permissions
new file mode 100755
index 00000000..4882489e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/files/etc/letsencrypt/renewal-hooks/post/000-fix-permissions
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Post-hook script for certbot(1) to fix permission issues in the
+# '/etc/letsencrypt/' directory.
+# Based on: https://sigmaris.info/blog/2019/01/make-certbot-lets-encrypt-certificates-readable-by-debian-ssl-cert-group/
+
+set -o nounset -o pipefail -o errexit
+
+if [ -d "/etc/letsencrypt/live" ] ; then
+    # Secure the private keys and make them readable by the 'ssl-cert' UNIX group
+    chmod 0640          /etc/letsencrypt/archive/*/privkey*.pem
+    chown root:ssl-cert /etc/letsencrypt/archive/*/privkey*.pem
+
+    # Allow read-only access to the certificates by anybody (they're public)
+    find /etc/letsencrypt/live    -type d -print0 | xargs -0 chmod 0755
+    find /etc/letsencrypt/archive -type d -print0 | xargs -0 chmod 0755
+fi
diff --git a/ansible_collections/debops/debops/roles/pki/files/secret/pki/lib/pki-authority b/ansible_collections/debops/debops/roles/pki/files/secret/pki/lib/pki-authority
new file mode 100755
index 00000000..370e8d53
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/files/secret/pki/lib/pki-authority
@@ -0,0 +1,1698 @@
+#!/usr/bin/env bash
+# vim: foldmarker={{{,}}}:foldmethod=marker
+
+# pki-authority: CA-side PKI management
+# Copyright (C) 2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+set -o nounset -o pipefail -o errexit
+
+umask 022
+
+script="$(basename "${0}")"
+
+_openssl () {
+    # OpenSSL writes to stderr/stdout even when there are no errors. So just
+    # display the output if the exit code was != 0 to simplify debugging.
+    set +e
+    _openssl_out="$(openssl "${@}" 2>&1)"
+    local rc=$?
+    set -e
+    if [ ${rc} -ne 0 ]; then
+        echo "${script}: Error: failed to run $* (Exitcode: ${rc})" >&2
+        echo >&2
+        echo "Details:" >&2
+        echo "${_openssl_out}" >&2
+        exit ${rc}
+    fi
+    unset _openssl_out
+    return ${rc}
+}
+
+array_exists () {
+    # Check if an element is in an array
+    local array="$1[@]"
+    local seeking=${2}
+    local in=1
+    for element in "${!array}"; do
+        if [[ $element == "$seeking" ]]; then
+            in=0
+            break
+        fi
+    done
+    return $in
+}
+
+# Inlined in the following scripts: pki-authority, pki-realm {{{
+version () {
+    # Normalize version numbers for comparison.
+    echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'
+}
+
+key_exists () {
+    # Check if an associative array has a specified key present
+    # shellcheck disable=SC2086
+    eval '[ ${'$1'[$2]+test_of_existence} ]'
+}
+
+get_absolute_path () {
+    # Get an absolute path to a file
+    if type python3 > /dev/null ; then
+        python3 -c 'import sys, os.path; print(os.path.abspath(sys.argv[1]))' "${1}"
+    else
+        python -c 'import sys, os.path; print(os.path.abspath(sys.argv[1]))' "${1}"
+    fi
+}
+
+get_relative_path () {
+    # Get a relative path to a file
+    if type python3 > /dev/null ; then
+        python3 -c 'import sys, os.path; print(os.path.relpath(sys.argv[1], sys.argv[2]))' "${1}" "${2:-$PWD}"
+    else
+        python -c 'import sys, os.path; print(os.path.relpath(sys.argv[1], sys.argv[2]))' "${1}" "${2:-$PWD}"
+    fi
+}
+
+get_dnsdomainname () {
+    # Wrap dnsdomainname if it's not present (on MacOS X)
+
+    if type dnsdomainname > /dev/null 2>&1 ; then
+        dnsdomainname
+    else
+        local fqdn
+        fqdn="$(get_fqdn)"
+        if [[ ${fqdn} == *.* ]] ; then
+            echo "${fqdn#*.}"
+        else
+            echo ""
+        fi
+    fi
+}
+
+get_fqdn () {
+    shopt -s nocasematch
+    case $OSTYPE in
+        *bsd* | dragonfly* ) hostname;;
+        * ) hostname -f;;
+    esac
+}
+
+chmod_idempotent () {
+    # chmod does a `fchmodat` (after a `stat`) even if it does not need to
+    # change anything as of 8.23-4.
+    # This behavior is not ideal for this script as it would update the ctime.
+
+    local new_mode_in_octal="${1##0}"
+    local file_path="${2}"
+
+    if [ "$(stat -c %a "${file_path}")" != "${new_mode_in_octal}" ] ; then
+        chmod "${new_mode_in_octal}" "${file_path}"
+    fi
+}
+
+chgrp_idempotent () {
+    # chgrp does a `fchownat` (after a `newfstatat`) even if it does not need
+    # to change anything as of 8.23-4.
+    # This behavior is not ideal for this script as it would update the ctime.
+
+    local new_group_name="${1}"
+    local file_path="${2}"
+
+    if [ "$(stat -c %G "${file_path}")" != "${new_group_name}" ] ; then
+        chgrp "${new_group_name}" "${file_path}"
+    fi
+}
+# }}}
+
+get_openssl_ocsp_uri_directive () {
+    local ocsp_uri
+    case "${config['ocsp']}" in
+        true|True)
+            ocsp_uri="OCSP;URI.0              = \$ocsp_url"
+            ;;
+        false|False)
+            ocsp_uri=""
+            ;;
+        *)
+            ocsp_uri="OCSP;URI.0              = ${config['ocsp']}"
+            ;;
+    esac
+    echo "$ocsp_uri"
+}
+
+get_openssl_name_constraints_directive () {
+    local config_domain="${1}"
+    local name_constraints
+    case "${config['name_constraints']}" in
+        true|True)
+            case "${config['name_constraints_critical']}" in
+                false|False)
+                    name_constraints="nameConstraints         = permitted;DNS:${config_domain},permitted;DNS:.${config_domain}"
+                    ;;
+                *)
+                    name_constraints="nameConstraints         = critical, permitted;DNS:${config_domain},permitted;DNS:.${config_domain}"
+                    ;;
+            esac
+            ;;
+        false|False)
+            name_constraints=""
+            ;;
+        *)
+            name_constraints="nameConstraints         = ${config['name_constraints']}"
+            ;;
+    esac
+
+    echo "$name_constraints"
+}
+
+get_openssl_crl_distribution_points_directive () {
+    local crl_distribution_points=''
+    case "${config['crl']}" in
+        true|True)
+            crl_distribution_points="crlDistributionPoints   = @crl_info"
+            ;;
+        false|False)
+            crl_distribution_points=""
+            ;;
+        *)
+            crl_distribution_points="crlDistributionPoints   = ${config['crl']}"
+            ;;
+    esac
+
+    echo "$crl_distribution_points"
+}
+
+initialize_environment () {
+
+    declare -gA config
+
+    config["pki_root"]="${PKI_ROOT:-$(pwd)}"
+    config["pki_library"]="${PKI_LIBRARY:-openssl}"
+    config["pki_ca_certificates"]="${PKI_CA_CERTIFICATES:-${config['pki_root']}/ca-certificates/by-group/all}"
+    config["system_ca"]="true"
+
+    config["pki_authorities"]="${config['pki_root']}/authorities"
+    config["pki_requests"]="${config['pki_root']}/requests"
+
+    config["pki_default_fqdn"]="$(get_fqdn)"
+    config["pki_default_domain"]="$(get_dnsdomainname)"
+    config["pki_default_domain_dn"]=$(echo "${config['pki_default_domain']}" | cut -d. -f1 | sed 's/.*/\u&/')
+
+    config["domain"]=""
+    config["ca_type"]=""
+    config["issuer_name"]=""
+    config["alt_authority"]=""
+    config["name_constraints"]=""
+
+    config["pki_default_sign_base"]="365"
+    config["pki_default_root_sign_multiplier"]="12"
+    config["pki_default_ca_sign_multiplier"]="10"
+    config["pki_default_cert_sign_multiplier"]="3"
+
+    config["root_sign_days"]=""
+    config["ca_sign_days"]=""
+    config["cert_sign_days"]=""
+    config["key_size"]="4096"
+    config["crl"]="true"
+    config["ocsp"]="true"
+
+    config["public_dir_group"]="$(id -g)"
+    config["public_file_group"]="$(id -g)"
+
+    config["private_dir_group"]="$(id -g)"
+    config["private_file_group"]="$(id -g)"
+
+    config["public_dir_mode"]="755"
+    config["private_dir_mode"]="700"
+
+    config["public_file_mode"]="644"
+    config["private_file_mode"]="600"
+
+    # shellcheck disable=SC2174
+    test -d "${config['pki_root']}" || mkdir -p -m "${config['public_dir_mode']}" "${config['pki_root']}"
+}
+
+enter_authority () {
+
+    local authority="${1}"
+    local config_file="${2:-config/authority.conf}"
+
+    mkdir -p "${config['pki_authorities']}/${authority}"
+    chmod_idempotent "${config['public_dir_mode']}" "${config['pki_authorities']}/${authority}"
+
+    cd "${config['pki_authorities']}/${authority}"
+    local rc=$?
+
+    if [ -r "${config_file}" ] ; then
+
+        # shellcheck source=/dev/null
+        . "${config_file}"
+    fi
+
+    return ${rc}
+}
+
+update_symlink () {
+
+    local symlink_target="${1}"
+
+    if [ -n "${symlink_target}" ] ; then
+
+        shift 1
+
+        for target in "${@}" ; do
+            if  [ -r "${target}" ] ; then
+                if [ -L "${symlink_target}" ] && [ "$(readlink "${symlink_target}")" == "${target}" ] ; then
+                    break
+                else
+                    ln -sf "${target}" "${symlink_target}"
+                fi
+                break
+            fi
+        done
+
+    fi
+}
+
+create_openssl_request_config () {
+
+    local config_file="${1:-config/openssl-request.conf}"
+    local config_dn="${2}"
+
+    if [ -n "${config_file}" ] && [ -n "${config_dn}" ] && [ ! -r "${config_file}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+[ req ]
+default_md             = sha256
+default_bits           = ${config['key_size']}
+default_keyfile        = private/key.pem
+prompt                 = no
+encrypt_key            = no
+distinguished_name     = ca_dn
+utf8                   = yes
+string_mask            = utf8only
+
+[ ca_dn ]
+EOF
+        echo "${config_dn}" | tr "/" "\\n" | sed \
+            -e 's/^[Cc]=/countryName=/' \
+            -e 's/^[Ss][Tt]=/stateOrProvinceName=/' \
+            -e 's/^[Ll]=/localityName=/' \
+            -e 's/^[Oo]=/organizationName=/' \
+            -e 's/^[Oo][Uu]=/organizationalUnitName=/' \
+            -e 's/^[Cc][Nn]=/commonName=/' >> "${config_file}"
+
+    fi
+}
+
+create_gnutls_request_config () {
+
+    local config_file="${1:-config/gnutls-request.conf}"
+    local config_dn="${2}"
+
+    if [ -n "${config_file}" ] && [ -n "${config_dn}" ] && [ ! -r "${config_file}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+EOF
+        echo "${config_dn}" | tr "/" "\\n" | sed \
+            -e 's/^[Cc]=/country = "/' \
+            -e 's/^[Ss][Tt]=/state = "/' \
+            -e 's/^[Ll]=/locality = "/' \
+            -e 's/^[Oo]=/organization = "/' \
+            -e 's/^[Oo][Uu]=/unit = "/' \
+            -e 's/^[Cc][Nn]=/cn = "/' \
+            -e 's/$/"/' >> "${config_file}"
+
+    fi
+}
+
+create_openssl_selfsign_config () {
+
+    local config_file="${1:-config/openssl-selfsign.conf}"
+    local config_name="${2}"
+    local config_domain="${3}"
+    local config_ca_type="${4}"
+
+    if [ -n "${config_file}" ] && [ ! -r "${config_file}" ] ; then
+        local ocsp_uri
+        ocsp_uri="$(get_openssl_ocsp_uri_directive)"
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+[ default ]
+name                    = ${config_name}
+domain_suffix           = ${config_domain}
+aia_url                 = http://\$name.\$domain_suffix/crt/
+crl_url                 = http://\$name.\$domain_suffix/crl/
+ocsp_url                = http://\$name.\$domain_suffix/ocsp/
+default_ca              = ca_default
+name_opt                = utf8,esc_ctrl,multiline,lname,align
+
+[ ca_default ]
+home                    = .
+database                = \$home/database/index
+serial                  = \$home/database/serial
+crlnumber               = \$home/database/crlnumber
+certificate             = \$home/subject/cert.pem
+private_key             = \$home/private/key.pem
+RANDFILE                = \$home/private/random
+new_certs_dir           = \$home/certs
+unique_subject          = no
+copy_extensions         = none
+default_days            = ${config['root_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_root_sign_multiplier'] ))}
+default_crl_days        = 365
+default_md              = sha256
+policy                  = policy_default
+x509_extensions         = extension_default
+
+[ crl_info ]
+URI.0                   = \$crl_url
+
+[ issuer_info ]
+caIssuers;URI.0         = \$aia_url
+${ocsp_uri}
+
+[ extension_ocsp ]
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical, CA:false
+extendedKeyUsage        = OCSPSigning
+keyUsage                = critical, digitalSignature
+subjectKeyIdentifier    = hash
+
+[ policy_default ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+[ extension_default ]
+EOF
+
+        local name_constraints=''
+        name_constraints="$(get_openssl_name_constraints_directive "$config_domain")"
+        local crl_distribution_points=''
+        crl_distribution_points="$(get_openssl_crl_distribution_points_directive)"
+        if [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+basicConstraints       = critical, CA:TRUE
+keyUsage               = critical, keyCertSign, cRLSign
+subjectKeyIdentifier   = hash
+${name_constraints}
+
+EOF
+        elif [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+authorityInfoAccess     = @issuer_info
+basicConstraints        = critical, CA:TRUE, pathlen:0
+${crl_distribution_points}
+keyUsage                = critical, keyCertSign, cRLSign
+subjectKeyIdentifier    = hash
+${name_constraints}
+
+EOF
+        fi
+
+    fi
+}
+
+create_gnutls_selfsign_config () {
+
+    local config_file="${1:-config/gnutls-selfsign.conf}"
+    local config_name="${2}"
+    local config_domain="${3}"
+    local config_ca_type="${4}"
+
+    if [ -n "${config_file}" ] && [ ! -r "${config_file}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+expiration_days = ${config['root_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_root_sign_multiplier'] ))}
+
+EOF
+
+        if [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+ca
+cert_signing_key
+crl_signing_key
+
+EOF
+        elif [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+ca
+cert_signing_key
+crl_signing_key
+path_len = 0
+
+#ca_issuers_uri  = "http://${config_name}.${config_domain}/crt/"
+crl_dist_points = "http://${config_name}.${config_domain}/crl/"
+#ocsp_uri        = "http://${config_name}.${config_domain}/ocsp/"
+
+EOF
+        fi
+
+    fi
+}
+
+create_openssl_sign_config () {
+
+    local config_file="${1:-config/openssl-sign.conf}"
+    local config_name="${2}"
+    local config_domain="${3}"
+    local config_ca_type="${4}"
+    local config_issuer="${5}"
+
+    if [ -n "${config_file}" ] && [ ! -r "${config_file}" ] ; then
+        local ocsp_uri
+        ocsp_uri="$(get_openssl_ocsp_uri_directive)"
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+[ default ]
+name                    = ${config_name}
+domain_suffix           = ${config_domain}
+aia_url                 = http://\$name.\$domain_suffix/crt/
+crl_url                 = http://\$name.\$domain_suffix/crl/
+ocsp_url                = http://\$name.\$domain_suffix/ocsp/
+default_ca              = ca_default
+name_opt                = utf8,esc_ctrl,multiline,lname,align
+
+[ ca_default ]
+home                    = .
+database                = \$home/database/index
+serial                  = \$home/database/serial
+crlnumber               = \$home/database/crlnumber
+certificate             = \$home/subject/cert.pem
+private_key             = \$home/private/key.pem
+RANDFILE                = \$home/private/random
+new_certs_dir           = \$home/certs
+unique_subject          = no
+policy                  = policy_default
+x509_extensions         = extension_default
+EOF
+
+        if [ -z "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+copy_extensions         = none
+default_days            = ${config['ca_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_ca_sign_multiplier'] ))}
+default_crl_days        = 365
+default_md              = sha256
+
+EOF
+        elif [ -z "${config_issuer}" ] && [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+copy_extensions         = copy
+default_days            = ${config['cert_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_cert_sign_multiplier'] ))}
+default_crl_days        = 365
+default_md              = sha256
+
+EOF
+        elif [ -n "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "server" ] ; then
+            cat << EOF >> "${config_file}"
+copy_extensions         = copy
+default_days            = ${config['cert_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_cert_sign_multiplier'] ))}
+default_crl_days        = 30
+default_md              = sha256
+
+EOF
+        fi
+
+        cat << EOF >> "${config_file}"
+[ crl_info ]
+URI.0                   = \$crl_url
+
+[ issuer_info ]
+caIssuers;URI.0         = \$aia_url
+${ocsp_uri}
+
+[ extension_ocsp ]
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical, CA:false
+extendedKeyUsage        = OCSPSigning
+keyUsage                = critical, digitalSignature
+subjectKeyIdentifier    = hash
+
+EOF
+
+        if [ -z "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+[ policy_default ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+EOF
+        elif [ -z "${config_issuer}" ] && [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+[ policy_default ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+EOF
+        elif [ -n "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "server" ] ; then
+            cat << EOF >> "${config_file}"
+[ policy_default ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = optional
+emailAddress            = optional
+
+EOF
+        fi
+
+        local name_constraints=''
+        name_constraints="$(get_openssl_name_constraints_directive "$config_domain")"
+        local crl_distribution_points=''
+        crl_distribution_points="$(get_openssl_crl_distribution_points_directive)"
+        if [ -z "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+[ extension_default ]
+authorityInfoAccess     = @issuer_info
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical, CA:TRUE, pathlen:0
+${crl_distribution_points}
+keyUsage                = critical, keyCertSign, cRLSign
+subjectKeyIdentifier    = hash
+${name_constraints}
+
+EOF
+        elif [ -z "${config_issuer}" ] && [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+[ extension_default ]
+authorityInfoAccess     = @issuer_info
+authorityKeyIdentifier  = keyid:always, issuer:always
+basicConstraints        = critical, CA:FALSE
+${crl_distribution_points}
+extendedKeyUsage        = clientAuth, serverAuth
+keyUsage                = critical, digitalSignature, keyEncipherment
+subjectKeyIdentifier    = hash
+
+EOF
+        elif [ -n "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "server" ] ; then
+            cat << EOF >> "${config_file}"
+[ extension_default ]
+authorityInfoAccess     = @issuer_info
+authorityKeyIdentifier  = keyid:always, issuer:always
+basicConstraints        = critical, CA:FALSE
+${crl_distribution_points}
+extendedKeyUsage        = clientAuth, serverAuth
+keyUsage                = critical, digitalSignature, keyEncipherment
+subjectKeyIdentifier    = hash
+
+EOF
+        fi
+
+    fi
+}
+
+create_gnutls_sign_config () {
+
+    local config_file="${1:-config/gnutls-sign.conf}"
+    local config_name="${2}"
+    local config_domain="${3}"
+    local config_ca_type="${4}"
+    local config_issuer="${5}"
+
+    if [ -n "${config_file}" ] && [ ! -r "${config_file}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+EOF
+
+        if [ -z "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "root" ] ; then
+            cat << EOF >> "${config_file}"
+expiration_days = ${config['ca_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_ca_sign_multiplier'] ))}
+
+ca
+cert_signing_key
+crl_signing_key
+path_len = 0
+
+#ca_issuers_uri  = "http://${config_name}.${config_domain}/crt/"
+crl_dist_points = "http://${config_name}.${config_domain}/crl/"
+#ocsp_uri        = "http://${config_name}.${config_domain}/ocsp/"
+
+EOF
+        elif [ -z "${config_issuer}" ] && [ "${config_ca_type}" = "service" ] ; then
+            cat << EOF >> "${config_file}"
+expiration_days = ${config['cert_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_cert_sign_multiplier'] ))}
+#copy_extensions         = copy
+
+signing_key
+encryption_key
+tls_www_client
+tls_www_server
+
+#ca_issuers_uri  = "http://${config_name}.${config_domain}/crt/"
+crl_dist_points = "http://${config_name}.${config_domain}/crl/"
+#ocsp_uri        = "http://${config_name}.${config_domain}/ocsp/"
+
+EOF
+        elif [ -n "${config_issuer}" ] && [ -z "${config_ca_type}" ] || [ "${config_ca_type}" = "server" ] ; then
+            cat << EOF >> "${config_file}"
+expiration_days = ${config['cert_sign_days']:-$(( config['pki_default_sign_base'] * config['pki_default_cert_sign_multiplier'] ))}
+#copy_extensions         = copy
+
+signing_key
+encryption_key
+tls_www_client
+tls_www_server
+
+#ca_issuers_uri  = "http://${config_name}.${config_domain}/crt/"
+crl_dist_points = "http://${config_name}.${config_domain}/crl/"
+#ocsp_uri        = "http://${config_name}.${config_domain}/ocsp/"
+
+EOF
+        fi
+    fi
+
+}
+
+save_authority_config () {
+
+    local config_file="${1:-config/authority.conf}"
+
+    # shellcheck disable=SC2034
+    local ignored_config_vars=( pki_root pki_requests pki_authorities pki_ca_certificates public_file_group public_dir_group private_file_group private_dir_group )
+
+    if [ -r "${config_file}" ] ; then
+        if grep -q -E "^#\\s+Configuration\\s+file\\s+generated\\s+by\\s+pki-authority$" "${config_file}" ; then
+            rm -f "${config_file}"
+        fi
+    fi
+
+    if [ ! -r "${config_file}" ] ; then
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-authority
+
+EOF
+        for key in "${!config[@]}" ; do
+            if ! array_exists ignored_config_vars "${key}" ; then
+                echo "config['${key}']='${config[${key}]}'" >> "${config_file}"
+            fi
+        done
+    fi
+}
+
+check_openssl_req_session_match () {
+    local check_req="${1}"
+    local check_session="${PKI_SESSION_TOKEN:-}"
+
+    if [ -n "${check_req}" ] && [ -n "${check_session}" ] ; then
+        if [ -r "${check_req}" ] ; then
+            openssl asn1parse -in "${check_req}" | grep -q "${check_session}"
+            rc=$?
+            return ${rc}
+        fi
+    fi
+    return 1
+}
+
+check_gnutls_req_session_match () {
+    return "$(check_openssl_req_session_match "${@}")"
+}
+
+check_openssl_crt_ca_match () {
+    local check_crt="${1}"
+    local check_ca="${2}"
+    local check_ca_issuer="${3:-}"
+
+    if [ -n "${check_crt}" ] && [ -n "${check_ca}" ] ; then
+        if [ -r "${check_crt}" ] && [ -r "${check_ca}" ] ; then
+            if [ -n "${check_ca_issuer}" ] && [ -r "${check_ca_issuer}" ] ; then
+                _openssl verify -CAfile "${check_ca_issuer}" -untrusted "${check_ca}" "${check_crt}"
+                local rc=$?
+            else
+                _openssl verify -CAfile "${check_ca}" "${check_crt}"
+                local rc=$?
+            fi
+            return ${rc}
+        fi
+    fi
+    return 1
+}
+
+check_gnutls_crt_ca_match () {
+    return "$(check_openssl_crt_ca_match "${@}")"
+}
+
+check_openssl_req_crt_match () {
+    local check_req="${1}"
+    local check_crt="${2}"
+
+    local req_modulus
+    local crt_modulus
+
+    req_modulus="$(openssl req  -noout -modulus -in "${check_req}" | base64)"
+    crt_modulus="$(openssl x509 -noout -modulus -in "${check_crt}" | base64)"
+
+    if [ "${req_modulus}" = "${crt_modulus}" ] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+check_gnutls_req_crt_match () {
+    return "$(check_openssl_req_crt_match "${@}")"
+}
+
+sign_openssl_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+    local sign_sect="${4}"
+    local sign_ext="${5}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            _openssl ca -batch -notext \
+                -in "${sign_request}" -out "${sign_out}.tmp" \
+                -name "${sign_sect}" -extensions "${sign_ext}" \
+                -config "${sign_config}"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+            if [ -d issuer ] ; then
+                if [ -r "$(dirname "${sign_out}")/intermediate.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                fi
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            else
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            fi
+        fi
+    fi
+}
+
+sign_openssl_host_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+    local sign_alt="${4:-}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            _openssl ca -batch -notext \
+                -in "${sign_request}" -out "${sign_out}.tmp" \
+                -config "${sign_config}"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+            if [ -d issuer ] ; then
+                if [ -r "$(dirname "${sign_out}")/intermediate.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                fi
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            else
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            fi
+
+            if [ -n "${sign_alt}" ] ; then
+
+                if [ -d "${sign_alt}/issuer" ] ; then
+                    if [ -r "$(dirname "${sign_out}")/alt_intermediate.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem"
+                    fi
+                    if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                    fi
+                else
+                    if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                    fi
+                fi
+
+            fi
+        fi
+    fi
+}
+
+sign_gnutls_host_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+    local sign_alt="${4:-}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            certtool --generate-certificate --template "${sign_config}" \
+                --load-request "${sign_request}" --load-ca-privkey private/key.pem \
+                --load-ca-certificate subject/cert.pem --outfile "${sign_out}.tmp"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+            if [ -d issuer ] ; then
+                if [ -r "$(dirname "${sign_out}")/intermediate.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/intermediate.pem"
+                fi
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            else
+                if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                    if ! diff -q -N "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem" > /dev/null ; then
+                        ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                    fi
+                else
+                    ln -sf "$(get_relative_path "subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/root.pem"
+                fi
+            fi
+
+            if [ -n "${sign_alt}" ] ; then
+
+                if [ -d "${sign_alt}/issuer" ] ; then
+                    if [ -r "$(dirname "${sign_out}")/alt_intermediate.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_intermediate.pem"
+                    fi
+                    if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/issuer/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                    fi
+                else
+                    if [ -r "$(dirname "${sign_out}")/root.pem" ] ; then
+                        if ! diff -q -N "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                        fi
+                    else
+                        ln -sf "$(get_relative_path "${sign_alt}/subject/cert.pem" "$(dirname "${sign_out}")")" "$(dirname "${sign_out}")/alt_root.pem"
+                    fi
+                fi
+
+            fi
+        fi
+    fi
+}
+
+sign_openssl_ca_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            _openssl ca -batch -notext \
+                -in "${sign_request}" -out "${sign_out}.tmp" \
+                -config "${sign_config}"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+        fi
+    fi
+
+}
+
+sign_gnutls_ca_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            certtool --generate-certificate --template "${sign_config}" \
+                --load-request "${sign_request}" --load-ca-privkey private/key.pem \
+                --load-ca-certificate subject/cert.pem --outfile "${sign_out}.tmp"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+        fi
+    fi
+
+}
+
+sign_openssl_root_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            _openssl ca -selfsign -batch -notext \
+                -in "${sign_request}" -out "${sign_out}.tmp" \
+                -config "${sign_config}"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+        fi
+    fi
+
+}
+
+sign_gnutls_root_certificate () {
+    local sign_config="${1}"
+    local sign_request="${2}"
+    local sign_out="${3}"
+
+    if [ -n "${sign_config}" ] && [ -n "${sign_request}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_request}" ] && [ ! -r "${sign_out}" ] ; then
+
+            certtool --generate-self-signed --template "${sign_config}" \
+                --load-request "${sign_request}" --load-privkey private/key.pem \
+                --outfile "${sign_out}.tmp"
+
+            if [ -r "${sign_out}.tmp" ] && [ -s "${sign_out}.tmp" ] ; then
+                mv "${sign_out}.tmp" "${sign_out}"
+            fi
+
+        fi
+    fi
+
+}
+
+generate_openssl_request () {
+
+    local req_config="${1}"
+    local req_out="${2}"
+
+    if [ -n "${req_config}" ] && [ -n "${req_out}" ] ; then
+        if [ -r "${req_config}" ] && [ ! -r "${req_out}" ] ; then
+
+            local req_keyfile
+            req_keyfile=$(grep -E '^default_keyfile\s+=\s+' "${req_config}" | awk '{print $3}')
+            if [ -n "${req_keyfile}" ] ; then
+                openssl req -new -key "${req_keyfile}" -config "${req_config}" -out "${req_out}.tmp"
+            else
+                openssl req -new -config "${req_config}" -out "${req_out}.tmp"
+            fi
+            test -r "${req_out}.tmp" && mv "${req_out}.tmp" "${req_out}"
+
+        fi
+    fi
+
+}
+
+generate_gnutls_request () {
+
+    local req_config="${1}"
+    local req_out="${2}"
+
+    if [ -n "${req_config}" ] && [ -n "${req_out}" ] ; then
+        if [ -r "${req_config}" ] && [ ! -r "${req_out}" ] ; then
+
+            certtool --generate-request --template "${req_config}" \
+                     --load-privkey private/key.pem --outfile "${req_out}.tmp"
+            # Remove text output from the request
+            test -r "${req_out}.tmp" && sed -n -i '/-----BEGIN NEW CERTIFICATE REQUEST-----/,$ p' "${req_out}.tmp"
+            test -r "${req_out}.tmp" && mv "${req_out}.tmp" "${req_out}"
+
+        fi
+    fi
+
+}
+
+generate_openssl_serial () {
+    local serial_file="${1}"
+    local serial_length="${2:-16}"
+
+    if [ -n "${serial_file}" ] && [ ! -r "${serial_file}" ] ; then
+        openssl rand -hex "${serial_length}" > "${serial_file}"
+    fi
+}
+
+generate_gnutls_serial () {
+    # GnuTLS doesn't use this, so do nothing
+    return 0
+}
+
+generate_openssl_rsa_private_key () {
+
+    local key_file="${1:-private/key.pem}"
+    local key_size="${2:-${config['key_size']}}"
+    local key_group="${3:-${config['private_file_group']}}"
+
+    test -r "${key_file}" || openssl genrsa -out "${key_file}.tmp" "${key_size}"
+
+    if [ -r "${key_file}.tmp" ] ; then
+        chmod "${config['private_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['private_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+generate_gnutls_rsa_private_key () {
+
+    local key_file="${1:-private/key.pem}"
+    local key_size="${2:-${config['key_size']}}"
+    local key_group="${3:-${config['private_file_group']}}"
+
+    if ! [ -r "${key_file}" ] ; then
+        if [ "$(version "$(certtool --version | head -n 1 | awk '{print $NF}')")" -lt "$(version 3.3.0)" ] ; then
+            certtool --generate-privkey --outfile "${key_file}.tmp" --bits "${key_size}"
+        else
+            certtool --generate-privkey --rsa --outfile "${key_file}.tmp" --bits "${key_size}"
+        fi
+    fi
+
+    if [ -r "${key_file}.tmp" ] ; then
+        sed -n -i '/-----BEGIN RSA PRIVATE KEY-----/,$ p' "${key_file}.tmp"
+        chmod "${config['private_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['private_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+create_public_directories () {
+
+    local dir_group="${1}"
+    if [ -n "${dir_group}" ] ; then
+        shift
+    else
+        return 1
+    fi
+
+    local directories
+    read -r -a directories <<< "${@}"
+
+    for directory in "${directories[@]}" ; do
+        mkdir -p "${directory}"
+        chmod_idempotent "${config['public_dir_mode']}" "${directory}"
+        chgrp_idempotent "${dir_group}" "${directory}"
+    done
+
+}
+
+create_private_directories () {
+
+    local dir_group="${1}"
+    if [ -n "${dir_group}" ] ; then
+        shift
+    else
+        return 1
+    fi
+
+    local directories
+    read -r -a directories <<< "${@}"
+
+    for directory in "${directories[@]}" ; do
+        mkdir -p "${directory}"
+        chmod_idempotent "${config['private_dir_mode']}" "${directory}"
+        chgrp_idempotent "${dir_group}" "${directory}"
+    done
+
+}
+
+sub_sign () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    req)
+                        args["req"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    req=*)
+                        args["req"]=${OPTARG#*=}
+                        ;;
+                    out)
+                        args["out"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    out=*)
+                        args["out"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script} init <-n|--name[=]authority>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    local name=""
+    local req=""
+    local out=""
+
+    if key_exists args "name" ; then
+
+        enter_authority "${args['name']}"
+
+        local library="${config['pki_library']}"
+        local input
+        local output
+        input="$(get_absolute_path "${args['req']}")"
+        output="$(get_absolute_path "${args['out']}")"
+
+        "sign_${library}_certificate" "config/${library}-sign.conf" "${input}" "${output}"
+
+    fi
+}
+
+sub_sign-by-host () {
+
+    if [ $# -gt 0 ] ; then
+        if [ -d requests ] && [ -d realms ] ; then
+            for authority in requests/* ; do
+                if [ -r "authorities/$(basename "${authority}")/subject/cert.pem" ] ; then
+                    for host in "${authority}"/* ; do
+                        for play_host in "${@}" ; do
+                            if [ "$(basename "${host}")" = "${play_host}" ] ; then
+                                for realm in "${host}"/* ; do
+                                    if [ -r "${realm}/request.pem" ] ; then
+
+                                        local input
+                                        local output
+                                        input="$(get_absolute_path "${realm}"/request.pem)"
+                                        output="$(get_absolute_path "realms/by-host/$(basename "${play_host}")/$(basename "${realm}")/internal/cert.pem")"
+
+                                        enter_authority "$(basename "${authority}")"
+
+                                        local alt_authority=""
+
+                                        if [ -n "${config['alt_authority']}" ] && [ -d ../"${config['alt_authority']}" ] ; then
+                                            alt_authority="$(get_absolute_path ../"${config['alt_authority']}")"
+                                        fi
+
+                                        if [ -r "${output}" ] && "check_${config['pki_library']}_req_session_match" "${input}" ; then
+                                            rm -f "${output}"
+                                        fi
+
+                                        if [ -r "${output}" ] && ! "check_${config['pki_library']}_req_crt_match" "${input}" "${output}" ; then
+                                            rm -f "${output}"
+                                            if ! "check_${config['pki_library']}_req_session_match" "${input}" ; then
+                                                rm -f "${input}"
+                                            fi
+                                        fi
+
+                                        if [ -r "${output}" ] && ! "check_${config['pki_library']}_crt_ca_match" "${output}" "subject/cert.pem" "issuer/subject/cert.pem" ; then
+                                            rm -f "${output}"
+                                            if ! "check_${config['pki_library']}_req_session_match" "${input}" ; then
+                                                rm -f "${input}"
+                                            fi
+                                        fi
+
+                                        if [ ! -r "${output}" ] && ! "check_${config['pki_library']}_req_session_match" "${input}" ; then
+                                            rm -f "${input}"
+                                        fi
+
+                                        if [ -r "${input}" ] ; then
+                                            "sign_${config['pki_library']}_host_certificate" "config/${config['pki_library']}-sign.conf" "${input}" "${output}" "${alt_authority}"
+                                        fi
+
+                                        cd - > /dev/null
+
+                                    fi
+                                done
+                            fi
+                        done
+                    done
+                fi
+            done
+        fi
+    else
+        cat << EOF >&2
+Usage: ${script} sign-by-host [host1 host2 ...]
+
+signs certificates for specified hosts and writes them to the secret/pki subdirectory
+EOF
+    exit 1
+    fi
+
+}
+
+sub_new-ca () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    system-ca)
+                        # shellcheck disable=SC2154
+                        args["system_ca"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    system-ca=*)
+                        args["system_ca"]=${OPTARG#*=}
+                        ;;
+                    alt-authority)
+                        args["alt_authority"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    alt-authority=*)
+                        args["alt_authority"]=${OPTARG#*=}
+                        ;;
+                    library)
+                        args["pki_library"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    library=*)
+                        args["pki_library"]=${OPTARG#*=}
+                        ;;
+                    subdomain)
+                        # shellcheck disable=SC2154
+                        args["subdomain"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subdomain=*)
+                        args["subdomain"]=${OPTARG#*=}
+                        ;;
+                    subject)
+                        # shellcheck disable=SC2154
+                        args["subject"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subject=*)
+                        args["subject"]=${OPTARG#*=}
+                        ;;
+                    type)
+                        # shellcheck disable=SC2154
+                        args["ca_type"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    type=*)
+                        args["ca_type"]=${OPTARG#*=}
+                        ;;
+                    issuer-name)
+                        # shellcheck disable=SC2154
+                        args["issuer_name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    issuer-name=*)
+                        args["issuer_name"]=${OPTARG#*=}
+                        ;;
+                    domain)
+                        # shellcheck disable=SC2154
+                        args["domain"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    domain=*)
+                        args["domain"]=${OPTARG#*=}
+                        ;;
+                    root-sign-days)
+                        args["root_sign_days"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    root-sign-days=*)
+                        args["root_sign_days"]=${OPTARG#*=}
+                        ;;
+                    ca-sign-days)
+                        args["ca_sign_days"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    ca-sign-days=*)
+                        args["ca_sign_days"]=${OPTARG#*=}
+                        ;;
+                    cert-sign-days)
+                        args["cert_sign_days"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    cert-sign-days=*)
+                        args["cert_sign_days"]=${OPTARG#*=}
+                        ;;
+                    key-size)
+                        args["key_size"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    key-size=*)
+                        args["key_size"]=${OPTARG#*=}
+                        ;;
+                    crl)
+                        args["crl"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    crl=*)
+                        args["crl"]=${OPTARG#*=}
+                        ;;
+                    ocsp)
+                        args["ocsp"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    ocsp=*)
+                        args["ocsp"]=${OPTARG#*=}
+                        ;;
+                    name-constraints)
+                        args["name_constraints"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name-constraints=*)
+                        args["name_constraints"]=${OPTARG#*=}
+                        ;;
+                    name-constraints-critical)
+                        args["name_constraints_critical"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name-constraints-critical=*)
+                        args["name_constraints_critical"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script} new-ca <-n|--name[=]authority>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+
+        enter_authority "${args['name']}"
+
+        local config_changed="false"
+
+        for key in "${!args[@]}" ; do
+            if [ -n "${args[${key}]+x}" ] ; then
+                if key_exists config "${key}" ; then
+                    if [ "${config[${key}]}" != "${args[${key}]}" ] ; then
+                        local config_changed="true"
+                        config["${key}"]="${args[${key}]}"
+                    fi
+                else
+                    local config_changed="true"
+                    config["${key}"]="${args[${key}]}"
+                fi
+            fi
+        done
+
+        create_public_directories "${config['public_dir_group']}" config database subject certs requests signed
+        create_private_directories "${config['private_dir_group']}" private
+
+        if [ "${config_changed}" = "true" ] ; then
+            save_authority_config config/authority.conf
+        fi
+
+        local name="${config['name']}"
+        local library="${config['pki_library']}"
+
+        "generate_${library}_rsa_private_key" private/key.pem
+
+        "create_${library}_request_config" "config/${library}-request.conf" "${config['subject']}"
+        if [ -z "${config['issuer_name']}" ] ; then
+            "create_${library}_selfsign_config" "config/${library}-selfsign.conf" "${config['subdomain']}" "${config['domain']}" "${config['ca_type']}"
+        fi
+        "create_${library}_sign_config" "config/${library}-sign.conf" "${config['subdomain']}" "${config['domain']}" "${config['ca_type']}" "${config['issuer_name']}"
+        if [ -n "${config['issuer_name']}" ] ; then
+            update_symlink issuer ../"${config['issuer_name']}"
+        fi
+
+        if [ "${library}" = "openssl" ] ; then
+            "generate_${library}_serial" database/serial
+            test -r database/index || touch database/index
+        fi
+
+        "generate_${library}_request" "config/${library}-request.conf" subject/request.pem
+
+        if [ -z "${config['issuer_name']}" ] && [ ! -L issuer ] ; then
+
+            "sign_${library}_root_certificate" "config/${library}-selfsign.conf" \
+                subject/request.pem subject/cert.pem
+
+        elif [ -n "${config['issuer_name']}" ] && [ -L issuer ] ; then
+            local subject_dir
+            subject_dir="$(pwd)"
+            cd issuer || exit 1
+            "sign_${library}_ca_certificate" "config/${library}-sign.conf" \
+                "${subject_dir}/subject/request.pem" "${subject_dir}/subject/cert.pem"
+            cd - > /dev/null
+        fi
+
+        if [ "${config['system_ca']}" = "true" ] && [ -n "${config['pki_ca_certificates']}" ] && [ -n "${config['subdomain']}" ] && [ -z "${config['issuer_name']}" ] && [ ! -L issuer ] ; then
+            if [ -r "$(dirname "${config['pki_ca_certificates']}")/${config['subdomain']}.${config['domain']}.crt" ] ; then
+                if ! diff -q -N "$(get_relative_path "subject/cert.pem" "${config['pki_ca_certificates']}")" "${config['pki_ca_certificates']}/${config['subdomain']}.${config['domain']}.crt" > /dev/null ; then
+                    ln -sf "$(get_relative_path "subject/cert.pem" "${config['pki_ca_certificates']}")" "${config['pki_ca_certificates']}/${config['subdomain']}.${config['domain']}.crt"
+                fi
+            else
+                ln -sf "$(get_relative_path "subject/cert.pem" "${config['pki_ca_certificates']}")" "${config['pki_ca_certificates']}/${config['subdomain']}.${config['domain']}.crt"
+            fi
+        fi
+
+    fi
+}
+
+sub_init () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    library)
+                        args["pki_library"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    library=*)
+                        args["pki_library"]=${OPTARG#*=}
+                        ;;
+                    default-sign-base)
+                        args["pki_default_sign_base"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    default-sign-base=*)
+                        args["pki_default_sign_base"]=${OPTARG#*=}
+                        ;;
+                    root-sign-multiplier)
+                        args["pki_default_root_sign_multiplier"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    root-sign-multiplier=*)
+                        args["pki_default_root_sign_multiplier"]=${OPTARG#*=}
+                        ;;
+                    ca-sign-multiplier)
+                        args["pki_default_ca_sign_multiplier"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    ca-sign-multiplier=*)
+                        args["pki_default_ca_sign_multiplier"]=${OPTARG#*=}
+                        ;;
+                    cert-sign-multiplier)
+                        args["pki_default_cert_sign_multiplier"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    cert-sign-multiplier=*)
+                        args["pki_default_cert_sign_multiplier"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script} init <-n|--name[=]authority>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+
+        enter_authority "${args['name']}"
+
+        for key in "${!args[@]}" ; do
+            if [ -n "${args[${key}]+x}" ] ; then
+                if key_exists config "${key}" ; then
+                    if [ "${config[${key}]}" != "${args[${key}]}" ] ; then
+                        local config_changed="true"
+                        config["${key}"]="${args[${key}]}"
+                    fi
+                else
+                    local config_changed="true"
+                    config["${key}"]="${args[${key}]}"
+                fi
+            fi
+        done
+
+        create_public_directories "${config['public_dir_group']}" config database subject certs requests signed
+        create_private_directories "${config['private_dir_group']}" private
+
+        if [ "${config_changed}" = "true" ] ; then
+            save_authority_config config/authority.conf
+        fi
+
+    fi
+}
+
+print_usage () {
+    cat << EOF >&2
+Usage: ${script} <command> [parameters]
+
+Available commands:
+
+    init
+      usage: pki-authority init <-n|--name[=]authority>
+
+    new-ca
+      usage: pki-authority new-ca <-n|--name[=]authority>
+
+    sign
+      usage: pki-authority init <-n|--name[=]authority>
+
+    sign-by-host
+      usage: ${script} sign-by-host [host1 host2 ...]
+      signs certificates for specified hosts and writes them to the secret/pki subdirectory
+EOF
+
+}
+
+initialize_environment
+
+if [ $# -gt 0 ] ; then
+
+    subcommand="${1}"
+
+    if [ -n "${subcommand}" ] ; then
+        case "${subcommand}" in
+            init|new-ca|sign|sign-by-host)
+                shift
+                "sub_${subcommand}" "${@}"
+                ;;
+
+            *)
+                echo "${script}: Error: unknown subcommand '${subcommand}'" >&2
+                print_usage
+                exit 1
+                ;;
+        esac
+    fi
+
+else
+    print_usage
+    exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/pki/files/usr/local/lib/pki/pki-realm b/ansible_collections/debops/debops/roles/pki/files/usr/local/lib/pki/pki-realm
new file mode 100755
index 00000000..330c1701
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/files/usr/local/lib/pki/pki-realm
@@ -0,0 +1,2792 @@
+#!/usr/bin/env bash
+# vim: foldmarker={{{,}}}:foldmethod=marker
+
+# pki-realm: client-side PKI management
+# Copyright (C) 2016-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+set -o nounset -o pipefail -o errexit
+
+umask 022
+
+script="${0}"
+script_name="$(basename "${script}")"
+pid="$$"
+
+state=()
+
+log_message () {
+    # Display a message if script is used interactively, otherwise send it to syslog
+    local msg="${1:-}"
+
+    if [ -n "${msg}" ] ; then
+        if tty -s > /dev/null 2>&1 ; then
+            echo "${script_name}: ${msg}" 1>&2
+        elif type logger > /dev/null 2>&1 ; then
+            logger -t "${script_name}[${pid}]" "${msg}"
+        fi
+    fi
+}
+
+clean_up () {
+    # Clean up pidfile
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        rm -f "${pidfile}"
+    fi
+    exit 0
+}
+
+wait_for_pid () {
+    # Wait for the specified process to exit
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        local wait_pid
+        wait_pid="$(< "${pidfile}")"
+        while kill -0 "${wait_pid}" > /dev/null 2>&1 ; do
+            log_message "Waiting for PID ${wait_pid} to finish"
+            sleep $(( ( RANDOM % 30 ) + 5 ))
+        done
+        if [ -f "${pidfile}" ] ; then
+            rm -f "${pidfile}"
+        fi
+    fi
+}
+
+create_lock () {
+    local pidfile="${1}"
+
+    # Try and lock the script operation
+    echo "${pid}" > "${pidfile}"
+    sleep 0.5
+
+    # Exclusive lock failed
+    if [ "$(cat "${pidfile}")" != "${pid}" ] ; then
+        log_message "PKI management started by PID $(< "${pidfile}")"
+        exit 0
+    fi
+
+    # Exclusive lock succeeded
+    # shellcheck disable=SC2064
+    trap "clean_up ${pidfile}" EXIT
+}
+
+# Inlined in the following scripts: pki-authority, pki-realm {{{
+version () {
+    # Normalize version numbers for comparison.
+    echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'
+}
+
+key_exists () {
+    # Check if an associative array has a specified key present
+    # shellcheck disable=SC2086
+    eval '[ ${'$1'[$2]+test_of_existence} ]'
+}
+
+get_absolute_path () {
+    # Get an absolute path to a file
+    if type python3 > /dev/null ; then
+        python3 -c 'import sys, os.path; print(os.path.abspath(sys.argv[1]))' "${1}"
+    else
+        python -c 'import sys, os.path; print(os.path.abspath(sys.argv[1]))' "${1}"
+    fi
+}
+
+get_relative_path () {
+    # Get a relative path to a file
+    if type python3 > /dev/null ; then
+        python3 -c 'import sys, os.path; print(os.path.relpath(sys.argv[1], sys.argv[2]))' "${1}" "${2:-$PWD}"
+    else
+        python -c 'import sys, os.path; print(os.path.relpath(sys.argv[1], sys.argv[2]))' "${1}" "${2:-$PWD}"
+    fi
+}
+
+get_dnsdomainname () {
+    # Wrap dnsdomainname if it's not present (on MacOS X)
+
+    if type dnsdomainname > /dev/null 2>&1 ; then
+        dnsdomainname
+    else
+        local fqdn
+        fqdn="$(hostname -f)"
+        if [[ ${fqdn} == *.* ]] ; then
+            echo "${fqdn#*.}"
+        else
+            echo ""
+        fi
+    fi
+}
+
+chmod_idempotent () {
+    # chmod does a `fchmodat` (after a `stat`) even if it does not need to
+    # change anything as of 8.23-4.
+    # This behavior is not ideal for this script as it would update the ctime.
+
+    local new_mode_in_octal="${1##0}"
+    local file_path="${2}"
+
+    if [ "$(stat -c %a "${file_path}")" != "${new_mode_in_octal}" ] ; then
+        chmod "${new_mode_in_octal}" "${file_path}"
+    fi
+}
+
+chgrp_idempotent () {
+    # chgrp does a `fchownat` (after a `newfstatat`) even if it does not need
+    # to change anything as of 8.23-4.
+    # This behavior is not ideal for this script as it would update the ctime.
+
+    local new_group_name="${1}"
+    local file_path="${2}"
+
+    if [ "$(stat -c %G "${file_path}")" != "${new_group_name}" ] ; then
+        chgrp "${new_group_name}" "${file_path}"
+    fi
+}
+# }}}
+
+initialize_environment () {
+
+    declare -gA config
+
+    config["pki_authority_preference"]="external/acme/internal/selfsigned"
+
+    config["acme_user"]="${PKI_ACME_USER:-pki-acme}"
+    config["acme_group"]="${PKI_ACME_GROUP:-pki-acme}"
+
+    config["private_group"]="${PKI_PRIVATE_GROUP:-ssl-cert}"
+
+    config["acme_challenge_dir"]="/srv/www/sites/acme/public/.well-known/acme-challenge"
+
+    config["acme_client"]="acme_tiny"
+
+    local -A acme_client_script_map
+    acme_client_script_map=(
+        ["acme_tiny"]="$(command -v acme-tiny || true)"
+    )
+
+    config["acme_client_script"]="${acme_client_script_map[${config['acme_client']}]}"
+
+    config["acme_ca"]="le-staging-v2"
+
+    local -A acme_ca_api_map
+    acme_ca_api_map=(
+        ["le-live"]="https://acme-v01.api.letsencrypt.org"
+        ["le-live-v2"]="https://acme-v02.api.letsencrypt.org"
+        ["le-staging"]="https://acme-staging.api.letsencrypt.org"
+        ["le-staging-v2"]="https://acme-staging-v02.api.letsencrypt.org"
+    )
+    config["acme_ca_api"]="${acme_ca_api_map[${config['acme_ca']}]}"
+
+    config["acme_contacts"]=""
+
+    config["acme_expiration_days"]="30"
+
+    # shellcheck disable=SC2154
+    config["acme_expiration_seconds"]="$(( 60 * 60 * 24 * config['acme_expiration_days'] ))"
+
+    config["acme_root_ca_path"]="/usr/share/ca-certificates"
+    config["acme_root_ca_file"]="mozilla/ISRG_Root_X1.crt"
+
+    config["pki_default_ca_bundle"]="/etc/ssl/certs/ca-certificates.crt"
+    config["pki_default_subject"]="CN=$(hostname -f)"
+    config["pki_default_fqdn"]="$(hostname -f)"
+    config["pki_default_domain"]="$(get_dnsdomainname)"
+    config["pki_default_subdomains"]="_wildcard_"
+
+    config["pki_dhparam"]="false"
+    config["dhparam_file"]=""
+    config["realm_key_size"]="2048"
+
+    config["internal_expiration_days"]="14"
+    # shellcheck disable=SC2154
+    config["internal_expiration_seconds"]="$(( 60 * 60 * 24 * config['internal_expiration_days'] ))"
+
+    config["selfsigned_sign_days"]="365"
+    # shellcheck disable=SC2154
+    config["selfsigned_sign_seconds"]="$(( 60 * 60 * 24 * config['selfsigned_sign_days'] ))"
+
+    config["selfsigned_expiration_days"]="14"
+    # shellcheck disable=SC2154
+    config["selfsigned_expiration_seconds"]="$(( 60 * 60 * 24 * config['selfsigned_expiration_days'] ))"
+
+    config["subject"]=""
+    config["domains"]=""
+    config["subdomains"]=""
+    config["subject_alt_names"]=""
+
+    config["acme_default_subject"]="CN=$(get_dnsdomainname)"
+    config["acme_default_domain"]="$(get_dnsdomainname)"
+    config["acme_default_subdomains"]="www/ftp/mail/smtp/imap"
+
+    config["acme_type"]=""
+    config["acme_subject"]=""
+    config["acme_domains"]=""
+    config["acme_subdomains"]=""
+    config["acme_alt_names"]=""
+
+    if [ "$EUID" -eq 0 ] ; then
+
+        config["lock_dir"]="/run"
+
+        config["pki_root"]="${PKI_ROOT:-/etc/pki}"
+        config["pki_library"]="${PKI_LIBRARY:-gnutls}"
+        config["pki_acme"]="${PKI_ACME:-true}"
+        config["pki_acme_library"]="${PKI_ACME_LIBRARY:-openssl}"
+        config["pki_internal"]="${PKI_INTERNAL:-true}"
+
+        config["pki_realms"]="${config['pki_root']}/realms"
+        config["pki_hooks"]="${config['pki_root']}/hooks"
+
+        config["public_dir_group"]="root"
+        config["public_file_group"]="root"
+
+        config["realm_dir_group"]="root"
+        config["realm_file_group"]="root"
+
+        if getent group "${config['private_group']}" > /dev/null ; then
+            config["private_dir_group"]="${config['private_group']}"
+            config["private_file_group"]="${config['private_group']}"
+        else
+            config["private_dir_group"]="root"
+            config["private_file_group"]="root"
+        fi
+
+        if getent group "${config['acme_group']}" > /dev/null ; then
+            config["acme_dir_group"]="${config['acme_group']}"
+            config["acme_file_group"]="${config['acme_group']}"
+        else
+            config["acme_dir_group"]="root"
+            config["acme_file_group"]="root"
+        fi
+
+        config["public_dir_mode"]="755"
+        config["acme_dir_mode"]="775"
+        config["private_dir_mode"]="750"
+        config["realm_dir_mode"]="700"
+
+        config["public_file_mode"]="644"
+        config["acme_file_mode"]="640"
+        config["private_file_mode"]="640"
+        config["realm_file_mode"]="400"
+
+    else
+
+        config["lock_dir"]="${XDG_RUNTIME_DIR:-/tmp}"
+
+        config["pki_root"]="${PKI_ROOT:-${XDG_CONFIG_HOME:-${HOME}/.config}/pki}"
+        config["pki_library"]="${PKI_LIBRARY:-gnutls}"
+        config["pki_acme"]="${PKI_ACME:-true}"
+        config["pki_acme_library"]="${PKI_ACME_LIBRARY:-openssl}"
+        config["pki_internal"]="${PKI_INTERNAL:-true}"
+
+        config["pki_realms"]="${config['pki_root']}/realms"
+        config["pki_hooks"]="${config['pki_root']}/hooks"
+
+        config["public_dir_group"]="$(id -g)"
+        config["public_file_group"]="$(id -g)"
+
+        config["private_dir_group"]="$(id -g)"
+        config["private_file_group"]="$(id -g)"
+
+        config["realm_dir_group"]="$(id -g)"
+        config["realm_file_group"]="$(id -g)"
+
+        config["acme_dir_group"]="$(id -g)"
+        config["acme_file_group"]="$(id -g)"
+
+        config["public_dir_mode"]="755"
+        config["acme_dir_mode"]="775"
+        config["private_dir_mode"]="700"
+        config["realm_dir_mode"]="700"
+
+        config["public_file_mode"]="644"
+        config["acme_file_mode"]="640"
+        config["private_file_mode"]="600"
+        config["realm_file_mode"]="400"
+
+    fi
+
+    config["private_dir_acl_groups_x"]=""
+    config["private_file_acl_groups_r"]=""
+
+    mkdir -p "${config['pki_root']}"
+    chmod_idempotent "${config['public_dir_mode']}" "${config['pki_root']}"
+}
+
+check_openssl_key_req_match () {
+    local check_key="${1}"
+    local check_req="${2}"
+
+    local key_modulus
+    local req_modulus
+
+    key_modulus="$(openssl rsa -noout -modulus -in "${check_key}" | base64)"
+    req_modulus="$(openssl req -noout -modulus -in "${check_req}" | base64)"
+
+    if [ "${key_modulus}" = "${req_modulus}" ] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+check_openssl_key_crt_match () {
+    local check_key="${1}"
+    local check_crt="${2}"
+
+    if [ -r "${check_key}" ] && [ -r "${check_crt}" ] ; then
+        local key_modulus
+        local crt_modulus
+
+        key_modulus="$(openssl rsa  -noout -modulus -in "${check_key}" | base64)"
+        crt_modulus="$(openssl x509 -noout -modulus -in "${check_crt}" | base64)"
+
+        if [ "${key_modulus}" = "${crt_modulus}" ] ; then
+            return 0
+        else
+            return 1
+        fi
+    else
+        return 1
+    fi
+}
+
+update_file_signature () {
+    local check_file="${1}"
+
+    if [ -n "${check_file}" ] && [ -r "${check_file}" ] ; then
+        if [ -r "${check_file}.sig" ] ; then
+            set +e
+            md5sum --quiet --status -c "${check_file}.sig"
+            local rc=$?
+            set -e
+            if [ ${rc} -ne 0 ] ; then
+                rm -rf "${check_file}.sig"
+                md5sum "${check_file}" > "${check_file}.sig"
+            fi
+        else
+            md5sum "${check_file}" > "${check_file}.sig"
+        fi
+    fi
+}
+
+check_file_signature () {
+    local check_file="${1}"
+
+    if [ -n "${check_file}" ] && [ -r "${check_file}" ] ; then
+        if [ -r "${check_file}.sig" ] ; then
+            set +e
+            md5sum --quiet --status -c "${check_file}.sig"
+            local rc=$?
+            set -e
+            return "${rc}"
+        fi
+    fi
+    return 1
+}
+
+enter_realm () {
+
+    local realm="${1}"
+    local config_file="${2:-config/realm.conf}"
+
+    mkdir -p "${config['pki_hooks']}"
+    chmod_idempotent "${config['public_dir_mode']}" "${config['pki_hooks']}"
+
+    if [ ! -d "${config['pki_realms']}/${realm}" ] ; then
+        mkdir -p "${config['pki_realms']}/${realm}"
+        chmod "${config['public_dir_mode']}" "${config['pki_realms']}/${realm}"
+        state+=('new-realm')
+    fi
+
+    cd "${config['pki_realms']}/${realm}"
+    local rc=$?
+
+    if [ -r "${config_file}" ] ; then
+
+        # shellcheck source=/dev/null
+        . "${config_file}"
+    fi
+
+    return "${rc}"
+}
+
+run_pki_hooks () {
+
+    if [ -n "${state:-}" ] && [ -d "${config['pki_hooks']}" ] ; then
+
+        export PKI_SCRIPT_REALM="${config['name']}"
+        export PKI_SCRIPT_FQDN="${config['pki_default_fqdn']}"
+        export PKI_SCRIPT_SUBJECT="${config['subject']:-${config['pki_default_subject']}}"
+        export PKI_SCRIPT_DOMAINS="${config['domains']:-${config['pki_default_domain']}}"
+        export PKI_SCRIPT_SUBDOMAINS="${config['subdomains']:-${config['pki_default_subdomains']}}"
+        export PKI_SCRIPT_PRIVATE_KEY
+        PKI_SCRIPT_PRIVATE_KEY="$(get_absolute_path private/key.pem)"
+
+        export PKI_SCRIPT_DEFAULT_CRT
+        export PKI_SCRIPT_DEFAULT_KEY
+        export PKI_SCRIPT_DEFAULT_PEM
+
+        PKI_SCRIPT_DEFAULT_CRT="$(get_absolute_path default.crt)"
+        PKI_SCRIPT_DEFAULT_KEY="$(get_absolute_path default.key)"
+        PKI_SCRIPT_DEFAULT_PEM="$(get_absolute_path default.pem)"
+
+        local current_state
+        current_state=$(printf ",%s" "${state[@]:-}")
+        current_state="${current_state:1}"
+        export PKI_SCRIPT_STATE="${current_state}"
+
+        cd "${config['pki_hooks']}" || exit 1
+        ( run-parts . )
+        cd - > /dev/null 2>&1
+
+    fi
+}
+
+run_external_script () {
+
+    if [ -r external/script ] ; then
+
+        if [ ! -r private/realm_key.pem ] ; then
+            "generate_${config['pki_library']}_rsa_realm_key" private/realm_key.pem
+# FIXME: Redundancy! Why?
+            if [ ! -r private/key.pem ] ; then
+                install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                if type setfacl > /dev/null 2>&1 ; then
+                    local private_file_acl_groups_r
+                    read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                    if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                            fi
+                        done
+                    fi
+                fi
+                cat private/realm_key.pem >> private/key.pem.tmp
+                mv private/key.pem.tmp private/key.pem
+            fi
+        fi
+
+        export PKI_SCRIPT_REALM="${config['name']}"
+        export PKI_SCRIPT_FQDN="${config['pki_default_fqdn']}"
+        export PKI_SCRIPT_SUBJECT="${config['subject']:-${config['pki_default_subject']}}"
+        export PKI_SCRIPT_DOMAINS="${config['domains']:-${config['pki_default_domain']}}"
+        export PKI_SCRIPT_SUBDOMAINS="${config['subdomains']:-${config['pki_default_subdomains']}}"
+
+# FIXME: Redundancy! Why?
+        export PKI_SCRIPT_PRIVATE_KEY
+        PKI_SCRIPT_PRIVATE_KEY="$(get_absolute_path private/key.pem)"
+
+        export PKI_SCRIPT_DEFAULT_CRT
+        export PKI_SCRIPT_DEFAULT_KEY
+        export PKI_SCRIPT_DEFAULT_PEM
+
+        PKI_SCRIPT_DEFAULT_CRT="$(get_absolute_path default.crt)"
+        PKI_SCRIPT_DEFAULT_KEY="$(get_absolute_path default.key)"
+        PKI_SCRIPT_DEFAULT_PEM="$(get_absolute_path default.pem)"
+
+        local current_state
+        current_state=$(printf ",%s" "${state[@]:-}")
+        current_state="${current_state:1}"
+        export PKI_SCRIPT_STATE="${current_state}"
+
+        test -x external/script || chmod ug+x external/script
+
+        cd external || exit 1
+        ( ./script )
+        cd - > /dev/null 2>&1
+    fi
+}
+
+update_symlink () {
+
+    local symlink_target="${1}"
+
+    if [ -n "${symlink_target}" ] ; then
+
+        shift 1
+
+        for target in "${@}" ; do
+            if  [ -r "${target}" ] ; then
+                if [ -L "${symlink_target}" ] && [ "$(readlink "${symlink_target}")" == "${target}" ] ; then
+                    break
+                else
+                    ln -sf "${target}" "${symlink_target}"
+                fi
+                break
+            fi
+        done
+
+        if [ ! -e "${symlink_target}" ] ; then
+            rm -f "${symlink_target}"
+        fi
+
+    fi
+}
+
+create_openssl_config () {
+
+    local config_file="${1:-config/openssl.conf}"
+    local config_type="${2:-internal}"
+    local req_dn="${3}"
+    local req_domains="${4}"
+    local req_subdomains="${5:-}"
+    local req_san="${6:-}"
+
+    if [ -n "${config_file}" ] && [ -n "${req_dn}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-realm
+
+[ req ]
+default_md         = sha256
+default_bits       = ${config['realm_key_size']}
+default_keyfile    = private/key.pem
+prompt             = no
+encrypt_key        = no
+distinguished_name = req_dn
+req_extensions     = ext_req
+utf8               = yes
+string_mask        = utf8only
+EOF
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ "${config_type}" = "internal" ] ; then
+            cat << EOF >> "${config_file}"
+attributes         = req_attributes
+
+[ req_attributes ]
+challengePassword  = \${ENV::PKI_SESSION_TOKEN}
+EOF
+        fi
+
+        # shellcheck disable=SC2129
+        cat << EOF >> "${config_file}"
+
+[ req_dn ]
+EOF
+
+        echo "${req_dn}" | tr "/" "\\n" | grep --invert-match '^\s*$' | sed \
+            -e 's/^[Cc]=/countryName=/' \
+            -e 's/^[Ss][Tt]=/stateOrProvinceName=/' \
+            -e 's/^[Ll]=/localityName=/' \
+            -e 's/^[Oo]=/organizationName=/' \
+            -e 's/^[Oo][Uu]=/organizationalUnitName=/' \
+            -e 's/^[Cc][Nn]=/commonName=/' >> "${config_file}"
+
+        cat << EOF >> "${config_file}"
+
+[ ext_req ]
+basicConstraints   = CA:FALSE
+keyUsage           = digitalSignature, keyEncipherment
+extendedKeyUsage   = serverAuth, clientAuth
+EOF
+        if [ -n "${req_domains}" ] || [ -n "${req_subdomains}" ] || [ -n "${req_san}" ] ; then
+            cat << EOF >> "${config_file}"
+subjectAltName     = @ext_req_san
+
+[ ext_req_san ]
+EOF
+
+            local domains
+            read -r -a domains <<< "$(echo "${req_domains}" | tr "/" " ")"
+            local subdomains
+            read -r -a subdomains <<< "$(echo "${req_subdomains}" | tr "/" " ")"
+
+            local san_ip
+            read -r -a san_ip <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^ip://pi'    | xargs )"
+            local san_dns
+            read -r -a san_dns <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^dns://pi'   | xargs )"
+            local san_uri
+            read -r -a san_uri <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^uri://pi'   | xargs )"
+            local san_email
+            read -r -a san_email <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^email://pi' | xargs )"
+
+            local all_dns
+            read -r -a all_dns <<< "${domains[@]:-}"
+
+            if [ ${#subdomains[@]} -gt 0 ] ; then
+                for i in "${!domains[@]}" ; do
+                    for j in "${!subdomains[@]}" ; do
+                        if [ "${subdomains[${j}]}" == "_wildcard_" ] ; then
+                            all_dns+=( "*.${domains[${i}]}" )
+                        else
+                            all_dns+=( "${subdomains[${j}]}.${domains[${i}]}" )
+                        fi
+                    done
+                done
+            fi
+
+            # FIXME: Not sure how to handle appending to the array in this case
+            # shellcheck disable=SC2206
+            all_dns+=( ${san_dns[@]:-} )
+
+            for i in "${!all_dns[@]}" ; do
+                printf "%-18s = %s\\n" "DNS.${i}" "${all_dns[${i}]}" >> "${config_file}"
+            done
+
+            for i in "${!san_ip[@]}" ; do
+                printf "%-18s = %s\\n" "IP.${i}" "${san_ip[${i}]}" >> "${config_file}"
+            done
+
+            for i in "${!san_uri[@]}" ; do
+                printf "%-18s = %s\\n" "URI.${i}" "${san_uri[${i}]}" >> "${config_file}"
+            done
+
+            for i in "${!san_email[@]}" ; do
+                printf "%-18s = %s\\n" "email.${i}" "${san_email[${i}]}" >> "${config_file}"
+            done
+
+        fi
+
+    fi
+}
+
+create_gnutls_config () {
+
+    local config_file="${1:-config/gnutls.conf}"
+    local config_type="${2:-internal}"
+    local req_dn="${3}"
+    local req_domains="${4}"
+    local req_subdomains="${5:-}"
+    local req_san="${6:-}"
+
+    if [ -n "${config_file}" ] && [ -n "${req_dn}" ] ; then
+
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-realm
+
+signing_key
+encryption_key
+tls_www_client
+tls_www_server
+
+EOF
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ "${config_type}" = "internal" ] ; then
+            cat << EOF >> "${config_file}"
+# This password is meaningless outside of current session
+challenge_password  = ${PKI_SESSION_TOKEN:-}
+
+EOF
+        elif [ "${config_type}" = "selfsigned" ] ; then
+            cat << EOF >> "${config_file}"
+expiration_days = ${config['selfsigned_sign_days']}
+EOF
+        fi
+
+        echo "${req_dn}" | tr "/" "\\n" | grep --invert-match '^\s*$' | sed \
+            -e 's/^[Cc]=/country = "/' \
+            -e 's/^[Ss][Tt]=/state = "/' \
+            -e 's/^[Ll]=/locality = "/' \
+            -e 's/^[Oo]=/organization = "/' \
+            -e 's/^[Oo][Uu]=/unit = "/' \
+            -e 's/^[Cc][Nn]=/cn = "/' \
+            -e 's/$/"/' >> "${config_file}"
+
+        local domains
+        read -r -a domains <<< "$(echo "${req_domains}" | tr "/" " ")"
+        local subdomains
+        read -r -a subdomains <<< "$(echo "${req_subdomains}" | tr "/" " ")"
+
+        local san_ip
+        read -r -a san_ip <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^ip://pi'    | xargs )"
+        local san_dns
+        read -r -a san_dns <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^dns://pi'   | xargs )"
+        local san_uri
+        read -r -a san_uri <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^uri://pi'   | xargs )"
+        local san_email
+        read -r -a san_email <<< "$( echo "${req_san}" | tr "|" "\\n" | sed --quiet -e 's/^email://pi' | xargs )"
+
+        local all_dns
+        read -r -a all_dns <<< "${domains[@]:-}"
+
+        if [ ${#subdomains[@]} -gt 0 ] ; then
+            for i in "${!domains[@]}" ; do
+                for j in "${!subdomains[@]}" ; do
+                    if [ "${subdomains[${j}]}" == "_wildcard_" ] ; then
+                        all_dns+=( "*.${domains[${i}]}" )
+                    else
+                        all_dns+=( "${subdomains[${j}]}.${domains[${i}]}" )
+                    fi
+                done
+            done
+        fi
+
+        # FIXME: Not sure how to handle appending to the array in this case
+        # shellcheck disable=SC2206
+        all_dns+=( ${san_dns[@]:-} )
+
+        for i in "${!all_dns[@]}" ; do
+            printf 'dns_name = "%s"\n' "${all_dns[${i}]}" >> "${config_file}"
+        done
+
+        for i in "${!san_ip[@]}" ; do
+            printf 'ip_address = "%s"\n' "${san_ip[${i}]}" >> "${config_file}"
+        done
+
+        if [ "$(version "$(certtool --version | head -n 1 | awk '{print $NF}')")" -ge "$(version 3.0.20)" ] ; then
+            for i in "${!san_uri[@]}" ; do
+                printf 'uri = "%s"\n' "${san_uri[${i}]}" >> "${config_file}"
+            done
+        fi
+
+        for i in "${!san_email[@]}" ; do
+            printf 'email = "%s"\n' "${san_email[${i}]}" >> "${config_file}"
+        done
+
+    fi
+}
+
+save_realm_config () {
+
+    local config_file="${1:-config/realm.conf}"
+
+    if [ -r "${config_file}" ] ; then
+        if grep -q -E "^#\\s+Configuration\\s+file\\s+generated\\s+by\\s+pki-realm$" "${config_file}" ; then
+            rm -f "${config_file}"
+        fi
+    fi
+
+    if [ ! -r "${config_file}" ] ; then
+        cat << EOF > "${config_file}"
+# Configuration file generated by pki-realm
+
+EOF
+        for key in "${!config[@]}" ; do
+            echo "config['${key}']='${config[${key}]}'" >> "${config_file}"
+        done
+    fi
+}
+
+generate_openssl_request () {
+
+    local req_config="${1}"
+    local req_out="${2}"
+
+    if [ -n "${req_config}" ] && [ -n "${req_out}" ] ; then
+        if [ -r "${req_config}" ] && [ ! -r "${req_out}" ] ; then
+
+            local req_keyfile
+            req_keyfile=$(grep -E '^default_keyfile\s+=\s+' "${req_config}" | awk '{print $3}')
+            if [ -n "${req_keyfile}" ] ; then
+                openssl req -new -key "${req_keyfile}" -config "${req_config}" -out "${req_out}.tmp"
+            else
+                openssl req -new -config "${req_config}" -out "${req_out}.tmp"
+            fi
+            test -r "${req_out}.tmp" && mv "${req_out}.tmp" "${req_out}"
+
+        fi
+    fi
+
+}
+
+generate_gnutls_request () {
+
+    local req_config="${1}"
+    local req_out="${2}"
+
+    if [ -n "${req_config}" ] && [ -n "${req_out}" ] ; then
+        if [ -r "${req_config}" ] && [ ! -r "${req_out}" ] ; then
+
+            certtool --generate-request --template "${req_config}" \
+                     --load-privkey private/key.pem --outfile "${req_out}.tmp"
+            # Remove text output from the request
+            test -r "${req_out}.tmp" && sed -n -i '/-----BEGIN NEW CERTIFICATE REQUEST-----/,$ p' "${req_out}.tmp"
+            test -r "${req_out}.tmp" && mv "${req_out}.tmp" "${req_out}"
+
+        fi
+    fi
+
+}
+
+selfsign_openssl_request () {
+
+    local sign_req="selfsigned/request.pem"
+    local sign_out="selfsigned/cert.pem"
+    local root_out="selfsigned/root.pem"
+
+    if [ -n "${sign_req}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_req}" ] && [ ! -r "${sign_out}" ] ; then
+
+            openssl x509 -in "${sign_req}" -out "${sign_out}.tmp" \
+                    -req -signkey private/key.pem -days "${config['selfsigned_sign_days']}"
+            test -r "${sign_out}.tmp" && mv "${sign_out}.tmp" "${sign_out}"
+            if [ -r "${sign_out}" ] && [ ! -r "${root_out}" ] ; then
+                cd "$(dirname "${root_out}")" || exit 1
+                ln -s "$(basename ${sign_out})" "$(basename "${root_out}")"
+                cd - > /dev/null
+            fi
+
+        fi
+    fi
+
+}
+
+selfsign_gnutls_request () {
+
+    local sign_req="selfsigned/request.pem"
+    local sign_out="selfsigned/cert.pem"
+    local root_out="selfsigned/root.pem"
+
+    if [ -n "${sign_req}" ] && [ -n "${sign_out}" ] ; then
+        if [ -r "${sign_req}" ] && [ ! -r "${sign_out}" ] ; then
+
+            certtool --generate-self-signed --load-privkey private/key.pem \
+                     --load-request "${sign_req}" --outfile "${sign_out}.tmp" \
+                     --template selfsigned/gnutls.conf
+            test -r "${sign_out}.tmp" && mv "${sign_out}.tmp" "${sign_out}"
+            if [ -r "${sign_out}" ] && [ ! -r "${root_out}" ] ; then
+                cd "$(dirname "${root_out}")" || exit 1
+                ln -s "$(basename ${sign_out})" "$(basename "${root_out}")"
+                cd - > /dev/null
+            fi
+
+        fi
+    fi
+
+}
+
+generate_openssl_rsa_realm_key () {
+
+    local key_file="${1:-private/realm_key.pem}"
+    local key_size="${2:-${config['realm_key_size']}}"
+    local key_group="${3:-${config['realm_file_group']}}"
+
+    test -r "${key_file}" || openssl genrsa -out "${key_file}.tmp" "${key_size}"
+
+    if [ -r "${key_file}.tmp" ] ; then
+        chmod "${config['realm_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['realm_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+generate_gnutls_rsa_realm_key () {
+
+    local key_file="${1:-private/realm_key.pem}"
+    local key_size="${2:-${config['realm_key_size']}}"
+    local key_group="${3:-${config['realm_file_group']}}"
+
+    if ! [ -r "${key_file}" ] ; then
+        if [ "$(version "$(certtool --version | head -n 1 | awk '{print $NF}')")" -lt "$(version 3.1.0)" ] ; then
+            certtool --generate-privkey --outfile "${key_file}.tmp" --bits "${key_size}"
+        else
+            certtool --generate-privkey --rsa --outfile "${key_file}.tmp" --bits "${key_size}"
+        fi
+    fi
+
+    if [ -r "${key_file}.tmp" ] ; then
+        sed -n -i '/-----BEGIN RSA PRIVATE KEY-----/,$ p' "${key_file}.tmp"
+        chmod "${config['realm_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['realm_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+generate_openssl_rsa_private_key () {
+
+    local key_file="${1:-private/key.pem}"
+    local key_size="${2:-${config['realm_key_size']}}"
+    local key_group="${3:-${config['private_file_group']}}"
+    local key_acl="${4:-true}"
+
+    test -r "${key_file}" || openssl genrsa -out "${key_file}.tmp" "${key_size}"
+
+    if [ -r "${key_file}.tmp" ] ; then
+        chmod "${config['private_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        if [ "${key_acl}" = "true" ] ; then
+            if type setfacl > /dev/null 2>&1 ; then
+                local private_file_acl_groups_r
+                read -r private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                    for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                        if getent group "${acl_group}" > /dev/null ; then
+                            setfacl -m "g:${acl_group}:r" "${key_file}.tmp"
+                        fi
+                    done
+                fi
+            fi
+        fi
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['private_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+generate_gnutls_rsa_private_key () {
+
+    local key_file="${1:-private/key.pem}"
+    local key_size="${2:-${config['realm_key_size']}}"
+    local key_group="${3:-${config['private_file_group']}}"
+    local key_acl="${4:-true}"
+
+    if ! [ -r "${key_file}" ] ; then
+        if [ "$(version "$(certtool --version | head -n 1 | awk '{print $NF}')")" -lt "$(version 3.1.0)" ] ; then
+            certtool --generate-privkey --outfile "${key_file}.tmp" --bits "${key_size}"
+        else
+            certtool --generate-privkey --rsa --outfile "${key_file}.tmp" --bits "${key_size}"
+        fi
+    fi
+
+    if [ -r "${key_file}.tmp" ] ; then
+        sed -n -i '/-----BEGIN RSA PRIVATE KEY-----/,$ p' "${key_file}.tmp"
+        chmod "${config['private_file_mode']}" "${key_file}.tmp"
+        chgrp "${key_group}" "${key_file}.tmp"
+        if [ "${key_acl}" = "true" ] ; then
+            if type setfacl > /dev/null 2>&1 ; then
+                local private_file_acl_groups_r
+                read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                    for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                        if getent group "${acl_group}" > /dev/null ; then
+                            setfacl -m "g:${acl_group}:r" "${key_file}.tmp"
+                        fi
+                    done
+                fi
+            fi
+        fi
+        mv "${key_file}.tmp" "${key_file}"
+    fi
+
+    chmod_idempotent "${config['private_file_mode']}" "${key_file}"
+    chgrp_idempotent "${key_group}" "${key_file}"
+
+}
+
+create_public_directories () {
+
+    local dir_group="${1}"
+    if [ -n "${dir_group}" ] ; then
+        shift
+    else
+        return 1
+    fi
+
+    local directories
+    read -r -a directories <<< "${@}"
+
+    for directory in "${directories[@]}" ; do
+        mkdir -p "${directory}"
+        chmod_idempotent "${config['public_dir_mode']}" "${directory}"
+        chgrp_idempotent "${dir_group}" "${directory}"
+    done
+
+}
+
+create_private_directories () {
+
+    local dir_group="${1}"
+    if [ -n "${dir_group}" ] ; then
+        shift
+    else
+        return 1
+    fi
+
+    local directories
+    read -r -a directories <<< "${@}"
+
+    for directory in "${directories[@]}" ; do
+        mkdir -p "${directory}"
+        chmod_idempotent "${config['private_dir_mode']}" "${directory}"
+        chgrp_idempotent "${dir_group}" "${directory}"
+        if type setfacl > /dev/null 2>&1 ; then
+            local private_dir_acl_groups_x
+            read -r -a private_dir_acl_groups_x <<< "$(echo "${config['private_dir_acl_groups_x']}" | tr "/" " ")"
+            if [ ${#private_dir_acl_groups_x[@]} -ne 0 ] ; then
+                for acl_group in "${private_dir_acl_groups_x[@]}" ; do
+                    if getent group "${acl_group}" > /dev/null ; then
+                        setfacl -m "g:${acl_group}:x" "${directory}"
+                    fi
+                done
+            fi
+        fi
+    done
+
+}
+
+create_private_noacl_directories () {
+
+    local dir_group="${1}"
+    if [ -n "${dir_group}" ] ; then
+        shift
+    else
+        return 1
+    fi
+
+    local directories
+    read -r -a directories <<< "${@}"
+
+    for directory in "${directories[@]}" ; do
+        mkdir -p "${directory}"
+        chmod_idempotent "${config['private_dir_mode']}" "${directory}"
+        chgrp_idempotent "${dir_group}" "${directory}"
+    done
+
+}
+
+check_expiration_time () {
+
+    local cert_file="${1}"
+    local seconds="${2}"
+
+    if [ -n "${cert_file}" ] && [ -r "${cert_file}" ] ; then
+
+        current_time="$(date +%s)"
+        cert_enddate="$(openssl x509 -in "${cert_file}" -noout -enddate | cut -d= -f2)"
+        cert_expires=$(date --date="${cert_enddate}" +%s)
+
+        if [ -n "${seconds}" ] ; then
+            cert_expires="$(( cert_expires - seconds ))"
+        fi
+
+        if (( (cert_expires - current_time) >= 0 )) ; then
+            return 0
+        else
+            return 1
+        fi
+
+    else
+        return 1
+    fi
+}
+
+convert_der_to_pem () {
+
+    local input_file="${1}"
+
+    if [ -n "${input_file}" ] && [ -r "${input_file}" ] ; then
+        if ! openssl x509 -inform PEM -in "${input_file}" -noout 2>/dev/null ; then
+            openssl x509 -inform DER -in "${input_file}" -outform PEM -out "${input_file}.tmp"
+            mv "${input_file}.tmp" "${input_file}"
+        fi
+    fi
+}
+
+request_acme_tiny_certificate () {
+
+    # Import per-realm environment variables
+    # shellcheck disable=SC1091
+    source config/environment
+
+    # Rotate acme/error.log if it was modified more than two days ago. This
+    # allows another renewal attempt, but still prevents hitting rate limits.
+    # Let's Encrypt limits duplicate certificate requests to five per week
+    # (https://letsencrypt.org/docs/rate-limits/).
+    if [[ -e acme/error.log ]] && [[ $(find acme/error.log -mtime +1) ]]; then
+        mv acme/error.log "acme/error-$(date +%s).log"
+    fi
+
+    if [ -x "${config['acme_client_script']}" ] && [ -d "${config['acme_challenge_dir']}" ] && [ ! -e acme/error.log ] && [ -r acme/request.pem ] ; then
+
+        if ! ( check_expiration_time acme/cert.pem "${config['acme_expiration_seconds']}" && check_openssl_key_crt_match private/key.pem acme/cert.pem ) ; then
+
+            local acme_tiny_request_params="--account-key acme/account_key.pem \
+                    --directory-url \"${config['acme_ca_api']}\" --csr acme/request.pem \
+                    --acme-dir \"${config['acme_challenge_dir']}\""
+
+            if [ -n "${config['acme_contacts']}" ]; then
+                acme_tiny_request_params+=(" --contact \"${config['acme_contacts']//,/\" \"}\"")
+            fi
+
+            if [ "$EUID" -eq 0 ] ; then
+
+                set +e
+                su --shell /bin/bash -c "umask 0022 ; source config/environment ; ${config['acme_client_script']} ${acme_tiny_request_params[*]} > acme/cert.pem.tmp 2>acme/error.log" "${config['acme_user']}"
+                set -e
+
+            else
+
+                set +e
+                "${config['acme_client_script']}" "${acme_tiny_request_params[*]}" > acme/cert.pem.tmp 2>acme/error.log
+                set -e
+
+            fi
+
+            if [ -r acme/cert.pem.tmp ] && [ -s acme/cert.pem.tmp ] ; then
+
+                # Let's Encrypt provides certificates with attached
+                # intermediates but we don't want that, PKI realms handle the
+                # intermediates themselves. Extract the first certificate from
+                # the generated file and swap it in, so the rest of the script
+                # works.
+                openssl x509 -in acme/cert.pem.tmp -out acme/first-cert.pem.tmp
+                mv acme/first-cert.pem.tmp acme/cert.pem.tmp
+
+                if [ -r acme/cert.pem ] ; then
+                    mv acme/cert.pem acme/cert.pem.old
+                fi
+                mv acme/cert.pem.tmp acme/cert.pem
+
+                local acme_intermediate_uri
+                acme_intermediate_uri="$(openssl x509 -in acme/cert.pem -text -noout -certopt ca_default,no_validity,no_serial | grep -E '^\s+CA\s+Issuers\s+-\s+URI:' | awk '{print $4}' | sed -e 's/^URI://')"
+
+                if [ ! -r acme/intermediate.pem ] ; then
+
+                    if [ -n "${acme_intermediate_uri}" ] ; then
+                        curl -s -L -o acme/intermediate.pem.tmp "${acme_intermediate_uri}"
+                        convert_der_to_pem acme/intermediate.pem.tmp
+                        mv acme/intermediate.pem.tmp acme/intermediate.pem
+                        if [ ! -r acme/intermediate_uri.txt ] ; then
+                            echo "${acme_intermediate_uri}" > acme/intermediate_uri.txt
+                        fi
+                    fi
+
+                elif [ -r acme/intermediate.pem ] ; then
+
+                    if [ -n "${acme_intermediate_uri}" ] && [ -r acme/intermediate_uri.txt ] ; then
+                        if [ "${acme_intermediate_uri}" != "$(<acme/intermediate_uri.txt)" ] ; then
+                            curl -s -L -o acme/intermediate.pem.tmp "${acme_intermediate_uri}"
+                            if ! diff -q -N acme/intermediate.pem acme/intermediate.pem.tmp > /dev/null ; then
+                                rm -f acme/intermediate.pem acme/intermediate_uri.txt
+                                convert_der_to_pem acme/intermediate.pem.tmp
+                                mv acme/intermediate.pem.tmp acme/intermediate.pem
+                                if [ ! -r acme/intermediate_uri.txt ] ; then
+                                    echo "${acme_intermediate_uri}" > acme/intermediate_uri.txt
+                                fi
+                            else
+                                rm -f acme/intermediate.pem.tmp acme/intermediate_uri.txt
+                                if [ ! -r acme/intermediate_uri.txt ] ; then
+                                    echo "${acme_intermediate_uri}" > acme/intermediate_uri.txt
+                                fi
+                            fi
+                        fi
+                    fi
+
+                fi
+
+                if [ ! -r acme/root.pem ] ; then
+                    if [ -n "${config['acme_root_ca_path']}" ] && [ -n "${config['acme_root_ca_file']}" ] ; then
+                        if [ -r "${config['acme_root_ca_path']}/${config['acme_root_ca_file']}" ] && grep -q "${config['acme_root_ca_file']}" /etc/ca-certificates.conf ; then
+                            ln -s "${config['acme_root_ca_path']}/${config['acme_root_ca_file']}" acme/root.pem
+                        fi
+                    fi
+                fi
+
+                if [ -r acme/error.log ] ; then
+                    rm -f acme/error.log
+                fi
+
+            elif [ -r acme/cert.pem.tmp ] && [ ! -s acme/cert.pem.tmp ] ; then
+                rm -f acme/cert.pem.tmp
+            fi
+
+        fi
+
+    fi
+
+}
+
+request_acme_dns_certificate() {
+    # We expect the API secrets to be in ./private/dns-*-credentials.key
+    local credentials=/etc/pki/realms/${config['name']}/private/${config['acme_type']}-credentials.key
+    local pkirealm=/etc/pki/realms/${config['name']}
+    local email=""
+
+    if [ -n "${config['acme_contacts']}" ]; then
+        email="-m${config['acme_contacts']}"
+    fi
+
+    local all_dns
+    local req_subjects=${config['subject']:-${config['pki_default_subject']:-}}
+    # shellcheck disable=SC2001
+    req_subjects=$(echo "${req_subjects}" | sed 's/^[Cc][Nn]=//')
+
+    local req_domains="${config['domains']:-${config['pki_default_domain']}}"
+    local req_subdomains="${config['subdomains']:-${config['pki_default_subdomains']:-}}"
+
+    read -r -a all_dns <<< "$(echo "${req_subjects}" | tr "/" " ")"
+
+    local domains
+    read -r -a domains <<< "$(echo "${req_domains}" | tr "/" " ")"
+
+    # shellcheck disable=SC2206
+    all_dns+=( ${domains[*]:-} )
+
+    local subdomains
+    read -r -a subdomains <<< "$(echo "${req_subdomains}" | tr "/" " ")"
+
+    if [ ${#subdomains[@]} -gt 0 ] ; then
+        for i in "${!domains[@]}" ; do
+            for j in "${!subdomains[@]}" ; do
+                if [ "${subdomains[${j}]}" == "_wildcard_" ] ; then
+                    all_dns+=( "*.${domains[${i}]}" )
+                else
+                    all_dns+=( "${subdomains[${j}]}.${domains[${i}]}" )
+                fi
+            done
+        done
+    fi
+
+    # remove redundant domains
+    for i in "${all_dns[@]}"; do
+        for j in "${all_dns[@]}"; do
+            if test "${i}" == "${j}"; then
+                true
+            elif test "*.${i#*\.}" == "${j}"; then
+                # i is part of j. j is wildcard
+                all_dns=( "${all_dns[@]/$i}" )
+            fi
+        done
+    done
+
+    local all_dns_str
+    # remove duplicate lines without sorting
+    all_dns_str=$(printf '%s\n' "${all_dns[@]}" | awk '!x[$0]++' | xargs)
+    # shellcheck disable=SC2086
+    all_dns_str=$(echo " "${all_dns_str} | sed 's/ / -d/g')
+
+    if test "${config['acme_ca']}" == 'le-live-v2'; then
+      # shellcheck disable=SC2086
+      certbot certonly -n --authenticator ${config['acme_type']} --expand --agree-tos "${email}" --${config['acme_type']}-credentials ${credentials} ${all_dns_str}
+    elif test "${config['acme_ca']}" == 'le-staging-v2'; then
+      # shellcheck disable=SC2086
+      certbot certonly --test-cert -n --authenticator ${config['acme_type']} --expand --agree-tos "${email}" --${config['acme_type']}-credentials ${credentials} ${all_dns_str}
+    fi
+
+    local folder
+    local letsencrypt
+    folder=$(printf '%s\n' "${all_dns[@]}" | xargs | cut -d' ' -f1)
+    letsencrypt="/etc/letsencrypt/live/${folder}"
+    if [ -f "${letsencrypt}/privkey.pem" ]; then
+        ln -vsfT "${letsencrypt}/privkey.pem"   "${pkirealm}/private/key.pem"
+        ln -vsfT "${letsencrypt}/cert.pem"      "${pkirealm}/acme/cert.pem"
+        ln -vsfT "${letsencrypt}/chain.pem"     "${pkirealm}/acme/intermediate.pem"
+    else
+      echo "error: could not symlink let's encrypt certificates into pki realm" >&2
+    fi
+}
+
+request_acme_manual_certificate() {
+    # We expect the API secrets to be in ./private/dns-*-credentials.key
+    local pkirealm=/etc/pki/realms/${config['name']}
+    local email=""
+
+    if [ -n "${config['acme_contacts']}" ]; then
+        email="-m${config['acme_contacts']}"
+    fi
+
+    local all_dns
+    local req_subjects=${config['subject']:-${config['pki_default_subject']:-}}
+    # shellcheck disable=SC2001
+    req_subjects=$(echo "${req_subjects}" | sed 's/^[Cc][Nn]=//')
+
+    local req_domains="${config['domains']:-${config['pki_default_domain']}}"
+    local req_subdomains="${config['subdomains']:-${config['pki_default_subdomains']:-}}"
+
+    read -r -a all_dns <<< "$(echo "${req_subjects}" | tr "/" " ")"
+
+    local domains
+    read -r -a domains <<< "$(echo "${req_domains}" | tr "/" " ")"
+
+    # shellcheck disable=SC2206
+    all_dns+=( ${domains[*]:-} )
+
+    local subdomains
+    read -r -a subdomains <<< "$(echo "${req_subdomains}" | tr "/" " ")"
+
+    if [ ${#subdomains[@]} -gt 0 ] ; then
+        for i in "${!domains[@]}" ; do
+            for j in "${!subdomains[@]}" ; do
+                if [ "${subdomains[${j}]}" == "_wildcard_" ] ; then
+                    all_dns+=( "*.${domains[${i}]}" )
+                else
+                    all_dns+=( "${subdomains[${j}]}.${domains[${i}]}" )
+                fi
+            done
+        done
+    fi
+
+    # remove redundant domains
+    for i in "${all_dns[@]}"; do
+        for j in "${all_dns[@]}"; do
+            if test "${i}" == "${j}"; then
+                true
+            elif test "*.${i#*\.}" == "${j}"; then
+                # i is part of j. j is wildcard
+                all_dns=( "${all_dns[@]/$i}" )
+            fi
+        done
+    done
+
+    local all_dns_str
+    # remove duplicate lines without sorting
+    all_dns_str=$(printf '%s\n' "${all_dns[@]}" | awk '!x[$0]++' | xargs)
+    # shellcheck disable=SC2086
+    all_dns_str=$(echo " "${all_dns_str} | sed 's/ / -d/g')
+
+    if test "${config['acme_ca']}" == 'le-live-v2'; then
+      # shellcheck disable=SC2086
+      certbot certonly -n --authenticator ${config['acme_type']} --preferred-challenges=dns --expand --agree-tos "${email}" ${all_dns_str}
+    elif test "${config['acme_ca']}" == 'le-staging-v2'; then
+      # shellcheck disable=SC2086
+      certbot certonly --test-cert -n --authenticator ${config['acme_type']} --preferred-challenges=dns --expand --agree-tos "${email}" ${all_dns_str}
+    fi
+
+    local folder
+    local letsencrypt
+    folder=$(printf '%s\n' "${all_dns[@]}" | xargs | cut -d' ' -f1)
+    letsencrypt="/etc/letsencrypt/live/${folder}"
+    if [ -f "${letsencrypt}/privkey.pem" ]; then
+        ln -vsfT "${letsencrypt}/privkey.pem"   "${pkirealm}/private/key.pem"
+        ln -vsfT "${letsencrypt}/cert.pem"      "${pkirealm}/acme/cert.pem"
+        ln -vsfT "${letsencrypt}/chain.pem"     "${pkirealm}/acme/intermediate.pem"
+    else
+      echo "error: could not symlink let's encrypt certificates into pki realm" >&2
+    fi
+}
+
+request_acme_certificate () {
+    if [ "${config['pki_acme']}" = "true" ]; then
+        if [ "${config['acme_type']}" == "acme-tiny" ] || [ "${config['acme_type']}" == "" ]; then
+          request_acme_tiny_certificate
+        fi
+        if [[ "${config['acme_type']}" =~ "dns-" ]]; then
+          request_acme_dns_certificate
+        fi
+        if [[ "${config['acme_type']}" == "manual" ]]; then
+          request_acme_manual_certificate
+        fi
+
+    fi
+}
+
+check_public_certificate () {
+
+    if [ -r public/cert.pem ] ; then
+        if ! check_file_signature public/cert.pem ; then
+            state+=("changed-certificate")
+            state+=("file-change")
+        fi
+    fi
+
+}
+
+check_files () {
+
+    local name="${config['name']}"
+    local library="${config['pki_library']}"
+    local acme_library="${config['pki_acme_library']}"
+
+    if [ "${config['pki_internal']}" == "true" ] ; then
+
+        if [ ! -r private/realm_key.pem ] ; then
+            "generate_${library}_rsa_realm_key" private/realm_key.pem
+            if [ ! -r private/key.pem ] ; then
+                install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                if type setfacl > /dev/null 2>&1 ; then
+                    local private_file_acl_groups_r
+                    read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                    if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                            fi
+                        done
+                    fi
+                fi
+                cat private/realm_key.pem >> private/key.pem.tmp
+                mv private/key.pem.tmp private/key.pem
+                state+=('new-private-key')
+            fi
+        fi
+
+        if [ -r private/key.pem ] ; then
+            if type setfacl > /dev/null 2>&1 ; then
+                local private_file_acl_groups_r
+                read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                    if ! getfacl -sc private/key.pem | grep -Eq '^group' ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem
+                            fi
+                        done
+                    fi
+                fi
+            fi
+        fi
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ -r internal/cert.pem ] ; then
+            if ! ( check_expiration_time internal/cert.pem "${config['internal_expiration_seconds']}" && check_openssl_key_crt_match private/key.pem internal/cert.pem ) ; then
+                rm -f "internal/${library}.conf" internal/request.pem
+            fi
+        fi
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ ! -r public/cert.pem ] ; then
+            if ! ( check_expiration_time internal/cert.pem "${config['internal_expiration_seconds']}" && check_openssl_key_crt_match private/key.pem internal/cert.pem ) ; then
+                rm -f "internal/${library}.conf" internal/request.pem
+            fi
+        fi
+
+        if [ ! -r "internal/${library}.conf" ] && [ ! -r internal/request.pem ] ; then
+
+            if [[ ${name} != *.* && ${name} != *@* ]] ; then
+
+                "create_${library}_config" "internal/${library}.conf" internal "${config['subject']:-${config['pki_default_subject']}}" "${config['domains']:-${config['pki_default_domain']}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+
+            elif [[ ${name} == *.* && ${name} != *@* ]] ; then
+
+                "create_${library}_config" "internal/${library}.conf" internal "${config['subject']:-cn=${name}}" "${config['domains']:-${name:-${config['pki_default_domain']}}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+
+            fi
+
+            "generate_${library}_request" "internal/${library}.conf" internal/request.pem
+            state+=('new-internal-request')
+        fi
+
+        if [ -r "internal/${library}.conf" ] && [ -r internal/request.pem ] ; then
+            if ! check_openssl_key_req_match private/key.pem internal/request.pem ; then
+
+                rm -f internal/request.pem
+                "generate_${library}_request" "internal/${library}.conf" internal/request.pem
+                state+=('new-internal-request')
+
+            fi
+        fi
+
+    elif [ "${config['pki_internal']}" == "false" ] ; then
+
+        if [ ! -r private/realm_key.pem ] ; then
+            "generate_${library}_rsa_realm_key" private/realm_key.pem
+            if [ ! -r private/key.pem ] ; then
+                install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                if type setfacl > /dev/null 2>&1 ; then
+                    local private_file_acl_groups_r
+                    read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                    if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                            fi
+                        done
+                    fi
+                fi
+                cat private/realm_key.pem >> private/key.pem.tmp
+                mv private/key.pem.tmp private/key.pem
+                state+=('new-private-key')
+            fi
+        fi
+
+        if [ -r private/key.pem ] ; then
+            if type setfacl > /dev/null 2>&1 ; then
+                local private_file_acl_groups_r
+                read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                    if ! getfacl -sc private/key.pem | grep -Eq '^group' ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem
+                            fi
+                        done
+                    fi
+                fi
+            fi
+        fi
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ -r selfsigned/cert.pem ] ; then
+            if ! ( check_expiration_time selfsigned/cert.pem "${config['selfsigned_expiration_seconds']}" && check_openssl_key_crt_match private/key.pem selfsigned/cert.pem ) ; then
+                rm -f "selfsigned/${library}.conf" selfsigned/request.pem
+            fi
+        fi
+
+        if [ -n "${PKI_SESSION_TOKEN:-}" ] && [ ! -r public/cert.pem ] ; then
+            if ! ( check_expiration_time selfsigned/cert.pem "${config['selfsigned_expiration_seconds']}" && check_openssl_key_crt_match private/key.pem selfsigned/cert.pem ) ; then
+                rm -f "selfsigned/${library}.conf" selfsigned/request.pem
+            fi
+        fi
+
+        if [ ! -r "selfsigned/${library}.conf" ] && [ ! -r selfsigned/request.pem ] ; then
+
+            if [[ ${name} != *.* && ${name} != *@* ]] ; then
+
+                "create_${library}_config" "selfsigned/${library}.conf" selfsigned \
+                    "${config['subject']:-${config['pki_default_subject']}}" \
+                    "${config['domains']:-${config['pki_default_domain']}}" \
+                    "${config['subdomains']:-${config['pki_default_subdomains']}}" \
+                    "${config['subject_alt_names']:-}"
+
+            elif [[ ${name} == *.* && ${name} != *@* ]] ; then
+
+                "create_${library}_config" "selfsigned/${library}.conf" selfsigned \
+                    "${config['subject']:-cn=${name}}" \
+                    "${config['domains']:-${name:-${config['pki_default_domain']}}}" \
+                    "${config['subdomains']:-${config['pki_default_subdomains']}}" \
+                    "${config['subject_alt_names']:-}"
+
+            fi
+
+            "generate_${library}_request" "selfsigned/${library}.conf" selfsigned/request.pem
+            "selfsign_${library}_request"
+            state+=('new-selfsigned-certificate')
+        fi
+
+        if [ -r "selfsigned/${library}.conf" ] && [ -r selfsigned/request.pem ] ; then
+            if ! check_openssl_key_req_match private/key.pem selfsigned/request.pem ; then
+
+                rm -f selfsigned/request.pem
+                "generate_${library}_request" "selfsigned/${library}.conf" selfsigned/request.pem
+                "selfsign_${library}_request"
+                state+=('new-selfsigned-certificate')
+
+            fi
+        fi
+
+    fi
+
+    if [ "${config['pki_acme']}" = "true" ] ; then
+
+        if [ ! -r private/realm_key.pem ] ; then
+            "generate_${library}_rsa_realm_key" private/realm_key.pem
+            if [ ! -r private/key.pem ] ; then
+                install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                if type setfacl > /dev/null 2>&1 ; then
+                    local private_file_acl_groups_r
+                    read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                    if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                        for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                            if getent group "${acl_group}" > /dev/null ; then
+                                setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                            fi
+                        done
+                    fi
+                fi
+                cat private/realm_key.pem >> private/key.pem.tmp
+                mv private/key.pem.tmp private/key.pem
+                state+=('new-private-key')
+            fi
+        fi
+
+        if [ -r acme/cert.pem ] && [ -r "acme/${acme_library}.conf" ] && [ -r acme/request.pem ] ; then
+            if ! check_expiration_time acme/cert.pem "${config['acme_expiration_seconds']}" ; then
+                rm -f "acme/${acme_library}.conf" acme/request.pem
+            fi
+        fi
+
+        if [ ! -r "acme/${acme_library}.conf" ] && [ ! -r acme/request.pem ] ; then
+
+            if [[ ${name} != *.* && ${name} != *@* ]] ; then
+
+                "create_${acme_library}_config" "acme/${acme_library}.conf" acme "${config['acme_subject']:-${config['acme_default_subject']}}" "${config['acme_domains']:-${config['acme_default_domain']}}" "${config['acme_subdomains']:-${config['acme_default_subdomains']}}" "${config['acme_alt_names']:-}"
+
+            elif [[ ${name} == *.* && ${name} != *@* ]] ; then
+
+                "create_${acme_library}_config" "acme/${acme_library}.conf" acme "${config['acme_subject']:-cn=${name}}" "${config['acme_domains']:-${name:-${config['acme_default_domain']}}}" "${config['acme_subdomains']:-${config['acme_default_subdomains']}}" "${config['acme_alt_names']:-}"
+
+            fi
+
+            "generate_${library}_rsa_private_key" acme/account_key.pem 4096 "${config['acme_file_group']}" false
+            "generate_${acme_library}_request" "acme/${acme_library}.conf" acme/request.pem
+            chgrp "${config['acme_file_group']}" acme/request.pem
+            chmod "${config['acme_file_mode']}" acme/request.pem
+            chmod "${config['acme_dir_mode']}" acme
+            state+=('new-acme-request')
+        fi
+
+        if [ -r "acme/${acme_library}.conf" ] && [ -r acme/request.pem ] ; then
+            if ! check_openssl_key_req_match private/key.pem acme/request.pem ; then
+
+                rm -f acme/request.pem
+                "generate_${acme_library}_request" "acme/${acme_library}.conf" acme/request.pem
+                chgrp "${config['acme_file_group']}" acme/request.pem
+                chmod "${config['acme_file_mode']}" acme/request.pem
+                state+=('new-acme-request')
+
+            fi
+
+        elif [ -r "acme/${acme_library}.conf" ] && [ ! -r acme/request.pem ] ; then
+
+            "generate_${acme_library}_request" "acme/${acme_library}.conf" acme/request.pem
+            chgrp "${config['acme_file_group']}" acme/request.pem
+            chmod "${config['acme_file_mode']}" acme/request.pem
+            state+=('new-acme-request')
+
+        fi
+
+    fi
+
+}
+
+process_public_files () {
+    # Select the preferred authority in a given PKI realm (external, acme,
+    # internal) and check all of the files, make sure that everything is in order
+
+    local authority_preference
+    read -r -a authority_preference <<< "$(echo "${config['pki_authority_preference']}" | tr "/" " ")"
+
+    for authority in "${authority_preference[@]}" ; do
+
+        if [ -r "${authority}/cert.pem" ] && ( check_expiration_time "${authority}/cert.pem" $(( 60 * 60 * 24 * 10 )) || [ "${authority}" = "${authority_preference[-1]}" ] ) ; then
+
+            if ! ( diff -q -N "${authority}/cert.pem" public/cert.pem > /dev/null && check_file_signature public/cert.pem ) ; then
+
+                for source_file in "${authority}/cert.pem" "${authority}/intermediate.pem" "${authority}/root.pem" "${authority}/alt_intermediate.pem" "${authority}/alt_root.pem" ; do
+
+                    if [ -r "${source_file}" ] ; then
+                        if ! diff -q -N "${source_file}" "${source_file/${authority}/public}" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${source_file}" "public")" "${source_file/${authority}/public}.tmp"
+                        fi
+                    elif [ ! -r "${source_file}" ] && [ -r "${source_file/${authority}/public}" ] ; then
+                        rm -f "${source_file/${authority}/public}"
+                    fi
+
+                done
+
+                if [ -r public/cert.pem ] ; then
+                    if ! check_file_signature public/cert.pem ; then
+                        if [ -r public/intermediate.pem ] ; then
+                            if [ -r public/cert_intermediate.pem.tmp ] ; then
+                                rm -f public/cert_intermediate.pem.tmp
+                            fi
+                            cat public/cert.pem public/intermediate.pem > public/cert_intermediate.pem.tmp
+                        fi
+                    fi
+                fi
+
+                if [ -r public/cert.pem.tmp ] && [ -r public/intermediate.pem.tmp ] ; then
+                        cat public/cert.pem.tmp public/intermediate.pem.tmp > public/cert_intermediate.pem.tmp
+                elif [ -r public/cert.pem.tmp ] && [ -r public/intermediate.pem ] ; then
+                        cat public/cert.pem.tmp public/intermediate.pem > public/cert_intermediate.pem.tmp
+                fi
+
+                if [ -r public/intermediate.pem.tmp ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/intermediate.pem.tmp public/root.pem.tmp > public/intermediate_root.pem.tmp
+                elif [ -r public/intermediate.pem ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/intermediate.pem public/root.pem.tmp > public/intermediate_root.pem.tmp
+                fi
+
+                if [ -r public/cert.pem.tmp ] && [ -r public/intermediate_root.pem.tmp ] ; then
+                    cat public/cert.pem.tmp public/intermediate_root.pem.tmp > public/full.pem.tmp
+                elif [ -r public/cert.pem.tmp ] && [ -r public/intermediate_root.pem ] ; then
+                    cat public/cert.pem.tmp public/intermediate_root.pem > public/full.pem.tmp
+                elif [ -r public/cert.pem ] && [ -r public/intermediate_root.pem.tmp ] ; then
+                    cat public/cert.pem public/intermediate_root.pem.tmp > public/full.pem.tmp
+                elif [ -r public/cert.pem.tmp ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/cert.pem.tmp public/root.pem.tmp > public/full.pem.tmp
+                elif [ -r public/cert.pem.tmp ] && [ -r public/root.pem ] ; then
+                    cat public/cert.pem.tmp public/root.pem > public/full.pem.tmp
+                elif [ -r public/cert.pem ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/cert.pem public/root.pem.tmp > public/full.pem.tmp
+                fi
+
+                if [ -r public/alt_intermediate.pem.tmp ] && [ -r public/alt_root.pem.tmp ] ; then
+                    cat public/alt_intermediate.pem.tmp public/alt_root.pem.tmp > public/alt_intermediate_root.pem.tmp
+                elif [ -r public/alt_intermediate.pem ] && [ -r public/alt_root.pem.tmp ] ; then
+                    cat public/alt_intermediate.pem public/alt_root.pem.tmp > public/alt_intermediate_root.pem.tmp
+                fi
+
+                for public_file in public/*.pem ; do
+                    if [ ! -r "${public_file/public/${authority}}" ] && [ ! -r "${public_file}.tmp" ] ; then
+                        touch "${public_file}.rm"
+                    fi
+                done
+
+            fi
+
+            if [ -r private/key.pem ] && [ -r public/cert.pem ] && [ -r public/intermediate.pem ] && [ -r public/cert_intermediate.pem ] ; then
+
+                if ! check_openssl_key_crt_match private/key.pem public/cert_intermediate.pem ; then
+                    if [ -r public/cert_intermediate.pem.tmp ] ; then
+                        rm -f public/cert_intermediate.pem.tmp
+                    fi
+                    cat public/cert.pem public/intermediate.pem > public/cert_intermediate.pem.tmp
+                fi
+
+            fi
+
+            if [ "${config['pki_dhparam']}" = "true" ] && [ -n "${config['dhparam_file']}" ] && [ -r "${config['dhparam_file']}" ] ; then
+
+                if [ -r public/cert_intermediate.pem.tmp ] ; then
+                    cat public/cert_intermediate.pem.tmp "${config['dhparam_file']}" > public/cert_intermediate_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ -r public/cert.pem.tmp ] ; then
+                    cat public/cert.pem.tmp "${config['dhparam_file']}" > public/cert_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ ! -r public/cert_intermediate_dhparam.pem ] && [ -r public/cert_intermediate.pem ] ; then
+                    cat public/cert_intermediate.pem "${config['dhparam_file']}" > public/cert_intermediate_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ ! -r public/cert_dhparam.pem ] && [ ! -r public/cert_intermediate.pem ] && [ -r public/cert.pem ] ; then
+                    cat public/cert.pem "${config['dhparam_file']}" > public/cert_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ -r public/cert_intermediate_dhparam.pem ] ; then
+                    if ! diff -q -N "${config['dhparam_file']}" <( sed -n '/-----BEGIN DH PARAMETERS-----/,/-----END DH PARAMETERS-----/p' public/cert_intermediate_dhparam.pem ) > /dev/null ; then
+                        cat public/cert_intermediate.pem "${config['dhparam_file']}" > public/cert_intermediate_dhparam.pem.tmp
+                        state+=("changed-dhparam")
+                    fi
+                elif [ -r public/cert_dhparam.pem ] ; then
+                    if ! diff -q -N "${config['dhparam_file']}" <( sed -n '/-----BEGIN DH PARAMETERS-----/,/-----END DH PARAMETERS-----/p' public/cert_dhparam.pem ) > /dev/null ; then
+                        cat public/cert.pem "${config['dhparam_file']}" > public/cert_dhparam.pem.tmp
+                        state+=("changed-dhparam")
+                    elif ! check_file_signature public/cert.pem ; then
+                        cat public/cert.pem "${config['dhparam_file']}" > public/cert_dhparam.pem.tmp
+                        state+=("changed-dhparam")
+                    fi
+                fi
+
+            fi
+
+            break
+
+        elif [ ! -r "${authority}/cert.pem" ] && [ -r "${authority}/root.pem" ] ; then
+
+            if ! diff -q -N "${authority}/root.pem" public/root.pem > /dev/null ; then
+
+                for source_file in "${authority}/intermediate.pem" "${authority}/root.pem" "${authority}/alt_intermediate.pem" "${authority}/alt_root.pem" ; do
+
+                    if [ -r "${source_file}" ] ; then
+                        if ! diff -q -N "${source_file}" "${source_file/${authority}/public}" > /dev/null ; then
+                            ln -sf "$(get_relative_path "${source_file}" "public")" "${source_file/${authority}/public}.tmp"
+                        fi
+                    fi
+
+                done
+
+                if [ -r public/intermediate.pem.tmp ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/intermediate.pem.tmp public/root.pem.tmp > public/intermediate_root.pem.tmp
+                elif [ -r "${authority}/intermediate.pem" ] && [ -r public/intermediate.pem ] && [ -r public/root.pem.tmp ] ; then
+                    cat public/intermediate.pem public/root.pem.tmp > public/intermediate_root.pem.tmp
+                fi
+
+                if [ -r public/alt_intermediate.pem.tmp ] && [ -r public/alt_root.pem.tmp ] ; then
+                    cat public/alt_intermediate.pem.tmp public/alt_root.pem.tmp > public/alt_intermediate_root.pem.tmp
+                elif [ -r "${authority}/alt_intermediate.pem" ] && [ -r public/alt_intermediate.pem ] && [ -r public/alt_root.pem.tmp ] ; then
+                    cat public/alt_intermediate.pem public/alt_root.pem.tmp > public/alt_intermediate_root.pem.tmp
+                fi
+
+                for public_file in public/*.pem ; do
+                    if [ ! -r "${public_file/public/${authority}}" ] && [ ! -r "${public_file}.tmp" ] ; then
+                        touch "${public_file}.rm"
+                    fi
+                done
+
+            fi
+
+            break
+
+        fi
+
+    done
+
+}
+
+process_private_files () {
+
+    local current_umask
+    current_umask="$(umask)"
+    umask 027
+
+    local authority_preference
+    read -r -a authority_preference <<< "$(echo "${config['pki_authority_preference']}" | tr "/" " ")"
+
+    for authority in "${authority_preference[@]}" ; do
+
+        if [ -r "${authority}/cert.pem" ] && ( check_expiration_time "${authority}/cert.pem" $(( 60 * 60 * 24 * 10 )) || [ "${authority}" = "${authority_preference[-1]}" ] ) ; then
+
+            if [ ! -r private/key.pem ] ; then
+
+                if check_openssl_key_crt_match private/realm_key.pem "${authority}/cert.pem" ; then
+
+                    if [ -r private/key.pem.tmp ] ; then
+                        rm -f private/key.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/realm_key.pem >> private/key.pem.tmp
+
+                fi
+            fi
+
+            if [ -r public/cert.pem.tmp ] || [ -r public/cert_intermediate.pem.tmp ] ; then
+
+                if [ -r public/cert.pem.tmp ] && [ -r private/realm_key.pem ] ; then
+
+                    if ! check_openssl_key_crt_match private/key.pem public/cert.pem.tmp ; then
+
+                        if [ -r private/key.pem.tmp ] ; then
+                            rm -f private/key.pem.tmp
+                        fi
+                        install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+                        if type setfacl > /dev/null 2>&1 ; then
+                            local private_file_acl_groups_r
+                            read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                            if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                                for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                    if getent group "${acl_group}" > /dev/null ; then
+                                        setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                                    fi
+                                done
+                            fi
+                        fi
+                        cat private/realm_key.pem >> private/key.pem.tmp
+
+                    fi
+
+                fi
+
+                if [ -r public/cert_intermediate.pem.tmp ] ; then
+
+                    if [ -r private/key_chain.pem.tmp ] ; then
+                        rm -f private/key_chain.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    if [ -r private/key.pem ] && check_openssl_key_crt_match private/key.pem public/cert_intermediate.pem.tmp ; then
+                        cat private/key.pem public/cert_intermediate.pem.tmp >> private/key_chain.pem.tmp
+                    elif [ -r private/realm_key.pem ] && check_openssl_key_crt_match private/realm_key.pem public/cert_intermediate.pem.tmp ; then
+                        cat private/realm_key.pem public/cert_intermediate.pem.tmp >> private/key_chain.pem.tmp
+                    fi
+
+                elif [ -r public/cert.pem.tmp ] ; then
+
+                    if [ -r private/key_chain.pem.tmp ] ; then
+                        rm -f private/key_chain.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    if [ -r private/key.pem ] ; then
+                        cat private/key.pem public/cert.pem.tmp >> private/key_chain.pem.tmp
+                    elif [ -r private/realm_key.pem ] ; then
+                        cat private/realm_key.pem public/cert.pem.tmp >> private/key_chain.pem.tmp
+                    fi
+
+                fi
+            fi
+
+            if [ -r private/key.pem ] && [ -r public/cert_intermediate.pem ] ; then
+
+                if ! check_openssl_key_crt_match private/key.pem public/cert_intermediate.pem ; then
+                    if [ -r private/key_chain.pem.tmp ] ; then
+                        rm -f private/key_chain.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/key.pem public/cert_intermediate.pem >> private/key_chain.pem.tmp
+                fi
+
+            elif [ -r private/key.pem ] && [ -r public/cert.pem ] ; then
+
+                if ! check_openssl_key_crt_match private/key.pem public/cert.pem ; then
+                    if [ -r private/key_chain.pem.tmp ] ; then
+                        rm -f private/key_chain.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/key.pem public/cert.pem >> private/key_chain.pem.tmp
+                elif ! check_file_signature public/cert.pem ; then
+                    if [ -r private/key_chain.pem.tmp ] ; then
+                        rm -f private/key_chain.pem.tmp
+                    fi
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/key.pem public/cert.pem >> private/key_chain.pem.tmp
+                fi
+
+            fi
+
+            if [ "${config['pki_dhparam']}" = "true" ] && [ -n "${config['dhparam_file']}" ] && [ -r "${config['dhparam_file']}" ] ; then
+                if [ -r private/key_chain.pem.tmp ] ; then
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain_dhparam.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain_dhparam.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/key_chain.pem.tmp "${config['dhparam_file']}" >> private/key_chain_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ ! -r private/key_chain_dhparam.pem ] && [ -r private/key_chain.pem ] ; then
+                    install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain_dhparam.pem.tmp
+                    if type setfacl > /dev/null 2>&1 ; then
+                        local private_file_acl_groups_r
+                        read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                        if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                            for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                if getent group "${acl_group}" > /dev/null ; then
+                                    setfacl -m "g:${acl_group}:r" private/key_chain_dhparam.pem.tmp
+                                fi
+                            done
+                        fi
+                    fi
+                    cat private/key_chain.pem "${config['dhparam_file']}" >> private/key_chain_dhparam.pem.tmp
+                    state+=("changed-dhparam")
+                elif [ -r private/key_chain_dhparam.pem ] ; then
+                    if ! diff -q -N "${config['dhparam_file']}" <( sed -n '/-----BEGIN DH PARAMETERS-----/,/-----END DH PARAMETERS-----/p' private/key_chain_dhparam.pem ) > /dev/null ; then
+                        install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key_chain_dhparam.pem.tmp
+                        if type setfacl > /dev/null 2>&1 ; then
+                            local private_file_acl_groups_r
+                            read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                            if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                                for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                                    if getent group "${acl_group}" > /dev/null ; then
+                                        setfacl -m "g:${acl_group}:r" private/key_chain_dhparam.pem.tmp
+                                    fi
+                                done
+                            fi
+                        fi
+                        cat private/key_chain.pem "${config['dhparam_file']}" >> private/key_chain_dhparam.pem.tmp
+                        state+=("changed-dhparam")
+                    fi
+                fi
+            fi
+
+            break
+
+        elif [ ! -r "${authority}/cert.pem" ] && [ -r "${authority}/root.pem" ] ; then
+
+            if ! diff -q -N "${authority}/root.pem" public/root.pem > /dev/null ; then
+
+                if [ -r private/key_chain.pem ] ; then
+                    touch private/key_chain.pem.rm
+                fi
+                if [ -r private/key_chain_dhparam.pem ] ; then
+                    touch private/key_chain_dhparam.pem.rm
+                fi
+
+            fi
+
+            break
+        fi
+
+    done
+
+    umask "${current_umask}"
+}
+
+activate_new_files () {
+
+    if [ -r public/cert.pem.tmp ] || [ -r public/root.pem.tmp ] ; then
+
+        if [ ! -r public/intermediate.pem.tmp ] && [ -r public/intermediate.pem ] ; then
+            rm -f public/intermediate.pem public/cert_intermediate.pem public/cert_intermediate_dhparam.pem public/chain.pem public/intermediate_root.pem
+            state+=("file-change")
+        fi
+
+        if [ ! -r public/alt_intermediate.pem.tmp ] && [ -r public/alt_intermediate.pem ] ; then
+            rm -f public/alt_intermediate.pem public/alt_intermediate_root.pem public/alt_trusted.pem
+            state+=("file-change")
+        fi
+
+        state+=("changed-certificate")
+    fi
+
+    while IFS= read -r -d '' rm_file
+    do
+        rm -f "${rm_file/.rm/}" "${rm_file}"
+        state+=("file-deletion")
+    done <   <(find public/ -maxdepth 1 -name '*.rm' -print0)
+
+    if [ ! -r public/cert.pem ] && [ -e public/cert.pem.sig ] ; then
+        rm -f public/cert.pem.sig
+    fi
+
+    while IFS= read -r -d '' new_file
+    do
+        mv --force "${new_file}" "${new_file/.tmp/}"
+        state+=("changed-public-file")
+        state+=("file-change")
+    done <   <(find public/ -maxdepth 1 -name '*.tmp' -print0)
+
+    while IFS= read -r -d '' rm_file
+    do
+        rm -f "${rm_file/.rm/}" "${rm_file}"
+        state+=("file-deletion")
+    done <   <(find private/ -maxdepth 1 -name '*.rm' -print0)
+
+    while IFS= read -r -d '' new_file
+    do
+        mv --force "${new_file}" "${new_file/.tmp/}"
+        state+=("changed-private-file")
+        state+=("file-change")
+    done <   <(find private/ -maxdepth 1 -name '*.tmp' -print0)
+
+    update_file_signature public/cert.pem
+    update_realm_symlinks
+
+}
+
+update_realm_symlinks () {
+
+    if [ -r public/intermediate.pem ] ; then
+        cd public || exit 1
+        update_symlink chain.pem cert_intermediate_dhparam.pem cert_intermediate.pem cert_dhparam.pem cert.pem
+        update_symlink trusted.pem intermediate_root.pem root.pem
+        cd - > /dev/null
+    fi
+
+    if [ -r public/alt_intermediate_root.pem ] ; then
+        cd public || exit 1
+        update_symlink alt_trusted.pem alt_intermediate_root.pem alt_root.pem
+        cd - > /dev/null
+    fi
+
+    update_symlink default.crt public/chain.pem public/cert_dhparam.pem public/cert.pem
+    update_symlink default.key private/key.pem
+    update_symlink default.pem private/key_chain_dhparam.pem private/key_chain.pem
+    update_symlink CA.crt public/alt_trusted.pem public/alt_root.pem public/trusted.pem public/root.pem "${config['pki_default_ca_bundle']}"
+    update_symlink trusted.crt public/trusted.pem public/root.pem
+
+}
+
+sub_new-realm () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    library)
+                        args["pki_library"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    library=*)
+                        args["pki_library"]=${OPTARG#*=}
+                        ;;
+                    acme-library)
+                        args["pki_acme_library"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-library=*)
+                        args["pki_acme_library"]=${OPTARG#*=}
+                        ;;
+                    internal)
+                        args["pki_internal"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    internal=*)
+                        args["pki_internal"]=${OPTARG#*=}
+                        ;;
+                    subject)
+                        args["subject"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subject=*)
+                        args["subject"]=${OPTARG#*=}
+                        ;;
+                    domains)
+                        args["domains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    domains=*)
+                        args["domains"]=${OPTARG#*=}
+                        ;;
+                    subdomains)
+                        args["subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subdomains=*)
+                        args["subdomains"]=${OPTARG#*=}
+                        ;;
+                    subject-alt-names)
+                        args["subject_alt_names"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subjest-alt-names=*)
+                        args["subject_alt_names"]=${OPTARG#*=}
+                        ;;
+                    acme)
+                        args["pki_acme"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme=*)
+                        args["pki_acme"]=${OPTARG#*=}
+                        ;;
+                    acme-type)
+                        args["acme_type"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-type=*)
+                        args["acme_type"]=${OPTARG#*=}
+                        ;;
+                    acme-subject)
+                        args["acme_subject"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-subject=*)
+                        args["acme_subject"]=${OPTARG#*=}
+                        ;;
+                    acme-domains)
+                        args["acme_domains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-domains=*)
+                        args["acme_domains"]=${OPTARG#*=}
+                        ;;
+                    acme-subdomains)
+                        args["acme_subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-subdomains=*)
+                        args["acme_subdomains"]=${OPTARG#*=}
+                        ;;
+                    acme-alt-names)
+                        # shellcheck disable=SC2154
+                        args["acme_alt_names"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-alt-names=*)
+                        args["acme_alt_names"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script_name} new-realm <-n|--name[=]realm>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+
+        local pidfile="${config['lock_dir']}/${script_name}-${args['name']}.pid"
+
+        wait_for_pid "${pidfile}"
+        create_lock "${pidfile}"
+
+        enter_realm "${args['name']}"
+
+        local config_changed="false"
+
+        for key in "${!args[@]}" ; do
+            if [ -n "${args[${key}]+x}" ] ; then
+                if key_exists config "${key}" ; then
+                    if [ "${config[${key}]}" != "${args[${key}]}" ] ; then
+                        local config_changed="true"
+                        config["${key}"]="${args[${key}]}"
+                    fi
+                else
+                    local config_changed="true"
+                    config["${key}"]="${args[${key}]}"
+                fi
+            fi
+        done
+
+        create_public_directories "${config['public_dir_group']}" config external internal public
+
+        if [ "${config['pki_internal']}" = "false" ] ; then
+            create_public_directories "${config['public_dir_group']}" selfsigned
+        fi
+
+        create_private_directories "${config['private_dir_group']}" private
+        create_private_noacl_directories "${config['acme_dir_group']}" acme
+
+        if [ "${config_changed}" = "true" ] ; then
+            save_realm_config config/realm.conf
+        fi
+
+        local name="${config['name']}"
+        local library="${config['pki_library']}"
+        local acme_library="${config['pki_acme_library']}"
+
+        "generate_${library}_rsa_realm_key" private/realm_key.pem
+        if [ ! -r private/key.pem ] ; then
+            install -g "${config['private_file_group']}" -m "${config['private_file_mode']}" /dev/null private/key.pem.tmp
+            if type setfacl > /dev/null 2>&1 ; then
+                local private_file_acl_groups_r
+                read -r -a private_file_acl_groups_r <<< "$(echo "${config['private_file_acl_groups_r']}" | tr "/" " ")"
+                if [ ${#private_file_acl_groups_r[@]} -ne 0 ] ; then
+                    for acl_group in "${private_file_acl_groups_r[@]}" ; do
+                        if getent group "${acl_group}" > /dev/null ; then
+                            setfacl -m "g:${acl_group}:r" private/key.pem.tmp
+                        fi
+                    done
+                fi
+            fi
+            cat private/realm_key.pem >> private/key.pem.tmp
+            mv private/key.pem.tmp private/key.pem
+            state+=("new-private-key")
+        fi
+
+        if [[ ${name} != *.* && ${name} != *@* ]] ; then
+
+            if [ "${config['pki_internal']}" = "false" ] ; then
+                "create_${library}_config" "selfsigned/${library}.conf" selfsigned "${config['subject']:-${config['pki_default_subject']}}" "${config['domains']:-${config['pki_default_domain']}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+            fi
+
+            "create_${library}_config" "internal/${library}.conf" internal "${config['subject']:-${config['pki_default_subject']}}" "${config['domains']:-${config['pki_default_domain']}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+
+            if [ "${config['pki_acme']}" = "true" ] ; then
+                "create_${acme_library}_config" "acme/${acme_library}.conf" acme "${config['acme_subject']:-${config['acme_default_subject']}}" "${config['acme_domains']:-${config['acme_default_domain']}}" "${config['acme_subdomains']:-${config['acme_default_subdomains']}}" "${config['acme_alt_names']:-}"
+            fi
+
+        elif [[ ${name} == *.* && ${name} != *@* ]] ; then
+
+            if [ "${config['pki_internal']}" = "false" ] ; then
+                "create_${library}_config" "selfsigned/${library}.conf" selfsigned "${config['subject']:-cn=${name}}" "${config['domains']:-${name:-${config['pki_default_domain']}}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+            fi
+
+            "create_${library}_config" "internal/${library}.conf" internal "${config['subject']:-cn=${name}}" "${config['domains']:-${name:-${config['pki_default_domain']}}}" "${config['subdomains']:-${config['pki_default_subdomains']}}" "${config['subject_alt_names']:-}"
+
+            if [ "${config['pki_acme']}" = "true" ] ; then
+                "create_${acme_library}_config" "acme/${acme_library}.conf" acme "${config['acme_subject']:-cn=${name}}" "${config['acme_domains']:-${name:-${config['acme_default_domain']}}}" "${config['acme_subdomains']:-${config['acme_default_subdomains']}}" "${config['acme_alt_names']:-}"
+            fi
+
+        fi
+
+        if [ "${config['pki_internal']}" = "false" ] ; then
+            "generate_${library}_request" "selfsigned/${library}.conf" selfsigned/request.pem
+            "selfsign_${library}_request"
+            state+=("new-selfsigned-certificate")
+        fi
+
+        "generate_${library}_request" "internal/${library}.conf" internal/request.pem
+        state+=("new-internal-request")
+        if [ "${config['pki_acme']}" = "true" ] ; then
+            "generate_${library}_rsa_private_key" acme/account_key.pem 4096 "${config['acme_file_group']}" false
+            "generate_${acme_library}_request" "acme/${acme_library}.conf" acme/request.pem
+            chgrp "${config['acme_file_group']}" acme/request.pem
+            chmod "${config['acme_file_mode']}" acme/request.pem
+            chmod "${config['acme_dir_mode']}" acme
+            state+=("new-acme-request")
+        fi
+
+        update_realm_symlinks
+
+        run_pki_hooks
+
+    fi
+}
+
+sub_init () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    public-dir-group)
+                        args["public_dir_group"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    public-dir-group=*)
+                        args["public_dir_group"]=${OPTARG#*=}
+                        ;;
+                    private-dir-group)
+                        args["private_dir_group"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    private-dir-group=*)
+                        args["private_dir_group"]=${OPTARG#*=}
+                        ;;
+                    private-file-group)
+                        args["private_file_group"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    private-file-group=*)
+                        args["private_file_group"]=${OPTARG#*=}
+                        ;;
+                    private-dir-acl-groups)
+                        args["private_dir_acl_groups_x"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    private-dir-acl-groups=*)
+                        args["private_dir_acl_groups_x"]=${OPTARG#*=}
+                        ;;
+                    private-file-acl-groups)
+                        args["private_file_acl_groups_r"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    private-file-acl-groups=*)
+                        args["private_file_acl_groups_r"]=${OPTARG#*=}
+                        ;;
+                    authority-preference)
+                        args["pki_authority_preference"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    authority-preference=*)
+                        args["pki_authority_preference"]=${OPTARG#*=}
+                        ;;
+                    library)
+                        args["pki_library"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    library=*)
+                        args["pki_library"]=${OPTARG#*=}
+                        ;;
+                    internal)
+                        args["pki_internal"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    internal=*)
+                        args["pki_internal"]=${OPTARG#*=}
+                        ;;
+                    selfsigned-sign-days)
+                        args["selfsigned_sign_days"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    selfsigned-sign-days=*)
+                        args["selfsigned_sign_days"]=${OPTARG#*=}
+                        ;;
+                    subject)
+                        args["subject"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subject=*)
+                        args["subject"]=${OPTARG#*=}
+                        ;;
+                    domains)
+                        args["domains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    domains=*)
+                        args["domains"]=${OPTARG#*=}
+                        ;;
+                    subdomains)
+                        args["subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subdomains=*)
+                        args["subdomains"]=${OPTARG#*=}
+                        ;;
+                    subject-alt-names)
+                        args["subject_alt_names"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    subjest-alt-names=*)
+                        args["subject_alt_names"]=${OPTARG#*=}
+                        ;;
+                    default-domain)
+                        args["pki_default_domain"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    default-domain=*)
+                        args["pki_default_domain"]=${OPTARG#*=}
+                        ;;
+                    default-subdomains)
+                        args["pki_default_subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    default-subdomains=*)
+                        args["pki_default_subdomains"]=${OPTARG#*=}
+                        ;;
+                    dhparam)
+                        args["pki_dhparam"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    dhparam=*)
+                        args["pki_dhparam"]=${OPTARG#*=}
+                        ;;
+                    dhparam-file)
+                        args["dhparam_file"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    dhparam-file=*)
+                        args["dhparam_file"]=${OPTARG#*=}
+                        ;;
+                    realm-key-size)
+                        args["realm_key_size"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    realm-key-size=*)
+                        args["realm_key_size"]=${OPTARG#*=}
+                        ;;
+                    acme)
+                        args["pki_acme"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme=*)
+                        args["pki_acme"]=${OPTARG#*=}
+                        ;;
+                    acme-type)
+                        args["acme_type"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-type=*)
+                        args["acme_type"]=${OPTARG#*=}
+                        ;;
+                    acme-subject)
+                        args["acme_subject"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-subject=*)
+                        args["acme_subject"]=${OPTARG#*=}
+                        ;;
+                    acme-domains)
+                        args["acme_domains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-domains=*)
+                        args["acme_domains"]=${OPTARG#*=}
+                        ;;
+                    acme-subdomains)
+                        args["acme_subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-subdomains=*)
+                        args["acme_subdomains"]=${OPTARG#*=}
+                        ;;
+                    acme-alt-names)
+                        args["acme_alt_names"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-alt-names=*)
+                        args["acme_alt_names"]=${OPTARG#*=}
+                        ;;
+                    acme-ca)
+                        args["acme_ca"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-ca=*)
+                        args["acme_ca"]=${OPTARG#*=}
+                        ;;
+                    acme-ca-api)
+                        args["acme_ca_api"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-ca-api=*)
+                        args["acme_ca_api"]=${OPTARG#*=}
+                        ;;
+                    acme-contacts)
+                        args["acme_contacts"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-contacts=*)
+                        args["acme_contacts"]=${OPTARG#*=}
+                        ;;
+                    acme-default-subdomains)
+                        args["acme_default_subdomains"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-default-subdomains=*)
+                        args["acme_default_subdomains"]=${OPTARG#*=}
+                        ;;
+                    acme-challenge-dir)
+                        args["acme_challenge_dir"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    acme-challenge-dir=*)
+                        args["acme_challenge_dir"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script_name} init <-n|--name[=]realm>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+
+        local pidfile="${config['lock_dir']}/${script_name}-${args['name']}.pid"
+
+        wait_for_pid "${pidfile}"
+        create_lock "${pidfile}"
+
+        enter_realm "${args['name']}"
+
+        local config_changed="false"
+
+        for key in "${!args[@]}" ; do
+            if [ -n "${args[${key}]+x}" ] ; then
+                if key_exists config "${key}" ; then
+                    if [ "${config[${key}]}" != "${args[${key}]}" ] ; then
+                        local config_changed="true"
+                        config["${key}"]="${args[${key}]}"
+                    fi
+                else
+                    local config_changed="true"
+                    config["${key}"]="${args[${key}]}"
+                fi
+            fi
+        done
+
+        create_public_directories "${config['public_dir_group']}" config external internal public
+        create_private_directories "${config['private_dir_group']}" private
+        create_private_noacl_directories "${config['acme_dir_group']}" acme
+
+        if [ "${config['pki_internal']}" = "false" ] ; then
+            create_public_directories "${config['public_dir_group']}" selfsigned
+        fi
+
+        if [ "${config_changed}" = "true" ] ; then
+            save_realm_config config/realm.conf
+        fi
+
+        run_pki_hooks
+
+    fi
+}
+
+sub_run () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script_name} run <-n|--name[=]realm>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+
+        local pidfile="${config['lock_dir']}/${script_name}-${args['name']}.pid"
+
+        wait_for_pid "${pidfile}"
+        create_lock "${pidfile}"
+
+        enter_realm "${args['name']}"
+
+        check_files
+        request_acme_certificate
+        run_external_script
+        process_public_files
+        process_private_files
+        activate_new_files
+        update_realm_symlinks
+        check_public_certificate
+        run_pki_hooks
+
+    fi
+}
+
+schedule_job () {
+    local name="${1}"
+    local scheduler_type="${2}"
+    local min_delay="${3:-30}"
+    local max_delay="${4:-300}"
+
+    if [ -n "${scheduler_type}" ] && [ "${scheduler_type}" = "batch" ] ; then
+        if type batch > /dev/null 2>&1 ; then
+            echo "${script} run -n '${name}'" | batch > /dev/null 2>&1
+        fi
+    elif [ -n "${scheduler_type}" ] && [ "${scheduler_type}" = "sleep" ] ; then
+        ( sleep $(( ( RANDOM % max_delay ) + min_delay )) ; ${script} run -n "${name}" ) &
+    else
+        if type batch > /dev/null 2>&1 ; then
+            echo "${script} run -n '${name}'" | batch > /dev/null 2>&1
+        else
+            ( sleep $(( ( RANDOM % max_delay ) + min_delay )) ; ${script} run -n "${name}" ) &
+        fi
+    fi
+}
+
+sub_schedule () {
+
+    local -A args
+
+    local optspec=":hn-:"
+    while getopts "${optspec}" optchar; do
+        case "${optchar}" in
+            -)
+                case "${OPTARG}" in
+                    name)
+                        args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    name=*)
+                        args["name"]=${OPTARG#*=}
+                        ;;
+                    realm-dir)
+                        # shellcheck disable=SC2154
+                        args["realm_dir"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    realm-dir=*)
+                        args["realm_dir"]=${OPTARG#*=}
+                        ;;
+                    type)
+                        # shellcheck disable=SC2154
+                        args["type"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    type=*)
+                        args["type"]=${OPTARG#*=}
+                        ;;
+                    min-delay)
+                        args["min_delay"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    min-delay=*)
+                        args["min_delay"]=${OPTARG#*=}
+                        ;;
+                    max-delay)
+                        args["max_delay"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                        ;;
+                    max-delay=*)
+                        args["max_delay"]=${OPTARG#*=}
+                        ;;
+                    *)
+                        if [ "$OPTERR" = 1 ] && [ "${optspec:0:1}" != ":" ]; then
+                            echo "Unknown option --${OPTARG}" >&2
+                        fi
+                        ;;
+                esac
+                ;;
+            h)
+                echo "usage: ${script_name} schedule <-n|--name[=]realm>" >&2
+                exit 2
+                ;;
+            n)
+                args["name"]="${!OPTIND}"; OPTIND=$(( OPTIND + 1 ))
+                ;;
+            *)
+                if [ "$OPTERR" != 1 ] || [ "${optspec:0:1}" = ":" ]; then
+                    echo "Non-option argument: '-${OPTARG}'" >&2
+                fi
+                ;;
+        esac
+    done
+
+    if key_exists args "name" ; then
+        schedule_job "${args['name']}" "${args['type']:-}" "${args['min_delay']:-}" "${args['max_delay']:-}"
+    elif key_exists args "realm_dir" ; then
+        for realm in "${args['realm_dir']}"/* ; do
+            schedule_job "$(basename "${realm}")" "${args['type']:-}" "${args['min_delay']:-}" "${args['max_delay']:-}"
+        done
+    else
+        if [ -d "${config['pki_realms']}" ] ; then
+            for realm in "${config['pki_realms']}"/* ; do
+                schedule_job "$(basename "${realm}")" "${args['type']:-}" "${args['min_delay']:-}" "${args['max_delay']:-}"
+            done
+        fi
+    fi
+}
+
+print_usage () {
+    cat << EOF
+Usage: ${script_name} <command> [parameters]
+Available commands:
+
+            init
+            "usage: ${script_name} init <-n|--name[=]realm>"
+
+            new-realm
+            "usage: ${script_name} new-realm <-n|--name[=]realm>"
+
+            run
+            "usage: ${script_name} run <-n|--name[=]realm>"
+
+            schedule
+            "usage: ${script_name} schedule <-n|--name[=]realm>"
+EOF
+
+}
+
+initialize_environment
+
+if [ $# -gt 0 ] ; then
+
+    subcommand="${1}"
+
+    if [ -n "${subcommand}" ] ; then
+        case "${subcommand}" in
+            init|new-realm|run|schedule)
+                shift
+                "sub_${subcommand}" "${@}"
+                ;;
+
+            *)
+                echo "${script_name}: Error: unknown subcommand '${subcommand}'" >&2
+                print_usage
+                exit 1
+                ;;
+        esac
+    fi
+
+else
+    print_usage
+    exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/pki/meta/main.yml b/ansible_collections/debops/debops/roles/pki/meta/main.yml
new file mode 100644
index 00000000..98c62c9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - encryption
+    - hardening
+    - security
+    - pki
+    - ssl
+    - tls
+    - acme
+    - letsencrypt
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/acme_tiny.yml b/ansible_collections/debops/debops/roles/pki/tasks/acme_tiny.yml
new file mode 100644
index 00000000..7661cad4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/acme_tiny.yml
@@ -0,0 +1,66 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create ACME system group
+  ansible.builtin.group:
+    name: '{{ pki_acme_group }}'
+    state: 'present'
+    system: True
+
+- name: Create ACME system account
+  ansible.builtin.user:
+    name: '{{ pki_acme_user }}'
+    group: '{{ pki_acme_group }}'
+    home: '{{ pki_acme_home }}'
+    state: 'present'
+    system: True
+    createhome: False
+    shell: '/bin/false'
+
+- name: Install acme-tiny from source
+  when: ansible_distribution_release in
+        ["stretch", "buster", "bookworm", "trusty", "xenial", "bionic"]
+  block:
+
+    - name: Create source directory
+      ansible.builtin.file:
+        path: '{{ pki_acme_tiny_src }}'
+        state: 'directory'
+        owner: 'root'
+        group: 'root'
+        mode: '0755'
+
+    - name: Clone acme-tiny source code
+      ansible.builtin.git:
+        repo: '{{ pki_acme_tiny_repo }}'
+        dest: '{{ pki_acme_tiny_src + "/acme-tiny" }}'
+        version: '{{ pki_acme_tiny_version }}'
+
+    - name: Install acme-tiny script
+      ansible.builtin.file:
+        path: '{{ pki_acme_tiny_bin }}'
+        src: '{{ pki_acme_tiny_src }}/acme-tiny/acme_tiny.py'
+        state: 'link'
+        force: True  # Overwrite previously copied script
+        mode: '0755'
+
+- name: Create ACME challenge path
+  ansible.builtin.file:
+    path: '{{ pki_acme_challenge_dir | dirname }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: pki_create_acme_challenge_dir
+
+- name: Create ACME challenge directory
+  ansible.builtin.file:
+    path: '{{ pki_acme_challenge_dir }}'
+    state: 'directory'
+    owner: '{{ pki_acme_user }}'
+    group: '{{ pki_acme_group }}'
+    mode: '0755'
+  when: pki_create_acme_challenge_dir
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/ca_certificates.yml b/ansible_collections/debops/debops/roles/pki/tasks/ca_certificates.yml
new file mode 100644
index 00000000..353f9b80
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/ca_certificates.yml
@@ -0,0 +1,70 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Set default trust policy for new certificates
+  ansible.builtin.debconf:
+    name: 'ca-certificates'
+    question: 'ca-certificates/trust_new_crts'
+    vtype: 'select'
+    value: '{{ "yes" if (pki_system_ca_certificates_trust_new | bool) else "no" }}'
+
+- name: Get list of known certificates
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         grep -E -e '^[^#].*$' /etc/ca-certificates.conf | sed -e 's/^!//' || true
+  args:
+    executable: 'bash'
+  register: pki_register_ca_certificates_known
+  changed_when: False
+  check_mode: False
+
+- name: Get list of untrusted certificates
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         grep -E -e '^!+' /etc/ca-certificates.conf | sed -e 's/^!//' || true
+  args:
+    executable: 'bash'
+  register: pki_register_ca_certificates_untrusted
+  changed_when: False
+  check_mode: False
+
+- name: Get list of trusted certificates
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         grep -E -e '^[^#!].*$' /etc/ca-certificates.conf | sed -e 's/^!//' || true
+  args:
+    executable: 'bash'
+  register: pki_register_ca_certificates_trusted
+  changed_when: False
+  check_mode: False
+
+- name: Get list of blacklisted certificates
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         grep -E -e '{{ pki_system_ca_certificates_blacklist | join("' -e '") }}'
+         /etc/ca-certificates.conf | sed -e 's/^!//' || true
+  args:
+    executable: 'bash'
+  register: pki_register_ca_certificates_blacklist
+  changed_when: False
+  check_mode: False
+  when: pki_system_ca_certificates_blacklist is defined and pki_system_ca_certificates_blacklist
+
+- name: Get list of whitelisted certificates
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         grep -E -e '{{ pki_system_ca_certificates_whitelist | join("' -e '") }}'
+              /etc/ca-certificates.conf | sed -e 's/^!//' || true
+  args:
+    executable: 'bash'
+  register: pki_register_ca_certificates_whitelist
+  changed_when: False
+  check_mode: False
+  when: pki_system_ca_certificates_whitelist is defined and pki_system_ca_certificates_whitelist
+
+- name: Configure system CA certificates
+  ansible.builtin.template:
+    src: 'etc/ca-certificates.conf.j2'
+    dest: '/etc/ca-certificates.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reconfigure ca-certificates' ]
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/certbot.yml b/ansible_collections/debops/debops/roles/pki/tasks/certbot.yml
new file mode 100644
index 00000000..20f54edd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/certbot.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# The 'certbot' package and its dependencies should be installed at this point.
+
+- name: Make sure that the post-hook directory exists
+  ansible.builtin.file:
+    path: '/etc/letsencrypt/renewal-hooks/post'
+    state: 'directory'
+    mode: '0755'
+
+- name: Install deploy-hook scripts
+  ansible.builtin.copy:
+    src: 'etc/letsencrypt/renewal-hooks/deploy/'
+    dest: '/etc/letsencrypt/renewal-hooks/deploy/'
+    mode: '0755'
+
+- name: Install post-hook scripts
+  ansible.builtin.copy:
+    src: 'etc/letsencrypt/renewal-hooks/post/'
+    dest: '/etc/letsencrypt/renewal-hooks/post/'
+    mode: '0755'
+
+- name: Divert the original certbot configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/letsencrypt/cli.ini'
+    state: 'present'
+
+- name: Generate certbot configuration file
+  ansible.builtin.template:
+    src: 'etc/letsencrypt/cli.ini.j2'
+    dest: '/etc/letsencrypt/cli.ini'
+    mode: '0644'
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/main.yml b/ansible_collections/debops/debops/roles/pki/tasks/main.yml
new file mode 100644
index 00000000..97791bfc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/main.yml
@@ -0,0 +1,568 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'pki/pre_main.yml') }}"
+
+- name: Generate random session token
+  ansible.builtin.set_fact:
+    pki_fact_session_token: '{{ 9999999999999999999999999999999999999 | random | string | hash("sha256") }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+
+- name: Expose host FQDN and library path in temporary variables
+  ansible.builtin.set_fact:
+    pki_fact_lib_path: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                           + "/pki" }}'
+
+# Install PKI packages [[[
+- name: Install PKI packages
+  ansible.builtin.apt:
+    name: '{{ (pki_base_packages
+             + (pki_acme_packages if (pki_acme | bool or pki_acme_install | bool) else [])
+             + pki_packages)
+             | flatten }}'
+    state: 'present'
+    install_recommends: False
+    cache_valid_time: '{{ ansible_local.core.cache_valid_time | d("86400") }}'
+  register: pki__register_packages
+  until: pki__register_packages is succeeded
+  when: pki_enabled | bool
+# .. ]]]
+
+# Assert that required dependencies are met as documented [[[
+- name: Check Ansible Controller bash version
+  ansible.builtin.command: "/usr/bin/env bash -c 'echo $BASH_VERSION'"
+  changed_when: False
+  register: pki__register_bash_version
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  check_mode: False
+
+- name: Check Ansible Controller crypto library version
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if pki_ca_library == 'gnutls' %}
+    certtool --version | head -n 1 | awk '{print $NF}'
+    {% elif pki_ca_library == 'openssl' %}
+    openssl version | awk '{print $2}'
+    {% endif %}
+  args:
+    executable: 'bash'
+  changed_when: False
+  register: pki__register_crypto_library_version
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  check_mode: False
+
+- name: Assert that required dependencies are met as documented
+  ansible.builtin.assert:
+    that:
+      - 'pki__register_bash_version.stdout | regex_replace("[^0-9.]", "") is version_compare("4.3.0", ">=")'
+      - 'pki__register_crypto_library_version.stdout | regex_replace("[a-z]", "")
+         is version_compare("1.0.1" if (pki_ca_library == "openssl")
+                                    else pki__register_crypto_library_version.stdout, ">=")'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  when: pki_authorities | d() and pki_dependent_authorities | d()
+# .. ]]]
+
+# Create scripts and library/secrets directory [[[
+- name: Create library directory
+  ansible.builtin.file:
+    path: '{{ pki_fact_lib_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: pki_enabled | bool
+
+- name: Install local PKI scripts
+  ansible.builtin.copy:
+    src: 'secret/pki/lib/'
+    dest: '{{ secret + "/pki/lib/" }}'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  run_once: True
+  when: (pki_authorities or pki_dependent_authorities)
+
+- name: Install remote PKI scripts
+  ansible.builtin.copy:
+    src: 'usr/local/lib/pki/'
+    dest: '{{ pki_fact_lib_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: pki_enabled | bool
+# .. ]]]
+
+- name: Create private groups if requested
+  ansible.builtin.group:
+    name: '{{ item.name | d(item) }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  with_items: '{{ pki_private_groups_present }}'
+  when: ((pki_enabled | bool and pki_private_groups_present) and
+         (item.when | d(True) | bool))
+
+- name: Configure acme-tiny support
+  ansible.builtin.include_tasks: acme_tiny.yml
+  when: (pki_enabled | bool and
+         (pki_acme | bool or pki_acme_install | bool))
+
+- name: Configure certbot support
+  ansible.builtin.include_tasks: certbot.yml
+  when: (pki_enabled | bool and
+         (pki_acme | bool or pki_acme_install | bool) and
+          pki_acme_type != 'acme-tiny')
+
+# Initialize PKI realms [[[
+
+- name: Ensure that /etc/pki directory exists
+  ansible.builtin.file:
+    path: '/etc/pki'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Ensure that sensitive files are excluded from version control
+  ansible.builtin.template:
+    src: 'etc/pki/gitignore.j2'
+    dest: '/etc/pki/.gitignore'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Initialize PKI realms
+  environment:
+    PKI_ROOT: '{{ pki_root }}'
+    PKI_ACME: '{{ (item.acme | d(pki_acme)) | bool | lower }}'
+    PKI_INTERNAL: '{{ (item.internal | d(pki_internal)) | bool | lower }}'
+    PKI_LIBRARY: '{{ item.library | d(pki_library) }}'
+    PKI_ACME_LIBRARY: '{{ item.acme_library | d(pki_acme_library) }}'
+  ansible.builtin.command: |
+    "{{ pki_fact_lib_path }}/pki-realm" init -n "{{ item.name }}"
+    --authority-preference "{{ (item.authority_preference | d(pki_authority_preference)) | join('/') }}"
+    --library "{{ item.library | d(pki_library) }}"
+    --realm-key-size "{{ item.realm_key_size | d(pki_realm_key_size) }}"
+    --internal "{{ (item.internal | d(pki_internal)) | bool | lower }}"
+    --private-dir-group "{{ item.private_dir_group | d(pki_private_group) }}"
+    --private-file-group "{{ item.private_file_group | d(pki_private_group) }}"
+    --private-dir-acl-groups "{{ (item.private_dir_acl_groups | d(pki_private_dir_acl_groups)) | join('/') }}"
+    --private-file-acl-groups "{{ (item.private_file_acl_groups | d(pki_private_file_acl_groups)) | join('/') }}"
+    --acme-ca "{{ item.acme_ca | d(pki_acme_ca) }}"
+    --acme-ca-api "{{ item.acme_ca_api | d(pki_acme_ca_api_map[item.acme_ca | d(pki_acme_ca)]) }}"
+    --acme-type "{{ item.type | d(pki_acme_type) }}"
+    --acme-contacts "{{ item.acme_contacts | d(pki_acme_contacts) | join(',') }}"
+    --acme-domains "{{ item.acme_domains | d([]) | join('/') }}"
+    --acme-default-subdomains "{{ (item.acme_default_subdomains | d(pki_acme_default_subdomains)) | join('/') }}"
+    --acme-challenge-dir "{{ item.acme_challenge_dir | d(pki_acme_challenge_dir) }}"
+    --default-domain "{{ item.default_domain | d(pki_default_domain) }}"
+    --default-subdomains "{{ (item.default_subdomains | d(pki_default_subdomains)) | join('/') }}"
+    --dhparam "{{ (item.dhparam | d(pki_dhparam)) | bool | lower }}"
+    --dhparam-file "{{ item.dhparam_file | d(pki_dhparam_file) }}"
+    --selfsigned-sign-days "{{ item.selfsigned_sign_days | d('365') }}"
+  args:
+    creates: '{{ pki_root + "/realms/" + item.name + "/config/realm.conf" }}'
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  when: (pki_enabled | bool and item.name is defined and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+
+- name: Configure PKI realm environment
+  ansible.builtin.template:
+    src: 'etc/pki/realms/realm/config/environment.j2'
+    dest: '{{ pki_root + "/realms/" + item.name + "/config/environment" }}'
+    mode: '0640'
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  when: (pki_enabled | bool and item.name is defined and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+# ]]]
+
+# Download files [[[
+- name: Download private files to remove hosts
+  when: pki_download_extra | bool
+  block:
+    - name: Download custom private files
+      ansible.builtin.copy:
+        src: '{{ item.src | d(omit) }}'
+        content: '{{ item.content | d(omit) }}'
+        dest: '{{ item.dest }}'
+        owner: '{{ item.owner | d("root") }}'
+        group: '{{ item.group | d(pki_private_group) }}'
+        mode: '{{ item.mode | d("0640") }}'
+        directory_mode: '{{ item.directory_mode | d(omit) }}'
+        follow: '{{ item.follow | d(omit) }}'
+        force: '{{ item.force | d(omit) }}'
+      loop: '{{ q("flattened", pki_private_files
+                               + pki_group_private_files
+                               + pki_host_private_files) }}'
+      when: (pki_enabled | bool and (item.src is defined or item.content is defined) and
+             item.dest is defined)
+
+    - name: Download private realm contents by host
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-host/" + inventory_hostname + "/" + item.name + "/private/" }}'
+        dest: '/etc/pki/realms/{{ item.name }}/private/'
+        owner: 'root'
+        group: '{{ item.private_file_group | d(pki_private_group) }}'
+        mode: '0640'
+      with_items:
+        - '{{ pki_realms + pki_group_realms + pki_host_realms + pki_default_realms + pki_dependent_realms }}'
+      when: (pki_enabled | bool and item.name is defined and
+             (item.enabled | d(True) | bool) and
+             (item.when | d(True) | bool))
+
+    - name: Download private realm contents by group
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-group/" + item.1 + "/" + item.0.name + "/private/" }}'
+        dest: '/etc/pki/realms/{{ item.0.name }}/private/'
+        owner: 'root'
+        group: '{{ item.private_file_group | d(pki_private_group) }}'
+        mode: '0640'
+        force: False
+      with_nested:
+        - '{{ pki_group_realms + pki_default_realms }}'
+        - '{{ pki_inventory_groups }}'
+      when: (pki_enabled | bool and (item.0.name is defined and
+             (item.0.enabled | d(True) | bool) and
+             (item.0.when | d(True) | bool)) and
+             (item.1 is defined and item.1 in group_names))
+
+    - name: Download private realm contents for all hosts
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-group/all/" + item.name + "/private/" }}'
+        dest: '/etc/pki/realms/{{ item.name }}/private/'
+        owner: 'root'
+        group: '{{ item.private_file_group | d(pki_private_group) }}'
+        mode: '0640'
+        force: False
+      with_items:
+        - '{{ pki_realms + pki_default_realms }}'
+      when: (pki_enabled | bool and item.name is defined and
+             (item.enabled | d(True) | bool) and
+             (item.when | d(True) | bool))
+    # ]]]
+
+# Create new PKI realms [[[
+- name: Create new PKI realms
+  environment:
+    PKI_SESSION_TOKEN: '{{ pki_fact_session_token }}'
+  ansible.builtin.command: |
+           "{{ pki_fact_lib_path }}/pki-realm" new-realm -n "{{ item.name }}"
+           --subject "{{ item.subject | d([]) | join('/') }}"
+           --domains "{{ item.domains | d([]) | join('/') }}"
+           --subdomains "{{ item.subdomains | d([]) | join('/') }}"
+           --acme "{{ item.acme | d(pki_acme) | bool | lower }}"
+           --acme-type "{{ item.type | d(pki_acme_type) }}"
+           --acme-subject "{{ item.acme_subject | d([]) | join('/') }}"
+           --acme-domains "{{ item.acme_domains | d([]) | join('/') }}"
+           --acme-subdomains "{{ item.acme_subdomains | d([]) | join('/') }}"
+           --subject-alt-names "{{ item.subject_alt_names | d([]) | join('|') }}"
+           --acme-alt-names "{{ item.acme_alt_names | d([]) | join('|') }}"
+  args:
+    creates: '/etc/pki/realms/{{ item.name }}/default.key'
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  when: (pki_enabled | bool and item.name is defined and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+# ]]]
+
+# Execute PKI realm commands [[[
+- name: Execute PKI realm commands
+  environment:
+    PKI_SESSION_TOKEN: '{{ pki_fact_session_token }}'
+  ansible.builtin.command: '"{{ pki_fact_lib_path }}/pki-realm" run -n "{{ item.name }}"'
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  changed_when: False
+  when: (pki_enabled | bool and item.name is defined and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+# ]]]
+
+# Upload internal certificate requests [[[
+- name: Upload internal certificate requests
+  ansible.builtin.fetch:
+    src: '/etc/pki/realms/{{ item.name }}/internal/request.pem'
+    dest: '{{ secret + "/pki/requests/" + (item.authority | d(pki_default_authority)) +
+              "/" + inventory_hostname + "/" + item.name + "/request.pem" }}'
+    flat: True
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  when: (pki_enabled | bool and item.name is defined and
+         ((item.internal | d(True) | bool) and pki_internal | bool) and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+# ]]]
+
+# PKI authorities [[[
+- name: Initialize PKI authorities
+  environment:
+    PKI_ROOT: '{{ secret + "/pki" }}'
+    PKI_LIBRARY: '{{ item.pki_ca_library | d(pki_ca_library) }}'
+    PKI_CA_CERTIFICATES: '{{ secret + "/pki/ca-certificates/"
+                             + (item.ca_certificates_path | d(pki_ca_certificates_path)) }}'
+  ansible.builtin.command: ./lib/pki-authority init --name "{{ item.name }}"
+           --default-sign-base "{{ pki_default_sign_base }}"
+           --root-sign-multiplier "{{ pki_default_root_sign_multiplier }}"
+           --ca-sign-multiplier "{{ pki_default_ca_sign_multiplier }}"
+           --cert-sign-multiplier "{{ pki_default_cert_sign_multiplier }}"
+  args:
+    chdir: '{{ secret + "/pki" }}'
+    creates: '{{ secret + "/pki/authorities/" + item.name + "/config/authority.conf" }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  loop: '{{ q("flattened", pki_authorities + pki_dependent_authorities) }}'
+  when: (item.name is defined and (item.enabled | d(True) | bool))
+
+- name: Create PKI authorities
+  environment:
+    PKI_SESSION_TOKEN: '{{ pki_fact_session_token }}'
+    PKI_ROOT: '{{ secret + "/pki" }}'
+    PKI_LIBRARY: '{{ item.pki_ca_library | d(pki_ca_library) }}'
+    PKI_CA_CERTIFICATES: '{{ secret + "/pki/ca-certificates/"
+                             + (item.ca_certificates_path | d(pki_ca_certificates_path)) }}'
+  ansible.builtin.command: ./lib/pki-authority new-ca --name "{{ item.name }}"
+           --type "{{ item.type | d('') }}"
+           --domain "{{ item.domain | d(pki_ca_domain) }}"
+           --subdomain "{{ item.subdomain }}"
+           --subject "{{ item.subject | join('/') }}"
+           --issuer-name "{{ item.issuer_name | d('') }}"
+           --root-sign-days "{{ item.root_sign_days | d('') }}"
+           --ca-sign-days "{{ item.ca_sign_days | d('') }}"
+           --cert-sign-days "{{ item.cert_sign_days | d('') }}"
+           --system-ca "{{ (item.system_ca | d(True)) | bool | lower }}"
+           --alt-authority "{{ item.alt_authority | d('') }}"
+           --key-size "{{ item.key_size | d('') }}"
+           --crl "{{ item.crl | d(True) }}"
+           --ocsp "{{ item.ocsp | d(True) }}"
+           --name-constraints "{{ item.name_constraints | d(pki_ca_name_constraints) }}"
+           --name-constraints-critical "{{ item.name_constraints_critical | d(pki_ca_name_constraints_critical) }}"
+  args:
+    chdir: '{{ secret + "/pki" }}'
+    creates: '{{ secret + "/pki/authorities/" + item.name + "/subject/cert.pem" }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  loop: '{{ q("flattened", pki_authorities + pki_dependent_authorities) }}'
+  when: (item.name is defined and (item.enabled | d(True) | bool))
+# ]]]
+
+# Sign certificate requests [[[
+- name: Sign certificate requests for current hosts
+  environment:
+    PKI_SESSION_TOKEN: '{{ pki_fact_session_token }}'
+  ansible.builtin.command: ./lib/pki-authority sign-by-host
+           {% for host in play_hosts %}{{ host }} {% endfor %}
+  args:
+    chdir: '{{ secret + "/pki" }}'
+  delegate_to: 'localhost'
+  register: pki_register_sign_by_host
+  become: False
+  run_once: True
+  when: (pki_authorities or pki_dependent_authorities)
+  changed_when: pki_register_sign_by_host.stdout | d()
+# ]]]
+
+# Download files [[[
+- name: Download public files to remote hosts
+  when: pki_download_extra | bool
+  block:
+    - name: Download public realm contents by host
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-host/" + inventory_hostname + "/" + item.0.name + "/" + item.1 + "/" }}'
+        dest: '/etc/pki/realms/{{ item.0.name }}/{{ item.1 }}/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+      with_nested:
+        - '{{ pki_realms + pki_group_realms + pki_host_realms + pki_default_realms + pki_dependent_realms }}'
+        - [ 'external', 'internal' ]
+      when: (pki_enabled | bool and item.0.name is defined and
+             (item.0.enabled | d(True) | bool) and
+             (item.0.when | d(True) | bool))
+
+    - name: Download custom public files
+      ansible.builtin.copy:
+        src: '{{ item.src | d(omit) }}'
+        content: '{{ item.content | d(omit) }}'
+        dest: '{{ item.dest }}'
+        owner: '{{ item.owner | d("root") }}'
+        group: '{{ item.group | d(pki_public_group) }}'
+        mode: '{{ item.mode | d("0644") }}'
+        directory_mode: '{{ item.directory_mode | d(omit) }}'
+        follow: '{{ item.follow | d(omit) }}'
+        force: '{{ item.force | d(omit) }}'
+      loop: '{{ q("flattened", pki_public_files
+                               + pki_group_public_files
+                               + pki_host_public_files) }}'
+      when: (pki_enabled | bool and (item.src is defined or item.content is defined) and
+             item.dest is defined)
+
+    - name: Download external realm contents by group
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-group/" + item.1 + "/" + item.0.name + "/external/" }}'
+        dest: '/etc/pki/realms/{{ item.0.name }}/external/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        force: False
+      with_nested:
+        - '{{ pki_group_realms + pki_default_realms }}'
+        - '{{ pki_inventory_groups }}'
+      when: (pki_enabled | bool and (item.0.name is defined and
+              (item.0.enabled | d(True) | bool) and
+              (item.0.when | d(True) | bool)) and
+              (item.1 is defined and item.1 in group_names))
+
+    - name: Download external realm contents for all hosts
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/realms/by-group/all/" + item.name + "/external/" }}'
+        dest: '/etc/pki/realms/{{ item.name }}/external/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        force: False
+      with_items:
+        - '{{ pki_realms + pki_default_realms }}'
+      when: (pki_enabled | bool and item.name is defined and
+             (item.enabled | d(True) | bool) and
+             (item.when | d(True) | bool))
+
+    - name: Download custom CA certificates by host
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/ca-certificates/by-host/" + inventory_hostname + "/" }}'
+        dest: '/usr/local/share/ca-certificates/pki/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+      notify: [ 'Regenerate ca-certificates.crt' ]
+      when: pki_system_ca_certificates_download_by_host | d(pki_enabled) | bool
+
+    - name: Download custom CA certificates by group
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/ca-certificates/by-group/" + item + "/" }}'
+        dest: '/usr/local/share/ca-certificates/pki/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        force: False
+      with_items: '{{ pki_inventory_groups }}'
+      notify: [ 'Regenerate ca-certificates.crt' ]
+      when: ((pki_system_ca_certificates_download_by_group | d(pki_enabled) | bool) and item in group_names)
+
+    - name: Download custom CA certificates for all hosts
+      ansible.builtin.copy:
+        src: '{{ secret + "/pki/ca-certificates/by-group/all/" }}'
+        dest: '/usr/local/share/ca-certificates/pki/'
+        owner: 'root'
+        group: 'root'
+        mode: '0644'
+        force: '{{ pki_system_ca_certificates_download_all_hosts_force | bool }}'
+      notify: [ 'Regenerate ca-certificates.crt' ]
+      when: pki_system_ca_certificates_download_all_hosts | d(pki_enabled) | bool
+# ]]]
+
+# Execute PKI realm commands [[[
+- name: Execute PKI realm commands
+  environment:
+    PKI_SESSION_TOKEN: '{{ pki_fact_session_token }}'
+  ansible.builtin.command: '"{{ pki_fact_lib_path }}/pki-realm" run -n "{{ item.name }}"'
+  loop: '{{ q("flattened", pki_realms
+                           + pki_group_realms
+                           + pki_host_realms
+                           + pki_default_realms
+                           + pki_dependent_realms) }}'
+  changed_when: False
+  when: (pki_enabled | bool and item.name is defined and
+         (item.enabled | d(True) | bool) and
+         (item.when | d(True) | bool))
+# ]]]
+
+# Manage PKI scheduler [[[
+- name: Manage PKI scheduler
+  ansible.builtin.cron:
+    name: 'Process PKI system realms'
+    user: 'root'
+    cron_file: 'pki-realm-scheduler'
+    job: 'test -x "{{ pki_fact_lib_path }}/pki-realm" && "{{ pki_fact_lib_path }}/pki-realm" schedule'
+    special_time: '{{ pki_scheduler_interval }}'
+    state: '{{ "present" if (pki_enabled | bool and pki_scheduler | bool) else "absent" }}'
+  when: not ansible_check_mode
+# ]]]
+
+- name: Manage system CA certificates
+  ansible.builtin.include_tasks: ca_certificates.yml
+  when: pki_enabled | bool
+
+# Ansible local facts [[[
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/pki.fact.j2'
+    dest: '/etc/ansible/facts.d/pki.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  register: pki_register_facts
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Flush handlers for PKI
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'pki/post_main.yml') }}"
+
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/main_env.yml b/ansible_collections/debops/debops/roles/pki/tasks/main_env.yml
new file mode 100644
index 00000000..793d4517
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/main_env.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.pki environment
+  ansible.builtin.set_fact:
+    pki_env_secret_directories: '{{ lookup("template", "lookup/pki_env_secret_directories.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/pki/post_main.yml b/ansible_collections/debops/debops/roles/pki/tasks/pki/post_main.yml
new file mode 100644
index 00000000..06e067d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/pki/post_main.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# You can have your own tasks run before and after the pki role
+# by creating a tasks/pki/pre_main.yml relative to your playbook.
+# To make debops find these, place something like following in
+# your .debops.cfg:
+#   [paths]
+#   template-paths: ansible/templates
+#   task-paths: ansible/tasks/
+#   file-paths: ansible/files/
diff --git a/ansible_collections/debops/debops/roles/pki/tasks/pki/pre_main.yml b/ansible_collections/debops/debops/roles/pki/tasks/pki/pre_main.yml
new file mode 100644
index 00000000..06e067d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/tasks/pki/pre_main.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# You can have your own tasks run before and after the pki role
+# by creating a tasks/pki/pre_main.yml relative to your playbook.
+# To make debops find these, place something like following in
+# your .debops.cfg:
+#   [paths]
+#   template-paths: ansible/templates
+#   task-paths: ansible/tasks/
+#   file-paths: ansible/files/
diff --git a/ansible_collections/debops/debops/roles/pki/templates/etc/ansible/facts.d/pki.fact.j2 b/ansible_collections/debops/debops/roles/pki/templates/etc/ansible/facts.d/pki.fact.j2
new file mode 100644
index 00000000..2cee3216
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/etc/ansible/facts.d/pki.fact.j2
@@ -0,0 +1,75 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import re
+
+# Temporary workaround to allow Jinja templating in a Python script
+"""
+{% set pki_tpl_known_realms = [] %}
+{% if pki_enabled | bool %}
+{%   for realm in (pki_realms + pki_default_realms + pki_group_realms
+                   + pki_host_realms + pki_dependent_realms) %}
+{%     if (realm.name is defined and
+           ((realm.enabled is undefined or realm.enabled | bool) and
+           (realm.when is undefined or realm.when | bool))) %}
+{%       set _ = pki_tpl_known_realms.append(realm.name) %}
+{%     endif %}
+{%   endfor %}
+{%   if (ansible_local.pki.known_realms | d()) %}
+{%     for realm in ansible_local.pki.known_realms %}
+{%       if realm not in pki_tpl_known_realms %}
+{%         set _ = pki_tpl_known_realms.append(realm) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+"""
+
+output = loads('''{{ ({
+        "acme": (pki_acme | bool | lower),
+        "base_path": (pki_root + "/realms"),
+        "ca": "CA.crt",
+        "ca_realm": pki_system_ca_realm,
+        "crt": "default.crt",
+        "enabled": (pki_enabled | bool | lower),
+        "hooks": (pki_root + "/hooks"),
+        "internal": pki_internal | bool | lower,
+        "key": "default.key",
+        "known_realms": pki_tpl_known_realms,
+        "path": (pki_root + "/realms"),
+        "pem": "default.pem",
+        "realm": pki_system_realm,
+        "trusted": "trusted.crt",
+    }) | to_nice_json }}''')
+
+try:
+    openssl_version_stdout = subprocess.check_output(['openssl', 'version'])
+    _re = re.match(
+            r'\w+ (?P<full_version>(?P<strict_version>[^a-z ]+)[^ ]*)',
+            openssl_version_stdout, re.IGNORECASE)
+    if _re:
+        output['openssl_strict_version'] = _re.group('strict_version')
+        output['openssl_version'] = _re.group('full_version')
+except Exception:
+    pass
+
+try:
+    certtool_version_stdout = subprocess.check_output(
+            ['certtool', '--version']).split('\n')[0]
+    _re = re.match(r'\w+ (?P<version>[^ ]+)', certtool_version_stdout)
+    if _re:
+        output['gnutls_version'] = _re.group('version')
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/pki/templates/etc/ca-certificates.conf.j2 b/ansible_collections/debops/debops/roles/pki/templates/etc/ca-certificates.conf.j2
new file mode 100644
index 00000000..68412064
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/etc/ca-certificates.conf.j2
@@ -0,0 +1,33 @@
+{# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# This file lists certificates that you wish to use or to ignore to be
+# installed in /etc/ssl/certs.
+# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
+#
+# This is autogenerated by dpkg-reconfigure ca-certificates.
+# Certificates should be installed under /usr/share/ca-certificates
+# and files with extension '.crt' is recognized as available certs.
+#
+# line begins with # is comment.
+# line begins with ! is certificate filename to be deselected.
+#
+{% for rootca in pki_register_ca_certificates_known.stdout_lines | d([]) %}
+{% if rootca in (pki_register_ca_certificates_blacklist.stdout_lines | d([]) | intersect(pki_register_ca_certificates_whitelist.stdout_lines | d([]))) %}
+!{{ rootca }}
+{% else %}
+{% if rootca in (pki_register_ca_certificates_blacklist.stdout_lines | d([]) | difference(pki_register_ca_certificates_whitelist.stdout_lines | d([]))) %}
+!{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_whitelist.stdout_lines | d([]) %}
+{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_untrusted.stdout_lines | d([]) %}
+!{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_trusted.stdout_lines | d([]) %}
+{{ rootca }}
+{% endif %}
+{% endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/pki/templates/etc/letsencrypt/cli.ini.j2 b/ansible_collections/debops/debops/roles/pki/templates/etc/letsencrypt/cli.ini.j2
new file mode 100644
index 00000000..d68c7730
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/etc/letsencrypt/cli.ini.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% for element in pki_certbot_combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if element.comment | d() %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{{       element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     set element_comment = ('#' if element.state | d('present') == 'comment' else '') %}
+{%     set element_name = (element.option | d(element.name)) %}
+{{     '{}{} = {}'.format(element_comment, element_name, element.value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/pki/templates/etc/pki/gitignore.j2 b/ansible_collections/debops/debops/roles/pki/templates/etc/pki/gitignore.j2
new file mode 100644
index 00000000..47016e1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/etc/pki/gitignore.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# Ensure that sensitive files are excluded from version control.
+#
+{{ (pki_vcs_ignore_patterns_role +
+    pki_vcs_ignore_patterns +
+    pki_vcs_ignore_patterns_group +
+    pki_vcs_ignore_patterns_host) | unique | sort | join("\n") }}
diff --git a/ansible_collections/debops/debops/roles/pki/templates/etc/pki/realms/realm/config/environment.j2 b/ansible_collections/debops/debops/roles/pki/templates/etc/pki/realms/realm/config/environment.j2
new file mode 100644
index 00000000..f7cecae7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/etc/pki/realms/realm/config/environment.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2024 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Custom environment variables for a PKI realm
+{% if item.environment | d() %}
+{%   for key, value in item.environment.items() %}
+{{     '{}={}'.format(key, value) }}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/pki/templates/lookup/pki_env_secret_directories.j2 b/ansible_collections/debops/debops/roles/pki/templates/lookup/pki_env_secret_directories.j2
new file mode 100644
index 00000000..90b10daf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/pki/templates/lookup/pki_env_secret_directories.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2013-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set pki_tpl_group_directories = [ 'external', 'private' ] %}
+{% set pki_tpl_host_directories = [ 'external', 'internal', 'private' ] %}
+  - 'pki/lib'
+  - 'pki/ca-certificates/by-host/{{ inventory_hostname }}'
+  - 'pki/ca-certificates/by-group/all'
+{% for group in pki_inventory_groups %}
+  - 'pki/ca-certificates/by-group/{{ group }}'
+{% endfor %}
+{% for realm in pki_realms + pki_default_realms %}
+{%   if realm.name is defined and ((realm.enabled is undefined or realm.enabled | bool) and (realm.when is undefined or realm.when | bool)) %}
+{%     for directory in pki_tpl_group_directories %}
+  - 'pki/realms/by-group/all/{{ realm.name }}/{{ directory }}'
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{% for group in pki_inventory_groups %}
+{%   for realm in pki_group_realms + pki_default_realms %}
+{%     if realm.name is defined and ((realm.enabled is undefined or realm.enabled | bool) and (realm.when is undefined or realm.when | bool)) %}
+{%       for directory in pki_tpl_group_directories %}
+  - 'pki/realms/by-group/{{ group }}/{{ realm.name }}/{{ directory }}'
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+{% for realm in (pki_host_realms + pki_group_realms + pki_realms + pki_default_realms + pki_dependent_realms) %}
+{%   if realm.name is defined and ((realm.enabled is undefined or realm.enabled | bool) and (realm.when is undefined or realm.when | bool)) %}
+{%     for directory in pki_tpl_host_directories %}
+  - 'pki/realms/by-host/{{ inventory_hostname }}/{{ realm.name }}/{{ directory }}'
+{%     endfor %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postconf/COPYRIGHT b/ansible_collections/debops/debops/roles/postconf/COPYRIGHT
new file mode 100644
index 00000000..a07fb54e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postconf - Configure Postfix using Ansible via debops.postfix
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postconf/defaults/main.yml b/ansible_collections/debops/debops/roles/postconf/defaults/main.yml
new file mode 100644
index 00000000..53babd29
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/defaults/main.yml
@@ -0,0 +1,437 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postconf__ref_defaults:
+
+# debops.postconf default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Postfix capabilities [[[
+# ------------------------
+
+# These variables roughly define what functionality will be enabled in Postfix.
+# See :ref:`postconf__ref_capabilities` for more details.
+
+# .. envvar:: postconf__autodetect_capabilities [[[
+#
+# List of Postfix capabilities enabled dynamically during role execution.
+postconf__autodetect_capabilities: '{{ postconf__env_capabilities }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__default_capabilities [[[
+#
+# List of Postfix capabilities enabled by default by the role.
+postconf__default_capabilities: [ 'overhead' ]
+
+                                                                   # ]]]
+# .. envvar:: postconf__capabilities [[[
+#
+# List of Postfix capabilities which should be enabled on all hosts in the
+# Ansible inventory.
+postconf__capabilities: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__group_capabilities [[[
+#
+# List of Postfix capabilities which should be enabled on hosts in specific
+# Ansible inventory group.
+postconf__group_capabilities: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__host_capabilities [[[
+#
+# List of Postfix capabilities which should be enabled in specific hosts in the
+# Ansible inventory.
+postconf__host_capabilities: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__combined_capabilities [[[
+#
+# List that combines all Postfix capabilities from the other variables and is
+# used in other configuration variables and Ansible tasks.
+postconf__combined_capabilities: '{{ postconf__autodetect_capabilities
+                                     + postconf__default_capabilities
+                                     + postconf__capabilities
+                                     + postconf__group_capabilities
+                                     + postconf__host_capabilities }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix configuration variables [[[
+# -----------------------------------
+
+# .. envvar:: postconf__deploy_state [[[
+#
+# Select the state of the :ref:`debops.postconf` configuration options in
+# Postfix configuration.
+postconf__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: postconf__fqdn [[[
+#
+# The Fully Qualified Domain Name of this SMTP host.
+postconf__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__sasl_auth_method [[[
+#
+# Select the preferred SASL authentication method for accepting authenticated
+# e-mail messages. Currently supported methods are "cyrus" which will use the
+# :command:`saslauthd` service, or "dovecot" which will use the Dovecot
+# service. The default preference is to use :command:`saslauthd` when it is
+# installed to allow for more flexible client authentication methods,
+# authenticated mail relays, and the like.
+postconf__sasl_auth_method: '{{ "cyrus"
+                                if (ansible_local | d() and ansible_local.saslauthd | d() and
+                                    (ansible_local.saslauthd.installed | d()) | bool and
+                                    "smtpd" in ansible_local.saslauthd.instances)
+                                else "dovecot" }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__unauth_sender_domains [[[
+#
+# List of FQDN domains which are handled by this Postfix instance. Any
+# unauthenticated mail messages from these domains that are sent from external
+# hosts will be blocked. This list should be synchronized with the Postfix
+# ``$mydestination``, ``$relay_domains``, ``$virtual_mailbox_domains`` and
+# ``$virtual_alias_domains`` configuration parameters.
+postconf__unauth_sender_domains: [ '{{ postconf__fqdn }}' ]
+
+                                                                   # ]]]
+# .. envvar:: postconf__unauth_sender_default_action [[[
+#
+# The error message which will be sent to the SMTP servers that try to deliver
+# unauthenticated mail messages.
+postconf__unauth_sender_default_action: 'REJECT This server requires SMTP authentication'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix lookup tables [[[
+# -------------------------
+
+# These lists define Postfix lookup tables placed in the :file:`/etc/postfix/`
+# directory. The configuration format is specified in the :ref:`debops.postfix`
+# role documentation.
+
+# .. envvar:: postconf__default_lookup_tables [[[
+#
+# List of default lookup tables defined by the role.
+postconf__default_lookup_tables:
+
+  - name: 'auth_header_checks.pcre'
+    by_role: 'debops.postconf'
+    comment: |
+      Cleanup headers in mail messages sent by authenticated clients through
+      submission/smtps service.
+
+      Documentation: https://askubuntu.com/questions/78163/
+    default_action: 'IGNORE'
+    options:
+      - '/^X-Mailer:/':   'IGNORE'
+      - '/^User-Agent:/': 'IGNORE'
+    state: '{{ "present"
+               if (postconf__deploy_state == "present" and
+                   "authcleanup" in postconf__combined_capabilities)
+               else ("absent"
+                     if (postconf__deploy_state == "absent")
+                     else "ignore") }}'
+
+  - name: 'mx_access.cidr'
+    by_role: 'debops.postconf'
+    comment: |
+      Check if sender MX server is in subnets not accessible from the public
+      Internet. If so, reject mail delivery from these servers, because any
+      replies will be non-deliverable.
+    options:
+      - '0.0.0.0/8':       'REJECT Domain MX in broadcast network'
+      - '10.0.0.0/8':      'REJECT Domain MX in RFC 1918 private network'
+      - '127.0.0.0/8':     'REJECT Domain MX in loopback network'
+      - '169.254.0.0/16':  'REJECT Domain MX in link local network'
+      - '172.16.0.0/12':   'REJECT Domain MX in RFC 1918 private network'
+      - '192.0.2.0/24':    'REJECT Domain MX in TEST-NET-1 network'
+      - '192.168.0.0/16':  'REJECT Domain MX in RFC 1918 private network'
+      - '198.51.100.0/24': 'REJECT Domain MX in TEST-NET-2 network'
+      - '203.0.113.0/24':  'REJECT Domain MX in TEST-NET-3 network'
+      - '224.0.0.0/4':     'REJECT Domain MX in class D multicast network'
+      - '240.0.0.0/5':     'REJECT Domain MX in class E reserved network'
+      - '248.0.0.0/5':     'REJECT Domain MX in reserved network'
+
+      - '::1/128':         'REJECT Domain MX is Loopback address'
+      - '::/128':          'REJECT Domain MX is Unspecified address'
+      - '::/96':           'REJECT Domain MX in IPv4-Compatible IPv6'
+      - '::ffff:0:0/96':   'REJECT Domain MX in IPv4-Mapped IPv6'
+      - 'ff00::/8':        'REJECT Domain MX in Multicast network'
+      - 'fe80::/10':       'REJECT Domain MX in Link-local unicast network'
+      - 'fec0::/10':       'REJECT Domain MX in Site-local unicast network'
+    state: '{{ "present"
+               if (postconf__deploy_state == "present" and
+                   "public-mx-required" in postconf__combined_capabilities)
+               else ("absent"
+                     if (postconf__deploy_state == "absent")
+                     else "ignore") }}'
+
+  - name: 'unauth_sender_access.in'
+    by_role: 'debops.postconf'
+    comment: |
+      Block any unauthenticated external mail that uses our domain names. Users
+      that send this mail need to enable SMTP authentication and use the
+      'submission' service.
+
+      Documentation: https://serverfault.com/a/51122
+    default_action: '{{ postconf__unauth_sender_default_action }}'
+    content: '{{ postconf__unauth_sender_domains }}'
+    state: '{{ "present"
+               if (postconf__deploy_state == "present" and
+                   "auth" in postconf__combined_capabilities and
+                   "unauth-sender" in postconf__combined_capabilities)
+               else ("absent"
+                     if (postconf__deploy_state == "absent")
+                     else "ignore") }}'
+
+  - name: 'overhead_checks.pcre'
+    by_role: 'debops.postconf'
+    comment: |
+      "A man is not dead while his name is still spoken."
+                - Going Postal, Chapter 4 prologue
+
+      Ref: http://www.gnuterrypratchett.com/
+    options:
+      - '/^X-Clacks-Overhead:/': 'IGNORE'
+      - '/^To:/': 'PREPEND X-Clacks-Overhead: GNU Terry Pratchett'
+    state: '{{ "present"
+               if (postconf__deploy_state == "present" and
+                   "overhead" in postconf__combined_capabilities)
+               else ("absent"
+                     if (postconf__deploy_state == "absent")
+                     else "ignore") }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__lookup_tables [[[
+#
+# List of lookup tables that are managed on all hosts in the Ansible inventory.
+postconf__lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__group_lookup_tables [[[
+#
+# List of lookup tables that are managed on hosts in specific Ansible inventory
+# group.
+postconf__group_lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__host_lookup_tables [[[
+#
+# List of lookup tables that are managed on specific hosts in the Ansible
+# inventory.
+postconf__host_lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postconf__combined_lookup_tables [[[
+#
+# Variable that combines the other lookup table lists together for eas of use.
+postconf__combined_lookup_tables: '{{ postconf__default_lookup_tables
+                                      + postconf__lookup_tables
+                                      + postconf__group_lookup_tables
+                                      + postconf__host_lookup_tables }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: postconf__postfix__dependent_packages [[[
+#
+# List of APT packages to install passed to the :ref:`debops.postfix` Ansible
+# role.
+postconf__postfix__dependent_packages:
+  - '{{ "libsasl2-modules"
+        if ("auth" in postconf__combined_capabilities)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__postfix__dependent_lookup_tables [[[
+#
+# Lookup table configuration passed to the :ref:`debops.postfix` Ansible role.
+postconf__postfix__dependent_lookup_tables:
+  - '{{ postconf__combined_lookup_tables }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration passed to the :ref:`debops.postfix` Ansible role.
+postconf__postfix__dependent_maincf:
+
+  - name: 'smtpd_sasl_auth_enable'
+    value: True
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sasl_authenticated_header'
+    value: True
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'broken_sasl_auth_clients'
+    value: True
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sasl_security_options'
+    value: [ 'noanonymous', 'noplaintext' ]
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sasl_tls_security_options'
+    value: [ 'noanonymous' ]
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sasl_type'
+    value: '{{ "cyrus"
+               if (postconf__sasl_auth_method == "cyrus")
+               else "dovecot" }}'
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sasl_path'
+    value: '{{ "smtpd"
+               if (postconf__sasl_auth_method == "cyrus")
+               else "private/auth" }}'
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sender_restrictions'
+    value:
+      - name: 'check_sender_mx_access cidr:${config_directory}/mx_access.cidr'
+        weight: 50
+    state: '{{ "present"
+               if ("public-mx-required" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_sender_restrictions'
+    value:
+
+      - name: 'permit_mynetworks'
+
+      - name: 'reject_authenticated_sender_login_mismatch'
+        copy_id_from: 'permit_mynetworks'
+        weight: 10
+
+      - name: 'permit_sasl_authenticated'
+        copy_id_from: 'reject_authenticated_sender_login_mismatch'
+        weight: 10
+
+      - name: 'check_sender_access hash:${config_directory}/unauth_sender_access'
+        copy_id_from: 'permit_sasl_authenticated'
+        weight: 10
+
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities and
+                   "unauth-sender" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtpd_relay_restrictions'
+    value:
+
+      - name: 'reject_authenticated_sender_login_mismatch'
+        copy_id_from: 'permit_mynetworks'
+        weight: 10
+
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities and
+                   "unauth-sender" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtp_header_checks'
+    value: [ 'pcre:${config_directory}/overhead_checks.pcre' ]
+    state: '{{ "present"
+               if ("overhead" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: postconf__postfix__dependent_mastercf [[[
+#
+# The :file:`master.cf` configuration passed to the :ref:`debops.postfix` Ansible
+# role.
+postconf__postfix__dependent_mastercf:
+
+  - name: 'submission'
+    options:
+
+      - name: 'smtpd_helo_restrictions'
+        value: ''
+        state: '{{ "present"
+                   if ("public-mx-required" in postconf__combined_capabilities)
+                   else "ignore" }}'
+
+      - name: 'smtpd_sender_restrictions'
+        value: 'reject_authenticated_sender_login_mismatch'
+        state: '{{ "present"
+                   if ("unauth-sender" in postconf__combined_capabilities)
+                   else "ignore" }}'
+
+      - name: 'cleanup_service_name'
+        value: 'authcleanup'
+        state: '{{ "present"
+                   if ("authcleanup" in postconf__combined_capabilities)
+                   else "ignore" }}'
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'smtps'
+    options:
+
+      - name: 'smtpd_helo_restrictions'
+        value: ''
+        state: '{{ "present"
+                   if ("public-mx-required" in postconf__combined_capabilities)
+                   else "ignore" }}'
+
+      - name: 'smtpd_sender_restrictions'
+        value: 'reject_authenticated_sender_login_mismatch'
+        state: '{{ "present"
+                   if ("unauth-sender" in postconf__combined_capabilities)
+                   else "ignore" }}'
+
+      - name: 'cleanup_service_name'
+        value: 'authcleanup'
+        state: '{{ "present"
+                   if ("authcleanup" in postconf__combined_capabilities)
+                   else "ignore" }}'
+    state: '{{ "present"
+               if ("auth" in postconf__combined_capabilities)
+               else "ignore" }}'
+
+  - name: 'authcleanup'
+    type: 'unix'
+    private: False
+    maxproc: 0
+    command: 'cleanup'
+    options:
+      - name: 'syslog_name'
+        value: 'postfix/authcleanup'
+      - name: 'header_checks'
+        value: [ 'regexp:/etc/postfix/auth_header_checks.pcre' ]
+    state: '{{ "present"
+               if ("authcleanup" in postconf__combined_capabilities)
+               else "ignore" }}'
+    copy_id_from: 'cleanup'
+    weight: 10
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postconf/meta/main.yml b/ansible_collections/debops/debops/roles/postconf/meta/main.yml
new file mode 100644
index 00000000..68ef8c95
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure Postfix SMTP service via debops.postfix'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smtp
+    - mail
+    - lmtp
+    - submission
+    - postfix
+    - sasl
+    - antispam
diff --git a/ansible_collections/debops/debops/roles/postconf/tasks/main.yml b/ansible_collections/debops/debops/roles/postconf/tasks/main.yml
new file mode 100644
index 00000000..37ef24ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Postconf local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postconf.fact.j2'
+    dest: '/etc/ansible/facts.d/postconf.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/postconf/tasks/main_env.yml b/ansible_collections/debops/debops/roles/postconf/tasks/main_env.yml
new file mode 100644
index 00000000..44138233
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare postconf environment
+  ansible.builtin.set_fact:
+    postconf__env_capabilities: '{{ lookup("template", "lookup/postconf__env_capabilities.j2") }}'
diff --git a/ansible_collections/debops/debops/roles/postconf/templates/etc/ansible/facts.d/postconf.fact.j2 b/ansible_collections/debops/debops/roles/postconf/templates/etc/ansible/facts.d/postconf.fact.j2
new file mode 100644
index 00000000..7b961ee6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/templates/etc/ansible/facts.d/postconf.fact.j2
@@ -0,0 +1,19 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+
+output = loads("""{{ {'installed': (True
+                                    if (postconf__deploy_state == "present")
+                                    else False)}
+                     | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/postconf/templates/lookup/postconf__env_capabilities.j2 b/ansible_collections/debops/debops/roles/postconf/templates/lookup/postconf__env_capabilities.j2
new file mode 100644
index 00000000..1eada66b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postconf/templates/lookup/postconf__env_capabilities.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set postconf__tpl_env_capabilities = [] %}
+{% if (ansible_local | d() and
+       ((ansible_local.saslauthd | d() and (ansible_local.saslauthd.installed | d()) | bool and 'smtpd' in ansible_local.saslauthd.instances) or
+        (ansible_local.dovecot | d() and (ansible_local.dovecot.installed | d()) | bool))) %}
+{%   set _ = postconf__tpl_env_capabilities.extend([ 'auth', 'unauth-sender' ]) %}
+{% endif %}
+{% if (ansible_all_ipv4_addresses | d([]) + ansible_all_ipv6_addresses | d([])) | ansible.utils.ipaddr('public') %}
+{%   set _ = postconf__tpl_env_capabilities.append('public-mx-required') %}
+{% endif %}
+{{ postconf__tpl_env_capabilities | list }}
diff --git a/ansible_collections/debops/debops/roles/postfix/COPYRIGHT b/ansible_collections/debops/debops/roles/postfix/COPYRIGHT
new file mode 100644
index 00000000..5b61c9ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postfix - Configure Postfix SMTP service using Ansible
+
+Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postfix/defaults/main.yml b/ansible_collections/debops/debops/roles/postfix/defaults/main.yml
new file mode 100644
index 00000000..8edb6af4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/defaults/main.yml
@@ -0,0 +1,1359 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postfix__ref_defaults:
+
+# debops.postfix default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, version [[[
+# -------------------------
+
+# .. envvar:: postfix__base_packages [[[
+#
+# List of the default APT packages to install for Postfix support.
+postfix__base_packages: [ 'postfix', 'postfix-pcre', 'bsd-mailx', 'make',
+                          'ssl-cert', 'ca-certificates' ]
+
+                                                                   # ]]]
+# .. envvar:: postfix__dependent_packages [[[
+#
+# List of additional APT packages requested by other Ansible roles via role
+# dependent variables.
+postfix__dependent_packages: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__packages [[[
+#
+# List of custom APT packages to install with Postfix.
+postfix__packages: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__group_packages [[[
+#
+# List of custom APT packages installed on hosts in a specific group
+# in Ansible inventory.
+postfix__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__host_packages [[[
+#
+# List of custom APT packages installed on specific hosts in Ansible
+# inventory.
+postfix__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__purge_packages [[[
+#
+# List of APT packages to purge when Postfix is installed, to remove the
+# remnants of other SMTP services.
+postfix__purge_packages: [ 'exim4-base', 'exim4-config',
+                           'exim4-daemon-light', 'nullmailer' ]
+
+                                                                   # ]]]
+# .. envvar:: postfix__version [[[
+#
+# The currently installed Postfix version. This variable is defined by the
+# Ansible local facts and it's here for convenience, shouldn't be set manually.
+postfix__version: '{{ ansible_local.postfix.version | d("0.0.0") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__doc_installed [[[
+#
+# The ``postfix-doc`` APT package modifies the :file:`/etc/postfix/main.cf`
+# configuration file directly, therefore the role takes its presence into
+# account during configuration. The package presence is checked by the Ansible
+# local facts.
+postfix__doc_installed: '{{ ansible_local.postfix.doc_installed
+                            if (ansible_local | d() and ansible_local.postfix | d() and
+                                ansible_local.postfix.doc_installed is defined)
+                            else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS, mail next-hop configuration [[[
+# ------------------------------------
+
+# .. envvar:: postfix__fqdn [[[
+#
+# The host's Fully Qualified Domain Name used in the Postfix configuration.
+postfix__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__domain [[[
+#
+# The host's DNS domain name used in the Postfix configuration.
+postfix__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__relayhost [[[
+#
+# Next-hop destination of non-local mail.
+postfix__relayhost: ''
+
+                                                                   # ]]]
+# .. envvar:: postfix__mailname [[[
+#
+# The name of this mail system, configured in :file:`/etc/mailname` file. This
+# name is used as the domain part in sender mail addresses that don't have one.
+# See https://wiki.debian.org/EtcMailName for more details.
+postfix__mailname: '{{ postfix__fqdn }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: postfix__accept_any [[[
+#
+# Specofy the default firewall policy for Postfix services.
+#
+# If ``True``, any host can connect to the Postfix services unless allow
+# restrictions are defined using the variables below.
+#
+# If ``False``, no hosts can connect to the Postfix services by default. You
+# need to specify IP addresses or subnets that can access the services using
+# the variables below.
+postfix__accept_any: True
+
+                                                                   # ]]]
+# .. envvar:: postfix_allow_smtp [[[
+#
+# List of hosts/networks that can access the ``smtp`` port (25).
+postfix__allow_smtp: []
+
+                                                                   # ]]]
+# .. envvar:: postfix_allow_submission [[[
+#
+# List of hosts/networks that can access the ``submission`` port (587).
+postfix__allow_submission: []
+
+                                                                   # ]]]
+# .. envvar:: postfix_allow_smtps [[[
+#
+# List of hosts/networks that can access the ``smtps`` port (465).
+postfix__allow_smtps: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI / TLS configuration [[[
+# ---------------------------
+
+# .. envvar:: postfix__pki [[[
+#
+# Enable or disable support for TLS in Postfix, managed by the :ref:`debops.pki`
+# Ansible role.
+postfix__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_path [[[
+#
+# Absolute path to the directory where PKI realms are located.
+postfix__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_realm [[[
+#
+# Name of the default PKI realm used by Postfix.
+postfix__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_ca [[[
+#
+# Name of the Root Certificate Authority certificate file used by Postfix,
+# relative to the PKI realm directory.
+postfix__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_crt [[[
+#
+# Name of the certificate file used by Postfix, relative to the PKI realm
+# directory.
+postfix__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_key [[[
+#
+# Name of the private key file used by Postfix, relative to the PKI realm
+# directory.
+postfix__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_ca_file [[[
+#
+# Absolute path of the Root Certificate Authority certificate file used in the
+# Postfix configuration. This file should also be present in the Postfix chroot
+# directory.
+postfix__tls_ca_file: '/etc/ssl/certs/ca-certificates.crt'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_cert_file [[[
+#
+# Absolute path of the certificate file used in the Postfix configuration.
+postfix__tls_cert_file: '{{ (postfix__pki_path + "/" + postfix__pki_realm + "/" + postfix__pki_crt)
+                            if postfix__pki | bool else "/etc/ssl/certs/ssl-cert-snakeoil.pem" }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_key_file [[[
+#
+# Absolute path of the private key file used in the Postfix configuration.
+postfix__tls_key_file: '{{ (postfix__pki_path + "/" + postfix__pki_realm + "/" + postfix__pki_key)
+                           if postfix__pki | bool else "/etc/ssl/private/ssl-cert-snakeoil.key" }}'
+                                                                   # ]]]
+# .. envvar:: postfix__pki_hook_name [[[
+#
+# Name of the hook script which will be stored in hook directory.
+postfix__pki_hook_name: 'postfix'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_hook_path [[[
+#
+# Directory with PKI hooks.
+postfix__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__pki_hook_action [[[
+#
+# Specify how changes in PKI should affect postfix, either 'reload' or 'restart'.
+postfix__pki_hook_action: 'reload'
+                                                                   # ]]]
+                                                                   # ]]]
+# Diffie-Hellman parameters [[[
+# -----------------------------
+
+# .. envvar:: postfix__dhparam [[[
+#
+# Enable or disable support for custom Diffie-Hellman parameters managed by the
+# :ref:`debops.dhparam` Ansible role.
+postfix__dhparam: '{{ ansible_local.dhparam.enabled
+                      if (ansible_local | d() and ansible_local.dhparam | d() and
+                          ansible_local.dhparam.enabled is defined)
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__dhparam_set [[[
+#
+# Name of the Diffie-Hellman parameter set to use in Postfix configuration. See
+# :ref:`debops.dhparam` Ansible role for more details.
+postfix__dhparam_set: 'default'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_dh1024_param_file [[[
+#
+# Absolute path to Diffie-Hellman parameters file which should be used for
+# non-export grade connections.
+postfix__tls_dh1024_param_file: '{{ ansible_local.dhparam[postfix__dhparam_set]
+                                    if (ansible_local | d() and ansible_local.dhparam | d() and
+                                        ansible_local.dhparam[postfix__dhparam_set] | d())
+                                    else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_dh512_param_file [[[
+#
+# Absolute path to Diffie-Hellman parameters file which should be used for
+# export grade connections.
+postfix__tls_dh512_param_file: '{{ ansible_local.dhparam[postfix__dhparam_set]
+                                   if (ansible_local | d() and ansible_local.dhparam | d() and
+                                       ansible_local.dhparam[postfix__dhparam_set] | d())
+                                   else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix 'main.cf' configuration [[[
+# -----------------------------------
+
+# These variables define the contents of the :file:`/etc/postfix/main.cf`
+# configuration file. See :ref:`postfix__ref_maincf` for more details.
+
+# .. envvar:: postfix__original_maincf [[[
+#
+# List of options defined by the Debian ``postfix`` package when the default
+# "Internet Site" configuration type is selected during installation. This list
+# is used as the base configuration.
+postfix__original_maincf:
+
+  - name: 'myorigin_example'
+    option: 'myorigin'
+    value: '/etc/mailname'
+    comment: |
+      Debian specific:  Specifying a file name will cause the first
+      line of that file to be used as the name.  The Debian default
+      is /etc/mailname.
+    state: 'comment'
+    section: 'base'
+
+  - name: 'smtpd_banner'
+    value: '$myhostname ESMTP $mail_name (Debian/GNU)'
+    section: 'base'
+
+  - name: 'biff'
+    value: False
+    section: 'base'
+
+  - name: 'append_dot_mydomain'
+    value: False
+    comment: "appending .domain is the MUA's job."
+    section: 'base'
+
+  - name: 'delay_warning_time'
+    value: '4h'
+    comment: 'Uncomment the next line to generate "delayed mail" warnings'
+    state: 'comment'
+    section: 'base'
+
+  - name: 'readme_directory'
+    value: '{{ "/usr/share/doc/postfix"
+               if postfix__doc_installed | bool
+               else False }}'
+    section: 'base'
+
+  - name: 'compatibility_level'
+    value: 2
+    comment: |
+      See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+      fresh installs.
+    section: 'base'
+    state: '{{ "present"
+               if (postfix__version is version_compare("3.0.0", ">="))
+               else "ignore" }}'
+
+  - name: 'smtpd_tls_cert_file'
+    value: '{{ postfix__tls_cert_file }}'
+    comment: 'TLS parameters'
+    section: 'base'
+
+  - name: 'smtpd_tls_key_file'
+    value: '{{ postfix__tls_key_file }}'
+    section: 'base'
+
+  - name: 'smtpd_use_tls'
+    value: True
+    section: 'base'
+
+  - name: 'smtpd_tls_session_cache_database'
+    value: 'btree:${data_directory}/smtpd_scache'
+    section: 'base'
+
+  - name: 'smtp_tls_session_cache_database'
+    value: 'btree:${data_directory}/smtp_scache'
+    section: 'base'
+
+  - name: 'smtp_tls_client_comment'
+    comment: |
+      See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+      information on enabling SSL in the smtp client.
+    state: 'hidden'
+    section: 'base'
+
+  - name: 'smtpd_relay_restrictions'
+    section: 'base'
+    state: '{{ "present"
+               if (postfix__version is version_compare("2.10.0", ">="))
+               else "ignore" }}'
+    value:
+
+      - name: 'permit_mynetworks'
+        weight: -300
+
+      - name: 'permit_sasl_authenticated'
+        weight: -200
+
+      - name: 'defer_unauth_destination'
+        weight: -100
+
+  - name: 'myhostname'
+    value: '{{ postfix__fqdn }}'
+    section: 'base'
+
+  - name: 'alias_maps'
+    value: [ 'hash:/etc/aliases' ]
+    section: 'base'
+
+  - name: 'alias_database'
+    value: [ 'hash:/etc/aliases' ]
+    section: 'base'
+
+  - name: 'myorigin'
+    value: '/etc/mailname'
+    section: 'base'
+
+  - name: 'mydestination'
+    section: 'base'
+    value:
+
+      - '{{ postfix__fqdn }}'
+
+      - name: 'localhost.{{ postfix__domain }}'
+        weight: 190
+
+      - name: 'localhost'
+        weight: 200
+
+  - name: 'relayhost'
+    value: '{{ postfix__relayhost }}'
+    section: 'base'
+
+  - name: 'mynetworks'
+    section: 'base'
+    value:
+
+      - name: '127.0.0.0/8'
+        weight: 100
+
+      - name: '::ffff:127.0.0.0/104'
+        weight: 100
+
+      - name: '::1/128'
+        weight: 100
+
+  - name: 'mailbox_size_limit'
+    value: 0
+    section: 'base'
+
+  - name: 'recipient_delimiter'
+    value: '+'
+    section: 'base'
+
+  - name: 'inet_interfaces'
+    value: 'all'
+    section: 'base'
+
+  - name: 'inet_protocols'
+    value: 'all'
+    section: 'base'
+    state: '{{ "present"
+               if (ansible_distribution_release == "stretch")
+               else "ignore" }}'
+
+  - name: 'html_directory'
+    value: '{{ "/usr/share/doc/postfix/html"
+               if postfix__doc_installed | bool
+               else False }}'
+    section: 'base'
+
+                                                                   # ]]]
+# .. envvar:: postfix__default_maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# defined by default by the ``debops.postfix`` Ansible role.
+postfix__default_maincf:
+
+  - name: 'smtpd_banner'
+    value: '$myhostname ESMTP'
+
+  - name: 'enable_long_queue_ids'
+    value: True
+    section: 'base'
+    state: '{{ "present"
+               if (postfix__version is version_compare("2.9.0", ">="))
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# defined by default by the ``debops.postfix`` Ansible role which configure
+# TLS/SSL encryption.
+postfix__tls_maincf:
+
+  - name: 'smtp_tls_client_comment'
+    state: 'absent'
+
+  - name: 'smtpd_use_tls'
+    section: 'smtpd-tls'
+    weight: -500
+
+  - name: 'smtpd_tls_cert_file'
+    section: 'smtpd-tls'
+    comment: ''
+
+  - name: 'smtpd_tls_key_file'
+    section: 'smtpd-tls'
+
+  - name: 'smtpd_tls_CAfile'
+    value: '{{ postfix__tls_ca_file }}'
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_CAfile'
+    value: '{{ postfix__tls_ca_file }}'
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_CAfile'
+    value: '{{ postfix__tls_ca_file }}'
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_session_cache_database'
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_session_cache_database'
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_session_cache_database'
+    value: 'btree:${data_directory}/lmtp_scache'
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_dh1024_param_file'
+    value: '{{ postfix__tls_dh1024_param_file }}'
+    state: '{{ "present" if postfix__dhparam | bool else "ignore" }}'
+    section: 'smtpd-tls'
+
+  - name: 'smtpd_tls_dh512_param_file'
+    value: '{{ postfix__tls_dh512_param_file }}'
+    state: '{{ "present" if postfix__dhparam | bool else "ignore" }}'
+    section: 'smtpd-tls'
+
+  - name: 'smtpd_tls_loglevel'
+    value: 1
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_loglevel'
+    value: 1
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_loglevel'
+    value: 1
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_security_level'
+    value: 'may'
+    section: 'smtpd-tls'
+    weight: -500
+
+  - name: 'smtp_tls_security_level'
+    value: 'may'
+    section: 'smtp-tls'
+    weight: -500
+
+  - name: 'lmtp_tls_security_level'
+    value: 'may'
+    section: 'lmtp-tls'
+    weight: -500
+
+  - name: 'smtpd_tls_auth_only'
+    value: True
+    section: 'smtpd-tls'
+
+  - name: 'smtpd_tls_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_mandatory_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_mandatory_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_mandatory_protocols'
+    value: [ '!SSLv2', '!SSLv3', '!TLSv1', 'TLSv1.1', 'TLSv1.2' ]
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_ciphers'
+    value: 'high'
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_ciphers'
+    value: 'high'
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_ciphers'
+    value: 'high'
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_mandatory_ciphers'
+    value: 'high'
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_mandatory_ciphers'
+    value: 'high'
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_mandatory_ciphers'
+    value: 'high'
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_exclude_ciphers'
+    value: [ 'aNULL', 'RC4', 'MD5', 'DES', '3DES', 'RSA', 'SHA' ]
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_exclude_ciphers'
+    value: [ 'aNULL', 'RC4', 'MD5', 'DES', '3DES', 'RSA', 'SHA' ]
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_exclude_ciphers'
+    value: [ 'aNULL', 'RC4', 'MD5', 'DES', '3DES', 'RSA', 'SHA' ]
+    section: 'lmtp-tls'
+
+  - name: 'smtpd_tls_eecdh_grade'
+    value: 'ultra'
+    section: 'smtpd-tls'
+
+  - name: 'smtpd_tls_received_header'
+    value: True
+    section: 'smtpd-tls'
+
+  - name: 'smtp_tls_note_starttls_offer'
+    value: True
+    section: 'smtp-tls'
+
+  - name: 'lmtp_tls_note_starttls_offer'
+    value: True
+    section: 'lmtp-tls'
+
+  - name: 'tls_preempt_cipherlist'
+    value: True
+    section: 'tls'
+
+  - name: 'tls_ssl_options'
+    value: 'NO_COMPRESSION'
+    section: 'tls'
+    state: '{{ "present"
+              if (postfix__version is version_compare("2.11.0", ">="))
+              else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__restrictions_maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# defined by default by the ``debops.postfix`` Ansible role which configure
+# mail relay and delivery restrictions.
+postfix__restrictions_maincf:
+
+  - name: 'smtpd_helo_required'
+    value: True
+    section: 'restrictions'
+
+  - name: 'strict_rfc821_envelopes'
+    value: True
+    section: 'restrictions'
+
+  - name: 'smtpd_reject_unlisted_sender'
+    value: True
+    section: 'restrictions'
+
+  - name: 'disable_vrfy_command'
+    value: True
+    section: 'restrictions'
+
+  - name: 'smtpd_client_restrictions'
+    section: 'restrictions'
+    weight: 10
+    separator: True
+
+  - name: 'smtpd_helo_restrictions'
+    section: 'restrictions'
+    weight: 20
+    value:
+
+      - name: 'permit_mynetworks'
+        weight: -400
+
+      - name: 'reject_invalid_helo_hostname'
+        weight: -300
+
+      - name: 'reject_non_fqdn_helo_hostname'
+        weight: -200
+
+      - name: 'reject_unknown_helo_hostname'
+        weight: -100
+
+  - name: 'smtpd_sender_restrictions'
+    section: 'restrictions'
+    weight: 30
+    value:
+
+      - name: 'reject_non_fqdn_sender'
+        weight: -200
+
+      - name: 'reject_unknown_sender_domain'
+        weight: -100
+
+      - name: 'permit_mynetworks'
+
+  - name: 'smtpd_relay_restrictions'
+    section: 'restrictions'
+    copy_id_from: 'smtpd_sender_restrictions'
+    weight: 40
+    state: '{{ "present"
+               if (postfix__version is version_compare("2.10.0", ">="))
+               else "ignore" }}'
+
+  - name: 'smtpd_recipient_restrictions'
+    section: 'restrictions'
+    weight: 50
+    value:
+
+      - name: 'reject_non_fqdn_recipient'
+        weight: -200
+      - name: 'reject_unknown_recipient_domain'
+        weight: -100
+
+  - name: 'smtpd_data_restrictions'
+    section: 'restrictions'
+    weight: 60
+    value:
+
+      - name: 'reject_unauth_pipelining'
+        weight: -200
+      - name: 'reject_multi_recipient_bounce'
+        weight: -100
+
+  - name: 'smtpd_discard_ehlo_keywords'
+    section: 'restrictions'
+    value:
+      - 'dsn'  # Disallow Delivery Status Notification requests
+      - 'etrn'  # Disallow Remote Message Queue Starting
+
+                                                                   # ]]]
+# .. envvar:: postfix__maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# which should be present on all hosts in the Ansible inventory.
+postfix__maincf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__group_maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# which should be present on hosts in the specific Ansible inventory group.
+postfix__group_maincf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__host_maincf [[[
+#
+# The list of Postfix :file:`/etc/postfix/main.cf` configuration file options
+# which should be present on specific hosts in the Ansible inventory.
+postfix__host_maincf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__dependent_maincf [[[
+#
+# List of the :file:`/etc/postfix/main.cf` configuration options defined by
+# other roles through role dependent variables. The configuration syntax
+# differs from a normal :file:`main.cf` configuration,
+# see :ref:`postfix__ref_dependency` for more details.
+# This variable will be merged with the persistent configuration stored on the
+# Ansible Controller at runtime.
+postfix__dependent_maincf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__combined_maincf [[[
+#
+# List which combines all of the :file:`main.cf`-related variables and is used
+# in the configuration template.
+postfix__combined_maincf: '{{ postfix__original_maincf
+                              + postfix__default_maincf
+                              + postfix__tls_maincf
+                              + postfix__restrictions_maincf
+                              + postfix__env_persistent_maincf
+                              + postfix__maincf
+                              + postfix__group_maincf
+                              + postfix__host_maincf }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__init_maincf [[[
+#
+# This variable contains initial state of :file:`main.cf` configuration options
+# based on the contents of `:envvar:`postfix__combined_maincf` variable. It's
+# used to dynamically assign Postfix options to configuration file sections in
+# case that a section is not specified.
+postfix__init_maincf: '{{ lookup("template",
+                          "lookup/postfix__init_maincf.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__maincf_sections [[[
+#
+# List of configuration sections which are defined in the
+# :file:`/etc/postfix/main.cf` configuration file.
+# See :ref:`postfix__ref_maincf_sections` for more details.
+postfix__maincf_sections:
+
+  - name: 'base'
+
+  - name: 'auth'
+    title: 'Authentication and authorization'
+
+  - name: 'route'
+    title: 'Message routing'
+
+  - name: 'virtual'
+    title: 'Virtual mail configuration'
+
+  - name: 'tls'
+    title: 'TLS/SSL configuration'
+
+  - name: 'smtpd-tls'
+    title: 'SMTP Server (smtpd) TLS configuration'
+
+  - name: 'smtp-tls'
+    title: 'SMTP Client (smtp) TLS configuration'
+
+  - name: 'lmtp-tls'
+    title: 'Local Mail Transfer Protocol (lmtp) TLS configuration'
+
+  - name: 'postscreen'
+    title: 'postscreen options'
+
+  - name: 'restrictions'
+    title: 'SMTP Server (smtpd) restrictions'
+
+  - name: 'filter'
+    title: 'Mail filtering configuration'
+
+  - name: 'limit'
+    title: 'Rate limits'
+
+  - name: 'unknown'
+    title: 'Other options'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix 'master.cf' configuration [[[
+# -------------------------------------
+
+# These variables define the contents of the :file:`/etc/postfix/master.cf`
+# configuration file. See :ref:`postfix__ref_mastercf` for more details.
+
+# .. envvar:: postfix__original_mastercf [[[
+#
+# List of options defined by the Debian ``postfix`` package when the default
+# "Internet Site" configuration type is selected during installation. This list
+# is used as the base configuration.
+postfix__original_mastercf:
+
+  - name: 'smtp'
+    type: 'inet'
+    private: False
+    chroot: True
+    command: 'smtpd'
+
+  - name: 'postscreen'
+    service: 'smtp'
+    type: 'inet'
+    private: False
+    chroot: True
+    maxproc: 1
+    command: 'postscreen'
+    state: 'comment'
+
+  - name: 'smtpd'
+    type: 'pass'
+    chroot: True
+    state: 'comment'
+
+  - name: 'dnsblog'
+    type: 'unix'
+    chroot: True
+    maxproc: 0
+    state: 'comment'
+
+  - name: 'tlsproxy'
+    type: 'unix'
+    chroot: True
+    maxproc: 0
+    state: 'comment'
+
+  - name: 'submission'
+    type: 'inet'
+    private: False
+    chroot: True
+    command: 'smtpd'
+    state: 'comment'
+    options:
+
+      - syslog_name: 'postfix/submission'
+      - smtpd_tls_security_level: 'encrypt'
+      - smtpd_sasl_auth_enable: True
+      - smtpd_reject_unlisted_recipient: False
+
+      - name: 'smtpd_client_restrictions'
+        value: '$mua_client_restrictions'
+        state: 'comment'
+
+      - name: 'smtpd_helo_restrictions'
+        value: '$mua_helo_restrictions'
+        state: 'comment'
+
+      - name: 'smtpd_sender_restrictions'
+        value: '$mua_sender_restrictions'
+        state: 'comment'
+
+      - smtpd_recipient_restrictions: ''
+
+      - name: 'smtpd_relay_restrictions'
+        value: [ 'permit_sasl_authenticated', 'reject' ]
+        state: '{{ "present"
+                  if (postfix__version is version_compare("2.10.0", ">="))
+                  else "ignore" }}'
+
+      - milter_macro_daemon_name: 'ORIGINATING'
+
+  - name: 'smtps'
+    type: 'inet'
+    private: False
+    chroot: True
+    command: 'smtpd'
+    state: 'comment'
+    options:
+
+      - syslog_name: 'postfix/smtps'
+      - smtpd_tls_wrappermode: True
+      - smtpd_sasl_auth_enable: True
+      - smtpd_reject_unlisted_recipient: False
+
+      - name: 'smtpd_client_restrictions'
+        value: '$mua_client_restrictions'
+        state: 'comment'
+
+      - name: 'smtpd_helo_restrictions'
+        value: '$mua_helo_restrictions'
+        state: 'comment'
+
+      - name: 'smtpd_sender_restrictions'
+        value: '$mua_sender_restrictions'
+        state: 'comment'
+
+      - smtpd_recipient_restrictions: ''
+
+      - name: 'smtpd_relay_restrictions'
+        value: [ 'permit_sasl_authenticated', 'reject' ]
+        state: '{{ "present"
+                  if (postfix__version is version_compare("2.10.0", ">="))
+                  else "ignore" }}'
+
+      - milter_macro_daemon_name: 'ORIGINATING'
+
+  - name: 'qmqp'
+    service: '628'
+    type: 'inet'
+    private: False
+    chroot: True
+    command: 'qmqpd'
+    state: 'comment'
+
+  - name: 'pickup'
+    type: 'unix'
+    private: False
+    chroot: True
+    wakeup: 60
+    maxproc: 1
+
+  - name: 'cleanup'
+    type: 'unix'
+    private: False
+    chroot: True
+    maxproc: 0
+
+  - name: 'qmgr'
+    type: 'unix'
+    private: False
+    chroot: False
+    wakeup: 300
+    maxproc: 1
+
+  - name: 'oqmgr'
+    service: 'qmgr'
+    type: 'unix'
+    private: False
+    chroot: False
+    wakeup: 300
+    maxproc: 1
+    command: 'oqmgr'
+    state: 'comment'
+
+  - name: 'tlsmgr'
+    type: 'unix'
+    chroot: True
+    wakeup: '1000?'
+    maxproc: 1
+
+  - name: 'rewrite'
+    type: 'unix'
+    chroot: True
+    command: 'trivial-rewrite'
+
+  - name: 'bounce'
+    type: 'unix'
+    chroot: True
+    maxproc: 0
+
+  - name: 'defer'
+    type: 'unix'
+    chroot: True
+    maxproc: 0
+    command: 'bounce'
+
+  - name: 'trace'
+    type: 'unix'
+    chroot: True
+    maxproc: 0
+    command: 'bounce'
+
+  - name: 'verify'
+    type: 'unix'
+    chroot: True
+    maxproc: 1
+
+  - name: 'flush'
+    type: 'unix'
+    private: False
+    chroot: True
+    wakeup: '1000?'
+    maxproc: 0
+
+  - name: 'proxymap'
+    type: 'unix'
+    chroot: False
+
+  - name: 'proxywrite'
+    type: 'unix'
+    chroot: False
+    maxproc: 1
+    command: 'proxymap'
+
+  - name: 'smtp_unix'
+    service: 'smtp'
+    type: 'unix'
+    chroot: True
+    command: 'smtp'
+
+  - name: 'relay'
+    type: 'unix'
+    chroot: True
+    command: 'smtp'
+    options:
+
+      - name: 'smtp_helo_timeout'
+        value: 5
+        state: 'comment'
+
+      - name: 'smtp_connect_timeout'
+        value: 5
+        state: 'comment'
+
+  - name: 'showq'
+    type: 'unix'
+    chroot: True
+    private: False
+
+  - name: 'error'
+    type: 'unix'
+    chroot: True
+
+  - name: 'retry'
+    type: 'unix'
+    chroot: True
+    command: 'error'
+
+  - name: 'discard'
+    type: 'unix'
+    chroot: True
+
+  - name: 'local'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+
+  - name: 'virtual'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+
+  - name: 'lmtp'
+    type: 'unix'
+    chroot: True
+
+  - name: 'anvil'
+    type: 'unix'
+    chroot: True
+    maxproc: 1
+
+  - name: 'scache'
+    type: 'unix'
+    chroot: True
+    maxproc: 1
+
+  - name: 'non-postfix-sftware'
+    comment: |
+      ====================================================================
+      Interfaces to non-Postfix software. Be sure to examine the manual
+      pages of the non-Postfix software to find out what options it wants.
+
+      Many of the following services use the Postfix pipe(8) delivery
+      agent.  See the pipe(8) man page for information about ${recipient}
+      and other message envelope options.
+      ====================================================================
+    state: 'hidden'
+
+  - name: 'maildrop'
+    comment: |
+      maildrop. See the Postfix MAILDROP_README file for details.
+      Also specify in main.cf: maildrop_destination_recipient_limit=1
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}'
+
+  - name: 'cyrus-lmtp-note'
+    comment: |
+      ====================================================================
+
+      Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+
+      Specify in cyrus.conf:
+        lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+
+      Specify in main.cf one or more of the following:
+       mailbox_transport = lmtp:inet:localhost
+       virtual_transport = lmtp:inet:localhost
+
+      ====================================================================
+    state: 'hidden'
+
+  - name: 'cyrus'
+    comment: |
+      Cyrus 2.1.5 (Amos Gouaux)
+      Also specify in main.cf: cyrus_destination_recipient_limit=1
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}'
+    state: 'comment'
+
+  - name: 'old-cyrus'
+    comment: |
+      ====================================================================
+      Old example of delivery via Cyrus.
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}'
+    state: 'comment'
+
+  - name: 'uucp'
+    comment: |
+      ====================================================================
+
+      See the Postfix UUCP_README file for configuration details.
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)'
+
+  - name: 'other-delivery-methods'
+    comment: 'Other external delivery methods.'
+    state: 'hidden'
+
+  - name: 'ifmail'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)'
+
+  - name: 'bsmtp'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    command: 'pipe'
+    args: 'flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient'
+
+  - name: 'scalemail-backend'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    maxproc: 2
+    command: 'pipe'
+    args: 'flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}'
+
+  - name: 'mailman'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    args: |
+      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+      ${nexthop} ${user}
+    command: 'pipe'
+
+                                                                   # ]]]
+# .. envvar:: postfix__default_mastercf [[[
+#
+# The list of Postfix :file:`/etc/postfix/master.cf` configuration file options
+# defined by default by the ``debops.postfix`` Ansible role.
+postfix__default_mastercf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__tls_mastercf [[[
+#
+# The list of Postfix :file:`/etc/postfix/master.cf` configuration file options
+# defined by default by the ``debops.postfix`` Ansible role which configure
+# TLS/SSL encryption.
+postfix__tls_mastercf:
+
+  - name: 'submission'
+    options:
+      - tls_preempt_cipherlist: True
+
+  - name: 'smtps'
+    options:
+      - tls_preempt_cipherlist: True
+
+                                                                   # ]]]
+# .. envvar:: postfix__mastercf [[[
+#
+# The list of Postfix :file:`/etc/postfix/master.cf` configuration file options
+# which should be present on all hosts in the Ansible inventory.
+postfix__mastercf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__group_mastercf [[[
+#
+# The list of Postfix :file:`/etc/postfix/master.cf` configuration file options
+# which should be present on hosts in the specific Ansible inventory group.
+postfix__group_mastercf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__host_mastercf [[[
+#
+# The list of Postfix :file:`/etc/postfix/master.cf` configuration file options
+# which should be present on specific hosts in the Ansible inventory.
+postfix__host_mastercf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__dependent_mastercf [[[
+#
+# List of the :file:`/etc/postfix/master.cf` configuration options defined by
+# other roles through role dependent variables. The configuration syntax
+# differs from a normal :file:`master.cf` configuration,
+# see :ref:`postfix__ref_dependency` for more details.
+# This variable will be merged with the persistent configuration stored on the
+# Ansible Controller at runtime.
+postfix__dependent_mastercf: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__combined_mastercf [[[
+#
+# List which combines all of the :file:`master.cf`-related variables and is used
+# in the configuration template.
+postfix__combined_mastercf: '{{ postfix__original_mastercf
+                                + postfix__default_mastercf
+                                + postfix__tls_mastercf
+                                + postfix__env_persistent_mastercf
+                                + postfix__mastercf
+                                + postfix__group_mastercf
+                                + postfix__host_mastercf }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix lookup tables [[[
+# -------------------------
+
+# These variables define the contents of the various Postfix lookup tables
+# which will be placed in the :file:`/etc/postfix/` directory.
+# See :ref:`postfix__ref_lookup_tables` for more details.
+
+# .. envvar:: postfix__lookup_tables [[[
+#
+# List of lookup tables which will be managed on all hosts in the Ansible
+# inventory.
+postfix__lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__group_lookup_tables [[[
+#
+# List of lookup tables which will be managed on hosts in specific Ansible
+# inventory group.
+postfix__group_lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__host_lookup_tables [[[
+#
+# List of lookup tables which will be managed on specific hosts in the Ansible
+# inventory.
+postfix__host_lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__dependent_lookup_tables [[[
+#
+# List of lookup tables which are defined by other Ansible roles through role
+# dependent variables.
+postfix__dependent_lookup_tables: []
+
+                                                                   # ]]]
+# .. envvar:: postfix__dependent_lookup_tables_filter [[[
+#
+# This variable filters the configuration defined by other Ansible roles to be
+# usable with the rest of the lookup tables configuration.
+postfix__dependent_lookup_tables_filter: '{{ lookup("flattened",
+                                             postfix__dependent_lookup_tables) }}'
+
+                                                                   # ]]]
+# .. envvar:: postfix__combined_lookup_tables [[[
+#
+# Variable which combines all lookup table lists and passes them to the Ansible
+# tasks. It also defines the order in which the entries are processed.
+postfix__combined_lookup_tables: '{{ ([postfix__dependent_lookup_tables_filter]
+                                      if postfix__dependent_lookup_tables_filter is mapping
+                                      else postfix__dependent_lookup_tables_filter)
+                                     + postfix__lookup_tables
+                                     + postfix__group_lookup_tables
+                                     + postfix__host_lookup_tables }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: postfix__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+postfix__ferm__dependent_rules:
+
+  - name: 'postfix_smtp'
+    type: 'accept'
+    by_role: 'debops.postfix'
+    dport: [ 'smtp' ]
+    saddr: '{{ postfix__allow_smtp }}'
+    accept_any: '{{ postfix__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("smtp" in postfix__env_active_services | d([]))
+                    else "absent" }}'
+
+  - name: 'postfix_smtps'
+    type: 'accept'
+    by_role: 'debops.postfix'
+    dport: [ 'smtps' ]
+    saddr: '{{ postfix__allow_smtps }}'
+    accept_any: '{{ postfix__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("smtps" in postfix__env_active_services | d([]))
+                    else "absent" }}'
+
+  - name: 'postfix_submission'
+    type: 'accept'
+    by_role: 'debops.postfix'
+    dport: [ 'submission' ]
+    saddr: '{{ postfix__allow_submission }}'
+    accept_any: '{{ postfix__accept_any }}'
+    rule_state: '{{ "present"
+                    if ("submission" in postfix__env_active_services | d([]))
+                    else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postfix/meta/main.yml b/ansible_collections/debops/debops/roles/postfix/meta/main.yml
new file mode 100644
index 00000000..040cfbdc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage Postfix SMTP service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smtp
+    - mail
+    - lmtp
+    - submission
diff --git a/ansible_collections/debops/debops/roles/postfix/tasks/main.yml b/ansible_collections/debops/debops/roles/postfix/tasks/main.yml
new file mode 100644
index 00000000..c4f8d8e2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/tasks/main.yml
@@ -0,0 +1,160 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Postfix APT packages
+  ansible.builtin.apt:
+    name: '{{ (postfix__base_packages
+             + postfix__dependent_packages
+             + postfix__host_packages
+             + postfix__group_packages
+             + postfix__packages)
+             | flatten }}'
+    state: 'present'
+    install_recommends: False
+  register: postfix__register_packages
+  until: postfix__register_packages is succeeded
+  when: ansible_pkg_mgr == 'apt'
+  tags: [ 'meta::provision' ]
+
+- name: Purge other SMTP servers
+  ansible.builtin.apt:
+    name: '{{ postfix__purge_packages | flatten }}'
+    state: 'absent'
+    purge: True
+  when: postfix__purge_packages | d() and ansible_pkg_mgr == 'apt'
+  tags: [ 'meta::provision' ]
+
+- name: Disable Postfix configuration in debconf
+  ansible.builtin.debconf:
+    name: 'postfix'
+    question: 'postfix/main_mailer_type'
+    vtype: 'select'
+    value: 'No configuration'
+  when: ansible_pkg_mgr == 'apt'
+
+- name: Make sure Ansible local facts directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure Postfix local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postfix.fact.j2'
+    dest: '/etc/ansible/facts.d/postfix.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure /etc/mailname
+  ansible.builtin.copy:
+    content: "{{ postfix__mailname + '\n' }}"
+    dest: '/etc/mailname'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check postfix and reload' ]
+
+- name: Install /etc/postfix/Makefile
+  ansible.builtin.template:
+    src: 'etc/postfix/Makefile.j2'
+    dest: '/etc/postfix/Makefile'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Generate Postfix 'main.cf' configuration
+  ansible.builtin.template:
+    src: 'etc/postfix/main.cf.j2'
+    dest: '/etc/postfix/main.cf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check postfix and reload' ]
+
+- name: Generate Postfix 'master.cf' configuration
+  ansible.builtin.template:
+    src: 'etc/postfix/master.cf.j2'
+    dest: '/etc/postfix/master.cf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check postfix and reload' ]
+
+- name: Remove Postfix lookup tables
+  ansible.builtin.file:
+    path: '/etc/postfix/{{ item.name }}'
+    state: 'absent'
+  loop: '{{ postfix__combined_lookup_tables | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+  notify: [ 'Process Postfix Makefile', 'Check postfix and reload' ]
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True if (item.mode | d("0644") == "0600") else False) }}'
+
+- name: Generate Postfix lookup tables
+  ansible.builtin.template:
+    src:   'etc/postfix/lookup_table.j2'
+    dest:  '/etc/postfix/{{ item.name }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("postfix") }}'
+    mode:  '{{ item.mode | d("0640") }}'
+  loop: '{{ postfix__combined_lookup_tables | debops.debops.parse_kv_items }}'
+  notify: [ 'Process Postfix Makefile', 'Check postfix and reload' ]
+  when: item.name | d() and item.state | d('present') != 'absent'
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True if (item.mode | d("0640") in ["0640", "0600"])
+                  else False) }}'
+
+- name: Save dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: '{{ "secret/postfix/dependent_config/inventory_hostname/" + item + ".j2" }}'
+    dest: '{{ secret + "/postfix/dependent_config/" + inventory_hostname + "/" + item }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  with_items: [ 'maincf.json', 'mastercf.json' ]
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ postfix__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: postfix__pki | bool
+
+- name: Manage PKI postfix hook
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/postfix.j2'
+    dest: '{{ postfix__pki_hook_path + "/" + postfix__pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: postfix__pki | bool
+
+- name: Ensure the PKI postfix hook is absent
+  ansible.builtin.file:
+    path: '{{ postfix__pki_hook_path + "/" + postfix__pki_hook_name }}'
+    state: 'absent'
+  when: not (postfix__pki | bool)
diff --git a/ansible_collections/debops/debops/roles/postfix/tasks/main_env.yml b/ansible_collections/debops/debops/roles/postfix/tasks/main_env.yml
new file mode 100644
index 00000000..8f412df3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/tasks/main_env.yml
@@ -0,0 +1,14 @@
+---
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Load persistent Postfix configuration
+  ansible.builtin.set_fact:
+    postfix__env_persistent_maincf:   '{{ lookup("template", "lookup/postfix__env_persistent_maincf.j2") | from_yaml }}'
+    postfix__env_persistent_mastercf: '{{ lookup("template", "lookup/postfix__env_persistent_mastercf.j2") | from_yaml }}'
+
+- name: Prepare Postfix environment
+  ansible.builtin.set_fact:
+    postfix__env_active_services: '{{ lookup("template", "lookup/postfix__env_active_services.j2") | from_yaml }}'
+    postfix__secret__directories: '{{ lookup("template", "lookup/postfix__secret__directories.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/ansible/facts.d/postfix.fact.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/ansible/facts.d/postfix.fact.j2
new file mode 100644
index 00000000..a735b9dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/ansible/facts.d/postfix.fact.j2
@@ -0,0 +1,52 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = {'installed': True}
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        postconf_stdout = subprocess.check_output(
+            ["LC_MESSAGES=C dpkg-query -W -f='${Version}' 'postfix'"],
+            shell=True, stderr=devnull)
+
+except subprocess.CalledProcessError:
+    pass
+
+# The 'postfix-doc' package modifies the Postfix 'main.cf' file, so let's
+# account for that
+postfix_doc_status = ''
+postfix_doc_cmd = ["/usr/bin/dpkg-query",
+                   "--show",
+                   "--showformat='${db:Status-Status}'",
+                   "'postfix-doc'"]
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        postfix_doc_status = subprocess.check_output(
+            ' '.join(postfix_doc_cmd), shell=True, stderr=devnull)
+
+except subprocess.CalledProcessError:
+    pass
+
+if postconf_stdout:
+    output['version'] = postconf_stdout.decode('utf-8').split('-')[0]
+
+if postfix_doc_status == 'installed':
+    output['doc_installed'] = True
+else:
+    output['doc_installed'] = False
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/pki/hooks/postfix.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/pki/hooks/postfix.j2
new file mode 100644
index 00000000..03f7e5a4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/pki/hooks/postfix.j2
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2020 Rainer Schuth <devel@reixd.net>
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart postfix on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+postfix_config="/etc/postfix/main.cf"
+postfix_action="{{ postfix__pki_hook_action }}"
+
+# Check if current PKI realm is used by the 'postfix' webserver
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${postfix_config} || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                postfix_state="$(systemctl is-active postfix.service)"
+                if [ "${postfix_state}" = "active" ] ; then
+                    if postfix check > /dev/null 2>&1 ; then
+                        systemctl "${postfix_action}" postfix.service
+                    fi
+                fi
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/Makefile.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/Makefile.j2
new file mode 100644
index 00000000..1e26576d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/Makefile.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Manage Postfix hash tables idempotently.
+#
+# Documentation: http://www.postfix.org/DATABASE_README.html#safe_db
+
+
+# All '*.in' files in current directory are hash tables that need to be
+# processed by 'postmap'.
+HASH_TABLES = $(patsubst %.in,%.db,$(wildcard *.in))
+
+all: $(HASH_TABLES)
+
+%.db: %.in
+	@postmap "$<" && mv -- "$<.db" "$@"
+
+clean:
+	@rm -f *.db
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/lookup_table.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/lookup_table.j2
new file mode 100644
index 00000000..51b1aeff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/lookup_table.j2
@@ -0,0 +1,65 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set ldap_table_params = [ 'server_host', 'server_port', 'timeout', 'search_base',
+                             'query_filter', 'result_format', 'domain', 'result_attribute',
+                             'special_result_attribute', 'terminal_result_attribute',
+                             'leaf_result_attribute', 'scope', 'bind', 'bind_dn',
+                             'bind_pw', 'cache_expiry', 'cache_size', 'recursion_limit',
+                             'expansion_limit', 'size_limit', 'dereference', 'chase_referrals',
+                             'version', 'debuglevel', 'sasl_mechs', 'sasl_realm', 'sasl_authz_id',
+                             'sasl_minssf', 'start_tls', 'tls_ca_cert_dir', 'tls_ca_cert_file',
+                             'tls_cert', 'tls_key', 'tls_require_cert', 'tls_random_file',
+                             'tls_cipher_suite' ] %}
+{% set sql_table_params = [ 'hosts', 'user', 'password', 'dbname', 'query', 'result_format',
+                            'domain', 'expansion_limit', 'option_file', 'option_group',
+                            'require_result_set', 'tls_cert_file', 'tls_key_file',
+                            'tls_CAfile', 'tls_CApath', 'tls_verify_cert', 'dbpath' ] %}
+{% if item.by_role | d() %}
+# File generated by Ansible role: '{{ item.by_role }}'
+
+{% endif %}
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% set default_action = item.default_action | d('DUNNO') %}
+{% set auto_margin = {'length': 8} %}
+{% if item.raw | d() %}
+{{ item.raw }}
+{% elif (item.config | d() or item.connection | d()) %}
+{%   for config_key in (ldap_table_params + sql_table_params + ((item.connection | d({})).keys() | sort) + ((item.config | d({})).keys() | sort)) | unique %}
+{%     if item.connection[config_key] is defined %}
+{%       set value = item.connection[config_key] %}
+{{ '{} = {}'.format(config_key, (([ value ] if value is string else value) | join(', '))) }}
+{%     elif item.config[config_key] is defined %}
+{%       set value = item.config[config_key] %}
+{{ '{} = {}'.format(config_key, (([ value ] if value is string else value) | join(', '))) }}
+{%     elif config_key in item.keys() | sort %}
+{%       set value = item[config_key] %}
+{%       if value is iterable %}
+{{ '{} = {}'.format(config_key, (([ value ] if value is string else value) | join(', '))) }}
+{%       else %}
+{{ '{} = {}'.format(config_key, value) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{%   for element in (item.options | d([]) + item.content | d([])) %}
+{%     if (element.key | d(element.name | d(element))) | length > auto_margin['length'] | int %}
+{%       set _ = auto_margin.update({'length': (element.key | d(element.name | d(element))) | length | int}) %}
+{%     endif %}
+{%   endfor %}
+{%   for element in (item.options | d([]) + item.content | d([])) %}
+{%     if element.state | d('present') != 'absent' %}
+{%       set option_commented = ('#' if element.state | d('present') == 'comment' else '') %}
+{%       set margin = (7 if element.state | d('present') == 'comment' else 8) %}
+{%       if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='\n', postfix='') -}}
+{%       endif %}
+{{ ('{}{:<' + (margin + auto_margin['length']) | string + '} {}').format(option_commented, element.key | d(element.name | d(element)), element.action | d(element.value | d(default_action))).rstrip() }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/main.cf.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/main.cf.j2
new file mode 100644
index 00000000..223150c0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/main.cf.j2
@@ -0,0 +1,105 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+{% set postfix__tpl_maincf = ((postfix__init_maincf + postfix__combined_maincf) | debops.debops.parse_kv_config) %}
+{% set postfix__tpl_filtered_maincf_sections = [] %}
+{% for element in postfix__tpl_maincf %}
+{%   if element.state | d('present') not in [ 'init', 'absent' ] %}
+{%     set _ = postfix__tpl_filtered_maincf_sections.append(element) %}
+{%   endif %}
+{% endfor %}
+{% set postfix__tpl_sections = ((postfix__tpl_filtered_maincf_sections | map(attribute='section')) | list | unique) %}
+{% for section in postfix__maincf_sections %}
+{%   if section.state | d('present') != 'absent' %}
+{%     set section_loop = [] %}
+{%     set section_comment_prefix = ('' if loop.first | bool else '\n') %}
+{%     if section.name in postfix__tpl_sections %}
+{%       if section.title | d() %}
+
+{{ '{:-^70}'.format(' ' + section.title + ' ') | comment(prefix=section_comment_prefix, postfix='') }}
+{%       endif %}
+{%       for element in postfix__tpl_maincf %}
+{%         if element.section == section.name and element.state | d('present') not in [ 'init', 'absent' ] %}
+{%           set comment_prefix =   ('' if not section_loop else '\n') %}
+{%           set option_commented =  ('#' if element.state | d('present') == 'comment' else '') %}
+{%           set element_name = (element.option | d(element.name)) %}
+{%           if element.value is defined %}
+{%             if element.value | bool and element.value is not iterable %}
+{%               if element.value | int and element.value | string != 'True' %}
+{%                 set element_value = element.value %}
+{%               else %}
+{%                 set element_value = 'yes' %}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int or element.value | string == '0' %}
+{%                   set element_value = element.value %}
+{%                 else %}
+{%                   set element_value = 'no' %}
+{%                 endif %}
+{%               endif %}
+{%             elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%               set element_value = [] %}
+{%               for option in element.value %}
+{%                 if option.state | d('present') != 'absent' %}
+{%                   set _ = element_value.append(option.name) %}
+{%                 endif %}
+{%               endfor %}
+{%             else %}
+{%               set element_value = element.value %}
+{%             endif %}
+{%           else %}
+{%             set element_value = [] %}
+{%           endif %}
+{%           if element.comment | d() %}
+{%             set comment_footer = ('#\n' if (element.comment.split('\n') | list | count >= 5) else '') %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix=comment_prefix, postfix=comment_footer) -}}
+{%             if element.state | d('present') == 'hidden' %}
+
+{%             endif %}
+{%           elif element.separator is defined and element.separator | bool %}
+
+{%           endif %}
+{%           if element.state | d('present') != 'hidden' %}
+{%             if element_value is not string and element_value is not mapping and element_value is iterable %}
+{%               if element_value | ansible.utils.ipwrap | join(', ') | length <= 50 %}
+{{ ('{}{} ={}{}').format(option_commented, element_name, (' ' if (element_value or element_value == 0) else ''), element_value | ansible.utils.ipwrap | join(', ')) }}
+{%               else %}
+{{ ('{}{} =').format(option_commented, element_name) }}
+{%                 for thing in element_value %}
+{{ ('{}{:<4}{}').format(option_commented, '', (thing | ansible.utils.ipwrap) + ('' if loop.last | bool else ',')) }}
+{%                 endfor %}
+
+{%               endif %}
+{%             elif element_value is string %}
+{%               if element_value.split('\n') | list | count > 1 %}
+{{ ('{}{} =').format(option_commented, element_name) }}
+{%                 set element_value_strip = element_value | regex_replace('\n$','') %}
+{%                 for thing in element_value_strip.split('\n') | list %}
+{{ ('{}{:<4}{}').format(option_commented, '', thing | ansible.utils.ipwrap) }}
+{%                 endfor %}
+{%                 if not option_commented %}
+
+{%                 endif %}
+{%               else %}
+{{ ('{}{} ={}{}').format(option_commented, element_name, (' ' if (element_value or element_value == 0) else ''), element_value | ansible.utils.ipwrap) }}
+{%               endif %}
+{%             else %}
+{{ ('{}{} ={}{}').format(option_commented, element_name, (' ' if (element_value or element_value == 0) else ''), element_value) }}
+{%             endif %}
+{%             if option_commented | d() and element.comment | d() %}
+
+{%             endif %}
+{%             set _ = section_loop.append(True) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/master.cf.j2 b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/master.cf.j2
new file mode 100644
index 00000000..2998bd79
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/etc/postfix/master.cf.j2
@@ -0,0 +1,129 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+{% set postfix__tpl_default_chroot = ((postfix__version is version_compare("3.0.0", "<")) | ternary('yes', 'no')) %}
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+{{ "# {:<8}{:<6}{:<8}{:<8}{:<8}{:<8}{}".format('', '', '(yes)', '(yes)', '(' + postfix__tpl_default_chroot + ')', '(never)', '(100)') }}
+# ==========================================================================
+{% macro set_value(option) %}
+{%   set output = '-' %}
+{%   if option | bool and option is not iterable %}
+{%     if option | int and option | string != 'True' %}
+{%       set output = option %}
+{%     else %}
+{%       set output = 'y' %}
+{%     endif %}
+{%   elif not option | bool and option is not iterable %}
+{%     if option is not none %}
+{%       if option | int or option | string == '0' %}
+{%         set output = option %}
+{%       else %}
+{%         set output = 'n' %}
+{%       endif %}
+{%     endif %}
+{%   elif option is string %}
+{%     set output = option %}
+{%   endif %}
+{{ output | to_json }}
+{% endmacro %}
+{% set param_empty = {
+  'command': [ 'service', 'name' ]
+} %}
+{% set param_defaults = {
+  'private': '-',
+  'unpriv':  '-',
+  'chroot':  '-',
+  'wakeup':  '-',
+  'maxproc': '-'
+} %}
+{% set postfix__tpl_mastercf = (postfix__combined_mastercf | debops.debops.parse_kv_items(empty=param_empty, defaults=param_defaults)) %}
+{% for element in postfix__tpl_mastercf %}
+{%   if element.name | d() and element.state | d('present') not in [ 'init', 'absent' ] %}
+{%     set option_commented = ('#' if element.state | d('present') == 'comment' else '') %}
+{%     set element_name =     (element.service | d(element.name)) %}
+{%     set element_type =     element.type %}
+{%     set element_private =  set_value(element.private) | from_json %}
+{%     set element_unpriv =   set_value(element.unpriv) | from_json %}
+{%     set element_chroot =   set_value(element.chroot) | from_json %}
+{%     if element_chroot == postfix__tpl_default_chroot[0] %}
+{%       if postfix__version is version_compare("3.0.0", "<") %}
+{%         set element_chroot = '-' %}
+{%       endif %}
+{%     endif %}
+{%     set element_wakeup =   set_value(element.wakeup) | from_json %}
+{%     set element_maxproc =  set_value(element.maxproc) | from_json %}
+{%     set element_command =  element.command %}
+{%     set element_args =     (element.args | d('') | regex_replace('\n$','')) %}
+{%     set name_indent =      (option_commented | ternary('8', '9')) %}
+{%     set type_indent =      ((element_name | length > 8) | ternary('4', '5')) %}
+{%     set private_indent =   ((element_name | length > 8 and option_commented) | ternary('6', '7')) %}
+{%     set option_format =    ('{}{:<' + name_indent + '} {:<' + type_indent + '} {:<' + private_indent + '} {:<7} {:<7} {:<7} {:<7} {}') %}
+{%     if element.comment | d() %}
+{%       set comment_header = ('#' if (element.state | d('present') == 'hidden' or (element.comment.split('\n') | list | count >= 3)) else '') %}
+{%       set comment_footer = ('#\n' if (element.comment.split('\n') | list | count < 5) else '') %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix=comment_header, postfix=comment_footer) -}}
+{%     elif element.separator is defined and element.separator | bool %}
+
+{%     endif %}
+{%     if element.state | d('present') != 'hidden' %}
+{{ option_format.format(option_commented, element_name, element_type, element_private, element_unpriv, element_chroot, element_wakeup, element_maxproc, element_command) }}
+{%       if element.options | d() %}
+{%         set parsed_options = [] %}
+{%         for option in element.options %}
+{%           set option_dict = {'name': (option.option | d(option.name)), 'state': option.state | d('present') } %}
+{%           if option.value is defined %}
+{%             if option.value | bool and option.value is not iterable %}
+{%               if option.value | int and option.value | string != 'True' %}
+{%                 set _ = option_dict.update({ 'value': option.value | string }) %}
+{%               else %}
+{%                 set _ = option_dict.update({ 'value': 'yes' }) %}
+{%               endif %}
+{%             elif not option.value | bool and option.value is not iterable %}
+{%               if option.value is not none %}
+{%                 if option.value | int or option.value | string == '0' %}
+{%                   set _ = option_dict.update({ 'value': option.value | string }) %}
+{%                 else %}
+{%                   set _ = option_dict.update({ 'value': 'no' }) %}
+{%                 endif %}
+{%               endif %}
+{%             elif option.value is not string and option.value is not mapping and option.value is iterable %}
+{%               set option_values = [] %}
+{%               for option_item in option.value %}
+{%                 if option_item.state | d('present') != 'absent' %}
+{%                   set _ = option_values.append(option_item.name) %}
+{%                 endif %}
+{%               endfor %}
+{%               set _ = option_dict.update({ 'value': option_values }) %}
+{%             else %}
+{%               set _ = option_dict.update({ 'value': option.value | string }) %}
+{%             endif %}
+{%           else %}
+{%             set _ = option_dict.update({'value': [] }) %}
+{%           endif %}
+{%           set _ = parsed_options.append(option_dict) %}
+{%         endfor %}
+{%         if parsed_options | count > 0 %}
+{%           for thing in parsed_options %}
+{%             set thing_commented = ('#' if thing.state | d('present') == 'comment' else '') %}
+{{ '{}  -o {{ {} = {} }}'.format(option_commented if option_commented else thing_commented, thing.name, ([ thing.value ] if thing.value is string else thing.value) | join(', ')) }}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%       if element_args | d() %}
+{%         for line in element_args.split('\n') %}
+{{ '{}{}'.format(option_commented, '  ' + line) }}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_active_services.j2 b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_active_services.j2
new file mode 100644
index 00000000..1ee90665
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_active_services.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set postfix__tpl_active_services = [] %}
+{% set postfix__tpl_mastercf = (postfix__combined_mastercf | debops.debops.parse_kv_items) %}
+{% for element in postfix__tpl_mastercf %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'comment', 'hidden' ] %}
+{%     set _ = postfix__tpl_active_services.append((element.service | d(element.name))) %}
+{%   endif %}
+{% endfor %}
+{{ postfix__tpl_active_services | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_maincf.j2 b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_maincf.j2
new file mode 100644
index 00000000..a8ca13e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_maincf.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if (ansible_local.postfix.installed | d()) | bool %}
+{% set postfix__tpl_persistent_maincf = (
+     lookup("file", secret + "/postfix/dependent_config/" + inventory_hostname + "/maincf.json",
+            errors="ignore") | d("{}", True) | from_json) %}
+{% else %}
+{%   set postfix__tpl_persistent_maincf = {} %}
+{% endif %}
+{% if postfix__dependent_maincf %}
+{%   for element in q("flattened", postfix__dependent_maincf) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set _ = postfix__tpl_persistent_maincf.update( {element.role: q("flattened", element.config) }) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = postfix__tpl_persistent_maincf.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set _ = postfix__tpl_persistent_maincf.update( {role: q("flattened", config)} ) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set postfix__tpl_output_maincf = [] %}
+{% for role, config in postfix__tpl_persistent_maincf.items() %}
+{%   set _ = postfix__tpl_output_maincf.extend(config) %}
+{% endfor %}
+{{ postfix__tpl_output_maincf | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_mastercf.j2 b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_mastercf.j2
new file mode 100644
index 00000000..21d16752
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__env_persistent_mastercf.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if (ansible_local.postfix.installed | d()) | bool %}
+{% set postfix__tpl_persistent_mastercf = (
+     lookup("file", secret + "/postfix/dependent_config/" + inventory_hostname + "/mastercf.json",
+            errors="ignore") | d("{}", True) | from_json) %}
+{% else %}
+{%   set postfix__tpl_persistent_mastercf = {} %}
+{% endif %}
+{% if postfix__dependent_mastercf %}
+{%   for element in q("flattened", postfix__dependent_mastercf) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set _ = postfix__tpl_persistent_mastercf.update( {element.role: q("flattened", element.config) }) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = postfix__tpl_persistent_mastercf.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set _ = postfix__tpl_persistent_mastercf.update( {role: q("flattened", config)} ) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set postfix__tpl_output_mastercf = [] %}
+{% for role, config in postfix__tpl_persistent_mastercf.items() %}
+{%   set _ = postfix__tpl_output_mastercf.extend(config) %}
+{% endfor %}
+{{ postfix__tpl_output_mastercf | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__init_maincf.j2 b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__init_maincf.j2
new file mode 100644
index 00000000..5efdadf5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__init_maincf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set postfix__tpl_init_maincf = [] %}
+{% for entry in postfix__combined_maincf %}
+{%   if 'section' not in entry.keys() %}
+{%     set entry_name = (entry.name | d(entry | list | first)) %}
+{%     if entry_name is search('_sasl_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'auth'}) %}
+{%     elif entry_name.startswith('smtpd_tls_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'smtpd-tls'}) %}
+{%     elif entry_name.startswith('smtp_tls_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'smtp-tls'}) %}
+{%     elif entry_name.startswith('lmtp_tls_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'lmtp-tls'}) %}
+{%     elif entry_name.startswith('virtual_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'virtual'}) %}
+{%     elif entry_name.startswith('postscreen_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'postscreen'}) %}
+{%     elif entry_name.startswith('anvil_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'limit'}) %}
+{%     elif entry_name.endswith('_limit') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'limit'}) %}
+{%     elif entry_name.endswith('_canonical_maps') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'route'}) %}
+{%     elif entry_name in [ 'canonical_maps', 'relay_domains', 'local_recipient_maps', 'relay_recipient_maps', 'transport_maps' ] %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'route'}) %}
+{%     elif entry_name in [ 'smtpd_milters', 'non_smtpd_milters', 'header_checks', 'body_checks', 'content_filter' ] %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'filter'}) %}
+{%     elif entry_name.startswith('milter_') %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'filter'}) %}
+{%     elif entry_name in [ 'smtpd_client_event_limit_exceptions', 'smtpd_error_sleep_time' ] %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'limit'}) %}
+{%     elif entry_name in [ 'smtpd_sender_login_maps' ] %}
+{%       set _ = postfix__tpl_init_maincf.append({'name': entry_name, 'state': 'init', 'section': 'auth'}) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ postfix__tpl_init_maincf }}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__secret__directories.j2 b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__secret__directories.j2
new file mode 100644
index 00000000..512ae34c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/lookup/postfix__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'postfix/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/maincf.json.j2 b/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/maincf.json.j2
new file mode 100644
index 00000000..bdec63e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/maincf.json.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if postfix__env_persistent_maincf %}
+{% set postfix__tpl_persistent_maincf = (
+     lookup("file", secret + "/postfix/dependent_config/" + inventory_hostname + "/maincf.json",
+            errors="ignore") | d("{}", True) | from_json) %}
+{% else %}
+{%   set postfix__tpl_persistent_maincf = {} %}
+{% endif %}
+{% if postfix__dependent_maincf %}
+{%   for element in q("flattened", postfix__dependent_maincf) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set _ = postfix__tpl_persistent_maincf.update( {element.role: q("flattened", element.config) }) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = postfix__tpl_persistent_maincf.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set _ = postfix__tpl_persistent_maincf.update( {role: q("flattened", config)} ) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ postfix__tpl_persistent_maincf | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/mastercf.json.j2 b/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/mastercf.json.j2
new file mode 100644
index 00000000..a949810b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postfix/templates/secret/postfix/dependent_config/inventory_hostname/mastercf.json.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2014-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if postfix__env_persistent_mastercf %}
+{% set postfix__tpl_persistent_mastercf = (
+     lookup("file", secret + "/postfix/dependent_config/" + inventory_hostname + "/mastercf.json",
+            errors="ignore") | d("{}", True) | from_json) %}
+{% else %}
+{%   set postfix__tpl_persistent_mastercf = {} %}
+{% endif %}
+{% if postfix__dependent_mastercf %}
+{%   for element in q("flattened", postfix__dependent_mastercf) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set _ = postfix__tpl_persistent_mastercf.update( {element.role: q("flattened", element.config) }) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = postfix__tpl_persistent_mastercf.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set _ = postfix__tpl_persistent_mastercf.update( {role: q("flattened", config)} ) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ postfix__tpl_persistent_mastercf | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/postgresql/COPYRIGHT b/ansible_collections/debops/debops/roles/postgresql/COPYRIGHT
new file mode 100644
index 00000000..b7585b3f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postgresql - Manage PostgreSQL client using Ansible
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postgresql/defaults/main.yml b/ansible_collections/debops/debops/roles/postgresql/defaults/main.yml
new file mode 100644
index 00000000..56582adc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/defaults/main.yml
@@ -0,0 +1,282 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postgresql__ref_defaults:
+
+# debops.postgresql default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# PostgreSQL installation, packages [[[
+# -------------------------------------
+
+# .. envvar:: postgresql__upstream [[[
+#
+# Enable PostgreSQL Global Development Group APT repository?
+# More information: https://wiki.postgresql.org/wiki/Apt
+postgresql__upstream: False
+
+                                                                   # ]]]
+# .. envvar:: postgresql__upstream_key_id [[[
+#
+# The GPG fingerprint of the upstream APT repository key.
+postgresql__upstream_key_id: 'B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__upstream_apt_repo [[[
+#
+# The upstream APT repository URL in the ``sources.list`` format.
+postgresql__upstream_apt_repo: 'deb http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__base_packages [[[
+#
+# List of base PostgreSQL packages to install.
+postgresql__base_packages: [ 'postgresql-client' ]
+
+                                                                   # ]]]
+# .. envvar:: postgresql__python_packages [[[
+#
+# List of Python packages to install with PostgreSQL.
+postgresql__python_packages: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__packages [[[
+#
+# Install additional packages with PostgreSQL.
+postgresql__packages: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__preferred_version [[[
+#
+# Specify preferred version of the PostgreSQL packages to install. Only makes
+# sense when multiple PostgreSQL versions are available as APT packages, for
+# example when the upstream APT repository is enabled. See the
+# :ref:`postgresql__ref_preferred_version` for more details.
+postgresql__preferred_version: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql__user [[[
+#
+# PostgreSQL user account to which Ansible will switch to perform
+# database-related operations. Should be the same on local and remote database
+# servers.
+postgresql__user: 'postgres'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__server [[[
+#
+# FQDN hostname of the remote PostgreSQL server to use. Role detects if a local
+# server is available and uses it automatically.
+postgresql__server: '{{ ansible_local.postgresql.server
+                        if (ansible_local.postgresql.server | d() and
+                            ansible_local.postgresql.server != "localhost")
+                        else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__port [[[
+#
+# Default port number of the PostgreSQL server to use (local or remote).
+postgresql__port: '5432'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__delegate_to [[[
+#
+# FQDN hostname of the host that will execute Ansible tasks related to the
+# PostgreSQL database and role management. If PostgreSQL server is available
+# locally, host will delegate the tasks to itself automatically.
+postgresql__delegate_to: '{{ postgresql__server
+                             if (postgresql__server | d() and
+                                 postgresql__server != "localhost")
+                             else inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__password_hostname [[[
+#
+# The hostname used in the password lookup if the ``password`` parameter for
+# a given PostgreSQL role is not set. Passwords are stored on the Ansible
+# Controller in the :file:`secret/` directory; see :ref:`debops.secret` role for more
+# details.
+postgresql__password_hostname: '{{ postgresql__delegate_to
+                                   if (postgresql__delegate_to != omit)
+                                   else inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__password_length [[[
+#
+# Length of the randomly generated passwords in PostgreSQL database.
+postgresql__password_length: '64'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__password_characters [[[
+#
+# Characters allowed in the randomly generated passwords in PostgreSQL database.
+postgresql__password_characters: 'ascii_letters,digits,.-_~&()*='
+                                                                   # ]]]
+                                                                   # ]]]
+# pg_wrapper integration [[[
+# --------------------------
+
+# .. envvar:: postgresql__default_database [[[
+#
+# Name of the database the users should connect to, set as default in
+# :file:`/etc/postgresql-common/user_clusters`. If the name is ``*``, users will
+# connect to the database with the same name as their login.
+postgresql__default_database: '*'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__default_user_clusters [[[
+#
+# Default entry specified in :file:`/etc/postgresql-common/user_clusters`, used by
+# ``pg_wrapper`` script to direct users to correct PostgreSQL server. See
+# :ref:`postgresql__ref_user_clusters` for more details.
+postgresql__default_user_clusters:
+
+  - user: '*'
+    group: '*'
+    cluster: '{{ (postgresql__server + ":" + postgresql__port)
+                  if (postgresql__server | d() and postgresql__server)
+                  else "main" }}'
+    database: '{{ postgresql__default_database }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__user_clusters [[[
+#
+# Custom user/cluster mappings stored in
+# :file:`/etc/postgresql-common/user_clusters`. See :ref:`postgresql__ref_user_clusters`
+# for more details.
+postgresql__user_clusters: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PostgreSQL roles and databases [[[
+# ----------------------------------
+
+# .. envvar:: postgresql__roles [[[
+#
+# List of PostgreSQL roles, specified as YAML dicts. See
+# :ref:`postgresql__ref_roles` for more details.
+postgresql__roles: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_roles [[[
+#
+# List of PostgreSQL roles, specified as YAML dicts by other Ansible roles via
+# dependency variables. See :ref:`postgresql__ref_roles` for more details.
+postgresql__dependent_roles: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__groups [[[
+#
+# List of PostgreSQL role groups, specified as YAML dicts. See
+# :ref:`postgresql__ref_groups` for more details.
+postgresql__groups: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_groups [[[
+#
+# List of PostgreSQL role groups, specified as YAML dicts by other roles via
+# dependency variables. See :ref:`postgresql__ref_groups` for more details.
+postgresql__dependent_groups: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__databases [[[
+#
+# List of PostgreSQL databases, specified as YAML dicts. See
+# :ref:`postgresql__ref_databases` for more details.
+postgresql__databases: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_databases [[[
+#
+# List of PostgreSQL databases, specified as a YAML dicts, defined by other
+# roles via dependency variables. See :ref:`postgresql__ref_databases` for more
+# details.
+postgresql__dependent_databases: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__privileges [[[
+#
+# List of PostgreSQL privileges, specified as YAML dicts. See
+# :ref:`postgresql__ref_privileges` for more details.
+postgresql__privileges: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_privileges [[[
+#
+# List of PostgreSQL privileges, specified as a YAML dicts, defined by other
+# roles via dependency variables. See :ref:`postgresql__ref_privileges` for
+# more details.
+postgresql__dependent_privileges: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__extensions [[[
+#
+# List of PostgreSQL extensions enabled in specific databases, each extension
+# specified as a YAML dict. See :ref:`postgresql__ref_extensions` for more
+# details.
+postgresql__extensions: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_extensions [[[
+#
+# List of PostgreSQL extensions enabled in specific databases, each extension
+# specified as a YAML dict. This list can be used by other roles via dependency
+# variables. See :ref:`postgresql__ref_extensions` for more details.
+postgresql__dependent_extensions: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__pgpass [[[
+#
+# List of role/password mappings stored in user directories in ``~/.pgpass``
+# configuration file. See :ref:`postgresql__ref_pgpass` for more details.
+postgresql__pgpass: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql__dependent_pgpass [[[
+#
+# List of role/password mappings stored in user directories in ``~/.pgpass``
+# configuration file, defined by other roles via dependency variables. See
+# :ref:`postgresql__ref_pgpass` for more details.
+postgresql__dependent_pgpass: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: postgresql__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+postgresql__keyring__dependent_apt_keys:
+
+  - id: '{{ postgresql__upstream_key_id }}'
+    repo: '{{ postgresql__upstream_apt_repo }}'
+    state: '{{ "present" if postgresql__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+postgresql__python__dependent_packages3:
+
+  - 'python3-psycopg2'
+
+                                                                   # ]]]
+# .. envvar:: postgresql__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+postgresql__python__dependent_packages2:
+
+  - 'python-psycopg2'
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postgresql/meta/main.yml b/ansible_collections/debops/debops/roles/postgresql/meta/main.yml
new file mode 100644
index 00000000..1eb390f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage local or remote PostgreSQL roles and databases'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - 'postgresql'
+    - 'databases'
diff --git a/ansible_collections/debops/debops/roles/postgresql/tasks/main.yml b/ansible_collections/debops/debops/roles/postgresql/tasks/main.yml
new file mode 100644
index 00000000..fcdc0925
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/tasks/main.yml
@@ -0,0 +1,286 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Get default PostgreSQL version
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          apt-cache policy postgresql-client | grep -E '^\\s+Candidate:\\s+' | awk '{print $2}' | cut -d+ -f1"
+  args:
+    executable: 'bash'
+  register: postgresql__register_version
+  check_mode: False
+  changed_when: False
+
+- name: Set default PostgreSQL version variable
+  ansible.builtin.set_fact:
+    postgresql__version: '{{ (ansible_local.postgresql.version
+                              if (ansible_local.postgresql.version | d())
+                                 else (postgresql__preferred_version
+                                       if postgresql__preferred_version | d()
+                                       else postgresql__register_version.stdout)) }}'
+
+- name: Install PostgreSQL packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (postgresql__base_packages
+                              + postgresql__python_packages
+                              + postgresql__packages)) }}'
+    state: 'present'
+  register: postgresql__register_packages
+  until: postgresql__register_packages is succeeded
+
+- name: Check if database server is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'postgresql' | grep -v '^$'
+  args:
+    executable: 'bash'
+  register: postgresql__register_server
+  changed_when: False
+  check_mode: False
+  failed_when: False
+
+- name: Configure system-wide user to cluster mapping
+  ansible.builtin.template:
+    src: 'etc/postgresql-common/user_clusters.j2'
+    dest: '/etc/postgresql-common/user_clusters'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save PostgreSQL local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postgresql.fact.j2'
+    dest: '/etc/ansible/facts.d/postgresql.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Drop PostgreSQL roles if requested
+  community.postgresql.postgresql_user:
+    name: '{{ item.name | d(item.role) }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", postgresql__roles
+                           + postgresql_roles | d([])
+                           + postgresql__dependent_roles) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create PostgreSQL roles
+  community.postgresql.postgresql_user:
+    name: '{{ item.name | d(item.role) }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    password: '{{ item.password | d(lookup("password",
+                  secret + "/postgresql/" + postgresql__password_hostname +
+                  "/" + (item.port | d(postgresql__port)) +
+                  "/credentials/" + item.name | d(item.role) + "/password " +
+                  "length=" + postgresql__password_length + " chars=" + postgresql__password_characters)) }}'
+    encrypted: '{{ item.encrypted | d(True) }}'
+    expires: '{{ item.expires | d(omit) }}'
+    role_attr_flags: '{{ (item.flags | d() | join(",")) | d(omit) }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql__roles
+                           + postgresql_roles | d([])
+                           + postgresql__dependent_roles) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: item.state | d('present') == 'present'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Drop PostgreSQL databases if requested
+  community.postgresql.postgresql_db:
+    name: '{{ item.name | d(item.database) }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", postgresql__databases
+                           + postgresql_databases | d([])
+                           + postgresql__dependent_databases) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: item.state | d('present') == 'absent'
+
+- name: Create PostgreSQL databases
+  community.postgresql.postgresql_db:
+    name: '{{ item.name | d(item.database) }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    owner: '{{ item.owner | d(omit) }}'
+    template: '{{ item.template | d(omit) }}'
+    encoding: '{{ item.encoding | d(omit) }}'
+    lc_collate: '{{ item.lc_collate | d(omit) }}'
+    lc_ctype: '{{ item.lc_ctype | d(omit) }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql__databases
+                           + postgresql_databases | d([])
+                           + postgresql__dependent_databases) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: (item.state | d('present') == 'present') and
+        item.create_db | d(True)
+
+- name: Enable or disable specified database extensions
+  community.postgresql.postgresql_ext:
+    db: '{{ item.database }}'
+    name: '{{ item.extension }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", postgresql__extensions
+                           + postgresql__dependent_extensions) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: item.state | d('present') in ['present', 'absent']
+
+- name: Grant public schema permissions
+  community.postgresql.postgresql_privs:
+    roles: '{{ item.owner }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    type: '{{ item.type | d("schema") }}'
+    database: '{{ item.name | d(item.database) }}'
+    objs: '{{ item.objs | d("public") }}'
+    privs: '{{ item.public_privs | d(["ALL"]) | join(",") }}'
+    grant_option: '{{ item.grant_option | d("yes") }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql__databases
+                           + postgresql_databases | d([])
+                           + postgresql__dependent_databases) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: (item.state | d('present') == 'present') and
+        item.owner | d()
+
+- name: Grant PostgreSQL groups
+  community.postgresql.postgresql_privs:
+    roles: '{{ item.roles | join(",") }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    type: 'group'
+    database: '{{ item.database }}'
+    objs: '{{ item.groups | join(",") }}'
+    grant_option: '{{ item.grant_option | d(omit) }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql__groups
+                           + postgresql_groups | d([])
+                           + postgresql__dependent_groups) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: (item.state | d('present') == 'present') and
+        item.enabled | d(True) | bool
+
+- name: Grant database privileges to PostgreSQL roles
+  community.postgresql.postgresql_user:
+    name: '{{ item.name | d(item.role) }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    db: '{{ item.db }}'
+    priv: '{{ item.priv | join("/") }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql__roles
+                           + postgresql_roles | d([])
+                           + postgresql__dependent_roles) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: (item.state | d('present') == 'present') and
+        (item.db | d() and item.priv | d())
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Grant or revoke extra privileges
+  community.postgresql.postgresql_privs:
+    database: '{{ item.database }}'
+    port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
+    grant_option: '{{ item.grant_option | d(omit) }}'
+    objs: '{{ item.objs | join(",") }}'
+    privs: '{{ item.public_privs | d(["ALL"]) | join(",") }}'
+    roles: '{{ item.roles | join(",") }}'
+    schema: '{{ item.schema | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+    target_roles: '{{ item.target_roles | d(omit) }}'
+    type: '{{ item.type }}'
+  loop: '{{ q("flattened", postgresql__privileges
+                           + postgresql__dependent_privileges) }}'
+  become: True
+  become_user: '{{ postgresql__user }}'
+  delegate_to: '{{ postgresql__delegate_to }}'
+  when: (item.state | d('present') == 'present') and
+        item.enabled | d(True) | bool
+
+- name: Make sure required system groups exist
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.owner) }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  loop: '{{ q("flattened", postgresql__pgpass
+                           + postgresql_pgpass | d([])
+                           + postgresql__dependent_pgpass) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Make sure required system accounts exist
+  ansible.builtin.user:
+    name: '{{ item.owner }}'
+    group: '{{ item.group | d(item.owner) }}'
+    home: '{{ item.home | d(omit) }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  loop: '{{ q("flattened", postgresql__pgpass
+                           + postgresql_pgpass | d([])
+                           + postgresql__dependent_pgpass) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Populate ~/.pgpass file
+  ansible.builtin.lineinfile:
+    dest: '{{ "~" + item.owner }}/.pgpass'
+    regexp: '{{ "^" + ([((item.server | d(postgresql__server if postgresql__server else "localhost")) | replace(".", "\.")),
+                        (item.port | d(postgresql__port)),
+                        (item.database | d("\*")),
+                        (item.name | d(item.role | d(item.owner | d("\*"))))] | join(":")) + ":" }}'
+    line: '{{ [(item.server | d(postgresql__server if postgresql__server else "localhost")),
+               (item.port | d(postgresql__port)),
+               (item.database | d("*")),
+               (item.role | d(item.owner)),
+               (item.password | d(lookup("password",
+                                  secret + "/postgresql/" + (item.server | d(postgresql__password_hostname))
+                                  + "/" + (item.port | d(postgresql__port)) + "/credentials/"
+                                  + item.name | d(item.role | d(item.owner))
+                                  + "/password length=" + postgresql__password_length))
+                                 | regex_replace("\\", "\\\\") | regex_replace(":", "\:"))]
+              | join(":") }}'
+    state: 'present'
+    create: True
+    owner: '{{ item.owner }}'
+    group: '{{ item.owner }}'
+    mode: '0600'
+  loop: '{{ q("flattened", postgresql__pgpass
+                           + postgresql_pgpass | d([])
+                           + postgresql__dependent_pgpass) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/postgresql/templates/etc/ansible/facts.d/postgresql.fact.j2 b/ansible_collections/debops/debops/roles/postgresql/templates/etc/ansible/facts.d/postgresql.fact.j2
new file mode 100644
index 00000000..beddcbb2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/templates/etc/ansible/facts.d/postgresql.fact.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set postgresql__tpl_server = ansible_local.postgresql.server | d(postgresql__server) %}
+{% if (postgresql__register_server | d() and postgresql__register_server.stdout) %}
+{%   set postgresql__tpl_server = "localhost" %}
+{% endif %}
+{
+"delegate_to": "{{ ansible_local.postgresql.delegate_to | d(postgresql__delegate_to) }}",
+"password_chars": "{{ postgresql__password_characters }}",
+"port": "{{ ansible_local.postgresql.port | d(postgresql__port) }}",
+"server": "{{ postgresql__tpl_server }}",
+"user": "{{ ansible_local.postgresql.user | d(postgresql__user) }}",
+"version": "{{ ansible_local.postgresql.version | d(postgresql__version) }}"
+}
diff --git a/ansible_collections/debops/debops/roles/postgresql/templates/etc/postgresql-common/user_clusters.j2 b/ansible_collections/debops/debops/roles/postgresql/templates/etc/postgresql-common/user_clusters.j2
new file mode 100644
index 00000000..642fc354
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql/templates/etc/postgresql-common/user_clusters.j2
@@ -0,0 +1,73 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% macro print_user_clusters(postgresql__tpl_user_clusters_list) %}
+{% if postgresql__tpl_user_clusters_list | d() and postgresql__tpl_user_clusters_list %}
+{%   for entry in postgresql__tpl_user_clusters_list %}
+{%     set entry_tpl_user = [] %}
+{%     if entry.name | d() %}
+{%       if entry.name is string %}
+{%           set entry_tpl_user = [ entry.name ] %}
+{%       else %}
+{%         for element in entry.name %}
+{%           if element %}
+{%             set _ = entry_tpl_user.append(element) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     elif entry.user | d() %}
+{%       if entry.user is string %}
+{%           set entry_tpl_user = [ entry.user ] %}
+{%       else %}
+{%         for element in entry.user %}
+{%           if element %}
+{%             set _ = entry_tpl_user.append(element) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     set entry_tpl_group = [] %}
+{%     if entry.group | d() %}
+{%       if entry.group is string %}
+{%           set entry_tpl_group = [ entry.group ] %}
+{%       else %}
+{%         for element in entry.group %}
+{%           if element %}
+{%             set _ = entry_tpl_group.append(element) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     set entry_tpl_cluster = "main" %}
+{%     if entry.cluster | d() %}
+{%       set entry_tpl_cluster = entry.cluster %}
+{%     elif entry.host | d() and entry.port | d() %}
+{%       set entry_tpl_host = entry.host %}
+{%       set entry_tpl_port = entry.port %}
+{%       set entry_tpl_cluster = entry.host + ":" + entry_tpl_port %}
+{%     endif %}
+{%     set entry_tpl_database = entry.database | d("*") %}
+{%     if entry_tpl_user %}
+{%       for user_name in entry_tpl_user %}
+{%         if entry_tpl_group %}
+{%           for group_name in entry_tpl_group %}
+{{ "%-14s %-14s %-10s %-20s %s" | format(user_name, group_name, entry.version | d(postgresql__version), entry_tpl_cluster, entry_tpl_database) }}
+{%           endfor %}
+{%         else %}
+{{ "%-14s %-14s %-10s %-20s %s" | format(user_name, user_name, entry.version | d(postgresql__version), entry_tpl_cluster, entry_tpl_database) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+
+{%   endfor %}
+{% endif %}
+{% endmacro %}
+
+# USER         GROUP          VERSION    CLUSTER              DATABASE
+
+{% if postgresql__user_clusters | d() and postgresql__user_clusters %}
+{{ print_user_clusters(postgresql__user_clusters) }}{% endif %}
+{% if postgresql__default_user_clusters | d() and postgresql__default_user_clusters %}
+{{ print_user_clusters(postgresql__default_user_clusters) }}{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/COPYRIGHT b/ansible_collections/debops/debops/roles/postgresql_server/COPYRIGHT
new file mode 100644
index 00000000..c16ea667
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postgresql_server - Manage PostgreSQL server using Ansible
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/defaults/main.yml b/ansible_collections/debops/debops/roles/postgresql_server/defaults/main.yml
new file mode 100644
index 00000000..d873d2a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/defaults/main.yml
@@ -0,0 +1,700 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postgresql_server__ref_defaults:
+
+# debops.postgresql_server default variables
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# PostgreSQL installation, packages [[[
+# -------------------------------------
+
+# .. envvar:: postgresql_server__upstream [[[
+#
+# Enable PostgreSQL Global Development Group APT repository?
+# More information: https://wiki.postgresql.org/wiki/Apt
+postgresql_server__upstream: False
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__upstream_key_id [[[
+#
+# The GPG fingerprint of the upstream APT repository key.
+postgresql_server__upstream_key_id: 'B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__upstream_apt_repo [[[
+#
+# The upstream APT repository URL in the ``sources.list`` format.
+postgresql_server__upstream_apt_repo: 'deb http://apt.postgresql.org/pub/repos/apt {{ ansible_distribution_release }}-pgdg main'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__base_packages [[[
+#
+# List of base PostgreSQL packages to install.
+postgresql_server__base_packages: [ 'postgresql', 'postgresql-client',
+                                    'postgresql-contrib', 'pgtop' ]
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__python_packages [[[
+#
+# List of Python packages to install with PostgreSQL.
+postgresql_server__python_packages: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__packages [[[
+#
+# Install additional packages with PostgreSQL.
+postgresql_server__packages: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__preferred_version [[[
+#
+# Specify preferred version of the PostgreSQL packages to install. Only makes
+# sense when multiple PostgreSQL versions are available as APT packages, for
+# example when the upstream APT repository is enabled. See the
+# :ref:`postgresql_server__ref_preferred_version` for more details.
+postgresql_server__preferred_version: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__user [[[
+#
+# System user which manages PostgreSQL clusters.
+postgresql_server__user: 'postgres'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__group [[[
+#
+# System group which manages PostgreSQL clusters.
+postgresql_server__group: 'postgres'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__delegate_to [[[
+#
+# This is a counterpart variable to the one in :ref:`debops.postgresql` role, it
+# should point to the FQDN hostname of the server so that other role can
+# correctly delegate Ansible tasks.
+postgresql_server__delegate_to: '{{ inventory_hostname }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network connections, firewall [[[
+# ---------------------------------
+
+# .. envvar:: postgresql_server__listen_addresses [[[
+#
+# List of IP addresses on which PostgreSQL clusters will listen for TCP
+# connections by default.
+postgresql_server__listen_addresses: [ 'localhost' ]
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__allow [[[
+#
+# List of IP addresses or CIDR subnets that can connect to all PostgreSQL
+# clusters. If it's empty, remote connections are blocked, but individual
+# clusters can add their own firewall rules.
+postgresql_server__allow: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__max_connections [[[
+#
+# Default maximum number of connections to a PostgreSQL cluster.
+postgresql_server__max_connections: '100'
+                                                                   # ]]]
+                                                                   # ]]]
+# Database admin and trusted roles [[[
+# ------------------------------------
+
+# .. envvar:: postgresql_server__admins [[[
+#
+# List of local UNIX accounts which will be allowed to login to any database
+# as ``postgres`` role with peer authentication. The special ``*postgres*``
+# account name is replaced with username of the cluster system user.
+postgresql_server__admins: '{{ ["root", "*postgres*"] +
+                               ansible_local.core.admin_users | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__admin_password [[[
+#
+# The default password for the PostgreSQL admin account (not the ``postgres``
+# UNIX system account).
+postgresql_server__admin_password: "{{ lookup('password', secret + '/credentials/' +
+                                       inventory_hostname + '/postgresql/default/' +
+                                       postgresql_server__user + '/password length=' +
+                                       postgresql_server__password_length +
+                                       ' chars=' + postgresql_server__password_characters) }}"
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__password_length [[[
+#
+# Length of the autogenerated ``postgres`` password.
+postgresql_server__password_length: '64'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__password_characters [[[
+#
+# Characters allowed in the autogenerated ``postgres`` password.
+postgresql_server__password_characters: 'ascii_letters,digits,.-_~&()*='
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__trusted [[[
+#
+# List of local UNIX accounts that are implicitly trusted by PostgreSQL server
+# and can login to their own roles without password.
+postgresql_server__trusted: '{{ ansible_local.core.admin_users | d([]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Cluster configuration [[[
+# -------------------------
+
+# .. envvar:: postgresql_server__log_destination [[[
+#
+# Where to log system/error messages.
+# Options: ``stderr``, ``csvlog``, ``syslog``, and ``eventlog``.
+postgresql_server__log_destination: 'syslog'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__locale [[[
+#
+# Default localization settings. This locale will be used at cluster creation
+# to set default database encoding.
+postgresql_server__locale: 'en_US.UTF-8'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__locale_messages [[[
+#
+# Separate locale settings for server messages in PostgreSQL logs.
+postgresql_server__locale_messages: 'C'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__timezone [[[
+#
+# Timezone configured in PostgreSQL clusters.
+postgresql_server__timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__start_conf [[[
+#
+# Specify default startup behaviour for PostgreSQL clusters:
+#
+# - ``auto``: cluster will be started on boot
+#
+# - ``manual``: cluster will not be started on boot
+#
+postgresql_server__start_conf: 'auto'
+                                                                   # ]]]
+                                                                   # ]]]
+# Public Key Infrastructure configuration [[[
+# -------------------------------------------
+
+# .. envvar:: postgresql_server__pki [[[
+#
+# Enable or disable support for PKI infrastructure managed by :ref:`debops.pki`.
+postgresql_server__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_path [[[
+#
+# Base path of PKI infrastructure, managed by :ref:`debops.pki` role.
+postgresql_server__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_realm [[[
+#
+# PKI realm used by PostgreSQL role.
+postgresql_server__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_ca [[[
+#
+# Default Root CA certificate used by PostgreSQL clusters, relative to
+# :envvar:`postgresql_server__pki_realm` path.
+postgresql_server__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_crt [[[
+#
+# Certificate file used by PostgreSQL server, relative to
+# :envvar:`postgresql_server__pki_realm` path.
+postgresql_server__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_key [[[
+#
+# Private key used by PostgreSQL server, relative to
+# :envvar:`postgresql_server__pki_realm` path.
+postgresql_server__pki_key: 'default.key'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__pki_crl [[[
+#
+# Certificate Revocation List file used by PostgreSQL server, relative to
+# :envvar:`postgresql_server__pki_realm` path.
+postgresql_server__pki_crl: 'default.crl'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__ssl_ciphers [[[
+#
+# Default SSL ciphers enabled in PostgreSQL clusters.
+postgresql_server__ssl_ciphers: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global cluster resources [[[
+# ----------------------------
+
+# .. envvar:: postgresql_server__shmmax_limiter [[[
+#
+# Percentage of maximum shared memory segment to use for shared buffer
+# calculations.
+postgresql_server__shmmax_limiter: '0.8'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__shm_memory_limiter [[[
+#
+# Percentage of available RAM to use for shared buffer calculations, in case
+# that maximum shared buffers are not defined correctly.
+postgresql_server__shm_memory_limiter: '0.4'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__wal_level [[[
+#
+# Default Write Ahead Log level to use: ``minimal``, ``archive``,
+# ``hot_standby``. Modes other than ``minimal`` may require additional
+# configuration.
+postgresql_server__wal_level: 'minimal'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__archive_command [[[
+#
+# Command executed by ``postgres`` user when WAL mode is set to ``archive``.
+postgresql_server__archive_command: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Host Based Authentication configuration [[[
+# -------------------------------------------
+
+# Host-Based Authentication is used to filter and restrict local and remote
+# connections to the PostgreSQL databases. See :ref:`postgresql_server__ref_hba` for
+# more details.
+
+# .. envvar:: postgresql_server__hba_system [[[
+#
+# Host Based Authentication - system accounts.
+postgresql_server__hba_system:
+
+  - comment:  'Database superuser account, do not disable'
+    type:     'local'
+    database: 'all'
+    user:     '*postgres*'
+    method:   'peer'
+    options:  'map=system'
+
+  - comment:  'Block remote connections to admin account'
+    type:     'host'
+    database: 'all'
+    user:     '*postgres*'
+    address:  'all'
+    method:   'reject'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__hba_replication [[[
+#
+# Host Based Authentication - replication connections.
+postgresql_server__hba_replication:
+
+  - comment:  'Remote replication connections'
+    type:     'hostssl'
+    database: 'replication'
+    user:     'replication'
+    address:  'samenet'
+    method:   'md5'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__hba_public [[[
+#
+# Host Based Authentication - public connections to ``postgres`` database,
+# needed by some applications.
+postgresql_server__hba_public:
+
+  - comment:  'Allow public connections to postgres database'
+    type:     'local'
+    database: 'postgres'
+    user:     'all'
+    method:   'md5'
+
+  - comment:  'Allow public connections to postgres database'
+    type:     'hostssl'
+    database: 'postgres'
+    user:     'all'
+    address:  'samenet'
+    method:   'md5'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__hba_trusted [[[
+#
+# Host Based Authentication - trusted connections from ``localhost``.
+postgresql_server__hba_trusted:
+
+  - comment:  'Access through local UNIX socket'
+    type:     'local'
+    database: 'samerole'
+    user:     '@trusted'
+    method:   'peer'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__hba_local [[[
+#
+# Host Based Authentication - connections from ``localhost``.
+postgresql_server__hba_local:
+
+  - comment:  'Access through local UNIX socket with password'
+    type:     'local'
+    database: 'samerole'
+    user:     'all'
+    method:   'md5'
+
+  - comment:  'Access from localhost over IPv6'
+    type:     'host'
+    database: 'samerole'
+    user:     'all'
+    address:  '::1/128'
+    method:   'md5'
+
+  - comment:  'Access from localhost over IPv4'
+    type:     'host'
+    database: 'samerole'
+    user:     'all'
+    address:  '127.0.0.1/32'
+    method:   'md5'
+
+  - comment:  'Access from localhost'
+    type:     'host'
+    database: 'samerole'
+    user:     'all'
+    address:  'localhost'
+    method:   'md5'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__hba_remote [[[
+#
+# Host Based Authentication - remote connections.
+postgresql_server__hba_remote:
+
+  - comment:  'Remote connections from local networks'
+    type:     'hostssl'
+    database: 'samerole'
+    user:     'all'
+    address:  'samenet'
+    method:   'md5'
+                                                                   # ]]]
+                                                                   # ]]]
+# Ident map configuration [[[
+# ---------------------------
+
+# Ident map in :file:`pg_ident.conf` is used to map local UNIX accounts to
+# PostgreSQL roles. See :ref:`postgresql_server__ref_ident` for more details.
+
+# .. envvar:: postgresql_server__ident_system [[[
+#
+# UNIX account to PostgreSQL role mapping - 'system' map.
+postgresql_server__ident_system:
+
+  - map:  'system'
+    user: '{{ postgresql_server__admins }}'
+    role: '*postgres*'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__ident_trusted [[[
+#
+# UNIX account to PostgreSQL role mapping - 'trusted' map.
+postgresql_server__ident_trusted: []
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__ident_local [[[
+#
+# UNIX account to PostgreSQL role mapping - 'local' map.
+postgresql_server__ident_local: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PostgreSQL cluster configuration [[[
+# ------------------------------------
+
+# .. envvar:: postgresql_server__data_directory [[[
+#
+# the base directory for the postgresql create cluster
+postgresql_server__data_directory: '/var/lib/postgresql'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__log_directory [[[
+#
+# The absolute path of the custom PostgreSQL log directory located on the
+# server. You can use this variable to put the log files on a different
+# partition; if it's not specified, the default :file:`/var/log/postgresql/`
+# directory is used.
+postgresql_server__log_directory: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__clusters [[[
+#
+# List of PostgreSQL clusters to manage. Each entry should have at least a name
+# and a port on which to bind the cluster. You can also specify configuration
+# from :file:`postgresql.conf` as the cluster parameters.
+# See :ref:`postgresql_server__ref_clusters` for more details.
+postgresql_server__clusters: [ '{{ postgresql_server__cluster_main }}' ]
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__cluster_main [[[
+#
+# Configuration for default "main" cluster.
+postgresql_server__cluster_main:
+  name: 'main'
+  port: '5432'
+                                                                   # ]]]
+                                                                   # ]]]
+# AutoPostgreSQLBackup configuration [[[
+# --------------------------------------
+
+# .. envvar:: postgresql_server__autopostgresqlbackup [[[
+#
+# Global toggle to enable/disable support for local ``autopostgresqlbackup``
+# snapshots.
+postgresql_server__autopostgresqlbackup: '{{ False
+                                             if (ansible_distribution_release in ["bullseye"])
+                                             else True }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup [[[
+#
+# Enable or disable automatic daily snapshots in all clusters.
+postgresql_server__auto_backup: True
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_dir [[[
+#
+# Directory where automatic backups will be stored.
+postgresql_server__auto_backup_dir: '/var/lib/autopostgresqlbackup'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_pg_opts [[[
+#
+# Extra options to be passed to the psql command line when running backup.
+postgresql_server__auto_backup_pg_opts: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_pg_dump_opts [[[
+#
+# Extra options to be passed to the pg_dump command line when running backup.
+postgresql_server__auto_backup_pg_dump_opts: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_extension [[[
+#
+# Specify the file extension used by the backup files. Normal SQL dumps use
+# 'sql', pg_dump custom format uses 'pgdump'.
+postgresql_server__auto_backup_extension: 'sql'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_mail [[[
+#
+# Configure backup mail notification. Available options:
+#
+# - ``log``: send only the log file
+#
+# - ``files``: send the log file and sql files as attachments
+#
+# - ``stdout``: output the log to the screen if run manually
+#
+# - ``quiet``: only send logs if an error occurs
+#
+postgresql_server__auto_backup_mail: 'quiet'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_mail_size [[[
+#
+# The maximum allowed size of the e-mail, 4000 = about 5 MB.
+postgresql_server__auto_backup_mail_size: 4000
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_mail_to [[[
+#
+# Who should receive the backup mails?
+postgresql_server__auto_backup_mail_to: 'backup@{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_create_database [[[
+#
+# Include ``CREATE DATABASE`` in the backup?
+postgresql_server__auto_backup_create_database: True
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_isolate_databases [[[
+#
+# Use a separate backup directory and file for each database?
+postgresql_server__auto_backup_isolate_databases: True
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_weekly [[[
+#
+# Which day of the week do you want to perform weekly backups?
+# 1 = Monday , ... , 7 = Sunday.
+postgresql_server__auto_backup_weekly: '6'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_monthly [[[
+#
+# Which day of the month do you want to perform monthly backups?
+postgresql_server__auto_backup_monthly: '01'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_encryption [[[
+#
+# Should the dumps be encrypted?
+postgresql_server__auto_backup_encryption: False
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_encryption_key [[[
+#
+# Specify :command:`openssl` encryption key to use.
+postgresql_server__auto_backup_encryption_key: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_encryption_cipher [[[
+#
+# Specify :command:`openssl` encryption cipher.
+postgresql_server__auto_backup_encryption_cipher: 'aes256'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_encryption_suffix [[[
+#
+# Suffix appended to encrypted filenames.
+postgresql_server__auto_backup_encryption_suffix: '.enc'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_compression [[[
+#
+# Specify compression method to use for snapshots. The special value
+# ``pg_dump`` causes pg_dump to compress the backup internally without
+# writing an uncompress dump first and compressing it afterwards.
+postgresql_server__auto_backup_compression: 'gzip'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_pre_script [[[
+#
+# Path to the script which should be executed before snapshotting.
+postgresql_server__auto_backup_pre_script: ''
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_post_script [[[
+#
+# Path to the script which should be executed after snapshotting.
+postgresql_server__auto_backup_post_script: ''
+                                                                   # ]]]
+# .. envvar:: postgresql_server__auto_backup_permissions [[[
+#
+# The permissions for the backup files
+postgresql_server__auto_backup_permissions: '0600'
+                                                                   # ]]]
+                                                                   # ]]]
+# Role-dependent configuration [[[
+# --------------------------------
+
+# .. envvar:: postgresql_server__etc_services__dependent_list [[[
+#
+# Configuration for :ref:`debops.etc_services` role. It will set up custom
+# :file:`/etc/services` entries for additional PostgreSQL clusters.
+postgresql_server__etc_services__dependent_list:
+  name: 'postgresql'
+  custom: |
+    {% for item in postgresql_server__clusters %}
+    {% if item.port is defined and item.port != "5432" %}
+    postgresql-{{ (item.port | int - 5430) }}    {{ item.port }}/tcp
+    {% endif %}
+    {% endfor %}
+
+# ]]]
+# .. envvar:: postgresql_server__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+postgresql_server__keyring__dependent_apt_keys:
+
+  - id: '{{ postgresql_server__upstream_key_id }}'
+    repo: '{{ postgresql_server__upstream_apt_repo }}'
+    state: '{{ "present" if postgresql_server__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__locales__dependent_list [[[
+#
+# Configuration for the :ref:`debops.locales` Ansible role.
+postgresql_server__locales__dependent_list:
+  - name: '{{ postgresql_server__locale }}'
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__ferm__dependent_rules [[[
+#
+# Configuration for :command:`ferm` firewall. It should be added when
+# :ref:`debops.ferm` role is used to configure PostgreSQL firewall rules.
+postgresql_server__ferm__dependent_rules:
+  type: 'custom'
+  by_role: 'debops.postgresql_server'
+  name: 'postgresql_custom_rules'
+  weight_class: 'default'
+  rules: |
+    {% set postgresql_server__tpl_ports = [] %}
+    {% for cluster in postgresql_server__clusters %}
+    {% set _ = postgresql_server__tpl_ports.append(cluster.port) %}
+    {% endfor %}
+    {% if postgresql_server__tpl_ports | d() and postgresql_server__allow | d() %}
+    domain $domains table filter chain INPUT {
+        protocol tcp dport ({{ postgresql_server__tpl_ports | unique | join(" ") }}) {
+            @def $ITEMS = ( @ipfilter( ({{ postgresql_server__allow | unique | join(" ") }}) ) );
+            @if @ne($ITEMS,"") {
+                    saddr $ITEMS ACCEPT;
+            }
+        }
+    }
+
+    {% endif %}
+    {% for cluster in postgresql_server__clusters %}
+    {% if cluster.name | d() and cluster.port | d() and cluster.allow | d() %}
+    domain $domains table filter chain INPUT {
+        protocol tcp dport ({{ cluster.port }}) {
+            @def $ITEMS = ( @ipfilter( ({{ cluster.allow | unique | join(" ") }}) ) );
+            @if @ne($ITEMS,"") {
+                    saddr $ITEMS ACCEPT;
+            }
+        }
+    }
+    {% endif %}
+    {% endfor %}
+
+# ]]]
+# ]]]
+# Configuration for other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: postgresql_server__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+postgresql_server__python__dependent_packages3:
+
+  - 'python3-psycopg2'
+
+                                                                   # ]]]
+# .. envvar:: postgresql_server__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+postgresql_server__python__dependent_packages2:
+
+  - 'python-psycopg2'
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/meta/main.yml b/ansible_collections/debops/debops/roles/postgresql_server/meta/main.yml
new file mode 100644
index 00000000..289f6841
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage PostgreSQL Server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - postgresql
+    - databases
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/tasks/install_postgresql.yml b/ansible_collections/debops/debops/roles/postgresql_server/tasks/install_postgresql.yml
new file mode 100644
index 00000000..4966e832
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/tasks/install_postgresql.yml
@@ -0,0 +1,45 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if database server is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         dpkg-query -W -f='${Version}\n' 'postgresql' 'postgresql-{{ postgresql_server__version }}' | grep -v '^$'
+  args:
+    executable: 'bash'
+  register: postgresql_server__register_installed
+  changed_when: False
+  check_mode: False
+  failed_when: False
+
+- name: Install PostgreSQL packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (postgresql_server__base_packages
+                              + postgresql_server__python_packages
+                              + postgresql_server__packages
+                              + (["autopostgresqlbackup"]
+                                 if (postgresql_server__autopostgresqlbackup | d()) | bool
+                                 else []))) }}'
+    state: 'present'
+  register: postgresql_server__register_packages
+  until: postgresql_server__register_packages is succeeded
+
+- name: Check if default PostgreSQL cluster exists
+  ansible.builtin.stat:
+    path: '/var/lib/postgresql/{{ postgresql_server__version }}/main/postmaster.opts'
+  register: postgresql_server__register_installed_main
+
+  # Main cluster will be recreated later, with correct encoding
+- name: Remove default PostgreSQL cluster on first install
+  ansible.builtin.command: pg_dropcluster --stop {{ postgresql_server__version }} main
+  register: postgresql_server__register_dropcluster
+  changed_when: postgresql_server__register_dropcluster.changed | bool
+  when: ((postgresql_server__register_installed | d() and not postgresql_server__register_installed.stdout) and
+         (postgresql_server__register_installed_main | d() and postgresql_server__register_installed_main.stat.exists) and
+          (ansible_local is undefined or
+           (ansible_local | d() and ansible_local.postgresql is undefined or
+            (ansible_local | d() and ansible_local.postgresql | d() and
+             ansible_local.postgresql.server != 'localhost'))))
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/tasks/main.yml b/ansible_collections/debops/debops/roles/postgresql_server/tasks/main.yml
new file mode 100644
index 00000000..596cffc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,110 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Get default PostgreSQL version
+  environment:
+    LC_ALL: 'C'
+  ansible.builtin.shell: "set -o nounset -o pipefail -o errexit &&
+          apt-cache policy postgresql | grep -E '^\\s+Candidate:\\s+' | awk '{print $2}' | cut -d+ -f1"
+  args:
+    executable: 'bash'
+  register: postgresql_server__register_version
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::postgresql_server:packages', 'role::postgresql_server:config',
+          'role::postgresql_server:auto_backup' ]
+
+- name: Set default PostgreSQL version variable
+  ansible.builtin.set_fact:
+    postgresql_server__version: '{{ (ansible_local.postgresql.version
+                                     if (ansible_local.postgresql.version | d())
+                                     else (postgresql_server__preferred_version
+                                           if postgresql_server__preferred_version | d()
+                                           else postgresql_server__register_version.stdout)) }}'
+  tags: [ 'role::postgresql_server:packages', 'role::postgresql_server:config',
+          'role::postgresql_server:auto_backup' ]
+
+- name: Install PostgreSQL database service
+  ansible.builtin.include_tasks: install_postgresql.yml
+  tags: [ 'role::postgresql_server:packages' ]
+
+- name: Configure custom PostgreSQL data directory
+  ansible.builtin.lineinfile:
+    path: '/etc/postgresql-common/createcluster.conf'
+    regexp: '^data_directory\s+='
+    line: "data_directory = '{{ postgresql_server__data_directory }}/%v/%c'"
+    mode: '0644'
+  when: postgresql_server__data_directory != '/var/lib/postgresql'
+
+- name: Make sure that custom PostgreSQL data directory exists
+  ansible.builtin.file:
+    path: '{{ postgresql_server__data_directory }}'
+    state: 'directory'
+    owner: '{{ postgresql_server__user }}'
+    group: '{{ postgresql_server__group }}'
+    mode: '0750'
+  when: postgresql_server__data_directory != '/var/lib/postgresql'
+
+- name: Make sure that custom PostgreSQL Log directory exists
+  ansible.builtin.file:
+    path: '{{ postgresql_server__log_directory }}'
+    state: 'directory'
+    owner: '{{ postgresql_server__user }}'
+    group: '{{ postgresql_server__group }}'
+    mode: '0750'
+  when: postgresql_server__log_directory | d()
+
+- name: Count number of currently configured clusters
+  ansible.builtin.set_fact:
+    postgresql_server__fact_cluster_count: '{{ (postgresql_server__clusters | length | int) * 1 }}'
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Get current maximum shared memory value
+  ansible.builtin.command: cat /proc/sys/kernel/shmmax
+  register: postgresql_server__register_sysctl_shmmax
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Manage PostgreSQL clusters
+  ansible.builtin.include_tasks: manage_clusters.yml
+
+- name: Secure PostgreSQL installation
+  ansible.builtin.include_tasks: secure_installation.yml
+
+- name: Manage AutoPostgreSQLBackup script
+  ansible.builtin.include_tasks: manage_autopostgresqlbackup.yml
+  when: postgresql_server__autopostgresqlbackup | bool
+  tags: [ 'role::postgresql_server:auto_backup' ]
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save PostgreSQL local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postgresql.fact.j2'
+    dest: '/etc/ansible/facts.d/postgresql.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts', 'role::postgresql_server:config' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+  #tags: [ 'role::postgresql_server:config' ]
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_autopostgresqlbackup.yml b/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_autopostgresqlbackup.yml
new file mode 100644
index 00000000..ee26e2b4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_autopostgresqlbackup.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Divert the original autopostgresqlbackup script
+  debops.debops.dpkg_divert:
+    path: '/usr/sbin/autopostgresqlbackup'
+    divert: '/usr/share/doc/autopostgresqlbackup/script.dpkg-divert'
+
+- name: Divert the original autopostgresqlbackup cron job
+  debops.debops.dpkg_divert:
+    path: '/etc/cron.daily/autopostgresqlbackup'
+    divert: '/usr/share/doc/autopostgresqlbackup/cron.dpkg-divert'
+
+- name: Configure autopostgresqlbackup defaults
+  ansible.builtin.template:
+    src: 'etc/default/autopostgresqlbackup.j2'
+    dest: '/etc/default/autopostgresqlbackup-{{ item.version | d(postgresql_server__version) }}-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+
+- name: Configure autopostgresqlbackup
+  ansible.builtin.template:
+    src: 'usr/sbin/autopostgresqlbackup.j2'
+    dest: '/usr/sbin/autopostgresqlbackup-{{ item.version | d(postgresql_server__version) }}-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+
+- name: Disable autopostgresqlbackup from running daily
+  ansible.builtin.file:
+    path: '/etc/cron.daily/autopostgresqlbackup-{{ (item.version | d(postgresql_server__version))
+                                                   | replace(".", "_") }}-{{ item.name }}'
+    state: 'absent'
+  when: ((item.auto_backup | d() and not item.auto_backup | bool) or not postgresql_server__auto_backup | bool)
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+
+- name: Enable autopostgresqlbackup to run daily
+  ansible.builtin.template:
+    src: 'etc/cron.daily/autopostgresqlbackup.j2'
+    dest: '/etc/cron.daily/autopostgresqlbackup-{{ (item.version | d(postgresql_server__version))
+                                                   | replace(".", "_") }}-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: ((item.auto_backup is undefined or item.auto_backup | bool) and postgresql_server__auto_backup | bool)
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_clusters.yml b/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_clusters.yml
new file mode 100644
index 00000000..30923046
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/tasks/manage_clusters.yml
@@ -0,0 +1,254 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if shared memory support is available
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && mount | grep /dev/shm || true
+  args:
+    executable: 'bash'
+  register: postgresql_server__register_shm
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Create PostgreSQL clusters
+  environment:
+    LANG: '{{ item.locale | d(postgresql_server__locale) }}'
+    LC_ALL: '{{ item.locale | d(postgresql_server__locale) }}'
+  ansible.builtin.command: pg_createcluster --user={{ item.user | d(postgresql_server__user) }}
+           --group={{ item.group | d(postgresql_server__group) }}
+           --locale={{ item.locale | d(postgresql_server__locale) }}
+           --start-conf={{ item.start_conf | d(postgresql_server__start_conf) }}
+           --port={{ item.port }} {{ item.version | d(postgresql_server__version) }} {{ item.name }}
+  args:
+    creates: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/postgresql.conf'
+  register: postgresql_server__register_createcluster
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d() and item.port | d()
+
+- name: Remove data directory for PostgreSQL replication standby clusters
+  ansible.builtin.file:
+    path: '{{ item.item.data_directory | d(postgresql_server__data_directory + "/"
+                                           + (item.item.version | d(postgresql_server__version))
+                                           + "/" + item.item.name) }}'
+    state: absent
+  when:
+    - item.item.standby is defined
+    - item is changed  # noqa no-handler
+    - item is success
+  with_items: '{{ postgresql_server__register_createcluster.results }}'
+  loop_control:
+    label: '{{ item.item }}'
+
+- name: Synchronize data for PostgreSQL replication standby clusters
+  environment:
+    LANG: '{{ item.item.locale | d(postgresql_server__locale) }}'
+    LC_ALL: '{{ item.item.locale | d(postgresql_server__locale) }}'
+  ansible.builtin.command: >-
+    pg_basebackup
+    --pgdata={{ item.item.data_directory | d(postgresql_server__data_directory + "/"
+                                             + (item.item.version | d(postgresql_server__version))
+                                             + "/" + item.item.name) }}
+    --dbname="{{ item.item.standby.conninfo }}"
+    --write-recovery-conf
+    {% if item.item.standby.slot_name is defined %}
+    --slot={{ item.item.standby.slot_name }}
+    --create-slot
+    {% endif %}
+  become: True
+  become_user: '{{ item.user | d(postgresql_server__user) }}'
+  when:
+    - item.item.standby is defined
+    - item is changed  # noqa no-handler
+    - item is success
+  with_items: '{{ postgresql_server__register_createcluster.results }}'
+  loop_control:
+    label: '{{ item.item }}'
+  register: postgresql_server__register_basebackup
+  changed_when: postgresql_server__register_basebackup.changed | bool
+
+- name: Log directory path
+  ansible.builtin.file:
+    name: "{{ item.log_directory }}"
+    mode: '0750'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    state: directory
+    recurse: yes
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.log_directory | d() and item.log_directory is abs
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Ensure that conf.d directories exist
+  ansible.builtin.file:
+    path: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/conf.d'
+    state: 'directory'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0755'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL clusters
+  ansible.builtin.template:
+    src: 'etc/postgresql/postgresql.conf.j2'
+    dest: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/postgresql.conf'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_config
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL cluster environment
+  ansible.builtin.template:
+    src: 'etc/postgresql/environment.j2'
+    dest: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/environment'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_config_environment
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL user identification
+  ansible.builtin.template:
+    src: 'etc/postgresql/pg_ident.conf.j2'
+    dest: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/pg_ident.conf'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0640'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_config_ident
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL cluster host authentication
+  ansible.builtin.template:
+    src: 'etc/postgresql/pg_hba.conf.j2'
+    dest: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/pg_hba.conf'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0640'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_config_hba
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL cluster trusted local roles
+  ansible.builtin.template:
+    src: 'etc/postgresql/trusted.j2'
+    dest: '/etc/postgresql/{{ (item.version | d(postgresql_server__version)) + "/" + item.name + "/trusted" }}'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0640'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_trusted
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Configure PostgreSQL cluster start options
+  ansible.builtin.template:
+    src: 'etc/postgresql/start.conf.j2'
+    dest: '/etc/postgresql/{{ item.version | d(postgresql_server__version) }}/{{ item.name }}/start.conf'
+    owner: '{{ item.user | d(postgresql_server__user) }}'
+    group: '{{ item.group | d(postgresql_server__group) }}'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: item.name | d()
+  register: postgresql_server__register_config_start
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Symlink SSL root certificate
+  ansible.builtin.file:
+    src: '{{ item.pki_path | d(postgresql_server__pki_path) + "/" + item.pki_realm | d(postgresql_server__pki_realm)
+             + "/" + item.pki_ca | d(postgresql_server__pki_ca) }}'
+    dest: '{{ (item.data_directory | d(postgresql_server__data_directory
+                                       + (item.version | d(postgresql_server__version)) + "/" + item.name))
+              + "/root.crt" }}'
+    state: 'link'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: ((postgresql_server__pki | d() and postgresql_server__pki | bool) and
+         (item.name | d()) and
+         ((item.version | d() and item.version == '9.1') or
+          (postgresql_server__version | d() and postgresql_server__version == '9.1')))
+
+- name: Symlink SSL certificate
+  ansible.builtin.file:
+    src: '{{ item.pki_path | d(postgresql_server__pki_path) + "/" + item.pki_realm | d(postgresql_server__pki_realm)
+             + "/" + item.pki_crt | d(postgresql_server__pki_crt) }}'
+    dest: '{{ (item.data_directory | d(postgresql_server__data_directory
+                                       + (item.version | d(postgresql_server__version)) + "/" + item.name))
+              + "/server.crt" }}'
+    state: 'link'
+    mode: '0644'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: ((postgresql_server__pki | d() and postgresql_server__pki | bool) and
+         (item.name | d()) and
+         ((item.version | d() and item.version == '9.1') or
+          (postgresql_server__version | d() and postgresql_server__version == '9.1')))
+
+- name: Symlink SSL key
+  ansible.builtin.file:
+    src: '{{ item.pki_path | d(postgresql_server__pki_path) + "/" + item.pki_realm | d(postgresql_server__pki_realm)
+             + "/" + item.pki_key | d(postgresql_server__pki_key) }}'
+    dest: '{{ (item.data_directory | d(postgresql_server__data_directory
+                                       + (item.version | d(postgresql_server__version)) + "/" + item.name))
+              + "/server.key" }}'
+    state: 'link'
+    mode: '0640'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: ((postgresql_server__pki | d() and postgresql_server__pki | bool) and
+         (item.name | d()) and
+         ((item.version | d() and item.version == '9.1') or
+          (postgresql_server__version | d() and postgresql_server__version == '9.1')))
+
+- name: Start PostgreSQL clusters when not started
+  ansible.builtin.command: pg_ctlcluster {{ item.version | d(postgresql_server__version) }} {{ item.name }} start
+  args:
+    creates: '{{ item.external_pid_file | d("/var/run/postgresql/" + (item.version | d(postgresql_server__version))
+                                            + "-" + item.name + ".pid") }}'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: (ansible_service_mgr != 'systemd' and
+         ((item.name | d()) and
+          (item.start_conf is undefined or item.start_conf == 'auto')))
+
+- name: Start PostgreSQL clusters when not started (systemd)
+  ansible.builtin.service:
+    name: 'postgresql@{{ item.version | d(postgresql_server__version) }}-{{ item.name }}.service'
+    state: 'started'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  when: (ansible_service_mgr == 'systemd' and
+         ((item.name | d()) and
+          (item.start_conf is undefined or item.start_conf == 'auto')))
+
+- name: Reload PostgreSQL clusters when needed
+  ansible.builtin.command: 'pg_ctlcluster {{ item.item.version | d(postgresql_server__version) }} {{ item.item.name }} reload'  # noqa no-handler
+  loop: '{{ q("flattened", postgresql_server__register_config.results
+                           + postgresql_server__register_config_hba.results
+                           + postgresql_server__register_config_ident.results
+                           + postgresql_server__register_trusted.results) }}'
+  register: postgresql_server__register_pg_cluster_reload
+  changed_when: postgresql_server__register_pg_cluster_reload.changed | bool
+  when: (ansible_service_mgr != 'systemd' and
+         ((item is changed and
+          (item.item.start_conf is undefined or item.item.start_conf == 'auto'))))
+  tags: [ 'role::postgresql_server:config' ]
+
+- name: Reload PostgreSQL clusters when needed (systemd)
+  ansible.builtin.service:  # noqa no-handler
+    name: 'postgresql@{{ item.item.version | d(postgresql_server__version) }}-{{ item.item.name }}.service'
+    state: 'reloaded'
+  loop: '{{ q("flattened", postgresql_server__register_config.results
+                           + postgresql_server__register_config_hba.results
+                           + postgresql_server__register_config_ident.results
+                           + postgresql_server__register_trusted.results) }}'
+  when: (ansible_service_mgr == 'systemd' and
+         ((item is changed and
+          (item.item.start_conf is undefined or item.item.start_conf == 'auto'))))
+  tags: [ 'role::postgresql_server:config' ]
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/tasks/secure_installation.yml b/ansible_collections/debops/debops/roles/postgresql_server/tasks/secure_installation.yml
new file mode 100644
index 00000000..4a4df8f9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/tasks/secure_installation.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update default admin password
+  community.postgresql.postgresql_user:
+    name: '{{ item.user | d(postgresql_server__user) }}'
+    password: '{{ item.admin_password | d(postgresql_server__admin_password) }}'
+    encrypted: True
+    port: '{{ item.port }}'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  become: True
+  become_user: '{{ item.user | d(postgresql_server__user) }}'
+  when:
+    - item.name | d()
+    - item.standby is not defined
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Grant connect on postgres to PUBLIC
+  community.postgresql.postgresql_privs:
+    database: 'postgres'
+    port: '{{ item.port }}'
+    role: 'PUBLIC'
+    type: 'database'
+    privs: 'CONNECT'
+    state: 'present'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  become: True
+  become_user: '{{ item.user | d(postgresql_server__user) }}'
+  when:
+    - item.name | d()
+    - item.standby is not defined
+  changed_when: False  # Module always reports "changed" for PUBLIC role
+
+- name: Revoke temporary on postgres from PUBLIC
+  community.postgresql.postgresql_privs:
+    database: 'postgres'
+    port: '{{ item.port }}'
+    role: 'PUBLIC'
+    type: 'database'
+    privs: 'TEMPORARY'
+    state: 'absent'
+  loop: '{{ q("flattened", postgresql_server__clusters) }}'
+  become: True
+  become_user: '{{ item.user | d(postgresql_server__user) }}'
+  when:
+    - item.name | d()
+    - item.standby is not defined
+  changed_when: False  # Module always reports "changed" for PUBLIC role
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/ansible/facts.d/postgresql.fact.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/ansible/facts.d/postgresql.fact.j2
new file mode 100644
index 00000000..75261336
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/ansible/facts.d/postgresql.fact.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{
+"delegate_to": "{{ ansible_local.postgresql.delegate_to | d(postgresql_server__delegate_to) }}",
+"password_chars": "{{ postgresql_server__password_characters }}",
+"port": "{{ ansible_local.postgresql.port | d("5432") }}",
+"server": "{{ ansible_local.postgresql.server | d("localhost") }}",
+"user": "{{ ansible_local.postgresql.user | d(postgresql_server__user) }}",
+"version": "{{ ansible_local.postgresql.version | d(postgresql_server__version) }}"
+}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/cron.daily/autopostgresqlbackup.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/cron.daily/autopostgresqlbackup.j2
new file mode 100644
index 00000000..1f5eb006
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/cron.daily/autopostgresqlbackup.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+VERSION="{{ item.version | d(postgresql_server__version) }}"
+NAME="{{ item.name }}"
+
+if [ -r "/etc/postgresql/${VERSION}/${NAME}/postgresql.conf" ] \
+   && [ -x "/usr/sbin/autopostgresqlbackup-${VERSION}-${NAME}" ]; then
+        "/usr/sbin/autopostgresqlbackup-${VERSION}-${NAME}"
+fi
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/default/autopostgresqlbackup.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/default/autopostgresqlbackup.j2
new file mode 100644
index 00000000..d0575d54
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/default/autopostgresqlbackup.j2
@@ -0,0 +1,118 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#=====================================================================
+# Set the following variables to your system needs
+# (Detailed instructions below variables)
+#=====================================================================
+
+# By default, on Debian systems, only 'postgres' user
+# is allowed to access PostgreSQL databases without password.
+# In order to dump databases we need to run pg_dump/psql
+# commands as 'postgres' with su.
+#
+# The following setting has been added to workraound this issue.
+# (if it is set to empty, 'su' usage will be disabled)
+SU_USERNAME="{{ item.user | d(postgresql_server__user) }}"
+
+# Username to access the PostgreSQL server e.g. dbuser
+USERNAME="{{ item.user | d(postgresql_server__user) }}"
+
+# Host name (or IP address) of PostgreSQL server e.g localhost
+DBHOST="localhost"
+
+# List of DBNAMES for Daily/Weekly Backup e.g. "DB1 DB2 DB3".
+DBNAMES="all"
+
+# Backup directory location e.g /backups
+BACKUPDIR="{{ item.auto_backup_dir | d(postgresql_server__auto_backup_dir) }}/$DBCLUSTER"
+
+# Permissions for the dump file
+BACKUPPERM="{{ item.backup_permissions | d(postgresql_server__auto_backup_permissions) }}"
+
+# Mail setup
+# What would you like to be mailed to you?
+# - log   : send only log file
+# - files : send log file and sql files as attachments (see docs)
+# - stdout : will simply output the log to the screen if run manually.
+# - quiet : Only send logs if an error occurs to the MAILADDR.
+MAILCONTENT="{{ item.auto_backup_mail | d(postgresql_server__auto_backup_mail) }}"
+
+# Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs])
+MAXATTSIZE="{{ item.auto_backup_mail_size | d(postgresql_server__auto_backup_mail_size) }}"
+
+# Email Address to send mail to? (user@domain.com)
+MAILADDR="{{ item.auto_backup_mail_to | d(postgresql_server__auto_backup_mail_to) }}"
+
+# ============================================================
+# === ADVANCED OPTIONS ( Read the doc's below for details )===
+#=============================================================
+
+# List of DBBNAMES for Monthly Backups.
+MDBNAMES="template1 all"
+
+# List of DBNAMES to EXCLUDE if DBNAMES are set to all (must be in "" quotes).
+DBEXCLUDE=""
+
+# Include CREATE DATABASE in backup?
+CREATE_DATABASE={{ "yes" if ((item.auto_backup_create_database | d(postgresql_server__auto_backup_create_database)) | bool) else "no" }}
+
+# Separate backup directory and file for each DB? (yes or no)
+SEPDIR={{ "yes" if ((item.auto_backup_isolate_databases | d(postgresql_server__auto_backup_isolate_databases)) | bool) else "no" }}
+
+# Which day do you want weekly backups? (1 to 7 where 1 is Monday)
+DOWEEKLY={{ item.auto_backup_weekly | d(postgresql_server__auto_backup_weekly) }}
+
+# Which day do you want monthly backups?
+DOMONTHLY={{ item.auto_backup_monthly | d(postgresql_server__auto_backup_monthly) }}
+
+{% set auto_backup_compression = item.auto_backup_compression
+                                 | d(postgresql_server__auto_backup_compression) %}
+# Choose Compression type. (gzip or bzip2)
+COMP="{{ auto_backup_compression }}"
+
+# Compress backup on the fly with pg_dump (instead of afterwards with gzip or bzip2)
+# set compression level from 0 to 9 (0 means no compression)
+COMMCOMP={{ item.auto_backup_compression_level
+            | default((auto_backup_compression == "pg_dump") | ternary(6,0)) }}
+
+# Additionally keep a copy of the most recent backup in a separate directory.
+LATEST=no
+
+# Backup files extension
+EXT="{{ item.auto_backup_extension | d(postgresql_server__auto_backup_extension) }}"
+
+# Encyrption settings
+# (inspired by http://blog.altudov.com/2010/09/27/using-openssl-for-asymmetric-encryption-of-backups/)
+#
+# Once the backup done, each SQL dump will be encrypted and the original file
+# will be deleted (if encryption was successful).
+# It is recommended to backup into a staging directory, and then use the
+# POSTBACKUP script to sync the encrypted files to the desired location.
+#
+# Encryption uses private/public keys. You can generate the key pairs like the following:
+# openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout backup.key -out backup.crt -subj '/'
+#
+# Decryption:
+# openssl smime -decrypt -in backup.sql.gz.enc -binary -inform DEM -inkey backup.key -out backup.sql.gz
+
+# Enable encryption
+ENCRYPTION={{ "yes" if ((item.auto_backup_encryption | d(postgresql_server__auto_backup_encryption)) | bool) else "no" }}
+
+# Encryption public key
+ENCRYPTION_PUBLIC_KEY="{{ item.auto_backup_encryption_key | d(postgresql_server__auto_backup_encryption_key) }}"
+
+# Encryption Cipher (see enc manpage)
+ENCRYPTION_CIPHER="{{ item.auto_backup_encryption_cipher | d(postgresql_server__auto_backup_encryption_cipher) }}"
+
+# Suffix for encyrpted files
+ENCRYPTION_SUFFIX="{{ item.auto_backup_encryption_suffix | d(postgresql_server__auto_backup_encryption_suffix) }}"
+
+# Command to run before backups
+PREBACKUP="{{ item.auto_backup_pre_script | d(postgresql_server__auto_backup_pre_script) }}"
+
+# Command to run after backups
+POSTBACKUP="{{ item.auto_backup_post_script | d(postgresql_server__auto_backup_post_script) }}"
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/environment.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/environment.j2
new file mode 100644
index 00000000..592faee8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/environment.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# environment variables for postmaster process
+# This file has the same syntax as postgresql.conf:
+#  VARIABLE = simple_value
+#  VARIABLE2 = 'any value!'
+# I. e. you need to enclose any value which does not only consist of letters,
+# numbers, and '-', '_', '.' in single quotes. Shell commands are not
+# evaluated.
+
+{% if item.environment is defined and item.environment %}
+{% for key, value in item.environment.items() %}
+{{ key }} = '{{ value }}'
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_hba.conf.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_hba.conf.j2
new file mode 100644
index 00000000..3e789b10
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_hba.conf.j2
@@ -0,0 +1,131 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% macro print_hba(postgresql_server__tpl_hba_list) %}
+{% if postgresql_server__tpl_hba_list | d() and postgresql_server__tpl_hba_list %}
+{%   for entry in postgresql_server__tpl_hba_list %}
+{%     set entry_tpl_skip = False %}
+{%     set entry_tpl_database = [] %}
+{%     if entry.database is string %}
+{%       set entry_tpl_database = [ entry.database ] %}
+{%     else %}
+{%       set entry_tpl_database = entry.database %}
+{%     endif %}
+{%     set entry_tpl_user = [] %}
+{%     if entry.user is string %}
+{%       if entry.user == '*postgres*' %}
+{%         set entry_tpl_user = [ item.user | d(postgresql_server__user) ] %}
+{%       else %}
+{%         set entry_tpl_user = [ entry.user ] %}
+{%       endif %}
+{%     else %}
+{%       for element in entry.user %}
+{%         if element == '*postgres*' %}
+{%           set _ = entry_tpl_user.append(item.user | d(postgresql_server__user)) %}
+{%         else %}
+{%           set _ = entry_tpl_user.append(element) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     set entry_tpl_address = [] %}
+{%     if entry.type not in [ 'local' ] %}
+{%       if entry.address | d() and entry.address %}
+{%         if entry.address is string %}
+{%           set entry_tpl_address = [ entry.address ] %}
+{%         else %}
+{%           set entry_tpl_address = entry.address %}
+{%         endif %}
+{%       elif entry.hosts | d() and entry.hosts %}
+{%         if entry.hosts is string %}
+{%           set entry_tpl_hosts = [ entry.hosts ] %}
+{%         else %}
+{%           set entry_tpl_hosts = entry.hosts %}
+{%         endif %}
+{%         for host in entry_tpl_hosts %}
+{%           if host != inventory_hostname and hostvars[host] | d() and hostvars[host].ansible_all_ipv4_addresses | d() %}
+{%             set element_tpl_address = [] %}
+{%             set element_tpl_address4 = hostvars[host].ansible_all_ipv4_addresses | d([]) %}
+{%             if element_tpl_address4 %}
+{%               for part in element_tpl_address4 %}
+{%                 set _ = element_tpl_address.append(part | ansible.utils.ipaddr('cidr')) %}
+{%               endfor %}
+{%             endif %}
+{%             if hostvars[host].ansible_all_ipv6_addresses | d() %}
+{%               set element_tpl_address6 = (hostvars[host].ansible_all_ipv6_addresses | difference(hostvars[host].ansible_all_ipv6_addresses | ansible.utils.ipaddr('link-local'))) %}
+{%               if element_tpl_address6 %}
+{%                 for part in element_tpl_address6 %}
+{%                   set _ = element_tpl_address.append(part | ansible.utils.ipaddr('cidr')) %}
+{%                 endfor %}
+{%               endif %}
+{%             endif %}
+{%             for part in element_tpl_address %}
+{%               set _ = entry_tpl_address.append(part) %}
+{%             endfor %}
+{%           elif host == inventory_hostname %}
+{%             set _ = entry_tpl_address.append('localhost') %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     set entry_tpl_options = [] %}
+{%     if entry.options | d() and entry.options %}
+{%       if entry.options is string %}
+{%         set entry_tpl_options = [ entry.options ] %}
+{%       else %}
+{%         set entry_tpl_options = entry.options %}
+{%       endif %}
+{%     endif %}
+{%     if ((entry_tpl_address and entry.type not in [ 'local' ]) and (entry.state is undefined or entry.state not in [ 'absent' ])) %}
+{%       if entry.comment | d() and entry.comment %}
+# {{ entry.comment }}
+{%       endif %}
+{%       if (entry.type in [ 'hostssl' ] and (item.ssl is undefined or not item.ssl) and not postgresql_server__pki | bool) %}
+# SSL not available, hostssl entry disabled
+{%       else %}
+{%         for address in entry_tpl_address %}
+{{ "%-10s %-15s %-15s %-28s %s%s" | format(entry.type, entry_tpl_database | join(","), entry_tpl_user | join(","), address, entry.method, ((" " + entry_tpl_options | join(" ")) if entry_tpl_options else "")) }}
+{%         endfor %}
+{%       endif %}
+{%     elif entry.type in [ 'local' ] and (entry.state is undefined or entry.state not in [ 'absent' ]) %}
+{%       if entry.comment | d() and entry.comment %}
+# {{ entry.comment }}
+{%       endif %}
+{{ "%-10s %-15s %-15s %-28s %s%s" | format(entry.type, entry_tpl_database | join(","), entry_tpl_user | join(","), "", entry.method, ((" " + entry_tpl_options | join(" ")) if entry_tpl_options else "")) }}
+{%     elif not entry_tpl_skip and (entry.state is undefined or entry.state not in [ 'absent' ]) %}
+# Error in HBA entry: {{ entry | to_json }}
+{%     endif %}
+
+{%   endfor %}
+{% endif %}
+{% endmacro %}
+
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+
+# TYPE	   DATABASE        USER            ADDRESS                      METHOD
+
+{% if postgresql_server__hba_system | d() and postgresql_server__hba_system %}
+{{ print_hba(postgresql_server__hba_system) }}{% endif %}
+{% if ((postgresql_server__hba_replication | d() and postgresql_server__hba_replication) and
+       (item.hba_replication is undefined or item.hba_replication)) %}
+{{ print_hba(item.hba_replication | d(postgresql_server__hba_replication)) }}{% endif %}
+{% if ((postgresql_server__hba_public | d() and postgresql_server__hba_public) and
+       (item.hba_public is undefined or item.hba_public)) %}
+{{ print_hba(item.hba_public | d(postgresql_server__hba_public)) }}{% endif %}
+{% if ((postgresql_server__trusted | d() and postgresql_server__trusted) and
+       (item.trusted is undefined or item.trusted)) %}
+{% if ((postgresql_server__hba_trusted | d() and postgresql_server__hba_trusted) and
+       (item.hba_trusted is undefined or item.hba_trusted)) %}
+{{ print_hba(item.hba_trusted | d(postgresql_server__hba_trusted)) }}{% endif %}
+{% endif %}
+{% if ((postgresql_server__hba_local | d() and postgresql_server__hba_local) and
+       (item.hba_local is undefined or item.hba_local)) %}
+{{ print_hba(item.hba_local | d(postgresql_server__hba_local)) }}{% endif %}
+{% if ((postgresql_server__hba_remote | d() and postgresql_server__hba_remote) and
+       (item.hba_remote is undefined or item.hba_remote)) %}
+{{ print_hba(item.hba_remote | d(postgresql_server__hba_remote)) }}{% endif %}
+{% if (item.hba | d() and item.hba) %}
+{{ print_hba(item.hba) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_ident.conf.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_ident.conf.j2
new file mode 100644
index 00000000..7b613bd1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/pg_ident.conf.j2
@@ -0,0 +1,80 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% macro print_ident(postgresql_server__tpl_ident_list) %}
+{% if postgresql_server__tpl_ident_list | d() and postgresql_server__tpl_ident_list %}
+{%   for entry in postgresql_server__tpl_ident_list %}
+{%     set entry_tpl_user = [] %}
+{%     if entry.user %}
+{%       if entry.user is string %}
+{%         if entry.user == '*postgres*' %}
+{%           set entry_tpl_user = [ item.user | d(postgresql_server__user) ] %}
+{%         else %}
+{%           set entry_tpl_user = [ entry.user ] %}
+{%         endif %}
+{%       else %}
+{%         for element in entry.user %}
+{%           if element %}
+{%             if element == '*postgres*' %}
+{%               set _ = entry_tpl_user.append(item.user | d(postgresql_server__user)) %}
+{%             else %}
+{%               set _ = entry_tpl_user.append(element) %}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     set entry_tpl_role = [] %}
+{%     if entry.role | d() %}
+{%       if entry.role is string %}
+{%         if entry.role == '*postgres*' %}
+{%           set entry_tpl_role = [ item.user | d(postgresql_server__user) ] %}
+{%         else %}
+{%           set entry_tpl_role = [ entry.role ] %}
+{%         endif %}
+{%       else %}
+{%         for element in entry.role %}
+{%           if element %}
+{%             if element == '*postgres*' %}
+{%               set _ = entry_tpl_role.append(item.user | d(postgresql_server__user)) %}
+{%             else %}
+{%               set _ = entry_tpl_role.append(element) %}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     if entry_tpl_user %}
+{%       for user_name in entry_tpl_user %}
+{%         if entry_tpl_role %}
+{%           for role_name in entry_tpl_role %}
+{{ "%-16s %-24s %s" | format(entry.map, user_name, role_name) }}
+{%           endfor %}
+{%         else %}
+{{ "%-16s %-24s %s" | format(entry.map, user_name, user_name) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+
+{%   endfor %}
+{% endif %}
+{% endmacro %}
+
+# PostgreSQL User Name Maps
+# =========================
+
+# MAPNAME        SYSTEM-USERNAME          PG-USERNAME
+
+{% if postgresql_server__ident_system | d() and postgresql_server__ident_system %}
+{{ print_ident(postgresql_server__ident_system) }}{% endif %}
+{% if ((postgresql_server__ident_trusted | d() and postgresql_server__ident_trusted) and
+       (item.ident_trusted is undefined or item.ident_trusted)) %}
+{{ print_ident(item.ident_trusted | d(postgresql_server__ident_trusted)) }}{% endif %}
+{% if ((postgresql_server__ident_local | d() and postgresql_server__ident_local) and
+       (item.ident_local is undefined or item.ident_local)) %}
+{{ print_ident(item.ident_local | d(postgresql_server__ident_local)) }}{% endif %}
+{% if (item.ident | d() and item.ident) %}
+{{ print_ident(item.ident) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/postgresql.conf.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/postgresql.conf.j2
new file mode 100644
index 00000000..d5651c04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/postgresql.conf.j2
@@ -0,0 +1,531 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#------------------------------------------------------------------------------
+# PostgreSQL {{ item.version | d(postgresql_server__version) + '/' + item.name }} configuration file
+#------------------------------------------------------------------------------
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+data_directory = '{{ item.data_directory | d(postgresql_server__data_directory + "/" + item.version | d(postgresql_server__version) + "/" + item.name) }}'
+hba_file = '{{ item.hba_file | d("/etc/postgresql/" + item.version | d(postgresql_server__version) + "/" + item.name + "/pg_hba.conf") }}'
+ident_file = '{{ item.ident_file | d("/etc/postgresql/" + item.version | d(postgresql_server__version) + "/" + item.name + "/pg_ident.conf") }}'
+external_pid_file = '{{ item.external_pid_file | d("/var/run/postgresql/" + item.version | d(postgresql_server__version) + "-" + item.name + ".pid") }}'
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = '{{ item.listen_addresses | d(postgresql_server__listen_addresses) | join(",") }}'
+port = {{ item.port }}
+max_connections = {{ item.max_connections | d(postgresql_server__max_connections) }}
+superuser_reserved_connections = {{ item.superuser_reserved_connections | d('3') }}
+
+{% if ((item.version | d(postgresql_server__version)) is version_compare('9.1','<=')) %}
+unix_socket_directory = '{{ item.unix_socket_directories | d("/var/run/postgresql") }}'
+{% else %}
+unix_socket_directories = '{{ item.unix_socket_directories | d("/var/run/postgresql") }}'
+{% endif %}
+unix_socket_group = '{{ item.unix_socket_group | d("") }}'
+unix_socket_permissions = {{ item.unix_socnet_permissions | d('0777') }}
+
+bonjour = {{ item.bonjour | d('off') }}
+bonjour_name = '{{ item.bonjour_name | d("") }}'
+
+
+# - Security and Authentication -
+
+authentication_timeout = {{ item.authentication_timeout | d('1min') }}
+
+ssl = {{ item.ssl | d(postgresql_server__pki | bool | lower) }}
+
+{% if (item.version | d(postgresql_server__version)) is version_compare('8.2','>') %}
+{# https://www.postgresql.org/docs/current/static/release-8-3.html #}
+ssl_ciphers = '{{ item.ssl_ciphers | d(postgresql_server__ssl_ciphers) }}'
+
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.5','<') %}
+{# https://www.postgresql.org/docs/current/static/release-9-5.html #}
+ssl_renegotiation_limit = {{ item.ssl_renegotiation_limit | d('512MB') }}
+{% endif %}
+{% endif %}
+
+{% if ((item.version | d(postgresql_server__version)) is version_compare('9.1','>')) %}
+{# ref: https://www.postgresql.org/docs/current/static/release-9-2.html #}
+ssl_cert_file = '{{ item.ssl_cert_file | d(((item.pki_path | d(postgresql_server__pki_path)) + "/" + (item.pki_realm | d(postgresql_server__pki_realm)) + "/" + (item.pki_crt | d(postgresql_server__pki_crt))) if (postgresql_server__pki | d() and postgresql_server__pki | bool) else "") }}'
+ssl_key_file = '{{ item.ssl_key_file | d(((item.pki_path | d(postgresql_server__pki_path)) + "/" + (item.pki_realm | d(postgresql_server__pki_realm)) + "/" + (item.pki_key | d(postgresql_server__pki_key))) if (postgresql_server__pki | d() and postgresql_server__pki | bool) else "") }}'
+ssl_ca_file = '{{ item.ssl_ca_file | d(((item.pki_path | d(postgresql_server__pki_path)) + "/" + (item.pki_realm | d(postgresql_server__pki_realm)) + "/" + (item.pki_ca | d(postgresql_server__pki_ca))) if (postgresql_server__pki | d() and postgresql_server__pki | bool) else "") }}'
+#ssl_crl_file = ''
+{% endif %}
+
+{% if ((item.version | d(postgresql_server__version)) is version_compare('9.3','>')) %}
+{# https://www.postgresql.org/docs/current/static/release-9-4.html #}
+ssl_prefer_server_ciphers = {{ item.ssl_prefer_server_ciphers | d('on') }}
+ssl_ecdh_curve = {{ item.ssl_ecdh_curve | d('prime256v1') }}
+{% endif %}
+
+{% if (item.version | d(postgresql_server__version)) is version_compare('14','>=') %}
+password_encryption = {{ item.password_encryption | d('scram-sha-256') }}
+{% else %}
+password_encryption = {{ item.password_encryption | d('on') }}
+{% endif %}
+db_user_namespace = {{ item.db_user_namespace | d('off') }}
+
+
+# - Kerberos and GSSAPI -
+
+krb_server_keyfile = '{{ item.krb_server_keyfile | d("") }}'
+# does not seem to work correctly, comment it out in the ansible template
+#krb_srvname = '{{ item.krb_srvname | d(item.name) }}'
+krb_caseins_users = {{ item.krb_caseins_users | d('off') }}
+
+
+# - TCP Keepalives -
+
+tcp_keepalives_idle = {{ item.tcp_keepalives_idle | d('0') }}
+tcp_keepalives_interval = {{ item.tcp_keepalives_interval | d('0') }}
+tcp_keepalives_count = {{ item.tcp_keepalives_count | d('0') }}
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+{% if item.max_connections is defined and item.max_connections %}
+{%   set postgresql_server__tpl_max_connections = item.max_connections | int %}
+{% else %}
+{%   set postgresql_server__tpl_max_connections = postgresql_server__max_connections | int %}
+{% endif %}
+{% if (postgresql_server__register_sysctl_shmmax.stdout | int >= (ansible_memtotal_mb | int * 1024 * 1024)) %}
+{%   set postgresql_server__tpl_shmmax = ((ansible_memtotal_mb | int * 1024 * 1024) * postgresql_server__shm_memory_limiter | float) | round | int %}
+{% else %}
+{%   set postgresql_server__tpl_shmmax = postgresql_server__register_sysctl_shmmax.stdout %}
+{% endif %}
+{% if not item.shared_buffers | d() %}
+# (( {{ (postgresql_server__tpl_shmmax | int / 1024 / 1024) | round | int }} MB of maximum shared buffer size * {{ postgresql_server__shmmax_limiter }} ) - ( 16 kB * {{ postgresql_server__tpl_max_connections }} max connections )) / {{ postgresql_server__fact_cluster_count }} cluster(s)
+{% endif %}
+shared_buffers = {{ item.shared_buffers | d((((((postgresql_server__tpl_shmmax | int * postgresql_server__shmmax_limiter | float) | round | int - (16384 * postgresql_server__tpl_max_connections | int)) / postgresql_server__fact_cluster_count | int) / 1024 / 1024)) | round | int | string + 'MB') }}
+temp_buffers = {{ item.temp_buffers | d('8MB') }}
+max_prepared_transactions = {{ item.max_prepared_transactions | d('0') }}
+work_mem = {{ item.work_mem | d('1MB') }}
+maintenance_work_mem = {{ item.maintenance_work_mem | d('16MB') }}
+max_stack_depth = {{ item.max_stack_depth | d('2MB') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.4','>=') %}
+huge_pages = {{ item.huge_pages | d('try') }}
+autovacuum_work_mem = {{ item.autovacuum_work_mem | d('-1') }}
+{% endif %}
+
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.3','>') %}
+{% if postgresql_server__register_shm | d() and postgresql_server__register_shm.stdout %}
+dynamic_shared_memory_type = {{ item.dynamic_shared_memory_type | d('posix') }}
+{% else %}
+dynamic_shared_memory_type = {{ item.dynamic_shared_memory_type | d('sysv') }}
+{% endif %}
+{% endif %}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+
+# - Disk -
+
+temp_file_limit = {{ item.temp_file_limit | d('-1') }}
+{% endif %}
+
+# - Kernel Resource Usage -
+
+max_files_per_process = {{ item.max_files_per_process | d('1000') }}
+shared_preload_libraries = '{{ item.shared_preload_libraries | d("") }}'
+
+
+# - Cost-Based Vacuum Delay -
+
+vacuum_cost_delay = {{ item.vacuum_cost_delay | d('0ms') }}
+vacuum_cost_page_hit = {{ item.vacuum_cost_page_hit | d('1') }}
+vacuum_cost_page_miss = {{ item.vcuum_cost_page_miss | d('10') }}
+vacuum_cost_page_dirty = {{ item.vacuum_cost_page_dirty | d('20') }}
+vacuum_cost_limit = {{ item.vacuum_cost_limit | d('200') }}
+
+
+# - Background Writer -
+
+bgwriter_delay = {{ item.bgwriter_delay | d('200ms') }}
+bgwriter_lru_maxpages = {{ item.bgwriter_lru_maxpages | d('100') }}
+bgwriter_lru_multiplier = {{ item.bgwriter_lru_multiplier | d('2.0') }}
+
+
+# - Asynchronous Behavior -
+
+effective_io_concurrency = {{ item.effective_io_concurrency | d('1') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.4','>=') %}
+max_worker_processes = {{ item.max_worker_processes | d('8') }}
+{% endif %}
+
+
+#------------------------------------------------------------------------------
+# WRITE AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+wal_level = {{ item.wal_level | d(postgresql_server__wal_level) }}
+fsync = {{ item.fsync | d('on') }}
+synchronous_commit = {{ item.synchronous_commit | d('on') }}
+wal_sync_method = {{ item.wal_sync_method | d('fsync') }}
+full_page_writes = {{ item.full_page_writes | d('on') }}
+wal_buffers = {{ item.wal_buffers | d('-1') }}
+wal_writer_delay = {{ item.wal_writer_delay | d('200ms') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.3','>') %}
+wal_log_hints = {{ item.wal_log_hints | d('off') }}
+{% endif %}
+
+commit_delay = {{ item.commit_delay | d('0') }}
+commit_siblings = {{ item.commit_siblings | d('5') }}
+
+
+# - Checkpoints -
+
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.5','<') %}
+checkpoint_segments = {{ item.checkpoint_segments | d('3') }}
+{% endif %}
+checkpoint_timeout = {{ item.checkpoint_timeout | d('5min') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.5','>=') %}
+min_wal_size = {{ item.min_wal_size | d('80MB') }}
+max_wal_size = {{ item.max_wal_size | d('1GB') }}
+{% endif %}
+checkpoint_completion_target = {{ item.checkpoint_completion_target | d('0.5') }}
+checkpoint_warning = {{ item.checkpoint_warning | d('30s') }}
+
+
+# - Archiving -
+
+{% if item.archive_mode | d() and item.archive_mode %}
+archive_mode = {{ item.archive_mode }}
+{% elif item.wal_level | d() and item.wal_level == 'archive' %}
+archive_mode = on
+{% elif postgresql_server__wal_level | d() and postgresql_server__wal_level == 'archive' %}
+archive_mode = on
+{% else %}
+archive_mode = off
+{% endif %}
+archive_command = '{{ item.archive_command | d(postgresql_server__archive_command) }}'
+archive_timeout = {{ item.archive_timeout | d('0') }}
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Server(s) -
+
+# Set these on the master and on any standby that will send replication data
+max_wal_senders = {{ item.max_wal_senders | d('0') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('13','<') %}
+wal_keep_segments = {{ item.wal_keep_segments | d('0') }}
+{% endif %}
+{% if (item.version | d(postgresql_server__version)) is version_compare('13','>=') %}
+wal_keep_size = {{ item.wal_keep_size | d('0') }}
+{% endif %}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+wal_sender_timeout = {{ item.wal_sender_timeout | d('60s') }}
+{% endif %}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.3','>') %}
+max_replication_slots = {{ item.max_replication_slots | d('0') }}
+{% endif %}
+
+# - Master Server -
+
+# These settings are ignored on a standby server
+synchronous_standby_names = '{{ item.synchronous_standby_names | d("") }}'
+{% if (item.version | d(postgresql_server__version)) is version_compare('16','<') %}
+vacuum_defer_cleanup_age = {{ item.vacuum_defer_cleanup_age | d('0') }}
+{% endif %}
+
+
+# - Standby Servers -
+
+# These settings are ignored on a master server
+hot_standby = {{ item.hot_standby | d('off') }}
+max_standby_archive_delay = {{ item.max_standby_archive_delay | d('30s') }}
+max_standby_streaming_delay = {{ item.max_standby_streaming_delay | d('30s') }}
+wal_receiver_status_interval = {{ item.wal_receiver_status_interval | d('10s') }}
+hot_standby_feedback = {{ item.hot_standby_feedback | d('off') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+wal_receiver_timeout = {{ item.wal_receiver_timeout | d('60s') }}
+{% endif %}
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+enable_bitmapscan = {{ item.enable_bitmapscan | d('on') }}
+enable_hashagg = {{ item.enable_hashagg | d('on') }}
+enable_hashjoin = {{ item.enable_hashjoin | d('on') }}
+enable_indexscan = {{ item.enable_indexscan | d('on') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+enable_indexonlyscan = {{ item.enable_indexonlyscan | d('on') }}
+{% endif %}
+enable_material = {{ item.enable_material | d('on') }}
+enable_mergejoin = {{ item.enable_mergejoin | d('on') }}
+enable_nestloop = {{ item.enable_nestloop | d('on') }}
+enable_seqscan = {{ item.enable_seqscan | d('on') }}
+enable_sort = {{ item.enable_sort | d('on') }}
+enable_tidscan = {{ item.enable_tidscan | d('on') }}
+
+
+# - Planner Cost Constants -
+
+seq_page_cost = {{ item.seq_page_cost | d('1.0') }}
+random_page_cost = {{ item.random_page_cost | d('4.0') }}
+cpu_tuple_cost = {{ item.cpu_tuple_cost | d('0.01') }}
+cpu_index_tuple_cost = {{ item.cpu_index_tuple_cost | d('0.005') }}
+cpu_operator_cost = {{ item.cpu_operator_cost | d('0.0025') }}
+effective_cache_size = {{ item.effective_cache_size | d('128MB') }}
+
+
+# - Genetic Query Optimizer -
+
+geqo = {{ item.geqo | d('on') }}
+geqo_threshold = {{ item.geqo_threshold | d('12') }}
+geqo_effort = {{ item.geqo_effort | d('5') }}
+geqo_pool_size = {{ item.geqo_pool_size | d('0') }}
+geqo_generations = {{ item.geqo_generations | d('0') }}
+geqo_selection_bias = {{ item.geqo_selection_bias | d('2.0') }}
+geqo_seed = {{ item.geqo_seed | d('0.0') }}
+
+
+# - Other Planner Options -
+
+default_statistics_target = {{ item.default_statistics_target | d('100') }}
+constraint_exclusion = {{ item.constraint_exclusion | d('partition') }}
+cursor_tuple_fraction = {{ item.cursor_tuple_fraction | d('0.1') }}
+from_collapse_limit = {{ item.from_collapse_limit | d('8') }}
+join_collapse_limit = {{ item.join_collapse_limit | d('8') }}
+
+
+#------------------------------------------------------------------------------
+# ERROR REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+log_destination = '{{ item.log_destination | d(postgresql_server__log_destination) }}'
+
+# This is used when logging to stderr:
+logging_collector = {{ item.logging_collector | d('off') }}
+
+# These are only used if logging_collector is on:
+log_directory = '{{ item.log_directory | d("pg_log") }}'
+log_filename = '{{ item.log_filename | d("postgresql-%Y-%m-%d_%H%M%S.log") }}'
+log_file_mode = {{ item.log_file_mode | d('0600') }}
+log_truncate_on_rotation = {{ item.log_truncate_on_rotation | d('off') }}
+log_rotation_age = {{ item.log_rotation_age | d('1d') }}
+log_rotation_size = {{ item.log_rotation_size | d('10MB') }}
+
+# These are relevant when logging to syslog:
+syslog_facility = '{{ item.syslog_facility | d("LOCAL0") }}'
+syslog_ident = '{{ item.syslog_ident | d("postgres-" + item.name) }}'
+
+
+# - When to Log -
+
+client_min_messages = {{ item.client_min_messages | d('notice') }}
+log_min_messages = {{ item.log_min_messages | d('warning') }}
+log_min_error_statement = {{ item.log_min_error_statement | d('error') }}
+log_min_duration_statement = {{ item.log_min_duration_statement | d('-1') }}
+
+
+# - What to Log -
+
+debug_print_parse = {{ item.debug_print_parse | d('off') }}
+debug_print_rewritten = {{ item.debug_print_rewritten | d('off') }}
+debug_print_plan = {{ item.debug_print_plan | d('off') }}
+debug_pretty_print = {{ item.debug_pretty_print | d('on') }}
+log_checkpoints = {{ item.log_checkpoints | d('off') }}
+log_connections = {{ item.log_connections | d('off') }}
+log_disconnections = {{ item.log_disconnections | d('off') }}
+log_duration = {{ item.log_duration | d('off') }}
+log_error_verbosity = {{ item.log_error_verbosity | d('default') }}
+log_hostname = {{ item.log_hostname | d('off') }}
+log_line_prefix = '{{ item.log_line_prefix | d("%t [%p-%l] %q%u@%d ") }}'
+log_lock_waits = {{ item.log_lock_waits | d('off') }}
+log_statement = '{{ item.log_statement | d("none") }}'
+log_temp_files = {{ item.log_temp_files | d('-1') }}
+log_timezone = '{{ item.log_timezone | d(postgresql_server__timezone) }}'
+
+
+#------------------------------------------------------------------------------
+# RUNTIME STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query/Index Statistics Collector -
+
+track_activities = {{ item.track_activities | d('on') }}
+track_counts = {{ item.track_counts | d('on') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+track_io_timing = {{ item.track_io_timing | d('off') }}
+{% endif %}
+track_functions = {{ item.track_functions | d('none') }}
+track_activity_query_size = {{ item.track_activity_query_size | d('1024') }}
+update_process_title = {{ item.update_process_title | d('on') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('15','>=') %}
+{% elif (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+stats_temp_directory = '{{ item.stats_temp_directory | d("/var/run/postgresql/" + (item.version | d(postgresql_server__version)) + "-" + item.name + ".pg_stat_tmp") }}'
+{% else %}
+stats_temp_directory = '{{ item.stats_temp_directory | d("pg_stat_tmp") }}'
+{% endif %}
+
+
+# - Statistics Monitoring -
+
+log_parser_stats = {{ item.log_parser_stats | d('off') }}
+log_planner_stats = {{ item.log_planner_stats | d('off') }}
+log_executor_stats = {{ item.log_executor_stats | d('off') }}
+log_statement_stats = {{ item.log_statement_stats | d('off') }}
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM PARAMETERS
+#------------------------------------------------------------------------------
+
+autovacuum = {{ item.autovacuum | d('on') }}
+log_autovacuum_min_duration = {{ item.log_autovacuum_min_duration | d('-1') }}
+autovacuum_max_workers = {{ item.autovacuum_max_workers | d('3') }}
+autovacuum_naptime = {{ item.autovacuum_naptime | d('1min') }}
+autovacuum_vacuum_threshold = {{ item.autovacuum_vacuum_threshold | d('50') }}
+autovacuum_analyze_threshold = {{ item.autovacuum_analyze_threshold | d('50') }}
+autovacuum_vacuum_scale_factor = {{ item.autovacuum_vacuum_scale_factor | d('0.2') }}
+autovacuum_analyze_scale_factor = {{ item.autovacuum_analyze_scale_factor | d('0.1') }}
+autovacuum_freeze_max_age = {{ item.autovacuum_freeze_max_age | d('200000000') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+autovacuum_multixact_freeze_max_age = {{ item.autovacuum_multixact_freeze_max_age | d('400000000') }}
+{% endif %}
+autovacuum_vacuum_cost_delay = {{ item.autovacuum_vacuum_cost_delay | d('20ms') }}
+autovacuum_vacuum_cost_limit = {{ item.autovacuum_vacuum_cost_limit | d('-1') }}
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+search_path = '{{ item.search_path | d("\"$user\",public") }}'
+default_tablespace = '{{ item.default_tablespace | d("") }}'
+temp_tablespaces = '{{ item.temp_tablespaces | d("") }}'
+check_function_bodies = {{ item.check_function_bodies | d('on') }}
+default_transaction_isolation = '{{ item.default_transaction_isolation | d("read committed") }}'
+default_transaction_read_only = {{ item.default_transaction_read_only | d('off') }}
+default_transaction_deferrable = {{ item.default_transaction_deferrable | d('off') }}
+session_replication_role = '{{ item.session_replication_role | d("origin") }}'
+statement_timeout = {{ item.statement_timeout | d('0') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+lock_timeout = {{ item.lock_timeout | d('0') }}
+{% endif %}
+vacuum_freeze_min_age = {{ item.vacuum_freeze_min_age | d('50000000') }}
+vacuum_freeze_table_age = {{ item.vacuum_freeze_table_age | d('150000000') }}
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.1','>') %}
+vacuum_multixact_freeze_min_age = {{ item.vacuum_multixact_freeze_min_age | d('5000000') }}
+vacuum_multixact_freeze_table_age = {{ item.vacuum_multixact_freeze_table_age | d('150000000') }}
+{% endif %}
+bytea_output = '{{ item.bytea_output | d("hex") }}'
+xmlbinary = '{{ item.xmlbinary | d("base64") }}'
+xmloption = '{{ item.xmloption | d("content") }}'
+
+
+# - Locale and Formatting -
+
+datestyle = '{{ item.datestyle | d("iso, dmy") }}'
+intervalstyle = '{{ item.intervalstyle | d("postgres") }}'
+timezone = '{{ item.timezone | d(postgresql_server__timezone) }}'
+timezone_abbreviations = '{{ item.timezone_abbreviations | d("Default") }}'
+extra_float_digits = {{ item.extra_float_digits | d('0') }}
+{% if item.client_encoding | d() %}
+client_encoding = {{ item.client_encoding }}
+{% else %}
+#client_encoding = # based on the database encoding
+{% endif %}
+lc_messages = '{{ item.locale_messages | d(postgresql_server__locale_messages) }}'
+lc_monetary = '{{ item.locale | d(postgresql_server__locale) }}'
+lc_numeric = '{{ item.locale | d(postgresql_server__locale) }}'
+lc_time = '{{ item.locale | d(postgresql_server__locale) }}'
+
+# default configuration for text search
+default_text_search_config = '{{ item.default_text_search_config | d("pg_catalog.simple") }}'
+
+
+# - Other Defaults -
+
+dynamic_library_path = '{{ item.dynamic_library_path | d("$libdir") }}'
+local_preload_libraries = '{{ item.local_preload_libraries | d("") }}'
+{% if (item.version | d(postgresql_server__version)) is version_compare('9.3','>') %}
+session_preload_libraries = '{{ item.session_preload_libraries | d("") }}'
+{% endif %}
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+deadlock_timeout = {{ item.deadlock_timeout | d('1s') }}
+max_locks_per_transaction = {{ item.max_locks_per_transaction | d('64') }}
+max_pred_locks_per_transaction = {{ item.max_pred_locks_per_transaction | d('64') }}
+
+
+#------------------------------------------------------------------------------
+# VERSION/PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+array_nulls = {{ item.array_nulls | d('on') }}
+backslash_quote = {{ item.backslash_quote | d('safe_encoding') }}
+default_with_oids = {{ item.default_with_oids | d('off') }}
+escape_string_warning = {{ item.escape_string_warning | d('on') }}
+lo_compat_privileges = {{ item.lo_compat_privileges | d('off') }}
+quote_all_identifiers = {{ item.quote_all_identifiers | d('off') }}
+{% if ((item.version | d(postgresql_server__version)) is version_compare('10','<')) %}
+sql_inheritance = {{ item.sql_inheritance | d('on') }}
+{% endif %}
+standard_conforming_strings = {{ item.standard_conforming_strings | d('on') }}
+synchronize_seqscans = {{ item.synchronize_seqscans | d('on') }}
+
+
+# - Other Platforms and Clients -
+
+transform_null_equals = {{ item.transform_null_equals | d('off') }}
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+exit_on_error = {{ item.exit_on_error | d('off') }}
+restart_after_crash = {{ item.restart_after_crash | d('on') }}
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.
+
+include_dir = 'conf.d'                  # include files ending in '.conf' from
+                                        # directory 'conf.d'
+#include_if_exists = 'exists.conf'      # include file only if it exists
+#include = 'special.conf'               # include file
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/start.conf.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/start.conf.j2
new file mode 100644
index 00000000..48b1d0b4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/start.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Automatic startup configuration
+# auto: automatically start/stop the cluster in the init script
+# manual: do not start/stop in init scripts, but allow manual startup with
+#         pg_ctlcluster
+# disabled: do not allow manual startup with pg_ctlcluster (this can be easily
+#           circumvented and is only meant to be a small protection for
+#           accidents).
+
+{{ item.start_conf | default(postgresql_server__start_conf) }}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/trusted.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/trusted.j2
new file mode 100644
index 00000000..e7474218
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/etc/postgresql/trusted.j2
@@ -0,0 +1,51 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set postgresql_server__tpl_trusted = [] %}
+{% if item.trusted | d() and item.trusted %}
+{%   if item.trusted is string %}
+{%     if item.trusted == '*postgres*' %}
+{%       set postgresql_server__tpl_trusted = [ item.user | d(postgresql_server__user) ] %}
+{%     else %}
+{%       set postgresql_server__tpl_trusted = [ item.trusted ] %}
+{%     endif %}
+{%   else %}
+{%     for element in item.trusted %}
+{%       if element %}
+{%         if element == '*postgres*' %}
+{%           set _ = postgresql_server__tpl_trusted.append(item.user | d(postgresql_server__user)) %}
+{%         else %}
+{%           set _ = postgresql_server__tpl_trusted.append(element) %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% elif postgresql_server__trusted | d() and postgresql_server__trusted %}
+{%   if postgresql_server__trusted is string %}
+{%     if postgresql_server__trusted == '*postgres*' %}
+{%       set postgresql_server__tpl_trusted = [ item.user | d(postgresql_server__user) ] %}
+{%     else %}
+{%       set postgresql_server__tpl_trusted = [ postgresql_server__trusted ] %}
+{%     endif %}
+{%   else %}
+{%     for element in postgresql_server__trusted %}
+{%       if element %}
+{%         if element == '*postgres*' %}
+{%           set _ = postgresql_server__tpl_trusted.append(item.user | d(postgresql_server__user)) %}
+{%         else %}
+{%           set _ = postgresql_server__tpl_trusted.append(element) %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if (item.trusted is undefined or item.trusted) %}
+{%   if postgresql_server__tpl_trusted %}
+{%     for element in postgresql_server__tpl_trusted %}
+{%       if element %}
+{{ element }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/postgresql_server/templates/usr/sbin/autopostgresqlbackup.j2 b/ansible_collections/debops/debops/roles/postgresql_server/templates/usr/sbin/autopostgresqlbackup.j2
new file mode 100644
index 00000000..d416f81a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postgresql_server/templates/usr/sbin/autopostgresqlbackup.j2
@@ -0,0 +1,609 @@
+#!/usr/bin/env bash
+
+# {{ ansible_managed }}
+
+# PostgreSQL Backup Script Ver 1.0
+# http://autopgsqlbackup.frozenpc.net
+# Copyright (c) 2005 Aaron Axelsen <axelseaa@amadmax.com>
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# This script is based of the AutoMySQLBackup Script Ver 2.2
+# It can be found at https://sourceforge.net/projects/automysqlbackup/
+#
+# The PostgreSQL changes are based on a patch against AutoMySQLBackup 1.9
+# created by Friedrich Lobenstock <fl@fl.priv.at>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+
+# This gets appended to the BACKUPDIR to form a path for this cluster.
+# shellcheck disable=SC2034
+DBCLUSTER="{{ item.version | d(postgresql_server__version) }}/{{ item.name }}"
+
+# Add the port so it supports pg clusters.
+OPT="-p {{ item.port }} {{ postgresql_server__auto_backup_pg_dump_opts | d() }}"
+PSQLOPT="-p {{ item.port }} {{ postgresql_server__auto_backup_pg_opts | d() }}"
+
+# ===============================
+# === Debian specific options ===
+#================================
+
+DBCLUSTER_VERSION="{{ item.version | d(postgresql_server__version) }}"
+DBCLUSTER_NAME="{{ item.name }}"
+if [ -f "/etc/default/autopostgresqlbackup-${DBCLUSTER_VERSION}-${DBCLUSTER_NAME}" ]; then
+  # shellcheck disable=SC1090
+  . "/etc/default/autopostgresqlbackup-${DBCLUSTER_VERSION}-${DBCLUSTER_NAME}"
+fi
+
+#=====================================================================
+# Options documentation
+#=====================================================================
+# Set USERNAME and PASSWORD of a user that has at least SELECT permission
+# to ALL databases.
+#
+# Set the DBHOST option to the server you wish to backup, leave the
+# default to backup "this server".(to backup multiple servers make
+# copies of this file and set the options for that server)
+#
+# Put in the list of DBNAMES(Databases)to be backed up. If you would like
+# to backup ALL DBs on the server set DBNAMES="all".(if set to "all" then
+# any new DBs will automatically be backed up without needing to modify
+# this backup script when a new DB is created).
+#
+# If the DB you want to backup has a space in the name replace the space
+# with a % e.g. "data base" will become "data%base"
+# NOTE: Spaces in DB names may not work correctly when SEPDIR=no.
+#
+# You can change the backup storage location from /backups to anything
+# you like by using the BACKUPDIR setting..
+#
+# The MAILCONTENT and MAILADDR options and pretty self explanatory, use
+# these to have the backup log mailed to you at any email address or multiple
+# email addresses in a space separated list.
+# (If you set mail content to "log" you will require access to the "mail" program
+# on your server. If you set this to "files" you will have to have mutt installed
+# on your server. If you set it to "stdout" it will log to the screen if run from
+# the console or to the cron job owner if run through cron. If you set it to "quiet"
+# logs will only be mailed if there are errors reported. )
+#
+# MAXATTSIZE sets the largest allowed email attachments total (all backup files) you
+# want the script to send. This is the size before it is encoded to be sent as an email
+# so if your mail server will allow a maximum mail size of 5MB I would suggest setting
+# MAXATTSIZE to be 25% smaller than that so a setting of 4000 would probably be fine.
+#
+# Finally copy autopostgresqlbackup.sh to anywhere on your server and make sure
+# to set executable permission. You can also copy the script to
+# /etc/cron.daily to have it execute automatically every night or simply
+# place a symlink in /etc/cron.daily to the file if you wish to keep it
+# somewhere else.
+# NOTE:On Debian copy the file with no extension for it to be run
+# by cron e.g just name the file "autopostgresqlbackup"
+#
+# That's it..
+#
+#
+# === Advanced options doc's ===
+#
+# The list of MDBNAMES is the DB's to be backed up only monthly. You should
+# always include "template1" in this list to backup the default database
+# template used to create new databases.
+# NOTE: If DBNAMES="all" then MDBNAMES has no effect as all DBs will be backed
+# up anyway.
+#
+# If you set DBNAMES="all" you can configure the option DBEXCLUDE. Other
+# wise this option will not be used.
+# This option can be used if you want to backup all dbs, but you want
+# exclude some of them. (eg. a db is to big).
+#
+# Set CREATE_DATABASE to "yes" (the default) if you want your SQL-Dump to create
+# a database with the same name as the original database when restoring.
+# Saying "no" here will allow your to specify the database name you want to
+# restore your dump into, making a copy of the database by using the dump
+# created with autopostgresqlbackup.
+# NOTE: Not used if SEPDIR=no
+#
+# The SEPDIR option allows you to choose to have all DBs backed up to
+# a single file (fast restore of entire server in case of crash) or to
+# separate directories for each DB (each DB can be restored separately
+# in case of single DB corruption or loss).
+#
+# To set the day of the week that you would like the weekly backup to happen
+# set the DOWEEKLY setting, this can be a value from 1 to 7 where 1 is Monday,
+# The default is 6 which means that weekly backups are done on a Saturday.
+#
+# COMP is used to choose the copmression used, options are gzip or bzip2.
+# bzip2 will produce slightly smaller files but is more processor intensive so
+# may take longer to complete.
+#
+# COMMCOMP is used to set the compression level (from 0 to 9, 0 means no compression)
+# between the client and the server, so it is useful to save bandwidth when backing up
+# a remote postgresql server over the network.
+#
+# LATEST is to store an additional copy of the latest backup to a standard
+# location so it can be downloaded bt third party scripts.
+#
+# Use PREBACKUP and POSTBACKUP to specify Per and Post backup commands
+# or scripts to perform tasks either before or after the backup process.
+#
+#
+#=====================================================================
+# Backup Rotation..
+#=====================================================================
+#
+# Daily Backups are rotated weekly..
+# Weekly Backups are run by default on Saturday Morning when
+# cron.daily scripts are run...Can be changed with DOWEEKLY setting..
+# Weekly Backups are rotated on a 5 week cycle..
+# Monthly Backups are run on the 1st of the month..
+# Monthly Backups are NOT rotated automatically...
+# It may be a good idea to copy Monthly backups offline or to another
+# server..
+#
+#=====================================================================
+# Please Note!!
+#=====================================================================
+#
+# I take no responsibility for any data loss or corruption when using
+# this script..
+# This script will not help in the event of a hard drive crash. If a
+# copy of the backup has not be stored offline or on another PC..
+# You should copy your backups offline regularly for best protection.
+#
+# Happy backing up...
+#
+#=====================================================================
+# Restoring
+#=====================================================================
+# Firstly you will need to uncompress the backup file.
+# eg.
+# gunzip file.gz (or bunzip2 file.bz2)
+#
+# Next you will need to use the postgresql client to restore the DB from the
+# sql file.
+# eg.
+# psql --host dbserver --dbname database < /path/file.sql
+#
+# NOTE: Make sure you use "<" and not ">" in the above command because
+# you are piping the file.sql to psql and not the other way around.
+#
+# Lets hope you never have to use this.. :)
+#
+#=====================================================================
+# Change Log
+#=====================================================================
+#
+# VER 1.0 - (2005-03-25)
+#   Initial Release - based on AutoMySQLBackup 2.2
+#
+#=====================================================================
+#=====================================================================
+#=====================================================================
+#
+# Should not need to be modified from here down!!
+#
+#=====================================================================
+#=====================================================================
+#=====================================================================
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/postgres/bin:/usr/local/pgsql/bin
+DATE=$(date +%Y-%m-%d_%Hh%Mm)    # Datestamp e.g 2002-09-21
+DOW=$(date +%A)                                  # Day of the week e.g. Monday
+DNOW=$(date +%u)                                 # Day number of the week 1 to 7 where 1 represents Monday
+DOM=$(date +%d)                                  # Date of the Month e.g. 27
+M=$(date +%B)                                    # Month e.g January
+W=$(date +%V)                                    # Week Number e.g 37
+VER=1.0                                                 # Version Number
+LOGFILE="$BACKUPDIR/$DBHOST-$(date +%N).log"                       # Logfile Name
+LOGERR="$BACKUPDIR/ERRORS_$DBHOST-$(date +%N).log"         # Logfile Name
+BACKUPFILES=""
+
+# Add --compress pg_dump option to $OPT
+if [ "$COMMCOMP" -gt 0 ];
+  then
+  OPT="$OPT --compress=$COMMCOMP"
+fi
+
+# Create required directories
+if [ ! -e "$BACKUPDIR" ]                # Check Backup Directory exists.
+  then
+  mkdir -p "$BACKUPDIR"
+fi
+
+if [ ! -e "$BACKUPDIR/daily" ]          # Check Daily Directory exists.
+  then
+  mkdir -p "$BACKUPDIR/daily"
+fi
+
+if [ ! -e "$BACKUPDIR/weekly" ]         # Check Weekly Directory exists.
+  then
+  mkdir -p "$BACKUPDIR/weekly"
+fi
+
+if [ ! -e "$BACKUPDIR/monthly" ]        # Check Monthly Directory exists.
+  then
+  mkdir -p "$BACKUPDIR/monthly"
+fi
+
+if [ "$LATEST" = "yes" ]
+then
+  if [ ! -e "$BACKUPDIR/latest" ]       # Check Latest Directory exists.
+  then
+    mkdir -p "$BACKUPDIR/latest"
+  fi
+rm -f "$BACKUPDIR"/latest/*
+fi
+
+# IO redirection for logging.
+touch "$LOGFILE"
+exec 6>&1           # Link file descriptor #6 with stdout.
+                    # Saves stdout.
+exec > "$LOGFILE"   # stdout replaced with file $LOGFILE.
+touch "$LOGERR"
+exec 7>&2           # Link file descriptor #7 with stderr.
+                    # Saves stderr.
+exec 2> "$LOGERR"   # stderr replaced with file $LOGERR.
+
+
+# Functions
+
+# Database dump function
+dbdump () {
+  rm -f "$2"
+  touch "$2"
+  chmod "$BACKUPPERM" "$2"
+  for db in $1 ; do
+    if [ -n "$SU_USERNAME" ]; then
+      if [ "$db" = "$GLOBALS_OBJECTS" ]; then
+        su - "$SU_USERNAME" -c "pg_dumpall $PGHOST --globals-only" >> "$2"
+      else
+        su - "$SU_USERNAME" -c "pg_dump $PGHOST $OPT $db" >> "$2"
+      fi
+    else
+      if [ "$db" = "$GLOBALS_OBJECTS" ]; then
+        pg_dumpall --username="$USERNAME" "$PGHOST" --globals-only >> "$2"
+      else
+        # shellcheck disable=SC2086
+        pg_dump --username="$USERNAME" "$PGHOST" $OPT $db >> "$2"
+      fi
+    fi
+  done
+  return 0
+}
+
+# Encryption function
+encryption() {
+  ENCRYPTED_FILE="$1$ENCRYPTION_SUFFIX"
+  # Encrypt as needed
+  if [ "$ENCRYPTION" = "yes" ]; then
+    echo
+    echo "Encrypting $1"
+    echo "      to $ENCRYPTED_FILE"
+    echo "      using cypher $ENCRYPTION_CIPHER and public key $ENCRYPTION_PUBLIC_KEY"
+    if openssl smime -encrypt -"$ENCRYPTION_CIPHER" -binary -outform DEM \
+      -out "$ENCRYPTED_FILE" \
+      -in "$1" "$ENCRYPTION_PUBLIC_KEY" ; then
+      echo "    and remove $1"
+      rm -f "$1"
+    fi
+  fi
+  return 0
+}
+
+# Compression (and encrypt) function plus latest copy
+SUFFIX=""
+compression () {
+if [ "$COMP" = "gzip" ]; then
+  gzip -f "$1"
+  echo
+  echo Backup Information for "$1"
+  gzip -l "$1.gz"
+  SUFFIX=".gz"
+elif [ "$COMP" = "bzip2" ]; then
+  echo Compression information for "$1.bz2"
+  bzip2 -f -v "$1" 2>&1
+  SUFFIX=".bz2"
+else
+  echo "No compression option set, check advanced settings"
+fi
+encryption "$1$SUFFIX"
+if [ "$LATEST" = "yes" ]; then
+  cp "$1$SUFFIX"* "$BACKUPDIR/latest/"
+fi
+return 0
+}
+
+# Run command before we begin
+if [ "$PREBACKUP" ]
+  then
+  echo ======================================================================
+  echo "Prebackup command output."
+  echo
+  $PREBACKUP
+  echo
+  echo ======================================================================
+  echo
+fi
+
+
+if [ "$SEPDIR" = "yes" ]; then # Check if CREATE DATABASE should be included in Dump
+  if [ "$CREATE_DATABASE" = "no" ]; then
+    true
+  else
+    OPT="$OPT --create"
+  fi
+else
+  true
+fi
+
+# Hostname for LOG information
+if [ "$DBHOST" = "localhost" ]; then
+  HOST=$(hostname)
+  PGHOST=""
+else
+  HOST=$DBHOST
+  PGHOST="-h $DBHOST"
+fi
+
+# If backing up all DBs on the server
+if [ "$DBNAMES" = "all" ]; then
+  if [ -n "$SU_USERNAME" ]; then
+    # shellcheck disable=SC2086
+    DBNAMES="$(su - "$SU_USERNAME" -c "LANG=C psql -U $USERNAME $PGHOST $PSQLOPT -l -A -F: | sed -ne '/:/ { /Name:Owner/d; /template0/d; s/:.*$//; p }'")"
+  else
+    # shellcheck disable=SC2086
+    DBNAMES="$(LANG=C psql -U "$USERNAME" "$PGHOST" $PSQLOPT -l -A -F: | sed -ne "/:/ { /Name:Owner/d; /template0/d; s/:.*$//; p }")"
+  fi
+
+  # If DBs are excluded
+  for exclude in $DBEXCLUDE
+  do
+    # shellcheck disable=SC2001
+    DBNAMES=$(echo "$DBNAMES" | sed "s/\\b$exclude\\b//g")
+  done
+  DBNAMES="$(echo "$DBNAMES" | tr '\n' ' ')"
+  MDBNAMES=$DBNAMES
+fi
+
+# Include global objects (users, tablespaces)
+DBNAMES="$GLOBALS_OBJECTS $DBNAMES"
+MDBNAMES="$GLOBALS_OBJECTS $MDBNAMES"
+
+echo ======================================================================
+echo "AutoPostgreSQLBackup VER $VER"
+echo http://autopgsqlbackup.frozenpc.net/
+echo
+echo "Backup of Database Server - $HOST"
+echo ======================================================================
+
+# Test is separate DB backups are required
+if [ "$SEPDIR" = "yes" ]; then
+echo "Backup Start Time $(date)"
+echo ======================================================================
+  # Monthly Full Backup of all Databases
+  if [ "$DOM" = "$DOMONTHLY" ]; then
+    for MDB in $MDBNAMES
+    do
+
+       # Prepare $DB for using
+       # shellcheck disable=SC2001
+       MDB="$(echo "$MDB" | sed 's/%/ /g')"
+
+      if [ ! -e "$BACKUPDIR/monthly/$MDB" ]             # Check Monthly DB Directory exists.
+      then
+        mkdir -p "$BACKUPDIR/monthly/$MDB"
+      fi
+      echo "Monthly Backup of $MDB..."
+        dbdump "$MDB" "$BACKUPDIR/monthly/$MDB/${MDB}_$DATE.$M.$MDB.$EXT"
+        compression "$BACKUPDIR/monthly/$MDB/${MDB}_$DATE.$M.$MDB.$EXT"
+        BACKUPFILES="$BACKUPFILES $BACKUPDIR/monthly/$MDB/${MDB}_$DATE.$M.$MDB.$EXT$SUFFIX*"
+      echo ----------------------------------------------------------------------
+    done
+  fi
+
+  for DB in $DBNAMES
+  do
+  # Prepare $DB for using
+  # shellcheck disable=SC2001
+  DB="$(echo "$DB" | sed 's/%/ /g')"
+
+  # Create Separate directory for each DB
+  if [ ! -e "$BACKUPDIR/daily/$DB" ]            # Check Daily DB Directory exists.
+    then
+    mkdir -p "$BACKUPDIR/daily/$DB"
+  fi
+
+  if [ ! -e "$BACKUPDIR/weekly/$DB" ]           # Check Weekly DB Directory exists.
+    then
+    mkdir -p "$BACKUPDIR/weekly/$DB"
+  fi
+
+  # Weekly Backup
+  if [ "$DNOW" = "$DOWEEKLY" ]; then
+    echo "Weekly Backup of Database \\( $DB \\)"
+    echo Rotating 5 weeks Backups...
+      if [ "$W" -le 05 ];then
+        REMW=$(( 48 + W ))
+      elif [ "$W" -lt 15 ];then
+        # shellcheck disable=SC2003
+        REMW=0$(expr "$W" - 5)
+      else
+        REMW=$(( W - 5 ))
+      fi
+    rm -fv "$BACKUPDIR/weekly/$DB/${DB}_week.$REMW".*
+    echo
+      dbdump "$DB" "$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.$EXT"
+      compression "$BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.$EXT"
+      BACKUPFILES="$BACKUPFILES $BACKUPDIR/weekly/$DB/${DB}_week.$W.$DATE.$EXT$SUFFIX*"
+    echo ----------------------------------------------------------------------
+
+  # Daily Backup
+  else
+    echo "Daily Backup of Database \\( $DB \\)"
+    echo Rotating last weeks Backup...
+    rm -fv "$BACKUPDIR/daily/$DB"/*."$DOW"."$EXT".*
+    echo
+      dbdump "$DB" "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.$EXT"
+      compression "$BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.$EXT"
+      BACKUPFILES="$BACKUPFILES $BACKUPDIR/daily/$DB/${DB}_$DATE.$DOW.$EXT$SUFFIX*"
+    echo ----------------------------------------------------------------------
+  fi
+  done
+echo "Backup End $(date)"
+echo ======================================================================
+
+
+else # One backup file for all DBs
+echo "Backup Start $(date)"
+echo ======================================================================
+  # Monthly Full Backup of all Databases
+  if [ "$DOM" = "$DOMONTHLY" ]; then
+    echo "Monthly full Backup of \\( $MDBNAMES \\)..."
+      dbdump "$MDBNAMES" "$BACKUPDIR/monthly/$DATE.$M.all-databases.$EXT"
+      compression "$BACKUPDIR/monthly/$DATE.$M.all-databases.$EXT"
+      BACKUPFILES="$BACKUPFILES $BACKUPDIR/monthly/$DATE.$M.all-databases.$EXT$SUFFIX*"
+    echo ----------------------------------------------------------------------
+  fi
+
+  # Weekly Backup
+  if [ "$DNOW" = "$DOWEEKLY" ]; then
+    echo "Weekly Backup of Databases \\( $DBNAMES \\)"
+    echo
+    echo Rotating 5 weeks Backups...
+      if [ "$W" -le 05 ];then
+        REMW=$(( 48 + W ))
+      elif [ "$W" -lt 15 ];then
+        # shellcheck disable=SC2003
+        REMW=0$(expr "$W" - 5)
+      else
+        REMW=$(( W - 5 ))
+      fi
+    rm -fv "$BACKUPDIR/weekly/week.$REMW".*
+    echo
+      dbdump "$DBNAMES" "$BACKUPDIR/weekly/week.$W.$DATE.$EXT"
+      compression "$BACKUPDIR/weekly/week.$W.$DATE.$EXT"
+      BACKUPFILES="$BACKUPFILES $BACKUPDIR/weekly/week.$W.$DATE.$EXT$SUFFIX*"
+    echo ----------------------------------------------------------------------
+
+  # Daily Backup
+  else
+    echo "Daily Backup of Databases \\( $DBNAMES \\)"
+    echo
+    echo Rotating last weeks Backup...
+    rm -fv "$BACKUPDIR"/daily/*."$DOW"."$EXT".*
+    echo
+      dbdump "$DBNAMES" "$BACKUPDIR/daily/$DATE.$DOW.$EXT"
+      compression "$BACKUPDIR/daily/$DATE.$DOW.$EXT"
+      BACKUPFILES="$BACKUPFILES $BACKUPDIR/daily/$DATE.$DOW.$EXT$SUFFIX*"
+    echo ----------------------------------------------------------------------
+  fi
+echo "Backup End Time $(date)"
+echo ======================================================================
+fi
+echo Total disk space used for backup storage..
+echo Size - Location
+du -hs "$BACKUPDIR"
+echo
+
+
+# Run command when we're done
+if [ "$POSTBACKUP" ]
+  then
+  echo ======================================================================
+  echo "Postbackup command output."
+  echo
+  $POSTBACKUP
+  echo
+  echo ======================================================================
+fi
+
+#Clean up IO redirection
+exec 1>&6 6>&-      # Restore stdout and close file descriptor #6.
+exec 2>&7 7>&-      # Restore stdout and close file descriptor #7.
+
+if [ "$MAILCONTENT" = "files" ]
+then
+  if [ -s "$LOGERR" ]
+  then
+    # Include error log if is larger than zero.
+    BACKUPFILES="$BACKUPFILES $LOGERR"
+    ERRORNOTE="WARNING: Error Reported - "
+    export ERRORNOTE
+  fi
+  #Get backup size
+  # shellcheck disable=SC2086
+  ATTSIZE=$(du -c $BACKUPFILES | grep "[[:digit:][:space:]]total$" |sed 's/\s*total//')
+  if [ "$MAXATTSIZE" -ge "$ATTSIZE" ]
+  then
+    if type biabam >/dev/null 2>&1
+    then
+      # shellcheck disable=SC2001 disable=SC2086
+      BACKUPFILES=$(echo $BACKUPFILES | sed -r -e 's#\s+#,#g')
+      biabam -s "PostgreSQL Backup Log and SQL Files for $HOST - $DATE" "$BACKUPFILES" "$MAILADDR" < "$LOGFILE"
+    elif type heirloom-mailx >/dev/null 2>&1
+    then
+      # shellcheck disable=SC2001 disable=SC2086
+      BACKUPFILES=$(echo $BACKUPFILES | sed -e 's# # -a #g')
+      heirloom-mailx -s "PostgreSQL Backup Log and SQL Files for $HOST - $DATE" "$BACKUPFILES" "$MAILADDR" < "$LOGFILE"
+    elif type mutt >/dev/null 2>&1
+    then
+      # shellcheck disable=SC2001 disable=SC2086
+      BACKUPFILES=$(echo $BACKUPFILES | sed -e 's# # -a #g')
+      # shellcheck disable=SC2086
+      mutt -s "PostgreSQL Backup Log and SQL Files for $HOST - $DATE" $BACKUPFILES "$MAILADDR" < "$LOGFILE"
+    else
+      < "$LOGFILE" mail -s "WARNING! - Enable to send PostgreSQL Backup dumps, no suitable mail client found on $HOST - $DATE" "$MAILADDR"
+    fi
+  else
+    < "$LOGFILE" mail -s "WARNING! - PostgreSQL Backup exceeds set maximum attachment size on $HOST - $DATE" "$MAILADDR"
+  fi
+elif [ "$MAILCONTENT" = "log" ]
+then
+  < "$LOGFILE" mail -s "PostgreSQL Backup Log for $HOST - $DATE" "$MAILADDR"
+  if [ -s "$LOGERR" ]
+    then
+      < "$LOGERR" mail -s "ERRORS REPORTED: PostgreSQL Backup error Log for $HOST - $DATE" "$MAILADDR"
+  fi
+elif [ "$MAILCONTENT" = "quiet" ]
+then
+  if [ -s "$LOGERR" ]
+    then
+      < "$LOGERR" mail -s "ERRORS REPORTED: PostgreSQL Backup error Log for $HOST - $DATE" "$MAILADDR"
+      < "$LOGFILE" mail -s "PostgreSQL Backup Log for $HOST - $DATE" "$MAILADDR"
+  fi
+else
+  if [ -s "$LOGERR" ]
+    then
+      cat "$LOGFILE"
+      echo
+      echo "###### WARNING ######"
+      echo "Errors reported during AutoPostgreSQLBackup execution.. Backup failed"
+      echo "Error log below.."
+      cat "$LOGERR"
+  else
+    cat "$LOGFILE"
+  fi
+fi
+
+if [ -s "$LOGERR" ]
+  then
+    STATUS=1
+  else
+    STATUS=0
+fi
+
+# Clean up Logfile
+rm -f "$LOGFILE"
+rm -f "$LOGERR"
+
+exit $STATUS
diff --git a/ansible_collections/debops/debops/roles/postldap/COPYRIGHT b/ansible_collections/debops/debops/roles/postldap/COPYRIGHT
new file mode 100644
index 00000000..7dd4c891
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postldap/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postldap - Configure Postfix SMTP service to use Virtual Mail with LDAP support
+
+Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postldap/defaults/main.yml b/ansible_collections/debops/debops/roles/postldap/defaults/main.yml
new file mode 100644
index 00000000..8e830c18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postldap/defaults/main.yml
@@ -0,0 +1,794 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postldap__ref_defaults:
+
+# debops.postldap default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: postldap__postfix__dependent_packages [[[
+#
+# List of additional APT packages needed for the LDAP support.
+postldap__postfix__dependent_packages: '{{ ["postfix-ldap"]
+                                           if postldap__ldap_enabled else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS / PKI / TLS configuration [[[
+# ---------------------------------
+
+# .. envvar:: postldap__domain [[[
+#
+# The DNS domain used to generate a :man:`ldap_table(5)` pattern for LDAP
+# search queries.
+postldap__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__domain_rev_pattern [[[
+#
+# The search pattern based on the primary DNS domain of the host, with entries
+# defined in reverse order, for example ``%3.%2.%1``, depending on the number
+# of levels in the domain with maximum of 9. See :man:`ldap_table(5)` manual
+# page for more details about usage of this pattern.
+#
+# This pattern may be used in LDAP search queries which look for the host DNS
+# domain or its subdomains. If multiple DNS domains are used in LDAP with
+# different levels (number of domain parts), each level needs to be defined
+# separately in the LDAP search query.
+postldap__domain_rev_pattern: |-
+  {% set reversed = [] %}
+  {% for element in postldap__domain.split(".") %}
+  {% set _ = reversed.append("%" + loop.index | string) %}
+  {% endfor %}
+  {% if reversed | length == 1 %}
+  {{ "%d" }}{% else %}
+  {{ reversed[0:9][::-1] | join(".") }}{% endif %}
+
+# ]]]
+# .. envvar:: postldap__tls_ca_cert_dir [[[
+#
+# Directory containing X509 Certification  Authority  certificates
+# in  PEM  format  which  are  to  be  recognized by the client in
+# SSL/TLS connections. The files each contain one CA  certificate.
+postldap__tls_ca_cert_dir: '/etc/ssl/certs/'
+                                                                   # ]]]
+                                                                   # ]]]
+# Virtual Mail [[[
+# ----------------
+#
+# The settings below help to configure to enable Postfix to host multiple
+# (virtual) domains, and thus provide email to several domains with just one
+# "mail server".  Currently the Virtual Mail support works only with LDAP
+# enabled, in the future MariaDB support could be added as well.
+
+# .. envvar:: postldap__vmail_posix_user [[[
+#
+# Virtual Mail POSIX username
+# For the accesses to the mailbox directories a separate user `vmail` (`Virtual Mail`) is created,
+# under which the accesses of Postfix, Dovecot and other components of the mail server should take place.
+# On the one hand this prevents mail server components from accessing sensitive system directories,
+# on the other hand it protects the mailboxes from external access.
+# Only vmail (and root) are allowed to access the mailboxes.
+postldap__vmail_posix_user: 'vmail'
+
+                                                                   # ]]]
+# .. envvar:: postldap__vmail_posix_uidnumber [[[
+#
+# Virtual Mail POSIX uidNumber
+postldap__vmail_posix_uidnumber: '{{ ansible_local.postldap.vmail_posix_uidnumber | d(None) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__vmail_posix_group [[[
+#
+# Virtual Mail POSIX group
+postldap__vmail_posix_group: 'vmail'
+
+                                                                   # ]]]
+# .. envvar:: postldap__vmail_posix_gidnumber [[[
+#
+# Virtual Mail POSIX gidNumber
+postldap__vmail_posix_gidnumber: '{{ ansible_local.postldap.vmail_posix_gidnumber | d(None) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__mailbox_base [[[
+#
+# All mailboxes are stored directly in the file system of the server.
+#
+# This setting describes the prefix that the virtual delivery agent prepends to all pathname results from
+# ``$virtual_mailbox_maps`` table lookups.
+# The directories under this base contain the users MailDirs.
+# This directory must be created in advance and must be writeable by all potential mail users.
+# To achieve this, either use the same GID across all mail users and set group ownership to that GID,
+# or make the directory world writable.
+#
+# This variable should be synchronized with the :envvar:`mailbox base directory
+# <dovecot__vmail_base>` value in Dovecot or other IMAP/POP3 server.
+postldap__mailbox_base: '/var/vmail'
+
+                                                                   # ]]]
+# .. envvar:: postldap__virtual_mailbox_maps_attribute [[[
+#
+# The attribute needed to reconstruct the mailbox path used by the
+# :file:`ldap_virtual_mailbox_maps.cf` lookup table.
+postldap__virtual_mailbox_maps_attribute: 'mailAddress'
+
+                                                                   # ]]]
+# .. envvar:: postldap__virtual_mailbox_maps_format [[[
+#
+# The relative path to the user mailbox used by the
+# :file:`ldap_virtual_mailbox_maps.cf` lookup table. The value will be expanded
+# according to the LDAP attribute specified above; expansion syntax can be
+# found in the :man:`ldap_table(5)` manual page.
+#
+# The path should be synchronized with the :envvar:`mailbox home
+# <dovecot__vmail_home>` and :envvar:`Maildir base <dovecot__mail_location>`
+# locations in Dovecot or other IMAP/POP3 server.
+#
+# By default the path to the user mailbox is formatted as ``/%d/%u/Maildir/``
+# which corresponds to the "domain" and "local" parts of the primary e-mail
+# address. This requires the ``mailAddress`` attribute from the LDAP lookup.
+# Other possibilities include:
+#
+# - ``/%u/Maildir/``, used with the ``uid`` LDAP attribute, to have only one
+#   level of mailboxes based on the usernames;
+#
+# - ``%s/Maildir/``, used with the ``mailHomeDirectory`` LDAP attribute, which
+#   will be used as a path relative to the :envvar:`postldap__mailbox_base`
+#   directory to point to the user's mail storage directory. The
+#   ``mailHomeDirectory`` LDAP attribute needs to be defined for all accounts in
+#   this case;
+#
+# If you use Dovecot as the virtual mail delivery transport, Dovecot will
+# expand the user mailbox path independently and this value will not be used.
+# This might be useful in case where only specific accounts use
+# ``mailHomeDirectory`` LDAP attribute and the rest use standardized directory
+# structure.
+postldap__virtual_mailbox_maps_format: '/%d/%u/Maildir/'
+
+                                                                   # ]]]
+# .. envvar:: postldap__virtual_alias_maps [[[
+#
+# Optional lookup tables that alias specific mail addresses or domains
+# to other local or remote address.
+# The default option, when using Virtual Mail with LDAP, will first go over the
+# alisaes set by :ref:`debops.etc_aliases` and if no match is found query
+# the LDAP for the email address.
+#
+# Specify zero or more `type:name` lookup tables, separated by whitespace or comma.
+# Tables will be searched in the specified order until a match is found.
+# Note: these lookups are recursive.
+postldap__virtual_alias_maps:
+  - '$alias_maps'
+  - 'ldap:/etc/postfix/ldap_virtual_forward_maps.cf'
+  - 'ldap:/etc/postfix/ldap_virtual_alias_maps.cf'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postfix 'main.cf' configuration [[[
+# -----------------------------------
+
+# These variables define the contents of the :file:`/etc/postfix/main.cf`
+# configuration file. See :ref:`postfix__ref_maincf` for more details.
+
+# .. envvar:: postldap__postfix__dependent_maincf [[[
+#
+# List of options needed by `postfix` for the Virtual Mail configuration
+postldap__postfix__dependent_maincf:
+
+  # Postfix is final destination for the specified list of domains; mail is delivered
+  # via the $virtual_transport mail delivery transport
+  - name: 'virtual_mailbox_domains'
+    value: 'ldap:/etc/postfix/ldap_virtual_mailbox_domains.cf'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  # Optional lookup tables that alias specific mail addresses or domains to other local or remote address.
+  - name: 'virtual_alias_maps'
+    value: '{{ postldap__virtual_alias_maps }}'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  #A prefix that the virtual delivery agent prepends to all pathname results from $virtual_mailbox_maps table lookups.
+  # This is a safety measure to ensure that an out of control map doesn't litter the file system with mailboxes.
+  - name: 'virtual_mailbox_base'
+    value: '{{ postldap__mailbox_base }}'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  # Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.
+  - name: 'virtual_mailbox_maps'
+    value: 'ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  # Lookup tables with the per-recipient user ID that the virtual delivery agent uses while writing
+  # to the recipient's mailbox.
+  - name: 'virtual_uid_maps'
+    value: 'static:{{ postldap__vmail_posix_uidnumber | mandatory }}'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  # Lookup tables with the per-recipient group ID for virtual mailbox delivery.
+  - name: 'virtual_gid_maps'
+    value: 'static:{{ postldap__vmail_posix_gidnumber | mandatory }}'
+    section: 'virtual'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool and
+                postfix__version is version_compare("2.0", ">="))
+            else "absent" }}'
+
+  # The minimum user ID value that the virtual delivery agent accepts as a result from $virtual_uid_maps table lookup
+  # FIXME: problems while parsing number.
+  - name: 'virtual_minimum_uid'
+    value: '{{ postldap__vmail_posix_uidnumber | mandatory }}'
+    section: 'virtual'
+    state: 'absent'
+
+  # Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
+  - name: 'smtpd_sender_login_maps'
+    value: [ 'ldap:/etc/postfix/ldap_smtpd_sender_login_maps.cf' ]
+    section: 'base'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool)
+            else "absent" }}'
+
+  - name: 'smtpd_sender_restrictions'
+    value:
+      - name: 'check_sasl_access ldap:${config_directory}/ldap_known_sender_relays.cf'
+        copy_id_from: 'permit_mynetworks'
+        weight: 5
+      - name: 'check_sender_access ldap:${config_directory}/ldap_unauth_sender_access.cf'
+        copy_id_from: 'permit_sasl_authenticated'
+        weight: 10
+      - name: 'check_sender_access ldap:${config_directory}/ldap_unauth_domain_access.cf'
+        copy_id_from: 'permit_sasl_authenticated'
+        weight: 15
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool)
+            else "ignore" }}'
+
+  - name: 'smtpd_relay_restrictions'
+    value:
+      - name: 'check_sasl_access ldap:${config_directory}/ldap_known_sender_relays.cf'
+        copy_id_from: 'permit_mynetworks'
+        weight: 5
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool)
+            else "ignore" }}'
+
+  - name: 'smtpd_restriction_classes'
+    value: [ 'smtpd_permit_known_sender_relays' ]
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool)
+            else "ignore" }}'
+
+  - name: 'smtpd_permit_known_sender_relays'
+    value:
+      # FIXME: Needs a better check, empty result doesn't block spoofed e-mail
+      # senders passed through a known relay
+      - 'reject_unlisted_sender'
+      - 'permit_sasl_authenticated'
+      - 'reject'
+    state: '{{ "present"
+            if (postldap__ldap_enabled | bool)
+            else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__postfix_ldap_connection [[[
+#
+# The header of the lookup table containing the settings to connect to the LDAP server
+postldap__postfix_ldap_connection:
+  server_host: '{{ postldap__ldap_uri }}'
+  start_tls: '{{ "yes"
+                  if (postldap__ldap_start_tls | bool)
+                  else "no" }}'
+  version: '3'
+  tls_ca_cert_dir: '{{ postldap__tls_ca_cert_dir }}'
+  bind: 'yes'
+  bind_dn: '{{ postldap__ldap_binddn }}'
+  bind_pw: '{{ postldap__ldap_bindpw }}'
+  scope: 'sub'
+
+                                                                   # ]]]
+# .. envvar:: postldap__postfix__dependent_lookup_tables [[[
+#
+# The Virtual Mail lookup tables for postfix
+postldap__postfix__dependent_lookup_tables:
+
+  - name: 'ldap_virtual_alias_maps.cf'
+    state: 'present'
+    comment: |
+      The virtual_alias_maps setting is used to find the final delivery address,
+      given an alias.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(&
+                     (objectClass=mailRecipient)
+                     (mailAlternateAddress=%s)
+                     (|
+                       (authorizedService=all)
+                       (authorizedService=mail:receive)
+                     )
+                   )'
+    result_attribute: 'mailAddress'
+
+  - name: 'ldap_virtual_forward_maps.cf'
+    state: 'present'
+    comment: |
+      The virtual_forward_maps setting is used to find the final delivery address,
+      given a distribution list.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(&
+                     (|
+                       (objectClass=mailAlias)
+                       (objectClass=mailDistributionList)
+                     )
+                     (mailAddress=%s)
+                     (|
+                       (authorizedService=all)
+                       (authorizedService=mail:receive)
+                     )
+                   )'
+    result_attribute: 'mailForwardTo'
+    special_result_attribute: 'member'
+    leaf_result_attribute: 'mailAddress'
+
+  - name: 'ldap_virtual_mailbox_maps.cf'
+    state: 'present'
+    comment: |
+      As we only want to accept mail, where we know the recipients
+      (and are responsible for them), the virtual_mailbox_maps configuration is used.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(&
+                    (objectClass=mailRecipient)
+                    (|
+                      (mailAddress=%s)
+                    )
+                    (|
+                      (authorizedService=all)
+                      (authorizedService=mail:receive)
+                    )
+                  )'
+    result_attribute: '{{ postldap__virtual_mailbox_maps_attribute }}'
+    result_format: '{{ postldap__virtual_mailbox_maps_format }}'
+
+  - name: 'ldap_virtual_mailbox_domains.cf'
+    state: 'present'
+    comment: |
+      The virtual_mailbox_domains configurations performs a lookup,
+      if the postfix is responsible for the given domain.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_domains_dn | join(",") }}'
+    query_filter: '(&
+                    (objectClass=dNSDomain)
+                    (dc=%s)
+                   )'
+    result_attribute: 'dc'
+
+  - name: 'ldap_smtpd_sender_login_maps.cf'
+    state: 'present'
+    comment: |
+      The smtpd_sender_login_maps configurations performs a lookup from an incoming
+      email-sender to a username. Postfix first performs a full lookup
+      on user@domain, then user and then @domain.
+      The later one is also used for catchalls where the mailAlternateAddress
+      is set to e.g. @foobar.com
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(&
+                     (|
+                       (&
+                         (objectClass=mailRecipient)
+                         (|
+                           (mailAddress=%s)
+                           (mailAlternateAddress=%s)
+                         )
+                       )
+                       (&
+                         (objectClass=account)
+                         (uid=%u)
+                         (host=%d)
+                       )
+                     )
+                     (|
+                       (authorizedService=all)
+                       (authorizedService=mail:send)
+                     )
+                   )'
+    result_attribute: ''
+    special_result_attribute: 'member'
+    leaf_result_attribute: '{{ postldap__virtual_mailbox_maps_attribute }}'
+    size_limit: 1
+
+  - name: 'ldap_known_sender_relays.cf'
+    state: 'present'
+    comment: |
+      This lookup table checks if a given SASL authenticated login specified as
+      'user@fqdn' is a service account which can be used to relay e-mails from
+      other hosts through Postfix. If such service account is found, the lookup
+      table tells Postfix to use a relaxed sender and relay restrictions which
+      don't check for sender <-> login mismatch. This is required for accepting
+      e-mail messages from trusted SMTP services, for example nullmailer, which
+      can send e-mail messages on behalf of other users but cannot authenticate
+      as them.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(&
+                    (objectClass=account)
+                    (uid=%u)
+                    (host=%d)
+                    (|
+                      (authorizedService=all)
+                      (authorizedService=mail:send)
+                    )
+                  )'
+    result_attribute: 'uid'
+    result_format: 'smtpd_permit_known_sender_relays'
+    size_limit: 1
+
+  - name: 'ldap_unauth_sender_access.cf'
+    state: 'present'
+    comment: |
+      This lookup table is used to check if a sender exists after authenticated
+      sender has been accepted. If a sender exists, it means that the sender has
+      not been authenticated properly, or perhaps somebody tries to send e-mail
+      as one of our own users which is not allowed without authentication. In
+      such cases, the mail will be rejected with a sensible response indicating
+      that the sender needs to enable SMTP authentication.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(|
+                    (&
+                      (objectClass=mailRecipient)
+                      (|
+                        (mailAddress=%s)
+                        (mailAlternateAddress=%s)
+                      )
+                    )
+                    (&
+                      (objectClass=account)
+                      (uid=%u)
+                      (host=%d)
+                    )
+                  )'
+    result_attribute: 'uid, mailAddress, mailAlternateAddress'
+    result_format: '550 Authentication Required'
+
+  - name: 'ldap_unauth_domain_access.cf'
+    state: 'present'
+    comment: |
+      This lookup table is used to check if a sender domain is one of our own
+      domains. This check is performed after authenticated senders have been
+      accepted, and if the domain is one of our own domains, it means that
+      somebody tries to send an e-mail with our own DNS domain which is not
+      allowed. The e-mail will be rejected with a message suggesting that the
+      SMTP authentication needs to be enabled.
+    no_log: '{{ debops__no_log | d(True) }}'
+    connection: '{{ postldap__postfix_ldap_connection }}'
+    search_base: '{{ postldap__ldap_base_dn | join(",") }}'
+    query_filter: '(|
+                     (&
+                       (objectClass=dNSDomain)
+                       (|
+                         (dc=%d)
+                         (dc={{ postldap__domain_rev_pattern }})
+                       )
+                     )
+                     (&
+                       (objectClass=domainRelatedObject)
+                       ( |
+                         (associatedDomain=%d)
+                         (associatedDomain={{ postldap__domain_rev_pattern }})
+                       )
+                     )
+                   )'
+    result_attribute: 'dc, associatedDomain'
+    result_format: '550 Domain Authentication Required'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP [[[
+# --------
+
+# LDAP authentication [[[
+# ^^^^^^^^^^^^^^^^^^^^^^^
+
+# .. envvar:: postldap__ldap_enabled [[[
+#
+# In order to enable Virtual Mail support LDAP authentication needs to be enabled.
+# When enabled, `postfix` will configure mail-boxes locally and allow LDAP authenticated users to
+# send email over this instance.
+postldap__ldap_enabled: '{{ True
+                            if (ansible_local | d() and ansible_local.ldap | d() and
+                               (ansible_local.ldap.enabled | d()) | bool)
+                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, automated Postfix LDAP configuration will not be performed.
+postldap__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the Postfix service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+postldap__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# Postfix service to access the LDAP directory.
+postldap__ldap_self_rdn: 'uid=postfix'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the `postfix` service to access the LDAP directory.
+postldap__ldap_self_object_classes: [ 'account', 'simpleSecurityObject',
+                                      'authorizedServiceObject' ]
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# Postfix service to access the LDAP directory.
+postldap__ldap_self_attributes:
+  uid: '{{ postldap__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ postldap__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "Postfix" service to access the LDAP directory'
+  authorizedService: 'mail:send'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# Postfix service to bind to the LDAP directory.
+postldap__ldap_binddn: '{{ ([postldap__ldap_self_rdn]
+                            + postldap__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the Postfix service
+# to bind to the LDAP directory.
+postldap__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                   + postldap__ldap_binddn | to_uuid + ".password length=32 "
+                                   + "chars=ascii_letters,digits,!@_#$%^&*"))
+                           if postldap__ldap_enabled | bool
+                           else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the user
+# accounts stored in LDAP.
+postldap__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d("ou=People") }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_people_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the user accounts
+# used by Postfix.
+postldap__ldap_people_dn: '{{ [postldap__ldap_people_rdn]
+                              + postldap__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_uri [[[
+#
+# List of LDAP URIs that point to the directory servers which should be used by
+# `postfix virtual`.
+postldap__ldap_uri: '{{ ansible_local.ldap.uri | d([""]) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_private_subtree [[[
+#
+# When this variable is enabled, the :ref:`debops.ldap` role will create
+# separate LDAP objects that manage the Postfix groups as subtree of the
+# Postfix service LDAP object. If you set this parameter to ``False``, the
+# role will use the **global** ``ou=Groups,dc=example,dc=org`` subtree instead.
+#
+# This setting can be used to scale the Postfix server vertically.
+postldap__ldap_private_subtree: False
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the groups
+# stored in LDAP.
+postldap__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn | d("ou=Groups") }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_domains_rdn [[[
+#
+# The Relative Distinguished Name of the LDAP object which contains the (virtual mail)
+# domains stored in LDAP.
+postldap__ldap_domains_rdn: '{{ ansible_local.ldap.domains_rdn | d("ou=Domains") }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_groups_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the groups used by
+# Postfix. If private groups are enabled, this object will be created
+# automatically.
+postldap__ldap_groups_dn: '{{ ([postldap__ldap_groups_rdn, postldap__ldap_self_rdn]
+                               + postldap__ldap_device_dn)
+                              if postldap__ldap_private_subtree | bool
+                              else ([postldap__ldap_groups_rdn]
+                                    + postldap__ldap_base_dn) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_domains_dn [[[
+#
+# The Distinguished Name of the LDAP object which contains the (virtual mail) domains used by
+# Postfix. If private groups are enabled, this object will be created
+# automatically.
+postldap__ldap_domains_dn: '{{ ([postldap__ldap_domains_rdn, postldap__ldap_self_rdn]
+                                + postldap__ldap_device_dn)
+                               if postldap__ldap_private_subtree | bool
+                               else ([postldap__ldap_domains_rdn]
+                                     + postldap__ldap_base_dn) }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_default_virtual_domain_rdn [[[
+#
+# The rdn of the default virtual mail domain used by Postfix.
+# This is usually the same domain used by the LDAP.
+postldap__ldap_default_virtual_domain_rdn: '{{ ansible_domain }}'
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_default_virtual_domain_dn [[[
+#
+# The dn of the default virtual mail domain used by Postfix.
+postldap__ldap_default_virtual_domain_dn: '{{ (["dc="
+                                               + postldap__ldap_default_virtual_domain_rdn]
+                                               + postldap__ldap_domains_dn) | join(",") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP connection options [[[
+# ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+# .. envvar:: postldap__ldap_server_uri [[[
+#
+# The URI address of the LDAP server used by Postfix.
+postldap__ldap_server_uri: '{{ ansible_local.ldap.uri | d([""]) | first }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_start_tls [[[
+#
+# If ``True``, Postfix will use STARTTLS extension to make encrypted
+# connections to the LDAP server.
+postldap__ldap_start_tls: '{{ ansible_local.ldap.start_tls | d(True) | bool }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP settings [[[
+# ^^^^^^^^^^^^^^^^^
+
+# .. envvar:: postldap__ldap_default_config [[[
+#
+# The LDAP configuration options defined by default.
+postldap__ldap_default_config: []
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_config [[[
+#
+# List of custom LDAP configuration options defined for all hosts
+# in the Ansible inventory.
+postldap__ldap_config: []
+
+                                                                   # ]]]
+# .. envvar:: postldap__group_ldap_config [[[
+#
+# List of custom LDAP configuration options defined on hosts in
+# a specific Ansible inventory group.
+postldap__group_ldap_config: []
+
+                                                                   # ]]]
+# .. envvar:: postldap__host_ldap_config [[[
+#
+# List of custom LDAP configuration options defined on specific
+# hosts in the Ansible inventory.
+postldap__host_ldap_config: []
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap_combined_config [[[
+#
+# The variable that combines default and user LDAP configuration and is used in
+# the role tasks and templates.
+postldap__ldap_combined_config: '{{ postldap__ldap_default_config
+                                    + postldap__ldap_config
+                                    + postldap__group_ldap_config
+                                    + postldap__host_ldap_config }}'
+
+                                                                   # ]]]
+# .. envvar:: postldap__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+postldap__ldap__dependent_tasks:
+  - name: 'Create Postfix account for {{ postldap__ldap_device_dn | join(",") }}'
+    dn: '{{ postldap__ldap_binddn }}'
+    objectClass: '{{ postldap__ldap_self_object_classes }}'
+    attributes: '{{ postldap__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+                if (postldap__ldap_enabled | bool and
+                    postldap__ldap_device_dn | d())
+                else "ignore" }}'
+
+  - name: 'Create Postfix group container for {{ postldap__ldap_device_dn | join(",") }}'
+    dn: '{{ postldap__ldap_groups_dn }}'
+    objectClass: 'organizationalStructure'
+    attributes:
+      ou: '{{ postldap__ldap_groups_rdn.split("=")[1] }}'
+      description: 'User groups used in Postfix'
+    state: '{{ "present"
+               if (postldap__ldap_enabled | bool and
+                   postldap__ldap_device_dn | d() and
+                   postldap__ldap_private_subtree | bool)
+               else "ignore" }}'
+
+  - name: 'Create Postfix domains container for {{ postldap__ldap_device_dn | join(",") }}'
+    dn: '{{ postldap__ldap_domains_dn }}'
+    objectClass: 'organizationalStructure'
+    attributes:
+      ou: '{{ postldap__ldap_domains_rdn.split("=")[1] }}'
+      description: 'Virtual Mail Domains used in Postfix'
+    state: '{{ "present"
+               if (postldap__ldap_enabled | bool and
+                   postldap__ldap_device_dn | d() and
+                   postldap__ldap_private_subtree | bool)
+               else "ignore" }}'
+
+  - name: 'Create Postfix Default Virtual Mail Domain for {{ postldap__ldap_default_virtual_domain_dn }}'
+    dn: '{{ postldap__ldap_default_virtual_domain_dn }}'
+    objectClass: 'dNSDomain'
+    state: '{{ "present"
+               if (postldap__ldap_enabled | bool and
+                   postldap__ldap_device_dn | d() and
+                   postldap__ldap_private_subtree | bool)
+               else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postldap/meta/main.yml b/ansible_collections/debops/debops/roles/postldap/meta/main.yml
new file mode 100644
index 00000000..d1ce875b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postldap/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: "Rainer 'rei' Schuth"
+  description: 'Configure Postfix to use Virtual Mail users'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mail
+    - postfix
+    - ldap
diff --git a/ansible_collections/debops/debops/roles/postldap/tasks/main.yml b/ansible_collections/debops/debops/roles/postldap/tasks/main.yml
new file mode 100644
index 00000000..f83a5e3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postldap/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+# Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Make sure required POSIX group exist
+  ansible.builtin.group:
+    name: '{{ postldap__vmail_posix_group |
+              d(postldap__vmail_posix_user) }}'
+    state: 'present'
+    system: True
+  tags: [ 'role::postldap:user', 'role::postldap:group' ]
+
+- name: Make sure required POSIX system account exist
+  ansible.builtin.user:
+    name: '{{ postldap__vmail_posix_user }}'
+    state: 'present'
+    comment: 'Postfix Virtual Mail user'
+    group: '{{ postldap__vmail_posix_group |
+               d(postldap__vmail_posix_user) }}'
+    home: '{{ postldap__mailbox_base }}'
+    create_home: True
+    system: True
+    shell: '/usr/sbin/nologin'
+    skeleton: null
+  tags: [ 'role::postldap:user' ]
+
+- name: Create vmail home directory {{ postldap__mailbox_base }}
+  ansible.builtin.file:
+    dest: '{{ postldap__mailbox_base }}'
+    state: 'directory'
+    owner: '{{ postldap__vmail_posix_user }}'
+    group: '{{ postldap__vmail_posix_group }}'
+    mode: '0750'
+  tags: [ 'role::postldap:user' ]
+
+- name: Make sure Ansible local facts directory exists
+  ansible.builtin.file:
+    dest: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Configure PostLDAP local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postldap.fact.j2'
+    dest: '/etc/ansible/facts.d/postldap.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/postldap/templates/etc/ansible/facts.d/postldap.fact.j2 b/ansible_collections/debops/debops/roles/postldap/templates/etc/ansible/facts.d/postldap.fact.j2
new file mode 100644
index 00000000..b3609115
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postldap/templates/etc/ansible/facts.d/postldap.fact.j2
@@ -0,0 +1,33 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Rainer 'rei' Schuth <devel@reixd.net>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from pwd import getpwall
+from grp import getgrall
+
+output = loads('''{{ {"installed": True,
+                      "vmail_posix_user":  postldap__vmail_posix_user,
+                      "vmail_posix_group": postldap__vmail_posix_group,
+                      "mailbox_base":      postldap__mailbox_base
+                     } | to_nice_json }}''')
+
+unix_accounts = getpwall()
+
+for account in unix_accounts:
+    if account.pw_name == output['vmail_posix_user']:
+        output['vmail_posix_uidnumber'] = account.pw_uid
+
+unix_groups = getgrall()
+
+for group in unix_groups:
+    if group.gr_name == output['vmail_posix_group']:
+        output['vmail_posix_gidnumber'] = group.gr_gid
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/postscreen/COPYRIGHT b/ansible_collections/debops/debops/roles/postscreen/COPYRIGHT
new file mode 100644
index 00000000..4434b7c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postscreen - Manage Postscreen Postfix service using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postscreen/defaults/main.yml b/ansible_collections/debops/debops/roles/postscreen/defaults/main.yml
new file mode 100644
index 00000000..65dd9e17
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/defaults/main.yml
@@ -0,0 +1,311 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postscreen__ref_defaults:
+
+# debops.postscreen default variables [[[
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: postscreen__deploy_state [[[
+#
+# Specify if the Postscreen service should be enabled (``present``) or disabled
+# (``absent``) on a given host.
+postscreen__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postscreen static whitelist/blacklist [[[
+# -----------------------------------------
+
+# These lists contain IP addresses or CIDR subnets which should be statically
+# whitelisted or blacklisted by the Postscreen service. By default specified
+# entries are whitelisted. See :ref:`postscreen__ref_access` for more details.
+
+# .. envvar:: postscreen__access [[[
+#
+# List of whitelist/blacklist entries that should be present on all hosts in
+# the Ansible inventory.
+postscreen__access: []
+
+                                                                   # ]]]
+# .. envvar:: postscreen__group_access [[[
+#
+# List of whitelist/blacklist entries that should be present on hosts in
+# specific Ansible inventory group.
+postscreen__group_access: []
+
+                                                                   # ]]]
+# .. envvar:: postscreen__host_access [[[
+#
+# List of whitelist/blacklist entries that should be present on specific hosts
+# in the Ansible inventory.
+postscreen__host_access: []
+
+                                                                   # ]]]
+# .. envvar:: postscreen__combined_access [[[
+#
+# Combined list of all whitelist/blacklist entries used in the configuration
+# template.
+postscreen__combined_access: '{{ postscreen__access
+                                 + postscreen__group_access
+                                 + postscreen__host_access }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# DNS blacklist/whitelist [[[
+# ---------------------------
+
+# .. envvar:: postscreen__dnsbl_enabled [[[
+#
+# Enable or disable use of DNS Blacklists by Postscreen to check incoming
+# client IP addresses. The DNS Blacklists will be automatically enabled on
+# hosts with public IP addresses.
+postscreen__dnsbl_enabled: '{{ True
+                               if ((ansible_all_ipv4_addresses | d([])
+                                    + ansible_all_ipv6_addresses | d([]))
+                                   | ansible.utils.ipaddr("public"))
+                               else False }}'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__dnsbl_providers [[[
+#
+# Simple list of DNSBL providers, useful to easily enable or disable specific
+# providers as needed. Some providers are not enabled by default due to issues
+# encountered during testing.
+postscreen__dnsbl_providers:
+  - 'spamhaus'
+  #- 'barracuda'
+  - 'cbl'
+  #- 'spameatingmonkey'
+  - 'spamcop'
+  #- 'psbl'
+  - 'mailspike'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__dnsbl_sites [[[
+#
+# List of DNS Blacklists used by Postscreen.
+# See http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites for more
+# details.
+postscreen__dnsbl_sites:
+
+  # Spamhaus ZEN: https://www.spamhaus.org/zen/
+  # Might require registration.
+  - name: 'zen.spamhaus.org*3'
+    state: '{{ "present"
+               if "spamhaus" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # Barracuda Reputation Block List: http://barracudacentral.org/rbl
+  # Requires registration.
+  - name: 'b.barracudacentral.org*2'
+    state: '{{ "present"
+               if "barracuda" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # Composite Blocking List: https://www.abuseat.org/
+  - name: 'cbl.abuseat.org*2'
+    state: '{{ "present"
+               if "cbl" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # Spam Eating Monkey: http://spameatingmonkey.com/lists.html
+  # Might require registration.
+  - name: 'bl.spameatingmonkey.net*2'
+    state: '{{ "present"
+               if "spameatingmonkey" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  - name: 'backscatter.spameatingmonkey.net*2'
+    state: '{{ "present"
+               if "spameatingmonkey" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # SpamCop Blocking List: https://www.spamcop.net/bl.shtml
+  - name: 'bl.spamcop.net'
+    state: '{{ "present"
+               if "spamcop" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # Passive Spam Block List: http://psbl.org/
+  - name: 'psbl.surriel.com'
+    state: '{{ "present"
+               if "psbl" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+  # mailspike: http://mailspike.net/usage.html
+  # Might require contact.
+  - name: 'bl.mailspike.net'
+    state: '{{ "present"
+               if "mailspike" in postscreen__dnsbl_providers
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__dnsbl_wl_sites [[[
+#
+# List of DNS Whitelists used by Postscreen.
+# See http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites for more
+# details.
+postscreen__dnsbl_wl_sites:
+
+  # SpamHaus Whitelist: http://www.spamhauswhitelist.com/en/usage.html
+  # Might require registration. Currently not active.
+  #- 'swl.spamhaus.org*-4'
+
+  # DNS Whitelist: https://dnswl.org/tech
+  # Might require registration.
+  - 'list.dnswl.org=127.[0..255].[0..255].0*-2'
+  - 'list.dnswl.org=127.[0..255].[0..255].1*-3'
+  - 'list.dnswl.org=127.[0..255].[0..255].[2..255]*-4'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__dnsbl_reply_pcre_map [[[
+#
+# List of PCRE regular expressions which are used to match the DNS Blacklist
+# responses and send modified responses to the SMTP clients.
+# See :ref:`postscreen__ref_dnsbl_reply_pcre_map` for more details.
+postscreen__dnsbl_reply_pcre_map:
+  - '/^zen\.spamhaus\.org$/'
+  - '/^b\.barracudacentral\.org$/'
+  - '/^bl\.spameatingmonkey\.net$/'
+  - '/^backscatter\.spameatingmonkey\.net$/'
+  - '/^bl\.spamcop\.net$/'
+  - '/^psbl\.surriel\.com$/'
+  - '/^bl\.mailspike\.net$/'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__dnsbl_default_reply [[[
+#
+# The default reply used if none was configured for a specific DNS Blacklist.
+postscreen__dnsbl_default_reply: 'blocked by RBL, see http://multirbl.valli.org/'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: postscreen__postfix__dependent_packages [[[
+#
+# List of APT packages to install by the :ref:`debops.postfix` Ansible role.
+postscreen__postfix__dependent_packages:
+  - 'postfix-pcre'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration for the :ref:`debops.postfix` Ansible role.
+postscreen__postfix__dependent_maincf:
+
+  - name: 'postscreen_blacklist_action'
+    value: 'drop'
+    state: 'present'
+
+  - name: 'postscreen_greet_action'
+    value: 'enforce'
+    state: 'present'
+
+  - name: 'postscreen_dnsbl_action'
+    value: 'enforce'
+    state: 'present'
+
+  - name: 'postscreen_access_list'
+    value:
+      - 'permit_mynetworks'
+      - 'cidr:${config_directory}/postscreen_access.cidr'
+    state: 'present'
+
+  - name: 'postscreen_dnsbl_sites'
+    value: '{{ postscreen__dnsbl_sites + postscreen__dnsbl_wl_sites }}'
+    state: '{{ "present"
+               if postscreen__dnsbl_enabled | bool
+               else "comment" }}'
+
+  - name: 'postscreen_dnsbl_reply_map'
+    value: [ 'pcre:${config_directory}/postscreen_dnsbl_reply_map.pcre' ]
+    state: '{{ "present"
+               if postscreen__dnsbl_enabled | bool
+               else "comment" }}'
+
+  - name: 'postscreen_dnsbl_threshold'
+    value: 3
+    state: '{{ "present"
+               if postscreen__dnsbl_enabled | bool
+               else "comment" }}'
+
+  - name: 'postscreen_dnsbl_whitelist_threshold'
+    value: -1
+    state: '{{ "present"
+               if postscreen__dnsbl_enabled | bool
+               else "comment" }}'
+
+  - name: 'postscreen_whitelist_interfaces'
+    value: [ 'static:all' ]
+    state: 'present'
+
+  - name: 'postscreen_pipelining_enable'
+    value: True
+    state: 'present'
+
+  - name: 'postscreen_pipelining_action'
+    value: 'enforce'
+    state: 'present'
+
+  - name: 'postscreen_non_smtp_command_enable'
+    value: True
+    state: 'present'
+
+  - name: 'postscreen_non_smtp_command_action'
+    value: 'drop'
+    state: 'present'
+
+  - name: 'postscreen_bare_newline_enable'
+    value: True
+    state: 'present'
+
+  - name: 'postscreen_bare_newline_action'
+    value: 'ignore'
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: postscreen__postfix__dependent_mastercf [[[
+#
+# The :file:`master.cf` configuration for the :ref:`debops.postfix` Ansible role.
+postscreen__postfix__dependent_mastercf:
+
+  - name: 'smtp'
+    state: '{{ "comment"
+               if (postscreen__deploy_state == "present")
+               else "ignore" }}'
+
+  - name: 'postscreen'
+    state: '{{ "present"
+               if (postscreen__deploy_state == "present")
+               else "ignore" }}'
+
+  - name: 'smtpd'
+    state: '{{ "present"
+               if (postscreen__deploy_state == "present")
+               else "ignore" }}'
+
+  - name: 'dnsblog'
+    state: '{{ "present"
+               if (postscreen__deploy_state == "present")
+               else "ignore" }}'
+
+  - name: 'tlsproxy'
+    state: '{{ "present"
+               if (postscreen__deploy_state == "present")
+               else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postscreen/meta/main.yml b/ansible_collections/debops/debops/roles/postscreen/meta/main.yml
new file mode 100644
index 00000000..17d2093d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Postscreen Postfix service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smtp
+    - antispam
diff --git a/ansible_collections/debops/debops/roles/postscreen/tasks/main.yml b/ansible_collections/debops/debops/roles/postscreen/tasks/main.yml
new file mode 100644
index 00000000..b672d6ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Generate Postscreen configuration files
+  ansible.builtin.template:
+    src: 'etc/postfix/{{ item }}.j2'
+    dest: '/etc/postfix/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'postscreen_access.cidr'
+    - 'postscreen_dnsbl_reply_map.pcre'
+  notify: [ 'Check postfix and reload' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Postscreen local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postscreen.fact.j2'
+    dest: '/etc/ansible/facts.d/postscreen.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/postscreen/templates/etc/ansible/facts.d/postscreen.fact.j2 b/ansible_collections/debops/debops/roles/postscreen/templates/etc/ansible/facts.d/postscreen.fact.j2
new file mode 100644
index 00000000..ea62644f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/templates/etc/ansible/facts.d/postscreen.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_access.cidr.j2 b/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_access.cidr.j2
new file mode 100644
index 00000000..9a426f40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_access.cidr.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# CIDR table of hosts/subnets blacklisted or whitelisted in postscreen service.
+#
+# Documentation: http://www.postfix.org/POSTSCREEN_README.html#perm_white_black
+# Documentation: http://www.postfix.org/postconf.5.html#postscreen_access_list
+
+{% set default_action = 'permit' %}
+{% for element in postscreen__combined_access %}
+{%   if element.state | d('present') != 'absent' %}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='\n', postfix='') -}}
+{%     endif %}
+{{ "{:<32} {}".format(element.cidr | d(element.name | d(element)), element.action | d(element.value | d(default_action))) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_dnsbl_reply_map.pcre.j2 b/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_dnsbl_reply_map.pcre.j2
new file mode 100644
index 00000000..84c32dbc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postscreen/templates/etc/postfix/postscreen_dnsbl_reply_map.pcre.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# PCRE table which is used to define the responses sent to the clients when
+# their messages are blocked by a DNS Block List.
+#
+# Documentation: http://www.postfix.org/POSTSCREEN_README.html#dnsbl
+# Documentation: http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map
+
+{% for element in postscreen__dnsbl_reply_pcre_map %}
+{%   if element.state | d('present') != 'absent' %}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='\n', postfix='') -}}
+{%     endif %}
+{{ "{:<50} {}".format(element.pcre | d(element.name | d(element)), element.reply | d(element.value | d(postscreen__dnsbl_default_reply))) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/postwhite/COPYRIGHT b/ansible_collections/debops/debops/roles/postwhite/COPYRIGHT
new file mode 100644
index 00000000..05014349
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.postwhite - Manage Postscreen SPF Whitelist using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/postwhite/defaults/main.yml b/ansible_collections/debops/debops/roles/postwhite/defaults/main.yml
new file mode 100644
index 00000000..0c8b76ef
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/defaults/main.yml
@@ -0,0 +1,242 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _postwhite__ref_defaults:
+
+# debops.postwhite default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Application environment [[[
+# ---------------------------
+
+# .. envvar:: postwhite__base_packages [[[
+#
+# List of base APT packages required by Postwhite.
+postwhite__base_packages: [ 'curl' ]
+
+                                                                   # ]]]
+# .. envvar:: postwhite__packages [[[
+#
+# List of additional APT packages to install with Postwhite.
+postwhite__packages: []
+
+                                                                   # ]]]
+# .. envvar:: postwhite__user [[[
+#
+# The UNIX system account which will be used to manage the whitelist.
+postwhite__user: 'postwhite'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__group [[[
+#
+# The UNIX system group which will be used to manage the whitelist.
+postwhite__group: 'postwhite'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__shell [[[
+#
+# The default shell of the UNIX system account.
+postwhite__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__gecos [[[
+#
+# The GECOS field of the UNIX system account.
+postwhite__gecos: 'Postscreen SPF Whitelist'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__home [[[
+#
+# The home directory of the UNIX system account.
+postwhite__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                     + "/" + postwhite__user }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Software stack [[[
+# ------------------
+
+# .. envvar:: postwhite__src [[[
+#
+# Base directory where the Postwhite and spf-tools source code will be cloned.
+postwhite__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                    + "/" + postwhite__user }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__spftools_git_repo [[[
+#
+# The URL of the 'spf-tools' git repository.
+postwhite__spftools_git_repo: 'https://github.com/jsarenik/spf-tools'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__spftools_git_version [[[
+#
+# The 'spf-tools' git branch/tag to check out.
+postwhite__spftools_git_version: 'master'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__spftools_git_dest [[[
+#
+# Directory where 'spf-tools' repository will be checked out.
+postwhite__spftools_git_dest: '{{ postwhite__src + "/"
+                                  + postwhite__spftools_git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__git_repo [[[
+#
+# The URL of the 'postwhite' git repository.
+postwhite__git_repo: 'https://github.com/stevejenkins/postwhite'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__git_version [[[
+#
+# The 'postwhite' git branch/tag to check out.
+postwhite__git_version: 'master'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__git_dest [[[
+#
+# Directory where 'postwhite' repository will be checked out.
+postwhite__git_dest: '{{ postwhite__src + "/"
+                         + postwhite__git_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__software_stack [[[
+#
+# Map of the required git repositories to clone, passed to the role tasks.
+postwhite__software_stack:
+
+  - git_repo:    '{{ postwhite__spftools_git_repo }}'
+    git_dest:    '{{ postwhite__spftools_git_dest }}'
+    git_version: '{{ postwhite__spftools_git_version }}'
+
+  - git_repo:    '{{ postwhite__git_repo }}'
+    git_dest:    '{{ postwhite__git_dest }}'
+    git_version: '{{ postwhite__git_version }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Postwhite configuration options [[[
+# -----------------------------------
+
+# .. envvar:: postwhite__spf_whitelist_path [[[
+#
+# Absolute path to the SPF whitelist file.
+postwhite__spf_whitelist_path: '{{ postwhite__home + "/postscreen_spf_whitelist.cidr" }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__spf_blacklist_path [[[
+#
+# Absolute path to the SPF blacklist file.
+postwhite__spf_blacklist_path: '{{ postwhite__home + "/postscreen_spf_blacklist.cidr" }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__whitelist_hosts [[[
+#
+# List of additional hosts or domains to add to the whitelist in addition to
+# the list predefined by Postwhite.
+postwhite__whitelist_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: postwhite__include_yahoo [[[
+#
+# Enable or disable inclusion of the custom list of Yahoo! mail servers.
+postwhite__include_yahoo: True
+
+                                                                   # ]]]
+# .. envvar:: postwhite__blacklist [[[
+#
+# If enabled, :command:`postwhite` will generate an additional file with
+# blacklisted SMTP servers.
+postwhite__blacklist: '{{ True if postwhite__blacklist_hosts | d() else False }}'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__blacklist_hosts [[[
+#
+# List of DNS domain names which will be added to the blacklist.
+postwhite__blacklist_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: postwhite__invalid_ipv4 [[[
+#
+# Specify what Postwhite should do with invalid IPv4 addresses (see Postwhite
+# documentation for details). Possible values: ``remove``, ``keep``, ``fix``.
+postwhite__invalid_ipv4: 'remove'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__simplify [[[
+#
+# if enabled, Postwhite will remove the single IP addresses included in
+# a bigger CIDR ranges, however this might slow down whitelist generation.
+postwhite__simplify: False
+
+                                                                   # ]]]
+# .. envvar:: postwhite__reload_postfix [[[
+#
+# Enable or disable automatic reload of Postfix after the script is finished.
+# In DebOps this should be disabled, Postfix is reloaded independently by the
+# wrapper script.
+postwhite__reload_postfix: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Other options [[[
+# -----------------
+
+# .. envvar:: postwhite__cron_whitelist_update_frequency [[[
+#
+# Specify the frequency (``hourly``, ``daily``, ``weekly``) of the whitelist
+# update job.
+postwhite__cron_whitelist_update_frequency: 'daily'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__cron_yahoo_update_frequency [[[
+#
+# Specify the frequency (``hourly``, ``daily``, ``weekly``) of the Yahoo!
+# address list update job.
+postwhite__cron_yahoo_update_frequency: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: postwhite__initial_update_method [[[
+#
+# Select the method which will be used to update the whitelist in the
+# background after the role configures Postwhite:
+#
+# - ``async``: use Ansible ``async`` task execution method
+#
+# - ``batch``: use :command:`batch` command managed by :command:`at` service
+#
+postwhite__initial_update_method: '{{ "batch"
+                                     if (ansible_local | d() and ansible_local.atd | d() and
+                                         (ansible_local.atd.enabled | d()) | bool)
+                                     else "async" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: postwhite__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration for the :ref:`debops.postfix` Ansible role.
+postwhite__postfix__dependent_maincf:
+
+  - name: 'postscreen_access_list'
+    state: 'append'
+    value:
+      - name: 'cidr:{{ postwhite__spf_whitelist_path }}'
+        state: 'present'
+        weight: 100
+
+      - name: 'cidr:{{ postwhite__spf_blacklist_path }}'
+        weight: 110
+        state: '{{ "present" if postwhite__blacklist | bool else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/postwhite/handlers/main.yml b/ansible_collections/debops/debops/roles/postwhite/handlers/main.yml
new file mode 100644
index 00000000..85379a9a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/handlers/main.yml
@@ -0,0 +1,22 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Update Postwhite in the background using async
+  ansible.builtin.command: /usr/local/lib/postwhite
+  async: '1800'
+  poll: '0'
+  register: postwhite__register_async
+  changed_when: postwhite__register_async.changed | bool
+  when: postwhite__initial_update_method == 'async'
+
+- name: Update Postwhite in the background using batch
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    echo '/usr/local/lib/postwhite' | batch > /dev/null 2>&1
+  args:
+    executable: 'bash'
+  register: postwhite__register_batch
+  changed_when: postwhite__register_batch.changed | bool
+  when: postwhite__initial_update_method == 'batch'
diff --git a/ansible_collections/debops/debops/roles/postwhite/meta/main.yml b/ansible_collections/debops/debops/roles/postwhite/meta/main.yml
new file mode 100644
index 00000000..2b19bce6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Postwhite, Postscreen SPF Whitelist Generator'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smtp
+    - postscreen
+    - spf
+    - antispam
diff --git a/ansible_collections/debops/debops/roles/postwhite/tasks/main.yml b/ansible_collections/debops/debops/roles/postwhite/tasks/main.yml
new file mode 100644
index 00000000..4a660e12
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/tasks/main.yml
@@ -0,0 +1,134 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (postwhite__base_packages
+                              + postwhite__packages)) }}'
+    state: 'present'
+  register: postwhite__register_packages
+  until: postwhite__register_packages is succeeded
+
+- name: Create the UNIX system group
+  ansible.builtin.group:
+    name: '{{ postwhite__group }}'
+    state: 'present'
+    system: True
+
+- name: Create the UNIX system account
+  ansible.builtin.user:
+    name: '{{ postwhite__user }}'
+    group: '{{ postwhite__group }}'
+    home: '{{ postwhite__home }}'
+    comment: '{{ postwhite__gecos }}'
+    shell: '{{ postwhite__shell }}'
+    state: 'present'
+    system: True
+
+- name: Create the source directory
+  ansible.builtin.file:
+    path: '{{ postwhite__src }}'
+    state: 'directory'
+    owner: '{{ postwhite__user }}'
+    group: '{{ postwhite__group }}'
+    mode: '0755'
+
+- name: Clone and install the software stack
+  ansible.builtin.git:
+    repo: '{{ item.git_repo }}'
+    dest: '{{ item.git_dest }}'
+    version: '{{ item.git_version }}'
+    update: True
+  with_items: '{{ postwhite__software_stack }}'
+  become: True
+  become_user: '{{ postwhite__user }}'
+
+- name: Generate Postwhite configuration
+  ansible.builtin.template:
+    src: 'etc/postwhite.conf.j2'
+    dest: '/etc/postwhite.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Install the Postwhite wrapper script
+  ansible.builtin.template:
+    src: 'usr/local/lib/postwhite.j2'
+    dest: '/usr/local/lib/postwhite'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Update Yahoo! static host list
+  ansible.builtin.command: bash {{ postwhite__git_dest }}/scrape_yahoo
+  become: True
+  become_user: '{{ postwhite__user }}'
+  notify:
+    - 'Update Postwhite in the background using async'
+    - 'Update Postwhite in the background using batch'
+  register: postwhite__register_scrape_yahoo
+  changed_when: postwhite__register_scrape_yahoo.changed | bool
+  when: (ansible_local is undefined or
+         (ansible_local | d() and ansible_local.postwhite is undefined or
+          (ansible_local.postwhite | d() and
+           not (ansible_local.postwhite.installed | d()) | bool)))
+
+- name: Initialize whitelist/blacklist files
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'touch'
+    owner: '{{ postwhite__user }}'
+    group: '{{ postwhite__group }}'
+    mode: '0644'
+  with_items:
+    - '{{ postwhite__spf_whitelist_path }}'
+    - '{{ postwhite__spf_blacklist_path }}'
+  when: (ansible_local is undefined or
+         (ansible_local | d() and ansible_local.postwhite is undefined or
+          (ansible_local.postwhite | d() and
+           not (ansible_local.postwhite.installed | d()) | bool)))
+
+- name: Update Postwhite access lists daily
+  ansible.builtin.cron:
+    job: '/usr/local/lib/postwhite'
+    cron_file: 'postwhite'
+    name: 'Update Postwhite access lists'
+    special_time: '{{ postwhite__cron_whitelist_update_frequency }}'
+    user: 'root'
+    state: 'present'
+
+- name: Update Yahoo IP address list weekly
+  ansible.builtin.cron:
+    job: 'bash {{ postwhite__git_dest + "/scrape_yahoo" }} > /dev/null'
+    cron_file: 'postwhite'
+    name: 'Update Yahoo IP address list'
+    special_time: '{{ postwhite__cron_yahoo_update_frequency }}'
+    user: 'postwhite'
+    state: 'present'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Postwhite local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/postwhite.fact.j2'
+    dest: '/etc/ansible/facts.d/postwhite.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/postwhite/templates/etc/ansible/facts.d/postwhite.fact.j2 b/ansible_collections/debops/debops/roles/postwhite/templates/etc/ansible/facts.d/postwhite.fact.j2
new file mode 100644
index 00000000..ea62644f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/templates/etc/ansible/facts.d/postwhite.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/postwhite/templates/etc/postwhite.conf.j2 b/ansible_collections/debops/debops/roles/postwhite/templates/etc/postwhite.conf.j2
new file mode 100644
index 00000000..476b8089
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/templates/etc/postwhite.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# CONFIGURATION OPTIONS FOR POSTWHITE
+# https://github.com/stevejenkins/postwhite
+# POSTWHITE WILL LOOK FOR THIS FILE IN /etc/postwhite.conf
+
+# FILE PATHS
+spftoolspath="{{ postwhite__spftools_git_dest }}"
+postfixpath="{{ postwhite__home }}"
+postfixbinarypath="/usr/sbin"
+whitelist="{{ postwhite__spf_whitelist_path | basename }}"
+blacklist="{{ postwhite__spf_blacklist_path | basename }}"
+yahoo_static_hosts="{{ postwhite__home }}/yahoo_static_hosts.txt"
+
+# CUSTOM HOSTS
+# Enter custom hosts separated by a space, ex: "example.com example2.com example3.com"
+custom_hosts="{{ ([ postwhite__whitelist_hosts ] if postwhite__whitelist_hosts is string else postwhite__whitelist_hosts) | join(' ') }}"
+
+# Include list of Yahoo Outbound IPs from https://help.yahoo.com/kb/SLN23997.html?
+include_yahoo="{{ 'yes' if postwhite__include_yahoo | bool else 'no' }}"
+
+# Do you also want to build a blacklist?
+enable_blacklist="{{ 'yes' if postwhite__blacklist | bool else 'no' }}"
+blacklist_hosts="{{ ([ postwhite__blacklist_hosts ] if postwhite__blacklist_hosts is string else postwhite__blacklist_hosts) | join(' ') }}"
+
+# Do what to invalid IPv4 addresses and CIDRs?
+# Valid settings are 'remove' 'fix' or 'keep'
+invalid_ip4="{{ postwhite__invalid_ipv4 }}"
+
+# Simplify (remove) IP addresses from the whitelist that are already covered by CIDRs?
+# WARNING: Enabling this option can dramatically increase the time Postwhite takes to
+# run if you have many mailers selected. Try it once, then come back and turn it off. :)
+simplify="{{ 'yes' if postwhite__simplify | bool else 'no' }}"
+
+# Reload Postfix Automatically when done?
+reload_postfix="{{ 'yes' if postwhite__reload_postfix | bool else 'no' }}"
diff --git a/ansible_collections/debops/debops/roles/postwhite/templates/usr/local/lib/postwhite.j2 b/ansible_collections/debops/debops/roles/postwhite/templates/usr/local/lib/postwhite.j2
new file mode 100644
index 00000000..2a483c5d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/postwhite/templates/usr/local/lib/postwhite.j2
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# This is a wrapper script for Postwhite, a Postscreen SPF Whitelist Generator
+
+set -o nounset -o pipefail -o errexit
+
+
+readonly POSTWHITE_SCRIPT="{{ postwhite__git_dest }}/postwhite"
+readonly POSTWHITE_USER="{{ postwhite__user }}"
+readonly LOCK_FILE="/run/lock/postwhite.lock"
+readonly LOCK_FD="200"
+
+acquire_lock () {
+    local fd="${LOCK_FD}"
+    local lock_file="${LOCK_FILE}"
+
+    # Create lock file
+    eval "exec ${fd}>${lock_file}"
+
+    # Acquire lock
+    if flock -n "${fd}" ; then
+        trap "clean_up" EXIT
+        return 0
+    else
+        return 1
+    fi
+}
+
+clean_up () {
+    if [ -n "${LOCK_FILE}" ] && [ -r "${LOCK_FILE}" ] ; then
+        rm -f "${LOCK_FILE}"
+    fi
+
+    exit 0
+}
+
+error_exit () {
+    local message="${*}"
+
+    printf "Error: %s\\n" "${message}"
+    exit 1
+}
+
+update_access_list () {
+    if [ -x "${POSTWHITE_SCRIPT}" ] ; then
+        if tty -s > /dev/null 2>&1 ; then
+            su --shell /bin/sh -c "umask 0022 ; nice ${POSTWHITE_SCRIPT}" "${POSTWHITE_USER}"
+            if [ -x "/usr/sbin/postfix" ] ; then
+                /usr/sbin/postfix reload
+            fi
+        else
+            su --shell /bin/sh -c "umask 0022 ; nice ${POSTWHITE_SCRIPT} > /dev/null 2>&1" "${POSTWHITE_USER}"
+            if [ -x "/usr/sbin/postfix" ] ; then
+                /usr/sbin/postfix reload > /dev/null 2>&1
+            fi
+        fi
+    fi
+}
+
+main () {
+    acquire_lock || error_exit "Cannot acquire lock on \"${LOCK_FILE}\""
+    update_access_list
+}
+
+main
diff --git a/ansible_collections/debops/debops/roles/preseed/COPYRIGHT b/ansible_collections/debops/debops/roles/preseed/COPYRIGHT
new file mode 100644
index 00000000..5b697d1d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.preseed - Manage Debian Preseeding configuration with Ansible
+
+Copyright (C) 2015-2021 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/preseed/defaults/main.yml b/ansible_collections/debops/debops/roles/preseed/defaults/main.yml
new file mode 100644
index 00000000..e8668265
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/defaults/main.yml
@@ -0,0 +1,1462 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _preseed__ref_defaults:
+
+# debops.preseed default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Preseed server configuration [[[
+# --------------------------------
+
+# .. envvar:: preseed__subdomain [[[
+#
+# Name of the subdomain which will be used to serve Preseed files.
+preseed__subdomain: 'seed'
+
+                                                                   # ]]]
+# .. envvar:: preseed__base_domain [[[
+#
+# Full base domain on which the Preseed files are located, required for download of
+# postinst scripts.
+preseed__base_domain: '{{ preseed__subdomain + "." + ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: preseed__domains [[[
+#
+# A set of domains configured in the :command:`nginx` server that serves the
+# Preseed files. First element of the list should be a "normal" domain, the
+# rest are regular expressions which look up correct subdirectories to serve
+# files.
+preseed__domains:
+  - '{{ preseed__base_domain }}'
+  - '{{ preseed__base_domain | split(".") | first }}'
+  - '{{ "~^(?<preseed>.+)\." + preseed__base_domain | replace(".", "\.") + "$" }}'
+  - '{{ "~^(?<preseed>.+)\." + ansible_domain | replace(".", "\.") + "$" }}'
+  - '{{ "~^(?<preseed>.+)\." + preseed__subdomain | replace(".", "\.") + "$" }}'
+  - '{{ "~^(?<preseed>.+)$" }}'
+
+                                                                   # ]]]
+# .. envvar:: preseed__www [[[
+#
+# Path to main directory where Preseed files are served from.
+preseed__www: '{{ (ansible_local.fhs.www | d("/srv/www"))
+                  + "/sites/debian-preseed/public" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Preseed post-install configuration [[[
+# --------------------------------------
+
+# .. envvar:: preseed__root_sshkeys [[[
+#
+# List of SSH public keys installed on the ``root`` UNIX account of the
+# preseeded host.
+preseed__root_sshkeys: [ '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || cat ~/.ssh/authorized_keys || true") }}' ]  # noqa jinja[spacing]
+
+                                                                   # ]]]
+# .. envvar:: preseed__admin_name [[[
+#
+# Name of the administrative UNIX account which will be created on selected
+# Preseed flavors and given full :command:`sudo` access.
+preseed__admin_name: 'ansible'
+
+                                                                   # ]]]
+# .. envvar:: preseed__admin_fullname [[[
+#
+# The administrative account GECOS information which will be set in
+# :file:`/etc/passwd` database.
+preseed__admin_fullname: 'Ansible Control User'
+
+                                                                   # ]]]
+# .. envvar:: preseed__admin_sshkeys [[[
+#
+# List of SSH public keys installed on the administrative UNIX account of the
+# preseeded host.
+preseed__admin_sshkeys: [ '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || cat ~/.ssh/authorized_keys || true") }}' ]  # noqa jinja[spacing]
+
+                                                                   # ]]]
+# .. envvar:: preseed__debian_postinst_commands [[[
+#
+# YAML text block which can contain a set of simple Bash commands, executed at
+# the end of the postinst script. Commands are executed one at a time.
+preseed__debian_postinst_commands: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Preseed base template configuration [[[
+# ---------------------------------------
+
+# .. envvar:: preseed__debian_packages [[[
+#
+# List of APT packages to install on the preseeded host, included in all
+# Preseed flavors using the ``pkgsel/include`` Preseed option.
+preseed__debian_packages: [ 'python3', 'python3-apt', 'python3-pip',
+                            'python3-debian', 'lsb-release', 'git', 'curl' ]
+
+                                                                   # ]]]
+# .. envvar:: preseed__debian_kernel_arguments [[[
+#
+# List of additional Linux kernel arguments which should be added to
+# :command:`grub` during installation on all Preseed flavors, using the
+# ``debian-installer/add-kernel-opts`` Preseed option.
+#
+# The default set of arguments enables memory and swap cgroup accounting,
+# useful in containerization and process management.
+preseed__debian_kernel_arguments:
+  - 'cgroup_enable=memory'
+  - 'swapaccount=1'
+
+                                                                   # ]]]
+# .. envvar:: preseed__debian_password_length [[[
+#
+# Length of the UNIX account passwords generated by Ansible.
+preseed__debian_password_length: '32'
+
+                                                                   # ]]]
+# .. envvar:: preseed__debian_root_password [[[
+#
+# The :man:`crypt(3)` hash of the ``root`` UNIX account password generated by
+# Ansible and saved in the :file:`secret/` directory, managed by the
+# :ref:`debops.secret` Ansible role. The hash will be stored in the generated
+# Preseed configuration files and will be readable by the public via the
+# webserver.
+preseed__debian_root_password: "{{ lookup('password', secret + '/credentials/' + inventory_hostname
+                                          + '/preseed/debian/root/password '
+                                          + 'encrypt=sha512_crypt length=' + preseed__debian_password_length) }}"
+
+                                                                   # ]]]
+# .. envvar:: preseed__debian_admin_password [[[
+#
+# The :man:`crypt(3)` hash of the administrative UNIX account password
+# generated by Ansible and saved in the :file:`secret/` directory, managed by
+# the :ref:`debops.secret` Ansible role. The hash will be stored in the
+# generated Preseed configuration files and will be readable by the public via
+# the webserver.
+preseed__debian_admin_password: "{{ lookup('password', secret + '/credentials/' + inventory_hostname
+                                           + '/preseed/debian/' + preseed__admin_name + '/password '
+                                           + 'encrypt=sha512_crypt length=' + preseed__debian_password_length) }}"
+                                                                   # ]]]
+                                                                   # ]]]
+# Preseed definitions [[[
+# -----------------------
+
+# These lists define what :file:`preseed.cfg` configuration files and
+# :file:`postinst.sh` scripts will be generated by the role, as well as what
+# will be their contents. See :ref:`preseed__ref_definitions` for more details.
+
+# .. envvar:: preseed__default_definitions [[[
+#
+# List of Preseed definitions created by default by the role.
+preseed__default_definitions:
+
+  - name: 'debian-stretch'
+    flavor: 'debian'
+    release: 'stretch'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_enable_nonfree }}'
+
+  - name: 'debian-buster'
+    flavor: 'debian'
+    release: 'buster'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_enable_nonfree }}'
+
+  - name: 'debian-bullseye'
+    flavor: 'debian'
+    release: 'bullseye'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_enable_nonfree }}'
+
+  - name: 'debian-bookworm'
+    flavor: 'debian'
+    release: 'bookworm'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_enable_nonfree }}'
+
+  - name: 'debian-trixie'
+    flavor: 'debian'
+    release: 'trixie'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_enable_nonfree }}'
+
+  - name: 'debian-stretch-user'
+    flavor: 'debian-user'
+    release: 'stretch'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_ansible_user
+                 + preseed__options_enable_nonfree }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-buster-user'
+    flavor: 'debian-user'
+    release: 'buster'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_ansible_user
+                 + preseed__options_enable_nonfree }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-bullseye-user'
+    flavor: 'debian-user'
+    release: 'bullseye'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_ansible_user
+                 + preseed__options_enable_nonfree }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-bookworm-user'
+    flavor: 'debian-user'
+    release: 'bookworm'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_ansible_user
+                 + preseed__options_enable_nonfree }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-trixie-user'
+    flavor: 'debian-user'
+    release: 'trixie'
+    options: '{{ preseed__options_interactive_partman
+                 + preseed__options_ansible_user
+                 + preseed__options_enable_nonfree }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-stretch-vm'
+    flavor: 'debian-vm'
+    release: 'stretch'
+
+  - name: 'debian-buster-vm'
+    flavor: 'debian-vm'
+    release: 'buster'
+
+  - name: 'debian-bullseye-vm'
+    flavor: 'debian-vm'
+    release: 'bullseye'
+
+  - name: 'debian-bookworm-vm'
+    flavor: 'debian-vm'
+    release: 'bookworm'
+
+  - name: 'debian-trixie-vm'
+    flavor: 'debian-vm'
+    release: 'trixie'
+
+  - name: 'debian-stretch-vm-user'
+    flavor: 'debian-vm-user'
+    release: 'stretch'
+    options: '{{ preseed__options_ansible_user }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-buster-vm-user'
+    flavor: 'debian-vm-user'
+    release: 'buster'
+    options: '{{ preseed__options_ansible_user }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-bullseye-vm-user'
+    flavor: 'debian-vm-user'
+    release: 'bullseye'
+    options: '{{ preseed__options_ansible_user }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-bookworm-vm-user'
+    flavor: 'debian-vm-user'
+    release: 'bookworm'
+    options: '{{ preseed__options_ansible_user }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+  - name: 'debian-trixie-vm-user'
+    flavor: 'debian-vm-user'
+    release: 'trixie'
+    options: '{{ preseed__options_ansible_user }}'
+    admin_username: '{{ preseed__admin_name }}'
+
+                                                                   # ]]]
+# .. envvar:: preseed__definitions [[[
+#
+# List of Preseed definitions created on all hosts in the Ansible inventory.
+preseed__definitions: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__group_definitions [[[
+#
+# List of Preseed definitions created on hosts in a specific Ansible inventory
+# group.
+preseed__group_definitions: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__host_definitions [[[
+#
+# List of Preseed definitions created on specific hosts in the Ansible
+# inventory.
+preseed__host_definitions: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__combined_definitions [[[
+#
+# Variable which combines all Preseed definition lists and is used in role
+# tasks and templates.
+preseed__combined_definitions: '{{ preseed__default_definitions
+                                   + preseed__definitions
+                                   + preseed__group_definitions
+                                   + preseed__host_definitions }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Preseed configuration templates [[[
+# -----------------------------------
+
+# The lists below define a "template configuration" for all Preseed
+# definitions. The configuration can then be modified per-definition if
+# necessary. See :ref:`preseed__ref_configuration` for more details.
+
+# .. envvar:: preseed__original_configuration [[[
+#
+# This is the `Example Debian Stable (bullseye) Preseed`__ configuration file,
+# formatted to be compatible with the :ref:`debops.preseed` format.
+#
+# .. __: https://www.debian.org/releases/stable/example-preseed.txt
+#
+preseed__original_configuration:
+
+  - name: 'comment_contents'
+    comment: 'Contents of the preconfiguration file (for ${flavor} on ${release})'
+    state: 'hidden'
+
+  - name: 'debian-installer/locale'
+    comment: |
+      Localization
+      Preseeding only locale sets language, country and locale
+    value: 'en_US'
+
+  - name: 'debian-installer/language'
+    comment: 'The values can also be preseeded individually for greater flexibility.'
+    value: 'en'
+    state: 'comment'
+
+  - name: 'debian-installer/country'
+    value: 'NL'
+    state: 'comment'
+
+  - name: 'comment_debian-installer/locale'
+    option: 'debian-installer/locale'
+    value: 'en_GB.UTF-8'
+    state: 'comment'
+
+  - name: 'localechooser/supported-locales'
+    comment: 'Optionally specify additional locales to be generated.'
+    type: 'multiselect'
+    value: 'en_US.UTF-8, nl_NL.UTF-8'
+    state: 'comment'
+
+  - name: 'keyboard-configuration/xkb-keymap'
+    comment: 'Keyboard selection.'
+    type: 'select'
+    value: 'us'
+
+  - name: 'keyboard-configuration/toggle'
+    type: 'select'
+    value: 'No toggling'
+    state: 'comment'
+
+  - name: 'netcfg/enable'
+    comment: |
+      Network configuration
+      Disable network configuration entirely. This is useful for cdrom
+      installations on non-networked devices where the network questions,
+      warning and long timeouts are a nuisance.
+    value: False
+    state: 'comment'
+
+  - name: 'netcfg/choose_interface'
+    comment: |
+      netcfg will choose an interface that has link if possible. This makes it
+      skip displaying a list if there is more than one interface.
+    type: 'select'
+    value: 'auto'
+
+  - name: 'comment_netcfg/choose_interface'
+    option: 'netcfg/choose_interface'
+    comment: 'To pick a particular interface instead:'
+    type: 'select'
+    value: 'eth1'
+    state: 'comment'
+
+  - name: 'netcfg/link_wait_timeout'
+    comment: |
+      To set a different link detection timeout (default is 3 seconds).
+      Values are interpreted as seconds.
+    value: '10'
+    state: 'comment'
+
+  - name: 'netcfg/dhcp_timeout'
+    comment: |
+      If you have a slow dhcp server and the installer times out waiting for
+      it, this might be useful.
+    value: '60'
+    state: 'comment'
+
+  - name: 'netcfg/dhcpv6_timeout'
+    value: '60'
+    state: 'comment'
+
+  - name: 'netcfg/disable_autoconfig'
+    comment: |
+      If you prefer to configure the network manually, uncomment this line and
+      the static network configuration below.
+    value: True
+    state: 'comment'
+
+  - name: 'netcfg/dhcp_failed'
+    comment: |
+      If you want the preconfiguration file to work on systems both with and
+      without a dhcp server, uncomment these lines and the static network
+      configuration below.
+    type: 'note'
+    state: 'comment'
+
+  - name: 'netcfg/dhcp_options'
+    type: 'select'
+    value: 'Configure network manually'
+    state: 'comment'
+
+  - name: 'netcfg/get_ipaddress'
+    comment: |
+      Static network configuration.
+      IPv4 example
+    value: '192.0.2.42'
+    state: 'comment'
+
+  - name: 'netcfg/get_netmask'
+    value: '255.255.255.0'
+    state: 'comment'
+
+  - name: 'netcfg/get_gateway'
+    value: '192.0.2.1'
+    state: 'comment'
+
+  - name: 'netcfg/get_nameservers'
+    value: '192.0.2.1'
+    state: 'comment'
+
+  - name: 'netcfg/confirm_static'
+    value: True
+    state: 'comment'
+
+  - name: 'ipv6_netcfg/get_ipaddress'
+    comment: 'IPv6 example'
+    option: 'netcfg/get_ipaddress'
+    value: '2001:db8::2'
+    state: 'comment'
+
+  - name: 'ipv6_netcfg/get_netmask'
+    option: 'netcfg/get_netmask'
+    value: 'ffff:ffff:ffff:ffff::'
+    state: 'comment'
+
+  - name: 'ipv6_netcfg/get_gateway'
+    option: 'netcfg/get_gateway'
+    value: '2001:db8::1'
+    state: 'comment'
+
+  - name: 'ipv6_netcfg/get_nameservers'
+    option: 'netcfg/get_nameservers'
+    value: '2001:db8::1'
+    state: 'comment'
+
+  - name: 'ipv6_netcfg/confirm_static'
+    option: 'netcfg/confirm_static'
+    value: True
+    state: 'comment'
+
+  - name: 'netcfg/get_hostname'
+    comment: |
+      Any hostname and domain names assigned from dhcp take precedence over
+      values set here. However, setting the values still prevents the questions
+      from being shown, even if values come from dhcp.
+    value: 'unassigned-hostname'
+
+  - name: 'netcfg/get_domain'
+    value: 'unassigned-domain'
+
+  - name: 'netcfg/hostname'
+    comment: |
+      If you want to force a hostname, regardless of what either the DHCP
+      server returns or what the reverse DNS entry for the IP is, uncomment
+      and adjust the following line.
+    value: 'somehost'
+    state: 'comment'
+
+  - name: 'netcfg/wireless_wep'
+    comment: 'Disable that annoying WEP key dialog.'
+    value: ''
+
+  - name: 'netcfg/dhcp_hostname'
+    comment: |
+      The wacky dhcp hostname that some ISPs use as a password of sorts.
+    value: 'radish'
+    state: 'comment'
+
+  - name: 'hw-detect/load_firmware'
+    comment: |
+      If non-free firmware is needed for the network or other hardware, you can
+      configure the installer to always try to load it, without prompting. Or
+      change to false to disable asking.
+    value: True
+    state: 'comment'
+
+  - name: 'anna/choose_modules'
+    comment: |
+      Network console
+      Use the following settings if you wish to make use of the network-console
+      component for remote installation over SSH. This only makes sense if you
+      intend to perform the remainder of the installation manually.
+    value: 'network-console'
+    state: 'comment'
+
+  - name: 'network-console/authorized_keys_url'
+    value: 'http://192.0.2.1/openssh-key'
+    state: 'comment'
+
+  - name: 'network-console/password'
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'network-console/password-again'
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'mirror/protocol'
+    comment: |
+      Mirror settings
+      If you select ftp, the mirror/country string does not need to be set.
+    value: 'ftp'
+    state: 'comment'
+
+  - name: 'mirror/country'
+    value: 'manual'
+
+  - name: 'mirror/http/hostname'
+    value: 'http.us.debian.org'
+
+  - name: 'mirror/http/directory'
+    value: '/debian'
+
+  - name: 'mirror/http/proxy'
+    value: ''
+
+  - name: 'mirror/suite'
+    comment: 'Suite to install.'
+    value: 'testing'
+    state: 'comment'
+
+  - name: 'mirror/udeb/suite'
+    comment: 'Suite to use for loading installer components (optional)'
+    value: 'testing'
+    state: 'comment'
+
+  - name: 'passwd/root-login'
+    comment: |
+      Account setup
+      Skip creation of a root account (normal user account will be able to
+      use sudo).
+    value: False
+    state: 'comment'
+
+  - name: 'passwd/make-user'
+    comment: 'Alternatively, to skip creation of a normal user account.'
+    value: False
+    state: 'comment'
+
+  - name: 'passwd/root-password'
+    comment: 'Root password, either in clear text'
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'passwd/root-password-again'
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'passwd/root-password-crypted'
+    comment: 'or encrypted using a crypt(3) hash.'
+    type: 'password'
+    value: '[crypt(3) hash]'
+    state: 'comment'
+
+  - name: 'passwd/user-fullname'
+    comment: 'To create a normal user account.'
+    value: 'Debian User'
+    state: 'comment'
+
+  - name: 'passwd/username'
+    value: 'debian'
+    state: 'comment'
+
+  - name: 'passwd/user-password'
+    comment: "Normal user's password, either in clear text"
+    type: 'password'
+    value: 'insecure'
+    state: 'comment'
+
+  - name: 'passwd/user-password-again'
+    type: 'password'
+    value: 'insecure'
+    state: 'comment'
+
+  - name: 'passwd/user-password-crypted'
+    comment: 'or encrypted using a crypt(3) hash.'
+    type: 'password'
+    value: '[crypt(3) hash]'
+    state: 'comment'
+
+  - name: 'passwd/user-uid'
+    comment: 'Create the first user with the specified UID instead of the default.'
+    value: '1010'
+    state: 'comment'
+
+  - name: 'passwd/user-default-groups'
+    comment: |
+      The user account will be added to some standard initial groups.
+      To override that, use this.
+    value: [ 'audio', 'cdrom', 'video' ]
+    state: 'comment'
+
+  - name: 'clock-setup/utc'
+    comment: |
+      Clock and time zone setup
+      Controls whether or not the hardware clock is set to UTC.
+    value: True
+
+  - name: 'time/zone'
+    comment: |
+      You may set this to any valid setting for $TZ; see the contents of
+      /usr/share/zoneinfo/ for valid values.
+    value: 'US/Eastern'
+
+  - name: 'clock-setup/ntp'
+    comment: 'Controls whether to use NTP to set the clock during the install'
+    value: True
+
+  - name: 'clock-setup/ntp-server'
+    comment: 'NTP server to use. The default is almost always fine here.'
+    value: 'ntp.example.com'
+    state: 'comment'
+
+  - name: 'partman-auto/init_automatically_partition'
+    comment: |
+      Partitioning
+      If the system has free space you can choose to only partition that space.
+      This is only honoured if partman-auto/method (below) is not set.
+    type: 'select'
+    value: 'biggest_free'
+    state: 'comment'
+
+  - name: 'partman-auto/disk'
+    comment: |
+      Alternatively, you may specify a disk to partition. If the system has only
+      one disk the installer will default to using that, but otherwise the device
+      name must be given in traditional, non-devfs format (so e.g. /dev/sda
+      and not e.g. /dev/discs/disc0/disc).
+      For example, to use the first SCSI/SATA hard disk:
+    value: '/dev/sda'
+    state: 'comment'
+
+  - name: 'partman-auto/method'
+    comment: |
+      In addition, you'll need to specify the method to use.
+      The presently available methods are:
+      - regular: use the usual partition types for your architecture
+      - lvm:     use LVM to partition the disk
+      - crypto:  use LVM within an encrypted partition
+    value: 'lvm'
+
+  - name: 'partman-auto-lvm/guided_size'
+    comment: |
+      You can define the amount of space that will be used for the LVM volume
+      group. It can either be a size with its unit (eg. 20 GB), a percentage of
+      free space or the 'max' keyword.
+    value: 'max'
+
+  - name: 'partman-lvm/device_remove_lvm'
+    comment: |
+      If one of the disks that are going to be automatically partitioned
+      contains an old LVM configuration, the user will normally receive a
+      warning. This can be preseeded away...
+    value: True
+
+  - name: 'partman-md/device_remove_md'
+    comment: 'The same applies to pre-existiing software RAID array:'
+    value: True
+
+  - name: 'partman-lvm/confirm'
+    comment: 'And the same goes for the confirmation to write the lvm partitions.'
+    value: True
+
+  - name: 'partman-lvm/confirm_nooverwrite'
+    value: True
+
+  - name: 'partman-auto/choose_recipe'
+    comment: |
+      You can choose one of the three predefined partitioning recipes:
+      - atomic: all files in one partition
+      - home:   separate /home partition
+      - multi:  separate /home, /var, and /tmp partitions
+    type: 'select'
+    value: 'multi'
+
+  - name: 'partman-auto/expert_recipe_file'
+    comment: |
+      Or provide a recipe of your own...
+      If you have a way to get a recipe file into the d-i environment, you can
+      just point at it.
+    value: '/hd-media/recipe'
+    state: 'comment'
+
+  - name: 'partman-auto/expert_recipe'
+    comment: |
+      If not, you can put an entire recipe into the preconfiguration file in one
+      (logical) line. This example creates a small /boot partition, suitable
+      swap, and uses the rest of the space for the root partition:
+    value: |
+      boot-root ::                                            \
+              40 50 100 ext3                                  \
+                      $primary{ } $bootable{ }                \
+                      method{ format } format{ }              \
+                      use_filesystem{ } filesystem{ ext3 }    \
+                      mountpoint{ /boot }                     \
+              .                                               \
+              500 10000 1000000000 ext3                       \
+                      method{ format } format{ }              \
+                      use_filesystem{ } filesystem{ ext3 }    \
+                      mountpoint{ / }                         \
+              .                                               \
+              64 512 300% linux-swap                          \
+                      method{ swap } format{ }                \
+              .
+    state: 'comment'
+
+  - name: 'comment_partman_docs'
+    comment: |
+      The full recipe format is documented in the file partman-auto-recipe.txt
+      included in the 'debian-installer' package or available from D-I source
+      repository. This also documents how to specify settings such as file
+      system labels, volume group names and which physical devices to include
+      in a volume group.
+    state: 'hidden'
+
+  - name: 'comment_partman_efi'
+    comment: |
+      Partitioning for EFI
+      If your system needs an EFI partition you could add something like
+      this to the recipe above, as the first element in the recipe:
+                    538 538 1075 free                              \
+                           $iflabel{ gpt }                         \
+                           $reusemethod{ }                         \
+                           method{ efi }                           \
+                           format{ }                               \
+                    .                                              \
+
+      The fragment above is for the amd64 architecture; the details may be
+      different on other architectures. The 'partman-auto' package in the
+      D-I source repository may have an example you can follow.
+    state: 'hidden'
+
+  - name: 'partman-partitioning/confirm_write_new_label'
+    comment: |
+      This makes partman automatically partition without confirmation, provided
+      that you told it what to do using one of the methods above.
+    value: True
+
+  - name: 'partman/choose_partition'
+    type: 'select'
+    value: 'finish'
+
+  - name: 'partman/confirm'
+    value: True
+
+  - name: 'partman/confirm_nooverwrite'
+    value: True
+
+  - name: 'partman-efi/non_efi_system'
+    comment: |
+      Force UEFI booting ('BIOS compatibility' will be lost). Default: false.
+    value: True
+    state: 'comment'
+
+  - name: 'partman-partitioning/choose_label'
+    comment: |
+      Ensure the partition table is GPT - this is required for EFI
+    value: 'gpt'
+    state: 'comment'
+
+  - name: 'partman-partitioning/default_label'
+    value: 'gpt'
+    state: 'comment'
+
+  - name: 'partman-auto-crypto/erase_disks'
+    comment: |
+      When disk encryption is enabled, skip wiping the partitions beforehand.
+    value: False
+    state: 'comment'
+
+  - name: 'raid_partman-auto/method'
+    option: 'partman-auto/method'
+    comment: |
+      Partitioning using RAID
+      The method should be set to "raid".
+    value: 'raid'
+    state: 'comment'
+
+  - name: 'raid_partman-auto/disk'
+    option: 'partman-auto/disk'
+    comment: |
+      Specify the disks to be partitioned. They will all get the same layout,
+      so this will only work if the disks are the same size.
+    value:
+      - '/dev/sda'
+      - '/dev/sdb'
+    state: 'comment'
+
+  - name: 'raid_partman-auto/expert_recipe'
+    option: 'partman-auto/expert_recipe'
+    comment: |
+      Next you need to specify the physical partitions that will be used.
+    value: |
+      multiraid ::                                         \
+              1000 5000 4000 raid                          \
+                      $primary{ } method{ raid }           \
+              .                                            \
+              64 512 300% raid                             \
+                      method{ raid }                       \
+              .                                            \
+              500 10000 1000000000 raid                    \
+                      method{ raid }                       \
+              .
+    state: 'comment'
+
+  - name: 'partman-auto-raid/recipe'
+    comment: |
+      Last you need to specify how the previously defined partitions will be
+      used in the RAID setup. Remember to use the correct partition numbers
+      for logical partitions. RAID levels 0, 1, 5, 6 and 10 are supported;
+      devices are separated using "#".
+      Parameters are:
+      <raidtype> <devcount> <sparecount> <fstype> <mountpoint> \
+               <devices> <sparedevices>
+    value: |
+      1 2 0 ext3 /                    \
+            /dev/sda1#/dev/sdb1       \
+      .                               \
+      1 2 0 swap -                    \
+            /dev/sda5#/dev/sdb5       \
+      .                               \
+      0 2 0 ext3 /home                \
+            /dev/sda6#/dev/sdb6       \
+      .
+    state: 'comment'
+
+  - name: 'comment_partman-raid'
+    comment: |
+      For additional information see the file partman-auto-raid-recipe.txt
+      included in the 'debian-installer' package or available from D-I source
+      repository.
+    state: 'hidden'
+
+  - name: 'partman-md/confirm'
+    comment: 'This makes partman automatically partition without confirmation.'
+    value: True
+    state: 'comment'
+
+  - name: 'partman/mount_style'
+    comment: |
+      Controlling how partitions are mounted
+      The default is to mount by UUID, but you can also choose "traditional" to
+      use traditional device names, or "label" to try filesystem labels before
+      falling back to UUIDs.
+    type: 'select'
+    value: 'uuid'
+    state: 'comment'
+
+  - name: 'base-installer/install-recommends'
+    comment: |
+      Base system installation
+      Configure APT to not install recommended packages by default. Use of this
+      option can result in an incomplete system and should only be used by very
+      experienced users.
+    value: False
+    state: 'comment'
+
+  - name: 'base-installer/kernel/image'
+    comment: |
+      The kernel image (meta) package to be installed; "none" can be used if no
+      kernel is to be installed.
+    value: 'linux-image-amd64'
+    state: 'comment'
+
+  - name: 'apt-setup/non-free'
+    comment: |
+      Apt setup
+      You can choose to install non-free and contrib software.
+    value: True
+    state: 'comment'
+
+  - name: 'apt-setup/contrib'
+    value: True
+    state: 'comment'
+
+  - name: 'apt-setup/use_mirror'
+    comment: |
+      Uncomment this if you don't want to use a network mirror.
+    value: False
+    state: 'comment'
+
+  - name: 'apt-setup/services-select'
+    comment: |
+      Select which update services to use; define the mirrors to be used.
+      Values shown below are the normal defaults.
+    type: 'multiselect'
+    value: 'security, updates'
+    state: 'comment'
+
+  - name: 'apt-setup/security_host'
+    value: 'security.debian.org'
+    state: 'comment'
+
+  - name: 'apt-setup/local0/repository'
+    comment: |
+      Additional repositories, local[0-9] available
+    value: 'http://server.example.org/debian stable main'
+    state: 'comment'
+
+  - name: 'apt-setup/local0/comment'
+    value: 'local server'
+    state: 'comment'
+
+  - name: 'apt-setup/local0/source'
+    comment: 'Enable deb-src lines'
+    value: True
+    state: 'comment'
+
+  - name: 'apt-setup/local0/key'
+    comment: |
+      URL to the public key of the local repository; you must provide a key or
+      apt will complain about the unauthenticated repository and so the
+      sources.list line will be left commented out.
+
+      If the provided key file ends in ".asc" the key file needs to be an
+      ASCII-armoured PGP key, if it ends in ".gpg" it needs to use the
+      "GPG key public keyring" format, the "keybox database" format is
+      currently not supported.
+    value: 'http://server.example.org/key.asc'
+    state: 'comment'
+
+  - name: 'debian-installer/allow_unauthenticated'
+    comment: |
+      By default the installer requires that repositories be authenticated
+      using a known gpg key. This setting can be used to disable that
+      authentication. Warning: Insecure, not recommended.
+    value: True
+    state: 'comment'
+
+  - name: 'apt-setup/multiarch'
+    comment: |
+      Uncomment this to add multiarch configuration for i386
+    value: 'i386'
+    state: 'comment'
+
+  - name: 'tasksel/first'
+    owner: 'tasksel'
+    comment: 'Package selection'
+    type: 'multiselect'
+    value: 'standard, web-server, kde-desktop'
+    state: 'comment'
+
+  - name: 'pkgsel/include'
+    comment: 'Individual additional packages to install'
+    value: 'openssh-server build-essential'
+    state: 'comment'
+
+  - name: 'pkgsel/upgrade'
+    comment: |
+      Whether to upgrade packages after debootstrap.
+      Allowed values: none, safe-upgrade, full-upgrade
+    type: 'select'
+    value: 'none'
+    state: 'comment'
+
+  - name: 'popularity-contest/participate'
+    owner: 'popularity-contest'
+    comment: |
+      Some versions of the installer can report back on what software you have
+      installed, and what software you use. The default is not to report back,
+      but sending reports helps the project determine what software is most
+      popular and should be included on the first CD/DVD.
+    value: False
+    state: 'comment'
+
+  - name: 'grub-installer/only_debian'
+    comment: |
+      Boot loader installation
+      Grub is the boot loader (for x86).
+
+      This is fairly safe to set, it makes grub install automatically to the UEFI
+      partition/boot record if no other operating system is detected on the machine.
+    value: True
+
+  - name: 'grub-installer/with_other_os'
+    comment: |
+      This one makes grub-installer install to the UEFI partition/boot record, if
+      it also finds some other OS, which is less safe as it might not be able to
+      boot that other OS.
+    value: True
+
+  - name: 'grub-installer/bootdev'
+    comment: |
+      Due notably to potential USB sticks, the location of the primary drive can
+      not be determined safely in general, so this needs to be specified:
+    value: '/dev/sda'
+    state: 'comment'
+
+  - name: 'grub-installer/bootdev_default'
+    option: 'grub-installer/bootdev'
+    comment: |
+      To install to the primary device (assuming it is not a USB stick):
+    value: 'default'
+    state: 'comment'
+
+  - name: 'other_grub-installer/only_debian'
+    option: 'grub-installer/only_debian'
+    comment: |
+      Alternatively, if you want to install to a location other than the UEFI
+      partition/boot record, uncomment and edit these lines:
+    value: False
+    state: 'comment'
+
+  - name: 'other_grub-installer/with_other_os'
+    option: 'grub-installer/with_other_os'
+    value: False
+    state: 'comment'
+
+  - name: 'other_grub-installer/bootdev'
+    option: 'grub-installer/bootdev'
+    value: '(hd0,1)'
+    state: 'comment'
+
+  - name: 'multi_grub-installer/bootdev'
+    option: 'grub-installer/bootdev'
+    comment: 'To install grub to multiple disks:'
+    value:
+      - '(hd0,1)'
+      - '(hd1,1)'
+      - '(hd2,1)'
+    state: 'comment'
+
+  - name: 'grub-installer/password'
+    comment: |
+      Optional password for grub, either in clear text
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'grub-installer/password-again'
+    type: 'password'
+    value: 'r00tme'
+    state: 'comment'
+
+  - name: 'grub-installer/password-crypted'
+    comment: |
+      or encrypted using an MD5 hash, see grub-md5-crypt(8).
+    type: 'password'
+    value: '[MD5 hash]'
+    state: 'comment'
+
+  - name: 'debian-installer/add-kernel-opts'
+    comment: |
+      Use the following option to add additional boot parameters for the
+      installed system (if supported by the bootloader installer).
+      Note: options passed to the installer will be added automatically.
+    value: 'nousb'
+    state: 'comment'
+
+  - name: 'finish-install/keep-consoles'
+    comment: |
+      Finishing up the installation
+      During installations from serial console, the regular virtual consoles
+      (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
+      line to prevent this.
+    value: True
+    state: 'comment'
+
+  - name: 'finish-install/reboot_in_progress'
+    comment: 'Avoid that last message about the install being complete.'
+    type: 'note'
+    value: ''
+
+  - name: 'cdrom-detect/eject'
+    comment: |
+      This will prevent the installer from ejecting the CD during the reboot,
+      which is useful in some situations.
+    value: False
+    state: 'comment'
+
+  - name: 'debian-installer/exit/halt'
+    comment: |
+      This is how to make the installer shutdown when finished, but not
+      reboot into the installed system.
+    value: True
+    state: 'comment'
+
+  - name: 'debian-installer/exit/poweroff'
+    comment: |
+      This will power off the machine instead of just halting it.
+    value: True
+    state: 'comment'
+
+  - name: 'comment_other_preseeds'
+    comment: |
+      Preseeding other packages
+      Depending on what software you choose to install, or if things go wrong
+      during the installation process, it's possible that other questions may
+      be asked. You can preseed those too, of course. To get a list of every
+      possible question that could be asked during an install, do an
+      installation, and then run these commands:
+        debconf-get-selections --installer > file
+        debconf-get-selections >> file
+    state: 'hidden'
+
+  - name: 'comment_advanced_options'
+    comment: |
+      Advanced options
+      Running custom commands during the installation
+      d-i preseeding is inherently not secure. Nothing in the installer checks
+      for attempts at buffer overflows or other exploits of the values of a
+      preconfiguration file like this one. Only use preconfiguration files from
+      trusted locations! To drive that home, and because it's generally useful,
+      here's a way to run any shell command you'd like inside the installer,
+      automatically.
+    state: 'hidden'
+
+  - name: 'preseed/early_command'
+    comment: |
+      This first command is run as early as possible, just after
+      preseeding is read.
+    value: 'anna-install some-udeb'
+    state: 'comment'
+
+  - name: 'partman/early_command'
+    comment: |
+      This command is run immediately before the partitioner starts. It may be
+      useful to apply dynamic partitioner preseeding that depends on the state
+      of the disks (which may not be visible when preseed/early_command runs).
+    value: 'debconf-set partman-auto/disk "$(list-devices disk | head -n1)"'
+    state: 'comment'
+
+  - name: 'preseed/late_command'
+    comment: |
+      This command is run just before the install finishes, but when there is
+      still a usable /target directory. You can chroot to /target and use it
+      directly, or use the apt-install and in-target commands to easily install
+      packages and run commands in the target system.
+    value: 'apt-install zsh; in-target chsh -s /bin/zsh'
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: preseed__default_configuration [[[
+#
+# This is a list of Preseed template options defined by the
+# :ref:`debops.preseed` role, which might override the original Preseed
+# configuration.
+preseed__default_configuration:
+
+  - name: 'debian-installer/locale'
+    value: '{{ ansible_local.locales.system_locale | d("en_US.UTF-8") }}'
+
+  - name: 'mirror/http/hostname'
+    value: 'deb.debian.org'
+
+  - name: 'passwd/make-user'
+    value: False
+    state: 'present'
+
+  - name: 'passwd/root-password-crypted'
+    value: '{{ preseed__debian_root_password }}'
+    state: 'present'
+
+  - name: 'time/zone'
+    value: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+
+  - name: 'clock-setup/ntp-server'
+    value:
+      - '0.debian.pool.ntp.org'
+      - '1.debian.pool.ntp.org'
+      - '2.debian.pool.ntp.org'
+      - '3.debian.pool.ntp.org'
+    state: 'present'
+
+  - name: 'partman-efi/non_efi_system'
+    state: 'present'
+
+  - name: 'partman-partitioning/choose_label'
+    state: 'present'
+
+  - name: 'partman-partitioning/default_label'
+    state: 'present'
+
+  - name: 'apt-setup/services-select'
+    value: 'security, updates, backports'
+    state: 'present'
+
+  - name: 'apt-setup/cdrom/set-first'
+    copy_id_from: 'apt-setup/multiarch'
+    comment: |
+      Do not scan the CD-ROM image for available packages
+      Ref: https://unix.stackexchange.com/a/409237
+    value: False
+
+  - name: 'apt-setup/cdrom/set-next'
+    copy_id_from: 'apt-setup/multiarch'
+    value: False
+
+  - name: 'apt-setup/cdrom/set-failed'
+    copy_id_from: 'apt-setup/multiarch'
+    value: False
+
+  - name: 'apt-setup/disable-cdrom-entries'
+    copy_id_from: 'apt-setup/multiarch'
+    value: True
+
+  - name: 'tasksel/first'
+    value: 'ssh-server'
+    state: 'present'
+
+  - name: 'pkgsel/include'
+    value: '{{ preseed__debian_packages }}'
+    state: 'present'
+
+  - name: 'pkgsel/upgrade'
+    value: 'full-upgrade'
+    state: 'present'
+
+  - name: 'grub-installer/with_other_os'
+    value: False
+
+  - name: 'grub-installer/bootdev_default'
+    state: 'present'
+
+  - name: 'debian-installer/add-kernel-opts'
+    value: '{{ preseed__debian_kernel_arguments }}'
+    state: 'present'
+
+  - name: 'cdrom-detect/eject'
+    value: True
+    state: 'present'
+
+  - name: 'preseed/late_command'
+    value: |
+      in-target curl --output /tmp/postinst.sh http://{{ preseed__base_domain }}/${flavor}/d-i/${release}/postinst.sh;\
+      in-target chmod +x /tmp/postinst.sh;\
+      in-target /tmp/postinst.sh
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: preseed__configuration [[[
+#
+# This is a list of Preseed template options defined on all hosts in the
+# Ansible inventory.
+preseed__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__group_configuration [[[
+#
+# This is a list of Preseed template options defined on hosts in a specific
+# Ansible inventory group.
+preseed__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__host_configuration [[[
+#
+# This is a list of Preseed template options defined on specific hosts in the
+# Ansible inventory.
+preseed__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: preseed__combined_configuration [[[
+#
+# This variable combines all Preseed template configuration variables and is
+# used in role tasks and templates.
+preseed__combined_configuration: '{{ preseed__original_configuration
+                                     + preseed__default_configuration
+                                     + preseed__configuration
+                                     + preseed__group_configuration
+                                     + preseed__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Preseed template augments [[[
+# -----------------------------
+
+# The lists below define modifications to the default Preseed configuration
+# template. They use the same format as :ref:`preseed__ref_configuration` and
+# are used as a list of options in various :ref:`preseed__ref_definitions` to
+# create different Preseed "flavors".
+
+# .. envvar:: preseed__options_interactive_partman [[[
+#
+# Disable autoconfiguration of disk partitions and ensure that the user is
+# asked to configure them by hand. This might be useful on hardware hosts which
+# might need a custom partition layout. These options are used in the
+# ``debian`` and ``debian-user`` flavors.
+preseed__options_interactive_partman:
+
+  - name: 'partman-auto/method'
+    state: 'comment'
+
+  - name: 'partman-auto-lvm/guided_size'
+    state: 'comment'
+
+  - name: 'partman-lvm/device_remove_lvm'
+    state: 'comment'
+
+  - name: 'partman-md/device_remove_md'
+    state: 'comment'
+
+  - name: 'partman-lvm/confirm'
+    state: 'comment'
+
+  - name: 'partman-lvm/confirm_nooverwrite'
+    state: 'comment'
+
+  - name: 'partman-auto/choose_recipe'
+    state: 'comment'
+
+  - name: 'partman-partitioning/confirm_write_new_label'
+    state: 'comment'
+
+  - name: 'partman/choose_partition'
+    state: 'comment'
+
+  - name: 'partman/confirm'
+    state: 'comment'
+
+  - name: 'partman/confirm_nooverwrite'
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: preseed__options_ansible_user [[[
+#
+# Configure Debian Installer to disable access to the ``root`` UNIX account via
+# password and create an administrative UNIX account with :command:`sudo`
+# access instead. These options are used in the ``debian-user`` and
+# ``debian-vm-user`` flavors.
+preseed__options_ansible_user:
+
+  - name: 'passwd/root-login'
+    value: False
+    state: 'present'
+
+  - name: 'passwd/make-user'
+    value: True
+    state: 'present'
+
+  - name: 'passwd/user-fullname'
+    value: '{{ preseed__admin_fullname }}'
+    state: 'present'
+
+  - name: 'passwd/username'
+    value: '{{ preseed__admin_name }}'
+    state: 'present'
+
+  - name: 'passwd/user-password-crypted'
+    value: '{{ preseed__debian_admin_password }}'
+    state: 'present'
+
+  - name: 'passwd/user-default-groups'
+    value: [ 'adm', 'staff' ]
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: preseed__options_enable_nonfree [[[
+#
+# During installation, configure APT to use the ``contrib`` and ``non-free``
+# archive components, providing access to non-free firmware which might be
+# required by hardware hosts to function properly. These options are used by
+# ``debian`` and ``debian-user`` flavors.
+preseed__options_enable_nonfree:
+
+  - name: 'apt-setup/non-free'
+    value: True
+    state: 'present'
+
+  - name: 'apt-setup/contrib'
+    value: True
+    state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: preseed__nginx__servers [[[
+#
+# List of :program:`nginx` server configurations managed by the
+# :ref:`debops.nginx` role.
+preseed__nginx__dependent_servers:
+
+  - by_role: 'debops.preseed'
+    enabled: True
+    ssl: False  # disable port 443
+    filename: 'debops.preseed_http'
+    name: '{{ preseed__domains }}'
+    root: '{{ preseed__www + "/$preseed" }}'
+    webroot_create: False
+    location:
+      '/': |
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+        types {
+                text/plain cfg sh;
+        }
+
+      '~ /d-i/': |
+        index index.html index.htm preseed.cfg ;
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+        types {
+                text/plain cfg sh;
+        }
+    state: 'present'
+
+  - by_role: 'debops.preseed'
+    enabled: True
+    listen: False  # disable port 80
+    filename: 'debops.preseed_https'
+    name: '{{ preseed__domains }}'
+    root: '{{ preseed__www + "/$preseed" }}'
+    webroot_create: False
+    location:
+      '/': |
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+        types {
+                text/plain cfg sh;
+        }
+
+      '~ /d-i/': |
+        index index.html index.htm preseed.cfg ;
+        try_files $uri $uri/ $uri.html /index.html =404;
+        autoindex on;
+        types {
+                text/plain cfg sh;
+        }
+    state: '{{ "present" if (ansible_local.pki.enabled | d()) | bool else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/preseed/meta/main.yml b/ansible_collections/debops/debops/roles/preseed/meta/main.yml
new file mode 100644
index 00000000..5275016a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Provide Debian Preseed configuration files over HTTP'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - bootstrap
+    - bootstrapping
+    - installation
+    - deployment
diff --git a/ansible_collections/debops/debops/roles/preseed/tasks/main.yml b/ansible_collections/debops/debops/roles/preseed/tasks/main.yml
new file mode 100644
index 00000000..04b94055
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (C) 2015-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Remove configuration directories if requested
+  ansible.builtin.file:
+    path: '{{ preseed__www + "/" + item.flavor + "/d-i/" + item.release }}'
+    state: 'absent'
+  loop: '{{ preseed__combined_definitions | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state, "flavor": item.flavor, "release": item.release} }}'
+  when: item.state | d('present') in ['absent']
+
+- name: Create configuration directories
+  ansible.builtin.file:
+    path: '{{ preseed__www + "/" + item.flavor + "/d-i/" + item.release }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ preseed__combined_definitions | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state, "flavor": item.flavor, "release": item.release} }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Generate Preseed configuration files
+  ansible.builtin.template:
+    src: 'srv/www/sites/debian-preseed/public/preseed.cfg.j2'
+    dest: '{{ preseed__www + "/" + item.flavor + "/d-i/"
+              + item.release + "/preseed.cfg" }}'
+    owner: 'root'
+    group: 'www-data'
+    mode: '0640'
+  loop: '{{ preseed__combined_definitions
+            | debops.debops.parse_kv_items(defaults={"options": preseed__combined_configuration
+                                                                | debops.debops.parse_kv_config}) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state, "flavor": item.flavor, "release": item.release} }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Generate postinst scripts
+  ansible.builtin.template:
+    src: 'srv/www/sites/debian-preseed/public/postinst.sh.j2'
+    dest: '{{ preseed__www + "/" + item.flavor + "/d-i/"
+              + item.release + "/postinst.sh" }}'
+    owner: 'root'
+    group: 'www-data'
+    mode: '0640'
+  loop: '{{ preseed__combined_definitions
+            | debops.debops.parse_kv_items(defaults={"options": preseed__combined_configuration
+                                                                | debops.debops.parse_kv_config}) }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state, "flavor": item.flavor, "release": item.release} }}'
+  when: item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Preseed local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/preseed.fact.j2'
+    dest: '/etc/ansible/facts.d/preseed.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/preseed/templates/etc/ansible/facts.d/preseed.fact.j2 b/ansible_collections/debops/debops/roles/preseed/templates/etc/ansible/facts.d/preseed.fact.j2
new file mode 100644
index 00000000..da701708
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/templates/etc/ansible/facts.d/preseed.fact.j2
@@ -0,0 +1,29 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+base_path = loads('''{{ preseed__www | to_nice_json }}''')
+subdomain = loads('''{{ preseed__subdomain | to_nice_json }}''')
+flavors = []
+
+if (os.path.exists(base_path) and os.path.isdir(base_path)):
+    for element in os.listdir(base_path):
+        if os.path.isdir(element):
+            flavors.append(element)
+
+output = {'base_path': base_path,
+          'configured': True,
+          'flavors': flavors,
+          'subdomain': subdomain}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/postinst.sh.j2 b/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/postinst.sh.j2
new file mode 100644
index 00000000..3083574b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/postinst.sh.j2
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+set -o nounset -o pipefail -o errexit
+
+# We are working as root inside of the chrooted system
+export HOME="/root"
+
+# Set of SSH keys used for root access
+PRESEED_ROOT_SSHKEYS="{{ (item.root_sshkeys | d([]) + preseed__root_sshkeys) | join('\n') }}"
+
+# Name of the administrative UNIX account
+PRESEED_ADMIN_NAME="{{ item.admin_username | d() }}"
+
+# Set of SSH keys used for administrative access
+PRESEED_ADMIN_SSHKEYS="{{ (item.admin_sshkeys | d([]) + preseed__admin_sshkeys) | join('\n') }}"
+
+
+# Prevent service startup while we are working in chroot
+cat > /usr/sbin/policy-rc.d <<EOF
+#!/bin/sh
+echo "All runlevel operations denied by policy" >&2
+exit 101
+EOF
+chmod +x /usr/sbin/policy-rc.d
+
+# Install SSH public keys used by root account
+if [ -n "${PRESEED_ROOT_SSHKEYS}" ] ; then
+
+    # shellcheck disable=SC2174
+    mkdir -p -m 700 "/root/.ssh"
+    touch "/root/.ssh/authorized_keys"
+    printf "%s\n" "${PRESEED_ROOT_SSHKEYS}" >> "/root/.ssh/authorized_keys"
+
+fi
+
+# Install SSH keys used by the administrative account, if enabled
+if [ -n "${PRESEED_ADMIN_NAME}" ] && [ -n "${PRESEED_ADMIN_SSHKEYS}" ] ; then
+
+    admin_home="$(getent passwd "${PRESEED_ADMIN_NAME}" | cut -d: -f6)"
+
+    if [ -n "${admin_home}" ] ; then
+
+        # shellcheck disable=SC2174
+        mkdir -p -m 700 "${admin_home}/.ssh"
+        touch "${admin_home}/.ssh/authorized_keys"
+        printf "%s\n" "${PRESEED_ADMIN_SSHKEYS}" >> "${admin_home}/.ssh/authorized_keys"
+        chown -R "${PRESEED_ADMIN_NAME}:${PRESEED_ADMIN_NAME}" "${admin_home}/.ssh"
+
+        # Configure passwordless admin access in sudo. We assume that sudo is
+        # installed by the Debian Installer when root access is disabled.
+        printf "# File created by DebOps Preseed\n\n%s ALL = (ALL:ALL) NOPASSWD: SETENV: ALL\n" "${PRESEED_ADMIN_NAME}" \
+            >> "/etc/sudoers.d/preseed_admin_access"
+        chmod 0440 "/etc/sudoers.d/preseed_admin_access"
+
+    fi
+fi
+
+# Disable deb-src lines in APT sources
+sed -i '/^deb-src/s/^/#/' /etc/apt/sources.list
+apt-get update
+
+# Set of custom commands added via Ansible variables
+readarray -t POSTINST_COMMANDS << EOF
+{% if preseed__debian_postinst_commands %}
+{{ preseed__debian_postinst_commands }}
+{% endif %}
+{% if item.postinst_commands | d() %}
+{{ item.postinst_commands }}
+{% endif %}
+EOF
+
+# Execute custom commands
+if [[ "${POSTINST_COMMANDS[*]}" ]] ; then
+    for index in "${!POSTINST_COMMANDS[@]}" ; do
+        # shellcheck disable=SC2086
+        eval ${POSTINST_COMMANDS[${index}]}
+    done
+fi
+
+# Unlock service startup
+rm -rf /usr/sbin/policy-rc.d
diff --git a/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/preseed.cfg.j2 b/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/preseed.cfg.j2
new file mode 100644
index 00000000..385b938a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/preseed/templates/srv/www/sites/debian-preseed/public/preseed.cfg.j2
@@ -0,0 +1,77 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+#_preseed_V1
+
+# {{ ansible_managed }}
+
+# Documentation: https://www.debian.org/releases/stable/amd64/apbs03.en.html
+# Example preseed: https://www.debian.org/releases/stable/example-preseed.txt
+
+{% for element in item.options | d([]) %}
+{%   set element_owner = element.owner  | d("d-i") %}
+{%   set element_name  = element.option | d(element.name) %}
+{%   set element_type  = element.type   | d('string') %}
+{%   set element_seen  = element.seen   | d(True) %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if element.comment | d() %}
+{%       if not loop.first %}
+
+{%       endif %}
+{%       set comment_string = element.comment | regex_replace('\${flavor}', item.flavor) | regex_replace('\${release}', item.release) %}
+{{       comment_string | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     set element_comment = ('#' if element.state | d('present') == 'comment' else '') %}
+{%     if element.value is defined %}
+{%       if element.value is string and not element.value | bool %}
+{%         set element_value = element.value %}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           set element_type  = element.type | d('boolean') %}
+{%           set element_value = 'true' %}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             if element.value | string == '0' %}
+{%               set element_value = element.value %}
+{%             else %}
+{%               set element_type  = element.type | d('boolean') %}
+{%               set element_value = 'false' %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ') %}
+{%       endif %}
+{%     else %}
+{%       set element_value = element.value | d() %}
+{%     endif %}
+{%     if element.state | d('present') not in [ 'hidden' ] %}
+{%       if element_value %}
+{%         set element_value = element_value | regex_replace('\${flavor}', item.flavor) | regex_replace('\${release}', item.release) %}
+{%         if element_value.split('\n') | length > 1 %}
+{%           if element_comment %}
+{{             '{}{} {} {} \\'.format(element_comment, element_owner, element_name, element_type) }}
+{{             element_value | regex_replace('\n$', '') | indent(4, true) | regex_replace('^', '#', multiline=True) }}
+{%           else %}
+{{             '{}{} {} {} \\'.format(element_comment, element_owner, element_name, element_type) }}
+{{             element_value | regex_replace('\n$', '') | indent(4, true) }}
+{%           endif %}
+{%         else %}
+{{           '{}{} {} {} {}'.format(element_comment, element_owner, element_name, element_type, element_value) }}
+{%         endif %}
+{%       else %}
+{{         '{}{} {} {}'.format(element_comment, element_owner, element_name, element_type) }}
+{%       endif %}
+{%       if not element_seen %}
+{{         '{}{} {} {} {}'.format(element_comment, element_owner, element_name, 'seen', 'false') }}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/COPYRIGHT b/ansible_collections/debops/debops/roles/proc_hidepid/COPYRIGHT
new file mode 100644
index 00000000..8b011aa0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.proc_hidepid - Configure /proc hidepid= options
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/defaults/main.yml b/ansible_collections/debops/debops/roles/proc_hidepid/defaults/main.yml
new file mode 100644
index 00000000..18943c53
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/defaults/main.yml
@@ -0,0 +1,121 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _proc_hidepid__ref_defaults:
+
+# debops.proc_hidepid default variables
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration, APT packages [[[
+# ---------------------------------------
+
+# .. envvar:: proc_hidepid__enabled [[[
+#
+# Enable or disable support for managing the ``/proc`` ``hidepid=`` option
+# using Ansible.
+proc_hidepid__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__base_packages [[[
+#
+# List of APT packages required for hidepid support.
+proc_hidepid__base_packages: [ 'libcap2-bin' ]
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__packages [[[
+#
+# List of additional APT packages to install with hidepid support.
+proc_hidepid__packages: []
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__skip_packages [[[
+#
+# List of APT packages which are known to cause issues when hidepid is
+# enabled. When the role detects that they are installed on the host, it
+# will default to using more permissive settings.
+proc_hidepid__skip_packages: [ 'policykit-1', 'polkitd' ]
+
+                                                                   # ]]]
+                                                                   # ]]]
+# The ``/proc`` filesystem options [[[
+# ------------------------------------
+
+# .. envvar:: proc_hidepid__remount [[[
+#
+# When enabled, the role will try and remount the ``/proc`` filesystem to
+# enable the ``hidepid=`` options. This might not be possible in certain
+# environments like LXC/Docker containers, in which case the role will only
+# passively set up the required facts and other configuration.
+proc_hidepid__remount: '{{ True
+                           if ((((ansible_system_capabilities_enforced | d()) | bool and
+                                 "cap_sys_admin" in ansible_system_capabilities) or
+                                not (ansible_system_capabilities_enforced | d(True)) | bool) and
+                               (ansible_local | d() and ansible_local.proc_hidepid | d() and
+                                (ansible_local.proc_hidepid.proc_owner | d("root")) == "root"))
+                           else False }}'
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__level [[[
+#
+# Specify what level of protection for the ``/proc`` files to configure:
+#
+# - ``0``: no protection, files are world-readable
+#
+# - ``1``: the ``/proc`` contents are protected using UNIX permissions, file
+#          owners can access their own files
+#
+# - ``2``: the ``/proc`` contents are invisible to non-owners, only ``root``
+#          and users in the specific UNIX system group can see everything
+#
+proc_hidepid__level: '{{ "0"
+                          if (("debops_service_libvirtd" in group_names) or
+                              (ansible_local.libvirtd.installed | d() | bool))
+                          else (proc_hidepid__fact_default_level | d("2")) }}'
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__group [[[
+#
+# Name of the UNIX system group which will have unrestricted access to the
+# ``/proc`` filesystem.
+proc_hidepid__group: 'procadmins'
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__gid [[[
+#
+# The GID used by the UNIX system group. If not specified, it will be selected
+# automatically. If you change the GID, you need to remount the :file:`/proc`
+# filesystem manually and restart any services that rely on this functionality.
+proc_hidepid__gid: '70'
+                                                                   # ]]]
+                                                                   # ]]]
+# The ``/proc/sched_debug`` options [[[
+# -------------------------------------
+
+# .. envvar:: proc_hidepid__secure_scheduler_enabled [[[
+#
+# Enable or disable file attributes change of the :file:`/proc/sched_debug`
+# file to not be world-readable. Note: the ``root`` account in privileged LXC
+# containers can read the file and change its permissions at will.
+proc_hidepid__secure_scheduler_enabled: '{{ True
+                                            if (proc_hidepid__register_sched.stat.exists | bool and
+                                                proc_hidepid__register_sched.stat.uid == 0)
+                                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: proc_hidepid__secure_scheduler_group [[[
+#
+# Name of the UNIX system group which will be able to read the contents of the
+# :file:`/proc/sched_debug` file.
+proc_hidepid__secure_scheduler_group: '{{ proc_hidepid__group }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/meta/main.yml b/ansible_collections/debops/debops/roles/proc_hidepid/meta/main.yml
new file mode 100644
index 00000000..2de9459a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure /proc hidepid= options'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
+    - hidepid
+    - proc
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/tasks/main.yml b/ansible_collections/debops/debops/roles/proc_hidepid/tasks/main.yml
new file mode 100644
index 00000000..a1a9d3b8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/tasks/main.yml
@@ -0,0 +1,129 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if any incompatible package is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    dpkg --get-selections | grep -w -E '({{ proc_hidepid__skip_packages | join("|") }})'
+                          | awk '{print $1}' || true
+  args:
+    executable: '/bin/bash'
+  register: proc_hidepid__register_incompatible
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Set default enforcement level
+  ansible.builtin.set_fact:
+    proc_hidepid__fact_default_level: '{{ "2"
+                                          if (not proc_hidepid__register_incompatible.stdout | d())
+                                          else "0" }}'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (proc_hidepid__base_packages
+                              + proc_hidepid__packages)) }}'
+    state: 'present'
+  register: proc_hidepid__register_install
+  until: proc_hidepid__register_install is succeeded
+  when: proc_hidepid__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save proc_hidepid local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/proc_hidepid.fact.j2'
+    dest: '/etc/ansible/facts.d/proc_hidepid.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that UNIX system group with /proc access exists
+  ansible.builtin.group:
+    name: '{{ proc_hidepid__group }}'
+    gid: '{{ proc_hidepid__gid if proc_hidepid__gid | d() else omit }}'
+    state: 'present'
+    system: True
+  when: proc_hidepid__enabled | bool
+
+- name: Configure /proc with hidepid= option in /etc/fstab
+  ansible.posix.mount:
+    name: '/proc'
+    src: 'proc'
+    fstype: 'proc'
+    opts: 'defaults,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }}'
+    state: 'mounted'
+  notify: [ 'Refresh host facts' ]
+  when: proc_hidepid__enabled | bool and proc_hidepid__remount | bool
+
+  # This is a workaround for Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/1039887
+- name: Remount /proc from rc.local when needed
+  ansible.builtin.lineinfile:
+    dest: '/etc/rc.local'
+    regexp: '^mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
+    line: 'mount -o remount,hidepid={{ proc_hidepid__level }},gid={{ proc_hidepid__group }} /proc'
+    insertbefore: 'exit 0'
+    state: 'present'
+    mode: '0755'
+  when: (proc_hidepid__enabled | bool and proc_hidepid__remount | bool and
+         (ansible_distribution in ['Ubuntu'] and
+          ansible_distribution_release in ['trusty']))
+
+- name: Check /proc/sched_debug file attributes
+  ansible.builtin.stat:
+    path: '/proc/sched_debug'
+  register: proc_hidepid__register_sched
+
+- name: Generate tmpfiles configuration for securing /proc/sched_debug
+  ansible.builtin.template:
+    src: 'etc/tmpfiles.d/proc-sched_debug.conf.j2'
+    dest: '/etc/tmpfiles.d/proc-sched_debug.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Create temporary files' ]
+  when: proc_hidepid__enabled | bool and ansible_service_mgr == 'systemd' and
+        proc_hidepid__secure_scheduler_enabled | bool
+
+- name: Create the systemd override directories
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/system/" + item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: [ 'systemd-logind.service.d', 'user@.service.d' ]
+  when: proc_hidepid__enabled | bool and ansible_service_mgr == 'systemd'
+
+- name: Ensure that systemd services are exempt from hidepid
+  ansible.builtin.template:
+    src: '{{ "etc/systemd/system/" + item + "/hidepid.conf.j2" }}'
+    dest: '{{ "/etc/systemd/system/" + item + "/hidepid.conf" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: [ 'systemd-logind.service.d', 'user@.service.d' ]
+  notify: [ 'Reload service manager' ]
+  when: proc_hidepid__enabled | bool and ansible_service_mgr == 'systemd'
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/ansible/facts.d/proc_hidepid.fact.j2 b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/ansible/facts.d/proc_hidepid.fact.j2
new file mode 100644
index 00000000..9452c464
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/ansible/facts.d/proc_hidepid.fact.j2
@@ -0,0 +1,52 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from pwd import getpwuid
+from grp import getgrgid
+from os import stat
+
+
+def find_owner(filename):
+    return getpwuid(stat(filename).st_uid).pw_name
+
+
+output = {'configured': True,
+          'enabled': False,
+          'gid': '',
+          'group': '',
+          'level': '',
+          'proc_owner': find_owner('/proc')}
+
+with open('/proc/mounts', 'r') as mounts:
+    for line in mounts:
+        if line.startswith('proc '):
+            entry = line.strip().split()
+
+            if entry[1] == '/proc':
+                entry_options = entry[3].split(',')
+
+                # Check if any option of a given mount entry has 'hidepid='
+                if any("hidepid=" in s for s in entry_options):
+                    output['enabled'] = True
+
+                    for option in entry_options:
+                        if option.startswith('hidepid='):
+                            output['level'] = option.split('=')[1]
+                        elif option.startswith('gid='):
+                            output['gid'] = option.split('=')[1]
+
+if output['gid']:
+    try:
+        output['group'] = getgrgid(int(output['gid'])).gr_name
+    except KeyError:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2 b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2
new file mode 100644
index 00000000..cc2ed012
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/systemd-logind.service.d/hidepid.conf.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Based on https://github.com/indiv0/ansible-role-console
+
+[Service]
+SupplementaryGroups={{ proc_hidepid__group }}
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/user@.service.d/hidepid.conf.j2 b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/user@.service.d/hidepid.conf.j2
new file mode 100644
index 00000000..b4f24f05
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/systemd/system/user@.service.d/hidepid.conf.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Override required in unified cgroupv2 hierarchy when hidepid= option is used
+# with the /proc filesystem.
+# Ref: https://github.com/systemd/systemd/issues/12955
+
+[Service]
+SupplementaryGroups={{ proc_hidepid__group }}
diff --git a/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/tmpfiles.d/proc-sched_debug.conf.j2 b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/tmpfiles.d/proc-sched_debug.conf.j2
new file mode 100644
index 00000000..314b9439
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/proc_hidepid/templates/etc/tmpfiles.d/proc-sched_debug.conf.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# The '/proc/sched_debug' file contains information about all Linux processes,
+# which is accessible even from unprivileged namespaces (eg. unprivileged LXC
+# containers). To protect information leakage about other containers, limit the
+# access to this file to a specific UNIX system group.
+# More details:
+# - https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1549391
+# - https://www.nccgroup.trust/us/our-research/abusing-privileged-and-unprivileged-linux-containers/
+
+#Type Path              Mode UID  GID        Age Argument
+f     /proc/sched_debug 0440 root {{ proc_hidepid__secure_scheduler_group }} -   -
diff --git a/ansible_collections/debops/debops/roles/prosody/COPYRIGHT b/ansible_collections/debops/debops/roles/prosody/COPYRIGHT
new file mode 100644
index 00000000..584ff732
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.prosody - Manage Prosody XMPP server with Ansible
+
+Copyright (C) 2018 Norbert Summer <git@o-g.at>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/prosody/defaults/main.yml b/ansible_collections/debops/debops/roles/prosody/defaults/main.yml
new file mode 100644
index 00000000..8bc2f1c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/defaults/main.yml
@@ -0,0 +1,379 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _prosody__ref_defaults:
+
+# debops.prosody default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: prosody__base_packages [[[
+#
+# List of base packages to install.
+prosody__base_packages:
+  - 'prosody'
+  - 'lua-zlib'
+  - 'lua-sec'
+  - 'prosody-modules'  # for ldap auth
+  - '{{ "lua-event" if prosody__use_libevent | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__packages [[[
+#
+# List of additional APT packages to install with Prosody.
+prosody__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# PKI [[[
+# -------
+
+# .. envvar:: prosody__pki [[[
+#
+# Enable or disable support for PKI/SSL/TLS in prosody.
+# Defaults to ``True`` if :ref:`debops.pki` is enabled on the remote host.
+prosody__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_realm_path [[[
+#
+# Directory path where PKI realm live.
+prosody__pki_realm_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_realm [[[
+#
+# Default PKI realm to use.
+prosody__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_crt_filename [[[
+#
+# Default CRT file name to use.
+prosody__pki_crt_filename: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_key_filename [[[
+#
+# Default private key file name to use.
+prosody__pki_key_filename: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_hook_name [[[
+#
+# Name of the hook script which will be stored in hook directory.
+prosody__pki_hook_name: 'prosody'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_hook_path [[[
+#
+# Directory with PKI hooks.
+prosody__pki_hook_path: '{{ ansible_local.pki.hooks | d("/etc/pki/hooks") }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__pki_hook_action [[[
+#
+# Specify how changes in PKI should affect prosody, either 'reload' or 'restart'.
+prosody__pki_hook_action: 'reload'
+                                                                   # ]]]
+                                                                   # ]]]
+# Prosody Configuration [[[
+# -------------------------
+
+# .. envvar:: prosody__deploy_state [[[
+#
+# Set to `absent` to disable and uninstall this role
+prosody__deploy_state: "present"
+
+                                                                   # ]]]
+# .. envvar:: prosody__domain [[[
+#
+# The hosts's DNS domain name used in the Prosody configuration.
+prosody__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__admins [[[
+#
+# List of admin jabber accounts of this prosody instance
+prosody__admins: []
+
+                                                                   # ]]]
+# .. envvar:: prosody__use_libevent [[[
+#
+# Set this to true to enable the libevent backend
+# @see https://prosody.im/doc/libevent
+prosody__use_libevent: false
+
+                                                                   # ]]]
+# .. envvar:: prosody__modules_default [[[
+#
+# Modules that are loaded by default
+# @see https://prosody.im/doc/configure
+prosody__modules_default:
+  - "roster"
+  - "saslauth"
+  - "tls"
+  - "dialback"
+  - "disco"
+  - "private"
+  - "vcard"
+  - "privacy"  #@TODO check version < 0.10
+  - "version"
+  - "uptime"
+  - "time"
+  - "ping"
+  - "pep"
+  - "admin_adhoc"
+  - "posix"
+  - "groups"
+  - "carbons"
+  - "mam"
+  - "blocking"
+  - "smacks"
+  #- "s2s_auth_dane"
+
+                                                                   # ]]]
+# .. envvar:: prosody__modules [[[
+#
+# Modules that should be enabled
+prosody__modules: '{{ prosody__modules_default }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__authentication [[[
+#
+# Providers:
+#  - internal_plain
+#  - internal_hashed
+#  - cyrus
+#  - anonymous
+#  - ldap2 (TODO)
+#
+# https://prosody.im/doc/authentication
+prosody__authentication: 'internal_plain'
+
+                                                                   # ]]]
+# .. envvar:: prosody__insecure_domains [[[
+#
+# List of insecure domains. As example `gmail.com`
+# https://prosody.im/doc/s2s
+prosody__insecure_domains: []
+
+                                                                   # ]]]
+# .. envvar:: prosody__allow_registration [[[
+#
+# Allow new registrations
+prosody__allow_registration: False
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_ldap [[[
+#
+# LDAP config, this is used when `prosody__authentication` is ldap2.
+# https://modules.prosody.im/mod_auth_ldap2.html
+prosody__config_ldap:
+  ldap:
+    hostname: 'ldap.{{ ansible_domain }}'
+    user:
+      basedn: 'ou=users,..@TODO'
+      usernamefield: 'uid'
+    bind_dn: 'uid=....,dc=...@TODO'
+    bind_password: 'lookup..@TODO'
+    use_tls: True
+
+                                                                   # ]]]
+# .. envvar:: prosody__default_config_global [[[
+#
+# Main prosody configuration, default values
+# @see https://prosody.im/doc/configure
+prosody__default_config_global:
+  admins: '{{ prosody__admins }}'
+  modules_enabled: '{{ prosody__modules }}'
+  allow_registration: '{{ prosody__allow_registration }}'
+  daemonize: True
+  pidfile: "/var/run/prosody/prosody.pid"
+  use_libevent: '{{ prosody__use_libevent }}'
+  c2s_require_encryption: True
+  s2s_require_encryption: True
+  s2s_secure_auth: True
+  s2s_insecure_domains: '{{ prosody__insecure_domains }}'
+  authentication: '{{ prosody__authentication }}'
+  log:
+    info: "/var/log/prosody/prosody.log"
+    error: "/var/log/prosody/prosody.err"
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_http_server [[[
+#
+# HTTP server specific settings.
+# More infos at https://prosody.im/doc/http
+prosody__config_http_server:
+  http_port:
+    - 5280
+  http_interface:
+    - '*'
+  https_port:
+    - 5281
+  https_interface:
+    - '*'
+  https_ssl:
+    certificate: '{{ prosody__pki_realm_path + "/" + prosody__pki_realm + "/" + prosody__pki_crt_filename }}'
+    key: '{{ prosody__pki_realm_path + "/" + prosody__pki_realm + "/" + prosody__pki_key_filename }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_global [[[
+#
+# Mapping for global configs which will be managed on all hosts in the Ansible
+# inventory.
+prosody__config_global: {}
+
+                                                                   # ]]]
+# .. envvar:: prosody__group_config_global [[[
+#
+# Mapping for global configs which will be managed on specific groups in the Ansible
+# inventory.
+prosody__group_config_global: {}
+
+                                                                   # ]]]
+# .. envvar:: prosody__host_config_global [[[
+#
+# Mapping for global configs which will be managed on specific hosts in the Ansible
+# inventory.
+prosody__host_config_global: {}
+
+                                                                   # ]]]
+# .. envvar:: prosody__combined_config_global [[[
+#
+# Mapping which combines all of the global config variables and is used
+# in the configuration template.
+prosody__combined_config_global: '{{ prosody__default_config_global | combine(prosody__config_http_server,
+                                                                              prosody__config_ldap if prosody__authentication == "ldap2" else {},
+                                                                              prosody__config_global,
+                                                                              prosody__group_config_global,
+                                                                              prosody__host_config_global) }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_virtual_hosts [[[
+#
+# List of virtual hosts
+prosody__config_virtual_hosts:
+  - name: '{{ ansible_domain }}'
+    enabled: false
+    pki_realm: 'domain'
+
+                                                                   # ]]]
+# .. envvar:: prosody__http_upload [[[
+#
+#  http_upload enables upload via http(s) for clients to share files
+#  https://modules.prosody.im/mod_http_upload.html
+#  XEP-0363
+prosody__http_upload: True
+
+                                                                   # ]]]
+# .. envvar:: prosody__muc [[[
+#
+#  muc (multi user channel) enables group channel function.
+#  https://prosody.im/doc/modules/mod_muc
+#  XEP-0045
+prosody__muc: True
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_http_upload [[[
+#
+#  http_upload config is for client upload via http(s) to share files
+#  https://modules.prosody.im/mod_http_upload.html
+#  XEP-0363
+prosody__config_http_upload:
+  - domain: 'upload.{{ prosody__domain }}'
+    params: '"http_upload"'
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_muc [[[
+#
+#  muc (multi user channel) config for group channel function.
+#  https://prosody.im/doc/modules/mod_muc
+#  XEP-0045
+prosody__config_muc:
+  - domain: 'conference.{{ prosody__domain }}'
+    params: '"muc"'
+
+                                                                   # ]]]
+# .. envvar:: prosody__default_config_components [[[
+#
+# List of default components
+prosody__default_config_components: '{{ (prosody__config_http_upload if prosody__http_upload | bool else [])
+                                      + (prosody__config_muc if prosody__muc | bool else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__config_components [[[
+#
+# List of components which will be managed on all hosts in the Ansible
+# inventory.
+prosody__config_components: []
+
+                                                                   # ]]]
+# .. envvar:: prosody__group_config_components [[[
+#
+# List of components which will be managed on specific groups in the Ansible
+# inventory.
+prosody__group_config_components: []
+
+                                                                   # ]]]
+# .. envvar:: prosody__host_config_components [[[
+#
+# List of components which will be managed on specific hosts in the Ansible
+# inventory.
+prosody__host_config_components: []
+
+                                                                   # ]]]
+# .. envvar:: prosody__combined_config_components [[[
+#
+# List which combines all of the global config variables and is used
+# in the configuration template.
+prosody__combined_config_components: '{{ prosody__default_config_components
+                                         + prosody__config_components
+                                         + prosody__group_config_components
+                                         + prosody__host_config_components }}'
+
+                                                                   # ]]]
+# .. envvar:: prosody__ferm__dependent_rules [[[
+#
+# Configuration for :command:`iptables` firewall managed by :program:`ferm`.
+prosody__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ '5222' ]
+    accept_any: True
+    weight: '40'
+    by_role: 'prosody'
+    name: 'prosody-xmpp-client'
+    multiport: True
+    rule_state: '{{ prosody__deploy_state }}'
+  - type: 'accept'
+    dport: [ '5269' ]
+    accept_any: True
+    weight: '40'
+    by_role: 'prosody'
+    name: 'prosody-xmpp-server'
+    multiport: True
+    rule_state: '{{ prosody__deploy_state }}'
+  - type: 'accept'
+    dport: [ '5280', '5281' ]
+    accept_any: True
+    weight: '40'
+    by_role: 'prosody'
+    name: 'prosody-http'
+    multiport: True
+    rule_state: '{{ prosody__deploy_state }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/prosody/meta/main.yml b/ansible_collections/debops/debops/roles/prosody/meta/main.yml
new file mode 100644
index 00000000..d9e9bba4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Norbert Summer'
+  description: 'Lightweight Jabber/XMPP server'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: Debian
+      versions:
+        - stretch
+
+    - name: Ubuntu
+      versions:
+        - xenial
+        - artful
+
+  galaxy_tags:
+    - prosody
+    - jabber
+    - xmpp
diff --git a/ansible_collections/debops/debops/roles/prosody/tasks/main.yml b/ansible_collections/debops/debops/roles/prosody/tasks/main.yml
new file mode 100644
index 00000000..8c9349fe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (prosody__base_packages
+                              + prosody__packages)) }}'
+    state: 'present'
+  register: prosody__register_packages
+  until: prosody__register_packages is succeeded
+
+- name: Generate Prosody configuration
+  ansible.builtin.template:
+    src: 'etc/prosody/prosody.cfg.lua.j2'
+    dest: '/etc/prosody/prosody.cfg.lua'
+    mode: '0640'
+  notify: [ 'Restart prosody' ]
+
+- name: Enable Services
+  ansible.builtin.service:
+    name: '{{ item }}'
+    enabled: 'yes'
+    state: 'started'
+  with_items:
+    - prosody
+
+- name: Make sure that PKI hook directory exists
+  ansible.builtin.file:
+    path: '{{ prosody__pki_hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (prosody__pki | bool and prosody__deploy_state in ['present'])
+
+- name: Manage PKI prosody hook
+  ansible.builtin.template:
+    src: 'etc/pki/hooks/prosody.j2'
+    dest: '{{ prosody__pki_hook_path + "/" + prosody__pki_hook_name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (prosody__pki | bool and prosody__deploy_state in ['present'])
+
+- name: Ensure the PKI prosody hook is absent
+  ansible.builtin.file:
+    path: '{{ prosody__pki_hook_path + "/" + prosody__pki_hook_name }}'
+    state: 'absent'
+  when: (prosody__deploy_state in ['absent'])
diff --git a/ansible_collections/debops/debops/roles/prosody/templates/etc/pki/hooks/prosody.j2 b/ansible_collections/debops/debops/roles/prosody/templates/etc/pki/hooks/prosody.j2
new file mode 100644
index 00000000..aee9088a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/templates/etc/pki/hooks/prosody.j2
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Reload or restart prosody on a certificate state change
+
+set -o nounset -o pipefail -o errexit
+
+prosody_config="/etc/prosody/prosody.cfg.lua"
+prosody_action="{{ prosody__pki_hook_action }}"
+
+# Check if current PKI realm is used by the 'prosody' webserver
+certificate=$(grep -r "${PKI_SCRIPT_DEFAULT_CRT:-}" ${prosody_config} || true)
+
+# Get list of current realm states
+read -r -a states <<< "$(echo "${PKI_SCRIPT_STATE:-}" | tr "," " ")"
+
+if [ -n "${certificate}" ] && [[ ${states[*]} ]] ; then
+
+    for state in "${states[@]}" ; do
+
+        if [ "${state}" = "changed-certificate" ] || [ "${state}" = "changed-dhparam" ] ; then
+
+            # Check if current init is systemd
+            if pidof systemd > /dev/null 2>&1 ; then
+
+                prosody_state="$(systemctl is-active prosody.service)"
+                if [ "${prosody_state}" = "active" ] ; then
+                    if prosodyctl check > /dev/null 2>&1 ; then
+                        systemctl "${prosody_action}" prosody.service
+                    fi
+                fi
+            fi
+
+            break
+        fi
+
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2 b/ansible_collections/debops/debops/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2
new file mode 100644
index 00000000..05023e07
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2
@@ -0,0 +1,54 @@
+{# Copyright (C) 2018 Norbert Summer <git@o-g.at>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+-- {{ ansible_managed }}
+{% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+
+{% macro lua_print(object, prefix='',depth=0) %}
+{%   if object is mapping                      %}
+{%     set prefix = prefix + '  '             %}
+{%     if depth!=0  %}{{ "{\n"  }}{% endif %}
+{%     for _item_name, _value in object |dictsort   %}
+{{      _item_name+' = '+lua_print(_value, prefix,depth+1)|indent(2,true) }}
+{%     endfor                                 %}
+{%     if depth!=0  %}{{ '}'  }}{% endif %}
+{%   elif 'bool' == object|type_debug %}
+{%     if object  %}{{ 'true;'|indent(2,true)  }}
+{%     else       %}{{ 'false;'|indent(2,true)  }}{% endif %}
+{%   elif object is string                    %}
+{{     '"' + object + '";'                     }}
+{%   elif object is iterable                  %}
+{%     if depth!=0  %}{{ "{\n"  }}{% endif %}
+{%     for _item in object                    %}
+{{       lua_print(_item, prefix,depth+1)|indent(2,true) }}
+{%     endfor                                 %}
+{%     if depth!=0  %}{{ '}'  }}{% endif %}
+{%   elif object is number                    %}
+{{     '%d' | format(object)|indent(2,true) }}
+{%   else                                     %}
+error unknown type
+{%   endif                                    %}
+{%  endmacro %}
+
+
+{{ lua_print(prosody__combined_config_global,'',false) }}
+
+
+{%   for item in prosody__config_virtual_hosts %}
+{% set prosody__tpl_pki_realm = item.pki_realm %}{#| d((debops__tpl_macros.get_realm_yaml_list(item.name, prosody__pki_realm) | from_yaml)[0]) %#}
+{% set prosody__tpl_pki_realm_path = prosody__pki_realm_path + "/" + prosody__tpl_pki_realm %}
+VirtualHost "{{ item.name }}"
+  enabled = {{ item.enabled }}
+
+  ssl = {
+    certificate = "{{ item.tls_crt | d(prosody__tpl_pki_realm_path + "/" + (item.pki_crt | d(prosody__pki_crt_filename))) }}";
+    key =  "{{ item.tls_key | d(prosody__tpl_pki_realm_path + "/" + (item.pki_key | d(prosody__pki_key_filename))) }}";
+  }
+  {{ item.raw | d("") }}
+{%   endfor %}
+
+
+{% for _component in prosody__combined_config_components %}
+Component "{{ _component.domain }}" {{ _component.params }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/prosody/templates/import/debops__tpl_macros.j2 b/ansible_collections/debops/debops/roles/prosody/templates/import/debops__tpl_macros.j2
new file mode 100644
index 00000000..a661bc41
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/prosody/templates/import/debops__tpl_macros.j2
@@ -0,0 +1,225 @@
+{# vim: foldmarker=[[[,]]]:foldmethod=marker
+# Commonly used set of macros in DebOps.
+# It can be imported in repositories as needed.
+# Changes to this file should go upstream: https://github.com/debops/debops-playbooks/blob/master/templates/debops__tpl_macros.j2
+#
+# Copyright [[[
+# =============
+#
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# This file is part of DebOps.
+#
+# DebOps is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3, as
+# published by the Free Software Foundation.
+#
+# DebOps is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with DebOps. If not, see https://www.gnu.org/licenses/.
+#
+# ]]]
+#
+# Usage [[[
+# =========
+#
+# Copy the template file to `./templates/import/debops__tpl_macros.j2` of your
+# role and import it from there into various other templates or even use it
+# in templates which are called by {{ lookup("template", ...) }}.
+#
+# Make sure to retain the filename of this file so that automatic updates of
+# this file can be implemented.
+#
+# To use the macros in your own template, this file needs to be imported like so:
+#
+# {% import 'templates/import/debops__tpl_macros.j2' as debops__tpl_macros with context %}
+#
+# Then you can start using the macros like this:
+#
+# {{ debops__tpl_macros.indent(some_content, 4) }}
+#
+# ]]] #}
+
+{% macro get_realm_yaml_list(domains, fallback_realm) %}{# [[[ #}
+{% set custom_realm_list = [] %}
+{% if domains and (ansible_local.pki.known_realms | d()) %}
+{%   for domain in (get_yaml_list_for_elem(domains) | from_yaml) %}
+{%     if domain in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain) %}
+{%     elif (domain.split('.')[1:] | join('.')) in ansible_local.pki.known_realms %}
+{%       set _ = custom_realm_list.append(domain.split('.')[1:] | join('.')) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if custom_realm_list | length == 0 %}
+{%   set _ = custom_realm_list.append(fallback_realm) %}
+{% endif %}
+{{ custom_realm_list | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_version() %}{# [[[ #}
+{{ ansible_local.apache.version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_apache_min_version() %}{# [[[ #}
+{{ ansible_local.apache.min_version | d("2.4.0") -}}
+{% endmacro %}{# ]]] #}
+
+{% macro get_openssl_version() %}{# [[[ #}
+{{ ansible_local.pki.openssl_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro get_gnutls_version() %}{# [[[ #}
+{{ ansible_local.pki.gnutls_version | d("0.0.0") }}
+{% endmacro %}{# ]]] #}
+
+{% macro indent(content, width=4, indentfirst=False) %}{# [[[ #}
+{#
+## Fixed version of the `indent` filter which does not insert trailing spaces on empty lines.
+## Note that you can not use this macro like a filter but have to use it like a regular macro.
+## Example: {{ debops__tpl_macros.indent(some_content, 4) }}
+##
+## Python re.sub seems to default to re.MULTILINE in Ansible.
+#}
+{{ content | indent(width, indentfirst) | regex_replace("[ \\t\\r\\f\\v]+(\\n|$)", "\\1") -}}
+{% endmacro %}{# ]]] #}
+
+{%  macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}{# [[[ #}
+{#
+## Recursively merges nested dictionaries or a nested dictionary with a list of
+## dictionaries. In the second case, a key name can be given whose value will
+## be used as top-level key for the dictionary item. Note that for merging simple
+## dictionaries you should use the regular `combined` Jinja filter.
+##
+## This can be used to define default variables as YAML dictionaries and then
+## use YAML lists of dictionaries either in the inventory or in role dependent
+## variables which lets you add multiple YAML lists together.
+##
+## Arguments:
+##   current_dict:   Nested dictionary whose values might get overwritten if
+##                   defined in `to_merge_dict`.
+##   to_merge_dict:  Dictionary or list of dictionaries being merged into `current_dict`.
+##   dict_key:       Key in the `to_merge_dict` item which is used to match the
+##                   dictionary item being merged in `current_dict` in case `to_merge_dict`
+##                   is a list of dictionaries.
+##
+## Return: JSON-formatted dictionary
+##
+## Examples:
+##
+## 1. Merge single-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'},
+##                                        'item2': {'key3': 'val3', 'key4': 'val4'}},
+##                                       {'item1': {'key2': 'new_val2'},
+##                                        'item2': {'key5': 'val5'    }}) }}
+##
+##     Will output: {"item1": {"key1": "val1", "key2": "new_val2"},
+##                   "item2": {"key3": "val3", "key4": "val4", "key5": "val5"}}
+##
+## 2. Merge double-nested dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'prop1': {'key1': 'val1'}}},
+##                                       {'item1': {'prop1': {'key3': 'val3'},
+##                                                  'prop2': {'key2': 'val2'}}}) }}
+##
+##     Will output: {"item1": {"prop1": {"key1": "val1", "key3": "val3"},
+##                             "prop2": {"key2": "val2"}}}
+##
+## 3. Merge nested dictionary with list of dictionaries:
+##     {{ debops__tmpl_macros.merge_dict({'item1': {'key1': 'val1', 'key2': 'val2'}},
+##                                       [{'name': 'item2', 'key3': 'val3'},
+##                                        {'name': 'item3', 'key4': 'val4'}]) }}
+##
+##     Will output: {"item1: {"key1": "val1", "key2": "val2"},
+##                   "item2: {"name": "item2", "key3": "val3"},
+##                   "item3: {"name": "item3", "key4": "val4"}}
+#}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro flattened() %}{# [[[ #}
+{# This macro does what the flattened lookup from Ansible fails to do in Jinja templates as of Ansible 2.2.
+## All macro arguments are flattened into one "flat" list.
+## Uses a less known feature of Jinja for using the *args and *kwargs syntax as known from
+## Python. Even if the macro does not declare any arguments, it will happyily
+## flatten any non-key-value arguments you provide.
+## Additional key-value arguments can be used to influence the behavior of the macro.
+## The macro uses recursion to flatten nested lists.
+## Ref: https://stackoverflow.com/questions/13944751/args-kwargs-in-jinja2-macros
+## Returns flattened object as JSON which you will need to deserialize using `from_yaml`.
+## Usage:
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_undef=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, null, "raw1", 22, true, false]
+##
+## {{ debops__tpl_macros.flattened(['list1', 55, ["deeplist1", "deeplist elem", True, False, undefined], {'mapping': True}], 'raw1', 22, True, False, filter_mapping=False) }}
+## → ["list1", 55, "deeplist1", "deeplist elem", true, false, {"mapping": true}, "raw1", 22, true, false]
+##
+## Ansible versions tested with: 2.1, 2.2
+## Jinja versions tested with: 2.8.1
+#}
+{% set filter_undef = kwargs.filter_undef | d(True) | bool %}
+{% set filter_mapping = kwargs.filter_mapping | d(True) | bool %}
+{# The following options are planned but currently don’t work: #}
+{% set append_mapping_keys = kwargs.append_mapping_keys | d(False) | bool %}
+{% set append_mapping_values = kwargs.append_mapping_values | d(False) | bool %}
+{#
+{{ "filter_undef:" + (filter_undef | string) }}
+{{ "filter_mapping:" + (filter_mapping | string) }}
+{{ "varargs:" + (varargs | string) }}
+#}
+{% set elem_flattened = [] %}
+{% for arg in varargs %}
+{#
+{{ "arg: " + (arg | string) }}
+#}
+{%   if filter_undef and (arg is undefined) %}
+{#     Filter out. #}
+{%   elif append_mapping_keys and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.keys(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif append_mapping_values and (arg is mapping) %}
+{#     Does not work as of Jinja 2.8? #}
+{%     set _ = elem_flattened.extend(flattened(arg.values(), filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%   elif filter_mapping and (arg is mapping) %}
+{#     Filter out. #}
+{%   elif (arg is undefined) %}
+{%     set _ = elem_flattened.append(None) %}
+{%   elif (arg is string) or (arg is number) or (arg is sameas True) or (arg is sameas False) or (arg is mapping) %}
+{%     set _ = elem_flattened.append(arg) %}
+{%   elif (arg is iterable) %}
+{%     for element in arg %}
+{%       set _ = elem_flattened.extend(flattened(element, filter_undef=filter_undef, filter_mapping=filter_mapping) | from_yaml) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{{ elem_flattened | to_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/python/COPYRIGHT b/ansible_collections/debops/debops/roles/python/COPYRIGHT
new file mode 100644
index 00000000..9b82557e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.python - Manage Python environment using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/python/defaults/main.yml b/ansible_collections/debops/debops/roles/python/defaults/main.yml
new file mode 100644
index 00000000..9bf0678d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/defaults/main.yml
@@ -0,0 +1,271 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _python__ref_defaults:
+
+# debops.python default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: python__enabled [[[
+#
+# Enable or disable Python management via the :ref:`debops.python` role.
+python__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: python__raw_apt_cache_valid_time [[[
+#
+# During Python bootstrapping, check if the APT cache was modified X minutes
+# ago (must be a negative number), by default 12h. If the APT cache is older
+# than the specified time in minutes, the role will automatically refresh it.
+# Set to ``0`` to refresh the APT cache on each Ansible run.
+python__raw_apt_cache_valid_time: '-{{ 60 * 60 * 12 }}'
+
+                                                                   # ]]]
+# .. envvar:: python__raw_etc_hosts [[[
+#
+# String or YAML text block with "<ip> <host>" data, injected into the
+# :file:`/etc/hosts` configuration file as-is. This is done only at bootstrap
+# time, the :ref:`debops.netbase` role then takes ownership of the
+# :file:`/etc/hosts` file.
+#
+# Some installations do not have proper DNS services available and rely on
+# :file:`/etc/hosts` for name resolution. This presents a problem during early
+# bootstrap steps, for example if access to the APT repositories is done via
+# a proxy. This variable can be used to add entries in :file:`/etc/hosts` as
+# early as possible, to allow for proper name resolution.
+python__raw_etc_hosts: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Python 3 management [[[
+# -----------------------
+
+# .. envvar:: python__v3 [[[
+#
+# Enable or disable support for Python 3 management.
+python__v3: True
+
+                                                                   # ]]]
+# .. envvar:: python__core_packages3 [[[
+#
+# List of core Python 3 APT packages to install. These packages will be
+# installed in the "raw" mode as well as during normal role operation.
+python__core_packages3:
+  - 'python3'
+  - 'python3-apt'
+  - 'python3-debian'
+
+                                                                   # ]]]
+# .. envvar:: python__base_packages3 [[[
+#
+# List of base Python 3 packages to install via APT. These packages should allow
+# creation of Python 3 virtual environments and installation of Python packages
+# via the :command:`pip3` command from the PyPI repository, as well as Ansible
+# operation on the remote host.
+python__base_packages3:
+  - 'python3-httplib2'
+  - 'python3-pip'
+  - 'python3-setuptools'
+  - 'python3-pycurl'
+  - 'python3-virtualenv'
+  - 'python3-wheel'
+  - 'virtualenv'
+
+                                                                   # ]]]
+# .. envvar:: python__packages3 [[[
+#
+# List of Python 3 APT packages which should be installed on all hosts in the
+# Ansible inventory.
+python__packages3: []
+
+                                                                   # ]]]
+# .. envvar:: python__group_packages3 [[[
+#
+# List of Python 3 APT packages which should be installed on hosts in
+# a specific Ansible inventory group.
+python__group_packages3: []
+
+                                                                   # ]]]
+# .. envvar:: python__host_packages3 [[[
+#
+# List of Python 3 APT packages which should be installed on specific hosts in
+# the Ansible inventory.
+python__host_packages3: []
+
+                                                                   # ]]]
+# .. envvar:: python__dependent_packages3 [[[
+#
+# List of Python 3 APT packages defined by other Ansible roles via role
+# dependent variables.
+python__dependent_packages3: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Python 2 management [[[
+# -----------------------
+
+# .. envvar:: python__v2 [[[
+#
+# Enable or disable support for Python 2.7 management. Python 2.7 support will
+# be automatically disabled if the ``ansible_python_interpreter`` inventory
+# variable is set to ``/usr/bin/python3``, or Ansible detects the Python 3.x
+# interpreter dynamically, otherwise it will be enabled by default on older OS
+# releases.
+#
+# On Debian Buster and beyond, Python 2.7 support is disabled by default to
+# configure a Python 3.x-only environment.
+#
+# If Python 2.7 support is disabled, using the role in the "raw" mode will
+# purge Python 2.7 packages automatically. This can be controlled by the
+# :envvar:`python__raw_purge_v2` variable.
+python__v2: '{{ ansible_local.python.installed2
+                if (ansible_local | d() and ansible_local.python | d() and
+                    ansible_local.python.installed2 is defined)
+                else (True
+                      if ((ansible_python_interpreter | d("")).endswith("python") or
+                          (discovered_interpreter_python | d("")).endswith("python") or
+                           (python__register_raw_release | d() and
+                            (python__register_raw_release.stdout | d("")).strip() in
+                            ["stretch", "trusty", "xenial"]))
+                      else False) }}'
+
+                                                                   # ]]]
+# .. envvar:: python__core_packages2 [[[
+#
+# List of core Python 2 APT packages to install. These packages will be
+# installed in the "raw" mode as well as during normal role operation.
+python__core_packages2:
+  - 'python'
+  - 'python-apt-common'
+
+                                                                   # ]]]
+# .. envvar:: python__base_packages2 [[[
+#
+# List of base Python 2 packages to install via APT. These packages should allow
+# creation of Python 2 virtual environments and installation of Python packages
+# via the :command:`pip` command from the PyPI repository, as well as Ansible
+# operation on the remote host.
+python__base_packages2:
+  - 'python-httplib2'
+  - '{{ "python-pip"
+        if (ansible_distribution_release in
+            ["stretch", "buster",
+             "trusty", "xenial", "bionic"])
+           else [] }}'
+  - 'python-setuptools'
+  - 'python-pycurl'
+  - 'python-virtualenv'
+  - 'python-wheel'
+
+                                                                   # ]]]
+# .. envvar:: python__packages2 [[[
+#
+# List of Python 2 APT packages which should be installed on all hosts in the
+# Ansible inventory.
+python__packages2: []
+
+                                                                   # ]]]
+# .. envvar:: python__group_packages2 [[[
+#
+# List of Python 2 APT packages which should be installed on hosts in
+# a specific Ansible inventory group.
+python__group_packages2: []
+
+                                                                   # ]]]
+# .. envvar:: python__host_packages2 [[[
+#
+# List of Python 2 APT packages which should be installed on specific hosts in
+# the Ansible inventory.
+python__host_packages2: []
+
+                                                                   # ]]]
+# .. envvar:: python__dependent_packages2 [[[
+#
+# List of Python 2 APT packages defined by other Ansible roles via role
+# dependent variables.
+python__dependent_packages2: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Python 2/3 package installation [[[
+# -----------------------------------
+
+# .. envvar:: python__core_packages [[[
+#
+# List of APT packages that contains core Python packages selected by the role
+# for installation. These packages will be installed in the "raw" mode as well
+# as during normal operation. This variable is used in the role tasks.
+python__core_packages: '{{ (python__core_packages3
+                            if (python__v3 | bool) else [])
+                           + (python__core_packages2
+                              if (python__v2 | bool) else []) }}'
+
+                                                                   # ]]]
+# .. envvar:: python__combined_packages [[[
+#
+# List of APT packages that contains Python packages selected by the role for
+# installation. This variable is used in the role tasks.
+python__combined_packages: '{{ python__core_packages
+                               + ((python__base_packages3
+                                   + python__packages3
+                                   + python__group_packages3
+                                   + python__host_packages3
+                                   + python__dependent_packages3)
+                                  if python__v3 | bool else [])
+                               + ((python__base_packages2
+                                   + python__packages2
+                                   + python__group_packages2
+                                   + python__host_packages2
+                                   + python__dependent_packages2)
+                                  if python__v2 | bool else []) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Python 2 package purging [[[
+# ----------------------------
+
+# .. envvar:: python__raw_purge_v2 [[[
+#
+# Enable or disable purging of the Python 2.7 packages in the "raw" mode. This
+# is useful if you want to completely remove Python 2.7 environment during host
+# bootstrapping, and will be enabled by default if the
+# ``ansible_python_interpreter`` inventory variable is set to
+# ``/usr/bin/python3``.
+#
+# The packages will not be purged if the role detects the presence of the
+# :file:`/etc/ansible/facts.d/python.fact` script.
+python__raw_purge_v2: '{{ False
+                          if (python__v2 | bool)
+                          else True }}'
+
+                                                                   # ]]]
+# .. envvar:: python__raw_purge_packages2 [[[
+#
+# List of Python 2.7 APT packages which will be purged by the role in the "raw"
+# mode.
+python__raw_purge_packages2:
+  - 'python'
+  - 'python2.7'
+  - 'libpython2.7-minimal'
+                                                                   # ]]]
+                                                                   # ]]]
+# PIP configuration [[[
+# ---------------------
+
+# .. envvar:: python__pip_version_check [[[
+#
+# Whether PIP should check for version updates itself.
+# Defaults to ``False`` because the system takes care of PIP updates.
+python__pip_version_check: False
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/python/meta/main.yml b/ansible_collections/debops/debops/roles/python/meta/main.yml
new file mode 100644
index 00000000..a12b8f06
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Python environment'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - pip
+    - python
+    - python2
+    - python3
+    - programming
+    - virtualenv
diff --git a/ansible_collections/debops/debops/roles/python/tasks/main.yml b/ansible_collections/debops/debops/roles/python/tasks/main.yml
new file mode 100644
index 00000000..cf562090
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Python local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/python.fact.j2'
+    dest: '/etc/ansible/facts.d/python.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Install requested packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", python__combined_packages) }}'
+    state: 'present'
+  register: python__register_packages
+  until: python__register_packages is succeeded
+  when: python__enabled | bool
+
+- name: Generate pip configuration
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/pip.conf.j2") }}'
+    dest: '/etc/pip.conf'
+    mode: '0644'
+
+- name: Update the role status in local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/python.fact.j2'
+    dest: '/etc/ansible/facts.d/python.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: (python__enabled | bool and ansible_local | d() and
+         ansible_local.python | d() and
+         not ansible_local.python.configured | bool)
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/python/tasks/main_raw.yml b/ansible_collections/debops/debops/roles/python/tasks/main_raw.yml
new file mode 100644
index 00000000..d9568846
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/tasks/main_raw.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Inject host entries into /etc/hosts
+  ansible.builtin.raw: |
+    if ! grep "{{ python__raw_etc_hosts.split() | first }}" /etc/hosts ; then
+      printf "%s\n" "{{ python__raw_etc_hosts | regex_replace('\n$', '') }}" >> /etc/hosts
+    fi
+  register: python__register_etc_hosts
+  changed_when: python__register_etc_hosts.stdout == ''
+  when: python__enabled | bool and python__raw_etc_hosts | d()
+
+- name: Detect the OS release manually, no Ansible facts available
+  ansible.builtin.raw: grep -E '^VERSION=' /etc/os-release | tr -d '(")' | cut -d" " -f2
+  register: python__register_raw_release
+  changed_when: False
+  check_mode: False
+  tags: [ 'meta::facts' ]
+
+- name: Update APT repositories, install core Python packages
+  ansible.builtin.raw: |
+    if [ -z "$(find /var/cache/apt/pkgcache.bin -mmin {{ python__raw_apt_cache_valid_time }})" ]; then
+        apt-get -q update
+    fi
+    if [ "{{ python__raw_purge_v2 | bool | lower }}" = "true" ] && [ ! -f "/etc/ansible/facts.d/python.fact" ] ; then
+        LANG=C apt-get --purge -yq remove {{ python__raw_purge_packages2 | join(" ") }}
+    fi
+    LANG=C apt-get --no-install-recommends -yq install {{ python__core_packages | join(" ") }}
+  register: python__register_raw
+  when: python__enabled | bool
+  changed_when: (not python__register_raw.stdout
+                     | regex_search('0 upgraded, 0 newly installed, 0 to remove and \d+ not upgraded\.') or
+                 python__register_raw.stdout | regex_search('.+ set to manually installed\.'))
+  tags: [ 'meta::facts' ]
+
+- name: Reset connection to the host
+  ansible.builtin.meta: 'reset_connection'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/python/templates/etc/ansible/facts.d/python.fact.j2 b/ansible_collections/debops/debops/roles/python/templates/etc/ansible/facts.d/python.fact.j2
new file mode 100644
index 00000000..78f07b73
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/templates/etc/ansible/facts.d/python.fact.j2
@@ -0,0 +1,60 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import os
+import subprocess
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads("""{{ ({'enabled':  python__enabled | bool,
+                       'enabled2': python__v2      | bool,
+                       'enabled3': python__v3      | bool,
+                       'configured': (True
+                                      if (ansible_local | d() and
+                                          ansible_local.python | d() and
+                                          (ansible_local.python.configured
+                                           is defined))
+                                      else False)
+                     }) | to_nice_json }}""")
+
+output['installed2'] = cmd_exists('python2')
+output['installed3'] = cmd_exists('python3')
+
+if output['installed2']:
+    try:
+        # If this hack breaks in any way, switch to the platform module.
+        # Check the git log for an implementation.
+        output['version2'] = subprocess.check_output(
+            ['python2', '--version'],
+            stderr=subprocess.STDOUT
+        ).decode('utf-8').strip().split(' ')[-1]
+    except Exception:
+        pass
+
+if output['installed3']:
+    try:
+        # If this hack breaks in any way, switch to the platform module.
+        # Check the git log for an implementation.
+        output['version3'] = subprocess.check_output(
+            ['python3', '--version'],
+            stderr=subprocess.STDOUT
+        ).decode('utf-8').strip().split(' ')[-1]
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/python/templates/etc/pip.conf.j2 b/ansible_collections/debops/debops/roles/python/templates/etc/pip.conf.j2
new file mode 100644
index 00000000..2014fc89
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/python/templates/etc/pip.conf.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2020 Robin Schneider <ypid@riseup.net>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[global]
+disable-pip-version-check = {{ not python__pip_version_check }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_management/COPYRIGHT b/ansible_collections/debops/debops/roles/rabbitmq_management/COPYRIGHT
new file mode 100644
index 00000000..948a79f3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_management/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.rabbitmq_management - Configure RabbitMQ Management Console
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_management/defaults/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_management/defaults/main.yml
new file mode 100644
index 00000000..c745df52
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_management/defaults/main.yml
@@ -0,0 +1,187 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rabbitmq_management__ref_defaults:
+
+# debops.rabbitmq_management default variables [[[
+# ================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration [[[
+# -----------------------
+
+# .. envvar:: rabbitmq_management__local [[[
+#
+# Enable or disable configuration of the RabbitMQ Management Console on a given
+# host. Other services like :command:`nginx` will still be configured if this
+# variable is set to ``False``, the role just assumes that the Management
+# Console is on a different host.
+rabbitmq_management__local: True
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__deploy_state [[[
+#
+# If ``present``, RabbitMQ Management Console will be configured on a given
+# host. If ``absent``, the RabbitMQ Management Console will be uninstalled.
+rabbitmq_management__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__fqdn [[[
+#
+# The Fully Qualified Domain Name address on which the RabbitMQ Management
+# Console will be accessible.
+rabbitmq_management__fqdn: 'rabbitmq.{{ rabbitmq_management__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__domain [[[
+#
+# The DNS domain used by default to configure the main application FQDN.
+rabbitmq_management__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__webserver_allow [[[
+#
+# List of IP addresses or CIDR subnets which will be permitted to access the
+# RabbitMQ Management Console web interface. If the list is empty, anybody can
+# access the service.
+rabbitmq_management__webserver_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ plugins [[[
+# --------------------
+
+# .. envvar:: rabbitmq_management__default_plugins [[[
+#
+# List of default RabbitMQ plugins to enable.
+rabbitmq_management__default_plugins: [ 'rabbitmq_management' ]
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__plugins [[[
+#
+# List of additional RabbitMQ plugins to enable.
+rabbitmq_management__plugins: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Backend plugin configuration [[[
+# --------------------------------
+
+# .. envvar:: rabbitmq_management__app_port [[[
+#
+# The TCP port used by the RabbitMQ Management Console plugin.
+rabbitmq_management__app_port: '15672'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__app_bind [[[
+#
+# The interface to which the plugin will be bound. Keep in mind that the
+# Management Console needs to be accessed over an interface different than the
+# ``localhost``, otherwise the ``loopback_users`` RabbitMQ configuration option
+# will not work. A firewall is very useful to protect the external TCP port.
+#
+# With the default configuration, the plugin will listen on both IPv4 and IPv6
+# networks.
+rabbitmq_management__app_bind: '::'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__app_host [[[
+#
+# The FQDN address on which the plugin will be accessed by the reverse proxy
+# (:command:`nginx`). By default it's the host's own FQDN.
+rabbitmq_management__app_host: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__app_protocol [[[
+#
+# The HTTP protocol to use to contact the backend service. If the service is
+# installed locally, ``http://`` is used by default, else the ``https://`` is
+# assumed as default.
+rabbitmq_management__app_protocol: '{{ "http"
+                                       if rabbitmq_management__local | bool
+                                       else "https" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ main configuration [[[
+# -------------------------------
+
+# .. envvar:: rabbitmq_management__default_config [[[
+#
+# Default configuration options for the RabbitMQ Management Console. See the
+# documentation of the ``debops.rabbitmq_server`` Ansible role for more
+# details.
+rabbitmq_management__default_config:
+
+  - name: 'rabbitmq_management'
+    state: '{{ rabbitmq_management__deploy_state }}'
+    options:
+
+      - name: 'listener'
+        value: |
+          [{port, {{ rabbitmq_management__app_port + '}' }},
+           {ip, "{{ rabbitmq_management__app_bind }}"}]
+        comment: |
+          Communication with the Management Console is done using
+          a reverse proxy at 'https://{{ rabbitmq_management__fqdn }}/'
+        type: 'raw'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__config [[[
+#
+# Additional configuration options set in the RabbitMQ configuration file.
+rabbitmq_management__config: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: rabbitmq_management__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+rabbitmq_management__etc_services__dependent_list:
+
+  - name: 'rabbitmq-mgmt'
+    port: '{{ rabbitmq_management__app_port }}'
+    comment: 'RabbitMQ Management Console'
+    state: '{{ rabbitmq_management__deploy_state }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__rabbitmq_server__dependent_config [[[
+#
+# Configuration for the :ref:`debops.rabbitmq_server` Ansible role.
+rabbitmq_management__rabbitmq_server__dependent_config:
+  - '{{ rabbitmq_management__default_config }}'
+  - '{{ rabbitmq_management__config }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+rabbitmq_management__nginx__dependent_servers:
+  - name: '{{ rabbitmq_management__fqdn }}'
+    by_role: 'debops.rabbitmq_management'
+    filename: 'debops.rabbitmq_management'
+    state: '{{ rabbitmq_management__deploy_state }}'
+    type: 'proxy'
+    proxy_pass: '{{ rabbitmq_management__app_protocol }}://rabbitmq_management'
+    proxy_redirect: 'default'
+    allow: '{{ rabbitmq_management__webserver_allow }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_management__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+rabbitmq_management__nginx__dependent_upstreams:
+  - name: 'rabbitmq_management'
+    server: '{{ rabbitmq_management__app_host + ":" + rabbitmq_management__app_port }}'
+    state: '{{ rabbitmq_management__deploy_state }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_management/meta/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_management/meta/main.yml
new file mode 100644
index 00000000..42fac313
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_management/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure RabbitMQ Management Console'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - amqp
+    - stomp
+    - mqtt
+    - broker
+    - queue
+    - networking
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_management/tasks/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_management/tasks/main.yml
new file mode 100644
index 00000000..18d29988
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_management/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage RabbitMQ plugins
+  community.rabbitmq.rabbitmq_plugin:
+    names: '{{ (rabbitmq_management__default_plugins
+                + rabbitmq_management__plugins) | join(",") }}'
+    state: '{{ "enabled" if rabbitmq_management__deploy_state != "absent" else "disabled" }}'
+    new_only: True
+  when: rabbitmq_management__local | bool
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/COPYRIGHT b/ansible_collections/debops/debops/roles/rabbitmq_server/COPYRIGHT
new file mode 100644
index 00000000..7f4bd7ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.rabbitmq_server - Manage RabbitMQ service using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/defaults/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_server/defaults/main.yml
new file mode 100644
index 00000000..bad9ef44
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/defaults/main.yml
@@ -0,0 +1,961 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017-2024 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017-2024 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rabbitmq_server__ref_defaults:
+
+# debops.rabbitmq_server default variables [[[
+# ============================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: rabbitmq_server__base_packages [[[
+#
+# List of base APT packages to install for RabbitMQ service.
+rabbitmq_server__base_packages: [ 'rabbitmq-server' ]
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__packages [[[
+#
+# List of additional APT packages to install with RabbitMQ service.
+rabbitmq_server__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# System configuration [[[
+# ------------------------
+
+# .. envvar:: rabbitmq_server__user [[[
+#
+# Name of the UNIX system account used by RabbitMQ service.
+rabbitmq_server__user: 'rabbitmq'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group [[[
+#
+# Name of the UNIX system group used by RabbitMQ service.
+rabbitmq_server__group: 'rabbitmq'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__append_groups [[[
+#
+# List of additional UNIX groups to add the RabbitMQ user into. The
+# ``ssl-cert`` UNIX group is used for the X.509 private key access.
+rabbitmq_server__append_groups: '{{ ["ssl-cert"] if rabbitmq_server__pki | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__home [[[
+#
+# Absolute path of the RabbitMQ home directory.
+rabbitmq_server__home: '/var/lib/rabbitmq'
+                                                                   # ]]]
+                                                                   # ]]]
+# Resource utilization [[[
+# ------------------------
+
+# .. envvar:: rabbitmq_server__relative_disk_free_limit [[[
+#
+# Floating point which tells RabbitMQ how much of the free disk space relative
+# to system RAM it should expect before allowing for operation. The default
+# value tells RabbitMQ to expect twice the amount of available RAM to be free
+# on the disk.
+#
+# See https://www.rabbitmq.com/production-checklist.html for more details.
+rabbitmq_server__relative_disk_free_limit: 2.0
+                                                                   # ]]]
+                                                                   # ]]]
+# Erlang cookie [[[
+# -----------------
+
+# .. envvar:: rabbitmq_server__erlang_cookie_path [[[
+#
+# Absolute path of the Erlang cookie file used by RabbitMQ.
+rabbitmq_server__erlang_cookie_path: '{{ rabbitmq_server__home + "/.erlang.cookie" }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__erlang_cookie_password [[[
+#
+# The contents of the Erlang cookie file used by RabbitMQ. It needs to be the
+# same on all nodes in the RabbitMQ cluster.
+rabbitmq_server__erlang_cookie_password: '{{ lookup("password", secret
+                                             + "/rabbitmq_server/cluster/erlang_cookie "
+                                             + "length=64") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Advanced Message Queuing Protocol (AMQP) configuration [[[
+# ----------------------------------------------------------
+
+# .. envvar:: rabbitmq_server__amqp_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# RabbitMQ service over plaintext ``amqp://`` connection.
+#
+# If the TLS support is enabled, only the hosts and subnets specified in this
+# list will be allowed to connect.
+#
+# If the TLS support is disabled, and nothing is specified, anybody will be
+# able to connect over plaintext. You can specify the entries to limit the
+# connections to selected IPs and subnets.
+rabbitmq_server__amqp_allow: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__amqps_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# RabbitMQ service over TLS ``amqps://`` connection.
+#
+# If this list is empty, anybody can connect over encrypted connection.
+rabbitmq_server__amqps_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ environment [[[
+# ------------------------
+
+# These variables define contents of the
+# :file:`/etc/rabbitmq/rabbitmq-env.conf` configuration file. This file is
+# sourced by the RabbitMQ init script and should contain shell environment
+# variables that should be defined in the server environment. Each variable is
+# a YAML dictionary, dictionary keys are variable names (they will be written
+# as uppercase automatically), dictionary values are environment values.
+
+# You can find the list of known environment variables in the RabbitMQ
+# documentation: https://www.rabbitmq.com/configure.html#customise-environment
+
+# .. envvar:: rabbitmq_server__environment [[[
+#
+# The RabbitMQ environment variables defined on all hosts in the Ansible
+# inventory.
+rabbitmq_server__environment: {}
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_environment [[[
+#
+# The RabbitMQ environment variables defined on hosts in a specific Ansible
+# inventory group.
+rabbitmq_server__group_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_environment [[[
+#
+# The RabbitMQ environment variables defined on specific hosts in the Ansible
+# inventory.
+rabbitmq_server__host_environment: {}
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_environment [[[
+#
+# The variable which combines all of the environment variables and is used in
+# the configuration template.
+rabbitmq_server__combined_environment: '{{ rabbitmq_server__environment
+                                           | combine(rabbitmq_server__group_environment,
+                                                     rabbitmq_server__host_environment) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ main configuration [[[
+# -------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/rabbitmq/rabbitmq.config` configuration file.
+# See :ref:`rabbitmq_server__ref_config` for more details.
+
+# .. envvar:: rabbitmq_server__default_config [[[
+#
+# The default configuration defined by the ``debops.rabbitmq_server`` Ansible
+# role.
+rabbitmq_server__default_config:
+
+  - name: 'ssl'
+    state: '{{ "present" if rabbitmq_server__pki | bool else "ignore" }}'
+    options:
+
+      - name: 'versions'
+        value: [ 'tlsv1.2', 'tlsv1.1' ]
+        type: 'atom'
+
+      - name: 'ciphers'
+        value: |
+          [
+            {{ rabbitmq_server__ssl_ciphers | indent(2) }}
+          ]
+        type: 'raw'
+        state: '{{ "present"
+                   if rabbitmq_server__ssl_ciphers
+                   else "ignore" }}'
+
+      - client_renegotiation: False
+
+      - secure_renegotiate: True
+
+      - reuse_sessions: True
+
+      - honor_cipher_order: True
+
+      - honor_ecc_order: True
+
+  - name: 'rabbit'
+    state: '{{ "present" if rabbitmq_server__pki | bool else "ignore" }}'
+    options:
+
+      - name: 'tcp_listeners'
+        comment: |
+          Listen for TCP connections only on the 'localhost' interface
+          when the TLS support is enabled
+        value: |
+          [{"127.0.0.1", 5672},
+           {"::1",       5672}]
+        type: 'raw'
+        state: '{{ "ignore" if rabbitmq_server__amqp_allow else "present" }}'
+
+      - ssl_listeners: [ 5671 ]
+
+      - name: 'ssl_options'
+        value: |
+          [{cacertfile,           "{{ rabbitmq_server__cacertfile }}"},
+           {certfile,             "{{ rabbitmq_server__certfile }}"},
+           {keyfile,              "{{ rabbitmq_server__keyfile }}"},
+           {% if rabbitmq_server__ssl_dhparam %}
+          {dhfile,               "{{ rabbitmq_server__ssl_dhparam }}"},
+           {% endif -%}
+           {versions,             ['tlsv1.2', 'tlsv1.1']},
+           {depth,                2},
+           {% if rabbitmq_server__ssl_ciphers %}
+          {ciphers,              [
+                                    {{ rabbitmq_server__ssl_ciphers | indent(26) }}
+                                  ]},
+           {% endif -%}
+           {honor_cipher_order,   true},
+           {honor_ecc_order,      true},
+           {client_renegotiation, false},
+           {secure_renegotiate,   true},
+           {reuse_sessions,       true},
+           {verify,               verify_peer},
+           {fail_if_no_peer_cert, false}]
+        type: 'raw'
+
+  - name: 'rabbit'
+    options:
+
+      - name: 'disk_free_limit'
+        value: '{mem_relative, {{ rabbitmq_server__relative_disk_free_limit }}{{ "}" }}'
+        type: 'raw'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__config [[[
+#
+# List of RabbitMQ configuration options defined for all hosts in the Ansible
+# inventory.
+rabbitmq_server__config: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_config [[[
+#
+# List of RabbitMQ configuration options defined for hosts in a specific
+# Ansible inventory group.
+rabbitmq_server__group_config: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_config [[[
+#
+# List of RabbitMQ configuration options defined for specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_config: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__dependent_role [[[
+#
+# A string that identifies another Ansible role that uses the
+# ``debops.rabbitmq_server`` role as a dependency. This value is needed to
+# correctly store the dependent configuration options.
+# See :ref:`rabbitmq_server__ref_dependency` for more details.
+rabbitmq_server__dependent_role: ''
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__dependent_state [[[
+#
+# Specify the state of the dependent configuration options, either ``present``
+# (options should be included in the configuration file) or ``absent`` (options
+# should be removed from the configuration file).
+# See :ref:`rabbitmq_server__ref_dependency` for more details.
+rabbitmq_server__dependent_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__dependent_config [[[
+#
+# List of RabbitMQ configuration options defined by another Ansible role
+# and specified using role dependent variables.
+rabbitmq_server__dependent_config: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__dependent_config_filter [[[
+#
+# Actual variable used in the combined RabbitMQ configuration that unwraps
+# the dependent configuration specified by other Ansible roles and converts it
+# into format understood by the ``debops.rabbitmq_server`` configuration
+# template. See :ref:`rabbitmq_server__ref_dependency` for more details.
+rabbitmq_server__dependent_config_filter: '{{ lookup("template",
+                                              "lookup/rabbitmq_server__dependent_config_filter.j2")
+                                              | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_config [[[
+#
+# List that combines RabbitMQ configuration variables and passes them to the
+# template file.
+rabbitmq_server__combined_config: '{{ rabbitmq_server__default_config
+                                      + rabbitmq_server__dependent_config_filter
+                                      + rabbitmq_server__config
+                                      + rabbitmq_server__group_config
+                                      + rabbitmq_server__host_config }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ plugin configuration [[[
+# ---------------------------------
+
+# These variables specify what RabbitMQ plugins should be enabled on a given
+# host. See :ref:`rabbitmq_server__ref_plugins` for more details.
+
+# .. envvar:: rabbitmq_server__default_plugins [[[
+#
+# List of default RabbitMQ plugins enabled by this Ansible role.
+rabbitmq_server__default_plugins:
+
+  # Required on all hosts by RabbitMQ Management Console
+  - name: 'rabbitmq_management_agent'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__plugins [[[
+#
+# List of RabbitMQ plugins to enable on all hosts in the Ansible inventory.
+rabbitmq_server__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_plugins [[[
+#
+# List of RabbitMQ plugins to enable on hosts in a specific Ansible inventory
+# group.
+rabbitmq_server__group_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_plugins [[[
+#
+# List of RabbitMQ plugins to enable on specific hosts in the Ansible
+# inventory.
+rabbitmq_server__host_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_plugins [[[
+#
+# Combined list of RabbitMQ plugins passed to the Ansible module.
+rabbitmq_server__combined_plugins: '{{ rabbitmq_server__default_plugins
+                                       + rabbitmq_server__plugins
+                                       + rabbitmq_server__group_plugins
+                                       + rabbitmq_server__host_plugins }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ virtual host configuration [[[
+# ---------------------------------------
+
+# These variables can be used to configure RabbitMQ virtual hosts.
+# See :ref:`rabbitmq_server__ref_vhosts` for more details.
+
+# .. envvar:: rabbitmq_server__vhosts [[[
+#
+# List of RabbitMQ virtual hosts managed on all hosts in the Ansible inventory.
+rabbitmq_server__vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_vhosts [[[
+#
+# List of RabbitMQ virtual hosts managed on hosts in specific Ansible inventory
+# group.
+rabbitmq_server__group_vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_vhosts [[[
+#
+# List of RabbitMQ virtual hosts managed on specific hosts in the Ansible
+# inventory.
+rabbitmq_server__host_vhosts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__parameters_vhosts [[[
+#
+# List of RabbitMQ virtual hosts that are mentioned in parameter configuration.
+# Each virtual host will be created if not already present.
+rabbitmq_server__parameters_vhosts: '{{ lookup("template",
+                                        "lookup/rabbitmq_server__parameters_vhosts.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__policies_vhosts [[[
+#
+# List of RabbitMQ virtual hosts that are mentioned in policy configuration.
+# Each virtual host will be created if not already present.
+rabbitmq_server__policies_vhosts: '{{ lookup("template",
+                                      "lookup/rabbitmq_server__policies_vhosts.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__accounts_vhosts [[[
+#
+# List of RabbitMQ virtual hosts that are mentioned in user account
+# configuration. Each virtual host will be created if not already present.
+rabbitmq_server__accounts_vhosts: '{{ lookup("template",
+                                      "lookup/rabbitmq_server__accounts_vhosts.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_vhosts [[[
+#
+# Combined list of RabbitMQ virtual hosts passed to the Ansible task.
+rabbitmq_server__combined_vhosts: '{{ rabbitmq_server__vhosts
+                                      + rabbitmq_server__group_vhosts
+                                      + rabbitmq_server__host_vhosts
+                                      + rabbitmq_server__parameters_vhosts
+                                      + rabbitmq_server__policies_vhosts
+                                      + rabbitmq_server__accounts_vhosts }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ vhost limits [[[
+# -------------------------
+
+# These variables can be used to define RabbitMQ virtual host limits (maximum
+# number of connections and queues).
+# See :ref:`rabbitmq_server__ref_vhost_limits` for more details.
+
+# .. envvar:: rabbitmq_server__vhost_limits [[[
+#
+# List of vhost limits which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__vhost_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_vhost_limits [[[
+#
+# List of vhost limits which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_vhost_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_vhost_limits [[[
+#
+# List of vhost limits which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_vhost_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_vhost_limits [[[
+#
+# Combined list of all vhost limits used in role tasks and templates.
+rabbitmq_server__combined_vhost_limits: '{{ rabbitmq_server__vhost_limits
+                                          + rabbitmq_server__group_vhost_limits
+                                          + rabbitmq_server__host_vhost_limits }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ parameter configuration [[[
+# ------------------------------------
+
+# These variables can be used to manage RabbitMQ parameters.
+# See :ref:`rabbitmq_server__ref_parameters` for more details.
+
+# .. envvar:: rabbitmq_server__parameters [[[
+#
+# List of RabbitMQ parameters which should be configured on all hosts in the
+# Ansible inventory.
+rabbitmq_server__parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_parameters [[[
+#
+# List of RabbitMQ parameters which should be configured on hosts in specific
+# Ansible inventory group.
+rabbitmq_server__group_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_parameters [[[
+#
+# List of RabbitMQ parameters which should be configured on specific hosts in
+# the Ansible inventory.
+rabbitmq_server__host_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_parameters [[[
+#
+# Combined list of all RabbitMQ parameters passed to the Ansible task.
+rabbitmq_server__combined_parameters: '{{ rabbitmq_server__parameters
+                                          + rabbitmq_server__group_parameters
+                                          + rabbitmq_server__host_parameters }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ policy configuration [[[
+# ---------------------------------
+
+# These variables can be used to manage RabbitMQ policies.
+# See :ref:`rabbitmq_server__ref_policies` for more details.
+
+# .. envvar:: rabbitmq_server__policies [[[
+#
+# List of RabbitMQ policies which should be configured on all hosts in the
+# Ansible inventory.
+rabbitmq_server__policies: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_policies [[[
+#
+# List of RabbitMQ policies which should be configured on hosts in specific
+# Ansible inventory group.
+rabbitmq_server__group_policies: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_policies [[[
+#
+# List of RabbitMQ policies which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_policies: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_policies [[[
+#
+# Combined list of all RabbitMQ policies passed to the Ansible task.
+rabbitmq_server__combined_policies: '{{ rabbitmq_server__policies
+                                        + rabbitmq_server__group_policies
+                                        + rabbitmq_server__host_policies }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ user account configuration [[[
+# ---------------------------------------
+
+# These variables can be used to manage RabbitMQ user accounts.
+# See :ref:`rabbitmq_server__ref_accounts` for more details.
+
+# .. envvar:: rabbitmq_server__admin_accounts [[[
+#
+# List of automatically managed administrator accounts, based of the admin
+# users managed by the :ref:`debops.core` Ansible role.
+rabbitmq_server__admin_accounts: '{{ lookup("template",
+                                     "lookup/rabbitmq_server__admin_accounts.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__default_accounts [[[
+#
+# List of default RabbitMQ user accounts defined by the role.
+rabbitmq_server__default_accounts:
+
+  # Remove the default user account
+  - name: 'guest'
+    state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__accounts [[[
+#
+# List of RabbitMQ user accounts which should be managed on all hosts in the
+# Ansible inventory.
+rabbitmq_server__accounts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_accounts [[[
+#
+# List of RabbitMQ user accounts which should be managed on hosts in a specific
+# Ansible inventory group.
+rabbitmq_server__group_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_accounts [[[
+#
+# List of RabbitMQ user accounts which should be managed on specific hosts in
+# the Ansible inventory.
+rabbitmq_server__host_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_accounts [[[
+#
+# Combined list of RabbitMQ user accounts, passed to the Ansible task.
+rabbitmq_server__combined_accounts: '{{ rabbitmq_server__admin_accounts
+                                        + rabbitmq_server__default_accounts
+                                        + rabbitmq_server__accounts
+                                        + rabbitmq_server__group_accounts
+                                        + rabbitmq_server__host_accounts }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__admin_default_vhost [[[
+#
+# The default RabbitMQ virtual host which will be configured for the RabbitMQ
+# administrator accounts.
+rabbitmq_server__admin_default_vhost: '/'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__account_password_length [[[
+#
+# The default length of the autogenerated user account passwords.
+rabbitmq_server__account_password_length: '32'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ user limits [[[
+# ------------------------
+
+# These variables can be used to define RabbitMQ per-user limits (maximum number
+# of connections and used channels).
+# See :ref:`rabbitmq_server__ref_user_limits` for more details.
+
+# .. envvar:: rabbitmq_server__user_limits [[[
+#
+# List of user limits which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__user_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_user_limits [[[
+#
+# List of user limits which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_user_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_user_limits [[[
+#
+# List of user limits which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_user_limits: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_user_limits [[[
+#
+# Combined list of all user limits used in role tasks and templates.
+rabbitmq_server__combined_user_limits: '{{ rabbitmq_server__user_limits
+                                           + rabbitmq_server__group_user_limits
+                                           + rabbitmq_server__host_user_limits }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ exchanges [[[
+# ----------------------
+
+# These variables can be used to define RabbitMQ exchanges which receive
+# messages for processing.
+# See :ref:`rabbitmq_server__ref_exchanges` for more details.
+
+# .. envvar:: rabbitmq_server__exchanges [[[
+#
+# List of exchanges which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__exchanges: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_exchanges [[[
+#
+# List of exchanges which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_exchanges: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_exchanges [[[
+#
+# List of exchanges which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_exchanges: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_exchanges [[[
+#
+# Combined list of all exchanges used in role tasks and templates.
+rabbitmq_server__combined_exchanges: '{{ rabbitmq_server__exchanges
+                                         + rabbitmq_server__group_exchanges
+                                         + rabbitmq_server__host_exchanges }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ queues [[[
+# -------------------
+
+# These variables can be used to define RabbitMQ queues which store processed
+# messages for consumers.
+# See :ref:`rabbitmq_server__ref_queues` for more details.
+
+# .. envvar:: rabbitmq_server__queues [[[
+#
+# List of queues which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__queues: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_queues [[[
+#
+# List of queues which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_queues: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_queues [[[
+#
+# List of queues which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_queues: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_queues [[[
+#
+# Combined list of all queues used in role tasks and templates.
+rabbitmq_server__combined_queues: '{{ rabbitmq_server__queues
+                                      + rabbitmq_server__group_queues
+                                      + rabbitmq_server__host_queues }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ bindings [[[
+# ---------------------
+
+# These variables can be used to define RabbitMQ bindings which connect
+# exchanges and queues.
+# See :ref:`rabbitmq_server__ref_bindings` for more details.
+
+# .. envvar:: rabbitmq_server__bindings [[[
+#
+# List of bindings which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__bindings: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_bindings [[[
+#
+# List of bindings which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_bindings: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_bindings [[[
+#
+# List of bindings which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_bindings: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_bindings [[[
+#
+# Combined list of all bindings used in role tasks and templates.
+rabbitmq_server__combined_bindings: '{{ rabbitmq_server__bindings
+                                        + rabbitmq_server__group_bindings
+                                        + rabbitmq_server__host_bindings }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ feature flags [[[
+# --------------------------
+
+# These variables can be used to define RabbitMQ feature flags which should be
+# present on specific or all RabbitMQ nodes.
+# See :ref:`rabbitmq_server__ref_feature_flags` for more details.
+
+# .. envvar:: rabbitmq_server__feature_flags [[[
+#
+# List of feature flags which should be configured on all hosts in the Ansible
+# inventory.
+rabbitmq_server__feature_flags: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_feature_flags [[[
+#
+# List of feature flags which should be configured on hosts in specific Ansible
+# inventory group.
+rabbitmq_server__group_feature_flags: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_feature_flags [[[
+#
+# List of feature flags which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_feature_flags: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_feature_flags [[[
+#
+# Combined list of all feature flags used in role tasks and templates.
+rabbitmq_server__combined_feature_flags: '{{ rabbitmq_server__feature_flags
+                                             + rabbitmq_server__group_feature_flags
+                                             + rabbitmq_server__host_feature_flags }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ global parameters [[[
+# ------------------------------
+
+# These variables can be used to define RabbitMQ global parameters on one or
+# more RabbitMQ nodes.
+# See :ref:`rabbitmq_server__ref_global_parameters` for more details.
+
+# .. envvar:: rabbitmq_server__global_parameters [[[
+#
+# List of global parameters which should be configured on all hosts in the
+# Ansible inventory.
+rabbitmq_server__global_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__group_global_parameters [[[
+#
+# List of global parameters which should be configured on hosts in specific
+# Ansible inventory group.
+rabbitmq_server__group_global_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__host_global_parameters [[[
+#
+# List of global parameters which should be configured on specific hosts in the
+# Ansible inventory.
+rabbitmq_server__host_global_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__combined_global_parameters [[[
+#
+# Combined list of all global parameters used in role tasks and templates.
+rabbitmq_server__combined_global_parameters: '{{ rabbitmq_server__global_parameters
+                                                 + rabbitmq_server__group_global_parameters
+                                                 + rabbitmq_server__host_global_parameters }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RabbitMQ cluster configuration [[[
+# ----------------------------------
+
+# .. envvar:: rabbitmq_server__cluster_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to communicate with
+# the RabbitMQ service to form a cluster (TCP ports 4369, 25672).
+# If nothing is specified, no direct cluster communication is allowed.
+rabbitmq_server__cluster_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Public Key Infrastructure configuration [[[
+# -------------------------------------------
+
+# These variables configure the PKI environment for RabbitMQ service using the
+# :ref:`debops.pki` Ansible role. See its documentation for more details.
+
+# .. envvar:: rabbitmq_server__pki [[[
+#
+# Enable or disable PKI support.
+rabbitmq_server__pki: '{{ True
+                          if (ansible_local.pki.enabled | d() and
+                              ansible_local.pki.enabled | bool) else False }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__pki_path [[[
+#
+# Absolute path to the directory with PKI realms.
+rabbitmq_server__pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__pki_realm [[[
+#
+# Name of the PKI realm to use by the RabbitMQ service.
+rabbitmq_server__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__pki_ca [[[
+#
+# Name of the Certificate Authority certificate file to use.
+rabbitmq_server__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__pki_crt [[[
+#
+# Name of the X.509 certificate file to use.
+rabbitmq_server__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__pki_key [[[
+#
+# Name of the X.509 private key file to use.
+rabbitmq_server__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__cacertfile [[[
+#
+# Absolute path of the Certificate Authority certificate to use.
+rabbitmq_server__cacertfile: '{{ rabbitmq_server__pki_path
+                                 + "/" + rabbitmq_server__pki_realm
+                                 + "/" + rabbitmq_server__pki_ca }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__certfile [[[
+#
+# Absolute path of the X.509 certificate to use.
+rabbitmq_server__certfile: '{{ rabbitmq_server__pki_path
+                               + "/" + rabbitmq_server__pki_realm
+                               + "/" + rabbitmq_server__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__keyfile [[[
+#
+# Absolute path of the X.509 private key to use.
+rabbitmq_server__keyfile: '{{ rabbitmq_server__pki_path
+                              + "/" + rabbitmq_server__pki_realm
+                              + "/" + rabbitmq_server__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__ssl_versions [[[
+#
+# List of TLS/SSL protocol versions supported by the RabbitMQ service.
+rabbitmq_server__ssl_versions: [ 'tlsv1.2', 'tlsv1.1' ]
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__ssl_ciphers [[[
+#
+# A Erlang raw string which contains a list of TLS/SSL ciphers to allow by the
+# server. Contents of this variable are gathered by the Ansible local facts.
+rabbitmq_server__ssl_ciphers: '{{ ansible_local.rabbitmq_server.raw_erlang_ssl_ciphers | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__ssl_dhparam [[[
+#
+# Path to the file with Diffie-Hellman parameters to use by the RabbitMQ
+# service. See :ref:`debops.dhparam` Ansible role for more details.
+rabbitmq_server__ssl_dhparam: '{{ (ansible_local.dhparam[rabbitmq_server__ssl_dhparam_set]
+                                   if (ansible_local | d() and ansible_local.dhparam | d() and
+                                       ansible_local.dhparam[rabbitmq_server__ssl_dhparam_set] | d())
+                                   else "") }}'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__ssl_dhparam_set [[[
+#
+# Name of the ``dhparam`` set to use.
+rabbitmq_server__ssl_dhparam_set: 'default'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: rabbitmq_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+rabbitmq_server__etc_services__dependent_list:
+
+  - name: 'einc'
+    port: '25672'
+    comment: 'Erlang Inter-Node Communication (RabbitMQ)'
+
+                                                                   # ]]]
+# .. envvar:: rabbitmq_server__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+rabbitmq_server__ferm__dependent_rules:
+
+  - name: 'rabbitmq-amqp'
+    type: 'accept'
+    saddr: '{{ rabbitmq_server__amqp_allow }}'
+    dport: [ 'amqp' ]
+    accept_any: '{{ False if rabbitmq_server__pki | bool else True }}'
+
+  - name: 'rabbitmq-amqps'
+    type: 'accept'
+    saddr: '{{ rabbitmq_server__amqps_allow }}'
+    dport: [ 'amqps' ]
+    accept_any: True
+    rule_state: '{{ "present" if rabbitmq_server__pki | bool else "absent" }}'
+
+  - name: 'rabbitmq-cluster'
+    type: 'accept'
+    saddr: '{{ rabbitmq_server__cluster_allow }}'
+    dport: [ 'epmd', 'einc' ]
+    accept_any: False
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/meta/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_server/meta/main.yml
new file mode 100644
index 00000000..aee3dbfd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage RabbitMQ service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - amqp
+    - stomp
+    - mqtt
+    - broker
+    - queue
+    - networking
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main.yml b/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main.yml
new file mode 100644
index 00000000..fe0fcc94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main.yml
@@ -0,0 +1,311 @@
+---
+# Copyright (C) 2017-2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Make sure that required UNIX group exists
+  ansible.builtin.group:
+    name: '{{ rabbitmq_server__group }}'
+    state: 'present'
+    system: True
+
+- name: Make sure that required UNIX account exists
+  ansible.builtin.user:
+    name: '{{ rabbitmq_server__user }}'
+    group: '{{ rabbitmq_server__group }}'
+    groups: '{{ rabbitmq_server__append_groups | join(",") }}'
+    home: '{{ rabbitmq_server__home }}'
+    comment: 'RabbitMQ messaging server'
+    shell: '/bin/false'
+    state: 'present'
+    system: True
+    append: True
+
+  # Without this, first Erlang cookie lookup on each host
+  # returns different values.
+- name: Initialize Erlang cookie on the Ansible Controller
+  ansible.builtin.set_fact:
+    rabbitmq_server__fact_erlang_cookie: '{{ rabbitmq_server__erlang_cookie_password }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Configure Erlang cookie
+  ansible.builtin.copy:
+    content: '{{ rabbitmq_server__erlang_cookie_password }}'
+    dest: '{{ rabbitmq_server__erlang_cookie_path }}'
+    owner: '{{ rabbitmq_server__user }}'
+    group: '{{ rabbitmq_server__group }}'
+    mode: '0400'
+  notify: [ 'Restart rabbitmq-server' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Ensure that configuration directory exists
+  ansible.builtin.file:
+    path: '/etc/rabbitmq'
+    state: 'directory'
+    owner: '{{ rabbitmq_server__user }}'
+    group: '{{ rabbitmq_server__group }}'
+    mode: '0755'
+
+- name: Generate RabbitMQ environment file
+  ansible.builtin.template:
+    src: 'etc/rabbitmq/rabbitmq-env.conf.j2'
+    dest: '/etc/rabbitmq/rabbitmq-env.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart rabbitmq-server' ]
+  tags: [ 'role::rabbitmq_server:config' ]
+
+- name: Install RabbitMQ packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (rabbitmq_server__base_packages
+                              + rabbitmq_server__packages)) }}'
+    state: 'present'
+  register: rabbitmq_server__register_packages
+  until: rabbitmq_server__register_packages is succeeded
+
+- name: Check if the dependent config file exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/rabbitmq_server/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: rabbitmq_server__register_dependent_config_file
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local | d() and ansible_local.rabbitmq_server | d() and
+         ansible_local.rabbitmq_server.installed is defined and
+         ansible_local.rabbitmq_server.installed | bool)
+  tags: [ 'role::rabbitmq_server:config' ]
+
+- name: Load the dependent configuration from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/rabbitmq_server/dependent_config/" + inventory_hostname + "/config.json" }}'
+  register: rabbitmq_server__register_dependent_config
+  become: False
+  delegate_to: 'localhost'
+  when: (ansible_local | d() and ansible_local.rabbitmq_server | d() and
+         ansible_local.rabbitmq_server.installed is defined and
+         ansible_local.rabbitmq_server.installed | bool and
+         rabbitmq_server__register_dependent_config_file.stat.exists | bool)
+  tags: [ 'role::rabbitmq_server:config' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save RabbitMQ local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rabbitmq_server.fact.j2'
+    dest: '/etc/ansible/facts.d/rabbitmq_server.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Generate RabbitMQ configuration
+  ansible.builtin.template:
+    src: 'etc/rabbitmq/rabbitmq.config.j2'
+    dest: '/etc/rabbitmq/rabbitmq.config'
+    owner: '{{ rabbitmq_server__user }}'
+    group: '{{ rabbitmq_server__group }}'
+    mode: '0600'
+  notify: [ 'Restart rabbitmq-server' ]
+  tags: [ 'role::rabbitmq_server:config' ]
+
+- name: Manage RabbitMQ plugins
+  community.rabbitmq.rabbitmq_plugin:
+    names:  '{{ item.name | d(item) }}'
+    state:  '{{ "enabled" if item.state | d("present") != "absent" else "disabled" }}'
+    prefix: '{{ item.prefix | d(omit) }}'
+    new_only: True
+  loop: '{{ q("flattened", rabbitmq_server__combined_plugins) }}'
+  notify: [ 'Restart rabbitmq-server' ]
+  tags: [ 'role::rabbitmq_server:config' ]
+
+- name: Manage RabbitMQ virtual hosts
+  community.rabbitmq.rabbitmq_vhost:
+    name:    '{{ item.name | d(item) }}'
+    node:    '{{ item.node | d(omit) }}'
+    state:   '{{ item.state | d("present") }}'
+    tracing: '{{ item.tracing | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_vhosts) }}'
+  tags: [ 'role::rabbitmq_server:vhost', 'role::rabbitmq_server:parameter',
+          'role::rabbitmq_server:policy', 'role::rabbitmq_server:user' ]
+
+- name: Manage RabbitMQ virtual host limits
+  community.rabbitmq.rabbitmq_vhost_limits:
+    vhost: '{{ item.vhost }}'
+    node: '{{ item.node | d(omit) }}'
+    max_connections: '{{ item.max_connections | d(omit) }}'
+    max_queues: '{{ item.max_queues | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_vhost_limits) }}'
+  tags: [ 'role::rabbitmq_server:vhost' ]
+
+- name: Manage RabbitMQ feature flags
+  community.rabbitmq.rabbitmq_feature_flag:
+    name: '{{ item.name }}'
+    node: '{{ item.node | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_feature_flags) }}'
+
+- name: Manage RabbitMQ global parameters
+  community.rabbitmq.rabbitmq_global_parameter:
+    name:      '{{ item.name }}'
+    node:      '{{ item.node | d(omit) }}'
+    state:     '{{ item.state | d("present") }}'
+    value:     '{{ item.value | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_global_parameters) }}'
+  tags: [ 'role::rabbitmq_server:parameter' ]
+
+- name: Manage RabbitMQ parameters
+  community.rabbitmq.rabbitmq_parameter:
+    component: '{{ item.component }}'
+    name:      '{{ item.name }}'
+    node:      '{{ item.node | d(omit) }}'
+    state:     '{{ item.state | d("present") }}'
+    value:     '{{ item.value | d(omit) }}'
+    vhost:     '{{ item.vhost | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_parameters) }}'
+  when: (item.name | d() and item.component | d())
+  tags: [ 'role::rabbitmq_server:parameter' ]
+
+- name: Manage RabbitMQ policies
+  community.rabbitmq.rabbitmq_policy:
+    name:     '{{ item.name }}'
+    pattern:  '{{ item.pattern }}'
+    tags:     '{{ item.tags }}'
+    apply_to: '{{ item.apply_to | d(omit) }}'
+    node:     '{{ item.node | d(omit) }}'
+    priority: '{{ item.priority | d(omit) }}'
+    state:    '{{ item.state | d("present") }}'
+    vhost:    '{{ item.vhost | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_policies) }}'
+  when: (item.name | d() and item.pattern | d() and item.tags | d())
+  tags: [ 'role::rabbitmq_server:policy' ]
+
+- name: Manage RabbitMQ user accounts
+  community.rabbitmq.rabbitmq_user:
+    user:           '{{ item.user | d(item.name) | d(item) }}'
+    force:          '{{ item.force | d(omit) }}'
+    node:           '{{ item.node | d(omit) }}'
+    permissions:    '{{ item.permissions | d(omit) }}'  # noqa args[module]
+    configure_priv: '{{ item.configure_priv | d(omit) }}'
+    read_priv:      '{{ item.read_priv | d(omit) }}'
+    write_priv:     '{{ item.write_priv | d(omit) }}'
+    state:          '{{ item.state | d("present") }}'
+    vhost:          '{{ item.vhost | d(omit) }}'
+    password:       '{{ item.password | d(lookup("password",
+                        secret + "/rabbitmq_server/accounts/"
+                        + (item.user | d(item.name | d(item)))
+                        + "/password length="
+                        + rabbitmq_server__account_password_length)) }}'
+    tags:           '{{ (((item.tags.split(",") | list)
+                          if (item.tags | d() and item.tags is string)
+                          else item.tags) | join(","))
+                        if item.tags | d() else omit }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_accounts) }}'
+  tags: [ 'role::rabbitmq_server:user' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage RabbitMQ user limits
+  community.rabbitmq.rabbitmq_user_limits:
+    user: '{{ item.user }}'
+    node: '{{ item.node | d(omit) }}'
+    max_connections: '{{ item.max_connections | d(omit) }}'
+    max_channels: '{{ item.max_channels | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_user_limits) }}'
+  tags: [ 'role::rabbitmq_server:user' ]
+
+- name: Manage RabbitMQ exchanges
+  community.rabbitmq.rabbitmq_exchange:
+    name: '{{ item.name }}'
+    arguments: '{{ item.arguments | d(omit) }}'
+    auto_delete: '{{ item.auto_delete | d(omit) }}'
+    ca_cert: '{{ item.ca_cert | d(omit) }}'
+    client_cert: '{{ item.client_cert | d(omit) }}'
+    client_key: '{{ item.client_key | d(omit) }}'
+    durable:  '{{ item.durable | d(omit) }}'
+    exchange_type: '{{ item.exchange_type | d(omit) }}'
+    internal: '{{ item.internal | d(omit) }}'
+    login_host: '{{ item.login_host | d(omit) }}'
+    login_password: '{{ item.login_password | d(omit) }}'
+    login_port: '{{ item.login_port | d(omit) }}'
+    login_protocol: '{{ item.login_protocol | d(omit) }}'
+    login_user: '{{ item.login_user | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+    vhost: '{{ item.vhost | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_exchanges) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Manage RabbitMQ queues
+  community.rabbitmq.rabbitmq_queue:
+    name: '{{ item.name }}'
+    arguments: '{{ item.arguments | d(omit) }}'
+    auto_delete: '{{ item.auto_delete | d(omit) }}'
+    auto_expires: '{{ item.auto_expires | d(omit) }}'
+    ca_cert: '{{ item.ca_cert | d(omit) }}'
+    client_cert: '{{ item.client_cert | d(omit) }}'
+    client_key: '{{ item.client_key | d(omit) }}'
+    dead_letter_exchange: '{{ item.dead_letter_exchange | d(omit) }}'
+    dead_letter_routing_key: '{{ item.dead_letter_routing_key | d(omit) }}'
+    durable:  '{{ item.durable | d(omit) }}'
+    login_host: '{{ item.login_host | d(omit) }}'
+    login_password: '{{ item.login_password | d(omit) }}'
+    login_port: '{{ item.login_port | d(omit) }}'
+    login_protocol: '{{ item.login_protocol | d(omit) }}'
+    login_user: '{{ item.login_user | d(omit) }}'
+    max_length: '{{ item.max_length | d(omit) }}'
+    max_priority: '{{ item.max_priority | d(omit) }}'
+    message_ttl: '{{ item.message_ttl | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+    vhost: '{{ item.vhost | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_queues) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  tags: [ 'role::rabbitmq_server:queue' ]
+
+- name: Manage RabbitMQ bindings
+  community.rabbitmq.rabbitmq_binding:
+    name: '{{ item.name }}'
+    ca_cert: '{{ item.ca_cert | d(omit) }}'
+    client_cert: '{{ item.client_cert | d(omit) }}'
+    client_key: '{{ item.client_key | d(omit) }}'
+    destination: '{{ item.destination }}'
+    destination_type: '{{ item.destination_type }}'
+    login_host: '{{ item.login_host | d(omit) }}'
+    login_password: '{{ item.login_password | d(omit) }}'
+    login_port: '{{ item.login_port | d(omit) }}'
+    login_protocol: '{{ item.login_protocol | d(omit) }}'
+    login_user: '{{ item.login_user | d(omit) }}'
+    arguments: '{{ item.arguments | d(omit) }}'
+    routing_key: '{{ item.routing_key | d(omit) }}'
+    state: '{{ item.state | d("present") }}'
+    vhost: '{{ item.vhost | d(omit) }}'
+  loop: '{{ q("flattened", rabbitmq_server__combined_bindings) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Save RabbitMQ dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/rabbitmq_server/dependent_config/inventory_hostname/config.json.j2'
+    dest: '{{ secret + "/rabbitmq_server/dependent_config/" + inventory_hostname + "/config.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  tags: [ 'role::rabbitmq_server:config' ]
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main_env.yml b/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main_env.yml
new file mode 100644
index 00000000..38cbad15
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/tasks/main_env.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.rabbitmq_server environment
+  ansible.builtin.set_fact:
+    rabbitmq_server__secret__directories: '{{ lookup("template", "lookup/rabbitmq_server__secret__directories.j2")
+                                              | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/ansible/facts.d/rabbitmq_server.fact.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/ansible/facts.d/rabbitmq_server.fact.j2
new file mode 100644
index 00000000..7c5b2093
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/ansible/facts.d/rabbitmq_server.fact.j2
@@ -0,0 +1,60 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = loads('''{{ ({
+    "installed": true
+}) | to_nice_json }}''')
+
+# Strings in the 'rabbitmqctl` output which will be filtered out
+disable_ciphers = ('rc4', '3des', '{rsa,aes_', ',sha}')
+
+erlang_output = []
+raw_erlang_stdout = ''
+
+try:
+    FNULL = open('/dev/null', 'w')
+    raw_erlang_stdout = subprocess.check_output(
+            ["/usr/sbin/rabbitmqctl -q eval 'ssl:cipher_suites().'"],
+            shell=True, stderr=FNULL).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if raw_erlang_stdout:
+    for line in raw_erlang_stdout.split('\n'):
+        if (line and not any(s in line for s in disable_ciphers)
+                and not line.endswith('...done.')):
+            line_clean = (line.replace(
+                '[{', '').replace(
+                    ' {', '').replace(
+                        '},', '').replace(
+                            '}]', '').split(','))
+            if len(line_clean) == 3:
+                erlang_output.append(
+                        "{{ '{{' }}{:<16} {:<13} {}{{ '}}' }},".format(
+                            line_clean[0] + ',', line_clean[1] + ',',
+                            line_clean[2]))
+            elif len(line_clean) == 4:
+                erlang_output.append(
+                        "{{ '{{' }}{:<16} {:<13} {:<8} {}{{ '}}' }},".format(
+                            line_clean[0] + ',', line_clean[1] + ',',
+                            line_clean[2] + ',', line_clean[3]))
+
+    raw_erlang_output = "{}".format("\n".join(erlang_output).rstrip(','))
+    if raw_erlang_output:
+        output.update({'raw_erlang_ssl_ciphers': raw_erlang_output})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq-env.conf.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq-env.conf.j2
new file mode 100644
index 00000000..2c3662ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq-env.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}}
+
+# Custom environment variables for RabbitMQ Server
+
+{% for env_key, env_value in rabbitmq_server__combined_environment.items() %}
+{{ '{}="{}"'.format(env_key | upper, env_value) }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq.config.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq.config.j2
new file mode 100644
index 00000000..f6c43fd4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/etc/rabbitmq/rabbitmq.config.j2
@@ -0,0 +1,236 @@
+%% -*- mode: erlang -*-
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+
+%% {{ ansible_managed }}
+
+%% ---------------------------------------------------------------------
+%% RabbitMQ Configuration File.
+%%
+%% See https://www.rabbitmq.com/configure.html for details.
+%% ---------------------------------------------------------------------
+
+{% set rabbitmq_server__tpl_config = {} %}
+{% for element in rabbitmq_server__combined_config %}
+{%   if element is mapping %}
+{%     if element.name | d() and element.state | d('present') != 'ignore' %}
+{%       set rabbitmq_server__tpl_application = (rabbitmq_server__tpl_config[element.name].copy() if rabbitmq_server__tpl_config[element.name] is defined else {}) %}
+{%       set _ = rabbitmq_server__tpl_application.update({
+  'name':   element.name,
+  'state':  element.state  | d('present'),
+  'weight': element.weight | d(rabbitmq_server__tpl_application.weight | d(0)) | int
+}) %}
+{%       if element.comment | d() %}
+{%         set _ = rabbitmq_server__tpl_application.update({ 'comment': element.comment }) %}
+{%       endif %}
+{%       if element.options | d() %}
+{%         set rabbitmq_server__tpl_options = (rabbitmq_server__tpl_application['options'].copy() if rabbitmq_server__tpl_application['options'] is defined else {}) %}
+{%         for option in element.options %}
+{%           if option.name | d() and option.state | d('present') != 'ignore' %}
+{%             set option_params = (rabbitmq_server__tpl_options[option.name].copy() if rabbitmq_server__tpl_options[option.name] is defined else {}) %}
+{%             set _ = option_params.update({
+  'name':   option.name   | d(rabbitmq_server__tpl_options.name),
+  'value':  option.value  | d(rabbitmq_server__tpl_options.value),
+  'state':  option.state  | d(rabbitmq_server__tpl_options.state  | d('present')),
+  'weight': option.weight | d(rabbitmq_server__tpl_options.weight | d(0)) | int
+}) %}
+{%             if option.comment is defined %}
+{%               set _ = option_params.update({ 'comment': option.comment }) %}
+{%             endif %}
+{%             if option.option is defined %}
+{%               set _ = option_params.update({ 'option': option.option }) %}
+{%             endif %}
+{%             if option.type is defined %}
+{%               set _ = option_params.update({ 'type': option.type }) %}
+{%             else %}
+{%               if option.value is defined %}
+{%                 if option.value | bool and option.value is not iterable %}
+{%                   set _ = option_params.update({ 'type': 'boolean' }) %}
+{%                 elif not option.value | bool and option.value is not iterable %}
+{%                   if option.value is not none %}
+{%                     if option.value | int or option.value | string == '0' %}
+{%                       set _ = option_params.update({ 'type': 'number' }) %}
+{%                     else %}
+{%                       set _ = option_params.update({ 'type': 'boolean' }) %}
+{%                     endif %}
+{%                   endif %}
+{%                 elif option.value is string %}
+{%                   if (option.value.split('\n') | list | count > 1) %}
+{%                     set _ = option_params.update({ 'type': 'raw' }) %}
+{%                   elif option_params.type is undefined %}
+{%                     set _ = option_params.update({ 'type': 'string' }) %}
+{%                   elif option_params.type is defined and option_params.type in [ 'bit-string', 'bit-list' ] %}
+{%                     set _ = option_params.update({ 'type': 'bit-string' }) %}
+{%                   endif %}
+{%                 elif option.value is number %}
+{%                   set _ = option_params.update({ 'type': 'number' }) %}
+{%                 elif option.value is mapping %}
+{%                   set _ = option_params.update({ 'type': 'mapping' }) %}
+{%                 elif option.value is not string and option.value is not mapping %}
+{%                   if option_params.type is undefined %}
+{%                     set _ = option_params.update({ 'type': 'list' }) %}
+{%                   elif option_params.type is defined and option_params.type in [ 'bit-string', 'bit-list' ] %}
+{%                     set _ = option_params.update({ 'type': 'bit-list' }) %}
+{%                   endif %}
+{%                 endif %}
+{%               endif %}
+{%             endif %}
+{%             if option_params | d() %}
+{%               set _ = rabbitmq_server__tpl_options.update({ option.name: option_params }) %}
+{%             endif %}
+{%           elif option is mapping and (not option.name | d() and not option.state | d()) %}
+{%             for option_key, option_value in option.items() %}
+{%               set option_params = (rabbitmq_server__tpl_options[option_key].copy() if rabbitmq_server__tpl_options[option_key] is defined else {}) %}
+{%               set _ = option_params.update({
+  'name':   option_key,
+  'value':  option_value,
+  'state':  rabbitmq_server__tpl_options.state  | d('present'),
+  'weight': rabbitmq_server__tpl_options.weight | d(0) | int
+}) %}
+{%               if option_value | bool and option_value is not iterable %}
+{%                 set _ = option_params.update({ 'type': 'boolean' }) %}
+{%               elif not option_value | bool and option_value is not iterable %}
+{%                 if option_value is not none %}
+{%                   if option_value | int or option_value | string == '0' %}
+{%                     set _ = option_params.update({ 'type': 'number' }) %}
+{%                   else %}
+{%                     set _ = option_params.update({ 'type': 'boolean' }) %}
+{%                   endif %}
+{%                 endif %}
+{%               elif option_value is string %}
+{%                 if (option_value.split('\n') | list | count > 1) %}
+{%                   set _ = option_params.update({ 'type': 'raw' }) %}
+{%                 elif option_params.type is undefined %}
+{%                   set _ = option_params.update({ 'type': 'string' }) %}
+{%                 elif option_params.type is defined and option_params.type in [ 'bit-string', 'bit-list' ] %}
+{%                   set _ = option_params.update({ 'type': 'bit-string' }) %}
+{%                 endif %}
+{%               elif option_value is number %}
+{%                 set _ = option_params.update({ 'type': 'number' }) %}
+{%               elif option_value is mapping %}
+{%                 set _ = option_params.update({ 'type': 'mapping' }) %}
+{%               elif option_value is not string and option_value is not mapping %}
+{%                 if option_params.type is defined and option_params.type in [ 'bit-string', 'bit-list' ] %}
+{%                   set _ = option_params.update({ 'type': 'bit-list' }) %}
+{%                 else %}
+{%                   set _ = option_params.update({ 'type': 'list' }) %}
+{%                 endif %}
+{%               endif %}
+{%               if option_params | d() %}
+{%                 set _ = rabbitmq_server__tpl_options.update({ option_key: option_params }) %}
+{%               endif %}
+{%             endfor %}
+{%           endif %}
+{%         endfor %}
+{%         if rabbitmq_server__tpl_options | d() %}
+{%           set _ = rabbitmq_server__tpl_application.update({ 'options': rabbitmq_server__tpl_options }) %}
+{%         endif %}
+{%       endif %}
+{%       set _ = rabbitmq_server__tpl_config.update({ element.name: rabbitmq_server__tpl_application }) %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{# ------------------------------------------------------------------ #}
+{% macro print_values(elements) %}
+{%   if elements.type in [ 'bit-list', 'bit-string' ] %}
+{%     if elements.value is string %}
+{{ '<<"{}">>'.format(elements.value) -}}
+{%     elif elements.value is not string and elements.value is not mapping %}
+{{ '[<<"{}">>]'.format(elements.value | join('">>, <<"')) -}}
+{%     endif %}
+{%   elif elements.type == 'string' %}
+{{ '"{}"'.format(elements.value) -}}
+{%   elif elements.type in [ 'number', 'raw' ] %}
+{{ '{}'.format(elements.value) -}}
+{%   elif elements.type == 'list' %}
+{{ '{}'.format(elements.value | to_json) -}}
+{%   elif elements.type == 'atom' %}
+{%     if elements.value is string %}
+{%       if elements.value is search('^[A-Z].+') %}
+{{ "'{}'".format(elements.value) -}}
+{%       elif elements.value is search('[^a-zA-Z0-9@_].+') %}
+{{ "'{}'".format(elements.value) -}}
+{%       else %}
+{{ '{}'.format(elements.value) -}}
+{%       endif %}
+{%     elif elements.value is not string and elements.value is not mapping %}
+{%       set rabbitmq_server__tpl_atom_list = [] %}
+{%       for thing in elements.value %}
+{%         if thing is search('^[A-Z].+') %}
+{%           set _ = rabbitmq_server__tpl_atom_list.append("'{}'".format(thing)) %}
+{%         elif thing is search('[^a-zA-Z0-9@_].+') %}
+{%          set _ = rabbitmq_server__tpl_atom_list.append("'{}'".format(thing)) %}
+{%         else %}
+{%           set _ = rabbitmq_server__tpl_atom_list.append('{}'.format(thing)) %}
+{%         endif %}
+{%       endfor %}
+{%       if rabbitmq_server__tpl_atom_list %}
+{{ '[' + (rabbitmq_server__tpl_atom_list | join(', ')) + ']' -}}
+{%       endif %}
+{%     endif %}
+{%   elif elements.type == 'boolean' %}
+{{ '{}'.format(elements.value | bool | lower) -}}
+{%   endif %}
+{% endmacro %}
+{# ------------------------------------------------------------------ #}
+{% macro print_options(elements) %}
+{%   set rabbitmq_server__tpl_print_options = [] %}
+{%   for key, value in elements.items() %}
+{%     if value.state | d('present') not in [ 'absent' ] %}
+{%       set _ = rabbitmq_server__tpl_print_options.append(value) %}
+{%     endif %}
+{%   endfor %}
+{%   for option in rabbitmq_server__tpl_print_options | sort(attribute='weight') %}
+{%     if option.comment | d() %}
+{{ option.comment | regex_replace('\n$','') | comment(decoration='    %% ', prefix='', postfix='') -}}
+{%     endif %}
+{%     if option.type != 'raw' %}
+{{ '    {{{:<30} {}}}{}'.format((option.option | d(option.name)) + ',', print_values(option), (',\n' if not loop.last | bool else '')) }}
+{%     else %}
+{%       if option.value is string %}
+{%         if option.value.split('\n') | list | count == 1 %}
+{{ '    {{{:<30} {}{}'.format((option.option | d(option.name)) + ',', option.value.split('\n')[0], ('},\n' if not loop.last | bool else '}')) }}
+{%         else %}
+{{ '    {{{:<30} {}'.format((option.option | d(option.name)) + ',', option.value.split('\n')[0]) }}
+{%           set outer_loop = loop %}
+{%           for line in option.value.split('\n')[1:] %}
+{%             if line %}
+{{ '    {:<31} {}'.format('', line) }}
+{%             endif %}
+{%             if loop.last | bool %}
+{{ '    }}{}'.format((',\n' if not outer_loop.last | bool else '')) }}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+{# ------------------------------------------------------------------ #}
+{% macro print_erlang(erlang_config) %}
+{%   set rabbitmq_server__tpl_sorted_config = [] %}
+{%   for application, params in erlang_config.items() %}
+{%     set _ = rabbitmq_server__tpl_sorted_config.append(params) %}
+{%   endfor %}
+{%   for params in rabbitmq_server__tpl_sorted_config | sort(attribute='weight') %}
+{%     if params is mapping and params.state | d('present') != 'absent' %}
+{%       if params.comment | d() %}
+{{ params.comment | regex_replace('\n$','') | comment(decoration='  %% ', prefix='  %% -------------------------------------------------------------------', postfix='  %% -------------------------------------------------------------------\n') -}}
+{%       endif %}
+{{ '  {{{}, ['.format(params.name) }}
+{%       if params.options | d() %}
+{{ print_options(params.options) -}}
+{%       endif %}
+{%       if loop.last | bool %}
+  ]}
+{%       else %}
+  ]},
+
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endmacro %}
+[{{ ('\n' + print_erlang(rabbitmq_server__tpl_config)) if rabbitmq_server__tpl_config else '' -}}
+].
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__accounts_vhosts.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__accounts_vhosts.j2
new file mode 100644
index 00000000..20ca7c89
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__accounts_vhosts.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_accounts_vhosts = [] %}
+{% for account in lookup("flattened", rabbitmq_server__combined_accounts) %}
+{%   set entry = {} %}
+{%   if account.vhost | d() and account.state | d('present') != 'absent' %}
+{%     set _ = entry.update({'name': account.vhost}) %}
+{%     if account.node | d() %}
+{%       set _ = entry.update({'node': account.node}) %}
+{%     endif %}
+{%     if account.tracing | d() %}
+{%       set _ = entry.update({'tracing': account.tracing}) %}
+{%     endif %}
+{%   endif %}
+{%   if entry | d() %}
+{%     set _ = rabbitmq_server__tpl_accounts_vhosts.append(entry) %}
+{%   endif %}
+{% endfor %}
+{{ rabbitmq_server__tpl_accounts_vhosts }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__admin_accounts.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__admin_accounts.j2
new file mode 100644
index 00000000..10857e6a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__admin_accounts.j2
@@ -0,0 +1,18 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_admin_accounts = [] %}
+{% if ansible_local.core.admin_users | d() %}
+{%   for admin in ansible_local.core.admin_users %}
+{%     set _ = rabbitmq_server__tpl_admin_accounts.append({
+  'name': admin,
+  'vhost': rabbitmq_server__admin_default_vhost,
+  'tags': 'administrator',
+  'configure_priv': '.*',
+  'read_priv': '.*',
+  'write_priv': '.*'
+}) %}
+{%   endfor %}
+{% endif %}
+{{ rabbitmq_server__tpl_admin_accounts }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__dependent_config_filter.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__dependent_config_filter.j2
new file mode 100644
index 00000000..026c5fe1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__dependent_config_filter.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_dependent_config = {} %}
+{% if (rabbitmq_server__register_dependent_config | d() and rabbitmq_server__register_dependent_config.content | d()) %}
+{%   set _ = rabbitmq_server__tpl_dependent_config.update(rabbitmq_server__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if rabbitmq_server__dependent_role | d() %}
+{%   if rabbitmq_server__dependent_state == 'present' %}
+{%     set rabbitmq_server__tpl_flattened_config = lookup('flattened', rabbitmq_server__dependent_config) %}
+{%     set _ = rabbitmq_server__tpl_dependent_config.update({
+  rabbitmq_server__dependent_role: ([ rabbitmq_server__tpl_flattened_config ] if rabbitmq_server__tpl_flattened_config is mapping else rabbitmq_server__tpl_flattened_config)
+}) %}
+{%   elif rabbitmq_server__dependent_state == 'absent' %}
+{%     set _ = rabbitmq_server__tpl_dependent_config.pop(rabbitmq_server__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{% set rabbitmq_server__tpl_output = [] %}
+{% for key, value in rabbitmq_server__tpl_dependent_config.items() %}
+{%   set _ = rabbitmq_server__tpl_output.extend(value) %}
+{% endfor %}
+{{ rabbitmq_server__tpl_output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__parameters_vhosts.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__parameters_vhosts.j2
new file mode 100644
index 00000000..8f932f0c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__parameters_vhosts.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_parameters_vhosts = [] %}
+{% for parameter in lookup("flattened", rabbitmq_server__combined_parameters) %}
+{%   if parameter.vhost | d() and parameter.state | d('present') != 'absent' %}
+{%     set _ = rabbitmq_server__tpl_parameters_vhosts.append({ 'name': parameter.vhost }) %}
+{%   endif %}
+{%   if parameter.node | d() %}
+{%     set _ = rabbitmq_server__tpl_parameters_vhosts.append({ 'node': parameter.node }) %}
+{%   endif %}
+{%   if parameter.tracing | d() %}
+{%     set _ = rabbitmq_server__tpl_parameters_vhosts.append({ 'tracing': parameter.tracing }) %}
+{%   endif %}
+{% endfor %}
+{{ rabbitmq_server__tpl_parameters_vhosts }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__policies_vhosts.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__policies_vhosts.j2
new file mode 100644
index 00000000..0221da2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__policies_vhosts.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_policies_vhosts = [] %}
+{% for policy in lookup("flattened", rabbitmq_server__combined_policies) %}
+{%   if policy.vhost | d() and policy.state | d('present') != 'absent' %}
+{%     set _ = rabbitmq_server__tpl_policies_vhosts.append({ 'name': policy.vhost }) %}
+{%   endif %}
+{%   if policy.node | d() %}
+{%     set _ = rabbitmq_server__tpl_policies_vhosts.append({ 'node': policy.node }) %}
+{%   endif %}
+{%   if policy.tracing | d() %}
+{%     set _ = rabbitmq_server__tpl_policies_vhosts.append({ 'tracing': policy.tracing }) %}
+{%   endif %}
+{% endfor %}
+{{ rabbitmq_server__tpl_policies_vhosts }}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__secret__directories.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__secret__directories.j2
new file mode 100644
index 00000000..3fd86c37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/lookup/rabbitmq_server__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'rabbitmq_server/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config/inventory_hostname/config.json.j2 b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config/inventory_hostname/config.json.j2
new file mode 100644
index 00000000..de6df235
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rabbitmq_server/templates/secret/rabbitmq_server/dependent_config/inventory_hostname/config.json.j2
@@ -0,0 +1,19 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set rabbitmq_server__tpl_dependent_config = {} %}
+{% if (rabbitmq_server__register_dependent_config | d() and rabbitmq_server__register_dependent_config.content | d()) %}
+{%   set _ = rabbitmq_server__tpl_dependent_config.update(rabbitmq_server__register_dependent_config.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if rabbitmq_server__dependent_role | d() %}
+{%   if rabbitmq_server__dependent_state == 'present' %}
+{%     set rabbitmq_server__tpl_flattened_config = lookup('flattened', rabbitmq_server__dependent_config) %}
+{%     set _ = rabbitmq_server__tpl_dependent_config.update({
+  rabbitmq_server__dependent_role: ([ rabbitmq_server__tpl_flattened_config ] if rabbitmq_server__tpl_flattened_config is mapping else rabbitmq_server__tpl_flattened_config)
+}) %}
+{%   elif rabbitmq_server__dependent_state == 'absent' %}
+{%     set _ = rabbitmq_server__tpl_dependent_config.pop(rabbitmq_server__dependent_role, None) %}
+{%   endif %}
+{% endif %}
+{{ rabbitmq_server__tpl_dependent_config | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/radvd/COPYRIGHT b/ansible_collections/debops/debops/roles/radvd/COPYRIGHT
new file mode 100644
index 00000000..25b253e6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.radvd - Manage Router Advertisement Daemon using Ansible
+
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/radvd/defaults/main.yml b/ansible_collections/debops/debops/roles/radvd/defaults/main.yml
new file mode 100644
index 00000000..d8b35567
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/defaults/main.yml
@@ -0,0 +1,109 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _radvd__ref_defaults:
+
+# debops.radvd default variables [[[
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: radvd__base_packages [[[
+#
+# List of base APT packages required for :command:`radvd` support.
+radvd__base_packages: [ 'radvd' ]
+
+                                                                   # ]]]
+# .. envvar:: radvd__packages [[[
+#
+# List of additional APT packages to install with APT.
+radvd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Autogenerated configuration [[[
+# -------------------------------
+
+# These variables manage options which will be included in the autogenerated
+# configuration.
+
+# .. envvar:: radvd__rdnss [[[
+#
+# List of DNS nameservers which should be advertised to the IPv6 clients.
+radvd__rdnss: '{{ (ansible_dns.nameservers | d([])) | ansible.utils.ipv6 }}'
+
+                                                                   # ]]]
+# .. envvar:: radvd__dnssl [[[
+#
+# List of DNS search domains which should be advertised to the IPv6 clients.
+radvd__dnssl: '{{ ansible_dns.search | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: radvd__minimum_advertisement_interval [[[
+#
+# Minimum number of seconds between Router Advertisements.
+radvd__minimum_advertisement_interval: '5'
+
+                                                                   # ]]]
+# .. envvar:: radvd__maximum_advertisement_interval [[[
+#
+# Maximum number of seconds between Router Advertisements.
+radvd__maximum_advertisement_interval: '15'
+                                                                   # ]]]
+                                                                   # ]]]
+# Interface configuration [[[
+# ---------------------------
+
+# These variables are used to manage interface configuration in the
+# :file:`/etc/radvd.conf` file. See :ref:`radvd__ref_interfaces` for more
+# details.
+
+# .. envvar:: radvd__default_interfaces [[[
+#
+# List of automatically generated interface configuration entries.
+radvd__default_interfaces: '{{ lookup("template",
+                               "lookup/radvd__default_interfaces.j2") }}'
+
+                                                                   # ]]]
+# .. envvar:: radvd__interfaces [[[
+#
+# List of interface configuration entries defined on all hosts in the Ansible
+# inventory.
+radvd__interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: radvd__group_interfaces [[[
+#
+# List of interface configuration entries defined on hosts in specific Ansible
+# inventory group.
+radvd__group_interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: radvd__host_interfaces [[[
+#
+# List of interface configuration entries defined on specific hosts in the
+# Ansible inventory.
+radvd__host_interfaces: []
+
+                                                                   # ]]]
+# .. envvar:: radvd__combined_interfaces [[[
+#
+# The list that combines all of the interface configuration entries and is used
+# in the configuration file template.
+radvd__combined_interfaces: '{{ radvd__default_interfaces
+                                + radvd__interfaces
+                                + radvd__group_interfaces
+                                + radvd__host_interfaces }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/radvd/meta/main.yml b/ansible_collections/debops/debops/roles/radvd/meta/main.yml
new file mode 100644
index 00000000..41106bd1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage radvd (IPv6 router advertisement daemon)'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ipv6
+    - slaac
+    - networking
+    - routing
diff --git a/ansible_collections/debops/debops/roles/radvd/tasks/main.yml b/ansible_collections/debops/debops/roles/radvd/tasks/main.yml
new file mode 100644
index 00000000..baf01916
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install radvd support
+  ansible.builtin.package:
+    name: '{{ q("flattened", (radvd__base_packages
+                              + radvd__packages)) }}'
+    state: 'present'
+  register: radvd__register_packages
+  until: radvd__register_packages is succeeded
+
+- name: Generate radvd configuration
+  ansible.builtin.template:
+    src: 'etc/radvd.conf.j2'
+    dest: '/etc/radvd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Test radvd and restart' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save radvd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/radvd.fact.j2'
+    dest: '/etc/ansible/facts.d/radvd.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/radvd/templates/etc/ansible/facts.d/radvd.fact.j2 b/ansible_collections/debops/debops/roles/radvd/templates/etc/ansible/facts.d/radvd.fact.j2
new file mode 100644
index 00000000..253be9bb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/templates/etc/ansible/facts.d/radvd.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/radvd/templates/etc/radvd.conf.j2 b/ansible_collections/debops/debops/roles/radvd/templates/etc/radvd.conf.j2
new file mode 100644
index 00000000..8a0ed5c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/templates/etc/radvd.conf.j2
@@ -0,0 +1,220 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro filter_bool(value) %}
+{%   if value | bool and value is not iterable %}
+{{ '{}'.format('on') -}}
+{%   elif not value | bool and value is not iterable %}
+{%     if value is not none %}
+{%       if value | int or value | string == '0' %}
+{{ '{}'.format(value) -}}
+{%       else %}
+{{ '{}'.format('off') -}}
+{%       endif %}
+{%     endif %}
+{%   else %}
+{{ '{}'.format(value) -}}
+{%   endif %}
+{% endmacro %}
+{% set radvd__tpl_interfaces = [] %}
+{% for interface in radvd__combined_interfaces | debops.debops.parse_kv_items %}
+{%   if interface.name | d() and interface.state | d('present') not in [ 'init', 'absent' ] %}
+{%     set _ = radvd__tpl_interfaces.append(interface) %}
+{%   endif %}
+{% endfor %}
+{% for interface in radvd__tpl_interfaces %}
+{%   if interface.name | d() and interface.state | d('present') not in [ 'init', 'absent' ] %}
+{%     set radvd__tpl_prefixes = [] %}
+{%     if interface.prefix | d() %}
+{%       set _ = radvd__tpl_prefixes.extend([ interface.prefix ] if (interface.prefix is string) else interface.prefix) %}
+{%     endif %}
+{%     if interface.prefixes | d() %}
+{%       set _ = radvd__tpl_prefixes.extend([ interface.prefixes ] if (interface.prefixes is string) else interface.prefixes) %}
+{%     endif %}
+{%     set radvd__tpl_clients = [] %}
+{%     if interface.client | d() %}
+{%       set _ = radvd__tpl_clients.extend([ interface.client ] if (interface.client is string) else interface.client) %}
+{%     endif %}
+{%     if interface.clients | d() %}
+{%       set _ = radvd__tpl_clients.extend([ interface.clients ] if (interface.clients is string) else interface.clients) %}
+{%     endif %}
+{%     set radvd__tpl_routes = [] %}
+{%     if interface.route | d() %}
+{%       set _ = radvd__tpl_routes.extend([ interface.route ] if (interface.route is string) else interface.route) %}
+{%     endif %}
+{%     if interface.routes | d() %}
+{%       set _ = radvd__tpl_routes.extend([ interface.routes ] if (interface.routes is string) else interface.routes) %}
+{%     endif %}
+{%     set radvd__tpl_rdnss = [] %}
+{%     if interface.rdnss | d() %}
+{%       for element in ([ interface.rdnss ] if interface.rdnss is string else interface.rdnss) %}
+{%         if element is string %}
+{%           set _ = radvd__tpl_rdnss.append(element) %}
+{%         elif element is mapping %}
+{%           if element.name | d() and element.state | d('present') != 'absent' %}
+{%             set _ = radvd__tpl_rdnss.append(element.name) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     set radvd__tpl_dnssl = [] %}
+{%     if interface.dnssl | d() %}
+{%       for element in ([ interface.dnssl ] if interface.dnssl is string else interface.dnssl) %}
+{%         if element is string %}
+{%           set _ = radvd__tpl_dnssl.append(element) %}
+{%         elif element is mapping %}
+{%           if element.name | d() and element.state | d('present') != 'absent' %}
+{%             set _ = radvd__tpl_dnssl.append(element.name) %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     set radvd__tpl_abro = [] %}
+{%     if interface.abro | d() %}
+{%       set _ = radvd__tpl_abro.extend([ interface.abro ] if (interface.abro is string) else interface.abro) %}
+{%     endif %}
+{%     if interface.comment | d() %}
+{{ interface.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+interface {{ interface.name }} {
+{%     if interface.options | d() %}
+{%       for option in interface.options %}
+{%         if option.state | d('present') != 'absent' %}
+{{ "        {} {};".format(option.name, filter_bool(option.value)) }}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if radvd__tpl_prefixes %}
+{%       for prefix in radvd__tpl_prefixes %}
+{%         if prefix is string %}
+{%           if prefix | ansible.utils.ipv6('subnet') %}
+
+{{ "        prefix {} {{\n        }};".format(prefix | ansible.utils.ipv6('subnet')) }}
+{%           endif %}
+{%         elif prefix is mapping %}
+{%           if prefix.name | d() and prefix.state | d('present') != 'absent' %}
+
+{{ "        prefix {} {{".format(prefix.name | ansible.utils.ipv6('subnet')) }}
+{%             if prefix.options | d() %}
+{%               for option in prefix.options %}
+{%                 if option.name | d() and option.value | d() and option.state | d('present') != 'absent' %}
+{{ "                {} {};".format(option.name, filter_bool(option.value)) }}
+{%                 else %}
+{%                   for key, value in option.items() %}
+{{ "                {} {};".format(key, filter_bool(value)) }}
+{%                   endfor %}
+{%                 endif %}
+{%               endfor %}
+{%             endif %}
+        };
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if radvd__tpl_clients %}
+
+        clients {
+{%       for client in radvd__tpl_clients %}
+{%         if client is string %}
+{{ "                {};".format(client) }}
+{%         elif client is mapping %}
+{%           if client.name | d() and client.state | d('present') != 'absent' %}
+{{ "                {};".format(client.name) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+        };
+{%     endif %}
+{%     if radvd__tpl_routes %}
+{%       for route in radvd__tpl_routes %}
+{%         if route is string %}
+{%           if route | ansible.utils.ipv6('subnet') %}
+
+{{ "        route {} {{\n        }};".format(route | ansible.utils.ipv6('subnet')) }}
+{%           endif %}
+{%         elif route is mapping %}
+{%           if route.name | d() and route.state | d('present') != 'absent' %}
+
+{{ "        route {} {{".format(route.name | ansible.utils.ipv6('subnet')) }}
+{%             if route.options | d() %}
+{%               for option in route.options %}
+{%                 if option.name | d() and option.value | d() and option.state | d('present') != 'absent' %}
+{{ "                {} {};".format(option.name, filter_bool(option.value)) }}
+{%                 else %}
+{%                   for key, value in option.items() %}
+{{ "                {} {};".format(key, filter_bool(value)) }}
+{%                   endfor %}
+{%                 endif %}
+{%               endfor %}
+{%             endif %}
+        };
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if radvd__tpl_rdnss %}
+
+{{ "        RDNSS {} {{".format(radvd__tpl_rdnss | join(' ')) }}
+{%       if interface.rdnss_options | d() %}
+{%         for option in interface.rdnss_options %}
+{%           if option.name | d() and option.value | d() and option.state | d('present') != 'absent' %}
+{{ "                {} {};".format(option.name, filter_bool(option.value)) }}
+{%           else %}
+{%             for key, value in option.items() %}
+{{ "                {} {};".format(key, filter_bool(value)) }}
+{%             endfor %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+        };
+{%     endif %}
+{%     if radvd__tpl_dnssl %}
+
+{{ "        DNSSL {} {{".format(radvd__tpl_dnssl | join(' ')) }}
+{%       if interface.dnssl_options | d() %}
+{%         for option in interface.dnssl_options %}
+{%           if option.name | d() and option.value | d() and option.state | d('present') != 'absent' %}
+{{ "                {} {};".format(option.name, filter_bool(option.value)) }}
+{%           else %}
+{%             for key, value in option.items() %}
+{{ "                {} {};".format(key, filter_bool(value)) }}
+{%             endfor %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+        };
+{%     endif %}
+{%     if radvd__tpl_abro %}
+{%       for abro in radvd__tpl_abro %}
+{%         if abro is string %}
+
+{{ "        abro {} {{\n        }};".format(abro) }}
+{%         elif abro is mapping %}
+{%           if abro.name | d() and abro.state | d('present') != 'absent' %}
+
+{{ "        abro {} {{".format(abro.name) }}
+{%             if abro.options | d() %}
+{%               for option in abro.options %}
+{%                 if option.name | d() and option.value | d() and option.state | d('present') != 'absent' %}
+{{ "                {} {};".format(option.name, filter_bool(option.value)) }}
+{%                 else %}
+{%                   for key, value in option.items() %}
+{{ "                {} {};".format(key, filter_bool(value)) }}
+{%                   endfor %}
+{%                 endif %}
+{%               endfor %}
+{%             endif %}
+        };
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+};
+{%     if not loop.last | bool %}
+
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/radvd/templates/lookup/radvd__default_interfaces.j2 b/ansible_collections/debops/debops/roles/radvd/templates/lookup/radvd__default_interfaces.j2
new file mode 100644
index 00000000..c9632ff6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/radvd/templates/lookup/radvd__default_interfaces.j2
@@ -0,0 +1,53 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set radvd__tpl_output = [] %}
+{% if (ansible_all_ipv6_addresses | difference(ansible_all_ipv6_addresses | ansible.utils.ipv6('link-local'))) %}
+{%   set _ = radvd__tpl_output.append({'addresses': (ansible_all_ipv6_addresses | difference(ansible_all_ipv6_addresses | ansible.utils.ipv6('link-local')))}) %}
+{%   for interface in ansible_interfaces %}
+{%     if interface != 'lo' %}
+{%       set radvd__tpl_interface = {
+  'name': interface,
+  'options': [
+    {'AdvSendAdvert': True},
+    {'IgnoreIfMissing': True},
+    {'MinRtrAdvInterval': radvd__minimum_advertisement_interval},
+    {'MaxRtrAdvInterval': radvd__maximum_advertisement_interval}
+  ],
+  'state': 'init'
+} %}
+{%       if hostvars[inventory_hostname]['ansible_' + interface].ipv6 | d() %}
+{%         set radvd__tpl_prefixes = [] %}
+{%         for element in hostvars[inventory_hostname]['ansible_' + interface].ipv6 %}
+{%           if element.scope == 'global' %}
+{%             set _ = radvd__tpl_prefixes.append({
+  'name': (element.address + '/' + element.prefix),
+  'options': [
+    {'AdvOnLink': True},
+    {'AdvAutonomous': True}
+  ],
+  'state': 'present'
+}) %}
+{%           endif %}
+{%         endfor %}
+{%         set _ = radvd__tpl_interface.update({'prefixes': radvd__tpl_prefixes}) %}
+{%         set radvd__tpl_rdnss = [] %}
+{%         if radvd__rdnss | d() %}
+{%           set _ = radvd__tpl_rdnss.extend([ radvd__rdnss ] if radvd__rdnss is string else radvd__rdnss) %}
+{%         endif %}
+{%         set _ = radvd__tpl_interface.update({'rdnss': radvd__tpl_rdnss}) %}
+{%         set radvd__tpl_dnssl = [] %}
+{%         if radvd__dnssl | d() %}
+{%           set _ = radvd__tpl_dnssl.extend([ radvd__dnssl ] if radvd__dnssl is string else radvd__dnssl) %}
+{%         endif %}
+{%         set _ = radvd__tpl_interface.update({'dnssl': radvd__tpl_dnssl}) %}
+{%         if hostvars[inventory_hostname]['ansible_' + interface].type in [ 'bridge' ] and radvd__tpl_prefixes %}
+{%           set _ = radvd__tpl_interface.update({'state': 'present'}) %}
+{%         endif %}
+{%       endif %}
+{%       set _ = radvd__tpl_output.append(radvd__tpl_interface) %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ radvd__tpl_output }}
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/COPYRIGHT b/ansible_collections/debops/debops/roles/rails_deploy/COPYRIGHT
new file mode 100644
index 00000000..d76923f7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.rails_deploy - Deploy Rails applications using Ansible
+
+Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/defaults/main.yml b/ansible_collections/debops/debops/roles/rails_deploy/defaults/main.yml
new file mode 100644
index 00000000..ddeeb28d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/defaults/main.yml
@@ -0,0 +1,509 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rails_deploy__ref_defaults:
+
+# debops.rails_deploy default variables
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# ---- System ----
+
+# .. envvar:: rails_deploy_dependencies [[[
+#
+# Should certain services/envs be setup for you automatically?
+# Redis will only be setup if you enable background worker support.
+#
+# Keep in mind that if you remove ruby then you will be expected to put
+# ruby on the system and ensure its binaries are on the system path.
+rails_deploy_dependencies: ['database', 'redis', 'nginx', 'ruby', 'monit']
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_packages [[[
+#
+# Which packages do you want installed?
+# Add as many packages as you want, the database_package will automatically
+# pick libpq-dev or libmysqlclient-dev depending on what database you picked.
+rails_deploy_packages: ['{{ rails_deploy_database_package }}']
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_user_groups [[[
+#
+# A list of additional groups that this app's user belongs to.
+# If you want to be able to ssh into the server then you must include 'sshusers'.
+rails_deploy_user_groups: []
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_user_sshkey [[[
+#
+# Where should the public ssh key be read in from? This is only used when you
+# have included 'sshusers' in the user_groups list.
+rails_deploy_user_sshkey: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+
+                                                                   # ]]]
+# ---- Hosts ----
+
+# .. envvar:: rails_deploy_hosts_group [[[
+#
+# What inventory group does your app belong to?
+# If you want to have multiple apps then make this group gather up all sub-groups
+# such as debops_rails_deploy_myapp and debops_rails_deploy_anotherapp.
+rails_deploy_hosts_group: 'debops_rails_deploy'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_hosts_master [[[
+#
+# Which application server should run database related tasks?
+rails_deploy_hosts_master: '{{ groups[rails_deploy_hosts_group][0] }}'
+
+                                                                   # ]]]
+# ---- Git ----
+
+# .. envvar:: rails_deploy_git_location [[[
+#
+# The location repo which will get cloned during each deploy. You can use a
+# remote or local repo.
+rails_deploy_git_location: ''
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_git_version [[[
+#
+# Which branch or tag should be used?
+rails_deploy_git_version: 'master'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_git_remote [[[
+#
+# Which remote should be used?
+rails_deploy_git_remote: 'origin'
+
+                                                                   # ]]]
+# Supply your git provider's api token to automatically set deploy keys.
+# If False you will have to manually add deploy keys for each app server.
+
+# .. envvar:: rails_deploy_git_access_token [[[
+#
+# Supports github and gitlab for now:
+# Github: https://github.com/settings/applications
+# Under personal access tokens, check off 'write:public_key'.
+# You may want to enable other access limits for repo/public_repo, etc..
+#
+# Gitlab: https://yourgitlabhost.com/profile/account
+# Your private token should already be there.
+rails_deploy_git_access_token: False
+
+                                                                   # ]]]
+# ---- Deploy ----
+
+# .. envvar:: rails_deploy_service [[[
+#
+# What should the service be named?
+# The default value plucks out your repo name (without .git) from your location.
+rails_deploy_service: "{{ rails_deploy_git_location | basename | replace('.git', '') }}"
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_home [[[
+#
+# Where should the user's home directory be?
+rails_deploy_home: '/var/local/{{ rails_deploy_service }}'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_src [[[
+#
+# Where should the git repository be cloned to?
+rails_deploy_src: '{{ rails_deploy_home }}/{{ rails_deploy_nginx_domains[0] }}/{{ rails_deploy_service }}/src'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_system_env [[[
+#
+# What should the system environment be set to?
+rails_deploy_system_env: 'production'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_bundle_without [[[
+#
+# A list of environments to skip, it will remove your system env from the list
+# during the deploy phase automatically.
+rails_deploy_bundle_without: ['development', 'staging', 'production', 'test']
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_service_timeout [[[
+#
+# Timeout for service and worker startup, in seconds
+rails_deploy_service_timeout: '60'
+
+                                                                   # ]]]
+# ---- Backend ----
+
+# .. envvar:: rails_deploy_backend [[[
+#
+# Which backend type are you using? 'unicorn' and 'puma' are supported so far.
+# You can also disable the backend by setting it to False in case you use passenger.
+rails_deploy_backend: 'unicorn'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_backend_bind [[[
+#
+# What do you want to listen on? You can choose a tcp addr:port or unix socket.
+# Do not bother to include the socket/tcp prefix, that will be handled for you.
+rails_deploy_backend_bind: '{{ rails_deploy_service_socket }}'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_backend_state [[[
+#
+# What state should the backend be in?
+rails_deploy_backend_state: 'started'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_backend_enabled [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_backend_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_backend_always_restart [[[
+#
+# When set to true the backend will always restart instead of reload but it
+# will only restart if the repo changed. This makes for hands free deployment
+# at the cost of a few seconds+ of downtime per deploy.
+#
+# You may want to combine this with force migrate in which case all you ever have
+# to do is push your app and you don't have to wonder whether or not the code
+# you're changing requires a full restart or not.
+rails_deploy_backend_always_restart: False
+
+                                                                   # ]]]
+# ---- Database ----
+
+# .. envvar:: rails_deploy_database_create [[[
+#
+# Should the database be created by default?
+rails_deploy_database_create: True
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_prepare [[[
+#
+# Should the database get a db:schema:load and db:seed in an idempotent way?
+rails_deploy_database_prepare: True
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_migrate [[[
+#
+# Should the database get automatically migrated in an idempotent way?
+rails_deploy_database_migrate: True
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_force_migrate [[[
+#
+# Should the database get migrated no matter what?
+# You may want to do this as a 1 off command with --extra-vars in case your
+# schema file's checksum somehow gets out of sync and you need to migrate.
+#
+# Another use case would be if you have automatic migrations turned off and
+# you just deployed but now you want to do an isolated migration.
+rails_deploy_database_force_migrate: False
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_adapter [[[
+#
+# It supports 'postgresql' or 'mysql' for now.
+rails_deploy_database_adapter: 'postgresql'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_postgresql_cluster [[[
+#
+# Make sure this matches your pg cluster info, ignore it if you use mysql.
+rails_deploy_postgresql_cluster: '9.1/main'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_host [[[
+#
+# Where is your database hosted?
+rails_deploy_database_host: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_port [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_database_port: '5432'  # 3306 for mysql
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_postgresql_super_username [[[
+#
+# What are your super user names?
+rails_deploy_postgresql_super_username: 'postgres'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_mysql_super_username [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_mysql_super_username: 'mysql'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_user_role_attrs [[[
+#
+# What are the roles that should be applied to the app postgres user?
+# See https://docs.ansible.com/postgresql_user_module.html for available options
+rails_deploy_database_user_role_attrs: ''
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_pool [[[
+#
+# What should some of the configuration options be set to?
+rails_deploy_database_pool: 25
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_database_timeout [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_database_timeout: 5000
+
+                                                                   # ]]]
+# ---- Background Worker ----
+
+# .. envvar:: rails_deploy_worker_enabled [[[
+#
+# Enable background worker support. This will create an init.d service, register
+# it with monit and add it into the deploy life cycle.
+rails_deploy_worker_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_worker_state [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_worker_state: 'started'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_worker [[[
+#
+# At the moment it only supports sidekiq but resque could happen in the future.
+rails_deploy_worker: 'sidekiq'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_worker_host [[[
+#
+# Where is your worker hosted?
+rails_deploy_worker_host: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_worker_port [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+rails_deploy_worker_port: '6379'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_worker_url [[[
+#
+# How should the connection be made to the redis server?
+# If your server has a password you must add it here.
+# Example: redis://:mypassword@{{ rails_deploy_worker_host }}:{{ rails_deploy_worker_port }}/0'
+rails_deploy_worker_url: 'redis://{{ rails_deploy_worker_host }}:{{ rails_deploy_worker_port }}/0'
+
+                                                                   # ]]]
+# ---- Commands ----
+
+# Execute shell commands at various points in the deploy life cycle.
+# They are executed in the context of the root directory of your app
+# and are also only ran when your repo has changed.
+
+# .. envvar:: rails_deploy_pre_migrate_shell_commands [[[
+#
+# Shell commands to run before migration
+# They will still run even if you have migrations turned off.
+rails_deploy_pre_migrate_shell_commands: []
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_post_migrate_shell_commands [[[
+#
+# Shell commands to run after migration
+# They will still run even if you have migrations turned off.
+rails_deploy_post_migrate_shell_commands:
+  - 'bundle exec rake assets:precompile'
+  - 'rm -rf tmp/cache'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_post_restart_shell_commands [[[
+#
+# Shell commands to run after the backend was started
+# Let's say you wanted to execute whenever after your app reloads/restarts:
+#
+# - 'bundle exec whenever --clear-crontab {{ rails_deploy_service }}'
+#
+# This is the absolute last thing that happens during a deploy.
+# They will still run even if you have no backend.
+rails_deploy_post_restart_shell_commands: []
+
+                                                                   # ]]]
+# ---- Services ----
+
+# Add 1 or more custom services related to the app, they will have
+# their state changed on each deploy. The changed_state is the action to
+# take when the state of the git repo has changed.
+
+# .. envvar:: rails_deploy_extra_services [[[
+#
+# They will get restarted/reloaded at the end of the deploy.
+# Everything is optional except for the name.
+rails_deploy_extra_services: []
+
+                                                                   # ]]]
+#rails_deploy_extra_services:
+#  - name: ''
+#    changed_state: 'reloaded'
+#    state: 'started'
+#    enabled: True
+
+
+# ---- Log rotation ----
+
+# .. envvar:: rails_deploy_logrotate_interval [[[
+#
+# How often should they be rotated?
+# Accepted values: hourly, daily, weekly, monthly and yearly
+rails_deploy_logrotate_interval: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_logrotate_rotation [[[
+#
+# Log files are rotated N times before being removed.
+rails_deploy_logrotate_rotation: 24
+
+                                                                   # ]]]
+# ---- Environment settings ----
+
+# Both the default and custom environment variables will get added together
+# and be written to /etc/default/{{ rails_deploy_service }}.
+
+# .. envvar:: rails_deploy_default_env [[[
+#
+# Default environment variables added to each app.
+rails_deploy_default_env:
+  RAILS_ENV: '{{ rails_deploy_system_env }}'
+
+  DATABASE_URL: "{{ rails_deploy_database_adapter }}://{{ rails_deploy_service }}:{{ rails_deploy_database_user_password }}@{{ rails_deploy_database_host }}:{{ rails_deploy_database_port }}/{{ rails_deploy_service }}_{{ rails_deploy_system_env }}?pool={{ rails_deploy_database_pool }}&timeout={{ rails_deploy_database_timeout }}"
+
+  # Application variables, they are used in the backend/worker variables below.
+  SERVICE: '{{ rails_deploy_service }}'
+  LOG_FILE: '{{ rails_deploy_log }}/{{ rails_deploy_service }}.log'
+  RUN_STATE_PATH: '{{ rails_deploy_run }}'
+
+  # Backend variables, they work in conjunction with the example
+  # server configs. Check docs/examples/rails/config/puma.rb|unicorn.rb.
+  LISTEN_ON: '{{ rails_deploy_backend_bind }}'
+
+  THREADS_MIN: 0
+  THREADS_MAX: 16
+  WORKERS: 2
+
+  # Background worker variables. Check docs/examples/rails/config/sidekiq.yml
+  # and initializers/sidekiq.rb on how use this in your application.
+  BACKGROUND_URL: '{{ rails_deploy_worker_url }}'
+  BACKGROUND_THREADS: '{{ rails_deploy_database_pool }}'
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_env [[[
+#
+# Custom environment variables added to a specific app.
+rails_deploy_env: {}
+
+                                                                   # ]]]
+# ---- Nginx settings ----
+
+# .. envvar:: rails_deploy_nginx_server_enabled [[[
+#
+# Should nginx be enabled?
+rails_deploy_nginx_server_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_nginx_domains [[[
+#
+# What domain names should the app be associated to?
+rails_deploy_nginx_domains: ['{{ ansible_fqdn }}']
+
+                                                                   # ]]]
+# If you want to edit any of the values for nginx below, you will need to copy
+# the whole variable over even if you need to edit 1 value.
+#
+# Consult the debops.nginx documentation if needed.
+
+# .. envvar:: rails_deploy_nginx_upstream [[[
+#
+# Configure the upstream.
+rails_deploy_nginx_upstream:
+  enabled: '{{ rails_deploy_nginx_server_enabled }}'
+  name: '{{ rails_deploy_service }}'
+  server: "{{ 'unix:' + rails_deploy_backend_bind if not ':' in rails_deploy_backend_bind else rails_deploy_backend_bind }}"
+
+                                                                   # ]]]
+# .. envvar:: rails_deploy_nginx_server [[[
+#
+# Configure the sites-available.
+rails_deploy_nginx_server:
+  enabled: '{{ rails_deploy_nginx_server_enabled }}'
+  name: '{{ rails_deploy_nginx_domains }}'
+  root: '{{ rails_deploy_src }}/public'
+  webroot_create: False
+
+  error_pages:
+    '404': '/404.html'
+    '422': '/422.html'
+    '500': '/500.html'
+    '502 503 504': '/502.html'
+
+  location_list:
+    - pattern: '/'
+      options: |
+        try_files $uri $uri/index.html $uri.html @{{ rails_deploy_nginx_upstream.name }};
+    - pattern: '~ ^/(assets|system)/'
+      options: |
+        gzip_static on;
+        expires max;
+        add_header Cache-Control public;
+        add_header Last-Modified "";
+        add_header ETag "";
+    - pattern: '@{{ rails_deploy_nginx_upstream.name }}'
+      options: |
+        gzip off;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_set_header   Host              $http_host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_redirect     off;
+        proxy_pass         http://{{ rails_deploy_nginx_upstream.name }};
+
+# ]]]
+# Usage examples:
+
+# ---- Bare minimum ----
+#rails_deploy_git_location: 'git@github.com:yourname/mycoolapp.git'
+
+# ---- Use a custom service name ----
+#rails_deploy_service: 'myawesomeapp'
+
+# ---- Use a tag or branch instead of master ----
+#rails_deploy_git_version: 'v0.1.0'
+
+# ---- Use mysql instead of postgres ----
+#rails_deploy_database_adapter: 'mysql'
+
+# ---- Use puma instead of unicorn ----
+#rails_deploy_backend: 'puma'
+
+# ---- Enable the background worker ----
+#rails_deploy_worker_enable: True
+
+# ---- Listen on a tcp port instead of a socket ----
+#rails_deploy_backend_bind: '{{ ansible_fqdn }}:8080'
+
+# ---- Deploy to staging instead of production ----
+#rails_deploy_system_env: 'staging'
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/meta/main.yml b/ansible_collections/debops/debops/roles/rails_deploy/meta/main.yml
new file mode 100644
index 00000000..a818b6a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/meta/main.yml
@@ -0,0 +1,96 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+# Currently the role does not have a corresponding Ansible playbook so we
+# cannot move dependencies there. Keep them commented out for the time being to
+# avoid issues with ansible-lint.
+
+#  - role: etc_services
+#
+#  - role: apt_preferences
+#    tags: [ 'role::apt_preferences' ]
+#    apt_preferences__dependent_list:
+#      - '{{ nodejs__apt_preferences__dependent_list }}'
+#
+#  - role: nodejs
+#    when: '"bundle exec rake assets:precompile" in rails_deploy_post_migrate_shell_commands'
+#    tags: nodejs
+#
+#  - role: ruby
+#    when: rails_deploy_dependencies is defined and
+#          'ruby' in rails_deploy_dependencies
+#    tags: ruby
+#
+#  - role: redis_server
+#    when: rails_deploy_worker_enabled and
+#          rails_deploy_dependencies is defined and
+#          'redis' in rails_deploy_dependencies
+#    tags: redis
+#
+#  - role: postgresql
+#    when: inventory_hostname == rails_deploy_hosts_master and
+#          (rails_deploy_dependencies is defined and
+#          'database' in rails_deploy_dependencies) and
+#          rails_deploy_database_adapter == 'postgresql'
+#    tags: postgresql
+#
+#  - role: debops.mysql
+#    when: inventory_hostname == rails_deploy_hosts_master and
+#          (rails_deploy_dependencies is defined and
+#          'database' in rails_deploy_dependencies) and
+#          rails_deploy_database_adapter == 'mysql'
+#    tags: mysql
+#
+#  - role: nginx
+#    nginx_servers: [ '{{ rails_deploy_nginx_server }}' ]
+#    nginx_upstreams: [ '{{ rails_deploy_nginx_upstream }}' ]
+#    when: rails_deploy_dependencies is defined and
+#          'nginx' in rails_deploy_dependencies
+#    tags: nginx
+#
+#  - role: monit
+#    monit_process_host_list:
+#      - pid: '{{ rails_deploy_service }}/{{ rails_deploy_service }}.pid'
+#    when: rails_deploy_dependencies is defined and
+#          'monit' in rails_deploy_dependencies and
+#          not rails_deploy_worker_enabled
+#    tags: monit
+#
+#  - role: monit
+#    monit_process_host_list:
+#      - pid: '{{ rails_deploy_service }}/{{ rails_deploy_service }}.pid'
+#      - pid: '{{ rails_deploy_service }}/{{ rails_deploy_worker }}.pid'
+#    when: rails_deploy_dependencies is defined and
+#          'monit' in rails_deploy_dependencies and
+#          rails_deploy_worker_enabled
+#    tags: monit
+
+galaxy_info:
+
+  author: 'Nick Janetakis'
+  description: 'Deploy and monitor rails applications'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - ruby
+    - rails
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/database.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/database.yml
new file mode 100644
index 00000000..70a7987a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/database.yml
@@ -0,0 +1,74 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create PostgreSQL user
+  community.postgresql.postgresql_user:
+    login_host: '{{ rails_deploy_database_host }}'
+    port: '{{ rails_deploy_database_port }}'
+    login_user: '{{ rails_deploy_postgresql_super_username }}'
+    login_password: '{{ rails_deploy_database_super_password }}'
+    name: '{{ rails_deploy_service }}'
+    password: '{{ rails_deploy_database_user_password }}'
+    encrypted: False
+    state: 'present'
+    role_attr_flags: '{{ rails_deploy_database_user_role_attrs }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+  when: rails_deploy_database_adapter == 'postgresql' and
+        inventory_hostname == rails_deploy_hosts_master
+  become: True
+  become_user: '{{ rails_deploy_postgresql_super_username }}'
+
+- name: Create PostgreSQL database if enabled
+  community.postgresql.postgresql_db:
+    login_host: '{{ rails_deploy_database_host }}'
+    port: '{{ rails_deploy_database_port }}'
+    login_user: '{{ rails_deploy_postgresql_super_username }}'
+    login_password: '{{ rails_deploy_database_super_password }}'
+    name: '{{ rails_deploy_service }}_{{ rails_deploy_system_env }}'
+    owner: '{{ rails_deploy_service }}'
+    encoding: 'UTF-8'
+    state: 'present'
+    template: 'template1'
+  register: rails_deploy_register_database_created
+  when: rails_deploy_database_adapter == 'postgresql' and
+        inventory_hostname == rails_deploy_hosts_master
+  become: True
+  become_user: '{{ rails_deploy_postgresql_super_username }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create MySQL user
+  community.mysql.mysql_user:
+    login_host: '{{ rails_deploy_database_host }}'
+    login_port: '{{ rails_deploy_database_port }}'
+    login_user: '{{ rails_deploy_mysql_super_username }}'
+    login_password: '{{ rails_deploy_database_super_password }}'
+    name: '{{ rails_deploy_service }}'
+    password: '{{ rails_deploy_mysql_user_password }}'
+    state: 'present'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: rails_deploy_database_adapter == 'mysql' and
+        inventory_hostname == rails_deploy_hosts_master
+  become: True
+  become_user: '{{ rails_deploy_mysql_super_username }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create MySQL database if enabled
+  community.mysql.mysql_db:
+    login_host: '{{ rails_deploy_database_host }}'
+    login_port: '{{ rails_deploy_database_port }}'
+    login_user: '{{ rails_deploy_mysql_super_username }}'
+    login_password: '{{ rails_deploy_database_super_password }}'
+    name: '{{ rails_deploy_service }}_{{ rails_deploy_system_env }}'
+    encoding: 'UTF-8'
+    state: 'present'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  register: rails_deploy_register_database_created
+  when: rails_deploy_database_adapter == 'mysql' and
+        inventory_hostname == rails_deploy_hosts_master
+  become: True
+  become_user: '{{ rails_deploy_mysql_super_username }}'
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy.yml
new file mode 100644
index 00000000..d0ce7bd8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy.yml
@@ -0,0 +1,215 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Clone the app's source code
+  ansible.builtin.git:
+    repo: '{{ rails_deploy_git_location }}'
+    dest: '{{ rails_deploy_src }}'
+    version: '{{ rails_deploy_git_version }}'
+    remote: '{{ rails_deploy_git_remote }}'
+    accept_hostkey: True
+  register: rails_deploy_register_repo_status
+  when: rails_deploy_git_location is defined and rails_deploy_git_location
+  become: True
+  become_user: '{{ rails_deploy_service }}'
+
+- name: Detect a temporary public deploy page
+  ansible.builtin.stat:
+    path: '{{ rails_deploy_src }}/public/deploy.html'
+  register: rails_deploy_register_public_deploy_page
+
+- name: Enable the temporary deploy page
+  ansible.builtin.copy:
+    src: '{{ rails_deploy_src }}/public/deploy.html'
+    dest: '{{ rails_deploy_src }}/public/index.html'
+    mode: '0644'
+    remote_src: True
+  when: rails_deploy_register_public_deploy_page.stat.exists and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  changed_when: False
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+
+- name: Update gems
+  ansible.builtin.command: bundle install --deployment
+           --without={{ rails_deploy_bundle_without | difference([rails_deploy_system_env]) | join(',') }}
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  changed_when: False
+  when: rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+
+- name: Restart the background worker asynchronously
+  ansible.builtin.service:
+    name: '{{ rails_deploy_worker }}'
+    state: 'restarted'
+  async: 90  # noqa no-handler
+  when: rails_deploy_worker_enabled and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+
+- name: Prepare the database
+  ansible.builtin.shell: '{{ rails_deploy_env_source }} && bundle exec rake db:schema:load db:seed'
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  when: (rails_deploy_database_create and rails_deploy_register_database_created is defined and
+        rails_deploy_register_database_created is changed and
+        rails_app_database_prepare) and
+        inventory_hostname == rails_deploy_hosts_master and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+  register: rails_deploy__register_db_schema_load
+  changed_when: rails_deploy__register_db_schema_load.changed | bool
+
+- name: Store mtime of the config folder
+  ansible.builtin.stat:
+    path: '{{ rails_deploy_src }}/config'
+  register: rails_deploy_register_mtime_config
+  when: inventory_hostname == rails_deploy_hosts_master and
+        rails_deploy_git_location is defined and rails_deploy_git_location
+
+- name: Store mtime of the db/schema.rb file
+  ansible.builtin.stat:
+    path: '{{ rails_deploy_src }}/db/schema.rb'
+  register: rails_deploy_register_mtime_schema
+  when: inventory_hostname == rails_deploy_hosts_master and
+        rails_deploy_git_location is defined and rails_deploy_git_location
+
+- name: Execute shell commands before migration
+  ansible.builtin.shell: '{{ rails_deploy_env_source }} && {{ item }}'
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  when: rails_deploy_pre_migrate_shell_commands and rails_deploy_git_location and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  with_items: '{{ rails_deploy_pre_migrate_shell_commands }}'
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+  register: rails_deploy__register_migration_pre_commands
+  changed_when: rails_deploy__register_migration_pre_commands.changed | bool
+
+- name: Migrate the database
+  ansible.builtin.shell: '{{ rails_deploy_env_source }} && bundle exec rake db:migrate'
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  when: inventory_hostname == rails_deploy_hosts_master and
+        (rails_deploy_database_force_migrate or
+        (rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed and
+        (rails_deploy_register_mtime_schema.stat.mtime !=
+         ansible_local.rails_deploy[rails_deploy_service].mtime.schema) or
+        ansible_local.rails_deploy[rails_deploy_service].mtime.schema is undefined))
+  register: rails_deploy_register_migration
+  changed_when: rails_deploy_register_migration.changed | bool
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+
+- name: Execute shell commands after migration
+  ansible.builtin.shell: '{{ rails_deploy_env_source }} && {{ item }}'
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  when: rails_deploy_post_migrate_shell_commands and rails_deploy_git_location and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  with_items: '{{ rails_deploy_post_migrate_shell_commands }}'
+  become: True
+  become_user: '{{ rails_deploy_service }}'  # noqa no-handler
+  register: rails_deploy__register_migration_post_commands
+  changed_when: rails_deploy__register_migration_post_commands.changed | bool
+
+- name: Reload the backend server
+  ansible.builtin.service:
+    name: '{{ rails_deploy_service }}'
+    state: 'reloaded'
+  when: rails_deploy_backend and (rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed and
+        (inventory_hostname == rails_deploy_hosts_master or
+        inventory_hostname != item) and
+        not rails_deploy_register_migration is changed and
+        rails_deploy_register_mtime_config.stat.mtime == ansible_local.rails_deploy[rails_deploy_service].mtime.config
+        and
+        not rails_deploy_backend_always_restart)
+  delegate_to: '{{ item }}'
+  with_items: '{{ groups[rails_deploy_hosts_group] }}'  # noqa no-handler
+
+- name: Restart the backend server
+  ansible.builtin.service:
+    name: '{{ rails_deploy_service }}'
+    state: 'restarted'
+  when: rails_deploy_backend and (rails_deploy_database_force_migrate or
+        ((rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed) and rails_deploy_register_migration is changed) and
+        (inventory_hostname == rails_deploy_hosts_master or
+        inventory_hostname != item)
+        or
+        rails_deploy_register_mtime_config.stat.mtime != ansible_local.rails_deploy[rails_deploy_service].mtime.config
+        or
+        (rails_deploy_backend_always_restart and rails_deploy_git_location and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed))
+  delegate_to: '{{ item }}'
+  with_items: '{{ groups[rails_deploy_hosts_group] }}'  # noqa no-handler
+
+- name: Set the extra services state
+  ansible.builtin.service:
+    name: '{{ item.name }}'
+    state: '{{ item.changed_state | default("reloaded") }}'
+  when: rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed and rails_deploy_extra_services
+  with_items: '{{ rails_deploy_extra_services }}'  # noqa no-handler
+
+- name: Set the initial backend server state
+  ansible.builtin.service:
+    name: '{{ rails_deploy_service }}'
+    state: '{{ rails_deploy_backend_state }}'
+    enabled: '{{ rails_deploy_backend_enabled }}'
+  when: rails_deploy_git_location is defined and rails_deploy_git_location and rails_deploy_backend
+
+- name: Set the initial background worker state
+  ansible.builtin.service:
+    name: '{{ rails_deploy_worker }}'
+    state: '{{ rails_deploy_worker_state }}'
+    enabled: '{{ rails_deploy_worker_enabled }}'
+  when: rails_deploy_worker_enabled and
+        rails_deploy_git_location is defined and rails_deploy_git_location
+
+- name: Set the initial extra services state
+  ansible.builtin.service:
+    name: '{{ item.name }}'
+    state: '{{ item.state | default("started") }}'
+    enabled: '{{ item.enabled | default(True) }}'
+  when: rails_deploy_git_location is defined and rails_deploy_git_location and
+        rails_deploy_extra_services
+  with_items: '{{ rails_deploy_extra_services }}'
+
+- name: Execute shell commands after the backend is ready
+  ansible.builtin.shell: '{{ rails_deploy_env_source }} && {{ item }}  # noqa no-handler'
+  args:
+    chdir: '{{ rails_deploy_src }}'
+  when: rails_deploy_post_restart_shell_commands and rails_deploy_git_location and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  with_items: '{{ rails_deploy_post_restart_shell_commands }}'
+  become: True
+  become_user: '{{ rails_deploy_service }}'
+  register: rails_deploy__register_shell_commands
+  changed_when: rails_deploy__register_shell_commands.changed | bool
+
+- name: Disable the temporary deploy page
+  ansible.builtin.file:  # noqa no-handler
+    path: '{{ rails_deploy_src + "/public/index.html" }}'
+    state: 'absent'
+  when: rails_deploy_register_public_deploy_page.stat.exists and
+        rails_deploy_register_repo_status is defined and
+        rails_deploy_register_repo_status is changed
+  changed_when: False
+  become: True
+  become_user: '{{ rails_deploy_service }}'
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy_keys.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy_keys.yml
new file mode 100644
index 00000000..ce131f16
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/deploy_keys.yml
@@ -0,0 +1,56 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Slurp the deploy key
+  ansible.builtin.slurp:
+    src: '{{ rails_deploy_home }}/.ssh/id_rsa.pub'
+  register: rails_deploy_register_deploy_key
+  when: rails_deploy_service is defined and rails_deploy_service and
+        rails_deploy_register_deploy_key is undefined
+
+- name: Create a json formatted deploy key
+  ansible.builtin.set_fact:
+    rails_deploy_key_data:
+      title: '{{ rails_deploy_service }}@{{ ansible_hostname }} deployed by Ansible'
+      key: '{{ rails_deploy_register_deploy_key.content | b64decode | trim }}'
+  when: rails_deploy_service is defined and rails_deploy_service and
+        rails_deploy_register_deploy_key is defined
+
+  # FIXME: Use a proper Ansible module instead of the 'command' module
+- name: Transfer the deploy key to Github  # noqa command-instead-of-module
+  ansible.builtin.command: "curl --silent --header 'Authorization: token {{ rails_deploy_git_access_token }}'
+                 --data '{{ rails_deploy_key_data | to_nice_json }}'
+                 https://api.github.com/repos/{{ rails_deploy_git_account }}/{{ rails_deploy_git_repo }}/keys"
+  changed_when: False
+  when: rails_deploy_git_access_token and
+        'file://' not in rails_deploy_git_location and
+        rails_deploy_register_deploy_key is defined and
+        'github' in rails_deploy_git_host
+
+- name: Get the Gitlab repo id
+  ansible.builtin.uri:
+    url: 'https://{{ rails_deploy_git_host }}/api/v3/projects/{{
+                     rails_deploy_git_account }}%2F{{ rails_deploy_git_repo }}'
+    headers:
+      'PRIVATE-TOKEN': '{{ rails_deploy_git_access_token }}'
+  register: rails_deploy_register_gitlab_response
+  when: rails_deploy_git_access_token and
+        'file://' not in rails_deploy_git_location and
+        rails_deploy_register_deploy_key is defined and
+        not 'github' in rails_deploy_git_host
+
+  # FIXME: Use a proper Ansible module instead of the 'command' module
+- name: Transfer the deploy key to Gitlab  # noqa command-instead-of-module
+  ansible.builtin.command: "curl --insecure --header 'PRIVATE-TOKEN: {{ rails_deploy_git_access_token }}'
+                 --data '{{ rails_deploy_key_data | to_nice_json }}'
+                 https://{{ rails_deploy_git_host }}/api/v3/projects/{{
+                   rails_deploy_register_gitlab_response.json.id }}/keys"
+  changed_when: False
+  register: rails_deploy_register_gitlab_access_token
+  when: rails_deploy_git_access_token and
+        'file://' not in rails_deploy_git_location and
+        rails_deploy_register_deploy_key is defined and
+        not 'github' in rails_deploy_git_host
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/local_facts.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/local_facts.yml
new file mode 100644
index 00000000..18a7f399
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/local_facts.yml
@@ -0,0 +1,23 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create Ansible facts directory
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: rails_deploy_database_force_migrate or
+        rails_deploy_git_location is defined and rails_deploy_git_location
+
+- name: Create local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rails_deploy.fact.j2'
+    dest: '/etc/ansible/facts.d/rails_deploy.fact'
+    mode: '0644'
+  when: rails_deploy_database_force_migrate or
+        rails_deploy_git_location is defined and rails_deploy_git_location
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/main.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/main.yml
new file mode 100644
index 00000000..45616686
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure system environment
+  ansible.builtin.include_tasks: system.yml
+  tags: 'rails_deploy'
+
+- name: Configure database
+  ansible.builtin.include_tasks: database.yml
+  when: rails_deploy_database_create
+  tags: 'rails_deploy_setup'
+
+- name: Deploy access keys
+  ansible.builtin.include_tasks: deploy_keys.yml
+  tags: 'rails_deploy_setup'
+
+- name: Deploy application
+  ansible.builtin.include_tasks: deploy.yml
+  tags: 'rails_deploy'
+
+- name: Configure local facts
+  ansible.builtin.include_tasks: local_facts.yml
+  tags: 'rails_deploy'
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/tasks/system.yml b/ansible_collections/debops/debops/roles/rails_deploy/tasks/system.yml
new file mode 100644
index 00000000..e513d7ef
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/tasks/system.yml
@@ -0,0 +1,115 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install app packages
+  ansible.builtin.package:
+    name: '{{ item }}'
+    state: 'present'
+  with_items: '{{ rails_deploy_packages + ["git"] }}'
+  register: rails_deploy__register_packages
+  until: rails_deploy__register_packages is succeeded
+
+- name: Create app group
+  ansible.builtin.group:
+    name: '{{ rails_deploy_service }}'
+    state: 'present'
+    system: True
+  when: rails_deploy_service is defined and rails_deploy_service
+
+- name: Create app user
+  ansible.builtin.user:
+    name: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    home: '{{ rails_deploy_home }}'
+    generate_ssh_key: True
+    comment: '{{ rails_deploy_service }}'
+    groups: '{{ rails_deploy_user_groups | join(",") }}'
+    shell: '/bin/bash'
+    append: True
+    system: True
+    state: 'present'
+  when: rails_deploy_service is defined and rails_deploy_service
+
+- name: Allow ssh access from the app user
+  ansible.posix.authorized_key:
+    key: '{{ rails_deploy_user_sshkey }}'
+    user: '{{ rails_deploy_service }}'
+    manage_dir: False
+  when: rails_deploy_service is defined and rails_deploy_service and
+        'sshusers' in rails_deploy_user_groups and rails_deploy_user_sshkey
+
+- name: Create backup copy of the host's ssh keys
+  ansible.builtin.fetch:
+    dest: '{{ secret }}/storage/sensitive/{{ rails_deploy_service }}'
+    src: '{{ item }}'
+    validate_md5: True
+  when: rails_deploy_service is defined and rails_deploy_service and
+        secret is defined and secret
+  with_items:
+    - '{{ rails_deploy_home }}/.ssh/id_rsa'
+    - '{{ rails_deploy_home }}/.ssh/id_rsa.pub'
+  tags: system_backup
+
+- name: Secure app home directory
+  ansible.builtin.file:
+    path: '{{ rails_deploy_home }}'
+    state: 'directory'
+    owner: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    mode: '0751'
+  when: rails_deploy_service is defined and rails_deploy_service
+
+- name: Create src, log and run state paths
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    mode: '0755'
+  when: rails_deploy_service is defined and rails_deploy_service
+  with_items:
+    - '{{ rails_deploy_src }}'
+    - '{{ rails_deploy_log }}'
+    - '{{ rails_deploy_run }}'
+
+- name: Create logrotate file
+  ansible.builtin.template:
+    src: 'etc/logrotate.d/service.j2'
+    dest: '/etc/logrotate.d/{{ rails_deploy_service }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: rails_deploy_service is defined and rails_deploy_service
+
+- name: Create /etc/default/app file
+  ansible.builtin.template:
+    src: 'etc/default/app.j2'
+    dest: '/etc/default/{{ rails_deploy_service }}'
+    owner: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    mode: '0644'
+  when: rails_deploy_service is defined and rails_deploy_service
+
+- name: Create application service
+  ansible.builtin.template:
+    src: 'etc/init.d/service.j2'
+    dest: '/etc/init.d/{{ rails_deploy_service }}'
+    owner: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    mode: '0755'
+  when: rails_deploy_service is defined and rails_deploy_service and rails_deploy_backend
+  with_items: [ 'service' ]
+
+- name: Create background worker service
+  ansible.builtin.template:
+    src: 'etc/init.d/service.j2'
+    dest: '/etc/init.d/{{ rails_deploy_worker }}'
+    owner: '{{ rails_deploy_service }}'
+    group: '{{ rails_deploy_service }}'
+    mode: '0755'
+  when: rails_deploy_worker_enabled and
+        rails_deploy_worker is defined and rails_deploy_worker
+  with_items: [ 'worker' ]
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/ansible/facts.d/rails_deploy.fact.j2 b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/ansible/facts.d/rails_deploy.fact.j2
new file mode 100644
index 00000000..648329dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/ansible/facts.d/rails_deploy.fact.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+ # Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{# mtime.config: -#}
+{% set rails_deploy_tpl_mtime_config_readable = rails_deploy_register_mtime_config is defined and rails_deploy_register_mtime_config.has_key('stat') -%}
+{% set rails_deploy_tpl_mtime_config = rails_deploy_register_mtime_config.stat.mtime if rails_deploy_tpl_mtime_config_readable else False -%}
+{# mtime.schema: -#}
+{% set rails_deploy_tpl_mtime_schema_readable = rails_deploy_register_mtime_schema is defined and rails_deploy_register_mtime_schema.has_key('stat') -%}
+{% set rails_deploy_tpl_mtime_schema = rails_deploy_register_mtime_schema.stat.mtime if rails_deploy_tpl_mtime_schema_readable else False -%}
+{# stat.migrated: #}
+{% set rails_deploy_tpl_migrated_readable = rails_deploy_tpl_mtime_config_readable and ansible_local is defined and ansible_local.rails_deploy is defined and ansible_local.rails_deploy[rails_deploy_service] is defined -%}
+{% set rails_deploy_tpl_migrated = rails_deploy_database_force_migrate or rails_deploy_register_mtime_schema.stat.mtime != ansible_local.rails_deploy[rails_deploy_service].mtime.schema if rails_deploy_tpl_migrated_readable else False -%}
+{
+"{{ rails_deploy_service }}": {
+  "mtime": {
+    "config": {{ rails_deploy_tpl_mtime_config | to_nice_json }},
+    "schema": {{ rails_deploy_tpl_mtime_schema | to_nice_json }}
+  },
+  "stat": {
+    "version": {{ rails_deploy_git_version | to_nice_json }},
+    "migrated": {{ rails_deploy_tpl_migrated | to_nice_json }},
+    "bind": {{ rails_deploy_backend_bind | to_nice_json }}
+  }
+}
+}
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/default/app.j2 b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/default/app.j2
new file mode 100644
index 00000000..05d38251
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/default/app.j2
@@ -0,0 +1,13 @@
+{# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+ # Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+{% for key, value in rails_deploy_default_env.items() -%}
+export {{ key }}='{{ value }}'
+{% endfor -%}
+{% for key, value in rails_deploy_env.items() -%}
+export {{ key }}='{{ value }}'
+{% endfor -%}
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/init.d/service.j2 b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/init.d/service.j2
new file mode 100755
index 00000000..1ec2e144
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/init.d/service.j2
@@ -0,0 +1,305 @@
+#! /bin/bash
+
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# Heavily inspired by: https://github.com/gitlabhq/gitlabhq
+
+### BEGIN INIT INFO
+# Provides:          {{ rails_deploy_service if item == 'service' else rails_deploy_worker }}
+# Required-Start:    $local_fs $remote_fs $network $rsyslog
+# Required-Stop:     $local_fs $remote_fs $network $rsyslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Manage {{ rails_deploy_service if item == 'service' else rails_deploy_worker }}
+# Description:       Manage {{ rails_deploy_service if item == 'service' else rails_deploy_worker }}
+### END INIT INFO
+
+# ---------------------------------------------------------------------------
+# configuration options
+# ---------------------------------------------------------------------------
+bundle="bundle"
+
+service="{{ rails_deploy_service if item == 'service' else rails_deploy_worker }}"
+backend="{{ rails_deploy_backend if item == 'service' else rails_deploy_worker }}"
+item_type="{{ item }}"
+src="{{ rails_deploy_src }}"
+env_source="{{ rails_deploy_env_source }}"
+run="{{ rails_deploy_run }}"
+bin="{{ rails_deploy_src }}/bin/${backend}"
+
+if [ "${item_type}" = "service" ] ; then
+    socket="{{ rails_deploy_service_socket }}"
+fi
+
+pid="{{ rails_deploy_service_pid if item == 'service' else rails_deploy_worker_pid }}"
+service_timeout="{{ rails_deploy_service_timeout }}"
+
+if [ "${backend}" = "puma" ] || [ "${backend}" = "sidekiq" ] ; then
+    config="C"
+    daemon="d"
+elif [ "${backend}" = "unicorn" ] ; then
+    config="c"
+    daemon="D"
+fi
+
+config_flag="-$config $src/config/{{ rails_deploy_backend + '.rb' if item == 'service' else rails_deploy_worker + '.yml' }}"
+
+# ---------------------------------------------------------------------------
+# source the environment, ensure correct user, and set the path
+# ---------------------------------------------------------------------------
+if ! $env_source ; then
+ echo "failed to source environment for $service, exiting"; exit 1;
+fi
+
+if ! cd "$src" ; then
+ echo "failed to cd into $src, exiting"; exit 1;
+fi
+
+# ---------------------------------------------------------------------------
+# private commands to control {{ rails_deploy_service if item == 'service' else rails_deploy_worker }}
+# ---------------------------------------------------------------------------
+service_start(){
+$bundle exec "$bin" "$config_flag" "-$daemon" 2>&1 | logger -t "${backend}" &
+}
+
+service_stop(){
+  if [ "${item_type}" = "service" ] ; then
+      kill -KILL "$wpid"
+  else
+      $bundle exec bin/sidekiqctl stop "$pid"
+  fi
+}
+
+service_reload(){
+  kill -USR2 "$wpid"
+}
+
+# ---------------------------------------------------------------------------
+# get the pid from the file
+# ---------------------------------------------------------------------------
+check_pids(){
+  if ! mkdir -p "$run"; then
+    echo "could not create the path $run needed to store the pids"; exit 1
+  fi
+  if [ -f "$pid" ]; then
+    # read an existing pid file
+    wpid=$(cat "$pid")
+  else
+    wpid=0
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# used after starting the service and are waiting for its pid
+# ---------------------------------------------------------------------------
+wait_for_pids(){
+  # sleep for a bit to give it time
+  i=0;
+  while [ ! -f "$pid" ]; do
+    sleep 0.1;
+    i=$((i+1))
+    if [ $((i%10)) = 0 ]; then
+      echo -n "."
+    elif [ $((i)) = $(( service_timeout * 10 + 1 )) ]; then
+      echo "waited ${service_timeout}s for the process to write its pid, something went wrong, exiting"
+      exit 1;
+    fi
+  done
+  echo
+}
+
+# ---------------------------------------------------------------------------
+# always check the pid
+# ---------------------------------------------------------------------------
+check_pids
+
+# ---------------------------------------------------------------------------
+# determine if the service is running or not
+# ---------------------------------------------------------------------------
+check_status(){
+  check_pids
+
+  # if the service is running kill -0 $pid returns true, or rather 0
+  # checks of *_status should only check for == 0 or != 0, never anything else
+  if [ "$wpid" -ne "0" ]; then
+    kill -0 "$wpid" 2>/dev/null
+    service_status="$?"
+  else
+    service_status="-1"
+  fi
+  if [ $service_status = 0 ]; then
+    exit_status=0
+  else
+    # http://refspecs.linuxbase.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/iniscrptact.html
+    # code 3 means 'program is not running'
+    exit_status=3
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# check for stale pids and remove them if necessary
+# ---------------------------------------------------------------------------
+check_stale_pids(){
+  check_status
+  # if there is a pid it is something else than 0, the service is running if
+  # *_status is == 0
+  if [ "$wpid" != "0" ] && [ "$service_status" != "0" ]; then
+    echo "removing stale $service pid, this is most likely caused by $service crashing the last time it ran"
+    if ! rm "$pid"; then
+      echo "unable to remove stale pid, exiting"
+      exit 1
+    fi
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# nothing is running so it is safe to exit
+# ---------------------------------------------------------------------------
+exit_if_not_running(){
+  check_stale_pids
+  if [ "$service_status" != "0" ]; then
+    echo "$service is not running"
+    exit
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# start the service if it is not running
+# ---------------------------------------------------------------------------
+start() {
+  check_stale_pids
+
+  if [ "$service_status" != "0" ]; then
+    echo -n "starting $service"
+  fi
+
+  # then check if the service is running
+  # if it is, don't start again
+  if [ "$service_status" = "0" ]; then
+    echo "$service is already running with pid $wpid, not restarting"
+  else
+    if [ "${item_type}" = "service" ] ; then
+      # remove old socket if it exists before starting
+      rm -f "$socket" 2>/dev/null
+    fi
+    service_start
+  fi
+
+  # wait for the pids to be planted
+  wait_for_pids
+
+  # finally check the status to tell whether or not the service is running
+  print_status
+}
+
+# ---------------------------------------------------------------------------
+# stop the service if it is running
+# ---------------------------------------------------------------------------
+stop() {
+  exit_if_not_running
+
+  # if the service is running, stop it
+  if [ "$service_status" = "0" ]; then
+    echo -n "shutting down $service"
+    service_stop
+  fi
+
+  # if something needs to be stopped, wait for it because
+  # using SIGKILL is bad in a script
+  while [ "$service_status" = "0" ]; do
+    sleep 1
+    check_status
+    printf "."
+    if [ "$service_status" != "0" ]; then
+      printf "\\n"
+      break
+    fi
+  done
+
+  sleep 1
+
+  # clean up the pid file
+  rm "$pid" 2>/dev/null
+
+  print_status
+}
+
+# ---------------------------------------------------------------------------
+# output the status of the service
+# ---------------------------------------------------------------------------
+print_status() {
+  check_status
+  if [ "$service_status" != "0" ]; then
+    echo "$service is not running"
+    return
+  fi
+  if [ "$service_status" = "0" ]; then
+      echo "$service with pid $wpid is running"
+  else
+      printf "%s\\n" "$service is \\033[31mnot running\\033[0m"
+  fi
+  if [ "$service_status" = "0" ]; then
+    printf "%s\\n" "$service is \\033[32mup and running\\033[0m"
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# reload the app process
+# ---------------------------------------------------------------------------
+reload(){
+  exit_if_not_running
+  if [ "$wpid" = "0" ];then
+    echo "$service is not running, its configuration can't be reloaded, exiting"
+    exit 1
+  fi
+  printf "%s" "reloading $service configuration..."
+  service_reload
+  echo "done!"
+
+  wait_for_pids
+  print_status
+}
+
+# ---------------------------------------------------------------------------
+# restart the app process by stopping it and then starting it
+# ---------------------------------------------------------------------------
+restart(){
+  check_status
+  if [ "$service_status" = "0" ]; then
+    stop
+  fi
+  start
+}
+
+# ---------------------------------------------------------------------------
+# handle the input
+# ---------------------------------------------------------------------------
+case "$1" in
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  restart)
+        restart
+        ;;
+  reload|force-reload)
+        reload
+        ;;
+  status)
+        print_status
+        exit $exit_status
+        ;;
+  *)
+        echo "Usage: service $service { {{ 'start|stop|restart|reload|status' if item == 'service' else 'start|stop|restart|status}' }} }"
+        exit 1
+        ;;
+esac
+
+exit
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/logrotate.d/service.j2 b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/logrotate.d/service.j2
new file mode 100644
index 00000000..a26545a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/templates/etc/logrotate.d/service.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+ # Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+{{ rails_deploy_log }}/*.log {
+        {{ rails_deploy_logrotate_interval }}
+        missingok
+        copytruncate
+        create 0640 {{ rails_deploy_service }} {{ rails_deploy_service }}
+        rotate {{ rails_deploy_logrotate_rotation }}
+        compress
+        notifempty
+}
diff --git a/ansible_collections/debops/debops/roles/rails_deploy/vars/main.yml b/ansible_collections/debops/debops/roles/rails_deploy/vars/main.yml
new file mode 100644
index 00000000..0d766d25
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rails_deploy/vars/main.yml
@@ -0,0 +1,26 @@
+---
+# Copyright (C) 2014      Nick Janetakis <nickjanetakis@gmail.com>
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps Project <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Break down the git location.
+rails_deploy_git_location_pieces: "{{ rails_deploy_git_location.split('@')[1].split('/') if not 'file://' in rails_deploy_git_location else False }}"
+rails_deploy_git_host: "{{ (rails_deploy_git_location_pieces[0] if 'ssh://' in rails_deploy_git_location else rails_deploy_git_location_pieces[0].split(':')[0]) if rails_deploy_git_location_pieces else '' }}"
+rails_deploy_git_account: "{{ (rails_deploy_git_location_pieces[-2] if 'ssh://' in rails_deploy_git_location else rails_deploy_git_location_pieces[0].split(':')[1]) if rails_deploy_git_location_pieces else '' }}"
+rails_deploy_git_repo: "{{ rails_deploy_git_location | basename | replace('.git', '') if not 'file://' in rails_deploy_git_location else '' }}"
+
+# Service/Worker related paths.
+rails_deploy_env_source: '. /etc/default/{{ rails_deploy_service }}'
+rails_deploy_log: '/var/log/{{ rails_deploy_service }}'
+rails_deploy_run: '/var/run/{{ rails_deploy_service }}'
+rails_deploy_service_socket: '{{ rails_deploy_run }}/{{ rails_deploy_service }}'
+rails_deploy_service_pid: '{{ rails_deploy_run }}/{{ rails_deploy_service }}.pid'
+rails_deploy_worker_pid: '{{ rails_deploy_run }}/{{ rails_deploy_worker }}.pid'
+
+# Database related values.
+rails_deploy_database_package: "{{ 'libpq-dev' if rails_deploy_database_adapter == 'postgresql' else 'libmysqlclient-dev' }}"
+
+rails_deploy_database_super_password: "{{ lookup('password', secret + '/credentials/' + rails_deploy_database_host + '/postgresql/default/' + rails_deploy_postgresql_super_username + '/password length=20') if 'postgresql' in rails_deploy_database_adapter else lookup('password', secret + '/credentials/' + rails_deploy_database_host + '/mysql/' + rails_deploy_mysql_super_username + '/password length=20') }}"
+
+rails_deploy_database_user_password: "{{ lookup('password', secret + '/credentials/' + rails_deploy_database_host + '/postgresql/' + rails_deploy_postgresql_cluster + rails_deploy_service + '/password length=20') if 'postgresql' in rails_deploy_database_adapter else lookup('password', secret + '/credentials/' + rails_deploy_database_host + '/mysql/' + rails_deploy_service + '/password length=20') }}"
diff --git a/ansible_collections/debops/debops/roles/reboot/COPYRIGHT b/ansible_collections/debops/debops/roles/reboot/COPYRIGHT
new file mode 100644
index 00000000..15ed8536
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reboot/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.reboot - Reboot DebOps hosts
+
+Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+Copyright (C) 2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/reboot/defaults/main.yml b/ansible_collections/debops/debops/roles/reboot/defaults/main.yml
new file mode 100644
index 00000000..b448eac1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reboot/defaults/main.yml
@@ -0,0 +1,72 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# .. Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _reboot__ref_defaults:
+
+# debops.reboot default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Reboot configuration [[[
+# ------------------------
+
+# .. envvar:: reboot__boot_time_command [[[
+#
+# Command to run that returns a unique string indicating the last time the
+# system was booted.
+#
+# By default, the ``reboot`` Ansible module checks the contents of the
+# :file:`/proc/sys/kernel/random/boot_id` file. This causes issues in LXC
+# containers however. Using the :command:`uptime` command seems to fix the
+# problem, so it is used by the role for the meantime.
+#
+# Ref: https://github.com/ansible/ansible/issues/57768
+reboot__boot_time_command: 'uptime'
+
+                                                                   # ]]]
+# .. envvar:: reboot__force [[[
+#
+# If set to ``True``, the role will reboot the host on each execution even if
+# the :file:`/var/run/reboot-required` file is not present.
+reboot__force: False
+
+                                                                   # ]]]
+# .. envvar:: reboot__default_search_paths [[[
+#
+# List of filesystem paths to search on the remote machine for the
+# :command:`shutdown` command. The ``$PATH`` variable is ignored in the remote
+# node when searching for the :command:`shutdown` command.
+reboot__default_search_paths:
+  - '/lib/molly-guard'
+  - '/sbin'
+  - '/usr/sbin'
+  - '/usr/local/sbin'
+
+                                                                   # ]]]
+# .. envvar:: reboot__search_paths [[[
+#
+# List of additional paths which should be searched for the :command:`shutdown`
+# command.
+reboot__search_paths: []
+
+                                                                   # ]]]
+# .. envvar:: reboot__timeout [[[
+#
+# Maximum number of seconds to wait for machine to reboot and respond to a test
+# command.
+#
+# This timeout is evaluated separately for both reboot verification and test
+# command success so the maximum execution time for the module is twice this
+# amount.
+reboot__timeout: 600
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/reboot/meta/main.yml b/ansible_collections/debops/debops/roles/reboot/meta/main.yml
new file mode 100644
index 00000000..75315c64
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reboot/meta/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Julien Lecomte'
+  description: 'Reboot DebOps hosts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/reboot/tasks/main.yml b/ansible_collections/debops/debops/roles/reboot/tasks/main.yml
new file mode 100644
index 00000000..c20e69a1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reboot/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2022 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if reboot is required
+  ansible.builtin.stat:
+    path: '/var/run/reboot-required'
+    get_checksum: False
+  register: reboot__register_required
+
+- name: Reboot DebOps hosts if needed or requested
+  ansible.builtin.reboot:
+    boot_time_command: '{{ reboot__boot_time_command }}'
+    search_paths: '{{ (reboot__default_search_paths + reboot__search_paths) | flatten }}'
+    reboot_timeout: "{{ reboot__timeout }}"
+  when: "reboot__register_required.stat.exists | bool or reboot__force | bool"
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/COPYRIGHT b/ansible_collections/debops/debops/roles/redis_sentinel/COPYRIGHT
new file mode 100644
index 00000000..d1021720
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.redis_sentinel - Manage Redis Sentinel instances using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/defaults/main.yml b/ansible_collections/debops/debops/roles/redis_sentinel/defaults/main.yml
new file mode 100644
index 00000000..92950aec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/defaults/main.yml
@@ -0,0 +1,373 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _redis_sentinel__ref_defaults:
+
+# debops.redis_sentinel default variables
+# =======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, Redis Sentinel version [[[
+# ----------------------------------------
+
+# .. envvar:: redis_sentinel__base_packages [[[
+#
+# List of the default APT packages to install for Redis Sentinel support.
+redis_sentinel__base_packages: [ 'redis-sentinel', 'redis-tools' ]
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__packages [[[
+#
+# List of additional APT packages to install with Redis Sentinel.
+redis_sentinel__packages: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__version [[[
+#
+# The version of the installed Redis Sentinel. It will be detected via Ansible
+# local facts, installed by the role.
+redis_sentinel__version: '{{ ansible_local.redis_sentinel.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: redis_sentinel__user [[[
+#
+# Name of the UNIX system account which is used to run Redis Sentinel service.
+redis_sentinel__user: 'redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__group [[[
+#
+# Name of the UNIX system group which is used to run Redis Sentinel service.
+redis_sentinel__group: 'redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__auth_group [[[
+#
+# Name of the UNIX system group which has read-only access to the Redis
+# configuration and can be used to retrieve the authentication password by
+# running the :command:`redis-password` script.
+redis_sentinel__auth_group: 'redis-auth'
+                                                                   # ]]]
+                                                                   # ]]]
+# Domain, password authentication [[[
+# -----------------------------------
+
+# .. envvar:: redis_sentinel__domain [[[
+#
+# The DNS domain used in the role to configure Redis and Sentinel parameters,
+# primarily to retrieve the shared password.
+redis_sentinel__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__auth_password [[[
+#
+# The password used for authentication in Redis. The same password is used on
+# all nodes in the Redis/Sentinel cluster to simplify authentication.
+redis_sentinel__auth_password: '{{ ansible_local.redis_sentinel.password
+                                   if (ansible_local.redis_sentinel.password | d())
+                                   else (lookup("password", secret +
+                                         "/redis/clusters/" + redis_sentinel__domain +
+                                         "/password length=" + redis_sentinel__password_length +
+                                         " chars=ascii_letters,digits,-_.")) }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__password_length [[[
+#
+# Length of the generated random passwords. Redis documentation suggests to use
+# long passwords due to speed of the engine making it easy to test short
+# passwords. See: https://redis.io/topics/security
+redis_sentinel__password_length: '256'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: redis_sentinel__bind [[[
+#
+# A string or a list of IP addresses on which Redis Sentinel instances should
+# listen for connections. It can be overridden per instance, see
+# :ref:`redis_sentinel__ref_instances` for more details.
+#
+# By default Redis Sentinel instances will listen only on the loopback network
+# interface. To listen for IPv4 and IPv6 connections you can set this variable
+# to ``[ '0.0.0.0', '::' ]``. Ensure that the firewall access is configured
+# properly to avoid security issues.
+redis_sentinel__bind: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Sentinel instances over the network, on all hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`redis_sentinel__ferm__dependent_rules` variable directly.
+redis_sentinel__allow: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Sentinel instances over the network, on hosts in the specific Ansible
+# inventory group. This variable configures the firewall for all instances at
+# the same time, for individual instance configuration you should modify the
+# :envvar:`redis_sentinel__ferm__dependent_rules` variable directly.
+redis_sentinel__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Sentinel instances over the network, on specific hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`redis_sentinel__ferm__dependent_rules` variable directly.
+redis_sentinel__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Sentinel base options [[[
+# -------------------------------
+
+# .. envvar:: redis_sentinel__default_base_options [[[
+#
+# The default set of configuration options, applied to all Redis Sentinel
+# instances. See :ref:`redis_sentinel__ref_configuration` for more details.
+redis_sentinel__default_base_options:
+
+  - name: 'syslog-enabled'
+    value: True
+
+  - name: 'syslog-facility'
+    value: 'local0'
+
+  - name: 'loglevel'
+    value: 'notice'
+
+  - name: 'daemonize'
+    value: True
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__base_options [[[
+#
+# An additional set of configuration options, applied to all Redis Sentinel
+# instances. See :ref:`redis_sentinel__ref_configuration` for more details.
+redis_sentinel__base_options: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Sentinel instances [[[
+# ----------------------------
+
+# These variables define what Redis Sentinel instances are present on the host.
+# See :ref:`redis_sentinel__ref_instances` for more details.
+
+# .. envvar:: redis_sentinel__default_instances [[[
+#
+# The list of the Redis Sentinel instances defined by default by the role.
+redis_sentinel__default_instances:
+
+  - name: 'main'
+    port: '26379'
+    pidfile: '/var/run/sentinel/redis-sentinel.pid'
+    unixsocket: '/var/run/sentinel/redis-sentinel.sock'
+    systemd_override: |
+      [Service]
+      PIDFile=/var/run/sentinel/redis-sentinel.pid
+      RuntimeDirectory=sentinel
+      ReadWriteDirectories=-/var/run/sentinel
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__instances [[[
+#
+# List of the Redis Sentinel instances defined on all hosts in the Ansible
+# inventory.
+redis_sentinel__instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__group_instances [[[
+#
+# List of the Redis Sentinel instances defined on hosts in a specific Ansible
+# inventory group.
+redis_sentinel__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__host_instances [[[
+#
+# List of the Redis Sentinel instances defined on specific hosts in the Ansible
+# inventory.
+redis_sentinel__host_instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__combined_instances [[[
+#
+# Variable which combines all of the defined Redis Sentinel instance lists and
+# is used in the role tasks and templates.
+redis_sentinel__combined_instances: '{{ redis_sentinel__default_instances
+                                        + redis_sentinel__instances
+                                        + redis_sentinel__group_instances
+                                        + redis_sentinel__host_instances }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Sentinel monitors [[[
+# ---------------------------
+
+# These variables define the monitoring configuration for Redis Sentinel
+# instances. By default each configured monitor will be defined in all Sentinel
+# instances, but this can be restricted to a specific instance.
+# See :ref:`redis_sentinel__ref_monitors` for more details.
+
+# .. envvar:: redis_sentinel__default_monitors [[[
+#
+# List of the default Redis Sentinel monitors defined by the role.
+redis_sentinel__default_monitors:
+
+  - name: 'redis-ha'
+    host: 'localhost'
+    port: '6379'
+    quorum: '2'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__monitors [[[
+#
+# List of the Redis Sentinel monitors defined on all hosts in the Ansible
+# inventory.
+redis_sentinel__monitors: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__group_monitors [[[
+#
+# List of the Redis Sentinel monitors defined on hosts in a specific Ansible
+# inventory group.
+redis_sentinel__group_monitors: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__host_monitors [[[
+#
+# List of the Redis Sentinel monitors defined on specific hosts in the Ansible
+# inventory.
+redis_sentinel__host_monitors: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__combined_monitors [[[
+#
+# The variable that combines all of the Redis Sentinel monitor lists and is
+# used in the role tasks and templates.
+redis_sentinel__combined_monitors: '{{ redis_sentinel__default_monitors
+                                       + redis_sentinel__monitors
+                                       + redis_sentinel__group_monitors
+                                       + redis_sentinel__host_monitors }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Sentinel configuration options [[[
+# ----------------------------------------
+
+# These variables define the configuration used by the
+# :ref:`debops.redis_sentinel` Ansible role to manage the Redis Sentinel
+# instances. See :ref:`redis_sentinel__ref_configuration` for more details.
+
+# .. envvar:: redis_sentinel__default_configuration [[[
+#
+# The default Redis Sentinel configuration, generated automatically, based on the
+# defined Redis Sentinel instances.
+redis_sentinel__default_configuration: '{{ lookup("template", "lookup/redis_sentinel__filtered_instances.j2")
+                                           | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__configuration [[[
+#
+# The Redis Sentinel configuration options defined for all hosts in the Ansible
+# inventory.
+redis_sentinel__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__group_configuration [[[
+#
+# The Redis Sentinel configuration options defined for hosts in a specific
+# Ansible inventory group.
+redis_sentinel__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__host_configuration [[[
+#
+# The Redis Sentinel configuration options defined for specific hosts in the
+# Ansible inventory.
+redis_sentinel__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__combined_configuration [[[
+#
+# The variable which combines lists with Redis Sentinel configuration options
+# and is used in the role tasks and templates.
+redis_sentinel__combined_configuration: '{{ redis_sentinel__default_configuration
+                                            + redis_sentinel__configuration
+                                            + redis_sentinel__group_configuration
+                                            + redis_sentinel__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: redis_sentinel__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+redis_sentinel__apt_preferences__dependent_list:
+
+  - packages: [ 'redis', 'redis-*' ]
+    backports: [ 'stretch' ]
+    by_role: 'debops.redis_sentinel'
+    reason: 'Support for multiple Redis instances, compatibility with newer Debian releases'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+redis_sentinel__etc_services__dependent_list:
+
+  - name: 'redis-sentinel'
+    port: '26379'
+    comment: 'Redis Sentinel'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+redis_sentinel__python__dependent_packages3:
+
+  - 'python3-redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+redis_sentinel__python__dependent_packages2:
+
+  - 'python-redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_sentinel__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+redis_sentinel__ferm__dependent_rules:
+
+  - name: 'redis_sentinel'
+    type: 'accept'
+    dport: '{{ redis_sentinel__env_ports }}'
+    saddr: '{{ redis_sentinel__allow + redis_sentinel__group_allow + redis_sentinel__host_allow }}'
+    weight: '40'
+    accept_any: False
+    multiport: True
+    by_role: 'debops.redis_sentinel'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/meta/main.yml b/ansible_collections/debops/debops/roles/redis_sentinel/meta/main.yml
new file mode 100644
index 00000000..ab0e9950
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure Redis Sentinel instances'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - redis
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main.yml b/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main.yml
new file mode 100644
index 00000000..44fde191
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main.yml
@@ -0,0 +1,175 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Redis Sentinel packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (redis_sentinel__base_packages
+                              + redis_sentinel__packages)) }}'
+    state: 'present'
+  register: redis_sentinel__register_packages
+  until: redis_sentinel__register_packages is succeeded
+
+- name: Ensure that standalone Redis Sentinel is stopped on install
+  ansible.builtin.systemd:
+    name: 'redis-sentinel.service'
+    state: 'stopped'
+  when: ((ansible_local is undefined or
+          ansible_local.redis_sentinel is undefined) and
+         ansible_service_mgr == 'systemd')
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Setup Redis Sentinel local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/redis_sentinel.fact.j2'
+    dest: '/etc/ansible/facts.d/redis_sentinel.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create Redis Sentinel auth UNIX group
+  ansible.builtin.group:
+    name: '{{ redis_sentinel__auth_group }}'
+    state: 'present'
+    system: True
+
+- name: Create Redis Sentinel instance directories
+  ansible.builtin.file:
+    path: '/etc/redis/sentinel-{{ item.0.name + item.1 }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items
+            | product(["", "/reconfig.d", "/notify.d"]) | list }}'
+  when: item.0.name | d() and item.0.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate initial Redis Sentinel configuration
+  ansible.builtin.template:
+    src: 'etc/redis/sentinel-instance/sentinel.conf.j2'
+    dest: '/etc/redis/sentinel-{{ item.name }}/sentinel.conf'
+    owner: '{{ redis_sentinel__user }}'
+    group: '{{ redis_sentinel__auth_group }}'
+    mode: '0640'
+    force: False
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore']
+  notify: [ 'Refresh host facts' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate Redis Sentinel notify and reconfig scripts
+  ansible.builtin.template:
+    src: 'etc/redis/sentinel-instance/{{ item.1 }}.j2'
+    dest: '/etc/redis/sentinel-{{ item.0.name }}/{{ item.1 }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  loop: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items
+            | product(["notify.sh", "reconfig.sh"]) | list }}'
+  when: item.0.name | d() and item.0.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Install custom systemd unit files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/systemd/system/redis-sentinel@.service'
+    - 'etc/systemd/system/redis-sentinel.service'
+  notify: [ 'Reload service manager' ]
+
+- name: Create systemd override directories for instances
+  ansible.builtin.file:
+    path: '/etc/systemd/system/redis-sentinel@{{ item.name }}.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore'] and
+        item.systemd_override | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate systemd instance override files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/redis-sentinel@.service.d/ansible-override.conf.j2'
+    dest: '/etc/systemd/system/redis-sentinel@{{ item.name }}.service.d/ansible-override.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore'] and
+        item.systemd_override | d()
+  notify: [ 'Reload service manager' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Stop Redis Sentinel instances if requested
+  ansible.builtin.systemd:
+    name: 'redis-sentinel@{{ item.name }}.service'
+    state: 'stopped'
+    enabled: False
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove Redis Sentinel instance systemd override if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/system/redis-sentinel@{{ item.name }}.service.d'
+    state: 'absent'
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Reload service manager' ]
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove Redis Sentinel instance configuration if requested
+  ansible.builtin.file:
+    path: '/etc/redis/sentinel-{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Reload systemd configuration when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that Redis Sentinel instances are started
+  ansible.builtin.systemd:
+    name: 'redis-sentinel@{{ item.name }}.service'
+    state: 'started'
+    enabled: True
+  with_items: '{{ redis_sentinel__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main_env.yml b/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main_env.yml
new file mode 100644
index 00000000..ad48f38f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare Redis Sentinel role environment
+  ansible.builtin.set_fact:
+    redis_sentinel__env_ports: '{{ lookup("template", "lookup/redis_sentinel__env_ports.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/ansible/facts.d/redis_sentinel.fact.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/ansible/facts.d/redis_sentinel.fact.j2
new file mode 100644
index 00000000..b165cae3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/ansible/facts.d/redis_sentinel.fact.j2
@@ -0,0 +1,144 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+from operator import itemgetter
+import subprocess
+import signal
+import os
+import redis
+
+output = {'installed': False}
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def unwrap_quotes(input_line):
+    out = input_line.split(' ')[1].rstrip('\n')
+    if out.startswith('"') and out.endswith('"'):
+        out = out[1:-1]
+    return out
+
+
+def get_immediate_subdirectories(a_dir):
+    return [name for name in os.listdir(a_dir)
+            if os.path.isdir(os.path.join(a_dir, name))]
+
+
+output['installed'] = cmd_exists('redis-sentinel')
+
+if output['installed']:
+    try:
+        redis_sentinel_version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "redis-sentinel"]).decode('utf-8').split('-')[0]
+        output['version'] = redis_sentinel_version_stdout.split(':')[1]
+
+    except Exception:
+        pass
+
+    sentinel_instances = []
+
+    for directory in get_immediate_subdirectories('/etc/redis'):
+        if directory.startswith('sentinel-'):
+            instance = {'name': directory.split('-')[1]}
+            if os.path.isfile('/etc/redis/' + directory + '/sentinel.conf'):
+                try:
+                    for config_file in ['/etc/redis/' + directory
+                                        + '/sentinel.conf']:
+                        try:
+                            pass_map = {}
+                            with open(config_file) as fh:
+                                for line in fh:
+                                    if line.startswith('bind'):
+                                        instance['bind'] = unwrap_quotes(line)
+
+                                    if line.startswith('port'):
+                                        instance['port'] = unwrap_quotes(line)
+
+                                    elif line.startswith('unixsocket'):
+                                        instance['socket'] = (
+                                                unwrap_quotes(line))
+
+                                    elif line.startswith('sentinel auth-pass'):
+                                        monitor = line.split(' ')[2]
+                                        pass_map[monitor] = (
+                                            line.split(' ')[3].rstrip('\n'))
+
+                            try:
+                                r = redis.StrictRedis(
+                                        host=instance['bind'],
+                                        port=instance['port'])
+                                instance['redis_mode'] = (
+                                        str(r.info()['redis_mode']))
+                                monitors = []
+                                for monitor in r.sentinel_masters().keys():
+                                    master_ip_port = (
+                                            r.sentinel_get_master_addr_by_name(
+                                                monitor))
+                                    sentinels = []
+                                    for entry in r.sentinel_sentinels(monitor):
+                                        sentinels.append(
+                                                {'ip': entry['ip'],
+                                                 'port': entry['port']})
+                                    monitor_entry = (
+                                            {'name': monitor,
+                                             'master_host': (
+                                                 master_ip_port[0].decode(
+                                                     'utf-8')),
+                                             'master_port': master_ip_port[1],
+                                             'other_sentinels': sentinels})
+                                    if monitor in pass_map.keys():
+                                        monitor_entry['master_password'] = (
+                                                pass_map[monitor])
+
+                                    monitors.append(monitor_entry)
+
+                                instance['monitors'] = monitors
+
+                            except Exception:
+                                pass
+
+                        except Exception:
+                            pass
+
+                    sentinel_instances.append(instance)
+                    if instance['name'] == 'main':
+                        output['bind'] = instance['bind']
+                        output['port'] = instance['port']
+                        output['socket'] = instance['socket']
+                        output['monitor_name'] = (
+                                instance['monitors'][0]['name'])
+                        output['master_host'] = (
+                                instance['monitors'][0]['master_host'])
+                        output['master_port'] = (
+                                instance['monitors'][0]['master_port'])
+
+                        if 'master_password' in instance['monitors'][0].keys():
+                            output['master_password'] = (
+                                    instance['monitors'][0]['master_password'])
+                        output['other_sentinels'] = (
+                                instance['monitors'][0]['other_sentinels'])
+                except Exception:
+                    pass
+
+    try:
+        output['instances'] = sorted(sentinel_instances,
+                                     key=itemgetter('port'))
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/notify.sh.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/notify.sh.j2
new file mode 100755
index 00000000..68c2a317
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/notify.sh.j2
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Run scripts in /etc/redis/sentinel-{{ item.0.name }}/notify.d when Redis Sentinel notices
+# configuration change.
+
+
+set -o nounset -o pipefail -o errexit
+
+event_type="${1}"
+event_desc="${2}"
+
+notify_dir="/etc/redis/sentinel-{{ item.0.name }}/notify.d"
+
+if [ -d "${notify_dir}" ] ; then
+    run-parts \
+        --arg="${event_type}" \
+        --arg="${event_desc}" \
+        "${notify_dir}"
+fi
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/reconfig.sh.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/reconfig.sh.j2
new file mode 100755
index 00000000..c3a8a373
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/reconfig.sh.j2
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Run scripts in /etc/redis/sentinel-{{ item.0.name }}/reconfig.d when Redis Sentinel notices
+# configuration change.
+
+
+set -o nounset -o pipefail -o errexit
+
+master_name="${1}"
+role="${2}"
+state="${3}"
+from_ip="${4}"
+from_port="${5}"
+to_ip="${6}"
+to_port="${7}"
+
+reconfig_dir="/etc/redis/sentinel-{{ item.0.name }}/reconfig.d"
+
+if [ -d "${reconfig_dir}" ] ; then
+    run-parts \
+        --arg="${master_name}" \
+        --arg="${role}" \
+        --arg="${state}" \
+        --arg="${from_ip}" \
+        --arg="${from_port}" \
+        --arg="${to_ip}" \
+        --arg="${to_port}" \
+        "${reconfig_dir}"
+fi
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/sentinel.conf.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/sentinel.conf.j2
new file mode 100644
index 00000000..ca462dc0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/redis/sentinel-instance/sentinel.conf.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# Redis Sentinel configuration initialized by Ansible
+
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     set element_prefix = element.prefix | d('sentinel ') %}
+{%     if element.name in [ 'daemonize', 'pidfile', 'logfile', 'bind', 'port',
+                            'dir', 'syslog-facility', 'syslog-ident',
+                            'syslog-enabled', 'loglevel', 'unixsocket' ] %}
+{%       set element_prefix = element.prefix | d('') %}
+{%     endif %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%       if (element.separator | d()) | bool %}
+
+{%       endif %}
+{%       if element.value is string and not element.value | bool %}
+{{ '{}{} {}'.format(element_prefix, element.name, element.value) }}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{{ '{}{} {}'.format(element_prefix, element.name, element.value) }}
+{%         else %}
+{{ '{}{} {}'.format(element_prefix, element.name, 'yes') }}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{{ '{}{} {}'.format(element_prefix, element.name, element.value) }}
+{%           else %}
+{%             if element.value | string == '0' %}
+{{ '{}{} {}'.format(element_prefix, element.name, element.value) }}
+{%             else %}
+{{ '{}{} {}'.format(element_prefix, element.name, 'no') }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       elif element.value is iterable and element.value is not string and element.value is not mapping %}
+{%         if (element.multiple | d(True)) | bool %}
+{%           for thing in (element.value | map(attribute='name') | list) %}
+{{ '{}{} {}'.format(element_prefix, element.name, thing) }}
+{%           endfor %}
+{%         else %}
+{{ '{}{} {}'.format(element_prefix, element.name, element.value | map(attribute='name') | list | join(' ')) }}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel.service.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel.service.j2
new file mode 100644
index 00000000..f1c2a089
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel.service.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Advanced key-value store - Sentinel
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-sentinel(1)
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+Alias=sentinel.service
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.d/ansible-override.conf.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.d/ansible-override.conf.j2
new file mode 100644
index 00000000..4a1a4f61
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.d/ansible-override.conf.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ item.systemd_override | regex_replace('$\n', '') }}
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.j2
new file mode 100644
index 00000000..52963aee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/etc/systemd/system/redis-sentinel@.service.j2
@@ -0,0 +1,58 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Redis - advanced key-value store (%I) - Sentinel
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-sentinel(1)
+ConditionPathExists=/etc/redis/sentinel-%I/sentinel.conf
+PartOf=redis-sentinel.service
+ReloadPropagatedFrom=redis-sentinel.service
+Before=redis-sentinel.service
+After=redis-server.service
+
+[Service]
+Type=forking
+Slice=system-redis-sentinel.slice
+ExecStart=/usr/bin/redis-sentinel /etc/redis/sentinel-%i/sentinel.conf
+ExecStop=/bin/kill -s TERM $MAINPID
+PIDFile=/var/run/sentinel-%i/redis-sentinel.pid
+TimeoutStopSec=0
+Restart=always
+User=redis
+Group=redis
+RuntimeDirectory=sentinel-%i
+RuntimeDirectoryMode=2755
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/redis
+ReadWriteDirectories=-/var/log/redis
+ReadWriteDirectories=-/var/run/sentinel-%i
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# redis-server can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you replace the following lines with "ProtectSystem=full".
+ProtectSystem=true
+ReadWriteDirectories=-/etc/redis
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=redis-sentinel.service
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__env_ports.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__env_ports.j2
new file mode 100644
index 00000000..49d0a1ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__env_ports.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{%   for element in redis_sentinel__combined_configuration | debops.debops.parse_kv_items %}
+{%     if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.options | d() %}
+{%       for option in element.options %}
+{%         if option.name == 'port' and option.value | d() %}
+{%           set _ = output.append(option.value) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{{ output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__filtered_instances.j2 b/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__filtered_instances.j2
new file mode 100644
index 00000000..b67e7b3a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_sentinel/templates/lookup/redis_sentinel__filtered_instances.j2
@@ -0,0 +1,53 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{% for element in redis_sentinel__combined_instances | debops.debops.parse_kv_items %}
+{%   set element_options = [
+  {"name": "port",         "value": element.port},
+  {"name": "bind",         "value": (element.bind         | d(redis_sentinel__bind)), "multiple": False},
+  {"name": "dir",          "value": (element.dir          | d("/var/lib/redis"))},
+  {"name": "pidfile",      "value": (element.pidfile      | d("/var/run/sentinel-" + element.name + "/redis-sentinel.pid"))},
+  {"name": "logfile",      "value": (element.logfile      | d("/var/log/redis/redis-sentinel-" + element.name + ".log"))},
+  {"name": "unixsocket",   "value": (element.unixsocket   | d("/var/run/sentinel-" + element.name + "/redis-sentinel.sock"))},
+  {"name": "syslog-ident", "value": (element.syslog_ident | d("sentinel-" + element.name))}
+] %}
+{%   set instance_monitors = [] %}
+{%   for monitor in redis_sentinel__combined_monitors | debops.debops.parse_kv_items %}
+{%     if monitor.name | d() and monitor.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%       if ((monitor.instance is defined and monitor.instance == element.name) or monitor.instance is undefined) %}
+{%         set _ = instance_monitors.extend([
+  {"name": ('monitor ' + monitor.name), "value": (monitor.host + ' ' + monitor.port | string + ' ' + monitor.quorum | string), "separator": True},
+  {"name": ('notification-script ' + monitor.name), "value": ('/etc/redis/sentinel-' + element.name + '/notify.sh')},
+  {"name": ('client-reconfig-script ' + monitor.name), "value": ('/etc/redis/sentinel-' + element.name + '/reconfig.sh')}
+]) %}
+{%         if ((monitor.password is defined and monitor.password | bool) or monitor.password is undefined) %}
+{%           set _ = instance_monitors.extend([
+  {"name": ('auth-pass ' + monitor.name), "value": (monitor.password | d(redis_sentinel__auth_password))}
+]) %}
+{%         endif %}
+{%         for key, value in monitor.items() %}
+{%           if key not in [ 'name', 'host', 'id', 'instance', 'state', 'weight', 'separator', 'real_weight', 'port', 'quorum', 'password' ] %}
+{%             set _ = instance_monitors.extend([
+  {"name": (key + ' ' + monitor.name), "value": value}
+]) %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{%   set entry = {
+  "name": element.name,
+  "state": element.state | d('present'),
+  "options": (redis_sentinel__default_base_options + redis_sentinel__base_options + element_options + instance_monitors) | debops.debops.parse_kv_config
+} %}
+{%   if element.port is undefined %}
+{%     set _ = entry.update({'state': "init"}) %}
+{%   endif %}
+{%   if element.systemd_override | d() %}
+{%     set _ = entry.update({'systemd_override': element.systemd_override}) %}
+{%   endif %}
+{%   set _ = output.append(entry) %}
+{% endfor %}
+{{ output | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/redis_server/COPYRIGHT b/ansible_collections/debops/debops/roles/redis_server/COPYRIGHT
new file mode 100644
index 00000000..f2612b7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.redis_server - Manage Redis Server instances using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/redis_server/defaults/main.yml b/ansible_collections/debops/debops/roles/redis_server/defaults/main.yml
new file mode 100644
index 00000000..47387c13
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/defaults/main.yml
@@ -0,0 +1,433 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _redis_server__ref_defaults:
+
+# debops.redis_server default variables
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages, Redis version [[[
+# -------------------------------
+
+# .. envvar:: redis_server__base_packages [[[
+#
+# List of the default APT packages to install for Redis Server support.
+redis_server__base_packages: [ 'redis-server', 'redis-tools' ]
+
+                                                                   # ]]]
+# .. envvar:: redis_server__packages [[[
+#
+# List of additional APT packages to install with Redis Server.
+redis_server__packages: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__version [[[
+#
+# The version of the installed Redis Server. It will be detected via Ansible
+# local facts, installed by the role.
+redis_server__version: '{{ ansible_local.redis_server.version | d("0.0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: redis_server__user [[[
+#
+# Name of the UNIX system account which is used to run the Redis Server.
+redis_server__user: 'redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__group [[[
+#
+# Name of the UNIX system group which is used to run the Redis Server.
+redis_server__group: 'redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__auth_group [[[
+#
+# Name of the UNIX system group which has read-only access to the Redis Server
+# configuration and can be used to retrieve the authentication password by
+# running the :command:`redis-password` script.
+redis_server__auth_group: 'redis-auth'
+                                                                   # ]]]
+                                                                   # ]]]
+# Domain, password authentication [[[
+# -----------------------------------
+
+# .. envvar:: redis_server__domain [[[
+#
+# The DNS domain used in the role to configure Redis and Sentinel parameters,
+# primarily to retrieve the shared password.
+redis_server__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__auth_password [[[
+#
+# The password used for authentication in Redis. The same password is used on
+# all nodes in the Redis/Sentinel cluster to simplify authentication.
+redis_server__auth_password: '{{ ansible_local.redis_server.password
+                                 if (ansible_local.redis_server.password | d())
+                                 else (lookup("password", secret +
+                                       "/redis/clusters/" + redis_server__domain +
+                                       "/password length=" + redis_server__password_length +
+                                       " chars=ascii_letters,digits,-_.")) }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__password_length [[[
+#
+# Length of the generated random passwords. Redis documentation suggests to use
+# long passwords due to speed of the engine making it easy to test short
+# passwords. See: https://redis.io/topics/security
+redis_server__password_length: '256'
+                                                                   # ]]]
+                                                                   # ]]]
+# Memory management [[[
+# ---------------------
+
+# .. envvar:: redis_server__maxmemory_multiplier [[[
+#
+# Specify the base amount of the system memory which will be available to Redis
+# Server instances. By default half of the available memory will be used.
+redis_server__maxmemory_multiplier: '0.5'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__maxmemory_total [[[
+#
+# Calculate the maximum amount of system memory available to Redis Server
+# instances, based on the specified amount of available memory.
+redis_server__maxmemory_total: '{{ (((ansible_memtotal_mb | int * 1024 * 1024)
+                                     * redis_server__maxmemory_multiplier | float) | round | int) }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__maxmemory_instances [[[
+#
+# Set the number of Redis Server instances which will split the available
+# memory equally among themselves. The Redis Server instances defined
+# "manually" via the configuration pipeline are not counted.
+# See :ref:`redis_server__ref_config_pipeline` for more details.
+redis_server__maxmemory_instances: '{{ redis_server__combined_instances
+                                       | debops.debops.parse_kv_items
+                                       | selectattr("state", "equalto", "present")
+                                       | list | count | int }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__maxmemory_shared [[[
+#
+# Calculate the amount of system memory used by each Redis Server instance.
+redis_server__maxmemory_shared: '{{ (redis_server__maxmemory_total | int
+                                     / redis_server__maxmemory_instances | int)
+                                    | round | int }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: redis_server__bind [[[
+#
+# A string or a list of IP addresses on which Redis Server instances should
+# listen for connections. It can be overridden per instance, see
+# :ref:`redis_server__ref_instances` for more details.
+#
+# By default Redis Server instances will listen only on the loopback network
+# interface. To listen for IPv4 and IPv6 connections you can set this variable
+# to ``[ '0.0.0.0', '::' ]``. Ensure that the firewall access is configured
+# properly to avoid security issues.
+redis_server__bind: [ '127.0.0.1', '::1' ]
+
+                                                                   # ]]]
+# .. envvar:: redis_server__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Server instances over the network, on all hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`redis_server__ferm__dependent_rules` variable directly.
+redis_server__allow: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Server instances over the network, on hosts in the specific Ansible
+# inventory group. This variable configures the firewall for all instances at
+# the same time, for individual instance configuration you should modify the
+# :envvar:`redis_server__ferm__dependent_rules` variable directly.
+redis_server__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Redis Server instances over the network, on specific hosts in the Ansible
+# inventory. This variable configures the firewall for all instances at the
+# same time, for individual instance configuration you should modify the
+# :envvar:`redis_server__ferm__dependent_rules` variable directly.
+redis_server__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Server base options [[[
+# -----------------------------
+
+# .. envvar:: redis_server__default_base_options [[[
+#
+# The default set of configuration options, applied to all Redis Server
+# instances. See :ref:`redis_server__ref_configuration` for more details.
+redis_server__default_base_options:
+
+  - name: 'masterauth'
+    value: '{{ redis_server__auth_password }}'
+    state: '{{ "present" if redis_server__auth_password | d() else "ignore" }}'
+
+  - name: 'requirepass'
+    value: '{{ redis_server__auth_password }}'
+    state: '{{ "present" if redis_server__auth_password | d() else "ignore" }}'
+
+  - name: 'always-show-logo'
+    value: False
+    state: '{{ "present"
+               if (redis_server__version is version_compare("4.0.0", ">="))
+               else "ignore" }}'
+
+  - name: 'syslog-enabled'
+    value: True
+
+  - name: 'syslog-facility'
+    value: 'local0'
+
+  - name: 'loglevel'
+    value: 'notice'
+    dynamic: True
+
+  - name: 'slave-read-only'
+    value: True
+    dynamic: True
+
+  - name: 'slave-serve-stale-date'
+    value: True
+    dynamic: True
+
+  - name: 'min-slaves-to-write'
+    value: 0
+    dynamic: True
+
+  - name: 'maxmemory'
+    value: '{{ redis_server__maxmemory_shared }}'
+    dynamic: True
+
+  - name: 'maxmemory-policy'
+    value: 'volatile-lru'
+    dynamic: True
+
+  - name: 'maxmemory-samples'
+    value: 3
+    dynamic: True
+
+  - name: 'save'
+    value: [ '900 1', '300 10', '60 10000' ]
+    dynamic: True
+
+  # This parameter should be synchronized with the 'net.core.somaxconn' sysctl
+  # parameter of the host
+  - name: 'tcp-backlog'
+    value: 128
+
+                                                                   # ]]]
+# .. envvar:: redis_server__base_options [[[
+#
+# An additional set of the configuration options, applied to all Redis Server
+# instances. See :ref:`redis_server__ref_configuration` for more details.
+redis_server__base_options: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Server instances [[[
+# --------------------------
+
+# These variables define what Redis Server instances are present on the host.
+# See :ref:`redis_server__ref_instances` for more details.
+
+# .. envvar:: redis_server__default_instances [[[
+#
+# The list of the Redis Server instances defined by default by the role.
+redis_server__default_instances:
+
+  - name: 'main'
+    port: '6379'
+    pidfile: '/var/run/redis/redis-server.pid'
+    unixsocket: '/var/run/redis/redis-server.sock'
+    systemd_override: |
+      [Service]
+      PIDFile=/var/run/redis/redis-server.pid
+      RuntimeDirectory=redis
+      ReadWriteDirectories=-/var/run/redis
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__instances [[[
+#
+# List of the Redis Server instances defined on all hosts in the Ansible
+# inventory.
+redis_server__instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__group_instances [[[
+#
+# List of the Redis Server instances defined on hosts in a specific Ansible
+# inventory group.
+redis_server__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__host_instances [[[
+#
+# List of the Redis Server instances defined on specific hosts in the Ansible
+# inventory.
+redis_server__host_instances: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__combined_instances [[[
+#
+# Variable which combines all of the defined Redis Server instance lists and is
+# used in the role tasks and templates.
+redis_server__combined_instances: '{{ redis_server__default_instances
+                                      + redis_server__instances
+                                      + redis_server__group_instances
+                                      + redis_server__host_instances }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis Server configuration options [[[
+# --------------------------------------
+
+# These variables define the configuration used by the
+# :ref:`debops.redis_server` Ansible role to manage the Redis Server instances.
+# See :ref:`redis_server__ref_configuration` for more details.
+
+# .. envvar:: redis_server__default_configuration [[[
+#
+# The default Redis Server configuration, generated automatically, based on the
+# defined Redis Server instances.
+redis_server__default_configuration: '{{ lookup("template", "lookup/redis_server__filtered_instances.j2")
+                                         | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__configuration [[[
+#
+# The Redis Server configuration options defined for all hosts in the Ansible
+# inventory.
+redis_server__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__group_configuration [[[
+#
+# The Redis Server configuration options defined for hosts in a specific
+# Ansible inventory group.
+redis_server__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__host_configuration [[[
+#
+# The Redis Server configuration options defined for specific hosts in the
+# Ansible inventory.
+redis_server__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: redis_server__combined_configuration [[[
+#
+# The variable which combines lists with Redis Server configuration options and
+# is used in the role tasks and templates.
+redis_server__combined_configuration: '{{ redis_server__default_configuration
+                                          + redis_server__configuration
+                                          + redis_server__group_configuration
+                                          + redis_server__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: redis_server__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+redis_server__apt_preferences__dependent_list:
+
+  - packages: [ 'redis', 'redis-*' ]
+    backports: [ 'stretch' ]
+    by_role: 'debops.redis_server'
+    reason: 'Support for multiple Redis instances, compatibility with newer Debian releases'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+redis_server__etc_services__dependent_list:
+
+  - name: 'redis-server'
+    port: '6379'
+    comment: 'Redis Server'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+redis_server__python__dependent_packages3:
+
+  - 'python3-redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+redis_server__python__dependent_packages2:
+
+  - 'python-redis'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+redis_server__ferm__dependent_rules:
+
+  - name: 'redis_server'
+    type: 'accept'
+    dport: '{{ redis_server__env_ports }}'
+    saddr: '{{ redis_server__allow + redis_server__group_allow + redis_server__host_allow }}'
+    weight: '40'
+    accept_any: False
+    multiport: True
+    by_role: 'debops.redis_server'
+
+                                                                   # ]]]
+# .. envvar:: redis_server__sysctl__dependent_parameters [[[
+#
+# Configuration for the :ref:`debops.sysctl` Ansible role.
+redis_server__sysctl__dependent_parameters:
+
+  - name: 'redis-server'
+    weight: 80
+    options:
+
+      - name: 'vm.overcommit_memory'
+        comment: |
+          Required to allow background saving of the Redis database without
+          issues. Ref: https://redis.io/topics/faq
+        value: 1
+
+                                                                   # ]]]
+# .. envvar:: redis_server__sysfs__dependent_attributes [[[
+#
+# Configuration for the :ref:`debops.sysfs` Ansible role.
+redis_server__sysfs__dependent_attributes:
+
+  - role: 'redis_server'
+    config:
+      - name: 'transparent_hugepages'
+        state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/redis_server/files/usr/local/bin/redis-password b/ansible_collections/debops/debops/roles/redis_server/files/usr/local/bin/redis-password
new file mode 100755
index 00000000..1d632861
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/files/usr/local/bin/redis-password
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Return Redis password on the standard output
+
+# Usage:
+#
+#     redis-password [instance] [config file]
+#
+#     redis-cli -a $(redis-password)
+#
+# If instance is not specified, "main" is used by default
+
+
+set -o nounset -o pipefail -o errexit
+
+redis_instance="${1:-main}"
+redis_conf="${2:-/etc/redis/${redis_instance}/redis.conf}"
+
+if [ -r "${redis_conf}" ] ; then
+    grep -E '^masterauth' "${redis_conf}" | awk '{print $2}' | sed -e 's/^"//' -e 's/"$//'
+else
+    exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/redis_server/meta/main.yml b/ansible_collections/debops/debops/roles/redis_server/meta/main.yml
new file mode 100644
index 00000000..a4bf6c2e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure Redis Server instances'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - redis
diff --git a/ansible_collections/debops/debops/roles/redis_server/tasks/main.yml b/ansible_collections/debops/debops/roles/redis_server/tasks/main.yml
new file mode 100644
index 00000000..1b5bcf07
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/tasks/main.yml
@@ -0,0 +1,248 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install Redis Server packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (redis_server__base_packages
+                              + redis_server__packages)) }}'
+    state: 'present'
+  register: redis_server__register_packages
+  until: redis_server__register_packages is succeeded
+
+- name: Ensure that standalone Redis Server is stopped on install
+  ansible.builtin.systemd:
+    name: 'redis-server.service'
+    state: 'stopped'
+  when: ((ansible_local is undefined or
+          ansible_local.redis_server is undefined) and
+         ansible_service_mgr == 'systemd')
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Setup Redis local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/redis_server.fact.j2'
+    dest: '/etc/ansible/facts.d/redis_server.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Install custom Redis scripts
+  ansible.builtin.copy:
+    src: 'usr/local/bin/'
+    dest: '/usr/local/bin/'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create Redis auth UNIX group
+  ansible.builtin.group:
+    name: '{{ redis_server__auth_group }}'
+    state: 'present'
+    system: True
+
+- name: Create Redis instance directories
+  ansible.builtin.file:
+    path: '/etc/redis/{{ item.name }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Install the original Redis config file to instance
+  ansible.builtin.command: 'install -o {{ redis_server__user }} -g {{ redis_server__auth_group }} -m 0640
+            /etc/redis/redis.conf /etc/redis/{{ item.name }}/redis.conf'
+  args:
+    creates: '/etc/redis/{{ item.name }}/redis.conf'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate dynamic Redis configuration scripts
+  ansible.builtin.template:
+    src: 'etc/redis/instance/ansible-redis-dynamic.conf.j2'
+    dest: '/etc/redis/{{ item.name }}/ansible-redis-dynamic.conf'
+    owner: 'root'
+    group: '{{ redis_server__group }}'
+    mode: '0750'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore']
+  register: redis_server__register_config_dynamic
+  notify: [ 'Refresh host facts' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate static Redis configuration files
+  ansible.builtin.template:
+    src: 'etc/redis/instance/ansible-redis-static.conf.j2'
+    dest: '/etc/redis/{{ item.name }}/ansible-redis-static.conf'
+    owner: 'root'
+    group: '{{ redis_server__group }}'
+    mode: '0640'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore']
+  register: redis_server__register_config_static
+  notify: [ 'Refresh host facts' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove include line from redis.conf
+  ansible.builtin.lineinfile:  # noqa no-handler
+    dest: '/etc/redis/{{ item.item.name }}/redis.conf'
+    regexp: '^include\s+/etc/redis/{{ item.item.name }}/ansible-redis-static.conf'
+    state: 'absent'
+  with_items: '{{ redis_server__register_config_static.results }}'
+  when: item is changed
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Add include line into redis.conf
+  ansible.builtin.lineinfile:  # noqa no-handler
+    dest: '/etc/redis/{{ item.item.name }}/redis.conf'
+    regexp: '^include\s+/etc/redis/{{ item.item.name }}/ansible-redis-static.conf'
+    line: 'include /etc/redis/{{ item.item.name }}/ansible-redis-static.conf'
+    insertafter: 'EOF'
+    state: 'present'
+    mode: '0640'
+  with_items: '{{ redis_server__register_config_static.results }}'
+  when: not ansible_check_mode | bool and item is changed
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Install custom systemd unit files
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/systemd/system/redis-server@.service'
+    - 'etc/systemd/system/redis-server.service'
+  notify: [ 'Reload service manager' ]
+
+- name: Create systemd override directories for instances
+  ansible.builtin.file:
+    path: '/etc/systemd/system/redis-server@{{ item.name }}.service.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore'] and
+        item.systemd_override | d()
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Generate systemd instance override files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/redis-server@.service.d/ansible-override.conf.j2'
+    dest: '/etc/systemd/system/redis-server@{{ item.name }}.service.d/ansible-override.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') not in ['absent', 'init', 'ignore'] and
+        item.systemd_override | d()
+  notify: [ 'Reload service manager' ]
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Stop Redis instances if requested
+  ansible.builtin.systemd:
+    name: 'redis-server@{{ item.name }}.service'
+    state: 'stopped'
+    enabled: False
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove Redis instance systemd override if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/system/redis-server@{{ item.name }}.service.d'
+    state: 'absent'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  notify: [ 'Reload service manager' ]
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove Redis instance configuration if requested
+  ansible.builtin.file:
+    path: '/etc/redis/{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') == 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Reload systemd configuration when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that Redis instances are started
+  ansible.builtin.systemd:
+    name: 'redis-server@{{ item.name }}.service'
+    state: 'started'
+    enabled: True
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ansible_service_mgr == 'systemd' and item.name | d() and
+        item.state | d('present') not in ['absent', 'init', 'ignore']
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Restart Redis instances if their configuration changed
+  ansible.builtin.systemd:  # noqa no-handler
+    name: 'redis-server@{{ item.item.name }}.service'
+    state: 'restarted'
+  with_items: '{{ redis_server__register_config_static.results }}'
+  when: item is changed
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Apply dynamic configuration to Redis instances
+  ansible.builtin.command: '/etc/redis/{{ item.item.name }}/ansible-redis-dynamic.conf config'  # noqa no-handler
+  with_items: '{{ redis_server__register_config_dynamic.results }}'
+  register: redis_server__register_config_apply
+  changed_when: redis_server__register_config_apply.changed | bool
+  when: item is changed
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Set Redis Server slave status on first install
+  community.general.redis:
+    command: 'slave'
+    master_host: '{{ item.master_host }}'
+    master_port: '{{ item.master_port }}'
+    login_port: '{{ item.port }}'
+    login_password: '{{ item.requirepass | d(omit) }}'
+  with_items: '{{ redis_server__combined_configuration | debops.debops.parse_kv_items }}'
+  when: ((ansible_local is undefined or
+          (ansible_local.redis_server is undefined or
+           (ansible_local.redis_server.instances is undefined or
+            (item.name not in
+             (ansible_local.redis_server.instances
+              | selectattr('name', 'defined') | list
+              | map(attribute='name') | list))))) and
+         item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         item.master_host | d() and item.master_port | d())
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/redis_server/tasks/main_env.yml b/ansible_collections/debops/debops/roles/redis_server/tasks/main_env.yml
new file mode 100644
index 00000000..00e64d40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare Redis role environment
+  ansible.builtin.set_fact:
+    redis_server__env_ports: '{{ lookup("template", "lookup/redis_server__env_ports.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/ansible/facts.d/redis_server.fact.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/ansible/facts.d/redis_server.fact.j2
new file mode 100644
index 00000000..55c5e3ab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/ansible/facts.d/redis_server.fact.j2
@@ -0,0 +1,115 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+from operator import itemgetter
+import subprocess
+import signal
+import os
+import redis
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def unwrap_quotes(input_line):
+    out = input_line.split(' ')[1].rstrip('\n')
+    if out.startswith('"') and out.endswith('"'):
+        out = out[1:-1]
+    return out
+
+
+def get_immediate_subdirectories(a_dir):
+    return [name for name in os.listdir(a_dir)
+            if os.path.isdir(os.path.join(a_dir, name))]
+
+
+output = {}
+
+output['auth_group'] = '{{ redis_server__auth_group }}'
+
+output['installed'] = cmd_exists('redis-server')
+
+if output['installed']:
+    try:
+        redis_server_version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "redis-server"]).decode('utf-8').split('-')[0]
+        output['version'] = redis_server_version_stdout.split(':')[1]
+
+    except Exception:
+        pass
+
+    redis_instances = []
+
+    try:
+        for directory in get_immediate_subdirectories('/etc/redis'):
+            instance = {'name': directory}
+            if os.path.isfile('/etc/redis/' + directory + '/redis.conf'):
+                for config_file in ['/etc/redis/' + directory
+                                    + '/redis.conf',
+                                    '/etc/redis/' + directory
+                                    + '/ansible-redis-static.conf']:
+                    try:
+                        with open(config_file) as fh:
+                            for line in fh:
+                                if line.startswith('bind'):
+                                    instance['bind'] = unwrap_quotes(line)
+
+                                if line.startswith('port'):
+                                    instance['port'] = unwrap_quotes(line)
+
+                                elif line.startswith('unixsocket'):
+                                    instance['socket'] = unwrap_quotes(line)
+
+                                elif line.startswith('masterauth'):
+                                    instance['password'] = unwrap_quotes(line)
+
+                        if 'password' not in instance:
+                            instance['password'] = None
+
+                        try:
+                            r = redis.StrictRedis(
+                                    host=instance['bind'],
+                                    port=instance['port'],
+                                    password=instance['password'])
+                            instance['role'] = str(r.info()['role'])
+                            instance['redis_mode'] = (
+                                    str(r.info()['redis_mode']))
+                            if instance['role'] == 'slave':
+                                instance['master_host'] = (
+                                        str(r.info()['master_host']))
+                                instance['master_port'] = (
+                                        str(r.info()['master_port']))
+                        except Exception:
+                            pass
+
+                    except Exception:
+                        pass
+
+                redis_instances.append(instance)
+                if instance['name'] == 'main':
+                    output['bind'] = instance['bind']
+                    output['port'] = instance['port']
+                    output['password'] = instance['password']
+                    output['socket'] = instance['socket']
+
+        output['instances'] = sorted(redis_instances, key=itemgetter('port'))
+
+    except Exception:
+        pass
+
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-dynamic.conf.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-dynamic.conf.j2
new file mode 100644
index 00000000..15f8e82b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-dynamic.conf.j2
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Configure certain Redis server parameters dynamically.
+
+
+set -o nounset -o pipefail -o errexit
+
+# A workaround to have Jinja template in a shell script
+readarray -t redis_dynamic_config_map << EOF
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] and (element.dynamic | d()) | bool %}
+{%       if element.value is string and not element.value | bool %}
+{{ '{}={}'.format(element.name, element.value) }}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{{ '{}={}'.format(element.name, element.value) }}
+{%         else %}
+{{ '{}={}'.format(element.name, 'yes') }}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{{ '{}={}'.format(element.name, element.value) }}
+{%           else %}
+{%             if element.value | string == '0' %}
+{{ '{}={}'.format(element.name, element.value) }}
+{%             else %}
+{{ '{}={}'.format(element.name, 'no') }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       elif element.value is iterable and element.value is not string and element.value is not mapping %}
+{{ '{}={}'.format(element.name, element.value | selectattr("state", "equalto", "present") | map(attribute='name') | list | join(' ')) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+EOF
+
+declare -A dynamic_config
+
+if [[ "${redis_dynamic_config_map[*]}" ]] ; then
+    for line in "${redis_dynamic_config_map[@]}" ; do
+        key=${line%%=*}
+        value=${line#*=}
+        dynamic_config["${key}"]="${value}"
+    done
+fi
+
+subcommand="${1:-config}"
+
+redis_instance="{{ item.name }}"
+redis_host="localhost"
+
+redis_conf_port="$(grep --no-filename -E '^port\s+' "/etc/redis/${redis_instance}/redis.conf" "/etc/redis/${redis_instance}/ansible-redis-static.conf" || true)"
+redis_conf_password="$(grep --no-filename -E '^requirepass\s+' "/etc/redis/${redis_instance}/redis.conf" "/etc/redis/${redis_instance}/ansible-redis-static.conf" || true)"
+redis_conf_pidfile="$(grep --no-filename -E '^pidfile\s+' "/etc/redis/${redis_instance}/redis.conf" "/etc/redis/${redis_instance}/ansible-redis-static.conf" || true)"
+
+redis_port="$(echo "${redis_conf_port}" | tail -n 1 | awk '{print $2}')"
+redis_password="$(echo "${redis_conf_password}" | tail -n 1 | awk '{print $2}' | sed -e 's/^"//'  -e 's/"$//')"
+redis_pidfile="$(echo "${redis_conf_pidfile}" | tail -n 1 | awk '{print $2}' | sed -e 's/^"//'  -e 's/"$//')"
+
+redis_options=(-h "${redis_host}" -p "${redis_port}")
+
+if [ -n "${redis_password}" ] ; then
+    redis_options+=(-a "${redis_password}")
+fi
+
+if [ -f "${redis_pidfile}" ] ; then
+    if kill -0 "$(<"${redis_pidfile}")" > /dev/null 2>&1 ; then
+
+        if [ "${subcommand}" = "config" ]  ; then
+            for index in "${!dynamic_config[@]}" ; do
+                redis-cli "${redis_options[@]}" config set "${index}" "${dynamic_config[${index}]}"
+            done
+        fi
+
+        if [ "${subcommand}" = "config" ] || [ "${subcommand}" = "rewrite" ] ; then
+            redis-cli "${redis_options[@]}" config rewrite
+        fi
+
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-static.conf.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-static.conf.j2
new file mode 100644
index 00000000..e05d5f65
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/redis/instance/ansible-redis-static.conf.j2
@@ -0,0 +1,41 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] and not (element.dynamic | d()) | bool %}
+{%       if element.value is string and not element.value | bool %}
+{{ '{} {}'.format(element.name, element.value) }}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{{ '{} {}'.format(element.name, element.value) }}
+{%         else %}
+{{ '{} {}'.format(element.name, 'yes') }}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{{ '{} {}'.format(element.name, element.value) }}
+{%           else %}
+{%             if element.value | string == '0' %}
+{{ '{} {}'.format(element.name, element.value) }}
+{%             else %}
+{{ '{} {}'.format(element.name, 'no') }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       elif element.value is iterable and element.value is not string and element.value is not mapping %}
+{%         if (element.multiple | d(True)) | bool %}
+{%           for thing in (element.value | map(attribute='name') | list) %}
+{{ '{} {}'.format(element.name, thing) }}
+{%           endfor %}
+{%         else %}
+{{ '{} {}'.format(element.name, element.value | map(attribute='name') | list | join(' ')) }}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server.service.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server.service.j2
new file mode 100644
index 00000000..a2afd6ca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server.service.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Advanced key-value store
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecReload=/bin/true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+Alias=redis.service
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.d/ansible-override.conf.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.d/ansible-override.conf.j2
new file mode 100644
index 00000000..4a1a4f61
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.d/ansible-override.conf.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ item.systemd_override | regex_replace('$\n', '') }}
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.j2
new file mode 100644
index 00000000..77e40725
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/etc/systemd/system/redis-server@.service.j2
@@ -0,0 +1,60 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Redis - advanced key-value store (%I)
+After=network.target
+Documentation=http://redis.io/documentation, man:redis-server(1)
+ConditionPathExists=/etc/redis/%I/redis.conf
+PartOf=redis-server.service
+ReloadPropagatedFrom=redis-server.service
+Before=redis-server.service
+
+[Service]
+Type=forking
+Slice=system-redis-server.slice
+ExecStart=/usr/bin/redis-server /etc/redis/%i/redis.conf
+ExecStop=/bin/kill -s TERM $MAINPID
+PIDFile=/var/run/redis-%i/redis-server.pid
+TimeoutStopSec=0
+Restart=always
+User=redis
+Group=redis
+RuntimeDirectory=redis-%i
+RuntimeDirectoryMode=755
+
+# Disable OOM killer for Redis Server process
+OOMScoreAdjust=-1000
+
+UMask=007
+PrivateTmp=yes
+LimitNOFILE=65535
+PrivateDevices=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/redis
+ReadWriteDirectories=-/var/log/redis
+ReadWriteDirectories=-/var/run/redis-%i
+
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
+MemoryDenyWriteExecute=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# redis-server can write to its own config file when in cluster mode so we
+# permit writing there by default. If you are not using this feature, it is
+# recommended that you replace the following lines with "ProtectSystem=full".
+ProtectSystem=true
+ReadWriteDirectories=-/etc/redis
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=redis-server.service
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__env_ports.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__env_ports.j2
new file mode 100644
index 00000000..6275e2ec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__env_ports.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{%   for element in redis_server__combined_configuration | debops.debops.parse_kv_items %}
+{%     if element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.options | d() %}
+{%       for option in element.options %}
+{%         if option.name == 'port' and option.value | d() %}
+{%           set _ = output.append(option.value) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{{ output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__filtered_instances.j2 b/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__filtered_instances.j2
new file mode 100644
index 00000000..1c2aad7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/redis_server/templates/lookup/redis_server__filtered_instances.j2
@@ -0,0 +1,34 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{% for element in redis_server__combined_instances | debops.debops.parse_kv_items %}
+{%   set element_options = [
+  {"name": "port",         "value": element.port},
+  {"name": "bind",         "value": (element.bind         | d(redis_server__bind)), "multiple": False},
+  {"name": "dbfilename",   "value": (element.dbfilename   | d("dump-" + element.name + ".rdb"))},
+  {"name": "pidfile",      "value": (element.pidfile      | d("/var/run/redis-" + element.name + "/redis-server.pid"))},
+  {"name": "logfile",      "value": (element.logfile      | d("/var/log/redis/redis-server-" + element.name + ".log"))},
+  {"name": "unixsocket",   "value": (element.unixsocket   | d("/var/run/redis-" + element.name + "/redis-server.sock"))},
+  {"name": "syslog-ident", "value": (element.syslog_ident | d("redis-" + element.name))}
+] %}
+{%   set entry = {
+  "name": element.name,
+  "state": element.state | d('present'),
+  "requirepass": (element.requirepass | d(redis_server__auth_password)),
+  "port": element.port,
+  "options": (redis_server__default_base_options + redis_server__base_options + element_options) | debops.debops.parse_kv_config
+} %}
+{%   if element.port is undefined %}
+{%     set _ = entry.update({'state': "init"}) %}
+{%   endif %}
+{%   if element.systemd_override | d() %}
+{%     set _ = entry.update({'systemd_override': element.systemd_override}) %}
+{%   endif %}
+{%   if element.master_host | d() and element.master_port | d() %}
+{%     set _ = entry.update({'master_host': element.master_host, 'master_port': element.master_port}) %}
+{%   endif %}
+{%   set _ = output.append(entry) %}
+{% endfor %}
+{{ output | to_nice_yaml }}
diff --git a/ansible_collections/debops/debops/roles/reprepro/COPYRIGHT b/ansible_collections/debops/debops/roles/reprepro/COPYRIGHT
new file mode 100644
index 00000000..725d6b89
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.reprepro - Manage local APT repositories using Ansible
+
+Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/reprepro/defaults/main.yml b/ansible_collections/debops/debops/roles/reprepro/defaults/main.yml
new file mode 100644
index 00000000..3fac0814
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/defaults/main.yml
@@ -0,0 +1,388 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _reprepro__ref_defaults:
+
+# debops.reprepro default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: reprepro__base_packages [[[
+#
+# The list of default APT packages to install for repository management.
+reprepro__base_packages: [ 'reprepro', 'dpkg-dev' ]
+
+                                                                   # ]]]
+# .. envvar:: reprepro__packages [[[
+#
+# List of additional APT packages to install with :command:`reprepro`.
+reprepro__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: reprepro__user [[[
+#
+# UNIX system account which manages local APT repositories.
+reprepro__user: 'reprepro'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__group [[[
+#
+# UNIX system group which manages local APT repositories.
+reprepro__group: 'reprepro'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__additional_groups [[[
+#
+# List of additional UNIX groups which the :command:`reprepro` account should
+# be a member of.
+reprepro__additional_groups:
+
+  # Allow direct SSH logins for administrators
+  - '{{ ansible_local.system_groups.local_prefix + "sshusers" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__home [[[
+#
+# Path where :command:`reprepro` home directory is stored.
+reprepro__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                    + "/" + reprepro__user }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__comment [[[
+#
+# The GECOS field of the :command:`reprepro` UNIX account.
+reprepro__comment: 'Local APT repositories'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__data_root [[[
+#
+# Path where :command:`reprepro` data files are stored, separated by instances.
+reprepro__data_root: '{{ reprepro__home + "/repositories" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__public_root [[[
+#
+# Path where public contents of the APT repositories are stored, separated by
+# instances.
+reprepro__public_root: '{{ (ansible_local.fhs.www | d("/srv/www"))
+                           + "/reprepro" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__spool_root [[[
+#
+# Path where uploads are stored for the incoming queue, separated by instances.
+reprepro__spool_root: '{{ (ansible_local.fhs.spool | d("/var/spool"))
+                          + "/reprepro" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__admin_sshkeys [[[
+#
+# List of public SSH keys which allow access to the :command:`reprepro` UNIX
+# account via SSH. By default this role will add the SSH keys of the person
+# currently executing the role to the account's SSH keyring.
+reprepro__admin_sshkeys:
+  - '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || cat ~/.ssh/authorized_keys || true") }}'  # noqa jinja[spacing]
+                                                                   # ]]]
+                                                                   # ]]]
+# Global reprepro configuration [[[
+# ---------------------------------
+
+# .. envvar:: reprepro__fqdn [[[
+#
+# The default Fully Qualified Domain Name used in various parts of the
+# configuration.
+reprepro__fqdn: '{{ ansible_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__domain [[[
+#
+# The default DNS domain used in various parts of the configuration.
+reprepro__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__origin [[[
+#
+# The value of the "Origin:" field defined for all APT repositories managed by
+# :command:`reprepro`. This variable needs to be referenced in the
+# :file:`conf/distributions` configuration to be effective.
+reprepro__origin: '{{ ansible_local.machine.organization
+                      | d(reprepro__domain.split(".")[0] | capitalize) }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__mail_from [[[
+#
+# The default e-mail sender address for e-mails sent on each repository change.
+reprepro__mail_from: '{{ reprepro__user + "@" + reprepro__fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__mail_to [[[
+#
+# The default e-mail recipient for e-mails sent on each repository change.
+reprepro__mail_to: '{{ "root@" + reprepro__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__max_body_size [[[
+#
+# Maximum size of a single upload to the incoming queue.
+reprepro__max_body_size: '50M'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__auth_realm [[[
+#
+# The default realm string used when access controls are enabled in a given APT
+# repository.
+reprepro__auth_realm: 'Access to this APT repository is restricted'
+                                                                   # ]]]
+                                                                   # ]]]
+# GnuPG environment [[[
+# ---------------------
+
+# .. envvar:: reprepro__gpg_snapshot_name [[[
+#
+# Name of the snapshot file which contains :command:`reprepro` GnuPG snapshot.
+# It will be backed up on Ansible Controller.
+reprepro__gpg_snapshot_name: 'gnupg.tar'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_snapshot_path [[[
+#
+# Directory on Ansible Controller where :command:`reprepro` GnuPG snapshot will
+# be archived.
+reprepro__gpg_snapshot_path: '{{ secret + "/reprepro/snapshots/" + inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_key_type [[[
+#
+# Settings for GPG key used to sign :command:`reprepro` repositories.
+reprepro__gpg_key_type: 'RSA'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_key_length [[[
+#
+# Length of the GPG key used by :command:`reprepro`.
+reprepro__gpg_key_length: '4096'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_name [[[
+#
+# String used as the name of the GPG key used to sign :command:`reprepro` APT
+# repositories.
+reprepro__gpg_name: '{{ reprepro__origin + " Automatic Signing Key" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_email [[[
+#
+# E-mail address of the GPG key used to sign :command:`reprepro` APT
+# repositories.
+reprepro__gpg_email: '{{ "apt-packages@" + reprepro__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_expire_days [[[
+#
+# Duration in days after which the GPG keys for the APT repositories will
+# expire (default: 10 years).
+reprepro__gpg_expire_days: '{{ (365 * 10) }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_public_filename [[[
+#
+# Filename of the GPG public key published in the root of the APT repositories
+# managed by :ref:`debops.reprepro` role.
+reprepro__gpg_public_filename: '{{ reprepro__domain + ".asc" }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__gpg_uploaders_keys [[[
+#
+# List of GPG fingerprints of people or services that are allowed to upload
+# packages to APT repositories managed by :command:`reprepro`. They will be
+# added to the UNIX account by the :ref:`debops.keyring` role. See its
+# documentation for more details.
+reprepro__gpg_uploaders_keys: []
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Local APT repository instances [[[
+# ----------------------------------
+
+# The variables below define list of APT repository instances managed by
+# :ref:`debops.reprepro` role. See :ref:`reprepro__ref_instances` documentation
+# for more details.
+
+# .. envvar:: reprepro__default_instances [[[
+#
+# List of default APT repository instances managed by :ref:`debops.reprepro`.
+reprepro__default_instances:
+
+  - name: 'main'
+    fqdn: '{{ reprepro__fqdn }}'
+
+    incoming:
+
+      - name: 'incoming'
+        Allow:
+          - 'forky'
+          - 'testing>forky'
+          - 'trixie'
+          - 'stable>trixie'
+          - 'bookworm'
+          - 'oldstable>bookworm'
+          - 'bullseye'
+          - 'oldoldstable>bullseye'
+        Options:
+          - 'multiple_distributions'
+        Cleanup:
+          - 'on_deny'
+          - 'on_error'
+
+    distributions:
+
+      - name: 'forky'
+        Description: 'Packages for Debian GNU/Linux 14 (Forky)'
+        Origin: '{{ reprepro__origin }}'
+        Codename: 'forky'
+        Suite: 'testing'
+        Architectures: [ 'source', 'amd64', 'arm64', 'armhf',
+                         'ppc64el', 'riscv64', 's390x' ]
+        Components: [ 'main', 'contrib', 'non-free', 'non-free-firmware' ]
+        Uploaders: 'uploaders/anybody'
+        SignWith: 'default'
+        DebIndices: [ 'Packages', 'Release', '.', '.gz', '.xz' ]
+        DscIndices: [ 'Sources', 'Release', '.gz', '.xz' ]
+        Log: |
+          packages.forky.log
+          --type=dsc email-changes.sh
+        state: 'present'
+
+      - name: 'trixie'
+        Description: 'Packages for Debian GNU/Linux 13 (Trixie)'
+        Origin: '{{ reprepro__origin }}'
+        Codename: 'trixie'
+        Suite: 'stable'
+        Architectures: [ 'source', 'amd64', 'arm64', 'armel', 'armhf',
+                         'ppc64el', 'riscv64', 's390x' ]
+        Components: [ 'main', 'contrib', 'non-free', 'non-free-firmware' ]
+        Uploaders: 'uploaders/anybody'
+        SignWith: 'default'
+        DebIndices: [ 'Packages', 'Release', '.', '.gz', '.xz' ]
+        DscIndices: [ 'Sources', 'Release', '.gz', '.xz' ]
+        Log: |
+          packages.trixie.log
+          --type=dsc email-changes.sh
+        state: 'present'
+
+      - name: 'bookworm'
+        Description: 'Packages for Debian GNU/Linux 12 (Bookworm)'
+        Origin: '{{ reprepro__origin }}'
+        Codename: 'bookworm'
+        Suite: 'oldstable'
+        Architectures: [ 'source', 'amd64', 'arm64', 'armel', 'armhf', 'i386',
+                         'mips64el', 'mipsel', 'ppc64el', 'riscv64', 's390x' ]
+        Components: [ 'main', 'contrib', 'non-free', 'non-free-firmware' ]
+        Uploaders: 'uploaders/anybody'
+        SignWith: 'default'
+        DebIndices: [ 'Packages', 'Release', '.', '.gz', '.xz' ]
+        DscIndices: [ 'Sources', 'Release', '.gz', '.xz' ]
+        Log: |
+          packages.bookworm.log
+          --type=dsc email-changes.sh
+        state: 'present'
+
+      - name: 'bullseye'
+        Description: 'Packages for Debian GNU/Linux 11 (Bullseye)'
+        Origin: '{{ reprepro__origin }}'
+        Codename: 'bullseye'
+        Suite: 'oldoldstable'
+        Architectures: [ 'source', 'amd64', 'arm64', 'armel', 'armhf', 'i386',
+                         'mips64el', 'mipsel', 'ppc64el', 's390x' ]
+        Components: [ 'main', 'contrib', 'non-free' ]
+        Uploaders: 'uploaders/anybody'
+        SignWith: 'default'
+        DebIndices: [ 'Packages', 'Release', '.', '.gz', '.xz' ]
+        DscIndices: [ 'Sources', 'Release', '.gz', '.xz' ]
+        Log: |
+          packages.bullseye.log
+          --type=dsc email-changes.sh
+        state: 'present'
+
+    uploaders:
+
+      - name: 'anybody'
+        raw: |
+          allow * by any key
+        state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__instances [[[
+#
+# List of APT repository instances that should be created on all hosts in the
+# Ansible inventory.
+reprepro__instances: []
+
+                                                                   # ]]]
+# .. envvar:: reprepro__group_instances [[[
+#
+# List of APT repository instances that should be created on hosts in
+# a specific Ansible inventory group.
+reprepro__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: reprepro__host_instances [[[
+#
+# List of APT repository instances that should be created on specific hosts in
+# the Ansible inventory.
+reprepro__host_instances: []
+
+                                                                   # ]]]
+# .. envvar:: reprepro__combined_instances [[[
+#
+# Variable which combines all APT repository instances and is used in role
+# tasks and templates.
+reprepro__combined_instances: '{{ reprepro__default_instances
+                                     + reprepro__instances
+                                     + reprepro__group_instances
+                                     + reprepro__host_instances }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: reprepro__keyring__dependent_gpg_user [[[
+#
+# UNIX account which will contain GPG keys managed by the :ref:`debops.keyring`
+# Ansible role.
+reprepro__keyring__dependent_gpg_user: '{{ reprepro__user }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__keyring__dependent_gpg_keys [[[
+#
+# List of GPG keys managed by the :ref:`debops.keyring` Ansible role.
+reprepro__keyring__dependent_gpg_keys:
+
+  - user: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    home: '{{ reprepro__home }}'
+
+  - '{{ q("flattened", reprepro__gpg_uploaders_keys) }}'
+
+                                                                   # ]]]
+# .. envvar:: reprepro__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+reprepro__nginx__dependent_servers: '{{ reprepro__env_nginx_servers }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/reprepro/meta/main.yml b/ansible_collections/debops/debops/roles/reprepro/meta/main.yml
new file mode 100644
index 00000000..3f08b630
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage local APT repositories with reprepro'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - packaging
+    - apt
+    - repository
diff --git a/ansible_collections/debops/debops/roles/reprepro/tasks/configure_gnupg.yml b/ansible_collections/debops/debops/roles/reprepro/tasks/configure_gnupg.yml
new file mode 100644
index 00000000..adea0fe7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/tasks/configure_gnupg.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Check if GnuPG directory exists
+  ansible.builtin.stat:
+    path: '{{ reprepro__home + "/.gnupg/gpg.conf" }}'
+  register: reprepro__register_gpg
+
+- name: Check if GnuPG snapshot exists on Ansible Controller
+  ansible.builtin.stat:
+    path: '{{ reprepro__gpg_snapshot_path + "/" + reprepro__gpg_snapshot_name }}'
+  register: reprepro__register_gpg_snapshot
+  delegate_to: 'localhost'
+  become: False
+
+- name: Restore GnuPG snapshots
+  ansible.builtin.unarchive:
+    src: '{{ reprepro__gpg_snapshot_path + "/" + reprepro__gpg_snapshot_name }}'
+    dest: '{{ reprepro__home }}'
+    mode: 'u=rwX,g=,o='
+  when: reprepro__register_gpg_snapshot.stat.exists and
+        not reprepro__register_gpg.stat.exists
+
+- name: Ensure that ~/.gnupg directory exists
+  ansible.builtin.file:
+    path: '{{ reprepro__home + "/.gnupg" }}'
+    state: 'directory'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0700'
+
+- name: Configure reprepro GnuPG instance
+  ansible.builtin.template:
+    src: 'home/reprepro/gnupg/gpg.conf.j2'
+    dest: '{{ reprepro__home + "/.gnupg/gpg.conf" }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0644'
+
+- name: Check if private keys are present
+  ansible.builtin.find:
+    paths: '{{ reprepro__home + "/.gnupg/private-keys-v1.d/" }}'
+  register: reprepro__register_private_keys
+
+- name: Create repository key template
+  ansible.builtin.template:
+    src: 'home/reprepro/gnupg-key-template.j2'
+    dest: '{{ reprepro__home + "/.gnupg-key-template" }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0644'
+  when: reprepro__register_private_keys.matched == 0
+
+- name: Generate automatic signing key
+  ansible.builtin.command: 'gpg --batch --gen-key .gnupg-key-template'
+  args:
+    chdir: '{{ reprepro__home }}'
+  register: reprepro__register_keygen
+  changed_when: reprepro__register_keygen.changed | bool
+  become: True
+  become_user: '{{ reprepro__user }}'
+  when: reprepro__register_private_keys.matched == 0
+
+- name: Archive ~/.gnupg directory
+  community.general.archive:
+    path: '{{ reprepro__home + "/.gnupg" }}'
+    dest: '{{ reprepro__home + "/" + reprepro__gpg_snapshot_name }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0600'
+  register: reprepro__register_gpg_archive
+
+- name: Upload ~/.gnupg archive to Ansible Controller
+  ansible.builtin.fetch:  # noqa no-handler
+    src: '{{ reprepro__home + "/" + reprepro__gpg_snapshot_name }}'
+    dest: '{{ reprepro__gpg_snapshot_path + "/" + reprepro__gpg_snapshot_name }}'
+    flat: True
+  when: reprepro__register_gpg_archive is changed
+
+- name: Remove old automatic signing key
+  ansible.builtin.file:  # noqa no-handler
+    path: '{{ reprepro__home + "/" + reprepro__gpg_public_filename }}'
+    state: 'absent'
+  when: reprepro__register_keygen is changed
+
+- name: Export automatic signing key
+  ansible.builtin.shell: 'gpg --armor --export "{{ reprepro__gpg_email }}" > "{{ reprepro__home + "/" + reprepro__gpg_public_filename }}"'
+  args:
+    creates: '{{ reprepro__home + "/" + reprepro__gpg_public_filename }}'
+  become: True
+  become_user: '{{ reprepro__user }}'
diff --git a/ansible_collections/debops/debops/roles/reprepro/tasks/configure_reprepro.yml b/ansible_collections/debops/debops/roles/reprepro/tasks/configure_reprepro.yml
new file mode 100644
index 00000000..2d8771c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/tasks/configure_reprepro.yml
@@ -0,0 +1,117 @@
+---
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create reprepro spool directory
+  ansible.builtin.file:
+    path: '{{ reprepro__spool_root + "/" + repo.name }}'
+    state: 'directory'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0755'
+  when: repo.state | d('present') not in ['absent', 'ignore']
+
+- name: Create directory for reprepro uploads
+  ansible.builtin.file:
+    path: '{{ reprepro__spool_root + "/" + repo.name + "/incoming" }}'
+    state: 'directory'
+    owner: '{{ reprepro__user }}'
+    group: 'www-data'
+    mode: '0730'
+  when: repo.state | d('present') not in ['absent', 'ignore']
+
+- name: Create reprepro internal directories
+  ansible.builtin.file:
+    path: '{{ reprepro__data_root + "/" + repo.name + "/" + item }}'
+    state: 'directory'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0755'
+  loop: [ 'conf/uploaders', 'tmp' ]
+  when: repo.state | d('present') not in ['absent', 'ignore']
+
+- name: Create public reprepro repository
+  ansible.builtin.file:
+    path: '{{ reprepro__public_root + "/sites/" + repo.name + "/public" }}'
+    state: 'directory'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0755'
+  when: repo.state | d('present') not in ['absent', 'ignore'] and
+        not repo.outdir | d()
+
+- name: Copy GPG public key to public space
+  ansible.builtin.copy:
+    src: '{{ reprepro__home + "/" + reprepro__gpg_public_filename }}'
+    dest: '{{ reprepro__public_root + "/sites/" + repo.name + "/public/" + reprepro__gpg_public_filename }}'
+    remote_src: True
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0644'
+  when: repo.state | d('present') not in ['absent', 'ignore'] and
+        not repo.outdir | d()
+
+- name: Manage reprepro configuration files
+  ansible.builtin.template:
+    src: 'home/reprepro/repositories/instance/conf/{{ item }}.j2'
+    dest: '{{ reprepro__data_root + "/" + repo.name + "/conf/" + item }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0644'
+  loop: [ 'distributions', 'incoming', 'options', 'pulls', 'updates' ]
+  register: reprepro__register_config
+  when: (repo.state | d('present') not in ['absent', 'ignore'] and
+         (item in repo.keys() or item in ['options']))
+
+- name: Configure uploaders configuration files
+  ansible.builtin.template:
+    src: 'home/reprepro/repositories/instance/conf/uploaders/template.j2'
+    dest: '{{ reprepro__data_root + "/" + repo.name + "/conf/uploaders/" + item.name }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0644'
+  loop: '{{ repo.uploaders }}'
+  register: reprepro__register_uploaders
+  when: repo.state | d('present') not in ['absent', 'ignore'] and 'uploaders' in repo.keys()
+
+- name: Initialize reprepro repositories
+  ansible.builtin.command: 'reprepro export'
+  args:
+    chdir: '{{ reprepro__data_root + "/" + repo.name }}'
+  become: True
+  become_user: '{{ reprepro__user }}'
+  register: reprepro__register_export
+  changed_when: reprepro__register_export.changed | bool
+  when: (repo.state | d('present') not in ['absent', 'ignore'] and repo.distributions | d() and
+         (reprepro__register_config is changed or reprepro__register_uploaders is changed))
+
+- name: Generate symlinks
+  ansible.builtin.command: 'reprepro --delete createsymlinks'
+  args:
+    chdir: '{{ reprepro__data_root + "/" + repo.name }}'
+  become: True
+  become_user: '{{ reprepro__user }}'
+  changed_when: False
+  when: (repo.state | d('present') not in ['absent', 'ignore'] and repo.distributions | d())
+
+- name: Enable incoming queue monitoring
+  ansible.builtin.systemd:
+    name: '{{ "reprepro-incoming@" + repo.name + ".path" }}'
+    state: '{{ "started"
+               if (repo.state | d("present") not in ["absent", "ignore"])
+               else "stopped" }}'
+    enabled: '{{ True
+               if (repo.state | d("present") not in ["absent", "ignore"])
+               else False }}'
+  when: repo.incoming | d()
+
+- name: Manage reprepro scripts
+  ansible.builtin.template:
+    src: 'home/reprepro/repositories/instance/conf/{{ item }}.j2'
+    dest: '{{ reprepro__data_root + "/" + repo.name + "/conf/" + item }}'
+    owner: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    mode: '0755'
+  with_items: [ 'email-changes.sh' ]
+  when: repo.state | d('present') not in ['absent', 'ignore']
diff --git a/ansible_collections/debops/debops/roles/reprepro/tasks/main.yml b/ansible_collections/debops/debops/roles/reprepro/tasks/main.yml
new file mode 100644
index 00000000..bd42986c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install packages for Debian repository management
+  ansible.builtin.package:
+    name: '{{ q("flattened", (reprepro__base_packages + reprepro__packages)) }}'
+    state: 'present'
+  register: reprepro__register_packages
+  until: reprepro__register_packages is succeeded
+
+- name: Create UNIX system group for reprepro
+  ansible.builtin.group:
+    name: '{{ reprepro__group }}'
+    system: True
+    state: 'present'
+
+- name: Create UNIX system account for reprepro
+  ansible.builtin.user:
+    name: '{{ reprepro__user }}'
+    group: '{{ reprepro__group }}'
+    groups: '{{ reprepro__additional_groups }}'
+    append: True
+    system: True
+    shell: '/bin/bash'
+    home: '{{ reprepro__home }}'
+    comment: '{{ reprepro__comment }}'
+    state: 'present'
+
+- name: Add admin SSH keys to reprepro UNIX account
+  ansible.posix.authorized_key:
+    key: "{{ (reprepro__admin_sshkeys
+              if reprepro__admin_sshkeys is string
+              else '\n'.join(q('flattened', reprepro__admin_sshkeys))) | string }}"
+    state: 'present'
+    user: '{{ reprepro__user }}'
+    exclusive: False
+  when: reprepro__admin_sshkeys | d()
+
+- name: Generate queue processing services
+  ansible.builtin.template:
+    src: '{{ "etc/systemd/system/" + item + ".j2" }}'
+    dest: '{{ "/etc/systemd/system/" + item }}'
+    mode: '0644'
+  loop:
+    - 'reprepro-incoming@.service'
+    - 'reprepro-incoming@.path'
+  notify: [ 'Reload systemd daemon' ]
+  when: ansible_service_mgr == 'systemd'
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage the GnuPG environment for reprepro
+  ansible.builtin.import_tasks: 'configure_gnupg.yml'
+
+- name: Manage reprepro instances
+  ansible.builtin.include_tasks: 'configure_reprepro.yml'
+  loop_control:
+    loop_var: 'repo'
+    label: '{{ {"name": repo.name, "state": repo.state | d("present"),
+                "outdir": (repo.outdir | d(reprepro__public_root + "/sites/" + repo.name + "/public"))} }}'
+  loop: '{{ q("flattened", reprepro__combined_instances)
+            | debops.debops.parse_kv_items(merge_keys=["distributions", "incoming", "pulls", "updates"]) }}'
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Generate reprepro Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/reprepro.fact.j2'
+    dest: '/etc/ansible/facts.d/reprepro.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Refresh host facts when needed
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/reprepro/tasks/main_env.yml b/ansible_collections/debops/debops/roles/reprepro/tasks/main_env.yml
new file mode 100644
index 00000000..32b1ef29
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/tasks/main_env.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare reprepro environment
+  ansible.builtin.set_fact:
+    reprepro__env_nginx_servers: '{{ lookup("template", "lookup/reprepro__env_nginx_servers.j2") | from_yaml }}'
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/etc/ansible/facts.d/reprepro.fact.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/etc/ansible/facts.d/reprepro.fact.j2
new file mode 100644
index 00000000..1c3b0575
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/etc/ansible/facts.d/reprepro.fact.j2
@@ -0,0 +1,26 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'configured': True,
+          'installed': cmd_exists('reprepro')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.path.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.path.j2
new file mode 100644
index 00000000..0cd7c988
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.path.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Icoming queue monitor for reprepro %i instance
+After=syslog.target network-online.target
+Wants=network.target
+
+[Path]
+PathExistsGlob={{ reprepro__spool_root + '/%i/incoming/*.changes' }}
+Unit=reprepro-incoming@%i.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.service.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.service.j2
new file mode 100644
index 00000000..7dc08f85
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/etc/systemd/system/reprepro-incoming@.service.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Unit]
+Description=Icoming queue processor for reprepro %i instance
+After=syslog.target network-online.target
+Wants=network.target
+
+[Service]
+Type=oneshot
+User={{ reprepro__user }}
+Group={{ reprepro__group }}
+WorkingDirectory={{ reprepro__data_root + '/%i' }}
+ExecStart=/usr/bin/reprepro processincoming incoming
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg-key-template.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg-key-template.j2
new file mode 100644
index 00000000..a71512ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg-key-template.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+Key-Type: {{ reprepro__gpg_key_type }}
+Subkey-Type: {{ reprepro__gpg_key_type }}
+Key-Length: {{ reprepro__gpg_key_length }}
+Subkey-Length: {{ reprepro__gpg_key_length }}
+Name-Real: {{ reprepro__gpg_name }}
+Name-Email: {{ reprepro__gpg_email }}
+Expire-Date: {{ reprepro__gpg_expire_days }}
+%no-ask-passphrase
+%no-protection
+%commit
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg/gpg.conf.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg/gpg.conf.j2
new file mode 100644
index 00000000..250bf215
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/gnupg/gpg.conf.j2
@@ -0,0 +1,33 @@
+{# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set digest_preference = 'SHA512 SHA384 SHA256 SHA224' %}
+# This file is managed remotely, all changes will be lost
+
+# GPG Configuration Options
+default-recipient-self
+list-options show-uid-validity show-keyserver-urls
+verify-options show-uid-validity
+display-charset utf-8
+utf8-strings
+trust-model pgp
+ask-cert-level
+default-cert-level 0
+keyid-format 0xlong
+no-greeting
+
+# GPG Input/Output Options
+armor
+fixed-list-mode
+
+# OpenPGP Options
+personal-digest-preferences {{ digest_preference }}
+
+# GPG Esoteric Options
+default-preference-list {{ digest_preference }} AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+cert-digest-algo SHA512
+no-comments
+no-emit-version
+
+sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/distributions.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/distributions.j2
new file mode 100644
index 00000000..842786a7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/distributions.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ # Format: deb822
+ #}
+# {{ ansible_managed }}
+
+{% if repo.distributions | d() %}
+{%   for section in repo.distributions %}
+{%     if section.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{%       if section.comment | d() %}
+{{         section.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{%       endif %}
+{%       if section.raw | d() %}
+{{         section.raw | regex_replace('\n$', '') }}
+{%       else %}
+{{         'Codename: {}'.format(section.Codename | d(section.name)) }}
+{%         for key, value in section | dictsort %}
+{%           if key not in [ 'name', 'Codename', 'value', 'id', 'comment', 'state', 'weight', 'real_weight', 'separator', 'section' ] %}
+{%             set section_value = value %}
+{%             if value is not string and value is not mapping and value is iterable %}
+{%               set section_value = (value | join(' ')) %}
+{%             endif %}
+{%             if section_value is iterable and section_value.split('\n') | count > 1 %}
+{%               set value_first = section_value.split('\n')[0] %}
+{%               set value_rest = section_value.split('\n')[1:] | join('\n') %}
+{{               '{}: {}'.format(key, value_first) }}
+{{               '{}'.format(value_rest | regex_replace('\n$','') | indent(1, true)) }}
+{%             else %}
+{{               '{}: {}'.format(key, section_value) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{{   '# No distributions defined for {}'.format(repo.name) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/email-changes.sh.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/email-changes.sh.j2
new file mode 100755
index 00000000..47c2985f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/email-changes.sh.j2
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2013      Vincent Bernat <vincent@bernat.ch>
+# Copyright (C) 2014-2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Send information about repository changes to administrator
+# Sourced from: https://gist.github.com/vincentbernat/7404733
+
+
+INSTANCE="{{ repo.name }}"
+MAIL_FROM="{{ (repo.mail_name | d('Reprepro ' + repo.name + ' repository')) + ' <' + (repo.mail_from | d(reprepro__mail_from)) + '>' }}"
+read -r -a MAIL_TO <<< "{{ repo.mail_to | d(reprepro__mail_to) }}"
+
+[ -n "${REPREPRO_OUT_DIR}" ] || {
+	echo "needs to be run by reprepro!" >&2
+	exit 1
+}
+cd "${REPREPRO_OUT_DIR}" || exit 1
+
+dsc() {
+	dsc="$(readlink --canonicalize "$1")"
+	tmp="$(mktemp -d)"
+        trap 'rm -rf -- $tmp' EXIT
+	(cd -- "$tmp" && dpkg-source --no-copy -x "$dsc" > /dev/null)
+	cat <<EOF > "$tmp/mail"
+
+✂--------------------- Changelog --------------------------
+
+EOF
+	changelog="$(echo "$tmp"/*/debian/changelog)"
+	# shellcheck disable=SC2129
+	dpkg-parsechangelog -l"$changelog" \
+		${OLDVERSION:+--since "$OLDVERSION"} \
+		${VERSION:+--to "$VERSION"} \
+		>> "$tmp/mail"
+	cat <<EOF >> "$tmp/mail"
+
+✂--------------------- DSC file ---------------------------
+
+EOF
+	cat "$dsc" >> "$tmp/mail"
+
+	mail -r "${MAIL_FROM}" \
+		-s "[PACKAGES] ($INSTANCE) $CODENAME/$COMPONENT: $ACTION $NAME" \
+		-- "${MAIL_TO[@]}" < "$tmp/mail"
+}
+
+ACTION="$1"
+CODENAME="$2"
+PACKAGETYPE="$3"
+COMPONENT="$4"
+ARCHITECTURE="$5"
+NAME="$6"
+[ "$PACKAGETYPE" = "dsc" ] || {
+	echo "Should be a DSC package, not $PACKAGETYPE" >&2
+	exit 1
+}
+[ "$ARCHITECTURE" = "source" ] || {
+	echo "Should be a source package, not $ARCHITECTURE" >&2
+	exit 1
+}
+shift 6
+
+case "$ACTION" in
+	add|info)
+		VERSION="$1" ; shift
+		[ "$1" = "--" ] || exit 2
+		shift
+
+		while [ "$#" -gt 0 ] ; do
+			case "$1" in
+				*.dsc)
+					dsc "$1"
+					;;
+				--)
+					exit 2
+					;;
+			esac
+			shift
+		done
+		;;
+	remove)
+		OLDVERSION="$1" ; shift
+		[ "$1" = "--" ] || exit 2
+		shift
+		while [ "$#" -gt 0 ] ; do
+			case "$1" in
+				*.dsc)
+					dsc "$1"
+					;;
+				--)
+					exit 2
+					;;
+			esac
+			shift
+		done
+		;;
+	replace)
+		VERSION="$1" ; shift
+		OLDVERSION="$1" ; shift
+		[ "$1" = "--" ] || exit 2
+		shift
+		while [ "$#" -gt 0 ] && [ "$1" != "--" ]; do
+			case "$1" in
+				*.dsc)
+					dsc "$1"
+					;;
+			esac
+			shift
+		done
+		[ "$1" = "--" ] || exit 2
+		# Ignore replaced dsc
+		;;
+esac
+
+exit 0
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/incoming.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/incoming.j2
new file mode 100644
index 00000000..c0fdefa5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/incoming.j2
@@ -0,0 +1,48 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ # Format: deb822
+ #}
+# {{ ansible_managed }}
+
+{% if repo.incoming | d() %}
+{%   for section in repo.incoming %}
+{%     if section.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{%       if section.comment | d() %}
+{{         section.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{%       endif %}
+{%       if section.raw | d() %}
+{{         section.raw | regex_replace('\n$', '') }}
+{%       else %}
+{{         'Name: {}'.format(section.Name | d(section.name)) }}
+{%         if 'IncomingDir' not in section.keys() %}
+{%           set _ = section.update({'IncomingDir': (reprepro__spool_root + '/' + repo.name + '/' + (section.Name | d(section.name)))}) %}
+{%         endif %}
+{%         if 'TempDir' not in section.keys() %}
+{%           set _ = section.update({'TempDir': 'tmp'}) %}
+{%         endif %}
+{%         for key, value in section | dictsort %}
+{%           if key not in [ 'name', 'Name', 'value', 'id', 'comment', 'state', 'weight', 'real_weight', 'separator', 'section' ] %}
+{%             set section_value = value %}
+{%             if value is not string and value is not mapping and value is iterable %}
+{%               set section_value = (value | join(' ')) %}
+{%             endif %}
+{%             if section_value is iterable and section_value.split('\n') | count > 1 %}
+{%               set value_first = section_value.split('\n')[0] %}
+{%               set value_rest = section_value.split('\n')[1:] | join('\n') %}
+{{               '{}: {}'.format(key, value_first) }}
+{{               '{}'.format(value_rest | regex_replace('\n$','') | indent(1, true)) }}
+{%             else %}
+{{               '{}: {}'.format(key, section_value) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{{   '# No incoming sources defined for {}'.format(repo.name) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/options.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/options.j2
new file mode 100644
index 00000000..68b5f78c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/options.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+{% set default_options = [
+  {'basedir': (repo.basedir | d(reprepro__data_root + '/' + repo.name))},
+  {'outdir': (repo.outdir | d(reprepro__public_root + '/sites/' + repo.name + '/public/' + (repo.os | d('debian'))))},
+  {'waitforlock': 3},
+  {'verbose': ''}
+] %}
+{% for option in ((default_options + repo.options | d([])) | debops.debops.parse_kv_config) %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if option.value | d() %}
+{{       '{} {}'.format(option.name, option.value) }}
+{%     else %}
+{{       '{}'.format(option.name) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/pulls.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/pulls.j2
new file mode 100644
index 00000000..e09d800e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/pulls.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ # Format: deb822
+ #}
+# {{ ansible_managed }}
+
+{% if repo.pulls | d() %}
+{%   for section in repo.pulls %}
+{%     if section.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{%       if section.comment | d() %}
+{{         section.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{%       endif %}
+{%       if section.raw | d() %}
+{{         section.raw | regex_replace('\n$', '') }}
+{%       else %}
+{{         'Name: {}'.format(section.Name | d(section.name)) }}
+{%         for key, value in section | dictsort %}
+{%           if key not in [ 'name', 'Name', 'value', 'id', 'comment', 'state', 'weight', 'real_weight', 'separator', 'section' ] %}
+{%             set section_value = value %}
+{%             if value is not string and value is not mapping and value is iterable %}
+{%               set section_value = (value | join(' ')) %}
+{%             endif %}
+{%             if section_value is iterable and section_value.split('\n') | count > 1 %}
+{%               set value_first = section_value.split('\n')[0] %}
+{%               set value_rest = section_value.split('\n')[1:] | join('\n') %}
+{{               '{}: {}'.format(key, value_first) }}
+{{               '{}'.format(value_rest | regex_replace('\n$','') | indent(1, true)) }}
+{%             else %}
+{{               '{}: {}'.format(key, section_value) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{{   '# No pull rules defined for {}'.format(repo.name) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/updates.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/updates.j2
new file mode 100644
index 00000000..97bd38e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/updates.j2
@@ -0,0 +1,42 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ # Format: deb822
+ #}
+# {{ ansible_managed }}
+
+{% if repo.updates | d() %}
+{%   for section in repo.updates %}
+{%     if section.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%       if not loop.first %}
+{{         '' }}
+{%       endif %}
+{%       if section.comment | d() %}
+{{         section.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{%       endif %}
+{%       if section.raw | d() %}
+{{         section.raw | regex_replace('\n$', '') }}
+{%       else %}
+{{         'Name: {}'.format(section.Name | d(section.name)) }}
+{%         for key, value in section | dictsort %}
+{%           if key not in [ 'name', 'Name', 'value', 'id', 'comment', 'state', 'weight', 'real_weight', 'separator', 'section' ] %}
+{%             set section_value = value %}
+{%             if value is not string and value is not mapping and value is iterable %}
+{%               set section_value = (value | join(' ')) %}
+{%             endif %}
+{%             if section_value is iterable and section_value.split('\n') | count > 1 %}
+{%               set value_first = section_value.split('\n')[0] %}
+{%               set value_rest = section_value.split('\n')[1:] | join('\n') %}
+{{               '{}: {}'.format(key, value_first) }}
+{{               '{}'.format(value_rest | regex_replace('\n$','') | indent(1, true)) }}
+{%             else %}
+{{               '{}: {}'.format(key, section_value) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{{   '# No update sources defined for {}'.format(repo.name) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/uploaders/template.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/uploaders/template.j2
new file mode 100644
index 00000000..c8eba97a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/home/reprepro/repositories/instance/conf/uploaders/template.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.raw | d() %}
+{{   '{}'.format(item.raw | regex_replace('\n$','')) }}
+{% else %}
+{{   '# No "{}" uploaders defined for {}'.format(item.name, repo.name) }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/reprepro/templates/lookup/reprepro__env_nginx_servers.j2 b/ansible_collections/debops/debops/roles/reprepro/templates/lookup/reprepro__env_nginx_servers.j2
new file mode 100644
index 00000000..8d049c8a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/reprepro/templates/lookup/reprepro__env_nginx_servers.j2
@@ -0,0 +1,94 @@
+{# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = [] %}
+{% for repo in q("flattened", reprepro__combined_instances) | debops.debops.parse_kv_items(merge_keys=["distributions", "incoming", "pulls", "updates"]) %}
+{%   if repo.fqdn | d() %}
+{%     set repo_data_http = {
+         'by_role': 'debops.reprepro',
+         'state': (repo.state if repo.public | d(True) else 'absent'),
+         'enabled': True,
+         'ssl': False,
+         'name': repo.fqdn,
+         'filename': ('debops.reprepro_' + repo.name + '_http'),
+         'root': (repo.outdir | d(reprepro__public_root + '/sites/' + repo.name + '/public')),
+         'webroot_create': False,
+         'location_list': [
+           {'pattern': '/',
+            'allow': repo.allow | d([]),
+            'options': 'try_files $uri $uri/ =404;\nautoindex on;\nautoindex_exact_size off;\nautoindex_localtime on;'
+           },
+           {'pattern': '~ /(.+)/(.*)',
+            'allow': repo.allow | d([]),
+            'options': 'try_files $uri $uri/ =404;\nautoindex on;\nautoindex_exact_size off;\nautoindex_localtime on;'
+           }
+         ]
+       } %}
+{%     set _ = output.append(repo_data_http) %}
+{%     set location_list_https = [
+         {'pattern': '/',
+          'allow': repo.allow | d([]),
+          'options': 'try_files $uri $uri/ =404;\nautoindex on;\nautoindex_exact_size off;\nautoindex_localtime on;'
+         }
+       ] %}
+{%     if repo.public | d(True) %}
+{%       set _ = location_list_https.append(
+           {'pattern': '~ /(.+)/(.*)',
+            'allow': repo.allow | d([]),
+            'options': 'try_files $uri $uri/ =404;\nautoindex on;\nautoindex_exact_size off;\nautoindex_localtime on;'
+           }
+         ) %}
+{%     else %}
+{%       set _ = location_list_https.append(
+           {'pattern': '~ /(.+)/(.*)',
+            'allow': repo.allow | d([]),
+            'options': 'try_files $uri $uri/ =404;\nautoindex on;\nautoindex_exact_size off;\nautoindex_localtime on;',
+            'access_policy': repo.access_policy | d(''),
+            'auth_basic_realm': repo.auth_realm | d(reprepro__auth_realm)
+           }
+         ) %}
+{%     endif %}
+{%     if repo.upload_map | d() %}
+{%       for path, alias in repo.upload_map | dictsort %}
+{%         if alias | d() %}
+{%           set alias_path = alias %}
+{%         else %}
+{%           set alias_path = (reprepro__spool_root + '/' + repo.name + '/incoming') %}
+{%         endif %}
+{%         set _ = location_list_https.append(
+             {'pattern': '^~ /' + (path | regex_replace('^/','')),
+              'allow': repo.allow_upload | d([]),
+              'options': ('alias ' + alias_path + ';\ndav_access all:rw;\ndav_methods PUT;\nlimit_except PUT {\n    deny all;\n}')
+             }
+           ) %}
+{%       endfor %}
+{%     else %}
+{%       set _ = location_list_https.append(
+           {'pattern': '^~ /upload',
+            'allow': repo.allow_upload | d([]),
+            'options': ('alias ' + reprepro__spool_root + '/' + repo.name + '/incoming;\ndav_access all:rw;\ndav_methods PUT;\nlimit_except PUT {\n    deny all;\n}')
+           }
+         ) %}
+{%     endif %}
+{%     set repo_data_https = {
+         'by_role': 'debops.reprepro',
+         'state': (repo.state if (ansible_local.pki.enabled | d()) | bool else 'absent'),
+         'enabled': True,
+         'name': repo.fqdn,
+         'filename': ('debops.reprepro_' + repo.name + '_https'),
+         'root': (repo.outdir | d(reprepro__public_root + '/sites/' + repo.name + '/public')),
+         'webroot_create': False,
+         'options': ('client_max_body_size ' + repo.max_body_size | d(reprepro__max_body_size) + ';'),
+         'location_list': location_list_https
+       } %}
+{%     if repo.public | d(True) %}
+{%       set _ = repo_data_https.update({'listen': False}) %}
+{%     endif %}
+{%     if repo.pki_realm | d() %}
+{%       set _ = repo_data_https.update({'pki_realm': repo.pki_realm}) %}
+{%     endif %}
+{%     set _ = output.append(repo_data_https) %}
+{%   endif %}
+{% endfor %}
+{{ output | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/resolvconf/COPYRIGHT b/ansible_collections/debops/debops/roles/resolvconf/COPYRIGHT
new file mode 100644
index 00000000..5cdf7c71
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.resolvconf - Configure systemw-wide DNS resolver via Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/resolvconf/defaults/main.yml b/ansible_collections/debops/debops/roles/resolvconf/defaults/main.yml
new file mode 100644
index 00000000..52c14697
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/defaults/main.yml
@@ -0,0 +1,302 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _resolvconf__ref_defaults:
+
+# debops.resolvconf default variables
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role configuration [[[
+# ----------------------
+
+# .. envvar:: resolvconf__enabled [[[
+#
+# Enable or disable the :ref:`debops.resolvconf` Ansible role configuration.
+# This can be used to disable the role without removing it from the
+# :file:`common.yml` playbook.
+resolvconf__enabled: '{{ ansible_local.resolvconf.installed
+                          | d(ansible_interfaces | count > 2 or
+                            resolvconf__combined_services | d()) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__deploy_state [[[
+#
+# If ``present``, the role will apply its own DNS resolver configuration. If
+# ``absent``, the role will restore the original configuration from the
+# ``resolvconf`` package.
+resolvconf__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: resolvconf__base_packages [[[
+#
+# List of APT packages to install for ``resolvconf`` support.
+resolvconf__base_packages: [ 'resolvconf' ]
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__packages [[[
+#
+# List of additional APT packages to install with ``resolvconf``.
+resolvconf__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Static DNS configuration [[[
+# ----------------------------
+
+# .. envvar:: resolvconf__static_enabled [[[
+#
+# Enable or disable support for static DNS configuration.
+resolvconf__static_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__static_filename [[[
+#
+# Name of the file in the :file:`/run/resolvconf/interface/` directory which
+# contains static DNS configuration. The role will not clean up old files if
+# this name is changed when the configuration is already applied on the host.
+#
+# You can change the interface name "prefix" to affect the order of the search
+# domains in the generated :file:`/etc/resolv.conf` configuration file.
+resolvconf__static_filename: 'lo.static'
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__static_content [[[
+#
+# String or YAML text block with static :man:`resolv.conf(5)` configuration
+# which should be merged into the generated :file:`/etc/resolv.conf`
+# configuration file.
+#
+# If ``resolvconf__deploy_state`` is not ``present``, that is either
+# ``absent`` or ``ignore``, then contents will be copied as-is to
+# :file:`/etc/resolv.conf`.
+resolvconf__static_content: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Network interface order [[[
+# ---------------------------
+
+# These variables define the order of the network interfaces in the
+# :file:`/etc/resolvconf/interface-order` configuration file. See
+# :ref:`resolvconf__ref_interface_order` for more details.
+
+# .. envvar:: resolvconf__original_interface_order [[[
+#
+# The original contents of the :file:`/etc/resolvconf/interface-order`
+# configuration file that come with the APT package.
+resolvconf__original_interface_order:
+
+  - name: 'loopback-interface'
+    value: |
+      lo.inet6
+      lo.inet
+      lo.@(dnsmasq|pdnsd)
+      lo.!(pdns|pdns-recursor)
+      lo
+
+  - name: 'vpn-interfaces'
+    value: |
+      tun*
+      tap*
+
+  - name: 'wwan-interfaces'
+    value: 'hso*'
+
+  - name: 'ethernet-interfaces'
+    value: |
+      em+([0-9])?(_+([0-9]))*
+      p+([0-9])p+([0-9])?(_+([0-9]))*
+      @(br|eth)*([^.]).inet6
+      @(br|eth)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(br|eth)*([^.]).inet
+      @(br|eth)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(br|eth)*
+
+  - name: 'wireless-interfaces'
+    value: |
+      @(ath|wifi|wlan)*([^.]).inet6
+      @(ath|wifi|wlan)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(ath|wifi|wlan)*([^.]).inet
+      @(ath|wifi|wlan)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(ath|wifi|wlan)*
+
+  - name: 'ppp-interfaces'
+    value: 'ppp*'
+
+  - name: 'all-interfaces'
+    value: '*'
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__default_interface_order [[[
+#
+# The modifications in the :file:`/etc/resolvconf/interface-order`
+# configuration file set by the role conditionally.
+resolvconf__default_interface_order:
+
+  # Place configuration from NetworkManager between Ethernet and Wireless
+  # interface configuration
+  - name: 'network-manager-interfaces'
+    copy_id_from: 'ethernet-interfaces'
+    value: 'NetworkManager'
+
+  # Add missing Predictable Network Interface Names definitions
+  # Ref: https://bugs.debian.org/877695, https://bugs.debian.org/905907
+  - name: 'wwan-interfaces'
+    value: '@(hso|ww)*'
+
+  # Add missing Predictable Network Interface Names definitions
+  # Ref: https://bugs.debian.org/877695, https://bugs.debian.org/905907
+  - name: 'ethernet-interfaces'
+    value: |
+      em+([0-9])?(_+([0-9]))*
+      p+([0-9])p+([0-9])?(_+([0-9]))*
+      @(br|en|eth)*([^.]).inet6
+      @(br|en|eth)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(br|en|eth)*([^.]).inet
+      @(br|en|eth)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(br|en|eth)*
+
+  # Add missing Predictable Network Interface Names definitions
+  # Ref: https://bugs.debian.org/877695, https://bugs.debian.org/905907
+  - name: 'wireless-interfaces'
+    value: |
+      @(ath|wifi|wl|wlan)*([^.]).inet6
+      @(ath|wifi|wl|wlan)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(ath|wifi|wl|wlan)*([^.]).inet
+      @(ath|wifi|wl|wlan)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(ath|wifi|wl|wlan)*
+
+  # Add missing Predictable Network Interface Names definitions
+  # Ref: https://bugs.debian.org/877695, https://bugs.debian.org/905907
+  - name: 'ppp-interfaces'
+    value: '@(ppp|sl)*'
+
+  # When a local DNS resolver is present, the VPN interface configuration
+  # received via DHCP should be pushed after the Enternet configuration to not
+  # disrupt the local host DNS domain configuration.
+  # Ref: https://bugs.debian.org/612351
+  - name: 'vpn-interfaces'
+    copy_id_from: 'ppp-interfaces'
+    state: '{{ "present"
+               if ("unbound" in resolvconf__combined_services or
+                   "dnsmasq" in resolvconf__combined_services or
+                   "bind" in resolvconf__combined_services)
+               else "ignore" }}'
+
+  # Add the 'vlan*' and 'vxlan*' interfaces before the tunnel interfaces
+  - name: 'vlan-interfaces'
+    value: |
+      @(vlan|vxlan)*([^.]).inet6
+      @(vlan|vxlan)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(vlan|vxlan)*([^.]).inet
+      @(vlan|vxlan)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(vlan|vxlan)*
+    copy_id_from: 'vpn-interfaces'
+    weight: -10
+
+  # Add the 'mesh*' interfaces for mesh-like VPNs before the tunnel interfaces
+  - name: 'mesh-interfaces'
+    value: |
+      @(mesh)*([^.]).inet6
+      @(mesh)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
+      @(mesh)*([^.]).inet
+      @(mesh)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
+      @(mesh)*
+    copy_id_from: 'vpn-interfaces'
+    weight: -5
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__interface_order [[[
+#
+# List of :file:`/etc/resolvconf/interface-order` configuration file entries
+# defined on all hosts in the Ansible inventory.
+resolvconf__interface_order: []
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__group_interface_order [[[
+#
+# List of :file:`/etc/resolvconf/interface-order` configuration file entries
+# defined on hosts in a specific Ansible inventory group.
+resolvconf__group_interface_order: []
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__host_interface_order [[[
+#
+# List of :file:`/etc/resolvconf/interface-order` configuration file entries
+# defined on specific hosts in the Ansible inventory.
+resolvconf__host_interface_order: []
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__combined_interface_order [[[
+#
+# The variable that combines interface order configuration from other variables
+# and is used in the role tasks and templates.
+resolvconf__combined_interface_order: '{{ resolvconf__original_interface_order
+                                          + resolvconf__default_interface_order
+                                          + resolvconf__interface_order
+                                          + resolvconf__group_interface_order
+                                          + resolvconf__host_interface_order }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Local DNS services [[[
+# ----------------------
+
+# These variables define what DNS services are present on a host. This
+# information is used to modify the interface order conditionally during role
+# execution.
+
+# .. envvar:: resolvconf__default_services [[[
+#
+# List of local DNS services present on a host that uses Ansible local facts to
+# detect their presence.
+resolvconf__default_services:
+
+  - '{{ "dnsmasq"
+        if (ansible_local.dnsmasq.installed | d() | bool)
+        else [] }}'
+
+  - '{{ "unbound"
+        if (ansible_local.unbound.installed | d() | bool)
+        else [] }}'
+
+  - '{{ "bind"
+        if (ansible_local.bind.installed | d() | bool)
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__services [[[
+#
+# List of local DNS services specified via the Ansible inventory.
+resolvconf__services: []
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__dependent_services [[[
+#
+# List of local DNS services specified via the role dependent variables. This
+# variable can be used in the Ansible playbook to "prime" the
+# :ref:`debops.resolvconf` role configuration for presence of a given DNS
+# service before it is installed on a host.
+resolvconf__dependent_services: []
+
+                                                                   # ]]]
+# .. envvar:: resolvconf__combined_services [[[
+#
+# The variable that combines other lists of local DNS services and is used in
+# the role tasks and templates.
+resolvconf__combined_services: '{{ q("flattened",
+                                     (resolvconf__default_services
+                                      + resolvconf__services
+                                      + resolvconf__dependent_services)) }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/resolvconf/meta/main.yml b/ansible_collections/debops/debops/roles/resolvconf/meta/main.yml
new file mode 100644
index 00000000..ae9d1ec3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/meta/main.yml
@@ -0,0 +1,36 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure system-wide DNS resolver'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+  galaxy_tags:
+    - dns
+    - resolvconf
+    - tinc
+    - dnsmasq
+    - unbound
+    - bind
+    - networking
+    - nameservers
diff --git a/ansible_collections/debops/debops/roles/resolvconf/tasks/main.yml b/ansible_collections/debops/debops/roles/resolvconf/tasks/main.yml
new file mode 100644
index 00000000..7e0e611b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/tasks/main.yml
@@ -0,0 +1,109 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (resolvconf__base_packages
+                              + resolvconf__packages)) }}'
+    state: '{{ resolvconf__deploy_state }}'
+  register: resolvconf__register_packages
+  until: resolvconf__register_packages is succeeded
+  when: (resolvconf__enabled | bool and
+         resolvconf__deploy_state in ['present', 'absent'])
+
+- name: Generate static configuration script
+  ansible.builtin.template:
+    src: 'usr/local/lib/resolvconf-static.j2'
+    dest: '/usr/local/lib/resolvconf-static'
+    mode: '0755'
+  notify: [ 'Apply static resolvconf configuration' ]
+  when: (resolvconf__enabled | bool and resolvconf__static_enabled | bool and
+         resolvconf__deploy_state in ['present'])
+
+- name: Create systemd override directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/resolvconf.service.d'
+    state: 'directory'
+    mode: '0755'
+  when: (resolvconf__enabled | bool and resolvconf__static_enabled | bool and
+         resolvconf__deploy_state in ['present'])
+
+- name: Generate systemd service override
+  ansible.builtin.template:
+    src: 'etc/systemd/system/resolvconf.service.d/static.conf.j2'
+    dest: '/etc/systemd/system/resolvconf.service.d/static.conf'
+    mode: '0644'
+  notify: [ 'Reload service manager' ]
+  when: (resolvconf__enabled | bool and resolvconf__static_enabled | bool and
+         resolvconf__deploy_state in ['present'])
+
+- name: Add diversion of /etc/resolvconf/interface-order
+  debops.debops.dpkg_divert:
+    path: '/etc/resolvconf/interface-order'
+    state: '{{ resolvconf__deploy_state }}'
+    delete: True
+  notify: [ 'Refresh /etc/resolv.conf' ]
+  when: (resolvconf__enabled | bool and
+         resolvconf__deploy_state in ['present'])
+
+- name: Remove diversion of /etc/resolvconf/interface-order
+  debops.debops.dpkg_divert:
+    path: '/etc/resolvconf/interface-order'
+    state: '{{ resolvconf__deploy_state }}'
+    delete: True
+  when: (resolvconf__enabled | bool and
+         resolvconf__deploy_state in ['absent'])
+
+- name: Generate /etc/resolvconf/interface-order configuration
+  ansible.builtin.template:
+    src: 'etc/resolvconf/interface-order.j2'
+    dest: '/etc/resolvconf/interface-order'
+    mode: '0644'
+  notify: [ 'Refresh /etc/resolv.conf' ]
+  when: resolvconf__enabled | bool and resolvconf__deploy_state == 'present'
+
+- name: Remove configuration
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  when: (resolvconf__enabled | bool and
+         resolvconf__deploy_state in ['absent'])
+  loop:
+    - '/usr/local/lib/resolvconf-static'
+    - '/etc/systemd/system/resolvconf.service.d/static.conf'
+    - '/etc/systemd/system/resolvconf.service.d'
+
+- name: Create static /etc/resolv.conf
+  ansible.builtin.copy:
+    mode: '0755'
+    dest: "/etc/resolv.conf"
+    content: '{{ resolvconf__static_content }}'
+  when: (resolvconf__enabled | bool and resolvconf__static_enabled | bool and
+         resolvconf__static_content != '' and resolvconf__deploy_state != 'present')
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Generate resolvconf Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/resolvconf.fact.j2'
+    dest: '/etc/ansible/facts.d/resolvconf.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/resolvconf/templates/etc/ansible/facts.d/resolvconf.fact.j2 b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/ansible/facts.d/resolvconf.fact.j2
new file mode 100644
index 00000000..8d4addf7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/ansible/facts.d/resolvconf.fact.j2
@@ -0,0 +1,80 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def read_resolv_file(resolv_file):
+    try:
+        with open(resolv_file, 'r') as f:
+            nameservers = []
+            for line in f:
+                if line.startswith('nameserver'):
+                    nameservers.append(line.strip().split()[1])
+
+            return nameservers
+
+    except Exception:
+        pass
+
+
+output = loads('''{{ {"configured": True,
+                      "deploy_state": resolvconf__deploy_state
+                     } | to_nice_json }}''')
+
+output['installed'] = cmd_exists('resolvconf')
+
+if not output['installed']:
+    output['deploy_state'] = 'absent'
+
+# Get the primary resolver configuration
+nameservers = read_resolv_file('/etc/resolv.conf')
+
+# Get the upstream resolver configuration
+upstream_nameservers = []
+resolvconf_files = []
+resolvconf_path = '/run/resolvconf/interface'
+systemdresolved_path = '/run/systemd/resolve/resolv.conf'
+if os.path.isdir(resolvconf_path):
+    resolvconf_files = ([os.path.join(resolvconf_path, f)
+                         for f in os.listdir(resolvconf_path)
+                         if os.path.isfile(os.path.join(resolvconf_path, f))])
+
+if os.path.isfile(systemdresolved_path):
+    resolvconf_files.append(systemdresolved_path)
+
+for element in resolvconf_files:
+    try:
+        for server in read_resolv_file(element):
+            if not server.startswith('127.'):
+                if server not in upstream_nameservers:
+                    upstream_nameservers.append(server)
+
+    except Exception:
+        pass
+
+# If nameservers contains a localhost address, and we've found some
+# upstream nameservers, then output the upstream nameservers.
+# - 127.0.0.1 is the stub address used by resolvconf
+# - 127.0.0.53 is the stub address used by systemd-resolved
+if (('127.0.0.1' in nameservers or
+        '127.0.0.53' in nameservers) and
+        upstream_nameservers):
+    output['upstream_nameservers'] = upstream_nameservers
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/resolvconf/templates/etc/resolvconf/interface-order.j2 b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/resolvconf/interface-order.j2
new file mode 100644
index 00000000..162c39f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/resolvconf/interface-order.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# interface-order(5)
+{% for element in resolvconf__combined_interface_order | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value | d() and element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if element.comment | d() %}
+
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{{ '{}'.format(element.value | regex_replace('\n$','')) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/resolvconf/templates/etc/systemd/system/resolvconf.service.d/static.conf.j2 b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/systemd/system/resolvconf.service.d/static.conf.j2
new file mode 100644
index 00000000..3eeae927
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/templates/etc/systemd/system/resolvconf.service.d/static.conf.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Service]
+ExecStartPost=-/usr/local/lib/resolvconf-static
diff --git a/ansible_collections/debops/debops/roles/resolvconf/templates/usr/local/lib/resolvconf-static.j2 b/ansible_collections/debops/debops/roles/resolvconf/templates/usr/local/lib/resolvconf-static.j2
new file mode 100644
index 00000000..ca0eec18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolvconf/templates/usr/local/lib/resolvconf-static.j2
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+static_enabled="{{ 'true' if resolvconf__static_content | d() else 'false' }}"
+static_filename="/run/resolvconf/interface/{{ resolvconf__static_filename }}"
+
+reload_resolvconf () {
+    # Don't try to restart resolvconf under systemd if it's not running
+    # This avoids issues with resolvconf starting early during boot
+    if [ -d /run/systemd/system ]; then
+        if [ "$(systemctl is-active resolvconf.service)" = "active" ] ; then
+            resolvconf -u
+        fi
+    else
+        resolvconf -u
+    fi
+}
+
+if [ "${static_enabled}" = "true" ] ; then
+
+    # Ensure that the parent directories exist
+    if ! [ -d "$(dirname "${static_filename}")" ] ; then
+        mkdir -p "$(dirname "${static_filename}")"
+    fi
+
+    # shellcheck disable=SC1117
+    cat <<EOF > "${static_filename}"
+{{ resolvconf__static_content | regex_replace("\n$","") }}
+EOF
+    reload_resolvconf
+
+else
+
+    if [ -f "${static_filename}" ] ; then
+        rm -f "${static_filename}"
+        reload_resolvconf
+    fi
+
+fi
diff --git a/ansible_collections/debops/debops/roles/resolved/COPYRIGHT b/ansible_collections/debops/debops/roles/resolved/COPYRIGHT
new file mode 100644
index 00000000..187715d5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.resolved - Manage Network Name Resolver using Ansible
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/resolved/defaults/main.yml b/ansible_collections/debops/debops/roles/resolved/defaults/main.yml
new file mode 100644
index 00000000..e4bfdbb6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/defaults/main.yml
@@ -0,0 +1,338 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _resolved__ref_defaults:
+
+# debops.resolved default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General options [[[
+# -------------------
+
+# .. envvar:: resolved__enabled [[[
+#
+# Enable or disable management of the :command:`systemd-resolved` service using
+# DebOps. If the parameter is set to ``False``, the role will not touch service
+# configuration.
+resolved__enabled: '{{ True
+                       if (ansible_service_mgr == "systemd" and
+                           resolved__fact_service_state == "present")
+                       else False }}'
+
+                                                                   # ]]]
+# .. envvar:: resolved__deploy_state [[[
+#
+# This variable controls if the :command:`systemd-resolved` main configuration
+# file is managed on the host (``present``) or not (``absent``, default). If
+# deployment state is disabled, :command:`systemd-resolved` will use the
+# configuration provided with the OS package.
+resolved__deploy_state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: resolved__resolv_conf [[[
+#
+# Specify the file which will be symlinked as the system-wide resolver
+# configuration file (see :man:`resolv.conf(5)` for details). The role will
+# symlink the specified file as :file:`/etc/resolv.conf` when both
+# :command:`systemd-networkd` and :command:`systemd-resolved` services are
+# enabled on a host.
+#
+# To not make any changes, set this variable to ``/etc/resolv.conf``.
+resolved__resolv_conf: '/run/systemd/resolve/stub-resolv.conf'
+
+                                                                   # ]]]
+# .. envvar:: resolved__fallback_conf [[[
+#
+# Name of the :command:`systemd-resolved` configuration file stored in the
+# :file:`/etc/systemd/resolved.conf.d/` directory which will contain nameserver
+# and search domain configuration saved from Ansible facts before the service
+# is installed. If the name is empty, the file will not be created by the role.
+resolved__fallback_conf: '00fallback-dns.conf'
+
+                                                                   # ]]]
+# .. envvar:: resolved__dnssd_enabled [[[
+#
+# Enable or disable support for publishing and resolving DNS-SD resource
+# records using the Multicast DNS protocol. See :man:`systemd.dnssd(5)` for
+# more details about the service configuration itself and
+# :ref:`resolved__ref_dnssd` documentation section about support of this
+# functionality in the Ansible role. For this variable to work, the
+# :envvar:`resolved__deploy_state` variable needs to be set to ``present``.
+resolved__dnssd_enabled: True
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages and installation [[[
+# ---------------------------------
+
+# .. envvar:: resolved__base_packages [[[
+#
+# List of base APT packages for :command:`systemd-resolved` support. The APT
+# package is separate from ``systemd`` APT package since Debian Bookworm to
+# allow for conflict resolution with other APT packages that provide the
+# ``resolvconf`` service.
+resolved__base_packages: '{{ ["libnss-resolve"]
+                              if (ansible_distribution_release in
+                                  (["stretch", "buster", "bullseye",
+                                    "bionic", "focal", "jammy"]))
+                              else ["systemd-resolved", "libnss-resolve"] }}'
+
+                                                                   # ]]]
+# .. envvar:: resolved__packages [[[
+#
+# List of additional APT packages to install for :command:`systemd-resolved`
+# support.
+resolved__packages: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__skip_packages [[[
+#
+# List of APT packages which provide the ``resolvconf`` service. When the role
+# detects that they are installed on the host, it will turn itself off to avoid
+# conflicts.
+resolved__skip_packages: [ 'resolvconf', 'openresolv' ]
+
+                                                                   # ]]]
+# .. envvar:: resolved__version [[[
+#
+# Specify the version of the :command:`systemd-resolved` daemon installed on
+# the host. By default this variable is defined using Ansible local facts and
+# can be used to alter configuration depending on the version of the service.
+resolved__version: '{{ ansible_local.resolved.version | d("0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-resolved` service configuration [[[
+# ---------------------------------------------------------
+
+# These variables affect the behaviour of the
+# :command:`systemd-resolved.service` unit that can't be configured at the
+# daemon configuration level.
+
+# .. envvar:: resolved__synthesize_hostname [[[
+#
+# If enabled, the :command:`systemd-resolved` daemon will generate responses
+# for queries about local hostname without sending them to the upstream DNS
+# servers. This might result in undesired behaviour, for example not resolving
+# a host's FQDN by its hostname. If disabled, queries for local hostname are
+# sent to upstream DNS servers. Ref: https://github.com/systemd/systemd/issues/34897
+#
+# This option is enabled by default in systemd v256, but is disabled in DebOps
+# to preserve previous functionality.
+resolved__synthesize_hostname: False
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-resolved` daemon configuration [[[
+# --------------------------------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/systemd/resolved.conf` configuration file. Check the
+# :man:`resolved.conf(5)` manual page for more information about the
+# configuration options, and :ref:`resolved__ref_configuration` for details
+# about the configuration of the role itself.
+#
+# By default the configuration is not applied on the hosts, you need to set
+# :envvar:`resolved__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: resolved__default_configuration [[[
+#
+# List of the default configuration options defined by the role.
+resolved__default_configuration:
+
+  - name: 'DNS'
+    value: []
+    state: 'init'
+
+  - name: 'FallbackDNS'
+    value: []
+    state: 'init'
+
+  - name: 'Domains'
+    value: []
+    state: 'init'
+
+  - name: 'DNSSEC'
+    value: False
+    state: 'init'
+
+  - name: 'DNSOverTLS'
+    value: False
+    state: 'init'
+
+  - name: 'MulticastDNS'
+    value: '{{ resolved__dnssd_enabled | bool }}'
+    state: '{{ "init" if (resolved__dnssd_enabled | bool) else "present" }}'
+
+  - name: 'LLMNR'
+    value: True
+    state: 'init'
+
+  - name: 'Cache'
+    value: True
+    state: 'init'
+
+  - name: 'DNSStubListener'
+    value: True
+    state: 'init'
+
+  - name: 'DNSStubListenerExtra'
+    value: ''
+    state: 'init'
+
+  - name: 'ReadEtcHosts'
+    value: True
+    state: 'init'
+
+  - name: 'ResolveUnicastSingleLabel'
+    value: False
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: resolved__configuration [[[
+#
+# List of the configuration options which should be present on all hosts in the
+# Ansible inventory.
+resolved__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__group_configuration [[[
+#
+# List of the configuration options which should be present on hosts in
+# a specific Ansible inventory group.
+resolved__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__host_configuration [[[
+#
+# List of the configuration options which should be present on specific hosts
+# in the Ansible inventory.
+resolved__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__combined_configuration [[[
+#
+# Variable which combines all configuration lists and is used in the role tasks
+# and templates.
+resolved__combined_configuration: '{{ resolved__default_configuration
+                                      + resolved__configuration
+                                      + resolved__group_configuration
+                                      + resolved__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The DNS-SD configuration units [[[
+# ----------------------------------
+
+# These variables can be used to manage :command:`systemd-resolved`
+# :file:`*.dnssd` files located in the :file:`/etc/systemd/dnssd/` directory.
+# Check the :man:`systemd.dnssd(5)` manual page for more information about
+# files themselves, and :ref:`resolved__ref_units` for details about
+# configuring units using this role.
+
+# .. envvar:: resolved__default_units [[[
+#
+# List of the default :command:`systemd-resolved` units defined by the role.
+resolved__default_units:
+
+  - name: 'workstation.dnssd'
+    comment: 'Publish information about the host in mDNS'
+    raw: |
+      [Service]
+      Name=%H
+      Type=_workstation._tcp
+      Port=9
+    state: 'present'
+
+  - name: 'ssh.dnssd'
+    comment: 'Publish information about the SSH service'
+    raw: |
+      [Service]
+      Name=%H
+      Type=_ssh._tcp
+      Port=22
+    state: 'present'
+
+  - name: 'sftp-ssh.dnssd'
+    comment: 'Publish information about the SFTP service'
+    raw: |
+      [Service]
+      Name=%H
+      Type=_sftp-ssh._tcp
+      Port=22
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: resolved__units [[[
+#
+# List of :command:`systemd-resolved` units which should be present on all
+# hosts in the Ansible inventory.
+resolved__units: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__group_units [[[
+#
+# List of :command:`systemd-resolved` units which should be present on hosts in
+# a specific Ansible inventory group.
+resolved__group_units: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__host_units [[[
+#
+# List of :command:`systemd-resolved` units which should be present on specific
+# hosts in the Ansible inventory.
+resolved__host_units: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__dependent_units [[[
+#
+# List of :command:`systemd-resolved` units which are defined by other Ansible
+# roles using dependent role variables.
+resolved__dependent_units: []
+
+                                                                   # ]]]
+# .. envvar:: resolved__combined_units [[[
+#
+# Variable which combines all of the :command:`systemd-resolved` unit lists and
+# is used in role tasks and templates.
+resolved__combined_units: '{{ resolved__default_units
+                              + resolved__dependent_units
+                              + resolved__units
+                              + resolved__group_units
+                              + resolved__host_units }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: resolved__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+resolved__etc_services__dependent_list:
+
+  - name: 'llmnr'
+    port: '5355'
+    protocols: [ 'tcp', 'udp' ]
+
+                                                                   # ]]]
+# .. envvar:: resolved__dpkg_cleanup__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.dpkg_cleanup` Ansible role.
+resolved__dpkg_cleanup__dependent_packages:
+
+  - name: 'systemd-resolved'
+    ansible_fact: 'resolved'
+    state: '{{ "absent"
+               if (ansible_distribution_release in
+                   (["stretch", "buster", "bullseye",
+                     "bionic", "focal", "jammy"]))
+               else "present" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/resolved/meta/main.yml b/ansible_collections/debops/debops/roles/resolved/meta/main.yml
new file mode 100644
index 00000000..6c31c065
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Network Name Resolver systemd-resolved'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - systemd
+    - dns
+    - nss
+    - resolved
diff --git a/ansible_collections/debops/debops/roles/resolved/tasks/main.yml b/ansible_collections/debops/debops/roles/resolved/tasks/main.yml
new file mode 100644
index 00000000..a75a6161
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/tasks/main.yml
@@ -0,0 +1,201 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if other resolvers are installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    dpkg --get-selections | grep -w -E '({{ resolved__skip_packages | join("|") }})'
+                          | awk '{print $1}' || true
+  args:
+    executable: '/bin/bash'
+  register: resolved__register_resolvers
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Set resolved deployment state
+  ansible.builtin.set_fact:
+    resolved__fact_service_state: '{{ "present"
+                                       if (not resolved__register_resolvers.stdout | d())
+                                       else "absent" }}'
+
+- name: Create systemd-resolved configuration directory for fallback
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when:
+    - resolved__enabled | bool
+    - resolved__fallback_conf != ''
+    - resolved__resolv_conf != '/etc/resolv.conf'
+    - not (ansible_local.resolved.installed | d()) | bool
+
+- name: Save existing nameservers as fallback to ensure connectivity
+  ansible.builtin.template:
+    src: 'etc/systemd/resolved.conf.d/fallback-dns.conf.j2'
+    dest: '{{ "/etc/systemd/resolved.conf.d/" + resolved__fallback_conf }}'
+    mode: '0644'
+  when:
+    - resolved__enabled | bool
+    - resolved__fallback_conf != ''
+    - resolved__resolv_conf != '/etc/resolv.conf'
+    - not (ansible_local.resolved.installed | d()) | bool
+
+- name: Create systemd-resolved.service configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/system/systemd-resolved.service.d'
+    state: 'directory'
+    mode: '0755'
+  when:
+    - resolved__enabled | bool
+
+- name: Configure synthesis of local hostname by systemd-resolved
+  ansible.builtin.template:
+    src: 'etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf.j2'
+    dest: '/etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf'
+    mode: '0644'
+  when:
+    - resolved__enabled | bool
+  notify: [ 'Reload systemd daemon', 'Restart systemd-resolved service' ]
+
+- name: Install required resolved packages
+  ansible.builtin.package:
+    name: '{{ resolved__base_packages + resolved__packages }}'
+    state: 'present'
+  register: resolved__register_packages
+  until: resolved__register_packages is succeeded
+  when: resolved__enabled | bool
+
+- name: Enable and start systemd-resolved service
+  ansible.builtin.systemd:
+    name: 'systemd-resolved.service'
+    state: 'started'
+    enabled: True
+  when: resolved__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: resolved__enabled | bool
+
+- name: Save resolved local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/resolved.fact.j2'
+    dest: '/etc/ansible/facts.d/resolved.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: resolved__enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Remove systemd-resolved configuuration if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d/ansible.conf'
+    state: 'absent'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: resolved__enabled | bool and resolved__deploy_state == 'absent'
+
+- name: Create systemd-resolved configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/resolved.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: resolved__enabled | bool and resolved__deploy_state != 'absent'
+
+- name: Generate systemd-resolved configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/resolved.conf.d/ansible.conf.j2'
+    dest: '/etc/systemd/resolved.conf.d/ansible.conf'
+    mode: '0644'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: resolved__enabled | bool and resolved__deploy_state != 'absent'
+
+- name: Ensure that /etc/systemd/dnssd/ directory exists
+  ansible.builtin.file:
+    path: '/etc/systemd/dnssd'
+    state: 'directory'
+    mode: '0755'
+  when: resolved__enabled | bool and resolved__dnssd_enabled | bool
+
+- name: Remove dnssd units if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/dnssd/" + item.name }}'
+    state: 'absent'
+  loop: '{{ resolved__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: resolved__enabled | bool and resolved__dnssd_enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Remove dnssd unit overrides if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/dnssd/" + item.name + ".d" }}'
+    state: 'absent'
+  loop: '{{ resolved__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: resolved__enabled | bool and resolved__dnssd_enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Create directories for dnssd units
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/dnssd/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ resolved__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: resolved__enabled | bool and resolved__dnssd_enabled | bool and
+        item.raw | d() and item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        (item.name | dirname).endswith('.d')
+
+- name: Generate dnssd units
+  ansible.builtin.template:
+    src: 'etc/systemd/dnssd/template.j2'
+    dest: '{{ "/etc/systemd/dnssd/" + item.name }}'
+    mode: '0644'
+  loop: '{{ resolved__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Restart systemd-resolved service' ]
+  when: resolved__enabled | bool and resolved__dnssd_enabled | bool and
+        item.raw | d() and item.state | d("present") not in ['absent', 'ignore', 'init']
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Manage /etc/resolv.conf configuration file
+  ansible.builtin.file:
+    path: '/etc/resolv.conf'
+    src: '{{ resolved__resolv_conf }}'
+    state: 'link'
+    force: True
+  when:
+    - resolved__enabled | bool
+    - resolved__resolv_conf != '/etc/resolv.conf'
+    - (ansible_local.networkd.state | d('disabled')) == 'enabled'
+    - (ansible_local.resolved.state | d('disabled')) == 'enabled'
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ resolved__dpkg_cleanup__dependent_packages }}'
+  when: resolved__enabled | bool
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::resolved:dpkg_cleanup' ]
diff --git a/ansible_collections/debops/debops/roles/resolved/templates/etc/ansible/facts.d/resolved.fact.j2 b/ansible_collections/debops/debops/roles/resolved/templates/etc/ansible/facts.d/resolved.fact.j2
new file mode 100644
index 00000000..f16a2efd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/templates/etc/ansible/facts.d/resolved.fact.j2
@@ -0,0 +1,45 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def binary_exists(binary):
+    if os.path.exists(binary) and os.path.isfile(binary):
+        return True
+    else:
+        return False
+
+
+output = {'installed': binary_exists('/lib/systemd/systemd-resolved')}
+
+try:
+    is_enabled = subprocess.check_output(
+            ["systemctl", "is-enabled",
+                "systemd-resolved.service"]).decode('utf-8')
+    output['state'] = is_enabled.strip()
+except subprocess.CalledProcessError:
+    output['state'] = 'disabled'
+
+try:
+    resolved_version_stdout = subprocess.check_output(
+            ["resolvectl", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in resolved_version_stdout.split('\n'):
+        if line.lower().startswith('systemd '):
+            output['version'] = line.split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/dnssd/template.j2 b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/dnssd/template.j2
new file mode 100644
index 00000000..f202cb62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/dnssd/template.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{{ item.raw | regex_replace('\n$', '') }}
diff --git a/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..a2366681
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/ansible.conf.j2
@@ -0,0 +1,52 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
+# Google:     8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
+# Quad9:      9.9.9.9 2620:fe::fe
+{% for element in resolved__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is undefined %}
+{%       set element_value = '' %}
+{%     elif element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ') %}
+{%     endif %}
+{%     if element.raw | d() %}
+{%       if element.state | d('present') in [ 'init', 'comment' ] %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '') | comment(decoration='#', prefix='', postfix='')) -}}
+{%       else %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%       endif %}
+{%     else %}
+{{       '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2 b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2
new file mode 100644
index 00000000..e2561d33
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/resolved.conf.d/fallback-dns.conf.j2
@@ -0,0 +1,27 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See resolved.conf(5) for details.
+
+# This file can be safely removed once nameserver configuration is defined in
+# systemd-resolved options.
+
+{% set fallback_dns = [] %}
+{% for element in ansible_facts['dns']['nameservers'] | d([]) %}
+{%   if element != '127.0.0.53' %}
+{%     set _ = fallback_dns.append(element) %}
+{%   endif %}
+{% endfor %}
+{% set domains = [] %}
+{% if ansible_facts['dns']['domain'] | d([]) %}
+{%   set _ = domains.append(ansible_facts['dns']['domain']) %}
+{% endif %}
+{% for element in ansible_facts['dns']['search'] | d([]) %}
+{%   set _ = domains.append(element) %}
+{% endfor %}
+[Resolve]
+{{ 'FallbackDNS={}'.format(fallback_dns | join(' ')) }}
+{{ 'Domains={}'.format(domains | join(' ')) }}
diff --git a/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf.j2 b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf.j2
new file mode 100644
index 00000000..b408d629
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resolved/templates/etc/systemd/system/systemd-resolved.service.d/synthesize-hostname.conf.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2025 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2025 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+[Service]
+
+# Enable or disable synthesis of local hostname by systemd-resolved service.
+# If enabled, local hostname queries won't be sent to upstream DNS servers.
+# Ref: https://github.com/systemd/systemd/issues/34897
+{% if resolved__synthesize_hostname | bool %}
+Environment=SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME=1
+{% else %}
+Environment=SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME=0
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/resources/COPYRIGHT b/ansible_collections/debops/debops/roles/resources/COPYRIGHT
new file mode 100644
index 00000000..6647510d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/COPYRIGHT
@@ -0,0 +1,17 @@
+debops.resources - Manage custom file resources through Ansible inventory
+
+Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/resources/defaults/main.yml b/ansible_collections/debops/debops/roles/resources/defaults/main.yml
new file mode 100644
index 00000000..212f8c7c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/defaults/main.yml
@@ -0,0 +1,440 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _resources__ref_defaults:
+
+# debops.resources default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Role configuration [[[
+# ----------------------
+
+# .. envvar:: resources__enabled [[[
+#
+# Enable or disable management of custom resources.
+resources__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: resources__src [[[
+#
+# Absolute path to the directory on Ansible Controller where custom resources
+# can be found. You need to create this directory manually.
+#
+# By default, path is relative to the Ansible inventory.
+resources__src: '{{ inventory_dir | realpath + "/../resources/" }}'
+                                                                   # ]]]
+# .. envvar:: resources__time_format [[[
+#
+# Time format to be used for the `Ansible ansible.builtin.file module`_.
+# This is used for example when the ``access_time`` is specified.
+# It is set here to `ISO 8601`_ because the Ansible
+# default format is hardly human readable
+# (without separators like ``-`` and ``:``).
+# Example: ``2023-05-23T23:42:42``
+resources__time_format: '%Y-%m-%dT%H:%M:%S'
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage parent directories [[[
+# -----------------------------
+
+# This section allows to configure the behavior for non existing parent
+# directories for destination file paths.
+#
+# This applies to the following sections:
+#
+# - `Manage custom remote resources`_
+# - `Manage custom archives`_
+# - `Manage custom files`_
+#
+
+# .. envvar:: resources__parent_dirs_create [[[
+#
+# Should the parent directories be created by the role? Not creating it will
+# cause an Ansible run time error when the directory does not exist.
+# The global setting can be overwritten for individual items using
+# ``item.parent_dirs_create``.
+resources__parent_dirs_create: True
+
+                                                                   # ]]]
+# .. envvar:: resources__parent_dirs_recurse [[[
+#
+# Recursively set the specified file attributes of parent directories when
+# creating them.
+# The global setting can be overwritten for individual items using
+# ``item.parent_dirs_recurse``.
+resources__parent_dirs_recurse: True
+
+                                                                   # ]]]
+# .. envvar:: resources__parent_dirs_owner [[[
+#
+# Unix system user who owns the parent directory.
+# See also :envvar:`resources__parent_dirs_recurse`.
+# The global setting can be overwritten for individual items using
+# ``item.parent_dirs_owner``.
+resources__parent_dirs_owner: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: resources__parent_dirs_group [[[
+#
+# Unix system group of the parent directory.
+# See also :envvar:`resources__parent_dirs_recurse`.
+# The global setting can be overwritten for individual items using
+# ``item.parent_dirs_group``.
+resources__parent_dirs_group: '{{ omit }}'
+
+                                                                   # ]]]
+# .. envvar:: resources__parent_dirs_mode [[[
+#
+# Unix permissions of the parent directory.
+# See also :envvar:`resources__parent_dirs_recurse`.
+# The global setting can be overwritten for individual items using
+# ``item.parent_dirs_mode``.
+resources__parent_dirs_mode: '{{ omit }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom templates [[[
+# ---------------------------
+
+# These variables define how the role will manage custom templates on remote
+# hosts. See :ref:`resources__ref_templates` for more details.
+
+# .. envvar:: resources__templates [[[
+#
+# Directory which contains templates that should be generated on all hosts in
+# the Ansible inventory.
+resources__templates: [ '{{ resources__src + "templates/by-group/all" }}' ]
+
+                                                                   # ]]]
+# .. envvar:: resources__group_templates [[[
+#
+# List of paths containing the directories of all the groups the current host is in, based on the content of ``group_names``.
+# See `Ansible - Playbooks Variables <https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#accessing-information-about-other-hosts-with-magic-variables>`_.
+#
+# For example if the host ``debian1`` is member of ``group-name1`` and ``group-name2``
+# `debops.resources` will then search all template files inside the directories placed here: :file:`ansible/resources/templates/by-group/`.
+# Resulting in: ``[ "ansible/resources/templates/by-group/group-name1", "ansible/resources/templates/by-group/group-name2" ]``.
+#
+# Read the documentation about :ref:`resources__ref_templates` for more details on templating with `debops.resources`.
+resources__group_templates: '{{ group_names | map("regex_replace", "^(.*)$", resources__src + "templates/by-group/\1") | list }}'
+
+                                                                   # ]]]
+# .. envvar:: resources__host_templates [[[
+#
+# Directory which contains templates that should be generated on specific hosts
+# in the Ansible inventory.
+resources__host_templates: [ '{{ resources__src + "templates/by-host/" + inventory_hostname }}' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom paths [[[
+# -----------------------
+
+# These lists allow you to manage file and directory paths on remote hosts
+# using `Ansible ansible.builtin.file module`_. By default role treats specified
+# paths as directory names which should be present on the remote host. You can
+# use all parameters supported by the `Ansible ansible.builtin.file module`_.
+#
+# See :ref:`resources__ref_paths` for more details.
+
+# .. envvar:: resources__paths [[[
+#
+# Paths managed on all hosts in Ansible inventory.
+resources__paths: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_paths [[[
+#
+# Paths managed on hosts in a specific group in Ansible inventory.
+resources__group_paths: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_paths [[[
+#
+# Paths managed on specific hosts in Ansible inventory.
+resources__host_paths: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage git repositories [[[
+# ---------------------------
+
+# These lists allow you to manage :command:`git` repositories on remote hosts
+# using the `Ansible ansible.builtin.git module`_. See
+# :ref:`resources__ref_repositories` for more details.
+
+# .. envvar:: resources__repositories [[[
+#
+# Manage :command:`git` repositories on all hosts in the Ansible inventory.
+resources__repositories: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_repositories [[[
+#
+# Manage :command:`git` repositories on hosts in a specific Ansible inventory
+# group.
+resources__group_repositories: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_repositories [[[
+#
+# Manage :command:`git` repositories on specific hosts in the Ansible
+# inventory.
+resources__host_repositories: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom remote resources [[[
+# ----------------------------------
+
+# These lists allow you to specify remote resources to download to the hosts
+# using the `Ansible ansible.builtin.get_url module`. You can download files
+# over HTTP, HTTPS, FTP and use all options supported by this module.
+#
+# See :ref:`resources__ref_urls` for more details.
+
+# .. envvar:: resources__urls [[[
+#
+# Manage online resources on all hosts in Ansible inventory.
+resources__urls: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_urls [[[
+#
+# Manage online resources on hosts in a specific group in Ansible inventory.
+resources__group_urls: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_urls [[[
+#
+# Manage online resources on specific hosts in Ansible inventory.
+resources__host_urls: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom archives [[[
+# --------------------------
+
+# These lists allow you to unpack archives stored on Ansible Controller to
+# remote hosts using the `Ansible ansible.builtin.unarchive module`_. You can
+# use all of the parameters supported by this module.
+#
+# See :ref:`resources__ref_archives` for more details.
+
+# .. envvar:: resources__archives [[[
+#
+# Manage archives on all hosts in Ansible inventory.
+resources__archives: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_archives [[[
+#
+# Manage archives on hosts in specific group in Ansible inventory.
+resources__group_archives: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_archives [[[
+#
+# Manage archives on specific hosts in Ansible inventory.
+resources__host_archives: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom files [[[
+# -----------------------
+
+# These lists allow you to manage file contents on remote hosts, either by
+# copying files from the Ansible Controller, or providing the contents directly in
+# Ansible inventory. You can use all parameters supported by the
+# `Ansible ansible.builtin.copy module`_.
+#
+# See :ref:`resources__ref_files` for more details.
+
+# .. envvar:: resources__files [[[
+#
+# Manage file contents on all hosts in Ansible inventory.
+resources__files: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_files [[[
+#
+# Manage file contents on hosts in a specific group in Ansible inventory.
+resources__group_files: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_files [[[
+#
+# Manage file contents on specific hosts in Ansible inventory.
+resources__host_files: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage pip and virtual environments [[[
+# ---------------------------------------
+
+# These lists allow you to manage Python library dependencies. See
+# :ref:`resources__ref_pip` documentation for more details.
+
+# .. envvar:: resources__pip [[[
+#
+# Manage Python library dependencies on all hosts in Ansible inventory.
+resources__pip: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_pip [[[
+#
+# Manage Python library dependencies on hosts in a specific group in Ansible inventory.
+resources__group_pip: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_pip [[[
+#
+# Manage Python library dependencies on specific hosts in Ansible inventory.
+resources__host_pip: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage file capabilities [[[
+# ----------------------------
+
+# These lists allow you to manipulate file privileges using the Linux
+# :manpage:`capabilities(7)` system.
+# You can use all parameters supported by the
+# `Ansible community.general.capabilities module`_.
+#
+# See :ref:`resources__ref_capabilities` for more details.
+
+# .. envvar:: resources__file_capabilities [[[
+#
+# Manage file capabilities on all hosts in Ansible inventory.
+resources__file_capabilities: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_file_capabilities [[[
+#
+# Manage file capabilities on hosts in a specific group in Ansible inventory.
+resources__group_file_capabilities: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_file_capabilities [[[
+#
+# Manage file capabilities on specific hosts in Ansible inventory.
+resources__host_file_capabilities: []
+                                                                   # ]]]
+# .. envvar:: resources__combined_file_capabilities [[[
+#
+# Variable which combines all other file capabilities variables and is used in
+# the role tasks.
+resources__combined_file_capabilities: '{{ resources__file_capabilities
+                                           + resources__group_file_capabilities
+                                           + resources__host_file_capabilities }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Manage custom delayed paths [[[
+# -------------------------------
+
+# These lists allow you to manage file and directory paths on remote hosts
+# using the `Ansible ansible.builtin.file module`_.
+# The lists can be used exactly the same as
+# :regexp:`resources__(?:group_|host_)?paths` from the `Manage custom paths`_ section.
+# The only difference is that the custom delayed paths are handled after all
+# non delayed resources.
+# This allows to create symbolic links to files provided by
+# :regexp:`resources__(?:group_|host_)?files` for example.
+#
+# See :ref:`resources__ref_paths` for more details.
+
+# .. envvar:: resources__delayed_paths [[[
+#
+# Paths managed on all hosts in Ansible inventory.
+resources__delayed_paths: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_delayed_paths [[[
+#
+# Paths managed on hosts in a specific group in Ansible inventory.
+resources__group_delayed_paths: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_delayed_paths [[[
+#
+# Paths managed on specific hosts in Ansible inventory.
+resources__host_delayed_paths: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom shell commands [[[
+# -------------------------
+
+# The variables below let you define shell commands (or even small shell
+# scripts) to execute on the remote hosts as the ``root`` UNIX account. You
+# need to ensure idempotency by yourself. This is not a replacement for
+# a normal Ansible role.
+#
+# See :ref:`resources__ref_commands` for more details.
+
+# .. envvar:: resources__commands [[[
+#
+# List of shell commands which should be executed on all hosts in the Ansible
+# inventory.
+resources__commands: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_commands [[[
+#
+# List of shell commands which should be executed on hosts in a specific
+# Ansible inventory group.
+resources__group_commands: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_commands [[[
+#
+# List of shell commands which should be executed on specific hosts in the
+# Ansible inventory.
+resources__host_commands: []
+
+                                                                   # ]]]
+# .. envvar:: resources__combined_commands [[[
+#
+# Variable which combines all other shell command variables and is used in the
+# role tasks.
+resources__combined_commands: '{{ resources__commands
+                                  + resources__group_commands
+                                  + resources__host_commands }}'
+                                                                   # ]]]
+# String replacement management [[[
+# ---------------------------------
+
+# The variables below let you define string replacement in files.
+
+# .. envvar:: resources__replacements [[[
+#
+# List of replacements which should be executed on all hosts in the
+# Ansible inventory.
+resources__replacements: []
+
+                                                                   # ]]]
+# .. envvar:: resources__group_replacements [[[
+#
+# List of replacements which should be executed on hosts in a
+# specific Ansible inventory group.
+resources__group_replacements: []
+
+                                                                   # ]]]
+# .. envvar:: resources__host_replacements [[[
+#
+# List of replacements which should be executed on specific hosts
+# in the Ansible inventory.
+resources__host_replacements: []
+
+                                                                   # ]]]
+# .. envvar:: resources__combined_replacements[[[
+#
+# Variable which combines all other line replacements variables and
+# is used in the role tasks.
+resources__combined_replacements: '{{ resources__replacements
+                                      + resources__group_replacements
+                                      + resources__host_replacements }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/resources/meta/main.yml b/ansible_collections/debops/debops/roles/resources/meta/main.yml
new file mode 100644
index 00000000..cfc9221d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage custom file resources through Ansible inventory'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - files
+    - directories
+    - urls
+    - paths
+    - archives
+    - repositories
diff --git a/ansible_collections/debops/debops/roles/resources/tasks/main.yml b/ansible_collections/debops/debops/roles/resources/tasks/main.yml
new file mode 100644
index 00000000..65a4dab5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/tasks/main.yml
@@ -0,0 +1,370 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# DebOps pre-hook [[[1
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "resources/pre_main.yml") }}'
+
+# Manage git repositories [[[1
+- name: Manage git repositories
+  ansible.builtin.git:
+    repo:             '{{ item.repo | d(item.url | d(item.src)) }}'
+    dest:             '{{ item.dest | d(item.name | d(item.path)) }}'
+    accept_hostkey:   '{{ item.accept_hostkey | d(omit) }}'
+    bare:             '{{ item.bare | d(omit) }}'
+    clone:            '{{ item.clone | d(omit) }}'
+    depth:            '{{ item.depth | d(omit) }}'
+    executable:       '{{ item.executable | d(omit) }}'
+    force:            '{{ item.force | d(omit) }}'
+    key_file:         '{{ item.key_file | d(omit) }}'
+    recursive:        '{{ item.recursive | d(omit) }}'
+    reference:        '{{ item.reference | d(omit) }}'
+    refspec:          '{{ item.refspec | d(omit) }}'
+    remote:           '{{ item.remote | d(omit) }}'
+    ssh_opts:         '{{ item.ssh_opts | d(omit) }}'
+    track_submodules: '{{ item.track_submodules | d(omit) }}'
+    umask:            '{{ item.umask | d(omit) }}'
+    update:           '{{ item["_update"] | d(omit) }}'
+    verify_commit:    '{{ item.verify_commit | d(omit) }}'
+    version:          '{{ item.version | d(omit) }}'
+  become: True
+  become_user:        '{{ item.owner | d("root") }}'
+  loop: '{{ q("flattened", resources__repositories
+                           + resources__group_repositories
+                           + resources__host_repositories) }}'
+  when: (resources__enabled | bool and (item.repo | d() or item.url | d() or item.src | d()) and
+         (item.dest | d() or item.name | d() or item.path | d()))
+  tags: [ 'role::resources:repositories' ]
+
+# Manage custom templates [[[1
+- name: Ensure that template directories exist
+  ansible.builtin.file:
+    path: '/{{ item.path }}'
+    mode: '{{ item.mode }}'
+    state: 'directory'
+  with_community.general.filetree: '{{ (resources__host_templates
+                                        + resources__group_templates
+                                        + resources__templates) | flatten }}'
+  when: item.state == 'directory'
+
+- name: Generate custom templates
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '/{{ item.path }}'
+    mode: '{{ item.mode }}'
+  with_community.general.filetree: '{{ (resources__host_templates
+                                        + resources__group_templates
+                                        + resources__templates) | flatten }}'
+  when: item.state == 'file'
+
+- name: Recreate custom symlinks
+  ansible.builtin.file:
+    src: '{{ item.src }}'
+    dest: '/{{ item.path }}'
+    mode: '{{ item.mode }}'
+    state: 'link'
+    force: True
+  with_community.general.filetree: '{{ (resources__host_templates
+                                        + resources__group_templates
+                                        + resources__templates) | flatten }}'
+  when: item.state == 'link'
+
+# Manage custom paths [[[1
+- name: Manage paths on remote hosts
+  ansible.builtin.file:
+    path:    '{{ (item.path | d(item.dest | d(item.name))) | d(item) }}'
+    state:   '{{ item.state | d("directory") }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(omit) }}'
+    mode:    '{{ item.mode | d(omit) }}'
+    selevel: '{{ item.selevel | d(omit) }}'
+    serole:  '{{ item.serole | d(omit) }}'
+    setype:  '{{ item.setype | d(omit) }}'
+    seuser:  '{{ item.seuser | d(omit) }}'
+    follow:  '{{ item.follow | d(omit) }}'
+    force:   '{{ item.force | d(omit) }}'
+    src:     '{{ item.src | d(omit) }}'
+    recurse: '{{ item.recurse | d(omit) }}'
+    attributes:               '{{ item.attributes | d(omit) }}'
+    access_time:              '{{ item.access_time | d(omit) }}'
+    access_time_format:       '{{ item.access_time_format | d(resources__time_format) }}'
+    modification_time:        '{{ item.modification_time | d(omit) }}'
+    modification_time_format: '{{ item.modification_time_format | d(resources__time_format) }}'
+  loop: '{{ q("flattened", resources__paths
+                           + resources__group_paths
+                           + resources__host_paths) }}'
+  when: (resources__enabled | bool and
+         ((item.path | d() or item.dest | d() or item.name | d()) or item))
+  tags: [ 'role::resources:paths' ]
+
+# Create parent directories [[[1
+- name: Ensure that parent directories exist
+  ansible.builtin.file:
+    path:    '{{ (item.dest | d(item.name | d(item.path))) | dirname }}'
+    state:   'directory'
+    recurse: '{{ item.parent_dirs_recurse | d(resources__parent_dirs_recurse) }}'
+    owner:   '{{ item.parent_dirs_owner | d(resources__parent_dirs_owner) }}'
+    group:   '{{ item.parent_dirs_group | d(resources__parent_dirs_group) }}'
+    mode:    '{{ item.parent_dirs_mode | d(resources__parent_dirs_mode) }}'
+  when: (resources__enabled | bool and
+         (item.parent_dirs_create | d(resources__parent_dirs_create) | bool) and
+         item.state | d("present") != 'absent')
+  loop: '{{ q("flattened", resources__urls
+                           + resources__group_urls
+                           + resources__host_urls
+                           + resources__archives
+                           + resources__group_archives
+                           + resources__host_archives
+                           + resources__files
+                           + resources__group_files
+                           + resources__host_files) }}'
+  tags: [ 'role::resources:urls', 'role::resources:archives', 'role::resources:files' ]
+
+# Manage custom remote resources [[[1
+- name: Download online resources to remote hosts
+  ansible.builtin.get_url:  # noqa args[module]
+    url:              '{{ item.url | d(item.src) }}'
+    dest:             '{{ item.dest | d(item.name | d(item.path)) }}'
+    owner:            '{{ item.owner | d(omit) }}'
+    group:            '{{ item.group | d(omit) }}'
+    mode:             '{{ item.mode | d(omit) }}'
+    checksum:         '{{ item.checksum | d(omit) }}'
+    force:            '{{ item.force | d(omit) }}'
+    force_basic_auth: '{{ item.force_basic_auth | d(omit) }}'
+    headers:          '{{ item.headers | d(omit) }}'
+    sha256sum:        '{{ item.sha256sum | d(omit) }}'
+    timeout:          '{{ item.timeout | d(omit) }}'
+    url_password:     '{{ item.url_password | d(omit) }}'
+    url_username:     '{{ item.url_username | d(omit) }}'
+    use_proxy:        '{{ item.use_proxy | d(omit) }}'
+    validate_certs:   '{{ item.validate_certs | d(omit) }}'
+  loop: '{{ q("flattened", resources__urls
+                           + resources__group_urls
+                           + resources__host_urls) }}'
+  when: (resources__enabled | bool and (item.url | d() or item.src | d()) and
+         (item.dest | d() or item.name | d() or item.path | d()))
+  no_log: '{{ debops__no_log | d(True if item.url_password | d() else omit) }}'
+  tags: [ 'role::resources:urls' ]
+
+# Manage custom archives [[[1
+- name: Unpack archives to remote hosts
+  ansible.builtin.unarchive:
+    src:        '{{ item.src }}'
+    dest:       '{{ item.dest | d(item.name | d(item.path)) }}'
+    owner:      '{{ item.owner | d(omit) }}'
+    group:      '{{ item.group | d(omit) }}'
+    mode:       '{{ item.mode | d(omit) }}'
+    selevel:    '{{ item.selevel | d(omit) }}'
+    serole:     '{{ item.serole | d(omit) }}'
+    setype:     '{{ item.setype | d(omit) }}'
+    seuser:     '{{ item.seuser | d(omit) }}'
+    creates:    '{{ item.creates | d(omit) }}'
+    exclude:    '{{ item.exclude | d(omit) }}'
+    keep_newer: '{{ item.keep_newer | d(omit) }}'
+    extra_opts: '{{ item.extra_opts | d(omit) }}'
+    attributes: '{{ item.attributes | d(omit) }}'
+    list_files: '{{ item.list_files | d(omit) }}'
+    remote_src: '{{ item.remote_src | d(omit) }}'
+    unsafe_writes: '{{ item.unsafe_writes | d(omit) }}'
+    validate_certs: '{{ item.validate_certs | d(omit) }}'
+  loop: '{{ q("flattened", resources__archives
+                           + resources__group_archives
+                           + resources__host_archives) }}'
+  when: (resources__enabled | bool and item.src | d() and
+         (item.dest | d() or item.name | d() or item.path | d()))
+  tags: [ 'role::resources:archives' ]
+
+# Manage custom files [[[1
+
+- name: Delete files on remote hosts
+  ansible.builtin.file:
+    path:  '{{ item.dest | d(item.path | d(item.name)) }}'
+    state: 'absent'
+  loop: '{{ q("flattened", resources__files
+                           + resources__group_files
+                           + resources__host_files) }}'
+  when: (resources__enabled | bool and
+         (item.dest | d() or item.path | d() or item.name | d()) and
+         (item.state | d('present') == 'absent'))
+  tags: [ 'role::resources:files' ]
+
+- name: Copy files to remote hosts
+  ansible.builtin.copy:
+    dest:     '{{ item.dest | d(item.path | d(item.name)) }}'
+    src:      '{{ item.src | d(omit) }}'
+    content:  '{{ item.content | d(omit) }}'
+    owner:    '{{ item.owner | d(omit) }}'
+    group:    '{{ item.group | d(omit) }}'
+    mode:     '{{ item.mode | d(omit) }}'
+    selevel:  '{{ item.selevel | d(omit) }}'
+    serole:   '{{ item.serole | d(omit) }}'
+    setype:   '{{ item.setype | d(omit) }}'
+    seuser:   '{{ item.seuser | d(omit) }}'
+    follow:   '{{ item.follow | d(omit) }}'
+    force:    '{{ item.force | d(omit) }}'
+    backup:   '{{ item.backup | d(omit) }}'
+    validate: '{{ item.validate | d(omit) }}'
+    remote_src: '{{ item.remote_src | d(omit) }}'
+    directory_mode: '{{ item.directory_mode | d(omit) }}'
+  loop: '{{ q("flattened", resources__files
+                           + resources__group_files
+                           + resources__host_files) }}'
+  when: (resources__enabled | bool and
+         (item.src | d() or item.content is defined) and
+         (item.dest | d() or item.path | d() or item.name | d()) and
+         (item.state | d('present') != 'absent'))
+  tags: [ 'role::resources:files' ]
+
+- name: Manage virtual environments
+  ansible.builtin.pip:
+    chdir:        '{{ item.chdir | d(omit) }}'
+    editable:     '{{ item.editable | d(omit) }}'
+    executable:   '{{ item.executable | d(omit) }}'
+    extra_args:   '{{ item.extra_args | d(omit) }}'
+    name:         '{{ item.name | d(omit) }}'
+    requirements: '{{ item.requirements | d(omit) }}'
+    state:        '{{ item.state | d(omit) }}'
+    umask:        '{{ item.umask | d(omit) }}'
+    version:      '{{ item.version | d(omit) }}'
+    virtualenv:   '{{ item.virtualenv | d(omit) }}'
+    virtualenv_command: '{{ item.virtualenv_command | d(omit) }}'
+    virtualenv_python: '{{ item.virtualenv_python | d(omit) }}'
+    virtualenv_site_packages: '{{ item.virtualenv_site_packages | d(omit) }}'
+  loop: '{{ q("flattened", resources__pip
+                           + resources__group_pip
+                           + resources__host_pip) }}'
+  become: True
+  become_user: '{{ item.owner | d("root") }}'
+  when: (resources__enabled | bool and
+         (item.name | d() or item.requirements is defined) and
+         (item.state | d('present') != 'absent'))
+  tags: [ 'role::resources:pip' ]
+
+- name: Manage replacements inside files
+  ansible.builtin.replace:
+    dest:          '{{ item.dest | d(item.name | d(item.path)) }}'
+    after:         '{{ item.after | d(omit) }}'
+    attributes:    '{{ item.attributes | d(item.attr | d(omit)) }}'
+    backup:        '{{ item.backup | d(omit) }}'
+    before:        '{{ item.before | d(omit) }}'
+    encoding:      '{{ item.encoding | d(omit) }}'
+    group:         '{{ item.group | d(omit) }}'
+    mode:          '{{ item.mode | d(omit) }}'
+    others:        '{{ item.others | d(omit) }}'
+    owner:         '{{ item.owner | d(omit) }}'
+    regexp:        '{{ item.regexp | d(omit) }}'
+    replace:       '{{ item.replace | d(omit) }}'
+    selevel:       '{{ item.selevel | d(omit) }}'
+    serole:        '{{ item.serole | d(omit) }}'
+    setype:        '{{ item.setype | d(omit) }}'
+    seuser:        '{{ item.seuser | d(omit) }}'
+    unsafe_writes: '{{ item.unsafe_writes | d(omit) }}'
+    validate:      '{{ item.validate | d(omit) }}'
+  loop: '{{ q("flattened", resources__replacements
+                           + resources__group_replacements
+                           + resources__host_replacements) }}'
+  when: (resources__enabled | bool and item.regexp | d() and
+         (item.dest | d() or item.path | d() or item.name | d()))
+  tags: [ 'role::resources:lineinfile' ]
+
+# Manage ACLs [[[1
+- name: Set ACLs on remote hosts
+  ansible.posix.acl:
+    path:        '{{ item.1.path | d(item.0.name) | d(item.0.dest) | d(item.0.path) }}'
+    default:     '{{ item.1.default | d(omit) }}'
+    entity:      '{{ item.1.entity | d(omit) }}'
+    entry:       '{{ item.1.entry | d(omit) }}'
+    etype:       '{{ item.1.etype | d(omit) }}'
+    permissions: '{{ item.1.permissions | d(omit) }}'
+    follow:      '{{ item.1.follow | d(omit) }}'
+    recursive:   '{{ item.1.recursive | d(omit) }}'
+    state:       '{{ item.1.state | d("present") }}'
+  loop: '{{ (lookup("flattened",
+                    resources__paths
+                    + resources__group_paths
+                    + resources__host_paths
+                    + resources__repositories
+                    + resources__group_repositories
+                    + resources__host_repositories
+                    + resources__urls
+                    + resources__group_urls
+                    + resources__host_urls
+                    + resources__archives
+                    + resources__group_archives
+                    + resources__host_archives
+                    + resources__files
+                    + resources__group_files
+                    + resources__host_files,
+                    wantlist=True))
+             | selectattr("acl", "defined") | list
+             | subelements("acl") }}'
+  loop_control:
+    label: '{{ {"name": (item.0.name | d(item.0.dest) | d(item.0.path)),
+                "acl": item.1} }}'
+  when: item.0.state | d('present') != 'absent'
+  tags: [ 'role::resources:acl' ]
+
+# Manage custom delayed paths [[[1
+- name: Manage delayed paths on remote hosts
+  ansible.builtin.file:
+    path:    '{{ (item.path | d(item.dest | d(item.name))) | d(item) }}'
+    state:   '{{ item.state | d("directory") }}'
+    owner:   '{{ item.owner | d(omit) }}'
+    group:   '{{ item.group | d(omit) }}'
+    mode:    '{{ item.mode | d(omit) }}'
+    selevel: '{{ item.selevel | d(omit) }}'
+    serole:  '{{ item.serole | d(omit) }}'
+    setype:  '{{ item.setype | d(omit) }}'
+    seuser:  '{{ item.seuser | d(omit) }}'
+    follow:  '{{ item.follow | d(omit) }}'
+    force:   '{{ item.force | d(omit) }}'
+    src:     '{{ item.src | d(omit) }}'
+    recurse: '{{ item.recurse | d(omit) }}'
+    attributes:               '{{ item.attributes | d(omit) }}'
+    access_time:              '{{ item.access_time | d(omit) }}'
+    access_time_format:       '{{ item.access_time_format | d(resources__time_format) }}'
+    modification_time:        '{{ item.modification_time | d(omit) }}'
+    modification_time_format: '{{ item.modification_time_format | d(resources__time_format) }}'
+  loop: '{{ q("flattened", resources__delayed_paths
+                           + resources__group_delayed_paths
+                           + resources__host_delayed_paths) }}'
+  when: (resources__enabled | bool and
+         ((item.path | d() or item.dest | d() or item.name | d()) or item))
+  tags: [ 'role::resources:paths' ]
+
+- name: Set custom file capabilities
+  community.general.capabilities:
+    path:       '{{ item.path | d(item.name) }}'
+    capability: '{{ item.capability }}'
+    state:      '{{ item.state | d("present") }}'
+  loop: '{{ q("flattened", resources__combined_file_capabilities) }}'
+  when: resources__enabled | bool
+  tags: [ 'role::resources:capabilities' ]
+
+# Execute custom shell commands [[[1
+# This is not an alternative to a fully-fledged Ansible role.
+- name: Execute shell commands
+  ansible.builtin.include_tasks: 'shell_commands.yml'
+  loop: '{{ q("flattened", resources__combined_commands) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name} }}'
+  when: resources__enabled | bool and
+        item.name | d() and item.state | d('present') not in [ 'absent', 'ignore' ]
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+  tags: [ 'role::resources:commands' ]
+
+# DebOps post-hook [[[1
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "resources/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/resources/tasks/resources/post_main.yml b/ansible_collections/debops/debops/roles/resources/tasks/resources/post_main.yml
new file mode 100644
index 00000000..74fa4e57
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/tasks/resources/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/resources/tasks/resources/pre_main.yml b/ansible_collections/debops/debops/roles/resources/tasks/resources/pre_main.yml
new file mode 100644
index 00000000..74fa4e57
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/tasks/resources/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/resources/tasks/shell_commands.yml b/ansible_collections/debops/debops/roles/resources/tasks/shell_commands.yml
new file mode 100644
index 00000000..16f44c6e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/resources/tasks/shell_commands.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  ansible.builtin.shell: '{{ item.script | d(item.shell | d(item.command)) }}'  # noqa command-instead-of-shell
+  args:
+    chdir:      '{{ item.chdir | d(omit) }}'
+    creates:    '{{ item.creates | d(omit) }}'
+    removes:    '{{ item.removes | d(omit) }}'
+    executable: '{{ item.executable | d("bash") }}'
+  when: item.name | d() and item.state not in ['absent', 'ignore']
+  no_log: '{{ debops__no_log | d(item.no_log) | d(False) }}'
+  tags: [ 'role::resources:commands' ]
diff --git a/ansible_collections/debops/debops/roles/root_account/COPYRIGHT b/ansible_collections/debops/debops/roles/root_account/COPYRIGHT
new file mode 100644
index 00000000..b268da96
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.root_account - Manage the host's root account
+
+Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/root_account/defaults/main.yml b/ansible_collections/debops/debops/roles/root_account/defaults/main.yml
new file mode 100644
index 00000000..8b11bf6a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/defaults/main.yml
@@ -0,0 +1,265 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _root_account__ref_defaults:
+
+# debops.root_account default variables [[[
+# =========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: root_account__enabled [[[
+#
+# Whether to manage the root account.
+root_account__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: root_account__shell_package_map [[[
+#
+# YAML dictionary that maps known shells used in the :file:`/etc/passwd`
+# database to the APT packages with these shells. The role will install missing
+# shell packages if the ``root`` account uses them as their login shell.
+root_account__shell_package_map:
+  '/bin/bash':     'bash'
+  '/bin/csh':      'csh'
+  '/usr/bin/fish': 'fish'
+  '/bin/ksh':      'ksh'
+  '/bin/zsh':      'zsh'
+
+                                                                   # ]]]
+# .. envvar:: root_account__base_packages [[[
+#
+# List of APT packages required by the role.
+root_account__base_packages: [ 'openssh-client' ]
+
+                                                                   # ]]]
+# .. envvar:: root_account__shell_packages [[[
+#
+# List of login shell APT packages expected on the host.
+root_account__shell_packages: '{{ lookup("template", "lookup/root_account__shell_packages.j2") | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__packages [[[
+#
+# List of additional APT packages to install for root account support.
+root_account__packages: []
+
+                                                                   # ]]]
+# .. envvar:: root_account__password [[[
+#
+# Password set on root account, saved in secrets
+root_account__password: '{{ lookup("password", secret
+                            + "/credentials/" + inventory_hostname
+                            + "/root_account/password encrypt=sha512_crypt length="
+                            + root_account__password_length | string) }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__password_length [[[
+#
+# Length of the root password.
+root_account__password_length: '32'
+
+                                                                   # ]]]
+# .. envvar:: root_account__password_update [[[
+#
+# This variable controls if the role should update the ``root`` account
+# password on each run. By default it will be updated only the first time the
+# role is executed. If you want to update the password on each run, set this
+# variable to ``True``.
+root_account__password_update: '{{ False
+                                   if (ansible_local.root_account.configured | d())
+                                   else True }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__generate_ssh_key [[[
+#
+# Whether to generate a SSH key pair for root.
+root_account__generate_ssh_key: True
+
+                                                                   # ]]]
+# .. envvar:: root_account__ssh_key_type [[[
+#
+# Specify the SSH private key type to use. By default role will generate
+# ED25519 keys if they are supported by the remote host, otherwise RSA keys
+# will be generated.
+root_account__ssh_key_type: '{{ "ed25519"
+                                if ("ssh-ed25519" in root_account__register_key_types.stdout_lines)
+                                else "rsa" }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__ssh_key_file [[[
+#
+# Absolute path to the SSH private key to manage.
+root_account__ssh_key_file: '/root/.ssh/id_{{ root_account__ssh_key_type }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__ssh_key_comment [[[
+#
+# Custom comment added to the generated SSH public key.
+root_account__ssh_key_comment: 'root@{{ ansible_hostname }} generated by Ansible'
+
+                                                                   # ]]]
+# .. envvar:: root_account__ssh_key_bits [[[
+#
+# Specifies the number of bits in the key to create, only relevant for RSA
+# keys.
+root_account__ssh_key_bits: '4096'
+
+                                                                   # ]]]
+# .. envvar:: root_account__group [[[
+#
+# Define the primary UNIX system group of the ``root`` UNIX account. The
+# primary ``root`` group might be different on other operating systems, for
+# example FreeBSD.
+root_account__group: '{{ "wheel"
+                         if (ansible_distribution in ["FreeBSD"])
+                         else "root" }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__shell [[[
+#
+# Default root shell, set to empty string to not change the shell.
+root_account__shell: ''
+
+                                                                   # ]]]
+                                                                   # ]]]
+# The root dotfiles [[[
+# ---------------------
+
+# The dotfiles of the ``root`` account are managed using the :command:`yadm`
+# script, installed by the :ref:`debops.yadm` role.
+
+# .. envvar:: root_account__dotfiles_enabled [[[
+#
+# Enable or disable dotfiles management, depending on the availability of the
+# dotfiles repository installed by the :ref:`debops.yadm` role.
+root_account__dotfiles_enabled: '{{ True
+                                    if ansible_local.yadm.dotfiles | d()
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__dotfiles_repo [[[
+#
+# An URL or an absolute directory to the :command:`git` repository that
+# contains dotfiles for the ``root`` account.
+root_account__dotfiles_repo: '{{ ansible_local.yadm.dotfiles | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Authorized SSH keys [[[
+# -----------------------
+
+# .. envvar:: root_account__authorized_keys [[[
+#
+# List of public SSH keys which will be added to the
+# :file:`/root/.ssh/authorized_keys` file on all hosts in the Ansible
+# inventory.
+root_account__authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: root_account__group_authorized_keys [[[
+#
+# List of public SSH keys which will be added to the
+# :file:`/root/.ssh/authorized_keys` file on hosts in a specific Ansible
+# inventory group.
+root_account__group_authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: root_account__host_authorized_keys [[[
+#
+# List of public SSH keys which will be added to the
+# :file:`/root/.ssh/authorized_keys` file on specific hosts in the Ansible
+# inventory.
+root_account__host_authorized_keys: []
+
+                                                                   # ]]]
+# .. envvar:: root_account__combined_authorized_keys [[[
+#
+# This variable combines all root_account__*authorized_keys variables
+# together and is used in the role tasks and templates.
+root_account__combined_authorized_keys: '{{ root_account__authorized_keys
+                                            + root_account__group_authorized_keys
+                                            + root_account__host_authorized_keys }}'
+
+                                                                   # ]]]
+# .. envvar:: root_account__authorized_keys_exclusive [[[
+#
+# If ``True``, only the public SSH keys defined in the above variable will be
+# present on the ``root`` account, all other keys will be removed.
+#
+# If ``False``, the public SSH keys defined in the above variable will be added
+# to the existing keys on the ``root`` account.
+root_account__authorized_keys_exclusive: False
+
+                                                                   # ]]]
+# .. envvar:: root_account__authorized_keys_follow [[[
+#
+# If ``True``, follow symlinks instead of replacing the file.
+root_account__authorized_keys_follow: False
+
+                                                                   # ]]]
+# .. envvar:: root_account__authorized_keys_state [[[
+#
+# If ``present``, the role will manage the :file:`/root/.ssh/authorized_keys`
+# file and add any public SSH keys to the ``root`` account. If ``absent``, the
+# :file:`/root/.ssh/authorized_keys` file will be removed.
+root_account__authorized_keys_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Subordinate UID/GID ranges [[[
+# ------------------------------
+
+# .. envvar:: root_accout__subuid_enabled [[[
+#
+# Enable or disable configuration of subordinate UIDs/GIDs for the ``root``
+# system account.
+root_account__subuid_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: root_account__subuid_start [[[
+#
+# List of subordinate UID/GID numbers which can be remapped to be the ``root``
+# account in new user namespaces created by the system ``root`` account.
+#
+# Multiple UID/GID ranges are possible, they shouldn't overlap with either
+# normal system UID/GID ranges or other subordinate UID/GID ranges for security
+# reasons. Check the contents of the :file:`/etc/subuid` and
+# :file:`/etc/subgid` files to verify what UID/GID ranges are used on a given
+# host.
+#
+# If the :ref:`debops.ldap` role was applied on the host, the default UID/GID
+# ranges will change to include the ranges used :ref:`in the LDAP directory
+# <ldap__ref_posix>`.
+root_account__subuid_start: [ '{{ (ansible_local.ldap.uid_gid_max | int + 1)
+                                  if (ansible_local | d() and ansible_local.ldap | d() and
+                                      (ansible_local.ldap.uid_gid_max | int > 100000))
+                                  else "100000" }}' ]
+
+                                                                   # ]]]
+# .. envvar:: root_account__subuid_count [[[
+#
+# Specify the number of UIDs/GIDs to reserve for a given subordinate UID/GID
+# range. Remember that using lower UID/GID number than 65535 may cause issues
+# due to some system accounts like ``nobody`` and groups like ``nogroup``
+# having UID and GID numbers at the end of the normal 0-65535 range.
+#
+# If the :ref:`debops.ldap` role was applied on the host, the default UID/GID
+# ranges will change to include the ranges used :ref:`in the LDAP directory
+# <ldap__ref_posix>`.
+root_account__subuid_count: '{{ ansible_local.ldap.uid_gid_max
+                                if (ansible_local | d() and ansible_local.ldap | d() and
+                                    (ansible_local.ldap.uid_gid_max | int > 65536))
+                                else "65535" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/root_account/meta/main.yml b/ansible_collections/debops/debops/roles/root_account/meta/main.yml
new file mode 100644
index 00000000..3b48578d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Fabio Bonelli'
+  description: 'Manage the root account'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/root_account/tasks/main.yml b/ansible_collections/debops/debops/roles/root_account/tasks/main.yml
new file mode 100644
index 00000000..d3e8851b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/tasks/main.yml
@@ -0,0 +1,150 @@
+---
+# Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Ensure that required packages are installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", (root_account__base_packages
+                              + root_account__shell_packages
+                              + root_account__packages)) }}'
+    state: 'present'
+  register: root_account__register_packages
+  until: root_account__register_packages is succeeded
+  when: root_account__enabled | bool
+
+- name: Check available SSH key types
+  ansible.builtin.shell: ssh -Q key 2>/dev/null || echo "ssh-rsa"
+  register: root_account__register_key_types
+  changed_when: False
+  check_mode: False
+  tags: [ 'meta::facts' ]
+
+- name: Check if preferred shell exists
+  ansible.builtin.stat:
+    path: '{{ root_account__shell }}'
+  register: root_account__register_shell
+  when: root_account__enabled | bool and root_account__shell | d(False)
+
+- name: Fail if setting a shell that does not exist
+  ansible.builtin.fail:
+    msg: "Trying to set a shell that does not exist, this can lock you out!"
+  when: root_account__enabled | bool and root_account__shell | d(False) and not root_account__register_shell.stat.exists and
+        not ansible_check_mode
+
+- name: Enforce root system group
+  ansible.builtin.group:
+    name: 'root'
+    gid: '0'
+    system: True
+    state: 'present'
+  when: root_account__enabled | bool
+
+- name: Enforce root system account
+  ansible.builtin.user:
+    name: 'root'
+    state: 'present'
+    home: '/root'
+    uid: '0'
+    groups: ''
+    append: False
+    system: True
+    group:            '{{ root_account__group }}'
+    generate_ssh_key: '{{ root_account__generate_ssh_key | bool }}'
+    ssh_key_bits:     '{{ root_account__ssh_key_bits }}'
+    ssh_key_type:     '{{ root_account__ssh_key_type }}'
+    ssh_key_file:     '{{ root_account__ssh_key_file }}'
+    ssh_key_comment:  '{{ root_account__ssh_key_comment }}'
+    update_password:  '{{ "always" if root_account__password_update | bool else "on_create" }}'
+    password:         '{{ root_account__password if root_account__password else omit }}'
+    shell:            '{{ root_account__shell if root_account__shell else omit }}'
+  when: root_account__enabled | bool
+  # Note: using the override variable might not work here correctly when
+  # 'passlib' Python module is not installed on the Ansible Controller.
+  # The task will show up as hidden even when the 'debops__no_log=false' is used.
+  no_log: '{{ (debops__no_log | d(True)) if root_account__password else False }}'
+
+- name: Enforce root home permissions
+  ansible.builtin.file:
+    path: '/root'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0700'
+  when: root_account__enabled | bool
+
+- name: Configure authorized SSH keys for root account
+  ansible.posix.authorized_key:
+    key: "{{ q('flattened', root_account__combined_authorized_keys)
+              | join('\n') }}"
+    exclusive: '{{ root_account__authorized_keys_exclusive | bool }}'
+    state: 'present'
+    user: 'root'
+    follow: '{{ root_account__authorized_keys_follow | bool }}'
+  when: root_account__enabled | bool and root_account__authorized_keys_state != 'absent'
+
+- name: Remove /root/.ssh/authorized_keys file if requested
+  ansible.builtin.file:
+    path: '/root/.ssh/authorized_keys'
+    state: 'absent'
+  when: root_account__enabled | bool and root_account__authorized_keys_state == 'absent'
+
+- name: Check subuid presence for root account
+  ansible.builtin.shell: grep -E '^root:' /etc/subuid || true
+  register: root_account__register_subuid
+  check_mode: False
+  changed_when: False
+  when: root_account__enabled | bool and root_account__subuid_enabled | bool
+
+- name: Add subuids and subgids for root account
+  ansible.builtin.command: usermod --add-subuids {{ (item | string + "-" + (item | int + root_account__subuid_count | int) | string) }}
+                   --add-subgids {{ (item | string + "-" + (item | int + root_account__subuid_count | int) | string) }} root
+  with_items: '{{ root_account__subuid_start }}'
+  register: root_account__register_usermod
+  changed_when: root_account__register_usermod.changed | bool
+  when: root_account__enabled | bool and root_account__subuid_enabled | bool and
+        not root_account__register_subuid.stdout | d()
+
+- name: Manage root dotfiles
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    if ! yadm status > /dev/null ; then
+        yadm clone --bootstrap "{{ root_account__dotfiles_repo }}"
+    else
+        yadm pull
+    fi
+  register: root_account__register_dotfiles
+  changed_when: ('Already up to date.' not in root_account__register_dotfiles.stdout_lines | regex_replace('-', ' '))
+  when: ((ansible_local | d() and ansible_local.yadm | d() and (ansible_local.yadm.installed | d()) | bool) and
+         root_account__dotfiles_enabled | bool)
+  check_mode: False
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Setup root account local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/root_account.fact.j2'
+    dest: '/etc/ansible/facts.d/root_account.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/root_account/templates/etc/ansible/facts.d/root_account.fact.j2 b/ansible_collections/debops/debops/roles/root_account/templates/etc/ansible/facts.d/root_account.fact.j2
new file mode 100644
index 00000000..d54e05bc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/templates/etc/ansible/facts.d/root_account.fact.j2
@@ -0,0 +1,69 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+from operator import itemgetter
+import os
+
+# Workaround for Jinja template in a Python script
+"""
+{% set root_account__tpl_facts = {
+  "configured": True,
+  "ssh_authorized_keys": False,
+  "ssh_key": (root_account__generate_ssh_key | bool),
+  "ssh_key_type": root_account__ssh_key_type,
+  "ssh_key_file": (root_account__ssh_key_file + '.pub')
+} %}
+"""
+
+output = loads('''{{ root_account__tpl_facts | to_nice_json }}''')
+
+if (os.path.isfile('/root/.ssh/authorized_keys')
+        and os.stat('/root/.ssh/authorized_keys').st_size > 0):
+    output['ssh_authorized_keys'] = True
+
+if output['ssh_key']:
+
+    if os.path.isfile(output['ssh_key_file']):
+        try:
+            fh = open(output['ssh_key_file'])
+            for line in fh:
+                output.update({"ssh_public_key": line})
+            fh.close()
+
+        except Exception:
+            pass
+
+if os.path.exists('/etc/subuid') and os.path.isfile('/etc/subuid'):
+    try:
+        subuid_list = []
+        subgid_list = []
+        with open('/etc/subuid', 'r') as f:
+            for line in f:
+                if line.startswith('root:'):
+                    parts = line.strip().split(':')
+                    subuid_list.append({'start': parts[1],
+                                        'count': parts[2]})
+        with open('/etc/subgid', 'r') as f:
+            for line in f:
+                if line.startswith('root:'):
+                    parts = line.strip().split(':')
+                    subgid_list.append({'start': parts[1],
+                                        'count': parts[2]})
+            output.update({'subuids': sorted(subuid_list,
+                                             key=itemgetter('start'))})
+            output.update({'subgids': sorted(subgid_list,
+                                             key=itemgetter('start'))})
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/root_account/templates/lookup/root_account__shell_packages.j2 b/ansible_collections/debops/debops/roles/root_account/templates/lookup/root_account__shell_packages.j2
new file mode 100644
index 00000000..7656804a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/root_account/templates/lookup/root_account__shell_packages.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Fabio Bonelli <fb@fabiobonelli.it>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set root_account__tpl_shells = [] %}
+{% if root_account__shell | d() %}
+{%   if root_account__shell in root_account__shell_package_map.keys() %}
+{%     set _ = root_account__tpl_shells.append(root_account__shell_package_map[root_account__shell]) %}
+{%   endif %}
+{% endif %}
+{{ root_account__tpl_shells | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/roundcube/COPYRIGHT b/ansible_collections/debops/debops/roles/roundcube/COPYRIGHT
new file mode 100644
index 00000000..81aae192
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/COPYRIGHT
@@ -0,0 +1,17 @@
+debops.roundcube - Manage Roundcube Web mail with Ansible
+
+Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+Copyright (C) 2016-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/roundcube/defaults/main.yml b/ansible_collections/debops/debops/roles/roundcube/defaults/main.yml
new file mode 100644
index 00000000..19da123c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/defaults/main.yml
@@ -0,0 +1,4655 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# .. Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _roundcube__ref_defaults:
+
+# debops.roundcube default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: roundcube__required_php_packages [[[
+#
+# List of PHP packages required by Roundcube.
+# Refer to the `official Roundcube documentation <https://github.com/roundcube/roundcubemail/wiki/Install-Requirements>`__ for details.
+roundcube__required_php_packages:
+  - 'iconv'
+  - 'openssl'
+  - 'session'
+  - 'sockets'
+  - 'xml'
+  # Included in the xml package
+  #- 'dom'
+  - 'mbstring'
+  - 'json'
+  - 'intl'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__optional_php_packages [[[
+#
+# List of recommended/optional PHP packages for Roundcube.
+# Refer to the `official Roundcube documentation <https://github.com/roundcube/roundcubemail/wiki/Install-Requirements>`__ for details.
+roundcube__optional_php_packages:
+  - '{{ "ldap" if roundcube__ldap_enabled | bool else [] }}'
+  - '{{ "memcached" if roundcube__memcached_enabled | bool else [] }}'
+  - '{{ "redis" if roundcube__redis_enabled | bool else [] }}'
+  - 'fileinfo'
+  - 'enchant'
+  - 'zip'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__custom_php_packages [[[
+#
+# List of user defined PHP packages for Roundcube.
+roundcube__custom_php_packages: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__base_php_packages [[[
+#
+# List of base PHP packages required by Roundcube.
+roundcube__base_php_packages:
+  - '{{ roundcube__required_php_packages }}'
+  - '{{ roundcube__apt_php_packages }}'
+  - '{{ roundcube__optional_php_packages }}'
+  - '{{ ["mysql"] if (roundcube__database_map[roundcube__database].dbtype == "mysql") else [] }}'
+  - '{{ ["pgsql"] if (roundcube__database_map[roundcube__database].dbtype == "postgresql") else [] }}'
+  - '{{ ["sqlite3"] if (roundcube__database_map[roundcube__database].dbtype == "sqlite") else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__apt_php_packages [[[
+#
+# PHP packages which are installed via APT repository if they are available
+# in a sufficiently new version in the current distribution. The required
+# minimal versions are taken from the file:`composer.json.dist` of the Roundcube
+# 1.3.0 release. If you install an older version of Roundcube you may want
+# to adjust this list.
+roundcube__apt_php_packages: '{{ ["mail-mime", "net-smtp", "pear"]
+                                 if ansible_distribution_release in ["stretch", "buster", "sid", "xenial", "yakkety", "zesty", "artful"]
+                                 else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__packages [[[
+#
+# List of additional APT packages (e. g. language dictionaries) that should
+# be installed with Roundcube.
+roundcube__packages: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__base_packages [[[
+#
+# APT packages required for the Roundcube installation.
+roundcube__base_packages: [ 'curl', 'file', 'unzip', 'aspell', 'aspell-en' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Roundcube user account [[[
+# --------------------------
+
+# .. envvar:: roundcube__user [[[
+#
+# Roundcube system user account.
+roundcube__user: 'roundcube'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__group [[[
+#
+# Roundcube system user group.
+roundcube__group: 'roundcube'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__home [[[
+#
+# Path to the home directory of the Roundcube system account.
+roundcube__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                     + "/" + roundcube__user }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__comment [[[
+#
+# The GECOS string set for the Roundcube account.
+roundcube__comment: 'Roundcube Webmail'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__shell [[[
+#
+# The default shell of the Roundcube account.
+roundcube__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Roundcube source and deployment [[[
+# -----------------------------------
+
+# .. envvar:: roundcube__git_gpg_key [[[
+#
+# The GPG key used to sign Roundcube releases.
+roundcube__git_gpg_key: '4295 5C9D 6F2A CA9D 3E96  D55F 3E54 28D0 262C 54F8'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__git_additional_gpg_keys [[[
+#
+# List of additional GPG keys to add to the Roundcue user account. This might
+# be needed if multiple people/organizations sign :command:`git` commits or
+# tags in the Roundcube repository, or installation from a private repository
+# is used instead of a public one.
+roundcube__git_additional_gpg_keys: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__git_repo [[[
+#
+# Roundcube source repository. You can specify a public or private
+# :command:`git` repository using the ``https://`` protocol.
+# See :ref:`roundcube__ref_private_repo` for more details.
+roundcube__git_repo: 'https://github.com/roundcube/roundcubemail.git'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__git_dir [[[
+#
+# Roundcube source directory on the host.
+roundcube__git_dir: '{{ roundcube__src + "/"
+                        + roundcube__git_repo.split("@"
+                                                    if ("@" in roundcube__git_repo)
+                                                    else "://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__git_version [[[
+#
+# Roundcube release tag to deploy.
+roundcube__git_version: '1.6.0'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__git_dest [[[
+#
+# Default path where Roundcube source files will be deployed.
+roundcube__git_dest: '{{ roundcube__www + "/sites/" + roundcube__user + "/public" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__src [[[
+#
+# Base path for git bare repository with Roundcube source.
+roundcube__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                    + "/" + roundcube__user }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__www [[[
+#
+# Base web root directory for Roundcube website.
+roundcube__www: '{{ ansible_local.nginx.www
+                    if (ansible_local | d() and ansible_local.nginx | d())
+                    else "/srv/www" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__webserver_user [[[
+#
+# Roundcube webserver user (needs read-only access to the website code).
+roundcube__webserver_user: '{{ ansible_local.nginx.user | d("www-data") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: roundcube__database [[[
+#
+# Database definition to use from the :envvar:`roundcube__database_map`.
+roundcube__database: 'sqlite-default'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_user [[[
+#
+# Database user account to use for Roundcube.
+roundcube__database_user: 'roundcube'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_password_path [[[
+#
+# Path to the database password file.
+roundcube__database_password_path: '{{ secret + "/credentials/" + inventory_hostname
+                                       + "/roundcube/" + roundcube__database
+                                       + "/" + roundcube__database_user + "/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_password [[[
+#
+# Database password for the account given in :envvar:`roundcube__database_user`.
+roundcube__database_password: '{{ lookup("password", roundcube__database_password_path + " length=30") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_name [[[
+#
+# Name of the database to use for Roundcube.
+roundcube__database_name: '{{ roundcube__database_user
+                              if roundcube__database == "postgresql-default"
+                              else "roundcubemail" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_map [[[
+#
+# Database connection definitions. Select the database connection to use in
+# :envvar:`roundcube__database`.
+roundcube__database_map:
+
+  sqlite-default:
+    dbtype: 'sqlite'
+    dbname: 'db/roundcube.db'
+
+  mysql-default:
+    dbtype: 'mysql'
+    dbname: '{{ roundcube__database_name }}'
+    dbuser: '{{ roundcube__database_user }}'
+    dbpass: '{{ roundcube__database_password }}'
+    dbhost: 'localhost'
+    dbtableprefix: ''
+
+  postgresql-default:
+    dbtype: 'postgresql'
+    dbname: '{{ roundcube__database_name }}'
+    dbuser: '{{ roundcube__database_user }}'
+    dbpass: '{{ roundcube__database_password }}'
+    dbhost: 'localhost'
+    dbtableprefix: ''
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_schema_map [[[
+#
+# Database type to schema mapping.
+roundcube__database_schema_map:
+  mysql:      '{{ roundcube__git_dest + "/SQL/mysql.initial.sql" }}'
+  postgresql: '{{ roundcube__git_dest + "/SQL/postgres.initial.sql" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__database_schema [[[
+#
+# Initial Roundcube database schema loaded by Ansible.
+roundcube__database_schema: '{{ roundcube__database_schema_map[roundcube__database_map[roundcube__database].dbtype]
+                                if roundcube__database_schema_map[roundcube__database_map[roundcube__database].dbtype] | d()
+                                else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Cache configuration [[[
+# -----------------------
+
+# .. envvar:: roundcube__memcached_enabled [[[
+#
+# Enable or disable support for :command:`memcached` service. It will be
+# enabled automatically if local instance of :command:`memcached` is detected.
+roundcube__memcached_enabled: '{{ True
+                                  if (ansible_local | d() and ansible_local.memcached | d() and
+                                      (ansible_local.memcached.installed | d()) | bool)
+                                  else False }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__memcached_hosts [[[
+#
+# List of the :command:`memcached` instances to use by Roundcube. By default
+# only the local instance will be used, if detected.
+# See :ref:`debops.memcached` for more details.
+roundcube__memcached_hosts: [ 'localhost:11211' ]
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_enabled [[[
+#
+# Enable or disable support for :command:`redis` service. It will be enabled
+# automatically if local instance of :command:`redis` is detected.
+roundcube__redis_enabled: '{{ True
+                              if (ansible_local | d() and ansible_local.redis_server | d() and
+                                  (ansible_local.redis_server.installed | d()) | bool)
+                              else False }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_host [[[
+#
+# The address of the Redis server instance to use. Currently only a single
+# server is supported by Roundcube. By default the Redis instance on the same
+# host will be used, if it's detected via Ansible local facts.
+roundcube__redis_server: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_port [[[
+#
+# The TCP port to use for Redis connections.
+roundcube__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_database [[[
+#
+# The Redis "database" number to use.
+roundcube__redis_database: '1'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_password [[[
+#
+# Specify the password required for authentication to Redis.
+roundcube__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__redis_hosts [[[
+#
+# List of the Redis instances which should be used by Roundcube. Currently only
+# a single instance is supported, but the variable expects a list.
+roundcube__redis_hosts: [ '{{ ([roundcube__redis_server,
+                                roundcube__redis_port,
+                                roundcube__redis_database,
+                                roundcube__redis_password])
+                              | join(":") }}' ]
+
+                                                                   # ]]]
+# .. envvar:: roundcube__session_storage [[[
+#
+# Select the session storage type to use. Currently supported are ``redis`` and
+# ``memcached``. The session storage will be selected automatically by
+# detecting available cache services via Ansible local facts. If the variable
+# is empty, session storage will not be configured and will fall back to
+# the ``db`` storage type.
+roundcube__session_storage: '{{ "redis"
+                                if roundcube__redis_enabled | bool
+                                else ("memcached"
+                                      if roundcube__memcached_enabled | bool
+                                      else "") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP configuration [[[
+# ----------------------
+
+# These variables configure the access to the LDAP address book managed by
+# DebOps. See :ref:`debops.ldap` and :ref:`debops.slapd` role documentation to
+# learn more about managing LDAP infrastructure with DebOps, and `Roundcube
+# LDAP Address Books`__ documentation to learn more about configuring LDAP
+# access in Roundcube.
+
+# .. __: https://github.com/roundcube/roundcubemail/wiki/Configuration:-LDAP-Address-Books
+
+# .. envvar:: roundcube__ldap_enabled [[[
+#
+# Enable or disable LDAP integration in Roundcube.
+roundcube__ldap_enabled: '{{ ansible_local.ldap.enabled
+                             if (ansible_local | d() and ansible_local.ldap | d() and
+                                 ansible_local.ldap.enabled is defined)
+                             else False }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_password_enabled [[[
+#
+# Enable or disable support for changing user passwords using the "password"
+# Roundcube plugin. The plugin will be configured to use LDAP Password Modify
+# Extended Operation (:rfc:`3062`).
+#
+# If the password change support is disabled, the "password" plugin will be
+# disabled as well. Password change via other mechanisms can be configured
+# separately via Ansible inventory variables.
+roundcube__ldap_password_enabled: '{{ roundcube__ldap_enabled }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_addressbook_name [[[
+#
+# The name of the LDAP address book. It will be visible on the address book
+# list and as the source of the search results.
+roundcube__ldap_addressbook_name: 'LDAP Address Book'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_hosts [[[
+#
+# List of the FQDN addresses of the LDAP directory servers which should be used
+# by Roundcube.
+roundcube__ldap_hosts: '{{ ansible_local.ldap.hosts | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_port [[[
+#
+# The TCP port to use to connect to the LDAP directory.
+roundcube__ldap_port: '{{ ansible_local.ldap.port | d("389") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_use_tls [[[
+#
+# Enable or disable support for STARTTLS extension while connecting to the LDAP
+# directory.
+roundcube__ldap_use_tls: '{{ ansible_local.ldap.start_tls | d(True) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_base_dn [[[
+#
+# The Base Distinguished Name of the LDAP directory, defined as a YAML list.
+roundcube__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the Roundcube application account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+roundcube__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# Roundcube application to access the LDAP directory.
+roundcube__ldap_self_rdn: '{{ "uid=" + roundcube__user }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the Roundcube application to access the LDAP directory.
+roundcube__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# Roundcube application to access the LDAP directory.
+roundcube__ldap_self_attributes:
+  uid: '{{ roundcube__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ roundcube__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "Roundcube" application to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# Roundcube application to bind to the LDAP directory.
+roundcube__ldap_binddn: '{{ ([roundcube__ldap_self_rdn] + roundcube__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the Roundcube
+# application to bind to the LDAP directory.
+roundcube__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                    + roundcube__ldap_binddn | to_uuid + ".password length=32"))
+                            if roundcube__ldap_enabled | bool
+                            else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_people_rdn [[[
+#
+# The Relative Distinguished Name of the people subtree which contains personal
+# LDAP entries.
+roundcube__ldap_people_rdn: '{{ ansible_local.ldap.people_rdn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_people_dn [[[
+#
+# The Distinguished Name of the people subtree which will be used for LDAP
+# address book searches.
+roundcube__ldap_people_dn: '{{ [roundcube__ldap_people_rdn]
+                               + roundcube__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_groups_rdn [[[
+#
+# The Relative Distinguished Name of the groups subtree which contains group
+# LDAP entries.
+roundcube__ldap_groups_rdn: '{{ ansible_local.ldap.groups_rdn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_groups_dn [[[
+#
+# The Distinguished Name of the groups subtree which will be used for LDAP
+# address book searches.
+roundcube__ldap_groups_dn: '{{ [roundcube__ldap_groups_rdn]
+                               + roundcube__ldap_base_dn }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_hidden [[[
+#
+# Show or hide the LDAP address book in the Address Books interface. Hiding the
+# LDAP address book still allows for searching its contents and autocompletion
+# of recipient e-mail addresses.
+#
+# Since the default LDAP address book configuration disables direct browsing of
+# the contents and is read-only, displaying an entry for it is not very useful.
+# Therefore it will be hidden by default.
+roundcube__ldap_hidden: True
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap_field_map [[[
+#
+# YAML dictionary which defines mapping between Roundcube address book fields
+# and LDAP entry attributes. Some of the fields are not mapped yet because they
+# don't work or there are currently no good LDAP equivalents.
+roundcube__ldap_field_map:
+  name: 'cn'
+  firstname: 'givenName'
+  #middlename
+  #prefix
+  #suffix
+  surname: 'sn'
+  #nicname
+  #maidenname
+  #gender
+  #spouse
+  #organization
+  #department
+  jobtitle: 'title'
+  #assistant
+  #manager
+  email: 'mail:*'
+  'phone:home': 'homePhone'
+  'phone:work': 'telephoneNumber'
+  'phone:mobile': 'mobile'
+  'phone:pager': 'pager'
+  'phone:workfax': 'facsimileTelephoneNumber'
+  street: 'street'
+  zipcode: 'postalCode'
+  region: 'st'
+  locality: 'l'
+  #address
+  #birthday
+  #anniversary
+  #website
+  #im
+  notes: 'description:*'
+  photo: 'jpegPhoto'
+                                                                   # ]]]
+                                                                   # ]]]
+# Roundcube application options [[[
+# ---------------------------------
+
+# .. envvar:: roundcube__fqdn [[[
+#
+# The default DNS address of the RoundCube web application, used in the HTTP
+# server configuration.
+roundcube__fqdn: 'webmail.{{ roundcube__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__domain [[[
+#
+# The DNS domain of the RoundCube installation.
+roundcube__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__imap_srv_rr [[[
+#
+# List which contains the result of the DNS query for IMAP server ``SRV``
+# resource records in the host's domain. See :rfc:`6186` for details.
+#
+# If there are no resource records, the role checks if a local Dovecot
+# installation is present and uses the host FQDN as the IMAP server address.
+# Finally, ``imap.<domain>`` is used as a fallback.
+roundcube__imap_srv_rr: '{{ q("debops.debops.dig_srv", "_imaps._tcp." + roundcube__domain,
+                              ansible_fqdn
+                              if (ansible_local | d() and ansible_local.dovecot | d() and
+                                  (ansible_local.dovecot.installed | d()) | bool)
+                              else "imap." + roundcube__domain, 993) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__imap_fqdn [[[
+#
+# The FQDN address of the IMAP server which stores user mailboxes.
+#
+# The use of the FQDN instead of ``localhost`` is required for X.509
+# certificate verification and for correct information in system logs.
+roundcube__imap_fqdn: '{{ roundcube__imap_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__imap_port [[[
+#
+# The TCP port to use for IMAP connections.
+roundcube__imap_port: '{{ roundcube__imap_srv_rr[0]["port"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__imap_server [[[
+#
+# The IMAP host chosen to perform the log-in.
+# This variable is also called `default_server` by Roundcube  .
+#
+# Leave blank to show a textbox at login, give a list of hosts
+# to display a pulldown menu or set one host as string.
+# To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+# Supported replacement variables:
+# %n - hostname ($_SERVER['SERVER_NAME'])
+# %t - hostname without the first part
+# %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+# %s - domain name after the '@' from e-mail address provided at login screen
+# For example %n = mail.domain.tld, %t = domain.tld
+roundcube__imap_server: '{{ ("ssl://"
+                             if (roundcube__imap_port == "993")
+                             else ("tls://"
+                                   if (roundcube__imap_port == "143")
+                                   else "tls://"))
+                             + roundcube__imap_fqdn
+                             + ":" + roundcube__imap_port }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_srv_rr [[[
+#
+# List which contains the result of the DNS query for the SMTP
+# (submission) server ``SRV`` resource records in the host's domain. See
+# :rfc:`6186` for details.
+#
+# If there are no resource records, the role checks if a local Postfix
+# installation is present and uses the host FQDN as the SMTP server address.
+# Finally, ``smtp.<domain>`` is used as a fallback.
+roundcube__smtp_srv_rr: '{{ q("debops.debops.dig_srv", "_submissions._tcp." + roundcube__domain,
+                              ansible_fqdn
+                              if (ansible_local | d() and ansible_local.postfix | d() and
+                                  (ansible_local.postfix.installed | d()) | bool)
+                              else ("smtp." + roundcube__domain), 465) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_fqdn [[[
+#
+# The FQDN address of the SMTP (submission) server which will be used to send
+# e-mail messages.
+#
+# The use of the FQDN instead of ``localhost`` is required for X.509
+# certificate verification and for correct information in system logs.
+roundcube__smtp_fqdn: '{{ roundcube__smtp_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_port [[[
+#
+# The TCP port to use for SMTP connections.
+#
+# Common values include 25 for unencrypted communication, 587 for STARTTLS,
+# or 465 for SMTP over SSL (aka SMTPS).
+roundcube__smtp_port: '{{ roundcube__smtp_srv_rr[0]["port"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_server [[[
+#
+# SMTP server host (for sending mails).
+#
+# Enter hostname with prefix tls:// to use STARTTLS, or use
+# prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
+# Supported replacement variables:
+# %h - user's IMAP hostname
+# %n - hostname ($_SERVER['SERVER_NAME'])
+# %t - hostname without the first part
+# %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+# %z - IMAP domain (IMAP hostname without the first part)
+# For example %n = mail.domain.tld, %t = domain.tld
+roundcube__smtp_server: '{{ ("ssl://"
+                             if (roundcube__smtp_port == "465")
+                             else ("tls://"
+                                   if (roundcube__smtp_port == "587")
+                                   else "tls://"))
+                             + roundcube__smtp_fqdn
+                             + ":" + roundcube__smtp_port }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_user [[[
+#
+# SMTP username (if required) if you use %u as the username Roundcube will
+# use the current username for login.
+roundcube__smtp_user: '%u'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__smtp_pass [[[
+#
+# SMTP password (if required) if you use %p as the password Roundcube will
+# use the current user's password for login.
+roundcube__smtp_pass: '%p'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__sieve_srv_rr [[[
+#
+# List which contains the result of the DNS query for Sieve server
+# ``SRV`` resource records in the host's domain. See :rfc:`5804` for details.
+#
+# If there are no resource records, the role checks if a local Dovecot
+# installation is present and uses the host FQDN as the Sieve server address.
+# Finally, ``sieve.<domain>`` is used as a fallback.
+roundcube__sieve_srv_rr: '{{ q("debops.debops.dig_srv", "_sieve._tcp." + roundcube__domain,
+                               ansible_fqdn
+                               if (ansible_local | d() and ansible_local.dovecot | d() and
+                                   (ansible_local.dovecot.installed | d()) | bool)
+                               else ("sieve." + roundcube__domain), 4190) }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__sieve_fqdn [[[
+#
+# The FQDN address of the Sieve server which allows management of the Sieve
+# filter scripts.
+#
+# The use of the FQDN instead of ``localhost`` is required for X.509
+# certificate verification and for correct information in system logs.
+roundcube__sieve_fqdn: '{{ roundcube__sieve_srv_rr[0]["target"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__sieve_port [[[
+#
+# The TCP port used for Sieve connections.
+roundcube__sieve_port: '{{ roundcube__sieve_srv_rr[0]["port"] }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__sieve_server [[[
+#
+# The Sieve host chosen to access the Sieve configuration interface.
+# Replacement variables supported in host name:
+# %h - user's IMAP hostname
+# %n - http hostname ($_SERVER['SERVER_NAME'])
+# %d - domain (http hostname without the first part)
+# For example %n = mail.domain.tld, %d = domain.tld
+roundcube__sieve_server: '{{ "tls://" + roundcube__sieve_fqdn }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__product_name [[[
+#
+# Name your service. This is displayed on the login screen and in the window title
+roundcube__product_name: '{{ ansible_local.machine.organization | d("Roundcube") + " Webmail" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__des_key [[[
+#
+# Encryption key for the users imap password which is stored in the session
+# record (and the client cookie if remember password is enabled).
+roundcube__des_key: '{{ lookup("password", secret + "/credentials/" + inventory_hostname + "/roundcube/des_key chars=hexdigits length=24") }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__username_domain [[[
+#
+# Specify a domain (realm) to add to usernames without a specified domain.
+# Defining a default domain helps avoid creating separate RoundCube profiles
+# when users use logins with and without a domain specified.
+#
+# The default is to create a domain based on the host DNS domain.
+roundcube__username_domain: '%d'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__log_driver [[[
+#
+# Define the log driver. Currently available: ``syslog``, ``stdout``, ``file``.
+roundcube__log_driver: 'syslog'
+                                                                   # ]]]
+                                                                   # ]]]
+# Roundcube configuration file [[[
+# --------------------------------
+
+# These variables define the contents of the :file:`config/config.inc.php`
+# local configuration file. See :ref:`roundcube__ref_configuration` for more
+# details.
+
+# .. envvar:: roundcube__original_configuration [[[
+#
+# The list defines the Roundcube configuration options stored in the
+# :file:`config.inc.php.sample` configuration file. Modifications to these
+# configuration options should be done using the subsequent variables.
+roundcube__original_configuration:
+
+    # [[[ init
+  - name: 'init_config'
+    raw: |
+      $config = array();
+    section: 'init'
+                                                                   # ]]]
+    # [[[  sql
+  - name: 'db_dsnw'
+    comment: |
+      Database connection string (DSN) for read+write operations
+      Format (compatible with PEAR MDB2): db_provider://user:password@host/database
+      Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
+      For examples see https://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
+      Note: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
+            or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
+      Note: Various drivers support various additional arguments for connection,
+            for Mysql: key, cipher, cert, capath, ca, verify_server_cert,
+            for Postgres: application_name, sslmode, sslcert, sslkey,
+            sslrootcert, sslcrl, sslcompression, service.
+            e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
+    value: 'mysql://roundcube:pass@localhost/roundcubemail'
+    section: 'sql'
+
+  - name: 'db_dsnr'
+    comment: |
+      Database DSN for read-only operations (if empty write database will be used)
+      useful for database replication
+    value: ''
+    section: 'sql'
+    state: 'init'
+
+  - name: 'db_dsnw_noread'
+    comment: 'Disable the use of already established dsnw connections for subsequent reads'
+    value: False
+    section: 'sql'
+    state: 'init'
+
+  - name: 'db_persistent'
+    comment: |
+      use persistent db-connections
+      beware this will not "always" work as expected
+      see: http://www.php.net/manual/en/features.persistent-connections.php
+    value: False
+    section: 'sql'
+    state: 'init'
+
+  - name: 'db_prefix'
+    comment: 'You can define specific table (and sequence) names prefix'
+    value: ''
+    section: 'sql'
+    state: 'init'
+
+  - name: 'db_table_dsn'
+    comment: |
+      Mapping of table names and connections to use for ALL operations.
+      This can be used in a setup with replicated databases and a DB master
+      where read/write access to cache tables should not go to master.
+    array:
+      - 'cache':          'r'
+        'cache_index':    'r'
+        'cache_thread':   'r'
+        'cache_messages': 'r'
+    section: 'sql'
+    state: 'init'
+
+  - name: 'db_max_allowed_packet'
+    comment: |
+      It is possible to specify database variable values e.g. some limits here.
+      Use them if your server is not MySQL or for better performance.
+      For example Roundcube uses max_allowed_packet value (in bytes)
+      which limits query size for database cache operations.
+    value: null
+    section: 'sql'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ logging
+  - name: 'log_driver'
+    comment: |
+      Log driver: 'syslog', 'stdout' or 'file'.
+    value: 'file'
+    section: 'logging'
+    state: 'init'
+
+  - name: 'log_date_format'
+    comment: |
+      Date format for log entries
+      (read https://php.net/manual/en/function.date.php for all format characters)
+    value: 'd-M-Y H:i:s O'
+    section: 'logging'
+    state: 'init'
+
+  - name: 'log_session_id'
+    comment: |
+      Length of the session ID to prepend each log line with
+      set to 0 to avoid session IDs being logged.
+    value: 8
+    section: 'logging'
+    state: 'init'
+
+  - name: 'log_file_ext'
+    comment: 'Default extension used for log file name'
+    value: '.log'
+    section: 'logging'
+    state: 'init'
+
+  - name: 'syslog_id'
+    comment: 'Syslog ident string to use, if using the "syslog" log driver.'
+    value: 'roundcube'
+    section: 'logging'
+    state: 'init'
+
+  - name: 'syslog_facility'
+    comment: |
+      Syslog facility to use, if using the 'syslog' log driver.
+      For possible values see installer or https://php.net/manual/en/function.openlog.php
+    value: 'LOG_USER'
+    quotes: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'per_user_logging'
+    comment: |
+      Activate this option if logs should be written to per-user directories.
+      Data will only be logged if a directory <log_dir>/<username>/ exists and is writable.
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'smtp_log'
+    comment: 'Log sent messages to <log_dir>/sendmail.log or to syslog'
+    value: True
+    section: 'logging'
+    state: 'init'
+
+  - name: 'log_logins'
+    comment: 'Log successful/failed logins to <log_dir>/userlogins.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'session_debug'
+    comment: |
+      Log session debug information/authentication errors to <log_dir>/session.log or to syslog
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'sql_debug'
+    comment: 'Log SQL queries to <log_dir>/sql.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'imap_debug'
+    comment: 'Log IMAP conversation to <log_dir>/imap.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'ldap_debug'
+    comment: 'Log LDAP conversation to <log_dir>/ldap.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'smtp_debug'
+    comment: 'Log SMTP conversation to <log_dir>/smtp.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'memcache_debug'
+    comment: 'Log Memcache conversation to <log_dir>/memcache.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'apc_debug'
+    comment: 'Log APC conversation to <log_dir>/apc.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+
+  - name: 'redis_debug'
+    comment: 'Log Redis conversation to <log_dir>/redis.log or to syslog'
+    value: False
+    section: 'logging'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ imap
+  - name: 'imap_host'
+    comment: |
+      IMAP host chosen to perform the log-in.
+      See defaults.inc.php for the option description.
+    value: 'localhost:143'
+    section: 'imap'
+
+  - name: 'imap_auth_type'
+    comment: |
+      IMAP authentication method (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null).
+      Use 'IMAP' to authenticate with IMAP LOGIN command.
+      By default the most secure method (from supported) will be selected.
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_conn_options'
+    comment: |
+      IMAP socket context options
+      See https://php.net/manual/en/context.ssl.php
+      The example below enables server certificate validation
+      Note: These can be also specified as an array of options indexed by hostname
+    array:
+      - ssl:
+          - verify_peer: True
+            verify_depth: 3
+            cafile: '/etc/ssl/certs/ca-certificates.crt'
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_timeout'
+    comment: 'IMAP connection timeout, in seconds. Default: 0 (use default_socket_timeout)'
+    value: 0
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_auth_cid'
+    comment: 'Optional IMAP authentication identifier to be used as authorization proxy'
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_auth_pw'
+    comment: 'Optional IMAP authentication password to be used for imap_auth_cid'
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_delimiter'
+    comment: |
+      If you know your imap's folder delimiter, you can specify it here.
+      Otherwise it will be determined automatically
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_vendor'
+    comment: |
+      If you know your imap's folder vendor, you can specify it here.
+      Otherwise it will be determined automatically. Use lower-case
+      identifiers, e.g. 'dovecot', 'cyrus', 'gimap', 'hmail', 'uw-imap'.
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_ns_personal'
+    comment: |
+      If IMAP server doesn't support NAMESPACE extension, but you're
+      using shared folders or personal root folder is non-empty, you'll need to
+      set these options. All can be strings or arrays of strings.
+      Note: Folders need to be ended with directory separator, e.g. "INBOX."
+            (special directory "~" is an exception to this rule)
+      Note: These can be used also to overwrite server's namespaces
+      Note: Set these to FALSE to disable access to specified namespace
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_ns_other'
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_ns_shared'
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_force_caps'
+    comment: |
+      By default IMAP capabilities are read after connection to IMAP server
+      In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
+      after login. Set to True if you've got this case.
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_force_lsub'
+    comment: |
+      By default list of subscribed folders is determined using LIST-EXTENDED
+      extension if available. Some servers (dovecot 1.x) returns wrong results
+      for shared namespaces in this case. https://github.com/roundcube/roundcubemail/issues/2474
+      Enable this option to force LSUB command usage instead.
+      Deprecated: Use imap_disabled_caps = array('LIST-EXTENDED')
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_force_ns'
+    comment: |
+      Some server configurations (e.g. Courier) doesn't list folders in all namespaces
+      Enable this option to force listing of folders in all namespaces
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_skip_hidden_folders'
+    comment: |
+      Some servers return hidden folders (name starting with a dot)
+      from user home directory. IMAP RFC does not forbid that.
+      Enable this option to hide them and disable possibility to create such.
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_dual_use_folders'
+    comment: |
+      Some servers do not support folders with both folders and messages inside
+      If your server supports that use true, if it does not, use false.
+      By default it will be determined automatically (once per user session).
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_disabled_caps'
+    comment: |
+      List of disabled imap extensions.
+      Use if your IMAP server has broken implementation of some feature
+      and you can't remove it from CAPABILITY string on server-side.
+      For example UW-IMAP server has broken ESEARCH.
+      Note: Because the list is cached, re-login is required after change.
+    value: []
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_log_session'
+    comment: |
+      Log IMAP session identifiers after each IMAP login.
+      This is used to relate IMAP session with Roundcube user sessions
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_cache'
+    comment: |
+      Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
+    value: null
+    section: 'imap'
+    state: 'init'
+
+  - name: 'messages_cache'
+    comment: |
+      Enables messages cache. Only 'db' cache is supported.
+      This requires an IMAP server that supports QRESYNC and CONDSTORE
+      extensions (RFC7162). See synchronize() in program/lib/Roundcube/rcube_imap_cache.php
+      for further info, or if you experience syncing problems.
+    value: False
+    section: 'imap'
+    state: 'init'
+
+  - name: 'imap_cache_ttl'
+    comment: 'Lifetime of IMAP indexes cache. Possible units: s, m, h, d, w'
+    value: '10d'
+    section: 'imap'
+    state: 'init'
+
+  - name: 'messages_cache_ttl'
+    comment: 'Lifetime of messages cache. Possible units: s, m, h, d, w'
+    value: '10d'
+    section: 'imap'
+    state: 'init'
+
+  - name: 'messages_cache_threshold'
+    comment: |
+      Maximum cached message size in kilobytes.
+      Note: On MySQL this should be less than (max_allowed_packet - 30%)
+    value: 50
+    section: 'imap'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ smtp
+  - name: 'smtp_host'
+    comment: |
+      SMTP server host (for sending mails).
+      See defaults.inc.php for the option description.
+    value: 'localhost:587'
+    section: 'smtp'
+
+  - name: 'smtp_user'
+    comment: |
+      SMTP username (if required) if you use %u as the username Roundcube
+      will use the current username for login
+    value: '%u'
+    section: 'smtp'
+
+  - name: 'smtp_pass'
+    comment: |
+      SMTP password (if required) if you use %p as the password Roundcube
+      will use the current user's password for login
+    value: '%p'
+    section: 'smtp'
+
+  - name: 'smtp_auth_type'
+    comment: |
+      SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
+      best server supported one)
+    value: null
+    section: 'smtp'
+    state: 'init'
+
+  - name: 'smtp_auth_cid'
+    comment: |
+      Optional SMTP authentication identifier to be used as authorization proxy
+    value: null
+    section: 'smtp'
+    state: 'init'
+
+  - name: 'smtp_auth_pw'
+    comment: |
+      Optional SMTP authentication password to be used for smtp_auth_cid
+    value: null
+    section: 'smtp'
+    state: 'init'
+
+  - name: 'smtp_helo_host'
+    comment: |
+      SMTP HELO host
+      Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
+      Leave this blank and you will get the server variable 'server_name' or
+      localhost if that isn't defined.
+    value: ''
+    section: 'smtp'
+    state: 'init'
+
+  - name: 'smtp_timeout'
+    comment: |
+      SMTP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
+      Note: There's a known issue where using ssl connection with
+      timeout > 0 causes connection errors (https://bugs.php.net/bug.php?id=54511)
+    value: 0
+    section: 'smtp'
+    state: 'init'
+
+  - name: 'smtp_conn_options'
+    comment: |
+      SMTP socket context options
+      See https://php.net/manual/en/context.ssl.php
+      The example below enables server certificate validation, and
+      requires 'smtp_timeout' to be non zero.
+      Note: These can be also specified as an array of options indexed by hostname
+    array:
+      - ssl:
+          - verify_peer: True
+            verify_depth: 3
+            cafile: '/etc/ssl/certs/ca-certificates.crt'
+    section: 'smtp'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ ldap
+  - name: 'ldap_cache'
+    comment: |
+      Type of LDAP cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
+    value: 'db'
+    section: 'ldap'
+    state: 'init'
+
+  - name: 'ldap_cache_ttl'
+    comment: 'Lifetime of LDAP cache. Posibble units: s, m, h, d, w'
+    value: '10m'
+    section: 'ldap'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ cache
+  - name: 'memcache_hosts'
+    comment: |
+      Use these hosts for accessing memcached
+      Define any number of hosts in the form of hostname:port or unix:///path/to/socket.file
+      Example: array('localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock');
+    value: null
+    section: 'cache'
+    state: 'init'
+
+  - name: 'memcache_pconnect'
+    comment: |
+      Controls the use of a persistent connections to memcache servers
+      See https://php.net/manual/en/memcache.addserver.php
+    value: True
+    section: 'cache'
+    state: 'init'
+
+  - name: 'memcache_timeout'
+    comment: |
+      Value in seconds which will be used for connecting to the daemon
+      See https://php.net/manual/en/memcache.addserver.php
+    value: 1
+    section: 'cache'
+    state: 'init'
+
+  - name: 'memcache_retry_interval'
+    comment: |
+      Controls how often a failed server will be retried (value in seconds).
+      Setting this parameter to -1 disables automatic retry.
+      See https://php.net/manual/en/memcache.addserver.php
+    value: 15
+    section: 'cache'
+    state: 'init'
+
+  - name: 'redis_hosts'
+    comment: |
+      Use these hosts for accessing Redis.
+      Currently only one host is supported. Cluster support may come in a future release.
+      You can pass 4 fields, host, port (optional), database (optional) and password (optional).
+      Unset fields will be set to the default values host=127.0.0.1, port=6379.
+      Examples:
+          array('localhost:6379');
+          array('192.168.1.1:6379:1:secret');
+          array('unix:///var/run/redis/redis-server.sock:1:secret');
+    value: null
+    section: 'cache'
+    state: 'init'
+
+  - name: 'memcache_max_allowed_packet'
+    comment: 'Maximum size of an object in memcache (in bytes). Default: 2MB'
+    value: '2M'
+    section: 'cache'
+    state: 'init'
+
+  - name: 'apc_mac_allowed_packet'
+    comment: 'Maximum size of an object in APC cache (in bytes). Default: 2MB'
+    value: '2M'
+    section: 'cache'
+    state: 'init'
+
+  - name: 'redis_max_allowed_packet'
+    comment: 'Maximum size of an object in Redis cache (in bytes). Default: 2MB'
+    value: '2M'
+    section: 'cache'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ system
+  - name: 'enable_installer'
+    comment: |
+      THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
+      ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'dont_override'
+    comment: "Don't allow these settings to be overridden by the user"
+    value: []
+    section: 'system'
+    state: 'init'
+
+  - name: 'disabled_actions'
+    comment: 'List of disabled UI elements/actions'
+    value: []
+    section: 'system'
+    state: 'init'
+
+  - name: 'advanced_prefs'
+    comment: |
+      Define which settings should be listed under the 'advanced' block
+      which is hidden by default
+    value: []
+    section: 'system'
+    state: 'init'
+
+  - name: 'support_url'
+    comment: |
+      Provide an URL where a user can get support for this Roundcube installation
+      PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
+    value: ''
+    section: 'system'
+
+  - name: 'skin_logo'
+    comment: |
+      Logo image replacement. Specifies location of the image as:
+      - URL relative to the document root of this Roundcube installation
+      - full URL with http:// or https:// prefix
+      - URL relative to the current skin folder (when starts with a '/')
+
+      An array can be used to specify different logos for specific template files
+      The array key specifies the place(s) the logo should be applied to and
+      is made up of (up to) 3 parts:
+      - skin name prefix (always with colon, can be replaced with *)
+      - template name (or * for all templates)
+      - logo type - it is used for logos used on multiple templates
+        the available types include '[favicon]' for favicon, '[print]' for logo on all print
+        templates (e.g. messageprint, contactprint) and '[small]' for small screen logo in supported skins
+
+      Example config for skin_logo
+
+      array(
+        // show the image /images/logo_login_small.png for the Login screen in the Elastic skin on small screens
+        "elastic:login[small]" => "/images/logo_login_small.png",
+        // show the image /images/logo_login.png for the Login screen in the Elastic skin
+        "elastic:login" => "/images/logo_login.png",
+        // show the image /images/logo_small.png in the Elastic skin
+        "elastic:*[small]" => "/images/logo_small.png",
+        // show the image /images/larry.png in the Larry skin
+        "larry:*" => "/images/larry.png",
+        // show the image /images/logo_login.png on the login template in all skins
+        "login" => "/images/logo_login.png",
+        // show the image /images/logo_print.png for all print type logos in all skins
+        "[print]" => "/images/logo_print.png",
+      );
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'auto_create_user'
+    comment: |
+      Automatically create a new Roundcube user when log-in the first time.
+      A new user will be created once the IMAP login succeeds.
+      Set to false if only registered users can use this service
+    value: True
+    section: 'system'
+    state: 'init'
+
+  - name: 'user_aliases'
+    comment: 'Enables possibility to log in using email address from user identities'
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'log_dir'
+    comment: |
+      use this folder to store log files
+      must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
+      This is used by the 'file' log driver.
+    value: "RCUBE_INSTALL_PATH . 'logs/'"
+    quotes: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'temp_dir'
+    comment: |
+      Use this folder to store temp files
+      Must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
+    value: "RCUBE_INSTALL_PATH . 'temp/'"
+    quotes: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'temp_dir_ttl'
+    comment: |
+      Expire files in temp_dir after 48 hours
+      Possible units: s, m, h, d, w
+    value: '48h'
+    section: 'system'
+    state: 'init'
+
+  - name: 'force_https'
+    comment: |
+      Enforce connections over https
+      With this option enabled, all non-secure connections will be redirected.
+      It can be also a port number, hostname or hostname:port if they are
+      different than default HTTP_HOST:443
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'use_https'
+    comment: |
+      Tell PHP that it should work as under secure connection
+      even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
+      e.g. when you're running Roundcube behind a https proxy
+      This option is mutually exclusive to 'force_https' and only either one of
+      them should be set to true.
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_autocomplete'
+    comment: |
+      Allow browser-autocompletion on login form.
+      0 - disabled, 1 - username and host only, 2 - username, host, password
+    value: 0
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_lc'
+    comment: |
+      Forces conversion of logins to lower case.
+      0 - disabled, 1 - only domain part, 2 - domain and local part.
+      If users authentication is case-insensitive this must be enabled.
+      Note: After enabling it all user records need to be updated, e.g. with query:
+            UPDATE users SET username = LOWER(username);
+    value: 2
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_username_maxlen'
+    comment: 'Maximum length (in bytes) of logon username and password.'
+    value: 1024
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_password_maxlen'
+    value: 1024
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_username_filter'
+    comment: |
+      Logon username filter. Regular expression for use with preg_match().
+      Example: '/^[a-z0-9_@.-]+$/'
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'login_rate_limit'
+    comment: |
+      Brute-force attacks prevention.
+      The value specifies maximum number of failed logon attempts per minute.
+    value: 3
+    section: 'system'
+    state: 'init'
+
+  - name: 'skin_include_php'
+    comment: 'Includes should be interpreted as PHP files'
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'display_product_info'
+    comment: |
+      Display product name and software version on login screen
+      0 - hide product name and version number,
+      1 - show product name only,
+      2 - show product name and version number
+    value: 1
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_lifetime'
+    comment: 'Session lifetime in minutes'
+    value: 10
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_domain'
+    comment: 'Session domain: .example.org'
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_name'
+    comment: |
+      Session name. Default: 'roundcube_sessid'
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_auth_name'
+    comment: |
+      Session authentication cookie name. Default: 'roundcube_sessauth'
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_path'
+    comment: |
+      Session path. Defaults to PHP session.cookie_path setting.
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'session_storage'
+    comment: |
+      Backend to use for session storage. Can either be 'db' (default), 'redis', 'memcache', or 'php'
+
+      If set to 'memcache' or 'memcached', a list of servers need to be specified in 'memcache_hosts'
+      Make sure the Memcache extension (https://pecl.php.net/package/memcache) version >= 2.0.0
+      or the Memcached extension (https://pecl.php.net/package/memcached) version >= 2.0.0 is installed.
+
+      If set to 'redis', a server needs to be specified in 'redis_hosts'
+      Make sure the Redis extension (https://pecl.php.net/package/redis) version >= 2.0.0 is installed.
+
+      Setting this value to 'php' will use the default session save handler configured in PHP
+    value: 'db'
+    section: 'system'
+    state: 'init'
+
+  - name: 'proxy_whitelist'
+    comment: |
+      List of trusted proxies
+      X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
+    value: []
+    section: 'system'
+    state: 'init'
+
+  - name: 'trusted_host_pattern'
+    comment: |
+      List of trusted host names
+      Attackers can modify Host header of the HTTP request causing $_SERVER['SERVER_NAME']
+      or $_SERVER['HTTP_HOST'] variables pointing to a different host, that could be used
+      to collect user names and passwords. Some server configurations prevent that, but not all.
+      An empty list accepts any host name. The list can contain host names
+      or PCRE patterns (without // delimiters, that will be added automatically).
+    value: []
+    section: 'system'
+    state: 'init'
+
+  - name: 'ip_check'
+    comment: 'Check client IP in session authorization'
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'x_frame_options'
+    comment: |
+      X-Frame-Options HTTP header value sent to prevent from Clickjacking.
+      Possible values: sameorigin|deny|allow-from <uri>.
+      Set to false in order to disable sending the header.
+    value: 'sameorigin'
+    section: 'system'
+    state: 'init'
+
+  - name: 'des_key'
+    comment: |
+      this key is used to encrypt the users imap password which is stored
+      in the session record (and the client cookie if remember password is enabled).
+      please provide a string of exactly 24 chars.
+      YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
+    value: 'rcmail-!24ByteDESkey*Str'
+    section: 'system'
+
+  - name: 'cipher_method'
+    comment: |
+      Encryption algorithm. You can use any method supported by OpenSSL.
+      Default is set for backward compatibility to DES-EDE3-CBC,
+      but you can choose e.g. AES-256-CBC which we consider a better choice.
+    value: 'DES-EDE3-CBC'
+    section: 'system'
+    state: 'init'
+
+  - name: 'username_domain'
+    comment: |
+      Automatically add this domain to user names for login
+      Only for IMAP servers that require full e-mail addresses for login
+      Specify an array with 'host' => 'domain' values to support multiple hosts
+      Supported replacement variables:
+      %h - user's IMAP hostname
+      %n - hostname ($_SERVER['SERVER_NAME'])
+      %t - hostname without the first part
+      %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+      %z - IMAP domain (IMAP hostname without the first part)
+      For example %n = mail.domain.tld, %t = domain.tld
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'username_domain_forced'
+    comment: |
+      Force domain configured in username_domain to be used for login.
+      Any domain in username will be replaced by username_domain.
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'mail_domain'
+    comment: |
+      This domain will be used to form e-mail addresses of new users
+      Specify an array with 'host' => 'domain' values to support multiple hosts
+      Supported replacement variables:
+      %h - user's IMAP hostname
+      %n - http hostname ($_SERVER['SERVER_NAME'])
+      %d - domain (http hostname without the first part)
+      %z - IMAP domain (IMAP hostname without the first part)
+      For example %n = mail.domain.tld, %t = domain.tld
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'password_charset'
+    comment: |
+      Password character set, to change the password for user
+      authentication or for password change operations
+    value: 'UTF-8'
+    section: 'system'
+    state: 'init'
+
+  - name: 'sendmail_delay'
+    comment: 'How many seconds must pass between emails sent by a user'
+    value: 0
+    section: 'system'
+    state: 'init'
+
+  - name: 'max_message_size'
+    comment: |
+      Message size limit. Note that SMTP server(s) may use a different value.
+      This limit is verified when user attaches files to a composed message.
+      Size in bytes (possible unit suffix: K, M, G)
+    value: '100M'
+    section: 'system'
+    state: 'init'
+
+  - name: 'max_recipients'
+    comment: |
+      Maximum number of recipients per message (including To, Cc, Bcc).
+      Default: 0 (no limit)
+    value: 0
+    section: 'system'
+    state: 'init'
+
+  - name: 'max_disclosed_recipients'
+    comment: |
+      Maximum number of recipients per message excluding Bcc header.
+      This is a soft limit, which means we only display a warning to the user.
+      Default: 5
+    value: 5
+    section: 'system'
+    state: 'init'
+
+  - name: 'max_group_members'
+    comment: |
+      Maximum allowed number of members of an address group. Default: 0 (no limit)
+      If 'max_recipients' is set this value should be less or equal
+    value: 0
+    section: 'system'
+    state: 'init'
+
+  - name: 'product_name'
+    comment: |
+      Name your service. This is displayed on the login screen and in the window title
+    value: 'Roundcube Webmail'
+    section: 'system'
+
+  - name: 'useragent'
+    comment: 'Add this user-agent to message headers when sending'
+    value: "'Roundcube Webmail/'.RCUBE_VERSION"
+    quotes: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'include_host_config'
+    comment: |
+      Try to load host-specific configuration
+      See https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
+      for more details
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'generic_message_footer'
+    comment: |
+      Path to a text file which will be added to each sent message
+      Paths are relative to the Roundcube root folder
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'generic_message_footer_html'
+    comment: |
+      Path to a text file which will be added to each sent HTML message
+      Paths are relative to the Roundcube root folder
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'http_received_header'
+    comment: |
+      Add a received header to outgoing mails containing the creators IP and hostname
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'http_received_header_encrypt'
+    comment: |
+      Whether or not to encrypt the IP address and the host name
+      these could, in some circles, be considered as sensitive information;
+      however, for the administrator, these could be invaluable help
+      when tracking down issues.
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'line_length'
+    comment: |
+      Number of chars allowed for line when wrapping text.
+      Text wrapping is done when composing/sending messages
+    value: 72
+    section: 'system'
+    state: 'init'
+
+  - name: 'send_format_flowed'
+    comment: 'Send plaintext messages as format=flowed'
+    value: True
+    section: 'system'
+    state: 'init'
+
+  - name: 'mdn_use_from'
+    comment: |
+      According to RFC2298, return receipt envelope sender address must be
+      empty. If this option is true, Roundcube will use user's identity as
+      envelope sender for MDN responses.
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'identities_level'
+    comment: |
+      Set identities access level:
+      0 - many identities with possibility to edit all params
+      1 - many identities with possibility to edit all params but not email address
+      2 - one identity with possibility to edit all params
+      3 - one identity with possibility to edit all params but not email address
+      4 - one identity with possibility to edit only signature
+    value: 0
+    section: 'system'
+    state: 'init'
+
+  - name: 'identity_image_size'
+    comment: |
+      Maximum size of uploaded image in kilobytes
+      Images (in html signatures) are stored in database as data URIs
+    value: 64
+    section: 'system'
+    state: 'init'
+
+  - name: 'client_mimetypes'
+    comment: |
+      Mimetypes supported by the browser.
+      Attachments of these types will open in a preview window
+      Either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'mime_magic'
+    comment: |
+      Path to a local mime magic database file for PHPs finfo extension.
+      Set to null if the default path should be used.
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'mime_types'
+    comment: |
+      Absolute path to a local mime.types mapping table file.
+      This is used to derive mime-types from the filename extension or vice versa.
+      Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
+      download it from https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'im_identify_path'
+    comment: |
+      Path to imagemagick identify binary (if not set we'll use Imagick or GD extensions)
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'im_convert_path'
+    comment: |
+      Path to imagemagick convert binary (if not set we'll use Imagick or GD extensions)
+    value: null
+    section: 'system'
+    state: 'init'
+
+  - name: 'image_thumbnail_size'
+    comment: |
+      Size of thumbnails from image attachments displayed below the message content.
+      Note: whether images are displayed at all depends on the 'inline_images' option.
+      Set to 0 to display images in full size.
+    value: 240
+    section: 'system'
+    state: 'init'
+
+  - name: 'contact_photo_size'
+    comment: 'Maximum size of uploaded contact photos in pixel'
+    value: 160
+    section: 'system'
+    state: 'init'
+
+  - name: 'email_dns_check'
+    comment: 'Enable DNS checking for e-mail address validation'
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'no_save_sent_messages'
+    comment: |
+      Disables saving sent messages in Sent folder (like gmail) (Default: false)
+      Note: useful when SMTP server stores sent mail in user mailbox
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'use_secure_urls'
+    comment: |
+      Improve system security by using special URL with security token.
+      This can be set to a number defining token length. Default: 16.
+      Warning: This requires http server configuration. Sample:
+         RewriteRule ^/roundcubemail/[a-zA-Z0-9]{16}/(.*) /roundcubemail/$1 [PT]
+         Alias /roundcubemail /var/www/roundcubemail/
+      Note: Use assets_path to not prevent the browser from caching assets
+    value: False
+    section: 'system'
+    state: 'init'
+
+  - name: 'assets_path'
+    comment: |
+      Allows to define separate server/path for image/js/css files
+      Warning: If the domain is different cross-domain access to some
+      resources need to be allowed
+      Sample:
+         <FilesMatch ".(eot|ttf|woff)">
+         Header set Access-Control-Allow-Origin "*"
+         </FilesMatch>
+    value: ''
+    section: 'system'
+    state: 'init'
+
+  - name: 'assets_dir'
+    comment: |
+      While assets_path is for the browser, assets_dir informs
+      PHP code about the location of asset files in filesystem
+    value: ''
+    section: 'system'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ plugins
+  - name: 'plugins'
+    comment: 'List of active plugins (in plugins/ directory)'
+    value: [ 'archive', 'zipdownload' ]
+    section: 'plugins'
+                                                                   # ]]]
+    # [[[ ui
+  - name: 'message_sort_col'
+    comment: |
+      Default messages sort column. Use empty value for default server's sorting,
+      or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
+    value: ''
+    section: 'ui'
+    state: 'init'
+
+  - name: 'message_sort_order'
+    comment: 'Default messages sort order'
+    value: 'DESC'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'list_cols'
+    comment: |
+      These cols are shown in the message list. Available cols are:
+      subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, priority
+    value: [ 'subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment' ]
+    section: 'ui'
+    state: 'init'
+
+  - name: 'language'
+    comment: |
+      The default locale setting (leave empty for auto-detection)
+      RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
+    value: null
+    section: 'ui'
+    state: 'init'
+
+  - name: 'date_format'
+    comment: 'Use this format for date display (date or strftime format)'
+    value: 'Y-m-d'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'date_formats'
+    comment: |
+      Give this choice of date formats to the user to select from
+      Note: do not use ambiguous formats like m/d/Y
+    value: [ 'Y-m-d', 'Y/m/d', 'Y.m.d', 'd-m-Y', 'd/m/Y', 'd.m.Y', 'j.n.Y' ]
+    section: 'ui'
+    state: 'init'
+
+  - name: 'time_format'
+    comment: 'Use this format for time display (date or strftime format)'
+    value: 'H:i'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'time_formats'
+    comment: 'Give this choice of time formats to the user to select from'
+    value: [ 'G:i', 'H:i', 'g:i a', 'h:i A' ]
+    section: 'ui'
+    state: 'init'
+
+  - name: 'date_short'
+    comment: |
+      Use this format for short date display (derived from date_format and
+      time_format)
+    value: 'D H:i'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'date_long'
+    comment: |
+      Use this format for detailed date/time formatting (derived from
+      date_format and time_format)
+    value: 'Y-m-d H:i'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'drafts_mbox'
+    comment: |
+      Store draft message is this mailbox
+      Leave blank if draft messages should not be stored
+      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+    value: 'Drafts'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'junk_mbox'
+    comment: |
+      Store spam messages in this mailbox
+      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+    value: 'Junk'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'sent_mbox'
+    comment: |
+      Store sent message is this mailbox
+      Leave blank if sent messages should not be stored
+      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+    value: 'Sent'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'trash_mbox'
+    comment: |
+      Move messages to this folder when deleting them
+      Leave blank if they should be deleted directly
+      NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+    value: 'Trash'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'create_default_folders'
+    comment: |
+      Automatically create the above listed default folders on user login
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'protect_default_folders'
+    comment: |
+      Protect the default folders from renames, deletes, and subscription changes
+    value: True
+    section: 'ui'
+    state: 'init'
+
+  - name: 'show_real_foldernames'
+    comment: |
+      Disable localization of the default folder names listed above
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'quota_zero_as_unlimited'
+    comment: |
+      If in your system 0 quota means no limit set this option to true
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'enable_spellcheck'
+    comment: |
+      Make use of the built-in spell checker. It is based on GoogieSpell.
+    value: True
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_engine'
+    comment: |
+      Set the spell checking engine. Possible values:
+      - 'googie'  - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting)
+      - 'pspell'  - requires the PHP Pspell module and aspell installed
+      - 'enchant' - requires the PHP Enchant module
+      - 'atd'     - install your own After the Deadline server or check with
+                    the people at http://www.afterthedeadline.com before using their API
+      Since Google shut down their public spell checking service, the default settings
+      connect to https://spell.roundcube.net/ which is a hosted service provided by Roundcube.
+      You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
+    value: 'googie'
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_uri'
+    comment: |
+      For locally installed Nox Spell Server or After the Deadline services,
+      please specify the URI to call it.
+      Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 or
+      the After the Deadline package from http://www.afterthedeadline.com.
+      Leave empty to use the public API of service.afterthedeadline.com
+    value: ''
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_languages'
+    comment: |
+      These languages can be selected for spell checking.
+      Configure as a PHP style hash array: array('en'=>'English', 'de'=>'Deutsch');
+      Leave empty for default set of available language.
+    value: null
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_ignore_caps'
+    comment: |
+      Makes that words with all letters capitalized will be ignored (e.g. GOOGLE)
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_ignore_nums'
+    comment: |
+      Makes that words with numbers will be ignored (e.g. g00gle)
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'spellcheck_ignore_syms'
+    comment: |
+      Makes that words with symbols will be ignored (e.g. g@@gle)
+    value: False
+    section: 'ui'
+    state: 'init'
+
+  - name: 'sig_max_lines'
+    comment: |
+      Number of lines at the end of a message considered to contain the signature.
+      Increase this value if signatures are not properly detected and colored
+    value: 15
+    section: 'ui'
+    state: 'init'
+
+  - name: 'max_pagesize'
+    comment: |
+      Don't let users set pagesize to more than this value if set
+    value: 200
+    section: 'ui'
+    state: 'init'
+
+  - name: 'min_refresh_interval'
+    comment: |
+      Minimal value of user's 'refresh_interval' setting (in seconds)
+    value: 60
+    section: 'ui'
+    state: 'init'
+
+  - name: 'undo_timeout'
+    comment: |
+      Specifies for how many seconds the Undo button will be available
+      after object delete action. Currently used with supporting address book sources.
+      Setting it to 0, disables the feature.
+    value: 0
+    section: 'ui'
+    state: 'init'
+
+  - name: 'compose_responses_static'
+    comment: |
+      A static list of canned responses which are immutable for the user
+    array:
+      - [ 'name': 'Canned Response 1', 'text': 'Static Response One' ]
+      - [ 'name': 'Canned Response 2', 'text': 'Static Response Two' ]
+    section: 'ui'
+    state: 'init'
+
+  - name: 'keyservers'
+    comment: |
+      List of HKP key servers for PGP public key lookups in Enigma/Mailvelope
+      Default: array("keys.fedoraproject.org", "keybase.io")
+    value: []
+    section: 'ui'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ addressbook
+  - name: 'address_book_type'
+    comment: |
+      This indicates which type of address book to use. Possible choices:
+      'sql' - built-in sql addressbook enabled (default),
+      ''    - built-in sql addressbook disabled.
+              Still LDAP or plugin-added addressbooks will be available.
+              BC Note: The value can actually be anything except 'sql', it does not matter.
+    value: 'sql'
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'ldap_public'
+    comment: |
+      In order to enable public ldap search, configure an array like the Verisign
+      example further below. if you would like to test, simply uncomment the example.
+      Array key must contain only safe characters, ie. a-zA-Z0-9_
+    value: []
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'ldap_public_verisign'
+    option: [ 'ldap_public', 'Verisign' ]
+    comment: |
+      If you are going to use LDAP for individual address books, you will need to
+      set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
+
+      The recommended directory structure for LDAP is to store all the address book entries
+      under the users main entry, e.g.:
+
+       o=root
+        ou=people
+         uid=user@domain
+       mail=contact@contactdomain
+
+      So the base_dn would be uid=%fu,ou=people,o=root
+      The bind_dn would be the same as based_dn or some super user login.
+    array:
+      - name: 'Verisign.com'
+        # Replacement variables supported in host names:
+        # %h - user's IMAP hostname
+        # %n - hostname ($_SERVER['SERVER_NAME'])
+        # %t - hostname without the first part
+        # %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+        # %z - IMAP domain (IMAP hostname without the first part)
+        # For example %n = mail.domain.tld, %t = domain.tld
+        hosts: [ 'directory.verisign.com' ]
+        port: 389
+        use_tls: False
+        ldap_version: 3  # using LDAPv3
+        # The timeout (in seconds) for connect + bind arrempts. This is only
+        # supported in PHP >= 5.3.0 with OpenLDAP 2.x
+        network_timeout: 10
+        # If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
+        user_specific: False
+        # When 'user_specific' is enabled following variables can be used in base_dn/bind_dn config:
+        # %fu - The full username provided, assumes the username is an email
+        #       address, uses the username_domain value if not an email address.
+        # %u  - The username prior to the '@'.
+        # %d  - The domain name after the '@'.
+        # %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
+        # %dn - DN found by ldap search when search_filter/search_base_dn are used
+        base_dn: ''
+        bind_dn: ''
+        bind_pass: ''
+        # It's possible to bind for an individual address book
+        # The login name is used to search for the DN to bind with
+        search_base_dn: ''
+        search_filter: ''  # e.g. '(& (objectClass=posixAccount) (uid=%u) )'
+        # DN and password to bind as before searching for bind DN, if anonymous search is not allowed
+        search_bind_dn: ''
+        search_bind_pw: ''
+        # Base DN and filter used for resolving the user's domain root DN which feeds the %dc variables
+        # Leave empty to skip this lookup and derive the root DN from the username domain
+        domain_base_dn: ''
+        domain_filter: ''
+        # Optional map of replacement strings => attributes used when binding for an individual address book
+        search_bind_attrib: []  # e.g. array('%udc' => 'ou')
+        # Default for %dn variable if search doesn't return DN value
+        search_dn_default: ''
+        # Optional authentication identifier to be used as SASL authorization proxy
+        # bind_dn need to be empty
+        auth_cid: ''
+        # SASL authentication method (for proxy auth), e.g. DIGEST-MD5
+        auth_method: ''
+        # Indicates if the addressbook shall be hidden from the list.
+        # With this option enabled you can still search/view contacts.
+        hidden: False
+        # Indicates if the addressbook shall not list contacts but only allows searching.
+        searchonly: False
+        # Indicates if we can write to the LDAP directory or not.
+        # If writable is true then these fields need to be populated:
+        # LDAP_Object_Classes, required_fields, LDAP_rdn
+        writable: False
+        # To create a new contact these are the object classes to specify
+        # (or any other classes you wish to use).
+        LDAP_Object_Classes: [ 'top', 'inetOrgPerson' ]
+        # The RDN field that is used for new entries, this field needs
+        # to be one of the search_fields, the base of base_dn is appended
+        # to the RDN to insert into the LDAP directory.
+        LDAP_rdn: 'cn'
+        # The required fields needed to build a new contact as required by
+        # the object classes (can include additional fields not required by the object classes).
+        required_fields: [ 'cn', 'sn', 'mail' ]
+        search_fields: [ 'mail', 'cn' ]  # Fields to search in
+        # Mapping of contact fields to directory attributes
+        #   1. for every attribute one can specify the number of values (limit) allowed.
+        #      default is 1, a wildcard * means unlimited
+        #   2. another possible parameter is separator character for composite fields
+        #   3. it's possible to define field format for write operations, e.g. for date fields
+        #      example: 'birthday:date[YmdHis\\Z]'
+        fieldmap:
+          # Roundcube        LDAP:limit
+          - 'name':          'cn'
+            'surname':       'sn'
+            'firstname':     'givenName'
+            'jobtitle':      'title'
+            'email':         'mail:*'
+            'phone:home':    'homePhone'
+            'phone:work':    'telephoneNumber'
+            'phone:mobile':  'mobile'
+            'phone:pager':   'pager'
+            'phone:workfax': 'facsimileTelephoneNumber'
+            'street':        'street'
+            'zipcode':       'postalCode'
+            'region':        'st'
+            'locality':      'l'
+            # If you country is a complex object, you need to configure 'sub_fields' below
+            'country':       'c'
+            'organization':  'o'
+            'department':    'ou'
+            'notes':         'description'
+            'photo':         'jpegPhoto'
+            # These currently don't work
+            #'manager':      'manager'
+            #'assistant':    'secretary'
+        # Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
+        sub_fields: []
+        # Generate values for the following LDAP attributes automatically when creating a new record
+        autovalues:
+          - 'uid':  'md5(microtime())'               # You may specify PHP code snippets which are then eval'ed
+            'mail': '{givenname}.{sn}@mydomain.com'  # or composite strings with placeholders for existing attributes
+        sort: 'cn'    # The field to sort the listing by.
+        scope: 'sub'  # Search mode sub|base | list
+        # Used for basic listing (if not empty) and will be &'d with search queries. Example: status=act
+        filter: '(objectClass=inetOrgPerson)'
+        fuzzy_search: True  # Server allows wildcard search
+        # Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
+        vlv: False
+        # Use Virtual List View functions for autocompletion searches (if server supports it)
+        vlv_search: False
+        # With VLV, we also use numSubOrdinates to query the total number of
+        # records. Set this filter to get all numSubOrdinates attributes for
+        # counting
+        numsub_filter: '(objectClass=organizationalUnit)'
+        # Root DN to search config entries (e.g. vlv indexes)
+        config_root_dn: 'cn=config'
+        # Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
+        sizelimit: '0'
+        # Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
+        timelimit: '0'
+        # Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
+        referrals: False
+        # Sets the LDAP_OPT_DEREF option. One of: LDAP_DEREF_NEVER, LDAP_DEREF_SEARCHING, LDAP_DEREF_FINDING, LDAP_DEREF_ALWAYS
+        # Used where addressbook contains aliases to objects elsewhere in the LDAP tree.
+        dereference: 0
+
+        # Definition for contact groups (uncomment if no groups are supported)
+        # for the groups base_dn, the user replacements %fu, %u, %d and %dc work as for base_dn (see above)
+        # if the groups base_dn is empty, the contact base_dn is used for the groups as well
+        # -> in this case, assure that groups and contacts are separated due to the concernig filters!
+        groups:
+          - 'base_dn': ''
+            'scope': 'sub'  # Search mode: sub|base | list
+            'filter': '(objectClass=groupOfNames)'
+            'object_classes': [ 'top', 'groupOfNames' ]  # Object classes to be assigned to new groups
+            'member_attr':   'member'           # Name of the default member attribute, e.g. uniqueMember
+            'name_attr':     'cn'               # Attribute to be used as group name
+            'email_attr':    'mail'             # Group email address attribute (e.g. for mailing lists)
+            'member_filter': '(objectClass=*)'  # Optional filter to use when querying for group members
+            'vlv': False                        # Use VLV controls to list groups
+            'class_member_attr':                # Mapping of group object class to member attribute used in these objects
+              - 'groupOfNames': 'member'
+                'groupOfUniqueNames': 'uniqueMember'
+
+        # This configuration replaces the regular groups listing in the directory tree with
+        # a hard-conoded list of groups, each listing entries with the configured base DN and filter.
+        # if the 'groups' option from above is set, it'll be shown as the first entry with the name 'Groups'
+        group_filters:
+          - departments:
+              - 'name':      'Company Departments'
+                'scope':     'list'
+                'base_dn':   'ou=Groups,dc=mydomain,dc=com'
+                'filter':    '(| (objectclass=groupOfUniqueNames) (objectclass=groupOfURLs) )'
+                'name_attr': 'cn'
+          - customers:
+              - 'name':      'Customers'
+                'scope':     'sub'
+                'base_dn':   'ou=Customers,dc=mydomain,dc=com'
+                'filter':    '(objectClass=inetOrgPerson)'
+                'name_attr': 'sn'
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'autocomplete_addressbooks'
+    comment: |
+      An ordered array of the ids of the addressbooks that should be searched
+      when populating address autocomplete fields server-side. ex: array('sql','Verisign');
+    value: [ 'sql' ]
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'autocomplete_min_length'
+    comment: |
+      The minimum number of characters required to be typed in an autocomplete field
+      before address books will be searched. Most useful for LDAP directories that
+      may need to do lengthy results building given overly-broad searches
+    value: 1
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'autocomplete_threads'
+    comment: |
+      Number of parallel autocomplete requests.
+      If there's more than one address book, n parallel (async) requests will be created,
+      where each request will search in one address book. By default (0), all address
+      books are searched in one request.
+    value: 0
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'autocomplete_max'
+    comment: 'Max. number of entries in autocomplete popup. Default: 15.'
+    value: 15
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'address_template'
+    comment: |
+      Show address fields in this order
+      Available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
+    value: '{street}<br/>{locality} {zipcode}<br/>{country} {region}'
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'addressbook_search_mode'
+    comment: |
+      Matching mode for addressbook search (including autocompletion)
+      0 - partial (*abc*), default
+      1 - strict (abc)
+      2 - prefix (abc*)
+      Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
+    value: 0
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'contactlist_fields'
+    comment: |
+      List of fields used on contacts list and for autocompletion searches
+      Warning: These are field names not LDAP attributes (see 'fieldmap' setting)!
+    value: [ 'name', 'firstname', 'surname', 'email' ]
+    section: 'addressbook'
+    state: 'init'
+
+  - name: 'contact_search_name'
+    comment: |
+      Template of contact entry on the autocompletion list.
+      You can use contact fields as: name, email, organization, department, etc.
+      See program/steps/addressbook/func.inc for a list
+    value: '{name} <{email}>'
+    section: 'addressbook'
+    state: 'init'
+                                                                   # ]]]
+    # [[[ userprefs
+  - name: 'default_charset'
+    comment: 'Use this charset as fallback for message decoding'
+    value: 'ISO-8859-1'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'skin'
+    comment: 'Skin name: folder from skins/'
+    value: 'elastic'
+    section: 'userprefs'
+
+  - name: 'skins_allowed'
+    comment: 'Limit skins available/shown in the settings section'
+    value: []
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'standard_windows'
+    comment: |
+      Enables using standard browser windows (that can be handled as tabs)
+      instead of popup windows
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'mail_pagesize'
+    comment: 'Show up to X items in messages list view'
+    value: 50
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'addressbook_pagesize'
+    comment: 'Show up to X items in contacts list view'
+    value: 50
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'addressbook_sort_col'
+    comment: |
+      Sort contacts by this col (preferably either one of name, firstname, surname)
+    value: 'surname'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'addressbook_name_listing'
+    comment: |
+      The way how contact names are displayed in the list.
+      0: prefix firstname middlename surname suffix (only if display name is not set)
+      1: firstname middlename surname
+      2: surname firstname middlename
+      3: surname, firstname middlename
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'timezone'
+    comment: |
+      Use this timezone to display date/time
+      Valid timezone identifiers are listed here: php.net/manual/en/timezones.php
+      'auto' will use the browser's timezone settings
+    value: 'auto'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'prefer_html'
+    comment: 'Prefer displaying HTML messages'
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'show_images'
+    comment: |
+      Display remote resources (inline images, styles)
+      0 - Never, always ask
+      1 - Ask if sender is not in address book
+      2 - Always allow
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'message_extwin'
+    comment: 'Open messages in new window'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'compose_extwin'
+    comment: 'Open message compose form in new window'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'htmleditor'
+    comment: |
+      Compose html formatted messages by default
+       0 - never,
+       1 - always,
+       2 - on reply to HTML message,
+       3 - on forward or reply to HTML message
+       4 - always, except when replying to plain text message
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'compose_save_localstorage'
+    comment: |
+      Save copies of compose messages in the browser's local storage
+      for recovery in case of browser crashes and session timeout.
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'prettydate'
+    comment: 'Show pretty dates as standard'
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'draft_autosave'
+    comment: 'Save compose message every 300 seconds (5min)'
+    value: 300
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'layout'
+    comment: |
+      Interface layout. Default: 'widescreen'.
+       'widescreen' - three columns
+       'desktop'    - two columns, preview on bottom
+       'list'       - two columns, no preview
+    value: 'widescreen'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'mail_read_time'
+    comment: |
+      Mark as read when viewing a message (delay in seconds)
+      Set to -1 if messages should not be marked as read
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'logout_purge'
+    comment: 'Clear Trash on logout'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'logout_expunge'
+    comment: 'Compact INBOX on logout'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'inline_images'
+    comment: 'Display attached images below the message body'
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'mime_param_folding'
+    comment: |
+      Encoding of long/non-ascii attachment names:
+      0 - Full RFC 2231 compatible
+      1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
+      2 - Full 2047 compatible
+    value: 1
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'skip_deleted'
+    comment: |
+      Set true if deleted messages should not be displayed
+      This will make the application run slower
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'read_when_deleted'
+    comment: |
+      Set true to Mark deleted messages as read as well as deleted
+      False means that a message's read status is not affected by marking it as deleted
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'flag_for_deletion'
+    comment: |
+      Set to true to never delete messages immediately
+      Use 'Purge' to remove messages marked as deleted
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'refresh_interval'
+    comment: |
+      Default interval for auto-refresh requests (in seconds)
+      These are requests for system state updates e.g. checking for new messages, etc.
+      Setting it to 0 disables the feature.
+    value: 60
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'check_all_folders'
+    comment: 'If true all folders will be checked for recent messages'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'display_next'
+    comment: |
+      If true, after message/contact delete/move, the next message/contact will be displayed
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'default_list_mode'
+    comment: |
+      Default messages listing mode. One of 'threads' or 'list'.
+    value: 'list'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'autoexpand_threads'
+    comment: |
+      0 - Do not expand threads
+      1 - Expand all threads automatically
+      2 - Expand only threads with unread messages
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'reply_mode'
+    comment: |
+      When replying:
+      -1 - don't cite the original message
+      0  - place cursor below the original message
+      1  - place cursor above original message (top posting)
+      2  - place cursor above original message (top posting), but do not indent the quote
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'strip_existing_sig'
+    comment: 'When replying strip original signature from message'
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'show_sig'
+    comment: |
+      Show signature:
+      0 - Never
+      1 - Always
+      2 - New messages only
+      3 - Forwards and Replies only
+    value: 1
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'sig_below'
+    comment: |
+      By default the signature is placed depending on cursor position (reply_mode).
+      Sometimes it might be convenient to start the reply on top but keep
+      the signature below the quoted text (sig_below = true).
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'sig_separator'
+    comment: |
+      Enables adding of standard separator to the signature
+    value: True
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'force_7bit'
+    comment: |
+      Use MIME encoding (quoted-printable) for 8bit characters in message body
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'search_mods'
+    comment: |
+      Defaults of the search field configuration.
+      The array can contain a per-folder list of header fields which should be considered when searching
+      The entry with key '*' stands for all folders which do not have a specific list set.
+      Please note that folder names should to be in sync with $config['*_mbox'] options
+      Example: array('*' => array('subject'=>1, 'from'=>1), 'Sent' => array('subject'=>1, 'to'=>1));
+    value: null
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'addressbook_search_mods'
+    comment: |
+      Defaults of the addressbook search field configuration.
+      Example: array('name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1);
+    value: null
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'delete_junk'
+    comment: 'Directly delete messages in Junk instead of moving to Trash'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'mdn_requests'
+    comment: |
+      Behavior if a received message requests a message delivery notification (read receipt)
+      0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
+      3 = send automatically if sender is in addressbook, otherwise ask the user
+      4 = send automatically if sender is in addressbook, otherwise ignore
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'mdn_default'
+    comment: 'Return receipt checkbox default state'
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'dsn_default'
+    comment: |
+      Delivery Status Notification checkbox default state
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'reply_same_folder'
+    comment: |
+      Place replies in the folder of the message being replied to
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'forward_attachment'
+    comment: |
+      Sets default mode of Forward feature to "forward as attachment"
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'default_addressbook'
+    comment: |
+      Defines address book (internal index) to which new contacts will be added
+      By default it is the first writeable addressbook.
+      Note: Use '0' for built-in address book.
+    value: null
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'spellcheck_before_send'
+    comment: 'Enables spell checking before sending a message.'
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'autocomplete_single'
+    comment: |
+      Skip alternative email addresses in autocompletion (show one address per contact)
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'default_font'
+    comment: |
+      Default font for composed HTML message.
+      Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
+      Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
+    value: 'Verdana'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'default_font_size'
+    comment: |
+      Default font size for composed HTML message.
+      Supported sizes: 8pt, 10pt, 12pt, 14pt, 18pt, 24pt, 36pt
+    value: '10pt'
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'message_show_email'
+    comment: |
+      Enables display of email address with name instead of a name (and address in title)
+    value: False
+    section: 'userprefs'
+    state: 'init'
+
+  - name: 'reply_all_mode'
+    comment: |
+      Default behavior of Reply-All button:
+      0 - Reply-All always
+      1 - Reply-List if mailing list is detected
+    value: 0
+    section: 'userprefs'
+    state: 'init'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. envvar:: roundcube__default_configuration [[[
+#
+# This list defines Roundcube configuration options which are defined by the
+# role and override the original configuration options.
+roundcube__default_configuration:
+
+  - name: 'db_dsnw'
+    value: '{{ "sqlite:///" + roundcube__git_dest + "/"
+                            + roundcube__database_map[roundcube__database].dbname | d()
+                            + "?mode=640" }}'
+    state: '{{ "present"
+               if (roundcube__database_map[roundcube__database].dbtype == "sqlite")
+               else "ignore" }}'
+
+  - name: 'db_dsnw'
+    value: '{{ "mysql://" + roundcube__database_map[roundcube__database].dbuser | d() + ":"
+                          + roundcube__database_map[roundcube__database].dbpass | d() + "@"
+                          + roundcube__database_map[roundcube__database].dbhost | d() + "/"
+                          + roundcube__database_map[roundcube__database].dbname | d() }}'
+    state: '{{ "present"
+               if (roundcube__database_map[roundcube__database].dbtype == "mysql")
+               else "ignore" }}'
+
+  - name: 'db_dsnw'
+    value: '{{ "pgsql://" + roundcube__database_map[roundcube__database].dbuser | d() + ":"
+                          + roundcube__database_map[roundcube__database].dbpass | d() + "@"
+                          + roundcube__database_map[roundcube__database].dbhost | d() + "/"
+                          + roundcube__database_map[roundcube__database].dbname | d() }}'
+    state: '{{ "present"
+               if (roundcube__database_map[roundcube__database].dbtype == "postgresql")
+               else "ignore" }}'
+
+  - name: 'log_driver'
+    comment: |
+      Log driver: "syslog", "stdout" or "file"
+    value: '{{ roundcube__log_driver }}'
+
+  - name: 'imap_host'
+    value: '{{ roundcube__imap_server }}'
+
+    # Enable use of memcached to cache IMAP indexes, if local memcached
+    # instance is detected
+  - name: 'imap_cache'
+    value: 'memcached'
+    state: '{{ "present" if roundcube__memcached_enabled | bool else "ignore" }}'
+
+    # Enable message caching in the database if the IMAP server is remote
+  - name: 'messages_cache'
+    value: True
+    state: '{{ "ignore"
+               if (ansible_local | d() and ansible_local.dovecot | d() and
+                   (ansible_local.dovecot.installed | d()) | bool)
+               else "present" }}'
+
+  - name: 'smtp_host'
+    value: '{{ roundcube__smtp_server }}'
+
+  - name: 'smtp_user'
+    value: '{{ roundcube__smtp_user }}'
+
+  - name: 'smtp_pass'
+    value: '{{ roundcube__smtp_pass }}'
+
+    # Enable use of memcached to cache LDAP data, if local memcached instance
+    # is detected
+  - name: 'ldap_cache'
+    value: 'memcached'
+    state: '{{ "present" if roundcube__memcached_enabled | bool else "ignore" }}'
+
+    # Enable support for memcached on localhost if it's detected
+  - name: 'memcache_hosts'
+    value: '{{ roundcube__memcached_hosts }}'
+    state: '{{ "present" if roundcube__memcached_enabled | bool else "ignore" }}'
+
+    # Enable support for Redis on localhost if it's detected
+  - name: 'redis_hosts'
+    value: '{{ roundcube__redis_hosts }}'
+    state: '{{ "present" if roundcube__redis_enabled | bool else "ignore" }}'
+
+  - name: 'skin_logo'
+    value: '{{ roundcube__skin_logo }}'
+
+    # Ensure that all communication to the client is encrypted
+  - name: 'force_https'
+    value: True
+
+    # Configure preferred session storage backend
+  - name: 'session_storage'
+    value: '{{ roundcube__session_storage }}'
+    state: '{{ "present" if roundcube__session_storage | d() else "ignore" }}'
+
+  - name: 'des_key'
+    value: '{{ roundcube__des_key }}'
+
+    # Roundcube developers consider this a better choice
+  - name: 'cipher_method'
+    value: 'AES-256-CBC'
+
+  - name: 'username_domain'
+    value: '{{ roundcube__username_domain }}'
+
+    # Slow down potential bots
+  - name: 'sendmail_delay'
+    value: 5
+
+  - name: 'product_name'
+    value: '{{ roundcube__product_name }}'
+
+    # Use the system-wide MIME database from the 'mime-support' APT package
+  - name: 'mime_types'
+    value: '/etc/mime.types'
+
+    # Help mitigate mails to non-existent DNS domains
+  - name: 'email_dns_check'
+    value: True
+
+  - name: 'plugins'
+    value: '{{ roundcube__combined_plugins | debops.debops.parse_kv_items
+               | selectattr("state", "equalto", "enabled")
+               | map(attribute="name") | list | unique }}'
+
+    # Create Special Folders automatically. This will ensure that the Junk
+    # folder is present and selected in the preferences.
+  - name: 'create_default_folders'
+    value: True
+
+    # Set minimum refresh interval available to users to 5 minutes, to lower
+    # the IMAP server load.
+  - name: 'min_refresh_interval'
+    value: 300
+
+    # Enable autocompletion for the LDAP address book.
+  - name: 'autocomplete_addressbooks'
+    value: '{{ (["sql"] + (["People"] if roundcube__ldap_enabled | bool else []))
+               | flatten }}'
+    state: '{{ "present" if roundcube__ldap_enabled | bool else "ignore" }}'
+
+    # Set the default number of autocompletion characters for lower sever load.
+  - name: 'autocomplete_min_length'
+    value: 3
+
+    # Only pick single e-mail address in autocomplete, this reduces the number
+    # of entries shown to the user.
+  - name: 'autocomplete_single'
+    value: True
+
+    # Configure the access to the default LDAP address book managed by DebOps.
+    # Roundcube will use user credentials to login to the LDAP directory.
+  - name: 'ldap_public_people'
+    option: [ 'ldap_public', 'People' ]
+    section: 'addressbook'
+    state: '{{ "present" if roundcube__ldap_enabled | bool else "ignore" }}'
+    array:
+      - name: '{{ roundcube__ldap_addressbook_name }}'
+        hosts: '{{ (["tls://"] if roundcube__ldap_use_tls else [""])
+                   | product(roundcube__ldap_hosts) | map("join")
+                   | product([roundcube__ldap_port]) | map("join") }}'
+        ldap_version: 3
+        user_specific: True
+        base_dn: '{{ roundcube__ldap_people_dn | join(",") }}'
+        bind_dn: '{{ "uid=%u," + roundcube__ldap_people_dn | join(",") }}'
+        bind_pass: ''
+        search_base_dn: '{{ roundcube__ldap_base_dn | join(",") }}'
+        search_filter: '(&
+                          (objectClass=mailRecipient)
+                          (|
+                            (uid=%u)
+                            (mail=%fu)
+                          )
+                        )'
+        search_bind_dn: '{{ roundcube__ldap_binddn }}'
+        search_bind_pw: '{{ roundcube__ldap_bindpw }}'
+        filter: '(objectClass=inetOrgPerson)'
+        scope: 'sub'
+        searchonly: True
+        vlv: False
+        sort: 'sn'
+        search_fields: [ 'sn', 'cn', 'mail', 'telephoneNumber' ]
+        hidden: '{{ roundcube__ldap_hidden }}'
+        writable: False
+        groups:
+          - base_dn: '{{ roundcube__ldap_groups_dn | join(",") }}'
+            filter: '(objectClass=groupOfNames)'
+            object_classes: [ 'groupOfNames' ]
+        fieldmap: [ '{{ roundcube__ldap_field_map }}' ]
+
+    # Set the default mail charset to Unicode
+  - name: 'default_charset'
+    value: 'UTF-8'
+
+  - name: 'skin'
+    value: '{{ roundcube__skin_folder }}'
+
+    # Don't prefer HTML message view by default
+  - name: 'prefer_html'
+    value: False
+
+    # Refresh the mail status in longer intervals (15 minutes) by default, to
+    # make the IMAP server load lower.
+  - name: 'refresh_interval'
+    value: 900
+
+    # Delete spam messages without moving them to Trash first
+  - name: 'delete_junk'
+    value: True
+
+    # Forward e-mails as attachments by default
+  - name: 'forward_attachment'
+    value: True
+
+    # Display the sender e-mail address by default to help users detect forged
+    # senders
+  - name: 'message_show_email'
+    value: True
+
+    # Better support for mailing lists
+  - name: 'reply_all_mode'
+    value: 1
+
+  - name: 'swipe_actions'
+    comment: |
+      Configuration for the 'swipe' Roundcube plugin
+    array:
+      - messagelist:
+          - left:  'swipe-read'
+            right: 'move'
+            down:  'checkmail'
+      - contactlist:
+          - left:  'none'
+            right: 'compose'
+            down:  'none'
+
+  - name: 'enable_spellcheck'
+    value: True
+    state: 'present'
+
+  - name: 'spellcheck_engine'
+    value: 'enchant'
+    state: 'present'
+
+  - name: 'spellcheck_ignore_caps'
+    value: True
+    state: 'present'
+
+  - name: 'spellcheck_ignore_nums'
+    value: True
+    state: 'present'
+
+  - name: 'spellcheck_ignore_syms'
+    value: True
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__configuration [[[
+#
+# This list defines Roundcube configuration options which should be present on
+# all hosts in the Ansible inventory.
+roundcube__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__group_configuration [[[
+#
+# This list defines Roundcube configuration options which should be present on
+# hosts in a specific Ansible inventory group.
+roundcube__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__host_configuration [[[
+#
+# This list defines Roundcube configuration options which should be present on
+# specific hosts in the Ansible inventory.
+roundcube__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__combined_configuration [[[
+#
+# This variable combines all Roundcube configuration lists and is used in role
+# tasks and templates.
+roundcube__combined_configuration: '{{ roundcube__original_configuration
+                                       + roundcube__default_configuration
+                                       + roundcube__configuration
+                                       + roundcube__group_configuration
+                                       + roundcube__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration file sections [[[
+# -------------------------------
+
+# These variables define the sections in the Roundcube
+# :file:`config/config.inc.php` configuration file. See
+# :ref:`roundcube__ref_configuration_sections` for more details.
+
+# .. envvar:: roundcube__default_configuration_sections [[[
+#
+# The list of the default configuration sections defined by the role.
+roundcube__default_configuration_sections:
+
+  - name: 'init'
+    state: 'hidden'
+
+  - name: 'sql'
+    title: 'SQL DATABASE'
+
+  - name: 'logging'
+    title: 'LOGGING/DEBUGGING'
+
+  - name: 'imap'
+
+  - name: 'smtp'
+
+  - name: 'ldap'
+
+  - name: 'cache'
+    title: 'CACHE(S)'
+
+  - name: 'system'
+
+  - name: 'plugins'
+
+  - name: 'ui'
+    title: 'USER INTERFACE'
+
+  - name: 'addressbook'
+    title: 'ADDRESSBOOK SETTINGS'
+
+  - name: 'userprefs'
+    title: 'USER PREFERENCES'
+
+  - name: 'unknown'
+    title: 'OTHER OPTIONS'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__configuration_sections [[[
+#
+# List of configuration sections defined by the user.
+roundcube__configuration_sections: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__combined_configuration_sections [[[
+#
+# Variable which combines all of the configuration section lists and is used in
+# role tasks and templates.
+roundcube__combined_configuration_sections: '{{ roundcube__default_configuration_sections
+                                                + roundcube__configuration_sections }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Roundcube plugins [[[
+# ---------------------
+
+# The variables below contain configuration of Roundcube plugins installed
+# using PHP Composer. See :ref:`roundcube__ref_plugins` for more details.
+
+# .. envvar:: roundcube__default_plugins [[[
+#
+# List of Roundcube plugins configured by the role.
+roundcube__default_plugins:
+
+    # Plugin that adds a new button to the toolbar to move messages to a (user
+    # selectable) archive folder.
+  - name: 'archive'
+    state: 'enabled'
+
+    # This is a core plugin which provides support for handling attachments
+    # through the filesystem. It might be required by other plugins.
+  - name: 'filesystem_attachments'
+    state: 'enabled'
+
+    # This plugin provides jQuery library and features for other plugins.
+  - name: 'jqueryui'
+    state: 'enabled'
+
+    # This plugin adds an option to download all attachments to a message in
+    # one zip file, when a message has multiple attachments. The plugin also
+    # allows the download of a selection of messages in 1 zip file.
+  - name: 'zipdownload'
+    state: 'enabled'
+    options:
+
+      - name: 'zipdownload_attachments'
+        comment: |
+          Zip attachments
+          Only show the link when there are more than this many attachments
+          -1 to prevent downloading of attachments as zip
+        value: 1
+
+      - name: 'zipdownload_selection'
+        comment: |
+          Zip selection of mail messages
+          This option enables downloading of multiple messages as one zip archive.
+          The number or string value specifies maximum total size of all messages
+          in the archive (not the size of the archive itself).
+        value: '50MB'
+
+      - name: 'zipdownload_charset'
+        comment: |
+          Charset to use for filenames inside the zip
+        value: 'UTF-8'
+
+    # This entry installs the libraries required for LDAP support in Roundcube.
+    # It's not a real plugin.
+  - name: 'ldap_support'
+    package: 'kolab/net_ldap3'
+    state: '{{ "present" if roundcube__ldap_enabled | bool else "ignore" }}'
+
+    # This plugin adds right-click context menus to various parts of the
+    # Roundcube interface.
+  - name: 'contextmenu'
+    package: 'johndoh/contextmenu{{ ":3.2.1"
+              if roundcube__git_version is version("1.5", "<") else "" }}'
+    state: 'enabled'
+
+    # This plugin provides a toolbar button and folder menu option which
+    # calculates and displays the sizes of the message folders.
+  - name: 'show_folder_size'
+    package: 'jfcherng/show-folder-size'
+    state: 'enabled'
+    options:
+
+      - name: 'auto_show_folder_size'
+        comment: |
+          Automatically show the folder size without clicking on the toolbar button.
+          This could be a serious performance penalty if there are many users
+        value: False
+
+      - name: 'show_mailboxoptions_button'
+        comment: 'Show mailbox options button'
+        value: True
+
+      - name: 'show_toolbar_button'
+        comment: 'Show the toolbar button'
+        value: False
+
+    # This plugin adds a button on the main toolbar which opens the
+    # Nextcloud/ownCloud instance at specified URL.
+  - name: 'cloud_button'
+    package: 'san4op/cloud_button'
+    state: 'enabled'
+    options:
+
+      - name: 'cloud_button_url'
+        comment: 'URL to cloud storage'
+        value: '{{ "https://cloud." + ansible_domain + "/" }}'
+
+    # This plugin uses the LDAP directory to create the user identity at login.
+    # Roundcube 1.4.x might need to be patched for this to work correctly.
+    # See: https://github.com/roundcube/roundcubemail/issues/7667
+  - name: 'new_user_identity'
+    state: '{{ "enabled" if roundcube__ldap_enabled | bool else "ignore" }}'
+    options:
+
+      - name: 'new_user_identity_addressbook'
+        comment: |
+          The id of the address book to use to automatically set a
+          user's full name in their new identity. (This should be an
+          string, which refers to the $config['ldap_public'] array.)
+        value: 'People'
+
+      - name: 'new_user_identity_match'
+        comment: |
+          When automatically setting a user's full name in their
+          new identity, match the user's login name against this field.
+        value: 'mail'
+
+      - name: 'new_user_identity_onlogin'
+        comment: |
+          Determine whether to import user's identities on each login.
+          New user identity will be created for each e-mail address
+          present in address book, but not assigned to any identity.
+        value: True
+
+  - name: 'password'
+    state: '{{ "enabled" if roundcube__ldap_password_enabled | bool else "absent" }}'
+    options:
+
+      - name: 'password_driver'
+        comment: |
+          Password Plugin options
+          -----------------------
+          A driver to use for password change. Default: "sql".
+          See README file for list of supported driver names.
+        value: '{{ "ldap_exop" if roundcube__ldap_password_enabled | bool else "sql" }}'
+
+      - name: 'password_strength_driver'
+        comment: |
+          A driver to use for checking password strength. Default: null (disabled).
+          See README file for list of supported driver names.
+        value: null
+
+      - name: 'password_confirm_current'
+        comment: |
+          Determine whether current password is required to change password.
+          Default: false.
+        value: True
+
+      - name: 'password_minimum_length'
+        comment: |
+          Require the new password to be a certain length.
+          set to blank to allow passwords of any length
+        value: 0
+
+      - name: 'password_minimum_score'
+        comment: |
+          Require the new password to have at least the specified strength score.
+          Note: Password strength is scored from 1 (week) to 5 (strong).
+        value: 0
+
+      - name: 'password_log'
+        comment: |
+          Enables logging of password changes into logs/password
+        value: False
+
+      - name: 'password_login_exceptions'
+        comment: |
+          Comma-separated list of login exceptions for which password change
+          will be not available (no Password tab in Settings)
+        value: null
+
+      - name: 'password_hosts'
+        comment: |
+          Array of hosts that support password changing.
+          Listed hosts will feature a Password option in Settings; others will not.
+          Example: array('mail.example.com', 'mail2.example.org');
+          Default is NULL (all hosts supported).
+        value: null
+
+      - name: 'password_force_save'
+        comment: |
+          Enables saving the new password even if it matches the old password. Useful
+          for upgrading the stored passwords after the encryption scheme has changed.
+        value: False
+
+      - name: 'password_force_new_user'
+        comment: |
+          Enables forcing new users to change their password at their first login.
+        value: False
+
+      - name: 'password_algorithm'
+        comment: |
+          Default password hashing/crypting algorithm.
+          Possible options: des-crypt, ext-des-crypt, md5-crypt, blowfish-crypt,
+          sha256-crypt, sha512-crypt, md5, sha, smd5, ssha, ssha512, samba, ad, dovecot, clear.
+          For details see password::hash_password() method.
+        value: 'clear'
+
+      - name: 'password_algorithm_prefix'
+        comment: |
+          Password prefix (e.g. {CRYPT}, {SHA}) for passwords generated
+          using password_algorithm above. Default: empty.
+        value: ''
+
+      - name: 'password_dovecotpw'
+        comment: |
+          Path for dovecotpw/doveadm-pw (if not in the $PATH).
+          Used for password_algorithm = 'dovecot'.
+          $config['password_dovecotpw'] = '/usr/local/sbin/dovecotpw'; // for dovecot-1.x
+        value: '/usr/bin/doveadm pw'  # for dovecot-2.x
+
+      - name: 'password_dovecotpw_method'
+        comment: |
+          Dovecot password scheme.
+          Used for password_algorithm = 'dovecot'.
+        value: 'CRAM-MD5'
+
+      - name: 'password_dovecotpw_with_method'
+        comment: |
+          Enables use of password with method prefix, e.g. {MD5}$1$LUiMYWqx$fEkg/ggr/L6Mb2X7be4i1/
+          when using password_algorithm=dovecot
+        value: False
+
+      - name: 'password_blowfish_cost'
+        comment: |
+          Iteration count parameter for Blowfish-based hashing algo.
+          It must be between 4 and 31. Default: 12.
+          Be aware, the higher the value, the longer it takes to generate the password hashes.
+        value: 12
+
+      - name: 'password_crypt_rounds'
+        comment: |
+          Number of rounds for the sha256 and sha512 crypt hashing algorithms.
+          Must be at least 1000. If not set, then the number of rounds is left up
+          to the crypt() implementation. On glibc this defaults to 5000.
+          Be aware, the higher the value, the longer it takes to generate the password hashes.
+        value: 50000
+
+      - name: 'password_disabled'
+        comment: |
+          This option temporarily disables the password change functionality.
+          Use it when the users database server is in maintenance mode or sth like that.
+          You can set it to TRUE/FALSE or a text describing the reason
+          which will replace the default.
+        value: False
+
+      - name: 'password_username_format'
+        comment: |
+          Various drivers/setups use different format of the username.
+          This option allows you to force specified format use. Default: '%u'.
+          Supported variables:
+              %u - full username,
+              %l - the local part of the username (in case the username is an email address)
+              %d - the domain part of the username (in case the username is an email address)
+          Note: This may no apply to some drivers implementing their own rules, e.g. sql.
+        value: '%u'
+
+      - name: 'password_db_dsn'
+        comment: |
+          SQL Driver options
+          ------------------
+          PEAR database DSN for performing the query. By default
+          Roundcube DB settings are used.
+          Supported replacement variables:
+          %h - user's IMAP hostname
+          %n - hostname ($_SERVER['SERVER_NAME'])
+          %t - hostname without the first part
+          %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+          %z - IMAP domain (IMAP hostname without the first part)
+        value: ''
+
+      - name: 'password_query'
+        comment: |
+          The SQL query used to change the password.
+          The query can contain the following macros that will be expanded as follows:
+               %p is replaced with the plaintext new password
+               %P is replaced with the encrypted/hashed new password
+                  according to configured password_method
+               %o is replaced with the old (current) password
+               %O is replaced with the encrypted/hashed old (current) password
+                  according to configured password_method
+               %h is replaced with the imap host (from the session info)
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username
+                  (in case the username is an email address)
+               %d is replaced with the domain part of the username
+                  (in case the username is an email address)
+          Deprecated macros:
+               %c is replaced with the crypt version of the new password, MD5 if available
+                  otherwise DES. More hash function can be enabled using the password_crypt_hash
+                  configuration parameter.
+               %D is replaced with the dovecotpw-crypted version of the new password
+               %n is replaced with the hashed version of the new password
+               %q is replaced with the hashed password before the change
+          Escaping of macros is handled by this module.
+          Default: "SELECT update_passwd(%c, %u)"
+        value: 'SELECT update_passwd(%c, %u)'
+
+      - name: 'password_crypt_hash'
+        comment: |
+          By default the crypt() function which is used to create the %c
+          parameter uses the md5 algorithm (deprecated, use %P).
+          You can choose between: des, md5, blowfish, sha256, sha512.
+        value: 'md5'
+
+      - name: 'password_idn_ascii'
+        comment: |
+          By default domains in variables are using unicode.
+          Enable this option to use punycoded names
+        value: False
+
+      - name: 'password_hash_algorithm'
+        comment: |
+          Using a password hash for %n and %q variables (deprecated, use %P).
+          Determine which hashing algorithm should be used to generate
+          the hashed new and current password for using them within the
+          SQL query. Requires PHP's 'hash' extension.
+        value: 'sha1'
+
+      - name: 'password_hash_base64'
+        comment: |
+          You can also decide whether the hash should be provided
+          as hex string or in base64 encoded format.
+        value: False
+
+      - name: 'password_pop_host'
+        comment: |
+          Poppassd Driver options
+          -----------------------
+          The host which changes the password (default: localhost)
+          Supported replacement variables:
+            %n - hostname ($_SERVER['SERVER_NAME'])
+            %t - hostname without the first part
+            %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+            %h - IMAP host
+            %z - IMAP domain without first part
+            %s - domain name after the '@' from e-mail address provided at login screen
+        value: 'localhost'
+
+      - name: 'password_pop_port'
+        comment: |
+          TCP port used for poppassd connections (default: 106)
+        value: 106
+
+      - name: 'password_saslpasswd_args'
+        comment: |
+          SASL Driver options
+          -------------------
+          Additional arguments for the saslpasswd2 call
+        value: ''
+
+      - name: 'password_ldap_host'
+        comment: |
+          LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
+          -----------------------------------
+          LDAP server name to connect to.
+          You can provide one or several hosts in an array in which case the hosts are tried from left to right.
+          Example: array('ldap1.example.com', 'ldap2.example.com');
+          Default: 'localhost'
+        value: '{{ (roundcube__ldap_hosts | first)
+                   if roundcube__ldap_hosts | d()
+                   else "" }}'
+
+      - name: 'password_ldap_port'
+        comment: |
+          LDAP server port to connect to
+          Default: '389'
+        value: '{{ roundcube__ldap_port }}'
+
+      - name: 'password_ldap_starttls'
+        comment: |
+          TLS is started after connecting
+          Using TLS for password modification is recommended.
+          Default: false
+        value: '{{ roundcube__ldap_use_tls | bool }}'
+
+      - name: 'password_ldap_version'
+        comment: |
+          LDAP version
+          Default: '3'
+        value: '3'
+
+      - name: 'password_ldap_basedn'
+        comment: |
+          LDAP base name (root directory)
+          Example: 'dc=example,dc=com'
+        value: '{{ roundcube__ldap_base_dn | join(",") }}'
+
+      - name: 'password_ldap_method'
+        comment: |
+          LDAP connection method
+          There are two connection methods for changing a user's LDAP password.
+          'user': use user credential (recommended, require password_confirm_current=true)
+          'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW)
+          Default: 'user'
+        value: 'user'
+
+      - name: 'password_ldap_adminDN'
+        comment: |
+          LDAP Admin DN
+          Used only in admin connection mode
+          Default: null
+        value: null
+
+      - name: 'password_ldap_adminPW'
+        comment: |
+          LDAP Admin Password
+          Used only in admin connection mode
+          Default: null
+        value: null
+
+      - name: 'password_ldap_userDN_mask'
+        comment: |
+          LDAP user DN mask
+          The user's DN is mandatory and as we only have his login,
+          we need to re-create his DN using a mask
+          '%login' will be replaced by the current roundcube user's login
+          '%name' will be replaced by the current roundcube user's name part
+          '%domain' will be replaced by the current roundcube user's domain part
+          '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
+          Example: 'uid=%login,ou=people,dc=example,dc=com'
+        value: 'uid=%login,ou=people,dc=example,dc=com'
+        state: 'comment'  # use searches instead
+
+      - name: 'password_ldap_searchDN'
+        comment: |
+          LDAP search DN
+          The DN roundcube should bind with to find out user's DN
+          based on his login. Note that you should comment out the default
+          password_ldap_userDN_mask setting for this to take effect.
+          Use this if you cannot specify a general template for user DN with
+          password_ldap_userDN_mask. You need to perform a search based on
+          users login to find his DN instead. A common reason might be that
+          your users are placed under different ou's like engineering or
+          sales which cannot be derived from their login only.
+        value: '{{ roundcube__ldap_binddn }}'
+
+      - name: 'password_ldap_searchPW'
+        comment: |
+          LDAP search password
+          If password_ldap_searchDN is set, the password to use for
+          binding to search for user's DN. Note that you should comment out the default
+          password_ldap_userDN_mask setting for this to take effect.
+          Warning: Be sure to set appropriate permissions on this file so this password
+          is only accessible to roundcube and don't forget to restrict roundcube's access to
+          your directory as much as possible using ACLs. Should this password be compromised
+          you want to minimize the damage.
+        value: '{{ roundcube__ldap_bindpw }}'
+
+      - name: 'password_ldap_search_base'
+        comment: |
+          LDAP search base
+          If password_ldap_searchDN is set, the base to search in using the filter below.
+          Note that you should comment out the default password_ldap_userDN_mask setting
+          for this to take effect.
+        value: '{{ roundcube__ldap_base_dn | join(",") }}'
+
+      - name: 'password_ldap_search_filter'
+        comment: |
+          LDAP search filter
+          If password_ldap_searchDN is set, the filter to use when
+          searching for user's DN. Note that you should comment out the default
+          password_ldap_userDN_mask setting for this to take effect.
+          '%login' will be replaced by the current roundcube user's login
+          '%name' will be replaced by the current roundcube user's name part
+          '%domain' will be replaced by the current roundcube user's domain part
+          '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
+          Example: '(uid=%login)'
+          Example: '(&(objectClass=posixAccount)(uid=%login))'
+        value: '(&
+                  (objectClass=mailRecipient)
+                  (|
+                    (uid=%name)
+                    (mail=%login)
+                  )
+                )'
+
+      - name: 'password_ldap_encodage'
+        comment: |
+          LDAP password hash type
+          Standard LDAP encryption type which must be one of: crypt,
+          ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, ad, cram-md5 (dovecot style) or clear.
+          Set to 'default' if you want to use method specified in password_algorithm option above.
+          Multiple password Values can be generated by concatenating encodings with a +. E.g. 'cram-md5+crypt'
+          Default: 'crypt'.
+        value: 'clear'  # default: crypt
+
+      - name: 'password_ldap_pwattr'
+        comment: |
+          LDAP password attribute
+          Name of the ldap's attribute used for storing user password
+          Default: 'userPassword'
+        value: 'userPassword'
+
+      - name: 'password_ldap_force_replace'
+        comment: |
+          LDAP password force replace
+          Force LDAP replace in cases where ACL allows only replace not read
+          See https://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
+          Default: true
+        value: True
+
+      - name: 'password_ldap_lchattr'
+        comment: |
+          LDAP Password Last Change Date
+          Some places use an attribute to store the date of the last password change
+          The date is measured in "days since epoch" (an integer value)
+          Whenever the password is changed, the attribute will be updated if set (e.g. shadowLastChange)
+        value: ''
+
+      - name: 'password_ldap_samba_pwattr'
+        comment: |
+          LDAP Samba password attribute, e.g. sambaNTPassword
+          Name of the LDAP's Samba attribute used for storing user password
+        value: ''
+
+      - name: 'password_ldap_samba_lchattr'
+        comment: |
+          LDAP Samba Password Last Change Date attribute, e.g. sambaPwdLastSet
+          Some places use an attribute to store the date of the last password change
+          The date is measured in "seconds since epoch" (an integer value)
+          Whenever the password is changed, the attribute will be updated if set
+        value: ''
+
+      - name: 'password_ldap_ppolicy_cmd'
+        comment: |
+          LDAP PPolicy Driver options
+          -----------------------------------
+          LDAP Change password command - filename of the perl script
+          Example: 'change_ldap_pass.pl'
+        value: 'change_ldap_pass.pl'
+
+      - name: 'password_ldap_ppolicy_uri'
+        comment: |
+          LDAP URI
+          Example: 'ldap://ldap.example.com/ ldaps://ldap2.example.com:636/'
+        value: 'ldap://localhost/'
+
+      - name: 'password_ldap_ppolicy_basedn'
+        comment: |
+          LDAP base name (root directory)
+          Example: 'dc=example,dc=com'
+        value: 'dc=example,dc=com'
+
+      - name: 'password_ldap_ppolicy_searchDN'
+        value: 'cn=someuser,dc=example,dc=com'
+
+      - name: 'password_ldap_ppolicy_searchPW'
+        value: 'secret'
+
+      - name: 'password_ldap_policy_search_filter'
+        comment: |
+          LDAP search filter
+          Example: '(uid=%login)'
+          Example: '(&(objectClass=posixAccount)(uid=%login))'
+        value: '(uid=%login)'
+
+      - name: 'password_ldap_ppolicy_cafile'
+        comment: |
+          CA Certificate file if in URI is LDAPS connection
+        value: '/etc/ssl/certs/ca-certificates.crt'
+
+      - name: 'password_directadmin_host'
+        comment: |
+          DirectAdmin Driver options
+          --------------------------
+          The host which changes the password
+          Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
+          The host can contain the following macros that will be expanded as follows:
+              %h is replaced with the imap host (from the session info)
+              %d is replaced with the domain part of the username (if the username is an email)
+        value: 'tcp://localhost'
+
+      - name: 'password_directadmin_port'
+        comment: |
+          TCP port used for DirectAdmin connections
+        value: 2222
+
+      - name: 'password_vpopmaild_host'
+        comment: |
+          vpopmaild Driver options
+          -----------------------
+          The host which changes the password
+        value: 'localhost'
+
+      - name: 'password_vpopmaild_port'
+        comment: |
+          TCP port used for vpopmaild connections
+        value: 89
+
+      - name: 'password_vpopmaild_timeout'
+        comment: |
+          Timeout used for the connection to vpopmaild (in seconds)
+        value: 10
+
+      - name: 'password_cpanel_host'
+        comment: |
+          cPanel Driver options
+          --------------------------
+          The cPanel Host name
+        value: 'host.domain.com'
+
+      - name: 'password_cpanel_username'
+        comment: |
+          The cPanel admin username
+        value: 'username'
+
+      - name: 'password_cpanel_password'
+        comment: |
+          The cPanel admin password
+        value: 'password'
+
+      - name: 'password_cpanel_hash'
+        comment: |
+          The cPanel admin hash
+          If you prefer to use a hash (Remote Access Key) instead of plain password, enter it below.
+          Hash takes precedence over password auth.
+          You can generate a Remote Access Key in WHM -> Clusters -> Remote Access Key
+        value: ''
+
+      - name: 'password_cpanel_port'
+        comment: |
+          The cPanel port to use
+        value: 2087
+
+      - name: 'password_cpanel_webmail_host'
+        comment: |
+          cPanel Webmail Driver options
+          -----------------------------
+          The cPanel Host name
+        value: 'host.domain.com'
+
+      - name: 'password_cpanel_webmail_port'
+        comment: |
+          The cPanel port to use
+        value: 2096
+
+      - name: 'password_ximss_host'
+        comment: |
+          XIMSS (Communigate server) Driver options
+          -----------------------------------------
+          Host name of the Communigate server
+        value: 'mail.example.com'
+
+      - name: 'password_ximss_port'
+        comment: |
+          XIMSS port on Communigate server
+        value: 11024
+
+      - name: 'password_chpasswd_cmd'
+        comment: |
+          chpasswd Driver options
+          ---------------------
+          Command to use (see "Sudo setup" in README)
+        value: 'sudo /usr/sbin/chpasswd 2> /dev/null'
+
+      - name: 'xmail_host'
+        comment: |
+          XMail Driver options
+          ---------------------
+        value: 'localhost'
+
+      - name: 'xmail_user'
+        value: 'YourXmailControlUser'
+
+      - name: 'xmail_pass'
+        value: 'YourXmailControlPass'
+
+      - name: 'xmail_port'
+        value: 6017
+
+      - name: 'hmailserver_remote_dcom'
+        comment: |
+          hMail Driver options
+          -----------------------
+          Remote hMailServer configuration
+          true:  HMailserver is on a remote box (php.ini: com.allow_dcom = true)
+          false: Hmailserver is on same box as PHP
+        value: False
+
+      - name: 'hmailserver_server'
+        comment: 'Windows credentials'
+        array:
+          - Server: 'localhost'
+          - Username: 'administrator'
+          - Password: 'password'
+
+      - name: 'password_pw_usermod_cmd'
+        comment: |
+          pw_usermod Driver options
+          --------------------------
+          Use comma delimited exlist to disable password change for users.
+          See "Sudo setup" in README file.
+        value: 'sudo /usr/sbin/pw usermod -h 0 -n'
+
+      - name: 'password_dbmail_args'
+        comment: |
+          DBMail Driver options
+          -------------------
+          Additional arguments for the dbmail-users call
+        value: '-p sha512'
+
+      - name: 'password_expect_bin'
+        comment: |
+          Expect Driver options
+          ---------------------
+          Location of expect binary
+        value: '/usr/bin/expect'
+
+      - name: 'password_expect_script'
+        comment: |
+          Location of expect script (see helpers/passwd-expect)
+        value: ''
+
+      - name: 'password_expect_params'
+        comment: |
+          Arguments for the expect script. See the helpers/passwd-expect file for details.
+          This is probably a good starting default:
+            -telent -host localhost -output /tmp/passwd.log -log /tmp/passwd.log
+        value: ''
+
+      - name: 'password_smb_host'
+        comment: |
+          smb Driver options
+          ---------------------
+          Samba host (default: localhost)
+          Supported replacement variables:
+          %n - hostname ($_SERVER['SERVER_NAME'])
+          %t - hostname without the first part
+          %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+        value: 'localhost'
+
+      - name: 'password_smb_cmd'
+        comment: |
+          Location of smbpasswd binary (default: /usr/bin/smbpasswd)
+        value: '/usr/bin/smbpasswd'
+
+      - name: 'password_gearman_host'
+        comment: |
+          gearman driver options
+          ---------------------
+          Gearman host (default: localhost)
+        value: 'localhost'
+
+      - name: 'password_plesk_host'
+        comment: |
+          Plesk/PPA Driver options
+          --------------------
+          You need to allow RCP for IP of roundcube-server in Plesk/PPA Panel
+
+          Plesk RCP Host
+        value: '10.0.0.5'
+
+      - name: 'password_plesk_user'
+        comment: 'Plesk RPC Username'
+        value: 'admin'
+
+      - name: 'password_plesk_pass'
+        comment: 'Plesk RPC Password'
+        value: 'password'
+
+      - name: 'password_plesk_rpc_port'
+        comment: 'Plesk RPC Port'
+        value: '8443'
+
+      - name: 'password_plesk_rpc_path'
+        comment: 'Plesk RPC Path'
+        value: 'enterprise/control/agent.php'
+
+      - name: 'password_kpasswd_cmd'
+        comment: |
+          kasswd Driver options
+          ---------------------
+          Command to use
+        value: '/usr/bin/kpasswd'
+
+      - name: 'password_modoboa_api_token'
+        comment: |
+          Modoboa Driver options
+          ---------------------
+          put token number from Modoboa server
+        value: ''
+
+  - name: 'help'
+    state: 'enabled'
+    options:
+
+      - name: 'help_source'
+        comment: |
+          Help content iframe source
+          %l will be replaced by the language code resolved using the 'help_language_map' option
+          If you are serving roundcube via https, then change this URL to https also.
+        value: 'https://docs.roundcube.net/doc/help/1.1/%l/'
+
+      - name: 'help_index_map'
+        comment: |
+          Map task/action combinations to deep-links
+          Use '<task>/<action>' or only '<task>' strings as keys
+          The values will be appended to the 'help_source' URL
+        array:
+          - 'login':                'login.html'
+            'mail':                 'mail/index.html'
+            'mail/compose':         'mail/compose.html'
+            'addressbook':          'addressbook/index.html'
+            'settings':             'settings/index.html'
+            'settings/preferences': 'settings/preferences.html'
+            'settings/folders':     'settings/folders.html'
+            'settings/identities':  'settings/identities.html'
+
+      - name: 'help_language_map'
+        comment: |
+          Map to translate Roundcube language codes into help document languages
+          The '*' entry will be used as default
+        array:
+          - '*': 'en_US'
+
+      - name: 'help_about_url'
+        comment: |
+          Enter an absolute URL to a page displaying information about this webmail
+          Alternatively, create a HTML file under <this-plugin-dir>/content/about.html
+        value: null
+
+      - name: 'help_license_url'
+        comment: |
+          Enter an absolute URL to a page displaying information about this webmail
+          Alternatively, put your license text to <this-plugin-dir>/content/license.html
+        value: null
+
+      - name: 'help_open_extwin'
+        comment: 'Determine whether to open the elp in a new window'
+        value: False
+
+      - name: 'help_csrf_info'
+        comment: 'URL to additional information about CSRF protection'
+        value: null
+
+  - name: 'markasjunk'
+    state: 'enabled'
+    options:
+
+      - name: 'markasjunk_learning_driver'
+        comment: |
+          Learning driver
+          Use an external process such as sa-learn to learn from spam/ham messages. Default: null.
+          Please see the README for more information
+        value: null
+
+      - name: 'markasjunk_ham_mbox'
+        comment: |
+          Ham mailbox
+          Mailbox messages should be moved to when they are marked as ham. null = INBOX
+          set to FALSE to disable message moving
+        value: null
+
+      - name: 'markasjunk_spam_mbox'
+        comment: |
+          Spam mailbox
+          Mailbox messages should be moved to when they are marked as spam.
+          null = the mailbox assigned as the spam folder in Roundcube settings
+          set to FALSE to disable message moving
+        value: null
+
+      - name: 'markasjunk_read_spam'
+        comment: 'Mark messages as read when reporting them as spam'
+        value: True  # original: False
+
+      - name: 'markasjunk_unread_ham'
+        comment: 'Mark messages as unread when reporting them as ham'
+        value: True  # original: False
+
+      - name: 'markasjunk_spam_flag'
+        comment: |
+          Add flag to messages marked as spam (flag will be removed when marking as ham)
+          If you do not want to use message flags set this to false
+        value: 'Junk'
+
+      - name: 'markasjunk_ham_flag'
+        comment: |
+          Add flag to messages marked as ham (flag will be removed when marking as spam)
+          If you do not want to use message flags set this to false
+        value: 'NonJunk'
+
+      - name: 'markasjunk_debug'
+        comment: 'Write output from spam/ham commands to the log for debug'
+        value: False
+
+      - name: 'markasjunk_toolbar'
+        comment: |
+          The mark as spam/ham icon can either be displayed on the toolbar or as part of the mark messages menu.
+          Set to False to use Mark menu instead of the toolbar. Default: true.
+        value: True
+
+      - name: 'markasjunk_move_spam'
+        comment: |
+          Learn any message moved to the spam mailbox as spam (not just when the button is pressed)
+        value: True  # original: False
+
+      - name: 'markasjunk_move_ham'
+        comment: |
+          Learn any message moved from the spam mailbox to the ham mailbox as ham (not just when the button is pressed)
+        value: True  # original: False
+
+      - name: 'markasjunk_permanently_remove'
+        comment: |
+          Some drivers create new copies of the target message(s), in this case the original message(s) will be deleted
+          Rather than deleting the message(s) (moving to Trash) setting this option true will cause the original message(s) to be permanently removed
+        value: False
+
+      - name: 'markasjunk_spam_only'
+        comment: 'Display only a mark as spam button'
+        value: False
+
+      - name: 'markasjunk_allowed_hosts'
+        comment: |
+          Activate markasjunk for selected mail hosts only. If this is not set all mail hosts are allowed.
+          Example: $config['markasjunk_allowed_hosts'] = array('mail1.domain.tld', 'mail2.domain.tld');
+        value: null
+
+      - name: 'markasjunk_host_config'
+        comment: |
+          Load specific config for different mail hosts
+          Example: $config['markasjunk_host_config'] = array(
+             'mail1.domain.tld' => 'mail1_config.inc.php',
+             'mail2.domain.tld' => 'mail2_config.inc.php',
+          );
+        value: null
+
+      - name: 'markasjunk_spam_cmd'
+        comment: |
+          cmd_learn Driver options
+          ------------------------
+          The command used to learn that a message is spam
+          The command can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %i is replaced with the email address from the user's default identity
+               %s is replaced with the email address the message is from
+               %f is replaced with the path to the message file
+               %h:<header name> is replaced with the content of that header from the message (lower case) eg: %h:x-dspam-signature
+          If you do not want to run the command set this to null
+        value: null
+
+      - name: 'markasjunk_ham_cmd'
+        comment: |
+          The command used to learn that a message is ham
+          The command can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %i is replaced with the email address from the user's default identity
+               %s is replaced with the email address the message is from
+               %f is replaced with the path to the message file
+               %h:<header name> is replaced with the content of that header from the message (lower case) eg: %h:x-dspam-signature
+          If you do not want to run the command set this to null
+        value: null
+
+      - name: 'markasjunk_spam_dir'
+        comment: |
+          dir_learn Driver options
+          ------------------------
+          The full path of the directory used to store spam (must be writable by webserver)
+        value: null
+
+      - name: 'markasjunk_ham_dir'
+        comment: |
+          The full path of the directory used to store ham (must be writable by webserver)
+        value: null
+
+      - name: 'markasjunk_filename'
+        comment: |
+          The filename prefix
+          The filename can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %t is replaced with the type of message (spam/ham)
+        value: null
+
+      - name: 'markasjunk_email_spam'
+        comment: |
+          email_learn Driver options
+          --------------------------
+          The email address that spam messages will be sent to
+          The address can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %i is replaced with the email address from the user's default identity
+          If you do not want to send an email set this to null
+        value: null
+
+      - name: 'markasjunk_email_ham'
+        comment: |
+          The email address that ham messages will be sent to
+          The address can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %i is replaced with the email address from the user's default identity
+          If you do not want to send an email set this to null
+        value: null
+
+      - name: 'markasjunk_email_attach'
+        comment: 'Should the spam/ham message be sent as an attachment'
+        value: True
+
+      - name: 'markasjunk_email_subject'
+        comment: |
+          The email subject (when sending as attachment)
+          The subject can contain the following macros that will be expanded as follows:
+               %u is replaced with the username (from the session info)
+               %l is replaced with the local part of the username (if the username is an email address)
+               %d is replaced with the domain part of the username (if the username is an email address or default mail domain if not)
+               %t is replaced with the type of message (spam/ham)
+        value: 'learn this message as %t'
+
+      - name: 'markasjunk_sauserprefs_config'
+        comment: |
+          sa_blacklist Driver options
+          ---------------------------
+          Path to SAUserPrefs config file
+        value: '../sauserprefs/config.inc.php'
+
+      - name: 'markasjunk_amacube_config'
+        comment: |
+          amavis_blacklist Driver options
+          ---------------------------
+          Path to amacube config file
+        value: '../amacube/config.inc.php'
+
+      - name: 'markasjunk_spam_patterns'
+        comment: |
+          edit_headers Driver options
+          ---------------------------
+          Patterns to match and replace headers for spam messages
+          Replacement method uses preg_replace - http://www.php.net/manual/function.preg-replace.php
+          WARNING: Be sure to match the entire header line, including the name of the header, also use ^ and $ and the 'm' flag
+          see the README for an example
+          TEST CAREFULLY BEFORE USE ON REAL MESSAGES
+        array:
+          - patterns:     []
+            replacements: []
+
+      - name: 'markasjunk_ham_patterns'
+        comment: |
+          Patterns to match and replace headers for spam messages
+          Replacement method uses preg_replace - http://www.php.net/manual/function.preg-replace.php
+          WARNING: Be sure to match the entire header line, including the name of the header, also use ^ and $ and the 'm' flag
+          see the README for an example
+          TEST CAREFULLY BEFORE USE ON REAL MESSAGES
+        array:
+          - patterns:     []
+            replacements: []
+
+    # This plugin adds additional commands in the header of the message if
+    # Roundcube detects it's a mailing list message.
+  - name: 'listcommands'
+    package: 'cor/listcommands'
+    state: 'enabled'
+
+    # This plugin provides support for swipe gestures on mobile devices in the
+    # Elastic skin.
+  - name: 'swipe'
+    package: 'johndoh/swipe:0.1.0'
+    state: 'enabled'
+
+    # This plugin includes additional information in Dovecot connections to
+    # provide better logging capabilities.
+  - name: 'dovecot_ident'
+    package: 'cor/dovecot-ident'
+    state: 'enabled'
+
+    # This plugin adds support for parsing vCard attachments in e-mail
+    # messages.
+  - name: 'vcard_attachments'
+    state: 'enabled'
+
+    # This plugin adds support for generating Identicon avatars for contacts
+    # without images.
+  - name: 'identicon'
+    state: 'enabled'
+
+  - name: 'managesieve'
+    state: 'enabled'
+    options:
+
+      - name: 'managesieve_host'
+        comment: |
+          managesieve server address, default is localhost.
+          Replacement variables supported in host name:
+          %h - user's IMAP hostname
+          %n - http hostname ($_SERVER['SERVER_NAME'])
+          %d - domain (http hostname without the first part)
+          For example %n = mail.domain.tld, %d = domain.tld
+        value: '{{ roundcube__sieve_server }}'
+
+      - name: 'managesieve_auth_type'
+        comment: |
+          Authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
+          or none. Optional, defaults to best method supported by server.
+        value: null
+
+      - name: 'managesieve_auth_cid'
+        comment: |
+          Optional managesieve authentication identifier to be used as authorization proxy.
+          Authenticate as a different user but act on behalf of the logged in user.
+          Works with PLAIN and DIGEST-MD5 auth.
+        value: null
+
+      - name: 'managesieve_auth_pw'
+        comment: |
+          Optional managesieve authentication password to be used for imap_auth_cid
+        value: null
+
+      - name: 'managesieve_conn_options'
+        comment: |
+          Connection scket context options
+          See https://php.net/manual/en/context.ssl.php
+          The example below enables server certificate validation
+        array:
+          - ssl:
+              - verify_peer: True
+                verify_depth: 3
+                cafile: '/etc/ssl/certs/ca-certificates.crt'
+        state: 'comment'
+
+      - name: 'managesieve_default'
+        comment: |
+          A file with default script content (eg. spam filter)
+        value: '/etc/dovecot/sieve/global'
+
+      - name: 'managesieve_script_name'
+        comment: |
+          The name of the script which will be used when there's no user script
+        value: 'managesieve'
+
+      - name: 'managesieve_mbox_encoding'
+        comment: |
+          Sieve RFC says that we should use UTF-8 encoding for mailbox names,
+          but some implementations does not convert UTF-8 to modified UTF-7.
+          Defaults to UTF7-IMAP
+        value: 'UTF-8'
+
+      - name: 'managesieve_replace_delimiter'
+        comment: |
+          I need this because my dovecot (with listescape plugin) uses
+          ':' delimiter, but creates folders with dot delimiter
+        value: ''
+
+      - name: 'managesieve_disabled_extensions'
+        comment: |
+          Disabled sieve extensions (body, copy, date, editheader, encoded-character,
+          envelope, environment, ereject, fileinto, ihave, imap4flags, index,
+          mailbox, mboxmetadata, regex, reject, relational, servermetadata,
+          spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
+          Note: not all extensions are implemented
+        value: []
+
+      - name: 'managesieve_debug'
+        comment: |
+          Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
+        value: False
+
+      - name: 'managesieve_kolab_master'
+        comment: |
+          Enables features described in http://wiki.kolab.org/KEP:14
+        value: False
+
+      - name: 'managesieve_filename_extension'
+        comment: |
+          Script name extension used for scripts including. Dovecot uses '.sieve',
+          Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
+        value: '.sieve'
+
+      - name: 'managesieve_filename_exceptions'
+        comment: |
+          List of reserved script names (without extension).
+          Scripts listed here will be not presented to the user.
+        value: []
+
+      - name: 'managesieve_domains'
+        comment: |
+          List of domains limiting destination emails in redirect action
+          If not empty, user will need to select domain from a list
+        value: []
+
+      - name: 'managesieve_default_headers'
+        comment: |
+          Default list of entries in header selector
+        value: [ 'Subject', 'From', 'To' ]
+
+      - name: 'managesieve_vacation'
+        comment: |
+          Enables separate management interface for vacation responses (out-of-office)
+          0 - no separate section (default),
+          1 - add Vacation section,
+          2 - add Vacation section, but hide Filters section
+        value: 1
+
+      - name: 'managesieve_forward'
+        comment: |
+          Enables separate management interface for setting forwards (redirect to and copy to)
+          0 - no separate section (default),
+          1 - add Forward section,
+          2 - add Forward section, but hide Filters section
+        value: 1
+
+      - name: 'managesieve_vacation_interval'
+        comment: |
+          Default vacation interval (in days).
+          Note: If server supports vacation-seconds extension it is possible
+          to define interval in seconds here (as a string), e.g. "3600s".
+        value: 0
+
+      - name: 'managesieve_vacation_addresses_init'
+        comment: |
+          Some servers require vacation :addresses to be filled with all
+          user addresses (aliases). This option enables automatic filling
+          of these on initial vacation form creation.
+        value: True
+
+      - name: 'managesieve_vacation_from_init'
+        comment: |
+          Sometimes you want to always reply with mail email address
+          This option enables automatic filling of :from field on initial
+          vacation form creation.
+        value: True
+
+      - name: 'managesieve_notify_methods'
+        comment: |
+          Supported methods of notify extension. Default: 'mailto'
+        value: [ 'mailto' ]
+
+      - name: 'managesieve_raw_editor'
+        comment: 'Enables scripts RAW editor feature'
+        value: True
+
+      - name: 'managesieve_disabled_actions'
+        comment: |
+          Disabled actions
+          Prevent user from performing specific actions:
+          list_sets, enable_disable_set, delete_set, new_set, download_set, new_rule, delete_rule
+          Note: disabling list_sets removes the Filter sets widget from the UI and means
+                the set defined in managesieve_script_name will always be used (and activated)
+        value: []
+
+      - name: 'managesieve_allowed_hosts'
+        comment: |
+          List of hosts that support managesieve.
+          Activate managesieve for selected hosts only. If this is not set all hosts are allowed.
+          Example: $config['managesieve_allowed_hosts'] = array('host1.mydomain.com','host2.mydomain.com');
+        value: null
+
+                                                                   # ]]]
+# .. envvar:: roundcube__plugins [[[
+#
+# List of Roundcube plugins configured on all hosts in the Ansible inventory.
+roundcube__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__group_plugins [[[
+#
+# List of Roundcube plugins configured on hosts in a specific Ansible inventory
+# group.
+roundcube__group_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__host_plugins [[[
+#
+# List of Roundcube plugins configured on specific hosts in the Ansible
+# inventory.
+roundcube__host_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: roundcube__combined_plugins [[[
+#
+# Varlabie which combines all Roundcube plugin lists and is used in role tasks
+# and templates.
+roundcube__combined_plugins: '{{ roundcube__default_plugins
+                                 + roundcube__plugins
+                                 + roundcube__group_plugins
+                                 + roundcube__host_plugins }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Skins [[[
+# -------------------
+
+# .. envvar:: roundcube__skin_folder [[[
+#
+# skin name: folder from `/skins <https://github.com/roundcube/roundcubemail/tree/1.4.0/skins>`_
+# Currently available:
+#
+# - classic
+# - elastic [default] (mobile-ready, requires nodejs dependency, due to CSS-LESS syntax)
+# - larry
+#
+roundcube__skin_folder: 'elastic'
+                                                                   # ]]]
+# .. envvar:: roundcube__skin_logo [[[
+#
+# Logo image replacement. Specifies location of the image as:
+#
+# - URL relative to the document root of this Roundcube installation
+# - full URL with http:// or https:// prefix
+# - URL relative to the current skin folder (when starts with a '/')
+#
+roundcube__skin_logo: null
+                                                                   # ]]]
+                                                                   # ]]]
+# Other variables [[[
+# -------------------
+
+# .. envvar:: roundcube__max_file_size [[[
+#
+# Maximum upload size, in MB.
+roundcube__max_file_size: '30'
+                                                                   # ]]]
+                                                                   # ]]]
+# Role-dependent configuration [[[
+# --------------------------------
+
+# .. envvar:: roundcube__keyring__dependent_gpg_user [[[
+#
+# The UNIX account which will be used to install additional GPG keys by the
+# :ref:`debops.keyring` role.
+roundcube__keyring__dependent_gpg_user: '{{ roundcube__user }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__keyring__dependent_gpg_keys [[[
+#
+# GPG key configuration for the :ref:`debops.keyring` Ansible role.
+roundcube__keyring__dependent_gpg_keys:
+
+  - user: '{{ roundcube__user }}'
+    group: '{{ roundcube__group }}'
+    home: '{{ roundcube__home }}'
+    id: '{{ roundcube__git_gpg_key }}'
+
+  - '{{ roundcube__git_additional_gpg_keys }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+roundcube__ldap__dependent_tasks:
+
+  - name: 'Create roundcube account for {{ roundcube__ldap_device_dn | join(",") }}'
+    dn: '{{ roundcube__ldap_binddn }}'
+    objectClass: '{{ roundcube__ldap_self_object_classes }}'
+    attributes: '{{ roundcube__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if roundcube__ldap_password_enabled and
+                            roundcube__ldap_device_dn | d() else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__nginx__dependent_servers [[[
+#
+# :program:`nginx` server configuration managed by the debops.nginx_ role.
+roundcube__nginx__dependent_servers:
+
+  - name: '{{ roundcube__fqdn }}'
+    filename: 'debops.roundcube'
+    by_role: 'debops.roundcube'
+    type: 'php'
+    root: '{{ roundcube__git_dest }}'
+    webroot_create: False
+    access_policy: '{{ roundcube__nginx_access_policy }}'
+    index: 'index.php'
+
+    options: |
+      autoindex off;
+      client_max_body_size {{ roundcube__max_file_size }}M;
+      client_body_buffer_size 128k;
+
+    location_list:
+      - pattern: '/'
+        options: |
+          try_files $uri $uri/ @roundcube;
+
+      - pattern: '@roundcube'
+        options: |
+          rewrite ^/favicon\.ico$ skins/{{ roundcube__skin_folder }}/images/favicon.ico last;
+
+      - pattern: '~ ^/?(installer|[A-Z0-9]+$)'
+        options: |
+          deny all;
+
+      - pattern: '~ ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))'
+        options: |
+          deny all;
+
+      - pattern: '~ /(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$'
+        options: |
+          deny all;
+
+    php_options: |
+      fastcgi_intercept_errors        on;
+      fastcgi_ignore_client_abort     off;
+      fastcgi_connect_timeout         60;
+      fastcgi_send_timeout            180;
+      fastcgi_read_timeout            180;
+      fastcgi_buffer_size             128k;
+      fastcgi_buffers               4 256k;
+      fastcgi_busy_buffers_size       256k;
+      fastcgi_temp_file_write_size    256k;
+
+    php_upstream: 'php_roundcube'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__nginx_access_policy [[[
+#
+# Name of the "nginx access policy" for Roundcube webpage. See debops.nginx_
+# Ansible role for more details.
+roundcube__nginx_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: roundcube__nginx__dependent_upstreams [[[
+#
+# PHP upstream server configuration managed by the debops.nginx_ role.
+roundcube__nginx__dependent_upstreams:
+
+  - name: 'php_roundcube'
+    by_role: 'debops.roundcube'
+    enabled: True
+    type: 'php'
+    php_pool: 'roundcube'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__php__dependent_packages [[[
+#
+# List of PHP packages to install using the debops.php_ role.
+roundcube__php__dependent_packages:
+  - '{{ roundcube__base_php_packages }}'
+  - '{{ roundcube__optional_php_packages }}'
+  - '{{ roundcube__custom_php_packages }}'
+
+                                                                   # ]]]
+# .. envvar:: roundcube__php__dependent_pools [[[
+#
+# PHP pools managed by the debops.php_ role.
+roundcube__php__dependent_pools:
+  name: 'roundcube'
+  by_role: 'debops.roundcube'
+  user: '{{ roundcube__user }}'
+  group: '{{ roundcube__group }}'
+  owner: '{{ roundcube__user }}'
+  home: '{{ roundcube__home }}'
+
+  php_values:
+    ## https://secure.php.net/manual/en/info.configuration.php#ini.upload-max-filesize
+    upload_max_filesize:        '{{ roundcube__max_file_size }}M'
+
+    ## https://secure.php.net/manual/en/ini.core.php#ini.post-max-size
+    post_max_size:              '{{ roundcube__max_file_size }}M'
+
+    ## https://github.com/roundcube/roundcubemail/wiki/Install-Requirements
+    file_uploads:               'on'
+    mbstring.func_overload:     'off'
+    memory_limit:               '64M'
+    magic_quotes_runtime:       'off'
+    magic_quotes_sybase:        'off'
+    session.auto_start:         'off'
+    suhosin.session.encrypt:    'off'
+                                                                   # ]]]
+# .. envvar:: roundcube__nodejs__npm_dependent_packages [[[
+#
+# Configuration for the :ref:`debops.nodejs` Ansible role.
+roundcube__nodejs__npm_dependent_packages:
+  # Dependency for the 'elastic' skin to compile the CSS files
+  - 'less'
+  - 'tslib'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/roundcube/meta/main.yml b/ansible_collections/debops/debops/roles/roundcube/meta/main.yml
new file mode 100644
index 00000000..89a13d51
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Reto Gantenbein'
+  description: 'Manage Roundcube, a browser-based IMAP client written in PHP'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - debops
+    - email
+    - mail
+    - imap
+    - web
diff --git a/ansible_collections/debops/debops/roles/roundcube/meta/watch-roundcubemail b/ansible_collections/debops/debops/roles/roundcube/meta/watch-roundcubemail
new file mode 100644
index 00000000..531bf132
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/meta/watch-roundcubemail
@@ -0,0 +1,10 @@
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: roundcube
+# Package: roundcubemail
+# Version: 1.6.0
+
+version=4
+https://github.com/roundcube/roundcubemail/tags .*/v?(.*\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/configure_mysql.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_mysql.yml
new file mode 100644
index 00000000..5794252a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_mysql.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create Roundcube MySQL/MariaDB database
+  community.mysql.mysql_db:
+    name: '{{ roundcube__database_map[roundcube__database].dbname }}'
+    state: 'present'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  delegate_to: '{{ ansible_local.mariadb.delegate_to }}'
+  register: roundcube__register_database_status
+
+- name: Import initial database schema
+  community.mysql.mysql_db:  # noqa no-handler
+    name: '{{ roundcube__database_map[roundcube__database].dbname }}'
+    state: import
+    target: '{{ roundcube__database_schema }}'
+    login_user: '{{ roundcube__database_map[roundcube__database].dbuser }}'
+    login_password: '{{ roundcube__database_map[roundcube__database].dbpass }}'
+    login_host: '{{ ansible_local.mariadb.server }}'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: (roundcube__register_database_status | d() is defined and roundcube__register_database_status is changed)
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/configure_postgresql.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_postgresql.yml
new file mode 100644
index 00000000..ca7a531f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_postgresql.yml
@@ -0,0 +1,24 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create Roundcube PostgreSQL database
+  community.postgresql.postgresql_db:
+    name: '{{ roundcube__database_map[roundcube__database].dbname }}'
+    owner: '{{ roundcube__database_map[roundcube__database].dbuser }}'
+    state: 'present'
+  delegate_to: '{{ ansible_local.postgresql.delegate_to }}'
+  register: roundcube__register_postgresql_status
+
+- name: Import initial database schema
+  community.postgresql.postgresql_db:  # noqa no-handler
+    name: '{{ roundcube__database_map[roundcube__database].dbname }}'
+    state: 'restore'
+    target: '{{ roundcube__database_schema }}'
+    login_user: '{{ roundcube__database_map[roundcube__database].dbuser }}'
+    login_password: '{{ roundcube__database_map[roundcube__database].dbpass }}'
+    login_host: '{{ roundcube__database_map[roundcube__database].dbhost }}'
+  when: (roundcube__register_postgresql_status | d() is defined and
+         roundcube__register_postgresql_status is changed)
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/configure_skins.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_skins.yml
new file mode 100644
index 00000000..76aa3134
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/configure_skins.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Generate CSS files for the 'elastic' skin
+  when: roundcube__skin_folder is defined
+        and roundcube__skin_folder == 'elastic'
+        and roundcube__git_dest is defined
+  tags: [ 'role::roundcube:skin:elastic' ]
+  block:
+    - name: Set 'elastic' skin CSS files
+      ansible.builtin.set_fact:
+        roundcube__fact_skin_elastic_css_files:
+          - { src: 'styles/styles.less', dest: 'styles/styles.css' }
+          - { src: 'styles/print.less',  dest: 'styles/print.css' }
+          - { src: 'styles/embed.less',  dest: 'styles/embed.css' }
+
+    - name: Generate CSS files for the 'elastic' skin
+      ansible.builtin.command: 'lessc --compress {{ item.src }} {{ item.dest }}'
+      args:
+        chdir: '{{ roundcube__git_dest }}/skins/{{ roundcube__skin_folder }}'
+        creates: '{{ item.dest }}'
+      loop: '{{ roundcube__fact_skin_elastic_css_files }}'
+
+    - name: Adjust permissions of CSS files
+      ansible.builtin.file:
+        path: '{{ roundcube__git_dest }}/skins/{{ roundcube__skin_folder }}/{{ item.dest }}'
+        owner: '{{ roundcube__user }}'
+        group: '{{ roundcube__group }}'
+        mode: '0644'
+      loop: '{{ roundcube__fact_skin_elastic_css_files }}'
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/deploy_roundcube.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/deploy_roundcube.yml
new file mode 100644
index 00000000..49b3b891
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/deploy_roundcube.yml
@@ -0,0 +1,127 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# ---- System Account ----
+
+- name: Create Roundcube group
+  ansible.builtin.group:
+    name: '{{ roundcube__group }}'
+    system: True
+    state: 'present'
+
+- name: Create Roundcube user
+  ansible.builtin.user:
+    name: '{{ roundcube__user }}'
+    group: '{{ roundcube__group }}'
+    home: '{{ roundcube__home }}'
+    shell: '{{ roundcube__shell }}'
+    comment: '{{ roundcube__comment }}'
+    system: True
+    state: 'present'
+
+
+# ---- Deployment ----
+
+- name: Create required Roundcube directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    state: 'directory'
+    owner: '{{ roundcube__user }}'
+    group: '{{ roundcube__group }}'
+    mode: '{{ item.mode | d("0755") }}'
+  loop:
+    - { path: '{{ roundcube__src }}' }
+    - { path: '{{ roundcube__git_dir | dirname }}', mode: "0750" }
+    - { path: '{{ roundcube__git_dest | dirname }}' }
+
+- name: Clone Roundcube source from upstream repository
+  ansible.builtin.git:
+    repo: '{{ roundcube__git_repo }}'
+    dest: '{{ roundcube__git_dest }}'
+    version: '{{ roundcube__git_version }}'
+    separate_git_dir: '{{ roundcube__git_dir }}'
+    verify_commit: True
+    # FIXME: At the moment GPG whitelisting does not work correctly
+    #gpg_whitelist: '{{ [ roundcube__git_gpg_key ]
+    #                   + roundcube__git_additional_gpg_keys
+    #                   | flatten }}'
+  become: True
+  become_user: '{{ roundcube__user }}'
+  register: roundcube__register_git
+  notify: [ 'Refresh host facts' ]
+
+- name: Read PHP composer data from upstream
+  ansible.builtin.slurp:  # noqa no-handler
+    src: '{{ roundcube__git_dest + "/composer.json-dist" }}'
+  register: roundcube__register_composer_dist
+  when: roundcube__register_git is changed
+
+- name: Read currently deployed PHP composer data
+  ansible.builtin.slurp:  # noqa no-handler
+    src: '{{ roundcube__git_dest + "/composer.json" }}'
+  register: roundcube__register_composer_installed
+  when: (ansible_local | d() and ansible_local.roundcube | d() and
+         (ansible_local.roundcube.installed | d()) | bool and
+        roundcube__register_git is changed)
+
+- name: Update PHP composer data
+  ansible.builtin.template:  # noqa no-handler
+    src: 'srv/www/sites/roundcube/public/composer.json.j2'
+    dest: '{{ roundcube__git_dest + "/composer.json" }}'
+    owner: '{{ roundcube__user }}'
+    group: '{{ roundcube__group }}'
+    mode: '0644'
+  when: roundcube__register_git is changed
+
+# ---- Post deployment ----
+
+- name: Install or upgrade PHP packages via Composer
+  community.general.composer:  # noqa no-handler
+    command: '{{ "upgrade"
+                 if (ansible_local | d() and ansible_local.roundcube | d() and
+                     (ansible_local.roundcube.installed | d()) | bool)
+                 else "install" }}'
+    working_dir: '{{ roundcube__git_dest }}'
+    no_dev: True
+  become: True
+  become_user: '{{ roundcube__user }}'
+  register: roundcube__register_composer
+  until: roundcube__register_composer is succeeded
+  when: roundcube__register_git is changed
+
+- name: Install Roundcube plugins via Composer
+  community.general.composer:  # noqa jinja[spacing]
+    command: 'require'
+    arguments: '{{ item }}'
+    working_dir: '{{ roundcube__git_dest }}'
+    no_dev: True
+  loop: '{{ roundcube__combined_plugins | debops.debops.parse_kv_items
+            | selectattr("state", "match", "^(enabled|present)$")
+            | selectattr("package", "defined")
+            | map(attribute="package") | list }}'
+  become: True
+  become_user: '{{ roundcube__user }}'
+  register: roundcube__register_composer_plugins
+  until: roundcube__register_composer_plugins is succeeded
+  tags: [ 'skip::roundcube:plugins' ]
+
+- name: Install Javascript packages
+  ansible.builtin.command: bin/install-jsdeps.sh
+  args:
+    chdir: '{{ roundcube__git_dest }}'
+  become: True
+  become_user: '{{ roundcube__user }}'
+  # The script does not have any useful status output
+  # FIXME: Find better way to make this task idempotent
+  changed_when: False
+
+- name: Enable cleandb.sh Cron job
+  ansible.builtin.cron:
+    name: Roundcube daily database housekeeping
+    user: '{{ roundcube__user }}'
+    job: '{{ roundcube__git_dest }}/bin/cleandb.sh > /dev/null'
+    cron_file: 'roundcube'
+    hour: '22'
+    minute: '0'
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/main.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/main.yml
new file mode 100644
index 00000000..17460cbd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/main.yml
@@ -0,0 +1,129 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "roundcube/pre_main.yml") }}'
+
+
+# ---- Environment ----
+
+- name: Get version of current Roundcube installation  # noqa command-instead-of-module
+  ansible.builtin.command: sed -n "s/^define('RCMAIL_VERSION', '\(.*\)');/\1/p" \
+           {{ roundcube__git_dest }}/program/include/iniset.php
+  changed_when: False
+  failed_when: False
+  register: roundcube__register_version
+  tags: [ 'role::roundcube:database' ]
+
+
+# ---- Deployment ----
+
+- name: Install pre-requisite packages for Roundcube
+  ansible.builtin.package:
+    name: '{{ q("flattened", (roundcube__base_packages
+                              + roundcube__packages)) }}'
+    state: 'present'
+  register: roundcube__register_packages
+  until: roundcube__register_packages is succeeded
+  tags: [ 'role::roundcube:pkg' ]
+
+- name: Deploy Roundcube
+  ansible.builtin.include_tasks: deploy_roundcube.yml
+  tags: [ 'role::roundcube:deployment' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save RoundCube local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/roundcube.fact.j2'
+    dest: '/etc/ansible/facts.d/roundcube.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+# ---- Skins/Themes ----
+
+- name: Configure skins
+  ansible.builtin.include_tasks: configure_skins.yml
+  tags: [ 'role::roundcube:skins', 'role::roundcube:themes' ]
+
+# ---- Configuration ----
+
+- name: Make sure database directory exists
+  ansible.builtin.file:
+    path: '{{ roundcube__git_dest }}/{{ roundcube__database_map[roundcube__database].dbname | dirname }}'
+    state: directory
+    owner: '{{ roundcube__user }}'
+    group: '{{ roundcube__group }}'
+    mode: '0750'
+  when: roundcube__database_map[roundcube__database].dbtype == 'sqlite'
+  tags: [ 'role::roundcube:database' ]
+
+- name: Configure MySQL/MariaDB support
+  ansible.builtin.include_tasks: configure_mysql.yml
+  when: roundcube__database_map[roundcube__database].dbtype == 'mysql'
+  tags: [ 'role::roundcube:database' ]
+
+- name: Configure PostgreSQL support
+  ansible.builtin.include_tasks: configure_postgresql.yml
+  when: roundcube__database_map[roundcube__database].dbtype == 'postgresql'
+  tags: [ 'role::roundcube:database' ]
+
+- name: Generate Roundcube configuration
+  ansible.builtin.template:
+    src: 'srv/www/sites/roundcube/public/config/config.inc.php.j2'
+    dest: '{{ roundcube__git_dest + "/config/config.inc.php" }}'
+    owner: 'root'
+    group: '{{ roundcube__group }}'
+    mode: '0640'
+  tags: [ 'role::roundcube:config' ]
+
+- name: Generate Roundcube plugin configuration
+  ansible.builtin.template:  # noqa jinja[spacing]
+    src: 'srv/www/sites/roundcube/public/plugins/config.inc.php.j2'
+    dest: '{{ roundcube__git_dest + "/plugins/" + item.name + "/config.inc.php" }}'
+    owner: 'root'
+    group: '{{ roundcube__group }}'
+    mode: '0640'
+  loop: '{{ roundcube__combined_plugins | debops.debops.parse_kv_items
+            | selectattr("state", "match", "^(enabled|present)$")
+            | selectattr("options", "defined") | list }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [ 'role::roundcube:config' ]
+
+- name: Update database schema
+  ansible.builtin.command: 'php bin/updatedb.sh --package=roundcube --dir={{ roundcube__git_dest }}/SQL'
+  args:
+    chdir: '{{ roundcube__git_dest }}'
+  become: True
+  become_user: '{{ roundcube__user }}'
+  register: roundcube__register_updatedb
+  changed_when: roundcube__register_updatedb.stdout | d()
+  when: (roundcube__register_version.stdout | d() and
+         (ansible_local.roundcube.version | d("0.0.0")) is version_compare(roundcube__register_version.stdout, '>'))
+  tags: [ 'role::roundcube:database' ]
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "roundcube/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/post_main.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/post_main.yml
new file mode 100644
index 00000000..5fe3ee45
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/pre_main.yml b/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/pre_main.yml
new file mode 100644
index 00000000..5fe3ee45
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/tasks/roundcube/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/roundcube/templates/etc/ansible/facts.d/roundcube.fact.j2 b/ansible_collections/debops/debops/roles/roundcube/templates/etc/ansible/facts.d/roundcube.fact.j2
new file mode 100644
index 00000000..2729ca20
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/templates/etc/ansible/facts.d/roundcube.fact.j2
@@ -0,0 +1,36 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+# Copyright (C) 2016-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+roundcube_deploy_path = loads('''{{ roundcube__git_dest
+                                    | to_nice_json }}''')
+
+roundcube_version_file = (roundcube_deploy_path +
+                          '/program/include/iniset.php')
+
+output = {'installed': False}
+
+try:
+    with open(roundcube_version_file, 'r') as f:
+        for line in f:
+            if "define('RCMAIL_VERSION'," in line.strip().split():
+                line = line.strip().split()[1]
+                line = line.lstrip("'").rstrip("');")
+
+                output.update(
+                        {'installed': True,
+                         'version': line})
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/composer.json.j2 b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/composer.json.j2
new file mode 100644
index 00000000..f8342ee7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/composer.json.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2016-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = {} %}
+{% if roundcube__register_composer_installed.content | d() %}
+{%   set output = (roundcube__register_composer_installed.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if roundcube__register_composer_dist.content | d() %}
+{%   set dist = (roundcube__register_composer_dist.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if dist | d() and output | d() %}
+{%   set output_require = output.require %}
+{%   for package, version in dist.require.items() %}
+{%     set _ = output_require.update({ package: version }) %}
+{%   endfor %}
+{%   set _ = output.update({ 'require': output_require}) %}
+{% else %}
+{%   set output = dist %}
+{% endif %}
+{{ output | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/config/config.inc.php.j2 b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/config/config.inc.php.j2
new file mode 100644
index 00000000..5154dc37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/config/config.inc.php.j2
@@ -0,0 +1,189 @@
+{# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2016-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+
+/* {{ ansible_managed }} */
+
+/*
+ +-----------------------------------------------------------------------+
+ | Local configuration for the Roundcube Webmail installation.           |
+ |                                                                       |
+ | This is a local configuration file which contains the options         |
+ | which override the values defined in the defaults.inc.php file.       |
+ +-----------------------------------------------------------------------+
+*/
+{% macro print_value(data) %}
+{%   if data is mapping %}
+{%     for key, value in data.items() %}
+{%       if value is not string and value is not mapping and value is iterable %}
+{{ "'{}' => {}".format(key, print_value(value)) -}}
+{% else %}
+{{ "'{}' => {},".format(key, print_value(value)) -}}
+{%       endif %}
+{%     endfor %}
+{%   elif data is none %}
+{{ "null" -}}
+{%   elif data | bool and data is not iterable %}
+{%     if data | int and data | string != 'True' %}
+{{ "{}".format(data) -}}
+{%     else %}
+{{ "true" -}}
+{%     endif %}
+{%   elif not data | bool and data is not iterable %}
+{%     if data is not none %}
+{%       if data | int or data | string == '0' %}
+{{ "{}".format(data) -}}
+{%       else %}
+{{ "false" -}}
+{%       endif %}
+{%     endif %}
+{%   elif data is string %}
+{{ "'{}'".format(data) -}}
+{%   elif data is not string and data is not mapping and data is iterable %}
+{{ "array(" }}
+{{ print_array(data) | indent(4, true) -}}
+{{ ")," -}}
+{%   endif %}
+{% endmacro %}
+{% macro print_array(data) %}
+{%   if data is not string and data is not mapping and data is iterable %}
+{%     for entry in data %}
+{%       if entry is mapping %}
+{%         for key, value in entry.items() %}
+{%           if key is number %}
+{%             set quote_char = "" %}
+{%           else %}
+{%             set quote_char = "'" %}
+{%           endif %}
+{%           if value is none %}
+{{ "{}{}{} => null,".format(quote_char, key, quote_char) }}
+{%           elif value | bool and value is not iterable %}
+{%             if value | int and value | string != 'True' %}
+{{ "{}{}{} => {},".format(quote_char, key, quote_char, value) }}
+{%             else %}
+{{ "{}{}{} => true,".format(quote_char, key, quote_char) }}
+{%             endif %}
+{%           elif not value | bool and value is not iterable %}
+{%             if value is not none %}
+{%               if value | int or value | string == '0' %}
+{{ "{}{}{} => {},".format(quote_char, key, quote_char, value) }}
+{%               else %}
+{{ "{}{}{} => false,".format(quote_char, key, quote_char) }}
+{%               endif %}
+{%             endif %}
+{%           elif value is string %}
+{{ "{}{}{} => '{}',".format(quote_char, key, quote_char, value) }}
+{%           elif value is not string and value is not mapping and value is iterable %}
+{%             if value %}
+{{ "{}{}{} => array(".format(quote_char, key, quote_char) }}
+{{ print_array(value) | indent(4, true) -}}
+{{ ")," }}
+{%             else %}
+{{ "{}{}{} => array(),".format(quote_char, key, quote_char) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       elif entry is string %}
+{{ "'{}',".format(entry) }}
+{%       elif entry is not string and entry is not mapping and entry is iterable %}
+{{ "array(" }}
+{%         for thing in entry %}
+{{ print_value(thing) | indent(4, true) }}
+{%         endfor %}
+{{ ")," }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% for section in roundcube__combined_configuration_sections | debops.debops.parse_kv_config %}
+{%   if section.name | d() and section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set loop_next = [] %}
+{%     set section_config = (roundcube__combined_configuration | debops.debops.parse_kv_config
+                             | selectattr("section", "equalto", section.name) | list) %}
+{%     if section_config | d() %}
+{%       if section.state != 'hidden' %}
+{%         if ('present' in (section_config | map(attribute='state') | list)) %}
+{{ (section.title | d(section.name | upper)) | comment(
+    prefix='\n// ----------------------------------',
+    postfix='// ----------------------------------\n',
+    decoration='// ') }}
+{%         endif %}
+{%       else %}
+
+{%       endif %}
+{%       for element in section_config %}
+{%         if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%           if ((element.comment | d() and loop_next) or
+                 (element.separator | d()) | bool and loop_next) %}
+
+{%           endif %}
+{%           set _ = loop_next.append(True) %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='// ') -}}
+{%           endif %}
+{%           if element.state | d('present') == 'comment' %}
+{%             set comment_state = '//' %}
+{%           else %}
+{%             set comment_state = '' %}
+{%           endif %}
+{%           if (element.quotes | d(True)) | bool %}
+{%             set quote_char = "'" %}
+{%           else %}
+{%             set quote_char = "" %}
+{%           endif %}
+{%           if element.option | d() %}
+{%             set element_name = ([ element.option ] if element.option is string else element.option) | join("']['") %}
+{%           else %}
+{%             set element_name = element.name %}
+{%           endif %}
+{%           if element.raw is not defined and element.value is not defined and element.array is not defined %}
+{{ "{}$config['{}'] = array();".format(comment_state, element_name) }}
+{%           elif element.raw is defined %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "/*" }}
+{%             endif %}
+{{ element.raw | regex_replace('\n$', '') }}
+{%             if element.state | d('present') == 'comment' %}
+{{ "*/" }}
+{%             endif %}
+{%           elif element.array | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "/*" }}
+{%             endif %}
+{{ "$config['{}'] = array(".format(element_name) }}
+{{ print_array(element.array) | indent(4, true) -}}
+{{ ");" }}
+{%             if element.state | d('present') == 'comment' %}
+{{ "*/" }}
+{%             endif %}
+{%           elif element.value is defined %}
+{%             if element.value is none %}
+{{ "{}$config['{}'] = null;".format(comment_state, element_name) }}
+{%             elif element.value | bool and element.value is not iterable %}
+{%               if element.value | int and element.value | string != 'True' %}
+{{ "{}$config['{}'] = {};".format(comment_state, element_name, element.value) }}
+{%               else %}
+{{ "{}$config['{}'] = true;".format(comment_state, element_name) }}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int or element.value | string == '0' %}
+{{ "{}$config['{}'] = {};".format(comment_state, element_name, element.value) }}
+{%                 else %}
+{{ "{}$config['{}'] = false;".format(comment_state, element_name) }}
+{%                 endif %}
+{%               endif %}
+{%             elif element.value is string %}
+{{ "{}$config['{}'] = {}{}{};".format(comment_state, element_name, quote_char, element.value, quote_char) }}
+{%             elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%               set array_elements = (element.value | selectattr("state", "equalto", "present") | map(attribute="name") | list) %}
+{{ "{}$config['{}'] = array({});".format(comment_state, element_name, "'" + (array_elements | join("', '")) + "'") }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/plugins/config.inc.php.j2 b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/plugins/config.inc.php.j2
new file mode 100644
index 00000000..105877f3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/roundcube/templates/srv/www/sites/roundcube/public/plugins/config.inc.php.j2
@@ -0,0 +1,182 @@
+{# Copyright (C) 2016-2018 Reto Gantenbein <reto.gantenbein@linuxmonk.ch>
+ # Copyright (C) 2016-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+
+/* {{ ansible_managed }} */
+
+/* Configuration for the '{{ item.name }}' Roundcube plugin */
+{% macro print_value(data) %}
+{%   if data is mapping %}
+{%     for key, value in data.items() %}
+{%       if value is not string and value is not mapping and value is iterable %}
+{{ "'{}' => {}".format(key, print_value(value)) -}}
+{% else %}
+{{ "'{}' => {},".format(key, print_value(value)) -}}
+{%       endif %}
+{%     endfor %}
+{%   elif data is none %}
+{{ "null" -}}
+{%   elif data | bool and data is not iterable %}
+{%     if data | int and data | string != 'True' %}
+{{ "{}".format(data) -}}
+{%     else %}
+{{ "true" -}}
+{%     endif %}
+{%   elif not data | bool and data is not iterable %}
+{%     if data is not none %}
+{%       if data | int or data | string == '0' %}
+{{ "{}".format(data) -}}
+{%       else %}
+{{ "false" -}}
+{%       endif %}
+{%     endif %}
+{%   elif data is string %}
+{{ "'{}'".format(data) -}}
+{%   elif data is not string and data is not mapping and data is iterable %}
+{{ "array(" }}
+{{ print_array(data) | indent(4, true) -}}
+{{ ")," -}}
+{%   endif %}
+{% endmacro %}
+{% macro print_array(data) %}
+{%   if data is not string and data is not mapping and data is iterable %}
+{%     for entry in data %}
+{%       if entry is mapping %}
+{%         for key, value in entry.items() %}
+{%           if key is number %}
+{%             set quote_char = "" %}
+{%           else %}
+{%             set quote_char = "'" %}
+{%           endif %}
+{%           if value is none %}
+{{ "{}{}{} => null,".format(quote_char, key, quote_char) }}
+{%           elif value | bool and value is not iterable %}
+{%             if value | int and value | string != 'True' %}
+{{ "{}{}{} => {},".format(quote_char, key, quote_char, value) }}
+{%             else %}
+{{ "{}{}{} => true,".format(quote_char, key, quote_char) }}
+{%             endif %}
+{%           elif not value | bool and value is not iterable %}
+{%             if value is not none %}
+{%               if value | int or value | string == '0' %}
+{{ "{}{}{} => {},".format(quote_char, key, quote_char, value) }}
+{%               else %}
+{{ "{}{}{} => false,".format(quote_char, key, quote_char) }}
+{%               endif %}
+{%             endif %}
+{%           elif value is string %}
+{{ "{}{}{} => '{}',".format(quote_char, key, quote_char, value) }}
+{%           elif value is not string and value is not mapping and value is iterable %}
+{%             if value %}
+{{ "{}{}{} => array(".format(quote_char, key, quote_char) }}
+{{ print_array(value) | indent(4, true) -}}
+{{ ")," }}
+{%             else %}
+{{ "{}{}{} => array(),".format(quote_char, key, quote_char) }}
+{%             endif %}
+{%           endif %}
+{%         endfor %}
+{%       elif entry is string %}
+{{ "'{}',".format(entry) }}
+{%       elif entry is not string and entry is not mapping and entry is iterable %}
+{{ "array(" }}
+{%         for thing in entry %}
+{{ print_value(thing) | indent(4, true) }}
+{%         endfor %}
+{{ ")," }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% for section in (item.options_sections | d([ {"name": "unknown", "state": "hidden"} ])) | debops.debops.parse_kv_config %}
+{%   if section.name | d() and section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set loop_next = [] %}
+{%     set section_config = (item.options | debops.debops.parse_kv_config
+                             | selectattr("section", "equalto", section.name) | list) %}
+{%     if section_config | d() %}
+{%       if section.state != 'hidden' %}
+{%         if ('present' in (section_config | map(attribute='state') | list)) %}
+{{ (section.title | d(section.name | upper)) | comment(
+    prefix='\n// ----------------------------------',
+    postfix='// ----------------------------------\n',
+    decoration='// ') }}
+{%         endif %}
+{%       else %}
+
+{%       endif %}
+{%       for element in section_config %}
+{%         if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%           if ((element.comment | d() and loop_next) or
+                 (element.separator | d()) | bool and loop_next) %}
+
+{%           endif %}
+{%           set _ = loop_next.append(True) %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='', decoration='// ') -}}
+{%           endif %}
+{%           if element.state | d('present') == 'comment' %}
+{%             set comment_state = '//' %}
+{%           else %}
+{%             set comment_state = '' %}
+{%           endif %}
+{%           if (element.quotes | d(True)) | bool %}
+{%             set quote_char = "'" %}
+{%           else %}
+{%             set quote_char = "" %}
+{%           endif %}
+{%           if element.option | d() %}
+{%             set element_name = ([ element.option ] if element.option is string else element.option) | join("']['") %}
+{%           else %}
+{%             set element_name = element.name %}
+{%           endif %}
+{%           if element.raw is not defined and element.value is not defined and element.array is not defined %}
+{{ "{}$config['{}'] = array();".format(comment_state, element_name) }}
+{%           elif element.raw is defined %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "/*" }}
+{%             endif %}
+{{ element.raw | regex_replace('\n$', '') }}
+{%             if element.state | d('present') == 'comment' %}
+{{ "*/" }}
+{%             endif %}
+{%           elif element.array | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "/*" }}
+{%             endif %}
+{{ "$config['{}'] = array(".format(element_name) }}
+{{ print_array(element.array) | indent(4, true) -}}
+{{ ");" }}
+{%             if element.state | d('present') == 'comment' %}
+{{ "*/" }}
+{%             endif %}
+{%           elif element.value is defined %}
+{%             if element.value is none %}
+{{ "{}$config['{}'] = null;".format(comment_state, element_name) }}
+{%             elif element.value | bool and element.value is not iterable %}
+{%               if element.value | int and element.value | string != 'True' %}
+{{ "{}$config['{}'] = {};".format(comment_state, element_name, element.value) }}
+{%               else %}
+{{ "{}$config['{}'] = true;".format(comment_state, element_name) }}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int or element.value | string == '0' %}
+{{ "{}$config['{}'] = {};".format(comment_state, element_name, element.value) }}
+{%                 else %}
+{{ "{}$config['{}'] = false;".format(comment_state, element_name) }}
+{%                 endif %}
+{%               endif %}
+{%             elif element.value is string %}
+{{ "{}$config['{}'] = {}{}{};".format(comment_state, element_name, quote_char, element.value, quote_char) }}
+{%             elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%               set array_elements = (element.value | selectattr("state", "equalto", "present") | map(attribute="name") | list) %}
+{{ "{}$config['{}'] = array({});".format(comment_state, element_name, "'" + (array_elements | join("', '")) + "'") }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/COPYRIGHT b/ansible_collections/debops/debops/roles/rsnapshot/COPYRIGHT
new file mode 100644
index 00000000..5cf72ddd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.rsnapshot - Manage rsnapshot backups using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/defaults/main.yml b/ansible_collections/debops/debops/roles/rsnapshot/defaults/main.yml
new file mode 100644
index 00000000..d07d805d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/defaults/main.yml
@@ -0,0 +1,910 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rsnapshot__ref_defaults:
+
+# debops.rsnapshot default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: rsnapshot__base_packages [[[
+#
+# List of the default APT packages to install for :command:`rsnapshot` support.
+rsnapshot__base_packages: [ 'rsnapshot', 'dnsutils' ]
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__packages [[[
+#
+# List of additional APT packages to install with :command:`rsnapshot`.
+rsnapshot__packages: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__host_packages [[[
+#
+# List of APT packages to install on the remote :command:`rsync` servers to
+# allow the :command:`rsnapshot` command to work.
+rsnapshot__host_packages: [ 'rsync' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Backup client environment [[[
+# -----------------------------
+
+# .. envvar:: rsnapshot__config_dir [[[
+#
+# Absolute path of the directory which contains the :command:`rsnapshot`
+# configuration for each host to back up, in separate subdirectories.
+rsnapshot__config_dir: '/etc/rsnapshot/hosts'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__snapshot_root [[[
+#
+# Absolute path of the directory which contains snapshots of the remote host,
+# in separate subdirectories.
+rsnapshot__snapshot_root: '/var/cache/rsnapshot/hosts'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__limit [[[
+#
+# This variable can be used as an alternative to the Ansible ``--limit``
+# argument, to limit what hosts are configured on a given Ansible run. Specify
+# the list of ``name`` parameters (either inventory hostnames or FQDNs for
+# external hosts) during Ansible execution using the ``--extra-vars`` argument.
+# Only the hosts specified in this list will be configured by the role on
+# a given Ansible run.
+rsnapshot__limit: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Remote host environment [[[
+# ---------------------------
+
+# .. envvar:: rsnapshot__rrsync_source [[[
+#
+# Absolute path of the :command:`rrsync` tarball on the remote host, which will
+# be the source of the :command:`rrsync` binary. The role will automatically
+# decompress a ``.gz`` compressed file if found.
+rsnapshot__rrsync_source: '/usr/share/doc/rsync/scripts/rrsync'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__rrsync_binary [[[
+#
+# Absolute path of the :command:`rrsync` script installed on the remote hosts
+# to perform backups securely. If the script is not found in that path, it will
+# be installed by the role on hosts in the Ansible inventory.
+rsnapshot__rrsync_binary: '/usr/local/bin/rrsync'
+                                                                   # ]]]
+                                                                   # ]]]
+# Snapshot scheduler configuration [[[
+# ------------------------------------
+
+# .. envvar:: rsnapshot__scheduler_type [[[
+#
+# Method by which :command:`rsnapshot-scheduler` script issues new backup jobs:
+#
+# - ``batch``: use the :command:`batch` from the ``at`` package to run backups
+#   depending on system load. If not present, the scheduler script will fall
+#   back to the :command:`sleep` command.
+#
+# - ``sleep``: use the :command:`sleep` command with a random delay in minutes
+#   to spread the load of the backup jobs over time.
+#
+rsnapshot__scheduler_type: '{{ "batch"
+                               if (ansible_local | d() and ansible_local.atd | d() and
+                                   (ansible_local.atd.enabled | d()) | bool)
+                               else "sleep" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__scheduler_batch_queue [[[
+#
+# The :command:`at` queue used by the :command:`rsnapshot` backup jobs. A queue
+# should be defined by a single, capital letter to ensure that the jobs are
+# managed by ``batch`` command according to the current load average.
+# See :man:`at(1)` for more details.
+rsnapshot__scheduler_batch_queue: 'R'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__scheduler_batch_command [[[
+#
+# Command used to schedule backup jobs.
+rsnapshot__scheduler_batch_command: 'at -q {{ rsnapshot__scheduler_batch_queue }} now'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__scheduler_sleep_max_delay [[[
+#
+# Maximum delay in minutes for the ``sleep`` scheduler type.
+rsnapshot__scheduler_sleep_max_delay: '20'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__scheduler_run_max_delay [[[
+#
+# Maximum delay in minutes for the scheduler to check if another backup job has
+# finished before running.
+rsnapshot__scheduler_run_max_delay: '5'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSH client configuration [[[
+# ----------------------------
+
+# .. envvar:: rsnapshot__ssh_key_bits [[[
+#
+# The default size of the SSH RSA keys generated by the role.
+rsnapshot__ssh_key_bits: '4096'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_key_comment [[[
+#
+# The comment added to the SSH keys generated by the role.
+rsnapshot__ssh_key_comment: 'root@{{ ansible_fqdn }} generated by debops.rsnapshot via Ansible'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_key_type [[[
+#
+# The default SSH key type of the keys generated by the role.
+rsnapshot__ssh_key_type: '{{ ansible_local.root_account.ssh_key_type | d("ed25519") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_default_identities [[[
+#
+# List of the default SSH identities (SSH key pairs stored in the
+# :file:`/root/.ssh/` directory) created by the role.
+# See :ref:`rsnapshot__ref_ssh_identities` for more details.
+rsnapshot__ssh_default_identities:
+
+  - name: 'id_rsnapshot'
+    type: '{{ rsnapshot__ssh_key_type }}'
+
+  - name: 'id_rsnapshot_rsa'
+    type: 'rsa'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_identities [[[
+#
+# List of additional SSH identities created by the role.
+# See :ref:`rsnapshot__ref_ssh_identities` for more details.
+rsnapshot__ssh_identities: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_main_identity [[[
+#
+# The default SSH identity used by the :command:`rsnapshot` to connect to the
+# hosts if no custom identity has been set via the ``item.ssh_identity``
+# parameter.
+rsnapshot__ssh_main_identity: 'id_rsnapshot'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_options [[[
+#
+# The default SSH options added to the SSH keys installed on the remote hosts
+# by the role in the :file:`/root/.ssh/authorized_keys` file.
+rsnapshot__ssh_options: 'no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__ssh_command [[[
+#
+# Command which will be added to the SSH key in the
+# :file:`/root/.ssh/authorized_keys` file of each host backed up by
+# :command:`rsnapshot`. By default it allows for read-only access to the entire
+# filesystem, with lowered I/O and CPU usage.
+rsnapshot__ssh_command: 'ionice -c 3 nice {{ rsnapshot__rrsync_binary }} -ro /'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of hosts to back up [[[
+# -------------------------------------
+
+# These lists contain the :command:`rsnapshot` configuration for each remote
+# host to back up. See :ref:`rsnapshot__ref_hosts` for more details.
+
+# .. envvar:: rsnapshot__default_hosts [[[
+#
+# List of hosts to back up configured by default by the role.
+rsnapshot__default_hosts:
+
+  # The backup of the rsnapshot host
+  - name: '{{ inventory_hostname }}'
+    local: True
+    options:
+
+      # Don't create the snapshot directory automatically. Useful for backing
+      # up to the removable media.
+      - name: 'no_create_root'
+        state: 'present'
+        value: 1
+
+      # Create hourly snapshots by default.
+      - name: 'hourly'
+        state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__hosts [[[
+#
+# List of hosts to back up configured on all hosts in the Ansible inventory.
+rsnapshot__hosts: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__group_hosts [[[
+#
+# List of hosts to back up configured on hosts in a specific Ansible inventory
+# group.
+rsnapshot__group_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__host_hosts [[[
+#
+# List of hosts to back up configured on specific hosts in the Ansible
+# inventory.
+rsnapshot__host_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__combined_hosts [[[
+#
+# The variable that combines all other host lists and is used in role tasks and
+# templates.
+rsnapshot__combined_hosts: '{{ q("flattened",
+                                 rsnapshot__default_hosts
+                                 + rsnapshot__hosts
+                                 + rsnapshot__group_hosts
+                                 + rsnapshot__host_hosts) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of excluded file paths [[[
+# ----------------------------------------
+
+# These variables define a default list of file paths which will be excluded
+# from backups. The list will be inserted into each host configuration, and can
+# be augmeneted via the ``item.excludes`` parameter of the host configuration.
+#
+# See the :ref:`rsnapshot__ref_excludes_includes` for more details.
+
+# .. envvar:: rsnapshot__default_excludes [[[
+#
+# The default list of excluded file paths defined by the role.
+rsnapshot__default_excludes:
+
+  - '/bin'
+
+  - '/boot'
+
+  - '/cdrom'
+
+  - '/dev'
+
+  - '/lib'
+
+  - '/lib32'
+
+  - '/lib64'
+
+  - '/libx32'
+
+  - '/media'
+
+  - '/mnt'
+
+  - '/proc'
+
+  - '/run'
+
+  - '/sbin'
+
+  - '/selinux'
+
+  - '/sys'
+
+  - '/tmp'
+
+  - name: '/usr/local'
+    rule: 'include'
+
+  - '/usr/*'
+
+  - '/initrd*'
+
+  - '/swapfile*'
+
+  - '/vmlinuz*'
+
+  - '/var/agentx'
+
+  - '/var/cache'
+
+  - '/var/lib/apt'
+
+  - '/var/lib/amavis/tmp'
+
+  - '/var/lib/libvirt/images'
+
+  - '/var/lib/lxc'
+
+  - '/var/lib/lxcsnaps'
+
+  - '/var/lib/mysql'
+
+  - '/var/lib/postgresql'
+
+  - '/var/lib/python-support'
+
+  - name: '/var/lib/vz/dump'
+    rule: 'include'
+
+  - '/var/lib/vz/*'
+
+  - '/var/lock'
+
+    # A sparse file, can get to GB/TB sizes on large installations
+  - '/var/log/lastlog'
+
+  - '/var/run'
+
+  - '/var/spool/postfix'
+
+  - '/var/tmp'
+
+  - '/vz'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__excludes [[[
+#
+# The list of custom file paths to exclude from the backups by default.
+rsnapshot__excludes: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__combined_excludes [[[
+#
+# The variable that combines all lists of default excluded file patha and is
+# used in the role tasks and templates.
+rsnapshot__combined_excludes: '{{ rsnapshot__default_excludes
+                                  + rsnapshot__excludes }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of included file paths [[[
+# ----------------------------------------
+
+# These variables define a default list of file paths which will be included in
+# backups. The list will be inserted into each host configuration, and can be
+# augmeneted via the ``item.includes`` parameter of the host configuration.
+#
+# See the :ref:`rsnapshot__ref_excludes_includes` for more details.
+
+# .. envvar:: rsnapshot__default_includes [[[
+#
+# The default list of included file paths defined by the role.
+rsnapshot__default_includes:
+
+  # Include everything by default, specific files and directories are excluded
+  # in a separate list.
+  - '/*'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__includes [[[
+#
+# The list of custom file paths to include in the backups by default.
+rsnapshot__includes: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__combined_includes [[[
+#
+# The variable that combines all lists of default included file patha and is
+# used in the role tasks and templates.
+rsnapshot__combined_includes: '{{ rsnapshot__default_includes
+                                  + rsnapshot__includes }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`rsnapshot.conf` configuration files [[[
+# -----------------------------------------------------
+
+# These variables define the default contents for the
+# :file:`/etc/rsnapshot/hosts/*/rsnapshot.conf` configuration files. They are
+# inserted into each host configuration and can be modified per-host using the
+# ``item.options`` parameter.
+#
+# See :ref:`rsnapshot__ref_configuration` for more details.
+
+# .. envvar:: rsnapshot__original_configuration [[[
+#
+# The original contents of the :file:`/etc/rsnapshot.conf` configuration file
+# defined as the parsable configuration.
+rsnapshot__original_configuration:
+
+  - name: 'config_version'
+    value: '1.2'
+    section: 'config-version'
+
+  - name: 'snapshot_root'
+    comment: 'All snapshots will be stored under this root directory.'
+    value: '/var/cache/rsnapshot'
+    section: 'snapshot-root'
+
+  - name: 'no_create_root'
+    comment: |
+      If no_create_root is enabled, rsnapshot will not automatically create the
+      snapshot_root directory. This is particularly useful if you are backing
+      up to removable media, such as a FireWire or USB drive.
+    value: '1'
+    state: 'comment'
+    section: 'snapshot-root'
+
+  - name: 'cmd_cp'
+    comment: |
+      LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
+      EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
+
+      See the README file or the man page for more details.
+    value: '/bin/cp'
+    section: 'external-programs'
+
+  - name: 'cmd_rm'
+    comment: 'Uncomment this to use the rm program instead of the built-in perl routine.'
+    value: '/bin/rm'
+    section: 'external-programs'
+
+  - name: 'cmd_rsync'
+    comment: |
+      rsync must be enabled for anything to work. This is the only command that
+      must be enabled.
+    value: '/bin/rsync'
+    section: 'external-programs'
+
+  - name: 'cmd_ssh'
+    comment: 'Uncomment this to enable remote ssh backups over rsync.'
+    value: '/usr/bin/ssh'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'cmd_logger'
+    comment: 'Comment this out to disable syslog support.'
+    value: '/usr/bin/logger'
+    section: 'external-programs'
+
+  - name: 'cmd_du'
+    comment: |
+      Uncomment this to specify the path to "du" for disk usage checks.
+      If you have an older version of "du", you may also want to check the
+      "du_args" parameter below.
+    value: '/usr/bin/du'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'cmd_rsnapshot_diff'
+    comment: 'Uncomment this to specify the path to rsnapshot-diff.'
+    value: '/usr/bin/rsnapshot-diff'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'cmd_preexec'
+    comment: |
+      Specify the path to a script (and any optional arguments) to run right
+      before rsnapshot syncs files
+    value: '/path/to/preexec/script'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'cmd_postexec'
+    comment: |
+      Specify the path to a script (and any optional arguments) to run right
+      after rsnapshot syncs files
+    value: '/path/to/postexec/script'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'linux_lvm_cmd_lvcreate'
+    comment: |
+      Paths to lvcreate, lvremove, mount and umount commands, for use with
+      Linux LVMs.
+    value: '/sbin/lvcreate'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'linux_lvm_cmd_lvremove'
+    value: '/sbin/lvremove'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'linux_lvm_cmd_mount'
+    value: '/bin/mount'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'linux_lvm_cmd_umount'
+    value: '/bin/umount'
+    state: 'comment'
+    section: 'external-programs'
+
+  - name: 'alpha'
+    option: 'retain'
+    value: 6
+    section: 'backup-levels'
+
+  - name: 'beta'
+    option: 'retain'
+    value: 7
+    section: 'backup-levels'
+
+  - name: 'gamma'
+    option: 'retain'
+    value: 4
+    section: 'backup-levels'
+
+  - name: 'delta'
+    option: 'retain'
+    value: 3
+    state: 'comment'
+    section: 'backup-levels'
+
+  - name: 'verbose'
+    comment: |
+      Verbose level, 1 through 5.
+      1     Quiet           Print fatal errors only
+      2     Default         Print errors and warnings only
+      3     Verbose         Show equivalent shell commands being executed
+      4     Extra Verbose   Show extra verbose information
+      5     Debug mode      Everything
+    value: 2
+    section: 'global-options'
+
+  - name: 'loglevel'
+    comment: |
+      Same as "verbose" above, but controls the amount of data sent to the
+      logfile, if one is being used. The default is 3.
+      If you want the rsync output, you have to set it to 4
+    value: 3
+    section: 'global-options'
+
+  - name: 'logfile'
+    comment: |
+      If you enable this, data will be written to the file you specify. The
+      amount of data written is controlled by the "loglevel" parameter.
+    value: '/var/log/rsnapshot.log'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'lockfile'
+    comment: |
+      If enabled, rsnapshot will write a lockfile to prevent two instances
+      from running simultaneously (and messing up the snapshot_root).
+      If you enable this, make sure the lockfile directory is not world
+      writable. Otherwise anyone can prevent the program from running.
+    value: '/var/run/rsnapshot.pid'
+    section: 'global-options'
+
+  - name: 'stop_on_stale_lockfile'
+    comment: |
+      By default, rsnapshot check lockfile, check if PID is running
+      and if not, consider lockfile as stale, then start
+      Enabling this stop rsnapshot if PID in lockfile is not running
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'rsync_short_args'
+    comment: 'Default rsync args. All rsync commands have at least these options set.'
+    value: '-a'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'rsync_long_args'
+    value: '--delete --numeric-ids --relative --delete-excluded'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'ssh_args'
+    comment: 'ssh has no args passed by default, but you can specify some here.'
+    value: '-p 22'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'du_args'
+    comment: |
+      Default arguments for the "du" program (for disk space reporting).
+      The GNU version of "du" is preferred. See the man page for more details.
+      If your version of "du" does not support the -h flag, try -k flag instead.
+    value: '-csh'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'one_fs'
+    comment: |
+      If this is enabled, rsync will not span filesystem partitions within a
+      backup point. This essentially passes the -x option to rsync.
+      The default is 0 (off).
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'include_exclude'
+    comment: |
+      The include and exclude parameters, if enabled, simply get passed directly
+      to rsync. If you have multiple include/exclude patterns, put each one on a
+      separate line. Please look up the --include and --exclude options in the
+      rsync man page for more details on how to specify file name patterns.
+    raw: |
+      include	????
+      include	????
+      exclude	????
+      exclude	????
+    state: 'comment'
+    section: 'global-options'
+
+    # The order of the include_file and exclude_file is reversed by default.
+    # The role will exclude specific files first, and then include everything
+    # so that files not covered by the role are backed up automatically.
+  - name: 'exclude_file'
+    comment: |
+      The include_file and exclude_file parameters, if enabled, simply get
+      passed directly to rsync. Please look up the --include-from and
+      --exclude-from options in the rsync man page for more details.
+    value: '/path/to/exclude/file'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'include_file'
+    value: '/path/to/include/file'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'link_dest'
+    comment: |
+      If your version of rsync supports --link-dest, consider enabling this.
+      This is the best way to support special files (FIFOs, etc) cross-platform.
+      The default is 0 (off).
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'sync_first'
+    comment: |
+      When sync_first is enabled, it changes the default behaviour of rsnapshot.
+      Normally, when rsnapshot is called with its lowest interval
+      (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
+      intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
+      and all interval calls simply rotate files. See the man page for more
+      details. The default is 0 (off).
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'use_lazy_deletes'
+    comment: |
+      If enabled, rsnapshot will move the oldest directory for each interval
+      to [interval_name].delete, then it will remove the lockfile and delete
+      that directory just before it exits. The default is 0 (off).
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'rsync_numtries'
+    comment: |
+      Number of rsync re-tries. If you experience any network problems or
+      network card issues that tend to cause ssh to fail with errors like
+      "Corrupted MAC on input", for example, set this to a non-zero value
+      to have the rsync operation re-tried.
+    value: 0
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'linux_lvm_snapshotsize'
+    comment: |
+      LVM parameters. Used to backup with creating lvm snapshot before backup
+      and removing it after. This should ensure consistency of data in some special
+      cases
+
+      LVM snapshot(s) size (lvcreate --size option).
+    value: '100M'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'linux_lvm_snapshotname'
+    comment: 'Name to be used when creating the LVM logical volume snapshot(s).'
+    value: 'rsnapshot'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'linux_lvm_vgpath'
+    comment: 'Path to the LVM Volume Groups.'
+    value: '/dev'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'linux_lvm_mountpath'
+    comment: 'Mount point to use to temporarily mount the snapshot(s).'
+    value: '/path/to/mount/lvm/snapshot/during/backup'
+    state: 'comment'
+    section: 'global-options'
+
+  - name: 'backup_localhost'
+    comment: 'LOCALHOST'
+    raw: |
+      backup	/home/		localhost/
+      backup	/etc/		localhost/
+      backup	/usr/local/	localhost/
+    section: 'backup-points'
+
+  - name: 'backup_localhost_extra'
+    raw: |
+      backup	/var/log/rsnapshot		localhost/
+      backup	/etc/passwd	localhost/
+      backup	/home/foo/My Documents/		localhost/
+      backup	/foo/bar/	localhost/	one_fs=1, rsync_short_args=-urltvpog
+      backup_script	/usr/local/bin/backup_pgsql.sh	localhost/postgres/
+    state: 'comment'
+    section: 'backup-points'
+
+  - name: 'backup_localhost_lvm'
+    comment: 'You must set linux_lvm_* parameters below before using lvm snapshots'
+    raw: |
+      backup	lvm://vg0/xen-home/	lvm-vg0/xen-home/
+    state: 'comment'
+    section: 'backup-points'
+
+  - name: 'backup_example_com'
+    comment: 'EXAMPLE.COM'
+    raw: |
+      backup_exec	/bin/date "+ backup of example.com started at %c"
+      backup	root@example.com:/home/	example.com/	+rsync_long_args=--bwlimit=16,exclude=core
+      backup	root@example.com:/etc/	example.com/	exclude=mtab,exclude=core
+      backup_exec	ssh root@example.com "mysqldump -A > /var/db/dump/mysql.sql"
+      backup	root@example.com:/var/db/dump/	example.com/
+      backup_exec	/bin/date "+ backup of example.com ended at %c"
+    state: 'comment'
+    section: 'backup-points'
+
+  - name: 'backup_cvs_sourceforge_net'
+    comment: 'CVS.SOURCEFORGE.NET'
+    raw: |
+      backup_script	/usr/local/bin/backup_rsnapshot_cvsroot.sh	rsnapshot.cvs.sourceforge.net/
+    state: 'comment'
+    section: 'backup-points'
+
+  - name: 'backup_rsync_samba_org'
+    comment: 'RSYNC.SAMBA.ORG'
+    raw: |
+      backup	rsync://rsync.samba.org/rsyncftp/	rsync.samba.org/rsyncftp/
+    state: 'comment'
+    section: 'backup-points'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__default_configuration [[[
+#
+# The :command:`rsnapshot` configuration options modified by default by the
+# role. Some of these enable or disable certain original options.
+rsnapshot__default_configuration:
+
+  - name: 'snapshot_root'
+    value: '{{ rsnapshot__snapshot_root }}'
+
+    # Decrease the default loglevel for easier log parsing by humans
+  - name: 'loglevel'
+    value: 2
+
+  - name: 'logfile'
+    state: 'present'
+
+  - name: 'cmd_rsync'
+    value: '/usr/local/sbin/rsync-no-vanished'
+
+  - name: 'cmd_ssh'
+    state: 'present'
+
+  - name: 'one_fs'
+    value: 1
+    state: 'present'
+
+  - name: 'link_dest'
+    value: 1
+    state: 'present'
+
+  - name: 'sync_first'
+    value: 1
+    state: 'present'
+
+  - name: 'alpha'
+    state: 'absent'
+
+  - name: 'beta'
+    state: 'absent'
+
+  - name: 'gamma'
+    state: 'absent'
+
+  - name: 'delta'
+    state: 'absent'
+
+  - name: 'hourly'
+    option: 'retain'
+    value: 6
+    state: 'comment'
+    section: 'backup-levels'
+
+  - name: 'daily'
+    option: 'retain'
+    value: 7
+    section: 'backup-levels'
+
+  - name: 'weekly'
+    option: 'retain'
+    value: 4
+    section: 'backup-levels'
+
+  - name: 'monthly'
+    option: 'retain'
+    value: 6
+    section: 'backup-levels'
+
+  - name: 'exclude_file'
+    state: 'present'
+
+  - name: 'include_file'
+    state: 'present'
+
+  - name: 'backup_localhost'
+    state: 'comment'
+
+  # The value will be replaced during config file generation with the correct
+  # hostname and directory. You can use the 'raw' parameter to override it.
+  - name: 'root@fqdn:/'
+    comment: 'Backup of the configured host'
+    option: 'backup'
+    value: './'
+    section: 'backup-points'
+    weight: -300
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__configuration [[[
+#
+# The list of custom :file:`rsnapshot.conf` configuration options added to all
+# hosts by default. You can use the ``item.options`` parameter to add or modify
+# configuration options on a per-host basis.
+rsnapshot__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__combined_configuration [[[
+#
+# The variable that combines the lists of default configuration options and is
+# used in role tasks and templates.
+rsnapshot__combined_configuration: '{{ rsnapshot__original_configuration
+                                       + rsnapshot__default_configuration
+                                       + rsnapshot__configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: rsnapshot__configuration_sections [[[
+#
+# The variable that defines the sections of the :file:`rsnapshot.conf`
+# configuration files.
+rsnapshot__configuration_sections:
+
+  - name: 'config-version'
+    value: 'Config file version'
+
+  - name: 'snapshot-root'
+    value: 'Snapshot root directory'
+
+  - name: 'external-programs'
+    value: 'External program dependencies'
+
+  - name: 'backup-levels'
+    value: 'Backup levels / intervals'
+    comment: |
+      Must be unique and in ascending order
+      e.g. alpha, beta, gamma, etc.
+
+  - name: 'global-options'
+    value: 'Global options'
+    comment: 'All are optional, with sensible defaults'
+
+  - name: 'backup-points'
+    value: 'Backup points / scripts'
+
+  - name: 'unknown'
+    value: 'Other options'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsnapshot-scheduler b/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsnapshot-scheduler
new file mode 100755
index 00000000..d895f1d4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsnapshot-scheduler
@@ -0,0 +1,312 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Manage rsnapshot backups configured in /etc/rsnapshot/hosts/
+
+
+display_usage () {
+
+    cat <<EOF
+Usage: $(basename "${0}") <run|schedule> <level> <all|host>
+
+run           start the backup of a given host on a given level
+schedule      create a backup job with given parameters
+
+<level>       name of a rsnapshot backup level to use
+              (hourly, daily, weekly, monthly, etc.)
+
+all           schedule backup job for all hosts
+<host>        name of the host directory in /etc/rsnapshot
+EOF
+
+}
+
+script="${0}"
+
+scheduler_config="/etc/$(basename "${script}").conf"
+
+scheduler_config_dir="/etc/rsnapshot/hosts"
+scheduler_snapshot_root="/var/cache/rsnapshot/hosts"
+scheduler_lock_dir="/run/rsnapshot-scheduler"
+scheduler_type="batch"
+scheduler_batch_command="at -q R now"
+scheduler_sleep_max_delay="20"
+scheduler_run_max_delay="5"
+
+# shellcheck disable=SC1090
+[ -r "${scheduler_config}" ] && . "${scheduler_config}"
+
+pid="$$"
+
+arg_mode="${1}"
+arg_backup_level="${2}"
+arg_host="${3}"
+
+log_message () {
+    if tty -s > /dev/null 2>&1 ; then
+        echo "$(basename "${script}"): ${*}"
+    elif type logger > /dev/null 2>&1 ; then
+        logger -t "$(basename "${script}")[${pid}]" "${*}"
+    fi
+}
+
+if [ -r "${scheduler_config_dir}/stop" ] || [ -r "${scheduler_config_dir}/disable" ] || [ -r "${scheduler_config_dir}/disabled" ] ; then
+    log_message "Exit: rsnapshot backups are disabled globally"
+    exit 0
+fi
+
+if [ -r "${scheduler_snapshot_root}/stop" ] || [ -r "${scheduler_snapshot_root}/disable" ] || [ -r "${scheduler_snapshot_root}/disabled" ] ; then
+    log_message "Exit: rsnapshot backups are disabled globally via snapshot root directory"
+    exit 0
+fi
+
+if [ -z "${arg_mode}" ] ; then
+    display_usage
+    exit 0
+fi
+
+if [ -z "${arg_backup_level}" ] ; then
+    log_message "Error: backup level not specified"
+    exit 1
+fi
+
+if [ -z "${arg_host}" ] ; then
+    log_message "Error: host not specified"
+    exit 1
+fi
+
+clean_up () {
+
+    local backup_level="${1}"
+    local host="${2}"
+
+    local scheduler_pidfile
+    scheduler_pidfile="${scheduler_lock_dir}/$(basename "${script}")-${backup_level}-${host}.pid"
+
+    test -f "${scheduler_pidfile}" && rm -f "${scheduler_pidfile}"
+}
+
+wait_for_pid () {
+
+    local backup_level="${1}"
+    local host="${2}"
+
+    local scheduler_pidfile
+    scheduler_pidfile="${scheduler_lock_dir}/$(basename "${script}")-${backup_level}-${host}.pid"
+
+    if [ -f "${scheduler_pidfile}" ] ; then
+        while kill -0 "$(<"${scheduler_pidfile}")" > /dev/null 2>&1 ; do
+            log_message "Scheduled ${backup_level} backup of host ${host} is waiting for PID $(<"${scheduler_pidfile}") to finish"
+            sleep $(( ( RANDOM % scheduler_run_max_delay ) + 1))m
+        done
+        test -f "${scheduler_pidfile}" && rm -f "${scheduler_pidfile}"
+    fi
+
+}
+
+# shellcheck disable=SC2120
+delay_backup () {
+
+    local delay="${1}"
+
+    if [ -n "${delay}" ] ; then
+        sleep "${delay}"
+    else
+        sleep $(( ( RANDOM % scheduler_sleep_max_delay ) + 1 ))m
+    fi
+}
+
+run_backup () {
+
+    local backup_level="${1}"
+    local host="${2}"
+
+    local scheduler_pidfile
+    scheduler_pidfile="${scheduler_lock_dir}/$(basename "${script}")-${backup_level}-${host}.pid"
+
+    if [ "${host}" == "all" ] ; then
+        log_message "Error: cannot backup host ${host}"
+        exit 1
+    fi
+
+    if [ -r "${scheduler_config_dir}/${host}/rsnapshot.conf" ] ; then
+        local config="${scheduler_config_dir}/${host}/rsnapshot.conf"
+    else
+        log_message "Error: configuration for ${host} not found"
+        exit 1
+    fi
+
+    if [ -r "${scheduler_config_dir}/${host}/stop" ] || [ -r "${scheduler_config_dir}/${host}/disable" ] || [ -r "${scheduler_config_dir}/${host}/disabled" ] ; then
+        log_message "Exit: backup of ${host} is disabled"
+        exit 0
+    fi
+
+    if [ -r "${config}" ] ; then
+
+        read -r -a snapshot_root <<< "$(grep -E "^snapshot_root\\s+" "${config}" | awk '{print $2}' | head -n 1)"
+        read -r -a no_create_root <<< "$(grep -E "^no_create_root\\s+1" "${config}")"
+        read -r -a sync_first <<< "$(grep -E "^sync_first\\s+1" "${config}")"
+        read -r -a retain_first <<< "$(grep -E "^retain\\s+" "${config}" | awk '{print $2}' | head -n 1)"
+        read -r -a retain_name <<< "$(grep -E "^retain\\s+${backup_level}\\s+" "${config}" | awk '{print $2}' | head -n 1)"
+        read -r -a lockfile <<< "$(grep -E "^lockfile\\s+" "${config}" | awk '{print $2}' | head -n 1)"
+
+        # If no_create_root is enabled, check the existence of the root backup
+        # directory early so that we can avoid spamming the system
+        # administrator with e-mails about missing root directory.
+        if [ -n "${no_create_root[*]}" ] ; then
+            if [ -n "${snapshot_root[*]}" ] && [ ! -d "${snapshot_root[*]}" ] ; then
+                log_message "Exit: Backup of ${host} at ${backup_level} level stopped, snapshot directory not found and will not be created automatically"
+                exit 0
+            fi
+        fi
+
+        if [ "${retain_name[*]}" == "${backup_level[*]}" ] ; then
+
+            if [ -f "${scheduler_pidfile}" ] ; then
+                if kill -0 "$(<"${scheduler_pidfile}")" > /dev/null 2>&1 ; then
+                    log_message "Exit: Backup of ${host} at ${backup_level} level already in progress, managed by PID $(cat "${scheduler_pidfile}")"
+                    exit 0
+                else
+                    rm -f "${scheduler_pidfile}"
+                fi
+            fi
+
+            # shellcheck disable=SC2174
+            test -d "$(dirname "${scheduler_pidfile}")" || mkdir -p -m 755 "$(dirname "${scheduler_pidfile}")"
+            echo ${pid} > "${scheduler_pidfile}"
+            sleep 1
+
+            if [ "$(cat "${scheduler_pidfile}")" != "${pid}" ] ; then
+                log_message "Exit: Backup of ${host} at ${backup_level} level started by PID $(cat "${scheduler_pidfile}"), exiting"
+                exit 0
+            fi
+
+            # shellcheck disable=SC2064
+            trap "clean_up ${backup_level} ${host}" EXIT
+
+            if [ -n "${lockfile[*]}" ] && [ -r "${lockfile[*]}" ] ; then
+                if kill -0 "$(<"${lockfile[*]}")" > /dev/null 2>&1 ; then
+                    while [ -r "${lockfile[*]}" ] ; do
+                        sleep $(( ( RANDOM % scheduler_run_max_delay ) + 1))m
+                    done
+                fi
+            fi
+
+            if [ -n "${sync_first[*]}" ] && [ "${retain_name[*]}" == "${retain_first[*]}" ] ; then
+                log_message "Starting sync for ${backup_level} backup of ${host}"
+                rsnapshot -c "${config}" sync
+            fi
+            if [ -n "${sync_first[*]}" ] && [ "${retain_name[*]}" == "${retain_first[*]}" ] ; then
+                log_message "Rotating ${backup_level} snapshot of ${host}"
+            else
+                log_message "Starting ${backup_level} backup of ${host}"
+            fi
+            rsnapshot -c "${config}" "${backup_level}"
+        else
+            log_message "Error: Specified backup level '${backup_level}' is not configured in ${config}"
+            exit 1
+        fi
+
+    else
+
+        log_message "Error: Config file ${config} not found"
+        exit 1
+
+    fi
+}
+
+prepare_backup () {
+
+    local backup_level="${1}"
+    local host="${2}"
+
+    local scheduler_pidfile
+    scheduler_pidfile="${scheduler_lock_dir}/$(basename "${script}")-${backup_level}-${host}.pid"
+
+    if [ -r "${scheduler_config_dir}/${host}/rsnapshot.conf" ] ; then
+        local config="${scheduler_config_dir}/${host}/rsnapshot.conf"
+    else
+        log_message "Error: configuration for ${host} not found"
+        return
+    fi
+
+    if [ -r "${scheduler_config_dir}/${host}/stop" ] || [ -r "${scheduler_config_dir}/${host}/disable" ] || [ -r "${scheduler_config_dir}/${host}/disabled" ] ; then
+        log_message "Exit: backup of ${host} is disabled"
+        return
+    fi
+
+    if [ -r "${config}" ] ; then
+
+        local retain_name
+        read -r -a retain_name <<< "$(grep -E "^retain\\s+${backup_level}\\s+" "${config}" | awk '{print $2}' | head -n 1)"
+
+        if [ "${retain_name[*]}" == "${backup_level}" ] ; then
+
+            if [ -f "${scheduler_pidfile}" ] ; then
+                log_message "Backup of ${host} at ${backup_level} level already in progress, managed by PID $(cat "${scheduler_pidfile}")"
+                return
+            fi
+
+            # shellcheck disable=SC2174
+            test -d "$(dirname "${scheduler_pidfile}")" || mkdir -p -m 755 "$(dirname "${scheduler_pidfile}")"
+            echo ${pid} > "${scheduler_pidfile}"
+            sleep 1
+
+            if [ "$(cat "${scheduler_pidfile}")" != "${pid}" ] ; then
+                log_message "Backup of ${host} at ${backup_level} level started by PID $(cat "${scheduler_pidfile}")"
+                return
+            fi
+
+            if [ "${scheduler_type}" == "batch" ] ; then
+
+                if type batch > /dev/null 2>&1 ; then
+                    log_message "Scheduling ${backup_level} backup of ${host} using batch"
+                    echo "${script} batchrun ${backup_level} ${host}" | ${scheduler_batch_command} > /dev/null 2>&1
+                else
+                    log_message "Scheduling ${backup_level} backup of ${host}"
+                    (${script} delayrun "${backup_level}" "${host}") &
+                fi
+
+            elif [ "${scheduler_type}" == "sleep" ] ; then
+
+                log_message "Scheduling ${backup_level} backup of ${host}"
+                (${script} delayrun "${backup_level}" "${host}") &
+
+            fi
+
+        fi
+
+    fi
+}
+
+schedule_backup () {
+
+    local backup_level="${1}"
+    local host="${2}"
+
+    if [ "${host}" != "all" ] ; then
+
+        prepare_backup "${backup_level}" "${host}"
+
+    elif [ "${host}" == "all" ] ; then
+        local random_hosts
+        read -r -a random_hosts <<< "$(find "${scheduler_config_dir}" -maxdepth 1 -mindepth 1 -type d -printf "%f\\n" | sort -R | xargs)"
+        for name in "${random_hosts[@]}" ; do
+            prepare_backup "${backup_level}" "$(basename "${name}")"
+        done
+    fi
+
+}
+
+case ${arg_mode} in
+    run)         run_backup "${arg_backup_level}" "${arg_host}" ;;
+    batchrun)    wait_for_pid "${arg_backup_level}" "${arg_host}" ; run_backup "${arg_backup_level}" "${arg_host}" ;;
+    delayrun)
+                 # shellcheck disable=SC2119
+                 delay_backup ; run_backup "${arg_backup_level}" "${arg_host}" ;;
+    schedule)    schedule_backup "${arg_backup_level}" "${arg_host}" ;;
+    *)           display_usage && exit 0 ;;
+esac
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsync-no-vanished b/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsync-no-vanished
new file mode 100755
index 00000000..d1b6f33a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/files/usr/local/sbin/rsync-no-vanished
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Use this script instead of /usr/bin/rsync command to avoid issues with
+# vanishing files.
+# https://bugzilla.samba.org/show_bug.cgi?id=3653
+
+IGNOREEXIT=24
+IGNOREOUT='^(file has vanished: |rsync warning: some files vanished before they could be transferred)'
+
+set -o pipefail
+
+rsync "${@}" 2>&1 | (grep -v -E "$IGNOREOUT" || true)
+ret=$?
+
+if [[ $ret == "$IGNOREEXIT" ]]; then
+    ret=0
+fi
+
+exit $ret
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/meta/main.yml b/ansible_collections/debops/debops/roles/rsnapshot/meta/main.yml
new file mode 100644
index 00000000..e1c65ff9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure rsnapshot and rsync to backup a set of servers remotely'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - backup
+    - rsync
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/tasks/main.yml b/ansible_collections/debops/debops/roles/rsnapshot/tasks/main.yml
new file mode 100644
index 00000000..73900f8a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/tasks/main.yml
@@ -0,0 +1,255 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (rsnapshot__base_packages
+                              + rsnapshot__packages)) }}'
+    state: 'present'
+  register: rsnapshot__register_packages
+  until: rsnapshot__register_packages is succeeded
+
+- name: Install custom backup scripts
+  ansible.builtin.copy:
+    src: 'usr/local/sbin/'
+    dest: '{{ (ansible_local.fhs.sbin | d("/usr/local/sbin")) + "/" }}'
+    mode: '0755'
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ item.path }}'
+    mode: '{{ item.mode }}'
+    state: 'directory'
+  loop:
+    - { path: '{{ rsnapshot__config_dir }}',    mode: '0755' }
+    - { path: '{{ rsnapshot__snapshot_root }}', mode: '0700' }
+
+- name: Configure rsnapshot-scheduler
+  ansible.builtin.template:
+    src: 'etc/rsnapshot-scheduler.conf.j2'
+    dest: '/etc/rsnapshot-scheduler.conf'
+    mode: '0644'
+
+- name: Configure rsnapshot backup scripts in cron
+  ansible.builtin.template:
+    src: 'etc/cron/rsnapshot-wrapper.j2'
+    dest: '/etc/cron.{{ item }}/rsnapshot-wrapper'
+    mode: '0755'
+  loop: [ 'hourly', 'daily', 'weekly', 'monthly' ]
+
+- name: Ensure that rsnapshot SSH identities are present
+  ansible.builtin.user:
+    name: 'root'
+    generate_ssh_key: True
+    ssh_key_file:    '.ssh/{{ item.name }}'
+    ssh_key_type:    '{{ item.type | d(rsnapshot__ssh_key_type) }}'
+    ssh_key_bits:    '{{ item.bits | d(rsnapshot__ssh_key_bits) }}'
+    ssh_key_comment: '{{ item.comment | d(rsnapshot__ssh_key_comment) }}'
+  loop: '{{ q("flattened", (rsnapshot__ssh_default_identities + rsnapshot__ssh_identities)) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Refresh host facts' ]
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore']
+
+- name: Make sure /root/.ssh/known_hosts file exists
+  ansible.builtin.command: touch /root/.ssh/known_hosts
+  args:
+    creates: '/root/.ssh/known_hosts'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save rsnapshot local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rsnapshot.fact.j2'
+    dest: '/etc/ansible/facts.d/rsnapshot.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+  # The host facts are needed so that we have the real "ansible_fqdn" value
+  # that the backup host will use which could be different from the
+  # "inventory_hostname" or "ansible_host" values, which might be unusable by
+  # the 'rsnapshot' command.
+- name: Gather facts from configured hosts
+  ansible.builtin.setup:
+    gather_subset: '!all'
+    fact_path: '/dev/null'
+  delegate_to: '{{ item.name }}'
+  delegate_facts: True
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+         not item.fqdn | d() and hostvars[item.name] | d() and
+         hostvars[item.name]['ansible_fqdn'] is not defined and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+- name: Install required packages on hosts
+  ansible.builtin.package:
+    name: '{{ q("flattened", rsnapshot__host_packages) }}'
+    state: 'present'
+  register: rsnapshot__register_host_packages
+  until: rsnapshot__register_host_packages is succeeded
+  delegate_to: '{{ item.name }}'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present"),
+                "packages": q("flattened", rsnapshot__host_packages)} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+         (item.rsync | d(True)) | bool and hostvars[item.name] | d() and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+  # Example: https://github.com/anamba/rrsync-custom
+  # Example: https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/
+- name: Install restricted rsync script used for backups
+  environment:
+    rrsync_source: '{{ item.rrsync_source | d(rsnapshot__rrsync_source) }}'
+    rrsync_binary: '{{ item.rrsync_binary | d(rsnapshot__rrsync_binary) }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit
+    if [ -r "${rrsync_source}.gz" ] ; then
+        gzip -d -c "${rrsync_source}.gz" > "${rrsync_binary}"
+    elif [ -r "${rrsync_source}" ] ; then
+        cp "${rrsync_source}" "${rrsync_binary}"
+    fi
+    chmod 0755 "${rrsync_binary}"
+  args:
+    executable: 'bash'
+    creates: '{{ item.rrsync_binary | d(rsnapshot__rrsync_binary) }}'
+  delegate_to: '{{ item.name }}'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present"),
+                "packages": q("flattened", rsnapshot__host_packages)} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+         (item.rsync | d(True)) | bool and hostvars[item.name] | d() and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+- name: Deploy root ssh public key on configured hosts
+  ansible.posix.authorized_key:
+    user: '{{ item.ssh_user | d("root") }}'
+    key: '{{ ansible_local.rsnapshot.ssh_identities[item.ssh_identity | d(rsnapshot__ssh_main_identity)]
+             if (ansible_local.rsnapshot.ssh_identities | d() and
+                 ansible_local.rsnapshot.ssh_identities[item.ssh_identity | d(rsnapshot__ssh_main_identity)] | d())
+             else "" }}'
+    key_options: '{{ item.ssh_options | d(rsnapshot__ssh_options) }},command="{{ item.ssh_command | d(rsnapshot__ssh_command) }}"'
+    state: '{{ item.state | d("present") }}'
+  delegate_to: '{{ item.fqdn | d(item.name) }}'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: rsnapshot__register_ssh_keys
+  when: (item.name | d() and item.state | d('present') not in ['ignore'] and
+         not (item.local | d()) | bool and (item.ssh_key | d(True)) | bool and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+- name: Remove old SSH host fingerprints if keys were modified
+  environment:  # noqa no-handler
+    item_fqdn: '{{ item.item.fqdn | d(hostvars[item.item.name].ansible_fqdn if hostvars[item.item.name] | d() else item.item.name) }}'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit
+    if type dig > /dev/null ; then
+        host_names=(
+            "${item_fqdn}"
+            $(dig +short A "${item_fqdn}")
+            $(dig +short AAAA "${item_fqdn}")
+            $(dig +search +short "${item_fqdn}")
+        )
+        for address in ${host_names[@]} ; do
+            ssh-keygen -R ${address}
+        done
+    else
+        ssh-keygen -R "${item_fqdn}"
+    fi
+  args:
+    executable: 'bash'
+  loop: '{{ rsnapshot__register_ssh_keys.results }}'
+  loop_control:
+    label: '{{ {"name": item.item.name, "state": item.item.state | d("present")} }}'
+  register: rsnapshot__register_keygen_remove
+  changed_when: rsnapshot__register_keygen_remove.changed | bool
+  when: (item.item.name | d() and item.item.state | d('present') not in ['absent', 'ignore'] and
+         not (item.item.local | d()) | bool and (item.item.ssh_scan | d(True)) | bool and item is changed and
+         (not rsnapshot__limit | d() or (item.item.name in rsnapshot__limit)))
+
+- name: Get list of already scanned host fingerprints
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         ssh-keygen -f /root/.ssh/known_hosts -F {{ item.fqdn | d(hostvars[item.name].ansible_fqdn if hostvars[item.name] | d() else item.name) }}
+         | grep -q '^# Host {{ item.fqdn | d(hostvars[item.name].ansible_fqdn if hostvars[item.name] | d() else item.name) }} found'
+  args:
+    executable: 'bash'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+         not (item.local | d()) | bool and (item.ssh_scan | d(True)) | bool and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+  register: rsnapshot__register_known_hosts
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Scan SSH fingerprints of the configured hosts
+  ansible.builtin.shell: 'ssh-keyscan -H -T 10 -p {{ item.item.ssh_port | d("22") }}
+          {{ item.item.fqdn | d(hostvars[item.item.name].ansible_fqdn if hostvars[item.item.name] | d() else item.item.name) }} >> /root/.ssh/known_hosts'
+  loop: '{{ rsnapshot__register_known_hosts.results }}'
+  loop_control:
+    label: '{{ {"name": item.item.name, "state": item.item.state | d("present")} }}'
+  register: rsnapshot__register_ssh_keyscan
+  changed_when: rsnapshot__register_ssh_keyscan.changed | bool
+  when: (item.item.name | d() and item.item.state | d('present') not in ['absent', 'ignore'] and
+         not (item.item.local | d()) | bool and (item.item.ssh_scan | d(True)) | bool and item.rc | d() > 0 and
+         (not rsnapshot__limit | d() or (item.item.name in rsnapshot__limit)))
+
+- name: Remove host configuration directories if requested
+  ansible.builtin.file:
+    path: '{{ rsnapshot__config_dir + "/" + item.name }}'
+    state: 'absent'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (item.name | d() and item.state | d('present') == 'absent' and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+- name: Create host configuration directories
+  ansible.builtin.file:
+    path: '{{ rsnapshot__config_dir + "/" + item.name }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ rsnapshot__combined_hosts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (item.name | d() and item.state | d('present') not in ['absent', 'ignore'] and
+         (not rsnapshot__limit | d() or (item.name in rsnapshot__limit)))
+
+- name: Generate host configuration files
+  ansible.builtin.template:
+    src: 'etc/rsnapshot/hosts/{{ item.1 }}.j2'
+    dest: '{{ rsnapshot__config_dir + "/" + item.0.name + "/" + item.1 }}'
+    mode: '0644'
+  loop: '{{ (rsnapshot__combined_hosts | debops.debops.parse_kv_items(defaults={"options": (rsnapshot__combined_configuration | debops.debops.parse_kv_config),
+                                                                                "excludes": (rsnapshot__combined_excludes | debops.debops.parse_kv_items),
+                                                                                "includes": (rsnapshot__combined_includes | debops.debops.parse_kv_items)},
+                                                                      merge_keys=["excludes", "includes"]))
+            | product(["include.txt", "exclude.txt", "rsnapshot.conf"]) | list }}'
+  loop_control:
+    label: '{{ {"name": item.0.name, "state": item.0.state | d("present"), "file": item.1} }}'
+  when: (item.0.name | d() and item.0.state | d('present') not in ['absent', 'ignore'] and
+         (not rsnapshot__limit | d() or (item.0.name in rsnapshot__limit)))
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/ansible/facts.d/rsnapshot.fact.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/ansible/facts.d/rsnapshot.fact.j2
new file mode 100644
index 00000000..bd1d7650
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/ansible/facts.d/rsnapshot.fact.j2
@@ -0,0 +1,36 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('rsnapshot'),
+          'ssh_identities': {}}
+
+try:
+    for filename in os.listdir('/root/.ssh'):
+        if filename.endswith('.pub'):
+            with open('/root/.ssh/' + filename, 'r') as f:
+                for line in f:
+                    output['ssh_identities'].update({
+                        filename.rstrip('.pub'): line})
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/cron/rsnapshot-wrapper.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/cron/rsnapshot-wrapper.j2
new file mode 100755
index 00000000..f56d31d0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/cron/rsnapshot-wrapper.j2
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Launch rsnapshot {{ item }} backups
+
+scheduler="{{ ansible_local.fhs.sbin | d('/usr/local/sbin') + '/rsnapshot-scheduler' }}"
+scheduler_item="{{ item }}"
+
+if test -x "${scheduler}" ; then
+    "${scheduler}" schedule "${scheduler_item}" all
+fi
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot-scheduler.conf.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot-scheduler.conf.j2
new file mode 100644
index 00000000..82856b9a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot-scheduler.conf.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration for 'rsnapshot-scheduler' script
+
+# Directory where rsnapshot configuration is stored
+scheduler_config_dir="{{ rsnapshot__config_dir }}"
+
+# Directory where backup snapshots are stored
+scheduler_snapshot_root="{{ rsnapshot__snapshot_root }}"
+
+# How backup jobs should be scheduled, either "batch" or "sleep"
+scheduler_type="{{ rsnapshot__scheduler_type }}"
+
+# Command used to schedule backup jobs in 'at'
+scheduler_batch_command="{{ rsnapshot__scheduler_batch_command }}"
+
+# Sleep scheduler uses 'sleep' command with a random time in minutes before
+# starting the backup. This variable defined maximum delay in minutes.
+scheduler_sleep_max_delay="{{ rsnapshot__scheduler_sleep_max_delay }}"
+
+# When another instance of 'rsnapshot-scheduler' is detected which manages
+# backup for different snapshot level, scheduler script will sleep for this
+# amount of minutes before checking again if it's OK to proceed.
+scheduler_run_max_delay="{{ rsnapshot__scheduler_run_max_delay }}"
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/exclude.txt.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/exclude.txt.j2
new file mode 100644
index 00000000..a05968dd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/exclude.txt.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set host = item.0 %}
+{% set rule_map = {
+  'exclude':   '-',
+  'include':   '+',
+  'merge':     '.',
+  'dir-merge': ':',
+  'hide':      'H',
+  'show':      'S',
+  'protect':   'P',
+  'risk':      'R',
+  'clear':     '!'
+} %}
+{% for option in host.excludes %}
+{%   if option.name | d() and option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{{ "{} {}".format(rule_map[option.rule | d('exclude')], option.name) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/include.txt.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/include.txt.j2
new file mode 100644
index 00000000..506a825d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/include.txt.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set host = item.0 %}
+{% set rule_map = {
+  'exclude':   '-',
+  'include':   '+',
+  'merge':     '.',
+  'dir-merge': ':',
+  'hide':      'H',
+  'show':      'S',
+  'protect':   'P',
+  'risk':      'R',
+  'clear':     '!'
+} %}
+{% for option in host.includes %}
+{%   if option.name | d() and option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{{ "{} {}".format(rule_map[option.rule | d('include')], option.name) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/rsnapshot.conf.j2 b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/rsnapshot.conf.j2
new file mode 100644
index 00000000..fa1efd1e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsnapshot/templates/etc/rsnapshot/hosts/rsnapshot.conf.j2
@@ -0,0 +1,114 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#################################################
+# rsnapshot.conf - rsnapshot configuration file #
+#################################################
+#                                               #
+# PLEASE BE AWARE OF THE FOLLOWING RULES:       #
+#                                               #
+# This file requires tabs between elements      #
+#                                               #
+#################################################
+{% set host = item.0 %}
+{% for section in rsnapshot__configuration_sections %}
+{%   set host_options = host.options | selectattr('section', 'defined') | selectattr('section', 'equalto', section.name) | list %}
+{%   if host_options | d() %}
+
+{%     set section_title = {'width': ((section.value | length) | int + 4)} %}
+{%     if section.comment | d() %}
+{%       for line in (section.comment | regex_replace('\n$', '')).split('\n') %}
+{%         if ((line | length) | int + 4) > section_title.width %}
+{%           set _ = section_title.update({'width': ((line | length) | int + 4)}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{{ ('{:#^' + (section_title.width | string) + 's}').format('') }}
+{{ ('# {:^' + ((section_title.width - 4) | string) + '} #').format(section.value | upper) }}
+{%     if section.comment | d() %}
+{%       for line in (section.comment | regex_replace('\n$', '')).split('\n') %}
+{{ ('# {:<' + ((section_title.width - 4) | string) + '} #').format(line) }}
+{%       endfor %}
+{%     endif %}
+{{ ('{:#^' + (section_title.width | string) + 's}').format('') }}
+
+{%     for option in host_options %}
+{%       if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%         if option.comment | d() %}
+{%           if not loop.first %}
+
+{%           endif %}
+{{ option.comment | regex_replace("\n$", "") | comment(prefix='', postfix='#') }}
+{%         endif %}
+{%         if option.raw | d() %}
+{%           if option.state | d('present') == 'comment' %}
+{{ option.raw | regex_replace('\n$', '') | comment(decoration='#', prefix='', postfix='') -}}
+{%           else %}
+{{ option.raw -}}
+{%           endif %}
+{%         elif option.value is defined %}
+{%           set option_alias = ((option.option + '\t') if option.option | d() else '') %}
+{%           set option_comment = ('#' if (option.state | d('present') == 'comment') else '') %}
+{%           set option_name = option.name %}
+{%           set option_tabs = ('\t' if ((option_comment + option_name) | length < 8) else '') %}
+{%           set option_value = option.value %}
+{%           if option.name == 'snapshot_root' and option.value == rsnapshot__snapshot_root %}
+{%             set option_value = (rsnapshot__snapshot_root + '/' + host.name) %}
+{%           endif %}
+{%           if option.name == 'lockfile' and option.value == '/var/run/rsnapshot.pid' %}
+{%             set option_value = ('/var/run/rsnapshot-' + host.name + '.pid') %}
+{%           endif %}
+{%           if option.name == 'include_file' and option.state == 'present' and option.value == '/path/to/include/file' %}
+{%             set option_value = (rsnapshot__config_dir + '/' + host.name + '/include.txt') %}
+{%           endif %}
+{%           if option.name == 'exclude_file' and option.state == 'present' and option.value == '/path/to/exclude/file' %}
+{%             set option_value = (rsnapshot__config_dir + '/' + host.name + '/exclude.txt') %}
+{%           endif %}
+{%           set option_overrides = [] %}
+{%           if option.name == 'root@fqdn:/' %}
+{%             set option_filesystems = {'/': (host.dest_root | d('./'))} %}
+{%             if host.filesystems | d() %}
+{%               if host.filesystems is mapping %}
+{%                 for key, value in host.filesystems.items() %}
+{%                   set _ = option_filesystems.update({key: value}) %}
+{%                 endfor %}
+{%               else %}
+{%                 for source in ([ host.filesystems ] if (host.filesystems is string) else host.filesystems) %}
+{%                   set _ = option_filesystems.update({source: (host.dest_root | d('./'))}) %}
+{%                 endfor %}
+{%               endif %}
+{%             endif %}
+{%             for src, dest in option_filesystems | dictsort %}
+{%               if (host.local | d()) | bool %}
+{%                 set option_name = src %}
+{%                 set option_overrides = [] %}
+{%               else %}
+{%                 if hostvars[host.name] | d() %}
+{%                   set option_name = (host.ssh_user | d('root')) + '@' + (host.fqdn | d(hostvars[host.name]['ansible_fqdn'])) + ':' + src %}
+{%                 else %}
+{%                   set option_name = (host.ssh_user | d('root')) + '@' + (host.fqdn | d(host.name)) + ':' + src %}
+{%                 endif %}
+{%                 set override_ssh_args = ([ '-i ~/.ssh/' + (host.ssh_identity | d(rsnapshot__ssh_main_identity)) ]) %}
+{%                 if host.ssh_port | d() %}
+{%                   set _ = override_ssh_args.append('-p ' + host.ssh_port | string) %}
+{%                 endif %}
+{%                 set option_overrides = ([ '+ssh_args=' + (override_ssh_args | join(' ')) ]) %}
+{%               endif %}
+{%               set option_tabs = (('\t' if ((option_comment + option_name) | length < 8) else '') + ('\t' if (((option_comment + option_name) | length) % 8 >= 7) else '') + ('\t' if (((option_comment + option_name) | length) % 8 > 7 and src == '/') else '')) %}
+{%               set option_value = dest %}
+{%               if host.overrides | d() %}
+{%                 set _ = option_overrides.extend([ host.overrides ] if host.overrides is string else host.overrides) %}
+{%               endif %}
+{{ "{}{}{}\t{}{}{}".format(option_comment, option_alias, option_name, option_tabs, option_value, ('\t' if option_overrides | d() else '') + option_overrides | join(',')) }}
+{%             endfor %}
+{%           else %}
+{{ "{}{}{}\t{}{}{}".format(option_comment, option_alias, option_name, option_tabs, option_value, ('\t' if option_overrides | d() else '') + option_overrides | join(',')) }}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rspamd/COPYRIGHT b/ansible_collections/debops/debops/roles/rspamd/COPYRIGHT
new file mode 100644
index 00000000..e6a8d612
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.rspamd - Manage rspamd with Ansible
+
+Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rspamd/defaults/main.yml b/ansible_collections/debops/debops/roles/rspamd/defaults/main.yml
new file mode 100644
index 00000000..b384230a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/defaults/main.yml
@@ -0,0 +1,669 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rspamd__ref_defaults:
+
+# debops.rspamd default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: rspamd__packages [[[
+#
+# List of additional APT packages that should be installed with rspamd.
+rspamd__packages: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__base_packages [[[
+#
+# APT packages required for the rspamd installation.
+rspamd__base_packages:
+  - 'rspamd'
+  - '{{ "bind9-dnsutils" if rspamd__dkim_update_method is search("nsupdate") else [] }}'
+  - '{{ "krb5-user" if rspamd__dkim_update_method == "nsupdate_gsstsig" else [] }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# DKIM configuration [[[
+# -----------------------
+
+# .. envvar:: rspamd__dkim_enabled [[[
+#
+# Whether to enable DKIM signing of messages. Note that this defaults to
+# false because DKIM requires some manual configuration, see
+# :ref:`rspamd__ref_dkim` for more details.
+rspamd__dkim_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_domains [[[
+#
+# DKIM domains to generate, manage and use signing keys for.
+rspamd__dkim_domains: [ '{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_log_dir [[[
+#
+# Absolute path to the directory which contains DKIM logs.
+rspamd__dkim_log_dir: '/var/log/rspamd'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_keygen_default_configuration [[[
+#
+# The default configuration for the ``rspamd-dkim-keygen`` script.
+rspamd__dkim_keygen_default_configuration:
+  - name: 'key_directory'
+    value: '/var/lib/rspamd/dkim/'
+
+  - name: 'key_archive'
+    value: '/var/lib/rspamd/dkim-archive/'
+
+  - name: 'update_script'
+    value: '/usr/local/sbin/rspamd-dkim-update'
+
+  - name: 'future_config'
+    value: 'dkim-future.conf'
+
+  - name: 'active_config'
+    value: 'dkim-active.conf'
+
+  - name: 'expired_config'
+    value: 'dkim-expired.conf'
+
+  - name: 'future_period'
+    value: 1
+
+  - name: 'active_period'
+    value: 3
+
+  - name: 'expired_period'
+    value: 1
+
+  - name: 'domains'
+    value: '{{ rspamd__dkim_domains }}'
+
+  - name: 'key_types'
+    value:
+      - { type: 'ed25519' }
+      - { type: 'rsa', extra_args: [ '--bits', '2048' ] }
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_keygen_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for all hosts in the
+# Ansible inventory.
+rspamd__dkim_keygen_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_keygen_group_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for all hosts in a
+# specific Ansible inventory group.
+rspamd__dkim_keygen_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_keygen_host_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for a specific host
+# in the Ansible inventory.
+rspamd__dkim_keygen_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_keygen_combined_configuration [[[
+#
+# This variable combines other :command:`rspamd` configuration options and
+# is used by the role template to generate the configuration snippets in
+# :file:`/etc/rspamd/local.d`.
+rspamd__dkim_keygen_combined_configuration: '{{
+  rspamd__dkim_keygen_default_configuration
+   + rspamd__dkim_keygen_configuration
+   + rspamd__dkim_keygen_group_configuration
+   + rspamd__dkim_keygen_host_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_method [[[
+#
+# The method to use to publish/remove DKIM keys as DNS RRs.
+#
+# Supported values are:
+#
+# log
+#   Key updates will simply be logged to a file.
+# email
+#   Emails will be sent to the admin email address for manual handling.
+# nsupdate
+#   The :command:`nsupdate` tool will be used to update DNS RRs as necessary.
+# nsupdate_tsig
+#   Same as ``nsupdate``, but a ``TSIG`` or ``SIG(0)`` key will be used to
+#   authenticate the update requests.
+# nsupdate_gsstsig
+#   Same as ``nsupdate``, but ``GSS-TSIG`` (Kerberos credentials) will be
+#   used to authenticate the update requests.
+#
+# Note that the various ``nsupdate`` methods most likely require some manual
+# configuration of the DNS server to trust this host to make the required
+# updates and/or to create suitable key material/keytabs on the Ansible
+# controller. See :ref:`rspamd__ref_configuration` for more details.
+rspamd__dkim_update_method: 'email'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_default_configuration [[[
+#
+# The default configuration for the ``rspamd-dkim-update`` script.
+rspamd__dkim_update_default_configuration:
+  - name: 'method'
+    value: '{{ rspamd__dkim_update_method }}'
+
+  - name: 'log_file'
+    value: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
+
+  - name: 'email_to'
+    value: '{{ ansible_local.core.admin_public_email[0]
+               | d("root@" + ansible_domain) }}'
+
+  - name: 'email_from'
+    value: '{{ "noreply@" + ansible_domain }}'
+
+  - name: 'email_host'
+    value: 'localhost'
+
+  - name: 'email_port'
+    value: 25
+
+  - name: 'email_subject'
+    value: 'Rspamd DKIM DNS updates'
+
+  - name: 'nsupdate_keyfile'
+    value: '{{ "" if rspamd__dkim_update_method in ["email", "nsupdate"]
+               else "/etc/rspamd/dkim_dns_key" }}'
+
+  - name: 'nsupdate_gsstsig_princ'
+    value: '{{ "" if rspamd__dkim_update_method != "nsupdate_gsstsig"
+               else "rspamd@" + ansible_domain | upper }}'
+
+  - name: 'nsupdate_ttl'
+    value: 3600
+
+  - name: 'nsupdate_server'
+    value: '{{ ansible_dns.nameservers[0] | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for all hosts in the
+# Ansible inventory.
+rspamd__dkim_update_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_group_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for all hosts in a
+# specific Ansible inventory group.
+rspamd__dkim_update_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_host_configuration [[[
+#
+# The :command:`rspamd` configuration options defined for a specific host
+# in the Ansible inventory.
+rspamd__dkim_update_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__dkim_update_combined_configuration [[[
+#
+# This variable combines other :command:`rspamd` configuration options and
+# is used by the role template to generate the configuration snippets in
+# :file:`/etc/rspamd/local.d`.
+rspamd__dkim_update_combined_configuration: '{{
+  rspamd__dkim_update_default_configuration
+   + rspamd__dkim_update_configuration
+   + rspamd__dkim_update_group_configuration
+   + rspamd__dkim_update_host_configuration }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Redis configuration [[[
+# -----------------------
+
+# .. envvar:: rspamd__redis_host [[[
+#
+# The hostname of the Redis server.
+rspamd__redis_host: '{{ ansible_local.redis_server.host | d("127.0.0.1") }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__redis_port [[[
+#
+# The port which the Redis server is listening to.
+rspamd__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__redis_password [[[
+#
+# The Redis authentication password.
+rspamd__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__redis_db [[[
+#
+# The Redis db to use.
+rspamd__redis_db: '0'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Service configuration [[[
+# -------------------------
+
+# These variables define the contents of the :file:`/etc/rspamd/local.d` and
+# :file:`/etc/rspamd/override.d` configuration directories.  See
+# :ref:`rspamd__ref_configuration` and the `Rspamd configuration documentation
+# <https://rspamd.com/doc/configuration/>`_
+# for further details.
+
+# .. envvar:: rspamd__default_local_configuration [[[
+#
+# The default :command:`rspamd` :file:`local.d` configuration.
+rspamd__default_local_configuration:
+
+  - file: 'worker-proxy.inc'
+    comment: |
+      Proxy worker configuration
+      https://rspamd.com/doc/workers/rspamd_proxy.html
+    options:
+
+      - name: 'bind_socket'
+        value: 'localhost:11332'
+
+      - name: 'milter'
+        value: True
+
+      - name: 'timeout'
+        value: 120
+
+      - name: 'upstream "local"'
+        options:
+
+          - name: 'default'
+            value: True
+
+          - name: 'self_scan'
+            value: True
+
+  - file: 'worker-controller.inc'
+    comment: |
+      Controller worker configuration
+      https://rspamd.com/doc/workers/controller.html
+    options:
+
+      - name: 'password'
+        value: '{{ rspamd__controller_password_hash }}'
+
+  - file: 'redis.conf'
+    comment: |
+      Redis configuration
+      https://rspamd.com/doc/configuration/redis.html
+    options:
+
+      - name: 'servers'
+        value: '{{ rspamd__redis_host }}:{{ rspamd__redis_port }}'
+
+      - name: 'db'
+        value: '{{ rspamd__redis_db }}'
+
+      - name: 'password'
+        value: '{{ rspamd__redis_password }}'
+
+  - file: 'milter_headers.conf'
+    comment: |
+      Milter headers configuration
+      https://rspamd.com/doc/modules/milter_headers.html
+    options:
+
+      - name: 'use'
+        value: [ 'x-spamd-bar', 'x-spam-level', 'authentication-results' ]
+
+      - name: 'authenticated_headers'
+        value: [ 'authentication-results' ]
+
+  - file: 'dkim_signing.conf'
+    comment: |
+      DKIM signing configuration
+      https://rspamd.com/doc/modules/dkim_signing.html
+    state: '{{ "present" if rspamd__dkim_enabled | d(False) else "absent" }}'
+    options:
+
+      - name: 'allow_username_mismatch'
+        value: True
+
+      - name: 'include_dkim_keys'
+        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
+
+  - file: 'arc.conf'
+    comment: |
+      ARC signature check configuration
+      https://rspamd.com/doc/modules/arc.html
+    state: '{{ "present" if rspamd__dkim_enabled | d(False) else "absent" }}'
+    options:
+
+      - name: 'allow_username_mismatch'
+        value: True
+
+      - name: 'include_dkim_keys'
+        raw: '.include(try=true,priority=1,duplicate=merge) "/var/lib/rspamd/dkim/dkim-active.conf"'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__local_configuration [[[
+#
+# The default :command:`rspamd` :file:`local.d` configuration defined for all
+# hosts in the Ansible inventory.
+rspamd__local_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__group_local_configuration [[[
+#
+# The default :command:`rspamd` :file:`local.d` configuration defined for all
+# hosts in a specific Ansible inventory group.
+rspamd__group_local_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__host_local_configuration [[[
+#
+# The default :command:`rspamd` :file:`local.d` configuration defined for a
+# specific host in the Ansible inventory.
+rspamd__host_local_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__combined_local_configuration [[[
+#
+# This variable combines other :command:`rspamd` configuration options and
+# is used by the role template to generate the configuration snippets in
+# :file:`/etc/rspamd/local.d`.
+rspamd__combined_local_configuration: '{{ rspamd__default_local_configuration
+                                           + rspamd__local_configuration
+                                           + rspamd__group_local_configuration
+                                           + rspamd__host_local_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__default_override_configuration [[[
+#
+# The default :command:`rspamd` :file:`override.d` configuration.
+rspamd__default_override_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__override_configuration [[[
+#
+# The default :command:`rspamd` :file:`override.d` configuration defined for
+# all hosts in the Ansible inventory.
+rspamd__override_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__group_override_configuration [[[
+#
+# The default :command:`rspamd` :file:`override.d` configuration defined for
+# all hosts in a specific Ansible inventory group.
+rspamd__group_override_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__host_override_configuration [[[
+#
+# The default :command:`rspamd` :file:`override.d` configuration defined for a
+# specific host in the Ansible inventory.
+rspamd__host_override_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__combined_override_configuration [[[
+#
+# This variable combines other :command:`rspamd` configuration options and
+# is used by the role template to generate the configuration snippets in
+# :file:`/etc/rspamd/override.d`.
+rspamd__combined_override_configuration: '{{ rspamd__default_override_configuration
+                                              + rspamd__override_configuration
+                                              + rspamd__group_override_configuration
+                                              + rspamd__host_override_configuration }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__controller_password [[[
+#
+# This variable controls the password necessary to access e.g. the web-based
+# user interface of :command:`rspamd`. Note that the WebUI is only accessible
+# via ``http://localhost:11334/``, so for remote access, a :command:`ssh`
+# tunnel or `local proxy server`__ is necessary. The latter can be configured
+# automatically by this role (see :envvar:`rspamd__nginx_enabled` below).
+#
+# .. __: https://rspamd.com/doc/faq.html#how-to-use-the-webui-behind-a-proxy-server
+rspamd__controller_password: '{{ lookup("password",
+                                        secret
+                                         + "/credentials/"
+                                         + inventory_hostname
+                                         + "/rspamd/controller_password"
+                                         + " chars=ascii_letters,digits"
+                                         + " length=32") }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__controller_password_salt [[[
+#
+# The salt used to hash the :envvar:`rspamd__controller_password`.
+# The default might look complicated, but it's a workaround for
+# `Ansible issue #36129`__.
+#
+# .. __: https://github.com/ansible/ansible/issues/36129
+rspamd__controller_password_salt: '{{ (lookup("password",
+                                              secret
+                                               + "/credentials/"
+                                               + inventory_hostname
+                                               + "/rspamd/salt"
+                                               + " chars=ascii_letters,digits"
+                                               + " length=21"))[:21]
+                                      + ("Oeu"
+                                          | shuffle(seed=inventory_hostname)
+                                          | join)[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__controller_password_hash [[[
+#
+# The hashed version of :envvar:`rspamd__controller_password`. If you want to
+# set a password manually, you probably want to change that variable instead.
+rspamd__controller_password_hash: '{{ rspamd__controller_password
+                                      | password_hash("bcrypt",
+                                                      salt=rspamd__controller_password_salt) }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__nginx_enabled [[[
+#
+# If enabled, :command:`nginx` will be setup to provide remote access to
+# the WebUI of :command:`rspamd`.
+rspamd__nginx_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: rspamd__nginx_fqdns [[[
+#
+# List of FQDNs which :command:`nginx` should use to make the WebUI available.
+rspamd__nginx_fqdns:
+  - 'rspamd.{{ ansible_domain }}'
+  - '{{ ansible_hostname }}-rspamd.{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__nginx_access_policy [[[
+#
+# The nginx access policy, by default none.
+rspamd__nginx_access_policy: ''
+
+                                                                   # ]]]
+# .. envvar:: rspamd__proxy_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to
+# :command:`rspamd`'s ``proxy`` worker remotely. If the list is empty, remote
+# connections are denied. Note that this only influences the firewall settings,
+# further configuration is still necessary to make :command:`rspamd` actually
+# listen for remote connections (see the ``bind_socket`` and ``secure_ip``
+# options in the `workers documentation`__).
+#
+# .. __: https://rspamd.com/doc/workers/
+rspamd__proxy_allow: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__normal_allow [[[
+#
+# Same as :envvar:`rspamd__proxy_allow`, but for the ``normal`` worker.
+rspamd__normal_allow: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__controller_allow [[[
+#
+# Same as :envvar:`rspamd__proxy_allow`, but for the ``controller`` worker.
+rspamd__controller_allow: []
+
+                                                                   # ]]]
+# .. envvar:: rspamd__fuzzy_allow [[[
+#
+# Same as :envvar:`rspamd__proxy_allow`, but for the ``fuzzy`` worker.
+rspamd__fuzzy_allow: []
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: rspamd__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` role.
+rspamd__logrotate__dependent_config:
+
+  - filename: 'rspamd-dkim'
+    logs: '{{ rspamd__dkim_log_dir + "/rspamd-dkim-update.log" }}'
+    options: |
+      notifempty
+      missingok
+      yearly
+      maxsize 16M
+      rotate 10
+      compress
+    comment: 'Rspamd DKIM key rotation logs'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` role.
+rspamd__etc_services__dependent_list:
+
+  - name: 'rspamd-proxy'
+    port: '11332'
+    protocols: [ 'tcp' ]
+    comment: 'Added by debops.rspamd Ansible role.'
+
+  - name: 'rspamd-normal'
+    port: '11333'
+    protocols: [ 'tcp' ]
+    comment: 'Added by debops.rspamd Ansible role.'
+
+  - name: 'rspamd-controller'
+    port: '11334'
+    protocols: [ 'tcp' ]
+    comment: 'Added by debops.rspamd Ansible role.'
+
+  - name: 'rspamd-fuzzy'
+    port: '11335'
+    protocols: [ 'udp' ]
+    comment: 'Added by debops.rspamd Ansible role.'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__nginx__dependent_servers [[[
+#
+# Configuration for the :ref:`debops.nginx` role.
+rspamd__nginx__dependent_servers:
+
+  - name: '{{ rspamd__nginx_fqdns }}'
+    filename: 'debops.rspamd'
+    by_role: 'debops.rspamd'
+    access_policy: '{{ rspamd__nginx_access_policy }}'
+    webroot_create: False
+    type: 'proxy'
+    proxy_pass: 'http://localhost:11334'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` role.
+rspamd__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'rspamd-proxy' ]
+    protocol: [ 'tcp' ]
+    saddr: '{{ rspamd__proxy_allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'rspamd'
+
+  - type: 'accept'
+    dport: [ 'rspamd-normal' ]
+    protocol: [ 'tcp' ]
+    saddr: '{{ rspamd__normal_allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'rspamd'
+
+  - type: 'accept'
+    dport: [ 'rspamd-controller' ]
+    protocol: [ 'tcp' ]
+    saddr: '{{ rspamd__controller_allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'rspamd'
+
+  - type: 'accept'
+    dport: [ 'rspamd-fuzzy' ]
+    protocol: [ 'udp' ]
+    saddr: '{{ rspamd__fuzzy_allow }}'
+    accept_any: False
+    weight: '50'
+    role: 'rspamd'
+
+                                                                   # ]]]
+# .. envvar:: rspamd__postfix__dependent_maincf [[[
+#
+# The :file:`main.cf` configuration for the :ref:`debops.postfix` role.
+rspamd__postfix__dependent_maincf:
+
+  - name: 'smtpd_milters'
+    comment: 'Added by the rspamd role'
+    value:
+      - name: 'inet:localhost:11332'
+        weight: -400
+    state: 'present'
+
+  - name: 'non_smtpd_milters'
+    comment: 'Added by the rspamd role'
+    value:
+      - name: 'inet:localhost:11332'
+        weight: -400
+    state: 'present'
+
+  - name: 'milter_mail_macros'
+    comment: 'Added by the rspamd role'
+    value: '{{ "i {auth_type} {auth_authen} {auth_author} "
+               + "{client_addr} {client_name} {mail_addr} "
+               + "{mail_host} {mail_mailer}" }}'
+    state: 'present'
+
+  - name: 'milter_default_action'
+    comment: 'Added by the rspamd role'
+    value: 'accept'
+    state: 'comment'
+
+  - name: 'milter_protocol'
+    comment: 'Added by the rspamd role'
+    value: 6
+    state: 'comment'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-keygen b/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-keygen
new file mode 100755
index 00000000..57d940e5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-keygen
@@ -0,0 +1,740 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR Apache-2.0
+
+"""Rspamd DKIM key generation/rollover script
+
+This script is meant to be executed on a monthly basis (e.g. via cron
+or systemd) and will automatically manage DKIM key rollover.
+
+Keys go through four states:
+* future  - a key which is created in advance of being used and which
+            should be published in the DNS zone ASAP
+* current - key which is actively being used to sign emails
+* expired - key which is no longer used to sign emails but the DNS
+            entry is still kept in order to make sure that queued
+            and in-flight emails will still have a valid signature
+* dead    - key which can (hopefully) be safely removed from the file
+            system and from the DNS zone after enough time has passed
+            that no signed emails are in flight anymore
+
+These states correspond to the published/active/inactive/removed states
+known from DNSSEC key rollover.
+
+The default settings can be overridden by creating a JSON snippet in
+/etc/rspamd/dkim-keygen.json (the path can be overridden with the
+-c/--config parameter, use -C/--create-config to print a config
+template).
+
+At least "domains" and "key_types" need to be set using the config file.
+If "update_script" is set, it will be called for each key which is created
+or deleted, with the following arguments:
+    <add/del> <domain> <selector> <dns_entry_file_path>
+"""
+
+from __future__ import (print_function, division)
+import os
+import sys
+import json
+import time
+import logging
+import tempfile
+import argparse
+import subprocess
+import shutil
+
+__license__ = 'GPL-2.0 OR Apache-2.0'
+__author__ = 'David Härdeman <david@hardeman.nu>'
+__version__ = '1.0.1'
+
+LOG = logging.getLogger(__name__)
+
+
+class Key:
+    """Keeps track of a real or virtual key
+
+    Attributes:
+        dryrun             whether to change any files
+        current_month      as the number of months since year 0
+        key_archive        directory to move expired keys to
+        update_script      script to execute upon key creation/removal
+        update_script_args list of arguments to pass to the update_script
+        future_period      time between key creation and activation (months)
+        active_period      key active time (months)
+        expired_period     time between key inactivation and deletion (months)
+    """
+    dryrun = False
+    current_month = 0
+    key_archive = None
+    update_script = None
+    update_script_args = []
+    future_period = 1
+    active_period = 3
+    expired_period = 1
+
+    def __init__(self):
+        self.state = "init"
+        self.key_path = ""
+        self.txt_path = ""
+        self.valid_from = 0
+        self.age = 0
+        self.type = ""
+        self.domain = ""
+        self.selector = ""
+        self.error = ""
+
+    def validate_filename(self, path, selector):
+        """Validate the filename of a key
+
+        The expected path is e.g. /some/path/YYYYMM_keytype_domain.key
+        with the DNS record in /some/path/YYYYMM_keytype_domain.txt
+        """
+
+        abspath = os.path.abspath(path)
+        if not abspath.endswith(".key"):
+            raise ValueError("key name suffix invalid")
+        abspath_wo_suffix = abspath[:-len(".key")]
+        basename = os.path.basename(abspath_wo_suffix)
+
+        parts = basename.split("_")
+        if len(parts) != 3:
+            raise ValueError("key name missing components")
+
+        self.key_path = abspath
+        self.txt_path = abspath_wo_suffix + ".txt"
+        self.type = parts[1]
+        self.domain = parts[2]
+        self.selector = selector or ("{}-{}".format(parts[0].strip(), self.type))
+
+        date = parts[0].strip()
+        if len(date) != 6:
+            raise ValueError("key validity incorrect size")
+        try:
+            year = int(date[0:4])
+            month = int(date[4:6])
+        except ValueError:
+            raise ValueError("key validity not numeric") from None
+        self.valid_from = year * 12 + month
+        self.age = self.current_month - self.valid_from
+
+        if self.type not in KeyType.key_types:
+            raise ValueError("key type unknown")
+
+    def read(self, path, selector=None, skip_exist_check=False):
+        """Read a DKIM key"""
+
+        self.error = ""
+        try:
+            self.validate_filename(path, selector)
+        except Exception as err:
+            self.state = "invalid"
+            self.error = str(err)
+            LOG.debug("Key {}, invalid filename: {}".format(path, self.error))
+            return False
+
+        if not skip_exist_check:
+            try:
+                with open(self.key_path, "r"):
+                    pass
+            except Exception as err:
+                self.state = "invalid"
+                self.error = "can't open key file"
+                LOG.debug("Key {}, {}: {}".format(self.key_path, self.error, err))
+                return False
+
+            try:
+                with open(self.txt_path, "r"):
+                    pass
+            except Exception as err:
+                self.state = "invalid"
+                self.error = "can't open txt file"
+                LOG.debug("Key {}, {}: {}".format(self.txt_path, self.error, err))
+                return False
+
+        if self.age >= self.active_period + self.expired_period:
+            self.state = "dead"
+        elif self.age >= self.active_period:
+            self.state = "expired"
+        elif self.age >= 0:
+            self.state = "active"
+        else:
+            self.state = "future"
+        LOG.debug("Key {} loaded, state {}".format(path, self.state))
+        LOG.debug(vars(self))
+        return True
+
+    def create(self, domain, key_type, offset):
+        """Create a DKIM key"""
+
+        valid_from = self.current_month + offset
+        datestr = "{:04d}{:02d}".format(valid_from // 12, valid_from % 12)
+        selector = "{}-{}".format(datestr, key_type.type)
+        self.key_path = os.path.abspath("{}_{}_{}.key".format(
+            datestr, key_type.type, domain))
+        self.txt_path = os.path.abspath("{}_{}_{}.txt".format(
+            datestr, key_type.type, domain))
+
+        LOG.debug("Asked to create key {}".format(self.key_path))
+        if self.read(self.key_path, selector):
+            return
+
+        if not self.dryrun:
+            try:
+                os.unlink(self.key_path)
+            except Exception:
+                pass
+
+            try:
+                os.unlink(self.txt_path)
+            except Exception:
+                pass
+
+        if self.dryrun:
+            LOG.info("Would have created key {}".format(self.key_path))
+        else:
+            key_type.create(domain, selector, self.key_path, self.txt_path)
+            LOG.info("Created key {}".format(self.key_path))
+
+        self.read(self.key_path, selector, skip_exist_check=self.dryrun)
+        if self.state == "invalid":
+            die("Created key is invalid!?")
+
+        self.__class__.update_script_args += \
+            ["add", self.domain, self.selector, self.txt_path]
+
+    def delete(self):
+        """Delete/archive a key from the file system"""
+
+        self.__class__.update_script_args += \
+            ["del", self.domain, self.selector, self.txt_path]
+
+        for path in self.key_path, self.txt_path:
+            if not os.path.exists(path):
+                continue
+
+            if self.dryrun:
+                if self.key_archive:
+                    LOG.info("Would have archived {}".format(path))
+                else:
+                    LOG.info("Would have unlinked {}".format(path))
+                continue
+
+            try:
+                if self.key_archive:
+                    LOG.info("Archiving {}".format(path))
+                    os.rename(path, os.path.join(self.key_archive,
+                                                 os.path.basename(path)))
+                else:
+                    LOG.info("Unlinking {}".format(path))
+                    os.unlink(path)
+            except Exception:
+                pass
+
+    @classmethod
+    def pending_changes(cls):
+        return len(cls.update_script_args) > 0
+
+    @classmethod
+    def run_update_script(cls):
+        """Run the update_script if configured and if there are any changes"""
+        if cls.update_script and cls.update_script_args:
+            args = [cls.update_script] + cls.update_script_args
+
+            if cls.dryrun:
+                LOG.debug("Would have called key script {}".format(args))
+            else:
+                try:
+                    LOG.debug("Calling key script {}".format(args))
+                    subprocess.call(args)
+                except Exception as err:
+                    LOG.error("Calling key script failed: {}".format(err))
+
+        cls.update_script_args = []
+
+
+class KeyType:
+    """Keeps track of configured key types and associated attributes
+
+    Attributes:
+        instances       list of created instances
+        key_types       list of known key types
+    """
+    instances = []
+    key_types = []
+
+    def __init__(self, key_type_dict):
+        """Create a new key type from a dict object"""
+
+        key_type_name = key_type_dict.get("type")
+        if key_type_name is None:
+            raise ValueError("Key type definition missing key type")
+        elif key_type_name in self.__class__.key_types:
+            raise ValueError("Key type {} defined twice".format(type))
+
+        self.type = key_type_name
+        extra_args = key_type_dict.get("extra_args")
+        if extra_args is not None:
+            self.extra_args = extra_args
+
+        self.__class__.key_types.append(key_type_name)
+        self.__class__.instances.append(self)
+
+    def create(self, domain, selector, key_path, txt_path):
+        """Create a key of the given type"""
+
+        args = ["rspamadm", "dkim_keygen",
+                "--type", self.type,
+                "--domain", domain,
+                "--selector", selector,
+                "--privkey", key_path]
+
+        if hasattr(self, "extra_args"):
+            args.extend(self.extra_args)
+
+        LOG.debug("Key creation command: {}".format(args))
+
+        with open(txt_path, "w") as tout:
+            with subprocess.Popen(args, text=True, stdout=tout,
+                                  stderr=subprocess.PIPE) as process:
+                stdout, stderr = process.communicate()
+                if process.returncode != 0:
+                    LOG.debug("Key creation rc: {}".format(process.returncode))
+                    LOG.debug("Key creation stdout: {}".format(stdout))
+                    LOG.debug("Key creation stderr: {}".format(stderr))
+                    die("Key creation failed ({})".format(stderr))
+
+
+class KeyConfig:
+    """Keeps track of a set of configured keys
+
+    Attributes:
+        dryrun      whether to change any files
+    """
+    dryrun = False
+
+    def __init__(self, path, state):
+        self.keys = {}
+        self.raw_json = None
+        self.path = os.path.abspath(path)
+        self.state = state
+
+    def remove_invalid(self):
+        """Remove and return all keys unsuited for this config"""
+
+        invalid = []
+        for domain, domain_keys in self.keys.items():
+            valid = []
+            for key in domain_keys:
+                if key.state == self.state:
+                    valid.append(key)
+                else:
+                    invalid.append(key)
+            self.keys[domain] = valid
+
+        return invalid
+
+    def get(self, domain, key_type, state, remove=False):
+        """Get and optionally remove a key from this config"""
+
+        if domain in self.keys:
+            for i, key in enumerate(self.keys[domain]):
+                if key.type != key_type.type:
+                    continue
+                if key.error:
+                    continue
+                if key.state != state:
+                    continue
+                if remove:
+                    LOG.debug("Removing key {} from {} config".format(
+                        key.key_path, self.state))
+                    del self.keys[domain][i]
+                return key
+
+        return None
+
+    def add(self, key):
+        """Adds a key to this config"""
+
+        if key.domain not in self.keys:
+            self.keys[key.domain] = []
+        LOG.debug("Adding key {} to {} config".format(key.key_path, self.state))
+        self.keys[key.domain].append(key)
+
+    def read(self):
+        """ Read configuration file"""
+        try:
+            with open(self.path, "r") as f:
+                self.raw_json = f.read()
+                cfg = json.loads("{" + self.raw_json + "}").get("domain", {})
+                LOG.debug("Processing file {}".format(self.path))
+        except FileNotFoundError:
+            LOG.debug("File {} not found".format(self.path))
+            return
+        except json.decoder.JSONDecodeError as err:
+            LOG.error("Failed to parse {}: {}".format(self.path, str(e)))
+            return
+        except Exception as err:
+            die("Error reading {}: {}".format(self.path, err))
+
+        for domain in cfg:
+            LOG.debug("Configured domain {}".format(domain))
+
+            if "selectors" not in cfg[domain]:
+                LOG.debug("File {} contains no selectors".format(self.path))
+                continue
+
+            for item in cfg[domain]["selectors"]:
+                if "path" not in item:
+                    LOG.error("Key entry in {} missing a selector".format(self.path))
+                    continue
+
+                LOG.debug("Configured key {}, selector {}".format(
+                    item["path"], item.get("selector", "<unknown>")))
+                key = Key()
+                key.read(item["path"], item.get("selector"))
+                self.add(key)
+
+        LOG.debug("Done processing file {}".format(self.path))
+
+    def to_json(self, include_invalid):
+        """Converts the current configuration to a JSON fragment
+
+        Note that the fragment is suitable for inclusion in other
+        JSON files (i.e. in the Rspamd configuration files),
+        which is why the opening/closing curly braces are removed.
+        """
+        json_dict = {"domain": {}}
+        for domain, domain_keys in self.keys.items():
+            key_list = []
+
+            for key in domain_keys:
+                if include_invalid or key.state == self.state:
+                    key_list.append({"path": key.key_path,
+                                     "selector": key.selector})
+
+            if key_list:
+                json_dict["domain"][domain] = {"selectors": key_list}
+
+        json_lines = []
+        raw_json = json.dumps(json_dict, sort_keys=True, indent=4)
+        for line in raw_json.split("\n")[1:-1]:
+            # Python 2 and 3 differ in the trailing whitespace
+            json_lines.append(line[4:].rstrip())
+        return "\n".join(json_lines)
+
+    def dump(self, reason):
+        """Prints the current configuration as a JSON fragment"""
+        json = self.to_json(True)
+        LOG.debug("Dumping {} {} config".format(reason, self.state))
+        LOG.debug(json)
+
+    def write(self):
+        """Writes out the current configuration as a JSON fragment"""
+        json = self.to_json(False)
+
+        if json == self.raw_json:
+            LOG.info("Not updating {}, no changes".format(self.path))
+            return
+
+        self.raw_json = json
+        if self.dryrun:
+            LOG.info("Would have written {}".format(self.path))
+            return
+
+        LOG.info("Writing {}".format(self.path))
+        wd = os.path.dirname(self.path)
+        with tempfile.NamedTemporaryFile(mode="w", dir=wd, delete=False) as f:
+            f.write(self.raw_json)
+            f.close()
+            os.rename(f.name, self.path)
+            os.chmod(self.path, 0o640)
+
+
+def die(msg):
+    LOG.error(msg)
+    sys.exit(1)
+
+
+def get_args_parser():
+    args_parser = argparse.ArgumentParser(
+        prog='rspamd-dkim-keygen',
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=__doc__,
+        description="Generate and rollover DKIM keys.",
+    )
+    args_parser.add_argument(
+        '-V', '--version',
+        action='version',
+        version=__version__,
+    )
+    args_parser.add_argument(
+        '-d', '--debug',
+        help="Enable debug output",
+        action='store_const',
+        dest='loglevel',
+        const=logging.DEBUG,
+    )
+    args_parser.add_argument(
+        '-v', '--verbose',
+        help="Enable verbose output",
+        action="store_const",
+        dest="loglevel",
+        const=logging.INFO,
+    )
+    args_parser.add_argument(
+        '-c', '--config',
+        help="Configuration file path",
+        default="/etc/rspamd/dkim-keygen.json",
+        dest="config_path",
+    )
+    args_parser.add_argument(
+        '-C', '--print-config',
+        help="Print a configuration file example",
+        action="store_true",
+        default=False,
+        dest="print_config",
+    )
+    args_parser.add_argument(
+        '-m', '--month',
+        help="Set current month (for testing)",
+        type=int,
+        default=0,
+        dest="month",
+    )
+    args_parser.add_argument(
+        "--dry-run",
+        help="don't change any files",
+        action="store_true",
+        default=False,
+        dest="dryrun",
+    )
+
+    return args_parser
+
+
+def get_default_config():
+    return {
+        "key_directory": "/var/lib/rspamd/dkim",
+        "key_archive": Key.key_archive,
+        "update_script": Key.update_script,
+        "active_config": "dkim-active.conf",
+        "future_config": "dkim-future.conf",
+        "expired_config": "dkim-expired.conf",
+        "future_period": Key.future_period,
+        "active_period": Key.active_period,
+        "expired_period": Key.expired_period,
+        "domains": [],
+        "key_types": [vars(x) for x in KeyType.instances],
+    }
+
+
+def print_example_config():
+    KeyType({"type": "ed25519"})
+    KeyType({"type": "rsa", "extra_args": ["--bits", "2048"]})
+
+    config = get_default_config()
+
+    config["key_archive"] = "/var/lib/rspamd/dkim_archive"
+    config["update_script"] = "/usr/local/sbin/rspamd-dkim-update"
+    config["domains"] = ["example.com"]
+
+    print(json.dumps(config, sort_keys=False, indent=4))
+    sys.exit(0)
+
+
+def read_config_file(path):
+    config = get_default_config()
+
+    try:
+        with open(path, "r") as f:
+            data = f.read()
+    except Exception as err:
+        LOG.info("Can't open cfg file {}: {}".format(path, str(err)))
+        data = None
+
+    if data is not None:
+        try:
+            j = json.loads(data)
+            config.update(j)
+        except Exception as err:
+            die("Unable to parse cfg file {}: {}".format(path, str(err)))
+
+    if not config["key_directory"]:
+        die("Key directory not configured")
+
+    if not os.path.isdir(config["key_directory"]):
+        die("Key directory \"{}\" not found".format(config["key_directory"]))
+
+    try:
+        os.chdir(config["key_directory"])
+    except Exception as err:
+        die("Failed to chdir to key directory: {}".format(err))
+
+    if config["key_archive"] and not os.path.isdir(config["key_archive"]):
+        die("Key archive \"{}\" not found".format(config["key_archive"]))
+    else:
+        Key.key_archive = config["key_archive"]
+
+    if config["update_script"] and not os.access(config["update_script"], os.X_OK):
+        die("Update script \"{}\" not found".format(config["update_script"]))
+    else:
+        Key.update_script = config["update_script"]
+
+    if not isinstance(config["domains"], list) or len(config["domains"]) < 1:
+        die("No domains configured")
+
+    if isinstance(config["key_types"], list) and len(config["key_types"]) > 0:
+        for key_type in config["key_types"]:
+            try:
+                KeyType(key_type)
+            except Exception as err:
+                die("Invalid key type definition: {}".format(err))
+    else:
+        die("No key types configured")
+
+    if isinstance(config["future_period"], int) and config["future_period"] > 0:
+        Key.future_period = config["future_period"]
+    else:
+        die("Invalid future_period")
+
+    if isinstance(config["active_period"], int) and config["active_period"] > 0:
+        Key.active_period = config["active_period"]
+    else:
+        die("Invalid active_period")
+
+    if isinstance(config["expired_period"], int) and config["expired_period"] > 0:
+        Key.expired_period = config["expired_period"]
+    else:
+        die("Invalid expired_period")
+
+    return config
+
+
+def main():
+    os.umask(0o027)
+    args_parser = get_args_parser()
+    args_parser.set_defaults(loglevel=logging.WARN)
+    args = args_parser.parse_args()
+
+    logging.basicConfig(
+        format='%(levelname)s{}, %(asctime)s: %(message)s'.format(
+            ' (%(filename)s:%(lineno)s)'
+            if args.loglevel <= logging.DEBUG else '',
+        ),
+        level=args.loglevel,
+    )
+
+    if args.print_config:
+        print_example_config()
+
+    if shutil.which("rspamadm") is None:
+        die("rspamadm executable not found")
+
+    if args.month == 0:
+        current_time = time.localtime()
+        args.month = current_time.tm_year * 12 + current_time.tm_mon
+    Key.current_month = args.month
+
+    Key.dryrun = args.dryrun
+    KeyConfig.dryrun = args.dryrun
+
+    config = read_config_file(args.config_path)
+
+    LOG.debug("Current month: {}".format(Key.current_month))
+
+    active_keys = KeyConfig(config["active_config"], "active")
+    active_keys.read()
+    active_keys.dump("old")
+
+    future_keys = KeyConfig(config["future_config"], "future")
+    future_keys.read()
+    future_keys.dump("old")
+
+    expired_keys = KeyConfig(config["expired_config"], "expired")
+    expired_keys.read()
+    expired_keys.dump("old")
+
+    LOG.debug("Handling active and future keys")
+    for domain in config["domains"]:
+        for key_type in KeyType.instances:
+
+            # First, check for an already valid & configured key
+            active_key = active_keys.get(domain, key_type, "active")
+            if active_key:
+                LOG.info("Using existing key {}".format(active_key.key_path))
+
+            # Second, see if there's a future key which has become active
+            if active_key is None:
+                active_key = future_keys.get(domain, key_type, "active", remove=True)
+                if active_key:
+                    LOG.info("Using future key {}".format(active_key.key_path))
+                    active_keys.add(active_key)
+
+            # Third, since expired keys should still have valid DNS records,
+            # keep using an expired key while waiting for a future key to become
+            # active.
+            if active_key is None:
+                active_key = active_keys.get(domain, key_type, "expired")
+                if active_key:
+                    LOG.info("Using expired key {}".format(active_key.key_path))
+                    active_key.state = "active"
+
+            # As a fallback, create a brand new key
+            if active_key is None:
+                try:
+                    active_key = Key()
+                    active_key.create(domain, key_type, 0)
+                except Exception as err:
+                    die("Can't create active key for domain {}: {}".format(
+                        domain, err))
+
+                LOG.info("Using created key {}".format(active_key.key_path))
+                active_keys.add(active_key)
+
+            # Finally, make sure we have a future key if expiry is approaching
+            if Key.active_period - active_key.age <= Key.future_period:
+                future_key = future_keys.get(domain, key_type, "future")
+                if future_key is None:
+                    try:
+                        future_key = Key()
+                        future_key.create(domain, key_type, Key.future_period)
+                    except Exception as err:
+                        die("Can't create future key for domain {}: {}".format(
+                            domain, err))
+
+                    LOG.info("Created future key {}".format(future_key.key_path))
+                    future_keys.add(future_key)
+
+    LOG.debug("Handling expired/invalid keys")
+    invalid_keys = []
+    for key in active_keys.remove_invalid() + future_keys.remove_invalid():
+        if key.state == "expired":
+            LOG.info("Key {} expired".format(key.key_path))
+            expired_keys.add(key)
+        else:
+            invalid_keys.append(key)
+
+    LOG.debug("Handling dead/invalid keys")
+    dead_keys = invalid_keys + expired_keys.remove_invalid()
+    for key in dead_keys:
+        LOG.info("Key {} invalid/dead".format(key.key_path))
+        key.delete()
+
+    LOG.debug("Writing updated configuration files")
+    active_keys.write()
+    future_keys.write()
+    expired_keys.write()
+
+    active_keys.dump("new")
+    future_keys.dump("new")
+    expired_keys.dump("new")
+
+    if Key.pending_changes():
+        LOG.debug("Changes detected, potentially calling update_script")
+        Key.run_update_script()
+        sys.exit(2)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-update b/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-update
new file mode 100755
index 00000000..0989bc89
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/files/usr/local/sbin/rspamd-dkim-update
@@ -0,0 +1,370 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR Apache-2.0
+
+"""Rspamd DKIM key update/notification script
+
+This script is meant to be called by rspamd-dkim-keygen and will perform
+various actions (log, email the administrator, or attempt an automated
+update using nsupdate) when DNS entries for DKIM keys should be
+added/removed.
+"""
+
+from __future__ import (print_function)
+import os
+import sys
+import json
+import socket
+import logging
+import smtplib
+import argparse
+import datetime
+import subprocess
+import shutil
+
+__license__ = 'GPL-2.0 OR Apache-2.0'
+__author__ = 'David Härdeman <david@hardeman.nu>'
+__version__ = '1.0.1'
+
+LOG = logging.getLogger(__name__)
+
+
+def die(msg):
+    LOG.error(msg)
+    sys.exit(1)
+
+
+def get_args_parser():
+    args_parser = argparse.ArgumentParser(
+        prog='rspamd-dkim-update',
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog=__doc__,
+        description="Update DKIM configuration in DNS.",
+    )
+    args_parser.add_argument(
+        '-V', '--version',
+        action='version',
+        version=__version__,
+    )
+    args_parser.add_argument(
+        '-d', '--debug',
+        help="Enable debug output",
+        action='store_const',
+        dest='loglevel',
+        const=logging.DEBUG,
+    )
+    args_parser.add_argument(
+        '-v', '--verbose',
+        help="Enable verbose output",
+        action="store_const",
+        dest="loglevel",
+        const=logging.INFO,
+    )
+    args_parser.add_argument(
+        '-c', '--config',
+        help="Configuration file path",
+        default="/etc/rspamd/dkim-update.json",
+        dest="config_path",
+    )
+    args_parser.add_argument(
+        '-C', '--print-config',
+        help="Print a configuration file example",
+        action="store_true",
+        default=False,
+        dest="print_config",
+    )
+    args_parser.add_argument(
+        metavar='<"add"/"del"> <domain> <selector> <dns_entry_file_path>',
+        help="4-tuple(s) defining the key which has been added/removed",
+        nargs="*",
+        dest="keys",
+    )
+
+    return args_parser
+
+
+def get_default_config():
+    return {
+        "method": "log/email/nsupdate/nsupdate_tsig/nsupdate_gsstsig",
+        "log_file": "/var/log/rspamd/rspamd-dkim-update.log",
+        "email_to": "root@localhost",
+        "email_from": "noreply@{}".format(socket.getfqdn()),
+        "email_host": "localhost",
+        "email_port": 25,
+        "email_subject": "Rspamd DKIM DNS updates",
+        "nsupdate_keyfile": "/etc/rspamd/dkim_dns_key",
+        "nsupdate_gsstsig_princ": "dnsupdate@EXAMPLE.COM",
+        "nsupdate_ttl": 3600,
+        "nsupdate_server": "dns.example.com",
+    }
+
+
+def print_example_config():
+    config = get_default_config()
+    print(json.dumps(config, sort_keys=False, indent=4))
+    sys.exit(0)
+
+
+def read_config_file(path):
+    config = get_default_config()
+
+    try:
+        with open(path, "r") as f:
+            data = f.read()
+    except Exception as err:
+        LOG.info("Can't open cfg file {}: {}".format(path, str(err)))
+        data = None
+
+    if data is not None:
+        try:
+            j = json.loads(data)
+            config.update(j)
+        except Exception as err:
+            die("Can't parse cfg file {}: {}".format(path, str(err)))
+
+    if not config["method"]:
+        die("Method not configured")
+
+    elif config["method"] == "log":
+        if not config["log_file"]:
+            die("Log file path not configured")
+
+    elif config["method"] == "email":
+        if not config["email_to"]:
+            die("Recipient email address not configured")
+
+        if not config["email_host"]:
+            die("SMTP host not configured")
+
+        if not config["email_port"]:
+            die("SMTP port not configured")
+
+        if not config["email_subject"]:
+            die("Email subject not configured")
+
+    elif config["method"] in ["nsupdate", "nsupdate_tsig", "nsupdate_gsstsig"]:
+        if (config["method"] in ["nsupdate_tsig", "nsupdate_gsstsig"] and
+                not config["nsupdate_keyfile"]):
+            die("nsupdate keyfile not configured")
+
+        if (config["method"] == "nsupdate_gsstsig" and
+                not config["nsupdate_gsstsig_princ"]):
+            die("nsupdate gsstsig principal not configured")
+
+    # Note: invalid methods are caught in main()
+    return config
+
+
+def get_keys(key_list):
+    for i in range(0, len(key_list), 4):
+        action = key_list[i]
+        domain = key_list[i + 1]
+        selector = key_list[i + 2]
+        dns_file = key_list[i + 3]
+        name = "{}._domainkey".format(selector)
+        domain_name = "{}.{}.".format(name, domain)
+        rr = "{} IN TXT".format(domain_name)
+
+        rr_data = ""
+        # The public key files generated by rspamadm have the following format:
+        # <selector>._domainkey IN TXT ( "v=DKIM1; k=<keytype>; "
+        # \t"chunk1"
+        # \t"chunk2"
+        # \t...
+        # \t"chunkN"
+        # ) ;
+        #
+        # The last line can also be:
+        # \t"chunkN" ) ;
+        #
+        if action == "add":
+            try:
+                with open(dns_file, "r") as f:
+                    rr_data = f.read().strip()
+            except Exception as err:
+                die("Can't open file {}: {}".format(dns_file, str(err)))
+
+            parts = rr_data.split(maxsplit=3)
+            if len(parts) != 4:
+                die("Invalid file {}: missing parts".format(dns_file))
+            elif parts[0] != name:
+                die("Invalid file {}: name mismatch".format(dns_file))
+            elif parts[1].upper() != "IN":
+                die("Invalid file {}: IN missing".format(dns_file))
+            elif parts[2].upper() != "TXT":
+                die("Invalid file {}: TXT missing".format(dns_file))
+
+            rr_lines = parts[3].strip("\r\n\t ();").split("\n")
+            # nsupdate wants the data in < 256 byte chunks
+            rr_data = " ".join([line.strip("\r\n\t ") for line in rr_lines])
+
+        elif action == "del":
+            action = "delete"
+
+        else:
+            die("Invalid action specified")
+
+        yield {
+            "action": action,
+            "domain": domain,
+            "selector": selector,
+            "dns_file": dns_file,
+            "name": name,
+            "domain_name": domain_name,
+            "rr": rr,
+            "rr_data": rr_data,
+        }
+
+
+def do_nsupdate(config, keys):
+    # First, prepare the commands and make sure all executables are present
+    if shutil.which("nsupdate") is None:
+        die("nsupdate executable not found")
+
+    pre_cmd = []
+    main_cmd = ["nsupdate"]
+    post_cmd = []
+
+    if config["method"] in ["nsupdate_tsig", "nsupdate_gsstsig"]:
+        if not os.path.isfile(config["nsupdate_keyfile"]):
+            die("keyfile {} missing".format(config["nsupdate_keyfile"]))
+
+    if config["method"] == "nsupdate_tsig":
+        main_cmd += ["-k", config["nsupdate_keyfile"]]
+
+    elif config["method"] == "nsupdate_gsstsig":
+        main_cmd += ["-g"]
+
+        if shutil.which("kinit") is None:
+            die("kinit executable not found")
+        pre_cmd = [
+            "kinit", "-k",
+            "-t", config["nsupdate_keyfile"],
+            "-p", config["nsupdate_gsstsig_princ"]
+        ]
+
+        if shutil.which("kdestroy") is None:
+            die("kdestroy executable not found")
+        post_cmd = ["kdestroy"]
+
+    # Second, prepare the list of nsupdate commands
+    cmds = ""
+
+    if config["nsupdate_server"]:
+        cmds += "server {}\n".format(config["nsupdate_server"])
+
+    if config["nsupdate_ttl"]:
+        cmds += "ttl {}\n".format(config["nsupdate_ttl"])
+
+    for key in keys:
+        cmds += "update {} {} {}\n".format(
+            key["action"].lower(),
+            key["rr"],
+            key["rr_data"])
+
+    cmds += "send\n"
+
+    # Third, launch our commands
+    if pre_cmd:
+        LOG.debug("Calling nsupdate pre cmd: {}".format(pre_cmd))
+        if subprocess.call(pre_cmd) != 0:
+            die("Failed to call {}".format(pre_cmd))
+
+    LOG.debug("Calling {}".format(main_cmd))
+    main_cmd_rc = subprocess.call(main_cmd)
+
+    # Note: we always want to call post_cmd, even if main_cmd failed
+    if post_cmd:
+        LOG.debug("Calling nsupdate post cmd: {}".format(post_cmd))
+        if subprocess.call(post_cmd) != 0:
+            die("Failed to call {}".format(post_cmd))
+
+    if main_cmd_rc != 0:
+        die("Failed to call {}".format(main_cmd))
+
+
+def create_message(config, keys, sep):
+    msg = "{}{}Executed at {}{}".format(
+        sys.argv[0],
+        sep,
+        datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"),
+        sep)
+
+    msg += "The following DKIM key changes need to be made in the DNS" + sep
+    msg += "========================================================="
+
+    for key in keys:
+        msg += "{}{} {} {}{}".format(
+            sep,
+            key["action"].upper(),
+            key["rr"],
+            key["rr_data"],
+            sep)
+
+    msg += "=========================================================" + sep
+    msg += sep
+    msg += sep
+    return msg
+
+
+def do_email(config, keys):
+    msg = "From: {}\r\nTo: {}\r\nSubject: {}\r\n\r\n".format(
+        config["email_from"],
+        config["email_to"],
+        config["email_subject"])
+
+    msg += create_message(config, keys, "\r\n")
+
+    with smtplib.SMTP(host=config["email_host"],
+                      port=config["email_port"]) as smtp:
+        # smtp.set_debuglevel(1)
+        smtp.sendmail(config["email_from"], config["email_to"], msg)
+
+
+def do_log(config, keys):
+    if not config["log_file"]:
+        return
+
+    msg = create_message(config, keys, "\n")
+    with open(config["log_file"], "a") as f:
+        f.write(msg)
+
+
+def main():
+    args_parser = get_args_parser()
+    args_parser.set_defaults(loglevel=logging.WARN)
+    args = args_parser.parse_args()
+
+    logging.basicConfig(
+        format='%(levelname)s{}, %(asctime)s: %(message)s'.format(
+            ' (%(filename)s:%(lineno)s)'
+            if args.loglevel <= logging.DEBUG else '',
+        ),
+        level=args.loglevel,
+    )
+
+    if args.print_config:
+        print_example_config()
+
+    if len(args.keys) < 4:
+        die("At least 4 positional arguments are necessary")
+
+    if len(args.keys) % 4 != 0:
+        die("A multiple of 4 positional arguments are necessary")
+
+    config = read_config_file(args.config_path)
+    keys = list(get_keys(args.keys))
+
+    if config["method"] == "email":
+        do_email(config, keys)
+    elif config["method"] in ["nsupdate", "nsupdate_tsig", "nsupdate_gsstsig"]:
+        do_nsupdate(config, keys)
+    elif config["method"] != "log":
+        die("Invalid method configured")
+
+    do_log(config, keys)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/debops/debops/roles/rspamd/meta/main.yml b/ansible_collections/debops/debops/roles/rspamd/meta/main.yml
new file mode 100644
index 00000000..f1d52e3e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'David Härdeman'
+  description: 'Install and manage Rspamd service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - mail
+    - spam
+    - smtp
+    - antispam
diff --git a/ansible_collections/debops/debops/roles/rspamd/tasks/main.yml b/ansible_collections/debops/debops/roles/rspamd/tasks/main.yml
new file mode 100644
index 00000000..4d37d698
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install rspamd packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (rspamd__base_packages
+                              + rspamd__packages)) }}'
+    state: 'present'
+  register: rspamd__register_packages
+  until: rspamd__register_packages is succeeded
+  tags: [ 'role::rspamd:pkg' ]
+
+- name: Make sure that the Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save rspamd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rspamd.fact.j2'
+    dest: '/etc/ansible/facts.d/rspamd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Create configuration directories and files
+  ansible.builtin.include_tasks: main_cfgdir.yml
+  loop:
+    - { 'path': '/etc/rspamd/local.d',
+        'config': '{{ rspamd__combined_local_configuration
+                       | debops.debops.parse_kv_items(name="file") }}' }
+    - { 'path': '/etc/rspamd/override.d',
+        'config': '{{ rspamd__combined_override_configuration
+                       | debops.debops.parse_kv_items(name="file") }}' }
+  loop_control:
+    loop_var: cfgdir
+    label: '{{ cfgdir.path }}'
+
+- name: Handle DKIM configuration
+  ansible.builtin.include_tasks: main_dkim.yml
+
+- name: Update Ansible facts and restart Rspamd if necessary
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/rspamd/tasks/main_cfgdir.yml b/ansible_collections/debops/debops/roles/rspamd/tasks/main_cfgdir.yml
new file mode 100644
index 00000000..7743eb44
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/tasks/main_cfgdir.yml
@@ -0,0 +1,51 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2020 CipherMail B.V. <https://www.ciphermail.com/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create directory {{ cfgdir.path }}
+  ansible.builtin.file:
+    path: '{{ cfgdir.path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create configuration snippets in {{ cfgdir.path }}
+  ansible.builtin.template:
+    src: 'etc/rspamd/snippet.j2'
+    dest: '{{ cfgdir.path + "/" + item.file }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("_rspamd") }}'
+    mode: '{{ item.mode | d("0640") }}'
+  loop: '{{ cfgdir.config
+             | rejectattr("state", "in", ["absent", "init", "ignore"]) }}'
+  loop_control:
+    label: '{{ item.file }}'
+  notify: [ 'Restart rspamd' ]
+
+- name: Generate a list of created configuration snippets in {{ cfgdir.path }}
+  ansible.builtin.set_fact:
+    rspamd__created_snippets: '{{
+      cfgdir.config
+       | rejectattr("state", "in", ["absent", "init"])
+       | map(attribute="file")
+       | map("regex_replace", "^", cfgdir.path + "/") }}'
+
+- name: Find all configuration snippets in {{ cfgdir.path }}
+  ansible.builtin.find:
+    paths: '{{ cfgdir.path }}'
+    recurse: no
+    file_type: 'file'
+  register: rspamd__found_snippets
+
+- name: Remove superfluous configuration snippets from {{ cfgdir.path }}
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop: '{{ rspamd__found_snippets.files
+             | map(attribute="path")
+             | list
+             | difference(rspamd__created_snippets) }}'
+  notify: [ 'Restart rspamd' ]
diff --git a/ansible_collections/debops/debops/roles/rspamd/tasks/main_dkim.yml b/ansible_collections/debops/debops/roles/rspamd/tasks/main_dkim.yml
new file mode 100644
index 00000000..4233f6dc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/tasks/main_dkim.yml
@@ -0,0 +1,96 @@
+---
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Make sure the DKIM directories exist
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    mode: '0750'
+    owner: '_rspamd'
+    group: '_rspamd'
+  loop:
+    - '/var/lib/rspamd'
+    - '/var/lib/rspamd/dkim'
+    - '/var/lib/rspamd/dkim-archive'
+    - '{{ rspamd__dkim_log_dir }}'
+  when: rspamd__dkim_enabled | d(False)
+
+- name: Create DKIM key generation/update configuration
+  ansible.builtin.template:
+    src: 'etc/rspamd/dkim-json.j2'
+    dest: '{{ item.dest }}'
+    mode: '0644'
+  loop:
+    - { config: '{{ rspamd__dkim_keygen_combined_configuration }}',
+        dest: "/etc/rspamd/dkim-keygen.json" }
+    - { config: '{{ rspamd__dkim_update_combined_configuration }}',
+        dest: "/etc/rspamd/dkim-update.json" }
+  loop_control:
+    label: '{{ item.dest }}'
+  when: rspamd__dkim_enabled | d(False)
+
+- name: Install DKIM scripts
+  ansible.builtin.copy:
+    src: "{{ lookup('debops.debops.file_src', item.src) }}"
+    dest: "{{ item.dest }}"
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode: '{{ item.mode | d("0755") }}'
+  with_items:
+    - { src: 'usr/local/sbin/rspamd-dkim-keygen',
+        dest: '/usr/local/sbin/rspamd-dkim-keygen' }
+    - { src: 'usr/local/sbin/rspamd-dkim-update',
+        dest: '/usr/local/sbin/rspamd-dkim-update' }
+  when: rspamd__dkim_enabled | d(False)
+
+- name: See if a nsupdate keyfile/keytab exists on the Ansible controller
+  ansible.builtin.set_fact:
+    rspamd__dkim_local_keyfile: '{{ lookup("debops.debops.file_src", "etc/rspamd/dkim_dns_key", errors="ignore") }}'
+  when: >
+    rspamd__dkim_enabled | d(False) and
+    rspamd__dkim_update_method in ["nsupdate_tsig", "nsupdate_gsstsig"]
+
+- name: Copy nsupdate keyfile/keytab from controller to host
+  ansible.builtin.copy:
+    src: '{{ rspamd__dkim_local_keyfile }}'
+    dest: '/etc/rspamd/dkim_dns_key'
+    owner: 'root'
+    group: '_rspamd'
+    mode: '0640'
+  when: >
+    rspamd__dkim_enabled | d(False) and
+    rspamd__dkim_update_method in ["nsupdate_tsig", "nsupdate_gsstsig"] and
+    rspamd__dkim_local_keyfile is defined and
+    rspamd__dkim_local_keyfile | length > 0
+
+- name: Create DKIM keys
+  ansible.builtin.command: /usr/local/sbin/rspamd-dkim-keygen
+  become: True
+  become_user: '_rspamd'
+  register: rspamd__dkim_tmp_output
+  changed_when: rspamd__dkim_tmp_output.rc == 2
+  failed_when: rspamd__dkim_tmp_output.rc not in [0, 2]
+  when: rspamd__dkim_enabled | d(False)
+  notify: [ 'Restart rspamd' ]
+
+- name: Configure DKIM key generation/rollover cron job
+  ansible.builtin.cron:
+    name: 'Generate/rollover DKIM keys for rspamd'
+    special_time: 'monthly'
+    cron_file: 'rspamd-dkim-keygen'
+    user: '_rspamd'
+    state: '{{ "present" if rspamd__dkim_enabled | d(False) else "absent" }}'
+    job: '/usr/local/sbin/rspamd-dkim-keygen'
+
+- name: Purge DKIM configuration/scripts
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'absent'
+  loop:
+    - '/etc/rspamd/dkim-keygen.json'
+    - '/etc/rspamd/dkim-update.json'
+    - '/usr/local/sbin/rspamd-dkim-keygen'
+    - '/usr/local/sbin/rspamd-dkim-update'
+  when: not rspamd__dkim_enabled | d(False)
diff --git a/ansible_collections/debops/debops/roles/rspamd/templates/etc/ansible/facts.d/rspamd.fact.j2 b/ansible_collections/debops/debops/roles/rspamd/templates/etc/ansible/facts.d/rspamd.fact.j2
new file mode 100644
index 00000000..d0722d8b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/templates/etc/ansible/facts.d/rspamd.fact.j2
@@ -0,0 +1,100 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+def get_value(input_line, key, output, output_key=None):
+    if input_line.startswith(key):
+        output[output_key if output_key is not None else key] = \
+            input_line.split("=", 1)[1].strip(' "\'\t\r\n;')
+
+
+output = {}
+
+output['installed'] = cmd_exists('rspamd')
+
+if output['installed']:
+    try:
+        rspamd_version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "rspamd"]).decode('utf-8').split('-')[0]
+        output['version'] = rspamd_version_stdout
+
+    except Exception:
+        pass
+
+    try:
+        if os.path.isfile('/etc/rspamd/local.d/worker-proxy.inc'):
+            try:
+                with open('/etc/rspamd/local.d/worker-proxy.inc') as fh:
+                    for line in fh:
+                        get_value(line, 'milter', output, 'milter_enabled')
+                        get_value(line, 'bind_socket', output, 'milter_socket')
+
+            except Exception:
+                pass
+
+        if output.get('milter_enabled', 'false').lower() in ['true', 'yes', 'on']:
+            output['milter_enabled'] = True
+            milter_host_port = output.get('milter_socket', 'localhost:11332').split(":")
+            output['milter_host'] = milter_host_port[0].strip()
+            if len(milter_host_port) > 1:
+                output['milter_port'] = milter_host_port[1].strip()
+            else:
+                output['milter_port'] = 11332
+        else:
+            output['milter_enabled'] = False
+
+        output['redis_enabled'] = False
+        if os.path.isfile('/etc/rspamd/local.d/redis.conf'):
+            try:
+                with open('/etc/rspamd/local.d/redis.conf') as fh:
+                    for line in fh:
+                        get_value(line, 'servers', output, 'redis_servers')
+                        get_value(line, 'db', output, 'redis_db')
+                        get_value(line, 'password', output, 'redis_password')
+                if 'redis_servers' in output:
+                    output['redis_servers'] = output['redis_servers'].split(',')
+                output['redis_enabled'] = True
+
+            except Exception:
+                pass
+
+        output['dkim_enabled'] = False
+        if os.path.isfile('/etc/rspamd/local.d/dkim_signing.conf'):
+            try:
+                with open('/etc/rspamd/local.d/dkim_signing.conf') as fh:
+                    for line in fh:
+                        get_value(line, 'path', output, 'dkim_path')
+                        get_value(line, 'selector', output, 'dkim_selector')
+                if ('dkim_path' in output and 'dkim_selector' in output and
+                        os.path.isfile(output['dkim_path'])):
+                    output['dkim_enabled'] = True
+
+            except Exception:
+                pass
+
+    except Exception:
+        pass
+
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/dkim-json.j2 b/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/dkim-json.j2
new file mode 100644
index 00000000..e0220bbc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/dkim-json.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set output = { "_comments": [ item.dest, ansible_managed ] } %}
+{% for opt in item.config | debops.debops.parse_kv_items %}
+{%   set _ = output.update({ opt.name : opt.value }) %}
+{% endfor %}
+{{ output | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/snippet.j2 b/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/snippet.j2
new file mode 100644
index 00000000..9a1a7ec4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rspamd/templates/etc/rspamd/snippet.j2
@@ -0,0 +1,62 @@
+{# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2021 DebOps <https://debops.org>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# /etc/rspamd/local.d/{{ item.file }}
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='#', postfix='#', decoration='# ') }}
+{% endif %}
+
+{% macro print_element(element, commented, loop_first, indent) %}
+{%   set prefix = ("{:^" + indent | string + "}").format('') %}
+{%   set comment_prefix = (prefix + "# ") %}
+{%   if commented or element.state | d('present') == 'comment' %}
+{%     set commented = True %}
+{%     set prefix = comment_prefix %}
+{%   else %}
+{%     set commented = False %}
+{%   endif %}
+{%   if element.options | d() and not loop_first %}
+{{     '' }}
+{%   endif %}
+{%   if element.comment | d() %}
+{{     element.comment | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='') -}}
+{%   endif %}
+{%   if element.raw | d() %}
+{%     if commented %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration=comment_prefix, postfix='')) -}}
+{%     else %}
+{{       '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%     endif %}
+{%   elif element.options | d() %}
+{{     '{}{} {{'.format(prefix, element.option | d(element.name) | regex_replace('\n$', '')) }}
+{%     for element in element.options %}
+{%       if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{{         print_element(element, commented, loop.first, indent + 8) -}}
+{%       endif %}
+{%     endfor %}
+{{     '{}}}'.format(prefix) }}
+{%   else %}
+{%     if element.value is not string and element.value is not mapping and element.value is iterable %}
+{%       set element_value = [] %}
+{%       for option in element.value %}
+{%         if option.state | d('present') != 'absent' and option.name | d("") | length > 0 %}
+{%           set _ = element_value.append(option.name) %}
+{%         endif %}
+{%       endfor %}
+{%     else %}
+{%       set element_value = element.value | d("") | to_json %}
+{%     endif %}
+{{     '{}{} = {};'.format(prefix, element.option | d(element.name), element_value) }}
+{%   endif %}
+{% endmacro %}
+{##}
+{% if item.options %}
+{%   for option in item.options %}
+{%     if option.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{{       print_element(option, option.state | d('present') == 'comment', loop.first, 0) -}}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/COPYRIGHT b/ansible_collections/debops/debops/roles/rstudio_server/COPYRIGHT
new file mode 100644
index 00000000..2eeb32a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.rstudio_server - Manage RStudio Server using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/defaults/main.yml b/ansible_collections/debops/debops/roles/rstudio_server/defaults/main.yml
new file mode 100644
index 00000000..7ff681d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/defaults/main.yml
@@ -0,0 +1,295 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rstudio_server__ref_defaults:
+
+# debops.rstudio_server default variables [[[
+# ===========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Application sources [[[
+# -----------------------
+
+# .. envvar:: rstudio_server__rstudio_in_apt [[[
+#
+# Variable which contains the information about presence of the
+# ``rstudio-server`` package in APT. If not, the ``.deb`` package containing
+# RStudio Server will be downloaded by the role and installed directly.
+rstudio_server__rstudio_in_apt: '{{ True
+                                    if (rstudio_server__register_package_rstudio.stdout)
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__src [[[
+#
+# Directory where downloaded packages will be stored.
+rstudio_server__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                         + "/" + rstudio_server__user }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__release_deb_map [[[
+#
+# The map of the RStudio releases matched to supported OS distributions and releases.
+rstudio_server__release_deb_map:
+  'Ubuntu':
+    package:  'https://download2.rstudio.org/server/trusty/amd64/rstudio-server-1.2.1335-amd64.deb'
+    checksum: 'sha256:a41f16fd7e7e471fca77f081a4b302a1d66d14fb32dffcea1299e0c1dbf30e44'
+  'Debian':
+    package: 'https://download2.rstudio.org/server/debian9/x86_64/rstudio-server-1.2.1335-amd64.deb'
+    checksum: 'sha256:a95d0b33d1f7d85fbd7403a610aa39b3bb8354e7efdba3e80f4d919d1589ca95'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__rstudio_deb_url [[[
+#
+# The URL of the ``rstudio-server`` ``.deb`` package to download.
+rstudio_server__rstudio_deb_url: '{{ rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release].package
+                                     if (rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release] | d())
+                                     else rstudio_server__release_deb_map[ansible_distribution].package }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__rstudio_deb_checksum [[[
+#
+# The SHA256 checksum of the ``rstudio-server`` ``.deb`` package.
+rstudio_server__rstudio_deb_checksum: '{{ rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release].checksum
+                                          if (rstudio_server__release_deb_map[ansible_distribution + "_" + ansible_distribution_release] | d())
+                                          else rstudio_server__release_deb_map[ansible_distribution].checksum }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__signing_key_id [[[
+#
+# The fingerprint of the GPG key used by RStudio Inc. to sign the released
+# ``.deb`` packages, used for verification of the package before installation.
+# See https://www.rstudio.com/code-signing/ for more details.
+rstudio_server__signing_key_id: 'FE85 64CF F1AB 93F1 7286  4519 3F32 EE77 E331 692F'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: rstudio_server__base_packages [[[
+#
+# List of APT packages required by RStudio Server.
+rstudio_server__base_packages:
+  - 'dpkg-sig'
+  - '{{ "rstudio-server"
+        if rstudio_server__rstudio_in_apt | bool
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__packages [[[
+#
+# List of additional APT packages to install with RStudio Server.
+rstudio_server__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# RStudio system account [[[
+# --------------------------
+
+# .. envvar:: rstudio_server__user [[[
+#
+# The UNIX system account used by RStudio Server.
+rstudio_server__user: 'rstudio-server'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__group [[[
+#
+# The UNIX system group used by RStudio Server.
+rstudio_server__group: 'rstudio-server'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__home [[[
+#
+# RStudio Server home directory.
+rstudio_server__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+                          + "/" + rstudio_server__user }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__shell [[[
+#
+# The UNIX shell used by the RStudio user account.
+rstudio_server__shell: '/usr/sbin/nologin'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__comment [[[
+#
+# The comment/GECOS field of the RStudio Server account.
+rstudio_server__comment: 'RStudio Server'
+                                                                   # ]]]
+                                                                   # ]]]
+# User account access [[[
+# -----------------------
+
+# These variables can be used to grant access to the RStudio Server service to
+# specific UNIX accounts. Only existing accounts will be added to the
+# authentication group. See :ref:`rstudio_server__ref_allow_users` for more
+# details.
+
+# .. envvar:: rstudio_server__allow_users [[[
+#
+# Specify list of UNIX user accounts that will be allowed to access RStudio
+# Server on all hosts in the Ansible inventory.
+rstudio_server__allow_users: []
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__group_allow_users [[[
+#
+# Specify list of UNIX user accounts that will be allowed to access RStudio
+# Server on hosts in a specific Ansible inventory group.
+rstudio_server__group_allow_users: []
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__host_allow_users [[[
+#
+# Specify list of UNIX user accounts that will be allowed to access RStudio
+# Server on specific hosts in the Ansible inventory.
+rstudio_server__host_allow_users: []
+                                                                   # ]]]
+                                                                   # ]]]
+# RStudio Server options [[[
+# --------------------------
+
+# .. envvar:: rstudio_server__bind [[[
+#
+# IP address of the interface on which :command:`rstudio-server` listens for
+# connections.
+rstudio_server__bind: '127.0.0.1'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__port [[[
+#
+# The TCP port used by RServer Studio service.
+rstudio_server__port: '8787'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__auth_group [[[
+#
+# The UNIX system group which allows access to RStudio Server.
+rstudio_server__auth_group: 'rstudio-users'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__session_timeout [[[
+#
+# RStudio session timeout in minutes. When it passes, idle sessions will be
+# saved on disk and disabled.
+rstudio_server__session_timeout: '120'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__cran_mirror [[[
+#
+# The URL of the Comprehensive R Archive Network mirror which should be used by
+# RStudio Server.
+rstudio_server__cran_mirror: '{{ ansible_local.cran.mirror | d("https://cloud.r-project.org/") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# RStudio Server configuration files [[[
+# --------------------------------------
+
+# These variables define the contents of the RStudio Server configuration
+# files. See :ref:`rstudio_server__ref_conf` for more details.
+
+# .. envvar:: rstudio_server__rserver_conf [[[
+#
+# The contents of the :file:`/etc/rstudio/rserver.conf` configuration file.
+rstudio_server__rserver_conf:
+
+  - 'www-address':              '{{ rstudio_server__bind }}'
+  - 'www-port':                 '{{ rstudio_server__port }}'
+  - 'auth-required-user-group': '{{ rstudio_server__auth_group }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__rsession_conf [[[
+#
+# The contents of the :file:`/etc/rstudio/rsession.conf` configuration file.
+rstudio_server__rsession_conf:
+
+  - 'session-timeout-minutes': '{{ rstudio_server__session_timeout }}'
+  - 'r-cran-repos':            '{{ rstudio_server__cran_mirror }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Webserver configuration [[[
+# ---------------------------
+
+# .. envvar:: rstudio_server__fqdn [[[
+#
+# The Fully Qualified Domain Name of the RStudio Server web service.
+rstudio_server__fqdn: 'rstudio.{{ rstudio_server__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__domain [[[
+#
+# The DNS domain on which RStudio Server will be available.
+rstudio_server__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__upload_size [[[
+#
+# Maximum upload size allowed by the webserver, in megabytes.
+rstudio_server__upload_size: '50m'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: rstudio_server__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+rstudio_server__etc_services__dependent_list:
+
+  - name: 'rstudio'
+    port: '{{ rstudio_server__port }}'
+    comment: 'RStudio Server'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+rstudio_server__keyring__dependent_gpg_keys:
+
+  - user: '{{ rstudio_server__user }}'
+    group: '{{ rstudio_server__group }}'
+    home: '{{ rstudio_server__home }}'
+    id: '{{ rstudio_server__signing_key_id }}'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__cran__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.cran` Ansible role.
+rstudio_server__cran__dependent_packages:
+
+  - 'r-doc-html'
+
+                                                                   # ]]]
+# .. envvar:: rstudio_server__nginx__dependent_servers [[[
+#
+# Configuration for the :ref:`debops.nginx` Ansible role.
+rstudio_server__nginx__dependent_servers:
+
+  - by_role: 'debops.rstudio_server'
+    name: '{{ rstudio_server__fqdn }}'
+    filename: 'debops.rstudio_server'
+
+    options: |
+        client_max_body_size {{ rstudio_server__upload_size }};
+
+    location_list:
+      - pattern: '/'
+        options: |
+          proxy_pass http://127.0.0.1:{{ rstudio_server__port }};
+          proxy_redirect http://127.0.0.1:{{ rstudio_server__port }}/ $scheme://$host/;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+          proxy_read_timeout 20d;
+        state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/meta/main.yml b/ansible_collections/debops/debops/roles/rstudio_server/meta/main.yml
new file mode 100644
index 00000000..b3a97d7d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/meta/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure RStudio Server, an Integrated Development Environment for R'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - rlang
+    - rstudio
+    - ide
+    - web
+    - programming
+    - development
+    - statistics
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/meta/watch-rstudio b/ansible_collections/debops/debops/roles/rstudio_server/meta/watch-rstudio
new file mode 100644
index 00000000..d2ccc67e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/meta/watch-rstudio
@@ -0,0 +1,14 @@
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: rstudio_server
+# Package: rstudio-server
+# Version: 1.2.1335
+#
+# Note: on version change, check if the role can be tested in GitLab CI using
+# Debian Stable - common due to old libssl versions required by the upstream.
+
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/rstudio-$1\.tar\.gz/ \
+  https://github.com/rstudio/rstudio/tags .*/v?(1\.*\S+)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/tasks/main.yml b/ansible_collections/debops/debops/roles/rstudio_server/tasks/main.yml
new file mode 100644
index 00000000..34ee2664
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/tasks/main.yml
@@ -0,0 +1,125 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if rstudio-server package is available
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && apt-cache pkgnames | grep rstudio-server || true
+  args:
+    executable: 'bash'
+  register: rstudio_server__register_package_rstudio
+  changed_when: False
+  check_mode: False
+
+- name: Create required system groups
+  ansible.builtin.group:
+    name: '{{ item }}'
+    state: 'present'
+    system: True
+  with_items:
+    - '{{ rstudio_server__group }}'
+    - '{{ rstudio_server__auth_group }}'
+
+- name: Create system account for RStudio Server
+  ansible.builtin.user:
+    name: '{{ rstudio_server__user }}'
+    group: '{{ rstudio_server__group }}'
+    home: '{{ rstudio_server__home }}'
+    shell: '{{ rstudio_server__shell }}'
+    comment: '{{ rstudio_server__comment }}'
+    system: True
+    state: 'present'
+
+- name: Get the current user accounts
+  ansible.builtin.getent:
+    database: 'passwd'
+
+- name: Allow specified user accounts to access RStudio Server
+  ansible.builtin.user:
+    name: '{{ item.name | d(item) }}'
+    groups: '{{ rstudio_server__auth_group }}'
+    append: True
+  loop: '{{ q("flattened", rstudio_server__allow_users
+                           + rstudio_server__group_allow_users
+                           + rstudio_server__host_allow_users) }}'
+  when: item.name | d(item) in getent_passwd.keys() and
+        item.state | d('present') != 'absent'
+
+- name: Install RStudio Server packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (rstudio_server__base_packages
+                              + rstudio_server__packages)) }}'
+    state: 'present'
+  register: rstudio_server__register_packages
+  until: rstudio_server__register_packages is succeeded
+
+- name: Create source directory
+  ansible.builtin.file:
+    path: '{{ rstudio_server__src }}'
+    state: 'directory'
+    owner: '{{ rstudio_server__user }}'
+    group: '{{ rstudio_server__group }}'
+    mode: '0755'
+  when: not rstudio_server__rstudio_in_apt | bool
+
+- name: Download RStudio Server .deb package
+  ansible.builtin.get_url:
+    url: '{{ rstudio_server__rstudio_deb_url }}'
+    dest: '{{ rstudio_server__src + "/" + rstudio_server__rstudio_deb_url | basename }}'
+    checksum: '{{ rstudio_server__rstudio_deb_checksum }}'
+    mode: '0644'
+  become: True
+  become_user: '{{ rstudio_server__user }}'
+  register: rstudio_server__register_rstudio_package
+  until: rstudio_server__register_rstudio_package is succeeded
+  when: not rstudio_server__rstudio_in_apt | bool
+
+- name: Verify RStudio Server package signature
+  ansible.builtin.command: dpkg-sig --verify {{ rstudio_server__src + '/' + (rstudio_server__rstudio_deb_url | basename) }}
+  become: True
+  become_user: '{{ rstudio_server__user }}'
+  changed_when: False
+  check_mode: False
+
+- name: Install RStudio Server .deb package
+  ansible.builtin.apt:
+    deb: '{{ rstudio_server__src + "/" + rstudio_server__rstudio_deb_url | basename }}'
+    state: 'present'
+  register: rstudio_server__register_rstudio_deb
+  until: rstudio_server__register_rstudio_deb is succeeded
+  when: not rstudio_server__rstudio_in_apt | bool
+
+- name: Configure RStudio Server
+  ansible.builtin.template:
+    src: 'etc/rstudio/{{ item }}.j2'
+    dest: '/etc/rstudio/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'rserver.conf', 'rsession.conf' ]
+  notify: [ 'Verify rstudio-server' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save RStudio Server local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rstudio_server.fact.j2'
+    dest: '/etc/ansible/facts.d/rstudio_server.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/ansible/facts.d/rstudio_server.fact.j2 b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/ansible/facts.d/rstudio_server.fact.j2
new file mode 100644
index 00000000..9a50b363
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/ansible/facts.d/rstudio_server.fact.j2
@@ -0,0 +1,31 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+import subprocess
+import signal
+import os
+
+output = {"installed": True}
+
+try:
+    with open(os.devnull, 'w') as devnull:
+        app_stdout = subprocess.check_output(
+            ["/usr/sbin/rstudio-server version"],
+            shell=True, stderr=devnull).decode('utf-8')
+
+except subprocess.CalledProcessError:
+    pass
+
+if app_stdout:
+    output['version'] = app_stdout.strip()
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rserver.conf.j2 b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rserver.conf.j2
new file mode 100644
index 00000000..92197d11
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rserver.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Server Configuration File
+
+{% for element in rstudio_server__rserver_conf %}
+{%   if element is mapping %}
+{%     if 'name' in element.keys() %}
+{%       if element.value | d() and element.state | d('present') != 'absent' %}
+{{ "{}={}".format(element.name, element.value) }}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{{ "{}={}".format(key, value) }}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rsession.conf.j2 b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rsession.conf.j2
new file mode 100644
index 00000000..f00a7cc8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rstudio_server/templates/etc/rstudio/rsession.conf.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# R Session Configuration File
+
+{% for element in rstudio_server__rsession_conf %}
+{%   if element is mapping %}
+{%     if 'name' in element.keys() %}
+{%       if element.value | d() and element.state | d('present') != 'absent' %}
+{{ "{}={}".format(element.name, element.value) }}
+{%       endif %}
+{%     else %}
+{%       for key, value in element.items() %}
+{{ "{}={}".format(key, value) }}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rsyslog/COPYRIGHT b/ansible_collections/debops/debops/roles/rsyslog/COPYRIGHT
new file mode 100644
index 00000000..97eee478
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.rsyslog - Manage syslog daemon using Ansible
+
+Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/rsyslog/defaults/main.yml b/ansible_collections/debops/debops/roles/rsyslog/defaults/main.yml
new file mode 100644
index 00000000..4bbc648e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/defaults/main.yml
@@ -0,0 +1,1220 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _rsyslog__ref_defaults:
+
+# debops.rsyslog default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: rsyslog__enabled [[[
+#
+# Enable or disable the management of the :command:`rsyslog` service using the
+# :ref:`debops.rsyslog` Ansible role.
+rsyslog__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__deploy_state [[[
+#
+# Define the desired state of the :command:`rsyslog` service on a given host,
+# either ``present`` to install and configure the service, or ``absent`` to
+# uninstall it and remove any changes applied by Ansible.
+rsyslog__deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__unprivileged [[[
+#
+# Enable or disable unprivileged ``rsyslogd`` operation. Warning, enabling this
+# option requires additional configuration outside of the ``debops.rsyslog``
+# role. See :ref:`rsyslog__unprivileged` for more details.
+rsyslog__unprivileged: '{{ "True"
+                           if (ansible_distribution in ["Ubuntu"])
+                           else "False" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__remote_enabled [[[
+#
+# Enable or disable support for receiving logs from remote hosts. It will be
+# enabled automatically if a list of hosts or subnets allowed to connect to the
+# :command:`rsyslog` service is defined in the Ansible inventory.
+rsyslog__remote_enabled: '{{ True
+                             if (rsyslog__allow
+                                 + rsyslog__group_allow
+                                 + rsyslog__host_allow)
+                             else False }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__forward_enabled [[[
+#
+# Enable or disable support for forwarding logs to another host. The forwarding
+# will be enabled automatically if any forward targets are configured and
+# support for receiving logs via the :envvar:`rsyslog__remote_enabled` variable
+# is not active.
+rsyslog__forward_enabled: '{{ True
+                              if q("flattened", (rsyslog__default_forward
+                                                 + rsyslog__forward
+                                                 + rsyslog__group_forward
+                                                 + rsyslog__host_forward))
+                              else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: rsyslog__base_packages [[[
+#
+# List of default APT packages to install.
+rsyslog__base_packages: [ 'rsyslog' ]
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__tls_packages [[[
+#
+# List of APT packages required for TLS support.
+rsyslog__tls_packages: [ 'rsyslog-gnutls' ]
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__packages [[[
+#
+# List of additional APT packages to install.
+rsyslog__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# User, group, home, file ownership [[[
+# -------------------------------------
+
+# .. envvar:: rsyslog__user [[[
+#
+# The unprivileged system user account used by the ``rsyslogd`` daemon, when
+# unprivileged operation is enabled.
+rsyslog__user: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__group [[[
+#
+# The unprivileged system group account used by the ``rsyslogd`` daemon, when
+# unprivileged operation is enabled.
+rsyslog__group: '{{ "syslog" if rsyslog__unprivileged | bool else "root" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__append_groups [[[
+#
+# List of additional UNIX groups to add the rsyslog user into. The
+# ``ssl-cert`` UNIX group is used for the X.509 private key access.
+rsyslog__append_groups: '{{ ["ssl-cert"] if (rsyslog__unprivileged | bool
+				and rsyslog__pki | bool) else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__home [[[
+#
+# The home directory of the :envvar:`rsyslog__user` user, dependent on the OS
+# defaults. Takes effect only when the unprivileged mode is enabled.
+rsyslog__home: '{{ "/home/syslog"
+                   if (ansible_distribution in ["Ubuntu"])
+                   else "/var/log" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__file_owner [[[
+#
+# The account which will be set as the owner of the log files generated by
+# ``rsyslogd``. When an unprivileged mode is enabled, it should be the same as
+# the ``rsyslogd`` user account.
+rsyslog__file_owner: '{{ rsyslog__user }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__file_group [[[
+#
+# The system group which will be set as the default group of the log files
+# generated by ``rsyslogd``.
+rsyslog__file_group: 'adm'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_logfiles [[[
+#
+# List of default logfiles managed by ``debops.rsyslog`` role. This list is
+# used in the :ref:`debops.logrotate` configuration to create log rotation, as
+# well as to change the file owner/group when unprivileged operation is
+# enabled.
+rsyslog__default_logfiles:
+  - '/var/log/syslog'
+  - '/var/log/kern.log'
+  - '/var/log/auth.log'
+  - '/var/log/user.log'
+  - '/var/log/daemon.log'
+  - '/var/log/messages'
+  - '/var/log/mail.log'
+  - '/var/log/mail.info'
+  - '/var/log/mail.warn'
+  - '/var/log/mail.err'
+  - '/var/log/cron.log'
+  - '/var/log/lpr.log'
+  - '/var/log/debug'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__logfiles [[[
+#
+# List of additional logfiles managed by the ``debops.rsyslog`` role.
+rsyslog__logfiles: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Encrypted communication [[[
+# ---------------------------
+
+# .. envvar:: rsyslog__pki [[[
+#
+# Enable or disable support for X.509 certificates managed by :ref:`debops.pki`
+# role, used for TLS connections.
+rsyslog__pki: '{{ ansible_local.pki.enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__pki_path [[[
+#
+# Path to the directory with PKI realms.
+rsyslog__pki_path: '{{ ansible_local.pki.path | d("/etc/pki") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__pki_realm [[[
+#
+# Name of the PKi realm to use with ``rsyslogd``.
+rsyslog__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__pki_ca [[[
+#
+# Name of the root CA certificate used by the ``debops.rsyslog`` role.
+rsyslog__pki_ca: '{{ ansible_local.pki.ca | d("CA.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__pki_crt [[[
+#
+# Name of the client certificate file used by the ``debops.rsyslog`` role.
+rsyslog__pki_crt: '{{ ansible_local.pki.crt | d("default.crt") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__pki_key [[[
+#
+# Name of the private key file used by the ``debops.rsyslog`` role.
+rsyslog__pki_key: '{{ ansible_local.pki.key | d("default.key") }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_netstream_driver [[[
+#
+# Specify the default NetStream driver used by the ``imtcp`` module. The
+# ``gtls`` will be enabled by default if the support for PKI is enabled,
+# otherwise ``ptcp`` will be used.
+rsyslog__default_netstream_driver: '{{ "gtls"
+                                       if rsyslog__pki | bool
+                                       else "ptcp" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_driver_mode [[[
+#
+# The NetStream driver mode. The ptcp driver only supports mode 0 (unencrypted
+# transmission). The gtls driver supports modes 0 (unencrypted transmission,
+# just like the ptcp driver) and 1 (TLS-protected operation).
+# Ref: https://rsyslog.readthedocs.io/en/latest/concepts/netstrm_drvr.html
+rsyslog__default_driver_mode: '{{ "1"
+                                  if rsyslog__default_netstream_driver == "gtls"
+                                  else "0" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_driver_authmode [[[
+#
+# Specify the default network driver authentication mode. Currently only
+# `x509/name` or `anon` are available:
+rsyslog__default_driver_authmode: '{{ "x509/name"
+                                      if rsyslog__default_netstream_driver == "gtls" and
+                                         rsyslog__default_driver_mode == "1"
+                                      else "anon" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__domain [[[
+#
+# The default DNS domain used to accept remote incoming logs from remote hosts.
+rsyslog__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__permitted_peers [[[
+#
+# List of hostnames, IP addresses or wildcard DNS domains which will be allowed
+# by the ``rsyslogd`` server to connect and send logs over TLS.
+rsyslog__permitted_peers: [ '*.{{ rsyslog__domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__send_permitted_peers [[[
+#
+# Hostname, IP address or wildcard DNS domain which will be verified by the
+# ``rsyslogd`` client and will allow to connect and send logs to the remote
+# server over TLS. Currently only one peer is supported by :command:`rsyslog`.
+rsyslog__send_permitted_peers: '{{ rsyslog__permitted_peers | first }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall, UDP, TCP ports [[[
+# ----------------------------
+
+# .. envvar:: rsyslog__allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# ``rsyslogd`` ports by the firewall. This variable should be used for all
+# hosts in the inventory.
+rsyslog__allow: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# ``rsyslogd`` ports by the firewall. This variable should be used for specific
+# group of hosts in the inventory.
+rsyslog__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# ``rsyslogd`` ports by the firewall. This variable should be used for specific
+# hosts in the inventory.
+rsyslog__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Log forwarding [[[
+# ------------------
+
+# The variables below define lists of syslog servers to which the logs
+# generated by a given host will be forwarded. The role will create the
+# :file:`/etc/rsyslog.d/00forward-logs.conf` configuration file with
+# configuration for each host defined here. See :ref:`rsyslog__ref_forward`
+# documentation for more details.
+
+# .. envvar:: rsyslog__syslog_srv_rr [[[
+#
+# List which contains the result of the DNS query for syslog server ``SRV``
+# resource records in the host's domain.
+# See https://tools.ietf.org/html/draft-schoenw-opsawg-nm-srv-03 for details.
+rsyslog__syslog_srv_rr: '{{ q("debops.debops.dig_srv", "_syslog._tcp." + rsyslog__domain,
+                              "syslog." + rsyslog__domain, 6514) }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_forward [[[
+#
+# List of the hosts detected via the DNS ``SRV`` resource records to which log
+# messages will be forwarded. If multiple servers are configured in the SRV
+# record, logs will be sent to all of them.
+rsyslog__default_forward: '{{ rsyslog__syslog_srv_rr
+                              if (rsyslog__syslog_srv_rr[0]["dig_srv_src"] | d("") != "fallback" and
+                                  not rsyslog__remote_enabled | bool and
+                                  rsyslog__pki | bool)
+                              else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__forward [[[
+#
+# List of ``rsyslogd`` options that configure log forwarding for all hosts in
+# the inventory. See :ref:`rsyslog__ref_forward` for more details.
+rsyslog__forward: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__group_forward [[[
+#
+# List of ``rsyslogd`` options that configure log forwarding for hosts in
+# a specific group. See :ref:`rsyslog__ref_forward` for more details.
+rsyslog__group_forward: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__host_forward [[[
+#
+# List of ``rsyslogd`` options that configure log forwarding for specific hosts
+# in Ansible inventory. See :ref:`rsyslog__ref_forward` for more details.
+rsyslog__host_forward: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Main rsyslog configuration [[[
+# ------------------------------
+
+# The variables below define the contents of the :file:`/etc/rsyslog.conf`
+# configuration file. See :ref:`rsyslog__ref_configuration` for more details.
+
+# .. envvar:: rsyslog__original_configuration [[[
+#
+# The original configuration options included in the Debian package.
+rsyslog__original_configuration:
+
+  - name: 'module_imuxsock'
+    comment: 'Provides support for local system logging'
+    raw: |
+      module(load="imuxsock")
+    state: 'present'
+    section: 'modules'
+
+  - name: 'module_imklog'
+    comment: 'Provides kernel logging support'
+    raw: |
+      module(load="imklog")
+    state: 'present'
+    section: 'modules'
+
+  - name: 'module_immark'
+    comment: 'Provides --MARK-- message capability'
+    raw: |
+      module(load="immark")
+    state: 'comment'
+    section: 'modules'
+
+  - name: 'module_imudp'
+    comment: 'Provides UDP syslog reception'
+    raw: |
+      module(load="imudp")
+      input(type="imudp" port="514")
+    state: 'comment'
+    section: 'modules'
+
+  - name: 'module_imtcp'
+    comment: 'Provides TCP syslog reception'
+    raw: |
+      module(load="imtcp")
+      input(type="imtcp" port="514")
+    state: 'comment'
+    section: 'modules'
+
+  - name: 'default_template'
+    comment: |
+      Use traditional timestamp format.
+      To enable high precision timestamps, comment out the following line.
+    raw: |
+      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+    state: 'present'
+    section: 'global'
+
+  - name: 'default_permissions'
+    comment: 'Set the default permissions for all log files.'
+    raw: |
+      $FileOwner root
+      $FileGroup adm
+      $FileCreateMode 0640
+      $DirCreateMode 0755
+      $Umask 0022
+    state: 'present'
+    section: 'global'
+
+  - name: 'spool_state'
+    comment: 'Where to place spool and state files'
+    raw: |
+      $WorkDirectory /var/spool/rsyslog
+    state: 'present'
+    section: 'global'
+
+  - name: 'include_config'
+    comment: 'Include all config files in /etc/rsyslog.d/'
+    raw: |
+      $IncludeConfig /etc/rsyslog.d/*.conf
+    state: 'present'
+    section: 'global'
+
+  - name: 'auth_facility'
+    comment: 'First some standard log files.  Log by facility.'
+    raw: |
+      auth,authpriv.*			/var/log/auth.log
+      *.*;auth,authpriv.none		-/var/log/syslog
+    state: 'present'
+    section: 'rules'
+
+  - name: 'cron_facility'
+    raw: |
+      cron.*				/var/log/cron.log
+    state: 'comment'
+    section: 'rules'
+
+  - name: 'daemon_facility'
+    raw: |
+      daemon.*			-/var/log/daemon.log
+    state: 'present'
+    section: 'rules'
+
+  - name: 'kern_facility'
+    raw: |
+      kern.*				-/var/log/kern.log
+    state: 'present'
+    section: 'rules'
+
+  - name: 'lpr_facility'
+    raw: |
+      lpr.*				-/var/log/lpr.log
+    state: 'present'
+    section: 'rules'
+
+  - name: 'mail_facility'
+    raw: |
+      mail.*				-/var/log/mail.log
+    state: 'present'
+    section: 'rules'
+
+  - name: 'user_facility'
+    raw: |
+      user.*				-/var/log/user.log
+    state: 'present'
+    section: 'rules'
+
+  - name: 'mail_log'
+    comment: |
+      Logging for the mail system.  Split it up so that
+      it is easy to write scripts to parse these files.
+    raw: |
+      mail.info			-/var/log/mail.info
+      mail.warn			-/var/log/mail.warn
+      mail.err			/var/log/mail.err
+    state: 'present'
+    section: 'rules'
+
+  - name: 'debug_log'
+    comment: 'Some "catch-all" log files.'
+    raw: |
+      *.=debug;\
+      	auth,authpriv.none;\
+      	news.none;mail.none	-/var/log/debug
+    state: 'present'
+    section: 'rules'
+
+  - name: 'messages'
+    raw: |
+      *.=info;*.=notice;*.=warn;\
+      	auth,authpriv.none;\
+      	cron,daemon.none;\
+      	mail,news.none		-/var/log/messages
+    state: 'present'
+    section: 'rules'
+
+  - name: 'emergencies'
+    comment: 'Emergencies are sent to everybody logged in.'
+    raw: |
+      *.emerg				:omusrmsg:*
+    state: 'present'
+    section: 'rules'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__default_configuration [[[
+#
+# The default :command:`rsyslog` configuration defined by the role.
+rsyslog__default_configuration:
+
+  # Don't load the kernel input module in Linux Containers
+  - name: 'module_imklog'
+    state: '{{ "comment"
+               if (ansible_virtualization_type in ["lxc", "docker", "openvz"])
+               else "ignore" }}'
+
+  - name: 'module_imudp'
+    raw: |
+      module(load="imudp")
+      input(type="imudp" port="514" ruleset="remote")
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "comment" }}'
+
+  - name: 'include_modules'
+    comment: 'Include *.input files in /etc/rsyslog.d/'
+    raw: |
+      $IncludeConfig /etc/rsyslog.d/*.input
+    state: 'present'
+    section: 'modules'
+
+  - name: 'default_permissions'
+    raw: |
+      $FileOwner {{ rsyslog__file_owner }}
+      $FileGroup {{ rsyslog__file_group }}
+      $FileCreateMode 0640
+      $DirCreateMode 0755
+      $Umask 0022
+      {% if rsyslog__unprivileged | bool %}
+      $PrivDropToUser {{ rsyslog__user }}
+      $PrivDropToGroup {{ rsyslog__group }}
+      {% endif %}
+    state: 'present'
+
+  - name: 'cron_facility'
+    state: 'present'
+
+  - name: 'include_templates'
+    comment: 'Include *.template files in /etc/rsyslog.d/'
+    raw: |
+      $IncludeConfig /etc/rsyslog.d/*.template
+    state: 'present'
+    section: 'global'
+    copy_id_from: 'default_template'
+
+  - name: 'include_outputs'
+    comment: 'Include *.output files in /etc/rsyslog.d/'
+    raw: |
+      $IncludeConfig /etc/rsyslog.d/*.output
+    state: 'present'
+    section: 'global'
+
+  - name: 'include_rules'
+    comment: 'Include *.ruleset files in /etc/rsyslog.d/'
+    raw: |
+      $IncludeConfig /etc/rsyslog.d/*.ruleset
+    state: 'present'
+    section: 'rules'
+
+  - name: 'include_remote_rules'
+    comment: 'Include *.remote files in /etc/rsyslog.d/'
+    raw: |
+      ruleset(name="remote") {
+        $IncludeConfig /etc/rsyslog.d/*.remote
+      }
+    section: 'rules'
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__configuration [[[
+#
+# The :command:`rsyslog` configuration options defined on all hosts in the
+# Ansible inventory.
+rsyslog__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__group_configuration [[[
+#
+# The :command:`rsyslog` configuration options defined on hosts in a specific
+# Ansible inventory group.
+rsyslog__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__host_configuration [[[
+#
+# The :command:`rsyslog` configuration options defined on specific hosts in the
+# Ansible inventory.
+rsyslog__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__combined_configuration [[[
+#
+# The variable which combines all other main configuration variables and is
+# used in the role tasks and templates.
+rsyslog__combined_configuration: '{{ rsyslog__original_configuration
+                                     + rsyslog__default_configuration
+                                     + rsyslog__configuration
+                                     + rsyslog__group_configuration
+                                     + rsyslog__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Main configuration sections [[[
+# -------------------------------
+
+# The variables below define the configuration sections inside the
+# :file:`/etc/rsyslog.conf` configuration file.
+# See :ref:`rsyslog__ref_configuration_sections` for more details.
+
+# .. envvar:: rsyslog__default_configuration_sections [[[
+#
+# The default configuration sections defined by the role.
+rsyslog__default_configuration_sections:
+
+  - name: 'modules'
+
+  - name: 'global'
+    title: 'Global directives'
+
+  - name: 'templates'
+    state: 'hidden'
+
+  - name: 'output'
+    title: 'Output channels'
+    state: 'hidden'
+
+  - name: 'rules'
+
+  - name: 'unknown'
+    title: 'Other options'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__configuration_sections [[[
+#
+# The configuration sections defined by the user.
+rsyslog__configuration_sections: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__combined_configuration_sections [[[
+#
+# The variable which combines all configuration sections variables and is used
+# in the role tasks and templates.
+rsyslog__combined_configuration_sections: '{{ rsyslog__default_configuration_sections
+                                              + rsyslog__configuration_sections }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Rsyslog configuration rules [[[
+# -------------------------------
+
+# .. envvar:: rsyslog__default_rules [[[
+#
+# List of YAML dictionaries, each dictionary should contain ``rsyslogd``
+# configuration in a special format. See :ref:`rsyslog__ref_rules` for more
+# details. This lis specifies default ``rsyslogd`` configuration enabled in the
+# role.
+rsyslog__default_rules:
+
+  - name: '00forward-logs.conf'
+    state: '{{ "present"
+               if (rsyslog__forward_enabled | bool and
+                   rsyslog__pki | bool)
+               else "absent" }}'
+    options:
+
+      - name: 'forward_logs_to_hosts'
+        comment: 'Forward logs to specified hosts'
+        raw: |-
+          {% for element in q("flattened", (rsyslog__default_forward
+                                            + rsyslog__forward
+                                            + rsyslog__group_forward
+                                            + rsyslog__host_forward)) %}
+          {{ element.selector | d("*.*") }} action(
+                type="omfwd"
+                target="{{ (element.target | d(element)) | regex_replace("\.$", "") }}"
+                port="{{ element.port | d('6514') }}"
+                protocol="{{ element.protocol | d('tcp') }}"
+                queue.type="{{ element.queue_type | d('linkedList') }}"
+                queue.size="{{ element.queue_size | d('10000') }}"
+                action.resumeRetryCount="{{ element.resume_retry_count | d('100') }}"
+                streamDriver="{{ element.netstream_driver | d(rsyslog__default_netstream_driver) }}"
+                streamDriverMode="{{ element.driver_mode | d(rsyslog__default_driver_mode) }}"
+                streamDriverAuthMode="{{ element.driver_authmode | d(rsyslog__default_driver_authmode) }}"
+          {% if element.driver_authmode | d(rsyslog__default_driver_authmode) != "anon" %}
+          {% if rsyslog__send_permitted_peers is string %}
+                streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers }}"
+          {% else %}
+                streamDriverPermittedPeers="{{ rsyslog__send_permitted_peers | first }}"
+          {% endif %}
+          {% endif %}
+              )
+          {% endfor %}
+        state: 'present'
+
+  - name: 'cron-session.conf'
+    comment: |
+      Redirect PAM session information for 'cron' entries to the cron log file,
+      to avoid filling up auth.log
+    raw: |
+      if ($msg contains "pam_unix(cron:session): session opened for user") then {
+        action(
+          type="omfile"
+          file="/var/log/cron.log"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+      {% if rsyslog__remote_enabled | bool %}
+        action(
+          type="omfile"
+          dynaFile="RemoteHostCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        action(
+          type="omfile"
+          dynaFile="RemoteServiceCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+      {% endif %}
+        stop
+      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
+        action(
+          type="omfile"
+          file="/var/log/cron.log"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+      {% if rsyslog__remote_enabled | bool %}
+        action(
+          type="omfile"
+          dynaFile="RemoteHostCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        action(
+          type="omfile"
+          dynaFile="RemoteServiceCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+      {% endif %}
+        stop
+      }
+    state: 'present'
+
+  - name: 'network.conf'
+    comment: 'Network and TLS configuration options'
+    raw: |-
+      global(
+        defaultNetstreamDriver="{{ rsyslog__default_netstream_driver }}"
+      {% if rsyslog__pki | bool %}
+        defaultNetstreamDriverCAFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_ca }}"
+        defaultNetstreamDriverCertFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_crt }}"
+        defaultNetstreamDriverKeyFile="{{ rsyslog__pki_path + '/' + rsyslog__pki_realm + '/' + rsyslog__pki_key }}"
+      {% endif %}
+      )
+    state: '{{ "present"
+               if (rsyslog__remote_enabled | bool or
+                   rsyslog__forward_enabled | bool)
+               else "absent" }}'
+
+  - name: 'remote.input'
+    state: '{{ "present"
+               if rsyslog__remote_enabled | bool
+               else "absent" }}'
+    options:
+
+      - name: 'tcp_plain_module'
+        comment: 'Enable plain TCP support'
+        raw: |-
+          module(
+            load="imptcp"
+          )
+        state: 'present'
+
+      - name: 'tcp_tls_module'
+        comment: 'Enable GnuTLS TCP support'
+        raw: |-
+          module(
+            load="imtcp"
+            streamDriver.name="gtls"
+            streamDriver.mode="1"
+            streamDriver.authMode="{{ rsyslog__default_driver_authmode }}"
+          {% if rsyslog__default_driver_authmode != "anon" %}
+          {% if rsyslog__permitted_peers is string %}
+            permittedPeer="{{ rsyslog__permitted_peers }}"
+          {% else %}
+            permittedPeer=["{{ rsyslog__permitted_peers | join('","') }}"]
+          {% endif %}
+          {% endif %}
+          )
+        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'
+
+      - name: 'tcp_plain_input'
+        comment: 'Enable plain TCP input'
+        raw: |-
+          input(
+              type="imptcp"
+              port="514"
+              ruleset="remote"
+          )
+        state: 'present'
+
+      - name: 'tcp_tls_input'
+        comment: 'Enable GnuTLS TCP input'
+        raw: |-
+          input(
+            type="imtcp"
+            port="6514"
+            ruleset="remote"
+          )
+        state: '{{ "present" if rsyslog__pki | bool else "absent" }}'
+
+  - name: '20-ufw.conf'
+    divert: True
+    divert_to: '65-ufw.conf'
+    state: '{{ rsyslog__deploy_state
+               if (ansible_distribution in ["Ubuntu"])
+               else "ignore" }}'
+
+  - name: '50-default.conf'
+    divert: True
+    state: '{{ "present"
+               if (ansible_distribution in ["Ubuntu"])
+               else "absent" }}'
+
+  - name: 'remote.template'
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+    options:
+
+      - name: 'remote_host_syslog'
+        comment: 'Remote host system logs'
+        raw: |-
+          template(
+            name="RemoteHostSyslog"
+            type="string"
+            string="/var/log/remote/hosts/%HOSTNAME%/syslog"
+          )
+        state: 'present'
+
+      - name: 'remote_host_auth_log'
+        comment: 'Remote host auth logs'
+        raw: |-
+          template(
+            name="RemoteHostAuthLog"
+            type="string"
+            string="/var/log/remote/hosts/%HOSTNAME%/auth.log"
+          )
+        state: 'present'
+
+      - name: 'remote_host_cron_log'
+        comment: 'Remote host cron logs'
+        raw: |-
+          template(
+            name="RemoteHostCronLog"
+            type="string"
+            string="/var/log/remote/hosts/%HOSTNAME%/cron.log"
+          )
+        state: 'present'
+
+      - name: 'remote_service_auth_log'
+        comment: 'Remote service auth logs'
+        raw: |-
+          template(
+            name="RemoteServiceAuthLog"
+            type="string"
+            string="/var/log/remote/services/auth/auth.log"
+          )
+        state: 'present'
+
+      - name: 'remote_service_cron_log'
+        comment: 'Remote service cron logs'
+        raw: |-
+          template(
+            name="RemoteServiceCronLog"
+            type="string"
+            string="/var/log/remote/services/cron/cron.log"
+          )
+        state: 'present'
+
+      - name: 'remote_service_mail_log'
+        comment: 'Remote service mail logs'
+        raw: |-
+          template(
+            name="RemoteServiceMailLog"
+            type="string"
+            string="/var/log/remote/services/mail/mail.log"
+          )
+        state: 'present'
+
+  - name: 'local-as-remote.ruleset'
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+    options:
+
+      - name: 'remote_log_copy'
+        comment: 'Copy of the local log files to complete remote logs'
+        raw: |-
+          auth,authpriv.*                ?RemoteHostAuthLog
+          auth,authpriv.*                ?RemoteServiceAuthLog
+          *.*;cron,auth,authpriv.none    -?RemoteHostSyslog
+          cron.*                         -?RemoteHostCronLog
+          cron.*                         -?RemoteServiceCronLog
+          mail.*                         -?RemoteServiceMailLog
+        state: 'present'
+
+  - name: 'cron-session.remote'
+    raw: |
+      if ($msg contains "pam_unix(cron:session): session opened for user") then {
+        action(
+          type="omfile"
+          dynaFile="RemoteHostCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        action(
+          type="omfile"
+          dynaFile="RemoteServiceCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        stop
+      } else if ($msg contains "pam_unix(cron:session): session closed for user") then {
+        action(
+          type="omfile"
+          dynaFile="RemoteHostCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        action(
+          type="omfile"
+          dynaFile="RemoteServiceCronLog"
+          fileOwner="{{ rsyslog__file_owner }}"
+          fileGroup="{{ rsyslog__file_group }}"
+          fileCreateMode="0640"
+          dirCreateMode="0755"
+        )
+        stop
+      }
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+
+  - name: '50-dynamic-logs.remote'
+    state: 'absent'
+
+  - name: 'ruleset.remote'
+    comment: 'Store remote logs in separate logfiles'
+    raw: |-
+      auth,authpriv.*                     ?RemoteHostAuthLog
+      auth,authpriv.*                     ?RemoteServiceAuthLog
+      *.*;cron,auth,authpriv.none         -?RemoteHostSyslog
+      cron.*                              -?RemoteHostCronLog
+      cron.*                              -?RemoteServiceCronLog
+      mail.*                              -?RemoteServiceMailLog
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+
+  - name: 'zz-stop.remote'
+    comment: |-
+      This is a workaround to support empty "remote" ruleset on
+      older versions of rsyslog package.
+      http://comments.gmane.org/gmane.comp.sysutils.rsyslog/15616
+    raw: |-
+      stop
+    state: '{{ "present" if rsyslog__remote_enabled | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__legacy_rules [[[
+#
+# These rules remove the old files that were used by previous
+# :ref:`debops.rsyslog` role implementations. This variable will be removed in
+# the future.
+rsyslog__legacy_rules:
+
+  - name: '00-global.conf'
+    state: 'absent'
+
+  - name: '05-common-defaults.conf'
+    state: 'absent'
+
+  - name: '10-local-modules.conf'
+    state: 'absent'
+
+  - name: '20-templates.conf'
+    state: 'absent'
+
+  - name: '40-cron.system'
+    state: 'absent'
+
+  - name: '50-default-rulesets.conf'
+    state: 'absent'
+
+  - name: '50-default.system'
+    state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__rules [[[
+#
+# List of YAML dictionaries, each dictionary should contain ``rsyslogd``
+# configuration in a special format. See :ref:`rsyslog__ref_rules` for more
+# details. This list should be used for configuration of all hosts in the
+# inventory.
+rsyslog__rules: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__group_rules [[[
+#
+# List of YAML dictionaries, each dictionary should contain ``rsyslogd``
+# configuration in a special format. See :ref:`rsyslog__ref_rules` for more
+# details. This list should be used for configuration of a group of hosts in
+# the inventory.
+rsyslog__group_rules: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__host_rules [[[
+#
+# List of YAML dictionaries, each dictionary should contain ``rsyslogd``
+# configuration in a special format. See :ref:`rsyslog__ref_rules` for more
+# details. This list should be used for configuration of specific hosts in the
+# inventory.
+rsyslog__host_rules: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__dependent_rules [[[
+#
+# List of YAML dictionaries, each dictionary should contain ``rsyslogd``
+# configuration in a special format. See :ref:`rsyslog__ref_rules` for more
+# details. This list should be used for configuration by other Ansible roles.
+rsyslog__dependent_rules: []
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__combined_rules [[[
+#
+# This variable combines all other rule variables and is used in the role tasks
+# and templates.
+rsyslog__combined_rules: '{{ rsyslog__default_rules
+                             + rsyslog__legacy_rules
+                             + rsyslog__rules
+                             + rsyslog__group_rules
+                             + rsyslog__host_rules
+                             + rsyslog__dependent_rules }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Log rotation [[[
+# ----------------
+
+# .. envvar:: rsyslog__rotation_period_system [[[
+#
+# How often to rotate local system logs
+rsyslog__rotation_period_system: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__rotation_count_system [[[
+#
+# How many old logfiles to keep for local system logs.
+rsyslog__rotation_count_system: '8'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__rotation_period_remote [[[
+#
+# How often to rotate remote logs.
+rsyslog__rotation_period_remote: 'weekly'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__rotation_count_remote [[[
+#
+# How many old logfiles to keep for remote logs.
+rsyslog__rotation_count_remote: '52'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: rsyslog__ferm__dependent_rules [[[
+#
+# Configuration for :ref:`debops.ferm` Ansible role.
+rsyslog__ferm__dependent_rules:
+
+  - name: 'syslog_udp_tcp'
+    type: 'accept'
+    dport: [ '514' ]
+    protocols: [ 'udp', 'tcp' ]
+    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
+    role: 'rsyslog'
+    accept_any: False
+    rule_state: '{{ "present"
+                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
+                        rsyslog__remote_enabled | bool)
+                    else "absent" }}'
+
+  - name: 'syslog-tls'
+    type: 'accept'
+    dport: [ 'syslog-tls' ]
+    saddr: '{{ rsyslog__allow + rsyslog__group_allow + rsyslog__host_allow }}'
+    role: 'rsyslog'
+    accept_any: False
+    rule_state: '{{ "present"
+                    if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
+                        rsyslog__remote_enabled | bool)
+                    else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__logrotate__dependent_config [[[
+#
+# Configuration for :ref:`debops.logrotate` Ansible role.
+rsyslog__logrotate__dependent_config:
+
+  - filename: '000rsyslog-unprivileged'
+    comment: 'The rsyslog daemon is run unprivileged'
+    options: |
+      su root {{ rsyslog__group }}
+    state: '{{ "present"
+                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
+                    rsyslog__unprivileged | bool)
+                else "absent" }}'
+
+  - filename: 'rsyslog'
+    divert: True
+    sections:
+
+      - logs: '/var/log/syslog'
+        options: |
+          rotate {{ rsyslog__rotation_count_system }}
+          {{ rsyslog__rotation_period_system }}
+          maxsize 1G
+          missingok
+          notifempty
+          delaycompress
+          compress
+        postrotate: |
+          {{ "invoke-rc.d rsyslog rotate > /dev/null"
+            if (ansible_distribution_release in
+                 (["stretch", "trusty"]))
+            else "/usr/lib/rsyslog/rsyslog-rotate" }}
+
+      - logs: '{{ (rsyslog__default_logfiles
+                   + rsyslog__logfiles)
+                  | difference(["/var/log/syslog"]) | sort }}'
+        options: |
+          rotate {{ rsyslog__rotation_count_system }}
+          {{ rsyslog__rotation_period_system }}
+          maxsize 1G
+          missingok
+          notifempty
+          compress
+          delaycompress
+          sharedscripts
+        postrotate: |
+          {{ "invoke-rc.d rsyslog rotate > /dev/null"
+            if (ansible_distribution_release in
+                 (["stretch", "trusty"]))
+            else "/usr/lib/rsyslog/rsyslog-rotate" }}
+    state: '{{ "present"
+                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent")
+                else "absent" }}'
+
+  - filename: 'rsyslog-remote'
+    logs: [ '/var/log/remote/*/*/syslog', '/var/log/remote/*/*/*.log' ]
+    options: |
+      rotate {{ rsyslog__rotation_count_remote }}
+      {{ rsyslog__rotation_period_remote }}
+      maxsize 1G
+      missingok
+      notifempty
+      compress
+      delaycompress
+      sharedscripts
+    postrotate: |
+      {{ "invoke-rc.d rsyslog rotate > /dev/null"
+        if (ansible_distribution_release in
+             (["stretch", "trusty"]))
+        else "/usr/lib/rsyslog/rsyslog-rotate" }}
+    state: '{{ "present"
+                if (rsyslog__enabled | bool and rsyslog__deploy_state != "absent" and
+                    rsyslog__remote_enabled | bool)
+                else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: rsyslog__dpkg_cleanup__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.dpkg_cleanup` Ansible role.
+rsyslog__dpkg_cleanup__dependent_packages:
+
+  - name: 'rsyslog'
+    revert_files:
+      - '/etc/rsyslog.conf'
+      - '/etc/logrotate.d/rsyslog'
+      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
+            | selectattr("divert", "defined") | list
+            | selectattr("divert", "equalto", True) | list
+            | map(attribute="name") | list
+            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'
+    remove_files:
+      - '/etc/logrotate.d/rsyslog-remote'
+      - '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
+            | selectattr("divert", "undefined") | list
+            | map(attribute="name") | list
+            | map("regex_replace", "^(.*)$", "/etc/rsyslog.d/\1") | list }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/rsyslog/meta/main.yml b/ansible_collections/debops/debops/roles/rsyslog/meta/main.yml
new file mode 100644
index 00000000..2c3d77e2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/meta/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage rsyslog configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - logging
+    - logs
+    - security
+    - audit
diff --git a/ansible_collections/debops/debops/roles/rsyslog/tasks/main.yml b/ansible_collections/debops/debops/roles/rsyslog/tasks/main.yml
new file mode 100644
index 00000000..9aaf9bbe
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/tasks/main.yml
@@ -0,0 +1,169 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Manage rsyslog APT packages
+  ansible.builtin.apt:
+    name: '{{ (rsyslog__base_packages
+               + (rsyslog__tls_packages if (rsyslog__pki | bool) else [])
+               + rsyslog__packages) | flatten }}'
+    state: '{{ rsyslog__deploy_state }}'
+    purge: True
+  register: rsyslog__register_packages
+  until: rsyslog__register_packages is succeeded
+  when: rsyslog__enabled | bool and ansible_pkg_mgr == 'apt'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Save rsyslog local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rsyslog.fact.j2'
+    dest: '/etc/ansible/facts.d/rsyslog.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create required system group
+  ansible.builtin.group:
+    name: '{{ rsyslog__group }}'
+    state: 'present'
+    system: True
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__group != 'root'
+
+- name: Create required system user
+  ansible.builtin.user:
+    name: '{{ rsyslog__user }}'
+    group: '{{ rsyslog__group }}'
+    groups: '{{ rsyslog__append_groups | join(",") | default(omit) }}'
+    append: True
+    home: '{{ rsyslog__home }}'
+    shell: '/bin/false'
+    state: 'present'
+    createhome: False
+    system: True
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__user != 'root'
+
+- name: Fix directory permissions if needed
+  ansible.builtin.file:
+    path: '/var/spool/rsyslog'
+    owner: '{{ rsyslog__user }}'
+    group: '{{ rsyslog__file_group }}'
+    mode: '0700'
+  register: rsyslog__register_unprivileged_files
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__user != 'root'
+
+- name: Update directory and file permissions
+  ansible.builtin.shell: |
+    [ ! -d {{ rsyslog__home }} ] \
+      || ( [ "$(stat -c '%G' {{ rsyslog__home }})" = "{{ rsyslog__group }}" ] \
+             || chown -v root:{{ rsyslog__group }} {{ rsyslog__home }} ; \
+           [ "$(stat -c '%a' {{ rsyslog__home }})" = "775" ] \
+             || chmod -v 775 {{ rsyslog__home }} )
+    for i in {{ rsyslog__default_logfiles | join(" ") }} ; do
+      [ ! -f ${i} ] || \
+        ( [ "$(stat -c '%U' ${i})" = "{{ rsyslog__file_owner }}" ] \
+        || chown -v {{ rsyslog__file_owner }}:{{ rsyslog__file_group }} ${i} )
+    done
+  register: rsyslog__register_file_permissions
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool
+  changed_when: rsyslog__register_file_permissions.stdout | d()
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Create systemd-tmpfiles override
+  ansible.builtin.copy:
+    dest: '/etc/tmpfiles.d/rsyslog-var-log.conf'
+    mode: '0755'
+    content: 'z {{ rsyslog__home }} 0775 root {{ rsyslog__group }} -'
+  notify: [ 'Create temporary files' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        ansible_service_mgr == "systemd" and rsyslog__unprivileged | bool and
+        ansible_distribution == "Debian"
+
+- name: Divert main rsyslog configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/rsyslog.conf'
+    state: 'present'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        ansible_pkg_mgr == 'apt'
+
+- name: Generate main rsyslog configuration
+  ansible.builtin.template:
+    src: 'etc/rsyslog.conf.j2'
+    dest: '/etc/rsyslog.conf'
+    mode: '0644'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Manage configuration file diversions
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/rsyslog.d/" + (item.divert_to | d(item.name)) }}'
+    state: '{{ "present"
+               if (item.state | d("present") not in ["absent", "ignore", "init"])
+               else "absent" }}'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
+            | selectattr("divert", "defined") | list
+            | selectattr("divert", "equalto", True) | list }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Generate rsyslog configuration rules
+  ansible.builtin.template:
+    src: 'etc/rsyslog.d/template.conf.j2'
+    dest: '{{ "/etc/rsyslog.d/" + item.name }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0644") }}'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  when: (rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+         item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.options | d() or item.raw | d()))
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Remove custom config files when requested
+  ansible.builtin.file:
+    path: '{{ "/etc/rsyslog.d/" + item.name }}'
+    state: 'absent'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  when: (rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+         (item.divert is undefined or not item.divert | bool) and
+         item.state | d('present') == 'absent')
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ rsyslog__dpkg_cleanup__dependent_packages }}'
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::rsyslog:dpkg_cleanup' ]
diff --git a/ansible_collections/debops/debops/roles/rsyslog/templates/etc/ansible/facts.d/rsyslog.fact.j2 b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/ansible/facts.d/rsyslog.fact.j2
new file mode 100644
index 00000000..35935198
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/ansible/facts.d/rsyslog.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('rsyslogd')}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["rsyslogd", "-v"]
+            ).decode('utf-8').strip()
+    for line in version_stdout.split('\n'):
+        if line.lower().startswith('rsyslogd '):
+            output['version'] = line.split()[1].rstrip(',')
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.conf.j2 b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.conf.j2
new file mode 100644
index 00000000..4c2b77d2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.conf.j2
@@ -0,0 +1,49 @@
+{# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+{% for section in rsyslog__combined_configuration_sections | debops.debops.parse_kv_config %}
+{%   if section.name | d() and section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set section_config = (rsyslog__combined_configuration | debops.debops.parse_kv_config
+                             | selectattr("section", "equalto", section.name) | list) %}
+{%     if section_config | d() %}
+{%       if section.state != 'hidden' %}
+{%         if ('present' in (section_config | map(attribute='state') | list)) %}
+{%           set section_title = (' ' + ((section.title | d(section.name)) | upper) + ' ') %}
+{%           set section_width = section_title | length + 8 %}
+{{           '' }}
+{{           '' }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           ("{:#^" + section_width | string + "}").format(section_title) }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           '' }}
+{%         endif %}
+{%       else %}
+{{         '' }}
+{%       endif %}
+{%       for element in section_config %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%           if element.comment | d() %}
+{%             if not loop.first %}
+{{               '' }}
+{%             endif %}
+{{             element.comment | regex_replace('\n$', '') | comment }}
+{%           endif %}
+{%           if element.raw | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%             else %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.d/template.conf.j2 b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.d/template.conf.j2
new file mode 100644
index 00000000..a2ae0b40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.d/template.conf.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment }}
+{% endif %}
+{% if item.raw | d() %}
+{%   if item.state | d('present') == 'comment' %}
+{{     '{}'.format(item.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%   else %}
+{{     '{}'.format(item.raw | regex_replace('\n$', '')) }}
+{%   endif %}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%       if element.comment | d() %}
+{%         if not loop.first %}
+
+{%         endif %}
+{{         element.comment | regex_replace('\n$', '') | comment }}
+{%       endif %}
+{%       if element.state | d('present') == 'comment' %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%       else %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/ruby/COPYRIGHT b/ansible_collections/debops/debops/roles/ruby/COPYRIGHT
new file mode 100644
index 00000000..972f7b2d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ruby/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.ruby - Manage Ruby environment with Ansible
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/ruby/defaults/main.yml b/ansible_collections/debops/debops/roles/ruby/defaults/main.yml
new file mode 100644
index 00000000..102ce016
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ruby/defaults/main.yml
@@ -0,0 +1,155 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _ruby__ref_defaults:
+
+# debops.ruby default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Ruby APT packages [[[
+# ---------------------
+
+# .. envvar:: ruby__base_packages [[[
+#
+# List of base APT packages to install.
+ruby__base_packages: [ 'ruby', 'libruby', 'rubygems-integration',
+                       'ruby-bundler' ]
+
+                                                                   # ]]]
+# .. envvar:: ruby__dev_packages [[[
+#
+# List of development packages to install, which are required to compile native
+# Ruby extensions. They will be installed if any Ruby gems are requested using
+# the default lists.
+ruby__dev_packages: '{{ ["ruby-dev", "build-essential"]
+	                if (ruby__dev_support | bool or
+	                    ruby__gems or ruby__group_gems or
+	                    ruby__host_gems or ruby__dependent_gems or
+	                    ruby__user_gems or ruby__group_user_gems or
+	                    ruby__host_user_gems or ruby__dependent_user_gems)
+	                else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: ruby__dev_support [[[
+#
+# By default ``debops.ruby`` installs only the base Ruby packages, unless any
+# Ruby gems are requested. If this variable is set to ``True``, the role will
+# install the build environment automatically without any gems set. This can be
+# used by other roles to request the development packages ahead of time.
+ruby__dev_support: False
+
+                                                                   # ]]]
+# .. envvar:: ruby__packages [[[
+#
+# List of APT packages to install for all hosts in the Ansible inventory.
+ruby__packages: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__group_packages [[[
+#
+# List of APT packages to install on a group of hosts in the Ansible inventory.
+ruby__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__host_packages [[[
+#
+# List of APT packages to install on specific hosts in the Ansible inventory.
+ruby__host_packages: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__dependent_packages [[[
+#
+# List of APT packages to install specified by other roles via dependency
+# variables.
+ruby__dependent_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Ruby gems [[[
+# -------------
+
+# You can specify a list of Ruby gems to install on a host. Each entry in the
+# list is either a gem name, or a YAML dictionary with parameters known by the
+# ``gem`` Ansible module. All specified gems will be installed system-wide.
+#
+# If any gems are specified, role will install additional APT packages required
+# to build native extensions. List of these packages is specified in
+# :envvar:`ruby__dev_packages` variable.
+#
+# See :ref:`ruby__ref_gems` for more details.
+
+# .. envvar:: ruby__gems [[[
+#
+# List of gems that should be installed on all hosts in Ansible inventory.
+ruby__gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__group_gems [[[
+#
+# List of gems that should be installed on a group of hosts in Ansible
+# inventory.
+ruby__group_gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__host_gems [[[
+#
+# List of gems that should be installed on a specific host in Ansible
+# inventory.
+ruby__host_gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__dependent_gems [[[
+#
+# List of gems configured by other Ansible role via role dependency variables.
+ruby__dependent_gems: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Ruby user gems [[[
+# ------------------
+
+# You can specify a list of Ruby gems to install on a host on an user account.
+# Each entry in the list a YAML dictionary with parameters known by the ``gem``
+# Ansible module. All gems will be installed on a specified user account.
+#
+# If any gems are specified, role will install additional APT packages required
+# to build native extensions. List of these packages is specified in
+# :envvar:`ruby__dev_packages` variable.
+#
+# See :ref:`ruby__ref_user_gems` for more details.
+
+# .. envvar:: ruby__user_gems [[[
+#
+# List of gems that should be installed on all hosts in Ansible inventory.
+ruby__user_gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__group_user_gems [[[
+#
+# List of gems that should be installed on a group of hosts in Ansible
+# inventory.
+ruby__group_user_gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__host_user_gems [[[
+#
+# List of gems that should be installed on a specific host in Ansible
+# inventory.
+ruby__host_user_gems: []
+
+                                                                   # ]]]
+# .. envvar:: ruby__dependent_user_gems [[[
+#
+# List of gems configured by other Ansible role via role dependency variables.
+ruby__dependent_user_gems: []
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/ruby/meta/main.yml b/ansible_collections/debops/debops/roles/ruby/meta/main.yml
new file mode 100644
index 00000000..e797efe9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ruby/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install Ruby packages and gems'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - development
+    - programming
+    - ruby
+    - gems
diff --git a/ansible_collections/debops/debops/roles/ruby/tasks/main.yml b/ansible_collections/debops/debops/roles/ruby/tasks/main.yml
new file mode 100644
index 00000000..29d84a3f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/ruby/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install Ruby packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (ruby__base_packages
+                              + ruby__dev_packages
+                              + ruby__packages
+                              + ruby__group_packages
+                              + ruby__host_packages
+                              + ruby__dependent_packages)) }}'
+    state: 'present'
+  register: ruby__register_packages
+  until: ruby__register_packages is succeeded
+
+- name: Install Ruby gems
+  community.general.gem:
+    name:                 '{{ item.name if item.name | d() else item }}'
+    state:                '{{ item.state | d("present") }}'
+    user_install:         '{{ item.user_install | d(False) }}'
+    version:              '{{ item.version | d(omit) }}'
+    repository:           '{{ item.repository | d(omit) }}'
+    include_doc:          '{{ item.include_doc | d(omit) }}'
+    build_flags:          '{{ item.build_flags | d(omit) }}'
+    executable:           '{{ item.executable | d(omit) }}'
+    include_dependencies: '{{ item.include_dependencies | d(omit) }}'
+  loop: '{{ q("flattened", ruby__gems
+                           + ruby__group_gems
+                           + ruby__host_gems
+                           + ruby__dependent_gems) }}'
+
+- name: Make sure that required groups exist
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.owner) }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", ruby__user_gems
+                           + ruby__group_user_gems
+                           + ruby__host_user_gems
+                           + ruby__dependent_user_gems) }}'
+  when: (item.group | d() or item.owner | d())
+
+- name: Make sure that required users exist
+  ansible.builtin.user:
+    name: '{{ item.owner }}'
+    group: '{{ item.group | d(item.owner) }}'
+    home: '{{ item.home | d((ansible_local.fhs.home | d("/var/local"))
+                            + "/" + item.owner) }}'
+    system: '{{ (item.system | d(True)) | bool }}'
+    state: 'present'
+  loop: '{{ q("flattened", ruby__user_gems
+                           + ruby__group_user_gems
+                           + ruby__host_user_gems
+                           + ruby__dependent_user_gems) }}'
+  when: item.owner | d()
+
+- name: Install Ruby user gems
+  community.general.gem:
+    name:                 '{{ item.name }}'
+    state:                '{{ item.state | d("present") }}'
+    user_install:         '{{ item.user_install | d(True) }}'
+    version:              '{{ item.version | d(omit) }}'
+    repository:           '{{ item.repository | d(omit) }}'
+    include_doc:          '{{ item.include_doc | d(omit) }}'
+    build_flags:          '{{ item.build_flags | d(omit) }}'
+    executable:           '{{ item.executable | d(omit) }}'
+    include_dependencies: '{{ item.include_dependencies | d(omit) }}'
+  loop: '{{ q("flattened", ruby__user_gems
+                           + ruby__group_user_gems
+                           + ruby__host_user_gems
+                           + ruby__dependent_user_gems) }}'
+  become: True
+  become_user: '{{ item.user | d(item.owner) }}'
+  when: (item.user | d() or item.owner | d())
diff --git a/ansible_collections/debops/debops/roles/salt/COPYRIGHT b/ansible_collections/debops/debops/roles/salt/COPYRIGHT
new file mode 100644
index 00000000..b30fee50
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/salt/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.salt - Manage Salt Master service using Ansible
+
+Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/salt/defaults/main.yml b/ansible_collections/debops/debops/roles/salt/defaults/main.yml
new file mode 100644
index 00000000..01fa00e2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/salt/defaults/main.yml
@@ -0,0 +1,203 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _salt__ref_defaults:
+
+# debops.salt default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Upstream configuration [[[
+# --------------------------
+
+# .. envvar:: salt__upstream [[[
+#
+# Enable or disable upstream APT repository.
+salt__upstream: '{{ True
+                    if (ansible_distribution_release in ["trusty"])
+                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: salt__upstream_branch [[[
+#
+# Specify the SaltStack "branch" to install from upstream APT repository.
+# See https://repo.saltstack.com/#debian for more details about available
+# upstream branches.
+salt__upstream_branch: 'latest'
+
+                                                                   # ]]]
+# .. envvar:: salt__upstream_arch_map [[[
+#
+# A YAML dictionary that maps the ``ansible_architecture`` variable with its
+# corresponding processor architecture used in the SaltStack repository URLs.
+salt__upstream_arch_map:
+  'x86_64': 'amd64'
+  'armhf':  'armhf'
+
+                                                                   # ]]]
+# .. envvar:: salt__upstream_apt_key_id [[[
+#
+# Specify the upstream APT repository GPG key id to configure.
+salt__upstream_apt_key_id: '754A1A7AE731F165D5E6D4BD0E08A149DE57BFBE'
+
+                                                                   # ]]]
+# .. envvar:: salt__upstream_apt_repo_map [[[
+#
+# A YAML dictionary that defines the upstream APT repository URLs depending on
+# the current OS distribution, release and processor architecture.
+salt__upstream_apt_repo_map:
+  Debian: '{{ "deb http://repo.saltstack.com/apt/debian/"
+              + ansible_distribution_major_version + "/" + salt__upstream_arch_map[ansible_architecture]
+              + "/" + salt__upstream_branch + " " + ansible_distribution_release + " main" }}'
+  Ubuntu: '{{ "deb http://repo.saltstack.com/apt/ubuntu/"
+              + ansible_distribution_version + "/" + salt__upstream_arch_map[ansible_architecture]
+              + "/" + salt__upstream_branch + " " + ansible_distribution_release + " main" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: salt__base_packages [[[
+#
+# List of base APT packages to install for Salt Master service.
+salt__base_packages: [ 'salt-master' ]
+
+                                                                   # ]]]
+# .. envvar:: salt__packages [[[
+#
+# List of additional APT packages to install with Salt Master.
+salt__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: salt__allow [[[
+#
+# List of IP addresses or CIDR subnets that can connect to the Salt Master
+# service. If the list is empty, any host is allowed to connect.
+salt__allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Salt Master configuration [[[
+# -----------------------------
+
+# .. envvar:: salt__configuration [[[
+#
+# Enable or disable configuration of Salt Master by Ansible.
+salt__configuration: True
+
+                                                                   # ]]]
+# .. envvar:: salt__configuration_file [[[
+#
+# Absolute path of the Salt Master configuration file which will be managed by
+# Ansible.
+salt__configuration_file: '/etc/salt/master.d/ansible.conf'
+                                                                   # ]]]
+                                                                   # ]]]
+# Salt configuration options [[[
+# ------------------------------
+
+# .. envvar:: salt__interface [[[
+#
+# Specify the network interface the Salt Master will listen on for connections,
+# using an IP address specification.
+salt__interface: '{{ "::" if salt__ipv6 | bool else "0.0.0.0" }}'
+
+                                                                   # ]]]
+# .. envvar:: salt__ipv6 [[[
+#
+# Enable/disable IPv6 support in Salt Master.
+salt__ipv6: True
+
+                                                                   # ]]]
+# .. envvar:: salt__publish_port [[[
+#
+# The network port to set up the publication interface.
+salt__publish_port: '4505'
+
+                                                                   # ]]]
+# .. envvar:: salt__return_port [[[
+#
+# The port used by the return server, this is the server used by Salt to
+# receive execution returns and command executions.
+salt__return_port: '4506'
+
+                                                                   # ]]]
+# .. envvar:: salt__worker_threads [[[
+#
+# Number of Salt Master workers to run.
+salt__worker_threads: '{{ ansible_processor_vcpus }}'
+
+                                                                   # ]]]
+# .. envvar:: salt__custom_options [[[
+#
+# Additional Salt Master options in YAML text block format.
+salt__custom_options: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: salt__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+salt__keyring__dependent_apt_keys:
+
+  - id: '{{ salt__upstream_apt_key_id }}'
+    repo: '{{ salt__upstream_apt_repo_map[ansible_distribution] }}'
+    state: '{{ "present" if salt__upstream | bool else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: salt__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+salt__python__dependent_packages3:
+
+  - 'python3-tornado'
+
+                                                                   # ]]]
+# .. envvar:: salt__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+salt__python__dependent_packages2:
+
+  - 'python-tornado'
+
+                                                                   # ]]]
+# .. envvar:: salt__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+salt__etc_services__dependent_list:
+
+  - name: 'salt-publish'
+    port: '{{ salt__publish_port }}'
+    comment: 'Salt Master (publish)'
+
+  - name: 'salt-return'
+    port: '{{ salt__return_port }}'
+    comment: 'Salt Master (return)'
+
+                                                                   # ]]]
+# .. envvar:: salt__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+salt__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'salt-publish', 'salt-return' ]
+    saddr: '{{ salt__allow }}'
+    accept_any: True
+    name: 'salt_accept'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/salt/meta/main.yml b/ansible_collections/debops/debops/roles/salt/meta/main.yml
new file mode 100644
index 00000000..97c1536e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/salt/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Salt Master service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - saltstack
+    - configuration
diff --git a/ansible_collections/debops/debops/roles/salt/tasks/main.yml b/ansible_collections/debops/debops/roles/salt/tasks/main.yml
new file mode 100644
index 00000000..12ec97ac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/salt/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install Salt Master packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (salt__base_packages
+                              + salt__packages)) }}'
+    state: 'present'
+  register: salt__register_packages
+  until: salt__register_packages is succeeded
+
+- name: Configure Salt Master using Ansible
+  ansible.builtin.template:
+    src: 'etc/salt/master.d/ansible.conf.j2'
+    dest: '{{ salt__configuration_file }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart salt-master' ]
+  when: salt__configuration | bool
+
+- name: Remove Salt Master configuration file if disabled
+  ansible.builtin.file:
+    path: '{{ salt__configuration_file }}'
+    state: 'absent'
+  notify: [ 'Restart salt-master' ]
+  when: not salt__configuration | bool
diff --git a/ansible_collections/debops/debops/roles/salt/templates/etc/salt/master.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/salt/templates/etc/salt/master.d/ansible.conf.j2
new file mode 100644
index 00000000..8479bab4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/salt/templates/etc/salt/master.d/ansible.conf.j2
@@ -0,0 +1,29 @@
+{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# The address of the interface to bind to
+interface: '{{ salt__interface }}'
+
+# Whether the master should listen for IPv6 connections. If this is set to True,
+# the interface option must be adjusted too (for example: "interface: '::'")
+ipv6: {{ salt__ipv6 | bool }}
+
+# The TCP port used by the publisher
+publish_port: {{ salt__publish_port }}
+
+# The number of worker threads to start, these threads are used to manage
+# return calls made from minions to the master, if the master seems to be
+# running slowly, increase the number of threads
+worker_threads: {{ salt__worker_threads }}
+
+# The port used by the communication interface. The ret (return) port is the
+# interface used for the file server, authentication, job returns, etc.
+ret_port: {{ salt__return_port }}
+
+{% if salt__options | d() %}
+# Custom Salt Master options
+{{ salt__custom_options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/samba/COPYRIGHT b/ansible_collections/debops/debops/roles/samba/COPYRIGHT
new file mode 100644
index 00000000..224b7d82
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.samba - Manage Samba service using Ansible
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/samba/defaults/main.yml b/ansible_collections/debops/debops/roles/samba/defaults/main.yml
new file mode 100644
index 00000000..427f0afb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/defaults/main.yml
@@ -0,0 +1,266 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _samba__ref_defaults:
+
+# debops.samba default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: samba__base_packages [[[
+#
+# List of base packages to install.
+# In case you only want to prepare the host for being a Samba client, remove
+# the ``samba`` package from the list. This might be required because
+# applications like ownCloud depend on the :command:`smbclient` which gets things like
+# workgroup from the file :file:`/etc/samba/smb.conf`.
+samba__base_packages:
+  - 'samba'
+  - 'samba-common'
+  - 'samba-common-bin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall configuration [[[
+# --------------------------
+
+# .. envvar:: samba__allow [[[
+#
+# Allow access to Samba through firewall for specified networks.
+# If this variable is undefined or ``False``, allow access from everywhere.
+samba__allow: []
+
+                                                                   # ]]]
+# .. envvar:: samba__kernel_modules_load [[[
+#
+# Use the kernel module
+samba__kernel_modules_load: True
+
+                                                                   # ]]]
+# .. envvar:: samba__kernel_modules [[[
+#
+# Kernel modules to load for optimal operation of Samba.
+samba__kernel_modules:
+  - 'nf_conntrack_netbios_ns'
+                                                                   # ]]]
+                                                                   # ]]]
+# Global Samba options [[[
+# ------------------------
+
+# .. envvar:: samba__workgroup [[[
+#
+# This controls what workgroup your server will appear to be in when queried by
+# clients. Note that this parameter also controls the Domain name used with the::
+#
+#    samba__security: 'domain'
+#
+# setting.
+samba__workgroup: 'WORKGROUP'
+
+                                                                   # ]]]
+# .. envvar:: samba__security [[[
+#
+# This option affects how clients respond to Samba and is one of the most
+# important settings in the :file:`/etc/samba/smb.conf` file.
+samba__security: 'user'
+
+                                                                   # ]]]
+# .. envvar:: samba__netbios_name [[[
+#
+# This sets the NetBIOS name by which a Samba server is known. By default it is
+# the same as the first component of the host's DNS name. If a machine is a
+# browse server or logon server this name (or the first component of the hosts
+# DNS name) will be the name that these services are advertised under.
+samba__netbios_name: '{{ ansible_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: samba__server_string [[[
+#
+# This controls what string will show up in the printer comment box in print
+# manager and next to the IPC connection in net view. It can be any string that
+# you wish to show to your users.
+# It also sets what will appear in browse lists next to the machine name.
+#
+# A ``%v`` will be replaced with the Samba version number.
+#
+# A ``%h`` will be replaced with the hostname.
+samba__server_string: '%h file server'
+
+                                                                   # ]]]
+# .. envvar:: samba__service_name [[[
+#
+# Name of the /etc/init.d/ service script
+samba__service_name: 'samba'
+
+                                                                   # ]]]
+# .. envvar:: samba__name_resolve_order [[[
+#
+# Resolve order of Samba.
+samba__name_resolve_order: 'lmhosts host wins bcast'
+
+                                                                   # ]]]
+# .. envvar:: samba__path [[[
+#
+# Base directory of home directories and shares.
+samba__path: '/srv/samba'
+
+                                                                   # ]]]
+# .. envvar:: samba__default_global [[[
+#
+# Default ``[global]`` configuration.
+samba__default_global:
+
+  # Browsing / Identification.
+  workgroup: '{{ samba__workgroup }}'
+  netbios_name: '{{ samba__netbios_name }}'
+  server_string: '{{ samba__server_string }}'
+
+  # Logs / Accounting.
+  log_file: '/var/log/samba/log.%m'
+  max_log_size: '1000'
+  syslog: '0'
+
+  # Authentication.
+  security: '{{ samba__security }}'
+  encrypt_passwords: 'yes'
+  passdb_backend: 'tdbsam'
+  unix_password_sync: 'no'
+  obey_pam_restrictions: 'yes'
+  invalid_users: 'root bin daemon adm sync shutdown halt mail news uucp proxy www-data backup sshd'
+  map_to_guest: 'never'
+  guest_account: 'nobody'
+
+  # File system / Directories.
+  unix_charset: 'UTF8'
+  locking: 'yes'
+  wide_links: 'no'
+  browsable: 'yes'
+  create_mask: '0660'
+  directory_mask: '0770'
+  dont_descend: './lost+found'
+  use_sendfile: 'yes'
+  hide_unreadable: 'yes'
+  hide_files: '/.*/lost+found/'
+
+  # Networking / Connections.
+  socket_options: 'TCP_NODELAY'
+  deadtime: '10'
+  wins_support: 'no'
+  dns_proxy: 'no'
+  name_resolve_order: '{{ samba__name_resolve_order }}'
+
+  # Disable printing by default.
+  printing: 'bsd'
+  load_printers: 'no'
+  printcap_name: '/dev/null'
+  show_add_printer_wizard: 'no'
+  disable_spoolss: 'yes'
+
+                                                                   # ]]]
+# .. envvar:: samba__global [[[
+#
+# Which hash variable is used to configure the ``[global]`` section in
+# :file:`/etc/samba/smb.conf`.
+samba__global: '{{ samba__default_global }}'
+
+                                                                   # ]]]
+# .. envvar:: samba__global_custom [[[
+#
+# You can specify additional options in a separate hash.
+samba__global_custom: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Home directories [[[
+# --------------------
+
+# .. envvar:: samba__homes_path [[[
+#
+# Location of home directories on the Samba server.
+samba__homes_path: '{{ samba__path }}/home'
+
+                                                                   # ]]]
+# .. envvar:: samba__homes [[[
+#
+# Which hash variable is used to configure the ``[homes]`` section in
+# :file:`/etc/samba/smb.conf`.
+samba__homes: '{{ samba__default_homes }}'
+
+                                                                   # ]]]
+# .. envvar:: samba__default_homes [[[
+#
+# Default ``[homes]`` section.
+samba__default_homes:
+  path: '{{ samba__homes_path }}/%S'
+  comment: 'Home Directory'
+  browsable: 'no'
+  read_only: 'no'
+  create_mask: '0600'
+  directory_mask: '0700'
+  valid_users: '%S'
+  guest_ok: 'no'
+  root_preexec: '/usr/local/sbin/samba-homedir.sh %S'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network shares [[[
+# ------------------
+
+# .. envvar:: samba__shares_path [[[
+#
+# Base directory for shares.
+samba__shares_path: '{{ samba__path }}/shares'
+
+                                                                   # ]]]
+# .. envvar:: samba__shares [[[
+#
+# Which hash of hashes is used to configure shares in
+# :file:`/etc/samba/smb.conf`.
+samba__shares: '{{ samba__default_shares }}'
+
+                                                                   # ]]]
+# .. envvar:: samba__default_shares [[[
+#
+# Hash of hashes of default shares.
+samba__default_shares:
+
+  'Public Files':
+    path: '{{ samba__shares_path }}/public'
+    comment: 'Public Files'
+    read_only: 'yes'
+    guest_ok: 'yes'
+                                                                   # ]]]
+                                                                   # ]]]
+# .. envvar:: samba__ferm__dependent_rules [[[
+#
+# Configuration for :command:`iptables` firewall managed by :program:`ferm`.
+samba__ferm__dependent_rules:
+
+  - type: 'accept'
+    protocol: [ 'udp' ]
+    dport: [ 'netbios-ns', 'netbios-dgm' ]
+    saddr: '{{ samba__allow }}'
+    accept_any: True
+    filename: 'samba__dependency_accept_udp'
+    delete: '{{ "samba" not in samba__base_packages }}'
+    weight: '50'
+
+  - type: 'accept'
+    protocol: [ 'tcp' ]
+    dport: [ 'netbios-ssn', 'microsoft-ds' ]
+    saddr: '{{ samba__allow }}'
+    accept_any: True
+    filename: 'samba__dependency_accept_tcp'
+    delete: '{{ "samba" not in samba__base_packages }}'
+    weight: '50'
+
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/samba/docs/examples.rst b/ansible_collections/debops/debops/roles/samba/docs/examples.rst
new file mode 100644
index 00000000..9d9cb6cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/docs/examples.rst
@@ -0,0 +1,28 @@
+.. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+.. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Examples
+========
+
+Add additional/custom options to smb.conf
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not every option of upstream Samba's smb.conf is available as role variable in debops.samba.
+So to specify these additional parameters you may add them to the hash `samba__global_custom`
+
+example of host_vars for enabling Windows style ACLs:
+
+    .. code:: shell
+
+    samba__global_custom:
+      vfs_objects: 'acl_xattr'
+      map_acl_inherit: 'yes'
+      store_dos_attributes: 'yes'
+
+    # above vfs_objects setting needs additional vfs-modules pkg installed
+    samba__base_packages:
+      - 'samba'
+      - 'samba-common'
+      - 'samba-common-bin'
+      - 'samba-vfs-modules'
diff --git a/ansible_collections/debops/debops/roles/samba/meta/main.yml b/ansible_collections/debops/debops/roles/samba/meta/main.yml
new file mode 100644
index 00000000..ccef4631
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Samba file sharing server.'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - networking
diff --git a/ansible_collections/debops/debops/roles/samba/tasks/main.yml b/ansible_collections/debops/debops/roles/samba/tasks/main.yml
new file mode 100644
index 00000000..62c193a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install Samba packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", samba__base_packages) }}'
+    state: 'present'
+  register: samba__register_packages
+  until: samba__register_packages is succeeded
+
+- name: Create root Samba directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0751'
+  loop: '{{ q("flattened", samba__path
+                           + samba__homes_path
+                           + samba__shares_path) }}'
+  when: ('samba' in samba__base_packages)
+
+- name: Setup samba-homedir.sh script
+  ansible.builtin.template:
+    src: 'usr/local/sbin/samba-homedir.sh.j2'
+    dest: '/usr/local/sbin/samba-homedir.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: ('samba' in samba__base_packages)
+
+- name: Configure Samba
+  ansible.builtin.template:
+    src: 'etc/samba/smb.conf.j2'
+    dest: '/etc/samba/smb.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check samba config' ]
+
+# Kernel modules [[[
+
+- name: Load kernel module specified by samba__kernel_modules
+  community.general.modprobe:
+    name: '{{ item }}'
+    state: 'present'
+  loop: '{{ q("flattened", samba__kernel_modules) }}'
+  when: (('samba' in samba__base_packages) and
+        (samba__kernel_modules_load | bool))
+
+- name: Ensure kernel modules are loaded on system boot
+  ansible.builtin.template:
+    src: 'etc/modules-load.d/ansible-samba.conf.j2'
+    dest: '/etc/modules-load.d/ansible-samba.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (('samba' in samba__base_packages) and
+        (samba__kernel_modules_load | bool))
+
+- name: Remove legacy entries from /etc/modules
+  ansible.builtin.lineinfile:
+    dest: '/etc/modules'
+    regexp: '^nf_conntrack_netbios_ns'
+    state: 'absent'
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/samba/templates/etc/modules-load.d/ansible-samba.conf.j2 b/ansible_collections/debops/debops/roles/samba/templates/etc/modules-load.d/ansible-samba.conf.j2
new file mode 100644
index 00000000..d5989606
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/templates/etc/modules-load.d/ansible-samba.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## {{ ansible_managed }}
+
+{% for module in samba__kernel_modules %}
+{{ module }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/samba/templates/etc/samba/smb.conf.j2 b/ansible_collections/debops/debops/roles/samba/templates/etc/samba/smb.conf.j2
new file mode 100644
index 00000000..fc03e5bb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/templates/etc/samba/smb.conf.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+{% macro print_hash(hash) %}
+{% for key, value in hash|dictsort %}
+	{{ "%-30s" | format(key) | replace("_"," ") }} = {{ value }}
+{% endfor %}
+{% endmacro %}
+{% macro print_section(hash, section='global') %}
+[{{ section }}]
+{{ print_hash(hash) }}
+{% endmacro %}
+
+[global]
+	# Default options
+{{ print_hash(hash=samba__global) }}
+{% if samba__global_custom is defined and samba__global_custom %}
+	# Custom options
+{{ print_hash(hash=samba__global_custom) }}
+{% endif %}
+{% if samba__homes is defined and samba__homes %}
+{{ print_section(hash=samba__homes, section='homes') }}
+{% endif %}
+{% if samba__shares is defined and samba__shares %}
+{% for share in samba__shares.keys() %}
+[{{ share }}]
+{{ print_hash(hash=samba__shares[share]) }}
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/samba/templates/usr/local/sbin/samba-homedir.sh.j2 b/ansible_collections/debops/debops/roles/samba/templates/usr/local/sbin/samba-homedir.sh.j2
new file mode 100755
index 00000000..b63ce194
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/samba/templates/usr/local/sbin/samba-homedir.sh.j2
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Automatically create Samba user's home directory
+# shellcheck disable=SC2174
+mkdir -m 700 -p "{{ samba__homes_path }}/${1}"
+chown "${1}":"${1}" "{{ samba__homes_path }}/${1}"
+
+exit 0
diff --git a/ansible_collections/debops/debops/roles/saslauthd/COPYRIGHT b/ansible_collections/debops/debops/roles/saslauthd/COPYRIGHT
new file mode 100644
index 00000000..8ad19b6c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.saslauthd - Manage Cyrus SASL authentication service using Ansible
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/saslauthd/defaults/main.yml b/ansible_collections/debops/debops/roles/saslauthd/defaults/main.yml
new file mode 100644
index 00000000..01111e16
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/defaults/main.yml
@@ -0,0 +1,384 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _saslauthd__ref_defaults:
+
+# debops.saslauthd default variables [[[
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global configuration [[[
+# ------------------------
+
+# .. envvar:: saslauthd__default_mechanism [[[
+#
+# The default authentication mechanism used by :command:`saslauthd` if none is
+# specified.
+saslauthd__default_mechanism: '{{ "ldap" if saslauthd__ldap_device_dn | d() else "pam" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: saslauthd__base_packages [[[
+#
+# List of base APT packages to install for SASL support.
+saslauthd__base_packages: [ 'sasl2-bin', 'libsasl2-modules' ]
+
+                                                                   # ]]]
+# .. envvar:: sslauthd__packages [[[
+#
+# List of additional APT packages to install with SASL support.
+saslauthd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of saslauthd instances [[[
+# ----------------------------------------
+
+# These variables define the instances of :command:`saslauthd` managed by this
+# role. See :ref:`saslauthd__ref_instances` for more details.
+
+# .. envvar:: saslauthd__default_instances [[[
+#
+# The list of default :command:`saslauthd` instances defined by the role.
+saslauthd__default_instances:
+
+  - name: 'smtpd'
+    group: 'postfix'
+    description: 'Postfix SASL Authentication Daemon'
+    config_path: '/etc/postfix/sasl/smtpd.conf'
+    config_group: 'postfix'
+    config_raw: |
+      pwcheck_method: saslauthd
+      mech_list: PLAIN LOGIN
+    socket_path: '/var/spool/postfix/var/run/saslauthd'
+    socket_group: 'postfix'
+    ldap_profile: 'smtpd'
+    state: '{{ "present"
+               if ((ansible_local | d() and ansible_local.postfix | d() and
+                    (ansible_local.postfix.installed | d()) | bool) or
+                   ("debops_service_postfix" in group_names))
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__instances [[[
+#
+# List of :command:`saslauthd` instances defined on all hosts in the Ansible
+# inventory.
+saslauthd__instances: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__group_instances [[[
+#
+# List of :command:`saslauthd` instances defined on hosts in specific Ansible
+# inventory group.
+saslauthd__group_instances: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__host_instances [[[
+#
+# List of :command:`saslauthd` instances defined on specific hosts in the
+# Ansible inventory.
+saslauthd__host_instances: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__dependent_instances [[[
+#
+# List of :command:`saslauthd` instances defined by other Ansible roles via
+# role dependent variables.
+saslauthd__dependent_instances: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__combined_instances [[[
+#
+# The combined list of instances passed to the Ansible tasks.
+saslauthd__combined_instances: '{{ q("flattened", (saslauthd__default_instances
+                                                  + saslauthd__instances
+                                                  + saslauthd__group_instances
+                                                  + saslauthd__host_instances
+                                                  + saslauthd__dependent_instances)) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: saslauthd__ldap_enabled [[[
+#
+# Enable or disable integration with the LDAP directory. The integration is
+# enabled automatically when the :ref:`debops.ldap` environment is configured
+# on the host.
+saslauthd__ldap_enabled: '{{ ansible_local.ldap.enabled
+                             if (ansible_local | d() and ansible_local.ldap | d() and
+                                 ansible_local.ldap.enabled is defined)
+                             else False }}'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, :file:`/etc/saslauthd.conf` configuration file will not be
+# generated.
+saslauthd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the :command:`saslauthd` service account
+# LDAP object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+saslauthd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# :command:`saslauthd` service to access the LDAP directory.
+saslauthd__ldap_self_rdn: 'uid=saslauthd'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`saslauthd` service to access the LDAP directory.
+saslauthd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`saslauthd` service to access the LDAP directory.
+saslauthd__ldap_self_attributes:
+  uid: '{{ saslauthd__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ saslauthd__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "saslauthd" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# :command:`saslauthd` service to bind to the LDAP directory.
+saslauthd__ldap_binddn: '{{ ([saslauthd__ldap_self_rdn] + saslauthd__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the :command:`saslauthd`
+# service to bind to the LDAP directory.
+saslauthd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                                    + saslauthd__ldap_binddn | to_uuid + ".password length=32"))
+                            if saslauthd__ldap_enabled | bool
+                            else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP profiles [[[
+# -----------------
+
+# The variables below define different "LDAP profiles" which can be used by
+# :command:`saslauthd` instances to bind to and interact with the LDAP
+# directory. See :ref:`saslauthd__ref_ldap_profiles` for more details.
+
+# .. envvar:: saslauthd__ldap_default_profiles [[[
+#
+# List of default LDAP profiles for the :command:`saslauthd` service defined by
+# the role.
+saslauthd__ldap_default_profiles:
+
+  - name: 'global'
+    state: '{{ "present" if saslauthd__ldap_device_dn | d() else "ignore" }}'
+    options:
+
+      - name: 'ldap_servers'
+        value: '{{ ansible_local.ldap.uri | d("") }}'
+
+      - name: 'ldap_bind_dn'
+        value: '{{ saslauthd__ldap_binddn }}'
+
+      - name: 'ldap_password'
+        value: '{{ saslauthd__ldap_bindpw }}'
+
+      - name: 'ldap_search_base'
+        value: '{{ (["ou=People"] + saslauthd__ldap_base_dn) | join(",") }}'
+
+      - name: 'ldap_filter'
+        value: '(&
+                  (objectClass=inetOrgPerson)
+                  (uid=%u)
+                )'
+
+      - name: 'ldap_scope'
+        value: 'sub'
+
+      - name: 'ldap_start_tls'
+        value: 'yes'
+
+      - name: 'ldap_tls_check_peer'
+        value: 'yes'
+
+      - name: 'ldap_tls_cacert_file'
+        value: '/etc/ssl/certs/ca-certificates.crt'
+
+  - name: 'slapd'
+    state: '{{ "present"
+               if (saslauthd__ldap_device_dn | d() and
+                   ((ansible_local | d() and ansible_local.slapd | d() and
+                     (ansible_local.slapd.installed | d()) | bool) or
+                    ("debops_service_slapd" in group_names)))
+               else "ignore" }}'
+    options:
+
+      - name: 'ldap_servers'
+        value: '{{ ansible_local.ldap.uri | d("") }}'
+
+      - name: 'ldap_bind_dn'
+        value: '{{ saslauthd__ldap_binddn }}'
+
+      - name: 'ldap_password'
+        value: '{{ saslauthd__ldap_bindpw }}'
+
+      - name: 'ldap_search_base'
+        value: '{{ saslauthd__ldap_base_dn | join(",") }}'
+
+      - name: 'ldap_filter'
+        value: '(|
+                  (&
+                    (objectClass=inetOrgPerson)
+                    (uid=%u)
+                  )
+                  (&
+                    (objectClass=account)
+                    (uid=%U)
+                    (host=%r)
+                  )
+                )'
+
+      - name: 'ldap_scope'
+        value: 'sub'
+
+      - name: 'ldap_start_tls'
+        value: 'yes'
+
+      - name: 'ldap_tls_check_peer'
+        value: 'yes'
+
+      - name: 'ldap_tls_cacert_file'
+        value: '/etc/ssl/certs/ca-certificates.crt'
+
+  - name: 'smtpd'
+    state: '{{ "present"
+               if (saslauthd__ldap_device_dn | d() and
+                   ((ansible_local | d() and ansible_local.postfix | d() and
+                     (ansible_local.postfix.installed | d()) | bool) or
+                    ("debops_service_postfix" in group_names)))
+               else "ignore" }}'
+    options:
+
+      - name: 'ldap_servers'
+        value: '{{ ansible_local.ldap.uri | d("") }}'
+
+      - name: 'ldap_bind_dn'
+        value: '{{ saslauthd__ldap_binddn }}'
+
+      - name: 'ldap_password'
+        value: '{{ saslauthd__ldap_bindpw }}'
+
+      - name: 'ldap_search_base'
+        value: '{{ saslauthd__ldap_base_dn | join(",") }}'
+
+      - name: 'ldap_filter'
+        value: '(|
+                  (&
+                    (objectClass=mailRecipient)
+                    (|
+                      (uid=%u)
+                      (mailAddress=%U@%r)
+                      (mailAlternateAddress=%U@%r)
+                    )
+                    (|
+                      (authorizedService=all)
+                      (authorizedService=mail:send)
+                    )
+                  )
+                  (&
+                    (objectClass=account)
+                    (uid=%U)
+                    (host=%r)
+                    (|
+                      (authorizedService=all)
+                      (authorizedService=mail:send)
+                    )
+                  )
+                )'
+
+      - name: 'ldap_scope'
+        value: 'sub'
+
+      - name: 'ldap_start_tls'
+        value: 'yes'
+
+      - name: 'ldap_tls_check_peer'
+        value: 'yes'
+
+      - name: 'ldap_tls_cacert_file'
+        value: '/etc/ssl/certs/ca-certificates.crt'
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_profiles [[[
+#
+# List of LDAP profiles for the :command:`saslauthd` service which should be
+# present on all hosts in the Ansible inventory.
+saslauthd__ldap_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_group_profiles [[[
+#
+# List of LDAP profiles for the :command:`saslauthd` service which should be
+# present on hosts in a specific Ansible inventory group.
+saslauthd__ldap_group_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_host_profiles [[[
+#
+# List of LDAP profiles for the :command:`saslauthd` service which should be
+# present on specific hosts in the Ansible inventory.
+saslauthd__ldap_host_profiles: []
+
+                                                                   # ]]]
+# .. envvar:: saslauthd__ldap_combined_profiles [[[
+#
+# Variable which combines all other LDAP profile lists and is used in the role
+# tasks and templates.
+saslauthd__ldap_combined_profiles: '{{ saslauthd__ldap_default_profiles
+                                       + saslauthd__ldap_profiles
+                                       + saslauthd__ldap_group_profiles
+                                       + saslauthd__ldap_host_profiles }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: saslauthdd__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+saslauthd__ldap__dependent_tasks:
+
+  - name: 'Create saslauthd account for {{ saslauthd__ldap_device_dn | join(",") }}'
+    dn: '{{ saslauthd__ldap_binddn }}'
+    objectClass: '{{ saslauthd__ldap_self_object_classes }}'
+    attributes: '{{ saslauthd__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present" if saslauthd__ldap_device_dn | d() else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/saslauthd/meta/main.yml b/ansible_collections/debops/debops/roles/saslauthd/meta/main.yml
new file mode 100644
index 00000000..3b38b213
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage Cyrus SASL authentication service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
+    - authentication
+    - smtp
+    - sasl
diff --git a/ansible_collections/debops/debops/roles/saslauthd/tasks/main.yml b/ansible_collections/debops/debops/roles/saslauthd/tasks/main.yml
new file mode 100644
index 00000000..e66dab7a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/tasks/main.yml
@@ -0,0 +1,166 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (saslauthd__base_packages
+                              + saslauthd__packages)) }}'
+    state: 'present'
+  register: saslauthd__register_packages
+  until: saslauthd__register_packages is succeeded
+
+- name: Stop saslauthd instance before removal
+  ansible.builtin.command: /etc/init.d/saslauthd stop-instance saslauthd-{{ item.name }}
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  register: saslauthd__register_stop_instance
+  changed_when: saslauthd__register_stop_instance.changed | bool
+  when: item.name | d() and item.socket_path | d() and
+        item.state | d('present') == 'absent'
+
+- name: Remove saslauthd instance if requested
+  ansible.builtin.file:
+    path: '/etc/default/saslauthd-{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.socket_path | d() and
+        item.state | d('present') == 'absent'
+
+- name: Generate saslauthd instance configuration
+  ansible.builtin.template:
+    src: 'etc/default/saslauthd.j2'
+    dest: '/etc/default/saslauthd-{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart saslauthd' ]
+  when: item.name | d() and item.socket_path | d() and
+        item.state | d('present') != 'absent'
+
+- name: Ensure that required UNIX groups exist
+  ansible.builtin.group:
+    name: '{{ item.group }}'
+    state: 'present'
+    system: '{{ (item.system | d(True)) | bool }}'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.group | d() and
+        item.state | d('present') != 'absent'
+
+- name: Create SASL config directory
+  ansible.builtin.file:
+    path: '{{ item.config_path | dirname }}'
+    state: 'directory'
+    owner: '{{ item.config_dir_owner | d("root") }}'
+    group: '{{ item.config_dir_group | d("root") }}'
+    mode: '{{ item.config_dir_mode | d("0755") }}'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.config_path | d() and
+        item.state | d('present') != 'absent'
+
+- name: Remove SASL instance configuration if requested
+  ansible.builtin.file:
+    path: '{{ item.config_path }}'
+    state: 'absent'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  notify: '{{ item.notify if item.notify | d() else omit }}'
+  when: item.name | d() and item.config_path | d() and
+        item.state | d('present') == 'absent'
+
+- name: Generate SASL instance configuration
+  ansible.builtin.template:
+    src: 'etc/instance.conf.j2'
+    dest: '{{ item.config_path }}'
+    owner: '{{ item.config_owner | d("root") }}'
+    group: '{{ item.config_group | d("sasl") }}'
+    mode: '{{ item.config_mode | d("0640") }}'
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  notify: '{{ item.notify if item.notify | d() else omit }}'
+  when: item.name | d() and item.config_path | d() and
+        item.state | d('present') != 'absent'
+
+- name: Remove SASL LDAP profiles if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/saslauthd.conf"
+              if (item.name == "global")
+              else "/etc/saslauthd-" + item.name + ".conf" }}'
+    state: 'absent'
+  with_items: '{{ saslauthd__ldap_combined_profiles | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate SASL LDAP profiles
+  ansible.builtin.template:
+    src: 'etc/saslauthd.conf.j2'
+    dest: '{{ "/etc/saslauthd.conf"
+              if (item.name == "global")
+              else "/etc/saslauthd-" + item.name + ".conf" }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("sasl") }}'
+    mode: '{{ item.mode | d("0640") }}'
+  with_items: '{{ saslauthd__ldap_combined_profiles | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart saslauthd' ]
+  when: item.name | d() and item.state | d('present') not in ['absent', 'ignore']
+
+- name: Get list of dpkg-stateoverride paths
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && dpkg-statoverride --list | awk '{print $4}'
+  args:
+    executable: 'bash'
+  register: saslauthd__register_statoverride
+  changed_when: False
+  check_mode: False
+
+- name: Remove a dpkg-statoverride entry if requested
+  ansible.builtin.command: dpkg-statoverride --remove {{ item.socket_path }}
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart saslauthd' ]
+  register: saslauthd__register_statoverride_remove
+  changed_when: saslauthd__register_statoverride_remove.changed | bool
+  when: item.name | d() and item.socket_path | d() and item.state | d('present') == 'absent' and
+        item.socket_path in saslauthd__register_statoverride.stdout_lines
+
+- name: Create a dpkg-statoverride entry
+  ansible.builtin.command: dpkg-statoverride --add
+           {{ item.socket_owner | d('root') }}
+           {{ item.socket_group | d('sasl') }}
+           {{ item.socket_mode | d('710') }}
+           {{ item.socket_path }}
+  with_items: '{{ saslauthd__combined_instances | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart saslauthd' ]
+  register: saslauthd__register_statoverride_add
+  changed_when: saslauthd__register_statoverride_add.changed | bool
+  when: item.name | d() and item.socket_path | d() and item.state | d('present') != 'absent' and
+        item.socket_path not in saslauthd__register_statoverride.stdout_lines
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save saslauthd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/saslauthd.fact.j2'
+    dest: '/etc/ansible/facts.d/saslauthd.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/saslauthd/templates/etc/ansible/facts.d/saslauthd.fact.j2 b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/ansible/facts.d/saslauthd.fact.j2
new file mode 100644
index 00000000..e3be6748
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/ansible/facts.d/saslauthd.fact.j2
@@ -0,0 +1,23 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+from glob import glob
+
+output = {'installed': True}
+instances = []
+
+for name in glob('/etc/default/saslauthd-*'):
+    instances.append(name.replace('/etc/default/saslauthd-', ''))
+
+output.update({'instances': instances})
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/saslauthd/templates/etc/default/saslauthd.j2 b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/default/saslauthd.j2
new file mode 100644
index 00000000..6e146cca
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/default/saslauthd.j2
@@ -0,0 +1,67 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START={{ 'yes' if ((item.start | d(True))  | bool) else 'no' }}
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="{{ item.desc | d(item.description | d(item.name | capitalize + ' SASL Authentication Daemon')) }}"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd-{{ item.name }}"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="{{ item.mech | d(item.mechanism | d(item.mechanisms | d(saslauthd__default_mechanism))) }}"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS="{{ item.mech_options | d('') }}"
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS={{ item.threads | d(ansible_processor_vcpus) }}
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+OPTIONS="{{ item.daemon_options | d('-c') + ' -m ' + item.socket_path + ((' -O /etc/saslauthd-' + item.ldap_profile + '.conf') if (item.ldap_profile | d('global') != 'global' and saslauthd__ldap_device_dn | d()) else '') }}"
diff --git a/ansible_collections/debops/debops/roles/saslauthd/templates/etc/instance.conf.j2 b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/instance.conf.j2
new file mode 100644
index 00000000..a4548a66
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/instance.conf.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# SASL configuration for: {{ item.name }}
+
+{% if item.config_raw | d() %}
+{{ item.config_raw }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/saslauthd/templates/etc/saslauthd.conf.j2 b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/saslauthd.conf.j2
new file mode 100644
index 00000000..8796ffa6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/saslauthd/templates/etc/saslauthd.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# SASL LDAP configuration for: {{ item.name }}
+
+{% if item.raw | d() %}
+{{ item.raw }}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.name | d() and element.value | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{{ "{}: {}".format(element.name, (element.value if element.value is string else (element.value | selectattr("state", "equalto", "present") | map(attribute="name") | list | join(" ")))) }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/secret/COPYRIGHT b/ansible_collections/debops/debops/roles/secret/COPYRIGHT
new file mode 100644
index 00000000..f9de9ead
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/secret/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.secret - Manage sensitive data in the filesystem
+
+Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/secret/defaults/main.yml b/ansible_collections/debops/debops/roles/secret/defaults/main.yml
new file mode 100644
index 00000000..cf55fc1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/secret/defaults/main.yml
@@ -0,0 +1,248 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _secret__ref_defaults:
+
+# debops.secret default variables [[[
+# ===================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Local storage of sensitive data [[[
+# -----------------------------------
+
+# .. envvar:: secret [[[
+#
+# Absolute path to directory with sensitive data. It will be configured as
+# relative to current inventory directory. Use this variable in file and
+# password lookups.
+secret: '{{ (secret__root + "/" + ((secret__levels + "/") if secret__levels else "") + secret__name) | realpath }}'  # noqa var-naming[no-role-prefix]
+
+                                                                   # ]]]
+# .. envvar:: secret__root [[[
+#
+# Path to a directory in which a relative secret directory will be created.
+# By default, it will be relative to Ansible inventory.
+secret__root: '{{ inventory_dir | realpath }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__name [[[
+#
+# Name of the directory which contains sensitive data.
+secret__name: 'secret'
+
+                                                                   # ]]]
+# .. envvar:: secret__levels [[[
+#
+# How many directory levels to add relative to secret_root, by default 1 level.
+# For example, to go 2 levels up, set this variable to ``../..``.
+secret__levels: '..'
+
+                                                                   # ]]]
+# .. envvar:: secret__directories [[[
+#
+# List of subdirectories which should be present in the :file:`secret/` directory.
+secret__directories: []
+
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP server admin access [[[
+# ----------------------------
+
+# The ``secret__ldap_*`` variables are used by ``ldap_*`` Ansible modules to
+# access LDAP server for the current domain with administrative privileges, by
+# binding to the admin account with specified bind DN and password. Because
+# these need to be provided with every task that uses ``ldap_*`` modules,
+# variables below are used as a convenient central location.
+
+# .. envvar:: secret__ldap_domain [[[
+#
+# Domain used for LDAP base DN and to select default LDAP server.
+secret__ldap_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_fqdn [[[
+#
+# LDAP server hostname / IP address which holds the database. ``ldap_*``
+# modules will connect to it natively, so it should be available at least from
+# the Ansible Controller.
+secret__ldap_fqdn: '{{ "ldap." + secret__ldap_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_server_uri [[[
+#
+# URI used in tasks to connect to LDAP server natively, it should be used in
+# ``ldap_attr`` and ``ldap_entry`` tasks.
+secret__ldap_server_uri: '{{ "ldap://" + secret__ldap_fqdn + "/" }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_start_tls [[[
+#
+# Enable or disable STARTTLS for encrypted communication with the LDAP server.
+# Should always be enabled.
+secret__ldap_start_tls: True
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_basedn [[[
+#
+# LDAP Base DN used for to create bind DN.
+secret__ldap_basedn: '{{ "dc=" + secret__ldap_domain.split(".") | join(",dc=") }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_bind_dn [[[
+#
+# LDAP administrator account.
+secret__ldap_bind_dn: '{{ "cn=admin," + secret__ldap_basedn }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_bind_pw [[[
+#
+# LDAP administrator password.
+secret__ldap_bind_pw: '{{ lookup("password", secret__ldap_admin_password) }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_admin_password [[[
+#
+# Path to a file in :file:`secret/` directory which stores password for specified
+# admin account on configured LDAP server. This file will be populated by
+# ``debops.slapd`` role if a server is configured with it.
+secret__ldap_admin_password: '{{ secret + "/ldap/" + secret__ldap_domain
+                                 + "/credentials/" + secret__ldap_fqdn + "/"
+                                 + secret__ldap_bind_dn + ".password" }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_delegate_to [[[
+#
+# Each LDAP administrative task should be delegated to either ``localhost``
+# (Ansible Controller), or to the LDAP server itself. This host will have
+# access to LDAP admin password, and requires installed ``python-ldap``
+# package.
+secret__ldap_delegate_to: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_become [[[
+#
+# Access through :command:`sudo` is not required on ``localhost``, but if LDAP tasks
+# are delegated to different hosts, it might be required there.
+secret__ldap_become: False
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_ou_groups_dn [[[
+#
+# Base DN for LDAP groups.
+secret__ldap_ou_groups_dn: '{{ "ou=Groups," + secret__ldap_basedn }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_ou_machines_dn [[[
+#
+# Base DN for LDAP machine accounts.
+secret__ldap_ou_machines_dn: '{{ "ou=Machines," + secret__ldap_basedn }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_ou_people_dn [[[
+#
+# Base DN for LDAP people accounts.
+secret__ldap_ou_people_dn: '{{ "ou=People," + secret__ldap_basedn }}'
+
+                                                                   # ]]]
+# .. envvar:: secret__ldap_ou_services_dn [[[
+#
+# Base DN for LDAP service accounts.
+secret__ldap_ou_services_dn: '{{ "ou=Services," + secret__ldap_basedn }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Old LDAP server admin access [[[
+# --------------------------------
+
+# The variables below are here to provide backwards compatibility with older
+# Ansible roles that haven't yet switched to the new LDAP variable naming
+# scheme. You should treat these variables as deprecated and switch to the new
+# ones. Keep in mind that the old and new variables currently might contain
+# different values therefore you should synchronize them using Ansible
+# inventory if necessary.
+
+# .. envvar:: secret_ldap_domain [[[
+#
+# Domain used for LDAP base DN and to select default LDAP server.
+secret_ldap_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_server [[[
+#
+# LDAP server hostname / IP address which holds the database. ``ldap_*``
+# modules will connect to it natively, so it should be available at least from
+# the Ansible Controller.
+secret_ldap_server: '{{ "ldap." + secret_ldap_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_server_uri [[[
+#
+# URI used in tasks to connect to LDAP server natively, it should be used in
+# ``ldap_attr`` and ``ldap_entry`` tasks.
+secret_ldap_server_uri: '{{ "ldap://" + secret_ldap_server + "/" }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_start_tls [[[
+#
+# Enable or disable STARTTLS for encrypted communication with the LDAP server.
+# Should always be enabled.
+secret_ldap_start_tls: True
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_basedn [[[
+#
+# LDAP Base DN used for to create bind DN.
+secret_ldap_basedn: '{{ "dc=" + secret_ldap_domain.split(".") | join(",dc=") }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_admin_bind_dn [[[
+#
+# LDAP administrator account.
+secret_ldap_admin_bind_dn: '{{ "cn=admin," + secret_ldap_basedn }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_admin_password [[[
+#
+# Path to a file in :file:`secret/` directory which stores password for specified
+# admin account on configured LDAP server. This file will be populated by
+# ``debops.slapd`` role if a server is configured with it.
+secret_ldap_admin_password: '{{ secret + "/ldap/" + ansible_domain + "/credentials/" + secret_ldap_server + "/" + secret_ldap_admin_bind_dn + ".password" }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_admin_bind_pw [[[
+#
+# LDAP administrator password.
+secret_ldap_admin_bind_pw: '{{ lookup("password", secret_ldap_admin_password) }}'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_delegate_to [[[
+#
+# Each LDAP administrative task should be delegated to either ``localhost``
+# (Ansible Controller), or to the LDAP server itself. This host will have
+# access to LDAP admin password, and requires installed ``python-ldap``
+# package.
+secret_ldap_delegate_to: 'localhost'
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_sudo [[[
+#
+# Access through :command:`sudo` is not required on ``localhost``, but if LDAP tasks
+# are delegated to different hosts, it might be required there.
+secret_ldap_sudo: False
+
+                                                                   # ]]]
+# .. envvar:: secret_ldap_services_dn [[[
+#
+# Base for LDAP service accounts. For example GitLab uses "cn=gitlab,"+ secret_ldap_services_dn.
+secret_ldap_services_dn: '{{ "ou=Services," + secret_ldap_basedn }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/secret/meta/main.yml b/ansible_collections/debops/debops/roles/secret/meta/main.yml
new file mode 100644
index 00000000..eb80ca3d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/secret/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage sensitive data in a separate directory relative to Ansible inventory'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  galaxy_tags:
+  - system
+  - secret
+  - password
+  - pki
+  - ldap
diff --git a/ansible_collections/debops/debops/roles/secret/tasks/main.yml b/ansible_collections/debops/debops/roles/secret/tasks/main.yml
new file mode 100644
index 00000000..eb7bdfaa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/secret/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+  # This task is needed for Ansible to correctly pass the 'secret' variable to
+  # other roles
+- name: Define variables used by Ansible roles
+  ansible.builtin.set_fact:
+    secret: '{{ secret }}'  # noqa var-naming[no-role-prefix]
+
+- name: Create secret directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ secret + "/" + item }}'
+    state: 'directory'
+    mode: '0755'
+  become: False
+  delegate_to: 'localhost'
+  loop: '{{ [secret__directories, secret_directories | d([])] | flatten }}'
+  when: (secret__directories or secret_directories | d()) and item
+  changed_when: False
diff --git a/ansible_collections/debops/debops/roles/sks/COPYRIGHT b/ansible_collections/debops/debops/roles/sks/COPYRIGHT
new file mode 100644
index 00000000..eb26ab28
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.sks - Install and configure SKS Keyserver
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sks/defaults/main.yml b/ansible_collections/debops/debops/roles/sks/defaults/main.yml
new file mode 100644
index 00000000..13ccc225
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/defaults/main.yml
@@ -0,0 +1,126 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sks__ref_defaults:
+
+# debops.sks default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# SKS configuration [[[
+# ---------------------
+
+# .. envvar:: sks_autoinit [[[
+#
+# Automatically create keyserver database? Database will be empty
+# If you want to seed the database with public GPG keys or connect to public
+# SKS Keyserver network, you should set this variable to "False" and seed the
+# database manually. See: http://keysigning.org/sks/
+sks_autoinit: False
+
+                                                                   # ]]]
+# .. envvar:: sks_contact [[[
+#
+# GPG fingerprint of server administrator
+sks_contact: ''
+
+                                                                   # ]]]
+# .. envvar:: sks_from [[[
+#
+# From header for outgoing mail
+sks_from: 'PGP Key Server <pgp-public-keys@{{ ansible_fqdn }}>'
+
+                                                                   # ]]]
+# .. envvar:: sks_domain [[[
+#
+# DNS domain on which SKS frontend webserver should be configured
+sks_domain: [ 'keyserver.{{ ansible_domain }}' ]
+
+                                                                   # ]]]
+# .. envvar:: sks_cluster [[[
+#
+# Ansible group of hosts which are included in SKS cluster
+sks_cluster: '{{ groups.debops_service_sks }}'
+
+                                                                   # ]]]
+# .. envvar:: sks_frontends [[[
+#
+# List of inventory hosts which provide frontend web service
+sks_frontends: [ '{{ sks_cluster[0] }}' ]
+
+                                                                   # ]]]
+# .. envvar:: sks_hkp_allow [[[
+#
+# List of hosts which can connect to hkp service. If this list is empty,
+# anybody can connect.
+sks_hkp_allow: []
+
+                                                                   # ]]]
+# .. envvar:: sks_public_list [[[
+#
+# List of public SKS keyservers you want to peer with. It's a list of simple
+# lines, which allows you to include custom ports and comments (see sks(8)
+# documentation). It's good etiquette to ask someone for permission before you
+# add their server to this list (and their server needs to have yours for the
+# communication to work).
+# You should probably connect only one of your private keyservers to the public
+# keyserver network, your other servers will propagate the changes between
+# themselves.
+sks_public_list: []
+
+#  - name: 'keyserver.example.org'
+#    port: '{{ sks_recon_port }}'
+#    email: 'Server Administrator <root@example.org'
+#    gpg: '0xDEADBEEF'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: sks__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+sks__etc_services__dependent_list:
+
+  - name: '{{ sks_recon_name }}'
+    port: '{{ sks_recon_port }}'
+    comment: 'SKS Keyserver Reconcilliation Service'
+
+  - name: '{{ sks_hkp_frontend_name }}'
+    port: '{{ sks_hkp_frontend_port }}'
+    comment: 'SKS Keyserver Backend Service'
+
+                                                                   # ]]]
+# .. envvar:: sks__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+# FIXME: Move configuration from the template.
+sks__ferm__dependent_rules: []
+
+                                                                   # ]]]
+# .. envvar:: sks__nginx__dependent_servers [[[
+#
+# Server configuration for the :ref:`debops.nginx` Ansible role.
+sks__nginx__dependent_servers:
+
+  - '{{ sks_nginx_frontend }}'
+  - '{{ sks_nginx_ssl_frontend }}'
+
+                                                                   # ]]]
+# .. envvar:: sks__nginx__dependent_upstreams [[[
+#
+# Upstream configuration for the :ref:`debops.nginx` Ansible role.
+sks__nginx__dependent_upstreams:
+
+  - '{{ sks_nginx_upstreams }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/index.html b/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/index.html
new file mode 100644
index 00000000..63d62318
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/index.html
@@ -0,0 +1,52 @@
+<?xml version="1.0"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>SKS OpenPGP Public Key Server</title>
+  </head>
+  <body>
+  <h1>SKS OpenPGP Public Key Server</h1>
+  <hr />
+  <h2>
+  <a id="extract" name="extract">Extracting a OpenPGP Key</a>
+  </h2>
+  <form action="/pks/lookup" method="get">
+    <p>Index:
+    <input type="radio" name="op" value="index" />
+     Verbose Index:
+    <input type="radio" name="op" value="vindex" checked="checked" />
+    </p>
+    <p>Search String:
+    <input name="search" size="40" value="openpkg" />
+    </p>
+    <p>
+    <input type="checkbox" name="fingerprint" checked="checked" />
+     Show OpenPGP &quot;fingerprints&quot; for keys</p>
+    <p>
+    <input type="checkbox" name="exact" />
+     Only return exact matches</p>
+    <p>
+    <input type="reset" value="Reset" />
+
+    <input type="submit" value="Search!" />
+    </p>
+  </form>
+  <hr />
+  <h2>
+  <a id="submit" name="submit">Submitting a new OpenPGP Key</a>
+  </h2>
+  <form action="/pks/add" method="post">
+    <p>Enter ASCII-armored OpenPGP key here:</p>
+    <p>
+    <textarea name="keytext" rows="20" cols="66"></textarea>
+    </p>
+    <p>
+    <input type="reset" value="Reset" />
+
+    <input type="submit" value="Submit!" />
+    </p>
+  </form>
+  <hr />
+  </body>
+</html>
diff --git a/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/robots.txt b/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/robots.txt
new file mode 100644
index 00000000..1f53798b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/files/srv/www/sites/default/public/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/ansible_collections/debops/debops/roles/sks/meta/main.yml b/ansible_collections/debops/debops/roles/sks/meta/main.yml
new file mode 100644
index 00000000..59a03831
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and manage SKS Keyserver cluster'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - gpg
+    - pgp
+    - keyserver
diff --git a/ansible_collections/debops/debops/roles/sks/tasks/main.yml b/ansible_collections/debops/debops/roles/sks/tasks/main.yml
new file mode 100644
index 00000000..7aa83a43
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/tasks/main.yml
@@ -0,0 +1,69 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install SKS Keyserver
+  ansible.builtin.apt:
+    name: 'sks'
+    state: 'present'
+    install_recommends: 'no'
+  register: sks__register_packages
+  until: sks__register_packages is succeeded
+
+- name: Configure firewall for SKS Keyserver
+  ansible.builtin.template:
+    src: 'etc/ferm/filter-input.d/sks.conf.j2'
+    dest: '/etc/ferm/filter-input.d/sks.conf'
+    owner: 'root'
+    group: 'adm'
+    mode: '0644'
+  notify: [ 'Restart ferm' ]
+
+- name: Check if SKS Keyserver database exists
+  ansible.builtin.stat:
+    path: '/var/lib/sks/DB/key'
+  register: sks_register_database_pre_build
+
+- name: Configure SKS Keyserver without database
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'etc/sks/sksconf', 'etc/sks/mailsync', 'etc/sks/membership' ]
+  when: sks_register_database_pre_build is defined and not sks_register_database_pre_build.stat.exists
+
+- name: Build SKS Keyserver database
+  become: True
+  become_user: 'debian-sks'
+  ansible.builtin.command: /usr/sbin/sks build
+  args:
+    chdir: '/var/lib/sks'
+    creates: '/var/lib/sks/DB/key'
+  when: sks_autoinit is defined and sks_autoinit
+
+- name: Check if SKS Keyserver database exists
+  ansible.builtin.stat:
+    path: '/var/lib/sks/DB/key'
+  register: sks_register_database_post_build
+
+- name: Configure SKS Keyserver with database
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart sks' ]
+  with_items: [ 'etc/default/sks', 'etc/sks/sksconf', 'etc/sks/mailsync', 'etc/sks/membership' ]
+  when: sks_register_database_post_build is defined and sks_register_database_post_build.stat.exists
+
+- name: Configure frontend webserver
+  ansible.builtin.include_tasks: sks_frontend.yml
+  when: sks_frontends is defined and inventory_hostname in sks_frontends
diff --git a/ansible_collections/debops/debops/roles/sks/tasks/sks_frontend.yml b/ansible_collections/debops/debops/roles/sks/tasks/sks_frontend.yml
new file mode 100644
index 00000000..4b9d2670
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/tasks/sks_frontend.yml
@@ -0,0 +1,27 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure that webpage directory exists
+  ansible.builtin.file:
+    path: '/srv/www/sites/{{ sks_domain[0] }}/public'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Check if index.html page exists
+  ansible.builtin.stat:
+    path: '/srv/www/sites/{{ sks_domain[0] }}/public/index.html'
+  register: sks_register_index_html
+
+- name: Configure SKS Keyserver webpage if not present
+  ansible.builtin.copy:
+    src: 'srv/www/sites/default/public/{{ item }}'
+    dest: '/srv/www/sites/{{ sks_domain[0] }}/public/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'index.html', 'robots.txt' ]
+  when: sks_register_index_html is defined and not sks_register_index_html.stat.exists
diff --git a/ansible_collections/debops/debops/roles/sks/templates/etc/default/sks.j2 b/ansible_collections/debops/debops/roles/sks/templates/etc/default/sks.j2
new file mode 100644
index 00000000..35d8ccc7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/templates/etc/default/sks.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# by default we do NOT start sks!
+# Set to yes if you want to start it in the init script.
+initstart=yes
diff --git a/ansible_collections/debops/debops/roles/sks/templates/etc/ferm/filter-input.d/sks.conf.j2 b/ansible_collections/debops/debops/roles/sks/templates/etc/ferm/filter-input.d/sks.conf.j2
new file mode 100644
index 00000000..3893d860
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/templates/etc/ferm/filter-input.d/sks.conf.j2
@@ -0,0 +1,53 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+{% if sks_hkp_allow is defined %}
+# Access to hkp service from outside
+protocol tcp dport (hkp) {
+{% if sks_hkp_allow %}
+	@def $ITEMS = ( @ipfilter( ({{ sks_hkp_allow | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% else %}
+        ACCEPT;
+{% endif %}
+}
+{% endif %}
+
+{% if sks_cluster is defined and (sks_cluster | count > 1) %}
+# SKS reconcilliation service between cluster hosts
+protocol tcp dport ({{ sks_recon_name }}) {
+{% for host in sks_cluster %}
+{% if host != inventory_hostname %}
+{% if host in play_hosts and hostvars[host].ansible_all_ipv4_addresses is defined %}
+        @if @eq($DOMAIN, ip) saddr ({{ hostvars[host].ansible_all_ipv4_addresses | join(' ') }}) ACCEPT;
+{% endif %}
+{% if host in play_hosts and hostvars[host].ansible_all_ipv6_addresses is defined %}
+{% for host in hostvars[host].ansible_all_ipv6_addresses %}
+{% if not host.startswith('fe80:') %}
+        @if @eq($DOMAIN, ip6) saddr {{ host }} ACCEPT;
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+}
+{% endif %}
+
+{% if sks_public_list is defined and sks_public_list %}
+# Access to SKS reconcilliation service from the outside of local cluster
+{% for host in sks_public_list %}
+protocol tcp dport ({{ sks_recon_name }}) {
+{% if host.name is defined and host.name %}
+	@def $ITEMS = ( @ipfilter( ({{ host.name | unique | join(" ") }}) ) );
+	@if @ne($ITEMS,"") {
+		saddr $ITEMS ACCEPT;
+	}
+{% endif %}
+}
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/sks/templates/etc/sks/mailsync.j2 b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/mailsync.j2
new file mode 100644
index 00000000..ea5c04b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/mailsync.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# TODO: Finish configuration when mail system is ready
+
+# /etc/sks/mailsync
+#
+# The mailsync should contains a list of email addresses of PKS
+# keyservers, one per line. This file is important, because it ensures
+# that keys submitted directly to an SKS keyserver are also forwarded
+# to PKS keyservers.
+#
+# Empty lines and whitespace-only lines are ignored, as are lines
+# whose first non-whitespace character is a `#'.
+#
+# IMPORTANT: don't add someone to your mailsync file without getting
+# their permission first!
+#
+# Jonathan McDowell <pgp-keyserver-admin@earth.li> says that having
+# his keyserver's address in the Debian package is fine.
+#pgp-public-keys@the.earth.li
diff --git a/ansible_collections/debops/debops/roles/sks/templates/etc/sks/membership.j2 b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/membership.j2
new file mode 100644
index 00000000..3813b9d2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/membership.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# /etc/sks/membership
+#
+# With SKS, two hosts can efficiently compare their databases then
+# repair whatever differences are found.  In order to set up
+# reconciliation, you first need to find other SKS servers that will
+# agree to gossip with you. The hostname and port of the server that
+# has agreed to do so should be added to this file.
+#
+# Empty lines and whitespace-only lines are ignored, as are lines
+# whose first non-whitespace character is a `#'.
+#
+# Example:
+# keyserver.linux.it 11370
+{% if sks_cluster is defined and (sks_cluster | count > 1) %}
+
+# Local cluster
+{% for host in sks_cluster %}
+{% if host != inventory_hostname %}
+{% if host in play_hosts and hostvars[host].ansible_fqdn is defined %}
+{{ hostvars[host].ansible_fqdn }} {{ sks_recon_port | default('11370') }}
+{% else %}
+# Unknown DNS domain of {{ host }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if sks_public_list is defined and sks_public_list %}
+
+# Public peers
+{% for entry in sks_public_list %}
+{{ entry.name }} {{ entry.port | default(sks_recon_port) }} # {{ entry.email | default('No email specified') }}, {{ entry.gpg | default('No GPG key specified') }}
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/sks/templates/etc/sks/sksconf.j2 b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/sksconf.j2
new file mode 100644
index 00000000..d48e97b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/templates/etc/sks/sksconf.j2
@@ -0,0 +1,62 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# /etc/sks/sksconf
+#
+# The configuration file for your SKS server.
+# You can find more options in sks(8) manpage.
+
+# Set server hostname
+hostname: {{ ansible_fqdn }}
+
+# Set recon binding address
+#recon_address: 0.0.0.0
+
+# Set recon port number
+#recon_port: {{ sks_recon_port | default('11370') }}
+
+# Set hkp binding address
+{% if inventory_hostname in sks_frontends %}
+hkp_address: 127.0.0.1
+{% else %}
+hkp_address: 0.0.0.0
+{% endif %}
+
+# Set hkp port number
+{% if inventory_hostname in sks_frontends %}
+hkp_port: {{ sks_hkp_frontend_port }}
+{% else %}
+hkp_port: 11371
+{% endif %}
+
+# Have the HKP interface listen on port 80, as well as the hkp_port
+#use_port_80:
+
+# From address used in synchronization emails used to communicate with PKS
+from_addr: "{{ sks_from }}"
+
+# Command used for sending mail (you can use -f option to specify the
+# envelope sender address, if your MTA trusts the sks user)
+#sendmail_cmd: /usr/lib/sendmail -t -oi
+
+# Disable mail-based synchronization
+disable_mailsync:
+
+# Runs database statistics calculation on boot (time and cpu expensive)
+initial_stat:
+
+# bdb's db_tune program suggests a pagesize of 65536 for [K]DB/key. In practice
+# this caused page deadlocks. I found 8K (16) and 16K (32) to be better values
+pagesize:          16
+#
+# The tuner recommended 4096 (8) for the pagesize for PTree/ptree. I have had
+# very good results with 8196
+ptree_pagesize:    16
+
+{% if sks_contact is defined and sks_contact %}
+# Contact to server administrator
+server_contact: {{ sks_contact }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/sks/vars/main.yml b/ansible_collections/debops/debops/roles/sks/vars/main.yml
new file mode 100644
index 00000000..15f1816a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sks/vars/main.yml
@@ -0,0 +1,61 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Configuration of SKS reconcilliation service port
+sks_recon_name: 'sks'
+sks_recon_port: 11370
+
+# Configuration of SKS keyserver service on a frontend host
+sks_hkp_frontend_name: 'hkp-backend'
+sks_hkp_frontend_port: '11372'
+
+# Configuration for HTTP web frontend
+sks_nginx_frontend:
+  by_role: 'debops.sks'
+  enabled: True
+  default: False
+  name: '{{ ["default_sks"] + sks_domain }}'
+  root: '{{ "/srv/www/sites/" + sks_domain[0] + "/public" }}'
+  webroot_create: False
+  ssl: False
+  listen: [ '[::]:80', '[::]:11371' ]
+  location:
+    '/': |
+      try_files $uri $uri/ =404;
+      index index.html;
+    '/pks': |
+      proxy_pass http://sks_servers/pks;
+      proxy_pass_header Server;
+      add_header Via "1.1 {{ ansible_fqdn }} (nginx)";
+      proxy_ignore_client_abort on;
+
+# Configuration for HTTPS web frontend
+sks_nginx_ssl_frontend:
+  by_role: 'debops.sks'
+  enabled: True
+  default: False
+  state: '{{ "present"
+             if (ansible_local | d() and ansible_local.pki | d() and
+                 (ansible_local.pki.enabled | d()) | bool)
+             else "absent" }}'
+  name: '{{ sks_domain }}'
+  listen: False
+  location:
+    '/': |
+      try_files $uri $uri/ =404;
+      index index.html;
+    '/pks': |
+      proxy_pass http://sks_servers/pks;
+      proxy_pass_header Server;
+      add_header Via "1.1 {{ ansible_fqdn }} (nginx)";
+      proxy_ignore_client_abort on;
+
+# SKS server upstreams
+sks_nginx_upstreams:
+  enabled: True
+  name: 'sks_servers'
+  server: 'localhost:{{ sks_hkp_frontend_port }}'
+  cluster: '{{ sks_cluster | difference(sks_frontends) }}'
+  port: '11371'
diff --git a/ansible_collections/debops/debops/roles/slapd/COPYRIGHT b/ansible_collections/debops/debops/roles/slapd/COPYRIGHT
new file mode 100644
index 00000000..95fdcdcf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.slapd - Manage OpenLDAP server using Ansible
+
+Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/slapd/defaults/main.yml b/ansible_collections/debops/debops/roles/slapd/defaults/main.yml
new file mode 100644
index 00000000..a92d76f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/defaults/main.yml
@@ -0,0 +1,1714 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _slapd__ref_defaults:
+
+# Default variables
+# =================
+#
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# LDAP schemas [[[
+# ----------------
+
+# These variables define what additional LDAP schemas will be imported by
+# the :ref:`debops.slapd` role to the managed OpenLDAP server.
+# See :ref:`custom LDAP schemas <slapd__ref_ldap_schemas>` for more details.
+
+# .. envvar:: slapd__rfc2307bis_enabled [[[
+#
+# Enable or disable support for an upgraded ``nis`` schema defined as
+# ``rfc2307bis``, that changes the ``posixGroup`` object type from
+# ``STRUCTURAL`` to ``AUXILIARY``. This allows better management of UNIX groups
+# in the LDAP directory, but may require additional changes in existing
+# databases. See :ref:`the rfc2307bis schema <slapd__ref_rfc2307bis>` for more
+# details.
+slapd__rfc2307bis_enabled: '{{ ansible_local.slapd.rfc2307bis | d(True) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__debops_schema_path [[[
+#
+# Absolute path to the directory that contains custom DebOps schema definitions
+# on the remote host.
+slapd__debops_schema_path: '/etc/ldap/schema/debops'
+
+                                                                   # ]]]
+# .. envvar:: slapd__default_schemas [[[
+#
+# List of the default LDAP schemas imported into the OpenLDAP server, defined
+# by the role.
+slapd__default_schemas:
+
+  # Base schema for LDAP schemas developed in DebOps, other custom schemas will
+  # depend on object identifiers defined here
+  - '{{ slapd__debops_schema_path + "/debops.schema" }}'
+
+  # Custom DebOps schema that defines the missing 'gid' posixGroup attribute
+  - '{{ slapd__debops_schema_path + "/posixgroupid.schema" }}'
+
+  # Custom DebOps schema that creates LDAP object definitions used for tracking
+  # the next available POSIX UID/GID numbers
+  - '{{ slapd__debops_schema_path + "/nextuidgid.schema" }}'
+
+  # Custom DebOps schema that creates LDAP object definition of the
+  # 'organizationalStructure' object, used to define basic directory structure.
+  - '{{ slapd__debops_schema_path + "/orgstructure.schema" }}'
+
+  # Password Policy schema, included in the 'slapd' APT package
+  - '/etc/ldap/schema/ppolicy.schema'
+
+  # Support for 'host' and 'authorizedService' attributes, useful for granular
+  # access control to services and machines
+  - '/etc/ldap/schema/fusiondirectory/ldapns.schema'
+
+  # Custom schema which defines a 'groupOfEntries' LDAP object which can create
+  # empty groups
+  - '{{ slapd__debops_schema_path + "/groupofentries.schema" }}'
+
+  # Support for SSH public keys in LDAP directory
+  - '{{ slapd__debops_schema_path + "/openssh-lpk.schema" }}'
+
+  # Support for 'sudo' rules in LDAP directory
+  - '/etc/ldap/schema/fusiondirectory/sudo.schema'
+
+  # Support for 'eduPerson' and 'eduOrg' schema, included in DebOps
+  - '{{ slapd__debops_schema_path + "/eduperson.schema" }}'
+
+  # Support for 'schac' schema, SCHema for ACademia
+  - '{{ slapd__debops_schema_path + "/schac.schema" }}'
+
+  # Support for 'nextcloud' schema, included in DebOps
+  - '{{ slapd__debops_schema_path + "/nextcloud.schema" }}'
+
+  # Custom DebOps schema that defines mail-related LDAP objects and attributes
+  - '{{ slapd__debops_schema_path + "/mailservice.schema" }}'
+
+  # Custom DebOps schema that adds support for Dynamic Groups maintained by AutoGroup overlay
+  - '{{ slapd__debops_schema_path + "/dyngroup.schema" }}'
+
+  # Base schema for FreeRADIUS LDAP objects, which defines objectIdentifiers
+  # for other FreeRADIUS schema files included in DebOps
+  - '{{ slapd__debops_schema_path + "/freeradius.schema" }}'
+
+  # FreeRADIUS RADIUS Client schema
+  - '{{ slapd__debops_schema_path + "/freeradius-client.schema" }}'
+
+  # FreeRADIUS RADIUS Profile schema
+  - '{{ slapd__debops_schema_path + "/freeradius-profile.schema" }}'
+
+  # FreeRADIUS RADIUS Accounting schema
+  - '{{ slapd__debops_schema_path + "/freeradius-radacct.schema" }}'
+
+  # FreeRADIUS DHCPv4 schema
+  - '{{ slapd__debops_schema_path + "/freeradius-dhcpv4.schema" }}'
+
+  # FreeRADIUS DHCPv6 schema
+  - '{{ slapd__debops_schema_path + "/freeradius-dhcpv6.schema" }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__schemas [[[
+#
+# Lisf of LDAP schemas imported into the OpenLDAP server on all hosts in the
+# Ansible inventory.
+slapd__schemas: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__group_schemas [[[
+#
+# List of LDAP schemas imported into the OpenLDAP server on hosts in a specific
+# Ansible inventory group.
+slapd__group_schemas: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__host_schemas [[[
+#
+# List of LDAP schemas imported into the OpenLDAP server on specific hosts in
+# the Ansible inventory.
+slapd__host_schemas: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__combined_schemas [[[
+#
+# Variable which combines all of the schema lists together and is used in the
+# role tasks. The list is not merged intelligently and is only additive.
+slapd__combined_schemas: '{{ slapd__default_schemas
+                             + slapd__schemas
+                             + slapd__group_schemas
+                             + slapd__host_schemas }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: slapd__base_packages [[[
+#
+# List of required APT packages for OpenLDAP service.
+slapd__base_packages: [ 'slapd', 'ldap-utils', 'ssl-cert', 'libldap-common' ]
+
+                                                                   # ]]]
+# .. envvar:: slapd__rfc2307bis_packages [[[
+#
+# List of APT packages to install in preparation to use ``rfc2307bis`` schema
+# instead of the ``nis`` schema.
+slapd__rfc2307bis_packages: [ 'fusiondirectory-schema' ]
+
+                                                                   # ]]]
+# .. envvar:: slapd__schema_packages [[[
+#
+# List of APT packages that contain LDAP schemas loaded into the directory by
+# the server. Debian has multiple ``fusiondirectory-*-schema`` and
+# ``gosa-*-schema`` packages that conflict with each other, therefore the list
+# of packages should be synchronized.
+slapd__schema_packages:
+
+  # Support for 'sudo' rules in LDAP
+  - 'fusiondirectory-plugin-sudo-schema'
+
+                                                                   # ]]]
+# .. envvar:: slapd__packages [[[
+#
+# List of additional APT packages to install with OpenLDAP service.
+slapd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenLDAP UNIX environment [[[
+# -----------------------------
+
+# .. envvar:: slapd__user [[[
+#
+# Name of the UNIX account used by the OpenLDAP service.
+slapd__user: 'openldap'
+
+                                                                   # ]]]
+# .. envvar:: slapd__group [[[
+#
+# Name of the UNIX group used by the OpenLDAP service.
+slapd__group: 'openldap'
+
+                                                                   # ]]]
+# .. envvar:: slapd__additional_groups [[[
+#
+# List of additional UNIX groups the OpenLDAP account should have access to.
+slapd__additional_groups: [ 'ssl-cert' ]
+
+                                                                   # ]]]
+# .. envvar:: slapd__additional_database_dirs [[[
+#
+# The default "main" OpenLDAP database is stored in the :file:`/var/lib/ldap/`
+# directory. This variable contains a list of additional database directories
+# which should be present on the host, specified as absolute paths. These
+# directories will be owned by the OpenLDAP UNIX account and can be used to
+# store additional OpenLDAP databases.
+slapd__additional_database_dirs: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__log_dir [[[
+#
+# Absolute path to the directory which contains OpenLDAP logs.
+slapd__log_dir: '/var/log/slapd'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP database environment [[[
+# -----------------------------
+
+# .. envvar:: slapd__domain [[[
+#
+# DNS domain name which will be used for OpenLDAP BaseDN. This value is also
+# defined in the :command:`debconf` database before OpenLDAP installation to
+# create the BaseDN LDAP object in the initialized database.
+slapd__domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__base_dn [[[
+#
+# BaseDN value of the main OpenLDAP server that contains the LDAP data, defined
+# as a YAML list.
+slapd__base_dn: '{{ slapd__domain.split(".")
+                    | map("regex_replace", "^(.*)$", "dc=\1")
+                    | list }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__basedn [[[
+#
+# BaseDN value of the main OpenLDAP server that contains the LDAP data, defined
+# as a string.
+slapd__basedn: '{{ slapd__base_dn | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__superuser_config_password [[[
+#
+# The hashed password defined for the superuser of the ``cn=config`` LDAP database.
+slapd__superuser_config_password: '{{ "{CRYPT}" + lookup("password", secret
+                                                         + "/slapd/credentials/"
+                                                         + slapd__config_rootdn | to_uuid + ".password"
+                                                         + " encrypt=sha512_crypt length=32") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__config_rootdn [[[
+#
+# The Distinguished Name of the ``cn=config`` database root account.
+slapd__config_rootdn: 'cn=admin,cn=config'
+
+                                                                   # ]]]
+# .. envvar:: slapd__config_rootpw [[[
+#
+# The plaintext password of the ``cn=config`` database root account, useful for
+# Sync Replication authentication.
+slapd__config_rootpw: '{{ lookup("file", secret + "/slapd/credentials/"
+                                         + slapd__config_rootdn | to_uuid
+                                         + ".password").split()[0] }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__superuser_data_password [[[
+#
+# The password defined for the superuser of the main LDAP database.
+slapd__superuser_data_password: '{{ "{CRYPT}" + lookup("password", secret
+                                                       + "/slapd/credentials/"
+                                                       + slapd__data_rootdn | to_uuid + ".password"
+                                                       + " encrypt=sha512_crypt length=32") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__data_rootdn [[[
+#
+# The Distinguished Name of the main database root account.
+slapd__data_rootdn: '{{ (["cn=admin"] + slapd__base_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__data_rootpw [[[
+#
+# The plaintext password of the ``cn=config`` database root account, useful for
+# Sync Replication authentication.
+slapd__data_rootpw: '{{ lookup("file", secret + "/slapd/credentials/"
+                                       + slapd__data_rootdn | to_uuid
+                                       + ".password").split()[0] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP POSIX environment [[[
+# --------------------------
+
+# These variables define default parameters of the POSIX environment expected
+# by the LDAP directory, not the OpenLDAP service itself. These parameters
+# should be the same as the POSIX environment defined in the :ref:`debops.ldap`
+# Ansible role for consistency. See :ref:`ldap__ref_posix` for more details.
+
+# .. envvar:: slapd__uid_gid_min [[[
+#
+# First UID/GID which is considered to be managed by the LDAP directory and not
+# by the local NSS database.
+slapd__uid_gid_min: '2000000000'
+
+                                                                   # ]]]
+# .. envvar:: slapd__groupid_min [[[
+#
+# First UID/GID reserved for shared groups in the LDAP directory. Default: the
+# same as the start of the LDAP directory UID/GID range.
+slapd__groupid_min: '{{ slapd__uid_gid_min }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__groupid_max [[[
+#
+# Last UID/GID reserved for shared groups in the LDAP directory. Higher UID/GID
+# numbers are meant to be used for people, machine or service accounts with
+# matching User Private Groups. Default: 2001999999
+#
+# Ref: https://wiki.debian.org/UserPrivateGroups
+slapd__groupid_max: '{{ slapd__uid_gid_min | int + 1999999 }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__uid_gid_max [[[
+#
+# Last UID/GID which is considered to be managed by the LDAP directory and not
+# by the local NSS database. Default: 2099999999
+slapd__uid_gid_max: '{{ slapd__uid_gid_min | int + 99999999 }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP database tuning [[[
+# ------------------------
+
+# .. envvar:: slapd__saslauthd_enabled [[[
+#
+# Boolean, whether the saslauthd configuration should be managed.
+slapd__saslauthd_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: slapd__data_max_size [[[
+#
+# Specify the maximum size of the main database, in bytes, default is 10 GB.
+# The value shouldn't be smaller than the size of the existing data; increasing
+# the existing size should be safe.
+slapd__data_max_size: '{{ (1024 * 1024 * 1024) * 10 }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Support for DebOps PKI and TLS [[[
+# ----------------------------------
+
+# .. envvar:: slapd__pki [[[
+#
+# Enable or disable support for X.509 certificates using the :ref:`debops.pki`
+# Ansible role.
+slapd__pki: '{{ ansible_local.pki.enabled | d(False) | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__pki_path [[[
+#
+# Absolute path to the directory that contains PKI realms.
+slapd__pki_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__pki_realm [[[
+#
+# Default PKI realm used by the OpenLDAP server. In a multi-master clustered
+# setup the configuration is shared, therefore all cluster nodes should use the
+# same PKI realm name.
+slapd__pki_realm: '{{ slapd__domain
+                      if (slapd__domain in ansible_local.pki.known_realms | d([]))
+                      else ansible_local.pki.realm | d("domain") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__pki_ca [[[
+#
+# Name of the Root CA certificate file used by the OpenLDAP server, relative to
+# the PKI realm directory.
+slapd__pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: slapd__pki_crt [[[
+#
+# Name of the X.509 certificate file used by the OpenLDAP server, relative to
+# the PKI realm directory.
+slapd__pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: slapd__pki_key [[[
+#
+# Name of the private key used by the OpenLDAP server, relative to the PKI
+# realm directory.
+slapd__pki_key: 'default.key'
+
+                                                                   # ]]]
+# .. envvar:: slapd__dhparam_set [[[
+#
+# Specify the Diffie-Hellman parameter set to use by the OpenLDAP server.
+# See :ref:`debops.dhparam` Ansible role for more details.
+slapd__dhparam_set: 'default'
+
+                                                                   # ]]]
+# .. envvar:: slapd__dhparam_file [[[
+#
+# Absolute path to the file with Diffie-Hellman parameters used by the OpenLDAP
+# server. If it's empty, the custom Diffie-Hellman parameters will not be
+# configured.
+slapd__dhparam_file: '{{ ansible_local.dhparam[slapd__dhparam_set] | d("") }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tls_ca_certificate [[[
+#
+# Absolute path to the Root CA certificate used by the OpenLDAP server to
+# authenticate TLS client certificates.
+slapd__tls_ca_certificate: '{{ slapd__pki_path + "/" + slapd__pki_realm + "/" + slapd__pki_ca }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tls_certificate [[[
+#
+# Absolute path to the X.509 certificate used by the OpenLDAP server.
+slapd__tls_certificate: '{{ slapd__pki_path + "/" + slapd__pki_realm + "/" + slapd__pki_crt }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tls_private_key [[[
+#
+# Absolute path to the private key used by the OpenLDAP server.
+slapd__tls_private_key: '{{ slapd__pki_path + "/" + slapd__pki_realm + "/" + slapd__pki_key }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tls_cipher_suite [[[
+#
+# TLS cipher suite required by the server. On Debian, you need to use the
+# GnuTLS cipher suite names, because :command:`slapd` daemon is compiled
+# against GnuTLS instead of OpenSSL.
+slapd__tls_cipher_suite: 'SECURE256:PFS:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.2:-SHA1:-ARCFOUR-128'
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenLDAP configuration tasks [[[
+# --------------------------------
+
+# These variables define a dynamic set of tasks to perform in the OpenLDAP
+# server ``cn=config`` database. See :ref:`slapd__ref_tasks` for more details.
+
+# .. envvar:: slapd__default_tasks [[[
+#
+# List of the default tasks performed on the OpenLDAP server, defined by the
+# role.
+slapd__default_tasks:
+
+  - name: 'Define the maximum size of the main database'
+    dn: [ 'olcDatabase={1}mdb', 'cn=config' ]
+    attributes:
+      olcDbMaxSize: '{{ slapd__data_max_size }}'
+    state: 'exact'
+
+  - name: 'Load dynamic OpenLDAP modules'
+    dn: 'cn=module{0},cn=config'
+    attributes:
+      olcModuleLoad:
+        - '{0}back_mdb'
+        - '{1}syncprov'
+        - '{2}ppolicy'
+        - '{3}unique'
+        - '{4}memberof'
+        - '{5}refint'
+        - '{6}auditlog'
+        - '{7}constraint'
+        - '{8}back_monitor'
+        - '{9}lastbind'
+        - '{10}autogroup'
+    ordered: True
+
+  - name: 'Enable Sync Provider overlay in the cn=config database'
+    dn: 'olcOverlay={0}syncprov,olcDatabase={0}config,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcSyncProvConfig' ]
+    attributes:
+      olcOverlay: '{0}syncprov'
+
+  - name: 'Enable Sync Provider overlay in the main database'
+    dn: 'olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcSyncProvConfig' ]
+    attributes:
+      olcOverlay: '{0}syncprov'
+
+  - name: 'Enable Password Policy overlay in the main database'
+    dn: 'olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcPPolicyConfig' ]
+    attributes:
+      olcOverlay: '{1}ppolicy'
+
+  - name: 'Enable Unique overlay in the main database'
+    dn: 'olcOverlay={2}unique,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcUniqueConfig' ]
+    attributes:
+      olcOverlay: '{2}unique'
+
+  - name: 'Enable memberOf overlay in the main database for groupOfNames'
+    dn: 'olcOverlay={3}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
+    attributes:
+      olcOverlay: '{3}memberof'
+
+  - name: 'Enable memberOf overlay in the main database for groupOfEntries'
+    dn: 'olcOverlay={4}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
+    attributes:
+      olcOverlay: '{4}memberof'
+
+  - name: 'Enable memberOf overlay in the main database for AutoGroups'
+    dn: 'olcOverlay={5}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
+    attributes:
+      olcOverlay: '{5}memberof'
+
+  - name: 'Enable memberOf overlay in the main database for Roles'
+    dn: 'olcOverlay={6}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
+    attributes:
+      olcOverlay: '{6}memberof'
+
+  - name: 'Enable Referential Integrity overlay in the main database'
+    dn: 'olcOverlay={7}refint,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcRefintConfig' ]
+    attributes:
+      olcOverlay: '{7}refint'
+
+  - name: 'Enable Audit Logging overlay in the main database'
+    dn: 'olcOverlay={8}auditlog,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcAuditLogConfig' ]
+    attributes:
+      olcOverlay: '{8}auditlog'
+
+  - name: 'Enable Constraint overlay in the main database'
+    dn: 'olcOverlay={9}constraint,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcConstraintConfig' ]
+    attributes:
+      olcOverlay: '{9}constraint'
+
+  - name: 'Enable AutoGroup overlay in the main database'
+    dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcAutomaticGroups' ]
+    attributes:
+      olcOverlay: '{10}autogroup'
+
+  - name: 'Enable LastBind overlay in the main database'
+    dn: 'olcOverlay={11}lastbind,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcLastBindConfig' ]
+    attributes:
+      olcOverlay: '{11}lastbind'
+
+  - name: 'Configure Password Policy overlay in the main database'
+    dn: 'olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcPPolicyDefault: 'cn=Default Password Policy,ou=Password Policies,{{ slapd__basedn }}'
+      olcPPolicyHashCleartext: 'TRUE'
+      olcPPolicyUseLockout: 'FALSE'
+      olcPPolicyForwardUpdates: 'FALSE'
+    state: 'exact'
+
+  - name: 'Configure Unique overlay in the main database'
+    dn: 'olcOverlay={2}unique,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcUniqueURI:
+        - 'ldap:///{{ slapd__basedn }}?uidNumber?sub'
+        - 'ldap:///{{ slapd__basedn }}?gidNumber?sub'
+        - 'ldap:///{{ slapd__basedn }}?mail?sub'
+        - 'ldap:///{{ slapd__basedn }}?mailAddress,mailAlternateAddress?sub'
+        - 'ldap:///{{ slapd__basedn }}?mailPrivateAddress?sub'
+        - 'ldap:///ou=People,{{ slapd__basedn }}?employeeNumber?sub'
+        - 'ldap:///ou=People,{{ slapd__basedn }}?uid?sub'
+        - 'ldap:///ou=People,{{ slapd__basedn }}?gid?sub'
+    state: 'exact'
+
+  - name: 'Configure memberOf overlay in the main database for groupOfNames'
+    dn: 'olcOverlay={3}memberof,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcMemberOfDangling: 'ignore'
+      olcMemberOfRefInt: 'TRUE'
+      olcMemberOfGroupOC: 'groupOfNames'
+      olcMemberOfMemberAD: 'member'
+      olcMemberOfMemberOfAD: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure memberOf overlay in the main database for groupOfEntries'
+    dn: 'olcOverlay={4}memberof,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcMemberOfDangling: 'ignore'
+      olcMemberOfRefInt: 'TRUE'
+      olcMemberOfGroupOC: 'groupOfEntries'
+      olcMemberOfMemberAD: 'member'
+      olcMemberOfMemberOfAD: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure memberOf overlay in the main database for AutoGroups'
+    dn: 'olcOverlay={5}memberof,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcMemberOfDangling: 'ignore'
+      olcMemberOfRefInt: 'TRUE'
+      olcMemberOfGroupOC: 'groupOfURLs'
+      olcMemberOfMemberAD: 'member'
+      olcMemberOfMemberOfAD: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure memberOf overlay in the main database for Roles'
+    dn: 'olcOverlay={6}memberof,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcMemberOfDangling: 'ignore'
+      olcMemberOfRefInt: 'TRUE'
+      olcMemberOfGroupOC: 'organizationalRole'
+      olcMemberOfMemberAD: 'roleOccupant'
+      olcMemberOfMemberOfAD: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure Referential Integrity overlay in the main database'
+    dn: 'olcOverlay={7}refint,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcRefintAttribute:
+        - 'member'
+        - 'memberOf'
+        - 'uniqueMember'
+        - 'manager'
+        - 'owner'
+        - 'roleOccupant'
+        - 'seeAlso'
+        - 'secretary'
+        - 'documentAuthor'
+    state: 'exact'
+
+  - name: 'Configure Audit Logging overlay in the main database'
+    dn: 'olcOverlay={8}auditlog,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcAuditlogFile: '{{ slapd__log_dir + "/slapd-auditlog-main.ldif" }}'
+    state: 'exact'
+
+  - name: 'Configure Constraint overlay in the main database'
+    dn: 'olcOverlay={9}constraint,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcConstraintAttribute:
+        - 'jpegPhoto size 524288'  # 512 KiB
+        - 'userPassword count 5'
+        - 'employeeNumber regex ^[[:digit:]]+$'
+        - 'uidNumber regex ^[[:digit:]]+$'
+        - 'gidNumber regex ^[[:digit:]]+$'
+        - 'macAddress regex ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$'
+        - 'mailAddress set "this/mailAddress & this/mail"'
+        - 'mailPrivateAddress set "this/mailPrivateAddress & this/mail"'
+        - 'mailAlternateAddress set "this/mailAlternateAddress & this/mail"'
+    state: 'exact'
+
+  - name: 'Configure AutoGroup overlay in the main database'
+    dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcAGattrSet:
+        - '{0}groupOfURLs memberURL member'
+      olcAGmemberOfAd: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure LastBind overlay in the main database'
+    dn: 'olcOverlay={11}lastbind,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcLastBindPrecision: '{{ (60 * 60 * 24) }}'
+    state: 'exact'
+
+  - name: 'Configure the OpenLDAP server log level'
+    dn: 'cn=config'
+    attributes:
+      olcLogLevel: 'none'
+    state: 'exact'
+
+  - name: 'Define the default password hashing method'
+    dn: [ 'olcDatabase={-1}frontend', 'cn=config' ]
+    attributes:
+      olcPasswordHash: '{CRYPT}'
+    state: 'exact'
+
+  - name: 'Configure password salt format used by the crypt(3) hash function'
+    dn: 'cn=config'
+    attributes:
+      olcPasswordCryptSaltFormat: '$6$rounds=100001$%.16s'
+    state: 'exact'
+
+  - name: 'Set the cn=config database root credentials'
+    dn: [ 'olcDatabase={0}config', 'cn=config' ]
+    attributes:
+      olcRootDN: '{{ slapd__config_rootdn }}'
+      olcRootPW: '{{ slapd__superuser_config_password }}'
+    state: 'exact'
+    no_log: '{{ debops__no_log | d(True) }}'
+
+  - name: 'Set the cn=config database access control list'
+    dn: [ 'olcDatabase={0}config', 'cn=config' ]
+    attributes:
+      olcAccess:
+        - |-
+          {0}to dn.subtree="cn=config"
+             by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+             by group/organizationalRole/roleOccupant.exact="cn=LDAP Administrator, ou=Roles,{{ slapd__basedn }}" manage
+             by * break
+    state: 'exact'
+
+  - name: 'Set the main database root credentials'
+    dn: [ 'olcDatabase={1}mdb', 'cn=config' ]
+    attributes:
+      olcRootDN: '{{ slapd__data_rootdn }}'
+      olcRootPW: '{{ slapd__superuser_data_password }}'
+    state: 'exact'
+    no_log: '{{ debops__no_log | d(True) }}'
+
+  - name: 'Configure idle and write timeouts'
+    dn: 'cn=config'
+    attributes:
+      olcIdleTimeout: '900'
+      olcWriteTimeout: '900'
+    state: 'exact'
+
+  - name: 'Configure TLS certificates'
+    dn: 'cn=config'
+    attributes:
+      olcTLSCACertificateFile:  '{{ slapd__tls_ca_certificate }}'
+      olcTLSCertificateFile:    '{{ slapd__tls_certificate }}'
+      olcTLSCertificateKeyFile: '{{ slapd__tls_private_key }}'
+    state: '{{ "exact" if slapd__pki | bool else "init" }}'
+
+  - name: 'Configure Diffie-Hellman parameters'
+    dn: 'cn=config'
+    attributes:
+      olcTLSDHParamFile: '{{ slapd__dhparam_file }}'
+    state: '{{ "exact" if (slapd__pki | bool and slapd__dhparam_file | d()) else "init" }}'
+
+  - name: 'Configure TLS cipher suites'
+    dn: 'cn=config'
+    attributes:
+      olcTLSCipherSuite: '{{ slapd__tls_cipher_suite }}'
+    state: '{{ "exact" if slapd__pki | bool else "init" }}'
+
+  - name: 'Set default Security Strength Factors enforced by the server'
+    dn: 'cn=config'
+    attributes:
+      olcLocalSSF: '128'
+      olcSecurity: 'ssf=128 update_ssf=128 simple_bind=128'
+    state: '{{ "exact" if slapd__pki | bool else "init" }}'
+
+  - name: 'Configure supported SASL authentication methods'
+    dn: 'cn=config'
+    attributes:
+      olcSaslSecProps: 'noanonymous,minssf={{ "128" if slapd__pki | bool else "0" }}'
+    state: 'exact'
+
+    # Warning: OpenLDAP v2.4.x requires a restart when this attribute is changed
+  - name: 'Define SASL regex matching rules'
+    dn: 'cn=config'
+    attributes:
+      olcAuthzRegexp:
+        - '{0}uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=People,{{ slapd__basedn }}'
+        - '{1}uid=([^,]*),cn=([^,]*),cn=[^,]*,cn=auth ldap:///ou=Hosts,{{ slapd__basedn }}??sub?(&(objectClass=account)(uid=$1)(host=$2))'
+    state: 'exact'
+
+  - name: 'Define indexes present in the main database'
+    dn: [ 'olcDatabase={1}mdb', 'cn=config' ]
+    attributes:
+      olcDbIndex:
+        - 'dc eq'
+        - 'cn,uid eq'
+        - 'member,memberUid eq'
+        - 'roleOccupant eq'
+        - 'memberOf eq'
+        - 'objectClass eq'
+        - 'sn eq,pres'
+        - 'gn eq,pres'
+        - 'gecos eq,pres'
+        - 'homeDirectory,loginShell eq'
+        - 'employeeNumber eq'
+        - 'uidNumber,gidNumber eq'
+        - 'entryCSN,entryUUID eq'
+        - 'sudoHost,sudoUser eq,sub'
+        - 'modifyTimestamp eq'
+        - 'authorizedService eq'
+        - 'host eq,sub'
+        - 'gid eq'
+        - 'mail eq,sub'
+        - 'mailAddress eq,sub'
+        - 'mailPrivateAddress eq,sub'
+        - 'mailAlternateAddress eq,sub'
+
+  - name: 'Enable the monitor database'
+    dn: 'olcDatabase={2}monitor,cn=config'
+    objectClass: [ 'olcDatabaseConfig', 'olcMonitorConfig' ]
+    attributes:
+      olcDatabase: '{2}monitor'
+      olcAccess:
+        - |-
+          {0}to dn.subtree="cn=Monitor"
+             by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read
+             by group/organizationalRole/roleOccupant.exact="cn=LDAP Administrator, ou=Roles,{{ slapd__basedn }}" read
+             by group/organizationalRole/roleOccupant.exact="cn=LDAP Monitor,       ou=Roles,{{ slapd__basedn }}" read
+             by group/groupOfNames/member.exact="cn=LDAP Administrators, ou=System Groups,{{ slapd__basedn }}" read
+             by group/groupOfNames/member.exact="cn=LDAP Monitors,       ou=System Groups,{{ slapd__basedn }}" read
+             by * none
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: slapd__acl_tasks [[[
+#
+# Separate list of tasks performed on the OpenLDAP server, defined by the role,
+# meant for the Access Control List configuration. Check the
+# :ref:`slapd__ref_acl` documentation for more details.
+slapd__acl_tasks:
+
+  - name: 'Configure Access Control List'
+    dn: 'olcDatabase={1}mdb,cn=config'
+    ordered: True
+    attributes:
+      olcAccess:
+
+        - |-
+          to dn.subtree="{{ slapd__basedn }}"
+          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Administrator, ou=Roles,{{ slapd__basedn }}" manage
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Replicator,    ou=Roles,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=LDAP Administrators, ou=System Groups,{{ slapd__basedn }}" manage
+          by group/groupOfNames/member.exact="cn=LDAP Replicators,    ou=System Groups,{{ slapd__basedn }}" read
+          by * break
+
+        - |-
+          to dn.subtree="{{ slapd__basedn }}" filter="(memberOf=cn=Hidden Objects, ou=Groups,{{ slapd__basedn }})"
+             attrs="children,entry"
+          by self break
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Administrator,    ou=Roles,{{ slapd__basedn }}" break
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor,           ou=Roles,{{ slapd__basedn }}" break
+          by group/organizationalRole/roleOccupant.exact="cn=Hidden Object Viewer,  ou=Roles,{{ slapd__basedn }}" break
+          by group/groupOfNames/member.exact="cn=LDAP Administrators,    ou=System Groups,{{ slapd__basedn }}" break
+          by group/groupOfNames/member.exact="cn=LDAP Editors,           ou=System Groups,{{ slapd__basedn }}" break
+          by * none
+
+        - |-
+          to filter="(| (objectClass=posixAccount) (objectClass=posixGroup) (objectClass=posixGroupId) (objectClass=uidNext) (objectClass=gidNext) )"
+             attrs="uid,uidNumber,gid,gidNumber,homeDirectory"
+          by group/groupOfNames/member="cn=UNIX Administrators, ou=Groups,{{ slapd__basedn }}"        write
+          by group/groupOfNames/member="cn=UNIX Administrators, ou=System Groups,{{ slapd__basedn }}" write
+          by users read
+
+        - |-
+          to dn.subtree="ou=SUDOers,{{ slapd__basedn }}"
+          by group/groupOfNames/member="cn=UNIX Administrators, ou=Groups,{{ slapd__basedn }}"        write
+          by group/groupOfNames/member="cn=UNIX Administrators, ou=System Groups,{{ slapd__basedn }}" write
+          by users read
+
+        - |-
+          to dn.subtree="ou=People,{{ slapd__basedn }}"
+             attrs="shadowLastChange"
+          by self write
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor,           ou=Roles,{{ slapd__basedn }}" write
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" write
+          by group/organizationalRole/roleOccupant.exact="cn=Password Reset Agent,  ou=Roles,{{ slapd__basedn }}" =w
+          by group/groupOfNames/member.exact="cn=LDAP Editors,           ou=System Groups,{{ slapd__basedn }}" write
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" write
+          by group/groupOfNames/member.exact="cn=Password Reset Agents,  ou=System Groups,{{ slapd__basedn }}" =w
+          by users read
+
+        - |-
+          to dn.subtree="ou=People,{{ slapd__basedn }}"
+             attrs="userPassword"
+          by self =wx
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor,           ou=Roles,{{ slapd__basedn }}" =w
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" =w
+          by group/organizationalRole/roleOccupant.exact="cn=Password Reset Agent,  ou=Roles,{{ slapd__basedn }}" =w
+          by group/groupOfNames/member.exact="cn=LDAP Editors,           ou=System Groups,{{ slapd__basedn }}" =w
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" =w
+          by group/groupOfNames/member.exact="cn=Password Reset Agents,  ou=System Groups,{{ slapd__basedn }}" =w
+          by anonymous auth
+          by * none
+
+        - |-
+          to attrs="userPassword"
+          by self      =wx
+          by anonymous auth
+          by *         none
+
+        - |-  # noqa jinja[spacing]
+          to dn.regex="^cn=(LDAP Administrator|LDAP Replicator), ou=Roles,{{ slapd__basedn }}$"
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor,           ou=Roles,{{ slapd__basedn }}" read
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=LDAP Editors,           ou=System Groups,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" read
+          by * break
+
+        - |-
+          to dn.subtree="cn=UNIX Administrators, ou=Groups,{{ slapd__basedn }}"
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor,           ou=Roles,{{ slapd__basedn }}" read
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=LDAP Editors,           ou=System Groups,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" read
+          by * break
+
+        - |-
+          to dn.subtree="ou=System Groups,{{ slapd__basedn }}"
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor, ou=Roles,{{ slapd__basedn }}" read
+          by group/groupOfNames/member.exact="cn=LDAP Editors, ou=System Groups,{{ slapd__basedn }}" read
+          by * break
+
+        - |-
+          to dn.subtree="{{ slapd__basedn }}"
+          by group/organizationalRole/roleOccupant.exact="cn=LDAP Editor, ou=Roles,{{ slapd__basedn }}" write
+          by group/groupOfNames/member.exact="cn=LDAP Editors, ou=System Groups,{{ slapd__basedn }}" write
+          by * break
+
+        - |-  # noqa jinja[spacing]
+          to dn.regex="^cn=[^,]+,ou=(System Groups|Groups),{{ slapd__basedn }}$"
+             attrs="member"
+          by dnattr="owner" write
+          by * break
+
+        - |-  # noqa jinja[spacing]
+          to dn.regex="^([^,]+,)?ou=(People|Groups|Machines),{{ slapd__basedn }}$"
+             attrs="children,entry"
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" write
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" write
+          by * break
+
+        - |-  # noqa jinja[spacing]
+          to dn.regex="^[^,]+,ou=(People|Groups|Machines),{{ slapd__basedn }}$"
+          by group/organizationalRole/roleOccupant.exact="cn=Account Administrator, ou=Roles,{{ slapd__basedn }}" write
+          by group/groupOfNames/member.exact="cn=Account Administrators, ou=System Groups,{{ slapd__basedn }}" write
+          by * break
+
+        - |-
+          to attrs="carLicense,homePhone,homePostalAddress"
+          by self write
+          by * none
+
+        - |-
+          to attrs="mobile"
+          by self write
+          by group/organizationalRole/roleOccupant.exact="cn=SMS Gateway, ou=Roles,{{ slapd__basedn }}" read
+          by * none
+
+        - |-
+          to *
+          by users read
+          by * none
+
+    state: 'exact'
+
+                                                                   # ]]]
+# .. envvar:: slapd__cluster_tasks [[[
+#
+# Separate list of LDAP tasks meant to be used to configure OpenLDAP clustering
+# on multiple hosts in an Ansible inventory group.
+slapd__cluster_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__structure_tasks [[[
+#
+# List of the tasks performed on the OpenLDAP server which create the basic
+# structure of the directory itself.
+slapd__structure_tasks:
+
+  - name: 'Remove the default cn=admin object'
+    dn: '{{ ["cn=admin"] + slapd__base_dn }}'
+    state: 'absent'
+    entry_state: 'absent'
+
+  - name: 'Create the ou=Groups object'
+    dn: '{{ ["ou=Groups"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=Machines object'
+    dn: '{{ ["ou=Machines"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=Hosts object'
+    dn: '{{ ["ou=Hosts"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=People object'
+    dn: '{{ ["ou=People"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=Roles object'
+    dn: '{{ ["ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=Services object'
+    dn: '{{ ["ou=Services"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=Password Policies object'
+    dn: '{{ ["ou=Password Policies"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+  - name: 'Create the ou=System object'
+    dn: '{{ ["ou=System"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+
+    # Refer to slapo-ppolicy(5) for details
+  - name: 'Create the cn=Default Password Policy object'
+    dn: '{{ ["cn=Default Password Policy", "ou=Password Policies"] + slapd__base_dn }}'
+    objectClass: [ 'namedObject', 'pwdPolicy' ]
+    attributes:
+      cn: 'Default Password Policy'
+      pwdAttribute: 'userPassword'
+      pwdMaxAge: '0'
+      pwdInHistory: '5'
+      pwdCheckQuality: '1'
+      pwdMinLength: '10'
+      pwdExpireWarning: '1209600'
+      pwdGraceAuthNLimit: '5'
+      pwdLockout: 'FALSE'
+      pwdLockoutDuration: '300'
+      pwdMaxFailure: '5'
+      pwdFailureCountInterval: '0'
+      pwdMustChange: 'FALSE'
+      pwdAllowUserChange: 'TRUE'
+      pwdSafeModify: 'FALSE'
+
+  - name: 'Create cn=LDAP Administrator role'
+    dn: '{{ ["cn=LDAP Administrator", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'LDAP Administrator'
+      description: 'People responsible for LDAP infrastructure'
+
+  - name: 'Create cn=LDAP Replicator role'
+    dn: '{{ ["cn=LDAP Replicator", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'LDAP Replicator'
+      description: 'Service accounts used for LDAP replication'
+
+  - name: 'Create cn=LDAP Monitor role'
+    dn: '{{ ["cn=LDAP Monitor", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'LDAP Monitor'
+      description: 'Accounts which can read cn=Monitor information'
+
+  - name: 'Create cn=LDAP Editor role'
+    dn: '{{ ["cn=LDAP Editor", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'LDAP Editor'
+      description: 'People responsible for LDAP contents'
+
+  - name: 'Create cn=UNIX Administrators group'
+    dn: '{{ ["cn=UNIX Administrators", "ou=Groups"] + slapd__base_dn }}'
+    objectClass: [ 'groupOfEntries', 'posixGroup', 'posixGroupId',
+                   'authorizedServiceObject', 'hostObject' ]
+    attributes:
+      cn: 'UNIX Administrators'
+      gid: 'admins'
+      gidNumber: '{{ slapd__groupid_min }}'
+      description: 'People responsible for UNIX-like infrastructure'
+      host: 'posix:all'
+
+  - name: 'Create cn=Account Administrator role'
+    dn: '{{ ["cn=Account Administrator", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'Account Administrator'
+      description: 'People responsible for personal accounts'
+
+  - name: 'Create cn=Password Reset Agent role'
+    dn: '{{ ["cn=Password Reset Agent", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'Password Reset Agent'
+      description: 'Services that can perform password changes on behalf of users'
+
+  - name: 'Create cn=SMS Gateway role'
+    dn: '{{ ["cn=SMS Gateway", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'SMS Gateway'
+      description: 'Devices which send SMS messages to mobile numbers'
+
+  - name: 'Create cn=Hidden Object Viewer role'
+    dn: '{{ ["cn=Hidden Object Viewer", "ou=Roles"] + slapd__base_dn }}'
+    objectClass: 'organizationalRole'
+    attributes:
+      cn: 'Hidden Object Viewer'
+      memberOf: '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}'
+      description: 'LDAP objects which can see hidden objects'
+
+  - name: 'Create cn=Hidden Objects group'
+    dn: '{{ ["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn }}'
+    objectClass: 'groupOfNames'
+    attributes:
+      cn: 'Hidden Objects'
+      member:
+        - '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}'
+        - '{{ (["cn=Hidden Object Viewer", "ou=Roles"] + slapd__base_dn) | join(",") }}'
+      memberOf: '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}'
+      description: 'LDAP objects which are accessible only by privileged accounts'
+
+  - name: 'Create cn=UNIX SSH users group'
+    dn: '{{ ["cn=UNIX SSH users", "ou=Groups"] + slapd__base_dn }}'
+    objectClass: [ 'groupOfEntries', 'posixGroup', 'posixGroupId',
+                   'authorizedServiceObject', 'hostObject' ]
+    attributes:
+      cn: 'UNIX SSH users'
+      gid: 'sshusers'
+      gidNumber: '{{ slapd__groupid_min | int + 1 }}'
+      description: 'People who can connect to UNIX-like infrastructure via SSH'
+      host: 'posix:all'
+
+  - name: 'Create cn=Next POSIX UID object'
+    dn: '{{ ["cn=Next POSIX UID", "ou=System"] + slapd__base_dn }}'
+    objectClass: 'uidNext'
+    attributes:
+      cn: 'Next POSIX UID'
+      uidNumber: '{{ slapd__groupid_max | int + 2 }}'
+      description: 'The next available uidNumber value'
+
+  - name: 'Create cn=Next POSIX GID object'
+    dn: '{{ ["cn=Next POSIX GID", "ou=System"] + slapd__base_dn }}'
+    objectClass: 'gidNext'
+    attributes:
+      cn: 'Next POSIX GID'
+      gidNumber: '{{ slapd__groupid_min | int + 2 }}'
+      description: 'The next available gidNumber value'
+
+  - name: 'Create SUDOers container'
+    dn: '{{ ["ou=SUDOers"] + slapd__base_dn }}'
+    objectClass: 'organizationalStructure'
+    attributes:
+      ou: 'SUDOers'
+      description: 'Container for sudoers.ldap(5) configuration'
+
+  - name: 'Create sudoer defaults LDAP entry'
+    dn: '{{ ["cn=defaults", "ou=SUDOers"] + slapd__base_dn }}'
+    objectClass: 'sudoRole'
+    attributes:
+      cn: 'defaults'
+      description: 'Object which contains default options for all sudo roles'
+
+  - name: 'Allow admins to gain root privileges via sudo'
+    dn: '{{ ["cn=%admins", "ou=SUDOers"] + slapd__base_dn }}'
+    objectClass: 'sudoRole'
+    attributes:
+      cn: '%admins'
+      description: 'Grant privileged access to UNIX accounts in the "admins" UNIX group'
+      sudoUser: '%admins'
+      sudoRunAsUser: 'ALL'
+      sudoRunAsGroup: 'ALL'
+      sudoHost: 'ALL'
+      sudoCommand: 'ALL'
+      sudoOption:
+        - '!authenticate'
+        - '!requiretty'
+        - 'env_check+=SSH_CLIENT'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tasks [[[
+#
+# List of the tasks performed on the OpenLDAP server, defined on all hosts in
+# the Ansible inventory.
+slapd__tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__group_tasks [[[
+#
+# List of the tasks performed on the OpenLDAP server, defined on hosts in
+# a specific Ansible inventory group.
+slapd__group_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__host_tasks [[[
+#
+# List of the tasks performed on the OpenLDAP server, defined on specific hosts
+# in the Ansible inventory.
+slapd__host_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__combined_tasks [[[
+#
+# Variable which combines all of the OpenLDAP task variables and is used in the
+# role tasks and templates.
+slapd__combined_tasks: '{{ slapd__default_tasks
+                           + slapd__acl_tasks
+                           + slapd__cluster_tasks
+                           + slapd__structure_tasks
+                           + slapd__tasks
+                           + slapd__group_tasks
+                           + slapd__host_tasks }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Backup snapshots [[[
+# --------------------
+
+# These variables configure periodic backup snapshots of the OpenLDAP
+# databases. See :ref:`slapd__ref_backup_restore` for more details.
+
+# .. envvar:: slapd__snapshot_deploy_state [[[
+#
+# If ``present``, the snapshot :command:`cron` jobs will be configured to run
+# the :command:`slapd-snapshot` script periodically to create snapshots of
+# known OpenLDAP databases. If ``absent``, the :command:`cron` jobs will be
+# removed.
+slapd__snapshot_deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: slapd__snapshot_cron_jobs [[[
+#
+# List of :command:`cron` periods during which the :command:`slapd-snapshot`
+# script should be executed to create OpenLDAP snapshots.
+slapd__snapshot_cron_jobs: [ 'daily', 'weekly', 'monthly' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Network access to OpenLDAP server [[[
+# -------------------------------------
+
+# .. envvar:: slapd__services [[[
+#
+# List of the service URLs on which OpenLDAP should listen for new connections.
+# Network access is controlled using the firewall rules defined below.
+slapd__services:
+
+  # Listen for plaintext and StartTLS connections
+  - 'ldap:///'
+
+  # Listen for encrypted SSL connections (deprecated)
+  - '{{ "ldaps:///" if slapd__pki | bool else [] }}'
+
+  # Listen for connections on local UNIX domain socket
+  - 'ldapi:///'
+
+                                                                   # ]]]
+# .. envvar:: slapd__ports [[[
+#
+# List of TCP service names of the ports on which OpenLDAP listens for network
+# connections. These ports will be opened in the firewall so that other hosts
+# can contact the LDAP service.
+slapd__ports:
+
+  # Plaintext and StartTLS connections on port 389/tcp
+  - 'ldap'
+
+  # Encrypted SSL connections on port 636/tcp (deprecated)
+  - '{{ "ldaps" if slapd__pki | bool else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__accept_any [[[
+#
+# If ``True``, the role will configure the firewall and TCP Wrappers to accept
+# connections to the OpenLDAP service from any network, specific IP addresses
+# or subnets can be blocked using the ``slapd__*_deny`` variables.
+#
+# If ``False``, the role will block connections to the OpenLDAP via the system
+# firewall and TCP Wrappers from any host; hosts that can connect must be
+# specified via the ``slapd__*_allow`` variables.
+slapd__accept_any: False
+
+                                                                   # ]]]
+# .. envvar:: slapd__deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the OpenLDAP server, defined on all hosts in the Ansible inventory.
+slapd__deny: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__group_deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the OpenLDAP server, defined on hosts in a specific Ansible inventory group.
+slapd__group_deny: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__host_deny [[[
+#
+# List of IP addresses or CIDR subnets which should be blocked from access to
+# the OpenLDAP server, defined on specific hosts in the Ansible inventory.
+slapd__host_deny: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the OpenLDAP
+# server, defined on all hosts in the Ansible inventory.
+slapd__allow: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the OpenLDAP
+# server, defined on hosts in a specific Ansible inventory group.
+slapd__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which should have access to the OpenLDAP
+# server, defined on specific hosts in the Ansible inventory.
+slapd__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP Access Control List tests [[[
+# ----------------------------------
+
+# These variables control the ACL rule testing using a generated
+# :command:`bash` script. See :ref:`slapd__ref_acl_tests` for more details
+# about the ACL testing, and the :ref:`slapd__ref_slapacl_tests` for details
+# about test definition.
+
+# .. envvar:: slapd__slapacl_deploy_state [[[
+#
+# If ``present``, the :command:`slapacl` test suite script will be generated on
+# the host. If ``absent``, the script will be removed.
+slapd__slapacl_deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_test_objects_state [[[
+#
+# This variable controls if the role should add or remove various LDAP objects
+# used for more extensive ACL tests. By default they are not added to avoid
+# issues with production data; they can be very useful in development
+# environments to properly check and verify that the defined ACL rules are
+# consistent with the defined access policy. The supported values are
+# ``present`` or ``absent``.
+slapd__slapacl_test_objects_state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_run_tests [[[
+#
+# When enabled, the :command:`slapacl` test suite will be run on each
+# :ref:`debops.slapd` role execution to test any changes in the ACL rules. You
+# can use this variable to temporarily disable the ACL tests using the
+# ``--extra-vars`` Ansible option, or permanently via the Ansible inventory.
+# The script still will be generated and can be used independently on the
+# OpenLDAP servers to test the ACLs.
+slapd__slapacl_run_tests: True
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_script [[[
+#
+# Absolute path of the :command:`slapacl` test suite script generated by the
+# role.
+slapd__slapacl_script: '/etc/ldap/slapacl-test-suite'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_default_tasks [[[
+#
+# Some of the :command:`slapacl` tests require existing LDAP objects to work
+# correctly. The ``slapd__*slapacl_*_tasks`` variables define list of LDAP
+# objects which will be created or removed, depending on the value of the
+# :envvar:`slapd__slapacl_test_objects_state` variable. The syntax of these
+# lists is the same as the :ref:`slapd__ref_tasks` variables. You can refer to
+# the created LDAP objects in the :command:`slapacl` tests defined elsewhere to
+# test ACL rules.
+#
+# This variable defines the default set of test objects to manage.
+slapd__slapacl_default_tasks:
+
+  - name: 'Manage LDAP Administrator object for ACL tests'
+    dn: 'uid=slapacl-test-ldap-admin,ou=People,{{ slapd__basedn }}'
+    objectClass: [ 'inetOrgPerson' ]
+    attributes:
+      uid: 'slapacl-test-ldap-admin'
+      cn: 'LDAP Administrator'
+      surname: 'Administrator'
+    state: '{{ slapd__slapacl_test_objects_state }}'
+
+  - name: 'Manage cn=LDAP Administrator role'
+    dn: 'cn=LDAP Administrator,ou=Roles,{{ slapd__basedn }}'
+    attributes:
+      roleOccupant: 'uid=slapacl-test-ldap-admin,ou=People,{{ slapd__basedn }}'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "ignore" }}'
+
+
+  - name: 'Manage LDAP Editor object for ACL tests'
+    dn: 'uid=slapacl-test-ldap-editor,ou=People,{{ slapd__basedn }}'
+    objectClass: [ 'inetOrgPerson' ]
+    attributes:
+      uid: 'slapacl-test-ldap-editor'
+      cn: 'LDAP Editor'
+      surname: 'Editor'
+    state: '{{ slapd__slapacl_test_objects_state }}'
+
+  - name: 'Manage cn=LDAP Editor role'
+    dn: 'cn=LDAP Editor,ou=Roles,{{ slapd__basedn }}'
+    attributes:
+      roleOccupant: 'uid=slapacl-test-ldap-editor,ou=People,{{ slapd__basedn }}'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "ignore" }}'
+
+
+  - name: 'Manage UNIX Administrator object for ACL tests'
+    dn: 'uid=slapacl-test-unix-admin,ou=People,{{ slapd__basedn }}'
+    objectClass: [ 'inetOrgPerson' ]
+    attributes:
+      uid: 'slapacl-test-unix-admin'
+      cn: 'UNIX Administrator'
+      surname: 'Administrator'
+    state: '{{ slapd__slapacl_test_objects_state }}'
+
+  - name: 'Manage cn=UNIX Administrator group'
+    dn: 'cn=UNIX Administrators,ou=Groups,{{ slapd__basedn }}'
+    attributes:
+      member: 'uid=slapacl-test-unix-admin,ou=People,{{ slapd__basedn }}'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "ignore" }}'
+
+
+  - name: 'Manage Account Administrator object for ACL tests'
+    dn: 'uid=slapacl-test-account-admin,ou=People,{{ slapd__basedn }}'
+    objectClass: [ 'inetOrgPerson' ]
+    attributes:
+      uid: 'slapacl-test-account-admin'
+      cn: 'Account Administrator'
+      surname: 'Administrator'
+    state: '{{ slapd__slapacl_test_objects_state }}'
+
+  - name: 'Manage cn=Account Administrator role'
+    dn: 'cn=Account Administrator,ou=Roles,{{ slapd__basedn }}'
+    attributes:
+      roleOccupant: 'uid=slapacl-test-account-admin,ou=People,{{ slapd__basedn }}'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "ignore" }}'
+
+
+  - name: 'Manage unprivileged user object for ACL tests'
+    dn: 'uid=slapacl-test-unpriv-user,ou=People,{{ slapd__basedn }}'
+    objectClass: [ 'inetOrgPerson' ]
+    attributes:
+      uid: 'slapacl-test-unpriv-user'
+      cn: 'Unprivileged User'
+      surname: 'User'
+    state: '{{ slapd__slapacl_test_objects_state }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_tasks [[[
+#
+# This variable defines a list of test objects to manage on all hosts in the
+# Ansible inventory. See :ref:`slapd__ref_tasks` for syntax details.
+slapd__slapacl_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_group_tasks [[[
+#
+# This variable defines a list of test objects to manage on hosts in a specific
+# Ansible inventory group. See :ref:`slapd__ref_tasks` for syntax details.
+slapd__slapacl_group_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_host_tasks [[[
+#
+# This variable defines a list of test objects to manage on specific hosts in
+# the Ansible inventory. See :ref:`slapd__ref_tasks` for syntax details.
+slapd__slapacl_host_tasks: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_combined_tasks [[[
+#
+# This variable combines all lists of :command:`slapacl` test objects and is
+# used in the role tasks and templates.
+slapd__slapacl_combined_tasks: '{{ slapd__slapacl_default_tasks
+                                   + slapd__slapacl_tasks
+                                   + slapd__slapacl_group_tasks
+                                   + slapd__slapacl_host_tasks }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_default_tests [[[
+#
+# The list of the OpenLDAP ACL test rules for the :man:`slapacl(8)` command
+# defined by the role. See :ref:`slapd__ref_slapacl_tests` for more details.
+slapd__slapacl_default_tests:
+
+  - name: 'Deny anonymous access to cn=config'
+    dn: 'cn=config'
+    authdn: ''
+    policy: '=0'
+    dry_run: True
+
+  - name: 'Allow administrator access to cn=config'
+    dn: 'cn=config'
+    authdn: 'cn=admin,cn=config'
+    policy: 'manage(=mwrscxd)'
+    dry_run: True
+
+  - name: 'Deny regular user access to cn=config'
+    dn: 'cn=config'
+    authdn: 'uid=slapacl-test-unpriv-user,ou=People,{{ slapd__basedn }}'
+    policy: '=0'
+    dry_run: True
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: 'Deny direct admin access to cn=config'
+    dn: 'cn=config'
+    authdn: 'uid=slapacl-test-ldap-admin,ou=People,{{ slapd__basedn }}'
+    policy: '=0'
+    dry_run: True
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: 'Deny anonymous access to cn=Monitor'
+    dn: 'cn=Monitor'
+    authdn: ''
+    query: 'entry'
+    policy: 'none(=0)'
+    dry_run: True
+
+  - name: 'Deny anonymous access to base DN'
+    dn: '{{ slapd__basedn }}'
+    authdn: ''
+    policy: 'none(=0)'
+
+  - name: "Allow authentication by anonymous users"
+    dn: 'uid=slapacl-test-unpriv-user,ou=People,{{ slapd__basedn }}'
+    authdn: ''
+    query: 'userPassword'
+    policy: 'auth(=xd)'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: "Deny password read access by anonymous users"
+    dn: 'uid=slapacl-test-unpriv-user,ou=People,{{ slapd__basedn }}'
+    authdn: ''
+    query: 'userPassword/read'
+    policy: 'denied'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: 'Deny anonymous access to ou=People'
+    dn: 'ou=People,{{ slapd__basedn }}'
+    authdn: ''
+    queries:
+
+      - name: 'entry'
+        result: 'entry: none(=0)'
+
+      - name: 'children'
+        result: 'children: none(=0)'
+
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: 'Deny write access to ou=People by unprivileged users'
+    dn: 'ou=People,{{ slapd__basedn }}'
+    authdn: 'uid=slapacl-test-unpriv-user,ou=People,{{ slapd__basedn }}'
+    query: 'entry/write'
+    policy: 'denied'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+  - name: 'Allow write access to ou=People by administrators'
+    dn: 'ou=People,{{ slapd__basedn }}'
+    authdn: 'uid=slapacl-test-ldap-admin,ou=People,{{ slapd__basedn }}'
+    query: 'entry/write'
+    policy: 'allowed'
+    state: '{{ "present"
+               if (slapd__slapacl_test_objects_state == "present")
+               else "init" }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_tests [[[
+#
+# The list of the OpenLDAP ACL test rules for the :man:`slapacl(8)` command
+# defined on all hosts in the Ansible inventory.
+# See :ref:`slapd__ref_slapacl_tests` for more details.
+slapd__slapacl_tests: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_group_tests [[[
+#
+# The list of the OpenLDAP ACL test rules for the :man:`slapacl(8)` command
+# defined on hosts in a specific Ansible inventory group.
+# See :ref:`slapd__ref_slapacl_tests` for more details.
+slapd__slapacl_group_tests: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_host_tests [[[
+#
+# The list of the OpenLDAP ACL test rules for the :man:`slapacl(8)` command
+# defined on specific hosts in the Ansible inventory.
+# See :ref:`slapd__ref_slapacl_tests` for more details.
+slapd__slapacl_host_tests: []
+
+                                                                   # ]]]
+# .. envvar:: slapd__slapacl_combined_tests [[[
+#
+# The variable which combines all of the ACL test rule lists and is used in
+# role tasks and templates.
+slapd__slapacl_combined_tests: '{{ slapd__slapacl_default_tests
+                                   + slapd__slapacl_tests
+                                   + slapd__slapacl_group_tests
+                                   + slapd__slapacl_host_tests }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration variables for other Ansible roles [[[
+# ---------------------------------------------------
+
+# .. envvar:: slapd__logrotate__dependent_config [[[
+#
+# Configuration for the :ref:`debops.logrotate` Ansible role.
+slapd__logrotate__dependent_config:
+
+  - filename: 'slapd'
+    sections:
+
+      - logs: '{{ slapd__log_dir + "/*.log" }}'
+        options: |
+          notifempty
+          missingok
+          weekly
+          maxsize 256M
+          rotate 120
+          compress
+        comment: 'OpenLDAP server logs'
+
+      - logs: '{{ slapd__log_dir + "/*.ldif" }}'
+        options: |
+          notifempty
+          missingok
+          monthly
+          maxsize 256M
+          rotate 120
+          compress
+        comment: 'OpenLDAP audit logs'
+
+                                                                   # ]]]
+# .. envvar:: slapd__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+slapd__python__dependent_packages3:
+
+  - '{{ []
+        if (ansible_distribution_release in
+            ["stretch", "trusty", "xenial"])
+        else "python3-ldap" }}'
+
+                                                                   # ]]]
+# .. envvar:: slapd__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+slapd__python__dependent_packages2:
+
+  - 'python-ldap'
+
+                                                                   # ]]]
+# .. envvar:: slapd__ferm__dependent_rules [[[
+#
+# Firewall configuration managed by the :ref:`debops.ferm` Ansible role.
+slapd__ferm__dependent_rules:
+
+  - name: 'reject_slapd'
+    type: 'accept'
+    protocol: 'tcp'
+    dport: '{{ q("flattened", slapd__ports) }}'
+    multiport: True
+    saddr: '{{ slapd__deny + slapd__group_deny + slapd__host_deny }}'
+    weight: '45'
+    by_role: 'debops.slapd'
+    target: 'REJECT'
+    rule_state: '{{ "present"
+                    if (slapd__deny + slapd__group_deny + slapd__host_deny)
+                    else "absent" }}'
+
+  - name: 'accept_slapd'
+    type: 'accept'
+    protocol: 'tcp'
+    dport: '{{ q("flattened", slapd__ports) }}'
+    multiport: True
+    saddr: '{{ slapd__allow + slapd__group_allow + slapd__host_allow }}'
+    accept_any: '{{ slapd__accept_any }}'
+    weight: '50'
+    by_role: 'debops.slapd'
+
+                                                                   # ]]]
+# .. envvar:: slapd__tcpwrappers__dependent_allow [[[
+#
+# Configuration of TCP Wrappers through the :ref:`debops.tcpwrappers` Ansible
+# role.
+slapd__tcpwrappers__dependent_allow:
+
+  - daemon: 'slapd'
+    client: '{{ slapd__allow + slapd__group_allow + slapd__host_allow }}'
+    default: 'ALL'
+    accept_any: '{{ slapd__accept_any }}'
+    weight: '50'
+    filename: 'slapd_dependent_allow'
+    comment: 'Allow connections to OpenLDAP service'
+
+                                                                   # ]]]
+# .. envvar:: slapd__saslauthd__dependent_instances [[[
+#
+# Configuration for the :ref:`debops.saslauthd` Ansible role.
+slapd__saslauthd__dependent_instances:
+
+  - name: 'slapd'
+    group: '{{ slapd__group }}'
+    description: 'OpenLDAP SASL Authentication Daemon'
+    config_path: '/etc/ldap/sasl2/slapd.conf'
+    config_group: '{{ slapd__group }}'
+    config_raw: |
+      pwcheck_method: saslauthd
+      mech_list: PLAIN LOGIN EXTERNAL
+      saslauthd_path: /var/lib/slapd/saslauthd/mux
+    socket_path: '/var/lib/slapd/saslauthd'
+    socket_group: '{{ slapd__group }}'
+    ldap_profile: 'slapd'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/debops.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/debops.schema
new file mode 100644
index 00000000..15246b0a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/debops.schema
@@ -0,0 +1,31 @@
+# debops.schema - Define base object identifiers for DebOps LDAP schemas
+#
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+# The Private Enterprise Number of the DebOps project registered at IANA
+# https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
+objectIdentifier DebOps 1.3.6.1.4.1.53622
+
+# The DebOps project LDAP namespace
+objectIdentifier DebOpsLDAP DebOps:42
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema
new file mode 100644
index 00000000..e50136ab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema
@@ -0,0 +1,96 @@
+# dyngroup.schema -- Dynamic Group schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <https://www.openldap.org/>.
+##
+## Copyright (C) 1998-2018 The OpenLDAP Foundation.
+## Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+## Copyright (C) 2020      DebOps <https://debops.org/>
+## SPDX-License-Identifier: OLDAP-2.8
+##
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <https://www.openldap.org/license.html>.
+#
+# Dynamic Group schema (experimental), as defined by Netscape.  See
+# https://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
+# page 70 for details on how these groups were used.
+#
+# A description of the objectclass definition is available here:
+# https://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
+#
+# depends upon:
+#	core.schema
+#
+# These definitions are considered experimental due to the lack of
+# a formal specification (e.g., RFC).
+#
+# NOT RECOMMENDED FOR PRODUCTION USE!  USE WITH CAUTION!
+#
+# The Netscape documentation describes this as an auxiliary objectclass
+# but their implementations have always defined it as a structural class.
+# The sloppiness here is because Netscape-derived servers don't actually
+# implement the X.500 data model, and they don't honor the distinction
+# between structural and auxiliary classes. This fact is noted here:
+# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
+#
+# In accordance with other existing implementations, we define it as a
+# structural class.
+#
+# Our definition of memberURL also does not match theirs but again
+# their published definition and what works in practice do not agree.
+# In other words, the Netscape definitions are broken and interoperability
+# is not guaranteed.
+#
+# Also see the new DynGroup proposed spec at
+# https://tools.ietf.org/html/draft-haripriya-dynamicgroup-02
+#
+# This schema is modified to support the 'autogroup' overlay by adding a MAY
+# 'member' attribute to the 'groupOfURLs' LDAP object.
+
+objectIdentifier NetscapeRoot 2.16.840.1.113730
+
+objectIdentifier NetscapeLDAP NetscapeRoot:3
+objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
+objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2
+
+objectIdentifier OpenLDAPExp11	1.3.6.1.4.1.4203.666.11
+objectIdentifier DynGroupBase	OpenLDAPExp11:8
+objectIdentifier DynGroupAttr	DynGroupBase:1
+objectIdentifier DynGroupOC	DynGroupBase:2
+
+attributetype ( NetscapeLDAPattributeType:198
+	NAME 'memberURL'
+	DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
+	SUP labeledURI )
+
+attributetype ( DynGroupAttr:1
+	NAME 'dgIdentity'
+	DESC 'Identity to use when processing the memberURL'
+	SUP distinguishedName SINGLE-VALUE )
+
+attributeType ( DynGroupAttr:2
+	NAME 'dgAuthz'
+	DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
+	EQUALITY authzMatch
+	SYNTAX 1.3.6.1.4.1.4203.666.2.7
+	X-ORDERED 'VALUES' )
+
+objectClass ( NetscapeLDAPobjectClass:33
+	NAME 'groupOfURLs'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( memberURL $ businessCategory $ description $ o $ ou $
+	      member $ owner $ seeAlso ) )
+
+# The Haripriya dyngroup schema still needs a lot of work.
+# We're just adding support for the dgIdentity attribute for now...
+objectClass ( DynGroupOC:1
+	NAME 'dgIdentityAux'
+	SUP top AUXILIARY
+	MAY ( dgIdentity $ dgAuthz ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/eduperson.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/eduperson.schema
new file mode 100644
index 00000000..45a67ec8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/eduperson.schema
@@ -0,0 +1,436 @@
+# eduperson.schema - eduPerson & eduOrg schema definition
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+# Based on:                https://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/
+# Based on Debian package: fusiondirectory-plugin-supann-schema
+# eduPerson definition:    https://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
+# eduOrg definition:       https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduOrg-200210.pdf
+
+
+# Object namespace definitions
+# ----------------------------
+
+# The Private Enterprise Number of the Internet2 project registered at IANA
+# https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
+objectIdentifier Internet2 1.3.6.1.4.1.5923
+
+# The eduPerson attribute namespace
+objectIdentifier eduPersonAttribute Internet2:1.1.1
+
+# The eduPerson object namespace
+objectIdentifier eduPersonObject Internet2:1.1.2
+
+# The eduOrg attribute namespace
+objectIdentifier eduOrgAttribute Internet2:1.2.1
+
+# The eduOrg object namespace
+objectIdentifier eduOrgObject Internet2:1.2.2
+
+
+# eduPerson attribute definitions
+# -------------------------------
+
+attributeType ( eduPersonAttribute:1
+                NAME 'eduPersonAffiliation'
+                DESC 'Specifies the person\27s relationship(s) to the
+                      institution in broad categories such as student,
+                      faculty, staff, alum, etc.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:7
+                NAME 'eduPersonEntitlement'
+                DESC 'URI (either URN or URL) that indicates a set
+                      of rights to specific resources.'
+                EQUALITY caseExactMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:2
+                NAME 'eduPersonNickname'
+                DESC 'Person\27s nickname, or the informal name
+                      by which they are accustomed to be hailed.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:3
+                NAME 'eduPersonOrgDN'
+                DESC 'The distinguished name (DN) of the directory entry
+                      representing the institution with which the person
+                      is associated.'
+                EQUALITY distinguishedNameMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:4
+                NAME 'eduPersonOrgUnitDN'
+                DESC 'The distinguished name(s) (DN) of the directory entries
+                      representing the person\27s Organizational Unit(s).'
+                EQUALITY distinguishedNameMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
+
+attributeType ( eduPersonAttribute:5
+                NAME 'eduPersonPrimaryAffiliation'
+                DESC 'Specifies the person\27s primary relationship to the
+                      institution in broad categories such as student,
+                      faculty, staff, alum, etc.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:8
+                NAME 'eduPersonPrimaryOrgUnitDN'
+                DESC 'The distinguished name (DN) of the directory entry
+                      representing the person\27s primary Organizational Unit(s).'
+                EQUALITY distinguishedNameMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:6
+                NAME 'eduPersonPrincipalName'
+                DESC 'A scoped identifier for a person. It should be represented
+                      in the form "user@scope" where "user" is a name-based
+                      identifier for the person and where the "scope" portion MUST be
+                      the administrative domain of the identity system where
+                      the identifier was created and assigned.
+
+                      Each value of "scope" defines a namespace within which
+                      the assigned identifiers MUST be unique. Given this rule,
+                      if two eduPersonPrincipalName (ePPN) values are the same
+                      at a given point in time, they refer to the same person.
+                      There must be one and only one "@" sign in valid values
+                      of eduPersonPrincipalName.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:12
+                NAME 'eduPersonPrincipalNamePrior'
+                DESC 'Each value of this multi-valued attribute represents
+                      an ePPN (eduPersonPrincipalName) value that was previously
+                      associated with the entry. The values MUST NOT include
+                      the currently valid ePPN value. There is no implied
+                      or assumed order to the values.
+
+                      This attribute MUST NOT be populated if ePPN values are ever
+                      reassigned to a different entry (after, for example, a period
+                      of dormancy). That is, they MUST be unique in space and over time.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:9
+                NAME 'eduPersonScopedAffiliation'
+                DESC 'Specifies the person\27s affiliation within a particular
+                      security domain in broad categories such as student,
+                      faculty, staff, alum, etc.
+
+                      The values consist of a left and right component separated
+                      by an "@" sign. The left component is one of the values
+                      from the eduPersonAffiliation controlled vocabulary. This
+                      right-hand side syntax of eduPersonScopedAffiliation
+                      intentionally matches that used for the right-hand side
+                      values for eduPersonPrincipalName. The "scope" portion
+                      MUST be the administrative domain to which the affiliation applies.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:10
+                NAME 'eduPersonTargetedID'
+                DESC 'A persistent, non-reassigned, opaque identifier for a principal.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:11
+                NAME 'eduPersonAssurance'
+                DESC 'Set of URIs that assert compliance with specific standards for identity assurance.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:13
+                NAME 'eduPersonUniqueId'
+                DESC 'A long-lived, non re-assignable, omnidirectional identifier
+                      suitable for use as a principal identifier by authentication
+                      providers or as a unique external key by applications.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:16
+                NAME 'eduPersonOrcid'
+                DESC 'ORCID iDs are persistent digital identifiers for individual
+                      researchers. Their primary purpose is to unambiguously and
+                      definitively link them with their scholarly work products.
+                      ORCID iDs are assigned, managed and maintained by the
+                      ORCID organization.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:17
+                NAME 'eduPersonGlobalId'
+                DESC 'Specifies the person\27s global identifier associated to
+                      him/her outside of the organization, for example national
+                      identification number. This attribute should normally be
+                      protected and with a restricted access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:18
+                NAME 'eduPersonGlobalIdType'
+                DESC 'Specifies the type of the global identifier associated to
+                      a given person outside of the organization, for example
+                      national identification number. This attribute should
+                      normally be protected and with a restricted access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:19
+                NAME 'eduPersonPrimaryLocalId'
+                DESC 'Specifies the person\27s primary local identifier
+                      associated to him/her inside of the organization, for
+                      example student card number. This attribute should
+                      normally be protected and with a restricted access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:20
+                NAME 'eduPersonLocalId'
+                DESC 'Specifies the person\27s local identifier associated
+                      to him/her inside of the organization, for
+                      example student card number. Multiple values are
+                      permitted to allow for historical data. This attribute
+                      should normally be protected and with a restricted
+                      access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:21
+                NAME 'eduPersonPosition'
+                DESC 'Denotes a position of a given person within the
+                      organization.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:22
+                NAME 'eduPersonFunction'
+                DESC 'Denotes a function of a given person within the
+                      organization.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduPersonAttribute:23
+                NAME 'eduPersonAcademicDegree'
+                DESC 'Denotes an academic degree of a given person.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:24
+                NAME 'eduPersonDormBuildingName'
+                DESC 'Specifies the name of the dorm on the organizational
+                      campus in which a given person resides. This attribute
+                      should normally be protected and with a restricted
+                      access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15{256}' )
+
+attributeType ( eduPersonAttribute:25
+                NAME 'eduPersonDormRoomNumber'
+                DESC 'Specifies the dorm room number on the organizational
+                      campus in which a given person resides. This attribute
+                      should normally be protected and with a restricted
+                      access.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15{256}' )
+
+attributeType ( eduPersonAttribute:26
+                NAME 'eduPersonVisible'
+                DESC 'This attribute can be used as an indicator that a given
+                      person should be visible in general views.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:27
+                NAME 'eduPersonSearchable'
+                DESC 'This attribute can be used as an indicator that a given
+                      person should be included in search results.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduPersonAttribute:28
+                NAME 'eduPersonPublic'
+                DESC 'This attribute can be used as an indicator that specific
+                      attributes of a person can be displayed publicly.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+
+# eduPerson object definitions
+# ----------------------------
+
+objectClass ( eduPersonObject
+              NAME 'eduPerson'
+              AUXILIARY
+              MAY ( organizationalStatus $ personalSignature $ personalTitle $
+                    buildingName $ roomNumber $ manager $ secretary $
+                    eduPersonAffiliation $ eduPersonNickname $
+                    eduPersonOrgDN $ eduPersonOrgUnitDN $
+                    eduPersonPrimaryAffiliation $ eduPersonPrincipalName $
+                    eduPersonPrincipalNamePrior $ eduPersonEntitlement $
+                    eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation $
+                    eduPersonTargetedID $ eduPersonAssurance $
+                    eduPersonUniqueId $ eduPersonOrcid $
+                    eduPersonGlobalId $ eduPersonGlobalIdType $
+                    eduPersonPrimaryLocalId $ eduPersonLocalId $
+                    eduPersonPosition $ eduPersonFunction $
+                    eduPersonAcademicDegree $
+                    eduPersonDormBuildingName $ eduPersonDormRoomNumber $
+                    eduPersonVisible $ eduPersonSearchable $ eduPersonPublic ) )
+
+
+# eduOrg attribute definitions
+# ----------------------------
+
+attributeType ( eduOrgAttribute:2
+                NAME 'eduOrgHomePageURI'
+                DESC 'The URL for the organization\27s top level home page.'
+                EQUALITY caseExactMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduOrgAttribute:3
+                NAME 'eduOrgIdentityAuthNPolicyURI'
+                DESC 'An URI pointing to the location of the organization\27s
+                      policy regarding identification and authentication
+                      (the issuance and use of digital credentials). Most often
+                      an URL, but with appropriate resolution mechanisms in place,
+                      could be an URN.'
+                EQUALITY caseExactMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduOrgAttribute:4
+                NAME 'eduOrgLegalName'
+                DESC 'The organization\27s legal corporate name.'
+                EQUALITY caseIgnoreMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduOrgAttribute:5
+                NAME 'eduOrgSuperiorURI'
+                DESC 'LDAP URL for the organization object one level
+                      superior to this entry.'
+                EQUALITY caseExactMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduOrgAttribute:6
+                NAME 'eduOrgWhitePagesURI'
+                DESC 'The URL of the open white pages directory service
+                      for the university, predominantly LDAP these days.'
+                EQUALITY caseExactMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
+
+attributeType ( eduOrgAttribute:7
+                NAME 'eduOrgUnitNumber'
+                DESC 'This attribute specifies an unit number within an
+                      organization. An unit can be composed of multiple
+                      organizational departments.
+
+                      This is a non-standard eduOrg attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduOrgAttribute:8
+                NAME 'eduOrgDepartmentNumber'
+                DESC 'This attribute specifies an unique organizational
+                      department number within an organization.
+
+                      This is a non-standard eduOrg attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduOrgAttribute:9
+                NAME 'eduOrgVisible'
+                DESC 'This attribute can be used as an indicator that a given
+                      organizational unit should be visible in general views.
+
+                      This is a non-standard eduOrg attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( eduOrgAttribute:10
+                NAME 'eduOrgSearchable'
+                DESC 'This attribute can be used as an indicator that a given
+                      organizational unit should be included in search results.
+
+                      This is a non-standard eduPerson attribute.'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+# eduOrg object definitions
+# -------------------------
+
+objectClass ( eduOrgObject
+              NAME 'eduOrg'
+              AUXILIARY
+              MAY ( cn $ buildingName $ roomNumber $ businessCategory $
+                    organizationalStatus $ manager $ secretary $
+                    eduOrgHomePageURI $ eduOrgIdentityAuthNPolicyURI $
+                    eduOrgLegalName $ eduOrgSuperiorURI $ eduOrgWhitePagesURI $
+                    eduOrgUnitNumber $ eduOrgDepartmentNumber $
+                    eduOrgVisible $ eduOrgSearchable ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-client.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-client.schema
new file mode 100644
index 00000000..78cb8ed2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-client.schema
@@ -0,0 +1,96 @@
+# freeradius-clients.schema - Define RADIUS Client LDAP objects used by FreeRADIUS
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/freeradius-clients.schema
+
+# Depends on:
+# - freeradius.schema
+
+
+# Attribute definitions
+# ---------------------
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:1
+                NAME 'radiusClientIdentifier'
+                DESC 'RADIUS Client Identifier'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:2
+                NAME 'radiusClientSecret'
+                DESC 'RADIUS Client Secret'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:3
+                NAME 'radiusClientShortname'
+                DESC 'RADIUS Client Shortname'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:4
+                NAME 'radiusClientVirtualServer'
+                DESC 'RADIUS VirtualServer'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:5
+                NAME 'radiusClientType'
+                DESC 'RADIUS Client Type'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:6
+                NAME 'radiusClientRequireMa'
+                DESC 'RADIUS: Require Message Authenticator'
+                EQUALITY booleanMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSClientAttr:7
+                NAME 'radiusClientComment'
+                DESC 'RADIUS Client comment'
+                EQUALITY caseIgnoreMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+
+# Object definitions
+# ------------------
+
+# This objectClass was changed to AUXILIARY because "RADIUS client" is usually
+# a property of something else, like an Access Point, which then can be defined
+# with its own 'device' STRUCTURAL objectClass.
+objectClass ( FreeRADIUSldapRADIUSClientObject:1
+              NAME 'radiusClient'
+              DESC 'radiusClient object class'
+              SUP top
+              AUXILIARY
+              MUST ( radiusClientIdentifier $ radiusClientSecret )
+              MAY ( radiusClientShortname $ radiusClientVirtualServer $
+                    radiusClientType $ radiusClientRequireMa $
+                    radiusClientComment ) )
+
+# This is a non-standard objectClass that can be used to create "bare" RADIUS
+# Client objects.
+objectClass ( FreeRADIUSldapRADIUSClientObject:2
+              NAME 'radiusClientObject'
+              DESC 'A container ObjectClass to be used for creating RADIUS Client objects'
+              SUP top
+              STRUCTURAL
+              MUST cn
+              MAY ( uid $ userPassword $ description $ owner $ manager $ seeAlso ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv4.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv4.schema
new file mode 100644
index 00000000..17f2fd06
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv4.schema
@@ -0,0 +1,60 @@
+# freeradius-dhcpv4.schema - Define DHCPv4 LDAP objects used by FreeRADIUS
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/freeradius-dhcpv4.schema
+
+# Depends on:
+# - freeradius.schema
+
+
+# Attribute definitions
+# ---------------------
+
+attributeType ( FreeRADIUSldapDHCPv4ProfileAttr:1
+                NAME 'freeradiusDhcpv4Attribute'
+                DESC 'DHCP attribute in format [<list>:]<attr> <op> <value>'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( FreeRADIUSldapDHCPv4ProfileObject:2
+              NAME 'freeradiusDhcpv4Profile'
+              SUP top
+              AUXILIARY
+              MAY ( freeradiusDhcpv4Attribute ) )
+
+
+attributeType ( FreeRADIUSldapDHCPv4ClientAttr:1
+                NAME 'freeradiusDhcpv4GatewayIdentifier'
+                DESC 'Gateway Identifier, usually Option 82 Remote ID'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributeType ( FreeRADIUSldapDHCPv4ClientAttr:2
+                NAME 'freeradiusDhcpv4GatewayAddr'
+                DESC 'Gateway IP address, usually GIADDR'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributeType ( FreeRADIUSldapDHCPv4ClientAttr:3
+                NAME 'freeradiusDhcpv4PoolName'
+                DESC 'DHCP ip pool name'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+objectClass ( FreeRADIUSldapDHCPv4ClientObject:1
+              NAME 'freeradiusDhcpv4Gateway'
+              DESC 'A DHCP gateway, and attributes specific to it'
+              SUP top
+              AUXILIARY
+              MAY ( freeradiusDhcpv4GatewayIdentifier $
+                    freeradiusDhcpv4GatewayAddr $
+                    freeradiusDhcpv4PoolName ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv6.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv6.schema
new file mode 100644
index 00000000..f0aec59d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-dhcpv6.schema
@@ -0,0 +1,60 @@
+# freeradius-dhcpv6.schema - Define DHCPv6 LDAP objects used by FreeRADIUS
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/freeradius-dhcpv6.schema
+
+# Depends on:
+# - freeradius.schema
+
+
+# Attribute definitions
+# ---------------------
+
+attributeType ( FreeRADIUSldapDHCPv6ProfileAttr:1
+                NAME 'freeradiusDhcpv6Attribute'
+                DESC 'DHCP attribute in format [<list>:]<attr> <op> <value>'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectClass ( FreeRADIUSldapDHCPv6ProfileObject:2
+              NAME 'freeradiusDhcpv6Profile'
+              SUP top
+              AUXILIARY
+              MAY ( freeradiusDhcpv6Attribute ) )
+
+
+attributeType ( FreeRADIUSldapDHCPv6ClientAttr:1
+                NAME 'freeradiusDhcpv6GatewayIdentifier'
+                DESC 'Gateway Identifier'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributeType ( FreeRADIUSldapDHCPv6ClientAttr:2
+                NAME 'freeradiusDhcpv6GatewayAddr'
+                DESC 'Gateway IP address'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributeType ( FreeRADIUSldapDHCPv6ClientAttr:3
+                NAME 'freeradiusDhcpv6PoolName'
+                DESC 'DHCP ip pool name'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+                SINGLE-VALUE )
+
+objectClass ( FreeRADIUSldapDHCPv6ClientObject:1
+              NAME 'freeradiusDhcpv6Gateway'
+              DESC 'A DHCP gateway, and attributes specific to it'
+              SUP top
+              AUXILIARY
+              MAY ( freeradiusDhcpv6GatewayIdentifier $
+                    freeradiusDhcpv6GatewayAddr $
+                    freeradiusDhcpv6PoolName ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-profile.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-profile.schema
new file mode 100644
index 00000000..29067346
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-profile.schema
@@ -0,0 +1,451 @@
+# freeradius-profile.schema - Define RADIUS Profile LDAP objects used by FreeRADIUS
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/freeradius.schema
+
+# Depends on:
+# - freeradius.schema
+
+
+# Attribute definitions
+# ---------------------
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:1
+                NAME 'radiusArapFeatures'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:2
+                NAME 'radiusArapSecurity'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:3
+                NAME 'radiusArapZoneAccess'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:44
+                NAME 'radiusAuthType'
+                DESC 'controlItem: Auth-Type'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:4
+                NAME 'radiusCallbackId'
+                DESC 'replyItem: Callback-Id'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:5
+                NAME 'radiusCallbackNumber'
+                DESC 'replyItem: Callback-Number'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:6
+                NAME 'radiusCalledStationId'
+                DESC 'controlItem: Called-Station-Id'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:7
+                NAME 'radiusCallingStationId'
+                DESC 'controlItem: Calling-Station-Id'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:8
+                NAME 'radiusClass'
+                DESC 'replyItem: Class'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:45
+                NAME 'radiusClientIPAddress'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:9
+                NAME 'radiusFilterId'
+                DESC 'replyItem: Filter-Id'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:10
+                NAME 'radiusFramedAppleTalkLink'
+                DESC 'replyItem: Framed-AppleTalk-Link'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:11
+                NAME 'radiusFramedAppleTalkNetwork'
+                DESC 'replyItem: Framed-AppleTalk-Network'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:12
+                NAME 'radiusFramedAppleTalkZone'
+                DESC 'replyItem: Framed-AppleTalk-Zone'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:13
+                NAME 'radiusFramedCompression'
+                DESC 'replyItem: Framed-Compression'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:14
+                NAME 'radiusFramedIPAddress'
+                DESC 'replyItem: Framed-IP-Address'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:15
+                NAME 'radiusFramedIPNetmask'
+                DESC 'replyItem: Framed-IP-Netmask'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:16
+                NAME 'radiusFramedIPXNetwork'
+                DESC 'replyItem: Framed-IPX-Network'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:17
+                NAME 'radiusFramedMTU'
+                DESC 'replyItem: Framed-MTU'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:18
+                NAME 'radiusFramedProtocol'
+                DESC 'replyItem: Framed-Protocol'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:19
+                NAME 'radiusFramedRoute'
+                DESC 'replyItem: Framed-Route'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:20
+                NAME 'radiusFramedRouting'
+                DESC 'replyItem: Framed-Routing'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:46
+                NAME 'radiusGroupName'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:47
+                NAME 'radiusHint'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:48
+                NAME 'radiusHuntgroupName'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:21
+                NAME 'radiusIdleTimeout'
+                DESC 'replyItem: Idle-Timeout'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:22
+                NAME 'radiusLoginIPHost'
+                DESC 'replyItem: Login-IP-Host'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:23
+                NAME 'radiusLoginLATGroup'
+                DESC 'replyItem: Login-LAT-Group'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:24
+                NAME 'radiusLoginLATNode'
+                DESC 'replyItem: Login-LAT-Node'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:25
+                NAME 'radiusLoginLATPort'
+                DESC 'replyItem: Login-LAT-Port'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:26
+                NAME 'radiusLoginLATService'
+                DESC 'replyItem: Login-LAT-Service'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:27
+                NAME 'radiusLoginService'
+                DESC 'replyItem: Login-Service'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:28
+                NAME 'radiusLoginTCPPort'
+                DESC 'replyItem: Login-TCP-Port'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:29
+                NAME 'radiusPasswordRetry'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:30
+                NAME 'radiusPortLimit'
+                DESC 'replyItem: Port-Limit'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:49
+                NAME 'radiusProfileDN'
+                EQUALITY distinguishedNameMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:31
+                NAME 'radiusPrompt'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:50
+                NAME 'radiusProxyToRealm'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:51
+                NAME 'radiusReplicateToRealm'
+                DESC 'control:Replicate-To-Realm'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:52
+                NAME 'radiusRealm'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:32
+                NAME 'radiusServiceType'
+                DESC 'replyItem: Service-Type'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:33
+                NAME 'radiusSessionTimeout'
+                DESC 'replyItem: Session-Timeout'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:34
+                NAME 'radiusTerminationAction'
+                DESC 'replyItem: Termination-Action'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:35
+                NAME 'radiusTunnelAssignmentId'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:36
+                NAME 'radiusTunnelMediumType'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:37
+                NAME 'radiusTunnelPassword'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:38
+                NAME 'radiusTunnelPreference'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:39
+                NAME 'radiusTunnelPrivateGroupId'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:40
+                NAME 'radiusTunnelServerEndpoint'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:41
+                NAME 'radiusTunnelType'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:42
+                NAME 'radiusVSA'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:43
+                NAME 'radiusTunnelClientEndpoint'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:53
+                NAME 'radiusSimultaneousUse'
+                DESC 'controlItem: Simultaneous-Use'
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:54
+                NAME 'radiusLoginTime'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:55
+                NAME 'radiusUserCategory'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:56
+                NAME 'radiusStripUserName'
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:57
+                NAME 'dialupAccess'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:58
+                NAME 'radiusExpiration'
+                DESC 'controlItem: Expiration'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:59
+                NAME 'radiusAttribute'
+                DESC 'controlItem: $GENERIC$'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:61
+                NAME 'radiusNASIpAddress'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:62
+                NAME 'radiusReplyMessage'
+                DESC 'replyItem: Reply-Message'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:63
+                NAME 'radiusControlAttribute'
+                DESC 'controlItem: $GENERIC$'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:64
+                NAME 'radiusReplyAttribute'
+                DESC 'replyItem: $GENERIC$'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributeType ( FreeRADIUSldapRADIUSProfileAttr:65
+                NAME 'radiusRequestAttribute'
+                DESC 'requestItem: $GENERIC$'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+
+# Object definitions
+# ------------------
+
+objectClass ( FreeRADIUSldapRADIUSProfileObject:1
+              NAME 'radiusProfile'
+              SUP top
+              AUXILIARY
+              MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
+                    radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
+                    radiusCalledStationId $ radiusCallingStationId $ radiusClass $
+                    radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
+                    radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
+                    radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $
+                    radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $
+                    radiusAttribute $ radiusFramedRoute $ radiusFramedRouting $
+                    radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $
+                    radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
+                    radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
+                    radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
+                    radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $
+                    radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $
+                    radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $
+                    radiusProfileDN $ radiusSimultaneousUse $ radiusTunnelAssignmentId $
+                    radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $
+                    radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $
+                    radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $
+                    radiusNASIpAddress $ radiusReplyMessage $ radiusControlAttribute $
+                    radiusReplyAttribute $ radiusRequestAttribute ) )
+
+# Originally: radiusObjectProfile
+objectClass ( FreeRADIUSldapRADIUSProfileObject:2
+              NAME 'radiusProfileObject'
+              DESC 'A container ObjectClass to be used for creating RADIUS Profile objects'
+              SUP top
+              STRUCTURAL
+              MUST cn
+              MAY ( uid $ userPassword $ description $ owner $ seeAlso ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-radacct.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-radacct.schema
new file mode 100644
index 00000000..298c106d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius-radacct.schema
@@ -0,0 +1,159 @@
+# freeradius-radacct.schema - Define RADIUS Accounting LDAP objects used by FreeRADIUS
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/freeradius-radacct.schema
+
+# Depends on:
+# - freeradius.schema
+
+
+# Attribute definitions
+# ---------------------
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:66
+                NAME 'radiusAcctAuthentic'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:67
+                NAME 'radiusAcctInputOctets'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:68
+                NAME 'radiusAcctInterval'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:69
+                NAME 'radiusAcctOutputOctets'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:70
+                NAME 'radiusAcctSessionId'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:71
+                NAME 'radiusAcctSessionTime'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:72
+                NAME 'radiusAcctStartTime'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:73
+                NAME 'radiusAcctStopTime'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:74
+                NAME 'radiusAcctTerminateCause'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:75
+                NAME 'radiusAcctUniqueId'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:76
+                NAME 'radiusAcctUpdateTime'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:77
+                NAME 'radiusConnectInfoStart'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:78
+                NAME 'radiusConnectInfoStop'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:79
+                NAME 'radiusNASIdentifier'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:80
+                NAME 'radiusNASPort'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:81
+                NAME 'radiusNASPortId'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:82
+                NAME 'radiusNASPortType'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+attributeType ( FreeRADIUSldapRADIUSAcctAttr:83
+                NAME 'radiusUserName'
+                DESC ''
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+                SINGLE-VALUE )
+
+
+# Object definitions
+# ------------------
+
+objectClass ( FreeRADIUSldapRADIUSAcctObject:3
+              NAME 'radiusAcct'
+              SUP top
+              AUXILIARY
+              MAY ( radiusAcctAuthentic $ radiusAcctInputOctets $
+                    radiusAcctInterval $ radiusAcctOutputOctets $
+                    radiusAcctSessionId $ radiusAcctSessionTime $
+                    radiusAcctStartTime $ radiusAcctStopTime $
+                    radiusAcctTerminateCause $ radiusAcctUniqueId $
+                    radiusAcctUpdateTime $ radiusConnectInfoStart $
+                    radiusConnectInfoStop $ radiusNASIdentifier $
+                    radiusNASPort $ radiusNASPortId $
+                    radiusNASPortType $ radiusUserName ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius.schema
new file mode 100644
index 00000000..c15f8a8a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/freeradius.schema
@@ -0,0 +1,108 @@
+# freeradius.schema - Define base FreeRADIUS LDAP object identifiers
+#
+# Copyright (C) 2009-2020 The FreeRADIUS Server Project <https://freeradius.org/>
+# Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020      DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Based on: https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/schemas/ldap/openldap/oid_layout.txt
+
+
+# Object namespace definitions
+# ----------------------------
+
+# The Private Enterprise Number of the FreeRADIUS Server project registered at IANA
+# https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
+objectIdentifier FreeRADIUS 1.3.6.1.4.1.11344
+
+
+# Specific server areas:
+
+# Dictionary namespace
+objectIdentifier FreeRADIUSdict FreeRADIUS:1
+
+# LDAP namespace
+objectIdentifier FreeRADIUSldap FreeRADIUS:4
+
+
+# Split between protocol identifiers:
+
+# RADIUS objects
+objectIdentifier FreeRADIUSldapRADIUS FreeRADIUSldap:1
+
+# DHCPv4 objects
+objectIdentifier FreeRADIUSldapDHCPv4 FreeRADIUSldap:2
+
+# DHCPv6 objects
+objectIdentifier FreeRADIUSldapDHCPv6 FreeRADIUSldap:3
+
+
+# Split between sets of attributes:
+
+# RADIUS Client attributes
+objectIdentifier FreeRADIUSldapRADIUSClient FreeRADIUSldapRADIUS:1
+
+# RADIUS Profile attributes
+objectIdentifier FreeRADIUSldapRADIUSProfile FreeRADIUSldapRADIUS:2
+
+# RADIUS Accounting attributes
+objectIdentifier FreeRADIUSldapRADIUSAcct FreeRADIUSldapRADIUS:3
+
+# DHCPv4 Client attributes
+objectIdentifier FreeRADIUSldapDHCPv4Client FreeRADIUSldapDHCPv4:1
+
+# DHCPv4 Profile attributes
+objectIdentifier FreeRADIUSldapDHCPv4Profile FreeRADIUSldapDHCPv4:2
+
+# DHCPv6 Client attributes
+objectIdentifier FreeRADIUSldapDHCPv6Client FreeRADIUSldapDHCPv6:1
+
+# DHCPv6 Profile attributes
+objectIdentifier FreeRADIUSldapDHCPv6Profile FreeRADIUSldapDHCPv6:2
+
+
+# LDAP object namespaces:
+
+# RADIUS Client LDAP attributes
+objectIdentifier FreeRADIUSldapRADIUSClientAttr FreeRADIUSldapRADIUSClient:2
+
+# RADIUS Client LDAP objects
+objectIdentifier FreeRADIUSldapRADIUSClientObject FreeRADIUSldapRADIUSClient:1
+
+# RADIUS Profile LDAP attributes
+objectIdentifier FreeRADIUSldapRADIUSProfileAttr FreeRADIUSldapRADIUSProfile:1
+
+# RADIUS Profile LDAP objects
+objectIdentifier FreeRADIUSldapRADIUSProfileObject FreeRADIUSldapRADIUSProfile:2
+
+# RADIUS Accounting LDAP attributes
+objectIdentifier FreeRADIUSldapRADIUSAcctAttr FreeRADIUSldapRADIUSAcct:1
+
+# RADIUS Accounting LDAP objects
+objectIdentifier FreeRADIUSldapRADIUSAcctObject FreeRADIUSldapRADIUSAcct:2
+
+
+# DHCPv4 Client LDAP attributes
+objectIdentifier FreeRADIUSldapDHCPv4ClientAttr FreeRADIUSldapDHCPv4Client:2
+
+# DHCPv4 Client LDAP objects
+objectIdentifier FreeRADIUSldapDHCPv4ClientObject FreeRADIUSldapDHCPv4Client:1
+
+# DHCPv4 Profile LDAP attributes
+objectIdentifier FreeRADIUSldapDHCPv4ProfileAttr FreeRADIUSldapDHCPv4Profile:1
+
+# DHCPv4 Profile LDAP objects
+objectIdentifier FreeRADIUSldapDHCPv4ProfileObject FreeRADIUSldapDHCPv4Profile:2
+
+
+# DHCPv6 Client LDAP attributes
+objectIdentifier FreeRADIUSldapDHCPv6ClientAttr FreeRADIUSldapDHCPv6Client:2
+
+# DHCPv6 Client LDAP objects
+objectIdentifier FreeRADIUSldapDHCPv6ClientObject FreeRADIUSldapDHCPv6Client:1
+
+# DHCPv6 Profile LDAP attributes
+objectIdentifier FreeRADIUSldapDHCPv6ProfileAttr FreeRADIUSldapDHCPv6Profile:1
+
+# DHCPv6 Profile LDAP objects
+objectIdentifier FreeRADIUSldapDHCPv6ProfileObject FreeRADIUSldapDHCPv6Profile:2
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/groupofentries.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/groupofentries.schema
new file mode 100644
index 00000000..e8d0827d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/groupofentries.schema
@@ -0,0 +1,39 @@
+# groupofentries.schema - Add an alternative groupOfNames LDAP object
+#
+# Copyright (C) 2007 Andrew Findlay <andrew.findlay@skills-1st.co.uk>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# This LDAP schema defines the "groupOfEntries" LDAP object, which is an
+# alternative to the "groupOfNames" object. The new groupOfEntries object can
+# be used to create empty groups that don't contain any members.
+
+# Based on: https://tools.ietf.org/html/draft-findlay-ldap-groupofentries-00
+
+# Definition of the groupOfEntries LDAP object
+objectClass ( 1.2.826.0.1.3458854.2.1.1.1
+              NAME 'groupOfEntries'
+              DESC 'a group of names (DNs), can be empty'
+              SUP top STRUCTURAL
+              MUST cn
+              MAY ( member $ businessCategory $ seeAlso $
+                    owner $ ou $ o $ description ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/mailservice.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/mailservice.schema
new file mode 100644
index 00000000..eb83e7b3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/mailservice.schema
@@ -0,0 +1,376 @@
+# mailservice.schema - Support for generic mail service objects and attributes
+#
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# Based on:
+# https://tools.ietf.org/html/draft-srivastava-ldap-mail-00
+# https://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
+# https://tools.ietf.org/html/draft-steinback-ldap-mailgroups-00
+
+# The schema is designed to use the 'mail' LDAP attribute as an uniqueness
+# constraint for the mailAddress, mailAlternateAddress and other attributes
+# across LDAP entries. The 'mail' attribute itself should not be involved in
+# e-mail service operation; it can be used for authentication based on user
+# e-mail addresses.
+
+# Depends upon:
+#     debops.schema
+
+
+# Object namespace definitions
+# ----------------------------
+
+# The mailservice.schema namespace
+objectIdentifier mailService DebOpsLDAP:2
+
+# The mailservice.schema attribute namespace
+objectIdentifier mailServiceAttribute mailService:3
+
+# The mailservice.schema object namespace
+objectIdentifier mailServiceObject mailService:4
+
+
+# mailService attribute definitions
+# ---------------------------------
+
+attributeType ( mailServiceAttribute:1
+                NAME 'mailAddress'
+                DESC 'Primary RFC 822 email address of this recipient, can be
+                      used as a login identifier.'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:2
+                NAME 'mailAlternateAddress'
+                DESC 'Alternate RFC 822 email address(es) of this recipient'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:3
+                NAME 'mailPrivateAddress'
+                DESC 'A confidential RFC 822 email address of this recipient
+                      which can be used as a login identifier.'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:4
+                NAME 'mailContactAddress'
+                DESC 'RFC 822 email address of this recipient which is meant to
+                      be public and serve as the primary contact address.'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:5
+                NAME 'mailInternalAddress'
+                DESC 'An internal RFC 822 email address of this recipient
+                      which will be rewritten to an external email address'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:6
+                NAME 'mailExternalAddress'
+                DESC 'An external RFC 822 email address of this recipient
+                      which will be rewritten to an internal email address'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:7
+                NAME 'mailSenderBccTo'
+                DESC 'RFC 822 BCC email address(es) to add for a given mail sender'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:8
+                NAME 'mailRecipientBccTo'
+                DESC 'RFC 822 BCC email address(es) to add for a given mail recipient'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:9
+                NAME 'mailForwardTo'
+                DESC 'RFC 822 email address(es) to forward all incoming messages to'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:10
+                NAME 'mailForwardToURL'
+                DESC 'LDAP search URL that defines the recipients of the mail messages
+                      sent to this mailing list'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:11
+                NAME 'mailErrorsTo'
+                DESC 'RFC 822 email address(es) to use when routing error and notification
+                      messages to the owner(s) of an email distribution list'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:12
+                NAME 'mailRequestsTo'
+                DESC 'RFC 822 email address(es) to use when routing request
+                      messages sent to the email distribution list'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}' )
+
+attributeType ( mailServiceAttribute:13
+                NAME 'mailEnvelopeAddress'
+                DESC 'RFC 822 envelope sender email address of a given mail user
+                      or email distribution list'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:14
+                NAME 'mailRoutingAddress'
+                DESC 'RFC 822 email address to use when routing messages to
+                      the SMTP MTA of this recipient'
+                EQUALITY caseIgnoreIA5Match
+                SUBSTR caseIgnoreIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:15
+                NAME 'mailHost'
+                DESC 'Fully Qualified Domain Name of the SMTP MTA that
+                      handles messages for this recipient'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15{256}'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:16
+                NAME 'mailTransport'
+                DESC 'MTA mail transport method which will take care of the email delivery'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:17
+                NAME 'mailUidNumber'
+                DESC 'UID required to access the mailbox'
+                EQUALITY integerMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.27'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:18
+                NAME 'mailGidNumber'
+                DESC 'GID required to access the mailbox'
+                EQUALITY integerMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.27'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:19
+                NAME 'mailHomeDirectory'
+                DESC 'The absolute path to the mail user home directory'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+
+attributeType ( mailServiceAttribute:20
+                NAME 'mailMessageStore'
+                DESC 'The path to the mail user mailbox storage directory'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:21
+                NAME 'mailQuota'
+                DESC 'Mail quota limit in kilobytes'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:22
+                NAME 'mailGroupACL'
+                DESC 'Comma-separated list of mail groups a given mail user
+                      belongs to, used for mailbox access control'
+                EQUALITY caseExactIA5Match
+                SUBSTR caseExactIA5SubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributetype ( mailServiceAttribute:23
+                NAME 'mailExpungeTrash'
+                DESC 'Time to automatically expunge Trash mailbox'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:24
+                NAME 'mailSieveRuleSource'
+                DESC 'Definition of a Sieve filter script for a given mail user'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:25
+                NAME 'mailSuppressErrors'
+                DESC 'Suppress error messages from being sent back to message originator'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:26
+                NAME 'mailDeliveryFile'
+                DESC 'Path to a file used for archiving messages sent to the distribution list'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:27
+                NAME 'mailDeliveryOption'
+                DESC 'Message handling option for messages sent to a designated recipient'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:28
+                NAME 'mailProgramDeliveryInfo'
+                DESC 'Named programs for message post-processing'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:29
+                NAME 'mailAuthorizedDomain'
+                DESC 'Domains authorized to submit messages to the distribution list'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:30
+                NAME 'mailAuthorizedSender'
+                DESC 'Addresses authorized to submit messages to the distribution list'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:31
+                NAME 'mailUnauthorizedDomain'
+                DESC 'Domains not authorized to submit messages to the distribution list'
+                EQUALITY caseIgnoreIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:32
+                NAME 'mailUnauthorizedSender'
+                DESC 'Addresses not authorized to submit messages to the distribution list'
+                EQUALITY caseExactIA5Match
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:33
+                NAME 'mailRemoveHeader'
+                DESC 'Headers to remove from the messages sent to the mailing list'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:34
+                NAME 'mailAddHeader'
+                DESC 'Headers to add to the messages sent to the mailing list'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
+
+attributeType ( mailServiceAttribute:35
+                NAME 'mailAntispamPolicy'
+                DESC 'Name of the anti-spam policy to apply to a given LDAP entry'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:36
+                NAME 'mailAntivirusPolicy'
+                DESC 'Name of the anti-virus policy to apply to a given LDAP entry'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+attributeType ( mailServiceAttribute:37
+                NAME 'mailContentPolicy'
+                DESC 'Name of the content policy to apply to a given LDAP entry'
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.26'
+                SINGLE-VALUE )
+
+
+# mailService object definitions
+# ------------------------------
+
+objectClass ( mailServiceObject:1
+              NAME 'mailRecipient'
+              DESC 'The entry represents an entity within the organization that
+                    can receive SMTP mail, such as a mail user account'
+              SUP top AUXILIARY
+              MUST ( mailAddress $ mail )
+              MAY ( mailAlternateAddress $ mailPrivateAddress $ mailContactAddress $
+                    mailEnvelopeAddress $ mailRoutingAddress $
+                    mailExternalAddress $ mailInternalAddress $ mailSenderBccTo $
+                    mailRecipientBccTo $ mailHost $ mailTransport $ mailUidNumber $ mailGidNumber $
+                    mailHomeDirectory $ mailMessageStore $ mailQuota $ mailGroupACL $
+                    mailExpungeTrash $ mailSieveRuleSource $ mailDeliveryOption $
+                    mailProgramDeliveryInfo $ cn $ description $ uid $ userPassword ) )
+
+objectClass ( mailServiceObject:2
+              NAME 'mailAlias'
+              DESC 'The entry represents an entity within the organization that
+                    defines an email alias for mail recipients'
+              SUP top STRUCTURAL
+              MUST ( mailAddress $ mail )
+              MAY ( mailForwardTo $ mailForwardToURL $ mailHost $ mailTransport $
+                    mailDeliveryFile $ mailDeliveryOption $ mailProgramDeliveryInfo $
+                    cn $ description $ owner ) )
+
+objectClass ( mailServiceObject:3
+              NAME 'mailDistributionList'
+              DESC 'The entry represents an entity within the organization that
+                    can receive and forward SMTP mail, such as a mail
+                    group account (mailing list)'
+              SUP top AUXILIARY
+              MUST ( mailAddress $ mail )
+              MAY ( mailForwardTo $ mailForwardToURL $ mailEnvelopeAddress $ mailErrorsTo $
+                    mailRequestsTo $ mailSuppressErrors $ mailHost $ mailTransport $
+                    mailDeliveryFile $ mailDeliveryOption $ mailProgramDeliveryInfo $
+                    mailAuthorizedDomain $ mailAuthorizedSender $ mailUnauthorizedDomain $
+                    mailUnauthorizedSender $ mailRemoveHeader $ mailAddHeader $
+                    cn $ description $ owner $ manager $ seeAlso ) )
+
+objectClass ( mailServiceObject:4
+              NAME 'mailDomain'
+              DESC 'The entry represents an entity within the organization that
+                    defines an email domain'
+              SUP domain STRUCTURAL
+              MAY ( mailHost $ mailTransport $ mailSenderBccTo $ mailRecipientBccTo $
+                    mailErrorsTo $ mailSuppressErrors $ mailAuthorizedDomain $
+                    mailAuthorizedSender $ mailUnauthorizedDomain $ mailUnauthorizedSender $
+                    mailRemoveHeader $ mailAddHeader $ description $ owner $ manager ) )
+
+objectClass ( mailServiceObject:5
+              NAME 'mailFilter'
+              DESC 'The entry represents an entity within the organization that
+                    can filter email messages according to various policies'
+              SUP top AUXILIARY
+              MAY ( mailAntispamPolicy $ mailAntivirusPolicy $ mailContentPolicy $
+                    cn $ description $ seeAlso ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextcloud.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextcloud.schema
new file mode 100644
index 00000000..61447654
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextcloud.schema
@@ -0,0 +1,78 @@
+# nextcloud.schema - Nextcloud schema definition
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+# Based on: https://docs.nextcloud.com/server/stable/admin_manual/configuration_user/user_auth_ldap.html
+
+
+# Object namespace definitions
+# ----------------------------
+
+# The Private Enterprise Number of the Nextcloud project registered at IANA
+# https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
+objectIdentifier Nextcloud 1.3.6.1.4.1.49213
+
+# The Nextcloud LDAP namespace
+objectIdentifier NextcloudLDAP Nextcloud:1
+
+# The Nextcloud LDAP attribute namespace
+objectIdentifier NextcloudLDAPAttribute NextcloudLDAP:1
+
+# The Nextcloud LDAP object namespace
+objectIdentifier NextcloudLDAPObject NextcloudLDAP:2
+
+
+# Nextcloud attribute definitions
+# -------------------------------
+
+attributeType ( NextcloudLDAPAttribute:1
+                NAME 'nextcloudQuota'
+                DESC 'Nextcloud disk quota (e.g. 15 GB)'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+attributeType ( NextcloudLDAPAttribute:2
+                NAME 'nextcloudEnabled'
+                DESC 'Whether user or group should be available in Nextcloud'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
+
+
+# Nextcloud object definitions
+# ----------------------------
+
+objectClass ( NextcloudLDAPObject:1
+              NAME 'nextcloudAccount'
+              DESC 'Object with attributes used by Nextcloud user accounts'
+              AUXILIARY
+              MUST ( cn $ uid )
+              MAY ( nextcloudQuota $ nextcloudEnabled ) )
+
+objectClass ( NextcloudLDAPObject:2
+              NAME 'nextcloudGroup'
+              DESC 'Object with attributes used by Nextcloud groups'
+              AUXILIARY
+              MUST ( cn )
+              MAY ( nextcloudEnabled ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextuidgid.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextuidgid.schema
new file mode 100644
index 00000000..b935beb5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/nextuidgid.schema
@@ -0,0 +1,53 @@
+# nextuidgid.schema - Helper LDAP objects that keep track of next UID/GID values
+#
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+# Based on: https://www.rexconsulting.net/ldap-protocol-uidnumber.html/
+
+# Depends upon:
+#     rfc2307bis.schema
+#     debops.schema
+
+
+# The nextuidgid.schema namespace
+objectIdentifier nextUidGid DebOpsLDAP:3
+
+# The nextuidgid.schema object namespace
+objectIdentifier nextUidGidObject nextUidGid:1
+
+# Definition of the object which tracks the next UID value
+objectClass ( nextUidGidObject:1
+              NAME 'uidNext'
+              DESC 'LDAP object which tracks the next available UID number'
+              SUP top STRUCTURAL
+              MUST ( cn $ uidNumber )
+              MAY description )
+
+# Definition of the object which tracks the next GID value
+objectClass ( nextUidGidObject:2
+              NAME 'gidNext'
+              DESC 'LDAP object which tracks the next available GID number'
+              SUP top STRUCTURAL
+              MUST ( cn $ gidNumber )
+              MAY description )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/openssh-lpk.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/openssh-lpk.schema
new file mode 100644
index 00000000..c87ea5ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/openssh-lpk.schema
@@ -0,0 +1,60 @@
+# openssh-lpk.schema: LDAP Public Key Patch schema for use with openssh-ldappubkey
+#
+# Copyright (C) 2008 Eric AUGE <eau@phear.org>
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Based on the proposal of : Mark Ruijter
+#
+# This schema extends the popular 'openssh-lpk' LDAP schema with an additional
+# 'sshPublicKeyId' attribute. This attribute can be used to hold the OpenSSH
+# public key fingerprint, used in the OpenSSH server logs, for easy lookup in
+# the directory. This might be useful when multiple people or services have
+# access to the same SSH account.
+#
+# Newer OpenSSH versions include the public key fingerprint in the logs as
+# a SHA256 hash encoded using base64. To generate the hash from the
+# 'id_rsa.pub' file, use the command:
+#
+#     ssh-keygen -lf ~/.ssh/id_rsa.pub
+#
+# Alternatively, to generate the hash manually you can use the command:
+#
+#     cat ~/.ssh/id_rsa.pub | awk '{print $2}' | base64 -d \
+#         | sha256sum | awk '{print $1}' | xxd -r -p | base64
+#
+# The 'sshPublicKeyId' attribute can be used to store the current and past SSH
+# public key fingerprints, for auditing. Log monitoring software can then
+# extract the hashes from logs and lookup the users in the LDAP directory. The
+# fingerprints should only be included in the LDAP entries of the key owners;
+# the service accounts don't need them.
+#
+# Suggested format of the entries:
+#
+#     sshPublicKeyId: SHA256:<hash>
+#
+# Reference: https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting
+
+
+# octetString SYNTAX
+attributeType ( 1.3.6.1.4.1.24552.500.1.1.1.13
+                NAME 'sshPublicKey'
+                DESC 'SSH public key material'
+                EQUALITY octetStringMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# octetString SYNTAX
+attributeType ( 1.3.6.1.4.1.24552.500.1.1.1.14
+                NAME 'sshPublicKeyId'
+                DESC 'SSH public key fingerprint'
+                EQUALITY caseExactMatch
+                SUBSTR caseExactSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# printableString SYNTAX yes|no
+objectClass ( 1.3.6.1.4.1.24552.500.1.1.2.0
+              NAME 'ldapPublicKey'
+              SUP top AUXILIARY
+              DESC 'This object can contain SSH public key information'
+              MAY ( uid $ sshPublicKey $ sshPublicKeyId ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/orgstructure.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/orgstructure.schema
new file mode 100644
index 00000000..04371652
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/orgstructure.schema
@@ -0,0 +1,55 @@
+# orgstructure.schema - Object which helps define the base tree structure
+#
+# Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+# Depends upon:
+#     core.schema
+#     cosine.schema
+#     debops.schema
+
+# This LDAP schema defines the 'organizationalStructure' object, which is meant
+# to be used in base structure of the directory, for example to create such
+# objects as "ou=People,dc=example,dc=org" or "ou=Groups,dc=example,dc=org".
+#
+# These objects are usually created by using the 'organizationalUnit' object
+# type, however this may have an impact on the possible OpenLDAP ACL rules.
+# Using a separate object type permits definition of extensive access control
+# rules, for example to allow owners of a given object to modify it and its
+# subtrees, and managers to only allow modifications in the subtrees of a given
+# object.
+
+
+# The organizationalstructure.schema namespace
+objectIdentifier orgStructureSchema DebOpsLDAP:4
+
+# The organizationalstructure.schema object namespace
+objectIdentifier orgStructureSchemaObject orgStructureSchema:1
+
+# Definition of the organizationalStructure object
+objectClass ( orgStructureSchemaObject:1
+              NAME 'organizationalStructure'
+              DESC 'Object which defines the base structure of an organization'
+              SUP top STRUCTURAL
+              MAY ( o $ cn $ ou $ description $ owner $ manager $
+                    organizationalStatus $ uniqueIdentifier $ seeAlso ) )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/posixgroupid.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/posixgroupid.schema
new file mode 100644
index 00000000..9f8dd950
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/posixgroupid.schema
@@ -0,0 +1,66 @@
+# posixgroupid.schema - Add missing 'gid' attribute to rfc2307bis schema
+#
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: MIT
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+
+# Depends upon:
+#     rfc2307bis.schema
+#     debops.schema
+
+
+# The posixgroupid.schema namespace
+objectIdentifier posixGroupId DebOpsLDAP:1
+
+# The posixgroupid.schema attribute namespace
+objectIdentifier posixGroupIdAttribute posixGroupId:3
+
+# The posixgroupid.schema object namespace
+objectIdentifier posixGroupIdObject posixGroupId:4
+
+# Definition of the 'gid' / 'groupid' attribute which is a POSIX group
+# identifier. It should be used instead of the 'cn' attribute for posixGroup
+# objects to allow the 'cn' attribute to be used as a "human-readable" name of
+# the group in the LDAP directory.
+#
+# Syntax: Directory String
+attributeType ( posixGroupIdAttribute:1
+                NAME ( 'gid' 'groupid' )
+                DESC 'POSIX group identifier'
+                EQUALITY caseIgnoreMatch
+                SUBSTR caseIgnoreSubstringsMatch
+                SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+# Simple LDAP object with the 'gid' attribute
+objectClass ( posixGroupIdObject:1
+              NAME 'gidObject'
+              DESC 'An object with a POSIX group identifier'
+              SUP 'top' AUXILIARY
+              MUST gid )
+
+# A POSIX group with an associated name in the 'gid' attribute, subclass of the
+# 'posixGroup' object class.
+objectClass ( posixGroupIdObject:2
+              NAME 'posixGroupId'
+              DESC 'Abstraction of a named group of POSIX accounts'
+              SUP 'posixGroup' AUXILIARY
+              MUST gid )
diff --git a/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/schac.schema b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/schac.schema
new file mode 100644
index 00000000..50ea4a28
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/etc/ldap/schema/debops/schac.schema
@@ -0,0 +1,666 @@
+# schac.schema - SCHema for ACademia
+
+# Copyright (C) 2005-2015 Heather Flanagan, SCHAC Shepherd <refeds@terena.org>
+# SPDX-License-Identifier: CC-BY-3.0
+# License information: https://refeds.org/about/participants
+
+#----------------------------------------------------------------------
+#
+# schac v: 20150413-1.5.0
+#
+# SCHema for ACademia
+# Attribute definitions for individual data
+#
+# The latest version of this document is available at
+# https://wiki.refeds.org/display/STAN/SCHAC+Releases
+#
+#----------------------------------------------------------------------
+#
+# Changelog
+#
+# 20150413 - 1.5.0
+# 20110705 - 1.4.1
+# 20110602 - Changed the example of attribute schacPersonalUniqueID from
+#            "NIF" to "DNI"
+# 20100916 - Changed "# of values" from single-valued to multivalued in
+#            schacHomeOrganizationType.
+# 20090326 - 1.4.0
+# 20090313 - Added schacYearOfBirth experimental attribute.
+# 20090304 - Changed schacProjectMembership and schacProjectSpecificRole
+#            from experimental OID branch to official branch below
+#            schacGroupMembership object class.
+#          - OIDs schacExpAttr:1 and schacExpAttr:2 are obsoleted and
+#            will not be reused ever.
+# 20061215 - Added schacExerimental ObjectClass and schacProjectMembership
+#            and schacProjectSpecificRole experimental attributes
+# 20061212 - 1.3.0
+#          - Changed references from terena.org to terena.org.
+# 20061125 - Changed schacPersonalPosition and schacUserStaus format
+#            and samples
+# 20061017 - Delete shacUUID attribute (TF-EMC2 M�laga)
+# 20060928 - Changed schacHomeOrganization syntax OID
+#          - New definition of shacUUID attribute
+# 20060504 - 1.2.0
+#          - Changed schacUserPresenceID syntax from URN to URI.
+#          - Added references to the TERENA URN registry.
+#          - Clarify schaExpiryDate scope.
+# 20060327 - SCHAC URN assigned:  urn:mace:terena.org:schac
+# 20060310 - 1.1.1
+#          - TERENA OID assigned: 1.3.6.1.4.1.25178
+# 20060210 - Second release
+# 20051122 - Initial release
+#
+
+objectIdentifier TERENA 1.3.6.1.4.1.25178
+
+objectIdentifier schac TERENA:1
+objectIdentifier schacExperimental schac:0
+objectIdentifier schacObjectClass schac:1
+objectIdentifier schacAttributeType schac:2
+objectIdentifier schacExpObjClass schacExperimental:1
+objectIdentifier schacExpAttr schacExperimental:2
+
+
+#----------------------------------------------------------------------
+# Attributes
+#----------------------------------------------------------------------
+
+#
+# schacMotherTongue
+#
+# Descrip: Is the language a person learns first. Correspondingly,
+#          the person is called a native speaker of the language.
+#          Usually a child learns the basics of their first language
+#          from their family.
+#
+#  Format: See RFC 3066 Tags for the Identification of Languages
+#
+# Example: schacMotherTongue: fr
+# Example: schacMotherTongue: es-ES
+#
+attributetype ( schacAttributeType:1
+    NAME 'schacMotherTongue'
+    DESC 'RFC 3066 code for preferred language of communication'
+    EQUALITY caseExactMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacGender
+#
+# Descrip: The state of being male or female. The gender attribute
+#          specifies the legal gender of the subject it is associated with.
+#          "Either of the two groups that people, animals and plants are
+#          divided into according to their function of producing young"
+#          (Oxford Advanced Learner's Dictionary)
+#
+#  Format: 0  Not known
+#          1  Male
+#          2  Female
+#          9  Not specified
+#
+# Example: schacGender: 2
+#
+attributetype ( schacAttributeType:2
+    NAME 'schacGender'
+    DESC 'Representation of human sex (see ISO 5218)'
+    EQUALITY integerMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+#
+# schacDateOfBirth
+#
+# Descrip: The date of birth for the subject it is associated with
+#
+#  Format: Numeric value YYYYMMDD, using 4 digits for year, 2 digits
+#          for month and 2 digits for day as described in RFC 3339
+#          'Date and Time on the Internet: Timestamps' as reference
+#          using the  'full-date' format from paragraph 5.6 but without
+#          the dashes.
+#
+# Example: schacDateOfBirth: 19660412
+#
+attributetype ( schacAttributeType:3
+    NAME 'schacDateOfBirth'
+    DESC 'Date of birth (format YYYYMMDD, only numeric chars)'
+    EQUALITY numericStringMatch
+    ORDERING numericStringOrderingMatch
+    SUBSTR numericStringSubstringsMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
+
+#
+# schacPlaceOfBirth
+#
+# Descrip: Specifies the place of birth for the subject it is associated with.
+#
+#  Format: Free string
+#
+# Example: schacPlaceOfBirth: Algeciras, Spain
+#
+attributetype ( schacAttributeType:4
+    NAME 'schacPlaceOfBirth'
+    DESC 'Birth place of a person'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacCountryOfCitizenship
+#
+# Descrip: Specifies the (claimed) countries of citizenship for the
+#          subject it is associated with.
+#
+#  Format: Two-letter country acronym in accordance with ISO 3166.
+#
+# Example: schacCountryOfCitizenship: es
+#
+attributetype ( schacAttributeType:5
+    NAME 'schacCountryOfCitizenship'
+    DESC 'Country of citizenship of a person. Format two-letter acronym according to ISO 3166'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacSn1
+#
+# Descrip: First surname of a person ("the surname" in international terms)
+#
+#          schacSn1 would contain whatever values the described person
+#          thinks they should contain. Splitting shall be done by humans.
+#          That means that, when filling a SCHAC-based description that
+#          allows the use of schacSn1 and schacSn2, the  administrators
+#          must ask for 1st surname and 2nd surname (if applicable) as
+#          well as they do for givenName, surname, etc.
+#
+#  Format: Free string
+#
+# Example: In Spain, if sn = Lopez de la Moraleda y de Las Altas Alcurnias
+#          and that person uses Lopez de la Moraleda as the first component
+#          of the surname we can write:
+#
+#          schacSn1: Lopez de la Moraleda
+#
+#          In Poland, if sn = Gorecka-Wolniewicz and we decide to use the
+#          national convention for the sn attribute, we can write:
+#
+#          schacSn1: Wolniewicz
+#
+attributetype ( schacAttributeType:6
+    NAME 'schacSn1'
+    DESC 'First surname of a person'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacSn2
+#
+# Descrip: Second surname of a person (how this is assigned is a local matter).
+#
+#          schacSn2 would contain whatever values the described person
+#          thinks they should contain. Splitting shall be done by humans.
+#          That means that, when filling a SCHAC-based description that
+#          allows the use of schacSn1 and schacSn2, the administrators
+#          must ask for 1st surname and 2nd surname (if applicable) as well
+#          as they do for givenName, surname, etc.
+#
+#  Format: Free string
+#
+# Example: In Spain, if sn = Lopez de la Moraleda y de Las Altas Alcurnias
+#          and that person uses Lopez de la Moraleda as the second component
+#          of the surname we can write:
+#
+#          schacSn2: de Las Altas Alcurnias
+#
+#          In Poland, if sn = Gorecka-Wolniewicz and we decide to use the
+#          national convention for the sn attribute, we can write:
+#
+#          schacSn2: Gorecka
+#
+attributetype ( schacAttributeType:7
+    NAME 'schacSn2'
+    DESC 'Second surname of a person'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacPersonalTitle
+#
+# Descrip: The Personal Title attribute type specifies a personal title
+#          or salutation for a person. Examples of personal titles are
+#          "Ms", "Dr", "Prof", "Rev", "Sr".
+#
+#  Format: Free string
+#
+# Example: schacPersonalTitle: Prof
+#
+attributetype ( schacAttributeType:8
+    NAME 'schacPersonalTitle'
+    DESC 'RFC1274: personal title'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SINGLE-VALUE
+    SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacHomeOrganization
+#
+# Descrip: Specifies a person�s home organization using the domain name
+#          of the organization
+#
+#  Format: Domain name according to RFC 1035.
+#
+# Example: schacHomeOrganization: tut.fi
+#
+attributetype ( schacAttributeType:9
+    NAME 'schacHomeOrganization'
+    DESC 'Domain name of the home organization'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacHomeOrganizationType
+#
+# Descrip: Type of a Home Organization
+#
+#  Format: urn:mace:terena.org:schac:homeOrganizationType:<country-code>:<string>
+#
+#          - The <country-code> must be a valid two-letter ISO 3166
+#            country code identifier or the string "int", and assigned by
+#            TERENA URN Registry for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/homeOrganizationType/
+#
+#          - <string> from a nationally controlled vocabulary, published
+#            through the URI identified at the above mentioned TERENA URN
+#            registry
+#
+# Example: Common values:
+#
+#          urn:mace:terena.org:schac:homeOrganizationType:int:university
+#          urn:mace:terena.org:schac:homeOrganizationType:int:uas
+#          urn:mace:terena.org:schac:homeOrganizationType:int:research-institution
+#          urn:mace:terena.org:schac:homeOrganizationType:int:university-hospital
+#          urn:mace:terena.org:schac:homeOrganizationType:int:nren
+#          urn:mace:terena.org:schac:homeOrganizationType:int:other
+#
+#          National extensions:
+#
+#          urn:mace:terena.org:schac:homeOrganizationType:ch:vho
+#          urn:mace:terena.org:schac:homeOrganizationType:es:opi
+#
+attributetype ( schacAttributeType:10
+    NAME 'schacHomeOrganizationType'
+    DESC 'Type of the home organization'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacCountryOfResidence
+#
+# Descrip: Specifies the (claimed) country of residence for the subject
+#          is associated with.
+#
+#  Format: Two-letter country acronym in accordance with ISO 3166 country
+#          code identifier.
+#
+# Example: schacCountryOfResidence: es
+#
+attributetype ( schacAttributeType:11
+    NAME 'schacCountryOfResidence'
+    DESC 'Country of residence of a person. Format two-letter acronym according to ISO 3166'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacUserPresenceID
+#
+# Descrip: To store a set of user identifiers in presence and instant
+#          messaging systems and protocols
+#
+#  Format: URI
+#
+# Example: schacUserPresenceID: xmpp:pepe@im.univx.es
+#          schacUserPresenceID: sip:jose.perez@myweb.es
+#          schacUserPresenceID: sip:+34-95-505-6600@univx.es;transport=TCP;user=phone
+#          schacUserPresenceID: sips:alice@atlanta.com?subject=project%20x&priority=urgent
+#          schacUserPresenceID: h323:pepe@myweb.fi:808;pars
+#          schacUserPresenceID: skype:pepe.perez
+#
+attributetype ( schacAttributeType:12
+    NAME 'schacUserPresenceID'
+    DESC 'Used to store a set of values related to the network presence'
+    EQUALITY caseExactMatch
+    SUBSTR caseExactSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacPersonalPosition
+#
+# Descrip: Specifies a personal position inside an institution
+#
+#  Format: urn:mace:terena.org:schac:personalPosition:<country-code>:<domain>:<iNSS>
+#
+#          - The <country-code> must be a valid two-letter ISO 3166 country
+#            code identifier or the string "int", and assigned by the
+#            TERENA URN Registry for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/personalPosition/
+#
+#          - <domain> is the institution domain name according to RFC 1035
+#
+#          - <iNSS> is a Namespace Specific String as defined in RFC 2141
+#            but case insenstitive. Valid components for it are those
+#            specified (or explicitly delegated) by the TERENA URN Registry
+#            for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/personalPosition/
+#
+# Example: schacPersonalPosition: urn:mace:terena.org:schac:personalPosition:pl:umk.pl:programmer
+#
+attributetype ( schacAttributeType:13
+    NAME 'schacPersonalPosition'
+    DESC 'Position inside an institution'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacPersonalUniqueCode
+#
+# Descrip: Specifies a "unique code" for the subject it is associated with.
+#          Its value does not necessarily correspond to any identifier
+#          outside the scope of the directories using this schema.
+#
+#          This might be Student number, Employee number,...
+#
+#  Format: urn:mace:terena.org:schac:personalUniqueCode:<country-code>:<iNSS>
+#
+#          - The <country-code> must be a valid two-letter ISO 3166 country
+#            code identifier or the string "int", and assigned by the TERENA
+#            URN Registry for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/personalUniqueCode/
+#
+#          - <iNSS> is a Namespace Specific String as defined in RFC 2141
+#            but case insensitive.
+#
+# Example: Common Values:
+#
+#          urn:mace:terena.org:schac:personalUniqueCode:int:studentID:<country-code>:<code>
+#
+#          National extensions:
+#
+#          urn:mace:terena.org:schac:personalUniqueCode:fi:tut.fi:hetu:010161-995A
+#          urn:mace:terena.org:schac:personalUniqueCode:es:uma:estudiante:a3b123c12
+#          urn:mace:terena.org:schac:personalUniqueCode:se:LIN:87654321
+#
+attributetype ( schacAttributeType:14
+    NAME 'schacPersonalUniqueCode'
+    DESC 'unique code for the subject'
+    EQUALITY caseIgnoreMatch
+    ORDERING caseIgnoreOrderingMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacPersonalUniqueID
+#
+# Descrip: Specifies a "legal unique identifier" for the subject it
+#          is associated with.
+#          This might be DNI in Spain, FIC in Finland, NIN in Sweden.
+#
+#  Format: urn:mace:terena.org:schac:personalUniqueID:<country-code>:<idType>:<idValue>
+#
+#          - The <country-code> must be a valid two-letter ISO 3166 country
+#            code identifier or the string "int", and assigned by the TERENA
+#            URN Registry for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/personalUniqueID/
+#
+#          - <idType>. Acceptable values must be declared per each country
+#            code through the URI identified at the above mentioned TERENA URN
+#            registry.
+#
+#          - <idValue>
+#
+# Example: National extensions
+#
+#          urn:mace:terena.org:schac:personalUniqueID:fi:FIC:260667-123F
+#          urn:mace:terena.org:schac:personalUniqueID:es:DNI:31241312L
+#          urn:mace:terena.org:schac:personalUniquelD:se:NIN:12345678
+#
+attributetype ( schacAttributeType:15
+    NAME 'schacPersonalUniqueID'
+    DESC 'Unique identifier for the subject'
+    EQUALITY caseExactMatch
+    ORDERING caseExactOrderingMatch
+    SUBSTR caseExactSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#
+# schacExpiryDate
+#
+# Descrip: The date from which the set of data is to be considered
+#          invalid (specifically, in what refers to rights and
+#          entitlements). This date applies to the entry as a whole.
+#
+#  Format: schacExpiryDate values MUST be expressed Greenwich Mean
+#          Time (Zulu) and MUST include seconds (i.e., times are
+#          YYYYMMDDhhmmssZ), even where the number of seconds is zero.
+#          GeneralizedTime values MUST NOT include fractional seconds.
+#
+# Example: schacExpiryDate: 20051231125959Z
+#
+attributetype ( schacAttributeType:17
+    NAME 'schacExpiryDate'
+    DESC 'Date from which the set of data is to be considered invalid (format YYYYMMDDhhmmssZ)'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SINGLE-VALUE
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+#
+# schacUserPrivateAttribute
+#
+# Descrip: Used to model privacy requirements, as expressed by the user
+#          and/or the organizational policies. The values are intended
+#          to be attribute type names and applies to the attribute and i
+#          any subtypes of it for a given entity.
+#
+#          In what respects to data exchange, it applies to the
+#          expression of privacy requirements.
+#
+#          This attribute can also have specific operational semantics
+#          that will be defined in a separate document.
+#
+#  Format: An attribute type identifier.
+#          Operational semantics may imply specific values as wildcards.
+#
+# Example: Attributes mail and telephoneNumber are considered private
+#
+#          schacUserPrivateAttribute: mail
+#          schacUserPrivateAttribute: telephoneNumber
+#
+attributetype ( schacAttributeType:18
+    NAME 'schacUserPrivateAttribute'
+    DESC 'Set of denied access attributes'
+    EQUALITY caseIgnoreIA5Match
+    SUBSTR caseIgnoreIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+#
+# schacUserStatus
+#
+# Descrip: Used to store a set of status of a person as user of services
+#
+#  Format: urn:mace:terena.org:schac:userStatus:<country-code>:<domain>:<iNSS>
+#
+#          - The <country-code> must be a valid two-letter ISO 3166 country
+#            code identifier or the string "int", and assigned by the TERENA
+#            URN Registry for this attribute at
+#            http://www.terena.org/registry/terena.org/schac/userStatus/
+#
+#          - <domain> is the institution domain name according to RFC 1035
+#
+#          - <iNSS> is a Namespace Specific String as defined in RFC 2141
+#            but case insensitive.
+#
+# Example: To store different user activity states at University of
+#          M�laga (uma.es):
+#
+#          urn:mace:terena.org:schac:userStatus:uma.es:affiliation:expired
+#          urn:mace:terena.org:schac:userStatus:uma.es:sendMail:expired
+#          urn:mace:terena.org:schac:userStatus:uma.es:getMail:active
+#
+#          A parameter in the URN can be used to represent the temporal
+#          validity of the status:
+#
+#          urn:mace:terena.org:schac:userStatus:ujl.si:webmail:active+ttl=20060531
+#
+attributetype ( schacAttributeType:19
+    NAME 'schacUserStatus'
+    DESC 'Used to store a set of status of a person as user of services'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# schacProjectMembership
+#
+# Descrip: The name of the project
+#
+#  Format: <project-name>
+#
+#          The <project-name> must be a name assigned by the TERENA
+#          URN Registry for this attribute at
+#          http://www.terena.org/registry/terena.org/schac/projectSpecificRole/
+#
+# Example: perfsonar
+#
+attributetype ( schacAttributeType:20
+    NAME 'schacProjectMembership'
+    DESC 'Name of the project'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+# schacProjectSpecificRole
+#
+# Descrip: Used to store a set of roles inside specific projects
+#
+#  Format: urn:mace:terena.org:schac:projectSpecificRole:<project-name>:<iNSS>
+#
+#          The <project-name> must be a name assigned by the TERENA
+#          URN Registry for this attribute at
+#          http://www.terena.org/registry/terena.org/schac/projectSpecificRole/
+#          <iNSS> is a Namespace Specific String as defined in RFC 2131 but
+#          case insensitive
+#
+# Example: urn:mace:terena.org:schac:projectSpecificRole:perfsonar:developer
+#
+attributetype ( schacAttributeType:21
+    NAME 'schacProjectSpecificRole'
+    DESC 'Used to store a set of roles of a person inside a project'
+    EQUALITY caseIgnoreMatch
+    SUBSTR caseIgnoreSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+#----------------------------------------------------------------------
+# ObjectClasses
+#----------------------------------------------------------------------
+objectClass ( schacObjectClass:1
+    NAME 'schacPersonalCharacteristics'
+    DESC 'Personal characteristics describe the individual person represented by the entry'
+    AUXILIARY
+    MAY ( schacMotherTongue $ schacGender $ schacDateOfBirth $
+          schacPlaceOfBirth $ schacCountryOfCitizenship $
+          schacSn1 $ schacSn2 $ schacPersonalTitle ) )
+
+objectClass ( schacObjectClass:2
+    NAME 'schacContactLocation'
+    DESC 'Primary means of locating and contacting potential collaborators and other persons-of-interest at peer institutions'
+    AUXILIARY
+    MAY ( schacHomeOrganization $ schacHomeOrganizationType $
+          schacCountryOfResidence $ schacUserPresenceID ) )
+
+objectClass ( schacObjectClass:3
+    NAME 'schacEmployeeInfo'
+    DESC 'Employee information includes attributes that have relevance to the employee role, such as position, office hours, and job title'
+    AUXILIARY
+    MAY ( schacPersonalPosition ) )
+
+objectClass ( schacObjectClass:4
+    NAME 'schacLinkageIdentifiers'
+    DESC 'Used to link a directory entry with records in external data stores or other directory entries'
+    AUXILIARY
+    MAY ( schacPersonalUniqueCode $ schacPersonalUniqueID ) )
+
+objectClass ( schacObjectClass:5
+    NAME 'schacEntryMetadata'
+    DESC 'Used to contain information about the entry itself, often its status, birth, and death'
+    AUXILIARY
+    MAY ( schacExpiryDate ) )
+
+objectClass ( schacObjectClass:6
+    NAME 'schacEntryConfidentiality'
+    DESC 'Used to indicate whether an entry is visible publicly, visible only to affiliates of the institution, or not visible at all'
+    AUXILIARY
+    MAY ( schacUserPrivateAttribute ) )
+
+objectClass ( schacObjectClass:7
+    NAME 'schacUserEntitlements'
+    DESC 'Authorization for services'
+    AUXILIARY
+    MAY ( schacUserStatus ) )
+
+objectClass ( schacObjectClass:8
+    NAME 'schacGroupMembership'
+    DESC 'Groups used to provide/restrict authorization to entries and attributes'
+    AUXILIARY
+    MAY ( schacProjectMembership $ schacProjectSpecificRole ) )
+
+#----------------------------------------------------------------------
+#
+# Experimental attributes
+#
+
+#
+# schacYearOfBirth
+#
+# Descrip: The year of birth for the subject it is associated with
+#
+#  Format: Numeric value YYYY, using 4 digits for the year, as
+#          described in RFC 3339 'Date and Time on the Internet:
+#          Timestamps' as reference using the 'full-date' format from
+#          paragraph 5.6 but without the dashes
+#
+# Exammple: schacYearOfBirth: 1966
+#
+attributetype ( schacExpAttr:3
+   NAME 'schacYearOfBirth'
+   DESC 'Year of birth (format YYYY, only numeric chars)'
+   EQUALITY numericStringMatch
+   ORDERING numericStringOrderingMatch
+   SUBSTR numericStringSubstringsMatch
+   SINGLE-VALUE
+   SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 )
+
+
+#----------------------------------------------------------------------
+#
+# Experimental objectclasses
+#
+
+objectClass ( schacExpObjClass:1
+    NAME 'schacExperimentalOC'
+    DESC 'Experimental Object Class'
+    AUXILIARY
+    MAY ( schacYearOfBirth) )
+
+#----------------------------------------------------------------------
+# End of SCHAC schema
+#----------------------------------------------------------------------
diff --git a/ansible_collections/debops/debops/roles/slapd/files/script/ldap-load-schema b/ansible_collections/debops/debops/roles/slapd/files/script/ldap-load-schema
new file mode 100755
index 00000000..3271e921
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/script/ldap-load-schema
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Check if specified LDAP schema file is loaded in the local slapd cn=config
+# database. If not, try loading it in the server.
+
+
+set -o nounset -o pipefail -o errexit
+
+schema_file="${1}"
+
+if [ -z "${schema_file}" ] ; then
+    printf "Error: You need to specify schema file to load\\n" && exit 1
+fi
+
+if [ ! -e "${schema_file}" ] ; then
+    printf "Error: %s does not exist\\n" "${schema_file}" && exit 1
+fi
+
+if [ ! -r "${schema_file}" ] ; then
+    printf "Error: %s is unreadable\\n" "${schema_file}" && exit 1
+fi
+
+# The schema file is already converted, we can deal with them directly
+if [[ "${schema_file}" == *.ldif ]] ; then
+
+    # Get the DN of the schema
+    schema_dn="$(grep -E '^^dn:\s' "${schema_file}")"
+
+    # Get list of already installed schemas from local LDAP server
+    schema_list() {
+        ldapsearch -Y EXTERNAL -H ldapi:/// -LLLQ -b 'cn=schema,cn=config' dn \
+        | sed -e '/^$/d' -e 's/{[0-9]\+}//'
+    }
+
+    if schema_list | grep -q "${schema_dn}" ; then
+
+        # Schema is already installed, do nothing
+        exit 0
+
+    else
+
+        # Try installing the schema in the database
+        ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_file}"
+
+    fi
+
+# The schema is not converted to ldif, defer to a helper script
+elif [[ "${schema_file}" == *.schema ]] ; then
+
+    if type fusiondirectory-insert-schema > /dev/null ; then
+        fusiondirectory-insert-schema -i "${schema_file}"
+    else
+        printf "Error: %s needs to be in the .ldif format\\n" "${schema_file}" && exit 1
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-config b/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-config
new file mode 100755
index 00000000..7e57d5ba
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-config
@@ -0,0 +1,754 @@
+#!/usr/bin/env bash
+#
+# This file is managed by Ansible, all changes will be lost
+# Script updated up to commit 56bec75c0989ca54eb61ed21cdc95ccc38a655b8
+# TODO: Switch to uscan to track upstream changes via git HEAAD tracking
+#
+# slapd runtime configuration management tool
+# Homepage: https://github.com/cepharum/slapd-config
+#
+# Copyright (C) 2012-2013 Thomas Urban <thomas.urban@cepharum.de>
+# (c) 2012-2013, cepharum GmbH, Berlin
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# $Date: 2012-04-14 22:50:40 +0000 (Sa, 14. Apr 2012) $ $Revision: 4 $
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+# use SASL/EXTERNAL authentication by default
+AUTHENTICATION="${AUTHENTICATION:--Q -H ldapi:/// -Y EXTERNAL}"
+
+
+# detect base64 encoder/decoder
+if type base64 &>/dev/null; then
+	B64ENC=( base64 )
+	B64DEC=( base64 -d )
+elif type openssl &>/dev/null; then
+	B64ENC=( openssl base64 )
+	B64DEC=( openssl base64 -d )
+elif type recode &>/dev/null; then
+	B64ENC=( recode ..base64 )
+	B64DEC=( recode base64.. )
+else
+	B64ENC=( echo 'missing base64 encoder' \>\&2 \&\& exit 5 )
+	B64DEC=( echo 'missing base64 decoder' \>\&2 \&\& exit 5 )
+fi
+
+
+
+findEntries()
+{
+	if [ "${1}" = "-dn" ]
+	then
+		basedn="${2}"
+		shift 2
+	else
+		basedn="cn=config"
+	fi
+
+	query="${1}"
+	[ -z "$query" ] && query='objectClass=*'
+
+	shift
+
+	# shellcheck disable=SC2086
+	ldapsearch $AUTHENTICATION -LLL -b "$basedn" "$query" "$@" | sed -ne '/^ *$/!p' | sed -ne '1h;1!H;${;x;s/\n //g;p;}'
+}
+
+DBName2DN()
+{
+	for dn in $(listDatabaseDNs); do
+		name="$(DBDN2Name "$dn")"
+		[ "${1}" = "$name" ] || [ "${1}" = "${name#*\}}" ] && { echo "$dn"; return 0; }
+	done
+
+	echo "invalid database: ${1}" >&2
+	exit 1
+}
+
+DBDN2Name()
+{
+	[ "${2}" = "unique" ] && DN="${1#*=}" || DN="${1#*\}}"
+	echo "${DN%%,*}"
+}
+
+values2LDIF()
+{
+	values=
+	i=0
+
+	while read -r line; do
+		# insert line break
+		[ $i -eq 0 ] || values="$values\\n"
+
+		# add numeric indices to lines of values unless disabled
+		[ "${2}" = "nonumbers" ] || line="{$i}${line}"
+
+		# base64-encode line if required
+		echo -n "$line" | awk '/^[\x01-\x09\x0B\x0C\x0E-\x1F\x21-\x39\x3B\x3D-\x7F][\x01-\x09\x0B\x0C\x0E-\x7F]*$/ {print "valid"}' | grep valid &>/dev/null || {
+			line="$(echo -n "$line" | "${B64ENC[@]}")"
+		}
+
+		values="$values${1}: ${line}"
+		i=$((i+1))
+	done
+
+	# shellcheck disable=SC2001
+	{ [ $i -lt 2 ] && [ "${2}" != "nonumbers" ] && sed 's/^\([^:]\+: \){0}/\1/' <<<"$values" || echo "$values"; } | sed 's/\\n/\n/g' | sed -n ':p;s/\([^\n]\{78\}\)\([^\n]\)/\1\n \2/;tp;p'
+}
+
+listEntries()
+{
+	dn="${1}"
+	scope="${2:-sub}"
+
+	shift 2
+
+	findEntries -dn "${dn}" "objectClass=*" dn -s "$scope" "$@" | sed -n '/^ *$/!s/[^:]*::? ?//p'
+}
+
+showEntry()
+{
+	dn="${1}"
+
+	shift
+
+	findEntries -dn "${dn}" "objectClass=*" -s base | sed -n '/^ *$/!p'
+}
+
+readAttribute()
+{
+	dn="${1}"
+	attr="${2}"
+
+	findEntries -dn "$dn" "$attr=*" "$attr" -s base | sed -n '
+/^'"$attr"':/!d
+s/^'"$attr"': *\({\(-\?[0-9][0-9]*\)}\)\?/=/
+s/^'"$attr"':: */!/
+p' | while read -r line; do
+		case "${line:0:1}" in
+			"=")
+				echo "${line:1}"
+				;;
+			'!')
+				echo -n "${line:1}" | "${B64DEC[@]}"
+				;;
+		esac
+	done
+}
+
+writeAttribute()
+{
+	dn="${1}"
+	attr="${2}"
+	[ "${3}" = "nonumbers" ] && mode=nonumbers || mode=
+
+	# shellcheck disable=SC2086
+	ldapmodify $AUTHENTICATION <<EOT
+dn: $dn
+changetype: modify
+replace: $attr
+$(values2LDIF "$attr" $mode)
+-
+EOT
+}
+
+insertAttributeLine()
+{
+	dn="${1}"
+	attr="${2}"
+	idx="${3}"
+	rule="${4//;/\\;}"
+
+	[ "$idx" -lt 1 ] && idx=1
+
+	{
+		readAttribute "$dn" "$attr" | {
+			if [ "$idx" -le "$(readAttribute "$dn" "$attr" | wc -l)" ]; then
+				sed "${idx}i${rule}"
+			else
+				sed -n "p;\$i${rule}"
+			fi
+		}
+	} | writeAttribute "$dn" "$attr" "${5}"
+}
+
+deleteAttributeLine()
+{
+	dn="${1}"
+	attr="${2}"
+	idx="${3}"
+
+	if ! [ "$idx" -ge 1 ] && [ "$idx" -le "$(readAttribute "$dn" "$attr" | wc -l)" ] ; then
+		echo "index out of bound" >&2
+		return 1
+	fi
+
+	readAttribute "$dn" "$attr" | sed "${idx}d" | writeAttribute "$dn" "$attr" "${4}"
+}
+
+schema2CN()
+{
+	name="${1}"
+
+	grep -E '^[1-9][0-9]*$' <<<"$name" &>/dev/null && index="$((name-1))" || index="x"
+
+	cn=$(findEntries -dn 'cn=schema,cn=config' 'objectClass=*' dn -s one | sed "/^dn: cn={$index}.\\|}$name,cn=schema,cn=config\$/!d;s/^[^{]\\+\\({[^,]\\+\\),cn=schema,cn=config\$/\\1/")
+
+	# shellcheck disable=SC2181
+	if [ $? -ne 0 ] || [ -z "$cn" ]; then
+		if [ -n "${2}" ]; then
+			idx=-1
+			for cidx in $(findEntries -dn 'cn=schema,cn=config' 'objectClass=*' dn -s one | sed -n 's/^[^{]\+{\([0-9]\+\)}.*$/\1/p'); do
+				[ "$cidx" -gt "$idx" ] && idx=$cidx
+			done
+
+			echo "{$((idx+1))}$name"
+		else
+			return 1
+		fi
+	else
+		echo "$cn"
+	fi
+}
+
+schema2DN()
+{
+	cn="$(schema2CN "${1}")" || return 1
+	echo "cn=${cn},cn=schema,cn=config"
+}
+
+DN2Schema()
+{
+	dn="${dn#*\}}"
+	echo "${dn%%,*}"
+}
+
+listSchemata()
+{
+	findEntries -dn 'cn=schema,cn=config' 'objectClass=*' dn -s one | sed -n '/^ *$/!s/^dn: *cn={-\?[0-9]*}//;s/,.*$//p'
+}
+
+testSchema()
+{
+	schema2CN "${1}" &>/dev/null && return 0 || return 1
+}
+
+readSchema()
+{
+	dn="$(schema2DN "${1}")" || { echo "invalid or missing schema" >&2; exit 1; }
+
+	cat <<EOT
+# Copy of schema $(readAttribute "$dn" cn)
+# DN in LDAP is $dn
+
+$(readAttribute "$dn" olcObjectIdentifier | sed 's/^/\nobjectidentifier /;s/ \(NAME\|DESC\|EQUALITY\|SUBSTR\|SYNTAX\|SINGLE-VALUE\|SUP\)/\n\t\1/g')
+
+$(readAttribute "$dn" olcAttributeTypes | sed 's/^/\nattributetype /;s/ \(NAME\|DESC\|EQUALITY\|SUBSTR\|SYNTAX\|SINGLE-VALUE\|SUP\)/\n\t\1/g')
+
+$(readAttribute "$dn" olcObjectClasses | sed 's/^/\nobjectclass /;s/ \(NAME\|DESC\|SUP\|STRUCTURAL\|AUXILIARY\|MAY\|MUST\)/\n\t\1/g')
+EOT
+}
+
+schemaFileToLDIF()
+{
+	sed -e '/^#/d;/^ *$/d' | sed -ne '1h;1!H;${;x;s/[ \t]\+/ /g;s/ \?\n / /g;p;}' | (
+		iidx=0
+		aidx=0
+		oidx=0
+
+		iline=""
+		aline=""
+		cline=""
+
+		while read -r rule; do
+			ruletype="${rule%% *}"
+			case "${ruletype,,}" in
+				objectidentifier)
+					[ $iidx -eq 0 ] || iline="${iline}\\n"
+					iline="${iline}olcObjectIdentifier: {$iidx}${rule#* }"
+					iidx=$((iidx+1))
+					;;
+				attributetype)
+					[ $aidx -eq 0 ] || aline="${aline}\\n"
+					aline="${aline}olcAttributeTypes: {$aidx}${rule#* }"
+					aidx=$((aidx+1))
+					;;
+				objectclass)
+					[ $oidx -eq 0 ] || cline="${cline}\\n"
+					cline="${cline}olcObjectClasses: {$oidx}${rule#* }"
+					oidx=$((oidx+1))
+					;;
+				*)
+					echo -e "invalid rule in schema file:\\n$rule" >&2
+					exit 2
+			esac
+		done
+
+
+		cat <<-EOT
+$iline
+$aline
+$cline
+		EOT
+	)
+}
+
+writeSchema()
+{
+	schemaFileToLDIF | (
+		read -r identifiers
+		read -r attributes
+		read -r classes
+
+		testSchema "${1}"
+		# shellcheck disable=SC2181
+		if [ $? -eq 0 ]; then
+			dn="$(schema2DN "${1}")"
+
+			ldif="dn: ${dn}
+changetype: modify
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$identifiers" ] && ldif="${ldif}replace: olcObjectIdentifier
+$(sed 's/\\n/\n/g' <<<"$identifiers")
+-
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$attributes" ] && ldif="${ldif}replace: olcAttributeTypes
+$(sed 's/\\n/\n/g' <<<"$attributes")
+-
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$classes" ] && ldif="${ldif}replace: olcObjectClasses
+$(sed 's/\\n/\n/g' <<<"$classes")
+-
+"
+
+			# shellcheck disable=SC2086
+			ldapmodify $AUTHENTICATION <<<"$ldif"
+		else
+			cn="$(schema2CN "${1}" y)"
+
+			ldif="dn: cn=${cn},cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: ${cn}
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$identifiers" ] && ldif="${ldif}$(sed 's/\\n/\n/g' <<<"$identifiers")
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$attributes" ] && ldif="${ldif}$(sed 's/\\n/\n/g' <<<"$attributes")
+"
+
+			# shellcheck disable=SC2001
+			[ -n "$classes" ] && ldif="${ldif}$(sed 's/\\n/\n/g' <<<"$classes")
+"
+
+			# shellcheck disable=SC2086
+			ldapadd $AUTHENTICATION <<<"$ldif"
+		fi
+	)
+}
+
+deleteSchema()
+{
+	dn="$(schema2DN "${1}")" || { echo "invalid or missing schema" >&2; exit 1; }
+
+	idx="${dn#*{}"
+	idx="${idx%%\}*}"
+
+	# shellcheck disable=SC2086
+	ldapdelete $AUTHENTICATION "${dn}" || { echo "failed to delete schema ${dn}" >&2; exit 2; }
+
+	while testSchema "$((idx+1))"; do
+		olddn="$(schema2DN "$((idx+1))")"
+		newcn="$(DN2Schema "${olddn}")"
+		newcn="{$idx}$newcn"
+
+		# shellcheck disable=SC2086
+		ldapmodify $AUTHENTICATION <<-EOT
+dn: ${olddn}
+changetype: modrdn
+newrdn: cn=${newcn}
+deleteoldrdn: 1
+newsuperior: cn=schema,cn=config
+-
+		EOT
+
+		# shellcheck disable=SC2181
+		[ $? -ne 0 ] && { echo "failed to move schema $olddn to cn=$newcn,cn=schema,cn=config" >&2; exit 2; }
+	done
+}
+
+listDatabaseDNs()
+{
+	findEntries "olcDatabase=*" dn | awk '$1 ~ /dn:/ {print substr($0,5)}'
+}
+
+listAllDatabases()
+{
+	for dn in $(listDatabaseDNs); do
+		echo "$(DBDN2Name "$dn")	$dn"
+	done
+}
+
+listDatabases()
+{
+	for dn in $(listDatabaseDNs)
+	do
+		if suffix=$(findEntries -dn "$dn" "olcSuffix=*" olcSuffix | grep -E '^olcSuffix: '); then
+			echo "$(DBDN2Name "$dn")	${suffix#*: }	$dn"
+		fi
+	done
+}
+
+writeSslCertificate()
+{
+	certFilename="${1}"
+	keyFilename="${2}"
+	caFilename="${3}"
+
+	[ -f "$certFilename" ] || { echo "missing certificate file: $certFilename" >&2; exit 1; }
+	[ -f "$keyFilename" ] || { echo "missing key file: $keyFilename" >&2; exit 1; }
+
+	if [ -n "$caFilename" ]
+	then
+		[ -f "$caFilename" ] || { echo "missing CA certificate file: $caFilename" >&2; exit 1; }
+
+		echo "setting up certificate file (incl. CA certificate)" >&2
+		# shellcheck disable=SC2086
+		ldapmodify $AUTHENTICATION <<-EOT
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+$(values2LDIF olcTLSCACertificateFile <<<"$caFilename")
+-
+replace: olcTLSCertificateFile
+$(values2LDIF olcTLSCertificateFile <<<"$certFilename")
+-
+replace: olcTLSCertificateKeyFile
+$(values2LDIF olcTLSCertificateKeyFile <<<"$keyFilename")
+-
+		EOT
+	else
+		echo "setting up certificate/key files" >&2
+		# shellcheck disable=SC2086
+		ldapmodify $AUTHENTICATION <<-EOT
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+$(values2LDIF olcTLSCertificateFile <<<"$certFilename")
+-
+replace: olcTLSCertificateKeyFile
+$(values2LDIF olcTLSCertificateKeyFile <<<"$keyFilename")
+-
+		EOT
+	fi
+}
+
+deleteSslCertificate()
+{
+	if [ -n "$(readAttribute "cn=config" "olcTLSCertificateFile")" ]
+	then
+		echo "dropping certificate/key file" >&2
+		# shellcheck disable=SC2086
+		ldapmodify $AUTHENTICATION <<-EOT
+dn: cn=config
+changetype: modify
+delete: olcTLSCertificateFile
+-
+delete: olcTLSCertificateKeyFile
+-
+		EOT
+	fi
+
+	if [ -n "$(readAttribute "cn=config" "olcTLSCACertificateFile")" ]
+	then
+		echo "dropping CA certificate file" >&2
+		# shellcheck disable=SC2086
+		ldapmodify $AUTHENTICATION <<-EOT
+dn: cn=config
+changetype: modify
+delete: olcTLSCACertificateFile
+-
+		EOT
+	fi
+}
+
+
+
+usage()
+{
+	cat >&2 <<EOT
+OpenLDAP (slapd) runtime configuration utility
+(c) 2012-2013, cepharum GmbH, Berlin (distributed under terms of GPLv3)
+
+common usage: $APPNAME <module> <action> [ <parameters> ]
+
+EOT
+
+	sed 's/\\n/\n/g' >&2
+
+	exit 1
+}
+
+badaction()
+{
+	cat >&2 <<EOT
+missing or invalid action: $ACTION
+
+read help available by invoking
+
+$APPNAME $MODULE help
+
+EOT
+
+	exit 1
+}
+
+
+
+APPNAME="${0}"
+MODULE="${1}"
+ACTION="${2}"
+
+shift 2
+
+[ -z "$MODULE" ] && { echo "missing module" >&2; MODULE=help; }
+
+
+
+
+
+
+case "$MODULE" in
+
+	-h|--help|help)
+		usage <<-EOT
+available modules are: db raw schema ssl
+
+module-specific help is available with:
+
+  $APPNAME <module> help
+
+		EOT
+		;;
+
+	raw)
+		case "$ACTION" in
+			help)
+				usage <<-EOT
+module: raw
+
+actions are:
+
+  read      read all value lines from a single DNs attribute
+  write     write all value lines of a single DNs attribute read from stdin
+  insert    insert value line before selected one in attribute of single DN
+  delete    remove selected value line from attribute of single DN
+  list      list DNs of subordinated entries using scope one or sub
+  show      list all entries and their values of entry selected by DN
+
+				EOT
+				;;
+			"read")
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME raw read <DN> <attr>\\n"
+				readAttribute "$@"
+				;;
+			write)
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME raw write <DN> <attr> [ nonumbers ]\\n       (providing value lines on stdin)\\n"
+				writeAttribute "$@"
+				;;
+			insert)
+				[ $# -lt 4 ] && usage <<<"usage: $APPNAME raw insert <DN> <attr> <linenum> \"<value>\" [ nonumbers ]\\n"
+				insertAttributeLine "$@"
+				;;
+			delete)
+				[ $# -lt 3 ] && usage <<<"usage: $APPNAME raw delete <DN> <attr> <linenum> [ nonumbers ]\\n"
+				deleteAttributeLine "$@"
+				;;
+			list)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME raw list <baseDN> [ one | sub ]\\n"
+				listEntries "$@"
+				;;
+			show)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME raw show <DN>\\n"
+				showEntry "$@"
+				;;
+			*)
+				badaction
+				;;
+		esac
+		;;
+
+	schema)
+		case "$ACTION" in
+			help)
+				usage <<-EOT
+module: schema
+
+actions are:
+
+  list    list declared schemata
+  exists  test whether schema selected by name or index exists or not
+  read    read schema selected by name or index
+  write   write schema selected by name or index (file read from stdin)
+  delete  delete schema selected by name or index (not supported by OpenLDAP)
+
+				EOT
+				;;
+			list)
+				listSchemata "$@"
+				;;
+			exists)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME schema exists <schema>\\n"
+				testSchema "$@"
+				;;
+			"read")
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME schema read <schema>\\n"
+				readSchema "$@"
+				;;
+			write)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME schema write <schema> \"<\" <file>\\n"
+				writeSchema "$@"
+				;;
+			delete)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME schema delete <schema>\\n"
+				deleteSchema "$@"
+				;;
+			*)
+				badaction
+				;;
+		esac
+		;;
+
+	db)
+		case "$ACTION" in
+			help)
+				usage <<-EOT
+module: db
+
+actions are:
+
+  list          list name, suffix and DN of every DB containing LDAP thread
+  list-all      list name and DN of every DB (incl. config databases etc.)
+  show          provide properties of a single DB selected in parameter
+  read          read attribute from configuration of selected DB
+  write         write attribute in configuration of selected DB
+  insert        insert value line before selected one in attribute of DB
+  delete        remove selected value line from attribute of DB
+  read-access   read access rules from DB selected in parameter
+  write-access  write access rules to DB selected in parameter (rules on stdin)
+  insert-access insert single access rule in set of rules of selected DB
+  delete-access remove single access rule from set of rules of selected DB
+
+				EOT
+				;;
+			list)
+				listDatabases "$@"
+				;;
+			list-all)
+				listAllDatabases "$@"
+				;;
+			show)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME db show <dbname>\\n"
+				findEntries -dn "$(DBName2DN "${1}")"
+				;;
+			read)
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME db read <dbname> <attr>\\n"
+				readAttribute "$(DBName2DN "${1}")" "${2}"
+				;;
+			write)
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME db write <dbname> <attr> [ nonumbers ]\\n       (providing value lines on stdin)\\n"
+				# shellcheck disable=SC2086
+				writeAttribute "$(DBName2DN "${1}")" "${2}" ${3}
+				;;
+			insert)
+				[ $# -lt 4 ] && usage <<<"usage: $APPNAME db insert <dbname> <attr> <linenum> \"<value>\" [ nonumbers ]\\n"
+				# shellcheck disable=SC2086
+				insertAttributeLine "$(DBName2DN "${1}")" "${2}" "${3}" "${4}" ${5}
+				;;
+			delete)
+				[ $# -lt 3 ] && usage <<<"usage: $APPNAME db delete <dbname> <attr> <linenum> [ nonumbers ]\\n"
+				# shellcheck disable=SC2086
+				deleteAttributeLine "$(DBName2DN "${1}")" "${2}" "${3}" ${4}
+				;;
+			read-access)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME db read-access <dbname>\\n"
+				readAttribute "$(DBName2DN "${1}")" olcAccess
+				;;
+			write-access)
+				[ $# -lt 1 ] && usage <<<"usage: $APPNAME db write-access <dbname>\\n"
+				writeAttribute "$(DBName2DN "${1}")" olcAccess
+				;;
+			insert-access)
+				[ $# -lt 3 ] && usage <<<"usage: $APPNAME db insert-access <dbname> <ruleindex> \"<rule>\"\\n"
+				insertAttributeLine "$(DBName2DN "${1}")" olcAccess "${2}" "${3}"
+				;;
+			delete-access)
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME db delete-access <dbname> <ruleindex>\\n"
+				deleteAttributeLine "$(DBName2DN "${1}")" olcAccess "${2}"
+				;;
+			*)
+				badaction
+				;;
+		esac
+		;;
+
+	ssl)
+		case "$ACTION" in
+			help)
+				usage <<-EOT
+module: ssl
+
+actions are:
+
+  write    update SSL/TLS certificate and key of server
+  delete   delete any existing SSL/TLS certificate of server
+  show     display configured SSL/TLS certificate and key of server
+
+				EOT
+				;;
+			write)
+				[ $# -lt 2 ] && usage <<<"usage: $APPNAME ssl write <cert-filename> <key-filename> [ <ca-cert-filename> ]\\n"
+				writeSslCertificate "$@"
+				;;
+			delete)
+				deleteSslCertificate
+				;;
+			show)
+				findEntries -dn "cn=config" | awk '/^olcTLS/ {print $0}'
+				;;
+			*)
+				badaction
+				;;
+		esac
+		;;
+
+	*)
+		cat >&2 <<-EOT
+unknown module: $MODULE
+
+use "$APPNAME help" for list of available modules
+
+EOT
+		;;
+esac
diff --git a/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-snapshot b/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-snapshot
new file mode 100755
index 00000000..0e7e93a9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/files/usr/local/sbin/slapd-snapshot
@@ -0,0 +1,363 @@
+#!/usr/bin/env bash
+
+# This file is managed remotely, all changes will be lost
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Create LDIF backup snapshots of the OpenLDAP databases. The "frontend"
+# database, as well as any databases in the read-only mode are not backed up.
+# The script will automatically enable and disable read-only mode for each
+# backed up database, apart from the cn=config database.
+
+
+set -o nounset -o pipefail -o errexit
+
+umask 027
+
+SCRIPT="$(basename "${0}")"
+readonly SCRIPT
+readonly PID="$$"
+readonly PIDFILE="/run/${SCRIPT}.pid"
+readonly SUBCOMMAND="${1:-}"
+
+readonly SLAPCAT="/usr/sbin/slapcat"
+
+BACKUP_USER="backup"
+BACKUP_GROUP="backup"
+BACKUP_ROOT="$(getent passwd "${BACKUP_USER}" | cut -f6 -d:)/slapd"
+
+if [ -f "/etc/default/slapd-snapshot" ] ; then
+    # shellcheck disable=SC1091
+    . "/etc/default/slapd-snapshot"
+fi
+
+print_usage () {
+    cat <<EOF
+Usage: ${SCRIPT} <daily|weekly|monthly|latest|now>
+
+Create periodic backup snapshots of the OpenLDAP databases
+EOF
+}
+
+
+get_databases () {
+    local result
+    local search_filter
+
+    # Find all OpenLDAP databases, but skip the frontend and monitor database, and don't
+    # include databases that have "olcReadOnly" attribute set.
+    search_filter="(&(olcDatabase=*)(!(objectClass=olcFrontendConfig))(!(objectClass=olcMonitorConfig))(!(olcReadOnly=*)))"
+
+    result="$(ldapsearch -QALLL -Y EXTERNAL -H ldapi:/// -b cn=config -s one "${search_filter}" dn)"
+    if [ -n "${result}" ] ; then
+        printf "%s\n" "${result}" | sed -e '/./!d' -e 's/^dn: //'
+    else
+
+        # The first search was empty, most likely due to not enabled cn=Monitor
+        # configuration. Let's search again, without it.
+        search_filter="(&(olcDatabase=*)(!(objectClass=olcFrontendConfig))(!(olcReadOnly=*)))"
+
+        result="$(ldapsearch -QALLL -Y EXTERNAL -H ldapi:/// -b cn=config -s one "${search_filter}" dn)"
+        if [ -n "${result}" ] ; then
+            printf "%s\n" "${result}" | sed -e '/./!d' -e 's/^dn: //'
+        else
+
+            # There was no result either, give up.
+            printf "\n"
+        fi
+    fi
+}
+mapfile -t SLAPD_DATABASES < <(get_databases)
+
+log_message () {
+    # Display a message if script is used interactively, otherwise send it to syslog
+    local msg="${1:-}"
+
+    if [ -n "${msg}" ] ; then
+        if tty -s > /dev/null 2>&1 ; then
+            echo "${SCRIPT}: ${msg}" 1>&2
+        elif type logger > /dev/null 2>&1 ; then
+            logger -t "${SCRIPT}[${PID}]" "${msg}"
+        fi
+    fi
+}
+
+
+clean_up () {
+    # Clean up pidfile
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        rm -f "${pidfile}"
+    fi
+    exit 0
+}
+
+
+wait_for_pid () {
+    # Wait for the specified process to exit
+    local pidfile="${1}"
+
+    if [ -n "${pidfile}" ] && [ -r "${pidfile}" ] ; then
+        local wait_pid
+        wait_pid="$(< "${pidfile}")"
+        while kill -0 "${wait_pid}" > /dev/null 2>&1 ; do
+            log_message "Waiting for PID ${wait_pid} to finish"
+            sleep $(( ( RANDOM % 30 ) + 5 ))
+        done
+        if [ -f "${pidfile}" ] ; then
+            rm -f "${pidfile}"
+        fi
+    fi
+}
+
+
+create_lock () {
+    local pidfile="${1}"
+    local pid="${PID}"
+
+    # Try and lock the script operation
+    echo "${pid}" > "${pidfile}"
+    sleep 0.5
+
+    # Exclusive lock failed
+    if [ "$(cat "${pidfile}")" != "${pid}" ] ; then
+        log_message "OpenLDAP snapshot procedure started by $(< "${pidfile}")"
+        exit 0
+    fi
+
+    # Exclusive lock succeeded
+    # shellcheck disable=SC2064
+    trap "clean_up ${pidfile}" EXIT
+}
+
+
+enable_read_only_mode () {
+    local -a slapd_databases
+    local db
+    local db_id
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    db="${1}"
+    db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+             | awk -F '[{}]' '{print $2}')"
+
+    if [ "${db_id}" -ne 0 ] ; then
+
+        log_message "Enabling read-only mode in the slapd:${db_id} database"
+        ldapmodify -Q -Y EXTERNAL -H ldapi:/// >/dev/null <<EOF
+dn: ${slapd_databases[${db}]}
+changeType: modify
+replace: olcReadOnly
+olcReadOnly: TRUE
+EOF
+    fi
+}
+
+
+disable_read_only_mode () {
+    local -a slapd_databases
+    local db
+    local db_id
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    db="${1}"
+    db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+             | awk -F '[{}]' '{print $2}')"
+
+    if [ "${db_id}" -ne 0 ] ; then
+
+        log_message "Disabling read-only mode in the slapd:${db_id} database"
+        ldapmodify -Q -Y EXTERNAL -H ldapi:/// >/dev/null <<EOF
+dn: ${slapd_databases[${db}]}
+changeType: modify
+replace: olcReadOnly
+olcReadOnly: FALSE
+
+dn: ${slapd_databases[${db}]}
+changeType: modify
+delete: olcReadOnly
+EOF
+    fi
+}
+
+
+create_snapshot () {
+    local -a slapd_databases
+
+    local backup_user
+    local backup_group
+    local backup_root
+    local slapcat
+
+    local db
+    local db_id
+    local backup_file
+    local backup_dir
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+
+    backup_user="${BACKUP_USER}"
+    backup_group="${BACKUP_GROUP}"
+    backup_root="${BACKUP_ROOT}"
+    slapcat="${SLAPCAT}"
+
+    db="${1}"
+    backup_file="${2}"
+    backup_dir="$(dirname "${backup_file}")"
+
+    db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+             | awk -F '[{}]' '{print $2}')"
+
+    if [ ! -d "${backup_dir}" ] ; then
+        mkdir -p "${backup_dir}"
+        chown -R "${backup_user}:${backup_group}" "${backup_root}"
+    fi
+
+    enable_read_only_mode "${db}"
+    log_message "Dumping the slapd:${db_id} database"
+    "${slapcat}" -n "${db_id}" -l "${backup_file}"
+    disable_read_only_mode "${db}"
+
+    if [ -f "${backup_file}.gz.gpg" ] ; then
+        rm -f "${backup_file}.gz.gpg"
+    fi
+
+    if [ -f "${backup_file}.gz.asc" ] ; then
+        rm -f "${backup_file}.gz.asc"
+    fi
+
+    nice gzip -f "${backup_file}"
+    chown "${backup_user}:${backup_group}" "${backup_file}.gz"
+}
+
+
+snapshot_daily () {
+    local -a slapd_databases
+    local backup_root
+
+    local day
+    local weekday
+    local backup_file
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    backup_root="${BACKUP_ROOT}"
+
+    day="$(date +%w)"
+    weekday="$(date +%A)"
+
+    for db in "${!slapd_databases[@]}" ; do
+        db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+                 | awk -F '[{}]' '{print $2}')"
+
+        backup_file="${backup_root}/daily/slapd_day${day}_${weekday}_db${db_id}.ldif"
+
+        log_message "Creating daily snapshot of the slapd:${db_id} database"
+        create_snapshot "${db}" "${backup_file}"
+        log_message "Daily snapshot of the slapd:${db_id} database created successfully"
+    done
+}
+
+
+snapshot_weekly () {
+    local -a slapd_databases
+    local backup_root
+
+    local week
+    local backup_file
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    backup_root="${BACKUP_ROOT}"
+
+    # Find out the week number in the current month
+    week="$(( ( $(date +%_d) - 1 ) / 7 + 1 ))"
+
+    for db in "${!slapd_databases[@]}" ; do
+        db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+                 | awk -F '[{}]' '{print $2}')"
+
+        backup_file="${backup_root}/weekly/slapd_week${week}_db${db_id}.ldif"
+
+        log_message "Creating weekly snapshot of the slapd:${db_id} database"
+        create_snapshot "${db}" "${backup_file}"
+        log_message "Weekly snapshot of the slapd:${db_id} database created successfully"
+    done
+}
+
+
+snapshot_monthly () {
+    local -a slapd_databases
+    local backup_root
+
+    local month
+    local month_name
+    local backup_file
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    backup_root="${BACKUP_ROOT}"
+
+    month="$(date +%m)"
+    month_name="$(date +%B)"
+
+    for db in "${!slapd_databases[@]}" ; do
+        db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+                 | awk -F '[{}]' '{print $2}')"
+
+        backup_file="${backup_root}/monthly/slapd_month${month}_${month_name}_db${db_id}.ldif"
+
+        log_message "Creating monthly snapshot of the slapd:${db_id} database"
+        create_snapshot "${db}" "${backup_file}"
+        log_message "Monthly snapshot of the slapd:${db_id} database created successfully"
+    done
+}
+
+
+snapshot_latest () {
+    local -a slapd_databases
+    local backup_root
+
+    local current_date
+    local backup_file
+
+    slapd_databases=( "${SLAPD_DATABASES[@]}" )
+    backup_root="${BACKUP_ROOT}"
+
+    current_date="$(date +%F_%R)"
+
+    if [ -d "${backup_root}/latest" ] ; then
+        # Remove old set of database backups
+        find "${backup_root}/latest" -type f -name "slapd_*_db*" -delete
+    fi
+
+    for db in "${!slapd_databases[@]}" ; do
+        db_id="$(printf "%s\\n" "${slapd_databases[${db}]}" \
+                 | awk -F '[{}]' '{print $2}')"
+
+        backup_file="${backup_root}/latest/slapd_${current_date}_db${db_id}.ldif"
+
+        log_message "Creating a snapshot of the slapd:${db_id} database"
+        create_snapshot "${db}" "${backup_file}"
+        log_message "Snapshot of the slapd:${db_id} database created successfully"
+    done
+}
+
+
+main () {
+    local pidfile="${PIDFILE}"
+    local subcommand="${SUBCOMMAND}"
+
+    wait_for_pid "${pidfile}"
+    create_lock "${pidfile}"
+
+    case "${subcommand}" in
+        daily)      snapshot_daily  ;;
+        weekly)     snapshot_weekly ;;
+        monthly)    snapshot_monthly ;;
+        now|latest) snapshot_latest ;;
+        *)          print_usage && exit 1 ;;
+    esac
+}
+
+main
diff --git a/ansible_collections/debops/debops/roles/slapd/meta/main.yml b/ansible_collections/debops/debops/roles/slapd/meta/main.yml
new file mode 100644
index 00000000..6cc05078
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage slapd - OpenLDAP server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - database
+    - ldap
+    - authentication
+    - olc
+    - openldap
+    - slapd
diff --git a/ansible_collections/debops/debops/roles/slapd/tasks/main.yml b/ansible_collections/debops/debops/roles/slapd/tasks/main.yml
new file mode 100644
index 00000000..587b7bd1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/tasks/main.yml
@@ -0,0 +1,205 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Prepare OpenLDAP installation to use the rfc2307bis schema
+  ansible.builtin.include_tasks: 'prepare_rfc2307bis.yml'
+  when: (slapd__rfc2307bis_enabled | bool and
+         (ansible_local is undefined or ansible_local.slapd is undefined))
+
+- name: Initialize BaseDN value in debconf using a DNS domain
+  ansible.builtin.debconf:
+    name: 'slapd'
+    question: '{{ item }}'
+    vtype: 'string'
+    value: '{{ slapd__domain }}'
+  loop: [ 'slapd/domain', 'shared/organization' ]
+
+- name: Install OpenLDAP packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (slapd__base_packages
+                              + slapd__schema_packages
+                              + slapd__packages)) }}'
+    state: 'present'
+  register: slapd__register_packages
+  until: slapd__register_packages is succeeded
+
+- name: Allow access to additional UNIX groups by the OpenLDAP service
+  ansible.builtin.user:
+    name: '{{ slapd__user }}'
+    groups: '{{ slapd__additional_groups }}'
+    append: True
+    state: 'present'
+  register: slapd__register_unix_groups
+
+- name: Divert the OpenLDAP environment file
+  debops.debops.dpkg_divert:
+    path: '/etc/default/slapd'
+
+- name: Generate the OpenLDAP environment file
+  ansible.builtin.template:
+    src: 'etc/default/slapd.j2'
+    dest: '/etc/default/slapd'
+    mode: '0644'
+  register: slapd__register_environment
+
+- name: Restart slapd if its configuration was modified
+  ansible.builtin.service:  # noqa no-handler
+    name: 'slapd'
+    state: 'restarted'
+  when: slapd__register_unix_groups is changed or
+        slapd__register_environment is changed
+
+- name: Ensure that the log directory exists
+  ansible.builtin.file:
+    path: '{{ slapd__log_dir }}'
+    state: 'directory'
+    owner: '{{ slapd__user }}'
+    group: '{{ slapd__group }}'
+    mode: '0750'
+
+- name: Install helper scripts
+  ansible.builtin.copy:
+    src: 'usr/local/sbin/'
+    dest: '/usr/local/sbin/'
+    mode: '0755'
+  tags: [ 'role::slapd:scripts' ]
+
+- name: Ensure that DebOps schema directory exists
+  ansible.builtin.file:
+    path: '{{ slapd__debops_schema_path }}'
+    state: 'directory'
+    mode: '0755'
+
+- name: Copy custom DebOps schemas to the OpenLDAP host
+  ansible.builtin.copy:
+    src: 'etc/ldap/schema/debops/'
+    dest: '{{ slapd__debops_schema_path + "/" }}'
+    mode: '0644'
+
+- name: Load custom LDAP schemas
+  ansible.builtin.script: 'script/ldap-load-schema {{ item }}'
+  loop: '{{ q("flattened", slapd__combined_schemas) }}'
+  register: slapd__register_load_schemas
+  changed_when: (slapd__register_load_schemas.stdout | d() and
+                 (item | basename | regex_replace('.schema$', '') + ' already exists in the LDAP, skipping…')
+                 not in slapd__register_load_schemas.stdout_lines)
+  tags: [ 'role::slapd:schema' ]
+
+- name: Ensure that additional database directories exist
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: '{{ slapd__user }}'
+    group: '{{ slapd__group }}'
+    mode: '0755'
+  loop: '{{ slapd__additional_database_dirs }}'
+
+- name: Configure backup snapshots as cron jobs
+  ansible.builtin.cron:
+    name: 'Create {{ item }} backup snapshots of OpenLDAP databases'
+    special_time: '{{ item }}'
+    cron_file: 'slapd-snapshot'
+    user: 'root'
+    state: '{{ slapd__snapshot_deploy_state
+               if (item in slapd__snapshot_cron_jobs)
+               else "absent" }}'
+    job: '/usr/local/sbin/slapd-snapshot {{ item }}'
+  loop: [ 'daily', 'weekly', 'monthly' ]
+  loop_control:
+    label: '{{ {"state": (slapd__snapshot_deploy_state
+                          if (item in slapd__snapshot_cron_jobs)
+                          else "absent"),
+                "cron_job": item} }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save OpenLDAP server local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/slapd.fact.j2'
+    dest: '/etc/ansible/facts.d/slapd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Perform OpenLDAP tasks
+  ansible.builtin.include_tasks: 'slapd_tasks.yml'
+  loop: '{{ q("flattened", slapd__combined_tasks) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"state": item.state,
+                "dn": item.dn,
+                "attributes": item.attributes | d({})} }}'
+  when: item.name | d() and item.dn | d() and
+        item.state | d('present') not in [ 'init', 'ignore' ]
+  tags: [ 'role::slapd:tasks' ]
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True
+                  if ("userPassword" in (item.attributes | d({})).keys() or
+                      "olcRootPW" in (item.attributes | d({})).keys())
+                  else False) }}'
+
+- name: Remove slapacl test suite if requested
+  ansible.builtin.file:
+    path: '{{ slapd__slapacl_script }}'
+    state: 'absent'
+  when: slapd__slapacl_deploy_state == 'absent'
+  tags: [ 'role::slapd:slapacl', 'role::slapd:tasks' ]
+
+- name: Perform OpenLDAP slapacl tasks
+  ansible.builtin.include_tasks: 'slapd_tasks.yml'
+  loop: '{{ q("flattened", slapd__slapacl_combined_tasks) | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"state": item.state,
+                "dn": item.dn,
+                "attributes": item.attributes | d({})} }}'
+  when: slapd__slapacl_deploy_state == 'present' and
+        item.name | d() and item.dn | d() and
+        item.state | d('present') not in [ 'init', 'ignore' ]
+  tags: [ 'role::slapd:slapacl', 'role::slapd:tasks' ]
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True
+                  if ("userPassword" in (item.attributes | d({})).keys() or
+                      "olcRootPW" in (item.attributes | d({})).keys())
+                  else False) }}'
+
+- name: Generate slapacl test suite script
+  ansible.builtin.template:
+    src: 'etc/ldap/slapacl-test-suite.j2'
+    dest: '{{ slapd__slapacl_script }}'
+    group: '{{ slapd__group }}'
+    mode: '0750'
+  register: slapd__register_slapacl_script
+  when: slapd__slapacl_deploy_state == 'present'
+  tags: [ 'role::slapd:slapacl', 'role::slapd:tasks' ]
+
+- name: Test ACL rules using slapacl
+  environment:
+    SLAPACL_STDOUT: 'false'
+  ansible.builtin.command: '{{ slapd__slapacl_script }}'
+  become: True
+  become_user: '{{ slapd__user }}'
+  register: slapd__register_slapacl_test
+  when: slapd__slapacl_deploy_state == 'present' and
+        slapd__slapacl_run_tests | bool
+  changed_when: slapd__register_slapacl_test.stderr | d()
+  tags: [ 'role::slapd:slapacl', 'role::slapd:tasks' ]
diff --git a/ansible_collections/debops/debops/roles/slapd/tasks/prepare_rfc2307bis.yml b/ansible_collections/debops/debops/roles/slapd/tasks/prepare_rfc2307bis.yml
new file mode 100644
index 00000000..86ae5dea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/tasks/prepare_rfc2307bis.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install APT packages with rfc2307bis LDAP schema
+  ansible.builtin.package:
+    name: '{{ slapd__rfc2307bis_packages }}'
+    state: 'present'
+  register: slapd__register_rfc2307bis_packages
+  until: slapd__register_rfc2307bis_packages is succeeded
+
+- name: Divert the original NIS schema included in Debian
+  debops.debops.dpkg_divert:
+    path: '/etc/ldap/schema/{{ item }}'
+  loop:
+    - 'nis.schema'
+    - 'nis.ldif'
+
+- name: Convert FusionDirectory rfc2307bis schema to ldif
+  ansible.builtin.shell: schema2ldif rfc2307bis.schema > rfc2307bis.ldif
+  args:
+    creates: '/etc/ldap/schema/fusiondirectory/rfc2307bis.ldif'
+    chdir: '/etc/ldap/schema/fusiondirectory'
+  when: '"fusiondirectory-schema" in slapd__rfc2307bis_packages'
+
+- name: Symlink the new rfc2307bis schema in place of NIS schema
+  ansible.builtin.file:
+    state: 'link'
+    path: '/etc/ldap/schema/{{ item | replace("rfc2307bis", "nis") }}'
+    src: '{{ (("fusiondirectory-schema" in slapd__rfc2307bis_packages)
+              | ternary("fusiondirectory", "gosa")) + "/" + item }}'
+    mode: '0644'
+  loop: [ 'rfc2307bis.schema', 'rfc2307bis.ldif' ]
+  when: not ansible_check_mode | bool
diff --git a/ansible_collections/debops/debops/roles/slapd/tasks/slapd_tasks.yml b/ansible_collections/debops/debops/roles/slapd/tasks/slapd_tasks.yml
new file mode 100644
index 00000000..2bf02946
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/tasks/slapd_tasks.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  community.general.ldap_entry:
+    dn:          '{{ item.dn if (item.dn is string) else item.dn | join(",") }}'
+    objectClass: '{{ item.objectClass | d(omit) }}'
+    attributes:  '{{ item.attributes | d(omit) }}'
+    state:       '{{ item.entry_state | d(item.state) }}'
+  run_once:      '{{ item.run_once | d(False) }}'
+  when: (item.objectClass | d() or item.entry_state | d()) and item.state not in ['init', 'ignore']
+  tags: [ 'role::slapd:tasks', 'role::slapd:slapacl' ]
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True
+                  if ("userPassword" in (item.attributes | d({})).keys() or
+                      "olcRootPW" in (item.attributes | d({})).keys())
+                  else False) }}'
+
+- name: '{{ item.name }}'  # noqa name[casing]
+  community.general.ldap_attrs:
+    dn:         '{{ item.dn if (item.dn is string) else item.dn | join(",") }}'
+    attributes: '{{ item.attributes | d({}) }}'
+    ordered:    '{{ item.ordered | d(False) }}'
+    state:      '{{ item.state }}'
+  run_once:     '{{ item.run_once | d(False) }}'
+  when: not item.objectClass | d() and not item.entry_state | d() and item.state not in ['init', 'ignore']
+  tags: [ 'role::slapd:tasks', 'role::slapd:slapacl' ]
+  no_log: '{{ debops__no_log | d(item.no_log)
+              | d(True
+                  if ("userPassword" in (item.attributes | d({})).keys() or
+                      "olcRootPW" in (item.attributes | d({})).keys())
+                  else False) }}'
diff --git a/ansible_collections/debops/debops/roles/slapd/templates/etc/ansible/facts.d/slapd.fact.j2 b/ansible_collections/debops/debops/roles/slapd/templates/etc/ansible/facts.d/slapd.fact.j2
new file mode 100644
index 00000000..b88c0a5b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/templates/etc/ansible/facts.d/slapd.fact.j2
@@ -0,0 +1,24 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('slapd')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/slapd/templates/etc/default/slapd.j2 b/ansible_collections/debops/debops/roles/slapd/templates/etc/default/slapd.j2
new file mode 100644
index 00000000..966c117c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/templates/etc/default/slapd.j2
@@ -0,0 +1,51 @@
+{# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="{{ slapd__user }}"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="{{ slapd__group }}"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="{{ q('flattened', slapd__services) | join(' ') }}"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/ansible_collections/debops/debops/roles/slapd/templates/etc/ldap/slapacl-test-suite.j2 b/ansible_collections/debops/debops/roles/slapd/templates/etc/ldap/slapacl-test-suite.j2
new file mode 100644
index 00000000..ff77ed98
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/slapd/templates/etc/ldap/slapacl-test-suite.j2
@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Script generated by the 'debops.slapd' Ansible role
+# Test the current OpenLDAP Access Control List rules against the defined policy
+
+# Usage:
+#
+# slapacl-test-suite
+#     run standalone to see only policy errors
+#
+# slapacl-test-suite | more
+#     see all policy rules and their status
+#
+# slapacl-test-suite 2 > /tmp/errors
+#     redirect errors to /tmp/errors
+
+set -o nounset  #-o pipefail -o errexit
+
+
+print_acl () {
+    if [ ! -t 1 ] && [ "${print_stdout}" = "true" ] ; then
+        if [ "${stdout_has_started}" -gt 0 ] ; then
+            printf "\n"
+        fi
+        stdout_has_started=1
+        printf "test: %s\ndn: \"%s\"\n" "${test_name}" "${test_dn}"
+        printf "%s\n" "${results}"
+    fi
+}
+
+check_single_acl () {
+    if printf "%s\n" "${results}" | grep -q ": ${policy}" ; then
+        if [ ! -t 2 ] && [ -t 1 ] ; then
+            printf "."
+        fi
+        if [ ! -t 1 ] && [ "${print_stdout}" = "true" ] ; then
+            if [ "${stdout_has_started}" -gt 0 ] ; then
+                printf "\n"
+            fi
+            stdout_has_started=1
+            if [ -t 2 ] ; then
+                stderr_has_started=1
+            fi
+            printf "test: %s\ndn: \"%s\"\n" "${test_name}" "${test_dn}"
+            printf "%s\n" "${results}" | grep "authcDN: "
+            printf "%s\n" "${results}" | grep -v "authcDN: "
+            printf "policy: %s\n" "${policy}"
+            if [ -n "${options}" ] ; then
+                printf "options: %s\n" "${options}"
+            fi
+        fi
+    else
+        if [ ! -t 2 ] && [ -t 1 ] ; then
+            printf "X"
+        fi
+        if [ "${stderr_has_started}" -gt 0 ] ; then
+            printf "\n" 1>&2
+        fi
+        test_has_errors=1
+        stderr_has_started=1
+        printf "test: %s\ndn: \"%s\"\n" "${test_name}" "${test_dn}" 1>&2
+        printf "%s\n" "${results}" | grep "authcDN: " 1>&2
+        printf "%s\n" "${results}" | grep -v "authcDN: " 1>&2
+        printf "policy: %s\n" "${policy}" 1>&2
+        if [ -n "${options}" ] ; then
+            printf "options: %s\n" "${options}" 1>&2
+        fi
+    fi
+}
+
+check_multi_acl () {
+    if printf "%s\n" "${results}" | grep -v "authcDN: " | diff -u - <( printf "%s\n" "${test_case}" ) > /dev/null ; then
+        if [ ! -t 2 ] ; then
+            printf "."
+        fi
+        if [ ! -t 1 ] && [ "${print_stdout}" = "true" ] ; then
+            if [ "${stdout_has_started}" -gt 0 ] ; then
+                printf "\n"
+            fi
+            stdout_has_started=1
+            if [ -t 2 ] ; then
+                stderr_has_started=1
+            fi
+            printf "test: %s\ndn: \"%s\"\n" "${test_name}" "${test_dn}"
+            printf "%s\n" "${results}"
+            if [ -n "${options}" ] ; then
+                printf "options: %s\n" "${options}"
+            fi
+        fi
+    else
+        if [ ! -t 2 ] ; then
+            printf "X"
+        fi
+        if [ "${stderr_has_started}" -gt 0 ] ; then
+            printf "\n" 1>&2
+        fi
+        test_has_errors=1
+        stderr_has_started=1
+        printf "test: %s\ndn: \"%s\"\n" "${test_name}" "${test_dn}" 1>&2
+        printf "%s\n" "${results}" | grep "authcDN: " 1>&2
+        printf "%s\n" "${results}" | grep -v "authcDN: " | diff -u - <( printf "%s\n" "${test_case}" ) | grep -v -E '(\-\-\-|\+\+\+|@@)' 1>&2
+        if [ -n "${options}" ] ; then
+            printf "options: %s\n" "${options}" 1>&2
+        fi
+    fi
+}
+
+test_has_errors=0
+stdout_has_started=0
+stderr_has_started=0
+print_stdout="${SLAPACL_STDOUT:-true}"
+
+if [ ! -t 2 ] && [ -t 1 ] ; then
+    printf "Testing OpenLDAP ACL policies "
+fi
+
+{% for element in slapd__slapacl_combined_tests | debops.debops.parse_kv_items(merge_keys=['queries']) %}
+{%   if element.name | d() and element.dn | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if not loop.first %}
+
+{%     endif %}
+{%     set check_command = 'print_acl' %}
+{%     set slapacl_command = [ 'slapacl', '-b', '"${test_dn}"' ] %}
+{%     if element.authdn is defined %}
+{%       set _ = slapacl_command.extend([ '-D', '"${test_authdn}"' ]) %}
+{%     elif element.uid is defined %}
+{%       set _ = slapacl_command.extend([ '-U', '"${test_uid}"' ]) %}
+{%     endif %}
+{%     if element.authzid is defined %}
+{%       set _ = slapacl_command.extend([ '-X', '"${test_authzid}"' ]) %}
+{%     endif %}
+{%     if (element.dry_run | d()) | bool %}
+{%       set _ = slapacl_command.extend([ '-u' ]) %}
+{%     endif %}
+{%     if element.debug | d() %}
+{%       set _ = slapacl_command.extend([ '-d', '"${debug}"' ]) %}
+{%     endif %}
+{%     if element.options | d() %}
+{%       set _ = slapacl_command.extend( (element.options | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) | map('regex_replace', '^(.*)$', '-o \\1') | list ) %}
+{%     endif %}
+{%     if element.queries | d() %}
+{%       set check_command = 'check_multi_acl' %}
+{%       set _ = slapacl_command.extend( (element.queries | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) | map('regex_replace', '^(.*)$', '"\\1"') | list ) %}
+{%     elif element.query | d('entry') and element.policy | d() %}
+{%       set check_command = 'check_single_acl' %}
+{%       set _ = slapacl_command.extend( [ '"' + element.query | d('entry') + '"' ] ) %}
+{%     endif %}
+{%     set _ = slapacl_command.extend( [ '2>&1' ] ) %}
+{%     if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+test_name="{{ element.name }}"
+test_dn="{{ element.dn }}"
+{%     if element.queries | d() %}
+unset policy
+test_case="{{ element.queries | selectattr('state', 'equalto', 'present') | selectattr('result', 'defined') | map(attribute='result') | list | join('\n') }}"
+{%     elif element.query | d('entry') and element.policy | d() %}
+{%       if element.policy in [ 'allow', 'allowed', 'accept', 'grant', 'permit' ] %}
+policy="ALLOWED"
+{%       elif element.policy in [ 'disallow', 'denied', 'reject', 'revoke', 'deny' ] %}
+policy="DENIED"
+{%       else %}
+policy="{{ element.policy }}"
+{%       endif %}
+{%     endif %}
+{%     if element.debug | d() %}
+debug="{{ element.debug }}"
+{%     endif %}
+{%     if element.options is defined %}
+options="{{ (element.options | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) | join(' ') | regex_replace('"','\\"') }}"
+{%     else %}
+options=""
+{%     endif %}
+{%     if element.authdn is defined %}
+test_authdn="{{ element.authdn }}"
+{%     elif element.uid is defined %}
+test_uid="{{ element.uid }}"
+{%     endif %}
+{%     if element.authzid is defined %}
+test_authzid="{{ element.authzid }}"
+{%     endif %}
+results="$({{ slapacl_command | join(' ') }})"
+{{ check_command }}
+{%   endif %}
+{% endfor %}
+
+if [ "${test_has_errors}" -eq 0 ] ; then
+    if [ ! -t 2 ] && [ -t 1 ] ; then
+        printf "\n"
+    fi
+else
+    if [ ! -t 2 ] && [ -t 1 ] ; then
+        printf " done, errors found\n"
+    fi
+    exit 1
+fi
diff --git a/ansible_collections/debops/debops/roles/smstools/COPYRIGHT b/ansible_collections/debops/debops/roles/smstools/COPYRIGHT
new file mode 100644
index 00000000..0b544d22
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.smstools - Manage SMS Gateway using Ansible
+
+Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/smstools/defaults/main.yml b/ansible_collections/debops/debops/roles/smstools/defaults/main.yml
new file mode 100644
index 00000000..4e145982
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/defaults/main.yml
@@ -0,0 +1,262 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _smstools__ref_defaults:
+
+# debops.smstools default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# ---- TCP -> SMS gateway ----
+
+# .. envvar:: smstools_service_allow [[[
+#
+# List of IP addresses or CIDR network ranges which are allowed to access TCP
+# service
+smstools_service_allow: []
+
+                                                                   # ]]]
+# ---- mail -> SMS gateway ----
+
+# Settings for subdomains and domains which are used to send messages to SMS
+# gateway
+
+# .. envvar:: smstools_mail_transport_subdomain [[[
+#
+# Subdomain for SMS transport
+smstools_mail_transport_subdomain: 'sms'
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_alias_subdomain [[[
+#
+# Subdomain for mail aliases which are resolved to mobile numbers
+smstools_mail_alias_subdomain: 'gsm'
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_domain [[[
+#
+# Main domain used by this role
+smstools_mail_domain: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_transport_domain [[[
+#
+# Domains that combine above subdomains with main host domain
+smstools_mail_transport_domain: '{{ smstools_mail_transport_subdomain }}.{{ smstools_mail_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_alias_domain [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+smstools_mail_alias_domain: '{{ smstools_mail_alias_subdomain }}.{{ smstools_mail_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools_default_country_prefix [[[
+#
+# Default country prefix (with +) to add if number has only 9 digits
+smstools_default_country_prefix: ''
+
+                                                                   # ]]]
+# .. envvar:: smstools_default_senders [[[
+#
+# List of default mail senders that are allowed to send mail messages to mobile
+# recipients
+# Options:
+#    - name: 'mail@example.com'            # required
+#      state: 'permit/deny'                # optional
+smstools_default_senders:
+  - name: 'root@{{ smstools_mail_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools_senders [[[
+#
+# Additional list of mail senders
+smstools_senders: []
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_recipients [[[
+#
+# Hash table which specifies mail alias to mobile number mapping. Aliases will
+# be generated in a domain specified with smstools_mail_alias_* variables
+smstools_mail_recipients: {}
+  #'recipient1': [ '+00123123123' ]
+  #'recipient2': [ '+00123123123', '+00321321321' ]
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_aliases [[[
+#
+# Hash table which specifies aliases for groups of recipients from
+# smstools_mail_recipients table. Aliases will be created in a domain specified
+# with smstools_mail_alias_* variables
+smstools_mail_aliases: {}
+  #'alias': [ 'recipient1', 'recipient2' ]
+
+                                                                   # ]]]
+# .. envvar:: smstools_mail_msgdel_list [[[
+#
+# List of regexps which will be used to find and remove strings in SMS messages
+# before they are sent
+smstools_mail_msgdel_list: []
+  #- 'linux'
+  #- '^Ansible'
+
+                                                                   # ]]]
+# .. envvar:: smstools_sms_log [[[
+#
+# Log sent SMS messages for accounting purposes, use monthly log rotation, logs
+# should be kept for 2 years
+smstools_sms_log: '/var/log/sms.log'
+
+                                                                   # ]]]
+# .. envvar:: smstools_sms_log_rotation [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+smstools_sms_log_rotation: 'monthly'
+
+                                                                   # ]]]
+# .. envvar:: smstools_sms_log_rotation_interval [[[
+#
+# FIXME(yaml4rst): Describe what this variable is doing.
+smstools_sms_log_rotation_interval: '{{ (12 * 2) }}'
+
+                                                                   # ]]]
+# ---- SMS gateway testing ----
+
+# .. envvar:: smstools_test_recipients [[[
+#
+# List of mobile numbers to send a test message to on host reboot
+# Example: [ '+00123123123' ]
+smstools_test_recipients: []
+
+                                                                   # ]]]
+# .. envvar:: smstools_test_message [[[
+#
+# Test message to send on host reboot
+smstools_test_message: 'This is a test of the SMS gateway on {{ ansible_fqdn }} sent at $(date)'
+
+                                                                   # ]]]
+# ---- smstools options ----
+
+# .. envvar:: smstools_sleep [[[
+#
+# Time between queue checks, in seconds
+smstools_sleep: 1
+
+                                                                   # ]]]
+# .. envvar:: smstools_stats_interval [[[
+#
+# Generate modem stats once a day
+smstools_stats_interval: '{{ (60 * 60 * 24) | round | int }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools_global_options [[[
+#
+# Hash with options configured in /etc/smsd.conf
+smstools_global_options:
+  delaytime: '{{ smstools_sleep }}'
+  delaytime_mainprocess: '{{ smstools_sleep }}'
+  receive_before_send: no
+  autosplit: 3
+  loglevel: 5
+
+                                                                   # ]]]
+# .. envvar:: smstools_devices [[[
+#
+# List of modems known to smsd, by default it's configured to use one modem on
+# serial interface
+smstools_devices:
+  - name: 'GSM1'
+    device: '/dev/ttyS0'
+    options:
+      baudrate: 115200
+      incoming: yes
+
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: smstools__etc_services__dependent_list [[[
+#
+# Configuration for the debops.etc_services_ Ansible role.
+smstools__etc_services__dependent_list:
+
+  - name: '{{ smstools_service_name }}'
+    port: '{{ smstools_service_port }}'
+    comment: 'SMS service'
+
+                                                                   # ]]]
+# .. envvar:: smstools__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the debops.tcpwrappers_ Ansible role.
+smstools__tcpwrappers__dependent_allow:
+
+  - daemon: '{{ smstools_service_name }}'
+    client: '{{ smstools_service_allow }}'
+    weight: '50'
+    filename: 'smstools_dependency_allow'
+    comment: 'Allow connections to SMS service'
+
+                                                                   # ]]]
+# .. envvar:: smstools__ferm__dependent_rules [[[
+#
+# Configuration for the debops.ferm_ Ansible role.
+smstools__ferm__dependent_rules:
+
+  - name: 'smstools_accept'
+    type: 'accept'
+    dport: [ '{{ smstools_service_name }}' ]
+    saddr: '{{ smstools_service_allow }}'
+
+                                                                   # ]]]
+# .. envvar:: smstools__postfix__dependent_maincf [[[
+#
+# The Postfix 'main.cf' configuration for the debops.postfix_ Ansible role.
+smstools__postfix__dependent_maincf:
+
+  - name: 'recipient_canonical_maps'
+    value: [ 'texthash:/usr/local/lib/smstools/postfix_recipient_canonical_map' ]
+
+  - name: 'transport_maps'
+    value: [ 'texthash:/usr/local/lib/smstools/postfix_transport' ]
+
+  - name: 'relay_domains'
+    value: [ '{{ smstools_mail_transport_domain }}' ]
+
+  - name: 'relay_recipient_maps'
+    value: [ 'regexp:/usr/local/lib/smstools/postfix_relay_recipient_map' ]
+
+  - name: 'virtual_alias_domains'
+    value: [ '{{ smstools_mail_alias_domain }}' ]
+
+  - name: 'virtual_alias_maps'
+    value: [ 'texthash:/usr/local/lib/smstools/postfix_virtual_alias_map' ]
+
+  - name: 'sms_destination_recipient_limit'
+    value: 1
+
+                                                                   # ]]]
+# .. envvar:: smstools__postfix__dependent_mastercf [[[
+#
+# The Postfix 'master.cf' configuration for the debops.postfix_ Ansible role.
+smstools__postfix__dependent_mastercf:
+
+  - name: 'sms'
+    type: 'unix'
+    unpriv: False
+    chroot: False
+    maxproc: 1
+    args: |
+      flags=hqu user=smsd argv=/usr/local/lib/smstools/sms-transport
+      ${sender} ${mailbox}
+    command: 'pipe'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/smstools/meta/main.yml b/ansible_collections/debops/debops/roles/smstools/meta/main.yml
new file mode 100644
index 00000000..fefef55d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Create an TCP-SMS and mail-SMS gateway using a GSM modem'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - sms
+    - notification
diff --git a/ansible_collections/debops/debops/roles/smstools/tasks/main.yml b/ansible_collections/debops/debops/roles/smstools/tasks/main.yml
new file mode 100644
index 00000000..b69c233f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/tasks/main.yml
@@ -0,0 +1,194 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install SMS Tools packages
+  ansible.builtin.package:
+    name: '{{ item }}'
+    state: 'present'
+  with_items: [ 'smstools', 'xinetd', 'libconfig-tiny-perl' ]
+  register: smstools__register_packages
+  until: smstools__register_packages is succeeded
+
+- name: Check current smsd home directory
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit && getent passwd smsd | grep "/home/smsd" || true
+  args:
+    executable: 'bash'
+  register: smstools_register_home
+  changed_when: False
+
+- name: Stop smsd for home directory change
+  ansible.builtin.service:
+    name: 'smstools'
+    state: 'stopped'
+  when: smstools_register_home is defined and smstools_register_home.stdout | d()
+
+- name: Fix smsd home directory
+  ansible.builtin.user:
+    name: 'smsd'
+    home: '/var/spool/sms'
+  when: smstools_register_home is defined and smstools_register_home.stdout | d()
+
+- name: Start smsd with new home directory
+  ansible.builtin.service:
+    name: 'smstools'
+    state: 'started'
+  when: smstools_register_home is defined and smstools_register_home.stdout | d()
+
+- name: Configure smsd
+  ansible.builtin.template:
+    src: 'etc/smsd.conf.j2'
+    dest: '/etc/smsd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart smstools' ]
+
+- name: Make sure /srv/users home directory exists
+  ansible.builtin.file:
+    dest: '/srv/users'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0751'
+
+- name: Create SMS service system group
+  ansible.builtin.group:
+    name: '{{ smstools_service_group }}'
+    system: True
+    state: 'present'
+
+- name: Create SMS service system user
+  ansible.builtin.user:
+    name: '{{ smstools_service_user }}'
+    group: '{{ smstools_service_group }}'
+    system: True
+    home: '{{ smstools_service_home }}'
+    state: 'present'
+    shell: '/bin/false'
+
+- name: Create directory for SMS service scripts
+  ansible.builtin.file:
+    dest: '/usr/local/lib/smstools'
+    state: 'directory'
+    owner: 'root'
+    group: 'staff'
+    mode: '0755'
+
+- name: Install smsd scripts
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'smsd'
+    group: 'sms'
+    mode: '0750'
+  with_items: [ 'usr/local/bin/sendsms',
+                'usr/local/lib/smstools/sms-service',
+                'usr/local/lib/smstools/sms-transport',
+                'usr/local/lib/smstools/test-sms-on-reboot' ]
+
+- name: Install root scripts
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0750'
+  with_items: [ 'usr/local/lib/smstools/fix-device-permissions' ]
+
+- name: Install Postfix configuration files
+  ansible.builtin.template:
+    src: 'usr/local/lib/smstools/{{ item }}.j2'
+    dest: '/usr/local/lib/smstools/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'postfix_recipient_canonical_map', 'postfix_transport',
+                'postfix_relay_recipient_map', 'postfix_virtual_alias_map' ]
+  notify: [ 'Reload postfix' ]
+
+- name: Configure access to sendsms via sudo
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/smstools.j2'
+    dest: '/etc/sudoers.d/smstools'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  when: (ansible_local | d() and ansible_local.sudo | d() and
+         (ansible_local.sudo.installed | d()) | bool)
+
+- name: Configure xinetd SMS service
+  ansible.builtin.template:
+    src: 'etc/xinetd.d/sms.j2'
+    dest: '/etc/xinetd.d/sms'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reload xinetd' ]
+
+- name: Configure mail to SMS transport
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: [ 'etc/sms-senders', 'etc/sms-msgdel', 'etc/sms-transport.conf' ]
+
+- name: Fix device permissions on boot in OpenVZ containers
+  ansible.builtin.lineinfile:
+    dest: '/etc/rc.local'
+    state: 'present'
+    insertbefore: '^exit 0'
+    regexp: '^/usr/local/lib/smstools/fix-device-permissions'
+    line: '/usr/local/lib/smstools/fix-device-permissions'
+    mode: '0755'
+  register: smstools_register_fixpermissions
+  when: (ansible_virtualization_type is defined and ansible_virtualization_type == 'openvz') and
+        (ansible_virtualization_role is defined and ansible_virtualization_role == 'guest')
+
+- name: Fix permissions manually if installed
+  ansible.builtin.command: /usr/local/lib/smstools/fix-device-permissions  # noqa no-handler
+  register: smstools__register_fix_perms
+  changed_when: smstools__register_fix_perms.changed | bool
+  when: smstools_register_fixpermissions is defined and smstools_register_fixpermissions is changed
+
+- name: Configure SMS gateway test on reboot
+  ansible.builtin.cron:
+    name: 'SMS gateway test on reboot'
+    user: '{{ smstools_service_user }}'
+    job: '/usr/local/lib/smstools/test-sms-on-reboot'
+    special_time: 'reboot'
+    state: 'present'
+  when: (smstools_test_recipients is defined and smstools_test_recipients)
+
+- name: Check if rsyslog is installed
+  ansible.builtin.stat:
+    path: '/etc/rsyslog.d'
+  register: smstools_register_rsyslog
+
+- name: Configure syslog
+  ansible.builtin.template:
+    src: 'etc/rsyslog.d/smstools.conf.j2'
+    dest: '/etc/rsyslog.d/smstools.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart rsyslogd' ]
+  when: (smstools_register_rsyslog is defined and smstools_register_rsyslog) and
+        smstools_register_rsyslog.stat.exists
+
+- name: Configure logrotate
+  ansible.builtin.template:
+    src: 'etc/logrotate.d/sms.j2'
+    dest: '/etc/logrotate.d/sms'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: (smstools_register_rsyslog is defined and smstools_register_rsyslog) and
+        smstools_register_rsyslog.stat.exists
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/logrotate.d/sms.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/logrotate.d/sms.j2
new file mode 100644
index 00000000..d62bb8ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/logrotate.d/sms.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+{{ smstools_sms_log }} {
+	rotate {{ smstools_sms_log_rotation_interval | default('52') }}
+	{{ smstools_sms_log_rotation | default('weekly') }}
+	missingok
+	notifempty
+	compress
+	delaycompress
+}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/rsyslog.d/smstools.conf.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/rsyslog.d/smstools.conf.j2
new file mode 100644
index 00000000..08e8a5e7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/rsyslog.d/smstools.conf.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Send copy of SMS gateway logs to a separate log file for accounting
+if $programname == 'sms-transport' then {{ smstools_sms_log }}
+if $programname == 'sms-service' then {{ smstools_sms_log }}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-msgdel.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-msgdel.j2
new file mode 100644
index 00000000..8a7df083
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-msgdel.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# List of regexps of strings to remove from SMS messages
+{% if smstools_mail_msgdel_list is defined and smstools_mail_msgdel_list %}
+{% for regexp in smstools_mail_msgdel_list %}
+{{ regexp }}
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-senders.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-senders.j2
new file mode 100644
index 00000000..4eed4b34
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-senders.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# List of e-mail accounts or domains allowed to send SMS messages
+{% if smstools_default_senders is defined and smstools_default_senders %}
+{% for sender in smstools_default_senders %}
+{% if sender.state is undefined or (sender.state is defined and sender.state == 'permit') %}
+{{ "%-40s permit" | format(sender.name + ":") }}
+{% else %}
+{{ "%-40s deny" | format(sender.name + ":") }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if smstools_senders is defined and smstools_senders %}
+{% for sender in smstools_senders %}
+{% if sender.state is undefined or (sender.state is defined and sender.state == 'permit') %}
+{{ "%-40s permit" | format(sender.name + ":") }}
+{% else %}
+{{ "%-40s deny" | format(sender.name + ":") }}
+{% endif %}
+{% endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-transport.conf.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-transport.conf.j2
new file mode 100644
index 00000000..5c243891
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/sms-transport.conf.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Configuration for sms-transport mail service
+
+# Path to sendsms script to be used to send SMS messages
+sendsms = {{ smstools_mail_transport_sendsms }}
+
+# Path to file with list of allowed or denied sender addresses/domains
+senders = {{ smstools_mail_transport_senders }}
+
+# Max length of an SMS message to send
+maxchars = {{ smstools_mail_transport_maxchars }}
+
+# Regexp list of strings to remove from SMS messages
+msgdel = {{ smstools_mail_transport_msgdel }}
+
+# Debug option, change to 1 to make scripts more verbose
+debug = 0
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/smsd.conf.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/smsd.conf.j2
new file mode 100644
index 00000000..cd86f8af
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/smsd.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# /etc/smsd.conf
+#
+# Description: Main configuration file for smsd
+
+devices = {% for modem in smstools_devices %}{{ modem.name }}{% if not loop.last %}, {% endif %}{% endfor %}
+
+# Global options
+{% for key, value in smstools_global_options.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+outgoing = /var/spool/sms/outgoing
+checked = /var/spool/sms/checked
+incoming = /var/spool/sms/incoming
+logfile = /var/log/smstools/smsd.log
+infofile = /var/run/smstools/smsd.working
+pidfile = /var/run/smstools/smsd.pid
+outgoing = /var/spool/sms/outgoing
+checked = /var/spool/sms/checked
+failed = /var/spool/sms/failed
+incoming = /var/spool/sms/incoming
+sent = /var/spool/sms/sent
+
+stats = /var/log/smstools/smsd_stats
+stats_interval = {{ smstools_stats_interval }}
+stats_no_zeroes = yes
+
+{% for modem in smstools_devices %}
+[{{ modem.name }}]
+device = {{ modem.device }}
+{% for key, value in modem.options.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/sudoers.d/smstools.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/sudoers.d/smstools.j2
new file mode 100644
index 00000000..63bf2b94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/sudoers.d/smstools.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+%{{ smstools_service_group }} ALL = (smsd) NOPASSWD: /usr/local/bin/sendsms
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/etc/xinetd.d/sms.j2 b/ansible_collections/debops/debops/roles/smstools/templates/etc/xinetd.d/sms.j2
new file mode 100644
index 00000000..c93ca25c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/etc/xinetd.d/sms.j2
@@ -0,0 +1,24 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# SMS service configuration for xinetd
+# only_from is not required, xinetd in Debian is secured using tcpwrappers
+# (/etc/hosts.allow, /etc/hosts.deny)
+
+service {{ smstools_service_name }}
+{
+	disable		= no
+	server		= /usr/local/lib/smstools/sms-service
+	port		= {{ smstools_service_port }}
+	socket_type	= stream
+	protocol	= tcp
+	libwrap		= {{ smstools_service_name }}
+	user		= {{ smstools_service_user }}
+	group		= {{ smstools_service_group }}
+	wait		= no
+	instances	= 10
+	nice		= -18
+}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/bin/sendsms.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/bin/sendsms.j2
new file mode 100755
index 00000000..f842de77
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/bin/sendsms.j2
@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# This script sends a text message at the command line by creating
+# a sms file in the outgoing queue.
+
+# $1 is the destination phone number.
+# $2 is the message text.
+# If you leave $2 or both empty, the script will ask you.
+# If you give more than 2 arguments, last is taken as a text and
+# all other are taken as destination numbers.
+# If a destination is asked, you can type multiple numbers
+# delimited with spaces.
+
+# Keys for example: "password" and "keke":
+#KEYS="5f4dcc3b5aa765d61d8327deb882cf99 4a5ea11b030ec1cfbc8b9947fdf2c872 "
+
+KEYS=""
+
+# When creating keys, remember to use -n for echo:
+# echo -n "key" | md5sum
+
+smsd_user="smsd"
+
+# Will need echo which accepts -n argument:
+ECHO="echo"
+case $(uname) in
+  SunOS)
+    ECHO="/usr/ucb/echo"
+    ;;
+esac
+
+if [ -n "$KEYS" ]; then
+  printf "Key: "
+  read -r KEY
+  if [ -z "$KEY" ]; then
+    echo "Key required, stopping."
+    exit 1
+  fi
+  KEY="$($ECHO -n "$KEY" | md5sum | awk '{print $1;}')"
+  if ! echo "$KEYS" | grep "$KEY" >/dev/null; then
+    echo "Incorrect key, stopping."
+    exit 1
+  fi
+fi
+
+DEST=$1
+TEXT=$2
+
+if [ -z "$DEST" ]; then
+  printf "Destination(s): "
+  read -r DEST
+  if [ -z "$DEST" ]; then
+    echo "No destination, stopping."
+    exit 1
+  fi
+fi
+
+if [ -z "$TEXT" ]; then
+  printf "Text: "
+  read -r TEXT
+  if [ -z "$TEXT" ]; then
+    echo "No text, stopping."
+    exit 1
+  fi
+fi
+
+if [ $# -gt 2 ]; then
+  n=$#
+  while [ "$n" -gt 1 ]; do
+    destinations="$destinations $1"
+    shift
+    n=$(( n - 1 ))
+  done
+  TEXT=$1
+else
+  destinations=$DEST
+fi
+
+echo "-- "
+echo "Text: $TEXT"
+
+ALPHABET=""
+if type iconv > /dev/null 2>&1; then
+  if ! $ECHO -n "$TEXT" | iconv -t ISO-8859-15 >/dev/null 2>&1; then
+    ALPHABET="Alphabet: UCS"
+  fi
+fi
+
+owner=""
+if [ -f /etc/passwd ]; then
+  if grep $smsd_user: /etc/passwd >/dev/null; then
+    owner=$smsd_user
+  fi
+fi
+
+for destination in $destinations
+do
+  echo "To: $destination"
+
+  TMPFILE="$(mktemp /tmp/smsd_XXXXXXXXXXXX)"
+
+  $ECHO "To: $destination" >> "$TMPFILE"
+  [ -n "$ALPHABET" ] && $ECHO "$ALPHABET" >> "$TMPFILE"
+  $ECHO "" >> "$TMPFILE"
+  if [ -z "$ALPHABET" ]; then
+    $ECHO -n "$TEXT" >> "$TMPFILE"
+  else
+    $ECHO -n "$TEXT" | iconv -t UNICODEBIG >> "$TMPFILE"
+  fi
+
+  if [ -n "$owner" ]; then
+    chown $owner "$TMPFILE"
+  fi
+
+  FILE="$(mktemp /var/spool/sms/outgoing/send_XXXXXXXXXXXX)"
+  mv "$TMPFILE" "$FILE"
+done
+
+# vim:ft=sh
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/fix-device-permissions.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/fix-device-permissions.j2
new file mode 100755
index 00000000..465e0bde
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/fix-device-permissions.j2
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# Fix device permissions (needed in OpenVZ containers)
+
+owner='root'
+group='dialout'
+mode='ug=rw'
+
+read -r -a modem_devices <<< "{{ smstools_devices | selectattr('device', 'defined') | map(attribute='device') | list | join(' ') }}"
+
+for modem in "${modem_devices[@]}" ; do
+    if [ -e "${modem}" ]; then
+        chown ${owner}:${group} "${modem}"
+        chmod ${mode} "${modem}"
+    fi
+done
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_recipient_canonical_map.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_recipient_canonical_map.j2
new file mode 100644
index 00000000..38c6f9ab
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_recipient_canonical_map.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Postfix rewrite map used to rewrite short recipient addresses to long
+# recipient addresses for SMS messages
+{{ "%-40s %s" | format('@' + smstools_mail_alias_subdomain, '@' + smstools_mail_alias_domain) }}
+{{ "%-40s %s" | format('@' + smstools_mail_transport_subdomain, '@' + smstools_mail_transport_domain) }}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_relay_recipient_map.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_relay_recipient_map.j2
new file mode 100644
index 00000000..2e2983b4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_relay_recipient_map.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Postfix relay_recipient_maps table, should accept only correctly formatted
+# mobile numbers
+{% for regexp in [ '^[0-9]{9}', '^[0-9]{11}', '^\+[0-9]{11}' ] %}
+{{ "%-40s OK" | format('/' + regexp + '@' + smstools_mail_transport_domain + '/') }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_transport.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_transport.j2
new file mode 100644
index 00000000..a723ca6d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_transport.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Postfix transport_maps configuration to relay mail messages to SMS gateway
+{{ "%-40s %s" | format(smstools_mail_transport_domain, smstools_service_name + ":") }}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_virtual_alias_map.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_virtual_alias_map.j2
new file mode 100644
index 00000000..31aa92dd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/postfix_virtual_alias_map.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# This file is managed by Ansible, all changes will be lost
+
+# Mapping of aliases in {{ smstools_mail_alias_domain }} domain to mobile
+# numbers in {{ smstools_mail_transport_domain }} domain, for Postfix
+# virtual_alias_maps.
+
+{% if smstools_mail_recipients is defined and smstools_mail_recipients %}
+{% for alias, recipients in smstools_mail_recipients.items() %}
+{% if recipients is defined and recipients %}
+{{ "%-40s" | format(alias + '@' + smstools_mail_alias_domain) }} {% for number in recipients %}{{ number + '@' + smstools_mail_transport_domain }}{% if not loop.last %}, {% endif %}{% endfor %}
+
+{% endif %}
+{% endfor %}
+
+{% endif %}
+{% if smstools_mail_aliases is defined and smstools_mail_aliases %}
+{% for alias, recipients in smstools_mail_aliases.items() %}
+{% if recipients is defined and recipients %}
+{{ "%-40s" | format(alias + '@' + smstools_mail_alias_domain) }} {% for alias in recipients %}{{ alias + '@' + smstools_mail_alias_domain }}{% if not loop.last %}, {% endif %}{% endfor %}
+
+{% endif %}
+{% endfor %}
+
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-service.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-service.j2
new file mode 100755
index 00000000..83f040f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-service.j2
@@ -0,0 +1,65 @@
+#!/usr/bin/env perl
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# Simple service script which listens on a port and passes message to send to
+# sendsms script. Use with xinetd for best results.
+
+# This is a very simple wrapper to send SMS messages, uses SMTP status codes
+# for responses. This should be probably rewritten to post SMS messages
+# directly to smsd queue, support better sanitization, security features and
+# error handling.
+
+# Change current directory to home of 'sms' user.
+chdir "{{ smstools_service_home }}";
+
+$myname="sms-service";
+$facility='mail';
+my $mypid=$$;	# global, even when we fork
+
+sub syslog {
+	my ($level,$msg)=@_;
+	my $pri=$facility.".".$level;
+	$ENV{'HOME'}="/tmp";
+	$ENV{'PATH'}="";
+	$ENV{'BASH_ENV'}="";
+	# the way we're calling system makes it easy to trust $msg
+	# as long as it's not too big, so we just untaint it
+	if ($msg =~ /(.*)/s) {
+		$msg=$1;
+	} else {
+		die "Problem with untainting log message\n";
+	}
+	$msg =~ s/\n/ /g;
+	$msg = substr($msg,0,255)
+		if length($msg) > 255;
+	system("/usr/bin/logger","-p",$pri,"-t",$myname."[".$mypid."]","--",$msg);
+}
+
+# New connection, waiting for input
+$input = <STDIN>;
+
+if ($input =~ /(QUIT|BYE)/i) {
+	print "221 Bye\n";
+} elsif ($input =~ /TEXT\s+([0-9]{9})\s+(.+)/i) {
+	system("/usr/bin/sudo -u smsd /usr/local/bin/sendsms {{ smstools_default_country_prefix }}$1 '$2' > /dev/null");
+	syslog('info',"from=<unknown>, prefix=<{{ smstools_default_country_prefix }}>, to=<$1>, size=".length($2).", msg=[$2]\n");
+	print "OK\n";
+} elsif ($input =~ /TEXT\s+([0-9]{11})\s+(.+)/i) {
+	system("/usr/bin/sudo -u smsd /usr/local/bin/sendsms +$1 '$2' > /dev/null");
+	syslog('info',"from=<unknown>, prefix=<+>, to=<$1>, size=".length($2).", msg=[$2]\n");
+	print "OK\n";
+} elsif ($input =~ /TEXT\s+(\+[0-9]{11})\s+(.+)/i) {
+	system("/usr/bin/sudo -u smsd /usr/local/bin/sendsms $1 '$2' > /dev/null");
+	syslog('info',"from=<unknown>, to=<$1>, size=".length($2).", msg=[$2]\n");
+	print "OK\n";
+} else {
+	print "500 Command not recognized\n";
+	exit;
+}
+
+# vim:ft=perl
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-transport.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-transport.j2
new file mode 100755
index 00000000..3dad7285
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/sms-transport.j2
@@ -0,0 +1,313 @@
+#!/usr/bin/perl -Tw
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This file is managed by Ansible, all changes will be lost
+
+# sms transport for postfix
+# uses smstools for delivery
+#
+#-------------------------------------------------------------------
+# Jeremy Laidman, AnswerZ
+# Version 1.0 - March 2003
+# Maciej Delmanowski <drybjed@gmail.com>, DebOps project
+# Version 2.0 - July 2014
+#
+# Installation into postfix:
+#
+# 1) Copy this script into /usr/local/lib/smstools/sms-transport
+#
+# 2) Create the user "sms" with their own group "sms", eg:
+#	useradd -r sms -c "SMS Delivery User for Postfix"
+#
+# 3) Add these lines
+#	/etc/postfix/transport:
+#		sms.example.com    sms:
+#
+#	/etc/postfix/master.cf
+#		sms     unix    -       n       n       -       1       pipe
+#		   flags=hqu user=sms argv=/usr/local/lib/smstools/sms-transport ${sender} ${mailbox}
+#
+# 4) Add "sms.example.com" to relay_domains parameter in main.cf
+#
+# 5) Run "postfix reload".
+#
+# 6) Send mail to number@sms.example.com
+#
+# 7) Create alias entries mapping usernames to numbers
+#	/etc/postfix/aliases
+#		freddy:	0412555555@sms.example.com
+#
+# 8) Run "newaliases".
+#
+# 9) Send mail to freddy.
+#
+#-------------------------------------------------------------------
+# Configuration Options Here (will be in config file one day)
+
+# if non-empty, will reject messages not from matching addresses
+# a leading dot means any subdomain
+# if empty, allows from anyone
+# if non-mepty there's an implicit '' => 'deny'
+
+use Config::Tiny;
+
+$config_file = "/etc/sms-transport.conf";
+
+my $config = Config::Tiny->read($config_file);
+
+$senders_file = $config->{_}->{senders};
+$msgdel_file = $config->{_}->{msgdel};
+$sendsms_path = $config->{_}->{sendsms};
+$maxsmschars = $config->{_}->{maxchars};
+$debug = $config->{_}->{debug};
+
+my %sender_addresses;
+my @msgdel;
+
+#-------------------------------------------------------------------
+
+# We receive the sender address as @ARGV[0], the number as @ARGV[1]
+# and the message body on STDIN.  We should only receive one message
+# per user.
+#
+# All headers are stripped and only the body is sent.
+#
+# Any recipients in the wrong format are bounced with EX_NOUSER=67.
+# Errors in calling sendsms are assumed to be temporary and are answered
+# with EX_TEMPFAIL=75.  Messages with senders (from-space) that don't
+# end in anything in the local domains list are bounced with EX_NOPERM=77.
+#
+#-------------------------------------------------------------------
+#
+# Constants for returning status back to postfix.
+# (see sysexits.h for the full list)
+$EX_NOUSER	= 67;
+$EX_TEMPFAIL	= 75;
+$EX_NOPERM	= 77;
+$EX_NOINPUT	= 66;
+#-------------------------------------------------------------------
+
+my $sender;
+my $recipient;
+my $message;
+
+#-------------------------------------------------------------------
+
+$myname="sms-transport";
+$facility='mail';
+my $mypid=$$;	# global, even when we fork
+
+sub syslog {
+	my ($level,$msg)=@_;
+	my $pri=$facility.".".$level;
+	$ENV{'HOME'}="/tmp";
+	$ENV{'PATH'}="";
+	$ENV{'BASH_ENV'}="";
+	# the way we're calling system makes it easy to trust $msg
+	# as long as it's not too big, so we just untaint it
+	if ($msg =~ /(.*)/s) {
+		$msg=$1;
+	} else {
+		die "Problem with untainting log message\n";
+	}
+	$msg =~ s/\n/ /g;
+	$msg = substr($msg,0,255)
+		if length($msg) > 255;
+	system("/usr/bin/logger","-p",$pri,"-t",$myname."[".$mypid."]","--",$msg);
+}
+
+sub bailout {
+	my ($rc,$msg)=@_;
+	print STDERR "$msg","\n";
+	syslog('error',$msg);
+	exit $rc;
+}
+
+sub check_perms {
+	my $sender=lc(shift);
+	my $test;
+	return 1 unless scalar(%sender_addresses);
+
+	# strip enclosing brackets except for <>
+	if ($sender =~ /<[^>]+>/) {
+		$sender=$1;
+	}
+
+	foreach $test (keys %sender_addresses) {
+		$test=lc($test);
+		if ($test =~ /\@/) {
+			# an email address
+			return 1
+				if $test eq $sender;
+		} else {
+			# a domain
+			$sender =~ s/^.*@//;
+			if ($test =~ /^\./) {
+				# allow subdomains
+				return 1
+					if $test eq $sender;
+				return 1
+					if $test eq substr($sender,-length($test));
+			} else {
+				# exact match only
+				return 1
+					if $test eq $sender;
+			}
+		}
+	}
+	return 0;	# failed
+}
+
+sub process_email {
+	my $in_headers=1;
+	my $msg="";
+	my $subject="";
+	my $sender;
+	my $linenum=0;
+
+	while(<STDIN>) {
+		chomp;
+		if ($in_headers) {
+			# headers
+			if (length($_) == 0) {
+				$in_headers=0;
+				next;
+			}
+			if ($_ =~ /^Subject:\s*/) {
+				$subject=$_;
+			}
+		} else {
+			# body
+			$msg .= "\r\n" if $msg =~ /\S/;
+			$msg .= $_;
+		}
+		last if $linenum++ > 500;
+	}
+
+	# no body?  return subject
+	$msg = $subject if (!length($msg));
+
+	return $msg;
+}
+
+sub send_message {
+	my $recipient_local=shift;
+	my $message_local=shift;
+
+	if ($recipient_local =~ /^([0-9]{9}|[0-9]{11}|\+[0-9]{11})$/) {
+		$recipient_num=$1;	# now is untainted
+	}
+	if ($message_local =~ /^(.+)$/) {
+		$message=$1;            # now is untained
+	}
+
+	if (length($message) > $maxsmschars) {
+		syslog('info',"Truncated message from ".length($message)." to ".$maxsmschars."-3 chars\n");
+		$message=substr($message,0,$maxsmschars-3)."...";
+	}
+
+	(-x $sendsms_path)
+		|| bailout($EX_TEMPFAIL,"Unable to exec $sendsms_path: $!");
+	$ENV{'HOME'}="/tmp";
+	$ENV{'PATH'}="/bin:/usr/bin";
+	exec($sendsms_path,"$recipient_num","$message")
+		|| bailout($EX_TEMPFAIL,"Unable to exec $sendsms_path: $!");
+	# will never get here
+}
+
+sub clean_message {
+	my $msg=shift;
+	$msg =~ s/(\r\n)+$//;	# remove trailing crlf
+	# delete message bits that we don't want
+	my $regex;
+	my $changed=0;
+	foreach $regex (@msgdel) {
+		syslog('debug',"Testing if msg [$msg] matches /$regex/")
+			if $debug;
+		if ($msg =~ s/$regex//) {
+			$changed++;
+		}
+	}
+	if ($changed) {
+		syslog('debug',"Message deletions - new message: [$msg]\n")
+			if $debug;
+	}
+	return $msg;
+}
+
+# -------------------------------------------------------------------
+
+$0 .= "";
+
+$sender_given=$ARGV[0];
+$recipient_given=$ARGV[1];
+if (defined($sender_given) and $sender_given =~ /([-A-Za-z0-9_+]+\@[-A-Za-z0-9.]+)/) {
+	$sender=$1;	# now is untainted
+} else {
+	bailout($EX_NOUSER,"Sender address not given")
+		if !defined($sender_given);
+	bailout($EX_NOUSER,"Invalid sender address: $sender_given");
+}
+if (defined($recipient_given) and $recipient_given =~ /^([0-9]{9})$/) {
+	$recipient="{{ smstools_default_country_prefix }}$1";	# now is untainted
+} elsif (defined($recipient_given) and $recipient_given =~ /^([0-9]{11})$/) {
+	$recipient="+$1";	# now is untainted
+} elsif (defined($recipient_given) and $recipient_given =~ /^(\+[0-9]{11})$/) {
+	$recipient="$1";	# now is untainted
+} else {
+	bailout($EX_NOUSER,"Mobile number not given")
+		if !defined($recipient_given);
+	bailout($EX_NOUSER,"Not a mobile number: <$recipient_given>");
+	exit $EX_NOUSER;
+}
+
+open(FILE,"<$senders_file") or die "Unable to get list of senders from $senders_file: $!\n";
+while(<FILE>) {
+	chomp;
+	next if /^\s*#/;
+	next if /^\s*$/;
+	# lines are colon-delimited, like aliases
+	my ($addr,$perm);
+	($addr,$perm)=split(/\s*:\s*/);
+	next unless defined($addr) and length($addr);
+	next unless defined($perm) and length($perm);
+	$perm=lc($perm);
+	if ($perm =~ /(permit|deny)/) {
+		$sender_addresses{$addr}=$1;
+	}
+}
+close(FILE);
+
+if (open(FILE,"<$msgdel_file")) {
+	while(<FILE>) {
+		chomp;
+		next if /^\s*#/;
+		next if /^\s*$/;
+		# each line is a regex
+		push @msgdel,$_;
+	}
+	close(FILE);
+	syslog('debug',"Message deletions read in: ".join(',',@msgdel)."\n")
+			if $debug;
+}
+
+$message=process_email;
+$message=clean_message($message);
+length($message) ||
+	bailout($EX_NOINPUT,"No message body - nothing to send");
+
+syslog('info',"from=<$sender>, to=<$recipient>, size=".length($message).", msg=[$message]\n");
+
+if (!check_perms($sender)) {
+	bailout($EX_NOPERM,"Permission denied for <$sender>");
+}
+
+send_message($recipient,$message);
+syslog('info',"sendsms sent message OK\n");
+
+# ALl OK if it got this far.
+
+# vim:ft=perl
diff --git a/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/test-sms-on-reboot.j2 b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/test-sms-on-reboot.j2
new file mode 100755
index 00000000..ffa689ef
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/templates/usr/local/lib/smstools/test-sms-on-reboot.j2
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# This is a script that should be run on reboot. It will send a test SMS
+# message to specified recipients to confirm that SMS gateway is working
+# correctly.
+
+PATH="/bin:/usr/bin:/usr/local/bin"
+
+test_message="{{ smstools_test_message }}"
+read -r -a test_recipients <<< "{{ smstools_test_recipients | join(' ') }}"
+
+if [[ "${test_recipients[*]}" ]] ; then
+    for recipient in "${test_recipients[@]}" ; do
+        /usr/bin/sudo -u smsd /usr/local/bin/sendsms "${recipient}" "${test_message}" > /dev/null
+    done
+fi
diff --git a/ansible_collections/debops/debops/roles/smstools/vars/main.yml b/ansible_collections/debops/debops/roles/smstools/vars/main.yml
new file mode 100644
index 00000000..691fc98e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/smstools/vars/main.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Settings for system user account
+smstools_service_user: 'sms'
+smstools_service_group: 'sms'
+smstools_service_home: '/srv/users/{{ smstools_service_user }}'
+
+# Settings for TCP service (name and port)
+smstools_service_name: 'sms'
+smstools_service_port: '9898'
+
+# Settings for mail transport script
+smstools_mail_transport_sendsms: '/usr/local/bin/sendsms'
+smstools_mail_transport_senders: '/etc/sms-senders'
+smstools_mail_transport_msgdel: '/etc/sms-msgdel'
+smstools_mail_transport_maxchars: '158'
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/COPYRIGHT b/ansible_collections/debops/debops/roles/snapshot_snapper/COPYRIGHT
new file mode 100644
index 00000000..1c0d538c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/COPYRIGHT
@@ -0,0 +1,19 @@
+snapshot_snapper - Configure snapshots with snapper
+
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/defaults/main.yml b/ansible_collections/debops/debops/roles/snapshot_snapper/defaults/main.yml
new file mode 100644
index 00000000..5b0c1bb3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/defaults/main.yml
@@ -0,0 +1,158 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _snapshot_snapper__ref_defaults:
+
+# debops-contrib.snapshot_snapper default variables [[[
+# =====================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Required packages [[[
+# ---------------------
+
+# .. envvar:: snapshot_snapper__base_packages [[[
+#
+# List of base packages to install.
+snapshot_snapper__base_packages:
+  - 'snapper'
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__packages [[[
+#
+# List of optional packages to install.
+# If the ``mlocate`` package is listed, the :envvar:`snapshot_snapper__directory`
+# will be excluded from mlocate. (Currently ``mlocate`` is required to be installed for this role).
+snapshot_snapper__packages:
+  - 'mlocate'
+                                                                   # ]]]
+                                                                   # ]]]
+# Snapper templates [[[
+# ---------------------
+
+# .. envvar:: snapshot_snapper__templates [[[
+#
+# Sets the global default settings for snapper. If empty, the default of snapper
+# will be left unchanged.
+#
+# Example:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    snapshot_snapper__templates:
+#      default:
+#        TIMELINE_LIMIT_HOURLY: 12
+#        TIMELINE_LIMIT_DAILY: 10
+#        TIMELINE_LIMIT_MONTHLY: 6
+#        TIMELINE_LIMIT_YEARLY: 0
+#
+snapshot_snapper__templates: {}
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__host_group_templates [[[
+#
+# Sets the host group default settings for snapper.
+snapshot_snapper__host_group_templates: {}
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__host_templates [[[
+#
+# Sets the host default settings for snapper.
+snapshot_snapper__host_templates: {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Volume configuration [[[
+# ------------------------
+
+# .. envvar:: snapshot_snapper__volumes [[[
+#
+# "Global" list of volumes to snapshot.
+#
+# ``path``
+#   String, required. Path of the volume.
+#
+# ``name``
+#   String, required. Name of the volume. Only used by snapper.
+#
+# ``template``
+#   String, optional. Defaults to ``default``.
+#   Name of the template to base the configuration on.
+#
+# ``config``
+#   Dictionary of strings, optional.
+#   Allows you to overwrite a setting from the template.
+#
+# ``state``
+#   String, optional. Defaults to ``present``.
+#   Choices ``present``, ``absent``.
+#
+# Example:
+#
+# .. code-block:: yaml
+#    :linenos:
+#
+#    snapshot_snapper__volumes:
+#      - path: '/'
+#        name: 'root'
+#        template: 'common'
+#        config:
+#          TIMELINE_LIMIT_MONTHLY: 9
+#          TIMELINE_LIMIT_YEARLY: 2
+#
+snapshot_snapper__volumes: []
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__host_group_volumes [[[
+#
+# "Host group" list of volumes to snapshot.
+snapshot_snapper__host_group_volumes: []
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__host_volumes [[[
+#
+# "Host" list of volumes to snapshot.
+snapshot_snapper__host_volumes: []
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__auto_reinit [[[
+#
+# Automatically reinitialize the snapshots for a volume if the directory
+# containing the actual snapshots has vanished.
+# This can be useful if the volume has been reformatted but the old snapper
+# configuration is still in place.
+# All what snapper does in such case is to return "IO Error." when trying to
+# work with this volume configuration.
+#
+# When this option is set to ``True``, the role will do some manually
+# intervention to automatically fix this if necessary.
+snapshot_snapper__auto_reinit: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Role internal configuration [[[
+# -------------------------------
+
+# .. envvar:: snapshot_snapper__directory [[[
+#
+# Name of the directory in the root of the volume containing the snapshots and
+# metadata.
+snapshot_snapper__directory: '.snapshots'
+
+                                                                   # ]]]
+# .. envvar:: snapshot_snapper__divert_files [[[
+#
+# List of files which the role will divert.
+snapshot_snapper__divert_files:
+  - '/etc/updatedb.conf'
+  - '/etc/snapper/config-templates/default'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/changelog.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/changelog.rst
new file mode 100644
index 00000000..ee2c9731
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/copyright.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/copyright.rst
new file mode 100644
index 00000000..37ca8d76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/getting-started.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/getting-started.rst
new file mode 100644
index 00000000..0ecef820
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/getting-started.rst
@@ -0,0 +1,55 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To configure volume snapshots on host given in
+``debops_service_snapshot_snapper`` Ansible inventory group:
+
+.. code:: ini
+
+    [debops_service_snapshot_snapper]
+    hostname
+
+Example playbook
+----------------
+
+Here's an example playbook that uses the ``debops-contrib.snapshot_snapper`` role:
+
+.. literalinclude:: playbooks/snapshot_snapper.yml
+   :language: yaml
+   :lines: 1,5-
+
+The playbooks is shipped with this role under
+:file:`./docs/playbooks/snapshot_snapper.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::snapshot_snapper``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::snapshot_snapper:reinit``
+  Execute tasks related to automatic reinitialization of volume snapshots.
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/includes/all.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/includes/all.rst
new file mode 100644
index 00000000..07ba5bdc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/index.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/index.rst
new file mode 100644
index 00000000..1b79bf8b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.snapshot_snapper:
+
+Ansible role: debops-contrib.snapshot_snapper
+=============================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/introduction.rst b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/introduction.rst
new file mode 100644
index 00000000..a64547bb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/introduction.rst
@@ -0,0 +1,31 @@
+.. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016-2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+Snapper can manage snapshots for the following filesystems and volume managers:
+
+* btrfs
+* ext4
+* lvm2
+
+This role allows to setup and configure snapper with Ansible.
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.3``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.snapshot_snapper
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/docs/playbooks/snapshot_snapper.yml b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/playbooks/snapshot_snapper.yml
new file mode 100644
index 00000000..e782c39a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/docs/playbooks/snapshot_snapper.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure volume snapshots with snapper
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_snapshot_snapper' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: snapshot_snapper
+      tags: [ 'role::snapshot_snapper' ]
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/meta/main.yml b/ansible_collections/debops/debops/roles/snapshot_snapper/meta/main.yml
new file mode 100644
index 00000000..28af52b0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Configure snapshots with snapper'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - snapshot
+    - snapper
+    - filesystem
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/configure_snapper_volume.yml b/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/configure_snapper_volume.yml
new file mode 100644
index 00000000..ef9540e1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/configure_snapper_volume.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+  ## Alternative: `snapper -c home set-config ALLOW_GROUPS=user` but it gives no feedback if it changed something.
+  ## FIXME: ALLOW_USERS and SYNC_ACL should be changed via ``snapper`` to work properly.
+- name: Configure snapper volume
+  ansible.builtin.lineinfile:
+    dest: '/etc/snapper/configs/{{ snapshot_snapper__volume.name }}'
+    regexp: '^{{ item.key }}='
+    line: '{{ item.key }}="{{ item.value }}"'
+    mode: '0644'
+  with_dict: '{{ (snapshot_snapper__templates_combined[snapshot_snapper__volume.template | d("default")] | d({}))
+                 | combine(snapshot_snapper__volume.config | d({})) }}'
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/main.yml b/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/main.yml
new file mode 100644
index 00000000..febd473c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/tasks/main.yml
@@ -0,0 +1,162 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+# Combine snapper inventory variables [[[
+- name: Combine snapper inventory variables
+  ansible.builtin.set_fact:
+    snapshot_snapper__templates_combined: '{{
+                snapshot_snapper__templates
+      | combine(snapshot_snapper__host_group_templates, recursive=True)
+      | combine(snapshot_snapper__host_templates, recursive=True) }}'
+    snapshot_snapper__volumes_combined: '{{
+      (snapshot_snapper__volumes | list) +
+      (snapshot_snapper__host_group_volumes | list) +
+      (snapshot_snapper__host_volumes | list) }}'
+    snapshot_snapper__combined_packages: '{{
+      (snapshot_snapper__base_packages | list) +
+      (snapshot_snapper__packages | list) }}'
+  tags:
+    - 'role::snapshot_snapper:reinit'
+# .. ]]]
+
+# Installation [[[
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", snapshot_snapper__combined_packages) }}'
+    state: 'present'
+  register: snapshot_snapper__register_packages
+  until: snapshot_snapper__register_packages is succeeded
+
+# .. ]]]
+
+# Configure updatedb to exclude snapshots [[[
+- name: 'Divert original configuration under /etc'
+  debops.debops.dpkg_divert:
+    path: '{{ item }}'
+  register: snapshot_snapper__updatedb_diverted_register
+  when: ansible_os_family in ["Debian"]
+  loop: '{{ snapshot_snapper__divert_files | flatten }}'
+
+- name: Copy diverted configuration file to original location
+  ansible.builtin.copy:  # noqa no-handler
+    src: '{{ item }}.dpkg-divert'
+    dest: '{{ item }}'
+    remote_src: True
+    force: False
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: snapshot_snapper__updatedb_diverted_register is changed
+  loop: '{{ q("flattened", snapshot_snapper__divert_files) }}'
+
+- name: Check if snapshots are already excluded from updatedb
+  ansible.builtin.command: grep PRUNENAMES=.*{{ snapshot_snapper__directory }}.* /etc/updatedb.conf
+  failed_when: False
+  changed_when: False
+  check_mode: False
+  when: snapshot_snapper__directory | d() and "mlocate" in snapshot_snapper__combined_packages
+  register: snapshot_snapper__register_updatedb_configured
+
+- name: Configure updatedb to exclude snapshots
+  ansible.builtin.lineinfile:
+    dest: '/etc/updatedb.conf'
+    backrefs: yes
+    regexp: '^(# )?PRUNENAMES=(".*)"$'
+    line: 'PRUNENAMES=\2 {{ snapshot_snapper__directory }}"'
+    mode: '0644'
+  when: snapshot_snapper__register_updatedb_configured.rc != 0
+# .. ]]]
+
+# Automatic snapper volume reinitialization [[[
+- name: Check which snapper /etc/snapper/configs/ exist
+  ansible.builtin.stat:
+    path: '/etc/snapper/configs/{{ item.name }}'
+  when: (snapshot_snapper__auto_reinit | bool and item.path | d() and item.name | d() and
+         (item.state | d("present") == "present"))
+  register: snapshot_snapper__register_snapper_configs
+  tags: [ 'role::snapshot_snapper:reinit' ]
+  with_items: '{{ snapshot_snapper__volumes_combined }}'
+
+- name: Check which snapper snapshot directories exist
+  ansible.builtin.stat:
+    path: '{{ item.path + "/" + snapshot_snapper__directory }}'
+  when: (snapshot_snapper__auto_reinit | bool and item.path | d() and item.name | d() and
+         (item.state | d("present") == "present"))
+  tags: [ 'role::snapshot_snapper:reinit' ]
+  register: snapshot_snapper__register_snapshot_directory
+  with_items: '{{ snapshot_snapper__volumes_combined }}'
+
+- name: Delete snapper configuration to automatically reinit
+  ansible.builtin.file:
+    path: '/etc/snapper/configs/{{ item.0.item.name }}'
+    state: 'absent'
+  tags: [ 'role::snapshot_snapper:reinit' ]
+  when: (item.0 is not skipped and item.1 is not skipped and
+         item.0.stat.exists | d(item.0.stat.isreg) and not item.1.stat.exists)
+  register: snapshot_snapper__register_snapper_configs_delete
+  with_together:
+    - '{{ snapshot_snapper__register_snapper_configs.results }}'
+    - '{{ snapshot_snapper__register_snapshot_directory.results }}'
+
+- name: Get list of active snapper volumes
+  ansible.builtin.find:
+    file_type: 'file'
+    paths: [ '/etc/snapper/configs/' ]
+    hidden: False
+    recurse: False
+  register: snapshot_snapper__register_snapper_configs_current
+  when: (snapshot_snapper__auto_reinit | bool)
+  tags: [ 'role::snapshot_snapper:reinit' ]
+
+- name: Update active snapper volumes in /etc/default/snapper
+  ansible.builtin.lineinfile:
+    dest: '/etc/default/snapper'
+    state: 'present'
+    regexp: '^SNAPPER_CONFIGS="[^"]*"$'
+    line: 'SNAPPER_CONFIGS="{{
+           snapshot_snapper__register_snapper_configs_current.files
+           | map(attribute="path")
+           | map("replace", "/etc/snapper/configs/", "")
+           | join(" ") }}"'
+    mode: '0644'
+  when: (snapshot_snapper__auto_reinit | bool)
+  tags: [ 'role::snapshot_snapper:reinit' ]
+# .. ]]]
+
+# Configure snapper templates [[[
+- name: Configure snapper templates
+  ansible.builtin.template:
+    src: 'etc/snapper/config-templates/item.j2'
+    dest: '/etc/snapper/config-templates/{{ item.key }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_dict: '{{ snapshot_snapper__templates_combined }}'
+# .. ]]]
+
+# Create initial configuration per volume [[[
+- name: Create initial configuration per volume
+  ansible.builtin.command: snapper --config '{{ item.name | default("root") }}'
+           create-config
+           {{ ("'--template' '" + item.template + "'") if (item.template | d()) else '' }}
+           '{{ item.path }}'
+  args:
+    creates: '/etc/snapper/configs/{{ item.name }}'
+  when: (item.path | d() and item.name | d() and (item.state | d("present") == "present"))
+  with_items: '{{ snapshot_snapper__volumes_combined }}'
+# .. ]]]
+
+- name: Adjust configuration per volume
+  ansible.builtin.include_tasks: configure_snapper_volume.yml
+  loop_control:
+    loop_var: 'snapshot_snapper__volume'
+  with_items: '{{ snapshot_snapper__volumes_combined }}'
diff --git a/ansible_collections/debops/debops/roles/snapshot_snapper/templates/etc/snapper/config-templates/item.j2 b/ansible_collections/debops/debops/roles/snapshot_snapper/templates/etc/snapper/config-templates/item.j2
new file mode 100644
index 00000000..2ccc59bc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snapshot_snapper/templates/etc/snapper/config-templates/item.j2
@@ -0,0 +1,55 @@
+{# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2016-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+## {{ ansible_managed }}
+
+# subvolume to snapshot
+SUBVOLUME="{{ item.value.SUBVOLUME | d("/") }}"
+
+# filesystem type
+FSTYPE="{{ item.value.FSTYPE | d("btrfs") }}"
+
+
+# users and groups allowed to work with config
+ALLOW_USERS="{{ item.value.ALLOW_USERS | d("") }}"
+ALLOW_GROUPS="{{ item.value.ALLOW_GROUPS | d("") }}"
+
+# sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots
+# directory
+SYNC_ACL="{{ item.value.SYNC_ACL | d("no") }}"
+
+
+# start comparing pre- and post-snapshot in background after creating
+# post-snapshot
+BACKGROUND_COMPARISON="{{ item.value.BACKGROUND_COMPARISON | d("yes") }}"
+
+
+# run daily number cleanup
+NUMBER_CLEANUP="{{ item.value.NUMBER_CLEANUP | d("yes") }}"
+
+# limit for number cleanup
+NUMBER_MIN_AGE="{{ item.value.NUMBER_MIN_AGE | d("1800") }}"
+NUMBER_LIMIT="{{ item.value.NUMBER_LIMIT | d("50") }}"
+NUMBER_LIMIT_IMPORTANT="{{ item.value.NUMBER_LIMIT_IMPORTANT | d("10") }}"
+
+
+# create hourly snapshots
+TIMELINE_CREATE="{{ item.value.TIMELINE_CREATE | d("yes") }}"
+
+# cleanup hourly snapshots after some time
+TIMELINE_CLEANUP="{{ item.value.TIMELINE_CLEANUP | d("yes") }}"
+
+# limits for timeline cleanup
+TIMELINE_MIN_AGE="{{ item.value.TIMELINE_MIN_AGE | d("1800") }}"
+TIMELINE_LIMIT_HOURLY="{{ item.value.TIMELINE_LIMIT_HOURLY | d("10") }}"
+TIMELINE_LIMIT_DAILY="{{ item.value.TIMELINE_LIMIT_DAILY | d("10") }}"
+TIMELINE_LIMIT_MONTHLY="{{ item.value.TIMELINE_LIMIT_MONTHLY | d("10") }}"
+TIMELINE_LIMIT_YEARLY="{{ item.value.TIMELINE_LIMIT_YEARLY | d("10") }}"
+
+
+# cleanup empty pre-post-pairs
+EMPTY_PRE_POST_CLEANUP="{{ item.value.EMPTY_PRE_POST_CLEANUP | d("yes") }}"
+
+# limits for empty pre-post-pair cleanup
+EMPTY_PRE_POST_MIN_AGE="{{ item.value.EMPTY_PRE_POST_MIN_AGE | d("1800") }}"
diff --git a/ansible_collections/debops/debops/roles/snmpd/COPYRIGHT b/ansible_collections/debops/debops/roles/snmpd/COPYRIGHT
new file mode 100644
index 00000000..70a6b636
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.snmpd - Manage SNMP service using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/snmpd/defaults/main.yml b/ansible_collections/debops/debops/roles/snmpd/defaults/main.yml
new file mode 100644
index 00000000..7a4f6ebc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/defaults/main.yml
@@ -0,0 +1,386 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _snmpd__ref_defaults:
+
+# debops.snmpd default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Basic configuration options [[[
+# -------------------------------
+
+# .. envvar:: snmpd_packages [[[
+#
+# List of additional packages to install with ``snmpd``.
+snmpd_packages: []
+
+                                                                   # ]]]
+# .. envvar:: snmpd_user [[[
+#
+# The user account used by the :command:`snmpd` daemon.
+snmpd_user: '{{ "snmp"
+                if (ansible_distribution == "Ubuntu" and
+                    ansible_distribution_release not in ["bionic"])
+                else "Debian-snmp" }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_group [[[
+#
+# The group used by the :command:`snmpd` daemon.
+snmpd_group: '{{ "snmp"
+                 if (ansible_distribution == "Ubuntu" and
+                     ansible_distribution_release not in ["bionic"])
+                 else "Debian-snmp" }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_logging_options [[[
+#
+# String with ``snmpd`` log-related options, can be used to change log
+# verbosity for debugging.
+snmpd_logging_options: '-LScd'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_custom_options [[[
+#
+# Custom ``snmpd`` options written in YAML text block format,
+# inserted into ``/etc/snmp/snmpd.conf`` configuration file on
+# all hosts in the inventory.
+snmpd_custom_options: ''
+
+                                                                   # ]]]
+# .. envvar:: snmpd_group_custom_options [[[
+#
+# Custom ``snmpd`` options written in YAML text block format,
+# inserted into ``/etc/snmp/snmpd.conf`` configuration file on
+# hosts in specific inventory group.
+snmpd_group_custom_options: ''
+
+                                                                   # ]]]
+# .. envvar:: snmpd_host_custom_options [[[
+#
+# Custom ``snmpd`` options written in YAML text block format,
+# inserted into ``/etc/snmp/snmpd.conf`` configuration file on
+# specific hosts in the inventory.
+snmpd_host_custom_options: ''
+
+                                                                   # ]]]
+# .. envvar:: snmpd_combined_custom_options [[[
+#
+# List which combines all of the ``snmp_*_custom_options`` entries
+# together and is used in the role tasks and templates.
+snmpd_combined_custom_options: '{{ snmpd_custom_options
+                                   + snmpd_group_custom_options
+                                   + snmpd_host_custom_options }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_download_mibs [[[
+#
+# Download MIB definitions by default?
+snmpd_download_mibs: '{{ True
+                         if (ansible_local | d() and ansible_local.apt | d() and
+                             (ansible_local.apt.nonfree | d()) | bool)
+                         else False }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_extension_scripts [[[
+#
+# Path on the remote host where extension scripts are stored
+snmpd_extension_scripts: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
+                             + "/snmpd" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Network options, firewall, TCP wrappers [[[
+# -------------------------------------------
+
+# .. envvar:: snmpd_allow [[[
+#
+# List of IP addresses or CIDR networks which can connect to SNMP service
+# (global). If not specified, remote connections are blocked.
+snmpd_allow: []
+
+                                                                   # ]]]
+# .. envvar:: snmpd_group_allow [[[
+#
+# List of IP addresses or CIDR networks which can connect to SNMP service
+# (per Ansible group). If not specified, remote connections are blocked.
+snmpd_group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: snmpd_host_allow [[[
+#
+# List of IP addresses or CIDR networks which can connect to SNMP service
+# (per Ansible host). If not specified, remote connections are blocked.
+snmpd_host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: snmpd_local_allow [[[
+#
+# List of IP addresses or CIDR networks which can connect to SNMP service
+# (from localhost). If not specified, remote connections are blocked.
+snmpd_local_allow: '{{ ansible_all_ipv4_addresses | d([]) +
+                       (ansible_all_ipv6_addresses | d([])
+                        | difference(ansible_all_ipv6_addresses | d([])
+                                     | ansible.utils.ipaddr("link-local"))) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_agent_address [[[
+#
+# List of addresses on which to listen for incoming connections. By default
+# ``snmpd`` listens on all interfaces and firewall / TCP wrappers are used to
+# limit what remote hosts can connect.
+snmpd_agent_address: [ 'udp:0.0.0.0:161', 'udp6:[::]:161' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# sysLocation, sysContact, sysName SNMP variables [[[
+# ---------------------------------------------------
+
+# .. envvar:: snmpd_organization [[[
+#
+# Organization name used in ``sysLocation`` and ``sysContact`` SNMP variables.
+snmpd_organization: '{{ ansible_domain.split(".") | first | capitalize }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_location [[[
+#
+# String set as ``sysLocation`` SNMP variable.
+snmpd_sys_location: '{{ snmpd_organization + " " + snmpd_sys_location_name }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_location_name [[[
+#
+# Name of the "virtual" location, appended to the organization name derived
+# from DNS domain name.
+snmpd_sys_location_name: 'Data Center'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_contact [[[
+#
+# Contact information for a device set as ``sysContact`` SNMP variable.
+snmpd_sys_contact: '{{ snmpd_sys_contact_name + " <" + snmpd_sys_contact_email + ">" }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_contact_name [[[
+#
+# Name of the contact set as ``sysContact`` variable.
+snmpd_sys_contact_name: '{{ snmpd_organization + " System Administrator" }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_contact_email [[[
+#
+# E-mail address of the contact set as ``sysContact`` variable.
+snmpd_sys_contact_email: 'root@{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_sys_name [[[
+#
+# Host FQDN set as the ``sysName`` SNMP variable.
+snmpd_sys_name: '{{ ansible_fqdn }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# CPU load average monitoring [[[
+# -------------------------------
+
+# .. envvar:: snmpd_load [[[
+#
+# Enable or disable load average monitoring
+snmpd_load: True
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_profile [[[
+#
+# Name of the load average "profile" to use, see ``snmpd_load_percent_map`` and
+# ``snmpd_load_weight_map`` variables for list of profiles.
+snmpd_load_profile: 'default'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_percent [[[
+#
+# Name of the profile used to define amount of available CPU power taken into
+# account for load average profile calculation. See ``snmpd_load_percent_map``
+# variable for list of available profiles.
+snmpd_load_percent: '{{ snmpd_load_profile }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_weight [[[
+#
+# Name of the profile used to scale the load average profile calculation for
+# different time periods. See ``snmpd_load_percent_map`` variable for list of
+# available profiles.
+snmpd_load_weight: '{{ snmpd_load_profile }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_base [[[
+#
+# Base value used to calculate load average profiles - number of vCPU cores.
+snmpd_load_base:  '{{ ansible_processor_vcpus }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_percent_map [[[
+#
+# Dict with CPU percentage profiles.
+#
+# Each profile is a list of entries, 1 minute load average, 5 minutes and 15
+# minutes. Each entry defines how much of total CPU power available on a host
+# is taken into account, divided by number of virtual CPUs present; for example
+# with 4 vCPUs, 100% means 4 vCPUs, 50% means ~2 vCPUs, 200% means ~8 vCPUs,
+# and so on.
+#
+# Values lower than 100% mean that alerts will be fired earlier, values higher
+# than 100% give processes more time to do the work before firing the alerts.
+snmpd_load_percent_map:
+  'default': [ '90', '90', '100' ]
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_weight_map [[[
+#
+# Dict with load average weight profiles.
+#
+# Each profile is a list of entries, 1 minute load average, 5 minutes and 15
+# minutes. Each entry defines how the calculation for a particular average is
+# scaled. You can use this parameter to make each value lower (with less than
+# 1.0) or higher (with more than 1.0) and change the shape of the load average
+# profile independently of the number of cores available.
+#
+# It's hard to explain, essentially it's another parameter which you can use to
+# tune the load average monitoring.
+snmpd_load_weight_map:
+  'default': [ '1.5', '1.7', '1.8' ]
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_1min [[[
+#
+# 1 minute load average value which will trigger a SNMP trap.
+snmpd_load_1min:  '{{ (((snmpd_load_base | float) *
+                      (snmpd_load_percent_map[snmpd_load_percent][0] | float) / 100) | float *
+                       snmpd_load_weight_map[snmpd_load_weight][0] | float) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_5min [[[
+#
+# 5 minute load average value which will trigger a SNMP trap.
+snmpd_load_5min:  '{{ (((snmpd_load_base | float) *
+                      (snmpd_load_percent_map[snmpd_load_percent][1] | float) / 100) | float *
+                       snmpd_load_weight_map[snmpd_load_weight][1] | float) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_load_15min [[[
+#
+# 15 minute load average value which will trigger a SNMP trap.
+snmpd_load_15min: '{{ (((snmpd_load_base | float) *
+                      (snmpd_load_percent_map[snmpd_load_percent][2] | float) / 100) | float *
+                       snmpd_load_weight_map[snmpd_load_weight][2] | float) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Process monitoring [[[
+# ----------------------
+
+# .. envvar:: snmpd_proc_hidepid [[[
+#
+# Should the ``debops.snmpd`` add the ``snmp`` user account to a group that has
+# access to the ``/proc`` filesystem?
+snmpd_proc_hidepid: '{{ True
+                        if (ansible_local | d() and ansible_local.proc_hidepid | d() and
+                            (ansible_local.proc_hidepid.enabled | d()) | bool)
+                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_proc_hidepid_group [[[
+#
+# Name of the system group which ``snmp`` user will be added to to get
+# information about processes.
+snmpd_proc_hidepid_group: '{{ ansible_local.proc_hidepid.group | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SNMPv3 admin, agent and local accounts [[[
+# ------------------------------------------
+
+# .. envvar:: snmpd_account [[[
+#
+# Enable or disable automatic creation of "admin" (RW), "agent" (RO) and
+# "local" (RO) SNMPv3 accounts.
+snmpd_account: True
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_username_length [[[
+#
+# Length of the randomly generated usernames.
+snmpd_account_username_length: '16'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_password_length [[[
+#
+# Length of the randomly generated passwords.
+snmpd_account_password_length: '48'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_admin_username [[[
+#
+# Randomly generated, global SNMPv3 username of administrator account,
+# read-write, deactivated after ``snmpd`` is configured.
+snmpd_account_admin_username: '{{ lookup("password", secret +
+                                  "/snmp/credentials/admin/username chars=ascii_letters,digits length=" +
+                                  snmpd_account_username_length) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_admin_password [[[
+#
+# Randomly generated, global SNMPv3 password of administrator account,
+# read-write, deactivated after ``snmpd`` is configured.
+snmpd_account_admin_password: '{{ lookup("password", secret +
+                                  "/snmp/credentials/admin/password chars=ascii_letters,digits,hexdigits length=" +
+                                  snmpd_account_password_length) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_agent_username [[[
+#
+# Randomly generated, global SNMPv3 username of agent account, read-only.
+snmpd_account_agent_username: '{{ lookup("password", secret +
+                                  "/snmp/credentials/agent/username chars=ascii_letters,digits length=" +
+                                  snmpd_account_username_length) }}'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_account_agent_password [[[
+#
+# Randomly generated, global SNMPv3 password of agent account, read-only.
+snmpd_account_agent_password: '{{ lookup("password", secret +
+                                  "/snmp/credentials/agent/password chars=ascii_letters,digits,hexdigits length=" +
+                                  snmpd_account_password_length) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of other Ansible roles [[[
+# ----------------------------------------
+
+# .. envvar:: snmpd_ferm_dependent_rules [[[
+#
+# Configuration for ``debops.ferm`` role.
+snmpd_ferm_dependent_rules:
+
+  - type: 'accept'
+    protocol: [ 'udp' ]
+    dport: [ 'snmp' ]
+    saddr: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
+    role: 'snmpd'
+
+                                                                   # ]]]
+# .. envvar:: snmpd_tcpwrappers_dependent_allow [[[
+#
+# Configuration for ``debops.tcpwrappers`` role.
+snmpd_tcpwrappers_dependent_allow:
+
+  - daemon: 'snmpd'
+    client: '{{ snmpd_allow + snmpd_group_allow + snmpd_host_allow + snmpd_local_allow }}'
+    weight: '50'
+    filename: 'snmpd_dependency_allow'
+    comment: 'Allow remote connections to SNMP daemon'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/snmpd/files/etc/systemd/system/snmpd.service b/ansible_collections/debops/debops/roles/snmpd/files/etc/systemd/system/snmpd.service
new file mode 100644
index 00000000..63e14f23
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/files/etc/systemd/system/snmpd.service
@@ -0,0 +1,29 @@
+# snmpd.service unit file
+# Copyright (C) Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# This unit file fixes issues with snmpd service running inside LXC containers
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727105
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718702
+
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Daemon
+Documentation=man:snmpd(8)
+Documentation=man:snmpcmd(1)
+After=network.target
+StartLimitIntervalSec=500
+StartLimitBurst=5
+
+[Service]
+Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf"
+EnvironmentFile=-/etc/default/snmpd
+PIDFile=/run/snmpd.pid
+TimeoutStartSec=0
+ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=lldpd.service
diff --git a/ansible_collections/debops/debops/roles/snmpd/files/usr/local/lib/snmpd/os-release b/ansible_collections/debops/debops/roles/snmpd/files/usr/local/lib/snmpd/os-release
new file mode 100755
index 00000000..a8606ded
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/files/usr/local/lib/snmpd/os-release
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Detect installed operating system release
+
+if [ -r /etc/os-release ] ; then
+  # shellcheck disable=SC1091
+  . /etc/os-release
+
+  echo "${PRETTY_NAME}"
+fi
diff --git a/ansible_collections/debops/debops/roles/snmpd/meta/main.yml b/ansible_collections/debops/debops/roles/snmpd/meta/main.yml
new file mode 100644
index 00000000..c0b1d84a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure SNMP service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - snmp
+    - networking
+    - monitoring
diff --git a/ansible_collections/debops/debops/roles/snmpd/tasks/configure_snmpv3_credentials.yml b/ansible_collections/debops/debops/roles/snmpd/tasks/configure_snmpv3_credentials.yml
new file mode 100644
index 00000000..f2a4acbf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/tasks/configure_snmpv3_credentials.yml
@@ -0,0 +1,64 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Stop snmpd before admin account initialization
+  ansible.builtin.service:
+    name: 'snmpd'
+    state: 'stopped'
+
+- name: Prepare admin account
+  ansible.builtin.lineinfile:
+    dest: '/var/lib/snmp/snmpd.conf'
+    regexp: '^createUser {{ snmpd_fact_account_admin_username }}'
+    line: 'createUser {{ snmpd_fact_account_admin_username }} SHA "{{ snmpd_fact_account_admin_password }}" AES'
+    state: 'present'
+    mode: '0600'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Start snmpd to initialize admin account
+  ansible.builtin.service:
+    name: 'snmpd'
+    state: 'started'
+
+- name: Create read-only agent account
+  ansible.builtin.command: snmpusm -u {{ snmpd_fact_account_admin_username }} -l authPriv -a SHA -x AES
+           -A "{{ snmpd_fact_account_admin_password }}"
+           -X "{{ snmpd_fact_account_admin_password }}" localhost
+           create {{ snmpd_fact_account_agent_username }} {{ snmpd_fact_account_admin_username }}
+  changed_when: False
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Change agent account password
+  ansible.builtin.command: snmpusm -u {{ snmpd_fact_account_admin_username }} -l authPriv -a SHA -x AES
+           -A "{{ snmpd_fact_account_admin_password }}"
+           -X "{{ snmpd_fact_account_admin_password }}" localhost
+           passwd "{{ snmpd_fact_account_admin_password }}" "{{ snmpd_fact_account_agent_password }}"
+           {{ snmpd_fact_account_agent_username }}
+  changed_when: False
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Create read-only local account
+  ansible.builtin.command: snmpusm -u {{ snmpd_fact_account_admin_username }} -l authPriv -a SHA -x AES
+           -A "{{ snmpd_fact_account_admin_password }}"
+           -X "{{ snmpd_fact_account_admin_password }}" localhost
+           create {{ snmpd_account_local_username }} {{ snmpd_fact_account_admin_username }}
+  changed_when: False
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Change local account password
+  ansible.builtin.command: snmpusm -u {{ snmpd_fact_account_admin_username }} -l authPriv -a SHA -x AES
+           -A "{{ snmpd_fact_account_admin_password }}"
+           -X "{{ snmpd_fact_account_admin_password }}" localhost
+           passwd "{{ snmpd_fact_account_admin_password }}" "{{ snmpd_account_local_password }}"
+           {{ snmpd_account_local_username }}
+  changed_when: False
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove admin account from snmpd.conf
+  ansible.builtin.lineinfile:
+    dest: '/etc/snmp/snmpd.conf'
+    regexp: '^rwuser\s+{{ snmpd_fact_account_admin_username }}\s+priv'
+    state: 'absent'
+  no_log: '{{ debops__no_log | d(True) }}'
diff --git a/ansible_collections/debops/debops/roles/snmpd/tasks/main.yml b/ansible_collections/debops/debops/roles/snmpd/tasks/main.yml
new file mode 100644
index 00000000..26d8cde5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/tasks/main.yml
@@ -0,0 +1,170 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check if snmpd is installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.command: dpkg-query -W -f='${Version}\n' snmpd
+  register: snmpd_register_version
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (["snmp", "snmpd"]
+                              + (["snmp-mibs-downloader"]
+                                 if snmpd_download_mibs
+                                 else [])
+                              + (["lm-sensors"]
+                                 if (ansible_virtualization_role is undefined or
+                                     ansible_virtualization_role not in ["guest"])
+                                 else [])
+                              + snmpd_packages)) }}'
+    state: 'present'
+  register: snmpd__register_packages
+  until: snmpd__register_packages is succeeded
+
+- name: Install custom snmpd.service unit file
+  ansible.builtin.copy:
+    src: 'etc/systemd/system/snmpd.service'
+    dest: '/etc/systemd/system/snmpd.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart snmpd' ]
+
+- name: Reload systemd daemon and enable snmpd.service
+  ansible.builtin.systemd:
+    daemon_reload: True
+    name: 'snmpd.service'
+    enabled: True
+  when: ((ansible_service_mgr == "systemd") and not ansible_local.snmpd | d())
+
+- name: Allow 'snmp' user access to /proc if needed
+  ansible.builtin.user:
+    name: '{{ snmpd_user }}'
+    groups: '{{ snmpd_proc_hidepid_group }}'
+    append: True
+    create_home: False
+  when: snmpd_proc_hidepid | bool
+  notify: [ 'Restart snmpd' ]
+
+- name: Enable MIBs support
+  ansible.builtin.lineinfile:
+    dest: '/etc/snmp/snmp.conf'
+    state: 'present'
+    regexp: 'mibs\s:'
+    line: '#mibs :'
+    mode: '0644'
+  notify: [ 'Restart snmpd' ]
+  when: snmpd_download_mibs | d() and snmpd_download_mibs
+
+- name: Divert default configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/snmp/snmpd.conf'
+  notify: [ 'Restart snmpd' ]
+
+- name: Initialize local account
+  ansible.builtin.set_fact:
+    snmpd_account_local_username: '{{ ansible_local.snmpd.username
+                                      if (ansible_local | d() and ansible_local.snmpd | d() and
+                                          ansible_local.snmpd.username)
+                                      else lookup("pipe", "openssl rand -hex "
+                                                  + (((snmpd_account_username_length | int) / 2) | int) | string) }}'
+    snmpd_account_local_password: '{{ ansible_local.snmpd.password | d(lookup("pipe", "openssl rand -base64 " + snmpd_account_password_length)) }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Configure snmpd daemon variables
+  ansible.builtin.template:
+    src: 'etc/default/snmpd.j2'
+    dest: '/etc/default/snmpd'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart snmpd' ]
+
+- name: Configure local SNMP credentials
+  ansible.builtin.template:
+    src: 'etc/snmp/snmp.local.conf.j2'
+    dest: '/etc/snmp/snmp.local.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+
+- name: Create snmpd extension script directory
+  ansible.builtin.file:
+    path: '{{ snmpd_extension_scripts }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Install snmpd extension scripts
+  ansible.builtin.copy:
+    src: 'usr/local/lib/snmpd/'
+    dest: '{{ snmpd_extension_scripts + "/" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Initialize admin and agent accounts
+  ansible.builtin.set_fact:
+    snmpd_fact_account_admin_username: '{{ snmpd_account_admin_username }}'
+    snmpd_fact_account_admin_password: '{{ snmpd_account_admin_password }}'
+    snmpd_fact_account_agent_username: '{{ snmpd_account_agent_username }}'
+    snmpd_fact_account_agent_password: '{{ snmpd_account_agent_password }}'
+  no_log: '{{ debops__no_log | d(True) }}'
+  when: snmpd_account | d() and snmpd_account
+
+- name: Configure snmpd service
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/snmp/snmpd.conf.j2") }}'
+    dest: '/etc/snmp/snmpd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify: [ 'Restart snmpd' ]
+
+- name: Configure SNMPv3 credentials
+  ansible.builtin.include_tasks: configure_snmpv3_credentials.yml
+  when: ((snmpd_register_version | d() and not snmpd_register_version.stdout) and
+         (snmpd_account | d() and snmpd_account))
+
+- name: Save local SNMPv3 password for retrieval via Ansible facts
+  ansible.builtin.template:
+    src: 'etc/snmp/ansible-local-password.json.j2'
+    dest: '/etc/snmp/ansible-local-password.json'
+    mode: '0600'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save snmpd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/snmpd.fact.j2'
+    dest: '/etc/ansible/facts.d/snmpd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/snmpd/templates/etc/ansible/facts.d/snmpd.fact.j2 b/ansible_collections/debops/debops/roles/snmpd/templates/etc/ansible/facts.d/snmpd.fact.j2
new file mode 100644
index 00000000..7efbf57a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/templates/etc/ansible/facts.d/snmpd.fact.j2
@@ -0,0 +1,34 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+password_file = '/etc/snmp/ansible-local-password.json'
+
+output = {'installed': cmd_exists('snmpd')}
+
+if os.path.exists(password_file) and os.path.isfile(password_file):
+    try:
+        with open(password_file, 'r') as f:
+            output.update(load(f))
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/snmpd/templates/etc/default/snmpd.j2 b/ansible_collections/debops/debops/roles/snmpd/templates/etc/default/snmpd.j2
new file mode 100644
index 00000000..d1851988
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/templates/etc/default/snmpd.j2
@@ -0,0 +1,38 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if ansible_distribution_release in [ 'trusty' ] %}
+# This file controls the activity of snmpd and snmptrapd
+{% else %}
+# This file controls the activity of snmpd
+{% endif %}
+
+# Don't load any MIBs by default.
+# You might comment this lines once you have the MIBs downloaded.
+{% if snmpd_download_mibs | d() and snmpd_download_mibs %}
+#export MIBS=
+{% else %}
+export MIBS=
+{% endif %}
+
+# snmpd control (yes means start daemon).
+SNMPDRUN=yes
+
+# snmpd options (use syslog, close stdin/out/err).
+SNMPDOPTS='{{ snmpd_logging_options }} -Lf /dev/null -u {{ snmpd_user }} -g {{ snmpd_group }} -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
+
+{% if ansible_distribution_release in [ 'trusty' ] %}
+# snmptrapd control (yes means start daemon).  As of net-snmp version
+# 5.0, master agentx support must be enabled in snmpd before snmptrapd
+# can be run.  See snmpd.conf(5) for how to do this.
+TRAPDRUN=no
+
+# snmptrapd options (use syslog).
+TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
+
+# create symlink on Debian legacy location to official RFC path
+SNMPDCOMPAT=yes
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/ansible-local-password.json.j2 b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/ansible-local-password.json.j2
new file mode 100644
index 00000000..f55a09fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/ansible-local-password.json.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set snmpd__tpl_username = ansible_local.snmpd.username | d(snmpd_account_local_username) %}
+{% set snmpd__tpl_password = ansible_local.snmpd.password | d(snmpd_account_local_password) %}
+{% set output = {"username": snmpd__tpl_username,
+                 "password": snmpd__tpl_password} %}
+{{ output | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmp.local.conf.j2 b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmp.local.conf.j2
new file mode 100644
index 00000000..8e874c6e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmp.local.conf.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# SNMP client configuration
+
+defVersion         v3
+
+defSecurityLevel   authPriv
+defAuthType        SHA
+defPrivType        AES
+
+defSecurityName    {{ snmpd_account_local_username }}
+defPassphrase      {{ snmpd_account_local_password }}
diff --git a/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmpd.conf.j2 b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmpd.conf.j2
new file mode 100644
index 00000000..f5f1a1fd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/snmpd/templates/etc/snmp/snmpd.conf.j2
@@ -0,0 +1,47 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+agentAddress  {{ snmpd_agent_address | join(",") }}
+
+sysName       {{ snmpd_sys_name }}
+sysLocation   {{ snmpd_sys_location }}
+sysContact    {{ snmpd_sys_contact }}
+
+sysServices   72
+
+{% if snmpd_account | d() and snmpd_account %}
+{% if snmpd_register_version | d() and not snmpd_register_version.stdout %}
+rwuser        {{ snmpd_account_admin_username }}   priv
+{% endif %}
+rouser        {{ snmpd_account_agent_username }}   priv
+rouser        {{ snmpd_account_local_username }}   priv
+
+iquerySecName {{ snmpd_account_agent_username }}
+agentSecName  {{ snmpd_account_agent_username }}
+
+{% endif %}
+master agentx
+
+{% if snmpd_load | d() and snmpd_load %}
+# CPU load average monitoring
+# ===========================
+# Profile: {{ snmpd_load_profile }}
+# {{ "%-5s = (%s * %-5s * %s" | format("1min", snmpd_load_base, snmpd_load_percent_map[snmpd_load_percent][0] + "%)", snmpd_load_weight_map[snmpd_load_weight][0]) }}
+# {{ "%-5s = (%s * %-5s * %s" | format("5min", snmpd_load_base, snmpd_load_percent_map[snmpd_load_percent][1] + "%)", snmpd_load_weight_map[snmpd_load_weight][1]) }}
+# {{ "%-5s = (%s * %-5s * %s" | format("15min", snmpd_load_base, snmpd_load_percent_map[snmpd_load_percent][2] + "%)", snmpd_load_weight_map[snmpd_load_weight][2]) }}
+
+load {{ snmpd_load_1min }} {{ snmpd_load_5min }} {{ snmpd_load_15min }}
+
+{% endif %}
+{% if snmpd_combined_custom_options | d() and snmpd_combined_custom_options %}
+{{ snmpd_combined_custom_options }}
+{% endif %}
+
+# Extension scripts
+# =================
+
+# LibreNMS - Operating System release detection
+extend .1.3.6.1.4.1.2021.7890.1 distro {{ snmpd_extension_scripts }}/os-release
diff --git a/ansible_collections/debops/debops/roles/sshd/COPYRIGHT b/ansible_collections/debops/debops/roles/sshd/COPYRIGHT
new file mode 100644
index 00000000..c00f9fda
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/COPYRIGHT
@@ -0,0 +1,21 @@
+debops.sshd - Manage OpenSSH server using Ansible
+
+Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+Copyright (C) 2014-2022 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sshd/defaults/main.yml b/ansible_collections/debops/debops/roles/sshd/defaults/main.yml
new file mode 100644
index 00000000..f3bb4092
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/defaults/main.yml
@@ -0,0 +1,1319 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2023      Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2017,2020 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2014-2023      DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sshd__ref_defaults:
+
+# debops.sshd default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# OpenSSH packages [[[
+# --------------------
+
+# .. envvar:: sshd__base_packages [[[
+#
+# List of base packages that should be installed for OpenSSH support.
+sshd__base_packages: [ 'openssh-server', 'openssh-client' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__recommended_packages [[[
+#
+# List of recommended packages that should be installed with OpenSSH.
+sshd__recommended_packages: '{{ ["openssh-blacklist", "openssh-blacklist-extra"]
+                                if (ansible_distribution_release in
+                                    ["trusty", "xenial"]) else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__optional_packages [[[
+#
+# List of optional packages that should be installed with OpenSSH.
+sshd__optional_packages: [ 'molly-guard' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_packages [[[
+#
+# List of packages related to LDAP support required by OpenSSH.
+sshd__ldap_packages: '{{ ["ldap-utils"]
+                         if (sshd__authorized_keys_lookup | bool and
+                             ("ldap" in sshd__authorized_keys_lookup_type))
+                         else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__packages [[[
+#
+# List of additional packages to install.
+sshd__packages: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__version [[[
+#
+# The version of the currently installed :command:`sshd` daemon, exposed using
+# Ansible local facts.
+sshd__version: '{{ ansible_local.sshd.version | d("0.0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Host whitelists and allow lists [[[
+# -----------------------------------
+
+# .. envvar:: sshd__whitelist [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# SSH without any restrictions. This list does not disallow connections from
+# other hosts. This is a global list.
+sshd__whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__group_whitelist [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# SSH without any restrictions. This list does not disallow connections from
+# other hosts. This is a group-based list.
+sshd__group_whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__host_whitelist [[[
+#
+# List of IP addresses or CIDR subnets which should be allowed to connect to
+# SSH without any restrictions. This list does not disallow connections from
+# other hosts. This is a host-based list.
+sshd__host_whitelist: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__allow [[[
+#
+# List of IP addresses or CIDR subnets that should be allowed to access SSH
+# service. If it's set, access from hosts and networks not specified here is
+# denied in TCP Wrappers and limited in :command:`iptables`. This is a global list.
+sshd__allow: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__group_allow [[[
+#
+# List of IP addresses or CIDR subnets that should be allowed to access SSH
+# service. If it's set, access from hosts and networks not specified here is
+# denied in TCP Wrappers and limited in :command:`iptables`. This is a group list.
+sshd__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__host_allow [[[
+#
+# List of IP addresses or CIDR subnets that should be allowed to access SSH
+# service. If it's set, access from hosts and networks not specified here is
+# denied in TCP Wrappers and limited in :command:`iptables`. This is a host list.
+sshd__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# TCP Wrappers configuration [[[
+# ------------------------------
+
+# .. envvar:: sshd__tcpwrappers_default [[[
+#
+# If list of allowed hosts is not specified, this value will be set in TCP
+# Wrappers for ``sshd`` service. By default any host is allowed to connect.
+sshd__tcpwrappers_default: 'ALL'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall (ferm) configuration [[[
+# ---------------------------------
+
+# .. envvar:: sshd__ferm_weight [[[
+#
+# Specify the "weight" of the ``sshd`` firewall rules. The more weight they
+# have, the later in the firewall they will be defined. If you change the
+# default weight, you will need to remove the old rules manually from the remote
+# host.
+sshd__ferm_weight: '30'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_limit [[[
+#
+# Enable or disable limited SSH access from all hosts in :command:`ip(6)tables`.
+# Recent new connections are filtered and when too many new connections are
+# created in specified time window, the host is added to the recent blocklist.
+sshd__ferm_limit: True
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_limit_seconds [[[
+#
+# Length of the time window used by firewall to catch new offenders,
+# by default 5 minutes.
+sshd__ferm_limit_seconds: '{{ (60 * 5) }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_limit_hits [[[
+#
+# How many new connections to allow in specified time window.
+sshd__ferm_limit_hits: '8'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_limit_chain [[[
+#
+# Name of the iptables chain used for filtering SSH connections.
+sshd__ferm_limit_chain: 'filter-ssh'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_limit_target [[[
+#
+# Specify what happens with packets filtered by the firewall that are above the
+# specified limit. Either ``REJECT``, ``DROP`` or name of :command:`iptables` chain
+# where packets will be sent through.
+sshd__ferm_limit_target: 'REJECT'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_ports [[[
+#
+# List of TCP ports to open in the firewall for SSH connections. You can use
+# port numbers or service names from :file:`/etc/services`.
+# If you use socket activation, remember to define firewall ports separately.
+sshd__ferm_ports: '{{ sshd__ports
+                      if ((ansible_local.sshd.socket_activation | d("disabled")) == "disabled")
+                      else ["22"] }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ferm_interface [[[
+#
+# List of interfaces to open in the firewall for SSH connections.
+# Consider settings this to ``{{ [ ansible_default_ipv4.interface ] }}``
+# for example if the host has multiple network interfaces like when it is
+# running a VPN.
+sshd__ferm_interface: []
+                                                                   # ]]]
+                                                                   # ]]]
+# OpenSSH server configuration [[[
+# --------------------------------
+
+# .. envvar:: sshd__ports [[[
+#
+# List of ports which ``sshd`` will listen on. Make sure that the ``22`` TCP
+# port is included if you want to change this list. When :command:`systemd`
+# socket activation is enabled, you can define here listen streams using the
+# :man:`systemd.socket(5)` configuration syntax.
+#
+# With socket activation enabled, you might need to open access to the
+# additional TCP ports in the firewall separately, using the
+# :envvar:`sshd__ferm_ports` variable.
+sshd__ports: [ '22' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__host_keys [[[
+#
+# List of SSH host keys that should be enabled, in order of preference.
+sshd__host_keys: [ 'ed25519', 'rsa', 'ecdsa' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__trusted_user_ca_keys [[[
+#
+# List of CA public keys used to assemble a TrustedUserCAKeys file.
+sshd__trusted_user_ca_keys: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__trusted_user_ca_keys_file [[[
+#
+# File name which will contain CA trusted keys
+sshd__trusted_user_ca_keys_file: '/etc/ssh/trusted-user-ca-keys.pem'
+
+                                                                   # ]]]
+# .. envvar:: sshd__scan_for_host_certs [[[
+#
+# Detect, and add, any host certificates found in /etc/ssh/ that match
+# ssh_host_*_key-cert.pub, as long as the key type matches what's in
+# `sshd__host_keys`
+sshd__scan_for_host_certs: False
+                                                                   # ]]]
+                                                                   # ]]]
+# SSH daemon configuration file [[[
+# ---------------------------------
+
+# These variables define the contents of the :file:`/etc/ssh/sshd_config`
+# configuration file. See :ref:`sshd__ref_configuration` for more details.
+
+# .. envvar:: sshd__original_configuration [[[
+#
+# List of SSH daemon configuration options defined by default by the Debian
+# package on installation. You can find the original configuration in the
+# :file:`/usr/share/openssh/sshd_config` file.
+sshd__original_configuration:
+
+  - name: 'Include_sshd_config.d'
+    option: 'Include'
+    value: '/etc/ssh/sshd_config.d/*.conf'
+    state: '{{ "absent" if ansible_distribution_release in ["stretch", "buster"] else "present" }}'
+
+  - name: 'Port'
+    value: 22
+    state: 'init'
+    separator: True
+
+  - name: 'AddressFamily'
+    value: 'any'
+    state: 'init'
+
+  - name: 'ListenAddress_ipv4'
+    option: 'ListenAddress'
+    value: '0.0.0.0'
+    state: 'init'
+
+  - name: 'ListenAddress_ipv6'
+    option: 'ListenAddress'
+    value: '::'
+    state: 'init'
+
+    # Define host keys in one entry, so that it can be easily regenerated later
+  - name: 'HostKey'
+    raw: |
+      HostKey /etc/ssh/ssh_host_rsa_key
+      HostKey /etc/ssh/ssh_host_ecdsa_key
+      HostKey /etc/ssh/ssh_host_ed25519_key
+    state: 'init'
+    separator: True
+
+  - name: 'RekeyLimit'
+    comment: 'Ciphers and keyring'
+    value: 'default none'
+    state: 'init'
+
+  - name: 'SyslogFacility'
+    comment: 'Logging'
+    value: 'AUTH'
+    state: 'init'
+
+  - name: 'LogLevel'
+    value: 'INFO'
+    state: 'init'
+
+  - name: 'LoginGraceTime'
+    comment: 'Authentication'
+    value: '2m'
+    state: 'init'
+
+  - name: 'PermitRootLogin'
+    value: 'prohibit-password'
+    state: 'init'
+
+  - name: 'StrictModes'
+    value: True
+    state: 'init'
+
+  - name: 'MaxAuthTries'
+    value: 6
+    state: 'init'
+
+  - name: 'MaxSessions'
+    value: 10
+    state: 'init'
+
+  - name: 'PubkeyAuthentication'
+    value: True
+    state: 'init'
+    separator: True
+
+  - name: 'AuthorizedKeysFile'
+    comment: 'Expect .ssh/authorized_keys2 to be disregarded by default in future.'
+    value:
+      - '.ssh/authorized_keys'
+      - '.ssh/authorized_keys2'
+    state: 'init'
+
+  - name: 'AuthorizedPrincipalsFile'
+    value: 'none'
+    state: 'init'
+    separator: True
+
+  - name: 'AuthorizedKeysCommand'
+    value: 'none'
+    state: 'init'
+    separator: True
+
+  - name: 'AuthorizedKeysCommandUser'
+    value: 'nobody'
+    state: 'init'
+
+  - name: 'HostbasedAuthentication'
+    comment: 'For this to work you will also need host keys in /etc/ssh/ssh_known_hosts'
+    value: False
+    state: 'init'
+
+  - name: 'IgnoreUserKnownHosts'
+    comment: |
+      Change to yes if you don't trust ~/.ssh/known_hosts for
+      HostbasedAuthentication
+    value: False
+    state: 'init'
+
+  - name: 'IgnoreRhosts'
+    comment: "Don't read the user's ~/.rhosts and ~/.shosts files"
+    value: True
+    state: 'init'
+
+  - name: 'PasswordAuthentication'
+    comment: 'To disable tunneled clear text passwords, change to no here!'
+    value: True
+    state: 'init'
+
+  - name: 'ChallengeResponseAuthentication'
+    comment: |
+      Change to yes to enable challenge-response passwords (beware issues with
+      some PAM modules and threads). From openssh-server version 8.7, this option
+      is deprecated and is an alias of KbdInteractiveAuthentication.
+    value: False
+    state: 'init'
+
+  - name: 'KbdInteractiveAuthentication'
+    comment: |
+      Change to yes to enable challenge-response passwords (beware issues with
+      some PAM modules and threads)
+    value: False
+    state: 'init'
+
+  - name: 'PermitEmptyPasswords'
+    value: False
+    state: 'init'
+
+  - name: 'KerberosAuthentication'
+    comment: 'Kerberos options'
+    value: False
+    state: 'init'
+
+  - name: 'KerberosOrLocalPasswd'
+    value: True
+    state: 'init'
+
+  - name: 'KerberosTicketCleanup'
+    value: True
+    state: 'init'
+
+  - name: 'KerberosGetAFSToken'
+    value: False
+    state: 'init'
+
+  - name: 'GSSAPIAuthentication'
+    comment: 'GSSAPI options'
+    value: False
+    state: 'init'
+
+  - name: 'GSSAPICleanupCredentials'
+    value: True
+    state: 'init'
+
+  - name: 'GSSAPIStrictAcceptorCheck'
+    value: True
+    state: 'init'
+
+  - name: 'GSSAPIKeyExchange'
+    value: False
+    state: 'init'
+
+  - name: 'UsePAM'
+    comment: |
+      Set this to 'yes' to enable PAM authentication, account processing,
+      and session processing. If this is enabled, PAM authentication will
+      be allowed through the ChallengeResponseAuthentication and
+      PasswordAuthentication.  Depending on your PAM configuration,
+      PAM authentication via ChallengeResponseAuthentication may bypass
+      the setting of "PermitRootLogin without-password".
+      If you just want the PAM account and session checks to run without
+      PAM authentication, then enable this but set PasswordAuthentication
+      and ChallengeResponseAuthentication to 'no'.
+    value: True
+
+  - name: 'AllowAgentForwarding'
+    value: True
+    state: 'init'
+    separator: True
+
+  - name: 'AllowTcpForwarding'
+    value: True
+    state: 'init'
+
+  - name: 'GatewayPorts'
+    value: False
+    state: 'init'
+
+  - name: 'X11Forwarding'
+    value: True
+
+  - name: 'X11DisplayOffset'
+    value: 10
+    state: 'init'
+
+  - name: 'X11UseLocalhost'
+    value: True
+    state: 'init'
+
+  - name: 'PermitTTY'
+    value: True
+    state: 'init'
+
+  - name: 'PrintMotd'
+    value: False
+
+  - name: 'PrintLastLog'
+    value: True
+    state: 'init'
+
+  - name: 'TCPKeepAlive'
+    value: True
+    state: 'init'
+
+  - name: 'PermitUserEnvironment'
+    value: False
+    state: 'init'
+
+  - name: 'Compression'
+    value: 'delayed'
+    state: 'init'
+
+  - name: 'ClientAliveInterval'
+    value: 0
+    state: 'init'
+
+  - name: 'ClientAliveCountMax'
+    value: 3
+    state: 'init'
+
+  - name: 'UseDNS'
+    value: False
+    state: 'init'
+
+  - name: 'PidFile'
+    value: '/var/run/sshd.pid'
+    state: 'init'
+
+  - name: 'MaxStartups'
+    value: '10:30:100'
+    state: 'init'
+
+  - name: 'PermitTunnel'
+    value: False
+    state: 'init'
+
+  - name: 'ChrootDirectory'
+    value: 'none'
+    state: 'init'
+
+  - name: 'VersionAddendum'
+    value: 'none'
+    state: 'init'
+
+  - name: 'Banner'
+    comment: 'no default banner path'
+    value: 'none'
+    state: 'init'
+
+  - name: 'AcceptEnv'
+    comment: 'Allow client to pass locale environment variables'
+    value:
+      - 'LANG'
+      - 'LC_*'
+
+  - name: 'Subsystem_sftp'
+    option: 'Subsystem'
+    comment: 'override default of no subsystems'
+    value: 'sftp   /usr/lib/openssh/sftp-server'
+
+  - name: 'Match_user_anoncvs'
+    option: 'Match'
+    comment: 'Example of overriding settings on a per-user basis'
+    value:
+      - 'User anoncvs'
+    config: |
+      X11Forwarding no
+      AllowTcpForwarding no
+      PermitTTY no
+      ForceCommand cvs server
+    state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: sshd__default_configuration [[[
+#
+# List of SSH daemon configuration options defined by default by the
+# :ref:`debops.sshd` Ansible role.
+sshd__default_configuration:
+
+  # Generate a set of "Port" configuration options based on the default list of
+  # ports to listen on. We cannot use a list as the value, because each port
+  # needs to be specified in its own "Port" entry.
+  - name: 'Port'
+    raw: |
+      {% for port in sshd__ports %}
+      {{ 'Port {}'.format(port) }}
+      {% endfor %}
+    state: '{{ "ignore"
+               if (sshd__ports | length == 1 and
+                   sshd__ports | first | string == "22")
+               else ("ignore"
+                     if ((ansible_local.sshd.socket_activation | d("disabled")) == "enabled")
+                     else "present") }}'
+
+  # Generate a set of "HostKey" configuration options based on the list of
+  # "allowed" host keys. We cannot use a list as the value, because each host
+  # key needs to be specified in its own "HostKey" entry.
+  - name: 'HostKey'
+    raw: |
+      {% for hostkey in sshd__host_keys %}
+      {% if ('ssh_host_' + hostkey + '_key') in sshd__register_host_keys.stdout_lines %}
+      {{ 'HostKey /etc/ssh/ssh_host_{}_key'.format(hostkey) }}
+      {% endif %}
+      {% endfor %}
+    state: 'present'
+
+  # Generate a list of host certificates detected on the host.
+  - name: 'HostCertificate'
+    raw: |
+      {% if (sshd__register_host_certs is defined and
+                   "stdout_lines" in sshd__register_host_certs) %}
+      {% for cert in sshd__register_host_certs.stdout_lines %}
+      {% set sshd__key_matching_cert = cert | regex_replace('-cert', '') %}
+      {% set sshd__key_matching_host_keys = sshd__key_matching_cert | regex_replace('ssh_host_(\w+)_key', '\\1') %}
+      {% if sshd__key_matching_cert in sshd__register_host_keys.stdout_lines and sshd__key_matching_host_keys in sshd__host_keys %}
+      {{ 'HostCertificate /etc/ssh/{}.pub'.format(cert) }}
+      {% endif %}
+      {% endfor %}
+      {% endif %}
+    state: '{{ "present"
+               if (sshd__register_host_certs is defined and
+                   "stdout_lines" in sshd__register_host_certs)
+               else "ignore" }}'
+    copy_id_from: 'HostKey'
+
+  # Add support for authorized keys managed by the
+  # "debops.authorized_keys" Ansible role.
+  - name: 'AuthorizedKeysFile'
+    value:
+      - name: '/etc/ssh/authorized_keys/%u'
+        weight: -100
+    state: 'present'
+
+  # If trusted CA keys are defined in the Ansible inventory, include them in
+  # the configuration file as well.
+  - name: 'TrustedUserCAKeys'
+    value: '{{ sshd__trusted_user_ca_keys_file }}'
+    state: '{{ "present"
+               if (sshd__trusted_user_ca_keys | d() | length > 0)
+               else "ignore" }}'
+    copy_id_from: 'AuthorizedKeysFile'
+
+  # Default "Match" conditional block which defines configuration for SFTPonly
+  # accounts. The 'stfponly' UNIX system group is created by the
+  # 'debops.system_groups' Ansible role.
+  - name: 'Match_group_sftponly'
+    option: 'Match'
+    comment: 'Support for strict SFTP UNIX accounts'
+    value: 'Group sftponly'
+    config: |
+      AuthorizedKeysFile /etc/ssh/authorized_keys/%u
+      ChrootDirectory %h
+      X11Forwarding no
+      AllowAgentForwarding no
+      AllowTcpForwarding no
+      PermitTunnel no
+      ForceCommand internal-sftp
+    state: 'present'
+    separator: True
+
+  # Specify if access to "root" UNIX account should be granted. By default, if
+  # the 'debops.root_account' role has been applied on the host, the "root"
+  # UNIX account can be accessed only using SSH public keys, since the role is
+  # expected to set them up. Otherwise, access via password is allowed.
+  # Alternatively, configured sysadmin accounts via the 'debops.system_users'
+  # role disable password-based access.
+  - name: 'PermitRootLogin'
+    value: '{{ "prohibit-password"
+               if (ansible_local.root_account.ssh_authorized_keys | d() | bool or
+                   ansible_local.system_users.configured | d() | bool)
+               else True }}'
+    state: 'present'
+
+  # Enable or disable password authentication. This option will be enabled if
+  # the 'root' account does not have SSH authorized keys present, to allow the
+  # 'root' account to login to the host. Alternatively, sysadmin access
+  # configured by the 'debops.system_users' role disables password
+  # authentication.
+  - name: 'PasswordAuthentication'
+    value: '{{ False
+               if (ansible_local.root_account.ssh_authorized_keys | d() | bool or
+                   ansible_local.system_users.configured | d() | bool)
+               else True }}'
+    state: 'present'
+
+  # Disable ChallengeResponseAuthentication by default. Otherwise, setting
+  # PasswordAuthentication to False is not enough to force authentication
+  # by public key. From openssh-server 8.7, ChallengeResponseAuthentication
+  # is deprecated and is an alias for KbdInteractiveAuthentication.
+  - name: 'ChallengeResponseAuthentication'
+    value: False
+    state: 'present'
+
+  # Disable KbdInteractiveAuthentication (new name of the deprecated
+  # ChallengeResponseAuthentication) by default. Otherwise, setting
+  # PasswordAuthentication to False is not enough to force authentication
+  # by public key.
+  - name: 'KbdInteractiveAuthentication'
+    value: False
+    state: 'present'
+
+  # Enable support for client hostname lookups by the SSH service. This is
+  # required if access control based on hostnames is used in the SSH server
+  # configuration, authorized keys or PAM access rules.
+  - name: 'UseDNS'
+    value: True
+    state: 'present'
+
+  - name: 'Ciphers'
+    comment: 'List of ciphers which are allowed for connections'
+    raw: |
+      {% set sshd__tpl_ciphers_max_version = sshd__ciphers_map.keys() | select('version_compare', sshd__version, '<=') | max %}
+      {% set sshd__tpl_ciphers = sshd__ciphers_map[sshd__tpl_ciphers_max_version] %}
+      {% set sshd__tpl_ciphers = (sshd__tpl_ciphers + sshd__ciphers_additional) | unique %}
+      {% if sshd__tpl_ciphers and sshd__paranoid | bool %}
+      {{ 'Ciphers {}'.format(([sshd__tpl_ciphers | first] + sshd__ciphers_additional) | unique | join(",")) }}
+      {% elif sshd__tpl_ciphers %}
+      {{ 'Ciphers {}'.format(sshd__tpl_ciphers | join(",")) }}
+      {% endif %}
+    state: 'present'
+    copy_id_from: 'RekeyLimit'
+
+  - name: 'KexAlgorithms'
+    comment: 'List of allowed key exchange algorithms'
+    raw: |
+      {% set sshd__tpl_kex_algorithms_max_version = sshd__kex_algorithms_map.keys() | select('version_compare', sshd__version, '<=') | max %}
+      {% set sshd__tpl_kex_algorithms = sshd__kex_algorithms_map[sshd__tpl_kex_algorithms_max_version] %}
+      {% set sshd__tpl_kex_algorithms = (sshd__tpl_kex_algorithms + sshd__kex_algorithms_additional) | unique %}
+      {% if sshd__tpl_kex_algorithms and sshd__paranoid | bool %}
+      {{ 'KexAlgorithms {}'.format(([sshd__tpl_kex_algorithms | first] + sshd__kex_algorithms_additional) | unique | join(",")) }}
+      {% elif sshd__tpl_kex_algorithms %}
+      {{ 'KexAlgorithms {}'.format(sshd__tpl_kex_algorithms | join(",")) }}
+      {% endif %}
+    state: 'present'
+    copy_id_from: 'RekeyLimit'
+
+  - name: 'MACs'
+    comment: 'List of allowed Message Authentication Code algorithms'
+    raw: |
+      {% set sshd__tpl_macs_max_version = sshd__macs_map.keys() | select('version_compare', sshd__version, '<=') | max %}
+      {% set sshd__tpl_macs = sshd__macs_map[sshd__tpl_macs_max_version] %}
+      {% set sshd__tpl_macs = (sshd__tpl_macs + sshd__macs_additional) | unique %}
+      {% if sshd__tpl_macs and sshd__paranoid | bool %}
+      {{ 'MACs {}'.format(([sshd__tpl_macs | first] + sshd__macs_additional) | unique | join(",")) }}
+      {% elif sshd__tpl_macs %}
+      {{ 'MACs {}'.format(sshd__tpl_macs | join(",")) }}
+      {% endif %}
+    state: 'present'
+    copy_id_from: 'RekeyLimit'
+
+    # Privilege Separation is default for sshd v7.5+
+  - name: 'UsePrivilegeSeparation'
+    comment: 'Privilege Separation is turned on for security'
+    value: 'sandbox'
+    state: '{{ "present" if (sshd__version is version("7.5", "<")) else "ignore" }}'
+    copy_id_from: 'RekeyLimit'
+
+  - name: 'KeyRegenerationInterval'
+    comment: 'Lifetime and size of ephemeral version 1 server key'
+    value: 3600
+    state: '{{ "present" if (sshd__version is version("7.4", "<")) else "ignore" }}'
+    copy_id_from: 'RekeyLimit'
+
+  - name: 'ServerKeyBits'
+    value: 1024
+    state: '{{ "present" if (sshd__version is version("7.4", "<")) else "ignore" }}'
+    copy_id_from: 'RekeyLimit'
+
+  - name: 'AuthorizedKeysCommand'
+    value: '/etc/ssh/authorized_keys_lookup'
+    state: '{{ "present"
+               if (sshd__authorized_keys_lookup | bool and
+                   sshd__version is version("6.2", ">="))
+               else "ignore" }}'
+
+  - name: 'AuthorizedKeysCommandUser'
+    value: '{{ sshd__authorized_keys_lookup_user }}'
+    state: '{{ "present"
+               if (sshd__authorized_keys_lookup | bool and
+                   sshd__version is version("6.2", ">="))
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__configuration [[[
+#
+# List of SSH daemon configuration options which should be defined on all hosts
+# in the Ansible inventory.
+sshd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__group_configuration [[[
+#
+# List of SSH daemon configuration options which should be defined on hosts in
+# a specific Ansible inventory group.
+sshd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__host_configuration [[[
+#
+# List of SSH daemon configuration options which should be defined on specific
+# hosts in the Ansible inventory.
+sshd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__combined_configuration [[[
+#
+# Variable which combines all of the SSH daemon configuration lists and is used
+# in role tasks and templates.
+sshd__combined_configuration: '{{ sshd__original_configuration
+                                  + sshd__default_configuration
+                                  + sshd__configuration
+                                  + sshd__group_configuration
+                                  + sshd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System-wide host fingerprints [[[
+# ---------------------------------
+
+# .. envvar:: sshd__known_hosts [[[
+#
+# List of FQDN hostnames that should be scanned to add host fingerprints to the
+# system-wide known hosts file (global).
+sshd__known_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__group_known_hosts [[[
+#
+# List of FQDN hostnames that should be scanned to add host fingerprints to the
+# system-wide known hosts file (host group).
+sshd__group_known_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__host_known_hosts [[[
+#
+# List of FQDN hostnames that should be scanned to add host fingerprints to the
+# system-wide known hosts file (host).
+sshd__host_known_hosts: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__known_hosts_file [[[
+#
+# System-wide file where host fingerprints are stored.
+sshd__known_hosts_file: '/etc/ssh/ssh_known_hosts'
+
+                                                                   # ]]]
+# .. envvar:: sshd__known_hosts_command [[[
+#
+# Command used to scan host fingerprints into system-wide known hosts file.
+sshd__known_hosts_command: 'ssh-keyscan -H -T 10'
+                                                                   # ]]]
+                                                                   # ]]]
+# Encryption parameters [[[
+# -------------------------
+
+# .. envvar:: sshd__ciphers_map [[[
+#
+# Dict with list of ciphers which should be used by the ``sshd`` server,
+# depending on available version, ordered from strongest to weakest. Newer version
+# supersedes older version.
+sshd__ciphers_map:
+
+  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
+  '6.5': [ 'chacha20-poly1305@openssh.com', 'aes256-gcm@openssh.com',
+           'aes128-gcm@openssh.com', 'aes256-ctr', 'aes192-ctr',
+           'aes128-ctr' ]
+
+  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
+  '6.0': [ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__ciphers_additional [[[
+#
+# List of additional key exchange algorithms which should be used by the
+# ``sshd`` server, depending on available version, depending on available
+# version, ordered from stronger to weaker. Newer version supersedes older
+# version.
+sshd__ciphers_additional: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__kex_algorithms_map [[[
+#
+# Dict with list of key exchange algorithms which should be used by the
+# ``sshd`` server, depending on available version, ordered from strongest to
+# oldest. Newer version supersedes older version.
+sshd__kex_algorithms_map:
+
+  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
+  '6.5': [ 'curve25519-sha256@libssh.org', 'ecdh-sha2-nistp521',
+           'ecdh-sha2-nistp384', 'ecdh-sha2-nistp256',
+           'diffie-hellman-group-exchange-sha256' ]
+
+  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
+  '6.0': [ 'diffie-hellman-group-exchange-sha256' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__kex_algorithms_additional [[[
+#
+# List of additional key exchange algorithms which should be used by the
+# ``sshd`` server, depending on available version, depending on available
+# version, ordered from stronger to weaker. Newer version supersedes older
+# version.
+sshd__kex_algorithms_additional: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__macs_map [[[
+#
+# Dict with list of message authentication code algorithms which should be used
+# by the ``sshd`` server, depending on available version, ordered from stronger
+# to weaker. Newer version supersedes older version.
+sshd__macs_map:
+
+  # Source: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
+  '6.5': [ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com',
+           'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256',
+           'umac-128@openssh.com' ]
+
+  # Source: https://xivilization.net/~marek/blog/2015/01/12/secure-secure-shell-on-debian-wheezy/
+  '6.0': [ 'hmac-sha2-512', 'hmac-sha2-256', 'hmac-ripemd160' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__macs_additional [[[
+#
+# List of additional message authentication code algorithms to support
+# by the ``sshd`` server, depending on available version, ordered from stronger
+# to weaker. Newer version supersedes older version.
+sshd__macs_additional: []
+
+                                                                   # ]]]
+# .. envvar:: sshd__moduli_minimum [[[
+#
+# Specify minimum size of Diffie-Hellman parameters available to the SSH
+# server. Parameters smaller than the given amount will be removed from the
+# :file:`/etc/ssh/moduli` file.
+sshd__moduli_minimum: '2048'
+
+                                                                   # ]]]
+# .. envvar:: sshd__paranoid [[[
+#
+# If set to True, only the first item (which is considered the strongest method
+# available) from the lists :envvar:`sshd__ciphers_map`,
+# :envvar:`sshd__kex_algorithms_map` and :envvar:`sshd__macs_map` will be configured for
+# ``sshd``. Use this with care as it will deny access to anyone not able to use
+# the first cryptographic method.
+# See https://github.com/debops/ansible-sshd/issues/20
+sshd__paranoid: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Authorized key lookup configuration [[[
+# ---------------------------------------
+
+# .. envvar:: sshd__authorized_keys_lookup [[[
+#
+# Enable support for looking up authorized public keys in external data sources
+# (currently LDAP is supported). This function works only with OpenSSH 6.2+.
+sshd__authorized_keys_lookup: '{{ ansible_local.ldap.posix_enabled | d() | bool }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__authorized_keys_lookup_user [[[
+#
+# Name of the UNIX account which will be used to look up authorized keys.
+sshd__authorized_keys_lookup_user: 'sshd'
+
+                                                                   # ]]]
+# .. envvar:: sshd__authorized_keys_lookup_type [[[
+#
+# List of lookup scripts that should be enabled on a host.
+sshd__authorized_keys_lookup_type: [ 'ldap', 'sss' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP lookup configuration [[[
+# -----------------------------
+
+# .. envvar:: sshd__ldap_enabled [[[
+#
+# Enable or disable integration with the LDAP directory. The integration is
+# enabled automatically when the :ref:`debops.ldap` environment is configured
+# on the host.
+sshd__ldap_enabled: '{{ ansible_local.ldap.enabled
+                        if (ansible_local | d() and ansible_local.ldap | d() and
+                            ansible_local.ldap.enabled is defined)
+                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_base_dn [[[
+#
+# The base LDAP Distinguished Name used for SSH public key lookups.
+sshd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_device_dn [[[
+#
+# The Distinguished Name of the device LDAP object that represents current
+# host. It will be used as a base DN for the ``sshd`` LDAP account object.
+sshd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_device_object_classes [[[
+#
+# List of additional LDAP Object Classes to add to the device LDAP object.
+sshd__ldap_device_object_classes: [ 'ldapPublicKey' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_device_attributes [[[
+#
+# YAML dictionary with additional LDAP attributes which will be added to the
+# device LDAP object.
+sshd__ldap_device_attributes:
+  sshPublicKey: '{{ sshd__env_register_host_public_keys.stdout_lines }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the ``sshd`` LDAP account object.
+sshd__ldap_self_rdn: 'uid={{ sshd__authorized_keys_lookup_user }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_self_object_classes [[[
+#
+# The LDAP Object Classes used to create the ``sshd`` LDAP account object.
+sshd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_self_attributes [[[
+#
+# YAML dictionary that contains the attributes of the ``sshd`` LDAP account
+# object.
+sshd__ldap_self_attributes:
+  uid: '{{ sshd__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ sshd__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "sshd" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_binddn [[[
+#
+# The Distinguished Name of the ``sshd`` LDAP account object used to
+# authenticate to the LDAP directory, defined as a string.
+sshd__ldap_binddn: '{{ ([sshd__ldap_self_rdn] + sshd__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_bindpw [[[
+#
+# The password defined in the ``sshd`` LDAP account object used to authenticate
+# to the LDAP directory.
+sshd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                               + sshd__ldap_binddn | to_uuid + ".password length=32"))
+                       if sshd__ldap_enabled | bool
+                       else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_filter [[[
+#
+# Active ``ldapsearch`` filter used to select correct account while looking up
+# the SSH public key.
+sshd__ldap_filter: '{{ sshd__ldap_filter_map["service+host"] }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_posix_urns [[[
+#
+# List of LDAP search filters which are derived from URN-like patterns defined
+# for a given host in the :ref:`debops.ldap` role.
+# See :ref:`ldap__ref_ldap_access_host` for more details.
+sshd__ldap_posix_urns: '{{ ansible_local.ldap.urn_patterns | d([])
+                           | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
+                           | list }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap_filter_map [[[
+#
+# Dict with set of available LDAP filters that can be used to lookup the SSH
+# public key.
+sshd__ldap_filter_map:
+
+  # User account needs 'authorizedService' attribute
+  'service': '(&
+                (objectClass=posixAccount)
+                (uid=$username)
+                (|
+                  (authorizedService=all)
+                  (authorizedService=$service)
+                  (authorizedService=shell)
+                )
+              )'
+
+  # User account needs 'host' attribute
+  'host': '(&
+             (objectClass=posixAccount)
+             (uid=$username)
+             (|
+               (host=posix:all)
+               (host=posix:$fqdn)
+               (host=posix:\2a.$domain)
+               {{ sshd__ldap_posix_urns | join(" ") }}
+             )
+           )'
+
+  # User account needs both 'authorizedService' and 'host' attributes.
+  'service+host': '(&
+                     (objectClass=posixAccount)
+                     (uid=$username)
+                     (|
+                       (authorizedService=all)
+                       (authorizedService=$service)
+                       (authorizedService=shell)
+                     )
+                     (|
+                       (host=posix:all)
+                       (host=posix:$fqdn)
+                       (host=posix:\2a.$domain)
+                       {{ sshd__ldap_posix_urns | join(" ") }}
+                     )
+                   )'
+                                                                   # ]]]
+                                                                   # ]]]
+# PAM configuration [[[
+# ---------------------
+
+# .. envvar:: sshd__pam_deploy_state [[[
+#
+# Enable or disable support for custom PAM configuration for the ``sshd``
+# service. Set to ``absent`` to remove the customizations.
+sshd__pam_deploy_state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: sshd__pam_access_file [[[
+#
+# Specify the absolute path of the PAM access file to use for the ``sshd``
+# service.
+sshd__pam_access_file: '{{ "/etc/security/access-sshd.conf"
+                           if ("sshd" in ansible_local.pam_access.rules | d([]))
+                           else "/etc/security/access.conf" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration of other services [[[
+# -----------------------------------
+
+# .. envvar:: sshd__ferm__dependent_rules: [[[
+#
+# Configuration for :command:`iptables` firewall managed by :program:`ferm`.
+sshd__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: '{{ sshd__ferm_ports }}'
+    interface: '{{ sshd__ferm_interface }}'
+    weight: '0'
+    weight_class: 'sshd-chain'
+    name: 'sshd_jump-filter-ssh'
+    target: '{{ sshd__ferm_limit_chain }}'
+    rule_state: '{{ "present" if sshd__ferm_limit | bool else "absent" }}'
+    comment: 'Create a separate "iptables" chain for SSH rules'
+
+  - chain: '{{ sshd__ferm_limit_chain if (sshd__ferm_limit | bool) else "INPUT" }}'
+    type: 'accept'
+    dport: '{{ sshd__ferm_ports }}'
+    saddr: '{{ sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist }}'
+    interface: '{{ [] if (sshd__ferm_limit | bool) else sshd__ferm_interface }}'
+    weight: '1'
+    weight_class: 'sshd-chain'
+    name: 'sshd_whitelist'
+    subchain: False
+    accept_any: False
+    comment: 'Accept any hosts in the whitelist unconditionally'
+
+  - chain: '{{ sshd__ferm_limit_chain if sshd__ferm_limit | bool else "INPUT" }}'
+    type: 'accept'
+    dport: '{{ sshd__ferm_ports }}'
+    saddr: '{{ sshd__allow + sshd__group_allow + sshd__host_allow }}'
+    interface: '{{ [] if (sshd__ferm_limit | bool) else sshd__ferm_interface }}'
+    weight: '2'
+    weight_class: 'sshd-chain'
+    name: 'sshd_allow'
+    subchain: False
+    accept_any: '{{ False if sshd__ferm_limit | bool else True }}'
+    comment: |
+      Accept any hosts in the allow list. If there are any hosts specified,
+      block connections from other hosts using TCP Wrappers.
+
+  - chain: '{{ sshd__ferm_limit_chain }}'
+    type: 'recent'
+    weight: '3'
+    weight_class: 'sshd-chain'
+    name: 'sshd_block-ssh'
+    dport: '{{ sshd__ferm_ports }}'
+    state: [ 'NEW' ]
+    subchain: False
+    recent_name: 'ssh-new'
+    recent_update: True
+    recent_seconds: '{{ sshd__ferm_limit_seconds }}'
+    recent_hitcount: '{{ sshd__ferm_limit_hits }}'
+    recent_target: 'REJECT'
+    rule_state: '{{ "present" if sshd__ferm_limit | bool else "absent" }}'
+    comment: |
+      Block new SSH connections that have been marked as recent if they make
+      too many new connection attempts.
+
+  - chain: '{{ sshd__ferm_limit_chain }}'
+    type: 'recent'
+    weight: '4'
+    weight_class: 'sshd-chain'
+    name: 'sshd_mark-ssh'
+    dport: '{{ sshd__ferm_ports }}'
+    state: [ 'NEW' ]
+    subchain: False
+    recent_set_name: 'ssh-new'
+    recent_log: False
+    rule_state: '{{ "present" if sshd__ferm_limit | bool else "absent" }}'
+    comment: 'Mark new connections to the SSH service for recent tracking'
+
+  - chain: '{{ sshd__ferm_limit_chain }}'
+    type: 'accept'
+    weight: '5'
+    weight_class: 'sshd-chain'
+    role: 'sshd'
+    role_weight: '60'
+    name: 'sshd_accept-ssh'
+    dport: '{{ sshd__ferm_ports }}'
+    rule_state: '{{ "present" if sshd__ferm_limit | bool else "absent" }}'
+    comment: 'Accept connections to the SSH service'
+
+                                                                   # ]]]
+# .. envvar:: sshd__tcpwrappers__dependent_allow [[[
+#
+# Configure TCP wrappers to allow access to the ``sshd`` daemon.
+sshd__tcpwrappers__dependent_allow:
+
+  - daemon: 'sshd'
+    client: '{{ sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist }}'
+    accept_any: '{{ False if (sshd__allow + sshd__group_allow + sshd__host_allow) else True }}'
+    weight: '25'
+    filename: 'sshd_dependent_whitelist'
+    comment: 'Whitelist of hosts allowed to connect to ssh'
+
+  - daemon: 'sshd'
+    client: '{{ sshd__allow + sshd__group_allow + sshd__host_allow }}'
+    default: '{{ sshd__tcpwrappers_default }}'
+    accept_any: '{{ True if (sshd__whitelist + sshd__group_whitelist + sshd__host_whitelist) else False }}'
+    weight: '30'
+    filename: 'sshd_dependent_allow'
+    comment: 'List of hosts allowed to connect to ssh'
+
+                                                                   # ]]]
+# .. envvar:: sshd__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+sshd__ldap__dependent_tasks:
+
+  - name: 'Add missing LDAP object classes to {{ sshd__ldap_device_dn | join(",") }}'
+    dn: '{{ sshd__ldap_device_dn }}'
+    attributes:
+      objectClass: '{{ sshd__ldap_device_object_classes }}'
+    state: '{{ "present"
+               if ((ansible_local.ldap.posix_enabled | d()) | bool and
+                   sshd__ldap_device_dn | d())
+               else "ignore" }}'
+
+  - name: 'Update SSH host public keys in {{ sshd__ldap_device_dn | join(",") }}'
+    dn: '{{ sshd__ldap_device_dn }}'
+    attributes: '{{ sshd__ldap_device_attributes }}'
+    state: '{{ "exact"
+               if ((ansible_local.ldap.posix_enabled | d()) | bool and
+                   sshd__ldap_device_dn | d())
+               else "ignore" }}'
+
+  - name: 'Create sshd account for {{ sshd__ldap_device_dn | join(",") }}'
+    dn: '{{ sshd__ldap_binddn }}'
+    objectClass: '{{ sshd__ldap_self_object_classes }}'
+    attributes: '{{ sshd__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if (sshd__authorized_keys_lookup | bool and
+                   ("ldap" in sshd__authorized_keys_lookup_type))
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: sshd__pam_access__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.pam_access` Ansible role.
+sshd__pam_access__dependent_rules:
+
+  - name: 'sshd'
+    options:
+
+      - name: 'allow-root-ansible-controllers'
+        comment: 'Grant access via SSH to root account from the Ansible Controller hosts'
+        permission: 'allow'
+        users: 'root'
+        origins: '{{ ansible_local.core.ansible_controllers | d([]) }}'
+
+      - name: 'allow-root'
+        comment: 'Grant access via SSH to root account on the same DNS domain'
+        permission: 'allow'
+        users: 'root'
+        origins: '.{{ ansible_domain }}'
+
+      - name: 'deny-root'
+        comment: 'Deny access to root account via SSH from anywhere else'
+        permission: 'deny'
+        users: 'root'
+        origins: 'ALL'
+
+      - name: 'allow-system-groups'
+        comment: |
+          Grant access via SSH to members of UNIX groups defined on this host
+        permission: 'allow'
+        groups: '{{ ansible_local.system_groups.access.sshd
+                    | d(["admins", "sshusers", "sftponly"]) }}'
+        origins: 'ALL'
+
+      - name: 'allow-ldap-groups'
+        comment: |
+          Grant access via SSH to members of UNIX groups defined in LDAP
+        permission: 'allow'
+        groups: [ 'admins', 'sshusers', 'sftponly' ]
+        origins: 'ALL'
+        state: '{{ "present"
+                   if (ansible_local.ldap.posix_enabled | d() | bool)
+                   else "absent" }}'
+
+      - name: 'allow-domain'
+        comment: |
+          Grant access via SSH to users on the same DNS domain. The SSH server
+          needs to have UseDNS option enabled for this rule to work correctly.
+        permission: 'allow'
+        users: 'ALL'
+        origins: '.{{ ansible_domain }}'
+
+      - name: 'deny-all'
+        comment: 'Deny access via SSH by anyone from anywhere'
+        permission: 'deny'
+        users: 'ALL'
+        origins: 'ALL'
+        weight: 99999
+                                                                   # ]]]
+# .. envvar:: sshd__sudo__dependent_sudoers [[[
+#
+# Configuration for the :ref:`debops.sudo` Ansible role.
+sshd__sudo__dependent_sudoers:
+
+  - name: 'sshd'
+    options:
+
+      - name: 'env_keep_ssh'
+        comment: |-
+          Allow molly-guard to detect that we connected via ssh even if
+          combined with sudo and tmux.
+          https://superuser.com/questions/666931/getting-molly-guard-to-work-with-sudo
+          It is not perfect, but works in most cases.
+          A case where it does not work is when `sudo tmux` is started via
+          local tty and then attached to it via ssh.
+          Or `sudo tmux` is executed via ssh and then attached locally.
+          But when a new shell is created in tmux, the environment variables in
+          that new shell are correct.
+        value: |
+          Defaults env_keep += SSH_CONNECTION
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/sshd/meta/main.yml b/ansible_collections/debops/debops/roles/sshd/meta/main.yml
new file mode 100644
index 00000000..396c5024
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure OpenSSH server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ssh
+    - sshd
+    - openssh
diff --git a/ansible_collections/debops/debops/roles/sshd/tasks/authorized_keys_lookup.yml b/ansible_collections/debops/debops/roles/sshd/tasks/authorized_keys_lookup.yml
new file mode 100644
index 00000000..a7c46566
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/tasks/authorized_keys_lookup.yml
@@ -0,0 +1,48 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2014-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Create OpenSSH LDAP bind password file
+  ansible.builtin.template:
+    src: 'etc/ssh/ldap_authorized_keys_bindpw.j2'
+    dest: '/etc/ssh/ldap_authorized_keys_bindpw'
+    owner: '{{ sshd__authorized_keys_lookup_user }}'
+    group: 'root'
+    mode: '0600'
+  when: '"ldap" in sshd__authorized_keys_lookup_type | d([])'
+  no_log: '{{ debops__no_log | d(True) }}'
+
+- name: Remove OpenSSH LDAP bind password file
+  ansible.builtin.file:
+    path: '/etc/ssh/ldap_authorized_keys_bindpw'
+    state: 'absent'
+  when: '"ldap" not in sshd__authorized_keys_lookup_type | d([])'
+
+- name: Create /etc/ssh/authorized_keys_lookup.d directory
+  ansible.builtin.file:
+    path: '/etc/ssh/authorized_keys_lookup.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Generate authorized keys lookup scripts
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/ssh/authorized_keys_lookup.d/" + item + ".j2") }}'
+    dest: '/etc/ssh/authorized_keys_lookup.d/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_items: '{{ sshd__authorized_keys_lookup_type }}'
+  when: sshd__authorized_keys_lookup_type | d()
+
+- name: Generate authorized keys lookup hook
+  ansible.builtin.template:
+    src: 'etc/ssh/authorized_keys_lookup.j2'
+    dest: '/etc/ssh/authorized_keys_lookup'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
diff --git a/ansible_collections/debops/debops/roles/sshd/tasks/main.yml b/ansible_collections/debops/debops/roles/sshd/tasks/main.yml
new file mode 100644
index 00000000..4f1dac3b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/tasks/main.yml
@@ -0,0 +1,245 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "sshd/pre_main.yml") }}'
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Ansible local fact script
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sshd.fact.j2'
+    dest: '/etc/ansible/facts.d/sshd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload Ansible local facts
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Make sure that OpenSSH configuration directory exists
+  ansible.builtin.file:
+    path: '/etc/ssh'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Block OpenSSH server from starting immediately when installed
+  #
+  # SSH server must not start, until security options are configured!
+  # https://unix.stackexchange.com/questions/321621/configuring-my-sshd-securely-with-automation
+  #
+  # However, SSH might already be configured, started, and in use.
+  # In this case we should not block it.  Something could try to restart
+  # SSH e.g. unattended-upgrades.  We would end up locking ourselves out.
+  #
+  # In-between states could result from an failed upgrade.  The upgrade is
+  # retried when we demand a package be installed.  The service would be
+  # restarted, so once again we must not block it.
+  #
+  # In-between states could also result from a failed install.  We can't
+  # tell the difference.  (Note if the failed install was from this role,
+  # then we blocked the SSH server already).
+  #
+  # Users are responsible for avoiding situations, where a retried install
+  # starts an SSH server which does not meet their current security
+  # requirements.  Again, the trigger for the retry would be an install
+  # of _any_ package.  This may be considered further illustration of the
+  # problem with how Debian packages work.  It can be prevented by
+  # remembering to remove the failed package first.  Fortunately, it is not
+  # common for a package to fail to install.
+  #
+  # The state "config-files" is the result of `apt-get remove` without
+  # `--purge`; the SSH server will not be running in this state.
+  ansible.builtin.copy:
+    dest: /etc/ssh/sshd_not_to_be_run
+    content: |
+      This file disables the ssh server.  It was created by debops.sshd.
+      This file will be removed when configuration is successfully completed.
+    mode: '0644'
+  when: (ansible_local | d() and ansible_local.sshd | d() and
+         not (ansible_local.sshd.installed | d()) | bool)
+
+  # In a case where the OpenSSH server is installed by the role but not started
+  # due to conditions specified above, this task will ensure that the runtime
+  # directory exists. Without this, configuration check before the daemon is
+  # restarted fails and stops the playbook execution.
+- name: Ensure that the '/run/sshd' directory exists on first install
+  ansible.builtin.file:
+    path: '/run/sshd'
+    state: 'directory'
+    mode: '0755'
+
+- name: Ensure OpenSSH support is installed
+  ansible.builtin.apt:
+    name: '{{ (sshd__base_packages
+             + sshd__recommended_packages
+             + sshd__optional_packages
+             + sshd__ldap_packages
+             + sshd__packages)
+             | flatten }}'
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.sshd | d())
+               else "latest" }}'
+    install_recommends: False
+  register: sshd__register_packages
+  notify: [ 'Refresh host facts' ]
+  until: sshd__register_packages is succeeded
+
+- name: Reload Ansible local facts
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that Ed25519 host key is present
+  ansible.builtin.command: ssh-keygen -q -t ed25519 -N "" -f ssh_host_ed25519_key
+  args:
+    chdir: '/etc/ssh'
+    creates: '/etc/ssh/ssh_host_ed25519_key'
+  when: sshd__version is version('6.5', '>=')
+  tags: [ 'role::sshd:config' ]
+
+- name: Configure authorized_keys lookup
+  ansible.builtin.include_tasks: authorized_keys_lookup.yml
+  when: sshd__version is version('6.2', '>=') and
+        sshd__authorized_keys_lookup | bool
+  tags: [ 'role::sshd:config' ]
+
+- name: Get list of available host keys
+  ansible.builtin.shell: find /etc/ssh -maxdepth 1 -type f -name 'ssh_host_*_key.pub' -exec basename {} .pub \;
+  register: sshd__register_host_keys
+  changed_when: False
+  check_mode: False
+  tags: [ 'role::sshd:config' ]
+
+- name: Get list of available host certs
+  ansible.builtin.shell: find /etc/ssh -maxdepth 1 -type f -name 'ssh_host_*_key-cert.pub' -exec basename {} .pub \;
+  register: sshd__register_host_certs
+  changed_when: False
+  check_mode: False
+  when: sshd__scan_for_host_certs | bool
+  tags: [ 'role::sshd:config' ]
+
+- name: Setup trusted user CA key file
+  ansible.builtin.template:
+    src:      '{{ lookup("debops.debops.template_src", "etc/ssh/trusted_user_ca_file.pem.j2") }}'
+    dest:     '{{ sshd__trusted_user_ca_keys_file }}'
+    owner:    'root'
+    group:    'root'
+    mode:     '0644'
+  when: sshd__trusted_user_ca_keys | d() | length > 0 and
+        sshd__trusted_user_ca_keys_file is defined
+  tags: [ 'role::sshd:config' ]
+
+- name: Setup /etc/ssh/sshd_config
+  ansible.builtin.template:
+    src:    '{{ lookup("debops.debops.template_src", "etc/ssh/sshd_config.j2") }}'
+    dest:   '/etc/ssh/sshd_config'
+    owner:  'root'
+    group:  'root'
+    mode:   '0644'
+  notify: [ 'Test sshd configuration and restart' ]
+  tags: [ 'role::sshd:config' ]
+
+- name: Configuration of additional SSH ports with socket activation
+  when: (sshd__ports | length > 1 and ansible_service_mgr == 'systemd' and
+         (ansible_local.sshd.socket_activation | d('disabled')) == 'enabled')
+  block:
+
+    - name: Create systemd override directory if needed
+      ansible.builtin.file:
+        path: '/etc/systemd/system/ssh.socket.d'
+        state: 'directory'
+        mode: '0755'
+
+    - name: Generate systemd socket configuration
+      ansible.builtin.template:
+        src: 'etc/systemd/system/ssh.socket.d/listen.conf.j2'
+        dest: '/etc/systemd/system/ssh.socket.d/listen.conf'
+        mode: '0644'
+      notify: [ 'Reload systemd daemon' ]
+
+- name: Make sure the system-wide known_hosts file exists
+  ansible.builtin.command: touch {{ sshd__known_hosts_file }}
+  args:
+    creates: '{{ sshd__known_hosts_file }}'
+  tags: [ 'role::sshd:known_hosts' ]
+
+- name: Get list of already scanned host fingerprints
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         ssh-keygen -f {{ sshd__known_hosts_file }} -F {{ item }} | grep -q '^# Host {{ item }} found'
+  args:
+    executable: 'bash'
+  loop: '{{ q("flattened", sshd__known_hosts
+                           + sshd__group_known_hosts
+                           + sshd__host_known_hosts) }}'
+  when: item is defined and item
+  register: sshd__register_known_hosts
+  changed_when: False
+  failed_when: False
+  check_mode: False
+  tags: [ 'role::sshd:known_hosts' ]
+
+- name: Scan SSH fingerprints of specified hosts
+  ansible.builtin.shell: '{{ sshd__known_hosts_command }} {{ item.item }} >> {{ sshd__known_hosts_file }}'
+  with_items: '{{ sshd__register_known_hosts.results | d([]) }}'
+  register: sshd__register_known_hosts_scan
+  changed_when: sshd__register_known_hosts_scan.changed | bool
+  when: item is defined and item.rc > 0
+  tags: [ 'role::sshd:known_hosts' ]
+
+- name: Check if /etc/ssh/moduli contains weak DH parameters
+  ansible.builtin.shell: awk '$5 < {{ (sshd__moduli_minimum | int - 1) }}' /etc/ssh/moduli
+  register: sshd__register_moduli
+  changed_when: sshd__register_moduli.stdout
+  check_mode: False
+
+- name: Remove DH parameters smaller than the requested size
+  ansible.builtin.shell: awk '$5 >= {{ (sshd__moduli_minimum | int - 1) }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+         [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+  notify: [ 'Test sshd configuration and restart' ]
+  register: sshd__register_moduli
+  changed_when: sshd__register_moduli.changed | bool
+  when: sshd__register_moduli.stdout
+
+- name: Remove block on OpenSSH server startup
+  ansible.builtin.file:
+    name: '/etc/ssh/sshd_not_to_be_run'
+    state: 'absent'
+  notify: [ 'Test sshd configuration and restart' ]
+
+- name: Add/remove diversion of /etc/pam.d/sshd
+  debops.debops.dpkg_divert:
+    path: '/etc/pam.d/sshd'
+    state: '{{ "present"
+               if sshd__pam_deploy_state | d("present") != "absent"
+               else "absent" }}'
+    delete: True
+
+- name: Generate /etc/pam.d/sshd configuration
+  ansible.builtin.template:
+    src: '{{ lookup("debops.debops.template_src", "etc/pam.d/sshd.j2") }}'
+    dest: '/etc/pam.d/sshd'
+    mode: '0644'
+  when: sshd__pam_deploy_state == 'present'
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "sshd/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/sshd/tasks/main_env.yml b/ansible_collections/debops/debops/roles/sshd/tasks/main_env.yml
new file mode 100644
index 00000000..e9651315
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/tasks/main_env.yml
@@ -0,0 +1,17 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# The SSH host keys gathered by Ansible facts don't contain the full
+# information, therefore we should grab them by ourselves
+- name: Gather SSH host public keys
+  ansible.builtin.shell: 'set -o nounset -o pipefail -o errexit &&
+          cat /etc/ssh/ssh_host_*_key.pub || true'
+  args:
+    executable: '/bin/bash'
+  register: sshd__env_register_host_public_keys
+  changed_when: False
+  check_mode: False
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/sshd/tasks/sshd/post_main.yml b/ansible_collections/debops/debops/roles/sshd/tasks/sshd/post_main.yml
new file mode 100644
index 00000000..1e402761
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/tasks/sshd/post_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/sshd/tasks/sshd/pre_main.yml b/ansible_collections/debops/debops/roles/sshd/tasks/sshd/pre_main.yml
new file mode 100644
index 00000000..1e402761
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/tasks/sshd/pre_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ansible/facts.d/sshd.fact.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ansible/facts.d/sshd.fact.j2
new file mode 100644
index 00000000..80adb9fb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ansible/facts.d/sshd.fact.j2
@@ -0,0 +1,78 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from re import match, IGNORECASE
+from sys import exit
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+sshd_facts = [
+    {'variable': 'AllowUsers',
+     'fact': 'allow_users',
+     'default': []},
+    {'variable': 'AllowGroups',
+     'fact': 'allow_groups',
+     'default': []}
+]
+
+output = {'configured': True,
+          'installed': cmd_exists('sshd')}
+
+for item in sshd_facts:
+    output.update({item['fact']: item['default']})
+
+try:
+    version_stdout = subprocess.check_output(
+            ["dpkg-query", "-W", "-f=${Version}",
+             "openssh-server"]).decode('utf-8').split('-')[0]
+    if version_stdout:
+        output['version'] = version_stdout.split(':')[1].split('p')[0]
+
+except Exception:
+    pass
+
+try:
+    with open("/etc/ssh/sshd_config") as fd:
+        for line in fd.readlines():
+            for item in sshd_facts:
+                match_fact = match(
+                    r"^" + item['variable'] + r" ([ \w]+)",
+                    line, flags=IGNORECASE)
+                if match_fact:
+                    if isinstance(item['default'], list):
+                        output[item['fact']] = match_fact.groups()[0].split()
+                    elif isinstance(item['default'], str):
+                        output[item['fact']] = match_fact.groups()[0]
+                    elif isinstance(item['default'], int):
+                        output[item['fact']] = int(match_fact.groups()[0])
+
+except Exception as e:
+    print("{}")
+    exit()
+
+try:
+    socket_activation = subprocess.check_output(
+            ["systemctl", "is-enabled", "ssh.socket"]).decode('utf-8')
+    output['socket_activation'] = socket_activation.strip()
+
+except subprocess.CalledProcessError:
+    output['socket_activation'] = 'disabled'
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/pam.d/sshd.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/pam.d/sshd.j2
new file mode 100644
index 00000000..8e8a8948
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/pam.d/sshd.j2
@@ -0,0 +1,62 @@
+{# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+account  required     pam_access.so nodefgroup accessfile={{ sshd__pam_access_file }}
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/ldap.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/ldap.j2
new file mode 100644
index 00000000..3e4f5f9b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/ldap.j2
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Lookup SSH public key in LDAP
+
+# shellcheck disable=SC2034
+username="${1}"
+
+# shellcheck disable=SC2034
+service="sshd"
+
+# shellcheck disable=SC2034
+hostname="$(hostname)"
+
+# shellcheck disable=SC2034
+domain="$(dnsdomainname)"
+
+# shellcheck disable=SC2034
+fqdn="$(hostname --fqdn)"
+
+ldap_binddn="{{ sshd__ldap_binddn }}"
+
+ldap_filter="{{ sshd__ldap_filter }}"
+
+ATTRIBUTE=$(ldapsearch -Z -LLL -x -y /etc/ssh/ldap_authorized_keys_bindpw -D "${ldap_binddn}" -o ldif-wrap=no -S sshPublicKey "${ldap_filter}" sshPublicKey | grep -v 'dn:')
+
+if [[ $ATTRIBUTE == sshPublicKey::* ]];
+then
+  KEY=$(echo "$ATTRIBUTE" | perl -pe 's/sshPublicKey:: //;' | base64 -d)
+else
+  KEY=$(echo "$ATTRIBUTE" | perl -pe 's/sshPublicKey: //;')
+fi
+
+if [ -n "${KEY}" ] ; then
+  echo "${KEY}"
+fi
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/sss.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/sss.j2
new file mode 100644
index 00000000..1d67fbc5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.d/sss.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Lookup SSH public key in SSSD
+
+if [ -x "/usr/bin/sss_ssh_authorizedkeys" ] ; then
+    /usr/bin/sss_ssh_authorizedkeys "${1}"
+fi
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.j2
new file mode 100644
index 00000000..7eb8b005
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/authorized_keys_lookup.j2
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# Lookup SSH public keys
+
+username="${1}"
+
+if [ -d /etc/ssh/authorized_keys_lookup.d ] ; then
+    keys="$(/bin/run-parts --arg="${username}" /etc/ssh/authorized_keys_lookup.d)"
+
+    if [ -n "${keys}" ] ; then
+        echo "${keys}"
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/ldap_authorized_keys_bindpw.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/ldap_authorized_keys_bindpw.j2
new file mode 100644
index 00000000..e312c9cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/ldap_authorized_keys_bindpw.j2
@@ -0,0 +1,5 @@
+{# Copyright (C) 2022 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{- sshd__ldap_bindpw -}}
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/sshd_config.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/sshd_config.j2
new file mode 100644
index 00000000..946a4aa5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/sshd_config.j2
@@ -0,0 +1,68 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information. The original configuration file can be
+# found at /usr/share/openssh/sshd_config.
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+{% for element in sshd__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     set element_name = (element.option | d(element.name)) %}
+{%     if element.value is defined %}
+{%       if element.value is string and not element.value | bool %}
+{%         set element_value = element.value %}
+{%       elif element.value | bool and element.value is not iterable %}
+{%         if element.value | string == '1' %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           set element_value = 'yes' %}
+{%         endif %}
+{%       elif not element.value | bool and element.value is not iterable %}
+{%         if element.value is not none %}
+{%           if element.value | int %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             if element.value | string == '0' %}
+{%               set element_value = element.value %}
+{%             else %}
+{%               set element_value = 'no' %}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         set element_value = element.value | map(attribute='name') | list | join(' ') %}
+{%       endif %}
+{%     endif %}
+{%     if (element.separator | d()) | bool or element.comment | d() %}
+{{       '' }}
+{%     endif %}
+{%     if element.comment | d() %}
+{{       element.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{%     if element.raw | d() %}
+{%       if element.state == 'comment' %}
+{{         element.raw | regex_replace('\n$', '') | comment(decoration='#', prefix='', postfix='') }}
+{%       else %}
+{{         element.raw | regex_replace('\n$', '') }}
+{%       endif %}
+{%     else %}
+{{       '{}{} {}'.format(element_comment, element_name, element_value) }}
+{%       if element.config | d() %}
+{%         if element.state == 'comment' %}
+{{           element.config | regex_replace('\n$', '') | indent(8, true) | comment(decoration='#', prefix='', postfix='') }}
+{%         else %}
+{{           element.config | regex_replace('\n$', '') | indent(8, true) }}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/trusted_user_ca_file.pem.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/trusted_user_ca_file.pem.j2
new file mode 100644
index 00000000..e1a29e38
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/ssh/trusted_user_ca_file.pem.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2013-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2014-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{{ sshd__trusted_user_ca_keys | join("\n") }}
diff --git a/ansible_collections/debops/debops/roles/sshd/templates/etc/systemd/system/ssh.socket.d/listen.conf.j2 b/ansible_collections/debops/debops/roles/sshd/templates/etc/systemd/system/ssh.socket.d/listen.conf.j2
new file mode 100644
index 00000000..6dade77d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sshd/templates/etc/systemd/system/ssh.socket.d/listen.conf.j2
@@ -0,0 +1,15 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# List of additional SSH service listening sockets to enable in systemd
+[Socket]
+{% for socket in sshd__ports %}
+{%   if socket | string == '22' %}
+{{     '#ListenStream={}'.format(socket) }}
+{%   else %}
+{{     'ListenStream={}'.format(socket) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sssd/COPYRIGHT b/ansible_collections/debops/debops/roles/sssd/COPYRIGHT
new file mode 100644
index 00000000..e1041093
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.sssd - Configure LDAP support for NSS and PAM lookups
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+Copyright (C) 2019-2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sssd/defaults/main.yml b/ansible_collections/debops/debops/roles/sssd/defaults/main.yml
new file mode 100644
index 00000000..894eab24
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/defaults/main.yml
@@ -0,0 +1,435 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019-2021 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sssd__ref_defaults:
+
+# debops.sssd default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: sssd__base_packages [[[
+#
+# List of APT packages required for LDAP lookups via NSS and PAM.
+sssd__base_packages:
+  - [ 'sssd', 'libnss-sss', 'libsss-sudo', 'libpam-sss' ]
+
+                                                                   # ]]]
+# .. envvar:: sssd__packages [[[
+#
+# List of additional APT packages to install with :command:`sssd` package.
+sssd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: sssd__mkhomedir_umask [[[
+#
+# Default umask for new home directories created by the ``pam_mkhomedir`` PAM
+# module.
+sssd__mkhomedir_umask: '{{ ansible_local.core.homedir_umask | d("0027") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: sssd__ldap_enabled [[[
+#
+# Enable or disable integration with the LDAP directory. The integration is
+# enabled automatically when the :ref:`debops.ldap` environment is configured
+# on the host.
+sssd__ldap_enabled: '{{ ansible_local.ldap.enabled
+                        if (ansible_local | d() and ansible_local.ldap | d() and
+                            ansible_local.ldap.enabled is defined)
+                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list. If this variable
+# is empty, :file:`/etc/sssd/sssd.conf` configuration file will not be generated.
+sssd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the :command:`sssd` service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+sssd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# :command:`sssd` service to access the LDAP directory.
+sssd__ldap_self_rdn: 'uid=sssd'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`sssd` service to access the LDAP directory.
+sssd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`sssd` service to access the LDAP directory.
+sssd__ldap_self_attributes:
+  uid: '{{ sssd__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ sssd__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "sssd" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# :command:`sssd` service to bind to the LDAP directory.
+sssd__ldap_binddn: '{{ ([sssd__ldap_self_rdn] + sssd__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the :command:`sssd`
+# service to bind to the LDAP directory.
+sssd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                               + sssd__ldap_binddn | to_uuid + ".password length=32"))
+                       if sssd__ldap_enabled | bool
+                       else "" }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_posix_urns [[[
+#
+# List of LDAP search filters which are derived from URN-like patterns defined
+# for a given host in the :ref:`debops.ldap` role.
+# See :ref:`ldap__ref_ldap_access_host` for more details.
+sssd__ldap_posix_urns: '{{ (ansible_local.ldap.urn_patterns
+                            if (ansible_local.ldap.urn_patterns | d())
+                            else [])
+                           | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
+                           | list }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__ldap_host_filter [[[
+#
+# The LDAP filter used in ``passwd`` and ``group`` filters to
+# control the access to UNIX environment on specific hosts or domains.
+sssd__ldap_host_filter: '(|
+                           (host=posix:all)
+                           (host=posix:{{ ansible_fqdn }})
+                           (host=posix:\2a.{{ ansible_domain }})
+                           {{ sssd__ldap_posix_urns | join(" ") }}
+                         )'
+                                                                   # ]]]
+                                                                   # ]]]
+# Service configuration [[[
+# -------------------------
+
+# These variables define the contents of the :file:`/etc/sssd/sssd.conf`
+# configuration file. See :ref:`sssd__ref_configuration` for more details, and
+# :man:`sssd.conf(5)` together with the service-specific man pages (such as
+# :man:`sssd-ldap(5)` and :man:`sssd-krb5(5)`) for possible configuration
+# parameters.
+
+# .. envvar:: sssd__default_configuration [[[
+#
+# The default :command:`sssd` configuration options defined by the role.
+sssd__default_configuration:
+
+  - section: 'sssd'
+    title: 'Global directives'
+    options:
+
+      - name: 'config_file_version'
+        comment: 'Indicates the syntax of the config file, SSSD 0.6.0 and later uses version 2'
+        value: 2
+
+      - name: 'domains'
+        comment: 'A domain is a label for a source of user information, sssd supports multiple domains'
+        value: 'default'
+
+      - name: 'services'
+        comment: 'Services to offer (nss, pam, sudo, autofs, ssh, pac, ifp)'
+        value: [ 'nss', 'pam', 'sudo', 'ssh' ]
+        state: '{{ "present" if ansible_distribution_release in ["stretch", "buster", "bionic"] else "ignore" }}'
+
+      - name: 'debug_level'
+        comment: |
+          Note that debug level is a bitmap and only applies to a given section
+          of the config file, so you might want to set it in other sections as
+          well if you want to enable debugging (see sssd.conf(5)).
+        value: '0x0770'
+        state: 'comment'
+
+  - section: 'nss'
+    title: 'Name Service Switch directives'
+    options:
+
+      - name: 'filter_users'
+        comment: 'Users which should be excluded from being fetched via sss (default: root)'
+        value: 'root'
+        state: 'comment'
+
+      - name: 'filter_groups'
+        comment: 'Groups which should be excluded from being fetched via sss (default: root)'
+        value: 'root'
+        state: 'comment'
+
+  - section: 'pam'
+    title: 'Pluggable Authentication Modules directives'
+    options:
+
+      - name: 'offline_credentials_expiration'
+        comment: 'How long should offline logins be allowed (in days since last successful online login, default: 0 - no limit)'
+        value: 0
+        state: 'comment'
+
+      - name: 'offline_failed_login_attempts'
+        comment: 'How many failed offline login attempts are allowed'
+        value: 5
+
+      - name: 'offline_failed_login_delay'
+        comment: 'Delay (in minutes) between login attempts after offline_failed_login_attempts has been reached'
+        value: 1
+
+  - section: 'sudo'
+    title: 'Sudo directives'
+    options:
+
+      - name: 'sudo_timed'
+        comment: 'Whether to evaluate the sudoNotBefore and sudoNotAfter attributes'
+        value: False
+        state: 'comment'
+
+  - section: 'ssh'
+    title: 'Secure SHell directives'
+    options:
+
+      - name: 'ssh_hash_known_hosts'
+        comment: 'Whether to hash the managed known_hosts file'
+        value: True
+        state: 'comment'
+
+      - name: 'ssh_known_hosts_timeout'
+        comment: 'How many seconds to keep a host in the managed known_hosts file'
+        value: 180
+        state: 'comment'
+
+  - section: 'domain/default'
+    title: 'Default domain directives'
+    options:
+
+      - name: 'id_provider'
+        comment: |
+          The identification provider to use for the domain. Possible providers
+          include e.g. ldap, ipa and ad (see the corresponding sssd-* man pages).
+        value: 'ldap'
+
+      - name: 'auth_provider'
+        comment: |
+          The authentication provider to use for the domain. Possible providers
+          include e.g. ldap, krb5, ipa and ad (see the corresponding sssd-* man
+          pages).
+        value: 'ldap'
+
+      - name: 'chpass_provider'
+        comment: |
+          The password change provider to use for the domain. Possible providers
+          include e.g. ldap, krb5, ipa and ad (see the corresponding sssd-* man
+          pages).
+        value: 'ldap'
+
+      - name: 'sudo_provider'
+        comment: |
+          The SUDO rules provider to use for the domain. Possible providers
+          include e.g. ldap, ipa and ad (see the corresponding sssd-* man
+          pages).
+        value: 'ldap'
+
+      - name: 'access_provider'
+        comment: |
+          The access control provider to use for the domain. Possible providers
+          include e.g. permit, deny, ldap, ipa, ad and simple (see the
+          corresponding sssd-* man pages).
+        value: 'ldap'
+
+      - name: 'ldap_access_order'
+        comment: |
+          SSSD has builtin support for checking authorizedServices and host
+          attributes, but it looks for "*" rather than "all" or "posix:all"
+          as in DebOps, and it also only checks the attributes for posixAccount
+          and not posixGroup entries, therefore the authorized_service and host
+          checks cannot be enabled by default.
+        value: 'pwd_expire_policy_renew'
+
+      - name: 'ldap_uri'
+        comment: 'The location at which the LDAP server(s) should be reachable.'
+        value: '{{ ansible_local.ldap.uri | d("") }}'
+
+      - name: 'ldap_default_bind_dn'
+        comment: 'The DN to bind with for normal lookups.'
+        value: '{{ sssd__ldap_binddn }}'
+
+      - name: 'ldap_default_authtok'
+        value: '{{ sssd__ldap_bindpw }}'
+
+      - name: 'ldap_schema'
+        comment: 'Specifies the schema used on the LDAP server (rfc2307, rfc2307bis, ipa, ad)'
+        value: 'rfc2307bis'
+
+      - name: 'ldap_pwd_policy'
+        comment: |
+          Which policy should be used to evaluate password expiration
+          (none, shadow, mit_kerberos). Note that if you enable this, users
+          without shadowAccount attributes *will* be denied access.
+        value: 'shadow'
+        state: 'comment'
+
+      - name: 'ldap_connection_expire_timeout'
+        comment: |
+          The idle timelimit for connections with the LDAP server. This should be
+          lower than the server's olcIdleTimeout (default: 900).
+        value: 600
+
+      - name: 'min_id'
+        comment: |
+          First valid UID/GID number expected to be in the LDAP directory.
+          UIDs/GIDs lower than this value will be ignored.
+        value: '{{ ansible_local.ldap.uid_gid_min | d("10000") }}'
+
+      - name: 'max_id'
+        comment: |
+          Last valid UID/GID number expected to be in the LDAP directory.
+          UIDs/GIDs higher than this value will be ignored (0 = no limit).
+        value: '{{ ansible_local.ldap.uid_gid_max | d("0") }}'
+
+      - name: 'cache_credentials'
+        comment: |
+          Whether user credentials should also be cached (in hashed form) in a
+          local cache in order to allow offline logins (see also the
+          "offline_credentials_expiration" parameter in the [pam] section).
+        value: True
+
+      - name: 'enumerate'
+        comment: |
+          Enumeration means that sssd will download and cache ALL users and
+          groups from the remote server. This means that they will be available
+          in case of sudden network outages, etc, but is not suitable for
+          large environments.
+        value: False
+
+      - name: 'ldap_enumeration_refresh_timeout'
+        comment: 'Specifies how often re-enumeration should be performed (in seconds).'
+        value: 300
+
+      - name: 'ldap_id_use_start_tls'
+        comment: 'SSL options'
+        value: '{{ True
+                  if (ansible_local | d() and ansible_local.ldap | d() and
+                      (ansible_local.ldap.start_tls | d()) | bool)
+                  else False }}'
+
+      - name: 'ldap_tls_reqcert'
+        value: 'demand'
+
+      - name: 'ldap_tls_cacert'
+        value: '/etc/ssl/certs/ca-certificates.crt'
+
+      - name: 'ldap_group_name'
+        comment: |
+          Use the 'gid' attribute instead of 'cn' as the POSIX group name.
+        value: 'gid'
+
+      - name: 'ldap_search_base'
+        comment: |
+          The search base that will be used for queries. "ldap_search_base"
+          defines the default search base which will be used unless a more
+          specific "ldap_*_search_base" has been defined.
+          Format: search_base[?scope?[filter][?search_base?scope?[filter]]*]
+        value: '{{ sssd__ldap_base_dn | join(",") }}'
+
+      - name: 'ldap_user_search_base'
+        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + sssd__ldap_host_filter }}'
+
+      - name: 'ldap_group_search_base'
+        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + sssd__ldap_host_filter }}'
+
+      - name: 'ldap_sudo_search_base'
+        value: '{{ sssd__ldap_base_dn | join(",") + "?subtree?" + "" }}'
+        state: 'comment'
+
+                                                                   # ]]]
+# .. envvar:: sssd__configuration [[[
+#
+# The :command:`sssd` configuration options defined on all hosts in the
+# Ansible inventory.
+sssd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sssd__group_configuration [[[
+#
+# The :command:`sssd` configuration options defined on hosts in a specific
+# Ansible inventory group.
+sssd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sssd__host_configuration [[[
+#
+# The :command:`sssd` configuration options defined on specific hosts in the
+# Ansible inventory.
+sssd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sssd__combined_configuration [[[
+#
+# The variable that combines other :command:`sssd` configuration options and
+# is used in the role template.
+sssd__combined_configuration: '{{ sssd__default_configuration
+                                   + sssd__configuration
+                                   + sssd__group_configuration
+                                   + sssd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: sssd__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+sssd__ldap__dependent_tasks:
+
+  - name: 'Create sssd account for {{ sssd__ldap_device_dn | join(",") }}'
+    dn: '{{ sssd__ldap_binddn }}'
+    objectClass: '{{ sssd__ldap_self_object_classes }}'
+    attributes: '{{ sssd__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if ((ansible_local.ldap.posix_enabled | d()) | bool and
+                   sssd__ldap_device_dn | d())
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: sssd__nsswitch__dependent_services [[[
+#
+# Configuration for the :ref:`debops.nsswitch` Ansible role.
+sssd__nsswitch__dependent_services: [ 'sss' ]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sssd/meta/main.yml b/ansible_collections/debops/debops/roles/sssd/meta/main.yml
new file mode 100644
index 00000000..89c0a889
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'David Härdeman'
+  description: 'Configure LDAP support for NSS and PAM lookups'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - ldap
+    - sssd
+    - nss
+    - pam
+    - system
diff --git a/ansible_collections/debops/debops/roles/sssd/tasks/main.yml b/ansible_collections/debops/debops/roles/sssd/tasks/main.yml
new file mode 100644
index 00000000..e703b037
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure pam-mkhomedir to create home directories
+  ansible.builtin.template:
+    src: 'usr/share/pam-configs/mkhomedir.j2'
+    dest: '/usr/share/pam-configs/mkhomedir'
+    mode: '0644'
+  register: sssd__register_mkhomedir
+
+- name: Enable mkhomedir PAM module
+  ansible.builtin.shell: 'pam-auth-update --package --remove mkhomedir 2>/dev/null && pam-auth-update --package --enable mkhomedir 2>/dev/null'  # noqa no-handler
+  register: sssd__register_pam_update
+  changed_when: sssd__register_pam_update.changed | bool
+  when: sssd__register_mkhomedir is changed
+
+- name: Install packages for sssd support
+  ansible.builtin.package:
+    name: '{{ q("flattened", sssd__base_packages + sssd__packages) }}'
+    state: 'present'
+  register: sssd__register_packages
+  until: sssd__register_packages is succeeded
+
+- name: Generate sssd configuration
+  ansible.builtin.template:
+    src: 'etc/sssd/sssd.conf.j2'
+    dest: '/etc/sssd/sssd.conf'
+    mode: '0600'
+  register: sssd__register_config
+  when: sssd__ldap_base_dn | d()
+
+- name: Restart sssd if its configuration was modified
+  ansible.builtin.service:  # noqa no-handler
+    name: 'sssd'
+    state: 'restarted'
+  when: sssd__register_config is changed
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save sssd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sssd.fact.j2'
+    dest: '/etc/ansible/facts.d/sssd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/sssd/templates/etc/ansible/facts.d/sssd.fact.j2 b/ansible_collections/debops/debops/roles/sssd/templates/etc/ansible/facts.d/sssd.fact.j2
new file mode 100644
index 00000000..f81fe649
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/templates/etc/ansible/facts.d/sssd.fact.j2
@@ -0,0 +1,26 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+# Copyright (C) 2019-2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+from sys import exit
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('sssd')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sssd/templates/etc/sssd/sssd.conf.j2 b/ansible_collections/debops/debops/roles/sssd/templates/etc/sssd/sssd.conf.j2
new file mode 100644
index 00000000..9b6d2c85
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/templates/etc/sssd/sssd.conf.j2
@@ -0,0 +1,73 @@
+{# Copyright (C) 2019-2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021      David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2019-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/sssd/sssd.conf	Configuration file for sssd.
+#
+#			For more information, see sssd.conf(5)
+{% for section in sssd__combined_configuration | debops.debops.parse_kv_items(name='section') %}
+{%   if section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     if section.options | d() %}
+{%       if section.state != 'hidden' %}
+{%         if (['present', 'comment'] | intersect(section.options | map(attribute='state') | list)) %}
+{%           set section_title = (' ' + ((section.title | d(section.section)) | upper) + ' ') %}
+{%           set section_width = section_title | length + 8 %}
+{{           '' }}
+{{           '' }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           ("{:#^" + section_width | string + "}").format(section_title) }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           ("[{}]").format(section.section) }}
+{{           '' }}
+{%         endif %}
+{%       else %}
+{{         '' }}
+{%       endif %}
+{%       for element in section.options %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%           if element.comment | d() %}
+{%             if not loop.first %}
+{{               '' }}
+{%             endif %}
+{{             element.comment | regex_replace('\n$', '') | comment(prefix='', decoration='# ', postfix='') -}}
+{%           endif %}
+{%           if element.raw | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%             else %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%             endif %}
+{%           else %}
+{%             if element.value is string and not element.value | bool %}
+{%               set element_value = element.value %}
+{%             elif element.value | bool and element.value is not iterable %}
+{%               if element.value | string == '1' %}
+{%                 set element_value = element.value %}
+{%               else %}
+{%                 set element_value = 'true' %}
+{%               endif %}
+{%             elif not element.value | bool and element.value is not iterable %}
+{%               if element.value is not none %}
+{%                 if element.value | int %}
+{%                   set element_value = element.value %}
+{%                 else %}
+{%                   if element.value | string == '0' %}
+{%                     set element_value = element.value %}
+{%                   else %}
+{%                     set element_value = 'false' %}
+{%                   endif %}
+{%                 endif %}
+{%               endif %}
+{%             else %}
+{%               set element_value = (element.value | selectattr("name", "defined") | map(attribute="name") | list | join(', ')) %}
+{%             endif %}
+{{ '{}{} = {}'.format(('#' if (element.state | d('present') == 'comment') else ''), element.name, element_value) }}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sssd/templates/usr/share/pam-configs/mkhomedir.j2 b/ansible_collections/debops/debops/roles/sssd/templates/usr/share/pam-configs/mkhomedir.j2
new file mode 100644
index 00000000..18e880e0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sssd/templates/usr/share/pam-configs/mkhomedir.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 David Härdeman <david@hardeman.nu>
+ # Copyright (C) 2019-2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+Name: activate mkhomedir managed by Ansible
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required                        pam_mkhomedir.so umask={{ sssd__mkhomedir_umask }} skel=/etc/skel
diff --git a/ansible_collections/debops/debops/roles/stunnel/COPYRIGHT b/ansible_collections/debops/debops/roles/stunnel/COPYRIGHT
new file mode 100644
index 00000000..d43e855b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.stunnel - manage STunnel proxy using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/stunnel/defaults/main.yml b/ansible_collections/debops/debops/roles/stunnel/defaults/main.yml
new file mode 100644
index 00000000..60241a30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/defaults/main.yml
@@ -0,0 +1,146 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _stunnel__ref_defaults:
+
+# debops.stunnel default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Tunnel connections [[[
+# ----------------------
+
+# .. envvar:: stunnel_services [[[
+#
+# List of client-server tunnels configurd by ``debops.stunnel``
+# See :ref:`stunnel_services` for more details.
+stunnel_services: []
+
+                                                                   # ]]]
+# .. envvar:: stunnel_server [[[
+#
+# List of hostnames, CNAMEs or service names which indicate that this host
+# should be configured as a stunnel server.
+stunnel_server: []
+
+                                                                   # ]]]
+# .. envvar:: stunnel_server_addresses [[[
+#
+# List of hostnames, IP addresses and FQDN domains configured on a given
+# server. If any entries here are included in ``item.client_connect``, a given
+# host will be configured as the stunnel server, otherwise it will be
+# configured as stunnel client.
+stunnel_server_addresses: '{{ [ansible_hostname, ansible_fqdn] +
+                              ansible_all_ipv4_addresses | d([]) +
+                              ansible_all_ipv6_addresses | d([]) +
+                              stunnel_server }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# SSL, PKI and encryption [[[
+# ---------------------------
+
+# .. envvar:: stunnel_ssl_ciphers [[[
+#
+# List of SSL ciphers used by stunnel
+stunnel_ssl_ciphers: 'ALL:ECDHE:!SSLv3:!SSLv2:!kEDH:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!RC4:RSA:HIGH'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_curve [[[
+#
+# Elliptic Curve used by stunnel
+stunnel_ssl_curve: 'prime256v1'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_opts [[[
+#
+# List of SSL options passed to the OpenSSL library
+# See stunnel4(8) for more details.
+stunnel_ssl_opts: [ 'NO_SSLv3' ]
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_verify [[[
+#
+# What level of scrutiny should stunnel use to check validity of
+# a client/server certificate. See stunnel4(8) for more details.
+stunnel_ssl_verify: '2'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_ssl_check_crl [[[
+#
+# Should stunnel use CRL to check validity of the certificate?
+stunnel_ssl_check_crl: False
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki [[[
+#
+# Enable or disable support for PKI/SSL/TLS in stunnel, managed by
+# ``debops.pki`` role
+stunnel_pki: '{{ ansible_local.pki.enabled | d() }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_path [[[
+#
+# PKI base directory
+stunnel_pki_path: '{{ ansible_local.pki.base_path
+                      if (ansible_local | d() and ansible_local.pki | d())
+                      else "/etc/pki" }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_realm [[[
+#
+# PKI realm to use for stunnel
+stunnel_pki_realm: '{{ ansible_local.pki.realm
+                       if (ansible_local | d() and ansible_local.pki | d())
+                       else "system" }}'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_ca [[[
+#
+# CA certificate to use, relative to ``stunnel_pki_realm`` variable
+stunnel_pki_ca: 'CA.crt'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_crl [[[
+#
+# Certificate Revocation List file to use, relative to ``stunnel_pki_realm``
+# variable
+stunnel_pki_crl: 'default.crl'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_crt [[[
+#
+# Certificate file to use, relative to ``stunnel_pki_crt`` variable
+stunnel_pki_crt: 'default.crt'
+
+                                                                   # ]]]
+# .. envvar:: stunnel_pki_key [[[
+#
+# Private key file to use, relative to ``stunnel_pki_key`` variable
+stunnel_pki_key: 'default.key'
+                                                                   # ]]]
+                                                                   # ]]]
+# Other options [[[
+# -----------------
+
+# .. envvar:: stunnel_options [[[
+#
+# Additional options added to all tunnel configuration files, specified as
+# a YAML text block
+stunnel_options: ''
+
+                                                                   # ]]]
+# .. envvar:: stunnel_debug [[[
+#
+# Debug level, determines log verbosity
+stunnel_debug: '4'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/stunnel/meta/main.yml b/ansible_collections/debops/debops/roles/stunnel/meta/main.yml
new file mode 100644
index 00000000..08e87fd5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Create an encrypted TCP tunnel between two hosts using stunnel and SSL'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.8.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - tunnel
+    - ssl
diff --git a/ansible_collections/debops/debops/roles/stunnel/tasks/main.yml b/ansible_collections/debops/debops/roles/stunnel/tasks/main.yml
new file mode 100644
index 00000000..399a71e9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "stunnel/pre_main.yml") }}'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (["stunnel4", "openssl", "ssl-cert"])) }}'
+    state: 'present'
+  register: stunnel__register_packages
+  until: stunnel__register_packages is succeeded
+
+- name: Configure default variables
+  ansible.builtin.template:
+    src: 'etc/default/stunnel4.j2'
+    dest: '/etc/default/stunnel4'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Restart stunnel' ]
+
+- name: Add stunnel user to ssl-cert system group
+  ansible.builtin.user:
+    name: 'stunnel4'
+    state: 'present'
+    createhome: False
+    groups: 'ssl-cert'
+    append: True
+
+- name: Remove SSL tunnels if requested
+  ansible.builtin.file:
+    path: '/etc/stunnel/{{ item.filename | default(item.name) }}.conf'
+    state: 'absent'
+  with_items: "{{ stunnel_services }}"
+  when: ((item.name is defined and item.name) and
+         (item.delete is defined and item.delete | bool))
+  notify: [ 'Restart stunnel' ]
+
+- name: Configure SSL tunnels
+  ansible.builtin.template:
+    src: 'etc/stunnel/service.conf.j2'
+    dest: '/etc/stunnel/{{ item.filename | default(item.name) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: "{{ stunnel_services }}"
+  when: ((item.name is defined and item.name) and
+         (item.delete is undefined or not item.delete | bool))
+  notify: [ 'Restart stunnel' ]
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "stunnel/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/post_main.yml b/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/post_main.yml
new file mode 100644
index 00000000..7b4f625d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/pre_main.yml b/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/pre_main.yml
new file mode 100644
index 00000000..7b4f625d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/tasks/stunnel/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/stunnel/templates/etc/default/stunnel4.j2 b/ansible_collections/debops/debops/roles/stunnel/templates/etc/default/stunnel4.j2
new file mode 100644
index 00000000..9ee64a7f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/templates/etc/default/stunnel4.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
diff --git a/ansible_collections/debops/debops/roles/stunnel/templates/etc/stunnel/service.conf.j2 b/ansible_collections/debops/debops/roles/stunnel/templates/etc/stunnel/service.conf.j2
new file mode 100644
index 00000000..3ed5de41
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/stunnel/templates/etc/stunnel/service.conf.j2
@@ -0,0 +1,110 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set stunnel_tpl_server = [] %}
+{% if item.name in stunnel_server %}
+{%   set _ = stunnel_tpl_server.append('true') %}
+{% endif %}
+{% if ((item.client_accept is undefined or item.client_accept is defined and not item.client_accept) and
+       (item.client_port is undefined or item.client_port is defined and not item.client_port)) %}
+{%   set _ = stunnel_tpl_server.append('true') %}
+# server: {{ stunnel_tpl_server }}
+{% endif %}
+{% if item.client_connect is defined and item.client_connect %}
+{%   if item.client_connect is string %}
+{%     if item.client_connect.split(':')[0] in stunnel_server_addresses %}
+{%       set _ = stunnel_tpl_server.append('true') %}
+{%     endif %}
+{%   elif item.client_connect is mapping %}
+{%     for key, value in item.client_connect.items() %}
+{%       if key in stunnel_server_addresses %}
+{%         set _ = stunnel_tpl_server.append('true') %}
+{%       endif %}
+{%     endfor %}
+{%   else %}
+{%     for entry in item.client_connect %}
+{%       if entry in stunnel_server_addresses %}
+{%         set _ = stunnel_tpl_server.append('true') %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+# {{ ansible_managed }}
+
+setuid		= stunnel4
+setgid		= stunnel4
+pid		= /var/run/stunnel4/{{ item.name }}.pid
+debug		= {{ item.debug | default(stunnel_debug) }}
+
+ciphers		= {{ item.ssl_ciphers | default(stunnel_ssl_ciphers) }}
+curve		= {{ item.ssl_curve   | default(stunnel_ssl_curve) }}
+
+sslVersion	= all
+{% if item.ssl_opts is defined and item.ssl_opts %}
+{%   for opt in item.ssl_opts %}
+options         = {{ opt }}
+{%   endfor %}
+{% else %}
+{%   for opt in stunnel_ssl_opts %}
+options         = {{ opt }}
+{%   endfor %}
+{% endif %}
+verify		= {{ item.ssl_verify | default(stunnel_ssl_verify) }}
+
+{% if stunnel_pki is defined and stunnel_pki %}
+CAfile		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_ca  | default(stunnel_pki_ca)  }}
+{% if stunnel_ssl_check_crl %}
+CRLfile		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_crl | default(stunnel_pki_crl) }}
+{% endif %}
+cert		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_crt | default(stunnel_pki_crt) }}
+key		= {{ stunnel_pki_path + "/" + stunnel_pki_realm + "/" + item.pki_key | default(stunnel_pki_key) }}
+{% endif %}
+{% if stunnel_options is defined and stunnel_options %}
+
+{{ stunnel_options }}
+{% endif %}
+
+[{{ item.name }}]
+
+{% if stunnel_tpl_server %}
+client		= no
+accept		= {{ item.server_accept if item.server_accept | d() else (':::' + item.server_port) }}
+{% if item.server_connect is defined %}
+{% if item.server_connect is string %}
+connect		= {{ item.server_connect }}
+{% elif item.server_connect is mapping %}
+{% for key, value in item.server_connect.items() %}
+connect		= {{ key + ':' + value }}
+{% endfor %}
+{% else %}
+{% for entry in item.server_connect %}
+connect		= {{ entry + ':' + (item.client_accept.split(':')[-1] if item.client_accept | d() else item.client_port) }}
+{% endfor %}
+{% endif %}
+{% else %}
+connect		= {{ item.client_port }}
+{% endif %}
+{% if item.server_options is defined and item.server_options %}
+{{ item.server_options }}
+{% endif %}
+{% else %}
+client		= yes
+accept		= {{ item.client_accept if item.client_accept | d() else (':::' + item.client_port) }}
+{% if item.client_connect is defined and item.client_connect %}
+{% if item.client_connect is string %}
+connect		= {{ item.client_connect }}
+{% elif item.client_connect is mapping %}
+{% for key, value in item.client_connect.items() %}
+connect		= {{ key + ':' + value }}
+{% endfor %}
+{% else %}
+{% for entry in item.client_connect %}
+connect		= {{ entry + ':' + (item.server_accept.split(':')[-1] if item.server_accept | d() else item.server_port) }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if item.client_options is defined and item.client_options %}
+{{ item.client_options }}
+{% endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/sudo/COPYRIGHT b/ansible_collections/debops/debops/roles/sudo/COPYRIGHT
new file mode 100644
index 00000000..1426396d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.sudo - Configure 'sudo' support using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sudo/defaults/main.yml b/ansible_collections/debops/debops/roles/sudo/defaults/main.yml
new file mode 100644
index 00000000..55fcd8c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/defaults/main.yml
@@ -0,0 +1,261 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sudo__ref_defaults:
+
+# debops.sudo default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: sudo__enabled [[[
+#
+# Enable or disable support for :command:`sudo` management on a host.
+sudo__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: sudo__base_packages [[[
+#
+# List of base APT packages to install for :command:`sudo` support.
+sudo__base_packages: '{{ ["sudo-ldap"]
+                         if sudo__ldap_enabled | bool
+                         else ["sudo"] }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__packages [[[
+#
+# List of additional APT packages to install with :command:`sudo` command.
+sudo__packages: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__logind_session [[[
+#
+# Enable or disable a workaround for :command:`sudo` login session not having
+# a ``$XDG_RUNTIME_DIR`` environment variable set. This allows control over
+# another user's :command:`systemd` instance.
+sudo__logind_session: '{{ True if (ansible_service_mgr == "systemd") else False }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP environment [[[
+# --------------------
+
+# .. envvar:: sudo__ldap_base_dn [[[
+#
+# The base Distinguished Name which should be used to create Distinguished
+# Names of the LDAP directory objects, defined as a YAML list.
+sudo__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_device_dn [[[
+#
+# The Distinguished Name of the current host LDAP object, defined as a YAML
+# list. It will be used as a base for the :command:`sudo` service account LDAP
+# object. If the list is empty, the role will not create the account LDAP
+# object automatically.
+sudo__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_self_rdn [[[
+#
+# The Relative Distinguished Name of the account LDAP object used by the
+# :command:`sudo` service to access the LDAP directory.
+sudo__ldap_self_rdn: 'uid=sudo'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_self_object_classes [[[
+#
+# List of the LDAP object classes which will be used to create the LDAP object
+# used by the :command:`sudo` service to access the LDAP directory.
+sudo__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_self_attributes [[[
+#
+# YAML dictionary that defines the attributes of the LDAP object used by the
+# :command:`sudo` service to access the LDAP directory.
+sudo__ldap_self_attributes:
+  uid: '{{ sudo__ldap_self_rdn.split("=")[1] }}'
+  userPassword: '{{ sudo__ldap_bindpw }}'
+  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
+  description: 'Account used by the "sudo" service to access the LDAP directory'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_binddn [[[
+#
+# The Distinguished Name of the account LDAP object used by the
+# :command:`sudo` service to bind to the LDAP directory.
+sudo__ldap_binddn: '{{ ([sudo__ldap_self_rdn] + sudo__ldap_device_dn) | join(",") }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_bindpw [[[
+#
+# The password stored in the account LDAP object used by the :command:`sudo`
+# service to bind to the LDAP directory.
+sudo__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
+                               + sudo__ldap_binddn | to_uuid + ".password length=32"))
+                       if sudo__ldap_enabled | bool
+                       else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Local sudoers configuration [[[
+# -------------------------------
+
+# These lists define what :command:`sudo` configuration will be present in the
+# :file:`/etc/sudoers.d/` directory. See :ref:`sudo__ref_sudoers` for more
+# details.
+
+# .. envvar:: sudo__sudoers [[[
+#
+# Configuration which should be present on all hosts in the Ansible inventory.
+sudo__sudoers: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__group_sudoers [[[
+#
+# Configuration which should be present on hosts in a specific Ansible
+# inventory group.
+sudo__group_sudoers: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__host_sudoers [[[
+#
+# Configuration which should be present on specific hosts in the Ansible
+# inventory.
+sudo__host_sudoers: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__dependent_sudoers [[[
+#
+# List of sudoers configurations defined in other Ansible roles
+sudo__dependent_sudoers: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__combined_sudoers [[[
+#
+# The variable which combines all other ``sudoers`` configuration variables and
+# is used in the role tasks.
+sudo__combined_sudoers: '{{ sudo__sudoers
+                            + sudo__group_sudoers
+                            + sudo__host_sudoers
+                            + sudo__dependent_sudoers }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# LDAP sudoers configuration [[[
+# ------------------------------
+
+# The variables below define the contents of the :file:`/etc/sudo-ldap.conf`
+# configuration file which is used by :command:`sudo` service to access the
+# LDAP directory and retrieve sudoers configuration stored in the directory.
+#
+# The syntax of the ``sudo__ldap_*_configuration`` variables is the same as the
+# :ref:`ldap__ref_configuration` variable syntax. Refer to its documentation
+# for more details. The configuration options supported by :command:`sudo` can
+# be found in the :man:`sudoers.ldap(5)` manual page.
+
+# .. envvar:: sudo__ldap_enabled [[[
+#
+# Enable or disable support for the :file:`/etc/sudo-ldap.conf` configuration
+# file management. If the support is disabled, existing configuration file will
+# not be changed or removed.
+sudo__ldap_enabled: '{{ True
+                        if (ansible_local | d() and ansible_local.ldap | d() and
+                            (ansible_local.ldap.posix_enabled | d()) | bool and not
+                            (ansible_local.sssd | d() and ansible_local.sssd.installed | d()) | bool)
+                        else False }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_default_configuration [[[
+#
+# The contents of the :file:`/etc/sudo-ldap.conf` configuration file defined by
+# default in the role.
+sudo__ldap_default_configuration:
+
+  - name: 'sudoers_base'
+    comment: 'The base DN to use when performing "sudo" LDAP queries.'
+    value: '{{ (["ou=SUDOers"] + sudo__ldap_base_dn) | join(",") }}'
+
+  - name: 'uri'
+    comment: 'The location at which the LDAP server(s) should be reachable.'
+    value: '{{ ansible_local.ldap.uri | d("") }}'
+
+  - name: 'ssl'
+    comment: 'SSL options'
+    value: '{{ "start_tls"
+               if (ansible_local | d() and ansible_local.ldap | d() and
+                   (ansible_local.ldap.start_tls | d()) | bool)
+               else "on" }}'
+
+  - name: 'tls_reqcert'
+    value: 'demand'
+
+  - name: 'tls_cacert'
+    value: '/etc/ssl/certs/ca-certificates.crt'
+
+  - name: 'binddn'
+    comment: 'The "sudo" service LDAP credentials used to bind to the directory.'
+    value: '{{ sudo__ldap_binddn }}'
+
+  - name: 'bindpw'
+    value: '{{ sudo__ldap_bindpw }}'
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_configuration [[[
+#
+# The contents of the :file:`/etc/sudo-ldap.conf` configuration file defined on
+# all hosts in the Ansible inventory.
+sudo__ldap_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_group_configuration [[[
+#
+# The contents of the :file:`/etc/sudo-ldap.conf` configuration file defined on
+# hosts in a specific Ansible inventory group.
+sudo__ldap_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_host_configuration [[[
+#
+# The contents of the :file:`/etc/sudo-ldap.conf` configuration file defined on
+# specific hosts in the Ansible inventory.
+sudo__ldap_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: sudo__ldap_combined_configuration [[[
+#
+# Variable which combines :command:`sudo` LDAP configuration from other
+# variables and is used in the role templates.
+sudo__ldap_combined_configuration: '{{ sudo__ldap_default_configuration
+                                       + sudo__ldap_configuration
+                                       + sudo__ldap_group_configuration
+                                       + sudo__ldap_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: sudo__ldap__dependent_tasks [[[
+#
+# Configuration for the :ref:`debops.ldap` Ansible role.
+sudo__ldap__dependent_tasks:
+
+  - name: 'Create sudo account for {{ sudo__ldap_device_dn | join(",") }}'
+    dn: '{{ sudo__ldap_binddn }}'
+    objectClass: '{{ sudo__ldap_self_object_classes }}'
+    attributes: '{{ sudo__ldap_self_attributes }}'
+    no_log: '{{ debops__no_log | d(True) }}'
+    state: '{{ "present"
+               if sudo__ldap_enabled | bool
+               else "ignore" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sudo/meta/main.yml b/ansible_collections/debops/debops/roles/sudo/meta/main.yml
new file mode 100644
index 00000000..1dc02522
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure sudo support on a host'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - sudo
+    - authentication
+    - authorization
+    - security
diff --git a/ansible_collections/debops/debops/roles/sudo/tasks/main.yml b/ansible_collections/debops/debops/roles/sudo/tasks/main.yml
new file mode 100644
index 00000000..3e20ec5c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/tasks/main.yml
@@ -0,0 +1,102 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Configure access to LDAP directory
+  ansible.builtin.template:
+    src: 'etc/sudo-ldap.conf.j2'
+    dest: '/etc/sudo-ldap.conf'
+    mode: '0440'
+  when: sudo__enabled | bool and sudo__ldap_enabled | bool
+
+- name: Install required packages
+  environment:
+    SUDO_FORCE_REMOVE: 'yes'
+  ansible.builtin.package:
+    name: '{{ q("flattened", (sudo__base_packages
+                              + sudo__packages)) }}'
+    state: 'present'
+  register: sudo__register_packages
+  until: sudo__register_packages is succeeded
+  when: sudo__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save sudo local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sudo.fact.j2'
+    dest: '/etc/ansible/facts.d/sudo.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Ensure that '/etc/sudoers' includes '/etc/sudoers.d'
+  ansible.builtin.lineinfile:
+    dest: '/etc/sudoers'
+    regexp: '^(?:@|#)includedir\s+\/etc\/sudoers.d$'
+    line: '{{ ("#"
+               if ansible_local.sudo.version | d("0.0.0") is version("1.9.1", "<")
+               else "@") + "includedir /etc/sudoers.d" }}'
+    insertafter: 'EOF'
+    state: 'present'
+    validate: 'visudo -cf "%s"'
+    mode: '0440'
+  when: sudo__enabled | bool and not ansible_check_mode | bool
+
+- name: Remove sudoers configuration if requested
+  ansible.builtin.file:
+    path: '/etc/sudoers.d/{{ item.filename | d(item.name) }}'
+    state: 'absent'
+  with_items: '{{ sudo__combined_sudoers | flatten | debops.debops.parse_kv_items }}'
+  notify: [ 'Refresh host facts' ]
+  when: sudo__enabled | bool and
+        item.name | d() and item.state | d('present') == 'absent'
+
+- name: Configure sudoers
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/config.j2'
+    dest: '/etc/sudoers.d/{{ item.filename | d(item.name) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+    validate: 'visudo -cf %s'
+  with_items: '{{ sudo__combined_sudoers | flatten | debops.debops.parse_kv_items }}'
+  notify: [ 'Refresh host facts' ]
+  when: sudo__enabled | bool and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore']
+
+- name: Configure workaround for logind sessions via sudo
+  ansible.builtin.template:
+    src: 'etc/profile.d/sudo_logind_session.sh.j2'
+    dest: '/etc/profile.d/sudo_logind_session.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: sudo__enabled | bool and sudo__logind_session | bool
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/sudo/templates/etc/ansible/facts.d/sudo.fact.j2 b/ansible_collections/debops/debops/roles/sudo/templates/etc/ansible/facts.d/sudo.fact.j2
new file mode 100644
index 00000000..9a401208
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/templates/etc/ansible/facts.d/sudo.fact.j2
@@ -0,0 +1,55 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import os
+import subprocess
+import locale
+
+
+try:
+    from subprocess import DEVNULL
+except ImportError:
+    DEVNULL = open(os.devnull, 'wb')
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+# Ensure that external application output is consistent
+locale.setlocale(locale.LC_MESSAGES, 'C')
+
+output = {'configured': True,
+          'installed': cmd_exists('sudo')}
+
+if output['installed']:
+    try:
+        version_stdout = subprocess.check_output(
+                ["dpkg-query", "-W", "-f=${Version}",
+                 "sudo-ldap"]).decode('utf-8').split('-')[0]
+        if version_stdout:
+            output['version'] = version_stdout.split('p')[0]
+            output['package'] = 'sudo-ldap'
+        else:
+            version_stdout = subprocess.check_output(
+                    ["dpkg-query", "-W", "-f=${Version}",
+                     "sudo"]).decode('utf-8').split('-')[0]
+            if version_stdout:
+                output['version'] = version_stdout.split('p')[0]
+                output['package'] = 'sudo'
+
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sudo/templates/etc/profile.d/sudo_logind_session.sh.j2 b/ansible_collections/debops/debops/roles/sudo/templates/etc/profile.d/sudo_logind_session.sh.j2
new file mode 100644
index 00000000..b2507a8c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/templates/etc/profile.d/sudo_logind_session.sh.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Workaround for missing XDG_RUNTIME_DIR environment variable in interactive
+# login sessions. This assumes that an existing user session is present, for
+# example when a given UNIX account is configured to "linger" in logind.
+#
+# This workaround allows control over another user's 'systemd' instance, when
+# accessed via 'sudo' login session, for example:
+#
+#     sudo -u <user> -l
+#
+# The 'pam_systemd.so' PAM module will not help in this case because an
+# existing login session is present and the module refuses to create a new one.
+# More details: https://bugs.debian.org/825949, https://github.com/systemd/systemd/issues/7451
+
+if [ "`id -u`" -ne 0 ] && [ -n "${SUDO_USER}" ] && [ -z "${XDG_RUNTIME_DIR}" ] ; then
+    XDG_RUNTIME_DIR="/run/user/${UID}"
+    export XDG_RUNTIME_DIR
+fi
diff --git a/ansible_collections/debops/debops/roles/sudo/templates/etc/sudo-ldap.conf.j2 b/ansible_collections/debops/debops/roles/sudo/templates/etc/sudo-ldap.conf.j2
new file mode 100644
index 00000000..dcf5e492
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/templates/etc/sudo-ldap.conf.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See sudoers.ldap(5) for details.
+# This file shouldn't be world readable.
+
+{% for option in sudo__ldap_combined_configuration | debops.debops.parse_kv_config %}
+{%   if option.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     if ((option.separator | d()) | bool or option.comment | d()) and not loop.first %}
+
+{%     endif %}
+{%     if option.comment | d() %}
+{{ option.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     endif %}
+{{ '{}{}\t{}{}'.format(('#' if (option.state | d('present') == 'comment') else ''), option.name | upper, ('\t' if (option.name | count < 8) else ''), (option.value if option.value is string else (option.value | selectattr("name", "defined") | map(attribute="name") | list | join(' ')))) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sudo/templates/etc/sudoers.d/config.j2 b/ansible_collections/debops/debops/roles/sudo/templates/etc/sudoers.d/config.j2
new file mode 100644
index 00000000..8a28d592
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sudo/templates/etc/sudoers.d/config.j2
@@ -0,0 +1,30 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='\n') -}}
+{% endif %}
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element is mapping %}
+{%       if element.name | d() and element.value | d() and element.state | d('present') != 'absent' %}
+{%         if not loop.first %}
+
+{%         endif %}
+{%         if element.comment | d() %}
+{%           if not loop.first %}
+
+{%           endif %}
+{{           element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%         endif %}
+{{         element.value -}}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/swapfile/COPYRIGHT b/ansible_collections/debops/debops/roles/swapfile/COPYRIGHT
new file mode 100644
index 00000000..bf7d7f74
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/swapfile/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.swapfile - Configure one or multiple swap files on a Linux system
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/swapfile/defaults/main.yml b/ansible_collections/debops/debops/roles/swapfile/defaults/main.yml
new file mode 100644
index 00000000..2738806d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/swapfile/defaults/main.yml
@@ -0,0 +1,54 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _swapfile__ref_defaults:
+
+# debops.swapfile default variables [[[
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Swap file configuration [[[
+# ---------------------------
+
+# .. envvar:: swapfile__size [[[
+#
+# Default size of swap files, in MB.
+swapfile__size: '{{ ((ansible_memtotal_mb | int * 2)
+                     if (ansible_memtotal_mb | int <= 2048)
+                     else "512") }}'
+
+                                                                   # ]]]
+# .. envvar:: swapfile__priority [[[
+#
+# Default swap file priority, from ``-1`` to ``32767``.
+# Higher numbers indicate higher  priority.
+# Refer to :manpage:`swapon(8)` for details.
+swapfile__priority: '-1'
+
+                                                                   # ]]]
+# .. envvar:: swapfile__use_dd [[[
+#
+# By default ``debops.swapfile`` uses the ``fallocate`` command to create the swap
+# files. If you use unsupported filesystems (``ext4`` is supported) you can
+# enable this variable to use ``dd`` command to create the files.
+swapfile__use_dd: False
+
+                                                                   # ]]]
+# .. envvar:: swapfile__files [[[
+#
+# List of swap files. Specify either a path to a file on a filesystem, or
+# a YAML dict. See :ref:`swapfile__files` for more details.
+swapfile__files: [ '/swapfile' ]
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/swapfile/meta/main.yml b/ansible_collections/debops/debops/roles/swapfile/meta/main.yml
new file mode 100644
index 00000000..39f1d304
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/swapfile/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  company: 'DebOps'
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Configure one or multiple swap files on a Linux system'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
diff --git a/ansible_collections/debops/debops/roles/swapfile/tasks/main.yml b/ansible_collections/debops/debops/roles/swapfile/tasks/main.yml
new file mode 100644
index 00000000..d641fd3b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/swapfile/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Disable swap files when requested
+  ansible.builtin.shell: test -f {{ item.path | d(item) }} && swapoff {{ item.path | d(item) }} || true
+  changed_when: False
+  with_items: '{{ swapfile__files }}'
+  when: (item.state | d("present") == 'absent' and
+         ((ansible_system_capabilities_enforced | d()) | bool and
+          "cap_sys_admin" in ansible_system_capabilities) or
+         not (ansible_system_capabilities_enforced | d(True)) | bool)
+
+- name: Create swap files
+  ansible.builtin.command: |
+    {% if swapfile__use_dd | bool %}
+    dd if=/dev/zero of={{ item.path | d(item) }} bs=1M count={{ item.size | d(swapfile__size) }}
+    {% else %}
+    fallocate -l {{ ((item.size | d(swapfile__size)) | int * 1024 * 1024) }} {{ item.path | d(item) }}
+    {% endif %}
+  args:
+    creates: '{{ item.path | d(item) }}'
+  register: swapfile__register_allocation
+  with_items: '{{ swapfile__files }}'
+  when: (item.state | d("present") != 'absent')
+
+- name: Enforce permissions
+  ansible.builtin.file:
+    path: '{{ item.path | d(item) }}'
+    state: 'file'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  with_items: '{{ swapfile__files }}'
+  when: (item.state | d("present") != 'absent' and not ansible_check_mode)
+
+- name: Initialize swap files
+  ansible.builtin.command: 'mkswap {{ item.item.path | d(item.item) }}'  # noqa no-handler
+  register: swapfile__register_init
+  changed_when: swapfile__register_init.changed | bool
+  with_items: '{{ swapfile__register_allocation.results | d([]) }}'
+  when: (item is changed and item.state | d("present") != 'absent')
+
+- name: Enable swap files
+  ansible.builtin.command: 'swapon -p {{ item.item.priority | d(swapfile__priority) }} {{ item.item.path | d(item.item) }}'  # noqa no-handler
+  with_items: '{{ swapfile__register_allocation.results | d([]) }}'
+  register: swapfile__register_swapon
+  changed_when: swapfile__register_swapon.changed | bool
+  when: (
+        (item is changed and item.state | d("present") != 'absent') and
+        ((
+            (ansible_system_capabilities_enforced | d()) | bool and
+            "cap_sys_admin" in ansible_system_capabilities
+        ) or not (ansible_system_capabilities_enforced | d(True)) | bool )
+        )
+
+- name: Disable swap files
+  ansible.builtin.shell: 'test -f {{ item.path | d(item) }} && swapoff -v {{ item.path | d(item) }} || true'  # noqa no-handler
+  with_items: '{{ swapfile__files }}'
+  register: swapfile__register_swapoff
+  changed_when: swapfile__register_swapoff.stdout == ('swapoff ' + item.path | d(item))
+  when: (
+        (item.state | d("present") == 'absent') and
+        ((
+            (ansible_system_capabilities_enforced | d()) | bool and
+            "cap_sys_admin" in ansible_system_capabilities
+        ) or not (ansible_system_capabilities_enforced | d(True)) | bool )
+        )
+
+- name: Manage swap files in /etc/fstab
+  ansible.posix.mount:
+    src: '{{ item.path | d(item) }}'
+    name:   'none'
+    fstype: 'swap'
+    opts:   'sw,nofail,pri={{ item.priority | d(swapfile__priority) }}'
+    dump:   '0'
+    passno: '0'
+    state:  '{{ item.state | d("present") }}'
+  with_items: '{{ swapfile__files }}'
+
+- name: Remove swap files
+  ansible.builtin.file:
+    path: '{{ item.path | d(item) }}'
+    state: 'absent'
+  with_items: '{{ swapfile__files }}'
+  when: (item.state | d("present") == 'absent')
+
+- name: Remove legacy kernel parameters file
+  ansible.builtin.file:
+    path: '{{ swapfile__sysctl_file | d("/etc/sysctl.d/30-debops.swapfile.conf") }}'
+    state: 'absent'
diff --git a/ansible_collections/debops/debops/roles/sysctl/COPYRIGHT b/ansible_collections/debops/debops/roles/sysctl/COPYRIGHT
new file mode 100644
index 00000000..eed935c1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.sysctl - Manage kernel parameters using sysctl
+
+Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sysctl/defaults/main.yml b/ansible_collections/debops/debops/roles/sysctl/defaults/main.yml
new file mode 100644
index 00000000..278cba49
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/defaults/main.yml
@@ -0,0 +1,365 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sysctl__ref_defaults:
+
+# debops.sysctl default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: sysctl__enabled [[[
+#
+# Enable or disable management of the kernel configuration in the
+# :file:`/proc/sys/` directory using Ansible.
+sysctl__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: sysctl__writable [[[
+#
+# List of paths in :file:`/proc/sys/` directory that are considered writable in
+# the current namespace (host, VM, container). The path elements need to be
+# separated by a dot (``.``) instead of a slash (``/``).
+# See :ref:`sysctl__ref_writable` for more details.
+sysctl__writable: '{{ ansible_local.sysctl.writable | d([]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Shared memory configuration [[[
+# -------------------------------
+
+# .. envvar:: sysctl__shared_memory_base [[[
+#
+# Base amount of memory used for shared memory calculations.
+sysctl__shared_memory_base: '{{ ((ansible_memtotal_mb | int * 1024 * 1024) - 8192) }}'
+
+                                                                   # ]]]
+# .. envvar:: sysctl__shared_memory_shmall_limiter [[[
+#
+# How much of the total memory is reserved for shared memory.
+sysctl__shared_memory_shmall_limiter: '{{ 0.8
+                                          if (ansible_memtotal_mb | int >= 4096)
+                                          else 0.5 }}'
+
+                                                                   # ]]]
+# .. envvar:: sysctl__shared_memory_shmall [[[
+#
+# Number of memory pages that can be used for shared memory.
+sysctl__shared_memory_shmall: '{{ ((sysctl__shared_memory_base | int *
+                                    sysctl__shared_memory_shmall_limiter | float) / 4096)
+                                  | round | int }}'
+
+                                                                   # ]]]
+# .. envvar:: sysctl__shared_memory_max_limiter [[[
+#
+# Maximum size of shared memory segment as % of available memory
+sysctl__shared_memory_max_limiter: '{{ 0.5
+                                       if (ansible_memtotal_mb | int >= 4096)
+                                       else 0.2 }}'
+
+                                                                   # ]]]
+# .. envvar:: sysctl__shared_memory_shmmax [[[
+#
+# Maximum amount of shared memory a process can reserve for itself
+sysctl__shared_memory_shmmax: '{{ (sysctl__shared_memory_base | int *
+                                   sysctl__shared_memory_max_limiter | float)
+                                   | round | int }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Hardening [[[
+# -------------
+
+# .. envvar:: sysctl__hardening_enabled [[[
+#
+# Should the hardening options be applied?
+sysctl__hardening_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: sysctl__system_ip_forwarding_enabled [[[
+#
+# Should the system forward IP traffic for all interfaces?
+# Refer to ``debops.ifupdown`` which can selectively enable traffic forwarding.
+sysctl__system_ip_forwarding_enabled: '{{ True
+                                          if ansible_local.docker_server.installed | d(False)
+                                          else False }}'
+
+                                                                   # ]]]
+# .. envvar:: sysctl__hardening_ipv6_disabled [[[
+#
+# Whether IPv6 should be disabled.
+sysctl__hardening_ipv6_disabled: False
+
+                                                                   # ]]]
+# .. envvar:: sysctl__hardening_experimental_enabled [[[
+#
+# Should experimental settings in the hardening options be applied?
+sysctl__hardening_experimental_enabled: False
+                                                                   # ]]]
+                                                                   # ]]]
+# Performance parameters [[[
+# --------------------------
+
+# .. envvar:: sysctl__tcp_performance_enabled [[[
+#
+# Should the TCP performance options be applied? The current options are:
+#
+# - ``net.ipv4.tcp_slow_start_after_idle`` (enabled by default, enabling
+#   performance mode will disable this kernel parameter)
+#
+sysctl__tcp_performance_enabled: False
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Kernel parameters [[[
+# ---------------------
+
+# These variables define the kernel parameters managed by the role.
+# See :ref:`sysctl__ref_parameters` for more details.
+
+# .. envvar:: sysctl__default_parameters [[[
+#
+# The default kernel parameters defined by the role.
+sysctl__default_parameters:
+
+  - name: 'memory'
+    weight: 10
+    options:
+
+      - name: 'kernel.shmmax'
+        value: '{{ sysctl__shared_memory_shmmax }}'
+
+      - name: 'kernel.shmall'
+        value: '{{ sysctl__shared_memory_shmall }}'
+
+      - name: 'vm.swappiness'
+        comment: |
+          How aggressively the kernel swaps out anonymous memory relative to
+          pagecache and other caches. Increasing the value increases the amount
+          of swapping. Can be set to values between 0 and 100 inclusive.
+        value: 60
+
+      - name: 'vm.vfs_cache_pressure'
+        comment: |
+          Tendency of the kernel to reclaim the memory which is used for caching of VFS
+          caches, versus pagecache and swap. Increasing this value increases the rate
+          at which VFS caches are reclaimed.
+        value: 100
+
+  - name: 'network'
+    weight: 20
+    options:
+
+      - name: 'net.ipv4.ip_forward'
+        value: '{{ sysctl__system_ip_forwarding_enabled | bool | ternary(1, 0) }}'
+        comment: 'Enable or disable IPv4 traffic forwarding'
+        state: 'present'
+
+      - name: 'net.ipv6.conf.all.forwarding'
+        value: '{{ sysctl__system_ip_forwarding_enabled | bool | ternary(1, 0) }}'
+        comment: 'Enable or disable IPv6 traffic forwarding'
+        state: 'present'
+
+      - name: 'net.ipv6.conf.all.accept_ra'
+        value: 0
+        comment: 'Ignore IPv6 RAs.'
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv6.conf.default.accept_ra'
+        value: 0
+        comment: 'Ignore IPv6 RAs.'
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.conf.all.rp_filter'
+        value: 1
+        comment: 'Enable RFC-recommended source validation feature.'
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.conf.default.rp_filter'
+        value: 1
+        comment: 'Enable RFC-recommended source validation feature.'
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.icmp_echo_ignore_broadcasts'
+        value: 1
+        comment: |
+          Reduce the surface on SMURF attacks.
+          Make sure to ignore ECHO broadcasts, which are only required in broad
+          network analysis.
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.icmp_ignore_bogus_error_responses'
+        value: 1
+        comment: |
+          Do not log bogus ICMP error responses.
+          Nobody would want to accept bogus error responses, so we can safely
+          ignore them.
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.icmp_ratelimit'
+        value: 100
+        comment: 'Limit the amount of traffic the system uses for ICMP.'
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.icmp_ratemask'
+        value: 88089
+        comment: |
+          Adjust the ICMP ratelimit to include ping, dst unreachable,
+          source quench, ime exceed, param problem, timestamp reply,
+          information reply
+        state: '{{ sysctl__hardening_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv6.conf.all.disable_ipv6'
+        value: 1
+        comment: 'Disable IPv6.'
+        state: '{{ sysctl__hardening_ipv6_disabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.tcp_timestamps'
+        value: 0
+        comment: 'Protect against wrapping sequence numbers at gigabit speeds.'
+        state: '{{ (sysctl__hardening_enabled | bool and
+                    not (ansible_virtualization_role == "guest" and ansible_virtualization_type == "openvz"))
+                  | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.conf.all.arp_ignore'
+        value: 1
+        comment: 'Define restriction level for announcing the local source IP.'
+        state: '{{ sysctl__hardening_experimental_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.conf.all.arp_announce'
+        value: 2
+        comment: |
+          Define mode for sending replies in response to received ARP requests
+          that resolve local target IP addresses
+        state: '{{ sysctl__hardening_experimental_enabled | bool | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.tcp_rfc1337'
+        value: 1
+        comment: 'RFC 1337 fix F1.'
+        state: '{{ (sysctl__hardening_enabled | bool and
+                    not (ansible_virtualization_role == "guest" and
+                         ansible_virtualization_type == "openvz"))
+                  | ternary("present", "absent") }}'
+
+      - name: 'net.ipv4.tcp_slow_start_after_idle'
+        value: '{{ sysctl__tcp_performance_enabled | bool | ternary(0, 1) }}'
+        comment: |
+          If set, provide RFC2861 behavior and time out the congestion window
+          after an idle period. An idle period is defined at the current RTO.
+          If unset, the congestion window will not be timed out after an idle
+          period.
+        state: 'present'
+
+  # The '/proc/sys/fs/' namespace is usually read-only in unprivileged LXC
+  # containers. The default 'protect-links.conf' file that comes with the
+  # 'procps' APT package has the 'fs.*' parameters uncommented, which breaks
+  # the 'sysctl' configuration via the role. Therefore, let's divert the
+  # original file and regenerate it; the read-only parameters will be
+  # automatically commented out in unprivileged LXC containers.
+  - name: 'protect-links'
+    filename: '{{ "protect-links.conf"
+                  if (ansible_distribution_release in ["stretch", "buster", "bullseye"])
+                  else "99-protect-links.conf" }}'
+    divert: True
+    comment: |
+      Protected links
+
+      Protects against creating or following links under certain conditions
+      Debian kernels have both set to 1 (restricted)
+      See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+    options:
+
+      - name: 'fs.protected_fifos'
+        value: 1
+
+      - name: 'fs.protected_hardlinks'
+        value: 1
+
+      - name: 'fs.protected_regular'
+        value: 2
+
+      - name: 'fs.protected_symlinks'
+        value: 1
+
+  # The '/proc/sys/kernel/' namespace is usually read-only in uprivileged LXC
+  # containers. The '/usr/lib/sysctl.d/50-pid-max.conf' file included in the
+  # 'systemd' Debian package has the 'kernel.*' parameters uncommented and this
+  # can cause issues inside unprivileged LXC containers. The configuration
+  # below creates a "masked" configuration file with kernel parameters
+  # commented out when they cannot be modified.
+  - name: 'pid-max'
+    filename: '50-pid-max.conf'
+    comment: |
+      This file is part of systemd.
+
+      systemd is free software; you can redistribute it and/or modify it
+      under the terms of the GNU Lesser General Public License as published by
+      the Free Software Foundation; either version 2.1 of the License, or
+      (at your option) any later version.
+
+      See sysctl.d(5) and core(5) for documentation.
+
+      To override settings in this file, create a local file in /etc
+      (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
+      there.
+    state: '{{ "present"
+               if ((ansible_local.core.is_64bits | d(True)) | bool)
+               else "absent" }}'
+    options:
+
+      - name: 'kernel.pid_max'
+        comment: |
+          Bump the numeric PID range to its maximum of 2^22 (from the in-kernel default
+          of 2^16), to make PID collisions less likely.
+        value: 4194304
+
+                                                                   # ]]]
+# .. envvar:: sysctl__parameters [[[
+#
+# This variable is intended to be used in Ansible’s global inventory.
+sysctl__parameters: []
+
+                                                                   # ]]]
+# .. envvar:: sysctl__group_parameters [[[
+#
+# This variable is intended to be used in a host inventory group of Ansible
+# (only one host group is supported).
+sysctl__group_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: sysctl__host_parameters [[[
+#
+# This variable is intended to be used in the inventory of hosts.
+sysctl__host_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: sysctl__dependent_parameters [[[
+#
+# Kernel parameters defined by other Ansible roles via role default variables.
+# These parameters are not tracked by the role, it's best to create
+# configuration files with "weight" number > 50 to ensure that the desired
+# parameters are correctly overridden by :program:`sysctl` command.
+sysctl__dependent_parameters: []
+
+                                                                   # ]]]
+# .. envvar:: sysctl__combined_parameters [[[
+#
+# Sysctl configuration file path where all kernel parameters will be configured
+# by ``debops.sysctl``.
+sysctl__combined_parameters: '{{ sysctl__default_parameters
+                                 + lookup("flattened", sysctl__dependent_parameters, wantlist=True)
+                                 + sysctl__parameters
+                                 + sysctl__group_parameters
+                                 + sysctl__host_parameters }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sysctl/meta/main.yml b/ansible_collections/debops/debops/roles/sysctl/meta/main.yml
new file mode 100644
index 00000000..9fb44b2c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Manage kernel parameters using sysctl'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
+    - hardening
+    - linux
diff --git a/ansible_collections/debops/debops/roles/sysctl/tasks/main.yml b/ansible_collections/debops/debops/roles/sysctl/tasks/main.yml
new file mode 100644
index 00000000..c56c9234
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/tasks/main.yml
@@ -0,0 +1,110 @@
+---
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# The 'sysctl' Ansible module was used previously, however using a template and
+# 'sysctl --system' command is faster and doesn't create accidental idempotency
+# loops when kernel parameters are modified in other configuration files.
+#
+# Check the role commit history for details.
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Pre hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "sysctl/pre_main.yml") }}'
+  when: sysctl__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save sysctl local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sysctl.fact.j2'
+    dest: '/etc/ansible/facts.d/sysctl.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Add/remove diversion of custom sysctl configuration files
+  debops.debops.dpkg_divert:
+    path: '/etc/sysctl.d/{{ item.filename | d(item.weight | string + "-" + item.name + ".conf") }}'
+    state: '{{ item.state | d("present") }}'
+    delete: True
+  loop: '{{ sysctl__combined_parameters | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (sysctl__enabled | bool and item.name | d() and
+         item.state | d('present') in ['present', 'absent'] and
+         item.divert | d(False) | bool)
+
+- name: Remove custom sysctl configuration files
+  ansible.builtin.file:
+    path: '/etc/sysctl.d/{{ item.filename | d(item.weight | string + "-" + item.name + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ sysctl__combined_parameters | debops.debops.parse_kv_items }}'
+  register: sysctl__register_config_removed
+  when: sysctl__enabled | bool and item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate custom sysctl configuration files
+  ansible.builtin.template:
+    src: 'etc/sysctl.d/parameters.conf.j2'
+    dest: '/etc/sysctl.d/{{ item.filename | d(item.weight | string + "-" + item.name + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ sysctl__combined_parameters | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ item.name }}'
+  register: sysctl__register_config_created
+  when: sysctl__enabled | bool and item.name | d() and item.options | d() and item.state | d('present') not in ['absent', 'ignore', 'init']
+
+- name: Check sysctl command capabilities
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         sysctl --help | grep -E '^\s+\-\-system\s+' || true
+  args:  # noqa no-handler
+    executable: 'bash'
+  register: sysctl__register_system
+  changed_when: sysctl__register_system.changed | bool
+  when: (sysctl__enabled | bool and
+         (sysctl__register_config_created is changed or
+          sysctl__register_config_removed is changed))
+  check_mode: False
+
+- name: Apply kernel parameters if they were modified
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if (sysctl__register_system.stdout | d()) %}
+    sysctl --system
+    {% else %}
+    sysctl -e -p $(find /etc/sysctl.d -mindepth 1 -maxdepth 1 -name '*.conf' -print0 | sort -z | xargs -r0)
+                 /etc/sysctl.conf
+    {% endif %}
+  args:  # noqa no-handler
+    executable: 'bash'
+  register: sysctl__register_apply
+  changed_when: sysctl__register_apply.changed | bool
+  when: (sysctl__enabled | bool and
+         (sysctl__register_config_created is changed or
+          sysctl__register_config_removed is changed))
+
+- name: Post hooks
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "sysctl/post_main.yml") }}'
+  when: sysctl__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/post_main.yml b/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/post_main.yml
new file mode 100644
index 00000000..45a854b1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/post_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/pre_main.yml b/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/pre_main.yml
new file mode 100644
index 00000000..45a854b1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/tasks/sysctl/pre_main.yml
@@ -0,0 +1,5 @@
+---
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/sysctl/templates/etc/ansible/facts.d/sysctl.fact.j2 b/ansible_collections/debops/debops/roles/sysctl/templates/etc/ansible/facts.d/sysctl.fact.j2
new file mode 100644
index 00000000..9670d87b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/templates/etc/ansible/facts.d/sysctl.fact.j2
@@ -0,0 +1,47 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+output = loads("""{{ {'configured': True,
+                      'enabled': sysctl__enabled | bool,
+                      'writable': []} | to_nice_json }}""")
+
+# Find all paths in '/proc/sys/' that are writable, ie. mounted with
+# read-write permission. If there are no writable paths found, and /proc/sys
+# itself is writable, assume that all paths are writable and add all of them to
+# the list.
+
+proc_sys_rw = True
+
+with open('/proc/mounts', 'r') as mounts:
+    for line in mounts:
+        if line.startswith('proc ') or line.startswith('none '):
+            entry = line.strip().split()
+
+            if entry[1] == '/proc/sys':
+                entry_options = entry[3].split(',')
+                if 'ro' in entry_options:
+                    proc_sys_rw = False
+
+            elif entry[1].startswith('/proc/sys/'):
+                entry_path = entry[1].lstrip('/proc/sys/').replace('/', '.')
+                entry_options = entry[3].split(',')
+                if entry_path:
+                    if 'rw' in entry_options:
+                        output['writable'].append(entry_path)
+
+if not output['writable'] and proc_sys_rw:
+    for element in os.listdir('/proc/sys'):
+        output['writable'].append(element)
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sysctl/templates/etc/sysctl.d/parameters.conf.j2 b/ansible_collections/debops/debops/roles/sysctl/templates/etc/sysctl.d/parameters.conf.j2
new file mode 100644
index 00000000..df732c88
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysctl/templates/etc/sysctl.d/parameters.conf.j2
@@ -0,0 +1,59 @@
+{# Copyright (C) 2015-2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro parse_value(value) %}
+{%   if value | bool and value is not iterable %}
+{{ '1' -}}
+{%   elif not value | bool and value is not iterable %}
+{%     if value is not none %}
+{%       if value | int or value | string == '0' %}
+{{ value | string -}}
+{%       else %}
+{{ '0' -}}
+{%       endif %}
+{%     endif %}
+{%   elif value is string %}
+{{ value -}}
+{%   endif %}
+{% endmacro %}
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% set param_tracker = [] %}
+{% set tracker = {'seen_comment': False} %}
+{% for element in item.options %}
+{%   if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%     if element.comment | d() %}
+{%       if not loop.first and param_tracker and not tracker.seen_comment | bool %}
+
+{%       endif %}
+{%       set _ = tracker.update({'seen_comment': True}) %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%     else %}
+{%       set _ = tracker.update({'seen_comment': False}) %}
+{%     endif %}
+{%     set _ = param_tracker.append(True) %}
+{%     set commented_entry = '' %}
+{%     if ((element.state | d('present') == 'comment') or (item.state | d('present') == 'comment')) %}
+{%       set commented_entry = '#' %}
+{%     endif %}
+{%     set is_writable = [] %}
+{%     for writable_path in sysctl__writable %}
+{%       if element.name.startswith(writable_path) %}
+{%         set _ = is_writable.append(True) %}
+{%       endif %}
+{%     endfor %}
+{%     if not is_writable %}
+{%       set commented_entry = '#' %}
+# Read-only parameter.
+{%     endif %}
+{{ '{}{} = {}'.format(commented_entry, element.name, parse_value(element.value)) }}
+{%     if element.comment | d() and not loop.last %}
+
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sysfs/COPYRIGHT b/ansible_collections/debops/debops/roles/sysfs/COPYRIGHT
new file mode 100644
index 00000000..0aab6e4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.sysfs - Manage kernel /sys filesystem using sysfsutils
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sysfs/defaults/main.yml b/ansible_collections/debops/debops/roles/sysfs/defaults/main.yml
new file mode 100644
index 00000000..eab1601e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/defaults/main.yml
@@ -0,0 +1,151 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sysfs__ref_defaults:
+
+# debops.sysfs default variables [[[
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Main configuration [[[
+# ----------------------
+
+# .. envvar:: sysfs__enabled [[[
+#
+# Enable or disable ``sysfs`` configuration. if the role is disabled, existing
+# ``sysfs`` configuration will not be modified.
+# Container environments usually don't allow modification of the ``/sys``
+# filesystem.
+sysfs__enabled: '{{ False
+                    if (ansible_virtualization_type in ["lxc", "openvz"] and
+                        ansible_virtualization_role == "guest")
+                    else True }}'
+
+                                                                   # ]]]
+# .. envvar:: sysfs__base_packages [[[
+#
+# The list of default APT packages to install for ``sysfs`` support.
+sysfs__base_packages: [ 'sysfsutils' ]
+
+                                                                   # ]]]
+# .. envvar:: sysfs__packages [[[
+#
+# The list of additional APT packages to install with ``sysfsutils``.
+sysfs__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Sysfs configuration [[[
+# -----------------------
+
+# These variables define the options you can set in the ``sysfs`` filesystem.
+# See :ref:`sysfs__ref_attributes` for more details.
+
+# .. envvar:: sysfs__default_attributes [[[
+#
+# The list of default ``sysfs`` attributes defined by the role.
+sysfs__default_attributes:
+
+  - name: 'ksm'
+    comment: |
+      Kernel Same-page Merging (KSM) configuration.
+      These parameters can be useful on hosts that are used as Virtual Machine
+      hypervisors, to allow for lower memory footprint of virtual machines,
+      however this feature has certain security risks.
+      https://www.linux-kvm.org/page/KSM
+      https://en.wikipedia.org/wiki/Kernel_same-page_merging
+    state: 'defined'
+    options:
+
+      - name: 'kernel/mm/ksm/run'
+        comment: 'Enable Kernel Same-page Merging'
+        value: 1
+
+      - name: 'kernel/mm/ksm/sleep_milisecs'
+        comment: 'How long to sleep between scans, in miliseconds'
+        value: 20
+
+      - name: 'kernel/mm/ksm/pages_to_scan'
+        comment: 'How many pages to scan in one run'
+        value: 100
+
+  - name: 'transparent_hugepages'
+    comment: |
+      Configuration of Transparent HugePages support.
+      Disable THP by default to increase performance in certain applications
+      like MongoDB, Redis, MariaDB, PostgreSQL. This is only effective when
+      real HugePages support is configured.
+      https://www.kernel.org/doc/Documentation/vm/transhuge.txt
+      https://stackoverflow.com/a/42592382/6996970
+    state: 'defined'
+    options:
+
+      - name: 'kernel/mm/transparent_hugepage/enabled'
+        value: 'never'
+
+      - name: 'kernel/mm/transparent_hugepage/defrag'
+        value: 'never'
+
+      - name: 'kernel/mm/transparent_hugepage/khugepaged/defrag'
+        value: 0
+
+                                                                   # ]]]
+# .. envvar:: sysfs__attributes [[[
+#
+# The list of ``sysfs`` attributes defined on all hosts in the Ansible
+# inventory.
+sysfs__attributes: []
+
+                                                                   # ]]]
+# .. envvar:: sysfs__group_attributes [[[
+#
+# The list of ``sysfs`` attributes defined on hosts in a specific Ansible
+# inventory group.
+sysfs__group_attributes: []
+
+                                                                   # ]]]
+# .. envvar:: sysfs__host_attributes [[[
+#
+# The list of ``sysfs`` attributes defined on specific hosts in the Ansible
+# inventory.
+sysfs__host_attributes: []
+
+                                                                   # ]]]
+# .. envvar:: sysfs__dependent_attributes [[[
+#
+# The list of ``sysfs`` attributes defined by other Ansible roles through role
+# dependent variables.
+sysfs__dependent_attributes: []
+
+                                                                   # ]]]
+# .. envvar:: sysfs__dependent_attributes_filter [[[
+#
+# The variable which is used to filter the data from dependent variables, join
+# it with the data from other roles and pass it to the combined attributes
+# variable.
+sysfs__dependent_attributes_filter: '{{ lookup("template",
+                                               "lookup/sysfs__dependent_attributes_filter.j2")
+                                               | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: sysfs__combined_attributes [[[
+#
+# The variable which combines all of the attribute configuration and is used in
+# the Ansible tasks. It also defines the other in which different attribute
+# variables are combined.
+sysfs__combined_attributes: '{{ sysfs__default_attributes
+                                + sysfs__dependent_attributes_filter
+                                + sysfs__attributes
+                                + sysfs__group_attributes
+                                + sysfs__host_attributes }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sysfs/meta/main.yml b/ansible_collections/debops/debops/roles/sysfs/meta/main.yml
new file mode 100644
index 00000000..f0b6d0f9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage kernel /sys filesystem using sysfsutils'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.2.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - linux
+    - kernel
+    - hardware
diff --git a/ansible_collections/debops/debops/roles/sysfs/tasks/main.yml b/ansible_collections/debops/debops/roles/sysfs/tasks/main.yml
new file mode 100644
index 00000000..4375e9d5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/tasks/main.yml
@@ -0,0 +1,95 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (sysfs__base_packages
+                              + sysfs__packages)) }}'
+    state: 'present'
+  register: sysfs__register_packages
+  until: sysfs__register_packages is succeeded
+  when: sysfs__enabled | bool
+
+- name: Check if the dependent configuration exists
+  ansible.builtin.stat:
+    path: '{{ secret + "/sysfs/dependent_config/" + inventory_hostname + "/attributes.json" }}'
+  register: sysfs__register_dependent_attributes_file
+  become: False
+  delegate_to: 'localhost'
+  when: (sysfs__enabled | bool and ansible_local | d() and ansible_local.sysfs | d() and
+         (ansible_local.sysfs.configured | d()) | bool)
+
+- name: Load the dependent configuration from Ansible Controller
+  ansible.builtin.slurp:
+    src: '{{ secret + "/sysfs/dependent_config/" + inventory_hostname + "/attributes.json" }}'
+  register: sysfs__register_dependent_attributes
+  become: False
+  delegate_to: 'localhost'
+  when: (sysfs__enabled | bool and ansible_local | d() and ansible_local.sysfs | d() and
+         (ansible_local.sysfs.configured | d()) | bool and
+         sysfs__register_dependent_attributes_file.stat.exists | bool)
+
+- name: Remove sysfs configuration files if requested
+  ansible.builtin.file:
+    path: '/etc/sysfs.d/{{ item.filename | d(item.name | replace("/", "_")) }}.conf'
+    state: 'absent'
+  with_items: '{{ sysfs__combined_attributes | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart sysfsutils' ]
+  when: (sysfs__enabled | bool and item.name | d() and
+         item.state | d('present') == 'absent')
+
+- name: Generate sysfs configuration files
+  ansible.builtin.template:
+    src: 'etc/sysfs.d/attribute.conf.j2'
+    dest: '/etc/sysfs.d/{{ item.filename | d(item.name | replace("/", "_")) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ sysfs__combined_attributes | debops.debops.parse_kv_items }}'
+  notify: [ 'Restart sysfsutils' ]
+  when: (sysfs__enabled | bool and item.name | d() and
+         item.state | d('present') not in ['defined', 'absent'])
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save sysfs local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sysfs.fact.j2'
+    dest: '/etc/ansible/facts.d/sysfs.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Save dependent configuration on Ansible Controller
+  ansible.builtin.template:
+    src: 'secret/sysfs/dependent_config/inventory_hostname/attributes.json.j2'
+    dest: '{{ secret + "/sysfs/dependent_config/" + inventory_hostname + "/attributes.json" }}'
+    mode: '0644'
+  become: False
+  delegate_to: 'localhost'
+  when: sysfs__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/sysfs/tasks/main_env.yml b/ansible_collections/debops/debops/roles/sysfs/tasks/main_env.yml
new file mode 100644
index 00000000..d8ed5812
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/tasks/main_env.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare sysfs environment
+  ansible.builtin.set_fact:
+    sysfs__secret__directories: '{{ lookup("template", "lookup/sysfs__secret__directories.j2") | from_yaml }}'
+  when: sysfs__enabled | bool
diff --git a/ansible_collections/debops/debops/roles/sysfs/templates/etc/ansible/facts.d/sysfs.fact.j2 b/ansible_collections/debops/debops/roles/sysfs/templates/etc/ansible/facts.d/sysfs.fact.j2
new file mode 100644
index 00000000..027db5ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/templates/etc/ansible/facts.d/sysfs.fact.j2
@@ -0,0 +1,19 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads('''{{
+    {"enabled": sysfs__enabled | bool,
+     "configured": True} | to_json
+}}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sysfs/templates/etc/sysfs.d/attribute.conf.j2 b/ansible_collections/debops/debops/roles/sysfs/templates/etc/sysfs.d/attribute.conf.j2
new file mode 100644
index 00000000..6a9edeeb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/templates/etc/sysfs.d/attribute.conf.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% macro print_config(element, global_state='') %}
+{%   set prepend_comment = '' %}
+{%   if global_state == 'comment' or element.state | d('present') == 'comment' %}
+{%     set prepend_comment = '#' %}
+{%   endif %}
+{%   if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') -}}
+{%   endif %}
+{%   if element.owner is defined %}
+{{ "{}owner {} = {}".format(prepend_comment, element.name, element.owner) }}
+{%   endif %}
+{%   if element.mode is defined %}
+{{ "{}mode {} = {}".format(prepend_comment, element.name, element.mode) }}
+{%   endif %}
+{%   if element.value is defined %}
+{{ "{}{} = {}".format(prepend_comment, element.name, element.value) }}
+{%   endif %}
+{% endmacro %}
+{% if item.comment | d() and item.options is defined %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.options | d() %}
+{%   for option in item.options %}
+{%     if option.state | d('present') not in [ 'init', 'absent' ] %}
+{%     if not loop.first | bool and option.comment | d() %}
+
+{%     endif %}
+{{ print_config(option, global_state=item.state) -}}
+{%     endif %}
+{%   endfor %}
+{% else %}
+{{ print_config(item, global_state=item.state) -}}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__dependent_attributes_filter.j2 b/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__dependent_attributes_filter.j2
new file mode 100644
index 00000000..092840aa
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__dependent_attributes_filter.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set sysfs__tpl_dependent_attributes = {} %}
+{% if (sysfs__register_dependent_attributes | d() and sysfs__register_dependent_attributes.content | d()) %}
+{%   set _ = sysfs__tpl_dependent_attributes.update(sysfs__register_dependent_attributes.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if sysfs__dependent_attributes %}
+{%   set sysfs__tpl_flattened_attributes = lookup('flattened', sysfs__dependent_attributes) %}
+{%   for element in ([ sysfs__tpl_flattened_attributes ] if sysfs__tpl_flattened_attributes is mapping else sysfs__tpl_flattened_attributes) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = sysfs__tpl_dependent_attributes.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = sysfs__tpl_dependent_attributes.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = sysfs__tpl_dependent_attributes.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set sysfs__tpl_output_attributes = [] %}
+{% for key, value in sysfs__tpl_dependent_attributes.items() %}
+{%   set _ = sysfs__tpl_output_attributes.extend(value) %}
+{% endfor %}
+{{ sysfs__tpl_output_attributes | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__secret__directories.j2 b/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__secret__directories.j2
new file mode 100644
index 00000000..6658dbdf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/templates/lookup/sysfs__secret__directories.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% for host in play_hosts %}
+  - 'sysfs/dependent_config/{{ host }}'
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/sysfs/templates/secret/sysfs/dependent_config/inventory_hostname/attributes.json.j2 b/ansible_collections/debops/debops/roles/sysfs/templates/secret/sysfs/dependent_config/inventory_hostname/attributes.json.j2
new file mode 100644
index 00000000..18d84c76
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysfs/templates/secret/sysfs/dependent_config/inventory_hostname/attributes.json.j2
@@ -0,0 +1,31 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set sysfs__tpl_dependent_attributes = {} %}
+{% if (sysfs__register_dependent_attributes | d() and sysfs__register_dependent_attributes.content | d()) %}
+{%   set _ = sysfs__tpl_dependent_attributes.update(sysfs__register_dependent_attributes.content | b64decode | trim | from_json) %}
+{% endif %}
+{% if sysfs__dependent_attributes %}
+{%   set sysfs__tpl_flattened_attributes = lookup('flattened', sysfs__dependent_attributes) %}
+{%   for element in ([ sysfs__tpl_flattened_attributes ] if sysfs__tpl_flattened_attributes is mapping else sysfs__tpl_flattened_attributes) %}
+{%     if element.role | d() and element.config | d() %}
+{%       if element.state | d('present') not in [ 'ignore', 'absent' ] %}
+{%         set flattened_config = lookup('flattened', element.config) %}
+{%         set _ = sysfs__tpl_dependent_attributes.update({
+  element.role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       elif element.state | d('present') == 'absent' %}
+{%         set _ = sysfs__tpl_dependent_attributes.pop(element.role, None) %}
+{%       endif %}
+{%     elif element is mapping and 'role' not in element.keys() and 'config' not in element.keys() %}
+{%       for role, config in element.items() %}
+{%         set flattened_config = lookup('flattened', config) %}
+{%         set _ = sysfs__tpl_dependent_attributes.update({
+  role: ([ flattened_config ] if flattened_config is mapping else flattened_config)
+}) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{{ sysfs__tpl_dependent_attributes | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/sysnews/COPYRIGHT b/ansible_collections/debops/debops/roles/sysnews/COPYRIGHT
new file mode 100644
index 00000000..47212fde
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.sysnews - Manage System News using Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/sysnews/defaults/main.yml b/ansible_collections/debops/debops/roles/sysnews/defaults/main.yml
new file mode 100644
index 00000000..42c5e1b5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/defaults/main.yml
@@ -0,0 +1,160 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _sysnews__ref_defaults:
+
+# debops.sysnews default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: sysnews__base_packages [[[
+#
+# List of the default APT packages to install for System News support.
+sysnews__base_packages: [ 'sysnews' ]
+
+                                                                   # ]]]
+# .. envvar:: sysnews__packages [[[
+#
+# List of additional APT packages to install for System News support.
+sysnews__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# News notification [[[
+# ---------------------
+
+# .. envvar:: sysnews__notification [[[
+#
+# Enable or disable notification about unread News items after login.
+sysnews__notification: True
+
+                                                                   # ]]]
+# .. envvar:: sysnews__notification_min_uid [[[
+#
+# Specify the minimum UID number for an UNIX account to see the notification.
+# This is done so that the news notification does not show up after switching
+# to the ``root`` account via :command:`su` or :command:`sudo`.
+sysnews__notification_min_uid: '900'
+
+                                                                   # ]]]
+# .. envvar:: sysnews__notification_max_uid [[[
+#
+# Specify the maximum UID number for an UNIX account to see the notification.
+# This might be useful if you want to limit the System News to only for the
+# system administrators in a multi-person team.
+#
+# The value usually would be ``999`` for non-clustered hosts where normal users
+# start at ``1000``, and ``9999`` for clustered hosts where users in the LDAP
+# database might start at ``10000``. By default, all users will see the
+# notification.
+sysnews__notification_max_uid: ''
+
+                                                                   # ]]]
+# .. envvar:: sysnews__notification_command [[[
+#
+# The shell command executed to display System News notification after login.
+sysnews__notification_command: '/usr/bin/news -l -n'
+                                                                   # ]]]
+                                                                   # ]]]
+# Misc configuration [[[
+# ----------------------
+
+# .. envvar:: sysnews__group [[[
+#
+# Name of the UNIX system group which grants write access to the
+# :file:`/var/lib/sysnews/` directory. This group is defined in the
+# :command:`sysnews` Debian package and preferably shouldn't be changed.
+sysnews__group: 'staff'
+
+                                                                   # ]]]
+# .. envvar:: sysnews__entry_contact [[[
+#
+# The string used as the contact information for the host administrators,
+# inserted in one of the default System News entries if set.
+sysnews__entry_contact: '{{ ansible_local.machine.contact | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System News static entries [[[
+# ------------------------------
+
+# These variables define configuration of the System News entries which will
+# not expire automatically. See :ref:`sysnews__ref_entries` for more details.
+
+# .. envvar:: sysnews__default_entries [[[
+#
+# List of default System News entries defined by the role.
+sysnews__default_entries:
+
+  - name: 'Welcome to System News'
+    content: |
+      This host has support for the "System News" bulletin, which can be read
+      using the 'news' command.
+
+      Members of the '{{ sysnews__group }}' UNIX system group can create news entries in the form
+      of text files located in the '/var/lib/sysnews/' directory. The news items
+      will automatically expire after a month, unless they are specifically
+      marked for no expiration.
+
+      Read the news(1) manpage for more details.
+    state: 'present'
+
+  - name: 'This machine is managed using Ansible'
+    content: |
+      Ansible is a Configuration Management tool used to configure hosts in an
+      automated fashion.
+
+      Any changes in files which are managed using Ansible may be unexpectedly
+      lost if not accounted for by the system administrator. These files can be
+      recognized by a special annotation near the top of the file which informs
+      that this file is managed remotely.
+      {% if sysnews__entry_contact | d() %}
+
+      If you want to perform system modifications on this host, consider
+      contacting the system administrators first. They can be reached using
+      {{ sysnews__entry_contact }}
+      {% endif %}
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: sysnews__entries [[[
+#
+# List of System News entries which should be present on all hosts in the
+# Ansible inventory.
+sysnews__entries: []
+
+                                                                   # ]]]
+# .. envvar:: sysnews__group_entries [[[
+#
+# List of System News entries which should be present on hosts in a specific
+# Ansible inventory group.
+sysnews__group_entries: []
+
+                                                                   # ]]]
+# .. envvar:: sysnews__host_entries [[[
+#
+# List of System News entries which should be present on specific hosts in the
+# Ansible inventory.
+sysnews__host_entries: []
+
+                                                                   # ]]]
+# .. envvar:: sysnews__combined_entries [[[
+#
+# This list combines all of the other System News entry lists and passes them
+# to the role tasks.
+sysnews__combined_entries: '{{ sysnews__default_entries
+                               + sysnews__entries
+                               + sysnews__group_entries
+                               + sysnews__host_entries }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/sysnews/meta/main.yml b/ansible_collections/debops/debops/roles/sysnews/meta/main.yml
new file mode 100644
index 00000000..4c90b142
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage System News for UNIX accounts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - motd
+    - login
+    - news
diff --git a/ansible_collections/debops/debops/roles/sysnews/tasks/main.yml b/ansible_collections/debops/debops/roles/sysnews/tasks/main.yml
new file mode 100644
index 00000000..569d9af0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/tasks/main.yml
@@ -0,0 +1,86 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install packages required for System News
+  ansible.builtin.package:
+    name: '{{ q("flattened", (sysnews__base_packages
+                              + sysnews__packages)) }}'
+    state: 'present'
+  register: sysnews__register_packages
+  until: sysnews__register_packages is succeeded
+
+- name: Disable System News notification after login
+  ansible.builtin.file:
+    path: '/etc/profile.d/sysnews.sh'
+    state: 'absent'
+  when: not sysnews__notification | bool
+
+- name: Configure System News notification after login
+  ansible.builtin.template:
+    src: 'etc/profile.d/sysnews.sh.j2'
+    dest: '/etc/profile.d/sysnews.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: sysnews__notification | bool
+
+- name: Remove persistent news files
+  ansible.builtin.file:
+    path: '/var/lib/sysnews/{{ item.name }}'
+    state: 'absent'
+  with_items: '{{ sysnews__combined_entries | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Generate persistent news files
+  ansible.builtin.copy:
+    src: '{{ item.src | d(omit) }}'
+    content: '{{ item.content | d(omit) }}'
+    dest: '/var/lib/sysnews/{{ item.name }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ sysnews__combined_entries | debops.debops.parse_kv_items }}'
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Update list of persistent news files
+  ansible.builtin.blockinfile:
+    content: |
+      {% for entry in sysnews__combined_entries | debops.debops.parse_kv_items %}
+      {{ entry.name }}
+      {% endfor %}
+    dest: '/var/lib/sysnews/.noexpire'
+    create: True
+    owner: 'root'
+    group: '{{ sysnews__group }}'
+    mode: '0664'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save System News local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/sysnews.fact.j2'
+    dest: '/etc/ansible/facts.d/sysnews.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/sysnews/templates/etc/ansible/facts.d/sysnews.fact.j2 b/ansible_collections/debops/debops/roles/sysnews/templates/etc/ansible/facts.d/sysnews.fact.j2
new file mode 100644
index 00000000..060f8d8b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/templates/etc/ansible/facts.d/sysnews.fact.j2
@@ -0,0 +1,16 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+from sys import exit
+
+output = {'installed': True}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/sysnews/templates/etc/profile.d/sysnews.sh.j2 b/ansible_collections/debops/debops/roles/sysnews/templates/etc/profile.d/sysnews.sh.j2
new file mode 100644
index 00000000..684ab703
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/sysnews/templates/etc/profile.d/sysnews.sh.j2
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Print System News notification after login
+
+SYSNEWS_MIN_UID="{{ sysnews__notification_min_uid }}"
+SYSNEWS_MAX_UID="{{ sysnews__notification_max_uid }}"
+SYSNEWS_COMMAND="{{ sysnews__notification_command }}"
+
+# Check if sysnews is installed
+type /usr/bin/news > /dev/null 2>&1 || return 0
+
+# Make sure that shell is bash or zsh
+[ -n "$BASH_VERSION" -o -n "$ZSH_VERSION" ] || return 0
+
+# Make sure that it's interactive session
+[[ $- == *i* ]] || return 0
+
+# Show news only to selected users
+if [ "${EUID}" -ge "${SYSNEWS_MIN_UID}" ] ; then
+    if [ -n "${SYSNEWS_MAX_UID}" ] ; then
+        if [ "${EUID}" -le "${SYSNEWS_MAX_UID}" ] ; then
+            tty -s && eval "${SYSNEWS_COMMAND}"
+        fi
+    else
+        tty -s && eval "${SYSNEWS_COMMAND}"
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/system_groups/COPYRIGHT b/ansible_collections/debops/debops/roles/system_groups/COPYRIGHT
new file mode 100644
index 00000000..b488b7b7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.system_groups - Manage UNIX system groups with Ansible
+
+Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2018 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/system_groups/defaults/main.yml b/ansible_collections/debops/debops/roles/system_groups/defaults/main.yml
new file mode 100644
index 00000000..aca334f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/defaults/main.yml
@@ -0,0 +1,234 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2018 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _system_groups__ref_defaults:
+
+# debops.system_groups default variables
+# ======================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: system_groups__enabled [[[
+#
+# Enable or disable support for managing UNIX system groups.
+system_groups__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: system_groups__sudo_enabled [[[
+#
+# Enable or disable support for :file:`/etc/sudoers.d/` configuration.
+system_groups__sudo_enabled: '{{ True
+                                 if (ansible_local.sudo.installed | d() | bool)
+                                 else False }}'
+
+                                                                   # ]]]
+# .. envvar:: system_groups__admins_sudo_nopasswd [[[
+#
+# If enabled, the role will add the ``NOPASSWD:`` tag in the ``sudoers``
+# configuration of the ``admins`` and ``wheel`` UNIX groups. This allows
+# execution of :command:`sudo` commands without password authentication.
+# See :man:`sudoers(5)` for more details.
+#
+# You can disable this and configure the ``ansible_become_pass`` variable in
+# the Ansible inventory for each affected host to provide password
+# authentication. You can use the Ansible Vault functionality to encrypt the
+# password in inventory variables, or store the password in the :file:`secret/`
+# directory and use the ``lookup('file')`` module to retrieve it.
+# See :ref:`debops.secret` documentation for details.
+#
+# The ``NOPASSWD:`` tag is disabled by default if Ansible manages the local
+# host so that local users can still control access to ``root`` account using
+# a password.
+system_groups__admins_sudo_nopasswd: '{{ False
+                                         if (system_groups__fact_ansible_connection == "local")
+                                         else True }}'
+
+                                                                   # ]]]
+# .. envvar:: system_groups__prefix [[[
+#
+# Add a prefix to the custom UNIX system group names created by DebOps.
+# By default, no prefix is added.
+#
+# If the role detects that the LDAP support has been, or will be, enabled on a
+# host by the :ref:`debops.ldap` Ansible role, custom UNIX group names created
+# locally on the host will have the ``_`` prefix to indicate that they are
+# local to a given host and not create conflicts with any UNIX groups defined
+# in LDAP.
+#
+# If the LDAP support was enabled after the system groups have been created,
+# the role will keep the current prefix value to not duplicate the UNIX groups.
+system_groups__prefix: '{{ ansible_local.system_groups.local_prefix
+                           if (ansible_local | d() and ansible_local.system_groups | d() and
+                               ansible_local.system_groups.local_prefix is defined)
+                           else ("_"
+                                 if ("debops_service_ldap" in group_names or
+                                     (ansible_local.ldap.posix_enabled | d() | bool))
+                                 else "") }}'
+
+                                                                   # ]]]
+# .. envvar:: system_groups__throttle [[[
+#
+# Number of the CPU cores available on the ansible controller. This variable is
+# used to throttle the number of parallel tasks on one specific CPU intensive
+# task and helps to reduces memory consumption on big environments (> 100).
+system_groups__throttle: '8'
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX system groups [[[
+# ----------------------
+
+# These lists define what UNIX system groups should be present on
+# DebOps-managed hosts and configure additional facilities like :command:`sudo`
+# access. See :ref:`system_groups__ref_list` for more details.
+
+# .. envvar:: system_groups__default_list [[[
+#
+# List of UNIX system groups defined by default by the role.
+system_groups__default_list:
+
+  # This is the current default UNIX group which grants unrestricted 'root'
+  # shell access via the `sudo` command.
+  #
+  # Users in the 'admins' UNIX group are allowed to connect to the host via SSH
+  # service and gain shell access on the host. They can also use the `sudo`
+  # command to execute commands as any UNIX account or gain superuser ('root')
+  # access.
+  - name: '{{ system_groups__prefix }}admins'
+    sudoers_filename: 'system_groups-admins'
+    sudoers: |
+      # This might be required to allow Ansible pipelining connections
+      Defaults: %{{ system_groups__prefix }}admins !requiretty
+
+      # This variable is used to configure access by Ansible Controller hosts
+      Defaults: %{{ system_groups__prefix }}admins env_check += "SSH_CLIENT"
+
+      # Allow execution of any command as any user on the system.
+      # This is required for Ansible operation.
+      {{ ('%' + system_groups__prefix + 'admins ALL = (ALL:ALL) '
+          + ('NOPASSWD: ' if system_groups__admins_sudo_nopasswd | bool else '')
+          + 'ALL') }}
+    members: '{{ ansible_local.core.admin_users | d([]) }}'
+    access: [ 'root', 'sshd' ]
+
+
+  # This might be a new future UNIX system group that grants admin access, it
+  # is not currently created on the hosts.
+  # See https://en.wikipedia.org/wiki/Wheel_(Unix_term) for rationale.
+  #
+  # Users in the 'wheel' UNIX group are allowed to connect to the host via SSH
+  # service and gain shell access on the host. They can also use the `sudo`
+  # command to execute commands as any UNIX account or gain superuser ('root')
+  # access.
+  - name: '{{ system_groups__prefix }}wheel'
+    sudoers_filename: 'system_groups-wheel'
+    sudoers: |
+      # This might be required to allow Ansible pipelining connections
+      Defaults: %{{ system_groups__prefix }}wheel !requiretty
+
+      # This variable is used to configure access by Ansible Controller hosts
+      Defaults: %{{ system_groups__prefix }}wheel env_check += "SSH_CLIENT"
+
+      # Allow execution of any command as any user on the system.
+      # This is required for Ansible operation.
+      {{ ('%' + system_groups__prefix + 'wheel ALL = (ALL:ALL) '
+          + ('NOPASSWD: ' if system_groups__admins_sudo_nopasswd | bool else '')
+          + 'ALL') }}
+    members: '{{ ansible_local.core.admin_users | d([]) }}'
+    access: [ 'root', 'sshd' ]
+    state: 'init'
+
+
+  # This group is present on Debian installations by default.
+  #
+  # Users in the 'adm' UNIX group have read-only access to various log files in
+  # the '/var/log/' directory as well as firewall configuration in the
+  # '/etc/ferm/' directory.
+  - name: 'adm'
+    members: '{{ ansible_local.core.admin_users | d([]) }}'
+
+
+  # This group is present on Debian installations by default.
+  #
+  # Users in the 'staff' UNIX group have write access to the '/usr/local/' and
+  # '/var/local/' directories and can manage content inside of them.
+  - name: 'staff'
+    members: '{{ ansible_local.core.admin_users | d([]) }}'
+
+
+  # Users in the 'sshusers' UNIX group are allowed to connect to the host via
+  # SSH service and gain shell access on the host.  See the 'debops.sshd' role
+  # for more details.
+  - name: '{{ system_groups__prefix }}sshusers'
+    access: [ 'sshd' ]
+
+
+  # Users in the 'sftponly' UNIX group have access to chrooted SFTP service,
+  # without full shell access. They cannot use SSH public keys in the
+  # '~/.ssh/authorized_keys' file, only keys in the
+  # '/etc/ssh/authorized_keys.d/<user>' file are allowed.
+  # See the 'debops.sshd' and 'debops.authorized_keys' roles for more details.
+  - name: '{{ system_groups__prefix }}sftponly'
+    access: [ 'sshd' ]
+
+
+  # This is a UNIX group used in multiple DebOps roles. Its configuration will
+  # be conditional in the future so that it's not created on DebOps hosts that
+  # don't provide webserver services.
+  #
+  # Users in the 'webadmins' UNIX group can reload webserver services using
+  # specific `sudo` commands. See the 'debops.nginx' or 'debops.php' roles for
+  # more details.
+  - name: '{{ system_groups__prefix }}webadmins'
+    access: [ 'webserver' ]
+
+                                                                   # ]]]
+# .. envvar:: system_groups__list [[[
+#
+# List of UNIX system groups that should be present on all hosts in the Ansible
+# inventory.
+system_groups__list: []
+
+                                                                   # ]]]
+# .. envvar:: system_groups__group_list [[[
+#
+# List of UNIX system groups that should be present on hosts in a specific
+# Ansible inventory group.
+system_groups__group_list: []
+
+                                                                   # ]]]
+# .. envvar:: system_groups__host_list [[[
+#
+# List of UNIX system groups that should be present on specific hosts in the
+# Ansible inventory.
+system_groups__host_list: []
+
+                                                                   # ]]]
+# .. envvar:: system_groups__dependent_list [[[
+#
+# List of UNIX system groups that are defined by other Ansible roles via role
+# dependent variables.
+system_groups__dependent_list: []
+
+                                                                   # ]]]
+# .. envvar:: system_groups__combined_list [[[
+#
+# List which combines all of the other UNIX group lists and is used in the role
+# tasks.
+system_groups__combined_list: '{{ system_groups__default_list
+                                  + system_groups__dependent_list
+                                  + system_groups__list
+                                  + system_groups__group_list
+                                  + system_groups__host_list }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/system_groups/meta/main.yml b/ansible_collections/debops/debops/roles/system_groups/meta/main.yml
new file mode 100644
index 00000000..e950d860
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage UNIX system groups'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - access
+    - authz
+    - acl
+    - sudo
+    - ssh
diff --git a/ansible_collections/debops/debops/roles/system_groups/tasks/main.yml b/ansible_collections/debops/debops/roles/system_groups/tasks/main.yml
new file mode 100644
index 00000000..248907c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/tasks/main.yml
@@ -0,0 +1,107 @@
+---
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create a fact that knows the Ansible connection type
+  ansible.builtin.set_fact:
+    system_groups__fact_ansible_connection: '{{ ansible_connection }}'
+  tags: [ 'meta::facts' ]
+
+- name: Ensure that requested UNIX system groups exist
+  ansible.builtin.group:
+    name: '{{ item.name }}'
+    gid: '{{ item.gid | d(omit) }}'
+    state: 'present'
+    system: '{{ item.system | d(True) }}'
+  with_items: '{{ system_groups__combined_list | debops.debops.parse_kv_items }}'
+  when: system_groups__enabled | bool and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore']
+
+- name: Get list of existing UNIX accounts
+  ansible.builtin.getent:
+    database: 'passwd'
+  when: system_groups__enabled | bool
+
+- name: Add specified UNIX accounts to system groups if present
+  ansible.builtin.user:
+    name: '{{ item.name }}'
+    append: '{{ item.append }}'
+    groups: '{{ item.groups }}'
+    create_home: False
+  with_items: '{{ lookup("template", "lookup/system_groups_members.j2") | from_yaml }}'
+  when: system_groups__enabled | bool
+  throttle: '{{ system_groups__throttle }}'
+
+- name: Remove sudo configuration if not specified
+  ansible.builtin.file:
+    path: '/etc/sudoers.d/{{ item.sudoers_filename | d("system_groups-" + item.name) }}'
+    state: 'absent'
+  with_items: '{{ system_groups__combined_list | debops.debops.parse_kv_items }}'
+  when: system_groups__enabled | bool and system_groups__sudo_enabled | bool and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore'] and
+        not item.sudoers | d()
+
+- name: Configure sudo for UNIX system groups
+  ansible.builtin.template:
+    src: 'etc/sudoers.d/system_groups.j2'
+    dest: '/etc/sudoers.d/{{ item.sudoers_filename | d("system_groups-" + item.name) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+    validate: '/usr/sbin/visudo -cf %s'
+  with_items: '{{ system_groups__combined_list | debops.debops.parse_kv_items }}'
+  when: system_groups__enabled | bool and system_groups__sudo_enabled | bool and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore'] and
+        item.sudoers | d()
+
+- name: Remove tmpfiles configuration if not specified
+  ansible.builtin.file:
+    path: '/etc/tmpfiles.d/{{ item.tmpfiles_filename | d("system_groups-" + item.name + ".conf") }}'
+    state: 'absent'
+  with_items: '{{ system_groups__combined_list | debops.debops.parse_kv_items }}'
+  when: system_groups__enabled | bool and ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore'] and
+        not item.tmpfiles | d()
+
+- name: Generate tmpfiles configuration for UNIX system groups
+  ansible.builtin.template:
+    src: 'etc/tmpfiles.d/system_groups.conf.j2'
+    dest: '/etc/tmpfiles.d/{{ item.tmpfiles_filename | d("system_groups-" + item.name + ".conf") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items: '{{ system_groups__combined_list | debops.debops.parse_kv_items }}'
+  notify: [ 'Create temporary files' ]
+  when: system_groups__enabled | bool and ansible_service_mgr == 'systemd' and
+        item.name | d() and item.state | d('present') not in ['init', 'absent', 'ignore'] and
+        item.tmpfiles | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save system groups local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/system_groups.fact.j2'
+    dest: '/etc/ansible/facts.d/system_groups.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/system_groups/templates/etc/ansible/facts.d/system_groups.fact.j2 b/ansible_collections/debops/debops/roles/system_groups/templates/etc/ansible/facts.d/system_groups.fact.j2
new file mode 100644
index 00000000..56748b98
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/templates/etc/ansible/facts.d/system_groups.fact.j2
@@ -0,0 +1,65 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2018 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+# A workaround for Jinja templates in Python scripts
+"""
+{% set system_groups__tpl_acl = {} %}
+{% set system_groups__tpl_access = ansible_local.system_groups.access | d({}) %}
+{% for element in (system_groups__combined_list | debops.debops.parse_kv_items) %}
+{%   if (element.name | d() and element.state | d('present') not in
+         [ 'init', 'absent', 'ignore' ]) %}
+{%     if element.access | d() %}
+{%       for token in ([ element.access ]
+                         if element.access is string
+                         else element.access) %}
+{%         set _ = system_groups__tpl_access.update(
+               {token:
+                (((system_groups__tpl_access[token] | d([]))
+                  + [ element.name ]) | unique)}) %}
+{%       endfor %}
+{%     endif %}
+{%     if element.allow | d() %}
+{%       for token in ([ element.allow ]
+                         if element.allow is string
+                         else element.allow) %}
+{%         set _ = system_groups__tpl_access.update(
+               {token:
+                (((system_groups__tpl_access[token] | d([]))
+                  + [ element.name ]) | unique)}) %}
+{%       endfor %}
+{%     endif %}
+{%     if element.deny | d() %}
+{%       for token in ([ element.deny ]
+                         if element.deny is string
+                         else element.deny) %}
+{%         if element.name in (system_groups__tpl_access[token] | d([])) %}
+{%           set _ = system_groups__tpl_access[token].remove(element.name) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% for element, group_list in system_groups__tpl_access.items() %}
+{%   if group_list %}
+{%     set _ = system_groups__tpl_acl.update({element: group_list}) %}
+{%   endif %}
+{% endfor %}
+"""
+
+output = loads("""{{ {'configured': True,
+                      'enabled': system_groups__enabled | bool,
+                      'access': system_groups__tpl_acl,
+                      'local_prefix': system_groups__prefix
+                     } | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/system_groups/templates/etc/sudoers.d/system_groups.j2 b/ansible_collections/debops/debops/roles/system_groups/templates/etc/sudoers.d/system_groups.j2
new file mode 100644
index 00000000..8fda972a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/templates/etc/sudoers.d/system_groups.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration managed by the 'debops.system_groups' Ansible role
+
+{{ item.sudoers }}
diff --git a/ansible_collections/debops/debops/roles/system_groups/templates/etc/tmpfiles.d/system_groups.conf.j2 b/ansible_collections/debops/debops/roles/system_groups/templates/etc/tmpfiles.d/system_groups.conf.j2
new file mode 100644
index 00000000..055379f1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/templates/etc/tmpfiles.d/system_groups.conf.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Configuration managed by the 'debops.system_groups' Ansible role
+
+#Type Path              Mode UID     GID     Age Argument
+{{ item.tmpfiles }}
diff --git a/ansible_collections/debops/debops/roles/system_groups/templates/lookup/system_groups_members.j2 b/ansible_collections/debops/debops/roles/system_groups/templates/lookup/system_groups_members.j2
new file mode 100644
index 00000000..a724490e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_groups/templates/lookup/system_groups_members.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2018 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set system_groups__tpl_items = [] %}
+{% for account in getent_passwd.keys() %}
+{%   set system_groups__tpl_append_groups = [] %}
+{%   for element in (system_groups__combined_list | debops.debops.parse_kv_items) %}
+{%     if element.name | d() and element.state | d('present') not in [ 'init', 'absent', 'ignore' ] %}
+{%       if (element.members | d() and (system_groups__prefix + account) in ([ element.members ] if element.members is string else element.members)) %}
+{%         set _ = system_groups__tpl_append_groups.append(element.name) %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{%   if system_groups__tpl_append_groups %}
+{%     set _ = system_groups__tpl_items.append({
+  "name": (system_groups__prefix + account),
+  "append": True,
+  "groups": (system_groups__tpl_append_groups | join(','))
+}) %}
+{%   endif %}
+{% endfor %}
+{{ system_groups__tpl_items | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/system_users/COPYRIGHT b/ansible_collections/debops/debops/roles/system_users/COPYRIGHT
new file mode 100644
index 00000000..50639768
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.system_users - Manage admin accounts using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/system_users/defaults/main.yml b/ansible_collections/debops/debops/roles/system_users/defaults/main.yml
new file mode 100644
index 00000000..f0609c4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/defaults/main.yml
@@ -0,0 +1,296 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _system_users__ref_defaults:
+
+# debops.system_users default variables
+# =====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global defaults [[[
+# -------------------
+
+# .. envvar:: system_users__enabled [[[
+#
+# Should Ansible manage system user accounts? Set to False to disable.
+system_users__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: system_users__acl_enabled [[[
+#
+# Enable or disable support for filesystem ACL management.
+system_users__acl_enabled: '{{ True if ("acl" in system_users__base_packages) else False }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__default_shell [[[
+#
+# Specify absolute path of the shell which should be configured on all user
+# accounts managed by this role, if not overridden by the user configuration. If
+# not specified, the shell won't be changed, but new accounts will not have
+# a defined shell either.
+system_users__default_shell: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: system_users__shell_package_map [[[
+#
+# YAML dictionary that maps known shells used in the :file:`/etc/passwd`
+# database to the APT packages with these shells. The role will install missing
+# shell packages if any users have them as their login shells.
+system_users__shell_package_map:
+  '/bin/bash':     'bash'
+  '/bin/csh':      'csh'
+  '/usr/bin/fish': 'fish'
+  '/bin/ksh':      'ksh'
+  '/bin/zsh':      'zsh'
+
+                                                                   # ]]]
+# .. envvar:: system_users__base_packages [[[
+#
+# List of base APT packages to install.
+system_users__base_packages: [ 'acl' ]
+
+                                                                   # ]]]
+# .. envvar:: system_users__shell_packages [[[
+#
+# List of login shell APT packages expected on the host.
+system_users__shell_packages: '{{ lookup("template", "lookup/system_users__shell_packages.j2") | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__packages [[[
+#
+# List of custom APT packages to install.
+system_users__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Home directories, LDAP integration [[[
+# --------------------------------------
+
+# .. envvar:: system_users__prefix [[[
+#
+# Add a prefix to the custom UNIX system account names created by DebOps.
+# By default, no prefix is added.
+#
+# If the role detects that the LDAP support has been, or will be, enabled on a
+# host by the :ref:`debops.ldap` Ansible role, custom UNIX account names
+# created locally on the host will have the ``_`` prefix to indicate that they
+# are local to a given host and not create conflicts with any UNIX accounts
+# defined in LDAP.
+#
+# If the LDAP support was enabled after the system accounts have been created,
+# the role will keep the current prefix value to not duplicate the UNIX
+# accounts.
+system_users__prefix: '{{ ansible_local.system_users.prefix | d("_"
+                            if ("debops_service_ldap" in group_names or
+                                (ansible_local.ldap.posix_enabled | d() | bool))
+                            else "") }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__home_root [[[
+#
+# The base path of the home directories for the UNIX accounts managed by
+# DebOps. In the LDAP environment, the :file:`/home` directory might be shared
+# between multiple hosts and mounted from a remote location (for example NFS),
+# therefore :file:`/var/local` is used to avoid issues with the remote
+# filesystem. The ``item.home`` parameter can be used to specify the home
+# directory path and override the autogenerated one.
+system_users__home_root: '{{ "/var/local"
+                             if ("debops_service_ldap" in group_names or
+                                 (ansible_local.ldap.posix_enabled | d() | bool))
+                             else "/home" }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__default_home_mode [[[
+#
+# The default set of permissions for the home directories, specified in octal.
+# It can be overridden on a per-account basis with the ``item.home_mode``
+# parameter.
+system_users__default_home_mode: '0751'
+                                                                   # ]]]
+                                                                   # ]]]
+# Administrator account status [[[
+# --------------------------------
+
+# .. envvar:: system_users__admin_groups [[[
+#
+# List of the UNIX groups to which the defined system administrator users (with
+# the ``admin`` parameter) will be added by default. These groups grant
+# privileged access to the ``root`` UNIX account, system logs and other
+# important services.
+system_users__admin_groups: '{{ ansible_local.system_groups.access.root | d(["admins"]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# User configuration files (dotfiles) [[[
+# ---------------------------------------
+
+# These variables are used to manage the user configuration files (dotfiles).
+
+# .. envvar:: system_users__dotfiles_enabled [[[
+#
+# Enable or disable management of user dotfiles via :command:`yadm` script. See
+# the :ref:`debops.yadm` role for script installation and dotfile mirroring.
+system_users__dotfiles_enabled: '{{ True
+                                    if ansible_local.yadm.dotfiles | d()
+                                    else False }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__dotfiles_repo [[[
+#
+# An URL or an absolute path on the remote host to the :command:`git` dotfiles
+# repository. The repository will be used by default if the dotfiles management
+# is enabled without specifying a custom repository for the user.
+system_users__dotfiles_repo: '{{ ansible_local.yadm.dotfiles | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The "current Ansible user" configuration [[[
+# --------------------------------------------
+
+# .. envvar:: system_users__self [[[
+#
+# Enable or disable management of the UNIX account for the "current Ansible
+# user". Specific parameters like the username, preferred shell, GECOS values
+# will be automatically detected on the Ansible Controller host.
+system_users__self: '{{ False
+                        if (system_users__self_name == "root" or
+                            ansible_connection | d("ssh") == "local")
+                        else True }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__self_name [[[
+#
+# The username of the "current Ansible user", used as a basis to create the
+# private UNIX group, UNIX account, home directory. The account name can
+# contain the "prefix" specified in the :envvar:`system_users__prefix`
+# variable; it will be automatically stripped when necessary.
+#
+# See the :ref:`system_users__ref_control_user` documentation for more details
+# about configuring a shared "control user" account.
+system_users__self_name: '{{ lookup("env", "USER") }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__self_comment [[[
+#
+# The value of the GECOS field of the control user account, used when local
+# UNIX account information is not available.
+system_users__self_comment: 'Ansible Control User'
+
+                                                                   # ]]]
+# .. envvar:: system_users__self_shell [[[
+#
+# The default UNIX shell used by the control user account, used when local UNIX
+# account information is not available.
+system_users__self_shell: '/bin/bash'
+                                                                   # ]]]
+                                                                   # ]]]
+# Lists of managed UNIX system groups and accounts [[[
+# ----------------------------------------------------
+
+# These lists can be used to manage UNIX system groups as well as UNIX system
+# accounts through the Ansible inventory. See :ref:`system_users__ref_accounts`
+# for more details.
+
+# .. envvar:: system_users__groups [[[
+#
+# List of UNIX system groups to manage on all hosts in Ansible inventory.
+system_users__groups: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__group_groups [[[
+#
+# List of UNIX system groups to manage on hosts in specific Ansible inventory
+# group.
+system_users__group_groups: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__host_groups [[[
+#
+# List of UNIX system groups to manage on specific hosts in Ansible inventory.
+system_users__host_groups: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__dependent_groups [[[
+#
+# List of UNIX system groups to manage on the current playbook host. This variable is
+# meant to be used from a role dependency in :file:`role/meta/main.yml` or in
+# a playbook.
+system_users__dependent_groups: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__default_accounts [[[
+#
+# List of default UNIX system user accounts managed by Ansible.
+system_users__default_accounts:
+
+  - name: '{{ system_users__self_name }}'
+    group: '{{ system_users__self_name }}'
+    prefix: '{{ "" if ansible_user | d() else system_users__prefix }}'
+    comment: '{{ system_users__fact_self_comment
+                 | d(system_users__self_comment)
+                 | regex_replace(",,,$", "") }}'
+    # home path is generated automatically
+    shell: '{{ (system_users__fact_self_shell | d(system_users__self_shell))
+               if ((system_users__fact_self_shell | d(system_users__self_shell))
+                   in system_users__shell_package_map.keys())
+               else omit }}'
+    admin: True
+    sshkeys: '{{ lookup("pipe", "ssh-add -L | grep ^\\\(sk-\\\)\\\?ssh || cat ~/.ssh/*.pub || cat ~/.ssh/authorized_keys || true") }}'  # noqa jinja[spacing]
+    state: '{{ "present"
+               if system_users__self | bool
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: system_users__accounts [[[
+#
+# List of UNIX system user accounts to manage on all hosts in Ansible
+# inventory.
+system_users__accounts: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__group_accounts [[[
+#
+# List of UNIX system user accounts to manage on hosts in specific Ansible
+# inventory group.
+system_users__group_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__host_accounts [[[
+#
+# List of UNIX system user accounts to manage on specific hosts in Ansible
+# inventory.
+system_users__host_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__dependent_accounts [[[
+#
+# List of UNIX system user accounts to manage on the current playbook host.
+# This variable is meant to be used from a role dependency in
+# :file:`role/meta/main.yml` or in a playbook.
+system_users__dependent_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: system_users__combined_accounts [[[
+#
+# This variable combines other group and account variables together and is used
+# in the role tasks and templates.
+system_users__combined_accounts: '{{ system_users__groups
+                                     + system_users__group_groups
+                                     + system_users__host_groups
+                                     + (system_users__dependent_groups | flatten)
+                                     + system_users__default_accounts
+                                     + system_users__accounts
+                                     + system_users__group_accounts
+                                     + system_users__host_accounts
+                                     + (system_users__dependent_accounts | flatten) }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/system_users/files/script/getent_passwd.py3 b/ansible_collections/debops/debops/roles/system_users/files/script/getent_passwd.py3
new file mode 100755
index 00000000..e43e43ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/files/script/getent_passwd.py3
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Get the specified user information from the system password database.
+# This solution should work on all platforms; Ansible 'getent' module does not
+# work correctly on Apple macOS.
+# Ref: https://github.com/ansible/ansible/issues/38339
+#
+# Usage: getent_passwd.py <username>
+
+import sys
+import os
+import pwd
+import operator
+import subprocess
+from json import dumps
+
+
+def getent(user):
+    all = pwd.getpwall()
+    user = sorted(
+        (u for u in all if u.pw_name == user),
+        key=operator.attrgetter("pw_name"),
+    )[0]
+    return ({user.pw_name: ["x", user.pw_uid, user.pw_gid, user.pw_gecos,
+                            user.pw_dir, user.pw_shell]})
+
+
+def getent_bin(user):
+    binoutput = subprocess.check_output(['getent', 'passwd', user])
+    output = binoutput.decode("utf-8")
+    parts = output.strip().split(":")
+
+    if len(parts) != 7 or parts[0] != user:
+        raise RuntimeError("Unexpected output from getent")
+
+    return ({parts[0]: ["x", parts[2], parts[3], parts[4], parts[5], parts[6]]})
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 2:
+        print("Usage: %s <user>" % os.path.basename(sys.argv[0]))
+        sys.exit(1)
+
+    user = sys.argv[1]
+    try:
+        print(dumps(getent(user), sort_keys=True, indent=4))
+        sys.exit(0)
+    except IndexError:
+        pass
+
+    # As an alternative, try the "getent" binary which can get
+    # entries from databases supported by the NSS libraries
+    # (e.g. LDAP users)
+    try:
+        print(dumps(getent_bin(user), sort_keys=True, indent=4))
+        sys.exit(0)
+    except Exception as e:
+        print("Except: " + repr(e))
+        sys.exit(2)
diff --git a/ansible_collections/debops/debops/roles/system_users/meta/main.yml b/ansible_collections/debops/debops/roles/system_users/meta/main.yml
new file mode 100644
index 00000000..d8ae7ba9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage UNIX system accounts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - users
+    - admins
+    - acl
diff --git a/ansible_collections/debops/debops/roles/system_users/tasks/main.yml b/ansible_collections/debops/debops/roles/system_users/tasks/main.yml
new file mode 100644
index 00000000..28ff5edf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/tasks/main.yml
@@ -0,0 +1,421 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Gather local Ansible user details
+  ansible.builtin.script: 'script/getent_passwd.py3 {{ system_users__self_name }}'
+  register: system_users__register_passwd
+  delegate_to: 'localhost'
+  become: False
+  changed_when: False
+  check_mode: False
+  run_once: True
+  when: system_users__self_name == lookup('env', 'USER')
+
+- name: Remember local Ansible user details
+  ansible.builtin.set_fact:
+    system_users__fact_self_comment: '{{ (system_users__register_passwd.stdout | from_json)[system_users__self_name][3] }}'
+    system_users__fact_self_shell: '{{ (system_users__register_passwd.stdout | from_json)[system_users__self_name][5] }}'
+  when: system_users__self_name == lookup('env', 'USER')
+
+- name: Ensure that required packages are installed
+  ansible.builtin.package:
+    name: '{{ q("flattened", (system_users__base_packages
+                              + system_users__shell_packages
+                              + system_users__packages)) }}'
+    state: 'present'
+  register: system_users__register_packages
+  until: system_users__register_packages is succeeded
+  when: system_users__enabled | bool
+
+- name: Create UNIX groups for system users
+  ansible.builtin.group:
+    name:   '{{ (item.prefix | d(system_users__prefix)) + (item.group | d(item.name)) }}'
+    system: '{{ item.system | d(False if (item.user | d(True)) | bool else True) }}'
+    gid:    '{{ item.gid | d(omit) }}'
+    state:  'present'
+    local: '{{ True if (item.user | d(True)) | bool else False }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + (item.group | d(item.name)),
+                "state": item.state | d("present")} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         (item.private_group | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Gather information about existing remote users
+  ansible.builtin.getent:
+    database: 'passwd'
+
+- name: Manage UNIX accounts for system users
+  ansible.builtin.user:
+    name:               '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+    group:              '{{ ((item.prefix | d(system_users__prefix)) + (item.group | d(item.name))) }}'
+    home:               '{{ item.home
+                            | d(((getent_passwd[(item.prefix | d(system_users__prefix)) + item.name][4])
+                                 if (getent_passwd[(item.prefix | d(system_users__prefix)) + item.name] | d())
+                                 else (system_users__home_root + "/" + ((item.prefix | d(system_users__prefix)) + item.name)))
+                                if ((item.create_home | d(True)) | bool)
+                                else omit) }}'
+    uid:                '{{ item.uid | d(omit) }}'
+    state:              '{{ item.state | d("present") }}'
+    comment:            '{{ item.comment | d(omit) }}'
+    password:           '{{ item.password | d("*") }}'
+    update_password:    '{{ item.update_password | d("on_create") }}'
+    system:             '{{ item.system | d(omit) }}'
+    shell:              '{{ item.shell | d(system_users__default_shell
+                                           if system_users__default_shell | d()
+                                           else omit) }}'
+    create_home:        '{{ item.create_home | d(omit) }}'
+    move_home:          '{{ item.move_home | d(omit) }}'
+    skeleton:           '{{ item.skeleton | d(omit) }}'
+    expires:            '{{ item.expires | d(omit) }}'
+    remove:             '{{ item.remove | d(omit) }}'
+    force:              '{{ item.force | d(omit) }}'
+    non_unique:         '{{ item.non_unique | d(omit) }}'
+    generate_ssh_key:   '{{ item.generate_ssh_key | d(omit) }}'
+    ssh_key_bits:       '{{ item.ssh_key_bits | d(omit) }}'
+    ssh_key_comment:    '{{ item.ssh_key_comment | d(omit) }}'
+    ssh_key_file:       '{{ item.ssh_key_file | d(omit) }}'
+    ssh_key_passphrase: '{{ item.ssh_key_passphrase | d(omit) }}'
+    ssh_key_type:       '{{ item.ssh_key_type | d(omit) }}'
+    local:              '{{ item.local | d(True) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"), "gecos": item.comment | d()} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['ignore'] and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Gather information about existing remote groups
+  ansible.builtin.getent:
+    database: 'group'
+
+  # libuser does not support supplemental groups
+  # Ref: https://github.com/ansible/ansible/issues/48722
+- name: Manage additional UNIX groups for system users
+  ansible.builtin.user:
+    name:   '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+    groups: '{{ (((([item.groups]
+                    if (item.groups is string)
+                    else item.groups)
+                   if (item.groups is defined)
+                   else [])
+                  + (system_users__admin_groups
+                     if ((item.admin | d()) | bool)
+                     else []))
+                 | intersect(getent_group.keys()))
+                if (item.groups is defined or (item.admin | d()) | bool)
+                else omit }}'
+    append: '{{ item.append | d(True) }}'
+    state:  '{{ item.state | d("present") }}'
+    create_home: '{{ item.create_home | d(omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"), "gecos": item.comment | d(),
+                "groups": item.groups | d()} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['ignore'] and
+         (item.groups | d() or (item.admin | d()) | bool) and
+         (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Manage system users home directories
+  ansible.builtin.file:
+    path: '{{ item.home
+              | d(((getent_passwd[(item.prefix | d(system_users__prefix)) + item.name][4])
+                   if (getent_passwd[(item.prefix | d(system_users__prefix)) + item.name] | d())
+                   else (system_users__home_root + "/" + ((item.prefix | d(system_users__prefix)) + item.name)))
+                  if ((item.create_home | d(True)) | bool)
+                  else omit) }}'
+    state: 'directory'
+    owner: '{{ item.home_owner | d(omit) }}'
+    group: '{{ item.home_group | d(omit) }}'
+    mode:  '{{ item.home_mode | d(system_users__default_home_mode if (item.local | d(True)) | bool else omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"),
+                "home": (item.home | d(((getent_passwd[(item.prefix | d(system_users__prefix)) + item.name][4])
+                                        if (getent_passwd[(item.prefix | d(system_users__prefix)) + item.name] | d())
+                                        else (system_users__home_root + "/" + ((item.prefix | d(system_users__prefix)) + item.name)))
+                                       if ((item.create_home | d(True)) | bool)
+                                       else ""))} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and (item.create_home | d(True)) | bool and
+         (item.home_owner | d() or item.home_group | d() or item.home_mode | d() or (item.local | d(True)) | bool) and
+         (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Manage system users home directory ACLs
+  ansible.posix.acl:
+    path:        '{{ item.0.home
+                     | d(((getent_passwd[(item.0.prefix | d(system_users__prefix)) + item.0.name][4])
+                          if (getent_passwd[(item.0.prefix | d(system_users__prefix)) + item.0.name] | d())
+                          else (system_users__home_root + "/" + ((item.0.prefix | d(system_users__prefix)) + item.0.name)))
+                         if ((item.0.create_home | d(True)) | bool)
+                         else omit) }}'
+    default:     '{{ item.1.default | d(omit) }}'
+    entity:      '{{ item.1.entity | d(omit) }}'
+    entry:       '{{ item.1.entry | d(omit) }}'
+    etype:       '{{ item.1.etype | d(omit) }}'
+    permissions: '{{ item.1.permissions | d(omit) }}'
+    follow:      '{{ item.1.follow | d(omit) }}'
+    recursive:   '{{ item.1.recursive | d(omit) }}'
+    state:       '{{ item.1.state | d("present") }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("home_acl", "defined") | list
+            | subelements("home_acl") }}'
+  loop_control:
+    label: '{{ {"name": (item.0.prefix | d(system_users__prefix)) + item.0.name,
+                "state": item.0.state | d("present"), "home_acl": item.1} }}'
+  when: (system_users__enabled | bool and system_users__acl_enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and (item.0.create_home | d(True)) | bool and
+         item.0.home_acl | d() and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+  tags: [ 'role::system_users:home_acl', 'skip::system_users:home_acl', 'skip::check' ]
+
+- name: Allow specified system UNIX accounts to linger when not logged in
+  ansible.builtin.command: loginctl enable-linger {{ (item.prefix | d(system_users__prefix)) + item.name }}
+  args:
+    creates: '/var/lib/systemd/linger/{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"), "linger": item.linger | d(False)} }}'
+  when: (system_users__enabled | bool and ansible_service_mgr == 'systemd' and
+         item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.linger is defined and item.linger | bool and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Disallow specified UNIX accounts to linger when not logged in
+  ansible.builtin.command: loginctl disable-linger {{ (item.prefix | d(system_users__prefix)) + item.name }}
+  args:
+    removes: '/var/lib/systemd/linger/{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"), "linger": item.linger | d(False)} }}'
+  when: (system_users__enabled | bool and ansible_service_mgr == 'systemd' and
+         item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.linger is defined and not item.linger | bool and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Configure SSH authorized keys for system users
+  ansible.posix.authorized_key:
+    key: "{{ (item.sshkeys if item.sshkeys is string else '\n'.join(item.sshkeys)) | string }}"
+    state: 'present'
+    user: '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+    exclusive: '{{ item.sshkeys_exclusive | d(omit) }}'
+    follow: '{{ item.sshkeys_follow | d(omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"), "sshkeys": item.sshkeys | d()} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and (item.create_home | d(True)) | bool and
+         item.sshkeys | d() and item.sshkeys_state | d('present') != 'absent' and (item.user | d(True)) | bool and
+         not ansible_check_mode)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::system_users:authorized_keys', 'skip::system_users:authorized_keys', 'skip::check' ]
+
+- name: Remove SSH authorized keys from system user accounts if requested
+  ansible.builtin.file:
+    path: '~{{ (item.prefix | d(system_users__prefix)) + item.name }}/.ssh/authorized_keys'
+    state: 'absent'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"),
+                "sshkeys_state": item.sshkeys_state | d("present")} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and (item.create_home | d(True)) | bool and
+         item.sshkeys | d() and item.sshkeys_state | d('present') == 'absent' and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Configure system user mail forwarding
+  ansible.builtin.lineinfile:
+    dest: '~/.forward'
+    regexp: "{{ '^' + (item.forward if item.forward is string else item.forward[0]) }}"
+    line: '{{ item.forward if item.forward is string else item.forward | join(", ") }}'
+    state: '{{ item.forward_state | d("present") }}'
+    create: True
+    mode: '0644'
+  become: True
+  become_user: '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"),
+                "forward": item.forward | d()} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.create_home | d(True) and item.forward | d() and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::system_users:forward', 'skip::system_users:forward', 'skip::check' ]
+
+- name: Manage system users dotfiles
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    if ! yadm status > /dev/null ; then
+        yadm clone --bootstrap "{{ item.dotfiles_repo | d(system_users__dotfiles_repo) }}"
+    else
+        yadm pull
+    fi
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present"),
+                "dotfiles": (item.dotfiles | d(item.dotfiles_enabled | d(system_users__dotfiles_enabled))),
+                "dotfiles_repo": ((item.dotfiles_repo | d(system_users__dotfiles_repo))
+                                  if ((item.dotfiles | d(item.dotfiles_enabled | d(system_users__dotfiles_enabled))) | bool)
+                                  else "")} }}'
+  become: True
+  become_user: '{{ (item.prefix | d(system_users__prefix)) + item.name }}'
+  check_mode: False
+  register: system_users__register_dotfiles
+  changed_when: ('Already up to date.' not in system_users__register_dotfiles.stdout_lines | regex_replace('-', ' '))
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and (item.create_home | d(True)) | bool and
+         (ansible_local | d() and ansible_local.yadm | d() and (ansible_local.yadm.installed | d()) | bool) and
+         (item.dotfiles | d(item.dotfiles_enabled | d(system_users__dotfiles_enabled))) | bool and
+         (item.dotfiles_repo | d(system_users__dotfiles_repo)) and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::system_users:dotfiles', 'skip::system_users:dotfiles', 'skip::check' ]
+
+- name: Manage system user resource directories
+  ansible.builtin.file:
+    path:    '{{ "~" + (item.0.prefix | d(system_users__prefix)) + item.0.name + "/" + (item.1.path | d(item.1.dest | d(item.1))) }}'
+    src:     '{{ item.1.src | d(omit) }}'
+    state:   '{{ item.1.state | d("directory") }}'
+    owner:   '{{ item.1.owner | d((item.0.prefix | d(system_users__prefix)) + item.0.name) }}'
+    group:   '{{ item.1.group | d((item.0.prefix | d(system_users__prefix)) + (item.0.group | d(item.0.name))) }}'
+    mode:    '{{ item.1.mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+    recurse: '{{ item.1.recurse | d(omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": ((item.0.prefix | d(system_users__prefix)) + item.0.name),
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (system_users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['directory', 'link', 'touch'] and
+         item.1.content is undefined)
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Manage system user resource parent directories
+  ansible.builtin.file:
+    path:    '{{ ("~" + (item.0.prefix | d(system_users__prefix)) + item.0.name + "/" + (item.1.path | d(item.1.dest))) | dirname }}'
+    state:   'directory'
+    owner:   '{{ item.1.parent_owner | d((item.0.prefix | d(system_users__prefix)) + item.0.name) }}'
+    group:   '{{ item.1.parent_group | d((item.0.prefix | d(system_users__prefix)) + (item.0.group | d(item.0.name))) }}'
+    mode:    '{{ item.1.parent_mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+    recurse: '{{ item.1.parent_recurse | d(omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": ((item.0.prefix | d(system_users__prefix)) + item.0.name),
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (system_users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['present', 'file'])
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Manage system user resource files
+  ansible.builtin.copy:
+    dest:    '{{ "~" + (item.0.prefix | d(system_users__prefix)) + item.0.name + "/" + (item.1.path | d(item.1.dest)) }}'
+    src:     '{{ item.1.src | d(omit) }}'
+    content: '{{ item.1.content | d(omit) }}'
+    owner:   '{{ item.1.owner | d((item.0.prefix | d(system_users__prefix)) + item.0.name) }}'
+    group:   '{{ item.1.group | d((item.0.prefix | d(system_users__prefix)) + (item.0.group | d(item.0.name))) }}'
+    mode:    '{{ item.1.mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": ((item.0.prefix | d(system_users__prefix)) + item.0.name),
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (system_users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['present', 'file'] and
+         (item.1.dest | d() or item.1.path | d()) and (item.1.src | d() or item.1.content | d()))
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Remove system user resources if requested
+  ansible.builtin.file:
+    path:  '{{ "~" + (item.0.prefix | d(system_users__prefix)) + item.0.name + "/" + (item.1.path | d(item.1.dest | d(item.1))) }}'
+    state: 'absent'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": ((item.0.prefix | d(system_users__prefix)) + item.0.name),
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (system_users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') == 'absent')
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Remove user groups if requested
+  ansible.builtin.group:
+    name:  '{{ (item.prefix | d(system_users__prefix)) + (item.group | d(item.name)) }}'
+    state: 'absent'
+    local: '{{ item.local | d(True if (item.user | d(True)) | bool else False) }}'
+  loop: '{{ system_users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.prefix | d(system_users__prefix)) + item.name,
+                "state": item.state | d("present")} }}'
+  when: (system_users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') == 'absent' and
+         (item.private_group | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save system users local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/system_users.fact.j2'
+    dest: '/etc/ansible/facts.d/system_users.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/system_users/templates/etc/ansible/facts.d/system_users.fact.j2 b/ansible_collections/debops/debops/roles/system_users/templates/etc/ansible/facts.d/system_users.fact.j2
new file mode 100644
index 00000000..ebf61f18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/templates/etc/ansible/facts.d/system_users.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads("""{{ {'configured': True,
+                      'prefix': system_users__prefix
+                     } | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/system_users/templates/lookup/system_users__shell_packages.j2 b/ansible_collections/debops/debops/roles/system_users/templates/lookup/system_users__shell_packages.j2
new file mode 100644
index 00000000..512d610c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/system_users/templates/lookup/system_users__shell_packages.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set system_users__tpl_shells = [] %}
+{% for shell in (system_users__combined_accounts | debops.debops.parse_kv_items | selectattr("state", "equalto", "present") | selectattr("shell", "defined") | map(attribute="shell") | unique | list) %}
+{%   if shell in system_users__shell_package_map.keys() %}
+{%     set _ = system_users__tpl_shells.append(system_users__shell_package_map[shell]) %}
+{%   endif %}
+{% endfor %}
+{{ system_users__tpl_shells | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/systemd/COPYRIGHT b/ansible_collections/debops/debops/roles/systemd/COPYRIGHT
new file mode 100644
index 00000000..a624f1bd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.systemd - Configure system and service manager using Ansible
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/systemd/defaults/main.yml b/ansible_collections/debops/debops/roles/systemd/defaults/main.yml
new file mode 100644
index 00000000..5897801a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/defaults/main.yml
@@ -0,0 +1,767 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _systemd__ref_defaults:
+
+# debops.systemd default variables
+# ================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General options [[[
+# -------------------
+
+# .. envvar:: systemd__enabled [[[
+#
+# Enable or disable management of the :command:`systemd` service manager using
+# DebOps. If the parameter is set to ``False``, the role will not touch service
+# configuration.
+systemd__enabled: '{{ True
+                      if (ansible_service_mgr == "systemd")
+                      else False }}'
+
+                                                                   # ]]]
+# .. envvar:: systemd__deploy_state [[[
+#
+# This variable controls if the :command:`systemd` configuration files for the
+# "system" and "user" scope are managed on the host (``present``) or not
+# (``absent``, default). If deployment state is disabled, :command:`systemd`
+# will use the configuration provided with the OS package. Configuration of
+# the specific service units is not affected by this variable.
+systemd__deploy_state: 'absent'
+
+                                                                   # ]]]
+# .. envvar:: systemd__version [[[
+#
+# Specify the version of the :command:`systemd` daemon installed on the host.
+# By default this variable is defined using Ansible local facts and can be used
+# to alter configuration depending on the version of the service.
+systemd__version: '{{ ansible_local.systemd.version | d("0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd` system instance configuration [[[
+# --------------------------------------------------------
+
+# These variables define the contents of the system-wide :command:`systemd`
+# configuration. Check the :man:`systemd-system.conf(5)` manual page for more
+# information about the configuration options, and
+# :ref:`systemd__ref_configuration` for details about the configuration of the
+# role itself.
+#
+# By default the system configuration is not applied on the hosts, you need to
+# set :envvar:`systemd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: systemd__default_configuration [[[
+#
+# List of the default system-wide configuration options defined by the role.
+systemd__default_configuration:
+
+  - name: 'LogLevel'
+    value: 'info'
+    state: 'init'
+
+  - name: 'LogTarget'
+    value: 'journal-or-kmsg'
+    state: 'init'
+
+  - name: 'LogColor'
+    value: True
+    state: 'init'
+
+  - name: 'LogLocation'
+    value: False
+    state: 'init'
+
+  - name: 'LogTime'
+    value: False
+    state: 'init'
+
+  - name: 'DumpCore'
+    value: True
+    state: 'init'
+
+  - name: 'ShowStatus'
+    value: True
+    state: 'init'
+
+  - name: 'CrashChangeVT'
+    value: False
+    state: 'init'
+
+  - name: 'CrashShell'
+    value: False
+    state: 'init'
+
+  - name: 'CrashReboot'
+    value: False
+    state: 'init'
+
+  - name: 'CtrlAltDelBurstAction'
+    value: 'reboot-force'
+    state: 'init'
+
+  - name: 'CPUAffinity'
+    value: '1 2'
+    state: 'init'
+
+  - name: 'NUMAPolicy'
+    value: 'default'
+    state: 'init'
+
+  - name: 'NUMAMask'
+    value: ''
+    state: 'init'
+
+  - name: 'RuntimeWatchdogSec'
+    value: 0
+    state: 'init'
+
+  - name: 'RebootWatchdogSec'
+    value: '10min'
+    state: 'init'
+
+  - name: 'ShutdownWatchdogSec'
+    value: '10min'
+    state: 'init'
+
+  - name: 'KExecWatchdogSec'
+    value: 0
+    state: 'init'
+
+  - name: 'WatchdogDevice'
+    value: ''
+    state: 'init'
+
+  - name: 'CapabilityBoundingSet'
+    value: ''
+    state: 'init'
+
+  - name: 'NoNewPrivileges'
+    value: False
+    state: 'init'
+
+  - name: 'SystemCallArchitectures'
+    value: ''
+    state: 'init'
+
+  - name: 'TimerSlackNSec'
+    value: ''
+    state: 'init'
+
+  - name: 'StatusUnitFormat'
+    value: 'description'
+    state: 'init'
+
+  - name: 'DefaultTimerAccuracySec'
+    value: '1min'
+    state: 'init'
+
+  - name: 'DefaultStandardOutput'
+    value: 'journal'
+    state: 'init'
+
+  - name: 'DefaultStandardError'
+    value: 'inherit'
+    state: 'init'
+
+  - name: 'DefaultTimeoutStartSec'
+    value: '90s'
+    state: 'init'
+
+  - name: 'DefaultTimeoutStopSec'
+    value: '90s'
+    state: 'init'
+
+  - name: 'DefaultTimeoutAbortSec'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultRestartSec'
+    value: '100ms'
+    state: 'init'
+
+  - name: 'DefaultStartLimitIntervalSec'
+    value: '10s'
+    state: 'init'
+
+  - name: 'DefaultStartLimitBurst'
+    value: 5
+    state: 'init'
+
+  - name: 'DefaultEnvironment'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultCPUAccounting'
+    value: False
+    state: 'init'
+
+  - name: 'DefaultIOAccounting'
+    value: False
+    state: 'init'
+
+  - name: 'DefaultIPAccounting'
+    value: False
+    state: 'init'
+
+  - name: 'DefaultBlockIOAccounting'
+    value: False
+    state: 'init'
+
+  - name: 'DefaultMemoryAccounting'
+    value: True
+    state: 'init'
+
+  - name: 'DefaultTasksAccounting'
+    value: True
+    state: 'init'
+
+  - name: 'DefaultTasksMax'
+    value: '15%'
+    state: 'init'
+
+  - name: 'DefaultLimitCPU'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitFSIZE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitDATA'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitSTACK'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitCORE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRSS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNOFILE'
+    value: '1024:524288'
+    state: 'init'
+
+  - name: 'DefaultLimitAS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNPROC'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitMEMLOCK'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitLOCKS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitSIGPENDING'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitMSGQUEUE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNICE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRTPRIO'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRTTIME'
+    value: ''
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: systemd__configuration [[[
+#
+# List of the system-wide configuration options which should be present on all
+# hosts in the Ansible inventory.
+systemd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__group_configuration [[[
+#
+# List of the system-wide configuration options which should be present on
+# hosts in a specific Ansible inventory group.
+systemd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__host_configuration [[[
+#
+# List of the system-wide configuration options which should be present on
+# specific hosts in the Ansible inventory.
+systemd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__combined_configuration [[[
+#
+# Variable which combines all system-wide configuration lists and is used in
+# the role tasks and templates.
+systemd__combined_configuration: '{{ systemd__default_configuration
+                                     + systemd__configuration
+                                     + systemd__group_configuration
+                                     + systemd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd` user instance global configuration [[[
+# -------------------------------------------------------------
+
+# These variables define configuration of all :command:`systemd --user`
+# instances system-wide. Check the :man:`systemd-user.conf(5)` manual page for
+# more information about the configuration options, and
+# :ref:`systemd__ref_configuration` for details about the configuration of the
+# role itself.
+#
+# By default the system configuration is not applied on the hosts, you need to
+# set :envvar:`systemd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: systemd__user_default_configuration [[[
+#
+# List of the default system-wide configuration options for the user instances,
+# defined by the role.
+systemd__user_default_configuration:
+
+  - name: 'LogLevel'
+    value: 'info'
+    state: 'init'
+
+  - name: 'LogTarget'
+    value: 'console'
+    state: 'init'
+
+  - name: 'LogColor'
+    value: True
+    state: 'init'
+
+  - name: 'LogLocation'
+    value: False
+    state: 'init'
+
+  - name: 'LogTime'
+    value: False
+    state: 'init'
+
+  - name: 'SystemCallArchitectures'
+    value: ''
+    state: 'init'
+
+  - name: 'TimerSlackNSec'
+    value: ''
+    state: 'init'
+
+  - name: 'StatusUnitFormat'
+    value: 'description'
+    state: 'init'
+
+  - name: 'DefaultTimerAccuracySec'
+    value: '1min'
+    state: 'init'
+
+  - name: 'DefaultStandardOutput'
+    value: 'inherit'
+    state: 'init'
+
+  - name: 'DefaultStandardError'
+    value: 'inherit'
+    state: 'init'
+
+  - name: 'DefaultTimeoutStartSec'
+    value: '90s'
+    state: 'init'
+
+  - name: 'DefaultTimeoutStopSec'
+    value: '90s'
+    state: 'init'
+
+  - name: 'DefaultTimeoutAbortSec'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultRestartSec'
+    value: '100ms'
+    state: 'init'
+
+  - name: 'DefaultStartLimitIntervalSec'
+    value: '10s'
+    state: 'init'
+
+  - name: 'DefaultStartLimitBurst'
+    value: 5
+    state: 'init'
+
+  - name: 'DefaultEnvironment'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitCPU'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitFSIZE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitDATA'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitSTACK'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitCORE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRSS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNOFILE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitAS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNPROC'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitMEMLOCK'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitLOCKS'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitSIGPENDING'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitMSGQUEUE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitNICE'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRTPRIO'
+    value: ''
+    state: 'init'
+
+  - name: 'DefaultLimitRTTIME'
+    value: ''
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_configuration [[[
+#
+# List of the :command:`systemd --user` instances system-wide configuration
+# options which should be present on all hosts in the Ansible inventory.
+systemd__user_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_group_configuration [[[
+#
+# List of the :command:`systemd --user` instances system-wide configuration
+# options which should be present on hosts in a specific Ansible inventory
+# group.
+systemd__user_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_host_configuration [[[
+#
+# List of the :command:`systemd --user` instances system-wide configuration
+# options which should be present on specific hosts in the Ansible inventory.
+systemd__user_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_combined_configuration [[[
+#
+# Variable which combines all system-wide :command:`systemd --user` instance
+# configuration lists and is used in role tasks and templates.
+systemd__user_combined_configuration: '{{ systemd__user_default_configuration
+                                          + systemd__user_configuration
+                                          + systemd__user_group_configuration
+                                          + systemd__user_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-logind` configuration [[[
+# -----------------------------------------------
+
+# These variables define configuration of the :command:`systemd-logind`
+# service. Check the :man:`logind.conf(5)` manual page for more information
+# about the configuration options, and :ref:`systemd__ref_configuration` for
+# details about the configuration of the role itself.
+#
+# By default the system configuration is not applied on the hosts, you need to
+# set :envvar:`systemd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: systemd__logind_default_configuration [[[
+#
+# List of the default configuration options for the :command:`systemd-logind`
+# service, defined by the role.
+systemd__logind_default_configuration:
+
+  - name: 'NAutoVTs'
+    value: 6
+    state: 'init'
+
+  - name: 'ReserveVT'
+    value: 6
+    state: 'init'
+
+  - name: 'KillUserProcesses'
+    value: False
+    state: 'init'
+
+  - name: 'KillOnlyUsers'
+    value: []
+    state: 'init'
+
+  - name: 'KillExcludeUsers'
+    value: [ 'root' ]
+    state: 'init'
+
+  - name: 'InhibitDelayMaxSec'
+    value: 5
+    state: 'init'
+
+  - name: 'UserStopDelaySec'
+    value: 10
+    state: 'init'
+
+  - name: 'HandlePowerKey'
+    value: 'poweroff'
+    state: 'init'
+
+  - name: 'HandleSuspendKey'
+    value: 'suspend'
+    state: 'init'
+
+  - name: 'HandleHibernateKey'
+    value: 'hibernate'
+    state: 'init'
+
+  - name: 'HandleLidSwitch'
+    value: 'suspend'
+    state: 'init'
+
+  - name: 'HandleLidSwitchExternalPower'
+    value: 'suspend'
+    state: 'init'
+
+  - name: 'HandleLidSwitchDocked'
+    value: 'ignore'
+    state: 'init'
+
+  - name: 'HandleRebootKey'
+    value: 'reboot'
+    state: 'init'
+
+  - name: 'PowerKeyIgnoreInhibited'
+    value: False
+    state: 'init'
+
+  - name: 'SuspendKeyIgnoreInhibited'
+    value: False
+    state: 'init'
+
+  - name: 'HibernateKeyIgnoreInhibited'
+    value: False
+    state: 'init'
+
+  - name: 'LidSwitchIgnoreInhibited'
+    value: True
+    state: 'init'
+
+  - name: 'RebootKeyIgnoreInhibited'
+    value: False
+    state: 'init'
+
+  - name: 'HoldoffTimeoutSec'
+    value: '30s'
+    state: 'init'
+
+  - name: 'IdleAction'
+    value: 'ignore'
+    state: 'init'
+
+  - name: 'IdleActionSec'
+    value: '30min'
+    state: 'init'
+
+  - name: 'RuntimeDirectorySize'
+    value: '10%'
+    state: 'init'
+
+  - name: 'RuntimeDirectoryInodes'
+    value: '400k'
+    state: 'init'
+
+  - name: 'RemoveIPC'
+    value: True
+    state: 'init'
+
+  - name: 'InhibitorsMax'
+    value: 8192
+    state: 'init'
+
+  - name: 'SessionsMax'
+    value: 8192
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: systemd__logind_configuration [[[
+#
+# List of the :command:`systemd-logind` service configuration options which
+# should be present on all hosts in the Ansible inventory.
+systemd__logind_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__logind_group_configuration [[[
+#
+# List of the :command:`systemd-logind` service configuration options which
+# should be present on hosts in a specific Ansible inventory group.
+systemd__logind_group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__logind_host_configuration [[[
+#
+# List of the :command:`systemd-logind` service configuration options which
+# should be present on specific hosts in the Ansible inventory.
+systemd__logind_host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__logind_combined_configuration [[[
+#
+# Variable which combines all :command:`systemd-logind` service configuration
+# lists and is used in role tasks and templates.
+systemd__logind_combined_configuration: '{{ systemd__logind_default_configuration
+                                            + systemd__logind_configuration
+                                            + systemd__logind_group_configuration
+                                            + systemd__logind_host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd` system instance units [[[
+# ------------------------------------------------
+
+# These variables can be used to manage system-wide :command:`systemd` units
+# located in the :file:`/etc/systemd/system/` directory. Check the
+# :man:`systemd.unit(5)` for more information about units themselves, and
+# :ref:`systemd__ref_units` for details about configuring units using this
+# role.
+
+# .. envvar:: systemd__units [[[
+#
+# List of :command:`systemd` units which should be present on all hosts in the
+# Ansible inventory.
+systemd__units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__group_units [[[
+#
+# List of :command:`systemd` units which should be present on hosts in
+# a specific Ansible inventory group.
+systemd__group_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__host_units [[[
+#
+# List of :command:`systemd` units which should be present on specific hosts in
+# the Ansible inventory.
+systemd__host_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__dependent_units [[[
+#
+# List of :command:`systemd` units which are defined by other Ansible roles
+# using dependent role variables.
+systemd__dependent_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__combined_units [[[
+#
+# Variable which combines all of the :command:`systemd` unit lists and is used
+# in role tasks and templates.
+systemd__combined_units: '{{ systemd__dependent_units
+                             + systemd__units
+                             + systemd__group_units
+                             + systemd__host_units }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd --user` instance global units [[[
+# -------------------------------------------------------
+
+# These variables can be used to manage global units present in the
+# :command:`systemd --user` instances, located in the
+# :file:`/etc/systemd/user/` directory. Check the :man:`systemd.unit(5)` for
+# more information about units themselves, and :ref:`systemd__ref_units` for
+# details about configuring units using this role.
+
+# .. envvar:: systemd__user_units [[[
+#
+# List of :command:`systemd --user` global units which should be present on all
+# hosts in the Ansible inventory.
+systemd__user_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_group_units [[[
+#
+# List of :command:`systemd --user` global units which should be present on
+# hosts in a specific Ansible inventory group.
+systemd__user_group_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_host_units [[[
+#
+# List of :command:`systemd --user` global units which should be present on
+# specific hosts in the Ansible inventory.
+systemd__user_host_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_dependent_units [[[
+#
+# List of :command:`systemd --user` global units which are defined by other
+# Ansible roles using dependent role variables.
+systemd__user_dependent_units: []
+
+                                                                   # ]]]
+# .. envvar:: systemd__user_combined_units [[[
+#
+# Variable which combines all of the :command:`systemd --user` global unit
+# lists and is used in role tasks and templates.
+systemd__user_combined_units: '{{ systemd__user_dependent_units
+                                  + systemd__user_units
+                                  + systemd__user_group_units
+                                  + systemd__user_host_units }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/systemd/meta/main.yml b/ansible_collections/debops/debops/roles/systemd/meta/main.yml
new file mode 100644
index 00000000..7bc9b2ed
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure systemd, system and service manager'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - services
+    - init
diff --git a/ansible_collections/debops/debops/roles/systemd/tasks/main.yml b/ansible_collections/debops/debops/roles/systemd/tasks/main.yml
new file mode 100644
index 00000000..c79236ea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/tasks/main.yml
@@ -0,0 +1,188 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save systemd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/systemd.fact.j2'
+    dest: '/etc/ansible/facts.d/systemd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Remove systemd configuuration if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/" + item + ".d/ansible.conf" }}'
+    state: 'absent'
+  loop: [ 'system.conf', 'user.conf', 'logind.conf' ]
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and systemd__deploy_state == 'absent'
+
+- name: Create systemd configuration directories
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/" + item + ".d" }}'
+    state: 'directory'
+    mode: '0755'
+  loop: [ 'system.conf', 'user.conf', 'logind.conf' ]
+  when: systemd__enabled | bool and systemd__deploy_state != 'absent'
+
+- name: Generate systemd configuration
+  ansible.builtin.template:
+    src: '{{ "etc/systemd/" + item + ".d/ansible.conf.j2" }}'
+    dest: '{{ "/etc/systemd/" + item + ".d/ansible.conf" }}'
+    mode: '0644'
+  loop: [ 'system.conf', 'user.conf', 'logind.conf' ]
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and systemd__deploy_state != 'absent'
+
+- name: Remove system units if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/system/" + item.name }}'
+    state: 'absent'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: systemd__register_units_removed
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Remove system unit overrides if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/system/" + item.name + ".d" }}'
+    state: 'absent'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Create directories for system units
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/system/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: systemd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        (item.name | dirname).endswith('.d')
+
+- name: Generate system units
+  ansible.builtin.template:
+    src: 'etc/systemd/system/template.j2'
+    dest: '{{ "/etc/systemd/system/" + item.name }}'
+    mode: '0644'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  register: systemd__register_units_created
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init']
+
+- name: Remove user units if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/user/" + item.name }}'
+    state: 'absent'
+  loop: '{{ systemd__user_combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Remove user unit overrides if requested
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/user/" + item.name + ".d" }}'
+    state: 'absent'
+  loop: '{{ systemd__user_combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and
+        item.state | d("present") == 'absent'
+
+- name: Create directories for user units
+  ansible.builtin.file:
+    path: '{{ "/etc/systemd/user/" + (item.name | dirname) }}'
+    state: 'directory'
+    mode: '0755'
+  loop: '{{ systemd__user_combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: systemd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        (item.name | dirname).endswith('.d')
+
+- name: Generate user units
+  ansible.builtin.template:
+    src: 'etc/systemd/user/template.j2'
+    dest: '{{ "/etc/systemd/user/" + item.name }}'
+    mode: '0644'
+  loop: '{{ systemd__user_combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  notify: [ 'Reload systemd daemon' ]
+  when: systemd__enabled | bool and item.raw | d() and
+        item.state | d("present") not in ['absent', 'ignore', 'init']
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure system units
+  ansible.builtin.systemd:
+    name: '{{ item.name }}'
+    enabled: '{{ item.enabled | d(False if (item.masked | d() | bool) else True) }}'
+    force: '{{ item.force | d(omit) }}'
+    masked: '{{ item.masked | d(omit) }}'
+    state: '{{ item.state if (item.state in ["reloaded", "restarted", "started", "stopped"]) else omit }}'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: systemd__enabled | bool and
+        item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        not (item.name | dirname).endswith('.d')
+
+- name: Restart system units if modified
+  ansible.builtin.systemd:
+    name: '{{ item.restart }}'
+    state: 'restarted'
+  loop: '{{ systemd__combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"restart": item.restart | d()} }}'
+  when: systemd__enabled | bool and item.restart | d() and
+        item.state | d("present") not in ['ignore', 'init'] and
+        ((item.name in (systemd__register_units_removed.results | selectattr("changed", "true") | map(attribute="item.name") | list)) or
+         (item.name in (systemd__register_units_created.results | selectattr("changed", "true") | map(attribute="item.name") | list)))
+
+- name: Configure user units
+  ansible.builtin.systemd:
+    name: '{{ item.name }}'
+    enabled: '{{ item.enabled | d(False if (item.masked | d() | bool) else True) }}'
+    force: '{{ item.force | d(omit) }}'
+    masked: '{{ item.masked | d(omit) }}'
+    state: '{{ item.state if (item.state in ["reloaded", "restarted", "started", "stopped"]) else omit }}'
+    scope: 'global'
+  loop: '{{ systemd__user_combined_units | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: systemd__enabled | bool and
+        item.state | d("present") not in ['absent', 'ignore', 'init'] and
+        not (item.name | dirname).endswith('.d')
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/ansible/facts.d/systemd.fact.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/ansible/facts.d/systemd.fact.j2
new file mode 100644
index 00000000..fa6d139b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/ansible/facts.d/systemd.fact.j2
@@ -0,0 +1,39 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('systemctl'),
+          'enabled': loads('''{{ systemd__enabled
+                                 | bool | to_json }}''')}
+
+try:
+    systemd_version_stdout = subprocess.check_output(
+            ["systemctl", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in systemd_version_stdout.split('\n'):
+        if line.lower().startswith('systemd '):
+            output['version'] = line.split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/logind.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/logind.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..46669765
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/logind.conf.d/ansible.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See logind.conf(5) for details.
+
+[Login]
+{% for element in systemd__logind_combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is undefined %}
+{%       set element_value = '' %}
+{%     elif element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ') %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..66a1d21e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system.conf.d/ansible.conf.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See systemd-system.conf(5) for details.
+
+[Manager]
+{% for element in systemd__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system/template.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system/template.j2
new file mode 100644
index 00000000..f202cb62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/system/template.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{{ item.raw | regex_replace('\n$', '') }}
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..14637d57
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user.conf.d/ansible.conf.j2
@@ -0,0 +1,36 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See systemd-user.conf(5) for details.
+
+[Manager]
+{% for element in systemd__user_combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.value is defined and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user/template.j2 b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user/template.j2
new file mode 100644
index 00000000..f202cb62
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/systemd/templates/etc/systemd/user/template.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') -}}
+{% endif %}
+{{ item.raw | regex_replace('\n$', '') }}
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/COPYRIGHT b/ansible_collections/debops/debops/roles/tcpwrappers/COPYRIGHT
new file mode 100644
index 00000000..0f2b7aea
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.tcpwrappers - Manage host access controlled by libwrap
+
+Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2016 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/defaults/main.yml b/ansible_collections/debops/debops/roles/tcpwrappers/defaults/main.yml
new file mode 100644
index 00000000..f4769fe5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/defaults/main.yml
@@ -0,0 +1,112 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2016 DebOps <http://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tcpwrappers__ref_defaults:
+
+# debops.tcpwrappers default variables [[[
+# ========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Main configuration [[[
+# ----------------------
+
+# .. envvar:: tcpwrappers__enabled [[[
+#
+# Enable or disable configuration of ``tcpwrappers``.
+tcpwrappers__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__base_packages [[[
+#
+# List of base APT packages required by TCP Wrappers.
+tcpwrappers__base_packages: [ 'libwrap0' ]
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__packages [[[
+#
+# List of additional APT packages to install with TCP Wrappers.
+tcpwrappers__packages: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__ansible_controllers [[[
+#
+# Optional list of CIDR hosts which will be allowed to connect to ``sshd``
+# service. Entries are saved in the local facts on remote hosts.
+#
+# Remember to specify IP address from the remote host point of view.
+# Format: "IP address/netmask", for example: ``192.168.1.1/32``.
+#
+# Note: If you are using ``debop.ferm`` role too (or the DebOps playbook),
+#       mind setting ``ferm__ansible_controllers``. An easier way would
+#       be to use the ``debops.sshd`` role to configure ``ssh`` service.
+tcpwrappers__ansible_controllers: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__deny_all [[[
+#
+# By default ``debops.tcpwrappers`` will deny all connections using
+# ``/etc/hosts.deny`` file and only allow whitelisted connections in
+# ``/etc/hosts.allow``. Set this variable to ``False`` to disable that.
+tcpwrappers__deny_all: True
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__divert_hosts_allow [[[
+#
+# Path of the diverted ``/etc/hosts.allow`` file. It will be merged with the
+# rest of the generated configuration files using ``assemble`` ansible module.
+# Warning: do not change this variable while the role is enabled.
+tcpwrappers__divert_hosts_allow: '/etc/hosts.allow.d/05_debian_hosts.allow'
+                                                                   # ]]]
+                                                                   # ]]]
+# TCP Wrappers allow lists [[[
+# ----------------------------
+
+# .. envvar:: tcpwrappers__allow [[[
+#
+# List of allow rules for all hosts in the Ansible inventory. See
+# :ref:`tcpwrappers__allow` for more details.
+tcpwrappers__allow: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__group_allow [[[
+#
+# List of allow rules for hosts in a specific host group. See
+# :ref:`tcpwrappers__allow` for more details.
+tcpwrappers__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__host_allow [[[
+#
+# List of allow rules for specific hosts in the inventory. See
+# :ref:`tcpwrappers__allow` for more details.
+tcpwrappers__host_allow: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__dependent_allow [[[
+#
+# List of allow rules specified by other Ansible roles as a dependency. See
+# :ref:`tcpwrappers__allow` for more details.
+tcpwrappers__dependent_allow: []
+
+                                                                   # ]]]
+# .. envvar:: tcpwrappers__localhost_allow [[[
+#
+# By default allow unrestricted access from ``localhost``.
+tcpwrappers__localhost_allow:
+  - daemon: 'ALL'
+    client: [ '127.0.0.0/8', '::1/128' ]
+    comment: 'Access from localhost'
+    filename: 'allow_localhost'
+    weight: '06'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/meta/main.yml b/ansible_collections/debops/debops/roles/tcpwrappers/meta/main.yml
new file mode 100644
index 00000000..27959b20
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage host access rules in /etc/hosts.{allow,deny}'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
+    - tcpwrappers
+    - networking
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/tasks/main.yml b/ansible_collections/debops/debops/roles/tcpwrappers/tasks/main.yml
new file mode 100644
index 00000000..e4e2e53a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/tasks/main.yml
@@ -0,0 +1,127 @@
+---
+# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2016 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (tcpwrappers__base_packages
+                              + tcpwrappers__packages)) }}'
+    state: 'present'
+  register: tcpwrappers__register_packages
+  until: tcpwrappers__register_packages is succeeded
+  when: tcpwrappers__enabled | bool
+
+- name: Make sure /etc/hosts.allow.d directory exists
+  ansible.builtin.file:
+    path: '/etc/hosts.allow.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create /etc/hosts.allow.d/00_ansible
+  ansible.builtin.template:
+    src: 'etc/hosts.allow.d/00_ansible.j2'
+    dest: '/etc/hosts.allow.d/00_ansible'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Add/remove diversion of /etc/hosts.allow
+  debops.debops.dpkg_divert:
+    path: '/etc/hosts.allow'
+    divert: '{{ tcpwrappers__divert_hosts_allow }}'
+    state: '{{ "present" if tcpwrappers__enabled | bool else "absent" }}'
+    delete: True
+  when: not ansible_check_mode | bool
+
+- name: Allow access from Ansible Controller to sshd
+  ansible.builtin.template:
+    src: 'etc/hosts.allow.d/ansible_controller.j2'
+    dest: '/etc/hosts.allow.d/10_ansible_controller'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
+- name: Remove hosts.allow entries if requested
+  ansible.builtin.file:
+    path: '/etc/hosts.allow.d/{{ item.weight | default("50") }}_{{ item.filename
+            | d((item.daemon if item.daemon is string else item.daemon[0]) + "_allow") }}'
+    state: 'absent'
+  loop: '{{ q("flattened", tcpwrappers__allow
+                           + tcpwrappers__group_allow
+                           + tcpwrappers__host_allow
+                           + tcpwrappers__dependent_allow
+                           + tcpwrappers__localhost_allow
+                           + tcpwrappers_allow | d([])
+                           + tcpwrappers_group_allow | d([])
+                           + tcpwrappers_host_allow | d([])
+                           + tcpwrappers_dependent_allow | d([])) }}'
+  when: ((item.daemon | d() or item.daemons | d()) and
+         item.state | d() and item.state == 'absent')
+
+- name: Generate hosts.allow entries
+  ansible.builtin.template:
+    src: 'etc/hosts.allow.d/allow.j2'
+    dest: '/etc/hosts.allow.d/{{ item.weight | default("50") }}_{{ item.filename
+            | d((item.daemon if item.daemon is string else item.daemon[0]) + "_allow") }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", tcpwrappers__allow
+                           + tcpwrappers__group_allow
+                           + tcpwrappers__host_allow
+                           + tcpwrappers__dependent_allow
+                           + tcpwrappers__localhost_allow
+                           + tcpwrappers_allow | d([])
+                           + tcpwrappers_group_allow | d([])
+                           + tcpwrappers_host_allow | d([])
+                           + tcpwrappers_dependent_allow | d([])) }}'
+  when: ((item.daemon | d() or item.daemons | d()) and
+         (item.state is undefined or item.state != 'absent'))
+
+- name: Assemble hosts.allow.d
+  ansible.builtin.assemble:
+    src: '/etc/hosts.allow.d'
+    dest: '/etc/hosts.allow'
+    backup: False
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: tcpwrappers__enabled | bool
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save tcpwrappers local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tcpwrappers.fact.j2'
+    dest: '/etc/ansible/facts.d/tcpwrappers.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'meta::facts' ]
+
+- name: Configure access in /etc/hosts.deny
+  ansible.builtin.lineinfile:
+    dest: '/etc/hosts.deny'
+    regexp: '^ALL: ALL'
+    line: 'ALL: ALL'
+    create: True
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    state: '{{ "present"
+               if (tcpwrappers__enabled | bool and
+                   tcpwrappers__deny_all | bool)
+               else "absent" }}'
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/ansible/facts.d/tcpwrappers.fact.j2 b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/ansible/facts.d/tcpwrappers.fact.j2
new file mode 100644
index 00000000..0d3c8455
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/ansible/facts.d/tcpwrappers.fact.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2016 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tcpwrappers__tpl_ansible_controllers = [] %}
+{% if (ansible_local.core.ansible_controllers | d()) %}
+{%   for element in ansible_local.core.ansible_controllers %}
+{%     set _ = tcpwrappers__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% if (ansible_local.tcpwrappers.ansible_controllers | d()) %}
+{%   for element in ansible_local.tcpwrappers.ansible_controllers %}
+{%     set _ = tcpwrappers__tpl_ansible_controllers.append(element) %}
+{%   endfor %}
+{% endif %}
+{% for element in tcpwrappers__ansible_controllers or [] %}
+{%       set _ = tcpwrappers__tpl_ansible_controllers.append(element) %}
+{% endfor %}
+{
+"enabled": "{{ tcpwrappers__enabled | bool | lower }}",
+"ansible_controllers": {{ tcpwrappers__tpl_ansible_controllers | unique | sort | to_nice_json }}
+}
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/00_ansible.j2 b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/00_ansible.j2
new file mode 100644
index 00000000..d984dd7b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/00_ansible.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2016 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Warning: this file is created by Ansible 'assemble' module, that combines
+# files in /etc/hosts.allow.d/ directory into file /etc/hosts.allow. Do not
+# modify this file directly, instead put your additions in the
+# /etc/hosts.allow.d/ directory with a proper name, preferably after diverted
+# original /etc/hosts.allow. Your changes will be included and preserved on the
+# next Ansible run.
+#
+{% if tcpwrappers__enabled | bool %}
+# Original /etc/hosts.allow has been diverted to {{ tcpwrappers__divert_hosts_allow }}
+# Original contents follow.
+{% else %}
+# /etc/hosts.allow diversion is not active, contents of /etc/hosts.allow.d/ won't be
+# included in /etc/hosts.allow
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/allow.j2 b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/allow.j2
new file mode 100644
index 00000000..2e130e72
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/allow.j2
@@ -0,0 +1,79 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2016 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% if item.comment | d() %}
+# {{ item.comment }}
+{% endif %}
+{% if item.custom | d() %}
+{{ item.custom }}
+{% else %}
+{%   set tcpwrappers__tpl_daemon = [] %}
+{%   set tcpwrappers__tpl_client = [] %}
+{%   set tcpwrappers__tpl_option = [] %}
+{%   if item.daemon | d() %}
+{%     if item.daemon is string %}
+{%       set _ = tcpwrappers__tpl_daemon.append(item.daemon) %}
+{%     else %}
+{%       for element in item.daemon %}
+{%         set _ = tcpwrappers__tpl_daemon.append(element) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if item.daemons | d() %}
+{%     if item.daemons is string %}
+{%       set _ = tcpwrappers__tpl_daemon.append(item.daemons) %}
+{%     else %}
+{%       for element in item.daemons %}
+{%         set _ = tcpwrappers__tpl_daemon.append(element) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if item.client | d() %}
+{%     if item.client is string %}
+{%       set _ = tcpwrappers__tpl_client.append(item.client | ansible.utils.ipwrap) %}
+{%     else %}
+{%       for element in item.client %}
+{%         set _ = tcpwrappers__tpl_client.append(element | ansible.utils.ipwrap) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if item.clients | d() %}
+{%     if item.clients is string %}
+{%       set _ = tcpwrappers__tpl_client.append(item.clients | ansible.utils.ipwrap) %}
+{%     else %}
+{%       for element in item.clients %}
+{%         set _ = tcpwrappers__tpl_client.append(element | ansible.utils.ipwrap) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if item.option | d() %}
+{%     if item.option is string %}
+{%       set _ = tcpwrappers__tpl_option.append(item.option | replace(':','\:')) %}
+{%     else %}
+{%       for element in item.option %}
+{%         set _ = tcpwrappers__tpl_option.append(element | replace(':','\:')) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if item.options | d() %}
+{%     if item.options is string %}
+{%       set _ = tcpwrappers__tpl_option.append(item.options | replace(':','\:')) %}
+{%     else %}
+{%       for element in item.options %}
+{%         set _ = tcpwrappers__tpl_option.append(element | replace(':','\:')) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if tcpwrappers__tpl_client %}
+{{ tcpwrappers__tpl_daemon | sort | unique | join(', ') }} : {{ tcpwrappers__tpl_client | unique | join(', ') }}{% if tcpwrappers__tpl_option %} : {{ tcpwrappers__tpl_option | join(' : ') }}{% endif %}
+{%   elif item.accept_any is undefined or item.accept_any | bool %}
+{{ tcpwrappers__tpl_daemon | sort | unique | join(', ') }} : {{ item.default | d('ALL') }}{% if tcpwrappers__tpl_option %} : {{ tcpwrappers__tpl_option | join(' : ') }}{% endif %}
+{%   elif not item.accept_any | bool %}
+# Access to '{{ tcpwrappers__tpl_daemon | sort | unique | join(', ') }}' from any host is not allowed
+{%   elif item.default | d() %}
+{{ tcpwrappers__tpl_daemon | sort | unique | join(', ') }} : {{ item.default }}{% if tcpwrappers__tpl_option %} : {{ tcpwrappers__tpl_option | join(' : ') }}{% endif %}
+{%   else %}
+# Access to '{{ tcpwrappers__tpl_daemon | sort | unique | join(', ') }}' from any host is not allowed
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/ansible_controller.j2 b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/ansible_controller.j2
new file mode 100644
index 00000000..20384f87
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tcpwrappers/templates/etc/hosts.allow.d/ansible_controller.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2014-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2016 DebOps <http://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# Ansible Controllers
+{% set tcpwrappers__tpl_local_ansible_controllers = [] %}
+{% if ansible_local.core.ansible_controllers | d() %}
+{%   for element in ansible_local.core.ansible_controllers %}
+{%     set _ = tcpwrappers__tpl_local_ansible_controllers.append(element | ansible.utils.ipwrap) %}
+{%   endfor %}
+{% endif %}
+{% if (ansible_local.tcpwrappers.ansible_controllers | d()) %}
+{%   for element in ansible_local.tcpwrappers.ansible_controllers %}
+{%     set _ = tcpwrappers__tpl_local_ansible_controllers.append(element | ansible.utils.ipwrap) %}
+{%   endfor %}
+{% endif %}
+{% for element in tcpwrappers__ansible_controllers or [] %}
+{%       set _ = tcpwrappers__tpl_local_ansible_controllers.append(element | ansible.utils.ipwrap) %}
+{% endfor %}
+{% for element in (tcpwrappers__tpl_local_ansible_controllers | unique | sort) %}
+sshd : {{ element }}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/telegraf/COPYRIGHT b/ansible_collections/debops/debops/roles/telegraf/COPYRIGHT
new file mode 100644
index 00000000..c0daa75c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.telegraf - Manage Telegraf instance using Ansible
+
+Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-or-later
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/telegraf/defaults/main.yml b/ansible_collections/debops/debops/roles/telegraf/defaults/main.yml
new file mode 100644
index 00000000..102ecb90
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/defaults/main.yml
@@ -0,0 +1,218 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# .. Copyright (C) 2021 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-or-later
+
+# .. _telegraf__ref_defaults:
+
+# debops.telegraf default variables
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: telegraf__base_packages [[[
+#
+# List of the default APT packages to install Telegraf.
+telegraf__base_packages: [ 'telegraf' ]
+
+                                                                   # ]]]
+# .. envvar:: telegraf__packages [[[
+#
+# List of additional APT packages ta install with Telegraf.
+telegraf__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: telegraf__additional_groups [[[
+#
+# List of UNIX groups to which the Telegraf UNIX account should belong to
+# provide access.
+telegraf__additional_groups:
+
+  # Integration with the 'debops.proc_hidepid' role to provide system-wide
+  # access to the /proc filesystem.
+  - '{{ (ansible_local.proc_hidepid.group | d("procadmins"))
+        if (ansible_local.proc_hidepid.enabled | d()) | bool
+        else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Telegraf configuration file [[[
+# -------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/telegraf/telegraf.conf` configuration file
+# See :ref:`telegraf__ref_configuration` for more details.
+
+# .. envvar:: telegraf__default_configuration [[[
+#
+# Default configuration options defined by the role.
+telegraf__default_configuration:
+
+  # Configuration based on the original 'telegraf.conf' configuration file
+  # included in the APT package.
+  - name: 'agent'
+    config:
+      agent:
+        interval: '10s'
+        round_interval: True
+        metric_batch_size: 1000
+        metric_buffer_limit: 10000
+        collection_jitter: '0s'
+        flush_interval: '10s'
+        flush_jitter: '0s'
+        precision: ''
+        hostname: ''
+        omit_hostname: False
+
+                                                                   # ]]]
+# .. envvar:: telegraf__configuration [[[
+#
+# The configuration options which should be present on all hosts in the Ansible
+# inventory.
+telegraf__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf__group_configuration [[[
+#
+# The configuration options which should be present on hosts in a specific
+# Ansible inventory group.
+telegraf__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf_host_configuration [[[
+#
+# The configuration options which should be present on specific hosts in the
+# Ansible inventory.
+telegraf__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf__combined_configuration [[[
+#
+# Full list of Telegraf configuration options passed to the
+# configuration template tasks.
+telegraf__combined_configuration: '{{ telegraf__default_configuration
+                                      + telegraf__configuration
+                                      + telegraf__group_configuration
+                                      + telegraf__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Telegraf configuration plugins [[[
+# ----------------------------------
+
+# The variables below define the contents of the
+# :file:`/etc/telegraf/telegraf.d/` configuration directory.
+# See :ref:`telegraf__ref_plugins` for more details.
+
+# .. envvar:: telegraf__default_plugins [[[
+#
+# Telegraf plugin configuration defined by default in the role.
+telegraf__default_plugins:
+
+  - name: 'input_system'
+    config:
+      inputs:
+        kernel: {}
+        mem: {}
+        processes: {}
+        swap: {}
+        system: {}
+
+  - name: 'input_cpu'
+    config:
+      inputs:
+        cpu:
+          - percpu: True
+            totalcpu: True
+            collect_cpu_time: False
+            report_active: False
+
+  - name: 'input_disk'
+    config:
+      inputs:
+        disk:
+          - ignore_fs:
+              - 'tmpfs'
+              - 'devtmpfs'
+              - 'devfs'
+              - 'iso8660'
+              - 'ovelay'
+              - 'aufs'
+              - 'squashfs'
+
+  - name: 'input_diskio'
+    config:
+      inputs:
+        diskio: {}
+
+  - name: 'input_internal'
+    config:
+      inputs:
+        internal: {}
+
+  - name: 'input_influxdb_local'
+    config:
+      inputs:
+        influxdb_v2_listener:
+          service_address: '127.0.0.1:38086'
+    state: 'present'
+
+  - name: 'output_discard'
+    config:
+      outputs:
+        discard: {}
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: telegraf__plugins [[[
+#
+# Telegraf plugin configuration which should be present on all hosts in the
+# Ansible inventory.
+telegraf__plugins: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf__group_plugins [[[
+#
+# Telegraf plugin configuration which should be present on hosts in a specific
+# Ansible inventory group.
+telegraf__group_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf__host_plugins [[[
+#
+# Telegraf plugin configuration which should be present on specific hosts in
+# the Ansible inventory.
+telegraf__host_plugins: []
+
+                                                                   # ]]]
+# .. envvar:: telegraf__combined_plugins [[[
+#
+# Full list of Telegraf configuration options passed to the
+# configuration template tasks.
+telegraf__combined_plugins: '{{ telegraf__default_plugins
+                                + telegraf__plugins
+                                + telegraf__group_plugins
+                                + telegraf__host_plugins }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: telegraf__influxdata__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.influxdata` Ansible role.
+telegraf__influxdata__dependent_packages:
+  - '{{ telegraf__base_packages }}'
+  - '{{ telegraf__packages }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/telegraf/meta/main.yml b/ansible_collections/debops/debops/roles/telegraf/meta/main.yml
new file mode 100644
index 00000000..f62f4c1a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Dr. Serge Victor'
+  description: 'Install and manage a Telegraf instance'
+  company: 'DebOps'
+  license: 'GPL-3.0-or-later'
+  min_ansible_version: '2.9.0'
+  platforms:
+    - name: 'Debian'
+      versions:
+        - 'bullseye'
+        - 'buster'
+    - name: 'Ubuntu'
+      versions:
+        - 'focal'
+        - 'bionic'
+  galaxy_tags:
+    - 'monitoring'
+    - 'influxdb'
diff --git a/ansible_collections/debops/debops/roles/telegraf/tasks/main.yml b/ansible_collections/debops/debops/roles/telegraf/tasks/main.yml
new file mode 100644
index 00000000..f0a916cf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Add Telegraf UNIX account to required groups
+  ansible.builtin.user:
+    name: 'telegraf'
+    groups: '{{ telegraf__additional_groups | flatten | join(",") }}'
+    state: 'present'
+    append: True
+  notify: [ 'Check telegraf and restart' ]
+
+- name: Configure Telegraf instance leading file
+  ansible.builtin.template:
+    src: 'etc/telegraf/telegraf.conf.j2'
+    dest: '/etc/telegraf/telegraf.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check telegraf and restart' ]
+
+- name: Remove plugins configuration if requested
+  ansible.builtin.file:
+    path: '/etc/telegraf/telegraf.d/{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ telegraf__combined_plugins | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: item.state | d('present') == 'absent' and item.config | d()
+  notify: [ 'Check telegraf and restart' ]
+
+- name: Find plugins which are in filesystem
+  ansible.builtin.find:
+    paths: '/etc/telegraf/telegraf.d'
+    patterns: '*.conf'
+  register: telegraf__register_existing_plugins_filenames
+
+- name: Backup and disactivate plugins unexisting in desired configuration
+  ansible.builtin.command:
+    cmd: mv -f '{{ item.path | quote }}' '{{ item.path | quote }}.inactive'
+    removes: '{{ item.path }}'
+  loop: '{{ telegraf__register_existing_plugins_filenames.files }}'
+  loop_control:
+    label: '{{ {"path": item.path} }}'
+  when: item.path | basename | splitext | first not in telegraf__combined_plugins | debops.debops.parse_kv_items | map(attribute="name")
+  notify: [ 'Check telegraf and restart' ]
+
+- name: Configure plugins
+  ansible.builtin.template:
+    src: 'etc/telegraf/telegraf.d/plugin.conf.j2'
+    dest: '/etc/telegraf/telegraf.d/{{ item.name }}.conf'
+    owner: 'root'
+    group: 'telegraf'
+    mode: '0640'
+  loop: '{{ telegraf__combined_plugins | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": item.state | d("present")} }}'
+  when: (item.state | d('present') not in ['absent', 'ignore'] and
+         (item.config | d() or item.raw | d()))
+  no_log: '{{ debops__no_log | d(True) }}'
+  notify: [ 'Check telegraf and restart' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Telegraf instance local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/telegraf.fact.j2'
+    dest: '/etc/ansible/facts.d/telegraf.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Re-read local facts if they have been modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/telegraf/templates/etc/ansible/facts.d/telegraf.fact.j2 b/ansible_collections/debops/debops/roles/telegraf/templates/etc/ansible/facts.d/telegraf.fact.j2
new file mode 100644
index 00000000..c44b8e53
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/templates/etc/ansible/facts.d/telegraf.fact.j2
@@ -0,0 +1,25 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {}
+output['installed'] = cmd_exists('telegraf')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.conf.j2 b/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.conf.j2
new file mode 100644
index 00000000..2080159a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.conf.j2
@@ -0,0 +1,22 @@
+{# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{% set telegraf__tpl_configuration = {} %}
+{% for element in telegraf__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'init', 'ignore' ] and element.config | d() %}
+{%     set combined_config = telegraf__tpl_configuration | combine(element.config, recursive=True) %}
+{%     set _ = telegraf__tpl_configuration.update(combined_config) %}
+{%   endif %}
+{% endfor %}
+{% if telegraf__tpl_configuration %}
+{{   telegraf__tpl_configuration | debops.debops.to_toml | regex_replace('\n$','') }}
+{% else %}
+# This Telegraf instance is configured in:
+#
+#   /etc/telegraf/telegraf.d/
+#
+# directory only.
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.d/plugin.conf.j2 b/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.d/plugin.conf.j2
new file mode 100644
index 00000000..179032b3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/telegraf/templates/etc/telegraf/telegraf.d/plugin.conf.j2
@@ -0,0 +1,23 @@
+{# Copyright (C) 2021 Dr. Serge Victor <https://dr.sergevictor.eu/>
+ # Copyright (C) 2021 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if item.raw | d() %}
+{%   if item.state | d('present') == 'comment' %}
+{{     item.raw | regex_replace('\n$', '') | regex_replace('^', '#', multiline=True) }}
+{%   else %}
+{{     item.raw | regex_replace('\n$', '') }}
+{%   endif %}
+{% elif item.config | d() %}
+{%   if item.state | d('present') == 'comment' %}
+{{     item.config | debops.debops.to_toml | regex_replace('^', '#', multiline=True) }}
+{%   else %}
+{{     item.config | debops.debops.to_toml }}
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tftpd/COPYRIGHT b/ansible_collections/debops/debops/roles/tftpd/COPYRIGHT
new file mode 100644
index 00000000..55ed6afc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.tftpd - Manage TFTP server using Ansible
+
+Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tftpd/defaults/main.yml b/ansible_collections/debops/debops/roles/tftpd/defaults/main.yml
new file mode 100644
index 00000000..5ffa9b04
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/defaults/main.yml
@@ -0,0 +1,138 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tftpd__ref_defaults:
+
+# debops.tftpd default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: tftpd__base_packages [[[
+#
+# List of base APT packages to install for TFTP server support.
+tftpd__base_packages: [ 'tftpd-hpa' ]
+
+                                                                   # ]]]
+# .. envvar:: tftpd__packages [[[
+#
+# List of additional APT packages to install with TFTP server.
+tftpd__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# TFTP server configuration [[[
+# -----------------------------
+
+# .. envvar:: tftpd__address [[[
+#
+# Address and port on which TFTP server is listening for new connections.
+tftpd__address: '[::]:69'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__directory [[[
+#
+# Root directory with files served over TFTP.
+tftpd__directory: '/srv/tftp'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__username [[[
+#
+# UNIX system account used by the TFTP server.
+tftpd__username: 'tftp'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__options [[[
+#
+# Additional options passed to the :command:`tftpd-hpa` daemon, defined as
+# a string or a YAML list (lists will be flattened automatically).
+tftpd__options:
+  - '--secure'
+  - '{{ ["--permissive", "--create", ("--umask " + tftpd__upload_umask)]
+        if tftpd__upload_enabled | bool else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Support for file uploads [[[
+# ----------------------------
+
+# .. envvar:: tftpd__upload_enabled [[[
+#
+# Enable or disable support for file uploads over TFTP service.
+tftpd__upload_enabled: '{{ True if tftpd__allow | d() else False }}'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__upload_directory [[[
+#
+# Name of the upload subdirectory located in the TFTP root directory which will
+# be owned by the TFTP user with write access.
+tftpd__upload_directory: 'upload'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__upload_group [[[
+#
+# Specify the primary UNIX group of the upload directory.
+tftpd__upload_group: 'tftp'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__upload_mode [[[
+#
+# Specify the UNIX attributes of the upload directory.
+tftpd__upload_mode: '0751'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__upload_umask [[[
+#
+# Specify the :man:`umask(2)` used during file uploads by the TFTP server.
+tftpd__upload_umask: '0002'
+                                                                   # ]]]
+                                                                   # ]]]
+# Firewall and TCP Wrappers configuration [[[
+# -------------------------------------------
+
+# .. envvar:: tftpd__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to TFTP
+# server. If it's empty, anybody can connect to the FTP server.
+tftpd__allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: tftpd__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+tftpd__ferm__dependent_rules:
+
+  - type: 'accept'
+    protocols: [ 'udp' ]
+    dport: [ 'tftp' ]
+    saddr: '{{ tftpd__allow }}'
+    accept_any: True
+    weight: '50'
+    filename: 'tftpd_dependency_accept'
+
+                                                                   # ]]]
+# .. envvar:: tftpd__tcpwrappers__dependent_allow [[[
+#
+# Configuration for the :ref:`debops.tcpwrappers` Ansible role.
+tftpd__tcpwrappers__dependent_allow:
+
+  - daemon: 'in.tftpd'
+    client: '{{ tftpd__allow }}'
+    accept_any: True
+    weight: '50'
+    filename: 'tftpd_dependency_allow'
+    comment: 'Allow remote connections to TFTP server'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tftpd/meta/main.yml b/ansible_collections/debops/debops/roles/tftpd/meta/main.yml
new file mode 100644
index 00000000..7de84899
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage standalone TFTP server'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+  platforms:
+    - name: Ubuntu
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+  galaxy_tags:
+    - tftp
+    - provisioning
+    - networking
+    - pxe
+    - ipxe
diff --git a/ansible_collections/debops/debops/roles/tftpd/tasks/main.yml b/ansible_collections/debops/debops/roles/tftpd/tasks/main.yml
new file mode 100644
index 00000000..3efd3d1d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (tftpd__base_packages + tftpd__packages)) }}'
+    state: 'present'
+  register: tftpd__register_install
+  until: tftpd__register_install is succeeded
+
+- name: Configure tftpd service
+  ansible.builtin.template:
+    src: 'etc/default/tftpd-hpa.j2'
+    dest: '/etc/default/tftpd-hpa'
+    mode: '0644'
+  notify: [ 'Restart tftpd-hpa' ]
+
+- name: Create the upload directory if enabled
+  ansible.builtin.file:
+    path:  '{{ tftpd__directory + "/" + tftpd__upload_directory }}'
+    owner: '{{ tftpd__username }}'
+    group: '{{ tftpd__upload_group }}'
+    mode:  '{{ tftpd__upload_mode }}'
+    state: 'directory'
+  when: tftpd__upload_enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save tftpd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tftpd.fact.j2'
+    dest: '/etc/ansible/facts.d/tftpd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/tftpd/templates/etc/ansible/facts.d/tftpd.fact.j2 b/ansible_collections/debops/debops/roles/tftpd/templates/etc/ansible/facts.d/tftpd.fact.j2
new file mode 100644
index 00000000..78b0391b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/templates/etc/ansible/facts.d/tftpd.fact.j2
@@ -0,0 +1,30 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {'installed': False,
+                      'directory': tftpd__directory,
+                      'upload_directory':
+                        (tftpd__directory + "/" + tftpd__upload_directory)
+                     } | to_nice_json }}''')
+
+output['installed'] = cmd_exists('in.tftpd')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/tftpd/templates/etc/default/tftpd-hpa.j2 b/ansible_collections/debops/debops/roles/tftpd/templates/etc/default/tftpd-hpa.j2
new file mode 100644
index 00000000..f6877f03
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tftpd/templates/etc/default/tftpd-hpa.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2015-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# /etc/default/tftpd-hpa
+
+TFTP_USERNAME="{{ tftpd__username }}"
+TFTP_DIRECTORY="{{ tftpd__directory }}"
+TFTP_ADDRESS="{{ tftpd__address }}"
+TFTP_OPTIONS="{{ q('flattened', ([ tftpd__options ] if tftpd__options is string else tftpd__options)) | join(' ') }}"
diff --git a/ansible_collections/debops/debops/roles/tgt/COPYRIGHT b/ansible_collections/debops/debops/roles/tgt/COPYRIGHT
new file mode 100644
index 00000000..35334ce8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.tgt - Manage userspace iSCSI Target service using Ansible
+
+Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tgt/defaults/main.yml b/ansible_collections/debops/debops/roles/tgt/defaults/main.yml
new file mode 100644
index 00000000..f05180d8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/defaults/main.yml
@@ -0,0 +1,86 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2015 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tgt__ref_defaults:
+
+# debops.tgt default variables
+# ============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# TGT configuration [[[
+# ---------------------
+
+# .. envvar:: tgt_packages [[[
+#
+# List of packages installed for iSCSI Target support.
+tgt_packages: [ 'tgt' ]
+
+                                                                   # ]]]
+# .. envvar:: tgt_iqn_date [[[
+#
+# Year and month when the Naming Authority of this iSCSI host was established.
+tgt_iqn_date: '{{ ansible_date_time.year + "-" + ansible_date_time.month }}'
+
+                                                                   # ]]]
+# .. envvar:: tgt_iqn_authority [[[
+#
+# DNS domain name of the Naming Authority responsible for this iSCSI Target.
+tgt_iqn_authority: '{{ ansible_domain }}'
+
+                                                                   # ]]]
+# .. envvar:: tgt_iqn_base [[[
+#
+# iSCSI Qualified Name of this iSCSI Target host, will be saved in Ansible
+# local facts to prevent changes related to the default date field.
+tgt_iqn_base: '{{ (ansible_local.tgt.iqn_base
+                   if (ansible_local.tgt.iqn_base | d())
+                   else ("iqn." + tgt_iqn_date + "." +
+                         tgt_iqn_authority.split(".")[::-1] | join("."))) }}'
+
+                                                                   # ]]]
+# .. envvar:: tgt_allow [[[
+#
+# List of IP addresses or CIDR networks which will be allowed to connect to
+# ``iscsi-target`` service through the firewall. If none are specified,
+# connections can be initiated from anywhere.
+tgt_allow: []
+
+                                                                   # ]]]
+# .. envvar:: tgt_options [[[
+#
+# Global ``tgt`` options specified as a YAML text block
+tgt_options: ''
+
+                                                                   # ]]]
+# .. envvar:: tgt_targets [[[
+#
+# List of iSCSI Targets configured on this host. See :ref:`tgt_targets` for
+# more details.
+tgt_targets: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: tgt__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+tgt__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'iscsi-target' ]
+    saddr: '{{ tgt_allow }}'
+    accept_any: True
+    filename: 'tgt_dependency_accept'
+    weight: '50'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tgt/meta/main.yml b/ansible_collections/debops/debops/roles/tgt/meta/main.yml
new file mode 100644
index 00000000..bb3686cb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure iSCSI Targets using tgt'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.7.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - storage
+    - networking
+    - iscsi
diff --git a/ansible_collections/debops/debops/roles/tgt/tasks/main.yml b/ansible_collections/debops/debops/roles/tgt/tasks/main.yml
new file mode 100644
index 00000000..b3aeabe9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "tgt/pre_main.yml") }}'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", tgt_packages) }}'
+    state: 'present'
+  register: tgt__register_packages
+  until: tgt__register_packages is succeeded
+
+- name: Configure tgt global options
+  ansible.builtin.template:
+    src: 'etc/tgt/conf.d/00_tgt_options.conf.j2'
+    dest: '/etc/tgt/conf.d/00_tgt_options.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  notify: [ 'Reload tgt' ]
+
+- name: Remove iSCSI targets if requested
+  ansible.builtin.file:
+    path: '/etc/tgt/conf.d/{{ item.filename | default(item.name) }}.conf'
+    state: 'absent'
+  with_items: '{{ tgt_targets }}'
+  notify: [ 'Reload tgt' ]
+  when: ((item.name is defined and item.name) and
+         (item.delete is defined and item.delete))
+
+- name: Configure iSCSI targets
+  ansible.builtin.template:
+    src: 'etc/tgt/conf.d/target.conf.j2'
+    dest: '/etc/tgt/conf.d/{{ item.filename | default(item.name) }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0600'
+  with_items: '{{ tgt_targets }}'
+  notify: [ 'Reload tgt' ]
+  when: ((item.name is defined and item.name) and
+         (item.delete is undefined or not item.delete))
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save iSCSI Target facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tgt.fact.j2'
+    dest: '/etc/ansible/facts.d/tgt.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'meta::facts' ]
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: '{{ lookup("debops.debops.task_src", "tgt/post_main.yml") }}'
diff --git a/ansible_collections/debops/debops/roles/tgt/tasks/tgt/post_main.yml b/ansible_collections/debops/debops/roles/tgt/tasks/tgt/post_main.yml
new file mode 100644
index 00000000..7b4f625d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/tasks/tgt/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/tgt/tasks/tgt/pre_main.yml b/ansible_collections/debops/debops/roles/tgt/tasks/tgt/pre_main.yml
new file mode 100644
index 00000000..7b4f625d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/tasks/tgt/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/tgt/templates/etc/ansible/facts.d/tgt.fact.j2 b/ansible_collections/debops/debops/roles/tgt/templates/etc/ansible/facts.d/tgt.fact.j2
new file mode 100644
index 00000000..2be5b4cf
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/templates/etc/ansible/facts.d/tgt.fact.j2
@@ -0,0 +1,8 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tgt_tpl_iqn_base = ansible_local.tgt.iqn_base | d(tgt_iqn_base) %}
+{
+"iqn_base":"{{ tgt_tpl_iqn_base }}"
+}
diff --git a/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/00_tgt_options.conf.j2 b/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/00_tgt_options.conf.j2
new file mode 100644
index 00000000..c5e81c3f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/00_tgt_options.conf.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Global tgt options
+{% if tgt_options is defined and tgt_options %}
+{{ tgt_options }}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/target.conf.j2 b/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/target.conf.j2
new file mode 100644
index 00000000..dd952264
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tgt/templates/etc/tgt/conf.d/target.conf.j2
@@ -0,0 +1,39 @@
+{# Copyright (C) 2015 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro print_target(target) %}
+{% if target.iqn is undefined %}
+{% set tgt_tpl_target_iqn = tgt_iqn_base + ":" + item.name %}
+{% elif target.iqn %}
+{% set tgt_tpl_target_iqn = target.iqn %}
+{% endif %}
+<target {{ tgt_tpl_target_iqn }}>
+{% if target.backing_stores is defined and target.backing_stores %}
+{% for element in target.backing_stores | sort | unique %}
+{{ print_store('backing', element) }}
+{% endfor %}
+{% endif %}
+{% if target.direct_stores is defined and target.direct_stores %}
+{% for element in target.direct_stores | sort | unique %}
+{{ print_store('direct', element) }}
+{% endfor %}
+{% endif %}
+{% if target.options is defined and target.options %}
+{{ target.options | indent(4,true) }}
+{% endif %}
+</target>
+
+{% endmacro %}
+{% macro print_store(type, store) %}
+{% if store is mapping %}
+{{ "<%s-store %s>" | format(type, store.store) | indent(4, true) }}
+{% if store.options is defined and store.options %}
+{{ store.options | indent(8, true) }}
+{% endif %}
+{{ "</%s-store>" | format(type) | indent(4,true) }}
+{% else %}{{ "%s-store %s" | format(type, store) | indent(4, true) }}{% endif %}
+{% endmacro %}
+# {{ ansible_managed }}
+
+{{ print_target(item) }}
diff --git a/ansible_collections/debops/debops/roles/timesyncd/COPYRIGHT b/ansible_collections/debops/debops/roles/timesyncd/COPYRIGHT
new file mode 100644
index 00000000..3450334b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.timesyncd - Manage time synchronization using systemd-timesyncd
+
+Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2023 DebOps <http://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/timesyncd/defaults/main.yml b/ansible_collections/debops/debops/roles/timesyncd/defaults/main.yml
new file mode 100644
index 00000000..dfb1234d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/defaults/main.yml
@@ -0,0 +1,162 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2023 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _timesyncd__ref_defaults:
+
+# debops.timesyncd default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General options [[[
+# -------------------
+
+# .. envvar:: timesyncd__enabled [[[
+#
+# Enable or disable management of the :command:`systemd-timesyncd` service using
+# DebOps. If the parameter is set to ``False``, the role will not touch service
+# configuration.
+timesyncd__enabled: '{{ True
+                       if (ansible_service_mgr == "systemd" and
+                           timesyncd__fact_service_state == "present")
+                       else False }}'
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__deploy_state [[[
+#
+# This variable controls if the :command:`systemd-timesyncd` main configuration
+# file is managed on the host (``present``) or not (``absent``, default). If
+# deployment state is disabled, :command:`systemd-timesyncd` will use the
+# configuration provided with the OS package.
+timesyncd__deploy_state: 'absent'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages and installation [[[
+# ---------------------------------
+
+# .. envvar:: timesyncd__base_packages [[[
+#
+# List of base APT packages for :command:`systemd-timesyncd` support. The APT
+# package is separate from ``systemd`` APT package to allow for conflict
+# resolution with other APT packages that provide the ``time-daemon`` virtual
+# package.
+timesyncd__base_packages: [ 'systemd-timesyncd' ]
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__packages [[[
+#
+# List of additional APT packages to install for :command:`systemd-timesyncd`
+# support.
+timesyncd__packages: []
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__skip_packages [[[
+#
+# List of APT packages which provide the ``time-daemon`` virtual package. When
+# the role detects that they are installed on the host, it will turn itself off
+# to avoid conflicts.
+timesyncd__skip_packages: [ 'openntpd', 'ntpsec', 'ntp', 'chrony' ]
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__version [[[
+#
+# Specify the version of the :command:`systemd-timesyncd` daemon installed on
+# the host. By default this variable is defined using Ansible local facts and
+# can be used to alter configuration depending on the version of the service.
+timesyncd__version: '{{ ansible_local.timesyncd.version | d("0") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# The :command:`systemd-timesyncd` daemon configuration [[[
+# ---------------------------------------------------------
+
+# These variables define the contents of the
+# :file:`/etc/systemd/timesyncd.conf` configuration file. Check the
+# :man:`timesyncd.conf(5)` manual page for more information about the
+# configuration options, and :ref:`timesyncd__ref_configuration` for details
+# about the configuration of the role itself.
+#
+# By default the configuration is not applied on the hosts, you need to set
+# :envvar:`timesyncd__deploy_state` variable to ``present`` to deploy the
+# configuration.
+
+# .. envvar:: timesyncd__default_configuration [[[
+#
+# List of the default configuration options defined by the role.
+timesyncd__default_configuration:
+
+  - name: 'NTP'
+    value: []
+    state: 'init'
+
+  - name: 'FallbackNTP'
+    value:
+      - '0.debian.pool.ntp.org'
+      - '1.debian.pool.ntp.org'
+      - '2.debian.pool.ntp.org'
+      - '3.debian.pool.ntp.org'
+    state: 'init'
+
+  - name: 'RootDistanceMaxSec'
+    value: 5
+    state: 'init'
+
+  - name: 'PollIntervalMinSec'
+    value: 32
+    state: 'init'
+
+  - name: 'PollIntervalMaxSec'
+    value: 2048
+    state: 'init'
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__configuration [[[
+#
+# List of the configuration options which should be present on all hosts in the
+# Ansible inventory.
+timesyncd__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__group_configuration [[[
+#
+# List of the configuration options which should be present on hosts in
+# a specific Ansible inventory group.
+timesyncd__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__host_configuration [[[
+#
+# List of the configuration options which should be present on specific hosts
+# in the Ansible inventory.
+timesyncd__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: timesyncd__combined_configuration [[[
+#
+# Variable which combines all configuration lists and is used in the role tasks
+# and templates.
+timesyncd__combined_configuration: '{{ timesyncd__default_configuration
+                                       + timesyncd__configuration
+                                       + timesyncd__group_configuration
+                                       + timesyncd__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: timesyncd__dpkg_cleanup__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.dpkg_cleanup` Ansible role.
+timesyncd__dpkg_cleanup__dependent_packages:
+
+  - name: 'systemd-timesyncd'
+    ansible_fact: 'timesyncd'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/timesyncd/meta/main.yml b/ansible_collections/debops/debops/roles/timesyncd/meta/main.yml
new file mode 100644
index 00000000..a92aa1a3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <http://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage time synchronization using systemd-timesyncd'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - systemd
+    - time
+    - ntp
diff --git a/ansible_collections/debops/debops/roles/timesyncd/tasks/main.yml b/ansible_collections/debops/debops/roles/timesyncd/tasks/main.yml
new file mode 100644
index 00000000..fbc89c93
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/tasks/main.yml
@@ -0,0 +1,90 @@
+---
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Check if other time daemons are installed
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    dpkg --get-selections | grep -w -E '({{ timesyncd__skip_packages | join("|") }})'
+                          | awk '{print $1}' || true
+  args:
+    executable: '/bin/bash'
+  register: timesyncd__register_time_daemons
+  changed_when: False
+  failed_when: False
+  check_mode: False
+
+- name: Set timesyncd deployment state
+  ansible.builtin.set_fact:
+    timesyncd__fact_service_state: '{{ "present"
+                                       if (not timesyncd__register_time_daemons.stdout | d())
+                                       else "absent" }}'
+
+- name: Install required timesyncd packages
+  ansible.builtin.package:
+    name: '{{ timesyncd__base_packages + timesyncd__packages }}'
+    state: 'present'
+  register: timesyncd__register_packages
+  until: timesyncd__register_packages is succeeded
+  when: timesyncd__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: timesyncd__enabled | bool
+
+- name: Save timesyncd local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/timesyncd.fact.j2'
+    dest: '/etc/ansible/facts.d/timesyncd.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: timesyncd__enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Remove systemd-timesyncd configuration if requested
+  ansible.builtin.file:
+    path: '/etc/systemd/timesyncd.conf.d/ansible.conf'
+    state: 'absent'
+  notify: [ 'Restart systemd-timesyncd service' ]
+  when: timesyncd__enabled | bool and timesyncd__deploy_state == 'absent'
+
+- name: Create systemd-timesyncd configuration directory
+  ansible.builtin.file:
+    path: '/etc/systemd/timesyncd.conf.d'
+    state: 'directory'
+    mode: '0755'
+  when: timesyncd__enabled | bool and timesyncd__deploy_state != 'absent'
+
+- name: Generate systemd-timesyncd configuration
+  ansible.builtin.template:
+    src: 'etc/systemd/timesyncd.conf.d/ansible.conf.j2'
+    dest: '/etc/systemd/timesyncd.conf.d/ansible.conf'
+    mode: '0644'
+  notify: [ 'Restart systemd-timesyncd service' ]
+  when: timesyncd__enabled | bool and timesyncd__deploy_state != 'absent'
+
+- name: Flush handlers when needed
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ timesyncd__dpkg_cleanup__dependent_packages }}'
+  when: timesyncd__enabled | bool
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::timesyncd:dpkg_cleanup' ]
diff --git a/ansible_collections/debops/debops/roles/timesyncd/templates/etc/ansible/facts.d/timesyncd.fact.j2 b/ansible_collections/debops/debops/roles/timesyncd/templates/etc/ansible/facts.d/timesyncd.fact.j2
new file mode 100644
index 00000000..39e2df6d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/templates/etc/ansible/facts.d/timesyncd.fact.j2
@@ -0,0 +1,39 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2023 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def binary_exists(binary):
+    if os.path.exists(binary) and os.path.isfile(binary):
+        return True
+    else:
+        return False
+
+
+output = {'installed': binary_exists('/lib/systemd/systemd-timesyncd'),
+          'enabled': loads('''{{ timesyncd__enabled
+                                 | bool | to_json }}''')}
+
+try:
+    timesyncd_version_stdout = subprocess.check_output(
+            ["timedatectl", "--version"]
+            ).decode('utf-8').strip()
+
+    for line in timesyncd_version_stdout.split('\n'):
+        if line.lower().startswith('systemd '):
+            output['version'] = line.split()[1]
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/timesyncd/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2 b/ansible_collections/debops/debops/roles/timesyncd/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2
new file mode 100644
index 00000000..0a7a1b1d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/timesyncd/templates/etc/systemd/timesyncd.conf.d/ansible.conf.j2
@@ -0,0 +1,40 @@
+{# Copyright (C) 2023 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2023 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# See timesyncd.conf(5) for details.
+
+[Time]
+{% for element in timesyncd__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%     set element_comment = ('#' if (element.state | d('present') in [ 'init', 'comment' ]) else '') %}
+{%     if element.value is undefined %}
+{%       set element_value = '' %}
+{%     elif element.value is string and not element.value | bool %}
+{%       set element_value = element.value %}
+{%     elif element.value | bool and element.value is not iterable %}
+{%       if element.value | string == '1' %}
+{%         set element_value = element.value %}
+{%       else %}
+{%         set element_value = 'yes' %}
+{%       endif %}
+{%     elif not element.value | bool and element.value is not iterable %}
+{%       if element.value is not none %}
+{%         if element.value | int %}
+{%           set element_value = element.value %}
+{%         else %}
+{%           if element.value | string == '0' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'no' %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
+{%     else %}
+{%       set element_value = element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list | join(' ') %}
+{%     endif %}
+{{     '{}{}={}'.format(element_comment, element.name, element_value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/tinc/COPYRIGHT b/ansible_collections/debops/debops/roles/tinc/COPYRIGHT
new file mode 100644
index 00000000..e0d42297
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.tinc - Configure tinc mesh VPN network
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tinc/defaults/main.yml b/ansible_collections/debops/debops/roles/tinc/defaults/main.yml
new file mode 100644
index 00000000..632ad751
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/defaults/main.yml
@@ -0,0 +1,337 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tinc__ref_defaults:
+
+# debops.tinc default variables [[[
+# =================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Network configuration [[[
+# -------------------------
+
+# This is a set of YAML dictionary variables which contain configuration of
+# Tinc mesh networks. Each network is a YAML dictionary with specific
+# parameters. See :ref:`tinc__ref_networks` for more details.
+
+# .. envvar:: tinc__default_networks [[[
+#
+# YAML dictionary that contains the configuration of the default Tinc mesh
+# network.
+tinc__default_networks:
+  'mesh0':
+    port: '655'
+
+                                                                   # ]]]
+# .. envvar:: tinc__networks [[[
+#
+# YAML dictionary that contains the configuration of the Tinc mesh networks
+# configured on all hosts in the Ansible inventory.
+tinc__networks: {}
+
+                                                                   # ]]]
+# .. envvar:: tinc__group_networks [[[
+#
+# YAML dictionary that contains the configuration of the Tinc mesh networks
+# configured on a group of hosts in Ansible inventory.
+tinc__group_networks: {}
+
+                                                                   # ]]]
+# .. envvar:: tinc__host_networks [[[
+#
+# YAML dictionary that contains the configuration of the Tinc mesh networks
+# configured on specific hosts in Ansible inventory.
+tinc__host_networks: {}
+
+                                                                   # ]]]
+# .. envvar:: tinc__combined_networks [[[
+#
+# YAML dictionary which contains configuration of Tinc networks combined using
+# other dictionaries configured in the Ansible inventory. This variable is used
+# by the role tasks and templates.
+tinc__combined_networks: '{{ lookup("template",
+                             "lookup/tinc__combined_networks.j2",
+                             convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: tinc__base_packages [[[
+#
+# List of APT packages to install for ``tinc`` support.
+tinc__base_packages: [ 'tinc' ]
+
+                                                                   # ]]]
+# .. envvar:: tinc__packages [[[
+#
+# List of additional APT packages to install during ``tinc`` configuration.
+tinc__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Ansible inventory parameters [[[
+# --------------------------------
+
+# .. envvar:: tinc__inventory_hosts [[[
+#
+# This list defines which hosts in Ansible inventory participate in a Tinc VPN.
+# They will have their own directories in the :file:`secret/` store on the Ansible
+# Controller used to distribute public host keys.
+tinc__inventory_hosts: '{{ groups.debops_service_tinc | d([]) }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__inventory_self [[[
+#
+# This list specifies what inventory hostnames the node considers as its own.
+# These hostnames will be ignored when they appear on the list of the hosts to
+# connect to.
+tinc__inventory_self:
+  - '{{ tinc__hostname }}'
+  - '{{ tinc__inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__inventory_hostname [[[
+#
+# Name of this node in Ansible’s inventory. This variable is used during the
+# file upload/download to have consistent mapping between directories and
+# Ansible’s inventory.
+tinc__inventory_hostname: '{{ inventory_hostname }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__hostname [[[
+#
+# Name of this node used in configuration files of the mesh. Don't
+# change this unless you know what you are doing.
+tinc__hostname: '{{ inventory_hostname_short }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Application environment [[[
+# ---------------------------
+
+# .. envvar:: tinc__user [[[
+#
+# System user account which is used to run ``tincd``.
+# For more details refer to :ref:`item.user <tinc__ref_networks_user>`.
+tinc__user: 'tinc-vpn'
+
+                                                                   # ]]]
+# .. envvar:: tinc__group [[[
+#
+# System group which is used to access ``tincd`` configuration files.
+tinc__group: 'tinc-vpn'
+
+                                                                   # ]]]
+# .. envvar:: tinc__home [[[
+#
+# Home directory of the ``tincd`` user.
+tinc__home: '/etc/tinc'
+
+                                                                   # ]]]
+# .. envvar:: tinc__ulimit_memlock [[[
+#
+# Specify the maximum amount of memory that shouldn't be moved to swap
+# ("memlock) by the kernel. This value is passed to the :command:`ulimit`
+# command and defined in the :command:`tinc` :command:`systemd` unit file.
+tinc__ulimit_memlock: '{{ (1024 * tinc__rsa_key_length | int * 16) }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__ulimit_options [[[
+#
+# List of options passed to ``ulimit`` command before starting ``tincd``
+# processes. Set the maximum size of address space locked into memory, in KB.
+tinc__ulimit_options: '-l {{ tinc__ulimit_memlock }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__extra_options [[[
+#
+# String with extra options to be passed to all ``tincd`` instances in the
+# :file:`/etc/default/tinc` config file and :command:`systemd` unit.
+tinc__extra_options: ''
+
+                                                                   # ]]]
+# .. envvar:: tinc__systemd [[[
+#
+# Enable support for ``systemd`` if it is detected as the init system.
+tinc__systemd: '{{ True
+                   if (ansible_service_mgr | d("unknown") == "systemd")
+                   else False }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__vcs_ignore_patterns [[[
+#
+# This list of ignore patterns for files below :file:`/etc/tinc` that version
+# control systems should ignore.
+# :file:`/etc` is not tracked by default by a version control system.
+# This definition exists preliminary in case you decide to use :program:`etckeeper` for
+# example to track changes in :file:`/etc`.
+#
+# Note that currently, only :command:`git` as version control system is supported. If
+# you use another version control system, be sure to add support for it to
+# this role.
+# Ignore patterns are specified using the :file:`.gitignore` file format
+# documented in :manpage:`gitignore(5)`.
+# By default, any file below :file:`/etc/tinc/` called :file:`rsa_key.priv`
+# will not be tracked.
+#
+# .. note:: When you started using this role before version 0.3.0 and
+#    sensitive files are already tracked by version control you will need to
+#    manually deleted them from version control history!
+#
+tinc__vcs_ignore_patterns: [ 'rsa_key.priv' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# tinc daemon configuration [[[
+# -----------------------------
+
+# .. envvar:: tinc__rsa_key_length [[[
+#
+# Length of the RSA private key generated on each node.
+tinc__rsa_key_length: '8192'
+
+                                                                   # ]]]
+# .. envvar:: tinc__hwaddr_prefix [[[
+#
+# A stable MAC address prefix that will make sure that the randomly generated
+# MAC address of any Tinc interface is located within a set of Locally
+# Administered Address Ranges. https://serverfault.com/questions/40712/
+# Reserved prefixes: `[0-9a-f]2`, `[0-9a-f]6`, `[0-9a-f]a`, `[0-9a-f]e`.
+tinc__hwaddr_prefix: 'de'
+
+                                                                   # ]]]
+# .. envvar:: tinc__metric [[[
+#
+# The default route metric configured by the :command:`dhclient` daemon.
+tinc__metric: '100'
+
+                                                                   # ]]]
+# .. envvar:: tinc__host_addresses [[[
+#
+# List of FQDN or IP addresses which are included in the public key file of
+# a given host. Other hosts will use these addresses to connect to that host.
+tinc__host_addresses: '{{ tinc__host_addresses_fqdn +
+                          tinc__host_addresses_ip_public }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__host_addresses_fqdn [[[
+#
+# Include the host FQDN if public IP addresses are available.
+tinc__host_addresses_fqdn: '{{ [ansible_fqdn]
+                               if ((ansible_all_ipv4_addresses | d([])
+                                    + (ansible_all_ipv6_addresses | d([])
+                                       | difference(ansible_all_ipv6_addresses | d([])
+                                                    | ansible.utils.ipaddr("link-local"))))
+                                   | ansible.utils.ipaddr("public"))
+                               else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__host_addresses_ip_public [[[
+#
+# Include all public IP addresses, without IPv6 link-local.
+tinc__host_addresses_ip_public: '{{ (ansible_all_ipv4_addresses | d([])
+                                     + (ansible_all_ipv6_addresses | d([])
+                                        | difference(ansible_all_ipv6_addresses | d([])
+                                                     | ansible.utils.ipaddr("link-local"))))
+                                    | ansible.utils.ipaddr("public") }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__host_addresses_ip_private [[[
+#
+# Include all private IP addresses, without IPv6 link-local.
+tinc__host_addresses_ip_private: '{{ (ansible_all_ipv4_addresses | d([])
+                                      + (ansible_all_ipv6_addresses | d([])
+                                         | difference(ansible_all_ipv6_addresses | d([])
+                                                      | ansible.utils.ipaddr("link-local"))))
+                                     | ansible.utils.ipaddr("private") }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__exclude_addresses [[[
+#
+# List of FQDN host entries or IP addresses which should be excluded from the
+# list of connection addresses in the public key file.
+tinc__exclude_addresses: '{{ lookup("template",
+                             "lookup/tinc__exclude_addresses.j2",
+                             convert_data=False) | from_yaml }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Kernel modules [[[
+# ------------------
+
+# .. envvar:: tinc__modprobe [[[
+#
+# Load required kernel modules if they are not present, and ensure that they
+# are loaded at boot time.
+tinc__modprobe: True
+
+                                                                   # ]]]
+# .. envvar:: tinc__modprobe_modules [[[
+#
+# List of kernel modules to load.
+tinc__modprobe_modules: [ 'tun' ]
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: tinc__secret__directories [[[
+#
+# Configuration for the :ref:`debops.secret`.
+tinc__secret__directories: '{{ lookup("template",
+                               "lookup/tinc__secret_directories.j2",
+                               convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services`.
+tinc__etc_services__dependent_list: '{{ lookup("template",
+                                        "lookup/tinc__etc_services__dependent_list.j2",
+                                        convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm`.
+tinc__ferm__dependent_rules: '{{ lookup("template",
+                                 "lookup/tinc__ferm__dependent_rules.j2",
+                                 convert_data=False) | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: tinc__persistent_paths__dependent_paths [[[
+#
+# Configuration for the :ref:`debops.persistent_paths`.
+#
+# Note that when the same network gets deleted and then added again to
+# :envvar:`tinc__combined_networks`, the role might need two runs to also
+# update the defaults file in the persistent location.
+#
+# Note that bind-dirs in Qubes OS currently does not restore symlinks (only their destination).
+# (:file:`/etc/systemd/system/multi-user.target.wants/tinc.service` is a symlink).
+# This works for ``ypid`` as he does not want auto start on Qubes OS AppVMs anyway.
+# If you need it on Qubes OS, feel free to discuss and patch bind-dirs.
+tinc__persistent_paths__dependent_paths:
+
+  '50_debops_tinc':
+    by_role: 'debops.tinc'
+    paths: |
+      {{ [
+        '/etc/tinc',
+        '/etc/systemd/system/tinc.service',
+        '/etc/systemd/system/tinc@.service',
+        '/etc/systemd/system/multi-user.target.wants/tinc.service',
+      ] + ((ansible_local.tinc.networks.keys() | map("regex_replace", "^", "/etc/default/tinc-") | list)
+           if (ansible_local.tinc.networks | d())
+           else [])
+      }}
+# ]]]
+# ]]]
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/tinc/meta/main.yml b/ansible_collections/debops/debops/roles/tinc/meta/main.yml
new file mode 100644
index 00000000..a9b02b46
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Configure tinc mesh VPN network'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - networking
+    - tinc
+    - vpn
diff --git a/ansible_collections/debops/debops/roles/tinc/tasks/main.yml b/ansible_collections/debops/debops/roles/tinc/tasks/main.yml
new file mode 100644
index 00000000..c49e0980
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/tasks/main.yml
@@ -0,0 +1,357 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# Package installation [[[1
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (tinc__base_packages
+                              + tinc__packages)) }}'
+    state: 'present'
+  register: tinc__register_install
+  until: tinc__register_install is succeeded
+
+# Create user [[[1
+- name: Create system group for VPN service
+  ansible.builtin.group:
+    name: '{{ tinc__group }}'
+    state: 'present'
+    system: True
+
+- name: Create system user for VPN service
+  ansible.builtin.user:
+    name: '{{ tinc__user }}'
+    state: 'present'
+    system: True
+    comment: 'tinc VPN service'
+    home: '{{ tinc__home }}'
+    group: '{{ tinc__group }}'
+    shell: '/bin/false'
+    createhome: False
+
+# Kernel modules [[[1
+- name: Load the required kernel modules
+  community.general.modprobe:
+    name: '{{ item }}'
+    state: 'present'
+  with_items: '{{ tinc__modprobe_modules }}'
+  when: (tinc__modprobe | bool and
+         (((ansible_system_capabilities_enforced | d()) | bool and
+          "cap_sys_admin" in ansible_system_capabilities) or
+         not (ansible_system_capabilities_enforced | d(True)) | bool))
+
+- name: Make sure that required modules are loaded on boot
+  ansible.builtin.lineinfile:
+    dest: '/etc/modules'
+    regexp: '^{{ item }}$'
+    line: '{{ item }}'
+    state: 'present'
+    mode: '0644'
+  with_items: '{{ tinc__modprobe_modules }}'
+  when: (tinc__modprobe | bool and
+         (((ansible_system_capabilities_enforced | d()) | bool and
+          "cap_sys_admin" in ansible_system_capabilities) or
+         not (ansible_system_capabilities_enforced | d(True)) | bool))
+
+# Tinc configuration [[[1
+- name: Set tincd default environment
+  ansible.builtin.template:
+    src: 'etc/default/tinc.j2'
+    dest: '/etc/default/tinc'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Reload tinc' ]
+
+- name: Disable tinc networks in systemd if requested
+  ansible.builtin.service:  # noqa no-handler
+    name: 'tinc@{{ item.value.name | d(item.key) }}'
+    enabled: False
+    state: '{{ (item.state | d("present") in ["absent"]) | ternary("started", "stopped") }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: tinc__systemd | bool and item.value.state | d('present') == 'absent' and
+        not tinc__register_install is changed
+
+- name: Remove tinc network configuration if requested
+  ansible.builtin.file:
+    path: '/etc/tinc/{{ item.value.name | d(item.key) }}'
+    state: 'absent'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') == 'absent'
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.hostname | d(tinc__hostname))
+                                                                  | replace("-", "_") }}.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+
+- name: Generate main configuration file
+  ansible.builtin.template:
+    src: 'etc/tinc/network/tinc.conf.j2'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/tinc.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent' and item.value.tinc_options | d()
+  notify: [ 'Reload tinc' ]
+
+- name: Remove deprecated dhclient hook script
+  ansible.builtin.file:
+    dest: '/etc/dhcp/dhclient-enter-hooks.d/00debops-tinc'
+    state: 'absent'
+
+- name: Generate tinc-up network scripts
+  ansible.builtin.template:
+    src: 'etc/tinc/network/tinc-up.j2'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/tinc-up'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0750'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: (item.value.state | d('present') != 'absent' and item.value.generate_tinc_up | d(True) | bool)
+
+- name: Generate tinc-down network scripts
+  ansible.builtin.template:
+    src: 'etc/tinc/network/tinc-down.j2'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/tinc-down'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0750'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: (item.value.state | d('present') != 'absent' and item.value.generate_tinc_up | d(True) | bool)
+
+- name: Configure which networks are started at boot
+  ansible.builtin.template:
+    src: 'etc/tinc/nets.boot.j2'
+    dest: '/etc/tinc/nets.boot'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+
+# RSA key management [[[1
+
+- name: Ensure that sensitive files are excluded from version control
+  ansible.builtin.template:
+    src: 'etc/tinc/gitignore.j2'
+    dest: '/etc/tinc/.gitignore'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+
+- name: Initialize RSA key pairs
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         sh -c 'yes || true' | tincd -n {{ item.value.name | d(item.key) }}
+                                     -K {{ item.value.rsa_key_length | d(tinc__rsa_key_length) }}
+  args:
+    executable: 'bash'
+    creates: '/etc/tinc/{{ item.value.name | d(item.key) }}/rsa_key.priv'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+
+- name: Create persistent copy of host public key
+  ansible.builtin.command: cp /etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                     | replace("-", "_") }}
+              /etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                     | replace("-", "_") + ".d/99_rsa-public-key" }}
+  args:
+    creates: /etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                    | replace("-", "_") + ".d/99_rsa-public-key" }}
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+
+# Tinc host configuration [[[1
+- name: Generate host configuration file
+  ansible.builtin.template:
+    src: 'etc/tinc/network/hosts/host-config.j2'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                  | replace("-", "_") }}.d/00_host-config'
+    owner: 'root'
+    group: 'root'
+    mode: '0640'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+
+- name: Assemble host configuration file from parts
+  ansible.builtin.assemble:
+    src: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                 | replace("-", "_") }}.d'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                  | replace("-", "_") }}'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0640'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+  notify: [ 'Reload tinc' ]
+
+# Tinc host configuration distribution [[[1
+- name: Upload public keys from hosts to Ansible Controller
+  ansible.builtin.fetch:
+    src: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/{{ (item.value.hostname | d(tinc__hostname))
+                                                                 | replace("-", "_") }}'
+    dest: '{{ secret + "/tinc/networks/" + item.value.name | d(item.key)
+              + "/by-network/" + item.value.name | d(item.key) + "/hosts/"
+              + (item.value.hostname | d(tinc__hostname) | replace("-", "_")) }}'
+    flat: True
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+
+- name: Download public keys per network
+  ansible.builtin.copy:
+    src: '{{ secret + "/tinc/networks/" + item.value.name | d(item.key)
+             + "/by-network/" + item.value.name | d(item.key) + "/hosts/" }}'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0640'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+  notify: [ 'Reload tinc' ]
+
+- name: Download public keys for all hosts
+  ansible.builtin.copy:
+    src: '{{ secret + "/tinc/networks/" + item.value.name | d(item.key) + "/by-group/all/hosts/" }}'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0640'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+  notify: [ 'Reload tinc' ]
+
+- name: Download public keys per group
+  ansible.builtin.copy:
+    src: '{{ secret + "/tinc/networks/" + item.0.name + "/by-group/" + item.1 + "/hosts/" }}'
+    dest: '/etc/tinc/{{ item.0.name }}/hosts/'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0640'
+  with_nested:
+    - '{{ lookup("template", "lookup/tinc__network_list.j2", convert_data=False) | from_yaml }}'
+    - '{{ lookup("template", "lookup/tinc__inventory_groups.j2", convert_data=False) | from_yaml }}'
+  when: (item.0.name | d() and item.0.state | d('present') != 'absent' and
+         item.1 in item.0.inventory_groups | d([]) and item.1 in group_names)
+  notify: [ 'Reload tinc' ]
+
+- name: Download public keys per host
+  ansible.builtin.copy:
+    src: '{{ secret + "/tinc/networks/" + item.value.name | d(item.key)
+             + "/by-host/" + ((item.value.inventory_hostname | d(tinc__inventory_hostname))) + "/hosts/" }}'
+    dest: '/etc/tinc/{{ item.value.name | d(item.key) }}/hosts/'
+    owner: 'root'
+    group: '{{ tinc__group }}'
+    mode: '0640'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: item.value.state | d('present') != 'absent'
+  notify: [ 'Reload tinc' ]
+
+# systemd configuration [[[1
+- name: Configure systemd default variables
+  ansible.builtin.template:
+    src: 'etc/default/tinc-network.j2'
+    dest: '/etc/default/tinc-{{ item.value.name | d(item.key) }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: tinc__systemd | bool and item.value.state | d('present') != 'absent'
+  notify: [ 'Reload tinc' ]
+
+- name: Configure tinc-down wrapper script
+  ansible.builtin.template:
+    src: 'usr/local/lib/tinc-down-wrapper.j2'
+    dest: '/usr/local/lib/tinc-down-wrapper'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  when: tinc__systemd | bool
+
+- name: Clean up old systemd configuration
+  ansible.builtin.file:
+    path: '/etc/systemd/system/network.target.wants/tinc.service'
+    state: 'absent'
+
+- name: Configure systemd unit files
+  ansible.builtin.template:
+    src: 'etc/systemd/system/{{ item }}.j2'
+    dest: '/etc/systemd/system/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  with_items: [ 'tinc.service', 'tinc@.service' ]
+  register: tinc__register_systemd
+  when: tinc__systemd | bool
+
+- name: Reload systemd daemon configuration
+  ansible.builtin.systemd:  # noqa no-handler
+    daemon_reload: True
+    name: 'tinc.service'
+    enabled: True
+  when: tinc__register_systemd is changed
+
+- name: Start tinc VPN networks on first install
+  ansible.builtin.service:  # noqa no-handler
+    name: 'tinc'
+    state: 'restarted'
+  when: not tinc__systemd | bool and tinc__register_install is changed
+
+- name: Configure tinc network services in systemd
+  ansible.builtin.service:
+    name: 'tinc@{{ item.value.name | d(item.key) }}'
+    enabled: '{{ (item.value.boot | d(True)) | bool }}'
+    state: '{{ (item.value.state | d("present") in ["absent"]) | ternary("stopped", "started") }}'
+  with_dict: '{{ tinc__combined_networks }}'
+  when: tinc__systemd | bool and item.value.state | d('present') != 'absent' and
+        item.value.port | d()
+
+# Ansible facts [[[1
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Create local facts of tinc
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tinc.fact.j2'
+    dest: '/etc/ansible/facts.d/tinc.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/tinc/tasks/main_env.yml b/ansible_collections/debops/debops/roles/tinc/tasks/main_env.yml
new file mode 100644
index 00000000..d5d485b2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/tasks/main_env.yml
@@ -0,0 +1,11 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Prepare debops.tinc environment
+  ansible.builtin.set_fact:
+    tinc__env_secret__directories:          '{{ tinc__secret__directories }}'
+    tinc__env_etc_services__dependent_list: '{{ tinc__etc_services__dependent_list }}'
+    tinc__env_ferm__dependent_rules:        '{{ tinc__ferm__dependent_rules }}'
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/ansible/facts.d/tinc.fact.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/ansible/facts.d/tinc.fact.j2
new file mode 100644
index 00000000..0839ddb3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/ansible/facts.d/tinc.fact.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ ({
+    "enabled": True,
+    "networks": tinc__combined_networks,
+}) | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc-network.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc-network.j2
new file mode 100644
index 00000000..f0f690b8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc-network.j2
@@ -0,0 +1,26 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set network = item.value %}
+{% set tinc__tpl_options = [] %}
+{% if network.interface | d() %}
+{%   set _ = tinc__tpl_options.append("-o Interface=" + network.interface) %}
+{% endif %}
+{% if network.mlock | d() | bool %}
+{%   set _ = tinc__tpl_options.append("--mlock") %}
+{% endif %}
+{% if network.chroot | d() | bool %}
+{%   set _ = tinc__tpl_options.append("--chroot") %}
+{% endif %}
+{% if network.user | d() %}
+{%   set _ = tinc__tpl_options.append("--user=" + network.user) %}
+{% endif %}
+# Configuration for {{ item.value.name | d(item.key) }} tinc network
+TINC_NETWORK_OPTIONS="{{ tinc__tpl_options | join(' ') }}"
+
+# Variables used by custom scripts
+INTERFACE="{{ network.interface }}"
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc.j2
new file mode 100644
index 00000000..59153448
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/default/tinc.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# Extra options to be passed to tincd.
+EXTRA="{{ tinc__extra_options }}"
+
+# Limits to be configured for the tincd process. Please read your shell
+# (pointed by /bin/sh) documentation for ulimit. You probably want to raise the
+# max locked memory value if using both --mlock and --user flags.
+LIMITS="{{ tinc__ulimit_options | default('-l 1024') }}"
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc.service.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc.service.j2
new file mode 100644
index 00000000..93b24b68
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc.service.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This is a mostly empty service, but allows commands like stop, start, reload
+# to propagate to all tinc@ service instances.
+
+[Unit]
+Description=Tinc VPN
+Documentation=man:tinc(8) man:tinc.conf(5)
+Documentation=https://tinc-vpn.org/docs/
+Wants=network-online.target
+After=local-fs.target network-pre.target apparmor.service systemd-sysctl.service systemd-modules-load.service networking.service ifup-allow-all-auto.service ifup-allow-boot.service
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+ExecStop=/bin/true
+WorkingDirectory=/etc/tinc
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc@.service.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc@.service.j2
new file mode 100644
index 00000000..4bdca92a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/systemd/system/tinc@.service.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+#{{ ansible_managed }}
+
+[Unit]
+Description=Tinc VPN for %i network
+Documentation=man:tincd(8) man:tinc.conf(5)
+Documentation=https://tinc-vpn.org/docs/
+PartOf=tinc.service
+ReloadPropagatedFrom=tinc.service
+After=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=/etc/tinc/%i
+EnvironmentFile=-/etc/default/tinc
+EnvironmentFile=-/etc/default/tinc-%i
+ExecStart=/usr/sbin/tincd --net %i --no-detach $EXTRA $TINC_NETWORK_OPTIONS
+ExecReload=/usr/sbin/tincd --net %i --kill=HUP
+
+# Fix for systemd not executing tinc-down script on network shutdown
+# https://bugzilla.redhat.com/show_bug.cgi?id=1307222
+ExecStop=/usr/local/lib/tinc-down-wrapper %i
+KillSignal=SIGTERM
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=10
+LimitMEMLOCK={{ tinc__ulimit_memlock }}
+
+[Install]
+WantedBy=tinc.service
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/gitignore.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/gitignore.j2
new file mode 100644
index 00000000..44ba4e9e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/gitignore.j2
@@ -0,0 +1,10 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+#
+# Ensure that sensitive files are excluded from version control.
+#
+{{ tinc__vcs_ignore_patterns | unique | sort | join("\n") }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/nets.boot.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/nets.boot.j2
new file mode 100644
index 00000000..c1fcd955
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/nets.boot.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+## This file contains all names of the networks to be started on system startup.
+
+{% for key, params in tinc__combined_networks.items() %}
+{%   if (params.tinc_options | d() and params.state | d('present') != 'absent' and params.boot | d(True) | bool) %}
+{{ params.name | d(key) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/hosts/host-config.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/hosts/host-config.j2
new file mode 100644
index 00000000..8a11216a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/hosts/host-config.j2
@@ -0,0 +1,50 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set network = item.value %}
+{% set network_name = item.value.name | d(item.key) %}
+{% set tinc__tpl_host_keys_seen = [] %}
+{% if network.tinc_host_options | d() %}
+{%   for key, value in network.tinc_host_options.items() %}
+{%     if key | lower not in [ '{{ (network.hostname | d(tinc__hostname)) | replace("-","_") }}-up', '{{ (network.hostname | d(tinc__hostname)) | replace("-","_") }}-down', 'host-up', 'host-down' ] %}
+{%       if key not in tinc__tpl_host_keys_seen %}
+{%         if value is string %}
+{{ key }} = {{ value }}
+{%         else %}
+{%           for element in value %}
+{{ key }} = {{ element }}
+{%           endfor %}
+{%         endif %}
+{%         set _ = tinc__tpl_host_keys_seen.append(key) %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if (('Address' not in tinc__tpl_host_keys_seen) or ('address' not in tinc__tpl_host_keys_seen)) %}
+{%   set tinc__tpl_host_addresses = [] %}
+{%   set tinc__tpl_exclude_addresses = [] %}
+{%   if network.host_address | d() %}
+{%     set _ = tinc__tpl_host_addresses.extend([ network.host_address ] if network.host_address is string else network.host_address) %}
+{%   endif %}
+{%   if network.host_addresses | d() %}
+{%     set _ = tinc__tpl_host_addresses.extend([ network.host_addresses ] if network.host_addresses is string else network.host_addresses) %}
+{%   endif %}
+{%   if network.exclude_address | d() %}
+{%     set _ = tinc__tpl_exclude_addresses.extend([ network.exclude_address ] if network.exclude_address is string else network.exclude_address) %}
+{%   endif %}
+{%   if network.exclude_addresses | d() %}
+{%     set _ = tinc__tpl_exclude_addresses.extend([ network.exclude_addresses ] if network.exclude_addresses is string else network.exclude_addresses) %}
+{%   endif %}
+{%   if not tinc__tpl_exclude_addresses %}
+{%     set _ = tinc__tpl_exclude_addresses.extend([ tinc__exclude_addresses ] if tinc__exclude_addresses is string else tinc__exclude_addresses) %}
+{%   endif %}
+{%   for address in tinc__tpl_host_addresses %}
+{%     if address not in tinc__tpl_exclude_addresses %}
+Address = {{ address }} {{ network.tinc_options.Port if network.tinc_options.Port | d() else network.port }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-down.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-down.j2
new file mode 100644
index 00000000..99a557cc
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-down.j2
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+custom_tinc_down="{{ item.value.tinc_down | d() }}"
+pre_tinc_down="{{ item.value.pre_down | d() }}"
+
+tinc_mode="{{ item.value.tinc_options.Mode | d() }}"
+
+link_type="{{ item.value.link_type | d() }}"
+link_metric="{{ item.value.metric | d() }}"
+
+readarray -t interface_addresses << EOF
+{% set tinc__tpl_addresses = [] %}
+{% if item.value.address | d() %}
+{%   set _ = tinc__tpl_addresses.extend(([ item.value.address ]
+                                         if item.value.address is string
+                                         else item.value.address)
+                                        | ansible.utils.ipaddr('host/prefix')) %}
+{% endif %}
+{% if item.value.addresses | d() %}
+{%   set _ = tinc__tpl_addresses.extend(([ item.value.addresses ]
+                                         if item.value.addresses is string
+                                         else item.value.addresses)
+                                        | ansible.utils.ipaddr('host/prefix')) %}
+{% endif %}
+{% for entry in tinc__tpl_addresses %}
+{{ entry }}
+{% endfor %}
+EOF
+
+interface_bridge="{{ item.value.bridge | d() }}"
+
+read -r -d '' resolvconf_config << EOF
+{% set tinc__tpl_resolvconf = [] %}
+{% if item.value.dns_nameservers | d() %}
+{%   for dns_ns in ([ item.value.dns_nameservers ]
+                    if item.value.dns_nameservers is string
+                    else item.value.dns_nameservers) %}
+{%     set _ = tinc__tpl_resolvconf.append("nameserver " + dns_ns) %}
+{%   endfor %}
+{% endif %}
+{% if item.value.dns_search | d() %}
+{%   for dns_search in ([ item.value.dns_search ]
+                        if item.value.dns_search is string
+                        else item.value.dns_search) %}
+{%     set _ = tinc__tpl_resolvconf.append("search " + dns_search) %}
+{%   endfor %}
+{% endif %}
+{% for line in tinc__tpl_resolvconf %}
+{{ line }}
+{% endfor %}
+EOF
+
+manage_dhclient="{{ (item.value.dhclient | d(True)) | bool | lower }}"
+
+if [ -n "${custom_tinc_down}" ] ; then
+    eval "${custom_tinc_down}"
+else
+    if [ -n "${pre_tinc_down}" ]; then
+        eval "${pre_tinc_down}"
+    fi
+
+    if [ "${link_type}" = "static" ] ; then
+
+        if [ -n "${resolvconf_config}" ] ; then
+            if type resolvconf > /dev/null 2>&1 ; then
+                resolvconf -d "${INTERFACE}.inet"
+            fi
+        fi
+        if [ -n "${interface_bridge}" ] ; then
+            ip link set "${INTERFACE}" nomaster
+        fi
+        if [[ "${interface_addresses[*]}" ]] ; then
+            for address in "${interface_addresses[@]}" ; do
+                ip addr del "${address}" dev "${INTERFACE}"
+            done
+        else
+            ip addr del '0.0.0.0/32' dev "${INTERFACE}"
+        fi
+
+    elif [ "${link_type}" = "dynamic" ] ; then
+
+        if [ "${manage_dhclient}" = "true" ] && [ "${tinc_mode}" = "switch" ] ; then
+            dhclient -r -v -pf "/run/dhclient.${INTERFACE}.pid" -e IF_METRIC="${link_metric}" \
+                -lf "/var/lib/dhcp/client.${INTERFACE}.leases" \
+                "${INTERFACE}"
+        fi
+
+    fi
+
+    ip link set "${INTERFACE}" down
+fi
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-up.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-up.j2
new file mode 100644
index 00000000..d2d6847f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc-up.j2
@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+custom_tinc_up="{{ item.value.tinc_up | d() }}"
+post_tinc_up="{{ item.value.post_up | d() }}"
+
+tinc_mode="{{ item.value.tinc_options.Mode | d() }}"
+
+hwaddr="{{ item.value.hwaddr | d() }}"
+hwaddr_prefix="{{ item.value.hwaddr_prefix | d(tinc__hwaddr_prefix) }}"
+
+link_type="{{ item.value.link_type | d() }}"
+link_metric="{{ item.value.metric | d() }}"
+
+read -r accept_ra << EOF
+{% set tinc__tpl_accept_ra = '1'
+       if item.value.accept_ra | d(True) == True
+       else item.value.accept_ra  %}
+{{ tinc__tpl_accept_ra
+   if tinc__tpl_accept_ra in ['0', '1', '2']
+   else '' }}
+EOF
+
+
+readarray -t interface_addresses << EOF
+{% set tinc__tpl_addresses = [] %}
+{% if item.value.address | d() %}
+{%   set _ = tinc__tpl_addresses.extend(([ item.value.address ]
+                                         if item.value.address is string
+                                         else item.value.address)
+                                        | ansible.utils.ipaddr('host')) %}
+{% endif %}
+{% if item.value.addresses | d() %}
+{%   set _ = tinc__tpl_addresses.extend(([ item.value.addresses ]
+                                         if item.value.addresses is string
+                                         else item.value.addresses)
+                                        | ansible.utils.ipaddr('host')) %}
+{% endif %}
+{% for entry in tinc__tpl_addresses %}
+{{ entry }}
+{% endfor %}
+EOF
+
+interface_bridge="{{ item.value.bridge | d() }}"
+
+read -r -d '' resolvconf_config << EOF
+{% set tinc__tpl_resolvconf = [] %}
+{% if item.value.dns_nameservers | d() %}
+{%   for dns_ns in ([ item.value.dns_nameservers ]
+                    if item.value.dns_nameservers is string
+                    else item.value.dns_nameservers) %}
+{%     set _ = tinc__tpl_resolvconf.append("nameserver " + dns_ns) %}
+{%   endfor %}
+{% endif %}
+{% if item.value.dns_search | d() %}
+{%   for dns_search in ([ item.value.dns_search ]
+                        if item.value.dns_search is string
+                        else item.value.dns_search) %}
+{%     set _ = tinc__tpl_resolvconf.append("search " + dns_search) %}
+{%   endfor %}
+{% endif %}
+{% for line in tinc__tpl_resolvconf %}
+{{ line }}
+{% endfor %}
+EOF
+
+manage_dhclient="{{ (item.value.dhclient | d(True)) | bool | lower }}"
+
+if [ -n "${custom_tinc_up}" ] ; then
+    eval "${custom_tinc_up}"
+else
+    if [ -z "${hwaddr}" ] ; then
+        # Create random but predictable MAC address
+        static_hwaddr="$(echo "$(hostname -f)${INTERFACE}" | md5sum \
+                         | sed "s/^\\(..\\)\\(..\\)\\(..\\)\\(.\\)\\(..\\).*$/${hwaddr_prefix}:\\1:\\2:\\3:\\4:\\5/")"
+    fi
+
+    if [ "${hwaddr}" = "*" ] ; then
+        ip link set dev "${INTERFACE}"  up
+    else
+        if [ -n "${hwaddr}" ] ; then
+            ip link set dev "${INTERFACE}" address "${hwaddr}" up
+        else
+            ip link set dev "${INTERFACE}" address "${static_hwaddr}" up
+        fi
+    fi
+
+    if [ "${link_type}" = "static" ] ; then
+
+        if [[ "${interface_addresses[*]}" ]] ; then
+            for address in "${interface_addresses[@]}" ; do
+                ip addr add "${address}" dev "${INTERFACE}"
+            done
+        else
+            ip addr add '0.0.0.0/32' dev "${INTERFACE}"
+        fi
+        if [ -n "${interface_bridge}" ] ; then
+            if [ -d "/sys/class/net/${interface_bridge}/bridge" ] ; then
+                ip link set "${INTERFACE}" master "${interface_bridge}"
+            fi
+        fi
+        if [ -n "${resolvconf_config}" ] ; then
+            if type resolvconf > /dev/null 2>&1 ; then
+                printf "%s\\n" "${resolvconf_config}" | resolvconf -a "${INTERFACE}.inet"
+            fi
+        fi
+
+    elif [ "${link_type}" = "dynamic" ] ; then
+
+        if [ "${manage_dhclient}" = "true" ] && [ "${tinc_mode}" = "switch" ] ; then
+            dhclient -v -pf "/run/dhclient.${INTERFACE}.pid" -e IF_METRIC="${link_metric}" \
+                -lf "/var/lib/dhcp/client.${INTERFACE}.leases" \
+                "${INTERFACE}" &
+        fi
+
+    fi
+
+    if [ -n "${accept_ra}" ]; then
+        sysctl "net.ipv6.conf.${INTERFACE}.accept_ra=${accept_ra}"
+    fi
+
+    if [ -n "${post_tinc_up}" ]; then
+        eval "${post_tinc_up}"
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc.conf.j2 b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc.conf.j2
new file mode 100644
index 00000000..4ac24e40
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/etc/tinc/network/tinc.conf.j2
@@ -0,0 +1,38 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set network = item.value %}
+{% set network_name = item.value.name | d(item.key) %}
+{% set tinc__tpl_seen_keys = [ 'name', 'tinc-up', 'tinc-down', 'host-up', 'host-down', 'subnet-up', 'subnet-down' ] %}
+{% if network.tinc_options | d() %}
+Name = {{ network.hostname | d(network.tinc_options.Name | d(tinc__hostname )) | replace("-","_") }}
+{%   for key, value in network.tinc_options.items() %}
+{%     if key | lower not in tinc__tpl_seen_keys %}
+{%       if value is string %}
+{%         if key | lower in [ 'connectto' ] %}
+{{ key }} = {{ value.split(".") | first | replace("-","_") }}
+{%         else %}
+{{ key }} = {{ value }}
+{%         endif %}
+{%       else %}
+{%         for element in value %}
+{%           if key | lower in [ 'connectto' ] %}
+{{ key }} = {{ element.split(".") | first | replace("-","_") }}
+{%           else %}
+{{ key }} = {{ element }}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{%   if not (network.node_reachable | d(True) | bool) and "BindToInterface" | lower not in tinc__tpl_seen_keys %}
+# Disabled because with this experimental feature enabled Tinc failed to
+# connect to the VPN with "Error looking up [peer]: Name or service not known"
+# as of 1.0.24-2.1+b1.
+#BindToInterface = lo
+{%   endif %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__combined_networks.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__combined_networks.j2
new file mode 100644
index 00000000..e0b9ae6c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__combined_networks.j2
@@ -0,0 +1,116 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro merge_dict(current_dict, to_merge_dict, dict_key='name') %}
+{%   set merged_dict = current_dict %}
+{%   if to_merge_dict %}
+{%     if to_merge_dict is mapping %}
+{%       for dict_name in to_merge_dict.keys() | sort %}
+{%         if to_merge_dict[dict_name][dict_key] | d() %}
+{%           set _ = merged_dict.update({to_merge_dict[dict_name][dict_key]:(current_dict[to_merge_dict[dict_name][dict_key]] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         elif to_merge_dict[dict_name][dict_key] is undefined %}
+{%           set _ = merged_dict.update({dict_name:(current_dict[dict_name] | d({}) | combine(to_merge_dict[dict_name], recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     elif to_merge_dict is not string and to_merge_dict is not mapping %}
+{%       set flattened_dict = lookup("flattened", to_merge_dict) %}
+{%       for element in ([ flattened_dict ] if flattened_dict is mapping else flattened_dict) %}
+{%         if element[dict_key] | d() %}
+{%           set _ = merged_dict.update({element[dict_key]:(current_dict[element[dict_key]] | d({}) | combine(element, recursive=True))}) %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{{ merged_dict | to_yaml }}
+{% endmacro %}
+{% set tinc__tpl_merge_all =   (merge_dict(tinc__default_networks, tinc__networks,       'name') | from_yaml) %}
+{% set tinc__tpl_merge_group = (merge_dict(tinc__tpl_merge_all,    tinc__group_networks, 'name') | from_yaml) %}
+{% set tinc__tpl_networks =    (merge_dict(tinc__tpl_merge_group,  tinc__host_networks,  'name') | from_yaml) %}
+{% set tinc__tpl_filtered_networks = {} %}
+{% for name, params in tinc__tpl_networks.items() %}
+{%   set network_name = (params["name"] | d(name)) %}
+{%   if params["boot"] is undefined %}
+{%     set _ = params.update({"boot":True}) %}
+{%   endif %}
+{%   if params["mlock"] is undefined %}
+{%     set _ = params.update({"mlock":True}) %}
+{%   endif %}
+{%   if params["chroot"] is undefined %}
+{%     set _ = params.update({"chroot":True}) %}
+{%   endif %}
+{%   if params["user"] is undefined %}
+{%     set _ = params.update({"user":tinc__user}) %}
+{%   endif %}
+{%   if params["link_type"] is undefined %}
+{%     if params["bridge"] | d() %}
+{%       set _ = params.update({"link_type":"static"}) %}
+{%     else %}
+{%       set _ = params.update({"link_type":"dynamic"}) %}
+{%     endif %}
+{%   endif %}
+{%   if params["metric"] is undefined %}
+{%     set _ = params.update({"metric":tinc__metric}) %}
+{%   endif %}
+{%   if params["host_address"] is undefined and params["host_addresses"] is undefined %}
+{%     set _ = params.update({"host_addresses":tinc__host_addresses}) %}
+{%   endif %}
+{%   if params["mode"] is undefined %}
+{%     set _ = params.update({"mode":"switch"}) %}
+{%   endif %}
+{%   if params["device_type"] is undefined %}
+{%     set _ = params.update({"device_type":"tap"}) %}
+{%   endif %}
+{%   if params["cipher"] is undefined %}
+{%     set _ = params.update({"cipher":"aes-256-cbc"}) %}
+{%   endif %}
+{%   if params["digest"] is undefined %}
+{%     set _ = params.update({"digest":"SHA512"}) %}
+{%   endif %}
+{%   if params["compression"] is undefined %}
+{%     set _ = params.update({"compression":"0"}) %}
+{%   endif %}
+{%   if params["address_family"] is undefined %}
+{%     set _ = params.update({"address_family":"any"}) %}
+{%   endif %}
+{%   if params["hostname"] is undefined %}
+{%     set _ = params.update({"hostname":tinc__hostname}) %}
+{%   endif %}
+{%   if params["interface"] is undefined %}
+{%     if network_name.startswith(('tun','tap')) %}
+{%       set _ = params.update({"interface":network_name}) %}
+{%     else %}
+{%       set _ = params.update({"interface":(params["device_type"] + '-' + network_name)}) %}
+{%     endif %}
+{%   endif %}
+{%   if params["inventory_self"] is undefined %}
+{%     set _ = params.update({"inventory_self":(([ tinc__inventory_self ] if tinc__inventory_self is string else tinc__inventory_self) | unique)}) %}
+{%   endif %}
+{%   if params["connect_to"] is undefined %}
+{%     if params["link_type"] != 'static' %}
+{%       set _ = params.update({"connect_to":(tinc__inventory_hosts | difference(params["inventory_self"]))}) %}
+{%     else %}
+{%       set _ = params.update({"connect_to":[]}) %}
+{%     endif %}
+{%   elif params["connect_to"] %}
+{%     set _ = params.update({"connect_to":(( [ params["connect_to"] ] if params["connect_to"] is string else params["connect_to"]) | difference(params["inventory_self"]))}) %}
+{%   endif %}
+{%   if params["tinc_options"] is undefined %}
+{%     set tinc__tpl_tinc_options = {
+  "Name":          params["hostname"],
+  "Port":          params["port"],
+  "Mode":          params["mode"],
+  "DeviceType":    params["device_type"],
+  "Cipher":        params["cipher"],
+  "Digest":        params["digest"],
+  "Compression":   params["compression"],
+  "AddressFamily": params["address_family"],
+  "Interface":     params["interface"],
+  "ConnectTo":     ((params["connect_to"] + (( [ params["add_connect_to"] ] if params["add_connect_to"] is string else params["add_connect_to"]) if params["add_connect_to"] | d() else [])) | unique)
+} %}
+{%     set _ = params.update({"tinc_options":tinc__tpl_tinc_options | combine(params["add_tinc_options"] | d({}))}) %}
+{%   endif %}
+{%   set _ = tinc__tpl_filtered_networks.update({network_name:params}) %}
+{% endfor %}
+{{ tinc__tpl_filtered_networks | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__etc_services__dependent_list.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__etc_services__dependent_list.j2
new file mode 100644
index 00000000..5eab38d6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__etc_services__dependent_list.j2
@@ -0,0 +1,20 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_services = [] %}
+{% set tinc__tpl_existing_port = '655' %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if (network.port | d() and network.port != tinc__tpl_existing_port) %}
+{%     set tinc__tpl_service = {
+  "name": ('tinc-' + network.name | d(key)),
+  "port": network.port,
+  "protocols": [ 'tcp', 'udp' ],
+  "comment": ('tinc ' + network.name | d(key) + ' VPN'),
+  "state": (network.state | d("present"))
+} %}
+{%     set _ = tinc__tpl_services.append(tinc__tpl_service) %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_services | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__exclude_addresses.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__exclude_addresses.j2
new file mode 100644
index 00000000..504103a5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__exclude_addresses.j2
@@ -0,0 +1,35 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_exclude_addresses = [] %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if hostvars[inventory_hostname]["ansible_" + (network.interface | replace('-','_') | replace('.','_'))] | d() %}
+{%     set tinc__tpl_interface = hostvars[inventory_hostname]["ansible_" + (network.interface | replace('-','_') | replace('.','_'))] %}
+{%     if tinc__tpl_interface.ipv4 | d() and tinc__tpl_interface.ipv4.address | d() %}
+{%       set _ = tinc__tpl_exclude_addresses.append(tinc__tpl_interface.ipv4.address) %}
+{%     endif %}
+{%     if tinc__tpl_interface.ipv4_secondaries | d() %}
+{%       set _ = tinc__tpl_exclude_addresses.extend(tinc__tpl_interface.ipv4_secondaries | map(attribute="address") | list) %}
+{%     endif %}
+{%     if tinc__tpl_interface.ipv6 | d() %}
+{%       set _ = tinc__tpl_exclude_addresses.extend(tinc__tpl_interface.ipv6 | map(attribute="address") | list) %}
+{%     endif %}
+{%   endif %}
+{%   if network.bridge | d() %}
+{%     if hostvars[inventory_hostname]["ansible_" + (network.bridge | replace('-','_') | replace('.','_'))] | d() %}
+{%       set tinc__tpl_bridge = hostvars[inventory_hostname]["ansible_" + (network.bridge | replace('-','_') | replace('.','_'))] %}
+{%       if tinc__tpl_bridge.ipv4 | d() and tinc__tpl_bridge.ipv4.address | d() %}
+{%         set _ = tinc__tpl_exclude_addresses.append(tinc__tpl_bridge.ipv4.address) %}
+{%       endif %}
+{%       if tinc__tpl_bridge.ipv4_secondaries | d() %}
+{%         set _ = tinc__tpl_exclude_addresses.extend(tinc__tpl_bridge.ipv4_secondaries | map(attribute="address") | list) %}
+{%       endif %}
+{%       if tinc__tpl_bridge.ipv6 | d() %}
+{%         set _ = tinc__tpl_exclude_addresses.extend(tinc__tpl_bridge.ipv6 | map(attribute="address") | list) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_exclude_addresses | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__ferm__dependent_rules.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__ferm__dependent_rules.j2
new file mode 100644
index 00000000..dc377843
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__ferm__dependent_rules.j2
@@ -0,0 +1,21 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_rules = [] %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if network.port | d() %}
+{%     set tinc__tpl_rule = {
+  "type": "accept",
+  "protocol": [ 'tcp', 'udp' ],
+  "dport": [ network.port ],
+  "saddr": ((([ network.allow ]) if network.allow is string else network.allow) if network.allow | d() else []),
+  "by_role": "debops.tinc",
+  "name": ("tinc_" + (network.name | d(key))),
+  "rule_state": (((network.state | d("present") not in ["absent"]) and network.node_reachable | d(True)| bool) | ternary("present", "absent"))
+} %}
+{%     set _ = tinc__tpl_rules.append(tinc__tpl_rule) %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_rules | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__inventory_groups.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__inventory_groups.j2
new file mode 100644
index 00000000..7f789088
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__inventory_groups.j2
@@ -0,0 +1,16 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_groups = [] %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if network.state | d('present') != 'absent' %}
+{%     if network.inventory_groups | d() %}
+{%       for group in ([ network.inventory_groups ] if network.inventory_groups is string else network.inventory_groups) %}
+{% set _ = tinc__tpl_groups.append(group) %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_groups | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__network_list.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__network_list.j2
new file mode 100644
index 00000000..e7621062
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__network_list.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_networks = [] %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if network.state | d('present') != 'absent' %}
+{%     set tinc__tpl_network = {
+  "name": (network.name | d(key)),
+  "state": (network.state | d('present')),
+  "inventory_groups": (network.inventory_groups | d([])),
+} %}
+{%     set _ = tinc__tpl_networks.append(tinc__tpl_network) %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_networks | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__secret_directories.j2 b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__secret_directories.j2
new file mode 100644
index 00000000..0ac5882b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/lookup/tinc__secret_directories.j2
@@ -0,0 +1,32 @@
+{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set tinc__tpl_directories = [] %}
+{% for key, network in tinc__combined_networks.items() %}
+{%   if network.state | d('present') != 'absent' %}
+{% set _ = tinc__tpl_directories.append('tinc/networks/' + network.name | d(key) + '/by-group/all/hosts') %}
+{% set _ = tinc__tpl_directories.append('tinc/networks/' + network.name | d(key) + '/by-network/' + network.name | d(key) + '/hosts') %}
+{%     if network.inventory_groups | d() %}
+{%       for group in ([ network.inventory_groups ] if network.inventory_groups is string else network.inventory_groups) %}
+{% set _ = tinc__tpl_directories.append('tinc/networks/' + network.name | d(key) + '/by-group/' + group + '/hosts') %}
+{%       if groups[group] %}
+{%         for host in groups[group] %}
+{%           if host == network.inventory_hostname | d(tinc__inventory_hostname) %}
+{% set _ = tinc__tpl_directories.append('tinc/networks/' + network.name | d(key) + '/by-host/' + host + '/hosts') %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       endfor %}
+{%     endif %}
+{%     if tinc__inventory_hosts %}
+{%       for host in tinc__inventory_hosts %}
+{%         if host == network.inventory_hostname | d(tinc__inventory_hostname) %}
+{% set _ = tinc__tpl_directories.append('tinc/networks/' + network.name | d(key) + '/by-host/' + host + '/hosts') %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{{ tinc__tpl_directories | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/tinc/templates/usr/local/lib/tinc-down-wrapper.j2 b/ansible_collections/debops/debops/roles/tinc/templates/usr/local/lib/tinc-down-wrapper.j2
new file mode 100644
index 00000000..2210adae
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinc/templates/usr/local/lib/tinc-down-wrapper.j2
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+# This script is used by the tinc@.service systemd unit to execute the
+# 'tinc-down' script when a Tinc service is stopped. This is done to fix the
+# issue with Tinc not executing the 'tinc-down' script properly under systemd
+# https://bugzilla.redhat.com/show_bug.cgi?id=1307222
+
+# Usage: tinc-down-wrapper <tinc-network>
+
+
+set -o nounset -o pipefail -o errexit
+
+if [ -n "${1}" ] ; then
+    if [ -x /etc/tinc/"${1}"/tinc-down ] ; then
+        /etc/tinc/"${1}"/tinc-down
+    fi
+fi
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/COPYRIGHT b/ansible_collections/debops/debops/roles/tinyproxy/COPYRIGHT
new file mode 100644
index 00000000..7e9c2afb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.tinyproxy - Install Tinyproxy on a Debian/Ubuntu host using Ansible
+
+Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/defaults/main.yml b/ansible_collections/debops/debops/roles/tinyproxy/defaults/main.yml
new file mode 100644
index 00000000..a8772905
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/defaults/main.yml
@@ -0,0 +1,530 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# .. Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# debops.tinyproxy default variables
+# ==================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Installation, APT packages [[[
+# ------------------------------
+
+# .. envvar:: tinyproxy__base_packages [[[
+#
+# List of APT base packages which are required by the Tinyproxy application.
+tinyproxy__base_packages: [ 'tinyproxy' ]
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__packages [[[
+#
+# List of APT packages which are required by the Tinyproxy application.
+tinyproxy__packages: []
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__allow [[[
+#
+# List of IP addresses or CIDR subnets which will be allowed to connect to the
+# Tinyproxy server in :command:`ip(6)tables` and TCP wrappers. If it's empty, remote
+# connections are not allowed.
+tinyproxy__allow: []
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__port [[[
+#
+# Port number on which this Tinyproxy listens on.
+tinyproxy__port: '8888'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# System configuration [[[
+# ------------------------
+
+# .. envvar:: tinyproxy__user [[[
+#
+# Name of the UNIX system account used by Tinyproxy service.
+tinyproxy__user: 'tinyproxy'
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__group [[[
+#
+# Name of the UNIX system group used by Tinyproxy service.
+tinyproxy__group: 'tinyproxy'
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__home [[[
+#
+# Absolute path of the Tinyproxy home directory.
+tinyproxy__home: '/run/tinyproxy'
+                                                                   # ]]]
+                                                                   # ]]]
+# Tinyproxy configuration file [[[
+# --------------------------------
+
+# .. envvar:: tinyproxy__configuration_file [[[
+#
+# The full path for the Tinyproxy configuration file
+tinyproxy__configuration_file: '{{ "/etc/tinyproxy.conf"
+                                   if (ansible_distribution_release in
+                                       ["trusty", "xenial"])
+                                   else "/etc/tinyproxy/tinyproxy.conf" }}'
+                                                                   # ]]]
+# The variables below define the contents of the
+# :file:`/etc/tinyproxy/tinyproxy.conf` configuration file.
+# See :ref:`tinyproxy__ref_configuration` for more details.
+
+# .. envvar:: tinyproxy__default_configuration [[[
+#
+# The default configuration options which should be present in the main
+# configuration file.
+tinyproxy__default_configuration:
+
+  - name: 'tinyproxy.conf'
+    options:
+
+      - name: 'User Group'
+        comment: |
+          User/Group: This allows you to set the user and group that will be
+          used for tinyproxy after the initial binding to the port has been done
+          as the root user. Either the user or group name or the UID or GID
+          number may be used.
+        raw: |
+          User {{ tinyproxy__user }}
+          Group {{ tinyproxy__group }}
+        state: 'present'
+
+      - name: 'Port'
+        comment: |
+          Port: Specify the port which tinyproxy will listen on.  Please note
+          that should you choose to run on a port lower than 1024 you will need
+          to start tinyproxy using root.
+        raw: |
+          Port {{ tinyproxy__port }}
+        state: 'present'
+
+      - name: 'Listen'
+        comment: |
+          Listen: If you have multiple interfaces this allows you to bind to
+          only one. If this is commented out, tinyproxy will bind to all
+          interfaces present.
+        raw: |
+          Listen 192.168.0.1
+        state: 'comment'
+
+      - name: 'Bind'
+        comment: |
+          Bind: This allows you to specify which interface will be used for
+          outgoing connections.  This is useful for multi-home'd machines where
+          you want all traffic to appear outgoing from one particular interface.
+        raw: |
+          Bind 192.168.0.1
+        state: 'comment'
+
+      - name: 'BindSame'
+        comment: |
+          BindSame: If enabled, tinyproxy will bind the outgoing connection to the
+          ip address of the incoming connection.
+        raw: |
+          BindSame yes
+        state: 'comment'
+
+      - name: 'Timeout'
+        comment: |
+          Timeout: The maximum number of seconds of inactivity a connection is
+          allowed to have before it is closed by tinyproxy.
+        raw: |
+          Timeout 600
+        state: 'present'
+
+      - name: 'ErrorFile'
+        comment: |
+          ErrorFile: Defines the HTML file to send when a given HTTP error
+          occurs.  You will probably need to customize the location to your
+          particular install.  The usual locations to check are:
+            /usr/local/share/tinyproxy
+            /usr/share/tinyproxy
+            /etc/tinyproxy
+        raw: |
+          ErrorFile 404 "/usr/share/tinyproxy/404.html"
+          ErrorFile 400 "/usr/share/tinyproxy/400.html"
+          ErrorFile 503 "/usr/share/tinyproxy/503.html"
+          ErrorFile 403 "/usr/share/tinyproxy/403.html"
+          ErrorFile 408 "/usr/share/tinyproxy/408.html"
+        state: 'comment'
+
+      - name: 'DefaultErrorFile'
+        comment: |
+          DefaultErrorFile: The HTML file that gets sent if there is no
+          HTML file defined with an ErrorFile keyword for the HTTP error
+          that has occurred.
+        raw: |
+          DefaultErrorFile "/usr/share/tinyproxy/default.html"
+        state: 'present'
+
+      - name: 'StatHost'
+        comment: |
+          StatHost: This configures the host name or IP address that is treated
+          as the stat host: Whenever a request for this host is received,
+          Tinyproxy will return an internal statistics page instead of
+          forwarding the request to that host.  The default value of StatHost is
+          tinyproxy.stats.
+        raw: |
+          StatHost "tinyproxy.stats"
+        state: 'comment'
+
+      - name: 'StatFile'
+        comment: |
+          StatFile: The HTML file that gets sent when a request is made
+          for the stathost.  If this file doesn't exist a basic page is
+          hardcoded in tinyproxy.
+        raw: |
+          StatFile "/usr/share/tinyproxy/stats.html"
+        state: 'present'
+
+      - name: 'LogFile'
+        comment: |
+          Logfile: Allows you to specify the location where information should
+          be logged to.  If you would prefer to log to syslog, then disable this
+          and enable the Syslog directive.  These directives are mutually
+          exclusive.
+        raw: |
+          Logfile "/var/log/tinyproxy/tinyproxy.log"
+        state: 'present'
+
+      - name: 'Syslog'
+        comment: |
+          Syslog: Tell tinyproxy to use syslog instead of a logfile.  This
+          option must not be enabled if the Logfile directive is being used.
+          These two directives are mutually exclusive.
+        raw: |
+          Syslog On
+        state: 'comment'
+
+      - name: 'LogLevel'
+        comment: |
+          LogLevel:
+
+          Set the logging level. Allowed settings are:
+          Critical  (least verbose)
+          Error
+          Warning
+          Notice
+          Connect   (to log connections without Info's noise)
+          Info    (most verbose)
+
+          The LogLevel logs from the set level and above. For example, if the
+          LogLevel was set to Warning, then all log messages from Warning to
+          Critical would be output, but Notice and below would be suppressed.
+        raw: |
+          LogLevel Info
+        state: 'present'
+
+      - name: 'PidFile'
+        comment: |
+          PidFile: Write the PID of the main tinyproxy thread to this file so it
+          can be used for signalling purposes.
+        raw: |
+          PidFile "/run/tinyproxy/tinyproxy.pid"
+        state: 'present'
+
+      - name: 'XTinyproxy'
+        comment: |
+          XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
+          contains the client's IP address.
+        raw: |
+          XTinyproxy Yes
+        state: 'comment'
+
+      - name: 'upstream'
+        comment: |
+          Upstream:
+
+          Turns on upstream proxy support.
+
+          The upstream rules allow you to selectively route upstream connections
+          based on the host/domain of the site being accessed.
+
+          For example:
+           # connection to test domain goes through testproxy
+           upstream testproxy:8008 ".test.domain.invalid"
+           upstream testproxy:8008 ".our_testbed.example.com"
+           upstream testproxy:8008 "192.168.128.0/255.255.254.0"
+
+           # no upstream proxy for internal websites and unqualified hosts
+           no upstream ".internal.example.com"
+           no upstream "www.example.com"
+           no upstream "10.0.0.0/8"
+           no upstream "192.168.0.0/255.255.254.0"
+           no upstream "."
+
+           # connection to these boxes go through their DMZ firewalls
+           upstream cust1_firewall:8008 "testbed_for_cust1"
+           upstream cust2_firewall:8008 "testbed_for_cust2"
+
+           # default upstream is internet firewall
+           upstream firewall.internal.example.com:80
+
+          The LAST matching rule wins the route decision.  As you can see, you
+          can use a host, or a domain:
+           name     matches host exactly
+           .name    matches any host in domain "name"
+           .        matches any host with no domain (in 'empty' domain)
+           IP/bits  matches network/mask
+           IP/mask  matches network/mask
+        raw: |
+          Upstream some.remote.proxy:port
+        state: 'comment'
+
+      - name: 'MaxClients'
+        comment: |
+          MaxClients: This is the absolute highest number of threads which will
+          be created. In other words, only MaxClients number of clients can be
+          connected at the same time.
+        raw: |
+          MaxClients 100
+        state: 'present'
+
+      - name: 'MinSpareServers MaxSpareServers'
+        comment: |
+          MinSpareServers/MaxSpareServers: These settings set the upper and
+          lower limit for the number of spare servers which should be available.
+
+          If the number of spare servers falls below MinSpareServers then new
+          server processes will be spawned.  If the number of servers exceeds
+          MaxSpareServers then the extras will be killed off.
+        raw: |
+          MinSpareServers 5
+          MaxSpareServers 20
+        state: 'present'
+
+      - name: 'StartServers'
+        comment: |
+          StartServers: The number of servers to start initially.
+        raw: |
+          StartServers 10
+        state: 'present'
+
+      - name: 'MaxRequestsPerChild'
+        comment: |
+          MaxRequestsPerChild: The number of connections a thread will handle
+          before it is killed. In practise this should be set to 0, which
+          disables thread reaping. If you do notice problems with memory
+          leakage, then set this to something like 10000.
+        raw: |
+          MaxRequestsPerChild 0
+        state: 'present'
+
+      - name: 'Allow'
+        comment: |
+          Allow: Customization of authorization controls. If there are any
+          access control keywords then the default action is to DENY. Otherwise,
+          the default action is ALLOW.
+
+          The order of the controls are important. All incoming connections are
+          tested against the controls based on order.
+        raw: |
+          Allow 127.0.0.1
+          {% for item in tinyproxy__allow %}
+          Allow {{ item }}
+          {% endfor %}
+          #Allow 192.168.0.0/16
+          #Allow 172.16.0.0/12
+          #Allow 10.0.0.0/8
+        state: 'present'
+
+      - name: 'AddHeader'
+        comment: |
+          AddHeader: Adds the specified headers to outgoing HTTP requests that
+          Tinyproxy makes. Note that this option will not work for HTTPS
+          traffic, as Tinyproxy has no control over what headers are exchanged.
+        raw: |
+          AddHeader "X-My-Header" "Powered by Tinyproxy"
+        state: 'comment'
+
+      - name: 'ViaProxyName'
+        comment: |
+          ViaProxyName: The "Via" header is required by the HTTP RFC, but using
+          the real host name is a security concern.  If the following directive
+          is enabled, the string supplied will be used as the host name in the
+          Via header; otherwise, the server's host name will be used.
+        raw: |
+          ViaProxyName "tinyproxy"
+        state: 'present'
+
+      - name: 'DisableViaHeader'
+        comment: |
+          DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
+          the Via header to the requests. This virtually puts Tinyproxy into
+          stealth mode. Note that RFC 2616 requires proxies to set the Via
+          header, so by enabling this option, you break compliance.
+          Don't disable the Via header unless you know what you are doing...
+        raw: |
+          DisableViaHeader Yes
+        state: 'comment'
+
+      - name: 'Filter'
+        comment: |
+          Filter: This allows you to specify the location of the filter file.
+        raw: |
+          Filter "/etc/tinyproxy/filter"
+        state: 'comment'
+
+      - name: 'FilterURLs'
+        comment: |
+          FilterURLs: Filter based on URLs rather than domains.
+        raw: |
+          FilterURLs On
+        state: 'comment'
+
+      - name: 'FilterExtended'
+        comment: |
+          FilterExtended: Use POSIX Extended regular expressions rather than
+          basic.
+        raw: |
+          FilterExtended On
+        state: 'comment'
+
+      - name: 'FilterCaseSensitive'
+        comment: |
+          FilterCaseSensitive: Use case sensitive regular expressions.
+        raw: |
+          FilterCaseSensitive On
+        state: 'comment'
+
+      - name: 'FilterDefaultDeny'
+        comment: |
+          FilterDefaultDeny: Change the default policy of the filtering system.
+          If this directive is commented out, or is set to "No" then the default
+          policy is to allow everything which is not specifically denied by the
+          filter file.
+
+          However, by setting this directive to "Yes" the default policy becomes
+          to deny everything which is _not_ specifically allowed by the filter
+          file.
+        raw: |
+          FilterDefaultDeny Yes
+        state: 'comment'
+
+      - name: 'Anonymous'
+        comment: |
+          Anonymous: If an Anonymous keyword is present, then anonymous proxying
+          is enabled.  The headers listed are allowed through, while all others
+          are denied. If no Anonymous keyword is present, then all headers are
+          allowed through.  You must include quotes around the headers.
+
+          Most sites require cookies to be enabled for them to work correctly, so
+          you will need to allow Cookies through if you access those sites.
+        raw: |
+          Anonymous "Host"
+          Anonymous "Authorization"
+          Anonymous "Cookie"
+        state: 'comment'
+
+      - name: 'ConnectPort'
+        comment: |
+          ConnectPort: This is a list of ports allowed by tinyproxy when the
+          CONNECT method is used.  To disable the CONNECT method altogether, set
+          the value to 0.  If no ConnectPort line is found, all ports are
+          allowed (which is not very secure.)
+
+          The following two ports are used by SSL.
+        raw: |
+          ConnectPort 443
+          ConnectPort 563
+        state: 'present'
+
+      - name: 'ReversePath'
+        comment: |
+          Configure one or more ReversePath directives to enable reverse proxy
+          support. With reverse proxying it's possible to make a number of
+          sites appear as if they were part of a single site.
+
+          If you uncomment the following two directives and run tinyproxy
+          on your own computer at port 8888, you can access Google using
+          http://localhost:8888/google/ and Wired News using
+          http://localhost:8888/wired/news/. Neither will actually work
+          until you uncomment ReverseMagic as they use absolute linking.
+        raw: |
+          ReversePath "/google/" "https://www.google.com/"
+          ReversePath "/wired/"  "https://www.wired.com/"
+        state: 'comment'
+
+      - name: 'ReverseOnly'
+        comment: |
+          When using tinyproxy as a reverse proxy, it is STRONGLY recommended
+          that the normal proxy is turned off by uncommenting the next directive.
+        raw: |
+          ReverseOnly Yes
+        state: 'comment'
+
+      - name: 'ReverseMagic'
+        comment: |
+          Use a cookie to track reverse proxy mappings. If you need to reverse
+          proxy sites which have absolute links you must uncomment this.
+        raw: |
+          ReverseMagic Yes
+        state: 'comment'
+
+      - name: 'ReverseBaseURL'
+        comment: |
+          The URL that's used to access this reverse proxy. The URL is used to
+          rewrite HTTP redirects so that they won't escape the proxy. If you
+          have a chain of reverse proxies, you'll need to put the outermost
+          URL here (the address which the end user types into his/her browser).
+
+          If not set then no rewriting occurs.
+        raw: |
+          ReverseBaseURL "http://localhost:8888/"
+        state: 'comment'
+
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__configuration [[[
+#
+# List of configuration options defined on all hosts in the Tinyproxy inventory.
+tinyproxy__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__combined_configuration [[[
+#
+# Actual list of Tinyproxy configuration options passed to the
+# configuration template. This list defines the order in which the options from
+# different variables are processed.
+tinyproxy__combined_configuration: '{{ tinyproxy__default_configuration + tinyproxy__configuration }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: tinyproxy__ferm__dependent_rules [[[
+#
+# Configuration for :ref:`debops.ferm` Tinyproxy role.
+tinyproxy__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: [ 'tinyproxy' ]
+    saddr: '{{ tinyproxy__allow }}'
+    accept_any: False
+    weight: '40'
+    role: 'tinyproxy'
+
+                                                                   # ]]]
+# .. envvar:: tinyproxy__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services` Ansible role.
+tinyproxy__etc_services__dependent_list:
+
+  - name: 'tinyproxy'
+    port: '{{ tinyproxy__port }}'
+
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/meta/main.yml b/ansible_collections/debops/debops/roles/tinyproxy/meta/main.yml
new file mode 100644
index 00000000..8175c092
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Bechea Leonardo, Alin Alexandru'
+  description: 'Install and manage Tinyproxy service'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '1.2'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - tinyproxy
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/tasks/main.yml b/ansible_collections/debops/debops/roles/tinyproxy/tasks/main.yml
new file mode 100644
index 00000000..8d7bf4a8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", tinyproxy__base_packages
+                             + tinyproxy__packages) }}'
+    state: 'present'
+  register: tinyproxy__register_packages
+  until: tinyproxy__register_packages is succeeded
+  notify: [ 'Restart tinyproxy' ]
+
+- name: Create required UNIX system group
+  ansible.builtin.group:
+    name: '{{ tinyproxy__group }}'
+    state: 'present'
+    system: True
+
+- name: Make sure that required UNIX account exists
+  ansible.builtin.user:
+    name: '{{ tinyproxy__user }}'
+    group: '{{ tinyproxy__group }}'
+    home: '{{ tinyproxy__home }}'
+    comment: 'Tinyproxy daemon'
+    shell: '/bin/false'
+    state: 'present'
+    system: True
+
+- name: Divert the original tinyproxy configuration file
+  debops.debops.dpkg_divert:
+    path: '{{ tinyproxy__configuration_file }}'
+    state: 'present'
+    delete: True
+
+- name: Generate tinyproxy configuration
+  ansible.builtin.template:
+    src: 'etc/tinyproxy/tinyproxy.conf.j2'
+    dest: '{{ tinyproxy__configuration_file }}'
+    mode: '0644'
+  notify: [ 'Restart tinyproxy' ]
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save Tinyproxy local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tinyproxy.fact.j2'
+    dest: '/etc/ansible/facts.d/tinyproxy.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/ansible/facts.d/tinyproxy.fact.j2 b/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/ansible/facts.d/tinyproxy.fact.j2
new file mode 100644
index 00000000..c9e07bf4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/ansible/facts.d/tinyproxy.fact.j2
@@ -0,0 +1,25 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+# Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('tinyproxy')}
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/tinyproxy/tinyproxy.conf.j2 b/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/tinyproxy/tinyproxy.conf.j2
new file mode 100644
index 00000000..bc7e4206
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tinyproxy/templates/etc/tinyproxy/tinyproxy.conf.j2
@@ -0,0 +1,59 @@
+{# Copyright (C) 2019 Leonardo Bechea <leonardo.bechea@innobyte.com>
+ # Copyright (C) 2019 Alin Alexandru <alin.alexandru@innobyte.com>
+ # Copyright (C) 2019 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+##
+## tinyproxy.conf -- tinyproxy daemon configuration file
+##
+{% for item in tinyproxy__combined_configuration | debops.debops.parse_kv_items %}
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment() }}
+{% endif %}
+{% if item.options | d() %}
+{%   for element in item.options %}
+{%     if element is string %}
+{%       if not loop.first %}
+
+{%       endif %}
+{{ "{}".format(element) }}
+{%     elif element is mapping %}
+{%       if element.name | d() %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore' ] %}
+{%           if (loop.first and item.comment | d() and element.comment | d()) or (not loop.first and (element.comment | d() or (element.separator | d()) | bool)) %}
+
+{%           endif %}
+{%           if element.comment | d() %}
+{{ element.comment | regex_replace('\n$','') | comment() }}
+{%           endif %}
+{%           if element.value | d() %}
+{%             if element.value is string %}
+{{ "{}{} = {}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name), element.value) }}
+{%             else %}
+{%               for thing in (element.value | selectattr('state', 'equalto', 'present') | map(attribute='name') | list) %}
+{{ "{}{} = {}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name), thing) }}
+{%               endfor %}
+{%             endif %}
+{%           elif element.raw | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{ "{}".format(element.raw | regex_replace('\n$','')) | comment() }}
+{%             else %}
+{{ "{}".format(element.raw | regex_replace('\n$','')) }}
+{%             endif %}
+{%           else %}
+{{ "{}{}".format(('#' if (element.state | d('present') == 'comment') else ''), element.option | d(element.name)) }}
+{%           endif %}
+{%         endif %}
+{%       else %}
+{%         for key, value in element.items() %}
+{{ "{} = {}".format(key, value) }}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% if item.raw | d() %}
+{{ item.raw | regex_replace('\n$','') }}
+{% endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/tor/COPYRIGHT b/ansible_collections/debops/debops/roles/tor/COPYRIGHT
new file mode 100644
index 00000000..a1bc473b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/COPYRIGHT
@@ -0,0 +1,19 @@
+tor - FIXME
+
+Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tor/defaults/main.yml b/ansible_collections/debops/debops/roles/tor/defaults/main.yml
new file mode 100644
index 00000000..784087f3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/defaults/main.yml
@@ -0,0 +1,65 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tor__ref_defaults:
+
+# debops-contrib.tor default variables [[[
+# ==========================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: tor__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that Tor is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that Tor is uninstalled and it's configuration is removed.
+#
+tor__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: tor__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+tor__ferm__dependent_rules:
+
+  - type: 'accept'
+    dport: '{{ ((tor_ports | map(attribute="orport") | list) + (tor_ports | map(attribute="dirport") | list)) | unique | sort }}'
+    accept_any: True
+    weight: '40'
+    by_role: 'debops-contrib.tor'
+    name: 'tor'
+    rule_state: '{{ "present" if (tor__deploy_state != "purged") else "absent" }}'
+                                                                   # ]]]
+# .. envvar:: tor__ferm__dependent_rules [[[
+#
+# Configuration of the ``debops.unattended_upgrades`` role.
+# https://trac.torproject.org/projects/tor/wiki/TorRelayGuide/DebianUbuntuUpdates
+tor__unattended_upgrades__dependent_origins:
+
+  - origin: 'origin=TorProject'
+    by_role: 'debops-contrib.tor'
+    state: '{{ "present"
+               if (tor__deploy_state == "present")
+               else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tor/docs/changelog.rst b/ansible_collections/debops/debops/roles/tor/docs/changelog.rst
new file mode 100644
index 00000000..6d01c6ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/tor/docs/copyright.rst b/ansible_collections/debops/debops/roles/tor/docs/copyright.rst
new file mode 100644
index 00000000..ce69ac9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/tor/docs/getting-started.rst b/ansible_collections/debops/debops/roles/tor/docs/getting-started.rst
new file mode 100644
index 00000000..fa6a7a87
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/getting-started.rst
@@ -0,0 +1,79 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _tor__ref_getting_started:
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Example inventory
+-----------------
+
+To manage `changeme/FIXME** on a given host or set of hosts, they need to
+be added to the ``[debops_service_tor]`` Ansible group in the inventory:
+
+.. code:: ini
+
+   [debops_service_tor]
+   hostname
+
+It is proposed to change some of the nusenu.relayor defaults to better match DebOps Standards.
+The recommended way to do this adaption is to symlink the
+:file:`docs/inventory/debops_service_tor_global_role_vars` file shipped
+with this role in the documentation (:file:`ansible/roles/debops-contrib.tor/docs/inventory/debops_service_tor_global_role_vars.yml`)` into your inventory under
+:file:`ansible/inventory/group_vars/debops_service_tor_global_role_vars.yml`
+and include all hosts from the ``debops_service_tor`` in the
+``debops_service_tor_global_role_vars`` host group by adding this:
+
+.. code:: ini
+
+   [debops_service_tor_global_role_vars:children]
+   debops_service_tor
+
+into your host inventory which makes the following adjustments to the defaults
+variables of other roles:
+
+.. literalinclude:: inventory/debops_service_tor_global_role_vars.yml
+   :language: yaml
+   :lines: 1,7-
+
+Example playbook
+----------------
+
+If you are using this role without DebOps, here's an example Ansible playbook
+that uses the ``debops-contrib.tor`` role:
+
+.. literalinclude:: playbooks/tor.yml
+   :language: yaml
+   :lines: 1,5-
+
+The playbook is shipped with this role under
+:file:`./docs/playbooks/tor.yml` from which you can symlink it to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::tor``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::tor:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
diff --git a/ansible_collections/debops/debops/roles/tor/docs/includes/all.rst b/ansible_collections/debops/debops/roles/tor/docs/includes/all.rst
new file mode 100644
index 00000000..84ba4678
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/tor/docs/index.rst b/ansible_collections/debops/debops/roles/tor/docs/index.rst
new file mode 100644
index 00000000..9ffb4046
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.tor:
+
+Ansible role: debops-contrib.tor
+===============================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/tor/docs/introduction.rst b/ansible_collections/debops/debops/roles/tor/docs/introduction.rst
new file mode 100644
index 00000000..419052d3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/introduction.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.tor`` role allows you to manage and configure
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.5``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.tor
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/tor/docs/inventory/debops_service_tor_global_role_vars.yml b/ansible_collections/debops/debops/roles/tor/docs/inventory/debops_service_tor_global_role_vars.yml
new file mode 100644
index 00000000..fe9133be
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/docs/inventory/debops_service_tor_global_role_vars.yml
@@ -0,0 +1,12 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Where do you want to store key material on the ansible control machine?
+tor_offline_masterkey_dir: '{{ secret + "/tor" }}'
+
+# No need to create a backup of the torrc on remote systems as etckeeper is used by default.
+tor_backup_torrc: False
diff --git a/ansible_collections/debops/debops/roles/tor/meta/main.yml b/ansible_collections/debops/debops/roles/tor/meta/main.yml
new file mode 100644
index 00000000..ba55edff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'The Tor network aims to provide communication privacy'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - security
diff --git a/ansible_collections/debops/debops/roles/tor/tasks/main.yml b/ansible_collections/debops/debops/roles/tor/tasks/main.yml
new file mode 100644
index 00000000..957f5d66
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tor/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# - name: Ensure specified packages are in there desired state
+#   ansible.builtin.package:
+#     name: '{{ item }}'
+#     state: '{{ "present" if (tor__deploy_state == "present") else "absent" }}'
+#   with_flattened: '{{ tor__base_packages }}'
+#   tags: [ 'role::tor:pkgs' ]
diff --git a/ansible_collections/debops/debops/roles/tzdata/COPYRIGHT b/ansible_collections/debops/debops/roles/tzdata/COPYRIGHT
new file mode 100644
index 00000000..15d3f69f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.tzdata - Manage system time zone using Ansible
+
+Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/tzdata/defaults/main.yml b/ansible_collections/debops/debops/roles/tzdata/defaults/main.yml
new file mode 100644
index 00000000..add682f6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/defaults/main.yml
@@ -0,0 +1,70 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2020 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _tzdata__ref_defaults:
+
+# debops.tzdata default variables
+# ===============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global options [[[
+# ------------------
+
+# .. envvar:: tzdata__enabled [[[
+#
+# Enable or disable time zone management using the :ref:`debops.tzdata` role.
+tzdata__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: tzdata__timezone [[[
+#
+# Specify timezone in the form of 'Area/Zone'. Use :command:`timedatectl
+# list-timezones` to see a list of possible values. To set the UTC timezone,
+# specify it as 'Etc/UTC'.
+tzdata__timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: tzdata__base_packages [[[
+#
+# List of the APT packages to install for time zone support.
+tzdata__base_packages: [ 'tzdata' ]
+
+                                                                   # ]]]
+# .. envvar:: tzdata__packages [[[
+#
+# List of additional APT packages to install with the ``tzdata`` package.
+tzdata__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Service restart [[[
+# -------------------
+
+# .. envvar:: tzdata__restart_default_services [[[
+#
+# List of the default :command:`systemd` service units which should be
+# restarted when time zone is changed. Only currently active services will be
+# restarted.
+tzdata__restart_default_services:
+  - 'cron.service'
+  - 'rsyslog.service'
+
+                                                                   # ]]]
+# .. envvar:: tzdata__restart_services [[[
+#
+# List of additional :command:`systemd` service units which should be restarted
+# when time zone is changed.
+tzdata__restart_services: []
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/tzdata/meta/main.yml b/ansible_collections/debops/debops/roles/tzdata/meta/main.yml
new file mode 100644
index 00000000..792d5d94
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/meta/main.yml
@@ -0,0 +1,29 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Configure system time zone'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.9.0'
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  galaxy_tags:
+  - timezone
+  - tzdata
+  - ntp
diff --git a/ansible_collections/debops/debops/roles/tzdata/tasks/legacy.yml b/ansible_collections/debops/debops/roles/tzdata/tasks/legacy.yml
new file mode 100644
index 00000000..75071ef6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/tasks/legacy.yml
@@ -0,0 +1,62 @@
+---
+# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2014-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Configure tzdata area in debconf
+  ansible.builtin.debconf:
+    name: 'tzdata'
+    question: 'tzdata/Areas'
+    vtype: 'select'
+    value: '{{ tzdata__timezone.split("/")[0] }}'
+  register: tzdata__register_debconf_set_area
+  notify: [ 'Refresh host facts' ]
+  when: tzdata__enabled | bool
+
+- name: Configure tzdata zone in debconf
+  ansible.builtin.debconf:
+    name: 'tzdata'
+    question: 'tzdata/Zones/{{ tzdata__timezone.split("/")[0] }}'
+    vtype: 'select'
+    value: '{{ tzdata__timezone.split("/")[1] }}'
+  register: tzdata__register_debconf_set_zone
+  notify: [ 'Refresh host facts' ]
+  when: tzdata__enabled | bool
+
+  # tzdata ignores debconf answers when configured non-interactively
+  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704089
+- name: Configure timezone in /etc/timezone
+  ansible.builtin.copy:
+    content: '{{ tzdata__timezone }}'
+    dest: '/etc/timezone'
+    mode: '0644'
+  register: tzdata__register_etc_timezone
+  notify: [ 'Refresh host facts' ]
+  when: tzdata__enabled | bool
+
+- name: Check if /etc/localtime is a symlink
+  ansible.builtin.stat:
+    path: '/etc/localtime'
+  register: tzdata__register_etc_localtime
+  when: tzdata__enabled | bool
+
+- name: Symlink correct timezone as /etc/localtime
+  ansible.builtin.file:  # noqa no-handler
+    path: '/etc/localtime'
+    src: '/usr/share/zoneinfo/{{ tzdata__timezone }}'
+    state: 'link'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: (tzdata__enabled | bool and
+         tzdata__register_etc_timezone is changed and
+         tzdata__register_etc_localtime.stat.islnk | bool)
+
+- name: Reconfigure tzdata
+  ansible.builtin.command: 'dpkg-reconfigure --frontend noninteractive tzdata'  # noqa no-handler
+  register: tzdata__register_dpkg_reconfigure
+  changed_when: tzdata__register_dpkg_reconfigure.changed | bool
+  when: (tzdata__enabled | bool and
+         (tzdata__register_debconf_set_area is changed or
+          tzdata__register_debconf_set_zone is changed or
+          tzdata__register_etc_timezone is changed))
diff --git a/ansible_collections/debops/debops/roles/tzdata/tasks/main.yml b/ansible_collections/debops/debops/roles/tzdata/tasks/main.yml
new file mode 100644
index 00000000..74aa2e6a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", tzdata__base_packages + tzdata__packages) }}'
+    state: '{{ "present"
+               if ((ansible_local.tzdata.configured | d()) | bool)
+               else "latest" }}'
+  register: tzdata__register_packages
+  until: tzdata__register_packages is succeeded
+  when: tzdata__enabled | bool
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: tzdata__enabled | bool and not ansible_local | d()
+
+- name: Save tzdata local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/tzdata.fact.j2'
+    dest: '/etc/ansible/facts.d/tzdata.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: tzdata__enabled | bool
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Configure the time zone
+  community.general.timezone:
+    name: '{{ tzdata__timezone }}'
+  register: tzdata__register_timezone
+  notify: [ 'Refresh host facts' ]
+  when: (tzdata__enabled | bool and ansible_service_mgr == "systemd" and
+         (ansible_local.tzdata.timezone | d('Etc/UTC')) != tzdata__timezone)
+
+- name: Execute legacy timezone tasks
+  ansible.builtin.include_tasks: 'legacy.yml'
+  when: (tzdata__enabled | bool and ansible_service_mgr != "systemd" and
+         (ansible_local.tzdata.timezone | d('Etc/UTC')) != tzdata__timezone)
+
+- name: Update Ansible facts if time zone was modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Get list of currently running systemd services
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         systemctl list-units --state active | awk 'match($1, /\./) {print $1}'
+  args:  # noqa no-handler
+    executable: 'bash'
+  register: tzdata__register_services
+  changed_when: tzdata__register_services.changed | bool
+  when: (tzdata__enabled | bool and ansible_service_mgr == 'systemd' and
+         tzdata__register_timezone is changed)
+
+- name: Request restart of services affected by time zone modification
+  ansible.builtin.systemd:  # noqa no-handler
+    name: '{{ item }}'
+    state: 'restarted'
+    no_block: True
+  loop: '{{ q("flattened", (tzdata__restart_default_services
+                            + tzdata__restart_services)) }}'
+  when: (tzdata__enabled | bool and ansible_service_mgr == 'systemd' and
+         tzdata__register_timezone is changed and
+         item in tzdata__register_services.stdout_lines)
diff --git a/ansible_collections/debops/debops/roles/tzdata/templates/etc/ansible/facts.d/tzdata.fact.j2 b/ansible_collections/debops/debops/roles/tzdata/templates/etc/ansible/facts.d/tzdata.fact.j2
new file mode 100644
index 00000000..85c3f335
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/tzdata/templates/etc/ansible/facts.d/tzdata.fact.j2
@@ -0,0 +1,30 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+timezone_file = '/etc/timezone'
+
+output = loads('''{{ {"configured": True,
+                      "enabled": tzdata__enabled | bool
+                     } | to_nice_json }}''')
+
+if os.path.exists(timezone_file) and os.path.isfile(timezone_file):
+    try:
+        with open(timezone_file, 'r') as f:
+            for line in f:
+                output.update({'timezone': line.strip()})
+    except Exception:
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/COPYRIGHT b/ansible_collections/debops/debops/roles/unattended_upgrades/COPYRIGHT
new file mode 100644
index 00000000..36ad881d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.unattended_upgrades - Configure unattended upgrades on Debian-based hosts
+
+Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/defaults/main.yml b/ansible_collections/debops/debops/roles/unattended_upgrades/defaults/main.yml
new file mode 100644
index 00000000..9382dbb1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/defaults/main.yml
@@ -0,0 +1,287 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _unattended_upgrades__ref_defaults:
+
+# debops.unattended_upgrades default variables [[[
+# ================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Main configuration [[[
+# ----------------------
+
+# .. envvar:: unattended_upgrades__enabled [[[
+#
+# Enable or disable unattended package upgrades. If disabled,
+# ``unattended-upgrades`` package won't be removed if it's installed, and its
+# configuration will be restored to default values.
+unattended_upgrades__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__release [[[
+#
+# By default, :program:`unattended-upgrade` performs only upgrades of packages
+# from security repositories. This variable allows you to enable upgrades from
+# all repositories (main, updates, backports).
+unattended_upgrades__release: False
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__base_packages [[[
+#
+# List of base APT packages which will be installed by the role.
+unattended_upgrades__base_packages: [ 'unattended-upgrades' ]
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__packages [[[
+#
+# List of additional APT packages which will be installed by the role.
+unattended_upgrades__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Periodic APT updates [[[
+# ------------------------
+
+# .. envvar:: unattended_upgrades__periodic [[[
+#
+# Enable or disable daily execution of :file:`/etc/cron.daily/apt` script. This
+# script runs :program:`unattended-upgrade`, but also performs some other
+# actions which can be useful on their own. Enabling periodic APT runs
+# automatically enables repository updates, but not upgrades.
+unattended_upgrades__periodic: '{{ False
+                                   if (ansible_local.apt.suite | d() == "archive")
+                                   else unattended_upgrades__enabled }}'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__periodic_download [[[
+#
+# Download new versions of installed packages without upgrading.
+unattended_upgrades__periodic_download: '{{ unattended_upgrades__periodic }}'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__periodic_autoclean [[[
+#
+# Clean up obsolete and removed packages in APT cache every n days.
+unattended_upgrades__periodic_autoclean: '7'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__periodic_verbosity [[[
+#
+# Specify verbosity level of the :file:`/etc/cron.daily/apt` script, supported
+# levels are 0-3, higher level means higher verbosity. Enabling this option
+# will result in mails from :program:`cron` with the script output being sent
+# to ``root``.
+unattended_upgrades__periodic_verbosity: '0'
+                                                                   # ]]]
+                                                                   # ]]]
+# Unattended upgrade origin patterns [[[
+# --------------------------------------
+
+# See :ref:`unattended_upgrades__ref_origins` for more details about how
+# origin entries can be defined.
+
+# .. envvar:: unattended_upgrades__origins [[[
+#
+# List of origin patterns which define repositories that will be considered for
+# unattended package upgrades.
+unattended_upgrades__origins: []
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__origins_lookup [[[
+#
+# List of strings which are used to select different origin patterns depending
+# on installed OS and its release. The first found match wins.
+unattended_upgrades__origins_lookup:
+  - '{{ ansible_distribution + "_" + (ansible_distribution_release.split("/")[0]) }}'
+  - '{{ ansible_distribution }}'
+  - 'default'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__security_origins [[[
+#
+# Map of the security repositories of different Linux distributions.
+unattended_upgrades__security_origins:
+
+  # https://www.debian.org/security/
+  'Debian':
+    - 'o=Debian,n=${distro_codename},l=Debian-Security'
+    - 'o=Debian,n=${distro_codename}-security,l=Debian-Security'
+    - 'o=${distro_id},n=${distro_codename}-updates'
+
+  # https://www.devuan.org/
+  'Devuan':
+    - 'o=Devuan,n=${distro_codename}-security,l=Devuan-Security'
+    - 'o=Devuan,n=${distro_codename}-updates'
+
+  # https://www.ubuntu.com/usn/
+  'Ubuntu':
+    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-security'
+    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-updates'
+
+  'default':
+    - 'o=${distro_id},n=${distro_codename},l=${distro_id}-Security'
+    - 'o=${distro_id},n=${distro_codename}-updates'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__release_origins [[[
+#
+# List of origin patterns that specify the default repositories of the current
+# OS release. Enabled/disabled by the :envvar:`unattended_upgrades__release`
+# variable.
+unattended_upgrades__release_origins:
+
+  'Debian':
+    - 'o=${distro_id},n=${distro_codename}'
+    - 'o=${distro_id} Backports,n=${distro_codename}-backports'
+
+  'Devuan':
+    - 'o=${distro_id},n=${distro_codename}'
+    - 'o=${distro_id} Backports,n=${distro_codename}-backports'
+
+  'Ubuntu':
+    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}'
+    - 'o=Ubuntu,n=${distro_codename},a=${distro_codename}-backports'
+
+  'default':
+    - 'o=${distro_id},n=${distro_codename}'
+    - 'o=${distro_id},n=${distro_codename}-backports'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__dependent_origins [[[
+#
+# List of origin patterns which can be used by other Ansible roles to add their
+# own repositories to be automatically upgraded. This list is saved in the
+# remote host Ansible local facts to avoid idempotency loops.
+unattended_upgrades__dependent_origins: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Unattended upgrade blacklists [[[
+# ---------------------------------
+
+# See :ref:`unattended_upgrades__ref_blacklist` for more details about how
+# blacklist entries can be defined.
+
+# .. envvar:: unattended_upgrades__default_blacklist [[[
+#
+# Default list of APT packages which should not be upgraded automatically.
+unattended_upgrades__default_blacklist: []
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__blacklist [[[
+#
+# List of APT packages that won't be upgraded automatically, used on all hosts.
+unattended_upgrades__blacklist: []
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__group_blacklist [[[
+#
+# List of APT packages that won't be upgraded automatically, specific to a
+# group of hosts in Ansible inventory.
+unattended_upgrades__group_blacklist: []
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__host_blacklist [[[
+#
+# List of APT packages that won't be upgraded automatically, host-specific.
+unattended_upgrades__host_blacklist: []
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__dependent_blacklist [[[
+#
+# List of APT packages that won't be upgraded automatically. This list should
+# be used by other Ansible roles through role dependencies. Its contents will
+# be saved in the remote host Ansible local facts to avoid idempotency loops.
+unattended_upgrades__dependent_blacklist: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Unattended upgrade misc options [[[
+# -----------------------------------
+
+# .. envvar:: unattended_upgrades__auto_fix_interrupted_dpkg [[[
+#
+# Automatically run :command:`dpkg --force-confold --configure -a` before
+# unattended upgrades to fix any :command:`dpkg` errors.
+unattended_upgrades__auto_fix_interrupted_dpkg: True
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__ignore_app_require_restart [[[
+#
+# The :program:`unattended-upgrade` script will automatically upgrade packages
+# that require a service restart. To disable this, set the option to ``False``.
+unattended_upgrades__ignore_app_require_restart: True
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__minimal_steps [[[
+#
+# Split the upgrades into smallest possible steps so that the upgrade process
+# can be interrupted if necessary.
+unattended_upgrades__minimal_steps: True
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__install_on_shutdown [[[
+#
+# Enable or disable unattended upgrades at the host shutdown instead of
+# performing it in the background.
+unattended_upgrades__install_on_shutdown: False
+
+# ]]]
+# .. envvar:: unattended_upgrades__mail_from [[[
+#
+# The email address used as the From: field.
+# If empty, the default specified by /usr/bin/unattended-upgrade is used.
+unattended_upgrades__mail_from: ''
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__mail_to [[[
+#
+# List of email addresses to which the :program:`unattended-upgrade` script
+# will sent the emails with upgrade results. Specify an empty list to disable.
+unattended_upgrades__mail_to: '{{ ansible_local.core.admin_private_email
+                                  | d(["root@" + ansible_domain]) }}'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__mail_only_on_error [[[
+#
+# Enable or disable an option to only send mail messages when errors occur
+# during unattended upgrades.
+unattended_upgrades__mail_only_on_error: True
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__remove_unused [[[
+#
+# Enable or disable automatic removal of the unused package dependencies after
+# unattended upgrade (:program:`apt-get autoremove`).
+unattended_upgrades__remove_unused: False
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__auto_reboot [[[
+#
+# Automatically reboot the host without confirmation after unattended upgrade
+# if any packages require it.
+unattended_upgrades__auto_reboot: False
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__auto_reboot_time [[[
+#
+# Specify the time of the automatic reboot instead of ``now``.
+unattended_upgrades__auto_reboot_time: '{{ "02:30"
+                                            if (ansible_virtualization_role in ["host", "NA"])
+                                            else ("02:%02d" | format(55 | random(seed=inventory_hostname, start=40))) }}'
+
+                                                                   # ]]]
+# .. envvar:: unattended_upgrades__bandwidth_limit [[[
+#
+# Limit the amount of bandwidth used by APT to download packages, in kb/s
+# (kilobytes per second).
+unattended_upgrades__bandwidth_limit: ''
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/meta/main.yml b/ansible_collections/debops/debops/roles/unattended_upgrades/meta/main.yml
new file mode 100644
index 00000000..cb46bd8f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski, Robin Schneider'
+  description: 'Configure unattended upgrades on Debian-based hosts'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - 'apt'
+    - 'system'
+    - 'security'
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/tasks/main.yml b/ansible_collections/debops/debops/roles/unattended_upgrades/tasks/main.yml
new file mode 100644
index 00000000..12fdeb1b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/tasks/main.yml
@@ -0,0 +1,77 @@
+---
+# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Install required packages
+  ansible.builtin.apt:
+    name: '{{ (unattended_upgrades__base_packages
+             + unattended_upgrades__packages)
+             | flatten }}'
+    state: 'present'
+    install_recommends: False
+  register: unattended_upgrades__register_packages
+  until: unattended_upgrades__register_packages is succeeded
+  when: unattended_upgrades__enabled | bool
+
+- name: Configure debconf answer
+  ansible.builtin.debconf:
+    name: 'unattended-upgrades'
+    question: 'unattended-upgrades/enable_auto_updates'
+    vtype: 'boolean'
+    value: '{{ "true" if unattended_upgrades__enabled | bool else "false" }}'
+
+- name: Configure periodic APT updates
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/20periodic.j2'
+    dest: '/etc/apt/apt.conf.d/20periodic'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: ((unattended_upgrades__periodic | bool) or
+         (ansible_local | d() and ansible_local.unattended_upgrades | d() and
+          ansible_local.unattended_upgrades.periodic | bool))
+
+- name: Configure periodic APT upgrades
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/20auto-upgrades.j2'
+    dest: '/etc/apt/apt.conf.d/20auto-upgrades'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: ((unattended_upgrades__enabled | bool) or
+         (ansible_local | d() and ansible_local.unattended_upgrades | d() and
+          ansible_local.unattended_upgrades.enabled | bool))
+
+- name: Add/remove diversion of unattended-upgrades configuration
+  debops.debops.dpkg_divert:
+    path: '/etc/apt/apt.conf.d/50unattended-upgrades'
+    state: '{{ "present" if unattended_upgrades__enabled | bool else "absent" }}'
+    delete: True
+
+- name: Configure unattended-upgrades
+  ansible.builtin.template:
+    src: 'etc/apt/apt.conf.d/50unattended-upgrades.j2'
+    dest: '/etc/apt/apt.conf.d/50unattended-upgrades'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  when: unattended_upgrades__enabled | bool
+
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Ansible local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/unattended_upgrades.fact.j2'
+    dest: '/etc/ansible/facts.d/unattended_upgrades.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags: [ 'meta::facts' ]
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades.fact.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades.fact.j2
new file mode 100644
index 00000000..5bc0615c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades.fact.j2
@@ -0,0 +1,12 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'unattended_upgrades__tpl_macros.j2' as unattended_upgrades__tpl_macros with context %}
+{{ ({
+      "enabled":   unattended_upgrades__enabled  | bool | lower,
+      "periodic":  unattended_upgrades__periodic | bool | lower,
+      "blacklist": unattended_upgrades__tpl_macros.get_blacklist_as_json() | from_yaml,
+      "origins":   unattended_upgrades__tpl_macros.get_origins_as_json()   | from_yaml,
+}) | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades__tpl_macros.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades__tpl_macros.j2
new file mode 120000
index 00000000..5871a651
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/ansible/facts.d/unattended_upgrades__tpl_macros.j2
@@ -0,0 +1 @@
+../../../unattended_upgrades__tpl_macros.j2
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20auto-upgrades.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20auto-upgrades.j2
new file mode 100644
index 00000000..595d8dac
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20auto-upgrades.j2
@@ -0,0 +1,7 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+APT::Periodic::Update-Package-Lists "{{ '1' if unattended_upgrades__enabled | bool else '0' }}";
+APT::Periodic::Unattended-Upgrade "{{ '1' if unattended_upgrades__enabled | bool else '0' }}";
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20periodic.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20periodic.j2
new file mode 100644
index 00000000..3e873080
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/20periodic.j2
@@ -0,0 +1,25 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+// {{ ansible_managed }}
+
+// Enable the update/upgrade script (0=disable)
+APT::Periodic::Enable "{{ '1' if unattended_upgrades__periodic | bool else '0' }}";
+
+// Do "apt-get update" automatically every n-days (0=disable)
+APT::Periodic::Update-Package-Lists "{{ '1' if unattended_upgrades__periodic | bool else '0' }}";
+
+// Do "apt-get upgrade --download-only" every n-days (0=disable)
+APT::Periodic::Download-Upgradeable-Packages "{{ "1" if unattended_upgrades__periodic_download | bool else '0' }}";
+
+// Do "apt-get autoclean" every n-days (0=disable)
+APT::Periodic::AutocleanInterval "{{ unattended_upgrades__periodic_autoclean }}";
+
+// Send report mail to root
+//  0:  no report             (or null string)
+//  1:  progress report       (actually any string)
+//  2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
+//  3:  + trace on
+APT::Periodic::Verbose "{{ unattended_upgrades__periodic_verbosity }}";
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
new file mode 100644
index 00000000..5e457535
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/50unattended-upgrades.j2
@@ -0,0 +1,109 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'unattended_upgrades__tpl_macros.j2' as unattended_upgrades__tpl_macros with context %}
+// {{ ansible_managed }}
+
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+Unattended-Upgrade::Origins-Pattern {
+{% set unattended_upgrades__tpl_security_origins = [] %}
+{% set unattended_upgrades__tpl_release_origins = [] %}
+{% for element in unattended_upgrades__origins_lookup  %}
+{%   if element in unattended_upgrades__security_origins.keys()
+        and not unattended_upgrades__tpl_security_origins %}
+{%     for item in unattended_upgrades__security_origins[element] %}
+{%       set _ = unattended_upgrades__tpl_security_origins.append(item) %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+{% if unattended_upgrades__release | bool %}
+{%   for element in unattended_upgrades__origins_lookup %}
+{%     if element in unattended_upgrades__release_origins.keys()
+          and not unattended_upgrades__tpl_release_origins %}
+{%       for item in unattended_upgrades__release_origins[element] %}
+{%         set _ = unattended_upgrades__tpl_release_origins.append(item) %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% set unattended_upgrades__tpl_origins = unattended_upgrades__tpl_macros.get_origins_as_json(unattended_upgrades__tpl_security_origins + unattended_upgrades__tpl_release_origins) | from_yaml %}
+{% for item in unattended_upgrades__tpl_origins %}
+        "{{ item }}";
+{% endfor %}
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+{% set unattended_upgrades__tpl_blacklist = unattended_upgrades__tpl_macros.get_blacklist_as_json(
+    unattended_upgrades__default_blacklist +
+    unattended_upgrades__blacklist +
+    unattended_upgrades__group_blacklist) | from_yaml %}
+{% for item in unattended_upgrades__tpl_blacklist %}
+        "{{ item }}";
+{% endfor %}
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+Unattended-Upgrade::AutoFixInterruptedDpkg "{{ unattended_upgrades__auto_fix_interrupted_dpkg | bool | lower }}";
+
+// By default unattended-upgrade script performs upgrades of all packages, even
+// if they require a service restart. Set this parameter to "false" to not
+// perform automatic upgrades of such services.
+Unattended-Upgrade::IgnoreAppsRequireRestart "{{ unattended_upgrades__ignore_app_require_restart | bool | lower }}";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "{{ unattended_upgrades__minimal_steps | bool | lower }}";
+
+// Install all unattended-upgrades when the machine is shutting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+Unattended-Upgrade::InstallOnShutdown "{{ unattended_upgrades__install_on_shutdown | bool | lower }}";
+
+
+{% if unattended_upgrades__mail_from %}
+// Send email FROM this address
+Unattended-Upgrade::Sender "{{ unattended_upgrades__mail_from }}";
+{% endif %}
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ unattended_upgrades__mail_to | join(',') }}";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "{{ unattended_upgrades__mail_only_on_error | bool | lower }}";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "{{ unattended_upgrades__remove_unused | bool | lower }}";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades__auto_reboot | bool | lower }}";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//  Example: "02:00"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades__auto_reboot_time }}";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+{% if unattended_upgrades__bandwidth_limit %}
+Acquire::http::Dl-Limit "{{ unattended_upgrades__bandwidth_limit }}";
+{% else %}
+//Acquire::http::Dl-Limit "70";
+{% endif %}
+
+// vim:ft=aptconf
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/unattended_upgrades__tpl_macros.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/unattended_upgrades__tpl_macros.j2
new file mode 120000
index 00000000..5871a651
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/etc/apt/apt.conf.d/unattended_upgrades__tpl_macros.j2
@@ -0,0 +1 @@
+../../../unattended_upgrades__tpl_macros.j2
\ No newline at end of file
diff --git a/ansible_collections/debops/debops/roles/unattended_upgrades/templates/unattended_upgrades__tpl_macros.j2 b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/unattended_upgrades__tpl_macros.j2
new file mode 100644
index 00000000..a46a3e42
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unattended_upgrades/templates/unattended_upgrades__tpl_macros.j2
@@ -0,0 +1,87 @@
+{# Copyright (C) 2015-2016 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2016      Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2015-2016 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+#}
+
+{% macro get_string_or_list_as_json_list(item) %}{# [[[ #}
+{{ ([ item ]
+   if (item is string)
+   else (item | list)) | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro assemble_origins_list(origins, unattended_upgrades__tpl_origins, unattended_upgrades__tpl_origins_absent) %}{# [[[ #}
+{% for item in origins %}
+{%   if item is string %}
+{%     set _ = unattended_upgrades__tpl_origins.append(item) %}
+{%   elif item is mapping %}
+{%     if item.origin | d(item.origins | d()) and "state" in item and item.state is string %}
+{%       if item.state == "present" %}
+{%         for origin in (get_string_or_list_as_json_list(item.origin | d(item.origins | d())) | from_yaml) %}
+{%           set _ = unattended_upgrades__tpl_origins.append(origin) %}
+{%         endfor %}
+{%       else %}
+{%         for origin in (get_string_or_list_as_json_list(item.origin | d(item.origins | d())) | from_yaml) %}
+{%           set _ = unattended_upgrades__tpl_origins_absent.append(origin) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   else %}
+{%     set _ = assemble_origins_list(item, unattended_upgrades__tpl_origins, unattended_upgrades__tpl_origins_absent) %}
+{%   endif %}
+{% endfor %}
+{% endmacro %}{# ]]] #}
+
+{% macro get_origins_as_json(origins=[]) %}{# [[[ #}
+{% set unattended_upgrades__tpl_origins = origins %}
+{% set unattended_upgrades__tpl_origins_absent = [] %}
+{% set _ = assemble_origins_list(
+   (origins + unattended_upgrades__origins + unattended_upgrades__dependent_origins),
+   unattended_upgrades__tpl_origins,
+   unattended_upgrades__tpl_origins_absent) %}
+{% if (ansible_local.unattended_upgrades.origins | d()) %}
+{%   for item in ansible_local.unattended_upgrades.origins %}
+{%     set _ = unattended_upgrades__tpl_origins.append(item) %}
+{%   endfor %}
+{% endif %}
+{{ unattended_upgrades__tpl_origins | difference(unattended_upgrades__tpl_origins_absent) | sort | unique | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
+
+{% macro assemble_blacklist(blacklist, unattended_upgrades__tpl_blacklist, unattended_upgrades__tpl_blacklist_absent) %}{# [[[ #}
+{% for item in blacklist %}
+{%   if item is string %}
+{%     set _ = unattended_upgrades__tpl_blacklist.append(item) %}
+{%   elif item is mapping %}
+{%     if "name" in item and "state" in item and item.state is string %}
+{%       if item.state == "present" %}
+{%         for name in (get_string_or_list_as_json_list(item.name) | from_yaml) %}
+{%           set _ = unattended_upgrades__tpl_blacklist.append(name) %}
+{%         endfor %}
+{%       else %}
+{%         for name in (get_string_or_list_as_json_list(item.name) | from_yaml) %}
+{%           set _ = unattended_upgrades__tpl_blacklist_absent.append(name) %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   else %}
+{%     set _ = assemble_blacklist(item, unattended_upgrades__tpl_blacklist, unattended_upgrades__tpl_blacklist_absent) %}
+{%   endif %}
+{% endfor %}
+{% endmacro %}{# ]]] #}
+
+{% macro get_blacklist_as_json(blacklist=[]) %}{# [[[ #}
+{% set unattended_upgrades__tpl_blacklist = [] %}
+{% set unattended_upgrades__tpl_blacklist_absent = [] %}
+{% set _ = assemble_blacklist(
+   (blacklist + unattended_upgrades__dependent_blacklist),
+   unattended_upgrades__tpl_blacklist,
+   unattended_upgrades__tpl_blacklist_absent) %}
+{% if (ansible_local.unattended_upgrades.blacklist | d()) %}
+{%   for item in ansible_local.unattended_upgrades.blacklist %}
+{%     set _ = unattended_upgrades__tpl_blacklist.append(item) %}
+{%   endfor %}
+{% endif %}
+{{ unattended_upgrades__tpl_blacklist | difference(unattended_upgrades__tpl_blacklist_absent) | sort | unique | to_nice_yaml }}
+{% endmacro %}{# ]]] #}
diff --git a/ansible_collections/debops/debops/roles/unbound/COPYRIGHT b/ansible_collections/debops/debops/roles/unbound/COPYRIGHT
new file mode 100644
index 00000000..83da80f0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.unbound - Manage Unbound, local DNS resolver
+
+Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This repository is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/unbound/defaults/main.yml b/ansible_collections/debops/debops/roles/unbound/defaults/main.yml
new file mode 100644
index 00000000..0c2afa4f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/defaults/main.yml
@@ -0,0 +1,269 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _unbound__ref_defaults:
+
+# debops.unbound default variables [[[
+# ====================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: unbound__base_packages [[[
+#
+# List of default APT packages to install for Unbound support.
+unbound__base_packages: [ 'unbound' ]
+
+                                                                   # ]]]
+# .. envvar:: unbound__packages [[[
+#
+# List of additional APT packages to install with Unbound.
+unbound__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Server (main) configuration [[[
+# -------------------------------
+
+# These variables can be used to configure main :command:`unbound`
+# configuration options. See :ref:`unbound__ref_server` for more details.
+
+# .. envvar:: unbound__default_server [[[
+#
+# The default Unbound 'server' configuration defined by the role.
+unbound__default_server:
+
+  - name: 'localhost-allow_snoop'
+    option: 'access-control'
+    comment: |
+      By default unbound blocks non-recursive queries to prevent abuse; this
+      prevents commands like 'dig +trace' from working correctly. Since query
+      tracing is a useful debugging and diagnostic tool, non-recursive queries
+      will be allowed when the host is managed locally with assumption that
+      this is an administrator's machine.
+    value:
+
+      - name: '127.0.0.0/8'
+        args: 'allow_snoop'
+
+      - name: '::1/128'
+        args: 'allow_snoop'
+
+    state: '{{ "present"
+               if (unbound__fact_ansible_connection == "local")
+               else "ignore" }}'
+
+                                                                   # ]]]
+# .. envvar:: unbound__server [[[
+#
+# The Unbound 'server' configuration which should be present on all hosts in
+# the Ansible inventory.
+unbound__server: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__group_server [[[
+#
+# The Unbound 'server' configuration which should be present on hosts in
+# a specific Ansible inventory group.
+unbound__group_server: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__host_server [[[
+#
+# The Unbound 'server' configuration which should be present on specific hosts
+# in the Ansible inventory.
+unbound__host_server: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__combined_server [[[
+#
+# This variable combines the 'server' configuration from other variables and
+# passes it to the configuration file template.
+unbound__combined_server: '{{ unbound__default_server
+                              + unbound__server
+                              + unbound__group_server
+                              + unbound__host_server }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Remote control configuration [[[
+# --------------------------------
+
+# These variables can be used to configure :command:`unbound-control`
+# configuration options. The syntax is the same as the 'server' configuration.
+# See :ref:`unbound__ref_server` for more details.
+
+# .. envvar:: unbound__default_remote_control [[[
+#
+# The default 'remote-control' configuration defined by the role.
+unbound__default_remote_control:
+
+  # On Debian Buster, remote control is disabled by default
+  - name: 'control-enable'
+    comment: |
+      Enable remote control of the 'unbound' daemon by default. This is needed
+      for the 'systemctl reload unbound.service' command to work correctly.
+    value: True
+
+                                                                   # ]]]
+# .. envvar:: unbound__remote_control [[[
+#
+# The Unbound 'remote-control' configuration which should be present on all
+# hosts in the Ansible inventory.
+unbound__remote_control: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__group_remote_control [[[
+#
+# The Unbound 'remote-control' configuration which should be present on hosts
+# in a specific Ansible inventory group.
+unbound__group_remote_control: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__host_remote_control [[[
+#
+# The Unbound 'remote-control' configuration which should be present on
+# specific hosts in the Ansible inventory.
+unbound__host_remote_control: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__combined_remote_control [[[
+#
+# This variable combines the 'remote-control' configuration from other
+# variables and passes it to the configuration file template.
+unbound__combined_remote_control: '{{ unbound__default_remote_control
+                                      + unbound__remote_control
+                                      + unbound__group_remote_control
+                                      + unbound__host_remote_control }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom forward/stub DNS zones [[[
+# ---------------------------------
+
+# These variables configure custom 'forward' or 'stub' DNS zones served by
+# Unbound. See :ref:`unbound__ref_zones` for more details.
+
+# .. envvar:; unbound__default_zones [[[
+#
+# List of forward or stub DNS zones defined by the role.
+unbound__default_zones:
+
+  - name: 'block-dns-over-https'
+    comment: |
+      Blocking the 'use-application-dns.net' domain instructs the applications
+      that support DNS over HTTPS to not use it and rely on the system resolver
+      instead. This might be required for certain applications to support
+      access to internal services, resolve split-DNS correctly, etc.
+
+      Ref: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
+    zone: 'use-application-dns.net.'
+    type: 'local'
+    local_zone_type: 'always_nxdomain'
+
+  - name: 'lxc-net'
+    comment: |
+      Support for resolving LXC container hosts that use the 'lxc-net' bridge
+      configuration
+    zone: '{{ (ansible_local.lxc.net_domain + ".")
+              if (ansible_local.lxc.net_domain | d())
+              else "" }}'
+    revdns: '{{ ansible_local.lxc.net_subnet | d("") }}'
+    nameserver: '{{ ansible_local.lxc.net_address | d("") }}'
+    state: '{{ "present"
+               if (ansible_local.lxc.net_domain | d())
+               else "absent" }}'
+
+  # Ref: https://learn.hashicorp.com/consul/security-networking/forwarding#unbound-setup
+  - name: 'consul'
+    comment: |
+      Support for Consul Agent DNS service on localhost
+      Ref: https://www.consul.io/docs/agent/dns.html
+    zone: 'consul.'
+    type: 'stub'
+    options:
+      - 'stub-addr': '127.0.0.1@8600'
+    server_options:
+      - 'do-not-query-localhost': False
+      - 'domain-insecure': 'consul.'
+    state: '{{ "present"
+               if (ansible_local | d() and ansible_local.consul | d() and
+                   (ansible_local.consul.installed | d()) | bool)
+               else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: unbound__zones [[[
+#
+# List of forward or stub DNS zones which should be defined on all hosts in the
+# Ansible inventory.
+unbound__zones: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__group_zones [[[
+#
+# List of forward or stub DNS zones which should be defined on hosts in
+# specific Ansible inventory group.
+unbound__group_zones: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__host_zones [[[
+#
+# List of forward or stub DNS zones which should be defined on specific hosts
+# in the Ansible inventory.
+unbound__host_zones: []
+
+                                                                   # ]]]
+# .. envvar:: unbound__combined_zones [[[
+#
+# The variable that combines the zone configuration from other variables.
+unbound__combined_zones: '{{ unbound__default_zones
+                             + unbound__zones
+                             + unbound__group_zones
+                             + unbound__host_zones }}'
+
+                                                                   # ]]]
+# .. envvar:: unbound__parsed_zones [[[
+#
+# The variable that parses the combined zone configuration and is used in the
+# Ansible tasks to manage the DNS zone files.
+unbound__parsed_zones: '{{ unbound__combined_zones
+                                | debops.debops.parse_kv_items(merge_keys=["server_options"]) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: unbound__python__dependent_packages3 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+unbound__python__dependent_packages3:
+
+  - 'python3-unbound'
+
+                                                                   # ]]]
+# .. envvar:: unbound__python__dependent_packages2 [[[
+#
+# Configuration for the :ref:`debops.python` Ansible role.
+unbound__python__dependent_packages2:
+
+  - 'python-unbound'
+
+                                                                   # ]]]
+# .. envvar:: unbound__etc_services__dependent_list [[[
+#
+# Configuration for the :ref:`debops.etc_services`.
+unbound__etc_services__dependent_list:
+
+  - name: 'unbound-ctrl'
+    port: '8953'
+    comment: 'Unbound control service'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/unbound/meta/main.yml b/ansible_collections/debops/debops/roles/unbound/meta/main.yml
new file mode 100644
index 00000000..3380f339
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/meta/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install and configure Unbound, local DNS resolver'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.3.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - dns
+    - dnssec
diff --git a/ansible_collections/debops/debops/roles/unbound/tasks/main.yml b/ansible_collections/debops/debops/roles/unbound/tasks/main.yml
new file mode 100644
index 00000000..86e19a18
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/tasks/main.yml
@@ -0,0 +1,106 @@
+---
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Create a fact that knows the Ansible connection type
+  ansible.builtin.set_fact:
+    unbound__fact_ansible_connection: '{{ ansible_connection }}'
+
+- name: Create Unbound configuration directory
+  ansible.builtin.file:
+    path: '/etc/unbound/unbound.conf.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Remove Unbound server configuration
+  ansible.builtin.file:
+    path: '/etc/unbound/unbound.conf.d/ansible-server.conf'
+    state: 'absent'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: not unbound__combined_server | d()
+
+- name: Remove Unbound remote control configuration
+  ansible.builtin.file:
+    path: '/etc/unbound/unbound.conf.d/ansible-remote-control.conf'
+    state: 'absent'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: not unbound__combined_remote_control | d()
+
+- name: Generate Unbound server configuration
+  ansible.builtin.template:
+    src: 'etc/unbound/unbound.conf.d/ansible-server.conf.j2'
+    dest: '/etc/unbound/unbound.conf.d/ansible-server.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: unbound__combined_server | d()
+
+- name: Generate Unbound remote control configuration
+  ansible.builtin.template:
+    src: 'etc/unbound/unbound.conf.d/ansible-remote-control.conf.j2'
+    dest: '/etc/unbound/unbound.conf.d/ansible-remote-control.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: unbound__combined_remote_control | d()
+
+- name: Remove DNS zones if requested
+  ansible.builtin.file:
+    path: '/etc/unbound/unbound.conf.d/zone_{{ item.name }}.conf'
+    state: 'absent'
+  loop: '{{ q("flattened", unbound__parsed_zones) }}'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: item.name | d() and item.state | d('present') == 'absent'
+
+- name: Configure DNS zones
+  ansible.builtin.template:
+    src: 'etc/unbound/unbound.conf.d/zone.conf.j2'
+    dest: '/etc/unbound/unbound.conf.d/zone_{{ item.name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop: '{{ q("flattened", unbound__parsed_zones) }}'
+  notify: [ 'Check unbound configuration and reload' ]
+  when: item.name | d() and item.state | d('present') != 'absent'
+
+- name: Install unbound APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (unbound__base_packages
+                              + unbound__packages)) }}'
+    state: 'present'
+  register: unbound__register_packages
+  until: unbound__register_packages is succeeded
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+
+- name: Save Unbound local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/unbound.fact.j2'
+    dest: '/etc/ansible/facts.d/unbound.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/unbound/templates/etc/ansible/facts.d/unbound.fact.j2 b/ansible_collections/debops/debops/roles/unbound/templates/etc/ansible/facts.d/unbound.fact.j2
new file mode 100644
index 00000000..8c0f5e37
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/templates/etc/ansible/facts.d/unbound.fact.j2
@@ -0,0 +1,18 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import load, loads, dumps
+from sys import exit
+
+output = loads('''{{ ({
+    "installed": true
+}) | to_nice_json }}''')
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-remote-control.conf.j2 b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-remote-control.conf.j2
new file mode 100644
index 00000000..b37b8c22
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-remote-control.conf.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'macros.j2' as get with context %}
+# {{ ansible_managed }}
+
+{% set unbound__tpl_remote_control = (unbound__combined_remote_control | debops.debops.parse_kv_config) %}
+remote-control:
+{% for element in unbound__tpl_remote_control %}
+{%   set element_name = (element.option | d(element.name)) %}
+{%   if element.state | d('present') != 'absent' %}
+{%     if element.comment | d() %}
+
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') | indent(4, true) }}
+{%       if element.state | d('present') == 'hidden' %}
+
+{%       endif %}
+{%     elif element.separator is defined and element.separator | bool %}
+
+{%     endif %}
+{%     if element.value is not string and element.value is not mapping %}
+{{ get.print_option(element_name, element.value) -}}
+{%     else %}
+{{ get.print_option(element_name, [{'name': element.value}]) -}}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-server.conf.j2 b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-server.conf.j2
new file mode 100644
index 00000000..4cd39370
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/ansible-server.conf.j2
@@ -0,0 +1,28 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% import 'macros.j2' as get with context %}
+# {{ ansible_managed }}
+
+{% set unbound__tpl_server = (unbound__combined_server | debops.debops.parse_kv_config) %}
+server:
+{% for element in unbound__tpl_server %}
+{%   set element_name = (element.option | d(element.name)) %}
+{%   if element.state | d('present') != 'absent' %}
+{%     if element.comment | d() %}
+
+{{ element.comment | regex_replace('\n$','') | comment(prefix='', postfix='') | indent(4, true) }}
+{%       if element.state | d('present') == 'hidden' %}
+
+{%       endif %}
+{%     elif element.separator is defined and element.separator | bool %}
+
+{%     endif %}
+{%     if element.value is not string and element.value is not mapping %}
+{{ get.print_option(element_name, element.value) -}}
+{%     else %}
+{{ get.print_option(element_name, [{'name': element.value}]) -}}
+{%     endif %}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/macros.j2 b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/macros.j2
new file mode 100644
index 00000000..7006a728
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/macros.j2
@@ -0,0 +1,63 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% macro print_option(option_name, option_values, value_indent='30') %}
+{%   if option_values | bool and option_values is not iterable %}
+{%     if option_values | int and option_values | string != 'True' %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', option_values) }}
+{%     else %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', 'yes') }}
+{%     endif %}
+{%   elif not option_values | bool and option_values is not iterable %}
+{%     if option_values is not none %}
+{%       if option_values | int or option_values | string == '0' %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', option_values) }}
+{%       else %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', 'no') }}
+{%       endif %}
+{%     endif %}
+{%   elif option_values is string %}
+{%     if option_values | ansible.utils.ipaddr %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', option_values) }}
+{%     elif ('@' in option_values and option_values.split('@')[0] | ansible.utils.ipaddr and option_values.split('@')[1] | int) %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', option_values) }}
+{%     elif '"' in option_values %}
+{{ ("    {:<" + value_indent + "} '{}'").format(option_name + ':', option_values) }}
+{%     else %}
+{{ ('    {:<' + value_indent + '} "{}"').format(option_name + ':', option_values) }}
+{%     endif %}
+{%   elif option_values is not string and option_values is not mapping %}
+{%     for value in ([ option_values ] if option_values is mapping else option_values) %}
+{%       set option_args = '' %}
+{%       if value.args is defined and value.args is string %}
+{%         set option_args = value.args %}
+{%       endif %}
+{%       if value.name | bool and value.name is not iterable %}
+{%         if value.name | int and value.name | string != 'True' %}
+{{ ('    {:<' + value_indent + '} {}{}').format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%         else %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', 'yes') }}
+{%         endif %}
+{%       elif not value.name | bool and value.name is not iterable %}
+{%         if value.name is not none %}
+{%           if value.name | int or value.name | string == '0' %}
+{{ ('    {:<' + value_indent + '} {}{}').format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%           else %}
+{{ ('    {:<' + value_indent + '} {}').format(option_name + ':', 'no') }}
+{%           endif %}
+{%         endif %}
+{%       elif value.name is string %}
+{%         if value.name | ansible.utils.ipaddr %}
+{{ ('    {:<' + value_indent + '} {}{}').format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%         elif ('@' in value.name and value.name.split('@')[0] | ansible.utils.ipaddr and value.name.split('@')[1] | int) %}
+{{ ('    {:<' + value_indent + '} {}{}').format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%         elif '"' in value.name %}
+{{ ("    {:<" + value_indent + "} '{}'{}").format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%         else %}
+{{ ('    {:<' + value_indent + '} "{}"{}').format(option_name + ':', value.name, (' ' + option_args) if option_args else '') }}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
diff --git a/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/zone.conf.j2 b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/zone.conf.j2
new file mode 100644
index 00000000..fb7754f2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/unbound/templates/etc/unbound/unbound.conf.d/zone.conf.j2
@@ -0,0 +1,212 @@
+{# Copyright (C) 2017 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% set unbound__tpl_ipv4_revdns_zones = [] %}
+{% set unbound__tpl_local_zones = [] %}
+{% set unbound__tpl_nameservers = [] %}
+{% if item.revdns | d() %}
+{%   for entry in ([ item.revdns ] if item.revdns is string else item.revdns) | ansible.utils.ipv4('subnet') %}
+{#
+ # This currently doesn't work properly for subnet sizes < 16
+ # due to netaddr library always returning /24 revdns delegation
+#}
+{%     if (entry | ansible.utils.ipaddr('prefix') | int <= 15) %}
+{%       set subnet_prefix = '16' %}
+{%     elif (entry | ansible.utils.ipaddr('prefix') | int <= 24) %}
+{%       set subnet_prefix = '24' %}
+{%     else %}
+{%       set subnet_prefix = '24' %}
+{%     endif %}
+{%     for i in range(0, (entry | ansible.utils.ipsubnet(subnet_prefix) | int)) %}
+{%       set _ = unbound__tpl_ipv4_revdns_zones.append((entry | ansible.utils.ipsubnet(subnet_prefix, i) | ansible.utils.ipaddr('revdns')).split('.')[1:-1] | join('.')) %}
+{%     endfor %}
+{%   endfor %}
+{%   set unbound__tpl_local_zones = item.revdns | ansible.utils.ipaddr("private") %}
+{% endif %}
+{% if item.nameserver | d() %}
+{%   for entry in ([ item.nameserver ] if item.nameserver is string else item.nameserver) %}
+{%     set _ = unbound__tpl_nameservers.append(entry) %}
+{%   endfor %}
+{% endif %}
+{% if item.nameservers | d() %}
+{%   for entry in ([ item.nameservers ] if item.nameservers is string else item.nameservers) %}
+{%     set _ = unbound__tpl_nameservers.append(entry) %}
+{%   endfor %}
+{% endif %}
+{% macro print_private_domain(config) %}
+{%   set real_zone_name = (config.zone | d(config.name)) %}
+{%   set zone_name = (real_zone_name + ('.' if not real_zone_name.endswith('.') else '')) %}
+    private-domain: "{{ zone_name }}"
+{% endmacro %}
+{% macro print_domain_insecure(config) %}
+{%   set real_zone_name = (config.zone | d(config.name)) %}
+{%   set zone_name = (real_zone_name + ('.' if not real_zone_name.endswith('.') else '')) %}
+    domain-insecure: "{{ zone_name }}"
+{% endmacro %}
+{% macro print_local_zone(config) %}
+{%   set real_zone_name = (config.zone | d(config.name)) %}
+{%   set zone_name = (real_zone_name + ('.' if not real_zone_name.endswith('.') else '')) %}
+    local-zone: "{{ zone_name }}" {{ item.local_zone_type | d('transparent') }}
+{% endmacro %}
+{% macro print_zone(config) %}
+{%   set real_zone_name = (config.zone | d(config.name)) %}
+{%   set zone_name = (real_zone_name + ('.' if not real_zone_name.endswith('.') else '')) %}
+{%   if config.type | d('forward') == 'local' %}
+server:
+    local-zone: "{{ (zone_name | regex_replace('\n$','') | regex_replace('\.$','')) + '.' }}" {{ config.local_zone_type | d('static') }}
+{%     if config.local_zone_data | d() %}
+{%       for record in ([ config.local_zone_data ] if (config.local_zone_data is string) else config.local_zone_data) %}
+    local-data: "{{ ((zone_name | regex_replace('\n$','') | regex_replace('\.$','')) + '. ') + record | regex_replace('\n$','') }}"
+{%       endfor %}
+{%     endif %}
+{%   else %}
+{{ config.type | d('forward') }}-zone:
+    name: "{{ zone_name }}"
+{%   endif %}
+{%   if unbound__tpl_nameservers %}
+{%     for entry in unbound__tpl_nameservers %}
+    {{ config.type | d('forward') }}-addr: {{ entry }}
+{%     endfor %}
+{%   endif %}
+{%   if config.options | d() %}
+{%     for element in config.options %}
+{%       set element_name = (element.option | d(element.name)) %}
+{%       set element_state = (element.state | d('present')) %}
+{%       if element.value is defined %}
+{%         if element.value | bool and element.value is not iterable %}
+{%           if element.value | int and element.value | string != 'True' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'yes' %}
+{%           endif %}
+{%         elif not element.value | bool and element.value is not iterable %}
+{%           if element.value is not none %}
+{%             if element.value | int or element.value | string == '0' %}
+{%               set element_value = element.value %}
+{%             else %}
+{%               set element_value = 'no' %}
+{%             endif %}
+{%           endif %}
+{%         elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%           set element_value = [] %}
+{%           for option in element.value %}
+{%             if option.state | d('present') != 'absent' %}
+{%               set _ = element_value.append(option.name) %}
+{%             endif %}
+{%           endfor %}
+{%         else %}
+{%           set element_value = element.value %}
+{%         endif %}
+{%       else %}
+{%         set element_value = [] %}
+{%       endif %}
+{%       if element_state != 'absent' %}
+{%         if element_value is not string and element_value is not mapping and element_value is iterable %}
+{%           for thing in element_value %}
+{{ '    {} {}'.format(element_name + ':', thing) }}
+{%           endfor %}
+{%         else %}
+{{ '    {} {}'.format(element_name + ':', element_value) }}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if config.server_options | d() %}
+
+server:
+{%     for element in config.server_options %}
+{%       set element_name = (element.option | d(element.name)) %}
+{%       set element_state = (element.state | d('present')) %}
+{%       if element.value is defined %}
+{%         if element.value | bool and element.value is not iterable %}
+{%           if element.value | int and element.value | string != 'True' %}
+{%             set element_value = element.value %}
+{%           else %}
+{%             set element_value = 'yes' %}
+{%           endif %}
+{%         elif not element.value | bool and element.value is not iterable %}
+{%           if element.value is not none %}
+{%             if element.value | int or element.value | string == '0' %}
+{%               set element_value = element.value %}
+{%             else %}
+{%               set element_value = 'no' %}
+{%             endif %}
+{%           endif %}
+{%         elif element.value is not string and element.value is not mapping and element.value is iterable %}
+{%           set element_value = [] %}
+{%           for option in element.value %}
+{%             if option.state | d('present') != 'absent' %}
+{%               set _ = element_value.append(option.name) %}
+{%             endif %}
+{%           endfor %}
+{%         else %}
+{%           set element_value = element.value %}
+{%         endif %}
+{%       else %}
+{%         set element_value = [] %}
+{%       endif %}
+{%       if element_state != 'absent' %}
+{%         if element_value is not string and element_value is not mapping and element_value is iterable %}
+{%           for thing in element_value %}
+{{ '    {} {}'.format(element_name + ':', thing) }}
+{%           endfor %}
+{%         else %}
+{{ '    {} {}'.format(element_name + ':', element_value) }}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endmacro %}
+{% if item.comment | d() %}
+{{ item.comment | regex_replace('\n$','') | comment(prefix='', postfix='') }}
+{% endif %}
+{% if unbound__tpl_local_zones %}
+{%   if (item.private_domain | d(True)) | bool %}
+server:
+{{ print_private_domain(item) -}}
+{%     if unbound__tpl_ipv4_revdns_zones %}
+{%       for zone in unbound__tpl_ipv4_revdns_zones %}
+{%         set mangled_zone = item.copy() %}
+{%         set _ = mangled_zone.update({'zone': zone}) %}
+{{ print_private_domain(mangled_zone) -}}
+{%       endfor %}
+{%     endif %}
+
+{%   endif %}
+{%   if (item.domain_insecure | d(True)) | bool %}
+server:
+{{ print_domain_insecure(item) -}}
+{%     if unbound__tpl_ipv4_revdns_zones %}
+{%       for zone in unbound__tpl_ipv4_revdns_zones %}
+{%         set mangled_zone = item.copy() %}
+{%         set _ = mangled_zone.update({'zone': zone}) %}
+{{ print_domain_insecure(mangled_zone) -}}
+{%       endfor %}
+{%     endif %}
+
+{%   endif %}
+{%   if (item.local_zone | d(True)) | bool %}
+server:
+{{ print_local_zone(item) -}}
+{%     if unbound__tpl_ipv4_revdns_zones %}
+{%       for zone in unbound__tpl_ipv4_revdns_zones %}
+{%         set mangled_zone = item.copy() %}
+{%         set _ = mangled_zone.update({'zone': zone}) %}
+{{ print_local_zone(mangled_zone) -}}
+{%       endfor %}
+{%     endif %}
+
+{%   endif %}
+{% endif %}
+{{ print_zone(item) -}}
+{% if unbound__tpl_ipv4_revdns_zones %}
+{%   for zone in unbound__tpl_ipv4_revdns_zones %}
+{%     set mangled_zone = item.copy() %}
+{%     set _ = mangled_zone.update({'zone': zone}) %}
+
+{{ print_zone(mangled_zone) -}}
+{%   endfor %}
+{% endif %}
diff --git a/ansible_collections/debops/debops/roles/users/COPYRIGHT b/ansible_collections/debops/debops/roles/users/COPYRIGHT
new file mode 100644
index 00000000..2621a8a0
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.users - Manage local users and groups using Ansible
+
+Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2014-2019 <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/users/defaults/main.yml b/ansible_collections/debops/debops/roles/users/defaults/main.yml
new file mode 100644
index 00000000..03aa5787
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/defaults/main.yml
@@ -0,0 +1,205 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2014-2019 <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _users__ref_defaults:
+
+# debops.users default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# Global defaults [[[
+# -------------------
+
+# .. envvar:: users__enabled [[[
+#
+# Should Ansible manage local user accounts? Set to False to disable.
+users__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: users__acl_enabled [[[
+#
+# Enable or disable support for filesystem ACL management.
+users__acl_enabled: '{{ True if ("acl" in users__base_packages) else False }}'
+
+                                                                   # ]]]
+# .. envvar:: users__default_shell [[[
+#
+# Specify absolute path of the shell which should be configured on all user
+# accounts managed by this role, if not overridden by the user configuration. If
+# not specified, the shell won't be changed, but new accounts will not have
+# a defined shell either.
+users__default_shell: ''
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: users__shell_package_map [[[
+#
+# YAML dictionary that maps known shells used in the :file:`/etc/passwd`
+# database to the APT packages with these shells. The role will install missing
+# shell packages if any users have them as their login shells.
+users__shell_package_map:
+  '/bin/bash':     'bash'
+  '/bin/csh':      'csh'
+  '/usr/bin/fish': 'fish'
+  '/bin/ksh':      'ksh'
+  '/bin/zsh':      'zsh'
+
+                                                                   # ]]]
+# .. envvar:: users__base_packages [[[
+#
+# List of base APT packages to install.
+users__base_packages: [ 'acl' ]
+
+                                                                   # ]]]
+# .. envvar:: users__shell_packages [[[
+#
+# List of login shell APT packages expected on the host.
+users__shell_packages: '{{ lookup("template", "lookup/users__shell_packages.j2") | from_yaml }}'
+
+                                                                   # ]]]
+# .. envvar:: users__packages [[[
+#
+# List of custom packages to install.
+users__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Home directories [[[
+# --------------------
+
+# .. envvar:: users__default_home_mode [[[
+#
+# The default set of permissions for the home directories, specified in octal.
+# It can be overridden on a per-account basis with the ``item.home_mode``
+# parameter.
+users__default_home_mode: '0751'
+                                                                   # ]]]
+                                                                   # ]]]
+# Chroot account status [[[
+# -------------------------
+
+# .. envvar:: users__chroot_groups [[[
+#
+# List of UNIX groups in which a chrooted UNIX account should be included. This
+# depends on the configuration of the OpenSSH service, see :ref:`debops.sshd`
+# for more details.
+users__chroot_groups: [ 'sftponly' ]
+
+                                                                   # ]]]
+# .. envvar:: users__chroot_shell [[[
+#
+# The shell used for chrooted UNIX accounts if none is specified.
+users__chroot_shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# User configuration files (dotfiles) [[[
+# ---------------------------------------
+
+# These variables are used to manage the user configuration files (dotfiles).
+
+# .. envvar:: users__dotfiles_enabled [[[
+#
+# Enable or disable management of user dotfiles via :command:`yadm` script. See
+# the :ref:`debops.yadm` role for script installation and dotfile mirroring.
+users__dotfiles_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: users__dotfiles_repo [[[
+#
+# An URL or an absolute path on the remote host to the :command:`git` dotfiles
+# repository. The repository will be used by default if the dotfiles management
+# is enabled without specifying a custom repository for the user.
+users__dotfiles_repo: '{{ ansible_local.yadm.dotfiles | d("") }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Lists of managed UNIX groups and accounts [[[
+# ---------------------------------------------
+
+# These lists can be used to manage UNIX groups as well as UNIX accounts
+# through the Ansible inventory. See :ref:`users__ref_accounts` for more
+# details.
+
+# .. envvar:: users__groups [[[
+#
+# List of UNIX groups to manage on all hosts in Ansible inventory.
+users__groups: []
+
+                                                                   # ]]]
+# .. envvar:: users__group_groups [[[
+#
+# List of UNIX groups to manage on hosts in specific Ansible inventory group.
+users__group_groups: []
+
+                                                                   # ]]]
+# .. envvar:: users__host_groups [[[
+#
+# List of UNIX groups to manage on specific hosts in Ansible inventory.
+users__host_groups: []
+
+                                                                   # ]]]
+# .. envvar:: users__dependent_groups [[[
+#
+# List of UNIX groups to manage on the current playbook host. This variable is
+# meant to be used from a role dependency in :file:`role/meta/main.yml` or in
+# a playbook.
+users__dependent_groups: []
+
+                                                                   # ]]]
+# .. envvar:: users__default_accounts [[[
+#
+# List of default UNIX user accounts managed by Ansible.
+users__default_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: users__accounts [[[
+#
+# List of user accounts to manage on all hosts in Ansible inventory.
+users__accounts: []
+
+                                                                   # ]]]
+# .. envvar:: users__group_accounts [[[
+#
+# List of UNIX user accounts to manage on hosts in specific Ansible inventory
+# group.
+users__group_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: users__host_accounts [[[
+#
+# List of UNIX user accounts to manage on specific hosts in Ansible inventory.
+users__host_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: users__dependent_accounts [[[
+#
+# List of user accounts to manage on the current playbook host. This variable
+# is meant to be used from a role dependency in :file:`role/meta/main.yml` or
+# in a playbook.
+users__dependent_accounts: []
+
+                                                                   # ]]]
+# .. envvar:: users__combined_accounts [[[
+#
+# This variable combines other group and account variables together and is used
+# in the role tasks and templates.
+users__combined_accounts: '{{ users__groups
+                              + users__group_groups
+                              + users__host_groups
+                              + users__dependent_groups
+                              + users__default_accounts
+                              + users__accounts
+                              + users__group_accounts
+                              + users__host_accounts
+                              + users__dependent_accounts }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/users/meta/main.yml b/ansible_collections/debops/debops/roles/users/meta/main.yml
new file mode 100644
index 00000000..7b3ff1c7
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/meta/main.yml
@@ -0,0 +1,31 @@
+---
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2022 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Create and manage user accounts using Ansible inventory'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - users
+    - groups
diff --git a/ansible_collections/debops/debops/roles/users/tasks/main.yml b/ansible_collections/debops/debops/roles/users/tasks/main.yml
new file mode 100644
index 00000000..26a77ed9
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/tasks/main.yml
@@ -0,0 +1,411 @@
+---
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2019 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Install required packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (users__base_packages
+                              + users__shell_packages
+                              + users__packages)) }}'
+    state: 'present'
+  register: users__register_packages
+  until: users__register_packages is succeeded
+  when: users__enabled | bool
+
+- name: DebOps pre_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'users/pre_main.yml') }}"
+
+- name: Create user groups
+  ansible.builtin.group:
+    name:   '{{ item.group | d(item.name) }}'
+    system: '{{ item.system | d(False if (item.user | d(True)) | bool else True) }}'
+    gid:    '{{ item.gid | d(omit) }}'
+    state: 'present'
+    local: '{{ item.local | d(True if (item.user | d(True)) | bool else False) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.group | d(item.name)),
+                "state": item.state | d("present")} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') != 'absent' and (item.private_group | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Gather information about existing remote users
+  ansible.builtin.getent:
+    database: 'passwd'
+
+- name: Manage user accounts
+  ansible.builtin.user:
+    name:               '{{ item.name }}'
+    group:              '{{ item.group | d(item.name) }}'
+    home:               '{{ item.home
+                            | d((getent_passwd[item.name][4])
+                                if (getent_passwd[item.name] | d())
+                                else omit) }}'
+    uid:                '{{ item.uid | d(omit) }}'
+    state:              '{{ item.state | d("present") }}'
+    comment:            '{{ item.comment | d(omit) }}'
+    password:           '{{ item.password | d("*") }}'
+    update_password:    '{{ item.update_password | d("on_create") }}'
+    system:             '{{ item.system | d(omit) }}'
+    shell:              '{{ item.shell | d(users__chroot_shell
+                                           if (item.chroot | d()) | bool
+                                           else (users__default_shell
+                                                 if users__default_shell | d()
+                                                 else omit)) }}'
+    create_home:        '{{ item.create_home | d(omit) }}'
+    move_home:          '{{ item.move_home | d(omit) }}'
+    skeleton:           '{{ item.skeleton | d(omit) }}'
+    expires:            '{{ item.expires | d(omit) }}'
+    remove:             '{{ item.remove | d(omit) }}'
+    force:              '{{ item.force | d(omit) }}'
+    non_unique:         '{{ item.non_unique | d(omit) }}'
+    generate_ssh_key:   '{{ item.generate_ssh_key | d(omit) }}'
+    ssh_key_bits:       '{{ item.ssh_key_bits | d(omit) }}'
+    ssh_key_comment:    '{{ item.ssh_key_comment | d(omit) }}'
+    ssh_key_file:       '{{ item.ssh_key_file | d(omit) }}'
+    ssh_key_passphrase: '{{ item.ssh_key_passphrase | d(omit) }}'
+    ssh_key_type:       '{{ item.ssh_key_type | d(omit) }}'
+    local:              '{{ item.local | d(True) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"), "gecos": item.comment | d()} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['ignore'] and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Gather information about existing remote groups
+  ansible.builtin.getent:
+    database: 'group'
+
+  # libuser does not support supplemental groups
+  # Ref: https://github.com/ansible/ansible/issues/48722
+- name: Manage additional UNIX groups for UNIX accounts
+  ansible.builtin.user:
+    name:         '{{ item.name }}'
+    groups:       '{{ (((([item.groups]
+                          if (item.groups is string)
+                          else item.groups)
+                         if (item.groups is defined)
+                         else [])
+                        + (users__chroot_groups
+                           if ((item.chroot | d()) | bool)
+                           else []))
+                       | intersect(getent_group.keys()))
+                      if (item.groups is defined or (item.chroot | d()) | bool)
+                      else omit }}'
+    append:       '{{ item.append | d(True) }}'
+    state:        '{{ item.state | d("present") }}'
+    create_home:  '{{ item.create_home | d(omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"), "gecos": item.comment | d(),
+                "groups": item.groups | d()} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['ignore'] and
+         (item.groups | d() or (item.chroot | d()) | bool) and
+         (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Manage user home directories
+  ansible.builtin.file:
+    path: '{{ item.home
+              | d(((getent_passwd[item.name][4])
+                   if (getent_passwd[item.name] | d())
+                   else ("~" + item.name))
+                  if ((item.create_home | d(True)) | bool)
+                  else omit) }}'
+    state: 'directory'
+    owner: '{{ item.home_owner | d("root" if ((item.chroot | d()) | bool) else omit) }}'
+    group: '{{ item.home_group | d(omit) }}'
+    mode:  '{{ item.home_mode | d(users__default_home_mode if (item.local | d(True)) | bool else omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"),
+                "home": (item.home | d(((getent_passwd[item.name][4])
+                                        if (getent_passwd[item.name] | d())
+                                        else ("~" + item.name))
+                                       if ((item.create_home | d(True)) | bool)
+                                       else ""))} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and item.create_home | d(True) and
+         (item.home_owner | d() or item.home_group | d() or item.home_mode | d() or (item.local | d(True)) | bool) and
+         (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Manage home directory ACLs
+  ansible.posix.acl:
+    path:        '{{ item.0.home
+                     | d(((getent_passwd[item.0.name][4])
+                          if (getent_passwd[item.0.name] | d())
+                          else ("~" + item.0.name))
+                         if ((item.0.create_home | d(True)) | bool)
+                         else omit) }}'
+    default:     '{{ item.1.default | d(omit) }}'
+    entity:      '{{ item.1.entity | d(omit) }}'
+    entry:       '{{ item.1.entry | d(omit) }}'
+    etype:       '{{ item.1.etype | d(omit) }}'
+    permissions: '{{ item.1.permissions | d(omit) }}'
+    follow:      '{{ item.1.follow | d(omit) }}'
+    recursive:   '{{ item.1.recursive | d(omit) }}'
+    state:       '{{ item.1.state | d("present") }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("home_acl", "defined") | list
+            | subelements("home_acl") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name,
+                "state": item.0.state | d("present"), "home_acl": item.1} }}'
+  when: (users__enabled | bool and users__acl_enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.home_acl | d() and (item.0.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::users:home_acl', 'skip::users:home_acl', 'skip::check' ]
+
+- name: Allow specified UNIX accounts to linger when not logged in
+  ansible.builtin.command: loginctl enable-linger {{ item.name }}
+  args:
+    creates: '/var/lib/systemd/linger/{{ item.name }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"), "linger": item.linger | d(False)} }}'
+  when: (users__enabled | bool and ansible_service_mgr == 'systemd' and
+         item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.linger is defined and item.linger | bool and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Disallow specified UNIX accounts to linger when not logged in
+  ansible.builtin.command: loginctl disable-linger {{ item.name }}
+  args:
+    removes: '/var/lib/systemd/linger/{{ item.name }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"), "linger": item.linger | d(False)} }}'
+  when: (users__enabled | bool and ansible_service_mgr == 'systemd' and
+         item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.linger is defined and not item.linger | bool and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Configure ~/.ssh/authorized_keys for users
+  ansible.posix.authorized_key:
+    key: "{{ (item.sshkeys if item.sshkeys is string else '\n'.join(item.sshkeys)) | string }}"
+    state: 'present'
+    user: '{{ item.name }}'
+    exclusive: '{{ item.sshkeys_exclusive | d(omit) }}'
+    follow: '{{ item.sshkeys_follow | d(omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"), "sshkeys": item.sshkeys | d()} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and item.create_home | d(True) and
+         item.sshkeys | d() and item.sshkeys_state | d('present') != 'absent' and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::users:authorized_keys', 'skip::users:authorized_keys', 'skip::check' ]
+
+- name: Remove ~/.ssh/authorized_keys from user account if disabled
+  ansible.builtin.file:
+    path: '~{{ item.name }}/.ssh/authorized_keys'
+    state: 'absent'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"),
+                "sshkeys_state": item.sshkeys_state | d("present")} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and item.create_home | d(True) and
+         item.sshkeys_state | d('present') == 'absent' and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Configure user mail forwarding
+  ansible.builtin.lineinfile:
+    dest: '{{ "~" + item.name + "/.forward" }}'
+    regexp: "{{ '^' + (item.forward if item.forward is string else item.forward[0]) }}"
+    line: '{{ item.forward if item.forward is string else item.forward | join(", ") }}'
+    state: '{{ item.forward_state | d("present") }}'
+    create: True
+    owner: '{{ item.name if ((item.chroot | d()) | bool) else omit }}'
+    group: '{{ (item.group | d(item.name)) if ((item.chroot | d()) | bool) else omit }}'
+    mode: '0644'
+  become: True
+  become_user: '{{ "root" if ((item.chroot | d()) | bool) else item.name }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"),
+                "forward": item.forward | d()} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and
+         item.create_home | d(True) and item.forward | d() and (item.user | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::users:forward', 'skip::users:forward', 'skip::check' ]
+
+- name: Manage users dotfiles
+  environment:
+    LC_MESSAGES: 'C'
+  ansible.builtin.shell: |
+    if ! yadm status > /dev/null ; then
+        yadm clone --bootstrap "{{ item.dotfiles_repo | d(users__dotfiles_repo) }}"
+    else
+        yadm pull
+    fi
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name,
+                "state": item.state | d("present"),
+                "dotfiles": (item.dotfiles | d(item.dotfiles_enabled | d(users__dotfiles_enabled))),
+                "dotfiles_repo": ((item.dotfiles_repo | d(users__dotfiles_repo))
+                                  if ((item.dotfiles | d(item.dotfiles_enabled | d(users__dotfiles_enabled))) | bool)
+                                  else "")} }}'
+  become: True
+  become_user: '{{ item.name }}'
+  check_mode: False
+  register: users__register_dotfiles
+  changed_when: ('Already up to date.' not in users__register_dotfiles.stdout_lines | regex_replace('-', ' '))
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') not in ['absent', 'ignore'] and item.create_home | d(True) and
+         (ansible_local | d() and ansible_local.yadm | d() and (ansible_local.yadm.installed | d()) | bool) and
+         (item.dotfiles | d(item.dotfiles_enabled | d(users__dotfiles_enabled))) | bool and
+         (item.dotfiles_repo | d(users__dotfiles_repo)) and (item.user | d(True)) | bool and not (item.chroot | d()) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+  tags: [ 'role::users:dotfiles', 'skip::users:dotfiles', 'skip::check' ]
+
+- name: Manage user resource directories
+  ansible.builtin.file:
+    path:    '{{ "~" + item.0.name + "/" + (item.1.path | d(item.1.dest | d(item.1))) }}'
+    src:     '{{ item.1.src | d(omit) }}'
+    state:   '{{ item.1.state | d("directory") }}'
+    owner:   '{{ item.1.owner | d(item.0.name) }}'
+    group:   '{{ item.1.group | d(item.0.group | d(item.0.name)) }}'
+    mode:    '{{ item.1.mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+    recurse: '{{ item.1.recurse | d(omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name,
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['directory', 'link', 'touch'] and
+         item.1.content is undefined)
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Manage user resource parent directories
+  ansible.builtin.file:
+    path:    '{{ ("~" + item.0.name + "/" + (item.1.path | d(item.1.dest))) | dirname }}'
+    state:   'directory'
+    owner:   '{{ item.1.parent_owner | d(item.0.name) }}'
+    group:   '{{ item.1.parent_group | d(item.0.group | d(item.0.name)) }}'
+    mode:    '{{ item.1.parent_mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+    recurse: '{{ item.1.parent_recurse | d(omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name,
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['present', 'file'])
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Manage user resource files
+  ansible.builtin.copy:
+    dest:    '{{ "~" + item.0.name + "/" + (item.1.path | d(item.1.dest)) }}'
+    src:     '{{ item.1.src | d(omit) }}'
+    content: '{{ item.1.content | d(omit) }}'
+    owner:   '{{ item.1.owner | d(item.0.name) }}'
+    group:   '{{ item.1.group | d(item.0.group | d(item.0.name)) }}'
+    mode:    '{{ item.1.mode | d(omit) }}'
+    force:   '{{ item.1.force | d(omit) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name,
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') in ['present', 'file'] and
+         (item.1.dest | d() or item.1.path | d()) and (item.1.src | d() or item.1.content | d()))
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Remove user resources if requested
+  ansible.builtin.file:
+    path:  '{{ "~" + item.0.name + "/" + (item.1.path | d(item.1.dest | d(item.1))) }}'
+    state: 'absent'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items
+            | selectattr("resources", "defined") | list
+            | subelements("resources") }}'
+  loop_control:
+    label: '{{ {"name": item.0.name,
+                "state": item.0.state | d("present"), "resources": item.1} }}'
+  when: (users__enabled | bool and
+         item.0.name | d() and item.0.name != 'root' and
+         item.0.state | d('present') not in ['absent', 'ignore'] and
+         item.0.create_home | d(True) and item.0.resources | d() and (item.0.user | d(True)) | bool and
+         item.1.state | d('directory') == 'absent')
+  no_log: '{{ debops__no_log | d(item.0.no_log) | d(True if item.0.password | d() else False) }}'
+
+- name: Remove user groups if requested
+  ansible.builtin.group:
+    name: '{{ item.group | d(item.name) }}'
+    state: 'absent'
+    local: '{{ item.local | d(True if (item.user | d(True)) | bool else False) }}'
+  loop: '{{ users__combined_accounts | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": (item.group | d(item.name)),
+                "state": item.state | d("present")} }}'
+  when: (users__enabled | bool and item.name | d() and item.name != 'root' and
+         item.state | d('present') == 'absent' and
+         (item.private_group | d(True)) | bool)
+  no_log: '{{ debops__no_log | d(item.no_log) | d(True if item.password | d() else False) }}'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save users local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/users.fact.j2'
+    dest: '/etc/ansible/facts.d/users.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: DebOps post_tasks hook
+  ansible.builtin.include_tasks: "{{ lookup('debops.debops.task_src', 'users/post_main.yml') }}"
diff --git a/ansible_collections/debops/debops/roles/users/tasks/users/post_main.yml b/ansible_collections/debops/debops/roles/users/tasks/users/post_main.yml
new file mode 100644
index 00000000..6923b8ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/tasks/users/post_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2019 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/users/tasks/users/pre_main.yml b/ansible_collections/debops/debops/roles/users/tasks/users/pre_main.yml
new file mode 100644
index 00000000..6923b8ee
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/tasks/users/pre_main.yml
@@ -0,0 +1,4 @@
+---
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2019 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
diff --git a/ansible_collections/debops/debops/roles/users/templates/etc/ansible/facts.d/users.fact.j2 b/ansible_collections/debops/debops/roles/users/templates/etc/ansible/facts.d/users.fact.j2
new file mode 100644
index 00000000..28c96448
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/templates/etc/ansible/facts.d/users.fact.j2
@@ -0,0 +1,17 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2014-2019 <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+from sys import exit
+
+output = loads("""{{ {'configured': True
+                     } | to_nice_json }}""")
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/users/templates/lookup/users__shell_packages.j2 b/ansible_collections/debops/debops/roles/users/templates/lookup/users__shell_packages.j2
new file mode 100644
index 00000000..6605c45f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/users/templates/lookup/users__shell_packages.j2
@@ -0,0 +1,14 @@
+{# Copyright (C) 2013-2019 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2014-2019 <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{% set users__tpl_shells = [] %}
+{% for shell in ((users__combined_accounts | debops.debops.parse_kv_items
+                  | selectattr("state", "equalto", "present")
+                  | selectattr("shell", "defined")
+                  | map(attribute="shell") | list) + [ users__default_shell ] | unique | list) %}
+{%   if shell in users__shell_package_map.keys() %}
+{%     set _ = users__tpl_shells.append(users__shell_package_map[shell]) %}
+{%   endif %}
+{% endfor %}
+{{ users__tpl_shells | to_yaml }}
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/COPYRIGHT b/ansible_collections/debops/debops/roles/volkszaehler/COPYRIGHT
new file mode 100644
index 00000000..30052750
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/COPYRIGHT
@@ -0,0 +1,19 @@
+volkszaehler - Setup and manage volkszaehler
+
+Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/defaults/main.yml b/ansible_collections/debops/debops/roles/volkszaehler/defaults/main.yml
new file mode 100644
index 00000000..be8fb672
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/defaults/main.yml
@@ -0,0 +1,584 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2017 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _volkszahler__ref_defaults:
+
+# debops-contrib.volkszaehler default variables [[[
+# =================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# System packages [[[
+# -------------------
+
+# .. envvar:: volkszaehler__base_packages [[[
+#
+# List of base packages to install.
+volkszaehler__base_packages:
+  - 'git-core'
+
+  - '{{ ["php-xml", "php-mbstring"]
+        if (ansible_local.php.version | d() is version_compare("7", ">="))
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__optional_packages [[[
+#
+# List of optional packages to install.
+volkszaehler__optional_packages:
+  # Server-side chart generation for volkszaehler.
+  - 'libphp-jpgraph'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__packages [[[
+#
+# List of additional packages to install as configured by the system
+# administrator.
+volkszaehler__packages: []
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that volkszaehler is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that volkszaehler is uninstalled and it's configuration is removed.
+#
+# ``purged``
+#   Same as ``absent`` but additionally also ensures that the database and
+#   other persistent data is removed.
+#
+volkszaehler__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# FQDN and DNS addresses [[[
+# --------------------------
+
+# .. envvar:: volkszaehler__fqdn [[[
+#
+# The Fully Qualified Domain Name of the volkszaehler instance. This address is
+# used to configure the webserver frontend.
+volkszaehler__fqdn: 'vz.{{ volkszaehler__domain }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__domain [[[
+#
+# Domain that will be configured for the volkszaehler instance.
+volkszaehler__domain: '{{ ansible_domain }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Database configuration [[[
+# --------------------------
+
+# .. envvar:: volkszaehler__database [[[
+#
+# Autodetected variable containing the database management system which should be used.
+# The supported and tested option is ``mariadb``.
+#
+# Refer to :ref:`volkszaehler__ref_getting_started` for details.
+#
+# .. Planned are ``mariadb``, ``postgresql``, ``sqlite``.
+#
+volkszaehler__database: '{{ ansible_local.volkszaehler.database
+                            if (ansible_local.volkszaehler.database | d())
+                            else ("mariadb"
+                                  if (ansible_local | d() and ansible_local.mariadb is defined)
+                                  else ("postgresql"
+                                        if (ansible_local | d() and ansible_local.postgresql is defined)
+                                        else "no-database-detected")) }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_doctrine_map [[[
+#
+# Database name mapping from the names as used in DebOps to doctrine database
+# driver names.
+volkszaehler__database_doctrine_map:
+  'mariadb': 'pdo_mysql'
+  'postgresql': 'pdo_pgsql'
+  'sqlite': 'pdo_sqlite'
+
+  # Legacy:
+  'mysql': 'pdo_mysql'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_server [[[
+#
+# FQDN of the database server. It will be configured by
+# the debops.mariadb_ or debops.postgresql_ role.
+volkszaehler__database_server: '{{ ansible_local[volkszaehler__database].server }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_port [[[
+#
+# Port database is listening on.
+volkszaehler__database_port: '{{ ansible_local[volkszaehler__database].port }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_name [[[
+#
+# Name of the database to use for volkszaehler.
+volkszaehler__database_name: 'volkszaehler'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_user [[[
+#
+# Database user to use for volkszaehler.
+volkszaehler__database_user: 'volkszaehler'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_password_path [[[
+#
+# Path to database password file.
+volkszaehler__database_password_path: '{{ secret + "/" + volkszaehler__database + "/"
+                                          + ansible_local[volkszaehler__database].delegate_to
+                                          + (("/" + ansible_local[volkszaehler__database].port)
+                                             if (volkszaehler__database == "postgresql")
+                                             else "")
+                                          + "/credentials/" + volkszaehler__database_user + "/password" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_password [[[
+#
+# Database password for volkszaehler.
+volkszaehler__database_password: '{{ lookup("password", volkszaehler__database_password_path + " length=48 chars=ascii_letters,digits,.:-_") }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__database_user_priv [[[
+#
+# Privileges of the :envvar:`volkszaehler__database_user`.
+volkszaehler__database_user_priv: |
+  {{
+    [
+      volkszaehler__database_name + ".*:USAGE",
+      volkszaehler__database_name + ".*:SELECT,UPDATE,INSERT",
+    ] + ([
+          volkszaehler__database_name + ".*:DELETE",
+      ] if (volkszaehler__allow_channel_deletion | bool)
+        else [
+          volkszaehler__database_name + ".entities_in_aggregator:CREATE,DELETE",
+          volkszaehler__database_name + ".properties:CREATE,DELETE",
+        ]
+    )
+  }}
+
+# ]]]
+# .. envvar:: volkszaehler__database_demo_insert [[[
+#
+# Insert demo data in to database?
+volkszaehler__database_demo_insert: False
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__allow_channel_deletion [[[
+#
+# Allow channel deletion? Note that you might not be able to change this after
+# the database user has been created. You can drop the database user manually
+# and let the role re-create the user to enforce new privileges.
+volkszaehler__allow_channel_deletion: False
+                                                                   # ]]]
+                                                                   # ]]]
+# PHP configuration [[[
+# ---------------------
+
+# .. envvar:: volkszaehler__base_php_packages [[[
+#
+# List of base PHP packages required by volkszaehler.
+volkszaehler__base_php_packages:
+  - 'doctrine-orm'
+  - 'doctrine-dbal'
+  - 'symfony-console'
+  - '{{ ["symfony-http-foundation"] if (not (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["trusty"])) else [] }}'
+  - '{{ ["symfony-http-kernel"] if (not (ansible_distribution == "Ubuntu" and ansible_distribution_release in ["trusty"])) else [] }}'
+  - 'symfony-routing'
+
+  - '{{ ["mysql"] if (volkszaehler__database in ["mariadb", "mysql"]) else [] }}'
+  - '{{ ["pgsql"] if (volkszaehler__database in ["postgresql"]) else [] }}'
+  - '{{ ["libapache2-mod-php"] if (volkszaehler__webserver == "apache") else [] }}'
+
+  ## Included in normal PHP installations but require it here because it is
+  ## used internally by the role:
+  - 'json'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__optional_php_packages [[[
+#
+# List of optional PHP packages for volkszaehler.
+volkszaehler__optional_php_packages:
+  # Server-side chart generation for volkszaehler.
+  - 'libphp-jpgraph'
+
+  - 'apcu'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__max_file_size [[[
+#
+# Maximum upload size.
+volkszaehler__max_file_size: '1M'
+                                                                   # ]]]
+                                                                   # ]]]
+# Webserver configuration [[[
+# ---------------------------
+
+# .. envvar:: volkszaehler__webserver [[[
+#
+# Autodetected variable containing the webserver which should be used.
+#
+# Refer to :ref:`volkszaehler__ref_getting_started` for details.
+volkszaehler__webserver: '{{ ansible_local.volkszaehler.webserver
+                             if (ansible_local.volkszaehler.webserver | d())
+                             else ("apache"
+                                   if (ansible_local.apache.enabled | d() | bool)
+                                   else ("nginx"
+                                         if (ansible_local.nginx.enabled | d() | bool)
+                                         else "no-webserver-detected")) }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__webserver_http_methods [[[
+#
+# List of allowed HTTP methods.
+volkszaehler__webserver_http_methods: |
+  {{ ['GET', 'HEAD', 'POST', 'PATCH']
+     + (['DELETE']
+        if (volkszaehler__allow_channel_deletion | bool)
+         else []) }}
+
+# ]]]
+# .. envvar:: volkszaehler__apache_modules [[[
+#
+# Dict of required Apache modules.
+volkszaehler__apache_modules:
+  'rewrite': {}
+                                                                   # ]]]
+                                                                   # ]]]
+# Directory paths [[[
+# -------------------
+
+# .. envvar:: volkszaehler__home_path [[[
+#
+# The volkszaehler system account home directory.
+volkszaehler__home_path: '{{ ansible_local.nginx.www | d("/srv/www") + "/" + volkszaehler__user }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__www_path [[[
+#
+# Base web root directory for volkszaehler.
+volkszaehler__www_path: '{{ volkszaehler__git_dest + "/htdocs" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# System user and group [[[
+# -------------------------
+
+# .. envvar:: volkszaehler__user [[[
+#
+# System UNIX account used by the volkszaehler middleware and for application
+# deployment.
+volkszaehler__user: 'volkszaehler'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__group [[[
+#
+# System UNIX group used by the volkszaehler middleware.
+volkszaehler__group: 'volkszaehler'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__gecos [[[
+#
+# Contents of the GECOS field set for the volkszaehler account.
+volkszaehler__gecos: 'volkszaehler.org'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__shell [[[
+#
+# The default shell set on the volkszaehler account.
+volkszaehler__shell: '/usr/sbin/nologin'
+                                                                   # ]]]
+                                                                   # ]]]
+# Volkszaehler sources and deployment [[[
+# ---------------------------------------
+
+# .. envvar:: volkszaehler__git_repo [[[
+#
+# The URI of the volkszaehler git source repository.
+volkszaehler__git_repo: 'https://github.com/volkszaehler/volkszaehler.org.git'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__git_version [[[
+#
+# The git branch or tag which will be installed.
+# Defaults to the commit hash of latest master as the role was written.
+# This is done because volkszaehler development is not cryptographically
+# signed and this role wants to comply with the
+# `DebOps Software Source Policy <https://docs.debops.org/en/latest/debops-policy/docs/software-source-policy.html#software-installed-from-git-repositories>`__.
+# Defaults to the latest stable version. Currently v0.7.
+# For PHP versions below 7, a commit before v0.7 is used which is still compatible with PHP 5.
+volkszaehler__git_version: '{{ "05422cf80490bb27c43bdde3a427b4f16b55bcbf"
+                                if (ansible_local.php.version | d("7") | int >= 7)
+                                else "fadb821555527d0fb4d729a3f62e238cde10f168" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__git_dest [[[
+#
+# Path where the volkszaehler sources will be checked out (installation path).
+volkszaehler__git_dest: '{{ volkszaehler__home_path + "/volkszaehler.org" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__git_recursive [[[
+#
+# Should the git repository be cloned recursively?
+volkszaehler__git_recursive: False
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__git_update [[[
+#
+# Should new revisions be retrieved from the origin repository?
+volkszaehler__git_update: True
+                                                                   # ]]]
+                                                                   # ]]]
+# Volkszaehler configuration [[[
+# ------------------------------
+
+# .. envvar:: volkszaehler__config_user [[[
+#
+# The system owner of the :file:`etc/volkszaehler.conf.php` file.
+volkszaehler__config_user: '{{ volkszaehler__user
+                               if (volkszaehler__webserver in ["apache"])
+                               else "root" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__config_group [[[
+#
+# The system group of the :file:`etc/volkszaehler.conf.php` file.
+volkszaehler__config_group: '{{ (ansible_local.apache.user
+                                 if (ansible_local.apache.user | d())
+                                 else "www-data")
+                                if (volkszaehler__webserver in ["apache"])
+                                else volkszaehler__user }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__locale [[[
+#
+# The default locale to use, ordered by preference.
+# See `setlocale <https://secure.php.net/manual/en/function.setlocale.php>`_ for details.
+volkszaehler__locale:
+  - 'en_US'
+  - 'de_DE'
+  - 'C'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__upstream_config [[[
+#
+# Configuration as defined by upstream volkszaehler in
+# :file:`volkszaehler.conf.template.php`.
+volkszaehler__upstream_config:
+
+  push:
+    # Set to True to enable push updates.
+    enabled: False
+    server: 5582
+    broadcast: 8082
+    routes:
+      wamp:
+        - '/'
+        - '/ws'
+      websocket: []
+
+  security:
+    maxbodysize: False
+
+  locale:
+    - 'en_US'
+    - 'de_DE'
+    - 'C'
+
+  # Only used by jpGraph for server-side plotting!
+  colors:
+    - '#83CAFF'
+    - '#7E0021'
+    - '#579D1C'
+    - '#FFD320'
+    - '#FF420E'
+    - '#004586'
+    - '#0084D1'
+    - '#C5000B'
+    - '#FF950E'
+    - '#4B1F6F'
+    - '#AECF00'
+    - '#314004'
+
+  devmode: False
+  cache:
+    # Only used if devmode == False
+    ttl: 3600
+
+  debug: 0
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__role_config [[[
+#
+# This dict is managed by the role itself, controlled by other default variables.
+volkszaehler__role_config:
+
+  db:
+    driver: '{{ volkszaehler__database_doctrine_map[volkszaehler__database] }}'
+    host: '{{ volkszaehler__database_server }}'
+    user: '{{ volkszaehler__database_user }}'
+    password: '{{ volkszaehler__database_password }}'
+    dbname: '{{ volkszaehler__database_name }}'
+    charset: 'UTF8'
+
+  locale: '{{ volkszaehler__locale }}'
+
+  security:
+    maxbodysize: '{{ volkszaehler__max_file_size }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__config [[[
+#
+# This dict is intended to be used in Ansible’s global inventory as needed.
+volkszaehler__config: {}
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__group_config [[[
+#
+# This dict is intended to be used in a host inventory group of Ansible
+# (only one host group is supported) as needed.
+volkszaehler__group_config: {}
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__host_config [[[
+#
+# This dict is intended to be used in the inventory of hosts as needed.
+volkszaehler__host_config: {}
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__combined_config [[[
+#
+# The configuration written to :file:`etc/volkszaehler.conf.php`.
+volkszaehler__combined_config: '{{ volkszaehler__upstream_config
+                                   | combine(volkszaehler__role_config,
+                                             volkszaehler__config,
+                                             volkszaehler__group_config,
+                                             volkszaehler__host_config) }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: volkszaehler__mariadb__dependent_databases [[[
+#
+# Configuration of the volkszaehler database managed by the debops.mariadb_ role.
+volkszaehler__mariadb__dependent_databases:
+
+  - database: '{{ volkszaehler__database_name }}'
+    state: '{{ "present" if (volkszaehler__deploy_state != "purged") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__mariadb__dependent_users [[[
+#
+# Configuration of the volkszaehler database user managed by the debops.mariadb_ role.
+volkszaehler__mariadb__dependent_users:
+
+  - database: '{{ volkszaehler__database_name }}'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+    user: '{{ volkszaehler__database_user }}'
+    owner: '{{ volkszaehler__user }}'
+    group: '{{ volkszaehler__group }}'
+    home: '{{ volkszaehler__home_path }}'
+    system: True
+    password: '{{ volkszaehler__database_password }}'
+    priv_default: False
+    priv_aux: False
+    priv: '{{ volkszaehler__database_user_priv }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__php__dependent_packages [[[
+#
+# List of PHP packages to install using the debops.php_ role.
+volkszaehler__php__dependent_packages:
+  - '{{ volkszaehler__base_php_packages }}'
+  - '{{ volkszaehler__optional_php_packages }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__php__dependent_pools [[[
+#
+# Configuration of the volkszaehler PHP-FPM pool managed by the debops.php_ role.
+volkszaehler__php__dependent_pools:
+
+  - name: 'volkszaehler'
+    user: '{{ volkszaehler__user }}'
+    group: '{{ volkszaehler__group }}'
+    owner: '{{ volkszaehler__user }}'
+    home: '{{ volkszaehler__home }}'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+
+    php_admin_values:
+      post_max_size:       '{{ volkszaehler__max_file_size }}'
+      upload_max_filesize: '{{ volkszaehler__max_file_size }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__nginx__dependent_upstreams [[[
+#
+# Configuration of the volkszaehler nginx upstream, used by the debops.nginx_
+# Ansible role.
+volkszaehler__nginx__dependent_upstreams:
+
+  - name: 'php_volkszaehler'
+    type: 'php'
+    php_pool: 'volkszaehler'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: volkszaehler__nginx__dependent_servers [[[
+#
+# Configuration of the volkszaehler nginx server, used by the debops.nginx_
+# Ansible role.
+volkszaehler__nginx__dependent_servers:
+
+  - name: '{{ volkszaehler__fqdn }}'
+    filename: 'debops.volkszaehler'
+    by_role: 'debops-contrib.volkszaehler'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+    type: 'php'
+    root: '{{ volkszaehler__www_path }}'
+    php_upstream: 'php_volkszaehler'
+    csp: "default-src 'self'; connect-src * ws: wss: http: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
+    csp_enabled: True
+    php_limit_except: '{{ volkszaehler__webserver_http_methods }}'
+
+    options: |
+      client_max_body_size {{ volkszaehler__max_file_size }};
+      client_body_buffer_size 128k;
+
+    location:
+      '/': |
+        rewrite ^/middleware/(.*)  /middleware.php/$1  last;
+        rewrite ^/frontend/(.*)    /$1                 last;
+
+# ]]]
+# .. envvar:: volkszaehler__apache__dependent_vhosts [[[
+#
+# Apache virtual host managed by the debops.apache_ role.
+volkszaehler__apache__dependent_vhosts:
+
+  - type: 'default'
+    name: '{{ volkszaehler__fqdn }}'
+    filename: 'debops.volkszaehler'
+    by_role: 'debops-contrib.volkszaehler'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+    root: '{{ volkszaehler__www_path }}'
+    webroot_create: False
+    options: 'Indexes FollowSymLinks MultiViews'
+    allow_override: 'FileInfo Limit Options Indexes AuthConfig'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/changelog.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/changelog.rst
new file mode 100644
index 00000000..6d01c6ce
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/copyright.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/copyright.rst
new file mode 100644
index 00000000..ce69ac9d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/getting-started.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/getting-started.rst
new file mode 100644
index 00000000..ed6f43c3
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/getting-started.rst
@@ -0,0 +1,114 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _volkszaehler__ref_getting_started:
+
+Getting started
+===============
+
+.. include:: includes/all.rst
+
+.. contents::
+   :local:
+
+
+Database support
+----------------
+
+It is recommended that you install a database server. You can install one on
+the same host as volkszaehler or choose a different host:
+
+.. code-block:: none
+
+    [debops_service_mariadb_server]
+    hostname
+
+In case you chose a different host, you will need to specify which of your
+database servers the volkszaehler instance should use by specifying the database
+server host as :envvar:`volkszaehler__database_server`.
+
+Webserver support
+-----------------
+
+The following two webservers are supported by the role:
+
+* Apache_ using debops.apache_.
+* Nginx_ using debops.nginx_.
+
+The role maintainer has chosen Nginx as webserver for his deployments.
+He added Apache support because he is very familiar with debops.apache_ (author).
+Note that integration testing is done with debops.nginx_ only, currently.
+
+In case you chose Apache, you don’t need PHP FPM which debops.php_ might
+install by default.
+To ensure that FPM is not going to be installed, add the following to your
+inventory:
+
+.. code-block:: yaml
+
+   php__server_api_packages:
+     - 'cli'
+
+Example inventory
+-----------------
+
+To manage volkszaehler on a given host or set of hosts, they need to be added
+to the ``[debops_service_volkszaehler_${webserver}]`` Ansible group in the inventory:
+
+.. code:: ini
+
+   [debops_service_volkszaehler_apache]
+   hostname
+
+   [debops_service_mariadb_server]
+   hostname
+
+   [debops_service_volkszaehler_nginx]
+   hostname2
+
+Example playbook
+----------------
+
+Ansible playbook that uses the ``debops-contrib.volkszaehler`` role together
+with debops.apache_:
+
+.. literalinclude:: playbooks/volkszaehler-apache.yml
+   :language: yaml
+   :lines: 1,5-
+
+Ansible playbook that uses the ``debops-contrib.volkszaehler`` role together
+with debops.nginx_:
+
+.. literalinclude:: playbooks/volkszaehler-nginx.yml
+   :language: yaml
+   :lines: 1,5-
+
+These playbooks are shipped with this role under
+:file:`./docs/playbooks/` from which you can symlink them to your
+playbook directory.
+In case you use multiple `DebOps Contrib`_ roles, consider using the
+`DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::volkszaehler:env``
+  Environment role tag, should be used in the playbook to execute a special
+  environment role contained in the main role. The environment role prepares
+  the environment for other dependency roles to work correctly.
+
+``role::volkszaehler``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
+
+``role::volkszaehler:pkgs``
+  Tasks related to system package management like installing or
+  removing packages.
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/all.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/all.rst
new file mode 100644
index 00000000..3d8020e4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/all.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
+.. include:: includes/role.rst
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/role.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/role.rst
new file mode 100644
index 00000000..7d06a288
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/includes/role.rst
@@ -0,0 +1,6 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _volkszaehler.org: https://volkszaehler.org/
+.. _volkszaehler: https://volkszaehler.org/
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/index.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/index.rst
new file mode 100644
index 00000000..00f0ee10
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.volkszaehler:
+
+Ansible role: debops-contrib.volkszaehler
+=========================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/introduction.rst b/ansible_collections/debops/debops/roles/volkszaehler/docs/introduction.rst
new file mode 100644
index 00000000..b8b6c457
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/introduction.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2017 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.volkszaehler`` role allows to setup your own volkszaehler.org_ instance.
+volkszaehler.org is a free smart meter implementation with focus on data privacy.
+
+A volkszaehler instance consists of a middleware written in PHP which is backed by a SQL database.
+The middleware provides an API for frontends to query data and for controllers to insert data.
+
+This role installs the default middleware together with the
+default/bundled HTML/JavaScript frontend.
+
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.5``. To install it, run:
+
+.. code-block:: console
+
+   ansible-galaxy install debops-contrib.volkszaehler
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-apache.yml b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-apache.yml
new file mode 100644
index 00000000..2182f618
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-apache.yml
@@ -0,0 +1,72 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage volkszaehler with Apache as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_apache' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+    - name: Prepare apache environment
+      ansible.builtin.import_role:
+        name: 'apache'
+        tasks_from: 'main_env'
+      tags: [ 'role::apache', 'role::apache:env' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: apache
+      tags: [ 'role::apache' ]
+      apache__dependent_vhosts:
+        - '{{ volkszaehler__apache__dependent_vhosts }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-nginx.yml b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-nginx.yml
new file mode 100644
index 00000000..056495a6
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler-nginx.yml
@@ -0,0 +1,69 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage volkszaehler with Nginx as webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_volkszaehler_nginx' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  pre_tasks:
+
+    - name: Prepare volkszaehler environment
+      ansible.builtin.import_role:
+        name: 'volkszaehler'
+        tasks_from: 'main_env'
+      tags: [ 'role::volkszaehler', 'role::volkszaehler:env', 'role::mariadb' ]
+
+    - name: Prepare php environment
+      ansible.builtin.import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: ferm
+      tags: [ 'role::ferm', 'skip::ferm' ]
+      ferm__dependent_rules:
+        - '{{ nginx__ferm__dependent_rules }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb' ]
+      mariadb__dependent_databases: '{{ volkszaehler__mariadb__dependent_databases }}'
+      mariadb__dependent_users: '{{ volkszaehler__mariadb__dependent_users }}'
+      when: (volkszaehler__database == 'mariadb')
+
+    - role: php
+      tags: [ 'role::php' ]
+      php__dependent_packages:
+        - '{{ volkszaehler__php__dependent_packages }}'
+      php__dependent_pools:
+        - '{{ volkszaehler__php__dependent_pools }}'
+
+    - role: logrotate
+      tags: [ 'role::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: nginx
+      tags: [ 'role::nginx' ]
+      nginx__dependent_upstreams:
+        - '{{ volkszaehler__nginx__dependent_upstreams }}'
+      nginx__dependent_servers:
+        - '{{ volkszaehler__nginx__dependent_servers }}'
+
+    - role: volkszaehler
+      tags: [ 'role::volkszaehler' ]
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler.yml b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler.yml
new file mode 100644
index 00000000..4cefd2a2
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/docs/playbooks/volkszaehler.yml
@@ -0,0 +1,10 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Manage Volkszaehler with Apache frontend
+  import_playbook: 'volkszaehler-apache.yml'
+
+- name: Manage Volkszaehler with nginx frontend
+  import_playbook: 'volkszaehler-nginx.yml'
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/meta/main.yml b/ansible_collections/debops/debops/roles/volkszaehler/meta/main.yml
new file mode 100644
index 00000000..f7d0415b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup and manage volkszaehler'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.5'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - smartmeter
+    - smarthome
+    - logging
+    - web
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/tasks/main.yml b/ansible_collections/debops/debops/roles/volkszaehler/tasks/main.yml
new file mode 100644
index 00000000..c47e76ff
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/tasks/main.yml
@@ -0,0 +1,151 @@
+---
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# System packages [[[
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.package:
+    name: '{{ q("flattened", (volkszaehler__base_packages
+                              + volkszaehler__optional_packages
+                              + volkszaehler__packages)) }}'
+    state: '{{ "present" if (volkszaehler__deploy_state in ["present"]) else "absent" }}'
+  register: volkszaehler__register_packages
+  until: volkszaehler__register_packages is succeeded
+  tags: [ 'role::volkszaehler:pkgs' ]
+# ]]]
+
+# System user and group [[[
+- name: Create volkszaehler system group
+  ansible.builtin.group:
+    name: '{{ volkszaehler__group }}'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+    system: True
+
+- name: Create volkszaehler system user
+  ansible.builtin.user:
+    name: '{{ volkszaehler__user }}'
+    group: '{{ volkszaehler__group }}'
+    home: '{{ volkszaehler__home_path }}'
+    comment: '{{ volkszaehler__gecos }}'
+    shell: '{{ volkszaehler__shell }}'
+    state: '{{ "present" if (volkszaehler__deploy_state == "present") else "absent" }}'
+    system: True
+# ]]]
+
+- name: Enable required Apache modules
+  community.general.apache2_module:
+    name: '{{ item.key }}'
+    state: '{{ item.value.state | d("present") }}'
+  when: (volkszaehler__webserver == "apache")
+  with_dict: '{{ volkszaehler__apache_modules }}'
+
+- name: Clone volkszaehler git repository
+  ansible.builtin.git:
+    repo: '{{ volkszaehler__git_repo }}'
+    dest: '{{ volkszaehler__git_dest }}'
+    version: '{{ volkszaehler__git_version }}'
+    recursive: '{{ volkszaehler__git_recursive | bool }}'
+    update: '{{ volkszaehler__git_update | bool }}'
+  become: True
+  become_user: '{{ volkszaehler__user }}'
+  register: volkszaehler__register_git
+  when: (volkszaehler__deploy_state == "present")
+
+- name: Install volkszaehler config file
+  ansible.builtin.template:
+    src: 'etc/volkszaehler.conf.php.j2'
+    dest: '{{ volkszaehler__git_dest }}/etc/volkszaehler.conf.php'
+    owner: '{{ volkszaehler__config_user }}'
+    group: '{{ volkszaehler__config_group }}'
+    mode: '0640'
+    validate: 'php -f %s'
+  when: (volkszaehler__deploy_state == "present")
+
+- name: Install PHP dependencies with composer
+  community.general.composer:  # noqa no-handler
+    command: 'require'
+    working_dir: '{{ volkszaehler__git_dest }}'
+  environment:
+    PATH: '{{ ansible_env.PATH }}:/usr/local/bin'
+  register: volkszaehler__register_composer
+  until: volkszaehler__register_composer is succeeded
+  become: True
+  become_user: '{{ volkszaehler__user }}'
+  when: volkszaehler__register_git is changed
+
+# Database initialization [[[
+- name: Write database initialization SQL dump
+  ansible.builtin.shell: php {{ (volkszaehler__git_dest + "/misc/tools/doctrine") | quote }} \
+         orm:schema-tool:create --dump-sql > {{ (volkszaehler__home_path + "/create_db.sql") | quote }}
+  become: True
+  become_user: '{{ volkszaehler__user }}'
+  register: volkszaehler__register_sql_init_dump
+  changed_when: volkszaehler__register_sql_init_dumo.changed | bool
+  when: (not (ansible_local.volkszaehler[volkszaehler__database + "_initialized"] | bool
+              if (ansible_local | d() and ansible_local.volkszaehler | d() and
+                  ansible_local.volkszaehler[volkszaehler__database + "_initialized"] | d())
+              else False))
+
+- name: Import database initialization SQL dump
+  community.mysql.mysql_db:  # noqa no-handler
+    name: '{{ volkszaehler__database_name }}'
+    target: '{{ (volkszaehler__home_path + "/create_db.sql") | quote }}'
+    state: 'import'
+    login_unix_socket: '/run/mysqld/mysqld.sock'
+  when: (volkszaehler__register_sql_init_dump is changed and volkszaehler__database in ['mariadb'])
+
+- name: Insert demo data into database
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit &&
+         cat {{ (volkszaehler__git_dest + "/misc/sql/demo.sql") | quote }} | mysql {{ volkszaehler__database_name }}
+  args:
+    executable: 'bash'
+  become: True
+  become_user: '{{ volkszaehler__user }}'
+  register: volkszaehler__register_demo_data
+  changed_when: volkszaehler__register_demo_data.changed | bool
+  when: (not (ansible_local.volkszaehler[volkszaehler__database + "_demo_insert"] | bool
+              if (ansible_local | d() and ansible_local.volkszaehler | d() and
+                  ansible_local.volkszaehler[volkszaehler__database + "_demo_insert"] | d())
+              else False)) and (volkszaehler__database_demo_insert | bool)
+# ]]]
+
+- name: Generate proxy classes
+  ansible.builtin.command: php {{ (volkszaehler__git_dest + "/misc/tools/doctrine") | quote }} orm:generate-proxies
+  become: True
+  become_user: '{{ volkszaehler__user }}'
+  changed_when: False
+  when: (volkszaehler__deploy_state == "present")
+
+# Ansible local facts [[[
+- name: Make sure that Ansible local facts directory is present
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (volkszaehler__deploy_state == "present")
+
+- name: Save volkszaehler local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/volkszaehler.fact.j2'
+    dest: '/etc/ansible/facts.d/volkszaehler.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  when: (volkszaehler__deploy_state == "present")
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/tasks/main_env.yml b/ansible_collections/debops/debops/roles/volkszaehler/tasks/main_env.yml
new file mode 100644
index 00000000..f6ec0233
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/tasks/main_env.yml
@@ -0,0 +1,15 @@
+---
+# vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure the parent directory for volkszaehler home exists
+  ansible.builtin.file:
+    path: '{{ volkszaehler__home_path | dirname }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: (volkszaehler__deploy_state == "present")
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/ansible/facts.d/volkszaehler.fact.j2 b/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/ansible/facts.d/volkszaehler.fact.j2
new file mode 100644
index 00000000..64354995
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/ansible/facts.d/volkszaehler.fact.j2
@@ -0,0 +1,11 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+{{ ({
+    "enabled": True,
+    "database": volkszaehler__database,
+    "webserver": volkszaehler__webserver,
+    (volkszaehler__database + "_initialized"): True,
+    (volkszaehler__database + "_demo_insert"): volkszaehler__database_demo_insert | bool,
+}) | to_nice_json }}
diff --git a/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/volkszaehler.conf.php.j2 b/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/volkszaehler.conf.php.j2
new file mode 100644
index 00000000..803c9e73
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/volkszaehler/templates/etc/volkszaehler.conf.php.j2
@@ -0,0 +1,9 @@
+{# Copyright (C) 2017 Robin Schneider <ypid@riseup.net>
+ # Copyright (C) 2017 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+<?php
+/* {{ ansible_managed }} */
+
+$config = json_decode('{{ volkszaehler__combined_config | to_nice_json }}', true);
+?>
diff --git a/ansible_collections/debops/debops/roles/wpcli/COPYRIGHT b/ansible_collections/debops/debops/roles/wpcli/COPYRIGHT
new file mode 100644
index 00000000..b8c702f8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.wpcli - Install WP-CLI framework using Ansible
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2021 Alin Alexandru <alin.alexandru@innobyte.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/wpcli/defaults/main.yml b/ansible_collections/debops/debops/roles/wpcli/defaults/main.yml
new file mode 100644
index 00000000..5a452224
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/defaults/main.yml
@@ -0,0 +1,176 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021 Alin Alexandru <alin.alexandru@innobyte.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _wpcli__ref_defaults:
+
+# debops.wpcli default variables
+# ==============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# APT packages [[[
+# ----------------
+
+# .. envvar:: wpcli__base_packages [[[
+#
+# List of useful APT packages to install with WP-CLI.
+wpcli__base_packages: [ 'bash-completion' ]
+
+                                                                   # ]]]
+# .. envvar:: wpcli__packages [[[
+#
+# List of additional APT packages to install with WP-CLI.
+wpcli__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# WP-CLI installation from upstream [[[
+# -------------------------------------
+
+# .. envvar:: wpcli__gpg_key_id [[[
+#
+# The fingerprint of the GPG key used to sign the WP-CLI releases.
+wpcli__gpg_key_id: '63AF 7AA1 5067 C056 16FD  DD88 A3A2 E8F2 26F0 BC06'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__version [[[
+#
+# The version of the WP-CLI framework to install. On changes, remember to
+# update the :file:`meta/watch-wp-cli` file as well.
+wpcli__version: '2.5.0'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__release_files [[[
+#
+# List of files corresponding to a given WP-CLI version which should be
+# downloaded to the source directory. The parameters have the same meaning as
+# the ``get_url`` Ansible module parameters. The ``*.phar.gpg`` file will be
+# decrypted and verified via the :command:`gpg` command before installation.
+wpcli__release_files:
+
+  - url: 'https://github.com/wp-cli/wp-cli/releases/download/v2.2.0/wp-cli-2.2.0.phar.gpg'
+    dest: '{{ wpcli__src }}/wp-cli-2.2.0.phar.gpg'
+    checksum: 'sha256:6ed3c78adea2801ce900f3dc8f09ce799958955cc842b5f8d17d8ffb74eca7a2'
+    version: '2.2.0'
+
+  - url: 'https://raw.githubusercontent.com/wp-cli/wp-cli/v2.2.0/utils/wp-completion.bash'
+    dest: '{{ wpcli__src }}/wp-cli-2.2.0.completion.bash'
+    checksum: 'sha256:443ca0610ccae8d2d6aceba0ec4aa7929b87ed6cf54f666afed18d663a18a395'
+    version: '2.2.0'
+
+  - url: 'https://github.com/wp-cli/wp-cli/releases/download/v2.3.0/wp-cli-2.3.0.phar.gpg'
+    dest: '{{ wpcli__src }}/wp-cli-2.3.0.phar.gpg'
+    checksum: 'sha256:24e16d96d22baec166ffb8807bf751cabd62b84e1716523f94d61b2a8d7e2255'
+    version: '2.3.0'
+
+  - url: 'https://raw.githubusercontent.com/wp-cli/wp-cli/v2.3.0/utils/wp-completion.bash'
+    dest: '{{ wpcli__src }}/wp-cli-2.3.0.completion.bash'
+    checksum: 'sha256:443ca0610ccae8d2d6aceba0ec4aa7929b87ed6cf54f666afed18d663a18a395'
+    version: '2.3.0'
+
+  - url: 'https://github.com/wp-cli/wp-cli/releases/download/v2.4.0/wp-cli-2.4.0.phar.gpg'
+    dest: '{{ wpcli__src }}/wp-cli-2.4.0.phar.gpg'
+    checksum: 'sha256:c009a0d9e84436eab671272ca0d0a75b5aefd1af17177c83c2b33ad945976def'
+    version: '2.4.0'
+
+  - url: 'https://raw.githubusercontent.com/wp-cli/wp-cli/v2.4.0/utils/wp-completion.bash'
+    dest: '{{ wpcli__src }}/wp-cli-2.4.0.completion.bash'
+    checksum: 'sha256:443ca0610ccae8d2d6aceba0ec4aa7929b87ed6cf54f666afed18d663a18a395'
+    version: '2.4.0'
+
+  - url: 'https://github.com/wp-cli/wp-cli/releases/download/v2.5.0/wp-cli-2.5.0.phar.gpg'
+    dest: '{{ wpcli__src }}/wp-cli-2.5.0.phar.gpg'
+    checksum: 'sha256:a5faf98302ac3c96f0aad38e5d1a7142cfbd28fc2df03c687094b3fbf67a19a8'
+    version: '2.5.0'
+
+  - url: 'https://raw.githubusercontent.com/wp-cli/wp-cli/v2.5.0/utils/wp-completion.bash'
+    dest: '{{ wpcli__src }}/wp-cli-2.5.0.completion.bash'
+    checksum: 'sha256:443ca0610ccae8d2d6aceba0ec4aa7929b87ed6cf54f666afed18d663a18a395'
+    version: '2.5.0'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__src [[[
+#
+# Absolute path to the directory on the remote host, where the WP-CLI source
+# files will be stored.
+wpcli__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                + "/wpcli" }}'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__binary [[[
+#
+# Absolute path where the WP-CLI script will be installed. The :command:`wp`
+# command is hardcoded all over the place, therefore changing the name could
+# result in issues during usage.
+wpcli__binary: '/usr/local/bin/wp'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__bash_completion [[[
+#
+# Absolute path where the :command:`bash` completion functions for WP-CLI
+# script will be installed.
+wpcli__bash_completion: '/etc/bash_completion.d/wp-completion'
+                                                                   # ]]]
+                                                                   # ]]]
+# Security of the :file:`wp-config.php` files [[[
+# -----------------------------------------------
+
+# WordPress installer creates the :file:`wp-config.php` configuration files
+# with insecure, world-writeable permissions (``0666``, the mode of the Beast).
+# The :ref:`debops.wpcli` role by default creates a :command:`cron` job that
+# looks for such files once a day and changes their permission to ``0600`` to
+# improve security in shared environments.
+#
+# See also: https://core.trac.wordpress.org/ticket/37264
+
+# .. envvar:: wpcli__secure_wpconfig_enabled [[[
+#
+# Enable or disable a :command:`cron` job which will secure all
+# :file:`wp-config.php` files found on the server.
+wpcli__secure_wpconfig_enabled: True
+
+                                                                   # ]]]
+# .. envvar:: wpcli__secure_wpconfig_command [[[
+#
+# The command that will be executed by :command:`cron` as ``root`` to find all
+# :file:`wp-config.php` files and secure them. System administrators will
+# receive e-mail messages when permissions of found files are changed.
+wpcli__secure_wpconfig_command: 'find /home /srv -type f -iname "wp-config.php" -perm /o+r -exec chmod -v 600 "{}" \;'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__secure_wpconfig_interval [[[
+#
+# The :command:`cron` interval to use to look for insecure
+# :file:`wp-config.php` files on the server. Supported intervals: ``hourly``,
+# ``daily``, ``weekly``, ``monthly``.
+wpcli__secure_wpconfig_interval: 'daily'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: wpcli__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+wpcli__keyring__dependent_gpg_keys:
+
+  # This key will be installed in the 'root' GPG keyring
+  - '{{ wpcli__gpg_key_id }}'
+
+                                                                   # ]]]
+# .. envvar:: wpcli__php__dependent_packages [[[
+#
+# List of PHP packages to install by ``debops.php`` role.
+wpcli__php__dependent_packages:
+
+  - 'mysql'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/wpcli/files/usr/local/bin/run-wp-cron b/ansible_collections/debops/debops/roles/wpcli/files/usr/local/bin/run-wp-cron
new file mode 100755
index 00000000..3410148c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/files/usr/local/bin/run-wp-cron
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+# Run wp-cron using WP-CLI.
+
+# Copyright (C) 2017 Carl Alexander <carlalexander@gmail.com>
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Usage:
+#     cd path/to/wordpress ; run-wp-cron
+#     run-wp-cron path/to/wordpress
+
+
+set -o nounset -o pipefail -o errexit
+
+pid="$$"
+script="$(basename "${0}")"
+wp="/usr/local/bin/wp"
+wp_path="${1:-"$(pwd)"}"
+
+log_message () {
+    # Display a message if script is used interactively, otherwise send it to syslog
+    local msg="${1:-}"
+
+    if [ -n "${msg}" ] ; then
+        if tty -s > /dev/null 2>&1 ; then
+            printf "%s: %s\\n" "${script}" "${msg}" 1>&2
+        elif type logger > /dev/null 2>&1 ; then
+            logger -t "${script}[${pid}]" "${msg}"
+        fi
+    fi
+}
+
+# Check if WP-CLI is installed.
+if ! [ -f "${wp}" ] ; then
+    log_message "Error: WP-CLI is not available"
+    exit 1
+fi
+
+if [ -n "${wp_path}" ] ; then
+    cd "${wp_path}"
+fi
+
+# Check if WordPress is installed at the given path.
+if ! "${wp}" core is-installed --quiet 2>/dev/null ; then
+    log_message "Error: WordPress is not installed in ${wp_path}"
+    exit 1
+fi
+
+# Get all the site urls of the WordPress installation.
+if "${wp}" core is-installed --quiet --network 2>/dev/null ; then
+    site_urls="$( "${wp}" site list --fields=url --archived=0 --deleted=0 --format=csv --path="${wp_path}" | sed 1d )"
+else
+    site_urls=( "$("${wp}" option get siteurl)" )
+fi
+
+# Check if we can use "batch" on this account to use it as a scheduler
+if type batch > /dev/null 2>&1 && atq > /dev/null 2>&1 ; then
+
+    # Loop through all the sites urls and call wp-cron for each.
+    for site_url in "${site_urls[@]}" ; do
+        log_message "Running wp-cron for ${site_url} in ${wp_path} via batch"
+        printf "\"%s\" cron event run --due-now --url=\"%s\" --quiet\\n" "${wp}" "${site_url}" \
+            | batch > /dev/null 2>&1
+    done
+
+else
+
+    # Loop through all the sites urls and call wp-cron for each.
+    for site_url in "${site_urls[@]}" ; do
+        log_message "Running wp-cron for ${site_url} in ${wp_path}"
+        ("${wp}" cron event run --due-now --url="${site_url}" --quiet) &
+    done
+
+fi
diff --git a/ansible_collections/debops/debops/roles/wpcli/meta/main.yml b/ansible_collections/debops/debops/roles/wpcli/meta/main.yml
new file mode 100644
index 00000000..cf19e605
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install WP-CLI framework'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7.0'
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+        - focal
+    - name: GenericLinux
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - wordpress
+    - wpcli
+    - php
diff --git a/ansible_collections/debops/debops/roles/wpcli/meta/watch-wp-cli b/ansible_collections/debops/debops/roles/wpcli/meta/watch-wp-cli
new file mode 100644
index 00000000..21b66ff4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/meta/watch-wp-cli
@@ -0,0 +1,12 @@
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021 Alin Alexandru <alin.alexandru@innobyte.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: wpcli
+# Package: wp-cli
+# Version: 2.5.0
+
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/$1\.tar\.gz/ \
+       https://github.com/wp-cli/wp-cli/tags .*/v?(\d\S*)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/wpcli/tasks/main.yml b/ansible_collections/debops/debops/roles/wpcli/tasks/main.yml
new file mode 100644
index 00000000..aaff337d
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", (wpcli__base_packages + wpcli__packages)) }}'
+    state: 'present'
+  register: wpcli__register_packages
+  until: wpcli__register_packages is succeeded
+
+- name: Create wp-cli source directory
+  ansible.builtin.file:
+    path: '{{ wpcli__src }}'
+    state: 'directory'
+    mode: '0755'
+
+- name: Download wp-cli release files
+  ansible.builtin.get_url:
+    url: '{{ item.url }}'
+    dest: '{{ item.dest }}'
+    checksum: '{{ item.checksum }}'
+    mode: '0644'
+  loop: '{{ wpcli__release_files }}'
+  register: wpcli__register_release_files
+  until: wpcli__register_release_files is succeeded
+  when: item.version == wpcli__version
+
+- name: Verify and install wp-cli binary
+  ansible.builtin.shell: set -o nounset -o pipefail -o errexit
+         && gpg --batch --decrypt --output {{ wpcli__src + "/wp-cli-" + wpcli__version + ".phar" }} \
+                                           {{ wpcli__src + "/wp-cli-" + wpcli__version + ".phar.gpg" }}
+         && ( install --mode 755 --owner root --group root \
+              {{ wpcli__src + "/wp-cli-" + wpcli__version + ".phar" }} {{ wpcli__binary }}
+              && install --mode 644 --owner root --group root \
+                 {{ wpcli__src + "/wp-cli-" + wpcli__version + ".completion.bash" }} {{ wpcli__bash_completion }} )
+         || ( rm -f {{ wpcli__src + "/wp-cli-" + wpcli__version + ".phar" }} && exit 2 )
+  args:  # noqa no-handler
+    executable: 'bash'
+  when: wpcli__register_release_files is changed
+  register: wpcli__register_install_files
+  changed_when: wpcli__register_install_files.changed | bool
+
+- name: Install additional wp-cli scripts
+  ansible.builtin.copy:
+    src: 'usr/local/bin/'
+    dest: '/usr/local/bin/'
+    mode: '0755'
+
+- name: Manage wp-config.php security via cron
+  ansible.builtin.cron:
+    name: 'Secure wp-config.php files on the server'
+    user: 'root'
+    cron_file: 'wpcli-secure-wpconfig'
+    job: '{{ wpcli__secure_wpconfig_command }}'
+    special_time: '{{ wpcli__secure_wpconfig_interval }}'
+    state: '{{ "present" if wpcli__secure_wpconfig_enabled | bool else "absent" }}'
+
+- name: Make sure Ansible fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save wpcli local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/wpcli.fact.j2'
+    dest: '/etc/ansible/facts.d/wpcli.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/wpcli/templates/etc/ansible/facts.d/wpcli.fact.j2 b/ansible_collections/debops/debops/roles/wpcli/templates/etc/ansible/facts.d/wpcli.fact.j2
new file mode 100644
index 00000000..487ae934
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/wpcli/templates/etc/ansible/facts.d/wpcli.fact.j2
@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'configured': True,
+          'installed': cmd_exists('wp')}
+
+try:
+    wpcli_version_stdout = subprocess.check_output(
+            ["wp", "--allow-root", "cli", "version"]
+            ).decode('utf-8').strip().split()[1]
+    output['version'] = wpcli_version_stdout
+
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/x2go_server/COPYRIGHT b/ansible_collections/debops/debops/roles/x2go_server/COPYRIGHT
new file mode 100644
index 00000000..03a14ea8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/COPYRIGHT
@@ -0,0 +1,19 @@
+x2go_server - Setup and manage the server-side of X2go
+
+Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2016 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/x2go_server/defaults/main.yml b/ansible_collections/debops/debops/roles/x2go_server/defaults/main.yml
new file mode 100644
index 00000000..96b35763
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/defaults/main.yml
@@ -0,0 +1,109 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# .. Copyright (C) 2016 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _x2go_server__ref_defaults:
+
+# debops-contrib.x2go_server default variables [[[
+# ================================================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: includes/all.rst
+
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: x2go_server__base_packages [[[
+#
+# List of base packages to install.
+# You can checkout the Ansible role ypid.packages_ which can install
+# additional packages to support your desktop environment better.
+x2go_server__base_packages:
+  - '{{ ["x2go-keyring"] if (ansible_distribution in ["Debian"]) else [] }}'
+  - 'x2goserver'
+  - 'x2goserver-xsession'
+
+                                                                   # ]]]
+# .. envvar:: x2go_server__deploy_state [[[
+#
+# What is the desired state which this role should achieve? Possible options:
+#
+# ``present``
+#   Default. Ensure that X2Go is installed and configured as requested.
+#
+# ``absent``
+#   Ensure that X2Go is uninstalled and it's configuration is removed.
+#
+x2go_server__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Software sources [[[
+# --------------------
+#
+
+# .. envvar:: x2go_server__apt_repo_key_fingerprint [[[
+#
+# APT PGP key fingerprint used to sign the upstream X2Go repository and it’s
+# packages per distributions corresponding to ``ansible_distribution``.
+# Refer to the `official X2Go documentation <http://wiki.x2go.org/doku.php/wiki:repositories:debian>`__ for details.
+x2go_server__apt_repo_key_fingerprint: '972FD88FA0BAFB578D0476DFE1F958385BFE2B6E'
+
+                                                                   # ]]]
+# .. envvar:: x2go_server__upstream_release_channel [[[
+#
+# Release channel to use. Choices:
+#
+# ``main``
+#   Release builds, default.
+#
+# ``heuler``
+#   Nightly builds.
+#
+x2go_server__upstream_release_channel: 'main'
+
+                                                                   # ]]]
+# .. envvar:: x2go_server__upstream_mirror_url [[[
+#
+# URL of the X2Go upstream APT repository.
+x2go_server__upstream_mirror_url: 'http://packages.x2go.org/{{ ansible_distribution | lower }}/'
+
+                                                                   # ]]]
+# .. envvar:: x2go_server__upstream_repository_map [[[
+#
+# APT repository definition for using the X2Go upstream repository per
+# distribution corresponding to ``ansible_distribution``.
+x2go_server__upstream_repository_map:
+  'Ubuntu': 'ppa:x2go/{{ x2go_server__ppa_release_channel_map[x2go_server__upstream_release_channel] }}'
+  'Linuxmint': 'ppa:x2go/{{ x2go_server__ppa_release_channel_map[x2go_server__upstream_release_channel] }}'
+  'default': 'deb {{ x2go_server__upstream_mirror_url }} {{ ansible_distribution_release }} {{ x2go_server__upstream_release_channel }}'
+
+                                                                   # ]]]
+# .. envvar:: x2go_server__ppa_release_channel_map [[[
+#
+# Mapping from :envvar:`x2go_server__upstream_release_channel` to the names used
+# in PPAs.
+x2go_server__ppa_release_channel_map:
+  'main': 'stable'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: x2go_server__keyring__dependent_apt_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+x2go_server__keyring__dependent_apt_keys:
+
+  - id: '{{ x2go_server__apt_repo_key_fingerprint }}'
+    repo: '{{ x2go_server__upstream_repository_map[ansible_distribution]
+              | d(x2go_server__upstream_repository_map["default"]) }}'
+    state: '{{ "present" if (x2go_server__deploy_state == "present") else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/changelog.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/changelog.rst
new file mode 100644
index 00000000..b3ca1e2a
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/changelog.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: ../CHANGES.rst
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/copyright.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/copyright.rst
new file mode 100644
index 00000000..a8b5ec4c
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/copyright.rst
@@ -0,0 +1,8 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Copyright
+=========
+
+.. literalinclude:: ../COPYRIGHT
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/getting-started.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/getting-started.rst
new file mode 100644
index 00000000..73b3bd2e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/getting-started.rst
@@ -0,0 +1,73 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Getting started
+===============
+
+.. contents::
+   :local:
+
+.. include:: includes/all.rst
+
+
+Example inventory
+-----------------
+
+To setup and manage the X2Go server, add the hosts to the
+``debops_service_x2go_server`` Ansible inventory host group:
+
+.. code:: ini
+
+    [debops_service_x2go_server]
+    hostname
+
+If you are using debops.sshd_ for configuring your OpenSSH server, you will
+need to adapt some of the defaults of this role to allow X2Go clients to
+connect to the X2Go server via SSH.
+The recommended way to do this adaption is to symlink the
+:file:`docs/inventory/debops_service_x2go_server_global_role_vars.yml` file shipped
+with this role into your inventory under
+:file:`ansible/inventory/group_vars/debops_service_x2go_server_global_role_vars.yml`
+and include all hosts from the ``debops_service_x2go_server`` in the
+``debops_service_x2go_server_global_role_vars`` host group by adding this:
+
+.. code:: ini
+
+   [debops_service_x2go_server_global_role_vars:children]
+   debops_service_x2go_server
+
+into your host inventory which makes the following adjustments to the defaults
+variables of other roles:
+
+.. literalinclude:: inventory/debops_service_x2go_server_global_role_vars.yml
+   :language: yaml
+   :lines: 1,7-
+
+Example playbook
+----------------
+
+Here's an example playbook that can be used to setup and manage X2Go server:
+
+.. literalinclude:: playbooks/x2go_server.yml
+   :language: yaml
+   :lines: 1,5-
+
+This playbooks is shipped with this role under
+:file:`docs/playbooks/x2go_server.yml` from which you can symlink it to your
+playbook directory. In case you use multiple `DebOps Contrib`_ roles, consider
+using the `DebOps Contrib playbooks`_.
+
+Ansible tags
+------------
+
+You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
+tasks are performed during Ansible run. This can be used after a host was first
+configured to speed up playbook execution, when you are sure that most of the
+configuration is already in the desired state.
+
+Available role tags:
+
+``role::x2go_server``
+  Main role tag, should be used in the playbook to execute all of the role
+  tasks as well as role dependencies.
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/includes/all.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/includes/all.rst
new file mode 100644
index 00000000..73d42c4e
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/includes/all.rst
@@ -0,0 +1,5 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. include:: includes/global.rst
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/index.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/index.rst
new file mode 100644
index 00000000..df679d96
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/index.rst
@@ -0,0 +1,23 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+.. _debops-contrib.x2go_server:
+
+Ansible role: debops-contrib.x2go_server
+========================================
+
+.. toctree::
+   :maxdepth: 2
+
+   introduction
+   getting-started
+   defaults
+   copyright
+   changelog
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/introduction.rst b/ansible_collections/debops/debops/roles/x2go_server/docs/introduction.rst
new file mode 100644
index 00000000..efca1f69
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/introduction.rst
@@ -0,0 +1,26 @@
+.. Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+.. Copyright (C) 2016 DebOps <https://debops.org/>
+.. SPDX-License-Identifier: GPL-3.0-only
+
+Introduction
+============
+
+.. include:: includes/all.rst
+
+The ``debops-contrib.x2go_server`` role allows you to setup and manage
+`X2Go`_ on the server-side.
+X2Go enables you to access a graphical desktop of a computer over a low
+bandwidth (or high bandwidth) connection.
+
+Installation
+~~~~~~~~~~~~
+
+This role requires at least Ansible ``v2.1.3``. To install it, run::
+
+    ansible-galaxy install debops-contrib.x2go_server
+
+..
+ Local Variables:
+ mode: rst
+ ispell-local-dictionary: "american"
+ End:
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/inventory/debops_service_x2go_server_global_role_vars.yml b/ansible_collections/debops/debops/roles/x2go_server/docs/inventory/debops_service_x2go_server_global_role_vars.yml
new file mode 100644
index 00000000..8e30b2e8
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/inventory/debops_service_x2go_server_global_role_vars.yml
@@ -0,0 +1,25 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Required configuration for debops.sshd [[[
+
+# Require the following cryptography methods as X2Go seems to only support a
+# subset of which OpenSSH does support.
+sshd__ciphers_additional: '{{ [ "aes256-ctr" ] if (x2go_server__deploy_state | d("present") == "present") else [] }}'
+sshd__kex_algorithms_additional: '{{ [ "curve25519-sha256@libssh.org" ] if (x2go_server__deploy_state | d("present") == "present") else [] }}'
+sshd__macs_additional: '{{ [ "hmac-sha1" ] if (x2go_server__deploy_state | d("present") == "present") else [] }}'
+
+# ]]]
+
+# Optional configuration for debops.sshd [[[
+
+# Enabled for performance reasons. X11 forwarding over SSH is not directly used.
+# http://wiki.x2go.org/doku.php/doc:faq:start#why_am_i_told_to_enable_x11_forwarding_with_x2go_i_thought_that_x2go_uses_nx-libs_instead_of_x11_forwarding
+# https://www.nomachine.com/AR05D00391
+sshd__x11_forwarding: 'yes'
+
+# ]]]
diff --git a/ansible_collections/debops/debops/roles/x2go_server/docs/playbooks/x2go_server.yml b/ansible_collections/debops/debops/roles/x2go_server/docs/playbooks/x2go_server.yml
new file mode 100644
index 00000000..e5aa880f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/docs/playbooks/x2go_server.yml
@@ -0,0 +1,19 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Setup and manage the server-side of X2Go
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debops_service_x2go_server' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  roles:
+
+    - role: x2go_server
+      tags: [ 'role::x2go_server' ]
diff --git a/ansible_collections/debops/debops/roles/x2go_server/meta/main.yml b/ansible_collections/debops/debops/roles/x2go_server/meta/main.yml
new file mode 100644
index 00000000..488a0b14
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/meta/main.yml
@@ -0,0 +1,32 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Robin Schneider'
+  description: 'Setup and manage the server-side of X2Go'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.1.3'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - desktop
+    - remote
+    - x11
+    - ssh
diff --git a/ansible_collections/debops/debops/roles/x2go_server/tasks/main.yml b/ansible_collections/debops/debops/roles/x2go_server/tasks/main.yml
new file mode 100644
index 00000000..e7d5199f
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/x2go_server/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright (C) 2016 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2016 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Ensure specified packages are in there desired state
+  ansible.builtin.apt:
+    name: '{{ q("flattened", x2go_server__base_packages) }}'
+    state: '{{ "latest" if (x2go_server__deploy_state == "present") else "absent" }}'
+    install_recommends: False
+    purge: True
+  register: x2go_server__register_packages
+  until: x2go_server__register_packages is succeeded
+  when: (not ansible_check_mode)
+  ## This might fail in check mode in case the repository has not been added yet.
diff --git a/ansible_collections/debops/debops/roles/yadm/COPYRIGHT b/ansible_collections/debops/debops/roles/yadm/COPYRIGHT
new file mode 100644
index 00000000..c25ccd81
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/COPYRIGHT
@@ -0,0 +1,19 @@
+debops.yadm - Manage yadm, Yet Another Dotfiles Manager
+
+Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2019 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.
diff --git a/ansible_collections/debops/debops/roles/yadm/defaults/main.yml b/ansible_collections/debops/debops/roles/yadm/defaults/main.yml
new file mode 100644
index 00000000..2710daec
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/defaults/main.yml
@@ -0,0 +1,233 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2019 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _yadm__ref_defaults:
+
+# debops.yadm default variables
+# =============================
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+
+# General configuration [[[
+# -------------------------
+
+# .. envvar:: yadm__enabled [[[
+#
+# Enable or disable support for Yet Another Dotfiles Manager.
+yadm__enabled: True
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles_enabled [[[
+#
+# Enable or disable download of the custom dotfiles to a local centralized
+# directory. The dotfiles will be cloned using the ``root`` account, but no
+# code will be executed at this point. See below for the configuration of the
+# custom dotfile lists.
+yadm__dotfiles_enabled: False
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles_root [[[
+#
+# Absolute path to the directory where the role will clone dotfile
+# repositories. The repositories will be cloned in subdirectories based on the
+# URL path. Users can then install the dotfiles from a local mirror of the
+# repository instead of directly from the Internet.
+yadm__dotfiles_root: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                         + "/yadm" }}'
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles_host [[[
+#
+# The host of the default dotfiles defined in the Ansible local facts.
+yadm__dotfiles_host: 'github.com'
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles_owner [[[
+#
+# The owner of the default dotfiles defined in the Ansible local facts; usually
+# a GitHub account which owns a ``dotfiles`` repository.
+# The current owner is temporary, until DebOps will have its own set of default
+# dotfiles available.
+yadm__dotfiles_owner: 'drybjed'
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles_path [[[
+#
+# Absolute path of the default dotfiles to use, exposed in Ansible local facts.
+# If custom dotfiles are not enabled, the fact will be empty.
+# The role clones the dotfiles as a bare repository with the ``.git`` extension
+# in the directory name; be sure to include it in the inventory definition.
+yadm__dotfiles_path: '{{ (yadm__dotfiles_root + "/" + yadm__dotfiles_host + "/"
+                          + yadm__dotfiles_owner + "/dotfiles.git")
+                         if yadm__dotfiles_enabled | bool
+                         else "" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# APT packages [[[
+# ----------------
+
+# .. envvar:: yadm__base_packages [[[
+#
+# List of the default APT packages installed with yadm. Including shells here
+# ensures that users with login shells other than :command:`/bin/bash` will be
+# able to login to the host regardless of their dotfiles configuration.
+yadm__base_packages:
+  - 'git'
+  - 'less'
+  - 'ncurses-term'
+  - 'tmux'
+  - '{{ [] if yadm__upstream_enabled | bool else "yadm" }}'
+
+                                                                   # ]]]
+# .. envvar:: yadm__packages [[[
+#
+# List of additional APT packages to install on all hosts in the Ansible
+# inventory.
+yadm__packages: []
+
+                                                                   # ]]]
+# .. envvar:: yadm__group_packages [[[
+#
+# List of additional APT packages to install on hosts in a specific Ansible
+# inventory group.
+yadm__group_packages: []
+
+                                                                   # ]]]
+# .. envvar:: yadm__host_packages [[[
+#
+# List of additional APT packages to install on specific hosts in the Ansible
+# inventory.
+yadm__host_packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Upstream yadm installation [[[
+# ------------------------------
+
+# .. envvar:: yadm__upstream_enabled [[[
+#
+# Enable or disable installation of the :command:`yadm` script from upstream
+# :command:`git` repository.
+yadm__upstream_enabled: '{{ True
+                            if (ansible_distribution_release in
+                                ["trusty", "xenial"])
+                            else False }}'
+
+                                                                   # ]]]
+# .. envvar:: yadm__upstream_gpg_id [[[
+#
+# The GPG fingerprint of the key used to sign the :command:`yadm` releases.
+yadm__upstream_gpg_id: '31B9 62F7 CC57 473B 0329  CB9A 6CBE 24C2 FD8C F76E'
+
+                                                                   # ]]]
+# .. envvar:: yadm__upstream_repo [[[
+#
+# The URL of the yadm upstream :command:`git` repository.
+yadm__upstream_repo: 'https://github.com/TheLocehiliosan/yadm'
+
+                                                                   # ]]]
+# .. envvar:: yadm__upstream_dest [[[
+#
+# Absolute path to the directory where the yadm upstream :command:`git`
+# repository will be cloned into.
+yadm__upstream_dest: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
+                          + "/yadm/" + yadm__upstream_repo.split("://")[1] }}'
+
+                                                                   # ]]]
+# .. envvar:: yadm__upstream_version [[[
+#
+# The version of the upstream :command:`git` repository to check out.
+yadm__upstream_version: '1.12.0'
+
+                                                                   # ]]]
+# .. envvar:: yadm__upstream_link [[[
+#
+# The absolute path of the symlink created to expose the :command:`yadm` binary
+# in the ``$PATH`` environment.
+yadm__upstream_link: '/usr/local/bin/yadm'
+                                                                   # ]]]
+                                                                   # ]]]
+# Custom dotfiles [[[
+# -------------------
+
+# These variables define custom dotfile repositories to clone to the host, so
+# that they are available locally to users. See :ref:`yadm__ref_dotfiles` for
+# more details.
+
+# .. envvar:: yadm__default_dotfiles [[[
+#
+# List of the custom dotfile repositories defined by the role.
+yadm__default_dotfiles:
+
+  - name: 'drybjed'
+    gpg: '2706 7A91 D620 EE91 D503  09D9 2DCC F53E 9BC7 4BEC'
+    git: 'https://github.com/drybjed/dotfiles'
+
+                                                                   # ]]]
+# .. envvar:: yadm__dotfiles [[[
+#
+# List of the custom dotfile repositories defined on all hosts in the Ansible
+# inventory.
+yadm__dotfiles: []
+
+                                                                   # ]]]
+# .. envvar:: yadm__group_dotfiles [[[
+#
+# List of the custom dotfile repositories defined on hosts in a specific
+# Ansible inventory group.
+yadm__group_dotfiles: []
+
+                                                                   # ]]]
+# .. envvar:: yadm__host_dotfiles [[[
+#
+# List of the custom dotfile repositories defined on specific hosts in the
+# Ansible inventory.
+yadm__host_dotfiles: []
+
+                                                                   # ]]]
+# .. envvar:: yadm__combined_dotfiles [[[
+#
+# Variable which combines custom dotfile lists and is used in the role tasks.
+yadm__combined_dotfiles: '{{ yadm__default_dotfiles
+                             + yadm__dotfiles
+                             + yadm__group_dotfiles
+                             + yadm__host_dotfiles }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: yadm__apt_preferences__dependent_list [[[
+#
+# Configuration for the :ref:`debops.apt_preferences` Ansible role.
+yadm__apt_preferences__dependent_list:
+
+  - package: 'yadm'
+    backports: [ 'stretch' ]
+    reason:  'Version parity with Debian Buster'
+    by_role: 'debops.yadm'
+
+                                                                   # ]]]
+# .. envvar:: yadm__keyring__dependent_gpg_keys [[[
+#
+# Configuration for the :ref:`debops.keyring` Ansible role.
+yadm__keyring__dependent_gpg_keys:
+
+  - id: '{{ yadm__upstream_gpg_id }}'
+    state: '{{ "present" if yadm__upstream_enabled | bool else "absent" }}'
+
+  # Extract a list of GPG keys from the dotfile configuration; they will be
+  # added to the 'root' GPG keyring.
+  - '{{ (yadm__combined_dotfiles | debops.debops.parse_kv_items
+         | selectattr("gpg", "defined") | selectattr("state", "equalto", "present")
+         | map(attribute="gpg") | list)
+        if yadm__dotfiles_enabled | bool else [] }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/yadm/meta/main.yml b/ansible_collections/debops/debops/roles/yadm/meta/main.yml
new file mode 100644
index 00000000..0506bc30
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/meta/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Install yadm, Yet Another Dotfiles Manager'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.7'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - shell
+    - bash
+    - zsh
+    - dotfiles
+    - yadm
diff --git a/ansible_collections/debops/debops/roles/yadm/meta/watch-yadm b/ansible_collections/debops/debops/roles/yadm/meta/watch-yadm
new file mode 100644
index 00000000..26967db4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/meta/watch-yadm
@@ -0,0 +1,11 @@
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Role: yadm
+# Package: yadm
+# Version: 1.12.0
+
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/$1\.tar\.gz/ \
+       https://github.com/TheLocehiliosan/yadm/tags .*/v?(\d\S*)\.tar\.gz
diff --git a/ansible_collections/debops/debops/roles/yadm/tasks/main.yml b/ansible_collections/debops/debops/roles/yadm/tasks/main.yml
new file mode 100644
index 00000000..4e449a7b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Install required APT packages
+  ansible.builtin.package:
+    name: '{{ q("flattened", yadm__base_packages
+                             + yadm__packages
+                             + yadm__group_packages
+                             + yadm__host_packages) }}'
+    state: 'present'
+  register: yadm__register_packages
+  until: yadm__register_packages is succeeded
+  when: yadm__enabled | bool
+
+- name: Install yadm from upstream
+  ansible.builtin.include_tasks: 'upstream_yadm.yml'
+  when: yadm__enabled | bool and yadm__upstream_enabled | bool
+
+- name: Ensure that the /root/.gnupg directory exists
+  ansible.builtin.file:
+    path: '~/.gnupg'
+    state: 'directory'
+    mode: '0700'
+  when: yadm__enabled | bool and yadm__dotfiles_enabled | bool
+
+- name: Download custom dotfile repositories
+  ansible.builtin.include_tasks: 'manage_dotfiles.yml'
+  loop: '{{ q("flattened", yadm__combined_dotfiles) | debops.debops.parse_kv_items }}'
+  loop_control:
+    loop_var: 'dotfile'
+    label: '{{ dotfile.name }}'
+  when: yadm__enabled | bool and yadm__dotfiles_enabled | bool and
+        dotfile.name | d()
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+
+- name: Save yadm local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/yadm.fact.j2'
+    dest: '/etc/ansible/facts.d/yadm.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/yadm/tasks/manage_dotfiles.yml b/ansible_collections/debops/debops/roles/yadm/tasks/manage_dotfiles.yml
new file mode 100644
index 00000000..42e9e916
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/tasks/manage_dotfiles.yml
@@ -0,0 +1,45 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Clone dotfiles repo {{ dotfile.name }}
+  ansible.builtin.git:
+    repo: '{{ item_git.repo | d(item_git) }}'
+    dest: '{{ yadm__dotfiles_root + "/"
+              + (item_git.repo | d(item_git)).split("://")[1] | regex_replace("\.git$", "")
+              + ".git" }}'
+    version: '{{ item_git.version | d("master") }}'
+    verify_commit: '{{ True if dotfile.gpg | d() else omit }}'
+    bare: True
+  loop: '{{ q("flattened", dotfile.git) }}'
+  loop_control:
+    loop_var: 'item_git'
+  when: dotfile.git | d() and dotfile.state | d('present') not in ['absent', 'ignore'] and
+        not ansible_check_mode
+
+- name: Remove dotfiles repo {{ dotfile.name }}
+  ansible.builtin.file:
+    dest: '{{ (yadm__dotfiles_root + "/"
+               + (item_git.repo | d(item_git)).split("://")[1] | regex_replace("\.git$", "")
+               + ".git") | dirname }}'
+    state: 'absent'
+  loop: '{{ q("flattened", dotfile.git) }}'
+  loop_control:
+    loop_var: 'item_git'
+  when: dotfile.git | d() and dotfile.state | d('present') == 'absent'
+
+- name: Manage the cloned dotfiles repo in system-wide /etc/gitconfig
+  community.general.git_config:
+    scope: 'system'
+    name: 'safe.directory'
+    value: '{{ yadm__dotfiles_root + "/"
+              + (item_git.repo | d(item_git)).split("://")[1] | regex_replace("\.git$", "")
+              + ".git" }}'
+    add_mode: 'add'
+    state: '{{ "present"
+               if (dotfile.git | d() and (dotfile.state | d("present")) == "present")
+               else "absent" }}'
+  loop: '{{ q("flattened", dotfile.git) }}'
+  loop_control:
+    loop_var: 'item_git'
diff --git a/ansible_collections/debops/debops/roles/yadm/tasks/upstream_yadm.yml b/ansible_collections/debops/debops/roles/yadm/tasks/upstream_yadm.yml
new file mode 100644
index 00000000..f812b387
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/tasks/upstream_yadm.yml
@@ -0,0 +1,18 @@
+---
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Clone the yadm upstream repository
+  ansible.builtin.git:
+    repo: '{{ yadm__upstream_repo }}'
+    dest: '{{ yadm__upstream_dest }}'
+    version: '{{ yadm__upstream_version }}'
+    verify_commit: True
+
+- name: Symlink the upstream yadm binary in $PATH
+  ansible.builtin.file:
+    dest: '{{ yadm__upstream_link }}'
+    src: '{{ yadm__upstream_dest + "/yadm" }}'
+    state: 'link'
+    mode: '0755'
diff --git a/ansible_collections/debops/debops/roles/yadm/templates/etc/ansible/facts.d/yadm.fact.j2 b/ansible_collections/debops/debops/roles/yadm/templates/etc/ansible/facts.d/yadm.fact.j2
new file mode 100644
index 00000000..580d264b
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/yadm/templates/etc/ansible/facts.d/yadm.fact.j2
@@ -0,0 +1,37 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2019 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import dumps, loads
+import os
+import subprocess
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = loads('''{{ {"installed": False,
+                      "dotfiles": yadm__dotfiles_path}
+                     | to_nice_json }}''')
+
+if not os.path.exists(output['dotfiles']):
+    output['dotfiles'] = ''
+
+output['installed'] = cmd_exists('yadm')
+
+if output['installed']:
+    output['version'] = subprocess.check_output(
+        ['yadm', 'version'], stderr=subprocess.STDOUT
+    ).decode('utf-8').strip().split()[1]
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/COPYRIGHT b/ansible_collections/debops/debops/roles/zabbix_agent/COPYRIGHT
new file mode 100644
index 00000000..ae9bb3f4
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/COPYRIGHT
@@ -0,0 +1,17 @@
+debops.zabbix_agent - Manage Zabbix agent with Ansible
+
+Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+Copyright (C) 2021 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see https://www.gnu.org/licenses/
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/defaults/main.yml b/ansible_collections/debops/debops/roles/zabbix_agent/defaults/main.yml
new file mode 100644
index 00000000..af3e6331
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/defaults/main.yml
@@ -0,0 +1,588 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# .. Copyright (C) 2021      Julien Lecomte <julien@lecomte.at>
+# .. Copyright (C) 2021-2022 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2021-2022 DebOps <https://debops.org/>
+# .. SPDX-License-Identifier: GPL-3.0-only
+
+# .. _zabbix_agent__ref_defaults:
+
+# .. contents:: Sections
+#    :local:
+#
+# .. include:: ../../../../includes/global.rst
+
+# Agent flavor and state [[[
+# --------------------------
+
+# .. envvar:: zabbix_agent__flavor [[[
+#
+# Select the "flavor" of the Zabbix Agent to use. This option determines which
+# APT package will be used by the role to manage Zabbix Agent on a given host.
+# The role does not support changing flavor on existing installations
+# (uninstall the current Zabbix Agent before installing a different one).
+# Currently supported flavors: ``C``, ``Go``.
+# See https://www.zabbix.com/documentation/current/en/manual/appendix/agent_comparison
+# for details about differences between Zabbix Agent flavors.
+zabbix_agent__flavor: 'C'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__deploy_state [[[
+#
+# Define the desired state of the Zabbix Agent on a given host. If ``present``,
+# the role will install and configure the Zabbix Agent of a given flavor. If
+# ``absent``, the role will uninstall and purge Zabbix Agent and its
+# configuration from the host. This parameter can be used to clean up the
+# configuration on a host before changing the Zabbix Agent flavor to
+# a different one.
+zabbix_agent__deploy_state: 'present'
+                                                                   # ]]]
+                                                                   # ]]]
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: zabbix_agent__base_packages [[[
+#
+# List of APT packages to install for :command:`zabbix_agent` support.
+zabbix_agent__base_packages: '{{ ["zabbix-agent"]
+                                 if (zabbix_agent__flavor == "C")
+                                 else ["zabbix-agent2"] }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__packages [[[
+#
+# List of additional APT packages to install during
+# :command:`zabbix_agent` configuration.
+zabbix_agent__packages: []
+                                                                   # ]]]
+                                                                   # ]]]
+# Network configuration [[[
+# -------------------------
+
+# .. envvar:: zabbix_agent__allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Zabbix agent over the network, on all hosts in the Ansible inventory.
+# If not specified, all hosts can connect to Zabbix agent.
+zabbix_agent__allow: []
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__group_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Zabbix agent over the network, on hosts in a specific Ansible inventory
+# group. If not specified, all hosts can connect to Zabbix agent.
+zabbix_agent__group_allow: []
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__host_allow [[[
+#
+# List of IP addresses or CIDR subnets which are allowed to connect to the
+# Zabbix agent over the network, on specific hosts in the Ansible
+# inventory. If not specified, all hosts can connect to Zabbix agent.
+zabbix_agent__host_allow: []
+                                                                   # ]]]
+                                                                   # ]]]
+# UNIX environment [[[
+# --------------------
+
+# .. envvar:: zabbix_agent__user [[[
+#
+# Name of the UNIX account used to run Zabbix agent.
+zabbix_agent__user: 'zabbix'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__group [[[
+#
+# Name of the UNIX group used by Zabbix agent.
+zabbix_agent__group: 'zabbix'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__additional_groups [[[
+#
+# List of additional UNIX groups which should include the Zabbix agent account.
+zabbix_agent__additional_groups:
+
+  # Integration with the 'debops.proc_hidepid' role to provide system-wide
+  # access to the /proc filesystem.
+  - '{{ (ansible_local.proc_hidepid.group | d("procadmins"))
+        if (ansible_local.proc_hidepid.enabled | d()) | bool
+        else [] }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__conf_file_path [[[
+#
+# The absolute path to the main Zabbix Agent configuration file.
+zabbix_agent__conf_file_path: '{{ "/etc/zabbix/zabbix_agentd.conf"
+                                  if (zabbix_agent__flavor == "C")
+                                  else "/etc/zabbix/zabbix_agent2.conf" }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Zabbix agent configuration [[[
+# ------------------------------
+
+# These variables define the contents of the main Zabbix Agent configuration
+# file.
+
+# .. envvar:: zabbix_agent__tls_psk_identity [[[
+#
+# Unique, case sensitive string used to identify the pre-shared key.
+zabbix_agent__tls_psk_identity: '{{ lookup("password", secret
+                                    + "/zabbix/identities/" + inventory_hostname
+                                    + "/identity.key length=32 chars=ascii_letters,digits") }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__tls_psk_secret [[[
+#
+# Case sensitive secret key stored in a file and used
+# with the pre-shared key.
+zabbix_agent__tls_psk_secret: '{{ lookup("password", secret
+                                  + "/zabbix/identities/" + inventory_hostname
+                                  + "/secret.key length=64 chars=abcdef,digits") }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__original_configuration [[[
+#
+# List of the default configuration options defined in the Debian package.
+zabbix_agent__original_configuration:
+
+  - name: 'PidFile'
+    comment: |
+      Name of PID file.
+    value: '/var/run/zabbix/zabbix_agentd.pid'
+    state: '{{ "present" if (zabbix_agent__flavor == "C") else "comment" }}'
+
+  - name: 'LogType'
+    comment: |
+      Specifies where log messages are written to
+        system  - syslog
+        file    - file specified with LogFile parameter
+        console - standard output
+    value: 'file'
+    state: 'comment'
+
+  - name: 'LogFile'
+    comment: |
+      Log file name for LogType 'file' parameter.
+      Mandatory: yes, if LogType is set to file, otherwise no
+    value: '/var/log/zabbix-agent/zabbix_agentd.log'
+    state: '{{ "present" if (zabbix_agent__flavor == "C") else "comment" }}'
+
+  - name: 'LogFileSize'
+    comment: |
+      Maximum size of log file in MB.
+      0 - disable automatic log rotation.
+      Range: 0-1024
+    value: 0
+    state: 'present'
+
+  - name: 'DebugLevel'
+    comment: |
+      Specifies debug level:
+      0 - basic information about starting and stopping of Zabbix processes
+      1 - critical information
+      2 - error information
+      3 - warnings
+      4 - for debugging (produces lots of information)
+      5 - extended debugging (produces even more information)
+    value: 3
+    state: 'comment'
+
+  - name: 'SourceIP'
+    comment: |
+      Source IP address for outgoing connections.
+    value: ''
+    state: 'comment'
+
+  - name: 'EnableRemoteCommands'
+    comment: |
+      Whether remote commands from Zabbix server are allowed.
+      0 - not allowed
+      1 - allowed
+    value: "0"
+    state: 'comment'
+
+  - name: 'LogRemoteCommands'
+    comment: |
+      Enable logging of executed shell commands as warnings.
+      0 - disabled
+      1 - enabled
+    value: "0"
+    state: 'comment'
+
+  - name: 'Server'
+    comment: |
+      List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
+      Incoming connections will be accepted only from the hosts listed here.
+      If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+      and '::/0' will allow any IPv4 or IPv6 address.
+      '0.0.0.0/0' can be used to allow any IPv4 address.
+      Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+      Mandatory: yes, if StartAgents is not explicitly set to 0
+    value: '127.0.0.1'
+    state: 'present'
+
+  - name: 'ListenPort'
+    comment: |
+      Agent will listen on this port for connections from the server.
+      Range: 1024-32767
+    value: 10050
+    state: 'comment'
+
+  - name: 'ListenIP'
+    comment: |
+      List of comma delimited IP addresses that the agent should listen on.
+      First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+    value: '0.0.0.0'
+    state: 'comment'
+
+  - name: 'StartAgents'
+    comment: |
+      Number of pre-forked instances of zabbix_agentd that process passive checks.
+      If set to 0, disables passive checks and the agent will not listen on any TCP port.
+      Range: 0-100
+    value: 3
+    state: 'comment'
+
+  - name: 'ServerActive'
+    comment: |
+      List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.'
+      If port is not specified, default port is used.
+      IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+      If port is not specified, square brackets for IPv6 addresses are optional.
+      If this parameter is not specified, active checks are disabled.
+      Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+    value: '127.0.0.1'
+    state: 'present'
+
+  - name: 'Hostname'
+    comment: |
+      Unique, case sensitive hostname.
+      Required for active checks and must match hostname as configured on the server.
+      Value is acquired from HostnameItem if undefined.
+    value: ''
+    state: 'comment'
+
+  - name: 'HostnameItem'
+    comment: |
+      Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+      Does not support UserParameters or aliases.
+    value: 'system.hostname'
+    state: 'comment'
+
+  - name: 'HostMetadata'
+    comment: |
+      Optional parameter that defines host metadata.
+      Host metadata is used at host auto-registration process.
+      An agent will issue an error and not start if the value is over limit of 255 characters.
+      If not defined, value will be acquired from HostMetadataItem.
+      Range: 0-255 characters
+    value: ''
+    state: 'comment'
+
+  - name: 'HostMetadataItem'
+    comment: |
+      Optional parameter that defines an item used for getting host metadata.
+      Host metadata is used at host auto-registration process.
+      During an auto-registration request an agent will log a warning message if
+      the value returned by specified item is over limit of 255 characters.
+      This option is only used when HostMetadata is not defined.
+    value: ''
+    state: 'comment'
+
+  - name: 'RefreshActiveChecks'
+    comment: |
+      How often list of active checks is refreshed, in seconds.
+      Range: 60-3600
+    value: 120
+    state: 'comment'
+
+  - name: 'BufferSend'
+    comment: |
+      Do not keep data longer than N seconds in buffer.
+      Range: 1-3600
+    value: 5
+    state: 'comment'
+
+  - name: 'BufferSize'
+    comment: |
+      Maximum number of values in a memory buffer. The agent will send
+      all collected data to Zabbix Server or Proxy if the buffer is full.
+      Range: 2-65535
+    value: 100
+    state: 'comment'
+
+  - name: 'MaxLinesPerSecond'
+    comment: |
+      Maximum number of new lines the agent will send per second to Zabbix Server
+      or Proxy processing 'log' and 'logrt' active checks.
+      The provided value will be overridden by the parameter 'maxlines',
+      provided in 'log' or 'logrt' item keys.
+      Range: 1-1000
+    value: 20
+    state: 'comment'
+
+  - name: 'Alias'
+    comment: |
+      Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+      Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+      Different Alias keys may reference the same item key.
+      For example, to retrieve the ID of user 'zabbix':
+      Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+      Now shorthand key zabbix.userid may be used to retrieve data.
+      Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+    value: ''
+    state: 'comment'
+
+  - name: 'Timeout'
+    comment: |
+      Spend no more than Timeout seconds on processing
+      Range: 1-30
+    value: 3
+    state: 'comment'
+
+  - name: 'AllowRoot'
+    comment: |
+      Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+      will try to switch to the user specified by the User configuration option instead.
+      Has no effect if started under a regular user.
+      0 - do not allow
+      1 - allow
+    value: 0
+    state: 'comment'
+
+  - name: 'User'
+    comment: |
+      Drop privileges to a specific, existing user on the system.
+      Only has effect if run as 'root' and AllowRoot is disabled.
+    value: 'zabbix'
+    state: 'comment'
+
+  - name: 'Include'
+    comment: |
+      You may include individual files or all files in a directory in the configuration file.
+      Installing Zabbix will create include directory in /etc/zabbix, unless modified during the compile time.
+    value: '{{ "/etc/zabbix/zabbix_agentd.conf.d/*.conf"
+               if (zabbix_agent__flavor == "C")
+               else "/etc/zabbix/zabbix_agent2.d/*.conf" }}'
+    state: 'present'
+
+  - name: 'UnsafeUserParameters'
+    comment: |
+      Allow all characters to be passed in arguments to user-defined parameters.
+      The following characters are not allowed:
+      \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+      Additionally, newline characters are not allowed.
+        0 - do not allow
+        1 - allow
+    value: 0
+    state: 'comment'
+
+  - name: 'UserParameter'
+    comment: |
+      User-defined parameter to monitor. There can be several user-defined parameters.
+      Format: UserParameter=<key>,<shell command>
+      See 'zabbix_agentd' directory for examples.
+    value: ''
+    state: 'comment'
+
+  - name: 'LoadModulePath'
+    comment: |
+      Full path to location of agent modules.
+      Default depends on compilation options.
+      To see the default path run command "zabbix_agentd --help".
+    value: '${libdir}/modules'
+    state: 'comment'
+
+  - name: 'LoadModule'
+    comment: |
+      Module to load at agent startup. Modules are used to extend functionality of the agent.
+      Format: LoadModule=<module.so>
+      The modules must be located in directory specified by LoadModulePath.
+      It is allowed to include multiple LoadModule parameters.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSConnect'
+    comment: |
+      How the agent should connect to server or proxy. Used for active checks.
+      Only one value can be specified:
+          unencrypted - connect without encryption
+          psk         - connect using TLS and a pre-shared key
+          cert        - connect using TLS and a certificate
+      Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+    value: 'unencrypted'
+    state: 'comment'
+
+  - name: 'TLSAccept'
+    comment: |
+      What incoming connections to accept.
+      Multiple values can be specified, separated by comma:
+          unencrypted - accept connections without encryption
+          psk         - accept connections secured with TLS and a pre-shared key
+          cert        - accept connections secured with TLS and a certificate
+      Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+    value: 'unencrypted'
+    state: 'comment'
+
+  - name: 'TLSCAFile'
+    comment: |
+      Full pathname of a file containing the top-level CA(s) certificates for
+      peer certificate verification.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSCRLFile'
+    comment: |
+      Full pathname of a file containing revoked certificates.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSServerCertIssuer'
+    comment: |
+      Allowed server certificate issuer.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSServerCertSubject'
+    comment: |
+      Allowed server certificate subject.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSCertFile'
+    comment: |
+      Full pathname of a file containing the agent certificate or certificate chain.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSKeyFile'
+    comment: |
+      Full pathname of a file containing the agent private key.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSPSKIdentity'
+    comment: |
+      Unique, case sensitive string used to identify the pre-shared key.
+    value: ''
+    state: 'comment'
+
+  - name: 'TLSPSKFile'
+    comment: |
+      Full pathname of a file containing the pre-shared key.
+    value: ''
+    state: 'comment'
+
+  - name: 'IncludePlugins'
+    option: 'Include'
+    comment: 'Include configuration files for plugins'
+    value: './zabbix_agent2.d/plugins.d/*.conf'
+    state: '{{ "present" if zabbix_agent__flavor == "Go" else "absent" }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__default_configuration [[[
+#
+# List of the default configuration options defined by the role.
+zabbix_agent__default_configuration:
+
+  - name: 'TLSPSKIdentity'
+    value: '{{ zabbix_agent__tls_psk_identity | d() }}'
+    state: 'present'
+
+  - name: 'TLSPSKFile'
+    value: '/etc/zabbix/secret.key'
+    state: 'present'
+
+  - name: 'User'
+    value: '{{ zabbix_agent__user }}'
+    state: '{{ "present" if zabbix_agent__flavor == "C" else "ignore" }}'
+
+  - name: 'TLSConnect'
+    value: 'psk'
+    state: 'present'
+
+  - name: 'TLSAccept'
+    value: 'psk'
+    state: 'present'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__configuration [[[
+#
+# List of zabbix_agent configuration options defined on all hosts in
+# the Ansible inventory.
+zabbix_agent__configuration: []
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__group_configuration [[[
+#
+# List of zabbix_agent configuration options defined on hosts in a specific Ansible
+# inventory group.
+zabbix_agent__group_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__host_configuration [[[
+#
+# List of zabbix_agent configuration options defined on specific hosts in the
+# Ansible inventory.
+zabbix_agent__host_configuration: []
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__combined_configuration [[[
+#
+# Variable which combines zabbix_agent configuration lists and is used in role
+# tasks and templates.
+zabbix_agent__combined_configuration: '{{ zabbix_agent__original_configuration
+                                      + zabbix_agent__default_configuration
+                                      + zabbix_agent__configuration
+                                      + zabbix_agent__group_configuration
+                                      + zabbix_agent__host_configuration }}'
+                                                                   # ]]]
+                                                                   # ]]]
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
+
+# .. envvar:: zabbix_agent__ferm__dependent_rules [[[
+#
+# Configuration for the :ref:`debops.ferm` Ansible role.
+zabbix_agent__ferm__dependent_rules:
+
+  - name: 'zabbix_agent_allow_http'
+    type: 'accept'
+    dport: [ 'zabbix-agent' ]
+    protocol: [ 'tcp', 'udp' ]
+    saddr: '{{ zabbix_agent__allow + zabbix_agent__group_allow + zabbix_agent__host_allow }}'
+    weight: '50'
+    by_role: 'debops.zabbix_agent'
+    rule_state: '{{ zabbix_agent__deploy_state }}'
+
+                                                                   # ]]]
+# .. envvar:: zabbix_agent__dpkg_cleanup__dependent_packages [[[
+#
+# Configuration for the :ref:`debops.dpkg_cleanup` Ansible role.
+zabbix_agent__dpkg_cleanup__dependent_packages:
+
+  - name: 'zabbix-agent'
+    ansible_fact: 'zabbix_agent'
+    revert_files:
+      - '/etc/zabbix/zabbix_agentd.conf'
+    remove_files:
+      - '/etc/zabbix/secret.key'
+    remove_directories:
+      - '/etc/zabbix/zabbix_agentd.conf.d'
+    restart_services:
+      - 'ferm'
+    state: '{{ "present" if (zabbix_agent__flavor == "C") else "absent" }}'
+
+  - name: 'zabbix-agent2'
+    ansible_fact: 'zabbix_agent'
+    revert_files:
+      - '/etc/zabbix/zabbix_agent2.conf'
+    remove_files:
+      - '/etc/zabbix/secret.key'
+    restart_services:
+      - 'ferm'
+    state: '{{ "present" if (zabbix_agent__flavor == "Go") else "absent" }}'
+                                                                   # ]]]
+                                                                   # ]]]
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/meta/main.yml b/ansible_collections/debops/debops/roles/zabbix_agent/meta/main.yml
new file mode 100644
index 00000000..60e0a2c5
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/meta/main.yml
@@ -0,0 +1,25 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Julien Lecomte'
+  description: 'Configure Zabbix agent'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.4.0'
+  platforms:
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+  galaxy_tags:
+    - zabbix
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/tasks/main.yml b/ansible_collections/debops/debops/roles/zabbix_agent/tasks/main.yml
new file mode 100644
index 00000000..814c65eb
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+
+# Copyright (C) 2021      Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2021-2022 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+# Package installation [[[1
+- name: Install Zabbix agent packages
+  ansible.builtin.apt:
+    name: '{{ (zabbix_agent__base_packages
+             + zabbix_agent__packages) | flatten }}'
+    state: '{{ zabbix_agent__deploy_state }}'
+    purge: True
+  register: zabbix_agent__register_packages
+  until: zabbix_agent__register_packages is succeeded
+
+- name: Add Zabbix UNIX account to required groups
+  ansible.builtin.user:
+    name: '{{ zabbix_agent__user }}'
+    groups: '{{ zabbix_agent__additional_groups | flatten | join(",") }}'
+    state: 'present'
+    append: True
+  notify: [ 'Check zabbix-agent and restart', 'Check zabbix-agent2 and restart' ]
+  when: zabbix_agent__deploy_state != 'absent'
+
+- name: Divert Zabbix agent configuration file
+  debops.debops.dpkg_divert:
+    path: '{{ zabbix_agent__conf_file_path }}'
+    state: 'present'
+  notify: [ 'Check zabbix-agent and restart', 'Check zabbix-agent2 and restart' ]
+  when: zabbix_agent__deploy_state != 'absent'
+
+# Zabbix agent configuration [[[1
+- name: Generate Zabbix agent configuration file
+  ansible.builtin.template:
+    src: 'etc/zabbix/zabbix_agentd.conf.j2'
+    dest: '{{ zabbix_agent__conf_file_path }}'
+    owner: 'root'
+    group: '{{ zabbix_agent__group }}'
+    mode: '0640'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Check zabbix-agent and restart', 'Check zabbix-agent2 and restart' ]
+  when: zabbix_agent__deploy_state != 'absent'
+
+- name: Install secret key
+  ansible.builtin.copy:
+    content: '{{ zabbix_agent__tls_psk_secret }}'
+    dest: '/etc/zabbix/secret.key'
+    owner: 'root'
+    group: '{{ zabbix_agent__group }}'
+    mode: '0640'
+  no_log: '{{ debops__no_log | d(True) }}'
+  notify: [ 'Check zabbix-agent and restart', 'Check zabbix-agent2 and restart' ]
+  when: zabbix_agent__deploy_state != 'absent'
+
+- name: Ensure configuration folder exists
+  ansible.builtin.file:
+    path: '/etc/zabbix/zabbix_agentd.conf.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: zabbix_agent__deploy_state != 'absent' and
+        zabbix_agent__flavor == 'C'
+
+- name: Ensure log folder exists
+  ansible.builtin.file:
+    path: '/var/log/zabbix-agent'
+    state: 'directory'
+    owner: '{{ zabbix_agent__user }}'
+    group: '{{ zabbix_agent__group }}'
+    mode: '0755'
+  when: zabbix_agent__deploy_state != 'absent' and
+        zabbix_agent__flavor == 'C'
+
+# Ansible facts [[[1
+- name: Make sure that Ansible local fact directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: zabbix_agent__deploy_state != 'absent'
+
+- name: Create local facts of Zabbix agent
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/zabbix_agent.fact.j2'
+    dest: '/etc/ansible/facts.d/zabbix_agent.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+    unsafe_writes: '{{ True if (core__unsafe_writes | d(ansible_local.core.unsafe_writes | d()) | bool) else omit }}'
+  notify: [ 'Refresh host facts' ]
+  when: zabbix_agent__deploy_state != 'absent'
+  tags: [ 'meta::facts' ]
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ zabbix_agent__dpkg_cleanup__dependent_packages }}'
+  when: zabbix_agent__deploy_state != 'absent'
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::zabbix_agent:dpkg_cleanup' ]
+
+- name: Reload facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/ansible/facts.d/zabbix_agent.fact.j2 b/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/ansible/facts.d/zabbix_agent.fact.j2
new file mode 100644
index 00000000..38511cb1
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/ansible/facts.d/zabbix_agent.fact.j2
@@ -0,0 +1,42 @@
+#!{{ ansible_python['executable'] }}
+#
+# Copyright (C) 2021 Julien Lecomte <julien@lecomte.at>
+# Copyright (C) 2024 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2021-2024 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+#
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import os
+
+output = {
+    'ListenPort': 10050
+}
+
+if os.path.isfile("/etc/zabbix/zabbix_agentd.conf"):
+    zabbix_agent_conf = "/etc/zabbix/zabbix_agentd.conf"
+elif os.path.isfile("/etc/zabbix/zabbix_agent2.conf"):
+    zabbix_agent_conf = "/etc/zabbix/zabbix_agent2.conf"
+
+try:
+    with open(zabbix_agent_conf, 'r') as fp:
+        output["configured"] = True
+        for line in fp:
+            if line.startswith("ListenPort="):
+                output["ListenPort"] = line[11:].strip()
+            elif line.startswith("TLSPSKIdentity="):
+                output["TLSPSKIdentity"] = line[15:].strip()
+except (FileNotFoundError, PermissionError):
+    pass
+
+if os.path.isfile("/etc/zabbix/secret.key"):
+    try:
+        with open("/etc/zabbix/secret.key", "r") as fp:
+            for line in fp:
+                output["TLSPSKSecret"] = line.strip()
+    except (FileNotFoundError, PermissionError):
+        pass
+
+print(dumps(output, sort_keys=True, indent=4))
diff --git a/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/zabbix/zabbix_agentd.conf.j2 b/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/zabbix/zabbix_agentd.conf.j2
new file mode 100644
index 00000000..00bb22cd
--- /dev/null
+++ b/ansible_collections/debops/debops/roles/zabbix_agent/templates/etc/zabbix/zabbix_agentd.conf.j2
@@ -0,0 +1,17 @@
+{# Copyright (C) 2021      Julien Lecomte <julien@lecomte.at>
+ # Copyright (C) 2021-2022 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2021-2022 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+# This is a configuration file for Zabbix agent daemon (Unix)
+# To get more information about Zabbix, visit http://www.zabbix.com
+{% for element in zabbix_agent__combined_configuration | debops.debops.parse_kv_config %}
+{%   if element.name | d() and element.state | d('present') not in [ 'absent', 'ignore' ] %}
+
+{{     element.comment | regex_replace('\n$','') | comment() }}
+{%     set element_comment = ('#' if element.state | d('present') == 'comment' else '') %}
+{{     '{}{}={}'.format(element_comment, element.option | d(element.name), element.value) }}
+{%   endif %}
+{% endfor %}
diff --git a/ansible_collections/grafana/grafana/.ansible-lint b/ansible_collections/grafana/grafana/.ansible-lint
new file mode 100644
index 00000000..6dab8332
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.ansible-lint
@@ -0,0 +1,18 @@
+---
+profile: production
+
+exclude_paths:
+  - .cache/
+  - .github/
+  - examples/
+
+parseable: true
+verbosity: 1
+
+use_default_rules: true
+
+skip_list:
+  - '204'  # Allow string length greater than 160 chars
+  - 'no-changed-when'  # False positives for running command shells
+  - 'yaml' # Disable YAML linting since it's done by yamllint
+  - 'empty-string-compare'  # Allow compare to empty string
diff --git a/ansible_collections/grafana/grafana/.config/molecule/config.yml b/ansible_collections/grafana/grafana/.config/molecule/config.yml
new file mode 100644
index 00000000..b91b78df
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.config/molecule/config.yml
@@ -0,0 +1,83 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: almalinux-8
+    image: dokken/almalinux-8
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: almalinux-9
+    image: dokken/almalinux-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-7
+    image: dokken/centos-7
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /usr/lib/systemd/systemd
+  - name: centos-stream-8
+    image: dokken/centos-stream-8
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-stream-9
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-10
+    image: dokken/debian-10
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-11
+    image: dokken/debian-11
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-36
+    image: dokken/fedora-36
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-37
+    image: dokken/fedora-37
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-18.04
+    image: dokken/ubuntu-18.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-20.04
+    image: dokken/ubuntu-20.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-22.04
+    image: dokken/ubuntu-22.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+provisioner:
+  env:
+    ANSIBLE_INJECT_FACT_VARS: false
+verifier:
+  name: testinfra
diff --git a/ansible_collections/grafana/grafana/.editorconfig b/ansible_collections/grafana/grafana/.editorconfig
new file mode 100644
index 00000000..9a7d285d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.editorconfig
@@ -0,0 +1,42 @@
+# This file is the top-most EditorConfig file
+root = true
+
+# All Files
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# JSON Files
+[*.{json,json5,webmanifest}]
+indent_size = 2
+
+# YAML Files
+[*.{yml,yaml}]
+indent_size = 2
+
+# Markdown Files
+[*.{md,mdx}]
+indent_size = 2
+trim_trailing_whitespace = false
+
+# Web Files
+[*.{htm,html,js,jsm,ts,tsx,cjs,cts,ctsx,mjs,mts,mtsx,css,sass,scss,less,pcss,svg,vue}]
+indent_size = 2
+
+# Bash Files
+[*.sh]
+indent_size = 2
+end_of_line = lf
+
+# Makefiles
+[{Makefile,**.mk}]
+indent_style = tab
+
+# Python Files
+[*.py]
+indent_style = space
+indent_size = 4
diff --git a/ansible_collections/grafana/grafana/.github/dependabot.yml b/ansible_collections/grafana/grafana/.github/dependabot.yml
new file mode 100644
index 00000000..9d866e39
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/ansible_collections/grafana/grafana/.github/workflows/alloy-molecule.yml b/ansible_collections/grafana/grafana/.github/workflows/alloy-molecule.yml
new file mode 100644
index 00000000..fd4c92e3
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/alloy-molecule.yml
@@ -0,0 +1,45 @@
+---
+name: Alloy Molecule
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: roles/alloy
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - rockylinux9
+          - ubuntu2204
+          - debian12
+          - opensuseleap15
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/full-integration-test.yml b/ansible_collections/grafana/grafana/.github/workflows/full-integration-test.yml
new file mode 100644
index 00000000..a7fd9c48
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/full-integration-test.yml
@@ -0,0 +1,69 @@
+---
+name: Full Integration Test
+
+# yamllint disable-line rule:truthy
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+env:
+  NAMESPACE: grafana
+  COLLECTION_NAME: grafana
+
+jobs:
+
+  integration:
+    runs-on: ubuntu-20.04
+    name: ${{ matrix.ansible }}-py${{ matrix.python }}
+    strategy:
+      fail-fast: true
+      max-parallel: 1
+      matrix:
+        ansible:
+          - stable-2.11
+          - stable-2.12
+          - stable-2.13
+          - devel
+        python:
+          - '2.7'
+          - '3.5'
+          - '3.6'
+          - '3.7'
+          - '3.8'
+          - '3.9'
+          - '3.10'
+        exclude:
+          - ansible: stable-2.11
+            python: '3.10'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: create integration_config
+        working-directory: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}/tests/integration
+        run: |
+          cat <<EOF > integration_config.yml
+          stack_name: ${{ secrets.ANSIBLE_TEST_STACK_NAME }}
+          org_name: ${{ secrets.ANSIBLE_TEST_ORG_NAME }}
+          grafana_cloud_api_key: ${{ secrets.ANSIBLE_TEST_CLOUD_API_KEY }}
+          grafana_api_key: ${{ secrets.ANSIBLE_TEST_GRAFANA_API_KEY }}
+          test_stack_name: ${{ secrets.ANSIBLE_TEST_CI_STACK }}
+          EOF
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10'
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Test Modules
+        run: ansible-test integration -v alert_contact_point alert_notification_policy cloud_api_key cloud_plugin cloud_stack dashboard datasource folder --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Cooling Period
+        run: sleep 3m
diff --git a/ansible_collections/grafana/grafana/.github/workflows/lint.yaml b/ansible_collections/grafana/grafana/.github/workflows/lint.yaml
new file mode 100644
index 00000000..a53315d2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/lint.yaml
@@ -0,0 +1,63 @@
+---
+name: Lint
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  lint:
+    name: Perform Linting
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install shellcheck
+        run: |
+          wget -c https://github.com/koalaman/shellcheck/releases/download/v0.9.0/shellcheck-v0.9.0.linux.x86_64.tar.xz -O shellcheck.tar.xz && \
+            tar -xvf shellcheck.tar.xz && \
+            sudo mv ./shellcheck-v0.9.0/shellcheck /usr/bin/shellcheck && \
+            rm -rf shellcheck-v0.9.0
+
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+          cache: npm
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Install pipenv
+        run: |
+          python -m pip install --upgrade pipenv wheel
+
+      - name: Install dependencies
+        run: make install
+
+      - name: Shell Linting
+        run: make ci-lint-shell
+        if: success() || failure()
+
+      # - name: Markdown Linting
+      #   run: make ci-lint-markdown
+      #   if: success() || failure()
+
+      # - name: Text Linting
+      #   run: make ci-lint-text
+      #   if: success() || failure()
+
+      - name: Yaml Linting
+        run: make ci-lint-yaml
+        if: success() || failure()
+
+      - name: Editorconfig Linting
+        run: make ci-lint-editorconfig
+        if: success() || failure()
+
+      - name: Ansible Linting
+        run: make ci-lint-ansible
+        if: success() || failure()
diff --git a/ansible_collections/grafana/grafana/.github/workflows/loki-molecule.yml b/ansible_collections/grafana/grafana/.github/workflows/loki-molecule.yml
new file mode 100644
index 00000000..8d8da57f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/loki-molecule.yml
@@ -0,0 +1,44 @@
+---
+name: Loki Molecule
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: roles/loki
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - rockylinux9
+          - ubuntu2204
+          - debian12
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/mimir-molecule.yml b/ansible_collections/grafana/grafana/.github/workflows/mimir-molecule.yml
new file mode 100644
index 00000000..2c6b374f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/mimir-molecule.yml
@@ -0,0 +1,51 @@
+---
+name: Mimir Molecule
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: roles/mimir
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - rockylinux9
+          - rockylinux8
+          - ubuntu2204
+          - debian12
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible-core==2.16 'molecule-plugins[docker]' pytest-testinfra jmespath selinux passlib
+
+      - name: create docker network
+        run: docker network create molecule
+
+      - name: Start s3 backend
+        run: docker run -d -p 9000:9000 -p 9001:9001 --name minio-mimir --network molecule -e "MINIO_ROOT_USER=testtest" -e "MINIO_ROOT_PASSWORD=testtest" -e "MINIO_DEFAULT_BUCKETS=mimir" bitnamilegacy/minio:latest
+
+      - name: Run Molecule tests.
+        run: molecule --debug test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/modules-test.yml b/ansible_collections/grafana/grafana/.github/workflows/modules-test.yml
new file mode 100644
index 00000000..20f78978
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/modules-test.yml
@@ -0,0 +1,98 @@
+---
+name: Modules Test
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+  schedule:
+    - cron: '0 6 * * *'
+env:
+  NAMESPACE: grafana
+  COLLECTION_NAME: grafana
+
+jobs:
+
+  sanity:
+    name: Sanity (Ⓐ${{ matrix.ansible }})
+    strategy:
+      matrix:
+        ansible:
+          - stable-2.12
+          - stable-2.13
+          - stable-2.14
+          - devel
+    runs-on: ubuntu-20.04
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Run sanity tests
+        run: ansible-test sanity -v --docker --color --coverage
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+  integration:
+    runs-on: ubuntu-20.04
+    name: Integration (Ⓐ${{ matrix.ansible }}-py${{ matrix.python }})
+    strategy:
+      fail-fast: true
+      max-parallel: 1
+      matrix:
+        ansible:
+          - stable-2.13
+        python:
+          - '3.10'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: create integration_config
+        working-directory: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}/tests/integration
+        run: |
+          cat <<EOF > integration_config.yml
+          org_name: ${{ secrets.ANSIBLE_TEST_ORG_NAME }}
+          grafana_cloud_api_key: ${{ secrets.ANSIBLE_TEST_CLOUD_API_KEY }}
+          grafana_api_key: ${{ secrets.ANSIBLE_TEST_GRAFANA_API_KEY }}
+          grafana_url: ${{ secrets.ANSIBLE_GRAFANA_URL }}
+          test_stack_name: ${{ secrets.ANSIBLE_TEST_CI_STACK }}
+          EOF
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Install Requests
+        run: pip install requests
+
+      - name: Create Test Stack
+        run: ansible-test integration -v create_cloud_stack --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Test Modules
+        run: ansible-test integration -v alert_contact_point alert_notification_policy cloud_api_key cloud_plugin dashboard datasource folder --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Delete Test Stack
+        if: success() || failure()
+        run: ansible-test integration -v delete_cloud_stack --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/opentelemetry-collector-molecule.yml b/ansible_collections/grafana/grafana/.github/workflows/opentelemetry-collector-molecule.yml
new file mode 100644
index 00000000..4ee16cdd
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/opentelemetry-collector-molecule.yml
@@ -0,0 +1,44 @@
+---
+name: OpenTelemetry Collector Molecule
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: roles/opentelemetry_collector
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        scenario:
+          - default
+          - default-check-first
+          - latest
+          - non-contrib
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker pytest-testinfra
+
+      - name: Run Molecule tests.
+        run: molecule test -s ${{ matrix.scenario }}
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
diff --git a/ansible_collections/grafana/grafana/.github/workflows/promtail-molecule.yml b/ansible_collections/grafana/grafana/.github/workflows/promtail-molecule.yml
new file mode 100644
index 00000000..e8168b45
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/promtail-molecule.yml
@@ -0,0 +1,44 @@
+---
+name: Promtail Molecule
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+defaults:
+  run:
+    working-directory: roles/promtail
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - rockylinux9
+          - ubuntu2204
+          - debian12
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible molecule molecule-plugins[docker] docker
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/release.yml b/ansible_collections/grafana/grafana/.github/workflows/release.yml
new file mode 100644
index 00000000..cdf1b2bd
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/release.yml
@@ -0,0 +1,159 @@
+---
+name: GitHub Release
+
+# yamllint disable-line rule:truthy
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version number to release'
+        required: true
+env:
+  NAMESPACE: grafana
+  COLLECTION_NAME: grafana
+
+jobs:
+  sanity:
+    name: Sanity (Ⓐ${{ matrix.ansible }})
+    strategy:
+      matrix:
+        ansible:
+          - stable-2.12
+          - stable-2.13
+          - stable-2.14
+          - devel
+    runs-on: ubuntu-20.04
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Run sanity tests
+        run: ansible-test sanity -v --docker --color --coverage
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+  integration:
+    runs-on: ubuntu-20.04
+    name: Integration (Ⓐ${{ matrix.ansible }}-py${{ matrix.python }})
+    strategy:
+      fail-fast: true
+      max-parallel: 1
+      matrix:
+        ansible:
+          - stable-2.13
+        python:
+          - '3.10'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: create integration_config
+        working-directory: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}/tests/integration
+        run: |
+          cat <<EOF > integration_config.yml
+          org_name: ${{ secrets.ANSIBLE_TEST_ORG_NAME }}
+          grafana_cloud_api_key: ${{ secrets.ANSIBLE_TEST_CLOUD_API_KEY }}
+          grafana_api_key: ${{ secrets.ANSIBLE_TEST_GRAFANA_API_KEY }}
+          grafana_url: ${{ secrets.ANSIBLE_GRAFANA_URL }}
+          test_stack_name: ${{ secrets.ANSIBLE_TEST_CI_STACK }}
+          EOF
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Install Requests
+        run: pip install requests
+
+      - name: Create Test Stack
+        run: ansible-test integration -v create_cloud_stack --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Test Modules
+        run: ansible-test integration -v alert_contact_point alert_notification_policy cloud_api_key cloud_plugin dashboard datasource folder --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Delete Test Stack
+        if: success() || failure()
+        run: ansible-test integration -v delete_cloud_stack --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+  publish:
+    name: Publish to Galaxy
+    runs-on: ubuntu-latest
+    needs: [sanity, integration]
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10'
+
+      - name: Install Ansible
+        run: pip install ansible-core
+      
+      - name: Install PyYaml
+        run: pip install pyyaml
+
+      - name: Validate version matches
+        run: |
+          VERSION=$(python -c "import yaml; print(yaml.safe_load(open('galaxy.yml'))['version'])")
+          if [ "$VERSION" != "${{ github.event.inputs.version }}" ]; then
+            echo "Error: Input version (${{ github.event.inputs.version }}) doesn't match galaxy.yml version ($VERSION)"
+            exit 1
+          fi
+
+      - name: Build collection
+        id: build
+        run: |
+          ansible-galaxy collection build
+          echo "archive_path=$(ls *.tar.gz)" >> $GITHUB_OUTPUT
+
+      - name: Publish collection to Galaxy
+        env:
+          ANSIBLE_GALAXY_API_KEY: ${{ secrets.ANSIBLE_GALAXY_API_KEY }}
+        run: ansible-galaxy collection publish --api-key ${{ secrets.ANSIBLE_GALAXY_API_KEY }} ${{ steps.build.outputs.archive_path }}
+
+  release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: [publish]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10'
+
+      - name: Install PyYaml
+        run: pip install pyyaml
+
+      - name: Validate version is published to Galaxy
+        run: curl --head -s -f -o /dev/null https://galaxy.ansible.com/download/grafana-grafana-${{ github.event.inputs.version }}.tar.gz
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.event.inputs.version }}
diff --git a/ansible_collections/grafana/grafana/.github/workflows/roles-test.yml b/ansible_collections/grafana/grafana/.github/workflows/roles-test.yml
new file mode 100644
index 00000000..95955054
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.github/workflows/roles-test.yml
@@ -0,0 +1,90 @@
+---
+name: Roles Test
+
+# yamllint disable-line rule:truthy
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+  schedule:
+    - cron: '0 6 * * *'
+env:
+  NAMESPACE: grafana
+  COLLECTION_NAME: grafana
+
+jobs:
+
+  sanity:
+    name: Sanity (Ⓐ${{ matrix.ansible }})
+    strategy:
+      matrix:
+        ansible:
+          - stable-2.12
+          - stable-2.13
+          - stable-2.14
+          - devel
+    runs-on: ubuntu-20.04
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: Set up Python
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.10'
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Run sanity tests
+        run: ansible-test sanity -v --docker --color --coverage
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+  integration:
+    runs-on: ubuntu-20.04
+    name: Integration (Ⓐ${{ matrix.ansible }}-py${{ matrix.python }})
+    strategy:
+      fail-fast: true
+      max-parallel: 1
+      matrix:
+        ansible:
+          - stable-2.13
+        python:
+          - '3.10'
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          path: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
+
+      - name: create integration_config
+        working-directory: ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}/tests/integration
+        run: |
+          cat <<EOF > integration_config.yml
+          stack_name: ${{ secrets.ANSIBLE_TEST_STACK_NAME }}
+          org_name: ${{ secrets.ANSIBLE_TEST_ORG_NAME }}
+          grafana_cloud_api_key: ${{ secrets.ANSIBLE_TEST_CLOUD_API_KEY }}
+          grafana_api_key: ${{ secrets.ANSIBLE_TEST_GRAFANA_API_KEY }}
+          grafana_url: ${{ secrets.ANSIBLE_GRAFANA_URL }}
+          test_stack_name: ${{ secrets.ANSIBLE_TEST_CI_STACK }}
+          EOF
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Install ansible-base (${{ matrix.ansible }})
+        run: pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible }}.tar.gz --disable-pip-version-check
+
+      - name: Install Requests
+        run: pip install requests
+
+      - name: Test Roles
+        run: ansible-test integration -v molecule-grafana-alternative molecule-grafana-default --color --retry-on-error --continue-on-error --diff --python ${{ matrix.python }} --coverage --docker
+        working-directory: ./ansible_collections/${{env.NAMESPACE}}/${{env.COLLECTION_NAME}}
diff --git a/ansible_collections/grafana/grafana/.gitignore b/ansible_collections/grafana/grafana/.gitignore
new file mode 100644
index 00000000..9d1b5557
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.gitignore
@@ -0,0 +1,237 @@
+# Project
+# ---------------------------------------------------
+*.pyc
+.vscode
+.idea
+hosts
+*.log
+yala
+
+# MacOS
+# ---------------------------------------------------
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+
+# Windows
+# ---------------------------------------------------
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+
+# MS Office
+# ---------------------------------------------------
+*.tmp
+
+# Word temporary
+~$*.doc*
+
+# Word Auto Backup File
+Backup of *.doc*
+
+# Excel temporary
+~$*.xls*
+
+# Excel Backup File
+*.xlk
+
+# PowerPoint temporary
+~$*.ppt*
+
+# Visio autosave temporary files
+*.~vsd*
+
+
+# VS Code
+# ---------------------------------------------------
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+*.app
+.snapshots/*
+
+
+# NodeJS
+# ---------------------------------------------------
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
diff --git a/ansible_collections/grafana/grafana/.markdownlint.yaml b/ansible_collections/grafana/grafana/.markdownlint.yaml
new file mode 100644
index 00000000..f12a082d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.markdownlint.yaml
@@ -0,0 +1,261 @@
+---
+# Example markdownlint YAML configuration with all properties set to their default value
+
+# Default state for all rules
+default: true
+
+# Path to configuration file to extend
+extends: null
+
+# MD001/heading-increment/header-increment - Heading levels should only increment by one level at a time
+MD001: true
+
+# MD002/first-heading-h1/first-header-h1 - First heading should be a top-level heading
+MD002:
+  # Heading level
+  level: 1
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Heading style
+  style: "consistent"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  # List style
+  style: "consistent"
+
+# MD005/list-indent - Inconsistent indentation for list items at the same level
+MD005: true
+
+# MD006/ul-start-left - Consider starting bulleted lists at the beginning of the line
+MD006: true
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: false
+  # Spaces for first level indent (when start_indented is set)
+  start_indent: 2
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: true
+  # Fenced code languages to ignore
+  ignore_code_languages: []
+  # Number of spaces for each hard tab
+  spaces_per_tab: 2
+
+# MD011/no-reversed-links - Reversed link syntax
+MD011: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+
+# MD013/line-length - Line length
+MD013:
+  # Number of characters
+  line_length: 150
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 100
+  # Include code blocks
+  code_blocks: true
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Include headings
+  headers: true
+  # Strict length checking
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD014/commands-show-output - Dollar signs used before commands without showing output
+MD014: false
+
+# MD018/no-missing-space-atx - No space after hash on atx style heading
+MD018: true
+
+# MD019/no-multiple-space-atx - Multiple spaces after hash on atx style heading
+MD019: true
+
+# MD020/no-missing-space-closed-atx - No space inside hashes on closed atx style heading
+MD020: true
+
+# MD021/no-multiple-space-closed-atx - Multiple spaces inside hashes on closed atx style heading
+MD021: true
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD023/heading-start-left/header-start-left - Headings must start at the beginning of the line
+MD023: true
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content
+MD024: false
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters not allowed at end of headings
+  punctuation: ".,;:!。，；：！"
+
+# MD027/no-multiple-space-blockquote - Multiple spaces after blockquote symbol
+MD027: true
+
+# MD028/no-blanks-blockquote - Blank line inside blockquote
+MD028: true
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 3
+  # Spaces for single-line ordered list items
+  ol_single: 2
+  # Spaces for multi-line unordered list items
+  ul_multi: 3
+  # Spaces for multi-line ordered list items
+  ol_multi: 2
+
+# MD031/blanks-around-fences - Fenced code blocks should be surrounded by blank lines
+MD031:
+  # Include list items
+  list_items: true
+
+# MD032/blanks-around-lists - Lists should be surrounded by blank lines
+MD032: true
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements:
+    - div
+    - br
+    - hr
+
+# MD034/no-bare-urls - Bare URL used
+MD034: true
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "consistent"
+
+# MD036/no-emphasis-as-heading/no-emphasis-as-header - Emphasis used instead of a heading
+MD036: false
+
+# MD037/no-space-in-emphasis - Spaces inside emphasis markers
+MD037: true
+
+# MD038/no-space-in-code - Spaces inside code span elements
+MD038: true
+
+# MD039/no-space-in-links - Spaces inside link text
+MD039: true
+
+# MD040/fenced-code-language - Fenced code blocks should have a language specified
+MD040:
+  # List of languages
+  allowed_languages: []
+  # Require language only
+  language_only: false
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD042/no-empty-links - No empty links
+MD042: true
+
+# MD043/required-headings/required-headers - Required heading structure
+MD043:
+  # List of headings
+  headings:
+    - "*"
+  # List of headings
+  headers: []
+  # Match case of headings
+  match_case: false
+
+# MD044/proper-names - Proper names should have the correct capitalization
+MD044:
+  # List of proper names
+  names: []
+  # Include code blocks
+  code_blocks: true
+  # Include HTML elements
+  html_elements: true
+
+# MD045/no-alt-text - Images should have alternate text (alt text)
+MD045: true
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "consistent"
+
+# MD047/single-trailing-newline - Files should end with a single newline character
+MD047: true
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence style
+  style: "consistent"
+
+# MD049/emphasis-style - Emphasis style should be consistent
+MD049:
+  # Emphasis style should be consistent
+  style: "consistent"
+
+# MD050/strong-style - Strong style should be consistent
+MD050:
+  # Strong style should be consistent
+  style: "consistent"
+
+# MD051/link-fragments - Link fragments should be valid
+MD051: false
+
+# MD052/reference-links-images - Reference links and images should use a label that is defined
+MD052: true
+
+# MD053/link-image-reference-definitions - Link and image reference definitions should be needed
+MD053:
+  # Ignored definitions
+  ignored_definitions: [
+    "//"
+  ]
diff --git a/ansible_collections/grafana/grafana/.shellcheckrc b/ansible_collections/grafana/grafana/.shellcheckrc
new file mode 100644
index 00000000..9eac5ba5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.shellcheckrc
@@ -0,0 +1,7 @@
+# Allow opening any 'source'd file, even if not specified as input
+external-sources=true
+
+# some files are sourced which can make some areas appear unreachable
+disable=SC2317
+disable=SC2250
+disable=SC2312
diff --git a/ansible_collections/grafana/grafana/.textlintrc b/ansible_collections/grafana/grafana/.textlintrc
new file mode 100644
index 00000000..1ea8e9c7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.textlintrc
@@ -0,0 +1,187 @@
+{
+  "rules": {
+    "common-misspellings": true,
+    "no-todo": true,
+    "terminology": {
+      "defaultTerms": false,
+      "terms": [
+        "Grafana",
+        ["GrafanaLabs", "Grafana Labs"],
+        ["GrafanaCloud", "Grafana Cloud"],
+        "Mimir",
+        "Loki",
+        "Phlare",
+        "Tempo",
+        "Faro",
+        "Raintank",
+        "Prometheus",
+        "PromQL",
+        ["(E|e)xamplars", "$1xemplars"],
+        ["(D|d)atasource", "$1ata source"],
+        "CData",
+        "Google",
+        "Amazon",
+        "RedHat",
+        "Azure",
+        "Airbnb",
+        "Android",
+        "AppleScript",
+        "AppVeyor",
+        "AVA",
+        "BrowserStack",
+        "Browsersync",
+        "Codecov",
+        "CodePen",
+        "CodeSandbox",
+        "DefinitelyTyped",
+        "EditorConfig",
+        "ESLint",
+        "GitHub",
+        "GraphQL",
+        "iOS",
+        "JavaScript",
+        "JetBrains",
+        "jQuery",
+        "LinkedIn",
+        "Lodash",
+        "MacBook",
+        "Markdown",
+        "OpenType",
+        "PayPal",
+        "PhpStorm",
+        "RubyMine",
+        "Sass",
+        "SemVer",
+        "TypeScript",
+        "UglifyJS",
+        "Wasm",
+        "WebAssembly",
+        "WebStorm",
+        "WordPress",
+        "YouTube",
+        ["Common[ .]js", "CommonJS"],
+        ["JSDocs?", "JSDoc"],
+        ["Nodejs", "Node.js"],
+        ["React[ .]js", "React"],
+        ["SauceLabs", "Sauce Labs"],
+        ["StackOverflow", "Stack Overflow"],
+        ["styled ?components", "styled-components"],
+        ["HTTP[ /]2(?:\\.0)?", "HTTP/2"],
+        ["OS X", "macOS"],
+        ["Mac ?OS", "macOS"],
+        ["a npm", "an npm"],
+        "ECMAScript",
+        ["ES2015", "ES6"],
+        ["ES7", "ES2016"],
+        "3D",
+        ["3-D", "3D"],
+        "Ajax",
+        "API",
+        ["API[']?s", "APIs"],
+        "CSS",
+        "GIF",
+        " HTML ",
+        "HTTPS",
+        "IoT",
+        "I/O",
+        ["I-O", "I/O"],
+        "JPEG",
+        "MIME",
+        "OK",
+        "PaaS",
+        " PDF ",
+        "PNG",
+        "SaaS",
+        "URL",
+        ["URL[']?s", "URLs"],
+        ["an URL", "a URL"],
+        ["wi[- ]?fi", "Wi-Fi"],
+        "McKenzie",
+        "McConnell",
+        [" id", " ID"],
+        ["id[']?s", "IDs"],
+        ["backwards compatible", "backward compatible"],
+        ["build system(s?)", "build tool$1"],
+        ["CLI tool(s?)", "command-line tool$1"],
+        ["he or she", "they"],
+        ["he/she", "they"],
+        ["\\(s\\)he", "they"],
+        ["repo\\b", "repository"],
+        ["smartphone(s?)", "mobile phone$1"],
+        ["web[- ]?site(s?)", "site$1"],
+        ["auto[- ]complete", "autocomplete"],
+        ["auto[- ]format", "autoformat"],
+        ["auto[- ]fix", "autofix"],
+        ["auto[- ]fixing", "autofixing"],
+        ["back[- ]end(\\w*)", "backend$1"],
+        ["bug[- ]fix(es?)", "bugfix$1"],
+        ["change[- ]log(s?)", "changelog$1"],
+        ["check[- ]box(es?)", "checkbox$1"],
+        ["code[- ]base(es?)", "codebase$1"],
+        ["co[- ]locate(d?)", "colocate$1"],
+        ["end[- ]point(s?)", "endpoint$1"],
+        ["e[- ]mail(s?)", "email$1"],
+        ["file[- ]name(s?)", "filename$1"],
+        ["front[- ]end(\\w*)", "frontend$1"],
+        ["hack[- ]a[- ]thon(s?)", "hackathon$1"],
+        ["host[- ]name(s?)", "hostname$1"],
+        ["hot[- ]key(s?)", "hotkey$1"],
+        ["life[- ]cycle", "lifecycle"],
+        ["life[- ]stream(s?)", "lifestream$1"],
+        ["lock[- ]file(s?)", "lockfile$1"],
+        ["mark-up", "markup"],
+        ["meta[- ]data", "metadata"],
+        ["micro[- ]service(s?)", "microservice$1"],
+        ["name[- ]space(s?)", "namespace$1"],
+        ["pre[- ]condition(s?)", "precondition$1"],
+        ["pre[- ]defined", "predefined"],
+        ["pre[- ]release(s?)", "prerelease$1"],
+        ["re[- ]write", "rewrite"],
+        ["run[- ]time", "runtime"],
+        ["screen[- ]shot(s?)", "screenshot$1"],
+        ["screen[- ]?snap(s?)", "screenshot$1"],
+        ["sub[- ]class((?:es|ing)?)", "subclass$1"],
+        ["sub[- ]tree(s?)", "subtree$1"],
+        ["time[- ]stamp(s?)", "timestamp$1"],
+        ["touch[- ]screen(s?)", "touchscreen$1"],
+        ["user[- ]name(s?)", "username$1"],
+        ["walk[- ]through", "walkthrough"],
+        ["white[- ]space", "whitespace"],
+        ["wild[- ]card(s?)", "wildcard$1"],
+        ["css-?in-?js", "CSS in JS"],
+        ["code-?review(s?)", "code review$1"],
+        ["code-?splitting", "code splitting"],
+        ["end-?user(s?)", "end user$1"],
+        ["file-?type(s?)", "file type$1"],
+        ["micro-?frontend(s?)", "micro frontend$1"],
+        ["open-?source(ed?)", "open source$1"],
+        ["regexp?(s?)", "regular expression$1"],
+        ["style-?guide(s?)", "style guide$1"],
+        ["tree-?shaking", "tree shaking"],
+        ["source-?map(s?)", "source map$1"],
+        ["style-?sheet(s?)", "style sheet$1"],
+        ["user-?base", "user base"],
+        ["web-?page(s?)", "web page$1"],
+        ["built ?in", "built-in"],
+        ["client ?side", "client-side"],
+        ["command ?line", "command-line"],
+        ["end ?to ?end", "end-to-end"],
+        ["error ?prone", "error-prone"],
+        ["higher ?order", "higher-order"],
+        ["key[/ ]?value", "key-value"],
+        ["server ?side", "server-side"],
+        ["two ?steps?", "two-step"],
+        ["2 ?steps?", "two-step"],
+        ["(\\w+[^.?!]\\)? )base64", "$1base64"],
+        ["(\\w+[^.?!]\\)? )internet", "$1internet"],
+        ["(\\w+[^.?!]\\)? )stylelint", "$1stylelint"],
+        ["(\\w+[^.?!]\\)? )webpack", "$1webpack"],
+        ["(\\w+[^.?!]\\)? )npm", "$1npm"],
+        ["environemnt(s?)", "environment$1"],
+        ["pacakge(s?)", "package$1"],
+        ["tilda", "tilde"],
+        ["falsey", "falsy"]
+      ]
+    }
+  }
+}
diff --git a/ansible_collections/grafana/grafana/.yamllint b/ansible_collections/grafana/grafana/.yamllint
new file mode 100644
index 00000000..53231c45
--- /dev/null
+++ b/ansible_collections/grafana/grafana/.yamllint
@@ -0,0 +1,15 @@
+---
+yaml-files:
+  - "*.yaml"
+  - "*.yml"
+  - ".yamllint"
+
+ignore:
+  - node_modules
+
+extends: default
+
+rules:
+  line-length:
+    max: 150
+    level: warning
diff --git a/ansible_collections/grafana/grafana/CHANGELOG.rst b/ansible_collections/grafana/grafana/CHANGELOG.rst
new file mode 100644
index 00000000..8ff5919a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/CHANGELOG.rst
@@ -0,0 +1,695 @@
+=============================
+Grafana.Grafana Release Notes
+=============================
+
+.. contents:: Topics
+
+v6.0.6
+======
+
+Major Changes
+-------------
+
+- Restore default listen address and port in Mimir by @56quarters in https://github.com/grafana/grafana-ansible-collection/pull/456
+- fix broken Grafana apt repository addition by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/454
+
+v6.0.5
+======
+
+Major Changes
+-------------
+
+- Fallback to empty dict in case grafana_ini is undefined by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/403
+- Fix Mimir config file validation task by @Windos in https://github.com/grafana/grafana-ansible-collection/pull/428
+- Fixes issue by @digiserg in https://github.com/grafana/grafana-ansible-collection/pull/421
+- Import custom dashboards only when directory exists by @mahendrapaipuri in https://github.com/grafana/grafana-ansible-collection/pull/430
+- Updated YUM repo urls from `packages.grafana.com` to `rpm.grafana.com` by @DejfCold in https://github.com/grafana/grafana-ansible-collection/pull/414
+- Use credentials from grafana_ini when importing dashboards by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/402
+- do not skip scrape latest github version even in check_mode by @cmehat in https://github.com/grafana/grafana-ansible-collection/pull/408
+- fix datasource documentation by @jeremad in https://github.com/grafana/grafana-ansible-collection/pull/437
+- fix mimir_download_url_deb & mimir_download_url_rpm by @germebl in https://github.com/grafana/grafana-ansible-collection/pull/400
+- update catalog info by @Duologic in https://github.com/grafana/grafana-ansible-collection/pull/434
+- use deb822 for newer debian versions by @Lukas-Heindl in https://github.com/grafana/grafana-ansible-collection/pull/440
+
+v6.0.4
+======
+
+Major Changes
+-------------
+
+- Add SUSE support to Alloy role by @pozsa in https://github.com/grafana/grafana-ansible-collection/pull/423
+- Fixes to foldersFromFilesStructure option by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/351
+- Migrate RedHat install to ansible.builtin.package by @r65535 in https://github.com/grafana/grafana-ansible-collection/pull/431
+- add macOS support to alloy role by @l50 in https://github.com/grafana/grafana-ansible-collection/pull/418
+- replace None with [] for safe length checks by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/426
+
+v6.0.3
+======
+
+Major Changes
+-------------
+
+- Bump ansible-lint from 24.9.2 to 25.6.1 by @dependabot[bot] in https://github.com/grafana/grafana-ansible-collection/pull/391
+- Bump brace-expansion from 1.1.11 to 1.1.12 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/grafana/grafana-ansible-collection/pull/396
+- Changes for issue
+- Update Mimir README.md by @Gufderald in https://github.com/grafana/grafana-ansible-collection/pull/397
+- declare collection dependencies by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/390
+- declare collection dependencies by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/392
+- ensure IP assert returns boolean result by @aardbol in https://github.com/grafana/grafana-ansible-collection/pull/398
+- improve mimir/alloy examples playbook by @smCloudInTheSky in https://github.com/grafana/grafana-ansible-collection/pull/369
+- store APT key with .asc extension by @derhuerst in https://github.com/grafana/grafana-ansible-collection/pull/394
+
+v6.0.2
+======
+
+Major Changes
+-------------
+
+- Add delete protection by @KucicM in https://github.com/grafana/grafana-ansible-collection/pull/381
+- Don't override defaults by @56quarters in https://github.com/grafana/grafana-ansible-collection/pull/382
+- Don't use a proxy when doing Alloy readiness check by @benoitc-croesus in https://github.com/grafana/grafana-ansible-collection/pull/375
+- Fix Mimir URL verify task by @parcimonic in https://github.com/grafana/grafana-ansible-collection/pull/358
+- Fix some regression introduced by v6 by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/376
+- Update when statement to test for dashboard files found by @hal58th in https://github.com/grafana/grafana-ansible-collection/pull/363
+- Use become false in find task by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/368
+- alloy_readiness_check_use_https by @piotr-g in https://github.com/grafana/grafana-ansible-collection/pull/359
+- declare collection dependencies by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/386
+- ensure alerting provisioning directory exists by @derhuerst in https://github.com/grafana/grafana-ansible-collection/pull/364
+- mark configuration deployment task with `no_log` by @kkantonop in https://github.com/grafana/grafana-ansible-collection/pull/380
+- properly validate config by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/354
+- template ingester and querier section by @Gufderald in https://github.com/grafana/grafana-ansible-collection/pull/371
+- use ansible_facts instead of variables by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/365
+
+v6.0.1
+======
+
+Minor Changes
+-------------
+
+- Remove Node modules from Ansible Collection build
+
+v6.0.0
+======
+
+Major Changes
+-------------
+
+- Add foldersFromFilesStructure option by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/326
+- Add tempo role by @CSTDev in https://github.com/grafana/grafana-ansible-collection/pull/323
+- Do not log grafana.ini contents when setting facts by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/325
+- Fix loki_operational_config section not getting rendered in config.yml by @olegkaspersky in https://github.com/grafana/grafana-ansible-collection/pull/330
+- Fix sectionless items edge case by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/303
+- Fix tags Inherit default vars by @MJurayev in https://github.com/grafana/grafana-ansible-collection/pull/341
+- Fix the markdown code fences for install command by @benmatselby in https://github.com/grafana/grafana-ansible-collection/pull/306
+- Grafana fix facts in main.yml by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/315
+- Make dashboard imports more flexible by @torfbolt in https://github.com/grafana/grafana-ansible-collection/pull/308
+- Make systemd create /var/lib/otel-collector by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/336
+- Validate config by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/327
+- add catalog-info file for internal dev catalog by @theSuess in https://github.com/grafana/grafana-ansible-collection/pull/317
+- add publish step to GitHub Actions workflow for Ansible Galaxy by @thelooter in https://github.com/grafana/grafana-ansible-collection/pull/340
+- add user module to create/update/delete grafana users by @mvalois in https://github.com/grafana/grafana-ansible-collection/pull/178
+- force temporary directory even in check mode for  dashboards.yml by @cmehat in https://github.com/grafana/grafana-ansible-collection/pull/339
+- integrate sles legacy init-script support by @floerica in https://github.com/grafana/grafana-ansible-collection/pull/184
+- management of the config.river with the conversion of the config.yaml by @lbrule in https://github.com/grafana/grafana-ansible-collection/pull/149
+- use ansible_facts instead of ansible_* variables by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/296
+
+v5.7.0
+======
+
+Major Changes
+-------------
+
+- Ability to set custom directory path for \*.alloy config files by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/294
+- Add tests and support version latest by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/299
+- Fix 'dict object' has no attribute 'path' when running with --check by @JMLX42 in https://github.com/grafana/grafana-ansible-collection/pull/283
+- Update grafana template by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/300
+- add loki bloom support by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/298
+- grafana.ini yaml syntax by @intermittentnrg in https://github.com/grafana/grafana-ansible-collection/pull/232
+
+v5.6.0
+======
+
+Major Changes
+-------------
+
+- Adding "distributor" section support to mimir config file by @HamzaKhait in https://github.com/grafana/grafana-ansible-collection/pull/247
+- Allow alloy_user_groups variable again by @pjezek in https://github.com/grafana/grafana-ansible-collection/pull/276
+- Alloy Role Improvements by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/281
+- Bump ansible-lint from 24.6.0 to 24.9.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/270
+- Bump pylint from 3.2.5 to 3.3.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/273
+- Ensure check-mode works for otel collector by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/264
+- Fix message argument of dashboard task by @Nemental in https://github.com/grafana/grafana-ansible-collection/pull/256
+- Update Alloy variables to use the `grafana_alloy_` namespace so they are unique by @Aethylred in https://github.com/grafana/grafana-ansible-collection/pull/209
+- Update README.md by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/272
+- Update README.md by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/275
+- Update main.yml by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/274
+- add grafana_plugins_ops to defaults and docs by @weakcamel in https://github.com/grafana/grafana-ansible-collection/pull/251
+- add option to populate google_analytics_4_id value by @copolycube in https://github.com/grafana/grafana-ansible-collection/pull/249
+- fix ansible-lint warnings on Forbidden implicit octal value "0640" by @copolycube in https://github.com/grafana/grafana-ansible-collection/pull/279
+
+v5.5.1
+======
+
+Bugfixes
+--------
+
+- Add check_mode: false to Loki "Scrape GitHub" Task by @winsmith in https://github.com/grafana/grafana-ansible-collection/pull/262
+
+v5.5.0
+======
+
+Major Changes
+-------------
+
+- add support for extra args by @harryfinbow in https://github.com/grafana/grafana-ansible-collection/pull/259
+- mimir molecule should use ansible core 2.16 by @GVengelen in https://github.com/grafana/grafana-ansible-collection/pull/254
+
+v5.4.1
+======
+
+Major Changes
+-------------
+
+- Updated promtail arch map for aarch64 matching by @gianmarco-mameli in https://github.com/grafana/grafana-ansible-collection/pull/257
+
+v5.4.0
+======
+
+Major Changes
+-------------
+
+- Use a variable to control uninstall behavior instead of tags by @dobbi84 in https://github.com/grafana/grafana-ansible-collection/pull/253
+
+v5.3.0
+======
+
+Major Changes
+-------------
+
+- Add a config check before restarting mimir by @panfantastic in https://github.com/grafana/grafana-ansible-collection/pull/198
+- Add support for configuring feature_toggles in grafana role by @LexVar in https://github.com/grafana/grafana-ansible-collection/pull/173
+- Backport post-setup healthcheck from agent to alloy by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/213
+- Bump ansible-lint from 24.2.3 to 24.5.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/207
+- Bump ansible-lint from 24.5.0 to 24.6.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/216
+- Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/218
+- Bump pylint from 3.1.0 to 3.1.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/200
+- Bump pylint from 3.1.1 to 3.2.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/208
+- Bump pylint from 3.2.2 to 3.2.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/217
+- Bump pylint from 3.2.3 to 3.2.5 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/234
+- Change from config.river to config.alloy by @cardasac in https://github.com/grafana/grafana-ansible-collection/pull/225
+- Fix Grafana Configuration for Unified and Legacy Alerting Based on Version by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/215
+- Fix env file location by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/211
+- Support adding alloy user to extra groups by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/212
+- Updated result.json['message'] to result.json()['message'] by @CPreun in https://github.com/grafana/grafana-ansible-collection/pull/223
+- readme styling & language improvements by @tigattack in https://github.com/grafana/grafana-ansible-collection/pull/214
+
+v5.2.0
+======
+
+Major Changes
+-------------
+
+- Add a new config part to configure KeyCloak based auth by @he0s in https://github.com/grafana/grafana-ansible-collection/pull/191
+- Add promtail role by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/197
+- Bump ansible-lint from 24.2.2 to 24.2.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/195
+
+v5.1.0
+======
+
+Major Changes
+-------------
+
+- Uninstall Step for Loki and Mimir by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/193
+
+v5.0.0
+======
+
+Major Changes
+-------------
+
+- Add Grafana Loki role by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/188
+- Add Grafana Mimir role by @GVengelen in https://github.com/grafana/grafana-ansible-collection/pull/183
+
+v4.0.0
+======
+
+Major Changes
+-------------
+
+- Add an Ansible role for Grafana Alloy by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/169
+
+Minor Changes
+-------------
+
+- Apply correct uid + gid for imported dashboards by @hypery2k in https://github.com/grafana/grafana-ansible-collection/pull/167
+- Bump ansible-lint from 24.2.0 to 24.2.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/164
+- Bump ansible-lint from 24.2.0 to 24.2.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/168
+- Bump black from 24.1.1 to 24.3.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/165
+- Clarify grafana-server configuration in README by @VGerris in https://github.com/grafana/grafana-ansible-collection/pull/177
+- Update description to match module by @brmurphy in https://github.com/grafana/grafana-ansible-collection/pull/179
+
+v3.0.0
+======
+
+Major Changes
+-------------
+
+- Add an Ansible role for OpenTelemetry Collector by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/138
+
+Minor Changes
+-------------
+
+- Bump pylint from 3.0.3 to 3.1.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/158
+- Bump pylint from 3.0.3 to 3.1.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/161
+- Bump the pip group across 1 directories with 1 update by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/156
+- Bump yamllint from 1.33.0 to 1.35.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/155
+- Bump yamllint from 1.33.0 to 1.35.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/159
+- ExecStartPre and EnvironmentFile settings to system unit file by @fabiiw05 in https://github.com/grafana/grafana-ansible-collection/pull/157
+- datasources url parameter fix by @dergudzon in https://github.com/grafana/grafana-ansible-collection/pull/162
+
+v2.2.5
+======
+
+Release Summary
+---------------
+
+Grafana and Agent Role bug fixes and security updates
+
+Minor Changes
+-------------
+
+- Add 'run_once' to download&unzip tasks by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/136
+- Adding `oauth_allow_insecure_email_lookup` to fix oauth user sync error by @hypery2k in https://github.com/grafana/grafana-ansible-collection/pull/132
+- Bump ansible-core from 2.15.4 to 2.15.8 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/137
+- Bump ansible-lint from 6.13.1 to 6.14.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/139
+- Bump ansible-lint from 6.14.3 to 6.22.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/142
+- Bump ansible-lint from 6.22.2 to 24.2.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/150
+- Bump jinja2 from 3.1.2 to 3.1.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/129
+- Bump pylint from 2.16.2 to 3.0.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/141
+- Bump yamllint from 1.29.0 to 1.33.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/140
+- Bump yamllint from 1.29.0 to 1.33.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/143
+- Bump yamllint from 1.33.0 to 1.34.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/151
+- Change handler to systemd by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/135
+- Fix links in grafana_agent/defaults/main.yaml by @PabloCastellano in https://github.com/grafana/grafana-ansible-collection/pull/134
+- Topic/grafana agent idempotency by @ohdearaugustin in https://github.com/grafana/grafana-ansible-collection/pull/147
+
+v2.2.4
+======
+
+Release Summary
+---------------
+
+Grafana and Agent Role bug fixes and security updates
+
+Minor Changes
+-------------
+
+- Bump cryptography from 41.0.4 to 41.0.6 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/126
+- Drop curl check by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/120
+- Fix check mode for grafana role by @Boschung-Mecatronic-AG-Infrastructure in https://github.com/grafana/grafana-ansible-collection/pull/125
+- Fix check mode in Grafana Agent by @AmandaCameron in https://github.com/grafana/grafana-ansible-collection/pull/124
+- Update tags in README by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/121
+
+v2.2.3
+======
+
+Release Summary
+---------------
+
+Remove dependency on local-fs.target from Grafana Agent role
+
+Minor Changes
+-------------
+
+- Remove dependency on local-fs.target from Grafana Agent role
+
+v2.2.2
+======
+
+Release Summary
+---------------
+
+Grafana Role bug fixes and security updates
+
+Minor Changes
+-------------
+
+- Bump cryptography from 41.0.3 to 41.0.4
+- Create missing notification directory in Grafana Role
+- Remove check_mode from create local directory task in Grafana Role
+
+v2.2.1
+======
+
+Release Summary
+---------------
+
+Allow alert resource provisioning in Grafana Role
+
+Minor Changes
+-------------
+
+- Allow alert resource provisioning in Grafana Role
+
+v2.2.0
+======
+
+Release Summary
+---------------
+
+Grafana Agent Role Updates
+
+Minor Changes
+-------------
+
+- Use 'ansible_system' env variable to detect os typ in Grafana Agent Role
+- hange grafana Agent Wal and Positions Directory in Grafana Agent Role
+
+v2.1.9
+======
+
+Release Summary
+---------------
+
+Security Updates and Grafana Agent Version failure fixes
+
+Minor Changes
+-------------
+
+- Add check for Curl and failure step if Agent Version is not retrieved
+- Bump cryptography from 39.0.2 to 41.0.3
+- Bump semver from 5.7.1 to 5.7.2
+- Bump word-wrap from 1.2.3 to 1.2.5
+- Create local dashboard directory in check mode
+- Update CI Testing
+- Update Cloud Stack Module failures
+
+v2.1.8
+======
+
+Release Summary
+---------------
+
+Fix grafana dashboard import in Grafana Role
+
+Minor Changes
+-------------
+
+- Fix grafana dashboard import in Grafana Role
+
+v2.1.7
+======
+
+Release Summary
+---------------
+
+YAML Fixes
+
+Minor Changes
+-------------
+
+- YAML Fixes
+
+v2.1.6
+======
+
+Release Summary
+---------------
+
+Grafana and Grafana Agent role updates
+
+Minor Changes
+-------------
+
+- Add overrides.conf with CAP_NET_BIND_SERVICE for grafana-server unit
+- Fix Grafana Dashboard Import for Grafana Role
+- Make grafana_agent Idempotent
+- Provisioning errors in YAML
+- Use new standard to configure Grafana APT source for Grafana Role
+
+v2.1.5
+======
+
+Release Summary
+---------------
+
+Update Grafana Agent Download varibale and ZIP file
+
+Minor Changes
+-------------
+
+- Add Grafana Agent Version and CPU Arch to Downloaded ZIP in Grafana Agent Role
+- Move _grafana_agent_base_download_url from /vars to /defaults in Grafana Agent Role
+
+v2.1.4
+======
+
+Release Summary
+---------------
+
+Update Datasource Tests and minor fixes
+
+Minor Changes
+-------------
+
+- Datasource test updates and minor fixes
+
+v2.1.3
+======
+
+Release Summary
+---------------
+
+Update modules to fix failing Sanity Tests
+
+Minor Changes
+-------------
+
+- indentation and Lint fixes to modules
+
+v2.1.2
+======
+
+Release Summary
+---------------
+
+Idempotency Updates and minor api_url fixes
+
+Minor Changes
+-------------
+
+- Fix Deleting datasources
+- Fix alert_notification_policy failing on fresh instance
+- Making Deleting folders idempotent
+- Remove trailing slash automatically from grafana_url
+
+v2.1.1
+======
+
+Release Summary
+---------------
+
+Update Download tasks in Grafana Agent Role
+
+Minor Changes
+-------------
+
+- Update Download tasks in Grafana Agent Role
+
+v2.1.0
+======
+
+Release Summary
+---------------
+
+Add Grafana Server role and plugins support on-prem Grafana
+
+Major Changes
+-------------
+
+- Addition of Grafana Server role by @gardar
+- Configurable agent user groups by @NormanJS
+- Grafana Plugins support on-prem Grafana installation by @ishanjainn
+- Updated Service for flow mode by @bentonam
+
+Minor Changes
+-------------
+
+- Ability to configure date format in grafana server role by @RomainMou
+- Avoid using shell for fetching latest version in Grafana Agent Role by @gardar
+- Fix for invalid yaml with datasources list enclosed in quotes by @elkozmon
+- Remove agent installation custom check by @VLZZZ
+- Remove explicit user creation check by @v-zhuravlev
+
+v2.0.0
+======
+
+Release Summary
+---------------
+
+Updated Grafana Agent Role
+
+Major Changes
+-------------
+
+- Added Lint support
+- Configs for server, metrics, logs, traces, and integrations
+- Installation of the latest version
+- Local installations when internet connection is not allowed
+- Only download binary to controller once instead of hosts
+- Skip install if the agent is already installed and the version is the same as the requested version
+- Support for Grafana Agent Flow
+- Validation of variables
+
+v1.1.1
+======
+
+Release Summary
+---------------
+
+Updated return description and value for grafana.grafana.folder module
+
+Minor Changes
+-------------
+
+- Updated the return message in grafana.grafana.folder module
+
+v1.1.0
+======
+
+Release Summary
+---------------
+
+Added Role to deploy Grafana Agent on linux hosts
+
+Major Changes
+-------------
+
+- Added Role for Grafana Agent
+
+v1.0.5
+======
+
+Release Summary
+---------------
+
+Add Note to modules which don't support Idempotency
+
+Minor Changes
+-------------
+
+- Added Note to datasource and dashboard module about not supporting Idempotency
+
+v1.0.4
+======
+
+Release Summary
+---------------
+
+Bug fixes and idempotency fixes for modules
+
+Major Changes
+-------------
+
+- All modules except dashboard and datasource modules now support idempotency
+
+Minor Changes
+-------------
+
+- All modules use `missing_required_lib`` to compose the message for module.fail_json() when required library is missing from host
+
+Bugfixes
+--------
+
+- Fixed cases where cloud_stack and alert_contact_point modules do not return a tuple when nothing in loop matches
+
+v1.0.3
+======
+
+Minor Changes
+-------------
+
+- Add a fail method to modules source code if `requests` library is not present
+- Fixed markup for arg option in Documentation
+- Updated Documentation with `notes` to specify if the check_mode feature is supported by modules
+- removed `supports_check_mode=True` from source code of modules
+
+v1.0.2
+======
+
+Release Summary
+---------------
+
+Documentation updates with updated description for modules
+
+v1.0.1
+======
+
+Release Summary
+---------------
+
+Documentation updates with updated examples
+
+v1.0.0
+======
+
+Release Summary
+---------------
+
+CI and testing improvements
+
+v0.0.7
+======
+
+Release Summary
+---------------
+
+Documentation update for return values in `grafana.grafana.dashboard`
+
+v0.0.6
+======
+
+Minor Changes
+-------------
+
+- Idempotency updates to cloud_api_key and datasource modules
+
+v0.0.5
+======
+
+Release Summary
+---------------
+
+Documentation update and code cleanup
+
+v0.0.4
+======
+
+Bugfixes
+--------
+
+- Fix an issue with `cloud_stack` idempotency
+
+v0.0.3
+======
+
+Release Summary
+---------------
+
+Documentation update and code cleanup
+
+v0.0.2
+======
+
+Release Summary
+---------------
+
+Updated input parameters description for all modules
+
+v0.0.1
+======
+
+Release Summary
+---------------
+
+It's a release! First version to publish to Ansible Galaxy
diff --git a/ansible_collections/grafana/grafana/CODEOWNERS b/ansible_collections/grafana/grafana/CODEOWNERS
new file mode 100644
index 00000000..9074ce2c
--- /dev/null
+++ b/ansible_collections/grafana/grafana/CODEOWNERS
@@ -0,0 +1,8 @@
+./                             @ishanjainn
+/roles/grafana                 @gardar @ishanjainn
+/roles/grafana_agent           @ishanjainn @v-zhuravlev @gardar
+/roles/alloy                   @ishanjainn @v-zhuravlev @gardar @voidquark
+/roles/opentelemetry_collector @ishanjainn
+/roles/loki                    @voidquark @ishanjainn
+/roles/mimir                   @GVengelen @gardar @ishanjainn
+/roles/promtail                @voidquark @ishanjainn
diff --git a/ansible_collections/grafana/grafana/FILES.json b/ansible_collections/grafana/grafana/FILES.json
new file mode 100644
index 00000000..78da78b8
--- /dev/null
+++ b/ansible_collections/grafana/grafana/FILES.json
@@ -0,0 +1,2483 @@
+{
+ "files": [
+  {
+   "name": ".",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".config",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".config/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".config/molecule/config.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "59790413f9b987046f0781a0fc8e3c9b145626024cd05a15424bd4bac19c3b29",
+   "format": 1
+  },
+  {
+   "name": "tools",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tools/setup.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "56b5525e62563c65e6b5b71f27c797d60c1561e3b66578f999c65642f4ec9049",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-yaml.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "51c10eabc5c1360649fc5cab528151135f13d2bbc97cbe907d0e939d6e979e03",
+   "format": 1
+  },
+  {
+   "name": "tools/includes",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tools/includes/utils.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "16a2ebce5931f01510c8e0d7597b632d017a0f10154a83f42d538926913e6eb5",
+   "format": 1
+  },
+  {
+   "name": "tools/includes/logging.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e90aa1f7b29d85263926e228f4321fa31304448f6ce2ff8d48a0e461d076474b",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-shell.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d969bd175bfdf137539a5f4d97cfc2644dd5c81c677e2c40a40082af9333e36",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-text.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c01a1e5d52ba8a65e4417d641d1958cfe129112562cb74e11131f8846e6db95",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-ansible.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87867490595fd8cb5fcd09337f90c8b9135dce7864c0af10c72960081ca0981d",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-markdown.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6f58c8dfd68ddf75eea250ea0f44ad9e9b567deeedacc70ea357f2cd4d92037c",
+   "format": 1
+  },
+  {
+   "name": "tools/lint-editorconfig.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c438197ed79286cc7ea91cebcbeaaa53ccd5a0b3f04dc66e38c998ebccad271",
+   "format": 1
+  },
+  {
+   "name": ".textlintrc",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "89110cd16e278a39577eae8098d6dd2f4d6ea094b164163e012e31d021ea301e",
+   "format": 1
+  },
+  {
+   "name": "LICENSE",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8b1ba204bb69a0ade2bfcf65ef294a920f6bb361b317dba43c7ef29d96332b9b",
+   "format": 1
+  },
+  {
+   "name": "requirements.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a135d423a3b683d3448f933e0ac4981cb9b53413fe13962dcef9d3cc15af5c4a",
+   "format": 1
+  },
+  {
+   "name": ".shellcheckrc",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "60a0a1e54cc805233096790628fd1ff4b629bf389eeef72d8194c331e7ae1912",
+   "format": 1
+  },
+  {
+   "name": "plugins",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/modules",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/user.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "dbccfa5a0c89c3ea76b7e761a4f4ad05bcab76a4fa0884244659ee90bac14f03",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/cloud_api_key.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ebbfbeceb34bb531249efb27262ab75181a8900f5c36c6a87064af0ab50ceaa3",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/folder.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1827a9e4437b4ee582854170071181a9f5a0c3d95638ea65e206377b4201e039",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/alert_contact_point.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e2f809303c82d6cc8f7dbce84d89877af8adb7b4ce1e8ac6f8ef5937bcd966e8",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/cloud_stack.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "166f88bab2700a2583b1d81a5ca4013f59cdf46628225af9c7f2f8e8d0bd721c",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/datasource.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0cd8f1463b943ba8c930ad5803a22a96a04bacc4f7cb30e452d6541b24e9e0a6",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/dashboard.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85f1f71a5dadfbec6e8e76fe5e4ffc4fa160230ba2dd9e0531e1c3fac6a33ea0",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/cloud_plugin.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0c43025843f1676aa318b51e7baeaf2287234a3d48ebd1390ea593f89a7eb49f",
+   "format": 1
+  },
+  {
+   "name": "plugins/modules/alert_notification_policy.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08f8cb0771a570847101227438f631d71a84c8ac9622068ab3e4232fae1da381",
+   "format": 1
+  },
+  {
+   "name": "Makefile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8be8db2081029f79bc49bca1f6d8f71a5be2ce62b8aa2e5d7c6782c60db284a4",
+   "format": 1
+  },
+  {
+   "name": "CODEOWNERS",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1e09cf7162103a1689404cb3c5a9ca2b6a135168d6d563f5d08006075ec32c73",
+   "format": 1
+  },
+  {
+   "name": ".yamllint",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8a17bf0fc69dcfd57f1c2f0ab83dd0f276d7bb29edfbf6b7433f201f6abbeece",
+   "format": 1
+  },
+  {
+   "name": "tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/requirements.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ec72420df5dfbdce4111f715c96338df3b7cb75f58e478d2449c9720e560de8c",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/create_cloud_stack",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/create_cloud_stack/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/create_cloud_stack/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f7c98fab7394b31039b9df11a55837b58730bf54d45f9d6e65998340189e64a",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/datasource",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/datasource/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/datasource/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "718567f42c8a703129aa43a1ff5e8e7753c1c10ada929dde5bde7a8597186bf5",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/delete_cloud_stack",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/delete_cloud_stack/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/delete_cloud_stack/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d44026e2c68a4714eb678ae9a40478db8576cdf1969d689bf5b00d9dc7b147b",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_contact_point",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_contact_point/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_contact_point/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3321d37a53b34abef1f6f3993c10e4697fc04fd7c901e0876dce13daea0450cb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/folder",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/folder/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/folder/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eeada75fe04b1a9a7d5354aa0508fcbda37e82ea50a9a6cbf2645e65de25abfb",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/user",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/user/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/user/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2a6e22b96daec82286b98fef5cdda70faff61e3c2037e2a7220bcd2e9cc59307",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/dashboard",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/dashboard/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/dashboard/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "606bda87aa90a67bdaf0cb03fb29fc02033c2b245b7f2f0fc993305c90397e78",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/molecule-grafana-alternative",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/molecule-grafana-alternative/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2879c89b4f2adf554de77e72bb21681933f1c3ffad0ff6097a11e40c97bd78c1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_api_key",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_api_key/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_api_key/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6ab83417398137412541c07bc2e4461435d1b2393b3a8108f6c7380dbee71944",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_notification_policy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_notification_policy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/alert_notification_policy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "be57120a8025ae23e8715ba7063460f8556de076c97d65a7f3d6cd2d6c1d33bf",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/molecule-grafana-default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/molecule-grafana-default/runme.sh",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2879c89b4f2adf554de77e72bb21681933f1c3ffad0ff6097a11e40c97bd78c1",
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_plugin",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_plugin/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "tests/integration/targets/cloud_plugin/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7eb8a48e85835bc5154d9e6cc867e22e8ec0aca3dbc6b43f385bb6f2370a4486",
+   "format": 1
+  },
+  {
+   "name": "meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "meta/runtime.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "47e045205cccf3dab2959ce5a559aaea3e4283d3ed07fb1fb0392d8fb70f4be5",
+   "format": 1
+  },
+  {
+   "name": "roles",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/vars/RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f394612587593187d93e3922eec14f3b5de21318a387731623fb3c014fccb9bd",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/vars/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac758b3fba0197537c49b009a6d26c289499e064740f6436f3d0033c5146c161",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks/uninstall.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d85303e200fcf7376c2370a091624ca5d7a44c37c1ec67316663ce9cbe49e071",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "26c1495550cf3e9731bd04cb61cbb6dcd210283457037a78e2a528e0323777a4",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks/setup-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b9d4bc07b290530bf5e61ac0abb65480f6dd276d3495517515aa6f71d1d81797",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c4270cb7f8a7ec74555aea31bbd0c0f39967fd2be2b84ad995d59279b5231ac7",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/tasks/setup-RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1fade302a0c20ed1a816a7138263f0f63188b4f57f8a7dc25f68e883649d59c9",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9533d3d849adf6bb82558951ee09fed8c9476b12a18a75943e759a5dc8eb073",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "facc42a3dbe7e34f8962f9b46284ecc093f592720eeca7d063cb3a21a7d45549",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0e9aabb9d0e1acc2c935d23f5bf527ab5ea1cd0570d7a29f24795387c0ba0f56",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/templates/rules.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "524a654736d43d183f035daa7868594f428775a1aad7790fd970406ed44a7b64",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/templates/config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fab3d42e3625c1bfcee019e62bcaf790ae1a05af8bf211456e99858faac9328b",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2fb19d8e5973db9cd226780c4ecf9ae5947286626de40224c1228a6463b1114",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b95320fa1dc8f93e4033f5d71f9334aef2148629837022bac6364e3e27078cdb",
+   "format": 1
+  },
+  {
+   "name": "roles/loki/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/loki/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "079093b3b6b2863893eaab7343eaa99ebf01a094961b18c15ed00ce462068d3e",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/tasks/configure.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84b2c8f184b5c728e9034711c0847bd3360f8cbcecf8e4ff7eb9fdcfb56967d4",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/tasks/service.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b0854c515fcf0c91a3a91066163a4b6acf1f66daa226406926c17679b5367f81",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/tasks/install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "669aeda05c6aeb21ece810252da30835521165de1b8751f73ffea34784693795",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bfcb34af928fe8e68f24db9957bc22baf9979b2c4402de34b93a19f8b06397e0",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "de3d17460f2f7473558ee9747f18246f51a1603699c4925e51401c625ab59307",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bf47367cf80d78b306e11e15a767c44b2e2ac0f1062734c416a8c1ebf731b11e",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fee604a3e44317a009938d708f256cde9f2cba860674e6abf9cf03f3180a07d9",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/templates/otel_collector.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4151782c8b320ddc7410d5ce653afcd874af2a2813f25a52c658e609232e7286",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/templates/otel_collector_config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "25bfc9deadd0a49a3fa1ce78f299ddc78219b60ca1be90693ed5a211c7f16ef3",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default-check-first",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default-check-first/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2e8726eb2a9a3387d1345bb52544cc84272e8fb05267f5b256943f38568d1fdc",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default-check-first/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default-check-first/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0073627f68771e285d6d51cb85479c86096fe22605291fd234fb60750ec13156",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default-check-first/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4fdc9f830f35247eba6a6e8483f9bcd4493309ad6392e12e50bc8ac146287152",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2141fd5357e9fabdf337a73e6677bb2f9e5d738baedb728230b78c03c99fe0c",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b23d9f0cadf56c5409fb02ce9430078086e3d36b5ddb8c389537eab5833fc3fd",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4fdc9f830f35247eba6a6e8483f9bcd4493309ad6392e12e50bc8ac146287152",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/latest",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/latest/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2141fd5357e9fabdf337a73e6677bb2f9e5d738baedb728230b78c03c99fe0c",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/latest/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/latest/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0073627f68771e285d6d51cb85479c86096fe22605291fd234fb60750ec13156",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/latest/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0ea58dd65767b4070ec15d9a77d8a5e5479f57d47223861dff39c8f7348a9170",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/non-contrib",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/non-contrib/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2141fd5357e9fabdf337a73e6677bb2f9e5d738baedb728230b78c03c99fe0c",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/non-contrib/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/non-contrib/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "05ae78fed5975b9aab9f5844e194d4bb2444543fa605359cb90a0d288eb1c86a",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/molecule/non-contrib/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ad998bb682100df580346e77408f525f59ce8ec3a528b487b85a25835072c644",
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/opentelemetry_collector/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a5e2367beaf276f16440801197e4de1df40edc2b88a8a8cb5c6327c74464dc84",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/vars/.gitkeep",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks/uninstall.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ffd027c9ae756e0728246dcfb93527af68d320c3095f53e4f90a8a0402b60818",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "410cb2562d865c98ba13304788d77ba7468330b4a932c63b7916a52ea7040dc7",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks/setup-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "eff282795fb43bda8db141d0ff6e9bf35e90ed703d51ba913cc445043cffe962",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "607c36ec13511951520a162f5d82f2005d9585ae38953a5c70fc289e4a9f0577",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/tasks/setup-Redhat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03fcced9ddeccdffe4ddb3ed2f9d48fb857aa7b7273d5992fb8369a3c5213171",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "222aacd94d53179d52908ed830973bf2629f4a6e0e1d1ee49f159162dfee6fdd",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "212258f9434167e2133d610568ef7366dfce6de12513b756471d88e9c8dc9ca3",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "99be8e0541edd984f68d746091912807256a1c7a0041652a3e30c3527d8809c1",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/files",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/files/.gitkeep",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/templates/.gitkeep",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/templates/config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "33a402aeb143628d337909481994f86e1f5a34f69f2a7c450e54a2183f685411",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87e569bbddb1f1f702c5dc3fc9e580e48aa7a0eb262e8027cdf130da01bf13d9",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule/default/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule/default/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b956a72585ad5b7caa162e3078db1af7ee33d266cd9890f87057875ea9746f1",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "08280357d62d228a056fcf031d2dca1675c2a38aa090567838c5d812f572854c",
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/mimir/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a49c94f2932683da280c81f687145642fdaa4681e073ed9dbca4630ce5d3e70f",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars/RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5eb6f619c3275fa5aa96867f74ff73e3a85aae9d9f6dee637e10edc08d4a29a2",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars/Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5eb6f619c3275fa5aa96867f74ff73e3a85aae9d9f6dee637e10edc08d4a29a2",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars/Darwin.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a1643c85df7377a8c97342c1646580694442b29ef23167504622b452d57b0b8f",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "21aa98b24b68ca478a66eb83c577fa8c5efbf7176a20c27ad2a0795f271bf565",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "863ec787d94796fc2ea7b1fa1f16d33a08e29f2448a3588e7c0a9480e8165d85",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/preflight.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a6fe1a9ce9635cee542b477d6cdb0deb3615aa64036fba14bc0ec7742aa77146",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/uninstall.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6d8347407212848dbfc83c4f0429eba633b4f3d7d614281ba4352002105461da",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c5a1050e69b473c1ba5ce774cae689d1b15f3c70aad357889feb35a503093e9",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/setup-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "39c25d3aca1e019411d978d6cd24a47938ac733255d39871f81c54cf3a5189b6",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/setup-Darwin.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ac418849af311d6351d0ca3e5a632e0f6dac93980f058ccf65d2ae0062559666",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/setup-Suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c1e50ac43b7873c04414b1e58807eae3ef06fdd13e7fdc895296033d40f9f6d",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b889117721a268ce6f7ff6fdfb9241be234495dfa11a1f70f0c4ebc00a885e26",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/tasks/setup-RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c21142d2d8498ec1d8e459840538627486cc77aaedefed665b1d22bcc80aaf64",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1850078f19e0eb71a3685da37b19af7cdec2871b48f007fc68e18519f87d1e89",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ee3b0e5af6601f49cee6ec0904a71824a61c508b2a1f1538d380190b5809b01",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4c73e65c66e95bff83cfc0206d95edb787fcdf9369319e199b0f786ef2297776",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/templates/override.conf.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c38b148ef1d5fece4b3a3a5875ce0a1b0b17da3231f668b5051b05a52cb46cf0",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/templates/config.alloy.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4cd49253f97d5dd4796a6f03c70a33608b5db9e48fa1ff1567a9af06789c62cd",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/templates/alloy.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "68f77ac2f0c2d05d29a1466f233289238923d18e9eb0eb193b765b8d5c9664cb",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2fb19d8e5973db9cd226780c4ecf9ae5947286626de40224c1228a6463b1114",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f777298cd5e54cbbfed852027c8350e7a9c4d5462dc9b8dd51a7660ff6e9e339",
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/alloy/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "321bc645401b1d43881d14054ff6fdcb78b085af00ad6125f504bd0e696328b5",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/vars/main.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b79d04ea2a1b584531ec6a89bbeebd4490c8c52d50db2c1c58053218bf1a40a1",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install/directories.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58cac80f91405cd323266b7435e58e656a16740ad9ac27f31b7167a1e6de84dd",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install/user-group.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6c36f9389415ee98e51bb7727045d5f6fae4e24a31ea62a74d48922af84abfd1",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install/download-install.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8771b974c8e7592292ee66941c5c68e49b196408ea4b5655b80b849802255770",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install/local-install.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "73d7d9cb92f3f837ac941d160296ee510fe4598685c1c67303c9246f459268aa",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/ga-started.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "03c283e74fef8eac9f628c37cb795d87bdbdb4c804acb2f2924813fb31ce6b82",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/configure.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8f34f15d924d4d56f1f5a427e92b208da92a6e82cd8bfce162a1ad3491d4622f",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/main.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb0018dd15d6c1deb675428d0088213b3a6bbd3bbbc795e7c847a2346b05ab9d",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/install.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "aea56415837b4074ea9ec2e442bdc3eb509caf3b0574b54897c03b76b7eb190d",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6518c23dabc92eb772132cd2dbb764ef381b93df8535ee59d7d5a4f0a39a24d4",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight/download.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5e90c5e06f97a8d2fa8398c6ab4f18857ad73553249558dfacc28f382a53502e",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight/vars.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "87d1a4c7f9a02423c6cecd4927e79c89e126287d5671d26ae391a70de9a34a1a",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight/systemd.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bb3204fcfd6122d33b27d0986fa80aca2536b1b4c6b237b0ca36c94a3bae95d5",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/tasks/preflight/install.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53c0a1d31af571b48eea830d1d53ca6f91d2e0149b98882af4240ba6a9e1e5bf",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/meta/main.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "00ec33a60eed132359ae684f2602eaafd80c67bc8dc8103d4558857b37a89df5",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "db482b9928a877cd5622797a030a67f964f1dc3bc9a6d56291e16523c0260f90",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/defaults/main.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8ae44ab181bd1825f041ec8d4048e21708d142965068ecb883793b5b696549ff",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/templates/EnvironmentFile.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "84e17b3fe98509c19641c7ccc56b3fbd42d32892870350ca561b80b41734a063",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/templates/config.yaml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cfa09ee60dc6869ea28d6f4b81a10b8499ddc91b0c2715e863dd967927b18459",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/templates/grafana-agent.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "13e5dc455a1311ef9f11fb8aeeb2c2c7d990935a51cd267c7d532ddaa6a7c10a",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana_agent/handlers/main.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f04d1539911e34d8d0b41ecb1148195bb6e05f7d8a01bd7d1737b15a201a8d25",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/vars/RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cc2aacac69f22ee310848d401b7233841de4fadac08429f4a2b27c801c242007",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/vars/Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cea2932d24a235426e1b46128d8f0ce172511cf5f37eb3f392a60d9b922da34e",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/uninstall.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0d9ef472ec04e41aac9dccbfa984f3aa7fc0c602dc3d24648b2394ac6134128a",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e095b42e83e2ea4ef39b55241e2f4922780ca607b330b3721bdf10035a93b1a",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/setup-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c7e439a199b159b97cd8ea220a69ad225fcb1e9f5745a53b7dc9cc33b016b113",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/acl_configuration.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9c6917d51e9f3b5483a3d0395f286f80921952e07fc618141d4fd7c5862fb810",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c8fed29064f297cc0a63ea4edf9dbb20124a3cb0b785f45f436495e806e7f94a",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/tasks/setup-RedHat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3085dc8e0679de7c6e59b4213f8658f5f6ca2df15009497ff7fdc93a709a661",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f554dff3877cb2ff20aa904cd7673960b2a6020542545990d40be2e50d9119a6",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "d4ec50a7329970762cfdc2010a2310b23fc5b15e49e681bf1e4c9823227a6f41",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8301a0470be4434e88638c5840172a3b7bc76ba9144efc7c7a37d6a1357bbf82",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/templates/promtail.service.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8417ab8f8c0400a8255599d7299f4ac9b2a93afcfd9012d300831a4bb9acdfe1",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/templates/config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7a60b181374ac3404f41dd2c81fba86f95d007db5980fb5416d0939e311a5b10",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/templates/promtail_acl.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a337a0e3744d0482abf95ee2100a97c457c06fda93a0104f909c8aa366035580",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2fb19d8e5973db9cd226780c4ecf9ae5947286626de40224c1228a6463b1114",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "755256d62289b14c360d0825818fb6430ac08862b0e58812bf17faafd5587141",
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/promtail/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "90dcad6dfb252014c1e5550c359a721d897aad56a4677b5d62329255c60a002e",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/vars/distro",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/vars/distro/redhat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "54082a7385b630fb01d158412031ccdb3ab724ec0920d2b938fc2abfe5f231b1",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/vars/distro/suse.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9880f2ab2126a4409db3b69f70c44eb0bf0e2b8eb607ffbeff161fd04bed8f81",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/vars/distro/debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "14f9b18cb343938cd8e414361748140261c4a36ef6affa86d233912d99cd93d9",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/preflight.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fa41682d8c796efc486c9560707616a4b2f06fb3c2c51ab211b3855365325fa8",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/configure.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9f84da00a93af7fac6f7d88c42855c825fb6406f9e18db8f2d6fef0087eeccc0",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/dashboards.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f0bec3097daf078bc96aeefe6b415411a50c1b0859aedbaa371c90d6e10fe345",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/notifications.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "123f29864faaa40d8ea0f5ff4d4df7293b396910a800acc35d48760554d4b3ba",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/api_keys.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f061076854651264033730689cbd794dc41140d03c7967c5738d87e03eaddae1",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/plugins.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3e4d9290510a14220bf2e258ab5d6c3c687949a28ac6f6b41547fa345713287c",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/datasources.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "41d770c41e6fe38119abbc30eb7023fcf7c88a0effffa692264b4d001d548b7f",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/install.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3218ab4f0ed5def0759e8c8d63aafda028320e4c45ffc357daa2d00d94c85255",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd12254c292e9e58eb02f9b55e98d35ac0fccea11a6fd6eb04ffeb460401eda2",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/test-requirements.txt",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd70637dd6307a21c6084e83828c1ae13ac7818001bb9cffef2f8c0ea4e18b7b",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d423f87d9e19d5e6891f793447b323055110a24390a884e98b8b2175515b08f",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0faff6169a1080bfc70f33763aa1edb1c1a1f76e70bf845eb1c4a95475e4e15e",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4dc47b40ef7cd700e1fbbc790b2461b8a84c3b10432f862bbbc0130da90fd399",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/templates/grafana.ini.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0aaf3b482f772d23fa7c0f9273c4ebb73036dbc7cad402bcf998cb5dd3b90fa4",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/templates/ldap.toml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8eaf66b16c9bbb51b8365b86e17a6bfc4776f58a4a0cb3804702707281c99abd",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/templates/tmpfiles.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "270716b0fbf8ed71d894661a5df761275f4081f2bee258093409b92276c60c9e",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/alternative",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/alternative/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f52d711103d50a437830c6fbcd04fb4bab49a0f82f6d26d1c791c6e8488dd090",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/alternative/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/alternative/tests/test_alternative.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "38cb4a0397ae36a77d8db4471e725be59d74a15350ccf42cffac3b5e7c399898",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/alternative/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "88a6d1ca5d3a4c7c09629e700dfcbbb1dc302ca321e71747dca8a3b6759674aa",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f52d711103d50a437830c6fbcd04fb4bab49a0f82f6d26d1c791c6e8488dd090",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/default/tests",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/default/tests/test_default.py",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f2d9786e6b222db39baa9259d1b420b46489595c74dec50804462ef3b1976a0",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7af480efbf26c3d329908d5afb54e56107255653aedede8f610cd5775efb5dff",
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/grafana/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "58d24ea2c67751f3e7d2aa356bc26fc41327490a32c23c6ca0c1fa2f2975281f",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/vars",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/vars/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "448130606b153682770de55f8e460d25028c2d55875ec56f3eb44183a6c4f528",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks/uninstall.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "e20324369f7695a846f9b14e12e76a7b146415018cc78b17007171552c45e072",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks/deploy.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8dbb0c049770d470a6d24772bd9afd54c31629af66635b8c4aa9cf3859f665c2",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks/setup-Debian.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "98c77bb45453df2997dcfe4f5cf5f82c98d860f34c04ccbdc4e4b83d822f7132",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c07b5e0f7ada044d54ad87f73d32097f5da36c37eb1bbd676a3ad0f974fe0f20",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/tasks/setup-Redhat.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2b1494a1333bd6bc277b8a78cd6b26f42d3535ba787760d5d728d4dc75d8c844",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/meta",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/meta/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "9b1df86ecf7a8f7ebaef2f018f1e859f37aa6a4539ff0214b1eabb76e1fa9f1d",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4ccd3163b1ef40eeb3641a1a94988a6e4ea3c7a932d6d5f20e79d8445fdb62f7",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/defaults",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/defaults/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f56fec1b71b6401055ff5e9de70dd3ce253af52a7637341a2ae329897ba8127d",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/templates",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/templates/config.yml.j2",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "fea0382c2123f076798e765fd6eb0da681a9714dc311ad5729c16ed01dccc29f",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/molecule",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/molecule/default",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/molecule/default/molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f2fb19d8e5973db9cd226780c4ecf9ae5947286626de40224c1228a6463b1114",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/molecule/default/converge.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5298aa93547d6e0fe0edbd44a22de537440814c179a84b1124d97b71eaf0e8ca",
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/handlers",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "roles/tempo/handlers/main.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "53479f9f10a66ee23305713e79d17a5730ab98dffe28fbf8947208cf04f170c4",
+   "format": 1
+  },
+  {
+   "name": ".editorconfig",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f1c0a5b9b3d1b8330cb6b4f2efc2df0be1bfb76faf1f4d67c9f1b65decc97c22",
+   "format": 1
+  },
+  {
+   "name": "changelogs",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "changelogs/config.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "c3589ee373e4787fad20ff37228dfb90696a54ee0023c5f61ff5bf3abcf4b720",
+   "format": 1
+  },
+  {
+   "name": "changelogs/.plugin-cache.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "ecb225f206a6cf765d85bdb0b86d03df8437b0e2549161721d2f3abb70d66e77",
+   "format": 1
+  },
+  {
+   "name": "changelogs/changelog.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3eda7df24b1881c6afdddf50ecee1c50028d4605138dcd6f7f5df270c51bd4a6",
+   "format": 1
+  },
+  {
+   "name": "README.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5d1813750439efd015ce2216ab667916bc14b3334d7808a5429409426bc9209a",
+   "format": 1
+  },
+  {
+   "name": "Pipfile",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bff84596ba119820dc1922243474b4af58efdf46dfd690389e922611078d46fe",
+   "format": 1
+  },
+  {
+   "name": "yarn.lock",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1f1c2098461842c10bde3df88354ee158d308929af03ddaa1aa4c0f0865b943f",
+   "format": 1
+  },
+  {
+   "name": ".ansible-lint",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04baf7f010586545cab0fe765309cc43f22c2a2cb63361480c74e37b878d8684",
+   "format": 1
+  },
+  {
+   "name": ".gitignore",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a09430ce7bbf9c75791cc3bee42e6f47187a40b99461beaec5c1185fbd1a16b0",
+   "format": 1
+  },
+  {
+   "name": "package.json",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b2bb1491300328b7736ace99ef86cd6e7c97ffd9a36dd8303c0b76ef28cc4787",
+   "format": 1
+  },
+  {
+   "name": "examples",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": "examples/monitor-multiple-instance-otel.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0b655cc01142478e478cbc266f376e718b8e209e59aac98a09bcde43bda3e09d",
+   "format": 1
+  },
+  {
+   "name": "examples/loki-local-filesystem-with-retention-and-alert.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8ccad2dcd5b8c5753135e2bbd6bcd32898e3ba44fb28b6f5160483cefa73cad8",
+   "format": 1
+  },
+  {
+   "name": "examples/loki-basic-no-options.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "66ca6d2b2ce29a6057c60041fe4b694d071752b74a90ef61dcde8faa5d1bc249",
+   "format": 1
+  },
+  {
+   "name": "examples/agent-mode-flow-with-dynamic-conf.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "8c6a11dd9a481dfcfb5d5ceb313b849e1541732899932419ee8c340b4d40b2ce",
+   "format": 1
+  },
+  {
+   "name": "examples/agent-basic-no-options.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cda05d1f95640fbfc976b77d7fcf3a319e8fb0bf9ba5e514b49bc99e04ac1c11",
+   "format": 1
+  },
+  {
+   "name": "examples/opentelemetry-collector.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "0234500a96941f52701a0cdd7e852373507cb18d9113fa22cd36c30efdf2d18a",
+   "format": 1
+  },
+  {
+   "name": "examples/monitor-multiple-instances-agent.md",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "312db8918e6f1e22bd0a6a2aefad5f5db8c0ab9bb88562c883aa047614b7b701",
+   "format": 1
+  },
+  {
+   "name": "examples/mimir-3-hosts.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "5a382e93b3a307cdf21a81d645677a4077e7c6d3b7cf538199cd2ef2a40164d3",
+   "format": 1
+  },
+  {
+   "name": "examples/agent-send-to-grafana-cloud.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "50b70488a9b4089b5add092fe3aeb7560ac172ce0fd1a08350564c05ec77bf6a",
+   "format": 1
+  },
+  {
+   "name": "examples/ansible.cfg",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b78e2db98e14c343e41120940b0e1c5e553a30f4b61b1978515b1bd8e74aadd0",
+   "format": 1
+  },
+  {
+   "name": "examples/alloy.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "62dd8f404e08d82596c4e67ecbcb3a8b83c181280fce6b42b321b0897545018f",
+   "format": 1
+  },
+  {
+   "name": "examples/promtail-multiple-logs.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3b2be171ed1effad6eca589bdf37892d7e94f98be2a96d469f742caffcebb105",
+   "format": 1
+  },
+  {
+   "name": "examples/mimir-single-host.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "f21cf1f3c4424b736f8534e1fc758ebd576dfefdc44234ce5423eef9046a3d2f",
+   "format": 1
+  },
+  {
+   "name": "ansible.cfg",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2caa654e85c7e66be39d494d173f69f7565059c504b7201f2ee033173ab80df0",
+   "format": 1
+  },
+  {
+   "name": ".github",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows",
+   "ftype": "dir",
+   "chksum_type": null,
+   "chksum_sha256": null,
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/release.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "cd8f9a378120b2b02d023c621cecfc8f3d87df6d686fa82cb0f348fdb21de4a4",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/full-integration-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "22d2553954fd81ff4e395d58122959f39d93fa9a0654c6aea6c421f49d348df3",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/alloy-molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "1a4b502ea8fdd28d289b477bb78edaf46b007a36c818c806f88631c1b4e92781",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/roles-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "6da36e4715b551f98fdbdcb578cc27b06b29f58b47f1e5cd8ac979e5c682089b",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/loki-molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a02e6776151e0fd03cd754771d80e73e1470c7088d861b514d5a7dafd47ad6b8",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/mimir-molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "7e3b0689bfb32e5eed91629fc5821e39481cc77e283f0f759bad69944c55bdd5",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/opentelemetry-collector-molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "a9d0a4be85a774bf6d4df1ba327b2b6296661957cbcacc53696162e09a1c6379",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/promtail-molecule.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "b1179c60a308fb166a8ca3839fe7480db7143394f816cbc6089af5252ae74142",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/lint.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3355027fd55404c8c9b90118f8d3c8818c5f8eff4a2121bf7a8e5b03b7883193",
+   "format": 1
+  },
+  {
+   "name": ".github/workflows/modules-test.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "4077b0be0f8279e1cf8a34d1c0a7fae86ed91c5019a99023a36e0164ba867272",
+   "format": 1
+  },
+  {
+   "name": ".github/dependabot.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "04b7f69732d281e9a97d10e72202312b72cb45358cbd1f1514983b6e6923f5bf",
+   "format": 1
+  },
+  {
+   "name": "requirements.yml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "85c5d41624847de7aa4a49e6d8060fc60e71af5a610b21e75cff8391494ce65c",
+   "format": 1
+  },
+  {
+   "name": ".markdownlint.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "2d0b5ccb1e0c0105040a8c8fbe80b52f812951ff844f6b44ce8a8f8019debf5f",
+   "format": 1
+  },
+  {
+   "name": "CHANGELOG.rst",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bd6fb2ccd317ab278bf45a26c2b736855f0cdcb9567e3c60c27ab8dcf36ce0ca",
+   "format": 1
+  },
+  {
+   "name": "Pipfile.lock",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "bad9f5d3e4a5d97c3a7c1a0a0e2454e88ba51e2137e822dd608b45dbf5057d54",
+   "format": 1
+  },
+  {
+   "name": "catalog-info.yaml",
+   "ftype": "file",
+   "chksum_type": "sha256",
+   "chksum_sha256": "3ca812bb5e73e809034b62f5261529b2d2f9d420afe12248c802fdf6a5c909b7",
+   "format": 1
+  }
+ ],
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/LICENSE b/ansible_collections/grafana/grafana/LICENSE
new file mode 100644
index 00000000..e72bfdda
--- /dev/null
+++ b/ansible_collections/grafana/grafana/LICENSE
@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/MANIFEST.json b/ansible_collections/grafana/grafana/MANIFEST.json
new file mode 100644
index 00000000..78027d26
--- /dev/null
+++ b/ansible_collections/grafana/grafana/MANIFEST.json
@@ -0,0 +1,40 @@
+{
+ "collection_info": {
+  "namespace": "grafana",
+  "name": "grafana",
+  "version": "6.0.6",
+  "authors": [
+   "Grafana Labs <grafana.com>",
+   "Ishan Jain <ishan.jain@grafana.com>",
+   "Gerard van Engelen <g.vanengelen@codepeople.nl>"
+  ],
+  "readme": "README.md",
+  "tags": [
+   "grafana",
+   "observability",
+   "monitoring"
+  ],
+  "description": "Ansible collection to manage Grafana resources",
+  "license": [
+   "GPL-3.0-or-later"
+  ],
+  "license_file": null,
+  "dependencies": {
+   "community.general": ">=8.2.0",
+   "community.grafana": ">=1.5.4",
+   "ansible.posix": ">=1.5.4"
+  },
+  "repository": "https://github.com/grafana/grafana-ansible-collection",
+  "documentation": "https://docs.ansible.com/ansible/latest/collections/grafana/grafana/index.html",
+  "homepage": null,
+  "issues": "https://github.com/grafana/grafana-ansible-collection/issues"
+ },
+ "file_manifest_file": {
+  "name": "FILES.json",
+  "ftype": "file",
+  "chksum_type": "sha256",
+  "chksum_sha256": "80df907b5a9fb9307fe01b40e266d87f9c9f55c389a6692ef6677f5e08a5b5f4",
+  "format": 1
+ },
+ "format": 1
+}
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/Makefile b/ansible_collections/grafana/grafana/Makefile
new file mode 100644
index 00000000..b999dbd0
--- /dev/null
+++ b/ansible_collections/grafana/grafana/Makefile
@@ -0,0 +1,86 @@
+.DEFAULT_GOAL:= lint
+PATH := ./node_modules/.bin:$(PATH)
+SHELL := /bin/bash
+args = $(filter-out $@, $(MAKECMDGOALS))
+.PHONY: all setup install clean reinstall build compile pdfs lint lint-sh lint-shell lint-md lint-markdown lint-txt lint-text pdf lint-yaml lint-yml lint-editorconfig lint-ec ci-lint ci-lint-shell ci-lint-markdown ci-lint-text ci-lint-yaml ci-lint-editorconfig lint-ansible ci-lint-ansible
+
+default: all
+
+all: install
+
+####################################################################
+#                   Installation / Setup                           #
+####################################################################
+setup:
+	@./tools/setup.sh
+
+install:
+	yarn install
+	pipenv install
+
+# remove the build and log folders
+clean:
+	rm -rf build node_modules
+
+# reinstall the node_modules and start with a fresh node build
+reinstall: clean install
+
+####################################################################
+#                           Linting                                #
+####################################################################
+lint: lint-shell lint-markdown lint-text lint-yaml lint-editorconfig lint-ansible
+
+# Note "|| true" is added to locally make lint can be ran and all linting is preformed, regardless of exit code
+
+# Shell Linting
+lint-sh lint-shell:
+	@./tools/lint-shell.sh || true
+
+# Markdown Linting
+lint-md lint-markdown:
+	@./tools/lint-markdown.sh || true
+
+# Text Linting
+lint-txt lint-text:
+	@./tools/lint-text.sh || true
+
+# Yaml Linting
+lint-yml lint-yaml:
+	@./tools/lint-yaml.sh || true
+
+# Editorconfig Linting
+lint-ec lint-editorconfig:
+	@./tools/lint-editorconfig.sh || true
+
+# Ansible Linting
+lint-ansible:
+	@./tools/lint-ansible.sh || true
+
+####################################################################
+#                              CI                                  #
+####################################################################
+ci-lint: ci-lint-shell ci-lint-markdown ci-lint-text ci-lint-yaml ci-lint-editorconfig ci-lint-ansible
+
+# Shell Linting
+ci-lint-shell:
+	@./tools/lint-shell.sh
+
+# Markdown Linting
+ci-lint-markdown:
+	@./tools/lint-markdown.sh
+
+# Text Linting
+ci-lint-text:
+	@./tools/lint-text.sh
+
+# Yaml Linting
+ci-lint-yaml:
+	@./tools/lint-yaml.sh
+
+# Editorconfig Linting
+ci-lint-editorconfig:
+	@./tools/lint-editorconfig.sh
+
+# Ansible Linting
+ci-lint-ansible:
+	@./tools/lint-ansible.sh
diff --git a/ansible_collections/grafana/grafana/Pipfile b/ansible_collections/grafana/grafana/Pipfile
new file mode 100644
index 00000000..8e4fcb2a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/Pipfile
@@ -0,0 +1,14 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+yamllint = "==1.35.1"
+ansible-lint = ">=6.13.1,<26.0.0"
+pylint = ">=2.16.2,<4.0.0"
+
+[dev-packages]
+
+[requires]
+python_version = "3.10"
diff --git a/ansible_collections/grafana/grafana/Pipfile.lock b/ansible_collections/grafana/grafana/Pipfile.lock
new file mode 100644
index 00000000..89f9bc16
--- /dev/null
+++ b/ansible_collections/grafana/grafana/Pipfile.lock
@@ -0,0 +1,909 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "d803b04fc4ca6ceec39a226c518fc618049f8996dc9d14d09f42ab1b3471e085"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.10"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "ansible-compat": {
+            "hashes": [
+                "sha256:c2b4bfeca6383b2047b2e1dea473cec4f1f9f2dd59beef71d6c47f632eaf97c9",
+                "sha256:cced722001bd7b617d418e54017e308c8b27ef3815f377843c00e020fa07165e"
+            ],
+            "markers": "python_version >= '3.10'",
+            "version": "==25.6.0"
+        },
+        "ansible-core": {
+            "hashes": [
+                "sha256:24fb30783fcd3e800b839b15a396a1f9d622c007bc358e98f2992156ace52671",
+                "sha256:cb74f3a148b77fa0c89a284e48e7515d13fda10ad8c789eb92274c72f017a9a0"
+            ],
+            "markers": "python_version >= '3.10'",
+            "version": "==2.17.12"
+        },
+        "ansible-lint": {
+            "hashes": [
+                "sha256:69fe294a3cc30d8819b5a30625a7e25225f48558cadb83ad3d4dec597c1b8c2c",
+                "sha256:6a1dd2b7a9f3f202c9e92a6c80296ff33ca863348c3acf978f80fb0d4536dce4"
+            ],
+            "index": "pypi",
+            "markers": "python_version >= '3.10'",
+            "version": "==25.6.1"
+        },
+        "astroid": {
+            "hashes": [
+                "sha256:5eba185467253501b62a9f113c263524b4f5d55e1b30456370eed4cdbd6438fd",
+                "sha256:e73d0b62dd680a7c07cb2cd0ce3c22570b044dd01bd994bc3a2dd16c6cbba162"
+            ],
+            "markers": "python_full_version >= '3.9.0'",
+            "version": "==3.3.4"
+        },
+        "attrs": {
+            "hashes": [
+                "sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3",
+                "sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==25.3.0"
+        },
+        "black": {
+            "hashes": [
+                "sha256:030b9759066a4ee5e5aca28c3c77f9c64789cdd4de8ac1df642c40b708be6171",
+                "sha256:055e59b198df7ac0b7efca5ad7ff2516bca343276c466be72eb04a3bcc1f82d7",
+                "sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da",
+                "sha256:172b1dbff09f86ce6f4eb8edf9dede08b1fce58ba194c87d7a4f1a5aa2f5b3c2",
+                "sha256:1e2978f6df243b155ef5fa7e558a43037c3079093ed5d10fd84c43900f2d8ecc",
+                "sha256:33496d5cd1222ad73391352b4ae8da15253c5de89b93a80b3e2c8d9a19ec2666",
+                "sha256:3b48735872ec535027d979e8dcb20bf4f70b5ac75a8ea99f127c106a7d7aba9f",
+                "sha256:4b60580e829091e6f9238c848ea6750efed72140b91b048770b64e74fe04908b",
+                "sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32",
+                "sha256:8f0b18a02996a836cc9c9c78e5babec10930862827b1b724ddfe98ccf2f2fe4f",
+                "sha256:95e8176dae143ba9097f351d174fdaf0ccd29efb414b362ae3fd72bf0f710717",
+                "sha256:96c1c7cd856bba8e20094e36e0f948718dc688dba4a9d78c3adde52b9e6c2299",
+                "sha256:a1ee0a0c330f7b5130ce0caed9936a904793576ef4d2b98c40835d6a65afa6a0",
+                "sha256:a22f402b410566e2d1c950708c77ebf5ebd5d0d88a6a2e87c86d9fb48afa0d18",
+                "sha256:a39337598244de4bae26475f77dda852ea00a93bd4c728e09eacd827ec929df0",
+                "sha256:afebb7098bfbc70037a053b91ae8437c3857482d3a690fefc03e9ff7aa9a5fd3",
+                "sha256:bacabb307dca5ebaf9c118d2d2f6903da0d62c9faa82bd21a33eecc319559355",
+                "sha256:bce2e264d59c91e52d8000d507eb20a9aca4a778731a08cfff7e5ac4a4bb7096",
+                "sha256:d9e6827d563a2c820772b32ce8a42828dc6790f095f441beef18f96aa6f8294e",
+                "sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9",
+                "sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba",
+                "sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==25.1.0"
+        },
+        "bracex": {
+            "hashes": [
+                "sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952",
+                "sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==2.6"
+        },
+        "cffi": {
+            "hashes": [
+                "sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8",
+                "sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2",
+                "sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1",
+                "sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15",
+                "sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36",
+                "sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824",
+                "sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8",
+                "sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36",
+                "sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17",
+                "sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf",
+                "sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc",
+                "sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3",
+                "sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed",
+                "sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702",
+                "sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1",
+                "sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8",
+                "sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903",
+                "sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6",
+                "sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d",
+                "sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b",
+                "sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e",
+                "sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be",
+                "sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c",
+                "sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683",
+                "sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9",
+                "sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c",
+                "sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8",
+                "sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1",
+                "sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4",
+                "sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655",
+                "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67",
+                "sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595",
+                "sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0",
+                "sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65",
+                "sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41",
+                "sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6",
+                "sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401",
+                "sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6",
+                "sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3",
+                "sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16",
+                "sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93",
+                "sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e",
+                "sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4",
+                "sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964",
+                "sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c",
+                "sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576",
+                "sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0",
+                "sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3",
+                "sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662",
+                "sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3",
+                "sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff",
+                "sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5",
+                "sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd",
+                "sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f",
+                "sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5",
+                "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14",
+                "sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d",
+                "sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9",
+                "sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7",
+                "sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382",
+                "sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a",
+                "sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e",
+                "sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a",
+                "sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4",
+                "sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99",
+                "sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87",
+                "sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==1.17.1"
+        },
+        "click": {
+            "hashes": [
+                "sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202",
+                "sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b"
+            ],
+            "markers": "python_version >= '3.10'",
+            "version": "==8.2.1"
+        },
+        "cryptography": {
+            "hashes": [
+                "sha256:0339a692de47084969500ee455e42c58e449461e0ec845a34a6a9b9bf7df7fb8",
+                "sha256:03dbff8411206713185b8cebe31bc5c0eb544799a50c09035733716b386e61a4",
+                "sha256:06509dc70dd71fa56eaa138336244e2fbaf2ac164fc9b5e66828fccfd2b680d6",
+                "sha256:0cf13c77d710131d33e63626bd55ae7c0efb701ebdc2b3a7952b9b23a0412862",
+                "sha256:23b9c3ea30c3ed4db59e7b9619272e94891f8a3a5591d0b656a7582631ccf750",
+                "sha256:25eb4d4d3e54595dc8adebc6bbd5623588991d86591a78c2548ffb64797341e2",
+                "sha256:2882338b2a6e0bd337052e8b9007ced85c637da19ef9ecaf437744495c8c2999",
+                "sha256:3530382a43a0e524bc931f187fc69ef4c42828cf7d7f592f7f249f602b5a4ab0",
+                "sha256:425a9a6ac2823ee6e46a76a21a4e8342d8fa5c01e08b823c1f19a8b74f096069",
+                "sha256:46cf7088bf91bdc9b26f9c55636492c1cce3e7aaf8041bbf0243f5e5325cfb2d",
+                "sha256:4828190fb6c4bcb6ebc6331f01fe66ae838bb3bd58e753b59d4b22eb444b996c",
+                "sha256:49fe9155ab32721b9122975e168a6760d8ce4cffe423bcd7ca269ba41b5dfac1",
+                "sha256:4ca0f52170e821bc8da6fc0cc565b7bb8ff8d90d36b5e9fdd68e8a86bdf72036",
+                "sha256:51dfbd4d26172d31150d84c19bbe06c68ea4b7f11bbc7b3a5e146b367c311349",
+                "sha256:5f31e6b0a5a253f6aa49be67279be4a7e5a4ef259a9f33c69f7d1b1191939872",
+                "sha256:627ba1bc94f6adf0b0a2e35d87020285ead22d9f648c7e75bb64f367375f3b22",
+                "sha256:680806cf63baa0039b920f4976f5f31b10e772de42f16310a6839d9f21a26b0d",
+                "sha256:6a3511ae33f09094185d111160fd192c67aa0a2a8d19b54d36e4c78f651dc5ad",
+                "sha256:6a5bf57554e80f75a7db3d4b1dacaa2764611ae166ab42ea9a72bcdb5d577637",
+                "sha256:6b613164cb8425e2f8db5849ffb84892e523bf6d26deb8f9bb76ae86181fa12b",
+                "sha256:7405ade85c83c37682c8fe65554759800a4a8c54b2d96e0f8ad114d31b808d57",
+                "sha256:7aad98a25ed8ac917fdd8a9c1e706e5a0956e06c498be1f713b61734333a4507",
+                "sha256:7bedbe4cc930fa4b100fc845ea1ea5788fcd7ae9562e669989c11618ae8d76ee",
+                "sha256:7ef2dde4fa9408475038fc9aadfc1fb2676b174e68356359632e980c661ec8f6",
+                "sha256:817ee05c6c9f7a69a16200f0c90ab26d23a87701e2a284bd15156783e46dbcc8",
+                "sha256:944e9ccf67a9594137f942d5b52c8d238b1b4e46c7a0c2891b7ae6e01e7c80a4",
+                "sha256:964bcc28d867e0f5491a564b7debb3ffdd8717928d315d12e0d7defa9e43b723",
+                "sha256:96d4819e25bf3b685199b304a0029ce4a3caf98947ce8a066c9137cc78ad2c58",
+                "sha256:a77c6fb8d76e9c9f99f2f3437c1a4ac287b34eaf40997cfab1e9bd2be175ac39",
+                "sha256:b0a97c927497e3bc36b33987abb99bf17a9a175a19af38a892dc4bbb844d7ee2",
+                "sha256:b97737a3ffbea79eebb062eb0d67d72307195035332501722a9ca86bab9e3ab2",
+                "sha256:bbc505d1dc469ac12a0a064214879eac6294038d6b24ae9f71faae1448a9608d",
+                "sha256:c22fe01e53dc65edd1945a2e6f0015e887f84ced233acecb64b4daadb32f5c97",
+                "sha256:ce1678a2ccbe696cf3af15a75bb72ee008d7ff183c9228592ede9db467e64f1b",
+                "sha256:e00a6c10a5c53979d6242f123c0a97cff9f3abed7f064fc412c36dc521b5f257",
+                "sha256:eaa3e28ea2235b33220b949c5a0d6cf79baa80eab2eb5607ca8ab7525331b9ff",
+                "sha256:f3fe7a5ae34d5a414957cc7f457e2b92076e72938423ac64d215722f6cf49a9e"
+            ],
+            "markers": "python_version >= '3.7' and python_full_version not in '3.9.0, 3.9.1'",
+            "version": "==45.0.4"
+        },
+        "dill": {
+            "hashes": [
+                "sha256:468dff3b89520b474c0397703366b7b95eebe6303f108adf9b19da1f702be87a",
+                "sha256:81aa267dddf68cbfe8029c42ca9ec6a4ab3b22371d1c450abc54422577b4512c"
+            ],
+            "markers": "python_version < '3.11'",
+            "version": "==0.3.9"
+        },
+        "filelock": {
+            "hashes": [
+                "sha256:adbc88eabb99d2fec8c9c1b229b171f18afa655400173ddc653d5d01501fb9f2",
+                "sha256:c401f4f8377c4464e6db25fff06205fd89bdd83b65eb0488ed1b160f780e21de"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==3.18.0"
+        },
+        "importlib-metadata": {
+            "hashes": [
+                "sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000",
+                "sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==8.7.0"
+        },
+        "isort": {
+            "hashes": [
+                "sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109",
+                "sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6"
+            ],
+            "markers": "python_full_version >= '3.8.0'",
+            "version": "==5.13.2"
+        },
+        "jinja2": {
+            "hashes": [
+                "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
+                "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"
+            ],
+            "markers": "python_version >= '3.7'",
+            "version": "==3.1.6"
+        },
+        "jsonschema": {
+            "hashes": [
+                "sha256:0b4e8069eb12aedfa881333004bccaec24ecef5a8a6a4b6df142b2cc9599d196",
+                "sha256:a462455f19f5faf404a7902952b6f0e3ce868f3ee09a359b05eca6673bd8412d"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==4.24.0"
+        },
+        "jsonschema-specifications": {
+            "hashes": [
+                "sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af",
+                "sha256:630159c9f4dbea161a6a2205c3011cc4f18ff381b189fff48bb39b9bf26ae608"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==2025.4.1"
+        },
+        "lazy-object-proxy": {
+            "hashes": [
+                "sha256:09763491ce220c0299688940f8dc2c5d05fd1f45af1e42e636b2e8b2303e4382",
+                "sha256:0a891e4e41b54fd5b8313b96399f8b0e173bbbfc03c7631f01efbe29bb0bcf82",
+                "sha256:189bbd5d41ae7a498397287c408617fe5c48633e7755287b21d741f7db2706a9",
+                "sha256:18b78ec83edbbeb69efdc0e9c1cb41a3b1b1ed11ddd8ded602464c3fc6020494",
+                "sha256:1aa3de4088c89a1b69f8ec0dcc169aa725b0ff017899ac568fe44ddc1396df46",
+                "sha256:212774e4dfa851e74d393a2370871e174d7ff0ebc980907723bb67d25c8a7c30",
+                "sha256:2d0daa332786cf3bb49e10dc6a17a52f6a8f9601b4cf5c295a4f85854d61de63",
+                "sha256:5f83ac4d83ef0ab017683d715ed356e30dd48a93746309c8f3517e1287523ef4",
+                "sha256:659fb5809fa4629b8a1ac5106f669cfc7bef26fbb389dda53b3e010d1ac4ebae",
+                "sha256:660c94ea760b3ce47d1855a30984c78327500493d396eac4dfd8bd82041b22be",
+                "sha256:66a3de4a3ec06cd8af3f61b8e1ec67614fbb7c995d02fa224813cb7afefee701",
+                "sha256:721532711daa7db0d8b779b0bb0318fa87af1c10d7fe5e52ef30f8eff254d0cd",
+                "sha256:7322c3d6f1766d4ef1e51a465f47955f1e8123caee67dd641e67d539a534d006",
+                "sha256:79a31b086e7e68b24b99b23d57723ef7e2c6d81ed21007b6281ebcd1688acb0a",
+                "sha256:81fc4d08b062b535d95c9ea70dbe8a335c45c04029878e62d744bdced5141586",
+                "sha256:8fa02eaab317b1e9e03f69aab1f91e120e7899b392c4fc19807a8278a07a97e8",
+                "sha256:9090d8e53235aa280fc9239a86ae3ea8ac58eff66a705fa6aa2ec4968b95c821",
+                "sha256:946d27deaff6cf8452ed0dba83ba38839a87f4f7a9732e8f9fd4107b21e6ff07",
+                "sha256:9990d8e71b9f6488e91ad25f322898c136b008d87bf852ff65391b004da5e17b",
+                "sha256:9cd077f3d04a58e83d04b20e334f678c2b0ff9879b9375ed107d5d07ff160171",
+                "sha256:9e7551208b2aded9c1447453ee366f1c4070602b3d932ace044715d89666899b",
+                "sha256:9f5fa4a61ce2438267163891961cfd5e32ec97a2c444e5b842d574251ade27d2",
+                "sha256:b40387277b0ed2d0602b8293b94d7257e17d1479e257b4de114ea11a8cb7f2d7",
+                "sha256:bfb38f9ffb53b942f2b5954e0f610f1e721ccebe9cce9025a38c8ccf4a5183a4",
+                "sha256:cbf9b082426036e19c6924a9ce90c740a9861e2bdc27a4834fd0a910742ac1e8",
+                "sha256:d9e25ef10a39e8afe59a5c348a4dbf29b4868ab76269f81ce1674494e2565a6e",
+                "sha256:db1c1722726f47e10e0b5fdbf15ac3b8adb58c091d12b3ab713965795036985f",
+                "sha256:e7c21c95cae3c05c14aafffe2865bbd5e377cfc1348c4f7751d9dc9a48ca4bda",
+                "sha256:e8c6cfb338b133fbdbc5cfaa10fe3c6aeea827db80c978dbd13bc9dd8526b7d4",
+                "sha256:ea806fd4c37bf7e7ad82537b0757999264d5f70c45468447bb2b91afdbe73a6e",
+                "sha256:edd20c5a55acb67c7ed471fa2b5fb66cb17f61430b7a6b9c3b4a1e40293b1671",
+                "sha256:f0117049dd1d5635bbff65444496c90e0baa48ea405125c088e93d9cf4525b11",
+                "sha256:f0705c376533ed2a9e5e97aacdbfe04cecd71e0aa84c7c0595d02ef93b6e4455",
+                "sha256:f12ad7126ae0c98d601a7ee504c1122bcef553d1d5e0c3bfa77b16b3968d2734",
+                "sha256:f2457189d8257dd41ae9b434ba33298aec198e30adf2dcdaaa3a28b9994f6adb",
+                "sha256:f699ac1c768270c9e384e4cbd268d6e67aebcfae6cd623b4d7c3bfde5a35db59"
+            ],
+            "markers": "python_version >= '3.7'",
+            "version": "==1.9.0"
+        },
+        "markdown-it-py": {
+            "hashes": [
+                "sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1",
+                "sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==3.0.0"
+        },
+        "markupsafe": {
+            "hashes": [
+                "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4",
+                "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30",
+                "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0",
+                "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9",
+                "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396",
+                "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13",
+                "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028",
+                "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca",
+                "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557",
+                "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832",
+                "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0",
+                "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b",
+                "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579",
+                "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a",
+                "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c",
+                "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff",
+                "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c",
+                "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22",
+                "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094",
+                "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb",
+                "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e",
+                "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5",
+                "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a",
+                "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d",
+                "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a",
+                "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b",
+                "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8",
+                "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225",
+                "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c",
+                "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144",
+                "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f",
+                "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87",
+                "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d",
+                "sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93",
+                "sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf",
+                "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158",
+                "sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84",
+                "sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb",
+                "sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48",
+                "sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171",
+                "sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c",
+                "sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6",
+                "sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd",
+                "sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d",
+                "sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1",
+                "sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d",
+                "sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca",
+                "sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a",
+                "sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29",
+                "sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe",
+                "sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798",
+                "sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c",
+                "sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8",
+                "sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f",
+                "sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f",
+                "sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a",
+                "sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178",
+                "sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0",
+                "sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79",
+                "sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430",
+                "sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==3.0.2"
+        },
+        "mccabe": {
+            "hashes": [
+                "sha256:348e0240c33b60bbdf4e523192ef919f28cb2c3d7d5c7794f74009290f236325",
+                "sha256:6c2d30ab6be0e4a46919781807b4f0d834ebdd6c6e3dca0bda5a15f863427b6e"
+            ],
+            "markers": "python_version >= '3.6'",
+            "version": "==0.7.0"
+        },
+        "mdurl": {
+            "hashes": [
+                "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8",
+                "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"
+            ],
+            "markers": "python_version >= '3.7'",
+            "version": "==0.1.2"
+        },
+        "mypy-extensions": {
+            "hashes": [
+                "sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505",
+                "sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==1.1.0"
+        },
+        "packaging": {
+            "hashes": [
+                "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484",
+                "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==25.0"
+        },
+        "pathspec": {
+            "hashes": [
+                "sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08",
+                "sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==0.12.1"
+        },
+        "platformdirs": {
+            "hashes": [
+                "sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc",
+                "sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==4.3.8"
+        },
+        "pycparser": {
+            "hashes": [
+                "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6",
+                "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==2.22"
+        },
+        "pygments": {
+            "hashes": [
+                "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199",
+                "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==2.18.0"
+        },
+        "pylint": {
+            "hashes": [
+                "sha256:2f846a466dd023513240bc140ad2dd73bfc080a5d85a710afdb728c420a5a2b9",
+                "sha256:9f3dcc87b1203e612b78d91a896407787e708b3f189b5fa0b307712d49ff0c6e"
+            ],
+            "index": "pypi",
+            "markers": "python_full_version >= '3.9.0'",
+            "version": "==3.3.1"
+        },
+        "pyyaml": {
+            "hashes": [
+                "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff",
+                "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48",
+                "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086",
+                "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e",
+                "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133",
+                "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5",
+                "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484",
+                "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee",
+                "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5",
+                "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68",
+                "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a",
+                "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf",
+                "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99",
+                "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8",
+                "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85",
+                "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19",
+                "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc",
+                "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a",
+                "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1",
+                "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317",
+                "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c",
+                "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631",
+                "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d",
+                "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652",
+                "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5",
+                "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e",
+                "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b",
+                "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8",
+                "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476",
+                "sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706",
+                "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563",
+                "sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237",
+                "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b",
+                "sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083",
+                "sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180",
+                "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425",
+                "sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e",
+                "sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f",
+                "sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725",
+                "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183",
+                "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab",
+                "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774",
+                "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725",
+                "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e",
+                "sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5",
+                "sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d",
+                "sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290",
+                "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44",
+                "sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed",
+                "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4",
+                "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba",
+                "sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12",
+                "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==6.0.2"
+        },
+        "referencing": {
+            "hashes": [
+                "sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa",
+                "sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==0.36.2"
+        },
+        "resolvelib": {
+            "hashes": [
+                "sha256:04ce76cbd63fded2078ce224785da6ecd42b9564b1390793f64ddecbe997b309",
+                "sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf"
+            ],
+            "version": "==1.0.1"
+        },
+        "rich": {
+            "hashes": [
+                "sha256:1760a3c0848469b97b558fc61c85233e3dafb69c7a071b4d60c38099d3cd4c06",
+                "sha256:8260cda28e3db6bf04d2d1ef4dbc03ba80a824c88b0e7668a0f23126a424844a"
+            ],
+            "markers": "python_full_version >= '3.7.0'",
+            "version": "==13.8.1"
+        },
+        "rpds-py": {
+            "hashes": [
+                "sha256:0317177b1e8691ab5879f4f33f4b6dc55ad3b344399e23df2e499de7b10a548d",
+                "sha256:036ded36bedb727beeabc16dc1dad7cb154b3fa444e936a03b67a86dc6a5066e",
+                "sha256:048893e902132fd6548a2e661fb38bf4896a89eea95ac5816cf443524a85556f",
+                "sha256:0701942049095741a8aeb298a31b203e735d1c61f4423511d2b1a41dcd8a16da",
+                "sha256:083a9513a33e0b92cf6e7a6366036c6bb43ea595332c1ab5c8ae329e4bcc0a9c",
+                "sha256:09eab132f41bf792c7a0ea1578e55df3f3e7f61888e340779b06050a9a3f16e9",
+                "sha256:0e6a327af8ebf6baba1c10fadd04964c1965d375d318f4435d5f3f9651550f4a",
+                "sha256:0eb90e94f43e5085623932b68840b6f379f26db7b5c2e6bcef3179bd83c9330f",
+                "sha256:114a07e85f32b125404f28f2ed0ba431685151c037a26032b213c882f26eb908",
+                "sha256:115874ae5e2fdcfc16b2aedc95b5eef4aebe91b28e7e21951eda8a5dc0d3461b",
+                "sha256:140f61d9bed7839446bdd44852e30195c8e520f81329b4201ceead4d64eb3a9f",
+                "sha256:1521031351865e0181bc585147624d66b3b00a84109b57fcb7a779c3ec3772cd",
+                "sha256:1c0c434a53714358532d13539272db75a5ed9df75a4a090a753ac7173ec14e11",
+                "sha256:1d1fadd539298e70cac2f2cb36f5b8a65f742b9b9f1014dd4ea1f7785e2470bf",
+                "sha256:1de336a4b164c9188cb23f3703adb74a7623ab32d20090d0e9bf499a2203ad65",
+                "sha256:1ee3e26eb83d39b886d2cb6e06ea701bba82ef30a0de044d34626ede51ec98b0",
+                "sha256:245550f5a1ac98504147cba96ffec8fabc22b610742e9150138e5d60774686d7",
+                "sha256:2a40046a529cc15cef88ac5ab589f83f739e2d332cb4d7399072242400ed68c9",
+                "sha256:2c2cd1a4b0c2b8c5e31ffff50d09f39906fe351389ba143c195566056c13a7ea",
+                "sha256:2cb9e5b5e26fc02c8a4345048cd9998c2aca7c2712bd1b36da0c72ee969a3523",
+                "sha256:33358883a4490287e67a2c391dfaea4d9359860281db3292b6886bf0be3d8692",
+                "sha256:35634369325906bcd01577da4c19e3b9541a15e99f31e91a02d010816b49bfda",
+                "sha256:35a8d1a24b5936b35c5003313bc177403d8bdef0f8b24f28b1c4a255f94ea992",
+                "sha256:3af5b4cc10fa41e5bc64e5c198a1b2d2864337f8fcbb9a67e747e34002ce812b",
+                "sha256:3bcce0edc1488906c2d4c75c94c70a0417e83920dd4c88fec1078c94843a6ce9",
+                "sha256:3c5b317ecbd8226887994852e85de562f7177add602514d4ac40f87de3ae45a8",
+                "sha256:3c6564c0947a7f52e4792983f8e6cf9bac140438ebf81f527a21d944f2fd0a40",
+                "sha256:3ebd879ab996537fc510a2be58c59915b5dd63bccb06d1ef514fee787e05984a",
+                "sha256:3f0b1798cae2bbbc9b9db44ee068c556d4737911ad53a4e5093d09d04b3bbc24",
+                "sha256:401ca1c4a20cc0510d3435d89c069fe0a9ae2ee6495135ac46bdd49ec0495763",
+                "sha256:454601988aab2c6e8fd49e7634c65476b2b919647626208e376afcd22019eeb8",
+                "sha256:4593c4eae9b27d22df41cde518b4b9e4464d139e4322e2127daa9b5b981b76be",
+                "sha256:45e484db65e5380804afbec784522de84fa95e6bb92ef1bd3325d33d13efaebd",
+                "sha256:48d64155d02127c249695abb87d39f0faf410733428d499867606be138161d65",
+                "sha256:4fbb0dbba559959fcb5d0735a0f87cdbca9e95dac87982e9b95c0f8f7ad10255",
+                "sha256:4fd52d3455a0aa997734f3835cbc4c9f32571345143960e7d7ebfe7b5fbfa3b2",
+                "sha256:50f2c501a89c9a5f4e454b126193c5495b9fb441a75b298c60591d8a2eb92e1b",
+                "sha256:58f77c60956501a4a627749a6dcb78dac522f249dd96b5c9f1c6af29bfacfb66",
+                "sha256:5a3ddb74b0985c4387719fc536faced33cadf2172769540c62e2a94b7b9be1c4",
+                "sha256:5c4a128527fe415d73cf1f70a9a688d06130d5810be69f3b553bf7b45e8acf79",
+                "sha256:5d473be2b13600b93a5675d78f59e63b51b1ba2d0476893415dfbb5477e65b31",
+                "sha256:5d9e40f32745db28c1ef7aad23f6fc458dc1e29945bd6781060f0d15628b8ddf",
+                "sha256:5f048bbf18b1f9120685c6d6bb70cc1a52c8cc11bdd04e643d28d3be0baf666d",
+                "sha256:605ffe7769e24b1800b4d024d24034405d9404f0bc2f55b6db3362cd34145a6f",
+                "sha256:6099263f526efff9cf3883dfef505518730f7a7a93049b1d90d42e50a22b4793",
+                "sha256:659d87430a8c8c704d52d094f5ba6fa72ef13b4d385b7e542a08fc240cb4a559",
+                "sha256:666fa7b1bd0a3810a7f18f6d3a25ccd8866291fbbc3c9b912b917a6715874bb9",
+                "sha256:68f6f060f0bbdfb0245267da014d3a6da9be127fe3e8cc4a68c6f833f8a23bb1",
+                "sha256:6d273f136e912aa101a9274c3145dcbddbe4bac560e77e6d5b3c9f6e0ed06d34",
+                "sha256:6d50841c425d16faf3206ddbba44c21aa3310a0cebc3c1cdfc3e3f4f9f6f5728",
+                "sha256:771c16060ff4e79584dc48902a91ba79fd93eade3aa3a12d6d2a4aadaf7d542b",
+                "sha256:785ffacd0ee61c3e60bdfde93baa6d7c10d86f15655bd706c89da08068dc5038",
+                "sha256:796ad874c89127c91970652a4ee8b00d56368b7e00d3477f4415fe78164c8000",
+                "sha256:79dc317a5f1c51fd9c6a0c4f48209c6b8526d0524a6904fc1076476e79b00f98",
+                "sha256:7c9409b47ba0650544b0bb3c188243b83654dfe55dcc173a86832314e1a6a35d",
+                "sha256:7d779b325cc8238227c47fbc53964c8cc9a941d5dbae87aa007a1f08f2f77b23",
+                "sha256:816568614ecb22b18a010c7a12559c19f6fe993526af88e95a76d5a60b8b75fb",
+                "sha256:8378fa4a940f3fb509c081e06cb7f7f2adae8cf46ef258b0e0ed7519facd573e",
+                "sha256:85608eb70a659bf4c1142b2781083d4b7c0c4e2c90eff11856a9754e965b2540",
+                "sha256:85fc223d9c76cabe5d0bff82214459189720dc135db45f9f66aa7cffbf9ff6c1",
+                "sha256:88ec04afe0c59fa64e2f6ea0dd9657e04fc83e38de90f6de201954b4d4eb59bd",
+                "sha256:8960b6dac09b62dac26e75d7e2c4a22efb835d827a7278c34f72b2b84fa160e3",
+                "sha256:89706d0683c73a26f76a5315d893c051324d771196ae8b13e6ffa1ffaf5e574f",
+                "sha256:89c24300cd4a8e4a51e55c31a8ff3918e6651b241ee8876a42cc2b2a078533ba",
+                "sha256:8c742af695f7525e559c16f1562cf2323db0e3f0fbdcabdf6865b095256b2d40",
+                "sha256:8dbd586bfa270c1103ece2109314dd423df1fa3d9719928b5d09e4840cec0d72",
+                "sha256:8eb8c84ecea987a2523e057c0d950bcb3f789696c0499290b8d7b3107a719d78",
+                "sha256:921954d7fbf3fccc7de8f717799304b14b6d9a45bbeec5a8d7408ccbf531faf5",
+                "sha256:9a46c2fb2545e21181445515960006e85d22025bd2fe6db23e76daec6eb689fe",
+                "sha256:9c006f3aadeda131b438c3092124bd196b66312f0caa5823ef09585a669cf449",
+                "sha256:9ceca1cf097ed77e1a51f1dbc8d174d10cb5931c188a4505ff9f3e119dfe519b",
+                "sha256:9e5fc7484fa7dce57e25063b0ec9638ff02a908304f861d81ea49273e43838c1",
+                "sha256:9f2f48ab00181600ee266a095fe815134eb456163f7d6699f525dee471f312cf",
+                "sha256:9fca84a15333e925dd59ce01da0ffe2ffe0d6e5d29a9eeba2148916d1824948c",
+                "sha256:a49e1d7a4978ed554f095430b89ecc23f42014a50ac385eb0c4d163ce213c325",
+                "sha256:a58d1ed49a94d4183483a3ce0af22f20318d4a1434acee255d683ad90bf78129",
+                "sha256:a61d0b2c7c9a0ae45732a77844917b427ff16ad5464b4d4f5e4adb955f582890",
+                "sha256:a714bf6e5e81b0e570d01f56e0c89c6375101b8463999ead3a93a5d2a4af91fa",
+                "sha256:a7b74e92a3b212390bdce1d93da9f6488c3878c1d434c5e751cbc202c5e09500",
+                "sha256:a8bd2f19e312ce3e1d2c635618e8a8d8132892bb746a7cf74780a489f0f6cdcb",
+                "sha256:b0be9965f93c222fb9b4cc254235b3b2b215796c03ef5ee64f995b1b69af0762",
+                "sha256:b24bf3cd93d5b6ecfbedec73b15f143596c88ee249fa98cefa9a9dc9d92c6f28",
+                "sha256:b5ffe453cde61f73fea9430223c81d29e2fbf412a6073951102146c84e19e34c",
+                "sha256:bc120d1132cff853ff617754196d0ac0ae63befe7c8498bd67731ba368abe451",
+                "sha256:bd035756830c712b64725a76327ce80e82ed12ebab361d3a1cdc0f51ea21acb0",
+                "sha256:bffcf57826d77a4151962bf1701374e0fc87f536e56ec46f1abdd6a903354042",
+                "sha256:c2013ee878c76269c7b557a9a9c042335d732e89d482606990b70a839635feb7",
+                "sha256:c4feb9211d15d9160bc85fa72fed46432cdc143eb9cf6d5ca377335a921ac37b",
+                "sha256:c8980cde3bb8575e7c956a530f2c217c1d6aac453474bf3ea0f9c89868b531b6",
+                "sha256:c98f126c4fc697b84c423e387337d5b07e4a61e9feac494362a59fd7a2d9ed80",
+                "sha256:ccc6f3ddef93243538be76f8e47045b4aad7a66a212cd3a0f23e34469473d36b",
+                "sha256:ccfa689b9246c48947d31dd9d8b16d89a0ecc8e0e26ea5253068efb6c542b76e",
+                "sha256:cda776f1967cb304816173b30994faaf2fd5bcb37e73118a47964a02c348e1bc",
+                "sha256:ce4c8e485a3c59593f1a6f683cf0ea5ab1c1dc94d11eea5619e4fb5228b40fbd",
+                "sha256:d3c10228d6cf6fe2b63d2e7985e94f6916fa46940df46b70449e9ff9297bd3d1",
+                "sha256:d4ca54b9cf9d80b4016a67a0193ebe0bcf29f6b0a96f09db942087e294d3d4c2",
+                "sha256:d4cb2b3ddc16710548801c6fcc0cfcdeeff9dafbc983f77265877793f2660309",
+                "sha256:d50e4864498a9ab639d6d8854b25e80642bd362ff104312d9770b05d66e5fb13",
+                "sha256:d74ec9bc0e2feb81d3f16946b005748119c0f52a153f6db6a29e8cd68636f295",
+                "sha256:d8222acdb51a22929c3b2ddb236b69c59c72af4019d2cba961e2f9add9b6e634",
+                "sha256:db58483f71c5db67d643857404da360dce3573031586034b7d59f245144cc192",
+                "sha256:dc3c1ff0abc91444cd20ec643d0f805df9a3661fcacf9c95000329f3ddf268a4",
+                "sha256:dd326a81afe332ede08eb39ab75b301d5676802cdffd3a8f287a5f0b694dc3f5",
+                "sha256:dec21e02e6cc932538b5203d3a8bd6aa1480c98c4914cb88eea064ecdbc6396a",
+                "sha256:e1dafef8df605fdb46edcc0bf1573dea0d6d7b01ba87f85cd04dc855b2b4479e",
+                "sha256:e2f6a2347d3440ae789505693a02836383426249d5293541cd712e07e7aecf54",
+                "sha256:e37caa8cdb3b7cf24786451a0bdb853f6347b8b92005eeb64225ae1db54d1c2b",
+                "sha256:e43a005671a9ed5a650f3bc39e4dbccd6d4326b24fb5ea8be5f3a43a6f576c72",
+                "sha256:e5e2f7280d8d0d3ef06f3ec1b4fd598d386cc6f0721e54f09109a8132182fbfe",
+                "sha256:e87798852ae0b37c88babb7f7bbbb3e3fecc562a1c340195b44c7e24d403e380",
+                "sha256:ee86d81551ec68a5c25373c5643d343150cc54672b5e9a0cafc93c1870a53954",
+                "sha256:f251bf23deb8332823aef1da169d5d89fa84c89f67bdfb566c49dea1fccfd50d",
+                "sha256:f3d86373ff19ca0441ebeb696ef64cb58b8b5cbacffcda5a0ec2f3911732a194",
+                "sha256:f4ad628b5174d5315761b67f212774a32f5bad5e61396d38108bd801c0a8f5d9",
+                "sha256:f70316f760174ca04492b5ab01be631a8ae30cadab1d1081035136ba12738cfa",
+                "sha256:f73ce1512e04fbe2bc97836e89830d6b4314c171587a99688082d090f934d20a",
+                "sha256:ff7c23ba0a88cb7b104281a99476cccadf29de2a0ef5ce864959a52675b1ca83"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==0.25.1"
+        },
+        "ruamel.yaml": {
+            "hashes": [
+                "sha256:710ff198bb53da66718c7db27eec4fbcc9aa6ca7204e4c1df2f282b6fe5eb6b2",
+                "sha256:7227b76aaec364df15936730efbf7d72b30c0b79b1d578bbb8e3dcb2d81f52b7"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==0.18.14"
+        },
+        "ruamel.yaml.clib": {
+            "hashes": [
+                "sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b",
+                "sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4",
+                "sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef",
+                "sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5",
+                "sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3",
+                "sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632",
+                "sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6",
+                "sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7",
+                "sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680",
+                "sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf",
+                "sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da",
+                "sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6",
+                "sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a",
+                "sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01",
+                "sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519",
+                "sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6",
+                "sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f",
+                "sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd",
+                "sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2",
+                "sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52",
+                "sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd",
+                "sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d",
+                "sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c",
+                "sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6",
+                "sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb",
+                "sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a",
+                "sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969",
+                "sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28",
+                "sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d",
+                "sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e",
+                "sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45",
+                "sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4",
+                "sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12",
+                "sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31",
+                "sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642",
+                "sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e",
+                "sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285",
+                "sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed",
+                "sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1",
+                "sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7",
+                "sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3",
+                "sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475",
+                "sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5",
+                "sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76",
+                "sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987",
+                "sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==0.2.12"
+        },
+        "setuptools": {
+            "hashes": [
+                "sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05",
+                "sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==69.0.3"
+        },
+        "subprocess-tee": {
+            "hashes": [
+                "sha256:21942e976715af4a19a526918adb03a8a27a8edab959f2d075b777e3d78f532d",
+                "sha256:91b2b4da3aae9a7088d84acaf2ea0abee3f4fd9c0d2eae69a9b9122a71476590"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==0.4.2"
+        },
+        "tomli": {
+            "hashes": [
+                "sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6",
+                "sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd",
+                "sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c",
+                "sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b",
+                "sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8",
+                "sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6",
+                "sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77",
+                "sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff",
+                "sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea",
+                "sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192",
+                "sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249",
+                "sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee",
+                "sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4",
+                "sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98",
+                "sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8",
+                "sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4",
+                "sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281",
+                "sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744",
+                "sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69",
+                "sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13",
+                "sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140",
+                "sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e",
+                "sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e",
+                "sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc",
+                "sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff",
+                "sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec",
+                "sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2",
+                "sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222",
+                "sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106",
+                "sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272",
+                "sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a",
+                "sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==2.2.1"
+        },
+        "tomlkit": {
+            "hashes": [
+                "sha256:7a974427f6e119197f670fbbbeae7bef749a6c14e793db934baefc1b5f03efde",
+                "sha256:fff5fe59a87295b278abd31bec92c15d9bc4a06885ab12bcea52c71119392e79"
+            ],
+            "markers": "python_version >= '3.8'",
+            "version": "==0.13.2"
+        },
+        "typing-extensions": {
+            "hashes": [
+                "sha256:8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4",
+                "sha256:a1514509136dd0b477638fc68d6a91497af5076466ad0fa6c338e44e359944af"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==4.14.0"
+        },
+        "wcmatch": {
+            "hashes": [
+                "sha256:5848ace7dbb0476e5e55ab63c6bbd529745089343427caa5537f230cc01beb8a",
+                "sha256:f11f94208c8c8484a16f4f48638a85d771d9513f4ab3f37595978801cb9465af"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==10.1"
+        },
+        "wrapt": {
+            "hashes": [
+                "sha256:02fce1852f755f44f95af51f69d22e45080102e9d00258053b79367d07af39c0",
+                "sha256:077ff0d1f9d9e4ce6476c1a924a3332452c1406e59d90a2cf24aeb29eeac9420",
+                "sha256:078e2a1a86544e644a68422f881c48b84fef6d18f8c7a957ffd3f2e0a74a0d4a",
+                "sha256:0970ddb69bba00670e58955f8019bec4a42d1785db3faa043c33d81de2bf843c",
+                "sha256:1286eb30261894e4c70d124d44b7fd07825340869945c79d05bda53a40caa079",
+                "sha256:21f6d9a0d5b3a207cdf7acf8e58d7d13d463e639f0c7e01d82cdb671e6cb7923",
+                "sha256:230ae493696a371f1dbffaad3dafbb742a4d27a0afd2b1aecebe52b740167e7f",
+                "sha256:26458da5653aa5b3d8dc8b24192f574a58984c749401f98fff994d41d3f08da1",
+                "sha256:2cf56d0e237280baed46f0b5316661da892565ff58309d4d2ed7dba763d984b8",
+                "sha256:2e51de54d4fb8fb50d6ee8327f9828306a959ae394d3e01a1ba8b2f937747d86",
+                "sha256:2fbfbca668dd15b744418265a9607baa970c347eefd0db6a518aaf0cfbd153c0",
+                "sha256:38adf7198f8f154502883242f9fe7333ab05a5b02de7d83aa2d88ea621f13364",
+                "sha256:3a8564f283394634a7a7054b7983e47dbf39c07712d7b177b37e03f2467a024e",
+                "sha256:3abbe948c3cbde2689370a262a8d04e32ec2dd4f27103669a45c6929bcdbfe7c",
+                "sha256:3bbe623731d03b186b3d6b0d6f51865bf598587c38d6f7b0be2e27414f7f214e",
+                "sha256:40737a081d7497efea35ab9304b829b857f21558acfc7b3272f908d33b0d9d4c",
+                "sha256:41d07d029dd4157ae27beab04d22b8e261eddfc6ecd64ff7000b10dc8b3a5727",
+                "sha256:46ed616d5fb42f98630ed70c3529541408166c22cdfd4540b88d5f21006b0eff",
+                "sha256:493d389a2b63c88ad56cdc35d0fa5752daac56ca755805b1b0c530f785767d5e",
+                "sha256:4ff0d20f2e670800d3ed2b220d40984162089a6e2c9646fdb09b85e6f9a8fc29",
+                "sha256:54accd4b8bc202966bafafd16e69da9d5640ff92389d33d28555c5fd4f25ccb7",
+                "sha256:56374914b132c702aa9aa9959c550004b8847148f95e1b824772d453ac204a72",
+                "sha256:578383d740457fa790fdf85e6d346fda1416a40549fe8db08e5e9bd281c6a475",
+                "sha256:58d7a75d731e8c63614222bcb21dd992b4ab01a399f1f09dd82af17bbfc2368a",
+                "sha256:5c5aa28df055697d7c37d2099a7bc09f559d5053c3349b1ad0c39000e611d317",
+                "sha256:5fc8e02f5984a55d2c653f5fea93531e9836abbd84342c1d1e17abc4a15084c2",
+                "sha256:63424c681923b9f3bfbc5e3205aafe790904053d42ddcc08542181a30a7a51bd",
+                "sha256:64b1df0f83706b4ef4cfb4fb0e4c2669100fd7ecacfb59e091fad300d4e04640",
+                "sha256:74934ebd71950e3db69960a7da29204f89624dde411afbfb3b4858c1409b1e98",
+                "sha256:75669d77bb2c071333417617a235324a1618dba66f82a750362eccbe5b61d248",
+                "sha256:75760a47c06b5974aa5e01949bf7e66d2af4d08cb8c1d6516af5e39595397f5e",
+                "sha256:76407ab327158c510f44ded207e2f76b657303e17cb7a572ffe2f5a8a48aa04d",
+                "sha256:76e9c727a874b4856d11a32fb0b389afc61ce8aaf281ada613713ddeadd1cfec",
+                "sha256:77d4c1b881076c3ba173484dfa53d3582c1c8ff1f914c6461ab70c8428b796c1",
+                "sha256:780c82a41dc493b62fc5884fb1d3a3b81106642c5c5c78d6a0d4cbe96d62ba7e",
+                "sha256:7dc0713bf81287a00516ef43137273b23ee414fe41a3c14be10dd95ed98a2df9",
+                "sha256:7eebcdbe3677e58dd4c0e03b4f2cfa346ed4049687d839adad68cc38bb559c92",
+                "sha256:896689fddba4f23ef7c718279e42f8834041a21342d95e56922e1c10c0cc7afb",
+                "sha256:96177eb5645b1c6985f5c11d03fc2dbda9ad24ec0f3a46dcce91445747e15094",
+                "sha256:96e25c8603a155559231c19c0349245eeb4ac0096fe3c1d0be5c47e075bd4f46",
+                "sha256:9d37ac69edc5614b90516807de32d08cb8e7b12260a285ee330955604ed9dd29",
+                "sha256:9ed6aa0726b9b60911f4aed8ec5b8dd7bf3491476015819f56473ffaef8959bd",
+                "sha256:a487f72a25904e2b4bbc0817ce7a8de94363bd7e79890510174da9d901c38705",
+                "sha256:a4cbb9ff5795cd66f0066bdf5947f170f5d63a9274f99bdbca02fd973adcf2a8",
+                "sha256:a74d56552ddbde46c246b5b89199cb3fd182f9c346c784e1a93e4dc3f5ec9975",
+                "sha256:a89ce3fd220ff144bd9d54da333ec0de0399b52c9ac3d2ce34b569cf1a5748fb",
+                "sha256:abd52a09d03adf9c763d706df707c343293d5d106aea53483e0ec8d9e310ad5e",
+                "sha256:abd8f36c99512755b8456047b7be10372fca271bf1467a1caa88db991e7c421b",
+                "sha256:af5bd9ccb188f6a5fdda9f1f09d9f4c86cc8a539bd48a0bfdc97723970348418",
+                "sha256:b02f21c1e2074943312d03d243ac4388319f2456576b2c6023041c4d57cd7019",
+                "sha256:b06fa97478a5f478fb05e1980980a7cdf2712015493b44d0c87606c1513ed5b1",
+                "sha256:b0724f05c396b0a4c36a3226c31648385deb6a65d8992644c12a4963c70326ba",
+                "sha256:b130fe77361d6771ecf5a219d8e0817d61b236b7d8b37cc045172e574ed219e6",
+                "sha256:b56d5519e470d3f2fe4aa7585f0632b060d532d0696c5bdfb5e8319e1d0f69a2",
+                "sha256:b67b819628e3b748fd3c2192c15fb951f549d0f47c0449af0764d7647302fda3",
+                "sha256:ba1711cda2d30634a7e452fc79eabcadaffedf241ff206db2ee93dd2c89a60e7",
+                "sha256:bbeccb1aa40ab88cd29e6c7d8585582c99548f55f9b2581dfc5ba68c59a85752",
+                "sha256:bd84395aab8e4d36263cd1b9308cd504f6cf713b7d6d3ce25ea55670baec5416",
+                "sha256:c99f4309f5145b93eca6e35ac1a988f0dc0a7ccf9ccdcd78d3c0adf57224e62f",
+                "sha256:ca1cccf838cd28d5a0883b342474c630ac48cac5df0ee6eacc9c7290f76b11c1",
+                "sha256:cd525e0e52a5ff16653a3fc9e3dd827981917d34996600bbc34c05d048ca35cc",
+                "sha256:cdb4f085756c96a3af04e6eca7f08b1345e94b53af8921b25c72f096e704e145",
+                "sha256:ce42618f67741d4697684e501ef02f29e758a123aa2d669e2d964ff734ee00ee",
+                "sha256:d06730c6aed78cee4126234cf2d071e01b44b915e725a6cb439a879ec9754a3a",
+                "sha256:d5fe3e099cf07d0fb5a1e23d399e5d4d1ca3e6dfcbe5c8570ccff3e9208274f7",
+                "sha256:d6bcbfc99f55655c3d93feb7ef3800bd5bbe963a755687cbf1f490a71fb7794b",
+                "sha256:d787272ed958a05b2c86311d3a4135d3c2aeea4fc655705f074130aa57d71653",
+                "sha256:e169e957c33576f47e21864cf3fc9ff47c223a4ebca8960079b8bd36cb014fd0",
+                "sha256:e20076a211cd6f9b44a6be58f7eeafa7ab5720eb796975d0c03f05b47d89eb90",
+                "sha256:e826aadda3cae59295b95343db8f3d965fb31059da7de01ee8d1c40a60398b29",
+                "sha256:eef4d64c650f33347c1f9266fa5ae001440b232ad9b98f1f43dfe7a79435c0a6",
+                "sha256:f2e69b3ed24544b0d3dbe2c5c0ba5153ce50dcebb576fdc4696d52aa22db6034",
+                "sha256:f87ec75864c37c4c6cb908d282e1969e79763e0d9becdfe9fe5473b7bb1e5f09",
+                "sha256:fbec11614dba0424ca72f4e8ba3c420dba07b4a7c206c8c8e4e73f2e98f4c559",
+                "sha256:fd69666217b62fa5d7c6aa88e507493a34dec4fa20c5bd925e4bc12fce586639"
+            ],
+            "markers": "python_version < '3.11'",
+            "version": "==1.15.0"
+        },
+        "yamllint": {
+            "hashes": [
+                "sha256:2e16e504bb129ff515b37823b472750b36b6de07963bd74b307341ef5ad8bdc3",
+                "sha256:7a003809f88324fd2c877734f2d575ee7881dd9043360657cc8049c809eba6cd"
+            ],
+            "index": "pypi",
+            "markers": "python_version >= '3.8'",
+            "version": "==1.35.1"
+        },
+        "zipp": {
+            "hashes": [
+                "sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e",
+                "sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166"
+            ],
+            "markers": "python_version >= '3.9'",
+            "version": "==3.23.0"
+        }
+    },
+    "develop": {}
+}
diff --git a/ansible_collections/grafana/grafana/README.md b/ansible_collections/grafana/grafana/README.md
new file mode 100644
index 00000000..5c36aac6
--- /dev/null
+++ b/ansible_collections/grafana/grafana/README.md
@@ -0,0 +1,159 @@
+# Ansible Collection for Grafana
+
+[![Grafana](https://img.shields.io/badge/grafana-%23F46800.svg?&logo=grafana&logoColor=white)](https://grafana.com)
+[![Ansible Collection](https://img.shields.io/badge/grafana.grafana-orange)](https://galaxy.ansible.com/ui/repo/published/grafana/grafana/)
+[![GitHub tag](https://img.shields.io/github/tag/grafana/grafana-ansible-collection.svg)](https://github.com/grafana/grafana-ansible-collection/tags)
+[![GitHub Last Commit](https://img.shields.io/github/last-commit/grafana/grafana-ansible-collection)](https://github.com/grafana/grafana-ansible-collection/tags)
+[![GitHub Contributors](https://img.shields.io/github/contributors/grafana/grafana-ansible-collection)](https://github.com/grafana/grafana-ansible-collection/tags)
+
+This collection (`grafana.grafana`) contains modules and roles to assist in automating the management of resources in **Grafana**, **Grafana Agent**, **OpenTelemetry Collector**, **Loki**, **Mimir**, **Alloy**, and **Promtail** with Ansible.
+
+-   [Ansible collection Documentation](https://docs.ansible.com/ansible/latest/collections/grafana/grafana/)
+-   [Grafana](https://grafana.com)
+-   [Grafana Cloud](https://grafana.com/products/cloud/)
+
+## Ansible version compatibility
+
+The collection is tested and supported with: `ansible >= 2.9`
+
+## Installing the collection
+
+Before using the Grafana collection, you need to install it using the below command:
+
+```shell
+ansible-galaxy collection install grafana.grafana
+```
+
+You can also include it in a `requirements.yml` file and install it via `ansible-galaxy collection install -r requirements.yml`, using the format:
+
+```yaml
+---
+collections:
+  - name: grafana.grafana
+```
+
+A specific version of the collection can be installed by using the version keyword in the `requirements.yml` file:
+
+```yaml
+---
+collections:
+  - name: grafana.grafana
+    version: 1.0.0
+```
+
+## Roles included in the collection
+
+This collection includes the following roles to help set up and manage Grafana, Grafana Agent, Alloy, OpenTelemetry Collector, Loki, Mimir and Promtail:
+
+- **Grafana**: Installs and configures Grafana on your target hosts.
+- **Grafana Agent**: Deploys and configures Grafana Agent, allowing for efficient metrics, logs, and trace data shipping to Grafana Cloud or other endpoints.
+- **Alloy**: The replacement for Grafana Agent and Promtail. Alloy can be used to collect traces, metrics, and logs.
+- **OpenTelemetry Collector**: Sets up and configures the OpenTelemetry Collector, enabling advanced observability features through data collection and transmission.
+- **Loki**: Deploy and manage Loki, the log aggregation system.
+- **Mimir**: Deploy and manage Mimir, the scalable long-term storage for Prometheus.
+- **Promtail**: Deploy and manage Promtail, the agent which ships the contents of local logs to a private Grafana Loki.
+
+## Using this collection
+
+You can call modules by their Fully Qualified Collection Namespace (FQCN), such as `grafana.grafana.cloud_stack`:
+
+```yaml
+- name: Using grafana collection
+  hosts: localhost
+  tasks:
+    - name: Create a Grafana Cloud stack
+      grafana.grafana.cloud_stack:
+        name: mystack
+        stack_slug: mystack
+        org_slug: myorg
+        cloud_api_key: "{{ cloud_api_key }}"
+        region: eu
+        state: present
+```
+
+or you can add full namespace and collection name in the `collections` element in your playbook
+
+```yaml
+- name: Using grafana collection
+  hosts: localhost
+  collection:
+    - grafana.grafana
+  tasks:
+    - name: Create a Grafana Cloud stack
+      cloud_stack:
+        name: mystack
+        stack_slug: mystack
+        org_slug: myorg
+        cloud_api_key: "{{ cloud_api_key }}"
+        region: eu
+        state: present
+```
+
+## Contributing
+
+We are accepting GitHub pull requests and issues. There are many ways in which you can participate in the project, for example:
+
+-   Submit bugs and feature requests, and help us verify them
+-   Submit and review source code changes in GitHub pull requests
+-   Add new modules for more Grafana resources
+
+## Testing and Development
+
+If you want to develop new content for this collection or improve what is already
+here, the easiest way to work on the collection is to clone it into one of the configured
+[`COLLECTIONS_PATHS`](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths),
+and work on it there.
+
+### Testing with `ansible-test`
+
+We use `ansible-test` for sanity.
+
+## Commands
+
+| Command | Description |
+| :--- | :----------- |
+| `make setup` | Checks to see if necessary tools are installed |
+| `make install` | Installs project dependencies |
+| `make lint` | Performs all linting commands |
+| `make lint-sh` / `make lint-shell` | Performs shell script linting |
+| `make lint-md` / `make lint-markdown` | Performs Markdown linting |
+| `make lint-txt` / `make lint-text` | Performs text linting |
+| `make lint-yml` / `make lint-yaml` | Performs Yaml linting |
+| `make lint-ec` / `make lint-editorconfig` | Performs EditorConfig Checks |
+| `make lint-ansible` | Performs Ansible linting |
+| `make clean` | Removes the `./node_modules` and `./build` directories |
+| `make reinstall` | Shortcut to `make clean` and `make install` |
+
+## Releasing, Versioning and Deprecation
+
+This collection follows [Semantic Versioning](https://semver.org/). More details on versioning can be found [in the Ansible docs](https://docs.ansible.com/ansible/latest/dev_guide/developing_collections.html#collection-versions).
+
+We plan to regularly release new minor or bugfix versions once new features or bugfixes have been implemented.
+
+Releasing the current major version on GitHub happens from the `main` branch by the
+[GitHub Release Workflow](https://github.com/grafana/grafana-ansible-collection/blob/main/.github/workflows/release.yml).
+Before the [GitHub Release Workflow](https://github.com/grafana/grafana-ansible-collection/blob/main/.github/workflows/release.yml)
+is run, Contributors should push the new version on Ansible Galaxy Manually.
+
+To generate changelogs for a new release, Refer [Generating Changelogs](https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_changelogs.html#generating-changelogs) or run `antsibull-changelog generate`and `antsibull-changelog lint-changelog-yaml changelogs/changelog.yaml` to validate the YAML file.
+
+To generate the tarball to be uploaded on Ansible Galaxy, Refer [Building collection tarball](https://docs.ansible.com/ansible/latest/dev_guide/developing_collections_distributing.html#building-your-collection-tarball)
+
+## Code of Conduct
+
+This collection follows the Ansible project's [Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html).
+Please read and familiarize yourself with this doc
+
+## More information
+
+-   [Maintainer guidelines](https://docs.ansible.com/ansible/devel/community/maintainers.html)
+-   Subscribe to the [news-for-maintainers](https://github.com/ansible-collections/news-for-maintainers) repository and track announcements there.
+-   [Ansible Collection overview](https://github.com/ansible-collections/overview)
+-   [Ansible User guide](https://docs.ansible.com/ansible/latest/user_guide/index.html)
+-   [Ansible Developer guide](https://docs.ansible.com/ansible/latest/dev_guide/index.html)
+-   [Ansible Collection Developer Guide](https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html)
+-   [Ansible Community code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html)
+
+## License
+
+GPL-3.0-or-later
diff --git a/ansible_collections/grafana/grafana/ansible.cfg b/ansible_collections/grafana/grafana/ansible.cfg
new file mode 100644
index 00000000..fecf5b66
--- /dev/null
+++ b/ansible_collections/grafana/grafana/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+collections_paths = ./
diff --git a/ansible_collections/grafana/grafana/catalog-info.yaml b/ansible_collections/grafana/grafana/catalog-info.yaml
new file mode 100644
index 00000000..de02c6a2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/catalog-info.yaml
@@ -0,0 +1,19 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: grafana-ansible-collection
+  title: grafana-ansible-collection
+  description: |
+    This collection (grafana.grafana) contains modules and roles to assist in automating the management of resources in Grafana, Grafana Agent, OpenTelemetry Collector, Loki, Mimir, Alloy, and Promtail with Ansible.
+  tags:
+    - gitops
+  links:
+    - title: "Internal Slack Channel #ansible-collection"
+      url: https://grafanalabs.enterprise.slack.com/archives/C04T7GX8C69
+  annotations:
+    backstage.io/techdocs-ref: dir:.
+    github.com/project-slug: grafana/grafana-ansible-collection
+spec:
+  type: tool
+  owner: group:default/devex
+  lifecycle: production
diff --git a/ansible_collections/grafana/grafana/changelogs/.plugin-cache.yaml b/ansible_collections/grafana/grafana/changelogs/.plugin-cache.yaml
new file mode 100644
index 00000000..1fc6190d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/changelogs/.plugin-cache.yaml
@@ -0,0 +1,59 @@
+objects:
+  role: {}
+plugins:
+  become: {}
+  cache: {}
+  callback: {}
+  cliconf: {}
+  connection: {}
+  filter: {}
+  httpapi: {}
+  inventory: {}
+  lookup: {}
+  module:
+    alert_contact_point:
+      description: Manage Alerting Contact points in Grafana
+      name: alert_contact_point
+      namespace: ''
+      version_added: 0.0.1
+    alert_notification_policy:
+      description: Manage Alerting Policies points in Grafana
+      name: alert_notification_policy
+      namespace: ''
+      version_added: 0.0.1
+    cloud_api_key:
+      description: Manage Grafana Cloud API keys
+      name: cloud_api_key
+      namespace: ''
+      version_added: 0.0.1
+    cloud_plugin:
+      description: Manage Grafana Cloud Plugins
+      name: cloud_plugin
+      namespace: ''
+      version_added: 0.0.1
+    cloud_stack:
+      description: Manage Grafana Cloud stack
+      name: cloud_stack
+      namespace: ''
+      version_added: 0.0.1
+    dashboard:
+      description: Manage Dashboards in Grafana
+      name: dashboard
+      namespace: ''
+      version_added: 0.0.1
+    datasource:
+      description: Manage Data sources in Grafana
+      name: datasource
+      namespace: ''
+      version_added: 0.0.1
+    folder:
+      description: Manage Folders in Grafana
+      name: folder
+      namespace: ''
+      version_added: 0.0.1
+  netconf: {}
+  shell: {}
+  strategy: {}
+  test: {}
+  vars: {}
+version: 6.2.0
diff --git a/ansible_collections/grafana/grafana/changelogs/changelog.yaml b/ansible_collections/grafana/grafana/changelogs/changelog.yaml
new file mode 100644
index 00000000..22a21e29
--- /dev/null
+++ b/ansible_collections/grafana/grafana/changelogs/changelog.yaml
@@ -0,0 +1,442 @@
+ancestor: null
+releases:
+  0.0.1:
+    changes:
+      release_summary: It's a release! First version to publish to Ansible Galaxy
+    release_date: '2022-08-09'
+  0.0.2:
+    changes:
+      release_summary: Updated input parameters description for all modules
+    release_date: '2022-08-10'
+  0.0.3:
+    changes:
+      release_summary: Documentation update and code cleanup
+    release_date: '2022-08-10'
+  0.0.4:
+    changes:
+      bugfixes:
+      - Fix an issue with `cloud_stack` idempotency
+    release_date: '2022-08-10'
+  0.0.5:
+    changes:
+      release_summary: Documentation update and code cleanup
+    release_date: '2022-08-10'
+  0.0.6:
+    changes:
+      minor_changes:
+      - Idempotency updates to cloud_api_key and datasource modules
+    release_date: '2022-08-10'
+  0.0.7:
+    changes:
+      release_summary: Documentation update for return values in `grafana.grafana.dashboard`
+    release_date: '2022-08-11'
+  1.0.0:
+    changes:
+      release_summary: CI and testing improvements
+    release_date: '2022-08-16'
+  1.0.1:
+    changes:
+      release_summary: Documentation updates with updated examples
+    release_date: '2022-08-23'
+  1.0.2:
+    changes:
+      release_summary: Documentation updates with updated description for modules
+    release_date: '2022-08-30'
+  1.0.3:
+    changes:
+      minor_changes:
+      - Add a fail method to modules source code if `requests` library is not present
+      - Fixed markup for arg option in Documentation
+      - Updated Documentation with `notes` to specify if the check_mode feature is
+        supported by modules
+      - removed `supports_check_mode=True` from source code of modules
+    release_date: '2022-10-20'
+  1.0.4:
+    changes:
+      bugfixes:
+      - Fixed cases where cloud_stack and alert_contact_point modules do not return
+        a tuple when nothing in loop matches
+      major_changes:
+      - All modules except dashboard and datasource modules now support idempotency
+      minor_changes:
+      - All modules use `missing_required_lib`` to compose the message for module.fail_json()
+        when required library is missing from host
+      release_summary: Bug fixes and idempotency fixes for modules
+    release_date: '2022-11-01'
+  1.0.5:
+    changes:
+      minor_changes:
+      - Added Note to datasource and dashboard module about not supporting Idempotency
+      release_summary: Add Note to modules which don't support Idempotency
+    release_date: '2022-11-10'
+  1.1.0:
+    changes:
+      major_changes:
+      - Added Role for Grafana Agent
+      release_summary: Added Role to deploy Grafana Agent on linux hosts
+    release_date: '2022-11-22'
+  1.1.1:
+    changes:
+      minor_changes:
+      - Updated the return message in grafana.grafana.folder module
+      release_summary: Updated return description and value for grafana.grafana.folder
+        module
+    release_date: '2023-02-08'
+  2.0.0:
+    changes:
+      major_changes:
+      - Added Lint support
+      - Configs for server, metrics, logs, traces, and integrations
+      - Installation of the latest version
+      - Local installations when internet connection is not allowed
+      - Only download binary to controller once instead of hosts
+      - Skip install if the agent is already installed and the version is the same
+        as the requested version
+      - Support for Grafana Agent Flow
+      - Validation of variables
+      release_summary: Updated Grafana Agent Role
+    release_date: '2023-03-27'
+  2.1.0:
+    changes:
+      major_changes:
+      - Addition of Grafana Server role by @gardar
+      - Configurable agent user groups by @NormanJS
+      - Grafana Plugins support on-prem Grafana installation by @ishanjainn
+      - Updated Service for flow mode by @bentonam
+      minor_changes:
+      - Ability to configure date format in grafana server role by @RomainMou
+      - Avoid using shell for fetching latest version in Grafana Agent Role by @gardar
+      - Fix for invalid yaml with datasources list enclosed in quotes by @elkozmon
+      - Remove agent installation custom check by @VLZZZ
+      - Remove explicit user creation check by @v-zhuravlev
+      release_summary: Add Grafana Server role and plugins support on-prem Grafana
+    release_date: '2023-06-26'
+  2.1.1:
+    changes:
+      minor_changes:
+      - Update Download tasks in Grafana Agent Role
+      release_summary: Update Download tasks in Grafana Agent Role
+    release_date: '2023-06-26'
+  2.1.2:
+    changes:
+      minor_changes:
+      - Fix Deleting datasources
+      - Fix alert_notification_policy failing on fresh instance
+      - Making Deleting folders idempotent
+      - Remove trailing slash automatically from grafana_url
+      release_summary: Idempotency Updates and minor api_url fixes
+    release_date: '2023-06-27'
+  2.1.3:
+    changes:
+      minor_changes:
+      - indentation and Lint fixes to modules
+      release_summary: Update modules to fix failing Sanity Tests
+    release_date: '2023-06-27'
+  2.1.4:
+    changes:
+      minor_changes:
+      - Datasource test updates and minor fixes
+      release_summary: Update Datasource Tests and minor fixes
+    release_date: '2023-06-27'
+  2.1.5:
+    changes:
+      minor_changes:
+      - Add Grafana Agent Version and CPU Arch to Downloaded ZIP in Grafana Agent
+        Role
+      - Move _grafana_agent_base_download_url from /vars to /defaults in Grafana Agent
+        Role
+      release_summary: Update Grafana Agent Download varibale and ZIP file
+    release_date: '2023-08-10'
+  2.1.6:
+    changes:
+      minor_changes:
+      - Add overrides.conf with CAP_NET_BIND_SERVICE for grafana-server unit
+      - Fix Grafana Dashboard Import for Grafana Role
+      - Make grafana_agent Idempotent
+      - Provisioning errors in YAML
+      - Use new standard to configure Grafana APT source for Grafana Role
+      release_summary: Grafana and Grafana Agent role updates
+    release_date: '2023-09-11'
+  2.1.7:
+    changes:
+      minor_changes:
+      - YAML Fixes
+      release_summary: YAML Fixes
+    release_date: '2023-09-11'
+  2.1.8:
+    changes:
+      minor_changes:
+      - Fix grafana dashboard import in Grafana Role
+      release_summary: Fix grafana dashboard import in Grafana Role
+    release_date: '2023-09-12'
+  2.1.9:
+    changes:
+      minor_changes:
+      - Add check for Curl and failure step if Agent Version is not retrieved
+      - Bump cryptography from 39.0.2 to 41.0.3
+      - Bump semver from 5.7.1 to 5.7.2
+      - Bump word-wrap from 1.2.3 to 1.2.5
+      - Create local dashboard directory in check mode
+      - Update CI Testing
+      - Update Cloud Stack Module failures
+      release_summary: Security Updates and Grafana Agent Version failure fixes
+    release_date: '2023-09-19'
+  2.2.0:
+    changes:
+      minor_changes:
+      - Use 'ansible_system' env variable to detect os typ in Grafana Agent Role
+      - hange grafana Agent Wal and Positions Directory in Grafana Agent Role
+      release_summary: Grafana Agent Role Updates
+    release_date: '2023-09-20'
+  2.2.1:
+    changes:
+      minor_changes:
+      - Allow alert resource provisioning in Grafana Role
+      release_summary: Allow alert resource provisioning in Grafana Role
+    release_date: '2023-09-27'
+  2.2.2:
+    changes:
+      minor_changes:
+      - Bump cryptography from 41.0.3 to 41.0.4
+      - Create missing notification directory in Grafana Role
+      - Remove check_mode from create local directory task in Grafana Role
+      release_summary: Grafana Role bug fixes and security updates
+    release_date: '2023-09-29'
+  2.2.3:
+    changes:
+      minor_changes:
+      - Remove dependency on local-fs.target from Grafana Agent role
+      release_summary: Remove dependency on local-fs.target from Grafana Agent role
+    release_date: '2023-10-05'
+  2.2.4:
+    changes:
+      minor_changes:
+      - Bump cryptography from 41.0.4 to 41.0.6 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/126
+      - Drop curl check by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/120
+      - Fix check mode for grafana role by @Boschung-Mecatronic-AG-Infrastructure
+        in https://github.com/grafana/grafana-ansible-collection/pull/125
+      - Fix check mode in Grafana Agent by @AmandaCameron in https://github.com/grafana/grafana-ansible-collection/pull/124
+      - Update tags in README by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/121
+      release_summary: Grafana and Agent Role bug fixes and security updates
+    release_date: '2023-12-08'
+  2.2.5:
+    changes:
+      minor_changes:
+      - Add 'run_once' to download&unzip tasks by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/136
+      - Adding `oauth_allow_insecure_email_lookup` to fix oauth user sync error by
+        @hypery2k in https://github.com/grafana/grafana-ansible-collection/pull/132
+      - Bump ansible-core from 2.15.4 to 2.15.8 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/137
+      - Bump ansible-lint from 6.13.1 to 6.14.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/139
+      - Bump ansible-lint from 6.14.3 to 6.22.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/142
+      - Bump ansible-lint from 6.22.2 to 24.2.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/150
+      - Bump jinja2 from 3.1.2 to 3.1.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/129
+      - Bump pylint from 2.16.2 to 3.0.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/141
+      - Bump yamllint from 1.29.0 to 1.33.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/140
+      - Bump yamllint from 1.29.0 to 1.33.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/143
+      - Bump yamllint from 1.33.0 to 1.34.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/151
+      - Change handler to systemd by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/135
+      - Fix links in grafana_agent/defaults/main.yaml by @PabloCastellano in https://github.com/grafana/grafana-ansible-collection/pull/134
+      - Topic/grafana agent idempotency by @ohdearaugustin in https://github.com/grafana/grafana-ansible-collection/pull/147
+      release_summary: Grafana and Agent Role bug fixes and security updates
+    release_date: '2024-02-13'
+  3.0.0:
+    changes:
+      major_changes:
+      - Add an Ansible role for OpenTelemetry Collector by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/138
+      minor_changes:
+      - Bump pylint from 3.0.3 to 3.1.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/158
+      - Bump pylint from 3.0.3 to 3.1.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/161
+      - Bump the pip group across 1 directories with 1 update by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/156
+      - Bump yamllint from 1.33.0 to 1.35.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/155
+      - Bump yamllint from 1.33.0 to 1.35.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/159
+      - ExecStartPre and EnvironmentFile settings to system unit file by @fabiiw05
+        in https://github.com/grafana/grafana-ansible-collection/pull/157
+      - datasources url parameter fix by @dergudzon in https://github.com/grafana/grafana-ansible-collection/pull/162
+    release_date: '2024-03-12'
+  4.0.0:
+    changes:
+      major_changes:
+      - Add an Ansible role for Grafana Alloy by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/169
+      minor_changes:
+      - Bump ansible-lint from 24.2.0 to 24.2.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/164
+      - Update description to match module by @brmurphy in https://github.com/grafana/grafana-ansible-collection/pull/179
+      - Clarify grafana-server configuration in README by @VGerris in https://github.com/grafana/grafana-ansible-collection/pull/177
+      - Bump ansible-lint from 24.2.0 to 24.2.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/168
+      - Bump black from 24.1.1 to 24.3.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/165
+      - Apply correct uid + gid for imported dashboards by @hypery2k in https://github.com/grafana/grafana-ansible-collection/pull/167
+    release_date: '2024-04-10'
+  5.0.0:
+    changes:
+      major_changes:
+      - Add Grafana Mimir role by @GVengelen in https://github.com/grafana/grafana-ansible-collection/pull/183
+      - Add Grafana Loki role by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/188
+    release_date: '2024-04-29'
+  5.1.0:
+    changes:
+      major_changes:
+      - Uninstall Step for Loki and Mimir by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/193
+    release_date: '2024-05-07'
+  5.2.0:
+    changes:
+      major_changes:
+      - Bump ansible-lint from 24.2.2 to 24.2.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/195
+      - Add promtail role by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/197
+      - Add a new config part to configure KeyCloak based auth by @he0s in https://github.com/grafana/grafana-ansible-collection/pull/191
+    release_date: '2024-05-13'
+  5.3.0:
+    changes:
+      major_changes:
+      - Add support for configuring feature_toggles in grafana role by @LexVar in https://github.com/grafana/grafana-ansible-collection/pull/173
+      - Bump pylint from 3.1.0 to 3.1.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/200
+      - Add a config check before restarting mimir by @panfantastic in https://github.com/grafana/grafana-ansible-collection/pull/198
+      - Bump pylint from 3.1.1 to 3.2.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/208
+      - Bump ansible-lint from 24.2.3 to 24.5.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/207
+      - Fix env file location by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/211
+      - Support adding alloy user to extra groups by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/212
+      - Backport post-setup healthcheck from agent to alloy by @v-zhuravlev in https://github.com/grafana/grafana-ansible-collection/pull/213
+      - readme styling & language improvements by @tigattack in https://github.com/grafana/grafana-ansible-collection/pull/214
+      - Bump ansible-lint from 24.5.0 to 24.6.0 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/216
+      - Bump pylint from 3.2.2 to 3.2.3 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/217
+      - Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/218
+      - Change from config.river to config.alloy by @cardasac in https://github.com/grafana/grafana-ansible-collection/pull/225
+      - Updated result.json['message'] to result.json()['message'] by @CPreun in https://github.com/grafana/grafana-ansible-collection/pull/223
+      - Bump pylint from 3.2.3 to 3.2.5 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/234
+      - Fix Grafana Configuration for Unified and Legacy Alerting Based on Version by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/215
+    release_date: '2024-07-12'
+  5.4.0:
+    changes:
+      major_changes:
+      - Use a variable to control uninstall behavior instead of tags by @dobbi84 in https://github.com/grafana/grafana-ansible-collection/pull/253
+    release_date: '2024-08-09'
+  5.4.1:
+    changes:
+      major_changes:
+      - Updated promtail arch map for aarch64 matching by @gianmarco-mameli in https://github.com/grafana/grafana-ansible-collection/pull/257
+    release_date: '2024-08-13'
+  5.5.0:
+    changes:
+      major_changes:
+      - mimir molecule should use ansible core 2.16 by @GVengelen in https://github.com/grafana/grafana-ansible-collection/pull/254
+      - add support for extra args by @harryfinbow in https://github.com/grafana/grafana-ansible-collection/pull/259
+    release_date: '2024-08-16'
+  5.5.1:
+    changes:
+      bugfixes:
+      - 'Add check_mode: false to Loki "Scrape GitHub" Task by @winsmith in https://github.com/grafana/grafana-ansible-collection/pull/262'
+    release_date: '2024-09-13'
+  5.6.0:
+    changes:
+      major_changes:
+      - Update Alloy variables to use the `grafana_alloy_` namespace so they are unique by @Aethylred in https://github.com/grafana/grafana-ansible-collection/pull/209
+      - Allow alloy_user_groups variable again by @pjezek in https://github.com/grafana/grafana-ansible-collection/pull/276
+      - Update README.md by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/275
+      - Update main.yml by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/274
+      - Update README.md by @aioue in https://github.com/grafana/grafana-ansible-collection/pull/272
+      - Ensure check-mode works for otel collector by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/264
+      - Bump pylint from 3.2.5 to 3.3.1 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/273
+      - Bump ansible-lint from 24.6.0 to 24.9.2 by @dependabot in https://github.com/grafana/grafana-ansible-collection/pull/270
+      - Alloy Role Improvements by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/281
+      - Fix message argument of dashboard task by @Nemental in https://github.com/grafana/grafana-ansible-collection/pull/256
+      - add grafana_plugins_ops to defaults and docs by @weakcamel in https://github.com/grafana/grafana-ansible-collection/pull/251
+      - fix ansible-lint warnings on Forbidden implicit octal value "0640" by @copolycube in https://github.com/grafana/grafana-ansible-collection/pull/279
+      - add option to populate google_analytics_4_id value by @copolycube in https://github.com/grafana/grafana-ansible-collection/pull/249
+      - Adding "distributor" section support to mimir config file by @HamzaKhait in https://github.com/grafana/grafana-ansible-collection/pull/247
+    release_date: '2024-10-21'
+  5.7.0:
+    changes:
+      major_changes:
+      - Fix 'dict object' has no attribute 'path' when running with --check by @JMLX42 in https://github.com/grafana/grafana-ansible-collection/pull/283
+      - Ability to set custom directory path for \*.alloy config files by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/294
+      - grafana.ini yaml syntax by @intermittentnrg in https://github.com/grafana/grafana-ansible-collection/pull/232
+      - Update grafana template by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/300
+      - Add tests and support version latest by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/299
+      - add loki bloom support by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/298
+    release_date: '2024-12-05'
+  6.0.0:
+    changes:
+      major_changes:
+      - use ansible_facts instead of ansible_* variables by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/296
+      - Fix the markdown code fences for install command by @benmatselby in https://github.com/grafana/grafana-ansible-collection/pull/306
+      - Grafana fix facts in main.yml by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/315
+      - add catalog-info file for internal dev catalog by @theSuess in https://github.com/grafana/grafana-ansible-collection/pull/317
+      - Fix sectionless items edge case by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/303
+      - Fix loki_operational_config section not getting rendered in config.yml by @olegkaspersky in https://github.com/grafana/grafana-ansible-collection/pull/330
+      - Fix tags Inherit default vars by @MJurayev in https://github.com/grafana/grafana-ansible-collection/pull/341
+      - add publish step to GitHub Actions workflow for Ansible Galaxy by @thelooter in https://github.com/grafana/grafana-ansible-collection/pull/340
+      - force temporary directory even in check mode for  dashboards.yml by @cmehat in https://github.com/grafana/grafana-ansible-collection/pull/339
+      - Make systemd create /var/lib/otel-collector by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/336
+      - Validate config by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/327
+      - Add foldersFromFilesStructure option by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/326
+      - Do not log grafana.ini contents when setting facts by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/325
+      - Add tempo role by @CSTDev in https://github.com/grafana/grafana-ansible-collection/pull/323
+      - Make dashboard imports more flexible by @torfbolt in https://github.com/grafana/grafana-ansible-collection/pull/308
+      - integrate sles legacy init-script support by @floerica in https://github.com/grafana/grafana-ansible-collection/pull/184
+      - add user module to create/update/delete grafana users by @mvalois in https://github.com/grafana/grafana-ansible-collection/pull/178
+      - management of the config.river with the conversion of the config.yaml by @lbrule in https://github.com/grafana/grafana-ansible-collection/pull/149
+    release_date: '2025-04-24'
+  6.0.1:
+    changes:
+      minor_changes:
+      - Remove Node modules from Ansible Collection build
+    release_date: '2025-05-06'
+  6.0.2:
+    changes:
+      major_changes:
+      - Update when statement to test for dashboard files found by @hal58th in https://github.com/grafana/grafana-ansible-collection/pull/363
+      - Fix Mimir URL verify task by @parcimonic in https://github.com/grafana/grafana-ansible-collection/pull/358
+      - properly validate config by @pieterlexis-tomtom in https://github.com/grafana/grafana-ansible-collection/pull/354
+      - alloy_readiness_check_use_https by @piotr-g in https://github.com/grafana/grafana-ansible-collection/pull/359
+      - use ansible_facts instead of variables by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/365
+      - Use become false in find task by @santilococo in https://github.com/grafana/grafana-ansible-collection/pull/368
+      - Don't use a proxy when doing Alloy readiness check by @benoitc-croesus in https://github.com/grafana/grafana-ansible-collection/pull/375
+      - mark configuration deployment task with `no_log` by @kkantonop in https://github.com/grafana/grafana-ansible-collection/pull/380
+      - Don't override defaults by @56quarters in https://github.com/grafana/grafana-ansible-collection/pull/382
+      - Add delete protection by @KucicM in https://github.com/grafana/grafana-ansible-collection/pull/381
+      - declare collection dependencies by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/386
+      - Fix some regression introduced by v6 by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/376
+      - template ingester and querier section by @Gufderald in https://github.com/grafana/grafana-ansible-collection/pull/371
+      - ensure alerting provisioning directory exists by @derhuerst in https://github.com/grafana/grafana-ansible-collection/pull/364
+    release_date: '2025-06-23'
+  6.0.3:
+    changes:
+      major_changes:
+      - declare collection dependencies by @ishanjainn in https://github.com/grafana/grafana-ansible-collection/pull/390
+      - improve mimir/alloy examples playbook by @smCloudInTheSky in https://github.com/grafana/grafana-ansible-collection/pull/369
+      - Changes for issue #383. Added alloy_github_api_url varaible. by @ILikePhysics in https://github.com/grafana/grafana-ansible-collection/pull/393
+      - store APT key with .asc extension by @derhuerst in https://github.com/grafana/grafana-ansible-collection/pull/394
+      - declare collection dependencies by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/392
+      - Bump ansible-lint from 24.9.2 to 25.6.1 by @dependabot[bot] in https://github.com/grafana/grafana-ansible-collection/pull/391
+      - Bump brace-expansion from 1.1.11 to 1.1.12 in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/grafana/grafana-ansible-collection/pull/396
+      - ensure IP assert returns boolean result by @aardbol in https://github.com/grafana/grafana-ansible-collection/pull/398
+      - Update Mimir README.md by @Gufderald in https://github.com/grafana/grafana-ansible-collection/pull/397
+    release_date: '2025-07-29'
+  6.0.4:
+    changes:
+      major_changes:
+      - Fixes to foldersFromFilesStructure option by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/351
+      - add macOS support to alloy role by @l50 in https://github.com/grafana/grafana-ansible-collection/pull/418
+      - replace None with [] for safe length checks by @voidquark in https://github.com/grafana/grafana-ansible-collection/pull/426
+      - Add SUSE support to Alloy role by @pozsa in https://github.com/grafana/grafana-ansible-collection/pull/423
+      - Migrate RedHat install to ansible.builtin.package by @r65535 in https://github.com/grafana/grafana-ansible-collection/pull/431
+    release_date: '2025-09-27'
+  6.0.5:
+    changes:
+      major_changes:
+      - Fixes issue by @digiserg in https://github.com/grafana/grafana-ansible-collection/pull/421
+      - use deb822 for newer debian versions by @Lukas-Heindl in https://github.com/grafana/grafana-ansible-collection/pull/440
+      - fix datasource documentation by @jeremad in https://github.com/grafana/grafana-ansible-collection/pull/437
+      - update catalog info by @Duologic in https://github.com/grafana/grafana-ansible-collection/pull/434
+      - Fix Mimir config file validation task by @Windos in https://github.com/grafana/grafana-ansible-collection/pull/428
+      - Import custom dashboards only when directory exists by @mahendrapaipuri in https://github.com/grafana/grafana-ansible-collection/pull/430
+      - fix mimir_download_url_deb & mimir_download_url_rpm by @germebl in https://github.com/grafana/grafana-ansible-collection/pull/400
+      - Use credentials from grafana_ini when importing dashboards by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/402
+      - Fallback to empty dict in case grafana_ini is undefined by @root-expert in https://github.com/grafana/grafana-ansible-collection/pull/403
+      - do not skip scrape latest github version even in check_mode by @cmehat in https://github.com/grafana/grafana-ansible-collection/pull/408
+      - Updated YUM repo urls from `packages.grafana.com` to `rpm.grafana.com` by @DejfCold in https://github.com/grafana/grafana-ansible-collection/pull/414
+    release_date: '2025-10-11'
+  6.0.6:
+    changes:
+      major_changes:
+      - Restore default listen address and port in Mimir by @56quarters in https://github.com/grafana/grafana-ansible-collection/pull/456
+      - fix broken Grafana apt repository addition by @kleini in https://github.com/grafana/grafana-ansible-collection/pull/454
+    release_date: '2025-10-22'
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/changelogs/config.yaml b/ansible_collections/grafana/grafana/changelogs/config.yaml
new file mode 100644
index 00000000..8710b513
--- /dev/null
+++ b/ansible_collections/grafana/grafana/changelogs/config.yaml
@@ -0,0 +1,33 @@
+---
+changelog_filename_template: ../CHANGELOG.rst
+changelog_filename_version_depth: 0
+changes_file: changelog.yaml
+changes_format: combined
+ignore_other_fragment_extensions: true
+keep_fragments: false
+mention_ancestor: true
+new_plugins_after_name: removed_features
+notesdir: fragments
+prelude_section_name: release_summary
+prelude_section_title: Release Summary
+sanitize_changelog: true
+sections:
+  - - major_changes
+    - Major Changes
+  - - minor_changes
+    - Minor Changes
+  - - breaking_changes
+    - Breaking Changes / Porting Guide
+  - - deprecated_features
+    - Deprecated Features
+  - - removed_features
+    - Removed Features (previously deprecated)
+  - - security_fixes
+    - Security Fixes
+  - - bugfixes
+    - Bugfixes
+  - - known_issues
+    - Known Issues
+title: Grafana.Grafana
+trivial_section_name: trivial
+use_fqcn: true
diff --git a/ansible_collections/grafana/grafana/examples/agent-basic-no-options.yaml b/ansible_collections/grafana/grafana/examples/agent-basic-no-options.yaml
new file mode 100644
index 00000000..7ccc5fb7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/agent-basic-no-options.yaml
@@ -0,0 +1,10 @@
+---
+- hosts: all
+  become: true
+  # pre_tasks happen before roles are executed / applied
+  pre_tasks: []
+  # roles are ran after pre_tasks
+  roles:
+    - grafana_agent
+  # tasks are ran after roles
+  tasks: []
diff --git a/ansible_collections/grafana/grafana/examples/agent-mode-flow-with-dynamic-conf.yaml b/ansible_collections/grafana/grafana/examples/agent-mode-flow-with-dynamic-conf.yaml
new file mode 100644
index 00000000..be469d0b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/agent-mode-flow-with-dynamic-conf.yaml
@@ -0,0 +1,12 @@
+- hosts: all
+  tasks:
+    - name: Install Grafana Agent
+      ansible.builtin.include_role:
+        name: grafana.grafana.grafana_agent
+      vars:
+        grafana_agent_mode: flow
+        # Change config file on the host to .river
+        grafana_agent_config_filename: config.river
+        # Remove default flags
+        grafana_agent_flags_extra:
+          server.http.listen-addr: '0.0.0.0:12345'
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/examples/agent-send-to-grafana-cloud.yaml b/ansible_collections/grafana/grafana/examples/agent-send-to-grafana-cloud.yaml
new file mode 100644
index 00000000..f90dda9f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/agent-send-to-grafana-cloud.yaml
@@ -0,0 +1,95 @@
+---
+- hosts: all
+  become: true
+  vars:
+    grafana_agent_metrics_config:
+      global:
+        external_labels:
+          datacenter: primary
+          cluster: my-cluster
+          instance: "{{ ansible_host }}"
+        remote_write:
+          - url: https://prometheus-<your region>.grafana.net/api/prom/push
+            basic_auth:
+              username: "1234567"    # your username / instanceID
+              password: "..."   # your grafana.com token
+      configs:
+        - name: local
+          scrape_configs:
+            # scrape a an application on the localhost
+            - job_name: my-app
+              metrics_path: /metrics
+              static_configs:
+                - targets:
+                    - localhost:8080
+              relabel_configs: []
+              metric_relabel_configs: []
+
+    grafana_agent_logs_config:
+      global:
+        clients:
+          - url: https://logs-<your region>.grafana.net/loki/api/v1/push
+            basic_auth:
+              username: "1234567"    # your username / instanceID
+              password: "..."   # your grafana.com token
+      configs:
+        - name: local
+          positions:
+            filename: /tmp/positions.yaml
+          target_config:
+            sync_period: 10s
+          scrape_configs:
+            # scrape all of the log files in /var/log on the localhost
+            - job_name: log-files
+              static_configs:
+                - targets:
+                    - localhost
+                  labels:
+                    job: var-logs
+                    instance: "{{ ansible_host }}"
+                    __path__: /var/log/*.log
+            # scrape all of the journal logs on localhost
+            - job_name: systemd-journal
+              journal:
+                max_age: 12h
+                labels:
+                  job: systemd-journal
+              relabel_configs:
+                - source_labels:
+                    - __journal__systemd_unit
+                  target_label: systemd_unit
+                - source_labels:
+                    - __journal__hostname
+                  target_label: hostname
+                - source_labels:
+                    - __journal_syslog_identifier
+                  target_label: syslog_identifier
+                - source_labels:
+                    - __journal__pid
+                  target_label: pid
+                - source_labels:
+                    - __journal__uid
+                  target_label: uid
+                - source_labels:
+                    - __journal__transport
+                  target_label: transport
+    grafana_agent_integrations_config:
+      scrape_integrations: true
+      # get metrics about the agent
+      agent:
+        enabled: true
+        relabel_configs: []
+        metric_relabel_configs: []
+      # get node exporter metrics
+      node_exporter:
+        enabled: true
+        relabel_configs: []
+        metric_relabel_configs: []
+
+  # pre_tasks happen before roles are executed / applied
+  pre_tasks: []
+  # roles are ran after pre_tasks
+  roles:
+    - grafana_agent
+  # tasks are ran after roles
+  tasks: []
diff --git a/ansible_collections/grafana/grafana/examples/alloy.yaml b/ansible_collections/grafana/grafana/examples/alloy.yaml
new file mode 100644
index 00000000..cd156a8f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/alloy.yaml
@@ -0,0 +1,17 @@
+---
+- name: Deploy alloy
+  hosts: all
+  become: true
+  roles:
+    - role: grafana.grafana.alloy
+  vars:
+    alloy_config: |
+      prometheus.scrape "default" {
+          targets = [{"__address__" = "127.0.0.1:12345"}]
+          forward_to = [prometheus.remote_write.prom.receiver]
+      }
+      prometheus.remote_write "prom" {
+        endpoint {
+            url = "http://mimir:9009/api/v1/push"
+        }
+      }
diff --git a/ansible_collections/grafana/grafana/examples/ansible.cfg b/ansible_collections/grafana/grafana/examples/ansible.cfg
new file mode 100644
index 00000000..f0e70e2b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/ansible.cfg
@@ -0,0 +1,32 @@
+[defaults]
+# (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`.  This is only relevant for those two modules.
+ansible_managed="Ansible managed file.  Be wary of possible overwrites."
+
+# (boolean) Toggle to control the showing of deprecation warnings
+deprecation_warnings=False
+
+# (boolean) Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host
+host_key_checking=False
+
+# (pathlist) Comma separated list of Ansible inventory sources
+inventory=hosts
+
+# (pathspec) Colon separated paths in which Ansible will search for Modules.
+library=../plugins/modules
+
+# (path) File to which Ansible will log on the controller. When empty logging is disabled.
+log_path=./ansible.log
+
+# (pathspec) Colon separated paths in which Ansible will search for Roles.
+roles_path=../roles
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+# if True, make ansible use scp if the connection type is ssh
+# (default is sftp)
+scp_if_ssh = True
diff --git a/ansible_collections/grafana/grafana/examples/loki-basic-no-options.yml b/ansible_collections/grafana/grafana/examples/loki-basic-no-options.yml
new file mode 100644
index 00000000..cda128da
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/loki-basic-no-options.yml
@@ -0,0 +1,6 @@
+---
+- name: Deploy Loki using the default configuration
+  hosts: all
+  become: true
+  roles:
+    - role: grafana.grafana.loki
diff --git a/ansible_collections/grafana/grafana/examples/loki-local-filesystem-with-retention-and-alert.yml b/ansible_collections/grafana/grafana/examples/loki-local-filesystem-with-retention-and-alert.yml
new file mode 100644
index 00000000..f3771881
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/loki-local-filesystem-with-retention-and-alert.yml
@@ -0,0 +1,70 @@
+---
+- name: Deploy Loki using the local filesystem
+  hosts: all
+  become: true
+  roles:
+    - role: grafana.grafana.loki
+  vars:
+    loki_querier:
+      max_concurrent: 16
+      engine:
+        max_look_back_period: 8760h
+    loki_storage_config:
+      tsdb_shipper:
+        active_index_directory: "{{ loki_working_path }}/tsdb-index"
+        cache_location: "{{ loki_working_path }}/tsdb-cache"
+      filesystem:
+        directory: "{{ loki_working_path }}/chunks"
+    loki_ingester:
+      wal:
+        enabled: true
+        dir: "{{ loki_working_path }}/wal"
+      lifecycler:
+        address: 127.0.0.1
+        ring:
+          kvstore:
+            store: inmemory
+          replication_factor: 1
+        final_sleep: 0s
+      chunk_idle_period: 1h
+      max_chunk_age: 2h
+      chunk_target_size: 1048576
+      query_store_max_look_back_period: 8760h
+    loki_limits_config:
+      split_queries_by_interval: 0
+      reject_old_samples: true
+      reject_old_samples_max_age: 168h
+      max_query_length: 0
+      max_query_series: 50000
+      retention_period: 8760h
+      allow_structured_metadata: false
+      max_query_lookback: 8760h
+    loki_compactor:
+      working_directory: "{{ loki_working_path }}/compactor"
+      compaction_interval: 10m
+      retention_enabled: true
+      retention_delete_delay: 2h
+      retention_delete_worker_count: 150
+      delete_request_store: filesystem
+    loki_common:
+      path_prefix: "{{ loki_working_path }}"
+      storage:
+        filesystem:
+          rules_directory: "{{ loki_working_path }}/rules"
+      replication_factor: 1
+      ring:
+        instance_addr: 127.0.0.1
+        kvstore:
+          store: inmemory
+    loki_ruler_alerts:
+      - name: Logs.sshd
+        rules:
+        - alert: SshLoginFailed
+          expr: |
+            count_over_time({job=~"secure"} |="sshd[" |~": Failed|: Invalid|: Connection closed by authenticating user" | __error__="" [15m]) > 6
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{% raw %}SSH authentication failure (instance {{ $labels.instance }}).{% endraw %}"
+            description: "{% raw %}Increase of SSH authentication failures in last 15 minutes\\n VALUE = {{ $value }}{% endraw %}"
diff --git a/ansible_collections/grafana/grafana/examples/mimir-3-hosts.yaml b/ansible_collections/grafana/grafana/examples/mimir-3-hosts.yaml
new file mode 100644
index 00000000..a5ff1858
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/mimir-3-hosts.yaml
@@ -0,0 +1,32 @@
+- name: Install mimir
+  hosts: [mimir-1, mimir-2, mimir-3]
+  become: true
+
+  tasks:
+    - name: Install mimir
+      ansible.builtin.include_role:
+        name: grafana.grafana.mimir
+      vars:
+        # Run against minio blob store backed, see readme for local setup or mimir docs for Azure,   AWS, etc.
+        mimir_storage:
+          storage:
+            backend: s3
+            s3:
+              endpoint: localhost:9000
+              access_key_id: testtest
+              secret_access_key: testtest
+              insecure: true
+              bucket_name: mimir
+
+        # Blocks storage requires a prefix when using a common object storage bucket.
+        mimir_blocks_storage:
+          storage_prefix: blocks
+          tsdb:
+            dir: "{{ mimir_working_path}}/ingester"
+
+        # Use memberlist, a gossip-based protocol, to enable the 3 Mimir replicas to communicate
+        mimir_memberlist:
+          join_members:
+            - mimir-1:7946
+            - mimir-2:7946
+            - mimir-3:7946
diff --git a/ansible_collections/grafana/grafana/examples/mimir-single-host.yaml b/ansible_collections/grafana/grafana/examples/mimir-single-host.yaml
new file mode 100644
index 00000000..36915f8e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/mimir-single-host.yaml
@@ -0,0 +1,34 @@
+- name: Install mimir
+  hosts: monitoring-node
+  become: true
+
+  tasks:
+    - name: Install mimir
+      ansible.builtin.include_role:
+        name: grafana.grafana.mimir
+      vars:
+        mimir_storage:
+          storage:
+            backend: s3
+            s3:
+              endpoint: "{{ s3_endpoint }}"
+              access_key_id: "{{ vault_s3_access }}"
+              secret_access_key: "{{ vault_s3_secret }}"
+              bucket_name: your-mimir-bucket
+
+        # Blocks storage requires a prefix when using a common object storage bucket.
+        mimir_blocks_storage:
+          storage_prefix: blocks
+          tsdb:
+            dir: "{{ mimir_working_path}}/ingester"
+
+        mimir_limits:
+          # set metrics retenion to 30d
+          compactor_blocks_retention_period: 30d
+          max_label_names_per_series: 100
+
+        # this setting is required to prevent mimir from attempting
+        # to make quorum
+        mimir_ingester:
+          ring:
+            replication_factor: 1
diff --git a/ansible_collections/grafana/grafana/examples/monitor-multiple-instance-otel.md b/ansible_collections/grafana/grafana/examples/monitor-multiple-instance-otel.md
new file mode 100644
index 00000000..89762ca1
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/monitor-multiple-instance-otel.md
@@ -0,0 +1,193 @@
+# Scaling OpenTelemetry Collector Deployments Using Grafana Ansible Collection
+This guide is focused on scaling the OpenTelemetry Collector deployment across various Linux hosts by leveraging Ansible, to function both as gateways and agents within your observability architecture. Utilizing the OpenTelemetry Collector in this dual capacity enables a robust collection and forwarding of metrics, traces, and logs to analysis and visualization platforms, such as Grafana Cloud. 
+
+Here, we outline a strategy for deploying and managing the OpenTelemetry Collector's scalable instances throughout your infrastructure with Ansible, enhancing your overall monitoring strategy and data visualization capabilities in Grafana Cloud.
+
+## Before You Begin
+
+To follow this guide, ensure you have:
+
+- Linux hosts.
+- SSH access to each of these Linux hosts.
+- Account permissions to install and configure the OpenTelemetry Collector on these hosts.
+
+## Install the Grafana Ansible collection
+
+The [Grafana Agent role](https://github.com/grafana/grafana-ansible-collection/tree/main/roles/grafana_agent) is available in the Grafana Ansible collection as of the 1.1.0 release.
+
+To install the Grafana Ansible collection, run this command:
+
+```
+ansible-galaxy collection install grafana.grafana
+```
+
+## Create an Ansible inventory file
+
+Next, you will set up your hosts and create an inventory file.
+
+1. Create your hosts and add public SSH keys to them.
+
+  This example uses eight Linux hosts: two Ubuntu hosts, two CentOS hosts, two Fedora hosts, and two Debian hosts.
+
+1. Create an Ansible inventory file.
+
+  The Ansible inventory, which resides in a file named `inventory`, looks similar to this:
+
+  ```
+  146.190.208.216    # hostname = ubuntu-01
+  146.190.208.190    # hostname = ubuntu-02
+  137.184.155.128    # hostname = centos-01
+  146.190.216.129    # hostname = centos-02
+  198.199.82.174     # hostname = debian-01
+  198.199.77.93      # hostname = debian-02
+  143.198.182.156    # hostname = fedora-01
+  143.244.174.246    # hostname = fedora-02
+  ```
+
+  > **Note**: If you are copying the above file, remove the comments (#).
+
+1. Create an `ansible.cfg` file within the same directory as `inventory`, with the following values:
+  ```
+  [defaults]
+  inventory = inventory  # Path to the inventory file
+  private_key_file = ~/.ssh/id_rsa   # Path to my private SSH Key
+  remote_user=root
+  ```
+
+## Use the OpenTelemetry Collector Ansible Role
+
+Next, you'll define an Ansible playbook to apply your chosen or created OpenTelemetry Collector role across your hosts.
+
+Create a file named `deploy-opentelemetry.yml` in the same directory as your `ansible.cfg` and `inventory`. 
+
+```yaml
+- name: Install OpenTelemetry Collector
+  hosts: all
+  become: true
+
+  vars:
+    grafana_cloud_api_key: <Your Grafana.com API Key>        # Example - eyJrIjoiYjI3NjI5MGQxZTcyOTIxYTc0MDgzMGVhNDhlODNhYzA5OTk2Y2U5YiIsIm4iOiJhbnNpYmxldGVzdCIsImlkIjo2NTI5
+    metrics_username: <prometheus-username>                  # Example - 825019
+    logs_username: <loki-username>                           # Example - 411478
+    prometheus_url: <prometheus-push-url>                    # Example - https://prometheus-us-central1.grafana.net/api/prom/push
+    loki_url: <loki-push-url>                                # Example - https://logs-prod-017.grafana.net/loki/api/v1/push
+    tempo_url: <tempo-push-url>                              # Example - tempo-prod-04-prod-us-east-0.grafana.net:443
+    traces_username: <tempo-username>                         # Example - 411478
+
+  tasks:
+    - name: Install OpenTelemetry Collector
+      ansible.builtin.include_role:
+        name: grafana.grafana.opentelemetry_collector
+      vars:
+        otel_collector_extensions:
+          basicauth/grafana_cloud_tempo:
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/basicauthextension
+            client_auth:
+              username: "{{ traces_username }}"
+              password: "{{ grafana_cloud_api_key }}"
+          basicauth/grafana_cloud_prometheus:
+            client_auth:
+              username: "{{ prometheus_url }}"
+              password: "{{ grafana_cloud_api_key }}"
+          basicauth/grafana_cloud_loki:
+            client_auth:
+              username: "{{ logs_username }}"
+              password: "{{ grafana_cloud_api_key }}"
+
+
+        otel_collector_receivers:
+          otlp:
+            # https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver/otlpreceiver
+            protocols:
+              grpc:
+              http:
+          hostmetrics:
+            # Optional. Host Metrics Receiver added as an example of Infra Monitoring capabilities of the OpenTelemetry Collector
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/hostmetricsreceiver
+            scrapers:
+              load:
+              memory:
+
+        otel_collector_processors:
+          batch:
+            # https://github.com/open-telemetry/opentelemetry-collector/tree/main/processor/batchprocessor
+          resourcedetection:
+            # Enriches telemetry data with resource information from the host
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/resourcedetectionprocessor
+            detectors: ["env", "system"]
+            override: false
+          transform/add_resource_attributes_as_metric_attributes:
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/transformprocessor
+            error_mode: ignore
+            metric_statements:
+              - context: datapoint
+                statements:
+                  - set(attributes["deployment.environment"], resource.attributes["deployment.environment"])
+                  - set(attributes["service.version"], resource.attributes["service.version"])
+
+        otel_collector_exporters:
+          otlp/grafana_cloud_traces:
+            # https://github.com/open-telemetry/opentelemetry-collector/tree/main/exporter/otlpexporter
+            endpoint: "{{ tempo_url }}"
+            auth:
+              authenticator: basicauth/grafana_cloud_tempo
+
+          loki/grafana_cloud_logs:
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/lokiexporter
+            endpoint: "{{ loki_url }}"
+            auth:
+              authenticator: basicauth/grafana_cloud_loki
+
+          prometheusremotewrite/grafana_cloud_metrics:
+            # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/exporter/prometheusremotewriteexporter
+            endpoint: "{{ prometheus_url }}"
+            add_metric_suffixes: false
+            auth:
+              authenticator: basicauth/grafana_cloud_prometheus
+
+
+        otel_collector_service:
+          extensions: [basicauth/grafana_cloud_tempo, basicauth/grafana_cloud_prometheus, basicauth/grafana_cloud_loki]
+          pipelines:
+            traces:
+              receivers: [otlp]
+              processors: [resourcedetection, batch]
+              exporters: [otlp/grafana_cloud_traces]
+            metrics:
+              receivers: [otlp, hostmetrics]
+              processors: [resourcedetection, transform/add_resource_attributes_as_metric_attributes, batch]
+              exporters: [prometheusremotewrite/grafana_cloud_metrics]
+            logs:
+              receivers: [otlp]
+              processors: [resourcedetection, batch]
+              exporters: [loki/grafana_cloud_logs]
+```
+
+> **Note:** You'll need to adjust the configuration to match the specific telemetry data you intend to collect and where you plan to forward it. The configuration snippet above is a basic example designed for traces, logs and metrics collection via OTLP and forwarding to Grafana Cloud. 
+
+
+## Running the Ansible Playbook
+
+Deploy the OpenTelemetry Collector across your hosts by executing:
+
+```sh
+ansible-playbook deploy-opentelemetry.yml
+```
+
+## Verifying Data Ingestion into Grafana Cloud
+
+Once you've deployed the OpenTelemetry Collector and configured it to forward data to Grafana Cloud, you can verify the ingestion:
+
+- Log into your Grafana Cloud instance.
+- Navigate to the **Explore** section.
+- Select your Grafana Cloud Prometheus data source from the dropdown menu.
+- Execute a query to confirm the reception of metrics, e.g., `{instance="ubuntu-01"}` for a specific host's metrics.
+
+## Visualizing Metrics and Logs in Grafana
+
+With data successfully ingested into Grafana Cloud, you can create custom dashboards to visualize the metrics, logs and traces received from your OpenTelemetry Collector. Utilize Grafana's powerful query builder and visualization tools to derive insights from your data effectively.
+
+- Consider creating dashboards that offer a comprehensive overview of your infrastructure's health and performance.
+- Utilize Grafana's alerting features to proactively manage and respond to issues identified through the OpenTelemetry data.
+
+This guide simplifies the deployment of the OpenTelemetry Collector across multiple Linux hosts using Ansible and illustrates how to visualize collected telemetry data in Grafana Cloud. Tailor the Ansible roles, OpenTelemetry Collector configurations, and Grafana dashboards to suit your specific monitoring and observability requirements.
diff --git a/ansible_collections/grafana/grafana/examples/monitor-multiple-instances-agent.md b/ansible_collections/grafana/grafana/examples/monitor-multiple-instances-agent.md
new file mode 100644
index 00000000..d624c7ec
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/monitor-multiple-instances-agent.md
@@ -0,0 +1,184 @@
+# Monitoring multiple Linux hosts with Grafana Agent Role
+
+Monitoring with Grafana Agents across multiple Linux hosts can be difficult.
+To make it easier, you can use the Grafana Agent role with the Grafana Ansible collection.
+This guide shows how to use the `grafana_agent` Ansible role to deploy and manage Grafana Agents across multiple Linux hosts so you can monitor them in Grafana.
+
+## Before you begin
+
+Before you begin, you should have:
+
+- Linux hosts
+- SSH access to the Linux hosts
+- Account permissions sufficient to install and use Grafana Agent on the Linux hosts
+
+## Install the Grafana Ansible collection
+
+The [Grafana Agent role](https://github.com/grafana/grafana-ansible-collection/tree/main/roles/grafana_agent) is available in the Grafana Ansible collection as of the 1.1.0 release.
+
+To install the Grafana Ansible collection, run this command:
+
+```
+ansible-galaxy collection install grafana.grafana:2.0.0
+```
+
+## Create an Ansible inventory file
+
+Next, you will set up your hosts and create an inventory file.
+
+1. Create your hosts and add public SSH keys to them.
+
+  This example uses eight Linux hosts: two Ubuntu hosts, two CentOS hosts, two Fedora hosts, and two Debian hosts.
+
+1. Create an Ansible inventory file.
+
+  The Ansible inventory, which resides in a file named `inventory`, looks similar to this:
+
+  ```
+  146.190.208.216    # hostname = ubuntu-01
+  146.190.208.190    # hostname = ubuntu-02
+  137.184.155.128    # hostname = centos-01
+  146.190.216.129    # hostname = centos-02
+  198.199.82.174     # hostname = debian-01
+  198.199.77.93      # hostname = debian-02
+  143.198.182.156    # hostname = fedora-01
+  143.244.174.246    # hostname = fedora-02
+  ```
+
+  > **Note**: If you are copying the above file, remove the comments (#).
+
+1. Create an `ansible.cfg` file within the same directory as `inventory`, with the following values:
+  ```
+  [defaults]
+  inventory = inventory  # Path to the inventory file
+  private_key_file = ~/.ssh/id_rsa   # Path to my private SSH Key
+  remote_user=root
+  ```
+
+## Use the Grafana Agent Ansible role
+
+Next you will create an Ansible playbook that calls the `grafana_agent` role from the `grafana.grafana` Ansible collection.
+
+To use the Grafana Agent Ansible role:
+
+1. Create a file named `deploy-agent.yml` in the same directory as `ansible.cfg` and `inventory` and add the configuration below.
+
+  ```yaml
+    - name: Install Grafana Agent
+      hosts: all
+      become: true
+    
+      vars:
+        grafana_cloud_api_key: <Your Grafana.com API Key>        # Example - eyJrIjoiYjI3NjI5MGQxZTcyOTIxYTc0MDgzMGVhNDhlODNhYzA5OTk2Y2U5YiIsIm4iOiJhbnNpYmxldGVzdCIsImlkIjo2NTI5
+        metrics_username: <prometheus-username>                  # Example - 825019
+        logs_username: <loki-username>                           # Example - 411478
+        prometheus_url: <prometheus-push-url>                    # Example - https://prometheus-us-central1.grafana.net/api/prom/push
+        loki_url: <loki-push-url>                                # Example - https://logs-prod-017.grafana.net/loki/api/v1/push
+      tasks: 
+        - name: Install Grafana Agent
+          ansible.builtin.include_role:
+            name: grafana.grafana.grafana_agent
+          vars:
+            grafana_agent_metrics_config:
+              configs:
+                - name: integrations
+                  remote_write:
+                    - basic_auth:
+                        password: "{{ grafana_cloud_api_key }}"
+                        username: "{{ metrics_username }}"
+                      url: "{{ prometheus_url }}"
+
+              global:
+                scrape_interval: 60s
+              wal_directory: /tmp/grafana-agent-wal
+
+            grafana_agent_logs_config:
+              configs:
+                - name: default
+                  clients:
+                    - basic_auth:
+                        password: "{{ grafana_cloud_api_key }}"
+                        username: "{{ logs_username }}"
+                      url: "{{ loki_url }}"
+                  positions:
+                    filename: /tmp/positions.yaml
+                  target_config:
+                    sync_period: 10s
+                  scrape_configs:
+                    - job_name: varlogs
+                      static_configs:
+                        - targets: [localhost]
+                          labels:
+                            instance: ${HOSTNAME:-default}
+                            job: varlogs
+                            __path__: /var/log/*log
+            grafana_agent_integrations_config:
+              node_exporter:
+                enabled: true
+                instance: ${HOSTNAME:-default}
+              prometheus_remote_write:
+                - basic_auth:
+                    password: "{{ grafana_cloud_api_key }}"
+                    username: "{{ metrics_username }}"
+                  url: "{{ prometheus_url }}"
+  ```
+
+  The playbook calls the `grafana_agent` role from the `grafana.grafana` Ansible collection. 
+  The Agent configuration in this playbook send metrics and logs from the linux hosts to your Prometheus and Loki data sources.
+
+  Refer to the [Grafana Ansible documentation](https://github.com/grafana/grafana-ansible-collection/tree/main/roles/grafana_agent#role-variables) to understand the other variables you can pass to the `grafana_agent` role.
+
+  When deploying the Agent across multiple instances for monitoring them, It is essential that the Agent is able to auto-detect the hostname for ease in monitoring.
+  Notice that the label `instance` has been set to the value `${HOSTNAME:-default}`, which is substituted by the value of the HOSTNAME environment variable in the Linux host.
+  To read more about the variable substitution, refer to the Grafana Agent [node_exporter_config](https://grafana.com/docs/agent/latest/configuration/integrations/node-exporter-config/) documentation.
+
+1. To run the playbook, run this command:
+
+  ```
+  ansible-playbook deploy-agent.yml
+  ```
+
+  > **Note:** You can place the `deploy-agent.yml`, `ansible.cfg` and `inventory` files in different directories based on your needs.
+
+## Check that logs and metrics are being ingested into Prometheus and Loki
+
+Logs and metrics will soon be available in Grafana if your Promtheus and Loki datasources are added.
+To test this, use the Explore feature.
+Click the Explore icon (compass icon) in the vertical navigation bar.
+
+### Check logs
+
+To check logs:
+
+1. Use the dropdown menu at the top of the page to select your Loki logs data source.
+
+1. In the log browser, run the query `{instance="centos-01"}` where centos-01 is the hostname of one of the Linux hosts.
+
+  If you see log lines (shown in the example below), logs are being received.
+
+  ![Logs](https://grafana.com/static/assets/img/blog/ansible-to-manage-agent1.png) 
+
+  If no log lines appear, logs are not being collected.
+
+### Check metrics
+
+To check metrics:
+
+1. Use the dropdown menu at the top of the page to select your Prometheus data source.
+
+1. Run the query `{instance="centos-01"}` where centos-01 is the hostname of one of the Linux hosts.
+
+  If you see a metrics graph and table (shown in the example below), metrics are being received.
+
+  ![Metrics](https://grafana.com/static/assets/img/blog/ansible-to-manage-agent2.png)
+
+  If no metrics appear, metrics are not being collected.
+
+### View dashboards
+
+Now that you have logs and metrics in Grafana, you can use dashboards to view them.
+Here's an example of one of the prebuilt dashboards included with the Linux integration in Grafana Cloud:
+
+![Dashboard](https://grafana.com/static/assets/img/blog/ansible-to-manage-agent3.png)
+
+Using the **Instance** dropdown in the dashboard, you can select from the hostnames where you deployed Grafana Agent and start monitoring them.
diff --git a/ansible_collections/grafana/grafana/examples/opentelemetry-collector.yml b/ansible_collections/grafana/grafana/examples/opentelemetry-collector.yml
new file mode 100644
index 00000000..445a3a26
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/opentelemetry-collector.yml
@@ -0,0 +1,43 @@
+- name: Install OpenTelemetry Collector
+  hosts: all
+  become: true
+
+  tasks:
+    - name: Install OpenTelemetry Collector
+      ansible.builtin.include_role:
+        name: grafana.grafana.opentelemetry_collector
+      vars:
+        otel_collector_receivers:
+          otlp:
+            protocols:
+              grpc:
+                endpoint: 0.0.0.0:4317
+              http:
+                endpoint: 0.0.0.0:4318
+        otel_collector_processors:
+          batch:
+
+        otel_collector_exporters:
+          otlp:
+            endpoint: otelcol:4317
+
+        otel_collector_extensions:
+          health_check:
+          pprof:
+          zpages:
+
+        otel_collector_service:
+          extensions: [health_check, pprof, zpages]
+          pipelines:
+            traces:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
+            metrics:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
+            logs:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
diff --git a/ansible_collections/grafana/grafana/examples/promtail-multiple-logs.yml b/ansible_collections/grafana/grafana/examples/promtail-multiple-logs.yml
new file mode 100644
index 00000000..ffef30d9
--- /dev/null
+++ b/ansible_collections/grafana/grafana/examples/promtail-multiple-logs.yml
@@ -0,0 +1,24 @@
+---
+- name: Deploy Promtail to ship logs to the local Loki instance
+  hosts: all
+  become: true
+  roles:
+    - role: grafana.grafana.promtail
+  vars:
+    promtail_clients:
+      - url: http://localhost:3100/loki/api/v1/push
+    promtail_scrape_configs:
+      - job_name: system
+        static_configs:
+          - targets:
+              - localhost
+            labels:
+              job: messages
+              instance: "{{ ansible_facts['fqdn'] }}"
+              __path__: /var/log/messages
+          - targets:
+              - localhost
+            labels:
+              job: nginx
+              instance: "{{ ansible_facts['fqdn'] }}"
+              __path__: /var/log/nginx/*.log
diff --git a/ansible_collections/grafana/grafana/meta/runtime.yml b/ansible_collections/grafana/grafana/meta/runtime.yml
new file mode 100644
index 00000000..08867fae
--- /dev/null
+++ b/ansible_collections/grafana/grafana/meta/runtime.yml
@@ -0,0 +1,2 @@
+---
+requires_ansible: ">=2.12.0,<3.0.0"
diff --git a/ansible_collections/grafana/grafana/package.json b/ansible_collections/grafana/grafana/package.json
new file mode 100644
index 00000000..556b3f23
--- /dev/null
+++ b/ansible_collections/grafana/grafana/package.json
@@ -0,0 +1,26 @@
+{
+  "name": "grafana-ansible-collection",
+  "version": "2.1.4",
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/grafana/grafana-ansible-collection.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/grafana/grafana-ansible-collection/issues"
+  },
+  "homepage": "https://github.com/grafana/grafana-ansible-collection#readme",
+  "dependencies": {
+    "editorconfig-checker": "^5.0.1",
+    "markdownlint-cli2": "^0.6.0",
+    "textlint": "^12.5.1",
+    "textlint-rule-common-misspellings": "^1.0.1",
+    "textlint-rule-no-todo": "^2.0.1",
+    "textlint-rule-terminology": "^3.0.4"
+  }
+}
diff --git a/ansible_collections/grafana/grafana/plugins/modules/alert_contact_point.py b/ansible_collections/grafana/grafana/plugins/modules/alert_contact_point.py
new file mode 100644
index 00000000..9b9a1ca3
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/alert_contact_point.py
@@ -0,0 +1,257 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: alert_contact_point
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Alerting Contact points in Grafana
+description:
+  - Create, Update and delete Contact points using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  name:
+    description:
+      - Sets the name of the contact point.
+    type: str
+    required: true
+  uid:
+    description:
+      - Sets the UID of the Contact point.
+    type: str
+    required: true
+  type:
+    description:
+      - Sets Contact point type.
+    type: str
+    required: true
+  settings:
+    description:
+      - Sets Contact point settings.
+    type: dict
+    required: true
+  disableResolveMessage:
+    description:
+      - When set to C(true), Disables the resolve message [OK] that is sent when alerting state returns to C(false).
+    type: bool
+    default: false
+  grafana_api_key:
+    description:
+      - Grafana API Key used to authenticate with Grafana.
+    type: str
+    required : true
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  state:
+    description:
+      - State for the Grafana Alert Contact Point.
+    choices: [ present, absent ]
+    type: str
+    default: present
+'''
+
+EXAMPLES = '''
+- name: Create/Update Alerting contact point
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: "ops@mydomain.com,devs@mydomain.com"
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+
+- name: Delete Alerting contact point
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: "ops@mydomain.com,devs@mydomain.com"
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing Contact point information information.
+  returned: On success
+  type: dict
+  contains:
+    disableResolveMessage:
+      description: When set to True, Disables the resolve message [OK] that is sent when alerting state returns to false.
+      returned: state is present and on success
+      type: bool
+      sample: false
+    name:
+      description: The name for the contact point.
+      returned: state is present and on success
+      type: str
+      sample: ops-email
+    settings:
+      description: Contains contact point settings.
+      returned: state is present and on success
+      type: dict
+      sample: {
+       addresses: "ops@mydomain.com,devs@mydomain.com"
+      }
+    uid:
+      description: The UID for the contact point.
+      returned: state is present and on success
+      type: str
+      sample: opsemail
+    type:
+      description: The type of contact point.
+      returned: state is present and on success
+      type: str
+      sample: email
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_alert_contact_point(module):
+    body = {
+        'Name': module.params['name'],
+        'UID': module.params['uid'],
+        'type': module.params['type'],
+        'settings': module.params['settings'],
+        'DisableResolveMessage': module.params['disableResolveMessage']
+    }
+
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points'
+
+    headers = {
+        'Authorization': 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+    result = requests.post(api_url, json=body, headers=headers)
+
+    if result.status_code == 202:
+        return False, True, result.json()
+    elif result.status_code == 500:
+        sameConfig = False
+        contactPointInfo = {}
+
+        api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points'
+
+        result = requests.get(api_url, headers=headers)
+
+        for contact_points in result.json():
+            if contact_points['uid'] == module.params['uid']:
+                if (contact_points['name'] == module.params['name'] and contact_points['type'] == module.params['type'] and contact_points['settings']
+                   and contact_points['settings'] == module.params['settings']
+                   and contact_points['disableResolveMessage'] == module.params['disableResolveMessage']):
+
+                    sameConfig = True
+                    contactPointInfo = contact_points
+        if sameConfig:
+            return False, False, contactPointInfo
+        else:
+            api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points/' + module.params['uid']
+
+            result = requests.put(api_url, json=body, headers=headers)
+
+            if result.status_code == 202:
+                api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points'
+
+                result = requests.get(api_url, headers=headers)
+
+                for contact_points in result.json():
+                    if contact_points['uid'] == module.params['uid']:
+                        return False, True, contact_points
+            else:
+                return True, False, {"status": result.status_code, 'response': result.json()['message']}
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_alert_contact_point(module):
+    already_exists = False
+
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points'
+    headers = {
+        'Authorization': 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+
+    result = requests.get(api_url, headers=headers)
+
+    for contact_points in result.json():
+        if contact_points['uid'] == module.params['uid']:
+            already_exists = True
+    if already_exists:
+        api_url = module.params['grafana_url'] + '/api/v1/provisioning/contact-points/' + module.params['uid']
+
+        result = requests.delete(api_url, headers=headers)
+
+        if result.status_code == 202:
+            return False, True, result.json()
+        else:
+            return True, False, {"status": result.status_code, 'response': result.json()['message']}
+    else:
+        return True, False, "Alert Contact point does not exist"
+
+
+def main():
+    module_args = dict(
+        name=dict(type='str', required=True),
+        uid=dict(type='str', required=True),
+        type=dict(type='str', required=True),
+        settings=dict(type='dict', required=True),
+        disableResolveMessage=dict(type='bool', required=False, default=False),
+        grafana_url=dict(type='str', required=True),
+        grafana_api_key=dict(type='str', required=True, no_log=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_alert_contact_point,
+        "absent": absent_alert_contact_point,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/alert_notification_policy.py b/ansible_collections/grafana/grafana/plugins/modules/alert_notification_policy.py
new file mode 100644
index 00000000..779bae3f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/alert_notification_policy.py
@@ -0,0 +1,242 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: alert_notification_policy
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Alerting Policies points in Grafana
+description:
+  - Set the notification policy tree using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  Continue:
+    description:
+      - Continue matching subsequent sibling nodes if set to C(true).
+    type: bool
+    default: false
+  groupByStr:
+    description:
+      - List of string.
+      - Group alerts when you receive a notification based on labels. If empty it will be inherited from the parent policy.
+    type: list
+    default: []
+    elements: str
+  muteTimeIntervals:
+    description:
+      - List of string.
+      - Sets the mute timing for the notfification policy.
+    type: list
+    default: []
+    elements: str
+  rootPolicyReceiver:
+    description:
+      - Sets the name of the contact point to be set as the default receiver.
+    type: str
+    default: grafana-default-email
+  routes:
+    description:
+      - List of objects
+      - Sets the Route that contains definitions of how to handle alerts.
+    type: list
+    required: true
+    elements: dict
+  groupInterval:
+    description:
+      - Sets the wait time to send a batch of new alerts for that group after the first notification was sent. Inherited from the parent policy if empty.
+    type: str
+    default: 5m
+  groupWait:
+    description:
+      - Sets the wait time until the initial notification is sent for a new group created by an incoming alert. Inherited from the parent policy if empty.
+    type: str
+    default: 30s
+  objectMatchers:
+    description:
+      - Matchers is a slice of Matchers that is sortable, implements Stringer, and provides a Matches method to match a LabelSet.
+    type: list
+    default: []
+    elements: dict
+  repeatInterval:
+    description:
+      - Sets the waiting time to resend an alert after they have successfully been sent.
+    type: str
+    default: 4h
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  grafana_api_key:
+    description:
+      - Grafana API Key used to authenticate with Grafana.
+    type: str
+    required : true
+'''
+
+EXAMPLES = '''
+- name: Set Notification policy tree
+  grafana.grafana.alert_notification_policy:
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    routes: [
+      {
+        receiver: myReceiver,
+        object_matchers: [["env", "=", "Production"]],
+      }
+    ]
+
+- name: Set nested Notification policies
+  grafana.grafana.alert_notification_policy:
+    routes: [
+      {
+        receiver: myReceiver,
+        object_matchers: [["env", "=", "Production"],["team", "=", "ops"]],
+        routes: [
+          {
+            receiver: myReceiver2,
+            object_matchers: [["region", "=", "eu"]],
+          }
+        ]
+      },
+      {
+        receiver: myReceiver3,
+        object_matchers: [["env", "=", "Staging"]]
+      }
+    ]
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing Notification tree information.
+  returned: On success
+  type: dict
+  contains:
+    group_interval:
+      description: The waiting time to send a batch of new alerts for that group after the first notification was sent. This is of the parent policy.
+      returned: on success
+      type: str
+      sample: "5m"
+    group_wait:
+      description: The waiting time until the initial notification is sent for a new group created by an incoming alert. This is of the parent policy.
+      returned: on success
+      type: str
+      sample: "30s"
+    receiver:
+      description: The name of the default contact point.
+      returned: state is present and on success
+      type: str
+      sample: "grafana-default-email"
+    repeat_interval:
+      description: The waiting time to resend an alert after they have successfully been sent. This is of the parent policy
+      returned: on success
+      type: str
+      sample: "4h"
+    routes:
+      description: The entire notification tree returned as a list.
+      returned: on success
+      type: list
+      sample: [
+                {
+                    "object_matchers": [
+                        [
+                            "env",
+                            "=",
+                            "Production"
+                        ]
+                    ],
+                    "receiver": "grafana-default-email"
+                }
+              ]
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def alert_notification_policy(module):
+    body = {'routes': module.params['routes'], 'Continue': module.params['Continue'],
+            'groupByStr': module.params['groupByStr'], 'muteTimeIntervals': module.params['muteTimeIntervals'],
+            'receiver': module.params['rootPolicyReceiver'], 'group_interval': module.params['groupInterval'],
+            'group_wait': module.params['groupWait'], 'object_matchers': module.params['objectMatchers'],
+            'repeat_interval': module.params['repeatInterval']}
+
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/v1/provisioning/policies'
+    headers = {
+        'Authorization': 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+    result = requests.get(api_url, headers=headers)
+
+    if 'routes' not in result.json():
+        api_url = module.params['grafana_url'] + '/api/v1/provisioning/policies'
+        result = requests.put(api_url, json=body, headers=headers)
+
+        if result.status_code == 202:
+            return False, True, result.json()
+        else:
+            return True, False, {"status": result.status_code, 'response': result.json()['message']}
+    elif (result.json()['receiver'] == module.params['rootPolicyReceiver'] and result.json()['routes'] == module.params['routes']
+          and result.json()['group_wait'] == module.params['groupWait'] and result.json()['group_interval'] == module.params['groupInterval']
+          and result.json()['repeat_interval'] == module.params['repeatInterval']):
+        return False, False, result.json()
+    else:
+        api_url = module.params['grafana_url'] + '/api/v1/provisioning/policies'
+
+        result = requests.put(api_url, json=body, headers=headers)
+
+        if result.status_code == 202:
+            return False, True, result.json()
+        else:
+            return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(Continue=dict(type='bool', required=False, default=False),
+                       groupByStr=dict(type='list', required=False, default=[], elements='str'),
+                       muteTimeIntervals=dict(type='list', required=False, default=[], elements='str'),
+                       rootPolicyReceiver=dict(type='str', required=False, default='grafana-default-email'),
+                       routes=dict(type='list', required=True, elements='dict'),
+                       groupInterval=dict(type='str', required=False, default='5m'),
+                       groupWait=dict(type='str', required=False, default='30s'),
+                       repeatInterval=dict(type='str', required=False, default='4h'),
+                       objectMatchers=dict(type='list', required=False, default=[], elements='dict'),
+                       grafana_url=dict(type='str', required=True),
+                       grafana_api_key=dict(type='str', required=True, no_log=True), )
+
+    module = AnsibleModule(argument_spec=module_args)
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = alert_notification_policy(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg='Status code is ' + str(result['status']), output=result['response'])
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/cloud_api_key.py b/ansible_collections/grafana/grafana/plugins/modules/cloud_api_key.py
new file mode 100644
index 00000000..6ff6f0c2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/cloud_api_key.py
@@ -0,0 +1,152 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: cloud_api_key
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Grafana Cloud API keys
+description:
+  - Create and delete Grafana Cloud API keys using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  name:
+    description:
+      - Sets the name of the Grafana Cloud API key.
+    type: str
+    required: true
+  role:
+    description:
+      - Sets the role to be associated with the Cloud API key.
+    type: str
+    required: true
+    choices: [Admin, Viewer, Editor, MetricsPublisher]
+  org_slug:
+    description:
+      - Name of the Grafana Cloud organization in which Cloud API key will be created.
+    type: str
+    required: true
+  existing_cloud_api_key:
+    description:
+      - Cloud API Key to authenticate with Grafana Cloud.
+    type: str
+    required : true
+  fail_if_already_created:
+    description:
+      - If set to C(true), the task will fail if the API key with same name already exists in the Organization.
+    type: bool
+    default: True
+  state:
+    description:
+      - State for the Grafana Cloud API Key.
+    type: str
+    default: present
+    choices: [ present, absent ]
+'''
+
+EXAMPLES = '''
+- name: Create Grafana Cloud API key
+  grafana.grafana.cloud_api_key:
+    name: key_name
+    role: Admin
+    org_slug: "{{ org_slug }}"
+    existing_cloud_api_key: "{{ grafana_cloud_api_key }}"
+    fail_if_already_created: False
+    state: present
+
+- name: Delete Grafana Cloud API key
+  grafana.grafana.cloud_api_key:
+    name: key_name
+    org_slug: "{{ org_slug }}"
+    existing_cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: absent
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_cloud_api_key(module):
+    body = {
+        'name': module.params['name'],
+        'role': module.params['role']
+    }
+
+    api_url = 'https://grafana.com/api/orgs/' + module.params['org_slug'] + '/api-keys'
+
+    result = requests.post(api_url, json=body, headers={
+        "Authorization": 'Bearer ' + module.params['existing_cloud_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    elif result.status_code == 409:
+        return module.params['fail_if_already_created'], False, "A Cloud API key with the same name already exists"
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_cloud_api_key(module):
+    api_url = 'https://grafana.com/api/orgs/' + module.params['org_slug'] + '/api-keys/' + module.params['name']
+
+    result = requests.delete(api_url, headers={
+        "Authorization": 'Bearer ' + module.params['existing_cloud_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, "Cloud API key is deleted"
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(
+        name=dict(type='str', required=True),
+        role=dict(type='str', required=True, choices=['Admin', 'Viewer', 'Editor', 'MetricsPublisher']),
+        org_slug=dict(type='str', required=True),
+        existing_cloud_api_key=dict(type='str', required=True, no_log=True),
+        fail_if_already_created=dict(type='bool', required=False, default='True'),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_cloud_api_key,
+        "absent": absent_cloud_api_key,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/cloud_plugin.py b/ansible_collections/grafana/grafana/plugins/modules/cloud_plugin.py
new file mode 100644
index 00000000..bd29c662
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/cloud_plugin.py
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: cloud_plugin
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Grafana Cloud Plugins
+description:
+  - Create, Update and delete Grafana Cloud plugins using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  name:
+    description:
+      - Name of the plugin, e.g. grafana-github-datasource.
+    type: str
+    required: true
+  version:
+    description:
+      - Version of the plugin to install.
+    type: str
+    default: latest
+  stack_slug:
+    description:
+      - Name of the Grafana Cloud stack to which the plugin will be added.
+    type: str
+    required: true
+  cloud_api_key:
+    description:
+      - Cloud API Key to authenticate with Grafana Cloud.
+    type: str
+    required : true
+  state:
+    description:
+      - State for the Grafana Cloud Plugin.
+    type: str
+    default: present
+    choices: [ present, absent ]
+'''
+
+EXAMPLES = '''
+- name: Create/Update a plugin
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    version: 1.0.14
+    stack_slug: "{{ stack_slug }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: present
+
+- name: Delete a Grafana Cloud stack
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    stack_slug: "{{ stack_slug }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: absent
+'''
+
+RETURN = r'''
+  current_version:
+    description: Current version of the plugin.
+    returned: On success
+    type: str
+    sample: "1.0.14"
+  latest_version:
+    description: Latest version available for the plugin.
+    returned: On success
+    type: str
+    sample: "1.0.15"
+  pluginId:
+    description: Id for the Plugin.
+    returned: On success
+    type: int
+    sample: 663
+  pluginName:
+    description: Name of the plugin.
+    returned: On success
+    type: str
+    sample: "GitHub"
+  pluginSlug:
+    description: Slug for the Plugin.
+    returned: On success
+    type: str
+    sample: "grafana-github-datasource"
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_cloud_plugin(module):
+    body = {
+        'plugin': module.params['name'],
+        'version': module.params['version']
+    }
+
+    api_url = 'https://grafana.com/api/instances/' + module.params['stack_slug'] + '/plugins'
+    headers = {
+        'Authorization': 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+
+    result = requests.post(api_url, json=body, headers=headers)
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    elif result.status_code == 409:
+        api_url = 'https://grafana.com/api/instances/' + module.params['stack_slug'] + '/plugins/' + module.params['name']
+        result = requests.get(api_url, headers=headers)
+
+        if result.json()['pluginSlug'] == module.params['name'] and result.json()['version'] == module.params['version']:
+            return False, False, result.json()
+        else:
+            api_url = 'https://grafana.com/api/instances/' + module.params['stack_slug'] + '/plugins/' + module.params[
+                'name']
+            result = requests.post(api_url, json={'version': module.params['version']},
+                                   headers=headers)
+
+            return False, True, result.json()
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_cloud_plugin(module):
+    api_url = 'https://grafana.com/api/instances/' + module.params['stack_slug'] + '/plugins/' + module.params['name']
+
+    result = requests.delete(api_url, headers={
+        "Authorization": 'Bearer ' + module.params['cloud_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(
+        name=dict(type='str', required=True),
+        version=dict(type='str', required=False, default='latest'),
+        stack_slug=dict(type='str', required=True),
+        cloud_api_key=dict(type='str', required=True, no_log=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_cloud_plugin,
+        "absent": absent_cloud_plugin,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed,
+                         pluginId=result['pluginId'],
+                         pluginName=result['pluginName'],
+                         pluginSlug=result['pluginSlug'],
+                         current_version=result['version'],
+                         latest_version=result['latestVersion'])
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/cloud_stack.py b/ansible_collections/grafana/grafana/plugins/modules/cloud_stack.py
new file mode 100644
index 00000000..690e4651
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/cloud_stack.py
@@ -0,0 +1,259 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: cloud_stack
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Grafana Cloud stack
+description:
+  - Create and delete Grafana Cloud stacks using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  name:
+    description:
+      - Sets the name of stack. Conventionally matches the URL of the instance. For example, C(stackslug.grafana.net).
+    type: str
+    required: true
+  stack_slug:
+    description:
+      - Sets the subdomain of the Grafana instance. For example, if slug is B(stackslug), the instance URL will be C(https://stackslug.grafana.net).
+    type: str
+    required: true
+  cloud_api_key:
+    description:
+      - Cloud API Key to authenticate with Grafana Cloud.
+    type: str
+    required : true
+  region:
+    description:
+      - Sets the region for the Grafana Cloud stack.
+    type: str
+    default: us
+    choices: [ us, us-azure, eu, au, eu-azure, prod-ap-southeast-0, prod-gb-south-0, prod-eu-west-3]
+  url:
+    description:
+      - If you use a custom domain for the instance, you can provide it here. If not provided, Will be set to C(https://stackslug.grafana.net).
+    type: str
+  org_slug:
+    description:
+      - Name of the organization under which Cloud stack is created.
+    type: str
+    required: true
+  delete_protection:
+    description:
+      - Enables or disables deletion protection for the Cloud stack.
+      - When set to true, the stack cannot be deleted unless this flag is explicitly disabled.
+    type: bool
+    default: true
+    required: false
+  state:
+    description:
+      - State for the Grafana Cloud stack.
+    type: str
+    default: present
+    choices: [ present, absent ]
+'''
+
+EXAMPLES = '''
+- name: Create a Grafana Cloud stack
+  grafana.grafana.cloud_stack:
+    name: stack_name
+    stack_slug: stack_name
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    region: eu
+    url: https://grafana.company_name.com
+    org_slug: org_name
+    delete_protection: true
+    state: present
+
+- name: Delete a Grafana Cloud stack
+  grafana.grafana.cloud_stack:
+    name: stack_name
+    slug: stack_name
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    org_slug: org_name
+    state: absent
+'''
+
+RETURN = r'''
+  alertmanager_name:
+    description: Name of the alertmanager instance.
+    returned: always
+    type: str
+    sample: "stackname-alerts"
+  alertmanager_url:
+    description: URL of the alertmanager instance.
+    returned: always
+    type: str
+    sample: "https://alertmanager-eu-west-0.grafana.net"
+  cluster_slug:
+    description: Slug for the cluster where the Grafana stack is deployed.
+    returned: always
+    type: str
+    sample: "prod-eu-west-0"
+  id:
+    description: ID of the Grafana Cloud stack.
+    returned: always
+    type: int
+    sample: 458182
+  loki_url:
+    description: URl for the Loki instance.
+    returned: always
+    type: str
+    sample: "https://logs-prod-eu-west-0.grafana.net"
+  orgID:
+    description: ID of the Grafana Cloud organization.
+    returned: always
+    type: int
+    sample: 652992
+  prometheus_url:
+    description: URl for the Prometheus instance.
+    returned: always
+    type: str
+    sample: "https://prometheus-prod-01-eu-west-0.grafana.net"
+  tempo_url:
+    description: URl for the Tempo instance.
+    returned: always
+    type: str
+    sample: "https://tempo-eu-west-0.grafana.net"
+  url:
+    description: URL of the Grafana Cloud stack.
+    returned: always
+    type: str
+    sample: "https://stackname.grafana.net"
+  delete_protection:
+    description:
+      - Enables or disables deletion protection for the Cloud stack.
+      - When set to true, the stack cannot be deleted unless this flag is explicitly disabled.
+    returned: always
+    type: bool
+    sample: true
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_cloud_stack(module):
+    if not module.params['url']:
+        module.params['url'] = 'https://' + module.params['stack_slug'] + '.grafana.net'
+
+    body = {
+        'name': module.params['name'],
+        'slug': module.params['stack_slug'],
+        'region': module.params['region'],
+        'url': module.params['url'],
+        'deleteProtection': module.params.get('delete_protection', True),
+    }
+    api_url = 'https://grafana.com/api/instances'
+    headers = {
+        "Authorization": 'Bearer ' + module.params['cloud_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+
+    result = requests.post(api_url, json=body, headers=headers)
+    if result.status_code == 200:
+        return False, True, result.json()
+    elif result.status_code in [409, 403] and result.json()['message'] in ["That URL has already been taken, please try an alternate URL", "Hosted instance limit reached"]:
+        stack_found = False
+        if result.json()['message'] == "That URL has already been taken, please try an alternate URL":
+            api_url = 'https://grafana.com/api/orgs/' + module.params['org_slug'] + '/instances'
+            result = requests.get(api_url, headers=headers)
+            stackInfo = {}
+            for stack in result.json()['items']:
+                if stack['slug'] == module.params['stack_slug']:
+                    stack_found = True
+                    stackInfo = stack
+            if stack_found:
+                if body['deleteProtection'] == stackInfo['deleteProtection']:
+                    return False, False, stackInfo
+                api_url = f'https://grafana.com/api/instances/{stackInfo["id"]}'
+                result = requests.post(api_url, json={'deleteProtection': body['deleteProtection']}, headers=headers)
+                if result.status_code != 200:
+                    return True, False, {"status": result.status_code, 'response': result.json()['message']}
+                return False, True, result.json()
+            else:
+                return True, False, "Stack is not found under your org"
+        elif result.json()['message'] == "Hosted instance limit reached":
+            return True, False, "You have reached Maximum number of Cloud Stacks in your Org."
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_cloud_stack(module):
+    api_url = 'https://grafana.com/api/instances/' + module.params['stack_slug']
+
+    result = requests.delete(api_url, headers={
+        "Authorization": 'Bearer ' + module.params['cloud_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(
+        name=dict(type='str', required=True),
+        stack_slug=dict(type='str', required=True),
+        cloud_api_key=dict(type='str', required=True, no_log=True),
+        region=dict(type='str', required=False, default='us',
+                    choices=['us', 'us-azure', 'eu', 'au', 'eu-azure', 'prod-ap-southeast-0', 'prod-gb-south-0',
+                             'prod-eu-west-3']),
+        url=dict(type='str', required=False),
+        org_slug=dict(type='str', required=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
+        delete_protection=dict(type=bool, required=False),
+    )
+
+    choice_map = {
+        "present": present_cloud_stack,
+        "absent": absent_cloud_stack,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed,
+                         alertmanager_name=result['amInstanceName'],
+                         url=result['url'], id=result['id'],
+                         cluster_slug=result['clusterName'],
+                         orgID=result['orgId'],
+                         loki_url=result['hlInstanceUrl'],
+                         prometheus_url=result['hmInstancePromUrl'],
+                         tempo_url=result['htInstanceUrl'],
+                         alertmanager_url=result['amInstanceUrl'],
+                         delete_protection=result['deleteProtection'])
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/dashboard.py b/ansible_collections/grafana/grafana/plugins/modules/dashboard.py
new file mode 100644
index 00000000..b11c8603
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/dashboard.py
@@ -0,0 +1,190 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: dashboard
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Dashboards in Grafana
+description:
+  - Create, Update and delete Dashboards using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+  - Does not support C(Idempotency).
+options:
+  dashboard:
+    description:
+      - JSON source code for dashboard.
+    type: dict
+    required: true
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  grafana_api_key:
+    description:
+      - Grafana API Key to authenticate with Grafana Cloud.
+    type: str
+    required : true
+  state:
+    description:
+      - State for the Grafana Dashboard.
+    choices: [ present, absent ]
+    default: present
+    type: str
+'''
+
+EXAMPLES = '''
+- name: Create/Update a dashboard
+  grafana.grafana.dashboard:
+    dashboard: "{{ lookup('ansible.builtin.file', 'dashboard.json') }}"
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+
+- name: Delete dashboard
+  grafana.grafana.dashboard:
+    dashboard: "{{ lookup('ansible.builtin.file', 'dashboard.json') }}"
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing folder information.
+  returned: On success
+  type: dict
+  contains:
+    id:
+      description: The ID for the dashboard.
+      returned: on success
+      type: int
+      sample: 17
+    slug:
+      description: The slug for the dashboard.
+      returned: state is present and on success
+      type: str
+      sample: ansible-integration-test
+    status:
+      description: The status of the dashboard.
+      returned: state is present and on success
+      type: str
+      sample: success
+    uid:
+      description: The UID for the dashboard.
+      returned: state is present and on success
+      type: str
+      sample: "test1234"
+    url:
+      description: The endpoint for the dashboard.
+      returned: state is present and on success
+      type: str
+      sample: "/d/test1234/ansible-integration-test"
+    version:
+      description: The version of the dashboard.
+      returned: state is present and on success
+      type: int
+      sample: 2
+    message:
+      description: The message returned after the operation on the dashboard.
+      returned: state is absent and on success
+      type: str
+      sample: "Dashboard Ansible Integration Test deleted"
+    title:
+      description: The name of the dashboard.
+      returned: state is absent and on success
+      type: str
+      sample: "Ansible Integration Test"
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+
+__metaclass__ = type
+
+
+def present_dashboard(module):
+
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/dashboards/db'
+
+    result = requests.post(api_url, json=module.params['dashboard'], headers={
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_dashboard(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    if 'uid' not in module.params['dashboard']['dashboard']:
+        return True, False, "UID is not defined in the the Dashboard configuration"
+
+    api_url = api_url = module.params['grafana_url'] + '/api/dashboards/uid/' + module.params['dashboard']['dashboard']['uid']
+
+    result = requests.delete(api_url, headers={
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(
+        dashboard=dict(type='dict', required=True),
+        grafana_url=dict(type='str', required=True),
+        grafana_api_key=dict(type='str', required=True, no_log=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_dashboard,
+        "absent": absent_dashboard,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/datasource.py b/ansible_collections/grafana/grafana/plugins/modules/datasource.py
new file mode 100644
index 00000000..748ad409
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/datasource.py
@@ -0,0 +1,209 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: datasource
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Data sources in Grafana
+description:
+  - Create, Update and delete Data sources using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+  - Does not support C(Idempotency).
+options:
+  dataSource:
+    description:
+      - JSON source code for the Data source.
+    type: dict
+    required: true
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  grafana_api_key:
+    description:
+      - Grafana API Key to authenticate with Grafana Cloud.
+    type: str
+    required : true
+  state:
+    description:
+      - State for the Grafana Datasource.
+    choices: [ present, absent ]
+    default: present
+    type: str
+'''
+
+EXAMPLES = '''
+- name: Create/Update Data sources
+  grafana.grafana.datasource:
+    dataSource:
+      name: Prometheus
+      type: prometheus
+      access: proxy
+      url: http://localhost:9090
+      jsonData:
+        httpMethod: POST
+        manageAlerts: true
+        prometheusType: Prometheus
+        cacheLevel: High
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+
+- name: Delete Data sources
+  grafana.grafana.datasource:
+    dataSource: "{{ lookup('ansible.builtin.file', 'datasource.json') | to_yaml }}"
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing Data source information.
+  returned: On success
+  type: dict
+  contains:
+    datasource:
+      description: The response body content for the data source configuration.
+      returned: state is present and on success
+      type: dict
+      sample: {
+                "access": "proxy",
+                "basicAuth": false,
+                "basicAuthUser": "",
+                "database": "db-name",
+                "id": 20,
+                "isDefault": false,
+                "jsonData": {},
+                "name": "ansible-integration",
+                "orgId": 1,
+                "readOnly": false,
+                "secureJsonFields": {
+                    "password": true
+                },
+                "type": "influxdb",
+                "typeLogoUrl": "",
+                "uid": "ansibletest",
+                "url": "https://grafana.github.com/grafana-ansible-collection",
+                "user": "user",
+                "version": 1,
+                "withCredentials": false
+            }
+    id:
+      description: The ID assigned to the data source.
+      returned: on success
+      type: int
+      sample: 20
+    name:
+      description: The name of the data source defined in the JSON source code.
+      returned: state is present and on success
+      type: str
+      sample: "ansible-integration"
+    message:
+      description: The message returned after the operation on the Data source.
+      returned: on success
+      type: str
+      sample: "Datasource added"
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_datasource(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/datasources'
+
+    headers = {
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+    result = requests.post(api_url, json=module.params['dataSource'], headers=headers)
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    elif result.status_code == 409:
+        get_id_url = requests.get(module.params['grafana_url'] + '/api/datasources/id/' + module.params['dataSource']['name'],
+                                  headers=headers)
+
+        api_url = module.params['grafana_url'] + '/api/datasources/' + str(get_id_url.json()['id'])
+
+        result = requests.put(api_url, json=module.params['dataSource'], headers=headers)
+
+        if result.status_code == 200:
+            return False, True, result.json()
+        else:
+            return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_datasource(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    api_url = module.params['grafana_url'] + '/api/datasources/name/' + module.params['dataSource']['name']
+
+    result = requests.delete(api_url, headers={
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    })
+
+    if result.status_code == 200:
+        return False, True, {"status": result.status_code, 'response': result.json()['message']}
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def main():
+
+    module_args = dict(
+        dataSource=dict(type='dict', required=True),
+        grafana_url=dict(type='str', required=True),
+        grafana_api_key=dict(type='str', required=True, no_log=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_datasource,
+        "absent": absent_datasource,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/folder.py b/ansible_collections/grafana/grafana/plugins/modules/folder.py
new file mode 100644
index 00000000..09e99e36
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/folder.py
@@ -0,0 +1,280 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Ishan Jain (@ishanjainn)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+
+DOCUMENTATION = '''
+---
+module: folder
+author:
+  - Ishan Jain (@ishanjainn)
+version_added: "0.0.1"
+short_description: Manage Folders in Grafana
+description:
+  - Create, Update and delete Folders via Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+options:
+  title:
+    description:
+      - Sets the title of the folder.
+    type: str
+    required: true
+  uid:
+    description:
+      - Sets the UID for your folder.
+    type: str
+    required: true
+  overwrite:
+    description:
+      - Set to C(false) if you dont want to overwrite existing folder with newer version.
+    type: bool
+    required: false
+    default: true
+  grafana_api_key:
+    description:
+      - Grafana API Key to authenticate with Grafana.
+    type: str
+    required : true
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  state:
+    description:
+      - State for the Grafana Folder.
+    choices: [ present, absent ]
+    default: present
+    type: str
+'''
+
+EXAMPLES = '''
+- name: Create/Update a Folder in Grafana
+  grafana.grafana.folder:
+    title: folder_name
+    uid: folder_name
+    overwrite: true
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+
+- name: Delete a Folder in Grafana
+  grafana.grafana.folder:
+    uid: folder_name
+    grafana_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing folder information.
+  returned: On success
+  type: dict
+  contains:
+    canAdmin:
+      description: Boolean value specifying if current user can admin in folder.
+      returned: state is present and on success
+      type: bool
+      sample: true
+    canDelete:
+      description: Boolean value specifying if current user can delete the folder.
+      returned: state is present and on success
+      type: bool
+      sample: true
+    canEdit:
+      description: Boolean value specifying if current user can edit in folder.
+      returned: state is present and on success
+      type: bool
+      sample: true
+    canSave:
+      description: Boolean value specifying if current user can save in folder.
+      returned: state is present and on success
+      type: bool
+      sample: true
+    created:
+      description: The date when folder was created.
+      returned: state is present and on success
+      type: str
+      sample: "2022-10-20T09:31:53Z"
+    createdBy:
+      description: The name of the user who created the folder.
+      returned: state is present and on success
+      type: str
+      sample: "Anonymous"
+    hasAcl:
+      description: Boolean value specifying if folder has acl.
+      returned: state is present and on success
+      type: bool
+      sample: true
+    id:
+      description: The ID for the folder.
+      returned: state is present and on success
+      type: int
+      sample: 18
+    title:
+      description: The name of the folder.
+      returned: on success
+      type: str
+      sample: foldername
+    uid:
+      description: The UID for the folder.
+      returned: state is present and on success
+      type: str
+      sample: foldername
+    updated:
+      description: The date when the folder was last updated.
+      returned: state is present and on success
+      type: str
+      sample: "2022-10-20T09:31:53Z"
+    updatedBy:
+      description: The name of the user who last updated the folder.
+      returned: state is present and on success
+      type: str
+      sample: "Anonymous"
+    url:
+      description: The URl for the folder.
+      returned: state is present and on success
+      type: str
+      sample: "/dashboards/f/foldername/foldername"
+    version:
+      description: The version of the folder.
+      returned: state is present and on success
+      type: int
+      sample: 1
+    message:
+      description: The message returned after the operation on the folder.
+      returned: state is absent and on success
+      type: str
+      sample: "Folder has been succesfuly deleted"
+'''
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+__metaclass__ = type
+
+
+def present_folder(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    body = {
+        'uid': module.params['uid'],
+        'title': module.params['title'],
+    }
+    api_url = module.params['grafana_url'] + '/api/folders'
+
+    headers = {
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+
+    result = requests.post(api_url, json=body, headers=headers)
+
+    if result.status_code == 200:
+        return False, True, result.json()
+    elif result.status_code == 412:
+        sameConfig = False
+        folderInfo = {}
+
+        api_url = module.params['grafana_url'] + '/api/folders'
+        result = requests.get(api_url, headers=headers)
+
+        for folder in result.json():
+            if folder['uid'] == module.params['uid'] and folder['title'] == module.params['title']:
+                sameConfig = True
+                folderInfo = folder
+
+        if sameConfig:
+            return False, False, folderInfo
+        else:
+            body = {
+                'uid': module.params['uid'],
+                'title': module.params['title'],
+                'overwrite': module.params['overwrite']
+            }
+            api_url = module.params['grafana_url'] + '/api/folders/' + module.params['uid']
+
+            result = requests.put(api_url, json=body, headers=headers)
+
+            if result.status_code == 200:
+                return False, True, result.json()
+            else:
+                return True, False, {"status": result.status_code, 'response': result.json()['message']}
+    else:
+        return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_folder(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    sameConfig = False
+
+    api_url = module.params['grafana_url'] + '/api/folders'
+    headers = {
+        "Authorization": 'Bearer ' + module.params['grafana_api_key'],
+        'User-Agent': 'grafana-ansible-collection',
+    }
+    result = requests.get(api_url, headers=headers)
+
+    for folder in result.json():
+        if folder['uid'] == module.params['uid'] and folder['title'] == module.params['title']:
+            sameConfig = True
+    if sameConfig is True:
+        api_url = module.params['grafana_url'] + '/api/folders/' + module.params['uid']
+
+        result = requests.delete(api_url, headers=headers)
+
+        if result.status_code == 200:
+            return False, True, {"status": result.status_code, 'response': "Folder has been succesfuly deleted"}
+        else:
+            return True, False, {"status": result.status_code, 'response': "Error deleting folder"}
+    else:
+        return False, True, {"status": 200, 'response': "Folder does not exist"}
+
+
+def main():
+
+    module_args = dict(
+        title=dict(type='str', required=True),
+        uid=dict(type='str', required=True),
+        overwrite=dict(type='bool', required=False, default=True),
+        grafana_url=dict(type='str', required=True),
+        grafana_api_key=dict(type='str', required=True, no_log=True),
+        state=dict(type='str', required=False, default='present', choices=['present', 'absent'])
+    )
+
+    choice_map = {
+        "present": present_folder,
+        "absent": absent_folder,
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/plugins/modules/user.py b/ansible_collections/grafana/grafana/plugins/modules/user.py
new file mode 100644
index 00000000..177eb738
--- /dev/null
+++ b/ansible_collections/grafana/grafana/plugins/modules/user.py
@@ -0,0 +1,284 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2024, téïcée (www.teicee.com)
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import (absolute_import, division, print_function)
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+
+DOCUMENTATION = '''
+---
+module: user
+author:
+  - Mathieu Valois, téïcée
+version_added: "0.0.1"
+short_description: Manage Users in Grafana
+description:
+  - Create, Update and delete Users using Ansible.
+requirements: [ "requests >= 1.0.0" ]
+notes:
+  - Does not support C(check_mode).
+  - Does not support C(Idempotency).
+options:
+  grafana_url:
+    description:
+      - URL of the Grafana instance.
+    type: str
+    required: true
+  admin_name:
+    description:
+      - Grafana admin username
+    type: str
+    required : true
+  admin_password:
+    description:
+      - Grafana admin password
+    type: str
+    required : true
+  login:
+    description:
+      - Login of the user
+    type: str
+    required : true
+  password:
+    description:
+      - Password of the user. Should be provided if state=present
+    type: str
+    required : false
+  name:
+    description:
+      - Name of the user.
+    type: str
+    required : false
+  email:
+    description:
+      - Email address of the user.
+    type: str
+    required : false
+  state:
+    description:
+      - State for the Grafana User.
+    choices: [ present, absent ]
+    default: present
+    type: str
+'''
+
+EXAMPLES = '''
+- name: Create/Update a user
+  grafana.grafana.user:
+    login: "grafana_user"
+    password: "{{ lookup('ansible.builtin.password') }}"
+    email: "grafana_user@localhost.local
+    name: "grafana user"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: present
+
+- name: Delete user
+  grafana.grafana.user:
+    login: "grafana_user"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: absent
+'''
+
+RETURN = r'''
+output:
+  description: Dict object containing user information and message.
+  returned: On success
+  type: dict
+  contains:
+    id:
+      description: The ID for the user.
+      returned: on success
+      type: int
+      sample: 17
+    email:
+      description: The email for the user.
+      returned: on success
+      type: str
+      sample: grafana_user@localhost.local
+    name:
+      description: The name for the user.
+      returned: on success
+      type: str
+      sample: grafana user
+    login:
+      description: The login for the user.
+      returned: on success
+      type: str
+      sample: grafana_user
+'''
+
+try:
+    import requests
+    HAS_REQUESTS = True
+except ImportError:
+    HAS_REQUESTS = False
+
+
+__metaclass__ = type
+
+
+def _get_user(grafana_url, admin_name, admin_password, login, email=None):
+    get_user_url = grafana_url + '/api/users/lookup?loginOrEmail='
+
+    # check if user exists by login provided login
+    result = requests.get(f"{get_user_url}{login}", auth=requests.auth.HTTPBasicAuth(
+        admin_name, admin_password))
+    # if no user has this login, check the email if provided
+    if result.status_code == 404 and email is not None:
+        result = requests.get(f"{get_user_url}{email}", auth=requests.auth.HTTPBasicAuth(
+            admin_name, admin_password))
+
+    if result.status_code == 404:
+        return None
+
+    return result.json()
+
+
+def _set_user_password(grafana_url, admin_name, admin_password, user_id, password):
+    """ sets the password for the existing user having user_id.
+    admin_name should be a user having users.password:write permission
+    """
+
+    set_user_password_url = f"{grafana_url}/api/admin/users/{user_id}/password"
+
+    result = requests.put(set_user_password_url, json={'password': password}, auth=requests.auth.HTTPBasicAuth(
+        admin_name, admin_password))
+
+    return result
+
+
+def present_user(module):
+
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    body = {
+        'login': module.params['login'],
+        'password': module.params['password'],
+        'email': module.params['email'],
+        'name': module.params['name'],
+        'OrgId': module.params['orgid']
+    }
+
+    user = _get_user(module.params['grafana_url'], module.params['admin_name'],
+                     module.params['admin_password'], module.params['login'], module.params['email'])
+
+    if user is None:
+        api_url = module.params['grafana_url'] + '/api/admin/users'
+        result = requests.post(api_url, json=body, auth=requests.auth.HTTPBasicAuth(
+            module.params['admin_name'], module.params['admin_password']))
+    else:
+        user_id = user['id']
+        api_url = module.params['grafana_url'] + '/api/users'
+        result = requests.put(f"{api_url}/{user_id}", json=body, auth=requests.auth.HTTPBasicAuth(
+            module.params['admin_name'], module.params['admin_password']))
+
+    if result.status_code == 200:
+        return False, True, result.json()
+
+    return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def absent_user(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    user = _get_user(module.params['grafana_url'], module.params['admin_name'],
+                     module.params['admin_password'], module.params['login'], module.params['email'])
+
+    if user is None:
+        return False, False, "User does not exist"
+
+    user_id = user['id']
+    api_url = f"{module.params['grafana_url']}/api/admin/users/{user_id}"
+    result = requests.delete(api_url, auth=requests.auth.HTTPBasicAuth(
+        module.params['admin_name'], module.params['admin_password']))
+
+    if result.status_code == 200:
+        return False, True, result.json()
+
+    return True, False, {"status": result.status_code, 'response': result.json()['message']}
+
+
+def password_user(module):
+    if module.params['grafana_url'][-1] == '/':
+        module.params['grafana_url'] = module.params['grafana_url'][:-1]
+
+    # try with new password to check if already changed
+    user = _get_user(module.params['grafana_url'], module.params['login'],
+                     module.params['password'], module.params['login'], module.params['email'])
+
+    if 'id' in user:
+        # Auth is OK, password does not need to be changed
+        return False, False, {'message': 'Password has already been changed', 'user': user}
+
+    # from here, we begin password change procedure
+    user = _get_user(module.params['grafana_url'], module.params['admin_name'],
+                     module.params['admin_password'], module.params['login'], module.params['email'])
+
+    if user is None:
+        return True, False, "User does not exist"
+
+    if 'id' not in user:
+        return True, False, user
+
+    result = _set_user_password(module.params['grafana_url'], module.params['admin_name'],
+                                module.params['admin_password'], user['id'], module.params['password'])
+
+    if result.status_code == 200:
+        return False, True, result.json()
+
+    return True, False, result.json()
+
+
+def main():
+
+    # Grafana admin API is only accessible with basic auth, not token
+    # So we shall provide admin name and its password
+    module_args = dict(
+        admin_name=dict(type='str', required=True),
+        admin_password=dict(type='str', required=True, no_log=True),
+        login=dict(type='str', required=True),
+        password=dict(type='str', required=False, no_log=True),
+        email=dict(type='str', required=False),
+        name=dict(type='str', required=False),
+        orgid=dict(type='int', required=False),
+        grafana_url=dict(type='str', required=True),
+        state=dict(type='str', required=False, default='present',
+                   choices=['present', 'absent', 'update_password'])
+    )
+
+    choice_map = {
+        "present": present_user,
+        "absent": absent_user,
+        "update_password": password_user
+    }
+
+    module = AnsibleModule(
+        argument_spec=module_args
+    )
+
+    if not HAS_REQUESTS:
+        module.fail_json(msg=missing_required_lib('requests'))
+
+    if module.params['state'] in ('present', 'update_password') and 'password' not in module.params:
+        module.fail_json(
+            msg="Want to create or update user but password is missing")
+
+    is_error, has_changed, result = choice_map.get(
+        module.params['state'])(module)
+
+    if not is_error:
+        module.exit_json(changed=has_changed, output=result)
+    else:
+        module.fail_json(msg=result)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/ansible_collections/grafana/grafana/requirements.txt b/ansible_collections/grafana/grafana/requirements.txt
new file mode 100644
index 00000000..2d38dea5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/requirements.txt
@@ -0,0 +1,3 @@
+yamllint==1.35.1
+ansible-lint>=6.13.1, <25.0.0
+pylint>=2.16.2,<4.0.0
diff --git a/ansible_collections/grafana/grafana/requirements.yml b/ansible_collections/grafana/grafana/requirements.yml
new file mode 100644
index 00000000..8d80a4d2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/requirements.yml
@@ -0,0 +1,8 @@
+---
+collections:
+  - name: https://github.com/ansible-collections/community.general.git
+    type: git
+  - name: https://github.com/ansible-collections/community.grafana.git
+    type: git
+  - name: https://github.com/ansible-collections/ansible.posix.git
+    type: git
diff --git a/ansible_collections/grafana/grafana/roles/alloy/README.md b/ansible_collections/grafana/grafana/roles/alloy/README.md
new file mode 100644
index 00000000..23e5f22b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/README.md
@@ -0,0 +1,71 @@
+# Ansible role - Alloy
+
+[![License](https://img.shields.io/github/license/grafana/grafana-ansible-collection)](LICENSE)
+
+This Ansible role to install and configure [Alloy](https://grafana.com/docs/alloy/latest/), which can be used to collect traces, metrics, and logs.
+This role is tailored for operating systems such as **RedHat**, **Rocky Linux**, **AlmaLinux**, **Ubuntu**, **Debian**, **macOS**, and **openSUSE**.
+
+## Table of Content
+
+- [Requirements](#requirements)
+- [Role Variables](#role-variables)
+- [Playbook](#playbook)
+
+## Requirements
+
+- Ansible 2.13+
+- `ansible.utils` collection is required. Additionally, you must install the `netaddr` Python library on the host where you are running Ansible (not on the target remote host) if is not present.
+- `community.general` collection is required for macOS support
+- **macOS**: Homebrew must be installed
+
+## Role Variables
+
+| Variable Name         | Description                                                          | Default Value                                                       |
+|-----------------------|----------------------------------------------------------------------|---------------------------------------------------------------------|
+| `alloy_version`             | The version of Alloy to download and deploy. Supported standard version "1.4.2" format or "latest". | `latest` |
+| `alloy_uninstall`           | If set to `true` will perfom uninstall instead of deployment. | `false` |
+| `alloy_expose_port`         | By default, this is set to false. It supports only simple firewalld configurations. If set to true, a firewalld rule is added to expose the TCP alloy port. The Port is automatically extracted from the environment variable `alloy_env_file_vars` in CUSTOM_ARGS when --server.http.listen-addr=0.0.0.0:12345 is defined. If set to false, configuration is skipped. If the firewalld.service is not active, all firewalld tasks are skipped. | `false` |
+| `alloy_user_groups`         | Appends the alloy user to specific groups. | `[]` |
+| `alloy_github_api_url`      | The default Github API URL to check for the latest version available. | `"https://api.github.com/repos/grafana/alloy/releases/latest"` |
+| `alloy_download_url_rpm`    | The default download URL for the Alloy rpm package from GitHub. | `"https://github.com/grafana/alloy/releases/download/v{{ aloy_version }}/alloy-{{ aloy_version }}-1.{{ __alloy_arch }}.rpm"` |
+| `alloy_download_url_deb`    | The default download URL for the Alloy deb package from GitHub. | `"https://github.com/grafana/alloy/releases/download/v{{ aloy_version }}/alloy-{{ aloy_version }}-1.{{ __alloy_arch }}.deb"` |
+| `alloy_readiness_check_use_https` | This boolean variable determines whether the readiness check for the Alloy server should use HTTPS or HTTP when validating the `/-/ready` endpoint. This variable does not enable TLS on the Alloy server itself.  | `false` |
+| `alloy_readiness_check_use_proxy` | This boolean variable determines whether the readiness check for the Alloy server should use a proxy when validating the `/-/ready` endpoint.  If false, it will not use a proxy, even if one is defined in an environment variable on the target hosts.  | `true` |
+| `alloy_env_file_vars`       | You can use environment variables to control the run-time behavior of Grafana Alloy. | `{}` |
+| `alloy_systemd_override`    | Systemd unit drop-in file used to override or extend the default configuration of a systemd unit. | `{}` |
+| `alloy_config`              | This is the configuration that sets up Alloy. Refer to the [configuration blocks](https://grafana.com/docs/alloy/latest/reference/config-blocks/) and [components](https://grafana.com/docs/alloy/latest/reference/components/) documentation for more details. Since the purpose of using Alloy varies, no default configuration is provided. ⚠️ **You must provide either `alloy_config` for single config or set `alloy_env_file_vars.CONFIG_FILE` for multi-config setup**. Note that if you use `alloy_env_file_vars.CONFIG_FILE`, the content of `alloy_config` will not be templated. It is expected that you manage the multi-config content using pre_tasks or with your own role. | `{}` |
+
+## Dependencies
+
+No Dependencies
+
+## Playbook
+
+```yaml
+- name: Manage alloy service
+  hosts: all
+  become: true
+  vars:
+    # alloy_config: |
+    #   Your Config Content
+  roles:
+    - role: grafana.grafana.alloy
+```
+
+- Playbook execution example
+```shell
+# Deploy Alloy
+ansible-playbook function_alloy_play.yml
+
+# Uninstall Alloy
+ansible-playbook function_alloy_play.yml -e "alloy_uninstall=true"
+```
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
+
+## Author Information
+
+-   [Ishan Jain](https://github.com/ishanjainn)
+-   [VoidQuark](https://github.com/voidquark)
diff --git a/ansible_collections/grafana/grafana/roles/alloy/defaults/main.yml b/ansible_collections/grafana/grafana/roles/alloy/defaults/main.yml
new file mode 100644
index 00000000..371759eb
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+# defaults file for alloy
+alloy_version: "latest"
+alloy_uninstall: false
+alloy_expose_port: false
+alloy_github_api_url: "https://api.github.com/repos/grafana/alloy/releases/latest"
+alloy_download_url_rpm: "https://github.com/grafana/alloy/releases/download/v{{ alloy_version }}/alloy-{{ alloy_version }}-1.{{ __alloy_arch }}.rpm"
+alloy_download_url_deb: "https://github.com/grafana/alloy/releases/download/v{{ alloy_version }}/alloy-{{ alloy_version }}-1.{{ __alloy_arch }}.deb"
+alloy_readiness_check_use_https: false
+alloy_readiness_check_use_proxy: true
+
+alloy_user_groups: []
+# alloy_user_groups:
+#   - "systemd-journal"
+
+alloy_env_file_vars: {}
+# alloy_env_file_vars:
+#   CONFIG_FILE: "/custom/path"
+#   CUSTOM_ARGS: "--server.http.listen-addr=0.0.0.0:12345 --stability.level=public-preview --feature.community-components.enabled=true"
+
+alloy_systemd_override: {}
+# alloy_systemd_override: |
+#   [Service]
+#   User=root
+
+alloy_config: {}
+# alloy_config: |
+#   prometheus.scrape "default" {
+#       targets = [{"__address__" = "127.0.0.1:12345"}]
+#       forward_to = [prometheus.remote_write.prom.receiver]
+#   }
+#   prometheus.remote_write "prom" {
+#     endpoint {
+#         url = "http://mimir:9009/api/v1/push"
+#     }
+#   }
diff --git a/ansible_collections/grafana/grafana/roles/alloy/handlers/main.yml b/ansible_collections/grafana/grafana/roles/alloy/handlers/main.yml
new file mode 100644
index 00000000..98cea631
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+# handlers file for alloy
+- name: Restart alloy
+  listen: "restart alloy"
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: alloy.service
+    state: restarted
+    enabled: true
+  when: not ansible_check_mode
+
+- name: Restart alloy macos
+  listen: "restart alloy macos"
+  ansible.builtin.command: "brew services restart {{ __alloy_brew_package }}"
+  when:
+    - not ansible_check_mode
+    - ansible_facts['os_family'] == 'Darwin'
diff --git a/ansible_collections/grafana/grafana/roles/alloy/meta/main.yml b/ansible_collections/grafana/grafana/roles/alloy/meta/main.yml
new file mode 100644
index 00000000..6f7048e1
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/meta/main.yml
@@ -0,0 +1,34 @@
+---
+galaxy_info:
+  role_name: alloy
+  author: Ishan Jain, voidquark
+  description: Role to Install and Configure Grafana Alloy
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.13"
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: macOS
+      versions:
+        - all
+    - name: opensuse
+      versions:
+        - all
+  galaxy_tags:
+    - alloy
+    - grafana
+    - observability
+    - monitoring
+    - opentelemetry
+    - telemetry
diff --git a/ansible_collections/grafana/grafana/roles/alloy/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/alloy/molecule/default/converge.yml
new file mode 100644
index 00000000..e14f0e92
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/molecule/default/converge.yml
@@ -0,0 +1,17 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    alloy_version: "1.4.2"
+    alloy_config: |
+      prometheus.scrape "default" {
+          targets = [{"__address__" = "127.0.0.1:12345"}]
+          forward_to = [prometheus.remote_write.prom.receiver]
+      }
+      prometheus.remote_write "prom" {
+        endpoint {
+            url = "http://mimir:9009/api/v1/push"
+        }
+      }
+  roles:
+    - role: grafana.grafana.alloy
diff --git a/ansible_collections/grafana/grafana/roles/alloy/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/alloy/molecule/default/molecule.yml
new file mode 100644
index 00000000..339965a5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+dependency:
+  name: galaxy
+  options:
+    ignore-errors: true
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/deploy.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/deploy.yml
new file mode 100644
index 00000000..7c38cdaa
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/deploy.yml
@@ -0,0 +1,176 @@
+---
+- name: Obtain the latest version from the GitHub repo
+  when: alloy_version == "latest"
+  block:
+    - name: Scrape Github API endpoint to obtain latest Alloy version
+      ansible.builtin.uri:
+        url: "{{ alloy_github_api_url }}"
+        method: GET
+        body_format: json
+      become: false
+      delegate_to: localhost
+      run_once: true
+      check_mode: false
+      register: __github_latest_version
+
+    - name: Latest available Alloy version
+      ansible.builtin.set_fact:
+        alloy_version: "{{ __github_latest_version.json.tag_name | regex_replace('^v?(\\d+\\.\\d+\\.\\d+)$', '\\1') }}"
+
+- name: Verify current deployed version
+  when: ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+  block:
+    - name: Check if Alloy binary is present
+      ansible.builtin.stat:
+        path: "/usr/bin/alloy"
+      register: __already_deployed
+
+    - name: Obtain current deployed Alloy version
+      ansible.builtin.command:
+        cmd: "/usr/bin/alloy --version"
+      changed_when: false
+      register: __current_deployed_version
+      when: __already_deployed.stat.exists | bool
+
+- name: Verify current deployed version on macOS
+  when: ansible_facts['os_family'] == 'Darwin'
+  block:
+    - name: Check if Alloy is installed via Homebrew
+      ansible.builtin.command: brew list --versions {{ __alloy_brew_package }}
+      register: __brew_alloy_version
+      failed_when: false
+      changed_when: false
+
+    - name: Extract current Alloy version on macOS
+      ansible.builtin.set_fact:
+        __current_deployed_version:
+          stdout: "{{ __brew_alloy_version.stdout }}"
+      when: __brew_alloy_version.rc == 0
+
+- name: Include RedHat/Rocky setup
+  ansible.builtin.include_tasks:
+    file: setup-RedHat.yml
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Include Debian/Ubuntu setup
+  ansible.builtin.include_tasks:
+    file: setup-Debian.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Include macOS/Darwin setup
+  ansible.builtin.include_tasks:
+    file: setup-Darwin.yml
+  when: ansible_facts['os_family'] == 'Darwin'
+
+- name: Include SUSE setup
+  ansible.builtin.include_tasks:
+    file: setup-Suse.yml
+  when: ansible_facts['os_family'] == 'Suse'
+
+- name: Alloy systemd override
+  when:
+    - alloy_systemd_override | length > 0
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+  block:
+    - name: Ensure that Alloy systemd override path exist
+      ansible.builtin.file:
+        path: "/etc/systemd/system/alloy.service.d"
+        state: directory
+        owner: "root"
+        group: "root"
+        mode: "0750"
+      notify: restart alloy
+
+    - name: Template Alloy systemd override.conf - /etc/systemd/system/alloy.service.d/override.conf
+      ansible.builtin.template:
+        src: "override.conf.j2"
+        dest: "/etc/systemd/system/alloy.service.d/override.conf"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      notify: restart alloy
+
+- name: Template Alloy env file - {{ __alloy_env_file }}
+  ansible.builtin.template:
+    src: "alloy.j2"
+    dest: "{{ __alloy_env_file }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: restart alloy
+  when: ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+
+- name: Template Alloy config - /etc/alloy/config.alloy
+  ansible.builtin.template:
+    src: "config.alloy.j2"
+    dest: "/etc/alloy/config.alloy"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  when:
+    - alloy_config | length > 0
+    - alloy_env_file_vars.CONFIG_FILE is not defined
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+  notify: restart alloy
+
+- name: Ensure that /etc/alloy/alloy.config is absent when a custom configuration file/dir is specified in alloy_env_file_vars.CONFIG_FILE
+  ansible.builtin.file:
+    path: "/etc/alloy/config.alloy"
+    state: absent
+  when:
+    - alloy_config | length < 1 or alloy_env_file_vars.CONFIG_FILE is defined
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+
+- name: Add the Alloy system user to additional group
+  ansible.builtin.user:
+    name: "alloy"
+    groups: "{{ item }}"
+    system: true
+    append: true
+    create_home: false
+    state: present
+  loop: "{{ alloy_user_groups }}"
+  when:
+    - alloy_user_groups | length > 0
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+
+- name: Get firewalld state
+  ansible.builtin.systemd:
+    name: "firewalld"
+  register: __firewalld_service_state
+  when: ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+
+- name: Enable firewalld rule to expose Alloy tcp port {{ __alloy_server_http_listen_port }}
+  ansible.posix.firewalld:
+    immediate: true
+    permanent: true
+    port: "{{ __alloy_server_http_listen_port }}/tcp"
+    state: enabled
+  when:
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+    - __firewalld_service_state.status.ActiveState == "active"
+    - alloy_expose_port | bool
+
+- name: Flush handlers after deployment
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure that Alloy is started (Linux)
+  ansible.builtin.systemd:
+    name: alloy.service
+    state: started
+  when:
+    - not ansible_check_mode
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
+
+- name: Verify that Alloy URL is responding
+  ansible.builtin.uri:
+    url: "{{ alloy_readiness_check_use_https | ansible.builtin.ternary('https', 'http') }}://{{ __alloy_server_http_listen_address }}:{{ __alloy_server_http_listen_port }}/-/ready"
+    method: GET
+    use_proxy: "{{ alloy_readiness_check_use_proxy | bool }}"
+  register: __alloy_verify_url_status_code
+  retries: 5
+  delay: 8
+  until: __alloy_verify_url_status_code.status == 200
+  when:
+    - not ansible_check_mode
+    - ansible_facts['os_family'] in ['RedHat', 'Debian', 'Suse']
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/main.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/main.yml
new file mode 100644
index 00000000..e5c2462c
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+# tasks file for alloy
+- name: Include OS specific variables
+  ansible.builtin.include_vars:
+    file: "{{ ansible_facts['os_family'] }}.yml"
+
+- name: Preflight
+  ansible.builtin.include_tasks:
+    file: "preflight.yml"
+
+- name: Deploy Alloy service
+  ansible.builtin.include_tasks:
+    file: "deploy.yml"
+  when: not alloy_uninstall
+
+- name: Uninstall Alloy service
+  ansible.builtin.include_tasks:
+    file: "uninstall.yml"
+  when: alloy_uninstall
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/preflight.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/preflight.yml
new file mode 100644
index 00000000..355a2a67
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/preflight.yml
@@ -0,0 +1,26 @@
+---
+- name: Fail when alloy_config or alloy_env_file_vars.CONFIG_FILE is not defined
+  ansible.builtin.fail:
+    msg: Variable alloy_config or alloy_env_file_vars.CONFIG_FILE is required!
+  when:
+    - alloy_config | length < 1
+    - alloy_env_file_vars.CONFIG_FILE is not defined
+    - not alloy_uninstall
+
+- name: Extract IP address and PORT from alloy_env_file_vars
+  when: alloy_env_file_vars.CUSTOM_ARGS is defined and alloy_env_file_vars.CUSTOM_ARGS | length > 0
+  block:
+    - name: Search for server.http.listen-addr string
+      ansible.builtin.set_fact:
+        __alloy_server_http_listen_addr_regex: "{{ alloy_env_file_vars.CUSTOM_ARGS | regex_search('--server.http.listen-addr=([\\d\\.]+):(\\d+)', '\\1', '\\2') or [] }}"
+
+    - name: Extract IP address and port
+      ansible.builtin.set_fact:
+        __alloy_server_http_listen_address: "{{ __alloy_server_http_listen_addr_regex[0] }}"
+        __alloy_server_http_listen_port: "{{ __alloy_server_http_listen_addr_regex[1] }}"
+      when: __alloy_server_http_listen_addr_regex | length > 0
+
+    - name: Assert that extracted IP address is valid
+      ansible.builtin.assert:
+        that: (__alloy_server_http_listen_address | ansible.utils.ipaddr) != ""
+      when: __alloy_server_http_listen_addr_regex | length > 0
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Darwin.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Darwin.yml
new file mode 100644
index 00000000..40839bac
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Darwin.yml
@@ -0,0 +1,96 @@
+---
+- name: Check if Homebrew is installed
+  ansible.builtin.command: which brew
+  register: __brew_check
+  changed_when: false
+  failed_when: false
+
+- name: Fail if Homebrew is not installed
+  ansible.builtin.fail:
+    msg: "Homebrew is required but not installed"
+  when: __brew_check.rc != 0
+
+- name: Get Homebrew prefix
+  ansible.builtin.command: brew --prefix
+  register: __brew_prefix
+  changed_when: false
+
+- name: Set Alloy config directory path
+  ansible.builtin.set_fact:
+    __alloy_config_path: "{{ __alloy_config_path_default }}"
+
+- name: Add Grafana tap to Homebrew
+  community.general.homebrew_tap:
+    name: "{{ __alloy_brew_tap }}"
+    state: present
+
+- name: Install Alloy via Homebrew
+  community.general.homebrew:
+    name: "{{ __alloy_brew_package }}"
+    state: present
+    update_homebrew: true
+
+- name: Ensure Alloy config directory exists
+  ansible.builtin.file:
+    path: "{{ __alloy_config_path }}"
+    state: directory
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_gid }}"
+    mode: '0755'
+
+- name: Template Alloy config
+  ansible.builtin.template:
+    src: "config.alloy.j2"
+    dest: "{{ __alloy_config_path }}/config.alloy"
+    owner: "{{ ansible_user_id }}"
+    group: "{{ ansible_user_gid }}"
+    mode: '0644'
+    backup: true
+  when: alloy_config | length > 0
+  notify: restart alloy macos
+
+- name: Check if Alloy service is loaded
+  ansible.builtin.command: brew services list
+  register: __brew_services
+  changed_when: false
+
+- name: Stop Alloy service if it exists (to clean up any issues)
+  ansible.builtin.command: "brew services stop {{ __alloy_brew_package }}"
+  register: __stop_result
+  failed_when: false
+  changed_when: "'Successfully stopped' in __stop_result.stdout"
+  when: "'alloy' in __brew_services.stdout"
+
+- name: Start Alloy service
+  ansible.builtin.command: "brew services start {{ __alloy_brew_package }}"
+  when:
+    - "'alloy' not in __brew_services.stdout or 'started' not in __brew_services.stdout"
+  register: __service_start
+  failed_when: __service_start.rc != 0
+
+- name: Restart Alloy service if already running
+  ansible.builtin.command: "brew services restart {{ __alloy_brew_package }}"
+  when:
+    - "'alloy' in __brew_services.stdout and 'started' in __brew_services.stdout"
+  register: __service_restart
+  failed_when: __service_restart.rc != 0
+
+- name: Check final service status
+  ansible.builtin.command: brew services list
+  register: __final_brew_services
+  changed_when: false
+
+- name: Verify Alloy installation
+  ansible.builtin.command: alloy --version
+  register: __alloy_version_output
+  changed_when: false
+  failed_when: false
+
+- name: Display Alloy version
+  ansible.builtin.debug:
+    msg: "Alloy version: {{ __alloy_version_output.stdout }}"
+  when: __alloy_version_output.rc == 0
+
+- name: Display service status
+  ansible.builtin.debug:
+    msg: "Alloy service status: {{ __final_brew_services.stdout_lines | select('match', '.*alloy.*') | list }}"
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Debian.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Debian.yml
new file mode 100644
index 00000000..7e380c0f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Debian.yml
@@ -0,0 +1,7 @@
+---
+- name: APT - Install Alloy
+  ansible.builtin.apt:
+    deb: "{{ alloy_download_url_deb }}"
+    state: present
+  notify: restart alloy
+  when: __current_deployed_version.stdout is not defined or alloy_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-RedHat.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-RedHat.yml
new file mode 100644
index 00000000..a3945807
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-RedHat.yml
@@ -0,0 +1,8 @@
+---
+- name: DNF - Install Alloy from remote URL
+  ansible.builtin.package:
+    name: "{{ alloy_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: restart alloy
+  when: __current_deployed_version.stdout is not defined or alloy_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Suse.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Suse.yml
new file mode 100644
index 00000000..a68d6683
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/setup-Suse.yml
@@ -0,0 +1,8 @@
+---
+- name: Zypper - Install Alloy from remote URL
+  community.general.zypper:
+    name: "{{ alloy_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: restart alloy
+  when: __current_deployed_version.stdout is not defined or alloy_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/alloy/tasks/uninstall.yml b/ansible_collections/grafana/grafana/roles/alloy/tasks/uninstall.yml
new file mode 100644
index 00000000..529dfcee
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/tasks/uninstall.yml
@@ -0,0 +1,75 @@
+---
+- name: Stop Alloy service
+  ansible.builtin.systemd:  # noqa ignore-errors
+    name: alloy
+    state: stopped
+  ignore_errors: true
+
+- name: Stop Alloy service on macOS
+  ansible.builtin.command: "brew services stop {{ __alloy_brew_package }}"
+  when: ansible_facts['os_family'] == 'Darwin'
+  failed_when: false
+
+- name: Uninstall Alloy rpm package
+  ansible.builtin.package:
+    name: "alloy"
+    state: absent
+    autoremove: true
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Uninstall Alloy deb package
+  ansible.builtin.apt:
+    name: "alloy"
+    state: absent
+    purge: true
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Uninstall Alloy via Homebrew
+  community.general.homebrew:
+    name: "{{ __alloy_brew_package }}"
+    state: absent
+  when: ansible_facts['os_family'] == 'Darwin'
+
+- name: Uninstall Alloy rpm package (SUSE)
+  community.general.zypper:
+    name: "alloy"
+    state: absent
+  when: ansible_facts['os_family'] == 'Suse'
+
+- name: Ensure that Alloy firewalld rule is not present - tcp port {{ __alloy_server_http_listen_port }}
+  ansible.posix.firewalld:  # noqa ignore-errors
+    immediate: true
+    permanent: true
+    port: "{{ __alloy_server_http_listen_port }}/tcp"
+    state: disabled
+  ignore_errors: true
+
+- name: Remove Alloy directories
+  ansible.builtin.file:
+    path: "{{ remove_me }}"
+    state: absent
+  loop:
+    - "/etc/alloy"
+    - "/etc/systemd/system/alloy.service.d"
+    - "/var/lib/alloy"
+    - "/etc/sysconfig/alloy"
+    - "/etc/default/alloy"
+  loop_control:
+    loop_var: remove_me
+
+- name: Remove Alloy config directory on macOS
+  ansible.builtin.file:
+    path: "{{ __alloy_config_path_default }}"
+    state: absent
+  when: ansible_facts['os_family'] == 'Darwin'
+
+- name: Remove the Alloy system user
+  ansible.builtin.user:
+    name: "alloy"
+    force: true
+    state: absent
+
+- name: Remove Alloy system group
+  ansible.builtin.group:
+    name: "alloy"
+    state: absent
diff --git a/ansible_collections/grafana/grafana/roles/alloy/templates/alloy.j2 b/ansible_collections/grafana/grafana/roles/alloy/templates/alloy.j2
new file mode 100644
index 00000000..ef131abf
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/templates/alloy.j2
@@ -0,0 +1,10 @@
+# Ansible Managed
+
+{% if alloy_env_file_vars.CONFIG_FILE is not defined or alloy_env_file_vars.CONFIG_FILE | length < 1 %}
+CONFIG_FILE="/etc/alloy/config.alloy"
+{% endif %}
+RESTART_ON_UPGRADE=true
+
+{% for key, value in alloy_env_file_vars.items() %}
+{{ key}}="{{value}}"
+{% endfor %}
diff --git a/ansible_collections/grafana/grafana/roles/alloy/templates/config.alloy.j2 b/ansible_collections/grafana/grafana/roles/alloy/templates/config.alloy.j2
new file mode 100644
index 00000000..8a6b406f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/templates/config.alloy.j2
@@ -0,0 +1,3 @@
+// Ansible Managed
+
+{{ alloy_config }}
diff --git a/ansible_collections/grafana/grafana/roles/alloy/templates/override.conf.j2 b/ansible_collections/grafana/grafana/roles/alloy/templates/override.conf.j2
new file mode 100644
index 00000000..77f52b32
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/templates/override.conf.j2
@@ -0,0 +1,3 @@
+# Ansible Managed
+
+{{ alloy_systemd_override }}
diff --git a/ansible_collections/grafana/grafana/roles/alloy/vars/Darwin.yml b/ansible_collections/grafana/grafana/roles/alloy/vars/Darwin.yml
new file mode 100644
index 00000000..2af21169
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/vars/Darwin.yml
@@ -0,0 +1,5 @@
+---
+# macOS/Darwin specific variables
+__alloy_brew_tap: "grafana/grafana"
+__alloy_brew_package: "grafana/grafana/alloy"
+__alloy_config_path_default: "{{ __brew_prefix.stdout | default('/opt/homebrew') }}"
diff --git a/ansible_collections/grafana/grafana/roles/alloy/vars/Debian.yml b/ansible_collections/grafana/grafana/roles/alloy/vars/Debian.yml
new file mode 100644
index 00000000..67a544cc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+__alloy_env_file: "/etc/default/alloy"
diff --git a/ansible_collections/grafana/grafana/roles/alloy/vars/RedHat.yml b/ansible_collections/grafana/grafana/roles/alloy/vars/RedHat.yml
new file mode 100644
index 00000000..4bf22251
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+__alloy_env_file: "/etc/sysconfig/alloy"
diff --git a/ansible_collections/grafana/grafana/roles/alloy/vars/Suse.yml b/ansible_collections/grafana/grafana/roles/alloy/vars/Suse.yml
new file mode 100644
index 00000000..4bf22251
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/vars/Suse.yml
@@ -0,0 +1,2 @@
+---
+__alloy_env_file: "/etc/sysconfig/alloy"
diff --git a/ansible_collections/grafana/grafana/roles/alloy/vars/main.yml b/ansible_collections/grafana/grafana/roles/alloy/vars/main.yml
new file mode 100644
index 00000000..12e99008
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/alloy/vars/main.yml
@@ -0,0 +1,9 @@
+---
+__alloy_server_http_listen_address: 127.0.0.1
+__alloy_server_http_listen_port: 12345
+__alloy_arch_map:
+  x86_64: 'amd64'
+  armv6l: 'arm'
+  armv7l: 'arm'
+  aarch64: 'arm64'
+__alloy_arch: "{{ __alloy_arch_map[ansible_facts['architecture']] | default(ansible_facts['architecture']) }}"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/README.md b/ansible_collections/grafana/grafana/roles/grafana/README.md
new file mode 100644
index 00000000..4addc328
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/README.md
@@ -0,0 +1,132 @@
+<p><img src="https://grafana.com/blog/assets/img/blog/timeshift/grafana_release_icon.png" alt="grafana logo" title="grafana" align="right" height="60" /></p>
+
+# Ansible Role: grafana.grafana.grafana
+
+[![License](https://img.shields.io/badge/license-MIT%20License-brightgreen.svg)](https://opensource.org/licenses/MIT)
+
+Provision and manage [Grafana](https://github.com/grafana/grafana) - platform for analytics and monitoring
+
+## Requirements
+
+- Ansible >= 2.9 (It might work on previous versions, but we cannot guarantee it)
+- libselinux-python on deployer host (only when deployer machine has SELinux)
+- Grafana >= 5.1 (for older Grafana versions use this role in version 0.10.1 or earlier)
+- jmespath on deployer machine. If you are using Ansible from a Python virtualenv, install *jmespath* to the same virtualenv via pip.
+
+## Role Variables
+
+All variables which can be overridden are stored in [defaults/main.yml](defaults/main.yml) file as well as in table below.
+
+| Name           | Default Value | Description                        |
+| -------------- | ------------- | -----------------------------------|
+| `grafana_use_provisioning` | true | Use Grafana provisioning capability when possible (**grafana_version=latest will assume >= 5.0**). |
+| `grafana_provisioning_synced` | false | Ensure no previously provisioned dashboards are kept if not referenced anymore. |
+| `grafana_version` | latest | Grafana package version |
+| `grafana_manage_repo` | true | Manage package repository (or don't) |
+| `grafana_yum_repo` | https://rpm.grafana.com | Yum repository URL |
+| `grafana_yum_key` | https://rpm.grafana.com/gpg.key | Yum repository gpg key |
+| `grafana_rhsm_subscription` | | rhsm subscription name (redhat subscription-manager) |
+| `grafana_rhsm_repo` | | rhsm repository name (redhat subscription-manager) |
+| `grafana_apt_release_channel` | stable | Apt release chanel (stable or beta) |
+| `grafana_apt_arch` | {{ 'arm64' if ansible_facts['architecture'] == 'aarch64' else 'amd64' }} | Apt architecture | 
+| `grafana_apt_repo` | deb [arch={{ grafana_apt_arch }} signed-by=/usr/share/keyrings/grafana.asc] https://apt.grafana.com/ {{ grafana_apt_release_channel }} main | Apt repository string |
+| `grafana_apt_key` | https://apt.grafana.com/gpg.key | Apt repository gpg key |
+| `grafana_ini.instance_name` | {{ ansible_facts['fqdn'] \| default(ansible_host) \| default(inventory_hostname) }} | Grafana instance name |
+| `grafana_ini.paths.logs` | /var/log/grafana | Path to logs directory |
+| `grafana_ini.paths.data` | /var/lib/grafana | Path to database directory |
+| `grafana_ini.server.http_addr` | 0.0.0.0 | Address on which Grafana listens |
+| `grafana_ini.server.http_port` | 3000 | port on which Grafana listens |
+| `grafana_cap_net_bind_service` | false | Enables the use of ports below 1024 without root privileges by leveraging the 'capabilities' of the linux kernel. read: http://man7.org/linux/man-pages/man7/capabilities.7.html |
+| `grafana_ini.server.root_url` | "http://{{ grafana_ini.server.http_addr }}:{{ grafana_ini.server.http_port }}" | Full URL used to access Grafana from a web browser |
+| `grafana_api_url` | "{{ grafana_url }}" | URL used for API calls in provisioning if different from public URL. See [this issue](https://github.com/cloudalchemy/ansible-grafana/issues/70). |
+| `grafana_ini.server.domain` | "{{ ansible_facts['fqdn'] \| default(ansible_host) \| default('localhost') }}" | setting is only used in as a part of the `root_url` option. Useful when using GitHub or Google OAuth |
+| `grafana_ini.server` | { protocol: http, enforce_domain: false, socket: "", cert_key: "", cert_file: "", enable_gzip: false, static_root_path: public, router_logging: false } | [server](http://docs.grafana.org/installation/configuration/#server) configuration section |
+| `grafana_ini.security` | { admin_user: admin, admin_password: "" } | [security](http://docs.grafana.org/installation/configuration/#security) configuration section |
+| `grafana_ini.database` | { type: sqlite3 } | [database](http://docs.grafana.org/installation/configuration/#database) configuration section |
+| `grafana_ini.users` | { allow_sign_up: false, auto_assign_org_role: Viewer, default_theme: dark } | [users](http://docs.grafana.org/installation/configuration/#users) configuration section |
+| `grafana_ini.auth` | {} | [authorization](http://docs.grafana.org/installation/configuration/#auth) configuration section |
+| `grafana_ldap` | {} | [ldap](http://docs.grafana.org/installation/ldap/) configuration section. group_mappings are expanded, see defaults for example |
+| `grafana_dashboards` | [] | List of dashboards which should be imported |
+| `grafana_dashboards_dir` | "dashboards" | Path to a local directory containing dashboards files in `json` format |
+| `grafana_datasources` | [] | List of datasources which should be configured |
+| `grafana_environment` | {} | Optional Environment param for Grafana installation, useful ie for setting http_proxy |
+| `grafana_plugins` | [] |  List of Grafana plugins which should be installed |
+| `grafana_alert_notifications` | [] | List of alert notification channels to be created, updated, or deleted |
+
+Data source example:
+
+```yaml
+grafana_datasources:
+  - name: prometheus
+    type: prometheus
+    access: proxy
+    url: 'http://{{ prometheus_web_listen_address }}'
+    basicAuth: false
+```
+
+Dashboard example:
+
+```yaml
+grafana_dashboards:
+  - dashboard_id: 111
+    revision_id: 1
+    datasource: prometheus
+```
+
+Alert notification channel example:
+
+**NOTE**: setting the variable `grafana_alert_notifications` will only come into
+effect when `grafana_use_provisioning` is `true`. That means the new
+provisioning system using config files, which is available starting from Grafana
+v5.0, needs to be in use.
+
+```yaml
+grafana_alert_notifications:
+  notifiers:
+    - name: Channel 1
+      type: email
+      uid: channel1
+      is_default: false
+      send_reminder: false
+      settings:
+        addresses: "example@example.com"
+        autoResolve: true
+  delete_notifiers:
+    - name: Channel 2
+      uid: channel2
+```
+
+## Supported CPU Architectures
+
+Historically packages were taken from different channels according to CPU architecture. Specifically, armv6/armv7 and aarch64/arm64 packages were via [unofficial packages distributed by fg2it](https://github.com/fg2it/grafana-on-raspberry). Now that Grafana publishes official ARM builds, all packages are taken from the official [Debian/Ubuntu](http://docs.grafana.org/installation/debian/#installing-on-debian-ubuntu) or [RPM](http://docs.grafana.org/installation/rpm/) packages.
+
+## Example
+
+### Playbook
+
+Fill in the admin password field with your choice, the Grafana web page won't ask to change it at the first login.
+
+```yaml
+- hosts: all
+  roles:
+    - role: grafana.grafana.grafana
+      vars:
+        grafana_ini:
+          security:
+            admin_user: admin
+            admin_password: enter_your_secure_password
+```
+
+
+## Local Testing
+
+The preferred way of locally testing the role is to use Docker and [molecule](https://github.com/ansible-community/molecule). You will have to install Docker on your system.
+
+For more information about molecule go to their [docs](http://molecule.readthedocs.io/en/latest/).
+
+## License
+
+This project is licensed under MIT License. See [LICENSE](/LICENSE) for more details.
+
+## Credits
+This role was migrated from [cloudalchemy.grafana](https://github.com/cloudalchemy/ansible-grafana).
diff --git a/ansible_collections/grafana/grafana/roles/grafana/defaults/main.yml b/ansible_collections/grafana/grafana/roles/grafana/defaults/main.yml
new file mode 100644
index 00000000..ac1bfea1
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/defaults/main.yml
@@ -0,0 +1,211 @@
+---
+grafana_version: latest
+grafana_manage_repo: true
+
+grafana_yum_repo: "https://rpm.grafana.com"
+grafana_yum_key: "https://rpm.grafana.com/gpg.key"
+
+grafana_rhsm_subscription: ""
+grafana_rhsm_repo: ""
+
+grafana_apt_release_channel: stable
+grafana_apt_arch: "{{ 'arm64' if ansible_facts['architecture'] == 'aarch64' else 'amd64' }}"
+grafana_apt_repo_uri: "https://apt.grafana.com/"
+grafana_apt_repo: "deb [arch={{ grafana_apt_arch }} signed-by=/usr/share/keyrings/grafana.asc] {{ grafana_apt_repo_uri }} {{ grafana_apt_release_channel }} main"
+grafana_apt_key: "https://apt.grafana.com/gpg.key"
+grafana_apt_name: "grafana"
+
+# Should we use the provisioning capability when possible (provisioning require grafana >= 5.0)
+grafana_use_provisioning: true
+
+# Should the provisioning be kept synced. If true, previous provisioned objects will be removed if not referenced anymore.
+grafana_provisioning_synced: false
+
+# Should we provision dashboards by following the files structure. This sets the foldersFromFilesStructure option
+grafana_provisioning_dashboards_from_file_structure: false
+
+# To enable the use of ports below 1024 for unprivileged processes linux needs to set CAP_NET_BIND_SERVICE.
+# This has some security implications, and should be a conscious choice.
+# Get informed by reading: http://man7.org/linux/man-pages/man7/capabilities.7.html
+grafana_cap_net_bind_service: false
+
+grafana_ini_default:
+  instance_name: "{{ ansible_facts['fqdn'] | default(ansible_host) | default(inventory_hostname) }}"
+
+  paths:
+    logs: "/var/log/grafana"
+    data: "/var/lib/grafana"
+
+  server:
+    http_addr: "0.0.0.0"
+    http_port: 3000
+    # External Grafana address. Variable maps to "root_url" in grafana server section
+    #root_url: "http://{{ grafana_ini.server.http_addr }}:{{ grafana_ini.server.http_port }}"
+    domain: "{{ ansible_facts['fqdn'] | default(ansible_host) | default('localhost') }}"
+
+    # Additional options for grafana "server" section
+    # This section WILL omit options for: http_addr, http_port, domain, and root_url, as those settings are set by variables listed before
+    protocol: http
+    enforce_domain: false
+    socket: ""
+    cert_key: ""
+    cert_file: ""
+    enable_gzip: false
+    static_root_path: public
+    router_logging: false
+    serve_from_sub_path: false
+
+  # Variables correspond to ones in grafana.ini configuration file
+  # Security
+  security:
+    admin_user: admin
+    admin_password: ""
+    # secret_key: ""
+    # login_remember_days: 7
+    # cookie_username: grafana_user
+    # cookie_remember_name: grafana_remember
+    # disable_gravatar: true
+    # data_source_proxy_whitelist:
+
+  # Database setup
+  database:
+    type: sqlite3
+    # host: 127.0.0.1:3306
+    # name: grafana
+    # user: root
+    # password: ""
+    # url: ""
+    # ssl_mode: disable
+    # path: grafana.db
+    # max_idle_conn: 2
+    # max_open_conn: ""
+    # log_queries: ""
+
+  # User management and registration
+  users:
+    allow_sign_up: false
+    # allow_org_create: true
+    # auto_assign_org: true
+    auto_assign_org_role: Viewer
+    # login_hint: "email or username"
+    default_theme: dark
+    # external_manage_link_url: ""
+    # external_manage_link_name: ""
+    # external_manage_info: ""
+
+  # grafana authentication mechanisms
+  auth: {}
+  #  disable_login_form: false
+  #  oauth_auto_login: false
+  #  disable_signout_menu: false
+  #  signout_redirect_url: ""
+  #  anonymous:
+  #    org_name: "Main Organization"
+  #    org_role: Viewer
+  #  ldap:
+  #    config_file: "/etc/grafana/ldap.toml"
+  #    allow_sign_up: false
+  #  basic:
+  #    enabled: true
+
+
+grafana_api_url: "{{ grafana_ini.server.root_url }}"
+
+grafana_ldap: {}
+#  verbose_logging: false
+#  servers:
+#    host: 127.0.0.1
+#    port: 389 # 636 for SSL
+#    use_ssl: false
+#    start_tls: false
+#    ssl_skip_verify: false
+#    root_ca_cert: /path/to/certificate.crt
+#    bind_dn: "cn=admin,dc=grafana,dc=org"
+#    bind_password: grafana
+#    search_filter: "(cn=%s)" # "(sAMAccountName=%s)" on AD
+#    search_base_dns:
+#      - "dc=grafana,dc=org"
+#    group_search_filter: "(&(objectClass=posixGroup)(memberUid=%s))"
+#    group_search_base_dns:
+#      - "ou=groups,dc=grafana,dc=org"
+#    attributes:
+#      name: givenName
+#      surname: sn
+#      username: sAMAccountName
+#      member_of: memberOf
+#      email: mail
+#  group_mappings:
+#    - name: Main Org.
+#      id: 1
+#      groups:
+#        - group_dn: "cn=admins,ou=groups,dc=grafana,dc=org"
+#          org_role: Admin
+#        - group_dn: "cn=editors,ou=groups,dc=grafana,dc=org"
+#          org_role: Editor
+#        - group_dn: "*"
+#          org_role: Viewer
+#    - name: Alternative Org
+#      id: 2
+#      groups:
+#        - group_dn: "cn=alternative_admins,ou=groups,dc=grafana,dc=org"
+#          org_role: Admin
+
+#######
+# Plugins to install from https://grafana.com/plugins
+grafana_plugins: []
+#  - raintank-worldping-app
+
+# Dashboards from https://grafana.com/dashboards
+grafana_dashboards: []
+#  - dashboard_id: '4271'
+#    revision_id: '3'
+#    datasource: 'Prometheus'
+#  - dashboard_id: '1860'
+#    revision_id: '4'
+#    datasource: 'Prometheus'
+#  - dashboard_id: '358'
+#    revision_id: '1'
+#    datasource: 'Prometheus'
+
+grafana_dashboards_dir: "dashboards"
+
+# Alert notification channels to configure
+grafana_alert_notifications: []
+#  - name: "Email Alert"
+#    type: "email"
+#    uid: channel1
+#    is_default: true
+#    settings:
+#      addresses: "example@example.com"
+
+# Alert resources channels to configure
+grafana_alert_resources: {}
+
+# Datasources to configure
+grafana_datasources: []
+#  - name: "Prometheus"
+#    type: "prometheus"
+#    access: "proxy"
+#    url: "http://prometheus.mydomain"
+#    basicAuth: true
+#    basicAuthUser: "admin"
+#    basicAuthPassword: "password"
+#    isDefault: true
+#    jsonData:
+#      tlsAuth: false
+#      tlsAuthWithCACert: false
+#      tlsSkipVerify: true
+
+# API keys to configure
+grafana_api_keys: []
+#  - name: "admin"
+#    role: "Admin"
+#  - name: "viewer"
+#    role: "Viewer"
+#  - name: "editor"
+#    role: "Editor"
+
+# The location where the keys should be stored.
+grafana_api_keys_dir: "{{ lookup('env', 'HOME') }}/grafana/keys"
+
+grafana_environment: {}
diff --git a/ansible_collections/grafana/grafana/roles/grafana/handlers/main.yml b/ansible_collections/grafana/grafana/roles/grafana/handlers/main.yml
new file mode 100644
index 00000000..b00b2f22
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/handlers/main.yml
@@ -0,0 +1,48 @@
+---
+- name: "Restart grafana"
+  ansible.builtin.service:
+    name: grafana-server
+    state: restarted
+  become: true
+  listen: "restart_grafana"
+  tags:
+    - grafana_run
+
+- name: "Set privileges on provisioned dashboards"
+  ansible.builtin.file:
+    path: "{{ grafana_ini.paths.data }}/dashboards"
+    recurse: true
+    owner: "grafana"
+    group: "grafana"
+    mode: "u=rwX,g=rX,o=rX"
+  become: true
+  listen: "provisioned dashboards changed"
+
+- name: "Set privileges on provisioned dashboards directory"
+  ansible.builtin.file:
+    path: "{{ grafana_ini.paths.data }}/dashboards"
+    state: "directory"
+    recurse: false
+    mode: "0755"
+  become: true
+  listen: "provisioned dashboards changed"
+
+- name: "Find dashboards subdirectories"
+  ansible.builtin.find:
+    paths:  "{{ grafana_ini.paths.data }}/dashboards"
+    recurse: yes
+    file_type: directory
+  register: __dashboards_subdirs
+  become: true
+  listen: "provisioned dashboards changed"
+
+- name: "Set privileges on provisioned dashboards sub-directories"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: "directory"
+    recurse: false
+    mode: "0755"
+  with_items:
+    - "{{ __dashboards_subdirs.files | map(attribute='path') | list }}"
+  become: true
+  listen: "provisioned dashboards changed"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/meta/main.yml b/ansible_collections/grafana/grafana/roles/grafana/meta/main.yml
new file mode 100644
index 00000000..a8dbc334
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/meta/main.yml
@@ -0,0 +1,31 @@
+---
+galaxy_info:
+  author: "Grafana"
+  description: "Grafana - platform for analytics and monitoring"
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - xenial
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: EL
+      versions:
+        - "7"
+        - "8"
+    - name: Fedora
+      versions:
+        - "30"
+        - "31"
+  galaxy_tags:
+    - grafana
+    - dashboard
+    - alerts
+    - alerting
+    - presentation
+    - monitoring
+    - metrics
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/converge.yml b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/converge.yml
new file mode 100644
index 00000000..b8350325
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/converge.yml
@@ -0,0 +1,107 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.grafana
+  vars:
+    grafana_version: 6.2.5
+    grafana_ini:
+      security:
+        admin_user: admin
+        admin_password: "password"
+      server:
+        http_addr: "127.0.0.1"
+      auth:
+        login_maximum_inactive_lifetime_days: 42
+        disable_login_form: false
+        oauth_auto_login: false
+        disable_signout_menu: false
+        signout_redirect_url: ""
+        anonymous:
+          org_name: "Main Organization"
+          org_role: Viewer
+        ldap:
+          config_file: "/etc/grafana/ldap.toml"
+          allow_sign_up: false
+        basic:
+          enabled: true
+      log:
+        mode: syslog
+        level: warn
+    grafana_ldap:
+      verbose_logging: false
+      servers:
+        host: 127.0.0.1
+        port: 389
+        use_ssl: false
+        start_tls: false
+        ssl_skip_verify: false
+        root_ca_cert: /path/to/certificate.crt
+        bind_dn: "cn=admin,dc=grafana,dc=org"
+        bind_password: grafana
+        search_filter: "(cn=%s)"
+        search_base_dns:
+          - "dc=grafana,dc=org"
+        group_search_filter: "(&(objectClass=posixGroup)(memberUid=%s))"
+        group_search_base_dns:
+          - "ou=groups,dc=grafana,dc=org"
+        attributes:
+          name: givenName
+          surname: sn
+          username: sAMAccountName
+          member_of: memberOf
+          email: mail
+      group_mappings:
+        - name: "Main Organization"
+          id: 1
+          groups:
+            - group_dn: "cn=admins,ou=groups,dc=grafana,dc=org"
+              org_role: Admin
+            - group_dn: "cn=editors,ou=groups,dc=grafana,dc=org"
+              org_role: Editor
+            - group_dn: "*"
+              org_role: Viewer
+        - name: "Alternative Org"
+          id: 2
+          groups:
+            - group_dn: "cn=alternative_admins,ou=groups,dc=grafana,dc=org"
+              org_role: Admin
+    grafana_api_keys:
+      - name: "admin"
+        role: "Admin"
+      - name: "viewer"
+        role: "Viewer"
+      - name: "editor"
+        role: "Editor"
+    grafana_api_keys_dir: "/tmp/grafana/keys"
+    grafana_plugins:
+      - raintank-worldping-app
+    grafana_alert_notifications:
+      notifiers:
+        - name: "Email Alert"
+          type: "email"
+          uid: notifier1
+          is_default: true
+          settings:
+            addresses: "example@example.com"
+    grafana_dashboards:
+      - dashboard_id: '1860'
+        revision_id: '4'
+        datasource: 'Prometheus'
+      - dashboard_id: '358'
+        revision_id: '1'
+        datasource: 'Prometheus'
+    grafana_datasources:
+      - name: "Prometheus"
+        type: "prometheus"
+        access: "proxy"
+        url: "http://prometheus.mydomain"
+        basicAuth: true
+        basicAuthUser: "admin"
+        basicAuthPassword: "password"
+        isDefault: true
+        jsonData:
+          tlsAuth: false
+          tlsAuthWithCACert: false
+          tlsSkipVerify: true
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/molecule.yml b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/molecule.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/molecule.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/tests/test_alternative.py b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/tests/test_alternative.py
new file mode 100644
index 00000000..cf6476b0
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/alternative/tests/test_alternative.py
@@ -0,0 +1,52 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/grafana",
+        "/var/log/grafana",
+        "/var/lib/grafana",
+        "/var/lib/grafana/dashboards",
+        "/var/lib/grafana/plugins",
+        "/var/lib/grafana/plugins/raintank-worldping-app"
+    ]
+    files = [
+        "/etc/grafana/grafana.ini",
+        "/etc/grafana/ldap.toml"
+    ]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("grafana-server")
+    # assert s.is_enabled
+    assert s.is_running
+
+
+def test_packages(host):
+    p = host.package("grafana")
+    assert p.is_installed
+    assert p.version == "6.2.5"
+
+
+def test_socket(host):
+    assert host.socket("tcp://127.0.0.1:3000").is_listening
+
+
+def test_custom_auth_option(host):
+    f = host.file("/etc/grafana/grafana.ini")
+    assert f.contains("login_maximum_inactive_lifetime_days = 42")
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/converge.yml
new file mode 100644
index 00000000..29b62293
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/converge.yml
@@ -0,0 +1,11 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.grafana
+  vars:
+    grafana_ini:
+      security:
+        admin_user: admin
+        admin_password: password
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/molecule.yml
new file mode 100644
index 00000000..ed97d539
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/molecule.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible_collections/grafana/grafana/roles/grafana/molecule/default/tests/test_default.py b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/tests/test_default.py
new file mode 100644
index 00000000..67363a3a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/molecule/default/tests/test_default.py
@@ -0,0 +1,50 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/grafana",
+        "/var/log/grafana",
+        "/var/lib/grafana",
+        "/var/lib/grafana/dashboards",
+        "/var/lib/grafana/plugins"
+    ]
+    files = [
+        "/etc/grafana/grafana.ini"
+    ]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("grafana-server")
+    # assert s.is_enabled
+    assert s.is_running
+
+
+def test_packages(host):
+    p = host.package("grafana")
+    assert p.is_installed
+
+
+def test_socket(host):
+    assert host.socket("tcp://0.0.0.0:3000").is_listening
+
+
+def test_yum_repo(host):
+    if host.system_info.distribution in ['centos', 'redhat', 'fedora']:
+        f = host.file("/etc/yum.repos.d/grafana.repo")
+        assert f.exists
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/api_keys.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/api_keys.yml
new file mode 100644
index 00000000..d54f4e37
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/api_keys.yml
@@ -0,0 +1,43 @@
+---
+- name: "Ensure grafana key directory exists"
+  ansible.builtin.file:
+    path: "{{ grafana_api_keys_dir }}/{{ inventory_hostname }}"
+    state: directory
+    mode: "0755"
+  become: false
+  delegate_to: localhost
+
+- name: "Check api key list"
+  ansible.builtin.uri:
+    url: "{{ grafana_api_url }}/api/auth/keys"
+    user: "{{ grafana_ini.security.admin_user }}"
+    password: "{{ grafana_ini.security.admin_password }}"
+    force_basic_auth: true
+    return_content: true
+  register: __existing_api_keys
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+
+- name: "Create grafana api keys"
+  ansible.builtin.uri:
+    url: "{{ grafana_api_url }}/api/auth/keys"
+    user: "{{ grafana_ini.security.admin_user }}"
+    password: "{{ grafana_ini.security.admin_password }}"
+    force_basic_auth: true
+    method: POST
+    body_format: json
+    body: "{{ item | to_json }}"
+  loop: "{{ grafana_api_keys }}"
+  register: __new_api_keys
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+  when: "((__existing_api_keys['json'] | selectattr('name', 'equalto', item['name'])) | list) | length == 0"
+
+- name: "Create api keys file to allow the keys to be seen and used by other automation"
+  ansible.builtin.copy:
+    dest: "{{ grafana_api_keys_dir }}/{{ inventory_hostname }}/{{ item['item']['name'] }}.key"
+    content: "{{ item['json']['key'] }}"
+    backup: false
+    mode: "0644"
+  loop: "{{ __new_api_keys['results'] }}"
+  become: false
+  delegate_to: localhost
+  when: "item['json'] is defined"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/configure.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/configure.yml
new file mode 100644
index 00000000..b434cdca
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/configure.yml
@@ -0,0 +1,107 @@
+---
+- name: "Ensure grafana directories exist"
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "directory"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('grafana') }}"
+    mode: "{{ item.mode | default('0755') }}"
+  loop:
+    - path: "/etc/grafana"
+    - path: "/etc/grafana/datasources"
+    - path: "/etc/grafana/provisioning"
+    - path: "/etc/grafana/provisioning/datasources"
+    - path: "/etc/grafana/provisioning/dashboards"
+    - path: "/etc/grafana/provisioning/notifiers"
+    - path: "/etc/grafana/provisioning/notification"
+    - path: "/etc/grafana/provisioning/plugins"
+    - path: "/etc/grafana/provisioning/alerting"
+    - path: "{{ grafana_ini.paths.logs }}"
+      owner: grafana
+    - path: "{{ grafana_ini.paths.data }}"
+      owner: grafana
+    - path: "{{ grafana_ini.paths.data }}/dashboards"
+      owner: grafana
+    - path: "{{ grafana_ini.paths.data }}/plugins"
+      owner: grafana
+
+- name: "Create grafana main configuration file"
+  ansible.builtin.template:
+    src: "grafana.ini.j2"
+    dest: "/etc/grafana/grafana.ini"
+    owner: "root"
+    group: "grafana"
+    mode: "0640"
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+  notify: restart_grafana
+
+- name: "Create grafana LDAP configuration file"
+  ansible.builtin.template:
+    src: "ldap.toml.j2"
+    dest: "{{ grafana_ini.auth.ldap.config_file | default('/etc/grafana/ldap.toml') }}"
+    owner: "root"
+    group: "grafana"
+    mode: "0640"
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+  notify: restart_grafana
+  when:
+    - "'ldap' in grafana_ini.auth"
+    - "'enabled' not in grafana_ini.auth.ldap or grafana_ini.auth.ldap.enabled"
+
+- name: "Enable grafana socket"
+  when:
+    - "grafana_ini.server.protocol is defined and grafana_ini.server.protocol == 'socket'"
+    - "grafana_ini.server.socket | dirname != '/var/run'"
+  block:
+    - name: "Create grafana socket directory"
+      ansible.builtin.file:
+        path: "{{ grafana_ini.server.socket | dirname }}"
+        state: "directory"
+        mode: "0775"
+        owner: "grafana"
+        group: "grafana"
+
+    - name: "Ensure grafana socket directory created on startup"
+      ansible.builtin.template:
+        src: "tmpfiles.j2"
+        dest: "/etc/tmpfiles.d/grafana.conf"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+
+- name: "Enable grafana to ports lower than port 1024"
+  community.general.capabilities:
+    path: /usr/sbin/grafana-server
+    capability: CAP_NET_BIND_SERVICE+ep
+    state: present
+  when:
+    - "grafana_ini.server.http_port | int <= 1024"
+    - "grafana_cap_net_bind_service"
+
+- name: Create a directory for overrides.conf unit file if it does not exist
+  ansible.builtin.file:
+    path: /etc/systemd/system/grafana-server.service.d
+    state: directory
+    mode: '0755'
+  when:
+    - "grafana_ini.server.http_port | int <= 1024"
+    - "grafana_cap_net_bind_service"
+
+- name: "Enable grafana to ports lower than port 1024 in systemd unitfile"
+  ansible.builtin.blockinfile:
+    path: /etc/systemd/system/grafana-server.service.d/overrides.conf
+    create: true
+    block: |
+      [Service]
+      AmbientCapabilities=CAP_NET_BIND_SERVICE
+      CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+  when:
+    - "grafana_ini.server.http_port | int <= 1024"
+    - "grafana_cap_net_bind_service"
+
+- name: "Enable and start Grafana systemd unit"
+  ansible.builtin.systemd:
+    name: "grafana-server"
+    enabled: true
+    state: started
+    daemon_reload: true
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/dashboards.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/dashboards.yml
new file mode 100644
index 00000000..a5dcb981
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/dashboards.yml
@@ -0,0 +1,245 @@
+---
+- name: "Create local grafana dashboard directory"
+  become: false
+  delegate_to: localhost
+  run_once: true
+  ansible.builtin.tempfile:
+    state: directory
+  register: __tmp_dashboards
+  changed_when: false
+  check_mode: false
+
+- name: "Download grafana.net dashboards"
+  become: false
+  delegate_to: localhost
+  when:
+    - not ansible_check_mode
+    - "grafana_dashboards | length > 0"
+  block:
+    - name: "Get latest revision id"
+      ansible.builtin.uri:
+        url: "https://grafana.com/api/dashboards/{{ item.dashboard_id }}"
+        method: GET
+        return_content: yes
+      register: __dashboard_info
+      loop: "{{ grafana_dashboards }}"
+      when: item.dashboard_url is not defined
+
+    - name: "Extract revision_id if not defined in grafana_dashboards"
+      ansible.builtin.set_fact:
+        __dashboards_with_revision: >-
+          {{
+            __dashboard_info.results | map(attribute='json.revision')
+              | map('default', 1) | map('community.general.dict_kv', 'revision_id')
+            | zip(grafana_dashboards) | map('combine')
+          }}
+
+    - name: "Download grafana dashboard from grafana.net to local directory"
+      ansible.builtin.get_url:
+        url: "{{ item.dashboard_url if item.dashboard_url is defined else
+          ('https://grafana.com/api/dashboards/' ~ item.dashboard_id ~
+           '/revisions/' ~ item.revision_id | default(1) ~ '/download') }}"
+        dest: "{{ __tmp_dashboards.path }}/{{ item.dashboard_id ~ '.json'
+          if item.dashboard_id is defined else item.dashboard_url | basename}}"
+        mode: "0644"
+      register: __download_dashboards
+      until: "__download_dashboards is succeeded"
+      retries: 5
+      delay: 2
+      changed_when: false
+      loop: "{{ __dashboards_with_revision }}"
+
+    # As noted in [1] an exported dashboard replaces the exporter's datasource
+    # name with a representative name, something like 'DS_GRAPHITE'. The name
+    # is different for each datasource plugin, but always begins with 'DS_'.
+    # In the rest of the data, the same name is used, but captured in braces,
+    # for example: '${DS_GRAPHITE}'.
+    #
+    # [1] http://docs.grafana.org/reference/export_import/#import-sharing-with-grafana-2-x-or-3-0
+    #
+    # The data structure looks (massively abbreviated) something like:
+    #
+    #   "name": "DS_GRAPHITE",
+    #   "datasource": "${DS_GRAPHITE}",
+    #
+    # If we import the downloaded dashboard verbatim, it will not automatically
+    # be connected to the data source like we want it. The Grafana UI expects
+    # us to do the final connection by hand, which we do not want to do.
+    # So, in the below task we ensure that we replace instances of this string
+    # with the data source name we want.
+    # To make sure that we're not being too greedy with the regex replacement
+    # of the data source to use for each dashboard that's uploaded, we make the
+    # regex match very specific by using the following:
+    #
+    # 1. Literal boundaries for " on either side of the match.
+    # 2. Non-capturing optional group matches for the ${} bits which may, or
+    #    or may not, be there..
+    # 3. A case-sensitive literal match for DS .
+    # 4. A one-or-more case-sensitive match for the part that follows the
+    #    underscore, with only A-Z, 0-9 and - or _ allowed.
+    #
+    # This regex can be tested and understood better by looking at the
+    # matches and non-matches in https://regex101.com/r/f4Gkvg/6
+
+    - name: "Set the correct data source name in the dashboard"
+      ansible.builtin.replace:
+        dest: "{{ item.dest }}"
+        regexp: '"(?:\${)?DS_[A-Z0-9_-]+(?:})?"'
+        replace: '"{{ item.item.datasource }}"'
+      changed_when: false
+      loop: "{{ __download_dashboards.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+
+- name: "Import grafana dashboards via api"
+  community.grafana.grafana_dashboard:
+    grafana_url: "{{ grafana_api_url }}"
+    grafana_user: "{{ grafana_ini.security.admin_user }}"
+    grafana_password: "{{ grafana_ini.security.admin_password }}"
+    path: "{{ item }}"
+    commit_message: "Updated by ansible role {{ ansible_role_name }}"
+    state: present
+    overwrite: true
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+  with_fileglob:
+    - "{{ __tmp_dashboards.path }}/*"
+    - "{{ grafana_dashboards_dir }}/*.json"
+  when: "not grafana_use_provisioning"
+
+- name: "Import grafana dashboards through provisioning"
+  when: grafana_use_provisioning
+  block:
+    - name: "Create/Update dashboards file (provisioning)"
+      ansible.builtin.copy:
+        dest: "/etc/grafana/provisioning/dashboards/ansible.yml"
+        content: |
+          apiVersion: 1
+          providers:
+            - name: 'default'
+              orgId: 1
+              folder: ''
+              type: file
+              options:
+                path: "{{ grafana_ini.paths.data }}/dashboards"
+                foldersFromFilesStructure: {{ grafana_provisioning_dashboards_from_file_structure | bool | to_nice_yaml }}
+        backup: false
+        owner: root
+        group: grafana
+        mode: "0640"
+      become: true
+      notify: restart_grafana
+
+    - name: "Register previously copied dashboards"
+      ansible.builtin.find:
+        paths: "{{ grafana_ini.paths.data }}/dashboards"
+        hidden: true
+        recurse: true
+        patterns:
+          - "*.json"
+      register: __dashboards_present
+      when: grafana_provisioning_synced | bool
+
+    - name: "Register previously created folders"
+      ansible.builtin.find:
+        paths: "{{ grafana_ini.paths.data }}/dashboards/"
+        recurse: yes
+        file_type: directory
+      register: __dashboards_dir_present
+      become: true
+      when: grafana_provisioning_synced
+
+    - name: "Import grafana.net dashboards"
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "{{ grafana_ini.paths.data }}/dashboards/{{ item | basename }}"
+        owner: root
+        group: grafana
+        mode: "0644"
+      with_fileglob:
+        - "{{ __tmp_dashboards.path }}/*"
+      become: true
+      register: __dashboards_copied
+      notify: "provisioned dashboards changed"
+      when: not ansible_check_mode
+
+    - name: "Verify if custom grafana dashboards dir exist"
+      ansible.builtin.stat:
+        path: "{{ grafana_dashboards_dir }}"
+      delegate_to: localhost
+      become: false
+      register: __grafana_custom_dashboards_dir
+
+    - name: "Import custom grafana dashboards"
+      when: __grafana_custom_dashboards_dir.stat.exists
+      block:
+        - name: "Find which directories to create"
+          ansible.builtin.find:
+            paths: "{{ grafana_dashboards_dir }}/"
+            recurse: yes
+            file_type: directory
+          register: __dashboards_subdirs
+          delegate_to: localhost
+          become: false
+
+        - name: "Create dashboard folders"
+          ansible.builtin.file:
+            path: "{{ grafana_ini.paths.data }}/dashboards/{{ item }}"
+            state: "directory"
+            recurse: false
+            owner: "grafana"
+            group: "grafana"
+            mode: "0755"
+          loop: "{{ __dashboards_subdirs.files | map(attribute='path') | sort | regex_replace(grafana_dashboards_dir + '/*', '') }}"
+          become: true
+          register: __dashboards_dir_created
+          when: not ansible_check_mode
+          
+        - name: "Copy dashboard files"
+          ansible.builtin.copy:
+            src: "{{ item.path }}"
+            dest: '{{ grafana_ini.paths.data }}/dashboards/{{ item.path | regex_replace(grafana_dashboards_dir + "/*", "") }}'
+            owner: root
+            group: grafana
+            mode: "0644"
+          loop: "{{ __found_dashboards.files | default([]) }}"
+          become: true
+          register: __dashboards_copied_custom
+          notify: "provisioned dashboards changed"
+          when: not ansible_check_mode
+
+    - name: "Register present and copied folders list"
+      ansible.builtin.set_fact:
+        __folders_present_list: "{{ __dashboards_dir_present.files | default([]) | map(attribute='path') | list }}"
+        __folders_copied_list: "{{ __dashboards_dir_created.results | default([]) | map(attribute='path') | list }}"
+      when: not ansible_check_mode
+
+    - name: "Register present and copied dashboards list"
+      ansible.builtin.set_fact:
+        __dashboards_present_list: "{{ __dashboards_present.files | default([]) | map(attribute='path') | list }}"
+        __dashboards_copied_list: "{{
+          (
+            (__dashboards_copied.results | default([]) | map(attribute='dest') | list) +
+            (__dashboards_copied_custom.results | default([]) | map(attribute='dest') | list)
+          ) | list
+        }}"
+      when: not ansible_check_mode
+
+    - name: "Remove dashboards not present on deployer machine (synchronize)"
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop: "{{ __dashboards_present_list | difference(__dashboards_copied_list) }}"
+      become: true
+      when: 
+        - __dashboards_present_list is defined and __dashboards_present_list
+        - __dashboards_copied_list is defined and __dashboards_copied_list
+        - grafana_provisioning_synced | bool
+        - not ansible_check_mode
+
+    - name: "Remove folders not present on deployer machine (synchronize)"
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      loop: "{{ __folders_present_list | difference(__folders_copied_list) }}"
+      become: true
+      when: grafana_provisioning_synced and not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/datasources.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/datasources.yml
new file mode 100644
index 00000000..bcd24572
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/datasources.yml
@@ -0,0 +1,40 @@
+---
+- name: "Ensure datasources exist (via API)"
+  community.grafana.grafana_datasource:
+    grafana_url: "{{ grafana_api_url }}"
+    grafana_user: "{{ grafana_ini.security.admin_user }}"
+    grafana_password: "{{ grafana_ini.security.admin_password }}"
+    name: "{{ item.name }}"
+    ds_url: "{{ item.url }}"
+    ds_type: "{{ item.type }}"
+    access: "{{ item.access | default(omit) }}"
+    is_default: "{{ item.isDefault | default(omit) }}"
+    basic_auth_user: "{{ item.basicAuthUser | default(omit) }}"
+    basic_auth_password: "{{ item.basicAuthPassword | default(omit) }}"
+    database: "{{ item.database | default(omit) }}"
+    user: "{{ item.user | default(omit) }}"
+    password: "{{ item.password | default(omit) }}"
+    aws_auth_type: "{{ item.aws_auth_type | default(omit) }}"
+    aws_default_region: "{{ item.aws_default_region | default(omit) }}"
+    aws_access_key: "{{ item.aws_access_key | default(omit) }}"
+    aws_secret_key: "{{ item.aws_secret_key | default(omit) }}"
+    aws_credentials_profile: "{{ item.aws_credentials_profile | default(omit) }}"
+    aws_custom_metrics_namespaces: "{{ item.aws_custom_metrics_namespaces | default(omit) }}"
+  loop: "{{ grafana_datasources }}"
+  when: "not grafana_use_provisioning"
+
+- name: "Create/Update datasources file (provisioning)"
+  ansible.builtin.copy:
+    dest: "/etc/grafana/provisioning/datasources/ansible.yml"
+    content: |
+      apiVersion: 1
+      deleteDatasources: []
+      datasources:
+      {{ grafana_datasources | to_nice_yaml }}
+    backup: false
+    owner: root
+    group: grafana
+    mode: 0640
+  notify: restart_grafana
+  become: true
+  when: "grafana_use_provisioning"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/install.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/install.yml
new file mode 100644
index 00000000..db642829
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/install.yml
@@ -0,0 +1,133 @@
+---
+- name: "Remove conflicting grafana packages"
+  ansible.builtin.package:
+    name: grafana-data
+    state: absent
+
+- name: "Install dependencies"
+  ansible.builtin.package:
+    name: "{{ _grafana_dependencies }}"
+    state: present
+    update_cache: true
+  when:
+   - _grafana_dependencies is defined
+   - _grafana_dependencies | length > 0
+
+- name: "Prepare zypper"
+  when:
+    - "ansible_facts['pkg_mgr'] == 'zypper'"
+    - "(grafana_manage_repo)"
+  environment: "{{ grafana_environment }}"
+  block:
+    - name: import Grafana RPM Key
+      ansible.builtin.rpm_key:
+        state: present
+        key: "{{ grafana_yum_key }}"
+
+    - name: "Add Grafana zypper repository"
+      community.general.zypper_repository:
+        name: grafana
+        description: grafana
+        repo: "{{ grafana_yum_repo }}"
+        enabled: true
+        disable_gpg_check : "{{ false if (grafana_yum_key) else omit }}"
+        runrefresh: true
+      when: "(not grafana_rhsm_repo)"
+
+- name: "Prepare yum/dnf"
+  when:
+    - "ansible_facts['pkg_mgr'] in ['yum', 'dnf']"
+    - "(grafana_manage_repo)"
+  environment: "{{ grafana_environment }}"
+  block:
+    - name: "Add Grafana yum/dnf repository"
+      ansible.builtin.yum_repository:
+        name: grafana
+        description: grafana
+        baseurl: "{{ grafana_yum_repo }}"
+        enabled: true
+        gpgkey: "{{ grafana_yum_key | default(omit) }}"
+        repo_gpgcheck: "{{ true if (grafana_yum_key) else omit }}"
+        gpgcheck: "{{ true if (grafana_yum_key) else omit }}"
+      when: "(not grafana_rhsm_repo)"
+
+    - name: "Attach RHSM subscription"
+      when: "(grafana_rhsm_subscription)"
+      block:
+        - name: "Check if Grafana RHSM subscription is enabled"
+          ansible.builtin.command:
+            cmd: "subscription-manager list --consumed --matches={{ grafana_rhsm_subscription | quote }} --pool-only"
+          register: __subscription_manager_consumed
+          changed_when: false
+          when: (grafana_rhsm_subscription)
+
+        - name: "Find RHSM repo subscription pool id"
+          ansible.builtin.command:
+            cmd: "subscription-manager list --available --matches={{ grafana_rhsm_subscription | quote }} --pool-only"
+          register: __subscription_manager_available
+          changed_when: false
+          when:
+            - "(grafana_rhsm_subscription)"
+            - "__subscription_manager_consumed.stdout | length <= 0"
+
+        - name: "Attach RHSM subscription"
+          ansible.builtin.command:
+            cmd: "subscription-manager attach --pool={{ __subscription_manager_available.stdout }}"
+          register: __subscription_manager_attach
+          changed_when: "__subscription_manager_attach.stdout is search('Successfully attached a subscription')"
+          failed_when: "__subscription_manager_attach.stdout is search('could not be found')"
+          when:
+            - "(grafana_rhsm_subscription)"
+            - "__subscription_manager_consumed.stdout | default() | length <= 0"
+            - "__subscription_manager_available.stdout | default() | length > 0"
+
+    - name: "Enable RHSM repository"
+      community.general.rhsm_repository:
+        name: "{{ grafana_rhsm_repo }}"
+        state: enabled
+      when: (grafana_rhsm_repo)
+
+- name: "Prepare apt"
+  when:
+    - "ansible_facts['pkg_mgr'] == 'apt'"
+    - "(grafana_manage_repo)"
+  environment: "{{ grafana_environment }}"
+  block:
+    - name: "Use deb822 format?"
+      ansible.builtin.set_fact:
+        __use_deb822: "{{ (ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_major_version'] | int) >= 12) or
+                          (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_major_version'] | int) >= 24) }}"
+    - name: "Import Grafana apt gpg key"
+      ansible.builtin.get_url:
+        url: "{{ grafana_apt_key }}"
+        dest: /usr/share/keyrings/grafana.asc
+        mode: "0644"
+      when: not __use_deb822
+    - name: "Add Grafana apt repository"
+      when: not __use_deb822
+      ansible.builtin.apt_repository:
+        repo: "{{ grafana_apt_repo }}"
+        update_cache: true
+    - name: "Add Grafana apt repository"
+      when: __use_deb822
+      ansible.builtin.deb822_repository:
+        name: "{{ grafana_apt_name }}"
+        types: deb
+        uris: "{{ grafana_apt_repo_uri }}"
+        suites: "{{ grafana_apt_release_channel }}"
+        components:
+          - main
+        architectures:
+          - "{{ grafana_apt_arch }}"
+        signed_by: "{{ grafana_apt_key }}"
+      register: __update_cache
+    - name: "Update apt cache"
+      ansible.builtin.apt:
+        update_cache: true
+      when: __update_cache is defined and __update_cache.changed
+
+- name: "Install Grafana"
+  ansible.builtin.package:
+    name: "{{ grafana_package }}"
+    state: "{{ (grafana_version == 'latest') | ternary('latest', 'present') }}"
+  notify: restart_grafana
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/main.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/main.yml
new file mode 100644
index 00000000..3f8f78bc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/main.yml
@@ -0,0 +1,133 @@
+---
+- name: Inherit default vars
+  ansible.builtin.set_fact:
+    grafana_ini: "{{ grafana_ini_default | ansible.builtin.combine(grafana_ini | default({}), recursive=true) }}"
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
+  tags:
+    - always
+- name: "Gather variables for each operating system"
+  ansible.builtin.include_vars: "{{ distrovars }}"
+  vars:
+    distrovars: "{{ lookup('first_found', params, errors='ignore') }}"
+    params:
+      skip: true
+      files:
+        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
+        - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+        - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+        - "{{ ansible_facts['distribution'] | lower }}.yml"
+        - "{{ ansible_facts['os_family'] | lower }}.yml"
+      paths:
+        - "vars/distro"
+  tags:
+    - grafana_install
+    - grafana_configure
+    - grafana_datasources
+    - grafana_notifications
+    - grafana_dashboards
+
+- name: Preflight
+  ansible.builtin.include_tasks:
+    file: preflight.yml
+    apply:
+      tags:
+        - grafana_install
+        - grafana_configure
+        - grafana_datasources
+        - grafana_notifications
+        - grafana_dashboards
+
+- name: Install
+  ansible.builtin.include_tasks:
+    file: install.yml
+    apply:
+      become: true
+      tags:
+        - grafana_install
+
+- name: Configure
+  ansible.builtin.include_tasks:
+    file: configure.yml
+    apply:
+      become: true
+      tags:
+        - grafana_configure
+
+- name: Plugins
+  ansible.builtin.include_tasks:
+    file: plugins.yml
+    apply:
+      tags:
+        - grafana_configure
+  when: "grafana_plugins != []"
+
+- name: "Restart grafana before configuring datasources and dashboards"
+  ansible.builtin.meta: flush_handlers
+  tags:
+    - grafana_install
+    - grafana_configure
+    - grafana_datasources
+    - grafana_notifications
+    - grafana_dashboards
+    - grafana_run
+
+- name: "Wait for grafana to start"
+  ansible.builtin.wait_for:
+    host: "{{ grafana_ini.server.http_addr if grafana_ini.server.protocol is undefined or grafana_ini.server.protocol in ['http', 'https'] else omit }}"
+    port: "{{ grafana_ini.server.http_port if grafana_ini.server.protocol is undefined or grafana_ini.server.protocol in ['http', 'https'] else omit }}"
+    path: "{{ grafana_ini.server.socket | default() if grafana_ini.server.protocol is defined and grafana_ini.server.protocol == 'socket' else omit }}"
+  tags:
+    - grafana_install
+    - grafana_configure
+    - grafana_datasources
+    - grafana_notifications
+    - grafana_dashboards
+    - grafana_run
+
+- name: "Api keys"
+  ansible.builtin.include_tasks:
+    file: api_keys.yml
+    apply:
+      tags:
+        - grafana_configure
+        - grafana_run
+  when: "grafana_api_keys | length > 0"
+
+- name: Datasources
+  ansible.builtin.include_tasks:
+    file: datasources.yml
+    apply:
+      tags:
+        - grafana_configure
+        - grafana_datasources
+        - grafana_run
+  when: "grafana_datasources != []"
+
+- name: Notifications
+  ansible.builtin.include_tasks:
+    file: notifications.yml
+    apply:
+      tags:
+        - grafana_configure
+        - grafana_notifications
+        - grafana_run
+  when: "grafana_alert_notifications | length > 0 or grafana_alert_resources | length > 0"
+
+- name: Find dashboards to be provisioned
+  ansible.builtin.find:
+    paths: "{{ grafana_dashboards_dir }}"
+    recurse: true
+    patterns: "*.json"
+  delegate_to: localhost
+  become: false
+  register: __found_dashboards
+
+- name: Dashboards
+  ansible.builtin.include_tasks:
+    file: dashboards.yml
+    apply:
+      tags:
+        - grafana_configure
+        - grafana_dashboards
+        - grafana_run
+  when: "grafana_dashboards | length > 0 or __found_dashboards['files'] | length > 0"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/notifications.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/notifications.yml
new file mode 100644
index 00000000..a09c6094
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/notifications.yml
@@ -0,0 +1,28 @@
+---
+# legacy config
+- name: "Create/Delete/Update alert notifications channels (provisioning)"
+  ansible.builtin.copy:
+    content: |
+      apiVersion: 1
+      {{ grafana_alert_notifications | to_nice_yaml }}
+    dest: /etc/grafana/provisioning/notification/ansible.yml
+    owner: root
+    group: grafana
+    mode: "0640"
+  become: true
+  notify: restart_grafana
+  when: grafana_use_provisioning and grafana_alert_notifications | length > 0
+
+# new alert resources
+- name: "Create/Delete/Update alert resources (provisioning)"
+  ansible.builtin.copy:
+    content: |
+      apiVersion: 1
+      {{ grafana_alert_resources | to_nice_yaml }}
+    dest: /etc/grafana/provisioning/alerting/ansible.yml
+    owner: root
+    group: grafana
+    mode: "0640"
+  become: true
+  notify: restart_grafana
+  when: grafana_use_provisioning and grafana_alert_resources | length > 0
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/plugins.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/plugins.yml
new file mode 100644
index 00000000..13117c6a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/plugins.yml
@@ -0,0 +1,20 @@
+---
+- name: "Check which plugins are installed"
+  ansible.builtin.find:
+    file_type: directory
+    recurse: false
+    paths: "{{ grafana_ini.paths.data }}/plugins"
+  register: __installed_plugins
+
+- name: "Install plugins"
+  become: true
+  ansible.builtin.command:
+    cmd: "grafana-cli --pluginsDir {{ grafana_ini.paths.data }}/plugins plugins install {{ item }}"
+    creates: "{{ grafana_ini.paths.data }}/plugins/{{ item }}"
+  loop: "{{ grafana_plugins | difference(__installed_plugins.files) }}"
+  register: __plugin_install
+  until: "__plugin_install is succeeded"
+  retries: 5
+  delay: 2
+  notify:
+    - restart_grafana
diff --git a/ansible_collections/grafana/grafana/roles/grafana/tasks/preflight.yml b/ansible_collections/grafana/grafana/roles/grafana/tasks/preflight.yml
new file mode 100644
index 00000000..74dbc7e2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/tasks/preflight.yml
@@ -0,0 +1,104 @@
+---
+- name: "Check variable types"
+  ansible.builtin.assert:
+    that:
+      - grafana_logs_dir is undefined
+      - grafana_data_dir is undefined
+      - grafana_server is undefined
+      - grafana_database is undefined
+      - grafana_security is undefined
+      - grafana_remote_cache is undefined
+      - grafana_welcome_email_on_sign_up  is undefined
+      - grafana_users is undefined
+      - grafana_auth is undefined
+      - grafana_auth_generic_oauth is undefined
+      - grafana_session is undefined
+      - grafana_analytics is undefined
+      - grafana_smtp is undefined
+      - grafana_alerting is undefined
+      - grafana_unified_alerting is undefined
+      - grafana_log is undefined
+      - grafana_metrics is undefined
+      - grafana_tracing is undefined
+      - grafana_snapshots is undefined
+      - grafana_image_storage is undefined
+      - grafana_date_formats is undefined
+      - grafana_feature_toggles is undefined
+      - grafana_plugins_ops is undefined
+      - grafana_instance is undefined
+      - grafana_address is undefined
+      - grafana_port is undefined
+      - grafana_domain is undefined
+      - grafana_url is undefined
+      - grafana_panels is undefined
+    fail_msg: Check upgrade notes
+
+- name: "Fail when datasources aren't configured when dashboards are set to be installed"
+  ansible.builtin.fail:
+    msg: "You need to specify datasources for dashboards!!!"
+  when: "grafana_dashboards != [] and grafana_datasources == []"
+
+- name: "Fail when grafana admin user isn't set"
+  ansible.builtin.fail:
+    msg: "Please specify grafana admin user (grafana_ini.security.admin_user)"
+  when:
+    - "grafana_ini.security.admin_user == '' or
+        grafana_ini.security.admin_user is not defined"
+
+- name: "Fail when grafana admin password isn't set"
+  ansible.builtin.fail:
+    msg: "Please specify grafana admin password (grafana_ini.security.admin_password)"
+  when:
+    - "grafana_ini.security.admin_password == '' or
+        grafana_ini.security.admin_password is not defined"
+
+- name: "Fail on incorrect variable types in datasource definitions"
+  ansible.builtin.fail:
+    msg: "Boolean variables in grafana_datasources shouldn't be passed as strings. Please remove unneeded apostrophes."
+  when: "( item.isDefault is defined and item.isDefault is string ) or
+          ( item.basicAuth is defined and item.basicAuth is string )"
+  loop: "{{ grafana_datasources }}"
+
+- name: "Fail on bad database configuration"
+  ansible.builtin.fail:
+    msg: "Invalid database configuration. Please look at http://docs.grafana.org/installation/configuration/#database"
+  when: "( grafana_ini.database.type == 'sqlite3' and grafana_ini.database.url is defined ) or
+          ( grafana_ini.database.type != 'sqlite3' and grafana_ini.database.path is defined ) or
+          ( grafana_ini.database.type == 'sqlite3' and grafana_ini.database.host is defined ) or
+          ( grafana_ini.database.type == 'sqlite3' and grafana_ini.database.user is defined ) or
+          ( grafana_ini.database.type == 'sqlite3' and grafana_ini.database.password is defined ) or
+          ( grafana_ini.database.type == 'sqlite3' and grafana_ini.database.server_cert_name is defined )"
+
+- name: "Fail when grafana_api_keys uses invalid role names"
+  ansible.builtin.fail:
+    msg: "Check grafana_api_keys. The role can only be one of the following values: Viewer, Editor or Admin."
+  when: "item.role not in ['Viewer', 'Editor', 'Admin']"
+  loop: "{{ grafana_api_keys }}"
+
+- name: "Fail when grafana_ldap isn't set when grafana_ini.auth.ldap is"
+  ansible.builtin.fail:
+    msg: "You need to configure grafana_ldap.servers and grafana_ldap.group_mappings when grafana_ini.auth.ldap is set"
+  when:
+    - "'ldap' in grafana_ini.auth"
+    - "grafana_ldap is not defined or ('servers' not in grafana_ldap or 'group_mappings' not in grafana_ldap)"
+
+- name: "Force grafana_use_provisioning to false if grafana_version is < 5.0 ( grafana_version is set to '{{ grafana_version }}' )"
+  ansible.builtin.set_fact:
+    grafana_use_provisioning: false
+  when:
+    - "grafana_version != 'latest'"
+    - "grafana_version is version_compare('5.0', '<')"
+
+- name: "Fail if grafana_ini.server.http_port is lower than 1024 and grafana_cap_net_bind_service is not true"
+  ansible.builtin.fail:
+    msg: "Trying to use a port lower than 1024 without setting grafana_cap_net_bind_service."
+  when:
+    - "grafana_ini.server.http_port | int <= 1024"
+    - "not grafana_cap_net_bind_service"
+
+- name: "Fail if grafana_ini.server.socket not defined when in socket mode"
+  ansible.builtin.fail:
+    msg: "You need to configure grafana_ini.server.socket when grafana_ini.server.protocol is set to 'socket'"
+  when:
+    - "grafana_ini.server.protocol is defined and grafana_ini.server.protocol == 'socket'"
+    - "grafana_ini.server.socket is undefined or grafana_ini.server.socket == ''"
diff --git a/ansible_collections/grafana/grafana/roles/grafana/templates/grafana.ini.j2 b/ansible_collections/grafana/grafana/roles/grafana/templates/grafana.ini.j2
new file mode 100644
index 00000000..8ed33dd7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/templates/grafana.ini.j2
@@ -0,0 +1,28 @@
+{{ ansible_managed | comment }}
+# More informations:
+# http://docs.grafana.org/installation/configuration
+# https://github.com/grafana/grafana/blob/master/conf/sample.ini
+
+{% for k, v in grafana_ini.items() %}
+{% if v is not mapping %}
+{{ k }} = {{ v }}
+{% endif %}
+{% endfor %}
+
+{% for section, items in grafana_ini.items() %}
+{% if items is mapping %}
+[{{ section }}]
+{% for sub_key, sub_value in items.items() %}
+{% if sub_value is mapping %}
+
+[{{ section }}.{{ sub_key }}]
+{% for k, v in sub_value.items() %}
+{{ k }} = {{ v }}
+{% endfor %}
+{% else %}
+{{ sub_key }} = {{ sub_value }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
diff --git a/ansible_collections/grafana/grafana/roles/grafana/templates/ldap.toml.j2 b/ansible_collections/grafana/grafana/roles/grafana/templates/ldap.toml.j2
new file mode 100644
index 00000000..b28e0029
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/templates/ldap.toml.j2
@@ -0,0 +1,39 @@
+{{ ansible_managed | comment }}
+# Documentation: http://docs.grafana.org/installation/ldap/
+{% if 'verbose_logging' in grafana_ldap %}
+verbose_logging = {{ 'true' if grafana_ldap.verbose_logging else 'false' }}
+{% endif %}
+
+[[servers]]
+{% for k,v in grafana_ldap.servers.items() if k != 'attributes' %}
+{%   if k == 'port' %}
+{{ k }} = {{ v | int }}
+{%   elif v in [True, False] %}
+{{ k }} = {{ 'true' if v else 'false' }}
+{%   else %}
+{{ k }} = {{ v | to_nice_json }}
+{%   endif %}
+{% endfor %}
+
+[servers.attributes]
+{% for k,v in grafana_ldap.servers.attributes.items() %}
+{{ k }} = {{ v | to_nice_json }}
+{% endfor %}
+
+{% for org in grafana_ldap.group_mappings %}
+{%   if 'name' in org %}
+# {{ org.name }}
+{%   endif %}
+{%   for group in org.groups %}
+[[servers.group_mappings]]
+org_id = {{ org.id }}
+{%     for k,v in group.items() %}
+{%   if v in [True, False] %}
+{{ k }} = {{ 'true' if v else 'false' }}
+{%   else %}
+{{ k }} = "{{ v }}"
+{%   endif %}
+{%     endfor %}
+
+{%   endfor %}
+{% endfor %}
diff --git a/ansible_collections/grafana/grafana/roles/grafana/templates/tmpfiles.j2 b/ansible_collections/grafana/grafana/roles/grafana/templates/tmpfiles.j2
new file mode 100644
index 00000000..fbf23f5d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/templates/tmpfiles.j2
@@ -0,0 +1,2 @@
+{{ ansible_managed | comment }}
+d {{ grafana_ini.server.socket | dirname }} 0775 grafana grafana
diff --git a/ansible_collections/grafana/grafana/roles/grafana/test-requirements.txt b/ansible_collections/grafana/grafana/roles/grafana/test-requirements.txt
new file mode 100644
index 00000000..af58c110
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/test-requirements.txt
@@ -0,0 +1,6 @@
+molecule
+docker
+pytest-testinfra
+jmespath
+selinux
+passlib
diff --git a/ansible_collections/grafana/grafana/roles/grafana/vars/distro/debian.yml b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/debian.yml
new file mode 100644
index 00000000..7401c933
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/debian.yml
@@ -0,0 +1,8 @@
+---
+grafana_package: "grafana{% if ansible_facts['architecture'] == 'armv6l' %}-rpi{% endif %}{{ (grafana_version != 'latest') | ternary('=' ~ grafana_version, '') }}"
+_grafana_dependencies:
+  - apt-transport-https
+  - adduser
+  - ca-certificates
+  - libfontconfig
+  - gnupg2
diff --git a/ansible_collections/grafana/grafana/roles/grafana/vars/distro/redhat.yml b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/redhat.yml
new file mode 100644
index 00000000..0721829d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/redhat.yml
@@ -0,0 +1,5 @@
+---
+grafana_package: "grafana{{ (grafana_version != 'latest') | ternary('-' ~ grafana_version, '') }}"
+# https://unix.stackexchange.com/questions/534463/cant-enable-grafana-on-boot-in-fedora-because-systemd-sysv-install-missing
+_grafana_dependencies:
+  - chkconfig
diff --git a/ansible_collections/grafana/grafana/roles/grafana/vars/distro/suse.yml b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/suse.yml
new file mode 100644
index 00000000..56486dfe
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana/vars/distro/suse.yml
@@ -0,0 +1,6 @@
+---
+grafana_package: "grafana{{ (grafana_version != 'latest') | ternary('-' ~ grafana_version, '') }}"
+# https://unix.stackexchange.com/questions/534463/cant-enable-grafana-on-boot-in-fedora-because-systemd-sysv-install-missing
+# applies to SuSe too
+_grafana_dependencies:
+  - insserv-compat
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/README.md b/ansible_collections/grafana/grafana/roles/grafana_agent/README.md
new file mode 100644
index 00000000..5301aa58
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/README.md
@@ -0,0 +1,72 @@
+|![](https://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Warning.svg/156px-Warning.svg.png) | This Ansible role is now in maintenance mode only. We recommend using the Grafana Alloy Role for future deployments and updates.
+|---|---|
+
+# Ansible Role for Grafana Agent
+
+Ansible Role to deploy Grafana Agent on Linux hosts. Using this Role, Grafana Agent can be deployed on RedHat, Ubuntu, Debian, CentOS
+and Fedora linux distributions.
+
+## Requirements
+
+Please ensure that `curl` is intalled on Ansible controller.
+
+To use this role, You need a YAML file having the Grafana Agent configuration.
+
+## Role Variables
+
+All variables which can be overridden are stored in [./defaults/main.yaml](./defaults/main.yaml) file as well as in table below.
+
+| Variable | Default | Description |
+| :------ | :------ | :--------- |
+| `grafana_agent_version` | `latest` | version of the agent to install |
+| `grafana_agent_base_download_url` | `https://github.com/{{ _grafana_agent_github_org }}/{{ _grafana_agent_github_repo }}/releases/download` | base download url. Github or mirror to download from |
+| `grafana_agent_install_dir` | `/opt/grafana-agent/bin` | directory to install the binary to |
+| `grafana_agent_binary` | `grafana-agent` | name to use for the binary |
+| `grafana_agent_config_dir` | `/etc/grafana-agent` | directory to store the configuration files in |
+| `grafana_agent_config_filename` | `config.yaml` | name of the configuration file for the agent |
+| `grafana_agent_env_file` | `service.env` | name of the environment file loaded by the system unit file |
+| `grafana_agent_service_extra` | "" | dictionary of additional custom settings for the systemd service file |
+| `grafana_agent_local_tmp_dir` | `/tmp/grafana-agent` | temporary directory to create on the controller/localhost where the archive will be downloaded to |
+| `grafana_agent_data_dir` | `/var/lib/grafana-agent` | the data directory to create for the wal and positions |
+| `grafana_agent_wal_dir` | `"{{ grafana_agent_data_dir }}/data"` | wal directory to use, should be a sub-folder of grafana_agent_data_dir, will automatically be created when the agent starts |
+| `grafana_agent_positions_dir` | `"{{ grafana_agent_data_dir }}/data"` | positions directory to use, should be a sub-folder of grafana_agent_data_dir, will automatically be created when the agent starts |
+| `grafana_agent_mode` | `static` | mode to run Grafana Agent in. Can be "flow" or "static", [Flow Docs](https://grafana.com/docs/agent/latest/flow/) |
+| `grafana_agent_user` | `grafana-agent` | os user to create for the agent to run as |
+| `grafana_agent_user_group` | `grafana-agent` | os user group to create for the agent |
+| `grafana_agent_user_groups` | `[]` | Configurable user groups that the Grafana agent can be put in so that it can access logs |
+| `grafana_agent_user_shell` | `/usr/sbin/nologin` | the shell for the user |
+| `grafana_agent_user_createhome` | `false` | whether or not to create a home directory for the user |
+| `grafana_agent_local_binary_file` | `""` | full path to the local binary if already downloaded or built on the controller, this should only be set, if ansible is not downloading the binary and you have manually downloaded the binary |
+| `grafana_agent_flags_extra` | see [./defaults/main.yaml](./defaults/main.yaml) | dictionary of additional command-line flags, run grafana-agent --help for a complete list. [Docs](https://grafana.com/docs/agent/latest/configuration/flags/) |
+| `grafana_agent_env_vars` | `{}` | sets Environment variables in the systemd service configuration. |
+| `grafana_agent_env_file_vars` | `{}` | dictionary of key/pair values to write to the environment file that is loaded by the service, with the flag `--config.expand-env=true` any generated config files will support the expansion of environment variables at runtime by referencing ${ENVVAR}. be aware of boolean values, when output they will result in the proper-cased string "True" and "False" |
+| `grafana_agent_provisioned_config_file` | `""` | path to a config file on the controller that will be used instead of the provided configs below if specified. |
+| `grafana_agent_server_config` | see [./defaults/main.yaml](./defaults/main.yaml) | Configures the server of the Agent used to enable self-scraping, [Docs](https://grafana.com/docs/agent/latest/configuration/server-config/) |
+| `grafana_agent_metrics_config` | see [./defaults/main.yaml](./defaults/main.yaml) | Configures metric collection, [Docs](https://grafana.com/docs/agent/latest/configuration/metrics-config/) |
+| `grafana_agent_logs_config` | see [./defaults/main.yaml](./defaults/main.yaml) | Configures logs collection, [Docs](https://grafana.com/docs/agent/latest/configuration/logs-config/) |
+| `grafana_agent_traces_config` | see [./defaults/main.yaml](./defaults/main.yaml) | Configures traces collection, [Docs](https://grafana.com/docs/agent/latest/configuration/traces-config/) |
+| `grafana_agent_integrations_config` | see [./defaults/main.yaml](./defaults/main.yaml) | Configures integrations for the agent, [Docs](https://grafana.com/docs/agent/latest/configuration/integrations/) |
+
+## OS Support
+The Grafana Agent role has been tested on below Operating Systems
+- Ubuntu 22.10, Ubunutu 22.04 LTS, Ubunutu 20.04 LTS, Ubunutu 18.04 LTS
+- Fedora 37, Fedora 36
+- Debian 11, Debian 10, Debian 9
+- CentOS 9 Stream, CentOS 8 Stream, CentOS 7
+- AlmaLinux 9, AlmaLinux 8
+- RockyLinux 9, RockyLinux 8
+
+## Example Playbooks
+
+See [examples](../../examples)
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
+
+## Author Information
+
+-   [Grafana Labs](https://github.com/grafana)
+-   [Ishan Jain](https://github.com/ishanjainn)
+-   [Aaron Benton](https://github.com/bentonam)
+-   [Vitaly Zhuravlev](https://github.com/v-zhuravlev)
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/defaults/main.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/defaults/main.yaml
new file mode 100644
index 00000000..31acc5bc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/defaults/main.yaml
@@ -0,0 +1,196 @@
+---
+# version of the agent to install
+grafana_agent_version: latest
+
+# base download url. Github or mirror to download from
+grafana_agent_base_download_url: "https://github.com/{{ _grafana_agent_github_org }}/{{ _grafana_agent_github_repo }}/releases/download"
+
+# directory to install the binary to
+grafana_agent_install_dir: /opt/grafana-agent/bin
+
+# name to use for the binary
+grafana_agent_binary: grafana-agent
+
+# directory to store the configuration files in
+grafana_agent_config_dir: /etc/grafana-agent
+
+# name of the configuration file for the agent
+grafana_agent_config_filename: config.yaml
+
+# name of the environment file loaded by the system unit file
+grafana_agent_env_file: service.env
+
+# dictionary of additional custom settings for the systemd service file
+grafana_agent_service_extra: {}
+
+# temporary directory to create on the controller/localhost where the archive will be downloaded to
+grafana_agent_local_tmp_dir: /tmp/grafana-agent
+
+# data directory to create for the wal and positions
+grafana_agent_data_dir: /var/lib/grafana-agent
+
+# wal directory to use, should be a sub-folder of grafana_agent_data_dir, will automatically be created when the agent starts
+grafana_agent_wal_dir: "{{ grafana_agent_data_dir }}/wal"
+
+# positions directory to use, should be a sub-folder of grafana_agent_data_dir, will automatically be created when the agent starts
+grafana_agent_positions_dir: "{{ grafana_agent_data_dir }}/positions"
+
+# mode to run Grafana Agent in. Can be "flow" or "static".
+# Docs: https://grafana.com/docs/agent/latest/flow/
+grafana_agent_mode: static
+
+# os user to create for the agent to run as
+grafana_agent_user: grafana-agent
+
+# os user group to create for the agent
+grafana_agent_user_group: grafana-agent
+
+# Configurable user groups that the grafana agent can be put in so that it can access logs
+# (See https://github.com/grafana/grafana-ansible-collection/issues/40)
+grafana_agent_user_groups: []
+
+# the shell for the user
+grafana_agent_user_shell: /usr/sbin/nologin
+
+# whether or not to create a home directory for the user
+grafana_agent_user_createhome: false
+
+# full path to the local binary if already downloaded or built on the controller
+# this should only be set, if ansible is not downloading the binary and you have
+# manually downloaded the binary
+grafana_agent_local_binary_file: ""
+
+# dictionary of additional command-line flags, run grafana-agent --help for a complete list
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/flags/
+grafana_agent_flags_extra:
+  config.expand-env: 'true'
+  config.enable-read-api: 'false'
+  server.register-instrumentation: 'true'
+  server.http.address: 127.0.0.1:12345
+  server.grpc.address: 127.0.0.1:12346
+
+# sets Environment variables in the systemd service configuration.
+grafana_agent_env_vars: {}
+
+# dictionary of key/pair values to write to the environment file that is loaded by the service, with the flag --config.expand-env=true
+# any generated config files will support the expansion of environment variables at runtime by referencing ${ENVVAR}.
+# be aware of boolean values, when output they will result in the proper-cased string "True" and "False"
+grafana_agent_env_file_vars: {}
+
+# path to a config file on the controller that will be used instead of the provided configs below if specified.
+grafana_agent_provisioned_config_file: ""
+
+#################################################################################################
+#              Configures the server of the Agent used to enable self-scraping                  #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/server-config/
+# the entire dictionary value for this object is copied to the server: block in the config file
+grafana_agent_server_config:
+  # Log only messages with the given severity or above. Supported values [debug,
+  # info, warn, error]. This level affects logging for all Agent-level logs, not
+  # just the HTTP and gRPC server.
+  #
+  # Note that some integrations use their own loggers which ignore this
+  # setting.
+  log_level: info
+
+#################################################################################################
+#                             Configures metric collection                                      #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/metrics-config/
+# the entire dictionary value for this object is copied to the metrics: block in the config file
+grafana_agent_metrics_config:
+  # Configure values for all Prometheus instances
+  # Docs: https://grafana.com/docs/agent/latest/static/configuration/metrics-config/#global_config
+  global:
+    # How frequently should Prometheus instances scrape.
+    scrape_interval: 1m
+
+    # How long to wait before timing out a scrape from a target.
+    scrape_timeout: 10s
+
+    # A dictionary of key/pair static labels to add for all metrics.
+    external_labels: {}
+
+    # Default set of remote_write endpoints. If an instance doesn't define any
+    # remote_writes, it will use this list.
+    # Docs: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write
+    remote_write: []
+
+  # The list of Prometheus instances to launch with the agent.
+  # Docs: https://grafana.com/docs/agent/latest/static/configuration/metrics-config/#metrics_instance_config
+  configs: []
+  #  - name: name-of-scrape-job
+  #    # Docs: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
+  #    scrape_configs: []
+  #    # Optional list of remote_write targets, if not specified metrics.global.remote_write is used
+  #    # Docs: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write
+  #    remote_write: []
+
+  # Configure the directory used by instances to store their WAL.
+  #
+  # The Grafana Agent assumes that all folders within wal_directory are managed by
+  # the agent itself.
+  wal_directory: "{{ grafana_agent_wal_dir }}"
+  # Configures how long ago an abandoned (not associated with an instance) WAL
+  # may be written to before being eligible to be deleted
+  wal_cleanup_age: 12h
+  # Configures how often checks for abandoned WALs to be deleted are performed.
+  # A value of 0 disables periodic cleanup of abandoned WALs
+  wal_cleanup_period: 30m
+
+#################################################################################################
+#                              Configures logs collection                                       #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/logs-config/
+# the entire dictionary value for this object is copied to the logs: block in the config file
+grafana_agent_logs_config:
+  # Directory to store Loki Promtail positions files in. Positions files are
+  # required to read logs, and are used to store the last read offset of log
+  # sources. The positions files will be stored in
+  # <positions_directory>/<logs_instance_config.name>.yml.
+  #
+  # Optional only if every config has a positions.filename manually provided.
+  #
+  # This directory will be automatically created if it doesn't exist.
+  positions_directory: "{{ grafana_agent_positions_dir }}"
+  # Configure values for all Loki Promtail instances.
+  global:
+    # Docs: https://grafana.com/docs/agent/latest/static/configuration/logs-config/#logs_instance_config
+    clients: []
+
+#################################################################################################
+#                             Configures traces collection                                      #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/traces-config/
+# the entire dictionary value for this object is copied to the traces: block in the config file
+grafana_agent_traces_config:
+  # Docs: https://grafana.com/docs/agent/latest/static/configuration/traces-config/#traces_instance_config
+  configs: []
+
+#################################################################################################
+#                          Configures integrations for the agent                                #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/static/configuration/integrations/
+# the entire dictionary value for this object is copied to the integrations: block in the config file
+grafana_agent_integrations_config:
+  # Automatically collect metrics from enabled integrations. If disabled,
+  # integrations will be run but not scraped and thus not remote_written. Metrics
+  # for integrations will be exposed at /integrations/<integration_key>/metrics
+  # and can be scraped by an external process.
+  scrape_integrations: true
+  # Controls the Agent integration
+  agent:
+    # Enables the Agent integration, allowing the Agent to automatically
+    # collect and send metrics about itself.
+    enabled: true
+    # Allows for relabeling labels on the target.
+    relabel_configs: []
+    # Relabel metrics coming from the integration, allowing to drop series
+    # from the integration that you don't care about.
+    metric_relabel_configs: []
+
+  # Controls the node_exporter integration
+  # Docs: https://grafana.com/docs/agent/latest/static/configuration/integrations/node-exporter-config/
+  node_exporter:
+    enabled: true
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/handlers/main.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/handlers/main.yaml
new file mode 100644
index 00000000..b5b01aab
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/handlers/main.yaml
@@ -0,0 +1,12 @@
+---
+- name: Restart Grafana Agent
+  become: true
+  ansible.builtin.systemd:
+    name: grafana-agent
+    state: restarted
+    daemon_reload: true
+  listen: "restart grafana-agent"
+
+- name: Check Grafana Agent is started properly
+  ansible.builtin.include_tasks: ga-started.yaml
+  listen: "restart grafana-agent"
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/meta/main.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/meta/main.yaml
new file mode 100644
index 00000000..7ef93089
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/meta/main.yaml
@@ -0,0 +1,25 @@
+---
+dependencies: []
+
+galaxy_info:
+  role_name: grafana_agent
+  author: Ishan Jain
+  description: Ansible Role to deploy Grafana Agent on Linux hosts.
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.11"
+  platforms:
+    - name: Fedora
+      versions:
+        - "all"
+    - name: Debian
+      versions:
+        - "all"
+    - name: Ubuntu
+      versions:
+        - "all"
+    - name: EL
+      versions:
+        - "all"
+  galaxy_tags:
+    - grafana
+    - observability
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/configure.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/configure.yaml
new file mode 100644
index 00000000..5f4db485
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/configure.yaml
@@ -0,0 +1,56 @@
+---
+# these tasks are ran in both install and configure, as directories could have changed
+- name: Configure directories
+  ansible.builtin.import_tasks: install/directories.yaml
+
+- name: Create a symbolic link
+  ansible.builtin.file:
+    src: "{{ grafana_agent_install_dir }}/{{ grafana_agent_binary }}"
+    dest: "/usr/local/bin/{{ grafana_agent_binary }}"
+    owner: root
+    group: root
+    state: link
+
+- name: Overwrite/Create Grafana Agent service
+  ansible.builtin.template:
+    src: grafana-agent.service.j2
+    dest: "{{ _grafana_agent_systemd_dir }}/{{ _grafana_agent_systemd_unit }}"
+    owner: root
+    group: root
+    mode: 0644
+  notify: "restart grafana-agent"
+
+- name: Create the Service Environment file
+  ansible.builtin.template:
+    src: EnvironmentFile.j2
+    dest: "{{ grafana_agent_config_dir }}/{{ grafana_agent_env_file }}"
+    owner: root
+    group: "{{ grafana_agent_user_group }}"
+    mode: 0640
+  notify: "restart grafana-agent"
+
+- name: Create Grafana Agent config
+  ansible.builtin.template:
+    src: config.yaml.j2
+    dest: "{{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }}"
+    force: true
+    owner: root
+    group: "{{ grafana_agent_user_group }}"
+    mode: 0640
+  notify: "restart grafana-agent"
+  when: grafana_agent_provisioned_config_file | length == 0
+
+- name: Create Grafana Agent River Config if flow mode for Grafana Agent
+  ansible.builtin.shell: "AGENT_MODE=flow {{ grafana_agent_install_dir }}/grafana-agent convert -f static {{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }} -o {{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }}"
+  notify: "restart grafana-agent"
+  when: grafana_agent_provisioned_config_file | length == 0
+
+- name: Copy Grafana Agent config
+  ansible.builtin.copy:
+    src: "{{ grafana_agent_provisioned_config_file }}"
+    dest: "{{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }}"
+    owner: root
+    group: "{{ grafana_agent_user_group }}"
+    mode: 0640
+  notify: "restart grafana-agent"
+  when: grafana_agent_provisioned_config_file | length > 0
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/ga-started.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/ga-started.yaml
new file mode 100644
index 00000000..cf66893d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/ga-started.yaml
@@ -0,0 +1,29 @@
+---
+- name:  Health check Grafana Agent
+  ansible.builtin.uri:
+    url: "{{ _grafana_agent_healthcheck_endpoint }}"
+    follow_redirects: none
+    method: GET
+  register: _result
+  failed_when: false
+  until: _result.status == 200
+  retries: 3
+  delay: 5
+  changed_when: false
+  when: not ansible_check_mode
+
+- name: Check system logs if Grafana Agent is not started
+  when: not ansible_check_mode and _result.status != 200
+  block:
+  - name: Run journalctl
+    ansible.builtin.shell:
+      cmd: "journalctl -u grafana-agent -b -n20 --no-pager"
+    register: journal_ret
+    changed_when: false
+  - name: Output Grafana agent logs
+    ansible.builtin.debug:
+      var: journal_ret.stdout_lines
+  - name: Rise alerts
+    ansible.builtin.assert:
+      that: false
+      fail_msg: "Service grafana-agent hasn't started."
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install.yaml
new file mode 100644
index 00000000..ff101eb7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install.yaml
@@ -0,0 +1,19 @@
+---
+# user and group creation
+- name: Configure user groups
+  ansible.builtin.import_tasks: install/user-group.yaml
+
+# directory creation
+- name: Configure directories
+  ansible.builtin.import_tasks: install/directories.yaml
+
+# download and install agent
+- name: Download and install Grafana Agent
+  ansible.builtin.import_tasks: install/download-install.yaml
+  when: (grafana_agent_local_binary_file is not defined) or (grafana_agent_local_binary_file | length == 0)
+
+# local install of agent
+- name: Local install of Grafana Agent
+  ansible.builtin.import_tasks:
+    file: install/local-install.yaml
+  when: __grafana_agent_local_install
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/directories.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/directories.yaml
new file mode 100644
index 00000000..13f3851a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/directories.yaml
@@ -0,0 +1,26 @@
+---
+- name: Create install directories
+  block:
+    - name: Create Grafana Agent install directory
+      ansible.builtin.file:
+        path: "{{ grafana_agent_install_dir }}"
+        state: directory
+        owner: root
+        group: "{{ grafana_agent_user_group }}"
+        mode: 0770
+
+    - name: Create Grafana Agent conf directory
+      ansible.builtin.file:
+        path: "{{ grafana_agent_config_dir }}"
+        state: directory
+        owner: root
+        group: "{{ grafana_agent_user_group }}"
+        mode: 0770
+
+    - name: Create Grafana Agent data directory
+      ansible.builtin.file:
+        path: "{{ grafana_agent_data_dir }}"
+        state: directory
+        owner: root
+        group: "{{ grafana_agent_user_group }}"
+        mode: 0775
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/download-install.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/download-install.yaml
new file mode 100644
index 00000000..6cb1c96b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/download-install.yaml
@@ -0,0 +1,48 @@
+---
+- name: Download Grafana Agent binary to controller (localhost)
+  block:
+    - name: Create Grafana Agent temp directory
+      become: false
+      ansible.builtin.file:
+        path: "{{ grafana_agent_local_tmp_dir }}"
+        state: directory
+        mode: 0751
+      delegate_to: localhost
+      check_mode: false
+      run_once: true
+
+    - name: Download Grafana Agent archive to local folder
+      become: false
+      ansible.builtin.get_url:
+        url: "{{ _grafana_agent_download_url }}"
+        dest: "{{ grafana_agent_local_tmp_dir }}/grafana-agent_{{ _grafana_agent_cpu_arch }}_{{ grafana_agent_version }}.zip"
+        mode: 0664
+      register: _download_archive
+      until: _download_archive is succeeded
+      retries: 5
+      delay: 2
+      delegate_to: localhost
+      check_mode: false
+      run_once: true
+
+    - name: Extract grafana-agent.zip
+      become: false
+      ansible.builtin.unarchive:
+        src: "{{ grafana_agent_local_tmp_dir }}/grafana-agent_{{ _grafana_agent_cpu_arch }}_{{ grafana_agent_version }}.zip"
+        dest: "{{ grafana_agent_local_tmp_dir }}"
+        remote_src: false
+      delegate_to: localhost
+      run_once: true
+
+    - name: Set local path
+      ansible.builtin.set_fact:
+        __grafana_agent_local_binary_file: "{{ grafana_agent_local_tmp_dir }}/{{ grafana_agent_binary }}"
+
+    - name: Propagate downloaded binary
+      ansible.builtin.copy:
+        src: "{{ grafana_agent_local_tmp_dir }}/{{ _grafana_agent_download_binary_file }}"
+        dest: "{{ grafana_agent_install_dir }}/{{ grafana_agent_binary }}"
+        mode: 0755
+        owner: root
+        group: root
+      when: not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/local-install.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/local-install.yaml
new file mode 100644
index 00000000..a2859bb4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/local-install.yaml
@@ -0,0 +1,10 @@
+---
+- name: Install from local
+  block:
+    - name: "Propagate local binary {{ grafana_agent_local_binary_file }}"
+      ansible.builtin.copy:
+        src: "{{ grafana_agent_local_binary_file }}"
+        dest: "{{ grafana_agent_install_dir }}/{{ grafana_agent_binary }}"
+        mode: 0755
+        owner: root
+        group: root
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/user-group.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/user-group.yaml
new file mode 100644
index 00000000..7b6ba7a0
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/install/user-group.yaml
@@ -0,0 +1,38 @@
+---
+- name: Grafana Agent group creation
+  block:
+    - name: "Check if the group exists ({{ grafana_agent_user_group }})"
+      ansible.builtin.getent:
+        database: group
+        key: "{{ grafana_agent_user_group }}"
+        fail_key: false
+
+    - name: Set whether not the user group exists
+      ansible.builtin.set_fact:
+        __grafana_agent_user_group_exists: "{{ ansible_facts.getent_group[grafana_agent_user_group] is not none }}"
+
+    - name: Add user group "{{ grafana_agent_user_group }}"
+      ansible.builtin.group:
+        name: "{{ grafana_agent_user_group }}"
+        system: true
+        state: present
+      when: not __grafana_agent_user_group_exists and grafana_agent_user_group != 'root'
+
+    - name: Grafana Agent user group exists
+      ansible.builtin.debug:
+        msg: |-
+          The user group \"{{ grafana_agent_user_group }}\" already exists and will not be modified,
+          if modifying permissions please perform a separate task
+      when: __grafana_agent_user_group_exists
+
+- name: Grafana Agent user creation
+  block:
+    - name: Add user "{{ grafana_agent_user }}"
+      ansible.builtin.user:
+        name: "{{ grafana_agent_user }}"
+        comment: "Grafana Agent account"
+        groups: "{{ [ grafana_agent_user_group ] + grafana_agent_user_groups }}"
+        system: true
+        shell: "{{ grafana_agent_user_shell }}"
+        createhome: "{{ grafana_agent_user_createhome }}"
+      when: grafana_agent_user != 'root'
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/main.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/main.yaml
new file mode 100644
index 00000000..7677b0a6
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/main.yaml
@@ -0,0 +1,48 @@
+---
+- name: Preflight tasks
+  ansible.builtin.include_tasks:
+    file: preflight.yaml
+    apply:
+      become: true
+      tags:
+        - grafana_agent_install
+        - grafana_agent_configure
+        - grafana_agent_run
+  tags:
+    - grafana_agent_install
+    - grafana_agent_configure
+    - grafana_agent_run
+
+- name: Install tasks
+  ansible.builtin.include_tasks:
+    file: install.yaml
+    apply:
+      become: true
+      tags:
+        - grafana_agent_install
+  tags:
+    - grafana_agent_install
+
+- name: Configuration tasks
+  ansible.builtin.include_tasks:
+    file: configure.yaml
+    apply:
+      become: true
+      tags:
+        - grafana_agent_configure
+  tags:
+    - grafana_agent_configure
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure Grafana Agent is started and enabled on boot
+  become: true
+  ansible.builtin.systemd:
+    name: grafana-agent
+    enabled: true
+    state: started
+  tags:
+    - grafana_agent_install
+    - grafana_agent_configure
+    - grafana_agent_run
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight.yaml
new file mode 100644
index 00000000..09b86d6b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight.yaml
@@ -0,0 +1,12 @@
+---
+- name: Preflight variable checks
+  ansible.builtin.import_tasks: preflight/vars.yaml
+
+- name: Systemd variable checks
+  ansible.builtin.import_tasks: preflight/systemd.yaml
+
+- name: Install variable checks
+  ansible.builtin.import_tasks: preflight/install.yaml
+
+- name: Download variable checks
+  ansible.builtin.import_tasks: preflight/download.yaml
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/download.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/download.yaml
new file mode 100644
index 00000000..d885c9b6
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/download.yaml
@@ -0,0 +1,36 @@
+---
+- name: Get Grafana Agent version from Github
+  when: grafana_agent_version == 'latest' and not __grafana_agent_local_install
+  block:
+    - name: Get the latest published Grafana Agent     # noqa command-instead-of-module
+      ansible.builtin.shell: |
+        curl -s https://api.github.com/repos/{{ _grafana_agent_github_org }}/{{ _grafana_agent_github_repo }}/releases/latest \
+          | grep -m 1 tag_name \
+          | cut -d '"' -f 4 | cut -c 2-
+      changed_when: false
+      run_once: true
+      delegate_to: localhost
+      become: false
+      register: _grafana_agent_version_request
+
+    - name: Fail if cannot get Grafana Agent Version
+      ansible.builtin.fail:
+        msg: Issue getting the Grafana Agent Version
+      when: _grafana_agent_version_request == ""
+
+    - name: Set the Grafana Agent version
+      ansible.builtin.set_fact:
+        grafana_agent_version: "{{ _grafana_agent_version_request.stdout }}"
+
+    - name: Grafana Agent version to download
+      ansible.builtin.debug:
+        var: grafana_agent_version
+
+- name: Set the Grafana Agent download URL
+  ansible.builtin.set_fact:
+    _grafana_agent_download_url: |-
+      {{ grafana_agent_base_download_url }}/v{{ grafana_agent_version }}/{{ _grafana_agent_download_archive_file }}
+
+- name: Grafana Agent download URL
+  ansible.builtin.debug:
+    var: _grafana_agent_download_url
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/install.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/install.yaml
new file mode 100644
index 00000000..833ececc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/install.yaml
@@ -0,0 +1,72 @@
+---
+- name: Default to non-local install
+  ansible.builtin.set_fact:
+    __grafana_agent_local_install: false
+
+- name: Fail when grafana_agent_local_binary_file is defined but the file doesn't exist
+  when: grafana_agent_local_binary_file is defined and grafana_agent_local_binary_file | length > 0
+  block:
+    - name: Check if grafana_agent_local_binary_file exists
+      ansible.builtin.stat:
+        path: "{{ grafana_agent_local_binary_file }}"
+      register: __grafana_agent_local_binary_check
+      become: false
+      delegate_to: localhost
+      check_mode: false
+
+    - name: Fail when the grafana_agent_local_binary_file does not exist
+      ansible.builtin.fail:
+        msg: "The grafana_agent_local_binary_file ({{ grafana_agent_local_binary_file }}) was specified but does not exist"
+      when: not __grafana_agent_local_binary_check.stat.exists
+
+    - name: Change to local install
+      ansible.builtin.set_fact:
+        __grafana_agent_local_install: true
+
+- name: Fail when grafana_agent_provisioned_config_file is defined but the file doesn't exist
+  when: grafana_agent_provisioned_config_file is defined and grafana_agent_provisioned_config_file | length > 0
+  block:
+    - name: Check if grafana_agent_provisioned_config_file exists
+      ansible.builtin.stat:
+        path: "{{ grafana_agent_provisioned_config_file }}"
+      register: __grafana_agent_provisioned_config_file_check
+      become: false
+      delegate_to: localhost
+      check_mode: false
+
+    - name: Fail when the grafana_agent_provisioned_config_file does not exist
+      ansible.builtin.fail:
+        msg: "The grafana_agent_provisioned_config_file ({{ grafana_agent_provisioned_config_file }}) was specified but does not exist"
+      when: not __grafana_agent_provisioned_config_file_check.stat.exists
+
+- name: Check if grafana_agent is already installed on the host
+  ansible.builtin.stat:
+    path: "{{ grafana_agent_install_dir }}/{{ grafana_agent_binary }}"
+  register: __grafana_agent_is_installed
+  check_mode: false
+
+- name: Is Grafana Agent already installed on the host
+  ansible.builtin.debug:
+    var: __grafana_agent_is_installed.stat.exists
+
+- name: Install checks
+  when: __grafana_agent_is_installed.stat.exists and not __grafana_agent_local_install
+  block:
+    - name: Gather currently installed grafana-agent version from the host
+      ansible.builtin.shell:
+        cmd: |
+          {{ grafana_agent_install_dir }}/{{ grafana_agent_binary }} --version | \
+            head -n 1 | \
+            awk '{ print $3; }' | \
+            cut -d 'v' -f 2
+      changed_when: false
+      register: __grafana_agent_current_version_output
+      check_mode: false
+
+    - name: Set Grafana Agent installed version for the host
+      ansible.builtin.set_fact:
+        __grafana_agent_installed_version: "{{ __grafana_agent_current_version_output.stdout }}"
+
+    - name: Grafana Agent installed version on host
+      ansible.builtin.debug:
+        var: __grafana_agent_installed_version
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/systemd.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/systemd.yaml
new file mode 100644
index 00000000..e5ccbec4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/systemd.yaml
@@ -0,0 +1,28 @@
+---
+- name: Assert usage of systemd as an init system
+  ansible.builtin.assert:
+    that: ansible_facts['service_mgr'] == 'systemd'
+    msg: This role only works with systemd
+
+- name: Get systemd version    # noqa command-instead-of-module
+  ansible.builtin.command: systemctl --version
+  changed_when: false
+  check_mode: false
+  register: __systemd_version
+
+- name: Set systemd version fact
+  ansible.builtin.set_fact:
+    grafana_agent_systemd_version: "{{ __systemd_version.stdout_lines[0] | regex_replace('^systemd\\s(\\d+).*$', '\\1') }}"
+
+- name: Fail when _grafana_agent_systemd_dir the directory doesn't exist
+  block:
+    - name: Check if _grafana_agent_systemd_dir exists
+      ansible.builtin.stat:
+        path: "{{ _grafana_agent_systemd_dir }}"
+      register: ___grafana_agent_systemd_dir_check
+      check_mode: false
+
+    - name: Fail when the _grafana_agent_systemd_dir directory does not exist
+      ansible.builtin.fail:
+        msg: "The _grafana_agent_systemd_dir ({{ _grafana_agent_systemd_dir }}) does not exist"
+      when: not ___grafana_agent_systemd_dir_check.stat.exists
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/vars.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/vars.yaml
new file mode 100644
index 00000000..dc133a4a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/tasks/preflight/vars.yaml
@@ -0,0 +1,72 @@
+---
+# Performs initial variable validation
+- name: Fail when variables are not defined
+  ansible.builtin.fail:
+    msg: "The {{ item }} property must be set"
+  when: ( vars[item] is not defined )
+  with_items:
+    - grafana_agent_version
+    - grafana_agent_install_dir
+    - grafana_agent_binary
+    - grafana_agent_config_dir
+    - grafana_agent_config_filename
+    - grafana_agent_env_file
+    - grafana_agent_local_tmp_dir
+    - grafana_agent_wal_dir
+    - grafana_agent_positions_dir
+    - grafana_agent_mode
+    - _grafana_agent_systemd_dir
+    - _grafana_agent_systemd_unit
+    - grafana_agent_user
+    - grafana_agent_user_group
+    - grafana_agent_user_shell
+    - grafana_agent_user_createhome
+    - grafana_agent_local_binary_file
+    - grafana_agent_flags_extra
+    - grafana_agent_env_vars
+    - grafana_agent_env_file_vars
+    - grafana_agent_provisioned_config_file
+    - grafana_agent_metrics_config
+    - grafana_agent_logs_config
+    - grafana_agent_traces_config
+    - grafana_agent_integrations_config
+
+- name: Fail when variables do not have a length
+  ansible.builtin.fail:
+    msg: "The {{ item }} property must be valued"
+  when: ( vars[item] | string | length == 0 )
+  with_items:
+    - grafana_agent_version
+    - grafana_agent_install_dir
+    - grafana_agent_binary
+    - grafana_agent_config_dir
+    - grafana_agent_config_filename
+    - grafana_agent_env_file
+    - grafana_agent_local_tmp_dir
+    - grafana_agent_wal_dir
+    - grafana_agent_positions_dir
+    - grafana_agent_mode
+    - _grafana_agent_systemd_dir
+    - _grafana_agent_systemd_unit
+    - grafana_agent_user
+    - grafana_agent_user_group
+    - grafana_agent_user_shell
+    - grafana_agent_user_createhome
+
+- name: Fail when variables are not a number
+  ansible.builtin.fail:
+    msg: "The {{ item }} property must be number"
+  when: ( vars[item] is defined and vars[item] is not number)
+  with_items: []
+
+- name: Fail when flags are not a boolean
+  ansible.builtin.fail:
+    msg: "The {{ item }} property must be a boolean true or false"
+  when: ( vars[item] | bool | string | lower ) not in ['true', 'false']
+  with_items:
+    - grafana_agent_user_createhome
+
+- name: Fail when the agent mode is not "flow" or "static"
+  ansible.builtin.fail:
+    msg: "The grafana_agent_mode property must be a boolean 'flow' or 'static'"
+  when: grafana_agent_mode not in ['flow', 'static']
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/templates/EnvironmentFile.j2 b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/EnvironmentFile.j2
new file mode 100644
index 00000000..38022d01
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/EnvironmentFile.j2
@@ -0,0 +1,9 @@
+{{ ansible_managed | comment }}
+# Grafana Agent Environment File
+AGENT_MODE={{ grafana_agent_mode }}
+
+GOMAXPROCS={{ ansible_facts['processor_vcpus']|default(ansible_facts['processor_count']) }}
+
+{% for key, value in grafana_agent_env_file_vars.items() %}
+{{key}}={{value}}
+{% endfor %}
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/templates/config.yaml.j2 b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/config.yaml.j2
new file mode 100644
index 00000000..b36ee7a3
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/config.yaml.j2
@@ -0,0 +1,39 @@
+---
+{{ ansible_managed | comment }}
+
+#################################################################################################
+#              Configures the server of the Agent used to enable self-scraping                  #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/configuration/server-config/
+server:
+  {{ grafana_agent_server_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2) }}
+
+#################################################################################################
+#                             Configures metric collection                                      #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/configuration/metrics-config/
+metrics:
+  {{ grafana_agent_metrics_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2) }}
+
+#################################################################################################
+#                              Configures logs collection                                       #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/configuration/logs-config/
+logs:
+  {{ grafana_agent_logs_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2) }}
+
+{% if grafana_agent_mode == 'static' %}
+#################################################################################################
+#                             Configures traces collection                                      #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/configuration/traces-config/
+traces:
+  {{ grafana_agent_traces_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2) }}
+{% endif %}
+
+#################################################################################################
+#                          Configures integrations for the agent                                #
+#################################################################################################
+# Docs: https://grafana.com/docs/agent/latest/configuration/integrations/
+integrations:
+  {{ grafana_agent_integrations_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2) }}
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/templates/grafana-agent.service.j2 b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/grafana-agent.service.j2
new file mode 100644
index 00000000..b4d5bcef
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/templates/grafana-agent.service.j2
@@ -0,0 +1,65 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Grafana Agent
+Documentation=https://grafana.com/docs/agent/latest/
+After=network-online.target
+
+[Service]
+Type=simple
+User={{ grafana_agent_user }}
+Group={{ grafana_agent_user_group }}
+WorkingDirectory={{ grafana_agent_data_dir }}
+{% for key, value in grafana_agent_env_vars.items() %}
+Environment={{key}}={{value}}
+{% endfor %}
+EnvironmentFile={{ grafana_agent_config_dir }}/{{ grafana_agent_env_file}}
+{% for key, value in grafana_agent_service_extra.items() %}
+{{ key }}={{ value }}
+{% endfor %}
+
+{% if grafana_agent_mode == 'flow' %}
+ExecStart={{ grafana_agent_install_dir }}/{{ grafana_agent_binary }} run \
+{% for flag, flag_value in grafana_agent_flags_extra.items() %}
+{% if not flag_value %}
+  --{{ flag }} \
+{% elif flag_value is string %}
+  --{{ flag }}={{ flag_value }} \
+{% elif flag_value is sequence %}
+{% for flag_value_item in flag_value %}
+  --{{ flag }}={{ flag_value_item }} \
+{% endfor %}
+{% endif %}
+{% endfor %}
+  {{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }}
+{% else %}
+ExecStart={{ grafana_agent_install_dir }}/{{ grafana_agent_binary }} \
+{% for flag, flag_value in grafana_agent_flags_extra.items() %}
+{% if not flag_value %}
+  --{{ flag }} \
+{% elif flag_value is string %}
+  --{{ flag }}={{ flag_value }} \
+{% elif flag_value is sequence %}
+{% for flag_value_item in flag_value %}
+  --{{ flag }}={{ flag_value_item }} \
+{% endfor %}
+{% endif %}
+{% endfor %}
+  --config.file={{ grafana_agent_config_dir }}/{{ grafana_agent_config_filename }}
+{% endif %}
+
+SyslogIdentifier=grafana-agent
+Restart=always
+
+{% if grafana_agent_systemd_version | int >= 232 %}
+ProtectSystem=strict
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=yes
+{% else %}
+ProtectSystem=full
+{% endif %}
+ReadWritePaths=/tmp {{ grafana_agent_data_dir }} {{ grafana_agent_positions_dir }} {{ grafana_agent_wal_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/grafana/grafana/roles/grafana_agent/vars/main.yaml b/ansible_collections/grafana/grafana/roles/grafana_agent/vars/main.yaml
new file mode 100644
index 00000000..092d5e9a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/grafana_agent/vars/main.yaml
@@ -0,0 +1,29 @@
+---
+_grafana_agent_github_org: grafana
+_grafana_agent_github_repo: agent
+
+# set the go cpu arch
+_download_cpu_arch_map:
+  i386: '386'
+  x86_64: amd64
+  aarch64: arm64
+  armv7l: armv7
+  armv6l: armv6
+
+_grafana_agent_cpu_arch: "{{ _download_cpu_arch_map[ansible_facts['architecture']] | default(ansible_facts['architecture']) }}"
+
+# set the go os family
+_grafana_agent_os_family: "{{ ansible_facts['system'] | lower }}"
+
+# set the name of the archive file to download
+_grafana_agent_download_archive_file: "grafana-agent-{{ _grafana_agent_os_family }}-{{ _grafana_agent_cpu_arch }}.zip"
+
+# set the name of the binary file
+_grafana_agent_download_binary_file: "grafana-agent-{{ _grafana_agent_os_family }}-{{ _grafana_agent_cpu_arch }}"
+
+# systemd info
+_grafana_agent_systemd_dir: /lib/systemd/system/
+_grafana_agent_systemd_unit: grafana-agent.service
+
+# Server http address, used in self health check after start
+_grafana_agent_healthcheck_endpoint: "http://{{ grafana_agent_flags_extra['server.http.address'] if grafana_agent_flags_extra['server.http.address'] is defined else '127.0.0.1:12345' }}/-/ready"
diff --git a/ansible_collections/grafana/grafana/roles/loki/README.md b/ansible_collections/grafana/grafana/roles/loki/README.md
new file mode 100644
index 00000000..92b4da46
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/README.md
@@ -0,0 +1,247 @@
+# Ansible role - Loki
+
+[![License](https://img.shields.io/github/license/grafana/grafana-ansible-collection)](LICENSE)
+
+The Ansible Loki Role allows you to effortlessly deploy and manage [Loki](https://grafana.com/oss/loki/), the log aggregation system. This role is tailored for operating systems such as **RedHat**, **Rocky Linux**, **AlmaLinux**, **Ubuntu**, and **Debian**.
+
+**🔑 Key Features**
+- **📦 Out-of-the-box Deployment**: Get Loki up and running quickly with default configurations.
+- **🧹 Effortless Uninstall**: Easily remove Loki from your system setting the "loki_uninstall" variable.
+- **🔔 Example Alerting Rules**: Benefit from the included sample Ruler configuration. Utilize the provided example alerting rules as a reference guide for structuring your own rules effectively.
+
+## Table of Content
+
+- [Requirements](#requirements)
+- [Role Variables](#role-variables)
+- - [Default Variables - `defaults/main.yml`](#default-variables---defaultsmainyml)
+- - [Alerting Rules Variables](#alerting-rules-variables)
+- - [Additional Config Variables for `/etc/loki/config.yml`](#additional-config-variables-for-etclokiconfigyml)
+- [Playbook](#playbook)
+
+## Requirements
+
+- Ansible 2.10+
+
+## Role Variables
+
+- 📚 Official Loki configuration [documentation](https://grafana.com/docs/loki/latest/configuration/)
+- 🏗️ Upgrading Loki [documentation](https://grafana.com/docs/loki/latest/upgrading/)
+
+### **Default Variables - `defaults/main.yml`**
+
+```yaml
+loki_version: "latest"
+```
+
+The version of Loki to download and deploy. Supported standard version "3.0.0" format or "latest".
+
+```yaml
+loki_uninstall: "false"
+```
+
+If set to `true` will perfom uninstall instead of deployment.
+
+```yaml
+loki_http_listen_port: 3100
+```
+The TCP port on which Loki listens. By default, it listens on port `3100`.
+
+```yaml
+loki_http_listen_address: "0.0.0.0"
+```
+The address on which Loki listens for HTTP requests. By default, it listens on all interfaces.
+
+```yaml
+loki_expose_port: false
+```
+By default, this is set to `false`. It supports only simple `firewalld` configurations. If set to `true`, a firewalld rule is added to expose the TCP `loki_http_listen_port`. If set to `false`, the system ensures that the rule is not present. If the `firewalld.service` is not active, all firewalld tasks are skipped.
+
+```yaml
+loki_download_url_rpm: "https://github.com/grafana/loki/releases/download/v{{ loki_version }}/loki-{{ loki_version }}.{{ __loki_arch }}.rpm"
+```
+The default download URL for the Loki rpm package from GitHub.
+
+```yaml
+loki_download_url_deb: "https://github.com/grafana/loki/releases/download/v{{ loki_version }}/loki_{{ loki_version }}_{{ __loki_arch }}.deb"
+```
+The default download URL for the Loki deb package from GitHub.
+
+```yaml
+loki_working_path: "/var/lib/loki"
+```
+⚠️ Avoid using `/tmp/loki` as the working path. This role removes the /tmp/loki directory and replaces it with the specified working path to ensure a permanent configuration.
+
+```yaml
+loki_ruler_alert_path: "{{ loki_working_path }}/rules/fake"
+```
+The variable defines the location where the `ruler` configuration `alerts` are stored.
+⚠️ Please note that the role currently does not support multi-tenancy for alerting, so there is no need to modify this variable for different tenants.
+
+```yaml
+loki_auth_enabled: false
+```
+Enables authentication through the X-Scope-OrgID header, which must be present if `true`. If `false`, the OrgID will always be set to `fake`.
+
+```yaml
+loki_target: "all"
+```
+A comma-separated list of components to run. The default value 'all' runs Loki in single binary mode.
+Supported values: `all`, `compactor`, `distributor`, `ingester`, `querier`, `query-scheduler`, `ingester-querier`, `query-frontend`, `index-gateway`, `ruler`, `table-manager`, `read`, `write`.
+
+```yaml
+loki_ballast_bytes: 0
+```
+The amount of virtual memory in bytes to reserve as ballast in order to optimize garbage collection.
+
+```yaml
+loki_server:
+  http_listen_address: "{{ loki_http_listen_address }}"
+  http_listen_port: "{{ loki_http_listen_port }}"
+  grpc_listen_port: 9096
+```
+Configures the `server` of the launched module(s). [All possible values for `server`](https://grafana.com/docs/loki/latest/configuration/#server)
+
+```yaml
+loki_common:
+  instance_addr: 127.0.0.1
+  path_prefix: "{{ loki_working_path }}"
+  storage:
+    filesystem:
+      chunks_directory: "{{ loki_working_path }}/chunks"
+      rules_directory: "{{ loki_working_path }}/rules"
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+```
+Common configuration to be shared between multiple modules. If a more specific configuration is given in other sections, the related configuration within this section will be ignored. [All possible values for `common`](https://grafana.com/docs/loki/latest/configuration/#common)
+
+```yaml
+loki_query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+```
+The `query_range` block configures the query splitting and caching in the Loki query-frontend. [All possible values for `query_range`](https://grafana.com/docs/loki/latest/configuration/#query_range)
+
+```yaml
+loki_schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+```
+Configures the chunk index schema and where it is stored. [All possible values for `schema_config`](https://grafana.com/docs/loki/latest/configuration/#schema_config)
+
+```yaml
+loki_ruler:
+  storage:
+    type: local
+    local:
+      directory: "{{ loki_working_path }}/rules"
+  rule_path: "{{ loki_working_path }}/rules_tmp"
+  ring:
+    kvstore:
+      store: inmemory
+  enable_api: true
+  enable_alertmanager_v2: true
+  alertmanager_url: http://localhost:9093
+```
+The `ruler` block configures the Loki ruler. [All possible values for `ruler`](https://grafana.com/docs/loki/latest/configuration/#ruler)
+
+```yaml
+loki_analytics:
+  reporting_enabled: false
+```
+Enable anonymous usage reporting. Disabled by default.
+
+
+### **Alerting Rules Variables**
+(not set by default)
+
+```yaml
+---
+loki_ruler_alerts:
+  - name: Logs.Nextcloud
+    rules:
+    - alert: NextcloudLoginFailed
+      expr: |
+        count by (filename,env,job) (count_over_time({job=~"nextcloud"} | json | message=~"Login failed.*" [10m])) > 4
+      for: 0m
+      labels:
+        severity: critical
+      annotations:
+        summary: "{% raw %}On {{ $labels.job }} in log {{ $labels.filename }} failed login detected.{% endraw %}"
+  - name: Logs.sshd
+    rules:
+    - alert: SshLoginFailed
+      expr: |
+        count_over_time({job=~"secure"} |="sshd[" |~": Failed|: Invalid|: Connection closed by authenticating user" | __error__="" [15m]) > 15
+      for: 0m
+      labels:
+        severity: critical
+      annotations:
+        summary: "{% raw %}SSH authentication failure (instance {{ $labels.instance }}).{% endraw %}"
+```
+Example alerting rule configuration. You can add multiple alerting rules to suit your requirements. Please note that the alerting rules are not templated by default
+
+### **Additional Config Variables for `/etc/loki/config.yml`**
+(not set by default)
+
+Below variables allow you to extend Loki configuration to fit your needs. Always refer to official [Loki configuration](https://grafana.com/docs/loki/latest/configuration/) to obtain possible configuration parameters.
+
+| Variable Name | Description
+| ----------- | ----------- |
+| `loki_distributor` | Configures the `distributor`. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#distributor)
+| `loki_querier` | Configures the `querier`. Only appropriate when running all modules or just the querier. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#querier)
+| `loki_query_scheduler` | The `query_scheduler` block configures the Loki query scheduler. When configured it separates the tenant query queues from the query-frontend. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#query_scheduler)
+| `loki_frontend` | The `frontend` block configures the Loki query-frontend. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#frontend)
+| `loki_ingester_client` | The `ingester_client` block configures how the distributor will connect to ingesters. Only appropriate when running all components, the distributor, or the querier. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#ingester_client)
+| `loki_ingester` | The `ingester` block configures the ingester and how the ingester will register itself to a key value store. 📚 configuration [documentation](https://grafana.com/docs/loki/latest/configuration/#ingester)
+| `loki_index_gateway` | The `index_gateway` block configures the Loki index gateway server, responsible for serving index queries without the need to constantly interact with the object store. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#index_gateway)
+| `loki_storage_config` | The `storage_config` block configures one of many possible stores for both the index and chunks. Which configuration to be picked should be defined in schema_config block. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#storage_config)
+| `loki_chunk_store_config` | The `chunk_store_config` block configures how chunks will be cached and how long to wait before saving them to the backing store. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#chunk_store_config)
+| `loki_compactor` | The `compactor` block configures the compactor component, which compacts index shards for performance. 📚 [documentation](https://grafana.com/docs/loki/latest/configure/#compactor)
+| `loki_limits_config` | The `limits_config` block configures global and per-tenant limits in Loki. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#limits_config)
+| `loki_frontend_worker` | The `frontend_worker` configures the worker - running within the Loki querier - picking up and executing queries enqueued by the query-frontend. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#frontend_worker)
+| `loki_table_manager` | The `table_manager` block configures the table manager for retention. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#table_manager)
+| `loki_memberlist` | Configuration for memberlist client. Only applies if the selected kvstore is memberlist. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#memberlist)
+| `loki_runtime_config` | Configuration for `runtime config` module, responsible for reloading runtime configuration file. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#runtime_config)
+| `loki_operational_config` | These are values which allow you to control aspects of Loki's operation, most commonly used for controlling types of higher verbosity logging, the values here can be overridden in the configs section of the `runtime_config` file. 📚 [documentation](https://grafana.com/docs/loki/latest/configure/#operational_config)
+| `loki_tracing` | Configuration for tracing. 📚 [documentation](https://grafana.com/docs/loki/latest/configuration/#tracing)
+| `loki_bloom_build` | The `bloom_build` block configures the Loki bloom planner and builder servers, responsible for building bloom filters. 📚 [documentation](https://grafana.com/docs/loki/latest/configure/#bloom_build)
+| `loki_bloom_gateway` | The `bloom_gateway` block configures the Loki bloom gateway server, responsible for serving queries for filtering chunks based on filter expressions. 📚 [documentation](https://grafana.com/docs/loki/latest/configure/#bloom_gateway)
+
+## Playbook
+
+- playbook
+```yaml
+- name: Manage loki service
+  hosts: all
+  become: true
+  roles:
+    - role: grafana.grafana.loki
+```
+
+- Playbook execution example
+```shell
+# Deployment
+ansible-playbook -i inventory/hosts playbook/function_loki_play.yml
+
+# Uninstall
+ansible-playbook -i inventory/hosts playbook/function_loki_play.yml -e "loki_uninstall=true"
+```
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
+
+## Author Information
+
+-   [VoidQuark](https://github.com/voidquark)
diff --git a/ansible_collections/grafana/grafana/roles/loki/defaults/main.yml b/ansible_collections/grafana/grafana/roles/loki/defaults/main.yml
new file mode 100644
index 00000000..8718ac2e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/defaults/main.yml
@@ -0,0 +1,110 @@
+---
+# defaults file for loki
+loki_version: "latest"
+loki_uninstall: false
+loki_http_listen_port: 3100
+loki_http_listen_address: "0.0.0.0"
+loki_expose_port: false
+loki_download_url_rpm: "https://github.com/grafana/loki/releases/download/v{{ loki_version }}/loki-{{ loki_version }}.{{ __loki_arch }}.rpm"
+loki_download_url_deb: "https://github.com/grafana/loki/releases/download/v{{ loki_version }}/loki_{{ loki_version }}_{{ __loki_arch }}.deb"
+loki_working_path: "/var/lib/loki"
+loki_ruler_alert_path: "{{ loki_working_path }}/rules/fake"
+
+# Default Variables for /etc/loki/config.yml
+loki_auth_enabled: false
+loki_target: "all"
+loki_ballast_bytes: 0
+
+loki_server:
+  http_listen_address: "{{ loki_http_listen_address }}"
+  http_listen_port: "{{ loki_http_listen_port }}"
+  grpc_listen_port: 9096
+
+loki_common:
+  instance_addr: 127.0.0.1
+  path_prefix: "{{ loki_working_path }}"
+  storage:
+    filesystem:
+      chunks_directory: "{{ loki_working_path }}/chunks"
+      rules_directory: "{{ loki_working_path }}/rules"
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+loki_query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+loki_schema_config:
+  configs:
+    - from: 2020-10-24
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+loki_ruler:
+  storage:
+    type: local
+    local:
+      directory: "{{ loki_working_path }}/rules"
+  rule_path: "{{ loki_working_path }}/rules_tmp"
+  ring:
+    kvstore:
+      store: inmemory
+  enable_api: true
+  enable_alertmanager_v2: true
+  alertmanager_url: http://localhost:9093
+
+loki_analytics:
+  reporting_enabled: false
+
+# Alerting Rules Variables
+# loki_ruler_alerts:
+#   - name: Logs.Nextcloud
+#     rules:
+#     - alert: NextcloudLoginFailed
+#       expr: |
+#         count by (filename,env,job) (count_over_time({job=~"nextcloud"} | json | message=~"Login failed.*" [10m])) > 4
+#       for: 0m
+#       labels:
+#         severity: critical
+#       annotations:
+#         summary: "{% raw %}On {{ $labels.job }} in log {{ $labels.filename }} failed login detected.{% endraw %}"
+#   - name: Logs.sshd
+#     rules:
+#     - alert: SshLoginFailed
+#       expr: |
+#         count_over_time({job=~"secure"} |="sshd[" |~": Failed|: Invalid|: Connection closed by authenticating user" | __error__="" [15m]) > 15
+#       for: 0m
+#       labels:
+#         severity: critical
+#       annotations:
+#         summary: "{% raw %}SSH authentication failure (instance {{ $labels.instance }}).{% endraw %}"
+
+# Additional Config Variables for /etc/loki/config.yml
+# loki_distributor:
+# loki_querier:
+# loki_query_scheduler:
+# loki_frontend:
+# loki_ingester_client:
+# loki_ingester:
+# loki_index_gateway:
+# loki_storage_config:
+# loki_chunk_store_config:
+# loki_compactor:
+# loki_limits_config:
+# loki_frontend_worker:
+# loki_table_manager:
+# loki_memberlist:
+# loki_runtime_config:
+# loki_operational_config:
+# loki_tracing:
+# loki_bloom_build:
+# loki_bloom_gateway:
diff --git a/ansible_collections/grafana/grafana/roles/loki/handlers/main.yml b/ansible_collections/grafana/grafana/roles/loki/handlers/main.yml
new file mode 100644
index 00000000..76104495
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for loki
+- name: Restart loki
+  listen: "restart loki"
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: loki.service
+    state: restarted
+    enabled: true
+  when: not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/loki/meta/main.yml b/ansible_collections/grafana/grafana/roles/loki/meta/main.yml
new file mode 100644
index 00000000..b66e783d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  role_name: loki
+  author: voidquark
+  description: Manage Grafana Loki Application
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.10"
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+  galaxy_tags:
+    - loki
+    - grafana
+    - logging
+    - monitoring
+
+dependencies: []
diff --git a/ansible_collections/grafana/grafana/roles/loki/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/loki/molecule/default/converge.yml
new file mode 100644
index 00000000..1f2ce7f5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/molecule/default/converge.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: grafana.grafana.loki
diff --git a/ansible_collections/grafana/grafana/roles/loki/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/loki/molecule/default/molecule.yml
new file mode 100644
index 00000000..339965a5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+dependency:
+  name: galaxy
+  options:
+    ignore-errors: true
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
diff --git a/ansible_collections/grafana/grafana/roles/loki/tasks/deploy.yml b/ansible_collections/grafana/grafana/roles/loki/tasks/deploy.yml
new file mode 100644
index 00000000..1532b327
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/tasks/deploy.yml
@@ -0,0 +1,150 @@
+---
+# tasks file for loki deployment
+
+- name: Obtain the latest version from the Loki GitHub repo
+  when: loki_version == "latest"
+  block:
+    - name: Scrape Github API endpoint to obtain latest Loki version
+      ansible.builtin.uri:
+        url: "https://api.github.com/repos/grafana/loki/releases/latest"
+        method: GET
+        body_format: json
+      become: false
+      delegate_to: localhost
+      run_once: true
+      check_mode: false
+      register: __github_latest_version
+
+    - name: Latest available Loki version
+      ansible.builtin.set_fact:
+        loki_version: "{{ __github_latest_version.json.tag_name | regex_replace('^v?(\\d+\\.\\d+\\.\\d+)$', '\\1') }}"
+
+- name: Verify current deployed version
+  block:
+    - name: Check if Loki binary is present
+      ansible.builtin.stat:
+        path: "/usr/bin/loki"
+      register: __already_deployed
+
+    - name: Obtain current deployed Loki version
+      ansible.builtin.command:
+        cmd: "/usr/bin/loki --version"
+      changed_when: false
+      register: __current_deployed_version
+      when: __already_deployed.stat.exists | bool
+
+- name: Include RedHat/Rocky setup
+  ansible.builtin.include_tasks:
+    file: setup-RedHat.yml
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Include Debian/Ubuntu setup
+  ansible.builtin.include_tasks:
+    file: setup-Debian.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Check if Loki default dir is present
+  ansible.builtin.stat:
+    path: "/tmp/loki/boltdb-shipper-active"
+  register: __default_structure
+
+- name: Default structure cleanup
+  when: __default_structure.stat.exists | bool
+  block:
+    - name: Ensure that Loki is stopped before default cleanup
+      ansible.builtin.systemd:
+        name: loki.service
+        state: stopped
+
+    - name: Remove default configuration from "/tmp/loki" directory
+      ansible.builtin.file:
+        path: "/tmp/loki"
+        state: absent
+
+- name: Ensure that Loki working path exists
+  ansible.builtin.file:
+    path: "{{ loki_working_path }}"
+    state: directory
+    owner: "loki"
+    group: "root"
+    mode: "0755"
+
+- name: Template Loki config - /etc/loki/config.yml
+  ansible.builtin.template:
+    src: "config.yml.j2"
+    dest: "/etc/loki/config.yml"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/loki --verify-config -config.file %s"
+  notify: restart loki
+
+- name: Ensure that Loki rule path exists
+  ansible.builtin.file:
+    path: "{{ loki_ruler_alert_path }}"
+    state: directory
+    owner: "loki"
+    group: "root"
+    mode: "0750"
+  when:
+    - loki_ruler_alert_path is defined
+    - loki_ruler is defined
+
+- name: Template Loki Rule File
+  ansible.builtin.template:
+    src: "rules.yml.j2"
+    dest: "{{ loki_ruler_alert_path }}/rules.yml"
+    owner: "loki"
+    group: "root"
+    mode: "0644"
+  notify: restart loki
+  when:
+    - loki_ruler_alerts is defined
+    - loki_ruler_alert_path is defined
+    - loki_ruler is defined
+
+- name: Get firewalld state
+  ansible.builtin.systemd:
+    name: "firewalld"
+  register: __firewalld_service_state
+
+- name: Enable firewalld rule to expose Loki tcp port {{ loki_http_listen_port }}
+  ansible.posix.firewalld:
+    immediate: true
+    permanent: true
+    port: "{{ loki_http_listen_port }}/tcp"
+    state: enabled
+  when:
+    - __firewalld_service_state.status.ActiveState == "active"
+    - loki_expose_port | bool
+
+- name: Ensure that Loki firewalld rule is not present - tcp port {{ loki_http_listen_port }}
+  ansible.posix.firewalld:
+    immediate: true
+    permanent: true
+    port: "{{ loki_http_listen_port }}/tcp"
+    state: disabled
+  when:
+    - __firewalld_service_state.status.ActiveState == "active"
+    - not loki_expose_port | bool
+
+- name: Flush handlers after deployment
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure that Loki is started
+  ansible.builtin.systemd:
+    name: loki.service
+    state: started
+  when: not ansible_check_mode
+
+- name: Verify that Loki URL is responding
+  ansible.builtin.uri:
+    url: "http://{{ loki_http_listen_address }}:{{ loki_http_listen_port }}/ready"
+    method: GET
+  register: loki_verify_url_status_code
+  retries: 5
+  delay: 8
+  until: loki_verify_url_status_code.status == 200
+  when:
+    - loki_expose_port | bool
+    - not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/loki/tasks/main.yml b/ansible_collections/grafana/grafana/roles/loki/tasks/main.yml
new file mode 100644
index 00000000..8e9a63ff
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# tasks file for loki
+- name: Include OS specific variables
+  ansible.builtin.include_vars:
+    file: "{{ ansible_facts['os_family'] }}.yml"
+
+- name: Deploy Loki service
+  ansible.builtin.include_tasks:
+    file: "deploy.yml"
+  when: not loki_uninstall
+
+- name: Uninstall Loki service
+  ansible.builtin.include_tasks:
+    file: "uninstall.yml"
+  when: loki_uninstall
diff --git a/ansible_collections/grafana/grafana/roles/loki/tasks/setup-Debian.yml b/ansible_collections/grafana/grafana/roles/loki/tasks/setup-Debian.yml
new file mode 100644
index 00000000..c71af7f4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/tasks/setup-Debian.yml
@@ -0,0 +1,7 @@
+---
+- name: APT - Install Loki
+  ansible.builtin.apt:
+    deb: "{{ loki_download_url_deb }}"
+    state: present
+  notify: restart loki
+  when: __current_deployed_version.stdout is not defined or loki_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/loki/tasks/setup-RedHat.yml b/ansible_collections/grafana/grafana/roles/loki/tasks/setup-RedHat.yml
new file mode 100644
index 00000000..91e60c50
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/tasks/setup-RedHat.yml
@@ -0,0 +1,8 @@
+---
+- name: DNF - Install Loki from remote URL
+  ansible.builtin.dnf:
+    name: "{{ loki_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: restart loki
+  when: __current_deployed_version.stdout is not defined or loki_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/loki/tasks/uninstall.yml b/ansible_collections/grafana/grafana/roles/loki/tasks/uninstall.yml
new file mode 100644
index 00000000..d82b65f4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/tasks/uninstall.yml
@@ -0,0 +1,51 @@
+---
+# tasks file for loki uninstall
+
+- name: Stop Loki service
+  ansible.builtin.systemd:  # noqa ignore-errors
+    name: loki
+    state: stopped
+  ignore_errors: true
+
+- name: Uninstall Loki rpm package
+  ansible.builtin.dnf:
+    name: "loki"
+    state: absent
+    autoremove: true
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Uninstall Loki deb package
+  ansible.builtin.apt:
+    name: "loki"
+    state: absent
+    purge: true
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Ensure that Loki firewalld rule is not present - tcp port {{ loki_http_listen_port }}
+  ansible.posix.firewalld:  # noqa ignore-errors
+    immediate: true
+    permanent: true
+    port: "{{ loki_http_listen_port }}/tcp"
+    state: disabled
+  ignore_errors: true
+
+- name: Remove Loki directories"
+  ansible.builtin.file:
+    path: "{{ remove_me }}"
+    state: absent
+  loop:
+    - "/etc/loki"
+    - "{{ loki_working_path }}"
+  loop_control:
+    loop_var: remove_me
+
+- name: Remove the Loki system user
+  ansible.builtin.user:
+    name: "loki"
+    force: true
+    state: absent
+
+- name: Remove Loki system group
+  ansible.builtin.group:
+    name: "loki"
+    state: absent
diff --git a/ansible_collections/grafana/grafana/roles/loki/templates/config.yml.j2 b/ansible_collections/grafana/grafana/roles/loki/templates/config.yml.j2
new file mode 100644
index 00000000..60be6f53
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/templates/config.yml.j2
@@ -0,0 +1,107 @@
+{% if loki_target is defined %}
+target: {{ loki_target }}
+{% endif %}
+{% if loki_auth_enabled is defined %}
+auth_enabled: {{ loki_auth_enabled }}
+{% endif %}
+{% if loki_ballast_bytes is defined %}
+ballast_bytes: {{ loki_ballast_bytes }}
+{% endif %}
+server:
+  {{ loki_server | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% if loki_distributor is defined %}
+distributor:
+  {{ loki_distributor | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_querier is defined %}
+querier:
+  {{ loki_querier | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_query_scheduler is defined %}
+query_scheduler:
+  {{ loki_query_scheduler | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_frontend is defined %}
+frontend:
+  {{ loki_frontend | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_query_range is defined %}
+query_range:
+  {{ loki_query_range | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_ruler is defined %}
+ruler:
+  {{ loki_ruler | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_ingester_client is defined %}
+ingester_client:
+  {{ loki_ingester_client | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_ingester is defined %}
+ingester:
+  {{ loki_ingester | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_index_gateway is defined %}
+index_gateway:
+  {{ loki_index_gateway | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_storage_config is defined %}
+storage_config:
+  {{ loki_storage_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_chunk_store_config is defined %}
+chunk_store_config:
+  {{ loki_chunk_store_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_schema_config is defined %}
+schema_config:
+  {{ loki_schema_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_compactor is defined %}
+compactor:
+  {{ loki_compactor | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_limits_config is defined %}
+limits_config:
+  {{ loki_limits_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_frontend_worker is defined %}
+frontend_worker:
+  {{ loki_frontend_worker | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_table_manager is defined %}
+table_manager:
+  {{ loki_table_manager | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_memberlist is defined %}
+memberlist:
+  {{ loki_memberlist | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_runtime_config is defined %}
+runtime_config:
+  {{ loki_runtime_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_operational_config is defined %}
+operational_config:
+  {{ loki_operational_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_tracing is defined %}
+tracing:
+  {{ loki_tracing | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_analytics is defined %}
+analytics:
+  {{ loki_analytics | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_common is defined %}
+common:
+  {{ loki_common | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_bloom_build is defined %}
+bloom_build:
+  {{ loki_bloom_build | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if loki_bloom_gateway is defined %}
+bloom_gateway:
+  {{ loki_bloom_gateway | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
diff --git a/ansible_collections/grafana/grafana/roles/loki/templates/rules.yml.j2 b/ansible_collections/grafana/grafana/roles/loki/templates/rules.yml.j2
new file mode 100644
index 00000000..a3dc3be2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/templates/rules.yml.j2
@@ -0,0 +1,3 @@
+---
+groups:
+  {{ loki_ruler_alerts | to_nice_yaml(indent=2,sort_keys=False) | indent(2,False) }}
diff --git a/ansible_collections/grafana/grafana/roles/loki/vars/Debian.yml b/ansible_collections/grafana/grafana/roles/loki/vars/Debian.yml
new file mode 100644
index 00000000..e98017ce
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/vars/Debian.yml
@@ -0,0 +1,8 @@
+---
+__loki_arch_map:
+  x86_64: 'amd64'
+  armv6l: 'arm'
+  armv7l: 'arm'
+  aarch64: 'arm64'
+
+__loki_arch: "{{ __loki_arch_map[ansible_facts['architecture']] | default(ansible_facts['architecture']) }}"
diff --git a/ansible_collections/grafana/grafana/roles/loki/vars/RedHat.yml b/ansible_collections/grafana/grafana/roles/loki/vars/RedHat.yml
new file mode 100644
index 00000000..ed969e78
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/loki/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+__loki_arch: "{{ ansible_facts['architecture'] }}"
diff --git a/ansible_collections/grafana/grafana/roles/mimir/README.md b/ansible_collections/grafana/grafana/roles/mimir/README.md
new file mode 100644
index 00000000..26061529
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/README.md
@@ -0,0 +1,109 @@
+# Ansible role - Mimir
+
+[![License](https://img.shields.io/github/license/grafana/grafana-ansible-collection)](LICENSE)
+
+This role installs and configures a [Mimir](https://grafana.com/docs/mimir/latest/)
+standalone application.
+
+## Testing with Molecule
+
+To be able to test this collection locally, we use Molecule. Molecule is an Ansible test tool that enable us to run our roles inside containers. In our case, we are using Podman as a container runtime. To be able to run the Molecule test, you need to have the following installed on your machine:
+
+- Podman
+- Ansible
+- Python3
+
+### First Time Setup
+
+To install all the dependencies, use the following commands:
+
+```sh
+# Create a virtual environment
+python -m venv .venv
+
+# On MacOS, WSL, Linux
+source .venv/bin/activate
+
+# On Windows
+.\.venv\Scripts\activate
+
+# Install dependencies
+pip3 install ansible-core==2.16 'molecule-plugins[docker]' pytest-testinfra jmespath selinux passlib
+
+# Create molecule network
+docker network create molecule
+```
+
+### Run Minio for local S3
+
+To be able to run Mimir using an object store backend, run the following command
+
+```sh
+docker run -d \
+      -p 9000:9000 \
+      -p 9001:9001 \
+      --name minio-mimir \
+      --network molecule \
+      -e "MINIO_ROOT_USER=testtest" \
+      -e "MINIO_ROOT_PASSWORD=testtest" \
+      -e "MINIO_DEFAULT_BUCKETS=mimir" \
+      bitnami/minio:latest
+```
+
+### Testing the changes
+
+To test the changes in a role run:
+
+```sh
+molecule converge
+## example: molecule converge
+```
+
+When Ansible has succesfully ran, you can run assertions against your infrastructure using.
+
+```sh
+molecule verify
+## example: `molecule verify`
+```
+
+You can also run commands like `molecule destroy`, `molecule prepare`, and `molecule test`. See Molecule documentation for more information
+
+## Role Variables
+
+---
+
+| Name                                    | Type | Default                                | Description                                                                                                                                                          |
+| --------------------------------------- | ---- | -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| mimir_working_path                      | str  | /usr/share/mimir                       | Used to specify the directory path where Mimir, a component of the Grafana Agent, stores its working files and temporary data.                                       |
+| mimir_uninstall                         | bool | false                                  | If set to `true` will perfom uninstall instead of deployment.                                                                                                        |
+| mimir_ruler_alert_path                  | str  | /data/ruler                            | Used to specify the directory path where the Mimir ruler component of the Grafana Agent stores its alert files.                                                      |
+| mimir_http_listen_port                  | str  | 8080                                   | Used to specify the port number on which the Mimir component of the Grafana Agent listens for incoming HTTP requests.                                                |
+| mimir_http_listen_address               | str  | 0.0.0.0                                | Used to specify the network address on which the Mimir component of the Grafana Agent listens for incoming HTTP requests.                                            |
+| mimir_ruler.rule_path                   | str  | /data/ruler                            | Used to specify the directory path where the Mimir ruler component of the Grafana Agent looks for rule files.                                                        |
+| mimir_ruler.alertmanager_url            | str  | http://127.0.0.1:8080/alertmanager     | Used to specify the URL or address of the Alertmanager API that the Mimir ruler component of the Grafana Agent should communicate with.                              |
+| mimir_ruler.ring.heartbeat_period       | str  | 2s                                     | Used to specify the interval at which the Mimir ruler component of the Grafana Agent sends heartbeat signals to the ring.                                            |
+| mimir_ruler.heartbeat_timeout           | str  | 10s                                    | Used to specify the maximum duration of time that the Mimir ruler component of the Grafana Agent will wait for a heartbeat signal from other components in the ring. |
+| mimir_alertmanager.data_dir             | str  | /data/alertmanager                     | sed to specify the directory path where the Mimir Alertmanager component of the Grafana Agent stores its data files.                                                 |
+| mimir_alertmanager.fallback_config_file | str  | /etc/alertmanager-fallback-config.yaml | Used to specify the path to a fallback configuration file for the Mimir Alertmanager component of the Grafana Agent.                                                 |
+| mimir_alertmanager.external_url         | str  | http://localhost:9009/alertmanager     | Used to specify the external URL or address at which the Mimir Alertmanager component of the Grafana Agent can be accessed.                                          |
+| mimir_memberlist.join_members           | []   | List of members for the Mimir cluster  |
+
+## **Additional Config Variables for `/etc/mimir/config.yml`**
+
+Below variables allow you to extend Mimir configuration to fit your needs.
+Always refer to official [Mimir configuration](https://grafana.com/docs/mimir/latest/configure/about-configurations/)
+to obtain possible configuration parameters.
+
+> [!NOTE]
+> These variables are not set by default.
+
+| Name                         | Description                                                                                                                                                         |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `mimir_blocks_storage`       | Configures the `blocks_storage` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#blocks_storage)             |
+| `mimir_ruler_storage`        | Configures the `ruler_storage` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#ruler_storage)               |
+| `mimir_alertmanager_storage` | Configures the `alertmanager_storage` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#alertmanager_storage) |
+| `mimir_distributor`          | Configures the `distributor` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#distributor)                   |
+| `mimir_ingester`             | Configures the `ingester` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#ingester)                         |
+| `mimir_querier`              | Configures the `querier` component. 📚 [documentation](https://grafana.com/docs/mimir/latest/configure/configuration-parameters/#querier)                           |
+
+For extra configuration samples refer to [`examples` directory](../../examples).
diff --git a/ansible_collections/grafana/grafana/roles/mimir/defaults/main.yml b/ansible_collections/grafana/grafana/roles/mimir/defaults/main.yml
new file mode 100644
index 00000000..64efd462
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/defaults/main.yml
@@ -0,0 +1,31 @@
+---
+# defaults file for mimir
+mimir_version: "latest"
+mimir_uninstall: false
+__mimir_arch: "{{ arch_mapping[ansible_facts['architecture']] | default('amd64') }}"
+mimir_download_url_rpm: "https://github.com/grafana/mimir/releases/download/mimir-{{ mimir_version }}/mimir-{{ mimir_version }}_{{ __mimir_arch }}.rpm"
+mimir_download_url_deb: "https://github.com/grafana/mimir/releases/download/mimir-{{ mimir_version }}/mimir-{{ mimir_version }}_{{ __mimir_arch }}.deb"
+mimir_working_path: "/var/lib/mimir"
+mimir_ruler_alert_path: "{{ mimir_working_path }}/ruler"
+mimir_http_listen_port: 8080
+mimir_http_listen_address: "0.0.0.0"
+
+arch_mapping:
+  x86_64: amd64
+  aarch64: arm64
+  armv7l: armhf
+  i386: i386
+  ppc64le: ppc64le
+
+mimir_server:
+  http_listen_port: "{{ mimir_http_listen_port }}"
+  http_listen_address: "{{ mimir_http_listen_address }}"
+
+mimir_ruler:
+  rule_path: "{{ mimir_working_path }}/ruler"
+  alertmanager_url: "http://localhost:{{ mimir_http_listen_port }}/alertmanager"
+
+mimir_alertmanager:
+  data_dir: "{{ mimir_working_path }}/alertmanager"
+  external_url: "http://localhost:{{ mimir_http_listen_port }}/alertmanager"
+
diff --git a/ansible_collections/grafana/grafana/roles/mimir/files/.gitkeep b/ansible_collections/grafana/grafana/roles/mimir/files/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/grafana/grafana/roles/mimir/handlers/main.yml b/ansible_collections/grafana/grafana/roles/mimir/handlers/main.yml
new file mode 100644
index 00000000..22251ca2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart mimir
+  ansible.builtin.systemd:
+    name: mimir.service
+    state: restarted
diff --git a/ansible_collections/grafana/grafana/roles/mimir/meta/main.yml b/ansible_collections/grafana/grafana/roles/mimir/meta/main.yml
new file mode 100644
index 00000000..596fca2a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/meta/main.yml
@@ -0,0 +1,37 @@
+---
+# meta/main.yml
+galaxy_info:
+  author: "Grafana"
+  role_name: mimir
+  description: "Grafana - platform for analytics and monitoring"
+  license: "MIT"
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+        - xenial
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: EL
+      versions:
+        - "7"
+        - "8"
+    - name: Fedora
+      versions:
+        - "30"
+        - "31"
+  galaxy_tags:
+    - grafana
+    - dashboard
+    - alerts
+    - alerting
+    - presentation
+    - monitoring
+    - metrics
+
+dependencies: []
+
+allow_duplicates: true
diff --git a/ansible_collections/grafana/grafana/roles/mimir/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/converge.yml
new file mode 100644
index 00000000..57a36c09
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/converge.yml
@@ -0,0 +1,33 @@
+---
+- name: Converge mimir
+  hosts: all
+  collections:
+    - grafana.grafana
+  vars:
+    mimir_storage:
+      storage:
+        backend: s3
+        s3:
+          endpoint: minio-mimir.:9000
+          access_key_id: testtest
+          secret_access_key: testtest
+          insecure: true
+          bucket_name: mimir
+
+    # Blocks storage requires a prefix when using a common object storage bucket.
+    mimir_blocks_storage:
+      storage_prefix: blocks
+      tsdb:
+        dir: "{{ mimir_working_path}}/ingester"
+
+    # Use memberlist, a gossip-based protocol, to enable the 3 Mimir replicas to communicate
+    mimir_memberlist:
+      join_members:
+        - molecule-grafana-mimir01.:7946
+        - molecule-grafana-mimir02.:7946
+        - molecule-grafana-mimir03.:7946
+
+  tasks:
+    - name: "Run Grafana mimir collection"
+      include_role:
+        name: mimir
diff --git a/ansible_collections/grafana/grafana/roles/mimir/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/molecule.yml
new file mode 100644
index 00000000..2790af53
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/molecule.yml
@@ -0,0 +1,60 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: molecule-grafana-mimir01
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-"/sbin/init"}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    network: molecule
+    network_mode: "molecule"
+    published_ports:
+      - 7946
+      - 9019:9009
+      - 9096
+  - name: molecule-grafana-mimir02
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-"/sbin/init"}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    network: molecule
+    network_mode: "molecule"
+    published_ports:
+      - 7946
+      - 9029:9009
+      - 9096
+  - name: molecule-grafana-mimir03
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-"/sbin/init"}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+    network: molecule
+    network_mode: "molecule"
+    published_ports:
+      - 7946
+      - 9039:9009
+      - 9096
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
+
+verifier:
+  name: testinfra
+lint: |
+  set -e
+  yamllint .
+  ansible-lint .
diff --git a/ansible_collections/grafana/grafana/roles/mimir/molecule/default/tests/test_default.py b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/tests/test_default.py
new file mode 100644
index 00000000..671a5adc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/molecule/default/tests/test_default.py
@@ -0,0 +1,36 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/mimir",
+        "/var/lib/mimir",
+    ]
+    files = [
+        "/etc/mimir/config.yml"
+    ]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("mimir")
+    assert s.is_running
+
+
+def test_packages(host):
+    p = host.package("mimir")
+    assert p.is_installed
diff --git a/ansible_collections/grafana/grafana/roles/mimir/tasks/deploy.yml b/ansible_collections/grafana/grafana/roles/mimir/tasks/deploy.yml
new file mode 100644
index 00000000..622c602e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/tasks/deploy.yml
@@ -0,0 +1,111 @@
+---
+# tasks file for Mimir deployment
+- name: Obtain the latest version from the Mimir GitHub repo
+  when: mimir_version == "latest"
+  block:
+    - name: Scrape Github API endpoint to obtain latest Mimir version
+      ansible.builtin.uri:
+        url: "https://api.github.com/repos/grafana/mimir/releases/latest"
+        method: GET
+        body_format: json
+      become: false
+      delegate_to: localhost
+      run_once: true
+      register: __github_latest_version
+
+    - name: Latest available Mimir version
+      ansible.builtin.set_fact:
+        mimir_version: "{{ __github_latest_version.json.tag_name | regex_replace('^v?(\\d+\\.\\d+\\.\\d+)$', '\\1') }}"
+
+- name: Verify current deployed version
+  block:
+    - name: Check if Mimir binary is present
+      ansible.builtin.stat:
+        path: "/usr/bin/mimir"
+      register: __already_deployed
+
+    - name: Obtain current deployed Mimir version
+      ansible.builtin.command:
+        cmd: "/usr/bin/mimir --version"
+      changed_when: false
+      register: __current_deployed_version
+      when: __already_deployed.stat.exists | bool
+
+- name: Include RedHat/Rocky setup
+  ansible.builtin.include_tasks:
+    file: setup-Redhat.yml
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Include Debian/Ubuntu setup
+  ansible.builtin.include_tasks:
+    file: setup-Debian.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Check if Mimir default dir is present
+  ansible.builtin.stat:
+    path: "/tmp/mimir/boltdb-shipper-active"
+  register: __default_structure
+
+- name: Default structure cleanup
+  when: __default_structure.stat.exists | bool
+  block:
+    - name: Ensure that Mimir is stopped before default cleanup
+      ansible.builtin.systemd:
+        name: mimir.service
+        state: stopped
+
+    - name: Remove default configuration from "/tmp/mimir" directory
+      ansible.builtin.file:
+        path: "/tmp/mimir"
+        state: absent
+
+- name: Ensure that Mimir working path exists
+  ansible.builtin.file:
+    path: "{{ mimir_working_path }}"
+    state: directory
+    owner: "mimir"
+    group: "mimir"
+    mode: "0755"
+
+- name: Ensure that Mimir rule path exists
+  ansible.builtin.file:
+    path: "{{ mimir_ruler_alert_path }}"
+    state: directory
+    owner: "mimir"
+    group: "mimir"
+    mode: "0755"
+  when:
+    - mimir_ruler_alert_path is defined
+    - mimir_ruler is defined
+
+- name: Template Mimir config - /etc/mimir/config.yml
+  ansible.builtin.template:
+    src: "config.yml.j2"
+    dest: "/etc/mimir/config.yml"
+    owner: "mimir"
+    group: "mimir"
+    mode: "0644"
+    validate: "mimir -modules --config.file=%s"
+  environment:
+    PATH: "/usr/local/bin:{{ ansible_env.PATH }}"
+  notify:
+    - Restart mimir
+
+- name: Ensure restart has completed
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure that Mimir is started
+  ansible.builtin.systemd:
+    name: mimir.service
+    state: started
+    enabled: true
+
+
+- name: Verify that Mimir URL is responding
+  ansible.builtin.uri:
+    url: "http://{{ mimir_http_listen_address }}:{{ mimir_http_listen_port }}/ready"
+    method: GET
+  register: mimir_verify_url_status_code
+  retries: 5
+  delay: 8
+  until: mimir_verify_url_status_code.status == 200
diff --git a/ansible_collections/grafana/grafana/roles/mimir/tasks/main.yml b/ansible_collections/grafana/grafana/roles/mimir/tasks/main.yml
new file mode 100644
index 00000000..4e4e8c7a
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Deploy Mimir service
+  ansible.builtin.include_tasks:
+    file: "deploy.yml"
+  when: not mimir_uninstall
+
+- name: Uninstall Mimir service
+  ansible.builtin.include_tasks:
+    file: "uninstall.yml"
+  when: mimir_uninstall
diff --git a/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Debian.yml b/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Debian.yml
new file mode 100644
index 00000000..7028ed4d
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Debian.yml
@@ -0,0 +1,7 @@
+---
+- name: APT - Install Mimir
+  ansible.builtin.apt:
+    deb: "{{ mimir_download_url_deb }}"
+    state: present
+  notify: Restart mimir
+  when: __current_deployed_version.stdout is not defined or mimir_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Redhat.yml b/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Redhat.yml
new file mode 100644
index 00000000..5bc34a91
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/tasks/setup-Redhat.yml
@@ -0,0 +1,8 @@
+---
+- name: DNF - Install Mimir from remote URL
+  ansible.builtin.dnf:
+    name: "{{ mimir_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: Restart mimir
+  when: __current_deployed_version.stdout is not defined or mimir_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/mimir/tasks/uninstall.yml b/ansible_collections/grafana/grafana/roles/mimir/tasks/uninstall.yml
new file mode 100644
index 00000000..11fe9106
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/tasks/uninstall.yml
@@ -0,0 +1,51 @@
+---
+# tasks file for Mimir uninstall
+
+- name: Stop Mimir service
+  ansible.builtin.systemd:  # noqa ignore-errors
+    name: mimir
+    state: stopped
+  ignore_errors: true
+
+- name: Uninstall Mimir rpm package
+  ansible.builtin.dnf:
+    name: "mimir"
+    state: absent
+    autoremove: true
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Uninstall Mimir deb package
+  ansible.builtin.apt:
+    name: "mimir"
+    state: absent
+    purge: true
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Ensure that Mimir firewalld rule is not present - tcp port {{ mimir_http_listen_port }}
+  ansible.posix.firewalld:  # noqa ignore-errors
+    immediate: true
+    permanent: true
+    port: "{{ mimir_http_listen_port }}/tcp"
+    state: disabled
+  ignore_errors: true
+
+- name: Remove Mimir directories"
+  ansible.builtin.file:
+    path: "{{ remove_me }}"
+    state: absent
+  loop:
+    - "/etc/mimir"
+    - "{{ mimir_working_path }}"
+  loop_control:
+    loop_var: remove_me
+
+- name: Remove the Mimir system user
+  ansible.builtin.user:
+    name: "mimir"
+    force: true
+    state: absent
+
+- name: Remove Mimir system group
+  ansible.builtin.group:
+    name: "mimir"
+    state: absent
diff --git a/ansible_collections/grafana/grafana/roles/mimir/templates/.gitkeep b/ansible_collections/grafana/grafana/roles/mimir/templates/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/grafana/grafana/roles/mimir/templates/config.yml.j2 b/ansible_collections/grafana/grafana/roles/mimir/templates/config.yml.j2
new file mode 100644
index 00000000..4b88b230
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/mimir/templates/config.yml.j2
@@ -0,0 +1,67 @@
+# Run Mimir in single process mode, with all components running in 1 process.
+target: all,alertmanager,overrides-exporter
+
+# Configure Mimir to use Minio as object storage backend.
+common:
+{% if mimir_storage is defined %}
+  {{ mimir_storage | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+# Blocks storage requires a prefix when using a common object storage bucket.
+{% if mimir_blocks_storage is defined %}
+blocks_storage:
+  {{ mimir_blocks_storage | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+# Blocks storage requires a prefix when using a common object storage bucket.
+{% if mimir_ruler_storage is defined %}
+ruler_storage:
+  {{ mimir_ruler_storage | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+# Alertmanager storage requires a prefix when using a common object storage bucket.
+{% if mimir_alertmanager_storage is defined %}
+alertmanager_storage:
+  {{ mimir_alertmanager_storage | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+# Use memberlist, a gossip-based protocol, to enable the 3 Mimir replicas to communicate.
+{% if mimir_memberlist is defined %}
+memberlist:
+  {{ mimir_memberlist | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_ruler is defined %}
+ruler:
+  {{ mimir_ruler | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_alertmanager is defined %}
+alertmanager:
+  {{ mimir_alertmanager | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_server is defined %}
+server:
+  {{ mimir_server | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_limits is defined %}
+limits:
+  {{ mimir_limits | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_distributor is defined %}
+distributor:
+  {{ mimir_distributor | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_ingester is defined %}
+ingester:
+  {{ mimir_ingester | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
+
+{% if mimir_querier is defined %}
+querier:
+  {{ mimir_querier | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False)}}
+{% endif %}
diff --git a/ansible_collections/grafana/grafana/roles/mimir/vars/.gitkeep b/ansible_collections/grafana/grafana/roles/mimir/vars/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/README.md b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/README.md
new file mode 100644
index 00000000..3ee2eb85
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/README.md
@@ -0,0 +1,101 @@
+# Ansible Role for OpenTelemetry Collector
+
+This Ansible role to install and configure the OpenTelemetry Collector, which can be used to collect traces, metrics, and logs.
+
+## Requirements
+
+Please ensure that `curl` is installed on Ansible controller.
+
+## Role Variables
+
+Available variables with their default values are listed below (`defaults/main.yml`):
+
+| Variable Name | Description | Default Value |
+|---------------|-------------|---------------|
+| `otel_collector_version` | Version of OpenTelemetry Collector to install. Set to 'latest' to automatically determine and install the latest release | `"0.90.1"` |
+| `otel_collector_binary_url` | URL for downloading the OpenTelemetry Collector binary. This URL is constructed based on the collector version, type, and architecture. | `"https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v{{ otel_collector_version }}/{% if otel_collector_type == 'contrib' %}otelcol-contrib_{{ otel_collector_version }}_linux_{{ otel_collector_arch }}{% else %}otelcol_{{ otel_collector_version }}_linux_{{ otel_collector_arch }}{% endif %}.tar.gz"` |
+| `arch_mapping` | Mapping of `ansible_facts['architecture']` values to OpenTelemetry Collector binary architecture names. | See below\* |
+| `otel_collector_arch` | Architecture for the OpenTelemetry Collector binary, determined based on the `ansible_facts['architecture']` fact. | `"{{ arch_mapping[ansible_facts['architecture']] | default('amd64') }}"` |
+| `otel_collector_service_name` | The service name for the OpenTelemetry Collector. | `"otel-collector"` |
+| `otel_collector_type` | Type of the OpenTelemetry Collector (`contrib` includes additional components). | `contrib` |
+| `otel_collector_executable` | The executable name of the OpenTelemetry Collector, changes based on the collector type. | `{% if otel_collector_type == 'contrib' %}otelcol-contrib{% else %}otelcol{% endif %}` |
+| `otel_collector_installation_dir` | Installation directory for the OpenTelemetry Collector. | `"/etc/otel-collector"` |
+| `otel_collector_config_dir` | Directory for OpenTelemetry Collector configuration files. | `"/etc/otel-collector"` |
+| `otel_collector_config_file` | The main configuration file name for the OpenTelemetry Collector. | `"config.yaml"` |
+| `otel_collector_service_user` | The system user under which the OpenTelemetry Collector service will run. | `"otel"` |
+| `otel_collector_service_group` | The system group under which the OpenTelemetry Collector service will run. | `"otel"` |
+| `otel_collector_service_statedirectory` | The directory systemd should create under `/var/lib`. | `"otel-collector"` |
+| `otel_collector_receivers` | Receivers configuration for the OpenTelemetry Collector. | `""` |
+| `otel_collector_exporters` | Exporters configuration for the OpenTelemetry Collector. | `""` |
+| `otel_collector_processors` | Processors configuration for the OpenTelemetry Collector. | `""` |
+| `otel_collector_extensions` | Extensions configuration for the OpenTelemetry Collector. | `""` |
+| `otel_collector_service` | Service configuration for the OpenTelemetry Collector. | `""` |
+| `otel_collector_connectors` | Connectors configuration for the OpenTelemetry Collector (optional). | `""` |
+
+\* For `arch_mapping`, the default mapping is as follows:
+- `x86_64`: `amd64`
+- `aarch64`: `arm64`
+- `armv7l`: `armhf`
+- `i386`: `i386`
+- `ppc64le`: `ppc64le`
+
+Users of the role can override these variables as needed.
+
+## Example Playbook
+
+Include this role in your playbook with default settings:
+
+```yaml
+- name: Install OpenTelemetry Collector
+  hosts: all
+  become: true
+
+  tasks: 
+    - name: Install OpenTelemetry Collector
+      ansible.builtin.include_role:
+        name: grafana.grafana.opentelemetry_collector
+      vars:
+        otel_collector_receivers:
+          otlp:
+            protocols:
+              grpc:
+                endpoint: 0.0.0.0:4317
+              http:
+                endpoint: 0.0.0.0:4318
+        otel_collector_processors:
+          batch:
+
+        otel_collector_exporters:
+          otlp:
+            endpoint: otelcol:4317
+
+        otel_collector_extensions:
+          health_check:
+          pprof:
+          zpages:
+
+        otel_collector_service:
+          extensions: [health_check, pprof, zpages]
+          pipelines:
+            traces:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
+            metrics:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
+            logs:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [otlp]
+
+```
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
+
+## Author Information
+
+-   [Ishan Jain](https://github.com/ishanjainn)
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/defaults/main.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/defaults/main.yml
new file mode 100644
index 00000000..13e7b5aa
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/defaults/main.yml
@@ -0,0 +1,30 @@
+otel_collector_version: "0.90.1"
+
+otel_collector_binary_url: "https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v{{ otel_collector_version }}/{% if otel_collector_type == 'contrib' %}otelcol-contrib_{{ otel_collector_version }}_linux_{{ otel_collector_arch }}{% else %}otelcol_{{ otel_collector_version }}_linux_{{ otel_collector_arch }}{% endif %}.tar.gz"
+
+otel_collector_latest_url: 'https://api.github.com/repos/open-telemetry/opentelemetry-collector-releases/releases/latest'
+
+arch_mapping:
+  x86_64: amd64
+  aarch64: arm64
+  armv7l: armhf
+  i386: i386
+  ppc64le: ppc64le
+
+otel_collector_arch: "{{ arch_mapping[ansible_facts['architecture']] | default('amd64') }}"
+otel_collector_service_name: "otel-collector"
+otel_collector_type: contrib
+otel_collector_executable: "{% if otel_collector_type == 'contrib' %}otelcol-contrib{% else %}otelcol{% endif %}"
+otel_collector_installation_dir: "/etc/otel-collector"
+otel_collector_config_dir: "/etc/otel-collector"
+otel_collector_config_file: "config.yaml"
+otel_collector_service_user: "otel"
+otel_collector_service_group: "otel"
+otel_collector_service_statedirectory: "otel-collector"
+
+otel_collector_receivers: ""
+otel_collector_exporters: ""
+otel_collector_processors: ""
+otel_collector_extensions: ""
+otel_collector_service: ""
+otel_collector_connectors: ""
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/handlers/main.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/handlers/main.yml
new file mode 100644
index 00000000..ac8fa586
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: Restart OpenTelemetry Collector
+  ansible.builtin.systemd:
+    name: "{{ otel_collector_service_name }}"
+    state: restarted
+  become: true
+  ignore_errors: '{{ ansible_check_mode | bool }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/meta/main.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/meta/main.yml
new file mode 100644
index 00000000..edd9779c
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/meta/main.yml
@@ -0,0 +1,25 @@
+galaxy_info:
+  author: Ishan Jain
+  description: Role to install and configure OpenTelemetry Collector
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.11"
+  platforms:
+    - name: Fedora
+      versions:
+        - "all"
+    - name: Debian
+      versions:
+        - "all"
+    - name: Ubuntu
+      versions:
+        - "all"
+    - name: EL
+      versions:
+        - "all"
+  galaxy_tags:
+    - grafana
+    - observability
+    - monitoring
+    - opentelemetry
+    - telemetry
+    - collector
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/converge.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/converge.yml
new file mode 100644
index 00000000..7d0801e5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/converge.yml
@@ -0,0 +1,27 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.opentelemetry_collector
+  vars:
+    otel_collector_receivers:
+      hostmetrics:
+        scrapers:
+          cpu:
+          memory:
+    otel_collector_processors:
+      memory_limiter:
+        check_interval: 2s
+        limit_percentage: 80
+        spike_limit_percentage: 25
+      batch:
+    otel_collector_exporters:
+      prometheus:
+        endpoint: '127.0.0.1:9999'
+    otel_collector_service:
+      pipelines:
+        metrics:
+          receivers: '{{ otel_collector_receivers.keys() }}'
+          processors: '{{ otel_collector_processors.keys() }}'
+          exporters: '{{ otel_collector_exporters.keys() }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/molecule.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/molecule.yml
new file mode 100644
index 00000000..f46067e3
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/molecule.yml
@@ -0,0 +1,57 @@
+---
+# This scenario verifies that we can run ansible on an unprovisioned machine in check-mode
+scenario:
+  name: default-check-first
+  test_sequence:
+    - dependency
+    - cleanup
+    - destroy
+    - create
+    - prepare
+    - check
+    - cleanup
+    - destroy
+
+platforms:
+  - name: almalinux-9
+    image: dokken/almalinux-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-stream-9
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-11
+    image: dokken/debian-11
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-36
+    image: dokken/fedora-36
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-37
+    image: dokken/fedora-37
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-20.04
+    image: dokken/ubuntu-20.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-22.04
+    image: dokken/ubuntu-22.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/tests/test_default.py b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/tests/test_default.py
new file mode 100644
index 00000000..f773241b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default-check-first/tests/test_default.py
@@ -0,0 +1,35 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/otel-collector",
+    ]
+    files = ["/etc/otel-collector/config.yaml"]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("otel-collector")
+    # assert s.is_enabled
+    assert s.is_running
+
+
+def test_socket(host):
+    assert host.socket("tcp://127.0.0.1:9999").is_listening
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/converge.yml
new file mode 100644
index 00000000..7d0801e5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/converge.yml
@@ -0,0 +1,27 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.opentelemetry_collector
+  vars:
+    otel_collector_receivers:
+      hostmetrics:
+        scrapers:
+          cpu:
+          memory:
+    otel_collector_processors:
+      memory_limiter:
+        check_interval: 2s
+        limit_percentage: 80
+        spike_limit_percentage: 25
+      batch:
+    otel_collector_exporters:
+      prometheus:
+        endpoint: '127.0.0.1:9999'
+    otel_collector_service:
+      pipelines:
+        metrics:
+          receivers: '{{ otel_collector_receivers.keys() }}'
+          processors: '{{ otel_collector_processors.keys() }}'
+          exporters: '{{ otel_collector_exporters.keys() }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/molecule.yml
new file mode 100644
index 00000000..6258bc20
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/molecule.yml
@@ -0,0 +1,44 @@
+---
+platforms:
+  - name: almalinux-9
+    image: dokken/almalinux-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-stream-9
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-11
+    image: dokken/debian-11
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-36
+    image: dokken/fedora-36
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-37
+    image: dokken/fedora-37
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-20.04
+    image: dokken/ubuntu-20.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-22.04
+    image: dokken/ubuntu-22.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/tests/test_default.py b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/tests/test_default.py
new file mode 100644
index 00000000..9f42fcea
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/default/tests/test_default.py
@@ -0,0 +1,33 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_directories(host):
+    dirs = ["/etc/otel-collector", "/var/lib/otel-collector"]
+    files = ["/etc/otel-collector/config.yaml"]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("otel-collector")
+    # assert s.is_enabled
+    assert s.is_running
+
+
+def test_socket(host):
+    assert host.socket("tcp://127.0.0.1:9999").is_listening
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/converge.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/converge.yml
new file mode 100644
index 00000000..9d62bd90
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/converge.yml
@@ -0,0 +1,28 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.opentelemetry_collector
+  vars:
+    otel_collector_version: latest
+    otel_collector_receivers:
+      hostmetrics:
+        scrapers:
+          cpu:
+          memory:
+    otel_collector_processors:
+      memory_limiter:
+        check_interval: 2s
+        limit_percentage: 80
+        spike_limit_percentage: 25
+      batch:
+    otel_collector_exporters:
+      prometheus:
+        endpoint: '127.0.0.1:9999'
+    otel_collector_service:
+      pipelines:
+        metrics:
+          receivers: '{{ otel_collector_receivers.keys() }}'
+          processors: '{{ otel_collector_processors.keys() }}'
+          exporters: '{{ otel_collector_exporters.keys() }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/molecule.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/molecule.yml
new file mode 100644
index 00000000..6258bc20
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/molecule.yml
@@ -0,0 +1,44 @@
+---
+platforms:
+  - name: almalinux-9
+    image: dokken/almalinux-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-stream-9
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-11
+    image: dokken/debian-11
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-36
+    image: dokken/fedora-36
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-37
+    image: dokken/fedora-37
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-20.04
+    image: dokken/ubuntu-20.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-22.04
+    image: dokken/ubuntu-22.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/tests/test_default.py b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/tests/test_default.py
new file mode 100644
index 00000000..f773241b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/latest/tests/test_default.py
@@ -0,0 +1,35 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/otel-collector",
+    ]
+    files = ["/etc/otel-collector/config.yaml"]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("otel-collector")
+    # assert s.is_enabled
+    assert s.is_running
+
+
+def test_socket(host):
+    assert host.socket("tcp://127.0.0.1:9999").is_listening
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/converge.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/converge.yml
new file mode 100644
index 00000000..92d542df
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/converge.yml
@@ -0,0 +1,27 @@
+---
+- name: "Run role"
+  hosts: all
+  any_errors_fatal: true
+  roles:
+    - grafana.grafana.opentelemetry_collector
+  vars:
+    otel_collector_type: ''
+    otel_collector_receivers:
+      hostmetrics:
+        scrapers:
+          cpu:
+          memory:
+    otel_collector_processors:
+      memory_limiter:
+        check_interval: 2s
+        limit_percentage: 80
+        spike_limit_percentage: 25
+      batch:
+    otel_collector_exporters:
+      debug:
+    otel_collector_service:
+      pipelines:
+        metrics:
+          receivers: '{{ otel_collector_receivers.keys() }}'
+          processors: '{{ otel_collector_processors.keys() }}'
+          exporters: '{{ otel_collector_exporters.keys() }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/molecule.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/molecule.yml
new file mode 100644
index 00000000..6258bc20
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/molecule.yml
@@ -0,0 +1,44 @@
+---
+platforms:
+  - name: almalinux-9
+    image: dokken/almalinux-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: centos-stream-9
+    image: dokken/centos-stream-9
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: debian-11
+    image: dokken/debian-11
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-36
+    image: dokken/fedora-36
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: fedora-37
+    image: dokken/fedora-37
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-20.04
+    image: dokken/ubuntu-20.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
+  - name: ubuntu-22.04
+    image: dokken/ubuntu-22.04
+    pre_build_image: true
+    privileged: true
+    cgroup_parent: docker.slice
+    command: /lib/systemd/systemd
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/tests/test_default.py b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/tests/test_default.py
new file mode 100644
index 00000000..ec37d6e4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/molecule/non-contrib/tests/test_default.py
@@ -0,0 +1,31 @@
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_directories(host):
+    dirs = [
+        "/etc/otel-collector",
+    ]
+    files = ["/etc/otel-collector/config.yaml"]
+    for directory in dirs:
+        d = host.file(directory)
+        assert d.is_directory
+        assert d.exists
+    for file in files:
+        f = host.file(file)
+        assert f.exists
+        assert f.is_file
+
+
+def test_service(host):
+    s = host.service("otel-collector")
+    # assert s.is_enabled
+    assert s.is_running
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/configure.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/configure.yml
new file mode 100644
index 00000000..fc596479
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/configure.yml
@@ -0,0 +1,20 @@
+- name: Create OpenTelemetry Collector config directory
+  ansible.builtin.file:
+    path: "{{ otel_collector_config_dir }}"
+    state: directory
+    owner: "{{ otel_collector_service_user }}"
+    group: "{{ otel_collector_service_group }}"
+    mode: '0755'
+  become: true
+
+- name: Deploy OpenTelemetry Collector configuration file
+  ansible.builtin.template:
+    src: otel_collector_config.yml.j2
+    dest: "{{ otel_collector_config_dir }}/{{ otel_collector_config_file }}"
+    owner: "{{ otel_collector_service_user }}"
+    group: "{{ otel_collector_service_group }}"
+    mode: '0644'
+    validate: '{{ otel_collector_installation_dir }}/{{ otel_collector_executable }} --config=%s validate'
+  notify: Restart OpenTelemetry Collector
+  become: true
+  no_log: "{{ 'false' if lookup('env', 'CI') else 'true' }}"
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/install.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/install.yml
new file mode 100644
index 00000000..95b5de01
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/install.yml
@@ -0,0 +1,79 @@
+- name: Discover latest OpenTelemetry Collector version
+  ansible.builtin.set_fact:
+    otel_collector_version: "{{ (lookup('url', otel_collector_latest_url, split_lines=False) | from_json).get('tag_name') | replace('v', '') }}"
+  run_once: true
+  until: otel_collector_version is version('0.0.0', '>=')
+  retries: 10
+  when:
+    - otel_collector_version == 'latest'
+
+- name: Discover installed version
+  block:
+    - name: Get installed version
+      register: otel_collector_version_check
+      changed_when: false
+      failed_when: false
+      check_mode: false  # Always run, this does not change anything on the system
+      ansible.builtin.command: '{{ otel_collector_installation_dir }}/{{ otel_collector_executable }} -v'
+
+    - name: Set installed version variable
+      ansible.builtin.set_fact:
+        otel_collector_installed_version: "{{ otel_collector_version_check.stdout_lines[0] | default('otelcorecol version 0.0.0') | ansible.builtin.regex_search('\\d+\\.\\d+\\.\\d+') }}"
+
+- name: Create otel group
+  ansible.builtin.group:
+    name: "{{ otel_collector_service_group }}"
+    system: true
+  become: true
+
+- name: Create otel user
+  ansible.builtin.user:
+    name: "{{ otel_collector_service_user }}"
+    group: "{{ otel_collector_service_group }}"
+    system: true
+    create_home: false  # Appropriate for a system user, usually doesn't need a home directory
+  become: true
+
+- name: Determine the architecture for OpenTelemetry Collector binary
+  set_fact:
+    otel_collector_arch: "{{ arch_mapping[ansible_facts['architecture']] | default('amd64') }}"
+  vars:
+    arch_mapping:
+      x86_64: amd64
+      aarch64: arm64
+      armv7l: armhf
+      i386: i386
+      ppc64le: ppc64le
+
+- name: Download OpenTelemetry Collector binary
+  ansible.builtin.get_url:
+    url: "{{ otel_collector_binary_url }}"
+    dest: "/tmp/otelcol-{{ otel_collector_type }}-{{ otel_collector_version }}.tar.gz"
+    mode: '0755'
+  become: true
+  when: otel_collector_installed_version is version(otel_collector_version, '!=')
+
+- name: Remove existing OpenTelemetry Collector installation directory
+  ansible.builtin.file:
+    path: "{{ otel_collector_installation_dir }}"
+    state: absent
+  become: true
+  when: otel_collector_installed_version is version(otel_collector_version, '!=')
+
+- name: Create OpenTelemetry Collector installation directory
+  ansible.builtin.file:
+    path: "{{ otel_collector_installation_dir }}"
+    state: directory
+    mode: '0755'
+    owner: "{{ otel_collector_service_user }}"
+    group: "{{ otel_collector_service_group }}"
+  become: true
+
+- name: Extract OpenTelemetry Collector binary
+  ansible.builtin.unarchive:
+    src: "/tmp/otelcol-{{ otel_collector_type }}-{{ otel_collector_version }}.tar.gz"
+    dest: "{{ otel_collector_installation_dir }}"
+    remote_src: yes
+  become: true
+  register: extract_result
+  when: not ansible_check_mode and otel_collector_installed_version is version(otel_collector_version, '!=')
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/main.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/main.yml
new file mode 100644
index 00000000..6557285f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Install OpenTelemetry Collector
+  include_tasks: install.yml
+  tags: [install]
+
+- name: Configure OpenTelemetry Collector
+  include_tasks: configure.yml
+  tags: [configure]
+
+- name: Manage OpenTelemetry Collector service
+  include_tasks: service.yml
+  tags: [service]
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/service.yml b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/service.yml
new file mode 100644
index 00000000..a0d180b7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/tasks/service.yml
@@ -0,0 +1,20 @@
+- name: Copy OpenTelemetry Collector systemd unit file
+  ansible.builtin.template:
+    src: otel_collector.service.j2
+    dest: /etc/systemd/system/{{ otel_collector_service_name }}.service
+    mode: '0644'
+  become: true
+  notify: Restart OpenTelemetry Collector
+
+- name: Reload systemd daemon to pick up changes
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  become: true
+
+- name: Ensure OpenTelemetry Collector service is enabled and running
+  ansible.builtin.service:
+    name: "{{ otel_collector_service_name }}"
+    enabled: yes
+    state: started
+  become: true
+  ignore_errors: '{{ ansible_check_mode | bool }}'
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector.service.j2 b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector.service.j2
new file mode 100644
index 00000000..87fae9e0
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenTelemetry Collector
+After=network.target
+
+[Service]
+Type=simple
+ExecStart={{ otel_collector_installation_dir }}/{{ otel_collector_executable }} --config={{ otel_collector_config_dir }}/{{ otel_collector_config_file }}
+User={{ otel_collector_service_user }}
+Group={{ otel_collector_service_group }}
+Restart=on-failure
+StateDirectory={{ otel_collector_service_statedirectory }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector_config.yml.j2 b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector_config.yml.j2
new file mode 100644
index 00000000..130189bb
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/opentelemetry_collector/templates/otel_collector_config.yml.j2
@@ -0,0 +1,24 @@
+{% if otel_collector_receivers is defined and otel_collector_receivers | length > 0 %}
+receivers:
+{{ otel_collector_receivers | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
+{% if otel_collector_processors is defined and otel_collector_processors | length > 0 %}
+processors:
+{{ otel_collector_processors | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
+{% if otel_collector_exporters is defined and otel_collector_exporters | length > 0 %}
+exporters:
+{{ otel_collector_exporters | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
+{% if otel_collector_extensions is defined and otel_collector_extensions | length > 0 %}
+extensions:
+{{ otel_collector_extensions | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
+{% if otel_collector_service is defined and otel_collector_service | length > 0 %}
+service:
+{{ otel_collector_service | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
+{% if otel_collector_connectors is defined and otel_collector_connectors | length > 0 %}
+connectors:
+{{ otel_collector_connectors | to_nice_yaml(indent=2) | indent(2, true) }}
+{% endif %}
diff --git a/ansible_collections/grafana/grafana/roles/promtail/README.md b/ansible_collections/grafana/grafana/roles/promtail/README.md
new file mode 100644
index 00000000..94dde219
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/README.md
@@ -0,0 +1,175 @@
+# Ansible role - Promtail
+
+[![License](https://img.shields.io/github/license/grafana/grafana-ansible-collection)](LICENSE)
+
+The Ansible Promtail Role allows you to effortlessly deploy and manage Promtail, agent which ships contents of local logs to private Loki.
+This role is tailored for operating systems such as **RedHat**, **Rocky Linux**, **AlmaLinux**, **Ubuntu**, and **Debian**.
+
+**🔑 Key Features**
+- **⚡ Root-less/Root runtime**: By default, Promtail operates in root-less mode, utilizing ACL (Access Control List) to securely access logs without requiring root permissions. You have the option to configure root mode if necessary.
+- **🧹 Effortless Uninstall**: Easily remove Promtail from your system setting the "promtail_uninstall" variable.
+
+📢 **[Check the blog post](https://voidquark.com/blog/rootless-promtail-with-ansible/)** 📝 **Learn more about root-less mode.**
+
+## Table of Content
+
+- [Requirements](#requirements)
+- [Role Variables](#role-variables)
+- [Playbook](#playbook)
+
+## Requirements
+
+- Ansible 2.10+
+
+## Role Variables
+
+```yaml
+promtail_version: "latest"
+```
+The version of Promtail to download and deploy. Supported standard version "3.0.0" format or "latest".
+
+```yaml
+promtail_uninstall: "false"
+```
+
+If set to `true` will perfom uninstall instead of deployment.
+
+```yaml
+promtail_http_listen_port: 9080
+```
+The TCP port on which Promtail listens. By default, it listens on port `9080`.
+
+```yaml
+promtail_http_listen_address: "0.0.0.0"
+```
+The address on which Promtail listens for HTTP requests. By default, it listens on all interfaces.
+
+```yaml
+promtail_expose_port: false
+```
+By default, this is set to `false`. It supports only simple `firewalld` configurations. If set to `true`, a firewalld rule is added to expose the TCP `promtail_http_listen_port`. If set to `false`, configuration is skipped. If the `firewalld.service` is not active, all firewalld tasks are skipped.
+
+```yaml
+promtail_positions_path: "/var/lib/promtail"
+```
+Promtail path for position file. File indicating how far it has read into a file. It is needed for when Promtail is restarted to allow it to continue from where it left off.
+
+```yaml
+promtail_runtime_mode: "acl"
+```
+By default, Promtail runs in root-less mode. It supports two modes:
+- `acl`: Root-less mode, utilizing ACL permission model to read target log files.
+- `root`: Root mode, where Promtail runs as root and ACL configuration is skipped.
+
+```yaml
+promtail_extra_flags: []
+```
+Additional flags to be passed to the Promtail systemd unit.
+
+```yaml
+promtail_user_append_groups:
+  - "systemd-journal"
+```
+Appends the promtail user to specific groups in root-less mode. By default, it appends the user to the `systemd-journal` group, granting permission to read system journal logs.
+
+```yaml
+promtail_download_url_rpm: "https://github.com/grafana/loki/releases/download/v{{ promtail_version }}/promtail-{{ promtail_version }}.{{ __promtail_arch }}.rpm"
+```
+The default download URL for the Promtail rpm package from GitHub.
+
+```yaml
+promtail_download_url_deb: "https://github.com/grafana/loki/releases/download/v{{ promtail_version }}/promtail_{{ promtail_version }}_{{ __promtail_arch }}.deb"
+```
+The default download URL for the Promtail deb package from GitHub.
+
+```yaml
+promtail_server:
+  http_listen_port: "{{ promtail_http_listen_port }}"
+  http_listen_address: "{{ promtail_http_listen_address }}"
+```
+The `server` block configures Promtail behavior as an HTTP server. [All possible values for `server`](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#server)
+
+```yaml
+promtail_positions:
+  filename: "{{ promtail_positions_path }}/positions.yaml"
+```
+The `positions` block configures where Promtail will save a file indicating how far it has read into a file. It is needed for when Promtail is restarted to allow it to continue from where it left off. [All possible values for `positions`](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#positions)
+
+```yaml
+promtail_clients:
+  - url: http://localhost:3100/loki/api/v1/push
+```
+The `clients` block configures how Promtail connects to instances of Loki. [All possible values for `clients`](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#clients). ⚠️ This configuration is mandatory. By default, it's empty, and the example above serves as a simple illustration for inspiration.
+
+```yaml
+promtail_scrape_configs:
+  - job_name: system
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: messages
+          instance: "{{ ansible_facts['fqdn'] }}"
+          __path__: /var/log/messages
+      - targets:
+          - localhost
+        labels:
+          job: nginx
+          instance: "{{ ansible_facts['fqdn'] }}"
+          __path__: /var/log/nginx/*.log
+```
+The `scrape_configs` block configures how Promtail can scrape logs from a series of targets using a specified discovery method. [All possible values for `scrape_configs`](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#scrape_configs). ⚠️ This configuration is mandatory. By default, it's empty, and the example above serves as a simple illustration for inspiration.
+
+| Variable Name | Description
+| ----------- | ----------- |
+| `promtail_limits_config` | The optional limits_config block configures global limits for this instance of Promtail. 📚 [documentation](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#limits_config).
+| `promtail_target_config` | The target_config block controls the behavior of reading files from discovered targets. 📚 [documentation](https://grafana.com/docs/loki/latest/clients/promtail/configuration/#target_config).
+
+## Dependencies
+
+No Dependencies
+
+## Playbook
+
+```yaml
+- name: Manage promtail service
+  hosts: all
+  become: true
+  vars:
+    promtail_clients:
+      - url: http://localhost:3100/loki/api/v1/push
+    promtail_scrape_configs:
+      - job_name: system
+        static_configs:
+          - targets:
+              - localhost
+            labels:
+              job: messages
+              instance: "{{ ansible_facts['fqdn'] }}"
+              __path__: /var/log/messages
+          - targets:
+              - localhost
+            labels:
+              job: nginx
+              instance: "{{ ansible_facts['fqdn'] }}"
+              __path__: /var/log/nginx/*.log
+  roles:
+    - role: grafana.grafana.promtail
+```
+
+- Playbook execution example
+```shell
+# Deploy Promtail
+ansible-playbook function_promtail_play.yml
+
+# Uninstall Promtail
+ansible-playbook function_promtail_play.yml -e "promtail_uninstall=true"
+```
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
+
+## Author Information
+
+-   [VoidQuark](https://github.com/voidquark)
diff --git a/ansible_collections/grafana/grafana/roles/promtail/defaults/main.yml b/ansible_collections/grafana/grafana/roles/promtail/defaults/main.yml
new file mode 100644
index 00000000..4753f561
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/defaults/main.yml
@@ -0,0 +1,52 @@
+---
+# defaults file for promtail
+promtail_version: "latest"
+promtail_uninstall: false
+promtail_http_listen_port: 9080
+promtail_http_listen_address: "0.0.0.0"
+promtail_expose_port: false
+promtail_positions_path: "/var/lib/promtail"
+promtail_runtime_mode: "acl"  # Supported "root" or "acl"
+promtail_extra_flags: []
+# promtail_extra_flags:
+#   - "-server.enable-runtime-reload"
+#   - "-config.expand-env=true"
+
+promtail_user_append_groups:
+  - "systemd-journal"
+
+promtail_download_url_rpm: "https://github.com/grafana/loki/releases/download/v{{ promtail_version }}/promtail-{{ promtail_version }}.{{ __promtail_arch }}.rpm"
+promtail_download_url_deb: "https://github.com/grafana/loki/releases/download/v{{ promtail_version }}/promtail_{{ promtail_version }}_{{ __promtail_arch }}.deb"
+
+# default variables for /etc/promtail/config.yml
+promtail_server:
+  http_listen_port: "{{ promtail_http_listen_port }}"
+  http_listen_address: "{{ promtail_http_listen_address }}"
+
+promtail_positions:
+  filename: "{{ promtail_positions_path }}/positions.yaml"
+
+promtail_clients: []
+# promtail_clients:
+#   - url: http://localhost:3100/loki/api/v1/push
+
+promtail_scrape_configs: []
+# promtail_scrape_configs:
+#   - job_name: system
+#     static_configs:
+#       - targets:
+#           - localhost
+#         labels:
+#           job: messages
+#           instance: "{{ ansible_facts['fqdn'] }}"
+#           __path__: /var/log/messages
+#       - targets:
+#           - localhost
+#         labels:
+#           job: nginx
+#           instance: "{{ ansible_facts['fqdn'] }}"
+#           __path__: /var/log/nginx/*.log
+
+# not set by default
+# promtail_limits_config:
+# promtail_target_config:
diff --git a/ansible_collections/grafana/grafana/roles/promtail/handlers/main.yml b/ansible_collections/grafana/grafana/roles/promtail/handlers/main.yml
new file mode 100644
index 00000000..27134f33
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for promtail
+- name: Restart promtail
+  listen: "restart promtail"
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: promtail.service
+    state: restarted
+    enabled: true
+  when: not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/promtail/meta/main.yml b/ansible_collections/grafana/grafana/roles/promtail/meta/main.yml
new file mode 100644
index 00000000..c7cee9a2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  role_name: promtail
+  author: voidquark
+  description: Manage Grafana Promtail Application
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.10"
+  platforms:
+    - name: EL
+      versions:
+        - "9"
+        - "8"
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+  galaxy_tags:
+    - promtail
+    - grafana
+    - logging
+    - monitoring
+
+dependencies: []
diff --git a/ansible_collections/grafana/grafana/roles/promtail/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/promtail/molecule/default/converge.yml
new file mode 100644
index 00000000..5e177bfb
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/molecule/default/converge.yml
@@ -0,0 +1,15 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    promtail_scrape_configs:
+      - job_name: test
+        static_configs:
+          - targets:
+              - localhost
+            labels:
+              job: test
+              instance: "{{ ansible_facts['fqdn'] }}"
+              __path__: /var/log/last*
+  roles:
+    - role: grafana.grafana.promtail
diff --git a/ansible_collections/grafana/grafana/roles/promtail/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/promtail/molecule/default/molecule.yml
new file mode 100644
index 00000000..339965a5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+dependency:
+  name: galaxy
+  options:
+    ignore-errors: true
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/acl_configuration.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/acl_configuration.yml
new file mode 100644
index 00000000..65516b92
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/acl_configuration.yml
@@ -0,0 +1,116 @@
+---
+# tasks file for promtail deploy - acl configuration
+
+- name: Extract log files from static_configs - labels - path
+  ansible.builtin.set_fact:
+    __promtail_acl_log_files: >-
+      {{
+        promtail_scrape_configs
+        | selectattr('static_configs', 'defined')
+        | map(attribute='static_configs')
+        | flatten
+        | map(attribute='labels')
+        | map(attribute='__path__')
+        | list
+      }}
+
+- name: Extract log dirs paths from static_configs - labels - path
+  ansible.builtin.set_fact:
+    __promtail_acl_log_dirs: >-
+      {{
+        promtail_scrape_configs
+        | selectattr('static_configs', 'defined')
+        | map(attribute='static_configs')
+        | flatten
+        | map(attribute='labels')
+        | map(attribute='__path__')
+        | map('dirname')
+        | unique
+        | list
+      }}
+
+- name: Stat log dirs
+  ansible.builtin.stat:
+    path: "{{ item }}"
+  loop: "{{ __promtail_acl_log_dirs }}"
+  register: __promtail_stat_acl_log_dirs
+
+- name: Set recursive default ACL permission for log dirs
+  ansible.posix.acl:
+    path: "{{ item.item }}"
+    recursive: true
+    entity: promtail
+    etype: user
+    permissions: rx
+    default: true
+    state: present
+  loop: "{{ __promtail_stat_acl_log_dirs.results }}"
+  when:
+    - __promtail_stat_acl_log_dirs | length > 0
+    - item.stat.exists
+  notify: restart promtail
+
+- name: Set ACL permission for log dirs
+  ansible.posix.acl:
+    path: "{{ item.item }}"
+    entity: promtail
+    etype: user
+    permissions: rx
+    state: present
+  loop: "{{ __promtail_stat_acl_log_dirs.results }}"
+  when:
+    - __promtail_stat_acl_log_dirs | length > 0
+    - item.stat.exists
+  notify: restart promtail
+
+- name: Find all existing ACL log files
+  ansible.builtin.find:
+    paths: "{{ item | dirname }}"
+    patterns: "{{ item | basename }}"
+  loop: "{{ __promtail_acl_log_files }}"
+  register: __promtail_find_files
+
+- name: Define existing ACL log files
+  ansible.builtin.set_fact:
+    __promtail_existing_acl_log_files: "{{ __promtail_find_files.results | map(attribute='files') | flatten | map(attribute='path') }}"
+
+- name: Set ACL permission for existing log files
+  ansible.posix.acl:
+    path: "{{ item }}"
+    entity: promtail
+    etype: user
+    permissions: r
+    state: present
+  loop: "{{ __promtail_existing_acl_log_files }}"
+  when:
+    - __promtail_existing_acl_log_files | length > 0
+  notify: restart promtail
+
+- name: Promtail ACL Logrotate
+  when:
+    - __promtail_acl_log_dirs | length > 0
+    - __promtail_acl_log_files | length > 0
+  block:
+    - name: Template promtail ACL config for Logrotate
+      ansible.builtin.template:
+        src: "promtail_acl.j2"
+        dest: "/etc/logrotate.d/promtail_acl"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+
+    - name: Ensure that Promtail dummy dir for logrotate ACL configuration exist
+      ansible.builtin.file:
+        path: "/var/log/dummy_promtail_acl"
+        state: directory
+        owner: "promtail"
+        group: "root"
+        mode: "0750"
+
+    - name: Create dummy empty log file for logrotate ACL configuration to work
+      ansible.builtin.copy:
+        content: ""
+        dest: "/var/log/dummy_promtail_acl/dummy_promtail_acl.log"
+        owner: "promtail"
+        group: "root"
+        mode: 0600
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/deploy.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/deploy.yml
new file mode 100644
index 00000000..ee08f1ed
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/deploy.yml
@@ -0,0 +1,144 @@
+---
+# tasks file for promtail deploy
+
+- name: Obtain the latest version from the GitHub repo
+  when: promtail_version == "latest"
+  block:
+    - name: Scrape Github API endpoint to obtain latest Promtail version
+      ansible.builtin.uri:
+        url: "https://api.github.com/repos/grafana/loki/releases/latest"
+        method: GET
+        body_format: json
+      become: false
+      delegate_to: localhost
+      run_once: true
+      check_mode: false
+      register: __github_latest_version
+
+    - name: Latest available Promtail version
+      ansible.builtin.set_fact:
+        promtail_version: "{{ __github_latest_version.json.tag_name | regex_replace('^v?(\\d+\\.\\d+\\.\\d+)$', '\\1') }}"
+
+- name: Verify current deployed version
+  block:
+    - name: Check if Promtail binary is present
+      ansible.builtin.stat:
+        path: "/usr/bin/promtail"
+      register: __already_deployed
+
+    - name: Obtain current deployed Promtail version
+      ansible.builtin.command:
+        cmd: "/usr/bin/promtail --version"
+      changed_when: false
+      register: __current_deployed_version
+      when: __already_deployed.stat.exists | bool
+
+- name: Include RedHat/Rocky setup
+  ansible.builtin.include_tasks:
+    file: setup-RedHat.yml
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Include Debian/Ubuntu setup
+  ansible.builtin.include_tasks:
+    file: setup-Debian.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Ensure that Promtail position path exists
+  ansible.builtin.file:
+    path: "{{ promtail_positions_path }}"
+    state: directory
+    owner: "promtail"
+    group: "root"
+    mode: "0750"
+  notify: restart promtail
+
+- name: Template Promtail config - /etc/promtail/config.yml
+  ansible.builtin.template:
+    src: "config.yml.j2"
+    dest: "/etc/promtail/config.yml"
+    owner: "promtail"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/promtail -config.expand-env=true -check-syntax -config.file %s"
+  notify: restart promtail
+
+- name: Template Promtail systemd - /etc/systemd/system/promtail.service
+  ansible.builtin.template:
+    src: "promtail.service.j2"
+    dest: "/etc/systemd/system/promtail.service"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: restart promtail
+
+- name: Add the Promtail system user to additional group
+  ansible.builtin.user:
+    name: "promtail"
+    groups: "{{ item }}"
+    system: true
+    append: true
+    create_home: false
+    state: present
+  loop: "{{ promtail_user_append_groups }}"
+  when:
+    - promtail_user_append_groups | length > 0
+    - promtail_runtime_mode == "acl"
+
+- name: Include Promtail ACL permission configuration
+  ansible.builtin.include_tasks:
+    file: "acl_configuration.yml"
+  when:
+    - promtail_scrape_configs | length > 0
+    - promtail_runtime_mode == "acl"
+    - not ansible_check_mode
+
+- name: Get firewalld state
+  ansible.builtin.systemd:
+    name: "firewalld"
+  register: __firewalld_service_state
+
+- name: Enable firewalld rule to expose Promtail tcp port {{ promtail_http_listen_port }}
+  ansible.posix.firewalld:
+    immediate: true
+    permanent: true
+    port: "{{ promtail_http_listen_port }}/tcp"
+    state: enabled
+  when:
+    - __firewalld_service_state.status.ActiveState == "active"
+    - promtail_expose_port | bool
+
+- name: Flush handlers after deployment
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure that Promtail is started
+  ansible.builtin.systemd:
+    name: promtail.service
+    state: started
+  when: not ansible_check_mode
+
+- name: Stat position file
+  ansible.builtin.stat:
+    path: "{{ promtail_positions_path }}/positions.yaml"
+  register: __promtail_stat_position_file
+
+- name: Ensure correct owner and group for Promtail position file
+  ansible.builtin.file:
+    path: "{{ promtail_positions_path }}/positions.yaml"
+    state: file
+    owner: "promtail"
+  notify: restart promtail
+  when:
+    - __promtail_stat_position_file.stat.exists
+    - promtail_runtime_mode == "acl"
+
+- name: Verify that Promtail URL is responding
+  ansible.builtin.uri:
+    url: "http://{{ promtail_http_listen_address }}:{{ promtail_http_listen_port }}/ready"
+    method: GET
+  register: promtail_verify_url_status_code
+  retries: 5
+  delay: 8
+  until: promtail_verify_url_status_code.status == 200
+  when:
+    - promtail_expose_port | bool
+    - not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/main.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/main.yml
new file mode 100644
index 00000000..62d6a4a7
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+# tasks file for promtail
+- name: Include OS specific variables
+  ansible.builtin.include_vars:
+    file: "{{ ansible_facts['os_family'] }}.yml"
+
+- name: Deploy Promtail service
+  ansible.builtin.include_tasks:
+    file: "deploy.yml"
+  when: not promtail_uninstall
+
+- name: Uninstall Promtail service
+  ansible.builtin.include_tasks:
+    file: "uninstall.yml"
+  when: promtail_uninstall
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-Debian.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-Debian.yml
new file mode 100644
index 00000000..3192279e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-Debian.yml
@@ -0,0 +1,14 @@
+---
+- name: APT - Ensure that ACL is present
+  ansible.builtin.apt:
+    name: "acl"
+    state: present
+    update_cache: yes
+  when: promtail_runtime_mode == "acl"
+
+- name: APT - Install Promtail
+  ansible.builtin.apt:
+    deb: "{{ promtail_download_url_deb }}"
+    state: present
+  notify: restart promtail
+  when: __current_deployed_version.stdout is not defined or promtail_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-RedHat.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-RedHat.yml
new file mode 100644
index 00000000..b50573da
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/setup-RedHat.yml
@@ -0,0 +1,9 @@
+---
+- name: DNF - Install Promtail from remote URL
+  ansible.builtin.dnf:
+    name: "{{ promtail_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: restart promtail
+  when:
+    - __current_deployed_version.stdout is not defined or promtail_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/promtail/tasks/uninstall.yml b/ansible_collections/grafana/grafana/roles/promtail/tasks/uninstall.yml
new file mode 100644
index 00000000..d3dca766
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/tasks/uninstall.yml
@@ -0,0 +1,119 @@
+---
+# tasks file for promtail uninstall
+- name: Stop Promtail service
+  ansible.builtin.systemd:  # noqa ignore-errors
+    name: promtail
+    state: stopped
+  ignore_errors: true
+
+- name: Extract log files from static_configs - labels - path
+  ansible.builtin.set_fact:
+    __promtail_acl_log_files: >-
+      {{
+        promtail_scrape_configs
+        | selectattr('static_configs', 'defined')
+        | map(attribute='static_configs')
+        | flatten
+        | map(attribute='labels')
+        | map(attribute='__path__')
+        | list
+      }}
+
+- name: Extract log dirs paths from static_configs - labels - path
+  ansible.builtin.set_fact:
+    __promtail_acl_log_dirs: >-
+      {{
+        promtail_scrape_configs
+        | selectattr('static_configs', 'defined')
+        | map(attribute='static_configs')
+        | flatten
+        | map(attribute='labels')
+        | map(attribute='__path__')
+        | map('dirname')
+        | list
+      }}
+
+- name: Remove ACL Permission for log dirs - default
+  ansible.posix.acl:  # noqa ignore-errors
+    path: "{{ item }}"
+    recursive: true
+    entity: promtail
+    etype: user
+    default: true
+    state: absent
+  loop: "{{ __promtail_acl_log_dirs }}"
+  ignore_errors: true
+
+- name: Remove ACL permission for log dirs
+  ansible.posix.acl:  # noqa ignore-errors
+    path: "{{ item }}"
+    entity: promtail
+    etype: user
+    state: absent
+  loop: "{{ __promtail_acl_log_dirs }}"
+  ignore_errors: true
+
+- name: Find all existing ACL log files
+  ansible.builtin.find:
+    paths: "{{ item | dirname }}"
+    patterns: "{{ item | basename }}"
+  loop: "{{ __promtail_acl_log_files }}"
+  register: __promtail_find_files
+
+- name: Define existing ACL log files
+  ansible.builtin.set_fact:
+    __promtail_existing_acl_log_files: "{{ __promtail_find_files.results | map(attribute='files') | flatten | map(attribute='path') }}"
+
+- name: Remove ACL Permission for existing log files
+  ansible.posix.acl:  # noqa ignore-errors
+    path: "{{ item }}"
+    entity: promtail
+    etype: user
+    state: absent
+  loop: "{{ __promtail_existing_acl_log_files }}"
+  ignore_errors: true
+
+- name: Uninstall Promtail rpm package
+  ansible.builtin.dnf:
+    name: "promtail"
+    state: absent
+    autoremove: true
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Uninstall Promtail deb package
+  ansible.builtin.apt:
+    name: "promtail"
+    state: absent
+    purge: true
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Ensure that Promtail firewalld rule is not present - tcp port {{ promtail_http_listen_port }}
+  ansible.posix.firewalld:  # noqa ignore-errors
+    immediate: true
+    permanent: true
+    port: "{{ promtail_http_listen_port }}/tcp"
+    state: disabled
+  ignore_errors: true
+
+- name: Remove Promtail directories"
+  ansible.builtin.file:
+    path: "{{ remove_me }}"
+    state: absent
+  loop:
+    - "/etc/promtail"
+    - "{{ promtail_positions_path }}"
+    - "/etc/logrotate.d/promtail_acl"
+    - "/var/log/dummy_promtail_acl"
+  loop_control:
+    loop_var: remove_me
+
+- name: Remove the Promtail system user
+  ansible.builtin.user:
+    name: "promtail"
+    force: true
+    state: absent
+
+- name: Remove Promtail system group
+  ansible.builtin.group:
+    name: "promtail"
+    state: absent
diff --git a/ansible_collections/grafana/grafana/roles/promtail/templates/config.yml.j2 b/ansible_collections/grafana/grafana/roles/promtail/templates/config.yml.j2
new file mode 100644
index 00000000..83681310
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/templates/config.yml.j2
@@ -0,0 +1,22 @@
+server:
+  {{ promtail_server | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% if promtail_positions is defined %}
+positions:
+  {{ promtail_positions | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if promtail_clients is defined %}
+clients:
+  {{ promtail_clients | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if promtail_scrape_configs is defined %}
+scrape_configs:
+  {{ promtail_scrape_configs | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if promtail_limits_config is defined %}
+limits_config:
+  {{ promtail_limits_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if promtail_target_config is defined %}
+target_config:
+  {{ promtail_target_config | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
diff --git a/ansible_collections/grafana/grafana/roles/promtail/templates/promtail.service.j2 b/ansible_collections/grafana/grafana/roles/promtail/templates/promtail.service.j2
new file mode 100644
index 00000000..3d614499
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/templates/promtail.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=Promtail service
+After=network.target
+
+[Service]
+Type=simple
+{% if promtail_runtime_mode == "acl" %}
+User=promtail
+{% elif promtail_runtime_mode == "root" %}
+User=root
+{% endif %}
+ExecStart=/usr/bin/promtail \
+{% if promtail_extra_flags | length > 0 %}
+{% for flag in promtail_extra_flags %}
+  {{ flag }} \
+{% endfor %}
+{% endif %}
+  -config.file /etc/promtail/config.yml
+
+TimeoutSec = 60
+Restart = on-failure
+RestartSec = 2
+
+[Install]
diff --git a/ansible_collections/grafana/grafana/roles/promtail/templates/promtail_acl.j2 b/ansible_collections/grafana/grafana/roles/promtail/templates/promtail_acl.j2
new file mode 100644
index 00000000..40090658
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/templates/promtail_acl.j2
@@ -0,0 +1,13 @@
+/var/log/dummy_promtail_acl/dummy_promtail_acl.log
+{
+    copytruncate
+    postrotate
+{% for each_dir in __promtail_acl_log_dirs %}
+        /usr/bin/setfacl -R -m d:u:promtail:rx {{ each_dir }}
+        /usr/bin/setfacl -m u:promtail:rx {{ each_dir }}
+{% endfor %}
+{% for each_log in __promtail_acl_log_files %}
+        /usr/bin/setfacl -m u:promtail:r {{ each_log }}
+{% endfor %}
+    endscript
+}
diff --git a/ansible_collections/grafana/grafana/roles/promtail/vars/Debian.yml b/ansible_collections/grafana/grafana/roles/promtail/vars/Debian.yml
new file mode 100644
index 00000000..4b2f3c9c
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/vars/Debian.yml
@@ -0,0 +1,8 @@
+---
+__promtail_arch_map:
+  x86_64: 'amd64'
+  armv6l: 'arm'
+  armv7l: 'arm'
+  aarch64: 'arm64'
+
+__promtail_arch: "{{ __promtail_arch_map[ansible_facts['architecture']] | default(ansible_facts['architecture']) }}"
diff --git a/ansible_collections/grafana/grafana/roles/promtail/vars/RedHat.yml b/ansible_collections/grafana/grafana/roles/promtail/vars/RedHat.yml
new file mode 100644
index 00000000..85273019
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/promtail/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+__promtail_arch: "{{ ansible_facts['architecture'] }}"
diff --git a/ansible_collections/grafana/grafana/roles/tempo/README.md b/ansible_collections/grafana/grafana/roles/tempo/README.md
new file mode 100644
index 00000000..d47f1acd
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/README.md
@@ -0,0 +1,15 @@
+# Ansible role - Tempo
+
+[![License](https://img.shields.io/github/license/grafana/grafana-ansible-collection)](LICENSE)
+
+The Ansible Promtail Role allows you to effortlessly deploy and manage Tempo.
+This role is tailored for operating systems such as **RedHat**, **Rocky Linux**, **AlmaLinux**, **Ubuntu**, and **Debian**.
+
+
+## Requirements
+
+- Ansible 2.10+
+
+## License
+
+See [LICENSE](https://github.com/grafana/grafana-ansible-collection/blob/main/LICENSE)
diff --git a/ansible_collections/grafana/grafana/roles/tempo/defaults/main.yml b/ansible_collections/grafana/grafana/roles/tempo/defaults/main.yml
new file mode 100644
index 00000000..e4303d80
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/defaults/main.yml
@@ -0,0 +1,73 @@
+---
+# defaults file for tempo
+tempo_version: "latest"
+tempo_uninstall: false
+__tempo_arch: "{{ arch_mapping[ansible_facts['architecture']] | default('amd64') }}"
+tempo_download_url_rpm: "https://github.com/grafana/tempo/releases/download/v{{ tempo_version }}/tempo_{{ tempo_version }}_linux_{{ __tempo_arch }}.rpm"
+tempo_download_url_deb: "https://github.com/grafana/tempo/releases/download/v{{ tempo_version }}/tempo_{{ tempo_version }}_linux_{{ __tempo_arch }}.deb"
+tempo_working_path: "/var/lib/tempo"
+tempo_http_listen_port: 3200
+tempo_http_listen_address: "0.0.0.0"
+tempo_log_level: warn
+tempo_report_usage: true
+tempo_multitenancy_enabled: false
+
+# Default Variables from /etc/tempo/config.yml
+tempo_server:
+  http_listen_port: "{{ tempo_http_listen_port }}"
+  http_listen_address: "{{ tempo_http_listen_address }}"
+  log_level: "{{ tempo_log_level }}"
+
+tempo_query_frontend:
+  search:
+    duration_slo: 5s
+    throughput_bytes_slo: 1.073741824e+09
+    metadata_slo:
+      duration_slo: 5s
+      throughput_bytes_slo: 1.073741824e+09
+  trace_by_id:
+    duration_slo: 5s
+
+tempo_distributor:
+  receivers:
+    otlp:
+      protocols:
+        grpc:
+          endpoint: "{{ tempo_http_listen_address }}:4317"
+
+tempo_metrics_generator:
+  registry:
+    external_labels:
+      source: tempo
+      cluster: docker-compose
+  storage:
+    path: "{{ tempo_working_path }}/generator/wal"
+    remote_write:
+      - url: http://prometheus:9090/api/v1/write
+        send_exemplars: true
+  traces_storage:
+    path: "{{ tempo_working_path }}/generator/traces"
+
+tempo_storage:
+  trace:
+    backend: local                     # backend configuration to use
+    wal:
+      path: "{{ tempo_working_path }}/wal"             # where to store the wal locally
+    local:
+      path: "{{ tempo_working_path }}/blocks"
+
+tempo_overrides:
+  defaults:
+    metrics_generator:
+      processors: [service-graphs, span-metrics, local-blocks] # enables metrics generator
+      generate_native_histograms: both
+
+# Additional Config Variables for /etc/tempo/config.yml
+# tempo_ingester:
+# tempo_ingester_client:
+# tempo_metrics_generator_client:
+# tempo_querier:
+# tempo_compactor:
+# tempo_storage:
+# tempo_memberlist:
+# tempo_cache:
diff --git a/ansible_collections/grafana/grafana/roles/tempo/handlers/main.yml b/ansible_collections/grafana/grafana/roles/tempo/handlers/main.yml
new file mode 100644
index 00000000..b0a020d2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart tempo
+  ansible.builtin.systemd:
+    name: tempo.service
+    state: restarted
diff --git a/ansible_collections/grafana/grafana/roles/tempo/meta/main.yml b/ansible_collections/grafana/grafana/roles/tempo/meta/main.yml
new file mode 100644
index 00000000..5fa0efdb
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  role_name: tempo
+  author: Grafana
+  description: Manage Grafana Tempo Application
+  license: "GPL-3.0-or-later"
+  min_ansible_version: "2.10"
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+  galaxy_tags:
+    - tempo
+    - grafana
+    - tracing
+    - monitoring
+
+dependencies: []
diff --git a/ansible_collections/grafana/grafana/roles/tempo/molecule/default/converge.yml b/ansible_collections/grafana/grafana/roles/tempo/molecule/default/converge.yml
new file mode 100644
index 00000000..fa9c6346
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/molecule/default/converge.yml
@@ -0,0 +1,5 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: grafana.grafana.tempo
diff --git a/ansible_collections/grafana/grafana/roles/tempo/molecule/default/molecule.yml b/ansible_collections/grafana/grafana/roles/tempo/molecule/default/molecule.yml
new file mode 100644
index 00000000..339965a5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/molecule/default/molecule.yml
@@ -0,0 +1,20 @@
+---
+dependency:
+  name: galaxy
+  options:
+    ignore-errors: true
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
diff --git a/ansible_collections/grafana/grafana/roles/tempo/tasks/deploy.yml b/ansible_collections/grafana/grafana/roles/tempo/tasks/deploy.yml
new file mode 100644
index 00000000..7d25e3fe
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/tasks/deploy.yml
@@ -0,0 +1,99 @@
+---
+# tasks file for Tempo deployment
+- name: Obtain the latest version from the Tempo GitHub repo
+  when: tempo_version == "latest"
+  block:
+    - name: Scrape Github API endpoint to obtain latest Tempo version
+      ansible.builtin.uri:
+        url: "https://api.github.com/repos/grafana/tempo/releases/latest"
+        method: GET
+        body_format: json
+      become: false
+      delegate_to: localhost
+      run_once: true
+      register: __github_latest_version
+      check_mode: false
+
+    - name: Latest available Tempo version
+      ansible.builtin.set_fact:
+        tempo_version: "{{ __github_latest_version.json.tag_name | regex_replace('^v?(\\d+\\.\\d+\\.\\d+)$', '\\1') }}"
+
+- name: Verify current deployed version
+  block:
+    - name: Check if Tempo binary is present
+      ansible.builtin.stat:
+        path: "/usr/bin/tempo"
+      register: __already_deployed
+
+    - name: Obtain current deployed Tempo version
+      ansible.builtin.command:
+        cmd: "/usr/bin/tempo --version"
+      changed_when: false
+      register: __current_deployed_version
+      when: __already_deployed.stat.exists | bool
+
+- name: Include RedHat/Rocky setup
+  ansible.builtin.include_tasks:
+    file: setup-Redhat.yml
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Include Debian/Ubuntu setup
+  ansible.builtin.include_tasks:
+    file: setup-Debian.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Check if Tempo default dir is present
+  ansible.builtin.stat:
+    path: "/tmp/tempo/boltdb-shipper-active"
+  register: __default_structure
+
+- name: Default structure cleanup
+  when: __default_structure.stat.exists | bool
+  block:
+    - name: Ensure that Tempo is stopped before default cleanup
+      ansible.builtin.systemd:
+        name: tempo.service
+        state: stopped
+
+    - name: Remove default configuration from "/tmp/tempo" directory
+      ansible.builtin.file:
+        path: "/tmp/tempo"
+        state: absent
+
+- name: Ensure that Tempo working path exists
+  ansible.builtin.file:
+    path: "{{ tempo_working_path }}"
+    state: directory
+    owner: "tempo"
+    group: "root"
+    mode: "0755"
+
+- name: Template Tempo config - /etc/tempo/config.yml
+  ansible.builtin.template:
+    src: "config.yml.j2"
+    dest: "/etc/tempo/config.yml"
+    owner: "tempo"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/tempo -config.verify %s"
+  notify: Restart tempo
+
+- name: Ensure restart has completed
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure that Tempo is started
+  ansible.builtin.systemd:
+    name: tempo.service
+    state: started
+    enabled: true
+
+- name: Verify that Tempo URL is responding
+  ansible.builtin.uri:
+    url: "http://{{ tempo_http_listen_address }}:{{ tempo_http_listen_port }}/ready"
+    method: GET
+  register: tempo_verify_url_status_code
+  retries: 5
+  delay: 8
+  until: tempo_verify_url_status_code.status == 200
+  when:
+    - not ansible_check_mode
diff --git a/ansible_collections/grafana/grafana/roles/tempo/tasks/main.yml b/ansible_collections/grafana/grafana/roles/tempo/tasks/main.yml
new file mode 100644
index 00000000..55ccafa1
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: Deploy Tempo service
+  ansible.builtin.include_tasks:
+    file: "deploy.yml"
+  when: not tempo_uninstall
+
+- name: Uninstall Tempo service
+  ansible.builtin.include_tasks:
+    file: "uninstall.yml"
+  when: tempo_uninstall
diff --git a/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Debian.yml b/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Debian.yml
new file mode 100644
index 00000000..9b823dcb
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Debian.yml
@@ -0,0 +1,7 @@
+---
+- name: APT - Install Tempo
+  ansible.builtin.apt:
+    deb: "{{ tempo_download_url_deb }}"
+    state: present
+  notify: Restart tempo
+  when: __current_deployed_version.stdout is not defined or tempo_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Redhat.yml b/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Redhat.yml
new file mode 100644
index 00000000..bafbfe95
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/tasks/setup-Redhat.yml
@@ -0,0 +1,8 @@
+---
+- name: DNF - Install Tempo from remote URL
+  ansible.builtin.dnf:
+    name: "{{ tempo_download_url_rpm }}"
+    state: present
+    disable_gpg_check: true
+  notify: Restart tempo
+  when: __current_deployed_version.stdout is not defined or tempo_version not in __current_deployed_version.stdout
diff --git a/ansible_collections/grafana/grafana/roles/tempo/tasks/uninstall.yml b/ansible_collections/grafana/grafana/roles/tempo/tasks/uninstall.yml
new file mode 100644
index 00000000..4cb659c3
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/tasks/uninstall.yml
@@ -0,0 +1,43 @@
+---
+# tasks file for tempo uninstall
+
+- name: Stop Tempo service
+  ansible.builtin.systemd:  # noqa ignore-errors
+    name: tempo
+    state: stopped
+  ignore_errors: true
+
+- name: Uninstall Tempo rpm package
+  ansible.builtin.dnf:
+    name: "tempo"
+    state: absent
+    autoremove: true
+  when: ansible_facts['os_family'] in ['RedHat', 'Rocky']
+
+- name: Uninstall Tempo deb package
+  ansible.builtin.apt:
+    name: "tempo"
+    state: absent
+    purge: true
+  when: ansible_facts['os_family'] == 'Debian'
+
+- name: Remove Tempo directories"
+  ansible.builtin.file:
+    path: "{{ remove_me }}"
+    state: absent
+  loop:
+    - "/etc/tempo"
+    - "{{ tempo_working_path }}"
+  loop_control:
+    loop_var: remove_me
+
+- name: Remove the Tempo system user
+  ansible.builtin.user:
+    name: "tempo"
+    force: true
+    state: absent
+
+- name: Remove Tempo system group
+  ansible.builtin.group:
+    name: "tempo"
+    state: absent
diff --git a/ansible_collections/grafana/grafana/roles/tempo/templates/config.yml.j2 b/ansible_collections/grafana/grafana/roles/tempo/templates/config.yml.j2
new file mode 100644
index 00000000..645c6b05
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/templates/config.yml.j2
@@ -0,0 +1,57 @@
+---
+server: 
+  {{ tempo_server | to_nice_yaml(indent=2, sort_keys=False) | indent(2, False) }}
+{% if tempo_distributor is defined %}
+distributor:
+  {{ tempo_distributor | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_ingester is defined %}
+ingester:
+  {{ tempo_ingester | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_ingester_client is defined %}
+ingester_client:
+  {{ tempo_ingester_client | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_metrics_generator is defined %}
+metrics_generator:
+  {{ tempo_metrics_generator | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_metrics_generator_client is defined %}
+metrics_generator_client:
+  {{ tempo_metrics_generator_client | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_querier is defined %}
+querier:
+  {{ tempo_querier | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_query_frontend is defined %}
+query_frontend:
+  {{ tempo_query_frontend | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_compactor is defined %}
+compactor:
+  {{ tempo_compactor | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_storage is defined %}
+storage:
+  {{ tempo_storage | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_memberlist is defined %}
+memberlist:
+  {{ tempo_memberlist | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_overrides is defined %}
+overrides:
+  {{ tempo_overrides | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_cache is defined %}
+cache:
+  {{ tempo_cache | to_nice_yaml(indent=2,sort_keys=False) | indent(2, False) }}
+{% endif %}
+{% if tempo_http_api_prefix is defined %}
+http_api_prefix: {{ tempo_http_api_prefix }}
+{% endif %}
+usage_report:
+  reporting_enabled: {{ tempo_report_usage }}
+multitenancy_enabled: {{ tempo_multitenancy_enabled }}
diff --git a/ansible_collections/grafana/grafana/roles/tempo/vars/main.yml b/ansible_collections/grafana/grafana/roles/tempo/vars/main.yml
new file mode 100644
index 00000000..cc535109
--- /dev/null
+++ b/ansible_collections/grafana/grafana/roles/tempo/vars/main.yml
@@ -0,0 +1,6 @@
+__tempo_arch_map:
+  x86_64: 'amd64'
+  armv6l: 'arm'
+  armv7l: 'arm'
+  aarch64: 'arm64'
+__tempo_arch: "{{ __tempo_arch_map[ansible_facts['architecture']] | default(ansible_facts['architecture']) }}"
diff --git a/ansible_collections/grafana/grafana/tests/integration/requirements.txt b/ansible_collections/grafana/grafana/tests/integration/requirements.txt
new file mode 100644
index 00000000..663bd1f6
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/requirements.txt
@@ -0,0 +1 @@
+requests
\ No newline at end of file
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/alert_contact_point/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/alert_contact_point/tasks/main.yml
new file mode 100644
index 00000000..8ba5afaf
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/alert_contact_point/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+- name: Create Alerting contact point
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: ops@mydomain.com,devs@mydomain.com
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: add_result
+
+- name: Add Check
+  ansible.builtin.assert:
+    that:
+      - add_result.failed == false
+      - add_result.output.provenance == "api"
+
+- name: Idempotency Check
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: ops@mydomain.com,devs@mydomain.com
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: idempotent_result
+
+- name: Changed Check
+  ansible.builtin.assert:
+    that:
+      - idempotent_result.changed == false
+      - idempotent_result.output.provenance == "api"
+
+- name: Update Alerting contact point
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: "ops@mydomain.com,devs@mydomain.com,admin@mydomain.com"
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: update_result
+
+- name: Failed Check
+  ansible.builtin.assert:
+    that:
+      - update_result.failed == false
+      - update_result.output.provenance == "api"
+
+- name: Delete Alerting contact point
+  grafana.grafana.alert_contact_point:
+    name: ops-email
+    uid: opsemail
+    type: email
+    settings:
+      addresses: "ops@mydomain.com,devs@mydomain.com,admin@mydomain.com"
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.failed == false
+      - delete_result.output.message == "contactpoint deleted"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/alert_notification_policy/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/alert_notification_policy/tasks/main.yml
new file mode 100644
index 00000000..1e051fca
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/alert_notification_policy/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Set Notification policy tree
+  grafana.grafana.alert_notification_policy:
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    routes: [
+      {
+        receiver: grafana-default-email,
+        object_matchers: [["env", "=", "Production"]],
+      }
+    ]
+  register: result
+
+- assert:
+    that:
+      - result.failed == false
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/cloud_api_key/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/cloud_api_key/tasks/main.yml
new file mode 100644
index 00000000..3e83a681
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/cloud_api_key/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+- name: Create Grafana Cloud API key
+  grafana.grafana.cloud_api_key:
+    name: ansible-integration-test
+    role: Admin
+    org_slug: "{{ org_name }}"
+    existing_cloud_api_key: "{{ grafana_cloud_api_key }}"
+    fail_if_already_created: false
+    state: present
+  register: add_result
+
+- name: Add Check
+  ansible.builtin.assert:
+    that:
+      - add_result.output.name == "ansible-integration-test"
+  when: add_result.output.name is defined
+
+- name: Re-run previous task
+  grafana.grafana.cloud_api_key:
+    name: ansible-integration-test
+    role: Admin
+    org_slug: "{{ org_name }}"
+    existing_cloud_api_key: "{{ grafana_cloud_api_key }}"
+    fail_if_already_created: false
+    state: present
+  register: update_result
+
+- name: Update Check
+  ansible.builtin.assert:
+    that:
+      - update_result.output == "A Cloud API key with the same name already exists"
+
+- name: Delete Grafana Cloud API key
+  grafana.grafana.cloud_api_key:
+    name: ansible-integration-test
+    role: Admin
+    org_slug: "{{ org_name }}"
+    existing_cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.output == "Cloud API key is deleted"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/cloud_plugin/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/cloud_plugin/tasks/main.yml
new file mode 100644
index 00000000..2bb0ab26
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/cloud_plugin/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: Add a plugin
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    version: 1.0.14
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: present
+  register: add_result
+
+- name: Add Check
+  ansible.builtin.assert:
+    that:
+      - add_result.pluginName == "GitHub"
+
+- name: Idempotency Check
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    version: 1.0.14
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: present
+  register: idempotency_result
+
+- name: Idempotency Check
+  ansible.builtin.assert:
+    that:
+      - idempotency_result.pluginName == "GitHub"
+
+- name: Update a plugin
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    version: 1.0.15
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: present
+  register: update_result
+
+- name: Update Check
+  ansible.builtin.assert:
+    that:
+      - update_result.pluginName == "GitHub"
+
+- name: Delete a plugin
+  grafana.grafana.cloud_plugin:
+    name: grafana-github-datasource
+    version: 1.0.15
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.pluginName == "GitHub"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/create_cloud_stack/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/create_cloud_stack/tasks/main.yml
new file mode 100644
index 00000000..642b528b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/create_cloud_stack/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Create a Grafana Cloud stack
+  grafana.grafana.cloud_stack:
+    name: "{{ test_stack_name }}"
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    org_slug: "{{ org_name }}"
+    state: present
+  register: create_result
+
+- name: Create Check
+  ansible.builtin.assert:
+    that:
+      - create_result.url == "https://" + "{{ test_stack_name }}" + ".grafana.net"
+
+- name: Sleep for 45 seconds
+  ansible.builtin.wait_for:
+    timeout: 45
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/dashboard/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/dashboard/tasks/main.yml
new file mode 100644
index 00000000..1e3ee485
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/dashboard/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Create/Update a dashboard
+  grafana.grafana.dashboard:
+    dashboard:
+      dashboard:
+        uid: test1234
+        title: Ansible Integration Test
+        tags:
+          - templated
+        timezone: browser
+        schemaVersion: 16
+        refresh: 25s
+        version: 0
+      overwrite: true
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: result_present
+
+- name: Create/Update Check
+  ansible.builtin.assert:
+    that:
+      - result_present.changed == true
+      - result_present.output.status == "success"
+
+- name: Delete dashboard
+  grafana.grafana.dashboard:
+    dashboard:
+      dashboard:
+        uid: test1234
+        title: Ansible Integration Test
+        tags:
+          - templated
+        timezone: browser
+        schemaVersion: 16
+        version: 0
+        refresh: 25s
+      overwrite: true
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+  register: result_absent
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - result_absent.changed == true
+      - result_absent.output.message == "Dashboard Ansible Integration Test deleted"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/datasource/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/datasource/tasks/main.yml
new file mode 100644
index 00000000..cd80d2a5
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/datasource/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Create/Update a Data Source
+  grafana.grafana.datasource:
+    dataSource:
+      name: ansible-integration
+      type: influxdb
+      url: https://grafana.github.com/grafana-ansible-collection
+      user: user
+      secureJsonData:
+        password: password
+      database: db-name
+      id: 123
+      uid: ansibletest
+      access: proxy
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: create_result
+
+- name: Create Check
+  ansible.builtin.assert:
+    that:
+      - create_result.changed == true
+      - create_result.output.message == "Datasource added" or create_result.output.message == "Datasource updated"
+
+- name: Delete a Data Source
+  grafana.grafana.datasource:
+    dataSource:
+      name: ansible-integration
+      type: influxdb
+      url: https://grafana.github.com/grafana-ansible-collection
+      user: user
+      secureJsonData:
+        password: password
+      database: db-name
+      id: 123
+      uid: ansibletest
+      access: proxy
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.changed == true
+      - delete_result.output.response == "Data source deleted"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/delete_cloud_stack/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/delete_cloud_stack/tasks/main.yml
new file mode 100644
index 00000000..39c2e9cc
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/delete_cloud_stack/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Delete a Grafana Cloud stack
+  grafana.grafana.cloud_stack:
+    name: "{{ test_stack_name }}"
+    stack_slug: "{{ test_stack_name }}"
+    cloud_api_key: "{{ grafana_cloud_api_key }}"
+    org_slug: "{{ org_name }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.changed == true
+      - delete_result.url == "https://" + "{{ test_stack_name }}" + ".grafana.net"
+
+- name: Sleep for 45 seconds
+  ansible.builtin.wait_for:
+    timeout: 45
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/folder/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/folder/tasks/main.yml
new file mode 100644
index 00000000..cebde0fd
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/folder/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+- name: Create/Update a Folder in Grafana
+  grafana.grafana.folder:
+    title: Ansible Integration test
+    uid: test123
+    overwrite: true
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: present
+  register: create_result
+
+- name: Create Check
+  ansible.builtin.assert:
+    that:
+      - create_result.failed == false
+
+- name: Delete a folder
+  grafana.grafana.folder:
+    title: Ansible Integration test
+    uid: test123
+    overwrite: true
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.output.status == 200
+      - delete_result.output.response == "Folder has been succesfuly deleted"
+
+- name: Delete Idempotency Check
+  grafana.grafana.folder:
+    title: Ansible Integration test
+    uid: test123
+    overwrite: true
+    grafana_ini:
+      server:
+        root_url: "{{ grafana_url }}"
+    grafana_api_key: "{{ grafana_api_key }}"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.output.status == 200
+      - delete_result.output.response == "Folder does not exist"
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-alternative/runme.sh b/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-alternative/runme.sh
new file mode 100755
index 00000000..87129f7e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-alternative/runme.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+version="0.1.3"
+src="https://github.com/gardar/ansible-test-molecule/releases/download/$version/ansible-test-molecule.sh"
+
+# shellcheck disable=SC1090
+if [[ -v GITHUB_TOKEN ]]
+then
+  source <(curl -L -s -H "Authorization: token $GITHUB_TOKEN" $src)
+else
+  source <(curl -L -s $src)
+fi
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-default/runme.sh b/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-default/runme.sh
new file mode 100755
index 00000000..87129f7e
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/molecule-grafana-default/runme.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+version="0.1.3"
+src="https://github.com/gardar/ansible-test-molecule/releases/download/$version/ansible-test-molecule.sh"
+
+# shellcheck disable=SC1090
+if [[ -v GITHUB_TOKEN ]]
+then
+  source <(curl -L -s -H "Authorization: token $GITHUB_TOKEN" $src)
+else
+  source <(curl -L -s $src)
+fi
diff --git a/ansible_collections/grafana/grafana/tests/integration/targets/user/tasks/main.yml b/ansible_collections/grafana/grafana/tests/integration/targets/user/tasks/main.yml
new file mode 100644
index 00000000..9260aca9
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tests/integration/targets/user/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+- name: Create an User in Grafana
+  grafana.grafana.user:
+    login: "grafana_user"
+    password: "Yeihohghomi2neipuphuakooWeeph3ox"
+    email: "grafana_user@localhost.local"
+    name: "grafana user"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: present
+  register: create_result
+
+- name: Create Check
+  ansible.builtin.assert:
+    that:
+      - create_result.failed == false
+
+- name: Change an User password in Grafana
+  grafana.grafana.user:
+    login: "grafana_user"
+    password: "Yeihohghomi2neipuphuakooWeeph3ox"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: update_password
+  register: update_result
+
+- name: Create Check
+  ansible.builtin.assert:
+    that:
+      - update_result.failed == false
+
+- name: Delete a user
+  grafana.grafana.user:
+    login: "grafana_user"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.failed == false
+
+- name: Delete Idempotency Check
+  grafana.grafana.user:
+    login: "grafana_user"
+    grafana_url: "{{ grafana_url }}"
+    admin_name: "admin"
+    admin_password: "admin"
+    state: absent
+  register: delete_result
+
+- name: Delete Check
+  ansible.builtin.assert:
+    that:
+      - delete_result.failed == false
diff --git a/ansible_collections/grafana/grafana/tools/includes/logging.sh b/ansible_collections/grafana/grafana/tools/includes/logging.sh
new file mode 100755
index 00000000..26134958
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/includes/logging.sh
@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+
+LOG_LEVEL=${LOG_LEVEL:=6} # 7 = debug -> 0 = emergency
+NO_COLOR="${NO_COLOR:-}"
+# shellcheck disable=SC2034
+TRACE="0"
+
+# _log
+# -----------------------------------
+# Handles all logging, all log messages are output to stderr so stdout can still be piped
+#   Example: _log "info" "Some message"
+# -----------------------------------
+# shellcheck disable=SC2034
+_log () {
+  local log_level="${1}" # first option is the level, the rest is the message
+  shift
+  local color_success="\\x1b[32m"
+  local color_debug="\\x1b[36m"
+  local color_info="\\x1b[90m"
+  local color_notice="\\x1b[34m"
+  local color_warning="\\x1b[33m"
+  local color_error="\\x1b[31m"
+  local color_critical="\\x1b[1;31m"
+  local color_alert="\\x1b[1;33;41m"
+  local color_emergency="\\x1b[1;4;5;33;41m"
+  local colorvar="color_${log_level}"
+  local color="${!colorvar:-${color_error}}"
+  local color_reset="\\x1b[0m"
+
+  # If no color is set or a non-recognized terminal is used don't use colors
+  if [[ "${NO_COLOR:-}" = "true" ]] || { [[ "${TERM:-}" != "xterm"* ]] && [[ "${TERM:-}" != "screen"* ]]; } || [[ ! -t 2 ]]; then
+    if [[ "${NO_COLOR:-}" != "false" ]]; then
+      color="";
+      color_reset="";
+    fi
+  fi
+
+  # all remaining arguments are to be printed
+  local log_line=""
+
+  while IFS=$'\n' read -r log_line; do
+    echo -e "$(date +"%Y-%m-%d %H:%M:%S %Z") ${color}[${log_level}]${color_reset} ${log_line}" 1>&2
+  done <<< "${@:-}"
+}
+
+# emergency
+# -----------------------------------
+# Handles emergency logging
+# -----------------------------------
+emergency() {
+  _log emergency "${@}"; exit 1;
+}
+
+# success
+# -----------------------------------
+# Handles success logging
+# -----------------------------------
+success() {
+  _log success "${@}"; true;
+}
+
+# alert
+# -----------------------------------
+# Handles alert logging
+# -----------------------------------
+alert() {
+  [[ "${LOG_LEVEL:-0}" -ge 1 ]] && _log alert "${@}";
+  true;
+}
+
+# critical
+# -----------------------------------
+# Handles critical logging
+# -----------------------------------
+critical() {
+  [[ "${LOG_LEVEL:-0}" -ge 2 ]] && _log critical "${@}";
+  true;
+}
+
+# error
+# -----------------------------------
+# Handles error logging
+# -----------------------------------
+error() {
+  [[ "${LOG_LEVEL:-0}" -ge 3 ]] && _log error "${@}";
+  true;
+}
+
+# warning
+# -----------------------------------
+# Handles warning logging
+# -----------------------------------
+warning() {
+  [[ "${LOG_LEVEL:-0}" -ge 4 ]] && _log warning "${@}";
+  true;
+}
+
+# notice
+# -----------------------------------
+# Handles notice logging
+# -----------------------------------
+notice() {
+  [[ "${LOG_LEVEL:-0}" -ge 5 ]] && _log notice "${@}";
+  true;
+}
+
+# info
+# -----------------------------------
+# Handles info logging
+# -----------------------------------
+info() {
+  [[ "${LOG_LEVEL:-0}" -ge 6 ]] && _log info "${@}";
+  true;
+}
+
+# debug
+# -----------------------------------
+# Handles debug logging and prepends the name of the that called debug in front of the message
+# -----------------------------------
+debug() {
+  [[ "${LOG_LEVEL:-0}" -ge 7 ]] && _log debug "${FUNCNAME[1]}() ${*}";
+  true;
+}
diff --git a/ansible_collections/grafana/grafana/tools/includes/utils.sh b/ansible_collections/grafana/grafana/tools/includes/utils.sh
new file mode 100755
index 00000000..13264ea4
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/includes/utils.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+# heading
+# -----------------------------------
+# Print standard heading
+# -----------------------------------
+heading() {
+  local title="${1}"
+  local message="${2}"
+  local width="75"
+  local orange="\\033[38;5;202m"
+  local reset="\\033[0m"
+  local bold="\\x1b[1m"
+  echo ""
+  echo -e "${orange}    ▒▒▓▓▒▒▒▓    ${reset}    ____                __                        _             _          "
+  echo -e "${orange}  ▓▓▓        ▒  ${reset}   / ___| _ __   __ _  / _|  __ _  _ __    __ _  | |      __ _ | |__    ___ "
+  echo -e "${orange}  ▒▓   ▒▒▒▒▓    ${reset}  | |  _ | '__| / _  || |_  / _  || '_ \\  / _  | | |     / _  || '_  \\ / __|"
+  echo -e "${orange} ▒▓▓   ▒    ▒▒  ${reset}  | |_| || |   | (_| ||  _|| (_| || | | || (_| | | |___ | (_| || |_) | \\__\\"
+  echo -e "${orange}  ▒▓▒       ▒▓  ${reset}   \\____||_|    \\__,_||_|   \\__,_||_| |_| \\__,_| |_____| \\__,_||_.__/ |___/"
+  echo -e "${orange}    ▒▒▒   ▒▒▒   ${reset}  "
+  echo -e "${orange}      ▒▒▒▒▒     ${reset}  $(repeat $(( ((width - ${#title}) - 2) / 2)) " ")${bold}$title${reset}"
+  echo -e "${reset}                  $(repeat $(( ((width - ${#message}) - 2) / 2)) " ")$message${reset}"
+  echo ""
+}
+
+# repeat
+# -----------------------------------
+# Repeat a Character N number of times
+# -----------------------------------
+repeat(){
+  local times="${1:-80}"
+  local character="${2:-=}"
+  local start=1
+  local range
+  range=$(seq "$start" "$times")
+  local str=""
+  # shellcheck disable=SC2034
+  for i in $range; do
+    str="$str${character}"
+  done
+  echo "$str"
+}
+
+# lintWarning
+# -----------------------------------
+# Output a Lint Warning Message
+# -----------------------------------
+lintWarning() {
+  local msg="${1}"
+  local color_warning="\\x1b[33m"
+  local color_reset="\\x1b[0m"
+  local bold="\\x1b[1m"
+  echo -e "    ‣ ${color_warning}${bold}[warn]${color_reset}  $msg"
+}
+
+# lintError
+# -----------------------------------
+# Output a Lint Error Message
+# -----------------------------------
+lintError() {
+  local msg="${1}"
+  local color_error="\\x1b[31m"
+  local color_reset="\\x1b[0m"
+  local bold="\\x1b[1m"
+  echo -e "    ‣ ${color_error}${bold}[error]${color_reset} $msg"
+}
diff --git a/ansible_collections/grafana/grafana/tools/lint-ansible.sh b/ansible_collections/grafana/grafana/tools/lint-ansible.sh
new file mode 100755
index 00000000..47cb90b2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-ansible.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing Ansible Linting using ansible-lint"
+
+# make sure pipenv exists
+if [[ "$(command -v pipenv)" = "" ]]; then
+  echo >&2 "pipenv command is required, see (https://pipenv.pypa.io/en/latest/) or run: brew install pipenv";
+  exit 1;
+fi
+
+# make sure yamllint exists
+if [[ "$(pipenv run pip freeze | grep -c "ansible-lint")" == "0" ]]; then
+  echo >&2 "ansible-lint command is required, see (https://pypi.org/project/ansible-lint/). Run \"make install\" to install it.";
+  exit 1;
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+# run yamllint
+echo "$(pwd)/.ansible-lint"
+pipenv run ansible-lint --config-file "$(pwd)/.ansible-lint" --strict
+statusCode="$?"
+
+if [[ "$statusCode" == "0" ]]; then
+  echo "no issues found"
+  echo ""
+fi
+
+echo ""
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/lint-editorconfig.sh b/ansible_collections/grafana/grafana/tools/lint-editorconfig.sh
new file mode 100755
index 00000000..9150f001
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-editorconfig.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing Editorconfig Linting using editorconfig-checker"
+
+# check to see if remark is installed
+if [[ ! -f "$(pwd)"/node_modules/.bin/editorconfig-checker ]]; then
+  emergency "editorconfig-checker node module is not installed, please run: make install";
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+statusCode=0
+./node_modules/.bin/editorconfig-checker -config="$(pwd)/.editorconfig" -exclude "LICENSE|.+\.txt|.+\.py"
+currentCode="$?"
+# only override the statusCode if it is 0
+if [[ "$statusCode" == 0 ]]; then
+  statusCode="$currentCode"
+fi
+
+if [[ "$statusCode" == "0" ]]; then
+  echo "no issues found"
+  echo ""
+fi
+
+echo ""
+
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+else
+  exit "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/lint-markdown.sh b/ansible_collections/grafana/grafana/tools/lint-markdown.sh
new file mode 100755
index 00000000..4d919ed2
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-markdown.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing Markdown Linting using markdownlint"
+
+# check to see if remark is installed
+if [[ ! -f "$(pwd)"/node_modules/.bin/markdownlint-cli2 ]]; then
+  emergency "markdownlint-cli2 node module is not installed, please run: make install";
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+statusCode=0
+while read -r dir; do
+  info "Checking file/directory: $dir"
+  ./node_modules/.bin/markdownlint-cli2-config "$(pwd)/.markdownlint.yaml" "$dir"
+  currentCode="$?"
+  # if the current code is 0, output the file name for logging purposes
+  if [[ "$currentCode" == 0 ]]; then
+    echo -e "\\x1b[32m$dir\\x1b[0m: no issues found"
+  fi
+  # only override the statusCode if it is 0
+  if [[ "$statusCode" == 0 ]]; then
+    statusCode="$currentCode"
+  fi
+  echo ""
+done < <(find . -type f -name "*.md" -not -path "./node_modules/*" -not -path "./.git/*" -print0 | \
+    xargs -0 dirname | \
+    sort -nr | \
+    uniq | \
+    sort | \
+    xargs printf -- '%s/*.md\n' | \
+    sed 's|\./\*\.md|./README.md|'
+  )
+
+echo ""
+echo ""
+
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+else
+  exit "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/lint-shell.sh b/ansible_collections/grafana/grafana/tools/lint-shell.sh
new file mode 100755
index 00000000..633c7bed
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-shell.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing Shell Linting using shellcheck"
+
+# check to see if shellcheck is installed
+if [[ "$(command -v shellcheck)" = "" ]]; then
+  emergency "shellcheck is required if running lint locally, see: (https://shellcheck.net) or run: brew install nvm && nvm install 18";
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+statusCode=0
+while read -r file; do
+  shellcheck \
+    --external-sources \
+    --shell bash \
+    --source-path "$(dirname "$file")" \
+    "$file"
+  currentCode="$?"
+  # if the current code is 0, output the file name for logging purposes
+  if [[ "$currentCode" == 0 ]]; then
+    echo -e "\\x1b[32m$file\\x1b[0m: no issues found"
+  else
+    echo ""
+  fi
+  # only override the statusCode if it is 0
+  if [[ "$statusCode" == 0 ]]; then
+    statusCode="$currentCode"
+  fi
+done < <(find . -type f -name "*.sh" -not -path "./node_modules/*" -not -path "./.git/*")
+
+echo ""
+echo ""
+
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+else
+  exit "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/lint-text.sh b/ansible_collections/grafana/grafana/tools/lint-text.sh
new file mode 100755
index 00000000..17e4b5df
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-text.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collections" "Performing Text Linting using textlint"
+
+# check to see if remark is installed
+if [[ ! -f "$(pwd)"/node_modules/.bin/textlint ]]; then
+  emergency "remark node module is not installed, please run: make install";
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+statusCode=0
+while read -r file; do
+  "$(pwd)"/node_modules/.bin/textlint --config "$(pwd)/.textlintrc" "$file"
+  currentCode="$?"
+  # if the current code is 0, output the file name for logging purposes
+  if [[ "$currentCode" == 0 ]]; then
+    echo -e "\\x1b[32m$file\\x1b[0m: no issues found"
+  fi
+  # only override the statusCode if it is 0
+  if [[ "$statusCode" == 0 ]]; then
+    statusCode="$currentCode"
+  fi
+done < <(find . -type f -name "*.md" -not -path "./node_modules/*" -not -path "./.git/*")
+
+echo ""
+echo ""
+
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+else
+  exit "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/lint-yaml.sh b/ansible_collections/grafana/grafana/tools/lint-yaml.sh
new file mode 100755
index 00000000..51deee6f
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/lint-yaml.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing YAML Linting using yamllint"
+
+# make sure pipenv exists
+if [[ "$(command -v pipenv)" = "" ]]; then
+  echo >&2 "pipenv command is required, see (https://pipenv.pypa.io/en/latest/) or run: brew install pipenv";
+  exit 1;
+fi
+
+# make sure yamllint exists
+if [[ "$(pipenv run pip freeze | grep -c "yamllint")" == "0" ]]; then
+  echo >&2 "yamllint command is required, see (https://pypi.org/project/yamllint/). Run \"make install\" to install it.";
+  exit 1;
+fi
+
+# determine whether or not the script is called directly or sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+# run yamllint
+pipenv run yamllint --strict --config-file "$(pwd)/.yamllint" .
+statusCode="$?"
+
+if [[ "$statusCode" == "0" ]]; then
+  echo "no issues found"
+  echo ""
+fi
+
+# if the script was called by another, send a valid exit code
+if [[ "$sourced" == "1" ]]; then
+  return "$statusCode"
+fi
diff --git a/ansible_collections/grafana/grafana/tools/setup.sh b/ansible_collections/grafana/grafana/tools/setup.sh
new file mode 100755
index 00000000..9a047e3b
--- /dev/null
+++ b/ansible_collections/grafana/grafana/tools/setup.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+source "$(pwd)/tools/includes/utils.sh"
+
+source "./tools/includes/logging.sh"
+
+# output the heading
+heading "Grafana Ansible Collection" "Performing Setup Checks"
+
+# make sure Node exists
+info "Checking to see if Node is installed"
+if [[ "$(command -v node)" = "" ]]; then
+  warning "node is required if running lint locally, see: (https://nodejs.org) or run: brew install nvm && nvm install 18";
+else
+  success "node is installed"
+fi
+
+# make sure yarn exists
+info "Checking to see if yarn is installed"
+if [[ "$(command -v yarn)" = "" ]]; then
+  warning "yarn is required if running lint locally, see: (https://yarnpkg.com) or run: brew install yarn";
+else
+  success "yarn is installed"
+fi
+
+# make sure shellcheck exists
+info "Checking to see if shellcheck is installed"
+if [[ "$(command -v shellcheck)" = "" ]]; then
+  warning "shellcheck is required if running lint locally, see: (https://shellcheck.net) or run: brew install nvm && nvm install 18";
+else
+  success "shellcheck is installed"
+fi
+
+# make sure pipenv exists
+if [[ "$(command -v pipenv)" = "" ]]; then
+  warning "pipenv command is required, see (https://pipenv.pypa.io/en/latest/) or run: brew install pipenv";
+else
+  success "pipenv is installed"
+fi
diff --git a/ansible_collections/grafana/grafana/yarn.lock b/ansible_collections/grafana/grafana/yarn.lock
new file mode 100644
index 00000000..84aa10bd
--- /dev/null
+++ b/ansible_collections/grafana/grafana/yarn.lock
@@ -0,0 +1,1721 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"@azu/format-text@^1.0.1":
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/@azu/format-text/-/format-text-1.0.2.tgz#abd46dab2422e312bd1bfe36f0d427ab6039825d"
+  integrity sha512-Swi4N7Edy1Eqq82GxgEECXSSLyn6GOb5htRFPzBDdUkECGXtlf12ynO5oJSpWKPwCaUssOu7NfhDcCWpIC6Ywg==
+
+"@azu/style-format@^1.0.0":
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/@azu/style-format/-/style-format-1.0.1.tgz#b3643af0c5fee9d53e69a97c835c404bdc80f792"
+  integrity sha512-AHcTojlNBdD/3/KxIKlg8sxIWHfOtQszLvOpagLTO+bjC3u7SAszu1lf//u7JJC50aUSH+BVWDD/KvaA6Gfn5g==
+  dependencies:
+    "@azu/format-text" "^1.0.1"
+
+"@nodelib/fs.scandir@2.1.5":
+  version "2.1.5"
+  resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"
+  integrity sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==
+  dependencies:
+    "@nodelib/fs.stat" "2.0.5"
+    run-parallel "^1.1.9"
+
+"@nodelib/fs.stat@2.0.5", "@nodelib/fs.stat@^2.0.2":
+  version "2.0.5"
+  resolved "https://registry.yarnpkg.com/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz#5bd262af94e9d25bd1e71b05deed44876a222e8b"
+  integrity sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==
+
+"@nodelib/fs.walk@^1.2.3":
+  version "1.2.8"
+  resolved "https://registry.yarnpkg.com/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz#e95737e8bb6746ddedf69c556953494f196fe69a"
+  integrity sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==
+  dependencies:
+    "@nodelib/fs.scandir" "2.1.5"
+    fastq "^1.6.0"
+
+"@textlint/ast-node-types@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/ast-node-types/-/ast-node-types-12.6.1.tgz#35ecefe74e701d7f632c083d4fda89cab1b89012"
+  integrity sha512-uzlJ+ZsCAyJm+lBi7j0UeBbj+Oy6w/VWoGJ3iHRHE5eZ8Z4iK66mq+PG/spupmbllLtz77OJbY89BYqgFyjXmA==
+
+"@textlint/ast-node-types@^13.0.2":
+  version "13.3.1"
+  resolved "https://registry.yarnpkg.com/@textlint/ast-node-types/-/ast-node-types-13.3.1.tgz#469cab986e43f4ffb39aa5c31d148888a36d2286"
+  integrity sha512-/qeEjW3hIFpGwESsCkJRroja7mBOlo9wqyx8G4fwayq4FZRvJMm/9DhIo77jd/4wm/VSJcVVr+fs+rVa4jrY5A==
+
+"@textlint/ast-tester@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/ast-tester/-/ast-tester-12.6.1.tgz#853a438829dbb0aec0456a437b5e3894692e970b"
+  integrity sha512-Gxiq6xmDR3PnX0RqRGth/Lu5fyFWoXNPfGxXTLORPFpfs8JKPh/eXGhlwc1f0v4VQzPay2KwVl6SGXvJD5qLXw==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+    debug "^4.3.4"
+
+"@textlint/ast-traverse@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/ast-traverse/-/ast-traverse-12.6.1.tgz#644e46c5ef2e946e1fe1ef2452686c8ba2131392"
+  integrity sha512-Y/j7ip7yDuTjuIV4kTRPVnkJKfpI71U+eqXFnrM9sE2xBA9IsqzqiLQeDY+S5hhfQzmcEnZFtAP0hqrYaT6gNA==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+
+"@textlint/config-loader@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/config-loader/-/config-loader-12.6.1.tgz#151e97d9258361267056dbf47fe4a034c84a193e"
+  integrity sha512-mvChF2pFusxyQC4gFzIgNcZ4izUt7ci+JdXZtGV+DOzykVUuGhgGo3TFTi/ccgYyqZdq9MxJG6I+dvYB1A2Fog==
+  dependencies:
+    "@textlint/kernel" "^12.6.1"
+    "@textlint/module-interop" "^12.6.1"
+    "@textlint/types" "^12.6.1"
+    "@textlint/utils" "^12.6.1"
+    debug "^4.3.4"
+    rc-config-loader "^4.1.2"
+    try-resolve "^1.0.1"
+
+"@textlint/feature-flag@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/feature-flag/-/feature-flag-12.6.1.tgz#20f8a3cf86be939186adc33744ef66084b06067a"
+  integrity sha512-cY/AraTLdzbwDyAhdpaXB7n1Lw6zA+k+7UaT8mmxMmjs0uYGzdMQa499I0rQatctJ6izrdZXYW0NdUQfG2ugiA==
+
+"@textlint/fixer-formatter@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/fixer-formatter/-/fixer-formatter-12.6.1.tgz#b05f28b635c8628f588414da7baab01cd1db6daf"
+  integrity sha512-BMhvoKQbME9LXvl6CfIM/hZckb+IMiAA6ioDvdM3o63N+xDypS42uzJNpRgzXKGYL1Dv/7R1hsmDzz3fgvGhBw==
+  dependencies:
+    "@textlint/module-interop" "^12.6.1"
+    "@textlint/types" "^12.6.1"
+    chalk "^4.1.2"
+    debug "^4.3.4"
+    diff "^4.0.2"
+    is-file "^1.0.0"
+    string-width "^4.2.3"
+    strip-ansi "^6.0.1"
+    text-table "^0.2.0"
+    try-resolve "^1.0.1"
+
+"@textlint/kernel@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/kernel/-/kernel-12.6.1.tgz#6e8e57a0ebd2bfe5ce5c218bb4eedd7b20c793e0"
+  integrity sha512-GjNaI36pYx/boy1Xf7NPJFbS0uWHhY9y9DMMl/8ZJZoldN7XrCvJFivNdeYQxu+LTmfGGaUJoTjDpnllOs6XSQ==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+    "@textlint/ast-tester" "^12.6.1"
+    "@textlint/ast-traverse" "^12.6.1"
+    "@textlint/feature-flag" "^12.6.1"
+    "@textlint/source-code-fixer" "^12.6.1"
+    "@textlint/types" "^12.6.1"
+    "@textlint/utils" "^12.6.1"
+    debug "^4.3.4"
+    deep-equal "^1.1.1"
+    structured-source "^4.0.0"
+
+"@textlint/linter-formatter@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/linter-formatter/-/linter-formatter-12.6.1.tgz#90314ddaa036197c36ccb75cc8fa3fb318895350"
+  integrity sha512-1fQy17vNZy5qem8I71MGEir7gVLSUWcIE4ruQbONiIko9as+AYibt6xX6GtTX+aJejuJJcb+KTeAxKJ+6FA8vg==
+  dependencies:
+    "@azu/format-text" "^1.0.1"
+    "@azu/style-format" "^1.0.0"
+    "@textlint/module-interop" "^12.6.1"
+    "@textlint/types" "^12.6.1"
+    chalk "^4.1.2"
+    debug "^4.3.4"
+    is-file "^1.0.0"
+    js-yaml "^3.14.1"
+    lodash "^4.17.21"
+    optionator "^0.9.1"
+    pluralize "^2.0.0"
+    string-width "^4.2.3"
+    strip-ansi "^6.0.1"
+    table "^6.8.1"
+    text-table "^0.2.0"
+    try-resolve "^1.0.1"
+
+"@textlint/markdown-to-ast@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/markdown-to-ast/-/markdown-to-ast-12.6.1.tgz#fcccb5733b3e76cd0db78a323763ab101f2d803b"
+  integrity sha512-T0HO+VrU9VbLRiEx/kH4+gwGMHNMIGkp0Pok+p0I33saOOLyhfGvwOKQgvt2qkxzQEV2L5MtGB8EnW4r5d3CqQ==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+    debug "^4.3.4"
+    mdast-util-gfm-autolink-literal "^0.1.3"
+    remark-footnotes "^3.0.0"
+    remark-frontmatter "^3.0.0"
+    remark-gfm "^1.0.0"
+    remark-parse "^9.0.0"
+    traverse "^0.6.7"
+    unified "^9.2.2"
+
+"@textlint/module-interop@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/module-interop/-/module-interop-12.6.1.tgz#82adf942281a8880e1ad70b305d8caba87356830"
+  integrity sha512-COyRctLVh2ktAObmht3aNtqUvP0quoellKu1c2RrXny1po+Mf7PkvEKIxphtArE4JXMAmu01cDxfH6X88+eYIg==
+
+"@textlint/source-code-fixer@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/source-code-fixer/-/source-code-fixer-12.6.1.tgz#a674d6250863e5e8aaf2ac4dc2cb679ff37d2c49"
+  integrity sha512-J9UZ3uitT+T50ug5X6AoIOwn6kTl54ZmPYBPB9bmH4lwBamN7e4gT65lSweHY1D21elOkq+3bO/OAJMfQfAVHg==
+  dependencies:
+    "@textlint/types" "^12.6.1"
+    debug "^4.3.4"
+
+"@textlint/text-to-ast@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/text-to-ast/-/text-to-ast-12.6.1.tgz#8f24a424ee08fb82235e5f0dc63ab9e6475388b1"
+  integrity sha512-22tgSBaNerpwb66eCivjXmdZ3CDX2Il38vpuAGchiI+cl+sENU9dpuntxwEJdZQePX5qrkmw8XGj5kgyMF015A==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+
+"@textlint/textlint-plugin-markdown@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/textlint-plugin-markdown/-/textlint-plugin-markdown-12.6.1.tgz#744e36c468141826edaa7d96eb6beb28a5709ef3"
+  integrity sha512-fRKsFCL2fGeu0Bt+08FuEc2WHiI8IMDRvy6KT1pmNWO5irS4yL2/OXNknLH3erXvwcJw/hQnd5WEl4hQzS0Erw==
+  dependencies:
+    "@textlint/markdown-to-ast" "^12.6.1"
+
+"@textlint/textlint-plugin-text@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/textlint-plugin-text/-/textlint-plugin-text-12.6.1.tgz#92570b4f53ab15b2e8412f928a54c8833fb97b94"
+  integrity sha512-ZUfG0Xb8qGymIPNp2eFTq9bHvkJo3N3Ia1Aff5W9fsgZib1/Eb55U16Sp60TjhBFns0/p7L7usBC3nd3+tB5mQ==
+  dependencies:
+    "@textlint/text-to-ast" "^12.6.1"
+
+"@textlint/types@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/types/-/types-12.6.1.tgz#d00c5d625287a113c2807587c2c0cdc1c7f182d8"
+  integrity sha512-t1SZYahu2olnF8MUhlP6qDIEDyl7WmyIaBYxQdE2qU6xUkZWXS2zIxoAT/pVgvFCzDw3KO5HhIYGVeWRp90dTg==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+
+"@textlint/utils@^12.6.1":
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/@textlint/utils/-/utils-12.6.1.tgz#95d00b4b57197987b97bc8342e127d652a7454e1"
+  integrity sha512-HJkqYXT2FAAHDM5XLFpQLF/CEdm8c2ltMeKmPBSSty1VfPXQMi8tGPT1b58b8KWh6dVmi7w0YYB7NrquuzXOKA==
+
+"@types/mdast@^3.0.0":
+  version "3.0.10"
+  resolved "https://registry.yarnpkg.com/@types/mdast/-/mdast-3.0.10.tgz#4724244a82a4598884cbbe9bcfd73dff927ee8af"
+  integrity sha512-W864tg/Osz1+9f4lrGTZpCSO5/z4608eUp19tbozkq2HJK6i3z1kT0H9tlADXuYIb1YYOBByU4Jsqkk75q48qA==
+  dependencies:
+    "@types/unist" "*"
+
+"@types/unist@*", "@types/unist@^2.0.0", "@types/unist@^2.0.2":
+  version "2.0.6"
+  resolved "https://registry.yarnpkg.com/@types/unist/-/unist-2.0.6.tgz#250a7b16c3b91f672a24552ec64678eeb1d3a08d"
+  integrity sha512-PBjIUxZHOuj0R15/xuwJYjFi+KZdNFrehocChv4g5hu6aFroHue8m0lBP0POdK2nKzbw0cgV1mws8+V/JAcEkQ==
+
+ajv@^8.0.1:
+  version "8.12.0"
+  resolved "https://registry.yarnpkg.com/ajv/-/ajv-8.12.0.tgz#d1a0527323e22f53562c567c00991577dfbe19d1"
+  integrity sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==
+  dependencies:
+    fast-deep-equal "^3.1.1"
+    json-schema-traverse "^1.0.0"
+    require-from-string "^2.0.2"
+    uri-js "^4.2.2"
+
+ansi-regex@^5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#082cb2c89c9fe8659a311a53bd6a4dc5301db304"
+  integrity sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==
+
+ansi-styles@^4.0.0, ansi-styles@^4.1.0:
+  version "4.3.0"
+  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-4.3.0.tgz#edd803628ae71c04c85ae7a0906edad34b648937"
+  integrity sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==
+  dependencies:
+    color-convert "^2.0.1"
+
+argparse@^1.0.7:
+  version "1.0.10"
+  resolved "https://registry.yarnpkg.com/argparse/-/argparse-1.0.10.tgz#bcd6791ea5ae09725e17e5ad988134cd40b3d911"
+  integrity sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==
+  dependencies:
+    sprintf-js "~1.0.2"
+
+argparse@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38"
+  integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==
+
+astral-regex@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/astral-regex/-/astral-regex-2.0.0.tgz#483143c567aeed4785759c0865786dc77d7d2e31"
+  integrity sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==
+
+bail@^1.0.0:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/bail/-/bail-1.0.5.tgz#b6fa133404a392cbc1f8c4bf63f5953351e7a776"
+  integrity sha512-xFbRxM1tahm08yHBP16MMjVUAvDaBMD38zsM9EMAUN61omwLmKlOpB/Zku5QkjZ8TZ4vn53pj+t518cH0S03RQ==
+
+balanced-match@^1.0.0:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.2.tgz#e83e3a7e3f300b34cb9d87f615fa0cbf357690ee"
+  integrity sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==
+
+boundary@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/boundary/-/boundary-2.0.0.tgz#169c8b1f0d44cf2c25938967a328f37e0a4e5efc"
+  integrity sha512-rJKn5ooC9u8q13IMCrW0RSp31pxBCHE3y9V/tp3TdWSLf8Em3p6Di4NBpfzbJge9YjjFEsD0RtFEjtvHL5VyEA==
+
+brace-expansion@^1.1.7:
+  version "1.1.12"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.12.tgz#ab9b454466e5a8cc3a187beaad580412a9c5b843"
+  integrity sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==
+  dependencies:
+    balanced-match "^1.0.0"
+    concat-map "0.0.1"
+
+braces@^3.0.2:
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
+  integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
+  dependencies:
+    fill-range "^7.1.1"
+
+call-bind@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.2.tgz#b1d4e89e688119c3c9a903ad30abb2f6a919be3c"
+  integrity sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==
+  dependencies:
+    function-bind "^1.1.1"
+    get-intrinsic "^1.0.2"
+
+ccount@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/ccount/-/ccount-1.1.0.tgz#246687debb6014735131be8abab2d93898f8d043"
+  integrity sha512-vlNK021QdI7PNeiUh/lKkC/mNHHfV0m/Ad5JoI0TYtlBnJAslM/JIkm/tGC88bkLIwO6OQ5uV6ztS6kVAtCDlg==
+
+chalk@^4.1.2:
+  version "4.1.2"
+  resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01"
+  integrity sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==
+  dependencies:
+    ansi-styles "^4.1.0"
+    supports-color "^7.1.0"
+
+character-entities-legacy@^1.0.0:
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/character-entities-legacy/-/character-entities-legacy-1.1.4.tgz#94bc1845dce70a5bb9d2ecc748725661293d8fc1"
+  integrity sha512-3Xnr+7ZFS1uxeiUDvV02wQ+QDbc55o97tIV5zHScSPJpcLm/r0DFPcoY3tYRp+VZukxuMeKgXYmsXQHO05zQeA==
+
+character-entities@^1.0.0:
+  version "1.2.4"
+  resolved "https://registry.yarnpkg.com/character-entities/-/character-entities-1.2.4.tgz#e12c3939b7eaf4e5b15e7ad4c5e28e1d48c5b16b"
+  integrity sha512-iBMyeEHxfVnIakwOuDXpVkc54HijNgCyQB2w0VfGQThle6NXn50zU6V/u+LDhxHcDUPojn6Kpga3PTAD8W1bQw==
+
+character-reference-invalid@^1.0.0:
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/character-reference-invalid/-/character-reference-invalid-1.1.4.tgz#083329cda0eae272ab3dbbf37e9a382c13af1560"
+  integrity sha512-mKKUkUbhPpQlCOfIuZkvSEgktjPFIsZKRRbC6KWVEMvlzblj3i3asQv5ODsrwt0N3pHAEvjP8KTQPHkp0+6jOg==
+
+charenc@0.0.2:
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/charenc/-/charenc-0.0.2.tgz#c0a1d2f3a7092e03774bfa83f14c0fc5790a8667"
+  integrity sha512-yrLQ/yVUFXkzg7EDQsPieE/53+0RlaWTs+wBrvW36cyilJ2SaDWfl4Yj7MtLTXleV9uEKefbAGUPv2/iWSooRA==
+
+color-convert@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/color-convert/-/color-convert-2.0.1.tgz#72d3a68d598c9bdb3af2ad1e84f21d896abd4de3"
+  integrity sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==
+  dependencies:
+    color-name "~1.1.4"
+
+color-name@~1.1.4:
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.4.tgz#c2a09a87acbde69543de6f63fa3995c826c536a2"
+  integrity sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==
+
+concat-map@0.0.1:
+  version "0.0.1"
+  resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b"
+  integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==
+
+crypt@0.0.2:
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/crypt/-/crypt-0.0.2.tgz#88d7ff7ec0dfb86f713dc87bbb42d044d3e6c41b"
+  integrity sha512-mCxBlsHFYh9C+HVpiEacem8FEBnMXgU9gy4zmNC+SXAZNB/1idgp/aulFJ4FgCi7GPEVbfyng092GqL2k2rmow==
+
+debug@^4.0.0, debug@^4.1.1, debug@^4.3.4:
+  version "4.3.4"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#1319f6579357f2338d3337d2cdd4914bb5dcc865"
+  integrity sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==
+  dependencies:
+    ms "2.1.2"
+
+deep-equal@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/deep-equal/-/deep-equal-1.1.1.tgz#b5c98c942ceffaf7cb051e24e1434a25a2e6076a"
+  integrity sha512-yd9c5AdiqVcR+JjcwUQb9DkhJc8ngNr0MahEBGvDiJw8puWab2yZlh+nkasOnZP+EGTAP6rRp2JzJhJZzvNF8g==
+  dependencies:
+    is-arguments "^1.0.4"
+    is-date-object "^1.0.1"
+    is-regex "^1.0.4"
+    object-is "^1.0.1"
+    object-keys "^1.1.1"
+    regexp.prototype.flags "^1.2.0"
+
+deep-is@^0.1.3:
+  version "0.1.4"
+  resolved "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.4.tgz#a6f2dce612fadd2ef1f519b73551f17e85199831"
+  integrity sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==
+
+define-properties@^1.1.3:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/define-properties/-/define-properties-1.2.0.tgz#52988570670c9eacedd8064f4a990f2405849bd5"
+  integrity sha512-xvqAVKGfT1+UAvPwKTVw/njhdQ8ZhXK4lI0bCIuCMrp2up9nPnaDftrLtmpTazqd1o+UY4zgzU+avtMbDP+ldA==
+  dependencies:
+    has-property-descriptors "^1.0.0"
+    object-keys "^1.1.1"
+
+diff@^4.0.2:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/diff/-/diff-4.0.2.tgz#60f3aecb89d5fae520c11aa19efc2bb982aade7d"
+  integrity sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A==
+
+dir-glob@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/dir-glob/-/dir-glob-3.0.1.tgz#56dbf73d992a4a93ba1584f4534063fd2e41717f"
+  integrity sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==
+  dependencies:
+    path-type "^4.0.0"
+
+editorconfig-checker@^5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/editorconfig-checker/-/editorconfig-checker-5.0.1.tgz#cb4bf7a9b80f1b63b141b8897d7cc326fce0d3ae"
+  integrity sha512-6hXq9VVDkyCxVYKdGtIj+yhVR1fi/6W6Ykz/+kItLPARulJvr2/VXgWZ5OGWx1UYm2RD6XOzWyx1JF6DLgQ/8Q==
+
+emoji-regex@^8.0.0:
+  version "8.0.0"
+  resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37"
+  integrity sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==
+
+entities@~3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/entities/-/entities-3.0.1.tgz#2b887ca62585e96db3903482d336c1006c3001d4"
+  integrity sha512-WiyBqoomrwMdFG1e0kqvASYfnlb0lp8M5o5Fw2OFq1hNZxxcNk8Ik0Xm7LxzBhuidnZB/UtBqVCgUz3kBOP51Q==
+
+error-ex@^1.2.0, error-ex@^1.3.1:
+  version "1.3.2"
+  resolved "https://registry.yarnpkg.com/error-ex/-/error-ex-1.3.2.tgz#b4ac40648107fdcdcfae242f428bea8a14d4f1bf"
+  integrity sha512-7dFHNmqeFSEt2ZBsCriorKnn3Z2pj+fd9kmI6QoWw4//DL+icEBfc0U7qJCisqrTsKTjw4fNFy2pW9OqStD84g==
+  dependencies:
+    is-arrayish "^0.2.1"
+
+escape-string-regexp@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz#14ba83a5d373e3d311e5afca29cf5bfad965bf34"
+  integrity sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==
+
+esprima@^4.0.0:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/esprima/-/esprima-4.0.1.tgz#13b04cdb3e6c5d19df91ab6987a8695619b0aa71"
+  integrity sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==
+
+extend@^3.0.0:
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/extend/-/extend-3.0.2.tgz#f8b1136b4071fbd8eb140aff858b1019ec2915fa"
+  integrity sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==
+
+fast-deep-equal@^3.1.1:
+  version "3.1.3"
+  resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz#3a7d56b559d6cbc3eb512325244e619a65c6c525"
+  integrity sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==
+
+fast-glob@^3.2.11:
+  version "3.2.12"
+  resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.2.12.tgz#7f39ec99c2e6ab030337142da9e0c18f37afae80"
+  integrity sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==
+  dependencies:
+    "@nodelib/fs.stat" "^2.0.2"
+    "@nodelib/fs.walk" "^1.2.3"
+    glob-parent "^5.1.2"
+    merge2 "^1.3.0"
+    micromatch "^4.0.4"
+
+fast-levenshtein@^2.0.6:
+  version "2.0.6"
+  resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
+  integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
+
+fastq@^1.6.0:
+  version "1.15.0"
+  resolved "https://registry.yarnpkg.com/fastq/-/fastq-1.15.0.tgz#d04d07c6a2a68fe4599fea8d2e103a937fae6b3a"
+  integrity sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==
+  dependencies:
+    reusify "^1.0.4"
+
+fault@^1.0.0:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/fault/-/fault-1.0.4.tgz#eafcfc0a6d214fc94601e170df29954a4f842f13"
+  integrity sha512-CJ0HCB5tL5fYTEA7ToAq5+kTwd++Borf1/bifxd9iT70QcXr4MRrO3Llf8Ifs70q+SJcGHFtnIE/Nw6giCtECA==
+  dependencies:
+    format "^0.2.0"
+
+file-entry-cache@^5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/file-entry-cache/-/file-entry-cache-5.0.1.tgz#ca0f6efa6dd3d561333fb14515065c2fafdf439c"
+  integrity sha512-bCg29ictuBaKUwwArK4ouCaqDgLZcysCFLmM/Yn/FDoqndh/9vNuQfXRDvTuXKLxfD/JtZQGKFT8MGcJBK644g==
+  dependencies:
+    flat-cache "^2.0.1"
+
+fill-range@^7.1.1:
+  version "7.1.1"
+  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
+  integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
+  dependencies:
+    to-regex-range "^5.0.1"
+
+find-up@^2.0.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/find-up/-/find-up-2.1.0.tgz#45d1b7e506c717ddd482775a2b77920a3c0c57a7"
+  integrity sha512-NWzkk0jSJtTt08+FBFMvXoeZnOJD+jTtsRmBYbAIzJdX6l7dLgR7CTubCM5/eDdPUBvLCeVasP1brfVR/9/EZQ==
+  dependencies:
+    locate-path "^2.0.0"
+
+flat-cache@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/flat-cache/-/flat-cache-2.0.1.tgz#5d296d6f04bda44a4630a301413bdbc2ec085ec0"
+  integrity sha512-LoQe6yDuUMDzQAEH8sgmh4Md6oZnc/7PjtwjNFSzveXqSHt6ka9fPBuso7IGf9Rz4uqnSnWiFH2B/zj24a5ReA==
+  dependencies:
+    flatted "^2.0.0"
+    rimraf "2.6.3"
+    write "1.0.3"
+
+flatted@^2.0.0:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/flatted/-/flatted-2.0.2.tgz#4575b21e2bcee7434aa9be662f4b7b5f9c2b5138"
+  integrity sha512-r5wGx7YeOwNWNlCA0wQ86zKyDLMQr+/RB8xy74M4hTphfmjlijTSSXGuH8rnvKZnfT9i+75zmd8jcKdMR4O6jA==
+
+format@^0.2.0:
+  version "0.2.2"
+  resolved "https://registry.yarnpkg.com/format/-/format-0.2.2.tgz#d6170107e9efdc4ed30c9dc39016df942b5cb58b"
+  integrity sha512-wzsgA6WOq+09wrU1tsJ09udeR/YZRaeArL9e1wPbFg3GG2yDnC2ldKpxs4xunpFF9DgqCqOIra3bc1HWrJ37Ww==
+
+fs.realpath@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f"
+  integrity sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==
+
+function-bind@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
+  integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==
+
+functions-have-names@^1.2.2:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/functions-have-names/-/functions-have-names-1.2.3.tgz#0404fe4ee2ba2f607f0e0ec3c80bae994133b834"
+  integrity sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==
+
+get-intrinsic@^1.0.2, get-intrinsic@^1.1.1:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.2.0.tgz#7ad1dc0535f3a2904bba075772763e5051f6d05f"
+  integrity sha512-L049y6nFOuom5wGyRc3/gdTLO94dySVKRACj1RmJZBQXlbTMhtNIgkWkUHq+jYmZvKf14EW1EoJnnjbmoHij0Q==
+  dependencies:
+    function-bind "^1.1.1"
+    has "^1.0.3"
+    has-symbols "^1.0.3"
+
+get-stdin@^5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/get-stdin/-/get-stdin-5.0.1.tgz#122e161591e21ff4c52530305693f20e6393a398"
+  integrity sha512-jZV7n6jGE3Gt7fgSTJoz91Ak5MuTLwMwkoYdjxuJ/AmjIsE1UC03y/IWkZCQGEvVNS9qoRNwy5BCqxImv0FVeA==
+
+glob-parent@^5.1.2:
+  version "5.1.2"
+  resolved "https://registry.yarnpkg.com/glob-parent/-/glob-parent-5.1.2.tgz#869832c58034fe68a4093c17dc15e8340d8401c4"
+  integrity sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==
+  dependencies:
+    is-glob "^4.0.1"
+
+glob@^7.1.3, glob@^7.2.3:
+  version "7.2.3"
+  resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.3.tgz#b8df0fb802bbfa8e89bd1d938b4e16578ed44f2b"
+  integrity sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==
+  dependencies:
+    fs.realpath "^1.0.0"
+    inflight "^1.0.4"
+    inherits "2"
+    minimatch "^3.1.1"
+    once "^1.3.0"
+    path-is-absolute "^1.0.0"
+
+globby@13.1.3:
+  version "13.1.3"
+  resolved "https://registry.yarnpkg.com/globby/-/globby-13.1.3.tgz#f62baf5720bcb2c1330c8d4ef222ee12318563ff"
+  integrity sha512-8krCNHXvlCgHDpegPzleMq07yMYTO2sXKASmZmquEYWEmCx6J5UTRbp5RwMJkTJGtcQ44YpiUYUiN0b9mzy8Bw==
+  dependencies:
+    dir-glob "^3.0.1"
+    fast-glob "^3.2.11"
+    ignore "^5.2.0"
+    merge2 "^1.4.1"
+    slash "^4.0.0"
+
+graceful-fs@^4.1.2:
+  version "4.2.10"
+  resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.10.tgz#147d3a006da4ca3ce14728c7aefc287c367d7a6c"
+  integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==
+
+has-flag@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/has-flag/-/has-flag-4.0.0.tgz#944771fd9c81c81265c4d6941860da06bb59479b"
+  integrity sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==
+
+has-property-descriptors@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/has-property-descriptors/-/has-property-descriptors-1.0.0.tgz#610708600606d36961ed04c196193b6a607fa861"
+  integrity sha512-62DVLZGoiEBDHQyqG4w9xCuZ7eJEwNmJRWw2VY84Oedb7WFcA27fiEVe8oUQx9hAUJ4ekurquucTGwsyO1XGdQ==
+  dependencies:
+    get-intrinsic "^1.1.1"
+
+has-symbols@^1.0.2, has-symbols@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.0.3.tgz#bb7b2c4349251dce87b125f7bdf874aa7c8b39f8"
+  integrity sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==
+
+has-tostringtag@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/has-tostringtag/-/has-tostringtag-1.0.0.tgz#7e133818a7d394734f941e73c3d3f9291e658b25"
+  integrity sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==
+  dependencies:
+    has-symbols "^1.0.2"
+
+has@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
+  integrity sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==
+  dependencies:
+    function-bind "^1.1.1"
+
+hosted-git-info@^2.1.4:
+  version "2.8.9"
+  resolved "https://registry.yarnpkg.com/hosted-git-info/-/hosted-git-info-2.8.9.tgz#dffc0bf9a21c02209090f2aa69429e1414daf3f9"
+  integrity sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==
+
+ignore@^5.2.0:
+  version "5.2.4"
+  resolved "https://registry.yarnpkg.com/ignore/-/ignore-5.2.4.tgz#a291c0c6178ff1b960befe47fcdec301674a6324"
+  integrity sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==
+
+inflight@^1.0.4:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/inflight/-/inflight-1.0.6.tgz#49bd6331d7d02d0c09bc910a1075ba8165b56df9"
+  integrity sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==
+  dependencies:
+    once "^1.3.0"
+    wrappy "1"
+
+inherits@2:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
+  integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
+
+is-alphabetical@^1.0.0:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/is-alphabetical/-/is-alphabetical-1.0.4.tgz#9e7d6b94916be22153745d184c298cbf986a686d"
+  integrity sha512-DwzsA04LQ10FHTZuL0/grVDk4rFoVH1pjAToYwBrHSxcrBIGQuXrQMtD5U1b0U2XVgKZCTLLP8u2Qxqhy3l2Vg==
+
+is-alphanumerical@^1.0.0:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/is-alphanumerical/-/is-alphanumerical-1.0.4.tgz#7eb9a2431f855f6b1ef1a78e326df515696c4dbf"
+  integrity sha512-UzoZUr+XfVz3t3v4KyGEniVL9BDRoQtY7tOyrRybkVNjDFWyo1yhXNGrrBTQxp3ib9BLAWs7k2YKBQsFRkZG9A==
+  dependencies:
+    is-alphabetical "^1.0.0"
+    is-decimal "^1.0.0"
+
+is-arguments@^1.0.4:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/is-arguments/-/is-arguments-1.1.1.tgz#15b3f88fda01f2a97fec84ca761a560f123efa9b"
+  integrity sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA==
+  dependencies:
+    call-bind "^1.0.2"
+    has-tostringtag "^1.0.0"
+
+is-arrayish@^0.2.1:
+  version "0.2.1"
+  resolved "https://registry.yarnpkg.com/is-arrayish/-/is-arrayish-0.2.1.tgz#77c99840527aa8ecb1a8ba697b80645a7a926a9d"
+  integrity sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg==
+
+is-buffer@^2.0.0:
+  version "2.0.5"
+  resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-2.0.5.tgz#ebc252e400d22ff8d77fa09888821a24a658c191"
+  integrity sha512-i2R6zNFDwgEHJyQUtJEk0XFi1i0dPFn/oqjK3/vPCcDeJvW5NQ83V8QbicfF1SupOaB0h8ntgBC2YiE7dfyctQ==
+
+is-buffer@~1.1.6:
+  version "1.1.6"
+  resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
+  integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==
+
+is-core-module@^2.9.0:
+  version "2.11.0"
+  resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.11.0.tgz#ad4cb3e3863e814523c96f3f58d26cc570ff0144"
+  integrity sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==
+  dependencies:
+    has "^1.0.3"
+
+is-date-object@^1.0.1:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/is-date-object/-/is-date-object-1.0.5.tgz#0841d5536e724c25597bf6ea62e1bd38298df31f"
+  integrity sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ==
+  dependencies:
+    has-tostringtag "^1.0.0"
+
+is-decimal@^1.0.0:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/is-decimal/-/is-decimal-1.0.4.tgz#65a3a5958a1c5b63a706e1b333d7cd9f630d3fa5"
+  integrity sha512-RGdriMmQQvZ2aqaQq3awNA6dCGtKpiDFcOzrTWrDAT2MiWrKQVPmxLGHl7Y2nNu6led0kEyoX0enY0qXYsv9zw==
+
+is-extglob@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/is-extglob/-/is-extglob-2.1.1.tgz#a88c02535791f02ed37c76a1b9ea9773c833f8c2"
+  integrity sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==
+
+is-file@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/is-file/-/is-file-1.0.0.tgz#28a44cfbd9d3db193045f22b65fce8edf9620596"
+  integrity sha512-ZGMuc+xA8mRnrXtmtf2l/EkIW2zaD2LSBWlaOVEF6yH4RTndHob65V4SwWWdtGKVthQfXPVKsXqw4TDUjbVxVQ==
+
+is-fullwidth-code-point@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz#f116f8064fe90b3f7844a38997c0b75051269f1d"
+  integrity sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==
+
+is-glob@^4.0.1:
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/is-glob/-/is-glob-4.0.3.tgz#64f61e42cbbb2eec2071a9dac0b28ba1e65d5084"
+  integrity sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==
+  dependencies:
+    is-extglob "^2.1.1"
+
+is-hexadecimal@^1.0.0:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/is-hexadecimal/-/is-hexadecimal-1.0.4.tgz#cc35c97588da4bd49a8eedd6bc4082d44dcb23a7"
+  integrity sha512-gyPJuv83bHMpocVYoqof5VDiZveEoGoFL8m3BXNb2VW8Xs+rz9kqO8LOQ5DH6EsuvilT1ApazU0pyl+ytbPtlw==
+
+is-number@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/is-number/-/is-number-7.0.0.tgz#7535345b896734d5f80c4d06c50955527a14f12b"
+  integrity sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==
+
+is-plain-obj@^2.0.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-2.1.0.tgz#45e42e37fccf1f40da8e5f76ee21515840c09287"
+  integrity sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA==
+
+is-regex@^1.0.4:
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/is-regex/-/is-regex-1.1.4.tgz#eef5663cd59fa4c0ae339505323df6854bb15958"
+  integrity sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg==
+  dependencies:
+    call-bind "^1.0.2"
+    has-tostringtag "^1.0.0"
+
+is-utf8@^0.2.0:
+  version "0.2.1"
+  resolved "https://registry.yarnpkg.com/is-utf8/-/is-utf8-0.2.1.tgz#4b0da1442104d1b336340e80797e865cf39f7d72"
+  integrity sha512-rMYPYvCzsXywIsldgLaSoPlw5PfoB/ssr7hY4pLfcodrA5M/eArza1a9VmTiNIBNMjOGr1Ow9mTyU2o69U6U9Q==
+
+js-yaml@^3.12.0, js-yaml@^3.14.1:
+  version "3.14.1"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
+  integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
+  dependencies:
+    argparse "^1.0.7"
+    esprima "^4.0.0"
+
+js-yaml@^4.1.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
+  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
+  dependencies:
+    argparse "^2.0.1"
+
+json-parse-better-errors@^1.0.1:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/json-parse-better-errors/-/json-parse-better-errors-1.0.2.tgz#bb867cfb3450e69107c131d1c514bab3dc8bcaa9"
+  integrity sha512-mrqyZKfX5EhL7hvqcV6WG1yYjnjeuYDzDhhcAAUrq8Po85NBQBJP+ZDUT75qZQ98IkUoBqdkExkukOU7Ts2wrw==
+
+json-schema-traverse@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz#ae7bcb3656ab77a73ba5c49bf654f38e6b6860e2"
+  integrity sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==
+
+json5@^2.1.1, json5@^2.2.2:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
+  integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
+
+levn@^0.4.1:
+  version "0.4.1"
+  resolved "https://registry.yarnpkg.com/levn/-/levn-0.4.1.tgz#ae4562c007473b932a6200d403268dd2fffc6ade"
+  integrity sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==
+  dependencies:
+    prelude-ls "^1.2.1"
+    type-check "~0.4.0"
+
+linkify-it@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-4.0.1.tgz#01f1d5e508190d06669982ba31a7d9f56a5751ec"
+  integrity sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==
+  dependencies:
+    uc.micro "^1.0.1"
+
+load-json-file@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-1.1.0.tgz#956905708d58b4bab4c2261b04f59f31c99374c0"
+  integrity sha512-cy7ZdNRXdablkXYNI049pthVeXFurRyb9+hA/dZzerZ0pGTx42z+y+ssxBaVV2l70t1muq5IdKhn4UtcoGUY9A==
+  dependencies:
+    graceful-fs "^4.1.2"
+    parse-json "^2.2.0"
+    pify "^2.0.0"
+    pinkie-promise "^2.0.0"
+    strip-bom "^2.0.0"
+
+load-json-file@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/load-json-file/-/load-json-file-4.0.0.tgz#2f5f45ab91e33216234fd53adab668eb4ec0993b"
+  integrity sha512-Kx8hMakjX03tiGTLAIdJ+lL0htKnXjEZN6hk/tozf/WOuYGdZBJrZ+rCJRbVCugsjB3jMLn9746NsQIf5VjBMw==
+  dependencies:
+    graceful-fs "^4.1.2"
+    parse-json "^4.0.0"
+    pify "^3.0.0"
+    strip-bom "^3.0.0"
+
+locate-path@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/locate-path/-/locate-path-2.0.0.tgz#2b568b265eec944c6d9c0de9c3dbbbca0354cd8e"
+  integrity sha512-NCI2kiDkyR7VeEKm27Kda/iQHyKJe1Bu0FlTbYp3CqJu+9IFe9bLyAjMxf5ZDDbEg+iMPzB5zYyUTSm8wVTKmA==
+  dependencies:
+    p-locate "^2.0.0"
+    path-exists "^3.0.0"
+
+lodash.truncate@^4.4.2:
+  version "4.4.2"
+  resolved "https://registry.yarnpkg.com/lodash.truncate/-/lodash.truncate-4.4.2.tgz#5a350da0b1113b837ecfffd5812cbe58d6eae193"
+  integrity sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==
+
+lodash@^4.17.15, lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
+longest-streak@^2.0.0:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/longest-streak/-/longest-streak-2.0.4.tgz#b8599957da5b5dab64dee3fe316fa774597d90e4"
+  integrity sha512-vM6rUVCVUJJt33bnmHiZEvr7wPT78ztX7rojL+LW51bHtLh6HTjx84LA5W4+oa6aKEJA7jJu5LR6vQRBpA5DVg==
+
+markdown-it@13.0.1:
+  version "13.0.1"
+  resolved "https://registry.yarnpkg.com/markdown-it/-/markdown-it-13.0.1.tgz#c6ecc431cacf1a5da531423fc6a42807814af430"
+  integrity sha512-lTlxriVoy2criHP0JKRhO2VDG9c2ypWCsT237eDiLqi09rmbKoUetyGHq2uOIRoRS//kfoJckS0eUzzkDR+k2Q==
+  dependencies:
+    argparse "^2.0.1"
+    entities "~3.0.1"
+    linkify-it "^4.0.1"
+    mdurl "^1.0.1"
+    uc.micro "^1.0.5"
+
+markdown-table@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-2.0.0.tgz#194a90ced26d31fe753d8b9434430214c011865b"
+  integrity sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==
+  dependencies:
+    repeat-string "^1.0.0"
+
+markdownlint-cli2-formatter-default@0.0.3:
+  version "0.0.3"
+  resolved "https://registry.yarnpkg.com/markdownlint-cli2-formatter-default/-/markdownlint-cli2-formatter-default-0.0.3.tgz#5aecd6e576ad18801b76e58bbbaf0e916c583ab8"
+  integrity sha512-QEAJitT5eqX1SNboOD+SO/LNBpu4P4je8JlR02ug2cLQAqmIhh8IJnSK7AcaHBHhNADqdGydnPpQOpsNcEEqCw==
+
+markdownlint-cli2@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/markdownlint-cli2/-/markdownlint-cli2-0.6.0.tgz#ffa6aee4098e61f781e5e69528db60f7f39f737c"
+  integrity sha512-Bv20r6WGdcHMWi8QvAFZ3CBunf4i4aYmVdTfpAvXODI/1k3f09DZZ0i0LcX9ZMhlVxjoOzbVDz1NWyKc5hwTqg==
+  dependencies:
+    globby "13.1.3"
+    markdownlint "0.27.0"
+    markdownlint-cli2-formatter-default "0.0.3"
+    micromatch "4.0.5"
+    strip-json-comments "5.0.0"
+    yaml "2.2.1"
+
+markdownlint@0.27.0:
+  version "0.27.0"
+  resolved "https://registry.yarnpkg.com/markdownlint/-/markdownlint-0.27.0.tgz#9dabf7710a4999e2835e3c68317f1acd0bc89049"
+  integrity sha512-HtfVr/hzJJmE0C198F99JLaeada+646B5SaG2pVoEakLFI6iRGsvMqrnnrflq8hm1zQgwskEgqSnhDW11JBp0w==
+  dependencies:
+    markdown-it "13.0.1"
+
+md5@^2.3.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/md5/-/md5-2.3.0.tgz#c3da9a6aae3a30b46b7b0c349b87b110dc3bda4f"
+  integrity sha512-T1GITYmFaKuO91vxyoQMFETst+O71VUPEU3ze5GNzDm0OWdP8v1ziTaAEPUr/3kLsY3Sftgz242A1SetQiDL7g==
+  dependencies:
+    charenc "0.0.2"
+    crypt "0.0.2"
+    is-buffer "~1.1.6"
+
+mdast-util-find-and-replace@^1.1.0:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/mdast-util-find-and-replace/-/mdast-util-find-and-replace-1.1.1.tgz#b7db1e873f96f66588c321f1363069abf607d1b5"
+  integrity sha512-9cKl33Y21lyckGzpSmEQnIDjEfeeWelN5s1kUW1LwdB0Fkuq2u+4GdqcGEygYxJE8GVqCl0741bYXHgamfWAZA==
+  dependencies:
+    escape-string-regexp "^4.0.0"
+    unist-util-is "^4.0.0"
+    unist-util-visit-parents "^3.0.0"
+
+mdast-util-footnote@^0.1.0:
+  version "0.1.7"
+  resolved "https://registry.yarnpkg.com/mdast-util-footnote/-/mdast-util-footnote-0.1.7.tgz#4b226caeab4613a3362c144c94af0fdd6f7e0ef0"
+  integrity sha512-QxNdO8qSxqbO2e3m09KwDKfWiLgqyCurdWTQ198NpbZ2hxntdc+VKS4fDJCmNWbAroUdYnSthu+XbZ8ovh8C3w==
+  dependencies:
+    mdast-util-to-markdown "^0.6.0"
+    micromark "~2.11.0"
+
+mdast-util-from-markdown@^0.8.0:
+  version "0.8.5"
+  resolved "https://registry.yarnpkg.com/mdast-util-from-markdown/-/mdast-util-from-markdown-0.8.5.tgz#d1ef2ca42bc377ecb0463a987910dae89bd9a28c"
+  integrity sha512-2hkTXtYYnr+NubD/g6KGBS/0mFmBcifAsI0yIWRiRo0PjVs6SSOSOdtzbp6kSGnShDN6G5aWZpKQ2lWRy27mWQ==
+  dependencies:
+    "@types/mdast" "^3.0.0"
+    mdast-util-to-string "^2.0.0"
+    micromark "~2.11.0"
+    parse-entities "^2.0.0"
+    unist-util-stringify-position "^2.0.0"
+
+mdast-util-frontmatter@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/mdast-util-frontmatter/-/mdast-util-frontmatter-0.2.0.tgz#8bd5cd55e236c03e204a036f7372ebe9e6748240"
+  integrity sha512-FHKL4w4S5fdt1KjJCwB0178WJ0evnyyQr5kXTM3wrOVpytD0hrkvd+AOOjU9Td8onOejCkmZ+HQRT3CZ3coHHQ==
+  dependencies:
+    micromark-extension-frontmatter "^0.2.0"
+
+mdast-util-gfm-autolink-literal@^0.1.0, mdast-util-gfm-autolink-literal@^0.1.3:
+  version "0.1.3"
+  resolved "https://registry.yarnpkg.com/mdast-util-gfm-autolink-literal/-/mdast-util-gfm-autolink-literal-0.1.3.tgz#9c4ff399c5ddd2ece40bd3b13e5447d84e385fb7"
+  integrity sha512-GjmLjWrXg1wqMIO9+ZsRik/s7PLwTaeCHVB7vRxUwLntZc8mzmTsLVr6HW1yLokcnhfURsn5zmSVdi3/xWWu1A==
+  dependencies:
+    ccount "^1.0.0"
+    mdast-util-find-and-replace "^1.1.0"
+    micromark "^2.11.3"
+
+mdast-util-gfm-strikethrough@^0.2.0:
+  version "0.2.3"
+  resolved "https://registry.yarnpkg.com/mdast-util-gfm-strikethrough/-/mdast-util-gfm-strikethrough-0.2.3.tgz#45eea337b7fff0755a291844fbea79996c322890"
+  integrity sha512-5OQLXpt6qdbttcDG/UxYY7Yjj3e8P7X16LzvpX8pIQPYJ/C2Z1qFGMmcw+1PZMUM3Z8wt8NRfYTvCni93mgsgA==
+  dependencies:
+    mdast-util-to-markdown "^0.6.0"
+
+mdast-util-gfm-table@^0.1.0:
+  version "0.1.6"
+  resolved "https://registry.yarnpkg.com/mdast-util-gfm-table/-/mdast-util-gfm-table-0.1.6.tgz#af05aeadc8e5ee004eeddfb324b2ad8c029b6ecf"
+  integrity sha512-j4yDxQ66AJSBwGkbpFEp9uG/LS1tZV3P33fN1gkyRB2LoRL+RR3f76m0HPHaby6F4Z5xr9Fv1URmATlRRUIpRQ==
+  dependencies:
+    markdown-table "^2.0.0"
+    mdast-util-to-markdown "~0.6.0"
+
+mdast-util-gfm-task-list-item@^0.1.0:
+  version "0.1.6"
+  resolved "https://registry.yarnpkg.com/mdast-util-gfm-task-list-item/-/mdast-util-gfm-task-list-item-0.1.6.tgz#70c885e6b9f543ddd7e6b41f9703ee55b084af10"
+  integrity sha512-/d51FFIfPsSmCIRNp7E6pozM9z1GYPIkSy1urQ8s/o4TC22BZ7DqfHFWiqBD23bc7J3vV1Fc9O4QIHBlfuit8A==
+  dependencies:
+    mdast-util-to-markdown "~0.6.0"
+
+mdast-util-gfm@^0.1.0:
+  version "0.1.2"
+  resolved "https://registry.yarnpkg.com/mdast-util-gfm/-/mdast-util-gfm-0.1.2.tgz#8ecddafe57d266540f6881f5c57ff19725bd351c"
+  integrity sha512-NNkhDx/qYcuOWB7xHUGWZYVXvjPFFd6afg6/e2g+SV4r9q5XUcCbV4Wfa3DLYIiD+xAEZc6K4MGaE/m0KDcPwQ==
+  dependencies:
+    mdast-util-gfm-autolink-literal "^0.1.0"
+    mdast-util-gfm-strikethrough "^0.2.0"
+    mdast-util-gfm-table "^0.1.0"
+    mdast-util-gfm-task-list-item "^0.1.0"
+    mdast-util-to-markdown "^0.6.1"
+
+mdast-util-to-markdown@^0.6.0, mdast-util-to-markdown@^0.6.1, mdast-util-to-markdown@~0.6.0:
+  version "0.6.5"
+  resolved "https://registry.yarnpkg.com/mdast-util-to-markdown/-/mdast-util-to-markdown-0.6.5.tgz#b33f67ca820d69e6cc527a93d4039249b504bebe"
+  integrity sha512-XeV9sDE7ZlOQvs45C9UKMtfTcctcaj/pGwH8YLbMHoMOXNNCn2LsqVQOqrF1+/NU8lKDAqozme9SCXWyo9oAcQ==
+  dependencies:
+    "@types/unist" "^2.0.0"
+    longest-streak "^2.0.0"
+    mdast-util-to-string "^2.0.0"
+    parse-entities "^2.0.0"
+    repeat-string "^1.0.0"
+    zwitch "^1.0.0"
+
+mdast-util-to-string@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/mdast-util-to-string/-/mdast-util-to-string-2.0.0.tgz#b8cfe6a713e1091cb5b728fc48885a4767f8b97b"
+  integrity sha512-AW4DRS3QbBayY/jJmD8437V1Gombjf8RSOUCMFBuo5iHi58AGEgVCKQ+ezHkZZDpAQS75hcBMpLqjpJTjtUL7w==
+
+mdurl@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/mdurl/-/mdurl-1.0.1.tgz#fe85b2ec75a59037f2adfec100fd6c601761152e"
+  integrity sha512-/sKlQJCBYVY9Ers9hqzKou4H6V5UWc/M59TH2dvkt+84itfnq7uFOMLpOiOS4ujvHP4etln18fmIxA5R5fll0g==
+
+merge2@^1.3.0, merge2@^1.4.1:
+  version "1.4.1"
+  resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.4.1.tgz#4368892f885e907455a6fd7dc55c0c9d404990ae"
+  integrity sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==
+
+micromark-extension-footnote@^0.3.0:
+  version "0.3.2"
+  resolved "https://registry.yarnpkg.com/micromark-extension-footnote/-/micromark-extension-footnote-0.3.2.tgz#129b74ef4920ce96719b2c06102ee7abb2b88a20"
+  integrity sha512-gr/BeIxbIWQoUm02cIfK7mdMZ/fbroRpLsck4kvFtjbzP4yi+OPVbnukTc/zy0i7spC2xYE/dbX1Sur8BEDJsQ==
+  dependencies:
+    micromark "~2.11.0"
+
+micromark-extension-frontmatter@^0.2.0:
+  version "0.2.2"
+  resolved "https://registry.yarnpkg.com/micromark-extension-frontmatter/-/micromark-extension-frontmatter-0.2.2.tgz#61b8e92e9213e1d3c13f5a59e7862f5ca98dfa53"
+  integrity sha512-q6nPLFCMTLtfsctAuS0Xh4vaolxSFUWUWR6PZSrXXiRy+SANGllpcqdXFv2z07l0Xz/6Hl40hK0ffNCJPH2n1A==
+  dependencies:
+    fault "^1.0.0"
+
+micromark-extension-gfm-autolink-literal@~0.5.0:
+  version "0.5.7"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm-autolink-literal/-/micromark-extension-gfm-autolink-literal-0.5.7.tgz#53866c1f0c7ef940ae7ca1f72c6faef8fed9f204"
+  integrity sha512-ePiDGH0/lhcngCe8FtH4ARFoxKTUelMp4L7Gg2pujYD5CSMb9PbblnyL+AAMud/SNMyusbS2XDSiPIRcQoNFAw==
+  dependencies:
+    micromark "~2.11.3"
+
+micromark-extension-gfm-strikethrough@~0.6.5:
+  version "0.6.5"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm-strikethrough/-/micromark-extension-gfm-strikethrough-0.6.5.tgz#96cb83356ff87bf31670eefb7ad7bba73e6514d1"
+  integrity sha512-PpOKlgokpQRwUesRwWEp+fHjGGkZEejj83k9gU5iXCbDG+XBA92BqnRKYJdfqfkrRcZRgGuPuXb7DaK/DmxOhw==
+  dependencies:
+    micromark "~2.11.0"
+
+micromark-extension-gfm-table@~0.4.0:
+  version "0.4.3"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm-table/-/micromark-extension-gfm-table-0.4.3.tgz#4d49f1ce0ca84996c853880b9446698947f1802b"
+  integrity sha512-hVGvESPq0fk6ALWtomcwmgLvH8ZSVpcPjzi0AjPclB9FsVRgMtGZkUcpE0zgjOCFAznKepF4z3hX8z6e3HODdA==
+  dependencies:
+    micromark "~2.11.0"
+
+micromark-extension-gfm-tagfilter@~0.3.0:
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm-tagfilter/-/micromark-extension-gfm-tagfilter-0.3.0.tgz#d9f26a65adee984c9ccdd7e182220493562841ad"
+  integrity sha512-9GU0xBatryXifL//FJH+tAZ6i240xQuFrSL7mYi8f4oZSbc+NvXjkrHemeYP0+L4ZUT+Ptz3b95zhUZnMtoi/Q==
+
+micromark-extension-gfm-task-list-item@~0.3.0:
+  version "0.3.3"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm-task-list-item/-/micromark-extension-gfm-task-list-item-0.3.3.tgz#d90c755f2533ed55a718129cee11257f136283b8"
+  integrity sha512-0zvM5iSLKrc/NQl84pZSjGo66aTGd57C1idmlWmE87lkMcXrTxg1uXa/nXomxJytoje9trP0NDLvw4bZ/Z/XCQ==
+  dependencies:
+    micromark "~2.11.0"
+
+micromark-extension-gfm@^0.3.0:
+  version "0.3.3"
+  resolved "https://registry.yarnpkg.com/micromark-extension-gfm/-/micromark-extension-gfm-0.3.3.tgz#36d1a4c089ca8bdfd978c9bd2bf1a0cb24e2acfe"
+  integrity sha512-oVN4zv5/tAIA+l3GbMi7lWeYpJ14oQyJ3uEim20ktYFAcfX1x3LNlFGGlmrZHt7u9YlKExmyJdDGaTt6cMSR/A==
+  dependencies:
+    micromark "~2.11.0"
+    micromark-extension-gfm-autolink-literal "~0.5.0"
+    micromark-extension-gfm-strikethrough "~0.6.5"
+    micromark-extension-gfm-table "~0.4.0"
+    micromark-extension-gfm-tagfilter "~0.3.0"
+    micromark-extension-gfm-task-list-item "~0.3.0"
+
+micromark@^2.11.3, micromark@~2.11.0, micromark@~2.11.3:
+  version "2.11.4"
+  resolved "https://registry.yarnpkg.com/micromark/-/micromark-2.11.4.tgz#d13436138eea826383e822449c9a5c50ee44665a"
+  integrity sha512-+WoovN/ppKolQOFIAajxi7Lu9kInbPxFuTBVEavFcL8eAfVstoc5MocPmqBeAdBOJV00uaVjegzH4+MA0DN/uA==
+  dependencies:
+    debug "^4.0.0"
+    parse-entities "^2.0.0"
+
+micromatch@4.0.5, micromatch@^4.0.4:
+  version "4.0.5"
+  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.5.tgz#bc8999a7cbbf77cdc89f132f6e467051b49090c6"
+  integrity sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==
+  dependencies:
+    braces "^3.0.2"
+    picomatch "^2.3.1"
+
+minimatch@^3.1.1:
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
+  dependencies:
+    brace-expansion "^1.1.7"
+
+minimist@^1.2.6:
+  version "1.2.8"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
+  integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
+
+misspellings@^1.0.1:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/misspellings/-/misspellings-1.1.0.tgz#53d500266cbd09cda9d94c4cf392e60589b5b324"
+  integrity sha512-4QT2u/8X7PccbiHUcsZeEZrt3jGIVEpfcQ1RU01wDHKHVNtNhaP+0Xmsg7YPxD7OCc8bO802BTEWeGPvAXBwuw==
+
+mkdirp@^0.5.1, mkdirp@^0.5.6:
+  version "0.5.6"
+  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.6.tgz#7def03d2432dcae4ba1d611445c48396062255f6"
+  integrity sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==
+  dependencies:
+    minimist "^1.2.6"
+
+ms@2.1.2:
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
+  integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==
+
+normalize-package-data@^2.3.2:
+  version "2.5.0"
+  resolved "https://registry.yarnpkg.com/normalize-package-data/-/normalize-package-data-2.5.0.tgz#e66db1838b200c1dfc233225d12cb36520e234a8"
+  integrity sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==
+  dependencies:
+    hosted-git-info "^2.1.4"
+    resolve "^1.10.0"
+    semver "2 || 3 || 4 || 5"
+    validate-npm-package-license "^3.0.1"
+
+object-is@^1.0.1:
+  version "1.1.5"
+  resolved "https://registry.yarnpkg.com/object-is/-/object-is-1.1.5.tgz#b9deeaa5fc7f1846a0faecdceec138e5778f53ac"
+  integrity sha512-3cyDsyHgtmi7I7DfSSI2LDp6SK2lwvtbg0p0R1e0RvTqF5ceGx+K2dfSjm1bKDMVCFEDAQvy+o8c6a7VujOddw==
+  dependencies:
+    call-bind "^1.0.2"
+    define-properties "^1.1.3"
+
+object-keys@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-1.1.1.tgz#1c47f272df277f3b1daf061677d9c82e2322c60e"
+  integrity sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==
+
+once@^1.3.0:
+  version "1.4.0"
+  resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
+  integrity sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==
+  dependencies:
+    wrappy "1"
+
+optionator@^0.9.1:
+  version "0.9.1"
+  resolved "https://registry.yarnpkg.com/optionator/-/optionator-0.9.1.tgz#4f236a6373dae0566a6d43e1326674f50c291499"
+  integrity sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==
+  dependencies:
+    deep-is "^0.1.3"
+    fast-levenshtein "^2.0.6"
+    levn "^0.4.1"
+    prelude-ls "^1.2.1"
+    type-check "^0.4.0"
+    word-wrap "^1.2.3"
+
+p-limit@^1.1.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-1.3.0.tgz#b86bd5f0c25690911c7590fcbfc2010d54b3ccb8"
+  integrity sha512-vvcXsLAJ9Dr5rQOPk7toZQZJApBl2K4J6dANSsEuh6QI41JYcsS/qhTGa9ErIUUgK3WNQoJYvylxvjqmiqEA9Q==
+  dependencies:
+    p-try "^1.0.0"
+
+p-locate@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/p-locate/-/p-locate-2.0.0.tgz#20a0103b222a70c8fd39cc2e580680f3dde5ec43"
+  integrity sha512-nQja7m7gSKuewoVRen45CtVfODR3crN3goVQ0DDZ9N3yHxgpkuBhZqsaiotSQRrADUrne346peY7kT3TSACykg==
+  dependencies:
+    p-limit "^1.1.0"
+
+p-try@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/p-try/-/p-try-1.0.0.tgz#cbc79cdbaf8fd4228e13f621f2b1a237c1b207b3"
+  integrity sha512-U1etNYuMJoIz3ZXSrrySFjsXQTWOx2/jdi86L+2pRvph/qMKL6sbcCYdH23fqsbm8TH2Gn0OybpT4eSFlCVHww==
+
+parse-entities@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/parse-entities/-/parse-entities-2.0.0.tgz#53c6eb5b9314a1f4ec99fa0fdf7ce01ecda0cbe8"
+  integrity sha512-kkywGpCcRYhqQIchaWqZ875wzpS/bMKhz5HnN3p7wveJTkTtyAB/AlnS0f8DFSqYW1T82t6yEAkEcB+A1I3MbQ==
+  dependencies:
+    character-entities "^1.0.0"
+    character-entities-legacy "^1.0.0"
+    character-reference-invalid "^1.0.0"
+    is-alphanumerical "^1.0.0"
+    is-decimal "^1.0.0"
+    is-hexadecimal "^1.0.0"
+
+parse-json@^2.2.0:
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-2.2.0.tgz#f480f40434ef80741f8469099f8dea18f55a4dc9"
+  integrity sha512-QR/GGaKCkhwk1ePQNYDRKYZ3mwU9ypsKhB0XyFnLQdomyEqk3e8wpW3V5Jp88zbxK4n5ST1nqo+g9juTpownhQ==
+  dependencies:
+    error-ex "^1.2.0"
+
+parse-json@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/parse-json/-/parse-json-4.0.0.tgz#be35f5425be1f7f6c747184f98a788cb99477ee0"
+  integrity sha512-aOIos8bujGN93/8Ox/jPLh7RwVnPEysynVFE+fQZyg6jKELEHwzgKdLRFHUgXJL6kylijVSBC4BvN9OmsB48Rw==
+  dependencies:
+    error-ex "^1.3.1"
+    json-parse-better-errors "^1.0.1"
+
+path-exists@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-3.0.0.tgz#ce0ebeaa5f78cb18925ea7d810d7b59b010fd515"
+  integrity sha512-bpC7GYwiDYQ4wYLe+FA8lhRjhQCMcQGuSgGGqDkg/QerRWw9CmGRT0iSOVRSZJ29NMLZgIzqaljJ63oaL4NIJQ==
+
+path-is-absolute@^1.0.0:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz#174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f"
+  integrity sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==
+
+path-parse@^1.0.7:
+  version "1.0.7"
+  resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.7.tgz#fbc114b60ca42b30d9daf5858e4bd68bbedb6735"
+  integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==
+
+path-to-glob-pattern@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/path-to-glob-pattern/-/path-to-glob-pattern-1.0.2.tgz#473e6a3a292a9d13fbae3edccee72d3baba8c619"
+  integrity sha512-ryF65N5MBB9XOjE5mMOi+0bMrh1F0ORQmqDSSERvv5zD62Cfc5QC6rK1AR1xuDIG1I091CkNENblbteWy1bXgw==
+
+path-type@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/path-type/-/path-type-1.1.0.tgz#59c44f7ee491da704da415da5a4070ba4f8fe441"
+  integrity sha512-S4eENJz1pkiQn9Znv33Q+deTOKmbl+jj1Fl+qiP/vYezj+S8x+J3Uo0ISrx/QoEvIlOaDWJhPaRd1flJ9HXZqg==
+  dependencies:
+    graceful-fs "^4.1.2"
+    pify "^2.0.0"
+    pinkie-promise "^2.0.0"
+
+path-type@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/path-type/-/path-type-3.0.0.tgz#cef31dc8e0a1a3bb0d105c0cd97cf3bf47f4e36f"
+  integrity sha512-T2ZUsdZFHgA3u4e5PfPbjd7HDDpxPnQb5jN0SrDsjNSuVXHJqtwTnWqG0B1jZrgmJ/7lj1EmVIByWt1gxGkWvg==
+  dependencies:
+    pify "^3.0.0"
+
+path-type@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/path-type/-/path-type-4.0.0.tgz#84ed01c0a7ba380afe09d90a8c180dcd9d03043b"
+  integrity sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==
+
+picomatch@^2.3.1:
+  version "2.3.1"
+  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
+  integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==
+
+pify@^2.0.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/pify/-/pify-2.3.0.tgz#ed141a6ac043a849ea588498e7dca8b15330e90c"
+  integrity sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==
+
+pify@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/pify/-/pify-3.0.0.tgz#e5a4acd2c101fdf3d9a4d07f0dbc4db49dd28176"
+  integrity sha512-C3FsVNH1udSEX48gGX1xfvwTWfsYWj5U+8/uK15BGzIGrKoUpghX8hWZwa/OFnakBiiVNmBvemTJR5mcy7iPcg==
+
+pinkie-promise@^2.0.0:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/pinkie-promise/-/pinkie-promise-2.0.1.tgz#2135d6dfa7a358c069ac9b178776288228450ffa"
+  integrity sha512-0Gni6D4UcLTbv9c57DfxDGdr41XfgUjqWZu492f0cIGr16zDU06BWP/RAEvOuo7CQ0CNjHaLlM59YJJFm3NWlw==
+  dependencies:
+    pinkie "^2.0.0"
+
+pinkie@^2.0.0:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/pinkie/-/pinkie-2.0.4.tgz#72556b80cfa0d48a974e80e77248e80ed4f7f870"
+  integrity sha512-MnUuEycAemtSaeFSjXKW/aroV7akBbY+Sv+RkyqFjgAe73F+MR0TBWKBRDkmfWq/HiFmdavfZ1G7h4SPZXaCSg==
+
+pluralize@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/pluralize/-/pluralize-2.0.0.tgz#72b726aa6fac1edeee42256c7d8dc256b335677f"
+  integrity sha512-TqNZzQCD4S42De9IfnnBvILN7HAW7riLqsCyp8lgjXeysyPlX5HhqKAcJHHHb9XskE4/a+7VGC9zzx8Ls0jOAw==
+
+prelude-ls@^1.2.1:
+  version "1.2.1"
+  resolved "https://registry.yarnpkg.com/prelude-ls/-/prelude-ls-1.2.1.tgz#debc6489d7a6e6b0e7611888cec880337d316396"
+  integrity sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==
+
+punycode@^2.1.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.3.0.tgz#f67fa67c94da8f4d0cfff981aee4118064199b8f"
+  integrity sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==
+
+queue-microtask@^1.2.2:
+  version "1.2.3"
+  resolved "https://registry.yarnpkg.com/queue-microtask/-/queue-microtask-1.2.3.tgz#4929228bbc724dfac43e0efb058caf7b6cfb6243"
+  integrity sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==
+
+rc-config-loader@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/rc-config-loader/-/rc-config-loader-3.0.0.tgz#1484ed55d6fb8b21057699c8426370f7529c52a7"
+  integrity sha512-bwfUSB37TWkHfP+PPjb/x8BUjChFmmBK44JMfVnU7paisWqZl/o5k7ttCH+EQLnrbn2Aq8Fo1LAsyUiz+WF4CQ==
+  dependencies:
+    debug "^4.1.1"
+    js-yaml "^3.12.0"
+    json5 "^2.1.1"
+    require-from-string "^2.0.2"
+
+rc-config-loader@^4.1.2:
+  version "4.1.2"
+  resolved "https://registry.yarnpkg.com/rc-config-loader/-/rc-config-loader-4.1.2.tgz#e57fc874bde9b1e48d8a8564f2f824f91eafd920"
+  integrity sha512-qKTnVWFl9OQYKATPzdfaZIbTxcHziQl92zYSxYC6umhOqyAsoj8H8Gq/+aFjAso68sBdjTz3A7omqeAkkF1MWg==
+  dependencies:
+    debug "^4.3.4"
+    js-yaml "^4.1.0"
+    json5 "^2.2.2"
+    require-from-string "^2.0.2"
+
+read-pkg-up@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/read-pkg-up/-/read-pkg-up-3.0.0.tgz#3ed496685dba0f8fe118d0691dc51f4a1ff96f07"
+  integrity sha512-YFzFrVvpC6frF1sz8psoHDBGF7fLPc+llq/8NB43oagqWkx8ar5zYtsTORtOjw9W2RHLpWP+zTWwBvf1bCmcSw==
+  dependencies:
+    find-up "^2.0.0"
+    read-pkg "^3.0.0"
+
+read-pkg@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-1.1.0.tgz#f5ffaa5ecd29cb31c0474bca7d756b6bb29e3f28"
+  integrity sha512-7BGwRHqt4s/uVbuyoeejRn4YmFnYZiFl4AuaeXHlgZf3sONF0SOGlxs2Pw8g6hCKupo08RafIO5YXFNOKTfwsQ==
+  dependencies:
+    load-json-file "^1.0.0"
+    normalize-package-data "^2.3.2"
+    path-type "^1.0.0"
+
+read-pkg@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/read-pkg/-/read-pkg-3.0.0.tgz#9cbc686978fee65d16c00e2b19c237fcf6e38389"
+  integrity sha512-BLq/cCO9two+lBgiTYNqD6GdtK8s4NpaWrl6/rCO9w0TUS8oJl7cmToOZfRYllKTISY6nt1U7jQ53brmKqY6BA==
+  dependencies:
+    load-json-file "^4.0.0"
+    normalize-package-data "^2.3.2"
+    path-type "^3.0.0"
+
+regexp.prototype.flags@^1.2.0:
+  version "1.4.3"
+  resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz#87cab30f80f66660181a3bb7bf5981a872b367ac"
+  integrity sha512-fjggEOO3slI6Wvgjwflkc4NFRCTZAu5CnNfBd5qOMYhWdn67nJBBu34/TkD++eeFmd8C9r9jfXJ27+nSiRkSUA==
+  dependencies:
+    call-bind "^1.0.2"
+    define-properties "^1.1.3"
+    functions-have-names "^1.2.2"
+
+remark-footnotes@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/remark-footnotes/-/remark-footnotes-3.0.0.tgz#5756b56f8464fa7ed80dbba0c966136305d8cb8d"
+  integrity sha512-ZssAvH9FjGYlJ/PBVKdSmfyPc3Cz4rTWgZLI4iE/SX8Nt5l3o3oEjv3wwG5VD7xOjktzdwp5coac+kJV9l4jgg==
+  dependencies:
+    mdast-util-footnote "^0.1.0"
+    micromark-extension-footnote "^0.3.0"
+
+remark-frontmatter@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/remark-frontmatter/-/remark-frontmatter-3.0.0.tgz#ca5d996361765c859bd944505f377d6b186a6ec6"
+  integrity sha512-mSuDd3svCHs+2PyO29h7iijIZx4plX0fheacJcAoYAASfgzgVIcXGYSq9GFyYocFLftQs8IOmmkgtOovs6d4oA==
+  dependencies:
+    mdast-util-frontmatter "^0.2.0"
+    micromark-extension-frontmatter "^0.2.0"
+
+remark-gfm@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/remark-gfm/-/remark-gfm-1.0.0.tgz#9213643001be3f277da6256464d56fd28c3b3c0d"
+  integrity sha512-KfexHJCiqvrdBZVbQ6RopMZGwaXz6wFJEfByIuEwGf0arvITHjiKKZ1dpXujjH9KZdm1//XJQwgfnJ3lmXaDPA==
+  dependencies:
+    mdast-util-gfm "^0.1.0"
+    micromark-extension-gfm "^0.3.0"
+
+remark-parse@^9.0.0:
+  version "9.0.0"
+  resolved "https://registry.yarnpkg.com/remark-parse/-/remark-parse-9.0.0.tgz#4d20a299665880e4f4af5d90b7c7b8a935853640"
+  integrity sha512-geKatMwSzEXKHuzBNU1z676sGcDcFoChMK38TgdHJNAYfFtsfHDQG7MoJAjs6sgYMqyLduCYWDIWZIxiPeafEw==
+  dependencies:
+    mdast-util-from-markdown "^0.8.0"
+
+repeat-string@^1.0.0:
+  version "1.6.1"
+  resolved "https://registry.yarnpkg.com/repeat-string/-/repeat-string-1.6.1.tgz#8dcae470e1c88abc2d600fff4a776286da75e637"
+  integrity sha512-PV0dzCYDNfRi1jCDbJzpW7jNNDRuCOG/jI5ctQcGKt/clZD+YcPS3yIlWuTJMmESC8aevCFmWJy5wjAFgNqN6w==
+
+require-from-string@^2.0.2:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/require-from-string/-/require-from-string-2.0.2.tgz#89a7fdd938261267318eafe14f9c32e598c36909"
+  integrity sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==
+
+resolve@^1.10.0:
+  version "1.22.1"
+  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.22.1.tgz#27cb2ebb53f91abb49470a928bba7558066ac177"
+  integrity sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==
+  dependencies:
+    is-core-module "^2.9.0"
+    path-parse "^1.0.7"
+    supports-preserve-symlinks-flag "^1.0.0"
+
+reusify@^1.0.4:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/reusify/-/reusify-1.0.4.tgz#90da382b1e126efc02146e90845a88db12925d76"
+  integrity sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==
+
+rimraf@2.6.3:
+  version "2.6.3"
+  resolved "https://registry.yarnpkg.com/rimraf/-/rimraf-2.6.3.tgz#b2d104fe0d8fb27cf9e0a1cda8262dd3833c6cab"
+  integrity sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==
+  dependencies:
+    glob "^7.1.3"
+
+run-parallel@^1.1.9:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/run-parallel/-/run-parallel-1.2.0.tgz#66d1368da7bdf921eb9d95bd1a9229e7f21a43ee"
+  integrity sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==
+  dependencies:
+    queue-microtask "^1.2.2"
+
+"semver@2 || 3 || 4 || 5":
+  version "5.7.2"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8"
+  integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==
+
+slash@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/slash/-/slash-4.0.0.tgz#2422372176c4c6c5addb5e2ada885af984b396a7"
+  integrity sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==
+
+slice-ansi@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/slice-ansi/-/slice-ansi-4.0.0.tgz#500e8dd0fd55b05815086255b3195adf2a45fe6b"
+  integrity sha512-qMCMfhY040cVHT43K9BFygqYbUPFZKHOg7K73mtTWJRb8pyP3fzf4Ixd5SzdEJQ6MRUg/WBnOLxghZtKKurENQ==
+  dependencies:
+    ansi-styles "^4.0.0"
+    astral-regex "^2.0.0"
+    is-fullwidth-code-point "^3.0.0"
+
+spdx-correct@^3.0.0:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/spdx-correct/-/spdx-correct-3.1.1.tgz#dece81ac9c1e6713e5f7d1b6f17d468fa53d89a9"
+  integrity sha512-cOYcUWwhCuHCXi49RhFRCyJEK3iPj1Ziz9DpViV3tbZOwXD49QzIN3MpOLJNxh2qwq2lJJZaKMVw9qNi4jTC0w==
+  dependencies:
+    spdx-expression-parse "^3.0.0"
+    spdx-license-ids "^3.0.0"
+
+spdx-exceptions@^2.1.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/spdx-exceptions/-/spdx-exceptions-2.3.0.tgz#3f28ce1a77a00372683eade4a433183527a2163d"
+  integrity sha512-/tTrYOC7PPI1nUAgx34hUpqXuyJG+DTHJTnIULG4rDygi4xu/tfgmq1e1cIRwRzwZgo4NLySi+ricLkZkw4i5A==
+
+spdx-expression-parse@^3.0.0:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz#cf70f50482eefdc98e3ce0a6833e4a53ceeba679"
+  integrity sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==
+  dependencies:
+    spdx-exceptions "^2.1.0"
+    spdx-license-ids "^3.0.0"
+
+spdx-license-ids@^3.0.0:
+  version "3.0.12"
+  resolved "https://registry.yarnpkg.com/spdx-license-ids/-/spdx-license-ids-3.0.12.tgz#69077835abe2710b65f03969898b6637b505a779"
+  integrity sha512-rr+VVSXtRhO4OHbXUiAF7xW3Bo9DuuF6C5jH+q/x15j2jniycgKbxU09Hr0WqlSLUs4i4ltHGXqTe7VHclYWyA==
+
+sprintf-js@~1.0.2:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
+  integrity sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==
+
+string-width@^4.2.3:
+  version "4.2.3"
+  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
+  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
+  dependencies:
+    emoji-regex "^8.0.0"
+    is-fullwidth-code-point "^3.0.0"
+    strip-ansi "^6.0.1"
+
+strip-ansi@^6.0.1:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
+  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
+  dependencies:
+    ansi-regex "^5.0.1"
+
+strip-bom@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/strip-bom/-/strip-bom-2.0.0.tgz#6219a85616520491f35788bdbf1447a99c7e6b0e"
+  integrity sha512-kwrX1y7czp1E69n2ajbG65mIo9dqvJ+8aBQXOGVxqwvNbsXdFM6Lq37dLAY3mknUwru8CfcCbfOLL/gMo+fi3g==
+  dependencies:
+    is-utf8 "^0.2.0"
+
+strip-bom@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/strip-bom/-/strip-bom-3.0.0.tgz#2334c18e9c759f7bdd56fdef7e9ae3d588e68ed3"
+  integrity sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==
+
+strip-json-comments@5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-5.0.0.tgz#ec101b766476a703031bc607e3c712569de2aa06"
+  integrity sha512-V1LGY4UUo0jgwC+ELQ2BNWfPa17TIuwBLg+j1AA/9RPzKINl1lhxVEu2r+ZTTO8aetIsUzE5Qj6LMSBkoGYKKw==
+
+strip-json-comments@^3.0.1:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006"
+  integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==
+
+structured-source@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/structured-source/-/structured-source-4.0.0.tgz#0c9e59ee43dedd8fc60a63731f60e358102a4948"
+  integrity sha512-qGzRFNJDjFieQkl/sVOI2dUjHKRyL9dAJi2gCPGJLbJHBIkyOHxjuocpIEfbLioX+qSJpvbYdT49/YCdMznKxA==
+  dependencies:
+    boundary "^2.0.0"
+
+supports-color@^7.1.0:
+  version "7.2.0"
+  resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-7.2.0.tgz#1b7dcdcb32b8138801b3e478ba6a51caa89648da"
+  integrity sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==
+  dependencies:
+    has-flag "^4.0.0"
+
+supports-preserve-symlinks-flag@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz#6eda4bd344a3c94aea376d4cc31bc77311039e09"
+  integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
+
+table@^6.8.1:
+  version "6.8.1"
+  resolved "https://registry.yarnpkg.com/table/-/table-6.8.1.tgz#ea2b71359fe03b017a5fbc296204471158080bdf"
+  integrity sha512-Y4X9zqrCftUhMeH2EptSSERdVKt/nEdijTOacGD/97EKjhQ/Qs8RTlEGABSJNNN8lac9kheH+af7yAkEWlgneA==
+  dependencies:
+    ajv "^8.0.1"
+    lodash.truncate "^4.4.2"
+    slice-ansi "^4.0.0"
+    string-width "^4.2.3"
+    strip-ansi "^6.0.1"
+
+text-table@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/text-table/-/text-table-0.2.0.tgz#7f5ee823ae805207c00af2df4a84ec3fcfa570b4"
+  integrity sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==
+
+textlint-rule-common-misspellings@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/textlint-rule-common-misspellings/-/textlint-rule-common-misspellings-1.0.1.tgz#8c4133cf3bb59aa159199d2c9bced12413365774"
+  integrity sha512-f5KWhQFJzJBUX3RirAS25aSkAaaOHeSHtBeb7d49O+vxnAX3dZBS5DB/e5M1kR4tifW4qae64oqWZygoGYWkjQ==
+  dependencies:
+    misspellings "^1.0.1"
+    textlint-rule-helper "^1.1.5"
+
+textlint-rule-helper@^1.1.5:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/textlint-rule-helper/-/textlint-rule-helper-1.2.0.tgz#be68d47a5146b16dd116278c9aeb7bd35631ccda"
+  integrity sha512-yJmVbmyuUPOndKsxOijpx/G7mwybXXf4M10U2up0BeIZSN+6drUl+aSKAoC+RUHY7bG4ogLwRcmWoNG1lSrRIQ==
+  dependencies:
+    unist-util-visit "^1.1.0"
+
+textlint-rule-helper@^2.0.0, textlint-rule-helper@^2.1.1:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/textlint-rule-helper/-/textlint-rule-helper-2.3.0.tgz#5ab84db686d42fd2e39a63b40310501bb336520d"
+  integrity sha512-Ug78Saahb/qVImttL0NSFyT5/JJ5wXvOPepR2pYAjNi54BsQAAz/hAyyEgKuYeR0+yjFb0KPhby4f880X5vqHA==
+  dependencies:
+    "@textlint/ast-node-types" "^13.0.2"
+    structured-source "^4.0.0"
+    unist-util-visit "^2.0.3"
+
+textlint-rule-no-todo@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/textlint-rule-no-todo/-/textlint-rule-no-todo-2.0.1.tgz#86351ed3521ce8faa3b8224f88887f3cecbf2920"
+  integrity sha512-+adoWaBgoTN2g0WNcrERhVq7gdPKQIf1z7Ol+6XwMGv8XmuoFp5vJljHKtCmJBmGhBihjty2b8oaza2MY6UNlw==
+  dependencies:
+    textlint-rule-helper "^2.0.0"
+
+textlint-rule-terminology@^3.0.4:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/textlint-rule-terminology/-/textlint-rule-terminology-3.0.4.tgz#5e51fffe4dc5d1f82c2fa0482137e5c75a7eaaae"
+  integrity sha512-obQ3y0hqX6OWCrM8K5K6WSJGE4BOyNfGF6hUGPet56taTm/xzkRu8XA6vpn2GFr4zom/oMa0sBJ3OtDWCgrS/g==
+  dependencies:
+    lodash "^4.17.15"
+    strip-json-comments "^3.0.1"
+    textlint-rule-helper "^2.1.1"
+
+textlint@^12.5.1:
+  version "12.6.1"
+  resolved "https://registry.yarnpkg.com/textlint/-/textlint-12.6.1.tgz#a8eb605ddfc45f7504e4876e4c50d1a1d5d25cbc"
+  integrity sha512-ro33XJnA9UpQVeheGbPalYa5qpyA2R2yZdIgfC8xEvlOTF5SWJkdeNMm24Ml6d36bgwbqIO2yISKu7vlzBxHRA==
+  dependencies:
+    "@textlint/ast-node-types" "^12.6.1"
+    "@textlint/ast-traverse" "^12.6.1"
+    "@textlint/config-loader" "^12.6.1"
+    "@textlint/feature-flag" "^12.6.1"
+    "@textlint/fixer-formatter" "^12.6.1"
+    "@textlint/kernel" "^12.6.1"
+    "@textlint/linter-formatter" "^12.6.1"
+    "@textlint/module-interop" "^12.6.1"
+    "@textlint/textlint-plugin-markdown" "^12.6.1"
+    "@textlint/textlint-plugin-text" "^12.6.1"
+    "@textlint/types" "^12.6.1"
+    "@textlint/utils" "^12.6.1"
+    debug "^4.3.4"
+    deep-equal "^1.1.1"
+    file-entry-cache "^5.0.1"
+    get-stdin "^5.0.1"
+    glob "^7.2.3"
+    is-file "^1.0.0"
+    md5 "^2.3.0"
+    mkdirp "^0.5.6"
+    optionator "^0.9.1"
+    path-to-glob-pattern "^1.0.2"
+    rc-config-loader "^3.0.0"
+    read-pkg "^1.1.0"
+    read-pkg-up "^3.0.0"
+    structured-source "^4.0.0"
+    try-resolve "^1.0.1"
+    unique-concat "^0.2.2"
+
+to-regex-range@^5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/to-regex-range/-/to-regex-range-5.0.1.tgz#1648c44aae7c8d988a326018ed72f5b4dd0392e4"
+  integrity sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==
+  dependencies:
+    is-number "^7.0.0"
+
+traverse@^0.6.7:
+  version "0.6.7"
+  resolved "https://registry.yarnpkg.com/traverse/-/traverse-0.6.7.tgz#46961cd2d57dd8706c36664acde06a248f1173fe"
+  integrity sha512-/y956gpUo9ZNCb99YjxG7OaslxZWHfCHAUUfshwqOXmxUIvqLjVO581BT+gM59+QV9tFe6/CGG53tsA1Y7RSdg==
+
+trough@^1.0.0:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/trough/-/trough-1.0.5.tgz#b8b639cefad7d0bb2abd37d433ff8293efa5f406"
+  integrity sha512-rvuRbTarPXmMb79SmzEp8aqXNKcK+y0XaB298IXueQ8I2PsrATcPBCSPyK/dDNa2iWOhKlfNnOjdAOTBU/nkFA==
+
+try-resolve@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/try-resolve/-/try-resolve-1.0.1.tgz#cfde6fabd72d63e5797cfaab873abbe8e700e912"
+  integrity sha512-yHeaPjCBzVaXwWl5IMUapTaTC2rn/eBYg2fsG2L+CvJd+ttFbk0ylDnpTO3wVhosmE1tQEvcebbBeKLCwScQSQ==
+
+type-check@^0.4.0, type-check@~0.4.0:
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/type-check/-/type-check-0.4.0.tgz#07b8203bfa7056c0657050e3ccd2c37730bab8f1"
+  integrity sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==
+  dependencies:
+    prelude-ls "^1.2.1"
+
+uc.micro@^1.0.1, uc.micro@^1.0.5:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-1.0.6.tgz#9c411a802a409a91fc6cf74081baba34b24499ac"
+  integrity sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==
+
+unified@^9.2.2:
+  version "9.2.2"
+  resolved "https://registry.yarnpkg.com/unified/-/unified-9.2.2.tgz#67649a1abfc3ab85d2969502902775eb03146975"
+  integrity sha512-Sg7j110mtefBD+qunSLO1lqOEKdrwBFBrR6Qd8f4uwkhWNlbkaqwHse6e7QvD3AP/MNoJdEDLaf8OxYyoWgorQ==
+  dependencies:
+    bail "^1.0.0"
+    extend "^3.0.0"
+    is-buffer "^2.0.0"
+    is-plain-obj "^2.0.0"
+    trough "^1.0.0"
+    vfile "^4.0.0"
+
+unique-concat@^0.2.2:
+  version "0.2.2"
+  resolved "https://registry.yarnpkg.com/unique-concat/-/unique-concat-0.2.2.tgz#9210f9bdcaacc5e1e3929490d7c019df96f18712"
+  integrity sha512-nFT3frbsvTa9rrc71FJApPqXF8oIhVHbX3IWgObQi1mF7WrW48Ys70daL7o4evZUtmUf6Qn6WK0LbHhyO0hpXw==
+
+unist-util-is@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/unist-util-is/-/unist-util-is-3.0.0.tgz#d9e84381c2468e82629e4a5be9d7d05a2dd324cd"
+  integrity sha512-sVZZX3+kspVNmLWBPAB6r+7D9ZgAFPNWm66f7YNb420RlQSbn+n8rG8dGZSkrER7ZIXGQYNm5pqC3v3HopH24A==
+
+unist-util-is@^4.0.0:
+  version "4.1.0"
+  resolved "https://registry.yarnpkg.com/unist-util-is/-/unist-util-is-4.1.0.tgz#976e5f462a7a5de73d94b706bac1b90671b57797"
+  integrity sha512-ZOQSsnce92GrxSqlnEEseX0gi7GH9zTJZ0p9dtu87WRb/37mMPO2Ilx1s/t9vBHrFhbgweUwb+t7cIn5dxPhZg==
+
+unist-util-stringify-position@^2.0.0:
+  version "2.0.3"
+  resolved "https://registry.yarnpkg.com/unist-util-stringify-position/-/unist-util-stringify-position-2.0.3.tgz#cce3bfa1cdf85ba7375d1d5b17bdc4cada9bd9da"
+  integrity sha512-3faScn5I+hy9VleOq/qNbAd6pAx7iH5jYBMS9I1HgQVijz/4mv5Bvw5iw1sC/90CODiKo81G/ps8AJrISn687g==
+  dependencies:
+    "@types/unist" "^2.0.2"
+
+unist-util-visit-parents@^2.0.0:
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/unist-util-visit-parents/-/unist-util-visit-parents-2.1.2.tgz#25e43e55312166f3348cae6743588781d112c1e9"
+  integrity sha512-DyN5vD4NE3aSeB+PXYNKxzGsfocxp6asDc2XXE3b0ekO2BaRUpBicbbUygfSvYfUz1IkmjFR1YF7dPklraMZ2g==
+  dependencies:
+    unist-util-is "^3.0.0"
+
+unist-util-visit-parents@^3.0.0:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz#65a6ce698f78a6b0f56aa0e88f13801886cdaef6"
+  integrity sha512-1KROIZWo6bcMrZEwiH2UrXDyalAa0uqzWCxCJj6lPOvTve2WkfgCytoDTPaMnodXh1WrXOq0haVYHj99ynJlsg==
+  dependencies:
+    "@types/unist" "^2.0.0"
+    unist-util-is "^4.0.0"
+
+unist-util-visit@^1.1.0:
+  version "1.4.1"
+  resolved "https://registry.yarnpkg.com/unist-util-visit/-/unist-util-visit-1.4.1.tgz#4724aaa8486e6ee6e26d7ff3c8685960d560b1e3"
+  integrity sha512-AvGNk7Bb//EmJZyhtRUnNMEpId/AZ5Ph/KUpTI09WHQuDZHKovQ1oEv3mfmKpWKtoMzyMC4GLBm1Zy5k12fjIw==
+  dependencies:
+    unist-util-visit-parents "^2.0.0"
+
+unist-util-visit@^2.0.3:
+  version "2.0.3"
+  resolved "https://registry.yarnpkg.com/unist-util-visit/-/unist-util-visit-2.0.3.tgz#c3703893146df47203bb8a9795af47d7b971208c"
+  integrity sha512-iJ4/RczbJMkD0712mGktuGpm/U4By4FfDonL7N/9tATGIF4imikjOuagyMY53tnZq3NP6BcmlrHhEKAfGWjh7Q==
+  dependencies:
+    "@types/unist" "^2.0.0"
+    unist-util-is "^4.0.0"
+    unist-util-visit-parents "^3.0.0"
+
+uri-js@^4.2.2:
+  version "4.4.1"
+  resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.4.1.tgz#9b1a52595225859e55f669d928f88c6c57f2a77e"
+  integrity sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==
+  dependencies:
+    punycode "^2.1.0"
+
+validate-npm-package-license@^3.0.1:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz#fc91f6b9c7ba15c857f4cb2c5defeec39d4f410a"
+  integrity sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==
+  dependencies:
+    spdx-correct "^3.0.0"
+    spdx-expression-parse "^3.0.0"
+
+vfile-message@^2.0.0:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/vfile-message/-/vfile-message-2.0.4.tgz#5b43b88171d409eae58477d13f23dd41d52c371a"
+  integrity sha512-DjssxRGkMvifUOJre00juHoP9DPWuzjxKuMDrhNbk2TdaYYBNMStsNhEOt3idrtI12VQYM/1+iM0KOzXi4pxwQ==
+  dependencies:
+    "@types/unist" "^2.0.0"
+    unist-util-stringify-position "^2.0.0"
+
+vfile@^4.0.0:
+  version "4.2.1"
+  resolved "https://registry.yarnpkg.com/vfile/-/vfile-4.2.1.tgz#03f1dce28fc625c625bc6514350fbdb00fa9e624"
+  integrity sha512-O6AE4OskCG5S1emQ/4gl8zK586RqA3srz3nfK/Viy0UPToBc5Trp9BVFb1u0CjsKrAWwnpr4ifM/KBXPWwJbCA==
+  dependencies:
+    "@types/unist" "^2.0.0"
+    is-buffer "^2.0.0"
+    unist-util-stringify-position "^2.0.0"
+    vfile-message "^2.0.0"
+
+word-wrap@^1.2.3:
+  version "1.2.5"
+  resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.5.tgz#d2c45c6dd4fbce621a66f136cbe328afd0410b34"
+  integrity sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==
+
+wrappy@1:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/wrappy/-/wrappy-1.0.2.tgz#b5243d8f3ec1aa35f1364605bc0d1036e30ab69f"
+  integrity sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==
+
+write@1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/write/-/write-1.0.3.tgz#0800e14523b923a387e415123c865616aae0f5c3"
+  integrity sha512-/lg70HAjtkUgWPVZhZcm+T4hkL8Zbtp1nFNOn3lRrxnlv50SRBv7cR7RqR+GMsd3hUXy9hWBo4CHTbFTcOYwig==
+  dependencies:
+    mkdirp "^0.5.1"
+
+yaml@2.2.1:
+  version "2.2.1"
+  resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.2.1.tgz#3014bf0482dcd15147aa8e56109ce8632cd60ce4"
+  integrity sha512-e0WHiYql7+9wr4cWMx3TVQrNwejKaEe7/rHNmQmqRjazfOP5W8PB6Jpebb5o6fIapbz9o9+2ipcaTM2ZwDI6lw==
+
+zwitch@^1.0.0:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/zwitch/-/zwitch-1.0.5.tgz#d11d7381ffed16b742f6af7b3f223d5cd9fe9920"
+  integrity sha512-V50KMwwzqJV0NpZIZFwfOD5/lyny3WlSzRiXgA0G7VUnRlqttta1L6UQIHzd6EuBY/cHGfwTIck7w1yH6Q5zUw==
diff --git a/docs/create-new-web-service-vm.md b/docs/create-new-web-service-vm.md
new file mode 100644
index 00000000..f6ccf4af
--- /dev/null
+++ b/docs/create-new-web-service-vm.md
@@ -0,0 +1,114 @@
+# How to create all necessary entries for new (web service) VM
+
+Let's assume that you want to add a new web service `example.hamburg.ccc.de` which is going to be hosted on the VM `example` on chaosknoten. These are the steps that you need to take to create the VM and add it to the Ansible repo.
+
+## IP, DNS, VM
+
+1. Allocate a fresh [IPv6 in Netbox in the 2a00:14b0:42:102::/64 net](https://netbox.hamburg.ccc.de/ipam/prefixes/47/ip-addresses/). This will be the management address for the VM. 
+2. On `ns-intern`:
+   1. Add an entry `example.hosts.hamburg.ccc.de` as an AAAA pointing to the allocated IP.
+   2. Add an entry `example.hamburg.ccc.de` as a CNAME for `public-reverse-proxy` to the same zone.
+   3. Commit and reload the zone.
+3. On Chaosknoten:
+   1. Create a new VM, for example by cloning the Debian template 9023.  
+      Give it the name `example`.
+   2. Edit the ethernet interface to be connected to `vmbr0`, VLAN tag `2`.
+   3. Configure the IPv6 address in the Cloud-Init section. Leave IPv4 set to DHCP.
+   4. Make sure the VM is started at boot (options).
+   5. Adjust any other VM parameters as needed.
+   6. Boot the VM.
+4. Add the [VM to Netbox](https://netbox.hamburg.ccc.de/virtualization/virtual-machines/).
+    - Make sure to enter the VM ID.
+    - Add an Ethernet interface to the VM; we typically use `eth0` as a name.
+    - Add IP for that interface, then choose "Assign IP" and search for the IP you've created. Make it the primary IP of that interface.
+
+## Ansible Basics
+
+As the first step, we need to make the host known to Ansible.
+
+1. In `.sops.yaml`, add an entry for the host. Follow the other entries there.
+   1. `keys.hosts.chaosknoten.age` needs an age public key (must be generated; the private key gets added later in the host-specific YAML)
+   2. `creation_rules` needs an entry for the host, referencing the age key.
+   3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
+2. In `inventories/chaosknoten/hosts.yaml`:
+   1. Configure basic connection info:
+        ```yaml
+        example:
+            ansible_host: example.hosts.hamburg.ccc.de
+            ansible_user: chaos
+            ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+        ```
+        You typically will want to use router as a jump host so that you can run Ansible on an IPv4 only connection.
+    2. Add the host to the desired roles.
+       1. As a minimum, you'll want the following roles:
+          - `base_config_hosts`
+          - `infrastructure_authorized_keys_hosts`
+          - `ansible_pull_hosts`
+       2. For a typical web service based on Docker Compose, you'll also want:
+          - `docker_compose_hosts`
+          - `nginx_hosts`
+          - `certbot_hosts`.
+ 3. In the directory `inventories/chaosknoten/host_var/`:
+    1. A file `inventories/chaosknoten/host_var/example.yaml` with the host/service specific configuration.
+    2. A file `inventories/chaosknoten/host_var/example.sops.yaml` with the encrypted secrets for the host/service. Run `sops inventories/chaosknoten/host_var/example.yaml` to edit/create that file. Entries here should generally be prefixed with `secret__` to make it easier to see where that variable is coming from in templates etc.
+       * Add an entry `ansible_pull__age_private_key` with the age private key you generated above.
+
+## Service-specific config
+
+From here, we go into the details of the web service that you want to configure. For a typical web service with Docker Compose, you will likely want to configure the following.
+
+Make `inventories/chaosknoten/host_var/example.yaml` look like this:
+```yaml
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "example.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/example/docker_compose/compose.yaml.j2') }}"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: example.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf') }}"
+```
+
+This will create `compose.yaml` from the template `resources/chaosknoten/example/docker_compose/compose.yaml.j2'`, and the nginx config from `resources/chaosknoten/spaceapiccc/nginx/example.hamburg.ccc.de.conf`. Of course, depending on your service, you might need additional entries. See the other hosts and the roles for more info.
+
+## First Ansible run
+
+Before you can run Ansible successfully, you will want to make sure you can connect to the VM, and that the host key has been added to your known hosts:
+* `ssh chaos@example.hosts.hamburg.ccc.de`
+* `ssh -J chaos@router.hamburg.ccc.de chaos@example.hosts.hamburg.ccc.de`
+
+Then run Ansible for `public-reverse-proxy` to add the necessary entries:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit public-reverse-proxy
+```
+
+Finally run Ansible for the new host:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/chaosknoten/hosts.yaml --limit example
+```
+
+# Commit your changes
+
+Do not forget to commit your changes, whether it's a new host or you are making changes to an existing host.
+
+And always `git pull` before you run Ansible so avoid reverting anything!
+
+# Monitoring
+
+## Gatus (`status.hamburg.ccc.de`)
+
+After you configured a new service or website, add it to our status and uptime monitoring.  
+Take a look at the configuration in `resources/external/status/docker_compose/config` and extend it to cover the newly added service or website. The configuration should probably happen in either `services-chaosknoten.yaml` or `websites.yaml`. Taking the existing configuration as a reference should give guidance on how to configure new checks. Additionally there's also the comprehensive [Gatus Documentation](https://github.com/TwiN/gatus?tab=readme-ov-file#table-of-contents).
+
+After you've added some checks, the configuration can be deployed using:
+
+```sh
+ansible-playbook playbooks/deploy.yaml --inventory inventories/external --limit status 
+```
diff --git a/docs/setting_up_secrets_using_sops_for_a_new_host.md b/docs/setting_up_secrets_using_sops_for_a_new_host.md
index c88315f9..aaed5151 100644
--- a/docs/setting_up_secrets_using_sops_for_a_new_host.md
+++ b/docs/setting_up_secrets_using_sops_for_a_new_host.md
@@ -2,19 +2,30 @@
 
 Because we're using the `community.sops.sops` vars plugin, the SOPS-encrypted secrets get stored in the inventory.
 
-1. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
-   It should probably hold all admin keys.  
+1. Create a new age key for Ansible pull on the host.
+   ```
+   age-keygen
+   ```
+   Then add an entry to `keys.hosts.chaosknoten.age`
+2. Add a new creation rule for the hosts `host_vars` file in the sops config at `.sops.yaml`.
+   It should probably hold all admin keys plus the host entry.  
    You can use existing creation rules as a reference.
-2. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
+3. Re-encrypt existing files with the new key (manly `group_var/all.sops.yaml`): `find inventories -name "*.sops.*" | xargs sops updatekeys --yes`
+4. Create a SOPS secrets file in the `host_vars` subdirectory of the relevant inventory.
    The name of the file should be in the format `[HOSTNAME].sops.yaml` to get picked up by the vars plugin and to match the previously created creation rule.  
    This can be accomplished with a command similar to this:
    ```
    sops inventories/[chaosknoten|z9]/host_vars/[HOSTNAME].secrets.yaml
    ```
-3. With the editor now open, add the secrets you want to store.
+5. With the editor now open, add the secrets you want to store.
    Because we're using the `community.sops.sops` vars plugin, the stored secrets will be exposed as Ansible variables.  
    Also note that SOPS only encrypts the values, not the keys.  
    When now creating entries, try to adhere to the following variable naming convention:
+   - Make sure to put the prive age key in here under `ansible_pull__age_private_key`.
    - Prefix variable names with `secret__`, if they are intended to be used in a template file or similar. (e.g. `secret__netbox_secret_key: secret_value`)
    - Otherwise, if the variable is directly consumed by a role or similar, directly set the variable. (e.g. `netbox__db_password: secret_value`)
-4. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
+6. Now that the secrets are stored, they are exposed as variables and can simply be used like any other variable.
+
+## GPG Keys
+
+In order to edit encrypted files, you need all the GPG public keys imported into your GPG Keychain. You should be able to find the necessary public keys in https://git.hamburg.ccc.de/CCCHH/password-store.
diff --git a/inventories/chaosknoten/group_vars/all.sops.yaml b/inventories/chaosknoten/group_vars/all.sops.yaml
index ebc53b75..2350f12a 100644
--- a/inventories/chaosknoten/group_vars/all.sops.yaml
+++ b/inventories/chaosknoten/group_vars/all.sops.yaml
@@ -1,363 +1,384 @@
 msmtp__smtp_password: ENC[AES256_GCM,data:xcBVBTb6mfr5Ubyfga9ibKWKhrfrEEaDWD98vIbX8fl8lQ4YTovg8Ax1HTK4UQ6AkJGHq2A0D5B67KUTlp9eLw==,iv:TOp1G1LktRPj/KMCRU5CXBUsgKOqGssUvvk5oY0QnPM=,tag:SVBdDQy+fM0xeEToappP+A==,type:str]
+metrics__chaos_password: ENC[AES256_GCM,data:al234VSAH7oxka8X0hTvEJKVLD6O/WCrCKfVLLvm,iv:+TmA+0hXMV4OxvK7RH2g1dIzm88Lpm3zevxSZxK23QQ=,tag:txCVr5SEW3dVHgNFInR94g==,type:str]
 sops:
   age:
     - recipient: age1ss82zwqkj438re78355p886r89csqrrfmkfp8lrrf8v23nza492qza4ey3
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1S0d6cnB5UGJEZlNKcEpD
-        NGQyYTNwS0E1TjZTbkdaNXlTVHFyendtT3g4Ck0xRkJhZHR2a1RJVDd3bUE5RTl6
-        SVZrN0NIR2VKeTl6Qk9oTUd6VDdQYlEKLS0tIE82YXFoVkQ4bk1SRTU2YTZ0eVF4
-        akdQTFBoY1B1aVZHSGw4bXJPZTd0MHMKnchC61XZk3cPfe7QjijW5uBlDkf2Sjc3
-        /Spp+9cuf9jIJvFg+h3EY7CLAMVyAK59WnODM0HvQNhreXRg8CgK2g==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMc2k4SUxMUEtvODVGMnY2
+        U1gxeWRURmIwNUhYelNUZHVGQ05rRlI3TXljClREc0hCMjlPTFBEakVuOFFjTWVu
+        dHNrbzVHT1d0UklRNW0zSHZCWWJpeW8KLS0tIG85S2h1aEhITUI2aVRwempOVHlr
+        aWFyRDdEZ2RnQjFNUmVZQnBzNGhhR1EKeYR9qIuh/f/o/qXkQV9KZcir9iPQ2IEs
+        X6azikmig0stguQMUQB57+Sk10MlIDQGoY3C0YcmG3dtiUoo/vKTRw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1gdfhx5hy829uqkw4nwjwlpvl7zqvljguzsnjv0dpwz5q5u7dtf6s90wndt
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWW1ScXNWSEo3S1RpYitK
-        aEVsWklvS3Ryc2pqakpUc05mejIwWi9GaG1ZCk90UXdKVVZzdXBuTXowTURDekhM
-        NlJEbU5teThWaCs3R1ltUHBRMWVncGMKLS0tIGszeDJ0ekJIK2FYUW9Xdjcyc0Rl
-        Rlp0RXNhc1N5UXdmMG1NMkNoYkZZNkEK96GpdskKEXHK/ZQFSN+Y//wygKmnxP2b
-        ukFolURV7qlQVamWuDoUC/ToQtl3bU0jce/STQjGY67OwG5kecxEKw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqazJTaVhjdkk2cStHNllr
+        VEhobDJIQ1NKajFNVmJ0NHFrRzJlMVVYL0M0CkVEbHFFbTZ3aU9sblNaTTR5T1hT
+        ZjM3TGZ0SVVkS1ZqMGZxQnh0eHhVaFkKLS0tIGs5RXFta3JJYmRZemNRQzBGbE9E
+        dlZqTStUVWNEWFk4RzNkSmM3dlRxU0EKR+IOa5r/mSl7jnmhEvbJqytWedRgdix6
+        0x0JCJe/q1l90F4IYIwd5onF5jF9DydmVnNdCbgAHF+DYrdwjwt7Uw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age13nm6hfz66ce4wpn89fye05mag3l3h04etvz6wj7szm3vzrdlfupqhrp3fa
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVYzlXY0FvUEtIa3BVTjUv
-        MzI3cE8vbVd6WWF3Q2J5RlRISW5kOU1XZEJjClFsS3VlbXZHVDlWMWZMUGwzdTFC
-        K0xpV3FjRGJmWThDbklNbFByLy9FTXcKLS0tIGpMYlM5S3dodTBhWDY0TjNkT0p4
-        WWpCdVN4cjIwMCtRZXJCR0kvWmV2TDQKeAE9hmGim0wdG7AC9Ypk1/zAOvpWEc9w
-        B5j3MGmJiDV5vqZ6YDJ158fkB3s3XDIohaTP0XT5Y1zEDnn0ee62zA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycmpzTFZ0MWN4TE9Bdld0
+        eXJXTVhVbFpmbHpVbDg3KzJTQjVoU2M5Vmg4CkY5MlBwTEsvVDlBUGp4Yy9KSEtW
+        M0thZncvcFhqcTluR0FRdHBlVERmWkkKLS0tIHlIZ1o3Zm5pcEJUOElKSDU3SEh5
+        MzQzRENjNitaNUtIUDNNM0VxVVZsVjAK8BM7kqL6Pjg8riOTti8tAH13MgD2b3jR
+        EPZEPzWM3vBNMQ71WYSTiljK+fdwQucQbTCZFKVHUyErCiI+7jYrXQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1jtusr294t8mzar2qy857v6s329ret9s353y4kuulxwnlyy4dvpjsvyl67m
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cXdneDFCNUxZR2VYVXpo
-        RzhwNFZnYnhzOXBrTmQ5NlNhUThsbjA4ZENnCjRWVXpzb1lZcjNQeUVoY0lkZTRj
-        bVU1S2thNzg4T2UyaGFqdDlvLzRJVFEKLS0tIFBIMEIvaWtPU08vR1crSGxUSklx
-        Ujh3bDFVdktOOVdvbVNrRGEvM0ZiczgKDAvWbY515jRhcWEkZrNNmtBsSwchclVz
-        FvnQB3G8ZIxJliJCkOHrFokvRskCHt9KJNZogqPtGF9a5OWcKkWgNQ==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkdERkJKQnUxaXhuRk5O
+        cDlxOEZsM2djbk5laFVHWUNKaUNKSit0cDJ3Ck80eFYvajNId0NHdzRONktHZTBM
+        WENsSFZWL3JLeHNpanNBSDB0M1pselUKLS0tIGZPUTRlSW1hNjNPVnVoSEhKK1dJ
+        WFpiUW1QSXk4VktHNWVGemh5czZLdmsKaycC2cLTfboV5MT0W2+fWMg9JCAn4U7u
+        lMkTZausCp1hUlE68BXi8DuVivRif+gjVjVWsBabikQtzW8H//fFDw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1a27euccw8j23wec76ls8vmzp7mntfcn4v8tkyegmg8alzfhk3suqwm6vgv
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdkpuODFJZ2xPT3NOT3ZP
-        MmVuSkx1UmdwWVBEZzJQOUNodUpvUlJrSlNnCjJBT1AyNzZmNC9sZytNaGpEOUZT
-        Tmx3VkdRVGNHOGJkZzgrZmFmRFFFY3cKLS0tIDZONHQ3SUh1bXM0LytmYUVZSmRZ
-        VmEzUkRqdnUvc0s3SmRNcmpZRndvVUUKHRo25oFVNtzJlTqkQ03znzH+Ce8j2rgO
-        Bt/HQ2tJC/0PL67zjCr4oyxWs2RfSuswM6pGh3TXmSkUawzzyMAPTA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWnlvR1BmUlRkcXhHbklZ
+        d2pzRkxxZTVtOGl4YjdGOTQxbEFnRUVGdG1rCkFQMHE1VTdIR3FPeWdlSHRKRGtl
+        Tk9FeHNuQ1ZIRWRFN29EVWh1ZjE2RDAKLS0tIGQrWnJWcjUyZFkwQmdZazBTQmR5
+        cWZ1N1NHVEVqMlc5MExyZThKYTdNc28KEaFjX16Bf0MZsmMTLytDnJFPICeu808r
+        t53faoADnTdhYKhKQYB1Fgk7h3DBvxM36VDw6v3oC0f6B0yEx7a3hQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age133wy6sxhgx3kkwxecra6xf9ey2uhnvtjpgwawwfmpvz0jpd0s5dqe385u3
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd3dwQ290Q3JCclBPbS9X
-        S1pnNVU5YlJjZkkzTEtuWWhlcmh6cEtMZmd3Cis2MW5henJ0dWZwNnpTcy9ia3Uz
-        QThPMlpBN0lkZVI3d1RqQ1pGeDkwTVkKLS0tIElGYWR6QXdkTS91cGRQVUZPZWVE
-        aXNhWGFQWncybG5ycTF3bGUxUEdRYlEKXMlP+iC1L+lCeFB9rnyDE6tKMNiqFAQQ
-        lvQKLGvZVRMk7RNR/OWb2IsZNtK3yGAgqjGpb8UwZKjUwYwgBzkklQ==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVGpwdUVSbVRiVkdBREVX
+        ODl6bzlVNHRkTzk2UXMwNVp3K3A3V0hmdVRBCjlJenlmNDZEU2ZzMUpVYmpFdllR
+        NlNxaU1YYzNZdEVzdzJLTEVMWlloZUEKLS0tIDl0VnAzZUF3QWF3WXpFTjEvY3RP
+        T2J0Kys3WmJRZU1jRk1kUnZud3B3MlEKhgLTCcfyxOBL8X6JPlcuy+CcOlx09VP7
+        AZhfb8lf5JXe/4WqAMOh6s7ZrTM5JFBr8U5GQFo+syIIJeixn5SRBw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1na0nh9ndnr9cxpnlvstrxskr4fxf4spnkw48ufl7m43f98y40y7shhnvgd
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0enhNVHF0eHZkTlB3bTZN
-        ZWJaVDc5TUkrSHFFTnJ0UE9hTEg0Tkt0OVNFClFCNTlsTUJlQ1MySkdFa2o0WGRB
-        VWUzbkxFTkxQMVBqTXJtNEVCb2ZPYW8KLS0tIDR6ZXdoOWNwbjdNcmtxS2FBd1Zx
-        dWVLVUlZWEh0UWRXTlhYV3ZTT01ZQXcKz/ughevubxHCk315eL6WV0JETo4tblck
-        t2b4h0kcDpFO6aPCHBSX69QOLJpBCBnKI8ZBlxgTdTDLFlScG/8HRw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c2NFWkdaMVFTcUxOZWl3
+        Z1hsK1ZvbFRjQ0swbVZlQkIvNW9LU2pZdVgwCkJHcUpTYjMyZy9qKzdIbzExcVRj
+        V0UrWG5yaUF1cTJnK2RDT0E3aXRkK0UKLS0tIGRqTzBsbHdBdGlMTWt2NzNOVDBp
+        U1NVMzBIL3ZBUUFHLytGQXk3M01UK00KZBW1DUeDpN5sstZ1LuqcpxsQcjdUJe5L
+        5HS4O5h0D+/p8/aOW5NPoIf0A6f4/CLVm4o287GHsxkTXeH1sDr2Ng==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1sqs05anv4acculyap35e6vehdxw3g6ycwnvh6hsuv8u33re984zsnqfvqv
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MGlobGt4MG5YbXhYVWM5
-        SDlraHdnR0srZDF2T1FicVFGR3IvNzBhMkVFCm9Nc1JnZ2toOGUzbDZ6cTRTajc3
-        SVk0U2JlSStWQXFYY3htOTh2Uy80aDQKLS0tIHRkRkNwb1Q5dTZ5cDVoVXIwcmVi
-        MXBDdzdWZi84OXRRMUt2Mnh5QStLZWcKR/1GROkmyQWyY2GcZGplX8vYqHoeqvvX
-        ioWRF+QaK3GpgHOaSFybFt3r8wfeILbQ7zMs9qMARTg0kVMVvE/8pA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINFVkbjFMY25pWHpPZEMy
+        Z0xsOW5NZ0cxZC9UR2RCMTBaTlNkRjJuU1dnCnRhVU9iL1lsUWpCTzdKS1RiYnMw
+        TWhjS29jOGNwQXU1Q0NmdjkwOHNRUFUKLS0tIFJnajRUMk9pTDVDdFI5Szd4RkV6
+        TnNkK1RVZnFaRGVmaFRwMnlmd3lUbEEK+CKPUsutEpo5/bHyXM7tMUUM4hka1hCV
+        oto6VkOSVoYnwHNzXSAei+jkfvT8dED7fUQKkZeqN3c4bUrha42BUg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age18qam683rva3ee3wgue7r0ey4ws4jttz4a4dpe3q8kq8lmrp97ezq2cns8d
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGV1VTA3R0FsMkdKYWo5
-        K0VFK3VFR3Z5bmdmS2QzR0hRTWRvOEFEclgwCm9MQUZQSjZqVXJVQ3FoUTMzWjU4
-        Q0luVDE0RUhUNmZGSlZXYWEwNHprS2cKLS0tIHBRQnZibGkrUmU3OHNHVjcvelVF
-        UEtad0g0T1JZRFYxUnpiblNIV0VybE0KVCw68UXleN43Qi/MSFpyGjrbwZS/EtWw
-        tbfZMPLalJ52pv4cxT4nrPfipoUyX7tHxEEd2f1SDzt5RUk0TO7ojA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLY2JBTXFaWEFmNU1PVkgz
+        Uk0xeWJqMkpVOW1QU05Qc3hSeFM2eHVjc2tZCjB3bjZ2ZUZFTHIxSmZUb1V6THpW
+        dHFXZUM3a0ZKcEZSRklqUk5jWGJkaU0KLS0tIEVxUlREKzdCMEdvZG12UlhxUW1p
+        TTVGVllybHUvZkhMT0x5Ty8vb3AzMG8KfuZW6Yj21NHAvfaVs2HedYgGWxUDXWiP
+        aZTbarB/2UzYEacoEO7CMLHDS53X15plRPbzYRWhnRkb9WkDQ/0pOw==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age19rg2cuj9smv8nzxmr03azfqe69edhep53dep6kvh83paf08zv58sntm0fg
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QXVVSlZ2QXA5NWN6Zllh
-        REQ3UE05eWkrUHdyL3FRUHJMTkE3QWtwbENnClBGdnFhT3NzWEJKM0YzT3RpS2FY
-        cnNaczRIRUEzSDgxejNjbTdoaERiRkEKLS0tIEdOOHdISkF0YnNpcFNKekVLYWVN
-        allIenQ4OFoyaEdCK1YrM0tpM0FHRjAKwrOJS9RGCHS7lcPX+eufZnEjaIvO3f73
-        RWThSP0d2iy/vul18hdLF8PqKE2Hy0j6lvs9qhvwI1EQa53zHAWRDg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoaU1FN2JEblVsK3hRNXVO
+        WnBISWgyYno1ZnNqeUtHV0tkcERrdzRhc3dvCmlEQXFrbmVibTVmOVQxVWFiaTdn
+        WUhyVjFvdHduNXpraHVldzNnLzVjYmMKLS0tIEJjODh2TGg3OUlodk1IWnltNGR5
+        SG1TS3l2clZOVkhyTW1INjZNc1E5V1EKCJo7uU1XbW4Z6i5ux2t323Um5TDTwTl+
+        mMirFUiosu62vTfd+nC3TwRyM1XwlpI54EEU27jTHMlF8oSgXeLumQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age16znyzvquuy8467gg27mdwdt8k6kcu3fjrvfm6gnl4nmqp8tuvqaspqgcet
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYmNHaUcvMitRcklkbkU3
-        VDRyQnhhak82d2I4MnRKMk1qdTU3bDRzdlUwCnBzSEJHZmRTazZ3Rktmc2FKaXJC
-        cnJiMU9oUW03Q3dlbGtTZWNtZXZqZk0KLS0tIHVTNU1QU2dRQ3JMclhqQjN1VjBK
-        dHgrU2EyT0FHUng2L0R6dFFZSU1kU1UK2x72pMCRGCz/cyekHrTY/vXhxACPGjYn
-        PxEXKoi70Dq9ox3ggknmE6JLZqMvFoudLoE2GAzvimFomYWb4e3NmQ==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldUpzVlhFc2k3U3ZlT2JK
+        U3N4L0FGZE1iWGRwN0tvNEtwd3VXYTV6N1ZZCmVnYUNpY2poazVibnpQRlZ1MXFN
+        SmtURDFLSmJmM0pHdytjVFM0c3B3eTgKLS0tIEZidTZmS1dpZ1VFRkFpc09EaWxZ
+        cUVIQmVDLysrQ3pMcFIvZ0NCWExJa3cKdwTrVM7aXAi4bBHfXCWllbZIa2c4IbRW
+        FNS1L6tP1mop2y9d0CgmVBiBFQdNAg8yVJRPWs25W9WVFHBDuB+X8g==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1azkgwrcwqhc6flj7gturptpl2uvay6pd94cam4t6yuk2n4wlnsqsj38hca
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMVhJOFh6TTg5RFkybnBy
-        T3ozZ2MvZ2lCVFBvWW1jRElmNFBIUU05MkdjCnZZR0FjUUJlQXR1bnBGU3NPc2t2
-        a3hKVzJZbzNWMkd3dENMUzQ3bk14YTQKLS0tIG5kSEdYS3dLcXdlOXBmWTVzNDFt
-        ekdmK0Zid3A0aUNHUHhmeHp2NHFZMlEKb6116XqAHYMl7P4RFRcz0IlZfx1/buby
-        V8y9TiECFZfWhuY3XaES99wjPw06nGszn/U29C1XtZZ0pc5Soc3dxw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMmR1TnRFVnlnV0t0N21P
+        Uk1QM2dnbEFTb2lJcUZDeW1sTDQxT3F2Q1FJCmJzdEFCQ1ZBeS9QWEZJcmJuVTJi
+        eEpIZUk3YmhKeFlwcE0rK0k3MUx5S3MKLS0tIEdoU2dXRitXeGlsQ1NXT1FqdmhE
+        R1MwNU16K25zdytaMXFQNnhYQVZTSzAKmVjQRe0SKfwh/JoSGGihkjr0Lvx1uVnJ
+        szOHESy/rEKiXUKVSMkBINAh2SUYIwrB4xM38Y+ZKkkXDDtZWLHulg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age17x20h3m6wgfhereusc224u95ac8aj68fzlkkj5ptvs9c5vlz3usqdu7crq
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMVZWQlRZVnY2ZnZweW0x
-        VmswdHpRUjVrNytaS2lZNHdsYXM3WHVCVGlNCmJ0ME9LYjFWTkVrZ1QwOHdtempG
-        dEJ4NGpPcHZabGxJdFJNNStxTm9nREEKLS0tIFB5NkZnZTZjL29YRlZVZEJJOHNu
-        ejRmc0V5RzVwY3BtVGpIY3lqVGt3SGMKvSFU/FZw3CeOrkbVKqz9Nsfmw/DU/obE
-        6bIs15L7m9hOzqj8PeQYv09NO83WCfYj4cjh+Jsdtlvtz8Fz7yt2eA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEb1I5cnJ6NDhvNDFsM2kx
+        aHEwdmJSc3ZQcGc5OXJOMVB0L1JFSlpiUGxFCmtNbW1NUVpEQVdLTkNOd0daMDEx
+        ZTdGVlB1T0M4K0t2VHZYSzBNNUJLVUEKLS0tIDMrVEE1Q3IxaHNTUHNTcGo4UTFX
+        WGo2TVdLS1F5RHNVTWgxbzdZSGV3Z0EKkOZfXMbUeJG62xn0SvqjtCKIkZDIzc7O
+        qSTGJYgl02Edp8smm4x1L9QF2CQYF93ZIjn4q12CyJy2ojBgxNTZNA==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1wnympe3x8ce8hk87cymmt6wvccs4aes5rhhs44hq0s529v5z4g5sfyphwx
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUVhSY2JnZUFjS1lySGlC
-        MUdVdTF1S2xLdDlVODk3Qm1FZ0RxQTdkQ3pnCmFPYVg1dDN0amtoOUdKQWFRNVJS
-        ZkhCM3VFbUc5RHJHS1ZJbit1N05OLzgKLS0tIEhCMmRFN3hLNDFlTkpzUWYvR2R3
-        Y0RZSHZrbnJ1SEc3aCszeG5tTkNvNlEK4pUz8bk/tDKYIxu6dCG/DTk8OtTTYJaL
-        qKNNZ1COhPtVTCHaIbRSPWu8MqFy9+9nf7Hoc9fEE8aM+Yohs4sySw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArZWZmTDRYYUloL3I1QkZ1
+        dnIyRVJSV2ZoaERCc1Z2Z21VYkkxb0F5SURNCmlFcjlPM1VibjQ0TkFNdEhqL0l5
+        eDlHOHdlTnMyb2JPUlMxRlZqTkhWNzAKLS0tIHI0cytiaXVpK2FqcW1XOVpneTR5
+        VDI2WFhud0hpRDRMTTlwMHV2T3RSekUKKi52AcUoATCmUo/+FIVeEEh0sTCjIGy+
+        gl/Ud0Nmuarz5T2HqGxJDBoH2MSfjpwhTkW2z0JW5Dah6MRtNetHZg==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age172pk7lyc6p4ewy0f2h6pau5d5sz6z8cq66hm4u4tpzx3an496a2sljx7x5
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUERGWmwvRW5tQzJleExq
-        VXhmQ0dkMFJuWEwzbHlGMTNudE9UbUwrNEc0CmdMK0hCb0h3NjRuSVZRNEFwYlVl
-        L3VnTnpad2tJL0dCamVrT082ZmUxWUEKLS0tIGJFbG5ZU0Q2b0xQNFNjT3NBTE9I
-        Z2MwSm95Vy9XUDkrWDZMZUEvY3VHcDQKJanzV+qzgfuBpNzHLl2DS1GvXLV+UEKa
-        wD/2s/EkL4RR4F9mV/9+1vwFTNw6Lc8T8ezzxl3/Iu+VpziFgx8ypg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWdMQXMvUHI3YVNqa3hn
+        QTF1V3lDZHB0ekVIcUVURUFGeURWaE92U0dVCjl5WnQ4Q0hGWGVhSnVqSXdIM3Qr
+        eTBWcW9MRDdsZzY0S1puTmt6bk5BVDAKLS0tIDlNaHF4VUt0YzMrVEtIaXhtMkh0
+        d1BJZHNOakIrejNHWXBkT2JnMDE2TlEKgFgEPOc7lgUvi/gBJi4qX8mJQQ0Lb+0J
+        oKgia+lWN+f0dMoQApxtH0R1vvrQB1CyKmYRgvYfEv1z2yibftxFJA==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1p7pxgq5kwcpdkhkh3qq4pvnltrdk4gwf60hdhv8ka0mdxmgnjepqyleyen
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVXdkSHNOSHZmZ3pLWC9B
-        emc2S0NpenVZSW5GMWZha2ovS1VsbGs5OGhBCmZIWDBDaGVYMDhHRDR0bFgzbDN1
-        MlBnOW43Ky9PV0VwZ3VlekJPa2xwMTAKLS0tIGNEVUVkbWIwVmFzaS9vdGhPU2s4
-        a09LaU05VnVBa3ZGcUNMdFFZRXdaYkkKp1TYQXMSlZoGWgfSK9s4WXFu9xG7VFXP
-        3O+FYTXTRTVVnZCPE5V0P0/v3H/BRgdbM2yuIiXTtmz69J8DNjFaNA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWDBLRXVXUVVQNkZzVDZp
+        cjNaNzNseUxFZ3JDTkF3RjZ2Q0FnN09Ub0Y4CkpsaHl4VGtCRDBiaTc5cDErcUM3
+        eXYyK0tGdFVhblo0eUhHVkJWbERVakUKLS0tIHpmektqRjBHZDdDd0hEbWYvWnFr
+        S3BoWW9QYytMZ3RJSld2R0h0dXlZeEUKcifFwdLTAse4HxN48X/iErdi3evc/Hbt
+        dRgCkzWjb0Qc1DEPLm9MLHZqugcm1y0XStdWHCMIwXuh2fcoDUv0mQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1sv7uhpnk9d3u3je9zzvlux0kd83f627aclpamnz2h3ksg599838qjgrvqs
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUJ3cTNUZGp6Q29wTEgx
-        UjQ1RU1uSHREVEhwZGtmbUV0azJEQmtGbG1jCkQxbGZhSmRXTE1uUURaSUhZTlNF
-        U2loMmR5ZExXS2Y4eTBybGFsNFp0WGsKLS0tIHJjRDhDelB5N1BvbHFydW84ak1Z
-        YndpUERJbDJSZlBLQWdnVXpUU3dLdUEKQYddtnDd4U7bkjBeMnCQuYVddCCApnzQ
-        L/LgjBXfUav5ipWWUjW/loZJiHBsxrG5NkCYEyf72WMyDusd8mCN+A==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWGpORGVrclo5N2ZTSUxE
+        WFBYUVRjRlFyVFFXTFIwUDJNR04zYXgwSnprCitVT0JidGp1OEdXdm16WGY5am9R
+        djkxckJEUFpzbHNNZnhqb20rbzBTZEUKLS0tIFpheWIrMkpWalJNS3ZJMVhVNGJC
+        dzFuYXBGMTNRVHRrb2wxTlMyZ0FJWGMKnEtMyof3DN+9rIWRCYn4y0SLpIJbDEbN
+        iXmjwiEtlPIKZjQ34r54g1tsJd5b4fulRFYd6lqTzxtjYYFXDa76BQ==
         -----END AGE ENCRYPTED FILE-----
     - recipient: age1dkecypmfuj0tcm2cz8vnvq5drpu2ddhgnfkzxvscs7m4e79gpseqyhr9pg
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOei9SYzNGMjAyUVJGYlJy
-        QlFBVnV0cDN1TmI4VEt3aGNtbWtvZHJFcXg0CkltM1V4UVp1THFrZEswOEZUUTJy
-        WVVPUDU2emNabFBDek9jMkhScUh4cjQKLS0tIGgrSytmcTZkbTJuUVE3Snp2RERn
-        SnUrSUlvMXhnY3JrbER0TkxBcGJucmsKdBDkRY5FUtOo8zQ0QtfPFGJn0O2Fg5xn
-        mSloxLaFwdXAR9L1QfUdsW+9Vgez4s5bxMJtn8hkwqIfyJc25FEEcA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWkw2NmJjdzdPbnBhNURh
+        SFRBTVhUanpvdFVNLzFWak52bWVJZnV1NHlzCk1SQzA4M3YwZHZIOG82d2lCUE4x
+        dDVWMUNuTW8xdVlkRG5RSnVJUFI2Z0UKLS0tIE9nOXA0LzgrenJKQ21xZ0o2M2hr
+        R3puc1ZOVFJ5Sm5qTks5M0JTbW9yZkkKv20552DPjujiVyr4a4KvTUN4pW8Sh7zA
+        Yxh4nx5mXAwfL4JxIwbvggy4AE3kbc2P3P9qUrRjQ4Iha2X11+fSCA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-10-13T23:45:06Z"
-  mac: ENC[AES256_GCM,data:QxH4lnNyCAAEJhzbgCrq7QeLs+OAtYgwQP4oFm93NE4Fbz7/Hz2dvL/2SopOdW7nYVeb1scuG1ra+yvgzuQDhg4lcgt9eBJoBiynM3qiHBs+FtcSJoKs16I/ACAadQwClALb4E0xxwKFJI8ewMZu5BAxi5EhYbgNfnKCIbhvgWo=,iv:LRa2vX0HUBugeEAVeOqXbPsMQrfrCpyzGUGjK6+VaQc=,tag:/sfhJM8V1IYBh94ZS/TDxQ==,type:str]
+    - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZ0hYeG5hTWxtVFlTaUpY
+        V3lOMUJUNDZxRUhtMnFjK2IyTW9NZ3ZvNTBVCmVHVnFQTGMyd2JIZjZYSmtjZnZ1
+        THBMZW55RTZSR2IrSVd1NWppR0k5UFUKLS0tIEkxRlBsWHFxTlQ2S0xUQ293cHlU
+        ZUhwMUJCVmgyZmlVbDRtV2YxUW95Q2sK8JtVLO86dkYtrxMzXY3mj+S19+S2jIzV
+        MjAkijrdhz9XyEPNsZo38liiO0vwXUVpzmX9xcTTArzWvs/LHYDzQQ==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRXpCQUJxZ1JBWnZkZHRM
+        ejdtdkdqMzNMY1BvOWVuVlZuOXR5YS9UeFMwCjhtYTIyMnhBVm1CT25mRytkdm04
+        ZWg5TGllazVDZEpXNHQvZzUwclFEbTgKLS0tIGxDSDhJcVMvUlg3VkV6YTE2SE4v
+        QnBqalBlY2FqY3lsWEF4elVzamp5elkKaVNJrQ4wNJt0FrQ8PMz0R9VAhk4zIAri
+        QTojz+1HuRMZyDr5wmXz2Jg39yZsBsm4ZmaXSEGw5y/XHeg0ud0DAg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T18:06:26Z"
+  mac: ENC[AES256_GCM,data:plHNLOgGWwNWbakKG6X5EOxwERE3rvYO4EOAzY/sz+uM7cZBEnqU5LZwjlD8B75hgRHqpnDBF0JbHgsEwVxfJJRL1phkeMJFOapQMjZVWMz6j7eb1hOwpdktd+bpuimy4XCD1aOxOoInKpFSK33usxLfyqSxjFDM5+i6D22qBTs=,iv:/iOIfNuSIDsa/UKLP0d63tpOrYMFO3Bk1qPssY0AzuI=,tag:k+824MXD+r0lNUcuvisudw==,type:str]
   pgp:
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxK/JaB2/SdtAQ//QVwiv+sO4ibaxO8UMPFnMnLuNfaTJ+Nry109XkTwLkvp
-        +6I2TW9nAhL+M6cWBcWTJIm8Q9/EAKu0jFrmsmlJg1g7am2DcARoyDTXA2W7RM8x
-        kSshBHJxCjQn15cwWpMcGboKJDnn5uGqfdf1rbFLiJxWlFlIstO8Bia9YF2qSYXe
-        z/w5PQot7GDKa9AFC77I/I0k6hJduVX3jC88N0GZZO7oz017yit24QyOwTSaQtmO
-        J0NgoyC6uN50buRJ6cXbONwU1rOGYvMBc+I7mZrEBho8RbQObkNy8ndQpDbpMqSy
-        /FVECVfhAo1KOGsTSS/i8z+maBcFNnia2+hbOZTpq1gCJ7sgE/pJG9CKWltD8U0G
-        DkgO086x2xuuXGAksJpeiRelbjM4C3ScvFuQu0p+pbsG+0f2pNnkCm3Fi9zFYpqo
-        xzlOKxwwcBRpy76jWIQbVRodnaN8thinT/ySIfuIisfn8TgM6O0IA83jJEMy/CBc
-        QGwWiLFWOED864OOV4kFTBO2rGAi0rLPBoAfWPCpP/z5vpRHICCg35i+Y/Mg9tDJ
-        ToFbH/Q8ZpWaN3kM2J6wNKY58/AoVutODbJkC3ZydLA+m++fKsD122Sk4er335Ev
-        MH2txLTAcBXq6CAUTIYvEb1vSurIxh4vbgC1lN/Sg/b1p5IWKYmOx3onq0kUa7PS
-        XgFmbb6fq6VVS8GOD4bMCDheVGAwYG1z/1utYoiLcuyp3YKAWtwGB3WdawglzRWt
-        ceLfKBRuHl+CnMyMjdTNcRq9ATpupHPniCaoYMRpNy7GuLGHXgRybqxnqSySj0E=
-        =68mZ
+        hQIMAxK/JaB2/SdtAQ//SuDQLIlXIx+E1BfvxQFL4c8TmxEWat2nXHE5CHyuQ9bH
+        esOqdKYtnBMP1iRwQzAi9jVnNUtctCurMK5Lwr093BRHDLhpWqBErBz8FuoTFXGE
+        7WP8ylzno9OUjhhsg9sTrUAxghzU7r3Nr5alypnE3KsEprtEiAKqqqWhaGyMCK+G
+        v3shSx4XmB/MItuHM0BRI80M0uqRn5aQME0KpgTTD5/wsH6NKcPHEiNJTqc2I8K/
+        0dfqa9Hr0WcxooX+UwH/owfzHEkTFWP/3SHqz16osLzO9KOsqw3M4QIoeZwBpAOf
+        +aICTHV3nsbClQ8hQ0XI6xrOqwXYo7SXtx4uNVJdqBO5zfhSGx1yI2OAY258XQ+d
+        As9k4e/oHkzs72qOwCRa2OShDWA0oEWIJ1DZY85yaTyl3qMZJuOweR7lg3eXzITI
+        y4uYAWDfJBXdAOnFgkxQBgb5KSfm3GXQh4Gtu+yfoYqaAibjyJleOPIJFMcwb0yb
+        Y0gr5NflTZooJy2zMZg0u1Ndhike/BdMRQMiTZf8HXk3iiyNXCYTCqnIZRfzZGdy
+        C9Fur0KAOM1h8x6dqXGctMhy1sOmbI6LRyz5feejtE55qHIn9fkyR5wDObsIeiZd
+        OuT6josorB43aotD/XSDwGU8ZeYrUZ9zlwszGASHoji/kI1yXRMCPuNVax86v1HU
+        ZgEJAhAWCZPbbgU8qPifr7naCkxmR2TxtkOJ3Pq/JOeqxMqXXjdGa86A/+1baGdc
+        3z3ygenp34mYIGi4vSCqz7rApU8PHdlpCw2N94buR9/OFN1wHiIoYtVfT79mJsoK
+        yKswIQ1CXQ==
+        =yexT
         -----END PGP MESSAGE-----
       fp: EF643F59E008414882232C78FFA8331EEB7D6B70
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA6EyPtWBEI+2ARAAgWVVIYSzPJeeRYdO7SHudkxO1miNVhEaTa6ArJXhvj9X
-        f7Onb+kPRJ2H45O06+k4QUBN//Jl2wsAayHGvGKb9NmlO1wT8cd8yAe4AllebcTA
-        FGBhWpgD1f8RNyhU6s9YQEmUMFFuze3Frkf5pF36KmSO9Kb0yXNgQebURbUKIwt7
-        W6KVBdlh9+y/8liH78X+QXFMneb8RA50mFvkSp4NxPyHGLV/S74jKaMv28q70ukC
-        3ExtiLu22ACzA3jdn+BGTh/0bp/WRRYEt1TBmt3HFnVcKDkdgxOub2cwYug6YeYt
-        dvA61xnK0mmkt39WfR3wFtmrnMQywJn0r9cRZZwdjfuuKzWmkDGKoaiX4oXcq8hl
-        GJsljraNnRdSZsYCWKeQwM9VnQdTumZZpeyzH99AgbPanNEocLNG3s3WB1MOTBMC
-        SdktojCvHSKg2HBykxApLY1wUOLiYdVGNuTjNyTg8lo8IlNgeEEIa/8MxtPN1U57
-        GDPXDvE9oJy3SvP7Tf0j4KVC7B30UYhb/jwqsG2wzjGKw3JMYucDX2JjgoTEXFxj
-        YqGDr+4/Vfd8bEadcQ8XJnoeCr/cUykflqO7EJnXt7kigQ8P5Jo+Vwu7oRFFlxRW
-        H9YZV0dOeVi3ux5Tw8ft5BRtYym7k0GP5ypQFzSSTeTTUa6QnZMWPssHMHQ+8xbS
-        XgEARDjMMwp6cl8adFfGJnuQmTC8pGCzOPLEhPY00t3Paz/WYvEwhioS6Lz2IsrF
-        QMgw8d2RrOZPJAAv9wq2ztTKk07aFxrQ8WYT9gscYPEgIpPmMUFR4nJ/fzSeiZ0=
-        =1N3o
+        hQIMA6EyPtWBEI+2AQ/8CBUEfUOkvYlMChlGuHKv4CzbEqUrr0aKDbECK/8qGyqE
+        UQeZPMnVvwFL/l5lU1dky2PIqFDebd274h19CfLIcBGZZPwzg/XNJcYcEqeTN640
+        H2ze2Uz/tA79BSfo9Z+W0NfAnzsOZ+I0pPCIqSN1tmMNCNy/m4SxEc8wye5FdV6e
+        YLu0dTatwMG6jsK/PYYoAapNO1CRUDvQHHF8jsAmYlL6eYoYbuikrp5JEyk7Jcmc
+        5OyW49fTAaxmFYF6hjLnORI/WqdF9nTztfFAoH5eU+uzd3Exmunzw+hsZXdbDTWb
+        6YJ7uqwVTxziKwpB7lOxca1B/axYyvLYHNoV6A3Eu9/0ceUcjjLwtcBBAn43UAd6
+        eEwNr3RJ3LY3G6o1QD6tYPXNhY7J8vxb/MKGo7SzB5+Z3TItd1wUlnHDY7kfUtW0
+        hk1R8gug6mV4YEQtgPW3CPOGPsquN6zvxuRPcVqkNyN8+H3q3n0hg8i0xVr3ZyHB
+        G6pSNoQLaJ+x0oFhIgzy3Ndf6AH8MNxzh8Se5gLIhKQCN41wm1ZTguOgcklKdAAX
+        s0QlHXGsJLtev3HeZOfuR6D87rN9HNAaGqPxuKuoZWQBcxzOnsXSGsjJLJUN5bpt
+        RSy2UPlsV2iP9cE2/PTx7cQ3HWHIAjNNz65aJQQnfEM6uog85JRGoY8x6rns6xvS
+        XAHHUsw6hc0xHxgBE8nkVJfU+ynqtk27n+A9h/EaAFvuyHE00yRPM2cJwcSapOuI
+        gXSLjIoiRfbVNxFCgTFEA4KN6B/eqmOyiEoUhEhHXmwzb65bMB7puGbb7jET
+        =e4QR
         -----END PGP MESSAGE-----
       fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAz5uSgHG2iMJARAAl+0vmB2+PBg2aAZHZ1Fa9r/4zByhvLrjZ+5yWWcyf7fS
-        T/1Q2VbnDFvUwsEdbDs2RJYVejGxs5cyIge2ptn/9rnp1aMTu+FG1uQrY3lhGP6L
-        vpyDZWa2e1+bapttkrBBe79TZGZ4ABv+FCqHqWiH2HJ3V6ELXaooNhTrtlURCDqT
-        Cqgs8gH1qdVgISI9kvsxS8uGa58assuM/WW2+jATIoxBzUG9iHTugr75HWJw8xb7
-        R4Xbtfpev5exXicbbAvO8b3scnBU3Y1OUERo7xPxxskVSCu8q2gDtyeckOY9SN0i
-        V4sr+bUBfvPChlfoIq9kifZPo4Pv2yP8EhH6D5pVRqO/aiBYr9l0XtxDaHB+d1Dj
-        Q2f7azUuM5MDRotUM8mhn09hd61haag4R6dVAOq3mL9rxXLj8sdHS4A4ufkjn+dc
-        PI/Q93gL+sFy9N0wgCvHZEhY1QoKssSBCu03q2ZVlLFuYfcXWEIQU3XpbzyCmAA6
-        VkCvwXEA8xRs2ClrBpMOj7wRKzYoS3ATc3nFx0XL5pL74rUE68yiRlsZLccRB+9/
-        nJSY72QzR9FFUhFFv0/DxUFs4OVCUzLwQVVUT+Wi8EZen0aY4zFG1u59F6E03Pre
-        wC9TIxDCR5MY6/SGgYPep5qheeYVdXw7a0TQWrwXpaTPSj7tm2FFQES5DRkVNN3S
-        XgEMoELXGpBjzixYKSsQ0/yT5qX9v7vjrZ/a3EuXtkdh7MAfMbRV+YDl2hlN9IJM
-        vpAo/V/vH1AyWqBL0oQ00xZzNvxi4RiPk0KPZg2zH1C4aokELI7i8D4Dz3L83Tc=
-        =LofD
+        hQIMAz5uSgHG2iMJARAAw43j5wveIlxO0Pi4ayjy6RxnIvB1cy4A3X3rIdbL0TVI
+        lBJfO4ErBitBtWy4F5MQDL5UmKnSvamG0G3Uo1z/PzAob2Fyb8nBM0P/jOcWB8KP
+        Lzv0IM2cQ308HrYsUSpxRBAApc1JWX7PAZgRBhvvm7KW3vLFOgm+aMEHAjLYxFNN
+        zlrWFhe8kLNZFMHr8GnWv4XhwHgicaXfP+hJQs4gHnKsZ1je3dhurgHRdu0PBu8b
+        QUHd+PB8S3dt4dacHGlMdqRRl61jj+ufYqQAVgPfj3m5bvDanJqQNXQubFDMW6kp
+        j6U/rYY0GwZ+r2xFHBr10zbx4TR+bxMQMqJ/YA+PZGVT7Y1S2rwLLdmMg66ENKQn
+        Hbk/rMibXTUab/uc17STBsOAdLam313WpTaa7kfqFZhqaiTARlmULtdPWyRBvOvi
+        PB+NrFI7hboakG8kOaiitdfD/NUanz/p1RKGBPkpL7GZE6B63SHxTKtLm/A141nI
+        9cPNeXNZWhkSZv/2akQ9ea91yBMeIuiydFJnBuZR6ygqvC+ShhAUV5Ag7h8AAlTi
+        2gDoZZvGqsXjRO7FtR82SSaWk+buzVbDtLRdzHiPPgIaDkLtVfXabqEhw2bqaP8/
+        UeH2gZW6MPuO4AWYRgpvQX0XOYJqA2RNsxO83HF3EjvvbUeJhz84iC+OD790ElPS
+        XAHizPVvoinf9dfxckUvFm1RUA5V7xwlHUh2a0Zj4mBkxFAJqGzOINAkg6UAV4sh
+        K9zPafVtVO/SiBdnR8JApH+rb7kXwal/jAOHJYjPtz2JRGeCrFz8YJR9lkaa
+        =jeRO
         -----END PGP MESSAGE-----
       fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAw5vwmoEJHQ1AQ/+Pr/ATDoZJGDuIOTI2RgXFefWN0/iz3KeI8n/8F9/1vkY
-        1G/Bs0X9NkuzT6A/oIjBDa3630DMMvfdbY5Gclqrdwobft9dqhP05naf7BujX2DY
-        oL2SbTnfB06NUPiSsZ9aE/2yyzvnZjAxRczXZCi9DmhBhaXicILiJpJMUReldGtB
-        zbGtRzMUojwXqc1Fi52mXvn8XVTgrD//jX1IOUnpXmaFKa7zJCHe7Qfl0P7LMCw/
-        vTDAXSazVFqvgyASPPHgVFw9oFdJ9Na02ML4jynRnIIra9WoBe+9+aPoaNG5WePP
-        Lqxmaj3uz5Uh2S4Lr8Qr+n7swjPUlYkZKSRY0WDfhoi+aCC1ejtysZaAwH32+CQA
-        sbnh4m+/qnEiNZlgy2vS/6yQKMAQ6HnLkBfkXYTseI4egVw2X7byMFpmAlqo1pwl
-        kr4cKaYGYDBT7/fDDrB8AAdXUq+guABm+8UO4GHvvSCzWY+8ie2/wrTSB4O9rLnQ
-        WQABESou4c/w2hKordim25w1UWWPhiX6TdumBjtep/SPNMrVNShn8s+G8uh+eAwQ
-        blNH7H6EwHW1b7gvSmKrlczW5/TXsi5URl+cuel0C5/ckdWej+jIIbfCPd+D3BbH
-        pFkQWZR0vFpvUZcUfU5kSTUz8N6jh/nGvOuOKZ07645ZFAKHjxE1JqjhqcJEqDDS
-        XgFphkUBFPhmz2FJdIQvfkyl6/CCj+MUfNLsB1hZAd4GRxcBPFyLB1rAkB0kV1QY
-        RdIXX5ahmk6JmtkwJsO+m5aAWu0ft5xpsX3jJKqAyoVWcRO/3kER8b1K9IL57nA=
-        =I4Bv
+        hQIMAw5vwmoEJHQ1ARAAuuTaQOJdkhaTei934YczQbjX1g7cX4yWuxS4BHQ0+Jw+
+        MtZnUUYcjVY4hErlm+w9/iwr/ua6lvsTigHHy8IKiz7F/xuG3qAoQwIR4+bNP730
+        En1EYlczxFw4Xaa2WIayaRy4M34W5zvdDuUwN5SW0XDahcmmut/9WGRmz0K8chGp
+        8opG1KldRY4ynOgXcB00x8w2NnQ5kjisyk+zjtTNas1E9c4m2MJlvrGHy4ffVg9X
+        ID9/66wXr3nimAlaYvHmVW75hd2+MfWyqtrLccThPrB2aNPs2mN1xH2TODX4gEP6
+        pFHyyrAsjK9zP7M195pXw+WE3QnBPgbW2/zmCbPHwPGgP6ljLsDjo1SDXWsxZ6vt
+        88bCECCJCrurkP00HJdnbXd+dXddNMXfYLT15aQvta1nYPp8UmVahCN/QyaNthkN
+        rclV1jmr0sEtG44p4R0SV3yIsATCnFGmr/4pbI/r+aEakIVIPEK6GM/69o/6kW8b
+        7KGEc4riDefZn93jNEGmC4oqotSPLaLlaNg86gWazRrMUBu9hJ2QFpeqSX5Vl5uG
+        XnIokcaWjZmDgZgDOFa5inQBDfT/7wTJ7mGnLpt6Lnibnp/ATvIYBEI4zakHAJpz
+        0qWN89fpS4senq2bZJ2WZYfpLvHpspchxMhmNfjalQaEVdqPfEqQCImJv4h7VlfS
+        XAFGcZB2DSkd1fIxKcOB6XMDEbxGfBAVZq+k7Qw1oBdCa1Wi8uBoVS6QHLEUccbO
+        01Ptf7jWdTYgujdxRvyYSYS9YY4z0nR2GmFzynCB/oCylEwmsBR2ie8J1Ew4
+        =Gjvk
         -----END PGP MESSAGE-----
       fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DerEtaFuTeewSAQdA3oIk2sfUn8ZzJf8T1xFQ/gSWqIoOXZvpAf8R88A5+2ow
-        kM6YFiCCShgt2qGZi1k9xNxoRO1aRmSdEqdwMHAwpFRtEr+tOcE1pq0o1HQUzqqR
-        0l4BUDcJXeyrY44ufOXKRVd9J9LuwSf0GHfvSzGxCfFGQVKAtRx69TUwyo25Xwdb
-        mN/mmVecb+atPqdB5uMSvsMC2Tw+F313Y+uvgjK6B54iK9wjTiudD1TvzrTeaOPY
-        =QmFT
+        hF4DerEtaFuTeewSAQdAgd5EW7q2vIPAOqEzhHiEI5O0WzrC59UqNnagUK8u5T4w
+        e6e9sEaNfzsZE3Ep61sWLZkDDddE1RqF8riVaBRHjFzpj4mNptePNQCCDJSU8jYf
+        0lwBJmRslhasFEdMhQjqJVWLyVeG+z45mcfkXT0VFkBWWs/RDchgiYQjXxi+tMXy
+        iIUKjmu2bb3Cr3KTEglA9P69aVkDtdDvol5LflkzlB925aDev6arSnqFuoZIcQ==
+        =xwmU
         -----END PGP MESSAGE-----
       fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMAxjNhCKPP69fAQ//QqFgN/hbCgpEB/KyJ+5uc8Nmi1FLWFBEPhnstvIlGx34
-        rPkmO+mLxa39ikwNg2bAwFxDRdwFREj/5lcdEPaKMgyxNxngS4PSs7TtHroNvyXk
-        jEsNsyanhaajctcBJNSEcDWNFItTn2gLGmHOuribULXBdixI3sXCjrrDKceNs5YS
-        XUIw4SIl4NS2nCUQcFlMqVlKOiw5d5aNfPND0UzFI2CFGo1740F/G9wugOIzsLwP
-        C69o2JZDmsvs7rwgfWYbS5prxD0hHzXrjuHnONyPD9NdtIRVU0jDEPrcmxJfbj4D
-        nzkTqeEyNmcIGnVhCCM0ysk54e/VxI6Xl3upp8qgz21h0vBu88liJFeQo+uegNsa
-        ozLyvzsFSdbxbIzcqnXxMurWIoDZW59d0AsitmACez1PFHXmC4KEH28bxFNek0/u
-        hpxFiPRvr4hxPouCTSx1pP7HnDGUfJtNOu4BLigO9hjU2K628WBkZt95L4wprBIm
-        kgt/st3Bk96EC6bWLtn4n6Zb6l7+mdv+6qg1XBzbLFDxcu+L62qtd4j7BjI3ckGY
-        hO5tkGroSyRdOkqw9IJ7KoDyk90IE4Q0xy/XM5dqAXQz59sPhIOPBxje1FursyaV
-        RY7tZARigq/JEWwwTLlbOYPd3XGdbw6N5LfDZoXe2Lz+isHsxL2cAqJ+wgYgfb3S
-        XgEIk9UCAztF21PD6IC4E4OkK1ARhpwIGwdluazSGzYeTqKEB2g7N9iowAlp+bcG
-        aZ2DU/R6XYdU5jch6fiU0zz421Li5gngNwg3FOVdZzhdrSiWdjRUFCJEbituyvs=
-        =Msjh
+        hQIMAxjNhCKPP69fAQ//bv/NiT6dblP4GWghe9w9O4u/cwF9rF5x35lNaXUesu5a
+        b7mz1DkK2xzAIPFXpp2EhX4iRj6cQmEIDN4IrknsiKD18tMA6pqv5/1RA4DrjAWm
+        hlURDAJy3Q3kA92pgDcCOhIJu5gKFMUVUL6xG8TeNOr48VCw5LgmnxZ/6PuTJ9hm
+        L0r+OnWfUKZGxKPev5/N6hIWCGKuCpZ44IyPVHU48CK8+yJWRwK2Fb8WAy775RVz
+        NhTxD+IqQuHZlXnYy/6WunlkEmuV/G4bUzByjG0Uun9J9COaaLC+8OFVVm3MMD/l
+        R7JbZlXigj80IHPGybB+FVNu8rUk3JbGo9tOux1H21CTdd0Hmi4YtritLKpt37tK
+        I8lYNCFgfWOTcllRFB582BomMSObeDjffG4tASqtZ7lFYAA1tHO3akM7iQGWnsxE
+        oES2Ibp/bP+tKCh9BnXKzHbSlIiv6g/4AIALRyyLskM/LH1FP6Xwc2wAsck/DfOK
+        ApQRNpkqn0dnGCb8ZIDeT1EWlc2ZSzkP+X3yy71wX0TBZOs26n6crIAjR3LUiHt9
+        UzT09TAHk2Si3dSBcRr54Xitjg/f4lfKhQv9hV0tG1qFdITYjv6JFqihtBUEnNiT
+        BR5udNvLMKw5KOergEUl2EGPWlXDK9LsjI9vzWq9ZOS4cNWAR0zwTjC3LK7BNBLS
+        XAEBjZUJhvPKpa/f8oMGcZ18HP/m4M5MEKCrCbQkk+bYDy5zBjU3I3hqN2MpnGb6
+        UMGEx2tgHxuksdjSaDb1nTNfsanTC5UgqFAfsn5QAiBxQmeXRnjFpj2a4pc0
+        =R+3P
         -----END PGP MESSAGE-----
       fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA1Hthzn+T1OoARAAlYlRUFLenIg5rQuMsq6Qd/3V1L+EomZcDTeVWUlvNBhJ
-        wdh58x2OqaXRbujPT7ekJY1xDg3S541yG+7al5eR3Sv4zcE5ZgNoM/rY/Ik4hnWr
-        03+a/jIRQxoFeIVKAhAMcj9hxjBUCaQeNwvfYRrkWRC2fKAe9X26oTRlk0oEobMI
-        5EZTi558D8ZVxIlK+LCBk5jGFepGkts0FlPjzH0+S43FLtFOqRVV5UGGahbUZ6aq
-        mF8ULy6+V0LxIqOaDYRwfUhX+BvPdCiBRf14yhkMIWKDpDa3lVuKWAzSF/CKk2z6
-        lO12dlpI3+50zwEuG5hyei0UlMPV9rR7nLL4kG7cjIaJKCeXtbgt6Qf9Ml3uAF+t
-        xBjsQmnPstsBJZlj3cBlo+U6RKktkfeiU2Fg2OGUxf+iER6rBfGwBiPLME6RPiXc
-        26RiEMMyIMqzgaM+2I0GL/cMEcsYj3OR/Q3q34EIFFTQXjz7dsWFjuRIELg3lxB2
-        hNJfn8JnDYsP/yw7GMZM9TQCHOcLL2+vzh/GhIy6kBEeI6DSbnMR92REezSUclHi
-        g1292f8mDidAmb7aVFkMPnVkTFrriKiXDMO7Lh6qkIWmnGfcecsLONGif2olW9e4
-        /PZb4d44UrHdG7FIn+iuTqWcwkIY0AuOZg0eDa6qi0pcePPG1IaGnF34R8amkYHS
-        XgFP1eurU9GajS2HDU5Ghd4KMFncCiibP5xA22inFdGwHK0Rc0JH5LbOwWugU/yC
-        5a60wP3Sg7LIxYriI4a4kpmKpqE7+ZhfuqQ10wC3eCXmca5bkqIOFd91X7gfnFc=
-        =m//a
+        hQIMA1Hthzn+T1OoAQ//dfpU2ARKiqEam2TD2QF79ujIPoofrJXX+Rf9zwe9TBNC
+        rZCZLdWLECZzJcE1R/VHM1Np3AFPmze8FZ4onGBgI0Go2vwCrrYtBe6AomAlzXho
+        WXABvr56Eoe1ZmzDHZLPeGs6j2OfsQmq5UYDXOLEPZ6T32jA2f4dvI/k0UEFEbsb
+        Oi3gbmpQgiub4WDE8Czy2o9Jmcsxwq4NhmnGxx+ogXO3rS8jYQjaBG3P5mz8oA3R
+        P5zauE4sZ56WzT2z8rD6NPuNuMc5Dv8OMISQey+WfR9ysco7288v4qr2hMgJF+uc
+        uDQtH8ZFsRXwknyKFaph+KLkmvDBzSKoGiRtcaACzK1WWDbowN+KYcLsCf2WE76T
+        VJPWzZn0tjjyIWWaDLEqrKWuezXajMxW64zSjDje3oqIlJf41Sqr3yVtBI+Willn
+        m0iW883quAICS4ECaaY85+N5vwtaRntlYEGdYUm3k11Io4erEl1qw1fMplD0/E+P
+        I1jA790vOS9PDYzdK8nvGrEoGURW+Y3/q+fSKMBsfHATBCBSGRL6G/SHFvlDBLhK
+        ivJOOeQ2Hw4G7h0GGgQAEGk47EijL0j0+eEYDDvw8DQjVuUe9dWNr0K2qmBfm7p7
+        7ERZuLn2BPkk++h3IMTQL/OnaEgX+dIbGiekw5a26mVi3BB1t0Di8q6gtmThlTbS
+        XAHBzItP/jn8txvNRSHHZN5AvuU3TMyaEjFmhYf59x5vBa047U9WyTqGuwNj1IQR
+        oLJNQXb/qo4Lo1gd397zTecG2KDhHl/ael8SlZsaLkG5Lp/V7LGr9J2FX4Xe
+        =76+h
         -----END PGP MESSAGE-----
       fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA46L6MuPqfJqARAAlOnbIDuRQI95foLsmVkTz3iBPoAGWP4T+BmwRXbBzchI
-        xnb2bVuSp2XS8ndofmqwPVfIA/XzQeS6+R1wE8z7IxBZEr25Oe+l/vnz/iIHfoMy
-        LpJYqP4dAMf/VLQ0h2X/WfN0QYkxbBEHj4vwR8NIjYxb1iygIcZuBEl28/ZqNAAs
-        0CogIZpD057gX+SUdnL4HmpZJu1VcduOxEQq+4TBZELPw7yQ+obCtalncubnXGOh
-        COyjN4DkMeLNyZ5B8JKnsCCEzssn6/gI3nNzR8gTozvVdiPqmItix/lWgNZlxxnD
-        yxHtqs+RRxQrZxMBrVo7Z/2hNm15rT2XmpOYvs6eIKn0NILs46erKSFHi5Vbgu0f
-        rNshtzt8zwPsrGS2gyMauXBq4vB11hXMuOS1zgi9gA/mIzGbLLPl8JYVKjpZdRXj
-        BelPHOpEVEI+6Rk02+QuEGjN5XJnnLOshEt7Gg+be6APCpDsf9KhoxIPeG1e1MV0
-        W5yfykmCC4E059Q7jJp7npNzAk8Xnk6zkScUT1zibXi+DYcaN3sSKqB7UgmjpqJ6
-        vBn17pmhJYCa7CwlJif9abliw6mHt5qN8Xrg2064I3cPwJpzOSaTI/G+kl73Wn4Q
-        x4G2l2XTHAMnvAoL7I4r2F0I1MpmDiubj4BnKp3/C2YhICDOpsCE7e6ceuYI4HHS
-        XgHNkVi8iHF/02oV2nLDAfPASomsCTDQYRE6/dLbt4d38BaGJ6iIIcNMxGbUByMj
-        nAEWtH7+8crR42yJp/OxVPLlXLHKoDEd0IydLpFl9dnsaYAqdPYUqCQ8merJlPg=
-        =5z9a
+        hQIMA46L6MuPqfJqARAAhGXnruY2sbbMVeOpJKn0MfDowextWNPVlhRAcltNO6Pk
+        PUWbX3IOs2ardDbxPJ8QeVPG0QoLAVGwLqbfOulAvRXWoA/NSm+EpW96ofqTNA+P
+        CK9/ZHcef9wv4DK6kJ2Rkyu2rotToMYi9Hxpr7joOVIsI9ewb8s6SSa5S4qAAw/G
+        Y7mH8XMFqwZBKzmWP/9kXxACwas6vlx61s4F0cj0XCcAzmU9fKORydljrcc6hNI9
+        MRRS7j63it0fckq2v7IBQDgJyuNsLvZD6bZ1P/rdZUUqjTSOIQyb5yT6am1T+DvY
+        0ClubdaXhEaQplSL2D0VUEqZmTY7Cmw0yiDBgmyhU5zqjc4MHlJ8S2gssGySWTRo
+        tR+yEFgemtuIiUVFTJN9Set40968hAlN4jYPOqxjC6U7oC6YLah8nXRJasEN3lEg
+        9+fdaCAIQPfK6U/C4j8tEZ1sCXfxaZfaVGpHWrArcxN4L2nei2hT136yLkrIuo4j
+        vfDTBK77Rpwfc6bmg1Nf94ed7XWn9ZQgVvPKPANvvyhXmflE/wVxg2atofzCIe5i
+        1IXX/YHn6MiixqaSbHnzCAaqVQuJKC3b/EO8b3GZJfCcBHZratAQVZq1emnaK0id
+        35OwtOXKOagvk8YoIPY1vCVDvVrrT1RK2XGrRfnwoC2plg4cNws1aUhENEDt4NjS
+        XAE9IcqCFTz5RXO6A7/Q03Ge2GEXrXmI39CTT4gTzy6USEDUiniE7PRudm/2dY8c
+        ZA+AvTFrEdoGK1b/snAvw8dGTFv9lwQqkBr0JDqwD9SGQPIXD6CIUKioxQ78
+        =KPcz
         -----END PGP MESSAGE-----
       fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DQrf1tCqiJxoSAQdATdhehHCg+P5ryd+GcDKRDMHgwv5c88CHXI+L/6meUSEw
-        EXNK49Y4NeLrDllZuDdS8Xd/U3BJtdw/Ef744lhv/CvSCEIBOVu0n7hsHZ6E+MQd
-        0l4BFNDMgxj51IVlf/vNyWKHrcf3iYLLJdDL31sSHiRk/zTElaM2W3s2zujSOgiB
-        cveF2p4/0TZ1lt+kzSWPdKZ7gixngC1vKtb1uok7sAzStAM3wdvpBjvouti/yduQ
-        =Nvpr
+        hF4DQrf1tCqiJxoSAQdAagtCn66tLHM3wXjb8nCEH8nh0g5pKSTzcx/re43tLCYw
+        IbatYjkYoqBofEDr0m4QHTyN7JAtq11Yk106M9zkktUHUPG0H/NG7TKOK65OC1U1
+        0lwBA0l+mdaX06nBkQE8xzXafXcJYJkTp0RvXrzZkXb6K0NBuQwcXO3A0xcJMIZ9
+        A3tWaza1HnUdtlUj3vj/0ykrYaUywLL4rdVgu5FunOMbg0QQV8zy2Kn1dNh6Jg==
+        =wy66
         -----END PGP MESSAGE-----
       fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DzAGzViGx4qcSAQdAVM1+fV0H62T2slKovp8/rIF6CBYl28z6hbbAyixUQFYw
-        0qeyMu6ujpCHiSx9xps+FHYONtfEcjxpZHPk4C9fP6h3D+l4xnfGtzVXo7t1budp
-        0lgBJZCP7JuE7omAuo00L3hjTSaYpa6UWE8cZEbwkOGsm47m1xzMlEzSExBZ61wj
-        dKkSNVFLd7z/5SlKFgFJgbgwuAl7umjDVQjItyrqRNnhuPBUmZbYBEEJ
-        =Xu7e
+        hF4DzAGzViGx4qcSAQdAuK7fsRq3IfaTb8M+wFYeMoAGK7pbIPnuC/i9GAVmaHIw
+        7iTd9Gh7qjZ4Z7BNvD9cH+MMoeKNYEI4iIgzyZBSwADiCwq+GOeeN752uTFzvysY
+        0lYBs4Ny83rYbSQU5eaA0VNrc2blc9D+3gc0NB1czac9pUsJ6w4P6vb8TdtrzvlS
+        zAUSYYWaU2aX1dI8274dFmHmF9o+9/kPsJLSTqkLUFaV8cje170cVQ==
+        =4Es4
         -----END PGP MESSAGE-----
       fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
-    - created_at: "2025-10-20T19:03:07Z"
+    - created_at: "2026-01-27T08:41:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA2pVdGTIrZI+AQ//R6I646qRFql6ouszDIf24Jc1HU49sWK00jfEgfDAMXVX
-        FcHyARVKbjq+4Luzf0ut/KrHaGC17iEcohvfaWVds/j8fOA40RWXXG5wkiqmrXQ9
-        xgPpV418jCpLhrE85W5emNVH8a0sX746sulslm5NhCBbYsKgmvWB0NW/kSmPBAD7
-        xnx6ZysaDEt2kgFy+GhCBMjm+WUOEypF1xoH8YlOO8rtJPVwTX3QPkgEYxrEtloJ
-        T7cScRPJo66y5ne1E4FKFUApH5cDlD4et9/TpJKR76y1hml+geCM9S7oOD1LmHIM
-        PxQFfNVL8/RWUSxNtkA+4ixlERitMbW3x4rqq864m1MnZEyYGOiUgF4uU8t7VruJ
-        bE+qbqOdy+HROi5vBgB7NZ3S1k7iBweGll7xcEfRHWd+lIunezzb/V/lJoShuSBL
-        WEetGEijGGDLPwTWG2ZSGQQsrPZH0VoA2rRS/aZ75Bau3ctIFAEPuNLS2+AnSh1C
-        hWMCXsGu3JVwq53TS0Lg5scquaXWPcuEQPJ6ZEmQOGfq+zjJKCp0Wq3W1GqkMAR+
-        9WFvAeh8/fLFTuDnqGLqHoeO9YQ3AK8uraMRf+hVco7RjXOAYks1JvbGDCijlUhv
-        pUrmkELbYnZgnVvAy/uwpYhVdJkQq4Hev+ELFFfTjcX5i3lO9V9iZJ2UUrXj5cnS
-        XgEBs+srIKZqr9mNQlfc6t3+JfaRtRPs5ozaSgJIJx+K9x2e7Guci+ZSAoEP7kn6
-        163uoxaZiP3W7vW/fVe8IDnPsPAc2FuvI0MbpDlEmUcoHWU/s3aY6foYtwg+w0I=
-        =/9CT
+        hQIMA2pVdGTIrZI+ARAAypV2oZNd7o5dKeu+croXx4IgcbjGPl+jM4v4EwIa8kQ3
+        mqRDXYjz4XdFqoCO5Q7sALx06a3V/Gg3VBhxEmPwYtWIBOaEBjIuFy1TieVNCIz7
+        xZlDKUsUFVCMiaF7geRPvN1QMhP37HbKZEWWL3Dtp6d+9W8N3jjFS7qv+26nlhyT
+        QUtMc4wXYXsfuX+wI+Edb3Ibe2tN6s6rK03XiR456TG4Q5XlT0yuWfLA+uF4WMSe
+        9HmPmggwbZgTjagnzkf8/mLwROqFm+KDpCR0vfTGTW+XZOZxS19A3VRM4oCoPCqm
+        78t2XkLjoddqL/baJLdSsoFjrHh74+eYTvaBAorOXowfc/MTzXGTHlth9r2/HjJ2
+        9gXiQATn9fl7sxdRko4mKOn0ff0DhoC4gGgfxopUs2v/bu9dj5VTsyAe5TqGNnHU
+        Oeo1AaboJfWFRlQhsCT3Fpowuc8kRgHalVbARZqTtdRRZHNuf+ob5BYJq1SDFJiN
+        vxg01gUsqzcvcfZSc1IpLr0vF7tdSvmrKE4nq6GgkJEhHm6wwNftobjSxTYQPO3l
+        mXI7wghCU4G03zVhbIAwsUvdZ9K6K3ylUOf1MOkVEy78N5rR63FVzqpibPsTQCnc
+        myhdrYX8fN3GG/QlXF8NwNPFFwOW57577YQJ1d/K0ksiOEWKBzJlBgOu6Z99i8bU
+        ZgEJAhAZ128S/PPndkywgDN8PEvtH2tRvwt+tS+gMI3o2WiPltT28KmWJv9PoG/s
+        9ZAp6mtI6UDoc8yDVuy5BfTH+MuG0IpJLjkqZkY8XSuRD4zAXYIj+a2xHNuWOMhq
+        8471dLH2IQ==
+        =UCus
         -----END PGP MESSAGE-----
       fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
   unencrypted_suffix: _unencrypted
-  version: 3.10.2
+  version: 3.11.0
diff --git a/inventories/chaosknoten/group_vars/all.yaml b/inventories/chaosknoten/group_vars/all.yaml
index b8f13d0a..76147d88 100644
--- a/inventories/chaosknoten/group_vars/all.yaml
+++ b/inventories/chaosknoten/group_vars/all.yaml
@@ -3,7 +3,7 @@
 ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
 ansible_pull__inventory: inventories/chaosknoten
 ansible_pull__playbook: playbooks/maintenance.yaml
-ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
 ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
 ansible_pull__timer_randomized_delay_sec: 30min
 
@@ -14,3 +14,46 @@ msmtp__smtp_port: 465
 msmtp__smtp_tls_method: smtps
 msmtp__smtp_user: any@hosts.hamburg.ccc.de
 msmtp__smtp_from: "{{ inventory_hostname }}@hosts.hamburg.ccc.de"
+
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ metrics__chaos_password }}"
+      }
+    }
+  }
+
+  prometheus.relabel "chaosknoten_common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      target_label = "site"
+      replacement = "wieske"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.hosts.hamburg.ccc.de"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.chaosknoten_common.receiver]
+  }
diff --git a/inventories/chaosknoten/host_vars/acmedns.sops.yaml b/inventories/chaosknoten/host_vars/acmedns.sops.yaml
new file mode 100644
index 00000000..2e728ca5
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/acmedns.sops.yaml
@@ -0,0 +1,214 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:R0FZVQXrUgqW04VltXpYhEuI8Q8i0gE4K1EI05NTZyTO+9QOynMVzfLOzOOT1Yh+oQNLsE0MFELX8eo3EFKyXIrkE/wr2ECgFqY=,iv:m4N6t03tklKRaRZ9eVl2vv9T8WUy6AiPQDNuyU0UEtI=,tag:XJMnT5GZthv9RPQFZTWZaA==,type:str]
+secret__oidc_client_secret: ENC[AES256_GCM,data:UHbIuftvyPHxtHGRvH+ydMetiCRu3z3JL+zFzLwVaSQ=,iv:1/KKB9IHZEWgEULoab1aVwbPIW7mxfRK7NABiSP2yIQ=,tag:8g3ej7ZJwAuPk9eGdPGyog==,type:str]
+secret__oidc_cookie_secret: ENC[AES256_GCM,data:epKralmaga5W0TK0njjTBP0GIlkUK2ogKEbWQ/zlIhQ=,iv:rDBiSE+DPkX2I2i2fJQ/SrkltlCnPOEyeMfud2xXbFA=,tag:SOGIJHiaKq1t+Dg0NJGnxA==,type:str]
+sops:
+  age:
+    - recipient: age16pxqxdj25xz6w200sf8duc62vyk0xkhzc7y63nyhg29sm077vp8qy4sywv
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SDJ0NHZkK3hvUSt2K2hV
+        TWNKUkFlUFVkaEFlM1lDVTdnZU5EeURiOURzCnQzcWE2RnpiZ3BmRzIwbFRDdkRr
+        VmcreVJvdTl2Z3lBVFJTNmNLZWdyMWcKLS0tIEkwcXAwY0NoNmhCZm9JUDMyRjVC
+        bUM2WC9QeWFrdm43a2N1eStEOFFXVGcKCCqwLQ67aEEjTAyXXabZ2AoBag/QY4HW
+        WwgmI8KNYpC0YXzDJ3fUUL6g4oiSqMxTGvQ+0oABOk+XFnVx+++aoQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T16:16:15Z"
+  mac: ENC[AES256_GCM,data:dBBAJIXeVUXXPXB8Eq4gH5F/0jTpvb79hdu4KD9gV5RL36Tr3iU92SKAZdMcw3/+8zq5L32YWWpYR5HFVPXaSdgls3wtWdrz/1j/C/zRxup+Y8DSOdiebCtz1lJJvglQMZNznRvo7N58lTdF/XqJA4tY51xZZi/krsJXDxtlTgA=,iv:yhwXbXu1MKl4sSYaCKPVUK9aedmIMnt/rzXTcGqmqpk=,tag:hZX6YZrzkrr1mPe6FOs7Xw==,type:str]
+  pgp:
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAi+qxfJ++qxSRxZLZiJ6njtlaOvrmE3uDCxbBwK5/lc7K
+        rt1liJ3Ue1hR1Bt6ozbH72shd5EOQzDuwQiRLZSR/7q6dcM0wdGRrfXuNvsRbQFf
+        Mb1D5L5Md1zOH4HuUx38+GGoB1CchpQwdZpjzcU2+MI5O5YIw3DDcKOAAMa+Nfpy
+        m0aezDSM6zDYYrYKjZUrMCXZFn0cnWAosod1ZJDz+rNMfFaVCPUlcUO4/p8cPzvr
+        rz+B5MV6Nyft3FUpHntFAgGjwlt31ZANZoWeJxJ5/zFlmieXMihjC4x1QPBs42E2
+        den7NPprSZX1ynGdImaZfTHwuwP1bpLrVFegG1EPrMIUwjRbSZDdmWxaR0uvajgM
+        GcbJLRFdvOcc7g7NWh2n4AwjpjcPN0cNrAit5/S0PG7JYdZFi4abfxTur12p9BPk
+        xJacN4ZVnT5qRRnqinPDCCiR4MLg/L9fxG6Dap6xboBTnHS5GksuLiDFMjsSAVh7
+        /63SOn6/Po1BUiiZPRHkvlm1uhkP7k5iDT/cP+gV1QDjdrXbD27D3c2eJveBaX03
+        oLhXi+2/tmitsRw5vp+jTwHP3RDC9ZsORdEoshaGJ7Axbmai1wmUAabaz60vbTzV
+        W5KHaEAdC97YsUFUn4ZgqORJ5MlPRUGUGGmlYJq6peihLYx/wdCLw9DywhZAYiTU
+        aAEJAhACPP4YiVUAbMaXB3q7AJWnoF20oJVBcGD7nvAVIaJJL0zuYe3lsujo2O2L
+        wqzIw80YE0tSaHx9GWJorF3vQQ1/jxrgiZofZNrsrQ5mzVADGO5+JLuU1THyDWXV
+        PPvkTEc7AdD6
+        =GWYV
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ/+KKOoBqMu5MXGmEM70WGKs7qGiqcJ4jizWaf2BjO8JtcU
+        DUJ31xy+KOnZh4pNP3bYptBtv/FehKHfaC1HB+sXBqT7hhAT5k2WyNo6Y1EdsGeG
+        HuccJ8rEMxwRSp3rdpca/53mtFzYHFHDT2nOEc5wkl0KqPITIJAiaGVVeS/ANy6X
+        qijabdecK8Ekb0Ev7OHwxFQT92DdtN7xdQns4bUoxSy9j/7SDUII7btG3alhlH2Z
+        XF+aZ4Fo+P/O8yavyTuwm6GlKWaWtGn9xRhNXvMkpBXIa4rwHC0re3DJNlMqN7EV
+        gW2sxnAxBShNU/ZtpqaQ2ku8L7FPB4Y8hhbk08PVlqz6F1xFm9x5PEriuaIPd1pp
+        0TQtekvntBWiRAQ8QPmrfg96BaLqvL+Hffb3PlIRvnXHmaJY/5Ci0HGgoUjodKIT
+        0tZzP0xcElbm3Mf5z/uyRzCwpx7oLn+q9xiJ2yoYwn4IkMWd2VaJZJlVcKH1RRXS
+        A4OUERkDSV3Fz6VjnI0VQ/hpfLDLCaQp8TzUOtNy4MqzsB0fQbDWnPR1KFrmNmSv
+        SSkS04tSt9CMNDFllrwQg6fbaZMmS97JeXb723mfUrPa0o3MeTxa9EuB/NQvWYuS
+        iBqC+NxIAvUw/IJtKg3unA9ysigCDUTbi6P7F69NMJM9qHet7PSLgqsM9RPdPlLS
+        XgH+T9DivFMWNnGvAS+wMckvKcTtskHWnQMCYdx62VsXzS/LU3iWq+OBz/xf8yhD
+        2vS25oi54fQKz6diOrq/TgO0Cx2/1LXqOYL5m/6+Qvv7wxHHZHeLcdwCRVceLZs=
+        =5SxJ
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAArv3KHUknyw89o/HA+T9vv1orrq0uztAOtOYLXIxF0mPL
+        S+Yrqs8uT0UmIJ/vdNZpf6HYw7Cmk4XErSsT4l15/5JbGfvqbc1ECdoz6j6kNfID
+        eHP3iJkySKbxSqflZ/3Hs8UXV65RU4F1HHK2SsQVvb0FCl03KNqkNAMicqiYZyzH
+        CAKOje7fnCHQ2oClUXakwXDQMnQwboXmhC26ghTvCYHIcb/VD8z91TSjxNitA1nG
+        7Ky1VvBWTuC0qcfaxkrkkwDPcxdfA2BXyxwm7b/w2IwmQX1cce25MCgIhMCFuf0C
+        rvw8GgfJEQ/qI3Rk1R87cpyRte4itrl1cCJI1UgS088+eHhmeS8XOZL860Eiqho4
+        tQJLUCr0P+LSBgOxj6/hnzY56bpPxa1NjRjqCGh+WF9XzeM8vY1MkzIjqHXxq9bD
+        9yGnFujzTcFbpEzdigPfAt6VgMe3jAEWqnr9fTK/f4qKWdXfycEHAJgL9UqHCtR0
+        DMy2+ZsHy5Hn9S5hmXLWpKo579FEWMLeCRA2DZvCHKIWUPhv3O4BAGovh8px9wRR
+        V7HeNK0efhiPm80alIQUGn+JEyNOaBrjAQmS0+ELF1S1AaHzXoLNrxfBCQJJCHd6
+        BvZIC6mVWF9DSeD+s/twk6qGNwAl17OAi3fyahunefODNqMcW73RI6x0BhkBfvnS
+        XgGEHYtdIiwWW+nCWBCrlXHrZ2AqgFKqNInB8lR5t7GtSjVxF6blysWXyv4JtegX
+        A3gMULNrOAZiPMe5Q1DDMNJ34jEnveojMIAOb/j+w7bvcgh7wbrUIUhNQSDgoaY=
+        =H3mo
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAAqbv66yl/dyRf3f1ejNWsZxwD5oo99rHvbfWDCjTEFpzo
+        QUHgi7h+uF3GfRqkbE8YK7oFmTdxDS7DEkiQHw3jbJwI2+K1umubwq5sL1IMhSyG
+        SHZL+3r4ytBj6kuraXoTGqBFjNNht+3rRUEvgK8eXAixp8aHbx2LAVzjhxGTa9WY
+        yT9H4XJgEac5ODiyhyu3wxzZFmcr9VVNpja7C3iJ5PymjKPnzMFHzdhYflVG4ptP
+        lscRsl5TakEL7p4wsjLszeXTSq38ueaH3Bhvts3Kl72BU2rICDzlBOzGszq3gI2c
+        o97Vydku1MBsIwbUdKAOdhjA4BFyPAg1z1VkeEOrH1ThaZ0cfalN6TxBfCeKftSv
+        VAn9ErK6cRjM5peyJPSHUjpXZEcomtZonhAIBUfDeFW3Sk4lE7+SnIvJkLtrvSZy
+        QDgbA4dE19d8MUL0uu+fyp85+OkXI+e1QOOoZX+7/Mco3wKbCbP5T21T/+SLsH0N
+        oNrQpQlDch5YB+vLISUE7+buFdlMpIlcHAnL9scjgIdU0Z/X75p/5t7g99D/0nc/
+        WGu4l2n9fbrvimnqc6wWzBHgQZVcPKr5tMB6jVQu4WCdHX9VkI+Ru2IfCFsQ09TD
+        RQMybPT3tTdYODVCeoE3NmilqE+igEzFYRDwFdKjR2eLnuli5mI7GlXrboPGjWPS
+        XgEpnUxHg7oik0vO8YsyRldQ2Vyw1vIskRq9cdUY0Ix3u0gyqUF56aWhA+4fhr3H
+        Q8RsT8OXXswSozzkw3AvKi3VaGjwDr1Wasq6YVRtV5pjS0Rx/ILo85grKi5vgpk=
+        =bY3Q
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAh8vUqXwXAq615cIswD1e2FbDgcFp4pDKWP4Of9bDRWYw
+        5UMSvrCgWei0lytGCaApC6J+Ppd5o9D34fux8X0/ztoRopIV1RlrcepPr9jo3ROk
+        0l4B4T+mFz+FNrO79ldBuysOEo6qX7kSfJ63cpy48nDNVi0pTDr87OiJTQQD3gfx
+        wQdkqjYs204YvFP8Zp/+Ow+52z0W2ecLwgByVxsiusf8JLlYQMHOL9QisPxWMErr
+        =C2Ii
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ//YH0pZvxXkXYi9tRWPSVllAsKgwzZsKkXS2LrfysCvnNS
+        LmcLrWNV8upH8g6ubHwwq1Q6WcpaoraIGB2Pw7OPKvynqqhMamk6jAzuYF1hMsd/
+        efGlsIF/wE/MLo0AizDZ5H/k6g/BfdSm3VFvAYbdHObQld/+uEMdotBrUjtXJlA/
+        lare1GFxSt+P9J+h5U0kf8VFWbgzf7SkViWBvEpyUaBa0VLgyOc59e9BZzWX8h2R
+        FjNX40MkZHxdbqBx3Bw8MZmQz+Q1O8w7uNcf6YZxl7+tYka99DSoK2T6YxTqqqrt
+        FtqDAUAS+yweg4hP7CwUK05VzmH/y6S4brVJz73NzahVNUBRpPXJUWs8QsR96xx/
+        hUMRGOrfd0qJ/jv2P+oMJipGsWZ5b6rkj/LX9ZAyGW7TgWbelr4zwM2C/n5xDkKf
+        LSQFH1Nx9QG0Aq6JT6staq+xiw/w1ipn0IDL18YPvX5kkO3KNUZk1F7zF6rbXRXa
+        LQIY+lhDnslkOMHmUIvqPSFWDQT/a/ttg0jVazz9IHnCz/+ShCh8nwiXXa6swlGC
+        XFzJS0Lyz55JfRcEN2h4lc6U7sE7MN9WEo8DWNv2UJwIZtu5dHBI9PjFSAxm73KJ
+        FSQDFxqlR7a7BXKw+KfvHUzWcRInWLE3bMQlg9ECJX1sQf2Bu8/YxU9bFT2fzfLS
+        XgHsHSJqqcZ3gwwUPNeQMadRylccXoPOCns3rf3W+7zKRBb8poRpj0hK2J2eIkGG
+        M5kRRudGy07hLV2wQGitucekIFUStxumRSQqpcUhk+RKTOyTMIqT4o6ykVBgke0=
+        =/EHL
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+IxC99h9NXy1lKs8K3O6zNPE4vvoUdlHyU7MngSUe7FID
+        cfVoJmqumGJ2VL052PyGNuJl4wwI0Bk4GJ1B17sDiROM21BgV2xJN44I8DzU/s2i
+        1P/WOcpofsng7xBPib5vETo2ypfiNzurNwKidID6rc8k3TL2Eq3U9gPajdgaHWTx
+        jCBEiBs4B2H0Jv0teH7NK7VY21v/GQ6wCATUdFugjOocWT/Up9SbIKgvzXgxmoB7
+        glmOZGtqMsorMw7Rr9fy5qdL6HK50dYbzQ8IppZFG7PrFLyLsp//S7fReFbtp8oD
+        yCBbhOfywLuhyWmLu78F32l5upv4Q/RPfsOEQVRd13+4XeYIYqbVlBRI4c38iA8k
+        sKgN/l5mH4FPmFWhRfeMOQn51tTDiq/n8G86EJETJJxC2kAhfLXi5YLECH693Vzw
+        Mad81jxssJP5pTTUDBzog6oMNyCvs9paRgb0O4Bt0Zpox+BFdQcTNJahj9wDyfZV
+        TjV6lUtuQ7QvHDYyujxhkJWUOyd2Urfk9Ku8A/xeCGwLRJS9BKYgwvatc49zL5zZ
+        3GZ59gBGERbBCBPoFZgpVh73ZF/riAMHbgh+ZzUlFxJNY4fVvCk79bMitsihAbp8
+        NAELn1kiDPjlW1SsiiIzkdq87ttJ7aVtR1vQBYWapWmU9eSkn8XZcX4PxFot68zS
+        XgEvZxgH4TgGrPuTYusDaopSObkq19jiEJ/A44Jiy2yvU9hXeOn8CeXHTJnwcSeQ
+        ey3QV0vu+gYPL26T5M8fp3DwgZYr+dtAX2jydweT9MKjgeUyZAZmIieY1gdguIw=
+        =WwLj
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/9FcgBwOTVqwohN7+iNCiq13Na/qcvFvFxymSo5ZhtjB/q
+        rMfLaSwsVAZuN9ishdip+a9tFb4oBPpwZjztvsgetoVNvLOrP/ZQag9SDy1fe8KH
+        DDlPFFRjTYtPdS+5ScHc8pGTLmyQzYDfieD0FCdZsNwz5PpAtUu7itvpZKtNWMXr
+        k/N3Mjena5iv79ngDsRlc9O/YXWsAPf8scgApwi+lVilJ7E/jTkrXxiku0knrlfl
+        NnNJKqh5iT2NWXB3Dgw0fQMLbAuDUOlkvrdwxnaJsIyjo8D5g/gh9rXBCJsMMFCp
+        1qppPBTV2f/gZb1gKFpnlBJAiDhmBWoBhlgbmFXv0E/V7F/7bFtsHagb50nEHZlA
+        QH0JjRHN83eGCR9ZBUttxMh0FWV2ND3YlxnCNb43TEoCx9f5ml7L5GbGqu0+8Yrc
+        fHCGPW8DSUh7zTrmB0bn6R60hXcWchNcPdorPopROhGTSC4pkAKn+mt3jvEkyLsW
+        TGqNCEbFbMBJlhhn9w5fxT7vEX0Rt/vO4gXKIzPfcyzsgORIW1YxwtaGyRQErlqo
+        ITnLtowfgrlvU1hI+hwivD9kQ32kmEyYKa9J8fBx07XArYRR64+Eyaaq4lOeZbE4
+        1l0zskD5i1R8NO3yzxpIAqi+H7VPhYLwidjXT54QT8vyqrkmvksANR8UqydYUgnS
+        XgGuO1O1pKkiHHLcb8EydlgW61sLIZZjlkYynMRM5MjgPD5Z3ikeD6VaNSYnOw6c
+        gkisHXqY9EFSPfw8EHnGspyD/mvzDUz63GrylUO+wXgMKdByrsYRaj93j7vfYZ4=
+        =Bk3g
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdADv1xBEY68JQ6Xo2ZT1FV2BJgeB7Yaahi9OQ/aypT0i8w
+        FJRRTtmWVBRtOecoG6SrHLtmYozuLyNFG8/ZFOU7jTSZL6lXr5NV6GIyNZPFTjvE
+        0l4Bqjjh871cqN4Cq5CF3kDibHTyZYsvcQ0BmxSZy2v+moYqZGFPEjNiniS6JrK/
+        Ch+cZvlsGIjTmP96IZfHbO3+hL+tVhO78bmixnN6SE6UDOzdmWcMkQ9DHSZp+p4j
+        =xd/t
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdASnWlOX4oItUMy2BNF+UdGfSkijvIKK1WohLp2rJmQGMw
+        /rpiFcCiX7rZNyn3f+eOULjCPbNtfwqG5Ji6YzGJPEaLg9J/CCYDP7eZ0M13tK9V
+        0lgBjTZZwa7SYs+c49UkhUN92Jrt439mTud3Sa6hvfQTntISOUF3QsMyQO+2h0EH
+        zvaV7dmtiLZZ6ukp9vJG2asPcA1McYBHABUUcjlmFkQ74CYhPFU03/kb
+        =9oyC
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T14:20:25Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAvugr3SudoqZm6B9o/a2bYVlR8eee3Cxtqb/SDfFKJ42J
+        /KIJHOpfs0iyoJzeq4GXn89RU08EHz+1/rAqIHN/cMGc/IjOOXcqKcKVBqhb68+I
+        OyEyxx0YAV939Jc+L9rxb4FnqV/HFJuA087jqP43NgPWySoUzWZshK57Yw/VJNxd
+        U5zDMAciWNVISL/ArcJFroK0n9dvRRsHHHx3/OgQ9Lnl73X5JEAleIPJVb1SDV4e
+        HgmBrlRFpp9e/Mu94Gp9yFd9PqziSA47lkdMwjMYHntTwbT3dqUGOJLF1D1oqC9V
+        +t+5FO5fP+LbnmuFQIGRGqdPpCy4S60d2EqocwBl6q6xn/DLQw1j9hGNpMl3GwBI
+        O7zquV2MyXJR9JqyklWoCmKldLIhpsnPtTx/AhIsMLWq2hvNfbBBNA41sMkofcvl
+        H2Hggi+TkpOh6bre1/uPkr8T3MLsiZIUB/1uHcgYO3FH13K2Ow9ChxmkeLsW6Afu
+        hbQcG7SKr0sCHAmvzbTsIRCpryORDRw4vwrsKuVVgA7neD8HtCItJ/Vk1JmV2xYZ
+        96ilVPPpDs0tmQ/6dZZosoXLGi37Hs+FRgcAUuAdZ3bzb65e+CxtSVjRALG7hz9R
+        XPKmsD6tTgdLpau/zugxdKx3yKMCHzC+AouD+esea8GNuoeGug58IEoglLXDctbU
+        aAEJAhC0Js4STROmS43wGXP2v4umeLw9iF3Wp9L6o12BL3FZXi121py2ogosjAY2
+        30wzFU2KJGqS25/pnXw6r9ycgxdXeKsddR94Q4TOulO3SSEdjs7B+iOKwUkGKoBq
+        9iHTzz6Gpajo
+        =bBZ5
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0
diff --git a/inventories/chaosknoten/host_vars/acmedns.yaml b/inventories/chaosknoten/host_vars/acmedns.yaml
new file mode 100644
index 00000000..364aa9af
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/acmedns.yaml
@@ -0,0 +1,23 @@
+---
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+  - name: acmedns.cfg
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2') }}"
+  - name: oauth2-proxy.cfg
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2') }}"
+  - name: html/index.html
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/acmedns/docker_compose/index.html.j2') }}"
+docker_compose__pull: missing
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  # - "spaceapi.ccc.de" # after DNS has been adjusted
+  - "acmedns.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: acmedns.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 0cbcd4d1..b6cf7715 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,11 +1,11 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.14
+nextcloud__postgres_version: 15.15
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
 nextcloud__use_custom_new_user_skeleton: true
 nextcloud__custom_new_user_skeleton_directory: "resources/chaosknoten/cloud/nextcloud/new_user_skeleton_directory/"
-nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
+nextcloud__proxy_protocol_reverse_proxy_ip: "2a00:14b0:4200:3000:125::1"
 nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml
index 2e3672e2..b87a1989 100644
--- a/inventories/chaosknoten/host_vars/grafana.yaml
+++ b/inventories/chaosknoten/host_vars/grafana.yaml
@@ -53,17 +53,7 @@ nginx__configurations:
   - name: metrics.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf') }}"
 
-
-alloy_config: |
-  prometheus.remote_write "default" {
-    endpoint {
-      url = "https://metrics.hamburg.ccc.de/api/v1/write"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__metrics_chaos }}"
-      }
-    }
-  }
+alloy_config_additional: |
   loki.write "default" {
     endpoint {
       url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
@@ -99,9 +89,9 @@ alloy_config: |
     }
     rule {
       source_labels = ["__journal__hostname"]
-      target_label = "host"
+      target_label = "instance"
       regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
+      replacement = "${1}.hosts.hamburg.ccc.de"
       action = "replace"
     }
   }
@@ -112,30 +102,3 @@ alloy_config: |
     format_as_json = true
     labels        = {component = "loki.source.journal", org = "ccchh"}
   }
-
-  logging {
-    level = "info"
-  }
-  prometheus.exporter.unix "local_system" {
-    enable_collectors = ["systemd"]
-  }
-
-  prometheus.relabel "default" {
-    forward_to = [prometheus.remote_write.default.receiver]
-    rule {
-      target_label = "org"
-      replacement = "ccchh"
-    }
-    rule {
-      source_labels = ["instance"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  prometheus.scrape "scrape_metrics" {
-    targets           = prometheus.exporter.unix.local_system.targets
-    forward_to        = [prometheus.relabel.default.receiver]
-  }
diff --git a/inventories/chaosknoten/host_vars/netbox.yaml b/inventories/chaosknoten/host_vars/netbox.yaml
index 60dd94ad..2c68c171 100644
--- a/inventories/chaosknoten/host_vars/netbox.yaml
+++ b/inventories/chaosknoten/host_vars/netbox.yaml
@@ -1,5 +1,5 @@
 # renovate: datasource=github-releases depName=netbox packageName=netbox-community/netbox
-netbox__version: "v4.4.5"
+netbox__version: "v4.5.0"
 netbox__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/netbox/netbox/configuration.py.j2') }}"
 netbox__custom_pipeline_oidc_group_and_role_mapping: true
 
diff --git a/inventories/chaosknoten/host_vars/ntfy.sops.yaml b/inventories/chaosknoten/host_vars/ntfy.sops.yaml
index e860cca5..1328d664 100644
--- a/inventories/chaosknoten/host_vars/ntfy.sops.yaml
+++ b/inventories/chaosknoten/host_vars/ntfy.sops.yaml
@@ -1,5 +1,3 @@
-secret__loki_chaos: ENC[AES256_GCM,data:LWFTOyER+m021ogmXYBrcr/2fUe3XuZhs5ho0KbM,iv:808LWnSUAPeclhsIgOyR6SutTvJGOu7mrGaVayo7v8M=,tag:f2WCPyUESfMiGDQ4Km5Dyw==,type:str]
-secret__metrics_chaos: ENC[AES256_GCM,data:lAepzCI4pwkF8KiGYzGnC4dPASdHDn+LfbJTFSvt,iv:EUW+CGeYUqhY4G1kb2bbU16j9iLwABHfRCdn2vac5gY=,tag:IcyscB9lZuZgC04XTxDb5w==,type:str]
 secret__ntfy_web_push_private_key: ENC[AES256_GCM,data:YqNEYa1Ln3NFpNoIuBUN1V/WRzod5HAtYueBJYHOwyM59cCaYhQR1S9aQg==,iv:t8bEs5ZAEe6pqbbOb0mpJdfgruX1P9Jd+sbNurGqkng=,tag:Cdy5HKkvb55V6AeRt+MVHg==,type:str]
 ntfy:
   user:
@@ -18,8 +16,8 @@ sops:
         bUhGdEFwOEVxUzVZdERReVF6cmcxeDgKDlO+jacsYgWXqjoxAIKJiB8mCHZ8U7TM
         sGD3oaCi9x6Uvse7hq0BaUe/LaJt2tDaqve9nm3n06V93HNcR9/cdw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-10-20T19:01:39Z"
-  mac: ENC[AES256_GCM,data:a87jRAGBIypZfYCILYCOM+H8KCVUBgb2/1sG05wDbPmLe9IfDT6rzlljbRFOUozq9xsqxpFLsPQx1wPVDi1lhaRT+5oE/NDgVH8aQCofA96DQd3SeB8fWn3LhYjOpmo9ZsFSemvGcXYk/SjVvoU9aN8KG4DHYCOOseGIBTa/a2Y=,iv:5Atem3ACdfdCPUp184cAf/EI9BEXQ1i719l+sIlOnUY=,tag:LWQCxrsZ3660UCcOjY4gMQ==,type:str]
+  lastmodified: "2026-01-25T18:41:48Z"
+  mac: ENC[AES256_GCM,data:2+628ZxPIto0AUhRExTB0UF/XKD7l0qz/NVncKbk+E5nZ5IRGwnhvY5DPiaDNWxskngaYhSYaQZTJTuvC1TuflCr8+IsZRYobj22mYEsrK2KWbozQvYsuooK2HdSWAkE2U5xKKodev2KqxMT+ZY0AIq8ifCo033ro6t0rnIEVQI=,iv:ncKxlhfZ+04rylNmMtOaWyonCJO4gbsuABMAJfVDDIQ=,tag:6c141UrWXNuGM5giTS7Ecw==,type:str]
   pgp:
     - created_at: "2025-10-20T19:03:04Z"
       enc: |-
diff --git a/inventories/chaosknoten/host_vars/ntfy.yaml b/inventories/chaosknoten/host_vars/ntfy.yaml
index cab4e761..2d68bfaa 100644
--- a/inventories/chaosknoten/host_vars/ntfy.yaml
+++ b/inventories/chaosknoten/host_vars/ntfy.yaml
@@ -15,90 +15,8 @@ nginx__configurations:
   - name: ntfy.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf') }}"
 
-alloy_config: |
-  prometheus.remote_write "default" {
-    endpoint {
-      url = "https://metrics.hamburg.ccc.de/api/v1/write"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__metrics_chaos }}"
-      }
-    }
-  }
-  loki.write "default" {
-    endpoint {
-      url = "https://loki.hamburg.ccc.de/loki/api/v1/push"
-      basic_auth {
-        username = "chaos"
-        password = "{{ secret__loki_chaos }}"
-      }
-    }
-  }
-
-  loki.relabel "journal" {
-    forward_to = []
-
-    rule {
-      source_labels = ["__journal__systemd_unit"]
-      target_label  = "systemd_unit"
-    }
-    rule {
-      source_labels = ["__journal__hostname"]
-      target_label = "instance"
-    }
-    rule {
-      source_labels = ["__journal__transport"]
-      target_label = "systemd_transport"
-    }
-    rule {
-      source_labels = ["__journal_syslog_identifier"]
-      target_label = "syslog_identifier"
-    }
-    rule {
-      source_labels = ["__journal_priority_keyword"]
-      target_label  = "level"
-    }
-    rule {
-      source_labels = ["__journal__hostname"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  loki.source.journal "read_journal"  {
-    forward_to    = [loki.write.default.receiver]
-    relabel_rules = loki.relabel.journal.rules
-    format_as_json = true
-    labels        = {component = "loki.source.journal", org = "ccchh"}
-  }
-
-  prometheus.exporter.unix "local_system" {
-    enable_collectors = ["systemd"]
-  }
-
-  prometheus.relabel "default" {
-    forward_to = [prometheus.remote_write.default.receiver]
-    rule {
-      target_label = "org"
-      replacement = "ccchh"
-    }
-    rule {
-      source_labels = ["instance"]
-      target_label = "host"
-      regex  = "([^:]+)"
-      replacement = "${1}.hamburg.ccc.de"
-      action = "replace"
-    }
-  }
-
-  prometheus.scrape "unix_metrics" {
-    targets           = prometheus.exporter.unix.local_system.targets
-    forward_to        = [prometheus.relabel.default.receiver]
-  }
-
+alloy_config_additional: |
   prometheus.scrape "ntfy_metrics" {
     targets     = [{"__address__" = "localhost:9586", job = "ntfy", instance = "ntfy", __scrape_interval__ = "120s"}]
-    forward_to  = [prometheus.relabel.default.receiver]
+    forward_to  = [prometheus.relabel.chaosknoten_common.receiver]
   }
diff --git a/inventories/chaosknoten/host_vars/router.yaml b/inventories/chaosknoten/host_vars/router.yaml
new file mode 100644
index 00000000..adbc8d95
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/router.yaml
@@ -0,0 +1,5 @@
+systemd_networkd__config_dir: 'resources/chaosknoten/router/systemd_networkd/'
+systemd_networkd__global_config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/systemd_networkd_global_config.conf') }}"
+nftables__config: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/router/nftables/nftables.conf') }}"
+ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
+ansible_pull__timer_randomized_delay_sec: 0min
diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml
new file mode 100644
index 00000000..4f06e92a
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/spaceapiccc.sops.yaml
@@ -0,0 +1,215 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:ZQJCVOcc2UTH/3tZRZEZAig2A7Vc/zBBz5IY+gKYMYpIKhLZN9S/OGrRdCc8VbXkN7pmZhzDL531PapI54cmFeCKr2yFJMlfXdE=,iv:1ilb+njcqgYVdownNiMNcAcG/TNpyRnLtAjEUGsCsl0=,tag:Od7kvNn8ZBl1LUnMyFwxpA==,type:str]
+secret__spaceapiccc__shared_secret: ENC[AES256_GCM,data:0foffl4HF1SeL9rE3g==,iv:GzRTZAmr7zSBs1W+Vhyv6sMGhPnSy/SUZOSO39lzWHk=,tag:8IAS6Lt9vfpsJQwQfcunXg==,type:str]
+secret__spaceapiccc__doku_ccc_de__username: ENC[AES256_GCM,data:fbrZROQz8Fzg/vI=,iv:LaR5UmkS3IhtroJp3C3xNF4ja7IhIiPRzGBHAfQbQGw=,tag:/VCNMKkw5qRbnRNHDnPj/w==,type:str]
+secret__spaceapiccc__doku_ccc_de__password: ENC[AES256_GCM,data:mwkjOjRT7gOv,iv:wBzSeLzSWWe0j3LJesN/wnZ0tmUmXMVkRIBnp00qRhg=,tag:JSsbq1+qs2yA9BM2LouG1w==,type:str]
+sops:
+  age:
+    - recipient: age1mdtnk78aeqnwqadjqje5pfha04wu92d3ecchyqajjmy434kwq98qksq2wa
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCY1Z0Slg4UmpQQUhGKzJX
+        S0ROZ2owdmNVRUFzbDhjWEJpNkxGQnF1RFFVClgrZDlZRDNCbllWeElEWFN4Uy95
+        YXNzUGptcU9adjdJQVphSS9NQ1NaVTQKLS0tIEtQUlIyTURXK2lDbWtmMXU2OWtx
+        TnNtQjVpMUIzZjgzQnZicHV6OXE3ZlUKtChQKJlUmTV42FEpO2S1sTAI2+K/mro+
+        C3cvwiqydpOlbH6tulcP6HSeDVExAAMeDZMfjebg/5cfq7Yfh6xa5Q==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-25T11:18:43Z"
+  mac: ENC[AES256_GCM,data:4s5GiYhU/+kieEGUY9bS5W0MAQ/AUS3TbvLezSypH8Div5HRoM7YfMeqgLq4jC+TjUL9d+ZfusjAmsOEG9PjHbIH051gg8U5TvB38wzmw3RpJxnpDtmiFrRh9QbXl+Fz8V/Oigf6hhXbgu01zZpZY9jy6YLNtUZc6AoqAQh27us=,iv:YUS/vGXcbgQPM1CKcK8YjOH5+KPlzBXcOtx3jmUblqA=,tag:jYzqaMfHv4Tyv2NelSSVvQ==,type:str]
+  pgp:
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAoP0ZuYWL+Z9vrnMN+ISg6/yx8Z3Oq2GufmYMowk/nQ7A
+        wk+xQQcywn7zLCweaTNtNb8CXtAcInnLhXZNRjviOecyAexZdFxcX+SIiT9x32aZ
+        xk2M3Bgnrtf9GQMV9q/mr7fgn+iaILyRjWTQMjUYFGuA5Hu7PNICxZZtA1y6p3G8
+        iBDROt1vZS2M6WorA5n3FGSwCRFUCqWnRsBR+AkR0vjb/0xEmS4YpDZCdsqWVITq
+        fBxDZntznqQpmlTH9AxJV48QlfYMLAYFV7seHxp5VSjgDxaPJD4QIiNZMOylRa/y
+        9hx1S5VN8KIfT9eW5piOeyNikE3Wv7hdwd4zOQ/ObESADh/QWFN582Smk+fxf76Q
+        /KlP7BM8JW7afjkvTHXg7cvc1qo9+GilWcWX9pK04v9bZtXTbO6H+uOhydlSmtUe
+        FGoHgQsMi52S4vHTFF1A8o76pvpQAIYNC2Zif2zZYq9ERvbLeAcgoIoo7bQihttc
+        lY8ZOqxQj9KbkFNbyLTlyekebNhfa512XjJij14YkYUVU2Y65kxtimZ3WpwKvLO2
+        JcDWHOJduhUC+21TGTq6QFo1LNhpowyC447eybi8T0/WxMCBms/fhW+m4Mkt4bRi
+        ByjgQe8makgLqw2/EUlFl1qyF4zU0zjn+97pISvg0YBfQYhPIb5k8AWWkUF4mHHU
+        aAEJAhDMVlvoC4bopmVlgoCrCejX5wb+ULW9hle6S69440PVK4uN94Ral+NSH99o
+        CU4gmqngD9N6sw8SBp8lFFUzjhoqfcNwJ9cv8T9PIPgHLriPnRqwPsy4dHSYSsv1
+        wWY4KUeOqk6Y
+        =Wm7O
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAh2b51c4cFL0wOPTuQtxjthkEZGVv0sQC19PiDOWAy/zi
+        457Ix+QPA31Wmun4uGQF8E+vJC9StDXvOuEku2639wK7Gx8UVHSJM+QhFt+f9tiI
+        df5mVRPz4R1tVMU6P/f2rTOqqQyugR2pi3wCcwntnZplEuL/Gxw2SI4gGAq9B1Kb
+        FVVdMkJOxhx33QWFhIEOqLLfMU+gdvGPtRaDPkMA5KJD5FDO0xYzgd+5j6wKLsdb
+        rY7MVvaP3HWbmsMOpJD+8zo3ONBeaG3OwdhhF8KgbHxGP/49r25WwI5YWqXI44K9
+        xIQvtBJFTLaisO3q5rTOZgqKEvWAAX3e82cY3tCUG4aDyKEeF8dOqQ9GbI+KWaKh
+        kqTFDz3gh9sWI3Ex2/JHxq4xGJE433x4ArxHgSmXxfKWfc9zhiDuhtE1GBfEWP8t
+        a+07FWvsG8TCbS8pzFu40z/6we2O/VGXnZBa+vlc/9YPyLBN+zmAH3+jfhgYzV22
+        oF0HPQTzLdd6FoUx771ETTOqDgwg2H8Lqv+cC5MjPgxUPyScP4G7t0r9TMSydxFv
+        85Yo7ZWiBjo5TgdiU7agCCLKYct1C1R+9M20uRyrttDBhrVSjDlsIKmuStIdI7jk
+        k/PPLjxUKf5osTw8KKsSLvHTxt0G+rRzt38HgOCsOPBSoE6zlMTn79rgy+Ipm7fS
+        XgHPPTT78/y2Xvx3QGx9C2X9YqPDGhs12uzQ7HdcRlUu3Ay9akrSiV99CKCFb6ZZ
+        lDzOZrWvuWHcOLLqykhK3x8uhieMmwsM5WCNopr1j7i74b8UlVCmItXFXCaTRqg=
+        =ytkN
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAA7Wenq30iYLUH7qTgwPJyIyPz0blUzqEpEeDyVjfLVxee
+        VzXUfrxL8ybD+1JNISQNogDRP+gi4Sa/kTwAwEudqg9nv8DTff2l+Ge7YRifTgoO
+        tK1yjPKpl/iH33s2tIRRPI9DJ38NKtIN7pFrZ9Icyinyx8O+Tx0U/rVOs+4I4i0K
+        eIhsjG2tD6z5AvDkTqJ70S16LWdlr+hrHfEFmZ9NDbesoVj6YlDjx8yXr6UAdBAd
+        nx4aVjy2vygBJFZHN3iqitD6pnBvFC6QM1SZTRfe1l0lb1NXiVbT42ir7hsQ1/Di
+        MKRw/GuD+5jwHWLAzFbmMeirLY1hw418AzMPmCUqg3xJxmm53v4abD/j6cnHaM8h
+        vkSEsO9iA9exDjM9RPqS5GXCGx3E2MdBzgBMZIdvRmEV8G7FTqBZAJZsElAA/wTl
+        WhCEB3iDqdTSuDUnEj2FHIrUGNG4IDKOm9mIexqkpdvF6ByXYHeOAVbeb0ByJmgO
+        3QIYGsOYiWW2Uq1OCT2F+sP9ogn2GxInfMgPK7shFcUiXUbUKSnfBh4b5DbKPcJJ
+        wFtuJA4NbWgXbDPn0k2Lwbv33tMVuwQBRbCjseXD5JYUA+wEbNg341oNEl7gIBCp
+        oNyNJ0y2rkp8rxvf5mYLjk6VsMs0VO4vgRItg8oi78cZMmSrk2zdCda9yZA+JeHS
+        XgGnSemRkXBLcDcZMa1M178H/YTxispkRvsGyscxn7sjBRUgrFHnWM9j9P0GHtHE
+        RzBflQuBiG60jDb14l0SBEGDAm3Dp1bT5Up8attUJ0+03ta6E4G6iAR+fMXiBJA=
+        =LEoh
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ/7Be0MaQ6HSb4N2DW+z2ALOuKSljRhSHLiLXt6bmhot+2Z
+        RRMsfsPGHWwDFzy5WWL6117ViPsxdFy88ZC8IhfT2ysf9d7IsNqBAj/W/a1kUXBg
+        b3PLPGXT3yHRitmRA0PxBWjmKBHuiKJgpj2AvKPBqmpJOpyWU8Yr0yu+fdPgHHmO
+        9gMPwmoeDKCuVUQMtg78cxx3b9v3WzBXbx+VuhPepVPPUr7/iTWYnLWy8+s55hOV
+        A6qQS8f6JH9rhS7dqoSCMQ3wrqkSVzXhluhjfUXa/FW/EVp0g1r+lLMXHARA1Gtp
+        EGQS2SfwDB95xl6uLfqKblezzxt52yPvGp+hisAhgkCyoLonhL27fMTmtZ0+q9RX
+        FJoT2pPNTSP/zoLxfEJzsa9MgTCDKQL55215hTGHS2I/2ZeDtfINyc+/4LE/AhSc
+        4OOdPSbgG7bIPkCepphBAccjbCVmPOQqaEOk5C9TfLbZREEBv0mQA7pzWVIsa6Gc
+        xep0qJGMSmRT5rmqs9pFFISAx57H7w91cRaEtwtGkg9/90+wTW2kIvnHMLXV/T6z
+        wxVG4RHn7eXlDdh9oz0ncpA1uh2A4fvEJN5dAbQHawiAUaOokm8cmv42LQ1zTF0x
+        4EcZPQ1VAFzKsZE7/3TnCWoLPOUSNSOG+uJm2Gaps8P1DzIfgUAcSybaB+3cbGjS
+        XgEVALzLzyRrFB48McT/fU4l0dMiQ49OdFmWm5oWgOWDCCrHBomxPmWRQ5cUzVSV
+        wvgo/MrfGVOLrwinfeu/izoy9U0LxFcJtqiVLyxtUTARDlDcjv6OYWoRzvb0DzA=
+        =KudR
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAlSeQVBNgJ8WxD85XYmcCHmlNXIyIkAJPEu0coBpNpVQw
+        mGZKY6j0WkQSmHdCVAeh8/z6LOEgXMphP2jn0ZpZHiMu3FGNJJtWFloRKxOvOxr5
+        0l4BXq0oVpIYhcxeVxS1prF1F2EJf/OuRX8Zz9ngZuL7UlMoToBYHksPMaBfLlKB
+        iFcXPURafpmhvWpRaqD9CRqM3XRagm1nYPS6Zg8Yae9cfSmU7UnYMtJZwdMmJ+x4
+        =gfNC
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQILAxjNhCKPP69fAQ/4mdGngFM8WhiX5P5RFo679yRMp5iHtiPqD0V1dE1byyje
+        d7WzceQwOYfYq/UEEw2ruiqIPhUjHlzB/GQ6wqFbj0+1tm7+/X2B42tO7vkO9gQf
+        2mvG0gCGB1iykMnfARQ6EH1s90oAHCBcPFamjBZ3oawS0sI34aSInQGqLl7Ss+O+
+        UgoOc2fbhYmRriZW7Elyx+8DuQg4RZ6/oPs18mtwQdLfKB8dwrt1TQrJvBx7iPh4
+        RQWrRf3id+C8EeysmWPtMotukh1FgvBtBFEXIL66wntJTDC65AlNU1c2xkgUTATI
+        rA6ucSoyROTGDOTAWhBdwA+yV9Tf2zw5hzu8G2vT1nFLU+DFQiuQWj6TNn1s5xzc
+        63bQ9bFzY/0pKKB2T1TLdeU6xoSt9QoJukagFS86Tgh3NcoMi69dFSSlchldgeX2
+        wiJwpUjl8DgeJFEXcQES1vbn+MNJHYZHSSAcZecQX5rauSj6EmTFTXxYg7Vp98D9
+        S4lVnXl6P7OByxqRJyQUzBmSD21KYeVXs6O4hY4cAxKx+pXYXqlGMmSpQi4SqJKF
+        xyD0f7Iz1FjB1u3dpcJmf5/71wLkZWc9smKfJICLaFZzYKfbfrF32xbAPGRuTq50
+        Fv5d3R1YJKA9afQUI3HT0PpCEOnsI44WPqgnoOPHyT032gruZt9geL7yM1sRj9Je
+        AfCwLc18oeiRWhnZLw/K1YMTnDACVhMMRufyoE7MEEixsV3xhuG54+5FIufERSO3
+        aW2vmDt65mLjqGVcepqbEz/Ip4hfGeMOnPfNbNil79Hc6TV1SzTcPnem40QPAA==
+        =7Qbv
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ//QizKfdVMoIVzretcwqPNQPhXnKYbHNI/AHhpsK2AeOFw
+        N2pP+8itgzpoJ+l3qYc1s7HnUYqN69cVXNOkuB9+EKUmEoubj9oLJEJQdfr1apux
+        wrqgvIfeXuQZWp4E4aI/02ndyWzzedfVV3/qf+JC0ZColccmKFReSsMedz7dOmWK
+        BM2bieM1PajS65leCAO2VVFTrwayKiHWpURMUY8HvrMk8N6GQkXqe1XDdxXNJqFr
+        irXgWtBaKbl/KJgrxnT9HwlH9YkCebsyCi2sZKmJEqyIi78SOrhmWzeoTs5Mgg/M
+        EqZLWrGhOOD2/ineOxiDhFPOEDVjgoprghxei2Ef0i9pYITJmGMuB76KayMW3nbY
+        mEJgASKsWFN10zTiZK5DjxJoDEq4fyqtzFhYhRenwcvZqiklr2JudSzBWkKfx4Y/
+        TOoLwwn93TQDLoIIEsOlLaWMBxm3LsAe4MAr2k9/gAkGGMzeOiTRISHJeFtaNRPe
+        xPv2hJBKqAJJkWu5nlcn5FEtAqdG8hPRPqEZWDyWRmQDlk0Rx286UFIS+BKSfwvo
+        Ak52YxruVlkwxn4lRJ8yCrIneZocLFlBgTNoqbr0uYSHkg6XHwzniN+qGRHxjrm8
+        hDYcnVeAnLCDGEwPpMcx7KYVtLeEcr2Tm5btAlHugpQ1pNrUuZ3Lf47AdneMSY7S
+        XgE32gbAcEaZVQRl1fnehRIwqqNIuFDxjhFpDYpvX1Rep2NEUtEaxd50aqMh3PKm
+        XE6ZBkKbhSylRnOs8dgVZK3nqEe1xDsdcx5hFAoyyhs1QhWVT/MHUtfuB2PBcjo=
+        =T4dN
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ//SZac3kFkPkHZ4CveGECwnJLKA/UJO/XoV44mjiQDtY4Q
+        tFJ+YauR7GHK3CYMvpx8uWejiW6PzMkuqVuKwk5QMBsRA7q/6SmQeLUNNIPx8AAm
+        s1Lo1Cdjv5Ku8AnR7gAJ9w3O+qM635xo7zgtvEv5qJuPrwbqy8kstvS2fnxg9Zb3
+        Dl4J+Wp1kRs8hHsFIkECKPqKNB0LfP57s63Vwd5tI2TltDMlMkvKvjgsQSPhUqQl
+        z0AIPT+zON37P4EW5buJ5NKvojYZ/QyzoqJ+Zb+2jn3uyMRDo4lqaT+uiVDcmB6w
+        jg2yBGKgU5XGAU5NyCSldBGW3yQfNHAEjTPHWIvcplfUOUQ2mKIV31c3ci8cBWa5
+        zfA4K2UOFPSHSraohaT770Ani/qvm5XH9HvAA2HOI50LuIh4t8cWGocbW1f5PfvZ
+        gMIuA27UfWWD10tz+J3qvz2RGcfBPV+3BS8BJUh2SRC80ba8nDM/VSuQUkxQA1go
+        AHogKohH7v5vIPEN6ggRxZ3yCroQ3zfdABekrP8sfKXU652/vhw5MFPtqp8ow5hU
+        uJ3S3lCoKQCKE8tc+288WuJXIGaYG4LKhaVlFWFqQDib+0jfm8RfwqqxV5vis7np
+        mbPMIyl/MTAeevsQC2yqbHeZ+nDXhrb8b4lfWCnn5jpNwZFpP+RZpJT6XxFbONTS
+        XgGQowdDlIEa1Hs1klR8lPOScW3VyhWbTyfWkhg4cI6js21/0MMsC22myhjxjZKU
+        rCn8k0mgZw+HyB9qfm3eM4fYXHs+CXQM22eBQK+IK2VvzT9jbpSBIoJEDW0B47c=
+        =PbAZ
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdArbiHTkrjSYBSPIIgSNnEoAWkU43Zn8/6rtksEivhPVgw
+        ik9/LvTH3VUSS1pDtLNoJq3wfE8aCoGTVXHjCtaEQqp7PJ9c83afZuT0/jSs20vo
+        0l4Bbp+AopvK8wlLakYZM0rbXzJw7LyW7hyA3wSN/gL0MwT8sW6hb08BB3+zRY+f
+        dQGtPMDNZ0aJ8nzJ/WLVxi4GdC3pAWxqw/1AX0SwwMb0PEf9kdYSgnrmYQsqx9KU
+        =Cbzj
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAQKsWq8NPJbW2SBhKhlgkW1gzYnx9baL8spEk1Wv31Asw
+        fuq75JZ/m8yR6+jnchE8ikuWrVQ1IRwyQBB2qlaArrdwnVpkF5HG/ggpDy4l5UYK
+        0lgBhuKG36g1P7G0incMXR+S+UswYQhzm+19LqoB247HvZZoyIT4m0k7XndHBpUw
+        fzQyFTKdwQpmWyQWsbkW/ycvxkKyKcEce6xkga0e8UbB8w1fJ0P6gErz
+        =g5Ck
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T11:17:03Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+AQ//X0eMLW5Con7f2J4S15RwQX/uMc+p0tabrfSYAT8cg1oR
+        X8qyFgBWL4EK/VAcgS+Loe6cOCO8pDv7R81nn18wg2D6hVN3BOcotgLtLpqWEdMz
+        FguVIc++/Nh5+s+H1oDxqfwO6LbcuewBvvNS9xvBUtHBMuoAGVO0mUu7jpxrg+4k
+        dh2QeA/YWc4hGly/lO6eOhq61arAY4tukqs1K4JRY7z1vZYb2658HamfruLcRP1j
+        kM6yvJ9bgrg3hIEPG48lWX3SATRpKDP4ukyTYMFPN5rePUu67rnkwCvXwvBzWV4v
+        fvjmDZ4U2AD6Ihn5Be3ThZyQivZJPmxBlgit6uQOdu08Q5/S0DDWSS/MnbRnElQt
+        caQMnIcSbwLJfum2/0AS/dcl6f36vOl5t9eiy3nnrgufFEUcAMgJ2bJk8+6nPRli
+        MImBTXLMor97XD4DS+xyQ8NjYzf8XxEDduCzWA/EQborLkkaXj5J9ZmQSKDfv6bb
+        wcGfxt0+JGEPmOuOD/BwZHhEcd6eV8k3cM6k4oQ3k9cMGele+dtSkrlkyFKnnBNV
+        NrZVBE5j62sgnUUgKCesbKPfauETE5Z+R2uvOK5Y0gqjTfaw8hV1YF2q+x2qRWig
+        6NjHheUtjigCgF61OK4x1a5WDJmVeuAe03JnwKYMujN4H5Oi9YMhSX65lX1+fhrU
+        aAEJAhCV01dJAuYksyvp+F5Dx62eKZj7gL/MHL3zHw97WbONvI7ApC3/Q7fkupYm
+        oPfYKQD5ov77V3u+Y8nVOoYM+Hb4thFQdEV01r90g9WUj8LrXvxd08j3GwAnzDMG
+        xU5hdDPzz/jT
+        =zb8A
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0
diff --git a/inventories/chaosknoten/host_vars/spaceapiccc.yaml b/inventories/chaosknoten/host_vars/spaceapiccc.yaml
new file mode 100644
index 00000000..3689be7e
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/spaceapiccc.yaml
@@ -0,0 +1,15 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2') }}"
+docker_compose__build: never
+docker_compose__pull: never
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "spaceapi.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+nginx__version_spec: ""
+nginx__configurations:
+  - name: spaceapi.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index b9e6358b..395b154f 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -1,31 +1,31 @@
 all:
   hosts:
     ccchoir:
-      ansible_host: ccchoir-intern.hamburg.ccc.de
+      ansible_host: ccchoir.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     chaosknoten:
       ansible_host: chaosknoten.hamburg.ccc.de
     cloud:
-      ansible_host: cloud-intern.hamburg.ccc.de
+      ansible_host: cloud.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     eh22-wiki:
-      ansible_host: eh22-wiki-intern.hamburg.ccc.de
+      ansible_host: eh22-wiki.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     grafana:
-      ansible_host: grafana-intern.hamburg.ccc.de
+      ansible_host: grafana.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     tickets:
-      ansible_host: tickets-intern.hamburg.ccc.de
+      ansible_host: tickets.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     keycloak:
-      ansible_host: keycloak-intern.hamburg.ccc.de
+      ansible_host: keycloak.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     lists:
       ansible_host: lists.hamburg.ccc.de
       ansible_user: chaos
@@ -33,49 +33,61 @@ all:
       ansible_host: mumble.hamburg.ccc.de
       ansible_user: chaos
     netbox:
-      ansible_host: netbox-intern.hamburg.ccc.de
+      ansible_host: netbox.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     onlyoffice:
-      ansible_host: onlyoffice-intern.hamburg.ccc.de
+      ansible_host: onlyoffice.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     pad:
-      ansible_host: pad-intern.hamburg.ccc.de
+      ansible_host: pad.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     pretalx:
-      ansible_host: pretalx-intern.hamburg.ccc.de
+      ansible_host: pretalx.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     public-reverse-proxy:
       ansible_host: public-reverse-proxy.hamburg.ccc.de
       ansible_user: chaos
+    router:
+      ansible_host: router.hamburg.ccc.de
+      ansible_user: chaos
     wiki:
-      ansible_host: wiki-intern.hamburg.ccc.de
+      ansible_host: wiki.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     zammad:
-      ansible_host: zammad-intern.hamburg.ccc.de
+      ansible_host: zammad.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     ntfy:
-      ansible_host: ntfy-intern.hamburg.ccc.de
+      ansible_host: ntfy.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     sunders:
-      ansible_host: sunders-intern.hamburg.ccc.de
+      ansible_host: sunders.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
     renovate:
-      ansible_host: renovate-intern.hamburg.ccc.de
+      ansible_host: renovate.hosts.hamburg.ccc.de
       ansible_user: chaos
-      ansible_ssh_common_args: -J ssh://chaos@public-reverse-proxy.hamburg.ccc.de
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+    spaceapiccc:
+      ansible_host: spaceapiccc.hosts.hamburg.ccc.de
+      ansible_user: chaos
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+    acmedns:
+      ansible_host: acmedns.hosts.hamburg.ccc.de
+      ansible_user: chaos
+      ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
 hypervisors:
   hosts:
     chaosknoten:
 base_config_hosts:
   hosts:
+    acmedns:
     ccchoir:
     cloud:
     eh22-wiki:
@@ -88,14 +100,23 @@ base_config_hosts:
     pad:
     pretalx:
     public-reverse-proxy:
+    router:
     tickets:
     wiki:
     zammad:
     ntfy:
     sunders:
     renovate:
-docker_compose_hosts:
+    spaceapiccc:
+systemd_networkd_hosts:
   hosts:
+    router:
+nftables_hosts:
+  hosts:
+    router:
+docker_compose_hosts:
+  hosts: 
+    acmedns:
     ccchoir:
     grafana:
     tickets:
@@ -107,11 +128,13 @@ docker_compose_hosts:
     zammad:
     ntfy:
     sunders:
+    spaceapiccc:
 nextcloud_hosts:
   hosts:
     cloud:
 nginx_hosts:
   hosts:
+    acmedns:
     ccchoir:
     eh22-wiki:
     grafana:
@@ -128,11 +151,13 @@ nginx_hosts:
     zammad:
     ntfy:
     sunders:
+    spaceapiccc:
 public_reverse_proxy_hosts:
   hosts:
     public-reverse-proxy:
 certbot_hosts:
   hosts:
+    acmedns:
     ccchoir:
     eh22-wiki:
     grafana:
@@ -148,11 +173,11 @@ certbot_hosts:
     zammad:
     ntfy:
     sunders:
-prometheus_node_exporter_hosts:
+    spaceapiccc:
+alloy_hosts:
   hosts:
     ccchoir:
     eh22-wiki:
-    tickets:
     keycloak:
     netbox:
     onlyoffice:
@@ -160,6 +185,15 @@ prometheus_node_exporter_hosts:
     pretalx:
     wiki:
     zammad:
+    grafana:
+    ntfy:
+    tickets:
+    renovate:
+    cloud:
+    public-reverse-proxy:
+    router:
+    sunders:
+    spaceapiccc:
 infrastructure_authorized_keys_hosts:
   hosts:
     ccchoir:
@@ -173,11 +207,13 @@ infrastructure_authorized_keys_hosts:
     pad:
     pretalx:
     public-reverse-proxy:
+    router:
     wiki:
     zammad:
     ntfy:
     sunders:
     renovate:
+    spaceapiccc:
 wiki_hosts:
   hosts:
     eh22-wiki:
@@ -188,10 +224,6 @@ netbox_hosts:
 proxmox_vm_template_hosts:
   hosts:
     chaosknoten:
-alloy_hosts:
-  hosts:
-    grafana:
-    ntfy:
 ansible_pull_hosts:
   hosts:
     netbox:
@@ -212,6 +244,7 @@ ansible_pull_hosts:
     public-reverse-proxy:
     zammad:
     ntfy:
+    spaceapiccc:
 msmtp_hosts:
   hosts:
 renovate_hosts:
diff --git a/inventories/external/group_vars/all.sops.yaml b/inventories/external/group_vars/all.sops.yaml
new file mode 100644
index 00000000..06eeb17c
--- /dev/null
+++ b/inventories/external/group_vars/all.sops.yaml
@@ -0,0 +1,210 @@
+msmtp__smtp_password: ENC[AES256_GCM,data:0vb2d0BMSiG4DLwNeKk52/kGYM9rQpfRrtYiarbyVW9YOP/WIdpwesUZuad+o6XSODkAGqnU2RQZFs1h,iv:a/LwVf+tQKviYR4mIoSDiEgmsVyCl2v1vWXVFQkn6M4=,tag:bNf+N1bTIk8ppMEabcC6jg==,type:str]
+sops:
+  age:
+    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkL1F2VVhGTGZ3QWlrZi8w
+        c2JVMVlnNGVHdUxJQVRZeDBlSkJjR3V4NHowCmdQVVJRVEZlWWVHZjdSYzRlcnRN
+        clVuRU1rRXdDSUJ6Tk4rajl1R3U3YzAKLS0tIFg0QXBieXdjYmRab2duckNsNWRQ
+        aGdmdDcwY3RPc28waGt0cm1salpNRkkK+X6LF1lCpxIS8P8nEUE7t3VxB817jm4Y
+        mXjKqdaM39MR3CyXWq8bVQ/QRxg1xA6MV7mLrQpJCSpr6uDJD84iJQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-01-15T21:28:28Z"
+  mac: ENC[AES256_GCM,data:Z9uyXhnckrVJ0LZM1aT8cSUZCPdQ0ufBC1HYxpzAGb6FS/p3Jni5tFfgijaCT3/T3yDGiV1zQqoSDLwjd48UaMjCtJYCUCAiVo7i4YJ3+aZfS87b4h4VsOFlTLFlBklNYxHd4pcPFl5X9fZGdD10Tvmtm6TlJ33Ma7gmuFs3Og4=,iv:tNeG2I9qNAgzbGwxTbCrrN7KorCneJtFildGvtPVX88=,tag:e0rXgetLFenA3zNBNe631A==,type:str]
+  pgp:
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtARAAlJ6HHQZKe3t86f1Y/DsKmO4f+xaMRd9mw9sNlxvmuX3I
+        b8Tvyl1abbJSEf+6SV3SXxlu+05DZEzerMQHdSNHCpO6oSMBH/fEBbtJh3mxYzwY
+        /fS09/CPpq1HYcaOUEB8YHKGDY7okN8ZCHYFF2fWmWsPNLq38nmtCQY3lKPdhKDu
+        Jg8w+9XT/kHJEjQRPjlJG0iRk90cMMBLaR5ToJVzpM3rOSkK/dFALP9PUGhjDVT/
+        e27KW0OQERCxoc401DXFPJg5xrGMJaDpMlDxm+kzNC2/rt/OhhFd1pqMEMGHwZ8B
+        inHjCL8SNy4w3jKs3xvpE38vEUmKgbHavjjd4j8PU/z8PnIAKBCZClTbBARevMYw
+        P1qgwbAXEv0LwN6/Eu4mN6ogbREFk671PTabJ1O9zWFZBPKSOWVjvs6ka/5nRdow
+        RMobY/t6FDOe1i4eQM90QKyTcyBzyFZCl3piBKDvpG9tTEVHriX4bTXNtnGw3h1W
+        XoMUz27G0IZmKZRcYFkqSNPeg3yLXBgsL6by+euw/OwOXuxcR3G/5HpiO4XgWdDn
+        gYvOGvVa4WbG3yASWPJNJZ6ivtLhAgts44ClMIk5mjDgHz0yL2iwx93g6bUzmswV
+        HcpCLSy7wm5XNl4l5p4l90iy6/K32Zp0a7ftobA7U7VyeWfPalE3IYE3s6b+1gTS
+        XAFWL49B69eVA4YJ/iRSZcfqEPMkKzQUplODPUfaHHtLRwR7BhpFX/u3lly/YNQH
+        tCN+vKShpC2PM/Jw8+UxDZXoXNiGCtTIDFq5+VaifkYsEAIVqEFv5noY95/a
+        =Xw0f
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAqcJfa4paWWvQxKnNQT230iT2iRCCskzkzrG9z9rnSbR+
+        U4BO0QVcKZ06+4/WatZC6HuxIPyajAQthNsmMMBr83OFiT8FPHnOOGHc9lemO0/L
+        eshneJhJ7LeYUh3dOeN5lVwCQuw2Hy4MXmKJgdt2Nr5dXmRD8ypKxD/i5Nc4nkXW
+        TY61C/Q9QJF+HZG4toHt+zq+ROjdsTbIhNceRWnt4mIGvqIzhRwk65o5WILbCFQc
+        OL7R+JyyqouN579tO1O6bRT594ufnyQ6oxLRDQqKMdTHYwWijRuA/FyzieuYGbmo
+        b7e6tZeJzlm3H8sSz1WwAD6RoA/O3yyCw1gL9UWFLSfF7iwEKmr+oSN+mEUPJdhR
+        8zZqSQUH3n59IVNdD4UyJB/I5AHmGW6QV3ZF42lwmmstIoY3uDzgf3US+ZvPPsem
+        Scg3PIDSxg+SV9G/53TJM+Og7V2XAA02EWIemiIaJZ7rPiySq1RmQOjnx4ZX+ORk
+        +PDF0gDpA10sTPXQM5NoN8YSilIV1VENjUnESfo+36BlCepmbC88Yr6oexIK2xoq
+        5SnDYNOkVClYcEV6/URo0zr6Eh6+pWaK1MqruyZpRrZFbribK+5t65eIq0fc8oNb
+        ip7VfArpcpYINfL1GuWoFMI0Uj/IMevlN64Ci/Ub9NddCWCQy5WF7u8lAVNMoVbS
+        XAE70ICHJqH9SqHe/dchwYcsLIPwX7r2KoaI23XkK7iROX1NL6LC2nISh/Y5P+X7
+        RX5sBhgiaSwY8L6QseSQzyqTmwxCaq7e/f/+grSUYKmf1FSJe+VxGsJ6Ji0u
+        =k6m5
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJARAAzD/3ycZW/qMLjjSG2T/7378ogylYenCyV5r97m7//MTJ
+        z2jCtWiAPDkiuDDfcqt5LxthPxCr3A/WSTaSsfZQ/zWedQlm/U/RBMEs30DBIUQr
+        AIckqIrJUrgPEo8A0/SnCBNS116BVspI+9n/u7PBPVb70JX3j4Xp3dRGrEYHVpwX
+        EGSk4GirHwutIRE6xP9fnvQxyK64jYTDCfo4t6cIUf2/we0LyK+fU4zrm6wRffzd
+        txiEu4YXvsGbxWeAV3/7/BRo2HJBc/Xqb7mzTnfScltC7hiRD2McmFJs1Hfv0Lg3
+        CGaMOJ5w6Gk8Q+9pgg6R2MQu8DZA7PILm51Bc98ZdiVwg0i8l24ndswUx9+WIWeX
+        AeOxvIVvF0XtQK/JJAkoyoVssIQSFI1OjTDnSHWjFw0Vgev8hRzwqS6HKJUfCrnt
+        KeuGuUOa9QBf3bnbIINyL8QEj9/cnNDCQGoXSZIqPXUs7tIqcLgNryGVnrEn4dDf
+        53Tudml438QRgzV1d87jEKSmUBtqzUDRNQdZqNbzOdaCQaQgkgZlQvWQtbZNMSdQ
+        iQ+v3Hz7pI4yKHhqxXrWrxPwC3KdGTA5qymUS1d1G0BwOWSr+cU6xJBeSqRc6fZn
+        Q8rBKS/gL2Lm3BAVhHBVWGwtbdBhV5ZL/bdT436pJd5ku3cWFTuiMY2SEC1ZvNXS
+        XAFb+jgjB5XzlRZhRosWl1X/qyWO4GXN4aypi14eAQDsbCjGnFZh6utoV3rNmNFX
+        OJ3kRhyHmF+gbp/e0YRq/BnWu+5uzTZQso4fzepgjui+rF/qk/2Oe1nODtM0
+        =seAB
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ/+J9MXLZrMucsbcgdZ/yflnA7Ai2WynSZ9NEzLX24NybGZ
+        ynq9daa+61w5S5thnEV1Be4YEyFXIXfD0bs9KEO2kv41HUySD9FR5QXXSiad5Ij7
+        vPzZMMwjCfNg/JvGQ9p4h2Syc5LYtJ+4BNnl52zjKCJdp1scJqAist3aWbaHoCAh
+        GiJCjv/02NP25WoVShw9pNvvYPEhtPbvO1j3bnvUARXT8IzhblNbfntDwPb+fK4R
+        ksMBIvAN1171l530s0zPzzkJTkxRBohyCixvtgZKoEnYeUAAHk5Clah6GrLGErvA
+        q0XUAEridgDwe4xG+WpzFWwTaGzQPBLR5NPqtph13/02CdaABctbr80WQPoch5vN
+        F1BnObne8ZE+do30v0KYNTkFKhK5ek+w4RS/1rlBEgQMaNyGHsjUtoO1/6JfFXyT
+        968gsga/YR/shZwLaxLQePi5qTcvUzGNgNvFLjy4sRlbWiNCrtZo0JpMmRc1YTXb
+        Tq7KhivgEB3gCYLdzWTCeYw3aZXsTFUFM8MpH0BMABpfpNCdiDrd+RZmgDa2KShH
+        RlpqvN1cXPVY4niGqb0TjQJGbmCrMfSbEXCCYLMP+T+jH+MUs0Br4IVcuXIV9EWM
+        WrYY/r2tCblU9DaVbgzLlIIu/2BtKV0/Iu4KLV2vWBocLPNlKnbhS8NxnIf1eHbS
+        XAFxlY0r1uOCI7d55ZRpih3NnccBWYKmxs/WZavFdooPcRS6QKV6d2ByZtjqlO0T
+        X8xmDpyoxkNahauxi3Vw4o78HyxEqQz2u0HNBJlFC6iFQJnylkOyitIyNCTt
+        =t5WG
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdArBEh0/AnTDRmDT2r74ejRgmbbZpWjVBmvC7mgFdEq0gw
+        OdEsqFl/ihieW3XkAC0UWxUhacc03Vq3FTY4Fpj7eQTQdfDdn8X10YQcH94XGLxu
+        0lwBvUseBCslA8gjyzFEtFp4TnDEi2JZV3nhfQg8SxrYIQ2Uo6vlsTzvYBvikwaD
+        kLu7fV7lxV09qoROlSpXVm6II6sIk0nmiajb49HM15md3ZElulGZf7A+6d86Wg==
+        =8Qs3
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/7B2zWxGFqZr98hAyQwNaXp+/T534xRU63dXkYV15EL9q2
+        SlmbEWhl5iVwWoZHl3r7yqy4zXZJkH0XX7g/MlwMTHIu/Sslvb+9ME+QmpI26Awm
+        +0pQN6gZXEhQ4RFtDMSc3PIZYgaJ5AdEk1p/nMwYsQ17Gu6RZeuSL/5b4oXEsIwB
+        nc8kqskd846KDspSoa4HprP3QUyfwChy5+d3/S/SMak/iY97UgYm3iyHXWr+sbAm
+        ykXGQo6Y/QpSiBBc9Z8hyekBQBjiftTpH5T/nzSn5O1p2G56NqK837SZj8CgyanH
+        xOIy1JZYbSfYiEzqXVSj7KGs3aNFFUi9H+Fy+wzDaOWeEYt76koTWZnutOg+JwCP
+        2N5DiDOhoYGygh5aO+dAIoGLQufoTDrlMO9FWnNXXCPIwCUoyH5daiMyn7G9jfwv
+        4rTkXe2mHXXkoNCDHzjNcAEpndpczdUO0CbDNyOuaZzyEYWObJMOdBP0+fmwhaRP
+        AWd0OSbUUkl6RTI7R9l+3wBC0A/be7kOvqvTru0RSZaY4Ba7zokZaNJsoUTvjjL5
+        fjT5MhV/93wEvaHNmGy+IiXipS7ItTmW0xckaFkEbQUbw9p+9UZMxNqF3l5pw8hV
+        J5tTo+rlHda5KBDpTEEz3vUK7MgbgAzzERqqDaUqzWTJy4KeOjYCUfvNyQiT7m3S
+        XAFxCx0poAo6GCoNMhjyQT00iBfpjvUhDrWSHezKW/J/U+Z+TkcICC3Orsxy35uD
+        QtOZIayVIF5scDAIQa31zETB/Jjaq7YeUZvTzUv7Shhq+sJhVUQ7iUEVEXZn
+        =NJUn
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoARAAsc5cxMwr0YCwJq1j5EcQ2AF2LvyxH4dvwuCkyrqxuV33
+        rTxOt40kqHcatZgHLfHt1qvfR/lGisUyvvtJ7Gdw/MEzunqwux6cKisRoyTB0dSU
+        b0DBQdNAxujVuBng6v2aoZDXAZNZ9I0epuGnBRcq2+FRAWjRH3YtwuRuChd/VtqB
+        VJJjUJDczermc0kvdrZ6AZ8bSemOIFOYWfZ1iw7qXMiuIXKJqY23KzWSpYC3F9S6
+        z1XKviqJlWcb7VyCA7LDLfjYCAb6/yvj1mB0+fxYJJps6DWsbxvoZWF5mdh5f4oc
+        y74XZehQZTHp4JMs0uSdsuMV3w8zMGUXvFPEJXB1mvPlYAsyjwusf2fqeAJk3JZk
+        pPF/hkwR+LpbVNKk9KbauQLkt+p6E5YWDir1pzeIN6rsl0Carau0TRT9EEn04f/6
+        DL1nF7crXl+7KTgEOt+ih4VuHpXz9lrboUD/WnUpjVu6XwmMH4wrxJggTq+tJzdS
+        55PAZ0qiTGwnxtOn8NGa+01JGcrmtLnfwRUGUO6xxpyy4AtcyyHwEvBSjKRlBvV2
+        Yx6v6l6OlpBdYdlKjEeOLPnQqn+iRolQtUTWWk1Hu/a2sfJjZPMpXNSKbgN9tMOS
+        2zGLe8OOU1M9V9ESdD6He49GRCWNXD00Yv+IUdqFuY7laqxBQCcyIthGA2wfLITS
+        XAGKF54TE7VkuCQ2vw0HZG4TgQtmw7W/hBMcbSatGwFwyPSs2+9wsJFmJUniArCZ
+        e7RUz4C1MIFP97ZSFtfLd8tsIO0zTyK9fRAOUwh8wdAZhvS9Fv5/Mwmctj9h
+        =gUj7
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ/8CKPe91CQYybuRlIb4bRl3sZ2nXYw0OS2p8NYo3sawcsw
+        YFwgwT4GHMAMviZ3U/Dm1VVtUEH0dSZ/tYoPFE0pCOLWYrVjqLY69uM23ZHV1IX4
+        W7A+jzNTv3ODj/lc/azjgBcBVZpSxgAQG2wiyX1Dq4Lx5cpOCYQm4KYp9hD6ddly
+        m6zk8vH3MBRvPAlacg3C6PSy1PV7sTgBZMBIE3DY/HIjv4nzV3/itIPZcf27dYTl
+        AEjiI6eGH6sUWTFRF5mCP4sRycaU2g8iZ471nZdHe7PpldginWJEN9SD06oewZJB
+        QjvXpVNjVu+RQ/hOl5LwIllAAkk0ghK2bRsh7gVB5b5Kjv+mKKNe8yjKxKcpZuVW
+        fUEaRpyILTCwe6aFnmUa6vUtpgU2QRKzv2ycqO1FGil1yZJ/RPVCc0RQoLSpZRsT
+        XvrZzw/OVfLespNRPcC/PTvNwhIhBYyIDvEAgQOnEnRCGoijnPAOE4Z5zA6Rtxfw
+        Kxw+E5s+xV1ff+qo5Dm0J/LyC90FR3vstzSkM5n2HEy5OkbACi9CiLRaIiYxlDfv
+        v5H3Gc0hdVRELkK1T9ND3I2RAyJVdDq0WvxjWRIfdRULLsk86pFoFjus0acx3ukt
+        zotRh1wI1o319j517B06v+Jn49bLx81ipeHfsiz69P0sDSRKyOcN/i4TA/Tj0OfS
+        XAFfmEOJHnhD1WOlbJO2EiGY3QD9PIV/lipja4lQKv7ROWlIPVtdvgBnaaNYAvUb
+        YLIA3oTcZB43vm5QW3hXsTz2cn/w/JvnuojtD0kKzT643dR5BC3D2XsWpHWV
+        =pL2f
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAxf+RXofQmgst0qgbY34RgfqVKCCYHHH3mbCdGKbfXiQw
+        0307FFijrW2i+wHW/Ugob489EH46zUENkmEjxPcOao+p5TWqOhryWOmj+5K5iKin
+        0lwBDuM+y3AsogL5PAerDRGMIqmUO9AAuRlKJb67O+n31fA0CSlRdYIlR/0IiXk8
+        KmagDpdTyNWD0M8PRohazoKEiB6OrEuLfRiDwyMhyuRtIXRnckwZ8anC2B2cLg==
+        =slU2
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAYTkme6X4+jr7/5qNidpUZjiwQzR9nhJMHU9ALot5mQkw
+        bVYbs+lqddtYRVKLh4jhqFb9WGjC05JMnb8o/OVqgvOV516WqCzg9qmn2JMn5CvL
+        0lYBtBwzrQfqM7RbckekoQcabirca/67RzCAqB9O7Lud85+aQxBR/GB9qE/7FLfp
+        JVT42+KjcKSQBYWS+lyjgfXs7H4WhNYsai8OFn+JzqswG+MpWPQ+Fw==
+        =1DIj
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-15T21:28:06Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAAvoshi1af/mG21B9x8XOtYn2CmsjZCLWYWuhdM+oMe204
+        CJglTK8C8CzuJcXu84IKrdV8nx5Yk0VvtgtSXiKSouDKWeQDHHqhKEsPlc6+FL99
+        e95uzp8ozvODxch4xaBP3FZkbgGgFHDZSF47NIC9AkyyGe4GARq+OvtADUMjpb4R
+        6WXCzqaH976KRMcgH4PXlWIUiYvFJz+6k+chbLfcf+uJxWL02mvPV+ArSbGc1Ns1
+        M2kRYdEPZ4c6FCU6DYaneJp22ywPNgJm3dL8WU7Nn5uv7iYGDyceh3dnGtF0p0jN
+        Mo5TT8MzobIGgD2RtsP4NrufV56+Y4G5oqk9jPMofC8QUeVR1j2GHDfHrls2N/2L
+        vt0VX1wsv7ToAY9bUUNDLutLnwQlpHNP/sacudw0VpYDl55ULa1dLC97qG/4va8G
+        k3wdzqwNwgzIOPDIiQ3P8xkn4RZ9b4SwPNFb9BRqufFaA+neZcNelfpTqsT3WNfm
+        MYdzDQtQdTNi9u0ADsuZ2JIX2uUVsB1ol5Wgw9D5+yksTeC3n89TTmbmt4PYkCZ/
+        3MH3gLGGlPLfc9w/q9JqfQ8idiPgWc6CMO83gGXUWbe0SkDCBY4evyP41s9ojSdF
+        XrkZQycNoardD+co14Se4d5g0oxYfhNUCIYEo2JwLkuE11iMXG1bjt8JB+F514vS
+        XAHzAelcyBaqqwZqKw1OKWz1Vr+hy9S+uOs+8Qg5G/H0nxa7BG+PhUB+O5i8x4Dn
+        96Eq2r2OsVJ3z8YeLcH2FbnVECX+/nj8a4z8yqfpajmoKswOfhp2b2G49aYz
+        =IYeC
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0
diff --git a/inventories/external/group_vars/all.yaml b/inventories/external/group_vars/all.yaml
new file mode 100644
index 00000000..80d3efc2
--- /dev/null
+++ b/inventories/external/group_vars/all.yaml
@@ -0,0 +1,16 @@
+# ansible_pull
+# ansible_pull__age_private_key needs to be defined per host (probably HOST.sops.yaml).
+ansible_pull__repo_url: https://git.hamburg.ccc.de/CCCHH/ansible-infra.git
+ansible_pull__inventory: inventories/external
+ansible_pull__playbook: playbooks/maintenance.yaml
+ansible_pull__timer_on_calendar: "*-*-* 04:30:00 Europe/Berlin"
+ansible_pull__failure_notification_address: noc-notifications@lists.hamburg.ccc.de
+ansible_pull__timer_randomized_delay_sec: 30min
+
+# msmtp
+# msmtp__smtp_password is defined in the all.sops.yaml.
+msmtp__smtp_host: cow.hamburg.ccc.de
+msmtp__smtp_port: 465
+msmtp__smtp_tls_method: smtps
+msmtp__smtp_user: any@external-hosts.hamburg.ccc.de
+msmtp__smtp_from: "{{ inventory_hostname }}@external-hosts.hamburg.ccc.de"
diff --git a/inventories/external/host_vars/status.sops.yaml b/inventories/external/host_vars/status.sops.yaml
new file mode 100644
index 00000000..a67b8a13
--- /dev/null
+++ b/inventories/external/host_vars/status.sops.yaml
@@ -0,0 +1,213 @@
+ansible_pull__age_private_key: ENC[AES256_GCM,data:u0tluAG5YmXTs71/F6RjuTITCrEoJco0K7+o/F7An4OMdOAwJVBvvMCnEaYsKhLhdesnMIoA24oz2j22lKRFgZUNtkF08ZwH9gw=,iv:oqTTeOi8l6ig4vvqOKict5bqxjmiBW+kwlZhbozoCSU=,tag:ZL2wuIczCHguGJIhbY0NuQ==,type:str]
+secret__gatus_db_password: ENC[AES256_GCM,data:fwtdWmXVTA7odBsKnlxH7mKKGtplAt/rQqscFBAxbDky6DNqgk6PP2OsqbIEpnpzs9Yn7Kd2VAxzfJfK,iv:ox/Lm+LlxxRcssOPc++nRp6nVa2DF3/46eEsGzTOBmA=,tag:i1e71Gm01ojHr5pGy0S9rA==,type:str]
+secret__gatus_matrix_access_token: ENC[AES256_GCM,data:adNtFvg2LXwRiNE7mvTZNO1hXxN3qasWZrDEQOGk5mYEVH0t9pglNrM=,iv:30xXR31qmrywLP3M34u6YgsyQY348zVvt9RM4/bGhtY=,tag:vhgpON0IdQ+FS4uQ/0TpsQ==,type:str]
+secret__gatus_acme_dns_update_test_x_api_key: ENC[AES256_GCM,data:rBMHvYT7g+o6Rc+edjikYT2jn4wKnkOJWOMf5Ys1zjKpsRCKEF0PZA==,iv:Tp4ELKMfhxtwaJljW4sMCVgW3KCTL89NfW2/LQTmO1Y=,tag:YMbvE0xgLTYCFXche/mvFA==,type:str]
+sops:
+  age:
+    - recipient: age1yl9ts8k6ceymaxjs72r5puetes5mtuzxuger7qgme9qkagfrm9hqzxx9qr
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Y0Vib1U3ZGpyZTlBNWMx
+        UEtCbnArRzAvZ0o1dmdJL0hSZERTR241RlNrCjZ6QzlJSEFhWk0wazlwRVlDeUlq
+        M0syWDZlc0o2d2NDYmVyUmJpWUdwdzAKLS0tIGR5NUVwMkprRnkxZnI0TmlGUGVk
+        RFl1MnI1K0h2MUhvYk40d2JjbDRaUmMKNlPo1s06hVdxAamKhJy4HhNDX8PKQlq2
+        13PjdTJub64fydGEJng5NigcnNcPo7goGLz5QV7vE+6bO0gNZxBmmw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-02-01T21:17:51Z"
+  mac: ENC[AES256_GCM,data:YO5RoJnkjZeouYJa3ui/cRGLcpSzbs1Ou4D+XU9fZ6ZEc8snmLoN/e8vK91+9qigQECOc/WHHaln4ghYs6wNH+xje4ImCYL92p1RbMPvT8OoS3qu+pTF3sUfQfV/Rju61njNHA7XNAmGCxSiJQxgq2o92aoEB7qKs+AwCFEmTpE=,iv:QrRkSv4novqk3+YCnfFW59df1mvcGONTDO3zCUyXUME=,tag:oBy402SSczs3qyHhBpQqnw==,type:str]
+  pgp:
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/+ORxsmaobaTVCnVlaaTlvG3GRPlL0G1NG18eF3Mra2FU/
+        HSY4/QTu4BjGRzwOlKJt3NBMGlFZucwklIecAl1cCDXPSvIRnwuIsAI8gxNnjmVW
+        w7URAscgfVobWxpLqFhlnQ+8ozMPXW7D0ZDLe4wKPa5wNuE/kdzM5ZCl3NB4q3fi
+        o0C8uSnsTAp8clay/xnTtnJxOsyzyJ29JVsinxAyg64m6AYNa53yNZoy5kL6VIIr
+        dnNx4DtOsxFuNhKuvENePoGjuB68i0NWitsfei3G+GLUp+CbPisrzElM6vsXQ0wT
+        QAu2OpTnrQSv/YWi8Dv+1YXIKu6nOuMc+avQGLsiuZ6hagrvfRTmoQirbx6THDB+
+        97N/ZZUoGVdCtb5BRoBxzl7prwYGXsW+fP7B/PlBBBM5pI/s5jasFMOBfrrlJiDE
+        dyBcE2rjcehmZ0DN0YddZoo1UMYzsn6HEMH+kFp/VD3+y4A47Kk9Ou0d9+Q7ufsf
+        j8ThNihOBrwz8DlvOb5/5HacBFOH5T9b42j6yOmyrlAXnC8sQwFDMDERs7XcVSXT
+        B9SlX6OVZ6/xgG1UjkY5aqYiWkIBUO/9k1OP3OMoZM7WPitIJS0a92u8EASX4zT9
+        cJjyym8oDojsM4+/GWMCHcEA5QVSEFsz5JBONiEJkv9UCYXOWj375SH6WjTHQyPS
+        XgFA0rCYobVrmH4oQ3EzmbqTGwBuejwcDVA++KiUePb6jhK9DGrETHEOzUyOonpI
+        tNfgyohULH3eDRjC/4gR9JDr+UCC2t31Rx5kNmonz4H3KQlgm/5UulKZZfFk6VQ=
+        =HCWY
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ/+Is5OSeCOwUDFocaFiGIpKKicsRkF5WJXcV0eTquCvn3M
+        UeDpYww0CatCOmx0u5/ELzyvr2NhLGwoblLxwwb2HA+dTWRzRiTGZrpGJ3DUwEK6
+        KvqFgrOIDttnSCqrGiPsNBkGP3oIH/WIYXF4SJl5stlnujTOW+wNP8f+9gZspyY4
+        JdDXIGL7cbvzEzionilKbroKgDTNCm/o/ATWnlvsd5qv8lsIVkZlaJqldRR+xXuu
+        RLHz9Mav9NgzzFERA0YY0Z56jpGikoywB7iBCbozXvPO5oY9YcuvdLoXELi3Rimf
+        LoqIyGv/dHepZvIIy/d+E7ltlQHLXdH0LMNyBRartVChR/p0G/YAzXDAgnARJm+J
+        SB7vUPBqFwFpkiIE0bRRDVDYW8VlNZta4V+hxb3iXuVHljuYUrIDh77VW3xNQyi5
+        YfKxO9c9PRhq7sfeBj3iB2qAGoODOU1whdaWXJeNIvYmkQJw81eu2rzHT6NHsbrD
+        CcUGvbVAO7cx8xZxLiT2jZlbeRrTM68Uq8zC0ujzHavrLUWvCcAcFdk8Un8UJbaF
+        W4B5La8ZAQUg0HwDavrOEXFbbdkuMT0BIMIxysxrcetqMdRcMjQlbjHz7RuROp4q
+        melLD0F7L8cXAafDRXXkTTpDmaLN8s9v2j953/RzY7lS1FPQMTduWbn4Pg75HrbS
+        XgEWsmhgtxSNSgtg/c+VyS9VAykAaP0J4mVWUJZtpw3T8wtkAVeb2zFjmOWay98e
+        GC9m9N32zdg6MZDLnAABIEhDCGhuB0QjHJaXHcQxbuy8T0mgG081s8spTZnU/74=
+        =v7Jf
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//f4YuazCNqBuU6RxLg7gbh2RQ7KQ9QDIPSh+YIBr2k9RJ
+        zSjTIR2cPu4JX7Bf9w378oyExhxe6bU00DKvfmQv+CPwjR/4NfzB+/UjmrOEmZqv
+        y/Gc/2ciT2csHiuAgmck/tKCdVLyXmlMpR+ru3LBVpXLc0wRqDLze9RKM22L5o5Y
+        Tkf5LCoj77ixhVWZJ/MUm1GlCKmtAJ5tZpSOUenSApSZ0mbRUMI6SEmLhf7ApmNo
+        FInztB8eMcgyV7vhEmhAiLTkB29kGh8Oe/TtDSmywhn/pTcs4tlY7fRfcxkJaYgw
+        sZFaF3b7/xhF04kJNEugKemTZTCOoXuPvjvDKQ0glojQQ36P5S01uyH1FOHAbItz
+        8xilRiU5lHuu7BsZcb8rU8qNYnpEzY3DX/Ccpl0AoPWjY925XB7C8H8z1kk8UxR1
+        +b3XXMktUugeTZeiFG2pJsp9dhiRqyuzvW73yJSdHjqZW+Tq4U2D9Je1WeZT4+Au
+        qTQh1uC2dRgQ0PMafX50aTxIK7lPxva+cOPgYeALXP58TCUqeNUyYQmvAGba7yyU
+        yec3Hz/SNLqEhSnOqCx+TXZOhV4PM8fTzpnNhqZQ2RX2uUXwXjuyAZ8fv3v5se8F
+        HvQGW8EvJaDSvLD5GjKblQqwNlFWf0HOPUf5UZSXV3MHsHLzYHKlOE4cJ778ih7S
+        XgGY+6q602ciOETbXexRAK4G0AaAY06iQqIvjqzTRmRgkftMI/8HAV2mfjfRuTXF
+        9DClJje/SpRp/fS6jXFyRCc1MysABsxcyopIhHPxf2iy4UiipC1c15Z9VVK4cL4=
+        =l9vN
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAAr6u7xDPFlylAf002AQkjASgSyCdLMD0LxXmTEihOxBnp
+        +ZcJN9cpuyCuDaIfSqGdDLUqZ6TuAfVaixtXbxT6Odl2q1DN/GaVkZbDVwGk/W3w
+        +lSjBz4miAcU9kaSFeeJ9BDEdqROduj8/fFc8jLyxpa51nnp6ON7wI3Uup3uNZN1
+        oEwcav8u9hrbE5glS6IMFpGQAhJmvzWH9mHWCQT7A3GGK3DsYBWPH685vVk80VBw
+        8IO35N2SMVD+ebvFbSnitBSOmSNUzHgv8DaBgJkcHb5EM8bCiZNI3VkbGdi8AmRx
+        wvuAclYkemq/bNu5I0sjpt/uxEOVqsymdPs+gOVgKceEy458ZfyRUPxV0Xp5Yi26
+        MzAas8LCL+m561L8MTt01CfXJKllIh1aeNJEWYKyTtIxnWfhHnhAfiwiRaX+sAdK
+        ApLFSCtwAf2fvpqaUY0PvAwKUNKyEBrncu9cBuqK6EDx5YVQul6Mo2nx6W64G7mj
+        IUGQOoRATZP4y9bJJJMNU5BfK9j7Fdhh/VirB1XSSWSlkUduv8PVx99iLejfnknB
+        b0LVS0RW0W+XgbM0yvjRhDATalrcuBX4R7voQPeGFlw//fdg0qepSe9OeAPA+RNm
+        YTjWVWqXOmGJQ46sms4P1Fhd5NKgyv7qAaZDVf2lDZOensbhwWFKw1R65PSbi4DS
+        XgEDIaRdmRPMHOGoHzcSieR+sxDvklEAWyfUMn8D8u8dkgs1u8WL3gGixDaPMvcF
+        JgS3PA6hl0JOi3+UgBWGh6gx+C/mr+6jly+IhWd78HAsbsJcGIrs4Zlu54T8jV4=
+        =8IWz
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdA7STwRBnvhKhEh9mdHz/GWujTMli/vbMrXv8WnZ1boUkw
+        9Qtj+soJcdr8XxDREm//Q7wgGZJSJe6dBdxW5NC10H7bYDFc9aNkbT0/ceMj0tBM
+        0l4BNU1LT9rZrkhGUTqA3Gs+bzP4xazBGuiucCkM1mbSvRAjWO2abLb17GKUWODr
+        1uDStVFrPOTqN/0/O1lAfk/Xv5LQO2X/xVMDD42i9txP9G8+rCF42gKdODWF+DsQ
+        =FVIu
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fARAAkUEvumeteWHZ31xbvLAWezQr75Q45DVzBAX6MJIPnCcz
+        ofMYuDjz/ujOES7UtAYrRekCW4R+PZQ2pcC3tbNHxKQjdxsA6cY68mBQLj+TJ0+F
+        15jlkAkL7utwOxOh8P1/yxO+hr3qZl6rmncQwiynRnyiAJa6FHK8dvAHVKhLWcRN
+        pxx2O5m8I/+sF2/XgVs0iq0KWG+WbwJWUlvWKJ+2LNvXDoPYD0sdo8G1hkuQGOLW
+        Lmc1xN4hbTzvgjTBoUt1HUEOgohau8TMWnT7x1jpMLBNqm0hQfcyNmBuK4vA3NYR
+        PjtMUvEuucjOrFvF1g+OaTQ3ZSkd431yqTHRbktZDXdCvhYhSfxJ2TKdqX5U+3p+
+        27hPOX5cVISd36T8Oxm7LTt2GSZp5JZJ2gzRuSn8HDEHHBa39+jmdsqmGMFjAJfU
+        amK3TNpLx9U/AGw9CYVyQxfnrRPArjuPXE+nVmuZVJhgOcex+5SAA6YRpzPLj5/I
+        bHv0zOQ+84ghaIPvA7OlehgE2DYQjFC7qMGV0Q/jEomzHmwaFLlbDiSX97SQM4+P
+        dwe2gbz5EfgVdXeSwyPH03W5Uq/D8GiNFASxe6ctfwY6G9cUJaY7gj+br2/WSjzc
+        bSQxbyA36q6tSR8sty4lOkRqfhvCsopnACe3UaPDD9aUPu5dkrPFD2DwGZqALjrS
+        XgGQM27HAK2eAWtmQk7wWZcK8EyeO4bPl/JX8hMU8xSnbHrFpY26RNY1C4mjqcnD
+        QoyU68TbPmGX522sseuygCNmEEM/5rhx6wwePH1X+C8WRHMmXyLjKD3eVkFJ3tA=
+        =EPrs
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ//arOC3Dpt+X+GzGZFPngYFGl8SHgx9vrbNcNdRQBEBhX0
+        RmkT3rBbXRNbJvZHW6YPzoMRzhDMHEs9osbr7RwpTQxpL4owFd1hx8bhDjZYQplC
+        Gfj1xNjL1iFsQV1kWx7dagpkDEoPVlPaDyTDyHkj/fmgg/aU4y5GVUHc6l7iClN9
+        fn5HL8/sCROAPteReXnwxIWmn/03lldh7VMYwKaVIpiTf3QZzEsHAOYT0EdEcapC
+        3d5ZhTDmOvOwy2PMfx5w5RpKXKe2cbhoS1N3KEHaZIochlvnvQHpVJ3jhn8YG8j9
+        bJ5tklEauoi1YHsnj5vzm8sgQMj/p5DJHALfVKxzAMCCe0AqcVpVGTW9SR1ZMUXW
+        p0UZOmeNBfqhcOIbKXW+Hj2oSZ25KGxiXZwydF51xnUT8rsau7nPYOgg+9YARAVl
+        USZd85OX/dZcDqhfK1YZjdV3GPiTHGFUrTz53sW/nHrcCCKXL17uADLr1Z/rk3Dm
+        dayNuUVhlqgV6Z0ts0Z9blz2X/Bz2c95TUTze+pUoXCP6oKcxGbrEfHBzJrhqeFa
+        PYGRyna1t96c3Az94bz2orX69Ij3QPyd2p2B0nlv+qYNk55J/aVPIfioZSamnDk9
+        NAQJksb2M7KIq1rjheWsf/CLZYHC1rcrhUnz5SYIXVDe8f3+uNc0JFGYPYZuF7DS
+        XgEa4Lw21RwQs3Es0wAZSnkku+yg1Lg2YJ6/d5xSZJs0c5mCYvvW3q9oTc8u+D3n
+        H1/Lu8HvZtHtGARagLqHw2MORNvoJXoCT0EhcPBK4PlJKSNye96U1ooNfwxbUMo=
+        =0Nal
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqARAAlYT9Xqnfvd7uWr/V8Ca5oKJ003yWKGwAMd06zyPmIYOK
+        ErTHC98r7LXuGaMcIUrJ+oLf6YipYB7PyHwfz+zpxhDRTPAxXTqkF1ecLi7qg2AV
+        Ez3Q1hpPJv1DWASrVfJgpnlQnQtnpqXQsInL7klGc10mtbgc2zHUndWFqjxtkAhl
+        IinLZHZVFaijFw10W+e6T0UUZ9WfIPdCOChcqVp5/86DDyl3S9dBLmAd7wywzbuH
+        i0y1uelIxLyYmzLxYTNgJwEHKzQvF6jrj40AjT8HtUD473ILD5M4p2vdvNCUANu9
+        1iF4q7YM5g6cgjGC29Y31wOAM4YzdkwNXJsUhn4ACzYNBAItXK7Aw0I8WK9AnUfq
+        lwmSirx5hi870GIfu/OYeNt4I3fWjm4qY1aFwoJJRWrUdH94I4P1O6xXZyTVqpmG
+        m0Ich3O16Ir1vS9oFLdFSFGP7UZgU7D5314OKXNsEGpFLGa9U7AG1ZPHGSb6tAQi
+        9Df7TsWxYVWKBU2PbI/D9StVlWDVilt2QiKtIcRwLs3/3JrzTPJd9tvUtw6Tyjw7
+        N12/SE3yHwWxVPUXF2AsopmOoHGh67Ki+6oc7xTmxtcJWSITUhBL16ZjMEEXFeHy
+        FMODciBLrXO1jWz65mkB32ttV+oPQuCdtFPTzuKneDhVBybuMJrx7DEIFaf5CmvS
+        XgFrqRe9fua4zRd9r9tJE4RSosQOAhmVgRVCJIg5B+qUGC0l2AwO4ro1+a02t6o7
+        uBGGRHeQYrGv6HVUd/xfirUj/mtrguiSSpOy3UZ5SHIlPxuj/2jf3WxVkU0QP5k=
+        =e4Qe
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdAqRvfYgKUyKqP1jy9+s3UQ+vqUWQVxC/zXkcXOs/G3kQw
+        27MDd3dcADzCI4qrHxc0umrFegUizTg9UmseMgSJnr7oWXtuh6ocjuEe+irXw0Di
+        0l4B7cvZtRObjrOUf0lupPAp2xPIIKekUcVSxiecn6z7zVUVUwpYvPmS8MBCFc5h
+        7ad0LWml36Rj5UkBE/ph0YgLvz7ZDoC1yiagBGVX59MTjjZsZBVpRecxZ+ztuaci
+        =68na
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdA95lt4L0inJjhMwQ2v5lvhW74zuvdpgktHsp5BSycbxcw
+        oUR2v3CcCHtNzWzgeWPm8L6JHRUJQWdg+XHsLujlZXsoqKirGI67NvToOk+yttsK
+        0lgBW9AG8bUVUdXNNPfhc/FN8OJbQ2cj3E2z5kI05ZrkcOoZVXaRfXJiZPQDg1Kz
+        LhuKymMDmXXsSVd/VdLbSXpfeEqMJjTsDS+bU/TZAcRRPKxj9PPDJIWQ
+        =Kpzf
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-15T21:23:56Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+ARAA2IaYLn8z593Kh+wAw2ecOXkW+B3qhi/x0qQLVw7Jc1hO
+        rVhrcTQoabL3elIIPZtxyTYIXq6EpPkSBMOBHO+tmqI8YsB5GvWtcGV1OBpRaZ3I
+        hgKjnxkJtaQizSZqZLgGUVXjMjcdkzTlIQfu7oGeTu8Ke1cwtOE1lvleDpHHK6gc
+        yRLJWsUfHdv3rCOmRCDtguc3NG7qzUUYcknPiFGx66hfnIaA0aJav2pqS3uuRwSD
+        Ay78U2PB7kYVg//Omz9BEuiUVhYsA0sl3hFVpJuKv7FQ9OcJOevQddfq90m2KGyo
+        2Lpligwtj3evPfPReLR1D16HaGuzknoB9883jD027+fGr4/IFWx7ieVZ9iGeD3jR
+        yw/GdHCMueq1pdtyw8ArREspGmZldEKY3Qw6sfRdd71DAeTkD1zzWORCEk6OQefY
+        YX5ByUAOTUHvTey4Uy5WCj3HOUMW71CnVpsU6lDSuqBUnFlMvELtcjlmEAwvscXz
+        WFpTzphaX1fIqruS4BAzMxpKVTI1V3bnrb6wFRFnsErVjrty24R2auaoHvgslROu
+        1QUTInC7JpFUpxiK9ke8xbhYlZ5JEhcxOXlfrZcVwlxziEZEqp429L/4gVz+IGVv
+        YQ4wU8ARBcXiEDEOmEl3tCxiprDlCeLpdSrqhq57/y7IMs6Fo7QrkA5XZG+mnfPS
+        XgHFg3iMBk0qKb6AiWiN8g3SHJtcehJgmAZsRxFRP329QKGGa+azQqT7Vp066keY
+        rOsmP8iwl+4KS71+cN9rLx/3U8EcSxRuMU6KtIKvhp7yfr2bhYo8P9JH2vrPTlk=
+        =lbdI
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0
diff --git a/inventories/external/host_vars/status.yaml b/inventories/external/host_vars/status.yaml
new file mode 100644
index 00000000..c2c26b30
--- /dev/null
+++ b/inventories/external/host_vars/status.yaml
@@ -0,0 +1,27 @@
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'resources/external/status/docker_compose/compose.yaml.j2') }}"
+docker_compose__configuration_files:
+  - name: "general.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/general.yaml') }}"
+  - name: "sites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/sites.yaml') }}"
+  - name: "services-chaosknoten.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/services-chaosknoten.yaml') }}"
+  - name: "websites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/websites.yaml') }}"
+  - name: "easterhegg-websites.yaml"
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/docker_compose/config/easterhegg-websites.yaml') }}"
+
+nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
+nginx__configurations:
+  - name: status.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/status.hamburg.ccc.de.conf') }}"
+  - name: http_handler
+    content: "{{ lookup('ansible.builtin.file', 'resources/external/status/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "status.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml
new file mode 100644
index 00000000..435a9bf8
--- /dev/null
+++ b/inventories/external/hosts.yaml
@@ -0,0 +1,24 @@
+all:
+  hosts:
+    status:
+      # TODO: Manually set up ufw on the host. Create a role for ufw.
+      ansible_host: status.hamburg.ccc.de
+      ansible_user: chaos
+base_config_hosts:
+  hosts:
+    status:
+docker_compose_hosts:
+  hosts:
+    status:
+nginx_hosts:
+  hosts:
+    status:
+certbot_hosts:
+  hosts:
+    status:
+infrastructure_authorized_keys_hosts:
+  hosts:
+    status:
+ansible_pull_hosts:
+  hosts:
+    status:
diff --git a/inventories/z9/group_vars/all.sops.yaml b/inventories/z9/group_vars/all.sops.yaml
new file mode 100644
index 00000000..7c25351b
--- /dev/null
+++ b/inventories/z9/group_vars/all.sops.yaml
@@ -0,0 +1,200 @@
+metrics__chaos_password: ENC[AES256_GCM,data:seOU504dZ9K21+NK1MBf9isee2L2rueP6Bl0F66R,iv:ZtQ516gzJQSSgvOOAzPF9MuarXqHSLXy37/9z85KoQ8=,tag:dIal6OxPLli+7DbzhjNFsA==,type:str]
+sops:
+  lastmodified: "2026-01-25T19:52:03Z"
+  mac: ENC[AES256_GCM,data:6JXc+K8fmANf22puWyllV5wVSxZSVnN+U7GM9lNhkxbUBM4AaIedIHOXz9zDaZh/nT6onrW2nhKNC00kWziaddOnBxBUCWUk7bDGea6qJMIk4GfyU0f/xX7mHpgYorF/KmQP1uvNNAryn7zeSfS8Vk27GFDPbBO3GvYlOZFUJD8=,iv:6X6uf9obhNix/qLrpiP3bw1CWM7dY+XAEdfhuTTmuVc=,tag:KJHK1Hc/uV8DOw/7txHfEw==,type:str]
+  pgp:
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/9GKyJ+6SzK5xucxIxUKPRdsxirJwd6LHuIDkVTr7JTjfi
+        sXQZKVtQ7ZXbbVgZKURLtsdbhayZoU/8xYCQsX4vzDeAKc4bS6X25PLxs2oBKCYB
+        2oWl/jhKSAtVjtgnPnxljiEGxkDKW2sKlfjdjMj9yOYyif35AoQ8pIr2Tg4U8Z9C
+        ofaWBejvqxgaIShXe4jio3SIiOLYwTnaYmkoSY3QEA3RjckzNmqRE4aX+csB27cI
+        Vt8aGrcNzM8gCfi8IM1ypLHLw7Fg0OntF91RAUExG9OZJm2rGZabUixxhOCf/ttk
+        UOq7Eq29xFr9mTzyoZC2zmaOt7O+PIu8FDOvkvCgNv89ewn00DjT7DYSXB0AnPRD
+        VahAi4VAjKU2RXXbfZArdCXJpCTM2OPnXBh8Bfx/7eTnu2O8EK8OFbWuOWja8Ogr
+        7z9bgsoK4Uva6F3BQcLlZppKmkLk0P8detZihvwNbS55kkkdsA9LiyYEoHpasWpG
+        HW4dcQOqyuKwGjLE7FsqPtlxmWD6psCK3GdHzKGQR9fbXfUyD+c0DmPgPh6roFW8
+        XzvRGw6YUrP7/wtvUH4zSLQbB6kqz6nO88isPoLpClyQ/3Khj9QLljCDQB+yRBIu
+        p3a2HISwt4HQzuckk8W4yKIDdzf86dXVEMqUe4JTe+vW9PPobnUEXrPgRBNZYD7S
+        XgHOfGiWknFPa8s4KCHZK9sLB2joWAJTtQnk4cuaXoIgamiXB0qgiArc43PsjstE
+        N6kvVXrFVgQ9Xlrp8XDJHOsUYAy8admA8KNQF+XQ+KeHgQGKKX1RjbBFunIkaOc=
+        =1Rdp
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2AQ//QgGTp9DYSoNWI5n0+9gMUP7asTRdRl7T+xT88k7cCO9Z
+        lNi86qeqiGGkqTffARBJNaq+ut/D7EKc6ivp+ewfySimM5E3ape3C6rulHybE/j8
+        3EpP4VW+5yA4Nq+CbZvzQb60oXR8LnGzVX1gePWwyQozVzRS72/hnxyecQYsc1IJ
+        OTQPSfclZXJO3k6fK+BrfHsjJkOpHYoLAnI/9ty9JBSuwGfzI+ur2Jimn0Y783Ou
+        orZNzxrRKfkIPjdFnWGY3i31nW9tnkEXLdsdOHfOu8Ahtdi2NhwReSv5hMKPXbOw
+        lxhL/Y1bG4ChgAAFVG5QYZ69tuzSov8XP2Wv6auVA7HC3H+689fNeO0C6GhDcVgc
+        LBF1nK/zJq95uxlSNy5dpTSzKqwlwRzvLOCPByXc3pLcDDW9Zp194bS/iDGfnfqe
+        UUPK9e0gX8TYOeQhF3K+H6JMdFO/uYbiaeVZWmvOV6jSiii0CXoGe4oVZqcfcfA3
+        RScUjLx0f2w4xQwU60ZmHsmvs2PmdBsNDPeQXrqeyAfgFReDoI1RLo+k+3khoAJE
+        LzzNFg6bVBx3rRazWoASlHYK8i6dTHpMBompPC+kmjorZnoqnTRX4bix0atsFY7g
+        vt8CVfqy8YKrVIGPZnDAsrZ3ecShIQFB6OfxgSb6nqN1K3NwFcjXWH05SJOfFR3S
+        XgGrU49/hKqHTmAGHbWoe54qkPj+WvRkeGccEnvtum8yrPpDpmYg+wyEm3JeQf1S
+        gCHS/j0pJS/CnnfgoUgkYCMokGvtSoTJgIE/2XTA/BFNRg0vc1Dgk/WonG33PDU=
+        =ev2Q
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//SxqxshraAR0pQf1lzhtZ5RHoNZJnaZKwic/pvJvIDUCA
+        6zotOpu478rK4w8zWdX1gfjve+iu4BkaB16lZqvsV6lLq80dT3yfeil9ETFElKuA
+        womIEdAafq8W71eTffUZ3Klrg/WjDVjeDRRKqz8vv9pd9MQbYmDhrjRG/ySP5qgZ
+        +/apRAOrYnbtzgjlPAfLIGD65jvS3JRE3gbZfpzzkLB8P5M1JVOUf15FxAZ2tyhO
+        PZ3FYC2JbCzftp0Iiksq8sl42Fl0FzOTLFQb0GhQ60tJatFVWhG31NeXdRRuLnQU
+        5bmanb2nJBroQJWM/8piG8npG8jhzRzeMTHboW5TezYAXBLxRQJct7pR9ZwDje2U
+        5j9VkNyKQ+wMJ2vMiyshserEe6gjc2/E+XYDheAPrFPqwGNklb6OSemm4vWwd6GK
+        HNqDxA/C0du1b1vm9CTLgk7utbEpspnNQnZh32iifSfiQ3Zl7FwTxnA/2Bj0csQ/
+        xrck7T2gzY39tOqXbq0QqIQA31BW4ukmxcAKn8pmJpguW0cBxDTaGNXQ4jo+8YtQ
+        MYYT4dR9S95MsOKWGREvMA0GMxzwbA2eMwZ7yUARCLVGD48MMiiDZcYqd03cnOO3
+        hGj+vy0FbsVdknztBDeGttUYHOtjb+XO4gF4sHdpaWxdF7kVVknNUtciWa+Kw4LS
+        XgGqWekdWhsKZ+bPboinUPY9e5vkgLueSWrQ0aqi5Pte9lQ3pYPqT2U51fJG5G9/
+        tYiofc0K7CB/qyxB7LpF5rtUla9oQQJd36xC0eO7laSapWiag2rzuIsMxR+4egA=
+        =a2qJ
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1AQ//U6R7Cb1kfojFwzVy9ky+y7Puhk7Jyog+jLabWhurkV30
+        RO4EeTXMEJ1gVU9qJDeHn7Fr1HbYr9cdTf1yw5Y23p+pBZA1wRTkxHctEk1KNDRW
+        8QdCmQOu8jTDc5cq0F6d6lD6vJpfjaQez5cT7dN9Eqp0jUsmQCSLmqmXvbNEv3fW
+        n+o/VsvtaqMTjhlPUHvhe/d0/YWvkp4xPycDVW/oYh2KE3QUV5AKUJSOLuSIFENy
+        f0hjnoz8xmY7eA20uXvTWPgUU9J+KCSgmy87wM/WkM3kjKWOUkijDFCsCWSEIx4W
+        E2iY6N7yaYBkKfQ6s+f77xg+vc7g1plheK3pdyYkYvgfeqg27QFV/3m80f0gULS4
+        bNrZKNRrMD+grgjB75cj14PRHGQcaZEouE7l2uCUNbR/hFIF1M2F91HAW61mVLv6
+        ZNluofRYqHf+YWUO4KtJwpfgfh0gsCF3KaeHnAA/Xy9e+7KRgWbAbsDIQr40Nqm1
+        Cbv/HqjHCeS7ylw3TmYcwFoGO1XoL/toSQQ4/y0JPMCae+MGslDm2o/1X1VqAnIZ
+        sdhcTKY8HJWxn8uc5MFG4Mr0PhMIXirhBBQLYXdVJ/tOj9yVU+gJZe3lv64uQgDZ
+        Ey1KESfJu98uwrPS3Dzy2YPbT7Gh58sOfHeaDoeZAu+YzQMOQ7V260vu0XXMgSfS
+        XgE3PiMBjbW4eypClEK6H5iSL4SjEm+NweQNkwGaxqLSsb7LuOtSkiEmf4mdQEnI
+        SI14d0nNv7ki0T59Ssmi65A49SXjvLzsCBE1DgeqVD8IwKCewma0dgkNErdyG4s=
+        =rV/a
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DerEtaFuTeewSAQdAdDLPgKw0A+eoKiYGIKxOFZHYVg0V4UmuIti0XC5RJCIw
+        IPu2/Y45X9L40RRhH8N9lazjLeJv5Lbo08hMlo/CgshZ0BJVot8mBAiH/R2DsVRC
+        0l4BL6ctQ/xivjWQBBhy/DCYVtDRv8JXIEXNJgU/+UjkSE8Auh4NASANg9GTcBBn
+        lukzOBGYF9nH69fAkVtZbNL5+dFoPLDPUzZTU19D15J6IJkt+gKPSzjbtWaJqIsQ
+        =dGU4
+        -----END PGP MESSAGE-----
+      fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fAQ/+LQ3yEzhjYXoDkE9olsl0lVxQ9FdCbqDHFJZAIReI0jqg
+        WF+0GmoMuG4kFZu+ju3vCWpT5kH84SUxOFXyaXp1TCfcJ1zCUno93fVssOL/9Sma
+        vVPVIXpTqJqFBOWJNOe7wNjvQiDE4TxjGC/FXr+hOoLZXrf7gdNaUXxZOb+vPZih
+        t79eZhxALGwmwsMdZxkA8ERCmNJet1/wn7s5vUjwrDYRZL2zGf4yocSCjwGYHOCs
+        j+DcrYG7Cd5J+CS8rKu2Yh5KEAfMhgMxGjK0HKUVPk1cQxOgronnM1vrij30S4+9
+        avNlOwAerg3RaFhXPj9UY7FGV+rZQY1CQKEWqr4AANkdDXb/LnLalwMBMcm+EDwT
+        zHxBhJ69QJmsZUP3Z5WQqxmyAux9+oodgehWKkY4sCR2huHuysbJNEStuI1HaTRj
+        ZJafiniHkFyQyTqc4wwJrRxkwJM6mVvcZdXuV7+QaEWr3FEF0t7tyEYUIRkUlJOQ
+        IUPDClDRLJnQGq11XT/QOlGfxET9fGoAkij1LrPqpvHxJ6IEGLMOPN4kw1yg02yO
+        u0HiB2wIUzKHJJ6vMR6zK3WY4MXCQISTZXpK7mILleRIIOWhw7C7gvlfuYkMT3fM
+        dXUQRhTblZXaeTxRuCUPqa0eGzac4UJBVoRAWXYiZWhdKxNJbyCMRQDcaOeho9/S
+        XgGENH9zFjI//pveCrlxx5BKDxTdqIn9R3iskbKbZRhVr+pU3IK4uCsUQlOBG3++
+        zxQinHgNbqA22clcuRMZ1NeDrzDfBLndsWuSeyWaAA9qEG9XjmjCRRzPGACoDLs=
+        =dywj
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+P4h9d4LPElJbVr4L3cE+6/9mhLF6n1hre14cCTSxTe20
+        HqpY7U9yE4G/1IfAE3pueOgc5FsLRPn8VnHAzy6ygt4/xXXzH6aACDiUtweqyExE
+        K39J9PLjczWb7XGbZc3YKoz5x0Q/93s+CdjK7piamb41bMRVbmffNtEceH8Gld9u
+        t8SI18F1yrRtXpK8FvzFLvA1jEt9sduPVq51bWG2LjMFaMrsm7hXt1ArUGsOoGN3
+        36E4VrVp6gp8BVa+apsUY3mHBi3hUE0h2tO4iEsi1qYr1OTn3v4Dn9oxKrYIIom2
+        hHszqVSq0fnIqoKOZbyUe2AdXtnTGpQQRxCBvtIEBNB1FS/CKCe7ceXVBZujU2Kd
+        JD3Lg5uXgkolfyjFCPzOp292xvJ83i7QMoTuVEw14PSjux3jAa4K3wpKUvF80ja2
+        ugGj3zTLAHdAV37lKO2WYZuMMJLKWKX1p9yKZqteJdiLQHH8f24dFZ2Vtoly/GKM
+        KzGJ1fimB6divQ8TOHVFAr1qDksk8zf1PBJ/IlWoBKv5IWwoikf42IOL/P2c/nk7
+        4pYwHrlk8y71Cgjw50K9/T/Ul0Ov6ay4FK+0vy+zbokSVczZKsrL4/Tc6s0S9ty6
+        SVKm7yL+BSGgZWmDNesYoRzboBT2mSb1N45ThUaeW7AwMo3hDJPjEkaFtZN3bqzS
+        XgEIFYvxWH6OEIl+VZ/J5qxxmi3Cz6XVzTliCnoTFUoVxHyOxN6HX0Jn/qRqmmlN
+        mJX4OT1FJ3WnqOHQ5Cm4403bm2H79mGCBKYiXPQeO/bVBh0mTbeYKRr8bjsm+rc=
+        =lIEt
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqAQ//Ue74vm+2K7chQcfdrY5GR0rPUKNiX9MMw9zgHpdyHlXa
+        FfL0NQbG8Rfc/6Yf7LH1sWMGED5Yvci3z+YkTWg8Fcv1pYQGj6Kul2L0aL4tvq/a
+        tdIJi+Ajp92jr+5jdae+GvJZedaHZYxykyeSe4/nk1j6k4u3TiVMBczk7z9701F+
+        ZFtG1SBRcqjZ/Vx36B6s+10f9ft7TWCIJfeTimBJV3fFt7r698vTQ+S1/uxo5Ik0
+        kQOtYDxsigBBeE0OX2ZBDyeGhfl/PZgN7GD7bgpjnfzDi+8kMXEMu4z88tOQulhk
+        qj+63irEydFCsMEC22XhLaqW8bjld0VAnkXv7DfoEbMt84XN6SejjDy6aXK9C0Qd
+        BIyQwTvsmgbInluw8Qu+GJPLLbY9qYjjuo5BbwUeBfiVxQaBYcm5lmPSKM0lq+Uq
+        fUYowpMS417L5kkp2yE/NmKOzi2ZuiFWMCpvPIvKea9zJxvEtIjohwtM86b4LH+j
+        7yie9gWu0bhBw9keKtIbRmgbsilp8E5OUHXgOT0sNWTLenQDsWQ9dmgvtpeEb9ax
+        6mw1QUpFz4CcHhuQixoI+q4y0SXcWxyN0U78U8igaELUtwpaRR7yf4VUJOEid+m1
+        Rzu5jLCuhlLmmW03W6Y/Vl+n0QOyEl0uPCRiRgYeUzKiYw6NRYHPezbJnmNAeKnS
+        XgFCdzLc5Jl6OqJfy4V0yJucGq72oKK1wdJi74PqTNs44CaeEW8tDhxVWm367e5b
+        Ve88LJyDhOrMi57aKcAJ12HoL8pI5hambJ0qSs9RKpnQIJH7U60MBBTCBHN3H4k=
+        =az/q
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdA04/sIHLMEFJO8wCB5+N5QWPzwyefW49JuNr/O2A+tTcw
+        Rm/CybmXPnSCx7p8QLruOG0tz8kM+YoSthSWlC9/B6TZgKLyrMOvx1U/fSNjKC4Q
+        0l4BDFhVCnXKTQmfZtj5Qpwuj3H5fZ7QzKUQz542pvqN/fJVnc0Q4rQapKcU4AOx
+        JTdXpu6gP3FRGviA342GHJU0gq220vSzPu889dsdmtgNfAEQWPLVKKwjigDQN+SV
+        =2Eki
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DzAGzViGx4qcSAQdAxLZsKVzF30df0Zk7Eg9u7fLJzApid00aEcZVxHQnZ0kw
+        5SDeSOzzTue71lKcCyunbO1/e20jMrNVvYKQp0kKkNHpTWgjN0hW3vZt6zeLcrSo
+        0lgBTOoJykoj24Y9WvIaQbae2K6M35drO2c7nhVmTzibUe7XEJ3C+vbUySdSTd+0
+        WL1IjqZUGSUL4SUIW6kW0WFdSJ01O6vbXhw1gw7KwKMfBHgIUAzpENTW
+        =S45t
+        -----END PGP MESSAGE-----
+      fp: D2E9C0807BF681F5E164DAFC5EE1B61CD90954CD
+    - created_at: "2026-01-25T19:51:13Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA2pVdGTIrZI+AQ/8Dd/YnYUP9OA6qxJcerf9mCkQkC5PLehCPAOLOn4sNV5x
+        DnpdfAvgej1Vuy0CHK8//PAiEC7idLN+ictIdQgy0RaObp50tca44U2ssQOkmxcd
+        j5WpKKunHsKomksr7bRpwm/vtN4LoldQc7g1qaBlsaJE7iEOrB8I3n3fFhWD6xBG
+        TUzRe8r/M2/c25Agky9caILYvjm/etCsf/gZq3RwVvV48912JNqb+7o04vpj3MbO
+        AOsiEBCTNSZqN5XuRi/jCpQNe0p18M9irYkFWVe2be6Cb4wE2cdg904rC3K+v0QA
+        nwD6/bXWGI7WAF6nhvuiAS0vxmbvOePNI3KZ1CdEDeScqnAWUdkFuuAwmw0K7tHt
+        UJe/SlML6strnnjOGR6p3eeIjoDKtGBiqEjXYyEcXPVi8vFSd7muGcjLieyJUmfH
+        FVGA7bF+a6c4iTFSM2GNpANFV0qzZ/wa4aj9MqzOATTglQnr2LZJP7chnzoLyzx6
+        7cjTcWHsb3E+D7X37yF+mZAT6yvOoxaQNqTY6u1ZoY9NrGdJ1reudAlzg6k10cpf
+        O4Zww2Jjz5yEhvS9cTh8+bKOJYgKnbg/LLty/ade+rio4E0jn+a6VgRCqIMbGwgx
+        vf9ATU8S10/Es2cT6f99EpPgV0w9QCfhAGel/sjXk/zIT8rF2SbIlXf0/GK3yaXS
+        XgGrocZNe2RNZd3ZjsvtU6bBsPd9tekQLjC1vE6U/WXXPKapb6aOq2eL7Qb7QFu7
+        XSGN+YA/c9OwmtJLP3y5mGBowa6vWT1Uf6NweamPYJBpNG27Bt5yLlnEnaDZokw=
+        =9ri7
+        -----END PGP MESSAGE-----
+      fp: 878FEA3CB6A6F6E7CD80ECBE28506E3585F9F533
+  unencrypted_suffix: _unencrypted
+  version: 3.11.0
diff --git a/inventories/z9/group_vars/all.yaml b/inventories/z9/group_vars/all.yaml
new file mode 100644
index 00000000..9a312517
--- /dev/null
+++ b/inventories/z9/group_vars/all.yaml
@@ -0,0 +1,43 @@
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "{{ metrics__chaos_password }}"
+      }
+    }
+  }
+
+  prometheus.relabel "z9_common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "ccchh"
+    }
+    rule {
+      target_label = "site"
+      replacement = "z9"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.z9.ccchh.net"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.z9_common.receiver]
+  }
+
diff --git a/inventories/z9/host_vars/dooris.yaml b/inventories/z9/host_vars/dooris.yaml
index 5813e3a5..8ae5287f 100644
--- a/inventories/z9/host_vars/dooris.yaml
+++ b/inventories/z9/host_vars/dooris.yaml
@@ -7,9 +7,11 @@ certbot__certificate_domains:
   - "dooris.ccchh.net"
 certbot__new_cert_commands:
   - "systemctl reload nginx.service"
-certbot__http_01_port: 80
 
 nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
 nginx__configurations:
   - name: dooris.ccchh.net
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/dooris.ccchh.net.conf') }}"
+  - name: http_handler
+    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
diff --git a/inventories/z9/host_vars/light.yaml b/inventories/z9/host_vars/light.yaml
index 0336d220..0c7e11d7 100644
--- a/inventories/z9/host_vars/light.yaml
+++ b/inventories/z9/host_vars/light.yaml
@@ -50,10 +50,22 @@ ola__configs:
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbdmx.conf') }}"
   - name: ola-usbserial
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/ola/ola-usbserial.conf') }}"
+
 nginx__version_spec: ""
 nginx__deploy_redirect_conf: false
 nginx__configurations:
   - name: light
     content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/light.conf') }}"
   - name: http_handler
-    content: "{{ lookup('ansible.builtin.file', 'resources/z9/light/nginx/http_handler.conf') }}"
+    content: "{{ lookup('ansible.builtin.file', 'resources/z9/dooris/nginx/http_handler.conf') }}"
+
+certbot__version_spec: ""
+certbot__acme_account_email_address: le-admin@hamburg.ccc.de
+certbot__certificate_domains:
+  - "light-werkstatt.ccchh.net"
+  - "light.ccchh.net"
+  - "light.z9.ccchh.net"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
+
+
diff --git a/inventories/z9/host_vars/yate.yaml b/inventories/z9/host_vars/yate.yaml
index d2dc5180..fecacb1e 100644
--- a/inventories/z9/host_vars/yate.yaml
+++ b/inventories/z9/host_vars/yate.yaml
@@ -6,4 +6,3 @@ docker_compose__configuration_files:
     content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regexroute.conf.j2') }}"
   - name: regfile.conf
     content: "{{ lookup('ansible.builtin.template', 'resources/z9/yate/docker_compose/regfile.conf.j2') }}"
-docker_compose__restart_cmd: "exec yate sh -c 'kill -1 1'"
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 9d5bb09c..319f8175 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -4,7 +4,7 @@ all:
       ansible_host: authoritative-dns.z9.ccchh.net
       ansible_user: chaos
     dooris:
-      ansible_host: 10.31.208.201
+      ansible_host: dooris.z9.ccchh.net
       ansible_user: chaos
     light:
       ansible_host: light.z9.ccchh.net
@@ -20,6 +20,7 @@ all:
 certbot_hosts:
   hosts:
     dooris:
+    light:
 docker_compose_hosts:
   hosts:
     dooris:
@@ -49,5 +50,11 @@ ola_hosts:
 proxmox_vm_template_hosts:
   hosts:
     thinkcccore0:
+alloy_hosts:
+  hosts:
+    authoritative-dns:
+    light:
+    yate:
+    dooris:
 ansible_pull_hosts:
   hosts:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index d7bacac2..fe0cf78e 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -4,6 +4,16 @@
   roles:
     - base_config
 
+- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
+  hosts: systemd_networkd_hosts
+  roles:
+    - systemd_networkd
+
+- name: Ensure nftables deployment on nftables_hosts
+  hosts: nftables_hosts
+  roles:
+    - nftables
+
 - name: Ensure deployment of infrastructure authorized keys
   hosts: infrastructure_authorized_keys_hosts
   roles:
@@ -54,11 +64,6 @@
   roles:
     - nginx
 
-- name: Ensure prometheus_node_exporter deployment on prometheus_node_exporter_hosts
-  hosts: prometheus_node_exporter_hosts
-  roles:
-    - prometheus_node_exporter
-
 - name: Configure unattended upgrades for all non-hypervisors
   hosts: all:!hypervisors
   become: true
@@ -73,10 +78,8 @@
 - name: Ensure Alloy is installed and Setup on alloy_hosts
   hosts: alloy_hosts
   become: true
-  tasks:
-    - name: Setup Alloy
-      ansible.builtin.include_role:
-        name: grafana.grafana.alloy
+  roles:
+    - alloy
 
 - name: Ensure ansible_pull deployment on ansible_pull_hosts
   hosts: ansible_pull_hosts
diff --git a/renovate.json b/renovate.json
index 7e604c1c..41787b7a 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,15 +1,23 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:recommended", // Included in config:best-practices anyway, but added for clarity.
-    "config:best-practices",
+    "config:recommended",
+    // Parts from config:best-practices:
+    // https://docs.renovatebot.com/presets-config/#configbest-practices
+    ":configMigration",
+    "abandonments:recommended",
+    "security:minimumReleaseAgeNpm",
+
     ":ignoreUnstable",
     ":disableRateLimiting",
     ":rebaseStalePrs",
-    ":label(renovate)",
-    "group:allDigest"
+    ":label(renovate)"
   ],
   "semanticCommits": "disabled",
+  "ignorePaths": [
+    "ansible_collections/**",
+    "galaxy-roles/**"
+  ],
   "packageRules": [
     // Create a package rule for grouping all stable non-major dependency updates together.
     // A combination of/inspired by:
@@ -29,11 +37,10 @@
       "matchPackageNames": ["docker.io/pretix/standalone"],
       "versioning": "regex:^(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
     },
-    // Since Forgejo seems to clean up older tag versions, so older digests, disable digest pinning for our images.
     {
       "matchDatasources": ["docker"],
-      "matchPackageNames": ["git.hamburg.ccc.de/*"],
-      "pinDigests": false
+      "matchPackageNames": ["docker.io/pretalx/standalone"],
+      "versioning": "regex:^v(?<major>\\d+\\.\\d+)(?:\\.(?<minor>\\d+))$"
     }
   ],
   "customManagers": [
diff --git a/requirements.yml b/requirements.yml
index e5538cc9..dffe9d35 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,8 +1,17 @@
 collections:
-  # Install a collection from Ansible Galaxy.
-  - name: debops.debops
-    version: ">=3.1.0"
-    source: https://galaxy.ansible.com
-  - name: community.sops
-    version: ">=2.2.4"
-    source: https://galaxy.ansible.com
+  # debops.debops
+  - source: https://github.com/debops/debops
+    type: git
+    version: "v3.2.5"
+  # community.sops
+  - source: https://github.com/ansible-collections/community.sops
+    type: git
+    version: "2.2.7"
+  # community.docker
+  - source: https://github.com/ansible-collections/community.docker
+    type: git
+    version: "5.0.5"
+  # grafana.grafana
+  - source: https://github.com/grafana/grafana-ansible-collection
+    type: git
+    version: "6.0.6"
diff --git a/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
new file mode 100644
index 00000000..4f3b49c5
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/acmedns.cfg.j2
@@ -0,0 +1,27 @@
+# https://github.com/joohoi/acme-dns?tab=readme-ov-file#configuration
+[general]
+protocol = "both"
+domain = "auth.acmedns.hamburg.ccc.de"
+nsname = "acmedns.hosts.hamburg.ccc.de"
+nsadmin = "noc.lists.hamburg.ccc.de"
+records = [
+    "auth.acmedns.hamburg.ccc.de. CNAME public-reverse-proxy.hamburg.ccc.de.",
+    "auth.acmedns.hamburg.ccc.de. NS acmedns.hosts.hamburg.ccc.de.",
+]
+
+[database]
+engine = "sqlite3"
+connection = "/var/lib/acme-dns/acme-dns.db"
+
+[api]
+ip = "0.0.0.0"
+port = "80"
+tls = "none"
+corsorigins = [
+    "*"
+]
+
+[logconfig]
+loglevel = "debug"
+logtype = "stdout"
+logformat = "text"
diff --git a/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
new file mode 100644
index 00000000..89768523
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/compose.yaml.j2
@@ -0,0 +1,22 @@
+---
+services:
+  oauth2-proxy:
+    container_name: oauth2-proxy
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.14.2
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    volumes:
+      - "./configs/oauth2-proxy.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    ports:
+      - 4180:4180
+
+  acmedns:
+    image: docker.io/joohoi/acme-dns:latest
+    ports:
+      - "[::]:53:53"
+      - "[::]:53:53/udp"
+      - 8080:80
+    volumes:
+      - ./configs/acmedns.cfg:/etc/acme-dns/config.cfg:ro
+      - ./data/acmedns:/var/lib/acme-dns
\ No newline at end of file
diff --git a/resources/chaosknoten/acmedns/docker_compose/index.html.j2 b/resources/chaosknoten/acmedns/docker_compose/index.html.j2
new file mode 100644
index 00000000..1170cec7
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/index.html.j2
@@ -0,0 +1,74 @@
+<html>
+<head>
+<title>ACME DNS Register</title>
+<style>
+table, tr, th, td {
+    border-collapse: collapse;
+}
+caption {
+    caption-side: bottom;
+    padding: 2px 4px;
+}
+th, td {
+    border: 1px solid black;
+    padding: 2px 4px;
+}
+th {
+    text-align: left;
+}
+td {
+    font-family: "Courier", monospace;
+}
+</style>
+</head>
+<body>
+<h1>Register an Entry in ACME DNS</h1>
+
+<p>This is the page where you can create an entry in ACME DNS. Please only do so when you need a new entry; there is currently no way to remove entries once they have been created.</p>
+<p>See <a href="https://wiki.hamburg.ccc.de/infrastructure:services:acme_dns">the ACME DNS service</a> entry in the wiki for further details.</p>
+
+<p><button id="register">Register a new entry</button></p>
+
+<table id="results" style="display: none">
+<tr>
+    <th>Full Domain</th><td id="fulldomain">undefined</td>
+</tr>
+<tr>
+    <th>Subdomain</th><td id="subdomain">undefined</td>
+</tr>
+<tr>
+    <th>X-Api-User</th><td id="username">undefined</td>
+</tr>
+<tr>
+    <th>X-Api-Key</th><td id="password">undefined</td>
+</tr>
+<caption><b>Important!</b> This information will only be shown once. Please
+copy or otherwise save it immediately.</caption>
+</table>
+
+<p><b>Note: there is no way to delete registrations.</b> Each registration is small, so it's not an immediate problem, but please do not click register unless you are planning to really create a new entry.</p>
+
+<script>
+document.getElementById("register").addEventListener("click", (event) => {
+    const register = async () => {
+        const response = await fetch("/register", {
+            method: "POST"
+        });
+        if (!response.ok) {
+            console.log(response);
+            alert("Unable to register a new entry.");
+            return;
+        }
+        const registration = await response.json()
+        for (const key in registration) {
+            const e = document.getElementById(key);
+            if (e !== null) {
+                e.innerText = registration[key];
+            }
+        }
+        document.getElementById("results").style.display = "block";
+    }
+    register();
+});
+</script>
+</body>
diff --git a/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2 b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
new file mode 100644
index 00000000..f11eadf5
--- /dev/null
+++ b/resources/chaosknoten/acmedns/docker_compose/oauth2-proxy.cfg.j2
@@ -0,0 +1,13 @@
+reverse_proxy = true
+http_address="0.0.0.0:4180"
+cookie_secret="{{ secret__oidc_cookie_secret }}"
+email_domains="*"
+
+# dex provider
+oidc_issuer_url="https://id.hamburg.ccc.de/realms/ccchh"
+provider="oidc"
+provider_display_name="CCCHH ID"
+client_id="acmedns"
+client_secret="{{ secret__oidc_client_secret }}"
+redirect_url="https://acmedns.hamburg.ccc.de/oauth2/callback"
+
diff --git a/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
new file mode 100644
index 00000000..dd78d8c6
--- /dev/null
+++ b/resources/chaosknoten/acmedns/nginx/acmedns.hamburg.ccc.de.conf
@@ -0,0 +1,87 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen [::]:8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name acmedns.hamburg.ccc.de;
+
+    root /ansible_docker_compose/configs/html/;
+
+    ssl_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/acmedns.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/acmedns.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+    proxy_buffer_size 8k; # needed for oauth2-proxy to work correctly
+    port_in_redirect off;
+
+    location /oauth2/ {
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host                    $host;
+        proxy_set_header X-Real-IP               $remote_addr;
+        proxy_set_header X-Auth-Request-Redirect $request_uri;
+        # or, if you are handling multiple domains:
+        # proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+    }
+
+    location = /oauth2/auth {
+        proxy_pass       http://127.0.0.1:4180;
+        proxy_set_header Host             $host;
+        proxy_set_header X-Real-IP        $remote_addr;
+        proxy_set_header X-Forwarded-Uri  $request_uri;
+        # nginx auth_request includes headers but not body
+        proxy_set_header Content-Length   "";
+        proxy_pass_request_body           off;
+    }
+
+    location = / {
+        auth_request /oauth2/auth;
+        error_page 401 = @oauth2_signin;
+
+        index index.html;
+    }
+
+    location = /register {
+        auth_request /oauth2/auth;
+        error_page 401 = @oauth2_signin;
+
+        proxy_pass http://127.0.0.1:8080/register;
+    }
+
+    location = /update { # no auth by proxy required
+        proxy_pass http://127.0.0.1:8080/update;
+    }
+
+    location = /health { # no auth by proxy required
+        proxy_pass http://127.0.0.1:8080/health;
+    }
+
+    location @oauth2_signin {
+        return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
+    }
+}
diff --git a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2
index ffe491bd..c2108d8a 100644
--- a/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ccchoir/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/mariadb:11@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71
+    image: docker.io/library/mariadb:11
     environment:
       - "MARIADB_DATABASE=wordpress"
       - "MARIADB_ROOT_PASSWORD={{ secret__mariadb_root_password }}"
@@ -17,7 +17,7 @@ services:
     restart: unless-stopped
 
   app:
-    image: docker.io/library/wordpress:6-php8.1@sha256:75f79f9c45a587b283e47fd21c6e51077d0c9dbbba529377faaa0c28d5b8f5a4
+    image: docker.io/library/wordpress:6-php8.1
     environment:
       - "WORDPRESS_DB_HOST=database"
       - "WORDPRESS_DB_NAME=wordpress"
diff --git a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
index ff37e487..a8d71a99 100644
--- a/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
+++ b/resources/chaosknoten/ccchoir/nginx/ccchoir.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -43,12 +43,12 @@ server {
 
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
index d3ed9592..d213d615 100644
--- a/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/eh22-wiki/nginx/eh22.easterhegg.eu.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
index 51aeb63e..0689820c 100644
--- a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
@@ -3,11 +3,11 @@
 # - https://github.com/prometheus/alertmanager/blob/48a99764a1fc9279fc828de83e7a03ae2219abc7/doc/examples/simple.yml
 
 route:
-  receiver: 'ccchh-infrastructure-alerts'
-  group_by: [ "alertname", "site", "type", "hypervisor" ]
+  receiver: 'ntfy-ccchh'
+  group_by: [ "alertname", "site", "job", "hypervisor" ]
   group_wait: 30s
   group_interval: 5m
-  repeat_interval: 6h
+  repeat_interval: 26h
   routes:
     - receiver: "null"
       matchers:
@@ -16,49 +16,38 @@ route:
       matchers:
         - org = "ccchh"
         - severity = "critical",
-      repeat_interval: 18h
+      repeat_interval: 26h
       continue: true
     - receiver: ntfy-ccchh
       matchers:
       - org = "ccchh"
       - severity =~ "info|warning",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
     - receiver: ntfy-fux-critical
       matchers:
         - org = "fux"
         - severity = "critical",
-      repeat_interval: 18h
+      repeat_interval: 26h
       continue: true
     - receiver: email-fux-critical
       matchers:
         - org = "fux"
         - severity = "critical",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
     - receiver: ntfy-fux
       matchers:
         - org = "fux"
         - severity =~ "info|warning",
-      repeat_interval: 36h
+      repeat_interval: 52h
       continue: true
-    - receiver: ccchh-infrastructure-alerts
-      matchers:
-        - org = "ccchh"
-        - severity =~ "info|warning|critical"
 
 templates:
   - "/etc/alertmanager/templates/*.tmpl"
 
 receivers:
   - name: "null"
-  - name: "ccchh-infrastructure-alerts"
-    telegram_configs:
-      - send_resolved: true
-        bot_token: {{ secret__alertmanager_telegram_bot_token }}
-        chat_id: -1002434372415
-        parse_mode: HTML
-        message: {{ "'{{ template \"alert-message.telegram.ccchh\" . }}'" }}
 
   - name: "ntfy-ccchh-critical"
     webhook_configs:
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index d739b2fa..c2c312c2 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -2,12 +2,13 @@
 services:
 
   prometheus:
-    image: docker.io/prom/prometheus:v3.7.2@sha256:23031bfe0e74a13004252caaa74eccd0d62b6c6e7a04711d5b8bf5b7e113adc7
+    image: docker.io/prom/prometheus:v3.9.1
     container_name: prometheus
     command:
       - '--config.file=/etc/prometheus/prometheus.yml'
       - '--web.enable-remote-write-receiver'
       - '--enable-feature=promql-experimental-functions'
+      - '--storage.tsdb.retention.time=28d'
     ports:
       - 9090:9090
     restart: unless-stopped
@@ -18,7 +19,7 @@ services:
       - prom_data:/prometheus
 
   alertmanager:
-    image: docker.io/prom/alertmanager:v0.28.1@sha256:27c475db5fb156cab31d5c18a4251ac7ed567746a2483ff264516437a39b15ba
+    image: docker.io/prom/alertmanager:v0.30.1
     container_name: alertmanager
     command:
       - '--config.file=/etc/alertmanager/alertmanager.yaml'
@@ -31,7 +32,7 @@ services:
       - alertmanager_data:/alertmanager
 
   grafana:
-    image: docker.io/grafana/grafana:12.2.1@sha256:35c41e0fd0295f5d0ee5db7e780cf33506abfaf47686196f825364889dee878b
+    image: docker.io/grafana/grafana:12.3.1
     container_name: grafana
     ports:
       - 3000:3000
@@ -45,7 +46,7 @@ services:
       - graf_data:/var/lib/grafana
 
   pve-exporter:
-    image: docker.io/prompve/prometheus-pve-exporter:3.5.5@sha256:79a5598906697b1a5a006d09f0200528a77c6ff1568faf018539ac65824454df
+    image: docker.io/prompve/prometheus-pve-exporter:3.8.0
     container_name: pve-exporter
     ports:
       - 9221:9221
@@ -58,7 +59,7 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
   loki:
-    image: docker.io/grafana/loki:3.5.7@sha256:0eaee7bf39cc83aaef46914fb58f287d4f4c4be6ec96b86c2ed55719a75e49c8
+    image: docker.io/grafana/loki:3.6.4
     container_name: loki
     ports:
       - 13100:3100
@@ -69,7 +70,7 @@ services:
       - loki_data:/var/loki
 
   ntfy-alertmanager-ccchh-critical:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-ccchh-critical
     volumes:
       - ./configs/ntfy-alertmanager-ccchh-critical:/etc/ntfy-alertmanager/config
@@ -78,7 +79,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-fux-critical:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-fux-critical
     volumes:
       - ./configs/ntfy-alertmanager-fux-critical:/etc/ntfy-alertmanager/config
@@ -87,7 +88,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-ccchh:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-ccchh
     volumes:
       - ./configs/ntfy-alertmanager-ccchh:/etc/ntfy-alertmanager/config
@@ -96,7 +97,7 @@ services:
     restart: unless-stopped
 
   ntfy-alertmanager-fux:
-    image: docker.io/xenrox/ntfy-alertmanager:0.5.0@sha256:5fea88db3bf0257d98c007ab0c4ef064c6d67d7b7ceead7d6956dfa0a5cb333b
+    image: docker.io/xenrox/ntfy-alertmanager:0.5.0
     container_name: ntfy-alertmanager-fux
     volumes:
       - ./configs/ntfy-alertmanager-fux:/etc/ntfy-alertmanager/config
diff --git a/resources/chaosknoten/grafana/docker_compose/prometheus.yml b/resources/chaosknoten/grafana/docker_compose/prometheus.yml
index fd59034a..7f94ab04 100644
--- a/resources/chaosknoten/grafana/docker_compose/prometheus.yml
+++ b/resources/chaosknoten/grafana/docker_compose/prometheus.yml
@@ -82,41 +82,6 @@ scrape_configs:
         target_label: instance
       - target_label: __address__
         replacement: pve-exporter:9221
-  - job_name: hosts
-    static_configs:
-      # Wieske Chaosknoten VMs
-      - labels:
-          org: ccchh
-          site: wieske
-          type: virtual_machine
-          hypervisor: chaosknoten
-        targets:
-          - netbox-intern.hamburg.ccc.de:9100
-          - matrix-intern.hamburg.ccc.de:9100
-          - public-web-static-intern.hamburg.ccc.de:9100
-          - git-intern.hamburg.ccc.de:9100
-          - forgejo-actions-runner-intern.hamburg.ccc.de:9100
-          - eh22-wiki-intern.hamburg.ccc.de:9100
-          - mjolnir-intern.hamburg.ccc.de:9100
-          - woodpecker-intern.hamburg.ccc.de:9100
-          - penpot-intern.hamburg.ccc.de:9100
-          - jitsi.hamburg.ccc.de:9100
-          - onlyoffice-intern.hamburg.ccc.de:9100
-          - ccchoir-intern.hamburg.ccc.de:9100
-          - tickets-intern.hamburg.ccc.de:9100
-          - keycloak-intern.hamburg.ccc.de:9100
-          - onlyoffice-intern.hamburg.ccc.de:9100
-          - pad-intern.hamburg.ccc.de:9100
-          - wiki-intern.hamburg.ccc.de:9100
-          - zammad-intern.hamburg.ccc.de:9100
-          - pretalx-intern.hamburg.ccc.de:9100
-      - labels:
-          org: ccchh
-          site: wieske
-          type: physical_machine
-        targets:
-          - chaosknoten.hamburg.ccc.de:9100
-
 
 storage:
   tsdb:
diff --git a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
index c5b68e1a..98f7f40b 100644
--- a/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf
@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
index e2bf4a78..8a509bee 100644
--- a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@@ -17,7 +17,6 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:50051 ssl;
-    listen 172.31.17.145:50051 ssl;
 
     http2 on;
 
@@ -59,7 +58,6 @@ server {
     server_name loki.hamburg.ccc.de;
 
     listen [::]:443 ssl;
-    listen 172.31.17.145:443 ssl;
 
     http2 on;
 
diff --git a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
index 2c525239..195b99dc 100644
--- a/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/grafana/nginx/metrics.hamburg.ccc.de.conf
@@ -9,7 +9,6 @@ server {
     allow 2a00:14b0:4200:3380::/64;
     allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
     # Z9
-    allow 2a07:c480:0:100::/56;
     allow 2a07:c481:1::/48;
     # fuxnoc
     allow 2a07:c481:0:1::/64;
@@ -18,7 +17,6 @@ server {
     server_name metrics.hamburg.ccc.de;
 
     listen [::]:443 ssl;
-    listen 172.31.17.145:443 ssl;
     http2 on;
 
     client_body_buffer_size 512k;
diff --git a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2 b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
index d91a2549..a260ab11 100644
--- a/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/keycloak/docker_compose/compose.yaml.j2
@@ -46,7 +46,7 @@ services:
       - "8080:8080"
 
   db:
-    image: docker.io/library/postgres:15.14@sha256:424e79b81868f5fc5cf515eaeac69d288692ebcca7db86d98f91b50d4bce64bb
+    image: docker.io/library/postgres:15.15
     restart: unless-stopped
     networks:
       - keycloak
diff --git a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
index 303b052c..82ba082d 100644
--- a/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/id.hamburg.ccc.de.conf
@@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
index 4a9cfe65..ecb7e2d4 100644
--- a/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/invite.hamburg.ccc.de.conf
@@ -3,12 +3,12 @@
 # Also see: https://www.keycloak.org/server/reverseproxy
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
index 2b0d919a..b2e7eece 100644
--- a/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/keycloak/nginx/keycloak-admin.hamburg.ccc.de.conf
@@ -7,12 +7,12 @@ server {
     ##listen [::]:443 ssl http2;
 
     # Listen on a custom port for the proxy protocol.
-    listen 8444 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml
index 8537ead0..cdfd70a2 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml
@@ -1,7 +1,7 @@
 services:
   mailman-core:
     restart: unless-stopped
-    image: docker.io/maxking/mailman-core:0.5@sha256:cb8e412bb18d74480f996da68f46e92473b6103995e71bc5aeba139b255cc3d2 # Use a specific version tag (tag latest is not published)
+    image: docker.io/maxking/mailman-core:0.5 # Use a specific version tag (tag latest is not published)
     container_name: mailman-core
     hostname: mailman-core
     volumes:
@@ -25,7 +25,7 @@ services:
 
   mailman-web:
     restart: unless-stopped
-    image: docker.io/maxking/mailman-web:0.5@sha256:014726db85586fb53541f66f6ce964bf07e939791cfd5ffc796cd6d243696a18 # Use a specific version tag (tag latest is not published)
+    image: docker.io/maxking/mailman-web:0.5 # Use a specific version tag (tag latest is not published)
     container_name: mailman-web
     hostname: mailman-web
     depends_on:
@@ -56,7 +56,7 @@ services:
       - POSTGRES_DB=mailmandb
       - POSTGRES_USER=mailman
       - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
-    image: docker.io/library/postgres:12-alpine@sha256:7c8f4870583184ebadf7f17a6513620aac5f365a7938dc6a6911c1d5df2f481a
+    image: docker.io/library/postgres:12-alpine
     volumes:
       - /opt/mailman/database:/var/lib/postgresql/data
     networks:
diff --git a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
index 55506866..0c2a3be0 100644
--- a/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/netbox/nginx/netbox.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2 b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
index 07e8d9ec..50df05d5 100644
--- a/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/ntfy/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
   ntfy:
-    image: docker.io/binwiederhier/ntfy:v2.14.0@sha256:5a051798d14138c3ecb12c038652558ab6a077e1aceeb867c151cbf5fa8451ef
+    image: docker.io/binwiederhier/ntfy:v2.15.0
     container_name: ntfy
     command:
       - serve
diff --git a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
index e7d404da..ebae48d1 100644
--- a/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/ntfy/nginx/ntfy.hamburg.ccc.de.conf
@@ -2,13 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl proxy_protocol;
+    listen [::]:8443 ssl proxy_protocol;
     http2 on;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2 b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
index 5c9a42a3..8bc37e93 100644
--- a/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/onlyoffice/docker_compose/compose.yaml.j2
@@ -4,7 +4,7 @@
 
 services:
   onlyoffice:
-    image: docker.io/onlyoffice/documentserver:9.1.0@sha256:34b92f4a67bfd939bd6b75893e8217556e3b977f81e49472f7e28737b741ba1d
+    image: docker.io/onlyoffice/documentserver:9.2.1
     restart: unless-stopped
     volumes:
       - "./onlyoffice/DocumentServer/logs:/var/log/onlyoffice"
diff --git a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
index 24715254..f3e77f17 100644
--- a/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/onlyoffice/nginx/onlyoffice.hamburg.ccc.de.conf
@@ -2,12 +2,13 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
index 70dc7e6a..790cf952 100644
--- a/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pad/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=hedgedoc"
       - "POSTGRES_PASSWORD={{ secret__hedgedoc_db_password }}"
@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   app:
-    image: quay.io/hedgedoc/hedgedoc:1.10.3@sha256:ca58fd73ecf05c89559b384fb7a1519c18c8cbba5c21a0018674ed820b9bdb73
+    image: quay.io/hedgedoc/hedgedoc:1.10.5
     environment:
       - "CMD_DB_URL=postgres://hedgedoc:{{ secret__hedgedoc_db_password }}@database:5432/hedgedoc"
       - "CMD_DOMAIN=pad.hamburg.ccc.de"
diff --git a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
index 53d0a0df..cf49d232 100644
--- a/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pad/nginx/pad.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 243a468d..091d1133 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
 
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=pretalx"
       - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
@@ -15,7 +15,7 @@ services:
       - pretalx_net
 
   redis:
-    image: docker.io/library/redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
+    image: docker.io/library/redis:8.4.0
     restart: unless-stopped
     volumes:
       - redis:/data
@@ -23,7 +23,7 @@ services:
       - pretalx_net
 
   static:
-    image: docker.io/library/nginx:1.29.3@sha256:f547e3d0d5d02f7009737b284abc87d808e4252b42dceea361811e9fc606287f
+    image: docker.io/library/nginx:1.29.4
     restart: unless-stopped
     volumes:
       - public:/usr/share/nginx/html
@@ -33,7 +33,7 @@ services:
       - pretalx_net
 
   pretalx:
-    image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
+    image: docker.io/pretalx/standalone:v2025.1.0
     entrypoint: gunicorn
     command:
       - "pretalx.wsgi"
@@ -78,7 +78,7 @@ services:
       - pretalx_net
 
   celery:
-    image: docker.io/pretalx/standalone:v2025.1.0@sha256:fb2d15f11bcae8bb15430084ed81a150cfdf7c79705450583b51e352ba486e8e
+    image: docker.io/pretalx/standalone:v2025.1.0
     command:
       - taskworker
     restart: unless-stopped
diff --git a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
index 0fa99e7f..a4f5bb93 100644
--- a/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
+++ b/resources/chaosknoten/pretalx/nginx/cfp.eh22.easterhegg.eu.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
index f12067ab..d66e9770 100644
--- a/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/pretalx/nginx/pretalx.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
index 165e1664..c5ef0ea1 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/acme_challenge.conf
@@ -4,33 +4,33 @@ map $host $upstream_acme_challenge_host {
     c3cat.de 172.31.17.151:31820;
     www.c3cat.de 172.31.17.151:31820;
     staging.c3cat.de 172.31.17.151:31820;
-    ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    www.ccchoir.de ccchoir-intern.hamburg.ccc.de:31820;
-    cloud.hamburg.ccc.de 172.31.17.143:31820;
+    ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:31820;
+    cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:31820;
     element.hamburg.ccc.de 172.31.17.151:31820;
     git.hamburg.ccc.de 172.31.17.154:31820;
-    grafana.hamburg.ccc.de 172.31.17.145:31820;
+    grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:31820;
     hackertours.hamburg.ccc.de 172.31.17.151:31820;
     staging.hackertours.hamburg.ccc.de 172.31.17.151:31820;
     hamburg.ccc.de 172.31.17.151:31820;
-    id.hamburg.ccc.de 172.31.17.144:31820;
-    invite.hamburg.ccc.de 172.31.17.144:31820;
-    keycloak-admin.hamburg.ccc.de 172.31.17.144:31820;
+    id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
+    keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:31820;
     matrix.hamburg.ccc.de 172.31.17.150:31820;
     mas.hamburg.ccc.de 172.31.17.150:31820;
     element-admin.hamburg.ccc.de 172.31.17.151:31820;
-    netbox.hamburg.ccc.de 172.31.17.167:31820;
-    onlyoffice.hamburg.ccc.de 172.31.17.147:31820;
-    pad.hamburg.ccc.de 172.31.17.141:31820;
-    pretalx.hamburg.ccc.de 172.31.17.157:31820;
+    netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:31820;
+    onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:31820;
+    pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:31820;
+    pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:31820;
     spaceapi.hamburg.ccc.de 172.31.17.151:31820;
     staging.hamburg.ccc.de 172.31.17.151:31820;
-    wiki.ccchh.net 172.31.17.146:31820;
-    wiki.hamburg.ccc.de 172.31.17.146:31820;
+    wiki.ccchh.net wiki.hosts.hamburg.ccc.de:31820;
+    wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:31820;
     www.hamburg.ccc.de 172.31.17.151:31820;
-    tickets.hamburg.ccc.de 172.31.17.148:31820;
-    sunders.hamburg.ccc.de 172.31.17.170:31820;
-    zammad.hamburg.ccc.de 172.31.17.152:31820;
+    tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:31820;
+    sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:31820;
+    zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:31820;
     eh03.easterhegg.eu 172.31.17.151:31820;
     eh05.easterhegg.eu 172.31.17.151:31820;
     eh07.easterhegg.eu 172.31.17.151:31820;
@@ -38,7 +38,7 @@ map $host $upstream_acme_challenge_host {
     eh11.easterhegg.eu 172.31.17.151:31820;
     eh20.easterhegg.eu 172.31.17.151:31820;
     www.eh20.easterhegg.eu 172.31.17.151:31820;
-    eh22.easterhegg.eu 172.31.17.165:31820;
+    eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:31820;
     easterheggxxxx.hamburg.ccc.de 172.31.17.151:31820;
     eh2003.hamburg.ccc.de 172.31.17.151:31820;
     www.eh2003.hamburg.ccc.de 172.31.17.151:31820;
@@ -73,11 +73,16 @@ map $host $upstream_acme_challenge_host {
     design.hamburg.ccc.de 172.31.17.162:31820;
     hydra.hamburg.ccc.de 172.31.17.163:31820;
     cfp.eh22.easterhegg.eu 172.31.17.157:31820;
-    ntfy.hamburg.ccc.de 172.31.17.149:31820;
+    ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:31820;
     cryptoparty-hamburg.de 172.31.17.151:31820;
     cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
     staging.cryptoparty-hamburg.de 172.31.17.151:31820;
     staging.cryptoparty.hamburg.ccc.de 172.31.17.151:31820;
+    spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:31820;
+    cpu.ccc.de 172.31.17.151:31820;
+    lokal.ccc.de 172.31.17.151:31820;
+    local.ccc.de 172.31.17.151:31820;
+    acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:31820;
     default "";
 }
 
diff --git a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
index 4a449f5b..a8b27fcd 100644
--- a/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
+++ b/resources/chaosknoten/public-reverse-proxy/nginx/nginx.conf
@@ -18,21 +18,21 @@ stream {
     resolver 212.12.50.158 192.76.134.90;
 
     map $ssl_preread_server_name $address {
-        ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        www.ccchoir.de ccchoir-intern.hamburg.ccc.de:8443;
-        cloud.hamburg.ccc.de cloud-intern.hamburg.ccc.de:8443;
-        pad.hamburg.ccc.de pad-intern.hamburg.ccc.de:8443;
-        pretalx.hamburg.ccc.de pretalx-intern.hamburg.ccc.de:8443;
-        id.hamburg.ccc.de 172.31.17.144:8443;
-        invite.hamburg.ccc.de 172.31.17.144:8443;
-        keycloak-admin.hamburg.ccc.de 172.31.17.144:8444;
-        grafana.hamburg.ccc.de 172.31.17.145:8443;
-        wiki.ccchh.net 172.31.17.146:8443;
-        wiki.hamburg.ccc.de 172.31.17.146:8443;
-        onlyoffice.hamburg.ccc.de 172.31.17.147:8443;
+        ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        www.ccchoir.de ccchoir.hosts.hamburg.ccc.de:8443;
+        cloud.hamburg.ccc.de cloud.hosts.hamburg.ccc.de:8443;
+        pad.hamburg.ccc.de pad.hosts.hamburg.ccc.de:8443;
+        pretalx.hamburg.ccc.de pretalx.hosts.hamburg.ccc.de:8443;
+        id.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        invite.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        keycloak-admin.hamburg.ccc.de keycloak.hosts.hamburg.ccc.de:8443;
+        grafana.hamburg.ccc.de grafana.hosts.hamburg.ccc.de:8443;
+        wiki.ccchh.net wiki.hosts.hamburg.ccc.de:8443;
+        wiki.hamburg.ccc.de wiki.hosts.hamburg.ccc.de:8443;
+        onlyoffice.hamburg.ccc.de onlyoffice.hosts.hamburg.ccc.de:8443;
         hackertours.hamburg.ccc.de 172.31.17.151:8443;
         staging.hackertours.hamburg.ccc.de 172.31.17.151:8443;
-        netbox.hamburg.ccc.de 172.31.17.167:8443;
+        netbox.hamburg.ccc.de netbox.hosts.hamburg.ccc.de:8443;
         matrix.hamburg.ccc.de 172.31.17.150:8443;
         mas.hamburg.ccc.de 172.31.17.150:8443;
         element-admin.hamburg.ccc.de 172.31.17.151:8443;
@@ -42,9 +42,9 @@ stream {
         hamburg.ccc.de 172.31.17.151:8443;
         staging.hamburg.ccc.de 172.31.17.151:8443;
         spaceapi.hamburg.ccc.de 172.31.17.151:8443;
-        tickets.hamburg.ccc.de 172.31.17.148:8443;
-        sunders.hamburg.ccc.de 172.31.17.170:8443;
-        zammad.hamburg.ccc.de 172.31.17.152:8443;
+        tickets.hamburg.ccc.de tickets.hosts.hamburg.ccc.de:8443;
+        sunders.hamburg.ccc.de sunders.hosts.hamburg.ccc.de:8443;
+        zammad.hamburg.ccc.de zammad.hosts.hamburg.ccc.de:8443;
         c3cat.de 172.31.17.151:8443;
         www.c3cat.de 172.31.17.151:8443;
         staging.c3cat.de 172.31.17.151:8443;
@@ -56,7 +56,7 @@ stream {
         eh11.easterhegg.eu 172.31.17.151:8443;
         eh20.easterhegg.eu 172.31.17.151:8443;
         www.eh20.easterhegg.eu 172.31.17.151:8443;
-        eh22.easterhegg.eu 172.31.17.165:8443;
+        eh22.easterhegg.eu eh22-wiki.hosts.hamburg.ccc.de:8443;
         easterheggxxxx.hamburg.ccc.de 172.31.17.151:8443;
         eh2003.hamburg.ccc.de 172.31.17.151:8443;
         www.eh2003.hamburg.ccc.de 172.31.17.151:8443;
@@ -90,12 +90,17 @@ stream {
         woodpecker.hamburg.ccc.de 172.31.17.160:8443;
         design.hamburg.ccc.de 172.31.17.162:8443;
         hydra.hamburg.ccc.de 172.31.17.163:8443;
-        cfp.eh22.easterhegg.eu pretalx-intern.hamburg.ccc.de:8443;
-        ntfy.hamburg.ccc.de 172.31.17.149:8443;
+        cfp.eh22.easterhegg.eu pretalx.hosts.hamburg.ccc.de:8443;
+        ntfy.hamburg.ccc.de ntfy.hosts.hamburg.ccc.de:8443;
         cryptoparty-hamburg.de 172.31.17.151:8443;
         cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
         staging.cryptoparty-hamburg.de 172.31.17.151:8443;
         staging.cryptoparty.hamburg.ccc.de 172.31.17.151:8443;
+        spaceapi.ccc.de spaceapiccc.hosts.hamburg.ccc.de:8443;
+        cpu.ccc.de 172.31.17.151:8443;
+        lokal.ccc.de 172.31.17.151:8443;
+        local.ccc.de 172.31.17.151:8443;
+        acmedns.hamburg.ccc.de acmedns.hosts.hamburg.ccc.de:8443;
     }
 
     server {
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
new file mode 100644
index 00000000..ca62a972
--- /dev/null
+++ b/resources/chaosknoten/router/nftables/nftables.conf
@@ -0,0 +1,95 @@
+#!/usr/sbin/nft -f
+
+## Variables
+
+# Interfaces
+define if_net1_v4_wan = "net1"
+define if_net2_v6_wan = "net2"
+define if_net0_2_v4_nat = "net0.2"
+define if_net0_3_ci_runner = "net0.3"
+
+# Interface Groups
+define wan_ifs = { $if_net1_v4_wan,
+                   $if_net2_v6_wan }
+define lan_ifs = { $if_net0_2_v4_nat,
+                   $if_net0_3_ci_runner }
+# define v4_exposed_ifs = { }
+define v6_exposed_ifs = { $if_net0_2_v4_nat }
+
+
+## Rules
+
+table inet reverse-path-forwarding {
+    chain rpf-filter {
+        type filter hook prerouting priority mangle + 10; policy drop;
+
+        # Only allow packets if their source address is routed via their incoming interface.
+        # https://github.com/NixOS/nixpkgs/blob/d9d87c51960050e89c79e4025082ed965e770d68/nixos/modules/services/networking/firewall-nftables.nix#L100
+        fib saddr . mark . iif oif exists accept
+    }
+}
+
+table inet host {
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname "lo" accept comment "allow loopback"
+
+        ct state invalid drop
+        ct state established,related accept
+
+		ip protocol icmp accept
+        # ICMPv6
+        # https://datatracker.ietf.org/doc/html/rfc4890#autoid-24
+        # Allowlist consisting of: "Traffic That Must Not Be Dropped" and "Traffic That Normally Should Not Be Dropped"
+        # Error messages that are essential to the establishment and maintenance of communications:
+        icmpv6 type { destination-unreachable, packet-too-big } accept
+        icmpv6 type { time-exceeded } accept
+        icmpv6 type { parameter-problem } accept
+        # Connectivity checking messages:
+        icmpv6 type { echo-request, echo-reply } accept
+        # Address Configuration and Router Selection messages:
+        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } accept
+        # Link-Local Multicast Receiver Notification messages:
+        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } accept
+        # SEND Certificate Path Notification messages:
+        icmpv6 type { 148, 149 } accept
+        # Multicast Router Discovery messages:
+        icmpv6 type { 151, 152, 153 } accept
+
+        # Allow SSH access.
+        tcp dport 22 accept comment "allow ssh access"
+
+        # Allow DHCP server access.
+		iifname { $if_net0_2_v4_nat, $if_net0_3_ci_runner } udp dport 67 accept comment "allow dhcp server access"
+    }
+}
+
+table ip v4nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        oifname $if_net1_v4_wan masquerade
+    }
+}
+
+table inet forward {
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state invalid drop
+        ct state established,related accept
+
+        # Allow internet access.
+		meta nfproto ipv6 iifname $lan_ifs oifname $if_net2_v6_wan accept comment "allow v6 internet access"
+		meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
+
+        # Allow access to exposed networks from internet.
+        # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+        meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
+    }
+}
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net0.link b/resources/chaosknoten/router/systemd_networkd/00-net0.link
new file mode 100644
index 00000000..0c55d133
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/00-net0.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:54:11:15
+Type=ether
+
+[Link]
+Name=net0
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net1.link b/resources/chaosknoten/router/systemd_networkd/00-net1.link
new file mode 100644
index 00000000..ef04d043
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/00-net1.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:9A:FB:34
+Type=ether
+
+[Link]
+Name=net1
diff --git a/resources/chaosknoten/router/systemd_networkd/00-net2.link b/resources/chaosknoten/router/systemd_networkd/00-net2.link
new file mode 100644
index 00000000..2a56f728
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/00-net2.link
@@ -0,0 +1,6 @@
+[Match]
+MACAddress=BC:24:11:AE:C7:04
+Type=ether
+
+[Link]
+Name=net2
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
new file mode 100644
index 00000000..a46afb49
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.2-v4_nat.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=net0.2
+Kind=vlan
+
+[VLAN]
+Id=2
+
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
new file mode 100644
index 00000000..0cd60db5
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.3-ci_runner.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name=net0.3
+Kind=vlan
+
+[VLAN]
+Id=3
+
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
new file mode 100644
index 00000000..a32d75ea
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
@@ -0,0 +1,12 @@
+[Match]
+Name=net0
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+VLAN=net0.2
+VLAN=net0.3
+
+LinkLocalAddressing=no
+
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net1.network b/resources/chaosknoten/router/systemd_networkd/20-net1.network
new file mode 100644
index 00000000..5c14d8d8
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net1.network
@@ -0,0 +1,12 @@
+[Match]
+Name=net1
+
+[Network]
+DNS=212.12.50.158
+IPv6AcceptRA=no
+
+[Address]
+Address=212.12.48.123/24
+
+[Route]
+Gateway=212.12.48.55
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net2.network b/resources/chaosknoten/router/systemd_networkd/20-net2.network
new file mode 100644
index 00000000..39d1f03f
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/20-net2.network
@@ -0,0 +1,12 @@
+[Match]
+Name=net2
+
+[Network]
+#DNS=212.12.50.158
+IPv6AcceptRA=no
+
+[Address]
+Address=2a00:14b0:4200:3500::130:2/112
+
+[Route]
+Gateway=2a00:14b0:4200:3500::130:1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
new file mode 100644
index 00000000..b15259d6
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.2-v4_nat.network
@@ -0,0 +1,29 @@
+[Match]
+Name=net0.2
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=v4-NAT
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+DHCPServer=true
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=150
+
+[Address]
+Address=10.32.2.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:102::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
new file mode 100644
index 00000000..9caca86c
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.3-ci_runners.network
@@ -0,0 +1,29 @@
+[Match]
+Name=net0.3
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=ci-runners
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+DHCPServer=true
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=150
+
+[Address]
+Address=10.32.3.1/24
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:103::/64
+Assign=true
+Token=static:::1
diff --git a/resources/chaosknoten/router/systemd_networkd_global_config.conf b/resources/chaosknoten/router/systemd_networkd_global_config.conf
new file mode 100644
index 00000000..2d3d8a34
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd_global_config.conf
@@ -0,0 +1,3 @@
+[Network]
+IPv4Forwarding=true
+IPv6Forwarding=true
diff --git a/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2 b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2
new file mode 100644
index 00000000..67e4b581
--- /dev/null
+++ b/resources/chaosknoten/spaceapiccc/docker_compose/compose.yaml.j2
@@ -0,0 +1,39 @@
+---
+services:
+    frontend:
+        #build: ./frontend
+        networks:
+            spaceapi-network:
+                ipv4_address: 172.16.238.10
+        image: gidsi/spaceapi-ccc-frontend:saved_from_old_host
+        restart: always
+        expose:
+            - "80"
+        depends_on:
+            - backend
+    backend:
+        #build: ./backend
+        networks:
+          - spaceapi-network
+        image: gidsi/spaceapi-ccc-backend:saved_from_old_host
+        restart: always
+        environment:
+            SHARED_SECRET: "{{ secret__spaceapiccc__shared_secret }}"
+            DOKU_WIKI_USER: "{{ secret__spaceapiccc__doku_ccc_de__username }}"
+            DOKU_WIKI_PASSWORD: "{{ secret__spaceapiccc__doku_ccc_de__password }}"
+        depends_on:
+            - database
+    database:
+        image: mongo:saved_from_old_host
+        networks:
+          - spaceapi-network
+        restart: always
+        volumes:
+          - ./data/database:/data/db
+
+networks:
+    spaceapi-network:
+        ipam:
+            driver: default
+            config:
+                - subnet: 172.16.238.0/24
diff --git a/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf b/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf
new file mode 100644
index 00000000..8904f5de
--- /dev/null
+++ b/resources/chaosknoten/spaceapiccc/nginx/spaceapi.ccc.de.conf
@@ -0,0 +1,42 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen [::]:8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    server_name spaceapi.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/spaceapi.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/spaceapi.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/spaceapi.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
+    # is transparent).
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location / {
+        proxy_pass http://172.16.238.10/;
+    }
+}
diff --git a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2 b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
index fbec2583..1df2bcae 100644
--- a/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/sunders/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@
 
 services:
   db:
-    image: mariadb:12.0.2
+    image: mariadb:12.1.2
     command: --max_allowed_packet=3250585600
     environment:
       MYSQL_ROOT_PASSWORD: "{{ secret__sunders_db_root_password }}"
diff --git a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
index 04cc006c..185c005a 100644
--- a/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/sunders/nginx/sunders.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2 b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
index deb9f509..938883b0 100644
--- a/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/tickets/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
   database:
-    image: docker.io/library/postgres:15-alpine@sha256:64583b3cb4f2010277bdd9749456de78e5c36f8956466ba14b0b96922e510950
+    image: docker.io/library/postgres:15-alpine
     environment:
       - "POSTGRES_USER=pretix"
       - "POSTGRES_PASSWORD={{ secret__pretix_db_password }}"
@@ -13,7 +13,7 @@ services:
     restart: unless-stopped
 
   redis:
-    image: docker.io/library/redis:7.4.6@sha256:a9cc41d6d01da2aa26c219e4f99ecbeead955a7b656c1c499cce8922311b2514
+    image: docker.io/library/redis:7.4.7
     ports:
       - "6379:6379"
     volumes:
@@ -25,7 +25,7 @@ services:
       backend:
 
   pretix:
-    image: docker.io/pretix/standalone:2024.8@sha256:110bac37efa5f736227f158f38e421ed738d03dccc274dfb415b258ab0f75cfe
+    image: docker.io/pretix/standalone:2024.8
     command: ["all"]
     ports:
       - "8345:80"
diff --git a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
index 40882d8f..e93ff935 100644
--- a/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/tickets/nginx/tickets.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -38,11 +38,7 @@ server {
 
     location = / {
         #return 302 https://wiki.hamburg.ccc.de/infrastructure:service-overview#tickets_pretix;
-        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
-    }
-
-    location = /hackertours/eh22/ {
-        return 302 https://tickets.hamburg.ccc.de/hackertours/eh22ht/;
+        return 302 https://tickets.hamburg.ccc.de/hackertours/39c3ht/;
     }
 
     location / {
diff --git a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
index a564fc2f..d89b5b88 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.ccchh.net.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
@@ -21,6 +21,6 @@ server {
 
     # HSTS (ngx_http_headers_module is required) (63072000 seconds)
     add_header Strict-Transport-Security "max-age=63072000" always;
-    
+
     return 302 https://wiki.hamburg.ccc.de$request_uri;
 }
diff --git a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
index ccdd2247..5065c1d7 100644
--- a/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/wiki/nginx/wiki.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
index c1f91827..b94cb5c2 100644
--- a/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
+++ b/resources/chaosknoten/zammad/nginx/zammad.hamburg.ccc.de.conf
@@ -2,12 +2,12 @@
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
     # Listen on a custom port for the proxy protocol.
-    listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
     # First set our proxy protocol proxy as trusted.
-    set_real_ip_from 172.31.17.140;
+    set_real_ip_from 2a00:14b0:4200:3000:125::1;
     # Then tell the realip_module to get the addreses from the proxy protocol
     # header.
     real_ip_header proxy_protocol;
diff --git a/resources/external/status/docker_compose/compose.yaml.j2 b/resources/external/status/docker_compose/compose.yaml.j2
new file mode 100644
index 00000000..ae5681be
--- /dev/null
+++ b/resources/external/status/docker_compose/compose.yaml.j2
@@ -0,0 +1,37 @@
+# https://gatus.io/
+# https://github.com/TwiN/gatus
+# https://github.com/TwiN/gatus/blob/master/.examples/docker-compose-postgres-storage/compose.yaml
+
+services:
+  database:
+    image: docker.io/library/postgres:18.1
+    volumes:
+      - ./database:/var/lib/postgresql
+    environment:
+      - "POSTGRES_DB=gatus"
+      - "POSTGRES_USER=gatus"
+      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+    networks:
+      - gatus
+
+  gatus:
+    image: ghcr.io/twin/gatus:v5.34.0
+    restart: always
+    ports:
+      - "8080:8080"
+    environment:
+      - "GATUS_CONFIG_PATH=/config"
+      - "POSTGRES_DB=gatus"
+      - "POSTGRES_USER=gatus"
+      - "POSTGRES_PASSWORD={{ secret__gatus_db_password }}"
+      - "MATRIX_ACCESS_TOKEN={{ secret__gatus_matrix_access_token }}"
+      - "ACME_DNS_UPDATE_TEST_X_API_KEY={{ secret__gatus_acme_dns_update_test_x_api_key }}"
+    volumes:
+      - ./configs:/config
+    networks:
+      - gatus
+    depends_on:
+      - database
+
+networks:
+  gatus:
diff --git a/resources/external/status/docker_compose/config/easterhegg-websites.yaml b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
new file mode 100644
index 00000000..97ba482c
--- /dev/null
+++ b/resources/external/status/docker_compose/config/easterhegg-websites.yaml
@@ -0,0 +1,305 @@
+# Easterhegg Websites and Websites (Redirects)
+# (hosted on public-web-static)
+# One could probably also generate this list from the public-web-static config.
+easterhegg-websites-defaults: &easterhegg_websites_defaults
+  group: Websites
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "12h"
+      send-on-resolved: true
+
+easterhegg-websites-redirects-defaults: &easterhegg_websites_redirects_defaults
+  group: Websites (Redirects)
+  interval: 15m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+endpoints:
+  # Websites
+  - name: eh03.easterhegg.eu
+    url: "https://eh03.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: eh05.easterhegg.eu
+    url: "https://eh05.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: eh07.easterhegg.eu
+    url: "https://eh07.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: eh09.easterhegg.eu
+    url: "https://eh09.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: eh11.easterhegg.eu
+    url: "https://eh11.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: eh20.easterhegg.eu
+    url: "https://eh20.easterhegg.eu"
+    <<: *easterhegg_websites_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"
+
+  # Websites (Redirects)
+  # eh03.easterhegg.eu
+  - name: eh2003.hamburg.ccc.de
+    url: "https://eh2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: www.eh2003.hamburg.ccc.de
+    url: "https://www.eh2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: easterhegg2003.hamburg.ccc.de
+    url: "https://easterhegg2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  - name: www.easterhegg2003.hamburg.ccc.de
+    url: "https://www.easterhegg2003.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easter(h)egg 2003*)"
+
+  # eh05.easterhegg.eu
+  - name: eh2005.hamburg.ccc.de
+    url: "https://eh2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: www.eh2005.hamburg.ccc.de
+    url: "https://www.eh2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: easterhegg2005.hamburg.ccc.de
+    url: "https://easterhegg2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  - name: www.easterhegg2005.hamburg.ccc.de
+    url: "https://www.easterhegg2005.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2005 - The workshop weekend*)"
+
+  # eh07.easterhegg.eu
+  - name: eh2007.hamburg.ccc.de
+    url: "https://eh2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.eh2007.hamburg.ccc.de
+    url: "https://www.eh2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: eh07.hamburg.ccc.de
+    url: "https://eh07.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.eh07.hamburg.ccc.de
+    url: "https://www.eh07.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: easterhegg2007.hamburg.ccc.de
+    url: "https://easterhegg2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  - name: www.easterhegg2007.hamburg.ccc.de
+    url: "https://www.easterhegg2007.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2007 - The Workshop weekend*)"
+
+  # eh09.easterhegg.eu
+  - name: eh2009.hamburg.ccc.de
+    url: "https://eh2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.eh2009.hamburg.ccc.de
+    url: "https://www.eh2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: eh09.hamburg.ccc.de
+    url: "https://eh09.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.eh09.hamburg.ccc.de
+    url: "https://www.eh09.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: easterhegg2009.hamburg.ccc.de
+    url: "https://easterhegg2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  - name: www.easterhegg2009.hamburg.ccc.de
+    url: "https://www.easterhegg2009.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2009*)"
+
+  # eh11.easterhegg.eu
+  - name: eh2011.hamburg.ccc.de
+    url: "https://eh2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.eh2011.hamburg.ccc.de
+    url: "https://www.eh2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: eh11.hamburg.ccc.de
+    url: "https://eh11.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.eh11.hamburg.ccc.de
+    url: "https://www.eh11.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: easterhegg2011.hamburg.ccc.de
+    url: "https://easterhegg2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  - name: www.easterhegg2011.hamburg.ccc.de
+    url: "https://www.easterhegg2011.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*Easterhegg 2011*)"
+
+  # eh20.easterhegg.eu
+  - name: www.eh20.easterhegg.eu
+    url: "https://www.eh20.easterhegg.eu"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"
+
+  - name: eh20.hamburg.ccc.de
+    url: "https://eh20.hamburg.ccc.de"
+    <<: *easterhegg_websites_redirects_defaults
+    conditions:
+      - "[status] == 200"
+      - "[certificate_expiration] > 48h"
+      - "[BODY] == pat(*EH20 - Back to root*)"
diff --git a/resources/external/status/docker_compose/config/general.yaml b/resources/external/status/docker_compose/config/general.yaml
new file mode 100644
index 00000000..53c620de
--- /dev/null
+++ b/resources/external/status/docker_compose/config/general.yaml
@@ -0,0 +1,38 @@
+storage:
+  type: postgres
+  path: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@database:5432/${POSTGRES_DB}?sslmode=disable"
+  maximum-number-of-results: 240 # Default are 100. 240 are 4h for 1m interval checks.
+  maximum-number-of-events: 1000 # Default are 50. Let's keep a long history here - 1000 should suffice for a year with around 3 events a day.
+
+ui:
+  title: CCCHH Status
+  description: Automated uptime monitoring and status page for CCCHH services. Powered by Gatus.
+  header: CCCHH Status
+  buttons:
+    - name: Website
+      link: "https://hamburg.ccc.de"
+    - name: Git
+      link: "https://git.hamburg.ccc.de"
+    - name: Kontakt & Impressum
+      link: "https://hamburg.ccc.de/imprint/"
+  default-sort-by: group
+
+alerting:
+  # matrix:
+  #   server-url: "https://matrix.nekover.se"
+  #   access-token: "${MATRIX_ACCESS_TOKEN}"
+  #   internal-room-id: "!jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ"
+  custom:
+    url: "https://matrix.nekover.se/_matrix/client/v3/rooms/%21jG755onbGAH-lZsZo8SRKtlsncSMvq7nzPhwCi5CgdQ/send/m.room.message"
+    method: "POST"
+    body: |
+      {
+        "msgtype": "m.text",
+        "body": "[ALERT_TRIGGERED_OR_RESOLVED]: [ENDPOINT_GROUP] - [ENDPOINT_NAME] - [ALERT_DESCRIPTION] - [RESULT_ERRORS]"
+      }
+    headers:
+      Authorization: "Bearer ${MATRIX_ACCESS_TOKEN}"
+
+
+# A bit more than the default 5 concurrent checks should be fine.
+concurrency: 15
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
new file mode 100644
index 00000000..2c7d59f0
--- /dev/null
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
@@ -0,0 +1,311 @@
+# Services (Chaosknoten)
+services-chaosknoten-defaults: &services_chaosknoten_defaults
+  group: Services (Chaosknoten)
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+endpoints:
+  - name: ACME DNS (main page/login)
+    url: "https://acmedns.hamburg.ccc.de"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*OAuth2 Proxy*)"
+
+  - name: ACME DNS (health endpoint)
+    url: "https://acmedns.hamburg.ccc.de/health"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+
+  - name: ACME DNS (update endpoint)
+    url: "https://acmedns.hamburg.ccc.de/update"
+    <<: *services_chaosknoten_defaults
+    method: POST
+    # acme-dns validates that the value for the txt is 43 characters long.
+    # https://github.com/joohoi/acme-dns/blob/b7a0a8a7bcef39f6158dd596fe716594a170d362/validation.go#L34-L41
+    body: |
+      {
+        "subdomain": "c621ef99-3da9-4ef6-a152-3a82b9b720f8",
+        "txt": "________________gatus_test_________________"
+      }
+    headers:
+      X-Api-User: "b897048a-1526-42aa-bc24-e4dfd654b722"
+      X-Api-Key: "${ACME_DNS_UPDATE_TEST_X_API_KEY}"
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].txt == ________________gatus_test_________________"
+
+  - name: ACME DNS (DNS)
+    url: "acmedns.hosts.hamburg.ccc.de"
+    <<: *services_chaosknoten_defaults
+    dns:
+      query-name: "c621ef99-3da9-4ef6-a152-3a82b9b720f8.auth.acmedns.hamburg.ccc.de"
+      query-type: "TXT"
+    conditions:
+      - "[DNS_RCODE] == NOERROR"
+      # error: query type is not supported yet
+      # apparently TXT records aren't supported yet.
+      # - "[BODY] == ________________gatus_test_________________"
+
+  - name: CCCHH ID/Keycloak (main page/account console)
+    url: "https://id.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*JavaScript is required to use the Account Console.*)"
+
+  - name: CCCHH ID/Keycloak (ccchh realm)
+    url: "https://id.hamburg.ccc.de/realms/ccchh/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].realm == ccchh"
+
+  - name: ccchoir
+    url: "https://ccchoir.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*The Choir of the Chaos Computer Club*)"
+
+  - name: Cloud (status info)
+    url: "https://cloud.hamburg.ccc.de/status.php"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].installed == true"
+      - "[BODY].maintenance == false"
+
+  - name: Cloud (main page/login)
+    url: "https://cloud.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sign in to CCCHH*)"
+
+  - name: cow (main page/login)
+    url: "https://cow.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*mailcow UI*)"
+
+  - name: cow (SMTP port 25)
+    url: "tcp://cow.hamburg.ccc.de:25"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (SMTPS port 465)
+    url: "tls://cow.hamburg.ccc.de:465"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (SMTP with STARTTLS port 587)
+    url: "starttls://cow.hamburg.ccc.de:587"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (IMAP port 143)
+    url: "tcp://cow.hamburg.ccc.de:143"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: cow (IMAPS port 465)
+    url: "tls://cow.hamburg.ccc.de:465"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Design/penpot
+    url: "https://design.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Penpot - Design Freedom for Teams*)"
+
+  - name: EH22 Website/Wiki
+    url: "https://eh22.easterhegg.eu/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2025*)"
+
+  - name: Git
+    url: "https://git.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*CCCHH Git*)"
+
+  - name: GitLab
+    url: "https://gitlab.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Moin beim Gitlab des CCC Hamburg!*)"
+
+  - name: Grafana
+    url: "https://grafana.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sign in to CCCHH*)"
+
+  - name: Jitsi
+    url: "https://jitsi.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Jitsi Meet*)"
+
+  - name: Lists
+    url: "https://lists.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Mailing Lists*)"
+
+  - name: Matrix
+    url: "https://matrix.hamburg.ccc.de/_matrix/client/versions"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "has([BODY].versions) == true"
+      - "has([BODY].unstable_features) == true"
+
+  - name: Mumble (tcp)
+    url: "tcp://mumble.hamburg.ccc.de:64738"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Mumble (udp)
+    url: "udp://mumble.hamburg.ccc.de:64738"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: NetBox
+    url: "https://NetBox.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*NetBox*)"
+
+  - name: ntfy
+    url: "https://ntfy.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*ntfy web requires JavaScript*)"
+
+  - name: OnlyOffice
+    url: "https://onlyoffice.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*ONLYOFFICE Docs Community Edition installed*)"
+
+  - name: Pad
+    url: "https://pad.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*HedgeDoc - Ideas grow better together*)"
+
+  - name: Pretalx (main page)
+    url: "https://pretalx.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*pretalx*)"
+
+  - name: Pretalx (EH22/Easterhegg 2025)
+    url: "https://cfp.eh22.easterhegg.eu/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Easterhegg 2025*)"
+      - "[BODY] == pat(*pretalx*)"
+
+  - name: SpaceAPI
+    url: "https://spaceapi.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY].space == CCCHH"
+
+  - name: Surveillance under Surveillance
+    url: "https://sunders.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Surveillance under Surveillance*)"
+
+  - name: Tickets/pretix
+    url: "https://tickets.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*pretix*)"
+
+  - name: Wiki
+    url: "https://wiki.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*CCCHH Wiki*)"
+
+  - name: Woodpecker
+    url: "https://woodpecker.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Woodpecker*)"
+
+  - name: Zammad
+    url: "https://zammad.hamburg.ccc.de/"
+    <<: *services_chaosknoten_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*zammad*)"
diff --git a/resources/external/status/docker_compose/config/sites.yaml b/resources/external/status/docker_compose/config/sites.yaml
new file mode 100644
index 00000000..a3444a6e
--- /dev/null
+++ b/resources/external/status/docker_compose/config/sites.yaml
@@ -0,0 +1,24 @@
+# Sites
+sites-defaults: &sites_defaults
+  group: Sites
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+endpoints:
+  - name: Chaosknoten/IRZ42
+    url: "icmp://chaosknoten.hamburg.ccc.de"
+    <<: *sites_defaults
+    conditions:
+      - "[CONNECTED] == true"
+
+  - name: Z9
+    url: "icmp://185.161.129.129"
+    <<: *sites_defaults
+    conditions:
+      - "[CONNECTED] == true"
diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml
new file mode 100644
index 00000000..964a8669
--- /dev/null
+++ b/resources/external/status/docker_compose/config/websites.yaml
@@ -0,0 +1,209 @@
+# Websites, Websites (Staging) and Websites (Redirects)
+# (hosted on public-web-static)
+# One could probably also generate this list from the public-web-static config.
+websites-defaults: &websites_defaults
+  group: Websites
+  interval: 1m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 5
+      success-threshold: 2
+      minimum-reminder-interval: "6h"
+      send-on-resolved: true
+
+websites-staging-defaults: &websites_staging_defaults
+  group: Websites (Staging)
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+websites-redirects-defaults: &websites_redirects_defaults
+  group: Websites (Redirects)
+  interval: 5m
+  alerts:
+    # - type: matrix
+    - type: custom
+      failure-threshold: 3
+      success-threshold: 1
+      minimum-reminder-interval: "24h"
+      send-on-resolved: true
+
+endpoints:
+  # Websites
+  - name: branding-resources.hamburg.ccc.de
+    url: "https://branding-resources.hamburg.ccc.de/logo/sources.txt"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*file:       ccchh-logo.png*)"
+
+  - name: c3cat.de
+    url: "https://c3cat.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+  - name: cpu.ccc.de
+    url: "https://cpu.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: cryptoparty-hamburg.de
+    url: "https://cryptoparty-hamburg.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+  - name: element-admin.hamburg.ccc.de
+    url: "https://element-admin.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Loading Element Admin*)"
+
+  - name: element.hamburg.ccc.de
+    url: "https://element.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Sorry, Element requires JavaScript to be enabled.*)"
+
+  - name: hacker.tours
+    url: "https://hacker.tours"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      # Once suites support alerting, we can also monitor the target as well.
+      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hacker.tours/de/\">*)"
+
+  - name: hackertours.hamburg.ccc.de
+    url: "https://hackertours.hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      # Once suites support alerting, we can also monitor the target as well.
+      - "[BODY] == pat(*<meta http-equiv=\"refresh\" content=\"0; url=https://hackertours.hamburg.ccc.de/de/\">*)"
+
+  - name: hamburg.ccc.de
+    url: "https://hamburg.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
+
+  - name: spaceapi.ccc.de
+    url: "https://spaceapi.ccc.de"
+    <<: *websites_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Kein Javascript, keine Kekse.*)"
+
+# Websites (Staging)
+  - name: staging.c3cat.de
+    url: "https://staging.c3cat.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*c3cat.de Staging Environment*)"
+
+  - name: staging.cryptoparty-hamburg.de
+    url: "https://staging.cryptoparty-hamburg.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+  - name: staging.hacker.tours
+    url: "https://staging.hacker.tours"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hacker.tours Staging Environment*)"
+
+  - name: staging.hackertours.hamburg.ccc.de
+    url: "https://staging.hackertours.hamburg.ccc.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hackertours.hamburg.ccc.de Staging Environment*)"
+
+  - name: staging.hamburg.ccc.de
+    url: "https://staging.hamburg.ccc.de"
+    <<: *websites_staging_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*hamburg.ccc.de Staging Environment*)"
+
+# Website (Redirects)
+  - name: www.c3cat.de
+    url: "https://www.c3cat.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Cat Ears Operation Center*)"
+
+  - name: cryptoparty.hamburg.ccc.de
+    url: "https://cryptoparty.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)"
+
+  - name: local.ccc.de
+    url: "https://local.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: lokal.ccc.de
+    url: "https://lokal.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cpu.ccc.de | aus den Dezentralen*)"
+
+  - name: staging.cryptoparty.hamburg.ccc.de
+    url: "https://staging.cryptoparty.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*cryptoparty-hamburg.de Staging Environment*)"
+
+  - name: www.hamburg.ccc.de
+    url: "https://www.hamburg.ccc.de"
+    <<: *websites_redirects_defaults
+    conditions:
+      - "[STATUS] == 200"
+      - "[CERTIFICATE_EXPIRATION] > 48h"
+      - "[BODY] == pat(*Wir sind der Chaos Computer Club der Hansestadt Hamburg.*)"
diff --git a/resources/external/status/nginx/http_handler.conf b/resources/external/status/nginx/http_handler.conf
new file mode 100644
index 00000000..c989edee
--- /dev/null
+++ b/resources/external/status/nginx/http_handler.conf
@@ -0,0 +1,14 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name status.hamburg.ccc.de;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}
diff --git a/resources/external/status/nginx/status.hamburg.ccc.de.conf b/resources/external/status/nginx/status.hamburg.ccc.de.conf
new file mode 100644
index 00000000..510966a8
--- /dev/null
+++ b/resources/external/status/nginx/status.hamburg.ccc.de.conf
@@ -0,0 +1,33 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    server_name status.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/status.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/status.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Port 443;
+    # This is https in any case.
+    proxy_set_header X-Forwarded-Proto https;
+    # Hide the X-Forwarded header.
+    proxy_hide_header X-Forwarded;
+    # Assume we are the only Reverse Proxy.
+    # Also provide "_hidden" for by, since it's not relevant.
+    proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
+
+    location / {
+        proxy_pass http://127.0.0.1:8080/;
+    }
+}
diff --git a/resources/z9/dooris/nginx/http_handler.conf b/resources/z9/dooris/nginx/http_handler.conf
new file mode 100644
index 00000000..8572664d
--- /dev/null
+++ b/resources/z9/dooris/nginx/http_handler.conf
@@ -0,0 +1,12 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}
diff --git a/resources/z9/light/nginx/http_handler.conf b/resources/z9/light/nginx/http_handler.conf
index d9b336c5..8572664d 100644
--- a/resources/z9/light/nginx/http_handler.conf
+++ b/resources/z9/light/nginx/http_handler.conf
@@ -1,14 +1,12 @@
 server {
     listen 80 default_server;
     listen [::]:80 default_server;
-    server_name _;
-
-    location /.well-known/acme-challenge/ {
-        autoindex on;
-        root /webroot-for-acme-challenge;
-    }
 
     location / {
         return 301 https://$host$request_uri;
     }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
 }
diff --git a/resources/z9/light/nginx/light.conf b/resources/z9/light/nginx/light.conf
index 9f70cf87..6217e045 100644
--- a/resources/z9/light/nginx/light.conf
+++ b/resources/z9/light/nginx/light.conf
@@ -1,15 +1,16 @@
 # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
 # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
     server_name light-werkstatt.ccchh.net;
 
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light-werkstatt.ccchh.net/privkey.pem;
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light-werkstatt.ccchh.net/chain.pem;
 
     # replace with the IP address of your resolver
     resolver 10.31.208.1;
@@ -25,15 +26,16 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    server_name light.z9.ccchh.net ;
+    server_name light.z9.ccchh.net;
 
-    ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/light.z9.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/light.z9.ccchh.net/privkey.pem;
     # verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/light.z9.ccchh.net/chain.pem;
 
     location / {
         return 307 https://light.ccchh.net$request_uri;
@@ -41,8 +43,9 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
     server_name light.ccchh.net;
 
diff --git a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2 b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2
index 52d57dfd..b6752faf 100644
--- a/resources/z9/waybackproxy/docker_compose/compose.yaml.j2
+++ b/resources/z9/waybackproxy/docker_compose/compose.yaml.j2
@@ -1,7 +1,7 @@
 services:
   # https://github.com/richardg867/WaybackProxy
   waybackproxy:
-    image: cttynul/waybackproxy:latest@sha256:e001d5b1d746522cd1ab2728092173c0d96f08086cbd3e49cdf1e298b8add22e
+    image: cttynul/waybackproxy:latest
     environment:
       DATE: 19990101
       DATE_TOLERANCE: 730
diff --git a/roles/alloy/defaults/main.yaml b/roles/alloy/defaults/main.yaml
new file mode 100644
index 00000000..09c99ee4
--- /dev/null
+++ b/roles/alloy/defaults/main.yaml
@@ -0,0 +1,44 @@
+alloy_config_default: |
+  prometheus.remote_write "default" {
+    endpoint {
+      url = "https://metrics.hamburg.ccc.de/api/v1/write"
+      basic_auth {
+        username = "chaos"
+        password = "chaos_password"
+      }
+    }
+  }
+
+  prometheus.relabel "common" {
+    forward_to = [prometheus.remote_write.default.receiver]
+    rule {
+      target_label = "org"
+      replacement = "noorg"
+    }
+    rule {
+      target_label = "site"
+      replacement = "nosite"
+    }
+    rule {
+      source_labels = ["instance"]
+      target_label = "instance"
+      regex  = "([^:]+)"
+      replacement = "${1}.hosts.test"
+      action = "replace"
+    }
+  }
+
+  logging {
+    level = "info"
+  }
+
+  prometheus.exporter.unix "local_system" {
+    enable_collectors = ["systemd"]
+  }
+
+  prometheus.scrape "scrape_metrics" {
+    targets           = prometheus.exporter.unix.local_system.targets
+    forward_to        = [prometheus.relabel.common.receiver]
+  }
+
+alloy_config_additional: ""
diff --git a/roles/alloy/tasks/main.yaml b/roles/alloy/tasks/main.yaml
new file mode 100644
index 00000000..5e3cd64c
--- /dev/null
+++ b/roles/alloy/tasks/main.yaml
@@ -0,0 +1,50 @@
+# https://github.com/grafana/grafana-ansible-collection/blob/main/roles/alloy/tasks/deploy.yml#L124
+- name: ensure alloy user exists
+  ansible.builtin.user:
+    name: alloy
+    system: true
+    append: true
+    create_home: false
+    state: present
+
+- name: ensure the `/etc/alloy/` config directory exists
+  ansible.builtin.file:
+    path: /etc/alloy
+    state: directory
+    mode: "0770"
+    owner: root
+    group: alloy
+  become: true
+
+- name: synchronize the additional configuration files directory, if present
+  when: alloy__additional_configs_dir is defined and alloy__additional_configs_dir != ""
+  block:
+    - name: ensure rsync is installed
+      ansible.builtin.apt:
+        name: rsync
+      become: true
+
+    - name: synchronize the additional configuration files directory, if present
+      ansible.posix.synchronize:
+        src: "{{ alloy__additional_configs_dir }}"
+        dest: /etc/alloy/additional
+        delete: true
+        recursive: true
+        use_ssh_args: true
+        rsync_opts:
+          - "--chown=root:alloy"
+      become: true
+
+- name: delete the additional configuration files directory, if not present
+  when: alloy__additional_configs_dir is not defined or alloy__additional_configs_dir == ""
+  ansible.builtin.file:
+    path: /etc/alloy/additional
+    state: absent
+  become: true
+
+- name: Setup Alloy
+  ansible.builtin.import_role:
+    name: grafana.grafana.alloy
+  vars:
+    alloy_config: "{{ alloy_config_default ~ alloy_config_additional }}"
+  become: true
diff --git a/roles/ansible_pull/tasks/main.yaml b/roles/ansible_pull/tasks/main.yaml
index 5abcd10e..61a2635f 100644
--- a/roles/ansible_pull/tasks/main.yaml
+++ b/roles/ansible_pull/tasks/main.yaml
@@ -3,6 +3,7 @@
     - name: ensure apt dependencies are installed
       ansible.builtin.apt:
         name:
+          - python3-pip
           - virtualenv
           - git
         state: present
diff --git a/roles/base_config/tasks/main.yaml b/roles/base_config/tasks/main.yaml
new file mode 100644
index 00000000..ab737b76
--- /dev/null
+++ b/roles/base_config/tasks/main.yaml
@@ -0,0 +1,34 @@
+# Ensure the ssh module is disabled, so a cloud-init config change doesn't regenerate the host keys for no reason.
+- name: check if cloud-init config file exists
+  ansible.builtin.stat:
+    path: /etc/cloud/cloud.cfg
+  register: base_config__stat_cloud_cfg
+
+- name: ensure the cloud-init ssh module is disabled
+  ansible.builtin.replace:
+    path: /etc/cloud/cloud.cfg
+    regexp: " - ssh$"
+    replace: " #- ssh"
+  become: true
+  when: base_config__stat_cloud_cfg.stat.exists
+
+# Ensure a base set of admin tools is installed.
+- name: ensure a base set of admin tools is installed
+  ansible.builtin.apt:
+    name:
+      - vim
+      - joe
+      - nano
+      - htop
+      - btop
+      - ripgrep
+      - fd-find
+      - tmux
+      - git
+      - curl
+      - rsync
+      - dnsutils
+      - usbutils
+      - kitty
+      - gpg
+  become: true
diff --git a/roles/certbot/meta/main.yaml b/roles/certbot/meta/main.yaml
index b4a1c6f7..9b678e9f 100644
--- a/roles/certbot/meta/main.yaml
+++ b/roles/certbot/meta/main.yaml
@@ -7,3 +7,4 @@ dependencies:
           major_versions:
             - 11
             - 12
+            - 13
diff --git a/roles/deploy_ssh_server_config/templates/sshd_config.j2 b/roles/deploy_ssh_server_config/templates/sshd_config.j2
index eefafa46..c967502c 100644
--- a/roles/deploy_ssh_server_config/templates/sshd_config.j2
+++ b/roles/deploy_ssh_server_config/templates/sshd_config.j2
@@ -17,7 +17,15 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 
+
+{% if ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "13" %}
+KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% elif ansible_facts["distribution"] == "Debian" and ansible_facts["distribution_major_version"] == "12" %}
+KexAlgorithms sntrup761x25519-sha512,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% else %}
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+{% endif %}
+
 
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
index 49d41083..d55e4cb4 100644
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@@ -2,5 +2,13 @@
     "log-driver": "journald",
     "log-opts": {
         "tag": "{{.Name}}"
+    },
+    "ipv6": true,
+    "ip6tables": true,
+    "fixed-cidr-v6": "fd00:1::/64",
+    "default-network-opts": {
+        "bridge": {
+            "com.docker.network.enable_ipv6":"true"
+        }
     }
 }
diff --git a/roles/docker/meta/main.yaml b/roles/docker/meta/main.yaml
index b4a1c6f7..9b678e9f 100644
--- a/roles/docker/meta/main.yaml
+++ b/roles/docker/meta/main.yaml
@@ -7,3 +7,4 @@ dependencies:
           major_versions:
             - 11
             - 12
+            - 13
diff --git a/roles/docker/tasks/main/01_repo_setup.yaml b/roles/docker/tasks/main/01_repo_setup.yaml
index aa775212..63bdb918 100644
--- a/roles/docker/tasks/main/01_repo_setup.yaml
+++ b/roles/docker/tasks/main/01_repo_setup.yaml
@@ -9,7 +9,7 @@
 
 - name: Ensure Docker APT repository is added
   ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/debian {{ ansible_facts['distribution_release'] }} stable"
     filename: docker
     state: present
   become: true
diff --git a/roles/docker_compose/README.md b/roles/docker_compose/README.md
index d3204ecf..6f2c8413 100644
--- a/roles/docker_compose/README.md
+++ b/roles/docker_compose/README.md
@@ -7,17 +7,22 @@ A use case for the deployment of the additional configuration files is Composes
 
 ## Supported Distributions
 
-The following distributions are supported:
-
-- Debian 11
+Should work on Debian-based distributions.
 
 ## Required Arguments
 
-For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
+- `docker_compose__compose_file_content`: The content to deploy to the Compose file at `/ansible_docker_compose/compose.yaml`.
 
-## `hosts`
+## Optional Arguments
 
-The `hosts` for this role need to be the machines, for which you want to make sure the given Compose file is deployed and all services of it are up-to-date and running.
+- `docker_compose__env_file_content`: The content to deploy to the `.env` file at `/ansible_docker_compose/.env`.
+- `docker_compose__configuration_files`: A list of configuration files to deploy to the `/ansible_docker_compose/configs/` directory.
+- `docker_compose__configuration_files.*.name`: The name of the configuration file.
+- `docker_compose__configuration_files.*.content`: The content to deploy to the configuration file.
+- `docker_compose__build`: Whether or not to build images before starting containers.  
+  Defaults to `always`.
+- `docker_compose__pull`: Whether or not to pull images before starting containers.  
+  Defaults to `always`.
 
 ## Links & Resources
 
diff --git a/roles/docker_compose/defaults/main.yaml b/roles/docker_compose/defaults/main.yaml
index 13129726..621ee7b3 100644
--- a/roles/docker_compose/defaults/main.yaml
+++ b/roles/docker_compose/defaults/main.yaml
@@ -1,2 +1,3 @@
+docker_compose__build: always
 docker_compose__configuration_files: [ ]
-docker_compose__restart_cmd: ""
+docker_compose__pull: always
diff --git a/roles/docker_compose/handlers/main.yaml b/roles/docker_compose/handlers/main.yaml
index 49e064cd..2aff0fef 100644
--- a/roles/docker_compose/handlers/main.yaml
+++ b/roles/docker_compose/handlers/main.yaml
@@ -1,13 +1,11 @@
 - name: docker compose down
-  ansible.builtin.command:
-    cmd: /usr/bin/docker compose down
-    chdir: /ansible_docker_compose
+  community.docker.docker_compose_v2:
+    project_src: /ansible_docker_compose
+    state: absent
   become: true
-  changed_when: true  # This is always changed.
-- name: docker compose reload script
-  ansible.builtin.command:
-    cmd: /usr/bin/docker compose {{ docker_compose__restart_cmd }}
-    chdir: /ansible_docker_compose
+
+- name: docker compose restart
+  community.docker.docker_compose_v2:
+    project_src: /ansible_docker_compose
+    state: restarted
   become: true
-  changed_when: true  # Mark this as always changed (for now?).
-  when: docker_compose__restart_cmd != ""
diff --git a/roles/docker_compose/meta/argument_specs.yaml b/roles/docker_compose/meta/argument_specs.yaml
index c588ba00..664496e1 100644
--- a/roles/docker_compose/meta/argument_specs.yaml
+++ b/roles/docker_compose/meta/argument_specs.yaml
@@ -2,31 +2,20 @@ argument_specs:
   main:
     options:
       docker_compose__compose_file_content:
-        description: >-
-          The content of the Compose file at
-          `/ansible_docker_compose/compose.yaml`.
         type: str
         required: true
       docker_compose__env_file_content:
-        description: >-
-          The content of the .env file at
-          `/ansible_docker_compose/.env`.
         type: str
         required: false
       docker_compose__configuration_files:
-        description: >-
-          A list of configuration files to be deployed in the
-          `/ansible_docker_compose/configs/` directory.
         type: list
         elements: dict
         required: false
         default: [ ]
         options:
           name:
-            description: The name of the configuration file.
             type: str
             required: true
           content:
-            description: The content of the configuration file.
             type: str
             required: true
diff --git a/roles/docker_compose/meta/main.yaml b/roles/docker_compose/meta/main.yaml
index b9a6980e..cb7d8e04 100644
--- a/roles/docker_compose/meta/main.yaml
+++ b/roles/docker_compose/meta/main.yaml
@@ -1,10 +1,3 @@
 ---
 dependencies:
-  - role: distribution_check
-    vars:
-      distribution_check__distribution_support_spec:
-        - name: Debian
-          major_versions:
-            - 11
-            - 12
   - role: docker
diff --git a/roles/docker_compose/tasks/main.yaml b/roles/docker_compose/tasks/main.yaml
index 7b013048..a706ab23 100644
--- a/roles/docker_compose/tasks/main.yaml
+++ b/roles/docker_compose/tasks/main.yaml
@@ -59,7 +59,7 @@
     state: absent
   become: true
   loop: "{{ docker_compose__config_files_to_remove.files }}"
-  # notify: docker compose down
+  notify: docker compose restart
 
 - name: make sure all given configuration files are deployed
   ansible.builtin.copy:
@@ -70,45 +70,19 @@
     group: root
   become: true
   loop: "{{ docker_compose__configuration_files }}"
-  # notify: docker compose down
-  notify: docker compose reload script
+  notify: docker compose restart
 
-- name: Flush handlers to make "docker compose down" handler run now
+- name: Flush handlers to make "docker compose down" and "docker compose restart" handlers run now
   ansible.builtin.meta: flush_handlers
 
-- name: docker compose ps --format json before docker compose up
-  ansible.builtin.command:
-    cmd: /usr/bin/docker compose ps --format json
-    chdir: /ansible_docker_compose
+- name: docker compose up
+  community.docker.docker_compose_v2:
+    project_src: /ansible_docker_compose
+    state: present
+    build: "{{ docker_compose__build }}"
+    pull: "{{ docker_compose__pull }}"
+    remove_orphans: true
   become: true
-  changed_when: false
-  register: docker_compose__ps_json_before_up
-
-- name: docker compose up --detach --pull always --build
-  ansible.builtin.command:
-    cmd: /usr/bin/docker compose up --detach --pull always --build --remove-orphans
-    chdir: /ansible_docker_compose
-  become: true
-  changed_when: false
-  # The changed for this task is tried to be determined by the "potentially
-  # report changed" task together with the "docker compose ps --format json
-  # [...]" tasks.
-
-- name: docker compose ps --format json after docker compose up
-  ansible.builtin.command:
-    cmd: /usr/bin/docker compose ps --format json
-    chdir: /ansible_docker_compose
-  become: true
-  changed_when: false
-  register: docker_compose__ps_json_after_up
-
-# Doesn't work anymore. Dunno why.
-# TODO: Fix
-# - name: potentially report changed
-#   ansible.builtin.debug:
-#     msg: "If this reports changed, then the docker compose containers changed."
-#   changed_when: (docker_compose__ps_json_before_up.stdout | from_json | community.general.json_query('[].ID') | sort)
-#                 != (docker_compose__ps_json_after_up.stdout | from_json | community.general.json_query('[].ID') | sort)
 
 - name: Make sure anacron is installed
   become: true
diff --git a/roles/dokuwiki/meta/main.yml b/roles/dokuwiki/meta/main.yml
index b4a1c6f7..9b678e9f 100644
--- a/roles/dokuwiki/meta/main.yml
+++ b/roles/dokuwiki/meta/main.yml
@@ -7,3 +7,4 @@ dependencies:
           major_versions:
             - 11
             - 12
+            - 13
diff --git a/roles/foobazdmx/meta/main.yaml b/roles/foobazdmx/meta/main.yaml
deleted file mode 100644
index 386685c3..00000000
--- a/roles/foobazdmx/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
-  - role: distribution_check
-    vars:
-      distribution_check__distribution_support_spec:
-        - name: Debian
-          major_versions:
-            - "11"
diff --git a/roles/foobazdmx/tasks/main.yaml b/roles/foobazdmx/tasks/main.yaml
index f6e60974..33197b5c 100644
--- a/roles/foobazdmx/tasks/main.yaml
+++ b/roles/foobazdmx/tasks/main.yaml
@@ -7,11 +7,7 @@
       - python3
       - python3-pip
       - python3-setuptools
-
-- name: Ensure python peotry is installed
-  become: true
-  ansible.builtin.pip:
-    name: poetry
+      - python3-poetry
 
 - name: Ensure foobazdmx user exists
   become: true
diff --git a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py
index 470f388d..79bd247a 100644
--- a/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py
+++ b/roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py
@@ -40,7 +40,6 @@ def remove_groups(response, user, backend, *args, **kwargs):
 def set_roles(response, user, backend, *args, **kwargs):
     # Remove Roles temporary
     user.is_superuser = False
-    user.is_staff = False
     try:
         groups = response['groups']
     except KeyError:
@@ -51,5 +50,4 @@ def set_roles(response, user, backend, *args, **kwargs):
 
     # Set roles is role (superuser or staff) is in groups
     user.is_superuser = True if 'superusers' in groups else False
-    user.is_staff = True if 'staff' in groups else False
     user.save()
diff --git a/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
index c15a6539..1beeaf3f 100644
--- a/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@@ -4,6 +4,7 @@
 server {
     # Listen on a custom port for the proxy protocol.
     listen 8443 ssl http2 proxy_protocol;
+    listen [::]:8443 ssl http2 proxy_protocol;
     # Make use of the ngx_http_realip_module to set the $remote_addr and
     # $remote_port to the client address and client port, when using proxy
     # protocol.
diff --git a/roles/nftables/README.md b/roles/nftables/README.md
new file mode 100644
index 00000000..81d8871a
--- /dev/null
+++ b/roles/nftables/README.md
@@ -0,0 +1,11 @@
+# Role `nftables`
+
+Deploys nftables.
+
+## Support Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `nftables__config`: nftables configuration to deploy.
diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml
new file mode 100644
index 00000000..3b72c54c
--- /dev/null
+++ b/roles/nftables/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: Restart nftables service
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: restarted
+  become: true
diff --git a/roles/nftables/meta/argument_specs.yaml b/roles/nftables/meta/argument_specs.yaml
new file mode 100644
index 00000000..aa562239
--- /dev/null
+++ b/roles/nftables/meta/argument_specs.yaml
@@ -0,0 +1,6 @@
+argument_specs:
+  main:
+    options:
+      nftables__config:
+        type: str
+        required: true
diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml
new file mode 100644
index 00000000..46ea18dc
--- /dev/null
+++ b/roles/nftables/tasks/main.yaml
@@ -0,0 +1,15 @@
+- name: ensure nftables is installed
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+  become: true
+
+- name: deploy nftables configuration
+  ansible.builtin.copy:
+    content: "{{ nftables__config }}"
+    dest: "/etc/nftables.conf"
+    mode: "0644"
+    owner: root
+    group: root
+  become: true
+  notify: Restart nftables service
diff --git a/roles/nginx/files/logging.conf b/roles/nginx/files/logging.conf
index 304996fc..3a399a62 100644
--- a/roles/nginx/files/logging.conf
+++ b/roles/nginx/files/logging.conf
@@ -1,2 +1,2 @@
 error_log  syslog:server=unix:/run/systemd/journal/dev-log,nohostname,severity=warn debug;
-access_log  syslog:server=unix:/run/systemd/journal/dev-log,nohostname,severity=info main;
+access_log off;
diff --git a/roles/nginx/meta/main.yaml b/roles/nginx/meta/main.yaml
index 02b00ac3..78bb7705 100644
--- a/roles/nginx/meta/main.yaml
+++ b/roles/nginx/meta/main.yaml
@@ -7,3 +7,4 @@ dependencies:
           major_versions:
             - "11"
             - "12"
+            - "13"
diff --git a/roles/nginx/tasks/main/02_repo_setup.yaml b/roles/nginx/tasks/main/02_repo_setup.yaml
index eaaec30e..b4720c14 100644
--- a/roles/nginx/tasks/main/02_repo_setup.yaml
+++ b/roles/nginx/tasks/main/02_repo_setup.yaml
@@ -15,13 +15,13 @@
 
 - name: Ensure NGINX APT repository is added
   ansible.builtin.apt_repository:
-    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
     state: present
   become: true
 
 - name: Ensure NGINX APT source repository is added
   ansible.builtin.apt_repository:
-    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx"
+    repo: "deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/nginx.asc] https://nginx.org/packages/debian/ {{ ansible_facts['distribution_release'] }} nginx"
     state: present
   become: true
 
diff --git a/roles/ola/meta/main.yaml b/roles/ola/meta/main.yaml
deleted file mode 100644
index 386685c3..00000000
--- a/roles/ola/meta/main.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-dependencies:
-  - role: distribution_check
-    vars:
-      distribution_check__distribution_support_spec:
-        - name: Debian
-          major_versions:
-            - "11"
diff --git a/roles/prometheus_node_exporter/meta/main.yaml b/roles/prometheus_node_exporter/meta/main.yaml
deleted file mode 100644
index 02b00ac3..00000000
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-dependencies:
-  - role: distribution_check
-    vars:
-      distribution_check__distribution_support_spec:
-        - name: Debian
-          major_versions:
-            - "11"
-            - "12"
diff --git a/roles/prometheus_node_exporter/tasks/main.yaml b/roles/prometheus_node_exporter/tasks/main.yaml
deleted file mode 100644
index c138f18e..00000000
--- a/roles/prometheus_node_exporter/tasks/main.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-- name: make sure the `prometheus-node-exporter` package is installed
-  ansible.builtin.apt:
-    name: prometheus-node-exporter
-    state: present
-    allow_change_held_packages: true
-    update_cache: true
-  become: true
-
-- name: make sure `prometheus-node-exporter.service` is started and ansibled
-  ansible.builtin.systemd:
-    name: prometheus-node-exporter.service
-    state: started
-    enabled: true
-  become: true
diff --git a/roles/systemd_networkd/README.md b/roles/systemd_networkd/README.md
new file mode 100644
index 00000000..ac7f115d
--- /dev/null
+++ b/roles/systemd_networkd/README.md
@@ -0,0 +1,16 @@
+# Role `systemd_networkd`
+
+Deploys the given systemd-networkd configuration files.
+
+## Support Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+- `systemd_networkd__config_dir`: Directory with systemd-networkd configs to deploy.
+
+## Optional Arguments
+
+- `systemd_networkd__global_config`: systemd-networkd global configuration to deploy (see `man 5 networkd.conf`).  
+  Defaults to `` (the empty string);
diff --git a/roles/systemd_networkd/defaults/main.yaml b/roles/systemd_networkd/defaults/main.yaml
new file mode 100644
index 00000000..e84ed280
--- /dev/null
+++ b/roles/systemd_networkd/defaults/main.yaml
@@ -0,0 +1 @@
+systemd_networkd__global_config: ""
diff --git a/roles/systemd_networkd/meta/argument_specs.yaml b/roles/systemd_networkd/meta/argument_specs.yaml
new file mode 100644
index 00000000..81b046a5
--- /dev/null
+++ b/roles/systemd_networkd/meta/argument_specs.yaml
@@ -0,0 +1,6 @@
+argument_specs:
+  main:
+    options:
+      systemd_networkd__config_dir:
+        type: path
+        required: true
diff --git a/roles/systemd_networkd/tasks/main.yaml b/roles/systemd_networkd/tasks/main.yaml
new file mode 100644
index 00000000..cc8f4d9b
--- /dev/null
+++ b/roles/systemd_networkd/tasks/main.yaml
@@ -0,0 +1,32 @@
+- name: ensure rsync is installed
+  ansible.builtin.apt:
+    name: rsync
+    state: present
+  become: true
+
+- name: synchronize systemd-networkd configs
+  ansible.posix.synchronize:
+    src: "{{ systemd_networkd__config_dir }}"
+    dest: "/etc/systemd/network"
+    archive: false
+    recursive: true
+    delete: true
+  become: true
+
+- name: ensure global systemd-networkd config directory exists
+  ansible.builtin.file:
+    path: "/etc/systemd/networkd.conf.d"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure global systemd-networkd config is deployed
+  ansible.builtin.copy:
+    content: "{{ systemd_networkd__global_config }}"
+    dest: "/etc/systemd/networkd.conf.d/20-ansible.conf"
+    mode: "0644"
+    owner: root
+    group: root
+  become: true